-rw-r--r--contrib/bind9/CHANGES5978
-rw-r--r--contrib/bind9/COPYRIGHT30
-rw-r--r--contrib/bind9/FAQ525
-rw-r--r--contrib/bind9/FAQ.xml1007
-rw-r--r--contrib/bind9/FREEBSD-Upgrade17
-rw-r--r--contrib/bind9/FREEBSD-Xlist61
-rw-r--r--contrib/bind9/Makefile.in59
-rw-r--r--contrib/bind9/README374
-rw-r--r--contrib/bind9/acconfig.h147
-rw-r--r--contrib/bind9/bin/Makefile.in25
-rw-r--r--contrib/bind9/bin/check/Makefile.in95
-rw-r--r--contrib/bind9/bin/check/check-tool.c162
-rw-r--r--contrib/bind9/bin/check/check-tool.h46
-rw-r--r--contrib/bind9/bin/check/named-checkconf.870
-rw-r--r--contrib/bind9/bin/check/named-checkconf.c297
-rw-r--r--contrib/bind9/bin/check/named-checkconf.docbook163
-rw-r--r--contrib/bind9/bin/check/named-checkconf.html92
-rw-r--r--contrib/bind9/bin/check/named-checkzone.8111
-rw-r--r--contrib/bind9/bin/check/named-checkzone.c214
-rw-r--r--contrib/bind9/bin/check/named-checkzone.docbook254
-rw-r--r--contrib/bind9/bin/check/named-checkzone.html135
-rw-r--r--contrib/bind9/bin/dig/Makefile.in101
-rw-r--r--contrib/bind9/bin/dig/dig.1423
-rw-r--r--contrib/bind9/bin/dig/dig.c1670
-rw-r--r--contrib/bind9/bin/dig/dig.docbook641
-rw-r--r--contrib/bind9/bin/dig/dig.html514
-rw-r--r--contrib/bind9/bin/dig/dighost.c5072
-rw-r--r--contrib/bind9/bin/dig/host.1185
-rw-r--r--contrib/bind9/bin/dig/host.c740
-rw-r--r--contrib/bind9/bin/dig/host.docbook228
-rw-r--r--contrib/bind9/bin/dig/host.html171
-rw-r--r--contrib/bind9/bin/dig/include/dig/dig.h377
-rw-r--r--contrib/bind9/bin/dig/nslookup.1181
-rw-r--r--contrib/bind9/bin/dig/nslookup.c876
-rw-r--r--contrib/bind9/bin/dig/nslookup.docbook330
-rw-r--r--contrib/bind9/bin/dig/nslookup.html264
-rw-r--r--contrib/bind9/bin/dnssec/Makefile.in83
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.8164
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.c415
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.docbook358
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.html228
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.8113
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.c401
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook233
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.html407
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.8108
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.c448
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.docbook237
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.html407
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.8157
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.c2134
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.docbook378
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.html220
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.c307
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.h76
-rw-r--r--contrib/bind9/bin/named/Makefile.in135
-rw-r--r--contrib/bind9/bin/named/aclconf.c252
-rw-r--r--contrib/bind9/bin/named/builtin.c228
-rw-r--r--contrib/bind9/bin/named/client.c2366
-rw-r--r--contrib/bind9/bin/named/config.c723
-rw-r--r--contrib/bind9/bin/named/control.c177
-rw-r--r--contrib/bind9/bin/named/controlconf.c1323
-rw-r--r--contrib/bind9/bin/named/include/named/aclconf.h72
-rw-r--r--contrib/bind9/bin/named/include/named/builtin.h29
-rw-r--r--contrib/bind9/bin/named/include/named/client.h343
-rw-r--r--contrib/bind9/bin/named/include/named/config.h75
-rw-r--r--contrib/bind9/bin/named/include/named/control.h88
-rw-r--r--contrib/bind9/bin/named/include/named/globals.h118
-rw-r--r--contrib/bind9/bin/named/include/named/interfacemgr.h173
-rw-r--r--contrib/bind9/bin/named/include/named/listenlist.h104
-rw-r--r--contrib/bind9/bin/named/include/named/log.h96
-rw-r--r--contrib/bind9/bin/named/include/named/logconf.h32
-rw-r--r--contrib/bind9/bin/named/include/named/lwaddr.h34
-rw-r--r--contrib/bind9/bin/named/include/named/lwdclient.h230
-rw-r--r--contrib/bind9/bin/named/include/named/lwresd.h111
-rw-r--r--contrib/bind9/bin/named/include/named/lwsearch.h110
-rw-r--r--contrib/bind9/bin/named/include/named/main.h32
-rw-r--r--contrib/bind9/bin/named/include/named/notify.h54
-rw-r--r--contrib/bind9/bin/named/include/named/ns_smf_globals.h44
-rw-r--r--contrib/bind9/bin/named/include/named/query.h83
-rw-r--r--contrib/bind9/bin/named/include/named/server.h213
-rw-r--r--contrib/bind9/bin/named/include/named/sortlist.h84
-rw-r--r--contrib/bind9/bin/named/include/named/tkeyconf.h51
-rw-r--r--contrib/bind9/bin/named/include/named/tsigconf.h47
-rw-r--r--contrib/bind9/bin/named/include/named/types.h41
-rw-r--r--contrib/bind9/bin/named/include/named/update.h49
-rw-r--r--contrib/bind9/bin/named/include/named/xfrout.h38
-rw-r--r--contrib/bind9/bin/named/include/named/zoneconf.h61
-rw-r--r--contrib/bind9/bin/named/interfacemgr.c911
-rw-r--r--contrib/bind9/bin/named/listenlist.c136
-rw-r--r--contrib/bind9/bin/named/log.c229
-rw-r--r--contrib/bind9/bin/named/logconf.c295
-rw-r--r--contrib/bind9/bin/named/lwaddr.c92
-rw-r--r--contrib/bind9/bin/named/lwdclient.c465
-rw-r--r--contrib/bind9/bin/named/lwderror.c78
-rw-r--r--contrib/bind9/bin/named/lwdgabn.c655
-rw-r--r--contrib/bind9/bin/named/lwdgnba.c270
-rw-r--r--contrib/bind9/bin/named/lwdgrbn.c513
-rw-r--r--contrib/bind9/bin/named/lwdnoop.c86
-rw-r--r--contrib/bind9/bin/named/lwresd.8140
-rw-r--r--contrib/bind9/bin/named/lwresd.c861
-rw-r--r--contrib/bind9/bin/named/lwresd.docbook315
-rw-r--r--contrib/bind9/bin/named/lwresd.html189
-rw-r--r--contrib/bind9/bin/named/lwsearch.c199
-rw-r--r--contrib/bind9/bin/named/main.c895
-rw-r--r--contrib/bind9/bin/named/named.8182
-rw-r--r--contrib/bind9/bin/named/named.conf.5438
-rw-r--r--contrib/bind9/bin/named/named.conf.docbook543
-rw-r--r--contrib/bind9/bin/named/named.conf.html500
-rw-r--r--contrib/bind9/bin/named/named.docbook386
-rw-r--r--contrib/bind9/bin/named/named.html240
-rw-r--r--contrib/bind9/bin/named/notify.c162
-rw-r--r--contrib/bind9/bin/named/query.c3553
-rw-r--r--contrib/bind9/bin/named/server.c4153
-rw-r--r--contrib/bind9/bin/named/sortlist.c162
-rw-r--r--contrib/bind9/bin/named/tkeyconf.c118
-rw-r--r--contrib/bind9/bin/named/tsigconf.c170
-rw-r--r--contrib/bind9/bin/named/unix/Makefile.in36
-rw-r--r--contrib/bind9/bin/named/unix/include/named/os.h67
-rw-r--r--contrib/bind9/bin/named/unix/os.c682
-rw-r--r--contrib/bind9/bin/named/update.c2826
-rw-r--r--contrib/bind9/bin/named/xfrout.c1718
-rw-r--r--contrib/bind9/bin/named/zoneconf.c742
-rw-r--r--contrib/bind9/bin/nsupdate/Makefile.in83
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.8298
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.c1986
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.docbook658
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.html468
-rw-r--r--contrib/bind9/bin/rndc/Makefile.in102
-rw-r--r--contrib/bind9/bin/rndc/include/rndc/os.h44
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.8183
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.c324
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.docbook288
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.html185
-rw-r--r--contrib/bind9/bin/rndc/rndc.8118
-rw-r--r--contrib/bind9/bin/rndc/rndc.c688
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf36
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.5154
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.docbook225
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.html179
-rw-r--r--contrib/bind9/bin/rndc/rndc.docbook243
-rw-r--r--contrib/bind9/bin/rndc/rndc.html156
-rw-r--r--contrib/bind9/bin/rndc/unix/Makefile.in36
-rw-r--r--contrib/bind9/bin/rndc/unix/os.c68
-rw-r--r--contrib/bind9/bin/rndc/util.c55
-rw-r--r--contrib/bind9/bin/rndc/util.h49
-rw-r--r--contrib/bind9/config.guess1447
-rw-r--r--contrib/bind9/config.sub1555
-rw-r--r--contrib/bind9/config.threads.in152
-rw-r--r--contrib/bind9/configure.in2122
-rw-r--r--contrib/bind9/doc/Makefile.in29
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM-book.xml6658
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch01.html412
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch02.html130
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch03.html525
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch04.html716
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch05.html115
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch06.html3864
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch07.html200
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch08.html124
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch09.html388
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.html222
-rwxr-xr-xcontrib/bind9/doc/arm/Bv9ARM.pdf8964
-rw-r--r--contrib/bind9/doc/arm/Makefile.in63
-rw-r--r--contrib/bind9/doc/arm/README-SGML329
-rw-r--r--contrib/bind9/doc/arm/isc.color.gifbin6384 -> 0 bytes
-rw-r--r--contrib/bind9/doc/arm/nominum-docbook-html.dsl.in148
-rw-r--r--contrib/bind9/doc/arm/nominum-docbook-print.dsl.in42
-rw-r--r--contrib/bind9/doc/arm/validate.sh.in21
-rw-r--r--contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt336
-rw-r--r--contrib/bind9/doc/draft/draft-daigle-napstr-04.txt1232
-rw-r--r--contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt1960
-rw-r--r--contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt241
-rw-r--r--contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt240
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-2929bis-01.txt928
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt393
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt561
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt562
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dns-name-p-s-00.txt1397
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt442
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt616
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt784
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt1457
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt560
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt896
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt3193
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt1849
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-trans-02.txt839
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-ecc-key-07.txt928
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt639
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-06.txt754
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt335
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-02.txt334
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt560
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt1559
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-43.txt1740
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-02.txt2072
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt464
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt840
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt580
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt755
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt1235
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-05.txt1292
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt1501
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-01.txt730
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt466
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-04.txt580
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt1010
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-08.txt956
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt1120
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-04.txt1176
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt1344
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt1736
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-inaddr-required-07.txt396
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt1321
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-06.txt1848
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt1969
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-11.txt1682
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt300
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt391
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-02.txt389
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt505
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt485
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-02.txt480
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt617
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-04.txt616
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt1588
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt951
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt1200
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt614
-rw-r--r--contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt519
-rw-r--r--contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt295
-rw-r--r--contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt1830
-rw-r--r--contrib/bind9/doc/draft/update46
-rw-r--r--contrib/bind9/doc/misc/Makefile.in36
-rw-r--r--contrib/bind9/doc/misc/dnssec84
-rw-r--r--contrib/bind9/doc/misc/format-options.pl36
-rw-r--r--contrib/bind9/doc/misc/ipv6113
-rw-r--r--contrib/bind9/doc/misc/migration255
-rw-r--r--contrib/bind9/doc/misc/migration-4to957
-rw-r--r--contrib/bind9/doc/misc/options386
-rw-r--r--contrib/bind9/doc/misc/rfc-compliance62
-rw-r--r--contrib/bind9/doc/misc/roadmap47
-rw-r--r--contrib/bind9/doc/misc/sdb169
-rw-r--r--contrib/bind9/doc/rfc/index103
-rw-r--r--contrib/bind9/doc/rfc/rfc1032.txt781
-rw-r--r--contrib/bind9/doc/rfc/rfc1033.txt1229
-rw-r--r--contrib/bind9/doc/rfc/rfc1034.txt3077
-rw-r--r--contrib/bind9/doc/rfc/rfc1035.txt3077
-rw-r--r--contrib/bind9/doc/rfc/rfc1101.txt787
-rw-r--r--contrib/bind9/doc/rfc/rfc1122.txt6844
-rw-r--r--contrib/bind9/doc/rfc/rfc1123.txt5782
-rw-r--r--contrib/bind9/doc/rfc/rfc1183.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc1348.txt227
-rw-r--r--contrib/bind9/doc/rfc/rfc1535.txt283
-rw-r--r--contrib/bind9/doc/rfc/rfc1536.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc1537.txt507
-rw-r--r--contrib/bind9/doc/rfc/rfc1591.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc1611.txt1683
-rw-r--r--contrib/bind9/doc/rfc/rfc1612.txt1795
-rw-r--r--contrib/bind9/doc/rfc/rfc1706.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc1712.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc1750.txt1683
-rw-r--r--contrib/bind9/doc/rfc/rfc1876.txt1011
-rw-r--r--contrib/bind9/doc/rfc/rfc1886.txt268
-rw-r--r--contrib/bind9/doc/rfc/rfc1982.txt394
-rw-r--r--contrib/bind9/doc/rfc/rfc1995.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc1996.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2052.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc2104.txt620
-rw-r--r--contrib/bind9/doc/rfc/rfc2119.txt171
-rw-r--r--contrib/bind9/doc/rfc/rfc2133.txt1795
-rw-r--r--contrib/bind9/doc/rfc/rfc2136.txt1460
-rw-r--r--contrib/bind9/doc/rfc/rfc2137.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc2163.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc2168.txt1123
-rw-r--r--contrib/bind9/doc/rfc/rfc2181.txt842
-rw-r--r--contrib/bind9/doc/rfc/rfc2230.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc2308.txt1067
-rw-r--r--contrib/bind9/doc/rfc/rfc2317.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc2373.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc2374.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc2375.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc2418.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc2535.txt2635
-rw-r--r--contrib/bind9/doc/rfc/rfc2536.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2537.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2538.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc2539.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2540.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2541.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2553.txt2299
-rw-r--r--contrib/bind9/doc/rfc/rfc2671.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2672.txt507
-rw-r--r--contrib/bind9/doc/rfc/rfc2673.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2782.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc2825.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2826.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2845.txt843
-rw-r--r--contrib/bind9/doc/rfc/rfc2874.txt1123
-rw-r--r--contrib/bind9/doc/rfc/rfc2915.txt1011
-rw-r--r--contrib/bind9/doc/rfc/rfc2929.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc2930.txt899
-rw-r--r--contrib/bind9/doc/rfc/rfc2931.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc3007.txt507
-rw-r--r--contrib/bind9/doc/rfc/rfc3008.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc3071.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc3090.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc3110.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc3123.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3152.txt227
-rw-r--r--contrib/bind9/doc/rfc/rfc3197.txt283
-rw-r--r--contrib/bind9/doc/rfc/rfc3225.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc3226.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc3258.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc3363.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc3364.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc3425.txt283
-rw-r--r--contrib/bind9/doc/rfc/rfc3445.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc3467.txt1739
-rw-r--r--contrib/bind9/doc/rfc/rfc3490.txt1235
-rw-r--r--contrib/bind9/doc/rfc/rfc3491.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc3492.txt1963
-rw-r--r--contrib/bind9/doc/rfc/rfc3493.txt2187
-rw-r--r--contrib/bind9/doc/rfc/rfc3513.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc3596.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3597.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3645.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc3655.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3658.txt1067
-rw-r--r--contrib/bind9/doc/rfc/rfc3757.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3833.txt899
-rw-r--r--contrib/bind9/doc/rfc/rfc3845.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc3901.txt283
-rw-r--r--contrib/bind9/doc/rfc/rfc4025.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc4033.txt1179
-rw-r--r--contrib/bind9/doc/rfc/rfc4034.txt1627
-rw-r--r--contrib/bind9/doc/rfc/rfc4035.txt2971
-rw-r--r--contrib/bind9/doc/rfc/rfc4074.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc4159.txt171
-rw-r--r--contrib/bind9/doc/rfc/rfc952.txt340
-rwxr-xr-xcontrib/bind9/install-sh250
-rw-r--r--contrib/bind9/isc-config.sh.in149
-rw-r--r--contrib/bind9/lib/Makefile.in29
-rw-r--r--contrib/bind9/lib/bind/Makefile.in132
-rw-r--r--contrib/bind9/lib/bind/README4
-rw-r--r--contrib/bind9/lib/bind/aclocal.m42
-rw-r--r--contrib/bind9/lib/bind/api3
-rw-r--r--contrib/bind9/lib/bind/bsd/Makefile.in39
-rw-r--r--contrib/bind9/lib/bind/bsd/daemon.c79
-rw-r--r--contrib/bind9/lib/bind/bsd/ftruncate.c63
-rw-r--r--contrib/bind9/lib/bind/bsd/gettimeofday.c62
-rw-r--r--contrib/bind9/lib/bind/bsd/mktemp.c154
-rw-r--r--contrib/bind9/lib/bind/bsd/putenv.c25
-rw-r--r--contrib/bind9/lib/bind/bsd/readv.c38
-rw-r--r--contrib/bind9/lib/bind/bsd/setenv.c149
-rw-r--r--contrib/bind9/lib/bind/bsd/setitimer.c27
-rw-r--r--contrib/bind9/lib/bind/bsd/strcasecmp.c122
-rw-r--r--contrib/bind9/lib/bind/bsd/strdup.c18
-rw-r--r--contrib/bind9/lib/bind/bsd/strerror.c90
-rw-r--r--contrib/bind9/lib/bind/bsd/strpbrk.c68
-rw-r--r--contrib/bind9/lib/bind/bsd/strsep.c86
-rw-r--r--contrib/bind9/lib/bind/bsd/strtoul.c117
-rw-r--r--contrib/bind9/lib/bind/bsd/utimes.c39
-rw-r--r--contrib/bind9/lib/bind/bsd/writev.c87
-rw-r--r--contrib/bind9/lib/bind/config.h.in57
-rwxr-xr-xcontrib/bind9/lib/bind/configure32376
-rw-r--r--contrib/bind9/lib/bind/configure.in2458
-rw-r--r--contrib/bind9/lib/bind/dst/Makefile.in32
-rw-r--r--contrib/bind9/lib/bind/dst/dst_api.c1051
-rw-r--r--contrib/bind9/lib/bind/dst/dst_internal.h154
-rw-r--r--contrib/bind9/lib/bind/dst/hmac_link.c479
-rw-r--r--contrib/bind9/lib/bind/dst/md5.h106
-rw-r--r--contrib/bind9/lib/bind/dst/md5_dgst.c372
-rw-r--r--contrib/bind9/lib/bind/dst/md5_locl.h190
-rw-r--r--contrib/bind9/lib/bind/dst/support.c346
-rw-r--r--contrib/bind9/lib/bind/include/Makefile.in47
-rw-r--r--contrib/bind9/lib/bind/include/arpa/inet.h124
-rw-r--r--contrib/bind9/lib/bind/include/arpa/nameser.h576
-rw-r--r--contrib/bind9/lib/bind/include/arpa/nameser_compat.h232
-rw-r--r--contrib/bind9/lib/bind/include/fd_setsize.h9
-rw-r--r--contrib/bind9/lib/bind/include/hesiod.h38
-rw-r--r--contrib/bind9/lib/bind/include/irp.h103
-rw-r--r--contrib/bind9/lib/bind/include/irs.h345
-rw-r--r--contrib/bind9/lib/bind/include/isc/assertions.h122
-rw-r--r--contrib/bind9/lib/bind/include/isc/ctl.h109
-rw-r--r--contrib/bind9/lib/bind/include/isc/dst.h180
-rw-r--r--contrib/bind9/lib/bind/include/isc/eventlib.h202
-rw-r--r--contrib/bind9/lib/bind/include/isc/heap.h47
-rw-r--r--contrib/bind9/lib/bind/include/isc/irpmarshall.h115
-rw-r--r--contrib/bind9/lib/bind/include/isc/list.h112
-rw-r--r--contrib/bind9/lib/bind/include/isc/logging.h112
-rw-r--r--contrib/bind9/lib/bind/include/isc/memcluster.h49
-rw-r--r--contrib/bind9/lib/bind/include/isc/misc.h39
-rw-r--r--contrib/bind9/lib/bind/include/isc/tree.h58
-rw-r--r--contrib/bind9/lib/bind/include/netdb.h552
-rw-r--r--contrib/bind9/lib/bind/include/netgroup.h24
-rw-r--r--contrib/bind9/lib/bind/include/res_update.h65
-rw-r--r--contrib/bind9/lib/bind/include/resolv.h506
-rw-r--r--contrib/bind9/lib/bind/include/resolv_mt.h47
-rw-r--r--contrib/bind9/lib/bind/inet/Makefile.in35
-rw-r--r--contrib/bind9/lib/bind/inet/inet_addr.c206
-rw-r--r--contrib/bind9/lib/bind/inet/inet_cidr_ntop.c261
-rw-r--r--contrib/bind9/lib/bind/inet/inet_cidr_pton.c275
-rw-r--r--contrib/bind9/lib/bind/inet/inet_data.c44
-rw-r--r--contrib/bind9/lib/bind/inet/inet_lnaof.c63
-rw-r--r--contrib/bind9/lib/bind/inet/inet_makeaddr.c66
-rw-r--r--contrib/bind9/lib/bind/inet/inet_net_ntop.c277
-rw-r--r--contrib/bind9/lib/bind/inet/inet_net_pton.c405
-rw-r--r--contrib/bind9/lib/bind/inet/inet_neta.c87
-rw-r--r--contrib/bind9/lib/bind/inet/inet_netof.c62
-rw-r--r--contrib/bind9/lib/bind/inet/inet_network.c104
-rw-r--r--contrib/bind9/lib/bind/inet/inet_ntoa.c62
-rw-r--r--contrib/bind9/lib/bind/inet/inet_ntop.c205
-rw-r--r--contrib/bind9/lib/bind/inet/inet_pton.c221
-rw-r--r--contrib/bind9/lib/bind/inet/nsap_addr.c109
-rw-r--r--contrib/bind9/lib/bind/irs/Makefile.in70
-rw-r--r--contrib/bind9/lib/bind/irs/dns.c153
-rw-r--r--contrib/bind9/lib/bind/irs/dns_gr.c293
-rw-r--r--contrib/bind9/lib/bind/irs/dns_ho.c1149
-rw-r--r--contrib/bind9/lib/bind/irs/dns_nw.c589
-rw-r--r--contrib/bind9/lib/bind/irs/dns_p.h50
-rw-r--r--contrib/bind9/lib/bind/irs/dns_pr.c266
-rw-r--r--contrib/bind9/lib/bind/irs/dns_pw.c231
-rw-r--r--contrib/bind9/lib/bind/irs/dns_sv.c298
-rw-r--r--contrib/bind9/lib/bind/irs/gai_strerror.c89
-rw-r--r--contrib/bind9/lib/bind/irs/gen.c432
-rw-r--r--contrib/bind9/lib/bind/irs/gen_gr.c492
-rw-r--r--contrib/bind9/lib/bind/irs/gen_ho.c391
-rw-r--r--contrib/bind9/lib/bind/irs/gen_ng.c172
-rw-r--r--contrib/bind9/lib/bind/irs/gen_nw.c262
-rw-r--r--contrib/bind9/lib/bind/irs/gen_p.h113
-rw-r--r--contrib/bind9/lib/bind/irs/gen_pr.c226
-rw-r--r--contrib/bind9/lib/bind/irs/gen_pw.c233
-rw-r--r--contrib/bind9/lib/bind/irs/gen_sv.c227
-rw-r--r--contrib/bind9/lib/bind/irs/getgrent.c223
-rw-r--r--contrib/bind9/lib/bind/irs/getgrent_r.c229
-rw-r--r--contrib/bind9/lib/bind/irs/gethostent.c1069
-rw-r--r--contrib/bind9/lib/bind/irs/gethostent_r.c274
-rw-r--r--contrib/bind9/lib/bind/irs/getnameinfo.c322
-rw-r--r--contrib/bind9/lib/bind/irs/getnetent.c343
-rw-r--r--contrib/bind9/lib/bind/irs/getnetent_r.c233
-rw-r--r--contrib/bind9/lib/bind/irs/getnetgrent.c156
-rw-r--r--contrib/bind9/lib/bind/irs/getnetgrent_r.c177
-rw-r--r--contrib/bind9/lib/bind/irs/getprotoent.c174
-rw-r--r--contrib/bind9/lib/bind/irs/getprotoent_r.c216
-rw-r--r--contrib/bind9/lib/bind/irs/getpwent.c200
-rw-r--r--contrib/bind9/lib/bind/irs/getpwent_r.c275
-rw-r--r--contrib/bind9/lib/bind/irs/getservent.c177
-rw-r--r--contrib/bind9/lib/bind/irs/getservent_r.c237
-rw-r--r--contrib/bind9/lib/bind/irs/hesiod.c505
-rw-r--r--contrib/bind9/lib/bind/irs/hesiod_p.h48
-rw-r--r--contrib/bind9/lib/bind/irs/irp.c592
-rw-r--r--contrib/bind9/lib/bind/irs/irp_gr.c408
-rw-r--r--contrib/bind9/lib/bind/irs/irp_ho.c429
-rw-r--r--contrib/bind9/lib/bind/irs/irp_ng.c272
-rw-r--r--contrib/bind9/lib/bind/irs/irp_nw.c375
-rw-r--r--contrib/bind9/lib/bind/irs/irp_p.h59
-rw-r--r--contrib/bind9/lib/bind/irs/irp_pr.c353
-rw-r--r--contrib/bind9/lib/bind/irs/irp_pw.c358
-rw-r--r--contrib/bind9/lib/bind/irs/irp_sv.c369
-rw-r--r--contrib/bind9/lib/bind/irs/irpmarshall.c2344
-rw-r--r--contrib/bind9/lib/bind/irs/irs_data.c233
-rw-r--r--contrib/bind9/lib/bind/irs/irs_data.h62
-rw-r--r--contrib/bind9/lib/bind/irs/irs_p.h49
-rw-r--r--contrib/bind9/lib/bind/irs/lcl.c140
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_gr.c354
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_ho.c576
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_ng.c444
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_nw.c371
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_p.h50
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_pr.c284
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_pw.c308
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_sv.c431
-rw-r--r--contrib/bind9/lib/bind/irs/nis.c154
-rw-r--r--contrib/bind9/lib/bind/irs/nis_gr.c353
-rw-r--r--contrib/bind9/lib/bind/irs/nis_ho.c533
-rw-r--r--contrib/bind9/lib/bind/irs/nis_ng.c302
-rw-r--r--contrib/bind9/lib/bind/irs/nis_nw.c383
-rw-r--r--contrib/bind9/lib/bind/irs/nis_p.h46
-rw-r--r--contrib/bind9/lib/bind/irs/nis_pr.c300
-rw-r--r--contrib/bind9/lib/bind/irs/nis_pw.c287
-rw-r--r--contrib/bind9/lib/bind/irs/nis_sv.c308
-rw-r--r--contrib/bind9/lib/bind/irs/nul_ng.c126
-rw-r--r--contrib/bind9/lib/bind/irs/pathnames.h50
-rw-r--r--contrib/bind9/lib/bind/irs/util.c107
-rw-r--r--contrib/bind9/lib/bind/isc/Makefile.in35
-rw-r--r--contrib/bind9/lib/bind/isc/assertions.c91
-rw-r--r--contrib/bind9/lib/bind/isc/assertions.mdoc138
-rw-r--r--contrib/bind9/lib/bind/isc/base64.c320
-rw-r--r--contrib/bind9/lib/bind/isc/bitncmp.c66
-rw-r--r--contrib/bind9/lib/bind/isc/bitncmp.mdoc82
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_clnt.c602
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_p.c186
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_p.h26
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_srvr.c780
-rw-r--r--contrib/bind9/lib/bind/isc/ev_connects.c367
-rw-r--r--contrib/bind9/lib/bind/isc/ev_files.c276
-rw-r--r--contrib/bind9/lib/bind/isc/ev_streams.c306
-rw-r--r--contrib/bind9/lib/bind/isc/ev_timers.c497
-rw-r--r--contrib/bind9/lib/bind/isc/ev_waits.c245
-rw-r--r--contrib/bind9/lib/bind/isc/eventlib.c937
-rw-r--r--contrib/bind9/lib/bind/isc/eventlib.mdoc918
-rw-r--r--contrib/bind9/lib/bind/isc/eventlib_p.h278
-rw-r--r--contrib/bind9/lib/bind/isc/heap.c230
-rw-r--r--contrib/bind9/lib/bind/isc/heap.mdoc378
-rw-r--r--contrib/bind9/lib/bind/isc/hex.c116
-rw-r--r--contrib/bind9/lib/bind/isc/logging.c720
-rw-r--r--contrib/bind9/lib/bind/isc/logging.mdoc1056
-rw-r--r--contrib/bind9/lib/bind/isc/logging_p.h60
-rw-r--r--contrib/bind9/lib/bind/isc/memcluster.c585
-rw-r--r--contrib/bind9/lib/bind/isc/memcluster.mdoc376
-rw-r--r--contrib/bind9/lib/bind/isc/movefile.c35
-rw-r--r--contrib/bind9/lib/bind/isc/tree.c532
-rw-r--r--contrib/bind9/lib/bind/isc/tree.mdoc154
-rw-r--r--contrib/bind9/lib/bind/make/includes.in44
-rw-r--r--contrib/bind9/lib/bind/make/mkdep.in147
-rw-r--r--contrib/bind9/lib/bind/make/rules.in177
-rwxr-xr-xcontrib/bind9/lib/bind/mkinstalldirs40
-rw-r--r--contrib/bind9/lib/bind/nameser/Makefile.in31
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_date.c128
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_name.c963
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_netint.c56
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_parse.c209
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_print.c898
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_samedomain.c206
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_sign.c380
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_ttl.c160
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_verify.c479
-rw-r--r--contrib/bind9/lib/bind/port/Makefile.in14
-rw-r--r--contrib/bind9/lib/bind/port/freebsd/Makefile.in14
-rw-r--r--contrib/bind9/lib/bind/port/freebsd/include/Makefile.in34
-rw-r--r--contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h37
-rw-r--r--contrib/bind9/lib/bind/port_after.h.in411
-rw-r--r--contrib/bind9/lib/bind/port_before.h.in146
-rw-r--r--contrib/bind9/lib/bind/resolv/Makefile.in34
-rw-r--r--contrib/bind9/lib/bind/resolv/herror.c127
-rw-r--r--contrib/bind9/lib/bind/resolv/mtctxres.c128
-rw-r--r--contrib/bind9/lib/bind/resolv/res_comp.c263
-rw-r--r--contrib/bind9/lib/bind/resolv/res_data.c291
-rw-r--r--contrib/bind9/lib/bind/resolv/res_debug.c1163
-rw-r--r--contrib/bind9/lib/bind/resolv/res_debug.h34
-rw-r--r--contrib/bind9/lib/bind/resolv/res_findzonecut.c719
-rw-r--r--contrib/bind9/lib/bind/resolv/res_init.c799
-rw-r--r--contrib/bind9/lib/bind/resolv/res_mkquery.c256
-rw-r--r--contrib/bind9/lib/bind/resolv/res_mkupdate.c1158
-rw-r--r--contrib/bind9/lib/bind/resolv/res_mkupdate.h24
-rw-r--r--contrib/bind9/lib/bind/resolv/res_private.h20
-rw-r--r--contrib/bind9/lib/bind/resolv/res_query.c432
-rw-r--r--contrib/bind9/lib/bind/resolv/res_send.c1088
-rw-r--r--contrib/bind9/lib/bind/resolv/res_sendsigned.c167
-rw-r--r--contrib/bind9/lib/bind/resolv/res_update.c212
-rw-r--r--contrib/bind9/lib/bind9/Makefile.in84
-rw-r--r--contrib/bind9/lib/bind9/api3
-rw-r--r--contrib/bind9/lib/bind9/check.c1435
-rw-r--r--contrib/bind9/lib/bind9/getaddresses.c229
-rw-r--r--contrib/bind9/lib/bind9/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/Makefile.in42
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/check.h54
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/getaddresses.h59
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/version.h26
-rw-r--r--contrib/bind9/lib/bind9/version.c26
-rw-r--r--contrib/bind9/lib/dns/Makefile.in168
-rw-r--r--contrib/bind9/lib/dns/acl.c446
-rw-r--r--contrib/bind9/lib/dns/adb.c3597
-rw-r--r--contrib/bind9/lib/dns/api3
-rw-r--r--contrib/bind9/lib/dns/byaddr.c314
-rw-r--r--contrib/bind9/lib/dns/cache.c1041
-rw-r--r--contrib/bind9/lib/dns/callbacks.c111
-rw-r--r--contrib/bind9/lib/dns/compress.c316
-rw-r--r--contrib/bind9/lib/dns/db.c793
-rw-r--r--contrib/bind9/lib/dns/dbiterator.c141
-rw-r--r--contrib/bind9/lib/dns/dbtable.c291
-rw-r--r--contrib/bind9/lib/dns/diff.c539
-rw-r--r--contrib/bind9/lib/dns/dispatch.c2199
-rw-r--r--contrib/bind9/lib/dns/dnssec.c857
-rw-r--r--contrib/bind9/lib/dns/ds.c83
-rw-r--r--contrib/bind9/lib/dns/dst_api.c1185
-rw-r--r--contrib/bind9/lib/dns/dst_internal.h134
-rw-r--r--contrib/bind9/lib/dns/dst_lib.c65
-rw-r--r--contrib/bind9/lib/dns/dst_openssl.h33
-rw-r--r--contrib/bind9/lib/dns/dst_parse.c412
-rw-r--r--contrib/bind9/lib/dns/dst_parse.h95
-rw-r--r--contrib/bind9/lib/dns/dst_result.c86
-rw-r--r--contrib/bind9/lib/dns/forward.c202
-rw-r--r--contrib/bind9/lib/dns/gen-unix.h96
-rw-r--r--contrib/bind9/lib/dns/gen.c878
-rw-r--r--contrib/bind9/lib/dns/gssapi_link.c220
-rw-r--r--contrib/bind9/lib/dns/gssapictx.c262
-rw-r--r--contrib/bind9/lib/dns/hmac_link.c282
-rw-r--r--contrib/bind9/lib/dns/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/dns/include/dns/Makefile.in54
-rw-r--r--contrib/bind9/lib/dns/include/dns/acl.h221
-rw-r--r--contrib/bind9/lib/dns/include/dns/adb.h596
-rw-r--r--contrib/bind9/lib/dns/include/dns/bit.h37
-rw-r--r--contrib/bind9/lib/dns/include/dns/byaddr.h169
-rw-r--r--contrib/bind9/lib/dns/include/dns/cache.h255
-rw-r--r--contrib/bind9/lib/dns/include/dns/callbacks.h83
-rw-r--r--contrib/bind9/lib/dns/include/dns/cert.h67
-rw-r--r--contrib/bind9/lib/dns/include/dns/compress.h248
-rw-r--r--contrib/bind9/lib/dns/include/dns/db.h1271
-rw-r--r--contrib/bind9/lib/dns/include/dns/dbiterator.h298
-rw-r--r--contrib/bind9/lib/dns/include/dns/dbtable.h164
-rw-r--r--contrib/bind9/lib/dns/include/dns/diff.h279
-rw-r--r--contrib/bind9/lib/dns/include/dns/dispatch.h442
-rw-r--r--contrib/bind9/lib/dns/include/dns/dnssec.h179
-rw-r--r--contrib/bind9/lib/dns/include/dns/ds.h56
-rw-r--r--contrib/bind9/lib/dns/include/dns/events.h70
-rw-r--r--contrib/bind9/lib/dns/include/dns/fixedname.h83
-rw-r--r--contrib/bind9/lib/dns/include/dns/forward.h103
-rw-r--r--contrib/bind9/lib/dns/include/dns/journal.h271
-rw-r--r--contrib/bind9/lib/dns/include/dns/keyflags.h52
-rw-r--r--contrib/bind9/lib/dns/include/dns/keytable.h255
-rw-r--r--contrib/bind9/lib/dns/include/dns/keyvalues.h96
-rw-r--r--contrib/bind9/lib/dns/include/dns/lib.h39
-rw-r--r--contrib/bind9/lib/dns/include/dns/log.h103
-rw-r--r--contrib/bind9/lib/dns/include/dns/lookup.h138
-rw-r--r--contrib/bind9/lib/dns/include/dns/master.h214
-rw-r--r--contrib/bind9/lib/dns/include/dns/masterdump.h303
-rw-r--r--contrib/bind9/lib/dns/include/dns/message.h1297
-rw-r--r--contrib/bind9/lib/dns/include/dns/name.h1246
-rw-r--r--contrib/bind9/lib/dns/include/dns/ncache.h158
-rw-r--r--contrib/bind9/lib/dns/include/dns/nsec.h67
-rw-r--r--contrib/bind9/lib/dns/include/dns/opcode.h49
-rw-r--r--contrib/bind9/lib/dns/include/dns/order.h97
-rw-r--r--contrib/bind9/lib/dns/include/dns/peer.h177
-rw-r--r--contrib/bind9/lib/dns/include/dns/portlist.h99
-rw-r--r--contrib/bind9/lib/dns/include/dns/rbt.h838
-rw-r--r--contrib/bind9/lib/dns/include/dns/rcode.h96
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdata.h706
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdataclass.h79
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdatalist.h104
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdataset.h469
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdatasetiter.h171
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdataslab.h167
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdatatype.h81
-rw-r--r--contrib/bind9/lib/dns/include/dns/request.h371
-rw-r--r--contrib/bind9/lib/dns/include/dns/resolver.h431
-rw-r--r--contrib/bind9/lib/dns/include/dns/result.h186
-rw-r--r--contrib/bind9/lib/dns/include/dns/rootns.h35
-rw-r--r--contrib/bind9/lib/dns/include/dns/sdb.h206
-rw-r--r--contrib/bind9/lib/dns/include/dns/secalg.h69
-rw-r--r--contrib/bind9/lib/dns/include/dns/secproto.h69
-rw-r--r--contrib/bind9/lib/dns/include/dns/soa.h80
-rw-r--r--contrib/bind9/lib/dns/include/dns/ssu.h157
-rw-r--r--contrib/bind9/lib/dns/include/dns/stats.h57
-rw-r--r--contrib/bind9/lib/dns/include/dns/tcpmsg.h145
-rw-r--r--contrib/bind9/lib/dns/include/dns/time.h70
-rw-r--r--contrib/bind9/lib/dns/include/dns/timer.h50
-rw-r--r--contrib/bind9/lib/dns/include/dns/tkey.h196
-rw-r--r--contrib/bind9/lib/dns/include/dns/tsig.h242
-rw-r--r--contrib/bind9/lib/dns/include/dns/ttl.h76
-rw-r--r--contrib/bind9/lib/dns/include/dns/types.h299
-rw-r--r--contrib/bind9/lib/dns/include/dns/validator.h205
-rw-r--r--contrib/bind9/lib/dns/include/dns/version.h26
-rw-r--r--contrib/bind9/lib/dns/include/dns/view.h789
-rw-r--r--contrib/bind9/lib/dns/include/dns/xfrin.h107
-rw-r--r--contrib/bind9/lib/dns/include/dns/zone.h1437
-rw-r--r--contrib/bind9/lib/dns/include/dns/zonekey.h40
-rw-r--r--contrib/bind9/lib/dns/include/dns/zt.h167
-rw-r--r--contrib/bind9/lib/dns/include/dst/Makefile.in37
-rw-r--r--contrib/bind9/lib/dns/include/dst/dst.h570
-rw-r--r--contrib/bind9/lib/dns/include/dst/gssapi.h56
-rw-r--r--contrib/bind9/lib/dns/include/dst/lib.h39
-rw-r--r--contrib/bind9/lib/dns/include/dst/result.h68
-rw-r--r--contrib/bind9/lib/dns/journal.c2142
-rw-r--r--contrib/bind9/lib/dns/key.c127
-rw-r--r--contrib/bind9/lib/dns/keytable.c396
-rw-r--r--contrib/bind9/lib/dns/lib.c62
-rw-r--r--contrib/bind9/lib/dns/log.c93
-rw-r--r--contrib/bind9/lib/dns/lookup.c487
-rw-r--r--contrib/bind9/lib/dns/master.c2376
-rw-r--r--contrib/bind9/lib/dns/masterdump.c1455
-rw-r--r--contrib/bind9/lib/dns/message.c3218
-rw-r--r--contrib/bind9/lib/dns/name.c2196
-rw-r--r--contrib/bind9/lib/dns/ncache.c554
-rw-r--r--contrib/bind9/lib/dns/nsec.c218
-rw-r--r--contrib/bind9/lib/dns/openssl_link.c219
-rw-r--r--contrib/bind9/lib/dns/openssldh_link.c608
-rw-r--r--contrib/bind9/lib/dns/openssldsa_link.c443
-rw-r--r--contrib/bind9/lib/dns/opensslrsa_link.c567
-rw-r--r--contrib/bind9/lib/dns/order.c157
-rw-r--r--contrib/bind9/lib/dns/peer.c522
-rw-r--r--contrib/bind9/lib/dns/portlist.c260
-rw-r--r--contrib/bind9/lib/dns/rbt.c2541
-rw-r--r--contrib/bind9/lib/dns/rbtdb.c5723
-rw-r--r--contrib/bind9/lib/dns/rbtdb.h43
-rw-r--r--contrib/bind9/lib/dns/rbtdb64.c21
-rw-r--r--contrib/bind9/lib/dns/rbtdb64.h44
-rw-r--r--contrib/bind9/lib/dns/rcode.c473
-rw-r--r--contrib/bind9/lib/dns/rdata.c1724
-rw-r--r--contrib/bind9/lib/dns/rdata/any_255/tsig_250.c597
-rw-r--r--contrib/bind9/lib/dns/rdata/any_255/tsig_250.h39
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/afsdb_18.c309
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/afsdb_18.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cert_37.c280
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cert_37.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cname_5.c232
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cname_5.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dlv_65323.c281
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dlv_65323.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dname_39.c233
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dname_39.h31
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dnskey_48.c312
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dnskey_48.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ds_43.c283
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ds_43.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/gpos_27.c252
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/gpos_27.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/hinfo_13.c224
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/hinfo_13.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/isdn_20.c234
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/isdn_20.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/key_25.c312
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/key_25.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/loc_29.c794
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/loc_29.h42
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mb_7.c234
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mb_7.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/md_3.c236
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/md_3.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mf_4.c235
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mf_4.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mg_8.c230
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mg_8.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/minfo_14.c324
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/minfo_14.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mr_9.c231
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mr_9.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mx_15.c288
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mx_15.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ns_2.c251
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ns_2.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nsec_47.c366
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nsec_47.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/null_10.c192
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/null_10.h31
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nxt_30.c329
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nxt_30.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/opt_41.c280
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/opt_41.h54
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/proforma.c173
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/proforma.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ptr_12.c291
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ptr_12.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rp_17.c314
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rp_17.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rrsig_46.c551
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rrsig_46.h40
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rt_21.c311
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rt_21.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sig_24.c578
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sig_24.h41
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/soa_6.c443
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/soa_6.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sshfp_44.c262
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sshfp_44.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/tkey_249.c555
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/tkey_249.h40
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/txt_16.c238
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/txt_16.h51
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/unspec_103.c189
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/unspec_103.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/x25_19.c219
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/x25_19.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/hs_4/a_1.c232
-rw-r--r--contrib/bind9/lib/dns/rdata/hs_4/a_1.h28
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a6_38.c461
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a6_38.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a_1.c236
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a_1.h28
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c233
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/apl_42.c402
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/apl_42.h55
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/kx_36.c288
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/kx_36.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/naptr_35.c578
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/naptr_35.h39
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c245
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h31
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap_22.c255
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap_22.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/px_26.c374
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/px_26.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/srv_33.c373
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/srv_33.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/wks_11.c349
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/wks_11.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/rdatastructpre.h42
-rw-r--r--contrib/bind9/lib/dns/rdata/rdatastructsuf.h22
-rw-r--r--contrib/bind9/lib/dns/rdatalist.c224
-rw-r--r--contrib/bind9/lib/dns/rdatalist_p.h55
-rw-r--r--contrib/bind9/lib/dns/rdataset.c626
-rw-r--r--contrib/bind9/lib/dns/rdatasetiter.c78
-rw-r--r--contrib/bind9/lib/dns/rdataslab.c715
-rw-r--r--contrib/bind9/lib/dns/request.c1455
-rw-r--r--contrib/bind9/lib/dns/resolver.c6639
-rw-r--r--contrib/bind9/lib/dns/result.c272
-rw-r--r--contrib/bind9/lib/dns/rootns.c247
-rw-r--r--contrib/bind9/lib/dns/sdb.c1528
-rw-r--r--contrib/bind9/lib/dns/soa.c109
-rw-r--r--contrib/bind9/lib/dns/ssu.c357
-rw-r--r--contrib/bind9/lib/dns/stats.c53
-rw-r--r--contrib/bind9/lib/dns/tcpmsg.c240
-rw-r--r--contrib/bind9/lib/dns/time.c172
-rw-r--r--contrib/bind9/lib/dns/timer.c58
-rw-r--r--contrib/bind9/lib/dns/tkey.c1240
-rw-r--r--contrib/bind9/lib/dns/tsig.c1218
-rw-r--r--contrib/bind9/lib/dns/ttl.c214
-rw-r--r--contrib/bind9/lib/dns/validator.c2781
-rw-r--r--contrib/bind9/lib/dns/version.c26
-rw-r--r--contrib/bind9/lib/dns/view.c1332
-rw-r--r--contrib/bind9/lib/dns/xfrin.c1404
-rw-r--r--contrib/bind9/lib/dns/zone.c7012
-rw-r--r--contrib/bind9/lib/dns/zonekey.c53
-rw-r--r--contrib/bind9/lib/dns/zt.c320
-rw-r--r--contrib/bind9/lib/isc/Makefile.in111
-rw-r--r--contrib/bind9/lib/isc/api3
-rw-r--r--contrib/bind9/lib/isc/assertions.c93
-rw-r--r--contrib/bind9/lib/isc/base64.c246
-rw-r--r--contrib/bind9/lib/isc/bitstring.c125
-rw-r--r--contrib/bind9/lib/isc/buffer.c411
-rw-r--r--contrib/bind9/lib/isc/bufferlist.c62
-rw-r--r--contrib/bind9/lib/isc/commandline.c222
-rw-r--r--contrib/bind9/lib/isc/entropy.c1256
-rw-r--r--contrib/bind9/lib/isc/error.c101
-rw-r--r--contrib/bind9/lib/isc/event.c87
-rw-r--r--contrib/bind9/lib/isc/fsaccess.c101
-rw-r--r--contrib/bind9/lib/isc/hash.c387
-rw-r--r--contrib/bind9/lib/isc/heap.c252
-rw-r--r--contrib/bind9/lib/isc/hex.c199
-rw-r--r--contrib/bind9/lib/isc/hmacmd5.c113
-rw-r--r--contrib/bind9/lib/isc/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/include/isc/Makefile.in57
-rw-r--r--contrib/bind9/lib/isc/include/isc/app.h212
-rw-r--r--contrib/bind9/lib/isc/include/isc/assertions.h120
-rw-r--r--contrib/bind9/lib/isc/include/isc/base64.h97
-rw-r--r--contrib/bind9/lib/isc/include/isc/bitstring.h152
-rw-r--r--contrib/bind9/lib/isc/include/isc/boolean.h29
-rw-r--r--contrib/bind9/lib/isc/include/isc/buffer.h800
-rw-r--r--contrib/bind9/lib/isc/include/isc/bufferlist.h86
-rw-r--r--contrib/bind9/lib/isc/include/isc/commandline.h47
-rw-r--r--contrib/bind9/lib/isc/include/isc/entropy.h288
-rw-r--r--contrib/bind9/lib/isc/include/isc/error.h55
-rw-r--r--contrib/bind9/lib/isc/include/isc/event.h115
-rw-r--r--contrib/bind9/lib/isc/include/isc/eventclass.h53
-rw-r--r--contrib/bind9/lib/isc/include/isc/file.h252
-rw-r--r--contrib/bind9/lib/isc/include/isc/formatcheck.h34
-rw-r--r--contrib/bind9/lib/isc/include/isc/fsaccess.h177
-rw-r--r--contrib/bind9/lib/isc/include/isc/hash.h175
-rw-r--r--contrib/bind9/lib/isc/include/isc/heap.h51
-rw-r--r--contrib/bind9/lib/isc/include/isc/hex.h96
-rw-r--r--contrib/bind9/lib/isc/include/isc/hmacmd5.h60
-rw-r--r--contrib/bind9/lib/isc/include/isc/interfaceiter.h134
-rw-r--r--contrib/bind9/lib/isc/include/isc/ipv6.h148
-rw-r--r--contrib/bind9/lib/isc/include/isc/lang.h31
-rw-r--r--contrib/bind9/lib/isc/include/isc/lex.h410
-rw-r--r--contrib/bind9/lib/isc/include/isc/lfsr.h133
-rw-r--r--contrib/bind9/lib/isc/include/isc/lib.h39
-rw-r--r--contrib/bind9/lib/isc/include/isc/list.h180
-rw-r--r--contrib/bind9/lib/isc/include/isc/log.h879
-rw-r--r--contrib/bind9/lib/isc/include/isc/magic.h40
-rw-r--r--contrib/bind9/lib/isc/include/isc/md5.h72
-rw-r--r--contrib/bind9/lib/isc/include/isc/mem.h452
-rw-r--r--contrib/bind9/lib/isc/include/isc/msgcat.h132
-rw-r--r--contrib/bind9/lib/isc/include/isc/msgs.h183
-rw-r--r--contrib/bind9/lib/isc/include/isc/mutexblock.h69
-rw-r--r--contrib/bind9/lib/isc/include/isc/netaddr.h149
-rw-r--r--contrib/bind9/lib/isc/include/isc/netscope.h40
-rw-r--r--contrib/bind9/lib/isc/include/isc/ondestroy.h108
-rw-r--r--contrib/bind9/lib/isc/include/isc/os.h36
-rw-r--r--contrib/bind9/lib/isc/include/isc/parseint.h63
-rw-r--r--contrib/bind9/lib/isc/include/isc/platform.h.in255
-rw-r--r--contrib/bind9/lib/isc/include/isc/print.h85
-rw-r--r--contrib/bind9/lib/isc/include/isc/quota.h120
-rw-r--r--contrib/bind9/lib/isc/include/isc/random.h60
-rw-r--r--contrib/bind9/lib/isc/include/isc/ratelimiter.h132
-rw-r--r--contrib/bind9/lib/isc/include/isc/refcount.h164
-rw-r--r--contrib/bind9/lib/isc/include/isc/region.h95
-rw-r--r--contrib/bind9/lib/isc/include/isc/resource.h85
-rw-r--r--contrib/bind9/lib/isc/include/isc/result.h106
-rw-r--r--contrib/bind9/lib/isc/include/isc/resultclass.h54
-rw-r--r--contrib/bind9/lib/isc/include/isc/rwlock.h95
-rw-r--r--contrib/bind9/lib/isc/include/isc/serial.h76
-rw-r--r--contrib/bind9/lib/isc/include/isc/sha1.h58
-rw-r--r--contrib/bind9/lib/isc/include/isc/sockaddr.h202
-rw-r--r--contrib/bind9/lib/isc/include/isc/socket.h704
-rw-r--r--contrib/bind9/lib/isc/include/isc/stdio.h67
-rw-r--r--contrib/bind9/lib/isc/include/isc/stdlib.h38
-rw-r--r--contrib/bind9/lib/isc/include/isc/string.h76
-rw-r--r--contrib/bind9/lib/isc/include/isc/symtab.h127
-rw-r--r--contrib/bind9/lib/isc/include/isc/task.h615
-rw-r--r--contrib/bind9/lib/isc/include/isc/taskpool.h107
-rw-r--r--contrib/bind9/lib/isc/include/isc/timer.h343
-rw-r--r--contrib/bind9/lib/isc/include/isc/types.h103
-rw-r--r--contrib/bind9/lib/isc/include/isc/util.h225
-rw-r--r--contrib/bind9/lib/isc/include/isc/version.h26
-rw-r--r--contrib/bind9/lib/isc/inet_aton.c195
-rw-r--r--contrib/bind9/lib/isc/inet_ntop.c195
-rw-r--r--contrib/bind9/lib/isc/inet_pton.c210
-rw-r--r--contrib/bind9/lib/isc/lex.c921
-rw-r--r--contrib/bind9/lib/isc/lfsr.c159
-rw-r--r--contrib/bind9/lib/isc/lib.c77
-rw-r--r--contrib/bind9/lib/isc/log.c1753
-rw-r--r--contrib/bind9/lib/isc/md5.c249
-rw-r--r--contrib/bind9/lib/isc/mem.c1777
-rw-r--r--contrib/bind9/lib/isc/mutexblock.c57
-rw-r--r--contrib/bind9/lib/isc/netaddr.c357
-rw-r--r--contrib/bind9/lib/isc/netscope.c72
-rw-r--r--contrib/bind9/lib/isc/nls/Makefile.in37
-rw-r--r--contrib/bind9/lib/isc/nls/msgcat.c130
-rw-r--r--contrib/bind9/lib/isc/nothreads/Makefile.in38
-rw-r--r--contrib/bind9/lib/isc/nothreads/condition.c22
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in37
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/condition.h59
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/mutex.h39
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/once.h32
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/thread.h35
-rw-r--r--contrib/bind9/lib/isc/nothreads/mutex.c23
-rw-r--r--contrib/bind9/lib/isc/nothreads/thread.c28
-rw-r--r--contrib/bind9/lib/isc/ondestroy.c83
-rw-r--r--contrib/bind9/lib/isc/parseint.c70
-rw-r--r--contrib/bind9/lib/isc/print.c556
-rw-r--r--contrib/bind9/lib/isc/pthreads/Makefile.in38
-rw-r--r--contrib/bind9/lib/isc/pthreads/condition.c72
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in37
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/condition.h63
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/mutex.h139
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/once.h48
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/thread.h52
-rw-r--r--contrib/bind9/lib/isc/pthreads/mutex.c241
-rw-r--r--contrib/bind9/lib/isc/pthreads/thread.c74
-rw-r--r--contrib/bind9/lib/isc/quota.c99
-rw-r--r--contrib/bind9/lib/isc/random.c102
-rw-r--r--contrib/bind9/lib/isc/ratelimiter.c326
-rw-r--r--contrib/bind9/lib/isc/region.c43
-rw-r--r--contrib/bind9/lib/isc/result.c210
-rw-r--r--contrib/bind9/lib/isc/rwlock.c427
-rw-r--r--contrib/bind9/lib/isc/serial.c56
-rw-r--r--contrib/bind9/lib/isc/sha1.c309
-rw-r--r--contrib/bind9/lib/isc/sockaddr.c463
-rw-r--r--contrib/bind9/lib/isc/string.c165
-rw-r--r--contrib/bind9/lib/isc/strtoul.c128
-rw-r--r--contrib/bind9/lib/isc/symtab.c250
-rw-r--r--contrib/bind9/lib/isc/task.c1302
-rw-r--r--contrib/bind9/lib/isc/task_p.h29
-rw-r--r--contrib/bind9/lib/isc/taskpool.c89
-rw-r--r--contrib/bind9/lib/isc/timer.c920
-rw-r--r--contrib/bind9/lib/isc/timer_p.h29
-rw-r--r--contrib/bind9/lib/isc/unix/Makefile.in51
-rw-r--r--contrib/bind9/lib/isc/unix/app.c681
-rw-r--r--contrib/bind9/lib/isc/unix/dir.c225
-rw-r--r--contrib/bind9/lib/isc/unix/entropy.c598
-rw-r--r--contrib/bind9/lib/isc/unix/errno2result.c121
-rw-r--r--contrib/bind9/lib/isc/unix/errno2result.h37
-rw-r--r--contrib/bind9/lib/isc/unix/file.c435
-rw-r--r--contrib/bind9/lib/isc/unix/fsaccess.c90
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c178
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_ioctl.c1019
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_sysctl.c301
-rw-r--r--contrib/bind9/lib/isc/unix/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/Makefile.in38
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/dir.h90
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/int.h53
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/keyboard.h50
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/net.h327
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/netdb.h56
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/offset.h44
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/stat.h53
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/stdtime.h47
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/strerror.h42
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/syslog.h45
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/time.h299
-rw-r--r--contrib/bind9/lib/isc/unix/interfaceiter.c220
-rw-r--r--contrib/bind9/lib/isc/unix/ipv6.c23
-rw-r--r--contrib/bind9/lib/isc/unix/keyboard.c126
-rw-r--r--contrib/bind9/lib/isc/unix/net.c348
-rw-r--r--contrib/bind9/lib/isc/unix/os.c94
-rw-r--r--contrib/bind9/lib/isc/unix/resource.c204
-rw-r--r--contrib/bind9/lib/isc/unix/socket.c3526
-rw-r--r--contrib/bind9/lib/isc/unix/socket_p.h33
-rw-r--r--contrib/bind9/lib/isc/unix/stdio.c117
-rw-r--r--contrib/bind9/lib/isc/unix/stdtime.c84
-rw-r--r--contrib/bind9/lib/isc/unix/strerror.c72
-rw-r--r--contrib/bind9/lib/isc/unix/syslog.c82
-rw-r--r--contrib/bind9/lib/isc/unix/time.c412
-rw-r--r--contrib/bind9/lib/isc/version.c26
-rw-r--r--contrib/bind9/lib/isccc/Makefile.in86
-rw-r--r--contrib/bind9/lib/isccc/alist.c297
-rw-r--r--contrib/bind9/lib/isccc/api3
-rw-r--r--contrib/bind9/lib/isccc/base64.c63
-rw-r--r--contrib/bind9/lib/isccc/cc.c807
-rw-r--r--contrib/bind9/lib/isccc/ccmsg.c220
-rw-r--r--contrib/bind9/lib/isccc/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/Makefile.in42
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/alist.h72
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/base64.h70
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/cc.h88
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/ccmsg.h132
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/events.h35
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/lib.h40
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/result.h52
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/sexpr.h107
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/symtab.h123
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/symtype.h29
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/types.h38
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/util.h211
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/version.h26
-rw-r--r--contrib/bind9/lib/isccc/lib.c63
-rw-r--r--contrib/bind9/lib/isccc/result.c70
-rw-r--r--contrib/bind9/lib/isccc/sexpr.c310
-rw-r--r--contrib/bind9/lib/isccc/symtab.c278
-rw-r--r--contrib/bind9/lib/isccc/version.c26
-rw-r--r--contrib/bind9/lib/isccfg/Makefile.in83
-rw-r--r--contrib/bind9/lib/isccfg/api3
-rw-r--r--contrib/bind9/lib/isccfg/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/Makefile.in42
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/cfg.h415
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/grammar.h439
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/log.h53
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/namedconf.h44
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/version.h26
-rw-r--r--contrib/bind9/lib/isccfg/log.c50
-rw-r--r--contrib/bind9/lib/isccfg/namedconf.c1908
-rw-r--r--contrib/bind9/lib/isccfg/parser.c2289
-rw-r--r--contrib/bind9/lib/isccfg/version.c27
-rw-r--r--contrib/bind9/lib/lwres/Makefile.in84
-rw-r--r--contrib/bind9/lib/lwres/api3
-rw-r--r--contrib/bind9/lib/lwres/assert_p.h33
-rw-r--r--contrib/bind9/lib/lwres/context.c379
-rw-r--r--contrib/bind9/lib/lwres/context_p.h59
-rw-r--r--contrib/bind9/lib/lwres/gai_strerror.c52
-rw-r--r--contrib/bind9/lib/lwres/getaddrinfo.c691
-rw-r--r--contrib/bind9/lib/lwres/gethost.c219
-rw-r--r--contrib/bind9/lib/lwres/getipnode.c1029
-rw-r--r--contrib/bind9/lib/lwres/getnameinfo.c286
-rw-r--r--contrib/bind9/lib/lwres/getrrset.c211
-rw-r--r--contrib/bind9/lib/lwres/herror.c101
-rw-r--r--contrib/bind9/lib/lwres/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/Makefile.in46
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/context.h133
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/int.h32
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/ipv6.h118
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lang.h31
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/list.h119
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lwbuffer.h402
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lwpacket.h124
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lwres.h579
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/netdb.h.in518
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/platform.h.in111
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/result.h40
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/stdlib.h40
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/version.h26
-rw-r--r--contrib/bind9/lib/lwres/lwbuffer.c287
-rw-r--r--contrib/bind9/lib/lwres/lwconfig.c703
-rw-r--r--contrib/bind9/lib/lwres/lwinetaton.c203
-rw-r--r--contrib/bind9/lib/lwres/lwinetntop.c195
-rw-r--r--contrib/bind9/lib/lwres/lwinetpton.c205
-rw-r--r--contrib/bind9/lib/lwres/lwpacket.c85
-rw-r--r--contrib/bind9/lib/lwres/lwres_gabn.c415
-rw-r--r--contrib/bind9/lib/lwres/lwres_gnba.c328
-rw-r--r--contrib/bind9/lib/lwres/lwres_grbn.c416
-rw-r--r--contrib/bind9/lib/lwres/lwres_noop.c255
-rw-r--r--contrib/bind9/lib/lwres/lwresutil.c491
-rw-r--r--contrib/bind9/lib/lwres/man/Makefile.in232
-rw-r--r--contrib/bind9/lib/lwres/man/lwres.3157
-rw-r--r--contrib/bind9/lib/lwres/man/lwres.docbook260
-rw-r--r--contrib/bind9/lib/lwres/man/lwres.html216
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_buffer.3211
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_buffer.docbook393
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_buffer.html444
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.397
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.docbook175
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.html166
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.3161
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.docbook300
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.html335
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.3166
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.docbook271
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.html327
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.399
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook177
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.html124
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3227
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook388
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html333
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.3288
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.docbook421
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.html430
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.3170
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.docbook323
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.html298
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.398
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook170
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.html154
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3136
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook224
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html217
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.3160
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.docbook274
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.html324
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.381
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook139
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.html100
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.369
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.docbook114
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.html98
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.3159
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.docbook244
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.html295
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.3129
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.docbook233
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.html216
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.3160
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.docbook236
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.html255
-rw-r--r--contrib/bind9/lib/lwres/print.c560
-rw-r--r--contrib/bind9/lib/lwres/print_p.h86
-rw-r--r--contrib/bind9/lib/lwres/strtoul.c135
-rw-r--r--contrib/bind9/lib/lwres/unix/Makefile.in25
-rw-r--r--contrib/bind9/lib/lwres/unix/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in34
-rw-r--r--contrib/bind9/lib/lwres/unix/include/lwres/net.h130
-rw-r--r--contrib/bind9/lib/lwres/version.c26
-rw-r--r--contrib/bind9/libtool.m46000
-rw-r--r--contrib/bind9/ltmain.sh6408
-rw-r--r--contrib/bind9/make/Makefile.in28
-rw-r--r--contrib/bind9/make/includes.in47
-rw-r--r--contrib/bind9/make/mkdep.in148
-rw-r--r--contrib/bind9/make/rules.in224
-rwxr-xr-xcontrib/bind9/mkinstalldirs40
-rw-r--r--contrib/bind9/version10
1135 files changed, 0 insertions, 526524 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
deleted file mode 100644
index 941b946db36a..000000000000
--- a/contrib/bind9/CHANGES
+++ /dev/null
@@ -1,5978 +0,0 @@
-
- --- 9.3.2 released ---
-
- --- 9.3.2rc1 released ---
-
-1936. [bug] The validator could leak memory. [RT #15544]
-
-1932. [bug] hpux: LDFLAGS was getting corrupted. [RT #15530]
-
- --- 9.3.2b2 released ---
-
-1930. [port] HPUX: ia64 support. [RT #15473]
-
-1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
-
-1926. [bug] The Windows installer did not check for empty
- passwords. BINDinstall was being installed in
- the wrong place. [RT #15483]
-
-1925. [port] All outer level AC_TRY_RUNs need cross compiling
- defaults. [RT #15469]
-
-1924. [port] libbind: hpux ia64 support. [RT #15473]
-
-1923. [bug] ns_client_detach() called too early. [RT #15499]
-
- --- 9.3.2b1 released ---
-
-1917. [doc] funcsynopsisinfo wasn't being treated as verbatim
- when generating man pages. [RT #15385]
-
-1915. [bug] dig +ndots was broken. [RT #15215]
-
-1914. [protocol] DS is required to accept mnemonic algorithms
- (RFC 4034). Still emit numeric algorithms for
- compatability with RFC 3658. [RT #15354]
-
-1911. [bug] Update windows socket code. [RT #14965]
-
-1910. [bug] dig's +sigchase code overhauled. [RT #14933]
-
-1909. [bug] The DLV code has been re-worked to make no longer
- query order sensitive. [RT #14933]
-
-1905. [bug] Strings returned from cfg_obj_asstring() should be
- treated as read-only. [RT #15256]
-
-1901. [cleanup] Don't add DNSKEY records to the additional section.
-
-1900. [bug] ixfr-from-differences failed to ensure that the
- serial number increased. [RT #15036]
-
-1896. [bug] Extend ISC_SOCKADDR_FORMATSIZE and
- ISC_NETADDR_FORMATSIZE to allow for scope details.
-
-1894. [bug] Recursive clients soft quota support wasn't working
- as expected. [RT #15103]
-
-1893. [bug] A escaped character is, potentially, converted to
- the output character set too early. [RT #14666]
-
-1892. [port] Use uintptr_t if available. [RT #14606]
-
-1889. [port] sunos: non blocking i/o support. [RT #14951]
-
-1887. [bug] The cache could delete expired records too fast for
- clients with a virtual time in the past. [RT #14991]
-
-1886. [bug] fctx_create() could return success even though it
- failed. [RT #14993]
-
-1884. [cleanup] dighost.c: move external declarations into <dig/dig.h>.
-
-1883. [bug] dnssec-signzone, dnssec-keygen: handle negative debug
- levels. [RT #14962]
-
-1881. [func] Add a system test for named-checkconf. [RT #14931]
-
-1877. [bug] Fix unreasonably low quantum on call to
- dns_rbt_destroy2(). Remove unnecessay unhash_node()
- call. [RT #14919]
-
-1875. [bug] process_dhtkey() was using the wrong memory context
- to free some memory. [RT #14890]
-
-1874. [port] sunos: portability fixes. [RT #14814]
-
-1873. [port] win32: isc__errno2result() now reports its caller.
- [RT #13753]
-
-1872. [port] win32: Handle ERROR_NETNAME_DELETED. [RT #13753]
-
-1867. [bug] It was possible to trigger a INSIST in
- dlv_validatezonekey(). [RT #14846]
-
-1866. [bug] resolv.conf parse errors were being ignored by
- dig/host/nslookup. [RT #14841]
-
-1865. [bug] Silently ignore nameservers in /etc/resolv.conf with
- bad addresses. [RT #14841]
-
-1864. [bug] Don't try the alternative transfer source if you
- got a answer / transfer with the main source
- address. [RT #14802]
-
-1863. [bug] rrset-order "fixed" error messages not complete.
-
-1861. [bug] dig could trigger a INSIST on certain malformed
- responses. [RT #14801]
-
-1860. [port] solaris 2.8: hack_shutup_pthreadmutexinit was
- incorrectly set. [RT #14775]
-
-1858. [bug] The flush-zones-on-shutdown option wasn't being
- parsed. [RT #14686]
-
-1857. [bug] named could trigger a INSIST() if reconfigured /
- reloaded too fast. [RT #14673]
-
-1856. [doc] Switch Docbook toolchain from DSSSL to XSL.
- [RT #11398]
-
-1855. [bug] ixfr-from-differences was failing to detect changes
- of ttl due to dns_diff_subtract() was ignoring the ttl
- of records. [RT #14616]
-
-1854. [bug] lwres also needs to know the print format for
- (long long). [RT #13754]
-
-1853. [bug] Rework how DLV interacts with proveunsecure().
- [RT #13605]
-
-1852. [cleanup] Remove last vestiges of dnssec-signkey and
- dnssec-makekeyset (removed from Makefile years ago).
-
-1850. [bug] Memory leak in lwres_getipnodebyaddr(). [RT #14591]
-
-1849. [doc] All forms of the man pages (docbook, man, html) should
- have consistant copyright dates.
-
-1848. [bug] Improve SMF integration. [RT #13238]
-
-1847. [bug] isc_ondestroy_init() is called too late in
- dns_rbtdb_create()/dns_rbtdb64_create().
- [RT #13661]
-
-1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer
- <bortzmeyer@nic.fr>.
-
-1845. [bug] Improve error reporting to distingish between
- accept()/fcntl() and socket()/fcntl() errors.
- [RT #13745]
-
-1844. [bug] inet_pton() accepted more that 4 hexadecimal digits
- for each 16 bit piece of the IPv6 address. The text
- representation of a IPv6 address has been tighted
- to disallow this (draft-ietf-ipv6-addr-arch-v4-02.txt).
- [RT #5662]
-
-1843. [cleanup] CINCLUDES takes precedence over CFLAGS. This helps
- when CFLAGS contains "-I /usr/local/include"
- resulting in old header files being used.
-
-1842. [port] cmsg_len() could produce incorrect results on
- some platform. [RT #13744]
-
-1841. [bug] "dig +nssearch" now makes a recursive query to
- find the list of nameservers to query. [RT #13694]
-
-1839. [bug] <isc/hash.h> was not being installed.
-
-1838. [cleanup] Don't allow Linux capabilities to be inherited.
- [RT #13707]
-
-1837. [bug] Compile time option ISC_FACILITY was not effective
- for 'named -u <user>'. [RT #13714]
-
-1836. [cleanup] Silence compiler warnings in hash_test.c.
-
-1835. [bug] Update dnssec-signzone's usage message. [RT #13657]
-
-1834. [bug] Bad memset in rdata_test.c. [RT #13658]
-
-1833. [bug] Race condition in isc_mutex_lock_profile(). [RT #13660]
-
-1832. [bug] named fails to return BADKEY on unknown TSIG algorithm.
- [RT #13620]
-
-1831. [doc] Update named-checkzone documentation. [RT#13604]
-
-1830. [bug] adb lame cache has sence of test reversed. [RT #13600]
-
-1829. [bug] win32: "pid-file none;" broken. [RT #13563]
-
-1828. [bug] isc_rwlock_init() failed to properly cleanup if it
- encountered a error. [RT #13549]
-
-1827. [bug] host: update usage message for '-a'. [RT #37116]
-
-1826. [bug] Missing DESTROYLOCK() in isc_mem_createx() on out
- of memory error. [RT #13537]
-
-1825. [bug] Missing UNLOCK() on out of memory error from in
- rbtdb.c:subtractrdataset(). [RT #13519]
-
-1824. [bug] Memory leak on dns_zone_setdbtype() failure.
- [RT #13510]
-
-1823. [bug] Wrong macro used to check for point to point interface.
- [RT#13418]
-
-1822. [bug] check-names test for RT was reversed. [RT #13382]
-
-1821. [doc] acls definitions are no longer required to be
- in named.conf prior to reference. They can be
- defined after being referenced.
-
-1820. [bug] Gracefully handle acl loops. [RT #13659]
-
-1819. [bug] The validator needed to check both the algorithm and
- digest types of the DS to determine if it could be
- used to introduce a secure zone. [RT #13593]
-
-1816. [port] UnixWare: failed to compile lib/isc/unix/net.c.
- [RT #13597]
-
-1815. [bug] nsupdate triggered a REQUIRE if the server was set
- without also setting the zone and it encountered
- a CNAME and was using TSIG. [RT #13086]
-
-1810. [bug] configure, lib/bind/configure make different default
- decisions about whether to do a threaded build.
- [RT #13212]
-
-1809. [bug] "make distclean" failed for libbind if the platform
- is not supported.
-
-1807. [bug] When forwarding (forward only) set the active domain
- from the forward zone name. [RT #13526]
-
-1804. [bug] Ensure that if we are queried for glue that it fits
- in the additional section or TC is set to tell the
- client to retry using TCP. [RT #10114]
-
-1803. [bug] dnssec-signzone sometimes failed to remove old
- RRSIGs. [RT #13483]
-
-1802. [bug] Handle connection resets better. [RT #11280]
-
-1799. [bug] 'rndc flushname' failed to flush negative cache
- entries. [RT #13438]
-
-1795. [bug] "rndc dumpdb" was not fully documented. Minor
- formating issues with "rndc dumpdb -all". [RT #13396]
-
-1791. [bug] 'host -t a' still printed out AAAA and MX records.
- [RT #13230]
-
- --- 9.3.1 released ---
-
-1818. [bug] 'named-checkconf -z' triggered an INSIST. [RT #13599]
-
- --- 9.3.1rc1 released ---
-
-1812. [port] win32: IN6_IS_ADDR_UNSPECIFIED macro is incorrect.
- [RT #13453]
-
-1808. [bug] zone.c:notify_zone() contained a race condition,
- zone->db could change underneath it. [RT #13511]
-
-1806. [bug] The resolver returned the wrong result when a CNAME /
- DNAME was encountered when fetching glue from a
- secure namespace. [RT #13501]
-
-1805. [bug] Pending status was not being cleared when DLV was
- active. [RT #13501]
-
- --- 9.3.1beta2 released ---
-
-1800. [bug] Changes #1719 allowed a INSIST to be triggered.
- [RT #13428]
-
- --- 9.3.1beta1 released ---
-
-1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
- allow parallel make to succeed.
-
-1789. [bug] Prerequisite test for tkey and dnssec could fail
- with "configure --with-libtool".
-
-1788. [bug] libbind9.la/libbind9.so needs to link against
- libisccfg.la/libisccfg.so.
-
-1787. [port] HPUX: both "cc" and "gcc" need -Wl,+vnocompatwarnings.
-
-1786. [port] AIX: libt_api needs to be taught to look for
- T_testlist in the main executable (--with-libtool).
- [RT #13239]
-
-1785. [bug] libbind9.la/libbind9.so needs to link against
- libisc.la/libisc.so.
-
-1784. [cleanup] "libtool -allow-undefined" is the default.
- Leave hooks in configure to allow it to be set
- if needed in the future.
-
-1783. [cleanup] We only need one copy of libtool.m4, ltmain.sh in the
- source tree.
-
-1782. [port] OSX: --with-libtool + --enable-libbind broke on
- __evOptMonoTime. [RT #13219]
-
-1781. [port] FreeBSD 5.3: set PTHREAD_SCOPE_SYSTEM. [RT #12810]
-
-1780. [bug] Update libtool to 1.5.10.
-
-1779. [port] OSF 5.1: libtool didn't handle -pthread correctly.
-
-1778. [port] HUX 11.11: fix broken IN6ADDR_ANY_INIT and
- IN6ADDR_LOOPBACK_INIT macros.
-
-1777. [port] OSF 5.1: fix broken IN6ADDR_ANY_INIT and
- IN6ADDR_LOOPBACK_INIT macros.
-
-1776. [port] Solaris 2.9: fix broken IN6ADDR_ANY_INIT and
- IN6ADDR_LOOPBACK_INIT macros.
-
-1775. [bug] Only compile getnetent_r.c when threaded. [RT #13205]
-
-1774. [port] Aix: Silence compiler warnings / build failures.
- [RT #13154]
-
-1773. [bug] Fast retry on host / net unreachable. [RT #13153]
-
-1770. [bug] named-checkconf failed to report missing a missing
- file clause for rbt{64} master/hint zones. [RT#13009]
-
-1769. [port] win32: change compiler flags /MTd ==> /MDd,
- /MT ==> /MD.
-
-1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
- rdataset. [RT #12907]
-
-1767. [port] Builds on IPv6 platforms without IPv6 Advanced API
- support for (struct in6_pktinfo) failed. [RT #13077]
-
-1766. [bug] Update the master file timestamp on successful refresh
- as well as the journal's timestamp. [RT# 13062]
-
-1765. [bug] configure --with-openssl=auto failed. [RT #12937]
-
-1764. [bug] dns_zone_replacedb failed to emit a error message
- if there was no SOA record in the replacment db.
- [RT #13016]
-
-1762. [bug] isc_interfaceiter_create() could return ISC_R_SUCCESS
- even when it failed. [RT #12995]
-
-1761. [bug] 'rndc dumpdb' didn't report unassociated entries.
- [RT #12971]
-
-1760. [bug] Host / net unreachable was not penalising rtt
- estimates. [RT #12970]
-
-1759. [bug] Named failed to startup if the OS supported IPv6
- but had no IPv6 interfaces configured. [RT #12942]
-
-1754. [bug] We wern't always attempting to query the parent
- server for the DS records at the zone cut.
- [RT #12774]
-
-1753. [bug] Don't serve a slave zone which has no NS records.
- [RT #12894]
-
-1752. [port] Move isc_app_start() to after ns_os_daemonise()
- as some fork() implementations unblock the signals
- that are blocked by isc_app_start(). [RT #12810]
-
-1751. [bug] --enable-getifaddrs failed under linux. [RT #12867]
-
-1750. [port] lib/bind/make/rules.in:subdirs was not bash friendly.
- [RT #12864]
-
-1749. [bug] 'check-names response ignore;' failed to ignore.
- [RT #12866]
-
-1747. [bug] BIND 8 compatability: named/named-checkconf failed
- to parse "host-statistics-max" in named.conf.
-
-1745. [bug] Dig/host/nslookup accept replies from link locals
- regardless of scope if no scope was specified when
- query was sent. [RT #12745]
-
-1744. [bug] If tuple2msgname() failed to convert a tuple to
- a name a REQUIRE could be triggered. [RT #12796]
-
-1743. [bug] If isc_taskmgr_create() was not able to create the
- requested number of worker threads then destruction
- of the manager would trigger an INSIST() failure.
- [RT #12790]
-
-1742. [bug] Deleting all records at a node then adding a
- previously existing record, in a single UPDATE
- transaction, failed to leave / regenerate the
- associated RRSIG records. [RT #12788]
-
-1741. [bug] Deleting all records at a node in a secure zone
- using a update-policy grant failed. [RT #12787]
-
-1740. [bug] Replace rbt's hash algorithm as it performed badly
- with certain zones. [RT #12729]
-
- NOTE: a hash context now needs to be established
- via isc_hash_create() if the application was not
- already doing this.
-
-1739. [bug] dns_rbt_deletetree() could incorrectly return
- ISC_R_QUOTA. [RT #12695]
-
-1738. [bug] Enable overrun checking by default. [RT #12695]
-
-1737. [bug] named failed if more than 16 masters were specified.
- [RT #12627]
-
-1736. [bug] dst_key_fromnamedfile() could fail to read a
- public key. [RT #12687]
-
-1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure.
- [RE #12688]
-
-1734. [cleanup] 'rndc-confgen -a -t' remove extra '/' in path.
- [RT #12588]
-
-1733. [bug] Return non-zero exit status on initial load failure.
- [RT #12658]
-
-1732. [bug] 'rrset-order name "*"' wasn't being applied to ".".
- [RT #12467]
-
-1731. [port] darwin: relax version test in ifconfig.sh.
- [RT #12581]
-
-1730. [port] Determine the length type used by the socket API.
- [RT #12581]
-
-1728. [doc] Update check-names documentation.
-
-1727. [bug] named-checkzone: check-names support didn't match
- documentation.
-
-1726. [port] aix5: add support for aix5.
-
-1725. [port] linux: update error message on interaction of threads,
- capabilities and setuid support (named -u). [RT #12541]
-
-1724. [bug] Look for DNSKEY records with "dig +sigtrace".
- [RT #12557]
-
-1723. [cleanup] Silence compiler warnings from t_tasks.c. [RT #12493]
-
-1722. [bug] Don't commit the journal on malformed ixfr streams.
- [RT #12519]
-
-1721. [bug] Error message from the journal processing were not
- always identifing the relevent journal. [RT #12519]
-
-1720. [bug] 'dig +chase' did not terminate on a RFC 2308 Type 1
- negative response. [RT #12506]
-
-1719. [bug] named was not correctly caching a RFC 2308 Type 1
- negative response. [RT #12506]
-
-1718. [bug] nsupdate was not handling RFC 2308 Type 3 negative
- responses when looking for the zone / master server.
- [RT #12506]
-
-1717. [port] solaris: ifconfig.sh did not support Solaris 10.
- "ifconfig.sh down" didn't work for Solaris 9.
-
-1716. [doc] named.conf(5) was being installed in the wrong
- location. [RT# 12441]
-
-1714. [bug] dig/host/nslookup were only trying the first
- address when a nameserver was specified by name.
- [RT #12286]
-
-1713. [port] linux: extend capset failure message to say:
- please ensure that the capset kernel module is
- loaded. see insmod(8)
-
-1712. [bug] Missing FULLCHECK for "trusted-key" in dig.
-
- --- 9.3.0 released ---
-
-1711. [func] 'rndc unfreeze' has been deprecated by 'rndc thaw'.
-
- --- 9.3.0rc4 released ---
-
-1709. [port] solaris: add SMF support.
-
-1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
- for conformance to the name space convention. Binary
- backward compatibility to the old function name is
- provided. [RT #12376]
-
-1707. [contrib] sdb/ldap updated to version 1.0-beta.
-
-1706. [bug] 'rndc stop' failed to cause zones to be flushed
- sometimes. [RT #12328]
-
-1704. [port] lwres needed a snprintf() implementation for
- platforms without snprintf(). Add missing
- "#include <isc/print.h>". [RT #12321]
-
-1703. [bug] named would loop sending NOTIFY messages when it
- failed to receive a response. [RT #12322]
-
-1702. [bug] also-notify should not be applied to builtin zones.
- [RT #12323]
-
-1701. [doc] A minimal named.conf man page.
-
-1700. [func] nslookup is no longer to be treated as deprecated.
- Remove "deprecated" warning message. Add man page.
-
-1699. [bug] dnssec-signzone can generate "not exact" errors
- when resigning. [RT #12281]
-
-1698. [doc] Use reserved IPv6 documentation prefix.
-
-1697. [bug] xxx-source{,-v6} was not effective when it
- specified one of listening addresses and a
- different port than the listening port. [RT #12257]
-
- --- 9.3.0rc3 released ---
-
-1696. [bug] dnssec-signzone failed to clean out nodes that
- consisted of only NSEC and RRSIG records.
- [RT #12154]
-
-1695. [bug] DS records when forwarding require special handling.
- [RT #12133]
-
-1694. [bug] Report if the builtin views of "_default" / "_bind"
- are defined in named.conf. [RT #12023]
-
-1693. [bug] max-journal-size was not effective for master zones
- with ixfr-from-differences set. [RT# 12024]
-
-1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
- /usr/lib. [RT #11971]
-
-1691. [bug] sdb's attachversion was not complete. [RT #11990]
-
-1690. [bug] Delay detaching view from the client until UPDATE
- processing completes when shutting down. [RT #11714]
-
-1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
- contained gratuitous semicolons. [RT #11707]
-
-1688. [bug] LDFLAGS was not supported.
-
-1687. [bug] Race condition in dispatch. [RT #10272]
-
-1686. [bug] Named sent a extraneous NOTIFY when it received a
- redundant UPDATE request. [RT #11943]
-
- --- 9.3.0rc2 released ---
-
-1685. [bug] Change #1679 loop tests weren't quite right.
-
-1683. [bug] dig +sigchase could leak memory. [RT #11445]
-
-1682. [port] Update configure test for (long long) printf format.
- [RT #5066]
-
-1681. [bug] Only set SO_REUSEADDR when a port is specified in
- isc_socket_bind(). [RT #11742]
-
-1679. [bug] When there was a single nameserver with multiple
- addresses for a zone not all addresses were tried.
- [RT #11706]
-
-1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
-
-1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
-
-1675. [bug] named would sometimes add extra NSEC records to
- the authority section.
-
-1674. [port] linux: increase buffer size used to scan
- /proc/net/if_inet6.
-
-1673. [port] linux: issue a error messages if IPv6 interface
- scans fails.
-
-1672. [cleanup] Tests which only function in a threaded build
- now return R:THREADONLY (rather than R:UNTESTED)
- in a non-threaded build.
-
-1671. [contrib] queryperf: add NAPTR to the list of known types.
-
-1670. [func] Log UPDATE requests to slave zones without an acl as
- "disabled" at debug level 3. [RT# 11657]
-
-1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
-
-1667. [port] linux: not all versions have IF_NAMESIZE.
-
-1666. [bug] The optional port on hostnames in dual-stack-servers
- was being ignored.
-
-1663. [func] Look for OpenSSL by default.
-
-1661. [bug] Restore dns_name_concatenate() call in
- adb.c:set_target(). [RT #11582]
-
-1660. [bug] win32: connection_reset_fix() was being called
- unconditionally. [RT #11595]
-
- --- 9.3.0rc1 released ---
-
-1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
-
-1662. [bug] Change #1658 failed to change one use of 'type'
- to 'keytype'.
-
-1659. [cleanup] Cleanup some messages that were referring to KEY vs
- DNSKEY, NXT vs NSEC and SIG vs RRSIG.
-
-1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
- and DH. Tighten which options apply to KEY and
- DNSKEY records.
-
-1657. [doc] ARM: document query log output.
-
-1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
- DNSKEY and RRSIG. [RT #11542]
-
-1655. [bug] Logging multiple versions w/o a size was broken.
- [RT #11446]
-
-1654. [bug] isc_result_totext() contained array bounds read
- error.
-
-1653. [func] Add key type checking to dst_key_fromfilename(),
- DST_TYPE_KEY should be used to read TSIG, TKEY and
- SIG(0) keys.
-
-1652. [bug] TKEY still uses KEY.
-
-1651. [bug] dig: process multiple dash options.
-
-1650. [bug] dig, nslookup: flush standard out after each command.
-
-1649. [bug] Silence "unexpected non-minimal diff" message.
- [RT #11206]
-
-1648. [func] Update dnssec-lookaside named.conf syntax to support
- multiple dnssec-lookaside namespaces (not yet
- implemented).
-
-1647. [bug] It was possible trigger a INSIST when chasing a DS
- record that required walking back over a empty node.
- [RT #11445]
-
-1646. [bug] win32: logging file versions didn't work with
- non-UNC filenames. [RT#11486]
-
-1645. [bug] named could trigger a REQUIRE failure if multiple
- masters with keys are specified.
-
-1644. [bug] Update the journal modification time after a
- sucessfull refresh query. [RT #11436]
-
-1643. [bug] dns_db_closeversion() could leak memory / node
- references. [RT #11163]
-
-1642. [port] Support OpenSSL implementations which don't have
- DSA support. [RT #11360]
-
-1641. [bug] Update the check-names description in ARM. [RT #11389]
-
- --- 9.3.0beta4 released ---
-
-1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
- incorrectly closing the socket. [RT #11291]
-
-1639. [func] Initial dlv system test.
-
-1638. [bug] "ixfr-from-differences" could generate a REQUIRE
- failure if the journal open failed. [RT #11347]
-
-1637. [bug] Node reference leak on error in addnoqname().
-
-1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
- a error had occured. The database version no longer
- matched the version of the database that was dumped.
-
-1635. [bug] Memory leak on error in query_addds().
-
-1634. [bug] named didn't supply a useful error message when it
- detected duplicate views. [RT #11208]
-
-1633. [bug] named should return NOTIMP to update requests to a
- slaves without a allow-update-forwarding acl specified.
- [RT #11331]
-
-1632. [bug] nsupdate failed to send prerequisite only UPDATE
- messages. [RT #11288]
-
-1631. [bug] dns_journal_compact() could sometimes corrupt the
- journal. [RT #11124]
-
-1630. [contrib] queryperf: add support for IPv6 transport.
-
-1629. [func] dig now supports IPv6 scoped addresses with the
- extended format in the local-server part. [RT #8753]
-
-1628. [bug] Typo in Compaq Trucluster support. [RT# 11264]
-
-1627. [bug] win32: sockets were not being closed when the
- last external reference was removed. [RT# 11179]
-
-1626. [bug] --enable-getifaddrs was broken. [RT#11259]
-
-1625. [bug] named failed to load/transfer RFC2535 signed zones
- which contained CNAMES. [RT# 11237]
-
-1606. [bug] DLV insecurity proof was failing.
-
-1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
-
- --- 9.3.0beta3 released ---
-
-1624. [bug] zonemgr_putio() call should be locked. [RT# 11163]
-
-1623. [bug] A serial number of zero was being displayed in the
- "sending notifies" log message when also-notify was
- used. [RT #11177]
-
-1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
- available, and suppress wildcard binding if not.
-
-1621. [bug] match-destinations did not work for IPv6 TCP queries.
- [RT# 11156]
-
-1620. [func] When loading a zone report if it is signed. [RT #11149]
-
-1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
- [RT# 11118]
-
-1618. [bug] Fencepost errors in dns_name_ishostname() and
- dns_name_ismailbox() could trigger a INSIST().
-
-1617. [port] win32: VC++ 6.0 support.
-
-1616. [compat] Ensure that named's version is visible in the core
- dump. [RT #11127]
-
-1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
- it is defined.
-
-1614. [port] win32: silence resource limit messages. [RT# 11101]
-
-1613. [bug] Builds would fail on machines w/o a if_nametoindex().
- Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
- [RT #11119]
-
-1612. [bug] check-names at the option/view level could trigger
- an INSIST. [RT# 11116]
-
-1611. [bug] solaris: IPv6 interface scanning failed to cope with
- no active IPv6 interfaces.
-
-1610. [bug] On dual stack machines "dig -b" failed to set the
- address type to be looked up with "@server".
- [RT #11069]
-
-1600. [bug] Duplicate zone pre-load checks were not case
- insensitive.
-
-1599. [bug] Fix memory leak on error path when checking named.conf.
-
-1598. [func] Specify that certain parts of the namespace must
- be secure (dnssec-must-be-secure).
-
- --- 9.3.0beta2 released ---
-
-1609. [func] dig now has support to chase DNSSEC signature chains.
- Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
-
- DNSSEC validation code in dig coded by Olivier Courtay
- (olivier.courtay@irisa.fr) for the IDsA project
- (http://idsa.irisa.fr).
-
-1608. [func] dig and host now accept -4/-6 to select IP transport
- to use when making queries.
-
-1607. [bug] dig, host and nslookup were still using random()
- to generate query ids. [RT# 11013]
-
-1604. [bug] A xfrout_ctx_create() failure would result in
- xfrout_ctx_destroy() being called with a
- partially initialized structure.
-
-1603. [bug] nsupdate: set interactive based on isatty().
- [RT# 10929]
-
-1602. [bug] Logging to a file failed unless a size was specified.
- [RT# 10925]
-
-1601. [bug] Silence spurious warning 'both "recursion no;" and
- "allow-recursion" active' warning from view "_bind".
- [RT# 10920]
-
-1594. [bug] 'rndc dumpdb' could prevent named from answering
- queries while the dump was in progress. [RT #10565]
-
-1593. [bug] rndc should return "unknown command" to unknown
- commands. [RT# 10642]
-
- --- 9.3.0beta1 released ---
-
-1592. [bug] configure_view() could leak a dispatch. [RT #10675]
-
-1591. [bug] libbind: updated to BIND 8.4.5.
-
-1590. [port] netbsd: update thread support.
-
-1589. [func] DNSSEC lookaside validation.
-
-1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
-
-1587. [bug] dns_message_settsigkey() failed to clear existing key.
- [RT #10590]
-
-1586. [func] "check-names" is now implemented.
-
-1584. [bug] "make test" failed with a read only source tree.
- [RT #10461]
-
-1583. [bug] Records add via UPDATE failed to get the correct trust
- level. [RT #10452]
-
-1582. [bug] rrset-order failed to work on RRsets with more
- than 32 elements. [RT #10381]
-
-1581. [func] Disable DNSSEC support by default. To enable
- DNSSEC specify "dnssec-enable yes;" in named.conf.
-
-1580. [bug] Zone destruction on final detach takes a long time.
- [RT #3746]
-
-1579. [bug] Multiple task managers could not be created.
-
-1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
- [RT #10346]
-
-1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
- workaround code. [RT #10331]
-
-1576. [bug] Race condition in dns_dispatch_addresponse().
- [RT# 10272]
-
-1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
-
-1574. [bug] Don't attempt to open the controls socket(s) when
- running tests. [RT #9091]
-
-1573. [port] linux: update to libtool 1.5.2 so that
- "make install DESTDIR=/xx" works with
- "configure --with-libtool". [RT #9941]
-
-1572. [bug] nsupdate: sign the soa query to find the enclosing
- zone if the server is specified. [RT #10148]
-
-1571. [bug] rbt:hash_node() could fail leaving the hash table
- in an inconsistent state. [RT #10208]
-
-1570. [bug] nsupdate failed to handle classes other than IN.
- New keyword 'class' which sets the default class.
- [RT #10202]
-
-1569. [func] nsupdate new command 'answer' which displays the
- complete answer message to the last update.
-
-1568. [bug] nsupdate now reports that the update failed in
- interactive mode. [RT# 10236]
-
-1567. [bug] B.ROOT-SERVERS.NET is now 192.228.79.201.
-
-1566. [port] Support for the cmsg framework on Solaris and HP/UX.
- This also solved the problem that match-destinations
- for IPv6 addresses did not work on these systems.
- [RT #10221]
-
-1565. [bug] CD flag should be copied to outgoing queries unless
- the query is under a secure entry point in which case
- CD should be set.
-
-1564. [func] Attempt to provide a fallback entropy source to be
- used if named is running chrooted and named is unable
- to open entropy source within the chroot area.
- [RT #10133]
-
-1563. [bug] Gracefully fail when unable to obtain neither an IPv4
- nor an IPv6 dispatch. [RT #10230]
-
-1562. [bug] isc_socket_create() and isc_socket_accept() could
- leak memory under error conditions. [RT #10230]
-
-1561. [bug] It was possible to release the same name twice if
- named ran out of memory. [RT #10197]
-
-1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
- and EAI_NONAME to the same value.
-
-1559. [port] named should ignore SIGFSZ.
-
-1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
- child zones for which we don't have a supported
- algorithm. Such child zones are treated as unsigned.
-
-1557. [func] Implement missing DNSSEC tests for
- * NOQNAME proof with wildcard answers.
- * NOWILDARD proof with NXDOMAIN.
- Cache and return NOQNAME with wildcard answers.
-
-1556. [bug] nsupdate now treats all names as fully qualified.
- [RT #6427]
-
-1555. [func] 'rrset-order cyclic' no longer has a random starting
- point. [RT #7572]
-
-1554. [bug] dig, host, nslookup failed when no nameservers
- were specified in /etc/resolv.conf. [RT #8232]
-
-1553. [bug] The windows socket code could stop accepting
- connections. [RT#10115]
-
-1552. [bug] Accept NOTIFY requests from mapped masters if
- matched-mapped is set. [RT #10049]
-
-1551. [port] Open "/dev/null" before calling chroot().
-
-1550. [port] Call tzset(), if available, before calling chroot().
-
-1549. [func] named-checkzone can now write out the zone contents
- in a easily parsable format (-D and -o).
-
-1548. [bug] When parsing APL records it was possible to silently
- accept out of range ADDRESSFAMILY values. [RT# 9979]
-
-1547. [bug] Named wasted memory recording duplicate lame zone
- entries. [RT #9341]
-
-1546. [bug] We were rejecting valid secure CNAME to negative
- answers.
-
-1545. [bug] It was possible to leak memory if named was unable to
- bind to the specified transfer source and TSIG was
- being used. [RT #10120]
-
-1544. [bug] Named would logged a single entry to a file despite it
- being over the specified size limit.
-
-1543. [bug] Logging using "versions unlimited" did not work.
-
-1541. [func] NSEC now uses new bitmap format.
-
-1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
- [RT #8934]
-
-1539. [bug] Open UDP sockets for notify-source and transfer-source
- that use reserved ports at startup. [RT #9475]
-
-1537. [func] New option "querylog". If set specify whether query
- logging is to be enabled or disabled at startup.
-
-1536. [bug] Windows socket code failed to log a error description
- when returning ISC_R_UNEXPECTED. [RT #9998]
-
-1534. [bug] Race condition when priming cache. [RT# 9940]
-
-1533. [func] Warn if both "recursion no;" and "allow-recursion"
- are active. [RT# 4389]
-
-1532. [port] netbsd: the configure test for <sys/sysctl.h>
- requires <sys/param.h>.
-
-1531. [port] AIX more libtool fixes.
-
-1530. [bug] It was possible to trigger a INSIST() failure if a
- slave master file was removed at just the correct
- moment. [RT #9462]
-
-1529. [bug] "notify explicit;" failed to log that NOTIFY messages
- were being sent for the zone. [RT# 9442]
-
-1528. [cleanup] Simplify some dns_name_ functions based on the
- deprecation of bitstring labels.
-
-1527. [cleanup] Reduce the number of gettimeofday() calls without
- losing necessary timer granularity.
-
-1525. [bug] dns_cache_create() could trigger a REQUIRE
- failure in isc_mem_put() during error cleanup.
- [RT# 9360]
-
-1524. [port] AIX needs to be able to resolve all symbols when
- creating shared libraries (--with-libtool).
-
-1523. [bug] Fix race condition in rbtdb. [RT# 9189]
-
-1522. [bug] dns_db_findnode() relax the requirements on 'name'.
- [RT# 9286]
-
-1521. [bug] dns_view_createresolver() failed to check the
- result from isc_mem_create(). [RT# 9294]
-
-1520. [protocol] Add SSHFP (SSH Finger Print) type.
-
-1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
- length of the new bitmap.
-
-1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
- contained a off-by-one error when working out the
- number of octets in the bitmap.
-
-1517. [port] Support for IPv6 interface scanning on HP/UX and
- TrueUNIX 5.1.
-
-1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
-
-1515. [func] Allow transfer source to be set in a server statement.
- [RT #6496]
-
-1514. [bug] named: isc_hash_destroy() was being called too early.
- [RT #9160]
-
-1513. [doc] Add "US" to root-delegation-only exclude list.
-
-1512. [bug] Extend the delegation-only logging to return query
- type, class and responding nameserver.
-
-1511. [bug] delegation-only was generating false positives
- on negative answers from subzones.
-
-1510. [func] New view option "root-delegation-only". Apply
- delegation-only check to all TLDs and root.
- Note there are some TLDs that are NOT delegation
- only (e.g. DE, LV, US and MUSEUM) these can be excluded
- from the checks by using exclude.
-
- root-delegation-only exclude {
- "DE"; "LV"; "US"; "MUSEUM";
- };
-
-1509. [bug] Hint zones should accept delegation-only. Forward
- zone should not accept delegation-only.
-
-1508. [bug] Don't apply delegation-only checks to answers from
- forwarders.
-
-1507. [bug] Handle BIND 8 style returns to NS queries to parents
- when making delegation-only checks.
-
-1506. [bug] Wrong return type for dns_view_isdelegationonly().
-
-1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
-
-1504. [func] New zone type "delegation-only".
-
-1503. [port] win32: install libeay32.dll outside of system32.
-
-1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
-
-1501. [func] Allow TCP queue length to be specified via
- named.conf, tcp-listen-queue.
-
-1500. [bug] host failed to lookup MX records. Also look up
- AAAA records.
-
-1475. [port] Probe for old sprintf().
-
-1474. [port] Provide strtoul() and memmove() for platforms
- without them.
-
-1469. [func] Log end of outgoing zone transfer at same level
- as the start of transfer is logged. [RT #4441]
-
-1468. [func] Internal zones are no longer counted for
- 'rndc status'. [RT #4706]
-
-1467. [func] $GENERATES now supports optional class and ttl.
-
-1458. [cleanup] sprintf() -> snprintf().
-
-1457. [port] Provide strlcat() and strlcpy() for platforms without
- them.
-
-1455. [bug] <netaddr> missing from server grammar in
- doc/misc/options. [RT #5616]
-
-1454. [port] Use getifaddrs() if available for interface scanning.
- --disable-getifaddrs to override. Glibc currently
- has a getifaddrs() that does not support IPv6.
- Use --enable-getifaddrs=glibc to force the use of
- this version under linux machines.
-
-1446. [func] Implemented undocumented alternate transfer sources
- from BIND 8. See use-alt-transfer-source,
- alt-transfer-source and alt-transfer-source-v6.
-
- SECURITY: use-alt-transfer-source is ENABLED unless
- you are using views. This may cause a security risk
- resulting in accidental disclosure of wrong zone
- content if the master supplying different source
- content based on IP address. If you are not certain
- ISC recommends setting use-alt-transfer-source no;
-
-1444. [func] dns_view_findzonecut2() allows you to specify if the
- cache should be searched for zone cuts.
-
-1443. [func] Masters lists can now be specified and referenced
- in zone masters clauses and other masters lists.
-
-1442. [func] New functions for manipulating port lists:
- dns_portlist_create(), dns_portlist_add(),
- dns_portlist_remove(), dns_portlist_match(),
- dns_portlist_attach() and dns_portlist_detach().
-
-1441. [func] It is now possible to tell dig to bind to a specific
- source port.
-
-1440. [func] It is now possible to tell named to avoid using
- certain source ports (avoid-v4-udp-ports,
- avoid-v6-udp-ports).
-
-1438. [func] Log TSIG (if any) when logging NOTIFY requests.
-
-1436. [func] dns_zonemgr_resumexfrs() can be used to restart
- stalled transfers.
-
-1433. [bug] named could trigger a REQUIRE failure if it could
- not get a file descriptor when attempting to write
- a master file. [RT #4347]
-
-1432. [func] The advertised EDNS UDP buffer size can now be set
- via named.conf (edns-udp-size).
-
-1430. [port] linux: IPv6 interface scanning support.
-
-1422. [func] Log name/type/class when denying a query. [RT #4663]
-
-1421. [func] Differentiate updates that don't succeed due to
- prerequisites (unsuccessful) vs other reasons
- (failed).
-
-1417. [func] ID.SERVER/CHAOS is now a built in zone.
- See "server-id" for how to configure.
-
-1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
- from SOA MINIMUM.
-
-1414. [func] Support for KSK flag.
-
-1413. [func] Explictly request the (re-)generation of DS records from
- keysets (dnssec-signzone -g).
-
-1412. [func] You can now specify servers to be tried if a nameserver
- has IPv6 address and you only support IPv4 or the
- reverse. See dual-stack-servers.
-
-1410. [func] Handle records that live in the parent zone, e.g. DS.
-
-1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
-
-1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
- buffer.
-
-1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
- dnssec-signkey now report their version in the
- usage message.
-
-1402. [cleanup] A6 has been moved to experimental and is no longer
- fully supported.
-
-1400. [bug] Block the addition of wildcard NS records by IXFR
- or UPDATE. [RT #3502]
-
-1398. [doc] ARM: notify-also should have been also-notify.
- [RT #4345]
-
-1396. [func] dnssec-signzone: adjust the default signing time by
- 1 hour to allow for clock skew.
-
-1394. [func] It is now possible to check if a particular element is
- in a acl. Remove duplicate entries from the localnets
- acl.
-
-1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
- is not available in the kernel to prevent accidently
- listening on IPv4 interfaces.
-
-1392. [bug] named-checkzone: update usage.
-
-1391. [func] Add support for IPv6 scoped addresses in named.
-
-1390. [func] host now supports ixfr.
-
-1386. [bug] named-checkzone -z stopped on errors in a zone.
- [RT #3653]
-
-1383. [func] Track the serial number in a IXFR response and log if
- a mismatch occurs. This is a more specific error than
- "not exact". [RT #3445]
-
-1380. [func] 'rndc recursing' dump recursing queries to
- 'recursing-file = "named.recursing";'.
-
-1379. [func] 'rndc status' now reports tcp and recursion quota
- states.
-
-1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
-
-1377. [func] dns_zone_load{new}() now reports if the zone was
- loaded, queued for loading to up to date.
-
-1376. [func] New function dns_zone_logc() to log to specified
- category.
-
-1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
- data cache.
-
-1374. [func] dns_adb_dump() now logs the lame zones associated
- with each server.
-
-1371. [bug] notify-source-v6, transfer-source-v6 and
- query-source-v6 with explicit addresses and using the
- same ports as named was listening on could interfere
- with named's ability to answer queries sent to those
- addresses.
-
-1368. [func] remove support for bitstring labels.
-
-1367. [func] Use response times to select forwarders.
-
-1365. [func] "localhost" and "localnets" acls now include IPv6
- addresses / prefixes.
-
-1364. [func] Log file name when unable to open memory statistics
- and dump database files. [RT# 3437]
-
-1363. [func] Listen-on-v6 now supports specific addresses.
-
-1362. [bug] remove IFF_RUNNING test when scanning interfaces.
-
-1361. [func] log the reason for rejecting a server when resolving
- queries.
-
-1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
-
-1344. [func] Log if the serial number on the master has gone
- backwards.
- If you have multiple machines specified in the masters
- clause you may want to set 'multi-master yes;' to
- suppress this warning.
-
-1343. [func] Log successful notifies received (info). Adjust log
- level for failed notifies to notice.
-
-1342. [func] Log remote address with TCP dispatch failures.
-
-1341. [func] Allow a rate limiter to be stalled.
-
-1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
- lookups. Bit string lookups are no longer attempted.
-
-1336. [func] Nibble lookups under IP6.ARPA are now supported by
- dns_byaddr_create(). dns_byaddr_createptrname() is
- deprecated, use dns_byaddr_createptrname2() instead.
-
-1332. [func] Report the current serial with periodic commits when
- rolling forward the journal.
-
-1331. [func] Generate DNSSEC wildcard proofs.
-
-1329. [func] named-checkzone will now check if nameservers that
- appear to be IP addresses. Available modes "fail",
- "warn" (default) and "ignore" the results of the
- check.
-
-1328. [bug] The validator could incorrectly verify an invalid
- negative proof.
-
-1322. [bug] dnssec-signzone usage message was misleading.
-
-1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
- would incorrectly duplicate its output and sign it.
-
-1313. [func] Query log now says if the query was signed (S) or
- if EDNS was used (E).
-
-1312. [func] Log TSIG key used w/ outgoing zone transfers.
-
-1309. [func] Log that a zone transfer was covered by a TSIG.
-
-1308. [func] DS (delegation signer) support.
-
-1304. [func] New function: dns_zone_name().
-
-1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
-
-1302. [func] Extended rndc dumpdb to support dumping of zones and
- view selection: 'dumpdb [-all|-zones|-cache] [view]'.
-
-1301. [func] New category 'update-security'.
-
-1300. [port] Compaq Trucluster support.
-
-1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
-
-1292. [func] Enable IPv6 support when using ioctl style interface
- scanning and OS supports SIOCGLIFADDR using struct
- if_laddrreq.
-
-1291. [func] Enable IPv6 support when using sysctl style interface
- scanning.
-
-1290. [func] "dig axfr" now reports the number of messages
- as well as the number of records.
-
-1285. [func] lwres: probe the system to see what address families
- are currently in use.
-
-1283. [func] Use "dataready" accept filter if available.
-
-1281. [func] Log zone when unable to get private keys to update
- zone. Log zone when NXT records are missing from
- secure zone.
-
-1278. [func] dig: now supports +[no]cl +[no]ttlid.
-
-1277. [func] You can now create your own customized printing
- styles: dns_master_stylecreate() and
- dns_master_styledestroy().
-
-1271. [bug] "recursion available: {denied,approved}" was too
- confusing.
-
-1267. [func] isc_file_openunique() now creates file using mode
- 0666 rather than 0600.
-
-1254. [func] preferred-glue option from BIND 8.3.
-
-1250. [func] Nsupdate will report the address the update was
- sent to.
-
-1247. [bug] Don't reset the interface index for link/site local
- addresses. [RT #2576]
-
-1246. [func] New functions isc_sockaddr_issitelocal(),
- isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
- and isc_netaddr_islinklocal().
-
-1243. [bug] It was possible to trigger a REQUIRE() in
- dns_message_findtype(). [RT #2659]
-
-1235. [func] Report 'out of memory' errors from openssl.
-
-1234. [bug] contrib/sdb: 'zonetodb' failed to call
- dns_result_register(). DNS_R_SEENINCLUDE should not
- be fatal.
-
-1233. [bug] The flags field of a KEY record can be expressed in
- hex as well as decimal.
-
-1226. [func] Use EDNS for zone refresh queries. [RT #2551]
-
-1225. [func] dns_message_setopt() no longer requires that
- dns_message_renderbegin() to have been called.
-
-1224. [bug] 'rrset-order' and 'sortlist' should be additive
- not exclusive.
-
-1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
- are supported.
-
-1220. [func] Support for APL rdata type.
-
-1219. [func] Named now reports the TSIG extended error code when
- signature verification fails. [RT #1651]
-
-1217. [func] Report locations of previous key definition when a
- duplicate is detected.
-
-1213. [func] Report view associated with client if it is not a
- standard view (_default or _bind).
-
-1203. [func] Report locations of previous acl and zone definitions
- when a duplicate is detected.
-
-1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
-
-1192. [bug] The seconds fields in LOC records were restricted
- to three decimal places. More decimal places should
- be allowed but warned about.
-
-1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
- [RT #2394]
-
-1187. [bug] named was incorrectly returning DNSSEC records
- in negative responses when the DO bit was not set.
-
-1181. [func] Add the "key-directory" configuration statement,
- which allows the server to look for online signing
- keys in alternate directories.
-
-1180. [func] dnssec-keygen should always generate keys with
- protocol 3 (DNSSEC), since it's less confusing
- that way.
-
-1179. [func] Add SIG(0) support to nsupdate.
-
-1177. [func] Report view when loading zones if it is not a
- standard view (_default or _bind). [RT #2270]
-
-1171. [func] Added function isc_region_compare(), updated files in
- lib/dns to use this function instead of local one.
-
-1169. [func] Identify recursive queries in the query log.
-
-1163. [func] isc_time_formattimestamp() now includes the year.
-
-1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
-
-1158. [func] Report the client's address when logging notify
- messages.
-
-1157. [func] match-clients and match-destinations now accept
- keys. [RT #2045]
-
-1155. [func] Recover from master files being removed from under
- us.
-
-1153. [func] 'rndc {stop|halt} -p' now reports the process id
- of the instance of named being shutdown.
-
-1151. [bug] nslookup failed to check that the arguments to
- the port, timeout, and retry options were
- valid integers and in range. [RT #2099]
-
-1150. [bug] named incorrectly accepted TTL values
- containing plus or minus signs, such as
- 1d+1h-1s.
-
-1149. [func] New function isc_parse_uint32().
-
-1148. [func] 'rndc-confgen -a' now provides positive feedback.
-
-1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
- the OS. listen-on-v6 { any; }; should no longer
- result in IPv4 queries be accepted. Similarly
- control { inet :: ... }; should no longer result
- in IPv4 connections being accepted. This can be
- overridden at compile time by defining
- ISC_ALLOW_MAPPED=1.
-
-1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
- supported by the OS by a new function
- isc_socket_ipv6only().
-
-1145. [func] "host" no longer reports a NOERROR/NODATA response
- by printing nothing. [RT #2065]
-
-1143. [bug] When a trusted-keys statement was present and named
- was built without crypto support, it would leak memory.
-
-1139. [func] It is now possible to flush a given name from the
- cache(s) via 'rndc flushname name [view]'. [RT #2051]
-
-1138. [func] It is now possible to flush a given name from the
- cache by calling the new function
- dns_cache_flushname().
-
-1137. [func] It is now possible to flush a given name from the
- ADB by calling the new function dns_adb_flushname().
-
-1135. [func] You can now override the default syslog() facility for
- named/lwresd at compile time. [RT #1982]
-
-1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
-
-1128. [func] sdb drivers can now provide RR data in either text
- or wire format, the latter using the new functions
- dns_sdb_putrdata() and dns_sdb_putnamedrdata().
-
-1127. [func] rndc: If the server to contact has multiple addresses,
- try all of them.
-
-1119. [func] Added support in Win32 for NTFS file/directory ACL's
- for access control.
-
-1115. [func] Set maximum values for cleaning-interval,
- heartbeat-interval, interface-interval,
- max-transfer-idle-in, max-transfer-idle-out,
- max-transfer-time-in, max-transfer-time-out,
- statistics-interval of 28 days and
- sig-validity-interval of 3660 days. [RT #2002]
-
-1110. [bug] dig should only accept valid abbreviations of +options.
- [RT #2003]
-
-1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
-
-1080. [bug] BIND 8 compatibility: accept bare IP prefixes
- as the second element of a two-element top level
- sort list statement. [RT #1964]
-
-1079. [bug] BIND 8 compatibility: accept bare elements at top
- level of sort list treating them as if they were
- a single element list. [RT #1963]
-
-1077. [func] Do not accept further recursive clients when
- the total number of recursive lookups being
- processed exceeds max-recursive-clients, even
- if some of the lookups are internally generated.
- [RT #1915, #1938]
-
-1073. [bug] The ADB cache cleaning should also be space driven.
- [RT #1915, #1938]
-
-1067. [func] Allow quotas to be soft, isc_quota_soft().
-
-1065. [func] Runtime support to select new / old style interface
- scanning using ioctls.
-
-1060. [func] Move refresh, stub and notify UDP retry processing
- into dns_request.
-
-1059. [func] dns_request now support will now retry UDP queries,
- dns_request_createvia2() and dns_request_createraw2().
-
-1058. [func] Limited lifetime ticker timers are now available,
- isc_timertype_limited.
-
-1055. [func] Version and hostname queries can now be disabled
- using "version none;" and "hostname none;",
- respectively.
-
-1049. [func] "pid-file none;" will disable writing a pid file.
- [RT #1848]
-
-1037. [bug] Negative responses whose authority section contain
- SOA or NS records whose owner names are not equal
- equal to or parents of the query name should be
- rejected. [RT #1862]
-
-1036. [func] Silently drop requests received via multicast as
- long as there is no final multicast DNS standard.
-
-1035. [bug] If we respond to multicast queries (which we
- currently do not), respond from a unicast address
- as specified in RFC 1123. [RT #137]
-
-1034. [bug] Ignore the RD bit on multicast queries as specified
- in RFC 1123. [RT #137]
-
-1032. [func] hostname.bind/txt/chaos now returns the name of
- the machine hosting the nameserver. This is useful
- in diagnosing problems with anycast servers.
-
-1025. [bug] Don't use multicast addresses to resolve iterative
- queries. [RT #101]
-
-1024. [port] Compilation failed on HP-UX 11.11 due to
- incompatible use of the SIOCGLIFCONF macro
- name. [RT #1831]
-
-1023. [func] Accept hints without TTLs.
-
-1011. [cleanup] Removed isc_dir_current().
-
-1009. [port] OpenUNIX 8 support. [RT #1728]
-
-1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
-
-1007. [port] config.guess, config.sub from autoconf-2.52.
-
-1003. [func] Add the +retry option to dig.
-
- 999. [func] "rndc retransfer zone [class [view]]" added.
- [RT #1752]
-
- 998. [func] named-checkzone now has arguments to specify the
- chroot directory (-t) and working directory (-w).
- [RT #1755]
-
- 997. [func] Add support for RSA-SHA1 keys (RFC3110).
-
- 996. [func] Issue warning if the configuration filename contains
- the chroot path.
-
- 994. [func] Treat non-authoritative responses to queries for type
- NS as referrals even if the NS records are in the
- answer section, because BIND 8 servers incorrectly
- send them that way. This is necessary for DNSSEC
- validation of the NS records of a secure zone to
- succeed when the parent is a BIND 8 server. [RT #1706]
-
- 993. [func] dig: -v now reports the version.
-
- 991. [func] Lower UDP refresh timeout messages to level
- debug 1.
-
- 985. [func] Consider network interfaces to be up iff they have
- a nonzero IP address rather than based on the
- IFF_UP flag. [RT #1160]
-
- 983. [func] The server now supports generating IXFR difference
- sequences for non-dynamic zones by comparing zone
- versions, when enabled using the new config
- option "ixfr-from-differences". [RT #1727]
-
- 982. [func] If "memstatistics-file" is set in options the memory
- statistics will be written to it.
-
- 981. [func] The dnssec tools can now take multiple '-r randomfile'
- arguments.
-
- 979. [func] Incremental master file dumping. dns_master_dumpinc(),
- dns_master_dumptostreaminc(), dns_dumpctx_attach(),
- dns_dumpctx_detach(), dns_dumpctx_cancel(),
- dns_dumpctx_db() and dns_dumpctx_version().
-
- 976. [func] named-checkconf can now test load master zones
- (named-checkconf -z). [RT #1468]
-
- 970. [func] 'max-journal-size' can now be used to set a target
- size for a journal.
-
- 969. [func] dig now supports the undocumented dig 8 feature
- of allowing arbitrary labels, not just dotted
- decimal quads, with the -x option. This can be
- used to conveniently look up RFC2317 names as in
- "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
-
- --- 9.2.3rc1 released ---
-
-1499. [bug] isc_random need to be seeded better if arc4random()
- is not used.
-
-1498. [port] bsdos: 5.x support.
-
-1497. [protocol] dig, nslookup and host now perform nibble lookups
- under IP6.ARPA, use -i for IP6.INT (dig and host).
- lwres now uses IP6.ARPA.
-
-1496. [port] test for pthread_attr_setstacksize().
-
-1495. [cleanup] Replace hash functions with universal hash.
-
-1494. [security] Turn on RSA BLINDING as a precaution.
-
-1493. [doc] A6 and "bitstring" labels are now experimental.
-
-1492. [cleanup] Preserve rwlock quota context when upgrading /
- downgrading. [RT #5599]
-
-1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
- lines. [RT #6206]
-
-1490. [bug] Accept reading state as well as working state in
- ns_client_next(). [RT #6813]
-
-1489. [compat] Treat 'allow-update' on slave zones as a warning.
- [RT #3469]
-
-1488. [bug] Don't override trust levels for glue addresses.
- [RT #5764]
-
-1487. [bug] A REQUIRE() failure could be triggered if a zone was
- queued for transfer and the zone was then removed.
- [RT #6189]
-
-1486. [bug] isc_print_snprintf() '%%' consumed one too many format
- characters. [RT# 8230]
-
-1485. [bug] gen failed to handle high type values. [RT #6225]
-
-1484. [bug] The number of records reported after a AXFR was wrong.
- [RT #6229]
-
-1483. [bug] dig axfr failed if the message id in the answer failed
- to match that in the request. Only the id in the first
- message is required to match. [RT #8138]
-
-1482. [bug] named could fail to start if the kernel supports
- IPv6 but no interfaces are configured. Similarly
- for IPv4. [RT #6229]
-
-1481. [bug] Refresh and stub queries failed to use masters keys
- if specified. [RT #7391]
-
-1480. [bug] Provide replay protection for rndc commands. Full
- replay protection requires both rndc and named to
- be updated. Partial replay protection (limited
- exposure after restart) is provided if just named
- is updated.
-
-1479. [bug] cfg_create_tuple() failed to handle out of
- memory cleanup. parse_list() would leak memory
- on syntax errors.
-
-1478. [port] ifconfig.sh didn't account for other virtual
- interfaces. It now takes a optional argument
- to specify the first interface number. [RT #3907]
-
-1477. [bug] memory leak using stub zones and TSIG.
-
-1476. [port] win32: port unreachables were blocking further i/o
- on sockets (Windows 2000 SP2 and later).
-
-1473. [bug] create_map() and create_string() failed to handle out
- of memory cleanup. [RT #6813]
-
-1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
-
-1471. [bug] libbind: updated to BIND 8.4.0.
-
-1470. [bug] Incorrect length passed to snprintf. [RT #5966]
-
-1466. [bug] lwresd configuration errors resulted in memory
- and lock leaks. [RT #5228]
-
-1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
- failed to check that trailing bits were zero allowing
- some invalid base64 strings to be accepted. [RT #5397]
-
-1464. [bug] Preserve "out of zone" data for outgoing zone
- transfers. [RT #5192]
-
-1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
- NXT bit maps. [RT #5577]
-
-1462. [bug] parse_sizeval() failed to check the token type.
- [RT #5586]
-
-1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
-
-1460. [bug] inet_pton() failed to reject certain malformed
- IPv6 literals.
-
-1459. [bug] win32: we were leaking a bits in the exception
- fd_set resulting in "Socket operation on non-socket"
- errors from select(). [RT #2966]
-
-1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
-
-1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
-
-1452. [bug] Bad #ifdef, ISC_RFC2335 -> ISC_RFC2535.
-
-1451. [bug] rndc-confgen didn't exit with a error code for all
- failures. [RT #5209]
-
-1450. [bug] Fetching expired glue failed under certain
- circumstances. [RT #5124]
-
-1449. [bug] query_addbestns() didn't handle running out of memory
- gracefully.
-
-1448. [bug] Handle empty wildcards labels.
-
-1447. [bug] We were casting (unsigned int) to and from (void *).
- rdataset->private4 is now rdataset->privateuint4
- to reflect a type change.
-
-1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
- been replaced with DNS_ADBFIND_STARTATZONE which
- causes the search to start using the closest zone.
-
-1439. [bug] Named could return NOERROR with certain NOTIFY
- failures. Return NOTAUTH if the NOTIFY zone is
- not being served.
-
-1435. [bug] zmgr_resume_xfrs() was being called read locked
- rather than write locked. zmgr_resume_xfrs()
- was not being called if the zone was being
- shutdown.
-
-1437. [bug] Leave space for stdio to work in. [RT #5033]
-
-1434. [bug] "rndc reconfig" failed to initiate the initial
- zone transfer of new slave zones.
-
-1431. [bug] isc_print_snprintf() "%s" with precision could walk off
- end of argument. [RT #5191]
-
-1429. [bug] Prevent the cache getting locked to old servers.
-
-1424. [bug] EDNS version not being correctly printed.
-
-1423. [contrib] queryperf: added A6 and SRV.
-
-1420. [port] solaris: work around gcc optimizer bug.
-
-1419. [port] openbsd: use /dev/arandom. [RT #4950]
-
-1418. [bug] 'rndc reconfig' did not cause new slaves to load.
-
-1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
- [RT #4715]
-
-1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
-
-1408. [bug] "make distclean" was not complete. [RT #4700]
-
-1407. [bug] lfsr incorrectly implements the shift register.
- [RT #4617]
-
-1406. [bug] dispatch initializes one of the LFSR's with a incorrect
- polynomial. [RT #4617]
-
-1405. [func] Use arc4random() if available.
-
-1401. [bug] adb wasn't clearing state when the timer expired.
-
-1399. [bug] Use serial number arithmetic when testing SIG
- timestamps. [RT #4268]
-
-1397. [bug] J.ROOT-SERVERS.NET is now 192.58.128.30.
-
-1389. [bug] named could fail to rotate long log files. [RT #3666]
-
-1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
- defining HAVE_IFLIST_SYSCTL. [RT #3770]
-
-1387. [bug] named could crash due to an access to invalid memory
- space (which caused an assertion failure) in
- incremental cleaning. [RT #3588]
-
-1385. [bug] Setting serial-query-rate to 10 would trigger a
- REQUIRE failure.
-
-1384. [bug] host was incompatible with BIND 8 in its exit code and
- in the output with the -l option. [RT #3536]
-
-1373. [bug] Recovery from expired glue failed under certain
- circumstances.
-
-1372. [bug] named crashes with an assertion failure on exit when
- sharing the same port for listening and querying, and
- changing listening addresses several times. [RT# 3509]
-
-1370. [bug] dig '+[no]recurse' was incorrectly documented.
-
-1369. [bug] Adding an NS record as the lexicographically last
- record in a secure zone didn't work.
-
-1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
-
-1348. [port] win32: Rewrote code to use I/O Completion Ports
- in socket.c and eliminating a host of socket
- errors. Performance is enhanced.
-
-1333. [contrib] queryperf now reports a summary of returned
- rcodes (-c), rcodes are printed in mnemonic form (-v).
-
-1299. [bug] Set AI_ADDRCONFIG when looking up addresses
- via getaddrinfo() (affects dig, host, nslookup, rndc
- and nsupdate).
-
-1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
- [RT #2436]
-
-1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
- [RT #2046]
-
- 992. [doc] dig: ~/.digrc is now documented.
-
- --- 9.2.2 released ---
-
-1428. [port] hpux: temporary work around of hpux 11.11 interface
- scanning.
-
-1427. [bug] Race condition in adb with threaded build.
-
-1426. [cleanup] Disable RFC2535 style DNSSEC. This is incompatible
- with the forthcoming DS style DNSSEC.
-
-1425. [port] linux/libbind: define __USE_MISC when testing *_r()
- function prototypes in netdb.h. [RT #4921]
-
-1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
- have a working implementation. [RT #4079]
-
-1382. [bug] make install failed with --enable-libbind. [RT #3656]
-
-1381. [bug] named failed to correctly process answers that
- contained DNAME records where the resulting CNAME
- resulted in a negative answer.
-
- --- 9.2.2rc1 released ---
-
-1360. [bug] --enable-libbind would fail when not built in the
- source tree for certain OS's.
-
-1359. [security] Support patches OpenSSL libraries.
- http://www.cert.org/advisories/CA-2002-23.html
-
-1358. [bug] It was possible to trigger a INSIST when debugging
- large dynamic updates. [RT #3390]
-
-1357. [bug] nsupdate was extremely wasteful of memory.
-
-1356. [tuning] Reduce the number of events / quantum for zone tasks.
-
-1354. [doc] lwres man pages had illegal nroff.
-
-1353. [contrib] sdb/ldap to version 0.9.
-
-1352. [bug] dig, host, nslookup when falling back to TCP use the
- current search entry (if any). [RT #3374]
-
-1351. [bug] lwres_getipnodebyname() returned the wrong name
- when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
- was set.
-
-1350. [bug] dns_name_fromtext() failed to handle too many labels
- gracefully.
-
-1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
- http://www.cert.org/advisories/CA-2002-23.html
-
-1346. [bug] Win32: select timeout in socket.c was too small
- as value given was meant to be milliseconds and
- timeval structure requires microseconds. This
- caused high CPU loads with a compute bound loop.
- [RT #3358]
-
-1345. [port] Use a explicit -Wformat with gcc. Not all versions
- include it in -Wall.
-
-1340. [bug] Delay and spread out the startup refresh load.
-
-1335. [bug] When performing a nonexistence proof, the validator
- should discard parent NXTs from higher in the DNS.
-
-1334. [bug] When signing/verifying rdatasets, duplicate rdatas
- need to be suppressed.
-
-1330. [bug] When processing events (non-threaded) only allow
- the task one chance to use to use its quantum.
-
-1327. [bug] The validator would incorrectly mark data as insecure
- when seeing a bogus signature before a correct
- signature.
-
-1326. [bug] DNAME/CNAME signatures were not being cached when
- validation was not being performed. [RT #3284]
-
-1325. [bug] If the tcpquota was exhausted it was possible to
- to trigger a INSIST() failure.
-
-1324. [port] darwin: ifconfig.sh now supports darwin.
-
-1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
-
-1320. [doc] query-source-v6 was missing from options section.
- [RT #3218]
-
-1319. [func] libbind: log attempts to exploit #1318.
-
-1318. [bug] libbind: Remote buffer overrun.
-
-1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
- element name.
-
-1316. [bug] libbind: gethostans() could get out of sync parsing
- the response if there was a very long CNAME chain.
-
-1315. [bug] Options should apply to the internal _bind view.
-
-1314. [port] Handle ECONNRESET from sendmsg() [unix].
-
-1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
-
-1310. [bug] 'rndc stop' failed to cause zones to be flushed
- sometimes. [RT #3157]
-
-1307. [bug] nsupdate: allow white space base64 key data.
-
-1306. [bug] Badly encoded LOC record when the size, horizontal
- precision or vertical precision was 0.1m.
-
-1305. [bug] Document that internal zones are included in the
- rndc status results.
-
-1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
- could be left with a trailing "\" after configure
- has been run.
-
-1297. [port] linux: make handling EINVAL from socket() no longer
- conditional on #ifdef LINUX.
-
-1296. [bug] isc_log_closefilelogs() needed to lock the log
- context.
-
-1295. [bug] isc_log_setdebuglevel() needed to lock the log
- context.
-
-1294. [func] libbind: no longer attempts bit string labels for
- IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
- for nibble style resolution.
-
-1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
-
-1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
- reflect written requirements.
-
-1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
- a rdataset to a zone db in the rbtdb implementation of
- addrdataset.
-
-1286. [bug] dns_name_downcase() enforce requirement that
- target != NULL or name->buffer != NULL.
-
-1284. [bug] The RTT estimate on unused servers was not aged.
- [RT #2569]
-
-1282. [port] libbind: hpux 11.11 interface scanning.
-
-1280. [bug] libbind: escape '(' and ')' when converting to
- presentation form.
-
-1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
-
-1276. [bug] libbind: const pointer conflicts in res_debug.c.
-
-1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
-
-1274. [bug] Memory leak in lwres_gnbarequest_parse().
-
-1273. [port] libbind: solaris: 64 bit binary compatibility.
-
-1272. [contrib] Berkeley DB 4.0 sdb implementation from
- Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
-
-1270. [bug] Check that system inet_pton() and inet_ntop() support
- AF_INET6.
-
-1269. [port] Openserver: ifconfig.sh support.
-
-1268. [port] Openserver: the value FD_SETSIZE depends on whether
- <sys/param.h> is included or not. Be consistent.
-
-1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
- __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
- are not C++ compatible, use *_TYPE versions instead.
-
-1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
- C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
-
-1263. [bug] Reference after free error if dns_dispatchmgr_create()
- failed.
-
-1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
-
-1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
- support for compressed TSIG owner names.
-
-1260. [func] libbind: res_update can now update IPv6 servers,
- new function res_findzonecut2().
-
-1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
- w/o sa_len.
-
-1258. [bug] libbind: res_nametotype() and res_nametoclass() were
- broken.
-
-1257. [bug] Failure to write pid-file should not be fatal on
- reload. [RT #2861]
-
-1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
-
-1255. [bug] When verifying that an NXT proves nonexistence, check
- the rcode of the message and only do the matching NXT
- check. That is, for NXDOMAIN responses, check that
- the name is in the range between the NXT owner and
- next name, and for NOERROR NODATA responses, check
- that the type is not present in the NXT bitmap.
-
-1253. [bug] The dnssec system test failed to remove the correct
- files.
-
-1252. [bug] Dig, host and nslookup were not checking the address
- the answer was coming from against the address it was
- sent to. [RT# 2692]
-
-1248. [bug] DESTDIR was not being propagated between makes.
-
-1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
- accept().
-
-1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
-
-1241. [bug] Drop received UDP messages with a zero source port
- as these are invariably forged. [RT #2621]
-
-1209. [bug] Dig, host, nslookup were not checking the message ids
- on the responses. [RT #2454]
-
-1097. [func] libbind: RES_PRF_TRUNC for dig.
-
-1096. [func] libbind: "DNSSEC OK" (DO) support.
-
-1095. [func] libbind: resolver option: no-tld-query. disables
- trying unqualified as a tld. no_tld_query is also
- supported for FreeBSD compatibility.
-
-1094. [func] libbind: add support gcc's format string checking.
-
-1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
- support.
-
- --- 9.2.1 released ---
-
-1251. [port] win32: a make file contained absolute version specific
- references.
-
-1249. [bug] Missing masters clause was not handled gracefully.
- [RT #2703]
-
-1244. [bug] Receiving a TCP message from a blackhole address would
- prevent further messages being received over that
- interface.
-
-1178. [bug] Follow and cache (if appropriate) A6 and other
- data chains to completion in the additional section.
-
- --- 9.2.1rc2 released ---
-
-1240. [bug] It was possible to leak zone references by
- specifying an incorrect zone to rndc.
-
-1239. [bug] Under certain circumstances named could continue to
- use a name after it had been freed triggering
- INSIST() failures. [RT #2614]
-
-1238. [bug] It is possible to lockup the server when shutting down
- if notifies were being processed. [RT #2591]
-
-1237. [bug] nslookup: "set q=type" failed.
-
-1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
- NULL terminated text regions. [RT #2588]
-
-1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
-
-1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
-
-1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
-
-1229. [bug] named would crash if it received a TSIG signed
- query as part of an AXFR response. [RT #2570]
-
-1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
-
-1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
- if a number was expected and some other token was
- found. [RT#2532]
-
-1222. [bug] Specifying 'port *' did not always result in a system
- selected (non-reserved) port being used. [RT #2537]
-
-1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
- compared case insensitively. [RT #2542]
-
-1218. [bug] Named incorrectly returned SERVFAIL rather than
- NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
-
-1216. [bug] Multiple server clauses for the same server were not
- reported. [RT #2514]
-
-1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
-
-1214. [bug] Win32: isc_file_renameunique() could leave zero length
- files behind.
-
-1212. [port] libbind: 64k answer buffers were causing stack space
- to be exceeded for certain OS. Use heap space instead.
-
-1211. [bug] dns_name_fromtext() incorrectly handled certain
- valid octal bitlabels. [RT #2483]
-
-1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
- compatible addresses. [RT #2461]
-
-1208. [bug] dns_master_load*() failed to log a error message if
- an error was detected when parsing the ownername of
- a record. [RT #2448]
-
- --- 9.2.1rc1 released ---
-
-1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
- an invalid pointer.
-
-1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
- trigger a non-EDNS retry.
-
-1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
- of the message. [RT #2449]
-
-1204. [bug] libbind: res_nupdate() failed to update the name
- server addresses before sending the update.
-
-1201. [bug] Require that if 'callbacks' is passed to
- dns_rdata_fromtext(), callbacks->error and
- callbacks->warn are initialized.
-
-1200. [bug] Log 'errno' that we are unable to convert to
- isc_result_t. [RT #2404]
-
-1198. [bug] OPT printing style was not consistent with the way the
- header fields are printed. The DO bit was not reported
- if set. Report if any of the MBZ bits are set.
-
-1197. [bug] Attempts to define the same acl multiple times were not
- detected.
-
-1196. [contrib] update mdnkit to 2.2.3.
-
-1195. [bug] Attempts to redefine builtin acls should be caught.
- [RT #2403]
-
-1194. [bug] Not all duplicate zone definitions were being detected
- at the named.conf checking stage. [RT #2431]
-
-1193. [bug] Best effort parsing didn't handle packet truncation.
-
-1191. [bug] A dynamic update removing the last non-apex name in
- a secure zone would fail. [RT #2399]
-
-1189. [bug] On some systems, malloc(0) returns NULL, which
- could cause the caller to report an out of memory
- error. [RT #2398]
-
-1188. [bug] Dynamic updates of a signed zone would fail if
- some of the zone private keys were unavailable.
-
-1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
- EOL token when reading to end of line.
-
-1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
- unless RES_INIT is set when calling res_*init().
-
-1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
- when res_*init() is called.
-
-1183. [bug] Handle ENOSR error when writing to the internal
- control pipe. [RT #2395]
-
-1182. [bug] The server could throw an assertion failure when
- constructing a negative response packet.
-
-1176. [doc] Document that allow-v6-synthesis is only performed
- for clients that are supplied recursive service.
- [RT #2260]
-
-1175. [bug] named-checkzone failed to call dns_result_register()
- at startup which could result in runtime
- exceptions when printing "out of memory" errors.
- [RT #2335]
-
-1174. [bug] Win32: add WSAECONNRESET to the expected errors
- from connect(). [RT #2308]
-
-1173. [bug] Potential memory leaks in isc_log_create() and
- isc_log_settag(). [RT #2336]
-
-1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
- table of RR types in ARM.
-
-1170. [bug] Don't attempt to print the token when a I/O error
- occurs when parsing named.conf. [RT #2275]
-
-1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
-
-1167. [contrib] nslint-2.1a3 (from author).
-
-1166. [bug] "Not Implemented" should be reported as NOTIMP,
- not NOTIMPL. [RT #2281]
-
-1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
-
-1164. [bug] Empty masters clauses in slave / stub zones were not
- handled gracefully. [RT #2262]
-
-1162. [bug] The allow-notify option was not accepted in slave
- zone statements.
-
-1161. [bug] named-checkzone looped on unbalanced brackets.
- [RT #2248]
-
-1160. [bug] Generating Diffie-Hellman keys longer than 1024
- bits could fail. [RT #2241]
-
-1156. [port] The configure test for strsep() incorrectly
- succeeded on certain patched versions of
- AIX 4.3.3. [RT #2190]
-
-1154. [bug] Don't attempt to obtain the netmask of a interface
- if there is no address configured. [RT #2176]
-
-1152. [bug] libbind: read buffer overflows.
-
-1144. [bug] rndc-confgen would crash if both the -a and -t
- options were specified. [RT #2159]
-
-1142. [bug] dnssec-signzone would fail to delete temporary files
- in some failure cases. [RT #2144]
-
-1141. [bug] When named rejected a control message, it would
- leak a file descriptor and memory. It would also
- fail to respond, causing rndc to hang.
- [RT #2139, #2164]
-
-1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
- to the -s option. [RT #2138]
-
-1136. [bug] CNAME records synthesized from DNAMEs did not
- have a TTL of zero as required by RFC2672.
- [RT #2129]
-
-1125. [bug] rndc: -k option was missing from usage message.
- [RT #2057]
-
-1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
- are now documented. [RT #2052]
-
-1123. [bug] dig +[no]fail did not match description. [RT #2052]
-
-1109. [bug] nsupdate accepted illegal ttl values.
-
-1108. [bug] On Win32, rndc was hanging when named was not running
- due to failure to select for exceptional conditions
- in select(). [RT #1870]
-
-1081. [bug] Multicast queries were incorrectly identified
- based on the source address, not the destination
- address.
-
-1072. [bug] The TCP client quota could be exceeded when
- recursion occurred. [RT #1937]
-
-1071. [bug] Sockets listening for TCP DNS connections
- specified an excessive listen backlog. [RT #1937]
-
-1070. [bug] Copy DNSSEC OK (DO) to response as specified by
- draft-ietf-dnsext-dnssec-okbit-03.txt.
-
-1014. [bug] Some queries would cause statistics counters to
- increment more than once or not at all. [RT #1321]
-
-1012. [bug] The -p option to named did not behave as documented.
-
- 988. [bug] 'additional-from-auth no;' did not work reliably
- in the case of queries answered from the cache.
- [RT #1436]
-
- 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
- target address should be fatal on a IPv4 only system.
-
- --- 9.2.0 released ---
-
-1134. [bug] Multi-threaded servers could deadlock in ferror()
- when reloading zone files. [RT #1951, #1998]
-
-1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
- platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
-
- --- 9.2.0rc10 released ---
-
-1131. [bug] The match-destinations view option did not work with
- IPv6 destinations. [RT #2073, #2074]
-
-1130. [bug] Log messages reporting an out-of-range serial number
- did not include the out-of-range number but the
- following token. [RT #2076]
-
-1129. [bug] Multi-threaded servers could crash under heavy
- resolution load due to a race condition. [RT #2018]
-
-1126. [bug] The server could access a freed event if shut
- down while a client start event was pending
- delivery. [RT #2061]
-
-1121. [bug] The server could attempt to access a NULL zone
- table if shut down while resolving.
- [RT #1587, #2054]
-
-1120. [bug] Errors in options were not fatal. [RT #2002]
-
-1118. [bug] On multi-threaded servers, a race condition
- could cause an assertion failure in resolver.c
- during resolver shutdown. [RT #2029]
-
-1117. [port] The configure check for in6addr_loopback incorrectly
- succeeded on AIX 4.3 when compiling with -O2
- because the test code was optimized away.
- [RT #2016]
-
-1116. [bug] Setting transfers in a server clause, transfers-in,
- or transfers-per-ns to a value greater than
- 2147483647 disabled transfers. [RT #2002]
-
-1114. [port] Ignore more accept() errors. [RT #2021]
-
-1113. [bug] The allow-update-forwarding option was ignored
- when specified in a view. [RT #2014]
-
-1111. [bug] Multi-threaded servers could deadlock processing
- recursive queries due to a locking hierarchy
- violation in adb.c. [RT #2017]
-
- --- 9.2.0rc9 released ---
-
-1107. [bug] nsupdate could catch an assertion failure if an
- invalid domain name was given as the argument to
- the "zone" command.
-
-1106. [bug] After seeing an out of range TTL, nsupdate would
- treat all TTLs as out of range. [RT #2001]
-
-1104. [bug] Invalid arguments to the transfer-format option
- could cause an assertion failure. [RT #1995]
-
-1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
-
-1102. [doc] Note that query logging is enabled by directing the
- queries category to a channel.
-
-1101. [bug] Array bounds read error in lwres_gai_strerror.
-
-1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
-
-1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
- compile time errors.
-
-1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
-
-1093. [doc] libbind: miscellaneous nroff fixes.
-
-1092. [bug] libbind: get*by*() failed to check if res_init() had
- been called.
-
-1091. [bug] libbind: misplaced va_end().
-
-1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
- the amount of memory consumed resulting in garbage
- address being returned. Alignment calculations were
- wasting space. We weren't suppressing duplicate
- addresses.
-
-1088. [port] libbind: MPE/iX C.70 (incomplete)
-
-1087. [bug] libbind: struct __res_state too large on 64 bit arch.
-
-1086. [port] libbind: sunos: old sprintf.
-
-1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
- exist when compiling in 64 bit mode.
-
-1084. [cleanup] libbind: gai_strerror() rewritten.
-
-1083. [bug] The default control channel listened on the
- wildcard address, not the loopback as documented.
- [RT #1975]
-
-1082. [bug] The -g option to named incorrectly caused logging
- to be sent to syslog in addition to stderr.
- [RT #1974]
-
-1078. [bug] We failed to correct bad tv_usec values in one case.
- [RT #1966]
-
-1076. [bug] A badly defined global key could trigger an assertion
- on load/reload if views were used. [RT #1947]
-
-1075. [bug] Out-of-range network prefix lengths were not
- reported. [RT #1954]
-
-1074. [bug] Running out of memory in dump_rdataset() could
- cause an assertion failure. [RT #1946]
-
- --- 9.2.0rc8 released ---
-
-1068. [bug] errno could be overwritten by catgets(). [RT #1921]
-
-1066. [bug] Provide a thread safe wrapper for strerror().
- [RT #1689]
-
-1064. [bug] Do not shut down active network interfaces if we
- are unable to scan the interface list. [RT #1921]
-
-1063. [bug] libbind: "make install" was failing on IRIX.
- [RT #1919]
-
-1062. [bug] If the control channel listener socket was shut
- down before server exit, the listener object could
- be freed twice. [RT #1916]
-
-1061. [bug] If periodic cache cleaning happened to start
- while cleaning due to reaching the configured
- maximum cache size was in progress, the server
- could catch an assertion failure. [RT #1912]
-
-1057. [bug] Reloading the server after adding a "file" clause
- to a zone statement could cause the server to
- crash due to a typo in change 1016.
-
-1056. [bug] Rndc could catch an assertion failure on SIGINT due
- to an uninitialized variable. [RT #1908]
-
- --- 9.2.0rc7 released ---
-
-1054. [bug] On Win32, cfg_categories and cfg_modules need to be
- exported from the libisccfg DLL.
-
-1053. [bug] Dig did not increase its timeout when receiving
- AXFRs unless the +time option was used. [RT #1904]
-
-1052. [bug] Journals were not being created in binary mode
- resulting in "journal format not recognized" error
- under Win32. [RT #1889]
-
-1051. [bug] Do not ignore a network interface completely just
- because it has a noncontiguous netmask. Instead,
- omit it from the localnets ACL and issue a warning.
- [RT #1891]
-
-1050. [bug] Log messages reporting malformed IP addresses in
- address lists such as that of the forwarders option
- failed to include the correct error code, file
- name, and line number. [RT #1890]
-
-1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
- didn't work.
-
-1047. [bug] named was incorrectly refusing all requests signed
- with a TSIG key derived from an unsigned TKEY
- negotiation with a NOERROR response. [RT #1886]
-
-1046. [bug] The help message for the --with-openssl configure
- option was inaccurate. [RT #1880]
-
-1045. [bug] It was possible to skip saving glue for a nameserver
- for a stub zone.
-
-1044. [bug] Specifying allow-transfer, notify-source, or
- notify-source-v6 in a stub zone was not treated
- as an error.
-
-1043. [bug] Specifying a transfer-source or transfer-source-v6
- option in the zone statement for a master zone was
- not treated as an error. [RT #1876]
-
-1042. [bug] The "config" logging category did not work properly.
- [RT #1873]
-
-1041. [bug] Dig/host/nslookup could catch an assertion failure
- on SIGINT due to an uninitialized variable. [RT #1867]
-
-1040. [bug] Multiple listen-on-v6 options with different ports
- were not accepted. [RT #1875]
-
-1039. [bug] Negative responses with CNAMEs in the answer section
- were cached incorrectly. [RT #1862]
-
-1038. [bug] In servers configured with a tkey-domain option,
- TKEY queries with an owner name other than the root
- could cause an assertion failure. [RT #1866, #1869]
-
-1033. [bug] Always respond to requests with an unsupported opcode
- with NOTIMP, even if we don't have a matching view
- or cannot determine the class.
-
- --- 9.2.0rc6 released ---
-
-1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
- [RT #1858]
-
-1030. [bug] On systems with no resolv.conf file, nsupdate
- exited with an error rather than defaulting
- to using the loopback address. [RT #1836]
-
-1029. [bug] Some named.conf errors did not cause the loading
- of the configuration file to return a failure
- status even though they were logged. [RT #1847]
-
-1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
- in the wrong directory. [RT #1833]
-
-1027. [bug] RRs having the reserved type 0 should be rejected.
- [RT #1471]
-
-1026. [port] Recognize OpenUNIX 8 in config.guess. [RT #1830]
-
-1022. [bug] Don't report empty root hints as "extra data".
- [RT #1802]
-
- --- 9.2.0rc5 released ---
-
-1021. [bug] On Win32, log message timestamps were one month
- later than they should have been, and the server
- would exhibit unspecified behavior in December.
-
-1020. [bug] IXFR log messages did not distinguish between
- true IXFRs, AXFR-style IXFRs, and mere version
- polls. [RT #1811]
-
-1019. [bug] The value of the lame-ttl option was limited to 18000
- seconds, not 1800 seconds as documented. [RT #1803]
-
-1018. [bug] The default log channel was not always initialized
- correctly. [RT #1813]
-
-1017. [bug] When specifying TSIG keys to dig and nsupdate using
- the -k option, they must be HMAC-MD5 keys. [RT #1810]
-
-1016. [bug] Slave zones with no backup file were re-transferred
- on every server reload.
-
-1015. [bug] Log channels that had a "versions" option but no
- "size" option failed to create numbered log
- files. [RT #1783]
-
- --- 9.2.0rc4 released ---
-
-1013. [bug] It was possible to cancel a query twice when marking
- a server as bogus or by having a blackhole acl.
- [RT #1776]
-
-1010. [bug] The server could attempt to execute a command channel
- command after initiating server shutdown, causing
- an assertion failure. [RT #1766]
-
-1006. [bug] If a KEY RR was found missing during DNSSEC validation,
- an assertion failure could subsequently be triggered
- in the resolver. [RT #1763]
-
-1005. [bug] Don't copy nonzero RCODEs from request to response.
- [RT #1765]
-
-1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
-
-1002. [bug] When reporting an unknown class name in named.conf,
- including the file name and line number. [RT #1759]
-
-1001. [bug] win32 socket code doio_recv was not catching a
- WSACONNRESET error when a client was timing out
- the request and closing its socket. [RT #1745]
-
-1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
- for class "HS". [RT #1759]
-
- --- 9.2.0rc3 released ---
-
- 990. [bug] The rndc-confgen man page was not installed.
-
- 989. [bug] Report filename if $INCLUDE fails for file related
- errors. [RT #1736]
-
- 987. [bug] "dig -help" didn't show "+[no]stats".
-
- 986. [bug] "dig +noall" failed to clear stats and command
- printing.
-
- 984. [bug] Multi-threading should be enabled by default on
- Solaris 2.7 and newer, but it wasn't.
-
- --- 9.2.0rc2 released ---
-
- 980. [bug] Incoming zone transfers restarting after an error
- could trigger an assertion failure. [RT #1692]
-
- 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
- condition.
-
- 977. [bug] Improve "not at top of zone" error message.
-
- 975. [bug] "max-cache-size default;" as a view option
- caused an assertion failure.
-
- 974. [bug] "max-cache-size unlimited;" as a global option
- was not accepted.
-
- 973. [bug] Failed to log the question name when logging:
- "bad zone transfer request: non-authoritative zone
- (NOTAUTH)".
-
- 972. [bug] The file modification time code in zone.c was using the
- wrong epoch. [RT #1667]
-
- 968. [bug] On win32, the isc_time_now() function was unnecessarily
- calling strtime(). [RT #1671]
-
- 967. [bug] On win32, the link for bindevt was not including the
- required resource file to enable the event viewer
- to interpret the error messages in the event log,
- [RT #1668]
-
- 966. [placeholder]
-
- 965. [bug] Including data other than root server NS and A
- records in the root hint file could cause a rbtdb
- node reference leak. [RT #1581, #1618]
-
- 964. [func] Warn if data other than root server NS and A records
- are found in the root hint file. [RT #1581, #1618]
-
- 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
-
- 962. [bug] libbind: bad "#undef", don't attempt to install
- non-existant nlist.h. [RT #1640]
-
- 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
- was not defined. [RT #1482]
-
- 960. [port] liblwres failed to build on systems with support for
- getrrsetbyname() in the OS. [RT #1592]
-
- 959. [port] On FreeBSD, determine the number of CPUs by calling
- sysctlbyname(). [RT #1584]
-
- 958. [port] ssize_t is not available on all platforms. [RT #1607]
-
- 957. [bug] sys/select.h inclusion was broken on older platforms.
- [RT #1607]
-
- 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
- in named/win32/os.c due to code changes in
- change #953. win32 .make file for rndc-confgen
- updated to add include path for os.h header.
-
- --- 9.2.0rc1 released ---
-
- 955. [bug] When using views, the zone's class was not being
- inherited from the view's class. [RT #1583]
-
- 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
- nslookup, the RD bit should not be set as zone
- transfers are inherently nonrecursive. [RT #1575]
-
- 953. [func] The /var/run/named.key file from change #843
- has been replaced by /etc/rndc.key. Both
- named and rndc will look for this file and use
- it to configure a default control channel key
- if not already configured using a different
- method (rndc.conf / controls). Unlike
- named.key, rndc.key is not created automatically;
- it must be created by manually running
- "rndc-confgen -a".
-
- 952. [bug] The server required manual intervention to serve the
- affected zones if it died between creating a journal
- and committing the first change to it.
-
- 951. [bug] CFLAGS was not passed to the linker when
- linking some of the test programs under
- bin/tests. [RT #1555].
-
- 950. [bug] Explicit TTLs did not properly override $TTL
- due to a bug in change 834. [RT #1558]
-
- 949. [bug] host was unable to print records larger than 512
- bytes. [RT #1557]
-
- --- 9.2.0b2 released ---
-
- 948. [port] Integrated support for building on Windows NT /
- Windows 2000.
-
- 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
- was really the RNAME field from RFC1035. To avoid
- confusion and silent errors that would occur it the
- "origin" and "mname" elements were given their correct
- names "mname" and "rname" respectively, the "mname"
- element is renamed to "contact".
-
- 946. [cleanup] doc/misc/options is now machine-generated from the
- configuration parser syntax tables, and therefore
- more likely to be correct.
-
- 945. [func] Add the new view-specific options
- "match-destinations" and "match-recursive-only".
-
- 944. [func] Check for expired signatures on load.
-
- 943. [bug] The server could crash when receiving a command
- via rndc if the configuration file listed only
- nonexistent keys in the controls statement. [RT #1530]
-
- 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
- defined on some platforms.
-
- 941. [bug] The configuration checker crashed if a slave
- zone didn't contain a masters statement. [RT #1514]
-
- 940. [bug] Double zone locking failure on error path. [RT #1510]
-
- --- 9.2.0b1 released ---
-
- 939. [port] Add the --disable-linux-caps option to configure for
- systems that manage capabilities outside of named.
- [RT #1503]
-
- 938. [placeholder]
-
- 937. [bug] A race when shutting down a zone could trigger a
- INSIST() failure. [RT #1034]
-
- 936. [func] Warn about IPv4 addresses that are not complete
- dotted quads. [RT #1084]
-
- 935. [bug] inet_pton failed to reject leading zeros.
-
- 934. [port] Deal with systems where accept() spuriously returns
- ECONNRESET.
-
- 933. [bug] configure failed doing libbind on platforms not
- supported by BIND 8. [RT #1496]
-
- --- 9.2.0a3 released ---
-
- 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
- when installing isc-config.sh.
- [RT #198, #1466]
-
- 931. [bug] The controls statement only attempted to verify
- messages using the first key in the key list.
- (9.2.0a1/a2 only).
-
- 930. [func] Query performance testing tool added as
- contrib/queryperf.
-
- 929. [placeholder]
-
- 928. [bug] nsupdate would send empty update packets if the
- send (or empty line) command was run after
- another send but before any new updates or
- prerequisites were specified. It should simply
- ignore this command.
-
- 927. [bug] Don't hold the zone lock for the entire dump to disk.
- [RT #1423]
-
- 926. [bug] The resolver could deadlock with the ADB when
- shutting down (multi-threaded builds only).
- [RT #1324]
-
- 925. [cleanup] Remove openssl from the distribution; require that
- --with-openssl be specified if DNSSEC is needed.
-
- 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
- [RT #987]
-
- 923. [bug] Multiline TSIG secrets (and other multiline strings)
- were not accepted in named.conf. [RT #1469]
-
- 922. [func] Added two new lwres_getrrsetbyname() result codes,
- ERR_NONAME and ERR_NODATA.
-
- 921. [bug] lwres returned an incorrect error code if it received
- a truncated message.
-
- 920. [func] Increase the lwres receive buffer size to 16K.
- [RT #1451]
-
- 919. [placeholder]
-
- 918. [func] In nsupdate, TSIG errors are no longer treated as
- fatal errors.
-
- 917. [func] New nsupdate command 'key', allowing TSIG keys to
- be specified in the nsupdate command stream rather
- than the command line.
-
- 916. [bug] Specifying type ixfr to dig without specifying
- a serial number failed in unexpected ways.
-
- 915. [func] The named-checkconf and named-checkzone programs
- now have a '-v' option for printing their version.
- [RT #1151]
-
- 914. [bug] Global 'server' statements were rejected when
- using views, even though they were accepted
- in 9.1. [RT #1368]
-
- 913. [bug] Cache cleaning was not sufficiently aggressive.
- [RT #1441, #1444]
-
- 912. [bug] Attempts to set the 'additional-from-cache' or
- 'additional-from-auth' option to 'no' in a
- server with recursion enabled will now
- be ignored and cause a warning message.
- [RT #1145]
-
- 911. [placeholder]
-
- 910. [port] Some pre-RFC2133 IPv6 implementations do not define
- IN6ADDR_ANY_INIT. [RT #1416]
-
- 908. [func] New program, rndc-confgen, to simplify setting up rndc.
-
- 907. [func] The ability to get entropy from either the
- random device, a user-provided file or from
- the keyboard was migrated from the DNSSEC tools
- to libisc as isc_entropy_usebestsource().
-
- 906. [port] Separated the system independent portion of
- lib/isc/unix/entropy.c into lib/isc/entropy.c
- and added lib/isc/win32/entropy.c.
-
- 905. [bug] Configuring a forward "zone" for the root domain
- did not work. [RT #1418]
-
- 904. [bug] The server would leak memory if attempting to use
- an expired TSIG key. [RT #1406]
-
- 903. [bug] dig should not crash when receiving a TCP packet
- of length 0.
-
- 902. [bug] The -d option was ignored if both -t and -g were also
- specified.
-
- 901. [placeholder]
-
- 900. [bug] A config.guess update changed the system identification
- string of FreeBSD systems; configure and
- bin/tests/system/ifconfig.sh now recognize the new
- string.
-
- --- 9.2.0a2 released ---
-
- 899. [bug] lib/dns/soa.c failed to compile on many platforms
- due to inappropriate use of a void value.
- [RT #1372, #1373, #1386, #1387, #1395]
-
- 898. [bug] "dig" failed to set a nonzero exit status
- on UDP query timeout. [RT #1323]
-
- 897. [bug] A config.guess update changed the system identification
- string of UnixWare systems; configure now recognizes
- the new string.
-
- 896. [bug] If a configuration file is set on named's command line
- and it has a relative pathname, the current directory
- (after any possible jailing resulting from named -t)
- will be prepended to it so that reloading works
- properly even when a directory option is present.
-
- 895. [func] New function, isc_dir_current(), akin to POSIX's
- getcwd().
-
- 894. [bug] When using the DNSSEC tools, a message intended to warn
- when the keyboard was being used because of the lack
- of a suitable random device was not being printed.
-
- 893. [func] Removed isc_file_test() and added isc_file_exists()
- for the basic functionality that was being added
- with isc_file_test().
-
- 892. [placeholder]
-
- 891. [bug] Return an error when a SIG(0) signed response to
- an unsigned query is seen. This should actually
- do the verification, but it's not currently
- possible. [RT #1391]
-
- 890. [cleanup] The man pages no longer require the mandoc macros
- and should now format cleanly using most versions of
- nroff, and HTML versions of the man pages have been
- added. Both are generated from DocBook source.
-
- 889. [port] Eliminated blank lines before .TH in nroff man
- pages since they cause problems with some versions
- of nroff. [RT #1390]
-
- 888. [bug] Don't die when using TKEY to delete a nonexistent
- TSIG key. [RT #1392]
-
- 887. [port] Detect broken compilers that can't call static
- functions from inline functions. [RT #1212]
-
- 866. [func] Close debug only file channels when debug is set to
- zero. [RT #1246]
-
- 865. [bug] The new configuration parser did not allow
- the optional debug level in a "severity debug"
- clause of a logging channel to be omitted.
- This is now allowed and treated as "severity
- debug 1;" like it does in BIND 8.2.4, not as
- "severity debug 0;" like it did in BIND 9.1.
- [RT #1367]
-
- 864. [cleanup] Multi-threading is now enabled by default on
- OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
-
- 863. [bug] If an error occurred while an outgoing zone transfer
- was starting up, the server could access a domain
- name that had already been freed when logging a
- message saying that the transfer was starting.
- [RT #1383]
-
- 862. [bug] Use after realloc(), non portable pointer arithmetic in
- grmerge().
-
- 861. [port] Add support for Mac OS X, by making it equivalent
- to Darwin. This was derived from the config.guess
- file shipped with Mac OS X. [RT #1355]
-
- 860. [func] Drop cross class glue in zone transfers.
-
- 859. [bug] Cache cleaning now won't swamp the CPU if there
- is a persistent overlimit condition.
-
- 858. [func] isc_mem_setwater() no longer requires that when the
- callback function is non-NULL then its hi_water
- argument must be greater than its lo_water argument
- (they can now be equal) or that they be non-zero.
-
- 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
- structs, for our friends in EBCDIC-land.
-
- 856. [func] Allow partial rdatasets to be returned in answer and
- authority sections to help non-TCP capable clients
- recover from truncation. [RT #1301]
-
- 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
-
- 854. [bug] The config parser didn't properly handle config
- options that were specified in units of time other
- than seconds. [RT #1372]
-
- 853. [bug] configure_view_acl() failed to detach existing acls.
- [RT #1374]
-
- 852. [bug] Handle responses from servers which do not know
- about IXFR.
-
- 851. [cleanup] The obsolete support-ixfr option was not properly
- ignored.
-
- --- 9.2.0a1 released ---
-
- 850. [bug] dns_rbt_findnode() would not find nodes that were
- split on a bitstring label somewhere other than in
- the last label of the node. [RT #1351]
-
- 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
-
- 848. [func] A minimum max-cache-size of two megabytes is enforced
- by the cache cleaner.
-
- 847. [func] Added isc_file_test(), which currently only has
- some very basic functionality to test for the
- existence of a file, whether a pathname is absolute,
- or whether a pathname is the fundamental representation
- of the current directory. It is intended that this
- function can be expanded to test other things a
- programmer might want to know about a file.
-
- 846. [func] A non-zero 'param' to dst_key_generate() when making an
- hmac-md5 key means that good entropy is not required.
-
- 845. [bug] The access rights on the public file of a symmetric
- key are now restricted as soon as the file is opened,
- rather than after it has been written and closed.
-
- 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
- just as <lwres/net.h> does.
-
- 843. [func] If no controls statement is present in named.conf,
- or if any inet phrase of a controls statement is
- lacking a keys clause, then a key will be automatically
- generated by named and an rndc.conf-style file
- named named.key will be written that uses it. rndc
- will use this file only if its normal configuration
- file, or one provided on the command line, does not
- exist.
-
- 842. [func] 'rndc flush' now takes an optional view.
-
- 841. [bug] When sdb modules were not declared threadsafe, their
- create and destroy functions were not serialized.
-
- 840. [bug] The config file parser could print the wrong file
- name if an error was detected after an included file
- was parsed. [RT #1353]
-
- 839. [func] Dump packets for which there was no view or that the
- class could not be determined to category "unmatched".
-
- 838. [port] UnixWare 7.x.x is now suported by
- bin/tests/system/ifconfig.sh.
-
- 837. [cleanup] Multi-threading is now enabled by default only on
- OSF1, Solaris 2.7 and newer, and AIX.
-
- 836. [func] Upgraded libtool to 1.4.
-
- 835. [bug] The dispatcher could enter a busy loop if
- it got an I/O error receiving on a UDP socket.
- [RT #1293]
-
- 834. [func] Accept (but warn about) master files beginning with
- an SOA record without an explicit TTL field and
- lacking a $TTL directive, by using the SOA MINTTL
- as a default TTL. This is for backwards compatibility
- with old versions of BIND 8, which accepted such
- files without warning although they are illegal
- according to RFC1035.
-
- 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
- <dns/soa.h>, and extended them to support
- all the integer-valued fields of the SOA RR.
-
- 832. [bug] The default location for named.conf in named-checkconf
- should depend on --sysconfdir like it does in named.
- [RT #1258]
-
- 831. [placeholder]
-
- 830. [func] Implement 'rndc status'.
-
- 829. [bug] The DNS_R_ZONECUT result code should only be returned
- when an ANY query is made with DNS_DBFIND_GLUEOK set.
- In all other ANY query cases, returning the delegation
- is better.
-
- 828. [bug] The errno value from recvfrom() could be overwritten
- by logging code. [RT #1293]
-
- 827. [bug] When an IXFR protocol error occurs, the slave
- should retry with AXFR.
-
- 826. [bug] Some IXFR protocol errors were not detected.
-
- 825. [bug] zone.c:ns_query() detached from the wrong zone
- reference. [RT #1264]
-
- 824. [bug] Correct line numbers reported by dns_master_load().
- [RT #1263]
-
- 823. [func] The output of "dig -h" now goes to stdout so that it
- can easily be piped through "more". [RT #1254]
-
- 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
- [RT #1248]
-
- 821. [bug] The program name used when logging to syslog should
- be stripped of leading path components.
- [RT #1178, #1232]
-
- 820. [bug] Name server address lookups failed to follow
- A6 chains into the glue of local authoritative
- zones.
-
- 819. [bug] In certain cases, the resolver's attempts to
- restart an address lookup at the root could cause
- the fetch to deadlock (with itself) instead of
- restarting. [RT #1225]
-
- 818. [bug] Certain pathological responses to ANY queries could
- cause an assertion failure. [RT #1218]
-
- 817. [func] Adjust timeouts for dialup zone queries.
-
- 816. [bug] Report potential problems with log file accessibility
- at configuration time, since such problems can't
- reliably be reported at the time they actually occur.
-
- 815. [bug] If a log file was specified with a path separator
- character (i.e. "/") in its name and the directory
- did not exist, the log file's name was treated as
- though it were the directory name. [RT #1189]
-
- 814. [bug] Socket objects left over from accept() failures
- were incorrectly destroyed, causing corruption
- of socket manager data structures.
-
- 813. [bug] File descriptors exceeding FD_SETSIZE were handled
- badly. [RT #1192]
-
- 812. [bug] dig sometimes printed incomplete IXFR responses
- due to an uninitialized variable. [RT #1188]
-
- 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
-
- 810. [bug] The signer name in SIG records was not properly
- downcased when signing/verifying records. [RT #1186]
-
- 809. [bug] Configuring a non-local address as a transfer-source
- could cause an assertion failure during load.
-
- 808. [func] Add 'rndc flush' to flush the server's cache.
-
- 807. [bug] When setting up TCP connections for incoming zone
- transfers, the transfer-source port was not
- ignored like it should be.
-
- 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
- the calling stack to the zone maintence level, causing
- zones to not reload when an included file was touched
- but the top-level zone file was not.
-
- 805. [bug] When using "forward only", missing root hints should
- not cause queries to fail. [RT #1143]
-
- 804. [bug] Attempting to obtain entropy could fail in some
- situations. This would be most common on systems
- with user-space threads. [RT #1131]
-
- 803. [bug] Treat all SIG queries as if they have the CD bit set,
- otherwise no data will be returned [RT #749]
-
- 802. [bug] DNSSEC key tags were computed incorrectly in almost
- all cases. [RT #1146]
-
- 801. [bug] nsupdate should treat lines beginning with ';' as
- comments. [RT #1139]
-
- 800. [bug] dnssec-signzone produced incorrect statistics for
- large zones. [RT #1133]
-
- 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
- glue was also present.
-
- 798. [bug] nsupdate should be able to reject bad input lines
- and continue. [RT #1130]
-
- 797. [func] Issue a warning if the 'directory' option contains
- a relative path. [RT #269]
-
- 796. [func] When a size limit is associated with a log file,
- only roll it when the size is reached, not every
- time the log file is opened. [RT #1096]
-
- 795. [func] Add the +multiline option to dig. [RT #1095]
-
- 794. [func] Implement the "port" and "default-port" statements
- in rndc.conf.
-
- 793. [cleanup] The DNSSEC tools could create filenames that were
- illegal or contained shell metacharacters. They
- now use a different text encoding of names that
- doesn't have these problems. [RT #1101]
-
- 792. [cleanup] Replace the OMAPI command channel protocol with a
- simpler one.
-
- 791. [bug] The command channel now works over IPv6.
-
- 790. [bug] Wildcards created using dynamic update or IXFR
- could fail to match. [RT #1111]
-
- 789. [bug] The "localhost" and "localnets" ACLs did not match
- when used as the second element of a two-element
- sortlist item.
-
- 788. [func] Add the "match-mapped-addresses" option, which
- causes IPv6 v4mapped addresses to be treated as
- IPv4 addresses for the purpose of acl matching.
-
- 787. [bug] The DNSSEC tools failed to downcase domain
- names when mapping them into file names.
-
- 786. [bug] When DNSSEC signing/verifying data, owner names were
- not properly downcased.
-
- 785. [bug] A race condition in the resolver could cause
- an assertion failure. [RT #673, #872, #1048]
-
- 784. [bug] nsupdate and other programs would not quit properly
- if some signals were blocked by the caller. [RT #1081]
-
- 783. [bug] Following CNAMEs could cause an assertion failure
- when either using an sdb database or under very
- rare conditions.
-
- 782. [func] Implement the "serial-query-rate" option.
-
- 781. [func] Avoid error packet loops by dropping duplicate FORMERR
- responses. [RT #1006]
-
- 780. [bug] Error handling code dealing with out of memory or
- other rare errors could lead to assertion failures
- by calling functions on unitialized names. [RT #1065]
-
- 779. [func] Added the "minimal-responses" option.
-
- 778. [bug] When starting cache cleaning, cleaning_timer_action()
- returned without first pausing the iterator, which
- could cause deadlock. [RT #998]
-
- 777. [bug] An empty forwarders list in a zone failed to override
- global forwarders. [RT #995]
-
- 776. [func] Improved error reporting in denied messages. [RT #252]
-
- 775. [placeholder]
-
- 774. [func] max-cache-size is implemented.
-
- 773. [func] Added isc_rwlock_trylock() to attempt to lock without
- blocking.
-
- 772. [bug] Owner names could be incorrectly omitted from cache
- dumps in the presence of negative caching entries.
- [RT #991]
-
- 771. [cleanup] TSIG errors related to unsynchronized clocks
- are logged better. [RT #919]
-
- 770. [func] Add the "edns yes_or_no" statement to the server
- clause. [RT #524]
-
- 769. [func] Improved error reporting when parsing rdata. [RT #740]
-
- 768. [bug] The server did not emit an SOA when a CNAME
- or DNAME chain ended in NXDOMAIN in an
- authoritative zone.
-
- 767. [placeholder]
-
- 766. [bug] A few cases in query_find() could leak fname.
- This would trigger the mpctx->allocated == 0
- assertion when the server exited.
- [RT #739, #776, #798, #812, #818, #821, #845,
- #892, #935, #966]
-
- 765. [func] ACL names are once again case insensitive, like
- in BIND 8. [RT #252]
-
- 764. [func] Configuration files now allow "include" directives
- in more places, such as inside the "view" statement.
- [RT #377, #728, #860]
-
- 763. [func] Configuration files no longer have reserved words.
- [RT #731, #753]
-
- 762. [cleanup] The named.conf and rndc.conf file parsers have
- been completely rewritten.
-
- 761. [bug] _REENTRANT was still defined when building with
- --disable-threads.
-
- 760. [contrib] Significant enhancements to the pgsql sdb driver.
-
- 759. [bug] The resolver didn't turn off "avoid fetches" mode
- when restarting, possibly causing resolution
- to fail when it should not. This bug only affected
- platforms which support both IPv4 and IPv6. [RT #927]
-
- 758. [bug] The "avoid fetches" code did not treat negative
- cache entries correctly, causing fetches that would
- be useful to be avoided. This bug only affected
- platforms which support both IPv4 and IPv6. [RT #927]
-
- 757. [func] Log zone transfers.
-
- 756. [bug] dns_zone_load() could "return" success when no master
- file was configured.
-
- 755. [bug] Fix incorrectly formatted log messages in zone.c.
-
- 754. [bug] Certain failure conditions sending UDP packets
- could cause the server to retry the transmission
- indefinitely. [RT #902]
-
- 753. [bug] dig, host, and nslookup would fail to contact a
- remote server if getaddrinfo() returned an IPv6
- address on a system that doesn't support IPv6.
- [RT #917]
-
- 752. [func] Correct bad tv_usec elements returned by
- gettimeofday().
-
- 751. [func] Log successful zone loads / transfers. [RT #898]
-
- 750. [bug] A query should not match a DNAME whose trust level
- is pending. [RT #916]
-
- 749. [bug] When a query matched a DNAME in a secure zone, the
- server did not return the signature of the DNAME.
- [RT #915]
-
- 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
- [RT #781]
-
- 747. [bug] The code to determine whether an IXFR was possible
- did not properly check for a database that could
- not have a journal. [RT #865, #908]
-
- 746. [bug] The sdb didn't clone rdatasets properly, causing
- a crash when the server followed delegations. [RT #905]
-
- 745. [func] Report the owner name of records that fail
- semantic checks while loading.
-
- 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
- result of an ANY or SIG query, the resolver failed
- to setup the return event's rdatasets, causing an
- assertion failure in the query code. [RT #881]
-
- 743. [bug] Receiving a large number of certain malformed
- answers could cause named to stop responding.
- [RT #861]
-
- 742. [placeholder]
-
- 741. [port] Support openssl-engine. [RT #709]
-
- 740. [port] Handle openssl library mismatches slightly better.
-
- 739. [port] Look for /dev/random in configure, rather than
- assuming it will be there for only a predefined
- set of OSes.
-
- 738. [bug] If a non-threadsafe sdb driver supported AXFR and
- received an AXFR request, it would deadlock or die
- with an assertion failure. [RT #852]
-
- 737. [port] stdtime.c failed to compile on certain platforms.
-
- 736. [func] New functions isc_task_{begin,end}exclusive().
-
- 735. [doc] Add BIND 4 migration notes.
-
- 734. [bug] An attempt to re-lock the zone lock could occur if
- the server was shutdown during a zone tranfer.
- [RT #830]
-
- 733. [bug] Reference counts of dns_acl_t objects need to be
- locked but were not. [RT #801, #821]
-
- 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
-
- 731. [bug] Certain zone errors could cause named-checkzone to
- fail ungracefully. [RT #819]
-
- 730. [bug] lwres_getaddrinfo() returns the correct result when
- it fails to contact a server. [RT #768]
-
- 729. [port] pthread_setconcurrency() needs to be called on Solaris.
-
- 728. [bug] Fix comment processing on master file directives.
- [RT# 757]
-
- 727. [port] Work around OS bug where accept() succeeds but
- fails to fill in the peer address of the accepted
- connection, by treating it as an error rather than
- an assertion failure. [RT #809]
-
- 726. [func] Implement the "trace" and "notrace" commands in rndc.
-
- 725. [bug] Installing man pages could fail.
-
- 724. [func] New libisc functions isc_netaddr_any(),
- isc_netaddr_any6().
-
- 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
- to return DNS_R_SERVFAIL. [RT #783]
-
- 722. [func] Allow incremental loads to be canceled.
-
- 721. [cleanup] Load manager and dns_master_loadfilequota() are no
- more.
-
- 720. [bug] Server could enter infinite loop in
- dispatch.c:do_cancel(). [RT #733]
-
- 719. [bug] Rapid reloads could trigger an assertion failure.
- [RT #743, #763]
-
- 718. [cleanup] "internal" is no longer a reserved word in named.conf.
- [RT #753, #731]
-
- 717. [bug] Certain TKEY processing failure modes could
- reference an uninitialized variable, causing the
- server to crash. [RT #750]
-
- 716. [bug] The first line of a $INCLUDE master file was lost if
- an origin was specified. [RT #744]
-
- 715. [bug] Resolving some A6 chains could cause an assertion
- failure in adb.c. [RT #738]
-
- 714. [bug] Preserve interval timers across reloads unless changed.
- [RT# 729]
-
- 713. [func] named-checkconf takes '-t directory' similar to named.
- [RT #726]
-
- 712. [bug] Sending a large signed update message caused an
- assertion failure. [RT #718]
-
- 711. [bug] The libisc and liblwres implementations of
- inet_ntop contained an off by one error.
-
- 710. [func] The forwarders statement now takes an optional
- port. [RT #418]
-
- 709. [bug] ANY or SIG queries for data with a TTL of 0
- would return SERVFAIL. [RT #620]
-
- 708. [bug] When building with --with-openssl, the openssl headers
- included with BIND 9 should not be used. [RT #702]
-
- 707. [func] The "filename" argument to named-checkzone is no
- longer optional, to reduce confusion. [RT #612]
-
- 706. [bug] Zones with an explicit "allow-update { none; };"
- were considered dynamic and therefore not reloaded
- on SIGHUP or "rndc reload".
-
- 705. [port] Work out resource limit type for use where rlim_t is
- not available. [RT #695]
-
- 704. [port] RLIMIT_NOFILE is not available on all platforms.
- [RT #695]
-
- 703. [port] sys/select.h is needed on older platforms. [RT #695]
-
- 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
- use 127.0.0.1 instead. [RT #693]
-
- 701. [func] Root hints are now fully optional. Class IN
- views use compiled-in hints by default, as
- before. Non-IN views with no root hints now
- provide authoritative service but not recursion.
- A warning is logged if a view has neither root
- hints nor authoritative data for the root. [RT #696]
-
- 700. [bug] $GENERATE range check was wrong. [RT #688]
-
- 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
-
- 698. [bug] Aborting nsupdate with ^C would lead to several
- race conditions.
-
- 697. [bug] nsupdate was not compatible with the undocumented
- BIND 8 behavior of ignoring TTLs in "update delete"
- commands. [RT #693]
-
- 696. [bug] lwresd would die with an assertion failure when passed
- a zero-length name. [RT #692]
-
- 695. [bug] If the resolver attempted to query a blackholed or
- bogus server, the resolution would fail immediately.
-
- 694. [bug] $GENERATE did not produce the last entry.
- [RT #682, #683]
-
- 693. [bug] An empty lwres statement in named.conf caused
- the server to crash while loading.
-
- 692. [bug] Deal with systems that have getaddrinfo() but not
- gai_strerror(). [RT #679]
-
- 691. [bug] Configuring per-view forwarders caused an assertion
- failure. [RT #675, #734]
-
- 690. [func] $GENERATE now supports DNAME. [RT #654]
-
- 689. [doc] man pages are now installed. [RT #210]
-
- 688. [func] "make tags" now works on systems with the
- "Exuberant Ctags" etags.
-
- 687. [bug] Only say we have IPv6, with sufficent functionality,
- if it has actually been tested. [RT #586]
-
- 686. [bug] dig and nslookup can now be properly aborted during
- blocking operations. [RT #568]
-
- 685. [bug] nslookup should use the search list/domain options
- from resolv.conf by default. [RT #405, #630]
-
- 684. [bug] Memory leak with view forwarders. [RT #656]
-
- 683. [bug] File descriptor leak in isc_lex_openfile().
-
- 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
-
- 681. [bug] $GENERATE specifying output format was broken. [RT #653]
-
- 680. [bug] dns_rdata_fromstruct() mishandled options bigger
- than 255 octets.
-
- 679. [bug] $INCLUDE could leak memory and file descriptors on
- reload. [RT #639]
-
- 678. [bug] "transfer-format one-answer;" could trigger an assertion
- failure. [RT #646]
-
- 677. [bug] dnssec-signzone would occasionally use the wrong ttl
- for database operations and fail. [RT #643]
-
- 676. [bug] Log messages about lame servers to category
- 'lame-servers' rather than 'resolver', so as not
- to be gratuitously incompatible with BIND 8.
-
- 675. [bug] TKEY queries could cause the server to leak
- memory.
-
- 674. [func] Allow messages to be TSIG signed / verified using
- a offset from the current time.
-
- 673. [func] The server can now convert RFC1886-style recursive
- lookup requests into RFC2874-style lookups, when
- enabled using the new option "allow-v6-synthesis".
-
- 672. [bug] The wrong time was in the "time signed" field when
- replying with BADTIME error.
-
- 671. [bug] The message code was failing to parse a message with
- no question section and a TSIG record. [RT #628]
-
- 670. [bug] The lwres replacements for getaddrinfo and
- getipnodebyname didn't properly check for the
- existence of the sockaddr sa_len field.
-
- 669. [bug] dnssec-keygen now makes the public key file
- non-world-readable for symmetric keys. [RT #403]
-
- 668. [func] named-checkzone now reports multiple errors in master
- files.
-
- 667. [bug] On Linux, running named with the -u option and a
- non-world-readable configuration file didn't work.
- [RT #626]
-
- 666. [bug] If a request sent by dig is longer than 512 bytes,
- use TCP.
-
- 665. [bug] Signed responses were not sent when the size of the
- TSIG + question exceeded the maximum message size.
- [RT #628]
-
- 664. [bug] The t_tasks and t_timers module tests are now skipped
- when building without threads, since they require
- threads.
-
- 663. [func] Accept a size_spec, not just an integer, in the
- (unimplemented and ignored) max-ixfr-log-size option
- for compatibility with recent versions of BIND 8.
- [RT #613]
-
- 662. [bug] dns_rdata_fromtext() failed to log certain errors.
-
- 661. [bug] Certain UDP IXFR requests caused an assertion failure
- (mpctx->allocated == 0). [RT #355, #394, #623]
-
- 660. [port] Detect multiple CPUs on HP-UX and IRIX.
-
- 659. [performance] Rewrite the name compression code to be much faster.
-
- 658. [cleanup] Remove all vestiges of 16 bit global compression.
-
- 657. [bug] When a listen-on statement in an lwres block does not
- specify a port, use 921, not 53. Also update the
- listen-on documentation. [RT #616]
-
- 656. [func] Treat an unescaped newline in a quoted string as
- an error. This means that TXT records with missing
- close quotes should have meaningful errors printed.
-
- 655. [bug] Improve error reporting on unexpected eof when loading
- zones. [RT #611]
-
- 654. [bug] Origin was being forgotten in TCP retries in dig.
- [RT #574]
-
- 653. [bug] +defname option in dig was reversed in sense.
- [RT #549]
-
- 652. [bug] zone_saveunique() did not report the new name.
-
- 651. [func] The AD bit in responses now has the meaning
- specified in <draft-ietf-dnsext-ad-is-secure>.
-
- 650. [bug] SIG(0) records were being generated and verified
- incorrectly. [RT #606]
-
- 649. [bug] It was possible to join to an already running fctx
- after it had "cloned" its events, but before it sent
- them. In this case, the event of the newly joined
- fetch would not contain the answer, and would
- trigger the INSIST() in fctx_sendevents(). In
- BIND 9.0, this bug did not trigger an INSIST(), but
- caused the fetch to fail with a SERVFAIL result.
- [RT #588, #597, #605, #607]
-
- 648. [port] Add support for pre-RFC2133 IPv6 implementations.
-
- 647. [bug] Resolver queries sent after following multiple
- referrals had excessively long retransmission
- timeouts due to incorrectly counting the referrals
- as "restarts".
-
- 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
- didn't _cleanly_ fix the problem it was trying to fix.
-
- 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
-
- 644. [bug] #622 needed more work. [RT #562]
-
- 643. [bug] xfrin error messages made more verbose, added class
- of the zone. [RT# 599]
-
- 642. [bug] Break the exit_check() race in the zone module.
- [RT #598]
-
- --- 9.1.0b2 released ---
-
- 641. [bug] $GENERATE caused a uninitialized link to be used.
- [RT #595]
-
- 640. [bug] Memory leak in error path could cause
- "mpctx->allocated == 0" failure. [RT #584]
-
- 639. [bug] Reading entropy from the keyboard would sometimes fail.
- [RT #591]
-
- 638. [port] lib/isc/random.c needed to explicitly include time.h
- to get a prototype for time() when pthreads was not
- being used. [RT #592]
-
- 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
- lib/isc/print.c. Also allow lib/isc/print.c to
- be compiled even if the platform does not need it.
- [RT #592]
-
- 636. [port] Shut up MSVC++ about a possible loss of precision
- in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
-
- 635. [bug] Reloading a server with a configured blackhole list
- would cause an assertion. [RT #590]
-
- 634. [bug] A log file will completely stop being written when
- it reaches the maximum size in all cases, not just
- when versioning is also enabled. [RT #570]
-
- 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
-
- 632. [bug] The index array of the journal file was
- corrupted as it was written to disk.
-
- 631. [port] Build without thread support on systems without
- pthreads.
-
- 630. [bug] Locking failure in zone code. [RT #582]
-
- 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
- when responding to a UDP IXFR request.
-
- 628. [bug] If the root hints contained only AAAA addresses,
- named would be unable to perform resolution.
-
- 627. [bug] The EDNS0 blackhole detection code of change 324
- waited for three retransmissions to each server,
- which takes much too long when a domain has many
- name servers and all of them drop EDNS0 queries.
- Now we retry without EDNS0 after three consecutive
- timeouts, even if they are all from different
- servers. [RT #143]
-
- 626. [bug] The lightweight resolver daemon no longer crashes
- when asked for a SIG rrset. [RT #558]
-
- 625. [func] Zones now inherit their class from the enclosing view.
-
- 624. [bug] The zone object could get timer events after it had
- been destroyed, causing a server crash. [RT #571]
-
- 623. [func] Added "named-checkconf" and "named-checkzone" program
- for syntax checking named.conf files and zone files,
- respectively.
-
- 622. [bug] A canceled request could be destroyed before
- dns_request_destroy() was called. [RT #562]
-
- 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
- This mostly affects Red Hat Linux 7.0, which has
- conflicts between libc and the kernel.
-
- 620. [bug] dns_master_load*inc() now require 'task' and 'load'
- to be non-null. Also 'done' will not be called if
- dns_master_load*inc() fails immediately. [RT #565]
-
- 618. [bug] Queries to a signed zone could sometimes cause
- an assertion failure.
-
- 617. [bug] When using dynamic update to add a new RR to an
- existing RRset with a different TTL, the journal
- entries generated from the update did not include
- explicit deletions and re-additions of the existing
- RRs to update their TTL to the new value.
-
- 616. [func] dnssec-signzone -t output now includes performance
- statistics.
-
- 615. [bug] dnssec-signzone did not like child keysets signed
- by multiple keys.
-
- 614. [bug] Checks for uninitialized link fields were prone
- to false positives, causing assertion failures.
- The checks are now disabled by default and may
- be re-enabled by defining ISC_LIST_CHECKINIT.
-
- 613. [bug] "rndc reload zone" now reloads primary zones.
- It previously only updated slave and stub zones,
- if an SOA query indicated an out of date serial.
-
- 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
- complains relentlessly about how its treatment
- of 'const' has changed as well as how casting
- sometimes tightens alignment constraints.
-
- 611. [func] allow-notify can be used to permit processing of
- notify messages from hosts other than a slave's
- masters.
-
- 610. [func] rndc dumpdb is now supported.
-
- 609. [bug] getrrsetbyname() would crash lwresd if the server
- found more SIGs than answers. [RT #554]
-
- 608. [func] dnssec-signzone now adds a comment to the zone
- with the time the file was signed.
-
- 607. [bug] nsupdate would fail if it encountered a CNAME or
- DNAME in a response to an SOA query. [RT #515]
-
- 606. [bug] Compiling with --disable-threads failed due
- to isc_thread_self() being incorrectly defined
- as an integer rather than a function.
-
- 605. [func] New function isc_lex_getlasttokentext().
-
- 604. [bug] The named.conf parser could print incorrect line
- numbers when long comments were present.
-
- 603. [bug] Make dig handle multiple types or classes on the same
- query more correctly.
-
- 602. [func] Cope automatically with UnixWare's broken
- IN6_IS_ADDR_* macros. [RT #539]
-
- 601. [func] Return a non-zero exit code if an update fails
- in nsupdate.
-
- 600. [bug] Reverse lookups sometimes failed in dig, etc...
-
- 599. [func] Added four new functions to the libisc log API to
- support i18n messages. isc_log_iwrite(),
- isc_log_ivwrite(), isc_log_iwrite1() and
- isc_log_ivwrite1() were added.
-
- 598. [bug] An update-policy statement would cause the server
- to assert while loading. [RT #536]
-
- 597. [func] dnssec-signzone is now multi-threaded.
-
- 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
- not mutually exclusive.
-
- 595. [port] On Linux 2.2, socket() returns EINVAL when it
- should return EAFNOSUPPORT. Work around this.
- [RT #531]
-
- 594. [func] sdb drivers are now assumed to not be thread-safe
- unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
-
- 593. [bug] If a secure zone was missing all its NXTs and
- a dynamic update was attempted, the server entered
- an infinite loop.
-
- 592. [bug] The sig-validity-interval option now specifies a
- number of days, not seconds. This matches the
- documentation. [RT #529]
-
- --- 9.1.0b1 released ---
-
- 591. [bug] Work around non-reentrancy in openssl by disabling
- precomputation in keys.
-
- 590. [doc] There are now man pages for the lwres library in
- doc/man/lwres.
-
- 589. [bug] The server could deadlock if a zone was updated
- while being transferred out.
-
- 588. [bug] ctx->in_use was not being correctly initialized when
- when pushing a file for $INCLUDE. [RT #523]
-
- 587. [func] A warning is now printed if the "allow-update"
- option allows updates based on the source IP
- address, to alert users to the fact that this
- is insecure and becoming increasingly so as
- servers capable of update forwarding are being
- deployed.
-
- 586. [bug] multiple views with the same name were fatal. [RT #516]
-
- 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
- now support 'exact' additions in a similar manner to
- dns_db_subtractrdataset() and dns_rdataslab_subtract().
-
- 584. [func] You can now say 'notify explicit'; to suppress
- notification of the servers listed in NS records
- and notify only those servers listed in the
- 'also-notify' option.
-
- 583. [func] "rndc querylog" will now toggle logging of
- queries, like "ndc querylog" in BIND 8.
-
- 582. [bug] dns_zone_idetach() failed to lock the zone.
- [RT #199, #463]
-
- 581. [bug] log severity was not being correctly processed.
- [RT #485]
-
- 580. [func] Ignore trailing garbage on incoming DNS packets,
- for interoperability with broken server
- implementations. [RT #491]
-
- 579. [bug] nsupdate did not take a filename to read update from.
- [RT #492]
-
- 578. [func] New config option "notify-source", to specify the
- source address for notify messages.
-
- 577. [func] Log illegal RDATA combinations. e.g. multiple
- singlton types, cname and other data.
-
- 576. [doc] isc_log_create() description did not match reality.
-
- 575. [bug] isc_log_create() was not setting internal state
- correctly to reflect the default channels created.
-
- 574. [bug] TSIG signed queries sent by the resolver would fail to
- have their responses validated and would leak memory.
-
- 573. [bug] The journal files of IXFRed slave zones were
- inadvertantly discarded on server reload, causing
- "journal out of sync with zone" errors on subsequent
- reloads. [RT #482]
-
- 572. [bug] Quoted strings were not accepted as key names in
- address match lists.
-
- 571. [bug] It was possible to create an rdataset of singleton
- type which had more than one rdata. [RT #154]
- [RT #279]
-
- 570. [bug] rbtdb.c allowed zones containing nodes which had
- both a CNAME and "other data". [RT #154]
-
- 569. [func] The DNSSEC AD bit will not be set on queries which
- have not requested a DNSSEC response.
-
- 568. [func] Add sample simple database drivers in contrib/sdb.
-
- 567. [bug] Setting the zone transfer timeout to zero caused an
- assertion failure. [RT #302]
-
- 566. [func] New public function dns_timer_setidle().
-
- 565. [func] Log queries more like BIND 8: query logging is now
- done to category "queries", level "info". [RT #169]
-
- 564. [func] Add sortlist support to lwresd.
-
- 563. [func] New public functions dns_rdatatype_format() and
- dns_rdataclass_format(), for convenient formatting
- of rdata type/class mnemonics in log messages.
-
- 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
-
- 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
- clauses of the options{} statement are now implemented.
-
- 560. [bug] dns_name_split did not properly the resulting prefix
- when a maximal length bitstring label was split which
- was preceded by another bitstring label. [RT #429]
-
- 559. [bug] dns_name_split did not properly create the suffix
- when splitting within a maximal length bitstring label.
-
- 558. [func] New functions, isc_resource_getlimit and
- isc_resource_setlimit.
-
- 557. [func] Symbolic constants for libisc integral types.
-
- 556. [func] The DNSSEC OK bit in the EDNS extended flags
- is now implemented. Responses to queries without
- this bit set will not contain any DNSSEC records.
-
- 555. [bug] A slave server attempting a zone transfer could
- crash with an assertion failure on certain
- malformed responses from the master. [RT #457]
-
- 554. [bug] In some cases, not all of the dnssec tools were
- properly installed.
-
- 553. [bug] Incoming zone transfers deferred due to quota
- were not started when quota was increased but
- only when a transfer in progress finished. [RT #456]
-
- 552. [bug] We were not correctly detecting the end of all c-style
- comments. [RT #455]
-
- 551. [func] Implemented the 'sortlist' option.
-
- 550. [func] Support unknown rdata types and classes.
-
- 549. [bug] "make" did not immediately abort the build when a
- subdirectory make failed [RT #450].
-
- 548. [func] The lexer now ungets tokens more correctly.
-
- 546. [func] Option 'lame-ttl' is now implemented.
-
- 545. [func] Name limit and counting options removed from dig;
- they didn't work properly, and cannot be correctly
- implemented without significant changes.
-
- 544. [func] Add statistics option, enable statistics-file option,
- add RNDC option "dump-statistics" to write out a
- query statistics file.
-
- 543. [doc] The 'port' option is now documented.
-
- 542. [func] Add support for update forwarding as required for
- full compliance with RFC2136. It is turned off
- by default and can be enabled using the
- 'allow-update-forwarding' option.
-
- 541. [func] Add bogus server support.
-
- 540. [func] Add dialup support.
-
- 539. [func] Support the blackhole option.
-
- 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
-
- 536. [func] Use transfer-source{-v6} when sending refresh queries.
- Transfer-source{-v6} now take a optional port
- parameter for setting the UDP source port. The port
- parameter is ignored for TCP.
-
- 535. [func] Use transfer-source{-v6} when forwarding update
- requests.
-
- 534. [func] Ancestors have been removed from RBT chains. Ancestor
- information can be discerned via node parent pointers.
-
- 533. [func] Incorporated name hashing into the RBT database to
- improve search speed.
-
- 532. [func] Implement DNS UPDATE pseudo records using
- DNS_RDATA_UPDATE flag.
-
- 531. [func] Rdata really should be initialized before being assigned
- to (dns_rdata_fromwire(), dns_rdata_fromtext(),
- dns_rdata_clone(), dns_rdata_fromregion()),
- check that it is.
-
- 530. [func] New function dns_rdata_invalidate().
-
- 529. [bug] 521 contained a bug which caused zones to always
- reload. [RT #410]
-
- 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
- on their arguments. ISC_LIST_XXXXUNSAFE can be use
- to skip the checks however use with caution.
-
- 527. [func] New function dns_rdata_clone().
-
- 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
- of 0.
-
- 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
- and 'flags' for dns_rdataslab_subtract() allowing you
- to request that the RR's must exist prior to deletion.
- DNS_R_NOTEXACT is returned if the condition is not met.
-
- 524. [func] The 'forward' and 'forwarders' statement in
- non-forward zones should work now.
-
- 523. [doc] The source to the Administrator Reference Manual is
- now an XML file using the DocBook DTD, and is included
- in the distribution. The plain text version of the
- ARM is temporarily unavailable while we figure out
- how to generate readable plain text from the XML.
-
- 522. [func] The lightweight resolver daemon can now use
- a real configuration file, and its functionality
- can be provided by a name server. Also, the -p and -P
- options to lwresd have been reversed.
-
- 521. [bug] Detect master files which contain $INCLUDE and always
- reload. [RT #196]
-
- 520. [bug] Upgraded libtool to 1.3.5, which makes shared
- library builds almost work on AIX (and possibly
- others).
-
- 519. [bug] dns_name_split() would improperly split some bitstring
- labels, zeroing a few of the least signficant bits in
- the prefix part. When such an improperly created
- prefix was returned to the RBT database, the bogus
- label was dutifully stored, corrupting the tree.
- [RT #369]
-
- 518. [bug] The resolver did not realize that a DNAME which was
- "the answer" to the client's query was "the answer",
- and such queries would fail. [RT #399]
-
- 517. [bug] The resolver's DNAME code would trigger an assertion
- if there was more than one DNAME in the chain.
- [RT #399]
-
- 516. [bug] Cache lookups which had a NULL node pointer, e.g.
- those by dns_view_find(), and which would match a
- DNAME, would trigger an INSIST(!search.need_cleanup)
- assertion. [RT #399]
-
- 515. [bug] The ssu table was not being attached / detached
- by dns_zone_[sg]etssutable. [RT#397]
-
- 514. [func] Retry refresh and notify queries if they timeout.
- [RT #388]
-
- 513. [func] New functionality added to rdnc and server to allow
- individual zones to be refreshed or reloaded.
-
- 512. [bug] The zone transfer code could throw an execption with
- an invalid IXFR stream.
-
- 511. [bug] The message code could throw an assertion on an
- out of memory failure. [RT #392]
-
- 510. [bug] Remove spurious view notify warning. [RT #376]
-
- 509. [func] Add support for write of zone files on shutdown.
-
- 508. [func] dns_message_parse() can now do a best-effort
- attempt, which should allow dig to print more invalid
- messages.
-
- 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
- and dns_view_flushanddetach().
-
- 506. [func] Do not fail to start on errors in zone files.
-
- 505. [bug] nsupdate was printing "unknown result code". [RT #373]
-
- 504. [bug] The zone was not being marked as dirty when updated via
- IXFR.
-
- 503. [bug] dumptime was not being set along with
- DNS_ZONEFLG_NEEDDUMP.
-
- 502. [func] On a SERVFAIL reply, DiG will now try the next server
- in the list, unless the +fail option is specified.
-
- 501. [bug] Incorrect port numbers were being displayed by
- nslookup. [RT #352]
-
- 500. [func] Nearly useless +details option removed from DiG.
-
- 499. [func] In DiG, specifying a class with -c or type with -t
- changes command-line parsing so that classes and
- types are only recognized if following -c or -t.
- This allows hosts with the same name as a class or
- type to be looked up.
-
- 498. [doc] There is now a man page for "dig"
- in doc/man/bin/dig.1.
-
- 497. [bug] The error messages printed when an IP match list
- contained a network address with a nonzero host
- part where not sufficiently detailed. [RT #365]
-
- 496. [bug] named didn't sanity check numeric parameters. [RT #361]
-
- 495. [bug] nsupdate was unable to handle large records. [RT #368]
-
- 494. [func] Do not cache NXDOMAIN responses for SOA queries.
-
- 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
- for SOA queries. This makes it easier to locate
- the containing zone without polluting intermediate
- caches.
-
- 492. [bug] attempting to reload a zone caused the server fail
- to shutdown cleanly. [RT #360]
-
- 491. [bug] nsupdate would segfault when sending certain
- prerequisites with empty RDATA. [RT #356]
-
- 490. [func] When a slave/stub zone has not yet successfully
- obtained an SOA containing the zone's configured
- retry time, perform the SOA query retries using
- exponential backoff. [RT #337]
-
- 489. [func] The zone manager now has a "i/o" queue.
-
- 488. [bug] Locks weren't properly destroyed in some cases.
-
- 487. [port] flockfile() is not defined on all systems.
-
- 486. [bug] nslookup: "set all" and "server" commands showed
- the incorrect port number if a port other than 53
- was specified. [RT #352]
-
- 485. [func] When dig had more than one server to query, it would
- send all of the messages at the same time. Add
- rate limiting of the transmitted messages.
-
- 484. [bug] When the server was reloaded after removing addresses
- from the named.conf "listen-on" statement, sockets
- were still listening on the removed addresses due
- to reference count loops. [RT #325]
-
- 483. [bug] nslookup: "set all" showed a "search" option but it
- was not settable.
-
- 482. [bug] nslookup: a plain "server" or "lserver" should be
- treated as a lookup.
-
- 481. [bug] nslookup:get_next_command() stack size could exceed
- per thread limit.
-
- 480. [bug] strtok() is not thread safe. [RT #349]
-
- 479. [func] The test suite can now be run by typing "make check"
- or "make test" at the top level.
-
- 478. [bug] "make install" failed if the directory specified with
- --prefix did not already exist.
-
- 477. [bug] The the isc-config.sh script could be installed before
- its directory was created. [RT #324]
-
- 476. [bug] A zone could expire while a zone transfer was in
- progress triggering a INSIST failure. [RT #329]
-
- 475. [bug] query_getzonedb() sometimes returned a non-null version
- on failure. This caused assertion failures when
- generating query responses where names subject to
- additional section processing pointed to a zone
- to which access had been denied by means of the
- allow-query option. [RT #336]
-
- 474. [bug] The mnemonic of the CHAOS class is CH according to
- RFC1035, but it was printed and read only as CHAOS.
- We now accept both forms as input, and print it
- as CH. [RT #305]
-
- 473. [bug] nsupdate overran the end of the list of name servers
- when no servers could be reached, typically causing
- it to print the error message "dns_request_create:
- not implemented".
-
- 472. [bug] Off-by-one error caused isc_time_add() to sometimes
- produce invalid time values.
-
- 471. [bug] nsupdate didn't compile on HP/UX 10.20
-
- 470. [func] $GENERATE is now supported. See also
- doc/misc/migration.
-
- 469. [bug] "query-source address * port 53;" now works.
-
- 468. [bug] dns_master_load*() failed to report file and line
- number in certain error conditions.
-
- 467. [bug] dns_master_load*() failed to log an error if
- pushfile() failed.
-
- 466. [bug] dns_master_load*() could return success when it failed.
-
- 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
- omapi_value_storeint().
-
- 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
-
- 463. [bug] nsupdate sent malformed SOA queries to the second
- and subsequent name servers in resolv.conf if the
- query sent to the first one failed.
-
- 462. [bug] --disable-ipv6 should work now.
-
- 461. [bug] Specifying an unknown key in the "keys" clause of the
- "controls" statement caused a NULL pointer dereference.
- [RT #316]
-
- 460. [bug] Much of the DNSSEC code only worked with class IN.
-
- 459. [bug] Nslookup processed the "set" command incorrectly.
-
- 458. [bug] Nslookup didn't properly check class and type values.
- [RT #305]
-
- 457. [bug] Dig/host/hslookup didn't properly handle connect
- timeouts in certain situations, causing an
- unnecessary warning message to be printed.
-
- 456. [bug] Stub zones were not resetting the refresh and expire
- counters, loadtime or clearing the DNS_ZONE_REFRESH
- (refresh in progress) flag upon successful update.
- This disabled further refreshing of the stub zone,
- causing it to eventually expire. [RT #300]
-
- 455. [doc] Document IPv4 prefix notation does not require a
- dotted decimal quad but may be just dotted decimal.
-
- 454. [bug] Enforce dotted decimal and dotted decimal quad where
- documented as such in named.conf. [RT #304, RT #311]
-
- 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
- is specified in named.conf. [RT #306]
-
- 452. [bug] Warn if the unimplemented option "statistics-file"
- is specified in named.conf. [RT #301]
-
- 451. [func] Update forwarding implememted.
-
- 450. [func] New function ns_client_sendraw().
-
- 449. [bug] isc_bitstring_copy() only works correctly if the
- two bitstrings have the same lsb0 value, but this
- requirement was not documented, nor was there a
- REQUIRE for it.
-
- 448. [bug] Host output formatting change, to match v8. [RT #255]
-
- 447. [bug] Dig didn't properly retry in TCP mode after
- a truncated reply. [RT #277]
-
- 446. [bug] Confusing notify log message. [RT #298]
-
- 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
- bitstring triggered a REQUIRE statement. The REQUIRE
- statement was incorrect. [RT #297]
-
- 444. [func] "recursion denied" messages are always logged at
- debug level 1, now, rather than sometimes at ERROR.
- This silences these warnings in the usual case, where
- some clients set the RD bit in all queries.
-
- 443. [bug] When loading a master file failed because of an
- unrecognized RR type name, the error message
- did not include the file name and line number.
- [RT #285]
-
- 442. [bug] TSIG signed messages that did not match any view
- crashed the server. [RT #290]
-
- 441. [bug] Nodes obscured by a DNAME were inaccessible even
- when DNS_DBFIND_GLUEOK was set.
-
- 440. [func] New function dns_zone_forwardupdate().
-
- 439. [func] New function dns_request_createraw().
-
- 438. [func] New function dns_message_getrawmessage().
-
- 437. [func] Log NOTIFY activity to the notify channel.
-
- 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
- which sometimes happens on Linux, named would enter
- a busy loop. Also, unexpected socket errors were
- not logged at a high enough logging level to be
- useful in diagnosing this situation. [RT #275]
-
- 435. [bug] dns_zone_dump() overwrote existing zone files
- rather than writing to a temporary file and
- renaming. This could lead to empty or partial
- zone files being left around in certain error
- conditions involving the initial transfer of a
- slave zone, interfering with subsequent server
- startup. [RT #282]
-
- 434. [func] New function isc_file_isabsolute().
-
- 433. [func] isc_base64_decodestring() now accepts newlines
- within the base64 data. This makes it possible
- to break up the key data in a "trusted-keys"
- statement into multiple lines. [RT #284]
-
- 432. [func] Added refresh/retry jitter. The actual refresh/
- retry time is now a random value between 75% and
- 100% of the configured value.
-
- 431. [func] Log at ISC_LOG_INFO when a zone is successfully
- loaded.
-
- 430. [bug] Rewrote the lightweight resolver client management
- code to handle shutdown correctly and general
- cleanup.
-
- 429. [bug] The space reserved for a TSIG record in a response
- was 2 bytes too short, leading to message
- generation failures.
-
- 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
- DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
- (e.g. glue). This could cause SERVFAILs when
- generating negative responses in a secure zone.
-
- 427. [bug] Avoid going into an infinite loop when the validator
- gets a negative response to a key query where the
- records are signed by the missing key.
-
- 426. [bug] Attempting to generate an oversized RSA key could
- cause dnssec-keygen to dump core.
-
- 425. [bug] Warn about the auth-nxdomain default value change
- if there is no auth-nxdomain statement in the
- config file. [RT #287]
-
- 424. [bug] notify_createmessage() could trigger an assertion
- failure when creating the notify message failed,
- e.g. due to corrupt zones with multiple SOA records.
- [RT #279]
-
- 423. [bug] When responding to a recusive query, errors that occur
- after following a CNAME should cause the query to fail.
- [RT #274]
-
- 422. [func] get rid of isc_random_t, and make isc_random_get()
- and isc_random_jitter() use rand() internally
- instead of local state. Note that isc_random_*()
- functions are only for weak, non-critical "randomness"
- such as timing jitter and such.
-
- 421. [bug] nslookup would exit when given a blank line as input.
-
- 420. [bug] nslookup failed to implement the "exit" command.
-
- 419. [bug] The certificate type PKIX was misspelled as SKIX.
-
- 418. [bug] At debug levels >= 10, getting an unexpected
- socket receive error would crash the server
- while trying to log the error message.
-
- 417. [func] Add isc_app_block() and isc_app_unblock(), which
- allow an application to handle signals while
- blocking.
-
- 416. [bug] Slave zones with no master file tried to use a
- NULL pointer for a journal file name when they
- received an IXFR. [RT #273]
-
- 415. [bug] The logging code leaked file descriptors.
-
- 414. [bug] Server did not shut down until all incoming zone
- transfers were finished.
-
- 413. [bug] Notify could attempt to use the zone database after
- it had been unloaded. [RT#267]
-
- 412. [bug] named -v didn't print the version.
-
- 411. [bug] A typo in the HS A code caused an assertion failure.
-
- 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
- to a random value on success.
-
- 409. [bug] If named was shut down early in the startup
- process, ns_omapi_shutdown() would attempt to lock
- an unintialized mutex. [RT #262]
-
- 408. [bug] stub zones could leak memory and reference counts if
- all the masters were unreachable.
-
- 407. [bug] isc_rwlock_lock() would needlessly block
- readers when it reached the read quota even
- if no writers were waiting.
-
- 406. [bug] Log messages were occasionally lost or corrupted
- due to a race condition in isc_log_doit().
-
- 405. [func] Add support for selective forwarding (forward zones)
-
- 404. [bug] The request library didn't completely work with IPv6.
-
- 403. [bug] "host" did not use the search list.
-
- 402. [bug] Treat undefined acls as errors, rather than
- warning and then later throwing an assertion.
- [RT #252]
-
- 401. [func] Added simple database API.
-
- 400. [bug] SIG(0) signing and verifying was done incorrectly.
- [RT #249]
-
- 399. [bug] When reloading the server with a config file
- containing a syntax error, it could catch an
- assertion failure trying to perform zone
- maintenance on, or sending notifies from,
- tentatively created zones whose views were
- never fully configured and lacked an address
- database and request manager.
-
- 398. [bug] "dig" sometimes caught an assertion failure when
- using TSIG, depending on the key length.
-
- 397. [func] Added utility functions dns_view_gettsig() and
- dns_view_getpeertsig().
-
- 396. [doc] There is now a man page for "nsupdate"
- in doc/man/bin/nsupdate.8.
-
- 395. [bug] nslookup printed incorrect RR type mnemonics
- for RRs of type >= 21 [RT #237].
-
- 394. [bug] Current name was not propagated via $INCLUDE.
-
- 393. [func] Initial answer while loading (awl) support.
- Entry points: dns_master_loadfileinc(),
- dns_master_loadstreaminc(), dns_master_loadbufferinc().
- Note: calls to dns_master_load*inc() should be rate
- be rate limited so as to not use up all file
- descriptors.
-
- 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
- not support the given address family requested.
-
- 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
-
- 390. [func] The function dns_zone_setdbtype() now takes
- an argc/argv style vector of words and sets
- both the zone database type and its arguments,
- making the functions dns_zone_adddbarg()
- and dns_zone_cleardbargs() unnecessary.
-
- 389. [bug] Attempting to send a reqeust over IPv6 using
- dns_request_create() on a system without IPv6
- support caused an assertion failure [RT #235].
-
- 388. [func] dig and host can now do reverse ipv6 lookups.
-
- 387. [func] Add dns_byaddr_createptrname(), which converts
- an address into the name used by a PTR query.
-
- 386. [bug] Missing strdup() of ACL name caused random
- ACL matching failures [RT #228].
-
- 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
- and dns_zt_print().
-
- 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
- of 2147483647.
-
- 383. [func] When writing a master file, print the SOA and NS
- records (and their SIGs) before other records.
-
- 382. [bug] named -u failed on many Linux systems where the
- libc provided kernel headers do not match
- the current kernel.
-
- 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
- IPV6_PKTINFO if found. [RT #229]
-
- 380. [bug] nsupdate didn't work with IPv6.
-
- 379. [func] New library function isc_sockaddr_anyofpf().
-
- 378. [func] named and lwresd will log the command line arguments
- they were started with in the "starting ..." message.
-
- 377. [bug] When additional data lookups were refused due to
- "allow-query", the databases were still being
- attached causing reference leaks.
-
- 376. [bug] The server should always use good entropy when
- performing cryptographic functions needing entropy.
-
- 375. [bug] Per-zone "allow-query" did not properly override the
- view/global one for CNAME targets and additional
- data [RT #220].
-
- 374. [bug] SOA in authoritative negative responses had wrong TTL.
-
- 373. [func] nslookup is now installed by "make install".
-
- 372. [bug] Deal with Microsoft DNS servers appending two bytes of
- garbage to zone transfer requests.
-
- 371. [bug] At high debug levels, doing an outgoing zone transfer
- of a very large RRset could cause an assertion failure
- during logging.
-
- 370. [bug] The error messages for rollforward failures were
- overly terse.
-
- 369. [func] Support new named.conf options, view and zone
- statements:
-
- max-retry-time, min-retry-time,
- max-refresh-time, min-refresh-time.
-
- 368. [func] Restructure the internal ".bind" view so that more
- zones can be added to it.
-
- 367. [bug] Allow proper selection of server on nslookup command
- line.
-
- 366. [func] Allow use of '-' batch file in dig for stdin.
-
- 365. [bug] nsupdate -k leaked memory.
-
- 364. [func] Added additional-from-{cache,auth}
-
- 362. [bug] rndc no longer aborts if the configuration file is
- missing an options statement. [RT #209]
-
- 361. [func] When the RBT find or chain functions set the name and
- origin for a node that stores the root label
- the name is now set to an empty name, instead of ".",
- to simplify later use of the name and origin by
- dns_name_concatenate(), dns_name_totext() or
- dns_name_format().
-
- 360. [func] dns_name_totext() and dns_name_format() now allow
- an empty name to be passed, which is formatted as "@".
-
- 359. [bug] dnssec-signzone occasionally signed glue records.
-
- 358. [cleanup] Rename the intermediate files used by the dnssec
- programs.
-
- 357. [bug] The zone file parser crashed if the argument
- to $INCLUDE was a quoted string.
-
- 356. [cleanup] isc_task_send no longer requires event->sender to
- be non-null.
-
- 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
-
- 354. [doc] Man pages for the dnssec tools are now included in
- the distribution, in doc/man/dnssec.
-
- 353. [bug] double increment in lwres/gethost.c:copytobuf().
- [RT# 187]
-
- 352. [bug] Race condition in dns_client_t startup could cause
- an assertion failure.
-
- 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
- signed query could crash the server.
-
- 350. [bug] Also-notify lists specified in the global options
- block were not correctly reference counted, causing
- a memory leak.
-
- 349. [bug] Processing a query with the CD bit set now works
- as expected.
-
- 348. [func] New boolean named.conf options 'additional-from-auth'
- and 'additional-from-cache' now supported in view and
- global options statement.
-
- 347. [bug] Don't crash if an argument is left off options in dig.
-
- 346. [func] Add support for .digrc config file, in the
- user's current directory.
-
- 345. [bug] Large-scale changes/cleanups to dig:
- * Significantly improve structure handling
- * Don't pre-load entire batch files
- * Add name/rr counting/limiting
- * Fix SIGINT handling
- * Shorten timeouts to match v8's behavior
-
- 344. [bug] When shutting down, lwresd sometimes tried
- to shut down its client tasks twice,
- triggering an assertion.
-
- 343. [bug] Although zone maintenance SOA queries and
- notify requests were signed with TSIG keys
- when configured for the server in case,
- the TSIG was not verified on the response.
-
- 342. [bug] The wrong name was being passed to
- dns_name_dup() when generating a TSIG
- key using TKEY.
-
- 341. [func] Support 'key' clause in named.conf zone masters
- statement to allow authentication via TSIG keys:
-
- masters {
- 10.0.0.1 port 5353 key "foo";
- 10.0.0.2 ;
- };
-
- 340. [bug] The top-level COPYRIGHT file was missing from
- the distribution.
-
- 339. [bug] DNSSEC validation of the response to an ANY
- query at a name with a CNAME RR in a secure
- zone triggered an assertion failure.
-
- 338. [bug] lwresd logged to syslog as named, not lwresd.
-
- 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
- on the command line.
-
- 336. [bug] "dig -f" used 64 k of memory for each line in
- the file. It now uses much less, though still
- proportionally to the file size.
-
- 335. [bug] named would occasionally attempt recursion when
- it was disallowed or undesired.
-
- 334. [func] Added hmac-md5 to libisc.
-
- 333. [bug] The resolver incorrectly accepted referrals to
- domains that were not parents of the query name,
- causing assertion failures.
-
- 332. [func] New function dns_name_reset().
-
- 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
-
- 330. [bug] Many debugging messages were partially formatted
- even when debugging was turned off, causing a
- significant decrease in query performance.
-
- 329. [func] omapi_auth_register() now takes a size_t argument for
- the length of a key's secret data. Previously
- OMAPI only stored secrets up to the first NUL byte.
-
- 328. [func] Added isc_base64_decodestring().
-
- 327. [bug] rndc.conf parser wasn't correctly recognising an IP
- address where a host specification was required.
-
- 326. [func] 'keys' in an 'inet' control statement is now
- required and must have at least one item in it.
- A "not supported" warning is now issued if a 'unix'
- control channel is defined.
-
- 325. [bug] isc_lex_gettoken was processing octal strings when
- ISC_LEXOPT_CNUMBER was not set.
-
- 324. [func] In the resolver, turn EDNS0 off if there is no
- response after a number of retransmissions.
- This is to allow queries some chance of succeeding
- even if all the authoritative servers of a zone
- silently discard EDNS0 requests instead of
- sending an error response like they ought to.
-
- 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
- Because of this, servers authoritative for a parent
- and grandchild zone but not authoritative for the
- intervening child zone did not correctly issue
- referrals to the servers of the child zone.
-
- 322. [bug] Queries for KEY RRs are now sent to the parent
- server before the authoritative one, making
- DNSSEC insecurity proofs work in many cases
- where they previously didn't.
-
- 321. [bug] When synthesizing a CNAME RR for a DNAME
- response, query_addcname() failed to intitialize
- the type and class of the CNAME dns_rdata_t,
- causing random failures.
-
- 320. [func] Multiple rndc changes: parses an rndc.conf file,
- uses authentication to talk to named, command
- line syntax changed. This will all be described
- in the ARM.
-
- 319. [func] The named.conf "controls" statement is now used
- to configure the OMAPI command channel.
-
- 318. [func] dns_c_ndcctx_destroy() could never return anything
- except ISC_R_SUCCESS; made it have void return instead.
-
- 317. [func] Use callbacks from libomapi to determine if a
- new connection is valid, and if a key requested
- to be used with that connection is valid.
-
- 316. [bug] Generate a warning if we detect an unexpected <eof>
- but treat as <eol><eof>.
-
- 315. [bug] Handle non-empty blanks lines. [RT #163]
-
- 314. [func] The named.conf controls statement can now have
- more than one key specified for the inet clause.
-
- 313. [bug] When parsing resolv.conf, don't terminate on an
- error. Instead, parse as much as possible, but
- still return an error if one was found.
-
- 312. [bug] Increase the number of allowed elements in the
- resolv.conf search path from 6 to 8. If there
- are more than this, ignore the remainder rather
- than returning a failure in lwres_conf_parse.
-
- 311. [bug] lwres_conf_parse failed when the first line of
- resolv.conf was empty or a comment.
-
- 310. [func] Changes to named.conf "controls" statement (inet
- subtype only)
-
- - support "keys" clause
-
- controls {
- inet * port 1024
- allow { any; } keys { "foo"; }
- }
-
- - allow "port xxx" to be left out of statement,
- in which case it defaults to omapi's default port
- of 953.
-
- 309. [bug] When sending a referral, the server did not look
- for name server addresses as glue in the zone
- holding the NS RRset in the case where this zone
- was not the same as the one where it looked for
- name server addresses as authoritative data.
-
- 308. [bug] Treat a SOA record not at top of zone as an error
- when loading a zone. [RT #154]
-
- 307. [bug] When canceling a query, the resolver didn't check for
- isc_socket_sendto() calls that did not yet have their
- completion events posted, so it could (rarely) end up
- destroying the query context and then want to use
- it again when the send event posted, triggering an
- assertion as it tried to cancel an already-canceled
- query. [RT #77]
-
- 306. [bug] Reading HMAC-MD5 private key files didn't work.
-
- 305. [bug] When reloading the server with a config file
- containing a syntax error, it could catch an
- assertion failure trying to perform zone
- maintenance on tentatively created zones whose
- views were never fully configured and lacked
- an address database.
-
- 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
- are listed in resolv.conf, silently ignore them
- instead of returning failure.
-
- 303. [bug] Add additional sanity checks to differentiate a AXFR
- response vs a IXFR response. [RT #157]
-
- 302. [bug] In dig, host, and nslookup, MXNAME should be large
- enough to hold any legal domain name in presentation
- format + terminating NULL.
-
- 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
-
- 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
- on platforms lacking IPv6 because each included their
- own ipv6 header file for the missing definitions. Now
- each library's ipv6.h defines the wrapper symbol of
- the other (ISC_IPV6_H and LWRES_IPV6_H).
-
- 299. [cleanup] Get the user and group information before changing the
- root directory, so the administrator does not need to
- keep a copy of the user and group databases in the
- chroot'ed environment. Suggested by Hakan Olsson.
-
- 298. [bug] A mutex deadlock occurred during shutdown of the
- interface manager under certain conditions.
- Digital Unix systems were the most affected.
-
- 297. [bug] Specifying a key name that wasn't fully qualified
- in certain parts of the config file could cause
- an assertion failure.
-
- 296. [bug] "make install" from a separate build directory
- failed unless configure had been run in the source
- directory, too.
-
- 295. [bug] When invoked with type==CNAME and a message
- not constructed by dns_message_parse(),
- dns_message_findname() failed to find anything
- due to checking for attribute bits that are set
- only in dns_message_parse(). This caused an
- infinite loop when constructing the response to
- an ANY query at a CNAME in a secure zone.
-
- 294. [bug] If we run out of space in while processing glue
- when reading a master file and commit "current name"
- reverts to "name_current" instead of staying as
- "name_glue".
-
- 293. [port] Add support for FreeBSD 4.0 system tests.
-
- 292. [bug] Due to problems with the way some operating systems
- handle simultaneous listening on IPv4 and IPv6
- addresses, the server no longer listens on IPv6
- addresses by default. To revert to the previous
- behavior, specify "listen-on-v6 { any; };" in
- the config file.
-
- 291. [func] Caching servers no longer send outgoing queries
- over TCP just because the incoming recursive query
- was a TCP one.
-
- 290. [cleanup] +twiddle option to dig (for testing only) removed.
-
- 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
- host is now installed in $bindir. (Be sure to remove
- any $sbindir/dig from a previous release.)
-
- 288. [func] rndc is now installed by "make install" into $sbindir.
-
- 287. [bug] rndc now works again as "rndc 127.1 reload" (for
- only that task). Parsing its configuration file and
- using digital signatures for authentication has been
- disabled until named supports the "controls" statement,
- post-9.0.0.
-
- 286. [bug] On Solaris 2, when named inherited a signal state
- where SIGHUP had the SIG_IGN action, SIGHUP would
- be ignored rather than causing the server to reload
- its configuration.
-
- 285. [bug] A change made to the dst API for beta4 inadvertently
- broke OMAPI's creation of a dst key from an incoming
- message, causing an assertion to be triggered. Fixed.
-
- 284. [func] The DNSSEC key generation and signing tools now
- generate randomness from keyboard input on systems
- that lack /dev/random.
-
- 283. [cleanup] The 'lwresd' program is now a link to 'named'.
-
- 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
- too big for an unsigned long.
-
- 281. [bug] Fixed list of recognized config file category names.
-
- 280. [func] Add isc-config.sh, which can be used to more
- easily build applications that link with
- our libraries.
-
- 279. [bug] Private omapi function symbols shared between
- two or more files in libomapi.a were not namespace
- protected using the ISC convention of starting with
- the library name and two underscores ("omapi__"...)
-
- 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
- note of when isc_log_categorybyname() wasn't able
- to find the category name and would then apply the
- channel list of the unknown category to all categories.
-
- 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
- would fail to find the first member of any category
- or module array apart from the internal defaults.
- Thus, for example, the "notify" category was improperly
- configured by named.
-
- 276. [bug] dig now supports maximum sized TCP messages.
-
- 275. [bug] The definition of lwres_gai_strerror() was missing
- the lwres_ prefix.
-
- 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
- server.
-
- 273. [func] The default for the 'transfer-format' option is
- now 'many-answers'. This will break zone transfers
- to BIND 4.9.5 and older unless there is an explicit
- 'one-answer' configuration.
-
- 272. [bug] The sending of large TCP responses was canceled
- in mid-transmission due to a race condition
- caused by the failure to set the client object's
- "newstate" variable correctly when transitioning
- to the "working" state.
-
- 271. [func] Attempt to probe the number of cpus in named
- if unspecified rather than defaulting to 1.
-
- 270. [func] Allow maximum sized TCP answers.
-
- 269. [bug] Failed DNSSEC validations could cause an assertion
- failure by causing clone_results() to be called with
- with hevent->node == NULL.
-
- 268. [doc] A plain text version of the Administrator
- Reference Manual is now included in the distribution,
- as doc/arm/Bv9ARM.txt.
-
- 267. [func] Nsupdate is now provided in the distribution.
-
- 266. [bug] zone.c:save_nsrrset() node was not initialized.
-
- 265. [bug] dns_request_create() now works for TCP.
-
- 264. [func] Dispatch can not take TCP sockets in connecting
- state. Set DNS_DISPATCHATTR_CONNECTED when calling
- dns_dispatch_createtcp() for connected TCP sockets
- or call dns_dispatch_starttcp() when the socket is
- connected.
-
- 263. [func] New logging channel type 'stderr'
-
- channel some-name {
- stderr;
- severity error;
- }
-
- 262. [bug] 'master' was not initialized in zone.c:stub_callback().
-
- 261. [func] Add dns_zone_markdirty().
-
- 260. [bug] Running named as a non-root user failed on Linux
- kernels new enough to support retaining capabilities
- after setuid().
-
- 259. [func] New random-device and random-seed-file statements
- for global options block of named.conf. Both accept
- a single string argument.
-
- 258. [bug] Fixed printing of lwres_addr_t.address field.
-
- 257. [bug] The server detached the last zone manager reference
- too early, while it could still be in use by queries.
- This manifested itself as assertion failures during the
- shutdown process for busy name servers. [RT #133]
-
- 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
- isc_ratelimiter_shutdown guarantees that the rate
- limiter is detached from its task.
-
- 255. [func] New function dns_zonemgr_attach().
-
- 254. [bug] Suppress "query denied" messages on additional data
- lookups.
-
- --- 9.0.0b4 released ---
-
- 253. [func] resolv.conf parser now recognises ';' and '#' as
- comments (anywhere in line, not just as the beginning).
-
- 252. [bug] resolv.conf parser mishandled masks on sortlists.
- It also aborted when an unrecognized keyword was seen,
- now it silently ignores the entire line.
-
- 251. [bug] lwresd caught an assertion failure on startup.
-
- 250. [bug] fixed handling of size+unit when value would be too
- large for internal representation.
-
- 249. [cleanup] max-cache-size config option now takes a size-spec
- like 'datasize', except 'default' is not allowed.
-
- 248. [bug] global lame-ttl option was not being printed when
- config structures were written out.
-
- 247. [cleanup] Rename cache-size config option to max-cache-size.
-
- 246. [func] Rename global option cachesize to cache-size and
- add corresponding option to view statement.
-
- 245. [bug] If an uncompressed name will take more than 255
- bytes and the buffer is sufficiently long,
- dns_name_fromwire should return DNS_R_FORMERR,
- not ISC_R_NOSPACE. This bug caused cause the
- server to catch an assertion failure when it
- received a query for a name longer than 255
- bytes.
-
- 244. [bug] empty named.conf file and empty options statement are
- now parsed properly.
-
- 243. [func] new cachesize option for named.conf
-
- 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
-
- 241. [cleanup] nscount and soacount have been removed from the
- dns_master_*() argument lists.
-
- 240. [func] databases now come in three flavours: zone, cache
- and stub.
-
- 239. [func] If ISC_MEM_DEBUG is enabled, the variable
- isc_mem_debugging controls whether messages
- are printed or not.
-
- 238. [cleanup] A few more compilation warnings have been quieted:
- + missing sigwait prototype on BSD/OS 4.0/4.0.1.
- + PTHREAD_ONCE_INIT unbraced initializer warnings on
- Solaris 2.8.
- + IN6ADDR_ANY_INIT unbraced initializer warnings on
- BSD/OS 4.*, Linux and Solaris 2.8.
-
- 237. [bug] If connect() returned ENOBUFS when the resolver was
- initiating a TCP query, the socket didn't get
- destroyed, and the server did not shut down cleanly.
-
- 236. [func] Added new listen-on-v6 config file statement.
-
- 235. [func] Consider it a config file error if a listen-on
- statement has an IPv6 address in it, or a
- listen-on-v6 statement has an IPv4 address in it.
-
- 234. [bug] Allow a trusted-key's first field (domain-name) be
- either a quoted or an unquoted string, instead of
- requiring a quoted string.
-
- 233. [cleanup] Convert all config structure integer values to unsigned
- integer (isc_uint32_t) to match grammer.
-
- 232. [bug] Allow slave zones to not have a file.
-
- 231. [func] Support new 'port' clause in config file options
- section. Causes 'listen-on', 'masters' and
- 'also-notify' statements to use its value instead of
- default (53).
-
- 230. [func] Replace the dst sign/verify API with a cleaner one.
-
- 229. [func] Support config file sig-validity-interval statement
- in options, views and zone statements (master
- zones only).
-
- 228. [cleanup] Logging messages in config module stripped of
- trailing period.
-
- 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
- dns_rcode_*, dns_opcode_*, and dns_trust_* are
- also now cast to their appropriate types, as with
- dns_rdatatype_* in item number 225 below.
-
- 226. [func] dns_name_totext() now always prints the root name as
- '.', even when omit_final_dot is true.
-
- 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
- cast to dns_rdatatype_t via macros of their same name
- so that they are of the proper integral type wherever
- a dns_rdatatype_t is needed.
-
- 224. [cleanup] The entire project builds cleanly with gcc's
- -Wcast-qual and -Wwrite-strings warnings enabled,
- which is now the default when using gcc. (Warnings
- from confparser.c, because of yacc's code, are
- unfortunately to be expected.)
-
- 223. [func] Several functions were reprototyped to qualify one
- or more of their arguments with "const". Similarly,
- several functions that return pointers now have
- those pointers qualified with const.
-
- 222. [bug] The global 'also-notify' option was ignored.
-
- 221. [bug] An uninitialized variable was sometimes passed to
- dns_rdata_freestruct() when loading a zone, causing
- an assertion failure.
-
- 220. [cleanup] Set the default outgoing port in the view, and
- set it in sockaddrs returned from the ADB.
- [31-May-2000 explorer]
-
- 219. [bug] Signed truncated messages more correctly follow
- the respective specs.
-
- 218. [func] When an rdataset is signed, its ttl is normalized
- based on the signature validity period.
-
- 217. [func] Also-notify and trusted-keys can now be used in
- the 'view' statement.
-
- 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
- now work.
-
- 215. [bug] Failures at certain points in request processing
- could cause the assertion INSIST(client->lockview
- == NULL) to be triggered.
-
- 214. [func] New public function isc_netaddr_format(), for
- formatting network addresses in log messages.
-
- 213. [bug] Don't leak memory when reloading the zone if
- an update-policy clause was present in the old zone.
-
- 212. [func] Added dns_message_get/settsigkey, to make TSIG
- key management reasonable.
-
- 211. [func] The 'key' and 'server' statements can now occur
- inside 'view' statements.
-
- 210. [bug] The 'allow-transfer' option was ignored for slave
- zones, and the 'transfers-per-ns' option was
- was ignored for all zones.
-
- 209. [cleanup] Upgraded openssl files to new version 0.9.5a
-
- 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
- of an isc_offset_t.
-
- 207. [func] The dnssec tools properly use the logging subsystem.
-
- 206. [cleanup] dst now stores the key name as a dns_name_t, not
- a char *.
-
- 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
- ("prototyped function redeclared without prototype")
- and 1552 ("variable ... set but not used") when
- compiling in the lib/dns/sec/{dnssafe,openssl}
- directories, which contain code imported from outside
- sources.
-
- 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
- to quiet the warnings that "The linked output may not
- run on a PA 1.x system."
-
- 203. [func] notify and zone soa queries are now tsig signed when
- appropriate.
-
- 202. [func] isc_lex_getsourceline() changed from returning int
- to returning unsigned long, the type of its underlying
- counter.
-
- 201. [cleanup] Removed the test/sdig program, it has been
- replaced by bin/dig/dig.
-
-
- --- 9.0.0b3 released ---
-
- 200. [bug] Failures in sending query responses to clients
- (e.g., running out of network buffers) were
- not logged.
-
- 199. [bug] isc_heap_delete() sometimes violated the heap
- invariant, causing timer events not to be posted
- when due.
-
- 198. [func] Dispatch managers hold memory pools which
- any managed dispatcher may use. This allows
- us to avoid dipping into the memory context for
- most allocations. [19-May-2000 explorer]
-
- 197. [bug] When an incoming AXFR or IXFR completes, the
- zone's internal state is refreshed from the
- SOA data. [19-May-2000 explorer]
-
- 196. [func] Dispatchers can be shared easily between views
- and/or interfaces. [19-May-2000 explorer]
-
- 195. [bug] Including the NXT record of the root domain
- in a negative response caused an assertion
- failure.
-
- 194. [doc] The PDF version of the Administrator's Reference
- Manual is no longer included in the ISC BIND9
- distribution.
-
- 193. [func] changed dst_key_free() prototype.
-
- 192. [bug] Zone configuration validation is now done at end
- of config file parsing, and before loading
- callbacks.
-
- 191. [func] Patched to compile on UnixWare 7.x. This platform
- is not directly supported by the ISC.
-
- 190. [cleanup] The DNSSEC tools have been moved to a separate
- directory dnssec/ and given the following new,
- more descriptive names:
-
- dnssec-keygen
- dnssec-signzone
- dnssec-signkey
- dnssec-makekeyset
-
- Their command line arguments have also been changed to
- be more consistent. dnssec-keygen now prints the
- name of the generated key files (sans extension)
- on standard output to simplify its use in automated
- scripts.
-
- 189. [func] isc_time_secondsastimet(), a new function, will ensure
- that the number of seconds in an isc_time_t does not
- exceed the range of a time_t, or return ISC_R_RANGE.
- Similarly, isc_time_now(), isc_time_nowplusinterval(),
- isc_time_add() and isc_time_subtract() now check the
- range for overflow/underflow. In the case of
- isc_time_subtract, this changed a calling requirement
- (ie, something that could generate an assertion)
- into merely a condition that returns an error result.
- isc_time_add() and isc_time_subtract() were void-
- valued before but now return isc_result_t.
-
- 188. [func] Log a warning message when an incoming zone transfer
- contains out-of-zone data.
-
- 187. [func] isc_ratelimter_enqueue() has an additional argument
- 'task'.
-
- 186. [func] dns_request_getresponse() has an additional argument
- 'preserve_order'.
-
- 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
- public functions did not have an isc__ prefix, and
- referred to functions that had previously been
- renamed.
-
- 184. [cleanup] Variables/functions which began with two leading
- underscores were made to conform to the ANSI/ISO
- standard, which says that such names are reserved.
-
- 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
- for logging the program name or other identifier.
-
- 182. [cleanup] New commandline parameters for dnssec tools
-
- 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
-
- 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
-
- 179. [func] options named.conf statement *must* now come
- before any zone or view statements.
-
- 178. [func] Post-load of named.conf check verifies a slave zone
- has non-empty list of masters defined.
-
- 177. [func] New per-zone boolean:
-
- enable-zone yes | no ;
-
- intended to let a zone be disabled without having
- to comment out the entire zone statement.
-
- 176. [func] New global and per-view option:
-
- max-cache-ttl number
-
- 175. [func] New global and per-view option:
-
- additional-data internal | minimal | maximal;
-
- 174. [func] New public function isc_sockaddr_format(), for
- formatting socket addresses in log messages.
-
- 173. [func] Keep a queue of zones waiting for zone transfer
- quota so that a new transfer can be dispatched
- immediately whenever quota becomes available.
-
- 172. [bug] $TTL directive was sometimes missing from dumped
- master files because totext_ctx_init() failed to
- initialize ctx->current_ttl_valid.
-
- 171. [cleanup] On NetBSD systems, the mit-pthreads or
- unproven-pthreads library is now always used
- unless --with-ptl2 is explicitly specified on
- the configure command line. The
- --with-mit-pthreads option is no longer needed
- and has been removed.
-
- 170. [cleanup] Remove inter server consistancy checks from zone,
- these should return as a seperate module in 9.1.
- dns_zone_checkservers(), dns_zone_checkparents(),
- dns_zone_checkchildren(), dns_zone_checkglue().
-
- Remove dns_zone_setadb(), dns_zone_setresolver(),
- dns_zone_setrequestmgr() these should now be found
- via the view.
-
- 169. [func] ratelimiter can now process N events per interval.
-
- 168. [bug] include statements in named.conf caused syntax errors
- due to not consuming the semicolon ending the include
- statement before switching input streams.
-
- 167. [bug] Make lack of masters for a slave zone a soft error.
-
- 166. [bug] Keygen was overwriting existing keys if key_id
- conflicted, now it will retry, and non-null keys
- with key_id == 0 are not generated anymore. Key
- was not able to generate NOAUTHCONF DSA key,
- increased RSA key size to 2048 bits.
-
- 165. [cleanup] Silence "end-of-loop condition not reached" warnings
- from Solaris compiler.
-
- 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
- isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
- isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
- to encapsulate nonportable usage of errno and sync.
-
- 163. [func] Added result codes ISC_R_FILENOTFOUND and
- ISC_R_FILEEXISTS.
-
- 162. [bug] Ensure proper range for arguments to ctype.h functions.
-
- 161. [cleanup] error in yyparse prototype that only HPUX caught.
-
- 160. [cleanup] getnet*() are not going to be implemented at this
- stage.
-
- 159. [func] Redefinition of config file elements is now an
- error (instead of a warning).
-
- 158. [bug] Log channel and category list copy routines
- weren't assigning properly to output parameter.
-
- 157. [port] Fix missing prototype for getopt().
-
- 156. [func] Support new 'database' statement in zone.
-
- database "quoted-string";
-
- 155. [bug] ns_notify_start() was not detaching the found zone.
-
- 154. [func] The signer now logs libdns warnings to stderr even when
- not verbose, and in a nicer format.
-
- 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
- is NULL then you need to preserve the 'rdata' until
- you have finished using the structure as there may be
- references to the associated memory. If 'mctx' is
- non-NULL it is guaranteed that there are no references
- to memory associated with 'rdata'.
-
- dns_rdata_freestruct() must be called if 'mctx' was
- non-NULL and may safely be called if 'mctx' was NULL.
-
- 152. [bug] keygen dumped core if domain name argument was omitted
- from command line.
-
- 151. [func] Support 'disabled' statement in zone config (causes
- zone to be parsed and then ignored). Currently must
- come after the 'type' clause.
-
- 150. [func] Support optional ports in masters and also-notify
- statements:
-
- masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
-
- 149. [cleanup] Removed usused argument 'olist' from
- dns_c_view_unsetordering().
-
- 148. [cleanup] Stop issuing some warnings about some configuration
- file statements that were not implemented, but now are.
-
- 147. [bug] Changed yacc union size to be smaller for yaccs that
- put yacc-stack on the real stack.
-
- 146. [cleanup] More general redundant header file cleanup. Rather
- than continuing to itemize every header which changed,
- this changelog entry just notes that if a header file
- did not need another header file that it was including
- in order to provide its advertized functionality, the
- inclusion of the other header file was removed. See
- util/check-includes for how this was tested.
-
- 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
- ISC_LANG_ENDDECLS to header files that had function
- prototypes, and removed it from those that did not.
-
- 144. [cleanup] libdns header files too numerous to name were made
- to conform to the same style for multiple inclusion
- protection.
-
- 143. [func] Added function dns_rdatatype_isknown().
-
- 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
- <isc/result.h>.
-
- 141. [bug] Corrupt requests with multiple questions could
- cause an assertion failure.
-
- 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
-
- 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
- <isc/int.h> and <isc/result.h>.
-
- 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
- renamed isc_string_touint64. isc_strsep moved from
- strsep.c to string.c and renamed isc_string_separate.
-
- 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
- <isc/serial.h>, <isc/string.h> and <isc/offset.h>
- made to conform to the same style for multiple
- inclusion protection.
-
- 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
- <isc/net.h> and Win32's <isc/thread.h> needed
- ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
-
- 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
- or <isc/boolean.h>, now uses <isc/types.h> in place
- of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
- and ISC_LANG_ENDDECLS.
-
- 134. [cleanup] <isc/dir.h> does not need <limits.h>.
-
- 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
-
- 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
- need <isc/eventclass.h>.
-
- 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
- for ISC_R_* codes used in macros.
-
- 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
- <isc/boolean.h>, and now includes <isc/types.h>
- instead of <isc/time.h>.
-
- 129. [bug] The 'default_debug' log channel was not set up when
- 'category default' was present in the config file
-
- 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
- ISC_LANG_ENDDECLS at end of header.
-
- 127. [cleanup] The contracts for the comparision routines
- dns_name_fullcompare(), dns_name_compare(),
- dns_name_rdatacompare(), and dns_rdata_compare() now
- specify that the order value returned is < 0, 0, or > 0
- instead of -1, 0, or 1.
-
- 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
-
- 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
- <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
- <isc/resultclass.h> do not need <isc/lang.h>.
-
- 124. [func] signer now imports parent's zone key signature
- and creates null keys/sets zone status bit for
- children when necessary
-
- 123. [cleanup] <isc/event.h> does not need <stddef.h>.
-
- 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
- <isc/result.h>.
-
- 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
- <isc/result.h>. Multiple inclusion protection
- symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
- isc_symtab_t moved to <isc/types.h>.
-
- 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
- <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
- <isc/net.h>.
-
- 119. [cleanup] structure definitions for generic rdata stuctures do
- not have _generic_ in their names.
-
- 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
- YACC crust (yyparse, etc) [2000-apr-27 explorer]
-
- 117. [cleanup] libdns.a changes:
- dns_zone_clearnotify() and dns_zone_addnotify()
- are replaced by dns_zone_setnotifyalso().
- dns_zone_clearmasters() and dns_zone_addmaster()
- are replaced by dns_zone_setmasters().
-
- 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
- on Unix systems).
-
- 115. [port] Shut up the -Wmissing-declarations warning about
- <stdio.h>'s __sputaux on BSD/OS pre-4.1.
-
- 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
- <isc/list.h>.
-
- 113. [func] Utility programs dig and host added.
-
- 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
-
- 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
- <isc/mutex.h>.
-
- 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
- <isc/list.h>.
-
- 109. [bug] "make depend" did nothing for
- bin/tests/{db,mem,sockaddr,tasks,timers}/.
-
- 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
- <dns/types.h> to <dns/bit.h> and renamed to
- DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
-
- 107. [func] Add keysigner and keysettool.
-
- 106. [func] Allow dnssec verifications to ignore the validity
- period. Used by several of the dnssec tools.
-
- 105. [doc] doc/dev/coding.html expanded with other
- implicit conventions the developers have used.
-
- 104. [bug] Made compress_add and compress_find static to
- lib/dns/compress.c.
-
- 103. [func] libisc buffer API changes for <isc/buffer.h>:
- Added:
- isc_buffer_base(b) (pointer)
- isc_buffer_current(b) (pointer)
- isc_buffer_active(b) (pointer)
- isc_buffer_used(b) (pointer)
- isc_buffer_length(b) (int)
- isc_buffer_usedlength(b) (int)
- isc_buffer_consumedlength(b) (int)
- isc_buffer_remaininglength(b) (int)
- isc_buffer_activelength(b) (int)
- isc_buffer_availablelength(b) (int)
- Removed:
- ISC_BUFFER_USEDCOUNT(b)
- ISC_BUFFER_AVAILABLECOUNT(b)
- isc_buffer_type(b)
- Changed names:
- isc_buffer_used(b, r) ->
- isc_buffer_usedregion(b, r)
- isc_buffer_available(b, r) ->
- isc_buffer_available_region(b, r)
- isc_buffer_consumed(b, r) ->
- isc_buffer_consumedregion(b, r)
- isc_buffer_active(b, r) ->
- isc_buffer_activeregion(b, r)
- isc_buffer_remaining(b, r) ->
- isc_buffer_remainingregion(b, r)
-
- Buffer types were removed, so the ISC_BUFFERTYPE_*
- macros are no more, and the type argument to
- isc_buffer_init and isc_buffer_allocate were removed.
- isc_buffer_putstr is now void (instead of isc_result_t)
- and requires that the caller ensure that there
- is enough available buffer space for the string.
-
- 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
- on BSD/OS 4.1.
-
- 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
-
- 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
- <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
-
- 99. [cleanup] Rate limiter now has separate shutdown() and
- destroy() functions, and it guarantees that all
- queued events are delivered even in the shutdown case.
-
- 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
- unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
-
- 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
- <isc/event.h>.
-
- 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
-
- 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
-
- 94. [cleanup] Some installed header files did not compile as C++.
-
- 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
-
- 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
- or <isc/result.h>.
-
- 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
- <isc/result.h>.
-
- 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
- from <named/listenlist.h>.
-
- 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
-
- 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
- <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
- moved to <isc/types.h>.
-
- 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
- <isc/mem.h> or <isc/result.h>.
-
- 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
- <isc/types.h>.
-
- 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
- <isc/list.h>, <isc/mem.h>, <isc/region.h> or
- <isc/int.h>.
-
- 84. [func] allow-query ACL checks now apply to all data
- added to a response.
-
- 83. [func] If the server is authoritative for both a
- delegating zone and its (nonsecure) delegatee, and
- a query is made for a KEY RR at the top of the
- delegatee, then the server will look for a KEY
- in the delegator if it is not found in the delegatee.
-
- 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
-
- 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
- <isc/lang.h>.
-
- 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
-
- 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
-
- 78. [cleanup] lwres_conftest renamed to lwresconf_test for
- consistency with other *_test programs.
-
- 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
- <isc/time.h> to <isc/types.h>.
-
- 76. [cleanup] Rewrote keygen.
-
- 75. [func] Don't load a zone if its database file is older
- than the last time the zone was loaded.
-
- 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
- subsumed by file.o.
-
- 73. [func] New "file" API in libisc, including new function
- isc_file_getmodtime, isc_mktemplate renamed to
- isc_file_mktemplate and isc_ufile renamed to
- isc_file_openunique. By no means an exhaustive API,
- it is just what's needed for now.
-
- 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
- added for dns_rbt_findnode, the former to disable the
- setting of the chain to the predecessor, and the
- latter to make clear when no options are set.
-
- 71. [cleanup] Made explicit the implicit REQUIREs of
- isc_time_seconds, isc_time_nanoseconds, and
- isc_time_subtract.
-
- 70. [func] isc_time_set() added.
-
- 69. [bug] The zone object's master and also-notify lists grew
- longer with each server reload.
-
- 68. [func] Partial support for SIG(0) on incoming messages.
-
- 67. [performance] Allow use of alternate (compile-time supplied)
- OpenSSL libraries/headers.
-
- 66. [func] Data in authoritative zones should have a trust level
- beyond secure.
-
- 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
- from <dns/types.h>.
-
- 64. [func] The RBT, DB, and zone table APIs now allow the
- caller find the most-enclosing superdomain of
- a name.
-
- 63. [func] Generate NOTIFY messages.
-
- 62. [func] Add UDP refresh support.
-
- 61. [cleanup] Use single quotes consistently in log messages.
-
- 60. [func] Catch and disallow singleton types on message
- parse.
-
- 59. [bug] Cause net/host unreachable to be a hard error
- when sending and receiving.
-
- 58. [bug] bin/named/query.c could sometimes trigger the
- (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
- == 0 assertion in query_newname().
-
- 57. [func] Added dns_nxt_typepresent()
-
- 56. [bug] SIG records were not properly returned in cached
- negative answers.
-
- 55. [bug] Responses containing multiple names in the authority
- section were not negatively cached.
-
- 54. [bug] If a fetch with sigrdataset==NULL joined one with
- sigrdataset!=NULL or vice versa, the resolver
- could catch an assertion or lose signature data,
- respectively.
-
- 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
- <sys/param.h>.
-
- 52. [bug] rndc: taskmgr and socketmgr were not initialized
- to NULL.
-
- 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
- dns/rbt.h; it was needed only by compress.c and zt.c.
-
- 50. [func] RBT deletion no longer requires a valid chain to work,
- and dns_rbt_deletenode was added.
-
- 49. [func] Each cache now has its own mctx.
-
- 48. [func] isc_task_create() no longer takes an mctx.
- isc_task_mem() has been eliminated.
-
- 47. [func] A number of modules now use memory context reference
- counting.
-
- 46. [func] Memory contexts are now reference counted.
- Added isc_mem_inuse() and isc_mem_preallocate().
- Renamed isc_mem_destroy_check() to
- isc_mem_setdestroycheck().
-
- 45. [bug] The trusted-key statement incorrectly loaded keys.
-
- 44. [bug] Don't include authority data if it would force us
- to unset the AD bit in the message.
-
- 43. [bug] DNSSEC verification of cached rdatasets was failing.
-
- 42. [cleanup] Simplified logging of messages with embedded domain
- names by introducing a new convenience function
- dns_name_format().
-
- 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
- to allow 'named' to run as a non-root user while
- retaining the ability to bind() to privileged
- ports.
-
- 40. [func] Introduced new logging category "dnssec" and
- logging module "dns/validator".
-
- 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
- and isc_lex_t to <isc/types.h>.
-
- 38. [bug] TSIG signed incoming zone transfers work now.
-
- 37. [bug] If the first RR in an incoming zone transfer was
- not an SOA, the server died with an assertion failure
- instead of just reporting an error.
-
- 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
-
- 35. [performance] Log messages which are of a level too high to be
- logged by any channel in the logging configuration
- will not cause the log mutex to be locked.
-
- 34. [bug] Recursion was allowed even with 'recursion no'.
-
- 33. [func] The RBT now maintains a parent pointer at each node.
-
- 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
- prototype.
-
- 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
-
- 30. [func] config file grammer change to support optional
- class type for a view.
-
- 29. [func] support new config file view options:
-
- auth-nxdomain recursion query-source
- query-source-v6 transfer-source
- transfer-source-v6 max-transfer-time-out
- max-transfer-idle-out transfer-format
- request-ixfr provide-ixfr cleaning-interval
- fetch-glue notify rfc2308-type1 lame-ttl
- max-ncache-ttl min-roots
-
- 28. [func] support lame-ttl, min-roots and serial-queries
- config global options.
-
- 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
- Including it on other platforms (eg, NetBSD) can
- cause a forced #error from the C preprocessor.
-
- 26. [func] new match-clients statement in config file view.
-
- 25. [bug] make install failed to install <isc/log.h> and
- <isc/ondestroy.h>.
-
- 24. [cleanup] Eliminate some unnecessary #includes of header
- files from header files.
-
- 23. [cleanup] Provide more context in log messages about client
- requests, using a new function ns_client_log().
-
- 22. [bug] SIGs weren't returned in the answer section when
- the query resulted in a fetch.
-
- 21. [port] Look at STD_CINCLUDES after CINCLUDES during
- compilation, so additional system include directories
- can be searched but header files in the bind9 source
- tree with conflicting names take precedence. This
- avoids issues with installed versions of dnssafe and
- openssl.
-
- 20. [func] Configuration file post-load validation of zones
- failed if there were no zones.
-
- 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
- lock in certain error cases.
-
- 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
- configure.in to check for presence of in6addr_any.
-
- 17. [func] Do configuration file post-load validation of zones.
-
- 16. [bug] put quotes around key names on config file
- output to avoid possible keyword clashes.
-
- 15. [func] Add dns_name_dupwithoffsets(). This function is
- improves comparison performance for duped names.
-
- 14. [bug] free_rbtdb() could have 'put' unallocated memory in
- an unlikely error path.
-
- 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
- out-of-zone data.
-
- 12. [bug] Fixed possible unitialized variable error.
-
- 11. [bug] axfr_rrstream_first() didn't check the result code of
- db_rr_iterator_first(), possibly causing an assertion
- to be triggered later.
-
- 10. [bug] A bug in the code which makes EDNS0 OPT records in
- bin/named/client.c and lib/dns/resolver.c could
- trigger an assertion.
-
- 9. [cleanup] replaced bit-setting code in confctx.c and replaced
- repeated code with macro calls.
-
- 8. [bug] Shutdown of incoming zone transfer accessed
- freed memory.
-
- 7. [cleanup] removed 'listen-on' from view statement.
-
- 6. [bug] quote RR names when generating config file to
- prevent possible clash with config file keywords
- (such as 'key').
-
- 5. [func] syntax change to named.conf file: new ssu grant/deny
- statements must now be enclosed by an 'update-policy'
- block.
-
- 4. [port] bin/named/unix/os.c didn't compile on systems with
- linux 2.3 kernel includes due to conflicts between
- C library includes and the kernel includes. We now
- get only what we need from <linux/capability.h>, and
- avoid pulling in other linux kernel .h files.
-
- 3. [bug] TKEYs go in the answer section of responses, not
- the additional section.
-
- 2. [bug] Generating cryptographic randomness failed on
- systems without /dev/random.
-
- 1. [bug] The installdirs rule in
- lib/isc/unix/include/isc/Makefile.in had a typo which
- prevented the isc directory from being created if it
- didn't exist.
-
- --- 9.0.0b2 released ---
-
-# This tells Emacs to use hard tabs in this file.
-# Local Variables:
-# indent-tabs-mode: t
-# End:
diff --git a/contrib/bind9/COPYRIGHT b/contrib/bind9/COPYRIGHT
deleted file mode 100644
index 484dac8e4517..000000000000
--- a/contrib/bind9/COPYRIGHT
+++ /dev/null
@@ -1,30 +0,0 @@
-Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 1996-2003 Internet Software Consortium.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
-
-$Id: COPYRIGHT,v 1.6.2.2.8.3 2005/01/10 23:51:37 marka Exp $
-
-Portions Copyright (C) 1996-2001 Nominum, Inc.
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/contrib/bind9/FAQ b/contrib/bind9/FAQ
deleted file mode 100644
index 9b806cbde533..000000000000
--- a/contrib/bind9/FAQ
+++ /dev/null
@@ -1,525 +0,0 @@
-Frequently Asked Questions about BIND 9
-
--------------------------------------------------------------------------------
-
-Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
-
-A: Linux threads do not fully implement the Posix threads (pthreads) standard.
- In particular, setuid() operates only on the current thread, not the full
- process. Because of this limitation, BIND 9 cannot use setuid() on Linux as
- it can on all other supported platforms. setuid() cannot be called before
- creating threads, since the server does not start listening on reserved
- ports until after threads have started.
-
- In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
- capabilities across a setuid() call is present. This allows BIND 9 to call
- setuid() early, while retaining the ability to bind reserved ports. This is
- a Linux-specific hack.
-
- On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
- of a security risk than a root process that has not dropped privileges.
-
- If Linux threads ever work correctly, this restriction will go away.
-
- Configuring BIND9 with the --disable-threads option (the default) causes a
- non-threaded version to be built, which will allow -u to be used.
-
-Q: Why does named log the warning message "no TTL specified - using SOA MINTTL
- instead"?
-
-A: Your zone file is illegal according to RFC1035. It must either have a line
- like:
-
- $TTL 86400
-
- at the beginning, or the first record in it must have a TTL field, like the
- "84600" in this example:
-
- example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
-
-Q: Why do I see 5 (or more) copies of named on Linux?
-
-A: Linux threads each show up as a process under ps. The approximate number of
- threads running is n+4, where n is the number of CPUs. Note that the amount
- of memory used is not cumulative; if each process is using 10M of memory,
- only a total of 10M is used.
-
-Q: Why does BIND 9 log "permission denied" errors accessing its configuration
- files or zones on my Linux system even though it is running as root?
-
-A: On Linux, BIND 9 drops most of its root privileges on startup. This
- including the privilege to open files owned by other users. Therefore, if
- the server is running as root, the configuration files and zone files should
- also be owned by root.
-
-Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
- bar: ran out of space"?
-
-A: This is often caused by TXT records with missing close quotes. Check that
- all TXT records containing quoted strings have both open and close quotes.
-
-Q: How do I produce a usable core file from a multithreaded named on Linux?
-
-A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps are usable
- (that is, the correct thread is dumped). Otherwise, if using a 2.2 kernel,
- apply the kernel patch found in contrib/linux/coredump-patch and rebuild the
- kernel. This patch will cause multithreaded programs to dump the correct
- thread.
-
-Q: How do I restrict people from looking up the server version?
-
-A: Put a "version" option containing something other than the real version in
- the "options" section of named.conf. Note doing this will not prevent
- attacks and may impede people trying to diagnose problems with your server.
- Also it is possible to "fingerprint" nameservers to determine their version.
-
-Q: How do I restrict only remote users from looking up the server version?
-
-A: The following view statement will intercept lookups as the internal view
- that holds the version information will be matched last. The caveats of the
- previous answer still apply, of course.
-
- view "chaos" chaos {
- match-clients { <those to be refused>; };
- allow-query { none; };
- zone "." {
- type hint;
- file "/dev/null"; // or any empty file
- };
- };
-
-Q: What do "no source of entropy found" or "could not open entropy source foo"
- mean?
-
-A: The server requires a source of entropy to perform certain operations,
- mostly DNSSEC related. These messages indicate that you have no source of
- entropy. On systems with /dev/random or an equivalent, it is used by
- default. A source of entropy can also be defined using the random-device
- option in named.conf.
-
-Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
-
-A: BIND 9 is installed under /usr/local by default. BIND 8 is often installed
- under /usr. Check that the correct named is running.
-
-Q: I'm trying to use TSIG to authenticate dynamic updates or zone transfers.
- I'm sure I have the keys set up correctly, but the server is rejecting the
- TSIG. Why?
-
-A: This may be a clock skew problem. Check that the the clocks on the client
- and server are properly synchronised (e.g., using ntp).
-
-Q: I'm trying to compile BIND 9, and "make" is failing due to files not being
- found. Why?
-
-A: Using a parallel or distributed "make" to build BIND 9 is not supported, and
- doesn't work. If you are using one of these, use normal make or gmake
- instead.
-
-Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is logging
- error messages like "notify to 10.0.0.1#53 failed: unexpected end of input".
- What's wrong?
-
-A: This error message is caused by a known bug in BIND 8.2.3 and is fixed in
- BIND 8.2.4. It can be safely ignored - the notify has been acted on by the
- slave despite the error message.
-
-Q: I keep getting log messages like the following. Why?
-
- Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': update
- failed: 'RRset exists (value dependent)' prerequisite not satisfied
- (NXRRSET)
-
-A: DNS updates allow the update request to test to see if certain conditions
- are met prior to proceeding with the update. The message above is saying
- that conditions were not met and the update is not proceeding. See doc/rfc/
- rfc2136.txt for more details on prerequisites.
-
-Q: I keep getting log messages like the following. Why?
-
- Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
-
-A: Someone is trying to update your DNS data using the RFC2136 Dynamic Update
- protocol. Windows 2000 machines have a habit of sending dynamic update
- requests to DNS servers without being specifically configured to do so. If
- the update requests are coming from a Windows 2000 machine, see http://
- support.microsoft.com/support/kb/articles/q246/8/04.asp for information
- about how to turn them off.
-
-Q: I see a log message like the following. Why?
-
- couldn't open pid file '/var/run/named.pid': Permission denied
-
-A: You are most likely running named as a non-root user, and that user does not
- have permission to write in /var/run. The common ways of fixing this are to
- create a /var/run/named directory owned by the named user and set pid-file
- to "/var/run/named/named.pid", or set pid-file to "named.pid", which will
- put the file in the directory specified by the directory option (which, in
- this case, must be writable by the named user).
-
-Q: When I do a "dig . ns", many of the A records for the root servers are
- missing. Why?
-
-A: This is normal and harmless. It is a somewhat confusing side effect of the
- way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 makes to
- avoid promoting glue into answers.
-
- When BIND 9 first starts up and primes its cache, it receives the root
- server addresses as additional data in an authoritative response from a root
- server, and these records are eligible for inclusion as additional data in
- responses. Subsequently it receives a subset of the root server addresses as
- additional data in a non-authoritative (referral) response from a root
- server. This causes the addresses to now be considered non-authoritative
- (glue) data, which is not eligible for inclusion in responses.
-
- The server does have a complete set of root server addresses cached at all
- times, it just may not include all of them as additional data, depending on
- whether they were last received as answers or as glue. You can always look
- up the addresses with explicit queries like "dig a.root-servers.net A".
-
-Q: Zone transfers from my BIND 9 master to my Windows 2000 slave fail. Why?
-
-A: This may be caused by a bug in the Windows 2000 DNS server where DNS
- messages larger than 16K are not handled properly. This can be worked around
- by setting the option "transfer-format one-answer;". Also check whether your
- zone contains domain names with embedded spaces or other special characters,
- like "John\032Doe\213s\032Computer", since such names have been known to
- cause Windows 2000 slaves to incorrectly reject the zone.
-
-Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
-
-A: A zone can be updated either by editing zone files and reloading the server
- or by dynamic update, but not both. If you have enabled dynamic update for a
- zone using the "allow-update" option, you are not supposed to edit the zone
- file by hand, and the server will not attempt to reload it.
-
-Q: I can query the nameserver from the nameserver but not from other machines.
- Why?
-
-A: This is usually the result of the firewall configuration stopping the
- queries and / or the replies.
-
-Q: How can I make a server a slave for both an internal and an external view at
- the same time? When I tried, both views on the slave were transferred from
- the same view on the master.
-
-A: You will need to give the master and slave multiple IP addresses and use
- those to make sure you reach the correct view on the other machine.
-
- Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.1;
- transfer-source 10.0.1.1;
- query-source address 10.0.1.1;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.2;
- transfer-source 10.0.1.2;
- query-source address 10.0.1.2;
-
- Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.3;
- transfer-source 10.0.1.3;
- query-source address 10.0.1.3;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.4;
- transfer-source 10.0.1.4;
- query-source address 10.0.1.4;
-
- You put the external address on the alias so that all the other dns clients
- on these boxes see the internal view by default.
-
-A: BIND 9.3 and later: Use TSIG to select the appropriate view.
-
- Master 10.0.1.1:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- ...
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.0.2 { keys external; };
- recursion no;
- ...
- };
-
- Slave 10.0.1.2:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- ...
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.0.1 { keys external; };
- recursion no;
- ...
- };
-
-Q: I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
-
-A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to use
- certain interrupts as a source of random events. You can make this permanent
- by setting rand_irqs in /etc/rc.conf.
-
- /etc/rc.conf
- rand_irqs="3 14 15"
-
- See also http://people.freebsd.org/~dougb/randomness.html
-
-Q: Why is named listening on UDP port other than 53?
-
-A: Named uses a system selected port to make queries of other nameservers. This
- behaviour can be overridden by using query-source to lock down the port and/
- or address. See also notify-source and transfer-source.
-
-Q: I get error messages like "multiple RRs of singleton type" and "CNAME and
- other data" when transferring a zone. What does this mean?
-
-A: These indicate a malformed master zone. You can identify the exact records
- involved by transferring the zone using dig then running named-checkzone on
- it.
-
- dig axfr example.com @master-server > tmp
- named-checkzone example.com tmp
-
- A CNAME record cannot exist with the same name as another record except for
- the DNSSEC records which prove its existance (NSEC).
-
- RFC 1034, Section 3.6.2: "If a CNAME RR is present at a node, no other data
- should be present; this ensures that the data for a canonical name and its
- aliases cannot be different. This rule also insures that a cached CNAME can
- be used without checking with an authoritative server for other RR types."
-
-Q: I get error messages like "named.conf:99: unexpected end of input" where 99
- is the last line of named.conf.
-
-A: Some text editors (notepad and wordpad) fail to put a line title indication
- (e.g. CR/LF) on the last line of a text file. This can be fixed by "adding"
- a blank line to the end of the file. Named expects to see EOF immediately
- after EOL and treats text files where this is not met as truncated.
-
-Q: I get warning messages like "zone example.com/IN: refresh: failure trying
- master 1.2.3.4#53: timed out".
-
-A: Check that you can make UDP queries from the slave to the master
-
- dig +norec example.com soa @1.2.3.4
-
- You could be generating queries faster than the slave can cope with. Lower
- the serial query rate.
-
- serial-query-rate 5; // default 20
-
-Q: How do I share a dynamic zone between multiple views?
-
-A: You choose one view to be master and the second a slave and transfer the
- zone between views.
-
- Master 10.0.1.1:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
-
- key "mykey" {
- algorithm hmac-md5;
- secret "yyyyyyyy";
- };
-
- view "internal" {
- match-clients { !external; 10.0.1/24; };
- server 10.0.1.1 {
- /* Deliver notify messages to external view. */
- keys { external; };
- };
- zone "example.com" {
- type master;
- file "internal/example.db";
- allow-update { key mykey; };
- notify-also { 10.0.1.1; };
- };
- };
-
- view "external" {
- match-clients { external; any; };
- zone "example.com" {
- type slave;
- file "external/example.db";
- masters { 10.0.1.1; };
- transfer-source { 10.0.1.1; };
- // allow-update-forwarding { any; };
- // allow-notify { ... };
- };
- };
-
-Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
- file primaries/wireless.ietf56.ietf.org: no owner".
-
-A: This error is produced when a line in the master file contains leading white
- space (tab/space) but the is no current record owner name to inherit the
- name from. Usually this is the result of putting white space before a
- comment. Forgeting the "@" for the SOA record or indenting the master file.
-
-Q: Why are my logs in GMT (UTC).
-
-A: You are running chrooted (-t) and have not supplied local timzone
- information in the chroot area.
-
- FreeBSD: /etc/localtime
- Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
- OSF: /etc/zoneinfo/localtime
-
- See also tzset(3) and zic(8).
-
-Q: I get the error message "named: capset failed: Operation not permitted" when
- starting named.
-
-A: The capability module, part of "Linux Security Modules/LSM", has not been
- loaded into the kernel. See insmod(8).
-
-Q: I get "rndc: connect failed: connection refused" when I try to run rndc.
-
-A: This is usually a configuration error.
-
- First ensure that named is running and no errors are being reported at
- startup (/var/log/messages or equivalent). Running "named -g <usual
- arguments>" from a title can help at this point.
-
- Secondly ensure that named is configured to use rndc either by "rndc-confgen
- -a", rndc-confgen or manually. The Administrators Reference manual has
- details on how to do this.
-
- Old versions of rndc-confgen used localhost rather than 127.0.0.1 in /etc/
- rndc.conf for the default server. Update /etc/rndc.conf if necessary so that
- the default server listed in /etc/rndc.conf matches the addresses used in
- named.conf. "localhost" has two address (127.0.0.1 and ::1).
-
- If you use "rndc-confgen -a" and named is running with -t or -u ensure that
- /etc/rndc.conf has the correct ownership and that a copy is in the chroot
- area. You can do this by re-running "rndc-confgen -a" with appropriate -t
- and -u arguments.
-
-Q: I don't get RRSIG's returned when I use "dig +dnssec".
-
-A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
-
-Q: I get "Error 1067" when starting named under Windows.
-
-A: This is the service manager saying that named exited. You need to examine
- the Application log in the EventViewer to find out why.
-
- Common causes are that you failed to create "named.conf" (usually "C:\
- windows\dns\etc\named.conf") or failed to specify the directory in
- named.conf.
-
- options {
- Directory "C:\windows\dns\etc";
- };
-
-Q: I get "transfer of 'example.net/IN' from 192.168.4.12#53: failed while
- receiving responses: permission denied" error messages.
-
-A: These indicate a filesystem permission error preventing named creating /
- renaming the temporary file. These will usually also have other associated
- error messages like
-
- "dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"
-
- Named needs write permission on the directory containing the file. Named
- writes the new cache file to a temporary file then renames it to the name
- specified in named.conf to ensure that the contents are always complete.
- This is to prevent named loading a partial zone in the event of power
- failure or similar interrupting the write of the master file.
-
- Note file names are relative to the directory specified in options and any
- chroot directory ([<chroot dir>/][<options dir>]).
-
- If named is invoked as "named -t /chroot/DNS" with the following named.conf
- then "/chroot/DNS/var/named/sl" needs to be writable by the user named is
- running as.
-
- options {
- directory "/var/named";
- };
-
- zone "example.net" {
- type slave;
- file "sl/example.net";
- masters { 192.168.4.12; };
- };
-
-Q: How do I intergrate BIND 9 and Solaris SMF
-
-A: Sun has a blog entry describing how to do this.
-
- http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
-
-Q: Can a NS record refer to a CNAME.
-
-A: No. The rules for glue (copies of the *address* records in the parent zones)
- and additional section processing do not allow it to work.
-
- You would have to add both the CNAME and address records (A/AAAA) as glue to
- the parent zone and have CNAMEs be followed when doing additional section
- processing to make it work. No namesever implementation supports either of
- these requirements.
-
-Q: What does "RFC 1918 response from Internet for 0.0.0.10.IN-ADDR.ARPA" mean?
-
-A: If the IN-ADDR.ARPA name covered refers to a internal address space you are
- using then you have failed to follow RFC 1918 usage rules and are leaking
- queries to the Internet. You should establish your own zones for these
- addresses to prevent you quering the Internet's name servers for these
- addresses. Please see http://as112.net/ for details of the problems you are
- causing and the counter measures that have had to be deployed.
-
- If you are not using these private addresses then a client has queried for
- them. You can just ignore the messages, get the offending client to stop
- sending you these messages as they are most probably leaking them or setup
- your own zones empty zones to serve answers to these queries.
-
- zone "10.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
-
- zone "16.172.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
-
- ...
-
- zone "31.172.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
-
- zone "168.192.IN-ADDR.ARPA" {
- type master;
- file "empty";
- };
-
- empty:
- @ 10800 IN SOA <name-of-server>. <contact-email>. (
- 1 3600 1200 604800 10800 )
- @ 10800 IN NS <name-of-server>.
-
- Note
-
- Future versions of named are likely to do this automatically.
-
diff --git a/contrib/bind9/FAQ.xml b/contrib/bind9/FAQ.xml
deleted file mode 100644
index 963cd0a8c40d..000000000000
--- a/contrib/bind9/FAQ.xml
+++ /dev/null
@@ -1,1007 +0,0 @@
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
- "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: FAQ.xml,v 1.4.6.3 2005/11/02 22:53:51 marka Exp $ -->
-
-<article class="faq">
- <title>Frequently Asked Questions about BIND 9</title>
- <qandaset defaultlabel='qanda'>
- <qandaentry>
- <question>
- <para>
- Why doesn't -u work on Linux 2.2.x when I build with
- --enable-threads?
- </para>
- </question>
- <answer>
- <para>
- Linux threads do not fully implement the Posix threads
- (pthreads) standard. In particular, setuid() operates only
- on the current thread, not the full process. Because of
- this limitation, BIND 9 cannot use setuid() on Linux as it
- can on all other supported platforms. setuid() cannot be
- called before creating threads, since the server does not
- start listening on reserved ports until after threads have
- started.
- </para>
- <para>
- In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability
- to preserve capabilities across a setuid() call is present.
- This allows BIND 9 to call setuid() early, while retaining
- the ability to bind reserved ports. This is a Linux-specific
- hack.
- </para>
- <para>
- On a 2.2 kernel, BIND 9 does drop many root privileges, so
- it should be less of a security risk than a root process
- that has not dropped privileges.
- </para>
- <para>
- If Linux threads ever work correctly, this restriction will
- go away.
- </para>
- <para>
- Configuring BIND9 with the --disable-threads option (the
- default) causes a non-threaded version to be built, which
- will allow -u to be used.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why does named log the warning message <quote>no TTL specified -
- using SOA MINTTL instead</quote>?
- </para>
- </question>
- <answer>
- <para>
- Your zone file is illegal according to RFC1035. It must either
- have a line like:
- </para>
- <informalexample>
- <programlisting>
-$TTL 86400</programlisting>
- </informalexample>
- <para>
- at the beginning, or the first record in it must have a TTL field,
- like the "84600" in this example:
- </para>
- <informalexample>
- <programlisting>
-example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )</programlisting>
- </informalexample>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why do I see 5 (or more) copies of named on Linux?
- </para>
- </question>
- <answer>
- <para>
- Linux threads each show up as a process under ps. The
- approximate number of threads running is n+4, where n is
- the number of CPUs. Note that the amount of memory used
- is not cumulative; if each process is using 10M of memory,
- only a total of 10M is used.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why does BIND 9 log <quote>permission denied</quote> errors accessing
- its configuration files or zones on my Linux system even
- though it is running as root?
- </para>
- </question>
- <answer>
- <para>
- On Linux, BIND 9 drops most of its root privileges on
- startup. This including the privilege to open files owned
- by other users. Therefore, if the server is running as
- root, the configuration files and zone files should also
- be owned by root.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why do I get errors like <quote>dns_zone_load: zone foo/IN: loading
- master file bar: ran out of space</quote>?
- </para>
- </question>
- <answer>
- <para>
- This is often caused by TXT records with missing close
- quotes. Check that all TXT records containing quoted strings
- have both open and close quotes.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I produce a usable core file from a multithreaded
- named on Linux?
- </para>
- </question>
- <answer>
- <para>
- If the Linux kernel is 2.4.7 or newer, multithreaded core
- dumps are usable (that is, the correct thread is dumped).
- Otherwise, if using a 2.2 kernel, apply the kernel patch
- found in contrib/linux/coredump-patch and rebuild the kernel.
- This patch will cause multithreaded programs to dump the
- correct thread.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I restrict people from looking up the server version?
- </para>
- </question>
- <answer>
- <para>
- Put a "version" option containing something other than the
- real version in the "options" section of named.conf. Note
- doing this will not prevent attacks and may impede people
- trying to diagnose problems with your server. Also it is
- possible to "fingerprint" nameservers to determine their
- version.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I restrict only remote users from looking up the
- server version?
- </para>
- </question>
- <answer>
- <para>
- The following view statement will intercept lookups as the
- internal view that holds the version information will be
- matched last. The caveats of the previous answer still
- apply, of course.
- </para>
- <informalexample>
- <programlisting>
-view "chaos" chaos {
- match-clients { &lt;those to be refused&gt;; };
- allow-query { none; };
- zone "." {
- type hint;
- file "/dev/null"; // or any empty file
- };
-};</programlisting>
- </informalexample>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- What do <quote>no source of entropy found</quote> or <quote>could not
- open entropy source foo</quote> mean?
- </para>
- </question>
- <answer>
- <para>
- The server requires a source of entropy to perform certain
- operations, mostly DNSSEC related. These messages indicate
- that you have no source of entropy. On systems with
- /dev/random or an equivalent, it is used by default. A
- source of entropy can also be defined using the random-device
- option in named.conf.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I installed BIND 9 and restarted named, but it's still BIND 8. Why?
- </para>
- </question>
- <answer>
- <para>
- BIND 9 is installed under /usr/local by default. BIND 8
- is often installed under /usr. Check that the correct named
- is running.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I'm trying to use TSIG to authenticate dynamic updates or
- zone transfers. I'm sure I have the keys set up correctly,
- but the server is rejecting the TSIG. Why?
- </para>
- </question>
- <answer>
- <para>
- This may be a clock skew problem. Check that the the clocks
- on the client and server are properly synchronised (e.g.,
- using ntp).
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I'm trying to compile BIND 9, and "make" is failing due to
- files not being found. Why?
- </para>
- </question>
- <answer>
- <para>
- Using a parallel or distributed "make" to build BIND 9 is
- not supported, and doesn't work. If you are using one of
- these, use normal make or gmake instead.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I have a BIND 9 master and a BIND 8.2.3 slave, and the
- master is logging error messages like <quote>notify to 10.0.0.1#53
- failed: unexpected end of input</quote>. What's wrong?
- </para>
- </question>
- <answer>
- <para>
- This error message is caused by a known bug in BIND 8.2.3
- and is fixed in BIND 8.2.4. It can be safely ignored - the
- notify has been acted on by the slave despite the error
- message.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I keep getting log messages like the following. Why?
- </para>
- <para>
- Dec 4 23:47:59 client 10.0.0.1#1355: updating zone
- 'example.com/IN': update failed: 'RRset exists (value
- dependent)' prerequisite not satisfied (NXRRSET)
- </para>
- </question>
- <answer>
- <para>
- DNS updates allow the update request to test to see if
- certain conditions are met prior to proceeding with the
- update. The message above is saying that conditions were
- not met and the update is not proceeding. See doc/rfc/rfc2136.txt
- for more details on prerequisites.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I keep getting log messages like the following. Why?
- </para>
- <para>
- Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
- </para>
- </question>
- <answer>
- <para>
- Someone is trying to update your DNS data using the RFC2136
- Dynamic Update protocol. Windows 2000 machines have a habit
- of sending dynamic update requests to DNS servers without
- being specifically configured to do so. If the update
- requests are coming from a Windows 2000 machine, see
- <ulink
- url="http://support.microsoft.com/support/kb/articles/q246/8/04.asp">
- http://support.microsoft.com/support/kb/articles/q246/8/04.asp
- </ulink>
- for information about how to turn them off.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I see a log message like the following. Why?
- </para>
- <para>
- couldn't open pid file '/var/run/named.pid': Permission denied
- </para>
- </question>
- <answer>
- <para>
- You are most likely running named as a non-root user, and
- that user does not have permission to write in /var/run.
- The common ways of fixing this are to create a /var/run/named
- directory owned by the named user and set pid-file to
- "/var/run/named/named.pid", or set pid-file to "named.pid",
- which will put the file in the directory specified by the
- directory option (which, in this case, must be writable by
- the named user).
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- When I do a "dig . ns", many of the A records for the root
- servers are missing. Why?
- </para>
- </question>
- <answer>
- <para>
- This is normal and harmless. It is a somewhat confusing
- side effect of the way BIND 9 does RFC2181 trust ranking
- and of the efforts BIND 9 makes to avoid promoting glue
- into answers.
- </para>
- <para>
- When BIND 9 first starts up and primes its cache, it receives
- the root server addresses as additional data in an authoritative
- response from a root server, and these records are eligible
- for inclusion as additional data in responses. Subsequently
- it receives a subset of the root server addresses as
- additional data in a non-authoritative (referral) response
- from a root server. This causes the addresses to now be
- considered non-authoritative (glue) data, which is not
- eligible for inclusion in responses.
- </para>
- <para>
- The server does have a complete set of root server addresses
- cached at all times, it just may not include all of them
- as additional data, depending on whether they were last
- received as answers or as glue. You can always look up the
- addresses with explicit queries like "dig a.root-servers.net A".
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Zone transfers from my BIND 9 master to my Windows 2000
- slave fail. Why?
- </para>
- </question>
- <answer>
- <para>
- This may be caused by a bug in the Windows 2000 DNS server
- where DNS messages larger than 16K are not handled properly.
- This can be worked around by setting the option "transfer-format
- one-answer;". Also check whether your zone contains domain
- names with embedded spaces or other special characters,
- like "John\032Doe\213s\032Computer", since such names have
- been known to cause Windows 2000 slaves to incorrectly
- reject the zone.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why don't my zones reload when I do an "rndc reload" or SIGHUP?
- </para>
- </question>
- <answer>
- <para>
- A zone can be updated either by editing zone files and
- reloading the server or by dynamic update, but not both.
- If you have enabled dynamic update for a zone using the
- "allow-update" option, you are not supposed to edit the
- zone file by hand, and the server will not attempt to reload
- it.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I can query the nameserver from the nameserver but not from other
- machines. Why?
- </para>
- </question>
- <answer>
- <para>
- This is usually the result of the firewall configuration stopping
- the queries and / or the replies.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How can I make a server a slave for both an internal and
- an external view at the same time? When I tried, both views
- on the slave were transferred from the same view on the master.
- </para>
- </question>
- <answer>
- <para>
- You will need to give the master and slave multiple IP
- addresses and use those to make sure you reach the correct
- view on the other machine.
- </para>
- <informalexample>
- <programlisting>
-Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.1;
- transfer-source 10.0.1.1;
- query-source address 10.0.1.1;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.2;
- transfer-source 10.0.1.2;
- query-source address 10.0.1.2;
-
-Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
- internal:
- match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
- notify-source 10.0.1.3;
- transfer-source 10.0.1.3;
- query-source address 10.0.1.3;
- external:
- match-clients { any; };
- recursion no; // don't offer recursion to the world
- notify-source 10.0.1.4;
- transfer-source 10.0.1.4;
- query-source address 10.0.1.4;</programlisting>
- </informalexample>
- <para>
- You put the external address on the alias so that all the other
- dns clients on these boxes see the internal view by default.
- </para>
- </answer>
- <answer>
- <para>
- BIND 9.3 and later: Use TSIG to select the appropriate view.
- </para>
- <informalexample>
- <programlisting>
-Master 10.0.1.1:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- ...
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.0.2 { keys external; };
- recursion no;
- ...
- };
-
-Slave 10.0.1.2:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
- view "internal" {
- match-clients { !key external; 10.0.1/24; };
- ...
- };
- view "external" {
- match-clients { key external; any; };
- server 10.0.0.1 { keys external; };
- recursion no;
- ...
- };</programlisting>
- </informalexample>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I have FreeBSD 4.x and "rndc-confgen -a" just sits there.
- </para>
- </question>
- <answer>
- <para>
- /dev/random is not configured. Use rndcontrol(8) to tell
- the kernel to use certain interrupts as a source of random
- events. You can make this permanent by setting rand_irqs
- in /etc/rc.conf.
- </para>
- <informalexample>
- <programlisting>
-/etc/rc.conf
-rand_irqs="3 14 15"</programlisting>
- </informalexample>
- <para>
- See also
- <ulink url="http://people.freebsd.org/~dougb/randomness.html">
- http://people.freebsd.org/~dougb/randomness.html
- </ulink>
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why is named listening on UDP port other than 53?
- </para>
- </question>
- <answer>
- <para>
- Named uses a system selected port to make queries of other
- nameservers. This behaviour can be overridden by using
- query-source to lock down the port and/or address. See
- also notify-source and transfer-source.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get error messages like <quote>multiple RRs of singleton type</quote>
- and <quote>CNAME and other data</quote> when transferring a zone. What
- does this mean?
- </para>
- </question>
- <answer>
- <para>
- These indicate a malformed master zone. You can identify
- the exact records involved by transferring the zone using
- dig then running named-checkzone on it.
- </para>
- <informalexample>
- <programlisting>
-dig axfr example.com @master-server &gt; tmp
-named-checkzone example.com tmp</programlisting>
- </informalexample>
- <para>
- A CNAME record cannot exist with the same name as another record
- except for the DNSSEC records which prove its existance (NSEC).
- </para>
- <para>
- RFC 1034, Section 3.6.2: <quote>If a CNAME RR is present at a node,
- no other data should be present; this ensures that the data for a
- canonical name and its aliases cannot be different. This rule also
- insures that a cached CNAME can be used without checking with an
- authoritative server for other RR types.</quote>
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get error messages like <quote>named.conf:99: unexpected end
- of input</quote> where 99 is the last line of named.conf.
- </para>
- </question>
- <answer>
- <para>
- Some text editors (notepad and wordpad) fail to put a line
- title indication (e.g. CR/LF) on the last line of a
- text file. This can be fixed by "adding" a blank line to
- the end of the file. Named expects to see EOF immediately
- after EOL and treats text files where this is not met as
- truncated.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get warning messages like <quote>zone example.com/IN: refresh:
- failure trying master 1.2.3.4#53: timed out</quote>.
- </para>
- </question>
- <answer>
- <para>
- Check that you can make UDP queries from the slave to the master
- </para>
- <informalexample>
- <programlisting>
-dig +norec example.com soa @1.2.3.4</programlisting>
- </informalexample>
- <para>
- You could be generating queries faster than the slave can
- cope with. Lower the serial query rate.
- </para>
- <informalexample>
- <programlisting>
-serial-query-rate 5; // default 20</programlisting>
- </informalexample>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I share a dynamic zone between multiple views?
- </para>
- </question>
- <answer>
- <para>
- You choose one view to be master and the second a slave and
- transfer the zone between views.
- </para>
- <informalexample>
- <programlisting>
-Master 10.0.1.1:
- key "external" {
- algorithm hmac-md5;
- secret "xxxxxxxx";
- };
-
- key "mykey" {
- algorithm hmac-md5;
- secret "yyyyyyyy";
- };
-
- view "internal" {
- match-clients { !external; 10.0.1/24; };
- server 10.0.1.1 {
- /* Deliver notify messages to external view. */
- keys { external; };
- };
- zone "example.com" {
- type master;
- file "internal/example.db";
- allow-update { key mykey; };
- notify-also { 10.0.1.1; };
- };
- };
-
- view "external" {
- match-clients { external; any; };
- zone "example.com" {
- type slave;
- file "external/example.db";
- masters { 10.0.1.1; };
- transfer-source { 10.0.1.1; };
- // allow-update-forwarding { any; };
- // allow-notify { ... };
- };
- };</programlisting>
- </informalexample>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get a error message like <quote>zone wireless.ietf56.ietf.org/IN:
- loading master file primaries/wireless.ietf56.ietf.org: no
- owner</quote>.
- </para>
- </question>
- <answer>
- <para>
- This error is produced when a line in the master file
- contains leading white space (tab/space) but the is no
- current record owner name to inherit the name from. Usually
- this is the result of putting white space before a comment.
- Forgeting the "@" for the SOA record or indenting the master
- file.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Why are my logs in GMT (UTC).
- </para>
- </question>
- <answer>
- <para>
- You are running chrooted (-t) and have not supplied local timzone
- information in the chroot area.
- </para>
- <simplelist>
- <member>FreeBSD: /etc/localtime</member>
- <member>Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo</member>
- <member>OSF: /etc/zoneinfo/localtime</member>
- </simplelist>
- <para>
- See also tzset(3) and zic(8).
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get the error message <quote>named: capset failed: Operation
- not permitted</quote> when starting named.
- </para>
- </question>
- <answer>
- <para>
- The capability module, part of "Linux Security Modules/LSM",
- has not been loaded into the kernel. See insmod(8).
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get <quote>rndc: connect failed: connection refused</quote> when
- I try to run rndc.
- </para>
- </question>
- <answer>
- <para>
- This is usually a configuration error.
- </para>
- <para>
- First ensure that named is running and no errors are being
- reported at startup (/var/log/messages or equivalent).
- Running "named -g &lt;usual arguments&gt;" from a title
- can help at this point.
- </para>
- <para>
- Secondly ensure that named is configured to use rndc either
- by "rndc-confgen -a", rndc-confgen or manually. The
- Administrators Reference manual has details on how to do
- this.
- </para>
- <para>
- Old versions of rndc-confgen used localhost rather than
- 127.0.0.1 in /etc/rndc.conf for the default server. Update
- /etc/rndc.conf if necessary so that the default server
- listed in /etc/rndc.conf matches the addresses used in
- named.conf. "localhost" has two address (127.0.0.1 and
- ::1).
- </para>
- <para>
- If you use "rndc-confgen -a" and named is running with -t or -u
- ensure that /etc/rndc.conf has the correct ownership and that
- a copy is in the chroot area. You can do this by re-running
- "rndc-confgen -a" with appropriate -t and -u arguments.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I don't get RRSIG's returned when I use "dig +dnssec".
- </para>
- </question>
- <answer>
- <para>
- You need to ensure DNSSEC is enabled (dnssec-enable yes;).
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get <quote>Error 1067</quote> when starting named under Windows.
- </para>
- </question>
- <answer>
- <para>
- This is the service manager saying that named exited. You
- need to examine the Application log in the EventViewer to
- find out why.
- </para>
- <para>
- Common causes are that you failed to create "named.conf"
- (usually "C:\windows\dns\etc\named.conf") or failed to
- specify the directory in named.conf.
- </para>
- <informalexample>
- <programlisting>
-options {
- Directory "C:\windows\dns\etc";
-};</programlisting>
- </informalexample>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- I get <quote>transfer of 'example.net/IN' from 192.168.4.12#53:
- failed while receiving responses: permission denied</quote> error
- messages.
- </para>
- </question>
- <answer>
- <para>
- These indicate a filesystem permission error preventing
- named creating / renaming the temporary file. These will
- usually also have other associated error messages like
- </para>
- <informalexample>
- <programlisting>
-"dumping master file: sl/tmp-XXXX5il3sQ: open: permission denied"</programlisting>
- </informalexample>
- <para>
- Named needs write permission on the directory containing
- the file. Named writes the new cache file to a temporary
- file then renames it to the name specified in named.conf
- to ensure that the contents are always complete. This is
- to prevent named loading a partial zone in the event of
- power failure or similar interrupting the write of the
- master file.
- </para>
- <para>
- Note file names are relative to the directory specified in
- options and any chroot directory ([&lt;chroot
- dir&gt;/][&lt;options dir&gt;]).
- </para>
- <informalexample>
- <para>
- If named is invoked as "named -t /chroot/DNS" with
- the following named.conf then "/chroot/DNS/var/named/sl"
- needs to be writable by the user named is running as.
- </para>
- <programlisting>
-options {
- directory "/var/named";
-};
-
-zone "example.net" {
- type slave;
- file "sl/example.net";
- masters { 192.168.4.12; };
-};</programlisting>
- </informalexample>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How do I intergrate BIND 9 and Solaris SMF
- </para>
- </question>
- <answer>
- <para>
- Sun has a blog entry describing how to do this.
- </para>
- <para>
- <ulink
- url="http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris">
- http://blogs.sun.com/roller/page/anay/Weblog?catname=%2FSolaris
- </ulink>
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- Can a NS record refer to a CNAME.
- </para>
- </question>
- <answer>
- <para>
- No. The rules for glue (copies of the *address* records
- in the parent zones) and additional section processing do
- not allow it to work.
- </para>
- <para>
- You would have to add both the CNAME and address records
- (A/AAAA) as glue to the parent zone and have CNAMEs be
- followed when doing additional section processing to make
- it work. No namesever implementation supports either of
- these requirements.
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- What does <quote>RFC 1918 response from Internet for
- 0.0.0.10.IN-ADDR.ARPA</quote> mean?
- </para>
- </question>
- <answer>
- <para>
- If the IN-ADDR.ARPA name covered refers to a internal address
- space you are using then you have failed to follow RFC 1918
- usage rules and are leaking queries to the Internet. You
- should establish your own zones for these addresses to prevent
- you quering the Internet's name servers for these addresses.
- Please see <ulink url="http://as112.net/">http://as112.net/</ulink>
- for details of the problems you are causing and the counter
- measures that have had to be deployed.
- </para>
- <para>
- If you are not using these private addresses then a client
- has queried for them. You can just ignore the messages,
- get the offending client to stop sending you these messages
- as they are most probably leaking them or setup your own zones
- empty zones to serve answers to these queries.
- </para>
- <informalexample>
- <programlisting>
-zone "10.IN-ADDR.ARPA" {
- type master;
- file "empty";
-};
-
-zone "16.172.IN-ADDR.ARPA" {
- type master;
- file "empty";
-};
-
-...
-
-zone "31.172.IN-ADDR.ARPA" {
- type master;
- file "empty";
-};
-
-zone "168.192.IN-ADDR.ARPA" {
- type master;
- file "empty";
-};
-
-empty:
-@ 10800 IN SOA &lt;name-of-server&gt;. &lt;contact-email&gt;. (
- 1 3600 1200 604800 10800 )
-@ 10800 IN NS &lt;name-of-server&gt;.</programlisting>
- </informalexample>
- <note>
- Future versions of named are likely to do this automatically.
- </note>
- </answer>
- </qandaentry>
-
- </qandaset>
-</article>
diff --git a/contrib/bind9/FREEBSD-Upgrade b/contrib/bind9/FREEBSD-Upgrade
deleted file mode 100644
index f5901817d461..000000000000
--- a/contrib/bind9/FREEBSD-Upgrade
+++ /dev/null
@@ -1,17 +0,0 @@
-# $FreeBSD$
-#
-# Bug trhodes@ and des@ to actually throw some text in here.
-#
-
-while read pattern ; do rm -rf $pattern ; done <FREEBSD-Xlist
-
-sed -i.orig -e '/\/tests/d; /docutil/d;' configure.in Makefile.in */Makefile.in
-
-autoconf253
-
-autoheader253
-
-./configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man \
- --enable-threads --enable-libbind --disable-ipv6 \
- --enable-getifaddrs --disable-linux-caps \
- --with-openssl=/usr --with-randomdev=/dev/random
diff --git a/contrib/bind9/FREEBSD-Xlist b/contrib/bind9/FREEBSD-Xlist
deleted file mode 100644
index 652d2c0d2f98..000000000000
--- a/contrib/bind9/FREEBSD-Xlist
+++ /dev/null
@@ -1,61 +0,0 @@
-# $FreeBSD$
-
-# Misc. stuff
-.cvsignore
-aclocal.m4
-bin/tests
-config.h.in
-configure
-contrib
-docutil
-
-# Windows directories
-bin/check/win32
-bin/dig/win32
-bin/dnssec/win32
-bin/named/win32
-bin/nsupdate/win32
-bin/rndc/win32
-bin/win32
-config.h.win32
-lib/bind9/win32
-lib/dns/gen-win32.h
-lib/dns/win32
-lib/isc/win32
-lib/isccc/win32
-lib/isccfg/win32
-lib/lwres/win32
-lib/win32
-win32utils
-
-# Various ports to other OSs
-lib/bind/port/aix32
-lib/bind/port/aix4
-lib/bind/port/aux3
-lib/bind/port/bsdos
-lib/bind/port/bsdos2
-lib/bind/port/cygwin
-lib/bind/port/darwin
-lib/bind/port/decunix
-lib/bind/port/hpux
-lib/bind/port/hpux10
-lib/bind/port/hpux9
-lib/bind/port/irix
-lib/bind/port/linux
-lib/bind/port/lynxos
-lib/bind/port/mpe
-lib/bind/port/netbsd
-lib/bind/port/next
-lib/bind/port/openbsd
-lib/bind/port/prand_conf
-lib/bind/port/qnx
-lib/bind/port/rhapsody
-lib/bind/port/sco42
-lib/bind/port/sco50
-lib/bind/port/solaris
-lib/bind/port/sunos
-lib/bind/port/ultrix
-lib/bind/port/unixware20
-lib/bind/port/unixware212
-lib/bind/port/unixware7
-lib/bind/port/unknown
diff --git a/contrib/bind9/Makefile.in b/contrib/bind9/Makefile.in
deleted file mode 100644
index a2a06531b878..000000000000
--- a/contrib/bind9/Makefile.in
+++ /dev/null
@@ -1,59 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.41.2.2.2.2 2004/03/08 04:04:12 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-SUBDIRS = make lib bin doc @LIBBIND@
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-distclean::
- @if [ "X@LIBBIND@" = "X" ] ; then \
- i=lib/bind; \
- echo "making $@ in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
- fi
-
-distclean::
- rm -f config.cache config.h config.log config.status TAGS
- rm -f libtool isc-config.sh configure.lineno
- rm -f util/conf.sh docutil/docbook2man-wrapper.sh
-
-# XXX we should clean libtool stuff too. Only do this after we add rules
-# to make it.
-maintainer-clean::
- rm -f configure
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
-
-install:: isc-config.sh installdirs
- ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
-
-tags:
- rm -f TAGS
- find lib bin -name "*.[ch]" -print | @ETAGS@ -
-
-check: test
-
-test:
- (cd bin/tests && ${MAKE} ${MAKEDEFS} test)
diff --git a/contrib/bind9/README b/contrib/bind9/README
deleted file mode 100644
index 574b07d73247..000000000000
--- a/contrib/bind9/README
+++ /dev/null
@@ -1,374 +0,0 @@
-BIND 9
-
- BIND version 9 is a major rewrite of nearly all aspects of the
- underlying BIND architecture. Some of the important features of
- BIND 9 are:
-
- - DNS Security
- DNSSEC (signed zones)
- TSIG (signed DNS requests)
-
- - IP version 6
- Answers DNS queries on IPv6 sockets
- IPv6 resource records (AAAA)
- Experimental IPv6 Resolver Library
-
- - DNS Protocol Enhancements
- IXFR, DDNS, Notify, EDNS0
- Improved standards conformance
-
- - Views
- One server process can provide multiple "views" of
- the DNS namespace, e.g. an "inside" view to certain
- clients, and an "outside" view to others.
-
- - Multiprocessor Support
-
- - Improved Portability Architecture
-
-
- BIND version 9 development has been underwritten by the following
- organizations:
-
- Sun Microsystems, Inc.
- Hewlett Packard
- Compaq Computer Corporation
- IBM
- Process Software Corporation
- Silicon Graphics, Inc.
- Network Associates, Inc.
- U.S. Defense Information Systems Agency
- USENIX Association
- Stichting NLnet - NLnet Foundation
- Nominum, Inc.
-
-
-BIND 9.3.2
-
- BIND 9.3.2 is a maintenance release, containing fixes for
- a number of bugs in 9.3.1.
-
- libbind: corresponds to that from BIND 8.4.7-REL.
-
- Known Issues:
-
- The following INSIST can be triggered with DNSSEC enabled.
-
-resolver.c:762: INSIST(result != 0 || dns_rdataset_isassociated(event->rdataset) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_any) || fctx->type == ((dns_rdatatype_t)dns_rdatatype_rrsig)) failed
-
- We are still trying to isolate the cause. If you have core
- dump please send a bug report to bind9-bugs@isc.org with
- the location of the core, named executable and OS details.
-
- Note: contrib/nanny contains a perl script to restart named
- in the event of a INSIST/REQUIRE/ENSURE failure.
-
-BIND 9.3.1
-
- BIND 9.3.1 is a maintenance release, containing fixes for
- a number of bugs in 9.3.0.
-
- libbind: corresponds to that from BIND 8.4.6-REL.
-
-BIND 9.3.0
-
- BIND 9.3.0 has a number of new features over 9.2,
- including:
-
- DNSSEC is now DS based (RFC 3658).
- See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
-
- DNSSEC lookaside validation.
-
- check-names is now implemented.
- rrset-order in more complete.
-
- IPv4/IPv6 transition support, dual-stack-servers.
-
- IXFR deltas can now be generated when loading master files,
- ixfr-from-differences.
-
- It is now possible to specify the size of a journal, max-journal-size.
-
- It is now possible to define a named set of master servers to be
- used in masters clause, masters.
-
- The advertised EDNS UDP size can now be set, edns-udp-size.
-
- allow-v6-synthesis has been obsoleted.
-
- NOTE:
- * Zones containing MD and MF will now be rejected.
- * dig, nslookup name. now report "Not Implemented" as
- NOTIMP rather than NOTIMPL. This will have impact on scripts
- that are looking for NOTIMPL.
-
- libbind: corresponds to that from BIND 8.4.5.
-
-BIND 9.2.0
-
- BIND 9.2.0 has a number of new features over 9.1,
- including:
-
- - The size of the cache can now be limited using the
- "max-cache-size" option.
-
- - The server can now automatically convert RFC1886-style
- recursive lookup requests into RFC2874-style lookups,
- when enabled using the new option "allow-v6-synthesis".
- This allows stub resolvers that support AAAA records
- but not A6 record chains or binary labels to perform
- lookups in domains that make use of these IPv6 DNS
- features.
-
- - Performance has been improved.
-
- - The man pages now use the more portable "man" macros
- rather than the "mandoc" macros, and are installed
- by "make install".
-
- - The named.conf parser has been completely rewritten.
- It now supports "include" directives in more
- places such as inside "view" statements, and it no
- longer has any reserved words.
-
- - The "rndc status" command is now implemented.
-
- - rndc can now be configured automatically.
-
- - A BIND 8 compatible stub resolver library is now
- included in lib/bind.
-
- - OpenSSL has been removed from the distribution. This
- means that to use DNSSEC, OpenSSL must be installed and
- the --with-openssl option must be supplied to configure.
- This does not apply to the use of TSIG, which does not
- require OpenSSL.
-
- - The source distribution now builds on Windows NT/2000.
- See win32utils/readme1.txt and win32utils/win32-build.txt
- for details.
-
- This distribution also includes a new lightweight stub
- resolver library and associated resolver daemon that fully
- support forward and reverse lookups of both IPv4 and IPv6
- addresses. This library is considered experimental and
- is not a complete replacement for the BIND 8 resolver library.
- Applications that use the BIND 8 res_* functions to perform
- DNS lookups or dynamic updates still need to be linked against
- the BIND 8 libraries. For DNS lookups, they can also use the
- new "getrrsetbyname()" API.
-
- BIND 9.2 is capable of acting as an authoritative server
- for DNSSEC secured zones. This functionality is believed to
- be stable and complete except for lacking support for
- verifications involving wildcard records in secure zones.
-
- When acting as a caching server, BIND 9.2 can be configured
- to perform DNSSEC secure resolution on behalf of its clients.
- This part of the DNSSEC implementation is still considered
- experimental. For detailed information about the state of the
- DNSSEC implementation, see the file doc/misc/dnssec.
-
- There are a few known bugs:
-
- On some systems, IPv6 and IPv4 sockets interact in
- unexpected ways. For details, see doc/misc/ipv6.
- To reduce the impact of these problems, the server
- no longer listens for requests on IPv6 addresses
- by default. If you need to accept DNS queries over
- IPv6, you must specify "listen-on-v6 { any; };"
- in the named.conf options statement.
-
- FreeBSD prior to 4.2 (and 4.2 if running as non-root)
- and OpenBSD prior to 2.8 log messages like
- "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
- This is due to a bug in "/dev/random" and impacts the
- server's DNSSEC support.
-
- OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
- OS X 10.2 (Darwin 6.0) reports errors like
- "fcntl(3, F_SETFL, 4): Operation not supported by device".
- This is due to a bug in "/dev/random" and impacts the
- server's DNSSEC support.
-
- --with-libtool does not work on AIX.
-
- A bug in the Windows 2000 DNS server can cause zone transfers
- from a BIND 9 server to a W2K server to fail. For details,
- see the "Zone Transfers" section in doc/misc/migration.
-
- For a detailed list of user-visible changes from
- previous releases, see the CHANGES file.
-
-
-Building
-
- BIND 9 currently requires a UNIX system with an ANSI C compiler,
- basic POSIX support, and a 64 bit integer type.
-
- We've had successful builds and tests on the following systems:
-
- COMPAQ Tru64 UNIX 5.1B
- FreeBSD 4.10, 5.2.1
- HP-UX 11.11
- NetBSD 1.5
- Slackware Linux 8.1
- Solaris 8, 9, 9 (x86)
- Windows NT/2000/XP/2003
-
- Additionally, we have unverified reports of success building
- previous versions of BIND 9 from users of the following systems:
-
- AIX 5L
- SuSE Linux 7.0
- Slackware Linux 7.x, 8.0
- Red Hat Linux 7.1
- Debian GNU/Linux 2.2 and 3.0
- Mandrake 8.1
- OpenBSD 2.6, 2.8, 2.9
- UnixWare 7.1.1
- HP-UX 10.20
- BSD/OS 4.2
- Mac OS X 10.1, 10.3.8
-
- To build, just
-
- ./configure
- make
-
- Do not use a parallel "make".
-
- Several environment variables that can be set before running
- configure will affect compilation:
-
- CC
- The C compiler to use. configure tries to figure
- out the right one for supported systems.
-
- CFLAGS
- C compiler flags. Defaults to include -g and/or -O2
- as supported by the compiler.
-
- STD_CINCLUDES
- System header file directories. Can be used to specify
- where add-on thread or IPv6 support is, for example.
- Defaults to empty string.
-
- STD_CDEFINES
- Any additional preprocessor symbols you want defined.
- Defaults to empty string.
-
- Possible settings:
- Change the default syslog facility of named/lwresd.
- -DISC_FACILITY=LOG_LOCAL0
- Enable DNSSEC signature chasing support in dig.
- -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
- -DDIG_SIGCHASE_BU=1)
-
- LDFLAGS
- Linker flags. Defaults to empty string.
-
- To build shared libraries, specify "--with-libtool" on the
- configure command line.
-
- For the server to support DNSSEC, you need to build it
- with crypto support. You must have OpenSSL 0.9.5a
- or newer installed and specify "--with-openssl" on the
- configure command line. If OpenSSL is installed under
- a nonstandard prefix, you can tell configure where to
- look for it using "--with-openssl=/prefix".
-
- To build libbind (the BIND 8 resolver library), specify
- "--enable-libbind" on the configure command line.
-
- On some platforms, BIND 9 can be built with multithreading
- support, allowing it to take advantage of multiple CPUs.
- You can specify whether to build a multithreaded BIND 9
- by specifying "--enable-threads" or "--disable-threads"
- on the configure command line. The default is operating
- system dependent.
-
- If your operating system has integrated support for IPv6, it
- will be used automatically. If you have installed KAME IPv6
- separately, use "--with-kame[=PATH]" to specify its location.
-
- "make install" will install "named" and the various BIND 9 libraries.
- By default, installation is into /usr/local, but this can be changed
- with the "--prefix" option when running "configure".
-
- You may specify the option "--sysconfdir" to set the directory
- where configuration files like "named.conf" go by default,
- and "--localstatedir" to set the default parent directory
- of "run/named.pid". For backwards compatibility with BIND 8,
- --sysconfdir defaults to "/etc" and --localstatedir defaults to
- "/var" if no --prefix option is given. If there is a --prefix
- option, sysconfdir defaults to "$prefix/etc" and localstatedir
- defaults to "$prefix/var".
-
- To see additional configure options, run "configure --help".
- Note that the help message does not reflect the BIND 8
- compatibility defaults for sysconfdir and localstatedir.
-
- If you're planning on making changes to the BIND 9 source, you
- should also "make depend". If you're using Emacs, you might find
- "make tags" helpful.
-
- If you need to re-run configure please run "make distclean" first.
- This will ensure that all the option changes take.
-
- Building with gcc is not supported, unless gcc is the vendor's usual
- compiler (e.g. the various BSD systems, Linux).
-
- Known compiler issues:
- * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
- * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
- * gcc-3.3.5 powerpc generates incorrect code at -02.
- * Irix, MipsPRO 7.4.1m is known to cause problems.
-
- A limited test suite can be run with "make test". Many of
- the tests require you to configure a set of virtual IP addresses
- on your system, and some require Perl; see bin/tests/system/README
- for details.
-
-
-Documentation
-
- The BIND 9 Administrator Reference Manual is included with the
- source distribution in DocBook XML and HTML format, in the
- doc/arm directory.
-
- Some of the programs in the BIND 9 distribution have man pages
- in their directories. In particular, the command line
- options of "named" are documented in /bin/named/named.8.
- There is now also a set of man pages for the lwres library.
-
- If you are upgrading from BIND 8, please read the migration
- notes in doc/misc/migration. If you are upgrading from
- BIND 4, read doc/misc/migration-4to9.
-
- Frequently asked questions and their answers can be found in
- FAQ.
-
-
-Bug Reports and Mailing Lists
-
- Bugs reports should be sent to
-
- bind9-bugs@isc.org
-
- To join the BIND Users mailing list, send mail to
-
- bind-users-request@isc.org
-
- archives of which can be found via
-
- http://www.isc.org/ops/lists/
-
- If you're planning on making changes to the BIND 9 source
- code, you might want to join the BIND Workers mailing list.
- Send mail to
-
- bind-workers-request@isc.org
-
-
diff --git a/contrib/bind9/acconfig.h b/contrib/bind9/acconfig.h
deleted file mode 100644
index 574ea358e02c..000000000000
--- a/contrib/bind9/acconfig.h
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acconfig.h,v 1.35.2.4.2.10 2004/12/04 06:50:02 marka Exp $ */
-
-/***
- *** This file is not to be included by any public header files, because
- *** it does not get installed.
- ***/
-@TOP@
-
-/* define to `int' if <sys/types.h> doesn't define. */
-#undef ssize_t
-
-/* define on DEC OSF to enable 4.4BSD style sa_len support */
-#undef _SOCKADDR_LEN
-
-/* define if your system needs pthread_init() before using pthreads */
-#undef NEED_PTHREAD_INIT
-
-/* define if your system has sigwait() */
-#undef HAVE_SIGWAIT
-
-/* define if sigwait() is the UnixWare flavor */
-#undef HAVE_UNIXWARE_SIGWAIT
-
-/* define on Solaris to get sigwait() to work using pthreads semantics */
-#undef _POSIX_PTHREAD_SEMANTICS
-
-/* define if LinuxThreads is in use */
-#undef HAVE_LINUXTHREADS
-
-/* define if sysconf() is available */
-#undef HAVE_SYSCONF
-
-/* define if sysctlbyname() is available */
-#undef HAVE_SYSCTLBYNAME
-
-/* define if catgets() is available */
-#undef HAVE_CATGETS
-
-/* define if getifaddrs() exists */
-#undef HAVE_GETIFADDRS
-
-/* define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
-#undef HAVE_IFLIST_SYSCTL
-
-/* define if chroot() is available */
-#undef HAVE_CHROOT
-
-/* define if tzset() is available */
-#undef HAVE_TZSET
-
-/* define if struct addrinfo exists */
-#undef HAVE_ADDRINFO
-
-/* define if getaddrinfo() exists */
-#undef HAVE_GETADDRINFO
-
-/* define if gai_strerror() exists */
-#undef HAVE_GAISTRERROR
-
-/* define if arc4random() exists */
-#undef HAVE_ARC4RANDOM
-
-/* define if pthread_setconcurrency() should be called to tell the
- * OS how many threads we might want to run.
- */
-#undef CALL_PTHREAD_SETCONCURRENCY
-
-/* define if IPv6 is not disabled */
-#undef WANT_IPV6
-
-/* define if flockfile() is available */
-#undef HAVE_FLOCKFILE
-
-/* define if getc_unlocked() is available */
-#undef HAVE_GETCUNLOCKED
-
-/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
-#undef SHUTUP_SPUTAUX
-#ifdef SHUTUP_SPUTAUX
-struct __sFILE;
-extern __inline int __sputaux(int _c, struct __sFILE *_p);
-#endif
-
-/* Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
-#undef SHUTUP_SIGWAIT
-#ifdef SHUTUP_SIGWAIT
-int sigwait(const unsigned int *set, int *sig);
-#endif
-
-/* Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
-#undef SHUTUP_STDARG_CAST
-#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
-#include <stdarg.h> /* Grr. Must be included *every time*. */
-/*
- * The silly continuation line is to keep configure from
- * commenting out the #undef.
- */
-#undef \
- va_start
-#define va_start(ap, last) \
- do { \
- union { const void *konst; long *var; } _u; \
- _u.konst = &(last); \
- ap = (va_list)(_u.var + __va_words(__typeof(last))); \
- } while (0)
-#endif /* SHUTUP_STDARG_CAST && __GNUC__ */
-
-/* define if the system has a random number generating device */
-#undef PATH_RANDOMDEV
-
-/* define if pthread_attr_getstacksize() is available */
-#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
-
-/* define if pthread_attr_setstacksize() is available */
-#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
-
-/* define if you have strerror in the C library. */
-#undef HAVE_STRERROR
-
-/* Define if you are running under Compaq TruCluster. */
-#undef HAVE_TRUCLUSTER
-
-/* Define if OpenSSL includes DSA support */
-#undef HAVE_OPENSSL_DSA
-
-/* Define to the length type used by the socket API (socklen_t, size_t, int). */
-#undef ISC_SOCKADDR_LEN_T
-
-/* Define if threads need PTHREAD_SCOPE_SYSTEM */
-#undef NEED_PTHREAD_SCOPE_SYSTEM
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in
deleted file mode 100644
index d8261d7b4c2a..000000000000
--- a/contrib/bind9/bin/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = named rndc dig dnssec tests nsupdate check
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in
deleted file mode 100644
index 5fdf4637afe6..000000000000
--- a/contrib/bind9/bin/check/Makefile.in
+++ /dev/null
@@ -1,95 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.15.2.3.8.6 2004/07/20 07:01:48 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
- ${ISC_INCLUDES}
-
-CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
-CWARNINGS =
-
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-BIND9LIBS = ../../lib/bind9/libbind9.@A@
-
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-
-LIBS = @LIBS@
-
-SUBDIRS =
-
-# Alphabetically
-TARGETS = named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
-
-# Alphabetically
-SRCS = named-checkconf.c named-checkzone.c check-tool.c
-
-MANPAGES = named-checkconf.8 named-checkzone.8
-
-HTMLPAGES = named-checkconf.html named-checkzone.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-named-checkconf.@O@: named-checkconf.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -c ${srcdir}/named-checkconf.c
-
-named-checkzone.@O@: named-checkzone.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -c ${srcdir}/named-checkzone.c
-
-named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
- ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
- ${DNSLIBS} ${ISCLIBS} ${LIBS}
-
-named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
-
-clean distclean::
- rm -f ${TARGETS} r1.htm
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c
deleted file mode 100644
index 1b67ca88596f..000000000000
--- a/contrib/bind9/bin/check/check-tool.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check-tool.c,v 1.4.12.7 2004/11/30 01:15:40 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include "check-tool.h"
-#include <isc/util.h>
-
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/region.h>
-#include <isc/stdio.h>
-#include <isc/types.h>
-
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/types.h>
-#include <dns/zone.h>
-
-#define CHECK(r) \
- do { \
- result = (r); \
- if (result != ISC_R_SUCCESS) \
- goto cleanup; \
- } while (0)
-
-static const char *dbtype[] = { "rbt" };
-
-int debug = 0;
-isc_boolean_t nomerge = ISC_TRUE;
-unsigned int zone_options = DNS_ZONEOPT_CHECKNS |
- DNS_ZONEOPT_MANYERRORS |
- DNS_ZONEOPT_CHECKNAMES;
-
-isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
- isc_logdestination_t destination;
- isc_logconfig_t *logconfig = NULL;
- isc_log_t *log = NULL;
-
- RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
- isc_log_setcontext(log);
-
- destination.file.stream = stdout;
- destination.file.name = NULL;
- destination.file.versions = ISC_LOG_ROLLNEVER;
- destination.file.maximum_size = 0;
- RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
- ISC_LOG_TOFILEDESC,
- ISC_LOG_DYNAMIC,
- &destination, 0) == ISC_R_SUCCESS);
- RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
- NULL, NULL) == ISC_R_SUCCESS);
-
- *logp = log;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
- const char *classname, dns_zone_t **zonep)
-{
- isc_result_t result;
- dns_rdataclass_t rdclass;
- isc_textregion_t region;
- isc_buffer_t buffer;
- dns_fixedname_t fixorigin;
- dns_name_t *origin;
- dns_zone_t *zone = NULL;
-
- REQUIRE(zonep == NULL || *zonep == NULL);
-
- if (debug)
- fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
- zonename, filename, classname);
-
- CHECK(dns_zone_create(&zone, mctx));
-
- dns_zone_settype(zone, dns_zone_master);
-
- isc_buffer_init(&buffer, zonename, strlen(zonename));
- isc_buffer_add(&buffer, strlen(zonename));
- dns_fixedname_init(&fixorigin);
- origin = dns_fixedname_name(&fixorigin);
- CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
- ISC_FALSE, NULL));
- CHECK(dns_zone_setorigin(zone, origin));
- CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
- CHECK(dns_zone_setfile(zone, filename));
-
- DE_CONST(classname, region.base);
- region.length = strlen(classname);
- CHECK(dns_rdataclass_fromtext(&rdclass, &region));
-
- dns_zone_setclass(zone, rdclass);
- dns_zone_setoption(zone, zone_options, ISC_TRUE);
- dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
-
- CHECK(dns_zone_load(zone));
- if (zonep != NULL){
- *zonep = zone;
- zone = NULL;
- }
-
- cleanup:
- if (zone != NULL)
- dns_zone_detach(&zone);
- return (result);
-}
-
-isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename)
-{
- isc_result_t result;
- FILE *output = stdout;
-
- if (debug) {
- if (filename != NULL)
- fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
- zonename, filename);
- else
- fprintf(stderr, "dumping \"%s\"\n", zonename);
- }
-
- if (filename != NULL) {
- result = isc_stdio_open(filename, "w+", &output);
-
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not open output "
- "file \"%s\" for writing\n", filename);
- return (ISC_R_FAILURE);
- }
- }
-
- result = dns_zone_fulldumptostream(zone, output);
-
- if (filename != NULL)
- (void)isc_stdio_close(output);
-
- return (result);
-}
diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h
deleted file mode 100644
index 105cd258ca3d..000000000000
--- a/contrib/bind9/bin/check/check-tool.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */
-
-#ifndef CHECK_TOOL_H
-#define CHECK_TOOL_H
-
-#include <isc/lang.h>
-
-#include <isc/types.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp);
-
-isc_result_t
-load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
- const char *classname, dns_zone_t **zonep);
-
-isc_result_t
-dump_zone(const char *zonename, dns_zone_t *zone, const char *filename);
-
-extern int debug;
-extern isc_boolean_t nomerge;
-extern unsigned int zone_options;
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8
deleted file mode 100644
index 68b745aed290..000000000000
--- a/contrib/bind9/bin/check/named-checkconf.8
+++ /dev/null
@@ -1,70 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: named-checkconf.8,v 1.11.12.7 2005/10/13 02:33:41 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NAMED\-CHECKCONF" "8" "June 14, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkconf \- named configuration file syntax checking tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkconf\fR [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkconf\fR
-checks the syntax, but not the semantics, of a named configuration file.
-.SH "OPTIONS"
-.TP
-\-t \fIdirectory\fR
-chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP
-\-v
-Print the version of the
-\fBnamed\-checkconf\fR
-program and exit.
-.TP
-\-z
-Perform a check load the master zonefiles found in
-\fInamed.conf\fR.
-.TP
-\-j
-When loading a zonefile read the journal if it exists.
-.TP
-filename
-The name of the configuration file to be checked. If not specified, it defaults to
-\fI/etc/named.conf\fR.
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkconf\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c
deleted file mode 100644
index e7f91386ff0e..000000000000
--- a/contrib/bind9/bin/check/named-checkconf.c
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: named-checkconf.c,v 1.12.12.9 2005/03/03 06:33:38 marka Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <bind9/check.h>
-
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/result.h>
-
-#include "check-tool.h"
-
-isc_log_t *logc = NULL;
-
-#define CHECK(r)\
- do { \
- result = (r); \
- if (result != ISC_R_SUCCESS) \
- goto cleanup; \
- } while (0)
-
-static void
-usage(void) {
- fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
- "[named.conf]\n");
- exit(1);
-}
-
-static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
- isc_result_t result;
- char *directory;
-
- REQUIRE(strcasecmp("directory", clausename) == 0);
-
- UNUSED(arg);
- UNUSED(clausename);
-
- /*
- * Change directory.
- */
- directory = cfg_obj_asstring(obj);
- result = isc_dir_chdir(directory);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logc, ISC_LOG_ERROR,
- "change directory to '%s' failed: %s\n",
- directory, isc_result_totext(result));
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
- isc_mem_t *mctx)
-{
- isc_result_t result;
- const char *zclass;
- const char *zname;
- const char *zfile;
- cfg_obj_t *zoptions = NULL;
- cfg_obj_t *classobj = NULL;
- cfg_obj_t *typeobj = NULL;
- cfg_obj_t *fileobj = NULL;
- cfg_obj_t *dbobj = NULL;
-
- zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
- classobj = cfg_tuple_get(zconfig, "class");
- if (!cfg_obj_isstring(classobj))
- zclass = vclass;
- else
- zclass = cfg_obj_asstring(classobj);
- zoptions = cfg_tuple_get(zconfig, "options");
- cfg_map_get(zoptions, "type", &typeobj);
- if (typeobj == NULL)
- return (ISC_R_FAILURE);
- if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
- return (ISC_R_SUCCESS);
- cfg_map_get(zoptions, "database", &dbobj);
- if (dbobj != NULL)
- return (ISC_R_SUCCESS);
- cfg_map_get(zoptions, "file", &fileobj);
- if (fileobj == NULL)
- return (ISC_R_FAILURE);
- zfile = cfg_obj_asstring(fileobj);
- result = load_zone(mctx, zname, zfile, zclass, NULL);
- if (result != ISC_R_SUCCESS)
- fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
- dns_result_totext(result));
- return(result);
-}
-
-static isc_result_t
-configure_view(const char *vclass, const char *view, cfg_obj_t *config,
- cfg_obj_t *vconfig, isc_mem_t *mctx)
-{
- cfg_listelt_t *element;
- cfg_obj_t *voptions;
- cfg_obj_t *zonelist;
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
-
- voptions = NULL;
- if (vconfig != NULL)
- voptions = cfg_tuple_get(vconfig, "options");
-
- zonelist = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "zone", &zonelist);
- else
- (void)cfg_map_get(config, "zone", &zonelist);
-
- for (element = cfg_list_first(zonelist);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *zconfig = cfg_listelt_value(element);
- tresult = configure_zone(vclass, view, zconfig, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- }
- return (result);
-}
-
-
-static isc_result_t
-load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) {
- cfg_listelt_t *element;
- cfg_obj_t *classobj;
- cfg_obj_t *views;
- cfg_obj_t *vconfig;
- const char *vclass;
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
-
- views = NULL;
-
- (void)cfg_map_get(config, "view", &views);
- for (element = cfg_list_first(views);
- element != NULL;
- element = cfg_list_next(element))
- {
- const char *vname;
-
- vclass = "IN";
- vconfig = cfg_listelt_value(element);
- if (vconfig != NULL) {
- classobj = cfg_tuple_get(vconfig, "class");
- if (cfg_obj_isstring(classobj))
- vclass = cfg_obj_asstring(classobj);
- }
- vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
- tresult = configure_view(vclass, vname, config, vconfig, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- }
-
- if (views == NULL) {
- tresult = configure_view("IN", "_default", config, NULL, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- }
- return (result);
-}
-
-int
-main(int argc, char **argv) {
- int c;
- cfg_parser_t *parser = NULL;
- cfg_obj_t *config = NULL;
- const char *conffile = NULL;
- isc_mem_t *mctx = NULL;
- isc_result_t result;
- int exit_status = 0;
- isc_entropy_t *ectx = NULL;
- isc_boolean_t load_zones = ISC_FALSE;
-
- while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
- switch (c) {
- case 'd':
- debug++;
- break;
-
- case 'j':
- nomerge = ISC_FALSE;
- break;
-
- case 't':
- result = isc_dir_chroot(isc_commandline_argument);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chroot: %s\n",
- isc_result_totext(result));
- exit(1);
- }
- result = isc_dir_chdir("/");
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s\n",
- isc_result_totext(result));
- exit(1);
- }
- break;
-
- case 'v':
- printf(VERSION "\n");
- exit(0);
-
- case 'z':
- load_zones = ISC_TRUE;
- break;
-
- default:
- usage();
- }
- }
-
- if (argv[isc_commandline_index] != NULL)
- conffile = argv[isc_commandline_index];
- if (conffile == NULL || conffile[0] == '\0')
- conffile = NAMED_CONFFILE;
-
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
- RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
-
- RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
- RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
- == ISC_R_SUCCESS);
-
- dns_result_register();
-
- RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
-
- cfg_parser_setcallback(parser, directory_callback, NULL);
-
- if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
- ISC_R_SUCCESS)
- exit(1);
-
- result = bind9_check_namedconf(config, logc, mctx);
- if (result != ISC_R_SUCCESS)
- exit_status = 1;
-
- if (result == ISC_R_SUCCESS && load_zones) {
- dns_log_init(logc);
- dns_log_setcontext(logc);
- result = load_zones_fromconfig(config, mctx);
- if (result != ISC_R_SUCCESS)
- exit_status = 1;
- }
-
- cfg_obj_destroy(parser, &config);
-
- cfg_parser_destroy(&parser);
-
- isc_log_destroy(&logc);
-
- isc_hash_destroy();
- isc_entropy_detach(&ectx);
-
- isc_mem_destroy(&mctx);
-
- return (exit_status);
-}
diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook
deleted file mode 100644
index c2529f642fe0..000000000000
--- a/contrib/bind9/bin/check/named-checkconf.docbook
+++ /dev/null
@@ -1,163 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.7 2005/05/12 21:35:56 sra Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 14, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>named-checkconf</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>named-checkconf</application></refname>
- <refpurpose>named configuration file syntax checking tool</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>named-checkconf</command>
- <arg><option>-v</option></arg>
- <arg><option>-j</option></arg>
- <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
- <arg choice="req">filename</arg>
- <arg><option>-z</option></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>named-checkconf</command> checks the syntax, but not
- the semantics, of a named configuration file.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-t <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- chroot to <filename>directory</filename> so that include
- directives in the configuration file are processed as if
- run by a similarly chrooted named.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v</term>
- <listitem>
- <para>
- Print the version of the <command>named-checkconf</command>
- program and exit.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-z</term>
- <listitem>
- <para>
- Perform a check load the master zonefiles found in
- <filename>named.conf</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-j</term>
- <listitem>
- <para>
- When loading a zonefile read the journal if it exists.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>filename</term>
- <listitem>
- <para>
- The name of the configuration file to be checked. If not
- specified, it defaults to <filename>/etc/named.conf</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </refsect1>
-
- <refsect1>
- <title>RETURN VALUES</title>
- <para>
- <command>named-checkconf</command> returns an exit status of 1 if
- errors were detected and 0 otherwise.
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>named</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
-
diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html
deleted file mode 100644
index 14b8ff89cb1f..000000000000
--- a/contrib/bind9/bin/check/named-checkconf.html
+++ /dev/null
@@ -1,92 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: named-checkconf.html,v 1.5.2.1.4.12 2005/10/13 02:33:42 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkconf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkconf</span> &#8212; named configuration file syntax checking tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525865"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">named-checkconf</strong></span> checks the syntax, but not
- the semantics, of a named configuration file.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525878"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
- chroot to <code class="filename">directory</code> so that include
- directives in the configuration file are processed as if
- run by a similarly chrooted named.
- </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
- Print the version of the <span><strong class="command">named-checkconf</strong></span>
- program and exit.
- </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd><p>
- Perform a check load the master zonefiles found in
- <code class="filename">named.conf</code>.
- </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
- When loading a zonefile read the journal if it exists.
- </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
- The name of the configuration file to be checked. If not
- specified, it defaults to <code class="filename">/etc/named.conf</code>.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525970"></a><h2>RETURN VALUES</h2>
-<p>
- <span><strong class="command">named-checkconf</strong></span> returns an exit status of 1 if
- errors were detected and 0 otherwise.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525982"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526006"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8
deleted file mode 100644
index 33402d5fe8d0..000000000000
--- a/contrib/bind9/bin/check/named-checkzone.8
+++ /dev/null
@@ -1,111 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: named-checkzone.8,v 1.11.2.1.8.8 2005/10/13 02:33:41 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NAMED\-CHECKZONE" "8" "June 13, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named\-checkzone \- zone file validity checking tool
-.SH "SYNOPSIS"
-.HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] {zonename} {filename}
-.SH "DESCRIPTION"
-.PP
-\fBnamed\-checkzone\fR
-checks the syntax and integrity of a zone file. It performs the same checks as
-\fBnamed\fR
-does when loading a zone. This makes
-\fBnamed\-checkzone\fR
-useful for checking zone files before configuring them into a name server.
-.SH "OPTIONS"
-.TP
-\-d
-Enable debugging.
-.TP
-\-q
-Quiet mode \- exit code only.
-.TP
-\-v
-Print the version of the
-\fBnamed\-checkzone\fR
-program and exit.
-.TP
-\-j
-When loading the zone file read the journal if it exists.
-.TP
-\-c \fIclass\fR
-Specify the class of the zone. If not specified "IN" is assumed.
-.TP
-\-k \fImode\fR
-Perform
-\fB"check\-name"\fR
-checks with the specified failure mode. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.TP
-\-n \fImode\fR
-Specify whether NS records should be checked to see if they are addresses. Possible modes are
-\fB"fail"\fR,
-\fB"warn"\fR
-(default) and
-\fB"ignore"\fR.
-.TP
-\-o \fIfilename\fR
-Write zone output to
-\fIfilename\fR.
-.TP
-\-t \fIdirectory\fR
-chroot to
-\fIdirectory\fR
-so that include directives in the configuration file are processed as if run by a similarly chrooted named.
-.TP
-\-w \fIdirectory\fR
-chdir to
-\fIdirectory\fR
-so that relative filenames in master file $INCLUDE directives work. This is similar to the directory clause in
-\fInamed.conf\fR.
-.TP
-\-D
-Dump zone file in canonical format.
-.TP
-zonename
-The domain name of the zone being checked.
-.TP
-filename
-The name of the zone file.
-.SH "RETURN VALUES"
-.PP
-\fBnamed\-checkzone\fR
-returns an exit status of 1 if errors were detected and 0 otherwise.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-RFC 1035,
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c
deleted file mode 100644
index 0eea166822a7..000000000000
--- a/contrib/bind9/bin/check/named-checkzone.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: named-checkzone.c,v 1.13.2.3.8.11 2004/10/25 01:36:06 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/app.h>
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/socket.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/zone.h>
-
-#include "check-tool.h"
-
-static int quiet = 0;
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-dns_zone_t *zone = NULL;
-dns_zonetype_t zonetype = dns_zone_master;
-static int dumpzone = 0;
-static const char *output_filename;
-
-#define ERRRET(result, function) \
- do { \
- if (result != ISC_R_SUCCESS) { \
- if (!quiet) \
- fprintf(stderr, "%s() returned %s\n", \
- function, dns_result_totext(result)); \
- return (result); \
- } \
- } while (0)
-
-static void
-usage(void) {
- fprintf(stderr,
- "usage: named-checkzone [-djqvD] [-c class] [-o output] "
- "[-t directory] [-w directory] [-k (ignore|warn|fail)] "
- "[-n (ignore|warn|fail)] zonename filename\n");
- exit(1);
-}
-
-static void
-destroy(void) {
- if (zone != NULL)
- dns_zone_detach(&zone);
-}
-
-int
-main(int argc, char **argv) {
- int c;
- char *origin = NULL;
- char *filename = NULL;
- isc_log_t *lctx = NULL;
- isc_result_t result;
- char classname_in[] = "IN";
- char *classname = classname_in;
- const char *workdir = NULL;
-
- while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) {
- switch (c) {
- case 'c':
- classname = isc_commandline_argument;
- break;
-
- case 'd':
- debug++;
- break;
-
- case 'j':
- nomerge = ISC_FALSE;
- break;
-
- case 'n':
- if (!strcmp(isc_commandline_argument, "ignore"))
- zone_options &= ~(DNS_ZONEOPT_CHECKNS|
- DNS_ZONEOPT_FATALNS);
- else if (!strcmp(isc_commandline_argument, "warn")) {
- zone_options |= DNS_ZONEOPT_CHECKNS;
- zone_options &= ~DNS_ZONEOPT_FATALNS;
- } else if (!strcmp(isc_commandline_argument, "fail"))
- zone_options |= DNS_ZONEOPT_CHECKNS|
- DNS_ZONEOPT_FATALNS;
- break;
-
- case 'k':
- if (!strcmp(isc_commandline_argument, "warn")) {
- zone_options |= DNS_ZONEOPT_CHECKNAMES;
- zone_options &= ~DNS_ZONEOPT_CHECKNAMESFAIL;
- } else if (!strcmp(isc_commandline_argument,
- "fail")) {
- zone_options |= DNS_ZONEOPT_CHECKNAMES |
- DNS_ZONEOPT_CHECKNAMESFAIL;
- } else if (!strcmp(isc_commandline_argument,
- "ignore")) {
- zone_options &= ~(DNS_ZONEOPT_CHECKNAMES |
- DNS_ZONEOPT_CHECKNAMESFAIL);
- }
- break;
-
- case 'q':
- quiet++;
- break;
-
- case 't':
- result = isc_dir_chroot(isc_commandline_argument);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chroot: %s: %s\n",
- isc_commandline_argument,
- isc_result_totext(result));
- exit(1);
- }
- result = isc_dir_chdir("/");
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s\n",
- isc_result_totext(result));
- exit(1);
- }
- break;
-
- case 'o':
- output_filename = isc_commandline_argument;
- break;
-
- case 'v':
- printf(VERSION "\n");
- exit(0);
-
- case 'w':
- workdir = isc_commandline_argument;
- break;
-
- case 'D':
- dumpzone++;
- break;
-
- default:
- usage();
- }
- }
-
- if (workdir != NULL) {
- result = isc_dir_chdir(workdir);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "isc_dir_chdir: %s: %s\n",
- workdir, isc_result_totext(result));
- exit(1);
- }
- }
-
- if (isc_commandline_index + 2 > argc)
- usage();
-
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
- if (!quiet) {
- RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
- dns_log_init(lctx);
- dns_log_setcontext(lctx);
- }
- RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
- RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
- == ISC_R_SUCCESS);
-
- dns_result_register();
-
- origin = argv[isc_commandline_index++];
- filename = argv[isc_commandline_index++];
- result = load_zone(mctx, origin, filename, classname, &zone);
-
- if (result == ISC_R_SUCCESS && dumpzone) {
- result = dump_zone(origin, zone, output_filename);
- }
-
- if (!quiet && result == ISC_R_SUCCESS)
- fprintf(stdout, "OK\n");
- destroy();
- if (lctx != NULL)
- isc_log_destroy(&lctx);
- isc_hash_destroy();
- isc_entropy_detach(&ectx);
- isc_mem_destroy(&mctx);
- return ((result == ISC_R_SUCCESS) ? 0 : 1);
-}
diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook
deleted file mode 100644
index ce0d78bdbdfe..000000000000
--- a/contrib/bind9/bin/check/named-checkzone.docbook
+++ /dev/null
@@ -1,254 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.11 2005/05/12 21:35:57 sra Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 13, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>named-checkzone</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>named-checkzone</application></refname>
- <refpurpose>zone file validity checking tool</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>named-checkzone</command>
- <arg><option>-d</option></arg>
- <arg><option>-j</option></arg>
- <arg><option>-q</option></arg>
- <arg><option>-v</option></arg>
- <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
- <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
- <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
- <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
- <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
- <arg><option>-D</option></arg>
- <arg choice="req">zonename</arg>
- <arg choice="req">filename</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>named-checkzone</command> checks the syntax and integrity of
- a zone file. It performs the same checks as <command>named</command>
- does when loading a zone. This makes
- <command>named-checkzone</command> useful for checking zone
- files before configuring them into a name server.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-d</term>
- <listitem>
- <para>
- Enable debugging.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-q</term>
- <listitem>
- <para>
- Quiet mode - exit code only.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v</term>
- <listitem>
- <para>
- Print the version of the <command>named-checkzone</command>
- program and exit.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-j</term>
- <listitem>
- <para>
- When loading the zone file read the journal if it exists.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-c <replaceable class="parameter">class</replaceable></term>
- <listitem>
- <para>
- Specify the class of the zone. If not specified "IN" is assumed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-k <replaceable class="parameter">mode</replaceable></term>
- <listitem>
- <para>
- Perform <command>"check-name"</command> checks with the specified failure mode.
- Possible modes are <command>"fail"</command>,
- <command>"warn"</command> (default) and
- <command>"ignore"</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-n <replaceable class="parameter">mode</replaceable></term>
- <listitem>
- <para>
- Specify whether NS records should be checked to see if they
- are addresses. Possible modes are <command>"fail"</command>,
- <command>"warn"</command> (default) and
- <command>"ignore"</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-o <replaceable class="parameter">filename</replaceable></term>
- <listitem>
- <para>
- Write zone output to <filename>filename</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-t <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- chroot to <filename>directory</filename> so that include
- directives in the configuration file are processed as if
- run by a similarly chrooted named.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-w <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- chdir to <filename>directory</filename> so that relative
- filenames in master file $INCLUDE directives work. This
- is similar to the directory clause in
- <filename>named.conf</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-D</term>
- <listitem>
- <para>
- Dump zone file in canonical format.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>zonename</term>
- <listitem>
- <para>
- The domain name of the zone being checked.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>filename</term>
- <listitem>
- <para>
- The name of the zone file.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </refsect1>
-
- <refsect1>
- <title>RETURN VALUES</title>
- <para>
- <command>named-checkzone</command> returns an exit status of 1 if
- errors were detected and 0 otherwise.
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>named</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>RFC 1035</citetitle>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
-
diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html
deleted file mode 100644
index cf544c94728a..000000000000
--- a/contrib/bind9/bin/check/named-checkzone.html
+++ /dev/null
@@ -1,135 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: named-checkzone.html,v 1.5.2.2.4.13 2005/10/13 02:33:42 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named-checkzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named-checkzone</span> &#8212; zone file validity checking tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] {zonename} {filename}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525922"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">named-checkzone</strong></span> checks the syntax and integrity of
- a zone file. It performs the same checks as <span><strong class="command">named</strong></span>
- does when loading a zone. This makes
- <span><strong class="command">named-checkzone</strong></span> useful for checking zone
- files before configuring them into a name server.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525942"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-d</span></dt>
-<dd><p>
- Enable debugging.
- </p></dd>
-<dt><span class="term">-q</span></dt>
-<dd><p>
- Quiet mode - exit code only.
- </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
- Print the version of the <span><strong class="command">named-checkzone</strong></span>
- program and exit.
- </p></dd>
-<dt><span class="term">-j</span></dt>
-<dd><p>
- When loading the zone file read the journal if it exists.
- </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
- Specify the class of the zone. If not specified "IN" is assumed.
- </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
- Perform <span><strong class="command">"check-name"</strong></span> checks with the specified failure mode.
- Possible modes are <span><strong class="command">"fail"</strong></span>,
- <span><strong class="command">"warn"</strong></span> (default) and
- <span><strong class="command">"ignore"</strong></span>.
- </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>mode</code></em></span></dt>
-<dd><p>
- Specify whether NS records should be checked to see if they
- are addresses. Possible modes are <span><strong class="command">"fail"</strong></span>,
- <span><strong class="command">"warn"</strong></span> (default) and
- <span><strong class="command">"ignore"</strong></span>.
- </p></dd>
-<dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
-<dd><p>
- Write zone output to <code class="filename">filename</code>.
- </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
- chroot to <code class="filename">directory</code> so that include
- directives in the configuration file are processed as if
- run by a similarly chrooted named.
- </p></dd>
-<dt><span class="term">-w <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
- chdir to <code class="filename">directory</code> so that relative
- filenames in master file $INCLUDE directives work. This
- is similar to the directory clause in
- <code class="filename">named.conf</code>.
- </p></dd>
-<dt><span class="term">-D</span></dt>
-<dd><p>
- Dump zone file in canonical format.
- </p></dd>
-<dt><span class="term">zonename</span></dt>
-<dd><p>
- The domain name of the zone being checked.
- </p></dd>
-<dt><span class="term">filename</span></dt>
-<dd><p>
- The name of the zone file.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526187"></a><h2>RETURN VALUES</h2>
-<p>
- <span><strong class="command">named-checkzone</strong></span> returns an exit status of 1 if
- errors were detected and 0 otherwise.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526200"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <em class="citetitle">RFC 1035</em>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526227"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in
deleted file mode 100644
index 65c14ce88222..000000000000
--- a/contrib/bind9/bin/dig/Makefile.in
+++ /dev/null
@@ -1,101 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES} ${LWRES_INCLUDES}
-
-CDEFINES = -DVERSION=\"${VERSION}\"
-CWARNINGS =
-
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS = ../../lib/bind9/libbind9.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-LWRESLIBS = ../../lib/lwres/liblwres.@A@
-
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
-
-DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
- ${LWRESDEPLIBS}
-
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
- ${ISCCFGLIBS} @LIBS@
-
-SUBDIRS =
-
-TARGETS = dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
-
-OBJS = dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
-
-UOBJS =
-
-SRCS = dig.c dighost.c host.c nslookup.c
-
-MANPAGES = dig.1 host.1 nslookup.1
-
-HTMLPAGES = dig.html host.html nslookup.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
-
-host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
-
-nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-clean distclean maintainer-clean::
- rm -f ${TARGETS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
-
-install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
- dig@EXEEXT@ ${DESTDIR}${bindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
- host@EXEEXT@ ${DESTDIR}${bindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
- nslookup@EXEEXT@ ${DESTDIR}${bindir}
- for m in ${MANPAGES}; do \
- ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
- done
diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1
deleted file mode 100644
index 7031217dd2bb..000000000000
--- a/contrib/bind9/bin/dig/dig.1
+++ /dev/null
@@ -1,423 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dig.1,v 1.14.2.4.2.10 2005/10/13 02:33:42 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "DIG" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dig \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
-.HP 4
-\fBdig\fR [\fB\-h\fR]
-.HP 4
-\fBdig\fR [global\-queryopt...] [query...]
-.SH "DESCRIPTION"
-.PP
-\fBdig\fR
-(domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use
-\fBdig\fR
-to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than
-\fBdig\fR.
-.PP
-Although
-\fBdig\fR
-is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
-\fB\-h\fR
-option is given. Unlike earlier versions, the BIND9 implementation of
-\fBdig\fR
-allows multiple lookups to be issued from the command line.
-.PP
-Unless it is told to query a specific name server,
-\fBdig\fR
-will try each of the servers listed in
-\fI/etc/resolv.conf\fR.
-.PP
-When no command line arguments or options are given, will perform an NS query for "." (the root).
-.PP
-It is possible to set per\-user defaults for
-\fBdig\fR
-via
-\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
-.SH "SIMPLE USAGE"
-.PP
-A typical invocation of
-\fBdig\fR
-looks like:
-.sp
-.nf
- dig @server name type
-.fi
-.sp
-where:
-.TP
-\fBserver\fR
-is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
-\fIserver\fR
-argument is a hostname,
-\fBdig\fR
-resolves that name before querying that name server. If no
-\fIserver\fR
-argument is provided,
-\fBdig\fR
-consults
-\fI/etc/resolv.conf\fR
-and queries the name servers listed there. The reply from the name server that responds is displayed.
-.TP
-\fBname\fR
-is the name of the resource record that is to be looked up.
-.TP
-\fBtype\fR
-indicates what type of query is required \(em ANY, A, MX, SIG, etc.
-\fItype\fR
-can be any valid query type. If no
-\fItype\fR
-argument is supplied,
-\fBdig\fR
-will perform a lookup for an A record.
-.SH "OPTIONS"
-.PP
-The
-\fB\-b\fR
-option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#<port>"
-.PP
-The default query class (IN for internet) is overridden by the
-\fB\-c\fR
-option.
-\fIclass\fR
-is any valid class, such as HS for Hesiod records or CH for CHAOSNET records.
-.PP
-The
-\fB\-f\fR
-option makes
-\fBdig \fR
-operate in batch mode by reading a list of lookup requests to process from the file
-\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to
-\fBdig\fR
-using the command\-line interface.
-.PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
-.PP
-The
-\fB\-4\fR
-option forces
-\fBdig\fR
-to only use IPv4 query transport. The
-\fB\-6\fR
-option forces
-\fBdig\fR
-to only use IPv6 query transport.
-.PP
-The
-\fB\-t\fR
-option sets the query type to
-\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the
-\fB\-x\fR
-option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
-\fItype\fR
-is set to
-ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
-\fIN\fR.
-.PP
-Reverse lookups \- mapping addresses to names \- are simplified by the
-\fB\-x\fR
-option.
-\fIaddr\fR
-is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address. When this option is used, there is no need to provide the
-\fIname\fR,
-\fIclass\fR
-and
-\fItype\fR
-arguments.
-\fBdig\fR
-automatically performs a lookup for a name like
-11.12.13.10.in\-addr.arpa
-and sets the query type and class to PTR and IN respectively. By default, IPv6 addresses are looked up using nibble format under the IP6.ARPA domain. To use the older RFC1886 method using the IP6.INT domain specify the
-\fB\-i\fR
-option. Bit string labels (RFC2874) are now experimental and are not attempted.
-.PP
-To sign the DNS queries sent by
-\fBdig\fR
-and their responses using transaction signatures (TSIG), specify a TSIG key file using the
-\fB\-k\fR
-option. You can also specify the TSIG key itself on the command line using the
-\fB\-y\fR
-option;
-\fIname\fR
-is the name of the TSIG key and
-\fIkey\fR
-is the actual key. The key is a base\-64 encoded string, typically generated by
-\fBdnssec\-keygen\fR(8). Caution should be taken when using the
-\fB\-y\fR
-option on multi\-user systems as the key can be visible in the output from
-\fBps\fR(1 )
-or in the shell's history file. When using TSIG authentication with
-\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
-\fBkey\fR
-and
-\fBserver\fR
-statements in
-\fInamed.conf\fR.
-.SH "QUERY OPTIONS"
-.PP
-\fBdig\fR
-provides a number of query options which affect the way in which lookups are made and the results displayed. Some of these set or reset flag bits in the query header, some determine which sections of the answer get printed, and others determine the timeout and retry strategies.
-.PP
-Each query option is identified by a keyword preceded by a plus sign (+). Some keywords set or reset an option. These may be preceded by the string
-no
-to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
-\fB+keyword=value\fR. The query options are:
-.TP
-\fB+[no]tcp\fR
-Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.TP
-\fB+[no]vc\fR
-Use [do not use] TCP when querying name servers. This alternate syntax to
-\fI+[no]tcp\fR
-is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.TP
-\fB+[no]ignore\fR
-Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.TP
-\fB+domain=somename\fR
-Set the search list to contain the single domain
-\fIsomename\fR, as if specified in a
-\fBdomain\fR
-directive in
-\fI/etc/resolv.conf\fR, and enable search list processing as if the
-\fI+search\fR
-option were given.
-.TP
-\fB+[no]search\fR
-Use [do not use] the search list defined by the searchlist or domain directive in
-\fIresolv.conf\fR
-(if any). The search list is not used by default.
-.TP
-\fB+[no]defname\fR
-Deprecated, treated as a synonym for
-\fI+[no]search\fR
-.TP
-\fB+[no]aaonly\fR
-Sets the "aa" flag in the query.
-.TP
-\fB+[no]aaflag\fR
-A synonym for
-\fI+[no]aaonly\fR.
-.TP
-\fB+[no]adflag\fR
-Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
-.TP
-\fB+[no]cdflag\fR
-Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.TP
-\fB+[no]cl\fR
-Display [do not display] the CLASS when printing the record.
-.TP
-\fB+[no]ttlid\fR
-Display [do not display] the TTL when printing the record.
-.TP
-\fB+[no]recurse\fR
-Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
-\fBdig\fR
-normally sends recursive queries. Recursion is automatically disabled when the
-\fI+nssearch\fR
-or
-\fI+trace\fR
-query options are used.
-.TP
-\fB+[no]nssearch\fR
-When this option is set,
-\fBdig\fR
-attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.TP
-\fB+[no]trace\fR
-Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
-\fBdig\fR
-makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.TP
-\fB+[no]cmd\fR
-toggles the printing of the initial comment in the output identifying the version of
-\fBdig\fR
-and the query options that have been applied. This comment is printed by default.
-.TP
-\fB+[no]short\fR
-Provide a terse answer. The default is to print the answer in a verbose form.
-.TP
-\fB+[no]identify\fR
-Show [or do not show] the IP address and port number that supplied the answer when the
-\fI+short\fR
-option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.TP
-\fB+[no]comments\fR
-Toggle the display of comment lines in the output. The default is to print comments.
-.TP
-\fB+[no]stats\fR
-This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
-.TP
-\fB+[no]qr\fR
-Print [do not print] the query as it is sent. By default, the query is not printed.
-.TP
-\fB+[no]question\fR
-Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.TP
-\fB+[no]answer\fR
-Display [do not display] the answer section of a reply. The default is to display it.
-.TP
-\fB+[no]authority\fR
-Display [do not display] the authority section of a reply. The default is to display it.
-.TP
-\fB+[no]additional\fR
-Display [do not display] the additional section of a reply. The default is to display it.
-.TP
-\fB+[no]all\fR
-Set or clear all display flags.
-.TP
-\fB+time=T\fR
-Sets the timeout for a query to
-\fIT\fR
-seconds. The default time out is 5 seconds. An attempt to set
-\fIT\fR
-to less than 1 will result in a query timeout of 1 second being applied.
-.TP
-\fB+tries=T\fR
-Sets the number of times to try UDP queries to server to
-\fIT\fR
-instead of the default, 3. If
-\fIT\fR
-is less than or equal to zero, the number of tries is silently rounded up to 1.
-.TP
-\fB+retry=T\fR
-Sets the number of times to retry UDP queries to server to
-\fIT\fR
-instead of the default, 2. Unlike
-\fI+tries\fR, this does not include the initial query.
-.TP
-\fB+ndots=D\fR
-Set the number of dots that have to appear in
-\fIname\fR
-to
-\fID\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
-\fI/etc/resolv.conf\fR.
-.TP
-\fB+bufsize=B\fR
-Set the UDP message buffer size advertised using EDNS0 to
-\fIB\fR
-bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
-.TP
-\fB+[no]multiline\fR
-Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
-\fBdig\fR
-output.
-.TP
-\fB+[no]fail\fR
-Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
-.TP
-\fB+[no]besteffort\fR
-Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.TP
-\fB+[no]dnssec\fR
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
-.TP
-\fB+[no]sigchase\fR
-Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP
-\fB+trusted\-key=####\fR
-Specifies a file containing trusted keys to be used with
-\fB+sigchase\fR. Each DNSKEY record must be on its own line.
-.sp
-If not specified
-\fBdig\fR
-will look for
-\fI/etc/trusted\-key.key\fR
-then
-\fItrusted\-key.key\fR
-in the current directory.
-.sp
-Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP
-\fB+[no]topdown\fR
-When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
-.SH "MULTIPLE QUERIES"
-.PP
-The BIND 9 implementation of
-\fBdig \fR
-supports specifying multiple queries on the command line (in addition to supporting the
-\fB\-f\fR
-batch file option). Each of those queries can be supplied with its own set of flags, options and query options.
-.PP
-In this case, each
-\fIquery\fR
-argument represent an individual query in the command\-line syntax described above. Each consists of any of the standard options and flags, the name to be looked up, an optional query type and class and any query options that should be applied to that query.
-.PP
-A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied on the command line. Any global query options (except the
-\fB+[no]cmd\fR
-option) can be overridden by a query\-specific set of query options. For example:
-.sp
-.nf
-dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
-.fi
-.sp
-shows how
-\fBdig\fR
-could be used from the command line to make three lookups: an ANY query for
-www.isc.org, a reverse lookup of 127.0.0.1 and a query for the NS records of
-isc.org. A global query option of
-\fI+qr\fR
-is applied, so that
-\fBdig\fR
-shows the initial query it made for each lookup. The final query has a local query option of
-\fI+noqr\fR
-which means that
-\fBdig\fR
-will not print the initial query when it looks up the NS records for
-isc.org.
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.PP
-\fI${HOME}/.digrc\fR
-.SH "SEE ALSO"
-.PP
-\fBhost\fR(1),
-\fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8),
-RFC1035.
-.SH "BUGS "
-.PP
-There are probably too many query options.
diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c
deleted file mode 100644
index 52df6608685b..000000000000
--- a/contrib/bind9/bin/dig/dig.c
+++ /dev/null
@@ -1,1670 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dig.c,v 1.157.2.13.2.29 2005/10/14 01:38:40 marka Exp $ */
-
-#include <config.h>
-#include <stdlib.h>
-#include <time.h>
-#include <ctype.h>
-
-#include <isc/app.h>
-#include <isc/netaddr.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/task.h>
-
-#include <dns/byaddr.h>
-#include <dns/fixedname.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-
-#include <bind9/getaddresses.h>
-
-#include <dig/dig.h>
-
-#define ADD_STRING(b, s) { \
- if (strlen(s) >= isc_buffer_availablelength(b)) \
- return (ISC_R_NOSPACE); \
- else \
- isc_buffer_putstr(b, s); \
-}
-
-#define DIG_MAX_ADDRESSES 20
-
-dig_lookup_t *default_lookup = NULL;
-
-static char *batchname = NULL;
-static FILE *batchfp = NULL;
-static char *argv0;
-static int addresscount = 0;
-
-static char domainopt[DNS_NAME_MAXTEXT];
-
-static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
- ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
- multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
-
-static const char *opcodetext[] = {
- "QUERY",
- "IQUERY",
- "STATUS",
- "RESERVED3",
- "NOTIFY",
- "UPDATE",
- "RESERVED6",
- "RESERVED7",
- "RESERVED8",
- "RESERVED9",
- "RESERVED10",
- "RESERVED11",
- "RESERVED12",
- "RESERVED13",
- "RESERVED14",
- "RESERVED15"
-};
-
-static const char *rcodetext[] = {
- "NOERROR",
- "FORMERR",
- "SERVFAIL",
- "NXDOMAIN",
- "NOTIMP",
- "REFUSED",
- "YXDOMAIN",
- "YXRRSET",
- "NXRRSET",
- "NOTAUTH",
- "NOTZONE",
- "RESERVED11",
- "RESERVED12",
- "RESERVED13",
- "RESERVED14",
- "RESERVED15",
- "BADVERS"
-};
-
-static void
-print_usage(FILE *fp) {
- fputs(
-"Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n"
-" {global-d-opt} host [@local-server] {local-d-opt}\n"
-" [ host [@local-server] {local-d-opt} [...]]\n", fp);
-}
-
-static void
-usage(void) {
- print_usage(stderr);
- fputs("\nUse \"dig -h\" (or \"dig -h | more\") "
- "for complete list of options\n", stderr);
- exit(1);
-}
-
-static void
-version(void) {
- fputs("DiG " VERSION "\n", stderr);
-}
-
-static void
-help(void) {
- print_usage(stdout);
- fputs(
-"Where: domain is in the Domain Name System\n"
-" q-class is one of (in,hs,ch,...) [default: in]\n"
-" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
-" (Use ixfr=version for type ixfr)\n"
-" q-opt is one of:\n"
-" -x dot-notation (shortcut for in-addr lookups)\n"
-" -i (IP6.INT reverse IPv6 lookups)\n"
-" -f filename (batch mode)\n"
-" -b address[#port] (bind to source address/port)\n"
-" -p port (specify port number)\n"
-" -t type (specify query type)\n"
-" -c class (specify query class)\n"
-" -k keyfile (specify tsig key file)\n"
-" -y name:key (specify named base64 tsig key)\n"
-" -4 (use IPv4 query transport only)\n"
-" -6 (use IPv6 query transport only)\n"
-" d-opt is of the form +keyword[=value], where keyword is:\n"
-" +[no]vc (TCP mode)\n"
-" +[no]tcp (TCP mode, alternate syntax)\n"
-" +time=### (Set query timeout) [5]\n"
-" +tries=### (Set number of UDP attempts) [3]\n"
-" +retry=### (Set number of UDP retries) [2]\n"
-" +domain=### (Set default domainname)\n"
-" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
-" +ndots=### (Set NDOTS value)\n"
-" +[no]search (Set whether to use searchlist)\n"
-" +[no]defname (Ditto)\n"
-" +[no]recurse (Recursive mode)\n"
-" +[no]ignore (Don't revert to TCP for TC responses.)"
-"\n"
-" +[no]fail (Don't try next server on SERVFAIL)\n"
-" +[no]besteffort (Try to parse even illegal messages)\n"
-" +[no]aaonly (Set AA flag in query (+[no]aaflag))\n"
-" +[no]adflag (Set AD flag in query)\n"
-" +[no]cdflag (Set CD flag in query)\n"
-" +[no]cl (Control display of class in records)\n"
-" +[no]cmd (Control display of command line)\n"
-" +[no]comments (Control display of comment lines)\n"
-" +[no]question (Control display of question)\n"
-" +[no]answer (Control display of answer)\n"
-" +[no]authority (Control display of authority)\n"
-" +[no]additional (Control display of additional)\n"
-" +[no]stats (Control display of statistics)\n"
-" +[no]short (Disable everything except short\n"
-" form of answer)\n"
-" +[no]ttlid (Control display of ttls in records)\n"
-" +[no]all (Set or clear all display flags)\n"
-" +[no]qr (Print question before sending)\n"
-" +[no]nssearch (Search all authoritative nameservers)\n"
-" +[no]identify (ID responders in short answers)\n"
-" +[no]trace (Trace delegation down from root)\n"
-" +[no]dnssec (Request DNSSEC records)\n"
-#ifdef DIG_SIGCHASE
-" +[no]sigchase (Chase DNSSEC signatures)\n"
-" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n"
-#if DIG_SIGCHASE_TD
-" +[no]topdown (Do DNSSEC validation top down mode)\n"
-#endif
-#endif
-" +[no]multiline (Print records in an expanded format)\n"
-" global d-opts and servers (before host name) affect all queries.\n"
-" local d-opts and servers (after host name) affect only that lookup.\n"
-" -h (print help and exit)\n"
-" -v (print version and exit)\n",
- stdout);
-}
-
-/*
- * Callback from dighost.c to print the received message.
- */
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
- isc_uint64_t diff;
- isc_time_t now;
- time_t tnow;
- char fromtext[ISC_SOCKADDR_FORMATSIZE];
-
- isc_sockaddr_format(from, fromtext, sizeof(fromtext));
-
- TIME_NOW(&now);
-
- if (query->lookup->stats && !short_form) {
- diff = isc_time_microdiff(&now, &query->time_sent);
- printf(";; Query time: %ld msec\n", (long int)diff/1000);
- printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
- time(&tnow);
- printf(";; WHEN: %s", ctime(&tnow));
- if (query->lookup->doing_xfr) {
- printf(";; XFR size: %u records (messages %u)\n",
- query->rr_count, query->msg_count);
- } else {
- printf(";; MSG SIZE rcvd: %d\n", bytes);
-
- }
- if (key != NULL) {
- if (!validated)
- puts(";; WARNING -- Some TSIG could not "
- "be validated");
- }
- if ((key == NULL) && (keysecret[0] != 0)) {
- puts(";; WARNING -- TSIG key was not used.");
- }
- puts("");
- } else if (query->lookup->identify && !short_form) {
- diff = isc_time_microdiff(&now, &query->time_sent);
- printf(";; Received %u bytes from %s(%s) in %d ms\n\n",
- bytes, fromtext, query->servname,
- (int)diff/1000);
- }
-}
-
-/*
- * Callback from dighost.c to print that it is trying a server.
- * Not used in dig.
- * XXX print_trying
- */
-void
-trying(char *frm, dig_lookup_t *lookup) {
- UNUSED(frm);
- UNUSED(lookup);
-}
-
-/*
- * Internal print routine used to print short form replies.
- */
-static isc_result_t
-say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
- isc_result_t result;
- isc_uint64_t diff;
- isc_time_t now;
- char store[sizeof("12345678901234567890")];
-
- if (query->lookup->trace || query->lookup->ns_search_only) {
- result = dns_rdatatype_totext(rdata->type, buf);
- if (result != ISC_R_SUCCESS)
- return (result);
- ADD_STRING(buf, " ");
- }
- result = dns_rdata_totext(rdata, NULL, buf);
- check_result(result, "dns_rdata_totext");
- if (query->lookup->identify) {
- TIME_NOW(&now);
- diff = isc_time_microdiff(&now, &query->time_sent);
- ADD_STRING(buf, " from server ");
- ADD_STRING(buf, query->servname);
- snprintf(store, 19, " in %d ms.", (int)diff/1000);
- ADD_STRING(buf, store);
- }
- ADD_STRING(buf, "\n");
- return (ISC_R_SUCCESS);
-}
-
-/*
- * short_form message print handler. Calls above say_message()
- */
-static isc_result_t
-short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
- isc_buffer_t *buf, dig_query_t *query)
-{
- dns_name_t *name;
- dns_rdataset_t *rdataset;
- isc_buffer_t target;
- isc_result_t result, loopresult;
- dns_name_t empty_name;
- char t[4096];
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- UNUSED(flags);
-
- dns_name_init(&empty_name, NULL);
- result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
- if (result == ISC_R_NOMORE)
- return (ISC_R_SUCCESS);
- else if (result != ISC_R_SUCCESS)
- return (result);
-
- for (;;) {
- name = NULL;
- dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
-
- isc_buffer_init(&target, t, sizeof(t));
-
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- loopresult = dns_rdataset_first(rdataset);
- while (loopresult == ISC_R_SUCCESS) {
- dns_rdataset_current(rdataset, &rdata);
- result = say_message(&rdata, query,
- buf);
- check_result(result, "say_message");
- loopresult = dns_rdataset_next(rdataset);
- dns_rdata_reset(&rdata);
- }
- }
- result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
- if (result == ISC_R_NOMORE)
- break;
- else if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
-#ifdef DIG_SIGCHASE
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
- isc_buffer_t *target)
-{
- isc_result_t result;
- dns_master_style_t *style = NULL;
- unsigned int styleflags = 0;
-
- if (rdataset == NULL || owner_name == NULL || target == NULL)
- return(ISC_FALSE);
-
- styleflags |= DNS_STYLEFLAG_REL_OWNER;
- if (nottl)
- styleflags |= DNS_STYLEFLAG_NO_TTL;
- if (noclass)
- styleflags |= DNS_STYLEFLAG_NO_CLASS;
- if (multiline) {
- styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
- styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
- styleflags |= DNS_STYLEFLAG_REL_DATA;
- styleflags |= DNS_STYLEFLAG_OMIT_TTL;
- styleflags |= DNS_STYLEFLAG_TTL;
- styleflags |= DNS_STYLEFLAG_MULTILINE;
- styleflags |= DNS_STYLEFLAG_COMMENT;
- }
- if (multiline || (nottl && noclass))
- result = dns_master_stylecreate(&style, styleflags,
- 24, 24, 24, 32, 80, 8, mctx);
- else if (nottl || noclass)
- result = dns_master_stylecreate(&style, styleflags,
- 24, 24, 32, 40, 80, 8, mctx);
- else
- result = dns_master_stylecreate(&style, styleflags,
- 24, 32, 40, 48, 80, 8, mctx);
- check_result(result, "dns_master_stylecreate");
-
- result = dns_master_rdatasettotext(owner_name, rdataset, style, target);
-
- if (style != NULL)
- dns_master_styledestroy(&style, mctx);
-
- return(result);
-}
-#endif
-
-/*
- * Callback from dighost.c to print the reply from a server
- */
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
- isc_result_t result;
- dns_messagetextflag_t flags;
- isc_buffer_t *buf = NULL;
- unsigned int len = OUTPUTBUF;
- dns_master_style_t *style = NULL;
- unsigned int styleflags = 0;
-
- styleflags |= DNS_STYLEFLAG_REL_OWNER;
- if (nottl)
- styleflags |= DNS_STYLEFLAG_NO_TTL;
- if (noclass)
- styleflags |= DNS_STYLEFLAG_NO_CLASS;
- if (multiline) {
- styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
- styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
- styleflags |= DNS_STYLEFLAG_REL_DATA;
- styleflags |= DNS_STYLEFLAG_OMIT_TTL;
- styleflags |= DNS_STYLEFLAG_TTL;
- styleflags |= DNS_STYLEFLAG_MULTILINE;
- styleflags |= DNS_STYLEFLAG_COMMENT;
- }
- if (multiline || (nottl && noclass))
- result = dns_master_stylecreate(&style, styleflags,
- 24, 24, 24, 32, 80, 8, mctx);
- else if (nottl || noclass)
- result = dns_master_stylecreate(&style, styleflags,
- 24, 24, 32, 40, 80, 8, mctx);
- else
- result = dns_master_stylecreate(&style, styleflags,
- 24, 32, 40, 48, 80, 8, mctx);
- check_result(result, "dns_master_stylecreate");
-
- if (query->lookup->cmdline[0] != 0) {
- if (!short_form)
- fputs(query->lookup->cmdline, stdout);
- query->lookup->cmdline[0]=0;
- }
- debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
- query->lookup->comments ? "comments" : "nocomments",
- short_form ? "short_form" : "long_form");
-
- flags = 0;
- if (!headers) {
- flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
- flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
- }
- if (!query->lookup->comments)
- flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
-
- result = ISC_R_SUCCESS;
-
- result = isc_buffer_allocate(mctx, &buf, len);
- check_result(result, "isc_buffer_allocate");
-
- if (query->lookup->comments && !short_form) {
- if (query->lookup->cmdline[0] != 0)
- printf("; %s\n", query->lookup->cmdline);
- if (msg == query->lookup->sendmsg)
- printf(";; Sending:\n");
- else
- printf(";; Got answer:\n");
-
- if (headers) {
- printf(";; ->>HEADER<<- opcode: %s, status: %s, "
- "id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
- msg->id);
- printf(";; flags:");
- if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
- printf(" qr");
- if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
- printf(" aa");
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
- printf(" tc");
- if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
- printf(" rd");
- if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
- printf(" ra");
- if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
- printf(" ad");
- if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
- printf(" cd");
-
- printf("; QUERY: %u, ANSWER: %u, "
- "AUTHORITY: %u, ADDITIONAL: %u\n",
- msg->counts[DNS_SECTION_QUESTION],
- msg->counts[DNS_SECTION_ANSWER],
- msg->counts[DNS_SECTION_AUTHORITY],
- msg->counts[DNS_SECTION_ADDITIONAL]);
- }
- }
-
-repopulate_buffer:
-
- if (query->lookup->comments && headers && !short_form) {
- result = dns_message_pseudosectiontotext(msg,
- DNS_PSEUDOSECTION_OPT,
- style, flags, buf);
- if (result == ISC_R_NOSPACE) {
-buftoosmall:
- len += OUTPUTBUF;
- isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, len);
- if (result == ISC_R_SUCCESS)
- goto repopulate_buffer;
- else
- goto cleanup;
- }
- check_result(result,
- "dns_message_pseudosectiontotext");
- }
-
- if (query->lookup->section_question && headers) {
- if (!short_form) {
- result = dns_message_sectiontotext(msg,
- DNS_SECTION_QUESTION,
- style, flags, buf);
- if (result == ISC_R_NOSPACE)
- goto buftoosmall;
- check_result(result, "dns_message_sectiontotext");
- }
- }
- if (query->lookup->section_answer) {
- if (!short_form) {
- result = dns_message_sectiontotext(msg,
- DNS_SECTION_ANSWER,
- style, flags, buf);
- if (result == ISC_R_NOSPACE)
- goto buftoosmall;
- check_result(result, "dns_message_sectiontotext");
- } else {
- result = short_answer(msg, flags, buf, query);
- if (result == ISC_R_NOSPACE)
- goto buftoosmall;
- check_result(result, "short_answer");
- }
- }
- if (query->lookup->section_authority) {
- if (!short_form) {
- result = dns_message_sectiontotext(msg,
- DNS_SECTION_AUTHORITY,
- style, flags, buf);
- if (result == ISC_R_NOSPACE)
- goto buftoosmall;
- check_result(result, "dns_message_sectiontotext");
- }
- }
- if (query->lookup->section_additional) {
- if (!short_form) {
- result = dns_message_sectiontotext(msg,
- DNS_SECTION_ADDITIONAL,
- style, flags, buf);
- if (result == ISC_R_NOSPACE)
- goto buftoosmall;
- check_result(result, "dns_message_sectiontotext");
- /*
- * Only print the signature on the first record.
- */
- if (headers) {
- result = dns_message_pseudosectiontotext(
- msg,
- DNS_PSEUDOSECTION_TSIG,
- style, flags, buf);
- if (result == ISC_R_NOSPACE)
- goto buftoosmall;
- check_result(result,
- "dns_message_pseudosectiontotext");
- result = dns_message_pseudosectiontotext(
- msg,
- DNS_PSEUDOSECTION_SIG0,
- style, flags, buf);
- if (result == ISC_R_NOSPACE)
- goto buftoosmall;
- check_result(result,
- "dns_message_pseudosectiontotext");
- }
- }
- }
-
- if (headers && query->lookup->comments && !short_form)
- printf("\n");
-
- printf("%.*s", (int)isc_buffer_usedlength(buf),
- (char *)isc_buffer_base(buf));
- isc_buffer_free(&buf);
-
-cleanup:
- if (style != NULL)
- dns_master_styledestroy(&style, mctx);
- return (result);
-}
-
-/*
- * print the greeting message when the program first starts up.
- */
-static void
-printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
- int i;
- int remaining;
- static isc_boolean_t first = ISC_TRUE;
- char append[MXNAME];
-
- if (printcmd) {
- lookup->cmdline[sizeof(lookup->cmdline) - 1] = 0;
- snprintf(lookup->cmdline, sizeof(lookup->cmdline),
- "%s; <<>> DiG " VERSION " <<>>",
- first?"\n":"");
- i = 1;
- while (i < argc) {
- snprintf(append, sizeof(append), " %s", argv[i++]);
- remaining = sizeof(lookup->cmdline) -
- strlen(lookup->cmdline) - 1;
- strncat(lookup->cmdline, append, remaining);
- }
- remaining = sizeof(lookup->cmdline) -
- strlen(lookup->cmdline) - 1;
- strncat(lookup->cmdline, "\n", remaining);
- if (first && addresscount != 0) {
- snprintf(append, sizeof(append),
- "; (%d server%s found)\n",
- addresscount,
- addresscount > 1 ? "s" : "");
- remaining = sizeof(lookup->cmdline) -
- strlen(lookup->cmdline) - 1;
- strncat(lookup->cmdline, append, remaining);
- }
- if (first) {
- snprintf(append, sizeof(append),
- ";; global options: %s %s\n",
- short_form ? "short_form" : "",
- printcmd ? "printcmd" : "");
- first = ISC_FALSE;
- remaining = sizeof(lookup->cmdline) -
- strlen(lookup->cmdline) - 1;
- strncat(lookup->cmdline, append, remaining);
- }
- }
-}
-
-/*
- * Reorder an argument list so that server names all come at the end.
- * This is a bit of a hack, to allow batch-mode processing to properly
- * handle the server options.
- */
-static void
-reorder_args(int argc, char *argv[]) {
- int i, j;
- char *ptr;
- int end;
-
- debug("reorder_args()");
- end = argc - 1;
- while (argv[end][0] == '@') {
- end--;
- if (end == 0)
- return;
- }
- debug("arg[end]=%s", argv[end]);
- for (i = 1; i < end - 1; i++) {
- if (argv[i][0] == '@') {
- debug("arg[%d]=%s", i, argv[i]);
- ptr = argv[i];
- for (j = i + 1; j < end; j++) {
- debug("Moving %s to %d", argv[j], j - 1);
- argv[j - 1] = argv[j];
- }
- debug("moving %s to end, %d", ptr, end - 1);
- argv[end - 1] = ptr;
- end--;
- if (end < 1)
- return;
- }
- }
-}
-
-static isc_uint32_t
-parse_uint(char *arg, const char *desc, isc_uint32_t max) {
- isc_result_t result;
- isc_uint32_t tmp;
-
- result = isc_parse_uint32(&tmp, arg, 10);
- if (result == ISC_R_SUCCESS && tmp > max)
- result = ISC_R_RANGE;
- if (result != ISC_R_SUCCESS)
- fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
- return (tmp);
-}
-
-/*
- * We're not using isc_commandline_parse() here since the command line
- * syntax of dig is quite a bit different from that which can be described
- * by that routine.
- * XXX doc options
- */
-
-static void
-plus_option(char *option, isc_boolean_t is_batchfile,
- dig_lookup_t *lookup)
-{
- char option_store[256];
- char *cmd, *value, *ptr;
- isc_boolean_t state = ISC_TRUE;
-#ifdef DIG_SIGCHASE
- size_t n;
-#endif
-
- strncpy(option_store, option, sizeof(option_store));
- option_store[sizeof(option_store)-1]=0;
- ptr = option_store;
- cmd = next_token(&ptr,"=");
- if (cmd == NULL) {
- printf(";; Invalid option %s\n", option_store);
- return;
- }
- value = ptr;
- if (strncasecmp(cmd, "no", 2)==0) {
- cmd += 2;
- state = ISC_FALSE;
- }
-
-#define FULLCHECK(A) \
- do { \
- size_t _l = strlen(cmd); \
- if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
- goto invalid_option; \
- } while (0)
-#define FULLCHECK2(A, B) \
- do { \
- size_t _l = strlen(cmd); \
- if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \
- (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0)) \
- goto invalid_option; \
- } while (0)
-
- switch (cmd[0]) {
- case 'a':
- switch (cmd[1]) {
- case 'a': /* aaonly / aaflag */
- FULLCHECK2("aaonly", "aaflag");
- lookup->aaonly = state;
- break;
- case 'd':
- switch (cmd[2]) {
- case 'd': /* additional */
- FULLCHECK("additional");
- lookup->section_additional = state;
- break;
- case 'f': /* adflag */
- FULLCHECK("adflag");
- lookup->adflag = state;
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'l': /* all */
- FULLCHECK("all");
- lookup->section_question = state;
- lookup->section_authority = state;
- lookup->section_answer = state;
- lookup->section_additional = state;
- lookup->comments = state;
- lookup->stats = state;
- printcmd = state;
- break;
- case 'n': /* answer */
- FULLCHECK("answer");
- lookup->section_answer = state;
- break;
- case 'u': /* authority */
- FULLCHECK("authority");
- lookup->section_authority = state;
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'b':
- switch (cmd[1]) {
- case 'e':/* besteffort */
- FULLCHECK("besteffort");
- lookup->besteffort = state;
- break;
- case 'u':/* bufsize */
- FULLCHECK("bufsize");
- if (value == NULL)
- goto need_value;
- if (!state)
- goto invalid_option;
- lookup->udpsize = (isc_uint16_t) parse_uint(value,
- "buffer size", COMMSIZE);
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'c':
- switch (cmd[1]) {
- case 'd':/* cdflag */
- FULLCHECK("cdflag");
- lookup->cdflag = state;
- break;
- case 'l': /* cl */
- FULLCHECK("cl");
- noclass = ISC_TF(!state);
- break;
- case 'm': /* cmd */
- FULLCHECK("cmd");
- printcmd = state;
- break;
- case 'o': /* comments */
- FULLCHECK("comments");
- lookup->comments = state;
- if (lookup == default_lookup)
- pluscomm = state;
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'd':
- switch (cmd[1]) {
- case 'e': /* defname */
- FULLCHECK("defname");
- usesearch = state;
- break;
- case 'n': /* dnssec */
- FULLCHECK("dnssec");
- lookup->dnssec = state;
- break;
- case 'o': /* domain */
- FULLCHECK("domain");
- if (value == NULL)
- goto need_value;
- if (!state)
- goto invalid_option;
- strncpy(domainopt, value, sizeof(domainopt));
- domainopt[sizeof(domainopt)-1] = '\0';
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'f': /* fail */
- FULLCHECK("fail");
- lookup->servfail_stops = state;
- break;
- case 'i':
- switch (cmd[1]) {
- case 'd': /* identify */
- FULLCHECK("identify");
- lookup->identify = state;
- break;
- case 'g': /* ignore */
- default: /* Inherets default for compatibility */
- FULLCHECK("ignore");
- lookup->ignore = ISC_TRUE;
- }
- break;
- case 'm': /* multiline */
- FULLCHECK("multiline");
- multiline = state;
- break;
- case 'n':
- switch (cmd[1]) {
- case 'd': /* ndots */
- FULLCHECK("ndots");
- if (value == NULL)
- goto need_value;
- if (!state)
- goto invalid_option;
- ndots = parse_uint(value, "ndots", MAXNDOTS);
- break;
- case 's': /* nssearch */
- FULLCHECK("nssearch");
- lookup->ns_search_only = state;
- if (state) {
- lookup->trace_root = ISC_TRUE;
- lookup->recurse = ISC_TRUE;
- lookup->identify = ISC_TRUE;
- lookup->stats = ISC_FALSE;
- lookup->comments = ISC_FALSE;
- lookup->section_additional = ISC_FALSE;
- lookup->section_authority = ISC_FALSE;
- lookup->section_question = ISC_FALSE;
- lookup->rdtype = dns_rdatatype_ns;
- lookup->rdtypeset = ISC_TRUE;
- short_form = ISC_TRUE;
- }
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'q':
- switch (cmd[1]) {
- case 'r': /* qr */
- FULLCHECK("qr");
- qr = state;
- break;
- case 'u': /* question */
- FULLCHECK("question");
- lookup->section_question = state;
- if (lookup == default_lookup)
- plusquest = state;
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'r':
- switch (cmd[1]) {
- case 'e':
- switch (cmd[2]) {
- case 'c': /* recurse */
- FULLCHECK("recurse");
- lookup->recurse = state;
- break;
- case 't': /* retry / retries */
- FULLCHECK2("retry", "retries");
- if (value == NULL)
- goto need_value;
- if (!state)
- goto invalid_option;
- lookup->retries = parse_uint(value, "retries",
- MAXTRIES - 1);
- lookup->retries++;
- break;
- default:
- goto invalid_option;
- }
- break;
- default:
- goto invalid_option;
- }
- break;
- case 's':
- switch (cmd[1]) {
- case 'e': /* search */
- FULLCHECK("search");
- usesearch = state;
- break;
- case 'h': /* short */
- FULLCHECK("short");
- short_form = state;
- if (state) {
- printcmd = ISC_FALSE;
- lookup->section_additional = ISC_FALSE;
- lookup->section_answer = ISC_TRUE;
- lookup->section_authority = ISC_FALSE;
- lookup->section_question = ISC_FALSE;
- lookup->comments = ISC_FALSE;
- lookup->stats = ISC_FALSE;
- }
- break;
-#ifdef DIG_SIGCHASE
- case 'i': /* sigchase */
- FULLCHECK("sigchase");
- lookup->sigchase = state;
- if (lookup->sigchase)
- lookup->dnssec = ISC_TRUE;
- break;
-#endif
- case 't': /* stats */
- FULLCHECK("stats");
- lookup->stats = state;
- break;
- default:
- goto invalid_option;
- }
- break;
- case 't':
- switch (cmd[1]) {
- case 'c': /* tcp */
- FULLCHECK("tcp");
- if (!is_batchfile)
- lookup->tcp_mode = state;
- break;
- case 'i': /* timeout */
- FULLCHECK("timeout");
- if (value == NULL)
- goto need_value;
- if (!state)
- goto invalid_option;
- timeout = parse_uint(value, "timeout", MAXTIMEOUT);
- if (timeout == 0)
- timeout = 1;
- break;
-#if DIG_SIGCHASE_TD
- case 'o': /* topdown */
- FULLCHECK("topdown");
- lookup->do_topdown = state;
- break;
-#endif
- case 'r':
- switch (cmd[2]) {
- case 'a': /* trace */
- FULLCHECK("trace");
- lookup->trace = state;
- lookup->trace_root = state;
- if (state) {
- lookup->recurse = ISC_FALSE;
- lookup->identify = ISC_TRUE;
- lookup->comments = ISC_FALSE;
- lookup->stats = ISC_FALSE;
- lookup->section_additional = ISC_FALSE;
- lookup->section_authority = ISC_TRUE;
- lookup->section_question = ISC_FALSE;
- }
- break;
- case 'i': /* tries */
- FULLCHECK("tries");
- if (value == NULL)
- goto need_value;
- if (!state)
- goto invalid_option;
- lookup->retries = parse_uint(value, "tries",
- MAXTRIES);
- if (lookup->retries == 0)
- lookup->retries = 1;
- break;
-#ifdef DIG_SIGCHASE
- case 'u': /* trusted-key */
- FULLCHECK("trusted-key");
- if (value == NULL)
- goto need_value;
- if (!state)
- goto invalid_option;
- n = strlcpy(trustedkey, ptr,
- sizeof(trustedkey));
- if (n >= sizeof(trustedkey))
- fatal("trusted key too large");
- break;
-#endif
- default:
- goto invalid_option;
- }
- break;
- case 't': /* ttlid */
- FULLCHECK("ttlid");
- nottl = ISC_TF(!state);
- break;
- default:
- goto invalid_option;
- }
- break;
- case 'v':
- FULLCHECK("vc");
- if (!is_batchfile)
- lookup->tcp_mode = state;
- break;
- default:
- invalid_option:
- need_value:
- fprintf(stderr, "Invalid option: +%s\n",
- option);
- usage();
- }
- return;
-}
-
-/*
- * ISC_TRUE returned if value was used
- */
-static const char *single_dash_opts = "46dhimnv";
-static const char *dash_opts = "46bcdfhikmnptvyx";
-static isc_boolean_t
-dash_option(char *option, char *next, dig_lookup_t **lookup,
- isc_boolean_t *open_type_class)
-{
- char opt, *value, *ptr;
- isc_result_t result;
- isc_boolean_t value_from_next;
- isc_textregion_t tr;
- dns_rdatatype_t rdtype;
- dns_rdataclass_t rdclass;
- char textname[MXNAME];
- struct in_addr in4;
- struct in6_addr in6;
- in_port_t srcport;
- char *hash, *cmd;
-
- while (strpbrk(option, single_dash_opts) == &option[0]) {
- /*
- * Since the -[46dhimnv] options do not take an argument,
- * account for them (in any number and/or combination)
- * if they appear as the first character(s) of a q-opt.
- */
- opt = option[0];
- switch (opt) {
- case '4':
- if (have_ipv4) {
- isc_net_disableipv6();
- have_ipv6 = ISC_FALSE;
- } else {
- fatal("can't find IPv4 networking");
- return (ISC_FALSE);
- }
- break;
- case '6':
- if (have_ipv6) {
- isc_net_disableipv4();
- have_ipv4 = ISC_FALSE;
- } else {
- fatal("can't find IPv6 networking");
- return (ISC_FALSE);
- }
- break;
- case 'd':
- ptr = strpbrk(&option[1], dash_opts);
- if (ptr != &option[1]) {
- cmd = option;
- FULLCHECK("debug");
- debugging = ISC_TRUE;
- return (ISC_FALSE);
- } else
- debugging = ISC_TRUE;
- break;
- case 'h':
- help();
- exit(0);
- break;
- case 'i':
- ip6_int = ISC_TRUE;
- break;
- case 'm': /* memdebug */
- /* memdebug is handled in preparse_args() */
- break;
- case 'n':
- /* deprecated */
- break;
- case 'v':
- version();
- exit(0);
- break;
- }
- if (strlen(option) > 1U)
- option = &option[1];
- else
- return (ISC_FALSE);
- }
- opt = option[0];
- if (strlen(option) > 1U) {
- value_from_next = ISC_FALSE;
- value = &option[1];
- } else {
- value_from_next = ISC_TRUE;
- value = next;
- }
- if (value == NULL)
- goto invalid_option;
- switch (opt) {
- case 'b':
- hash = strchr(value, '#');
- if (hash != NULL) {
- srcport = (in_port_t)
- parse_uint(hash + 1,
- "port number", MAXPORT);
- *hash = '\0';
- } else
- srcport = 0;
- if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) {
- isc_sockaddr_fromin6(&bind_address, &in6, srcport);
- isc_net_disableipv4();
- } else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) {
- isc_sockaddr_fromin(&bind_address, &in4, srcport);
- isc_net_disableipv6();
- } else {
- if (hash != NULL)
- *hash = '#';
- fatal("invalid address %s", value);
- }
- if (hash != NULL)
- *hash = '#';
- specified_source = ISC_TRUE;
- return (value_from_next);
- case 'c':
- if ((*lookup)->rdclassset) {
- fprintf(stderr, ";; Warning, extra class option\n");
- }
- *open_type_class = ISC_FALSE;
- tr.base = value;
- tr.length = strlen(value);
- result = dns_rdataclass_fromtext(&rdclass,
- (isc_textregion_t *)&tr);
- if (result == ISC_R_SUCCESS) {
- (*lookup)->rdclass = rdclass;
- (*lookup)->rdclassset = ISC_TRUE;
- } else
- fprintf(stderr, ";; Warning, ignoring "
- "invalid class %s\n",
- value);
- return (value_from_next);
- case 'f':
- batchname = value;
- return (value_from_next);
- case 'k':
- strncpy(keyfile, value, sizeof(keyfile));
- keyfile[sizeof(keyfile)-1]=0;
- return (value_from_next);
- case 'p':
- port = (in_port_t) parse_uint(value, "port number", MAXPORT);
- return (value_from_next);
- case 't':
- *open_type_class = ISC_FALSE;
- if (strncasecmp(value, "ixfr=", 5) == 0) {
- rdtype = dns_rdatatype_ixfr;
- result = ISC_R_SUCCESS;
- } else {
- tr.base = value;
- tr.length = strlen(value);
- result = dns_rdatatype_fromtext(&rdtype,
- (isc_textregion_t *)&tr);
- if (result == ISC_R_SUCCESS &&
- rdtype == dns_rdatatype_ixfr) {
- result = DNS_R_UNKNOWN;
- }
- }
- if (result == ISC_R_SUCCESS) {
- if ((*lookup)->rdtypeset) {
- fprintf(stderr, ";; Warning, "
- "extra type option\n");
- }
- if (rdtype == dns_rdatatype_ixfr) {
- (*lookup)->rdtype = dns_rdatatype_ixfr;
- (*lookup)->rdtypeset = ISC_TRUE;
- (*lookup)->ixfr_serial =
- parse_uint(&value[5], "serial number",
- MAXSERIAL);
- (*lookup)->section_question = plusquest;
- (*lookup)->comments = pluscomm;
- } else {
- (*lookup)->rdtype = rdtype;
- (*lookup)->rdtypeset = ISC_TRUE;
- if (rdtype == dns_rdatatype_axfr) {
- (*lookup)->section_question = plusquest;
- (*lookup)->comments = pluscomm;
- }
- (*lookup)->ixfr_serial = ISC_FALSE;
- }
- } else
- fprintf(stderr, ";; Warning, ignoring "
- "invalid type %s\n",
- value);
- return (value_from_next);
- case 'y':
- ptr = next_token(&value,":");
- if (ptr == NULL) {
- usage();
- }
- strncpy(keynametext, ptr, sizeof(keynametext));
- keynametext[sizeof(keynametext)-1]=0;
- ptr = next_token(&value, "");
- if (ptr == NULL)
- usage();
- strncpy(keysecret, ptr, sizeof(keysecret));
- keysecret[sizeof(keysecret)-1]=0;
- return (value_from_next);
- case 'x':
- *lookup = clone_lookup(default_lookup, ISC_TRUE);
- if (get_reverse(textname, sizeof(textname), value,
- ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
- strncpy((*lookup)->textname, textname,
- sizeof((*lookup)->textname));
- debug("looking up %s", (*lookup)->textname);
- (*lookup)->trace_root = ISC_TF((*lookup)->trace ||
- (*lookup)->ns_search_only);
- (*lookup)->ip6_int = ip6_int;
- if (!(*lookup)->rdtypeset)
- (*lookup)->rdtype = dns_rdatatype_ptr;
- if (!(*lookup)->rdclassset)
- (*lookup)->rdclass = dns_rdataclass_in;
- (*lookup)->new_search = ISC_TRUE;
- ISC_LIST_APPEND(lookup_list, *lookup, link);
- } else {
- fprintf(stderr, "Invalid IP address %s\n", value);
- exit(1);
- }
- return (value_from_next);
- invalid_option:
- default:
- fprintf(stderr, "Invalid option: -%s\n", option);
- usage();
- }
- return (ISC_FALSE);
-}
-
-/*
- * Because we may be trying to do memory allocation recording, we're going
- * to need to parse the arguments for the -m *before* we start the main
- * argument parsing routine.
- * I'd prefer not to have to do this, but I am not quite sure how else to
- * fix the problem. Argument parsing in dig involves memory allocation
- * by its nature, so it can't be done in the main argument parser.
- */
-static void
-preparse_args(int argc, char **argv) {
- int rc;
- char **rv;
- char *option;
-
- rc = argc;
- rv = argv;
- for (rc--, rv++; rc > 0; rc--, rv++) {
- if (rv[0][0] != '-')
- continue;
- option = &rv[0][1];
- while (strpbrk(option, single_dash_opts) == &option[0]) {
- if (option[0] == 'm') {
- memdebugging = ISC_TRUE;
- isc_mem_debugging = ISC_MEM_DEBUGTRACE |
- ISC_MEM_DEBUGRECORD;
- return;
- }
- option = &option[1];
- }
- }
-}
-
-static void
-getaddresses(dig_lookup_t *lookup, const char *host) {
- isc_result_t result;
- isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
- isc_netaddr_t netaddr;
- int count, i;
- dig_server_t *srv;
- char tmp[ISC_NETADDR_FORMATSIZE];
-
- result = bind9_getaddresses(host, 0, sockaddrs,
- DIG_MAX_ADDRESSES, &count);
- if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- host, isc_result_totext(result));
-
- for (i = 0; i < count; i++) {
- isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
- isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
- srv = make_server(tmp, host);
- ISC_LIST_APPEND(lookup->my_server_list, srv, link);
- }
- addresscount = count;
-}
-
-static void
-parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
- int argc, char **argv) {
- isc_result_t result;
- isc_textregion_t tr;
- isc_boolean_t firstarg = ISC_TRUE;
- dig_lookup_t *lookup = NULL;
- dns_rdatatype_t rdtype;
- dns_rdataclass_t rdclass;
- isc_boolean_t open_type_class = ISC_TRUE;
- char batchline[MXNAME];
- int bargc;
- char *bargv[64];
- int rc;
- char **rv;
-#ifndef NOPOSIX
- char *homedir;
- char rcfile[256];
-#endif
- char *input;
-
- /*
- * The semantics for parsing the args is a bit complex; if
- * we don't have a host yet, make the arg apply globally,
- * otherwise make it apply to the latest host. This is
- * a bit different than the previous versions, but should
- * form a consistent user interface.
- *
- * First, create a "default lookup" which won't actually be used
- * anywhere, except for cloning into new lookups
- */
-
- debug("parse_args()");
- if (!is_batchfile) {
- debug("making new lookup");
- default_lookup = make_empty_lookup();
-
-#ifndef NOPOSIX
- /*
- * Treat ${HOME}/.digrc as a special batchfile
- */
- INSIST(batchfp == NULL);
- homedir = getenv("HOME");
- if (homedir != NULL) {
- unsigned int n;
- n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
- homedir);
- if (n < sizeof(rcfile))
- batchfp = fopen(rcfile, "r");
- }
- if (batchfp != NULL) {
- while (fgets(batchline, sizeof(batchline),
- batchfp) != 0) {
- debug("config line %s", batchline);
- bargc = 1;
- input = batchline;
- bargv[bargc] = next_token(&input, " \t\r\n");
- while ((bargv[bargc] != NULL) &&
- (bargc < 62)) {
- bargc++;
- bargv[bargc] =
- next_token(&input, " \t\r\n");
- }
-
- bargv[0] = argv[0];
- argv0 = argv[0];
-
- reorder_args(bargc, (char **)bargv);
- parse_args(ISC_TRUE, ISC_TRUE, bargc,
- (char **)bargv);
- }
- fclose(batchfp);
- }
-#endif
- }
-
- lookup = default_lookup;
-
- rc = argc;
- rv = argv;
- for (rc--, rv++; rc > 0; rc--, rv++) {
- debug("main parsing %s", rv[0]);
- if (strncmp(rv[0], "%", 1) == 0)
- break;
- if (strncmp(rv[0], "@", 1) == 0) {
- getaddresses(lookup, &rv[0][1]);
- } else if (rv[0][0] == '+') {
- plus_option(&rv[0][1], is_batchfile,
- lookup);
- } else if (rv[0][0] == '-') {
- if (rc <= 1) {
- if (dash_option(&rv[0][1], NULL,
- &lookup, &open_type_class)) {
- rc--;
- rv++;
- }
- } else {
- if (dash_option(&rv[0][1], rv[1],
- &lookup, &open_type_class)) {
- rc--;
- rv++;
- }
- }
- } else {
- /*
- * Anything which isn't an option
- */
- if (open_type_class) {
- if (strncmp(rv[0], "ixfr=", 5) == 0) {
- rdtype = dns_rdatatype_ixfr;
- result = ISC_R_SUCCESS;
- } else {
- tr.base = rv[0];
- tr.length = strlen(rv[0]);
- result = dns_rdatatype_fromtext(&rdtype,
- (isc_textregion_t *)&tr);
- if (result == ISC_R_SUCCESS &&
- rdtype == dns_rdatatype_ixfr) {
- result = DNS_R_UNKNOWN;
- fprintf(stderr, ";; Warning, "
- "ixfr requires a "
- "serial number\n");
- continue;
- }
- }
- if (result == ISC_R_SUCCESS) {
- if (lookup->rdtypeset) {
- fprintf(stderr, ";; Warning, "
- "extra type option\n");
- }
- if (rdtype == dns_rdatatype_ixfr) {
- lookup->rdtype =
- dns_rdatatype_ixfr;
- lookup->rdtypeset = ISC_TRUE;
- lookup->ixfr_serial =
- parse_uint(&rv[0][5],
- "serial number",
- MAXSERIAL);
- lookup->section_question =
- plusquest;
- lookup->comments = pluscomm;
- } else {
- lookup->rdtype = rdtype;
- lookup->rdtypeset = ISC_TRUE;
- if (rdtype ==
- dns_rdatatype_axfr) {
- lookup->section_question =
- plusquest;
- lookup->comments = pluscomm;
- }
- lookup->ixfr_serial = ISC_FALSE;
- }
- continue;
- }
- result = dns_rdataclass_fromtext(&rdclass,
- (isc_textregion_t *)&tr);
- if (result == ISC_R_SUCCESS) {
- if (lookup->rdclassset) {
- fprintf(stderr, ";; Warning, "
- "extra class option\n");
- }
- lookup->rdclass = rdclass;
- lookup->rdclassset = ISC_TRUE;
- continue;
- }
- }
- if (!config_only) {
- lookup = clone_lookup(default_lookup,
- ISC_TRUE);
- strncpy(lookup->textname, rv[0],
- sizeof(lookup->textname));
- lookup->textname[sizeof(lookup->textname)-1]=0;
- lookup->trace_root = ISC_TF(lookup->trace ||
- lookup->ns_search_only);
- lookup->new_search = ISC_TRUE;
- ISC_LIST_APPEND(lookup_list, lookup, link);
- debug("looking up %s", lookup->textname);
- }
- /* XXX Error message */
- }
- }
- /*
- * If we have a batchfile, seed the lookup list with the
- * first entry, then trust the callback in dighost_shutdown
- * to get the rest
- */
- if ((batchname != NULL) && !(is_batchfile)) {
- if (strcmp(batchname, "-") == 0)
- batchfp = stdin;
- else
- batchfp = fopen(batchname, "r");
- if (batchfp == NULL) {
- perror(batchname);
- if (exitcode < 8)
- exitcode = 8;
- fatal("couldn't open specified batch file");
- }
- /* XXX Remove code dup from shutdown code */
- next_line:
- if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
- bargc = 1;
- debug("batch line %s", batchline);
- if (batchline[0] == '\r' || batchline[0] == '\n'
- || batchline[0] == '#' || batchline[0] == ';')
- goto next_line;
- input = batchline;
- bargv[bargc] = next_token(&input, " \t\r\n");
- while ((bargv[bargc] != NULL) && (bargc < 14)) {
- bargc++;
- bargv[bargc] = next_token(&input, " \t\r\n");
- }
-
- bargv[0] = argv[0];
- argv0 = argv[0];
-
- reorder_args(bargc, (char **)bargv);
- parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
- }
- }
- /*
- * If no lookup specified, search for root
- */
- if ((lookup_list.head == NULL) && !config_only) {
- lookup = clone_lookup(default_lookup, ISC_TRUE);
- lookup->trace_root = ISC_TF(lookup->trace ||
- lookup->ns_search_only);
- lookup->new_search = ISC_TRUE;
- strcpy(lookup->textname, ".");
- lookup->rdtype = dns_rdatatype_ns;
- lookup->rdtypeset = ISC_TRUE;
- if (firstarg) {
- printgreeting(argc, argv, lookup);
- firstarg = ISC_FALSE;
- }
- ISC_LIST_APPEND(lookup_list, lookup, link);
- } else if (!config_only && firstarg) {
- printgreeting(argc, argv, lookup);
- firstarg = ISC_FALSE;
- }
-}
-
-/*
- * Callback from dighost.c to allow program-specific shutdown code.
- * Here, we're possibly reading from a batch file, then shutting down
- * for real if there's nothing in the batch file to read.
- */
-void
-dighost_shutdown(void) {
- char batchline[MXNAME];
- int bargc;
- char *bargv[16];
- char *input;
-
-
- if (batchname == NULL) {
- isc_app_shutdown();
- return;
- }
-
- fflush(stdout);
- if (feof(batchfp)) {
- batchname = NULL;
- isc_app_shutdown();
- if (batchfp != stdin)
- fclose(batchfp);
- return;
- }
-
- if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
- debug("batch line %s", batchline);
- bargc = 1;
- input = batchline;
- bargv[bargc] = next_token(&input, " \t\r\n");
- while ((bargv[bargc] != NULL) && (bargc < 14)) {
- bargc++;
- bargv[bargc] = next_token(&input, " \t\r\n");
- }
-
- bargv[0] = argv0;
-
- reorder_args(bargc, (char **)bargv);
- parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
- start_lookup();
- } else {
- batchname = NULL;
- if (batchfp != stdin)
- fclose(batchfp);
- isc_app_shutdown();
- return;
- }
-}
-
-int
-main(int argc, char **argv) {
- isc_result_t result;
- dig_server_t *s, *s2;
-
- ISC_LIST_INIT(lookup_list);
- ISC_LIST_INIT(server_list);
- ISC_LIST_INIT(search_list);
-
- debug("main()");
- preparse_args(argc, argv);
- progname = argv[0];
- result = isc_app_start();
- check_result(result, "isc_app_start");
- setup_libs();
- parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
- setup_system();
- if (domainopt[0] != '\0') {
- set_search_domain(domainopt);
- usesearch = ISC_TRUE;
- }
- result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
- check_result(result, "isc_app_onrun");
- isc_app_run();
- s = ISC_LIST_HEAD(default_lookup->my_server_list);
- while (s != NULL) {
- debug("freeing server %p belonging to %p",
- s, default_lookup);
- s2 = s;
- s = ISC_LIST_NEXT(s, link);
- ISC_LIST_DEQUEUE(default_lookup->my_server_list, s2, link);
- isc_mem_free(mctx, s2);
- }
- isc_mem_free(mctx, default_lookup);
- if (batchname != NULL) {
- if (batchfp != stdin)
- fclose(batchfp);
- batchname = NULL;
- }
-#ifdef DIG_SIGCHASE
- clean_trustedkey();
-#endif
- cancel_all();
- destroy_libs();
- isc_app_finish();
- return (exitcode);
-}
diff --git a/contrib/bind9/bin/dig/dig.docbook b/contrib/bind9/bin/dig/dig.docbook
deleted file mode 100644
index 87c98ae7b1f0..000000000000
--- a/contrib/bind9/bin/dig/dig.docbook
+++ /dev/null
@@ -1,641 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dig.docbook,v 1.4.2.7.4.12 2005/08/30 00:50:29 marka Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>dig</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>dig</refname>
-<refpurpose>DNS lookup utility</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
-<command>dig</command>
-<arg choice="opt">@server</arg>
-<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
-<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-<arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
-<arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
-<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
-<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
-<arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg>
-<arg><option>-4</option></arg>
-<arg><option>-6</option></arg>
-<arg choice="opt">name</arg>
-<arg choice="opt">type</arg>
-<arg choice="opt">class</arg>
-<arg choice="opt" rep="repeat">queryopt</arg>
-</cmdsynopsis>
-
-<cmdsynopsis>
-<command>dig</command>
-<arg><option>-h</option></arg>
-</cmdsynopsis>
-
-<cmdsynopsis>
-<command>dig</command>
-<arg choice="opt" rep="repeat">global-queryopt</arg>
-<arg choice="opt" rep="repeat">query</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>dig</command> (domain information groper) is a flexible tool
-for interrogating DNS name servers. It performs DNS lookups and
-displays the answers that are returned from the name server(s) that
-were queried. Most DNS administrators use <command>dig</command> to
-troubleshoot DNS problems because of its flexibility, ease of use and
-clarity of output. Other lookup tools tend to have less functionality
-than <command>dig</command>.
-</para>
-
-<para>
-Although <command>dig</command> is normally used with command-line
-arguments, it also has a batch mode of operation for reading lookup
-requests from a file. A brief summary of its command-line arguments
-and options is printed when the <option>-h</option> option is given.
-Unlike earlier versions, the BIND9 implementation of
-<command>dig</command> allows multiple lookups to be issued from the
-command line.
-</para>
-
-<para>
-Unless it is told to query a specific name server,
-<command>dig</command> will try each of the servers listed in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
-</para>
-
-<para>
-It is possible to set per-user defaults for <command>dig</command> via
-<filename>${HOME}/.digrc</filename>. This file is read and any options in it
-are applied before the command line arguments.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>SIMPLE USAGE</title>
-
-<para>
-A typical invocation of <command>dig</command> looks like:
-<programlisting> dig @server name type </programlisting> where:
-
-<variablelist>
-
-<varlistentry><term><constant>server</constant></term>
-<listitem><para>
-is the name or IP address of the name server to query. This can be an IPv4
-address in dotted-decimal notation or an IPv6
-address in colon-delimited notation. When the supplied
-<parameter>server</parameter> argument is a hostname,
-<command>dig</command> resolves that name before querying that name
-server. If no <parameter>server</parameter> argument is provided,
-<command>dig</command> consults <filename>/etc/resolv.conf</filename>
-and queries the name servers listed there. The reply from the name
-server that responds is displayed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>name</constant></term>
-<listitem><para>
-is the name of the resource record that is to be looked up.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>type</constant></term>
-<listitem><para>
-indicates what type of query is required &mdash;
-ANY, A, MX, SIG, etc.
-<parameter>type</parameter> can be any valid query type. If no
-<parameter>type</parameter> argument is supplied,
-<command>dig</command> will perform a lookup for an A record.
-</para></listitem></varlistentry>
-
-</variablelist>
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>OPTIONS</title>
-
-<para>
-The <option>-b</option> option sets the source IP address of the query
-to <parameter>address</parameter>. This must be a valid address on
-one of the host's network interfaces or "0.0.0.0" or "::". An optional port
-may be specified by appending "#&lt;port&gt;"
-</para>
-
-<para>
-The default query class (IN for internet) is overridden by the
-<option>-c</option> option. <parameter>class</parameter> is any valid
-class, such as HS for Hesiod records or CH for CHAOSNET records.
-</para>
-
-<para>
-The <option>-f</option> option makes <command>dig </command> operate
-in batch mode by reading a list of lookup requests to process from the
-file <parameter>filename</parameter>. The file contains a number of
-queries, one per line. Each entry in the file should be organised in
-the same way they would be presented as queries to
-<command>dig</command> using the command-line interface.
-</para>
-
-<para>
-If a non-standard port number is to be queried, the
-<option>-p</option> option is used. <parameter>port#</parameter> is
-the port number that <command>dig</command> will send its queries
-instead of the standard DNS port number 53. This option would be used
-to test a name server that has been configured to listen for queries
-on a non-standard port number.
-</para>
-
-<para>
-The <option>-4</option> option forces <command>dig</command> to only
-use IPv4 query transport. The <option>-6</option> option forces
-<command>dig</command> to only use IPv6 query transport.
-</para>
-
-<para>
-The <option>-t</option> option sets the query type to
-<parameter>type</parameter>. It can be any valid query type which is
-supported in BIND9. The default query type "A", unless the
-<option>-x</option> option is supplied to indicate a reverse lookup.
-A zone transfer can be requested by specifying a type of AXFR. When
-an incremental zone transfer (IXFR) is required,
-<parameter>type</parameter> is set to <literal>ixfr=N</literal>.
-The incremental zone transfer will contain the changes made to the zone
-since the serial number in the zone's SOA record was
-<parameter>N</parameter>.
-</para>
-
-<para>
-Reverse lookups - mapping addresses to names - are simplified by the
-<option>-x</option> option. <parameter>addr</parameter> is an IPv4
-address in dotted-decimal notation, or a colon-delimited IPv6 address.
-When this option is used, there is no need to provide the
-<parameter>name</parameter>, <parameter>class</parameter> and
-<parameter>type</parameter> arguments. <command>dig</command>
-automatically performs a lookup for a name like
-<literal>11.12.13.10.in-addr.arpa</literal> and sets the query type and
-class to PTR and IN respectively. By default, IPv6 addresses are
-looked up using nibble format under the IP6.ARPA domain.
-To use the older RFC1886 method using the IP6.INT domain
-specify the <option>-i</option> option. Bit string labels (RFC2874)
-are now experimental and are not attempted.
-</para>
-
-<para>
-To sign the DNS queries sent by <command>dig</command> and their
-responses using transaction signatures (TSIG), specify a TSIG key file
-using the <option>-k</option> option. You can also specify the TSIG
-key itself on the command line using the <option>-y</option> option;
-<parameter>name</parameter> is the name of the TSIG key and
-<parameter>key</parameter> is the actual key. The key is a base-64
-encoded string, typically generated by <citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-
-Caution should be taken when using the <option>-y</option> option on
-multi-user systems as the key can be visible in the output from
-<citerefentry> <refentrytitle>ps</refentrytitle><manvolnum>1
-</manvolnum> </citerefentry> or in the shell's history file. When
-using TSIG authentication with <command>dig</command>, the name
-server that is queried needs to know the key and algorithm that is
-being used. In BIND, this is done by providing appropriate
-<command>key</command> and <command>server</command> statements in
-<filename>named.conf</filename>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>QUERY OPTIONS</title>
-
-<para>
-<command>dig</command> provides a number of query options which affect
-the way in which lookups are made and the results displayed. Some of
-these set or reset flag bits in the query header, some determine which
-sections of the answer get printed, and others determine the timeout
-and retry strategies.
-</para>
-
-<para>
-Each query option is identified by a keyword preceded by a plus sign
-(<literal>+</literal>). Some keywords set or reset an option. These may be preceded
-by the string <literal>no</literal> to negate the meaning of that keyword. Other
-keywords assign values to options like the timeout interval. They
-have the form <option>+keyword=value</option>.
-The query options are:
-
-<variablelist>
-
-<varlistentry><term><option>+[no]tcp</option></term>
-<listitem><para>
-Use [do not use] TCP when querying name servers. The default
-behaviour is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]vc</option></term>
-<listitem><para>
-Use [do not use] TCP when querying name servers. This alternate
-syntax to <parameter>+[no]tcp</parameter> is provided for backwards
-compatibility. The "vc" stands for "virtual circuit".
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]ignore</option></term>
-<listitem><para>
-Ignore truncation in UDP responses instead of retrying with TCP. By
-default, TCP retries are performed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+domain=somename</option></term>
-<listitem><para>
-Set the search list to contain the single domain
-<parameter>somename</parameter>, as if specified in a
-<command>domain</command> directive in
-<filename>/etc/resolv.conf</filename>, and enable search list
-processing as if the <parameter>+search</parameter> option were given.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]search</option></term>
-<listitem><para>
-Use [do not use] the search list defined by the searchlist or domain
-directive in <filename>resolv.conf</filename> (if any).
-The search list is not used by default.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]defname</option></term>
-<listitem><para>
-Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]aaonly</option></term>
-<listitem><para>
-Sets the "aa" flag in the query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]aaflag</option></term>
-<listitem><para>
-A synonym for <parameter>+[no]aaonly</parameter>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]adflag</option></term>
-<listitem><para>
-Set [do not set] the AD (authentic data) bit in the query. The AD bit
-currently has a standard meaning only in responses, not in queries,
-but the ability to set the bit in the query is provided for
-completeness.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cdflag</option></term>
-<listitem><para>
-Set [do not set] the CD (checking disabled) bit in the query. This
-requests the server to not perform DNSSEC validation of responses.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cl</option></term>
-<listitem><para>
-Display [do not display] the CLASS when printing the record.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]ttlid</option></term>
-<listitem><para>
-Display [do not display] the TTL when printing the record.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]recurse</option></term>
-<listitem><para>
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means <command>dig</command>
-normally sends recursive queries. Recursion is automatically disabled
-when the <parameter>+nssearch</parameter> or
-<parameter>+trace</parameter> query options are used.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]nssearch</option></term>
-<listitem><para>
-When this option is set, <command>dig</command> attempts to find the
-authoritative name servers for the zone containing the name being
-looked up and display the SOA record that each name server has for the
-zone.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]trace</option></term>
-<listitem><para>
-Toggle tracing of the delegation path from the root name servers for
-the name being looked up. Tracing is disabled by default. When
-tracing is enabled, <command>dig</command> makes iterative queries to
-resolve the name being looked up. It will follow referrals from the
-root servers, showing the answer from each server that was used to
-resolve the lookup.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cmd</option></term>
-<listitem><para>
-toggles the printing of the initial comment in the output identifying
-the version of <command>dig</command> and the query options that have
-been applied. This comment is printed by default.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]short</option></term>
-<listitem><para>
-Provide a terse answer. The default is to print the answer in a
-verbose form.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]identify</option></term>
-<listitem><para>
-Show [or do not show] the IP address and port number that supplied the
-answer when the <parameter>+short</parameter> option is enabled. If
-short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]comments</option></term>
-<listitem><para>
-Toggle the display of comment lines in the output. The default is to
-print comments.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]stats</option></term>
-<listitem><para>
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on. The default behaviour is
-to print the query statistics.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]qr</option></term>
-<listitem><para>
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]question</option></term>
-<listitem><para>
-Print [do not print] the question section of a query when an answer is
-returned. The default is to print the question section as a comment.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]answer</option></term>
-<listitem><para>
-Display [do not display] the answer section of a reply. The default
-is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]authority</option></term>
-<listitem><para>
-Display [do not display] the authority section of a reply. The
-default is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]additional</option></term>
-<listitem><para>
-Display [do not display] the additional section of a reply.
-The default is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]all</option></term>
-<listitem><para>
-Set or clear all display flags.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+time=T</option></term>
-<listitem><para>
-
-Sets the timeout for a query to
-<parameter>T</parameter> seconds. The default time out is 5 seconds.
-An attempt to set <parameter>T</parameter> to less than 1 will result
-in a query timeout of 1 second being applied.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+tries=T</option></term>
-<listitem><para>
-Sets the number of times to try UDP queries to server to
-<parameter>T</parameter> instead of the default, 3. If
-<parameter>T</parameter> is less than or equal to zero, the number of
-tries is silently rounded up to 1.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+retry=T</option></term>
-<listitem><para>
-Sets the number of times to retry UDP queries to server to
-<parameter>T</parameter> instead of the default, 2. Unlike
-<parameter>+tries</parameter>, this does not include the initial
-query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+ndots=D</option></term>
-<listitem><para>
-Set the number of dots that have to appear in
-<parameter>name</parameter> to <parameter>D</parameter> for it to be
-considered absolute. The default value is that defined using the
-ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
-ndots statement is present. Names with fewer dots are interpreted as
-relative names and will be searched for in the domains listed in the
-<option>search</option> or <option>domain</option> directive in
-<filename>/etc/resolv.conf</filename>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+bufsize=B</option></term>
-<listitem><para>
-Set the UDP message buffer size advertised using EDNS0 to
-<parameter>B</parameter> bytes. The maximum and minimum sizes of this
-buffer are 65535 and 0 respectively. Values outside this range are
-rounded up or down appropriately.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><option>+[no]multiline</option></term>
-<listitem><para>
-Print records like the SOA records in a verbose multi-line
-format with human-readable comments. The default is to print
-each record on a single line, to facilitate machine parsing
-of the <command>dig</command> output.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]fail</option></term>
-<listitem><para>
-Do not try the next server if you receive a SERVFAIL. The default is
-to not try the next server which is the reverse of normal stub resolver
-behaviour.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]besteffort</option></term>
-<listitem><para>
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]dnssec</option></term>
-<listitem><para>
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]sigchase</option></term>
-<listitem><para>
-Chase DNSSEC signature chains. Requires dig be compiled with
--DDIG_SIGCHASE.
-</para></listitem></varlistentry>
-
- <varlistentry>
- <term><option>+trusted-key=####</option></term>
- <listitem>
- <para>
- Specifies a file containing trusted keys to be used with
- <option>+sigchase</option>. Each DNSKEY record must be
- on its own line.
- </para>
- <para>
- If not specified <command>dig</command> will look for
- <filename>/etc/trusted-key.key</filename> then
- <filename>trusted-key.key</filename> in the current directory.
- </para>
- <para>
- Requires dig be compiled with -DDIG_SIGCHASE.
- </para>
- </listitem>
- </varlistentry>
-
-<varlistentry><term><option>+[no]topdown</option></term>
-<listitem><para>
-When chasing DNSSEC signature chains perform a top down validation.
-Requires dig be compiled with -DDIG_SIGCHASE.
-</para></listitem></varlistentry>
-
-
-
-</variablelist>
-
-</para>
-</refsect1>
-
-<refsect1>
-<title>MULTIPLE QUERIES</title>
-
-<para>
-The BIND 9 implementation of <command>dig </command> supports
-specifying multiple queries on the command line (in addition to
-supporting the <option>-f</option> batch file option). Each of those
-queries can be supplied with its own set of flags, options and query
-options.
-</para>
-
-<para>
-In this case, each <parameter>query</parameter> argument represent an
-individual query in the command-line syntax described above. Each
-consists of any of the standard options and flags, the name to be
-looked up, an optional query type and class and any query options that
-should be applied to that query.
-</para>
-
-<para>
-A global set of query options, which should be applied to all queries,
-can also be supplied. These global query options must precede the
-first tuple of name, class, type, options, flags, and query options
-supplied on the command line. Any global query options (except
-the <option>+[no]cmd</option> option) can be
-overridden by a query-specific set of query options. For example:
-<programlisting>
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-</programlisting>
-shows how <command>dig</command> could be used from the command line
-to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
-reverse lookup of 127.0.0.1 and a query for the NS records of
-<literal>isc.org</literal>.
-
-A global query option of <parameter>+qr</parameter> is applied, so
-that <command>dig</command> shows the initial query it made for each
-lookup. The final query has a local query option of
-<parameter>+noqr</parameter> which means that <command>dig</command>
-will not print the initial query when it looks up the NS records for
-<literal>isc.org</literal>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-<para>
-<filename>${HOME}/.digrc</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citetitle>RFC1035</citetitle>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>BUGS </title>
-<para>
-There are probably too many query options.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/bin/dig/dig.html b/contrib/bind9/bin/dig/dig.html
deleted file mode 100644
index 3425fb3d21b2..000000000000
--- a/contrib/bind9/bin/dig/dig.html
+++ /dev/null
@@ -1,514 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: dig.html,v 1.6.2.4.2.13 2005/10/13 02:33:43 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>dig &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div>
-<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525976"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool
-for interrogating DNS name servers. It performs DNS lookups and
-displays the answers that are returned from the name server(s) that
-were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to
-troubleshoot DNS problems because of its flexibility, ease of use and
-clarity of output. Other lookup tools tend to have less functionality
-than <span><strong class="command">dig</strong></span>.
-</p>
-<p>
-Although <span><strong class="command">dig</strong></span> is normally used with command-line
-arguments, it also has a batch mode of operation for reading lookup
-requests from a file. A brief summary of its command-line arguments
-and options is printed when the <code class="option">-h</code> option is given.
-Unlike earlier versions, the BIND9 implementation of
-<span><strong class="command">dig</strong></span> allows multiple lookups to be issued from the
-command line.
-</p>
-<p>
-Unless it is told to query a specific name server,
-<span><strong class="command">dig</strong></span> will try each of the servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
-</p>
-<p>
-It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
-<code class="filename">${HOME}/.digrc</code>. This file is read and any options in it
-are applied before the command line arguments.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526035"></a><h2>SIMPLE USAGE</h2>
-<p>
-A typical invocation of <span><strong class="command">dig</strong></span> looks like:
-</p>
-<pre class="programlisting"> dig @server name type </pre>
-<p> where:
-
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">server</code></span></dt>
-<dd><p>
-is the name or IP address of the name server to query. This can be an IPv4
-address in dotted-decimal notation or an IPv6
-address in colon-delimited notation. When the supplied
-<em class="parameter"><code>server</code></em> argument is a hostname,
-<span><strong class="command">dig</strong></span> resolves that name before querying that name
-server. If no <em class="parameter"><code>server</code></em> argument is provided,
-<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
-and queries the name servers listed there. The reply from the name
-server that responds is displayed.
-</p></dd>
-<dt><span class="term"><code class="constant">name</code></span></dt>
-<dd><p>
-is the name of the resource record that is to be looked up.
-</p></dd>
-<dt><span class="term"><code class="constant">type</code></span></dt>
-<dd><p>
-indicates what type of query is required &#8212;
-ANY, A, MX, SIG, etc.
-<em class="parameter"><code>type</code></em> can be any valid query type. If no
-<em class="parameter"><code>type</code></em> argument is supplied,
-<span><strong class="command">dig</strong></span> will perform a lookup for an A record.
-</p></dd>
-</dl></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526114"></a><h2>OPTIONS</h2>
-<p>
-The <code class="option">-b</code> option sets the source IP address of the query
-to <em class="parameter"><code>address</code></em>. This must be a valid address on
-one of the host's network interfaces or "0.0.0.0" or "::". An optional port
-may be specified by appending "#&lt;port&gt;"
-</p>
-<p>
-The default query class (IN for internet) is overridden by the
-<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is any valid
-class, such as HS for Hesiod records or CH for CHAOSNET records.
-</p>
-<p>
-The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> operate
-in batch mode by reading a list of lookup requests to process from the
-file <em class="parameter"><code>filename</code></em>. The file contains a number of
-queries, one per line. Each entry in the file should be organised in
-the same way they would be presented as queries to
-<span><strong class="command">dig</strong></span> using the command-line interface.
-</p>
-<p>
-If a non-standard port number is to be queried, the
-<code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is
-the port number that <span><strong class="command">dig</strong></span> will send its queries
-instead of the standard DNS port number 53. This option would be used
-to test a name server that has been configured to listen for queries
-on a non-standard port number.
-</p>
-<p>
-The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span> to only
-use IPv4 query transport. The <code class="option">-6</code> option forces
-<span><strong class="command">dig</strong></span> to only use IPv6 query transport.
-</p>
-<p>
-The <code class="option">-t</code> option sets the query type to
-<em class="parameter"><code>type</code></em>. It can be any valid query type which is
-supported in BIND9. The default query type "A", unless the
-<code class="option">-x</code> option is supplied to indicate a reverse lookup.
-A zone transfer can be requested by specifying a type of AXFR. When
-an incremental zone transfer (IXFR) is required,
-<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
-The incremental zone transfer will contain the changes made to the zone
-since the serial number in the zone's SOA record was
-<em class="parameter"><code>N</code></em>.
-</p>
-<p>
-Reverse lookups - mapping addresses to names - are simplified by the
-<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is an IPv4
-address in dotted-decimal notation, or a colon-delimited IPv6 address.
-When this option is used, there is no need to provide the
-<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
-<em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span>
-automatically performs a lookup for a name like
-<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the query type and
-class to PTR and IN respectively. By default, IPv6 addresses are
-looked up using nibble format under the IP6.ARPA domain.
-To use the older RFC1886 method using the IP6.INT domain
-specify the <code class="option">-i</code> option. Bit string labels (RFC2874)
-are now experimental and are not attempted.
-</p>
-<p>
-To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and their
-responses using transaction signatures (TSIG), specify a TSIG key file
-using the <code class="option">-k</code> option. You can also specify the TSIG
-key itself on the command line using the <code class="option">-y</code> option;
-<em class="parameter"><code>name</code></em> is the name of the TSIG key and
-<em class="parameter"><code>key</code></em> is the actual key. The key is a base-64
-encoded string, typically generated by <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-
-Caution should be taken when using the <code class="option">-y</code> option on
-multi-user systems as the key can be visible in the output from
-<span class="citerefentry"><span class="refentrytitle">ps</span>(1
-)</span> or in the shell's history file. When
-using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
-server that is queried needs to know the key and algorithm that is
-being used. In BIND, this is done by providing appropriate
-<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
-<code class="filename">named.conf</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526365"></a><h2>QUERY OPTIONS</h2>
-<p>
-<span><strong class="command">dig</strong></span> provides a number of query options which affect
-the way in which lookups are made and the results displayed. Some of
-these set or reset flag bits in the query header, some determine which
-sections of the answer get printed, and others determine the timeout
-and retry strategies.
-</p>
-<p>
-Each query option is identified by a keyword preceded by a plus sign
-(<code class="literal">+</code>). Some keywords set or reset an option. These may be preceded
-by the string <code class="literal">no</code> to negate the meaning of that keyword. Other
-keywords assign values to options like the timeout interval. They
-have the form <code class="option">+keyword=value</code>.
-The query options are:
-
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
-<dd><p>
-Use [do not use] TCP when querying name servers. The default
-behaviour is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
-<dd><p>
-Use [do not use] TCP when querying name servers. This alternate
-syntax to <em class="parameter"><code>+[no]tcp</code></em> is provided for backwards
-compatibility. The "vc" stands for "virtual circuit".
-</p></dd>
-<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
-<dd><p>
-Ignore truncation in UDP responses instead of retrying with TCP. By
-default, TCP retries are performed.
-</p></dd>
-<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
-<dd><p>
-Set the search list to contain the single domain
-<em class="parameter"><code>somename</code></em>, as if specified in a
-<span><strong class="command">domain</strong></span> directive in
-<code class="filename">/etc/resolv.conf</code>, and enable search list
-processing as if the <em class="parameter"><code>+search</code></em> option were given.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
-Use [do not use] the search list defined by the searchlist or domain
-directive in <code class="filename">resolv.conf</code> (if any).
-The search list is not used by default.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
-<dd><p>
-Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
-</p></dd>
-<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
-<dd><p>
-Sets the "aa" flag in the query.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
-<dd><p>
-A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
-<dd><p>
-Set [do not set] the AD (authentic data) bit in the query. The AD bit
-currently has a standard meaning only in responses, not in queries,
-but the ability to set the bit in the query is provided for
-completeness.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
-<dd><p>
-Set [do not set] the CD (checking disabled) bit in the query. This
-requests the server to not perform DNSSEC validation of responses.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
-<dd><p>
-Display [do not display] the CLASS when printing the record.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
-<dd><p>
-Display [do not display] the TTL when printing the record.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
-<dd><p>
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means <span><strong class="command">dig</strong></span>
-normally sends recursive queries. Recursion is automatically disabled
-when the <em class="parameter"><code>+nssearch</code></em> or
-<em class="parameter"><code>+trace</code></em> query options are used.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
-<dd><p>
-When this option is set, <span><strong class="command">dig</strong></span> attempts to find the
-authoritative name servers for the zone containing the name being
-looked up and display the SOA record that each name server has for the
-zone.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
-<dd><p>
-Toggle tracing of the delegation path from the root name servers for
-the name being looked up. Tracing is disabled by default. When
-tracing is enabled, <span><strong class="command">dig</strong></span> makes iterative queries to
-resolve the name being looked up. It will follow referrals from the
-root servers, showing the answer from each server that was used to
-resolve the lookup.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
-<dd><p>
-toggles the printing of the initial comment in the output identifying
-the version of <span><strong class="command">dig</strong></span> and the query options that have
-been applied. This comment is printed by default.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]short</code></span></dt>
-<dd><p>
-Provide a terse answer. The default is to print the answer in a
-verbose form.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
-<dd><p>
-Show [or do not show] the IP address and port number that supplied the
-answer when the <em class="parameter"><code>+short</code></em> option is enabled. If
-short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
-<dd><p>
-Toggle the display of comment lines in the output. The default is to
-print comments.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
-<dd><p>
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on. The default behaviour is
-to print the query statistics.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
-<dd><p>
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]question</code></span></dt>
-<dd><p>
-Print [do not print] the question section of a query when an answer is
-returned. The default is to print the question section as a comment.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
-<dd><p>
-Display [do not display] the answer section of a reply. The default
-is to display it.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
-<dd><p>
-Display [do not display] the authority section of a reply. The
-default is to display it.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
-<dd><p>
-Display [do not display] the additional section of a reply.
-The default is to display it.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]all</code></span></dt>
-<dd><p>
-Set or clear all display flags.
-</p></dd>
-<dt><span class="term"><code class="option">+time=T</code></span></dt>
-<dd><p>
-
-Sets the timeout for a query to
-<em class="parameter"><code>T</code></em> seconds. The default time out is 5 seconds.
-An attempt to set <em class="parameter"><code>T</code></em> to less than 1 will result
-in a query timeout of 1 second being applied.
-</p></dd>
-<dt><span class="term"><code class="option">+tries=T</code></span></dt>
-<dd><p>
-Sets the number of times to try UDP queries to server to
-<em class="parameter"><code>T</code></em> instead of the default, 3. If
-<em class="parameter"><code>T</code></em> is less than or equal to zero, the number of
-tries is silently rounded up to 1.
-</p></dd>
-<dt><span class="term"><code class="option">+retry=T</code></span></dt>
-<dd><p>
-Sets the number of times to retry UDP queries to server to
-<em class="parameter"><code>T</code></em> instead of the default, 2. Unlike
-<em class="parameter"><code>+tries</code></em>, this does not include the initial
-query.
-</p></dd>
-<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
-<dd><p>
-Set the number of dots that have to appear in
-<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
-considered absolute. The default value is that defined using the
-ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
-ndots statement is present. Names with fewer dots are interpreted as
-relative names and will be searched for in the domains listed in the
-<code class="option">search</code> or <code class="option">domain</code> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p></dd>
-<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
-<dd><p>
-Set the UDP message buffer size advertised using EDNS0 to
-<em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes of this
-buffer are 65535 and 0 respectively. Values outside this range are
-rounded up or down appropriately.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
-<dd><p>
-Print records like the SOA records in a verbose multi-line
-format with human-readable comments. The default is to print
-each record on a single line, to facilitate machine parsing
-of the <span><strong class="command">dig</strong></span> output.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
-<dd><p>
-Do not try the next server if you receive a SERVFAIL. The default is
-to not try the next server which is the reverse of normal stub resolver
-behaviour.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
-<dd><p>
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
-<dd><p>
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-</p></dd>
-<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
-<dd><p>
-Chase DNSSEC signature chains. Requires dig be compiled with
--DDIG_SIGCHASE.
-</p></dd>
-<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
-<dd>
-<p>
- Specifies a file containing trusted keys to be used with
- <code class="option">+sigchase</code>. Each DNSKEY record must be
- on its own line.
- </p>
-<p>
- If not specified <span><strong class="command">dig</strong></span> will look for
- <code class="filename">/etc/trusted-key.key</code> then
- <code class="filename">trusted-key.key</code> in the current directory.
- </p>
-<p>
- Requires dig be compiled with -DDIG_SIGCHASE.
- </p>
-</dd>
-<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
-<dd><p>
-When chasing DNSSEC signature chains perform a top down validation.
-Requires dig be compiled with -DDIG_SIGCHASE.
-</p></dd>
-</dl></div>
-<p>
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2527033"></a><h2>MULTIPLE QUERIES</h2>
-<p>
-The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports
-specifying multiple queries on the command line (in addition to
-supporting the <code class="option">-f</code> batch file option). Each of those
-queries can be supplied with its own set of flags, options and query
-options.
-</p>
-<p>
-In this case, each <em class="parameter"><code>query</code></em> argument represent an
-individual query in the command-line syntax described above. Each
-consists of any of the standard options and flags, the name to be
-looked up, an optional query type and class and any query options that
-should be applied to that query.
-</p>
-<p>
-A global set of query options, which should be applied to all queries,
-can also be supplied. These global query options must precede the
-first tuple of name, class, type, options, flags, and query options
-supplied on the command line. Any global query options (except
-the <code class="option">+[no]cmd</code> option) can be
-overridden by a query-specific set of query options. For example:
-</p>
-<pre class="programlisting">
-dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
-</pre>
-<p>
-shows how <span><strong class="command">dig</strong></span> could be used from the command line
-to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
-reverse lookup of 127.0.0.1 and a query for the NS records of
-<code class="literal">isc.org</code>.
-
-A global query option of <em class="parameter"><code>+qr</code></em> is applied, so
-that <span><strong class="command">dig</strong></span> shows the initial query it made for each
-lookup. The final query has a local query option of
-<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
-will not print the initial query when it looks up the NS records for
-<code class="literal">isc.org</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2527092"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-<p>
-<code class="filename">${HOME}/.digrc</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2527111"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-<em class="citetitle">RFC1035</em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2527149"></a><h2>BUGS </h2>
-<p>
-There are probably too many query options.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dig/dighost.c b/contrib/bind9/bin/dig/dighost.c
deleted file mode 100644
index 6129fedb6c64..000000000000
--- a/contrib/bind9/bin/dig/dighost.c
+++ /dev/null
@@ -1,5072 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dighost.c,v 1.221.2.19.2.31 2005/10/14 01:38:40 marka Exp $ */
-
-/*
- * Notice to programmers: Do not use this code as an example of how to
- * use the ISC library to perform DNS lookups. Dig and Host both operate
- * on the request level, since they allow fine-tuning of output and are
- * intended as debugging tools. As a result, they perform many of the
- * functions which could be better handled using the dns_resolver
- * functions in most applications.
- */
-
-#include <config.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <limits.h>
-
-#include <dns/byaddr.h>
-#ifdef DIG_SIGCHASE
-#include <dns/dnssec.h>
-#include <dns/ds.h>
-#include <dns/nsec.h>
-#include <isc/random.h>
-#include <ctype.h>
-#endif
-#include <dns/fixedname.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#include <dst/dst.h>
-
-#include <isc/app.h>
-#include <isc/base64.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/lang.h>
-#include <isc/netaddr.h>
-#ifdef DIG_SIGCHASE
-#include <isc/netdb.h>
-#endif
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-
-#include <bind9/getaddresses.h>
-
-#include <dig/dig.h>
-
-#if ! defined(NS_INADDRSZ)
-#define NS_INADDRSZ 4
-#endif
-
-#if ! defined(NS_IN6ADDRSZ)
-#define NS_IN6ADDRSZ 16
-#endif
-
-static lwres_context_t *lwctx = NULL;
-static lwres_conf_t *lwconf;
-
-dig_lookuplist_t lookup_list;
-dig_serverlist_t server_list;
-dig_searchlistlist_t search_list;
-
-isc_boolean_t
- have_ipv4 = ISC_FALSE,
- have_ipv6 = ISC_FALSE,
- specified_source = ISC_FALSE,
- free_now = ISC_FALSE,
- cancel_now = ISC_FALSE,
- usesearch = ISC_FALSE,
- qr = ISC_FALSE,
- is_dst_up = ISC_FALSE;
-in_port_t port = 53;
-unsigned int timeout = 0;
-isc_mem_t *mctx = NULL;
-isc_taskmgr_t *taskmgr = NULL;
-isc_task_t *global_task = NULL;
-isc_timermgr_t *timermgr = NULL;
-isc_socketmgr_t *socketmgr = NULL;
-isc_sockaddr_t bind_address;
-isc_sockaddr_t bind_any;
-int sendcount = 0;
-int recvcount = 0;
-int sockcount = 0;
-int ndots = -1;
-int tries = 3;
-int lookup_counter = 0;
-
-/*
- * Exit Codes:
- * 0 Everything went well, including things like NXDOMAIN
- * 1 Usage error
- * 7 Got too many RR's or Names
- * 8 Couldn't open batch file
- * 9 No reply from server
- * 10 Internal error
- */
-int exitcode = 0;
-int fatalexit = 0;
-char keynametext[MXNAME];
-char keyfile[MXNAME] = "";
-char keysecret[MXNAME] = "";
-isc_buffer_t *namebuf = NULL;
-dns_tsigkey_t *key = NULL;
-isc_boolean_t validated = ISC_TRUE;
-isc_entropy_t *entp = NULL;
-isc_mempool_t *commctx = NULL;
-isc_boolean_t debugging = ISC_FALSE;
-isc_boolean_t memdebugging = ISC_FALSE;
-char *progname = NULL;
-isc_mutex_t lookup_lock;
-dig_lookup_t *current_lookup = NULL;
-
-#ifdef DIG_SIGCHASE
-
-isc_result_t get_trusted_key(isc_mem_t *mctx);
-dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type,
- dns_rdatatype_t covers,
- isc_boolean_t *lookedup,
- dns_name_t *rdata_name);
-dns_rdataset_t * chase_scanname_section(dns_message_t *msg,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- int section);
-isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- isc_boolean_t *lookedup);
-isc_result_t sigchase_verify_sig_key(dns_name_t *name,
- dns_rdataset_t *rdataset,
- dst_key_t* dnsseckey,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx);
-isc_result_t sigchase_verify_sig(dns_name_t *name,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *keyrdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx);
-isc_result_t sigchase_verify_ds(dns_name_t *name,
- dns_rdataset_t *keyrdataset,
- dns_rdataset_t *dsrdataset,
- isc_mem_t *mctx);
-void sigchase(dns_message_t *msg);
-void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
-void print_rdataset(dns_name_t *name,
- dns_rdataset_t *rdataset, isc_mem_t *mctx);
-void dup_name(dns_name_t *source, dns_name_t* target,
- isc_mem_t *mctx);
-void free_name(dns_name_t *name, isc_mem_t *mctx);
-void dump_database(void);
-void dump_database_section(dns_message_t *msg, int section);
-dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type,
- dns_rdatatype_t covers);
-isc_result_t contains_trusted_key(dns_name_t *name,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx);
-void print_type(dns_rdatatype_t type);
-isc_result_t prove_nx_domain(dns_message_t * msg,
- dns_name_t * name,
- dns_name_t * rdata_name,
- dns_rdataset_t ** rdataset,
- dns_rdataset_t ** sigrdataset);
-isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name,
- dns_rdataset_t *nsec,
- dns_rdataclass_t class,
- dns_rdatatype_t type,
- dns_name_t * rdata_name,
- dns_rdataset_t ** rdataset,
- dns_rdataset_t ** sigrdataset);
-isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name,
- dns_rdataclass_t class,
- dns_rdatatype_t type,
- dns_name_t * rdata_name,
- dns_rdataset_t ** rdataset,
- dns_rdataset_t ** sigrdataset);
-static void nameFromString(const char *str, dns_name_t *p_ret);
-int inf_name(dns_name_t * name1, dns_name_t * name2);
-isc_result_t opentmpkey(isc_mem_t *mctx, const char *file,
- char **tempp, FILE **fp);
-isc_result_t removetmpkey(isc_mem_t *mctx, const char *file);
-void clean_trustedkey(void);
-void insert_trustedkey(dst_key_t * key);
-#if DIG_SIGCHASE_BU
-isc_result_t getneededrr(dns_message_t *msg);
-void sigchase_bottom_up(dns_message_t *msg);
-void sigchase_bu(dns_message_t *msg);
-#endif
-#if DIG_SIGCHASE_TD
-isc_result_t initialization(dns_name_t *name);
-isc_result_t prepare_lookup(dns_name_t *name);
-isc_result_t grandfather_pb_test(dns_name_t * zone_name,
- dns_rdataset_t *sigrdataset);
-isc_result_t child_of_zone(dns_name_t *name,
- dns_name_t *zone_name,
- dns_name_t *child_name);
-void sigchase_td(dns_message_t *msg);
-#endif
-char trustedkey[MXNAME] = "";
-
-dns_rdataset_t *chase_rdataset = NULL;
-dns_rdataset_t *chase_sigrdataset = NULL;
-dns_rdataset_t *chase_dsrdataset = NULL;
-dns_rdataset_t *chase_sigdsrdataset = NULL;
-dns_rdataset_t *chase_keyrdataset = NULL;
-dns_rdataset_t *chase_sigkeyrdataset = NULL;
-dns_rdataset_t *chase_nsrdataset = NULL;
-
-dns_name_t chase_name; /* the query name */
-#if DIG_SIGCHASE_TD
-/*
- * the current name is the parent name when we follow delegation
- */
-dns_name_t chase_current_name;
-/*
- * the child name is used for delegation (NS DS responses in AUTHORITY section)
- */
-dns_name_t chase_authority_name;
-#endif
-#if DIG_SIGCHASE_BU
-dns_name_t chase_signame;
-#endif
-
-
-isc_boolean_t chase_siglookedup = ISC_FALSE;
-isc_boolean_t chase_keylookedup = ISC_FALSE;
-isc_boolean_t chase_sigkeylookedup = ISC_FALSE;
-isc_boolean_t chase_dslookedup = ISC_FALSE;
-isc_boolean_t chase_sigdslookedup = ISC_FALSE;
-#if DIG_SIGCHASE_TD
-isc_boolean_t chase_nslookedup = ISC_FALSE;
-isc_boolean_t chase_lookedup = ISC_FALSE;
-
-
-isc_boolean_t delegation_follow = ISC_FALSE;
-isc_boolean_t grandfather_pb = ISC_FALSE;
-isc_boolean_t have_response = ISC_FALSE;
-isc_boolean_t have_delegation_ns = ISC_FALSE;
-dns_message_t * error_message = NULL;
-#endif
-
-isc_boolean_t dsvalidating = ISC_FALSE;
-isc_boolean_t chase_name_dup = ISC_FALSE;
-
-ISC_LIST(dig_message_t) chase_message_list;
-ISC_LIST(dig_message_t) chase_message_list2;
-
-
-#define MAX_TRUSTED_KEY 5
-typedef struct struct_trusted_key_list {
- dst_key_t * key[MAX_TRUSTED_KEY];
- int nb_tk;
-} struct_tk_list;
-
-struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
-
-#endif
-
-#define DIG_MAX_ADDRESSES 20
-
-/*
- * Apply and clear locks at the event level in global task.
- * Can I get rid of these using shutdown events? XXX
- */
-#define LOCK_LOOKUP {\
- debug("lock_lookup %s:%d", __FILE__, __LINE__);\
- check_result(isc_mutex_lock((&lookup_lock)), "isc_mutex_lock");\
- debug("success");\
-}
-#define UNLOCK_LOOKUP {\
- debug("unlock_lookup %s:%d", __FILE__, __LINE__);\
- check_result(isc_mutex_unlock((&lookup_lock)),\
- "isc_mutex_unlock");\
-}
-
-static void
-cancel_lookup(dig_lookup_t *lookup);
-
-static void
-recv_done(isc_task_t *task, isc_event_t *event);
-
-static void
-connect_timeout(isc_task_t *task, isc_event_t *event);
-
-static void
-launch_next_query(dig_query_t *query, isc_boolean_t include_question);
-
-
-static void *
-mem_alloc(void *arg, size_t size) {
- return (isc_mem_get(arg, size));
-}
-
-static void
-mem_free(void *arg, void *mem, size_t size) {
- isc_mem_put(arg, mem, size);
-}
-
-char *
-next_token(char **stringp, const char *delim) {
- char *res;
-
- do {
- res = strsep(stringp, delim);
- if (res == NULL)
- break;
- } while (*res == '\0');
- return (res);
-}
-
-static int
-count_dots(char *string) {
- char *s;
- int i = 0;
-
- s = string;
- while (*s != '\0') {
- if (*s == '.')
- i++;
- s++;
- }
- return (i);
-}
-
-static void
-hex_dump(isc_buffer_t *b) {
- unsigned int len;
- isc_region_t r;
-
- isc_buffer_usedregion(b, &r);
-
- printf("%d bytes\n", r.length);
- for (len = 0; len < r.length; len++) {
- printf("%02x ", r.base[len]);
- if (len % 16 == 15)
- printf("\n");
- }
- if (len % 16 != 0)
- printf("\n");
-}
-
-/*
- * Append 'len' bytes of 'text' at '*p', failing with
- * ISC_R_NOSPACE if that would advance p past 'end'.
- */
-static isc_result_t
-append(const char *text, int len, char **p, char *end) {
- if (len > end - *p)
- return (ISC_R_NOSPACE);
- memcpy(*p, text, len);
- *p += len;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-reverse_octets(const char *in, char **p, char *end) {
- char *dot = strchr(in, '.');
- int len;
- if (dot != NULL) {
- isc_result_t result;
- result = reverse_octets(dot + 1, p, end);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = append(".", 1, p, end);
- if (result != ISC_R_SUCCESS)
- return (result);
- len = dot - in;
- } else {
- len = strlen(in);
- }
- return (append(in, len, p, end));
-}
-
-isc_result_t
-get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
- isc_boolean_t strict)
-{
- int r;
- isc_result_t result;
- isc_netaddr_t addr;
-
- addr.family = AF_INET6;
- r = inet_pton(AF_INET6, value, &addr.type.in6);
- if (r > 0) {
- /* This is a valid IPv6 address. */
- dns_fixedname_t fname;
- dns_name_t *name;
- unsigned int options = 0;
-
- if (ip6_int)
- options |= DNS_BYADDROPT_IPV6INT;
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- result = dns_byaddr_createptrname2(&addr, options, name);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_format(name, reverse, len);
- return (ISC_R_SUCCESS);
- } else {
- /*
- * Not a valid IPv6 address. Assume IPv4.
- * If 'strict' is not set, construct the
- * in-addr.arpa name by blindly reversing
- * octets whether or not they look like integers,
- * so that this can be used for RFC2317 names
- * and such.
- */
- char *p = reverse;
- char *end = reverse + len;
- if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1)
- return (DNS_R_BADDOTTEDQUAD);
- result = reverse_octets(value, &p, end);
- if (result != ISC_R_SUCCESS)
- return (result);
- /* Append .in-addr.arpa. and a terminating NUL. */
- result = append(".in-addr.arpa.", 15, &p, end);
- if (result != ISC_R_SUCCESS)
- return (result);
- return (ISC_R_SUCCESS);
- }
-}
-
-void
-fatal(const char *format, ...) {
- va_list args;
-
- fprintf(stderr, "%s: ", progname);
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- if (exitcode < 10)
- exitcode = 10;
- if (fatalexit != 0)
- exitcode = fatalexit;
- exit(exitcode);
-}
-
-void
-debug(const char *format, ...) {
- va_list args;
-
- if (debugging) {
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- }
-}
-
-void
-check_result(isc_result_t result, const char *msg) {
- if (result != ISC_R_SUCCESS) {
- fatal("%s: %s", msg, isc_result_totext(result));
- }
-}
-
-/*
- * Create a server structure, which is part of the lookup structure.
- * This is little more than a linked list of servers to query in hopes
- * of finding the answer the user is looking for
- */
-dig_server_t *
-make_server(const char *servname, const char *userarg) {
- dig_server_t *srv;
-
- REQUIRE(servname != NULL);
-
- debug("make_server(%s)", servname);
- srv = isc_mem_allocate(mctx, sizeof(struct dig_server));
- if (srv == NULL)
- fatal("memory allocation failure in %s:%d",
- __FILE__, __LINE__);
- strncpy(srv->servername, servname, MXNAME);
- strncpy(srv->userarg, userarg, MXNAME);
- srv->servername[MXNAME-1] = 0;
- srv->userarg[MXNAME-1] = 0;
- ISC_LINK_INIT(srv, link);
- return (srv);
-}
-
-static int
-addr2af(int lwresaddrtype)
-{
- int af = 0;
-
- switch (lwresaddrtype) {
- case LWRES_ADDRTYPE_V4:
- af = AF_INET;
- break;
-
- case LWRES_ADDRTYPE_V6:
- af = AF_INET6;
- break;
- }
-
- return (af);
-}
-
-/*
- * Create a copy of the server list from the lwres configuration structure.
- * The dest list must have already had ISC_LIST_INIT applied.
- */
-static void
-copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
- dig_server_t *newsrv;
- char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
- int af;
- int i;
-
- debug("copy_server_list()");
- for (i = 0; i < confdata->nsnext; i++) {
- af = addr2af(confdata->nameservers[i].family);
-
- lwres_net_ntop(af, confdata->nameservers[i].address,
- tmp, sizeof(tmp));
- newsrv = make_server(tmp, tmp);
- ISC_LINK_INIT(newsrv, link);
- ISC_LIST_ENQUEUE(*dest, newsrv, link);
- }
-}
-
-void
-flush_server_list(void) {
- dig_server_t *s, *ps;
-
- debug("flush_server_list()");
- s = ISC_LIST_HEAD(server_list);
- while (s != NULL) {
- ps = s;
- s = ISC_LIST_NEXT(s, link);
- ISC_LIST_DEQUEUE(server_list, ps, link);
- isc_mem_free(mctx, ps);
- }
-}
-
-void
-set_nameserver(char *opt) {
- isc_result_t result;
- isc_sockaddr_t sockaddrs[DIG_MAX_ADDRESSES];
- isc_netaddr_t netaddr;
- int count, i;
- dig_server_t *srv;
- char tmp[ISC_NETADDR_FORMATSIZE];
-
- if (opt == NULL)
- return;
-
- result = bind9_getaddresses(opt, 0, sockaddrs,
- DIG_MAX_ADDRESSES, &count);
- if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- opt, isc_result_totext(result));
-
- flush_server_list();
-
- for (i = 0; i < count; i++) {
- isc_netaddr_fromsockaddr(&netaddr, &sockaddrs[i]);
- isc_netaddr_format(&netaddr, tmp, sizeof(tmp));
- srv = make_server(tmp, opt);
- if (srv == NULL)
- fatal("memory allocation failure");
- ISC_LIST_APPEND(server_list, srv, link);
- }
-}
-
-static isc_result_t
-add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
-
- int i = confdata->nsnext;
-
- if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS)
- return (ISC_R_FAILURE);
-
- switch (af) {
- case AF_INET:
- confdata->nameservers[i].family = LWRES_ADDRTYPE_V4;
- confdata->nameservers[i].length = NS_INADDRSZ;
- break;
- case AF_INET6:
- confdata->nameservers[i].family = LWRES_ADDRTYPE_V6;
- confdata->nameservers[i].length = NS_IN6ADDRSZ;
- break;
- default:
- return (ISC_R_FAILURE);
- }
-
- if (lwres_net_pton(af, addr, &confdata->nameservers[i].address) == 1) {
- confdata->nsnext++;
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_FAILURE);
-}
-
-/*
- * Produce a cloned server list. The dest list must have already had
- * ISC_LIST_INIT applied.
- */
-void
-clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
- dig_server_t *srv, *newsrv;
-
- debug("clone_server_list()");
- srv = ISC_LIST_HEAD(src);
- while (srv != NULL) {
- newsrv = make_server(srv->servername, srv->userarg);
- ISC_LINK_INIT(newsrv, link);
- ISC_LIST_ENQUEUE(*dest, newsrv, link);
- srv = ISC_LIST_NEXT(srv, link);
- }
-}
-
-/*
- * Create an empty lookup structure, which holds all the information needed
- * to get an answer to a user's question. This structure contains two
- * linked lists: the server list (servers to query) and the query list
- * (outstanding queries which have been made to the listed servers).
- */
-dig_lookup_t *
-make_empty_lookup(void) {
- dig_lookup_t *looknew;
-
- debug("make_empty_lookup()");
-
- INSIST(!free_now);
-
- looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
- if (looknew == NULL)
- fatal("memory allocation failure in %s:%d",
- __FILE__, __LINE__);
- looknew->pending = ISC_TRUE;
- looknew->textname[0] = 0;
- looknew->cmdline[0] = 0;
- looknew->rdtype = dns_rdatatype_a;
- looknew->qrdtype = dns_rdatatype_a;
- looknew->rdclass = dns_rdataclass_in;
- looknew->rdtypeset = ISC_FALSE;
- looknew->rdclassset = ISC_FALSE;
- looknew->sendspace = NULL;
- looknew->sendmsg = NULL;
- looknew->name = NULL;
- looknew->oname = NULL;
- looknew->timer = NULL;
- looknew->xfr_q = NULL;
- looknew->current_query = NULL;
- looknew->doing_xfr = ISC_FALSE;
- looknew->ixfr_serial = ISC_FALSE;
- looknew->trace = ISC_FALSE;
- looknew->trace_root = ISC_FALSE;
- looknew->identify = ISC_FALSE;
- looknew->identify_previous_line = ISC_FALSE;
- looknew->ignore = ISC_FALSE;
- looknew->servfail_stops = ISC_TRUE;
- looknew->besteffort = ISC_TRUE;
- looknew->dnssec = ISC_FALSE;
-#ifdef DIG_SIGCHASE
- looknew->sigchase = ISC_FALSE;
-#if DIG_SIGCHASE_TD
- looknew->do_topdown = ISC_FALSE;
- looknew->trace_root_sigchase = ISC_FALSE;
- looknew->rdtype_sigchaseset = ISC_FALSE;
- looknew->rdtype_sigchase = dns_rdatatype_any;
- looknew->qrdtype_sigchase = dns_rdatatype_any;
- looknew->rdclass_sigchase = dns_rdataclass_in;
- looknew->rdclass_sigchaseset = ISC_FALSE;
-#endif
-#endif
- looknew->udpsize = 0;
- looknew->recurse = ISC_TRUE;
- looknew->aaonly = ISC_FALSE;
- looknew->adflag = ISC_FALSE;
- looknew->cdflag = ISC_FALSE;
- looknew->ns_search_only = ISC_FALSE;
- looknew->origin = NULL;
- looknew->tsigctx = NULL;
- looknew->querysig = NULL;
- looknew->retries = tries;
- looknew->nsfound = 0;
- looknew->tcp_mode = ISC_FALSE;
- looknew->ip6_int = ISC_FALSE;
- looknew->comments = ISC_TRUE;
- looknew->stats = ISC_TRUE;
- looknew->section_question = ISC_TRUE;
- looknew->section_answer = ISC_TRUE;
- looknew->section_authority = ISC_TRUE;
- looknew->section_additional = ISC_TRUE;
- looknew->new_search = ISC_FALSE;
- ISC_LINK_INIT(looknew, link);
- ISC_LIST_INIT(looknew->q);
- ISC_LIST_INIT(looknew->my_server_list);
- return (looknew);
-}
-
-/*
- * Clone a lookup, perhaps copying the server list. This does not clone
- * the query list, since it will be regenerated by the setup_lookup()
- * function, nor does it queue up the new lookup for processing.
- * Caution: If you don't clone the servers, you MUST clone the server
- * list seperately from somewhere else, or construct it by hand.
- */
-dig_lookup_t *
-clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
- dig_lookup_t *looknew;
-
- debug("clone_lookup()");
-
- INSIST(!free_now);
-
- looknew = make_empty_lookup();
- INSIST(looknew != NULL);
- strncpy(looknew->textname, lookold->textname, MXNAME);
-#if DIG_SIGCHASE_TD
- strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
-#endif
- strncpy(looknew->cmdline, lookold->cmdline, MXNAME);
- looknew->textname[MXNAME-1] = 0;
- looknew->rdtype = lookold->rdtype;
- looknew->qrdtype = lookold->qrdtype;
- looknew->rdclass = lookold->rdclass;
- looknew->rdtypeset = lookold->rdtypeset;
- looknew->rdclassset = lookold->rdclassset;
- looknew->doing_xfr = lookold->doing_xfr;
- looknew->ixfr_serial = lookold->ixfr_serial;
- looknew->trace = lookold->trace;
- looknew->trace_root = lookold->trace_root;
- looknew->identify = lookold->identify;
- looknew->identify_previous_line = lookold->identify_previous_line;
- looknew->ignore = lookold->ignore;
- looknew->servfail_stops = lookold->servfail_stops;
- looknew->besteffort = lookold->besteffort;
- looknew->dnssec = lookold->dnssec;
-#ifdef DIG_SIGCHASE
- looknew->sigchase = lookold->sigchase;
-#if DIG_SIGCHASE_TD
- looknew->do_topdown = lookold->do_topdown;
- looknew->trace_root_sigchase = lookold->trace_root_sigchase;
- looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset;
- looknew->rdtype_sigchase = lookold->rdtype_sigchase;
- looknew->qrdtype_sigchase = lookold->qrdtype_sigchase;
- looknew->rdclass_sigchase = lookold->rdclass_sigchase;
- looknew->rdclass_sigchaseset = lookold->rdclass_sigchaseset;
-#endif
-#endif
- looknew->udpsize = lookold->udpsize;
- looknew->recurse = lookold->recurse;
- looknew->aaonly = lookold->aaonly;
- looknew->adflag = lookold->adflag;
- looknew->cdflag = lookold->cdflag;
- looknew->ns_search_only = lookold->ns_search_only;
- looknew->tcp_mode = lookold->tcp_mode;
- looknew->comments = lookold->comments;
- looknew->stats = lookold->stats;
- looknew->section_question = lookold->section_question;
- looknew->section_answer = lookold->section_answer;
- looknew->section_authority = lookold->section_authority;
- looknew->section_additional = lookold->section_additional;
- looknew->retries = lookold->retries;
- looknew->tsigctx = NULL;
-
- if (servers)
- clone_server_list(lookold->my_server_list,
- &looknew->my_server_list);
- return (looknew);
-}
-
-/*
- * Requeue a lookup for further processing, perhaps copying the server
- * list. The new lookup structure is returned to the caller, and is
- * queued for processing. If servers are not cloned in the requeue, they
- * must be added before allowing the current event to complete, since the
- * completion of the event may result in the next entry on the lookup
- * queue getting run.
- */
-dig_lookup_t *
-requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
- dig_lookup_t *looknew;
-
- debug("requeue_lookup()");
-
- lookup_counter++;
- if (lookup_counter > LOOKUP_LIMIT)
- fatal("too many lookups");
-
- looknew = clone_lookup(lookold, servers);
- INSIST(looknew != NULL);
-
- debug("before insertion, init@%p -> %p, new@%p -> %p",
- lookold, lookold->link.next, looknew, looknew->link.next);
- ISC_LIST_PREPEND(lookup_list, looknew, link);
- debug("after insertion, init -> %p, new = %p, new -> %p",
- lookold, looknew, looknew->link.next);
- return (looknew);
-}
-
-
-static void
-setup_text_key(void) {
- isc_result_t result;
- dns_name_t keyname;
- isc_buffer_t secretbuf;
- int secretsize;
- unsigned char *secretstore;
-
- debug("setup_text_key()");
- result = isc_buffer_allocate(mctx, &namebuf, MXNAME);
- check_result(result, "isc_buffer_allocate");
- dns_name_init(&keyname, NULL);
- check_result(result, "dns_name_init");
- isc_buffer_putstr(namebuf, keynametext);
- secretsize = strlen(keysecret) * 3 / 4;
- secretstore = isc_mem_allocate(mctx, secretsize);
- if (secretstore == NULL)
- fatal("memory allocation failure in %s:%d",
- __FILE__, __LINE__);
- isc_buffer_init(&secretbuf, secretstore, secretsize);
- result = isc_base64_decodestring(keysecret, &secretbuf);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- secretsize = isc_buffer_usedlength(&secretbuf);
-
- result = dns_name_fromtext(&keyname, namebuf,
- dns_rootname, ISC_FALSE,
- namebuf);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
- secretstore, secretsize,
- ISC_FALSE, NULL, 0, 0, mctx,
- NULL, &key);
- failure:
- if (result != ISC_R_SUCCESS)
- printf(";; Couldn't create key %s: %s\n",
- keynametext, isc_result_totext(result));
-
- isc_mem_free(mctx, secretstore);
- dns_name_invalidate(&keyname);
- isc_buffer_free(&namebuf);
-}
-
-static void
-setup_file_key(void) {
- isc_result_t result;
- dst_key_t *dstkey = NULL;
-
- debug("setup_file_key()");
- result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
- mctx, &dstkey);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "Couldn't read key from %s: %s\n",
- keyfile, isc_result_totext(result));
- goto failure;
- }
-
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
- dns_tsig_hmacmd5_name,
- dstkey, ISC_FALSE, NULL, 0, 0,
- mctx, NULL, &key);
- if (result != ISC_R_SUCCESS) {
- printf(";; Couldn't create key %s: %s\n",
- keynametext, isc_result_totext(result));
- goto failure;
- }
- dstkey = NULL;
- failure:
- if (dstkey != NULL)
- dst_key_free(&dstkey);
-}
-
-static dig_searchlist_t *
-make_searchlist_entry(char *domain) {
- dig_searchlist_t *search;
- search = isc_mem_allocate(mctx, sizeof(*search));
- if (search == NULL)
- fatal("memory allocation failure in %s:%d",
- __FILE__, __LINE__);
- strncpy(search->origin, domain, MXNAME);
- search->origin[MXNAME-1] = 0;
- ISC_LINK_INIT(search, link);
- return (search);
-}
-
-static void
-create_search_list(lwres_conf_t *confdata) {
- int i;
- dig_searchlist_t *search;
-
- debug("create_search_list()");
- ISC_LIST_INIT(search_list);
-
- for (i = 0; i < confdata->searchnxt; i++) {
- search = make_searchlist_entry(confdata->search[i]);
- ISC_LIST_APPEND(search_list, search, link);
- }
-}
-
-/*
- * Setup the system as a whole, reading key information and resolv.conf
- * settings.
- */
-void
-setup_system(void) {
- dig_searchlist_t *domain = NULL;
- lwres_result_t lwresult;
-
- debug("setup_system()");
-
- lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
- if (lwresult != LWRES_R_SUCCESS)
- fatal("lwres_context_create failed");
-
- if (isc_file_exists(RESOLV_CONF))
- lwresult = lwres_conf_parse(lwctx, RESOLV_CONF);
- if (lwresult != LWRES_R_SUCCESS)
- fatal("parse of %s failed", RESOLV_CONF);
-
- lwconf = lwres_conf_get(lwctx);
-
- /* Make the search list */
- if (lwconf->searchnxt > 0)
- create_search_list(lwconf);
- else { /* No search list. Use the domain name if any */
- if (lwconf->domainname != NULL) {
- domain = make_searchlist_entry(lwconf->domainname);
- ISC_LIST_INITANDAPPEND(search_list, domain, link);
- domain = NULL;
- }
- }
-
- if (ndots == -1) {
- ndots = lwconf->ndots;
- debug("ndots is %d.", ndots);
- }
-
- /* If we don't find a nameserver fall back to localhost */
- if (lwconf->nsnext == 0) {
- if (have_ipv4) {
- lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
- if (lwresult != ISC_R_SUCCESS)
- fatal("add_nameserver failed");
- }
- if (have_ipv6) {
- lwresult = add_nameserver(lwconf, "::1", AF_INET6);
- if (lwresult != ISC_R_SUCCESS)
- fatal("add_nameserver failed");
- }
- }
-
- if (ISC_LIST_EMPTY(server_list))
- copy_server_list(lwconf, &server_list);
-
- if (keyfile[0] != 0)
- setup_file_key();
- else if (keysecret[0] != 0)
- setup_text_key();
-#ifdef DIG_SIGCHASE
- /* Setup the list of messages for +sigchase */
- ISC_LIST_INIT(chase_message_list);
- ISC_LIST_INIT(chase_message_list2);
- dns_name_init(&chase_name, NULL);
-#if DIG_SIGCHASE_TD
- dns_name_init(&chase_current_name, NULL);
- dns_name_init(&chase_authority_name, NULL);
-#endif
-#if DIG_SIGCHASE_BU
- dns_name_init(&chase_signame, NULL);
-#endif
-
-#endif
-
-}
-
-static void
-clear_searchlist(void) {
- dig_searchlist_t *search;
- while ((search = ISC_LIST_HEAD(search_list)) != NULL) {
- ISC_LIST_UNLINK(search_list, search, link);
- isc_mem_free(mctx, search);
- }
-}
-
-/*
- * Override the search list derived from resolv.conf by 'domain'.
- */
-void
-set_search_domain(char *domain) {
- dig_searchlist_t *search;
-
- clear_searchlist();
- search = make_searchlist_entry(domain);
- ISC_LIST_APPEND(search_list, search, link);
-}
-
-/*
- * Setup the ISC and DNS libraries for use by the system.
- */
-void
-setup_libs(void) {
- isc_result_t result;
-
- debug("setup_libs()");
-
- result = isc_net_probeipv4();
- if (result == ISC_R_SUCCESS)
- have_ipv4 = ISC_TRUE;
-
- result = isc_net_probeipv6();
- if (result == ISC_R_SUCCESS)
- have_ipv6 = ISC_TRUE;
- if (!have_ipv6 && !have_ipv4)
- fatal("can't find either v4 or v6 networking");
-
- result = isc_mem_create(0, 0, &mctx);
- check_result(result, "isc_mem_create");
-
- result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
- check_result(result, "isc_taskmgr_create");
-
- result = isc_task_create(taskmgr, 0, &global_task);
- check_result(result, "isc_task_create");
-
- result = isc_timermgr_create(mctx, &timermgr);
- check_result(result, "isc_timermgr_create");
-
- result = isc_socketmgr_create(mctx, &socketmgr);
- check_result(result, "isc_socketmgr_create");
-
- result = isc_entropy_create(mctx, &entp);
- check_result(result, "isc_entropy_create");
-
- result = dst_lib_init(mctx, entp, 0);
- check_result(result, "dst_lib_init");
- is_dst_up = ISC_TRUE;
-
- result = isc_mempool_create(mctx, COMMSIZE, &commctx);
- check_result(result, "isc_mempool_create");
- isc_mempool_setname(commctx, "COMMPOOL");
- /*
- * 6 and 2 set as reasonable parameters for 3 or 4 nameserver
- * systems.
- */
- isc_mempool_setfreemax(commctx, 6);
- isc_mempool_setfillcount(commctx, 2);
-
- result = isc_mutex_init(&lookup_lock);
- check_result(result, "isc_mutex_init");
-
- dns_result_register();
-}
-
-/*
- * Add EDNS0 option record to a message. Currently, the only supported
- * options are UDP buffer size and the DO bit.
- */
-static void
-add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
- dns_rdataset_t *rdataset = NULL;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdata_t *rdata = NULL;
- isc_result_t result;
-
- debug("add_opt()");
- result = dns_message_gettemprdataset(msg, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
- dns_rdataset_init(rdataset);
- result = dns_message_gettemprdatalist(msg, &rdatalist);
- check_result(result, "dns_message_gettemprdatalist");
- result = dns_message_gettemprdata(msg, &rdata);
- check_result(result, "dns_message_gettemprdata");
-
- debug("setting udp size of %d", udpsize);
- rdatalist->type = dns_rdatatype_opt;
- rdatalist->covers = 0;
- rdatalist->rdclass = udpsize;
- rdatalist->ttl = 0;
- if (dnssec)
- rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
- rdata->data = NULL;
- rdata->length = 0;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- dns_rdatalist_tordataset(rdatalist, rdataset);
- result = dns_message_setopt(msg, rdataset);
- check_result(result, "dns_message_setopt");
-}
-
-/*
- * Add a question section to a message, asking for the specified name,
- * type, and class.
- */
-static void
-add_question(dns_message_t *message, dns_name_t *name,
- dns_rdataclass_t rdclass, dns_rdatatype_t rdtype)
-{
- dns_rdataset_t *rdataset;
- isc_result_t result;
-
- debug("add_question()");
- rdataset = NULL;
- result = dns_message_gettemprdataset(message, &rdataset);
- check_result(result, "dns_message_gettemprdataset()");
- dns_rdataset_init(rdataset);
- dns_rdataset_makequestion(rdataset, rdclass, rdtype);
- ISC_LIST_APPEND(name->list, rdataset, link);
-}
-
-/*
- * Check if we're done with all the queued lookups, which is true iff
- * all sockets, sends, and recvs are accounted for (counters == 0),
- * and the lookup list is empty.
- * If we are done, pass control back out to dighost_shutdown() (which is
- * part of dig.c, host.c, or nslookup.c) to either shutdown the system as
- * a whole or reseed the lookup list.
- */
-static void
-check_if_done(void) {
- debug("check_if_done()");
- debug("list %s", ISC_LIST_EMPTY(lookup_list) ? "empty" : "full");
- if (ISC_LIST_EMPTY(lookup_list) && current_lookup == NULL &&
- sendcount == 0) {
- INSIST(sockcount == 0);
- INSIST(recvcount == 0);
- debug("shutting down");
- dighost_shutdown();
- }
-}
-
-/*
- * Clear out a query when we're done with it. WARNING: This routine
- * WILL invalidate the query pointer.
- */
-static void
-clear_query(dig_query_t *query) {
- dig_lookup_t *lookup;
-
- REQUIRE(query != NULL);
-
- debug("clear_query(%p)", query);
-
- lookup = query->lookup;
-
- if (lookup->current_query == query)
- lookup->current_query = NULL;
-
- ISC_LIST_UNLINK(lookup->q, query, link);
- if (ISC_LINK_LINKED(&query->recvbuf, link))
- ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
- link);
- if (ISC_LINK_LINKED(&query->lengthbuf, link))
- ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
- link);
- INSIST(query->recvspace != NULL);
- if (query->sock != NULL) {
- isc_socket_detach(&query->sock);
- sockcount--;
- debug("sockcount=%d", sockcount);
- }
- isc_mempool_put(commctx, query->recvspace);
- isc_buffer_invalidate(&query->recvbuf);
- isc_buffer_invalidate(&query->lengthbuf);
- isc_mem_free(mctx, query);
-}
-
-/*
- * Try and clear out a lookup if we're done with it. Return ISC_TRUE if
- * the lookup was successfully cleared. If ISC_TRUE is returned, the
- * lookup pointer has been invalidated.
- */
-static isc_boolean_t
-try_clear_lookup(dig_lookup_t *lookup) {
- dig_server_t *s;
- dig_query_t *q;
- void *ptr;
-
- REQUIRE(lookup != NULL);
-
- debug("try_clear_lookup(%p)", lookup);
-
- if (ISC_LIST_HEAD(lookup->q) != NULL) {
- if (debugging) {
- q = ISC_LIST_HEAD(lookup->q);
- while (q != NULL) {
- debug("query to %s still pending", q->servname);
- q = ISC_LIST_NEXT(q, link);
- }
- return (ISC_FALSE);
- }
- }
- /*
- * At this point, we know there are no queries on the lookup,
- * so can make it go away also.
- */
- debug("cleared");
- s = ISC_LIST_HEAD(lookup->my_server_list);
- while (s != NULL) {
- debug("freeing server %p belonging to %p", s, lookup);
- ptr = s;
- s = ISC_LIST_NEXT(s, link);
- ISC_LIST_DEQUEUE(lookup->my_server_list,
- (dig_server_t *)ptr, link);
- isc_mem_free(mctx, ptr);
- }
- if (lookup->sendmsg != NULL)
- dns_message_destroy(&lookup->sendmsg);
- if (lookup->querysig != NULL) {
- debug("freeing buffer %p", lookup->querysig);
- isc_buffer_free(&lookup->querysig);
- }
- if (lookup->timer != NULL)
- isc_timer_detach(&lookup->timer);
- if (lookup->sendspace != NULL)
- isc_mempool_put(commctx, lookup->sendspace);
-
- if (lookup->tsigctx != NULL)
- dst_context_destroy(&lookup->tsigctx);
-
- isc_mem_free(mctx, lookup);
- return (ISC_TRUE);
-}
-
-
-/*
- * If we can, start the next lookup in the queue running.
- * This assumes that the lookup on the head of the queue hasn't been
- * started yet. It also removes the lookup from the head of the queue,
- * setting the current_lookup pointer pointing to it.
- */
-void
-start_lookup(void) {
- debug("start_lookup()");
- if (cancel_now)
- return;
-
- /*
- * If there's a current lookup running, we really shouldn't get
- * here.
- */
- INSIST(current_lookup == NULL);
-
- current_lookup = ISC_LIST_HEAD(lookup_list);
- /*
- * Put the current lookup somewhere so cancel_all can find it
- */
- if (current_lookup != NULL) {
- ISC_LIST_DEQUEUE(lookup_list, current_lookup, link);
-#if DIG_SIGCHASE_TD
- if (current_lookup->do_topdown &&
- !current_lookup->rdtype_sigchaseset) {
- dst_key_t *trustedkey = NULL;
- isc_buffer_t *b = NULL;
- isc_region_t r;
- isc_result_t result;
- dns_name_t query_name;
- dns_name_t *key_name;
- int i;
-
- result = get_trusted_key(mctx);
- if (result != ISC_R_SUCCESS) {
- printf("\n;; No trusted key, "
- "+sigchase option is disabled\n");
- current_lookup->sigchase = ISC_FALSE;
- goto novalidation;
- }
- dns_name_init(&query_name, NULL);
- nameFromString(current_lookup->textname, &query_name);
-
- for (i = 0; i < tk_list.nb_tk; i++) {
- key_name = dst_key_name(tk_list.key[i]);
-
- if (dns_name_issubdomain(&query_name,
- key_name) == ISC_TRUE)
- trustedkey = tk_list.key[i];
- /*
- * Verifier que la temp est bien la plus basse
- * WARNING
- */
- }
- if (trustedkey == NULL) {
- printf("\n;; The queried zone: ");
- dns_name_print(&query_name, stdout);
- printf(" isn't a subdomain of any Trusted Keys"
- ": +sigchase option is disable\n");
- current_lookup->sigchase = ISC_FALSE;
- free_name(&query_name, mctx);
- goto novalidation;
- }
- free_name(&query_name, mctx);
-
- current_lookup->rdtype_sigchase
- = current_lookup->rdtype;
- current_lookup->rdtype_sigchaseset
- = current_lookup->rdtypeset;
- current_lookup->rdtype = dns_rdatatype_ns;
-
- current_lookup->qrdtype_sigchase
- = current_lookup->qrdtype;
- current_lookup->qrdtype = dns_rdatatype_ns;
-
- current_lookup->rdclass_sigchase
- = current_lookup->rdclass;
- current_lookup->rdclass_sigchaseset
- = current_lookup->rdclassset;
- current_lookup->rdclass = dns_rdataclass_in;
-
- strncpy(current_lookup->textnamesigchase,
- current_lookup->textname, MXNAME);
-
- current_lookup->trace_root_sigchase = ISC_TRUE;
-
- result = isc_buffer_allocate(mctx, &b, BUFSIZE);
- check_result(result, "isc_buffer_allocate");
- result = dns_name_totext(dst_key_name(trustedkey),
- ISC_FALSE, b);
- check_result(result, "dns_name_totext");
- isc_buffer_usedregion(b, &r);
- r.base[r.length] = '\0';
- strncpy(current_lookup->textname, (char*)r.base,
- MXNAME);
- isc_buffer_free(&b);
-
- nameFromString(current_lookup->textnamesigchase,
- &chase_name);
-
- dns_name_init(&chase_authority_name, NULL);
- }
- novalidation:
-#endif
- setup_lookup(current_lookup);
- do_lookup(current_lookup);
- } else {
- check_if_done();
- }
-}
-
-/*
- * If we can, clear the current lookup and start the next one running.
- * This calls try_clear_lookup, so may invalidate the lookup pointer.
- */
-static void
-check_next_lookup(dig_lookup_t *lookup) {
-
- INSIST(!free_now);
-
- debug("check_next_lookup(%p)", lookup);
-
- if (ISC_LIST_HEAD(lookup->q) != NULL) {
- debug("still have a worker");
- return;
- }
- if (try_clear_lookup(lookup)) {
- current_lookup = NULL;
- start_lookup();
- }
-}
-
-/*
- * Create and queue a new lookup as a followup to the current lookup,
- * based on the supplied message and section. This is used in trace and
- * name server search modes to start a new lookup using servers from
- * NS records in a reply. Returns the number of followup lookups made.
- */
-static int
-followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
-{
- dig_lookup_t *lookup = NULL;
- dig_server_t *srv = NULL;
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_name_t *name = NULL;
- isc_result_t result;
- isc_boolean_t success = ISC_FALSE;
- int numLookups = 0;
-
- INSIST(!free_now);
-
- debug("following up %s", query->lookup->textname);
-
- for (result = dns_message_firstname(msg, section);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(msg, section)) {
- name = NULL;
- dns_message_currentname(msg, section, &name);
-
- if (section == DNS_SECTION_AUTHORITY) {
- rdataset = NULL;
- result = dns_message_findtype(name, dns_rdatatype_soa,
- 0, &rdataset);
- if (result == ISC_R_SUCCESS)
- return (0);
- }
- rdataset = NULL;
- result = dns_message_findtype(name, dns_rdatatype_ns, 0,
- &rdataset);
- if (result != ISC_R_SUCCESS)
- continue;
-
- debug("found NS set");
-
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_rdata_ns_t ns;
-
- if (query->lookup->trace_root &&
- query->lookup->nsfound >= MXSERV)
- break;
-
- dns_rdataset_current(rdataset, &rdata);
-
- query->lookup->nsfound++;
- (void)dns_rdata_tostruct(&rdata, &ns, NULL);
- dns_name_format(&ns.name, namestr, sizeof(namestr));
- dns_rdata_freestruct(&ns);
-
- /* Initialize lookup if we've not yet */
- debug("found NS %d %s", numLookups, namestr);
- numLookups++;
- if (!success) {
- success = ISC_TRUE;
- lookup_counter++;
- lookup = requeue_lookup(query->lookup,
- ISC_FALSE);
- cancel_lookup(query->lookup);
- lookup->doing_xfr = ISC_FALSE;
- if (!lookup->trace_root &&
- section == DNS_SECTION_ANSWER)
- lookup->trace = ISC_FALSE;
- else
- lookup->trace = query->lookup->trace;
- lookup->ns_search_only =
- query->lookup->ns_search_only;
- lookup->trace_root = ISC_FALSE;
- if (lookup->ns_search_only)
- lookup->recurse = ISC_FALSE;
- }
- srv = make_server(namestr, namestr);
- debug("adding server %s", srv->servername);
- ISC_LIST_APPEND(lookup->my_server_list, srv, link);
- dns_rdata_reset(&rdata);
- }
- }
-
- if (lookup == NULL &&
- section == DNS_SECTION_ANSWER &&
- (query->lookup->trace || query->lookup->ns_search_only))
- return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
-
- return numLookups;
-}
-
-/*
- * Create and queue a new lookup using the next origin from the search
- * list, read in setup_system().
- *
- * Return ISC_TRUE iff there was another searchlist entry.
- */
-static isc_boolean_t
-next_origin(dns_message_t *msg, dig_query_t *query) {
- dig_lookup_t *lookup;
-
- UNUSED(msg);
-
- INSIST(!free_now);
-
- debug("next_origin()");
- debug("following up %s", query->lookup->textname);
-
- if (!usesearch)
- /*
- * We're not using a search list, so don't even think
- * about finding the next entry.
- */
- return (ISC_FALSE);
- if (query->lookup->origin == NULL)
- /*
- * Then we just did rootorg; there's nothing left.
- */
- return (ISC_FALSE);
- lookup = requeue_lookup(query->lookup, ISC_TRUE);
- lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
- cancel_lookup(query->lookup);
- return (ISC_TRUE);
-}
-
-/*
- * Insert an SOA record into the sendmessage in a lookup. Used for
- * creating IXFR queries.
- */
-static void
-insert_soa(dig_lookup_t *lookup) {
- isc_result_t result;
- dns_rdata_soa_t soa;
- dns_rdata_t *rdata = NULL;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdataset_t *rdataset = NULL;
- dns_name_t *soaname = NULL;
-
- debug("insert_soa()");
- soa.mctx = mctx;
- soa.serial = lookup->ixfr_serial;
- soa.refresh = 0;
- soa.retry = 0;
- soa.expire = 0;
- soa.minimum = 0;
- soa.common.rdclass = lookup->rdclass;
- soa.common.rdtype = dns_rdatatype_soa;
-
- dns_name_init(&soa.origin, NULL);
- dns_name_init(&soa.contact, NULL);
-
- dns_name_clone(dns_rootname, &soa.origin);
- dns_name_clone(dns_rootname, &soa.contact);
-
- isc_buffer_init(&lookup->rdatabuf, lookup->rdatastore,
- sizeof(lookup->rdatastore));
-
- result = dns_message_gettemprdata(lookup->sendmsg, &rdata);
- check_result(result, "dns_message_gettemprdata");
-
- result = dns_rdata_fromstruct(rdata, lookup->rdclass,
- dns_rdatatype_soa, &soa,
- &lookup->rdatabuf);
- check_result(result, "isc_rdata_fromstruct");
-
- result = dns_message_gettemprdatalist(lookup->sendmsg, &rdatalist);
- check_result(result, "dns_message_gettemprdatalist");
-
- result = dns_message_gettemprdataset(lookup->sendmsg, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
-
- dns_rdatalist_init(rdatalist);
- rdatalist->type = dns_rdatatype_soa;
- rdatalist->rdclass = lookup->rdclass;
- rdatalist->covers = 0;
- rdatalist->ttl = 0;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-
- dns_rdataset_init(rdataset);
- dns_rdatalist_tordataset(rdatalist, rdataset);
-
- result = dns_message_gettempname(lookup->sendmsg, &soaname);
- check_result(result, "dns_message_gettempname");
- dns_name_init(soaname, NULL);
- dns_name_clone(lookup->name, soaname);
- ISC_LIST_INIT(soaname->list);
- ISC_LIST_APPEND(soaname->list, rdataset, link);
- dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
-}
-
-/*
- * Setup the supplied lookup structure, making it ready to start sending
- * queries to servers. Create and initialize the message to be sent as
- * well as the query structures and buffer space for the replies. If the
- * server list is empty, clone it from the system default list.
- */
-void
-setup_lookup(dig_lookup_t *lookup) {
- isc_result_t result;
- isc_uint32_t id;
- int len;
- dig_server_t *serv;
- dig_query_t *query;
- isc_buffer_t b;
- dns_compress_t cctx;
- char store[MXNAME];
-
- REQUIRE(lookup != NULL);
- INSIST(!free_now);
-
- debug("setup_lookup(%p)", lookup);
-
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
- &lookup->sendmsg);
- check_result(result, "dns_message_create");
-
- if (lookup->new_search) {
- debug("resetting lookup counter.");
- lookup_counter = 0;
- }
-
- if (ISC_LIST_EMPTY(lookup->my_server_list)) {
- debug("cloning server list");
- clone_server_list(server_list, &lookup->my_server_list);
- }
- result = dns_message_gettempname(lookup->sendmsg, &lookup->name);
- check_result(result, "dns_message_gettempname");
- dns_name_init(lookup->name, NULL);
-
- isc_buffer_init(&lookup->namebuf, lookup->namespace,
- sizeof(lookup->namespace));
- isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
- sizeof(lookup->onamespace));
-
- /*
- * If the name has too many dots, force the origin to be NULL
- * (which produces an absolute lookup). Otherwise, take the origin
- * we have if there's one in the struct already. If it's NULL,
- * take the first entry in the searchlist iff either usesearch
- * is TRUE or we got a domain line in the resolv.conf file.
- */
- /* XXX New search here? */
- if ((count_dots(lookup->textname) >= ndots) || !usesearch)
- lookup->origin = NULL; /* Force abs lookup */
- else if (lookup->origin == NULL && lookup->new_search && usesearch)
- lookup->origin = ISC_LIST_HEAD(search_list);
-
- if (lookup->origin != NULL) {
- debug("trying origin %s", lookup->origin->origin);
- result = dns_message_gettempname(lookup->sendmsg,
- &lookup->oname);
- check_result(result, "dns_message_gettempname");
- dns_name_init(lookup->oname, NULL);
- /* XXX Helper funct to conv char* to name? */
- len = strlen(lookup->origin->origin);
- isc_buffer_init(&b, lookup->origin->origin, len);
- isc_buffer_add(&b, len);
- result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
- ISC_FALSE, &lookup->onamebuf);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(lookup->sendmsg,
- &lookup->name);
- dns_message_puttempname(lookup->sendmsg,
- &lookup->oname);
- fatal("'%s' is not in legal name syntax (%s)",
- lookup->origin->origin,
- isc_result_totext(result));
- }
- if (lookup->trace && lookup->trace_root) {
- dns_name_clone(dns_rootname, lookup->name);
- } else {
- len = strlen(lookup->textname);
- isc_buffer_init(&b, lookup->textname, len);
- isc_buffer_add(&b, len);
- result = dns_name_fromtext(lookup->name, &b,
- lookup->oname, ISC_FALSE,
- &lookup->namebuf);
- }
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(lookup->sendmsg,
- &lookup->name);
- dns_message_puttempname(lookup->sendmsg,
- &lookup->oname);
- fatal("'%s' is not in legal name syntax (%s)",
- lookup->textname, isc_result_totext(result));
- }
- dns_message_puttempname(lookup->sendmsg, &lookup->oname);
- } else {
- debug("using root origin");
- if (lookup->trace && lookup->trace_root)
- dns_name_clone(dns_rootname, lookup->name);
- else {
- len = strlen(lookup->textname);
- isc_buffer_init(&b, lookup->textname, len);
- isc_buffer_add(&b, len);
- result = dns_name_fromtext(lookup->name, &b,
- dns_rootname,
- ISC_FALSE,
- &lookup->namebuf);
- }
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(lookup->sendmsg,
- &lookup->name);
- isc_buffer_init(&b, store, MXNAME);
- fatal("'%s' is not a legal name "
- "(%s)", lookup->textname,
- isc_result_totext(result));
- }
- }
- dns_name_format(lookup->name, store, sizeof(store));
- trying(store, lookup);
- INSIST(dns_name_isabsolute(lookup->name));
-
- isc_random_get(&id);
- lookup->sendmsg->id = (unsigned short)id & 0xFFFF;
- lookup->sendmsg->opcode = dns_opcode_query;
- lookup->msgcounter = 0;
- /*
- * If this is a trace request, completely disallow recursion, since
- * it's meaningless for traces.
- */
- if (lookup->trace || (lookup->ns_search_only && !lookup->trace_root))
- lookup->recurse = ISC_FALSE;
-
- if (lookup->recurse &&
- lookup->rdtype != dns_rdatatype_axfr &&
- lookup->rdtype != dns_rdatatype_ixfr) {
- debug("recursive query");
- lookup->sendmsg->flags |= DNS_MESSAGEFLAG_RD;
- }
-
- /* XXX aaflag */
- if (lookup->aaonly) {
- debug("AA query");
- lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AA;
- }
-
- if (lookup->adflag) {
- debug("AD query");
- lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AD;
- }
-
- if (lookup->cdflag) {
- debug("CD query");
- lookup->sendmsg->flags |= DNS_MESSAGEFLAG_CD;
- }
-
- dns_message_addname(lookup->sendmsg, lookup->name,
- DNS_SECTION_QUESTION);
-
- if (lookup->trace && lookup->trace_root) {
- lookup->qrdtype = lookup->rdtype;
- lookup->rdtype = dns_rdatatype_ns;
- }
-
- if ((lookup->rdtype == dns_rdatatype_axfr) ||
- (lookup->rdtype == dns_rdatatype_ixfr)) {
- lookup->doing_xfr = ISC_TRUE;
- /*
- * Force TCP mode if we're doing an xfr.
- * XXX UDP ixfr's would be useful
- */
- lookup->tcp_mode = ISC_TRUE;
- }
-
- add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
- lookup->rdtype);
-
- /* add_soa */
- if (lookup->rdtype == dns_rdatatype_ixfr)
- insert_soa(lookup);
-
- /* XXX Insist this? */
- lookup->tsigctx = NULL;
- lookup->querysig = NULL;
- if (key != NULL) {
- debug("initializing keys");
- result = dns_message_settsigkey(lookup->sendmsg, key);
- check_result(result, "dns_message_settsigkey");
- }
-
- lookup->sendspace = isc_mempool_get(commctx);
- if (lookup->sendspace == NULL)
- fatal("memory allocation failure");
-
- result = dns_compress_init(&cctx, -1, mctx);
- check_result(result, "dns_compress_init");
-
- debug("starting to render the message");
- isc_buffer_init(&lookup->sendbuf, lookup->sendspace, COMMSIZE);
- result = dns_message_renderbegin(lookup->sendmsg, &cctx,
- &lookup->sendbuf);
- check_result(result, "dns_message_renderbegin");
- if (lookup->udpsize > 0 || lookup->dnssec) {
- if (lookup->udpsize == 0)
- lookup->udpsize = 2048;
- add_opt(lookup->sendmsg, lookup->udpsize, lookup->dnssec);
- }
-
- result = dns_message_rendersection(lookup->sendmsg,
- DNS_SECTION_QUESTION, 0);
- check_result(result, "dns_message_rendersection");
- result = dns_message_rendersection(lookup->sendmsg,
- DNS_SECTION_AUTHORITY, 0);
- check_result(result, "dns_message_rendersection");
- result = dns_message_renderend(lookup->sendmsg);
- check_result(result, "dns_message_renderend");
- debug("done rendering");
-
- dns_compress_invalidate(&cctx);
-
- /*
- * Force TCP mode if the request is larger than 512 bytes.
- */
- if (isc_buffer_usedlength(&lookup->sendbuf) > 512)
- lookup->tcp_mode = ISC_TRUE;
-
- lookup->pending = ISC_FALSE;
-
- for (serv = ISC_LIST_HEAD(lookup->my_server_list);
- serv != NULL;
- serv = ISC_LIST_NEXT(serv, link)) {
- query = isc_mem_allocate(mctx, sizeof(dig_query_t));
- if (query == NULL)
- fatal("memory allocation failure in %s:%d",
- __FILE__, __LINE__);
- debug("create query %p linked to lookup %p",
- query, lookup);
- query->lookup = lookup;
- query->waiting_connect = ISC_FALSE;
- query->recv_made = ISC_FALSE;
- query->first_pass = ISC_TRUE;
- query->first_soa_rcvd = ISC_FALSE;
- query->second_rr_rcvd = ISC_FALSE;
- query->first_repeat_rcvd = ISC_FALSE;
- query->warn_id = ISC_TRUE;
- query->first_rr_serial = 0;
- query->second_rr_serial = 0;
- query->servname = serv->servername;
- query->userarg = serv->userarg;
- query->rr_count = 0;
- query->msg_count = 0;
- ISC_LINK_INIT(query, link);
- ISC_LIST_INIT(query->recvlist);
- ISC_LIST_INIT(query->lengthlist);
- query->sock = NULL;
- query->recvspace = isc_mempool_get(commctx);
- if (query->recvspace == NULL)
- fatal("memory allocation failure");
-
- isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
- isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
- isc_buffer_init(&query->slbuf, query->slspace, 2);
-
- ISC_LINK_INIT(query, link);
- ISC_LIST_ENQUEUE(lookup->q, query, link);
- }
- /* XXX qrflag, print_query, etc... */
- if (!ISC_LIST_EMPTY(lookup->q) && qr) {
- printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
- ISC_TRUE);
- }
-}
-
-/*
- * Event handler for send completion. Track send counter, and clear out
- * the query if the send was canceled.
- */
-static void
-send_done(isc_task_t *_task, isc_event_t *event) {
- REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
- UNUSED(_task);
-
- LOCK_LOOKUP;
-
- isc_event_free(&event);
-
- debug("send_done()");
- sendcount--;
- debug("sendcount=%d", sendcount);
- INSIST(sendcount >= 0);
- check_if_done();
- UNLOCK_LOOKUP;
-}
-
-/*
- * Cancel a lookup, sending isc_socket_cancel() requests to all outstanding
- * IO sockets. The cancel handlers should take care of cleaning up the
- * query and lookup structures
- */
-static void
-cancel_lookup(dig_lookup_t *lookup) {
- dig_query_t *query, *next;
-
- debug("cancel_lookup()");
- query = ISC_LIST_HEAD(lookup->q);
- while (query != NULL) {
- next = ISC_LIST_NEXT(query, link);
- if (query->sock != NULL) {
- isc_socket_cancel(query->sock, global_task,
- ISC_SOCKCANCEL_ALL);
- check_if_done();
- } else {
- clear_query(query);
- }
- query = next;
- }
- if (lookup->timer != NULL)
- isc_timer_detach(&lookup->timer);
- lookup->pending = ISC_FALSE;
- lookup->retries = 0;
-}
-
-static void
-bringup_timer(dig_query_t *query, unsigned int default_timeout) {
- dig_lookup_t *l;
- unsigned int local_timeout;
- isc_result_t result;
-
- debug("bringup_timer()");
- /*
- * If the timer already exists, that means we're calling this
- * a second time (for a retry). Don't need to recreate it,
- * just reset it.
- */
- l = query->lookup;
- if (ISC_LIST_NEXT(query, link) != NULL)
- local_timeout = SERVER_TIMEOUT;
- else {
- if (timeout == 0)
- local_timeout = default_timeout;
- else
- local_timeout = timeout;
- }
- debug("have local timeout of %d", local_timeout);
- isc_interval_set(&l->interval, local_timeout, 0);
- if (l->timer != NULL)
- isc_timer_detach(&l->timer);
- result = isc_timer_create(timermgr, isc_timertype_once, NULL,
- &l->interval, global_task, connect_timeout,
- l, &l->timer);
- check_result(result, "isc_timer_create");
-}
-
-static void
-connect_done(isc_task_t *task, isc_event_t *event);
-
-/*
- * Unlike send_udp, this can't be called multiple times with the same
- * query. When we retry TCP, we requeue the whole lookup, which should
- * start anew.
- */
-static void
-send_tcp_connect(dig_query_t *query) {
- isc_result_t result;
- dig_query_t *next;
- dig_lookup_t *l;
-
- debug("send_tcp_connect(%p)", query);
-
- l = query->lookup;
- query->waiting_connect = ISC_TRUE;
- query->lookup->current_query = query;
- get_address(query->servname, port, &query->sockaddr);
-
- if (specified_source &&
- (isc_sockaddr_pf(&query->sockaddr) !=
- isc_sockaddr_pf(&bind_address))) {
- printf(";; Skipping server %s, incompatible "
- "address family\n", query->servname);
- query->waiting_connect = ISC_FALSE;
- next = ISC_LIST_NEXT(query, link);
- l = query->lookup;
- clear_query(query);
- if (next == NULL) {
- printf(";; No acceptable nameservers\n");
- check_next_lookup(l);
- return;
- }
- send_tcp_connect(next);
- return;
- }
- INSIST(query->sock == NULL);
- result = isc_socket_create(socketmgr,
- isc_sockaddr_pf(&query->sockaddr),
- isc_sockettype_tcp, &query->sock);
- check_result(result, "isc_socket_create");
- sockcount++;
- debug("sockcount=%d", sockcount);
- if (specified_source)
- result = isc_socket_bind(query->sock, &bind_address);
- else {
- if ((isc_sockaddr_pf(&query->sockaddr) == AF_INET) &&
- have_ipv4)
- isc_sockaddr_any(&bind_any);
- else
- isc_sockaddr_any6(&bind_any);
- result = isc_socket_bind(query->sock, &bind_any);
- }
- check_result(result, "isc_socket_bind");
- bringup_timer(query, TCP_TIMEOUT);
- result = isc_socket_connect(query->sock, &query->sockaddr,
- global_task, connect_done, query);
- check_result(result, "isc_socket_connect");
- /*
- * If we're at the endgame of a nameserver search, we need to
- * immediately bring up all the queries. Do it here.
- */
- if (l->ns_search_only && !l->trace_root) {
- debug("sending next, since searching");
- next = ISC_LIST_NEXT(query, link);
- if (next != NULL)
- send_tcp_connect(next);
- }
-}
-
-/*
- * Send a UDP packet to the remote nameserver, possible starting the
- * recv action as well. Also make sure that the timer is running and
- * is properly reset.
- */
-static void
-send_udp(dig_query_t *query) {
- dig_lookup_t *l = NULL;
- dig_query_t *next;
- isc_result_t result;
-
- debug("send_udp(%p)", query);
-
- l = query->lookup;
- bringup_timer(query, UDP_TIMEOUT);
- l->current_query = query;
- debug("working on lookup %p, query %p", query->lookup, query);
- if (!query->recv_made) {
- /* XXX Check the sense of this, need assertion? */
- query->waiting_connect = ISC_FALSE;
- get_address(query->servname, port, &query->sockaddr);
-
- result = isc_socket_create(socketmgr,
- isc_sockaddr_pf(&query->sockaddr),
- isc_sockettype_udp, &query->sock);
- check_result(result, "isc_socket_create");
- sockcount++;
- debug("sockcount=%d", sockcount);
- if (specified_source) {
- result = isc_socket_bind(query->sock, &bind_address);
- } else {
- isc_sockaddr_anyofpf(&bind_any,
- isc_sockaddr_pf(&query->sockaddr));
- result = isc_socket_bind(query->sock, &bind_any);
- }
- check_result(result, "isc_socket_bind");
-
- query->recv_made = ISC_TRUE;
- ISC_LINK_INIT(&query->recvbuf, link);
- ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf,
- link);
- debug("recving with lookup=%p, query=%p, sock=%p",
- query->lookup, query, query->sock);
- result = isc_socket_recvv(query->sock, &query->recvlist, 1,
- global_task, recv_done, query);
- check_result(result, "isc_socket_recvv");
- recvcount++;
- debug("recvcount=%d", recvcount);
- }
- ISC_LIST_INIT(query->sendlist);
- ISC_LINK_INIT(&l->sendbuf, link);
- ISC_LIST_ENQUEUE(query->sendlist, &l->sendbuf,
- link);
- debug("sending a request");
- TIME_NOW(&query->time_sent);
- INSIST(query->sock != NULL);
- result = isc_socket_sendtov(query->sock, &query->sendlist,
- global_task, send_done, query,
- &query->sockaddr, NULL);
- check_result(result, "isc_socket_sendtov");
- sendcount++;
- /*
- * If we're at the endgame of a nameserver search, we need to
- * immediately bring up all the queries. Do it here.
- */
- if (l->ns_search_only && !l->trace_root) {
- debug("sending next, since searching");
- next = ISC_LIST_NEXT(query, link);
- if (next != NULL)
- send_udp(next);
- }
-}
-
-/*
- * IO timeout handler, used for both connect and recv timeouts. If
- * retries are still allowed, either resend the UDP packet or queue a
- * new TCP lookup. Otherwise, cancel the lookup.
- */
-static void
-connect_timeout(isc_task_t *task, isc_event_t *event) {
- dig_lookup_t *l = NULL;
- dig_query_t *query = NULL, *cq;
-
- UNUSED(task);
- REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
-
- debug("connect_timeout()");
-
- LOCK_LOOKUP;
- l = event->ev_arg;
- query = l->current_query;
- isc_event_free(&event);
-
- INSIST(!free_now);
-
- if ((query != NULL) && (query->lookup->current_query != NULL) &&
- (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
- debug("trying next server...");
- cq = query->lookup->current_query;
- if (!l->tcp_mode)
- send_udp(ISC_LIST_NEXT(cq, link));
- else
- send_tcp_connect(ISC_LIST_NEXT(cq, link));
- UNLOCK_LOOKUP;
- return;
- }
-
- if (l->retries > 1) {
- if (!l->tcp_mode) {
- l->retries--;
- debug("resending UDP request to first server");
- send_udp(ISC_LIST_HEAD(l->q));
- } else {
- debug("making new TCP request, %d tries left",
- l->retries);
- l->retries--;
- requeue_lookup(l, ISC_TRUE);
- cancel_lookup(l);
- check_next_lookup(l);
- }
- } else {
- fputs(l->cmdline, stdout);
- printf(";; connection timed out; no servers could be "
- "reached\n");
- cancel_lookup(l);
- check_next_lookup(l);
- if (exitcode < 9)
- exitcode = 9;
- }
- UNLOCK_LOOKUP;
-}
-
-/*
- * Event handler for the TCP recv which gets the length header of TCP
- * packets. Start the next recv of length bytes.
- */
-static void
-tcp_length_done(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent;
- isc_buffer_t *b = NULL;
- isc_result_t result;
- dig_query_t *query = NULL;
- dig_lookup_t *l;
- isc_uint16_t length;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
- INSIST(!free_now);
-
- UNUSED(task);
-
- debug("tcp_length_done()");
-
- LOCK_LOOKUP;
- sevent = (isc_socketevent_t *)event;
- query = event->ev_arg;
-
- recvcount--;
- INSIST(recvcount >= 0);
-
- if (sevent->result == ISC_R_CANCELED) {
- isc_event_free(&event);
- l = query->lookup;
- clear_query(query);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
- if (sevent->result != ISC_R_SUCCESS) {
- char sockstr[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(&query->sockaddr, sockstr,
- sizeof(sockstr));
- printf(";; communications error to %s: %s\n",
- sockstr, isc_result_totext(sevent->result));
- l = query->lookup;
- isc_socket_detach(&query->sock);
- sockcount--;
- debug("sockcount=%d", sockcount);
- INSIST(sockcount >= 0);
- isc_event_free(&event);
- clear_query(query);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
- b = ISC_LIST_HEAD(sevent->bufferlist);
- ISC_LIST_DEQUEUE(sevent->bufferlist, &query->lengthbuf, link);
- length = isc_buffer_getuint16(b);
- if (length == 0) {
- isc_event_free(&event);
- launch_next_query(query, ISC_FALSE);
- UNLOCK_LOOKUP;
- return;
- }
-
- /*
- * Even though the buffer was already init'ed, we need
- * to redo it now, to force the length we want.
- */
- isc_buffer_invalidate(&query->recvbuf);
- isc_buffer_init(&query->recvbuf, query->recvspace, length);
- ENSURE(ISC_LIST_EMPTY(query->recvlist));
- ISC_LINK_INIT(&query->recvbuf, link);
- ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
- debug("recving with lookup=%p, query=%p", query->lookup, query);
- result = isc_socket_recvv(query->sock, &query->recvlist, length, task,
- recv_done, query);
- check_result(result, "isc_socket_recvv");
- recvcount++;
- debug("resubmitted recv request with length %d, recvcount=%d",
- length, recvcount);
- isc_event_free(&event);
- UNLOCK_LOOKUP;
-}
-
-/*
- * For transfers that involve multiple recvs (XFR's in particular),
- * launch the next recv.
- */
-static void
-launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
- isc_result_t result;
- dig_lookup_t *l;
-
- INSIST(!free_now);
-
- debug("launch_next_query()");
-
- if (!query->lookup->pending) {
- debug("ignoring launch_next_query because !pending");
- isc_socket_detach(&query->sock);
- sockcount--;
- debug("sockcount=%d", sockcount);
- INSIST(sockcount >= 0);
- query->waiting_connect = ISC_FALSE;
- l = query->lookup;
- clear_query(query);
- check_next_lookup(l);
- return;
- }
-
- isc_buffer_clear(&query->slbuf);
- isc_buffer_clear(&query->lengthbuf);
- isc_buffer_putuint16(&query->slbuf,
- (isc_uint16_t) query->lookup->sendbuf.used);
- ISC_LIST_INIT(query->sendlist);
- ISC_LINK_INIT(&query->slbuf, link);
- ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
- if (include_question) {
- ISC_LINK_INIT(&query->lookup->sendbuf, link);
- ISC_LIST_ENQUEUE(query->sendlist, &query->lookup->sendbuf,
- link);
- }
- ISC_LINK_INIT(&query->lengthbuf, link);
- ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
-
- result = isc_socket_recvv(query->sock, &query->lengthlist, 0,
- global_task, tcp_length_done, query);
- check_result(result, "isc_socket_recvv");
- recvcount++;
- debug("recvcount=%d", recvcount);
- if (!query->first_soa_rcvd) {
- debug("sending a request in launch_next_query");
- TIME_NOW(&query->time_sent);
- result = isc_socket_sendv(query->sock, &query->sendlist,
- global_task, send_done, query);
- check_result(result, "isc_socket_sendv");
- sendcount++;
- debug("sendcount=%d", sendcount);
- }
- query->waiting_connect = ISC_FALSE;
-#if 0
- check_next_lookup(query->lookup);
-#endif
- return;
-}
-
-/*
- * Event handler for TCP connect complete. Make sure the connection was
- * successful, then pass into launch_next_query to actually send the
- * question.
- */
-static void
-connect_done(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = NULL;
- dig_query_t *query = NULL, *next;
- dig_lookup_t *l;
-
- UNUSED(task);
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
- INSIST(!free_now);
-
- debug("connect_done()");
-
- LOCK_LOOKUP;
- sevent = (isc_socketevent_t *)event;
- query = sevent->ev_arg;
-
- INSIST(query->waiting_connect);
-
- query->waiting_connect = ISC_FALSE;
-
- if (sevent->result == ISC_R_CANCELED) {
- debug("in cancel handler");
- isc_socket_detach(&query->sock);
- sockcount--;
- INSIST(sockcount >= 0);
- debug("sockcount=%d", sockcount);
- query->waiting_connect = ISC_FALSE;
- isc_event_free(&event);
- l = query->lookup;
- clear_query(query);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
- if (sevent->result != ISC_R_SUCCESS) {
- char sockstr[ISC_SOCKADDR_FORMATSIZE];
-
- debug("unsuccessful connection: %s",
- isc_result_totext(sevent->result));
- isc_sockaddr_format(&query->sockaddr, sockstr, sizeof(sockstr));
- if (sevent->result != ISC_R_CANCELED)
- printf(";; Connection to %s(%s) for %s failed: "
- "%s.\n", sockstr,
- query->servname, query->lookup->textname,
- isc_result_totext(sevent->result));
- isc_socket_detach(&query->sock);
- sockcount--;
- INSIST(sockcount >= 0);
- /* XXX Clean up exitcodes */
- if (exitcode < 9)
- exitcode = 9;
- debug("sockcount=%d", sockcount);
- query->waiting_connect = ISC_FALSE;
- isc_event_free(&event);
- l = query->lookup;
- if (l->current_query != NULL)
- next = ISC_LIST_NEXT(l->current_query, link);
- else
- next = NULL;
- clear_query(query);
- if (next != NULL) {
- bringup_timer(next, TCP_TIMEOUT);
- send_tcp_connect(next);
- } else {
- check_next_lookup(l);
- }
- UNLOCK_LOOKUP;
- return;
- }
- launch_next_query(query, ISC_TRUE);
- isc_event_free(&event);
- UNLOCK_LOOKUP;
-}
-
-/*
- * Check if the ongoing XFR needs more data before it's complete, using
- * the semantics of IXFR and AXFR protocols. Much of the complexity of
- * this routine comes from determining when an IXFR is complete.
- * ISC_FALSE means more data is on the way, and the recv has been issued.
- */
-static isc_boolean_t
-check_for_more_data(dig_query_t *query, dns_message_t *msg,
- isc_socketevent_t *sevent)
-{
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
- isc_uint32_t serial;
- isc_result_t result;
-
- debug("check_for_more_data()");
-
- /*
- * By the time we're in this routine, we know we're doing
- * either an AXFR or IXFR. If there's no second_rr_type,
- * then we don't yet know which kind of answer we got back
- * from the server. Here, we're going to walk through the
- * rr's in the message, acting as necessary whenever we hit
- * an SOA rr.
- */
-
- query->msg_count++;
- result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
- if (result != ISC_R_SUCCESS) {
- puts("; Transfer failed.");
- return (ISC_TRUE);
- }
- do {
- dns_name_t *name;
- name = NULL;
- dns_message_currentname(msg, DNS_SECTION_ANSWER,
- &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- continue;
- do {
- query->rr_count++;
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- /*
- * If this is the first rr, make sure
- * it's an SOA
- */
- if ((!query->first_soa_rcvd) &&
- (rdata.type != dns_rdatatype_soa)) {
- puts("; Transfer failed. "
- "Didn't start with SOA answer.");
- return (ISC_TRUE);
- }
- if ((!query->second_rr_rcvd) &&
- (rdata.type != dns_rdatatype_soa)) {
- query->second_rr_rcvd = ISC_TRUE;
- query->second_rr_serial = 0;
- debug("got the second rr as nonsoa");
- goto next_rdata;
- }
-
- /*
- * If the record is anything except an SOA
- * now, just continue on...
- */
- if (rdata.type != dns_rdatatype_soa)
- goto next_rdata;
- /* Now we have an SOA. Work with it. */
- debug("got an SOA");
- (void)dns_rdata_tostruct(&rdata, &soa, NULL);
- serial = soa.serial;
- dns_rdata_freestruct(&soa);
- if (!query->first_soa_rcvd) {
- query->first_soa_rcvd = ISC_TRUE;
- query->first_rr_serial = serial;
- debug("this is the first %d",
- query->lookup->ixfr_serial);
- if (query->lookup->ixfr_serial >=
- serial)
- goto doexit;
- goto next_rdata;
- }
- if (query->lookup->rdtype ==
- dns_rdatatype_axfr) {
- debug("doing axfr, got second SOA");
- goto doexit;
- }
- if (!query->second_rr_rcvd) {
- if (query->first_rr_serial == serial) {
- debug("doing ixfr, got "
- "empty zone");
- goto doexit;
- }
- debug("this is the second %d",
- query->lookup->ixfr_serial);
- query->second_rr_rcvd = ISC_TRUE;
- query->second_rr_serial = serial;
- goto next_rdata;
- }
- if (query->second_rr_serial == 0) {
- /*
- * If the second RR was a non-SOA
- * record, and we're getting any
- * other SOA, then this is an
- * AXFR, and we're done.
- */
- debug("done, since axfr");
- goto doexit;
- }
- /*
- * If we get to this point, we're doing an
- * IXFR and have to start really looking
- * at serial numbers.
- */
- if (query->first_rr_serial == serial) {
- debug("got a match for ixfr");
- if (!query->first_repeat_rcvd) {
- query->first_repeat_rcvd =
- ISC_TRUE;
- goto next_rdata;
- }
- debug("done with ixfr");
- goto doexit;
- }
- debug("meaningless soa %d", serial);
- next_rdata:
- result = dns_rdataset_next(rdataset);
- } while (result == ISC_R_SUCCESS);
- }
- result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
- } while (result == ISC_R_SUCCESS);
- launch_next_query(query, ISC_FALSE);
- return (ISC_FALSE);
- doexit:
- received(sevent->n, &sevent->address, query);
- return (ISC_TRUE);
-}
-
-/*
- * Event handler for recv complete. Perform whatever actions are necessary,
- * based on the specifics of the user's request.
- */
-static void
-recv_done(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = NULL;
- dig_query_t *query = NULL;
- isc_buffer_t *b = NULL;
- dns_message_t *msg = NULL;
-#ifdef DIG_SIGCHASE
- dig_message_t *chase_msg = NULL;
- dig_message_t *chase_msg2 = NULL;
-#endif
- isc_result_t result;
- dig_lookup_t *n, *l;
- isc_boolean_t docancel = ISC_FALSE;
- isc_boolean_t match = ISC_TRUE;
- unsigned int parseflags;
- dns_messageid_t id;
- unsigned int msgflags;
-#ifdef DIG_SIGCHASE
- isc_result_t do_sigchase = ISC_FALSE;
-
- dns_message_t *msg_temp = NULL;
- isc_region_t r;
- isc_buffer_t *buf = NULL;
-#endif
-
- UNUSED(task);
- INSIST(!free_now);
-
- debug("recv_done()");
-
- LOCK_LOOKUP;
- recvcount--;
- debug("recvcount=%d", recvcount);
- INSIST(recvcount >= 0);
-
- query = event->ev_arg;
- debug("lookup=%p, query=%p", query->lookup, query);
-
- l = query->lookup;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
- sevent = (isc_socketevent_t *)event;
-
- if ((l->tcp_mode) && (l->timer != NULL))
- isc_timer_touch(l->timer);
- if ((!l->pending && !l->ns_search_only) || cancel_now) {
- debug("no longer pending. Got %s",
- isc_result_totext(sevent->result));
- query->waiting_connect = ISC_FALSE;
-
- isc_event_free(&event);
- clear_query(query);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
-
- if (sevent->result != ISC_R_SUCCESS) {
- if (sevent->result == ISC_R_CANCELED) {
- debug("in recv cancel handler");
- query->waiting_connect = ISC_FALSE;
- } else {
- printf(";; communications error: %s\n",
- isc_result_totext(sevent->result));
- isc_socket_detach(&query->sock);
- sockcount--;
- debug("sockcount=%d", sockcount);
- INSIST(sockcount >= 0);
- }
- isc_event_free(&event);
- clear_query(query);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
-
- b = ISC_LIST_HEAD(sevent->bufferlist);
- ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
-
- if (!l->tcp_mode &&
- !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
- char buf1[ISC_SOCKADDR_FORMATSIZE];
- char buf2[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t any;
-
- if (isc_sockaddr_pf(&query->sockaddr) == AF_INET)
- isc_sockaddr_any(&any);
- else
- isc_sockaddr_any6(&any);
-
-#ifdef ISC_PLATFORM_HAVESCOPEID
- /*
- * Accept answers from any scope if we havn't specified the
- * scope as long as the address and port match.
- */
- if (isc_sockaddr_pf(&query->sockaddr) == AF_INET6 &&
- query->sockaddr.type.sin6.sin6_scope_id == 0 &&
- memcmp(&sevent->address.type.sin6.sin6_addr,
- &query->sockaddr.type.sin6.sin6_addr,
- sizeof(query->sockaddr.type.sin6.sin6_addr)) == 0 &&
- isc_sockaddr_getport(&sevent->address) ==
- isc_sockaddr_getport(&query->sockaddr))
- /* empty */;
- else
-#endif
- /*
- * We don't expect a match above when the packet is
- * sent to 0.0.0.0, :: or to a multicast addresses.
- * XXXMPA broadcast needs to be handled here as well.
- */
- if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
- !isc_sockaddr_ismulticast(&query->sockaddr)) ||
- isc_sockaddr_getport(&query->sockaddr) !=
- isc_sockaddr_getport(&sevent->address)) {
- isc_sockaddr_format(&sevent->address, buf1,
- sizeof(buf1));
- isc_sockaddr_format(&query->sockaddr, buf2,
- sizeof(buf2));
- printf(";; reply from unexpected source: %s,"
- " expected %s\n", buf1, buf2);
- match = ISC_FALSE;
- }
- }
-
- result = dns_message_peekheader(b, &id, &msgflags);
- if (result != ISC_R_SUCCESS || l->sendmsg->id != id) {
- match = ISC_FALSE;
- if (l->tcp_mode) {
- isc_boolean_t fail = ISC_TRUE;
- if (result == ISC_R_SUCCESS) {
- if (!query->first_soa_rcvd ||
- query->warn_id)
- printf(";; %s: ID mismatch: "
- "expected ID %u, got %u\n",
- query->first_soa_rcvd ?
- "WARNING" : "ERROR",
- l->sendmsg->id, id);
- if (query->first_soa_rcvd)
- fail = ISC_FALSE;
- query->warn_id = ISC_FALSE;
- } else
- printf(";; ERROR: short "
- "(< header size) message\n");
- if (fail) {
- isc_event_free(&event);
- clear_query(query);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
- match = ISC_TRUE;
- } else if (result == ISC_R_SUCCESS)
- printf(";; Warning: ID mismatch: "
- "expected ID %u, got %u\n", l->sendmsg->id, id);
- else
- printf(";; Warning: short "
- "(< header size) message received\n");
- }
-
- if (!match) {
- isc_buffer_invalidate(&query->recvbuf);
- isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
- ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
- result = isc_socket_recvv(query->sock, &query->recvlist, 1,
- global_task, recv_done, query);
- check_result(result, "isc_socket_recvv");
- recvcount++;
- isc_event_free(&event);
- UNLOCK_LOOKUP;
- return;
- }
-
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
- check_result(result, "dns_message_create");
-
- if (key != NULL) {
- if (l->querysig == NULL) {
- debug("getting initial querysig");
- result = dns_message_getquerytsig(l->sendmsg, mctx,
- &l->querysig);
- check_result(result, "dns_message_getquerytsig");
- }
- result = dns_message_setquerytsig(msg, l->querysig);
- check_result(result, "dns_message_setquerytsig");
- result = dns_message_settsigkey(msg, key);
- check_result(result, "dns_message_settsigkey");
- msg->tsigctx = l->tsigctx;
- l->tsigctx = NULL;
- if (l->msgcounter != 0)
- msg->tcp_continuation = 1;
- l->msgcounter++;
- }
-
- debug("before parse starts");
- parseflags = DNS_MESSAGEPARSE_PRESERVEORDER;
-#ifdef DIG_SIGCHASE
- if (!l->sigchase) {
- do_sigchase = ISC_FALSE;
- } else {
- parseflags = 0;
- do_sigchase = ISC_TRUE;
- }
-#endif
- if (l->besteffort) {
- parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
- parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
- }
- result = dns_message_parse(msg, b, parseflags);
- if (result == DNS_R_RECOVERABLE) {
- printf(";; Warning: Message parser reports malformed "
- "message packet.\n");
- result = ISC_R_SUCCESS;
- }
- if (result != ISC_R_SUCCESS) {
- printf(";; Got bad packet: %s\n", isc_result_totext(result));
- hex_dump(b);
- query->waiting_connect = ISC_FALSE;
- dns_message_destroy(&msg);
- isc_event_free(&event);
- clear_query(query);
- cancel_lookup(l);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0
- && !l->ignore && !l->tcp_mode) {
- printf(";; Truncated, retrying in TCP mode.\n");
- n = requeue_lookup(l, ISC_TRUE);
- n->tcp_mode = ISC_TRUE;
- n->origin = query->lookup->origin;
- dns_message_destroy(&msg);
- isc_event_free(&event);
- clear_query(query);
- cancel_lookup(l);
- check_next_lookup(l);
- UNLOCK_LOOKUP;
- return;
- }
- if (msg->rcode == dns_rcode_servfail && !l->servfail_stops) {
- dig_query_t *next = ISC_LIST_NEXT(query, link);
- if (l->current_query == query)
- l->current_query = NULL;
- if (next != NULL) {
- debug("sending query %p\n", next);
- if (l->tcp_mode)
- send_tcp_connect(next);
- else
- send_udp(next);
- }
- /*
- * If our query is at the head of the list and there
- * is no next, we're the only one left, so fall
- * through to print the message.
- */
- if ((ISC_LIST_HEAD(l->q) != query) ||
- (ISC_LIST_NEXT(query, link) != NULL)) {
- printf(";; Got SERVFAIL reply from %s, "
- "trying next server\n",
- query->servname);
- clear_query(query);
- check_next_lookup(l);
- dns_message_destroy(&msg);
- isc_event_free(&event);
- UNLOCK_LOOKUP;
- return;
- }
- }
-
- if (key != NULL) {
- result = dns_tsig_verify(&query->recvbuf, msg, NULL, NULL);
- if (result != ISC_R_SUCCESS) {
- printf(";; Couldn't verify signature: %s\n",
- isc_result_totext(result));
- validated = ISC_FALSE;
- }
- l->tsigctx = msg->tsigctx;
- msg->tsigctx = NULL;
- if (l->querysig != NULL) {
- debug("freeing querysig buffer %p", l->querysig);
- isc_buffer_free(&l->querysig);
- }
- result = dns_message_getquerytsig(msg, mctx, &l->querysig);
- check_result(result,"dns_message_getquerytsig");
- }
-
- debug("after parse");
- if (l->doing_xfr && l->xfr_q == NULL) {
- l->xfr_q = query;
- /*
- * Once we are in the XFR message, increase
- * the timeout to much longer, so brief network
- * outages won't cause the XFR to abort
- */
- if (timeout != INT_MAX && l->timer != NULL) {
- unsigned int local_timeout;
-
- if (timeout == 0) {
- if (l->tcp_mode)
- local_timeout = TCP_TIMEOUT * 4;
- else
- local_timeout = UDP_TIMEOUT * 4;
- } else {
- if (timeout < (INT_MAX / 4))
- local_timeout = timeout * 4;
- else
- local_timeout = INT_MAX;
- }
- debug("have local timeout of %d", local_timeout);
- isc_interval_set(&l->interval, local_timeout, 0);
- result = isc_timer_reset(l->timer,
- isc_timertype_once,
- NULL,
- &l->interval,
- ISC_FALSE);
- check_result(result, "isc_timer_reset");
- }
- }
-
- if (!l->doing_xfr || l->xfr_q == query) {
- if (msg->rcode != dns_rcode_noerror && l->origin != NULL) {
- if (!next_origin(msg, query)) {
- printmessage(query, msg, ISC_TRUE);
- received(b->used, &sevent->address, query);
- }
- } else if (!l->trace && !l->ns_search_only) {
-#ifdef DIG_SIGCHASE
- if (!do_sigchase)
-#endif
- printmessage(query, msg, ISC_TRUE);
- } else if (l->trace) {
- int n = 0;
- int count = msg->counts[DNS_SECTION_ANSWER];
-
- debug("in TRACE code");
- if (!l->ns_search_only)
- printmessage(query, msg, ISC_TRUE);
-
- l->rdtype = l->qrdtype;
- if (l->trace_root || (l->ns_search_only && count > 0)) {
- if (!l->trace_root)
- l->rdtype = dns_rdatatype_soa;
- n = followup_lookup(msg, query,
- DNS_SECTION_ANSWER);
- l->trace_root = ISC_FALSE;
- } else if (count == 0)
- n = followup_lookup(msg, query,
- DNS_SECTION_AUTHORITY);
- if (n == 0)
- docancel = ISC_TRUE;
- } else {
- debug("in NSSEARCH code");
-
- if (l->trace_root) {
- /*
- * This is the initial NS query.
- */
- int n;
-
- l->rdtype = dns_rdatatype_soa;
- n = followup_lookup(msg, query,
- DNS_SECTION_ANSWER);
- if (n == 0)
- docancel = ISC_TRUE;
- l->trace_root = ISC_FALSE;
- } else
-#ifdef DIG_SIGCHASE
- if (!do_sigchase)
-#endif
- printmessage(query, msg, ISC_TRUE);
- }
-#ifdef DIG_SIGCHASE
- if (do_sigchase) {
- chase_msg = isc_mem_allocate(mctx,
- sizeof(dig_message_t));
- if (chase_msg == NULL) {
- fatal("Memory allocation failure in %s:%d",
- __FILE__, __LINE__);
- }
- ISC_LIST_INITANDAPPEND(chase_message_list, chase_msg,
- link);
- if (dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
- &msg_temp) != ISC_R_SUCCESS) {
- fatal("dns_message_create in %s:%d",
- __FILE__, __LINE__);
- }
-
- isc_buffer_usedregion(b, &r);
- result = isc_buffer_allocate(mctx, &buf, r.length);
-
- check_result(result, "isc_buffer_allocate");
- result = isc_buffer_copyregion(buf, &r);
- check_result(result, "isc_buffer_copyregion");
-
- result = dns_message_parse(msg_temp, buf, 0);
-
- isc_buffer_free(&buf);
- chase_msg->msg = msg_temp;
-
- chase_msg2 = isc_mem_allocate(mctx,
- sizeof(dig_message_t));
- if (chase_msg2 == NULL) {
- fatal("Memory allocation failure in %s:%d",
- __FILE__, __LINE__);
- }
- ISC_LIST_INITANDAPPEND(chase_message_list2, chase_msg2,
- link);
- chase_msg2->msg = msg;
- }
-#endif
-
- }
-
-#ifdef DIG_SIGCHASE
- if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) {
- sigchase(msg_temp);
- }
-#endif
-
- if (l->pending)
- debug("still pending.");
- if (l->doing_xfr) {
- if (query != l->xfr_q) {
- dns_message_destroy(&msg);
- isc_event_free(&event);
- query->waiting_connect = ISC_FALSE;
- UNLOCK_LOOKUP;
- return;
- }
- if (!docancel)
- docancel = check_for_more_data(query, msg, sevent);
- if (docancel) {
- dns_message_destroy(&msg);
- clear_query(query);
- cancel_lookup(l);
- check_next_lookup(l);
- }
- } else {
-
- if (msg->rcode == dns_rcode_noerror || l->origin == NULL) {
-
-#ifdef DIG_SIGCHASE
- if (!l->sigchase)
-#endif
- received(b->used, &sevent->address, query);
- }
-
- if (!query->lookup->ns_search_only)
- query->lookup->pending = ISC_FALSE;
- if (!query->lookup->ns_search_only ||
- query->lookup->trace_root || docancel) {
-#ifdef DIG_SIGCHASE
- if (!do_sigchase)
-#endif
- dns_message_destroy(&msg);
-
- cancel_lookup(l);
- }
- clear_query(query);
- check_next_lookup(l);
- }
- if (msg != NULL) {
-#ifdef DIG_SIGCHASE
- if (do_sigchase)
- msg = NULL;
- else
-#endif
- dns_message_destroy(&msg);
- }
- isc_event_free(&event);
- UNLOCK_LOOKUP;
-}
-
-/*
- * Turn a name into an address, using system-supplied routines. This is
- * used in looking up server names, etc... and needs to use system-supplied
- * routines, since they may be using a non-DNS system for these lookups.
- */
-void
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
- int count;
- isc_result_t result;
-
- isc_app_block();
- result = bind9_getaddresses(host, port, sockaddr, 1, &count);
- isc_app_unblock();
- if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- host, isc_result_totext(result));
- INSIST(count == 1);
-}
-
-/*
- * Initiate either a TCP or UDP lookup
- */
-void
-do_lookup(dig_lookup_t *lookup) {
-
- REQUIRE(lookup != NULL);
-
- debug("do_lookup()");
- lookup->pending = ISC_TRUE;
- if (lookup->tcp_mode)
- send_tcp_connect(ISC_LIST_HEAD(lookup->q));
- else
- send_udp(ISC_LIST_HEAD(lookup->q));
-}
-
-/*
- * Start everything in action upon task startup.
- */
-void
-onrun_callback(isc_task_t *task, isc_event_t *event) {
- UNUSED(task);
-
- isc_event_free(&event);
- LOCK_LOOKUP;
- start_lookup();
- UNLOCK_LOOKUP;
-}
-
-/*
- * Make everything on the lookup queue go away. Mainly used by the
- * SIGINT handler.
- */
-void
-cancel_all(void) {
- dig_lookup_t *l, *n;
- dig_query_t *q, *nq;
-
- debug("cancel_all()");
-
- LOCK_LOOKUP;
- if (free_now) {
- UNLOCK_LOOKUP;
- return;
- }
- cancel_now = ISC_TRUE;
- if (current_lookup != NULL) {
- if (current_lookup->timer != NULL)
- isc_timer_detach(&current_lookup->timer);
- q = ISC_LIST_HEAD(current_lookup->q);
- while (q != NULL) {
- debug("cancelling query %p, belonging to %p",
- q, current_lookup);
- nq = ISC_LIST_NEXT(q, link);
- if (q->sock != NULL) {
- isc_socket_cancel(q->sock, NULL,
- ISC_SOCKCANCEL_ALL);
- } else {
- clear_query(q);
- }
- q = nq;
- }
- }
- l = ISC_LIST_HEAD(lookup_list);
- while (l != NULL) {
- n = ISC_LIST_NEXT(l, link);
- ISC_LIST_DEQUEUE(lookup_list, l, link);
- try_clear_lookup(l);
- l = n;
- }
- UNLOCK_LOOKUP;
-}
-
-/*
- * Destroy all of the libs we are using, and get everything ready for a
- * clean shutdown.
- */
-void
-destroy_libs(void) {
-#ifdef DIG_SIGCHASE
- void * ptr;
- dig_message_t *chase_msg;
-#endif
-
- debug("destroy_libs()");
- if (global_task != NULL) {
- debug("freeing task");
- isc_task_detach(&global_task);
- }
- /*
- * The taskmgr_destroy() call blocks until all events are cleared
- * from the task.
- */
- if (taskmgr != NULL) {
- debug("freeing taskmgr");
- isc_taskmgr_destroy(&taskmgr);
- }
- LOCK_LOOKUP;
- REQUIRE(sockcount == 0);
- REQUIRE(recvcount == 0);
- REQUIRE(sendcount == 0);
-
- INSIST(ISC_LIST_HEAD(lookup_list) == NULL);
- INSIST(current_lookup == NULL);
- INSIST(!free_now);
-
- free_now = ISC_TRUE;
-
- lwres_conf_clear(lwctx);
- lwres_context_destroy(&lwctx);
-
- flush_server_list();
-
- clear_searchlist();
- if (commctx != NULL) {
- debug("freeing commctx");
- isc_mempool_destroy(&commctx);
- }
- if (socketmgr != NULL) {
- debug("freeing socketmgr");
- isc_socketmgr_destroy(&socketmgr);
- }
- if (timermgr != NULL) {
- debug("freeing timermgr");
- isc_timermgr_destroy(&timermgr);
- }
- if (key != NULL) {
- debug("freeing key %p", key);
- dns_tsigkey_detach(&key);
- }
- if (namebuf != NULL)
- isc_buffer_free(&namebuf);
-
- if (is_dst_up) {
- debug("destroy DST lib");
- dst_lib_destroy();
- is_dst_up = ISC_FALSE;
- }
- if (entp != NULL) {
- debug("detach from entropy");
- isc_entropy_detach(&entp);
- }
-
- UNLOCK_LOOKUP;
- DESTROYLOCK(&lookup_lock);
-#ifdef DIG_SIGCHASE
-
- debug("Destroy the messages kept for sigchase");
- /* Destroy the messages kept for sigchase */
- chase_msg = ISC_LIST_HEAD(chase_message_list);
-
- while (chase_msg != NULL) {
- INSIST(chase_msg->msg != NULL);
- dns_message_destroy(&(chase_msg->msg));
- ptr = chase_msg;
- chase_msg = ISC_LIST_NEXT(chase_msg, link);
- isc_mem_free(mctx, ptr);
- }
-
- chase_msg = ISC_LIST_HEAD(chase_message_list2);
-
- while (chase_msg != NULL) {
- INSIST(chase_msg->msg != NULL);
- dns_message_destroy(&(chase_msg->msg));
- ptr = chase_msg;
- chase_msg = ISC_LIST_NEXT(chase_msg, link);
- isc_mem_free(mctx, ptr);
- }
- if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
-#if DIG_SIGCHASE_TD
- if (dns_name_dynamic(&chase_current_name))
- free_name(&chase_current_name, mctx);
- if (dns_name_dynamic(&chase_authority_name))
- free_name(&chase_authority_name, mctx);
-#endif
-#if DIG_SIGCHASE_BU
- if (dns_name_dynamic(&chase_signame))
- free_name(&chase_signame, mctx);
-#endif
-
- debug("Destroy memory");
-
-#endif
- if (memdebugging != 0)
- isc_mem_stats(mctx, stderr);
- if (mctx != NULL)
- isc_mem_destroy(&mctx);
-}
-
-
-
-
-#ifdef DIG_SIGCHASE
-void
-print_type(dns_rdatatype_t type)
-{
- isc_buffer_t * b = NULL;
- isc_result_t result;
- isc_region_t r;
-
- result = isc_buffer_allocate(mctx, &b, 4000);
- check_result(result, "isc_buffer_allocate");
-
- result = dns_rdatatype_totext(type, b);
- check_result(result, "print_type");
-
- isc_buffer_usedregion(b, &r);
- r.base[r.length] = '\0';
-
- printf("%s", r.base);
-
- isc_buffer_free(&b);
-}
-
-void
-dump_database_section(dns_message_t *msg, int section)
-{
- dns_name_t *msg_name=NULL;
-
- dns_rdataset_t *rdataset;
-
- do {
- dns_message_currentname(msg, section, &msg_name);
-
- for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- dns_name_print(msg_name, stdout);
- printf("\n");
- print_rdataset(msg_name, rdataset, mctx);
- printf("end\n");
- }
- msg_name = NULL;
- } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS);
-}
-
-void
-dump_database(void) {
- dig_message_t * msg;
-
- for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL;
- msg = ISC_LIST_NEXT(msg, link)) {
- if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
- == ISC_R_SUCCESS)
- dump_database_section(msg->msg, DNS_SECTION_ANSWER);
-
- if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
- == ISC_R_SUCCESS)
- dump_database_section(msg->msg, DNS_SECTION_AUTHORITY);
-
- if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
- == ISC_R_SUCCESS)
- dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL);
- }
-}
-
-
-dns_rdataset_t *
-search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
- dns_rdataset_t *rdataset;
- dns_rdata_sig_t siginfo;
- dns_rdata_t sigrdata;
- isc_result_t result;
-
- for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (type == dns_rdatatype_any) {
- if (rdataset->type != dns_rdatatype_rrsig)
- return (rdataset);
- } else if ((type == dns_rdatatype_rrsig) &&
- (rdataset->type == dns_rdatatype_rrsig)) {
- dns_rdata_init(&sigrdata);
- result = dns_rdataset_first(rdataset);
- check_result(result, "empty rdataset");
- dns_rdataset_current(rdataset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
- check_result(result, "sigrdata tostruct siginfo");
-
- if ((siginfo.covered == covers) ||
- (covers == dns_rdatatype_any)) {
- dns_rdata_reset(&sigrdata);
- dns_rdata_freestruct(&siginfo);
- return (rdataset);
- }
- dns_rdata_reset(&sigrdata);
- dns_rdata_freestruct(&siginfo);
- } else if (rdataset->type == type)
- return (rdataset);
- }
- return (NULL);
-}
-
-dns_rdataset_t *
-chase_scanname_section(dns_message_t *msg, dns_name_t *name,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- int section)
-{
- dns_rdataset_t *rdataset;
- dns_name_t *msg_name = NULL;
-
- do {
- dns_message_currentname(msg, section, &msg_name);
- if (dns_name_compare(msg_name, name) == 0) {
- rdataset = search_type(msg_name, type, covers);
- if (rdataset != NULL)
- return (rdataset);
- }
- msg_name = NULL;
- } while (dns_message_nextname(msg, section) == ISC_R_SUCCESS);
-
- return (NULL);
-}
-
-
-dns_rdataset_t *
-chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
-{
- dns_rdataset_t *rdataset = NULL;
- dig_message_t * msg;
-
- for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL;
- msg = ISC_LIST_NEXT(msg, link)) {
- if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
- == ISC_R_SUCCESS)
- rdataset = chase_scanname_section(msg->msg, name,
- type, covers,
- DNS_SECTION_ANSWER);
- if (rdataset != NULL)
- return (rdataset);
- if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
- == ISC_R_SUCCESS)
- rdataset =
- chase_scanname_section(msg->msg, name,
- type, covers,
- DNS_SECTION_AUTHORITY);
- if (rdataset != NULL)
- return (rdataset);
- if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
- == ISC_R_SUCCESS)
- rdataset =
- chase_scanname_section(msg->msg, name, type,
- covers,
- DNS_SECTION_ADDITIONAL);
- if (rdataset != NULL)
- return (rdataset);
- }
-
- return (NULL);
-}
-
-dns_rdataset_t *
-sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_boolean_t * lookedup, dns_name_t *rdata_name)
-{
- dig_lookup_t *lookup;
- isc_buffer_t *b = NULL;
- isc_region_t r;
- isc_result_t result;
- dns_rdataset_t * temp;
- dns_rdatatype_t querytype;
-
- temp = chase_scanname(rdata_name, type, covers);
- if (temp != NULL)
- return (temp);
-
- if (*lookedup == ISC_TRUE)
- return (NULL);
-
- lookup = clone_lookup(current_lookup, ISC_TRUE);
- lookup->trace_root = ISC_FALSE;
- lookup->new_search = ISC_TRUE;
-
- result = isc_buffer_allocate(mctx, &b, BUFSIZE);
- check_result(result, "isc_buffer_allocate");
- result = dns_name_totext(rdata_name, ISC_FALSE, b);
- check_result(result, "dns_name_totext");
- isc_buffer_usedregion(b, &r);
- r.base[r.length] = '\0';
- strcpy(lookup->textname, (char*)r.base);
- isc_buffer_free(&b);
-
- if (type == dns_rdatatype_rrsig)
- querytype = covers;
- else
- querytype = type;
-
- if (querytype == 0 || querytype == 255) {
- printf("Error in the queried type: %d\n", querytype);
- return (NULL);
- }
-
- lookup->rdtype = querytype;
- lookup->rdtypeset = ISC_TRUE;
- lookup->qrdtype = querytype;
- *lookedup = ISC_TRUE;
-
- ISC_LIST_APPEND(lookup_list, lookup, link);
- printf("\n\nLaunch a query to find a RRset of type ");
- print_type(type);
- printf(" for zone: %s\n", lookup->textname);
- return (NULL);
-}
-
-void
-insert_trustedkey(dst_key_t * key)
-{
- if (key == NULL)
- return;
- if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
- return;
-
- tk_list.key[tk_list.nb_tk++] = key;
- return;
-}
-
-void
-clean_trustedkey()
-{
- int i = 0;
-
- for (i= 0; i < MAX_TRUSTED_KEY; i++) {
- if (tk_list.key[i] != NULL) {
- dst_key_free(&tk_list.key[i]);
- tk_list.key[i] = NULL;
- } else
- break;
- }
- tk_list.nb_tk = 0;
- return;
-}
-
-char alphnum[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-
-isc_result_t
-removetmpkey(isc_mem_t *mctx, const char *file)
-{
- char *tempnamekey = NULL;
- int tempnamekeylen;
- isc_result_t result;
-
- tempnamekeylen = strlen(file)+10;
-
- tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
- if (tempnamekey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(tempnamekey, 0, tempnamekeylen);
-
- strcat(tempnamekey, file);
- strcat(tempnamekey,".key");
- isc_file_remove(tempnamekey);
-
- result = isc_file_remove(tempnamekey);
- isc_mem_free(mctx, tempnamekey);
- return (result);
-}
-
-isc_result_t
-opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
- FILE *f = NULL;
- isc_result_t result;
- char *tempname = NULL;
- char *tempnamekey = NULL;
- int tempnamelen;
- int tempnamekeylen;
- char *x;
- char *cp;
- isc_uint32_t which;
-
- while (1) {
- tempnamelen = strlen(file) + 20;
- tempname = isc_mem_allocate(mctx, tempnamelen);
- if (tempname == NULL)
- return (ISC_R_NOMEMORY);
- memset(tempname, 0, tempnamelen);
-
- result = isc_file_mktemplate(file, tempname, tempnamelen);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- cp = tempname;
- while (*cp != '\0')
- cp++;
- if (cp == tempname) {
- isc_mem_free(mctx, tempname);
- return (ISC_R_FAILURE);
- }
-
- x = cp--;
- while (cp >= tempname && *cp == 'X') {
- isc_random_get(&which);
- *cp = alphnum[which % (sizeof(alphnum) - 1)];
- x = cp--;
- }
-
- tempnamekeylen = tempnamelen+5;
- tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
- if (tempnamekey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(tempnamekey, 0, tempnamekeylen);
- strncpy(tempnamekey, tempname, tempnamelen);
- strcat(tempnamekey ,".key");
-
-
- if (isc_file_exists(tempnamekey)) {
- isc_mem_free(mctx, tempnamekey);
- isc_mem_free(mctx, tempname);
- continue;
- }
-
- if ((f = fopen(tempnamekey, "w")) == NULL) {
- printf("get_trusted_key(): trusted key not found %s\n",
- tempnamekey);
- return (ISC_R_FAILURE);
- }
- break;
- }
- isc_mem_free(mctx, tempnamekey);
- *tempp = tempname;
- *fp = f;
- return (ISC_R_SUCCESS);
-
- cleanup:
- isc_mem_free(mctx, tempname);
-
- return (result);
-}
-
-
-isc_result_t
-get_trusted_key(isc_mem_t *mctx)
-{
- isc_result_t result;
- const char *filename = NULL;
- char *filetemp = NULL;
- char buf[1500];
- FILE *fp, *fptemp;
- dst_key_t *key = NULL;
-
- result = isc_file_exists(trustedkey);
- if (result != ISC_TRUE) {
- result = isc_file_exists("/etc/trusted-key.key");
- if (result != ISC_TRUE) {
- result = isc_file_exists("./trusted-key.key");
- if (result != ISC_TRUE)
- return (ISC_R_FAILURE);
- else
- filename = "./trusted-key.key";
- } else
- filename = "/etc/trusted-key.key";
- } else
- filename = trustedkey;
-
- if (filename == NULL) {
- printf("No trusted key\n");
- return (ISC_R_FAILURE);
- }
-
- if ((fp = fopen(filename, "r")) == NULL) {
- printf("get_trusted_key(): trusted key not found %s\n",
- filename);
- return (ISC_R_FAILURE);
- }
- while (fgets(buf, 1500, fp) != NULL) {
- result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp);
- if (result != ISC_R_SUCCESS) {
- fclose(fp);
- return (ISC_R_FAILURE);
- }
- if (fputs(buf, fptemp) < 0) {
- fclose(fp);
- fclose(fptemp);
- return (ISC_R_FAILURE);
- }
- fclose(fptemp);
- result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC,
- mctx, &key);
- removetmpkey(mctx, filetemp);
- isc_mem_free(mctx, filetemp);
- if (result != ISC_R_SUCCESS) {
- fclose(fp);
- return (ISC_R_FAILURE);
- }
- insert_trustedkey(key);
-#if 0
- dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp");
-#endif
- key = NULL;
- }
- return (ISC_R_SUCCESS);
-}
-
-
-static void
-nameFromString(const char *str, dns_name_t *p_ret) {
- size_t len = strlen(str);
- isc_result_t result;
- isc_buffer_t buffer;
- dns_fixedname_t fixedname;
-
- REQUIRE(p_ret != NULL);
- REQUIRE(str != NULL);
-
- isc_buffer_init(&buffer, str, len);
- isc_buffer_add(&buffer, len);
-
- dns_fixedname_init(&fixedname);
- result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
- dns_rootname, ISC_TRUE, NULL);
- check_result(result, "nameFromString");
-
- if (dns_name_dynamic(p_ret))
- free_name(p_ret, mctx);
-
- result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
- check_result(result, "nameFromString");
-}
-
-
-#if DIG_SIGCHASE_TD
-isc_result_t
-prepare_lookup(dns_name_t *name)
-{
- isc_result_t result;
- dig_lookup_t *lookup = NULL;
- dig_server_t *s;
- void *ptr;
-
- lookup = clone_lookup(current_lookup, ISC_TRUE);
- lookup->trace_root = ISC_FALSE;
- lookup->new_search = ISC_TRUE;
- lookup->trace_root_sigchase = ISC_FALSE;
-
- strncpy(lookup->textname, lookup->textnamesigchase, MXNAME);
-
- lookup->rdtype = lookup->rdtype_sigchase;
- lookup->rdtypeset = ISC_TRUE;
- lookup->qrdtype = lookup->qrdtype_sigchase;
-
- s = ISC_LIST_HEAD(lookup->my_server_list);
- while (s != NULL) {
- debug("freeing server %p belonging to %p",
- s, lookup);
- ptr = s;
- s = ISC_LIST_NEXT(s, link);
- ISC_LIST_DEQUEUE(lookup->my_server_list,
- (dig_server_t *)ptr, link);
- isc_mem_free(mctx, ptr);
- }
-
-
- for (result = dns_rdataset_first(chase_nsrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(chase_nsrdataset)) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_rdata_ns_t ns;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dig_server_t * srv = NULL;
-#define __FOLLOW_GLUE__
-#ifdef __FOLLOW_GLUE__
- isc_buffer_t *b = NULL;
- isc_result_t result;
- isc_region_t r;
- dns_rdataset_t *rdataset = NULL;
- isc_boolean_t true = ISC_TRUE;
-#endif
-
- memset(namestr, 0, DNS_NAME_FORMATSIZE);
-
- dns_rdataset_current(chase_nsrdataset, &rdata);
-
- (void)dns_rdata_tostruct(&rdata, &ns, NULL);
-
-
-
-#ifdef __FOLLOW_GLUE__
-
- result = advanced_rrsearch(&rdataset, &ns.name,
- dns_rdatatype_aaaa,
- dns_rdatatype_any, &true);
- if (result == ISC_R_SUCCESS) {
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdata_t aaaa = DNS_RDATA_INIT;
- dns_rdataset_current(rdataset, &aaaa);
-
- result = isc_buffer_allocate(mctx, &b, 80);
- check_result(result, "isc_buffer_allocate");
-
- dns_rdata_totext(&aaaa, &ns.name, b);
- isc_buffer_usedregion(b, &r);
- r.base[r.length] = '\0';
- strncpy(namestr, (char*)r.base,
- DNS_NAME_FORMATSIZE);
- isc_buffer_free(&b);
- dns_rdata_reset(&aaaa);
-
-
- srv = make_server(namestr, namestr);
-
- ISC_LIST_APPEND(lookup->my_server_list,
- srv, link);
- }
- }
-
- rdataset = NULL;
- result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
- dns_rdatatype_any, &true);
- if (result == ISC_R_SUCCESS) {
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdata_t a = DNS_RDATA_INIT;
- dns_rdataset_current(rdataset, &a);
-
- result = isc_buffer_allocate(mctx, &b, 80);
- check_result(result, "isc_buffer_allocate");
-
- dns_rdata_totext(&a, &ns.name, b);
- isc_buffer_usedregion(b, &r);
- r.base[r.length] = '\0';
- strncpy(namestr, (char*)r.base,
- DNS_NAME_FORMATSIZE);
- isc_buffer_free(&b);
- dns_rdata_reset(&a);
- printf("ns name: %s\n", namestr);
-
-
- srv = make_server(namestr, namestr);
-
- ISC_LIST_APPEND(lookup->my_server_list,
- srv, link);
- }
- }
-#else
-
- dns_name_format(&ns.name, namestr, sizeof(namestr));
- printf("ns name: ");
- dns_name_print(&ns.name, stdout);
- printf("\n");
- srv = make_server(namestr, namestr);
-
- ISC_LIST_APPEND(lookup->my_server_list, srv, link);
-
-#endif
- dns_rdata_freestruct(&ns);
- dns_rdata_reset(&rdata);
-
- }
-
- ISC_LIST_APPEND(lookup_list, lookup, link);
- printf("\nLaunch a query to find a RRset of type ");
- print_type(lookup->rdtype);
- printf(" for zone: %s", lookup->textname);
- printf(" with nameservers:");
- printf("\n");
- print_rdataset(name, chase_nsrdataset, mctx);
- return (ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-child_of_zone(dns_name_t * name, dns_name_t * zone_name,
- dns_name_t * child_name)
-{
- dns_namereln_t name_reln;
- int orderp;
- unsigned int nlabelsp;
-
- name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp);
- if (name_reln != dns_namereln_subdomain ||
- dns_name_countlabels(name) <= dns_name_countlabels(zone_name) + 1) {
- printf("\n;; ERROR : ");
- dns_name_print(name, stdout);
- printf(" is not a subdomain of: ");
- dns_name_print(zone_name, stdout);
- printf(" FAILED\n\n");
- return (ISC_R_FAILURE);
- }
-
- dns_name_getlabelsequence(name,
- dns_name_countlabels(name) -
- dns_name_countlabels(zone_name) -1,
- dns_name_countlabels(zone_name) +1,
- child_name);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_rdata_t sigrdata;
- dns_rdata_sig_t siginfo;
-
- result = dns_rdataset_first(sigrdataset);
- check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
-
- do {
- dns_rdataset_current(sigrdataset, &sigrdata);
-
- result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
- check_result(result, "sigrdata tostruct siginfo");
-
- if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
- return (ISC_R_SUCCESS);
- }
-
- dns_rdata_freestruct(&siginfo);
-
- } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
- dns_rdata_reset(&sigrdata);
-
- return (ISC_R_FAILURE);
-}
-
-
-isc_result_t
-initialization(dns_name_t *name)
-{
- isc_result_t result;
- isc_boolean_t true = ISC_TRUE;
-
- chase_nsrdataset = NULL;
- result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns,
- dns_rdatatype_any, &true);
- if (result != ISC_R_SUCCESS) {
- printf("\n;; NS RRset is missing to continue validation:"
- " FAILED\n\n");
- return (ISC_R_FAILURE);
- }
- INSIST(chase_nsrdataset != NULL);
- prepare_lookup(name);
-
- dup_name(name, &chase_current_name, mctx);
-
- return (ISC_R_SUCCESS);
-}
-#endif
-
-void
-print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
-{
- isc_buffer_t *b = NULL;
- isc_result_t result;
- isc_region_t r;
-
- result = isc_buffer_allocate(mctx, &b, 9000);
- check_result(result, "isc_buffer_allocate");
-
- printrdataset(name, rdataset, b);
-
- isc_buffer_usedregion(b, &r);
- r.base[r.length] = '\0';
-
-
- printf("%s\n", r.base);
-
- isc_buffer_free(&b);
-}
-
-
-void
-dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
- isc_result_t result;
-
- if (dns_name_dynamic(target))
- free_name(target, mctx);
- result = dns_name_dup(source, mctx, target);
- check_result(result, "dns_name_dup");
-}
-
-void
-free_name(dns_name_t *name, isc_mem_t *mctx) {
- dns_name_free(name, mctx);
- dns_name_init(name, NULL);
-}
-
-/*
- *
- * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter
- * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key
- * and the RRset is valid
- * return ISC_R_NOTFOUND if not contains trusted key
- or if the RRset isn't valid
- * return ISC_R_FAILURE if problem
- *
- */
-isc_result_t
-contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_rdata_t rdata;
- dst_key_t *trustedKey = NULL;
- dst_key_t *dnsseckey = NULL;
- int i;
-
- if (name == NULL || rdataset == NULL)
- return (ISC_R_FAILURE);
-
- result = dns_rdataset_first(rdataset);
- check_result(result, "empty rdataset");
- dns_rdata_init(&rdata);
-
- do {
- dns_rdataset_current(rdataset, &rdata);
- INSIST(rdata.type == dns_rdatatype_dnskey);
-
- result = dns_dnssec_keyfromrdata(name, &rdata,
- mctx, &dnsseckey);
- check_result(result, "dns_dnssec_keyfromrdata");
-
-
- for (i = 0; i < tk_list.nb_tk; i++) {
- if (dst_key_compare(tk_list.key[i], dnsseckey)
- == ISC_TRUE) {
- dns_rdata_reset(&rdata);
-
- printf(";; Ok, find a Trusted Key in the "
- "DNSKEY RRset: %d\n",
- dst_key_id(dnsseckey));
- if (sigchase_verify_sig_key(name, rdataset,
- dnsseckey,
- sigrdataset,
- mctx)
- == ISC_R_SUCCESS) {
- dst_key_free(&dnsseckey);
- dnsseckey = NULL;
- return (ISC_R_SUCCESS);
- }
- }
- }
-
- dns_rdata_reset(&rdata);
- if (dnsseckey != NULL)
- dst_key_free(&dnsseckey);
- } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
-
- if (trustedKey != NULL)
- dst_key_free(&trustedKey);
- trustedKey = NULL;
-
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
- dns_rdataset_t *keyrdataset,
- dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_rdata_t keyrdata;
- dst_key_t *dnsseckey = NULL;
-
- result = dns_rdataset_first(keyrdataset);
- check_result(result, "empty DNSKEY dataset");
- dns_rdata_init(&keyrdata);
-
- do {
- dns_rdataset_current(keyrdataset, &keyrdata);
- INSIST(keyrdata.type == dns_rdatatype_dnskey);
-
- result = dns_dnssec_keyfromrdata(name, &keyrdata,
- mctx, &dnsseckey);
- check_result(result, "dns_dnssec_keyfromrdata");
-
- result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
- sigrdataset, mctx);
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dst_key_free(&dnsseckey);
- return (ISC_R_SUCCESS);
- }
- dst_key_free(&dnsseckey);
- } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
-
- dns_rdata_reset(&keyrdata);
-
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
- dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
- isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_rdata_t sigrdata;
- dns_rdata_sig_t siginfo;
-
- result = dns_rdataset_first(sigrdataset);
- check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
-
- do {
- dns_rdataset_current(sigrdataset, &sigrdata);
-
- result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
- check_result(result, "sigrdata tostruct siginfo");
-
- /*
- * Test if the id of the DNSKEY is
- * the id of the DNSKEY signer's
- */
- if (siginfo.keyid == dst_key_id(dnsseckey)) {
-
- result = dns_rdataset_first(rdataset);
- check_result(result, "empty DS dataset");
-
- result = dns_dnssec_verify(name, rdataset, dnsseckey,
- ISC_FALSE, mctx, &sigrdata);
-
- printf(";; VERIFYING ");
- print_type(rdataset->type);
- printf(" RRset for ");
- dns_name_print(name, stdout);
- printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
- isc_result_totext(result));
-
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&sigrdata);
- return (result);
- }
- }
- dns_rdata_freestruct(&siginfo);
-
- } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
- dns_rdata_reset(&sigrdata);
-
- return (ISC_R_NOTFOUND);
-}
-
-
-isc_result_t
-sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
- dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_rdata_t keyrdata;
- dns_rdata_t newdsrdata;
- dns_rdata_t dsrdata;
- dns_rdata_ds_t dsinfo;
- dst_key_t *dnsseckey = NULL;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-
- result = dns_rdataset_first(dsrdataset);
- check_result(result, "empty DSset dataset");
- dns_rdata_init(&dsrdata);
- do {
- dns_rdataset_current(dsrdataset, &dsrdata);
-
- result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
- check_result(result, "dns_rdata_tostruct for DS");
-
- result = dns_rdataset_first(keyrdataset);
- check_result(result, "empty KEY dataset");
- dns_rdata_init(&keyrdata);
-
- do {
- dns_rdataset_current(keyrdataset, &keyrdata);
- INSIST(keyrdata.type == dns_rdatatype_dnskey);
-
- result = dns_dnssec_keyfromrdata(name, &keyrdata,
- mctx, &dnsseckey);
- check_result(result, "dns_dnssec_keyfromrdata");
-
- /*
- * Test if the id of the DNSKEY is the
- * id of DNSKEY referenced by the DS
- */
- if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
- dns_rdata_init(&newdsrdata);
-
- result = dns_ds_buildrdata(name, &keyrdata,
- dsinfo.digest_type,
- dsbuf, &newdsrdata);
- dns_rdata_freestruct(&dsinfo);
-
- if (result != ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dns_rdata_reset(&newdsrdata);
- dns_rdata_reset(&dsrdata);
- dst_key_free(&dnsseckey);
- dns_rdata_freestruct(&dsinfo);
- printf("Oops: impossible to build"
- " new DS rdata\n");
- return (result);
- }
-
-
- if (dns_rdata_compare(&dsrdata,
- &newdsrdata) == 0) {
- printf(";; OK a DS valids a DNSKEY"
- " in the RRset\n");
- printf(";; Now verify that this"
- " DNSKEY validates the "
- "DNSKEY RRset\n");
-
- result = sigchase_verify_sig_key(name,
- keyrdataset,
- dnsseckey,
- chase_sigkeyrdataset,
- mctx);
- if (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- dns_rdata_reset(&newdsrdata);
- dns_rdata_reset(&dsrdata);
- dst_key_free(&dnsseckey);
-
- return (result);
- }
- } else {
- printf(";; This DS is NOT the DS for"
- " the chasing KEY: FAILED\n");
- }
-
- dns_rdata_reset(&newdsrdata);
- }
- dst_key_free(&dnsseckey);
- dnsseckey = NULL;
- } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
- dns_rdata_reset(&keyrdata);
-
- } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
-#if 0
- dns_rdata_reset(&dsrdata); WARNING
-#endif
-
- return (ISC_R_NOTFOUND);
-}
-
-/*
- *
- * take a pointer on a rdataset in parameter and try to resolv it.
- * the searched rrset is a rrset on 'name' with type 'type'
- * (and if the type is a rrsig the signature cover 'covers').
- * the lookedup is to known if you have already done the query on the net.
- * ISC_R_SUCCESS: if we found the rrset
- * ISC_R_NOTFOUND: we do not found the rrset in cache
- * and we do a query on the net
- * ISC_R_FAILURE: rrset not found
- */
-isc_result_t
-advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_boolean_t *lookedup)
-{
- isc_boolean_t tmplookedup;
-
- INSIST(rdataset != NULL);
-
- if (*rdataset != NULL)
- return (ISC_R_SUCCESS);
-
- tmplookedup = *lookedup;
- if ((*rdataset = sigchase_scanname(type, covers,
- lookedup, name)) == NULL) {
- if (tmplookedup)
- return (ISC_R_FAILURE);
- return (ISC_R_NOTFOUND);
- }
- *lookedup = ISC_FALSE;
- return (ISC_R_SUCCESS);
-}
-
-
-
-#if DIG_SIGCHASE_TD
-void
-sigchase_td(dns_message_t *msg)
-{
- isc_result_t result;
- dns_name_t *name = NULL;
- isc_boolean_t have_answer = ISC_FALSE;
- isc_boolean_t true = ISC_TRUE;
-
- if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
- == ISC_R_SUCCESS) {
- dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
- if (current_lookup->trace_root_sigchase) {
- initialization(name);
- return;
- }
- have_answer = true;
- } else {
- if (!current_lookup->trace_root_sigchase) {
- result = dns_message_firstname(msg,
- DNS_SECTION_AUTHORITY);
- if (result == ISC_R_SUCCESS)
- dns_message_currentname(msg,
- DNS_SECTION_AUTHORITY,
- &name);
- chase_nsrdataset
- = chase_scanname_section(msg, name,
- dns_rdatatype_ns,
- dns_rdatatype_any,
- DNS_SECTION_AUTHORITY);
- dup_name(name, &chase_authority_name, mctx);
- if (chase_nsrdataset != NULL) {
- have_delegation_ns = ISC_TRUE;
- printf("no response but there is a delegation"
- " in authority section:");
- dns_name_print(name, stdout);
- printf("\n");
- } else {
- printf("no response and no delegation in "
- "authority section but a reference"
- " to: ");
- dns_name_print(name, stdout);
- printf("\n");
- error_message = msg;
- }
- } else {
- printf(";; NO ANSWERS: %s\n",
- isc_result_totext(result));
- free_name(&chase_name, mctx);
- clean_trustedkey();
- return;
- }
- }
-
-
- if (have_answer) {
- chase_rdataset
- = chase_scanname_section(msg, &chase_name,
- current_lookup
- ->rdtype_sigchase,
- dns_rdatatype_any,
- DNS_SECTION_ANSWER);
- if (chase_rdataset != NULL)
- have_response = ISC_TRUE;
- }
-
- result = advanced_rrsearch(&chase_keyrdataset,
- &chase_current_name,
- dns_rdatatype_dnskey,
- dns_rdatatype_any,
- &chase_keylookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;; DNSKEY is missing to continue validation:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- if (result == ISC_R_NOTFOUND)
- return;
- INSIST(chase_keyrdataset != NULL);
- printf("\n;; DNSKEYset:\n");
- print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
-
-
- result = advanced_rrsearch(&chase_sigkeyrdataset,
- &chase_current_name,
- dns_rdatatype_rrsig,
- dns_rdatatype_dnskey,
- &chase_sigkeylookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;; RRSIG of DNSKEY is missing to continue validation:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- if (result == ISC_R_NOTFOUND)
- return;
- INSIST(chase_sigkeyrdataset != NULL);
- printf("\n;; RRSIG of the DNSKEYset:\n");
- print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
-
-
- if (!chase_dslookedup && !chase_nslookedup) {
- if (!delegation_follow) {
- result = contains_trusted_key(&chase_current_name,
- chase_keyrdataset,
- chase_sigkeyrdataset,
- mctx);
- } else {
- INSIST(chase_dsrdataset != NULL);
- INSIST(chase_sigdsrdataset != NULL);
- result = sigchase_verify_ds(&chase_current_name,
- chase_keyrdataset,
- chase_dsrdataset,
- mctx);
- }
-
- if (result != ISC_R_SUCCESS) {
- printf("\n;; chain of trust can't be validated:"
- " FAILED\n\n");
- goto cleanandgo;
- } else {
- chase_dsrdataset = NULL;
- chase_sigdsrdataset = NULL;
- }
- }
-
- if (have_response || (!have_delegation_ns && !have_response)) {
- /* test if it's a grand father case */
-
- if (have_response) {
- result = advanced_rrsearch(&chase_sigrdataset,
- &chase_name,
- dns_rdatatype_rrsig,
- current_lookup
- ->rdtype_sigchase,
- &true);
- if (result == ISC_R_FAILURE) {
- printf("\n;; RRset is missing to continue"
- " validation SHOULD NOT APPEND:"
- " FAILED\n\n");
- goto cleanandgo;
- }
-
- } else {
- result = advanced_rrsearch(&chase_sigrdataset,
- &chase_authority_name,
- dns_rdatatype_rrsig,
- dns_rdatatype_any,
- &true);
- if (result == ISC_R_FAILURE) {
- printf("\n;; RRSIG is missing to continue"
- " validation SHOULD NOT APPEND:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- }
- result = grandfather_pb_test(&chase_current_name,
- chase_sigrdataset);
- if (result != ISC_R_SUCCESS) {
- dns_name_t tmp_name;
-
- printf("\n;; We are in a Grand Father Problem:"
- " See 2.2.1 in RFC 3568\n");
- chase_rdataset = NULL;
- chase_sigrdataset = NULL;
- have_response = ISC_FALSE;
- have_delegation_ns = ISC_FALSE;
-
- dns_name_init(&tmp_name, NULL);
- result = child_of_zone(&chase_name, &chase_current_name,
- &tmp_name);
- if (dns_name_dynamic(&chase_authority_name))
- free_name(&chase_authority_name, mctx);
- dup_name(&tmp_name, &chase_authority_name, mctx);
- printf(";; and we try to continue chain of trust"
- " validation of the zone: ");
- dns_name_print(&chase_authority_name, stdout);
- printf("\n");
- have_delegation_ns = ISC_TRUE;
- } else {
- if (have_response)
- goto finalstep;
- else
- chase_sigrdataset = NULL;
- }
- }
-
- if (have_delegation_ns) {
- chase_nsrdataset = NULL;
- result = advanced_rrsearch(&chase_nsrdataset,
- &chase_authority_name,
- dns_rdatatype_ns,
- dns_rdatatype_any,
- &chase_nslookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;;NSset is missing to continue validation:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- if (result == ISC_R_NOTFOUND) {
- return;
- }
- INSIST(chase_nsrdataset != NULL);
-
- result = advanced_rrsearch(&chase_dsrdataset,
- &chase_authority_name,
- dns_rdatatype_ds,
- dns_rdatatype_any,
- &chase_dslookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;; DSset is missing to continue validation:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- if (result == ISC_R_NOTFOUND)
- return;
- INSIST(chase_dsrdataset != NULL);
- printf("\n;; DSset:\n");
- print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
-
- result = advanced_rrsearch(&chase_sigdsrdataset,
- &chase_authority_name,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds,
- &true);
- if (result != ISC_R_SUCCESS) {
- printf("\n;; DSset is missing to continue validation:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- printf("\n;; RRSIGset of DSset\n");
- print_rdataset(&chase_authority_name,
- chase_sigdsrdataset, mctx);
- INSIST(chase_sigdsrdataset != NULL);
-
- result = sigchase_verify_sig(&chase_authority_name,
- chase_dsrdataset,
- chase_keyrdataset,
- chase_sigdsrdataset, mctx);
- if (result != ISC_R_SUCCESS) {
- printf("\n;; Impossible to verify the DSset:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- chase_keyrdataset = NULL;
- chase_sigkeyrdataset = NULL;
-
-
- prepare_lookup(&chase_authority_name);
-
- have_response = ISC_FALSE;
- have_delegation_ns = ISC_FALSE;
- delegation_follow = ISC_TRUE;
- error_message = NULL;
- dup_name(&chase_authority_name, &chase_current_name, mctx);
- free_name(&chase_authority_name, mctx);
- return;
- }
-
-
- if (error_message != NULL) {
- dns_rdataset_t *rdataset;
- dns_rdataset_t *sigrdataset;
- dns_name_t rdata_name;
- isc_result_t ret = ISC_R_FAILURE;
-
- dns_name_init(&rdata_name, NULL);
- result = prove_nx(error_message, &chase_name,
- current_lookup->rdclass_sigchase,
- current_lookup->rdtype_sigchase, &rdata_name,
- &rdataset, &sigrdataset);
- if (rdataset == NULL || sigrdataset == NULL ||
- dns_name_countlabels(&rdata_name) == 0) {
- printf("\n;; Impossible to verify the non-existence,"
- " the NSEC RRset can't be validated:"
- " FAILED\n\n");
- goto cleanandgo;
- }
- ret = sigchase_verify_sig(&rdata_name, rdataset,
- chase_keyrdataset,
- sigrdataset, mctx);
- if (ret != ISC_R_SUCCESS) {
- free_name(&rdata_name, mctx);
- printf("\n;; Impossible to verify the NSEC RR to prove"
- " the non-existence : FAILED\n\n");
- goto cleanandgo;
- }
- free_name(&rdata_name, mctx);
- if (result != ISC_R_SUCCESS) {
- printf("\n;; Impossible to verify the non-existence:"
- " FAILED\n\n");
- goto cleanandgo;
- } else {
- printf("\n;; OK the query doesn't have response but"
- " we have validate this fact : SUCCESS\n\n");
- goto cleanandgo;
- }
- }
-
- cleanandgo:
- printf(";; cleanandgo \n");
- if (dns_name_dynamic(&chase_current_name))
- free_name(&chase_current_name, mctx);
- if (dns_name_dynamic(&chase_authority_name))
- free_name(&chase_authority_name, mctx);
- clean_trustedkey();
- return;
-
- finalstep :
- result = advanced_rrsearch(&chase_rdataset, &chase_name,
- current_lookup->rdtype_sigchase,
- dns_rdatatype_any ,
- &true);
- if (result == ISC_R_FAILURE) {
- printf("\n;; RRsig of RRset is missing to continue validation"
- " SHOULD NOT APPEND: FAILED\n\n");
- goto cleanandgo;
- }
- result = sigchase_verify_sig(&chase_name, chase_rdataset,
- chase_keyrdataset,
- chase_sigrdataset, mctx);
- if (result != ISC_R_SUCCESS) {
- printf("\n;; Impossible to verify the RRset : FAILED\n\n");
- /*
- printf("RRset:\n");
- print_rdataset(&chase_name , chase_rdataset, mctx);
- printf("DNSKEYset:\n");
- print_rdataset(&chase_name , chase_keyrdataset, mctx);
- printf("RRSIG of RRset:\n");
- print_rdataset(&chase_name , chase_sigrdataset, mctx);
- printf("\n");
- */
- goto cleanandgo;
- } else {
- printf("\n;; The Answer:\n");
- print_rdataset(&chase_name , chase_rdataset, mctx);
-
- printf("\n;; FINISH : we have validate the DNSSEC chain"
- " of trust: SUCCESS\n\n");
- goto cleanandgo;
- }
-}
-
-#endif
-
-
-#if DIG_SIGCHASE_BU
-
-isc_result_t
-getneededrr(dns_message_t *msg)
-{
- isc_result_t result;
- dns_name_t *name = NULL;
- dns_rdata_t sigrdata;
- dns_rdata_sig_t siginfo;
- isc_boolean_t true = ISC_TRUE;
-
- if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
- != ISC_R_SUCCESS) {
- printf(";; NO ANSWERS: %s\n", isc_result_totext(result));
-
- if (chase_name.ndata == NULL)
- return (ISC_R_ADDRNOTAVAIL);
- } else {
- dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
- }
-
- /* What do we chase? */
- if (chase_rdataset == NULL) {
- result = advanced_rrsearch(&chase_rdataset, name,
- dns_rdatatype_any,
- dns_rdatatype_any, &true);
- if (result != ISC_R_SUCCESS) {
- printf("\n;; No Answers: Validation FAILED\n\n");
- return (ISC_R_NOTFOUND);
- }
- dup_name(name, &chase_name, mctx);
- printf(";; RRset to chase:\n");
- print_rdataset(&chase_name, chase_rdataset, mctx);
- }
- INSIST(chase_rdataset != NULL);
-
-
- if (chase_sigrdataset == NULL) {
- result = advanced_rrsearch(&chase_sigrdataset, name,
- dns_rdatatype_rrsig,
- chase_rdataset->type,
- &chase_siglookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;; RRSIG is missing for continue validation:"
- " FAILED\n\n");
- if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
- return (ISC_R_NOTFOUND);
- }
- if (result == ISC_R_NOTFOUND) {
- return (ISC_R_NOTFOUND);
- }
- printf("\n;; RRSIG of the RRset to chase:\n");
- print_rdataset(&chase_name, chase_sigrdataset, mctx);
- }
- INSIST(chase_sigrdataset != NULL);
-
-
- /* first find the DNSKEY name */
- result = dns_rdataset_first(chase_sigrdataset);
- check_result(result, "empty RRSIG dataset");
- dns_rdata_init(&sigrdata);
- dns_rdataset_current(chase_sigrdataset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
- check_result(result, "sigrdata tostruct siginfo");
- dup_name(&siginfo.signer, &chase_signame, mctx);
- dns_rdata_freestruct(&siginfo);
- dns_rdata_reset(&sigrdata);
-
- /* Do we have a key? */
- if (chase_keyrdataset == NULL) {
- result = advanced_rrsearch(&chase_keyrdataset,
- &chase_signame,
- dns_rdatatype_dnskey,
- dns_rdatatype_any,
- &chase_keylookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;; DNSKEY is missing to continue validation:"
- " FAILED\n\n");
- free_name(&chase_signame, mctx);
- if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
- return (ISC_R_NOTFOUND);
- }
- if (result == ISC_R_NOTFOUND) {
- free_name(&chase_signame, mctx);
- return (ISC_R_NOTFOUND);
- }
- printf("\n;; DNSKEYset that signs the RRset to chase:\n");
- print_rdataset(&chase_signame, chase_keyrdataset, mctx);
- }
- INSIST(chase_keyrdataset != NULL);
-
- if (chase_sigkeyrdataset == NULL) {
- result = advanced_rrsearch(&chase_sigkeyrdataset,
- &chase_signame,
- dns_rdatatype_rrsig,
- dns_rdatatype_dnskey,
- &chase_sigkeylookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;; RRSIG for DNSKEY is missing to continue"
- " validation : FAILED\n\n");
- free_name(&chase_signame, mctx);
- if (dns_name_dynamic(&chase_name))
- free_name(&chase_name, mctx);
- return (ISC_R_NOTFOUND);
- }
- if (result == ISC_R_NOTFOUND) {
- free_name(&chase_signame, mctx);
- return (ISC_R_NOTFOUND);
- }
- printf("\n;; RRSIG of the DNSKEYset that signs the "
- "RRset to chase:\n");
- print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
- }
- INSIST(chase_sigkeyrdataset != NULL);
-
-
- if (chase_dsrdataset == NULL) {
- result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
- dns_rdatatype_ds,
- dns_rdatatype_any,
- &chase_dslookedup);
- if (result == ISC_R_FAILURE) {
- printf("\n;; WARNING There is no DS for the zone: ");
- dns_name_print(&chase_signame, stdout);
- printf("\n");
- }
- if (result == ISC_R_NOTFOUND) {
- free_name(&chase_signame, mctx);
- return (ISC_R_NOTFOUND);
- }
- if (chase_dsrdataset != NULL) {
- printf("\n;; DSset of the DNSKEYset\n");
- print_rdataset(&chase_signame, chase_dsrdataset, mctx);
- }
- }
-
- if (chase_dsrdataset != NULL) {
- /*
- * if there is no RRSIG of DS,
- * we don't want to search on the network
- */
- result = advanced_rrsearch(&chase_sigdsrdataset,
- &chase_signame,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds, &true);
- if (result == ISC_R_FAILURE) {
- printf(";; WARNING : NO RRSIG DS : RRSIG DS"
- " should come with DS\n");
- /*
- * We continue even the DS couldn't be validated,
- * because the DNSKEY could be a Trusted Key.
- */
- chase_dsrdataset = NULL;
- } else {
- printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
- print_rdataset(&chase_signame, chase_sigdsrdataset,
- mctx);
- }
- }
- return (1);
-}
-
-
-
-void
-sigchase_bu(dns_message_t *msg)
-{
- isc_result_t result;
- int ret;
-
- if (tk_list.nb_tk == 0) {
- result = get_trusted_key(mctx);
- if (result != ISC_R_SUCCESS) {
- printf("No trusted keys present\n");
- return;
- }
- }
-
-
- ret = getneededrr(msg);
- if (ret == ISC_R_NOTFOUND)
- return;
-
- if (ret == ISC_R_ADDRNOTAVAIL) {
- /* We have no response */
- dns_rdataset_t *rdataset;
- dns_rdataset_t *sigrdataset;
- dns_name_t rdata_name;
- dns_name_t query_name;
-
-
- dns_name_init(&query_name, NULL);
- dns_name_init(&rdata_name, NULL);
- nameFromString(current_lookup->textname, &query_name);
-
- result = prove_nx(msg, &query_name, current_lookup->rdclass,
- current_lookup->rdtype, &rdata_name,
- &rdataset, &sigrdataset);
- free_name(&query_name, mctx);
- if (rdataset == NULL || sigrdataset == NULL ||
- dns_name_countlabels(&rdata_name) == 0) {
- printf("\n;; Impossible to verify the Non-existence,"
- " the NSEC RRset can't be validated: "
- "FAILED\n\n");
- clean_trustedkey();
- return;
- }
-
- if (result != ISC_R_SUCCESS) {
- printf("\n No Answers and impossible to prove the"
- " unsecurity : Validation FAILED\n\n");
- clean_trustedkey();
- return;
- }
- printf(";; An NSEC prove the non-existence of a answers,"
- " Now we want validate this NSEC\n");
-
- dup_name(&rdata_name, &chase_name, mctx);
- free_name(&rdata_name, mctx);
- chase_rdataset = rdataset;
- chase_sigrdataset = sigrdataset;
- chase_keyrdataset = NULL;
- chase_sigkeyrdataset = NULL;
- chase_dsrdataset = NULL;
- chase_sigdsrdataset = NULL;
- chase_siglookedup = ISC_FALSE;
- chase_keylookedup = ISC_FALSE;
- chase_dslookedup = ISC_FALSE;
- chase_sigdslookedup = ISC_FALSE;
- sigchase(msg);
- clean_trustedkey();
- return;
- }
-
-
- printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n");
-
- result = sigchase_verify_sig(&chase_name, chase_rdataset,
- chase_keyrdataset,
- chase_sigrdataset, mctx);
- if (result != ISC_R_SUCCESS) {
- free_name(&chase_name, mctx);
- free_name(&chase_signame, mctx);
- printf(";; No DNSKEY is valid to check the RRSIG"
- " of the RRset: FAILED\n");
- clean_trustedkey();
- return;
- }
- printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
-
- result = contains_trusted_key(&chase_signame, chase_keyrdataset,
- chase_sigkeyrdataset, mctx);
- if (result == ISC_R_SUCCESS) {
- free_name(&chase_name, mctx);
- free_name(&chase_signame, mctx);
- printf("\n;; Ok this DNSKEY is a Trusted Key,"
- " DNSSEC validation is ok: SUCCESS\n\n");
- clean_trustedkey();
- return;
- }
-
- printf(";; Now, we are going to validate this DNSKEY by the DS\n");
-
- if (chase_dsrdataset == NULL) {
- free_name(&chase_name, mctx);
- free_name(&chase_signame, mctx);
- printf(";; the DNSKEY isn't trusted-key and there isn't"
- " DS to validate the DNSKEY: FAILED\n");
- clean_trustedkey();
- return;
- }
-
- result = sigchase_verify_ds(&chase_signame, chase_keyrdataset,
- chase_dsrdataset, mctx);
- if (result != ISC_R_SUCCESS) {
- free_name(&chase_signame, mctx);
- free_name(&chase_name, mctx);
- printf(";; ERROR no DS validates a DNSKEY in the"
- " DNSKEY RRset: FAILED\n");
- clean_trustedkey();
- return;
- } else
- printf(";; OK this DNSKEY (validated by the DS) validates"
- " the RRset of the DNSKEYs, thus the DNSKEY validates"
- " the RRset\n");
- INSIST(chase_sigdsrdataset != NULL);
-
- dup_name(&chase_signame, &chase_name, mctx);
- free_name(&chase_signame, mctx);
- chase_rdataset = chase_dsrdataset;
- chase_sigrdataset = chase_sigdsrdataset;
- chase_keyrdataset = NULL;
- chase_sigkeyrdataset = NULL;
- chase_dsrdataset = NULL;
- chase_sigdsrdataset = NULL;
- chase_siglookedup = chase_keylookedup = ISC_FALSE;
- chase_dslookedup = chase_sigdslookedup = ISC_FALSE;
-
- printf(";; Now, we want to validate the DS : recursive call\n");
- sigchase(msg);
- return;
-}
-#endif
-
-void
-sigchase(dns_message_t *msg) {
-#if DIG_SIGCHASE_TD
- if (current_lookup->do_topdown) {
- sigchase_td(msg);
- return;
- }
-#endif
-#if DIG_SIGCHASE_BU
- sigchase_bu(msg);
- return;
-#endif
-}
-
-
-/*
- * return 1 if name1 < name2
- * 0 if name1 == name2
- * -1 if name1 > name2
- * and -2 if problem
- */
-int
-inf_name(dns_name_t *name1, dns_name_t *name2)
-{
- dns_label_t label1;
- dns_label_t label2;
- unsigned int nblabel1;
- unsigned int nblabel2;
- int min_lum_label;
- int i;
- int ret = -2;
-
- nblabel1 = dns_name_countlabels(name1);
- nblabel2 = dns_name_countlabels(name2);
-
- if (nblabel1 >= nblabel2)
- min_lum_label = nblabel2;
- else
- min_lum_label = nblabel1;
-
-
- for (i=1 ; i < min_lum_label; i++) {
- dns_name_getlabel(name1, nblabel1 -1 - i, &label1);
- dns_name_getlabel(name2, nblabel2 -1 - i, &label2);
- if ((ret = isc_region_compare(&label1, &label2)) != 0) {
- if (ret < 0)
- return (-1);
- else if (ret > 0)
- return (1);
- }
- }
- if (nblabel1 == nblabel2)
- return (0);
-
- if (nblabel1 < nblabel2)
- return (-1);
- else
- return (1);
-}
-
-/**
- *
- *
- *
- */
-isc_result_t
-prove_nx_domain(dns_message_t *msg,
- dns_name_t *name,
- dns_name_t *rdata_name,
- dns_rdataset_t **rdataset,
- dns_rdataset_t **sigrdataset)
-{
- isc_result_t ret = ISC_R_FAILURE;
- isc_result_t result = ISC_R_NOTFOUND;
- dns_rdataset_t *nsecset = NULL;
- dns_rdataset_t *signsecset = NULL ;
- dns_rdata_t nsec = DNS_RDATA_INIT;
- dns_name_t *nsecname;
- dns_rdata_nsec_t nsecstruct;
-
- if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
- != ISC_R_SUCCESS) {
- printf(";; nothing in authority section : impossible to"
- " validate the non-existence : FAILED\n");
- return (ISC_R_FAILURE);
- }
-
- do {
- nsecname = NULL;
- dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname);
- nsecset = search_type(nsecname, dns_rdatatype_nsec,
- dns_rdatatype_any);
- if (nsecset == NULL)
- continue;
-
- printf("There is a NSEC for this zone in the"
- " AUTHORITY section:\n");
- print_rdataset(nsecname, nsecset, mctx);
-
- for (result = dns_rdataset_first(nsecset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(nsecset)) {
- dns_rdataset_current(nsecset, &nsec);
-
-
- signsecset
- = chase_scanname_section(msg, nsecname,
- dns_rdatatype_rrsig,
- dns_rdatatype_nsec,
- DNS_SECTION_AUTHORITY);
- if (signsecset == NULL) {
- printf(";; no RRSIG NSEC in authority section:"
- " impossible to validate the "
- "non-existence: FAILED\n");
- return (ISC_R_FAILURE);
- }
-
- ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL);
- check_result(ret,"dns_rdata_tostruct");
-
- if ((inf_name(nsecname, &nsecstruct.next) == 1 &&
- inf_name(name, &nsecstruct.next) == 1) ||
- (inf_name(name, nsecname) == 1 &&
- inf_name(&nsecstruct.next, name) == 1)) {
- dns_rdata_freestruct(&nsecstruct);
- *rdataset = nsecset;
- *sigrdataset = signsecset;
- dup_name(nsecname, rdata_name, mctx);
-
- return (ISC_R_SUCCESS);
- }
-
- dns_rdata_freestruct(&nsecstruct);
- }
- } while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
- == ISC_R_SUCCESS);
-
- *rdataset = NULL;
- *sigrdataset = NULL;
- rdata_name = NULL;
- return (ISC_R_FAILURE);
-}
-
-/**
- *
- *
- *
- *
- *
- */
-isc_result_t
-prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
- dns_rdataclass_t class, dns_rdatatype_t type,
- dns_name_t *rdata_name, dns_rdataset_t **rdataset,
- dns_rdataset_t **sigrdataset)
-{
- isc_result_t ret;
- dns_rdataset_t *signsecset;
- dns_rdata_t nsec = DNS_RDATA_INIT;
-
- UNUSED(class);
-
- ret = dns_rdataset_first(nsecset);
- check_result(ret,"dns_rdataset_first");
-
- dns_rdataset_current(nsecset, &nsec);
-
- ret = dns_nsec_typepresent(&nsec, type);
- if (ret == ISC_R_SUCCESS)
- printf("OK the NSEC said that the type doesn't exist \n");
-
- signsecset = chase_scanname_section(msg, name,
- dns_rdatatype_rrsig,
- dns_rdatatype_nsec,
- DNS_SECTION_AUTHORITY);
- if (signsecset == NULL) {
- printf("There isn't RRSIG NSEC for the zone \n");
- return (ISC_R_FAILURE);
- }
- dup_name(name, rdata_name, mctx);
- *rdataset = nsecset;
- *sigrdataset = signsecset;
-
- return (ret);
-}
-
-/**
- *
- *
- *
- *
- */
-isc_result_t
-prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
- dns_rdatatype_t type, dns_name_t *rdata_name,
- dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset)
-{
- isc_result_t ret;
- dns_rdataset_t *nsecset = NULL;
-
- printf("We want to prove the non-existance of a type of rdata %d"
- " or of the zone: \n", type);
-
- if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
- != ISC_R_SUCCESS) {
- printf(";; nothing in authority section : impossible to"
- " validate the non-existence : FAILED\n");
- return (ISC_R_FAILURE);
- }
-
- nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec,
- dns_rdatatype_any,
- DNS_SECTION_AUTHORITY);
- if (nsecset != NULL) {
- printf("We have a NSEC for this zone :OK\n");
- ret = prove_nx_type(msg, name, nsecset, class,
- type, rdata_name, rdataset,
- sigrdataset);
- if (ret != ISC_R_SUCCESS) {
- printf("prove_nx: ERROR type exist\n");
- return (ret);
- } else {
- printf("prove_nx: OK type does not exist\n");
- return (ISC_R_SUCCESS);
- }
- } else {
- printf("there is no NSEC for this zone: validating "
- "that the zone doesn't exist\n");
- ret = prove_nx_domain(msg, name, rdata_name,
- rdataset, sigrdataset);
- return (ret);
- }
-}
-#endif
diff --git a/contrib/bind9/bin/dig/host.1 b/contrib/bind9/bin/dig/host.1
deleted file mode 100644
index cf44a5c3f35c..000000000000
--- a/contrib/bind9/bin/dig/host.1
+++ /dev/null
@@ -1,185 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: host.1,v 1.11.2.1.4.7 2005/10/13 02:33:43 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "HOST" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-host \- DNS lookup utility
-.SH "SYNOPSIS"
-.HP 5
-\fBhost\fR [\fB\-aCdlnrTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
-.SH "DESCRIPTION"
-.PP
-\fBhost\fR
-is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given,
-\fBhost\fR
-prints a short summary of its command line arguments and options.
-.PP
-\fIname\fR
-is the domain name that is to be looked up. It can also be a dotted\-decimal IPv4 address or a colon\-delimited IPv6 address, in which case
-\fBhost\fR
-will by default perform a reverse lookup for that address.
-\fIserver\fR
-is an optional argument which is either the name or IP address of the name server that
-\fBhost\fR
-should query instead of the server or servers listed in
-\fI/etc/resolv.conf\fR.
-.PP
-The
-\fB\-a\fR
-(all) option is equivalent to setting the
-\fB\-v\fR
-option and asking
-\fBhost\fR
-to make a query of type ANY.
-.PP
-When the
-\fB\-C\fR
-option is used,
-\fBhost\fR
-will attempt to display the SOA records for zone
-\fIname\fR
-from all the listed authoritative name servers for that zone. The list of name servers is defined by the NS records that are found for the zone.
-.PP
-The
-\fB\-c\fR
-option instructs to make a DNS query of class
-\fIclass\fR. This can be used to lookup Hesiod or Chaosnet class resource records. The default class is IN (Internet).
-.PP
-Verbose output is generated by
-\fBhost\fR
-when the
-\fB\-d\fR
-or
-\fB\-v\fR
-option is used. The two options are equivalent. They have been provided for backwards compatibility. In previous versions, the
-\fB\-d\fR
-option switched on debugging traces and
-\fB\-v\fR
-enabled verbose output.
-.PP
-List mode is selected by the
-\fB\-l\fR
-option. This makes
-\fBhost\fR
-perform a zone transfer for zone
-\fIname\fR. Transfer the zone printing out the NS, PTR and address records (A/AAAA). If combined with
-\fB\-a\fR
-all records will be printed.
-.PP
-The
-\fB\-i\fR
-option specifies that reverse lookups of IPv6 addresses should use the IP6.INT domain as defined in RFC1886. The default is to use IP6.ARPA.
-.PP
-The
-\fB\-N\fR
-option sets the number of dots that have to be in
-\fIname\fR
-for it to be considered absolute. The default value is that defined using the ndots statement in
-\fI/etc/resolv.conf\fR, or 1 if no ndots statement is present. Names with fewer dots are interpreted as relative names and will be searched for in the domains listed in the
-\fBsearch\fR
-or
-\fBdomain\fR
-directive in
-\fI/etc/resolv.conf\fR.
-.PP
-The number of UDP retries for a lookup can be changed with the
-\fB\-R\fR
-option.
-\fInumber\fR
-indicates how many times
-\fBhost\fR
-will repeat a query that does not get answered. The default number of retries is 1. If
-\fInumber\fR
-is negative or zero, the number of retries will default to 1.
-.PP
-Non\-recursive queries can be made via the
-\fB\-r\fR
-option. Setting this option clears the
-\fBRD\fR
-\(em recursion desired \(em bit in the query which
-\fBhost\fR
-makes. This should mean that the name server receiving the query will not attempt to resolve
-\fIname\fR. The
-\fB\-r\fR
-option enables
-\fBhost\fR
-to mimic the behaviour of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
-.PP
-By default
-\fBhost\fR
-uses UDP when making queries. The
-\fB\-T\fR
-option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests.
-.PP
-The
-\fB\-4\fR
-option forces
-\fBhost\fR
-to only use IPv4 query transport. The
-\fB\-6\fR
-option forces
-\fBhost\fR
-to only use IPv6 query transport.
-.PP
-The
-\fB\-t\fR
-option is used to select the query type.
-\fItype\fR
-can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-\fBhost\fR
-automatically selects an appropriate query type. By default it looks for A records, but if the
-\fB\-C\fR
-option was given, queries will be made for SOA records, and if
-\fIname\fR
-is a dotted\-decimal IPv4 address or colon\-delimited IPv6 address,
-\fBhost\fR
-will query for PTR records. If a query type of IXFR is chosen the starting serial number can be specified by appending an equal followed by the starting serial number (e.g. \-t IXFR=12345678).
-.PP
-The time to wait for a reply can be controlled through the
-\fB\-W\fR
-and
-\fB\-w\fR
-options. The
-\fB\-W\fR
-option makes
-\fBhost\fR
-wait for
-\fIwait\fR
-seconds. If
-\fIwait\fR
-is less than one, the wait interval is set to one second. When the
-\fB\-w\fR
-option is used,
-\fBhost\fR
-will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBnamed\fR(8).
diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c
deleted file mode 100644
index 468d53bf944e..000000000000
--- a/contrib/bind9/bin/dig/host.c
+++ /dev/null
@@ -1,740 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: host.c,v 1.76.2.5.2.13 2005/07/04 03:29:45 marka Exp $ */
-
-#include <config.h>
-#include <limits.h>
-
-#include <isc/app.h>
-#include <isc/commandline.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/task.h>
-#include <isc/stdlib.h>
-
-#include <dns/byaddr.h>
-#include <dns/fixedname.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-
-#include <dig/dig.h>
-
-static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE;
-static isc_boolean_t default_lookups = ISC_TRUE;
-static int seen_error = -1;
-static isc_boolean_t list_addresses = ISC_TRUE;
-static dns_rdatatype_t list_type = dns_rdatatype_a;
-
-static const char *opcodetext[] = {
- "QUERY",
- "IQUERY",
- "STATUS",
- "RESERVED3",
- "NOTIFY",
- "UPDATE",
- "RESERVED6",
- "RESERVED7",
- "RESERVED8",
- "RESERVED9",
- "RESERVED10",
- "RESERVED11",
- "RESERVED12",
- "RESERVED13",
- "RESERVED14",
- "RESERVED15"
-};
-
-static const char *rcodetext[] = {
- "NOERROR",
- "FORMERR",
- "SERVFAIL",
- "NXDOMAIN",
- "NOTIMP",
- "REFUSED",
- "YXDOMAIN",
- "YXRRSET",
- "NXRRSET",
- "NOTAUTH",
- "NOTZONE",
- "RESERVED11",
- "RESERVED12",
- "RESERVED13",
- "RESERVED14",
- "RESERVED15",
- "BADVERS"
-};
-
-struct rtype {
- unsigned int type;
- const char *text;
-};
-
-struct rtype rtypes[] = {
- { 1, "has address" },
- { 2, "name server" },
- { 5, "is an alias for" },
- { 11, "has well known services" },
- { 12, "domain name pointer" },
- { 13, "host information" },
- { 15, "mail is handled by" },
- { 16, "descriptive text" },
- { 19, "x25 address" },
- { 20, "ISDN address" },
- { 24, "has signature" },
- { 25, "has key" },
- { 28, "has IPv6 address" },
- { 29, "location" },
- { 0, NULL }
-};
-
-static void
-show_usage(void) {
- fputs(
-"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
-" [-R number] hostname [server]\n"
-" -a is equivalent to -v -t *\n"
-" -c specifies query class for non-IN data\n"
-" -C compares SOA records on authoritative nameservers\n"
-" -d is equivalent to -v\n"
-" -l lists all hosts in a domain, using AXFR\n"
-" -i IP6.INT reverse lookups\n"
-" -N changes the number of dots allowed before root lookup is done\n"
-" -r disables recursive processing\n"
-" -R specifies number of retries for UDP packets\n"
-" -t specifies the query type\n"
-" -T enables TCP/IP mode\n"
-" -v enables verbose output\n"
-" -w specifies to wait forever for a reply\n"
-" -W specifies how long to wait for a reply\n"
-" -4 use IPv4 query transport only\n"
-" -6 use IPv6 query transport only\n", stderr);
- exit(1);
-}
-
-void
-dighost_shutdown(void) {
- isc_app_shutdown();
-}
-
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
- isc_time_t now;
- int diff;
-
- if (!short_form) {
- char fromtext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(from, fromtext, sizeof(fromtext));
- TIME_NOW(&now);
- diff = (int) isc_time_microdiff(&now, &query->time_sent);
- printf("Received %u bytes from %s in %d ms\n",
- bytes, fromtext, diff/1000);
- }
-}
-
-void
-trying(char *frm, dig_lookup_t *lookup) {
- UNUSED(lookup);
-
- if (!short_form)
- printf("Trying \"%s\"\n", frm);
-}
-
-static void
-say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
- dig_query_t *query)
-{
- isc_buffer_t *b = NULL;
- char namestr[DNS_NAME_FORMATSIZE];
- isc_region_t r;
- isc_result_t result;
- unsigned int bufsize = BUFSIZ;
-
- dns_name_format(name, namestr, sizeof(namestr));
- retry:
- result = isc_buffer_allocate(mctx, &b, bufsize);
- check_result(result, "isc_buffer_allocate");
- result = dns_rdata_totext(rdata, NULL, b);
- if (result == ISC_R_NOSPACE) {
- isc_buffer_free(&b);
- bufsize *= 2;
- goto retry;
- }
- check_result(result, "dns_rdata_totext");
- isc_buffer_usedregion(b, &r);
- if (query->lookup->identify_previous_line) {
- printf("Nameserver %s:\n\t",
- query->servname);
- }
- printf("%s %s %.*s", namestr,
- msg, (int)r.length, (char *)r.base);
- if (query->lookup->identify) {
- printf(" on server %s", query->servname);
- }
- printf("\n");
- isc_buffer_free(&b);
-}
-#ifdef DIG_SIGCHASE
-/* Just for compatibility : not use in host program */
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
- isc_buffer_t *target)
-{
- UNUSED(owner_name);
- UNUSED(rdataset);
- UNUSED(target);
- return(ISC_FALSE);
-}
-#endif
-static isc_result_t
-printsection(dns_message_t *msg, dns_section_t sectionid,
- const char *section_name, isc_boolean_t headers,
- dig_query_t *query)
-{
- dns_name_t *name, *print_name;
- dns_rdataset_t *rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_buffer_t target;
- isc_result_t result, loopresult;
- isc_region_t r;
- dns_name_t empty_name;
- char t[4096];
- isc_boolean_t first;
- isc_boolean_t no_rdata;
-
- if (sectionid == DNS_SECTION_QUESTION)
- no_rdata = ISC_TRUE;
- else
- no_rdata = ISC_FALSE;
-
- if (headers)
- printf(";; %s SECTION:\n", section_name);
-
- dns_name_init(&empty_name, NULL);
-
- result = dns_message_firstname(msg, sectionid);
- if (result == ISC_R_NOMORE)
- return (ISC_R_SUCCESS);
- else if (result != ISC_R_SUCCESS)
- return (result);
-
- for (;;) {
- name = NULL;
- dns_message_currentname(msg, sectionid, &name);
-
- isc_buffer_init(&target, t, sizeof(t));
- first = ISC_TRUE;
- print_name = name;
-
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (query->lookup->rdtype == dns_rdatatype_axfr &&
- !((!list_addresses &&
- (list_type == dns_rdatatype_any ||
- rdataset->type == list_type)) ||
- (list_addresses &&
- (rdataset->type == dns_rdatatype_a ||
- rdataset->type == dns_rdatatype_aaaa ||
- rdataset->type == dns_rdatatype_ns ||
- rdataset->type == dns_rdatatype_ptr))))
- continue;
- if (!short_form) {
- result = dns_rdataset_totext(rdataset,
- print_name,
- ISC_FALSE,
- no_rdata,
- &target);
- if (result != ISC_R_SUCCESS)
- return (result);
-#ifdef USEINITALWS
- if (first) {
- print_name = &empty_name;
- first = ISC_FALSE;
- }
-#else
- UNUSED(first); /* Shut up compiler. */
-#endif
- } else {
- loopresult = dns_rdataset_first(rdataset);
- while (loopresult == ISC_R_SUCCESS) {
- struct rtype *t;
- const char *rtt;
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- char typebuf2[DNS_RDATATYPE_FORMATSIZE
- + 20];
- dns_rdataset_current(rdataset, &rdata);
-
- for (t = rtypes; t->text != NULL; t++) {
- if (t->type == rdata.type) {
- rtt = t->text;
- goto found;
- }
- }
-
- dns_rdatatype_format(rdata.type,
- typebuf,
- sizeof(typebuf));
- snprintf(typebuf2, sizeof(typebuf2),
- "has %s record", typebuf);
- rtt = typebuf2;
- found:
- say_message(print_name, rtt,
- &rdata, query);
- dns_rdata_reset(&rdata);
- loopresult =
- dns_rdataset_next(rdataset);
- }
- }
- }
- if (!short_form) {
- isc_buffer_usedregion(&target, &r);
- if (no_rdata)
- printf(";%.*s", (int)r.length,
- (char *)r.base);
- else
- printf("%.*s", (int)r.length, (char *)r.base);
- }
-
- result = dns_message_nextname(msg, sectionid);
- if (result == ISC_R_NOMORE)
- break;
- else if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
- const char *set_name, isc_boolean_t headers)
-{
- isc_buffer_t target;
- isc_result_t result;
- isc_region_t r;
- char t[4096];
-
- UNUSED(msg);
- if (headers)
- printf(";; %s SECTION:\n", set_name);
-
- isc_buffer_init(&target, t, sizeof(t));
-
- result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
- &target);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_buffer_usedregion(&target, &r);
- printf("%.*s", (int)r.length, (char *)r.base);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
- isc_boolean_t did_flag = ISC_FALSE;
- dns_rdataset_t *opt, *tsig = NULL;
- dns_name_t *tsigname;
- isc_result_t result = ISC_R_SUCCESS;
- int force_error;
-
- UNUSED(headers);
-
- /*
- * We get called multiple times.
- * Preserve any existing error status.
- */
- force_error = (seen_error == 1) ? 1 : 0;
- seen_error = 1;
- if (listed_server) {
- char sockstr[ISC_SOCKADDR_FORMATSIZE];
-
- printf("Using domain server:\n");
- printf("Name: %s\n", query->userarg);
- isc_sockaddr_format(&query->sockaddr, sockstr,
- sizeof(sockstr));
- printf("Address: %s\n", sockstr);
- printf("Aliases: \n\n");
- }
-
- if (msg->rcode != 0) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_name_format(query->lookup->name, namestr, sizeof(namestr));
- printf("Host %s not found: %d(%s)\n", namestr,
- msg->rcode, rcodetext[msg->rcode]);
- return (ISC_R_SUCCESS);
- }
-
- if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
- char namestr[DNS_NAME_FORMATSIZE];
- dig_lookup_t *lookup;
-
- /* Add AAAA and MX lookups. */
-
- dns_name_format(query->lookup->name, namestr, sizeof(namestr));
- lookup = clone_lookup(query->lookup, ISC_FALSE);
- if (lookup != NULL) {
- strncpy(lookup->textname, namestr,
- sizeof(lookup->textname));
- lookup->textname[sizeof(lookup->textname)-1] = 0;
- lookup->rdtype = dns_rdatatype_aaaa;
- lookup->rdtypeset = ISC_TRUE;
- lookup->origin = NULL;
- lookup->retries = tries;
- ISC_LIST_APPEND(lookup_list, lookup, link);
- }
- lookup = clone_lookup(query->lookup, ISC_FALSE);
- if (lookup != NULL) {
- strncpy(lookup->textname, namestr,
- sizeof(lookup->textname));
- lookup->textname[sizeof(lookup->textname)-1] = 0;
- lookup->rdtype = dns_rdatatype_mx;
- lookup->rdtypeset = ISC_TRUE;
- lookup->origin = NULL;
- lookup->retries = tries;
- ISC_LIST_APPEND(lookup_list, lookup, link);
- }
- }
-
- if (!short_form) {
- printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
- opcodetext[msg->opcode], rcodetext[msg->rcode],
- msg->id);
- printf(";; flags: ");
- if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
- printf("qr");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
- printf("%saa", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
- printf("%stc", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
- printf("%srd", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
- printf("%sra", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
- printf("%sad", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
- printf("%scd", did_flag ? " " : "");
- did_flag = ISC_TRUE;
- }
- printf("; QUERY: %u, ANSWER: %u, "
- "AUTHORITY: %u, ADDITIONAL: %u\n",
- msg->counts[DNS_SECTION_QUESTION],
- msg->counts[DNS_SECTION_ANSWER],
- msg->counts[DNS_SECTION_AUTHORITY],
- msg->counts[DNS_SECTION_ADDITIONAL]);
- opt = dns_message_getopt(msg);
- if (opt != NULL)
- printf(";; EDNS: version: %u, udp=%u\n",
- (unsigned int)((opt->ttl & 0x00ff0000) >> 16),
- (unsigned int)opt->rdclass);
- tsigname = NULL;
- tsig = dns_message_gettsig(msg, &tsigname);
- if (tsig != NULL)
- printf(";; PSEUDOSECTIONS: TSIG\n");
- }
- if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) &&
- !short_form) {
- printf("\n");
- result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
- ISC_TRUE, query);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
- if (!short_form)
- printf("\n");
- result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
- ISC_TF(!short_form), query);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
- !short_form) {
- printf("\n");
- result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
- ISC_TRUE, query);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
- !short_form) {
- printf("\n");
- result = printsection(msg, DNS_SECTION_ADDITIONAL,
- "ADDITIONAL", ISC_TRUE, query);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- if ((tsig != NULL) && !short_form) {
- printf("\n");
- result = printrdata(msg, tsig, tsigname,
- "PSEUDOSECTION TSIG", ISC_TRUE);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- if (!short_form)
- printf("\n");
-
- if (short_form && !default_lookups &&
- ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
- char namestr[DNS_NAME_FORMATSIZE];
- char typestr[DNS_RDATATYPE_FORMATSIZE];
- dns_name_format(query->lookup->name, namestr, sizeof(namestr));
- dns_rdatatype_format(query->lookup->rdtype, typestr,
- sizeof(typestr));
- printf("%s has no %s record\n", namestr, typestr);
- }
- seen_error = force_error;
- return (result);
-}
-
-static void
-parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
- char hostname[MXNAME];
- dig_lookup_t *lookup;
- int c;
- char store[MXNAME];
- isc_textregion_t tr;
- isc_result_t result = ISC_R_SUCCESS;
- dns_rdatatype_t rdtype;
- dns_rdataclass_t rdclass;
- isc_uint32_t serial = 0;
-
- UNUSED(is_batchfile);
-
- lookup = make_empty_lookup();
-
- while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46"))
- != EOF) {
- switch (c) {
- case 'l':
- lookup->tcp_mode = ISC_TRUE;
- lookup->rdtype = dns_rdatatype_axfr;
- lookup->rdtypeset = ISC_TRUE;
- fatalexit = 3;
- break;
- case 'v':
- case 'd':
- short_form = ISC_FALSE;
- break;
- case 'r':
- lookup->recurse = ISC_FALSE;
- break;
- case 't':
- if (strncasecmp(isc_commandline_argument,
- "ixfr=", 5) == 0) {
- rdtype = dns_rdatatype_ixfr;
- /* XXXMPA add error checking */
- serial = strtoul(isc_commandline_argument + 5,
- NULL, 10);
- result = ISC_R_SUCCESS;
- } else {
- tr.base = isc_commandline_argument;
- tr.length = strlen(isc_commandline_argument);
- result = dns_rdatatype_fromtext(&rdtype,
- (isc_textregion_t *)&tr);
- }
-
- if (result != ISC_R_SUCCESS) {
- fatalexit = 2;
- fatal("invalid type: %s\n",
- isc_commandline_argument);
- }
- if (!lookup->rdtypeset ||
- lookup->rdtype != dns_rdatatype_axfr)
- lookup->rdtype = rdtype;
- lookup->rdtypeset = ISC_TRUE;
- if (rdtype == dns_rdatatype_axfr) {
- /* -l -t any -v */
- list_type = dns_rdatatype_any;
- short_form = ISC_FALSE;
- lookup->tcp_mode = ISC_TRUE;
- } else if (rdtype == dns_rdatatype_ixfr) {
- lookup->ixfr_serial = serial;
- list_type = rdtype;
- } else
- list_type = rdtype;
- list_addresses = ISC_FALSE;
- default_lookups = ISC_FALSE;
- break;
- case 'c':
- tr.base = isc_commandline_argument;
- tr.length = strlen(isc_commandline_argument);
- result = dns_rdataclass_fromtext(&rdclass,
- (isc_textregion_t *)&tr);
-
- if (result != ISC_R_SUCCESS) {
- fatalexit = 2;
- fatal("invalid class: %s\n",
- isc_commandline_argument);
- } else {
- lookup->rdclass = rdclass;
- lookup->rdclassset = ISC_TRUE;
- }
- default_lookups = ISC_FALSE;
- break;
- case 'a':
- if (!lookup->rdtypeset ||
- lookup->rdtype != dns_rdatatype_axfr)
- lookup->rdtype = dns_rdatatype_any;
- list_type = dns_rdatatype_any;
- list_addresses = ISC_FALSE;
- lookup->rdtypeset = ISC_TRUE;
- short_form = ISC_FALSE;
- default_lookups = ISC_FALSE;
- break;
- case 'i':
- lookup->ip6_int = ISC_TRUE;
- break;
- case 'n':
- /* deprecated */
- break;
- case 'w':
- /*
- * The timer routines are coded such that
- * timeout==MAXINT doesn't enable the timer
- */
- timeout = INT_MAX;
- break;
- case 'W':
- timeout = atoi(isc_commandline_argument);
- if (timeout < 1)
- timeout = 1;
- break;
- case 'R':
- tries = atoi(isc_commandline_argument) + 1;
- if (tries < 2)
- tries = 2;
- break;
- case 'T':
- lookup->tcp_mode = ISC_TRUE;
- break;
- case 'C':
- debug("showing all SOAs");
- lookup->rdtype = dns_rdatatype_ns;
- lookup->rdtypeset = ISC_TRUE;
- lookup->rdclass = dns_rdataclass_in;
- lookup->rdclassset = ISC_TRUE;
- lookup->ns_search_only = ISC_TRUE;
- lookup->trace_root = ISC_TRUE;
- lookup->identify_previous_line = ISC_TRUE;
- default_lookups = ISC_FALSE;
- break;
- case 'N':
- debug("setting NDOTS to %s",
- isc_commandline_argument);
- ndots = atoi(isc_commandline_argument);
- break;
- case 'D':
- debugging = ISC_TRUE;
- break;
- case '4':
- if (have_ipv4) {
- isc_net_disableipv6();
- have_ipv6 = ISC_FALSE;
- } else
- fatal("can't find IPv4 networking");
- break;
- case '6':
- if (have_ipv6) {
- isc_net_disableipv4();
- have_ipv4 = ISC_FALSE;
- } else
- fatal("can't find IPv6 networking");
- break;
- }
- }
-
- lookup->retries = tries;
-
- if (isc_commandline_index >= argc)
- show_usage();
-
- strncpy(hostname, argv[isc_commandline_index], sizeof(hostname));
- hostname[sizeof(hostname)-1]=0;
- if (argc > isc_commandline_index + 1) {
- set_nameserver(argv[isc_commandline_index+1]);
- debug("server is %s", argv[isc_commandline_index+1]);
- listed_server = ISC_TRUE;
- }
-
- lookup->pending = ISC_FALSE;
- if (get_reverse(store, sizeof(store), hostname,
- lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
- strncpy(lookup->textname, store, sizeof(lookup->textname));
- lookup->textname[sizeof(lookup->textname)-1] = 0;
- lookup->rdtype = dns_rdatatype_ptr;
- lookup->rdtypeset = ISC_TRUE;
- default_lookups = ISC_FALSE;
- } else {
- strncpy(lookup->textname, hostname, sizeof(lookup->textname));
- lookup->textname[sizeof(lookup->textname)-1]=0;
- }
- lookup->new_search = ISC_TRUE;
- ISC_LIST_APPEND(lookup_list, lookup, link);
-
- usesearch = ISC_TRUE;
-}
-
-int
-main(int argc, char **argv) {
- isc_result_t result;
-
- tries = 2;
-
- ISC_LIST_INIT(lookup_list);
- ISC_LIST_INIT(server_list);
- ISC_LIST_INIT(search_list);
-
- fatalexit = 1;
-
- debug("main()");
- progname = argv[0];
- result = isc_app_start();
- check_result(result, "isc_app_start");
- setup_libs();
- parse_args(ISC_FALSE, argc, argv);
- setup_system();
- result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
- check_result(result, "isc_app_onrun");
- isc_app_run();
- cancel_all();
- destroy_libs();
- isc_app_finish();
- return ((seen_error == 0) ? 0 : 1);
-}
-
diff --git a/contrib/bind9/bin/dig/host.docbook b/contrib/bind9/bin/dig/host.docbook
deleted file mode 100644
index 2b6e92b76d46..000000000000
--- a/contrib/bind9/bin/dig/host.docbook
+++ /dev/null
@@ -1,228 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: host.docbook,v 1.2.2.2.4.7 2005/05/13 01:22:32 marka Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>host</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>host</refname>
-<refpurpose>DNS lookup utility</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
- <command>host</command>
- <arg><option>-aCdlnrTwv</option></arg>
- <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
- <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
- <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
- <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
- <arg><option>-4</option></arg>
- <arg><option>-6</option></arg>
- <arg choice="req">name</arg>
- <arg choice="opt">server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>host</command>
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<command>host</command>
-prints a short summary of its command line arguments and options.
-</para>
-
-<para>
-<parameter>name</parameter> is the domain name that is to be looked
-up. It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <command>host</command> will by default
-perform a reverse lookup for that address.
-<parameter>server</parameter> is an optional argument which is either
-the name or IP address of the name server that <command>host</command>
-should query instead of the server or servers listed in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-The <option>-a</option> (all) option is equivalent to setting the
-<option>-v</option> option and asking <command>host</command> to make
-a query of type ANY.
-</para>
-
-<para>
-When the <option>-C</option> option is used, <command>host</command>
-will attempt to display the SOA records for zone
-<parameter>name</parameter> from all the listed authoritative name
-servers for that zone. The list of name servers is defined by the NS
-records that are found for the zone.
-</para>
-
-<para>
-The <option>-c</option> option instructs to make a DNS query of class
-<parameter>class</parameter>. This can be used to lookup Hesiod or
-Chaosnet class resource records. The default class is IN (Internet).
-</para>
-
-<para>
-Verbose output is generated by <command>host</command> when the
-<option>-d</option> or <option>-v</option> option is used. The two
-options are equivalent. They have been provided for backwards
-compatibility. In previous versions, the <option>-d</option> option
-switched on debugging traces and <option>-v</option> enabled verbose
-output.
-</para>
-
-<para>
-List mode is selected by the <option>-l</option> option. This makes
-<command>host</command> perform a zone transfer for zone
-<parameter>name</parameter>. Transfer the zone printing out the NS, PTR
-and address records (A/AAAA). If combined with <option>-a</option>
-all records will be printed.
-</para>
-
-<para>
-The <option>-i</option>
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
-</para>
-
-<para>
-The <option>-N</option> option sets the number of dots that have to be
-in <parameter>name</parameter> for it to be considered absolute. The
-default value is that defined using the ndots statement in
-<filename>/etc/resolv.conf</filename>, or 1 if no ndots statement is
-present. Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <type>search</type>
-or <type>domain</type> directive in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-The number of UDP retries for a lookup can be changed with the
-<option>-R</option> option. <parameter>number</parameter> indicates
-how many times <command>host</command> will repeat a query that does
-not get answered. The default number of retries is 1. If
-<parameter>number</parameter> is negative or zero, the number of
-retries will default to 1.
-</para>
-
-<para>
-Non-recursive queries can be made via the <option>-r</option> option.
-Setting this option clears the <type>RD</type> &mdash; recursion
-desired &mdash; bit in the query which <command>host</command> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <parameter>name</parameter>. The
-<option>-r</option> option enables <command>host</command> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</para>
-
-<para>
-By default <command>host</command> uses UDP when making queries. The
-<option>-T</option> option makes it use a TCP connection when querying
-the name server. TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</para>
-
-<para>
-The <option>-4</option> option forces <command>host</command> to only
-use IPv4 query transport. The <option>-6</option> option forces
-<command>host</command> to only use IPv6 query transport.
-</para>
-
-<para>
-The <option>-t</option> option is used to select the query type.
-<parameter>type</parameter> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-<command>host</command> automatically selects an appropriate query
-type. By default it looks for A records, but if the
-<option>-C</option> option was given, queries will be made for SOA
-records, and if <parameter>name</parameter> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <command>host</command> will
-query for PTR records. If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
-</para>
-
-<para>
-The time to wait for a reply can be controlled through the
-<option>-W</option> and <option>-w</option> options. The
-<option>-W</option> option makes <command>host</command> wait for
-<parameter>wait</parameter> seconds. If <parameter>wait</parameter>
-is less than one, the wait interval is set to one second. When the
-<option>-w</option> option is used, <command>host</command> will
-effectively wait forever for a reply. The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/bin/dig/host.html b/contrib/bind9/bin/dig/host.html
deleted file mode 100644
index 7670868ceed8..000000000000
--- a/contrib/bind9/bin/dig/host.html
+++ /dev/null
@@ -1,171 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: host.html,v 1.4.2.1.4.12 2005/10/13 02:33:44 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>host &#8212; DNS lookup utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525901"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">host</strong></span>
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<span><strong class="command">host</strong></span>
-prints a short summary of its command line arguments and options.
-</p>
-<p>
-<em class="parameter"><code>name</code></em> is the domain name that is to be looked
-up. It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <span><strong class="command">host</strong></span> will by default
-perform a reverse lookup for that address.
-<em class="parameter"><code>server</code></em> is an optional argument which is either
-the name or IP address of the name server that <span><strong class="command">host</strong></span>
-should query instead of the server or servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The <code class="option">-a</code> (all) option is equivalent to setting the
-<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
-a query of type ANY.
-</p>
-<p>
-When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
-will attempt to display the SOA records for zone
-<em class="parameter"><code>name</code></em> from all the listed authoritative name
-servers for that zone. The list of name servers is defined by the NS
-records that are found for the zone.
-</p>
-<p>
-The <code class="option">-c</code> option instructs to make a DNS query of class
-<em class="parameter"><code>class</code></em>. This can be used to lookup Hesiod or
-Chaosnet class resource records. The default class is IN (Internet).
-</p>
-<p>
-Verbose output is generated by <span><strong class="command">host</strong></span> when the
-<code class="option">-d</code> or <code class="option">-v</code> option is used. The two
-options are equivalent. They have been provided for backwards
-compatibility. In previous versions, the <code class="option">-d</code> option
-switched on debugging traces and <code class="option">-v</code> enabled verbose
-output.
-</p>
-<p>
-List mode is selected by the <code class="option">-l</code> option. This makes
-<span><strong class="command">host</strong></span> perform a zone transfer for zone
-<em class="parameter"><code>name</code></em>. Transfer the zone printing out the NS, PTR
-and address records (A/AAAA). If combined with <code class="option">-a</code>
-all records will be printed.
-</p>
-<p>
-The <code class="option">-i</code>
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
-</p>
-<p>
-The <code class="option">-N</code> option sets the number of dots that have to be
-in <em class="parameter"><code>name</code></em> for it to be considered absolute. The
-default value is that defined using the ndots statement in
-<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is
-present. Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <span class="type">search</span>
-or <span class="type">domain</span> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The number of UDP retries for a lookup can be changed with the
-<code class="option">-R</code> option. <em class="parameter"><code>number</code></em> indicates
-how many times <span><strong class="command">host</strong></span> will repeat a query that does
-not get answered. The default number of retries is 1. If
-<em class="parameter"><code>number</code></em> is negative or zero, the number of
-retries will default to 1.
-</p>
-<p>
-Non-recursive queries can be made via the <code class="option">-r</code> option.
-Setting this option clears the <span class="type">RD</span> &#8212; recursion
-desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <em class="parameter"><code>name</code></em>. The
-<code class="option">-r</code> option enables <span><strong class="command">host</strong></span> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</p>
-<p>
-By default <span><strong class="command">host</strong></span> uses UDP when making queries. The
-<code class="option">-T</code> option makes it use a TCP connection when querying
-the name server. TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</p>
-<p>
-The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
-use IPv4 query transport. The <code class="option">-6</code> option forces
-<span><strong class="command">host</strong></span> to only use IPv6 query transport.
-</p>
-<p>
-The <code class="option">-t</code> option is used to select the query type.
-<em class="parameter"><code>type</code></em> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-<span><strong class="command">host</strong></span> automatically selects an appropriate query
-type. By default it looks for A records, but if the
-<code class="option">-C</code> option was given, queries will be made for SOA
-records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
-query for PTR records. If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
-</p>
-<p>
-The time to wait for a reply can be controlled through the
-<code class="option">-W</code> and <code class="option">-w</code> options. The
-<code class="option">-W</code> option makes <span><strong class="command">host</strong></span> wait for
-<em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em>
-is less than one, the wait interval is set to one second. When the
-<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> will
-effectively wait forever for a reply. The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526241"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526253"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dig/include/dig/dig.h b/contrib/bind9/bin/dig/include/dig/dig.h
deleted file mode 100644
index 431d109cf081..000000000000
--- a/contrib/bind9/bin/dig/include/dig/dig.h
+++ /dev/null
@@ -1,377 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dig.h,v 1.71.2.6.2.11 2005/07/04 03:29:45 marka Exp $ */
-
-#ifndef DIG_H
-#define DIG_H
-
-#include <dns/rdatalist.h>
-
-#include <dst/dst.h>
-
-#include <isc/boolean.h>
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/list.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-
-#define MXSERV 20
-#define MXNAME (DNS_NAME_MAXTEXT+1)
-#define MXRD 32
-#define BUFSIZE 512
-#define COMMSIZE 0xffff
-#ifndef RESOLV_CONF
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif
-#define OUTPUTBUF 32767
-#define MAXRRLIMIT 0xffffffff
-#define MAXTIMEOUT 0xffff
-#define MAXTRIES 0xffffffff
-#define MAXNDOTS 0xffff
-#define MAXPORT 0xffff
-#define MAXSERIAL 0xffffffff
-
-/*
- * Default timeout values
- */
-#define TCP_TIMEOUT 10
-#define UDP_TIMEOUT 5
-
-#define SERVER_TIMEOUT 1
-
-#define LOOKUP_LIMIT 64
-/*
- * Lookup_limit is just a limiter, keeping too many lookups from being
- * created. It's job is mainly to prevent the program from running away
- * in a tight loop of constant lookups. It's value is arbitrary.
- */
-
-/*
- * Defaults for the sigchase suboptions. Consolidated here because
- * these control the layout of dig_lookup_t (among other things).
- */
-#ifdef DIG_SIGCHASE
-#ifndef DIG_SIGCHASE_BU
-#define DIG_SIGCHASE_BU 1
-#endif
-#ifndef DIG_SIGCHASE_TD
-#define DIG_SIGCHASE_TD 1
-#endif
-#endif
-
-ISC_LANG_BEGINDECLS
-
-typedef struct dig_lookup dig_lookup_t;
-typedef struct dig_query dig_query_t;
-typedef struct dig_server dig_server_t;
-#ifdef DIG_SIGCHASE
-typedef struct dig_message dig_message_t;
-#endif
-typedef ISC_LIST(dig_server_t) dig_serverlist_t;
-typedef struct dig_searchlist dig_searchlist_t;
-
-struct dig_lookup {
- isc_boolean_t
- pending, /* Pending a successful answer */
- waiting_connect,
- doing_xfr,
- ns_search_only, /* dig +nssearch, host -C */
- identify, /* Append an "on server <foo>" message */
- identify_previous_line, /* Prepend a "Nameserver <foo>:"
- message, with newline and tab */
- ignore,
- recurse,
- aaonly,
- adflag,
- cdflag,
- trace, /* dig +trace */
- trace_root, /* initial query for either +trace or +nssearch */
- tcp_mode,
- ip6_int,
- comments,
- stats,
- section_question,
- section_answer,
- section_authority,
- section_additional,
- servfail_stops,
- new_search,
- besteffort,
- dnssec;
-#ifdef DIG_SIGCHASE
-isc_boolean_t sigchase;
-#if DIG_SIGCHASE_TD
- isc_boolean_t do_topdown,
- trace_root_sigchase,
- rdtype_sigchaseset,
- rdclass_sigchaseset;
- /* Name we are going to validate RRset */
- char textnamesigchase[MXNAME];
-#endif
-#endif
-
- char textname[MXNAME]; /* Name we're going to be looking up */
- char cmdline[MXNAME];
- dns_rdatatype_t rdtype;
- dns_rdatatype_t qrdtype;
-#if DIG_SIGCHASE_TD
- dns_rdatatype_t rdtype_sigchase;
- dns_rdatatype_t qrdtype_sigchase;
- dns_rdataclass_t rdclass_sigchase;
-#endif
- dns_rdataclass_t rdclass;
- isc_boolean_t rdtypeset;
- isc_boolean_t rdclassset;
- char namespace[BUFSIZE];
- char onamespace[BUFSIZE];
- isc_buffer_t namebuf;
- isc_buffer_t onamebuf;
- isc_buffer_t sendbuf;
- char *sendspace;
- dns_name_t *name;
- isc_timer_t *timer;
- isc_interval_t interval;
- dns_message_t *sendmsg;
- dns_name_t *oname;
- ISC_LINK(dig_lookup_t) link;
- ISC_LIST(dig_query_t) q;
- dig_query_t *current_query;
- dig_serverlist_t my_server_list;
- dig_searchlist_t *origin;
- dig_query_t *xfr_q;
- isc_uint32_t retries;
- int nsfound;
- isc_uint16_t udpsize;
- isc_uint32_t ixfr_serial;
- isc_buffer_t rdatabuf;
- char rdatastore[MXNAME];
- dst_context_t *tsigctx;
- isc_buffer_t *querysig;
- isc_uint32_t msgcounter;
-};
-
-struct dig_query {
- dig_lookup_t *lookup;
- isc_boolean_t waiting_connect,
- first_pass,
- first_soa_rcvd,
- second_rr_rcvd,
- first_repeat_rcvd,
- recv_made,
- warn_id;
- isc_uint32_t first_rr_serial;
- isc_uint32_t second_rr_serial;
- isc_uint32_t msg_count;
- isc_uint32_t rr_count;
- char *servname;
- char *userarg;
- isc_bufferlist_t sendlist,
- recvlist,
- lengthlist;
- isc_buffer_t recvbuf,
- lengthbuf,
- slbuf;
- char *recvspace,
- lengthspace[4],
- slspace[4];
- isc_socket_t *sock;
- ISC_LINK(dig_query_t) link;
- isc_sockaddr_t sockaddr;
- isc_time_t time_sent;
-};
-
-struct dig_server {
- char servername[MXNAME];
- char userarg[MXNAME];
- ISC_LINK(dig_server_t) link;
-};
-
-struct dig_searchlist {
- char origin[MXNAME];
- ISC_LINK(dig_searchlist_t) link;
-};
-#ifdef DIG_SIGCHASE
-struct dig_message {
- dns_message_t *msg;
- ISC_LINK(dig_message_t) link;
-};
-#endif
-
-typedef ISC_LIST(dig_searchlist_t) dig_searchlistlist_t;
-typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
-
-/*
- * Externals from dighost.c
- */
-
-extern dig_lookuplist_t lookup_list;
-extern dig_serverlist_t server_list;
-extern dig_searchlistlist_t search_list;
-
-extern isc_boolean_t have_ipv4, have_ipv6, specified_source,
- usesearch, qr;
-extern in_port_t port;
-extern unsigned int timeout;
-extern isc_mem_t *mctx;
-extern dns_messageid_t id;
-extern int sendcount;
-extern int ndots;
-extern int lookup_counter;
-extern int exitcode;
-extern isc_sockaddr_t bind_address;
-extern char keynametext[MXNAME];
-extern char keyfile[MXNAME];
-extern char keysecret[MXNAME];
-#ifdef DIG_SIGCHASE
-extern char trustedkey[MXNAME];
-#endif
-extern dns_tsigkey_t *key;
-extern isc_boolean_t validated;
-extern isc_taskmgr_t *taskmgr;
-extern isc_task_t *global_task;
-extern isc_boolean_t free_now;
-extern isc_boolean_t debugging, memdebugging;
-
-extern char *progname;
-extern int tries;
-extern int fatalexit;
-
-/*
- * Routines in dighost.c.
- */
-void
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
-
-isc_result_t
-get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
- isc_boolean_t strict);
-
-void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-check_result(isc_result_t result, const char *msg);
-
-void
-setup_lookup(dig_lookup_t *lookup);
-
-void
-do_lookup(dig_lookup_t *lookup);
-
-void
-start_lookup(void);
-
-void
-onrun_callback(isc_task_t *task, isc_event_t *event);
-
-int
-dhmain(int argc, char **argv);
-
-void
-setup_libs(void);
-
-void
-setup_system(void);
-
-dig_lookup_t *
-requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
-
-dig_lookup_t *
-make_empty_lookup(void);
-
-dig_lookup_t *
-clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
-
-dig_server_t *
-make_server(const char *servname, const char *userarg);
-
-void
-flush_server_list(void);
-
-void
-set_nameserver(char *opt);
-
-void
-clone_server_list(dig_serverlist_t src,
- dig_serverlist_t *dest);
-
-void
-cancel_all(void);
-
-void
-destroy_libs(void);
-
-void
-set_search_domain(char *domain);
-
-#ifdef DIG_SIGCHASE
-void
-clean_trustedkey(void);
-#endif
-
-/*
- * Routines to be defined in dig.c, host.c, and nslookup.c.
- */
-#ifdef DIG_SIGCHASE
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
- isc_buffer_t *target);
-#endif
-
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
-/*
- * Print the final result of the lookup.
- */
-
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
-/*
- * Print a message about where and when the response
- * was received from, like the final comment in the
- * output of "dig".
- */
-
-void
-trying(char *frm, dig_lookup_t *lookup);
-
-void
-dighost_shutdown(void);
-
-char *
-next_token(char **stringp, const char *delim);
-
-#ifdef DIG_SIGCHASE
-/* Chasing functions */
-dns_rdataset_t *
-chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers);
-void
-chase_sig(dns_message_t *msg);
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/bin/dig/nslookup.1 b/contrib/bind9/bin/dig/nslookup.1
deleted file mode 100644
index 3de04ca4f912..000000000000
--- a/contrib/bind9/bin/dig/nslookup.1
+++ /dev/null
@@ -1,181 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: nslookup.1,v 1.1.6.5 2005/10/13 02:33:43 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-nslookup \- query Internet name servers interactively
-.SH "SYNOPSIS"
-.HP 9
-\fBnslookup\fR [\fB\-option\fR] [name\ |\ \-] [server]
-.SH "DESCRIPTION"
-.PP
-\fBNslookup\fR
-is a program to query Internet domain name servers.
-\fBNslookup\fR
-has two modes: interactive and non\-interactive. Interactive mode allows the user to query name servers for information about various hosts and domains or to print a list of hosts in a domain. Non\-interactive mode is used to print just the name and requested information for a host or domain.
-.SH "ARGUMENTS"
-.PP
-Interactive mode is entered in the following cases:
-.TP 3
-1.
-when no arguments are given (the default name server will be used)
-.TP
-2.
-when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
-.PP
-Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
-.PP
-Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.IP .sp .nf nslookup \-query=hinfo \-timeout=10 .fi
-.SH "INTERACTIVE COMMANDS"
-.TP
-host [server]
-Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
-.sp
-To look up a host not in the current domain, append a period to the name.
-.TP
-\fBserver\fR \fIdomain\fR
-.TP
-\fBlserver\fR \fIdomain\fR
-Change the default server to
-\fIdomain\fR;
-\fBlserver\fR
-uses the initial server to look up information about
-\fIdomain\fR, while
-\fBserver\fR
-uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.TP
-\fBroot\fR
-not implemented
-.TP
-\fBfinger\fR
-not implemented
-.TP
-\fBls\fR
-not implemented
-.TP
-\fBview\fR
-not implemented
-.TP
-\fBhelp\fR
-not implemented
-.TP
-\fB?\fR
-not implemented
-.TP
-\fBexit\fR
-Exits the program.
-.TP
-\fBset\fR \fIkeyword\fR\fI[=value]\fR
-This command is used to change state information that affects the lookups. Valid keywords are:
-.RS
-.TP
-\fBall\fR
-Prints the current values of the frequently used options to
-\fBset\fR. Information about the current default server and host is also printed.
-.TP
-\fBclass=\fR\fIvalue\fR
-Change the query class to one of:
-.RS
-.TP
-\fBIN\fR
-the Internet class
-.TP
-\fBCH\fR
-the Chaos class
-.TP
-\fBHS\fR
-the Hesiod class
-.TP
-\fBANY\fR
-wildcard
-.RE
-.IP
-The class specifies the protocol group of the information.
-.sp
-(Default = IN; abbreviation = cl)
-.TP
-\fB\fI[no]\fR\fR\fBdebug\fR
-Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
-.sp
-(Default = nodebug; abbreviation =
-[no]deb)
-.TP
-\fB\fI[no]\fR\fR\fBd2\fR
-Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
-.sp
-(Default = nod2)
-.TP
-\fBdomain=\fR\fIname\fR
-Sets the search list to
-\fIname\fR.
-.TP
-\fB\fI[no]\fR\fR\fBsearch\fR
-If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
-.sp
-(Default = search)
-.TP
-\fBport=\fR\fIvalue\fR
-Change the default TCP/UDP name server port to
-\fIvalue\fR.
-.sp
-(Default = 53; abbreviation = po)
-.TP
-\fBquerytype=\fR\fIvalue\fR
-.TP
-\fBtype=\fR\fIvalue\fR
-Change the top of the information query.
-.sp
-(Default = A; abbreviations = q, ty)
-.TP
-\fB\fI[no]\fR\fR\fBrecurse\fR
-Tell the name server to query other servers if it does not have the information.
-.sp
-(Default = recurse; abbreviation = [no]rec)
-.TP
-\fBretry=\fR\fInumber\fR
-Set the number of retries to number.
-.TP
-\fBtimeout=\fR\fInumber\fR
-Change the initial timeout interval for waiting for a reply to number seconds.
-.TP
-\fB\fI[no]\fR\fR\fBvc\fR
-Always use a virtual circuit when sending requests to the server.
-.sp
-(Default = novc)
-.RE
-.IP
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBdig\fR(1),
-\fBhost\fR(1),
-\fBnamed\fR(8).
-.SH "AUTHOR"
-.PP
-Andrew Cherenson
diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c
deleted file mode 100644
index ab9ed68764c8..000000000000
--- a/contrib/bind9/bin/dig/nslookup.c
+++ /dev/null
@@ -1,876 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nslookup.c,v 1.90.2.4.2.10 2005/07/12 05:47:42 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/app.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/event.h>
-#include <isc/parseint.h>
-#include <isc/string.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-#include <isc/task.h>
-#include <isc/netaddr.h>
-
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/fixedname.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/byaddr.h>
-
-#include <dig/dig.h>
-
-static isc_boolean_t short_form = ISC_TRUE,
- tcpmode = ISC_FALSE,
- identify = ISC_FALSE, stats = ISC_TRUE,
- comments = ISC_TRUE, section_question = ISC_TRUE,
- section_answer = ISC_TRUE, section_authority = ISC_TRUE,
- section_additional = ISC_TRUE, recurse = ISC_TRUE,
- aaonly = ISC_FALSE;
-static isc_boolean_t in_use = ISC_FALSE;
-static char defclass[MXRD] = "IN";
-static char deftype[MXRD] = "A";
-static isc_event_t *global_event = NULL;
-
-static char domainopt[DNS_NAME_MAXTEXT];
-
-static const char *rcodetext[] = {
- "NOERROR",
- "FORMERR",
- "SERVFAIL",
- "NXDOMAIN",
- "NOTIMP",
- "REFUSED",
- "YXDOMAIN",
- "YXRRSET",
- "NXRRSET",
- "NOTAUTH",
- "NOTZONE",
- "RESERVED11",
- "RESERVED12",
- "RESERVED13",
- "RESERVED14",
- "RESERVED15",
- "BADVERS"
-};
-
-static const char *rtypetext[] = {
- "rtype_0 = ", /* 0 */
- "internet address = ", /* 1 */
- "nameserver = ", /* 2 */
- "md = ", /* 3 */
- "mf = ", /* 4 */
- "canonical name = ", /* 5 */
- "soa = ", /* 6 */
- "mb = ", /* 7 */
- "mg = ", /* 8 */
- "mr = ", /* 9 */
- "rtype_10 = ", /* 10 */
- "protocol = ", /* 11 */
- "name = ", /* 12 */
- "hinfo = ", /* 13 */
- "minfo = ", /* 14 */
- "mail exchanger = ", /* 15 */
- "text = ", /* 16 */
- "rp = ", /* 17 */
- "afsdb = ", /* 18 */
- "x25 address = ", /* 19 */
- "isdn address = ", /* 20 */
- "rt = ", /* 21 */
- "nsap = ", /* 22 */
- "nsap_ptr = ", /* 23 */
- "signature = ", /* 24 */
- "key = ", /* 25 */
- "px = ", /* 26 */
- "gpos = ", /* 27 */
- "has AAAA address ", /* 28 */
- "loc = ", /* 29 */
- "next = ", /* 30 */
- "rtype_31 = ", /* 31 */
- "rtype_32 = ", /* 32 */
- "service = ", /* 33 */
- "rtype_34 = ", /* 34 */
- "naptr = ", /* 35 */
- "kx = ", /* 36 */
- "cert = ", /* 37 */
- "v6 address = ", /* 38 */
- "dname = ", /* 39 */
- "rtype_40 = ", /* 40 */
- "optional = " /* 41 */
-};
-
-#define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
-
-static void flush_lookup_list(void);
-static void getinput(isc_task_t *task, isc_event_t *event);
-
-void
-dighost_shutdown(void) {
- isc_event_t *event = global_event;
-
- flush_lookup_list();
- debug("dighost_shutdown()");
-
- if (!in_use) {
- isc_app_shutdown();
- return;
- }
-
- isc_task_send(global_task, &event);
-}
-
-static void
-printsoa(dns_rdata_t *rdata) {
- dns_rdata_soa_t soa;
- isc_result_t result;
- char namebuf[DNS_NAME_FORMATSIZE];
-
- result = dns_rdata_tostruct(rdata, &soa, NULL);
- check_result(result, "dns_rdata_tostruct");
-
- dns_name_format(&soa.origin, namebuf, sizeof(namebuf));
- printf("\torigin = %s\n", namebuf);
- dns_name_format(&soa.contact, namebuf, sizeof(namebuf));
- printf("\tmail addr = %s\n", namebuf);
- printf("\tserial = %u\n", soa.serial);
- printf("\trefresh = %u\n", soa.refresh);
- printf("\tretry = %u\n", soa.retry);
- printf("\texpire = %u\n", soa.expire);
- printf("\tminimum = %u\n", soa.minimum);
- dns_rdata_freestruct(&soa);
-}
-
-static void
-printa(dns_rdata_t *rdata) {
- isc_result_t result;
- char text[sizeof("255.255.255.255")];
- isc_buffer_t b;
-
- isc_buffer_init(&b, text, sizeof(text));
- result = dns_rdata_totext(rdata, NULL, &b);
- check_result(result, "dns_rdata_totext");
- printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
- (char *)isc_buffer_base(&b));
-}
-#ifdef DIG_SIGCHASE
-/* Just for compatibility : not use in host program */
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
- isc_buffer_t *target)
-{
- UNUSED(owner_name);
- UNUSED(rdataset);
- UNUSED(target);
- return(ISC_FALSE);
-}
-#endif
-static void
-printrdata(dns_rdata_t *rdata) {
- isc_result_t result;
- isc_buffer_t *b = NULL;
- unsigned int size = 1024;
- isc_boolean_t done = ISC_FALSE;
-
- if (rdata->type < N_KNOWN_RRTYPES)
- printf("%s", rtypetext[rdata->type]);
- else
- printf("rdata_%d = ", rdata->type);
-
- while (!done) {
- result = isc_buffer_allocate(mctx, &b, size);
- if (result != ISC_R_SUCCESS)
- check_result(result, "isc_buffer_allocate");
- result = dns_rdata_totext(rdata, NULL, b);
- if (result == ISC_R_SUCCESS) {
- printf("%.*s\n", (int)isc_buffer_usedlength(b),
- (char *)isc_buffer_base(b));
- done = ISC_TRUE;
- } else if (result != ISC_R_NOSPACE)
- check_result(result, "dns_rdata_totext");
- isc_buffer_free(&b);
- size *= 2;
- }
-}
-
-static isc_result_t
-printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
- dns_section_t section) {
- isc_result_t result, loopresult;
- dns_name_t *name;
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- char namebuf[DNS_NAME_FORMATSIZE];
-
- UNUSED(query);
- UNUSED(headers);
-
- debug("printsection()");
-
- result = dns_message_firstname(msg, section);
- if (result == ISC_R_NOMORE)
- return (ISC_R_SUCCESS);
- else if (result != ISC_R_SUCCESS)
- return (result);
- for (;;) {
- name = NULL;
- dns_message_currentname(msg, section,
- &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- loopresult = dns_rdataset_first(rdataset);
- while (loopresult == ISC_R_SUCCESS) {
- dns_rdataset_current(rdataset, &rdata);
- switch (rdata.type) {
- case dns_rdatatype_a:
- if (section != DNS_SECTION_ANSWER)
- goto def_short_section;
- dns_name_format(name, namebuf,
- sizeof(namebuf));
- printf("Name:\t%s\n", namebuf);
- printa(&rdata);
- break;
- case dns_rdatatype_soa:
- dns_name_format(name, namebuf,
- sizeof(namebuf));
- printf("%s\n", namebuf);
- printsoa(&rdata);
- break;
- default:
- def_short_section:
- dns_name_format(name, namebuf,
- sizeof(namebuf));
- printf("%s\t", namebuf);
- printrdata(&rdata);
- break;
- }
- dns_rdata_reset(&rdata);
- loopresult = dns_rdataset_next(rdataset);
- }
- }
- result = dns_message_nextname(msg, section);
- if (result == ISC_R_NOMORE)
- break;
- else if (result != ISC_R_SUCCESS) {
- return (result);
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
- dns_section_t section) {
- isc_result_t result, loopresult;
- dns_name_t *name;
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- char namebuf[DNS_NAME_FORMATSIZE];
-
- UNUSED(query);
-
- debug("detailsection()");
-
- if (headers) {
- switch (section) {
- case DNS_SECTION_QUESTION:
- puts(" QUESTIONS:");
- break;
- case DNS_SECTION_ANSWER:
- puts(" ANSWERS:");
- break;
- case DNS_SECTION_AUTHORITY:
- puts(" AUTHORITY RECORDS:");
- break;
- case DNS_SECTION_ADDITIONAL:
- puts(" ADDITIONAL RECORDS:");
- break;
- }
- }
-
- result = dns_message_firstname(msg, section);
- if (result == ISC_R_NOMORE)
- return (ISC_R_SUCCESS);
- else if (result != ISC_R_SUCCESS)
- return (result);
- for (;;) {
- name = NULL;
- dns_message_currentname(msg, section,
- &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (section == DNS_SECTION_QUESTION) {
- dns_name_format(name, namebuf,
- sizeof(namebuf));
- printf("\t%s, ", namebuf);
- dns_rdatatype_format(rdataset->type,
- namebuf,
- sizeof(namebuf));
- printf("type = %s, ", namebuf);
- dns_rdataclass_format(rdataset->rdclass,
- namebuf,
- sizeof(namebuf));
- printf("class = %s\n", namebuf);
- }
- loopresult = dns_rdataset_first(rdataset);
- while (loopresult == ISC_R_SUCCESS) {
- dns_rdataset_current(rdataset, &rdata);
-
- dns_name_format(name, namebuf,
- sizeof(namebuf));
- printf(" -> %s\n", namebuf);
-
- switch (rdata.type) {
- case dns_rdatatype_soa:
- printsoa(&rdata);
- break;
- default:
- printf("\t");
- printrdata(&rdata);
- }
- dns_rdata_reset(&rdata);
- loopresult = dns_rdataset_next(rdataset);
- }
- }
- result = dns_message_nextname(msg, section);
- if (result == ISC_R_NOMORE)
- break;
- else if (result != ISC_R_SUCCESS) {
- return (result);
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
-{
- UNUSED(bytes);
- UNUSED(from);
- UNUSED(query);
-}
-
-void
-trying(char *frm, dig_lookup_t *lookup) {
- UNUSED(frm);
- UNUSED(lookup);
-
-}
-
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
- char servtext[ISC_SOCKADDR_FORMATSIZE];
-
- debug("printmessage()");
-
- isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
- printf("Server:\t\t%s\n", query->userarg);
- printf("Address:\t%s\n", servtext);
-
- puts("");
-
- if (!short_form) {
- isc_boolean_t headers = ISC_TRUE;
- puts("------------");
- /* detailheader(query, msg);*/
- detailsection(query, msg, headers, DNS_SECTION_QUESTION);
- detailsection(query, msg, headers, DNS_SECTION_ANSWER);
- detailsection(query, msg, headers, DNS_SECTION_AUTHORITY);
- detailsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
- puts("------------");
- }
-
- if (msg->rcode != 0) {
- char nametext[DNS_NAME_FORMATSIZE];
- dns_name_format(query->lookup->name,
- nametext, sizeof(nametext));
- printf("** server can't find %s: %s\n", nametext,
- rcodetext[msg->rcode]);
- debug("returning with rcode == 0");
- return (ISC_R_SUCCESS);
- }
-
- if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0)
- puts("Non-authoritative answer:");
- if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
- printsection(query, msg, headers, DNS_SECTION_ANSWER);
- else
- printf("*** Can't find %s: No answer\n",
- query->lookup->textname);
-
- if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
- (query->lookup->rdtype != dns_rdatatype_a)) {
- puts("\nAuthoritative answers can be found from:");
- printsection(query, msg, headers,
- DNS_SECTION_AUTHORITY);
- printsection(query, msg, headers,
- DNS_SECTION_ADDITIONAL);
- }
- return (ISC_R_SUCCESS);
-}
-
-static void
-show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
- dig_server_t *srv;
- isc_sockaddr_t sockaddr;
- dig_searchlist_t *listent;
-
- srv = ISC_LIST_HEAD(server_list);
-
- while (srv != NULL) {
- char sockstr[ISC_SOCKADDR_FORMATSIZE];
-
- get_address(srv->servername, port, &sockaddr);
- isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
- printf("Default server: %s\nAddress: %s\n",
- srv->userarg, sockstr);
- if (!full)
- return;
- srv = ISC_LIST_NEXT(srv, link);
- }
- if (serv_only)
- return;
- printf("\nSet options:\n");
- printf(" %s\t\t\t%s\t\t%s\n",
- tcpmode ? "vc" : "novc",
- short_form ? "nodebug" : "debug",
- debugging ? "d2" : "nod2");
- printf(" %s\t\t%s\n",
- usesearch ? "search" : "nosearch",
- recurse ? "recurse" : "norecurse");
- printf(" timeout = %d\t\tretry = %d\tport = %d\n",
- timeout, tries, port);
- printf(" querytype = %-8s\tclass = %s\n", deftype, defclass);
- printf(" srchlist = ");
- for (listent = ISC_LIST_HEAD(search_list);
- listent != NULL;
- listent = ISC_LIST_NEXT(listent, link)) {
- printf("%s", listent->origin);
- if (ISC_LIST_NEXT(listent, link) != NULL)
- printf("/");
- }
- printf("\n");
-}
-
-static isc_boolean_t
-testtype(char *typetext) {
- isc_result_t result;
- isc_textregion_t tr;
- dns_rdatatype_t rdtype;
-
- tr.base = typetext;
- tr.length = strlen(typetext);
- result = dns_rdatatype_fromtext(&rdtype, &tr);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- else {
- printf("unknown query type: %s\n", typetext);
- return (ISC_FALSE);
- }
-}
-
-static isc_boolean_t
-testclass(char *typetext) {
- isc_result_t result;
- isc_textregion_t tr;
- dns_rdataclass_t rdclass;
-
- tr.base = typetext;
- tr.length = strlen(typetext);
- result = dns_rdataclass_fromtext(&rdclass, &tr);
- if (result == ISC_R_SUCCESS)
- return (ISC_TRUE);
- else {
- printf("unknown query class: %s\n", typetext);
- return (ISC_FALSE);
- }
-}
-
-static void
-safecpy(char *dest, char *src, int size) {
- strncpy(dest, src, size);
- dest[size-1] = 0;
-}
-
-static isc_result_t
-parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
- const char *desc) {
- isc_uint32_t n;
- isc_result_t result = isc_parse_uint32(&n, value, 10);
- if (result == ISC_R_SUCCESS && n > max)
- result = ISC_R_RANGE;
- if (result != ISC_R_SUCCESS) {
- printf("invalid %s '%s': %s\n", desc,
- value, isc_result_totext(result));
- return result;
- }
- *uip = n;
- return (ISC_R_SUCCESS);
-}
-
-static void
-set_port(const char *value) {
- isc_uint32_t n;
- isc_result_t result = parse_uint(&n, value, 65535, "port");
- if (result == ISC_R_SUCCESS)
- port = (isc_uint16_t) n;
-}
-
-static void
-set_timeout(const char *value) {
- isc_uint32_t n;
- isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
- if (result == ISC_R_SUCCESS)
- timeout = n;
-}
-
-static void
-set_tries(const char *value) {
- isc_uint32_t n;
- isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
- if (result == ISC_R_SUCCESS)
- tries = n;
-}
-
-static void
-setoption(char *opt) {
- if (strncasecmp(opt, "all", 4) == 0) {
- show_settings(ISC_TRUE, ISC_FALSE);
- } else if (strncasecmp(opt, "class=", 6) == 0) {
- if (testclass(&opt[6]))
- safecpy(defclass, &opt[6], sizeof(defclass));
- } else if (strncasecmp(opt, "cl=", 3) == 0) {
- if (testclass(&opt[3]))
- safecpy(defclass, &opt[3], sizeof(defclass));
- } else if (strncasecmp(opt, "type=", 5) == 0) {
- if (testtype(&opt[5]))
- safecpy(deftype, &opt[5], sizeof(deftype));
- } else if (strncasecmp(opt, "ty=", 3) == 0) {
- if (testtype(&opt[3]))
- safecpy(deftype, &opt[3], sizeof(deftype));
- } else if (strncasecmp(opt, "querytype=", 10) == 0) {
- if (testtype(&opt[10]))
- safecpy(deftype, &opt[10], sizeof(deftype));
- } else if (strncasecmp(opt, "query=", 6) == 0) {
- if (testtype(&opt[6]))
- safecpy(deftype, &opt[6], sizeof(deftype));
- } else if (strncasecmp(opt, "qu=", 3) == 0) {
- if (testtype(&opt[3]))
- safecpy(deftype, &opt[3], sizeof(deftype));
- } else if (strncasecmp(opt, "q=", 2) == 0) {
- if (testtype(&opt[2]))
- safecpy(deftype, &opt[2], sizeof(deftype));
- } else if (strncasecmp(opt, "domain=", 7) == 0) {
- safecpy(domainopt, &opt[7], sizeof(domainopt));
- set_search_domain(domainopt);
- usesearch = ISC_TRUE;
- } else if (strncasecmp(opt, "do=", 3) == 0) {
- safecpy(domainopt, &opt[3], sizeof(domainopt));
- set_search_domain(domainopt);
- usesearch = ISC_TRUE;
- } else if (strncasecmp(opt, "port=", 5) == 0) {
- set_port(&opt[5]);
- } else if (strncasecmp(opt, "po=", 3) == 0) {
- set_port(&opt[3]);
- } else if (strncasecmp(opt, "timeout=", 8) == 0) {
- set_timeout(&opt[8]);
- } else if (strncasecmp(opt, "t=", 2) == 0) {
- set_timeout(&opt[2]);
- } else if (strncasecmp(opt, "rec", 3) == 0) {
- recurse = ISC_TRUE;
- } else if (strncasecmp(opt, "norec", 5) == 0) {
- recurse = ISC_FALSE;
- } else if (strncasecmp(opt, "retry=", 6) == 0) {
- set_tries(&opt[6]);
- } else if (strncasecmp(opt, "ret=", 4) == 0) {
- set_tries(&opt[4]);
- } else if (strncasecmp(opt, "def", 3) == 0) {
- usesearch = ISC_TRUE;
- } else if (strncasecmp(opt, "nodef", 5) == 0) {
- usesearch = ISC_FALSE;
- } else if (strncasecmp(opt, "vc", 3) == 0) {
- tcpmode = ISC_TRUE;
- } else if (strncasecmp(opt, "novc", 5) == 0) {
- tcpmode = ISC_FALSE;
- } else if (strncasecmp(opt, "deb", 3) == 0) {
- short_form = ISC_FALSE;
- } else if (strncasecmp(opt, "nodeb", 5) == 0) {
- short_form = ISC_TRUE;
- } else if (strncasecmp(opt, "d2", 2) == 0) {
- debugging = ISC_TRUE;
- } else if (strncasecmp(opt, "nod2", 4) == 0) {
- debugging = ISC_FALSE;
- } else if (strncasecmp(opt, "search", 3) == 0) {
- usesearch = ISC_TRUE;
- } else if (strncasecmp(opt, "nosearch", 5) == 0) {
- usesearch = ISC_FALSE;
- } else if (strncasecmp(opt, "sil", 3) == 0) {
- /* deprecation_msg = ISC_FALSE; */
- } else {
- printf("*** Invalid option: %s\n", opt);
- }
-}
-
-static void
-addlookup(char *opt) {
- dig_lookup_t *lookup;
- isc_result_t result;
- isc_textregion_t tr;
- dns_rdatatype_t rdtype;
- dns_rdataclass_t rdclass;
- char store[MXNAME];
-
- debug("addlookup()");
- tr.base = deftype;
- tr.length = strlen(deftype);
- result = dns_rdatatype_fromtext(&rdtype, &tr);
- if (result != ISC_R_SUCCESS) {
- printf("unknown query type: %s\n", deftype);
- rdclass = dns_rdatatype_a;
- }
- tr.base = defclass;
- tr.length = strlen(defclass);
- result = dns_rdataclass_fromtext(&rdclass, &tr);
- if (result != ISC_R_SUCCESS) {
- printf("unknown query class: %s\n", defclass);
- rdclass = dns_rdataclass_in;
- }
- lookup = make_empty_lookup();
- if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE)
- == ISC_R_SUCCESS) {
- safecpy(lookup->textname, store, sizeof(lookup->textname));
- lookup->rdtype = dns_rdatatype_ptr;
- lookup->rdtypeset = ISC_TRUE;
- } else {
- safecpy(lookup->textname, opt, sizeof(lookup->textname));
- lookup->rdtype = rdtype;
- lookup->rdtypeset = ISC_TRUE;
- }
- lookup->rdclass = rdclass;
- lookup->rdclassset = ISC_TRUE;
- lookup->trace = ISC_FALSE;
- lookup->trace_root = lookup->trace;
- lookup->ns_search_only = ISC_FALSE;
- lookup->identify = identify;
- lookup->recurse = recurse;
- lookup->aaonly = aaonly;
- lookup->retries = tries;
- lookup->udpsize = 0;
- lookup->comments = comments;
- lookup->tcp_mode = tcpmode;
- lookup->stats = stats;
- lookup->section_question = section_question;
- lookup->section_answer = section_answer;
- lookup->section_authority = section_authority;
- lookup->section_additional = section_additional;
- lookup->new_search = ISC_TRUE;
- ISC_LIST_INIT(lookup->q);
- ISC_LINK_INIT(lookup, link);
- ISC_LIST_APPEND(lookup_list, lookup, link);
- lookup->origin = NULL;
- ISC_LIST_INIT(lookup->my_server_list);
- debug("looking up %s", lookup->textname);
-}
-
-static void
-get_next_command(void) {
- char *buf;
- char *ptr, *arg;
- char *input;
-
- fflush(stdout);
- buf = isc_mem_allocate(mctx, COMMSIZE);
- if (buf == NULL)
- fatal("memory allocation failure");
- fputs("> ", stderr);
- isc_app_block();
- ptr = fgets(buf, COMMSIZE, stdin);
- isc_app_unblock();
- if (ptr == NULL) {
- in_use = ISC_FALSE;
- goto cleanup;
- }
- input = buf;
- ptr = next_token(&input, " \t\r\n");
- if (ptr == NULL)
- goto cleanup;
- arg = next_token(&input, " \t\r\n");
- if ((strcasecmp(ptr, "set") == 0) &&
- (arg != NULL))
- setoption(arg);
- else if ((strcasecmp(ptr, "server") == 0) ||
- (strcasecmp(ptr, "lserver") == 0)) {
- isc_app_block();
- set_nameserver(arg);
- isc_app_unblock();
- show_settings(ISC_TRUE, ISC_TRUE);
- } else if (strcasecmp(ptr, "exit") == 0) {
- in_use = ISC_FALSE;
- goto cleanup;
- } else if (strcasecmp(ptr, "help") == 0 ||
- strcasecmp(ptr, "?") == 0) {
- printf("The '%s' command is not yet implemented.\n", ptr);
- goto cleanup;
- } else if (strcasecmp(ptr, "finger") == 0 ||
- strcasecmp(ptr, "root") == 0 ||
- strcasecmp(ptr, "ls") == 0 ||
- strcasecmp(ptr, "view") == 0) {
- printf("The '%s' command is not implemented.\n", ptr);
- goto cleanup;
- } else
- addlookup(ptr);
- cleanup:
- isc_mem_free(mctx, buf);
-}
-
-static void
-parse_args(int argc, char **argv) {
- isc_boolean_t have_lookup = ISC_FALSE;
-
- usesearch = ISC_TRUE;
- for (argc--, argv++; argc > 0; argc--, argv++) {
- debug("main parsing %s", argv[0]);
- if (argv[0][0] == '-') {
- if (argv[0][1] != 0)
- setoption(&argv[0][1]);
- else
- have_lookup = ISC_TRUE;
- } else {
- if (!have_lookup) {
- have_lookup = ISC_TRUE;
- in_use = ISC_TRUE;
- addlookup(argv[0]);
- }
- else
- set_nameserver(argv[0]);
- }
- }
-}
-
-static void
-flush_lookup_list(void) {
- dig_lookup_t *l, *lp;
- dig_query_t *q, *qp;
- dig_server_t *s, *sp;
-
- lookup_counter = 0;
- l = ISC_LIST_HEAD(lookup_list);
- while (l != NULL) {
- q = ISC_LIST_HEAD(l->q);
- while (q != NULL) {
- if (q->sock != NULL) {
- isc_socket_cancel(q->sock, NULL,
- ISC_SOCKCANCEL_ALL);
- isc_socket_detach(&q->sock);
- }
- if (ISC_LINK_LINKED(&q->recvbuf, link))
- ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
- link);
- if (ISC_LINK_LINKED(&q->lengthbuf, link))
- ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
- link);
- isc_buffer_invalidate(&q->recvbuf);
- isc_buffer_invalidate(&q->lengthbuf);
- qp = q;
- q = ISC_LIST_NEXT(q, link);
- ISC_LIST_DEQUEUE(l->q, qp, link);
- isc_mem_free(mctx, qp);
- }
- s = ISC_LIST_HEAD(l->my_server_list);
- while (s != NULL) {
- sp = s;
- s = ISC_LIST_NEXT(s, link);
- ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
- isc_mem_free(mctx, sp);
-
- }
- if (l->sendmsg != NULL)
- dns_message_destroy(&l->sendmsg);
- if (l->timer != NULL)
- isc_timer_detach(&l->timer);
- lp = l;
- l = ISC_LIST_NEXT(l, link);
- ISC_LIST_DEQUEUE(lookup_list, lp, link);
- isc_mem_free(mctx, lp);
- }
-}
-
-static void
-getinput(isc_task_t *task, isc_event_t *event) {
- UNUSED(task);
- if (global_event == NULL)
- global_event = event;
- while (in_use) {
- get_next_command();
- if (ISC_LIST_HEAD(lookup_list) != NULL) {
- start_lookup();
- return;
- }
- }
- isc_app_shutdown();
-}
-
-int
-main(int argc, char **argv) {
- isc_result_t result;
-
- ISC_LIST_INIT(lookup_list);
- ISC_LIST_INIT(server_list);
- ISC_LIST_INIT(search_list);
-
- result = isc_app_start();
- check_result(result, "isc_app_start");
-
- setup_libs();
- progname = argv[0];
-
- parse_args(argc, argv);
-
- setup_system();
- if (domainopt[0] != '\0')
- set_search_domain(domainopt);
- if (in_use)
- result = isc_app_onrun(mctx, global_task, onrun_callback,
- NULL);
- else
- result = isc_app_onrun(mctx, global_task, getinput, NULL);
- check_result(result, "isc_app_onrun");
- in_use = ISC_TF(!in_use);
-
- (void)isc_app_run();
-
- puts("");
- debug("done, and starting to shut down");
- if (global_event != NULL)
- isc_event_free(&global_event);
- cancel_all();
- destroy_libs();
- isc_app_finish();
-
- return (0);
-}
diff --git a/contrib/bind9/bin/dig/nslookup.docbook b/contrib/bind9/bin/dig/nslookup.docbook
deleted file mode 100644
index 189fabe85073..000000000000
--- a/contrib/bind9/bin/dig/nslookup.docbook
+++ /dev/null
@@ -1,330 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: nslookup.docbook,v 1.3.6.5 2005/05/13 01:22:33 marka Exp $ -->
-
-<!--
- - Copyright (c) 1985, 1989
- - The Regents of the University of California. All rights reserved.
- -
- - Redistribution and use in source and binary forms, with or without
- - modification, are permitted provided that the following conditions
- - are met:
- - 1. Redistributions of source code must retain the above copyright
- - notice, this list of conditions and the following disclaimer.
- - 2. Redistributions in binary form must reproduce the above copyright
- - notice, this list of conditions and the following disclaimer in the
- - documentation and/or other materials provided with the distribution.
- - 3. All advertising materials mentioning features or use of this software
- - must display the following acknowledgement:
- - This product includes software developed by the University of
- - California, Berkeley and its contributors.
- - 4. Neither the name of the University nor the names of its contributors
- - may be used to endorse or promote products derived from this software
- - without specific prior written permission.
- -
- - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- - ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- - SUCH DAMAGE.
--->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>nslookup</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>nslookup</refname>
-<refpurpose>query Internet name servers interactively</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
- <command>nslookup</command>
- <arg><option>-option</option></arg>
- <arg choice="opt">name | -</arg>
- <arg choice="opt">server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>Nslookup</command>
-is a program to query Internet domain name servers. <command>Nslookup</command>
-has two modes: interactive and non-interactive. Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain. Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
-</para>
-</refsect1>
-
-<refsect1>
-<title>ARGUMENTS</title>
-<para>
-Interactive mode is entered in the following cases:
-<orderedlist numeration="loweralpha">
-<listitem>
-<para>
-when no arguments are given (the default name server will be used)
-</para>
-</listitem>
-<listitem>
-<para>
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-</para>
-</listitem>
-</orderedlist>
-</para>
-
-<para>
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-</para>
-
-<para>
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen. For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-<informalexample>
-<programlisting>
-nslookup -query=hinfo -timeout=10
-</programlisting>
-</informalexample>
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>INTERACTIVE COMMANDS</title>
-<variablelist>
-<varlistentry><term>host <optional>server</optional></term>
-<listitem><para>
-Look up information for host using the current default server or
-using server, if specified. If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-</para>
-
-<para>
-To look up a host not in the current domain, append a period to
-the name.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para></para></listitem></varlistentry>
-<varlistentry><term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
-<listitem><para>
-Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
-server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
-the current default server. If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>root</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>finger</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ls</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>view</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>help</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>?</constant></term>
-<listitem><para>not implemented</para></listitem></varlistentry>
-
-<varlistentry><term><constant>exit</constant></term>
-<listitem><para>Exits the program.</para></listitem></varlistentry>
-
-<varlistentry><term><constant>set</constant> <replaceable>keyword<optional>=value</optional></replaceable></term>
-<listitem><para>This command is used to change state information that affects
-the lookups. Valid keywords are:
- <variablelist>
- <varlistentry><term><constant>all</constant></term>
- <listitem>
- <para>Prints the current values of the frequently used
- options to <command>set</command>. Information about the current default
- server and host is also printed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry><term><constant>class=</constant><replaceable>value</replaceable></term>
- <listitem><para>
- Change the query class to one of:
- <variablelist>
- <varlistentry><term><constant>IN</constant></term>
- <listitem><para>the Internet class</para></listitem></varlistentry>
- <varlistentry><term><constant>CH</constant></term>
- <listitem><para>the Chaos class</para></listitem></varlistentry>
- <varlistentry><term><constant>HS</constant></term>
- <listitem><para>the Hesiod class</para></listitem></varlistentry>
- <varlistentry><term><constant>ANY</constant></term>
- <listitem><para>wildcard</para></listitem></varlistentry>
- </variablelist>
- The class specifies the protocol group of the information.
- </para><para>
- (Default = IN; abbreviation = cl)
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
- <listitem><para>
- Turn debugging mode on. A lot more information is
- printed about the packet sent to the server and the
- resulting answer.
- </para><para>
- (Default = nodebug; abbreviation = <optional>no</optional>deb)
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
- <listitem><para>
- Turn debugging mode on. A lot more information is
- printed about the packet sent to the server and the
- resulting answer.
- </para><para>
- (Default = nod2)
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant>domain=</constant><replaceable>name</replaceable></term>
- <listitem><para>
- Sets the search list to <replaceable>name</replaceable>.
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
- <listitem><para>
- If the lookup request contains at least one period but
- doesn't end with a trailing period, append the domain
- names in the domain search list to the request until an
- answer is received.
- </para><para>
- (Default = search)
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant>port=</constant><replaceable>value</replaceable></term>
- <listitem><para>
- Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
- </para><para>
- (Default = 53; abbreviation = po)
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant>querytype=</constant><replaceable>value</replaceable></term>
- <listitem><para></para></listitem></varlistentry>
-
- <varlistentry><term><constant>type=</constant><replaceable>value</replaceable></term>
- <listitem><para>
- Change the top of the information query.
- </para><para>
- (Default = A; abbreviations = q, ty)
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
- <listitem><para>
- Tell the name server to query other servers if it does not have the
- information.
- </para><para>
- (Default = recurse; abbreviation = [no]rec)
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant>retry=</constant><replaceable>number</replaceable></term>
- <listitem><para>
- Set the number of retries to number.
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant>timeout=</constant><replaceable>number</replaceable></term>
- <listitem><para>
- Change the initial timeout interval for waiting for a
- reply to number seconds.
- </para></listitem></varlistentry>
-
- <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
- <listitem><para>
- Always use a virtual circuit when sending requests to the server.
- </para><para>
- (Default = novc)
- </para></listitem></varlistentry>
-
- </variablelist>
-</para></listitem></varlistentry>
-</variablelist>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>Author</title>
-<para>
-Andrew Cherenson
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/bin/dig/nslookup.html b/contrib/bind9/bin/dig/nslookup.html
deleted file mode 100644
index fc2e4e80d723..000000000000
--- a/contrib/bind9/bin/dig/nslookup.html
+++ /dev/null
@@ -1,264 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: nslookup.html,v 1.1.6.9 2005/10/13 02:33:44 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nslookup</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463728"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>nslookup &#8212; query Internet name servers interactively</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nslookup</code> [<code class="option">-option</code>] [name | -] [server]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525973"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">Nslookup</strong></span>
-is a program to query Internet domain name servers. <span><strong class="command">Nslookup</strong></span>
-has two modes: interactive and non-interactive. Interactive mode allows
-the user to query name servers for information about various hosts and
-domains or to print a list of hosts in a domain. Non-interactive mode is
-used to print just the name and requested information for a host or
-domain.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525990"></a><h2>ARGUMENTS</h2>
-<p>
-Interactive mode is entered in the following cases:
-</p>
-<div class="orderedlist"><ol type="a">
-<li><p>
-when no arguments are given (the default name server will be used)
-</p></li>
-<li><p>
-when the first argument is a hyphen (-) and the second argument is
-the host name or Internet address of a name server.
-</p></li>
-</ol></div>
-<p>
-</p>
-<p>
-Non-interactive mode is used when the name or Internet address of the
-host to be looked up is given as the first argument. The optional second
-argument specifies the host name or address of a name server.
-</p>
-<p>
-Options can also be specified on the command line if they precede the
-arguments and are prefixed with a hyphen. For example, to
-change the default query type to host information, and the initial timeout to 10 seconds, type:
-</p>
-<div class="informalexample"><pre class="programlisting">
-nslookup -query=hinfo -timeout=10
-</pre></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526033"></a><h2>INTERACTIVE COMMANDS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">host [<span class="optional">server</span>]</span></dt>
-<dd>
-<p>
-Look up information for host using the current default server or
-using server, if specified. If host is an Internet address and
-the query type is A or PTR, the name of the host is returned.
-If host is a name and does not have a trailing period, the
-search list is used to qualify the name.
-</p>
-<p>
-To look up a host not in the current domain, append a period to
-the name.
-</p>
-</dd>
-<dt><span class="term"><code class="constant">server</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p></p></dd>
-<dt><span class="term"><code class="constant">lserver</code> <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
-Change the default server to <em class="replaceable"><code>domain</code></em>; <code class="constant">lserver</code> uses the initial
-server to look up information about <em class="replaceable"><code>domain</code></em>, while <code class="constant">server</code> uses
-the current default server. If an authoritative answer can't be
-found, the names of servers that might have the answer are
-returned.
-</p></dd>
-<dt><span class="term"><code class="constant">root</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">finger</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">ls</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">view</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">help</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">?</code></span></dt>
-<dd><p>not implemented</p></dd>
-<dt><span class="term"><code class="constant">exit</code></span></dt>
-<dd><p>Exits the program.</p></dd>
-<dt><span class="term"><code class="constant">set</code> <em class="replaceable"><code>keyword[<span class="optional">=value</span>]</code></em></span></dt>
-<dd>
-<p>This command is used to change state information that affects
-the lookups. Valid keywords are:
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">all</code></span></dt>
-<dd><p>Prints the current values of the frequently used
- options to <span><strong class="command">set</strong></span>. Information about the current default
- server and host is also printed.
- </p></dd>
-<dt><span class="term"><code class="constant">class=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
- Change the query class to one of:
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">IN</code></span></dt>
-<dd><p>the Internet class</p></dd>
-<dt><span class="term"><code class="constant">CH</code></span></dt>
-<dd><p>the Chaos class</p></dd>
-<dt><span class="term"><code class="constant">HS</code></span></dt>
-<dd><p>the Hesiod class</p></dd>
-<dt><span class="term"><code class="constant">ANY</code></span></dt>
-<dd><p>wildcard</p></dd>
-</dl></div>
-<p>
- The class specifies the protocol group of the information.
- </p>
-<p>
- (Default = IN; abbreviation = cl)
- </p>
-</dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>debug</code></span></dt>
-<dd>
-<p>
- Turn debugging mode on. A lot more information is
- printed about the packet sent to the server and the
- resulting answer.
- </p>
-<p>
- (Default = nodebug; abbreviation = [<span class="optional">no</span>]deb)
- </p>
-</dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>d2</code></span></dt>
-<dd>
-<p>
- Turn debugging mode on. A lot more information is
- printed about the packet sent to the server and the
- resulting answer.
- </p>
-<p>
- (Default = nod2)
- </p>
-</dd>
-<dt><span class="term"><code class="constant">domain=</code><em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>
- Sets the search list to <em class="replaceable"><code>name</code></em>.
- </p></dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>search</code></span></dt>
-<dd>
-<p>
- If the lookup request contains at least one period but
- doesn't end with a trailing period, append the domain
- names in the domain search list to the request until an
- answer is received.
- </p>
-<p>
- (Default = search)
- </p>
-</dd>
-<dt><span class="term"><code class="constant">port=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
- Change the default TCP/UDP name server port to <em class="replaceable"><code>value</code></em>.
- </p>
-<p>
- (Default = 53; abbreviation = po)
- </p>
-</dd>
-<dt><span class="term"><code class="constant">querytype=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd><p></p></dd>
-<dt><span class="term"><code class="constant">type=</code><em class="replaceable"><code>value</code></em></span></dt>
-<dd>
-<p>
- Change the top of the information query.
- </p>
-<p>
- (Default = A; abbreviations = q, ty)
- </p>
-</dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>recurse</code></span></dt>
-<dd>
-<p>
- Tell the name server to query other servers if it does not have the
- information.
- </p>
-<p>
- (Default = recurse; abbreviation = [no]rec)
- </p>
-</dd>
-<dt><span class="term"><code class="constant">retry=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
- Set the number of retries to number.
- </p></dd>
-<dt><span class="term"><code class="constant">timeout=</code><em class="replaceable"><code>number</code></em></span></dt>
-<dd><p>
- Change the initial timeout interval for waiting for a
- reply to number seconds.
- </p></dd>
-<dt><span class="term"><code class="constant"><em class="replaceable"><code>[<span class="optional">no</span>]</code></em>vc</code></span></dt>
-<dd>
-<p>
- Always use a virtual circuit when sending requests to the server.
- </p>
-<p>
- (Default = novc)
- </p>
-</dd>
-</dl></div>
-<p>
-</p>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526490"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526503"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526538"></a><h2>Author</h2>
-<p>
-Andrew Cherenson
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in
deleted file mode 100644
index b9b7bea37c26..000000000000
--- a/contrib/bind9/bin/dnssec/Makefile.in
+++ /dev/null
@@ -1,83 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.19.12.12 2005/05/02 00:25:54 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
-
-CDEFINES = -DVERSION=\"${VERSION}\"
-CWARNINGS =
-
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS = ../../lib/isc/libisc.@A@
-
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-
-DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
-
-LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
-
-# Alphabetically
-TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
-
-OBJS = dnssectool.@O@
-
-SRCS = dnssec-keygen.c dnssec-signzone.c dnssectool.c
-
-MANPAGES = dnssec-keygen.8 dnssec-signzone.8
-
-HTMLPAGES = dnssec-keygen.html dnssec-signzone.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-keygen.@O@ ${OBJS} ${LIBS}
-
-dnssec-signzone.@O@: dnssec-signzone.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -DVERSION=\"${VERSION}\" \
- -c ${srcdir}/dnssec-signzone.c
-
-dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- dnssec-signzone.@O@ ${OBJS} ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: ${TARGETS} installdirs
- for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
-
-clean distclean::
- rm -f ${TARGETS}
-
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8
deleted file mode 100644
index 0f8f003de426..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.8
+++ /dev/null
@@ -1,164 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-keygen.8,v 1.19.12.9 2005/10/13 02:33:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "DNSSEC\-KEYGEN" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-keygen \- DNSSEC key generation tool
-.SH "SYNOPSIS"
-.HP 14
-\fBdnssec\-keygen\fR {\-a\ \fIalgorithm\fR} {\-b\ \fIkeysize\fR} {\-n\ \fInametype\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-keygen\fR
-generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
-.SH "OPTIONS"
-.TP
-\-a \fIalgorithm\fR
-Selects the cryptographic algorithm. The value of
-\fBalgorithm\fR
-must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
-.sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
-.sp
-Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
-.TP
-\-b \fIkeysize\fR
-Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
-.TP
-\-n \fInametype\fR
-Specifies the owner type of the key. The value of
-\fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
-.TP
-\-c \fIclass\fR
-Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
-.TP
-\-e
-If generating an RSAMD5/RSASHA1 key, use a large exponent.
-.TP
-\-f \fIflag\fR
-Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
-.TP
-\-g \fIgenerator\fR
-If generating a Diffie Hellman key, use this generator. Allowed values are 2 and 5. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2.
-.TP
-\-h
-Prints a short summary of the options and arguments to
-\fBdnssec\-keygen\fR.
-.TP
-\-k
-Generate KEY records rather than DNSKEY records.
-.TP
-\-p \fIprotocol\fR
-Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
-.TP
-\-r \fIrandomdev\fR
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.TP
-\-s \fIstrength\fR
-Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
-.TP
-\-t \fItype\fR
-Indicates the use of the key.
-\fBtype\fR
-must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
-.TP
-\-v \fIlevel\fR
-Sets the debugging level.
-.SH "GENERATED KEYS"
-.PP
-When
-\fBdnssec\-keygen\fR
-completes successfully, it prints a string of the form
-\fIKnnnn.+aaa+iiiii\fR
-to the standard output. This is an identification string for the key it has generated.
-.TP 3
-\(bu
-\fInnnn\fR
-is the key name.
-.TP
-\(bu
-\fIaaa\fR
-is the numeric representation of the algorithm.
-.TP
-\(bu
-\fIiiiii\fR
-is the key identifier (or footprint).
-.PP
-\fBdnssec\-keygen\fR
-creates two file, with names based on the printed string.
-\fIKnnnn.+aaa+iiiii.key\fR
-contains the public key, and
-\fIKnnnn.+aaa+iiiii.private\fR
-contains the private key.
-.PP
-The
-\fI.key\fR
-file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
-.PP
-The
-\fI.private\fR
-file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
-.PP
-Both
-\fI.key\fR
-and
-\fI.private\fR
-files are generated for symmetric encryption algorithm such as HMAC\-MD5, even though the public and private key are equivalent.
-.SH "EXAMPLE"
-.PP
-To generate a 768\-bit DSA key for the domain
-\fBexample.com\fR, the following command would be issued:
-.PP
-\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example.com\fR
-.PP
-The command would print a string of the form:
-.PP
-\fBKexample.com.+003+26160\fR
-.PP
-In this example,
-\fBdnssec\-keygen\fR
-creates the files
-\fIKexample.com.+003+26160.key\fR
-and
-\fIKexample.com.+003+26160.private\fR
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-signzone\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 2535,
-RFC 2845,
-RFC 2539.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
deleted file mode 100644
index 7feaf7c3d977..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.c
+++ /dev/null
@@ -1,415 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-#define MAX_RSA 4096 /* should be long enough... */
-
-const char *program = "dnssec-keygen";
-int verbose;
-
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
-
-static isc_boolean_t
-dsa_size_ok(int size) {
- return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
-}
-
-static void
-usage(void) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, " %s -a alg -b bits -n type [options] name\n\n",
- program);
- fprintf(stderr, "Version: %s\n", VERSION);
- fprintf(stderr, "Required options:\n");
- fprintf(stderr, " -a algorithm: %s\n", algs);
- fprintf(stderr, " -b key size, in bits:\n");
- fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
- fprintf(stderr, " DH:\t\t[128..4096]\n");
- fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
- fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
- fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
- fprintf(stderr, " name: owner of the key\n");
- fprintf(stderr, "Other options:\n");
- fprintf(stderr, " -c <class> (default: IN)\n");
- fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n");
- fprintf(stderr, " -f keyflag: KSK\n");
- fprintf(stderr, " -g <generator> use specified generator "
- "(DH only)\n");
- fprintf(stderr, " -t <type>: "
- "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
- "(default: AUTHCONF)\n");
- fprintf(stderr, " -p <protocol>: "
- "default: 3 [dnssec]\n");
- fprintf(stderr, " -s <strength> strength value this key signs DNS "
- "records with (default: 0)\n");
- fprintf(stderr, " -r <randomdev>: a file containing random data\n");
- fprintf(stderr, " -v <verbose level>\n");
- fprintf(stderr, " -k : generate a TYPE=KEY key\n");
- fprintf(stderr, "Output:\n");
- fprintf(stderr, " K<name>+<alg>+<id>.key, "
- "K<name>+<alg>+<id>.private\n");
-
- exit (-1);
-}
-
-int
-main(int argc, char **argv) {
- char *algname = NULL, *nametype = NULL, *type = NULL;
- char *classname = NULL;
- char *endp;
- dst_key_t *key = NULL, *oldkey;
- dns_fixedname_t fname;
- dns_name_t *name;
- isc_uint16_t flags = 0, ksk = 0;
- dns_secalg_t alg;
- isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
- isc_mem_t *mctx = NULL;
- int ch, rsa_exp = 0, generator = 0, param = 0;
- int protocol = -1, size = -1, signatory = 0;
- isc_result_t ret;
- isc_textregion_t r;
- char filename[255];
- isc_buffer_t buf;
- isc_log_t *log = NULL;
- isc_entropy_t *ectx = NULL;
- dns_rdataclass_t rdclass;
- int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
-
- if (argc == 1)
- usage();
-
- RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
- dns_result_register();
-
- while ((ch = isc_commandline_parse(argc, argv,
- "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
- {
- switch (ch) {
- case 'a':
- algname = isc_commandline_argument;
- break;
- case 'b':
- size = strtol(isc_commandline_argument, &endp, 10);
- if (*endp != '\0' || size < 0)
- fatal("-b requires a non-negative number");
- break;
- case 'c':
- classname = isc_commandline_argument;
- break;
- case 'e':
- rsa_exp = 1;
- break;
- case 'f':
- if (strcasecmp(isc_commandline_argument, "KSK") == 0)
- ksk = DNS_KEYFLAG_KSK;
- else
- fatal("unknown flag '%s'",
- isc_commandline_argument);
- break;
- case 'g':
- generator = strtol(isc_commandline_argument,
- &endp, 10);
- if (*endp != '\0' || generator <= 0)
- fatal("-g requires a positive number");
- break;
- case 'k':
- options |= DST_TYPE_KEY;
- break;
- case 'n':
- nametype = isc_commandline_argument;
- break;
- case 't':
- type = isc_commandline_argument;
- break;
- case 'p':
- protocol = strtol(isc_commandline_argument, &endp, 10);
- if (*endp != '\0' || protocol < 0 || protocol > 255)
- fatal("-p must be followed by a number "
- "[0..255]");
- break;
- case 's':
- signatory = strtol(isc_commandline_argument,
- &endp, 10);
- if (*endp != '\0' || signatory < 0 || signatory > 15)
- fatal("-s must be followed by a number "
- "[0..15]");
- break;
- case 'r':
- setup_entropy(mctx, isc_commandline_argument, &ectx);
- break;
- case 'v':
- endp = NULL;
- verbose = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0')
- fatal("-v must be followed by a number");
- break;
-
- case 'h':
- usage();
- default:
- fprintf(stderr, "%s: invalid argument -%c\n",
- program, ch);
- usage();
- }
- }
-
- if (ectx == NULL)
- setup_entropy(mctx, NULL, &ectx);
- ret = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
- if (ret != ISC_R_SUCCESS)
- fatal("could not initialize dst");
-
- setup_logging(verbose, mctx, &log);
-
- if (argc < isc_commandline_index + 1)
- fatal("the key name was not specified");
- if (argc > isc_commandline_index + 1)
- fatal("extraneous arguments");
-
- if (algname == NULL)
- fatal("no algorithm was specified");
- if (strcasecmp(algname, "HMAC-MD5") == 0) {
- options |= DST_TYPE_KEY;
- alg = DST_ALG_HMACMD5;
- } else {
- r.base = algname;
- r.length = strlen(algname);
- ret = dns_secalg_fromtext(&alg, &r);
- if (ret != ISC_R_SUCCESS)
- fatal("unknown algorithm %s", algname);
- if (alg == DST_ALG_DH)
- options |= DST_TYPE_KEY;
- }
-
- if (type != NULL && (options & DST_TYPE_KEY) != 0) {
- if (strcasecmp(type, "NOAUTH") == 0)
- flags |= DNS_KEYTYPE_NOAUTH;
- else if (strcasecmp(type, "NOCONF") == 0)
- flags |= DNS_KEYTYPE_NOCONF;
- else if (strcasecmp(type, "NOAUTHCONF") == 0) {
- flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
- if (size < 0)
- size = 0;
- }
- else if (strcasecmp(type, "AUTHCONF") == 0)
- /* nothing */;
- else
- fatal("invalid type %s", type);
- }
-
- if (size < 0)
- fatal("key size not specified (-b option)");
-
- switch (alg) {
- case DNS_KEYALG_RSAMD5:
- case DNS_KEYALG_RSASHA1:
- if (size != 0 && (size < 512 || size > MAX_RSA))
- fatal("RSA key size %d out of range", size);
- break;
- case DNS_KEYALG_DH:
- if (size != 0 && (size < 128 || size > 4096))
- fatal("DH key size %d out of range", size);
- break;
- case DNS_KEYALG_DSA:
- if (size != 0 && !dsa_size_ok(size))
- fatal("invalid DSS key size: %d", size);
- break;
- case DST_ALG_HMACMD5:
- if (size < 1 || size > 512)
- fatal("HMAC-MD5 key size %d out of range", size);
- break;
- }
-
- if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
- rsa_exp != 0)
- fatal("specified RSA exponent for a non-RSA key");
-
- if (alg != DNS_KEYALG_DH && generator != 0)
- fatal("specified DH generator for a non-DH key");
-
- if (nametype == NULL)
- fatal("no nametype specified");
- if (strcasecmp(nametype, "zone") == 0)
- flags |= DNS_KEYOWNER_ZONE;
- else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
- if (strcasecmp(nametype, "host") == 0 ||
- strcasecmp(nametype, "entity") == 0)
- flags |= DNS_KEYOWNER_ENTITY;
- else if (strcasecmp(nametype, "user") == 0)
- flags |= DNS_KEYOWNER_USER;
- else
- fatal("invalid KEY nametype %s", nametype);
- } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
- fatal("invalid DNSKEY nametype %s", nametype);
-
- rdclass = strtoclass(classname);
-
- if ((options & DST_TYPE_KEY) != 0) /* KEY */
- flags |= signatory;
- else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
- flags |= ksk;
-
- if (protocol == -1)
- protocol = DNS_KEYPROTO_DNSSEC;
- else if ((options & DST_TYPE_KEY) == 0 &&
- protocol != DNS_KEYPROTO_DNSSEC)
- fatal("invalid DNSKEY protocol: %d", protocol);
-
- if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
- if (size > 0)
- fatal("specified null key with non-zero size");
- if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
- fatal("specified null key with signing authority");
- }
-
- if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
- (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
- fatal("a key with algorithm '%s' cannot be a zone key",
- algname);
-
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- isc_buffer_init(&buf, argv[isc_commandline_index],
- strlen(argv[isc_commandline_index]));
- isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
- ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
- if (ret != ISC_R_SUCCESS)
- fatal("invalid key name %s: %s", argv[isc_commandline_index],
- isc_result_totext(ret));
-
- switch(alg) {
- case DNS_KEYALG_RSAMD5:
- case DNS_KEYALG_RSASHA1:
- param = rsa_exp;
- break;
- case DNS_KEYALG_DH:
- param = generator;
- break;
- case DNS_KEYALG_DSA:
- case DST_ALG_HMACMD5:
- param = 0;
- break;
- }
-
- if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
- null_key = ISC_TRUE;
-
- isc_buffer_init(&buf, filename, sizeof(filename) - 1);
-
- do {
- conflict = ISC_FALSE;
- oldkey = NULL;
-
- /* generate the key */
- ret = dst_key_generate(name, alg, size, param, flags, protocol,
- rdclass, mctx, &key);
- isc_entropy_stopcallbacksources(ectx);
-
- if (ret != ISC_R_SUCCESS) {
- char namestr[DNS_NAME_FORMATSIZE];
- char algstr[ALG_FORMATSIZE];
- dns_name_format(name, namestr, sizeof(namestr));
- alg_format(alg, algstr, sizeof(algstr));
- fatal("failed to generate key %s/%s: %s\n",
- namestr, algstr, isc_result_totext(ret));
- exit(-1);
- }
-
- /*
- * Try to read a key with the same name, alg and id from disk.
- * If there is one we must continue generating a new one
- * unless we were asked to generate a null key, in which
- * case we return failure.
- */
- ret = dst_key_fromfile(name, dst_key_id(key), alg,
- DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
- /* do not overwrite an existing key */
- if (ret == ISC_R_SUCCESS) {
- dst_key_free(&oldkey);
- conflict = ISC_TRUE;
- if (null_key)
- break;
- }
- if (conflict == ISC_TRUE) {
- if (verbose > 0) {
- isc_buffer_clear(&buf);
- ret = dst_key_buildfilename(key, 0, NULL, &buf);
- fprintf(stderr,
- "%s: %s already exists, "
- "generating a new key\n",
- program, filename);
- }
- dst_key_free(&key);
- }
-
- } while (conflict == ISC_TRUE);
-
- if (conflict)
- fatal("cannot generate a null key when a key with id 0 "
- "already exists");
-
- ret = dst_key_tofile(key, options, NULL);
- if (ret != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
- fatal("failed to write key %s: %s\n", keystr,
- isc_result_totext(ret));
- }
-
- isc_buffer_clear(&buf);
- ret = dst_key_buildfilename(key, 0, NULL, &buf);
- printf("%s\n", filename);
- dst_key_free(&key);
-
- cleanup_logging(&log);
- cleanup_entropy(&ectx);
- dst_lib_destroy();
- if (verbose > 10)
- isc_mem_stats(mctx, stdout);
- isc_mem_destroy(&mctx);
-
- return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
deleted file mode 100644
index e1eee228ee65..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
+++ /dev/null
@@ -1,358 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-keygen.docbook,v 1.3.12.9 2005/08/30 01:41:41 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>dnssec-keygen</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>dnssec-keygen</application></refname>
- <refpurpose>DNSSEC key generation tool</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>dnssec-keygen</command>
- <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
- <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
- <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
- <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-e</option></arg>
- <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
- <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
- <arg><option>-h</option></arg>
- <arg><option>-k</option></arg>
- <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
- <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
- <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
- <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
- <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
- <arg choice="req">name</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>dnssec-keygen</command> generates keys for DNSSEC
- (Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;. It can also generate
- keys for use with TSIG (Transaction Signatures), as
- defined in RFC 2845.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-a <replaceable class="parameter">algorithm</replaceable></term>
- <listitem>
- <para>
- Selects the cryptographic algorithm. The value of
- <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, DH (Diffie Hellman), or HMAC-MD5. These values
- are case insensitive.
- </para>
- <para>
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
- and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
- </para>
- <para>
- Note 2: HMAC-MD5 and DH automatically set the -k flag.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-b <replaceable class="parameter">keysize</replaceable></term>
- <listitem>
- <para>
- Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
- 512 and 2048 bits. Diffie Hellman keys must be between
- 128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC-MD5 keys must be
- between 1 and 512 bits.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-n <replaceable class="parameter">nametype</replaceable></term>
- <listitem>
- <para>
- Specifies the owner type of the key. The value of
- <option>nametype</option> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
- case insensitive.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-c <replaceable class="parameter">class</replaceable></term>
- <listitem>
- <para>
- Indicates that the DNS record containing the key should have
- the specified class. If not specified, class IN is used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-e</term>
- <listitem>
- <para>
- If generating an RSAMD5/RSASHA1 key, use a large exponent.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-f <replaceable class="parameter">flag</replaceable></term>
- <listitem>
- <para>
- Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-g <replaceable class="parameter">generator</replaceable></term>
- <listitem>
- <para>
- If generating a Diffie Hellman key, use this generator.
- Allowed values are 2 and 5. If no generator
- is specified, a known prime from RFC 2539 will be used
- if possible; otherwise the default is 2.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-h</term>
- <listitem>
- <para>
- Prints a short summary of the options and arguments to
- <command>dnssec-keygen</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-k</term>
- <listitem>
- <para>
- Generate KEY records rather than DNSKEY records.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p <replaceable class="parameter">protocol</replaceable></term>
- <listitem>
- <para>
- Sets the protocol value for the generated key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-r <replaceable class="parameter">randomdev</replaceable></term>
- <listitem>
- <para>
- Specifies the source of randomness. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s <replaceable class="parameter">strength</replaceable></term>
- <listitem>
- <para>
- Specifies the strength value of the key. The strength is
- a number between 0 and 15, and currently has no defined
- purpose in DNSSEC.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-t <replaceable class="parameter">type</replaceable></term>
- <listitem>
- <para>
- Indicates the use of the key. <option>type</option> must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v <replaceable class="parameter">level</replaceable></term>
- <listitem>
- <para>
- Sets the debugging level.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>GENERATED KEYS</title>
- <para>
- When <command>dnssec-keygen</command> completes successfully,
- it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
- to the standard output. This is an identification string for
- the key it has generated.
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <filename>nnnn</filename> is the key name.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>aaa</filename> is the numeric representation of the
- algorithm.
- </para>
- </listitem>
- <listitem>
- <para>
- <filename>iiiii</filename> is the key identifier (or footprint).
- </para>
- </listitem>
- </itemizedlist>
- <para>
- <command>dnssec-keygen</command> creates two file, with names based
- on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
- contains the public key, and
- <filename>Knnnn.+aaa+iiiii.private</filename> contains the private
- key.
- </para>
- <para>
- The <filename>.key</filename> file contains a DNS KEY record that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
- </para>
- <para>
- The <filename>.private</filename> file contains algorithm specific
- fields. For obvious security reasons, this file does not have
- general read permission.
- </para>
- <para>
- Both <filename>.key</filename> and <filename>.private</filename>
- files are generated for symmetric encryption algorithm such as
- HMAC-MD5, even though the public and private key are equivalent.
- </para>
- </refsect1>
-
- <refsect1>
- <title>EXAMPLE</title>
- <para>
- To generate a 768-bit DSA key for the domain
- <userinput>example.com</userinput>, the following command would be
- issued:
- </para>
- <para>
- <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
- </para>
- <para>
- The command would print a string of the form:
- </para>
- <para>
- <userinput>Kexample.com.+003+26160</userinput>
- </para>
- <para>
- In this example, <command>dnssec-keygen</command> creates
- the files <filename>Kexample.com.+003+26160.key</filename> and
- <filename>Kexample.com.+003+26160.private</filename>
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>dnssec-signzone</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
- <citetitle>RFC 2535</citetitle>,
- <citetitle>RFC 2845</citetitle>,
- <citetitle>RFC 2539</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html
deleted file mode 100644
index 00271faadf46..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.html
+++ /dev/null
@@ -1,228 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.13 2005/10/13 02:33:45 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-keygen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525956"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC
- (Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;. It can also generate
- keys for use with TSIG (Transaction Signatures), as
- defined in RFC 2845.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525969"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
-<dd>
-<p>
- Selects the cryptographic algorithm. The value of
- <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
- DSA, DH (Diffie Hellman), or HMAC-MD5. These values
- are case insensitive.
- </p>
-<p>
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
- and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
- </p>
-<p>
- Note 2: HMAC-MD5 and DH automatically set the -k flag.
- </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
- Specifies the number of bits in the key. The choice of key
- size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
- 512 and 2048 bits. Diffie Hellman keys must be between
- 128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC-MD5 keys must be
- between 1 and 512 bits.
- </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
-<dd><p>
- Specifies the owner type of the key. The value of
- <code class="option">nametype</code> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
- case insensitive.
- </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
- Indicates that the DNS record containing the key should have
- the specified class. If not specified, class IN is used.
- </p></dd>
-<dt><span class="term">-e</span></dt>
-<dd><p>
- If generating an RSAMD5/RSASHA1 key, use a large exponent.
- </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
-<dd><p>
- Set the specified flag in the flag field of the KEY/DNSKEY record.
- The only recognized flag is KSK (Key Signing Key) DNSKEY.
- </p></dd>
-<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
-<dd><p>
- If generating a Diffie Hellman key, use this generator.
- Allowed values are 2 and 5. If no generator
- is specified, a known prime from RFC 2539 will be used
- if possible; otherwise the default is 2.
- </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
- Prints a short summary of the options and arguments to
- <span><strong class="command">dnssec-keygen</strong></span>.
- </p></dd>
-<dt><span class="term">-k</span></dt>
-<dd><p>
- Generate KEY records rather than DNSKEY records.
- </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
-<dd><p>
- Sets the protocol value for the generated key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
- </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
- Specifies the source of randomness. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
- </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
-<dd><p>
- Specifies the strength value of the key. The strength is
- a number between 0 and 15, and currently has no defined
- purpose in DNSSEC.
- </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
-<dd><p>
- Indicates the use of the key. <code class="option">type</code> must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
- </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
- Sets the debugging level.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526306"></a><h2>GENERATED KEYS</h2>
-<p>
- When <span><strong class="command">dnssec-keygen</strong></span> completes successfully,
- it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
- to the standard output. This is an identification string for
- the key it has generated.
- </p>
-<div class="itemizedlist"><ul type="disc">
-<li><p>
- <code class="filename">nnnn</code> is the key name.
- </p></li>
-<li><p>
- <code class="filename">aaa</code> is the numeric representation of the
- algorithm.
- </p></li>
-<li><p>
- <code class="filename">iiiii</code> is the key identifier (or footprint).
- </p></li>
-</ul></div>
-<p>
- <span><strong class="command">dnssec-keygen</strong></span> creates two file, with names based
- on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
- contains the public key, and
- <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private
- key.
- </p>
-<p>
- The <code class="filename">.key</code> file contains a DNS KEY record that
- can be inserted into a zone file (directly or with a $INCLUDE
- statement).
- </p>
-<p>
- The <code class="filename">.private</code> file contains algorithm specific
- fields. For obvious security reasons, this file does not have
- general read permission.
- </p>
-<p>
- Both <code class="filename">.key</code> and <code class="filename">.private</code>
- files are generated for symmetric encryption algorithm such as
- HMAC-MD5, even though the public and private key are equivalent.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526394"></a><h2>EXAMPLE</h2>
-<p>
- To generate a 768-bit DSA key for the domain
- <strong class="userinput"><code>example.com</code></strong>, the following command would be
- issued:
- </p>
-<p>
- <strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
- </p>
-<p>
- The command would print a string of the form:
- </p>
-<p>
- <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
- </p>
-<p>
- In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
- the files <code class="filename">Kexample.com.+003+26160.key</code> and
- <code class="filename">Kexample.com.+003+26160.private</code>
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526440"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 2535</em>,
- <em class="citetitle">RFC 2845</em>,
- <em class="citetitle">RFC 2539</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526473"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.8 b/contrib/bind9/bin/dnssec/dnssec-makekeyset.8
deleted file mode 100644
index 0189b31e62e5..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-makekeyset.8
+++ /dev/null
@@ -1,113 +0,0 @@
-.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $
-.\"
-.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
-.SH NAME
-dnssec-makekeyset \- DNSSEC zone signing tool
-.SH SYNOPSIS
-.sp
-\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR
-.SH "DESCRIPTION"
-.PP
-\fBdnssec-makekeyset\fR generates a key set from one
-or more keys created by \fBdnssec-keygen\fR. It creates
-a file containing a KEY record for each key, and self-signs the key
-set with each zone key. The output file is of the form
-\fIkeyset-nnnn.\fR, where \fInnnn\fR
-is the zone name.
-.SH "OPTIONS"
-.TP
-\fB-a\fR
-Verify all generated signatures.
-.TP
-\fB-s \fIstart-time\fB\fR
-Specify the date and time when the generated SIG records
-become valid. This can be either an absolute or relative
-time. An absolute start time is indicated by a number
-in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-14:45:00 UTC on May 30th, 2000. A relative start time is
-indicated by +N, which is N seconds from the current time.
-If no \fBstart-time\fR is specified, the current
-time is used.
-.TP
-\fB-e \fIend-time\fB\fR
-Specify the date and time when the generated SIG records
-expire. As with \fBstart-time\fR, an absolute
-time is indicated in YYYYMMDDHHMMSS notation. A time relative
-to the start time is indicated with +N, which is N seconds from
-the start time. A time relative to the current time is
-indicated with now+N. If no \fBend-time\fR is
-specified, 30 days from the start time is used as a default.
-.TP
-\fB-h\fR
-Prints a short summary of the options and arguments to
-\fBdnssec-makekeyset\fR.
-.TP
-\fB-p\fR
-Use pseudo-random data when signing the zone. This is faster,
-but less secure, than using real random data. This option
-may be useful when signing large zones or when the entropy
-source is limited.
-.TP
-\fB-r \fIrandomdev\fB\fR
-Specifies the source of randomness. If the operating
-system does not provide a \fI/dev/random\fR
-or equivalent device, the default source of randomness
-is keyboard input. \fIrandomdev\fR specifies
-the name of a character device or file containing random
-data to be used instead of the default. The special value
-\fIkeyboard\fR indicates that keyboard
-input should be used.
-.TP
-\fB-t \fIttl\fB\fR
-Specify the TTL (time to live) of the KEY and SIG records.
-The default is 3600 seconds.
-.TP
-\fB-v \fIlevel\fB\fR
-Sets the debugging level.
-.TP
-\fBkey\fR
-The list of keys to be included in the keyset file. These keys
-are expressed in the form \fIKnnnn.+aaa+iiiii\fR
-as generated by \fBdnssec-keygen\fR.
-.SH "EXAMPLE"
-.PP
-The following command generates a keyset containing the DSA key for
-\fBexample.com\fR generated in the
-\fBdnssec-keygen\fR man page.
-.PP
-\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
-.PP
-In this example, \fBdnssec-makekeyset\fR creates
-the file \fIkeyset-example.com.\fR. This file
-contains the specified key and a self-generated signature.
-.PP
-The DNS administrator for \fBexample.com\fR could
-send \fIkeyset-example.com.\fR to the DNS
-administrator for \fB.com\fR for signing, if the
-\&.com zone is DNSSEC-aware and the administrators of the two zones
-have some mechanism for authenticating each other and exchanging
-the keys and signatures securely.
-.SH "SEE ALSO"
-.PP
-\fBdnssec-keygen\fR(8),
-\fBdnssec-signkey\fR(8),
-\fIBIND 9 Administrator Reference Manual\fR,
-\fIRFC 2535\fR.
-.SH "AUTHOR"
-.PP
-Internet Software Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.c b/contrib/bind9/bin/dnssec/dnssec-makekeyset.c
deleted file mode 100644
index c8224ed3888f..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-makekeyset.c
+++ /dev/null
@@ -1,401 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-makekeyset.c,v 1.52.2.1.10.7 2004/08/28 06:25:27 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/time.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-makekeyset";
-int verbose;
-
-typedef struct keynode keynode_t;
-struct keynode {
- dst_key_t *key;
- ISC_LINK(keynode_t) link;
-};
-typedef ISC_LIST(keynode_t) keylist_t;
-
-static isc_stdtime_t starttime = 0, endtime = 0, now;
-static int ttl = -1;
-
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-
-static keylist_t keylist;
-
-static void
-usage(void) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\t%s [options] keys\n", program);
-
- fprintf(stderr, "\n");
-
- fprintf(stderr, "Version: %s\n", VERSION);
-
- fprintf(stderr, "Options: (default value in parenthesis) \n");
- fprintf(stderr, "\t-a\n");
- fprintf(stderr, "\t\tverify generated signatures\n");
- fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
- fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
- fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
- fprintf(stderr, "\t\tSIG end time - "
- "absolute|from start|from now (now + 30 days)\n");
- fprintf(stderr, "\t-t ttl\n");
- fprintf(stderr, "\t-p\n");
- fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
- fprintf(stderr, "\t-r randomdev:\n");
- fprintf(stderr, "\t\ta file containing random data\n");
- fprintf(stderr, "\t-v level:\n");
- fprintf(stderr, "\t\tverbose level (0)\n");
-
- fprintf(stderr, "\n");
-
- fprintf(stderr, "keys:\n");
- fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
-
- fprintf(stderr, "\n");
-
- fprintf(stderr, "Output:\n");
- fprintf(stderr, "\tkeyset (keyset-<name>)\n");
- exit(0);
-}
-
-static isc_boolean_t
-zonekey_on_list(dst_key_t *key) {
- keynode_t *keynode;
- for (keynode = ISC_LIST_HEAD(keylist);
- keynode != NULL;
- keynode = ISC_LIST_NEXT(keynode, link))
- {
- if (dst_key_compare(keynode->key, key))
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
-}
-
-int
-main(int argc, char *argv[]) {
- int i, ch;
- char *startstr = NULL, *endstr = NULL;
- dns_fixedname_t fdomain;
- dns_name_t *domain = NULL;
- char *output = NULL;
- char *endp;
- unsigned char data[65536];
- dns_db_t *db;
- dns_dbversion_t *version;
- dns_diff_t diff;
- dns_difftuple_t *tuple;
- dns_fixedname_t tname;
- dst_key_t *key = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset;
- dns_rdataclass_t rdclass;
- isc_result_t result;
- isc_buffer_t b;
- isc_region_t r;
- isc_log_t *log = NULL;
- keynode_t *keynode;
- unsigned int eflags;
- isc_boolean_t pseudorandom = ISC_FALSE;
- isc_boolean_t tryverify = ISC_FALSE;
-
- result = isc_mem_create(0, 0, &mctx);
- if (result != ISC_R_SUCCESS)
- fatal("failed to create memory context: %s",
- isc_result_totext(result));
-
- dns_result_register();
-
- while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1)
- {
- switch (ch) {
- case 'a':
- tryverify = ISC_TRUE;
- break;
- case 's':
- startstr = isc_commandline_argument;
- break;
-
- case 'e':
- endstr = isc_commandline_argument;
- break;
-
- case 't':
- endp = NULL;
- ttl = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0')
- fatal("TTL must be numeric");
- break;
-
- case 'r':
- setup_entropy(mctx, isc_commandline_argument, &ectx);
- break;
-
- case 'v':
- endp = NULL;
- verbose = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0')
- fatal("verbose level must be numeric");
- break;
-
- case 'p':
- pseudorandom = ISC_TRUE;
- break;
-
- case 'h':
- default:
- usage();
-
- }
- }
-
- argc -= isc_commandline_index;
- argv += isc_commandline_index;
-
- if (argc < 1)
- usage();
-
- if (ectx == NULL)
- setup_entropy(mctx, NULL, &ectx);
- eflags = ISC_ENTROPY_BLOCKING;
- if (!pseudorandom)
- eflags |= ISC_ENTROPY_GOODONLY;
- result = dst_lib_init(mctx, ectx, eflags);
- if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst: %s",
- isc_result_totext(result));
-
- isc_stdtime_get(&now);
-
- if (startstr != NULL)
- starttime = strtotime(startstr, now, now);
- else
- starttime = now;
-
- if (endstr != NULL)
- endtime = strtotime(endstr, now, starttime);
- else
- endtime = starttime + (30 * 24 * 60 * 60);
-
- if (ttl == -1) {
- ttl = 3600;
- fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
- program);
- }
-
- setup_logging(verbose, mctx, &log);
-
- dns_diff_init(mctx, &diff);
- rdclass = 0;
-
- ISC_LIST_INIT(keylist);
-
- for (i = 0; i < argc; i++) {
- char namestr[DNS_NAME_FORMATSIZE];
- isc_buffer_t namebuf;
-
- key = NULL;
- result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC,
- mctx, &key);
- if (result != ISC_R_SUCCESS)
- fatal("error loading key from %s: %s", argv[i],
- isc_result_totext(result));
- if (rdclass == 0)
- rdclass = dst_key_class(key);
-
- isc_buffer_init(&namebuf, namestr, sizeof(namestr));
- result = dns_name_tofilenametext(dst_key_name(key),
- ISC_FALSE,
- &namebuf);
- check_result(result, "dns_name_tofilenametext");
- isc_buffer_putuint8(&namebuf, 0);
-
- if (domain == NULL) {
- dns_fixedname_init(&fdomain);
- domain = dns_fixedname_name(&fdomain);
- dns_name_copy(dst_key_name(key), domain, NULL);
- } else if (!dns_name_equal(domain, dst_key_name(key))) {
- char str[DNS_NAME_FORMATSIZE];
- dns_name_format(domain, str, sizeof(str));
- fatal("all keys must have the same owner - %s "
- "and %s do not match", str, namestr);
- }
-
- if (output == NULL) {
- output = isc_mem_allocate(mctx,
- strlen("keyset-") +
- strlen(namestr) + 1);
- if (output == NULL)
- fatal("out of memory");
- sprintf(output, "keyset-%s", namestr);
- }
-
- if (dst_key_iszonekey(key)) {
- dst_key_t *zonekey = NULL;
- result = dst_key_fromnamedfile(argv[i],
- DST_TYPE_PUBLIC |
- DST_TYPE_PRIVATE,
- mctx, &zonekey);
- if (result != ISC_R_SUCCESS)
- fatal("failed to read private key %s: %s",
- argv[i], isc_result_totext(result));
- if (!zonekey_on_list(zonekey)) {
- keynode = isc_mem_get(mctx, sizeof(keynode_t));
- if (keynode == NULL)
- fatal("out of memory");
- keynode->key = zonekey;
- ISC_LIST_INITANDAPPEND(keylist, keynode, link);
- } else
- dst_key_free(&zonekey);
- }
- dns_rdata_reset(&rdata);
- isc_buffer_init(&b, data, sizeof(data));
- result = dst_key_todns(key, &b);
- dst_key_free(&key);
- if (result != ISC_R_SUCCESS)
- fatal("failed to convert key %s to a DNS KEY: %s",
- argv[i], isc_result_totext(result));
- isc_buffer_usedregion(&b, &r);
- dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r);
- tuple = NULL;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- domain, ttl, &rdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- }
-
- db = NULL;
- result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
- rdclass, 0, NULL, &db);
- if (result != ISC_R_SUCCESS)
- fatal("failed to create a database");
-
- version = NULL;
- dns_db_newversion(db, &version);
-
- result = dns_diff_apply(&diff, db, version);
- check_result(result, "dns_diff_apply");
- dns_diff_clear(&diff);
-
- dns_fixedname_init(&tname);
- dns_rdataset_init(&rdataset);
- result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0,
- NULL, dns_fixedname_name(&tname), &rdataset,
- NULL);
- check_result(result, "dns_db_find");
-
- if (ISC_LIST_EMPTY(keylist))
- fprintf(stderr,
- "%s: no private zone key found; not self-signing\n",
- program);
- for (keynode = ISC_LIST_HEAD(keylist);
- keynode != NULL;
- keynode = ISC_LIST_NEXT(keynode, link))
- {
- dns_rdata_reset(&rdata);
- isc_buffer_init(&b, data, sizeof(data));
- result = dns_dnssec_sign(domain, &rdataset, keynode->key,
- &starttime, &endtime, mctx, &b,
- &rdata);
- isc_entropy_stopcallbacksources(ectx);
- if (result != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(keynode->key, keystr, sizeof(keystr));
- fatal("failed to sign keyset with key %s: %s",
- keystr, isc_result_totext(result));
- }
- if (tryverify) {
- result = dns_dnssec_verify(domain, &rdataset,
- keynode->key, ISC_TRUE,
- mctx, &rdata);
- if (result != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(keynode->key, keystr, sizeof(keystr));
- fatal("signature from key '%s' failed to "
- "verify: %s",
- keystr, isc_result_totext(result));
- }
- }
- tuple = NULL;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- domain, ttl, &rdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- }
-
- result = dns_diff_apply(&diff, db, version);
- check_result(result, "dns_diff_apply");
- dns_diff_clear(&diff);
-
- dns_rdataset_disassociate(&rdataset);
-
- dns_db_closeversion(db, &version, ISC_TRUE);
- result = dns_db_dump(db, version, output);
- if (result != ISC_R_SUCCESS) {
- char domainstr[DNS_NAME_FORMATSIZE];
- dns_name_format(domain, domainstr, sizeof(domainstr));
- fatal("failed to write database for %s to %s",
- domainstr, output);
- }
-
- printf("%s\n", output);
-
- dns_db_detach(&db);
-
- while (!ISC_LIST_EMPTY(keylist)) {
- keynode = ISC_LIST_HEAD(keylist);
- ISC_LIST_UNLINK(keylist, keynode, link);
- dst_key_free(&keynode->key);
- isc_mem_put(mctx, keynode, sizeof(keynode_t));
- }
-
- cleanup_logging(&log);
- cleanup_entropy(&ectx);
-
- isc_mem_free(mctx, output);
- dst_lib_destroy();
- if (verbose > 10)
- isc_mem_stats(mctx, stdout);
- isc_mem_destroy(&mctx);
- return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook b/contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook
deleted file mode 100644
index 07327481550b..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook
+++ /dev/null
@@ -1,233 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>dnssec-makekeyset</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname><application>dnssec-makekeyset</application></refname>
- <refpurpose>DNSSEC zone signing tool</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>dnssec-makekeyset</command>
- <arg><option>-a</option></arg>
- <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
- <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
- <arg><option>-h</option></arg>
- <arg><option>-p</option></arg>
- <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
- <arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg>
- <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
- <arg choice="req" rep="repeat">key</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>dnssec-makekeyset</command> generates a key set from one
- or more keys created by <command>dnssec-keygen</command>. It creates
- a file containing a KEY record for each key, and self-signs the key
- set with each zone key. The output file is of the form
- <filename>keyset-nnnn.</filename>, where <filename>nnnn</filename>
- is the zone name.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-a</term>
- <listitem>
- <para>
- Verify all generated signatures.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s <replaceable class="parameter">start-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated SIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <option>start-time</option> is specified, the current
- time is used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-e <replaceable class="parameter">end-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated SIG records
- expire. As with <option>start-time</option>, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <option>end-time</option> is
- specified, 30 days from the start time is used as a default.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-h</term>
- <listitem>
- <para>
- Prints a short summary of the options and arguments to
- <command>dnssec-makekeyset</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p</term>
- <listitem>
- <para>
- Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-r <replaceable class="parameter">randomdev</replaceable></term>
- <listitem>
- <para>
- Specifies the source of randomness. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-t <replaceable class="parameter">ttl</replaceable></term>
- <listitem>
- <para>
- Specify the TTL (time to live) of the KEY and SIG records.
- The default is 3600 seconds.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v <replaceable class="parameter">level</replaceable></term>
- <listitem>
- <para>
- Sets the debugging level.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>key</term>
- <listitem>
- <para>
- The list of keys to be included in the keyset file. These keys
- are expressed in the form <filename>Knnnn.+aaa+iiiii</filename>
- as generated by <command>dnssec-keygen</command>.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>EXAMPLE</title>
- <para>
- The following command generates a keyset containing the DSA key for
- <userinput>example.com</userinput> generated in the
- <command>dnssec-keygen</command> man page.
- </para>
- <para>
- <userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput>
- </para>
- <para>
- In this example, <command>dnssec-makekeyset</command> creates
- the file <filename>keyset-example.com.</filename>. This file
- contains the specified key and a self-generated signature.
- </para>
- <para>
- The DNS administrator for <userinput>example.com</userinput> could
- send <filename>keyset-example.com.</filename> to the DNS
- administrator for <userinput>.com</userinput> for signing, if the
- .com zone is DNSSEC-aware and the administrators of the two zones
- have some mechanism for authenticating each other and exchanging
- the keys and signatures securely.
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>dnssec-signkey</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
- <citetitle>RFC 2535</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.html b/contrib/bind9/bin/dnssec/dnssec-makekeyset.html
deleted file mode 100644
index 48f1d4a59e11..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-makekeyset.html
+++ /dev/null
@@ -1,407 +0,0 @@
-<!--
- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ -->
-
-<HTML
-><HEAD
-><TITLE
->dnssec-makekeyset</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.73
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-><SPAN
-CLASS="APPLICATION"
->dnssec-makekeyset</SPAN
-></A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->dnssec-makekeyset</SPAN
->&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->dnssec-makekeyset</B
-> [<TT
-CLASS="OPTION"
->-a</TT
->] [<TT
-CLASS="OPTION"
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-h</TT
->] [<TT
-CLASS="OPTION"
->-p</TT
->] [<TT
-CLASS="OPTION"
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-t</TT
-><TT
-CLASS="REPLACEABLE"
-><I
->ttl</I
-></TT
->] [<TT
-CLASS="OPTION"
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></TT
->] {key...}</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN38"
-></A
-><H2
->DESCRIPTION</H2
-><P
-> <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
-> generates a key set from one
- or more keys created by <B
-CLASS="COMMAND"
->dnssec-keygen</B
->. It creates
- a file containing a KEY record for each key, and self-signs the key
- set with each zone key. The output file is of the form
- <TT
-CLASS="FILENAME"
->keyset-nnnn.</TT
->, where <TT
-CLASS="FILENAME"
->nnnn</TT
->
- is the zone name.
- </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN45"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-a</DT
-><DD
-><P
-> Verify all generated signatures.
- </P
-></DD
-><DT
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></DT
-><DD
-><P
-> Specify the date and time when the generated SIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <TT
-CLASS="OPTION"
->start-time</TT
-> is specified, the current
- time is used.
- </P
-></DD
-><DT
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></DT
-><DD
-><P
-> Specify the date and time when the generated SIG records
- expire. As with <TT
-CLASS="OPTION"
->start-time</TT
->, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <TT
-CLASS="OPTION"
->end-time</TT
-> is
- specified, 30 days from the start time is used as a default.
- </P
-></DD
-><DT
->-h</DT
-><DD
-><P
-> Prints a short summary of the options and arguments to
- <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
->.
- </P
-></DD
-><DT
->-p</DT
-><DD
-><P
-> Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </P
-></DD
-><DT
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></DT
-><DD
-><P
-> Specifies the source of randomness. If the operating
- system does not provide a <TT
-CLASS="FILENAME"
->/dev/random</TT
->
- or equivalent device, the default source of randomness
- is keyboard input. <TT
-CLASS="FILENAME"
->randomdev</TT
-> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <TT
-CLASS="FILENAME"
->keyboard</TT
-> indicates that keyboard
- input should be used.
- </P
-></DD
-><DT
->-t <TT
-CLASS="REPLACEABLE"
-><I
->ttl</I
-></TT
-></DT
-><DD
-><P
-> Specify the TTL (time to live) of the KEY and SIG records.
- The default is 3600 seconds.
- </P
-></DD
-><DT
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></DT
-><DD
-><P
-> Sets the debugging level.
- </P
-></DD
-><DT
->key</DT
-><DD
-><P
-> The list of keys to be included in the keyset file. These keys
- are expressed in the form <TT
-CLASS="FILENAME"
->Knnnn.+aaa+iiiii</TT
->
- as generated by <B
-CLASS="COMMAND"
->dnssec-keygen</B
->.
- </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN98"
-></A
-><H2
->EXAMPLE</H2
-><P
-> The following command generates a keyset containing the DSA key for
- <TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
-> generated in the
- <B
-CLASS="COMMAND"
->dnssec-keygen</B
-> man page.
- </P
-><P
-> <TT
-CLASS="USERINPUT"
-><B
->dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
-></TT
->
- </P
-><P
-> In this example, <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
-> creates
- the file <TT
-CLASS="FILENAME"
->keyset-example.com.</TT
->. This file
- contains the specified key and a self-generated signature.
- </P
-><P
-> The DNS administrator for <TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
-> could
- send <TT
-CLASS="FILENAME"
->keyset-example.com.</TT
-> to the DNS
- administrator for <TT
-CLASS="USERINPUT"
-><B
->.com</B
-></TT
-> for signing, if the
- .com zone is DNSSEC-aware and the administrators of the two zones
- have some mechanism for authenticating each other and exchanging
- the keys and signatures securely.
- </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN112"
-></A
-><H2
->SEE ALSO</H2
-><P
-> <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-keygen</SPAN
->(8)</SPAN
->,
- <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-signkey</SPAN
->(8)</SPAN
->,
- <I
-CLASS="CITETITLE"
->BIND 9 Administrator Reference Manual</I
->,
- <I
-CLASS="CITETITLE"
->RFC 2535</I
->.
- </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN123"
-></A
-><H2
->AUTHOR</H2
-><P
-> Internet Software Consortium
- </P
-></DIV
-></BODY
-></HTML
->
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.8 b/contrib/bind9/bin/dnssec/dnssec-signkey.8
deleted file mode 100644
index ea2818bdfe21..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signkey.8
+++ /dev/null
@@ -1,108 +0,0 @@
-.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $
-.\"
-.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
-.SH NAME
-dnssec-signkey \- DNSSEC key set signing tool
-.SH SYNOPSIS
-.sp
-\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR
-.SH "DESCRIPTION"
-.PP
-\fBdnssec-signkey\fR signs a keyset. Typically
-the keyset will be for a child zone, and will have been generated
-by \fBdnssec-makekeyset\fR. The child zone's keyset
-is signed with the zone keys for its parent zone. The output file
-is of the form \fIsignedkey-nnnn.\fR, where
-\fInnnn\fR is the zone name.
-.SH "OPTIONS"
-.TP
-\fB-a\fR
-Verify all generated signatures.
-.TP
-\fB-c \fIclass\fB\fR
-Specifies the DNS class of the key sets.
-.TP
-\fB-s \fIstart-time\fB\fR
-Specify the date and time when the generated SIG records
-become valid. This can be either an absolute or relative
-time. An absolute start time is indicated by a number
-in YYYYMMDDHHMMSS notation; 20000530144500 denotes
-14:45:00 UTC on May 30th, 2000. A relative start time is
-indicated by +N, which is N seconds from the current time.
-If no \fBstart-time\fR is specified, the current
-time is used.
-.TP
-\fB-e \fIend-time\fB\fR
-Specify the date and time when the generated SIG records
-expire. As with \fBstart-time\fR, an absolute
-time is indicated in YYYYMMDDHHMMSS notation. A time relative
-to the start time is indicated with +N, which is N seconds from
-the start time. A time relative to the current time is
-indicated with now+N. If no \fBend-time\fR is
-specified, 30 days from the start time is used as a default.
-.TP
-\fB-h\fR
-Prints a short summary of the options and arguments to
-\fBdnssec-signkey\fR.
-.TP
-\fB-p\fR
-Use pseudo-random data when signing the zone. This is faster,
-but less secure, than using real random data. This option
-may be useful when signing large zones or when the entropy
-source is limited.
-.TP
-\fB-r \fIrandomdev\fB\fR
-Specifies the source of randomness. If the operating
-system does not provide a \fI/dev/random\fR
-or equivalent device, the default source of randomness
-is keyboard input. \fIrandomdev\fR specifies
-the name of a character device or file containing random
-data to be used instead of the default. The special value
-\fIkeyboard\fR indicates that keyboard
-input should be used.
-.TP
-\fB-v \fIlevel\fB\fR
-Sets the debugging level.
-.TP
-\fBkeyset\fR
-The file containing the child's keyset.
-.TP
-\fBkey\fR
-The keys used to sign the child's keyset.
-.SH "EXAMPLE"
-.PP
-The DNS administrator for a DNSSEC-aware \fB.com\fR
-zone would use the following command to sign the
-\fIkeyset\fR file for \fBexample.com\fR
-created by \fBdnssec-makekeyset\fR with a key generated
-by \fBdnssec-keygen\fR:
-.PP
-\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
-.PP
-In this example, \fBdnssec-signkey\fR creates
-the file \fIsignedkey-example.com.\fR, which
-contains the \fBexample.com\fR keys and the
-signatures by the \fB.com\fR keys.
-.SH "SEE ALSO"
-.PP
-\fBdnssec-keygen\fR(8),
-\fBdnssec-makekeyset\fR(8),
-\fBdnssec-signzone\fR(8).
-.SH "AUTHOR"
-.PP
-Internet Software Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.c b/contrib/bind9/bin/dnssec/dnssec-signkey.c
deleted file mode 100644
index fd8b0fd322b5..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signkey.c
+++ /dev/null
@@ -1,448 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2003 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-signkey.c,v 1.50.2.2.2.7 2004/08/28 06:25:28 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/string.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-signkey";
-int verbose;
-
-typedef struct keynode keynode_t;
-struct keynode {
- dst_key_t *key;
- isc_boolean_t verified;
- ISC_LINK(keynode_t) link;
-};
-typedef ISC_LIST(keynode_t) keylist_t;
-
-static isc_stdtime_t starttime = 0, endtime = 0, now;
-
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-static keylist_t keylist;
-
-static void
-usage(void) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\t%s [options] keyset keys\n", program);
-
- fprintf(stderr, "\n");
-
- fprintf(stderr, "Version: %s\n", VERSION);
-
- fprintf(stderr, "Options: (default value in parenthesis) \n");
- fprintf(stderr, "\t-a\n");
- fprintf(stderr, "\t\tverify generated signatures\n");
- fprintf(stderr, "\t-c class (IN)\n");
- fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
- fprintf(stderr, "\t\tSIG start time - absolute|offset (from keyset)\n");
- fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
- fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
- "(from keyset)\n");
- fprintf(stderr, "\t-v level:\n");
- fprintf(stderr, "\t\tverbose level (0)\n");
- fprintf(stderr, "\t-p\n");
- fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
- fprintf(stderr, "\t-r randomdev:\n");
- fprintf(stderr, "\t\ta file containing random data\n");
-
- fprintf(stderr, "\n");
-
- fprintf(stderr, "keyset:\n");
- fprintf(stderr, "\tfile with keyset to be signed (keyset-<name>)\n");
- fprintf(stderr, "keys:\n");
- fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
-
- fprintf(stderr, "\n");
- fprintf(stderr, "Output:\n");
- fprintf(stderr, "\tsigned keyset (signedkey-<name>)\n");
- exit(0);
-}
-
-static void
-loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
- dst_key_t *key;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- keynode_t *keynode;
- isc_result_t result;
-
- ISC_LIST_INIT(keylist);
- result = dns_rdataset_first(rdataset);
- check_result(result, "dns_rdataset_first");
- for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- key = NULL;
- result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
- if (result != ISC_R_SUCCESS)
- continue;
- if (!dst_key_iszonekey(key)) {
- dst_key_free(&key);
- continue;
- }
- keynode = isc_mem_get(mctx, sizeof(keynode_t));
- if (keynode == NULL)
- fatal("out of memory");
- keynode->key = key;
- keynode->verified = ISC_FALSE;
- ISC_LIST_INITANDAPPEND(keylist, keynode, link);
- }
- if (result != ISC_R_NOMORE)
- fatal("failure traversing key list");
-}
-
-static dst_key_t *
-findkey(dns_rdata_rrsig_t *sig) {
- keynode_t *keynode;
- for (keynode = ISC_LIST_HEAD(keylist);
- keynode != NULL;
- keynode = ISC_LIST_NEXT(keynode, link))
- {
- if (dst_key_id(keynode->key) == sig->keyid &&
- dst_key_alg(keynode->key) == sig->algorithm) {
- keynode->verified = ISC_TRUE;
- return (keynode->key);
- }
- }
- fatal("signature generated by non-zone or missing key");
- return (NULL);
-}
-
-int
-main(int argc, char *argv[]) {
- int i, ch;
- char *startstr = NULL, *endstr = NULL, *classname = NULL;
- char tdomain[1025];
- dns_fixedname_t fdomain;
- dns_name_t *domain;
- char *output = NULL;
- char *endp;
- unsigned char data[65536];
- dns_db_t *db;
- dns_dbnode_t *node;
- dns_dbversion_t *version;
- dns_diff_t diff;
- dns_difftuple_t *tuple;
- dns_dbiterator_t *dbiter;
- dns_rdatasetiter_t *rdsiter;
- dst_key_t *key = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdataset_t rdataset, sigrdataset;
- dns_rdata_rrsig_t sig;
- isc_result_t result;
- isc_buffer_t b;
- isc_log_t *log = NULL;
- keynode_t *keynode;
- isc_boolean_t pseudorandom = ISC_FALSE;
- unsigned int eflags;
- dns_rdataclass_t rdclass;
- isc_boolean_t tryverify = ISC_FALSE;
- isc_boolean_t settime = ISC_FALSE;
-
- result = isc_mem_create(0, 0, &mctx);
- check_result(result, "isc_mem_create()");
-
- dns_result_register();
-
- while ((ch = isc_commandline_parse(argc, argv, "ac:s:e:pr:v:h")) != -1)
- {
- switch (ch) {
- case 'a':
- tryverify = ISC_TRUE;
- break;
- case 'c':
- classname = isc_commandline_argument;
- break;
-
- case 's':
- startstr = isc_commandline_argument;
- break;
-
- case 'e':
- endstr = isc_commandline_argument;
- break;
-
- case 'p':
- pseudorandom = ISC_TRUE;
- break;
-
- case 'r':
- setup_entropy(mctx, isc_commandline_argument, &ectx);
- break;
-
- case 'v':
- endp = NULL;
- verbose = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0')
- fatal("verbose level must be numeric");
- break;
-
- case 'h':
- default:
- usage();
-
- }
- }
-
- argc -= isc_commandline_index;
- argv += isc_commandline_index;
-
- if (argc < 2)
- usage();
-
- rdclass = strtoclass(classname);
-
- if (ectx == NULL)
- setup_entropy(mctx, NULL, &ectx);
- eflags = ISC_ENTROPY_BLOCKING;
- if (!pseudorandom)
- eflags |= ISC_ENTROPY_GOODONLY;
- result = dst_lib_init(mctx, ectx, eflags);
- if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst: %s",
- isc_result_totext(result));
-
- isc_stdtime_get(&now);
-
- if ((startstr == NULL || endstr == NULL) &&
- !(startstr == NULL && endstr == NULL))
- fatal("if -s or -e is specified, both must be");
-
- if (startstr != NULL) {
- starttime = strtotime(startstr, now, now);
- endtime = strtotime(endstr, now, starttime);
- settime = ISC_TRUE;
- }
-
- setup_logging(verbose, mctx, &log);
-
- if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0)
- fatal("keyset file '%s' must start with keyset-", argv[0]);
-
- db = NULL;
- result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
- rdclass, 0, NULL, &db);
- check_result(result, "dns_db_create()");
-
- result = dns_db_load(db, argv[0]);
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
- fatal("failed to load database from '%s': %s", argv[0],
- isc_result_totext(result));
-
- dns_fixedname_init(&fdomain);
- domain = dns_fixedname_name(&fdomain);
-
- dbiter = NULL;
- result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
- check_result(result, "dns_db_createiterator()");
-
- result = dns_dbiterator_first(dbiter);
- check_result(result, "dns_dbiterator_first()");
- while (result == ISC_R_SUCCESS) {
- node = NULL;
- dns_dbiterator_current(dbiter, &node, domain);
- rdsiter = NULL;
- result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter);
- check_result(result, "dns_db_allrdatasets()");
- result = dns_rdatasetiter_first(rdsiter);
- dns_rdatasetiter_destroy(&rdsiter);
- if (result == ISC_R_SUCCESS)
- break;
- dns_db_detachnode(db, &node);
- result = dns_dbiterator_next(dbiter);
- }
- dns_dbiterator_destroy(&dbiter);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find data in keyset file");
-
- isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
- result = dns_name_tofilenametext(domain, ISC_FALSE, &b);
- check_result(result, "dns_name_tofilenametext()");
- isc_buffer_putuint8(&b, 0);
-
- output = isc_mem_allocate(mctx,
- strlen("signedkey-") + strlen(tdomain) + 1);
- if (output == NULL)
- fatal("out of memory");
- sprintf(output, "signedkey-%s", tdomain);
-
- version = NULL;
- dns_db_newversion(db, &version);
-
- dns_rdataset_init(&rdataset);
- dns_rdataset_init(&sigrdataset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
- 0, &rdataset, &sigrdataset);
- if (result != ISC_R_SUCCESS) {
- char domainstr[DNS_NAME_FORMATSIZE];
- dns_name_format(domain, domainstr, sizeof(domainstr));
- fatal("failed to find rdataset '%s KEY': %s",
- domainstr, isc_result_totext(result));
- }
-
- loadkeys(domain, &rdataset);
-
- dns_diff_init(mctx, &diff);
-
- if (!dns_rdataset_isassociated(&sigrdataset))
- fatal("no SIG KEY set present");
-
- result = dns_rdataset_first(&sigrdataset);
- check_result(result, "dns_rdataset_first()");
- do {
- dns_rdataset_current(&sigrdataset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
- check_result(result, "dns_rdata_tostruct()");
- key = findkey(&sig);
- result = dns_dnssec_verify(domain, &rdataset, key,
- ISC_TRUE, mctx, &sigrdata);
- if (result != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
- fatal("signature by key '%s' did not verify: %s",
- keystr, isc_result_totext(result));
- }
- if (!settime) {
- starttime = sig.timesigned;
- endtime = sig.timeexpire;
- settime = ISC_TRUE;
- }
- dns_rdata_freestruct(&sig);
- dns_rdata_reset(&sigrdata);
- result = dns_rdataset_next(&sigrdataset);
- } while (result == ISC_R_SUCCESS);
-
- for (keynode = ISC_LIST_HEAD(keylist);
- keynode != NULL;
- keynode = ISC_LIST_NEXT(keynode, link))
- if (!keynode->verified)
- fatal("not all zone keys self signed the key set");
-
- argc -= 1;
- argv += 1;
-
- for (i = 0; i < argc; i++) {
- key = NULL;
- result = dst_key_fromnamedfile(argv[i],
- DST_TYPE_PUBLIC |
- DST_TYPE_PRIVATE,
- mctx, &key);
- if (result != ISC_R_SUCCESS)
- fatal("failed to read key %s from disk: %s",
- argv[i], isc_result_totext(result));
-
- dns_rdata_reset(&rdata);
- isc_buffer_init(&b, data, sizeof(data));
- result = dns_dnssec_sign(domain, &rdataset, key,
- &starttime, &endtime,
- mctx, &b, &rdata);
- isc_entropy_stopcallbacksources(ectx);
- if (result != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
- fatal("key '%s' failed to sign data: %s",
- keystr, isc_result_totext(result));
- }
- if (tryverify) {
- result = dns_dnssec_verify(domain, &rdataset, key,
- ISC_TRUE, mctx, &rdata);
- if (result != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
- fatal("signature from key '%s' failed to "
- "verify: %s",
- keystr, isc_result_totext(result));
- }
- }
- tuple = NULL;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- domain, rdataset.ttl,
- &rdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- dst_key_free(&key);
- }
-
- result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig,
- dns_rdatatype_dnskey);
- check_result(result, "dns_db_deleterdataset");
-
- result = dns_diff_apply(&diff, db, version);
- check_result(result, "dns_diff_apply");
- dns_diff_clear(&diff);
-
- dns_db_detachnode(db, &node);
- dns_db_closeversion(db, &version, ISC_TRUE);
- result = dns_db_dump(db, version, output);
- if (result != ISC_R_SUCCESS)
- fatal("failed to write database to '%s': %s",
- output, isc_result_totext(result));
-
- printf("%s\n", output);
-
- dns_rdataset_disassociate(&rdataset);
- dns_rdataset_disassociate(&sigrdataset);
-
- dns_db_detach(&db);
-
- while (!ISC_LIST_EMPTY(keylist)) {
- keynode = ISC_LIST_HEAD(keylist);
- ISC_LIST_UNLINK(keylist, keynode, link);
- dst_key_free(&keynode->key);
- isc_mem_put(mctx, keynode, sizeof(keynode_t));
- }
-
- cleanup_logging(&log);
-
- isc_mem_free(mctx, output);
- cleanup_entropy(&ectx);
- dst_lib_destroy();
- if (verbose > 10)
- isc_mem_stats(mctx, stdout);
- isc_mem_destroy(&mctx);
- return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.docbook b/contrib/bind9/bin/dnssec/dnssec-signkey.docbook
deleted file mode 100644
index 8258a3da7102..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signkey.docbook
+++ /dev/null
@@ -1,237 +0,0 @@
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
-<!--
- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>dnssec-signkey</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <refnamediv>
- <refname><application>dnssec-signkey</application></refname>
- <refpurpose>DNSSEC key set signing tool</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>dnssec-signkey</command>
- <arg><option>-a</option></arg>
- <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
- <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
- <arg><option>-h</option></arg>
- <arg><option>-p</option></arg>
- <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
- <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
- <arg choice="req">keyset</arg>
- <arg choice="req" rep="repeat">key</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>dnssec-signkey</command> signs a keyset. Typically
- the keyset will be for a child zone, and will have been generated
- by <command>dnssec-makekeyset</command>. The child zone's keyset
- is signed with the zone keys for its parent zone. The output file
- is of the form <filename>signedkey-nnnn.</filename>, where
- <filename>nnnn</filename> is the zone name.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-a</term>
- <listitem>
- <para>
- Verify all generated signatures.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-c <replaceable class="parameter">class</replaceable></term>
- <listitem>
- <para>
- Specifies the DNS class of the key sets.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s <replaceable class="parameter">start-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated SIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <option>start-time</option> is specified, the current
- time is used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-e <replaceable class="parameter">end-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated SIG records
- expire. As with <option>start-time</option>, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <option>end-time</option> is
- specified, 30 days from the start time is used as a default.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-h</term>
- <listitem>
- <para>
- Prints a short summary of the options and arguments to
- <command>dnssec-signkey</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p</term>
- <listitem>
- <para>
- Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-r <replaceable class="parameter">randomdev</replaceable></term>
- <listitem>
- <para>
- Specifies the source of randomness. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v <replaceable class="parameter">level</replaceable></term>
- <listitem>
- <para>
- Sets the debugging level.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>keyset</term>
- <listitem>
- <para>
- The file containing the child's keyset.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>key</term>
- <listitem>
- <para>
- The keys used to sign the child's keyset.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>EXAMPLE</title>
- <para>
- The DNS administrator for a DNSSEC-aware <userinput>.com</userinput>
- zone would use the following command to sign the
- <filename>keyset</filename> file for <userinput>example.com</userinput>
- created by <command>dnssec-makekeyset</command> with a key generated
- by <command>dnssec-keygen</command>:
- </para>
- <para>
- <userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput>
- </para>
- <para>
- In this example, <command>dnssec-signkey</command> creates
- the file <filename>signedkey-example.com.</filename>, which
- contains the <userinput>example.com</userinput> keys and the
- signatures by the <userinput>.com</userinput> keys.
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>dnssec-makekeyset</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>dnssec-signzone</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.html b/contrib/bind9/bin/dnssec/dnssec-signkey.html
deleted file mode 100644
index 8cbf1fc736a3..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signkey.html
+++ /dev/null
@@ -1,407 +0,0 @@
-<!--
- - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ -->
-
-<HTML
-><HEAD
-><TITLE
->dnssec-signkey</TITLE
-><META
-NAME="GENERATOR"
-CONTENT="Modular DocBook HTML Stylesheet Version 1.73
-"></HEAD
-><BODY
-CLASS="REFENTRY"
-BGCOLOR="#FFFFFF"
-TEXT="#000000"
-LINK="#0000FF"
-VLINK="#840084"
-ALINK="#0000FF"
-><H1
-><A
-NAME="AEN1"
-><SPAN
-CLASS="APPLICATION"
->dnssec-signkey</SPAN
-></A
-></H1
-><DIV
-CLASS="REFNAMEDIV"
-><A
-NAME="AEN9"
-></A
-><H2
->Name</H2
-><SPAN
-CLASS="APPLICATION"
->dnssec-signkey</SPAN
->&nbsp;--&nbsp;DNSSEC key set signing tool</DIV
-><DIV
-CLASS="REFSYNOPSISDIV"
-><A
-NAME="AEN13"
-></A
-><H2
->Synopsis</H2
-><P
-><B
-CLASS="COMMAND"
->dnssec-signkey</B
-> [<TT
-CLASS="OPTION"
->-a</TT
->] [<TT
-CLASS="OPTION"
->-c <TT
-CLASS="REPLACEABLE"
-><I
->class</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-h</TT
->] [<TT
-CLASS="OPTION"
->-p</TT
->] [<TT
-CLASS="OPTION"
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></TT
->] [<TT
-CLASS="OPTION"
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></TT
->] {keyset} {key...}</P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN39"
-></A
-><H2
->DESCRIPTION</H2
-><P
-> <B
-CLASS="COMMAND"
->dnssec-signkey</B
-> signs a keyset. Typically
- the keyset will be for a child zone, and will have been generated
- by <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
->. The child zone's keyset
- is signed with the zone keys for its parent zone. The output file
- is of the form <TT
-CLASS="FILENAME"
->signedkey-nnnn.</TT
->, where
- <TT
-CLASS="FILENAME"
->nnnn</TT
-> is the zone name.
- </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN46"
-></A
-><H2
->OPTIONS</H2
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->-a</DT
-><DD
-><P
-> Verify all generated signatures.
- </P
-></DD
-><DT
->-c <TT
-CLASS="REPLACEABLE"
-><I
->class</I
-></TT
-></DT
-><DD
-><P
-> Specifies the DNS class of the key sets.
- </P
-></DD
-><DT
->-s <TT
-CLASS="REPLACEABLE"
-><I
->start-time</I
-></TT
-></DT
-><DD
-><P
-> Specify the date and time when the generated SIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <TT
-CLASS="OPTION"
->start-time</TT
-> is specified, the current
- time is used.
- </P
-></DD
-><DT
->-e <TT
-CLASS="REPLACEABLE"
-><I
->end-time</I
-></TT
-></DT
-><DD
-><P
-> Specify the date and time when the generated SIG records
- expire. As with <TT
-CLASS="OPTION"
->start-time</TT
->, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <TT
-CLASS="OPTION"
->end-time</TT
-> is
- specified, 30 days from the start time is used as a default.
- </P
-></DD
-><DT
->-h</DT
-><DD
-><P
-> Prints a short summary of the options and arguments to
- <B
-CLASS="COMMAND"
->dnssec-signkey</B
->.
- </P
-></DD
-><DT
->-p</DT
-><DD
-><P
-> Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </P
-></DD
-><DT
->-r <TT
-CLASS="REPLACEABLE"
-><I
->randomdev</I
-></TT
-></DT
-><DD
-><P
-> Specifies the source of randomness. If the operating
- system does not provide a <TT
-CLASS="FILENAME"
->/dev/random</TT
->
- or equivalent device, the default source of randomness
- is keyboard input. <TT
-CLASS="FILENAME"
->randomdev</TT
-> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <TT
-CLASS="FILENAME"
->keyboard</TT
-> indicates that keyboard
- input should be used.
- </P
-></DD
-><DT
->-v <TT
-CLASS="REPLACEABLE"
-><I
->level</I
-></TT
-></DT
-><DD
-><P
-> Sets the debugging level.
- </P
-></DD
-><DT
->keyset</DT
-><DD
-><P
-> The file containing the child's keyset.
- </P
-></DD
-><DT
->key</DT
-><DD
-><P
-> The keys used to sign the child's keyset.
- </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN101"
-></A
-><H2
->EXAMPLE</H2
-><P
-> The DNS administrator for a DNSSEC-aware <TT
-CLASS="USERINPUT"
-><B
->.com</B
-></TT
->
- zone would use the following command to sign the
- <TT
-CLASS="FILENAME"
->keyset</TT
-> file for <TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
->
- created by <B
-CLASS="COMMAND"
->dnssec-makekeyset</B
-> with a key generated
- by <B
-CLASS="COMMAND"
->dnssec-keygen</B
->:
- </P
-><P
-> <TT
-CLASS="USERINPUT"
-><B
->dnssec-signkey keyset-example.com. Kcom.+003+51944</B
-></TT
->
- </P
-><P
-> In this example, <B
-CLASS="COMMAND"
->dnssec-signkey</B
-> creates
- the file <TT
-CLASS="FILENAME"
->signedkey-example.com.</TT
->, which
- contains the <TT
-CLASS="USERINPUT"
-><B
->example.com</B
-></TT
-> keys and the
- signatures by the <TT
-CLASS="USERINPUT"
-><B
->.com</B
-></TT
-> keys.
- </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN116"
-></A
-><H2
->SEE ALSO</H2
-><P
-> <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-keygen</SPAN
->(8)</SPAN
->,
- <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-makekeyset</SPAN
->(8)</SPAN
->,
- <SPAN
-CLASS="CITEREFENTRY"
-><SPAN
-CLASS="REFENTRYTITLE"
->dnssec-signzone</SPAN
->(8)</SPAN
->.
- </P
-></DIV
-><DIV
-CLASS="REFSECT1"
-><A
-NAME="AEN128"
-></A
-><H2
->AUTHOR</H2
-><P
-> Internet Software Consortium
- </P
-></DIV
-></BODY
-></HTML
->
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8
deleted file mode 100644
index 63ffadba644f..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.8
+++ /dev/null
@@ -1,157 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.10 2005/10/13 02:33:45 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "DNSSEC\-SIGNZONE" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-dnssec\-signzone \- DNSSEC zone signing tool
-.SH "SYNOPSIS"
-.HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-n\ \fR\fB\fInthreads\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
-.SH "DESCRIPTION"
-.PP
-\fBdnssec\-signzone\fR
-signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a
-\fIkeyset\fR
-file for each child zone.
-.SH "OPTIONS"
-.TP
-\-a
-Verify all generated signatures.
-.TP
-\-c \fIclass\fR
-Specifies the DNS class of the zone.
-.TP
-\-k \fIkey\fR
-Treat specified key as a key signing key ignoring any key flags. This option may be specified multiple times.
-.TP
-\-l \fIdomain\fR
-Generate a DLV set in addition to the key (DNSKEY) and DS sets. The domain is appended to the name of the records.
-.TP
-\-d \fIdirectory\fR
-Look for
-\fIkeyset\fR
-files in
-\fBdirectory\fR
-as the directory
-.TP
-\-g
-Generate DS records for child zones from keyset files. Existing DS records will be removed.
-.TP
-\-s \fIstart\-time\fR
-Specify the date and time when the generated RRSIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no
-\fBstart\-time\fR
-is specified, the current time minus 1 hour (to allow for clock skew) is used.
-.TP
-\-e \fIend\-time\fR
-Specify the date and time when the generated RRSIG records expire. As with
-\fBstart\-time\fR, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no
-\fBend\-time\fR
-is specified, 30 days from the start time is used as a default.
-.TP
-\-f \fIoutput\-file\fR
-The name of the output file containing the signed zone. The default is to append
-\fI.signed\fR
-to the input file.
-.TP
-\-h
-Prints a short summary of the options and arguments to
-\fBdnssec\-signzone\fR.
-.TP
-\-i \fIinterval\fR
-When a previously signed zone is passed as input, records may be resigned. The
-\fBinterval\fR
-option specifies the cycle interval as an offset from the current time (in seconds). If a RRSIG record expires after the cycle interval, it is retained. Otherwise, it is considered to be expiring soon, and it will be replaced.
-.sp
-The default cycle interval is one quarter of the difference between the signature end and start times. So if neither
-\fBend\-time\fR
-or
-\fBstart\-time\fR
-are specified,
-\fBdnssec\-signzone\fR
-generates signatures that are valid for 30 days, with a cycle interval of 7.5 days. Therefore, if any existing RRSIG records are due to expire in less than 7.5 days, they would be replaced.
-.TP
-\-n \fIncpus\fR
-Specifies the number of threads to use. By default, one thread is started for each detected CPU.
-.TP
-\-o \fIorigin\fR
-The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-.TP
-\-p
-Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited.
-.TP
-\-r \fIrandomdev\fR
-Specifies the source of randomness. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.TP
-\-t
-Print statistics at completion.
-.TP
-\-v \fIlevel\fR
-Sets the debugging level.
-.TP
-\-z
-Ignore KSK flag on key when determining what to sign.
-.TP
-zonefile
-The file containing the zone to be signed.
-.TP
-key
-The keys used to sign the zone. If no keys are specified, the default all zone keys that have private key files in the current directory.
-.SH "EXAMPLE"
-.PP
-The following command signs the
-\fBexample.com\fR
-zone with the DSA key generated in the
-\fBdnssec\-keygen\fR
-man page. The zone's keys must be in the zone. If there are
-\fIkeyset\fR
-files associated with child zones, they must be in the current directory.
-\fBexample.com\fR, the following command would be issued:
-.PP
-\fBdnssec\-signzone \-o example.com db.example.com Kexample.com.+003+26160\fR
-.PP
-The command would print a string of the form:
-.PP
-In this example,
-\fBdnssec\-signzone\fR
-creates the file
-\fIdb.example.com.signed\fR. This file should be referenced in a zone statement in a
-\fInamed.conf\fR
-file.
-.SH "SEE ALSO"
-.PP
-\fBdnssec\-keygen\fR(8),
-BIND 9 Administrator Reference Manual,
-RFC 2535.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c
deleted file mode 100644
index 93caf497e266..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.c
+++ /dev/null
@@ -1,2134 +0,0 @@
-/*
- * Portions Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec-signzone.c,v 1.139.2.2.4.21 2005/10/14 01:38:41 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <time.h>
-
-#include <isc/app.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/event.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/os.h>
-#include <isc/print.h>
-#include <isc/serial.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-#include <isc/time.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/nsec.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/time.h>
-
-#include <dst/dst.h>
-
-#include "dnssectool.h"
-
-const char *program = "dnssec-signzone";
-int verbose;
-
-#define BUFSIZE 2048
-#define MAXDSKEYS 8
-
-typedef struct signer_key_struct signer_key_t;
-
-struct signer_key_struct {
- dst_key_t *key;
- isc_boolean_t issigningkey;
- isc_boolean_t isdsk;
- isc_boolean_t isksk;
- unsigned int position;
- ISC_LINK(signer_key_t) link;
-};
-
-#define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453)
-#define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0)
-#define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1)
-
-typedef struct signer_event sevent_t;
-struct signer_event {
- ISC_EVENT_COMMON(sevent_t);
- dns_fixedname_t *fname;
- dns_dbnode_t *node;
-};
-
-static ISC_LIST(signer_key_t) keylist;
-static unsigned int keycount = 0;
-static isc_stdtime_t starttime = 0, endtime = 0, now;
-static int cycle = -1;
-static isc_boolean_t tryverify = ISC_FALSE;
-static isc_boolean_t printstats = ISC_FALSE;
-static isc_mem_t *mctx = NULL;
-static isc_entropy_t *ectx = NULL;
-static dns_ttl_t zonettl;
-static FILE *fp;
-static char *tempfile = NULL;
-static const dns_master_style_t *masterstyle;
-static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
-static unsigned int nverified = 0, nverifyfailed = 0;
-static const char *directory;
-static isc_mutex_t namelock, statslock;
-static isc_taskmgr_t *taskmgr = NULL;
-static dns_db_t *gdb; /* The database */
-static dns_dbversion_t *gversion; /* The database version */
-static dns_dbiterator_t *gdbiter; /* The database iterator */
-static dns_rdataclass_t gclass; /* The class */
-static dns_name_t *gorigin; /* The database origin */
-static isc_task_t *master = NULL;
-static unsigned int ntasks = 0;
-static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
-static unsigned int assigned = 0, completed = 0;
-static isc_boolean_t nokeys = ISC_FALSE;
-static isc_boolean_t removefile = ISC_FALSE;
-static isc_boolean_t generateds = ISC_FALSE;
-static isc_boolean_t ignoreksk = ISC_FALSE;
-static dns_name_t *dlv = NULL;
-static dns_fixedname_t dlv_fixed;
-static dns_master_style_t *dsstyle = NULL;
-
-#define INCSTAT(counter) \
- if (printstats) { \
- LOCK(&statslock); \
- counter++; \
- UNLOCK(&statslock); \
- }
-
-static void
-sign(isc_task_t *task, isc_event_t *event);
-
-
-static inline void
-set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
- unsigned int shift, mask;
-
- shift = 7 - (index % 8);
- mask = 1 << shift;
-
- if (bit != 0)
- array[index / 8] |= mask;
- else
- array[index / 8] &= (~mask & 0xFF);
-}
-
-static void
-dumpnode(dns_name_t *name, dns_dbnode_t *node) {
- isc_result_t result;
-
- result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name,
- masterstyle, fp);
- check_result(result, "dns_master_dumpnodetostream");
-}
-
-static void
-dumpdb(dns_db_t *db) {
- dns_dbiterator_t *dbiter = NULL;
- dns_dbnode_t *node;
- dns_fixedname_t fname;
- dns_name_t *name;
- isc_result_t result;
-
- dbiter = NULL;
- result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
- check_result(result, "dns_db_createiterator()");
-
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- node = NULL;
-
- for (result = dns_dbiterator_first(dbiter);
- result == ISC_R_SUCCESS;
- result = dns_dbiterator_next(dbiter))
- {
- result = dns_dbiterator_current(dbiter, &node, name);
- check_result(result, "dns_dbiterator_current()");
- dumpnode(name, node);
- dns_db_detachnode(db, &node);
- }
- if (result != ISC_R_NOMORE)
- fatal("iterating database: %s", isc_result_totext(result));
-
- dns_dbiterator_destroy(&dbiter);
-}
-
-static signer_key_t *
-newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
- signer_key_t *key;
-
- key = isc_mem_get(mctx, sizeof(signer_key_t));
- if (key == NULL)
- fatal("out of memory");
- key->key = dstkey;
- if ((dst_key_flags(dstkey) & DNS_KEYFLAG_KSK) != 0) {
- key->issigningkey = signwithkey;
- key->isksk = ISC_TRUE;
- key->isdsk = ISC_FALSE;
- } else {
- key->issigningkey = signwithkey;
- key->isksk = ISC_FALSE;
- key->isdsk = ISC_TRUE;
- }
- key->position = keycount++;
- ISC_LINK_INIT(key, link);
- return (key);
-}
-
-static void
-signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
- dst_key_t *key, isc_buffer_t *b)
-{
- isc_result_t result;
-
- result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
- mctx, b, rdata);
- isc_entropy_stopcallbacksources(ectx);
- if (result != ISC_R_SUCCESS) {
- char keystr[KEY_FORMATSIZE];
- key_format(key, keystr, sizeof(keystr));
- fatal("dnskey '%s' failed to sign data: %s",
- keystr, isc_result_totext(result));
- }
- INCSTAT(nsigned);
-
- if (tryverify) {
- result = dns_dnssec_verify(name, rdataset, key,
- ISC_TRUE, mctx, rdata);
- if (result == ISC_R_SUCCESS) {
- vbprintf(3, "\tsignature verified\n");
- INCSTAT(nverified);
- } else {
- vbprintf(3, "\tsignature failed to verify\n");
- INCSTAT(nverifyfailed);
- }
- }
-}
-
-static inline isc_boolean_t
-issigningkey(signer_key_t *key) {
- return (key->issigningkey);
-}
-
-static inline isc_boolean_t
-iszonekey(signer_key_t *key) {
- return (ISC_TF(dns_name_equal(dst_key_name(key->key), gorigin) &&
- dst_key_iszonekey(key->key)));
-}
-
-/*
- * Finds the key that generated a RRSIG, if possible. First look at the keys
- * that we've loaded already, and then see if there's a key on disk.
- */
-static signer_key_t *
-keythatsigned(dns_rdata_rrsig_t *rrsig) {
- isc_result_t result;
- dst_key_t *pubkey = NULL, *privkey = NULL;
- signer_key_t *key;
-
- key = ISC_LIST_HEAD(keylist);
- while (key != NULL) {
- if (rrsig->keyid == dst_key_id(key->key) &&
- rrsig->algorithm == dst_key_alg(key->key) &&
- dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
- return key;
- key = ISC_LIST_NEXT(key, link);
- }
-
- result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
- rrsig->algorithm, DST_TYPE_PUBLIC,
- NULL, mctx, &pubkey);
- if (result != ISC_R_SUCCESS)
- return (NULL);
-
- result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
- rrsig->algorithm,
- DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
- NULL, mctx, &privkey);
- if (result == ISC_R_SUCCESS) {
- dst_key_free(&pubkey);
- key = newkeystruct(privkey, ISC_FALSE);
- } else
- key = newkeystruct(pubkey, ISC_FALSE);
- ISC_LIST_APPEND(keylist, key, link);
- return (key);
-}
-
-/*
- * Check to see if we expect to find a key at this name. If we see a RRSIG
- * and can't find the signing key that we expect to find, we drop the rrsig.
- * I'm not sure if this is completely correct, but it seems to work.
- */
-static isc_boolean_t
-expecttofindkey(dns_name_t *name) {
- unsigned int options = DNS_DBFIND_NOWILD;
- dns_fixedname_t fname;
- isc_result_t result;
- char namestr[DNS_NAME_FORMATSIZE];
-
- dns_fixedname_init(&fname);
- result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options,
- 0, NULL, dns_fixedname_name(&fname), NULL, NULL);
- switch (result) {
- case ISC_R_SUCCESS:
- case DNS_R_NXDOMAIN:
- case DNS_R_NXRRSET:
- return (ISC_TRUE);
- case DNS_R_DELEGATION:
- case DNS_R_CNAME:
- case DNS_R_DNAME:
- return (ISC_FALSE);
- }
- dns_name_format(name, namestr, sizeof(namestr));
- fatal("failure looking for '%s DNSKEY' in database: %s",
- namestr, isc_result_totext(result));
- return (ISC_FALSE); /* removes a warning */
-}
-
-static inline isc_boolean_t
-setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
- dns_rdata_t *rrsig)
-{
- isc_result_t result;
- result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
- if (result == ISC_R_SUCCESS) {
- INCSTAT(nverified);
- return (ISC_TRUE);
- } else {
- INCSTAT(nverifyfailed);
- return (ISC_FALSE);
- }
-}
-
-/*
- * Signs a set. Goes through contortions to decide if each RRSIG should
- * be dropped or retained, and then determines if any new SIGs need to
- * be generated.
- */
-static void
-signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
- dns_rdataset_t *set)
-{
- dns_rdataset_t sigset;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdata_rrsig_t rrsig;
- signer_key_t *key;
- isc_result_t result;
- isc_boolean_t nosigs = ISC_FALSE;
- isc_boolean_t *wassignedby, *nowsignedby;
- int arraysize;
- dns_difftuple_t *tuple;
- dns_ttl_t ttl;
- int i;
- char namestr[DNS_NAME_FORMATSIZE];
- char typestr[TYPE_FORMATSIZE];
- char sigstr[SIG_FORMATSIZE];
-
- dns_name_format(name, namestr, sizeof(namestr));
- type_format(set->type, typestr, sizeof(typestr));
-
- ttl = ISC_MIN(set->ttl, endtime - starttime);
-
- dns_rdataset_init(&sigset);
- result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
- set->type, 0, &sigset, NULL);
- if (result == ISC_R_NOTFOUND) {
- result = ISC_R_SUCCESS;
- nosigs = ISC_TRUE;
- }
- if (result != ISC_R_SUCCESS)
- fatal("failed while looking for '%s RRSIG %s': %s",
- namestr, typestr, isc_result_totext(result));
-
- vbprintf(1, "%s/%s:\n", namestr, typestr);
-
- arraysize = keycount;
- if (!nosigs)
- arraysize += dns_rdataset_count(&sigset);
- wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
- nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
- if (wassignedby == NULL || nowsignedby == NULL)
- fatal("out of memory");
-
- for (i = 0; i < arraysize; i++)
- wassignedby[i] = nowsignedby[i] = ISC_FALSE;
-
- if (nosigs)
- result = ISC_R_NOMORE;
- else
- result = dns_rdataset_first(&sigset);
-
- while (result == ISC_R_SUCCESS) {
- isc_boolean_t expired, future;
- isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
-
- dns_rdataset_current(&sigset, &sigrdata);
-
- result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
- check_result(result, "dns_rdata_tostruct");
-
- future = isc_serial_lt(now, rrsig.timesigned);
-
- key = keythatsigned(&rrsig);
- sig_format(&rrsig, sigstr, sizeof(sigstr));
- if (key != NULL && issigningkey(key))
- expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
- else
- expired = isc_serial_gt(now, rrsig.timeexpire);
-
- if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
- /* rrsig is dropped and not replaced */
- vbprintf(2, "\trrsig by %s dropped - "
- "invalid validity period\n",
- sigstr);
- } else if (key == NULL && !future &&
- expecttofindkey(&rrsig.signer))
- {
- /* rrsig is dropped and not replaced */
- vbprintf(2, "\trrsig by %s dropped - "
- "private dnskey not found\n",
- sigstr);
- } else if (key == NULL || future) {
- vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
- expired ? "retained" : "dropped", sigstr);
- if (!expired)
- keep = ISC_TRUE;
- } else if (issigningkey(key)) {
- if (!expired && setverifies(name, set, key, &sigrdata))
- {
- vbprintf(2, "\trrsig by %s retained\n", sigstr);
- keep = ISC_TRUE;
- wassignedby[key->position] = ISC_TRUE;
- nowsignedby[key->position] = ISC_TRUE;
- } else {
- vbprintf(2, "\trrsig by %s dropped - %s\n",
- sigstr,
- expired ? "expired" :
- "failed to verify");
- wassignedby[key->position] = ISC_TRUE;
- resign = ISC_TRUE;
- }
- } else if (iszonekey(key)) {
- if (!expired && setverifies(name, set, key, &sigrdata))
- {
- vbprintf(2, "\trrsig by %s retained\n", sigstr);
- keep = ISC_TRUE;
- wassignedby[key->position] = ISC_TRUE;
- nowsignedby[key->position] = ISC_TRUE;
- } else {
- vbprintf(2, "\trrsig by %s dropped - %s\n",
- sigstr,
- expired ? "expired" :
- "failed to verify");
- wassignedby[key->position] = ISC_TRUE;
- }
- } else if (!expired) {
- vbprintf(2, "\trrsig by %s retained\n", sigstr);
- keep = ISC_TRUE;
- } else {
- vbprintf(2, "\trrsig by %s expired\n", sigstr);
- }
-
- if (keep) {
- nowsignedby[key->position] = ISC_TRUE;
- INCSTAT(nretained);
- if (sigset.ttl != ttl) {
- vbprintf(2, "\tfixing ttl %s\n", sigstr);
- tuple = NULL;
- result = dns_difftuple_create(mctx,
- DNS_DIFFOP_DEL,
- name, sigset.ttl,
- &sigrdata,
- &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(del, &tuple);
- result = dns_difftuple_create(mctx,
- DNS_DIFFOP_ADD,
- name, ttl,
- &sigrdata,
- &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(add, &tuple);
- }
- } else {
- tuple = NULL;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
- name, sigset.ttl,
- &sigrdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(del, &tuple);
- INCSTAT(ndropped);
- }
-
- if (resign) {
- isc_buffer_t b;
- dns_rdata_t trdata = DNS_RDATA_INIT;
- unsigned char array[BUFSIZE];
- char keystr[KEY_FORMATSIZE];
-
- INSIST(!keep);
-
- key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tresigning with dnskey %s\n", keystr);
- isc_buffer_init(&b, array, sizeof(array));
- signwithkey(name, set, &trdata, key->key, &b);
- nowsignedby[key->position] = ISC_TRUE;
- tuple = NULL;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- name, ttl, &trdata,
- &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(add, &tuple);
- }
-
- dns_rdata_reset(&sigrdata);
- dns_rdata_freestruct(&rrsig);
- result = dns_rdataset_next(&sigset);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- check_result(result, "dns_rdataset_first/next");
- if (dns_rdataset_isassociated(&sigset))
- dns_rdataset_disassociate(&sigset);
-
- for (key = ISC_LIST_HEAD(keylist);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- {
- isc_buffer_t b;
- dns_rdata_t trdata;
- unsigned char array[BUFSIZE];
- char keystr[KEY_FORMATSIZE];
-
- if (nowsignedby[key->position])
- continue;
-
- if (!key->issigningkey)
- continue;
- if (!(ignoreksk || key->isdsk ||
- (key->isksk &&
- set->type == dns_rdatatype_dnskey &&
- dns_name_equal(name, gorigin))))
- continue;
-
- key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tsigning with dnskey %s\n", keystr);
- dns_rdata_init(&trdata);
- isc_buffer_init(&b, array, sizeof(array));
- signwithkey(name, set, &trdata, key->key, &b);
- tuple = NULL;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
- ttl, &trdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(add, &tuple);
- }
-
- isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
- isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
-}
-
-static void
-opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
- dns_db_t **dbp)
-{
- char filename[256];
- isc_buffer_t b;
- isc_result_t result;
-
- isc_buffer_init(&b, filename, sizeof(filename));
- if (directory != NULL) {
- isc_buffer_putstr(&b, directory);
- if (directory[strlen(directory) - 1] != '/')
- isc_buffer_putstr(&b, "/");
- }
- isc_buffer_putstr(&b, prefix);
- result = dns_name_tofilenametext(name, ISC_FALSE, &b);
- check_result(result, "dns_name_tofilenametext()");
- if (isc_buffer_availablelength(&b) == 0) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namestr, sizeof(namestr));
- fatal("name '%s' is too long", namestr);
- }
- isc_buffer_putuint8(&b, 0);
-
- result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
- rdclass, 0, NULL, dbp);
- check_result(result, "dns_db_create()");
-
- result = dns_db_load(*dbp, filename);
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
- dns_db_detach(dbp);
-}
-
-/*
- * Loads the key set for a child zone, if there is one, and builds DS records.
- */
-static isc_result_t
-loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
- dns_db_t *db = NULL;
- dns_dbversion_t *ver = NULL;
- dns_dbnode_t *node = NULL;
- isc_result_t result;
- dns_rdataset_t keyset;
- dns_rdata_t key, ds;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
- dns_diff_t diff;
- dns_difftuple_t *tuple = NULL;
-
- opendb("keyset-", name, gclass, &db);
- if (db == NULL)
- return (ISC_R_NOTFOUND);
-
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS) {
- dns_db_detach(&db);
- return (DNS_R_BADDB);
- }
- dns_rdataset_init(&keyset);
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
- &keyset, NULL);
- if (result != ISC_R_SUCCESS) {
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
- return (result);
- }
-
- vbprintf(2, "found DNSKEY records\n");
-
- result = dns_db_newversion(db, &ver);
- check_result(result, "dns_db_newversion");
-
- dns_diff_init(mctx, &diff);
-
- for (result = dns_rdataset_first(&keyset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset))
- {
- dns_rdata_init(&key);
- dns_rdata_init(&ds);
- dns_rdataset_current(&keyset, &key);
- result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1,
- dsbuf, &ds);
- check_result(result, "dns_ds_buildrdata");
-
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
- ttl, &ds, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- }
- result = dns_diff_apply(&diff, db, ver);
- check_result(result, "dns_diff_apply");
- dns_diff_clear(&diff);
-
- dns_db_closeversion(db, &ver, ISC_TRUE);
-
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, 0,
- dsset, NULL);
- check_result(result, "dns_db_findrdataset");
-
- dns_rdataset_disassociate(&keyset);
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
- return (result);
-}
-
-static isc_boolean_t
-nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
- unsigned int val)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_nsec_t nsec;
- unsigned int newlen;
- unsigned char bitmap[8192 + 512];
- unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE];
- isc_boolean_t answer = ISC_FALSE;
- unsigned int i, len, window;
- int octet;
-
- result = dns_rdataset_first(rdataset);
- check_result(result, "dns_rdataset_first()");
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- check_result(result, "dns_rdata_tostruct");
-
- INSIST(nsec.len <= sizeof(bitmap));
-
- newlen = 0;
-
- memset(bitmap, 0, sizeof(bitmap));
- for (i = 0; i < nsec.len; i += len) {
- INSIST(i + 2 <= nsec.len);
- window = nsec.typebits[i];
- len = nsec.typebits[i+1];
- i += 2;
- INSIST(len > 0 && len <= 32);
- INSIST(i + len <= nsec.len);
- memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len);
- }
- set_bit(bitmap + 512, type, val);
- for (window = 0; window < 256; window++) {
- for (octet = 31; octet >= 0; octet--)
- if (bitmap[window * 32 + 512 + octet] != 0)
- break;
- if (octet < 0)
- continue;
- bitmap[newlen] = window;
- bitmap[newlen + 1] = octet + 1;
- newlen += 2;
- /*
- * Overlapping move.
- */
- memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1);
- newlen += octet + 1;
- }
- if (newlen != nsec.len ||
- memcmp(nsec.typebits, bitmap, newlen) != 0) {
- dns_rdata_t newrdata = DNS_RDATA_INIT;
- isc_buffer_t b;
- dns_diff_t diff;
- dns_difftuple_t *tuple = NULL;
-
- dns_diff_init(mctx, &diff);
- result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name,
- rdataset->ttl, &rdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
-
- nsec.typebits = bitmap;
- nsec.len = newlen;
- isc_buffer_init(&b, nsecdata, sizeof(nsecdata));
- result = dns_rdata_fromstruct(&newrdata, rdata.rdclass,
- dns_rdatatype_nsec, &nsec,
- &b);
- check_result(result, "dns_rdata_fromstruct");
-
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- name, rdataset->ttl,
- &newrdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- result = dns_diff_apply(&diff, gdb, gversion);
- check_result(result, "dns_difftuple_apply");
- dns_diff_clear(&diff);
- answer = ISC_TRUE;
- }
- dns_rdata_freestruct(&nsec);
- return (answer);
-}
-
-static isc_boolean_t
-delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
- dns_rdataset_t nsset;
- isc_result_t result;
-
- if (dns_name_equal(name, gorigin))
- return (ISC_FALSE);
-
- dns_rdataset_init(&nsset);
- result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ns,
- 0, 0, &nsset, NULL);
- if (dns_rdataset_isassociated(&nsset)) {
- if (ttlp != NULL)
- *ttlp = nsset.ttl;
- dns_rdataset_disassociate(&nsset);
- }
-
- return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-/*
- * Signs all records at a name. This mostly just signs each set individually,
- * but also adds the RRSIG bit to any NSECs generated earlier, deals with
- * parent/child KEY signatures, and handles other exceptional cases.
- */
-static void
-signname(dns_dbnode_t *node, dns_name_t *name) {
- isc_result_t result;
- dns_rdataset_t rdataset;
- dns_rdatasetiter_t *rdsiter;
- isc_boolean_t isdelegation = ISC_FALSE;
- isc_boolean_t hasds = ISC_FALSE;
- isc_boolean_t changed = ISC_FALSE;
- dns_diff_t del, add;
- char namestr[DNS_NAME_FORMATSIZE];
- isc_uint32_t nsttl = 0;
-
- dns_name_format(name, namestr, sizeof(namestr));
-
- /*
- * Determine if this is a delegation point.
- */
- if (delegation(name, node, &nsttl))
- isdelegation = ISC_TRUE;
-
- /*
- * If this is a delegation point, look for a DS set.
- */
- if (isdelegation) {
- dns_rdataset_t dsset;
- dns_rdataset_t sigdsset;
-
- dns_rdataset_init(&dsset);
- dns_rdataset_init(&sigdsset);
- result = dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_ds,
- 0, 0, &dsset, &sigdsset);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&dsset);
- if (generateds) {
- result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_ds,
- 0);
- check_result(result, "dns_db_deleterdataset");
- } else
- hasds = ISC_TRUE;
- }
- if (generateds) {
- result = loadds(name, nsttl, &dsset);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_addrdataset(gdb, node,
- gversion, 0,
- &dsset, 0, NULL);
- check_result(result, "dns_db_addrdataset");
- hasds = ISC_TRUE;
- dns_rdataset_disassociate(&dsset);
- if (dns_rdataset_isassociated(&sigdsset))
- dns_rdataset_disassociate(&sigdsset);
- } else if (dns_rdataset_isassociated(&sigdsset)) {
- result = dns_db_deleterdataset(gdb, node,
- gversion,
- dns_rdatatype_rrsig,
- dns_rdatatype_ds);
- check_result(result, "dns_db_deleterdataset");
- dns_rdataset_disassociate(&sigdsset);
- }
- } else if (dns_rdataset_isassociated(&sigdsset))
- dns_rdataset_disassociate(&sigdsset);
- }
-
- /*
- * Make sure that NSEC bits are appropriately set.
- */
- dns_rdataset_init(&rdataset);
- RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0, &rdataset,
- NULL) == ISC_R_SUCCESS);
- if (!nokeys)
- changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1);
- if (changed) {
- dns_rdataset_disassociate(&rdataset);
- RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0,
- &rdataset,
- NULL) == ISC_R_SUCCESS);
- }
- if (hasds)
- (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1);
- else
- (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0);
- dns_rdataset_disassociate(&rdataset);
-
- /*
- * Now iterate through the rdatasets.
- */
- dns_diff_init(mctx, &del);
- dns_diff_init(mctx, &add);
- rdsiter = NULL;
- result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
- check_result(result, "dns_db_allrdatasets()");
- result = dns_rdatasetiter_first(rdsiter);
- while (result == ISC_R_SUCCESS) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
-
- /* If this is a RRSIG set, skip it. */
- if (rdataset.type == dns_rdatatype_rrsig)
- goto skip;
-
- /*
- * If this name is a delegation point, skip all records
- * except NSEC and DS sets. Otherwise check that there
- * isn't a DS record.
- */
- if (isdelegation) {
- if (rdataset.type != dns_rdatatype_nsec &&
- rdataset.type != dns_rdatatype_ds)
- goto skip;
- } else if (rdataset.type == dns_rdatatype_ds) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namebuf, sizeof(namebuf));
- fatal("'%s': found DS RRset without NS RRset\n",
- namebuf);
- }
-
- signset(&del, &add, node, name, &rdataset);
-
- skip:
- dns_rdataset_disassociate(&rdataset);
- result = dns_rdatasetiter_next(rdsiter);
- }
- if (result != ISC_R_NOMORE)
- fatal("rdataset iteration for name '%s' failed: %s",
- namestr, isc_result_totext(result));
-
- dns_rdatasetiter_destroy(&rdsiter);
-
- result = dns_diff_applysilently(&del, gdb, gversion);
- if (result != ISC_R_SUCCESS)
- fatal("failed to delete SIGs at node '%s': %s",
- namestr, isc_result_totext(result));
-
- result = dns_diff_applysilently(&add, gdb, gversion);
- if (result != ISC_R_SUCCESS)
- fatal("failed to add SIGs at node '%s': %s",
- namestr, isc_result_totext(result));
-
- dns_diff_clear(&del);
- dns_diff_clear(&add);
-}
-
-static inline isc_boolean_t
-active_node(dns_dbnode_t *node) {
- dns_rdatasetiter_t *rdsiter = NULL;
- dns_rdatasetiter_t *rdsiter2 = NULL;
- isc_boolean_t active = ISC_FALSE;
- isc_result_t result;
- dns_rdataset_t rdataset;
- dns_rdatatype_t type;
- dns_rdatatype_t covers;
- isc_boolean_t found;
-
- dns_rdataset_init(&rdataset);
- result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
- check_result(result, "dns_db_allrdatasets()");
- result = dns_rdatasetiter_first(rdsiter);
- while (result == ISC_R_SUCCESS) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- if (rdataset.type != dns_rdatatype_nsec &&
- rdataset.type != dns_rdatatype_rrsig)
- active = ISC_TRUE;
- dns_rdataset_disassociate(&rdataset);
- if (!active)
- result = dns_rdatasetiter_next(rdsiter);
- else
- result = ISC_R_NOMORE;
- }
- if (result != ISC_R_NOMORE)
- fatal("rdataset iteration failed: %s",
- isc_result_totext(result));
-
- if (!active) {
- /*
- * The node is empty of everything but NSEC / RRSIG records.
- */
- for (result = dns_rdatasetiter_first(rdsiter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter)) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- result = dns_db_deleterdataset(gdb, node, gversion,
- rdataset.type,
- rdataset.covers);
- check_result(result, "dns_db_deleterdataset()");
- dns_rdataset_disassociate(&rdataset);
- }
- if (result != ISC_R_NOMORE)
- fatal("rdataset iteration failed: %s",
- isc_result_totext(result));
- } else {
- /*
- * Delete RRSIGs for types that no longer exist.
- */
- result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter2);
- check_result(result, "dns_db_allrdatasets()");
- for (result = dns_rdatasetiter_first(rdsiter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter)) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- type = rdataset.type;
- covers = rdataset.covers;
- dns_rdataset_disassociate(&rdataset);
- if (type != dns_rdatatype_rrsig)
- continue;
- found = ISC_FALSE;
- for (result = dns_rdatasetiter_first(rdsiter2);
- !found && result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter2)) {
- dns_rdatasetiter_current(rdsiter2, &rdataset);
- if (rdataset.type == covers)
- found = ISC_TRUE;
- dns_rdataset_disassociate(&rdataset);
- }
- if (!found) {
- if (result != ISC_R_NOMORE)
- fatal("rdataset iteration failed: %s",
- isc_result_totext(result));
- result = dns_db_deleterdataset(gdb, node,
- gversion, type,
- covers);
- check_result(result,
- "dns_db_deleterdataset(rrsig)");
- } else if (result != ISC_R_NOMORE &&
- result != ISC_R_SUCCESS)
- fatal("rdataset iteration failed: %s",
- isc_result_totext(result));
- }
- if (result != ISC_R_NOMORE)
- fatal("rdataset iteration failed: %s",
- isc_result_totext(result));
- dns_rdatasetiter_destroy(&rdsiter2);
- }
- dns_rdatasetiter_destroy(&rdsiter);
-
- return (active);
-}
-
-/*
- * Extracts the TTL from the SOA.
- */
-static dns_ttl_t
-soattl(void) {
- dns_rdataset_t soaset;
- dns_fixedname_t fname;
- dns_name_t *name;
- isc_result_t result;
- dns_ttl_t ttl;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
-
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- dns_rdataset_init(&soaset);
- result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa,
- 0, 0, NULL, name, &soaset, NULL);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find an SOA at the zone apex: %s",
- isc_result_totext(result));
-
- result = dns_rdataset_first(&soaset);
- check_result(result, "dns_rdataset_first");
- dns_rdataset_current(&soaset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- check_result(result, "dns_rdata_tostruct");
- ttl = soa.minimum;
- dns_rdataset_disassociate(&soaset);
- return (ttl);
-}
-
-/*
- * Delete any RRSIG records at a node.
- */
-static void
-cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
- dns_rdatasetiter_t *rdsiter = NULL;
- dns_rdataset_t set;
- isc_result_t result, dresult;
-
- dns_rdataset_init(&set);
- result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
- check_result(result, "dns_db_allrdatasets");
- result = dns_rdatasetiter_first(rdsiter);
- while (result == ISC_R_SUCCESS) {
- isc_boolean_t destroy = ISC_FALSE;
- dns_rdatatype_t covers = 0;
- dns_rdatasetiter_current(rdsiter, &set);
- if (set.type == dns_rdatatype_rrsig) {
- covers = set.covers;
- destroy = ISC_TRUE;
- }
- dns_rdataset_disassociate(&set);
- result = dns_rdatasetiter_next(rdsiter);
- if (destroy) {
- dresult = dns_db_deleterdataset(db, node, version,
- dns_rdatatype_rrsig,
- covers);
- check_result(dresult, "dns_db_deleterdataset");
- }
- }
- if (result != ISC_R_NOMORE)
- fatal("rdataset iteration failed: %s",
- isc_result_totext(result));
- dns_rdatasetiter_destroy(&rdsiter);
-}
-
-/*
- * Set up the iterator and global state before starting the tasks.
- */
-static void
-presign(void) {
- isc_result_t result;
-
- gdbiter = NULL;
- result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter);
- check_result(result, "dns_db_createiterator()");
-
- result = dns_dbiterator_first(gdbiter);
- check_result(result, "dns_dbiterator_first()");
-}
-
-/*
- * Clean up the iterator and global state after the tasks complete.
- */
-static void
-postsign(void) {
- dns_dbiterator_destroy(&gdbiter);
-}
-
-/*
- * Assigns a node to a worker thread. This is protected by the master task's
- * lock.
- */
-static void
-assignwork(isc_task_t *task, isc_task_t *worker) {
- dns_fixedname_t *fname;
- dns_name_t *name;
- dns_dbnode_t *node;
- sevent_t *sevent;
- dns_rdataset_t nsec;
- isc_boolean_t found;
- isc_result_t result;
-
- if (shuttingdown)
- return;
-
- if (finished) {
- if (assigned == completed) {
- isc_task_detach(&task);
- isc_app_shutdown();
- }
- return;
- }
-
- fname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
- if (fname == NULL)
- fatal("out of memory");
- dns_fixedname_init(fname);
- name = dns_fixedname_name(fname);
- node = NULL;
- found = ISC_FALSE;
- LOCK(&namelock);
- while (!found) {
- result = dns_dbiterator_current(gdbiter, &node, name);
- if (result != ISC_R_SUCCESS)
- fatal("failure iterating database: %s",
- isc_result_totext(result));
- dns_rdataset_init(&nsec);
- result = dns_db_findrdataset(gdb, node, gversion,
- dns_rdatatype_nsec, 0, 0,
- &nsec, NULL);
- if (result == ISC_R_SUCCESS)
- found = ISC_TRUE;
- else
- dumpnode(name, node);
- if (dns_rdataset_isassociated(&nsec))
- dns_rdataset_disassociate(&nsec);
- if (!found)
- dns_db_detachnode(gdb, &node);
-
- result = dns_dbiterator_next(gdbiter);
- if (result == ISC_R_NOMORE) {
- finished = ISC_TRUE;
- break;
- } else if (result != ISC_R_SUCCESS)
- fatal("failure iterating database: %s",
- isc_result_totext(result));
- }
- UNLOCK(&namelock);
- if (!found) {
- if (assigned == completed) {
- isc_task_detach(&task);
- isc_app_shutdown();
- }
- isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
- return;
- }
- sevent = (sevent_t *)
- isc_event_allocate(mctx, task, SIGNER_EVENT_WORK,
- sign, NULL, sizeof(sevent_t));
- if (sevent == NULL)
- fatal("failed to allocate event\n");
-
- sevent->node = node;
- sevent->fname = fname;
- isc_task_send(worker, ISC_EVENT_PTR(&sevent));
- assigned++;
-}
-
-/*
- * Start a worker task
- */
-static void
-startworker(isc_task_t *task, isc_event_t *event) {
- isc_task_t *worker;
-
- worker = (isc_task_t *)event->ev_arg;
- assignwork(task, worker);
- isc_event_free(&event);
-}
-
-/*
- * Write a node to the output file, and restart the worker task.
- */
-static void
-writenode(isc_task_t *task, isc_event_t *event) {
- isc_task_t *worker;
- sevent_t *sevent = (sevent_t *)event;
-
- completed++;
- worker = (isc_task_t *)event->ev_sender;
- dumpnode(dns_fixedname_name(sevent->fname), sevent->node);
- cleannode(gdb, gversion, sevent->node);
- dns_db_detachnode(gdb, &sevent->node);
- isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t));
- assignwork(task, worker);
- isc_event_free(&event);
-}
-
-/*
- * Sign a database node.
- */
-static void
-sign(isc_task_t *task, isc_event_t *event) {
- dns_fixedname_t *fname;
- dns_dbnode_t *node;
- sevent_t *sevent, *wevent;
-
- sevent = (sevent_t *)event;
- node = sevent->node;
- fname = sevent->fname;
- isc_event_free(&event);
-
- signname(node, dns_fixedname_name(fname));
- wevent = (sevent_t *)
- isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE,
- writenode, NULL, sizeof(sevent_t));
- if (wevent == NULL)
- fatal("failed to allocate event\n");
- wevent->node = node;
- wevent->fname = fname;
- isc_task_send(master, ISC_EVENT_PTR(&wevent));
-}
-
-/*
- * Generate NSEC records for the zone.
- */
-static void
-nsecify(void) {
- dns_dbiterator_t *dbiter = NULL;
- dns_dbnode_t *node = NULL, *nextnode = NULL;
- dns_fixedname_t fname, fnextname, fzonecut;
- dns_name_t *name, *nextname, *zonecut;
- isc_boolean_t done = ISC_FALSE;
- isc_result_t result;
-
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- dns_fixedname_init(&fnextname);
- nextname = dns_fixedname_name(&fnextname);
- dns_fixedname_init(&fzonecut);
- zonecut = NULL;
-
- result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter);
- check_result(result, "dns_db_createiterator()");
-
- result = dns_dbiterator_first(dbiter);
- check_result(result, "dns_dbiterator_first()");
-
- while (!done) {
- dns_dbiterator_current(dbiter, &node, name);
- if (delegation(name, node, NULL)) {
- zonecut = dns_fixedname_name(&fzonecut);
- dns_name_copy(name, zonecut, NULL);
- }
- result = dns_dbiterator_next(dbiter);
- nextnode = NULL;
- while (result == ISC_R_SUCCESS) {
- isc_boolean_t active = ISC_FALSE;
- result = dns_dbiterator_current(dbiter, &nextnode,
- nextname);
- if (result != ISC_R_SUCCESS)
- break;
- active = active_node(nextnode);
- if (!active) {
- dns_db_detachnode(gdb, &nextnode);
- result = dns_dbiterator_next(dbiter);
- continue;
- }
- if (result != ISC_R_SUCCESS) {
- dns_db_detachnode(gdb, &nextnode);
- break;
- }
- if (!dns_name_issubdomain(nextname, gorigin) ||
- (zonecut != NULL &&
- dns_name_issubdomain(nextname, zonecut)))
- {
- dns_db_detachnode(gdb, &nextnode);
- result = dns_dbiterator_next(dbiter);
- continue;
- }
- dns_db_detachnode(gdb, &nextnode);
- break;
- }
- if (result == ISC_R_NOMORE) {
- dns_name_clone(gorigin, nextname);
- done = ISC_TRUE;
- } else if (result != ISC_R_SUCCESS)
- fatal("iterating through the database failed: %s",
- isc_result_totext(result));
- result = dns_nsec_build(gdb, gversion, node, nextname,
- zonettl);
- check_result(result, "dns_nsec_build()");
- dns_db_detachnode(gdb, &node);
- }
-
- dns_dbiterator_destroy(&dbiter);
-}
-
-/*
- * Load the zone file from disk
- */
-static void
-loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
- isc_buffer_t b;
- int len;
- dns_fixedname_t fname;
- dns_name_t *name;
- isc_result_t result;
-
- len = strlen(origin);
- isc_buffer_init(&b, origin, len);
- isc_buffer_add(&b, len);
-
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- fatal("failed converting name '%s' to dns format: %s",
- origin, isc_result_totext(result));
-
- result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
- rdclass, 0, NULL, db);
- check_result(result, "dns_db_create()");
-
- result = dns_db_load(*db, file);
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
- fatal("failed loading zone from '%s': %s",
- file, isc_result_totext(result));
-}
-
-/*
- * Finds all public zone keys in the zone, and attempts to load the
- * private keys from disk.
- */
-static void
-loadzonekeys(dns_db_t *db) {
- dns_dbnode_t *node;
- dns_dbversion_t *currentversion;
- isc_result_t result;
- dst_key_t *keys[20];
- unsigned int nkeys, i;
-
- currentversion = NULL;
- dns_db_currentversion(db, &currentversion);
-
- node = NULL;
- result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find the zone's origin: %s",
- isc_result_totext(result));
-
- result = dns_dnssec_findzonekeys(db, currentversion, node, gorigin,
- mctx, 20, keys, &nkeys);
- if (result == ISC_R_NOTFOUND)
- result = ISC_R_SUCCESS;
- if (result != ISC_R_SUCCESS)
- fatal("failed to find the zone keys: %s",
- isc_result_totext(result));
-
- for (i = 0; i < nkeys; i++) {
- signer_key_t *key;
-
- key = newkeystruct(keys[i], ISC_TRUE);
- ISC_LIST_APPEND(keylist, key, link);
- }
- dns_db_detachnode(db, &node);
- dns_db_closeversion(db, &currentversion, ISC_FALSE);
-}
-
-/*
- * Finds all public zone keys in the zone.
- */
-static void
-loadzonepubkeys(dns_db_t *db) {
- dns_dbversion_t *currentversion = NULL;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dst_key_t *pubkey;
- signer_key_t *key;
- isc_result_t result;
-
- dns_db_currentversion(db, &currentversion);
-
- result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find the zone's origin: %s",
- isc_result_totext(result));
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, currentversion,
- dns_rdatatype_dnskey, 0, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find keys at the zone apex: %s",
- isc_result_totext(result));
- result = dns_rdataset_first(&rdataset);
- check_result(result, "dns_rdataset_first");
- while (result == ISC_R_SUCCESS) {
- pubkey = NULL;
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx,
- &pubkey);
- if (result != ISC_R_SUCCESS)
- goto next;
- if (!dst_key_iszonekey(pubkey)) {
- dst_key_free(&pubkey);
- goto next;
- }
-
- key = newkeystruct(pubkey, ISC_FALSE);
- ISC_LIST_APPEND(keylist, key, link);
- next:
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- dns_db_closeversion(db, &currentversion, ISC_FALSE);
-}
-
-static void
-warnifallksk(dns_db_t *db) {
- dns_dbversion_t *currentversion = NULL;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- dns_rdata_key_t key;
- isc_boolean_t have_non_ksk = ISC_FALSE;
-
- dns_db_currentversion(db, &currentversion);
-
- result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find the zone's origin: %s",
- isc_result_totext(result));
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, currentversion,
- dns_rdatatype_dnskey, 0, 0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- fatal("failed to find keys at the zone apex: %s",
- isc_result_totext(result));
- result = dns_rdataset_first(&rdataset);
- check_result(result, "dns_rdataset_first");
- while (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &key, NULL);
- check_result(result, "dns_rdata_tostruct");
- if ((key.flags & DNS_KEYFLAG_KSK) == 0) {
- have_non_ksk = ISC_TRUE;
- result = ISC_R_NOMORE;
- } else
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- dns_db_closeversion(db, &currentversion, ISC_FALSE);
- if (!have_non_ksk && !ignoreksk)
- fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
- "Supply non-KSK dnskey or use '-z'.\n",
- program);
-}
-
-static void
-writeset(const char *prefix, dns_rdatatype_t type) {
- char *filename;
- char namestr[DNS_NAME_FORMATSIZE];
- dns_db_t *db = NULL;
- dns_dbversion_t *version = NULL;
- dns_diff_t diff;
- dns_difftuple_t *tuple = NULL;
- dns_fixedname_t fixed;
- dns_name_t *name;
- dns_rdata_t rdata, ds;
- isc_boolean_t have_ksk = ISC_FALSE;
- isc_boolean_t have_non_ksk = ISC_FALSE;
- isc_buffer_t b;
- isc_buffer_t namebuf;
- isc_region_t r;
- isc_result_t result;
- signer_key_t *key;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
- unsigned char keybuf[DST_KEY_MAXSIZE];
- unsigned int filenamelen;
- const dns_master_style_t *style =
- (type == dns_rdatatype_dnskey) ? masterstyle : dsstyle;
-
- isc_buffer_init(&namebuf, namestr, sizeof(namestr));
- result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf);
- check_result(result, "dns_name_tofilenametext");
- isc_buffer_putuint8(&namebuf, 0);
- filenamelen = strlen(prefix) + strlen(namestr);
- if (directory != NULL)
- filenamelen += strlen(directory) + 1;
- filename = isc_mem_get(mctx, filenamelen + 1);
- if (filename == NULL)
- fatal("out of memory");
- if (directory != NULL)
- sprintf(filename, "%s/", directory);
- else
- filename[0] = 0;
- strcat(filename, prefix);
- strcat(filename, namestr);
-
- dns_diff_init(mctx, &diff);
-
- for (key = ISC_LIST_HEAD(keylist);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- if (!key->isksk) {
- have_non_ksk = ISC_TRUE;
- break;
- }
-
- for (key = ISC_LIST_HEAD(keylist);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- if (key->isksk) {
- have_ksk = ISC_TRUE;
- break;
- }
-
- if (type == dns_rdatatype_dlv) {
- dns_name_t tname;
- unsigned int labels;
-
- dns_name_init(&tname, NULL);
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- labels = dns_name_countlabels(gorigin);
- dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
- result = dns_name_concatenate(&tname, dlv, name, NULL);
- check_result(result, "dns_name_concatenate");
- } else
- name = gorigin;
-
- for (key = ISC_LIST_HEAD(keylist);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- {
- if (have_ksk && have_non_ksk && !key->isksk)
- continue;
- dns_rdata_init(&rdata);
- dns_rdata_init(&ds);
- isc_buffer_init(&b, keybuf, sizeof(keybuf));
- result = dst_key_todns(key->key, &b);
- check_result(result, "dst_key_todns");
- isc_buffer_usedregion(&b, &r);
- dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
- if (type != dns_rdatatype_dnskey) {
- result = dns_ds_buildrdata(gorigin, &rdata,
- DNS_DSDIGEST_SHA1,
- dsbuf, &ds);
- check_result(result, "dns_ds_buildrdata");
- if (type == dns_rdatatype_dlv)
- ds.type = dns_rdatatype_dlv;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- name, 0, &ds, &tuple);
- } else
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
- gorigin, zonettl,
- &rdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(&diff, &tuple);
- }
-
- result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
- gclass, 0, NULL, &db);
- check_result(result, "dns_db_create");
-
- result = dns_db_newversion(db, &version);
- check_result(result, "dns_db_newversion");
-
- result = dns_diff_apply(&diff, db, version);
- check_result(result, "dns_diff_apply");
- dns_diff_clear(&diff);
-
- result = dns_master_dump(mctx, db, version, style, filename);
- check_result(result, "dns_master_dump");
-
- isc_mem_put(mctx, filename, filenamelen + 1);
-
- dns_db_closeversion(db, &version, ISC_FALSE);
- dns_db_detach(&db);
-}
-
-static void
-print_time(FILE *fp) {
- time_t currenttime;
-
- currenttime = time(NULL);
- fprintf(fp, "; File written on %s", ctime(&currenttime));
-}
-
-static void
-print_version(FILE *fp) {
- fprintf(fp, "; dnssec_signzone version " VERSION "\n");
-}
-
-static void
-usage(void) {
- fprintf(stderr, "Usage:\n");
- fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
-
- fprintf(stderr, "\n");
-
- fprintf(stderr, "Version: %s\n", VERSION);
-
- fprintf(stderr, "Options: (default value in parenthesis) \n");
- fprintf(stderr, "\t-c class (IN)\n");
- fprintf(stderr, "\t-d directory\n");
- fprintf(stderr, "\t\tdirectory to find keyset files (.)\n");
- fprintf(stderr, "\t-g:\t");
- fprintf(stderr, "generate DS records from keyset files\n");
- fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n");
- fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
- fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
- fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
- "(now + 30 days)\n");
- fprintf(stderr, "\t-i interval:\n");
- fprintf(stderr, "\t\tcycle interval - resign "
- "if < interval from end ( (end-start)/4 )\n");
- fprintf(stderr, "\t-v debuglevel (0)\n");
- fprintf(stderr, "\t-o origin:\n");
- fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
- fprintf(stderr, "\t-f outfile:\n");
- fprintf(stderr, "\t\tfile the signed zone is written in "
- "(zonefile + .signed)\n");
- fprintf(stderr, "\t-r randomdev:\n");
- fprintf(stderr, "\t\ta file containing random data\n");
- fprintf(stderr, "\t-a:\t");
- fprintf(stderr, "verify generated signatures\n");
- fprintf(stderr, "\t-p:\t");
- fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
- fprintf(stderr, "\t-t:\t");
- fprintf(stderr, "print statistics\n");
- fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
- fprintf(stderr, "\t-k key_signing_key\n");
- fprintf(stderr, "\t-l lookasidezone\n");
- fprintf(stderr, "\t-z:\t");
- fprintf(stderr, "ignore KSK flag in DNSKEYs");
-
- fprintf(stderr, "\n");
-
- fprintf(stderr, "Signing Keys: ");
- fprintf(stderr, "(default: all zone keys that have private keys)\n");
- fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
- exit(0);
-}
-
-static void
-removetempfile(void) {
- if (removefile)
- isc_file_remove(tempfile);
-}
-
-static void
-print_stats(isc_time_t *timer_start, isc_time_t *timer_finish) {
- isc_uint64_t runtime_us; /* Runtime in microseconds */
- isc_uint64_t runtime_ms; /* Runtime in milliseconds */
- isc_uint64_t sig_ms; /* Signatures per millisecond */
-
- runtime_us = isc_time_microdiff(timer_finish, timer_start);
-
- printf("Signatures generated: %10d\n", nsigned);
- printf("Signatures retained: %10d\n", nretained);
- printf("Signatures dropped: %10d\n", ndropped);
- printf("Signatures successfully verified: %10d\n", nverified);
- printf("Signatures unsuccessfully verified: %10d\n", nverifyfailed);
- runtime_ms = runtime_us / 1000;
- printf("Runtime in seconds: %7u.%03u\n",
- (unsigned int) (runtime_ms / 1000),
- (unsigned int) (runtime_ms % 1000));
- if (runtime_us > 0) {
- sig_ms = ((isc_uint64_t)nsigned * 1000000000) / runtime_us;
- printf("Signatures per second: %7u.%03u\n",
- (unsigned int) sig_ms / 1000,
- (unsigned int) sig_ms % 1000);
- }
-}
-
-int
-main(int argc, char *argv[]) {
- int i, ch;
- char *startstr = NULL, *endstr = NULL, *classname = NULL;
- char *origin = NULL, *file = NULL, *output = NULL;
- char *dskeyfile[MAXDSKEYS];
- int ndskeys = 0;
- char *endp;
- isc_time_t timer_start, timer_finish;
- signer_key_t *key;
- isc_result_t result;
- isc_log_t *log = NULL;
- isc_boolean_t pseudorandom = ISC_FALSE;
- unsigned int eflags;
- isc_boolean_t free_output = ISC_FALSE;
- int tempfilelen;
- dns_rdataclass_t rdclass;
- dns_db_t *udb = NULL;
- isc_task_t **tasks = NULL;
- isc_buffer_t b;
- int len;
-
- masterstyle = &dns_master_style_explicitttl;
-
- check_result(isc_app_start(), "isc_app_start");
-
- result = isc_mem_create(0, 0, &mctx);
- if (result != ISC_R_SUCCESS)
- fatal("out of memory");
-
- dns_result_register();
-
- while ((ch = isc_commandline_parse(argc, argv,
- "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
- != -1) {
- switch (ch) {
- case 'a':
- tryverify = ISC_TRUE;
- break;
-
- case 'c':
- classname = isc_commandline_argument;
- break;
-
- case 'd':
- directory = isc_commandline_argument;
- break;
-
- case 'e':
- endstr = isc_commandline_argument;
- break;
-
- case 'f':
- output = isc_commandline_argument;
- break;
-
- case 'g':
- generateds = ISC_TRUE;
- break;
-
- case 'h':
- default:
- usage();
- break;
-
- case 'i':
- endp = NULL;
- cycle = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0' || cycle < 0)
- fatal("cycle period must be numeric and "
- "positive");
- break;
-
- case 'l':
- dns_fixedname_init(&dlv_fixed);
- len = strlen(isc_commandline_argument);
- isc_buffer_init(&b, isc_commandline_argument, len);
- isc_buffer_add(&b, len);
-
- dns_fixedname_init(&dlv_fixed);
- dlv = dns_fixedname_name(&dlv_fixed);
- result = dns_name_fromtext(dlv, &b, dns_rootname,
- ISC_FALSE, NULL);
- check_result(result, "dns_name_fromtext(dlv)");
- break;
-
- case 'k':
- if (ndskeys == MAXDSKEYS)
- fatal("too many key-signing keys specified");
- dskeyfile[ndskeys++] = isc_commandline_argument;
- break;
-
- case 'n':
- endp = NULL;
- ntasks = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0' || ntasks > ISC_INT32_MAX)
- fatal("number of cpus must be numeric");
- break;
-
- case 'o':
- origin = isc_commandline_argument;
- break;
-
- case 'p':
- pseudorandom = ISC_TRUE;
- break;
-
- case 'r':
- setup_entropy(mctx, isc_commandline_argument, &ectx);
- break;
-
- case 's':
- startstr = isc_commandline_argument;
- break;
-
- case 'S':
- /* This is intentionally undocumented */
- /* -S: simple output style */
- masterstyle = &dns_master_style_simple;
- break;
-
- case 't':
- printstats = ISC_TRUE;
- break;
-
- case 'v':
- endp = NULL;
- verbose = strtol(isc_commandline_argument, &endp, 0);
- if (*endp != '\0')
- fatal("verbose level must be numeric");
- break;
-
- case 'z':
- ignoreksk = ISC_TRUE;
- break;
- }
- }
-
- if (ectx == NULL)
- setup_entropy(mctx, NULL, &ectx);
- eflags = ISC_ENTROPY_BLOCKING;
- if (!pseudorandom)
- eflags |= ISC_ENTROPY_GOODONLY;
-
- result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS)
- fatal("could not create hash context");
-
- result = dst_lib_init(mctx, ectx, eflags);
- if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst");
-
- isc_stdtime_get(&now);
-
- if (startstr != NULL)
- starttime = strtotime(startstr, now, now);
- else
- starttime = now - 3600; /* Allow for some clock skew. */
-
- if (endstr != NULL)
- endtime = strtotime(endstr, now, starttime);
- else
- endtime = starttime + (30 * 24 * 60 * 60);
-
- if (cycle == -1)
- cycle = (endtime - starttime) / 4;
-
- if (ntasks == 0)
- ntasks = isc_os_ncpus();
- vbprintf(4, "using %d cpus\n", ntasks);
-
- rdclass = strtoclass(classname);
-
- setup_logging(verbose, mctx, &log);
-
- argc -= isc_commandline_index;
- argv += isc_commandline_index;
-
- if (argc < 1)
- usage();
-
- file = argv[0];
-
- argc -= 1;
- argv += 1;
-
- if (origin == NULL)
- origin = file;
-
- if (output == NULL) {
- free_output = ISC_TRUE;
- output = isc_mem_allocate(mctx,
- strlen(file) + strlen(".signed") + 1);
- if (output == NULL)
- fatal("out of memory");
- sprintf(output, "%s.signed", file);
- }
-
- result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL,
- 0, 24, 0, 0, 0, 8, mctx);
- check_result(result, "dns_master_stylecreate");
-
-
- gdb = NULL;
- TIME_NOW(&timer_start);
- loadzone(file, origin, rdclass, &gdb);
- gorigin = dns_db_origin(gdb);
- gclass = dns_db_class(gdb);
- zonettl = soattl();
-
- ISC_LIST_INIT(keylist);
-
- if (argc == 0) {
- loadzonekeys(gdb);
- } else {
- for (i = 0; i < argc; i++) {
- dst_key_t *newkey = NULL;
-
- result = dst_key_fromnamedfile(argv[i],
- DST_TYPE_PUBLIC |
- DST_TYPE_PRIVATE,
- mctx, &newkey);
- if (result != ISC_R_SUCCESS)
- fatal("cannot load dnskey %s: %s", argv[i],
- isc_result_totext(result));
-
- key = ISC_LIST_HEAD(keylist);
- while (key != NULL) {
- dst_key_t *dkey = key->key;
- if (dst_key_id(dkey) == dst_key_id(newkey) &&
- dst_key_alg(dkey) == dst_key_alg(newkey) &&
- dns_name_equal(dst_key_name(dkey),
- dst_key_name(newkey)))
- {
- if (!dst_key_isprivate(dkey))
- fatal("cannot sign zone with "
- "non-private dnskey %s",
- argv[i]);
- break;
- }
- key = ISC_LIST_NEXT(key, link);
- }
- if (key == NULL) {
- key = newkeystruct(newkey, ISC_TRUE);
- ISC_LIST_APPEND(keylist, key, link);
- } else
- dst_key_free(&newkey);
- }
-
- loadzonepubkeys(gdb);
- }
-
- for (i = 0; i < ndskeys; i++) {
- dst_key_t *newkey = NULL;
-
- result = dst_key_fromnamedfile(dskeyfile[i],
- DST_TYPE_PUBLIC |
- DST_TYPE_PRIVATE,
- mctx, &newkey);
- if (result != ISC_R_SUCCESS)
- fatal("cannot load dnskey %s: %s", dskeyfile[i],
- isc_result_totext(result));
-
- key = ISC_LIST_HEAD(keylist);
- while (key != NULL) {
- dst_key_t *dkey = key->key;
- if (dst_key_id(dkey) == dst_key_id(newkey) &&
- dst_key_alg(dkey) == dst_key_alg(newkey) &&
- dns_name_equal(dst_key_name(dkey),
- dst_key_name(newkey)))
- {
- /* Override key flags. */
- key->issigningkey = ISC_TRUE;
- key->isksk = ISC_TRUE;
- key->isdsk = ISC_FALSE;
- dst_key_free(&dkey);
- key->key = newkey;
- break;
- }
- key = ISC_LIST_NEXT(key, link);
- }
- if (key == NULL) {
- /* Override dnskey flags. */
- key = newkeystruct(newkey, ISC_TRUE);
- key->isksk = ISC_TRUE;
- key->isdsk = ISC_FALSE;
- ISC_LIST_APPEND(keylist, key, link);
- }
- }
-
- if (ISC_LIST_EMPTY(keylist)) {
- fprintf(stderr, "%s: warning: No keys specified or found\n",
- program);
- nokeys = ISC_TRUE;
- }
-
- warnifallksk(gdb);
-
- gversion = NULL;
- result = dns_db_newversion(gdb, &gversion);
- check_result(result, "dns_db_newversion()");
-
- nsecify();
-
- if (!nokeys) {
- writeset("keyset-", dns_rdatatype_dnskey);
- writeset("dsset-", dns_rdatatype_ds);
- if (dlv != NULL) {
- writeset("dlvset-", dns_rdatatype_dlv);
- }
- }
-
- tempfilelen = strlen(output) + 20;
- tempfile = isc_mem_get(mctx, tempfilelen);
- if (tempfile == NULL)
- fatal("out of memory");
-
- result = isc_file_mktemplate(output, tempfile, tempfilelen);
- check_result(result, "isc_file_mktemplate");
-
- fp = NULL;
- result = isc_file_openunique(tempfile, &fp);
- if (result != ISC_R_SUCCESS)
- fatal("failed to open temporary output file: %s",
- isc_result_totext(result));
- removefile = ISC_TRUE;
- setfatalcallback(&removetempfile);
-
- print_time(fp);
- print_version(fp);
-
- result = isc_taskmgr_create(mctx, ntasks, 0, &taskmgr);
- if (result != ISC_R_SUCCESS)
- fatal("failed to create task manager: %s",
- isc_result_totext(result));
-
- master = NULL;
- result = isc_task_create(taskmgr, 0, &master);
- if (result != ISC_R_SUCCESS)
- fatal("failed to create task: %s", isc_result_totext(result));
-
- tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
- if (tasks == NULL)
- fatal("out of memory");
- for (i = 0; i < (int)ntasks; i++) {
- tasks[i] = NULL;
- result = isc_task_create(taskmgr, 0, &tasks[i]);
- if (result != ISC_R_SUCCESS)
- fatal("failed to create task: %s",
- isc_result_totext(result));
- result = isc_app_onrun(mctx, master, startworker, tasks[i]);
- if (result != ISC_R_SUCCESS)
- fatal("failed to start task: %s",
- isc_result_totext(result));
- }
-
- RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS);
- if (printstats)
- RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS);
-
- presign();
- (void)isc_app_run();
- if (!finished)
- fatal("process aborted by user");
- shuttingdown = ISC_TRUE;
- for (i = 0; i < (int)ntasks; i++)
- isc_task_detach(&tasks[i]);
- isc_taskmgr_destroy(&taskmgr);
- isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
- postsign();
-
- if (udb != NULL) {
- dumpdb(udb);
- dns_db_detach(&udb);
- }
-
- result = isc_stdio_close(fp);
- check_result(result, "isc_stdio_close");
- removefile = ISC_FALSE;
-
- result = isc_file_rename(tempfile, output);
- if (result != ISC_R_SUCCESS)
- fatal("failed to rename temp file to %s: %s\n",
- output, isc_result_totext(result));
-
- DESTROYLOCK(&namelock);
- if (printstats)
- DESTROYLOCK(&statslock);
-
- printf("%s\n", output);
-
- dns_db_closeversion(gdb, &gversion, ISC_FALSE);
- dns_db_detach(&gdb);
-
- while (!ISC_LIST_EMPTY(keylist)) {
- key = ISC_LIST_HEAD(keylist);
- ISC_LIST_UNLINK(keylist, key, link);
- dst_key_free(&key->key);
- isc_mem_put(mctx, key, sizeof(signer_key_t));
- }
-
- isc_mem_put(mctx, tempfile, tempfilelen);
-
- if (free_output)
- isc_mem_free(mctx, output);
-
- dns_master_styledestroy(&dsstyle, mctx);
-
- cleanup_logging(&log);
- dst_lib_destroy();
- isc_hash_destroy();
- cleanup_entropy(&ectx);
- if (verbose > 10)
- isc_mem_stats(mctx, stdout);
- isc_mem_destroy(&mctx);
-
- (void) isc_app_finish();
-
- if (printstats) {
- TIME_NOW(&timer_finish);
- print_stats(&timer_start, &timer_finish);
- }
-
- return (0);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
deleted file mode 100644
index 35f35cc7339d..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
+++ /dev/null
@@ -1,378 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.11 2005/06/24 00:18:15 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>dnssec-signzone</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>dnssec-signzone</application></refname>
- <refpurpose>DNSSEC zone signing tool</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>dnssec-signzone</command>
- <arg><option>-a</option></arg>
- <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
- <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
- <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
- <arg><option>-g</option></arg>
- <arg><option>-h</option></arg>
- <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
- <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
- <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
- <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
- <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
- <arg><option>-p</option></arg>
- <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
- <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
- <arg><option>-t</option></arg>
- <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
- <arg><option>-z</option></arg>
- <arg choice="req">zonefile</arg>
- <arg rep="repeat">key</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>dnssec-signzone</command> signs a zone. It generates
- NSEC and RRSIG records and produces a signed version of the
- zone. The security status of delegations from the signed zone
- (that is, whether the child zones are secure or not) is
- determined by the presence or absence of a
- <filename>keyset</filename> file for each child zone.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-a</term>
- <listitem>
- <para>
- Verify all generated signatures.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-c <replaceable class="parameter">class</replaceable></term>
- <listitem>
- <para>
- Specifies the DNS class of the zone.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-k <replaceable class="parameter">key</replaceable></term>
- <listitem>
- <para>
- Treat specified key as a key signing key ignoring any
- key flags. This option may be specified multiple times.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-l <replaceable class="parameter">domain</replaceable></term>
- <listitem>
- <para>
- Generate a DLV set in addition to the key (DNSKEY) and DS sets.
- The domain is appended to the name of the records.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-d <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- Look for <filename>keyset</filename> files in
- <option>directory</option> as the directory
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-g</term>
- <listitem>
- <para>
- Generate DS records for child zones from keyset files.
- Existing DS records will be removed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s <replaceable class="parameter">start-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated RRSIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <option>start-time</option> is specified, the current
- time minus 1 hour (to allow for clock skew) is used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-e <replaceable class="parameter">end-time</replaceable></term>
- <listitem>
- <para>
- Specify the date and time when the generated RRSIG records
- expire. As with <option>start-time</option>, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <option>end-time</option> is
- specified, 30 days from the start time is used as a default.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-f <replaceable class="parameter">output-file</replaceable></term>
- <listitem>
- <para>
- The name of the output file containing the signed zone. The
- default is to append <filename>.signed</filename> to the
- input file.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-h</term>
- <listitem>
- <para>
- Prints a short summary of the options and arguments to
- <command>dnssec-signzone</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-i <replaceable class="parameter">interval</replaceable></term>
- <listitem>
- <para>
- When a previously signed zone is passed as input, records
- may be resigned. The <option>interval</option> option
- specifies the cycle interval as an offset from the current
- time (in seconds). If a RRSIG record expires after the
- cycle interval, it is retained. Otherwise, it is considered
- to be expiring soon, and it will be replaced.
- </para>
- <para>
- The default cycle interval is one quarter of the difference
- between the signature end and start times. So if neither
- <option>end-time</option> or <option>start-time</option>
- are specified, <command>dnssec-signzone</command> generates
- signatures that are valid for 30 days, with a cycle
- interval of 7.5 days. Therefore, if any existing RRSIG records
- are due to expire in less than 7.5 days, they would be
- replaced.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-n <replaceable class="parameter">ncpus</replaceable></term>
- <listitem>
- <para>
- Specifies the number of threads to use. By default, one
- thread is started for each detected CPU.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-o <replaceable class="parameter">origin</replaceable></term>
- <listitem>
- <para>
- The zone origin. If not specified, the name of the zone file
- is assumed to be the origin.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p</term>
- <listitem>
- <para>
- Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-r <replaceable class="parameter">randomdev</replaceable></term>
- <listitem>
- <para>
- Specifies the source of randomness. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-t</term>
- <listitem>
- <para>
- Print statistics at completion.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v <replaceable class="parameter">level</replaceable></term>
- <listitem>
- <para>
- Sets the debugging level.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-z</term>
- <listitem>
- <para>
- Ignore KSK flag on key when determining what to sign.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>zonefile</term>
- <listitem>
- <para>
- The file containing the zone to be signed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>key</term>
- <listitem>
- <para>
- The keys used to sign the zone. If no keys are specified, the
- default all zone keys that have private key files in the
- current directory.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>EXAMPLE</title>
- <para>
- The following command signs the <userinput>example.com</userinput>
- zone with the DSA key generated in the <command>dnssec-keygen</command>
- man page. The zone's keys must be in the zone. If there are
- <filename>keyset</filename> files associated with child zones,
- they must be in the current directory.
- <userinput>example.com</userinput>, the following command would be
- issued:
- </para>
- <para>
- <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
- </para>
- <para>
- The command would print a string of the form:
- </para>
- <para>
- In this example, <command>dnssec-signzone</command> creates
- the file <filename>db.example.com.signed</filename>. This file
- should be referenced in a zone statement in a
- <filename>named.conf</filename> file.
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>dnssec-keygen</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
- <citetitle>RFC 2535</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html
deleted file mode 100644
index 5cc8c0747cc8..000000000000
--- a/contrib/bind9/bin/dnssec/dnssec-signzone.html
+++ /dev/null
@@ -1,220 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.14 2005/10/13 02:33:46 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>dnssec-signzone</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">dnssec-signzone</span> &#8212; DNSSEC zone signing tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nthreads</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525979"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">dnssec-signzone</strong></span> signs a zone. It generates
- NSEC and RRSIG records and produces a signed version of the
- zone. The security status of delegations from the signed zone
- (that is, whether the child zones are secure or not) is
- determined by the presence or absence of a
- <code class="filename">keyset</code> file for each child zone.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525995"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd><p>
- Verify all generated signatures.
- </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
-<dd><p>
- Specifies the DNS class of the zone.
- </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>key</code></em></span></dt>
-<dd><p>
- Treat specified key as a key signing key ignoring any
- key flags. This option may be specified multiple times.
- </p></dd>
-<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
-<dd><p>
- Generate a DLV set in addition to the key (DNSKEY) and DS sets.
- The domain is appended to the name of the records.
- </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
-<dd><p>
- Look for <code class="filename">keyset</code> files in
- <code class="option">directory</code> as the directory
- </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
- Generate DS records for child zones from keyset files.
- Existing DS records will be removed.
- </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt>
-<dd><p>
- Specify the date and time when the generated RRSIG records
- become valid. This can be either an absolute or relative
- time. An absolute start time is indicated by a number
- in YYYYMMDDHHMMSS notation; 20000530144500 denotes
- 14:45:00 UTC on May 30th, 2000. A relative start time is
- indicated by +N, which is N seconds from the current time.
- If no <code class="option">start-time</code> is specified, the current
- time minus 1 hour (to allow for clock skew) is used.
- </p></dd>
-<dt><span class="term">-e <em class="replaceable"><code>end-time</code></em></span></dt>
-<dd><p>
- Specify the date and time when the generated RRSIG records
- expire. As with <code class="option">start-time</code>, an absolute
- time is indicated in YYYYMMDDHHMMSS notation. A time relative
- to the start time is indicated with +N, which is N seconds from
- the start time. A time relative to the current time is
- indicated with now+N. If no <code class="option">end-time</code> is
- specified, 30 days from the start time is used as a default.
- </p></dd>
-<dt><span class="term">-f <em class="replaceable"><code>output-file</code></em></span></dt>
-<dd><p>
- The name of the output file containing the signed zone. The
- default is to append <code class="filename">.signed</code> to the
- input file.
- </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
- Prints a short summary of the options and arguments to
- <span><strong class="command">dnssec-signzone</strong></span>.
- </p></dd>
-<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
-<dd>
-<p>
- When a previously signed zone is passed as input, records
- may be resigned. The <code class="option">interval</code> option
- specifies the cycle interval as an offset from the current
- time (in seconds). If a RRSIG record expires after the
- cycle interval, it is retained. Otherwise, it is considered
- to be expiring soon, and it will be replaced.
- </p>
-<p>
- The default cycle interval is one quarter of the difference
- between the signature end and start times. So if neither
- <code class="option">end-time</code> or <code class="option">start-time</code>
- are specified, <span><strong class="command">dnssec-signzone</strong></span> generates
- signatures that are valid for 30 days, with a cycle
- interval of 7.5 days. Therefore, if any existing RRSIG records
- are due to expire in less than 7.5 days, they would be
- replaced.
- </p>
-</dd>
-<dt><span class="term">-n <em class="replaceable"><code>ncpus</code></em></span></dt>
-<dd><p>
- Specifies the number of threads to use. By default, one
- thread is started for each detected CPU.
- </p></dd>
-<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
-<dd><p>
- The zone origin. If not specified, the name of the zone file
- is assumed to be the origin.
- </p></dd>
-<dt><span class="term">-p</span></dt>
-<dd><p>
- Use pseudo-random data when signing the zone. This is faster,
- but less secure, than using real random data. This option
- may be useful when signing large zones or when the entropy
- source is limited.
- </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
-<dd><p>
- Specifies the source of randomness. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
- </p></dd>
-<dt><span class="term">-t</span></dt>
-<dd><p>
- Print statistics at completion.
- </p></dd>
-<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
-<dd><p>
- Sets the debugging level.
- </p></dd>
-<dt><span class="term">-z</span></dt>
-<dd><p>
- Ignore KSK flag on key when determining what to sign.
- </p></dd>
-<dt><span class="term">zonefile</span></dt>
-<dd><p>
- The file containing the zone to be signed.
- </p></dd>
-<dt><span class="term">key</span></dt>
-<dd><p>
- The keys used to sign the zone. If no keys are specified, the
- default all zone keys that have private key files in the
- current directory.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526435"></a><h2>EXAMPLE</h2>
-<p>
- The following command signs the <strong class="userinput"><code>example.com</code></strong>
- zone with the DSA key generated in the <span><strong class="command">dnssec-keygen</strong></span>
- man page. The zone's keys must be in the zone. If there are
- <code class="filename">keyset</code> files associated with child zones,
- they must be in the current directory.
- <strong class="userinput"><code>example.com</code></strong>, the following command would be
- issued:
- </p>
-<p>
- <strong class="userinput"><code>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</code></strong>
- </p>
-<p>
- The command would print a string of the form:
- </p>
-<p>
- In this example, <span><strong class="command">dnssec-signzone</strong></span> creates
- the file <code class="filename">db.example.com.signed</code>. This file
- should be referenced in a zone statement in a
- <code class="filename">named.conf</code> file.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526485"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
- <em class="citetitle">RFC 2535</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526512"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c
deleted file mode 100644
index 83ba76d91288..000000000000
--- a/contrib/bind9/bin/dnssec/dnssectool.c
+++ /dev/null
@@ -1,307 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssectool.c,v 1.31.2.3.2.6 2005/07/02 02:42:43 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/list.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-#include <isc/print.h>
-
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/time.h>
-
-#include "dnssectool.h"
-
-extern int verbose;
-extern const char *program;
-
-typedef struct entropysource entropysource_t;
-
-struct entropysource {
- isc_entropysource_t *source;
- isc_mem_t *mctx;
- ISC_LINK(entropysource_t) link;
-};
-
-static ISC_LIST(entropysource_t) sources;
-static fatalcallback_t *fatalcallback = NULL;
-
-void
-fatal(const char *format, ...) {
- va_list args;
-
- fprintf(stderr, "%s: ", program);
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- if (fatalcallback != NULL)
- (*fatalcallback)();
- exit(1);
-}
-
-void
-setfatalcallback(fatalcallback_t *callback) {
- fatalcallback = callback;
-}
-
-void
-check_result(isc_result_t result, const char *message) {
- if (result != ISC_R_SUCCESS)
- fatal("%s: %s", message, isc_result_totext(result));
-}
-
-void
-vbprintf(int level, const char *fmt, ...) {
- va_list ap;
- if (level > verbose)
- return;
- va_start(ap, fmt);
- fprintf(stderr, "%s: ", program);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
-}
-
-void
-type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
- isc_buffer_t b;
- isc_region_t r;
- isc_result_t result;
-
- isc_buffer_init(&b, cp, size - 1);
- result = dns_rdatatype_totext(type, &b);
- check_result(result, "dns_rdatatype_totext()");
- isc_buffer_usedregion(&b, &r);
- r.base[r.length] = 0;
-}
-
-void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
- isc_buffer_t b;
- isc_region_t r;
- isc_result_t result;
-
- isc_buffer_init(&b, cp, size - 1);
- result = dns_secalg_totext(alg, &b);
- check_result(result, "dns_secalg_totext()");
- isc_buffer_usedregion(&b, &r);
- r.base[r.length] = 0;
-}
-
-void
-sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
- char namestr[DNS_NAME_FORMATSIZE];
- char algstr[DNS_NAME_FORMATSIZE];
-
- dns_name_format(&sig->signer, namestr, sizeof(namestr));
- alg_format(sig->algorithm, algstr, sizeof(algstr));
- snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
-}
-
-void
-key_format(const dst_key_t *key, char *cp, unsigned int size) {
- char namestr[DNS_NAME_FORMATSIZE];
- char algstr[DNS_NAME_FORMATSIZE];
-
- dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
- alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
- snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
-}
-
-void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
- isc_result_t result;
- isc_logdestination_t destination;
- isc_logconfig_t *logconfig = NULL;
- isc_log_t *log = NULL;
- int level;
-
- if (verbose < 0)
- verbose = 0;
- switch (verbose) {
- case 0:
- /*
- * We want to see warnings about things like out-of-zone
- * data in the master file even when not verbose.
- */
- level = ISC_LOG_WARNING;
- break;
- case 1:
- level = ISC_LOG_INFO;
- break;
- default:
- level = ISC_LOG_DEBUG(verbose - 2 + 1);
- break;
- }
-
- RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
- isc_log_setcontext(log);
- dns_log_init(log);
- dns_log_setcontext(log);
-
- RUNTIME_CHECK(isc_log_settag(logconfig, program) == ISC_R_SUCCESS);
-
- /*
- * Set up a channel similar to default_stderr except:
- * - the logging level is passed in
- * - the program name and logging level are printed
- * - no time stamp is printed
- */
- destination.file.stream = stderr;
- destination.file.name = NULL;
- destination.file.versions = ISC_LOG_ROLLNEVER;
- destination.file.maximum_size = 0;
- result = isc_log_createchannel(logconfig, "stderr",
- ISC_LOG_TOFILEDESC,
- level,
- &destination,
- ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL);
- check_result(result, "isc_log_createchannel()");
-
- RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
- NULL, NULL) == ISC_R_SUCCESS);
-
- *logp = log;
-}
-
-void
-cleanup_logging(isc_log_t **logp) {
- isc_log_t *log;
-
- REQUIRE(logp != NULL);
-
- log = *logp;
- if (log == NULL)
- return;
- isc_log_destroy(&log);
- isc_log_setcontext(NULL);
- dns_log_setcontext(NULL);
- logp = NULL;
-}
-
-void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
- isc_result_t result;
- isc_entropysource_t *source = NULL;
- entropysource_t *elt;
- int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
-
- REQUIRE(ectx != NULL);
-
- if (*ectx == NULL) {
- result = isc_entropy_create(mctx, ectx);
- if (result != ISC_R_SUCCESS)
- fatal("could not create entropy object");
- ISC_LIST_INIT(sources);
- }
-
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- usekeyboard = ISC_ENTROPY_KEYBOARDYES;
- randomfile = NULL;
- }
-
- result = isc_entropy_usebestsource(*ectx, &source, randomfile,
- usekeyboard);
-
- if (result != ISC_R_SUCCESS)
- fatal("could not initialize entropy source: %s",
- isc_result_totext(result));
-
- if (source != NULL) {
- elt = isc_mem_get(mctx, sizeof(*elt));
- if (elt == NULL)
- fatal("out of memory");
- elt->source = source;
- elt->mctx = mctx;
- ISC_LINK_INIT(elt, link);
- ISC_LIST_APPEND(sources, elt, link);
- }
-}
-
-void
-cleanup_entropy(isc_entropy_t **ectx) {
- entropysource_t *source;
- while (!ISC_LIST_EMPTY(sources)) {
- source = ISC_LIST_HEAD(sources);
- ISC_LIST_UNLINK(sources, source, link);
- isc_entropy_destroysource(&source->source);
- isc_mem_put(source->mctx, source, sizeof(*source));
- }
- isc_entropy_detach(ectx);
-}
-
-isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
- isc_int64_t val, offset;
- isc_result_t result;
- char *endp;
-
- if (str[0] == '+') {
- offset = strtol(str + 1, &endp, 0);
- if (*endp != '\0')
- fatal("time value %s is invalid", str);
- val = base + offset;
- } else if (strncmp(str, "now+", 4) == 0) {
- offset = strtol(str + 4, &endp, 0);
- if (*endp != '\0')
- fatal("time value %s is invalid", str);
- val = now + offset;
- } else if (strlen(str) == 8U) {
- char timestr[15];
- sprintf(timestr, "%s000000", str);
- result = dns_time64_fromtext(timestr, &val);
- if (result != ISC_R_SUCCESS)
- fatal("time value %s is invalid", str);
- } else {
- result = dns_time64_fromtext(str, &val);
- if (result != ISC_R_SUCCESS)
- fatal("time value %s is invalid", str);
- }
-
- return ((isc_stdtime_t) val);
-}
-
-dns_rdataclass_t
-strtoclass(const char *str) {
- isc_textregion_t r;
- dns_rdataclass_t rdclass;
- isc_result_t ret;
-
- if (str == NULL)
- return dns_rdataclass_in;
- DE_CONST(str, r.base);
- r.length = strlen(str);
- ret = dns_rdataclass_fromtext(&rdclass, &r);
- if (ret != ISC_R_SUCCESS)
- fatal("unknown class %s", str);
- return (rdclass);
-}
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h
deleted file mode 100644
index 0d179503b766..000000000000
--- a/contrib/bind9/bin/dnssec/dnssectool.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssectool.h,v 1.15.12.3 2004/03/08 04:04:18 marka Exp $ */
-
-#ifndef DNSSECTOOL_H
-#define DNSSECTOOL_H 1
-
-#include <isc/log.h>
-#include <isc/stdtime.h>
-#include <dns/rdatastruct.h>
-#include <dst/dst.h>
-
-typedef void (fatalcallback_t)(void);
-
-void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-setfatalcallback(fatalcallback_t *callback);
-
-void
-check_result(isc_result_t result, const char *message);
-
-void
-vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
-
-void
-type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
-#define TYPE_FORMATSIZE 10
-
-void
-alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
-#define ALG_FORMATSIZE 10
-
-void
-sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
-#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
-
-void
-key_format(const dst_key_t *key, char *cp, unsigned int size);
-#define KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
-
-void
-setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
-
-void
-cleanup_logging(isc_log_t **logp);
-
-void
-setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
-
-void
-cleanup_entropy(isc_entropy_t **ectx);
-
-isc_stdtime_t
-strtotime(const char *str, isc_int64_t now, isc_int64_t base);
-
-dns_rdataclass_t
-strtoclass(const char *str);
-
-#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in
deleted file mode 100644
index 50fb93bf11d9..000000000000
--- a/contrib/bind9/bin/named/Makefile.in
+++ /dev/null
@@ -1,135 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.74.12.11 2004/09/06 21:47:25 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-#
-# Add database drivers here.
-#
-DBDRIVER_OBJS =
-DBDRIVER_SRCS =
-DBDRIVER_INCLUDES =
-DBDRIVER_LIBS =
-
-CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
- ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
- ${DBDRIVER_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-LWRESLIBS = ../../lib/lwres/liblwres.@A@
-BIND9LIBS = ../../lib/bind9/libbind9.@A@
-
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
-BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-
-DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
- ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
-
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
- ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
-
-SUBDIRS = unix
-
-TARGETS = named@EXEEXT@ lwresd@EXEEXT@
-
-OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \
- controlconf.@O@ interfacemgr.@O@ \
- listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
- query.@O@ server.@O@ sortlist.@O@ \
- tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
- zoneconf.@O@ \
- lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
- lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
- $(DBDRIVER_OBJS)
-
-UOBJS = unix/os.@O@
-
-SRCS = aclconf.c builtin.c client.c config.c control.c \
- controlconf.c interfacemgr.c \
- listenlist.c log.c logconf.c main.c notify.c \
- query.c server.c sortlist.c \
- tkeyconf.c tsigconf.c update.c xfrout.c \
- zoneconf.c \
- lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
- lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
- $(DBDRIVER_SRCS)
-
-MANPAGES = named.8 lwresd.8 named.conf.5
-
-HTMLPAGES = named.html lwresd.html named.conf.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-main.@O@: main.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DNS_LOCALSTATEDIR=\"${localstatedir}\" \
- -DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
-
-config.@O@: config.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DNS_LOCALSTATEDIR=\"${localstatedir}\" \
- -c ${srcdir}/config.c
-
-named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
- ${OBJS} ${UOBJS} ${LIBS}
-
-lwresd@EXEEXT@: named@EXEEXT@
- rm -f lwresd@EXEEXT@
- @LN@ named@EXEEXT@ lwresd@EXEEXT@
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-clean distclean maintainer-clean::
- rm -f ${TARGETS} ${OBJS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
- (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
- ${INSTALL_DATA} ${srcdir}/named.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/lwresd.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5
-
diff --git a/contrib/bind9/bin/named/aclconf.c b/contrib/bind9/bin/named/aclconf.c
deleted file mode 100644
index 8b6d0c767d4f..000000000000
--- a/contrib/bind9/bin/named/aclconf.c
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: aclconf.c,v 1.27.12.5 2005/03/17 03:58:25 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <dns/acl.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-
-#include <named/aclconf.h>
-
-#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
-
-void
-ns_aclconfctx_init(ns_aclconfctx_t *ctx) {
- ISC_LIST_INIT(ctx->named_acl_cache);
-}
-
-void
-ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) {
- dns_acl_t *dacl, *next;
- for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
- dacl != NULL;
- dacl = next)
- {
- next = ISC_LIST_NEXT(dacl, nextincache);
- dns_acl_detach(&dacl);
- }
-}
-
-/*
- * Find the definition of the named acl whose name is "name".
- */
-static isc_result_t
-get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *acls = NULL;
- cfg_listelt_t *elt;
-
- result = cfg_map_get(cctx, "acl", &acls);
- if (result != ISC_R_SUCCESS)
- return (result);
- for (elt = cfg_list_first(acls);
- elt != NULL;
- elt = cfg_list_next(elt)) {
- cfg_obj_t *acl = cfg_listelt_value(elt);
- const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
- if (strcasecmp(aclname, name) == 0) {
- *ret = cfg_tuple_get(acl, "value");
- return (ISC_R_SUCCESS);
- }
- }
- return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
- ns_aclconfctx_t *ctx, isc_mem_t *mctx,
- dns_acl_t **target)
-{
- isc_result_t result;
- cfg_obj_t *cacl = NULL;
- dns_acl_t *dacl;
- dns_acl_t loop;
- char *aclname = cfg_obj_asstring(nameobj);
-
- /* Look for an already-converted version. */
- for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
- dacl != NULL;
- dacl = ISC_LIST_NEXT(dacl, nextincache))
- {
- if (strcasecmp(aclname, dacl->name) == 0) {
- if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
- cfg_obj_log(nameobj, dns_lctx, ISC_LOG_ERROR,
- "acl loop detected: %s", aclname);
- return (ISC_R_FAILURE);
- }
- dns_acl_attach(dacl, target);
- return (ISC_R_SUCCESS);
- }
- }
- /* Not yet converted. Convert now. */
- result = get_acl_def(cctx, aclname, &cacl);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(nameobj, dns_lctx, ISC_LOG_WARNING,
- "undefined ACL '%s'", aclname);
- return (result);
- }
- /*
- * Add a loop detection element.
- */
- memset(&loop, 0, sizeof(loop));
- ISC_LINK_INIT(&loop, nextincache);
- loop.name = aclname;
- loop.magic = LOOP_MAGIC;
- ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
- result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl);
- ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
- loop.magic = 0;
- loop.name = NULL;
- if (result != ISC_R_SUCCESS)
- return (result);
- dacl->name = isc_mem_strdup(dacl->mctx, aclname);
- if (dacl->name == NULL)
- return (ISC_R_NOMEMORY);
- ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
- dns_acl_attach(dacl, target);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
- isc_result_t result;
- isc_buffer_t buf;
- dns_fixedname_t fixname;
- unsigned int keylen;
- const char *txtname = cfg_obj_asstring(keyobj);
-
- keylen = strlen(txtname);
- isc_buffer_init(&buf, txtname, keylen);
- isc_buffer_add(&buf, keylen);
- dns_fixedname_init(&fixname);
- result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(keyobj, dns_lctx, ISC_LOG_WARNING,
- "key name '%s' is not a valid domain name",
- txtname);
- return (result);
- }
- return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
-}
-
-isc_result_t
-ns_acl_fromconfig(cfg_obj_t *caml,
- cfg_obj_t *cctx,
- ns_aclconfctx_t *ctx,
- isc_mem_t *mctx,
- dns_acl_t **target)
-{
- isc_result_t result;
- unsigned int count;
- dns_acl_t *dacl = NULL;
- dns_aclelement_t *de;
- cfg_listelt_t *elt;
-
- REQUIRE(target != NULL && *target == NULL);
-
- count = 0;
- for (elt = cfg_list_first(caml);
- elt != NULL;
- elt = cfg_list_next(elt))
- count++;
-
- result = dns_acl_create(mctx, count, &dacl);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- de = dacl->elements;
- for (elt = cfg_list_first(caml);
- elt != NULL;
- elt = cfg_list_next(elt))
- {
- cfg_obj_t *ce = cfg_listelt_value(elt);
- if (cfg_obj_istuple(ce)) {
- /* This must be a negated element. */
- ce = cfg_tuple_get(ce, "value");
- de->negative = ISC_TRUE;
- } else {
- de->negative = ISC_FALSE;
- }
-
- if (cfg_obj_isnetprefix(ce)) {
- /* Network prefix */
- de->type = dns_aclelementtype_ipprefix;
-
- cfg_obj_asnetprefix(ce,
- &de->u.ip_prefix.address,
- &de->u.ip_prefix.prefixlen);
- } else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
- /* Key name */
- de->type = dns_aclelementtype_keyname;
- dns_name_init(&de->u.keyname, NULL);
- result = convert_keyname(ce, mctx, &de->u.keyname);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- } else if (cfg_obj_islist(ce)) {
- /* Nested ACL */
- de->type = dns_aclelementtype_nestedacl;
- result = ns_acl_fromconfig(ce, cctx, ctx, mctx,
- &de->u.nestedacl);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- } else if (cfg_obj_isstring(ce)) {
- /* ACL name */
- char *name = cfg_obj_asstring(ce);
- if (strcasecmp(name, "localhost") == 0) {
- de->type = dns_aclelementtype_localhost;
- } else if (strcasecmp(name, "localnets") == 0) {
- de->type = dns_aclelementtype_localnets;
- } else if (strcasecmp(name, "any") == 0) {
- de->type = dns_aclelementtype_any;
- } else if (strcasecmp(name, "none") == 0) {
- de->type = dns_aclelementtype_any;
- de->negative = ISC_TF(! de->negative);
- } else {
- de->type = dns_aclelementtype_nestedacl;
- result = convert_named_acl(ce, cctx, ctx, mctx,
- &de->u.nestedacl);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- } else {
- cfg_obj_log(ce, dns_lctx, ISC_LOG_WARNING,
- "address match list contains "
- "unsupported element type");
- result = ISC_R_FAILURE;
- goto cleanup;
- }
- de++;
- dacl->length++;
- }
-
- *target = dacl;
- return (ISC_R_SUCCESS);
-
- cleanup:
- dns_acl_detach(&dacl);
- return (result);
-}
diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c
deleted file mode 100644
index af4d7a3f0d43..000000000000
--- a/contrib/bind9/bin/named/builtin.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: builtin.c,v 1.4.106.4 2004/03/08 04:04:18 marka Exp $ */
-
-/*
- * The built-in "version", "hostname", "id" and "authors" databases.
- */
-
-#include <config.h>
-
-#include <string.h>
-#include <stdio.h>
-
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-#include <dns/sdb.h>
-#include <dns/result.h>
-
-#include <named/builtin.h>
-#include <named/globals.h>
-#include <named/server.h>
-#include <named/os.h>
-
-typedef struct builtin builtin_t;
-
-static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
-static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
-
-/*
- * We can't use function pointers as the db_data directly
- * because ANSI C does not guarantee that function pointers
- * can safely be cast to void pointers and back.
- */
-
-struct builtin {
- isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
-};
-
-static builtin_t version_builtin = { do_version_lookup };
-static builtin_t hostname_builtin = { do_hostname_lookup };
-static builtin_t authors_builtin = { do_authors_lookup };
-static builtin_t id_builtin = { do_id_lookup };
-
-static dns_sdbimplementation_t *builtin_impl;
-
-static isc_result_t
-builtin_lookup(const char *zone, const char *name, void *dbdata,
- dns_sdblookup_t *lookup)
-{
- builtin_t *b = (builtin_t *) dbdata;
-
- UNUSED(zone);
-
- if (strcmp(name, "@") == 0)
- return (b->do_lookup(lookup));
- else
- return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-put_txt(dns_sdblookup_t *lookup, const char *text) {
- unsigned char buf[256];
- unsigned int len = strlen(text);
- if (len > 255)
- len = 255; /* Silently truncate */
- buf[0] = len;
- memcpy(&buf[1], text, len);
- return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
-}
-
-static isc_result_t
-do_version_lookup(dns_sdblookup_t *lookup) {
- if (ns_g_server->version_set) {
- if (ns_g_server->version == NULL)
- return (ISC_R_SUCCESS);
- else
- return (put_txt(lookup, ns_g_server->version));
- } else {
- return (put_txt(lookup, ns_g_version));
- }
-}
-
-static isc_result_t
-do_hostname_lookup(dns_sdblookup_t *lookup) {
- if (ns_g_server->hostname_set) {
- if (ns_g_server->hostname == NULL)
- return (ISC_R_SUCCESS);
- else
- return (put_txt(lookup, ns_g_server->hostname));
- } else {
- char buf[256];
- isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
- if (result != ISC_R_SUCCESS)
- return (result);
- return (put_txt(lookup, buf));
- }
-}
-
-static isc_result_t
-do_authors_lookup(dns_sdblookup_t *lookup) {
- isc_result_t result;
- const char **p;
- static const char *authors[] = {
- "Mark Andrews",
- "James Brister",
- "Ben Cottrell",
- "Michael Graff",
- "Andreas Gustafsson",
- "Bob Halley",
- "David Lawrence",
- "Danny Mayer",
- "Damien Neil",
- "Matt Nelson",
- "Michael Sawyer",
- "Brian Wellington",
- NULL
- };
-
- /*
- * If a version string is specified, disable the authors.bind zone.
- */
- if (ns_g_server->version_set)
- return (ISC_R_SUCCESS);
-
- for (p = authors; *p != NULL; p++) {
- result = put_txt(lookup, *p);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-do_id_lookup(dns_sdblookup_t *lookup) {
-
- if (ns_g_server->server_usehostname) {
- char buf[256];
- isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
- if (result != ISC_R_SUCCESS)
- return (result);
- return (put_txt(lookup, buf));
- }
-
- if (ns_g_server->server_id == NULL)
- return (ISC_R_SUCCESS);
- else
- return (put_txt(lookup, ns_g_server->server_id));
-}
-
-static isc_result_t
-builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
- isc_result_t result;
-
- UNUSED(zone);
- UNUSED(dbdata);
-
- result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0);
- if (result != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
- result = dns_sdb_putrr(lookup, "ns", 0, "@");
- if (result != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-builtin_create(const char *zone, int argc, char **argv,
- void *driverdata, void **dbdata)
-{
- UNUSED(zone);
- UNUSED(driverdata);
- if (argc != 1)
- return (DNS_R_SYNTAX);
- if (strcmp(argv[0], "version") == 0)
- *dbdata = &version_builtin;
- else if (strcmp(argv[0], "hostname") == 0)
- *dbdata = &hostname_builtin;
- else if (strcmp(argv[0], "authors") == 0)
- *dbdata = &authors_builtin;
- else if (strcmp(argv[0], "id") == 0)
- *dbdata = &id_builtin;
- else
- return (ISC_R_NOTIMPLEMENTED);
- return (ISC_R_SUCCESS);
-}
-
-static dns_sdbmethods_t builtin_methods = {
- builtin_lookup,
- builtin_authority,
- NULL, /* allnodes */
- builtin_create,
- NULL /* destroy */
-};
-
-isc_result_t
-ns_builtin_init(void) {
- RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
- DNS_SDBFLAG_RELATIVEOWNER |
- DNS_SDBFLAG_RELATIVERDATA,
- ns_g_mctx, &builtin_impl)
- == ISC_R_SUCCESS);
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_builtin_deinit(void) {
- dns_sdb_unregister(&builtin_impl);
-}
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
deleted file mode 100644
index baecc2345cb9..000000000000
--- a/contrib/bind9/bin/named/client.c
+++ /dev/null
@@ -1,2366 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: client.c,v 1.176.2.13.4.26 2005/07/27 02:53:14 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/formatcheck.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/message.h>
-#include <dns/rcode.h>
-#include <dns/resolver.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-
-#include <named/interfacemgr.h>
-#include <named/log.h>
-#include <named/notify.h>
-#include <named/server.h>
-#include <named/update.h>
-
-/***
- *** Client
- ***/
-
-/*
- * Important note!
- *
- * All client state changes, other than that from idle to listening, occur
- * as a result of events. This guarantees serialization and avoids the
- * need for locking.
- *
- * If a routine is ever created that allows someone other than the client's
- * task to change the client, then the client will have to be locked.
- */
-
-#define NS_CLIENT_TRACE
-#ifdef NS_CLIENT_TRACE
-#define CTRACE(m) ns_client_log(client, \
- NS_LOGCATEGORY_CLIENT, \
- NS_LOGMODULE_CLIENT, \
- ISC_LOG_DEBUG(3), \
- "%s", (m))
-#define MTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_CLIENT, \
- ISC_LOG_DEBUG(3), \
- "clientmgr @%p: %s", manager, (m))
-#else
-#define CTRACE(m) ((void)(m))
-#define MTRACE(m) ((void)(m))
-#endif
-
-#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
-
-#define TCP_BUFFER_SIZE (65535 + 2)
-#define SEND_BUFFER_SIZE 4096
-#define RECV_BUFFER_SIZE 4096
-
-struct ns_clientmgr {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_taskmgr_t * taskmgr;
- isc_timermgr_t * timermgr;
- isc_mutex_t lock;
- /* Locked by lock. */
- isc_boolean_t exiting;
- client_list_t active; /* Active clients */
- client_list_t recursing; /* Recursing clients */
- client_list_t inactive; /* To be recycled */
-};
-
-#define MANAGER_MAGIC ISC_MAGIC('N', 'S', 'C', 'm')
-#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC)
-
-/*
- * Client object states. Ordering is significant: higher-numbered
- * states are generally "more active", meaning that the client can
- * have more dynamically allocated data, outstanding events, etc.
- * In the list below, any such properties listed for state N
- * also apply to any state > N.
- *
- * To force the client into a less active state, set client->newstate
- * to that state and call exit_check(). This will cause any
- * activities defined for higher-numbered states to be aborted.
- */
-
-#define NS_CLIENTSTATE_FREED 0
-/*
- * The client object no longer exists.
- */
-
-#define NS_CLIENTSTATE_INACTIVE 1
-/*
- * The client object exists and has a task and timer.
- * Its "query" struct and sendbuf are initialized.
- * It is on the client manager's list of inactive clients.
- * It has a message and OPT, both in the reset state.
- */
-
-#define NS_CLIENTSTATE_READY 2
-/*
- * The client object is either a TCP or a UDP one, and
- * it is associated with a network interface. It is on the
- * client manager's list of active clients.
- *
- * If it is a TCP client object, it has a TCP listener socket
- * and an outstanding TCP listen request.
- *
- * If it is a UDP client object, it has a UDP listener socket
- * and an outstanding UDP receive request.
- */
-
-#define NS_CLIENTSTATE_READING 3
-/*
- * The client object is a TCP client object that has received
- * a connection. It has a tcpsocket, tcpmsg, TCP quota, and an
- * outstanding TCP read request. This state is not used for
- * UDP client objects.
- */
-
-#define NS_CLIENTSTATE_WORKING 4
-/*
- * The client object has received a request and is working
- * on it. It has a view, and it may have any of a non-reset OPT,
- * recursion quota, and an outstanding write request.
- */
-
-#define NS_CLIENTSTATE_MAX 9
-/*
- * Sentinel value used to indicate "no state". When client->newstate
- * has this value, we are not attempting to exit the current state.
- * Must be greater than any valid state.
- */
-
-
-static void client_read(ns_client_t *client);
-static void client_accept(ns_client_t *client);
-static void client_udprecv(ns_client_t *client);
-static void clientmgr_destroy(ns_clientmgr_t *manager);
-static isc_boolean_t exit_check(ns_client_t *client);
-static void ns_client_endrequest(ns_client_t *client);
-static void ns_client_checkactive(ns_client_t *client);
-static void client_start(isc_task_t *task, isc_event_t *event);
-static void client_request(isc_task_t *task, isc_event_t *event);
-static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
-
-void
-ns_client_recursing(ns_client_t *client) {
- REQUIRE(NS_CLIENT_VALID(client));
-
- LOCK(&client->manager->lock);
- ISC_LIST_UNLINK(*client->list, client, link);
- ISC_LIST_APPEND(client->manager->recursing, client, link);
- client->list = &client->manager->recursing;
- UNLOCK(&client->manager->lock);
-}
-
-void
-ns_client_killoldestquery(ns_client_t *client) {
- ns_client_t *oldest;
- REQUIRE(NS_CLIENT_VALID(client));
-
- LOCK(&client->manager->lock);
- oldest = ISC_LIST_HEAD(client->manager->recursing);
- if (oldest != NULL) {
- ns_query_cancel(oldest);
- ISC_LIST_UNLINK(*oldest->list, oldest, link);
- ISC_LIST_APPEND(client->manager->active, oldest, link);
- oldest->list = &client->manager->active;
- }
- UNLOCK(&client->manager->lock);
-}
-
-void
-ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
- isc_result_t result;
- isc_interval_t interval;
-
- isc_interval_set(&interval, seconds, 0);
- result = isc_timer_reset(client->timer, isc_timertype_once, NULL,
- &interval, ISC_FALSE);
- client->timerset = ISC_TRUE;
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "setting timeout: %s",
- isc_result_totext(result));
- /* Continue anyway. */
- }
-}
-
-/*
- * Check for a deactivation or shutdown request and take appropriate
- * action. Returns ISC_TRUE if either is in progress; in this case
- * the caller must no longer use the client object as it may have been
- * freed.
- */
-static isc_boolean_t
-exit_check(ns_client_t *client) {
- ns_clientmgr_t *locked_manager = NULL;
- ns_clientmgr_t *destroy_manager = NULL;
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- if (client->state <= client->newstate)
- return (ISC_FALSE); /* Business as usual. */
-
- INSIST(client->newstate < NS_CLIENTSTATE_WORKING);
-
- /*
- * We need to detach from the view early when shutting down
- * the server to break the following vicious circle:
- *
- * - The resolver will not shut down until the view refcount is zero
- * - The view refcount does not go to zero until all clients detach
- * - The client does not detach from the view until references is zero
- * - references does not go to zero until the resolver has shut down
- *
- * Keep the view attached until any outstanding updates complete.
- */
- if (client->nupdates == 0 &&
- client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL)
- dns_view_detach(&client->view);
-
- if (client->state == NS_CLIENTSTATE_WORKING) {
- INSIST(client->newstate <= NS_CLIENTSTATE_READING);
- /*
- * Let the update processing complete.
- */
- if (client->nupdates > 0)
- return (ISC_TRUE);
- /*
- * We are trying to abort request processing.
- */
- if (client->nsends > 0) {
- isc_socket_t *socket;
- if (TCP_CLIENT(client))
- socket = client->tcpsocket;
- else
- socket = client->udpsocket;
- isc_socket_cancel(socket, client->task,
- ISC_SOCKCANCEL_SEND);
- }
-
- if (! (client->nsends == 0 && client->nrecvs == 0 &&
- client->references == 0))
- {
- /*
- * Still waiting for I/O cancel completion.
- * or lingering references.
- */
- return (ISC_TRUE);
- }
- /*
- * I/O cancel is complete. Burn down all state
- * related to the current request.
- */
- ns_client_endrequest(client);
-
- client->state = NS_CLIENTSTATE_READING;
- INSIST(client->recursionquota == NULL);
- if (NS_CLIENTSTATE_READING == client->newstate) {
- client_read(client);
- client->newstate = NS_CLIENTSTATE_MAX;
- return (ISC_TRUE); /* We're done. */
- }
- }
-
- if (client->state == NS_CLIENTSTATE_READING) {
- /*
- * We are trying to abort the current TCP connection,
- * if any.
- */
- INSIST(client->recursionquota == NULL);
- INSIST(client->newstate <= NS_CLIENTSTATE_READY);
- if (client->nreads > 0)
- dns_tcpmsg_cancelread(&client->tcpmsg);
- if (! client->nreads == 0) {
- /* Still waiting for read cancel completion. */
- return (ISC_TRUE);
- }
-
- if (client->tcpmsg_valid) {
- dns_tcpmsg_invalidate(&client->tcpmsg);
- client->tcpmsg_valid = ISC_FALSE;
- }
- if (client->tcpsocket != NULL) {
- CTRACE("closetcp");
- isc_socket_detach(&client->tcpsocket);
- }
-
- if (client->tcpquota != NULL)
- isc_quota_detach(&client->tcpquota);
-
- if (client->timerset) {
- (void)isc_timer_reset(client->timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
- client->timerset = ISC_FALSE;
- }
-
- client->peeraddr_valid = ISC_FALSE;
-
- client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- /*
- * Now the client is ready to accept a new TCP connection
- * or UDP request, but we may have enough clients doing
- * that already. Check whether this client needs to remain
- * active and force it to go inactive if not.
- */
- ns_client_checkactive(client);
-
- if (NS_CLIENTSTATE_READY == client->newstate) {
- if (TCP_CLIENT(client)) {
- client_accept(client);
- } else
- client_udprecv(client);
- client->newstate = NS_CLIENTSTATE_MAX;
- return (ISC_TRUE);
- }
- }
-
- if (client->state == NS_CLIENTSTATE_READY) {
- INSIST(client->newstate <= NS_CLIENTSTATE_INACTIVE);
- /*
- * We are trying to enter the inactive state.
- */
- if (client->naccepts > 0)
- isc_socket_cancel(client->tcplistener, client->task,
- ISC_SOCKCANCEL_ACCEPT);
-
- if (! (client->naccepts == 0)) {
- /* Still waiting for accept cancel completion. */
- return (ISC_TRUE);
- }
- /* Accept cancel is complete. */
-
- if (client->nrecvs > 0)
- isc_socket_cancel(client->udpsocket, client->task,
- ISC_SOCKCANCEL_RECV);
- if (! (client->nrecvs == 0)) {
- /* Still waiting for recv cancel completion. */
- return (ISC_TRUE);
- }
- /* Recv cancel is complete. */
-
- if (client->nctls > 0) {
- /* Still waiting for control event to be delivered */
- return (ISC_TRUE);
- }
-
- /* Deactivate the client. */
- if (client->interface)
- ns_interface_detach(&client->interface);
-
- INSIST(client->naccepts == 0);
- INSIST(client->recursionquota == NULL);
- if (client->tcplistener != NULL)
- isc_socket_detach(&client->tcplistener);
-
- if (client->udpsocket != NULL)
- isc_socket_detach(&client->udpsocket);
-
- if (client->dispatch != NULL)
- dns_dispatch_detach(&client->dispatch);
-
- client->attributes = 0;
- client->mortal = ISC_FALSE;
-
- LOCK(&client->manager->lock);
- /*
- * Put the client on the inactive list. If we are aiming for
- * the "freed" state, it will be removed from the inactive
- * list shortly, and we need to keep the manager locked until
- * that has been done, lest the manager decide to reactivate
- * the dying client inbetween.
- */
- locked_manager = client->manager;
- ISC_LIST_UNLINK(*client->list, client, link);
- ISC_LIST_APPEND(client->manager->inactive, client, link);
- client->list = &client->manager->inactive;
- client->state = NS_CLIENTSTATE_INACTIVE;
- INSIST(client->recursionquota == NULL);
-
- if (client->state == client->newstate) {
- client->newstate = NS_CLIENTSTATE_MAX;
- goto unlock;
- }
- }
-
- if (client->state == NS_CLIENTSTATE_INACTIVE) {
- INSIST(client->newstate == NS_CLIENTSTATE_FREED);
- /*
- * We are trying to free the client.
- *
- * When "shuttingdown" is true, either the task has received
- * its shutdown event or no shutdown event has ever been
- * set up. Thus, we have no outstanding shutdown
- * event at this point.
- */
- REQUIRE(client->state == NS_CLIENTSTATE_INACTIVE);
-
- INSIST(client->recursionquota == NULL);
-
- ns_query_free(client);
- isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
- isc_event_free((isc_event_t **)&client->sendevent);
- isc_event_free((isc_event_t **)&client->recvevent);
- isc_timer_detach(&client->timer);
-
- if (client->tcpbuf != NULL)
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- if (client->opt != NULL) {
- INSIST(dns_rdataset_isassociated(client->opt));
- dns_rdataset_disassociate(client->opt);
- dns_message_puttemprdataset(client->message, &client->opt);
- }
- dns_message_destroy(&client->message);
- if (client->manager != NULL) {
- ns_clientmgr_t *manager = client->manager;
- if (locked_manager == NULL) {
- LOCK(&manager->lock);
- locked_manager = manager;
- }
- ISC_LIST_UNLINK(*client->list, client, link);
- client->list = NULL;
- if (manager->exiting &&
- ISC_LIST_EMPTY(manager->active) &&
- ISC_LIST_EMPTY(manager->inactive) &&
- ISC_LIST_EMPTY(manager->recursing))
- destroy_manager = manager;
- }
- /*
- * Detaching the task must be done after unlinking from
- * the manager's lists because the manager accesses
- * client->task.
- */
- if (client->task != NULL)
- isc_task_detach(&client->task);
-
- CTRACE("free");
- client->magic = 0;
- isc_mem_put(client->mctx, client, sizeof(*client));
-
- goto unlock;
- }
-
- unlock:
- if (locked_manager != NULL) {
- UNLOCK(&locked_manager->lock);
- locked_manager = NULL;
- }
-
- /*
- * Only now is it safe to destroy the client manager (if needed),
- * because we have accessed its lock for the last time.
- */
- if (destroy_manager != NULL)
- clientmgr_destroy(destroy_manager);
-
- return (ISC_TRUE);
-}
-
-/*
- * The client's task has received the client's control event
- * as part of the startup process.
- */
-static void
-client_start(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client = (ns_client_t *) event->ev_arg;
-
- INSIST(task == client->task);
-
- UNUSED(task);
-
- INSIST(client->nctls == 1);
- client->nctls--;
-
- if (exit_check(client))
- return;
-
- if (TCP_CLIENT(client)) {
- client_accept(client);
- } else {
- client_udprecv(client);
- }
-}
-
-
-/*
- * The client's task has received a shutdown event.
- */
-static void
-client_shutdown(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
-
- REQUIRE(event != NULL);
- REQUIRE(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
- client = event->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
-
- UNUSED(task);
-
- CTRACE("shutdown");
-
- isc_event_free(&event);
-
- if (client->shutdown != NULL) {
- (client->shutdown)(client->shutdown_arg, ISC_R_SHUTTINGDOWN);
- client->shutdown = NULL;
- client->shutdown_arg = NULL;
- }
-
- client->newstate = NS_CLIENTSTATE_FREED;
- (void)exit_check(client);
-}
-
-static void
-ns_client_endrequest(ns_client_t *client) {
- INSIST(client->naccepts == 0);
- INSIST(client->nreads == 0);
- INSIST(client->nsends == 0);
- INSIST(client->nrecvs == 0);
- INSIST(client->nupdates == 0);
- INSIST(client->state == NS_CLIENTSTATE_WORKING);
-
- CTRACE("endrequest");
-
- if (client->next != NULL) {
- (client->next)(client);
- client->next = NULL;
- }
-
- if (client->view != NULL)
- dns_view_detach(&client->view);
- if (client->opt != NULL) {
- INSIST(dns_rdataset_isassociated(client->opt));
- dns_rdataset_disassociate(client->opt);
- dns_message_puttemprdataset(client->message, &client->opt);
- }
-
- client->udpsize = 512;
- client->extflags = 0;
- dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
-
- if (client->recursionquota != NULL)
- isc_quota_detach(&client->recursionquota);
-
- /*
- * Clear all client attributes that are specific to
- * the request; that's all except the TCP flag.
- */
- client->attributes &= NS_CLIENTATTR_TCP;
-}
-
-static void
-ns_client_checkactive(ns_client_t *client) {
- if (client->mortal) {
- /*
- * This client object should normally go inactive
- * at this point, but if we have fewer active client
- * objects than desired due to earlier quota exhaustion,
- * keep it active to make up for the shortage.
- */
- isc_boolean_t need_another_client = ISC_FALSE;
- if (TCP_CLIENT(client)) {
- LOCK(&client->interface->lock);
- if (client->interface->ntcpcurrent <
- client->interface->ntcptarget)
- need_another_client = ISC_TRUE;
- UNLOCK(&client->interface->lock);
- } else {
- /*
- * The UDP client quota is enforced by making
- * requests fail rather than by not listening
- * for new ones. Therefore, there is always a
- * full set of UDP clients listening.
- */
- }
- if (! need_another_client) {
- /*
- * We don't need this client object. Recycle it.
- */
- if (client->newstate >= NS_CLIENTSTATE_INACTIVE)
- client->newstate = NS_CLIENTSTATE_INACTIVE;
- }
- }
-}
-
-void
-ns_client_next(ns_client_t *client, isc_result_t result) {
- int newstate;
-
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(client->state == NS_CLIENTSTATE_WORKING ||
- client->state == NS_CLIENTSTATE_READING);
-
- CTRACE("next");
-
- if (result != ISC_R_SUCCESS)
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request failed: %s", isc_result_totext(result));
-
- /*
- * An error processing a TCP request may have left
- * the connection out of sync. To be safe, we always
- * sever the connection when result != ISC_R_SUCCESS.
- */
- if (result == ISC_R_SUCCESS && TCP_CLIENT(client))
- newstate = NS_CLIENTSTATE_READING;
- else
- newstate = NS_CLIENTSTATE_READY;
-
- if (client->newstate > newstate)
- client->newstate = newstate;
- (void)exit_check(client);
-}
-
-
-static void
-client_senddone(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
- isc_socketevent_t *sevent = (isc_socketevent_t *) event;
-
- REQUIRE(sevent != NULL);
- REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
- client = sevent->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
- REQUIRE(sevent == client->sendevent);
-
- UNUSED(task);
-
- CTRACE("senddone");
-
- if (sevent->result != ISC_R_SUCCESS)
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "error sending response: %s",
- isc_result_totext(sevent->result));
-
- INSIST(client->nsends > 0);
- client->nsends--;
-
- if (client->tcpbuf != NULL) {
- INSIST(TCP_CLIENT(client));
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- client->tcpbuf = NULL;
- }
-
- if (exit_check(client))
- return;
-
- ns_client_next(client, ISC_R_SUCCESS);
-}
-
-/*
- * We only want to fail with ISC_R_NOSPACE when called from
- * ns_client_sendraw() and not when called from ns_client_send(),
- * tcpbuffer is NULL when called from ns_client_sendraw() and
- * length != 0. tcpbuffer != NULL when called from ns_client_send()
- * and length == 0.
- */
-
-static isc_result_t
-client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer,
- isc_buffer_t *tcpbuffer, isc_uint32_t length,
- unsigned char *sendbuf, unsigned char **datap)
-{
- unsigned char *data;
- isc_uint32_t bufsize;
- isc_result_t result;
-
- INSIST(datap != NULL);
- INSIST((tcpbuffer == NULL && length != 0) ||
- (tcpbuffer != NULL && length == 0));
-
- if (TCP_CLIENT(client)) {
- INSIST(client->tcpbuf == NULL);
- if (length + 2 > TCP_BUFFER_SIZE) {
- result = ISC_R_NOSPACE;
- goto done;
- }
- client->tcpbuf = isc_mem_get(client->mctx, TCP_BUFFER_SIZE);
- if (client->tcpbuf == NULL) {
- result = ISC_R_NOMEMORY;
- goto done;
- }
- data = client->tcpbuf;
- if (tcpbuffer != NULL) {
- isc_buffer_init(tcpbuffer, data, TCP_BUFFER_SIZE);
- isc_buffer_init(buffer, data + 2, TCP_BUFFER_SIZE - 2);
- } else {
- isc_buffer_init(buffer, data, TCP_BUFFER_SIZE);
- INSIST(length <= 0xffff);
- isc_buffer_putuint16(buffer, (isc_uint16_t)length);
- }
- } else {
- data = sendbuf;
- if (client->udpsize < SEND_BUFFER_SIZE)
- bufsize = client->udpsize;
- else
- bufsize = SEND_BUFFER_SIZE;
- if (length > bufsize) {
- result = ISC_R_NOSPACE;
- goto done;
- }
- isc_buffer_init(buffer, data, bufsize);
- }
- *datap = data;
- result = ISC_R_SUCCESS;
-
- done:
- return (result);
-}
-
-static isc_result_t
-client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
- struct in6_pktinfo *pktinfo;
- isc_result_t result;
- isc_region_t r;
- isc_sockaddr_t *address;
- isc_socket_t *socket;
- isc_netaddr_t netaddr;
- int match;
- unsigned int sockflags = ISC_SOCKFLAG_IMMEDIATE;
-
- if (TCP_CLIENT(client)) {
- socket = client->tcpsocket;
- address = NULL;
- } else {
- socket = client->udpsocket;
- address = &client->peeraddr;
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
- if (ns_g_server->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL,
- ns_g_server->blackholeacl,
- &ns_g_server->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- return (DNS_R_BLACKHOLED);
- sockflags |= ISC_SOCKFLAG_NORETRY;
- }
-
- if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0 &&
- (client->attributes & NS_CLIENTATTR_MULTICAST) == 0)
- pktinfo = &client->pktinfo;
- else
- pktinfo = NULL;
-
- isc_buffer_usedregion(buffer, &r);
-
- CTRACE("sendto");
-
- result = isc_socket_sendto2(socket, &r, client->task,
- address, pktinfo,
- client->sendevent, sockflags);
- if (result == ISC_R_SUCCESS || result == ISC_R_INPROGRESS) {
- client->nsends++;
- if (result == ISC_R_SUCCESS)
- client_senddone(client->task,
- (isc_event_t *)client->sendevent);
- result = ISC_R_SUCCESS;
- }
- return (result);
-}
-
-void
-ns_client_sendraw(ns_client_t *client, dns_message_t *message) {
- isc_result_t result;
- unsigned char *data;
- isc_buffer_t buffer;
- isc_region_t r;
- isc_region_t *mr;
- unsigned char sendbuf[SEND_BUFFER_SIZE];
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- CTRACE("sendraw");
-
- mr = dns_message_getrawmessage(message);
- if (mr == NULL) {
- result = ISC_R_UNEXPECTEDEND;
- goto done;
- }
-
- result = client_allocsendbuf(client, &buffer, NULL, mr->length,
- sendbuf, &data);
- if (result != ISC_R_SUCCESS)
- goto done;
-
- /*
- * Copy message to buffer and fixup id.
- */
- isc_buffer_availableregion(&buffer, &r);
- result = isc_buffer_copyregion(&buffer, mr);
- if (result != ISC_R_SUCCESS)
- goto done;
- r.base[0] = (client->message->id >> 8) & 0xff;
- r.base[1] = client->message->id & 0xff;
-
- result = client_sendpkg(client, &buffer);
- if (result == ISC_R_SUCCESS)
- return;
-
- done:
- if (client->tcpbuf != NULL) {
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- client->tcpbuf = NULL;
- }
- ns_client_next(client, result);
-}
-
-void
-ns_client_send(ns_client_t *client) {
- isc_result_t result;
- unsigned char *data;
- isc_buffer_t buffer;
- isc_buffer_t tcpbuffer;
- isc_region_t r;
- dns_compress_t cctx;
- isc_boolean_t cleanup_cctx = ISC_FALSE;
- unsigned char sendbuf[SEND_BUFFER_SIZE];
- unsigned int dnssec_opts;
- unsigned int preferred_glue;
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- CTRACE("send");
-
- if ((client->attributes & NS_CLIENTATTR_RA) != 0)
- client->message->flags |= DNS_MESSAGEFLAG_RA;
-
- if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
- dnssec_opts = 0;
- else
- dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;
-
- preferred_glue = 0;
- if (client->view != NULL) {
- if (client->view->preferred_glue == dns_rdatatype_a)
- preferred_glue = DNS_MESSAGERENDER_PREFER_A;
- else if (client->view->preferred_glue == dns_rdatatype_aaaa)
- preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
- }
-
- /*
- * XXXRTH The following doesn't deal with TCP buffer resizing.
- */
- result = client_allocsendbuf(client, &buffer, &tcpbuffer, 0,
- sendbuf, &data);
- if (result != ISC_R_SUCCESS)
- goto done;
-
- result = dns_compress_init(&cctx, -1, client->mctx);
- if (result != ISC_R_SUCCESS)
- goto done;
- cleanup_cctx = ISC_TRUE;
-
- result = dns_message_renderbegin(client->message, &cctx, &buffer);
- if (result != ISC_R_SUCCESS)
- goto done;
- if (client->opt != NULL) {
- result = dns_message_setopt(client->message, client->opt);
- /*
- * XXXRTH dns_message_setopt() should probably do this...
- */
- client->opt = NULL;
- if (result != ISC_R_SUCCESS)
- goto done;
- }
- result = dns_message_rendersection(client->message,
- DNS_SECTION_QUESTION, 0);
- if (result == ISC_R_NOSPACE) {
- client->message->flags |= DNS_MESSAGEFLAG_TC;
- goto renderend;
- }
- if (result != ISC_R_SUCCESS)
- goto done;
- result = dns_message_rendersection(client->message,
- DNS_SECTION_ANSWER,
- DNS_MESSAGERENDER_PARTIAL |
- dnssec_opts);
- if (result == ISC_R_NOSPACE) {
- client->message->flags |= DNS_MESSAGEFLAG_TC;
- goto renderend;
- }
- if (result != ISC_R_SUCCESS)
- goto done;
- result = dns_message_rendersection(client->message,
- DNS_SECTION_AUTHORITY,
- DNS_MESSAGERENDER_PARTIAL |
- dnssec_opts);
- if (result == ISC_R_NOSPACE) {
- client->message->flags |= DNS_MESSAGEFLAG_TC;
- goto renderend;
- }
- if (result != ISC_R_SUCCESS)
- goto done;
- result = dns_message_rendersection(client->message,
- DNS_SECTION_ADDITIONAL,
- preferred_glue | dnssec_opts);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
- goto done;
- renderend:
- result = dns_message_renderend(client->message);
-
- if (result != ISC_R_SUCCESS)
- goto done;
-
- if (cleanup_cctx) {
- dns_compress_invalidate(&cctx);
- cleanup_cctx = ISC_FALSE;
- }
-
- if (TCP_CLIENT(client)) {
- isc_buffer_usedregion(&buffer, &r);
- isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t) r.length);
- isc_buffer_add(&tcpbuffer, r.length);
- result = client_sendpkg(client, &tcpbuffer);
- } else
- result = client_sendpkg(client, &buffer);
- if (result == ISC_R_SUCCESS)
- return;
-
- done:
- if (client->tcpbuf != NULL) {
- isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
- client->tcpbuf = NULL;
- }
-
- if (cleanup_cctx)
- dns_compress_invalidate(&cctx);
-
- ns_client_next(client, result);
-}
-
-void
-ns_client_error(ns_client_t *client, isc_result_t result) {
- dns_rcode_t rcode;
- dns_message_t *message;
-
- REQUIRE(NS_CLIENT_VALID(client));
-
- CTRACE("error");
-
- message = client->message;
- rcode = dns_result_torcode(result);
-
- /*
- * Message may be an in-progress reply that we had trouble
- * with, in which case QR will be set. We need to clear QR before
- * calling dns_message_reply() to avoid triggering an assertion.
- */
- message->flags &= ~DNS_MESSAGEFLAG_QR;
- /*
- * AA and AD shouldn't be set.
- */
- message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD);
- result = dns_message_reply(message, ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- /*
- * It could be that we've got a query with a good header,
- * but a bad question section, so we try again with
- * want_question_section set to ISC_FALSE.
- */
- result = dns_message_reply(message, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- ns_client_next(client, result);
- return;
- }
- }
- message->rcode = rcode;
-
- /*
- * FORMERR loop avoidance: If we sent a FORMERR message
- * with the same ID to the same client less than two
- * seconds ago, assume that we are in an infinite error
- * packet dialog with a server for some protocol whose
- * error responses look enough like DNS queries to
- * elicit a FORMERR response. Drop a packet to break
- * the loop.
- */
- if (rcode == dns_rcode_formerr) {
- if (isc_sockaddr_equal(&client->peeraddr,
- &client->formerrcache.addr) &&
- message->id == client->formerrcache.id &&
- client->requesttime - client->formerrcache.time < 2) {
- /* Drop packet. */
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "possible error packet loop, "
- "FORMERR dropped");
- ns_client_next(client, result);
- return;
- }
- client->formerrcache.addr = client->peeraddr;
- client->formerrcache.time = client->requesttime;
- client->formerrcache.id = message->id;
- }
- ns_client_send(client);
-}
-
-static inline isc_result_t
-client_addopt(ns_client_t *client) {
- dns_rdataset_t *rdataset;
- dns_rdatalist_t *rdatalist;
- dns_rdata_t *rdata;
- isc_result_t result;
- dns_view_t *view;
- dns_resolver_t *resolver;
- isc_uint16_t udpsize;
-
- REQUIRE(client->opt == NULL); /* XXXRTH free old. */
-
- rdatalist = NULL;
- result = dns_message_gettemprdatalist(client->message, &rdatalist);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdata = NULL;
- result = dns_message_gettemprdata(client->message, &rdata);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdataset = NULL;
- result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_init(rdataset);
-
- rdatalist->type = dns_rdatatype_opt;
- rdatalist->covers = 0;
-
- /*
- * Set the maximum UDP buffer size.
- */
- view = client->view;
- resolver = (view != NULL) ? view->resolver : NULL;
- if (resolver != NULL)
- udpsize = dns_resolver_getudpsize(resolver);
- else
- udpsize = ns_g_udpsize;
- rdatalist->rdclass = udpsize;
-
- /*
- * Set EXTENDED-RCODE, VERSION and Z to 0.
- */
- rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
-
- /*
- * No ENDS options in the default case.
- */
- rdata->data = NULL;
- rdata->length = 0;
- rdata->rdclass = rdatalist->rdclass;
- rdata->type = rdatalist->type;
- rdata->flags = 0;
-
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
- == ISC_R_SUCCESS);
-
- client->opt = rdataset;
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
- int match;
- isc_result_t result;
-
- if (acl == NULL)
- return (ISC_TRUE);
- result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv,
- &match, NULL);
- if (result == ISC_R_SUCCESS && match > 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-/*
- * Handle an incoming request event from the socket (UDP case)
- * or tcpmsg (TCP case).
- */
-static void
-client_request(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
- isc_socketevent_t *sevent;
- isc_result_t result;
- isc_result_t sigresult = ISC_R_SUCCESS;
- isc_buffer_t *buffer;
- isc_buffer_t tbuffer;
- dns_view_t *view;
- dns_rdataset_t *opt;
- isc_boolean_t ra; /* Recursion available. */
- isc_netaddr_t netaddr;
- isc_netaddr_t destaddr;
- int match;
- dns_messageid_t id;
- unsigned int flags;
- isc_boolean_t notimp;
-
- REQUIRE(event != NULL);
- client = event->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
-
- INSIST(client->recursionquota == NULL);
-
- INSIST(client->state ==
- TCP_CLIENT(client) ?
- NS_CLIENTSTATE_READING :
- NS_CLIENTSTATE_READY);
-
- if (event->ev_type == ISC_SOCKEVENT_RECVDONE) {
- INSIST(!TCP_CLIENT(client));
- sevent = (isc_socketevent_t *)event;
- REQUIRE(sevent == client->recvevent);
- isc_buffer_init(&tbuffer, sevent->region.base, sevent->n);
- isc_buffer_add(&tbuffer, sevent->n);
- buffer = &tbuffer;
- result = sevent->result;
- if (result == ISC_R_SUCCESS) {
- client->peeraddr = sevent->address;
- client->peeraddr_valid = ISC_TRUE;
- }
- if ((sevent->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
- client->attributes |= NS_CLIENTATTR_PKTINFO;
- client->pktinfo = sevent->pktinfo;
- }
- if ((sevent->attributes & ISC_SOCKEVENTATTR_MULTICAST) != 0)
- client->attributes |= NS_CLIENTATTR_MULTICAST;
- client->nrecvs--;
- } else {
- INSIST(TCP_CLIENT(client));
- REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
- REQUIRE(event->ev_sender == &client->tcpmsg);
- buffer = &client->tcpmsg.buffer;
- result = client->tcpmsg.result;
- INSIST(client->nreads == 1);
- /*
- * client->peeraddr was set when the connection was accepted.
- */
- client->nreads--;
- }
-
- if (exit_check(client))
- goto cleanup;
- client->state = client->newstate = NS_CLIENTSTATE_WORKING;
-
- isc_task_getcurrenttime(task, &client->requesttime);
- client->now = client->requesttime;
-
- if (result != ISC_R_SUCCESS) {
- if (TCP_CLIENT(client)) {
- ns_client_next(client, result);
- } else {
- if (result != ISC_R_CANCELED)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT,
- ISC_LOG_ERROR,
- "UDP client handler shutting "
- "down due to fatal receive "
- "error: %s",
- isc_result_totext(result));
- isc_task_shutdown(client->task);
- }
- goto cleanup;
- }
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "%s request",
- TCP_CLIENT(client) ? "TCP" : "UDP");
-
- /*
- * Check the blackhole ACL for UDP only, since TCP is done in
- * client_newconn.
- */
- if (!TCP_CLIENT(client)) {
-
- if (ns_g_server->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl,
- &ns_g_server->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "blackholed UDP datagram");
- ns_client_next(client, ISC_R_SUCCESS);
- goto cleanup;
- }
- }
-
- /*
- * Silently drop multicast requests for the present.
- * XXXMPA look at when/if mDNS spec stabilizes.
- */
- if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
- "dropping multicast request");
- ns_client_next(client, DNS_R_REFUSED);
- }
-
- result = dns_message_peekheader(buffer, &id, &flags);
- if (result != ISC_R_SUCCESS) {
- /*
- * There isn't enough header to determine whether
- * this was a request or a response. Drop it.
- */
- ns_client_next(client, result);
- goto cleanup;
- }
-
- /*
- * The client object handles requests, not responses.
- * If this is a UDP response, forward it to the dispatcher.
- * If it's a TCP response, discard it here.
- */
- if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
- if (TCP_CLIENT(client)) {
- CTRACE("unexpected response");
- ns_client_next(client, DNS_R_FORMERR);
- goto cleanup;
- } else {
- dns_dispatch_importrecv(client->dispatch, event);
- ns_client_next(client, ISC_R_SUCCESS);
- goto cleanup;
- }
- }
-
- /*
- * It's a request. Parse it.
- */
- result = dns_message_parse(client->message, buffer, 0);
- if (result != ISC_R_SUCCESS) {
- /*
- * Parsing the request failed. Send a response
- * (typically FORMERR or SERVFAIL).
- */
- ns_client_error(client, result);
- goto cleanup;
- }
-
- switch (client->message->opcode) {
- case dns_opcode_query:
- case dns_opcode_update:
- case dns_opcode_notify:
- notimp = ISC_FALSE;
- break;
- case dns_opcode_iquery:
- default:
- notimp = ISC_TRUE;
- break;
- }
-
- client->message->rcode = dns_rcode_noerror;
-
- /* RFC1123 section 6.1.3.2 */
- if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0)
- client->message->flags &= ~DNS_MESSAGEFLAG_RD;
-
- /*
- * Deal with EDNS.
- */
- opt = dns_message_getopt(client->message);
- if (opt != NULL) {
- unsigned int version;
-
- /*
- * Set the client's UDP buffer size.
- */
- client->udpsize = opt->rdclass;
-
- /*
- * If the requested UDP buffer size is less than 512,
- * ignore it and use 512.
- */
- if (client->udpsize < 512)
- client->udpsize = 512;
-
- /*
- * Get the flags out of the OPT record.
- */
- client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
-
- /*
- * Create an OPT for our reply.
- */
- result = client_addopt(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_error(client, result);
- goto cleanup;
- }
-
- /*
- * Do we understand this version of ENDS?
- *
- * XXXRTH need library support for this!
- */
- version = (opt->ttl & 0x00FF0000) >> 16;
- if (version != 0) {
- ns_client_error(client, DNS_R_BADVERS);
- goto cleanup;
- }
- }
-
- if (client->message->rdclass == 0) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "message class could not be determined");
- ns_client_dumpmessage(client,
- "message class could not be determined");
- ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_FORMERR);
- goto cleanup;
- }
-
- /*
- * Determine the destination address. If the receiving interface is
- * bound to a specific address, we simply use it regardless of the
- * address family. All IPv4 queries should fall into this case.
- * Otherwise, if this is a TCP query, get the address from the
- * receiving socket (this needs a system call and can be heavy).
- * For IPv6 UDP queries, we get this from the pktinfo structure (if
- * supported).
- * If all the attempts fail (this can happen due to memory shortage,
- * etc), we regard this as an error for safety.
- */
- if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
- isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);
- else {
- result = ISC_R_FAILURE;
-
- if (TCP_CLIENT(client)) {
- isc_sockaddr_t destsockaddr;
-
- result = isc_socket_getsockname(client->tcpsocket,
- &destsockaddr);
- if (result == ISC_R_SUCCESS)
- isc_netaddr_fromsockaddr(&destaddr,
- &destsockaddr);
- }
- if (result != ISC_R_SUCCESS &&
- client->interface->addr.type.sa.sa_family == AF_INET6 &&
- (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
- isc_uint32_t zone = 0;
-
- /*
- * XXXJT technically, we should convert the receiving
- * interface ID to a proper scope zone ID. However,
- * due to the fact there is no standard API for this,
- * we only handle link-local addresses and use the
- * interface index as link ID. Despite the assumption,
- * it should cover most typical cases.
- */
- if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
- zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;
-
- isc_netaddr_fromin6(&destaddr,
- &client->pktinfo.ipi6_addr);
- isc_netaddr_setzone(&destaddr, zone);
- result = ISC_R_SUCCESS;
- }
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "failed to get request's "
- "destination: %s",
- isc_result_totext(result));
- goto cleanup;
- }
- }
-
- /*
- * Find a view that matches the client's source address.
- */
- for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link)) {
- if (client->message->rdclass == view->rdclass ||
- client->message->rdclass == dns_rdataclass_any)
- {
- dns_name_t *tsig = NULL;
- sigresult = dns_message_rechecksig(client->message,
- view);
- if (sigresult == ISC_R_SUCCESS)
- tsig = client->message->tsigname;
-
- if (allowed(&netaddr, tsig, view->matchclients) &&
- allowed(&destaddr, tsig, view->matchdestinations) &&
- !((client->message->flags & DNS_MESSAGEFLAG_RD)
- == 0 && view->matchrecursiveonly))
- {
- dns_view_attach(view, &client->view);
- break;
- }
- }
- }
-
- if (view == NULL) {
- char classname[DNS_RDATACLASS_FORMATSIZE];
-
- /*
- * Do a dummy TSIG verification attempt so that the
- * response will have a TSIG if the query did, as
- * required by RFC2845.
- */
- isc_buffer_t b;
- isc_region_t *r;
-
- dns_message_resetsig(client->message);
-
- r = dns_message_getrawmessage(client->message);
- isc_buffer_init(&b, r->base, r->length);
- isc_buffer_add(&b, r->length);
- (void)dns_tsig_verify(&b, client->message, NULL, NULL);
-
- dns_rdataclass_format(client->message->rdclass, classname,
- sizeof(classname));
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "no matching view in class '%s'", classname);
- ns_client_dumpmessage(client, "no matching view in class");
- ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED);
- goto cleanup;
- }
-
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(5),
- "using view '%s'", view->name);
-
- /*
- * Check for a signature. We log bad signatures regardless of
- * whether they ultimately cause the request to be rejected or
- * not. We do not log the lack of a signature unless we are
- * debugging.
- */
- client->signer = NULL;
- dns_name_init(&client->signername, NULL);
- result = dns_message_signer(client->message, &client->signername);
- if (result == ISC_R_SUCCESS) {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request has valid signature");
- client->signer = &client->signername;
- } else if (result == ISC_R_NOTFOUND) {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request is not signed");
- } else if (result == DNS_R_NOIDENTITY) {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "request is signed by a nonauthoritative key");
- } else {
- char tsigrcode[64];
- isc_buffer_t b;
- dns_name_t *name = NULL;
-
- isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
- RUNTIME_CHECK(dns_tsigrcode_totext(client->message->tsigstatus,
- &b) == ISC_R_SUCCESS);
- tsigrcode[isc_buffer_usedlength(&b)] = '\0';
- /* There is a signature, but it is bad. */
- if (dns_message_gettsig(client->message, &name) != NULL) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namebuf, sizeof(namebuf));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: "
- "TSIG %s: %s (%s)", namebuf,
- isc_result_totext(result), tsigrcode);
- } else {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
- "request has invalid signature: %s (%s)",
- isc_result_totext(result), tsigrcode);
- }
- /*
- * Accept update messages signed by unknown keys so that
- * update forwarding works transparently through slaves
- * that don't have all the same keys as the master.
- */
- if (!(client->message->tsigstatus == dns_tsigerror_badkey &&
- client->message->opcode == dns_opcode_update)) {
- ns_client_error(client, sigresult);
- goto cleanup;
- }
- }
-
- /*
- * Decide whether recursive service is available to this client.
- * We do this here rather than in the query code so that we can
- * set the RA bit correctly on all kinds of responses, not just
- * responses to ordinary queries.
- */
- ra = ISC_FALSE;
- if (client->view->resolver != NULL &&
- client->view->recursion == ISC_TRUE &&
- ns_client_checkaclsilent(client, client->view->recursionacl,
- ISC_TRUE) == ISC_R_SUCCESS)
- ra = ISC_TRUE;
-
- if (ra == ISC_TRUE)
- client->attributes |= NS_CLIENTATTR_RA;
-
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
- ISC_LOG_DEBUG(3), ra ? "recursion available" :
- "recursion not available");
-
- /*
- * Dispatch the request.
- */
- switch (client->message->opcode) {
- case dns_opcode_query:
- CTRACE("query");
- ns_query_start(client);
- break;
- case dns_opcode_update:
- CTRACE("update");
- ns_client_settimeout(client, 60);
- ns_update_start(client, sigresult);
- break;
- case dns_opcode_notify:
- CTRACE("notify");
- ns_client_settimeout(client, 60);
- ns_notify_start(client);
- break;
- case dns_opcode_iquery:
- CTRACE("iquery");
- ns_client_error(client, DNS_R_NOTIMP);
- break;
- default:
- CTRACE("unknown opcode");
- ns_client_error(client, DNS_R_NOTIMP);
- }
-
- cleanup:
- return;
-}
-
-static void
-client_timeout(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client;
-
- REQUIRE(event != NULL);
- REQUIRE(event->ev_type == ISC_TIMEREVENT_LIFE ||
- event->ev_type == ISC_TIMEREVENT_IDLE);
- client = event->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
- REQUIRE(client->timer != NULL);
-
- UNUSED(task);
-
- CTRACE("timeout");
-
- isc_event_free(&event);
-
- if (client->shutdown != NULL) {
- (client->shutdown)(client->shutdown_arg, ISC_R_TIMEDOUT);
- client->shutdown = NULL;
- client->shutdown_arg = NULL;
- }
-
- if (client->newstate > NS_CLIENTSTATE_READY)
- client->newstate = NS_CLIENTSTATE_READY;
- (void)exit_check(client);
-}
-
-static isc_result_t
-client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
- ns_client_t *client;
- isc_result_t result;
-
- /*
- * Caller must be holding the manager lock.
- *
- * Note: creating a client does not add the client to the
- * manager's client list or set the client's manager pointer.
- * The caller is responsible for that.
- */
-
- REQUIRE(clientp != NULL && *clientp == NULL);
-
- client = isc_mem_get(manager->mctx, sizeof(*client));
- if (client == NULL)
- return (ISC_R_NOMEMORY);
-
- client->task = NULL;
- result = isc_task_create(manager->taskmgr, 0, &client->task);
- if (result != ISC_R_SUCCESS)
- goto cleanup_client;
- isc_task_setname(client->task, "client", client);
-
- client->timer = NULL;
- result = isc_timer_create(manager->timermgr, isc_timertype_inactive,
- NULL, NULL, client->task, client_timeout,
- client, &client->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup_task;
- client->timerset = ISC_FALSE;
-
- client->message = NULL;
- result = dns_message_create(manager->mctx, DNS_MESSAGE_INTENTPARSE,
- &client->message);
- if (result != ISC_R_SUCCESS)
- goto cleanup_timer;
-
- /* XXXRTH Hardwired constants */
-
- client->sendevent = (isc_socketevent_t *)
- isc_event_allocate(manager->mctx, client,
- ISC_SOCKEVENT_SENDDONE,
- client_senddone, client,
- sizeof(isc_socketevent_t));
- if (client->sendevent == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_message;
- }
-
- client->recvbuf = isc_mem_get(manager->mctx, RECV_BUFFER_SIZE);
- if (client->recvbuf == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_sendevent;
- }
-
- client->recvevent = (isc_socketevent_t *)
- isc_event_allocate(manager->mctx, client,
- ISC_SOCKEVENT_RECVDONE,
- client_request, client,
- sizeof(isc_socketevent_t));
- if (client->recvevent == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_recvbuf;
- }
-
- client->magic = NS_CLIENT_MAGIC;
- client->mctx = manager->mctx;
- client->manager = NULL;
- client->state = NS_CLIENTSTATE_INACTIVE;
- client->newstate = NS_CLIENTSTATE_MAX;
- client->naccepts = 0;
- client->nreads = 0;
- client->nsends = 0;
- client->nrecvs = 0;
- client->nupdates = 0;
- client->nctls = 0;
- client->references = 0;
- client->attributes = 0;
- client->view = NULL;
- client->dispatch = NULL;
- client->udpsocket = NULL;
- client->tcplistener = NULL;
- client->tcpsocket = NULL;
- client->tcpmsg_valid = ISC_FALSE;
- client->tcpbuf = NULL;
- client->opt = NULL;
- client->udpsize = 512;
- client->extflags = 0;
- client->next = NULL;
- client->shutdown = NULL;
- client->shutdown_arg = NULL;
- dns_name_init(&client->signername, NULL);
- client->mortal = ISC_FALSE;
- client->tcpquota = NULL;
- client->recursionquota = NULL;
- client->interface = NULL;
- client->peeraddr_valid = ISC_FALSE;
- ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
- NS_EVENT_CLIENTCONTROL, client_start, client, client,
- NULL, NULL);
- /*
- * Initialize FORMERR cache to sentinel value that will not match
- * any actual FORMERR response.
- */
- isc_sockaddr_any(&client->formerrcache.addr);
- client->formerrcache.time = 0;
- client->formerrcache.id = 0;
- ISC_LINK_INIT(client, link);
- client->list = NULL;
-
- /*
- * We call the init routines for the various kinds of client here,
- * after we have created an otherwise valid client, because some
- * of them call routines that REQUIRE(NS_CLIENT_VALID(client)).
- */
- result = ns_query_init(client);
- if (result != ISC_R_SUCCESS)
- goto cleanup_recvevent;
-
- result = isc_task_onshutdown(client->task, client_shutdown, client);
- if (result != ISC_R_SUCCESS)
- goto cleanup_query;
-
- CTRACE("create");
-
- *clientp = client;
-
- return (ISC_R_SUCCESS);
-
- cleanup_query:
- ns_query_free(client);
-
- cleanup_recvevent:
- isc_event_free((isc_event_t **)&client->recvevent);
-
- cleanup_recvbuf:
- isc_mem_put(manager->mctx, client->recvbuf, RECV_BUFFER_SIZE);
-
- cleanup_sendevent:
- isc_event_free((isc_event_t **)&client->sendevent);
-
- client->magic = 0;
-
- cleanup_message:
- dns_message_destroy(&client->message);
-
- cleanup_timer:
- isc_timer_detach(&client->timer);
-
- cleanup_task:
- isc_task_detach(&client->task);
-
- cleanup_client:
- isc_mem_put(manager->mctx, client, sizeof(*client));
-
- return (result);
-}
-
-static void
-client_read(ns_client_t *client) {
- isc_result_t result;
-
- CTRACE("read");
-
- result = dns_tcpmsg_readmessage(&client->tcpmsg, client->task,
- client_request, client);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- /*
- * Set a timeout to limit the amount of time we will wait
- * for a request on this TCP connection.
- */
- ns_client_settimeout(client, 30);
-
- client->state = client->newstate = NS_CLIENTSTATE_READING;
- INSIST(client->nreads == 0);
- INSIST(client->recursionquota == NULL);
- client->nreads++;
-
- return;
- fail:
- ns_client_next(client, result);
-}
-
-static void
-client_newconn(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client = event->ev_arg;
- isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- isc_result_t result;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(client->task == task);
-
- UNUSED(task);
-
- INSIST(client->state == NS_CLIENTSTATE_READY);
-
- INSIST(client->naccepts == 1);
- client->naccepts--;
-
- LOCK(&client->interface->lock);
- INSIST(client->interface->ntcpcurrent > 0);
- client->interface->ntcpcurrent--;
- UNLOCK(&client->interface->lock);
-
- /*
- * We must take ownership of the new socket before the exit
- * check to make sure it gets destroyed if we decide to exit.
- */
- if (nevent->result == ISC_R_SUCCESS) {
- client->tcpsocket = nevent->newsocket;
- client->state = NS_CLIENTSTATE_READING;
- INSIST(client->recursionquota == NULL);
-
- (void)isc_socket_getpeername(client->tcpsocket,
- &client->peeraddr);
- client->peeraddr_valid = ISC_TRUE;
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "new TCP connection");
- } else {
- /*
- * XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
- * service may eventually stop.
- *
- * For now, we just go idle.
- *
- * Going idle is probably the right thing if the
- * I/O was canceled.
- */
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "accept failed: %s",
- isc_result_totext(nevent->result));
- }
-
- if (exit_check(client))
- goto freeevent;
-
- if (nevent->result == ISC_R_SUCCESS) {
- int match;
- isc_netaddr_t netaddr;
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
- if (ns_g_server->blackholeacl != NULL &&
- dns_acl_match(&netaddr, NULL,
- ns_g_server->blackholeacl,
- &ns_g_server->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- {
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "blackholed connection attempt");
- client->newstate = NS_CLIENTSTATE_READY;
- (void)exit_check(client);
- goto freeevent;
- }
-
- INSIST(client->tcpmsg_valid == ISC_FALSE);
- dns_tcpmsg_init(client->mctx, client->tcpsocket,
- &client->tcpmsg);
- client->tcpmsg_valid = ISC_TRUE;
-
- /*
- * Let a new client take our place immediately, before
- * we wait for a request packet. If we don't,
- * telnetting to port 53 (once per CPU) will
- * deny service to legititmate TCP clients.
- */
- result = isc_quota_attach(&ns_g_server->tcpquota,
- &client->tcpquota);
- if (result == ISC_R_SUCCESS)
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
- "no more TCP clients: %s",
- isc_result_totext(result));
- }
-
- client_read(client);
- }
-
- freeevent:
- isc_event_free(&event);
-}
-
-static void
-client_accept(ns_client_t *client) {
- isc_result_t result;
-
- CTRACE("accept");
-
- result = isc_socket_accept(client->tcplistener, client->task,
- client_newconn, client);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
- /*
- * XXXRTH What should we do? We're trying to accept but
- * it didn't work. If we just give up, then TCP
- * service may eventually stop.
- *
- * For now, we just go idle.
- */
- return;
- }
- INSIST(client->naccepts == 0);
- client->naccepts++;
- LOCK(&client->interface->lock);
- client->interface->ntcpcurrent++;
- UNLOCK(&client->interface->lock);
-}
-
-static void
-client_udprecv(ns_client_t *client) {
- isc_result_t result;
- isc_region_t r;
-
- CTRACE("udprecv");
-
- r.base = client->recvbuf;
- r.length = RECV_BUFFER_SIZE;
- result = isc_socket_recv2(client->udpsocket, &r, 1,
- client->task, client->recvevent, 0);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_recv2() failed: %s",
- isc_result_totext(result));
- /*
- * This cannot happen in the current implementation, since
- * isc_socket_recv2() cannot fail if flags == 0.
- *
- * If this does fail, we just go idle.
- */
- return;
- }
- INSIST(client->nrecvs == 0);
- client->nrecvs++;
-}
-
-void
-ns_client_attach(ns_client_t *source, ns_client_t **targetp) {
- REQUIRE(NS_CLIENT_VALID(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- source->references++;
- ns_client_log(source, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "ns_client_attach: ref = %d", source->references);
- *targetp = source;
-}
-
-void
-ns_client_detach(ns_client_t **clientp) {
- ns_client_t *client = *clientp;
-
- client->references--;
- INSIST(client->references >= 0);
- *clientp = NULL;
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
- "ns_client_detach: ref = %d", client->references);
- (void)exit_check(client);
-}
-
-isc_boolean_t
-ns_client_shuttingdown(ns_client_t *client) {
- return (ISC_TF(client->newstate == NS_CLIENTSTATE_FREED));
-}
-
-isc_result_t
-ns_client_replace(ns_client_t *client) {
- isc_result_t result;
-
- CTRACE("replace");
-
- result = ns_clientmgr_createclients(client->manager,
- 1, client->interface,
- (TCP_CLIENT(client) ?
- ISC_TRUE : ISC_FALSE));
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * The responsibility for listening for new requests is hereby
- * transferred to the new client. Therefore, the old client
- * should refrain from listening for any more requests.
- */
- client->mortal = ISC_TRUE;
-
- return (ISC_R_SUCCESS);
-}
-
-/***
- *** Client Manager
- ***/
-
-static void
-clientmgr_destroy(ns_clientmgr_t *manager) {
- REQUIRE(ISC_LIST_EMPTY(manager->active));
- REQUIRE(ISC_LIST_EMPTY(manager->inactive));
- REQUIRE(ISC_LIST_EMPTY(manager->recursing));
-
- MTRACE("clientmgr_destroy");
-
- DESTROYLOCK(&manager->lock);
- manager->magic = 0;
- isc_mem_put(manager->mctx, manager, sizeof(*manager));
-}
-
-isc_result_t
-ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, ns_clientmgr_t **managerp)
-{
- ns_clientmgr_t *manager;
- isc_result_t result;
-
- manager = isc_mem_get(mctx, sizeof(*manager));
- if (manager == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_mutex_init(&manager->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_manager;
-
- manager->mctx = mctx;
- manager->taskmgr = taskmgr;
- manager->timermgr = timermgr;
- manager->exiting = ISC_FALSE;
- ISC_LIST_INIT(manager->active);
- ISC_LIST_INIT(manager->inactive);
- ISC_LIST_INIT(manager->recursing);
- manager->magic = MANAGER_MAGIC;
-
- MTRACE("create");
-
- *managerp = manager;
-
- return (ISC_R_SUCCESS);
-
- cleanup_manager:
- isc_mem_put(manager->mctx, manager, sizeof(*manager));
-
- return (result);
-}
-
-void
-ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
- ns_clientmgr_t *manager;
- ns_client_t *client;
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(managerp != NULL);
- manager = *managerp;
- REQUIRE(VALID_MANAGER(manager));
-
- MTRACE("destroy");
-
- LOCK(&manager->lock);
-
- manager->exiting = ISC_TRUE;
-
- for (client = ISC_LIST_HEAD(manager->recursing);
- client != NULL;
- client = ISC_LIST_NEXT(client, link))
- isc_task_shutdown(client->task);
-
- for (client = ISC_LIST_HEAD(manager->active);
- client != NULL;
- client = ISC_LIST_NEXT(client, link))
- isc_task_shutdown(client->task);
-
- for (client = ISC_LIST_HEAD(manager->inactive);
- client != NULL;
- client = ISC_LIST_NEXT(client, link))
- isc_task_shutdown(client->task);
-
- if (ISC_LIST_EMPTY(manager->active) &&
- ISC_LIST_EMPTY(manager->inactive) &&
- ISC_LIST_EMPTY(manager->recursing))
- need_destroy = ISC_TRUE;
-
- UNLOCK(&manager->lock);
-
- if (need_destroy)
- clientmgr_destroy(manager);
-
- *managerp = NULL;
-}
-
-isc_result_t
-ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
- ns_interface_t *ifp, isc_boolean_t tcp)
-{
- isc_result_t result = ISC_R_SUCCESS;
- unsigned int i;
- ns_client_t *client;
-
- REQUIRE(VALID_MANAGER(manager));
- REQUIRE(n > 0);
-
- MTRACE("createclients");
-
- /*
- * We MUST lock the manager lock for the entire client creation
- * process. If we didn't do this, then a client could get a
- * shutdown event and disappear out from under us.
- */
-
- LOCK(&manager->lock);
-
- for (i = 0; i < n; i++) {
- isc_event_t *ev;
- /*
- * Allocate a client. First try to get a recycled one;
- * if that fails, make a new one.
- */
- client = ISC_LIST_HEAD(manager->inactive);
- if (client != NULL) {
- MTRACE("recycle");
- ISC_LIST_UNLINK(manager->inactive, client, link);
- client->list = NULL;
- } else {
- MTRACE("create new");
- result = client_create(manager, &client);
- if (result != ISC_R_SUCCESS)
- break;
- }
-
- ns_interface_attach(ifp, &client->interface);
- client->state = NS_CLIENTSTATE_READY;
- INSIST(client->recursionquota == NULL);
-
- if (tcp) {
- client->attributes |= NS_CLIENTATTR_TCP;
- isc_socket_attach(ifp->tcpsocket,
- &client->tcplistener);
- } else {
- isc_socket_t *sock;
-
- dns_dispatch_attach(ifp->udpdispatch,
- &client->dispatch);
- sock = dns_dispatch_getsocket(client->dispatch);
- isc_socket_attach(sock, &client->udpsocket);
- }
- client->manager = manager;
- ISC_LIST_APPEND(manager->active, client, link);
- client->list = &manager->active;
-
- INSIST(client->nctls == 0);
- client->nctls++;
- ev = &client->ctlevent;
- isc_task_send(client->task, &ev);
- }
- if (i != 0) {
- /*
- * We managed to create at least one client, so we
- * declare victory.
- */
- result = ISC_R_SUCCESS;
- }
-
- UNLOCK(&manager->lock);
-
- return (result);
-}
-
-isc_sockaddr_t *
-ns_client_getsockaddr(ns_client_t *client) {
- return (&client->peeraddr);
-}
-
-isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
- isc_boolean_t default_allow)
-{
- isc_result_t result;
- int match;
- isc_netaddr_t netaddr;
-
- if (acl == NULL) {
- if (default_allow)
- goto allow;
- else
- goto deny;
- }
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
-
- result = dns_acl_match(&netaddr, client->signer, acl,
- &ns_g_server->aclenv,
- &match, NULL);
- if (result != ISC_R_SUCCESS)
- goto deny; /* Internal error, already logged. */
- if (match > 0)
- goto allow;
- goto deny; /* Negative match or no match. */
-
- allow:
- return (ISC_R_SUCCESS);
-
- deny:
- return (DNS_R_REFUSED);
-}
-
-isc_result_t
-ns_client_checkacl(ns_client_t *client,
- const char *opname, dns_acl_t *acl,
- isc_boolean_t default_allow, int log_level)
-{
- isc_result_t result =
- ns_client_checkaclsilent(client, acl, default_allow);
-
- if (result == ISC_R_SUCCESS)
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
- "%s approved", opname);
- else
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_CLIENT,
- log_level, "%s denied", opname);
- return (result);
-}
-
-static void
-ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
- if (client->peeraddr_valid)
- isc_sockaddr_format(&client->peeraddr, peerbuf, len);
- else
- snprintf(peerbuf, len, "@%p", client);
-}
-
-void
-ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
-{
- char msgbuf[2048];
- char peerbuf[ISC_SOCKADDR_FORMATSIZE];
- const char *name = "";
- const char *sep = "";
-
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- ns_client_name(client, peerbuf, sizeof(peerbuf));
- if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 &&
- strcmp(client->view->name, "_default") != 0) {
- name = client->view->name;
- sep = ": view ";
- }
-
- isc_log_write(ns_g_lctx, category, module, level,
- "client %s%s%s: %s", peerbuf, sep, name, msgbuf);
-}
-
-void
-ns_client_log(ns_client_t *client, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, ...)
-{
- va_list ap;
-
- if (! isc_log_wouldlog(ns_g_lctx, level))
- return;
-
- va_start(ap, fmt);
- ns_client_logv(client, category, module, level, fmt, ap);
- va_end(ap);
-}
-
-void
-ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataclass_t rdclass, char *buf, size_t len)
-{
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
- dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
- (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
- classbuf);
-}
-
-static void
-ns_client_dumpmessage(ns_client_t *client, const char *reason) {
- isc_buffer_t buffer;
- char *buf = NULL;
- int len = 1024;
- isc_result_t result;
-
- /*
- * Note that these are multiline debug messages. We want a newline
- * to appear in the log after each message.
- */
-
- do {
- buf = isc_mem_get(client->mctx, len);
- if (buf == NULL)
- break;
- isc_buffer_init(&buffer, buf, len);
- result = dns_message_totext(client->message,
- &dns_master_style_debug,
- 0, &buffer);
- if (result == ISC_R_NOSPACE) {
- isc_mem_put(client->mctx, buf, len);
- len += 1024;
- } else if (result == ISC_R_SUCCESS)
- ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
- NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
- "%s\n%.*s", reason,
- (int)isc_buffer_usedlength(&buffer),
- buf);
- } while (result == ISC_R_NOSPACE);
-
- if (buf != NULL)
- isc_mem_put(client->mctx, buf, len);
-}
-
-void
-ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
- ns_client_t *client;
- char namebuf[DNS_NAME_FORMATSIZE];
- char peerbuf[ISC_SOCKADDR_FORMATSIZE];
- const char *name;
- const char *sep;
-
- REQUIRE(VALID_MANAGER(manager));
-
- LOCK(&manager->lock);
- client = ISC_LIST_HEAD(manager->recursing);
- while (client != NULL) {
- ns_client_name(client, peerbuf, sizeof(peerbuf));
- if (client->view != NULL &&
- strcmp(client->view->name, "_bind") != 0 &&
- strcmp(client->view->name, "_default") != 0) {
- name = client->view->name;
- sep = ": view ";
- } else {
- name = "";
- sep = "";
- }
- dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
- fprintf(f, "; client %s%s%s: '%s' requesttime %d\n",
- peerbuf, sep, name, namebuf, client->requesttime);
- client = ISC_LIST_NEXT(client, link);
- }
- UNLOCK(&manager->lock);
-}
diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c
deleted file mode 100644
index 99e5ffa7f418..000000000000
--- a/contrib/bind9/bin/named/config.c
+++ /dev/null
@@ -1,723 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: config.c,v 1.11.2.4.8.29 2004/10/05 02:52:26 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/tsig.h>
-#include <dns/zone.h>
-
-#include <named/config.h>
-#include <named/globals.h>
-
-static char defaultconf[] = "\
-options {\n\
-# blackhole {none;};\n"
-#ifndef WIN32
-" coresize default;\n\
- datasize default;\n\
- files default;\n\
- stacksize default;\n"
-#endif
-" deallocate-on-exit true;\n\
-# directory <none>\n\
- dump-file \"named_dump.db\";\n\
- fake-iquery no;\n\
- has-old-clients false;\n\
- heartbeat-interval 60;\n\
- host-statistics no;\n\
- interface-interval 60;\n\
- listen-on {any;};\n\
- listen-on-v6 {none;};\n\
- match-mapped-addresses no;\n\
- memstatistics-file \"named.memstats\";\n\
- multiple-cnames no;\n\
-# named-xfer <obsolete>;\n\
-# pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\
- port 53;\n\
- recursing-file \"named.recursing\";\n\
-"
-#ifdef PATH_RANDOMDEV
-"\
- random-device \"" PATH_RANDOMDEV "\";\n\
-"
-#endif
-"\
- recursive-clients 1000;\n\
- rrset-order {order cyclic;};\n\
- serial-queries 20;\n\
- serial-query-rate 20;\n\
- server-id none;\n\
- statistics-file \"named.stats\";\n\
- statistics-interval 60;\n\
- tcp-clients 100;\n\
- tcp-listen-queue 3;\n\
-# tkey-dhkey <none>\n\
-# tkey-gssapi-credential <none>\n\
-# tkey-domain <none>\n\
- transfers-per-ns 2;\n\
- transfers-in 10;\n\
- transfers-out 10;\n\
- treat-cr-as-space true;\n\
- use-id-pool true;\n\
- use-ixfr true;\n\
- edns-udp-size 4096;\n\
-\n\
- /* view */\n\
- allow-notify {none;};\n\
- allow-update-forwarding {none;};\n\
- allow-recursion {any;};\n\
-# allow-v6-synthesis <obsolete>;\n\
-# sortlist <none>\n\
-# topology <none>\n\
- auth-nxdomain false;\n\
- minimal-responses false;\n\
- recursion true;\n\
- provide-ixfr true;\n\
- request-ixfr true;\n\
- fetch-glue no;\n\
- rfc2308-type1 no;\n\
- additional-from-auth true;\n\
- additional-from-cache true;\n\
- query-source address *;\n\
- query-source-v6 address *;\n\
- notify-source *;\n\
- notify-source-v6 *;\n\
- cleaning-interval 60;\n\
- min-roots 2;\n\
- lame-ttl 600;\n\
- max-ncache-ttl 10800; /* 3 hours */\n\
- max-cache-ttl 604800; /* 1 week */\n\
- transfer-format many-answers;\n\
- max-cache-size 0;\n\
- check-names master fail;\n\
- check-names slave warn;\n\
- check-names response ignore;\n\
- dnssec-enable no; /* Make yes for 9.4. */ \n\
-"
-
-" /* zone */\n\
- allow-query {any;};\n\
- allow-transfer {any;};\n\
- notify yes;\n\
-# also-notify <none>\n\
- dialup no;\n\
-# forward <none>\n\
-# forwarders <none>\n\
- maintain-ixfr-base no;\n\
-# max-ixfr-log-size <obsolete>\n\
- transfer-source *;\n\
- transfer-source-v6 *;\n\
- alt-transfer-source *;\n\
- alt-transfer-source-v6 *;\n\
- max-transfer-time-in 120;\n\
- max-transfer-time-out 120;\n\
- max-transfer-idle-in 60;\n\
- max-transfer-idle-out 60;\n\
- max-retry-time 1209600; /* 2 weeks */\n\
- min-retry-time 500;\n\
- max-refresh-time 2419200; /* 4 weeks */\n\
- min-refresh-time 300;\n\
- multi-master no;\n\
- sig-validity-interval 30; /* days */\n\
- zone-statistics false;\n\
- max-journal-size unlimited;\n\
- ixfr-from-differences false;\n\
-};\n\
-"
-
-"#\n\
-# Zones in the \"_bind\" view are NOT counted is the count of zones.\n\
-#\n\
-view \"_bind\" chaos {\n\
- recursion no;\n\
- notify no;\n\
-\n\
- zone \"version.bind\" chaos {\n\
- type master;\n\
- database \"_builtin version\";\n\
- };\n\
-\n\
- zone \"hostname.bind\" chaos {\n\
- type master;\n\
- database \"_builtin hostname\";\n\
- };\n\
-\n\
- zone \"authors.bind\" chaos {\n\
- type master;\n\
- database \"_builtin authors\";\n\
- };\n\
- zone \"id.server\" chaos {\n\
- type master;\n\
- database \"_builtin id\";\n\
- };\n\
-};\n\
-";
-
-isc_result_t
-ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
- isc_buffer_t b;
-
- isc_buffer_init(&b, defaultconf, sizeof(defaultconf) - 1);
- isc_buffer_add(&b, sizeof(defaultconf) - 1);
- return (cfg_parse_buffer(parser, &b, &cfg_type_namedconf, conf));
-}
-
-isc_result_t
-ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
- int i;
-
- for (i = 0;; i++) {
- if (maps[i] == NULL)
- return (ISC_R_NOTFOUND);
- if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
- }
-}
-
-isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
- cfg_listelt_t *element;
- cfg_obj_t *checknames;
- cfg_obj_t *type;
- cfg_obj_t *value;
- int i;
-
- for (i = 0;; i++) {
- if (maps[i] == NULL)
- return (ISC_R_NOTFOUND);
- checknames = NULL;
- if (cfg_map_get(maps[i], "check-names", &checknames) == ISC_R_SUCCESS) {
- /*
- * Zone map entry is not a list.
- */
- if (checknames != NULL && !cfg_obj_islist(checknames)) {
- *obj = checknames;
- return (ISC_R_SUCCESS);
- }
- for (element = cfg_list_first(checknames);
- element != NULL;
- element = cfg_list_next(element)) {
- value = cfg_listelt_value(element);
- type = cfg_tuple_get(value, "type");
- if (strcasecmp(cfg_obj_asstring(type), which) == 0) {
- *obj = cfg_tuple_get(value, "mode");
- return (ISC_R_SUCCESS);
- }
- }
-
- }
- }
-}
-
-int
-ns_config_listcount(cfg_obj_t *list) {
- cfg_listelt_t *e;
- int i = 0;
-
- for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
- i++;
-
- return (i);
-}
-
-isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
- dns_rdataclass_t *classp) {
- char *str;
- isc_textregion_t r;
- isc_result_t result;
-
- if (!cfg_obj_isstring(classobj)) {
- *classp = defclass;
- return (ISC_R_SUCCESS);
- }
- str = cfg_obj_asstring(classobj);
- r.base = str;
- r.length = strlen(str);
- result = dns_rdataclass_fromtext(classp, &r);
- if (result != ISC_R_SUCCESS)
- cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR,
- "unknown class '%s'", str);
- return (result);
-}
-
-isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
- dns_rdatatype_t *typep) {
- char *str;
- isc_textregion_t r;
- isc_result_t result;
-
- if (!cfg_obj_isstring(typeobj)) {
- *typep = deftype;
- return (ISC_R_SUCCESS);
- }
- str = cfg_obj_asstring(typeobj);
- r.base = str;
- r.length = strlen(str);
- result = dns_rdatatype_fromtext(typep, &r);
- if (result != ISC_R_SUCCESS)
- cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR,
- "unknown type '%s'", str);
- return (result);
-}
-
-dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
- dns_zonetype_t ztype = dns_zone_none;
- char *str;
-
- str = cfg_obj_asstring(zonetypeobj);
- if (strcasecmp(str, "master") == 0)
- ztype = dns_zone_master;
- else if (strcasecmp(str, "slave") == 0)
- ztype = dns_zone_slave;
- else if (strcasecmp(str, "stub") == 0)
- ztype = dns_zone_stub;
- else
- INSIST(0);
- return (ztype);
-}
-
-isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
- in_port_t defport, isc_mem_t *mctx,
- isc_sockaddr_t **addrsp, isc_uint32_t *countp)
-{
- int count, i = 0;
- cfg_obj_t *addrlist;
- cfg_obj_t *portobj;
- cfg_listelt_t *element;
- isc_sockaddr_t *addrs;
- in_port_t port;
- isc_result_t result;
-
- INSIST(addrsp != NULL && *addrsp == NULL);
- INSIST(countp != NULL);
-
- addrlist = cfg_tuple_get(list, "addresses");
- count = ns_config_listcount(addrlist);
-
- portobj = cfg_tuple_get(list, "port");
- if (cfg_obj_isuint32(portobj)) {
- isc_uint32_t val = cfg_obj_asuint32(portobj);
- if (val > ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
- "port '%u' out of range", val);
- return (ISC_R_RANGE);
- }
- port = (in_port_t) val;
- } else if (defport != 0)
- port = defport;
- else {
- result = ns_config_getport(config, &port);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
- if (addrs == NULL)
- return (ISC_R_NOMEMORY);
-
- for (element = cfg_list_first(addrlist);
- element != NULL;
- element = cfg_list_next(element), i++)
- {
- INSIST(i < count);
- addrs[i] = *cfg_obj_assockaddr(cfg_listelt_value(element));
- if (isc_sockaddr_getport(&addrs[i]) == 0)
- isc_sockaddr_setport(&addrs[i], port);
- }
- INSIST(i == count);
-
- *addrsp = addrs;
- *countp = count;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
- isc_uint32_t count)
-{
- INSIST(addrsp != NULL && *addrsp != NULL);
-
- isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
- *addrsp = NULL;
-}
-
-static isc_result_t
-get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *masters = NULL;
- cfg_listelt_t *elt;
-
- result = cfg_map_get(cctx, "masters", &masters);
- if (result != ISC_R_SUCCESS)
- return (result);
- for (elt = cfg_list_first(masters);
- elt != NULL;
- elt = cfg_list_next(elt)) {
- cfg_obj_t *list;
- const char *listname;
-
- list = cfg_listelt_value(elt);
- listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
-
- if (strcasecmp(listname, name) == 0) {
- *ret = list;
- return (ISC_R_SUCCESS);
- }
- }
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
- isc_sockaddr_t **addrsp, dns_name_t ***keysp,
- isc_uint32_t *countp)
-{
- isc_uint32_t addrcount = 0, keycount = 0, i = 0;
- isc_uint32_t listcount = 0, l = 0, j;
- isc_uint32_t stackcount = 0, pushed = 0;
- isc_result_t result;
- cfg_listelt_t *element;
- cfg_obj_t *addrlist;
- cfg_obj_t *portobj;
- in_port_t port;
- dns_fixedname_t fname;
- isc_sockaddr_t *addrs = NULL;
- dns_name_t **keys = NULL;
- char **lists = NULL;
- struct {
- cfg_listelt_t *element;
- in_port_t port;
- } *stack = NULL;
-
- REQUIRE(addrsp != NULL && *addrsp == NULL);
- REQUIRE(keysp != NULL && *keysp == NULL);
- REQUIRE(countp != NULL);
-
- newlist:
- addrlist = cfg_tuple_get(list, "addresses");
- portobj = cfg_tuple_get(list, "port");
- if (cfg_obj_isuint32(portobj)) {
- isc_uint32_t val = cfg_obj_asuint32(portobj);
- if (val > ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
- "port '%u' out of range", val);
- return (ISC_R_RANGE);
- }
- port = (in_port_t) val;
- } else {
- result = ns_config_getport(config, &port);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- result = ISC_R_NOMEMORY;
-
- element = cfg_list_first(addrlist);
- resume:
- for ( ;
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *addr;
- cfg_obj_t *key;
- char *keystr;
- isc_buffer_t b;
-
- addr = cfg_tuple_get(cfg_listelt_value(element),
- "masterselement");
- key = cfg_tuple_get(cfg_listelt_value(element), "key");
-
- if (!cfg_obj_issockaddr(addr)) {
- char *listname = cfg_obj_asstring(addr);
- isc_result_t tresult;
-
- /* Grow lists? */
- if (listcount == l) {
- void * new;
- isc_uint32_t newlen = listcount + 16;
- size_t newsize, oldsize;
-
- newsize = newlen * sizeof(*lists);
- oldsize = listcount * sizeof(*lists);
- new = isc_mem_get(mctx, newsize);
- if (new == NULL)
- goto cleanup;
- if (listcount != 0) {
- memcpy(new, lists, oldsize);
- isc_mem_put(mctx, lists, oldsize);
- }
- lists = new;
- listcount = newlen;
- }
- /* Seen? */
- for (j = 0; j < l; j++)
- if (strcasecmp(lists[j], listname) == 0)
- break;
- if (j < l)
- continue;
- tresult = get_masters_def(config, listname, &list);
- if (tresult == ISC_R_NOTFOUND) {
- cfg_obj_log(addr, ns_g_lctx, ISC_LOG_ERROR,
- "masters \"%s\" not found", listname);
-
- result = tresult;
- goto cleanup;
- }
- if (tresult != ISC_R_SUCCESS)
- goto cleanup;
- lists[l++] = listname;
- /* Grow stack? */
- if (stackcount == pushed) {
- void * new;
- isc_uint32_t newlen = stackcount + 16;
- size_t newsize, oldsize;
-
- newsize = newlen * sizeof(*stack);
- oldsize = stackcount * sizeof(*stack);
- new = isc_mem_get(mctx, newsize);
- if (new == NULL)
- goto cleanup;
- if (stackcount != 0) {
- memcpy(new, stack, oldsize);
- isc_mem_put(mctx, stack, oldsize);
- }
- stack = new;
- stackcount = newlen;
- }
- /*
- * We want to resume processing this list on the
- * next element.
- */
- stack[pushed].element = cfg_list_next(element);
- stack[pushed].port = port;
- pushed++;
- goto newlist;
- }
-
- if (i == addrcount) {
- void * new;
- isc_uint32_t newlen = addrcount + 16;
- size_t newsize, oldsize;
-
- newsize = newlen * sizeof(isc_sockaddr_t);
- oldsize = addrcount * sizeof(isc_sockaddr_t);
- new = isc_mem_get(mctx, newsize);
- if (new == NULL)
- goto cleanup;
- if (addrcount != 0) {
- memcpy(new, addrs, oldsize);
- isc_mem_put(mctx, addrs, oldsize);
- }
- addrs = new;
- addrcount = newlen;
-
- newsize = newlen * sizeof(dns_name_t *);
- oldsize = keycount * sizeof(dns_name_t *);
- new = isc_mem_get(mctx, newsize);
- if (new == NULL)
- goto cleanup;
- if (keycount != 0) {
- memcpy(new, keys, oldsize);
- isc_mem_put(mctx, keys, oldsize);
- }
- keys = new;
- keycount = newlen;
- }
-
- addrs[i] = *cfg_obj_assockaddr(addr);
- if (isc_sockaddr_getport(&addrs[i]) == 0)
- isc_sockaddr_setport(&addrs[i], port);
- keys[i] = NULL;
- if (!cfg_obj_isstring(key)) {
- i++;
- continue;
- }
- keys[i] = isc_mem_get(mctx, sizeof(dns_name_t));
- if (keys[i] == NULL)
- goto cleanup;
- dns_name_init(keys[i], NULL);
-
- keystr = cfg_obj_asstring(key);
- isc_buffer_init(&b, keystr, strlen(keystr));
- isc_buffer_add(&b, strlen(keystr));
- dns_fixedname_init(&fname);
- result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_name_dup(dns_fixedname_name(&fname), mctx,
- keys[i]);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- i++;
- }
- if (pushed != 0) {
- pushed--;
- element = stack[pushed].element;
- port = stack[pushed].port;
- goto resume;
- }
- if (i < addrcount) {
- void * new;
- size_t newsize, oldsize;
-
- newsize = i * sizeof(isc_sockaddr_t);
- oldsize = addrcount * sizeof(isc_sockaddr_t);
- if (i != 0) {
- new = isc_mem_get(mctx, newsize);
- if (new == NULL)
- goto cleanup;
- memcpy(new, addrs, newsize);
- isc_mem_put(mctx, addrs, oldsize);
- } else
- new = NULL;
- addrs = new;
- addrcount = i;
-
- newsize = i * sizeof(dns_name_t *);
- oldsize = keycount * sizeof(dns_name_t *);
- if (i != 0) {
- new = isc_mem_get(mctx, newsize);
- if (new == NULL)
- goto cleanup;
- memcpy(new, keys, newsize);
- isc_mem_put(mctx, keys, oldsize);
- } else
- new = NULL;
- keys = new;
- keycount = i;
- }
-
- if (lists != NULL)
- isc_mem_put(mctx, lists, listcount * sizeof(*lists));
- if (stack != NULL)
- isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
-
- INSIST(keycount == addrcount);
-
- *addrsp = addrs;
- *keysp = keys;
- *countp = addrcount;
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (addrs != NULL)
- isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
- if (keys != NULL) {
- for (j = 0; j <= i; j++) {
- if (keys[j] == NULL)
- continue;
- if (dns_name_dynamic(keys[j]))
- dns_name_free(keys[j], mctx);
- isc_mem_put(mctx, keys[j], sizeof(dns_name_t));
- }
- isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *));
- }
- if (lists != NULL)
- isc_mem_put(mctx, lists, listcount * sizeof(*lists));
- if (stack != NULL)
- isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
- return (result);
-}
-
-void
-ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
- dns_name_t ***keysp, isc_uint32_t count)
-{
- unsigned int i;
- dns_name_t **keys = *keysp;
-
- INSIST(addrsp != NULL && *addrsp != NULL);
-
- isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
- for (i = 0; i < count; i++) {
- if (keys[i] == NULL)
- continue;
- if (dns_name_dynamic(keys[i]))
- dns_name_free(keys[i], mctx);
- isc_mem_put(mctx, keys[i], sizeof(dns_name_t));
- }
- isc_mem_put(mctx, *keysp, count * sizeof(dns_name_t *));
- *addrsp = NULL;
- *keysp = NULL;
-}
-
-isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
- cfg_obj_t *maps[3];
- cfg_obj_t *options = NULL;
- cfg_obj_t *portobj = NULL;
- isc_result_t result;
- int i;
-
- (void)cfg_map_get(config, "options", &options);
- i = 0;
- if (options != NULL)
- maps[i++] = options;
- maps[i++] = ns_g_defaults;
- maps[i] = NULL;
-
- result = ns_config_get(maps, "port", &portobj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
- "port '%u' out of range",
- cfg_obj_asuint32(portobj));
- return (ISC_R_RANGE);
- }
- *portp = (in_port_t)cfg_obj_asuint32(portobj);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name)
-{
- if (strcasecmp(str, "hmac-md5") == 0 ||
- strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 ||
- strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0)
- {
- if (name != NULL)
- *name = dns_tsig_hmacmd5_name;
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_NOTFOUND);
-}
diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c
deleted file mode 100644
index c9d17abe0276..000000000000
--- a/contrib/bind9/bin/named/control.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: control.c,v 1.7.2.2.2.14 2005/04/29 01:04:47 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/app.h>
-#include <isc/event.h>
-#include <isc/mem.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-
-#include <isccc/alist.h>
-#include <isccc/cc.h>
-#include <isccc/result.h>
-
-#include <named/control.h>
-#include <named/log.h>
-#include <named/os.h>
-#include <named/server.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
-
-static isc_boolean_t
-command_compare(const char *text, const char *command) {
- unsigned int commandlen = strlen(command);
- if (strncasecmp(text, command, commandlen) == 0 &&
- (text[commandlen] == '\0' ||
- text[commandlen] == ' ' ||
- text[commandlen] == '\t'))
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-/*
- * This function is called to process the incoming command
- * when a control channel message is received.
- */
-isc_result_t
-ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
- isccc_sexpr_t *data;
- char *command;
- isc_result_t result;
-#ifdef HAVE_LIBSCF
- ns_smf_want_disable = 0;
-#endif
-
- data = isccc_alist_lookup(message, "_data");
- if (data == NULL) {
- /*
- * No data section.
- */
- return (ISC_R_FAILURE);
- }
-
- result = isccc_cc_lookupstring(data, "type", &command);
- if (result != ISC_R_SUCCESS) {
- /*
- * We have no idea what this is.
- */
- return (result);
- }
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
- "received control channel command '%s'",
- command);
-
- /*
- * Compare the 'command' parameter against all known control commands.
- */
- if (command_compare(command, NS_COMMAND_RELOAD)) {
- result = ns_server_reloadcommand(ns_g_server, command, text);
- } else if (command_compare(command, NS_COMMAND_RECONFIG)) {
- result = ns_server_reconfigcommand(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_REFRESH)) {
- result = ns_server_refreshcommand(ns_g_server, command, text);
- } else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
- result = ns_server_retransfercommand(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_HALT)) {
-#ifdef HAVE_LIBSCF
- /*
- * If we are managed by smf(5), AND in chroot, then
- * we cannot connect to the smf repository, so just
- * return with an appropriate message back to rndc.
- */
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
- result = ns_smf_add_message(text);
- return (result);
- }
- /*
- * If we are managed by smf(5) but not in chroot,
- * try to disable ourselves the smf way.
- */
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
- ns_smf_want_disable = 1;
- /*
- * If ns_smf_got_instance = 0, ns_smf_chroot
- * is not relevant and we fall through to
- * isc_app_shutdown below.
- */
-#endif
- ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
- ns_os_shutdownmsg(command, text);
- isc_app_shutdown();
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_STOP)) {
-#ifdef HAVE_LIBSCF
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 1) {
- result = ns_smf_add_message(text);
- return (result);
- }
- if (ns_smf_got_instance == 1 && ns_smf_chroot == 0)
- ns_smf_want_disable = 1;
-#endif
- ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
- ns_os_shutdownmsg(command, text);
- isc_app_shutdown();
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
- result = ns_server_dumpstats(ns_g_server);
- } else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
- result = ns_server_togglequerylog(ns_g_server);
- } else if (command_compare(command, NS_COMMAND_DUMPDB)) {
- ns_server_dumpdb(ns_g_server, command);
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_TRACE)) {
- result = ns_server_setdebuglevel(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_NOTRACE)) {
- ns_g_debuglevel = 0;
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
- result = ISC_R_SUCCESS;
- } else if (command_compare(command, NS_COMMAND_FLUSH)) {
- result = ns_server_flushcache(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
- result = ns_server_flushname(ns_g_server, command);
- } else if (command_compare(command, NS_COMMAND_STATUS)) {
- result = ns_server_status(ns_g_server, text);
- } else if (command_compare(command, NS_COMMAND_FREEZE)) {
- result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
- } else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
- command_compare(command, NS_COMMAND_THAW)) {
- result = ns_server_freeze(ns_g_server, ISC_FALSE, command);
- } else if (command_compare(command, NS_COMMAND_RECURSING)) {
- result = ns_server_dumprecursing(ns_g_server);
- } else if (command_compare(command, NS_COMMAND_NULL)) {
- result = ISC_R_SUCCESS;
- } else {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "unknown control channel command '%s'",
- command);
- result = DNS_R_UNKNOWNCOMMAND;
- }
-
- return (result);
-}
diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c
deleted file mode 100644
index 5b87fb9c0a1f..000000000000
--- a/contrib/bind9/bin/named/controlconf.c
+++ /dev/null
@@ -1,1323 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: controlconf.c,v 1.28.2.9.2.6 2004/03/08 09:04:14 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/event.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/random.h>
-#include <isc/result.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <bind9/check.h>
-
-#include <isccc/alist.h>
-#include <isccc/cc.h>
-#include <isccc/ccmsg.h>
-#include <isccc/events.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/symtab.h>
-#include <isccc/util.h>
-
-#include <dns/result.h>
-
-#include <named/config.h>
-#include <named/control.h>
-#include <named/log.h>
-#include <named/server.h>
-
-/*
- * Note: Listeners and connections are not locked. All event handlers are
- * executed by the server task, and all callers of exported routines must
- * be running under the server task.
- */
-
-typedef struct controlkey controlkey_t;
-typedef ISC_LIST(controlkey_t) controlkeylist_t;
-
-typedef struct controlconnection controlconnection_t;
-typedef ISC_LIST(controlconnection_t) controlconnectionlist_t;
-
-typedef struct controllistener controllistener_t;
-typedef ISC_LIST(controllistener_t) controllistenerlist_t;
-
-struct controlkey {
- char * keyname;
- isc_region_t secret;
- ISC_LINK(controlkey_t) link;
-};
-
-struct controlconnection {
- isc_socket_t * sock;
- isccc_ccmsg_t ccmsg;
- isc_boolean_t ccmsg_valid;
- isc_boolean_t sending;
- isc_timer_t * timer;
- unsigned char buffer[2048];
- controllistener_t * listener;
- isc_uint32_t nonce;
- ISC_LINK(controlconnection_t) link;
-};
-
-struct controllistener {
- ns_controls_t * controls;
- isc_mem_t * mctx;
- isc_task_t * task;
- isc_sockaddr_t address;
- isc_socket_t * sock;
- dns_acl_t * acl;
- isc_boolean_t listening;
- isc_boolean_t exiting;
- controlkeylist_t keys;
- controlconnectionlist_t connections;
- ISC_LINK(controllistener_t) link;
-};
-
-struct ns_controls {
- ns_server_t *server;
- controllistenerlist_t listeners;
- isc_boolean_t shuttingdown;
- isccc_symtab_t *symtab;
-};
-
-static void control_newconn(isc_task_t *task, isc_event_t *event);
-static void control_recvmessage(isc_task_t *task, isc_event_t *event);
-
-#define CLOCKSKEW 300
-
-static void
-free_controlkey(controlkey_t *key, isc_mem_t *mctx) {
- if (key->keyname != NULL)
- isc_mem_free(mctx, key->keyname);
- if (key->secret.base != NULL)
- isc_mem_put(mctx, key->secret.base, key->secret.length);
- isc_mem_put(mctx, key, sizeof(*key));
-}
-
-static void
-free_controlkeylist(controlkeylist_t *keylist, isc_mem_t *mctx) {
- while (!ISC_LIST_EMPTY(*keylist)) {
- controlkey_t *key = ISC_LIST_HEAD(*keylist);
- ISC_LIST_UNLINK(*keylist, key, link);
- free_controlkey(key, mctx);
- }
-}
-
-static void
-free_listener(controllistener_t *listener) {
- INSIST(listener->exiting);
- INSIST(!listener->listening);
- INSIST(ISC_LIST_EMPTY(listener->connections));
-
- if (listener->sock != NULL)
- isc_socket_detach(&listener->sock);
-
- free_controlkeylist(&listener->keys, listener->mctx);
-
- if (listener->acl != NULL)
- dns_acl_detach(&listener->acl);
-
- isc_mem_put(listener->mctx, listener, sizeof(*listener));
-}
-
-static void
-maybe_free_listener(controllistener_t *listener) {
- if (listener->exiting &&
- !listener->listening &&
- ISC_LIST_EMPTY(listener->connections))
- free_listener(listener);
-}
-
-static void
-maybe_free_connection(controlconnection_t *conn) {
- controllistener_t *listener = conn->listener;
-
- if (conn->timer != NULL)
- isc_timer_detach(&conn->timer);
-
- if (conn->ccmsg_valid) {
- isccc_ccmsg_cancelread(&conn->ccmsg);
- return;
- }
-
- if (conn->sending) {
- isc_socket_cancel(conn->sock, listener->task,
- ISC_SOCKCANCEL_SEND);
- return;
- }
-
- ISC_LIST_UNLINK(listener->connections, conn, link);
- isc_mem_put(listener->mctx, conn, sizeof(*conn));
-}
-
-static void
-shutdown_listener(controllistener_t *listener) {
- controlconnection_t *conn;
- controlconnection_t *next;
-
- if (!listener->exiting) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
-
- ISC_LIST_UNLINK(listener->controls->listeners, listener, link);
-
- isc_sockaddr_format(&listener->address, socktext,
- sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
- "stopping command channel on %s", socktext);
- listener->exiting = ISC_TRUE;
- }
-
- for (conn = ISC_LIST_HEAD(listener->connections);
- conn != NULL;
- conn = next)
- {
- next = ISC_LIST_NEXT(conn, link);
- maybe_free_connection(conn);
- }
-
- if (listener->listening)
- isc_socket_cancel(listener->sock, listener->task,
- ISC_SOCKCANCEL_ACCEPT);
-
- maybe_free_listener(listener);
-}
-
-static isc_boolean_t
-address_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
- isc_netaddr_t netaddr;
- isc_result_t result;
- int match;
-
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
-
- result = dns_acl_match(&netaddr, NULL, acl,
- &ns_g_server->aclenv, &match, NULL);
-
- if (result != ISC_R_SUCCESS || match <= 0)
- return (ISC_FALSE);
- else
- return (ISC_TRUE);
-}
-
-static isc_result_t
-control_accept(controllistener_t *listener) {
- isc_result_t result;
- result = isc_socket_accept(listener->sock,
- listener->task,
- control_newconn, listener);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_accept() failed: %s",
- isc_result_totext(result));
- else
- listener->listening = ISC_TRUE;
- return (result);
-}
-
-static isc_result_t
-control_listen(controllistener_t *listener) {
- isc_result_t result;
-
- result = isc_socket_listen(listener->sock, 0);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socket_listen() failed: %s",
- isc_result_totext(result));
- return (result);
-}
-
-static void
-control_next(controllistener_t *listener) {
- (void)control_accept(listener);
-}
-
-static void
-control_senddone(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *) event;
- controlconnection_t *conn = event->ev_arg;
- controllistener_t *listener = conn->listener;
- isc_socket_t *sock = (isc_socket_t *)sevent->ev_sender;
- isc_result_t result;
-
- REQUIRE(conn->sending);
-
- UNUSED(task);
-
- conn->sending = ISC_FALSE;
-
- if (sevent->result != ISC_R_SUCCESS &&
- sevent->result != ISC_R_CANCELED)
- {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t peeraddr;
-
- (void)isc_socket_getpeername(sock, &peeraddr);
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "error sending command response to %s: %s",
- socktext, isc_result_totext(sevent->result));
- }
- isc_event_free(&event);
-
- result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
- control_recvmessage, conn);
- if (result != ISC_R_SUCCESS) {
- isc_socket_detach(&conn->sock);
- maybe_free_connection(conn);
- maybe_free_listener(listener);
- }
-}
-
-static inline void
-log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t peeraddr;
-
- (void)isc_socket_getpeername(ccmsg->sock, &peeraddr);
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_ERROR,
- "invalid command from %s: %s",
- socktext, isc_result_totext(result));
-}
-
-static void
-control_recvmessage(isc_task_t *task, isc_event_t *event) {
- controlconnection_t *conn;
- controllistener_t *listener;
- controlkey_t *key;
- isccc_sexpr_t *request = NULL;
- isccc_sexpr_t *response = NULL;
- isccc_region_t ccregion;
- isccc_region_t secret;
- isc_stdtime_t now;
- isc_buffer_t b;
- isc_region_t r;
- isc_uint32_t len;
- isc_buffer_t text;
- char textarray[1024];
- isc_result_t result;
- isc_result_t eresult;
- isccc_sexpr_t *_ctrl;
- isccc_time_t sent;
- isccc_time_t exp;
- isc_uint32_t nonce;
-
- REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
-
- conn = event->ev_arg;
- listener = conn->listener;
- secret.rstart = NULL;
-
- /* Is the server shutting down? */
- if (listener->controls->shuttingdown)
- goto cleanup;
-
- if (conn->ccmsg.result != ISC_R_SUCCESS) {
- if (conn->ccmsg.result != ISC_R_CANCELED &&
- conn->ccmsg.result != ISC_R_EOF)
- log_invalid(&conn->ccmsg, conn->ccmsg.result);
- goto cleanup;
- }
-
- request = NULL;
-
- for (key = ISC_LIST_HEAD(listener->keys);
- key != NULL;
- key = ISC_LIST_NEXT(key, link))
- {
- ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
- ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
- secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
- if (secret.rstart == NULL)
- goto cleanup;
- memcpy(secret.rstart, key->secret.base, key->secret.length);
- secret.rend = secret.rstart + key->secret.length;
- result = isccc_cc_fromwire(&ccregion, &request, &secret);
- if (result == ISC_R_SUCCESS)
- break;
- else if (result == ISCCC_R_BADAUTH) {
- /*
- * For some reason, request is non-NULL when
- * isccc_cc_fromwire returns ISCCC_R_BADAUTH.
- */
- if (request != NULL)
- isccc_sexpr_free(&request);
- isc_mem_put(listener->mctx, secret.rstart,
- REGION_SIZE(secret));
- } else {
- log_invalid(&conn->ccmsg, result);
- goto cleanup;
- }
- }
-
- if (key == NULL) {
- log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
- goto cleanup;
- }
-
- /* We shouldn't be getting a reply. */
- if (isccc_cc_isreply(request)) {
- log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- goto cleanup;
- }
-
- isc_stdtime_get(&now);
-
- /*
- * Limit exposure to replay attacks.
- */
- _ctrl = isccc_alist_lookup(request, "_ctrl");
- if (_ctrl == NULL) {
- log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- goto cleanup;
- }
-
- if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
- if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) {
- log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW);
- goto cleanup;
- }
- } else {
- log_invalid(&conn->ccmsg, ISC_R_FAILURE);
- goto cleanup;
- }
-
- /*
- * Expire messages that are too old.
- */
- if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS &&
- now > exp) {
- log_invalid(&conn->ccmsg, ISCCC_R_EXPIRED);
- goto cleanup;
- }
-
- /*
- * Duplicate suppression (required for UDP).
- */
- isccc_cc_cleansymtab(listener->controls->symtab, now);
- result = isccc_cc_checkdup(listener->controls->symtab, request, now);
- if (result != ISC_R_SUCCESS) {
- if (result == ISC_R_EXISTS)
- result = ISCCC_R_DUPLICATE;
- log_invalid(&conn->ccmsg, result);
- goto cleanup;
- }
-
- if (conn->nonce != 0 &&
- (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS ||
- conn->nonce != nonce)) {
- log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
- goto cleanup;
- }
-
- /*
- * Establish nonce.
- */
- while (conn->nonce == 0)
- isc_random_get(&conn->nonce);
-
- isc_buffer_init(&text, textarray, sizeof(textarray));
- eresult = ns_control_docommand(request, &text);
-
- result = isccc_cc_createresponse(request, now, now + 60, &response);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (eresult != ISC_R_SUCCESS) {
- isccc_sexpr_t *data;
-
- data = isccc_alist_lookup(response, "_data");
- if (data != NULL) {
- const char *estr = isc_result_totext(eresult);
- if (isccc_cc_definestring(data, "err", estr) == NULL)
- goto cleanup;
- }
- }
-
- if (isc_buffer_usedlength(&text) > 0) {
- isccc_sexpr_t *data;
-
- data = isccc_alist_lookup(response, "_data");
- if (data != NULL) {
- char *str = (char *)isc_buffer_base(&text);
- if (isccc_cc_definestring(data, "text", str) == NULL)
- goto cleanup;
- }
- }
-
- _ctrl = isccc_alist_lookup(response, "_ctrl");
- if (_ctrl == NULL ||
- isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL)
- goto cleanup;
-
- ccregion.rstart = conn->buffer + 4;
- ccregion.rend = conn->buffer + sizeof(conn->buffer);
- result = isccc_cc_towire(response, &ccregion, &secret);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isc_buffer_init(&b, conn->buffer, 4);
- len = sizeof(conn->buffer) - REGION_SIZE(ccregion);
- isc_buffer_putuint32(&b, len - 4);
- r.base = conn->buffer;
- r.length = len;
-
- result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- conn->sending = ISC_TRUE;
-
- if (secret.rstart != NULL)
- isc_mem_put(listener->mctx, secret.rstart,
- REGION_SIZE(secret));
- if (request != NULL)
- isccc_sexpr_free(&request);
- if (response != NULL)
- isccc_sexpr_free(&response);
- return;
-
- cleanup:
- if (secret.rstart != NULL)
- isc_mem_put(listener->mctx, secret.rstart,
- REGION_SIZE(secret));
- isc_socket_detach(&conn->sock);
- isccc_ccmsg_invalidate(&conn->ccmsg);
- conn->ccmsg_valid = ISC_FALSE;
- maybe_free_connection(conn);
- maybe_free_listener(listener);
- if (request != NULL)
- isccc_sexpr_free(&request);
- if (response != NULL)
- isccc_sexpr_free(&response);
-}
-
-static void
-control_timeout(isc_task_t *task, isc_event_t *event) {
- controlconnection_t *conn = event->ev_arg;
-
- UNUSED(task);
-
- isc_timer_detach(&conn->timer);
- maybe_free_connection(conn);
-
- isc_event_free(&event);
-}
-
-static isc_result_t
-newconnection(controllistener_t *listener, isc_socket_t *sock) {
- controlconnection_t *conn;
- isc_interval_t interval;
- isc_result_t result;
-
- conn = isc_mem_get(listener->mctx, sizeof(*conn));
- if (conn == NULL)
- return (ISC_R_NOMEMORY);
-
- conn->sock = sock;
- isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
- conn->ccmsg_valid = ISC_TRUE;
- conn->sending = ISC_FALSE;
- conn->timer = NULL;
- isc_interval_set(&interval, 60, 0);
- result = isc_timer_create(ns_g_timermgr, isc_timertype_once,
- NULL, &interval, listener->task,
- control_timeout, conn, &conn->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- conn->listener = listener;
- conn->nonce = 0;
- ISC_LINK_INIT(conn, link);
-
- result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
- control_recvmessage, conn);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isccc_ccmsg_setmaxsize(&conn->ccmsg, 2048);
-
- ISC_LIST_APPEND(listener->connections, conn, link);
- return (ISC_R_SUCCESS);
-
- cleanup:
- isccc_ccmsg_invalidate(&conn->ccmsg);
- if (conn->timer != NULL)
- isc_timer_detach(&conn->timer);
- isc_mem_put(listener->mctx, conn, sizeof(*conn));
- return (result);
-}
-
-static void
-control_newconn(isc_task_t *task, isc_event_t *event) {
- isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
- controllistener_t *listener = event->ev_arg;
- isc_socket_t *sock;
- isc_sockaddr_t peeraddr;
- isc_result_t result;
-
- UNUSED(task);
-
- listener->listening = ISC_FALSE;
-
- if (nevent->result != ISC_R_SUCCESS) {
- if (nevent->result == ISC_R_CANCELED) {
- shutdown_listener(listener);
- goto cleanup;
- }
- goto restart;
- }
-
- sock = nevent->newsocket;
- (void)isc_socket_getpeername(sock, &peeraddr);
- if (!address_ok(&peeraddr, listener->acl)) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "rejected command channel message from %s",
- socktext);
- isc_socket_detach(&sock);
- goto restart;
- }
-
- result = newconnection(listener, sock);
- if (result != ISC_R_SUCCESS) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
- "dropped command channel from %s: %s",
- socktext, isc_result_totext(result));
- isc_socket_detach(&sock);
- goto restart;
- }
-
- restart:
- control_next(listener);
- cleanup:
- isc_event_free(&event);
-}
-
-static void
-controls_shutdown(ns_controls_t *controls) {
- controllistener_t *listener;
- controllistener_t *next;
-
- for (listener = ISC_LIST_HEAD(controls->listeners);
- listener != NULL;
- listener = next)
- {
- /*
- * This is asynchronous. As listeners shut down, they will
- * call their callbacks.
- */
- next = ISC_LIST_NEXT(listener, link);
- shutdown_listener(listener);
- }
-}
-
-void
-ns_controls_shutdown(ns_controls_t *controls) {
- controls_shutdown(controls);
- controls->shuttingdown = ISC_TRUE;
-}
-
-static isc_result_t
-cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
- cfg_listelt_t *element;
- const char *str;
- cfg_obj_t *obj;
-
- for (element = cfg_list_first(keylist);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(cfg_map_getname(obj));
- if (strcasecmp(str, keyname) == 0)
- break;
- }
- if (element == NULL)
- return (ISC_R_NOTFOUND);
- obj = cfg_listelt_value(element);
- *objp = obj;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
- controlkeylist_t *keyids)
-{
- cfg_listelt_t *element;
- char *newstr = NULL;
- const char *str;
- cfg_obj_t *obj;
- controlkey_t *key = NULL;
-
- for (element = cfg_list_first(keylist);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(obj);
- newstr = isc_mem_strdup(mctx, str);
- if (newstr == NULL)
- goto cleanup;
- key = isc_mem_get(mctx, sizeof(*key));
- if (key == NULL)
- goto cleanup;
- key->keyname = newstr;
- key->secret.base = NULL;
- key->secret.length = 0;
- ISC_LINK_INIT(key, link);
- ISC_LIST_APPEND(*keyids, key, link);
- key = NULL;
- newstr = NULL;
- }
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (newstr != NULL)
- isc_mem_free(mctx, newstr);
- if (key != NULL)
- isc_mem_put(mctx, key, sizeof(*key));
- free_controlkeylist(keyids, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static void
-register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
- controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
-{
- controlkey_t *keyid, *next;
- cfg_obj_t *keydef;
- char secret[1024];
- isc_buffer_t b;
- isc_result_t result;
-
- /*
- * Find the keys corresponding to the keyids used by this listener.
- */
- for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
- next = ISC_LIST_NEXT(keyid, link);
-
- result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't find key '%s' for use with "
- "command channel %s",
- keyid->keyname, socktext);
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- } else {
- cfg_obj_t *algobj = NULL;
- cfg_obj_t *secretobj = NULL;
- char *algstr = NULL;
- char *secretstr = NULL;
-
- (void)cfg_map_get(keydef, "algorithm", &algobj);
- (void)cfg_map_get(keydef, "secret", &secretobj);
- INSIST(algobj != NULL && secretobj != NULL);
-
- algstr = cfg_obj_asstring(algobj);
- secretstr = cfg_obj_asstring(secretobj);
-
- if (ns_config_getkeyalgorithm(algstr, NULL) !=
- ISC_R_SUCCESS)
- {
- cfg_obj_log(control, ns_g_lctx,
- ISC_LOG_WARNING,
- "unsupported algorithm '%s' in "
- "key '%s' for use with command "
- "channel %s",
- algstr, keyid->keyname, socktext);
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- continue;
- }
-
- isc_buffer_init(&b, secret, sizeof(secret));
- result = isc_base64_decodestring(secretstr, &b);
-
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
- "secret for key '%s' on "
- "command channel %s: %s",
- keyid->keyname, socktext,
- isc_result_totext(result));
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- continue;
- }
-
- keyid->secret.length = isc_buffer_usedlength(&b);
- keyid->secret.base = isc_mem_get(mctx,
- keyid->secret.length);
- if (keyid->secret.base == NULL) {
- cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't register key '%s': "
- "out of memory", keyid->keyname);
- ISC_LIST_UNLINK(*keyids, keyid, link);
- free_controlkey(keyid, mctx);
- break;
- }
- memcpy(keyid->secret.base, isc_buffer_base(&b),
- keyid->secret.length);
- }
- }
-}
-
-#define CHECK(x) \
- do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto cleanup; \
- } while (0)
-
-static isc_result_t
-get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
- isc_result_t result;
- cfg_parser_t *pctx = NULL;
- cfg_obj_t *config = NULL;
- cfg_obj_t *key = NULL;
- cfg_obj_t *algobj = NULL;
- cfg_obj_t *secretobj = NULL;
- char *algstr = NULL;
- char *secretstr = NULL;
- controlkey_t *keyid = NULL;
- char secret[1024];
- isc_buffer_t b;
-
- CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
- CHECK(cfg_parse_file(pctx, ns_g_keyfile, &cfg_type_rndckey, &config));
- CHECK(cfg_map_get(config, "key", &key));
-
- keyid = isc_mem_get(mctx, sizeof(*keyid));
- if (keyid == NULL)
- CHECK(ISC_R_NOMEMORY);
- keyid->keyname = isc_mem_strdup(mctx,
- cfg_obj_asstring(cfg_map_getname(key)));
- keyid->secret.base = NULL;
- keyid->secret.length = 0;
- ISC_LINK_INIT(keyid, link);
- if (keyid->keyname == NULL)
- CHECK(ISC_R_NOMEMORY);
-
- CHECK(bind9_check_key(key, ns_g_lctx));
-
- (void)cfg_map_get(key, "algorithm", &algobj);
- (void)cfg_map_get(key, "secret", &secretobj);
- INSIST(algobj != NULL && secretobj != NULL);
-
- algstr = cfg_obj_asstring(algobj);
- secretstr = cfg_obj_asstring(secretobj);
-
- if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) {
- cfg_obj_log(key, ns_g_lctx,
- ISC_LOG_WARNING,
- "unsupported algorithm '%s' in "
- "key '%s' for use with command "
- "channel",
- algstr, keyid->keyname);
- goto cleanup;
- }
-
- isc_buffer_init(&b, secret, sizeof(secret));
- result = isc_base64_decodestring(secretstr, &b);
-
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
- "secret for key '%s' on command channel: %s",
- keyid->keyname, isc_result_totext(result));
- CHECK(result);
- }
-
- keyid->secret.length = isc_buffer_usedlength(&b);
- keyid->secret.base = isc_mem_get(mctx,
- keyid->secret.length);
- if (keyid->secret.base == NULL) {
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't register key '%s': "
- "out of memory", keyid->keyname);
- CHECK(ISC_R_NOMEMORY);
- }
- memcpy(keyid->secret.base, isc_buffer_base(&b),
- keyid->secret.length);
- ISC_LIST_APPEND(*keyids, keyid, link);
- keyid = NULL;
- result = ISC_R_SUCCESS;
-
- cleanup:
- if (keyid != NULL)
- free_controlkey(keyid, mctx);
- if (config != NULL)
- cfg_obj_destroy(pctx, &config);
- if (pctx != NULL)
- cfg_parser_destroy(&pctx);
- return (result);
-}
-
-/*
- * Ensures that both '*global_keylistp' and '*control_keylistp' are
- * valid or both are NULL.
- */
-static void
-get_key_info(cfg_obj_t *config, cfg_obj_t *control,
- cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp)
-{
- isc_result_t result;
- cfg_obj_t *control_keylist = NULL;
- cfg_obj_t *global_keylist = NULL;
-
- REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
- REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
-
- control_keylist = cfg_tuple_get(control, "keys");
-
- if (!cfg_obj_isvoid(control_keylist) &&
- cfg_list_first(control_keylist) != NULL) {
- result = cfg_map_get(config, "key", &global_keylist);
-
- if (result == ISC_R_SUCCESS) {
- *global_keylistp = global_keylist;
- *control_keylistp = control_keylist;
- }
- }
-}
-
-static void
-update_listener(ns_controls_t *cp,
- controllistener_t **listenerp, cfg_obj_t *control,
- cfg_obj_t *config, isc_sockaddr_t *addr,
- ns_aclconfctx_t *aclconfctx, const char *socktext)
-{
- controllistener_t *listener;
- cfg_obj_t *allow;
- cfg_obj_t *global_keylist = NULL;
- cfg_obj_t *control_keylist = NULL;
- dns_acl_t *new_acl = NULL;
- controlkeylist_t keys;
- isc_result_t result = ISC_R_SUCCESS;
-
- for (listener = ISC_LIST_HEAD(cp->listeners);
- listener != NULL;
- listener = ISC_LIST_NEXT(listener, link))
- if (isc_sockaddr_equal(addr, &listener->address))
- break;
-
- if (listener == NULL) {
- *listenerp = NULL;
- return;
- }
-
- /*
- * There is already a listener for this sockaddr.
- * Update the access list and key information.
- *
- * First try to deal with the key situation. There are a few
- * possibilities:
- * (a) It had an explicit keylist and still has an explicit keylist.
- * (b) It had an automagic key and now has an explicit keylist.
- * (c) It had an explicit keylist and now needs an automagic key.
- * (d) It has an automagic key and still needs the automagic key.
- *
- * (c) and (d) are the annoying ones. The caller needs to know
- * that it should use the automagic configuration for key information
- * in place of the named.conf configuration.
- *
- * XXXDCL There is one other hazard that has not been dealt with,
- * the problem that if a key change is being caused by a control
- * channel reload, then the response will be with the new key
- * and not able to be decrypted by the client.
- */
- if (control != NULL)
- get_key_info(config, control, &global_keylist,
- &control_keylist);
-
- if (control_keylist != NULL) {
- INSIST(global_keylist != NULL);
-
- ISC_LIST_INIT(keys);
- result = controlkeylist_fromcfg(control_keylist,
- listener->mctx, &keys);
- if (result == ISC_R_SUCCESS) {
- free_controlkeylist(&listener->keys, listener->mctx);
- listener->keys = keys;
- register_keys(control, global_keylist, &listener->keys,
- listener->mctx, socktext);
- }
- } else {
- free_controlkeylist(&listener->keys, listener->mctx);
- result = get_rndckey(listener->mctx, &listener->keys);
- }
-
- if (result != ISC_R_SUCCESS && global_keylist != NULL)
- /*
- * This message might be a little misleading since the
- * "new keys" might in fact be identical to the old ones,
- * but tracking whether they are identical just for the
- * sake of avoiding this message would be too much trouble.
- */
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't install new keys for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
-
-
- /*
- * Now, keep the old access list unless a new one can be made.
- */
- if (control != NULL) {
- allow = cfg_tuple_get(control, "allow");
- result = ns_acl_fromconfig(allow, config, aclconfctx,
- listener->mctx, &new_acl);
- } else {
- result = dns_acl_any(listener->mctx, &new_acl);
- }
-
- if (result == ISC_R_SUCCESS) {
- dns_acl_detach(&listener->acl);
- dns_acl_attach(new_acl, &listener->acl);
- dns_acl_detach(&new_acl);
- } else
- /* XXXDCL say the old acl is still used? */
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't install new acl for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
-
- *listenerp = listener;
-}
-
-static void
-add_listener(ns_controls_t *cp, controllistener_t **listenerp,
- cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
- ns_aclconfctx_t *aclconfctx, const char *socktext)
-{
- isc_mem_t *mctx = cp->server->mctx;
- controllistener_t *listener;
- cfg_obj_t *allow;
- cfg_obj_t *global_keylist = NULL;
- cfg_obj_t *control_keylist = NULL;
- dns_acl_t *new_acl = NULL;
- isc_result_t result = ISC_R_SUCCESS;
-
- listener = isc_mem_get(mctx, sizeof(*listener));
- if (listener == NULL)
- result = ISC_R_NOMEMORY;
-
- if (result == ISC_R_SUCCESS) {
- listener->controls = cp;
- listener->mctx = mctx;
- listener->task = cp->server->task;
- listener->address = *addr;
- listener->sock = NULL;
- listener->listening = ISC_FALSE;
- listener->exiting = ISC_FALSE;
- listener->acl = NULL;
- ISC_LINK_INIT(listener, link);
- ISC_LIST_INIT(listener->keys);
- ISC_LIST_INIT(listener->connections);
-
- /*
- * Make the acl.
- */
- if (control != NULL) {
- allow = cfg_tuple_get(control, "allow");
- result = ns_acl_fromconfig(allow, config, aclconfctx,
- mctx, &new_acl);
- } else {
- result = dns_acl_any(mctx, &new_acl);
- }
- }
-
- if (result == ISC_R_SUCCESS) {
- dns_acl_attach(new_acl, &listener->acl);
- dns_acl_detach(&new_acl);
-
- if (config != NULL)
- get_key_info(config, control, &global_keylist,
- &control_keylist);
-
- if (control_keylist != NULL) {
- result = controlkeylist_fromcfg(control_keylist,
- listener->mctx,
- &listener->keys);
- if (result == ISC_R_SUCCESS)
- register_keys(control, global_keylist,
- &listener->keys,
- listener->mctx, socktext);
- } else
- result = get_rndckey(mctx, &listener->keys);
-
- if (result != ISC_R_SUCCESS && control != NULL)
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't install keys for "
- "command channel %s: %s",
- socktext, isc_result_totext(result));
- }
-
- if (result == ISC_R_SUCCESS) {
- int pf = isc_sockaddr_pf(&listener->address);
- if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
- (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
- result = ISC_R_FAMILYNOSUPPORT;
- }
-
- if (result == ISC_R_SUCCESS)
- result = isc_socket_create(ns_g_socketmgr,
- isc_sockaddr_pf(&listener->address),
- isc_sockettype_tcp,
- &listener->sock);
-
- if (result == ISC_R_SUCCESS)
- result = isc_socket_bind(listener->sock,
- &listener->address);
-
- if (result == ISC_R_SUCCESS)
- result = control_listen(listener);
-
- if (result == ISC_R_SUCCESS)
- result = control_accept(listener);
-
- if (result == ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
- "command channel listening on %s", socktext);
- *listenerp = listener;
-
- } else {
- if (listener != NULL) {
- listener->exiting = ISC_TRUE;
- free_listener(listener);
- }
-
- if (control != NULL)
- cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
- "couldn't add command channel %s: %s",
- socktext, isc_result_totext(result));
- else
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
- "couldn't add command channel %s: %s",
- socktext, isc_result_totext(result));
-
- *listenerp = NULL;
- }
-
- /* XXXDCL return error results? fail hard? */
-}
-
-isc_result_t
-ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
- ns_aclconfctx_t *aclconfctx)
-{
- controllistener_t *listener;
- controllistenerlist_t new_listeners;
- cfg_obj_t *controlslist = NULL;
- cfg_listelt_t *element, *element2;
- char socktext[ISC_SOCKADDR_FORMATSIZE];
-
- ISC_LIST_INIT(new_listeners);
-
- /*
- * Get the list of named.conf 'controls' statements.
- */
- (void)cfg_map_get(config, "controls", &controlslist);
-
- /*
- * Run through the new control channel list, noting sockets that
- * are already being listened on and moving them to the new list.
- *
- * Identifying duplicate addr/port combinations is left to either
- * the underlying config code, or to the bind attempt getting an
- * address-in-use error.
- */
- if (controlslist != NULL) {
- for (element = cfg_list_first(controlslist);
- element != NULL;
- element = cfg_list_next(element)) {
- cfg_obj_t *controls;
- cfg_obj_t *inetcontrols = NULL;
-
- controls = cfg_listelt_value(element);
- (void)cfg_map_get(controls, "inet", &inetcontrols);
- if (inetcontrols == NULL)
- continue;
-
- for (element2 = cfg_list_first(inetcontrols);
- element2 != NULL;
- element2 = cfg_list_next(element2)) {
- cfg_obj_t *control;
- cfg_obj_t *obj;
- isc_sockaddr_t *addr;
-
- /*
- * The parser handles BIND 8 configuration file
- * syntax, so it allows unix phrases as well
- * inet phrases with no keys{} clause.
- *
- * "unix" phrases have been reported as
- * unsupported by the parser.
- */
- control = cfg_listelt_value(element2);
-
- obj = cfg_tuple_get(control, "address");
- addr = cfg_obj_assockaddr(obj);
- if (isc_sockaddr_getport(addr) == 0)
- isc_sockaddr_setport(addr,
- NS_CONTROL_PORT);
-
- isc_sockaddr_format(addr, socktext,
- sizeof(socktext));
-
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_CONTROL,
- ISC_LOG_DEBUG(9),
- "processing control channel %s",
- socktext);
-
- update_listener(cp, &listener, control, config,
- addr, aclconfctx, socktext);
-
- if (listener != NULL)
- /*
- * Remove the listener from the old
- * list, so it won't be shut down.
- */
- ISC_LIST_UNLINK(cp->listeners,
- listener, link);
- else
- /*
- * This is a new listener.
- */
- add_listener(cp, &listener, control,
- config, addr, aclconfctx,
- socktext);
-
- if (listener != NULL)
- ISC_LIST_APPEND(new_listeners,
- listener, link);
- }
- }
- } else {
- int i;
-
- for (i = 0; i < 2; i++) {
- isc_sockaddr_t addr;
-
- if (i == 0) {
- struct in_addr localhost;
-
- if (isc_net_probeipv4() != ISC_R_SUCCESS)
- continue;
- localhost.s_addr = htonl(INADDR_LOOPBACK);
- isc_sockaddr_fromin(&addr, &localhost, 0);
- } else {
- if (isc_net_probeipv6() != ISC_R_SUCCESS)
- continue;
- isc_sockaddr_fromin6(&addr,
- &in6addr_loopback, 0);
- }
- isc_sockaddr_setport(&addr, NS_CONTROL_PORT);
-
- isc_sockaddr_format(&addr, socktext, sizeof(socktext));
-
- update_listener(cp, &listener, NULL, NULL,
- &addr, NULL, socktext);
-
- if (listener != NULL)
- /*
- * Remove the listener from the old
- * list, so it won't be shut down.
- */
- ISC_LIST_UNLINK(cp->listeners,
- listener, link);
- else
- /*
- * This is a new listener.
- */
- add_listener(cp, &listener, NULL, NULL,
- &addr, NULL, socktext);
-
- if (listener != NULL)
- ISC_LIST_APPEND(new_listeners,
- listener, link);
- }
- }
-
- /*
- * ns_control_shutdown() will stop whatever is on the global
- * listeners list, which currently only has whatever sockaddrs
- * were in the previous configuration (if any) that do not
- * remain in the current configuration.
- */
- controls_shutdown(cp);
-
- /*
- * Put all of the valid listeners on the listeners list.
- * Anything already on listeners in the process of shutting
- * down will be taken care of by listen_done().
- */
- ISC_LIST_APPENDLIST(cp->listeners, new_listeners, link);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp) {
- isc_mem_t *mctx = server->mctx;
- isc_result_t result;
- ns_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
-
- if (controls == NULL)
- return (ISC_R_NOMEMORY);
- controls->server = server;
- ISC_LIST_INIT(controls->listeners);
- controls->shuttingdown = ISC_FALSE;
- controls->symtab = NULL;
- result = isccc_cc_createsymtab(&controls->symtab);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(server->mctx, controls, sizeof(*controls));
- return (result);
- }
- *ctrlsp = controls;
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_controls_destroy(ns_controls_t **ctrlsp) {
- ns_controls_t *controls = *ctrlsp;
-
- REQUIRE(ISC_LIST_EMPTY(controls->listeners));
-
- isccc_symtab_destroy(&controls->symtab);
- isc_mem_put(controls->server->mctx, controls, sizeof(*controls));
- *ctrlsp = NULL;
-}
diff --git a/contrib/bind9/bin/named/include/named/aclconf.h b/contrib/bind9/bin/named/include/named/aclconf.h
deleted file mode 100644
index 812657278485..000000000000
--- a/contrib/bind9/bin/named/include/named/aclconf.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: aclconf.h,v 1.12.208.1 2004/03/06 10:21:23 marka Exp $ */
-
-#ifndef NS_ACLCONF_H
-#define NS_ACLCONF_H 1
-
-#include <isc/lang.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/types.h>
-
-typedef struct ns_aclconfctx {
- ISC_LIST(dns_acl_t) named_acl_cache;
-} ns_aclconfctx_t;
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-void
-ns_aclconfctx_init(ns_aclconfctx_t *ctx);
-/*
- * Initialize an ACL configuration context.
- */
-
-void
-ns_aclconfctx_destroy(ns_aclconfctx_t *ctx);
-/*
- * Destroy an ACL configuration context.
- */
-
-isc_result_t
-ns_acl_fromconfig(cfg_obj_t *caml,
- cfg_obj_t *cctx,
- ns_aclconfctx_t *ctx,
- isc_mem_t *mctx,
- dns_acl_t **target);
-/*
- * Construct a new dns_acl_t from configuration data in 'caml' and
- * 'cctx'. Memory is allocated through 'mctx'.
- *
- * Any named ACLs referred to within 'caml' will be be converted
- * inte nested dns_acl_t objects. Multiple references to the same
- * named ACLs will be converted into shared references to a single
- * nested dns_acl_t object when the referring objects were created
- * passing the same ACL configuration context 'ctx'.
- *
- * On success, attach '*target' to the new dns_acl_t object.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_ACLCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/builtin.h b/contrib/bind9/bin/named/include/named/builtin.h
deleted file mode 100644
index 15564bf3fb0d..000000000000
--- a/contrib/bind9/bin/named/include/named/builtin.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */
-
-#ifndef NAMED_BUILTIN_H
-#define NAMED_BUILTIN_H 1
-
-#include <isc/types.h>
-
-isc_result_t ns_builtin_init(void);
-
-void ns_builtin_deinit(void);
-
-#endif /* NAMED_BUILTIN_H */
diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h
deleted file mode 100644
index 7097a3bb05b5..000000000000
--- a/contrib/bind9/bin/named/include/named/client.h
+++ /dev/null
@@ -1,343 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: client.h,v 1.60.2.2.10.10 2005/07/29 00:13:08 marka Exp $ */
-
-#ifndef NAMED_CLIENT_H
-#define NAMED_CLIENT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Client
- *
- * This module defines two objects, ns_client_t and ns_clientmgr_t.
- *
- * An ns_client_t object handles incoming DNS requests from clients
- * on a given network interface.
- *
- * Each ns_client_t object can handle only one TCP connection or UDP
- * request at a time. Therefore, several ns_client_t objects are
- * typically created to serve each network interface, e.g., one
- * for handling TCP requests and a few (one per CPU) for handling
- * UDP requests.
- *
- * Incoming requests are classified as queries, zone transfer
- * requests, update requests, notify requests, etc, and handed off
- * to the appropriate request handler. When the request has been
- * fully handled (which can be much later), the ns_client_t must be
- * notified of this by calling one of the following functions
- * exactly once in the context of its task:
- *
- * ns_client_send() (sending a non-error response)
- * ns_client_sendraw() (sending a raw response)
- * ns_client_error() (sending an error response)
- * ns_client_next() (sending no response)
- *
- * This will release any resources used by the request and
- * and allow the ns_client_t to listen for the next request.
- *
- * A ns_clientmgr_t manages a number of ns_client_t objects.
- * New ns_client_t objects are created by calling
- * ns_clientmgr_createclients(). They are destroyed by
- * destroying their manager.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/magic.h>
-#include <isc/stdtime.h>
-#include <isc/quota.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/tcpmsg.h>
-#include <dns/types.h>
-
-#include <named/types.h>
-#include <named/query.h>
-
-/***
- *** Types
- ***/
-
-typedef ISC_LIST(ns_client_t) client_list_t;
-
-struct ns_client {
- unsigned int magic;
- isc_mem_t * mctx;
- ns_clientmgr_t * manager;
- int state;
- int newstate;
- int naccepts;
- int nreads;
- int nsends;
- int nrecvs;
- int nupdates;
- int nctls;
- int references;
- unsigned int attributes;
- isc_task_t * task;
- dns_view_t * view;
- dns_dispatch_t * dispatch;
- isc_socket_t * udpsocket;
- isc_socket_t * tcplistener;
- isc_socket_t * tcpsocket;
- unsigned char * tcpbuf;
- dns_tcpmsg_t tcpmsg;
- isc_boolean_t tcpmsg_valid;
- isc_timer_t * timer;
- isc_boolean_t timerset;
- dns_message_t * message;
- isc_socketevent_t * sendevent;
- isc_socketevent_t * recvevent;
- unsigned char * recvbuf;
- dns_rdataset_t * opt;
- isc_uint16_t udpsize;
- isc_uint16_t extflags;
- void (*next)(ns_client_t *);
- void (*shutdown)(void *arg, isc_result_t result);
- void *shutdown_arg;
- ns_query_t query;
- isc_stdtime_t requesttime;
- isc_stdtime_t now;
- dns_name_t signername; /* [T]SIG key name */
- dns_name_t * signer; /* NULL if not valid sig */
- isc_boolean_t mortal; /* Die after handling request */
- isc_quota_t *tcpquota;
- isc_quota_t *recursionquota;
- ns_interface_t *interface;
- isc_sockaddr_t peeraddr;
- isc_boolean_t peeraddr_valid;
- struct in6_pktinfo pktinfo;
- isc_event_t ctlevent;
- /*
- * Information about recent FORMERR response(s), for
- * FORMERR loop avoidance. This is separate for each
- * client object rather than global only to avoid
- * the need for locking.
- */
- struct {
- isc_sockaddr_t addr;
- isc_stdtime_t time;
- dns_messageid_t id;
- } formerrcache;
- ISC_LINK(ns_client_t) link;
- /*
- * The list 'link' is part of, or NULL if not on any list.
- */
- client_list_t *list;
-};
-
-#define NS_CLIENT_MAGIC ISC_MAGIC('N','S','C','c')
-#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
-
-#define NS_CLIENTATTR_TCP 0x01
-#define NS_CLIENTATTR_RA 0x02 /* Client gets recusive service */
-#define NS_CLIENTATTR_PKTINFO 0x04 /* pktinfo is valid */
-#define NS_CLIENTATTR_MULTICAST 0x08 /* recv'd from multicast */
-#define NS_CLIENTATTR_WANTDNSSEC 0x10 /* include dnssec records */
-
-
-/***
- *** Functions
- ***/
-
-/*
- * Note! These ns_client_ routines MUST be called ONLY from the client's
- * task in order to ensure synchronization.
- */
-
-void
-ns_client_send(ns_client_t *client);
-/*
- * Finish processing the current client request and
- * send client->message as a response.
- */
-
-void
-ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
-/*
- * Finish processing the current client request and
- * send msg as a response using client->message->id for the id.
- */
-
-void
-ns_client_error(ns_client_t *client, isc_result_t result);
-/*
- * Finish processing the current client request and return
- * an error response to the client. The error response
- * will have an RCODE determined by 'result'.
- */
-
-void
-ns_client_next(ns_client_t *client, isc_result_t result);
-/*
- * Finish processing the current client request,
- * return no response to the client.
- */
-
-isc_boolean_t
-ns_client_shuttingdown(ns_client_t *client);
-/*
- * Return ISC_TRUE iff the client is currently shutting down.
- */
-
-void
-ns_client_attach(ns_client_t *source, ns_client_t **target);
-/*
- * Attach '*targetp' to 'source'.
- */
-
-void
-ns_client_detach(ns_client_t **clientp);
-/*
- * Detach '*clientp' from its client.
- */
-
-isc_result_t
-ns_client_replace(ns_client_t *client);
-/*
- * Try to replace the current client with a new one, so that the
- * current one can go off and do some lengthy work without
- * leaving the dispatch/socket without service.
- */
-
-void
-ns_client_settimeout(ns_client_t *client, unsigned int seconds);
-/*
- * Set a timer in the client to go off in the specified amount of time.
- */
-
-isc_result_t
-ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, ns_clientmgr_t **managerp);
-/*
- * Create a client manager.
- */
-
-void
-ns_clientmgr_destroy(ns_clientmgr_t **managerp);
-/*
- * Destroy a client manager and all ns_client_t objects
- * managed by it.
- */
-
-isc_result_t
-ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
- ns_interface_t *ifp, isc_boolean_t tcp);
-/*
- * Create up to 'n' clients listening on interface 'ifp'.
- * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections,
- * otherwise for UDP requests.
- */
-
-isc_sockaddr_t *
-ns_client_getsockaddr(ns_client_t *client);
-/*
- * Get the socket address of the client whose request is
- * currently being processed.
- */
-
-isc_result_t
-ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
- isc_boolean_t default_allow);
-
-/*
- * Convenience function for client request ACL checking.
- *
- * Check the current client request against 'acl'. If 'acl'
- * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
- *
- * Notes:
- * This is appropriate for checking allow-update,
- * allow-query, allow-transfer, etc. It is not appropriate
- * for checking the blackhole list because we treat positive
- * matches as "allow" and negative matches as "deny"; in
- * the case of the blackhole list this would be backwards.
- *
- * Requires:
- * 'client' points to a valid client.
- * 'acl' points to a valid ACL, or is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS if the request should be allowed
- * ISC_R_REFUSED if the request should be denied
- * No other return values are possible.
- */
-
-isc_result_t
-ns_client_checkacl(ns_client_t *client,
- const char *opname, dns_acl_t *acl,
- isc_boolean_t default_allow,
- int log_level);
-/*
- * Like ns_client_checkacl, but also logs the outcome of the
- * check at log level 'log_level' if denied, and at debug 3
- * if approved. Log messages will refer to the request as
- * an 'opname' request.
- *
- * Requires:
- * Those of ns_client_checkaclsilent(), and:
- *
- * 'opname' points to a null-terminated string.
- */
-
-void
-ns_client_log(ns_client_t *client, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
-
-void
-ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0);
-
-void
-ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataclass_t rdclass, char *buf, size_t len);
-
-#define NS_CLIENT_ACLMSGSIZE(x) \
- (DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \
- DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
-
-void
-ns_client_recursing(ns_client_t *client);
-/*%
- * Add client to end of recursing list. If 'killoldest' is true
- * kill the oldest recursive client (list head).
- */
-
-void
-ns_client_killoldestquery(ns_client_t *client);
-/*%
- * Kill the oldest recursive query (recursing list head).
- */
-
-void
-ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
-/*
- * Dump the outstanding recursive queries to 'f'.
- */
-
-#endif /* NAMED_CLIENT_H */
diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h
deleted file mode 100644
index b3b4f121606b..000000000000
--- a/contrib/bind9/bin/named/include/named/config.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: config.h,v 1.4.12.4 2004/04/20 14:12:10 marka Exp $ */
-
-#ifndef NAMED_CONFIG_H
-#define NAMED_CONFIG_H 1
-
-#include <isccfg/cfg.h>
-
-#include <dns/types.h>
-#include <dns/zone.h>
-
-isc_result_t
-ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
-
-isc_result_t
-ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
-
-isc_result_t
-ns_checknames_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
-
-int
-ns_config_listcount(cfg_obj_t *list);
-
-isc_result_t
-ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
- dns_rdataclass_t *classp);
-
-isc_result_t
-ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
- dns_rdatatype_t *typep);
-
-dns_zonetype_t
-ns_config_getzonetype(cfg_obj_t *zonetypeobj);
-
-isc_result_t
-ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
- in_port_t defport, isc_mem_t *mctx,
- isc_sockaddr_t **addrsp, isc_uint32_t *countp);
-
-void
-ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
- isc_uint32_t count);
-
-isc_result_t
-ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
- isc_sockaddr_t **addrsp, dns_name_t ***keys,
- isc_uint32_t *countp);
-
-void
-ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
- dns_name_t ***keys, isc_uint32_t count);
-
-isc_result_t
-ns_config_getport(cfg_obj_t *config, in_port_t *portp);
-
-isc_result_t
-ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
-
-#endif /* NAMED_CONFIG_H */
diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h
deleted file mode 100644
index bbb7d36cbbe7..000000000000
--- a/contrib/bind9/bin/named/include/named/control.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: control.h,v 1.6.2.2.2.7 2004/09/03 03:43:32 marka Exp $ */
-
-#ifndef NAMED_CONTROL_H
-#define NAMED_CONTROL_H 1
-
-/*
- * The name server command channel.
- */
-
-#include <isccc/types.h>
-
-#include <named/aclconf.h>
-#include <named/types.h>
-
-#define NS_CONTROL_PORT 953
-
-#define NS_COMMAND_STOP "stop"
-#define NS_COMMAND_HALT "halt"
-#define NS_COMMAND_RELOAD "reload"
-#define NS_COMMAND_RECONFIG "reconfig"
-#define NS_COMMAND_REFRESH "refresh"
-#define NS_COMMAND_RETRANSFER "retransfer"
-#define NS_COMMAND_DUMPSTATS "stats"
-#define NS_COMMAND_QUERYLOG "querylog"
-#define NS_COMMAND_DUMPDB "dumpdb"
-#define NS_COMMAND_TRACE "trace"
-#define NS_COMMAND_NOTRACE "notrace"
-#define NS_COMMAND_FLUSH "flush"
-#define NS_COMMAND_FLUSHNAME "flushname"
-#define NS_COMMAND_STATUS "status"
-#define NS_COMMAND_FREEZE "freeze"
-#define NS_COMMAND_UNFREEZE "unfreeze"
-#define NS_COMMAND_THAW "thaw"
-#define NS_COMMAND_RECURSING "recursing"
-#define NS_COMMAND_NULL "null"
-
-isc_result_t
-ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
-/*
- * Create an initial, empty set of command channels for 'server'.
- */
-
-void
-ns_controls_destroy(ns_controls_t **ctrlsp);
-/*
- * Destroy a set of command channels.
- *
- * Requires:
- * Shutdown of the channels has completed.
- */
-
-isc_result_t
-ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
- ns_aclconfctx_t *aclconfctx);
-/*
- * Configure zero or more command channels into 'controls'
- * as defined in the configuration parse tree 'config'.
- * The channels will evaluate ACLs in the context of
- * 'aclconfctx'.
- */
-
-void
-ns_controls_shutdown(ns_controls_t *controls);
-/*
- * Initiate shutdown of all the command channels in 'controls'.
- */
-
-isc_result_t
-ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text);
-
-#endif /* NAMED_CONTROL_H */
diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h
deleted file mode 100644
index 2cc854839562..000000000000
--- a/contrib/bind9/bin/named/include/named/globals.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: globals.h,v 1.59.68.5 2004/03/08 04:04:20 marka Exp $ */
-
-#ifndef NAMED_GLOBALS_H
-#define NAMED_GLOBALS_H 1
-
-#include <isc/rwlock.h>
-#include <isc/log.h>
-#include <isc/net.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/zone.h>
-
-#include <named/types.h>
-
-#undef EXTERN
-#undef INIT
-#ifdef NS_MAIN
-#define EXTERN
-#define INIT(v) = (v)
-#else
-#define EXTERN extern
-#define INIT(v)
-#endif
-
-EXTERN isc_mem_t * ns_g_mctx INIT(NULL);
-EXTERN unsigned int ns_g_cpus INIT(0);
-EXTERN isc_taskmgr_t * ns_g_taskmgr INIT(NULL);
-EXTERN dns_dispatchmgr_t * ns_g_dispatchmgr INIT(NULL);
-EXTERN isc_entropy_t * ns_g_entropy INIT(NULL);
-EXTERN isc_entropy_t * ns_g_fallbackentropy INIT(NULL);
-
-/*
- * XXXRTH We're going to want multiple timer managers eventually. One
- * for really short timers, another for client timers, and one
- * for zone timers.
- */
-EXTERN isc_timermgr_t * ns_g_timermgr INIT(NULL);
-EXTERN isc_socketmgr_t * ns_g_socketmgr INIT(NULL);
-EXTERN cfg_parser_t * ns_g_parser INIT(NULL);
-EXTERN const char * ns_g_version INIT(VERSION);
-EXTERN in_port_t ns_g_port INIT(0);
-EXTERN in_port_t lwresd_g_listenport INIT(0);
-
-EXTERN ns_server_t * ns_g_server INIT(NULL);
-
-EXTERN isc_boolean_t ns_g_lwresdonly INIT(ISC_FALSE);
-
-/*
- * Logging.
- */
-EXTERN isc_log_t * ns_g_lctx INIT(NULL);
-EXTERN isc_logcategory_t * ns_g_categories INIT(NULL);
-EXTERN isc_logmodule_t * ns_g_modules INIT(NULL);
-EXTERN unsigned int ns_g_debuglevel INIT(0);
-
-/*
- * Current configuration information.
- */
-EXTERN cfg_obj_t * ns_g_config INIT(NULL);
-EXTERN cfg_obj_t * ns_g_defaults INIT(NULL);
-EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR
- "/named.conf");
-EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
- "/rndc.key");
-EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
- "/lwresd.conf");
-EXTERN const char * lwresd_g_resolvconffile INIT("/etc"
- "/resolv.conf");
-EXTERN isc_boolean_t ns_g_conffileset INIT(ISC_FALSE);
-EXTERN isc_boolean_t lwresd_g_useresolvconf INIT(ISC_FALSE);
-EXTERN isc_uint16_t ns_g_udpsize INIT(4096);
-
-/*
- * Initial resource limits.
- */
-EXTERN isc_resourcevalue_t ns_g_initstacksize INIT(0);
-EXTERN isc_resourcevalue_t ns_g_initdatasize INIT(0);
-EXTERN isc_resourcevalue_t ns_g_initcoresize INIT(0);
-EXTERN isc_resourcevalue_t ns_g_initopenfiles INIT(0);
-
-/*
- * Misc.
- */
-EXTERN isc_boolean_t ns_g_coreok INIT(ISC_TRUE);
-EXTERN const char * ns_g_chrootdir INIT(NULL);
-EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
-EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
-
-EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
- "/run/named.pid");
-EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
- "/run/lwresd.pid");
-EXTERN const char * ns_g_username INIT(NULL);
-
-EXTERN int ns_g_listen INIT(3);
-
-#undef EXTERN
-#undef INIT
-
-#endif /* NAMED_GLOBALS_H */
diff --git a/contrib/bind9/bin/named/include/named/interfacemgr.h b/contrib/bind9/bin/named/include/named/interfacemgr.h
deleted file mode 100644
index 54bd91cbd4c5..000000000000
--- a/contrib/bind9/bin/named/include/named/interfacemgr.h
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfacemgr.h,v 1.23.24.7 2004/04/29 01:31:22 marka Exp $ */
-
-#ifndef NAMED_INTERFACEMGR_H
-#define NAMED_INTERFACEMGR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Interface manager
- *
- * The interface manager monitors the operating system's list
- * of network interfaces, creating and destroying listeners
- * as needed.
- *
- * Reliability:
- * No impact expected.
- *
- * Resources:
- *
- * Security:
- * The server will only be able to bind to the DNS port on
- * newly discovered interfaces if it is running as root.
- *
- * Standards:
- * The API for scanning varies greatly among operating systems.
- * This module attempts to hide the differences.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/socket.h>
-
-#include <dns/result.h>
-
-#include <named/listenlist.h>
-#include <named/types.h>
-
-/***
- *** Types
- ***/
-
-#define IFACE_MAGIC ISC_MAGIC('I',':','-',')')
-#define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC)
-
-#define NS_INTERFACEFLAG_ANYADDR 0x01U /* bound to "any" address */
-
-struct ns_interface {
- unsigned int magic; /* Magic number. */
- ns_interfacemgr_t * mgr; /* Interface manager. */
- isc_mutex_t lock;
- int references; /* Locked */
- unsigned int generation; /* Generation number. */
- isc_sockaddr_t addr; /* Address and port. */
- unsigned int flags; /* Interface characteristics */
- char name[32]; /* Null terminated. */
- dns_dispatch_t * udpdispatch; /* UDP dispatcher. */
- isc_socket_t * tcpsocket; /* TCP socket. */
- int ntcptarget; /* Desired number of concurrent
- TCP accepts */
- int ntcpcurrent; /* Current ditto, locked */
- ns_clientmgr_t * clientmgr; /* Client manager. */
- ISC_LINK(ns_interface_t) link;
-};
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_socketmgr_t *socketmgr,
- dns_dispatchmgr_t *dispatchmgr,
- ns_interfacemgr_t **mgrp);
-/*
- * Create a new interface manager.
- *
- * Initially, the new manager will not listen on any interfaces.
- * Call ns_interfacemgr_setlistenon() and/or ns_interfacemgr_setlistenon6()
- * to set nonempty listen-on lists.
- */
-
-void
-ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target);
-
-void
-ns_interfacemgr_detach(ns_interfacemgr_t **targetp);
-
-void
-ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr);
-
-void
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
-/*
- * Scan the operatings system's list of network interfaces
- * and create listeners when new interfaces are discovered.
- * Shut down the sockets for interfaces that go away.
- *
- * This should be called once on server startup and then
- * periodically according to the 'interface-interval' option
- * in named.conf.
- */
-
-void
-ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
- isc_boolean_t verbose);
-/*
- * Similar to ns_interfacemgr_scan(), but this function also tries to see the
- * need for an explicit listen-on when a list element in 'list' is going to
- * override an already-listening a wildcard interface.
- *
- * This function does not update localhost and localnets ACLs.
- *
- * This should be called once on server startup, after configuring views and
- * zones.
- */
-
-void
-ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*
- * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
- * The previous IPv4 listen-on list is freed.
- */
-
-void
-ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
-/*
- * Set the IPv6 "listen-on" list of 'mgr' to 'value'.
- * The previous IPv6 listen-on list is freed.
- */
-
-dns_aclenv_t *
-ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr);
-
-void
-ns_interface_attach(ns_interface_t *source, ns_interface_t **target);
-
-void
-ns_interface_detach(ns_interface_t **targetp);
-
-void
-ns_interface_shutdown(ns_interface_t *ifp);
-/*
- * Stop listening for queries on interface 'ifp'.
- * May safely be called multiple times.
- */
-
-void
-ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
-
-#endif /* NAMED_INTERFACEMGR_H */
diff --git a/contrib/bind9/bin/named/include/named/listenlist.h b/contrib/bind9/bin/named/include/named/listenlist.h
deleted file mode 100644
index 31e889393895..000000000000
--- a/contrib/bind9/bin/named/include/named/listenlist.h
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: listenlist.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
-
-#ifndef NAMED_LISTENLIST_H
-#define NAMED_LISTENLIST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * "Listen lists", as in the "listen-on" configuration statement.
- */
-
-/***
- *** Imports
- ***/
-#include <isc/net.h>
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-typedef struct ns_listenelt ns_listenelt_t;
-typedef struct ns_listenlist ns_listenlist_t;
-
-struct ns_listenelt {
- isc_mem_t * mctx;
- in_port_t port;
- dns_acl_t * acl;
- ISC_LINK(ns_listenelt_t) link;
-};
-
-struct ns_listenlist {
- isc_mem_t * mctx;
- int refcount;
- ISC_LIST(ns_listenelt_t) elts;
-};
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
- dns_acl_t *acl, ns_listenelt_t **target);
-/*
- * Create a listen-on list element.
- */
-
-void
-ns_listenelt_destroy(ns_listenelt_t *elt);
-/*
- * Destroy a listen-on list element.
- */
-
-isc_result_t
-ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
-/*
- * Create a new, empty listen-on list.
- */
-
-void
-ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
-/*
- * Attach '*target' to '*source'.
- */
-
-void
-ns_listenlist_detach(ns_listenlist_t **listp);
-/*
- * Detach 'listp'.
- */
-
-isc_result_t
-ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
- isc_boolean_t enabled, ns_listenlist_t **target);
-/*
- * Create a listen-on list with default contents, matching
- * all addresses with port 'port' (if 'enabled' is ISC_TRUE),
- * or no addresses (if 'enabled' is ISC_FALSE).
- */
-
-#endif /* NAMED_LISTENLIST_H */
-
-
diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h
deleted file mode 100644
index e8ad1ca15ff1..000000000000
--- a/contrib/bind9/bin/named/include/named/log.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */
-
-#ifndef NAMED_LOG_H
-#define NAMED_LOG_H 1
-
-#include <isc/log.h>
-#include <isc/types.h>
-
-#include <dns/log.h>
-
-#include <named/globals.h> /* Required for ns_g_(categories|modules). */
-
-/* Unused slot 0. */
-#define NS_LOGCATEGORY_CLIENT (&ns_g_categories[1])
-#define NS_LOGCATEGORY_NETWORK (&ns_g_categories[2])
-#define NS_LOGCATEGORY_UPDATE (&ns_g_categories[3])
-#define NS_LOGCATEGORY_QUERIES (&ns_g_categories[4])
-#define NS_LOGCATEGORY_UNMATCHED (&ns_g_categories[5])
-#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_g_categories[6])
-
-/*
- * Backwards compatibility.
- */
-#define NS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
-
-#define NS_LOGMODULE_MAIN (&ns_g_modules[0])
-#define NS_LOGMODULE_CLIENT (&ns_g_modules[1])
-#define NS_LOGMODULE_SERVER (&ns_g_modules[2])
-#define NS_LOGMODULE_QUERY (&ns_g_modules[3])
-#define NS_LOGMODULE_INTERFACEMGR (&ns_g_modules[4])
-#define NS_LOGMODULE_UPDATE (&ns_g_modules[5])
-#define NS_LOGMODULE_XFER_IN (&ns_g_modules[6])
-#define NS_LOGMODULE_XFER_OUT (&ns_g_modules[7])
-#define NS_LOGMODULE_NOTIFY (&ns_g_modules[8])
-#define NS_LOGMODULE_CONTROL (&ns_g_modules[9])
-#define NS_LOGMODULE_LWRESD (&ns_g_modules[10])
-
-isc_result_t
-ns_log_init(isc_boolean_t safe);
-/*
- * Initialize the logging system and set up an initial default
- * logging default configuration that will be used until the
- * config file has been read.
- *
- * If 'safe' is true, use a default configuration that refrains
- * from opening files. This is to avoid creating log files
- * as root.
- */
-
-isc_result_t
-ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
-/*
- * Set up logging channels according to the named defaults, which
- * may differ from the logging library defaults. Currently,
- * this just means setting up default_debug.
- */
-
-isc_result_t
-ns_log_setsafechannels(isc_logconfig_t *lcfg);
-/*
- * Like ns_log_setdefaultchannels(), but omits any logging to files.
- */
-
-isc_result_t
-ns_log_setdefaultcategory(isc_logconfig_t *lcfg);
-/*
- * Set up "category default" to go to the right places.
- */
-
-isc_result_t
-ns_log_setunmatchedcategory(isc_logconfig_t *lcfg);
-/*
- * Set up "category unmatched" to go to the right places.
- */
-
-void
-ns_log_shutdown(void);
-
-#endif /* NAMED_LOG_H */
diff --git a/contrib/bind9/bin/named/include/named/logconf.h b/contrib/bind9/bin/named/include/named/logconf.h
deleted file mode 100644
index a6f7450c9386..000000000000
--- a/contrib/bind9/bin/named/include/named/logconf.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: logconf.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
-
-#ifndef NAMED_LOGCONF_H
-#define NAMED_LOGCONF_H 1
-
-#include <isc/log.h>
-
-isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt);
-/*
- * Set up the logging configuration in '*logconf' according to
- * the named.conf data in 'logstmt'.
- */
-
-#endif /* NAMED_LOGCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/lwaddr.h b/contrib/bind9/bin/named/include/named/lwaddr.h
deleted file mode 100644
index 0aa66b78019f..000000000000
--- a/contrib/bind9/bin/named/include/named/lwaddr.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwaddr.h,v 1.3.208.1 2004/03/06 10:21:24 marka Exp $ */
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-
-isc_result_t
-lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la);
-
-isc_result_t
-lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
- in_port_t port);
-
-isc_result_t
-lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na);
-
-isc_result_t
-lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa);
diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h
deleted file mode 100644
index 09d68ff086e3..000000000000
--- a/contrib/bind9/bin/named/include/named/lwdclient.h
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdclient.h,v 1.13.208.1 2004/03/06 10:21:24 marka Exp $ */
-
-#ifndef NAMED_LWDCLIENT_H
-#define NAMED_LWDCLIENT_H 1
-
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/types.h>
-
-#include <dns/fixedname.h>
-#include <dns/types.h>
-
-#include <lwres/lwres.h>
-
-#include <named/lwsearch.h>
-
-#define LWRD_EVENTCLASS ISC_EVENTCLASS(4242)
-
-#define LWRD_SHUTDOWN (LWRD_EVENTCLASS + 0x0001)
-
-struct ns_lwdclient {
- isc_sockaddr_t address; /* where to reply */
- struct in6_pktinfo pktinfo;
- isc_boolean_t pktinfo_valid;
- ns_lwdclientmgr_t *clientmgr; /* our parent */
- ISC_LINK(ns_lwdclient_t) link;
- unsigned int state;
- void *arg; /* packet processing state */
-
- /*
- * Received data info.
- */
- unsigned char buffer[LWRES_RECVLENGTH]; /* receive buffer */
- isc_uint32_t recvlength; /* length recv'd */
- lwres_lwpacket_t pkt;
-
- /*
- * Send data state. If sendbuf != buffer (that is, the send buffer
- * isn't our receive buffer) it will be freed to the lwres_context_t.
- */
- unsigned char *sendbuf;
- isc_uint32_t sendlength;
- isc_buffer_t recv_buffer;
-
- /*
- * gabn (get address by name) state info.
- */
- dns_adbfind_t *find;
- dns_adbfind_t *v4find;
- dns_adbfind_t *v6find;
- unsigned int find_wanted; /* Addresses we want */
- dns_fixedname_t query_name;
- dns_fixedname_t target_name;
- ns_lwsearchctx_t searchctx;
- lwres_gabnresponse_t gabn;
-
- /*
- * gnba (get name by address) state info.
- */
- lwres_gnbaresponse_t gnba;
- dns_byaddr_t *byaddr;
- unsigned int options;
- isc_netaddr_t na;
-
- /*
- * grbn (get rrset by name) state info.
- *
- * Note: this also uses target_name and searchctx.
- */
- lwres_grbnresponse_t grbn;
- dns_lookup_t *lookup;
- dns_rdatatype_t rdtype;
-
- /*
- * Alias and address info. This is copied up to the gabn/gnba
- * structures eventually.
- *
- * XXXMLG We can keep all of this in a client since we only service
- * three packet types right now. If we started handling more,
- * we'd need to use "arg" above and allocate/destroy things.
- */
- char *aliases[LWRES_MAX_ALIASES];
- isc_uint16_t aliaslen[LWRES_MAX_ALIASES];
- lwres_addr_t addrs[LWRES_MAX_ADDRS];
-};
-
-/*
- * Client states.
- *
- * _IDLE The client is not doing anything at all.
- *
- * _RECV The client is waiting for data after issuing a socket recv().
- *
- * _RECVDONE Data has been received, and is being processed.
- *
- * _FINDWAIT An adb (or other) request was made that cannot be satisfied
- * immediately. An event will wake the client up.
- *
- * _SEND All data for a response has completed, and a reply was
- * sent via a socket send() call.
- *
- * Badly formatted state table:
- *
- * IDLE -> RECV when client has a recv() queued.
- *
- * RECV -> RECVDONE when recvdone event received.
- *
- * RECVDONE -> SEND if the data for a reply is at hand.
- * RECVDONE -> FINDWAIT if more searching is needed, and events will
- * eventually wake us up again.
- *
- * FINDWAIT -> SEND when enough data was received to reply.
- *
- * SEND -> IDLE when a senddone event was received.
- *
- * At any time -> IDLE on error. Sometimes this will be -> SEND
- * instead, if enough data is on hand to reply with a meaningful
- * error.
- *
- * Packets which are badly formatted may or may not get error returns.
- */
-#define NS_LWDCLIENT_STATEIDLE 1
-#define NS_LWDCLIENT_STATERECV 2
-#define NS_LWDCLIENT_STATERECVDONE 3
-#define NS_LWDCLIENT_STATEFINDWAIT 4
-#define NS_LWDCLIENT_STATESEND 5
-#define NS_LWDCLIENT_STATESENDDONE 6
-
-#define NS_LWDCLIENT_ISIDLE(c) \
- ((c)->state == NS_LWDCLIENT_STATEIDLE)
-#define NS_LWDCLIENT_ISRECV(c) \
- ((c)->state == NS_LWDCLIENT_STATERECV)
-#define NS_LWDCLIENT_ISRECVDONE(c) \
- ((c)->state == NS_LWDCLIENT_STATERECVDONE)
-#define NS_LWDCLIENT_ISFINDWAIT(c) \
- ((c)->state == NS_LWDCLIENT_STATEFINDWAIT)
-#define NS_LWDCLIENT_ISSEND(c) \
- ((c)->state == NS_LWDCLIENT_STATESEND)
-
-/*
- * Overall magic test that means we're not idle.
- */
-#define NS_LWDCLIENT_ISRUNNING(c) (!NS_LWDCLIENT_ISIDLE(c))
-
-#define NS_LWDCLIENT_SETIDLE(c) \
- ((c)->state = NS_LWDCLIENT_STATEIDLE)
-#define NS_LWDCLIENT_SETRECV(c) \
- ((c)->state = NS_LWDCLIENT_STATERECV)
-#define NS_LWDCLIENT_SETRECVDONE(c) \
- ((c)->state = NS_LWDCLIENT_STATERECVDONE)
-#define NS_LWDCLIENT_SETFINDWAIT(c) \
- ((c)->state = NS_LWDCLIENT_STATEFINDWAIT)
-#define NS_LWDCLIENT_SETSEND(c) \
- ((c)->state = NS_LWDCLIENT_STATESEND)
-#define NS_LWDCLIENT_SETSENDDONE(c) \
- ((c)->state = NS_LWDCLIENT_STATESENDDONE)
-
-struct ns_lwdclientmgr {
- ns_lwreslistener_t *listener;
- isc_mem_t *mctx;
- isc_socket_t *sock; /* socket to use */
- dns_view_t *view;
- lwres_context_t *lwctx; /* lightweight proto context */
- isc_task_t *task; /* owning task */
- unsigned int flags;
- ISC_LINK(ns_lwdclientmgr_t) link;
- ISC_LIST(ns_lwdclient_t) idle; /* idle client slots */
- ISC_LIST(ns_lwdclient_t) running; /* running clients */
-};
-
-#define NS_LWDCLIENTMGR_FLAGRECVPENDING 0x00000001
-#define NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN 0x00000002
-
-isc_result_t
-ns_lwdclientmgr_create(ns_lwreslistener_t *, unsigned int, isc_taskmgr_t *);
-
-void
-ns_lwdclient_initialize(ns_lwdclient_t *, ns_lwdclientmgr_t *);
-
-isc_result_t
-ns_lwdclient_startrecv(ns_lwdclientmgr_t *);
-
-void
-ns_lwdclient_stateidle(ns_lwdclient_t *);
-
-void
-ns_lwdclient_recv(isc_task_t *, isc_event_t *);
-
-void
-ns_lwdclient_shutdown(isc_task_t *, isc_event_t *);
-
-void
-ns_lwdclient_send(isc_task_t *, isc_event_t *);
-
-isc_result_t
-ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r);
-
-/*
- * Processing functions of various types.
- */
-void ns_lwdclient_processgabn(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processgnba(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processgrbn(ns_lwdclient_t *, lwres_buffer_t *);
-void ns_lwdclient_processnoop(ns_lwdclient_t *, lwres_buffer_t *);
-
-void ns_lwdclient_errorpktsend(ns_lwdclient_t *, isc_uint32_t);
-
-void ns_lwdclient_log(int level, const char *format, ...)
- ISC_FORMAT_PRINTF(2, 3);
-
-#endif /* NAMED_LWDCLIENT_H */
diff --git a/contrib/bind9/bin/named/include/named/lwresd.h b/contrib/bind9/bin/named/include/named/lwresd.h
deleted file mode 100644
index 7ba857c04ed1..000000000000
--- a/contrib/bind9/bin/named/include/named/lwresd.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwresd.h,v 1.12.208.1 2004/03/06 10:21:25 marka Exp $ */
-
-#ifndef NAMED_LWRESD_H
-#define NAMED_LWRESD_H 1
-
-#include <isc/types.h>
-#include <isc/sockaddr.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/types.h>
-
-struct ns_lwresd {
- unsigned int magic;
-
- isc_mutex_t lock;
- dns_view_t *view;
- ns_lwsearchlist_t *search;
- unsigned int ndots;
- isc_mem_t *mctx;
- isc_boolean_t shutting_down;
- unsigned int refs;
-};
-
-struct ns_lwreslistener {
- unsigned int magic;
-
- isc_mutex_t lock;
- isc_mem_t *mctx;
- isc_sockaddr_t address;
- ns_lwresd_t *manager;
- isc_socket_t *sock;
- unsigned int refs;
- ISC_LIST(ns_lwdclientmgr_t) cmgrs;
- ISC_LINK(ns_lwreslistener_t) link;
-};
-
-/*
- * Configure lwresd.
- */
-isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config);
-
-isc_result_t
-ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
- cfg_obj_t **configp);
-
-/*
- * Trigger shutdown.
- */
-void
-ns_lwresd_shutdown(void);
-
-/*
- * Manager functions
- */
-isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres, ns_lwresd_t **lwresdp);
-
-void
-ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
-
-void
-ns_lwdmanager_detach(ns_lwresd_t **lwresdp);
-
-/*
- * Listener functions
- */
-void
-ns_lwreslistener_attach(ns_lwreslistener_t *source,
- ns_lwreslistener_t **targetp);
-
-void
-ns_lwreslistener_detach(ns_lwreslistener_t **listenerp);
-
-void
-ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
-
-void
-ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
-
-
-
-
-/*
- * INTERNAL FUNCTIONS.
- */
-void *
-ns__lwresd_memalloc(void *arg, size_t size);
-
-void
-ns__lwresd_memfree(void *arg, void *mem, size_t size);
-
-#endif /* NAMED_LWRESD_H */
diff --git a/contrib/bind9/bin/named/include/named/lwsearch.h b/contrib/bind9/bin/named/include/named/lwsearch.h
deleted file mode 100644
index a864a89d8292..000000000000
--- a/contrib/bind9/bin/named/include/named/lwsearch.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwsearch.h,v 1.4.208.1 2004/03/06 10:21:25 marka Exp $ */
-
-#ifndef NAMED_LWSEARCH_H
-#define NAMED_LWSEARCH_H 1
-
-#include <isc/mutex.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-#include <named/types.h>
-
-/*
- * Lightweight resolver search list types and routines.
- *
- * An ns_lwsearchlist_t holds a list of search path elements.
- *
- * An ns_lwsearchctx stores the state of search list during a lookup
- * operation.
- */
-
-struct ns_lwsearchlist {
- unsigned int magic;
-
- isc_mutex_t lock;
- isc_mem_t *mctx;
- unsigned int refs;
- dns_namelist_t names;
-};
-
-struct ns_lwsearchctx {
- dns_name_t *relname;
- dns_name_t *searchname;
- unsigned int ndots;
- ns_lwsearchlist_t *list;
- isc_boolean_t doneexact;
- isc_boolean_t exactfirst;
-};
-
-isc_result_t
-ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp);
-/*
- * Create an empty search list object.
- */
-
-void
-ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target);
-/*
- * Attach to a search list object.
- */
-
-void
-ns_lwsearchlist_detach(ns_lwsearchlist_t **listp);
-/*
- * Detach from a search list object.
- */
-
-isc_result_t
-ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name);
-/*
- * Append an element to a search list. This creates a copy of the name.
- */
-
-void
-ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
- dns_name_t *name, unsigned int ndots);
-/*
- * Creates a search list context structure.
- */
-
-void
-ns_lwsearchctx_first(ns_lwsearchctx_t *sctx);
-/*
- * Moves the search list context iterator to the first element, which
- * is usually the exact name.
- */
-
-isc_result_t
-ns_lwsearchctx_next(ns_lwsearchctx_t *sctx);
-/*
- * Moves the search list context iterator to the next element.
- */
-
-isc_result_t
-ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname);
-/*
- * Obtains the current name to be looked up. This involves either
- * concatenating the name with a search path element, making an
- * exact name absolute, or doing nothing.
- */
-
-#endif /* NAMED_LWSEARCH_H */
diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h
deleted file mode 100644
index e37b5198fd03..000000000000
--- a/contrib/bind9/bin/named/include/named/main.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: main.h,v 1.8.2.2.8.4 2004/03/08 04:04:21 marka Exp $ */
-
-#ifndef NAMED_MAIN_H
-#define NAMED_MAIN_H 1
-
-void
-ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-ns_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-ns_main_setmemstats(const char *);
-
-#endif /* NAMED_MAIN_H */
diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h
deleted file mode 100644
index 3cb1d854e932..000000000000
--- a/contrib/bind9/bin/named/include/named/notify.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: notify.h,v 1.9.208.1 2004/03/06 10:21:25 marka Exp $ */
-
-#ifndef NAMED_NOTIFY_H
-#define NAMED_NOTIFY_H 1
-
-#include <named/types.h>
-#include <named/client.h>
-
-/***
- *** Module Info
- ***/
-
-/*
- * RFC 1996
- * A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
- */
-
-/***
- *** Functions.
- ***/
-
-void
-ns_notify_start(ns_client_t *client);
-
-/*
- * Examines the incoming message to determine apporiate zone.
- * Returns FORMERR if there is not exactly one question.
- * Returns REFUSED if we do not serve the listed zone.
- * Pass the message to the zone module for processing
- * and returns the return status.
- *
- * Requires
- * client to be valid.
- */
-
-#endif /* NAMED_NOTIFY_H */
-
diff --git a/contrib/bind9/bin/named/include/named/ns_smf_globals.h b/contrib/bind9/bin/named/include/named/ns_smf_globals.h
deleted file mode 100644
index 49aa31dc5c06..000000000000
--- a/contrib/bind9/bin/named/include/named/ns_smf_globals.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2005 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ns_smf_globals.h,v 1.2.4.4 2005/05/13 01:22:33 marka Exp $ */
-
-#ifndef NS_SMF_GLOBALS_H
-#define NS_SMF_GLOBALS_H 1
-
-#include <libscf.h>
-
-#undef EXTERN
-#undef INIT
-#ifdef NS_MAIN
-#define EXTERN
-#define INIT(v) = (v)
-#else
-#define EXTERN extern
-#define INIT(v)
-#endif
-
-EXTERN unsigned int ns_smf_got_instance INIT(0);
-EXTERN unsigned int ns_smf_chroot INIT(0);
-EXTERN unsigned int ns_smf_want_disable INIT(0);
-
-isc_result_t ns_smf_add_message(isc_buffer_t *text);
-isc_result_t ns_smf_get_instance(char **name, int debug, isc_mem_t *mctx);
-
-#undef EXTERN
-#undef INIT
-
-#endif /* NS_SMF_GLOBALS_H */
diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h
deleted file mode 100644
index 6f348d530e7c..000000000000
--- a/contrib/bind9/bin/named/include/named/query.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: query.h,v 1.28.2.3.8.6 2004/03/08 04:04:21 marka Exp $ */
-
-#ifndef NAMED_QUERY_H
-#define NAMED_QUERY_H 1
-
-#include <isc/types.h>
-#include <isc/buffer.h>
-#include <isc/netaddr.h>
-
-#include <dns/types.h>
-
-#include <named/types.h>
-
-typedef struct ns_dbversion {
- dns_db_t *db;
- dns_dbversion_t *version;
- isc_boolean_t queryok;
- ISC_LINK(struct ns_dbversion) link;
-} ns_dbversion_t;
-
-struct ns_query {
- unsigned int attributes;
- unsigned int restarts;
- isc_boolean_t timerset;
- dns_name_t * qname;
- dns_name_t * origqname;
- unsigned int dboptions;
- unsigned int fetchoptions;
- dns_db_t * gluedb;
- dns_db_t * authdb;
- dns_zone_t * authzone;
- isc_boolean_t authdbset;
- isc_boolean_t isreferral;
- isc_mutex_t fetchlock;
- dns_fetch_t * fetch;
- isc_bufferlist_t namebufs;
- ISC_LIST(ns_dbversion_t) activeversions;
- ISC_LIST(ns_dbversion_t) freeversions;
-};
-
-#define NS_QUERYATTR_RECURSIONOK 0x0001
-#define NS_QUERYATTR_CACHEOK 0x0002
-#define NS_QUERYATTR_PARTIALANSWER 0x0004
-#define NS_QUERYATTR_NAMEBUFUSED 0x0008
-#define NS_QUERYATTR_RECURSING 0x0010
-#define NS_QUERYATTR_CACHEGLUEOK 0x0020
-#define NS_QUERYATTR_QUERYOKVALID 0x0040
-#define NS_QUERYATTR_QUERYOK 0x0080
-#define NS_QUERYATTR_WANTRECURSION 0x0100
-#define NS_QUERYATTR_SECURE 0x0200
-#define NS_QUERYATTR_NOAUTHORITY 0x0400
-#define NS_QUERYATTR_NOADDITIONAL 0x0800
-
-isc_result_t
-ns_query_init(ns_client_t *client);
-
-void
-ns_query_free(ns_client_t *client);
-
-void
-ns_query_start(ns_client_t *client);
-
-void
-ns_query_cancel(ns_client_t *client);
-
-#endif /* NAMED_QUERY_H */
diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h
deleted file mode 100644
index 97eb2efce341..000000000000
--- a/contrib/bind9/bin/named/include/named/server.h
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: server.h,v 1.58.2.1.10.11 2004/03/08 04:04:21 marka Exp $ */
-
-#ifndef NAMED_SERVER_H
-#define NAMED_SERVER_H 1
-
-#include <isc/log.h>
-#include <isc/sockaddr.h>
-#include <isc/magic.h>
-#include <isc/types.h>
-#include <isc/quota.h>
-
-#include <dns/types.h>
-#include <dns/acl.h>
-
-#include <named/types.h>
-
-#define NS_EVENTCLASS ISC_EVENTCLASS(0x4E43)
-#define NS_EVENT_RELOAD (NS_EVENTCLASS + 0)
-#define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1)
-
-/*
- * Name server state. Better here than in lots of separate global variables.
- */
-struct ns_server {
- unsigned int magic;
- isc_mem_t * mctx;
-
- isc_task_t * task;
-
- /* Configurable data. */
- isc_quota_t xfroutquota;
- isc_quota_t tcpquota;
- isc_quota_t recursionquota;
- dns_acl_t *blackholeacl;
- char * statsfile; /* Statistics file name */
- char * dumpfile; /* Dump file name */
- char * recfile; /* Recursive file name */
- isc_boolean_t version_set; /* User has set version */
- char * version; /* User-specified version */
- isc_boolean_t hostname_set; /* User has set hostname */
- char * hostname; /* User-specified hostname */
- /* Use hostname for server id */
- isc_boolean_t server_usehostname;
- char * server_id; /* User-specified server id */
-
- /*
- * Current ACL environment. This defines the
- * current values of the localhost and localnets
- * ACLs.
- */
- dns_aclenv_t aclenv;
-
- /* Server data structures. */
- dns_loadmgr_t * loadmgr;
- dns_zonemgr_t * zonemgr;
- dns_viewlist_t viewlist;
- ns_interfacemgr_t * interfacemgr;
- dns_db_t * in_roothints;
- dns_tkeyctx_t * tkeyctx;
-
- isc_timer_t * interface_timer;
- isc_timer_t * heartbeat_timer;
- isc_uint32_t interface_interval;
- isc_uint32_t heartbeat_interval;
-
- isc_mutex_t reload_event_lock;
- isc_event_t * reload_event;
-
- isc_boolean_t flushonshutdown;
- isc_boolean_t log_queries; /* For BIND 8 compatibility */
-
- isc_uint64_t * querystats; /* Query statistics counters */
-
- ns_controls_t * controls; /* Control channels */
- unsigned int dispatchgen;
- ns_dispatchlist_t dispatches;
-
-};
-
-#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
-#define NS_SERVER_VALID(s) ISC_MAGIC_VALID(s, NS_SERVER_MAGIC)
-
-void
-ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
-/*
- * Create a server object with default settings.
- * This function either succeeds or causes the program to exit
- * with a fatal error.
- */
-
-void
-ns_server_destroy(ns_server_t **serverp);
-/*
- * Destroy a server object, freeing its memory.
- */
-
-void
-ns_server_reloadwanted(ns_server_t *server);
-/*
- * Inform a server that a reload is wanted. This function
- * may be called asynchronously, from outside the server's task.
- * If a reload is already scheduled or in progress, the call
- * is ignored.
- */
-
-void
-ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
-/*
- * Inform the server that the zones should be flushed to disk on shutdown.
- */
-
-isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*
- * Act on a "reload" command from the command channel.
- */
-
-isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args);
-/*
- * Act on a "reconfig" command from the command channel.
- */
-
-isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text);
-/*
- * Act on a "refresh" command from the command channel.
- */
-
-isc_result_t
-ns_server_retransfercommand(ns_server_t *server, char *args);
-/*
- * Act on a "retransfer" command from the command channel.
- */
-
-isc_result_t
-ns_server_togglequerylog(ns_server_t *server);
-/*
- * Toggle logging of queries, as in BIND 8.
- */
-
-/*
- * Dump the current statistics to the statistics file.
- */
-isc_result_t
-ns_server_dumpstats(ns_server_t *server);
-
-/*
- * Dump the current cache to the dump file.
- */
-isc_result_t
-ns_server_dumpdb(ns_server_t *server, char *args);
-
-/*
- * Change or increment the server debug level.
- */
-isc_result_t
-ns_server_setdebuglevel(ns_server_t *server, char *args);
-
-/*
- * Flush the server's cache(s)
- */
-isc_result_t
-ns_server_flushcache(ns_server_t *server, char *args);
-
-/*
- * Flush a particular name from the server's cache(s)
- */
-isc_result_t
-ns_server_flushname(ns_server_t *server, char *args);
-
-/*
- * Report the server's status.
- */
-isc_result_t
-ns_server_status(ns_server_t *server, isc_buffer_t *text);
-
-/*
- * Enable or disable updates for a zone.
- */
-isc_result_t
-ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args);
-
-/*
- * Dump the current recursive queries.
- */
-isc_result_t
-ns_server_dumprecursing(ns_server_t *server);
-
-/*
- * Maintain a list of dispatches that require reserved ports.
- */
-void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr);
-
-#endif /* NAMED_SERVER_H */
diff --git a/contrib/bind9/bin/named/include/named/sortlist.h b/contrib/bind9/bin/named/include/named/sortlist.h
deleted file mode 100644
index 88a149387795..000000000000
--- a/contrib/bind9/bin/named/include/named/sortlist.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sortlist.h,v 1.4.208.1 2004/03/06 10:21:26 marka Exp $ */
-
-#ifndef NAMED_SORTLIST_H
-#define NAMED_SORTLIST_H 1
-
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-/*
- * Type for callback functions that rank addresses.
- */
-typedef int
-(*dns_addressorderfunc_t)(isc_netaddr_t *address, void *arg);
-
-/*
- * Return value type for setup_sortlist.
- */
-typedef enum {
- NS_SORTLISTTYPE_NONE,
- NS_SORTLISTTYPE_1ELEMENT,
- NS_SORTLISTTYPE_2ELEMENT
-} ns_sortlisttype_t;
-
-ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
-/*
- * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
- *
- * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
- * make '*argp' point to the matching subelement.
- *
- * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
- * make '*argp' point to ACL that forms the second element.
- *
- * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
- * to NULL.
- */
-
-int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg);
-/*
- * Find the sort order of 'addr' in 'arg', the matching element
- * of a 1-element top-level sortlist statement.
- */
-
-int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
-/*
- * Find the sort order of 'addr' in 'arg', a topology-like
- * ACL forming the second element in a 2-element top-level
- * sortlist statement.
- */
-
-void
-ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
- dns_addressorderfunc_t *orderp,
- void **argp);
-/*
- * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
- * If a sortlist statement applies, return in '*orderp' a pointer to a function
- * for ranking network addresses based on that sortlist statement, and in
- * '*argp' an argument to pass to said function. If no sortlist statement
- * applies, set '*orderp' and '*argp' to NULL.
- */
-
-#endif /* NAMED_SORTLIST_H */
diff --git a/contrib/bind9/bin/named/include/named/tkeyconf.h b/contrib/bind9/bin/named/include/named/tkeyconf.h
deleted file mode 100644
index e3710eae3e00..000000000000
--- a/contrib/bind9/bin/named/include/named/tkeyconf.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tkeyconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
-
-#ifndef NS_TKEYCONF_H
-#define NS_TKEYCONF_H 1
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-#include <isccfg/cfg.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
- dns_tkeyctx_t **tctxp);
-/*
- * Create a TKEY context and configure it, including the default DH key
- * and default domain, according to 'options'.
- *
- * Requires:
- * 'cfg' is a valid configuration options object.
- * 'mctx' is not NULL
- * 'ectx' is not NULL
- * 'tctx' is not NULL
- * '*tctx' is NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_TKEYCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h
deleted file mode 100644
index ef4161ded8a1..000000000000
--- a/contrib/bind9/bin/named/include/named/tsigconf.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsigconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
-
-#ifndef NS_TSIGCONF_H
-#define NS_TSIGCONF_H 1
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
- isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
-/*
- * Create a TSIG key ring and configure it according to the 'key'
- * statements in the global and view configuration objects.
- *
- * Requires:
- * 'config' is not NULL.
- * 'mctx' is not NULL
- * 'ring' is not NULL, and '*ring' is NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_TSIGCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h
deleted file mode 100644
index eb44c53b66f3..000000000000
--- a/contrib/bind9/bin/named/include/named/types.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: types.h,v 1.19.208.2 2004/03/06 10:21:26 marka Exp $ */
-
-#ifndef NAMED_TYPES_H
-#define NAMED_TYPES_H 1
-
-#include <dns/types.h>
-
-typedef struct ns_client ns_client_t;
-typedef struct ns_clientmgr ns_clientmgr_t;
-typedef struct ns_query ns_query_t;
-typedef struct ns_server ns_server_t;
-typedef struct ns_interface ns_interface_t;
-typedef struct ns_interfacemgr ns_interfacemgr_t;
-typedef struct ns_lwresd ns_lwresd_t;
-typedef struct ns_lwreslistener ns_lwreslistener_t;
-typedef struct ns_lwdclient ns_lwdclient_t;
-typedef struct ns_lwdclientmgr ns_lwdclientmgr_t;
-typedef struct ns_lwsearchlist ns_lwsearchlist_t;
-typedef struct ns_lwsearchctx ns_lwsearchctx_t;
-typedef struct ns_controls ns_controls_t;
-typedef struct ns_dispatch ns_dispatch_t;
-typedef ISC_LIST(ns_dispatch_t) ns_dispatchlist_t;
-
-#endif /* NAMED_TYPES_H */
diff --git a/contrib/bind9/bin/named/include/named/update.h b/contrib/bind9/bin/named/include/named/update.h
deleted file mode 100644
index 4c97235cc93c..000000000000
--- a/contrib/bind9/bin/named/include/named/update.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: update.h,v 1.8.208.1 2004/03/06 10:21:26 marka Exp $ */
-
-#ifndef NAMED_UPDATE_H
-#define NAMED_UPDATE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * RFC2136 Dynamic Update
- */
-
-/***
- *** Imports
- ***/
-
-#include <dns/types.h>
-#include <dns/result.h>
-
-/***
- *** Types.
- ***/
-
-/***
- *** Functions
- ***/
-
-void
-ns_update_start(ns_client_t *client, isc_result_t sigresult);
-
-#endif /* NAMED_UPDATE_H */
diff --git a/contrib/bind9/bin/named/include/named/xfrout.h b/contrib/bind9/bin/named/include/named/xfrout.h
deleted file mode 100644
index e96ff31dd2de..000000000000
--- a/contrib/bind9/bin/named/include/named/xfrout.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: xfrout.h,v 1.7.208.1 2004/03/06 10:21:27 marka Exp $ */
-
-#ifndef NAMED_XFROUT_H
-#define NAMED_XFROUT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Outgoing zone transfers (AXFR + IXFR).
- */
-
-/***
- *** Functions
- ***/
-
-void
-ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
-
-#endif /* NAMED_XFROUT_H */
diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h
deleted file mode 100644
index 3b8f200dc79f..000000000000
--- a/contrib/bind9/bin/named/include/named/zoneconf.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zoneconf.h,v 1.16.2.2.8.1 2004/03/06 10:21:27 marka Exp $ */
-
-#ifndef NS_ZONECONF_H
-#define NS_ZONECONF_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <isccfg/cfg.h>
-
-#include <named/aclconf.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
- ns_aclconfctx_t *ac, dns_zone_t *zone);
-/*
- * Configure or reconfigure a zone according to the named.conf
- * data in 'cctx' and 'czone'.
- *
- * The zone origin is not configured, it is assumed to have been set
- * at zone creation time.
- *
- * Require:
- * 'lctx' to be initialized or NULL.
- * 'cctx' to be initialized or NULL.
- * 'ac' to point to an initialized ns_aclconfctx_t.
- * 'czone' to be initialized.
- * 'zone' to be initialized.
- */
-
-isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig);
-/*
- * If 'zone' can be safely reconfigured according to the configuration
- * data in 'zconfig', return ISC_TRUE. If the configuration data is so
- * different from the current zone state that the zone needs to be destroyed
- * and recreated, return ISC_FALSE.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* NS_ZONECONF_H */
diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c
deleted file mode 100644
index b212892c8e1a..000000000000
--- a/contrib/bind9/bin/named/interfacemgr.c
+++ /dev/null
@@ -1,911 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfacemgr.c,v 1.59.2.5.8.15 2004/08/10 04:56:23 jinmei Exp $ */
-
-#include <config.h>
-
-#include <isc/interfaceiter.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/dispatch.h>
-
-#include <named/client.h>
-#include <named/log.h>
-#include <named/interfacemgr.h>
-
-#define IFMGR_MAGIC ISC_MAGIC('I', 'F', 'M', 'G')
-#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC)
-
-#define IFMGR_COMMON_LOGARGS \
- ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR
-
-struct ns_interfacemgr {
- unsigned int magic; /* Magic number. */
- int references;
- isc_mutex_t lock;
- isc_mem_t * mctx; /* Memory context. */
- isc_taskmgr_t * taskmgr; /* Task manager. */
- isc_socketmgr_t * socketmgr; /* Socket manager. */
- dns_dispatchmgr_t * dispatchmgr;
- unsigned int generation; /* Current generation no. */
- ns_listenlist_t * listenon4;
- ns_listenlist_t * listenon6;
- dns_aclenv_t aclenv; /* Localhost/localnets ACLs */
- ISC_LIST(ns_interface_t) interfaces; /* List of interfaces. */
-};
-
-static void
-purge_old_interfaces(ns_interfacemgr_t *mgr);
-
-isc_result_t
-ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_socketmgr_t *socketmgr,
- dns_dispatchmgr_t *dispatchmgr,
- ns_interfacemgr_t **mgrp)
-{
- isc_result_t result;
- ns_interfacemgr_t *mgr;
-
- REQUIRE(mctx != NULL);
- REQUIRE(mgrp != NULL);
- REQUIRE(*mgrp == NULL);
-
- mgr = isc_mem_get(mctx, sizeof(*mgr));
- if (mgr == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_mutex_init(&mgr->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_mem;
-
- mgr->mctx = mctx;
- mgr->taskmgr = taskmgr;
- mgr->socketmgr = socketmgr;
- mgr->dispatchmgr = dispatchmgr;
- mgr->generation = 1;
- mgr->listenon4 = NULL;
- mgr->listenon6 = NULL;
-
- ISC_LIST_INIT(mgr->interfaces);
-
- /*
- * The listen-on lists are initially empty.
- */
- result = ns_listenlist_create(mctx, &mgr->listenon4);
- if (result != ISC_R_SUCCESS)
- goto cleanup_mem;
- ns_listenlist_attach(mgr->listenon4, &mgr->listenon6);
-
- result = dns_aclenv_init(mctx, &mgr->aclenv);
- if (result != ISC_R_SUCCESS)
- goto cleanup_listenon;
-
- mgr->references = 1;
- mgr->magic = IFMGR_MAGIC;
- *mgrp = mgr;
- return (ISC_R_SUCCESS);
-
- cleanup_listenon:
- ns_listenlist_detach(&mgr->listenon4);
- ns_listenlist_detach(&mgr->listenon6);
- cleanup_mem:
- isc_mem_put(mctx, mgr, sizeof(*mgr));
- return (result);
-}
-
-static void
-ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
- REQUIRE(NS_INTERFACEMGR_VALID(mgr));
- dns_aclenv_destroy(&mgr->aclenv);
- ns_listenlist_detach(&mgr->listenon4);
- ns_listenlist_detach(&mgr->listenon6);
- DESTROYLOCK(&mgr->lock);
- mgr->magic = 0;
- isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
-}
-
-dns_aclenv_t *
-ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr) {
- return (&mgr->aclenv);
-}
-
-void
-ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target) {
- REQUIRE(NS_INTERFACEMGR_VALID(source));
- LOCK(&source->lock);
- INSIST(source->references > 0);
- source->references++;
- UNLOCK(&source->lock);
- *target = source;
-}
-
-void
-ns_interfacemgr_detach(ns_interfacemgr_t **targetp) {
- isc_result_t need_destroy = ISC_FALSE;
- ns_interfacemgr_t *target = *targetp;
- REQUIRE(target != NULL);
- REQUIRE(NS_INTERFACEMGR_VALID(target));
- LOCK(&target->lock);
- REQUIRE(target->references > 0);
- target->references--;
- if (target->references == 0)
- need_destroy = ISC_TRUE;
- UNLOCK(&target->lock);
- if (need_destroy)
- ns_interfacemgr_destroy(target);
- *targetp = NULL;
-}
-
-void
-ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
- REQUIRE(NS_INTERFACEMGR_VALID(mgr));
-
- /*
- * Shut down and detach all interfaces.
- * By incrementing the generation count, we make purge_old_interfaces()
- * consider all interfaces "old".
- */
- mgr->generation++;
- purge_old_interfaces(mgr);
-}
-
-
-static isc_result_t
-ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- const char *name, ns_interface_t **ifpret)
-{
- ns_interface_t *ifp;
- isc_result_t result;
-
- REQUIRE(NS_INTERFACEMGR_VALID(mgr));
- ifp = isc_mem_get(mgr->mctx, sizeof(*ifp));
- if (ifp == NULL)
- return (ISC_R_NOMEMORY);
- ifp->mgr = NULL;
- ifp->generation = mgr->generation;
- ifp->addr = *addr;
- strncpy(ifp->name, name, sizeof(ifp->name));
- ifp->name[sizeof(ifp->name)-1] = '\0';
- ifp->clientmgr = NULL;
-
- result = isc_mutex_init(&ifp->lock);
- if (result != ISC_R_SUCCESS)
- goto lock_create_failure;
-
- result = ns_clientmgr_create(mgr->mctx, mgr->taskmgr,
- ns_g_timermgr,
- &ifp->clientmgr);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
- "ns_clientmgr_create() failed: %s",
- isc_result_totext(result));
- goto clientmgr_create_failure;
- }
-
- ifp->udpdispatch = NULL;
-
- ifp->tcpsocket = NULL;
- /*
- * Create a single TCP client object. It will replace itself
- * with a new one as soon as it gets a connection, so the actual
- * connections will be handled in parallel even though there is
- * only one client initially.
- */
- ifp->ntcptarget = 1;
- ifp->ntcpcurrent = 0;
-
- ISC_LINK_INIT(ifp, link);
-
- ns_interfacemgr_attach(mgr, &ifp->mgr);
- ISC_LIST_APPEND(mgr->interfaces, ifp, link);
-
- ifp->references = 1;
- ifp->magic = IFACE_MAGIC;
- *ifpret = ifp;
-
- return (ISC_R_SUCCESS);
-
- clientmgr_create_failure:
- DESTROYLOCK(&ifp->lock);
- lock_create_failure:
- ifp->magic = 0;
- isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
-
- return (ISC_R_UNEXPECTED);
-}
-
-static isc_result_t
-ns_interface_listenudp(ns_interface_t *ifp) {
- isc_result_t result;
- unsigned int attrs;
- unsigned int attrmask;
-
- attrs = 0;
- attrs |= DNS_DISPATCHATTR_UDP;
- if (isc_sockaddr_pf(&ifp->addr) == AF_INET)
- attrs |= DNS_DISPATCHATTR_IPV4;
- else
- attrs |= DNS_DISPATCHATTR_IPV6;
- attrs |= DNS_DISPATCHATTR_NOLISTEN;
- attrmask = 0;
- attrmask |= DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
- attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
- result = dns_dispatch_getudp(ifp->mgr->dispatchmgr, ns_g_socketmgr,
- ns_g_taskmgr, &ifp->addr,
- 4096, 1000, 32768, 8219, 8237,
- attrs, attrmask, &ifp->udpdispatch);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
- "could not listen on UDP socket: %s",
- isc_result_totext(result));
- goto udp_dispatch_failure;
- }
-
- result = ns_clientmgr_createclients(ifp->clientmgr, ns_g_cpus,
- ifp, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "UDP ns_clientmgr_createclients(): %s",
- isc_result_totext(result));
- goto addtodispatch_failure;
- }
- return (ISC_R_SUCCESS);
-
- addtodispatch_failure:
- dns_dispatch_changeattributes(ifp->udpdispatch, 0,
- DNS_DISPATCHATTR_NOLISTEN);
- dns_dispatch_detach(&ifp->udpdispatch);
- udp_dispatch_failure:
- return (result);
-}
-
-static isc_result_t
-ns_interface_accepttcp(ns_interface_t *ifp) {
- isc_result_t result;
-
- /*
- * Open a TCP socket.
- */
- result = isc_socket_create(ifp->mgr->socketmgr,
- isc_sockaddr_pf(&ifp->addr),
- isc_sockettype_tcp,
- &ifp->tcpsocket);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
- "creating TCP socket: %s",
- isc_result_totext(result));
- goto tcp_socket_failure;
- }
-#ifndef ISC_ALLOW_MAPPED
- isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE);
-#endif
- result = isc_socket_bind(ifp->tcpsocket, &ifp->addr);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
- "binding TCP socket: %s",
- isc_result_totext(result));
- goto tcp_bind_failure;
- }
- result = isc_socket_listen(ifp->tcpsocket, ns_g_listen);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
- "listening on TCP socket: %s",
- isc_result_totext(result));
- goto tcp_listen_failure;
- }
-
- /*
- * If/when there a multiple filters listen to the
- * result.
- */
- (void)isc_socket_filter(ifp->tcpsocket, "dataready");
-
- result = ns_clientmgr_createclients(ifp->clientmgr,
- ifp->ntcptarget, ifp,
- ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "TCP ns_clientmgr_createclients(): %s",
- isc_result_totext(result));
- goto accepttcp_failure;
- }
- return (ISC_R_SUCCESS);
-
- accepttcp_failure:
- tcp_listen_failure:
- tcp_bind_failure:
- isc_socket_detach(&ifp->tcpsocket);
- tcp_socket_failure:
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
- const char *name, ns_interface_t **ifpret,
- isc_boolean_t accept_tcp)
-{
- isc_result_t result;
- ns_interface_t *ifp = NULL;
- REQUIRE(ifpret != NULL && *ifpret == NULL);
-
- result = ns_interface_create(mgr, addr, name, &ifp);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = ns_interface_listenudp(ifp);
- if (result != ISC_R_SUCCESS)
- goto cleanup_interface;
-
- if (accept_tcp == ISC_TRUE) {
- result = ns_interface_accepttcp(ifp);
- if (result != ISC_R_SUCCESS) {
- /*
- * XXXRTH We don't currently have a way to easily stop
- * dispatch service, so we currently return
- * ISC_R_SUCCESS (the UDP stuff will work even if TCP
- * creation failed). This will be fixed later.
- */
- result = ISC_R_SUCCESS;
- }
- }
- *ifpret = ifp;
- return (ISC_R_SUCCESS);
-
- cleanup_interface:
- ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
- ns_interface_detach(&ifp);
- return (result);
-}
-
-void
-ns_interface_shutdown(ns_interface_t *ifp) {
- if (ifp->clientmgr != NULL)
- ns_clientmgr_destroy(&ifp->clientmgr);
-}
-
-static void
-ns_interface_destroy(ns_interface_t *ifp) {
- isc_mem_t *mctx = ifp->mgr->mctx;
- REQUIRE(NS_INTERFACE_VALID(ifp));
-
- ns_interface_shutdown(ifp);
-
- if (ifp->udpdispatch != NULL) {
- dns_dispatch_changeattributes(ifp->udpdispatch, 0,
- DNS_DISPATCHATTR_NOLISTEN);
- dns_dispatch_detach(&ifp->udpdispatch);
- }
- if (ifp->tcpsocket != NULL)
- isc_socket_detach(&ifp->tcpsocket);
-
- DESTROYLOCK(&ifp->lock);
-
- ns_interfacemgr_detach(&ifp->mgr);
-
- ifp->magic = 0;
- isc_mem_put(mctx, ifp, sizeof(*ifp));
-}
-
-void
-ns_interface_attach(ns_interface_t *source, ns_interface_t **target) {
- REQUIRE(NS_INTERFACE_VALID(source));
- LOCK(&source->lock);
- INSIST(source->references > 0);
- source->references++;
- UNLOCK(&source->lock);
- *target = source;
-}
-
-void
-ns_interface_detach(ns_interface_t **targetp) {
- isc_result_t need_destroy = ISC_FALSE;
- ns_interface_t *target = *targetp;
- REQUIRE(target != NULL);
- REQUIRE(NS_INTERFACE_VALID(target));
- LOCK(&target->lock);
- REQUIRE(target->references > 0);
- target->references--;
- if (target->references == 0)
- need_destroy = ISC_TRUE;
- UNLOCK(&target->lock);
- if (need_destroy)
- ns_interface_destroy(target);
- *targetp = NULL;
-}
-
-/*
- * Search the interface list for an interface whose address and port
- * both match those of 'addr'. Return a pointer to it, or NULL if not found.
- */
-static ns_interface_t *
-find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
- ns_interface_t *ifp;
- for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL;
- ifp = ISC_LIST_NEXT(ifp, link)) {
- if (isc_sockaddr_equal(&ifp->addr, addr))
- break;
- }
- return (ifp);
-}
-
-/*
- * Remove any interfaces whose generation number is not the current one.
- */
-static void
-purge_old_interfaces(ns_interfacemgr_t *mgr) {
- ns_interface_t *ifp, *next;
- for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; ifp = next) {
- INSIST(NS_INTERFACE_VALID(ifp));
- next = ISC_LIST_NEXT(ifp, link);
- if (ifp->generation != mgr->generation) {
- char sabuf[256];
- ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
- isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_INFO,
- "no longer listening on %s", sabuf);
- ns_interface_shutdown(ifp);
- ns_interface_detach(&ifp);
- }
- }
-}
-
-static isc_result_t
-clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
- dns_acl_t *newacl = NULL;
- isc_result_t result;
- result = dns_acl_create(mctx, 10, &newacl);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_acl_detach(aclp);
- dns_acl_attach(newacl, aclp);
- dns_acl_detach(&newacl);
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-listenon_is_ip6_any(ns_listenelt_t *elt) {
- if (elt->acl->length != 1)
- return (ISC_FALSE);
- if (elt->acl->elements[0].negative == ISC_FALSE &&
- elt->acl->elements[0].type == dns_aclelementtype_any)
- return (ISC_TRUE); /* listen-on-v6 { any; } */
- return (ISC_FALSE); /* All others */
-}
-
-static isc_result_t
-setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
- isc_result_t result;
- dns_aclelement_t elt;
- unsigned int family;
- unsigned int prefixlen;
-
- family = interface->address.family;
-
- elt.type = dns_aclelementtype_ipprefix;
- elt.negative = ISC_FALSE;
- elt.u.ip_prefix.address = interface->address;
- elt.u.ip_prefix.prefixlen = (family == AF_INET) ? 32 : 128;
- result = dns_acl_appendelement(mgr->aclenv.localhost, &elt);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = isc_netaddr_masktoprefixlen(&interface->netmask,
- &prefixlen);
-
- /* Non contigious netmasks not allowed by IPv6 arch. */
- if (result != ISC_R_SUCCESS && family == AF_INET6)
- return (result);
-
- if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_WARNING,
- "omitting IPv4 interface %s from "
- "localnets ACL: %s",
- interface->name,
- isc_result_totext(result));
- } else {
- elt.u.ip_prefix.prefixlen = prefixlen;
- if (dns_acl_elementmatch(mgr->aclenv.localnets, &elt,
- NULL) == ISC_R_NOTFOUND) {
- result = dns_acl_appendelement(mgr->aclenv.localnets,
- &elt);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
- isc_boolean_t verbose)
-{
- isc_interfaceiter_t *iter = NULL;
- isc_boolean_t scan_ipv4 = ISC_FALSE;
- isc_boolean_t scan_ipv6 = ISC_FALSE;
- isc_boolean_t adjusting = ISC_FALSE;
- isc_boolean_t ipv6only = ISC_TRUE;
- isc_boolean_t ipv6pktinfo = ISC_TRUE;
- isc_result_t result;
- isc_netaddr_t zero_address, zero_address6;
- ns_listenelt_t *le;
- isc_sockaddr_t listen_addr;
- ns_interface_t *ifp;
- isc_boolean_t log_explicit = ISC_FALSE;
-
- if (ext_listen != NULL)
- adjusting = ISC_TRUE;
-
- if (isc_net_probeipv6() == ISC_R_SUCCESS)
- scan_ipv6 = ISC_TRUE;
-#ifdef WANT_IPV6
- else
- isc_log_write(IFMGR_COMMON_LOGARGS,
- verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
- "no IPv6 interfaces found");
-#endif
-
- if (isc_net_probeipv4() == ISC_R_SUCCESS)
- scan_ipv4 = ISC_TRUE;
- else
- isc_log_write(IFMGR_COMMON_LOGARGS,
- verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
- "no IPv4 interfaces found");
-
- /*
- * A special, but typical case; listen-on-v6 { any; }.
- * When we can make the socket IPv6-only, open a single wildcard
- * socket for IPv6 communication. Otherwise, make separate socket
- * for each IPv6 address in order to avoid accepting IPv4 packets
- * as the form of mapped addresses unintentionally unless explicitly
- * allowed.
- */
-#ifndef ISC_ALLOW_MAPPED
- if (scan_ipv6 == ISC_TRUE &&
- isc_net_probe_ipv6only() != ISC_R_SUCCESS) {
- ipv6only = ISC_FALSE;
- log_explicit = ISC_TRUE;
- }
-#endif
- if (scan_ipv6 == ISC_TRUE &&
- isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) {
- ipv6pktinfo = ISC_FALSE;
- log_explicit = ISC_TRUE;
- }
- if (scan_ipv6 == ISC_TRUE && ipv6only && ipv6pktinfo) {
- for (le = ISC_LIST_HEAD(mgr->listenon6->elts);
- le != NULL;
- le = ISC_LIST_NEXT(le, link)) {
- struct in6_addr in6a;
-
- if (!listenon_is_ip6_any(le))
- continue;
-
- in6a = in6addr_any;
- isc_sockaddr_fromin6(&listen_addr, &in6a, le->port);
-
- ifp = find_matching_interface(mgr, &listen_addr);
- if (ifp != NULL) {
- ifp->generation = mgr->generation;
- } else {
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_INFO,
- "listening on IPv6 "
- "interfaces, port %u",
- le->port);
- result = ns_interface_setup(mgr, &listen_addr,
- "<any>", &ifp,
- ISC_TRUE);
- if (result == ISC_R_SUCCESS)
- ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
- else
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_ERROR,
- "listening on all IPv6 "
- "interfaces failed");
- /* Continue. */
- }
- }
- }
-
- isc_netaddr_any(&zero_address);
- isc_netaddr_any6(&zero_address6);
-
- result = isc_interfaceiter_create(mgr->mctx, &iter);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (adjusting == ISC_FALSE) {
- result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
- if (result != ISC_R_SUCCESS)
- goto cleanup_iter;
- result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
- if (result != ISC_R_SUCCESS)
- goto cleanup_iter;
- }
-
- for (result = isc_interfaceiter_first(iter);
- result == ISC_R_SUCCESS;
- result = isc_interfaceiter_next(iter))
- {
- isc_interface_t interface;
- ns_listenlist_t *ll;
- unsigned int family;
-
- result = isc_interfaceiter_current(iter, &interface);
- if (result != ISC_R_SUCCESS)
- break;
-
- family = interface.address.family;
- if (family != AF_INET && family != AF_INET6)
- continue;
- if (scan_ipv4 == ISC_FALSE && family == AF_INET)
- continue;
- if (scan_ipv6 == ISC_FALSE && family == AF_INET6)
- continue;
-
- /*
- * Test for the address being nonzero rather than testing
- * INTERFACE_F_UP, because on some systems the latter
- * follows the media state and we could end up ignoring
- * the interface for an entire rescan interval due to
- * a temporary media glitch at rescan time.
- */
- if (family == AF_INET &&
- isc_netaddr_equal(&interface.address, &zero_address)) {
- continue;
- }
- if (family == AF_INET6 &&
- isc_netaddr_equal(&interface.address, &zero_address6)) {
- continue;
- }
-
- if (adjusting == ISC_FALSE) {
- result = setup_locals(mgr, &interface);
- if (result != ISC_R_SUCCESS)
- goto ignore_interface;
- }
-
- ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6;
- for (le = ISC_LIST_HEAD(ll->elts);
- le != NULL;
- le = ISC_LIST_NEXT(le, link))
- {
- int match;
- isc_boolean_t ipv6_wildcard = ISC_FALSE;
- isc_netaddr_t listen_netaddr;
- isc_sockaddr_t listen_sockaddr;
-
- /*
- * Construct a socket address for this IP/port
- * combination.
- */
- if (family == AF_INET) {
- isc_netaddr_fromin(&listen_netaddr,
- &interface.address.type.in);
- } else {
- isc_netaddr_fromin6(&listen_netaddr,
- &interface.address.type.in6);
- isc_netaddr_setzone(&listen_netaddr,
- interface.address.zone);
- }
- isc_sockaddr_fromnetaddr(&listen_sockaddr,
- &listen_netaddr,
- le->port);
-
- /*
- * See if the address matches the listen-on statement;
- * if not, ignore the interface.
- */
- result = dns_acl_match(&listen_netaddr, NULL,
- le->acl, &mgr->aclenv,
- &match, NULL);
- if (match <= 0)
- continue;
-
- /*
- * The case of "any" IPv6 address will require
- * special considerations later, so remember it.
- */
- if (family == AF_INET6 && ipv6only && ipv6pktinfo &&
- listenon_is_ip6_any(le))
- ipv6_wildcard = ISC_TRUE;
-
- /*
- * When adjusting interfaces with extra a listening
- * list, see if the address matches the extra list.
- * If it does, and is also covered by a wildcard
- * interface, we need to listen on the address
- * explicitly.
- */
- if (adjusting == ISC_TRUE) {
- ns_listenelt_t *ele;
-
- match = 0;
- for (ele = ISC_LIST_HEAD(ext_listen->elts);
- ele != NULL;
- ele = ISC_LIST_NEXT(ele, link)) {
- dns_acl_match(&listen_netaddr, NULL,
- ele->acl, NULL,
- &match, NULL);
- if (match > 0 && ele->port == le->port)
- break;
- else
- match = 0;
- }
- if (ipv6_wildcard == ISC_TRUE && match == 0)
- continue;
- }
-
- ifp = find_matching_interface(mgr, &listen_sockaddr);
- if (ifp != NULL) {
- ifp->generation = mgr->generation;
- } else {
- char sabuf[ISC_SOCKADDR_FORMATSIZE];
-
- if (adjusting == ISC_FALSE &&
- ipv6_wildcard == ISC_TRUE)
- continue;
-
- if (log_explicit && family == AF_INET6 &&
- !adjusting && listenon_is_ip6_any(le)) {
- isc_log_write(IFMGR_COMMON_LOGARGS,
- verbose ? ISC_LOG_INFO :
- ISC_LOG_DEBUG(1),
- "IPv6 socket API is "
- "incomplete; explicitly "
- "binding to each IPv6 "
- "address separately");
- log_explicit = ISC_FALSE;
- }
- isc_sockaddr_format(&listen_sockaddr,
- sabuf, sizeof(sabuf));
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_INFO,
- "%s"
- "listening on %s interface "
- "%s, %s",
- (adjusting == ISC_TRUE) ?
- "additionally " : "",
- (family == AF_INET) ?
- "IPv4" : "IPv6",
- interface.name, sabuf);
-
- result = ns_interface_setup(mgr,
- &listen_sockaddr,
- interface.name,
- &ifp,
- (adjusting == ISC_TRUE) ?
- ISC_FALSE :
- ISC_TRUE);
-
- if (result != ISC_R_SUCCESS) {
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_ERROR,
- "creating %s interface "
- "%s failed; interface "
- "ignored",
- (family == AF_INET) ?
- "IPv4" : "IPv6",
- interface.name);
- }
- /* Continue. */
- }
-
- }
- continue;
-
- ignore_interface:
- isc_log_write(IFMGR_COMMON_LOGARGS,
- ISC_LOG_ERROR,
- "ignoring %s interface %s: %s",
- (family == AF_INET) ? "IPv4" : "IPv6",
- interface.name, isc_result_totext(result));
- continue;
- }
- if (result != ISC_R_NOMORE)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "interface iteration failed: %s",
- isc_result_totext(result));
- else
- result = ISC_R_SUCCESS;
- cleanup_iter:
- isc_interfaceiter_destroy(&iter);
- return (result);
-}
-
-static void
-ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
- isc_boolean_t verbose)
-{
- isc_boolean_t purge = ISC_TRUE;
-
- REQUIRE(NS_INTERFACEMGR_VALID(mgr));
-
- mgr->generation++; /* Increment the generation count. */
-
- if (do_scan(mgr, ext_listen, verbose) != ISC_R_SUCCESS)
- purge = ISC_FALSE;
-
- /*
- * Now go through the interface list and delete anything that
- * does not have the current generation number. This is
- * how we catch interfaces that go away or change their
- * addresses.
- */
- if (purge)
- purge_old_interfaces(mgr);
-
- /*
- * Warn if we are not listening on any interface, unless
- * we're in lwresd-only mode, in which case that is to
- * be expected.
- */
- if (ext_listen == NULL &&
- ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly) {
- isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
- "not listening on any interfaces");
- }
-}
-
-void
-ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) {
- ns_interfacemgr_scan0(mgr, NULL, verbose);
-}
-
-void
-ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
- isc_boolean_t verbose)
-{
- ns_interfacemgr_scan0(mgr, list, verbose);
-}
-
-void
-ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
- LOCK(&mgr->lock);
- ns_listenlist_detach(&mgr->listenon4);
- ns_listenlist_attach(value, &mgr->listenon4);
- UNLOCK(&mgr->lock);
-}
-
-void
-ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
- LOCK(&mgr->lock);
- ns_listenlist_detach(&mgr->listenon6);
- ns_listenlist_attach(value, &mgr->listenon6);
- UNLOCK(&mgr->lock);
-}
-
-void
-ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) {
- ns_interface_t *interface;
-
- LOCK(&mgr->lock);
- interface = ISC_LIST_HEAD(mgr->interfaces);
- while (interface != NULL) {
- if (interface->clientmgr != NULL)
- ns_client_dumprecursing(f, interface->clientmgr);
- interface = ISC_LIST_NEXT(interface, link);
- }
- UNLOCK(&mgr->lock);
-}
diff --git a/contrib/bind9/bin/named/listenlist.c b/contrib/bind9/bin/named/listenlist.c
deleted file mode 100644
index bba164f08126..000000000000
--- a/contrib/bind9/bin/named/listenlist.c
+++ /dev/null
@@ -1,136 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: listenlist.c,v 1.9.208.1 2004/03/06 10:21:18 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-
-#include <named/listenlist.h>
-
-static void
-destroy(ns_listenlist_t *list);
-
-isc_result_t
-ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
- dns_acl_t *acl, ns_listenelt_t **target)
-{
- ns_listenelt_t *elt = NULL;
- REQUIRE(target != NULL && *target == NULL);
- elt = isc_mem_get(mctx, sizeof(*elt));
- if (elt == NULL)
- return (ISC_R_NOMEMORY);
- elt->mctx = mctx;
- ISC_LINK_INIT(elt, link);
- elt->port = port;
- elt->acl = acl;
- *target = elt;
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_listenelt_destroy(ns_listenelt_t *elt) {
- if (elt->acl != NULL)
- dns_acl_detach(&elt->acl);
- isc_mem_put(elt->mctx, elt, sizeof(*elt));
-}
-
-isc_result_t
-ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target) {
- ns_listenlist_t *list = NULL;
- REQUIRE(target != NULL && *target == NULL);
- list = isc_mem_get(mctx, sizeof(*list));
- if (list == NULL)
- return (ISC_R_NOMEMORY);
- list->mctx = mctx;
- list->refcount = 1;
- ISC_LIST_INIT(list->elts);
- *target = list;
- return (ISC_R_SUCCESS);
-}
-
-static void
-destroy(ns_listenlist_t *list) {
- ns_listenelt_t *elt, *next;
- for (elt = ISC_LIST_HEAD(list->elts);
- elt != NULL;
- elt = next)
- {
- next = ISC_LIST_NEXT(elt, link);
- ns_listenelt_destroy(elt);
- }
- isc_mem_put(list->mctx, list, sizeof(*list));
-}
-
-void
-ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target) {
- INSIST(source->refcount > 0);
- source->refcount++;
- *target = source;
-}
-
-void
-ns_listenlist_detach(ns_listenlist_t **listp) {
- ns_listenlist_t *list = *listp;
- INSIST(list->refcount > 0);
- list->refcount--;
- if (list->refcount == 0)
- destroy(list);
- *listp = NULL;
-}
-
-isc_result_t
-ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
- isc_boolean_t enabled, ns_listenlist_t **target)
-{
- isc_result_t result;
- dns_acl_t *acl = NULL;
- ns_listenelt_t *elt = NULL;
- ns_listenlist_t *list = NULL;
-
- REQUIRE(target != NULL && *target == NULL);
- if (enabled)
- result = dns_acl_any(mctx, &acl);
- else
- result = dns_acl_none(mctx, &acl);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = ns_listenelt_create(mctx, port, acl, &elt);
- if (result != ISC_R_SUCCESS)
- goto cleanup_acl;
-
- result = ns_listenlist_create(mctx, &list);
- if (result != ISC_R_SUCCESS)
- goto cleanup_listenelt;
-
- ISC_LIST_APPEND(list->elts, elt, link);
-
- *target = list;
- return (ISC_R_SUCCESS);
-
- cleanup_listenelt:
- ns_listenelt_destroy(elt);
- cleanup_acl:
- dns_acl_detach(&acl);
- cleanup:
- return (result);
-}
diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c
deleted file mode 100644
index 9032af795d4f..000000000000
--- a/contrib/bind9/bin/named/log.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.c,v 1.33.2.1.10.6 2005/05/24 23:58:17 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/result.h>
-
-#include <isccfg/log.h>
-
-#include <named/log.h>
-
-#ifndef ISC_FACILITY
-#define ISC_FACILITY LOG_DAEMON
-#endif
-
-/*
- * When adding a new category, be sure to add the appropriate
- * #define to <named/log.h>.
- */
-static isc_logcategory_t categories[] = {
- { "", 0 },
- { "client", 0 },
- { "network", 0 },
- { "update", 0 },
- { "queries", 0 },
- { "unmatched", 0 },
- { "update-security", 0 },
- { NULL, 0 }
-};
-
-/*
- * When adding a new module, be sure to add the appropriate
- * #define to <dns/log.h>.
- */
-static isc_logmodule_t modules[] = {
- { "main", 0 },
- { "client", 0 },
- { "server", 0 },
- { "query", 0 },
- { "interfacemgr", 0 },
- { "update", 0 },
- { "xfer-in", 0 },
- { "xfer-out", 0 },
- { "notify", 0 },
- { "control", 0 },
- { "lwresd", 0 },
- { NULL, 0 }
-};
-
-isc_result_t
-ns_log_init(isc_boolean_t safe) {
- isc_result_t result;
- isc_logconfig_t *lcfg = NULL;
-
- ns_g_categories = categories;
- ns_g_modules = modules;
-
- /*
- * Setup a logging context.
- */
- result = isc_log_create(ns_g_mctx, &ns_g_lctx, &lcfg);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- isc_log_registercategories(ns_g_lctx, ns_g_categories);
- isc_log_registermodules(ns_g_lctx, ns_g_modules);
- isc_log_setcontext(ns_g_lctx);
- dns_log_init(ns_g_lctx);
- dns_log_setcontext(ns_g_lctx);
- cfg_log_init(ns_g_lctx);
-
- if (safe)
- result = ns_log_setsafechannels(lcfg);
- else
- result = ns_log_setdefaultchannels(lcfg);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = ns_log_setdefaultcategory(lcfg);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- isc_log_destroy(&ns_g_lctx);
- isc_log_setcontext(NULL);
- dns_log_setcontext(NULL);
-
- return (result);
-}
-
-isc_result_t
-ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
- isc_result_t result;
- isc_logdestination_t destination;
-
- /*
- * By default, the logging library makes "default_debug" log to
- * stderr. In BIND, we want to override this and log to named.run
- * instead, unless the the -g option was given.
- */
- if (! ns_g_logstderr) {
- destination.file.stream = NULL;
- destination.file.name = "named.run";
- destination.file.versions = ISC_LOG_ROLLNEVER;
- destination.file.maximum_size = 0;
- result = isc_log_createchannel(lcfg, "default_debug",
- ISC_LOG_TOFILE,
- ISC_LOG_DYNAMIC,
- &destination,
- ISC_LOG_PRINTTIME|
- ISC_LOG_DEBUGONLY);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
-
-#if ISC_FACILITY != LOG_DAEMON
- destination.facility = ISC_FACILITY;
- result = isc_log_createchannel(lcfg, "default_syslog",
- ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
- &destination, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-#endif
-
- /*
- * Set the initial debug level.
- */
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-isc_result_t
-ns_log_setsafechannels(isc_logconfig_t *lcfg) {
- isc_result_t result;
-#if ISC_FACILITY != LOG_DAEMON
- isc_logdestination_t destination;
-#endif
-
- if (! ns_g_logstderr) {
- result = isc_log_createchannel(lcfg, "default_debug",
- ISC_LOG_TONULL,
- ISC_LOG_DYNAMIC,
- NULL, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * Setting the debug level to zero should get the output
- * discarded a bit faster.
- */
- isc_log_setdebuglevel(ns_g_lctx, 0);
- } else {
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
- }
-
-#if ISC_FACILITY != LOG_DAEMON
- destination.facility = ISC_FACILITY;
- result = isc_log_createchannel(lcfg, "default_syslog",
- ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
- &destination, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-#endif
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-isc_result_t
-ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
- isc_result_t result;
-
- if (! ns_g_logstderr) {
- result = isc_log_usechannel(lcfg, "default_syslog",
- ISC_LOGCATEGORY_DEFAULT, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
-
- result = isc_log_usechannel(lcfg, "default_debug",
- ISC_LOGCATEGORY_DEFAULT, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-isc_result_t
-ns_log_setunmatchedcategory(isc_logconfig_t *lcfg) {
- isc_result_t result;
-
- result = isc_log_usechannel(lcfg, "null",
- NS_LOGCATEGORY_UNMATCHED, NULL);
- return (result);
-}
-
-void
-ns_log_shutdown(void) {
- isc_log_destroy(&ns_g_lctx);
- isc_log_setcontext(NULL);
- dns_log_setcontext(NULL);
-}
diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c
deleted file mode 100644
index 596d40166bb3..000000000000
--- a/contrib/bind9/bin/named/logconf.c
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: logconf.c,v 1.30.2.3.10.2 2004/03/06 10:21:18 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/offset.h>
-#include <isc/result.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/syslog.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/log.h>
-
-#include <named/log.h>
-#include <named/logconf.h>
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
- } while (0)
-
-/*
- * Set up a logging category according to the named.conf data
- * in 'ccat' and add it to 'lctx'.
- */
-static isc_result_t
-category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
- isc_result_t result;
- const char *catname;
- isc_logcategory_t *category;
- isc_logmodule_t *module;
- cfg_obj_t *destinations = NULL;
- cfg_listelt_t *element = NULL;
-
- catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
- category = isc_log_categorybyname(ns_g_lctx, catname);
- if (category == NULL) {
- cfg_obj_log(ccat, ns_g_lctx, ISC_LOG_ERROR,
- "unknown logging category '%s' ignored",
- catname);
- /*
- * Allow further processing by returning success.
- */
- return (ISC_R_SUCCESS);
- }
-
- module = NULL;
-
- destinations = cfg_tuple_get(ccat, "destinations");
- for (element = cfg_list_first(destinations);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *channel = cfg_listelt_value(element);
- char *channelname = cfg_obj_asstring(channel);
-
- result = isc_log_usechannel(lctx, channelname, category,
- module);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "logging channel '%s': %s", channelname,
- isc_result_totext(result));
- return (result);
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Set up a logging channel according to the named.conf data
- * in 'cchan' and add it to 'lctx'.
- */
-static isc_result_t
-channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
- isc_result_t result;
- isc_logdestination_t dest;
- unsigned int type;
- unsigned int flags = 0;
- int level;
- const char *channelname;
- cfg_obj_t *fileobj = NULL;
- cfg_obj_t *syslogobj = NULL;
- cfg_obj_t *nullobj = NULL;
- cfg_obj_t *stderrobj = NULL;
- cfg_obj_t *severity = NULL;
- int i;
-
- channelname = cfg_obj_asstring(cfg_map_getname(channel));
-
- (void)cfg_map_get(channel, "file", &fileobj);
- (void)cfg_map_get(channel, "syslog", &syslogobj);
- (void)cfg_map_get(channel, "null", &nullobj);
- (void)cfg_map_get(channel, "stderr", &stderrobj);
-
- i = 0;
- if (fileobj != NULL)
- i++;
- if (syslogobj != NULL)
- i++;
- if (nullobj != NULL)
- i++;
- if (stderrobj != NULL)
- i++;
-
- if (i != 1) {
- cfg_obj_log(channel, ns_g_lctx, ISC_LOG_ERROR,
- "channel '%s': exactly one of file, syslog, "
- "null, and stderr must be present", channelname);
- return (ISC_R_FAILURE);
- }
-
- type = ISC_LOG_TONULL;
-
- if (fileobj != NULL) {
- cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
- cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
- cfg_obj_t *versionsobj = cfg_tuple_get(fileobj, "versions");
- isc_int32_t versions = ISC_LOG_ROLLNEVER;
- isc_offset_t size = 0;
-
- type = ISC_LOG_TOFILE;
-
- if (versionsobj != NULL && cfg_obj_isuint32(versionsobj))
- versions = cfg_obj_asuint32(versionsobj);
- if (versionsobj != NULL && cfg_obj_isstring(versionsobj) &&
- strcasecmp(cfg_obj_asstring(versionsobj), "unlimited") == 0)
- versions = ISC_LOG_ROLLINFINITE;
- if (sizeobj != NULL &&
- cfg_obj_isuint64(sizeobj) &&
- cfg_obj_asuint64(sizeobj) < ISC_OFFSET_MAXIMUM)
- size = (isc_offset_t)cfg_obj_asuint64(sizeobj);
- dest.file.stream = NULL;
- dest.file.name = cfg_obj_asstring(pathobj);
- dest.file.versions = versions;
- dest.file.maximum_size = size;
- } else if (syslogobj != NULL) {
- int facility = LOG_DAEMON;
-
- type = ISC_LOG_TOSYSLOG;
-
- if (cfg_obj_isstring(syslogobj)) {
- char *facilitystr = cfg_obj_asstring(syslogobj);
- (void)isc_syslog_facilityfromstring(facilitystr,
- &facility);
- }
- dest.facility = facility;
- } else if (stderrobj != NULL) {
- type = ISC_LOG_TOFILEDESC;
- dest.file.stream = stderr;
- dest.file.name = NULL;
- dest.file.versions = ISC_LOG_ROLLNEVER;
- dest.file.maximum_size = 0;
- }
-
- /*
- * Munge flags.
- */
- {
- cfg_obj_t *printcat = NULL;
- cfg_obj_t *printsev = NULL;
- cfg_obj_t *printtime = NULL;
-
- (void)cfg_map_get(channel, "print-category", &printcat);
- (void)cfg_map_get(channel, "print-severity", &printsev);
- (void)cfg_map_get(channel, "print-time", &printtime);
-
- if (printcat != NULL && cfg_obj_asboolean(printcat))
- flags |= ISC_LOG_PRINTCATEGORY;
- if (printtime != NULL && cfg_obj_asboolean(printtime))
- flags |= ISC_LOG_PRINTTIME;
- if (printsev != NULL && cfg_obj_asboolean(printsev))
- flags |= ISC_LOG_PRINTLEVEL;
- }
-
- level = ISC_LOG_INFO;
- if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
- if (cfg_obj_isstring(severity)) {
- char *str = cfg_obj_asstring(severity);
- if (strcasecmp(str, "critical") == 0)
- level = ISC_LOG_CRITICAL;
- else if (strcasecmp(str, "error") == 0)
- level = ISC_LOG_ERROR;
- else if (strcasecmp(str, "warning") == 0)
- level = ISC_LOG_WARNING;
- else if (strcasecmp(str, "notice") == 0)
- level = ISC_LOG_NOTICE;
- else if (strcasecmp(str, "info") == 0)
- level = ISC_LOG_INFO;
- else if (strcasecmp(str, "dynamic") == 0)
- level = ISC_LOG_DYNAMIC;
- } else
- /* debug */
- level = cfg_obj_asuint32(severity);
- }
-
- result = isc_log_createchannel(lctx, channelname,
- type, level, &dest, flags);
-
- if (result == ISC_R_SUCCESS && type == ISC_LOG_TOFILE) {
- FILE *fp;
-
- /*
- * Test that the file can be opened, since isc_log_open()
- * can't effectively report failures when called in
- * isc_log_doit().
- */
- result = isc_stdio_open(dest.file.name, "a", &fp);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "logging channel '%s' file '%s': %s",
- channelname, dest.file.name,
- isc_result_totext(result));
- else
- (void)isc_stdio_close(fp);
-
- /*
- * Allow named to continue by returning success.
- */
- result = ISC_R_SUCCESS;
- }
-
- return (result);
-}
-
-isc_result_t
-ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
- isc_result_t result;
- cfg_obj_t *channels = NULL;
- cfg_obj_t *categories = NULL;
- cfg_listelt_t *element;
- isc_boolean_t default_set = ISC_FALSE;
- isc_boolean_t unmatched_set = ISC_FALSE;
-
- CHECK(ns_log_setdefaultchannels(logconf));
-
- (void)cfg_map_get(logstmt, "channel", &channels);
- for (element = cfg_list_first(channels);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *channel = cfg_listelt_value(element);
- CHECK(channel_fromconf(channel, logconf));
- }
-
- (void)cfg_map_get(logstmt, "category", &categories);
- for (element = cfg_list_first(categories);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *category = cfg_listelt_value(element);
- CHECK(category_fromconf(category, logconf));
- if (!default_set) {
- cfg_obj_t *catname = cfg_tuple_get(category, "name");
- if (strcmp(cfg_obj_asstring(catname), "default") == 0)
- default_set = ISC_TRUE;
- }
- if (!unmatched_set) {
- cfg_obj_t *catname = cfg_tuple_get(category, "name");
- if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
- unmatched_set = ISC_TRUE;
- }
- }
-
- if (!default_set)
- CHECK(ns_log_setdefaultcategory(logconf));
-
- if (!unmatched_set)
- CHECK(ns_log_setunmatchedcategory(logconf));
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (logconf != NULL)
- isc_logconfig_destroy(&logconf);
- return (result);
-}
diff --git a/contrib/bind9/bin/named/lwaddr.c b/contrib/bind9/bin/named/lwaddr.c
deleted file mode 100644
index 1bd8d82875e7..000000000000
--- a/contrib/bind9/bin/named/lwaddr.c
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwaddr.c,v 1.3.208.1 2004/03/06 10:21:18 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/result.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-
-#include <lwres/lwres.h>
-
-#include <named/lwaddr.h>
-
-/*
- * Convert addresses from lwres to isc format.
- */
-isc_result_t
-lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la) {
- if (la->family != LWRES_ADDRTYPE_V4 && la->family != LWRES_ADDRTYPE_V6)
- return (ISC_R_FAMILYNOSUPPORT);
-
- if (la->family == LWRES_ADDRTYPE_V4) {
- struct in_addr ina;
- memcpy(&ina.s_addr, la->address, 4);
- isc_netaddr_fromin(na, &ina);
- } else {
- struct in6_addr ina6;
- memcpy(&ina6.s6_addr, la->address, 16);
- isc_netaddr_fromin6(na, &ina6);
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
- in_port_t port)
-{
- isc_netaddr_t na;
- isc_result_t result;
-
- result = lwaddr_netaddr_fromlwresaddr(&na, la);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_sockaddr_fromnetaddr(sa, &na, port);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Convert addresses from isc to lwres format.
- */
-
-isc_result_t
-lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na) {
- if (na->family != AF_INET && na->family != AF_INET6)
- return (ISC_R_FAMILYNOSUPPORT);
-
- if (na->family == AF_INET) {
- la->family = LWRES_ADDRTYPE_V4;
- la->length = 4;
- memcpy(la->address, &na->type.in, 4);
- } else {
- la->family = LWRES_ADDRTYPE_V6;
- la->length = 16;
- memcpy(la->address, &na->type.in, 16);
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa) {
- isc_netaddr_t na;
- isc_netaddr_fromsockaddr(&na, sa);
- return (lwaddr_lwresaddr_fromnetaddr(la, &na));
-}
diff --git a/contrib/bind9/bin/named/lwdclient.c b/contrib/bind9/bin/named/lwdclient.c
deleted file mode 100644
index 7975a4991e13..000000000000
--- a/contrib/bind9/bin/named/lwdclient.c
+++ /dev/null
@@ -1,465 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdclient.c,v 1.13.12.5 2004/03/08 09:04:15 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/view.h>
-#include <dns/log.h>
-
-#include <named/types.h>
-#include <named/log.h>
-#include <named/lwresd.h>
-#include <named/lwdclient.h>
-
-#define SHUTTINGDOWN(cm) ((cm->flags & NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN) != 0)
-
-static void
-lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev);
-
-void
-ns_lwdclient_log(int level, const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- isc_log_vwrite(dns_lctx,
- DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
- ISC_LOG_DEBUG(level), format, args);
- va_end(args);
-}
-
-isc_result_t
-ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
- isc_taskmgr_t *taskmgr)
-{
- ns_lwresd_t *lwresd = listener->manager;
- ns_lwdclientmgr_t *cm;
- ns_lwdclient_t *client;
- unsigned int i;
- isc_result_t result = ISC_R_FAILURE;
-
- cm = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclientmgr_t));
- if (cm == NULL)
- return (ISC_R_NOMEMORY);
-
- cm->listener = NULL;
- ns_lwreslistener_attach(listener, &cm->listener);
- cm->mctx = lwresd->mctx;
- cm->sock = NULL;
- isc_socket_attach(listener->sock, &cm->sock);
- cm->view = lwresd->view;
- cm->lwctx = NULL;
- cm->task = NULL;
- cm->flags = 0;
- ISC_LINK_INIT(cm, link);
- ISC_LIST_INIT(cm->idle);
- ISC_LIST_INIT(cm->running);
-
- if (lwres_context_create(&cm->lwctx, cm->mctx,
- ns__lwresd_memalloc, ns__lwresd_memfree,
- LWRES_CONTEXT_SERVERMODE)
- != ISC_R_SUCCESS)
- goto errout;
-
- for (i = 0; i < nclients; i++) {
- client = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclient_t));
- if (client != NULL) {
- ns_lwdclient_log(50, "created client %p, manager %p",
- client, cm);
- ns_lwdclient_initialize(client, cm);
- }
- }
-
- /*
- * If we could create no clients, clean up and return.
- */
- if (ISC_LIST_EMPTY(cm->idle))
- goto errout;
-
- result = isc_task_create(taskmgr, 0, &cm->task);
- if (result != ISC_R_SUCCESS)
- goto errout;
-
- /*
- * This MUST be last, since there is no way to cancel an onshutdown...
- */
- result = isc_task_onshutdown(cm->task, lwdclientmgr_shutdown_callback,
- cm);
- if (result != ISC_R_SUCCESS)
- goto errout;
-
- ns_lwreslistener_linkcm(listener, cm);
-
- return (ISC_R_SUCCESS);
-
- errout:
- client = ISC_LIST_HEAD(cm->idle);
- while (client != NULL) {
- ISC_LIST_UNLINK(cm->idle, client, link);
- isc_mem_put(lwresd->mctx, client, sizeof(*client));
- client = ISC_LIST_HEAD(cm->idle);
- }
-
- if (cm->task != NULL)
- isc_task_detach(&cm->task);
-
- if (cm->lwctx != NULL)
- lwres_context_destroy(&cm->lwctx);
-
- isc_mem_put(lwresd->mctx, cm, sizeof(*cm));
- return (result);
-}
-
-static void
-lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
- ns_lwdclient_t *client;
- ns_lwreslistener_t *listener;
-
- if (!SHUTTINGDOWN(cm))
- return;
-
- /*
- * run through the idle list and free the clients there. Idle
- * clients do not have a recv running nor do they have any finds
- * or similar running.
- */
- client = ISC_LIST_HEAD(cm->idle);
- while (client != NULL) {
- ns_lwdclient_log(50, "destroying client %p, manager %p",
- client, cm);
- ISC_LIST_UNLINK(cm->idle, client, link);
- isc_mem_put(cm->mctx, client, sizeof(*client));
- client = ISC_LIST_HEAD(cm->idle);
- }
-
- if (!ISC_LIST_EMPTY(cm->running))
- return;
-
- lwres_context_destroy(&cm->lwctx);
- cm->view = NULL;
- isc_socket_detach(&cm->sock);
- isc_task_detach(&cm->task);
-
- listener = cm->listener;
- ns_lwreslistener_unlinkcm(listener, cm);
- ns_lwdclient_log(50, "destroying manager %p", cm);
- isc_mem_put(cm->mctx, cm, sizeof(*cm));
- ns_lwreslistener_detach(&listener);
-}
-
-static void
-process_request(ns_lwdclient_t *client) {
- lwres_buffer_t b;
- isc_result_t result;
-
- lwres_buffer_init(&b, client->buffer, client->recvlength);
- lwres_buffer_add(&b, client->recvlength);
-
- result = lwres_lwpacket_parseheader(&b, &client->pkt);
- if (result != ISC_R_SUCCESS) {
- ns_lwdclient_log(50, "invalid packet header received");
- goto restart;
- }
-
- ns_lwdclient_log(50, "opcode %08x", client->pkt.opcode);
-
- switch (client->pkt.opcode) {
- case LWRES_OPCODE_GETADDRSBYNAME:
- ns_lwdclient_processgabn(client, &b);
- return;
- case LWRES_OPCODE_GETNAMEBYADDR:
- ns_lwdclient_processgnba(client, &b);
- return;
- case LWRES_OPCODE_GETRDATABYNAME:
- ns_lwdclient_processgrbn(client, &b);
- return;
- case LWRES_OPCODE_NOOP:
- ns_lwdclient_processnoop(client, &b);
- return;
- default:
- ns_lwdclient_log(50, "unknown opcode %08x", client->pkt.opcode);
- goto restart;
- }
-
- /*
- * Drop the packet.
- */
- restart:
- ns_lwdclient_log(50, "restarting client %p...", client);
- ns_lwdclient_stateidle(client);
-}
-
-void
-ns_lwdclient_recv(isc_task_t *task, isc_event_t *ev) {
- isc_result_t result;
- ns_lwdclient_t *client = ev->ev_arg;
- ns_lwdclientmgr_t *cm = client->clientmgr;
- isc_socketevent_t *dev = (isc_socketevent_t *)ev;
-
- INSIST(dev->region.base == client->buffer);
- INSIST(NS_LWDCLIENT_ISRECV(client));
-
- NS_LWDCLIENT_SETRECVDONE(client);
-
- INSIST((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0);
- cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
-
- ns_lwdclient_log(50,
- "event received: task %p, length %u, result %u (%s)",
- task, dev->n, dev->result,
- isc_result_totext(dev->result));
-
- if (dev->result != ISC_R_SUCCESS) {
- isc_event_free(&ev);
- dev = NULL;
-
- /*
- * Go idle.
- */
- ns_lwdclient_stateidle(client);
-
- return;
- }
-
- client->recvlength = dev->n;
- client->address = dev->address;
- if ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
- client->pktinfo = dev->pktinfo;
- client->pktinfo_valid = ISC_TRUE;
- } else
- client->pktinfo_valid = ISC_FALSE;
- isc_event_free(&ev);
- dev = NULL;
-
- result = ns_lwdclient_startrecv(cm);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
- "could not start lwres "
- "client handler: %s",
- isc_result_totext(result));
-
- process_request(client);
-}
-
-/*
- * This function will start a new recv() on a socket for this client manager.
- */
-isc_result_t
-ns_lwdclient_startrecv(ns_lwdclientmgr_t *cm) {
- ns_lwdclient_t *client;
- isc_result_t result;
- isc_region_t r;
-
- if (SHUTTINGDOWN(cm)) {
- lwdclientmgr_destroy(cm);
- return (ISC_R_SUCCESS);
- }
-
- /*
- * If a recv is already running, don't bother.
- */
- if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0)
- return (ISC_R_SUCCESS);
-
- /*
- * If we have no idle slots, just return success.
- */
- client = ISC_LIST_HEAD(cm->idle);
- if (client == NULL)
- return (ISC_R_SUCCESS);
- INSIST(NS_LWDCLIENT_ISIDLE(client));
-
- /*
- * Issue the recv. If it fails, return that it did.
- */
- r.base = client->buffer;
- r.length = LWRES_RECVLENGTH;
- result = isc_socket_recv(cm->sock, &r, 0, cm->task, ns_lwdclient_recv,
- client);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Set the flag to say we've issued a recv() call.
- */
- cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
-
- /*
- * Remove the client from the idle list, and put it on the running
- * list.
- */
- NS_LWDCLIENT_SETRECV(client);
- ISC_LIST_UNLINK(cm->idle, client, link);
- ISC_LIST_APPEND(cm->running, client, link);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
- ns_lwdclientmgr_t *cm = ev->ev_arg;
- ns_lwdclient_t *client;
-
- REQUIRE(!SHUTTINGDOWN(cm));
-
- ns_lwdclient_log(50, "got shutdown event, task %p, lwdclientmgr %p",
- task, cm);
-
- /*
- * run through the idle list and free the clients there. Idle
- * clients do not have a recv running nor do they have any finds
- * or similar running.
- */
- client = ISC_LIST_HEAD(cm->idle);
- while (client != NULL) {
- ns_lwdclient_log(50, "destroying client %p, manager %p",
- client, cm);
- ISC_LIST_UNLINK(cm->idle, client, link);
- isc_mem_put(cm->mctx, client, sizeof(*client));
- client = ISC_LIST_HEAD(cm->idle);
- }
-
- /*
- * Cancel any pending I/O.
- */
- isc_socket_cancel(cm->sock, task, ISC_SOCKCANCEL_ALL);
-
- /*
- * Run through the running client list and kill off any finds
- * in progress.
- */
- client = ISC_LIST_HEAD(cm->running);
- while (client != NULL) {
- if (client->find != client->v4find
- && client->find != client->v6find)
- dns_adb_cancelfind(client->find);
- if (client->v4find != NULL)
- dns_adb_cancelfind(client->v4find);
- if (client->v6find != NULL)
- dns_adb_cancelfind(client->v6find);
- client = ISC_LIST_NEXT(client, link);
- }
-
- cm->flags |= NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN;
-
- isc_event_free(&ev);
-}
-
-/*
- * Do all the crap needed to move a client from the run queue to the idle
- * queue.
- */
-void
-ns_lwdclient_stateidle(ns_lwdclient_t *client) {
- ns_lwdclientmgr_t *cm;
- isc_result_t result;
-
- cm = client->clientmgr;
-
- INSIST(client->sendbuf == NULL);
- INSIST(client->sendlength == 0);
- INSIST(client->arg == NULL);
- INSIST(client->v4find == NULL);
- INSIST(client->v6find == NULL);
-
- ISC_LIST_UNLINK(cm->running, client, link);
- ISC_LIST_PREPEND(cm->idle, client, link);
-
- NS_LWDCLIENT_SETIDLE(client);
-
- result = ns_lwdclient_startrecv(cm);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
- "could not start lwres "
- "client handler: %s",
- isc_result_totext(result));
-}
-
-void
-ns_lwdclient_send(isc_task_t *task, isc_event_t *ev) {
- ns_lwdclient_t *client = ev->ev_arg;
- ns_lwdclientmgr_t *cm = client->clientmgr;
- isc_socketevent_t *dev = (isc_socketevent_t *)ev;
-
- UNUSED(task);
- UNUSED(dev);
-
- INSIST(NS_LWDCLIENT_ISSEND(client));
- INSIST(client->sendbuf == dev->region.base);
-
- ns_lwdclient_log(50, "task %p for client %p got send-done event",
- task, client);
-
- if (client->sendbuf != client->buffer)
- lwres_context_freemem(cm->lwctx, client->sendbuf,
- client->sendlength);
- client->sendbuf = NULL;
- client->sendlength = 0;
-
- ns_lwdclient_stateidle(client);
-
- isc_event_free(&ev);
-}
-
-isc_result_t
-ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r) {
- struct in6_pktinfo *pktinfo;
- ns_lwdclientmgr_t *cm = client->clientmgr;
-
- if (client->pktinfo_valid)
- pktinfo = &client->pktinfo;
- else
- pktinfo = NULL;
- return (isc_socket_sendto(cm->sock, r, cm->task, ns_lwdclient_send,
- client, &client->address, pktinfo));
-}
-
-void
-ns_lwdclient_initialize(ns_lwdclient_t *client, ns_lwdclientmgr_t *cmgr) {
- client->clientmgr = cmgr;
- ISC_LINK_INIT(client, link);
- NS_LWDCLIENT_SETIDLE(client);
- client->arg = NULL;
-
- client->recvlength = 0;
-
- client->sendbuf = NULL;
- client->sendlength = 0;
-
- client->find = NULL;
- client->v4find = NULL;
- client->v6find = NULL;
- client->find_wanted = 0;
-
- client->options = 0;
- client->byaddr = NULL;
-
- client->lookup = NULL;
-
- client->pktinfo_valid = ISC_FALSE;
-
- ISC_LIST_APPEND(cmgr->idle, client, link);
-}
diff --git a/contrib/bind9/bin/named/lwderror.c b/contrib/bind9/bin/named/lwderror.c
deleted file mode 100644
index 51cecf0abd57..000000000000
--- a/contrib/bind9/bin/named/lwderror.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwderror.c,v 1.7.208.1 2004/03/06 10:21:18 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/util.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-
-/*
- * Generate an error packet for the client, schedule a send, and put us in
- * the SEND state.
- *
- * The client->pkt structure will be modified to form an error return.
- * The receiver needs to verify that it is in fact an error, and do the
- * right thing with it. The opcode will be unchanged. The result needs
- * to be set before calling this function.
- *
- * The only change this code makes is to set the receive buffer size to the
- * size we use, set the reply bit, and recompute any security information.
- */
-void
-ns_lwdclient_errorpktsend(ns_lwdclient_t *client, isc_uint32_t _result) {
- isc_result_t result;
- int lwres;
- isc_region_t r;
- lwres_buffer_t b;
-
- REQUIRE(NS_LWDCLIENT_ISRUNNING(client));
-
- /*
- * Since we are only sending the packet header, we can safely toss
- * the receive buffer. This means we won't need to allocate space
- * for sending an error reply. This is a Good Thing.
- */
- client->pkt.length = LWRES_LWPACKET_LENGTH;
- client->pkt.pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- client->pkt.recvlength = LWRES_RECVLENGTH;
- client->pkt.authtype = 0; /* XXXMLG */
- client->pkt.authlength = 0;
- client->pkt.result = _result;
-
- lwres_buffer_init(&b, client->buffer, LWRES_RECVLENGTH);
- lwres = lwres_lwpacket_renderheader(&b, &client->pkt);
- if (lwres != LWRES_R_SUCCESS) {
- ns_lwdclient_stateidle(client);
- return;
- }
-
- r.base = client->buffer;
- r.length = b.used;
- client->sendbuf = client->buffer;
- result = ns_lwdclient_sendreply(client, &r);
- if (result != ISC_R_SUCCESS) {
- ns_lwdclient_stateidle(client);
- return;
- }
-
- NS_LWDCLIENT_SETSEND(client);
-}
diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c
deleted file mode 100644
index 030a77ae7864..000000000000
--- a/contrib/bind9/bin/named/lwdgabn.c
+++ /dev/null
@@ -1,655 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdgabn.c,v 1.13.12.3 2004/03/08 04:04:19 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/events.h>
-#include <dns/result.h>
-
-#include <named/types.h>
-#include <named/lwaddr.h>
-#include <named/lwdclient.h>
-#include <named/lwresd.h>
-#include <named/lwsearch.h>
-#include <named/sortlist.h>
-
-#define NEED_V4(c) ((((c)->find_wanted & LWRES_ADDRTYPE_V4) != 0) \
- && ((c)->v4find == NULL))
-#define NEED_V6(c) ((((c)->find_wanted & LWRES_ADDRTYPE_V6) != 0) \
- && ((c)->v6find == NULL))
-
-static isc_result_t start_find(ns_lwdclient_t *);
-static void restart_find(ns_lwdclient_t *);
-static void init_gabn(ns_lwdclient_t *);
-
-/*
- * Destroy any finds. This can be used to "start over from scratch" and
- * should only be called when events are _not_ being generated by the finds.
- */
-static void
-cleanup_gabn(ns_lwdclient_t *client) {
- ns_lwdclient_log(50, "cleaning up client %p", client);
-
- if (client->v6find != NULL) {
- if (client->v6find == client->v4find)
- client->v6find = NULL;
- else
- dns_adb_destroyfind(&client->v6find);
- }
- if (client->v4find != NULL)
- dns_adb_destroyfind(&client->v4find);
-}
-
-static void
-setup_addresses(ns_lwdclient_t *client, dns_adbfind_t *find, unsigned int at) {
- dns_adbaddrinfo_t *ai;
- lwres_addr_t *addr;
- int af;
- const struct sockaddr *sa;
- isc_result_t result;
-
- if (at == DNS_ADBFIND_INET)
- af = AF_INET;
- else
- af = AF_INET6;
-
- ai = ISC_LIST_HEAD(find->list);
- while (ai != NULL && client->gabn.naddrs < LWRES_MAX_ADDRS) {
- sa = &ai->sockaddr.type.sa;
- if (sa->sa_family != af)
- goto next;
-
- addr = &client->addrs[client->gabn.naddrs];
-
- result = lwaddr_lwresaddr_fromsockaddr(addr, &ai->sockaddr);
- if (result != ISC_R_SUCCESS)
- goto next;
-
- ns_lwdclient_log(50, "adding address %p, family %d, length %d",
- addr->address, addr->family, addr->length);
-
- client->gabn.naddrs++;
- REQUIRE(!LWRES_LINK_LINKED(addr, link));
- LWRES_LIST_APPEND(client->gabn.addrs, addr, link);
-
- next:
- ai = ISC_LIST_NEXT(ai, publink);
- }
-}
-
-typedef struct {
- isc_netaddr_t address;
- int rank;
-} rankedaddress;
-
-static int
-addr_compare(const void *av, const void *bv) {
- const rankedaddress *a = (const rankedaddress *) av;
- const rankedaddress *b = (const rankedaddress *) bv;
- return (a->rank - b->rank);
-}
-
-static void
-sort_addresses(ns_lwdclient_t *client) {
- unsigned int naddrs;
- rankedaddress *addrs;
- isc_netaddr_t remote;
- dns_addressorderfunc_t order;
- void *arg;
- ns_lwresd_t *lwresd = client->clientmgr->listener->manager;
- unsigned int i;
- isc_result_t result;
-
- naddrs = client->gabn.naddrs;
-
- if (naddrs <= 1 || lwresd->view->sortlist == NULL)
- return;
-
- addrs = isc_mem_get(lwresd->mctx, sizeof(rankedaddress) * naddrs);
- if (addrs == NULL)
- return;
-
- isc_netaddr_fromsockaddr(&remote, &client->address);
- ns_sortlist_byaddrsetup(lwresd->view->sortlist,
- &remote, &order, &arg);
- if (order == NULL) {
- isc_mem_put(lwresd->mctx, addrs,
- sizeof(rankedaddress) * naddrs);
- return;
- }
- for (i = 0; i < naddrs; i++) {
- result = lwaddr_netaddr_fromlwresaddr(&addrs[i].address,
- &client->addrs[i]);
- INSIST(result == ISC_R_SUCCESS);
- addrs[i].rank = (*order)(&addrs[i].address, arg);
- }
- qsort(addrs, naddrs, sizeof(rankedaddress), addr_compare);
- for (i = 0; i < naddrs; i++) {
- result = lwaddr_lwresaddr_fromnetaddr(&client->addrs[i],
- &addrs[i].address);
- INSIST(result == ISC_R_SUCCESS);
- }
-
- isc_mem_put(lwresd->mctx, addrs, sizeof(rankedaddress) * naddrs);
-}
-
-static void
-generate_reply(ns_lwdclient_t *client) {
- isc_result_t result;
- int lwres;
- isc_region_t r;
- lwres_buffer_t lwb;
- ns_lwdclientmgr_t *cm;
-
- cm = client->clientmgr;
- lwb.base = NULL;
-
- ns_lwdclient_log(50, "generating gabn reply for client %p", client);
-
- /*
- * We must make certain the client->find is not still active.
- * If it is either the v4 or v6 answer, just set it to NULL and
- * let the cleanup code destroy it. Otherwise, destroy it now.
- */
- if (client->find == client->v4find || client->find == client->v6find)
- client->find = NULL;
- else
- if (client->find != NULL)
- dns_adb_destroyfind(&client->find);
-
- /*
- * perhaps there are some here?
- */
- if (NEED_V6(client) && client->v4find != NULL)
- client->v6find = client->v4find;
-
- /*
- * Run through the finds we have and wire them up to the gabn
- * structure.
- */
- LWRES_LIST_INIT(client->gabn.addrs);
- if (client->v4find != NULL)
- setup_addresses(client, client->v4find, DNS_ADBFIND_INET);
- if (client->v6find != NULL)
- setup_addresses(client, client->v6find, DNS_ADBFIND_INET6);
-
- /*
- * If there are no addresses, try the next element in the search
- * path, if there are any more. Otherwise, fall through into
- * the error handling code below.
- */
- if (client->gabn.naddrs == 0) {
- do {
- result = ns_lwsearchctx_next(&client->searchctx);
- if (result == ISC_R_SUCCESS) {
- cleanup_gabn(client);
- result = start_find(client);
- if (result == ISC_R_SUCCESS)
- return;
- }
- } while (result == ISC_R_SUCCESS);
- }
-
- /*
- * Render the packet.
- */
- client->pkt.recvlength = LWRES_RECVLENGTH;
- client->pkt.authtype = 0; /* XXXMLG */
- client->pkt.authlength = 0;
-
- /*
- * If there are no addresses, return failure.
- */
- if (client->gabn.naddrs != 0)
- client->pkt.result = LWRES_R_SUCCESS;
- else
- client->pkt.result = LWRES_R_NOTFOUND;
-
- sort_addresses(client);
-
- lwres = lwres_gabnresponse_render(cm->lwctx, &client->gabn,
- &client->pkt, &lwb);
- if (lwres != LWRES_R_SUCCESS)
- goto out;
-
- r.base = lwb.base;
- r.length = lwb.used;
- client->sendbuf = r.base;
- client->sendlength = r.length;
- result = ns_lwdclient_sendreply(client, &r);
- if (result != ISC_R_SUCCESS)
- goto out;
-
- NS_LWDCLIENT_SETSEND(client);
-
- /*
- * All done!
- */
- cleanup_gabn(client);
-
- return;
-
- out:
- cleanup_gabn(client);
-
- if (lwb.base != NULL)
- lwres_context_freemem(client->clientmgr->lwctx,
- lwb.base, lwb.length);
-
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
-
-/*
- * Take the current real name, move it to an alias slot (if any are
- * open) then put this new name in as the real name for the target.
- *
- * Return success if it can be rendered, otherwise failure. Note that
- * not having enough alias slots open is NOT a failure.
- */
-static isc_result_t
-add_alias(ns_lwdclient_t *client) {
- isc_buffer_t b;
- isc_result_t result;
- isc_uint16_t naliases;
-
- b = client->recv_buffer;
-
- /*
- * Render the new name to the buffer.
- */
- result = dns_name_totext(dns_fixedname_name(&client->target_name),
- ISC_TRUE, &client->recv_buffer);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Are there any open slots?
- */
- naliases = client->gabn.naliases;
- if (naliases < LWRES_MAX_ALIASES) {
- client->gabn.aliases[naliases] = client->gabn.realname;
- client->gabn.aliaslen[naliases] = client->gabn.realnamelen;
- client->gabn.naliases++;
- }
-
- /*
- * Save this name away as the current real name.
- */
- client->gabn.realname = (char *)(b.base) + b.used;
- client->gabn.realnamelen = client->recv_buffer.used - b.used;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-store_realname(ns_lwdclient_t *client) {
- isc_buffer_t b;
- isc_result_t result;
- dns_name_t *tname;
-
- b = client->recv_buffer;
-
- tname = dns_fixedname_name(&client->target_name);
- result = ns_lwsearchctx_current(&client->searchctx, tname);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Render the new name to the buffer.
- */
- result = dns_name_totext(tname, ISC_TRUE, &client->recv_buffer);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Save this name away as the current real name.
- */
- client->gabn.realname = (char *) b.base + b.used;
- client->gabn.realnamelen = client->recv_buffer.used - b.used;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-process_gabn_finddone(isc_task_t *task, isc_event_t *ev) {
- ns_lwdclient_t *client = ev->ev_arg;
- isc_eventtype_t evtype;
- isc_boolean_t claimed;
-
- ns_lwdclient_log(50, "find done for task %p, client %p", task, client);
-
- evtype = ev->ev_type;
- isc_event_free(&ev);
-
- /*
- * No more info to be had? If so, we have all the good stuff
- * right now, so we can render things.
- */
- claimed = ISC_FALSE;
- if (evtype == DNS_EVENT_ADBNOMOREADDRESSES) {
- if (NEED_V4(client)) {
- client->v4find = client->find;
- claimed = ISC_TRUE;
- }
- if (NEED_V6(client)) {
- client->v6find = client->find;
- claimed = ISC_TRUE;
- }
- if (client->find != NULL) {
- if (claimed)
- client->find = NULL;
- else
- dns_adb_destroyfind(&client->find);
-
- }
- generate_reply(client);
- return;
- }
-
- /*
- * We probably don't need this find anymore. We're either going to
- * reissue it, or an error occurred. Either way, we're done with
- * it.
- */
- if ((client->find != client->v4find)
- && (client->find != client->v6find)) {
- dns_adb_destroyfind(&client->find);
- } else {
- client->find = NULL;
- }
-
- /*
- * We have some new information we can gather. Run off and fetch
- * it.
- */
- if (evtype == DNS_EVENT_ADBMOREADDRESSES) {
- restart_find(client);
- return;
- }
-
- /*
- * An error or other strangeness happened. Drop this query.
- */
- cleanup_gabn(client);
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
-
-static void
-restart_find(ns_lwdclient_t *client) {
- unsigned int options;
- isc_result_t result;
- isc_boolean_t claimed;
-
- ns_lwdclient_log(50, "starting find for client %p", client);
-
- /*
- * Issue a find for the name contained in the request. We won't
- * set the bit that says "anything is good enough" -- we want it
- * all.
- */
- options = 0;
- options |= DNS_ADBFIND_WANTEVENT;
- options |= DNS_ADBFIND_RETURNLAME;
-
- /*
- * Set the bits up here to mark that we want this address family
- * and that we do not currently have a find pending. We will
- * set that bit again below if it turns out we will get an event.
- */
- if (NEED_V4(client))
- options |= DNS_ADBFIND_INET;
- if (NEED_V6(client))
- options |= DNS_ADBFIND_INET6;
-
- find_again:
- INSIST(client->find == NULL);
- result = dns_adb_createfind(client->clientmgr->view->adb,
- client->clientmgr->task,
- process_gabn_finddone, client,
- dns_fixedname_name(&client->target_name),
- dns_rootname, options, 0,
- dns_fixedname_name(&client->target_name),
- client->clientmgr->view->dstport,
- &client->find);
-
- /*
- * Did we get an alias? If so, save it and re-issue the query.
- */
- if (result == DNS_R_ALIAS) {
- ns_lwdclient_log(50, "found alias, restarting query");
- dns_adb_destroyfind(&client->find);
- cleanup_gabn(client);
- result = add_alias(client);
- if (result != ISC_R_SUCCESS) {
- ns_lwdclient_log(50,
- "out of buffer space adding alias");
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
- return;
- }
- goto find_again;
- }
-
- ns_lwdclient_log(50, "find returned %d (%s)", result,
- isc_result_totext(result));
-
- /*
- * Did we get an error?
- */
- if (result != ISC_R_SUCCESS) {
- if (client->find != NULL)
- dns_adb_destroyfind(&client->find);
- cleanup_gabn(client);
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
- return;
- }
-
- claimed = ISC_FALSE;
-
- /*
- * Did we get our answer to V4 addresses?
- */
- if (NEED_V4(client)
- && ((client->find->query_pending & DNS_ADBFIND_INET) == 0)) {
- ns_lwdclient_log(50, "client %p ipv4 satisfied by find %p",
- client, client->find);
- claimed = ISC_TRUE;
- client->v4find = client->find;
- }
-
- /*
- * Did we get our answer to V6 addresses?
- */
- if (NEED_V6(client)
- && ((client->find->query_pending & DNS_ADBFIND_INET6) == 0)) {
- ns_lwdclient_log(50, "client %p ipv6 satisfied by find %p",
- client, client->find);
- claimed = ISC_TRUE;
- client->v6find = client->find;
- }
-
- /*
- * If we're going to get an event, set our internal pending flag
- * and return. When we get an event back we'll do the right
- * thing, basically by calling this function again, perhaps with a
- * new target name.
- *
- * If we have both v4 and v6, and we are still getting an event,
- * we have a programming error, so die hard.
- */
- if ((client->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
- ns_lwdclient_log(50, "event will be sent");
- INSIST(client->v4find == NULL || client->v6find == NULL);
- return;
- }
- ns_lwdclient_log(50, "no event will be sent");
- if (claimed)
- client->find = NULL;
- else
- dns_adb_destroyfind(&client->find);
-
- /*
- * We seem to have everything we asked for, or at least we are
- * able to respond with things we've learned.
- */
-
- generate_reply(client);
-}
-
-static isc_result_t
-start_find(ns_lwdclient_t *client) {
- isc_result_t result;
-
- /*
- * Initialize the real name and alias arrays in the reply we're
- * going to build up.
- */
- init_gabn(client);
-
- result = store_realname(client);
- if (result != ISC_R_SUCCESS)
- return (result);
- restart_find(client);
- return (ISC_R_SUCCESS);
-
-}
-
-static void
-init_gabn(ns_lwdclient_t *client) {
- int i;
-
- /*
- * Initialize the real name and alias arrays in the reply we're
- * going to build up.
- */
- for (i = 0; i < LWRES_MAX_ALIASES; i++) {
- client->aliases[i] = NULL;
- client->aliaslen[i] = 0;
- }
- for (i = 0; i < LWRES_MAX_ADDRS; i++) {
- client->addrs[i].family = 0;
- client->addrs[i].length = 0;
- memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
- LWRES_LINK_INIT(&client->addrs[i], link);
- }
-
- client->gabn.naliases = 0;
- client->gabn.naddrs = 0;
- client->gabn.realname = NULL;
- client->gabn.aliases = client->aliases;
- client->gabn.realnamelen = 0;
- client->gabn.aliaslen = client->aliaslen;
- LWRES_LIST_INIT(client->gabn.addrs);
- client->gabn.base = NULL;
- client->gabn.baselen = 0;
-
- /*
- * Set up the internal buffer to point to the receive region.
- */
- isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
-}
-
-/*
- * When we are called, we can be assured that:
- *
- * client->sockaddr contains the address we need to reply to,
- *
- * client->pkt contains the packet header data,
- *
- * the packet "checks out" overall -- any MD5 hashes or crypto
- * bits have been verified,
- *
- * "b" points to the remaining data after the packet header
- * was parsed off.
- *
- * We are in a the RECVDONE state.
- *
- * From this state we will enter the SEND state if we happen to have
- * everything we need or we need to return an error packet, or to the
- * FINDWAIT state if we need to look things up.
- */
-void
-ns_lwdclient_processgabn(ns_lwdclient_t *client, lwres_buffer_t *b) {
- isc_result_t result;
- lwres_gabnrequest_t *req;
- ns_lwdclientmgr_t *cm;
- isc_buffer_t namebuf;
-
- REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
-
- cm = client->clientmgr;
- req = NULL;
-
- result = lwres_gabnrequest_parse(client->clientmgr->lwctx,
- b, &client->pkt, &req);
- if (result != LWRES_R_SUCCESS)
- goto out;
- if (req->name == NULL)
- goto out;
-
- isc_buffer_init(&namebuf, req->name, req->namelen);
- isc_buffer_add(&namebuf, req->namelen);
-
- dns_fixedname_init(&client->target_name);
- dns_fixedname_init(&client->query_name);
- result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
- &namebuf, NULL, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- goto out;
- ns_lwsearchctx_init(&client->searchctx,
- cm->listener->manager->search,
- dns_fixedname_name(&client->query_name),
- cm->listener->manager->ndots);
- ns_lwsearchctx_first(&client->searchctx);
-
- client->find_wanted = req->addrtypes;
- ns_lwdclient_log(50, "client %p looking for addrtypes %08x",
- client, client->find_wanted);
-
- /*
- * We no longer need to keep this around.
- */
- lwres_gabnrequest_free(client->clientmgr->lwctx, &req);
-
- /*
- * Start the find.
- */
- result = start_find(client);
- if (result != ISC_R_SUCCESS)
- goto out;
-
- return;
-
- /*
- * We're screwed. Return an error packet to our caller.
- */
- out:
- if (req != NULL)
- lwres_gabnrequest_free(client->clientmgr->lwctx, &req);
-
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwdgnba.c b/contrib/bind9/bin/named/lwdgnba.c
deleted file mode 100644
index 21ef804ac933..000000000000
--- a/contrib/bind9/bin/named/lwdgnba.c
+++ /dev/null
@@ -1,270 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/byaddr.h>
-#include <dns/result.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-
-static void start_byaddr(ns_lwdclient_t *);
-
-static void
-byaddr_done(isc_task_t *task, isc_event_t *event) {
- ns_lwdclient_t *client;
- ns_lwdclientmgr_t *cm;
- dns_byaddrevent_t *bevent;
- int lwres;
- lwres_buffer_t lwb;
- dns_name_t *name;
- isc_result_t result;
- lwres_result_t lwresult;
- isc_region_t r;
- isc_buffer_t b;
- lwres_gnbaresponse_t *gnba;
- isc_uint16_t naliases;
-
- UNUSED(task);
-
- lwb.base = NULL;
- client = event->ev_arg;
- cm = client->clientmgr;
- INSIST(client->byaddr == (dns_byaddr_t *)event->ev_sender);
-
- bevent = (dns_byaddrevent_t *)event;
- gnba = &client->gnba;
-
- ns_lwdclient_log(50, "byaddr event result = %s",
- isc_result_totext(bevent->result));
-
- result = bevent->result;
- if (result != ISC_R_SUCCESS) {
- dns_byaddr_destroy(&client->byaddr);
- isc_event_free(&event);
- bevent = NULL;
-
- if (client->na.family != AF_INET6 ||
- (client->options & DNS_BYADDROPT_IPV6INT) != 0) {
- if (result == DNS_R_NCACHENXDOMAIN ||
- result == DNS_R_NCACHENXRRSET ||
- result == DNS_R_NXDOMAIN ||
- result == DNS_R_NXRRSET)
- lwresult = LWRES_R_NOTFOUND;
- else
- lwresult = LWRES_R_FAILURE;
- ns_lwdclient_errorpktsend(client, lwresult);
- return;
- }
-
- /*
- * Fall back to ip6.int reverse if the default ip6.arpa
- * fails.
- */
- client->options |= DNS_BYADDROPT_IPV6INT;
-
- start_byaddr(client);
- return;
- }
-
- for (name = ISC_LIST_HEAD(bevent->names);
- name != NULL;
- name = ISC_LIST_NEXT(name, link))
- {
- b = client->recv_buffer;
-
- result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer);
- if (result != ISC_R_SUCCESS)
- goto out;
- ns_lwdclient_log(50, "found name '%.*s'",
- (int)(client->recv_buffer.used - b.used),
- (char *)(b.base) + b.used);
- if (gnba->realname == NULL) {
- gnba->realname = (char *)(b.base) + b.used;
- gnba->realnamelen = client->recv_buffer.used - b.used;
- } else {
- naliases = gnba->naliases;
- if (naliases >= LWRES_MAX_ALIASES)
- break;
- gnba->aliases[naliases] = (char *)(b.base) + b.used;
- gnba->aliaslen[naliases] =
- client->recv_buffer.used - b.used;
- gnba->naliases++;
- }
- }
-
- dns_byaddr_destroy(&client->byaddr);
- isc_event_free(&event);
-
- /*
- * Render the packet.
- */
- client->pkt.recvlength = LWRES_RECVLENGTH;
- client->pkt.authtype = 0; /* XXXMLG */
- client->pkt.authlength = 0;
- client->pkt.result = LWRES_R_SUCCESS;
-
- lwres = lwres_gnbaresponse_render(cm->lwctx,
- gnba, &client->pkt, &lwb);
- if (lwres != LWRES_R_SUCCESS)
- goto out;
-
- r.base = lwb.base;
- r.length = lwb.used;
- client->sendbuf = r.base;
- client->sendlength = r.length;
- result = ns_lwdclient_sendreply(client, &r);
- if (result != ISC_R_SUCCESS)
- goto out;
-
- NS_LWDCLIENT_SETSEND(client);
-
- return;
-
- out:
- if (client->byaddr != NULL)
- dns_byaddr_destroy(&client->byaddr);
- if (lwb.base != NULL)
- lwres_context_freemem(cm->lwctx,
- lwb.base, lwb.length);
-
- if (event != NULL)
- isc_event_free(&event);
-}
-
-static void
-start_byaddr(ns_lwdclient_t *client) {
- isc_result_t result;
- ns_lwdclientmgr_t *cm;
-
- cm = client->clientmgr;
-
- INSIST(client->byaddr == NULL);
-
- result = dns_byaddr_create(cm->mctx, &client->na, cm->view,
- client->options, cm->task, byaddr_done,
- client, &client->byaddr);
- if (result != ISC_R_SUCCESS) {
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
- return;
- }
-}
-
-static void
-init_gnba(ns_lwdclient_t *client) {
- int i;
-
- /*
- * Initialize the real name and alias arrays in the reply we're
- * going to build up.
- */
- for (i = 0; i < LWRES_MAX_ALIASES; i++) {
- client->aliases[i] = NULL;
- client->aliaslen[i] = 0;
- }
- for (i = 0; i < LWRES_MAX_ADDRS; i++) {
- client->addrs[i].family = 0;
- client->addrs[i].length = 0;
- memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
- LWRES_LINK_INIT(&client->addrs[i], link);
- }
-
- client->gnba.naliases = 0;
- client->gnba.realname = NULL;
- client->gnba.aliases = client->aliases;
- client->gnba.realnamelen = 0;
- client->gnba.aliaslen = client->aliaslen;
- client->gnba.base = NULL;
- client->gnba.baselen = 0;
- isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
-}
-
-void
-ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) {
- lwres_gnbarequest_t *req;
- isc_result_t result;
- isc_sockaddr_t sa;
- ns_lwdclientmgr_t *cm;
-
- REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
- INSIST(client->byaddr == NULL);
-
- cm = client->clientmgr;
- req = NULL;
-
- result = lwres_gnbarequest_parse(cm->lwctx,
- b, &client->pkt, &req);
- if (result != LWRES_R_SUCCESS)
- goto out;
- if (req->addr.address == NULL)
- goto out;
-
- client->options = 0;
- if (req->addr.family == LWRES_ADDRTYPE_V4) {
- client->na.family = AF_INET;
- if (req->addr.length != 4)
- goto out;
- memcpy(&client->na.type.in, req->addr.address, 4);
- } else if (req->addr.family == LWRES_ADDRTYPE_V6) {
- client->na.family = AF_INET6;
- if (req->addr.length != 16)
- goto out;
- memcpy(&client->na.type.in6, req->addr.address, 16);
- } else {
- goto out;
- }
- isc_sockaddr_fromnetaddr(&sa, &client->na, 53);
-
- ns_lwdclient_log(50, "client %p looking for addrtype %08x",
- client, req->addr.family);
-
- /*
- * We no longer need to keep this around.
- */
- lwres_gnbarequest_free(cm->lwctx, &req);
-
- /*
- * Initialize the real name and alias arrays in the reply we're
- * going to build up.
- */
- init_gnba(client);
- client->options = 0;
-
- /*
- * Start the find.
- */
- start_byaddr(client);
-
- return;
-
- /*
- * We're screwed. Return an error packet to our caller.
- */
- out:
- if (req != NULL)
- lwres_gnbarequest_free(cm->lwctx, &req);
-
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c
deleted file mode 100644
index 665226539b4f..000000000000
--- a/contrib/bind9/bin/named/lwdgrbn.c
+++ /dev/null
@@ -1,513 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdgrbn.c,v 1.11.208.3 2004/03/08 04:04:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/socket.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/lookup.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-#include <named/lwresd.h>
-#include <named/lwsearch.h>
-
-static void start_lookup(ns_lwdclient_t *);
-
-static isc_result_t
-fill_array(int *pos, dns_rdataset_t *rdataset,
- int size, unsigned char **rdatas, lwres_uint16_t *rdatalen)
-{
- dns_rdata_t rdata;
- isc_result_t result;
- isc_region_t r;
-
- UNUSED(size);
-
- dns_rdata_init(&rdata);
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- INSIST(*pos < size);
- dns_rdataset_current(rdataset, &rdata);
- dns_rdata_toregion(&rdata, &r);
- rdatas[*pos] = r.base;
- rdatalen[*pos] = r.length;
- dns_rdata_reset(&rdata);
- (*pos)++;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- return (result);
-}
-
-static isc_result_t
-iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node,
- isc_mem_t *mctx)
-{
- int used = 0, count;
- int size = 8, oldsize = 0;
- unsigned char **rdatas = NULL, **oldrdatas = NULL, **newrdatas = NULL;
- lwres_uint16_t *lens = NULL, *oldlens = NULL, *newlens = NULL;
- dns_rdatasetiter_t *iter = NULL;
- dns_rdataset_t set;
- dns_ttl_t ttl = ISC_INT32_MAX;
- lwres_uint32_t flags = LWRDATA_VALIDATED;
- isc_result_t result = ISC_R_NOMEMORY;
-
- result = dns_db_allrdatasets(db, node, NULL, 0, &iter);
- if (result != ISC_R_SUCCESS)
- goto out;
-
- rdatas = isc_mem_get(mctx, size * sizeof(*rdatas));
- if (rdatas == NULL)
- goto out;
- lens = isc_mem_get(mctx, size * sizeof(*lens));
- if (lens == NULL)
- goto out;
-
- for (result = dns_rdatasetiter_first(iter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iter))
- {
- result = ISC_R_NOMEMORY;
- dns_rdataset_init(&set);
- dns_rdatasetiter_current(iter, &set);
-
- if (set.type != dns_rdatatype_rrsig) {
- dns_rdataset_disassociate(&set);
- continue;
- }
-
- count = dns_rdataset_count(&set);
- if (used + count > size) {
- /* copy & reallocate */
- oldsize = size;
- oldrdatas = rdatas;
- oldlens = lens;
- rdatas = NULL;
- lens = NULL;
-
- size *= 2;
-
- rdatas = isc_mem_get(mctx, size * sizeof(*rdatas));
- if (rdatas == NULL)
- goto out;
- lens = isc_mem_get(mctx, size * sizeof(*lens));
- if (lens == NULL)
- goto out;
- memcpy(rdatas, oldrdatas, used * sizeof(*rdatas));
- memcpy(lens, oldlens, used * sizeof(*lens));
- isc_mem_put(mctx, oldrdatas,
- oldsize * sizeof(*oldrdatas));
- isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
- oldrdatas = NULL;
- oldlens = NULL;
- }
- if (set.ttl < ttl)
- ttl = set.ttl;
- if (set.trust != dns_trust_secure)
- flags &= (~LWRDATA_VALIDATED);
- result = fill_array(&used, &set, size, rdatas, lens);
- dns_rdataset_disassociate(&set);
- if (result != ISC_R_SUCCESS)
- goto out;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (result != ISC_R_SUCCESS)
- goto out;
- dns_rdatasetiter_destroy(&iter);
-
- /*
- * If necessary, shrink and copy the arrays.
- */
- if (size != used) {
- result = ISC_R_NOMEMORY;
- newrdatas = isc_mem_get(mctx, used * sizeof(*rdatas));
- if (newrdatas == NULL)
- goto out;
- newlens = isc_mem_get(mctx, used * sizeof(*lens));
- if (newlens == NULL)
- goto out;
- memcpy(newrdatas, rdatas, used * sizeof(*rdatas));
- memcpy(newlens, lens, used * sizeof(*lens));
- isc_mem_put(mctx, rdatas, size * sizeof(*rdatas));
- isc_mem_put(mctx, lens, size * sizeof(*lens));
- grbn->rdatas = newrdatas;
- grbn->rdatalen = newlens;
- } else {
- grbn->rdatas = rdatas;
- grbn->rdatalen = lens;
- }
- grbn->nrdatas = used;
- grbn->ttl = ttl;
- grbn->flags = flags;
- return (ISC_R_SUCCESS);
-
- out:
- dns_rdatasetiter_destroy(&iter);
- if (rdatas != NULL)
- isc_mem_put(mctx, rdatas, size * sizeof(*rdatas));
- if (lens != NULL)
- isc_mem_put(mctx, lens, size * sizeof(*lens));
- if (oldrdatas != NULL)
- isc_mem_put(mctx, oldrdatas, oldsize * sizeof(*oldrdatas));
- if (oldlens != NULL)
- isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
- if (newrdatas != NULL)
- isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas));
- if (newlens != NULL)
- isc_mem_put(mctx, newlens, used * sizeof(*oldlens));
- return (result);
-}
-
-static void
-lookup_done(isc_task_t *task, isc_event_t *event) {
- ns_lwdclient_t *client;
- ns_lwdclientmgr_t *cm;
- dns_lookupevent_t *levent;
- lwres_buffer_t lwb;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
- dns_rdataset_t *sigrdataset;
- isc_result_t result;
- lwres_result_t lwresult;
- isc_region_t r;
- isc_buffer_t b;
- lwres_grbnresponse_t *grbn;
- int i;
-
- UNUSED(task);
-
- lwb.base = NULL;
- client = event->ev_arg;
- cm = client->clientmgr;
- INSIST(client->lookup == (dns_lookup_t *)event->ev_sender);
-
- levent = (dns_lookupevent_t *)event;
- grbn = &client->grbn;
-
- ns_lwdclient_log(50, "lookup event result = %s",
- isc_result_totext(levent->result));
-
- result = levent->result;
- if (result != ISC_R_SUCCESS) {
- dns_lookup_destroy(&client->lookup);
- isc_event_free(&event);
- levent = NULL;
-
- switch (result) {
- case DNS_R_NXDOMAIN:
- case DNS_R_NCACHENXDOMAIN:
- result = ns_lwsearchctx_next(&client->searchctx);
- if (result != ISC_R_SUCCESS)
- lwresult = LWRES_R_NOTFOUND;
- else {
- start_lookup(client);
- return;
- }
- break;
- case DNS_R_NXRRSET:
- case DNS_R_NCACHENXRRSET:
- lwresult = LWRES_R_TYPENOTFOUND;
- break;
- default:
- lwresult = LWRES_R_FAILURE;
- }
- ns_lwdclient_errorpktsend(client, lwresult);
- return;
- }
-
- name = levent->name;
- b = client->recv_buffer;
-
- grbn->flags = 0;
-
- grbn->nrdatas = 0;
- grbn->rdatas = NULL;
- grbn->rdatalen = NULL;
-
- grbn->nsigs = 0;
- grbn->sigs = NULL;
- grbn->siglen = NULL;
-
- result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer);
- if (result != ISC_R_SUCCESS)
- goto out;
- grbn->realname = (char *)isc_buffer_used(&b);
- grbn->realnamelen = isc_buffer_usedlength(&client->recv_buffer) -
- isc_buffer_usedlength(&b);
- ns_lwdclient_log(50, "found name '%.*s'", grbn->realnamelen,
- grbn->realname);
-
- grbn->rdclass = cm->view->rdclass;
- grbn->rdtype = client->rdtype;
-
- rdataset = levent->rdataset;
- if (rdataset != NULL) {
- /* The normal case */
- grbn->nrdatas = dns_rdataset_count(rdataset);
- grbn->rdatas = isc_mem_get(cm->mctx, grbn->nrdatas *
- sizeof(unsigned char *));
- if (grbn->rdatas == NULL)
- goto out;
- grbn->rdatalen = isc_mem_get(cm->mctx, grbn->nrdatas *
- sizeof(lwres_uint16_t));
- if (grbn->rdatalen == NULL)
- goto out;
-
- i = 0;
- result = fill_array(&i, rdataset, grbn->nrdatas, grbn->rdatas,
- grbn->rdatalen);
- if (result != ISC_R_SUCCESS)
- goto out;
- INSIST(i == grbn->nrdatas);
- grbn->ttl = rdataset->ttl;
- if (rdataset->trust == dns_trust_secure)
- grbn->flags |= LWRDATA_VALIDATED;
- } else {
- /* The SIG query case */
- result = iterate_node(grbn, levent->db, levent->node,
- cm->mctx);
- if (result != ISC_R_SUCCESS)
- goto out;
- }
- ns_lwdclient_log(50, "filled in %d rdata%s", grbn->nrdatas,
- (grbn->nrdatas == 1) ? "" : "s");
-
- sigrdataset = levent->sigrdataset;
- if (sigrdataset != NULL) {
- grbn->nsigs = dns_rdataset_count(sigrdataset);
- grbn->sigs = isc_mem_get(cm->mctx, grbn->nsigs *
- sizeof(unsigned char *));
- if (grbn->sigs == NULL)
- goto out;
- grbn->siglen = isc_mem_get(cm->mctx, grbn->nsigs *
- sizeof(lwres_uint16_t));
- if (grbn->siglen == NULL)
- goto out;
-
- i = 0;
- result = fill_array(&i, sigrdataset, grbn->nsigs, grbn->sigs,
- grbn->siglen);
- if (result != ISC_R_SUCCESS)
- goto out;
- INSIST(i == grbn->nsigs);
- ns_lwdclient_log(50, "filled in %d signature%s", grbn->nsigs,
- (grbn->nsigs == 1) ? "" : "s");
- }
-
- dns_lookup_destroy(&client->lookup);
- isc_event_free(&event);
-
- /*
- * Render the packet.
- */
- client->pkt.recvlength = LWRES_RECVLENGTH;
- client->pkt.authtype = 0; /* XXXMLG */
- client->pkt.authlength = 0;
- client->pkt.result = LWRES_R_SUCCESS;
-
- lwresult = lwres_grbnresponse_render(cm->lwctx,
- grbn, &client->pkt, &lwb);
- if (lwresult != LWRES_R_SUCCESS)
- goto out;
-
- isc_mem_put(cm->mctx, grbn->rdatas,
- grbn->nrdatas * sizeof(unsigned char *));
- isc_mem_put(cm->mctx, grbn->rdatalen,
- grbn->nrdatas * sizeof(lwres_uint16_t));
-
- if (grbn->sigs != NULL)
- isc_mem_put(cm->mctx, grbn->sigs,
- grbn->nsigs * sizeof(unsigned char *));
- if (grbn->siglen != NULL)
- isc_mem_put(cm->mctx, grbn->siglen,
- grbn->nsigs * sizeof(lwres_uint16_t));
-
- r.base = lwb.base;
- r.length = lwb.used;
- client->sendbuf = r.base;
- client->sendlength = r.length;
- result = ns_lwdclient_sendreply(client, &r);
- if (result != ISC_R_SUCCESS)
- goto out;
-
- NS_LWDCLIENT_SETSEND(client);
-
- return;
-
- out:
- if (grbn->rdatas != NULL)
- isc_mem_put(cm->mctx, grbn->rdatas,
- grbn->nrdatas * sizeof(unsigned char *));
- if (grbn->rdatalen != NULL)
- isc_mem_put(cm->mctx, grbn->rdatalen,
- grbn->nrdatas * sizeof(lwres_uint16_t));
-
- if (grbn->sigs != NULL)
- isc_mem_put(cm->mctx, grbn->sigs,
- grbn->nsigs * sizeof(unsigned char *));
- if (grbn->siglen != NULL)
- isc_mem_put(cm->mctx, grbn->siglen,
- grbn->nsigs * sizeof(lwres_uint16_t));
-
- if (client->lookup != NULL)
- dns_lookup_destroy(&client->lookup);
- if (lwb.base != NULL)
- lwres_context_freemem(cm->lwctx, lwb.base, lwb.length);
-
- if (event != NULL)
- isc_event_free(&event);
-
- ns_lwdclient_log(50, "error constructing getrrsetbyname response");
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
-
-static void
-start_lookup(ns_lwdclient_t *client) {
- isc_result_t result;
- ns_lwdclientmgr_t *cm;
- dns_fixedname_t absname;
-
- cm = client->clientmgr;
-
- INSIST(client->lookup == NULL);
-
- dns_fixedname_init(&absname);
- result = ns_lwsearchctx_current(&client->searchctx,
- dns_fixedname_name(&absname));
- /*
- * This will return failure if relative name + suffix is too long.
- * In this case, just go on to the next entry in the search path.
- */
- if (result != ISC_R_SUCCESS)
- start_lookup(client);
-
- result = dns_lookup_create(cm->mctx,
- dns_fixedname_name(&absname),
- client->rdtype, cm->view,
- client->options, cm->task, lookup_done,
- client, &client->lookup);
- if (result != ISC_R_SUCCESS) {
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
- return;
- }
-}
-
-static void
-init_grbn(ns_lwdclient_t *client) {
- client->grbn.rdclass = 0;
- client->grbn.rdtype = 0;
- client->grbn.ttl = 0;
- client->grbn.nrdatas = 0;
- client->grbn.realname = NULL;
- client->grbn.realnamelen = 0;
- client->grbn.rdatas = 0;
- client->grbn.rdatalen = 0;
- client->grbn.base = NULL;
- client->grbn.baselen = 0;
- isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
-}
-
-void
-ns_lwdclient_processgrbn(ns_lwdclient_t *client, lwres_buffer_t *b) {
- lwres_grbnrequest_t *req;
- isc_result_t result;
- ns_lwdclientmgr_t *cm;
- isc_buffer_t namebuf;
-
- REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
- INSIST(client->byaddr == NULL);
-
- cm = client->clientmgr;
- req = NULL;
-
- result = lwres_grbnrequest_parse(cm->lwctx,
- b, &client->pkt, &req);
- if (result != LWRES_R_SUCCESS)
- goto out;
- if (req->name == NULL)
- goto out;
-
- client->options = 0;
- if (req->rdclass != cm->view->rdclass)
- goto out;
-
- if (req->rdclass == dns_rdataclass_any ||
- req->rdtype == dns_rdatatype_any)
- goto out;
-
- client->rdtype = req->rdtype;
-
- isc_buffer_init(&namebuf, req->name, req->namelen);
- isc_buffer_add(&namebuf, req->namelen);
-
- dns_fixedname_init(&client->query_name);
- result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
- &namebuf, NULL, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- goto out;
- ns_lwsearchctx_init(&client->searchctx,
- cm->listener->manager->search,
- dns_fixedname_name(&client->query_name),
- cm->listener->manager->ndots);
- ns_lwsearchctx_first(&client->searchctx);
-
- ns_lwdclient_log(50, "client %p looking for type %d",
- client, client->rdtype);
-
- /*
- * We no longer need to keep this around.
- */
- lwres_grbnrequest_free(cm->lwctx, &req);
-
- /*
- * Initialize the real name and alias arrays in the reply we're
- * going to build up.
- */
- init_grbn(client);
-
- /*
- * Start the find.
- */
- start_lookup(client);
-
- return;
-
- /*
- * We're screwed. Return an error packet to our caller.
- */
- out:
- if (req != NULL)
- lwres_grbnrequest_free(cm->lwctx, &req);
-
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwdnoop.c b/contrib/bind9/bin/named/lwdnoop.c
deleted file mode 100644
index 30d95ee8d8e2..000000000000
--- a/contrib/bind9/bin/named/lwdnoop.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwdnoop.c,v 1.6.208.1 2004/03/06 10:21:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/socket.h>
-#include <isc/util.h>
-
-#include <named/types.h>
-#include <named/lwdclient.h>
-
-void
-ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) {
- lwres_nooprequest_t *req;
- lwres_noopresponse_t resp;
- isc_result_t result;
- lwres_result_t lwres;
- isc_region_t r;
- lwres_buffer_t lwb;
-
- REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
- INSIST(client->byaddr == NULL);
-
- req = NULL;
-
- result = lwres_nooprequest_parse(client->clientmgr->lwctx,
- b, &client->pkt, &req);
- if (result != LWRES_R_SUCCESS)
- goto out;
-
- client->pkt.recvlength = LWRES_RECVLENGTH;
- client->pkt.authtype = 0; /* XXXMLG */
- client->pkt.authlength = 0;
- client->pkt.result = LWRES_R_SUCCESS;
-
- resp.datalength = req->datalength;
- resp.data = req->data;
-
- lwres = lwres_noopresponse_render(client->clientmgr->lwctx, &resp,
- &client->pkt, &lwb);
- if (lwres != LWRES_R_SUCCESS)
- goto out;
-
- r.base = lwb.base;
- r.length = lwb.used;
- client->sendbuf = r.base;
- client->sendlength = r.length;
- result = ns_lwdclient_sendreply(client, &r);
- if (result != ISC_R_SUCCESS)
- goto out;
-
- /*
- * We can now destroy request.
- */
- lwres_nooprequest_free(client->clientmgr->lwctx, &req);
-
- NS_LWDCLIENT_SETSEND(client);
-
- return;
-
- out:
- if (req != NULL)
- lwres_nooprequest_free(client->clientmgr->lwctx, &req);
-
- if (lwb.base != NULL)
- lwres_context_freemem(client->clientmgr->lwctx,
- lwb.base, lwb.length);
-
- ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
-}
diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8
deleted file mode 100644
index 58f24b062374..000000000000
--- a/contrib/bind9/bin/named/lwresd.8
+++ /dev/null
@@ -1,140 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwresd.8,v 1.13.208.5 2005/10/13 02:33:47 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRESD" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwresd \- lightweight resolver daemon
-.SH "SYNOPSIS"
-.HP 7
-\fBlwresd\fR [\fB\-C\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-i\ \fR\fB\fIpid\-file\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-P\ \fR\fB\fIport\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR]
-.SH "DESCRIPTION"
-.PP
-\fBlwresd\fR
-is the daemon providing name lookup services to clients that use the BIND 9 lightweight resolver library. It is essentially a stripped\-down, caching\-only name server that answers queries using the BIND 9 lightweight resolver protocol rather than the DNS protocol.
-.PP
-\fBlwresd\fR
-listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that
-\fBlwresd\fR
-can only be used by processes running on the local machine. By default UDP port number 921 is used for lightweight resolver requests and responses.
-.PP
-Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes,
-\fBlwresd\fR
-encodes the answers in the lightweight resolver format and returns them to the client that made the request.
-.PP
-If
-\fI/etc/resolv.conf\fR
-contains any
-\fBnameserver\fR
-entries,
-\fBlwresd\fR
-sends recursive DNS queries to those servers. This is similar to the use of forwarders in a caching name server. If no
-\fBnameserver\fR
-entries are present, or if forwarding fails,
-\fBlwresd\fR
-resolves the queries autonomously starting at the root name servers, using a built\-in list of root server hints.
-.SH "OPTIONS"
-.TP
-\-C \fIconfig\-file\fR
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/resolv.conf\fR.
-.TP
-\-d \fIdebug\-level\fR
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
-\fBlwresd\fR
-become more verbose as the debug level increases.
-.TP
-\-f
-Run the server in the foreground (i.e. do not daemonize).
-.TP
-\-g
-Run the server in the foreground and force all logging to
-\fIstderr\fR.
-.TP
-\-n \fI#cpus\fR
-Create
-\fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
-\fBlwresd\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
-\-P \fIport\fR
-Listen for lightweight resolver queries on port
-\fIport\fR. If not specified, the default is port 921.
-.TP
-\-p \fIport\fR
-Send DNS lookups to port
-\fIport\fR. If not specified, the default is port 53. This provides a way of testing the lightweight resolver daemon with a name server that listens for queries on a non\-standard port number.
-.TP
-\-s
-Write memory usage statistics to
-\fIstdout\fR
-on exit.
-.RS
-.B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.TP
-\-t \fIdirectory\fR
-\fBchroot()\fR
-to
-\fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
-.RS
-.B "Warning:"
-This option should be used in conjunction with the
-\fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
-\fBchroot()\fR
-is defined allows a process with root privileges to escape a chroot jail.
-.RE
-.TP
-\-u \fIuser\fR
-\fBsetuid()\fR
-to
-\fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
-.TP
-\-v
-Report the version number and exit.
-.SH "FILES"
-.TP
-\fI/etc/resolv.conf\fR
-The default configuration file.
-.TP
-\fI/var/run/lwresd.pid\fR
-The default process\-id file.
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBlwres\fR(3),
-\fBresolver\fR(5).
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c
deleted file mode 100644
index 9da41681a533..000000000000
--- a/contrib/bind9/bin/named/lwresd.c
+++ /dev/null
@@ -1,861 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwresd.c,v 1.37.2.2.2.5 2004/03/08 04:04:19 marka Exp $ */
-
-/*
- * Main program for the Lightweight Resolver Daemon.
- *
- * To paraphrase the old saying about X11, "It's not a lightweight deamon
- * for resolvers, it's a deamon for lightweight resolvers".
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/list.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/socket.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <dns/log.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-#include <named/config.h>
-#include <named/globals.h>
-#include <named/log.h>
-#include <named/lwaddr.h>
-#include <named/lwresd.h>
-#include <named/lwdclient.h>
-#include <named/lwsearch.h>
-#include <named/server.h>
-
-#define LWRESD_MAGIC ISC_MAGIC('L', 'W', 'R', 'D')
-#define VALID_LWRESD(l) ISC_MAGIC_VALID(l, LWRESD_MAGIC)
-
-#define LWRESLISTENER_MAGIC ISC_MAGIC('L', 'W', 'R', 'L')
-#define VALID_LWRESLISTENER(l) ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC)
-
-/*
- * The total number of clients we can handle will be NTASKS * NRECVS.
- */
-#define NTASKS 2 /* tasks to create to handle lwres queries */
-#define NRECVS 2 /* max clients per task */
-
-typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t;
-
-static ns_lwreslistenerlist_t listeners;
-static isc_mutex_t listeners_lock;
-static isc_once_t once = ISC_ONCE_INIT;
-
-
-static void
-initialize_mutex(void) {
- RUNTIME_CHECK(isc_mutex_init(&listeners_lock) == ISC_R_SUCCESS);
-}
-
-
-/*
- * Wrappers around our memory management stuff, for the lwres functions.
- */
-void *
-ns__lwresd_memalloc(void *arg, size_t size) {
- return (isc_mem_get(arg, size));
-}
-
-void
-ns__lwresd_memfree(void *arg, void *mem, size_t size) {
- isc_mem_put(arg, mem, size);
-}
-
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
- } while (0)
-
-static isc_result_t
-buffer_putstr(isc_buffer_t *b, const char *s) {
- unsigned int len = strlen(s);
- if (isc_buffer_availablelength(b) <= len)
- return (ISC_R_NOSPACE);
- isc_buffer_putmem(b, (const unsigned char *)s, len);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Convert a resolv.conf file into a config structure.
- */
-isc_result_t
-ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
- cfg_obj_t **configp)
-{
- char text[4096];
- char str[16];
- isc_buffer_t b;
- lwres_context_t *lwctx = NULL;
- lwres_conf_t *lwc = NULL;
- isc_sockaddr_t sa;
- isc_netaddr_t na;
- int i;
- isc_result_t result;
- lwres_result_t lwresult;
-
- lwctx = NULL;
- lwresult = lwres_context_create(&lwctx, mctx, ns__lwresd_memalloc,
- ns__lwresd_memfree,
- LWRES_CONTEXT_SERVERMODE);
- if (lwresult != LWRES_R_SUCCESS) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
-
- lwresult = lwres_conf_parse(lwctx, lwresd_g_resolvconffile);
- if (lwresult != LWRES_R_SUCCESS) {
- result = DNS_R_SYNTAX;
- goto cleanup;
- }
-
- lwc = lwres_conf_get(lwctx);
- INSIST(lwc != NULL);
-
- isc_buffer_init(&b, text, sizeof(text));
-
- CHECK(buffer_putstr(&b, "options {\n"));
-
- /*
- * Build the list of forwarders.
- */
- if (lwc->nsnext > 0) {
- CHECK(buffer_putstr(&b, "\tforwarders {\n"));
-
- for (i = 0; i < lwc->nsnext; i++) {
- CHECK(lwaddr_sockaddr_fromlwresaddr(
- &sa,
- &lwc->nameservers[i],
- ns_g_port));
- isc_netaddr_fromsockaddr(&na, &sa);
- CHECK(buffer_putstr(&b, "\t\t"));
- CHECK(isc_netaddr_totext(&na, &b));
- CHECK(buffer_putstr(&b, ";\n"));
- }
- CHECK(buffer_putstr(&b, "\t};\n"));
- }
-
- /*
- * Build the sortlist
- */
- if (lwc->sortlistnxt > 0) {
- CHECK(buffer_putstr(&b, "\tsortlist {\n"));
- CHECK(buffer_putstr(&b, "\t\t{\n"));
- CHECK(buffer_putstr(&b, "\t\t\tany;\n"));
- CHECK(buffer_putstr(&b, "\t\t\t{\n"));
- for (i = 0; i < lwc->sortlistnxt; i++) {
- lwres_addr_t *lwaddr = &lwc->sortlist[i].addr;
- lwres_addr_t *lwmask = &lwc->sortlist[i].mask;
- unsigned int mask;
-
- CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwmask, 0));
- isc_netaddr_fromsockaddr(&na, &sa);
- result = isc_netaddr_masktoprefixlen(&na, &mask);
- if (result != ISC_R_SUCCESS) {
- char addrtext[ISC_NETADDR_FORMATSIZE];
- isc_netaddr_format(&na, addrtext,
- sizeof(addrtext));
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD,
- ISC_LOG_ERROR,
- "processing sortlist: '%s' is "
- "not a valid netmask",
- addrtext);
- goto cleanup;
- }
-
- CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwaddr, 0));
- isc_netaddr_fromsockaddr(&na, &sa);
-
- CHECK(buffer_putstr(&b, "\t\t\t\t"));
- CHECK(isc_netaddr_totext(&na, &b));
- snprintf(str, sizeof(str), "%u", mask);
- CHECK(buffer_putstr(&b, "/"));
- CHECK(buffer_putstr(&b, str));
- CHECK(buffer_putstr(&b, ";\n"));
- }
- CHECK(buffer_putstr(&b, "\t\t\t};\n"));
- CHECK(buffer_putstr(&b, "\t\t};\n"));
- CHECK(buffer_putstr(&b, "\t};\n"));
- }
-
- CHECK(buffer_putstr(&b, "};\n\n"));
-
- CHECK(buffer_putstr(&b, "lwres {\n"));
-
- /*
- * Build the search path
- */
- if (lwc->searchnxt > 0) {
- if (lwc->searchnxt > 0) {
- CHECK(buffer_putstr(&b, "\tsearch {\n"));
- for (i = 0; i < lwc->searchnxt; i++) {
- CHECK(buffer_putstr(&b, "\t\t\""));
- CHECK(buffer_putstr(&b, lwc->search[i]));
- CHECK(buffer_putstr(&b, "\";\n"));
- }
- CHECK(buffer_putstr(&b, "\t};\n"));
- }
- }
-
- /*
- * Build the ndots line
- */
- if (lwc->ndots != 1) {
- CHECK(buffer_putstr(&b, "\tndots "));
- snprintf(str, sizeof(str), "%u", lwc->ndots);
- CHECK(buffer_putstr(&b, str));
- CHECK(buffer_putstr(&b, ";\n"));
- }
-
- /*
- * Build the listen-on line
- */
- if (lwc->lwnext > 0) {
- CHECK(buffer_putstr(&b, "\tlisten-on {\n"));
-
- for (i = 0; i < lwc->lwnext; i++) {
- CHECK(lwaddr_sockaddr_fromlwresaddr(&sa,
- &lwc->lwservers[i],
- 0));
- isc_netaddr_fromsockaddr(&na, &sa);
- CHECK(buffer_putstr(&b, "\t\t"));
- CHECK(isc_netaddr_totext(&na, &b));
- CHECK(buffer_putstr(&b, ";\n"));
- }
- CHECK(buffer_putstr(&b, "\t};\n"));
- }
-
- CHECK(buffer_putstr(&b, "};\n"));
-
-#if 0
- printf("%.*s\n",
- (int)isc_buffer_usedlength(&b),
- (char *)isc_buffer_base(&b));
-#endif
-
- lwres_conf_clear(lwctx);
- lwres_context_destroy(&lwctx);
-
- return (cfg_parse_buffer(pctx, &b, &cfg_type_namedconf, configp));
-
- cleanup:
-
- if (lwctx != NULL) {
- lwres_conf_clear(lwctx);
- lwres_context_destroy(&lwctx);
- }
-
- return (result);
-}
-
-
-/*
- * Handle lwresd manager objects
- */
-isc_result_t
-ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
- ns_lwresd_t **lwresdp)
-{
- ns_lwresd_t *lwresd;
- const char *vname;
- dns_rdataclass_t vclass;
- cfg_obj_t *obj, *viewobj, *searchobj;
- cfg_listelt_t *element;
- isc_result_t result;
-
- INSIST(lwresdp != NULL && *lwresdp == NULL);
-
- lwresd = isc_mem_get(mctx, sizeof(ns_lwresd_t));
- if (lwresd == NULL)
- return (ISC_R_NOMEMORY);
-
- lwresd->mctx = NULL;
- isc_mem_attach(mctx, &lwresd->mctx);
- lwresd->view = NULL;
- lwresd->search = NULL;
- lwresd->refs = 1;
-
- obj = NULL;
- (void)cfg_map_get(lwres, "ndots", &obj);
- if (obj != NULL)
- lwresd->ndots = cfg_obj_asuint32(obj);
- else
- lwresd->ndots = 1;
-
- RUNTIME_CHECK(isc_mutex_init(&lwresd->lock) == ISC_R_SUCCESS);
-
- lwresd->shutting_down = ISC_FALSE;
-
- viewobj = NULL;
- (void)cfg_map_get(lwres, "view", &viewobj);
- if (viewobj != NULL) {
- vname = cfg_obj_asstring(cfg_tuple_get(viewobj, "name"));
- obj = cfg_tuple_get(viewobj, "class");
- result = ns_config_getclass(obj, dns_rdataclass_in, &vclass);
- if (result != ISC_R_SUCCESS)
- goto fail;
- } else {
- vname = "_default";
- vclass = dns_rdataclass_in;
- }
-
- result = dns_viewlist_find(&ns_g_server->viewlist, vname, vclass,
- &lwresd->view);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
- "couldn't find view %s", vname);
- goto fail;
- }
-
- searchobj = NULL;
- (void)cfg_map_get(lwres, "search", &searchobj);
- if (searchobj != NULL) {
- lwresd->search = NULL;
- result = ns_lwsearchlist_create(lwresd->mctx,
- &lwresd->search);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
- "couldn't create searchlist");
- goto fail;
- }
- for (element = cfg_list_first(searchobj);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *search;
- char *searchstr;
- isc_buffer_t namebuf;
- dns_fixedname_t fname;
- dns_name_t *name;
-
- search = cfg_listelt_value(element);
- searchstr = cfg_obj_asstring(search);
-
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- isc_buffer_init(&namebuf, searchstr,
- strlen(searchstr));
- isc_buffer_add(&namebuf, strlen(searchstr));
- result = dns_name_fromtext(name, &namebuf,
- dns_rootname, ISC_FALSE,
- NULL);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD,
- ISC_LOG_WARNING,
- "invalid name %s in searchlist",
- searchstr);
- continue;
- }
-
- result = ns_lwsearchlist_append(lwresd->search, name);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD,
- ISC_LOG_WARNING,
- "couldn't update searchlist");
- goto fail;
- }
- }
- }
-
- lwresd->magic = LWRESD_MAGIC;
-
- *lwresdp = lwresd;
- return (ISC_R_SUCCESS);
-
- fail:
- if (lwresd->view != NULL)
- dns_view_detach(&lwresd->view);
- if (lwresd->search != NULL)
- ns_lwsearchlist_detach(&lwresd->search);
- if (lwresd->mctx != NULL)
- isc_mem_detach(&lwresd->mctx);
- return (result);
-}
-
-void
-ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp) {
- INSIST(VALID_LWRESD(source));
- INSIST(targetp != NULL && *targetp == NULL);
-
- LOCK(&source->lock);
- source->refs++;
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-void
-ns_lwdmanager_detach(ns_lwresd_t **lwresdp) {
- ns_lwresd_t *lwresd;
- isc_mem_t *mctx;
- isc_boolean_t done = ISC_FALSE;
-
- INSIST(lwresdp != NULL && *lwresdp != NULL);
- INSIST(VALID_LWRESD(*lwresdp));
-
- lwresd = *lwresdp;
- *lwresdp = NULL;
-
- LOCK(&lwresd->lock);
- INSIST(lwresd->refs > 0);
- lwresd->refs--;
- if (lwresd->refs == 0)
- done = ISC_TRUE;
- UNLOCK(&lwresd->lock);
-
- if (!done)
- return;
-
- dns_view_detach(&lwresd->view);
- if (lwresd->search != NULL)
- ns_lwsearchlist_detach(&lwresd->search);
- mctx = lwresd->mctx;
- lwresd->magic = 0;
- isc_mem_put(mctx, lwresd, sizeof(*lwresd));
- isc_mem_detach(&mctx);
-}
-
-
-/*
- * Handle listener objects
- */
-void
-ns_lwreslistener_attach(ns_lwreslistener_t *source,
- ns_lwreslistener_t **targetp)
-{
- INSIST(VALID_LWRESLISTENER(source));
- INSIST(targetp != NULL && *targetp == NULL);
-
- LOCK(&source->lock);
- source->refs++;
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-void
-ns_lwreslistener_detach(ns_lwreslistener_t **listenerp) {
- ns_lwreslistener_t *listener;
- isc_mem_t *mctx;
- isc_boolean_t done = ISC_FALSE;
-
- INSIST(listenerp != NULL && *listenerp != NULL);
- INSIST(VALID_LWRESLISTENER(*listenerp));
-
- listener = *listenerp;
-
- LOCK(&listener->lock);
- INSIST(listener->refs > 0);
- listener->refs--;
- if (listener->refs == 0)
- done = ISC_TRUE;
- UNLOCK(&listener->lock);
-
- if (!done)
- return;
-
- if (listener->manager != NULL)
- ns_lwdmanager_detach(&listener->manager);
-
- if (listener->sock != NULL)
- isc_socket_detach(&listener->sock);
-
- listener->magic = 0;
- mctx = listener->mctx;
- isc_mem_put(mctx, listener, sizeof(*listener));
- isc_mem_detach(&mctx);
- listenerp = NULL;
-}
-
-static isc_result_t
-listener_create(isc_mem_t *mctx, ns_lwresd_t *lwresd,
- ns_lwreslistener_t **listenerp)
-{
- ns_lwreslistener_t *listener;
-
- REQUIRE(listenerp != NULL && *listenerp == NULL);
-
- listener = isc_mem_get(mctx, sizeof(ns_lwreslistener_t));
- if (listener == NULL)
- return (ISC_R_NOMEMORY);
- RUNTIME_CHECK(isc_mutex_init(&listener->lock) == ISC_R_SUCCESS);
-
- listener->magic = LWRESLISTENER_MAGIC;
- listener->refs = 1;
-
- listener->sock = NULL;
-
- listener->manager = NULL;
- ns_lwdmanager_attach(lwresd, &listener->manager);
-
- listener->mctx = NULL;
- isc_mem_attach(mctx, &listener->mctx);
-
- ISC_LINK_INIT(listener, link);
- ISC_LIST_INIT(listener->cmgrs);
-
- *listenerp = listener;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-listener_bind(ns_lwreslistener_t *listener, isc_sockaddr_t *address) {
- isc_socket_t *sock = NULL;
- isc_result_t result = ISC_R_SUCCESS;
- int pf;
-
- pf = isc_sockaddr_pf(address);
- if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
- (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
- return (ISC_R_FAMILYNOSUPPORT);
-
- listener->address = *address;
-
- if (isc_sockaddr_getport(&listener->address) == 0) {
- in_port_t port;
- port = lwresd_g_listenport;
- if (port == 0)
- port = LWRES_UDP_PORT;
- isc_sockaddr_setport(&listener->address, port);
- }
-
- sock = NULL;
- result = isc_socket_create(ns_g_socketmgr, pf,
- isc_sockettype_udp, &sock);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
- "failed to create lwres socket: %s",
- isc_result_totext(result));
- return (result);
- }
-
- result = isc_socket_bind(sock, &listener->address);
- if (result != ISC_R_SUCCESS) {
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_format(&listener->address, socktext,
- sizeof(socktext));
- isc_socket_detach(&sock);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
- "failed to add lwres socket: %s: %s",
- socktext, isc_result_totext(result));
- return (result);
- }
- listener->sock = sock;
- return (ISC_R_SUCCESS);
-}
-
-static void
-listener_copysock(ns_lwreslistener_t *oldlistener,
- ns_lwreslistener_t *newlistener)
-{
- newlistener->address = oldlistener->address;
- isc_socket_attach(oldlistener->sock, &newlistener->sock);
-}
-
-static isc_result_t
-listener_startclients(ns_lwreslistener_t *listener) {
- ns_lwdclientmgr_t *cm;
- unsigned int i;
- isc_result_t result;
-
- /*
- * Create the client managers.
- */
- result = ISC_R_SUCCESS;
- for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++)
- result = ns_lwdclientmgr_create(listener, NRECVS,
- ns_g_taskmgr);
-
- /*
- * Ensure that we have created at least one.
- */
- if (ISC_LIST_EMPTY(listener->cmgrs))
- return (result);
-
- /*
- * Walk the list of clients and start each one up.
- */
- LOCK(&listener->lock);
- cm = ISC_LIST_HEAD(listener->cmgrs);
- while (cm != NULL) {
- result = ns_lwdclient_startrecv(cm);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
- "could not start lwres "
- "client handler: %s",
- isc_result_totext(result));
- cm = ISC_LIST_NEXT(cm, link);
- }
- UNLOCK(&listener->lock);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-listener_shutdown(ns_lwreslistener_t *listener) {
- ns_lwdclientmgr_t *cm;
-
- cm = ISC_LIST_HEAD(listener->cmgrs);
- while (cm != NULL) {
- isc_task_shutdown(cm->task);
- cm = ISC_LIST_NEXT(cm, link);
- }
-}
-
-static isc_result_t
-find_listener(isc_sockaddr_t *address, ns_lwreslistener_t **listenerp) {
- ns_lwreslistener_t *listener;
-
- INSIST(listenerp != NULL && *listenerp == NULL);
-
- for (listener = ISC_LIST_HEAD(listeners);
- listener != NULL;
- listener = ISC_LIST_NEXT(listener, link))
- {
- if (!isc_sockaddr_equal(address, &listener->address))
- continue;
- *listenerp = listener;
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_NOTFOUND);
-}
-
-void
-ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm)
-{
- REQUIRE(VALID_LWRESLISTENER(listener));
-
- LOCK(&listener->lock);
- ISC_LIST_UNLINK(listener->cmgrs, cm, link);
- UNLOCK(&listener->lock);
-}
-
-void
-ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm) {
- REQUIRE(VALID_LWRESLISTENER(listener));
-
- /*
- * This does no locking, since it's called early enough that locking
- * isn't needed.
- */
- ISC_LIST_APPEND(listener->cmgrs, cm, link);
-}
-
-static isc_result_t
-configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd,
- isc_mem_t *mctx, ns_lwreslistenerlist_t *newlisteners)
-{
- ns_lwreslistener_t *listener, *oldlistener = NULL;
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_result_t result;
-
- (void)find_listener(address, &oldlistener);
- listener = NULL;
- result = listener_create(mctx, lwresd, &listener);
- if (result != ISC_R_SUCCESS) {
- isc_sockaddr_format(address, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
- "lwres failed to configure %s: %s",
- socktext, isc_result_totext(result));
- return (result);
- }
-
- /*
- * If there's already a listener, don't rebind the socket.
- */
- if (oldlistener == NULL) {
- result = listener_bind(listener, address);
- if (result != ISC_R_SUCCESS) {
- ns_lwreslistener_detach(&listener);
- return (ISC_R_SUCCESS);
- }
- } else
- listener_copysock(oldlistener, listener);
-
- result = listener_startclients(listener);
- if (result != ISC_R_SUCCESS) {
- isc_sockaddr_format(address, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
- "lwres: failed to start %s: %s", socktext,
- isc_result_totext(result));
- ns_lwreslistener_detach(&listener);
- return (ISC_R_SUCCESS);
- }
-
- if (oldlistener != NULL) {
- /*
- * Remove the old listener from the old list and shut it down.
- */
- ISC_LIST_UNLINK(listeners, oldlistener, link);
- listener_shutdown(oldlistener);
- ns_lwreslistener_detach(&oldlistener);
- } else {
- isc_sockaddr_format(address, socktext, sizeof(socktext));
- isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE,
- "lwres listening on %s", socktext);
- }
-
- ISC_LIST_APPEND(*newlisteners, listener, link);
- return (result);
-}
-
-isc_result_t
-ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config) {
- cfg_obj_t *lwreslist = NULL;
- cfg_obj_t *lwres = NULL;
- cfg_obj_t *listenerslist = NULL;
- cfg_listelt_t *element = NULL;
- ns_lwreslistener_t *listener;
- ns_lwreslistenerlist_t newlisteners;
- isc_result_t result;
- char socktext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t *addrs = NULL;
- ns_lwresd_t *lwresd = NULL;
- isc_uint32_t count = 0;
-
- REQUIRE(mctx != NULL);
- REQUIRE(config != NULL);
-
- RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS);
-
- ISC_LIST_INIT(newlisteners);
-
- result = cfg_map_get(config, "lwres", &lwreslist);
- if (result != ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
-
- LOCK(&listeners_lock);
- /*
- * Run through the new lwres address list, noting sockets that
- * are already being listened on and moving them to the new list.
- *
- * Identifying duplicates addr/port combinations is left to either
- * the underlying config code, or to the bind attempt getting an
- * address-in-use error.
- */
- for (element = cfg_list_first(lwreslist);
- element != NULL;
- element = cfg_list_next(element))
- {
- in_port_t port;
-
- lwres = cfg_listelt_value(element);
- CHECK(ns_lwdmanager_create(mctx, lwres, &lwresd));
-
- port = lwresd_g_listenport;
- if (port == 0)
- port = LWRES_UDP_PORT;
-
- listenerslist = NULL;
- (void)cfg_map_get(lwres, "listen-on", &listenerslist);
- if (listenerslist == NULL) {
- struct in_addr localhost;
- isc_sockaddr_t address;
-
- localhost.s_addr = htonl(INADDR_LOOPBACK);
- isc_sockaddr_fromin(&address, &localhost, port);
- CHECK(configure_listener(&address, lwresd, mctx,
- &newlisteners));
- } else {
- isc_uint32_t i;
-
- CHECK(ns_config_getiplist(config, listenerslist,
- port, mctx, &addrs, &count));
- for (i = 0; i < count; i++)
- CHECK(configure_listener(&addrs[i], lwresd,
- mctx, &newlisteners));
- ns_config_putiplist(mctx, &addrs, count);
- }
- ns_lwdmanager_detach(&lwresd);
- }
-
- /*
- * Shutdown everything on the listeners list, and remove them from
- * the list. Then put all of the new listeners on it.
- */
-
- while (!ISC_LIST_EMPTY(listeners)) {
- listener = ISC_LIST_HEAD(listeners);
- ISC_LIST_UNLINK(listeners, listener, link);
-
- isc_sockaddr_format(&listener->address,
- socktext, sizeof(socktext));
-
- listener_shutdown(listener);
- ns_lwreslistener_detach(&listener);
-
- isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE,
- "lwres no longer listening on %s", socktext);
- }
-
- cleanup:
- ISC_LIST_APPENDLIST(listeners, newlisteners, link);
-
- if (addrs != NULL)
- ns_config_putiplist(mctx, &addrs, count);
-
- if (lwresd != NULL)
- ns_lwdmanager_detach(&lwresd);
-
- UNLOCK(&listeners_lock);
-
- return (result);
-}
-
-void
-ns_lwresd_shutdown(void) {
- ns_lwreslistener_t *listener;
-
- RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS);
-
- while (!ISC_LIST_EMPTY(listeners)) {
- listener = ISC_LIST_HEAD(listeners);
- ISC_LIST_UNLINK(listeners, listener, link);
- ns_lwreslistener_detach(&listener);
- }
-}
diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook
deleted file mode 100644
index c1f500bb8300..000000000000
--- a/contrib/bind9/bin/named/lwresd.docbook
+++ /dev/null
@@ -1,315 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwresd.docbook,v 1.6.208.4 2005/05/13 01:22:33 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>lwresd</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>lwresd</application></refname>
- <refpurpose>lightweight resolver daemon</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>lwresd</command>
- <arg><option>-C <replaceable class="parameter">config-file</replaceable></option></arg>
- <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
- <arg><option>-f</option></arg>
- <arg><option>-g</option></arg>
- <arg><option>-i <replaceable class="parameter">pid-file</replaceable></option></arg>
- <arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
- <arg><option>-P <replaceable class="parameter">port</replaceable></option></arg>
- <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
- <arg><option>-s</option></arg>
- <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
- <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
- <arg><option>-v</option></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>lwresd</command> is the daemon providing name lookup
- services to clients that use the BIND 9 lightweight resolver
- library. It is essentially a stripped-down, caching-only name
- server that answers queries using the BIND 9 lightweight
- resolver protocol rather than the DNS protocol.
- </para>
- <para>
- <command>lwresd</command> listens for resolver queries on a
- UDP port on the IPv4 loopback interface, 127.0.0.1. This
- means that <command>lwresd</command> can only be used by
- processes running on the local machine. By default UDP port
- number 921 is used for lightweight resolver requests and
- responses.
- </para>
- <para>
- Incoming lightweight resolver requests are decoded by the
- server which then resolves them using the DNS protocol. When
- the DNS lookup completes, <command>lwresd</command> encodes
- the answers in the lightweight resolver format and returns
- them to the client that made the request.
- </para>
- <para>
- If <filename>/etc/resolv.conf</filename> contains any
- <option>nameserver</option> entries, <command>lwresd</command>
- sends recursive DNS queries to those servers. This is similar
- to the use of forwarders in a caching name server. If no
- <option>nameserver</option> entries are present, or if
- forwarding fails, <command>lwresd</command> resolves the
- queries autonomously starting at the root name servers, using
- a built-in list of root server hints.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-C <replaceable class="parameter">config-file</replaceable></term>
- <listitem>
- <para>
- Use <replaceable
- class="parameter">config-file</replaceable> as the
- configuration file instead of the default,
- <filename>/etc/resolv.conf</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-d <replaceable class="parameter">debug-level</replaceable></term>
- <listitem>
- <para>
- Set the daemon's debug level to <replaceable
- class="parameter">debug-level</replaceable>.
- Debugging traces from <command>lwresd</command> become
- more verbose as the debug level increases.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-f</term>
- <listitem>
- <para>
- Run the server in the foreground (i.e. do not daemonize).
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-g</term>
- <listitem>
- <para>
- Run the server in the foreground and force all logging
- to <filename>stderr</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-n <replaceable class="parameter">#cpus</replaceable></term>
- <listitem>
- <para>
- Create <replaceable
- class="parameter">#cpus</replaceable> worker threads
- to take advantage of multiple CPUs. If not specified,
- <command>lwresd</command> will try to determine the
- number of CPUs present and create one thread per CPU.
- If it is unable to determine the number of CPUs, a
- single worker thread will be created.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-P <replaceable class="parameter">port</replaceable></term>
- <listitem>
- <para>
- Listen for lightweight resolver queries on port
- <replaceable class="parameter">port</replaceable>. If
- not specified, the default is port 921.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p <replaceable class="parameter">port</replaceable></term>
- <listitem>
- <para>
- Send DNS lookups to port <replaceable
- class="parameter">port</replaceable>. If not
- specified, the default is port 53. This provides a
- way of testing the lightweight resolver daemon with a
- name server that listens for queries on a non-standard
- port number.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s</term>
- <listitem>
- <para>
- Write memory usage statistics to <filename>stdout</filename>
- on exit.
- </para>
- <note>
- <para>
- This option is mainly of interest to BIND 9 developers
- and may be removed or changed in a future release.
- </para>
- </note>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-t <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- <function>chroot()</function> to <replaceable
- class="parameter">directory</replaceable> after
- processing the command line arguments, but before
- reading the configuration file.
- </para>
- <warning>
- <para>
- This option should be used in conjunction with the
- <option>-u</option> option, as chrooting a process
- running as root doesn't enhance security on most
- systems; the way <function>chroot()</function> is
- defined allows a process with root privileges to
- escape a chroot jail.
- </para>
- </warning>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-u <replaceable class="parameter">user</replaceable></term>
- <listitem>
- <para>
- <function>setuid()</function> to <replaceable
- class="parameter">user</replaceable> after completing
- privileged operations, such as creating sockets that
- listen on privileged ports.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v</term>
- <listitem>
- <para>
- Report the version number and exit.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </refsect1>
-
- <refsect1>
- <title>FILES</title>
-
- <variablelist>
-
- <varlistentry>
- <term><filename>/etc/resolv.conf</filename></term>
- <listitem>
- <para>
- The default configuration file.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><filename>/var/run/lwresd.pid</filename></term>
- <listitem>
- <para>
- The default process-id file.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>named</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>lwres</refentrytitle>
- <manvolnum>3</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>resolver</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html
deleted file mode 100644
index 439153aa826a..000000000000
--- a/contrib/bind9/bin/named/lwresd.html
+++ /dev/null
@@ -1,189 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwresd.html,v 1.4.2.1.4.8 2005/10/13 02:33:47 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwresd</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">lwresd</span> &#8212; lightweight resolver daemon</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">lwresd</code> [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525920"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">lwresd</strong></span> is the daemon providing name lookup
- services to clients that use the BIND 9 lightweight resolver
- library. It is essentially a stripped-down, caching-only name
- server that answers queries using the BIND 9 lightweight
- resolver protocol rather than the DNS protocol.
- </p>
-<p>
- <span><strong class="command">lwresd</strong></span> listens for resolver queries on a
- UDP port on the IPv4 loopback interface, 127.0.0.1. This
- means that <span><strong class="command">lwresd</strong></span> can only be used by
- processes running on the local machine. By default UDP port
- number 921 is used for lightweight resolver requests and
- responses.
- </p>
-<p>
- Incoming lightweight resolver requests are decoded by the
- server which then resolves them using the DNS protocol. When
- the DNS lookup completes, <span><strong class="command">lwresd</strong></span> encodes
- the answers in the lightweight resolver format and returns
- them to the client that made the request.
- </p>
-<p>
- If <code class="filename">/etc/resolv.conf</code> contains any
- <code class="option">nameserver</code> entries, <span><strong class="command">lwresd</strong></span>
- sends recursive DNS queries to those servers. This is similar
- to the use of forwarders in a caching name server. If no
- <code class="option">nameserver</code> entries are present, or if
- forwarding fails, <span><strong class="command">lwresd</strong></span> resolves the
- queries autonomously starting at the root name servers, using
- a built-in list of root server hints.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525969"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-C <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
- Use <em class="replaceable"><code>config-file</code></em> as the
- configuration file instead of the default,
- <code class="filename">/etc/resolv.conf</code>.
- </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd><p>
- Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
- Debugging traces from <span><strong class="command">lwresd</strong></span> become
- more verbose as the debug level increases.
- </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
- Run the server in the foreground (i.e. do not daemonize).
- </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
- Run the server in the foreground and force all logging
- to <code class="filename">stderr</code>.
- </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd><p>
- Create <em class="replaceable"><code>#cpus</code></em> worker threads
- to take advantage of multiple CPUs. If not specified,
- <span><strong class="command">lwresd</strong></span> will try to determine the
- number of CPUs present and create one thread per CPU.
- If it is unable to determine the number of CPUs, a
- single worker thread will be created.
- </p></dd>
-<dt><span class="term">-P <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
- Listen for lightweight resolver queries on port
- <em class="replaceable"><code>port</code></em>. If
- not specified, the default is port 921.
- </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
- Send DNS lookups to port <em class="replaceable"><code>port</code></em>. If not
- specified, the default is port 53. This provides a
- way of testing the lightweight resolver daemon with a
- name server that listens for queries on a non-standard
- port number.
- </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-<p>
- Write memory usage statistics to <code class="filename">stdout</code>
- on exit.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- This option is mainly of interest to BIND 9 developers
- and may be removed or changed in a future release.
- </p>
-</div>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-<p>
- <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after
- processing the command line arguments, but before
- reading the configuration file.
- </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
- This option should be used in conjunction with the
- <code class="option">-u</code> option, as chrooting a process
- running as root doesn't enhance security on most
- systems; the way <code class="function">chroot()</code> is
- defined allows a process with root privileges to
- escape a chroot jail.
- </p>
-</div>
-</dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
- <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing
- privileged operations, such as creating sockets that
- listen on privileged ports.
- </p></dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
- Report the version number and exit.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526237"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
-<dd><p>
- The default configuration file.
- </p></dd>
-<dt><span class="term"><code class="filename">/var/run/lwresd.pid</code></span></dt>
-<dd><p>
- The default process-id file.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526277"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
- <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526315"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/named/lwsearch.c b/contrib/bind9/bin/named/lwsearch.c
deleted file mode 100644
index 8b9ea526f1e5..000000000000
--- a/contrib/bind9/bin/named/lwsearch.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwsearch.c,v 1.7.208.1 2004/03/06 10:21:20 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-
-#include <named/lwsearch.h>
-#include <named/types.h>
-
-#define LWSEARCHLIST_MAGIC ISC_MAGIC('L', 'W', 'S', 'L')
-#define VALID_LWSEARCHLIST(l) ISC_MAGIC_VALID(l, LWSEARCHLIST_MAGIC)
-
-isc_result_t
-ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) {
- ns_lwsearchlist_t *list;
-
- REQUIRE(mctx != NULL);
- REQUIRE(listp != NULL && *listp == NULL);
-
- list = isc_mem_get(mctx, sizeof(ns_lwsearchlist_t));
- if (list == NULL)
- return (ISC_R_NOMEMORY);
-
- RUNTIME_CHECK(isc_mutex_init(&list->lock) == ISC_R_SUCCESS);
- list->mctx = NULL;
- isc_mem_attach(mctx, &list->mctx);
- list->refs = 1;
- ISC_LIST_INIT(list->names);
- list->magic = LWSEARCHLIST_MAGIC;
-
- *listp = list;
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target) {
- REQUIRE(VALID_LWSEARCHLIST(source));
- REQUIRE(target != NULL && *target == NULL);
-
- LOCK(&source->lock);
- INSIST(source->refs > 0);
- source->refs++;
- INSIST(source->refs != 0);
- UNLOCK(&source->lock);
-
- *target = source;
-}
-
-void
-ns_lwsearchlist_detach(ns_lwsearchlist_t **listp) {
- ns_lwsearchlist_t *list;
- isc_mem_t *mctx;
-
- REQUIRE(listp != NULL);
- list = *listp;
- REQUIRE(VALID_LWSEARCHLIST(list));
-
- LOCK(&list->lock);
- INSIST(list->refs > 0);
- list->refs--;
- UNLOCK(&list->lock);
-
- *listp = NULL;
- if (list->refs != 0)
- return;
-
- mctx = list->mctx;
- while (!ISC_LIST_EMPTY(list->names)) {
- dns_name_t *name = ISC_LIST_HEAD(list->names);
- ISC_LIST_UNLINK(list->names, name, link);
- dns_name_free(name, list->mctx);
- isc_mem_put(list->mctx, name, sizeof(dns_name_t));
- }
- list->magic = 0;
- isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t));
- isc_mem_detach(&mctx);
-}
-
-isc_result_t
-ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name) {
- dns_name_t *newname;
- isc_result_t result;
-
- REQUIRE(VALID_LWSEARCHLIST(list));
- REQUIRE(name != NULL);
-
- newname = isc_mem_get(list->mctx, sizeof(dns_name_t));
- if (newname == NULL)
- return (ISC_R_NOMEMORY);
- dns_name_init(newname, NULL);
- result = dns_name_dup(name, list->mctx, newname);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(list->mctx, newname, sizeof(dns_name_t));
- return (result);
- }
- ISC_LINK_INIT(newname, link);
- ISC_LIST_APPEND(list->names, newname, link);
- return (ISC_R_SUCCESS);
-}
-
-void
-ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
- dns_name_t *name, unsigned int ndots)
-{
- INSIST(sctx != NULL);
- sctx->relname = name;
- sctx->searchname = NULL;
- sctx->doneexact = ISC_FALSE;
- sctx->exactfirst = ISC_FALSE;
- sctx->ndots = ndots;
- if (dns_name_isabsolute(name) || list == NULL) {
- sctx->list = NULL;
- return;
- }
- sctx->list = list;
- sctx->searchname = ISC_LIST_HEAD(sctx->list->names);
- if (dns_name_countlabels(name) > ndots)
- sctx->exactfirst = ISC_TRUE;
-}
-
-void
-ns_lwsearchctx_first(ns_lwsearchctx_t *sctx) {
- REQUIRE(sctx != NULL);
- UNUSED(sctx);
-}
-
-isc_result_t
-ns_lwsearchctx_next(ns_lwsearchctx_t *sctx) {
- REQUIRE(sctx != NULL);
-
- if (sctx->list == NULL)
- return (ISC_R_NOMORE);
-
- if (sctx->searchname == NULL) {
- INSIST (!sctx->exactfirst || sctx->doneexact);
- if (sctx->exactfirst || sctx->doneexact)
- return (ISC_R_NOMORE);
- sctx->doneexact = ISC_TRUE;
- } else {
- if (sctx->exactfirst && !sctx->doneexact)
- sctx->doneexact = ISC_TRUE;
- else {
- sctx->searchname = ISC_LIST_NEXT(sctx->searchname,
- link);
- if (sctx->searchname == NULL && sctx->doneexact)
- return (ISC_R_NOMORE);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname) {
- dns_name_t *tname;
- isc_boolean_t useexact = ISC_FALSE;
-
- REQUIRE(sctx != NULL);
-
- if (sctx->list == NULL ||
- sctx->searchname == NULL ||
- (sctx->exactfirst && !sctx->doneexact))
- useexact = ISC_TRUE;
-
- if (useexact) {
- if (dns_name_isabsolute(sctx->relname))
- tname = NULL;
- else
- tname = dns_rootname;
- } else
- tname = sctx->searchname;
-
- return (dns_name_concatenate(sctx->relname, tname, absname, NULL));
-}
diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c
deleted file mode 100644
index c155291d6ca6..000000000000
--- a/contrib/bind9/bin/named/main.c
+++ /dev/null
@@ -1,895 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: main.c,v 1.119.2.3.2.22 2005/04/29 01:04:47 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/app.h>
-#include <isc/commandline.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/os.h>
-#include <isc/platform.h>
-#include <isc/resource.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <isccc/result.h>
-
-#include <dns/dispatch.h>
-#include <dns/name.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-#include <dst/result.h>
-
-/*
- * Defining NS_MAIN provides storage declarations (rather than extern)
- * for variables in named/globals.h.
- */
-#define NS_MAIN 1
-
-#include <named/builtin.h>
-#include <named/control.h>
-#include <named/globals.h> /* Explicit, though named/log.h includes it. */
-#include <named/interfacemgr.h>
-#include <named/log.h>
-#include <named/os.h>
-#include <named/server.h>
-#include <named/lwresd.h>
-#include <named/main.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
-
-/*
- * Include header files for database drivers here.
- */
-/* #include "xxdb.h" */
-
-static isc_boolean_t want_stats = ISC_FALSE;
-static char program_name[ISC_DIR_NAMEMAX] = "named";
-static char absolute_conffile[ISC_DIR_PATHMAX];
-static char saved_command_line[512];
-static char version[512];
-
-void
-ns_main_earlywarning(const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- if (ns_g_lctx != NULL) {
- isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_WARNING,
- format, args);
- } else {
- fprintf(stderr, "%s: ", program_name);
- vfprintf(stderr, format, args);
- fprintf(stderr, "\n");
- fflush(stderr);
- }
- va_end(args);
-}
-
-void
-ns_main_earlyfatal(const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- if (ns_g_lctx != NULL) {
- isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- format, args);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- "exiting (due to early fatal error)");
- } else {
- fprintf(stderr, "%s: ", program_name);
- vfprintf(stderr, format, args);
- fprintf(stderr, "\n");
- fflush(stderr);
- }
- va_end(args);
-
- exit(1);
-}
-
-static void
-assertion_failed(const char *file, int line, isc_assertiontype_t type,
- const char *cond)
-{
- /*
- * Handle assertion failures.
- */
-
- if (ns_g_lctx != NULL) {
- /*
- * Reset the assetion callback in case it is the log
- * routines causing the assertion.
- */
- isc_assertion_setcallback(NULL);
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- "%s:%d: %s(%s) failed", file, line,
- isc_assertion_typetotext(type), cond);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- "exiting (due to assertion failure)");
- } else {
- fprintf(stderr, "%s:%d: %s(%s) failed\n",
- file, line, isc_assertion_typetotext(type), cond);
- fflush(stderr);
- }
-
- if (ns_g_coreok)
- abort();
- exit(1);
-}
-
-static void
-library_fatal_error(const char *file, int line, const char *format,
- va_list args) ISC_FORMAT_PRINTF(3, 0);
-
-static void
-library_fatal_error(const char *file, int line, const char *format,
- va_list args)
-{
- /*
- * Handle isc_error_fatal() calls from our libraries.
- */
-
- if (ns_g_lctx != NULL) {
- /*
- * Reset the error callback in case it is the log
- * routines causing the assertion.
- */
- isc_error_setfatal(NULL);
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- "%s:%d: fatal error:", file, line);
- isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- format, args);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
- "exiting (due to fatal error in library)");
- } else {
- fprintf(stderr, "%s:%d: fatal error: ", file, line);
- vfprintf(stderr, format, args);
- fprintf(stderr, "\n");
- fflush(stderr);
- }
-
- if (ns_g_coreok)
- abort();
- exit(1);
-}
-
-static void
-library_unexpected_error(const char *file, int line, const char *format,
- va_list args) ISC_FORMAT_PRINTF(3, 0);
-
-static void
-library_unexpected_error(const char *file, int line, const char *format,
- va_list args)
-{
- /*
- * Handle isc_error_unexpected() calls from our libraries.
- */
-
- if (ns_g_lctx != NULL) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
- "%s:%d: unexpected error:", file, line);
- isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
- format, args);
- } else {
- fprintf(stderr, "%s:%d: fatal error: ", file, line);
- vfprintf(stderr, format, args);
- fprintf(stderr, "\n");
- fflush(stderr);
- }
-}
-
-static void
-lwresd_usage(void) {
- fprintf(stderr,
- "usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] "
- "[-d debuglevel]\n"
- " [-f|-g] [-n number_of_cpus] [-p port] "
- "[-P listen-port] [-s]\n"
- " [-t chrootdir] [-u username] [-i pidfile]\n"
- " [-m {usage|trace|record}]\n");
-}
-
-static void
-usage(void) {
- if (ns_g_lwresdonly) {
- lwresd_usage();
- return;
- }
- fprintf(stderr,
- "usage: named [-4|-6] [-c conffile] [-d debuglevel] "
- "[-f|-g] [-n number_of_cpus]\n"
- " [-p port] [-s] [-t chrootdir] [-u username]\n"
- " [-m {usage|trace|record}]\n");
-}
-
-static void
-save_command_line(int argc, char *argv[]) {
- int i;
- char *src;
- char *dst;
- char *eob;
- const char truncated[] = "...";
- isc_boolean_t quoted = ISC_FALSE;
-
- dst = saved_command_line;
- eob = saved_command_line + sizeof(saved_command_line);
-
- for (i = 1; i < argc && dst < eob; i++) {
- *dst++ = ' ';
-
- src = argv[i];
- while (*src != '\0' && dst < eob) {
- /*
- * This won't perfectly produce a shell-independent
- * pastable command line in all circumstances, but
- * comes close, and for practical purposes will
- * nearly always be fine.
- */
- if (quoted || isalnum(*src & 0xff) ||
- *src == '-' || *src == '_' ||
- *src == '.' || *src == '/') {
- *dst++ = *src++;
- quoted = ISC_FALSE;
- } else {
- *dst++ = '\\';
- quoted = ISC_TRUE;
- }
- }
- }
-
- INSIST(sizeof(saved_command_line) >= sizeof(truncated));
-
- if (dst == eob)
- strcpy(eob - sizeof(truncated), truncated);
- else
- *dst = '\0';
-}
-
-static int
-parse_int(char *arg, const char *desc) {
- char *endp;
- int tmp;
- long int ltmp;
-
- ltmp = strtol(arg, &endp, 10);
- tmp = (int) ltmp;
- if (*endp != '\0')
- ns_main_earlyfatal("%s '%s' must be numeric", desc, arg);
- if (tmp < 0 || tmp != ltmp)
- ns_main_earlyfatal("%s '%s' out of range", desc, arg);
- return (tmp);
-}
-
-static struct flag_def {
- const char *name;
- unsigned int value;
-} mem_debug_flags[] = {
- { "trace", ISC_MEM_DEBUGTRACE },
- { "record", ISC_MEM_DEBUGRECORD },
- { "usage", ISC_MEM_DEBUGUSAGE },
- { NULL, 0 }
-};
-
-static void
-set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
- for (;;) {
- const struct flag_def *def;
- const char *end = strchr(arg, ',');
- int arglen;
- if (end == NULL)
- end = arg + strlen(arg);
- arglen = end - arg;
- for (def = defs; def->name != NULL; def++) {
- if (arglen == (int)strlen(def->name) &&
- memcmp(arg, def->name, arglen) == 0) {
- *ret |= def->value;
- goto found;
- }
- }
- ns_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg);
- found:
- if (*end == '\0')
- break;
- arg = end + 1;
- }
-}
-
-static void
-parse_command_line(int argc, char *argv[]) {
- int ch;
- int port;
- isc_boolean_t disable6 = ISC_FALSE;
- isc_boolean_t disable4 = ISC_FALSE;
-
- save_command_line(argc, argv);
-
- isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv,
- "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:")) != -1) {
- switch (ch) {
- case '4':
- if (disable4)
- ns_main_earlyfatal("cannot specify -4 and -6");
- if (isc_net_probeipv4() != ISC_R_SUCCESS)
- ns_main_earlyfatal("IPv4 not supported by OS");
- isc_net_disableipv6();
- disable6 = ISC_TRUE;
- break;
- case '6':
- if (disable6)
- ns_main_earlyfatal("cannot specify -4 and -6");
- if (isc_net_probeipv6() != ISC_R_SUCCESS)
- ns_main_earlyfatal("IPv6 not supported by OS");
- isc_net_disableipv4();
- disable4 = ISC_TRUE;
- break;
- case 'c':
- ns_g_conffile = isc_commandline_argument;
- lwresd_g_conffile = isc_commandline_argument;
- if (lwresd_g_useresolvconf)
- ns_main_earlyfatal("cannot specify -c and -C");
- ns_g_conffileset = ISC_TRUE;
- break;
- case 'C':
- lwresd_g_resolvconffile = isc_commandline_argument;
- if (ns_g_conffileset)
- ns_main_earlyfatal("cannot specify -c and -C");
- lwresd_g_useresolvconf = ISC_TRUE;
- break;
- case 'd':
- ns_g_debuglevel = parse_int(isc_commandline_argument,
- "debug level");
- break;
- case 'f':
- ns_g_foreground = ISC_TRUE;
- break;
- case 'g':
- ns_g_foreground = ISC_TRUE;
- ns_g_logstderr = ISC_TRUE;
- break;
- /* XXXBEW -i should be removed */
- case 'i':
- lwresd_g_defaultpidfile = isc_commandline_argument;
- break;
- case 'l':
- ns_g_lwresdonly = ISC_TRUE;
- break;
- case 'm':
- set_flags(isc_commandline_argument, mem_debug_flags,
- &isc_mem_debugging);
- break;
- case 'N': /* Deprecated. */
- case 'n':
- ns_g_cpus = parse_int(isc_commandline_argument,
- "number of cpus");
- if (ns_g_cpus == 0)
- ns_g_cpus = 1;
- break;
- case 'p':
- port = parse_int(isc_commandline_argument, "port");
- if (port < 1 || port > 65535)
- ns_main_earlyfatal("port '%s' out of range",
- isc_commandline_argument);
- ns_g_port = port;
- break;
- /* XXXBEW Should -P be removed? */
- case 'P':
- port = parse_int(isc_commandline_argument, "port");
- if (port < 1 || port > 65535)
- ns_main_earlyfatal("port '%s' out of range",
- isc_commandline_argument);
- lwresd_g_listenport = port;
- break;
- case 's':
- /* XXXRTH temporary syntax */
- want_stats = ISC_TRUE;
- break;
- case 't':
- /* XXXJAB should we make a copy? */
- ns_g_chrootdir = isc_commandline_argument;
- break;
- case 'u':
- ns_g_username = isc_commandline_argument;
- break;
- case 'v':
- printf("BIND %s\n", ns_g_version);
- exit(0);
- case '?':
- usage();
- ns_main_earlyfatal("unknown option '-%c'",
- isc_commandline_option);
- default:
- ns_main_earlyfatal("parsing options returned %d", ch);
- }
- }
-
- argc -= isc_commandline_index;
- argv += isc_commandline_index;
-
- if (argc > 0) {
- usage();
- ns_main_earlyfatal("extra command line arguments");
- }
-}
-
-static isc_result_t
-create_managers(void) {
- isc_result_t result;
-#ifdef ISC_PLATFORM_USETHREADS
- unsigned int cpus_detected;
-#endif
-
-#ifdef ISC_PLATFORM_USETHREADS
- cpus_detected = isc_os_ncpus();
- if (ns_g_cpus == 0)
- ns_g_cpus = cpus_detected;
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s",
- cpus_detected, cpus_detected == 1 ? "" : "s",
- ns_g_cpus, ns_g_cpus == 1 ? "" : "s");
-#else
- ns_g_cpus = 1;
-#endif
- result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "ns_taskmgr_create() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- result = isc_timermgr_create(ns_g_mctx, &ns_g_timermgr);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "ns_timermgr_create() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- result = isc_socketmgr_create(ns_g_mctx, &ns_g_socketmgr);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_socketmgr_create() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- result = isc_entropy_create(ns_g_mctx, &ns_g_entropy);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_entropy_create() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- result = isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_hash_create() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-destroy_managers(void) {
- ns_lwresd_shutdown();
-
- isc_entropy_detach(&ns_g_entropy);
- if (ns_g_fallbackentropy != NULL)
- isc_entropy_detach(&ns_g_fallbackentropy);
-
- /*
- * isc_taskmgr_destroy() will block until all tasks have exited,
- */
- isc_taskmgr_destroy(&ns_g_taskmgr);
- isc_timermgr_destroy(&ns_g_timermgr);
- isc_socketmgr_destroy(&ns_g_socketmgr);
-
- /*
- * isc_hash_destroy() cannot be called as long as a resolver may be
- * running. Calling this after isc_taskmgr_destroy() ensures the
- * call is safe.
- */
- isc_hash_destroy();
-}
-
-static void
-setup(void) {
- isc_result_t result;
-#ifdef HAVE_LIBSCF
- char *instance = NULL;
-#endif
-
- /*
- * Get the user and group information before changing the root
- * directory, so the administrator does not need to keep a copy
- * of the user and group databases in the chroot'ed environment.
- */
- ns_os_inituserinfo(ns_g_username);
-
- /*
- * Initialize time conversion information
- */
- ns_os_tzset();
-
- ns_os_opendevnull();
-
-#ifdef HAVE_LIBSCF
- /* Check if named is under smf control, before chroot. */
- result = ns_smf_get_instance(&instance, 0, ns_g_mctx);
- /* We don't care about instance, just check if we got one. */
- if (result == ISC_R_SUCCESS)
- ns_smf_got_instance = 1;
- else
- ns_smf_got_instance = 0;
- if (instance != NULL)
- isc_mem_free(ns_g_mctx, instance);
-#endif /* HAVE_LIBSCF */
-
-#ifdef PATH_RANDOMDEV
- /*
- * Initialize system's random device as fallback entropy source
- * if running chroot'ed.
- */
- if (ns_g_chrootdir != NULL) {
- result = isc_entropy_create(ns_g_mctx, &ns_g_fallbackentropy);
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("isc_entropy_create() failed: %s",
- isc_result_totext(result));
-
- result = isc_entropy_createfilesource(ns_g_fallbackentropy,
- PATH_RANDOMDEV);
- if (result != ISC_R_SUCCESS) {
- ns_main_earlywarning("could not open pre-chroot "
- "entropy source %s: %s",
- PATH_RANDOMDEV,
- isc_result_totext(result));
- isc_entropy_detach(&ns_g_fallbackentropy);
- }
- }
-#endif
-
- ns_os_chroot(ns_g_chrootdir);
-
- /*
- * For operating systems which have a capability mechanism, now
- * is the time to switch to minimal privs and change our user id.
- * On traditional UNIX systems, this call will be a no-op, and we
- * will change the user ID after reading the config file the first
- * time. (We need to read the config file to know which possibly
- * privileged ports to bind() to.)
- */
- ns_os_minprivs();
-
- result = ns_log_init(ISC_TF(ns_g_username != NULL));
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("ns_log_init() failed: %s",
- isc_result_totext(result));
-
- /*
- * Now is the time to daemonize (if we're not running in the
- * foreground). We waited until now because we wanted to get
- * a valid logging context setup. We cannot daemonize any later,
- * because calling create_managers() will create threads, which
- * would be lost after fork().
- */
- if (!ns_g_foreground)
- ns_os_daemonize();
-
- /*
- * We call isc_app_start() here as some versions of FreeBSD's fork()
- * destroys all the signal handling it sets up.
- */
- result = isc_app_start();
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("isc_app_start() failed: %s",
- isc_result_totext(result));
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
- ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
- saved_command_line);
-
- /*
- * Get the initial resource limits.
- */
- (void)isc_resource_getlimit(isc_resource_stacksize,
- &ns_g_initstacksize);
- (void)isc_resource_getlimit(isc_resource_datasize,
- &ns_g_initdatasize);
- (void)isc_resource_getlimit(isc_resource_coresize,
- &ns_g_initcoresize);
- (void)isc_resource_getlimit(isc_resource_openfiles,
- &ns_g_initopenfiles);
-
- /*
- * If the named configuration filename is relative, prepend the current
- * directory's name before possibly changing to another directory.
- */
- if (! isc_file_isabsolute(ns_g_conffile)) {
- result = isc_file_absolutepath(ns_g_conffile,
- absolute_conffile,
- sizeof(absolute_conffile));
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("could not construct absolute path of "
- "configuration file: %s",
- isc_result_totext(result));
- ns_g_conffile = absolute_conffile;
- }
-
- result = create_managers();
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("create_managers() failed: %s",
- isc_result_totext(result));
-
- ns_builtin_init();
-
- /*
- * Add calls to register sdb drivers here.
- */
- /* xxdb_init(); */
-
- ns_server_create(ns_g_mctx, &ns_g_server);
-}
-
-static void
-cleanup(void) {
- destroy_managers();
-
- ns_server_destroy(&ns_g_server);
-
- ns_builtin_deinit();
-
- /*
- * Add calls to unregister sdb drivers here.
- */
- /* xxdb_clear(); */
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
- ISC_LOG_NOTICE, "exiting");
- ns_log_shutdown();
-}
-
-static char *memstats = NULL;
-
-void
-ns_main_setmemstats(const char *filename) {
- /*
- * Caller has to ensure locking.
- */
-
- if (memstats != NULL) {
- free(memstats);
- memstats = NULL;
- }
- if (filename == NULL)
- return;
- memstats = malloc(strlen(filename) + 1);
- if (memstats)
- strcpy(memstats, filename);
-}
-
-#ifdef HAVE_LIBSCF
-/*
- * Get FMRI for the named process.
- */
-isc_result_t
-ns_smf_get_instance(char **ins_name, int debug, isc_mem_t *mctx) {
- scf_handle_t *h = NULL;
- int namelen;
- char *instance;
-
- REQUIRE(ins_name != NULL && *ins_name == NULL);
-
- if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_handle_create() failed: %s",
- scf_strerror(scf_error()));
- return (ISC_R_FAILURE);
- }
-
- if (scf_handle_bind(h) == -1) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_handle_bind() failed: %s",
- scf_strerror(scf_error()));
- scf_handle_destroy(h);
- return (ISC_R_FAILURE);
- }
-
- if ((namelen = scf_myname(h, NULL, 0)) == -1) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_myname() failed: %s",
- scf_strerror(scf_error()));
- scf_handle_destroy(h);
- return (ISC_R_FAILURE);
- }
-
- if ((instance = isc_mem_allocate(mctx, namelen + 1)) == NULL) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "ns_smf_get_instance memory "
- "allocation failed: %s",
- isc_result_totext(ISC_R_NOMEMORY));
- scf_handle_destroy(h);
- return (ISC_R_FAILURE);
- }
-
- if (scf_myname(h, instance, namelen + 1) == -1) {
- if (debug)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "scf_myname() failed: %s",
- scf_strerror(scf_error()));
- scf_handle_destroy(h);
- isc_mem_free(mctx, instance);
- return (ISC_R_FAILURE);
- }
-
- scf_handle_destroy(h);
- *ins_name = instance;
- return (ISC_R_SUCCESS);
-}
-#endif /* HAVE_LIBSCF */
-
-int
-main(int argc, char *argv[]) {
- isc_result_t result;
-#ifdef HAVE_LIBSCF
- char *instance = NULL;
-#endif
-
- /*
- * Record version in core image.
- * strings named.core | grep "named version:"
- */
- strlcat(version,
-#ifdef __DATE__
- "named version: BIND " VERSION " (" __DATE__ ")",
-#else
- "named version: BIND " VERSION,
-#endif
- sizeof(version));
- result = isc_file_progname(*argv, program_name, sizeof(program_name));
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("program name too long");
-
- if (strcmp(program_name, "lwresd") == 0)
- ns_g_lwresdonly = ISC_TRUE;
-
- isc_assertion_setcallback(assertion_failed);
- isc_error_setfatal(library_fatal_error);
- isc_error_setunexpected(library_unexpected_error);
-
- ns_os_init(program_name);
-
- dns_result_register();
- dst_result_register();
- isccc_result_register();
-
- parse_command_line(argc, argv);
-
- /*
- * Warn about common configuration error.
- */
- if (ns_g_chrootdir != NULL) {
- int len = strlen(ns_g_chrootdir);
- if (strncmp(ns_g_chrootdir, ns_g_conffile, len) == 0 &&
- (ns_g_conffile[len] == '/' || ns_g_conffile[len] == '\\'))
- ns_main_earlywarning("config filename (-c %s) contains "
- "chroot path (-t %s)",
- ns_g_conffile, ns_g_chrootdir);
- }
-
- result = isc_mem_create(0, 0, &ns_g_mctx);
- if (result != ISC_R_SUCCESS)
- ns_main_earlyfatal("isc_mem_create() failed: %s",
- isc_result_totext(result));
-
- setup();
-
- /*
- * Start things running and then wait for a shutdown request
- * or reload.
- */
- do {
- result = isc_app_run();
-
- if (result == ISC_R_RELOAD) {
- ns_server_reloadwanted(ns_g_server);
- } else if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_run(): %s",
- isc_result_totext(result));
- /*
- * Force exit.
- */
- result = ISC_R_SUCCESS;
- }
- } while (result != ISC_R_SUCCESS);
-
-#ifdef HAVE_LIBSCF
- if (ns_smf_want_disable == 1) {
- result = ns_smf_get_instance(&instance, 1, ns_g_mctx);
- if (result == ISC_R_SUCCESS && instance != NULL) {
- if (smf_disable_instance(instance, 0) != 0)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "smf_disable_instance() ",
- "failed for %s : %s",
- instance,
- scf_strerror(scf_error()));
- }
- if (instance != NULL)
- isc_mem_free(ns_g_mctx, instance);
- }
-#endif /* HAVE_LIBSCF */
-
- cleanup();
-
- if (want_stats) {
- isc_mem_stats(ns_g_mctx, stdout);
- isc_mutex_stats(stdout);
- }
- if (memstats != NULL) {
- FILE *fp = NULL;
- result = isc_stdio_open(memstats, "w", &fp);
- if (result == ISC_R_SUCCESS) {
- isc_mem_stats(ns_g_mctx, fp);
- isc_mutex_stats(fp);
- isc_stdio_close(fp);
- }
- }
- isc_mem_destroy(&ns_g_mctx);
-
- ns_main_setmemstats(NULL);
-
- isc_app_finish();
-
- ns_os_closedevnull();
-
- ns_os_shutdown();
-
- return (0);
-}
diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8
deleted file mode 100644
index e072c169be3e..000000000000
--- a/contrib/bind9/bin/named/named.8
+++ /dev/null
@@ -1,182 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: named.8,v 1.17.208.6 2005/10/13 02:33:46 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NAMED" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named \- Internet domain name server
-.SH "SYNOPSIS"
-.HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
-.SH "DESCRIPTION"
-.PP
-\fBnamed\fR
-is a Domain Name System (DNS) server, part of the BIND 9 distribution from ISC. For more information on the DNS, see RFCs 1033, 1034, and 1035.
-.PP
-When invoked without arguments,
-\fBnamed\fR
-will read the default configuration file
-\fI/etc/named.conf\fR, read any initial data, and listen for queries.
-.SH "OPTIONS"
-.TP
-\-4
-Use IPv4 only even if the host machine is capable of IPv6.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.TP
-\-6
-Use IPv6 only even if the host machine is capable of IPv4.
-\fB\-4\fR
-and
-\fB\-6\fR
-are mutually exclusive.
-.TP
-\-c \fIconfig\-file\fR
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/named.conf\fR. To ensure that reloading the configuration file continues to work after the server has changed its working directory due to to a possible
-\fBdirectory\fR
-option in the configuration file,
-\fIconfig\-file\fR
-should be an absolute pathname.
-.TP
-\-d \fIdebug\-level\fR
-Set the daemon's debug level to
-\fIdebug\-level\fR. Debugging traces from
-\fBnamed\fR
-become more verbose as the debug level increases.
-.TP
-\-f
-Run the server in the foreground (i.e. do not daemonize).
-.TP
-\-g
-Run the server in the foreground and force all logging to
-\fIstderr\fR.
-.TP
-\-n \fI#cpus\fR
-Create
-\fI#cpus\fR
-worker threads to take advantage of multiple CPUs. If not specified,
-\fBnamed\fR
-will try to determine the number of CPUs present and create one thread per CPU. If it is unable to determine the number of CPUs, a single worker thread will be created.
-.TP
-\-p \fIport\fR
-Listen for queries on port
-\fIport\fR. If not specified, the default is port 53.
-.TP
-\-s
-Write memory usage statistics to
-\fIstdout\fR
-on exit.
-.RS
-.B "Note:"
-This option is mainly of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.TP
-\-t \fIdirectory\fR
-\fBchroot()\fR
-to
-\fIdirectory\fR
-after processing the command line arguments, but before reading the configuration file.
-.RS
-.B "Warning:"
-This option should be used in conjunction with the
-\fB\-u\fR
-option, as chrooting a process running as root doesn't enhance security on most systems; the way
-\fBchroot()\fR
-is defined allows a process with root privileges to escape a chroot jail.
-.RE
-.TP
-\-u \fIuser\fR
-\fBsetuid()\fR
-to
-\fIuser\fR
-after completing privileged operations, such as creating sockets that listen on privileged ports.
-.RS
-.B "Note:"
-On Linux,
-\fBnamed\fR
-uses the kernel's capability mechanism to drop all root privileges except the ability to
-\fBbind()\fR
-to a privileged port and set process resource limits. Unfortunately, this means that the
-\fB\-u\fR
-option only works when
-\fBnamed\fR
-is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previous kernels did not allow privileges to be retained after
-\fBsetuid()\fR.
-.RE
-.TP
-\-v
-Report the version number and exit.
-.TP
-\-x \fIcache\-file\fR
-Load data from
-\fIcache\-file\fR
-into the cache of the default view.
-.RS
-.B "Warning:"
-This option must not be used. It is only of interest to BIND 9 developers and may be removed or changed in a future release.
-.RE
-.SH "SIGNALS"
-.PP
-In routine operation, signals should not be used to control the nameserver;
-\fBrndc\fR
-should be used instead.
-.TP
-SIGHUP
-Force a reload of the server.
-.TP
-SIGINT, SIGTERM
-Shut down the server.
-.PP
-The result of sending any other signals to the server is undefined.
-.SH "CONFIGURATION"
-.PP
-The
-\fBnamed\fR
-configuration file is too complex to describe in detail here. A complete description is provided in the
-BIND 9 Administrator Reference Manual.
-.SH "FILES"
-.TP
-\fI/etc/named.conf\fR
-The default configuration file.
-.TP
-\fI/var/run/named.pid\fR
-The default process\-id file.
-.SH "SEE ALSO"
-.PP
-RFC 1033,
-RFC 1034,
-RFC 1035,
-\fBrndc\fR(8),
-\fBlwresd\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5
deleted file mode 100644
index d0b690b1b5a0..000000000000
--- a/contrib/bind9/bin/named/named.conf.5
+++ /dev/null
@@ -1,438 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: named.conf.5,v 1.1.4.6 2005/10/13 02:33:47 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FINAMED.CONF\\FR" "5" "Aug 13, 2004" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-named.conf \- configuration file for named
-.SH "SYNOPSIS"
-.HP 11
-\fBnamed.conf\fR
-.SH "DESCRIPTION"
-.PP
-\fInamed.conf\fR
-is the configuration file for
-\fBnamed\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
-.PP
-C style: /* */
-.PP
-C++ style: // to end of line
-.PP
-Unix style: # to end of line
-.SH "ACL"
-.sp
-.nf
-acl \fIstring\fR { \fIaddress_match_element\fR; ... };
-.fi
-.SH "KEY"
-.sp
-.nf
-key \fIdomain_name\fR {
- algorithm \fIstring\fR;
- secret \fIstring\fR;
-};
-.fi
-.SH "MASTERS"
-.sp
-.nf
-masters \fIstring\fR [ port \fIinteger\fR ] {
- ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
- \fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ...
-};
-.fi
-.SH "SERVER"
-.sp
-.nf
-server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
- bogus \fIboolean\fR;
- edns \fIboolean\fR;
- provide\-ixfr \fIboolean\fR;
- request\-ixfr \fIboolean\fR;
- keys \fIserver_key\fR;
- transfers \fIinteger\fR;
- transfer\-format ( many\-answers | one\-answer );
- transfer\-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- transfer\-source\-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- support\-ixfr \fIboolean\fR; // obsolete
-};
-.fi
-.SH "TRUSTED\-KEYS"
-.sp
-.nf
-trusted\-keys {
- \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ...
-};
-.fi
-.SH "CONTROLS"
-.sp
-.nf
-controls {
- inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ]
- allow { \fIaddress_match_element\fR; ... }
- [ keys { \fIstring\fR; ... } ];
- unix \fIunsupported\fR; // not implemented
-};
-.fi
-.SH "LOGGING"
-.sp
-.nf
-logging {
- channel \fIstring\fR {
- file \fIlog_file\fR;
- syslog \fIoptional_facility\fR;
- null;
- stderr;
- severity \fIlog_severity\fR;
- print\-time \fIboolean\fR;
- print\-severity \fIboolean\fR;
- print\-category \fIboolean\fR;
- };
- category \fIstring\fR { \fIstring\fR; ... };
-};
-.fi
-.SH "LWRES"
-.sp
-.nf
-lwres {
- listen\-on [ port \fIinteger\fR ] {
- ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
- };
- view \fIstring\fR \fIoptional_class\fR;
- search { \fIstring\fR; ... };
- ndots \fIinteger\fR;
-};
-.fi
-.SH "OPTIONS"
-.sp
-.nf
-options {
- avoid\-v4\-udp\-ports { \fIport\fR; ... };
- avoid\-v6\-udp\-ports { \fIport\fR; ... };
- blackhole { \fIaddress_match_element\fR; ... };
- coresize \fIsize\fR;
- datasize \fIsize\fR;
- directory \fIquoted_string\fR;
- dump\-file \fIquoted_string\fR;
- files \fIsize\fR;
- heartbeat\-interval \fIinteger\fR;
- host\-statistics \fIboolean\fR; // not implemented
- host\-statistics\-max \fInumber\fR; // not implemented
- hostname ( \fIquoted_string\fR | none );
- interface\-interval \fIinteger\fR;
- listen\-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
- listen\-on\-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
- match\-mapped\-addresses \fIboolean\fR;
- memstatistics\-file \fIquoted_string\fR;
- pid\-file ( \fIquoted_string\fR | none );
- port \fIinteger\fR;
- querylog \fIboolean\fR;
- recursing\-file \fIquoted_string\fR;
- random\-device \fIquoted_string\fR;
- recursive\-clients \fIinteger\fR;
- serial\-query\-rate \fIinteger\fR;
- server\-id ( \fIquoted_string\fR | none |;
- stacksize \fIsize\fR;
- statistics\-file \fIquoted_string\fR;
- statistics\-interval \fIinteger\fR; // not yet implemented
- tcp\-clients \fIinteger\fR;
- tcp\-listen\-queue \fIinteger\fR;
- tkey\-dhkey \fIquoted_string\fR \fIinteger\fR;
- tkey\-gssapi\-credential \fIquoted_string\fR;
- tkey\-domain \fIquoted_string\fR;
- transfers\-per\-ns \fIinteger\fR;
- transfers\-in \fIinteger\fR;
- transfers\-out \fIinteger\fR;
- use\-ixfr \fIboolean\fR;
- version ( \fIquoted_string\fR | none );
- allow\-recursion { \fIaddress_match_element\fR; ... };
- sortlist { \fIaddress_match_element\fR; ... };
- topology { \fIaddress_match_element\fR; ... }; // not implemented
- auth\-nxdomain \fIboolean\fR; // default changed
- minimal\-responses \fIboolean\fR;
- recursion \fIboolean\fR;
- rrset\-order {
- [ class \fIstring\fR ] [ type \fIstring\fR ]
- [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
- };
- provide\-ixfr \fIboolean\fR;
- request\-ixfr \fIboolean\fR;
- rfc2308\-type1 \fIboolean\fR; // not yet implemented
- additional\-from\-auth \fIboolean\fR;
- additional\-from\-cache \fIboolean\fR;
- query\-source \fIquerysource4\fR;
- query\-source\-v6 \fIquerysource6\fR;
- cleaning\-interval \fIinteger\fR;
- min\-roots \fIinteger\fR; // not implemented
- lame\-ttl \fIinteger\fR;
- max\-ncache\-ttl \fIinteger\fR;
- max\-cache\-ttl \fIinteger\fR;
- transfer\-format ( many\-answers | one\-answer );
- max\-cache\-size \fIsize_no_default\fR;
- check\-names ( master | slave | response )
- ( fail | warn | ignore );
- cache\-file \fIquoted_string\fR;
- suppress\-initial\-notify \fIboolean\fR; // not yet implemented
- preferred\-glue \fIstring\fR;
- dual\-stack\-servers [ port \fIinteger\fR ] {
- ( \fIquoted_string\fR [port \fIinteger\fR] |
- \fIipv4_address\fR [port \fIinteger\fR] |
- \fIipv6_address\fR [port \fIinteger\fR] ); ...
- }
- edns\-udp\-size \fIinteger\fR;
- root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
- disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
- dnssec\-enable \fIboolean\fR;
- dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
- dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
- dialup \fIdialuptype\fR;
- ixfr\-from\-differences \fIixfrdiff\fR;
- allow\-query { \fIaddress_match_element\fR; ... };
- allow\-transfer { \fIaddress_match_element\fR; ... };
- allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
- notify \fInotifytype\fR;
- notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
- [ port \fIinteger\fR ]; ... };
- allow\-notify { \fIaddress_match_element\fR; ... };
- forward ( first | only );
- forwarders [ port \fIinteger\fR ] {
- ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
- };
- max\-journal\-size \fIsize_no_default\fR;
- max\-transfer\-time\-in \fIinteger\fR;
- max\-transfer\-time\-out \fIinteger\fR;
- max\-transfer\-idle\-in \fIinteger\fR;
- max\-transfer\-idle\-out \fIinteger\fR;
- max\-retry\-time \fIinteger\fR;
- min\-retry\-time \fIinteger\fR;
- max\-refresh\-time \fIinteger\fR;
- min\-refresh\-time \fIinteger\fR;
- multi\-master \fIboolean\fR;
- sig\-validity\-interval \fIinteger\fR;
- transfer\-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- transfer\-source\-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt\-transfer\-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- use\-alt\-transfer\-source \fIboolean\fR;
- zone\-statistics \fIboolean\fR;
- key\-directory \fIquoted_string\fR;
- allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
- deallocate\-on\-exit \fIboolean\fR; // obsolete
- fake\-iquery \fIboolean\fR; // obsolete
- fetch\-glue \fIboolean\fR; // obsolete
- has\-old\-clients \fIboolean\fR; // obsolete
- maintain\-ixfr\-base \fIboolean\fR; // obsolete
- max\-ixfr\-log\-size \fIsize\fR; // obsolete
- multiple\-cnames \fIboolean\fR; // obsolete
- named\-xfer \fIquoted_string\fR; // obsolete
- serial\-queries \fIinteger\fR; // obsolete
- treat\-cr\-as\-space \fIboolean\fR; // obsolete
- use\-id\-pool \fIboolean\fR; // obsolete
-};
-.fi
-.SH "VIEW"
-.sp
-.nf
-view \fIstring\fR \fIoptional_class\fR {
- match\-clients { \fIaddress_match_element\fR; ... };
- match\-destinations { \fIaddress_match_element\fR; ... };
- match\-recursive\-only \fIboolean\fR;
- key \fIstring\fR {
- algorithm \fIstring\fR;
- secret \fIstring\fR;
- };
- zone \fIstring\fR \fIoptional_class\fR {
- ...
- };
- server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
- ...
- };
- trusted\-keys {
- \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
- };
- allow\-recursion { \fIaddress_match_element\fR; ... };
- sortlist { \fIaddress_match_element\fR; ... };
- topology { \fIaddress_match_element\fR; ... }; // not implemented
- auth\-nxdomain \fIboolean\fR; // default changed
- minimal\-responses \fIboolean\fR;
- recursion \fIboolean\fR;
- rrset\-order {
- [ class \fIstring\fR ] [ type \fIstring\fR ]
- [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
- };
- provide\-ixfr \fIboolean\fR;
- request\-ixfr \fIboolean\fR;
- rfc2308\-type1 \fIboolean\fR; // not yet implemented
- additional\-from\-auth \fIboolean\fR;
- additional\-from\-cache \fIboolean\fR;
- query\-source \fIquerysource4\fR;
- query\-source\-v6 \fIquerysource6\fR;
- cleaning\-interval \fIinteger\fR;
- min\-roots \fIinteger\fR; // not implemented
- lame\-ttl \fIinteger\fR;
- max\-ncache\-ttl \fIinteger\fR;
- max\-cache\-ttl \fIinteger\fR;
- transfer\-format ( many\-answers | one\-answer );
- max\-cache\-size \fIsize_no_default\fR;
- check\-names ( master | slave | response )
- ( fail | warn | ignore );
- cache\-file \fIquoted_string\fR;
- suppress\-initial\-notify \fIboolean\fR; // not yet implemented
- preferred\-glue \fIstring\fR;
- dual\-stack\-servers [ port \fIinteger\fR ] {
- ( \fIquoted_string\fR [port \fIinteger\fR] |
- \fIipv4_address\fR [port \fIinteger\fR] |
- \fIipv6_address\fR [port \fIinteger\fR] ); ...
- };
- edns\-udp\-size \fIinteger\fR;
- root\-delegation\-only [ exclude { \fIquoted_string\fR; ... } ];
- disable\-algorithms \fIstring\fR { \fIstring\fR; ... };
- dnssec\-enable \fIboolean\fR;
- dnssec\-lookaside \fIstring\fR trust\-anchor \fIstring\fR;
- dnssec\-must\-be\-secure \fIstring\fR \fIboolean\fR;
- dialup \fIdialuptype\fR;
- ixfr\-from\-differences \fIixfrdiff\fR;
- allow\-query { \fIaddress_match_element\fR; ... };
- allow\-transfer { \fIaddress_match_element\fR; ... };
- allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
- notify \fInotifytype\fR;
- notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
- [ port \fIinteger\fR ]; ... };
- allow\-notify { \fIaddress_match_element\fR; ... };
- forward ( first | only );
- forwarders [ port \fIinteger\fR ] {
- ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
- };
- max\-journal\-size \fIsize_no_default\fR;
- max\-transfer\-time\-in \fIinteger\fR;
- max\-transfer\-time\-out \fIinteger\fR;
- max\-transfer\-idle\-in \fIinteger\fR;
- max\-transfer\-idle\-out \fIinteger\fR;
- max\-retry\-time \fIinteger\fR;
- min\-retry\-time \fIinteger\fR;
- max\-refresh\-time \fIinteger\fR;
- min\-refresh\-time \fIinteger\fR;
- multi\-master \fIboolean\fR;
- sig\-validity\-interval \fIinteger\fR;
- transfer\-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- transfer\-source\-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt\-transfer\-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- use\-alt\-transfer\-source \fIboolean\fR;
- zone\-statistics \fIboolean\fR;
- key\-directory \fIquoted_string\fR;
- allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
- fetch\-glue \fIboolean\fR; // obsolete
- maintain\-ixfr\-base \fIboolean\fR; // obsolete
- max\-ixfr\-log\-size \fIsize\fR; // obsolete
-};
-.fi
-.SH "ZONE"
-.sp
-.nf
-zone \fIstring\fR \fIoptional_class\fR {
- type ( master | slave | stub | hint |
- forward | delegation\-only );
- file \fIquoted_string\fR;
- masters [ port \fIinteger\fR ] {
- ( \fImasters\fR |
- \fIipv4_address\fR [port \fIinteger\fR] |
- \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; ...
- };
- database \fIstring\fR;
- delegation\-only \fIboolean\fR;
- check\-names ( fail | warn | ignore );
- dialup \fIdialuptype\fR;
- ixfr\-from\-differences \fIboolean\fR;
- allow\-query { \fIaddress_match_element\fR; ... };
- allow\-transfer { \fIaddress_match_element\fR; ... };
- allow\-update { \fIaddress_match_element\fR; ... };
- allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
- update\-policy {
- ( grant | deny ) \fIstring\fR
- ( name | subdomain | wildcard | self ) \fIstring\fR
- \fIrrtypelist\fR; ...
- };
- notify \fInotifytype\fR;
- notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
- also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
- [ port \fIinteger\fR ]; ... };
- allow\-notify { \fIaddress_match_element\fR; ... };
- forward ( first | only );
- forwarders [ port \fIinteger\fR ] {
- ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
- };
- max\-journal\-size \fIsize_no_default\fR;
- max\-transfer\-time\-in \fIinteger\fR;
- max\-transfer\-time\-out \fIinteger\fR;
- max\-transfer\-idle\-in \fIinteger\fR;
- max\-transfer\-idle\-out \fIinteger\fR;
- max\-retry\-time \fIinteger\fR;
- min\-retry\-time \fIinteger\fR;
- max\-refresh\-time \fIinteger\fR;
- min\-refresh\-time \fIinteger\fR;
- multi\-master \fIboolean\fR;
- sig\-validity\-interval \fIinteger\fR;
- transfer\-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- transfer\-source\-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt\-transfer\-source ( \fIipv4_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- alt\-transfer\-source\-v6 ( \fIipv6_address\fR | * )
- [ port ( \fIinteger\fR | * ) ];
- use\-alt\-transfer\-source \fIboolean\fR;
- zone\-statistics \fIboolean\fR;
- key\-directory \fIquoted_string\fR;
- ixfr\-base \fIquoted_string\fR; // obsolete
- ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
- maintain\-ixfr\-base \fIboolean\fR; // obsolete
- max\-ixfr\-log\-size \fIsize\fR; // obsolete
- pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
-};
-.fi
-.SH "FILES"
-.PP
-\fI/etc/named.conf\fR
-.SH "SEE ALSO"
-.PP
-\fBnamed\fR(8),
-\fBrndc\fR(8),
-\fBBIND 9 Adminstrators Reference Manual\fR().
diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook
deleted file mode 100644
index 4ba10844cc32..000000000000
--- a/contrib/bind9/bin/named/named.conf.docbook
+++ /dev/null
@@ -1,543 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named.conf.docbook,v 1.1.4.4 2005/05/13 01:22:33 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>Aug 13, 2004</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><filename>named.conf</filename></refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><filename>named.conf</filename></refname>
- <refpurpose>configuration file for named</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>named.conf</command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <filename>named.conf</filename> is the configuration file for
- <command>named</command>. Statements are enclosed
- in braces and terminated with a semi-colon. Clauses in
- the statements are also semi-colon terminated. The usual
- comment styles are supported:
- </para>
- <para>
- C style: /* */
- </para>
- <para>
- C++ style: // to end of line
- </para>
- <para>
- Unix style: # to end of line
- </para>
- </refsect1>
-
-<refsect1>
-<title>ACL</title>
-<literallayout>
-acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
-
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>KEY</title>
-<literallayout>
-key <replaceable>domain_name</replaceable> {
- algorithm <replaceable>string</replaceable>;
- secret <replaceable>string</replaceable>;
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>MASTERS</title>
-<literallayout>
-masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
- <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>SERVER</title>
-<literallayout>
-server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
- bogus <replaceable>boolean</replaceable>;
- edns <replaceable>boolean</replaceable>;
- provide-ixfr <replaceable>boolean</replaceable>;
- request-ixfr <replaceable>boolean</replaceable>;
- keys <replaceable>server_key</replaceable>;
- transfers <replaceable>integer</replaceable>;
- transfer-format ( many-answers | one-answer );
- transfer-source ( <replaceable>ipv4_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
- support-ixfr <replaceable>boolean</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>TRUSTED-KEYS</title>
-<literallayout>
-trusted-keys {
- <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>CONTROLS</title>
-<literallayout>
-controls {
- inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
- allow { <replaceable>address_match_element</replaceable>; ... }
- <optional> keys { <replaceable>string</replaceable>; ... } </optional>;
- unix <replaceable>unsupported</replaceable>; // not implemented
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>LOGGING</title>
-<literallayout>
-logging {
- channel <replaceable>string</replaceable> {
- file <replaceable>log_file</replaceable>;
- syslog <replaceable>optional_facility</replaceable>;
- null;
- stderr;
- severity <replaceable>log_severity</replaceable>;
- print-time <replaceable>boolean</replaceable>;
- print-severity <replaceable>boolean</replaceable>;
- print-category <replaceable>boolean</replaceable>;
- };
- category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>LWRES</title>
-<literallayout>
-lwres {
- listen-on <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
- };
- view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>;
- search { <replaceable>string</replaceable>; ... };
- ndots <replaceable>integer</replaceable>;
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>OPTIONS</title>
-<literallayout>
-options {
- avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
- avoid-v6-udp-ports { <replaceable>port</replaceable>; ... };
- blackhole { <replaceable>address_match_element</replaceable>; ... };
- coresize <replaceable>size</replaceable>;
- datasize <replaceable>size</replaceable>;
- directory <replaceable>quoted_string</replaceable>;
- dump-file <replaceable>quoted_string</replaceable>;
- files <replaceable>size</replaceable>;
- heartbeat-interval <replaceable>integer</replaceable>;
- host-statistics <replaceable>boolean</replaceable>; // not implemented
- host-statistics-max <replaceable>number</replaceable>; // not implemented
- hostname ( <replaceable>quoted_string</replaceable> | none );
- interface-interval <replaceable>integer</replaceable>;
- listen-on <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
- listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
- match-mapped-addresses <replaceable>boolean</replaceable>;
- memstatistics-file <replaceable>quoted_string</replaceable>;
- pid-file ( <replaceable>quoted_string</replaceable> | none );
- port <replaceable>integer</replaceable>;
- querylog <replaceable>boolean</replaceable>;
- recursing-file <replaceable>quoted_string</replaceable>;
- random-device <replaceable>quoted_string</replaceable>;
- recursive-clients <replaceable>integer</replaceable>;
- serial-query-rate <replaceable>integer</replaceable>;
- server-id ( <replaceable>quoted_string</replaceable> | none |;
- stacksize <replaceable>size</replaceable>;
- statistics-file <replaceable>quoted_string</replaceable>;
- statistics-interval <replaceable>integer</replaceable>; // not yet implemented
- tcp-clients <replaceable>integer</replaceable>;
- tcp-listen-queue <replaceable>integer</replaceable>;
- tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
- tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
- tkey-domain <replaceable>quoted_string</replaceable>;
- transfers-per-ns <replaceable>integer</replaceable>;
- transfers-in <replaceable>integer</replaceable>;
- transfers-out <replaceable>integer</replaceable>;
- use-ixfr <replaceable>boolean</replaceable>;
- version ( <replaceable>quoted_string</replaceable> | none );
- allow-recursion { <replaceable>address_match_element</replaceable>; ... };
- sortlist { <replaceable>address_match_element</replaceable>; ... };
- topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
- auth-nxdomain <replaceable>boolean</replaceable>; // default changed
- minimal-responses <replaceable>boolean</replaceable>;
- recursion <replaceable>boolean</replaceable>;
- rrset-order {
- <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
- <optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
- };
- provide-ixfr <replaceable>boolean</replaceable>;
- request-ixfr <replaceable>boolean</replaceable>;
- rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
- additional-from-auth <replaceable>boolean</replaceable>;
- additional-from-cache <replaceable>boolean</replaceable>;
- query-source <replaceable>querysource4</replaceable>;
- query-source-v6 <replaceable>querysource6</replaceable>;
- cleaning-interval <replaceable>integer</replaceable>;
- min-roots <replaceable>integer</replaceable>; // not implemented
- lame-ttl <replaceable>integer</replaceable>;
- max-ncache-ttl <replaceable>integer</replaceable>;
- max-cache-ttl <replaceable>integer</replaceable>;
- transfer-format ( many-answers | one-answer );
- max-cache-size <replaceable>size_no_default</replaceable>;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- cache-file <replaceable>quoted_string</replaceable>;
- suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
- preferred-glue <replaceable>string</replaceable>;
- dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
- <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
- <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
- }
- edns-udp-size <replaceable>integer</replaceable>;
- root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
- disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
- dnssec-enable <replaceable>boolean</replaceable>;
- dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
- dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
-
- dialup <replaceable>dialuptype</replaceable>;
- ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
-
- allow-query { <replaceable>address_match_element</replaceable>; ... };
- allow-transfer { <replaceable>address_match_element</replaceable>; ... };
- allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-
- notify <replaceable>notifytype</replaceable>;
- notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
- <optional> port <replaceable>integer</replaceable> </optional>; ... };
- allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
- forward ( first | only );
- forwarders <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
- };
-
- max-journal-size <replaceable>size_no_default</replaceable>;
- max-transfer-time-in <replaceable>integer</replaceable>;
- max-transfer-time-out <replaceable>integer</replaceable>;
- max-transfer-idle-in <replaceable>integer</replaceable>;
- max-transfer-idle-out <replaceable>integer</replaceable>;
- max-retry-time <replaceable>integer</replaceable>;
- min-retry-time <replaceable>integer</replaceable>;
- max-refresh-time <replaceable>integer</replaceable>;
- min-refresh-time <replaceable>integer</replaceable>;
- multi-master <replaceable>boolean</replaceable>;
- sig-validity-interval <replaceable>integer</replaceable>;
-
- transfer-source ( <replaceable>ipv4_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
- alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- use-alt-transfer-source <replaceable>boolean</replaceable>;
-
- zone-statistics <replaceable>boolean</replaceable>;
- key-directory <replaceable>quoted_string</replaceable>;
-
- allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
- deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
- fake-iquery <replaceable>boolean</replaceable>; // obsolete
- fetch-glue <replaceable>boolean</replaceable>; // obsolete
- has-old-clients <replaceable>boolean</replaceable>; // obsolete
- maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
- max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
- multiple-cnames <replaceable>boolean</replaceable>; // obsolete
- named-xfer <replaceable>quoted_string</replaceable>; // obsolete
- serial-queries <replaceable>integer</replaceable>; // obsolete
- treat-cr-as-space <replaceable>boolean</replaceable>; // obsolete
- use-id-pool <replaceable>boolean</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>VIEW</title>
-<literallayout>
-view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
- match-clients { <replaceable>address_match_element</replaceable>; ... };
- match-destinations { <replaceable>address_match_element</replaceable>; ... };
- match-recursive-only <replaceable>boolean</replaceable>;
-
- key <replaceable>string</replaceable> {
- algorithm <replaceable>string</replaceable>;
- secret <replaceable>string</replaceable>;
- };
-
- zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
- ...
- };
-
- server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
- ...
- };
-
- trusted-keys {
- <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
- };
-
- allow-recursion { <replaceable>address_match_element</replaceable>; ... };
- sortlist { <replaceable>address_match_element</replaceable>; ... };
- topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
- auth-nxdomain <replaceable>boolean</replaceable>; // default changed
- minimal-responses <replaceable>boolean</replaceable>;
- recursion <replaceable>boolean</replaceable>;
- rrset-order {
- <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
- <optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
- };
- provide-ixfr <replaceable>boolean</replaceable>;
- request-ixfr <replaceable>boolean</replaceable>;
- rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
- additional-from-auth <replaceable>boolean</replaceable>;
- additional-from-cache <replaceable>boolean</replaceable>;
- query-source <replaceable>querysource4</replaceable>;
- query-source-v6 <replaceable>querysource6</replaceable>;
- cleaning-interval <replaceable>integer</replaceable>;
- min-roots <replaceable>integer</replaceable>; // not implemented
- lame-ttl <replaceable>integer</replaceable>;
- max-ncache-ttl <replaceable>integer</replaceable>;
- max-cache-ttl <replaceable>integer</replaceable>;
- transfer-format ( many-answers | one-answer );
- max-cache-size <replaceable>size_no_default</replaceable>;
- check-names ( master | slave | response )
- ( fail | warn | ignore );
- cache-file <replaceable>quoted_string</replaceable>;
- suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
- preferred-glue <replaceable>string</replaceable>;
- dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
- <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
- <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
- };
- edns-udp-size <replaceable>integer</replaceable>;
- root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
- disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
- dnssec-enable <replaceable>boolean</replaceable>;
- dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
-
- dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
- dialup <replaceable>dialuptype</replaceable>;
- ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
-
- allow-query { <replaceable>address_match_element</replaceable>; ... };
- allow-transfer { <replaceable>address_match_element</replaceable>; ... };
- allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
-
- notify <replaceable>notifytype</replaceable>;
- notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
- <optional> port <replaceable>integer</replaceable> </optional>; ... };
- allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
- forward ( first | only );
- forwarders <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
- };
-
- max-journal-size <replaceable>size_no_default</replaceable>;
- max-transfer-time-in <replaceable>integer</replaceable>;
- max-transfer-time-out <replaceable>integer</replaceable>;
- max-transfer-idle-in <replaceable>integer</replaceable>;
- max-transfer-idle-out <replaceable>integer</replaceable>;
- max-retry-time <replaceable>integer</replaceable>;
- min-retry-time <replaceable>integer</replaceable>;
- max-refresh-time <replaceable>integer</replaceable>;
- min-refresh-time <replaceable>integer</replaceable>;
- multi-master <replaceable>boolean</replaceable>;
- sig-validity-interval <replaceable>integer</replaceable>;
-
- transfer-source ( <replaceable>ipv4_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
- alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- use-alt-transfer-source <replaceable>boolean</replaceable>;
-
- zone-statistics <replaceable>boolean</replaceable>;
- key-directory <replaceable>quoted_string</replaceable>;
-
- allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
- fetch-glue <replaceable>boolean</replaceable>; // obsolete
- maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
- max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>ZONE</title>
-<literallayout>
-zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
- type ( master | slave | stub | hint |
- forward | delegation-only );
- file <replaceable>quoted_string</replaceable>;
-
- masters <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>masters</replaceable> |
- <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
- <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
- };
-
- database <replaceable>string</replaceable>;
- delegation-only <replaceable>boolean</replaceable>;
- check-names ( fail | warn | ignore );
- dialup <replaceable>dialuptype</replaceable>;
- ixfr-from-differences <replaceable>boolean</replaceable>;
-
- allow-query { <replaceable>address_match_element</replaceable>; ... };
- allow-transfer { <replaceable>address_match_element</replaceable>; ... };
- allow-update { <replaceable>address_match_element</replaceable>; ... };
- allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
- update-policy {
- ( grant | deny ) <replaceable>string</replaceable>
- ( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
- <replaceable>rrtypelist</replaceable>; ...
- };
-
- notify <replaceable>notifytype</replaceable>;
- notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
- <optional> port <replaceable>integer</replaceable> </optional>; ... };
- allow-notify { <replaceable>address_match_element</replaceable>; ... };
-
- forward ( first | only );
- forwarders <optional> port <replaceable>integer</replaceable> </optional> {
- ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
- };
-
- max-journal-size <replaceable>size_no_default</replaceable>;
- max-transfer-time-in <replaceable>integer</replaceable>;
- max-transfer-time-out <replaceable>integer</replaceable>;
- max-transfer-idle-in <replaceable>integer</replaceable>;
- max-transfer-idle-out <replaceable>integer</replaceable>;
- max-retry-time <replaceable>integer</replaceable>;
- min-retry-time <replaceable>integer</replaceable>;
- max-refresh-time <replaceable>integer</replaceable>;
- min-refresh-time <replaceable>integer</replaceable>;
- multi-master <replaceable>boolean</replaceable>;
- sig-validity-interval <replaceable>integer</replaceable>;
-
- transfer-source ( <replaceable>ipv4_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
-
- alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
- <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
- use-alt-transfer-source <replaceable>boolean</replaceable>;
-
- zone-statistics <replaceable>boolean</replaceable>;
- key-directory <replaceable>quoted_string</replaceable>;
-
- ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
- ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
- maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
- max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
- pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
-};
-</literallayout>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/named.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>BIND 9 Adminstrators Reference Manual</refentrytitle>
-</citerefentry>.
-</para>
-</refsect1>
-
-</refentry>
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html
deleted file mode 100644
index 8b3b517d7d73..000000000000
--- a/contrib/bind9/bin/named/named.conf.html
+++ /dev/null
@@ -1,500 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: named.conf.html,v 1.1.4.10 2005/10/13 02:33:48 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><code class="filename">named.conf</code> &#8212; configuration file for named</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named.conf</code> </p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525889"></a><h2>DESCRIPTION</h2>
-<p>
- <code class="filename">named.conf</code> is the configuration file for
- <span><strong class="command">named</strong></span>. Statements are enclosed
- in braces and terminated with a semi-colon. Clauses in
- the statements are also semi-colon terminated. The usual
- comment styles are supported:
- </p>
-<p>
- C style: /* */
- </p>
-<p>
- C++ style: // to end of line
- </p>
-<p>
- Unix style: # to end of line
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525917"></a><h2>ACL</h2>
-<div class="literallayout"><p><br>
-acl <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525933"></a><h2>KEY</h2>
-<div class="literallayout"><p><br>
-key <em class="replaceable"><code>domain_name</code></em> {<br>
- algorithm <em class="replaceable"><code>string</code></em>;<br>
- secret <em class="replaceable"><code>string</code></em>;<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525953"></a><h2>MASTERS</h2>
-<div class="literallayout"><p><br>
-masters <em class="replaceable"><code>string</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>masters</code></em> | <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
- <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525998"></a><h2>SERVER</h2>
-<div class="literallayout"><p><br>
-server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br>
- bogus <em class="replaceable"><code>boolean</code></em>;<br>
- edns <em class="replaceable"><code>boolean</code></em>;<br>
- provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- keys <em class="replaceable"><code>server_key</code></em>;<br>
- transfers <em class="replaceable"><code>integer</code></em>;<br>
- transfer-format ( many-answers | one-answer );<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
- support-ixfr <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526056"></a><h2>TRUSTED-KEYS</h2>
-<div class="literallayout"><p><br>
-trusted-keys {<br>
- <em class="replaceable"><code>domain_name</code></em> <em class="replaceable"><code>flags</code></em> <em class="replaceable"><code>protocol</code></em> <em class="replaceable"><code>algorithm</code></em> <em class="replaceable"><code>key</code></em>; ... <br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526082"></a><h2>CONTROLS</h2>
-<div class="literallayout"><p><br>
-controls {<br>
- inet ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>]<br>
- allow { <em class="replaceable"><code>address_match_element</code></em>; ... }<br>
- [<span class="optional"> keys { <em class="replaceable"><code>string</code></em>; ... } </span>];<br>
- unix <em class="replaceable"><code>unsupported</code></em>; // not implemented<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526117"></a><h2>LOGGING</h2>
-<div class="literallayout"><p><br>
-logging {<br>
- channel <em class="replaceable"><code>string</code></em> {<br>
- file <em class="replaceable"><code>log_file</code></em>;<br>
- syslog <em class="replaceable"><code>optional_facility</code></em>;<br>
- null;<br>
- stderr;<br>
- severity <em class="replaceable"><code>log_severity</code></em>;<br>
- print-time <em class="replaceable"><code>boolean</code></em>;<br>
- print-severity <em class="replaceable"><code>boolean</code></em>;<br>
- print-category <em class="replaceable"><code>boolean</code></em>;<br>
- };<br>
- category <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526155"></a><h2>LWRES</h2>
-<div class="literallayout"><p><br>
-lwres {<br>
- listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
- };<br>
- view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em>;<br>
- search { <em class="replaceable"><code>string</code></em>; ... };<br>
- ndots <em class="replaceable"><code>integer</code></em>;<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526197"></a><h2>OPTIONS</h2>
-<div class="literallayout"><p><br>
-options {<br>
- avoid-v4-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
- avoid-v6-udp-ports { <em class="replaceable"><code>port</code></em>; ... };<br>
- blackhole { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- coresize <em class="replaceable"><code>size</code></em>;<br>
- datasize <em class="replaceable"><code>size</code></em>;<br>
- directory <em class="replaceable"><code>quoted_string</code></em>;<br>
- dump-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- files <em class="replaceable"><code>size</code></em>;<br>
- heartbeat-interval <em class="replaceable"><code>integer</code></em>;<br>
- host-statistics <em class="replaceable"><code>boolean</code></em>; // not implemented<br>
- host-statistics-max <em class="replaceable"><code>number</code></em>; // not implemented<br>
- hostname ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- interface-interval <em class="replaceable"><code>integer</code></em>;<br>
- listen-on [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- match-mapped-addresses <em class="replaceable"><code>boolean</code></em>;<br>
- memstatistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- pid-file ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- port <em class="replaceable"><code>integer</code></em>;<br>
- querylog <em class="replaceable"><code>boolean</code></em>;<br>
- recursing-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- random-device <em class="replaceable"><code>quoted_string</code></em>;<br>
- recursive-clients <em class="replaceable"><code>integer</code></em>;<br>
- serial-query-rate <em class="replaceable"><code>integer</code></em>;<br>
- server-id ( <em class="replaceable"><code>quoted_string</code></em> | none |;<br>
- stacksize <em class="replaceable"><code>size</code></em>;<br>
- statistics-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- statistics-interval <em class="replaceable"><code>integer</code></em>; // not yet implemented<br>
- tcp-clients <em class="replaceable"><code>integer</code></em>;<br>
- tcp-listen-queue <em class="replaceable"><code>integer</code></em>;<br>
- tkey-dhkey <em class="replaceable"><code>quoted_string</code></em> <em class="replaceable"><code>integer</code></em>;<br>
- tkey-gssapi-credential <em class="replaceable"><code>quoted_string</code></em>;<br>
- tkey-domain <em class="replaceable"><code>quoted_string</code></em>;<br>
- transfers-per-ns <em class="replaceable"><code>integer</code></em>;<br>
- transfers-in <em class="replaceable"><code>integer</code></em>;<br>
- transfers-out <em class="replaceable"><code>integer</code></em>;<br>
- use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
- allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
- auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
- minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
- recursion <em class="replaceable"><code>boolean</code></em>;<br>
- rrset-order {<br>
- [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
- [<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
- };<br>
- provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
- additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
- additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
- query-source <em class="replaceable"><code>querysource4</code></em>;<br>
- query-source-v6 <em class="replaceable"><code>querysource6</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
- min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
- lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- transfer-format ( many-answers | one-answer );<br>
- max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
- check-names ( master | slave | response )<br>
- ( fail | warn | ignore );<br>
- cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
- preferred-glue <em class="replaceable"><code>string</code></em>;<br>
- dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
- <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
- <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
- }<br>
- edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
- dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
- dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
- ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
- allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
- notify <em class="replaceable"><code>notifytype</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
- [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
- forward ( first | only );<br>
- forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
- };<br>
-<br>
- max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
- max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
- max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- multi-master <em class="replaceable"><code>boolean</code></em>;<br>
- sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
- alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
- zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
- key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
- allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
- deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- has-old-clients <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
- multiple-cnames <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- named-xfer <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
- serial-queries <em class="replaceable"><code>integer</code></em>; // obsolete<br>
- treat-cr-as-space <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- use-id-pool <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526858"></a><h2>VIEW</h2>
-<div class="literallayout"><p><br>
-view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
- match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- match-destinations { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- match-recursive-only <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
- key <em class="replaceable"><code>string</code></em> {<br>
- algorithm <em class="replaceable"><code>string</code></em>;<br>
- secret <em class="replaceable"><code>string</code></em>;<br>
- };<br>
-<br>
- zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
- ...<br>
- };<br>
-<br>
- server ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) {<br>
- ...<br>
- };<br>
-<br>
- trusted-keys {<br>
- <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; ...<br>
- };<br>
-<br>
- allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
- auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
- minimal-responses <em class="replaceable"><code>boolean</code></em>;<br>
- recursion <em class="replaceable"><code>boolean</code></em>;<br>
- rrset-order {<br>
- [<span class="optional"> class <em class="replaceable"><code>string</code></em> </span>] [<span class="optional"> type <em class="replaceable"><code>string</code></em> </span>]<br>
- [<span class="optional"> name <em class="replaceable"><code>quoted_string</code></em> </span>] <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>string</code></em>; ...<br>
- };<br>
- provide-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- request-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
- rfc2308-type1 <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
- additional-from-auth <em class="replaceable"><code>boolean</code></em>;<br>
- additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
- query-source <em class="replaceable"><code>querysource4</code></em>;<br>
- query-source-v6 <em class="replaceable"><code>querysource6</code></em>;<br>
- cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
- min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
- lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
- transfer-format ( many-answers | one-answer );<br>
- max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
- check-names ( master | slave | response )<br>
- ( fail | warn | ignore );<br>
- cache-file <em class="replaceable"><code>quoted_string</code></em>;<br>
- suppress-initial-notify <em class="replaceable"><code>boolean</code></em>; // not yet implemented<br>
- preferred-glue <em class="replaceable"><code>string</code></em>;<br>
- dual-stack-servers [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>quoted_string</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
- <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
- <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] ); ...<br>
- };<br>
- edns-udp-size <em class="replaceable"><code>integer</code></em>;<br>
- root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>quoted_string</code></em>; ... } </span>];<br>
- disable-algorithms <em class="replaceable"><code>string</code></em> { <em class="replaceable"><code>string</code></em>; ... };<br>
- dnssec-enable <em class="replaceable"><code>boolean</code></em>;<br>
- dnssec-lookaside <em class="replaceable"><code>string</code></em> trust-anchor <em class="replaceable"><code>string</code></em>;<br>
-<br>
- dnssec-must-be-secure <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>boolean</code></em>;<br>
- dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
- ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
-<br>
- allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
- notify <em class="replaceable"><code>notifytype</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
- [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
- forward ( first | only );<br>
- forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
- };<br>
-<br>
- max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
- max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
- max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- multi-master <em class="replaceable"><code>boolean</code></em>;<br>
- sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
- alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
- zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
- key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
- allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
- fetch-glue <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2527269"></a><h2>ZONE</h2>
-<div class="literallayout"><p><br>
-zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
- type ( master | slave | stub | hint |<br>
- forward | delegation-only );<br>
- file <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
- masters [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>masters</code></em> |<br>
- <em class="replaceable"><code>ipv4_address</code></em> [<span class="optional">port <em class="replaceable"><code>integer</code></em></span>] |<br>
- <em class="replaceable"><code>ipv6_address</code></em> [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] ) [<span class="optional"> key <em class="replaceable"><code>string</code></em> </span>]; ...<br>
- };<br>
-<br>
- database <em class="replaceable"><code>string</code></em>;<br>
- delegation-only <em class="replaceable"><code>boolean</code></em>;<br>
- check-names ( fail | warn | ignore );<br>
- dialup <em class="replaceable"><code>dialuptype</code></em>;<br>
- ixfr-from-differences <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
- allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
- update-policy {<br>
- ( grant | deny ) <em class="replaceable"><code>string</code></em><br>
- ( name | subdomain | wildcard | self ) <em class="replaceable"><code>string</code></em><br>
- <em class="replaceable"><code>rrtypelist</code></em>; ...<br>
- };<br>
-<br>
- notify <em class="replaceable"><code>notifytype</code></em>;<br>
- notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
- [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
- allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
-<br>
- forward ( first | only );<br>
- forwarders [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] {<br>
- ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> ) [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ...<br>
- };<br>
-<br>
- max-journal-size <em class="replaceable"><code>size_no_default</code></em>;<br>
- max-transfer-time-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-time-out <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-in <em class="replaceable"><code>integer</code></em>;<br>
- max-transfer-idle-out <em class="replaceable"><code>integer</code></em>;<br>
- max-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- min-retry-time <em class="replaceable"><code>integer</code></em>;<br>
- max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
- multi-master <em class="replaceable"><code>boolean</code></em>;<br>
- sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
-<br>
- transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
-<br>
- alt-transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- alt-transfer-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * )<br>
- [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
- use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
-<br>
- zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
- key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
-<br>
- ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
- ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
- maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
- max-ixfr-log-size <em class="replaceable"><code>size</code></em>; // obsolete<br>
- pubkey <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>integer</code></em> <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
-};<br>
-</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2527606"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/named.conf</code>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2527619"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">BIND 9 Adminstrators Reference Manual</span></span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook
deleted file mode 100644
index 47ccf54b38e8..000000000000
--- a/contrib/bind9/bin/named/named.docbook
+++ /dev/null
@@ -1,386 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: named.docbook,v 1.5.98.5 2005/05/13 01:22:33 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>named</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>named</application></refname>
- <refpurpose>Internet domain name server</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>named</command>
- <arg><option>-4</option></arg>
- <arg><option>-6</option></arg>
- <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
- <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
- <arg><option>-f</option></arg>
- <arg><option>-g</option></arg>
- <arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
- <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
- <arg><option>-s</option></arg>
- <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
- <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
- <arg><option>-v</option></arg>
- <arg><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>named</command> is a Domain Name System (DNS) server,
- part of the BIND 9 distribution from ISC. For more
- information on the DNS, see RFCs 1033, 1034, and 1035.
- </para>
- <para>
- When invoked without arguments, <command>named</command> will
- read the default configuration file
- <filename>/etc/named.conf</filename>, read any initial
- data, and listen for queries.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-4</term>
- <listitem>
- <para>
- Use IPv4 only even if the host machine is capable of IPv6.
- <option>-4</option> and <option>-6</option> are mutually
- exclusive.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-6</term>
- <listitem>
- <para>
- Use IPv6 only even if the host machine is capable of IPv4.
- <option>-4</option> and <option>-6</option> are mutually
- exclusive.
- </para>
- </listitem>
- </varlistentry>
- <varlistentry>
- <term>-c <replaceable class="parameter">config-file</replaceable></term>
- <listitem>
- <para>
- Use <replaceable
- class="parameter">config-file</replaceable> as the
- configuration file instead of the default,
- <filename>/etc/named.conf</filename>. To
- ensure that reloading the configuration file continues
- to work after the server has changed its working
- directory due to to a possible
- <option>directory</option> option in the configuration
- file, <replaceable
- class="parameter">config-file</replaceable> should be
- an absolute pathname.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-d <replaceable class="parameter">debug-level</replaceable></term>
- <listitem>
- <para>
- Set the daemon's debug level to <replaceable
- class="parameter">debug-level</replaceable>.
- Debugging traces from <command>named</command> become
- more verbose as the debug level increases.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-f</term>
- <listitem>
- <para>
- Run the server in the foreground (i.e. do not daemonize).
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-g</term>
- <listitem>
- <para>
- Run the server in the foreground and force all logging
- to <filename>stderr</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-n <replaceable class="parameter">#cpus</replaceable></term>
- <listitem>
- <para>
- Create <replaceable
- class="parameter">#cpus</replaceable> worker threads
- to take advantage of multiple CPUs. If not specified,
- <command>named</command> will try to determine the
- number of CPUs present and create one thread per CPU.
- If it is unable to determine the number of CPUs, a
- single worker thread will be created.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p <replaceable class="parameter">port</replaceable></term>
- <listitem>
- <para>
- Listen for queries on port <replaceable
- class="parameter">port</replaceable>. If not
- specified, the default is port 53.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s</term>
- <listitem>
- <para>
- Write memory usage statistics to <filename>stdout</filename> on exit.
- </para>
- <note>
- <para>
- This option is mainly of interest to BIND 9 developers
- and may be removed or changed in a future release.
- </para>
- </note>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-t <replaceable class="parameter">directory</replaceable></term>
- <listitem>
- <para>
- <function>chroot()</function> to <replaceable
- class="parameter">directory</replaceable> after
- processing the command line arguments, but before
- reading the configuration file.
- </para>
- <warning>
- <para>
- This option should be used in conjunction with the
- <option>-u</option> option, as chrooting a process
- running as root doesn't enhance security on most
- systems; the way <function>chroot()</function> is
- defined allows a process with root privileges to
- escape a chroot jail.
- </para>
- </warning>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-u <replaceable class="parameter">user</replaceable></term>
- <listitem>
- <para>
- <function>setuid()</function> to <replaceable
- class="parameter">user</replaceable> after completing
- privileged operations, such as creating sockets that
- listen on privileged ports.
- </para>
- <note>
- <para>
- On Linux, <command>named</command> uses the kernel's
- capability mechanism to drop all root privileges
- except the ability to <function>bind()</function> to a
- privileged port and set process resource limits.
- Unfortunately, this means that the <option>-u</option>
- option only works when <command>named</command> is run
- on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
- later, since previous kernels did not allow privileges
- to be retained after <function>setuid()</function>.
- </para>
- </note>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-v</term>
- <listitem>
- <para>
- Report the version number and exit.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-x <replaceable class="parameter">cache-file</replaceable></term>
- <listitem>
- <para>
- Load data from <replaceable
- class="parameter">cache-file</replaceable> into the
- cache of the default view.
- </para>
- <warning>
- <para>
- This option must not be used. It is only of interest
- to BIND 9 developers and may be removed or changed in a
- future release.
- </para>
- </warning>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </refsect1>
-
- <refsect1>
- <title>SIGNALS</title>
- <para>
- In routine operation, signals should not be used to control
- the nameserver; <command>rndc</command> should be used
- instead.
- </para>
-
- <variablelist>
-
- <varlistentry>
- <term>SIGHUP</term>
- <listitem>
- <para>
- Force a reload of the server.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>SIGINT, SIGTERM</term>
- <listitem>
- <para>
- Shut down the server.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- <para>
- The result of sending any other signals to the server is undefined.
- </para>
-
- </refsect1>
-
- <refsect1>
- <title>CONFIGURATION</title>
- <para>
- The <command>named</command> configuration file is too complex
- to describe in detail here. A complete description is
- provided in the <citetitle>BIND 9 Administrator Reference
- Manual</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>FILES</title>
-
- <variablelist>
-
- <varlistentry>
- <term><filename>/etc/named.conf</filename></term>
- <listitem>
- <para>
- The default configuration file.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term><filename>/var/run/named.pid</filename></term>
- <listitem>
- <para>
- The default process-id file.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citetitle>RFC 1033</citetitle>,
- <citetitle>RFC 1034</citetitle>,
- <citetitle>RFC 1035</citetitle>,
- <citerefentry>
- <refentrytitle>rndc</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>lwresd</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html
deleted file mode 100644
index f266e70af554..000000000000
--- a/contrib/bind9/bin/named/named.html
+++ /dev/null
@@ -1,240 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: named.html,v 1.4.2.1.4.9 2005/10/13 02:33:47 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>named</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">named</span> &#8212; Internet domain name server</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code> [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525923"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">named</strong></span> is a Domain Name System (DNS) server,
- part of the BIND 9 distribution from ISC. For more
- information on the DNS, see RFCs 1033, 1034, and 1035.
- </p>
-<p>
- When invoked without arguments, <span><strong class="command">named</strong></span> will
- read the default configuration file
- <code class="filename">/etc/named.conf</code>, read any initial
- data, and listen for queries.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525948"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-4</span></dt>
-<dd><p>
- Use IPv4 only even if the host machine is capable of IPv6.
- <code class="option">-4</code> and <code class="option">-6</code> are mutually
- exclusive.
- </p></dd>
-<dt><span class="term">-6</span></dt>
-<dd><p>
- Use IPv6 only even if the host machine is capable of IPv4.
- <code class="option">-4</code> and <code class="option">-6</code> are mutually
- exclusive.
- </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
- Use <em class="replaceable"><code>config-file</code></em> as the
- configuration file instead of the default,
- <code class="filename">/etc/named.conf</code>. To
- ensure that reloading the configuration file continues
- to work after the server has changed its working
- directory due to to a possible
- <code class="option">directory</code> option in the configuration
- file, <em class="replaceable"><code>config-file</code></em> should be
- an absolute pathname.
- </p></dd>
-<dt><span class="term">-d <em class="replaceable"><code>debug-level</code></em></span></dt>
-<dd><p>
- Set the daemon's debug level to <em class="replaceable"><code>debug-level</code></em>.
- Debugging traces from <span><strong class="command">named</strong></span> become
- more verbose as the debug level increases.
- </p></dd>
-<dt><span class="term">-f</span></dt>
-<dd><p>
- Run the server in the foreground (i.e. do not daemonize).
- </p></dd>
-<dt><span class="term">-g</span></dt>
-<dd><p>
- Run the server in the foreground and force all logging
- to <code class="filename">stderr</code>.
- </p></dd>
-<dt><span class="term">-n <em class="replaceable"><code>#cpus</code></em></span></dt>
-<dd><p>
- Create <em class="replaceable"><code>#cpus</code></em> worker threads
- to take advantage of multiple CPUs. If not specified,
- <span><strong class="command">named</strong></span> will try to determine the
- number of CPUs present and create one thread per CPU.
- If it is unable to determine the number of CPUs, a
- single worker thread will be created.
- </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
- Listen for queries on port <em class="replaceable"><code>port</code></em>. If not
- specified, the default is port 53.
- </p></dd>
-<dt><span class="term">-s</span></dt>
-<dd>
-<p>
- Write memory usage statistics to <code class="filename">stdout</code> on exit.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- This option is mainly of interest to BIND 9 developers
- and may be removed or changed in a future release.
- </p>
-</div>
-</dd>
-<dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
-<dd>
-<p>
- <code class="function">chroot()</code> to <em class="replaceable"><code>directory</code></em> after
- processing the command line arguments, but before
- reading the configuration file.
- </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
- This option should be used in conjunction with the
- <code class="option">-u</code> option, as chrooting a process
- running as root doesn't enhance security on most
- systems; the way <code class="function">chroot()</code> is
- defined allows a process with root privileges to
- escape a chroot jail.
- </p>
-</div>
-</dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd>
-<p>
- <code class="function">setuid()</code> to <em class="replaceable"><code>user</code></em> after completing
- privileged operations, such as creating sockets that
- listen on privileged ports.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
- On Linux, <span><strong class="command">named</strong></span> uses the kernel's
- capability mechanism to drop all root privileges
- except the ability to <code class="function">bind()</code> to a
- privileged port and set process resource limits.
- Unfortunately, this means that the <code class="option">-u</code>
- option only works when <span><strong class="command">named</strong></span> is run
- on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
- later, since previous kernels did not allow privileges
- to be retained after <code class="function">setuid()</code>.
- </p>
-</div>
-</dd>
-<dt><span class="term">-v</span></dt>
-<dd><p>
- Report the version number and exit.
- </p></dd>
-<dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
-<dd>
-<p>
- Load data from <em class="replaceable"><code>cache-file</code></em> into the
- cache of the default view.
- </p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>
- This option must not be used. It is only of interest
- to BIND 9 developers and may be removed or changed in a
- future release.
- </p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526297"></a><h2>SIGNALS</h2>
-<p>
- In routine operation, signals should not be used to control
- the nameserver; <span><strong class="command">rndc</strong></span> should be used
- instead.
- </p>
-<div class="variablelist"><dl>
-<dt><span class="term">SIGHUP</span></dt>
-<dd><p>
- Force a reload of the server.
- </p></dd>
-<dt><span class="term">SIGINT, SIGTERM</span></dt>
-<dd><p>
- Shut down the server.
- </p></dd>
-</dl></div>
-<p>
- The result of sending any other signals to the server is undefined.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526412"></a><h2>CONFIGURATION</h2>
-<p>
- The <span><strong class="command">named</strong></span> configuration file is too complex
- to describe in detail here. A complete description is
- provided in the <em class="citetitle">BIND 9 Administrator Reference
- Manual</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526429"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
-<dd><p>
- The default configuration file.
- </p></dd>
-<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
-<dd><p>
- The default process-id file.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526469"></a><h2>SEE ALSO</h2>
-<p>
- <em class="citetitle">RFC 1033</em>,
- <em class="citetitle">RFC 1034</em>,
- <em class="citetitle">RFC 1035</em>,
- <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526512"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/named/notify.c b/contrib/bind9/bin/named/notify.c
deleted file mode 100644
index e3c5b2a8987e..000000000000
--- a/contrib/bind9/bin/named/notify.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: notify.c,v 1.24.2.2.2.7 2004/08/28 06:25:30 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/log.h>
-#include <isc/print.h>
-
-#include <dns/message.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/log.h>
-#include <named/notify.h>
-
-/*
- * This module implements notify as in RFC 1996.
- */
-
-static void
-notify_log(ns_client_t *client, int level, const char *fmt, ...) {
- va_list ap;
-
- va_start(ap, fmt);
- ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY,
- level, fmt, ap);
- va_end(ap);
-}
-
-static void
-respond(ns_client_t *client, isc_result_t result) {
- dns_rcode_t rcode;
- dns_message_t *message;
- isc_result_t msg_result;
-
- message = client->message;
- rcode = dns_result_torcode(result);
-
- msg_result = dns_message_reply(message, ISC_TRUE);
- if (msg_result != ISC_R_SUCCESS)
- msg_result = dns_message_reply(message, ISC_FALSE);
- if (msg_result != ISC_R_SUCCESS) {
- ns_client_next(client, msg_result);
- return;
- }
- message->rcode = rcode;
- if (rcode == dns_rcode_noerror)
- message->flags |= DNS_MESSAGEFLAG_AA;
- else
- message->flags &= ~DNS_MESSAGEFLAG_AA;
- ns_client_send(client);
-}
-
-void
-ns_notify_start(ns_client_t *client) {
- dns_message_t *request = client->message;
- isc_result_t result;
- dns_name_t *zonename;
- dns_rdataset_t *zone_rdataset;
- dns_zone_t *zone = NULL;
- char namebuf[DNS_NAME_FORMATSIZE];
- char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
- dns_name_t *tsigname;
-
- /*
- * Interpret the question section.
- */
- result = dns_message_firstname(request, DNS_SECTION_QUESTION);
- if (result != ISC_R_SUCCESS) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section empty");
- goto formerr;
- }
-
- /*
- * The question section must contain exactly one question.
- */
- zonename = NULL;
- dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename);
- zone_rdataset = ISC_LIST_HEAD(zonename->list);
- if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section contains multiple RRs");
- goto formerr;
- }
-
- /* The zone section must have exactly one name. */
- result = dns_message_nextname(request, DNS_SECTION_ZONE);
- if (result != ISC_R_NOMORE) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section contains multiple RRs");
- goto formerr;
- }
-
- /* The one rdataset must be an SOA. */
- if (zone_rdataset->type != dns_rdatatype_soa) {
- notify_log(client, ISC_LOG_NOTICE,
- "notify question section contains no SOA");
- goto formerr;
- }
-
- tsigname = NULL;
- if (dns_message_gettsig(request, &tsigname) != NULL) {
- dns_name_format(tsigname, namebuf, sizeof(namebuf));
- snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf);
- } else
- tsigbuf[0] = '\0';
- dns_name_format(zonename, namebuf, sizeof(namebuf));
- result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
- &zone);
- if (result != ISC_R_SUCCESS)
- goto notauth;
-
- switch (dns_zone_gettype(zone)) {
- case dns_zone_master:
- case dns_zone_slave:
- case dns_zone_stub: /* Allow dialup passive to work. */
- notify_log(client, ISC_LOG_INFO,
- "received notify for zone '%s'%s", namebuf, tsigbuf);
- respond(client, dns_zone_notifyreceive(zone,
- ns_client_getsockaddr(client), request));
- break;
- default:
- goto notauth;
- }
- dns_zone_detach(&zone);
- return;
-
- notauth:
- notify_log(client, ISC_LOG_NOTICE,
- "received notify for zone '%s'%s: not authoritative",
- namebuf, tsigbuf);
- result = DNS_R_NOTAUTH;
- goto failure;
-
- formerr:
- result = DNS_R_FORMERR;
-
- failure:
- if (zone != NULL)
- dns_zone_detach(&zone);
- respond(client, result);
-}
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
deleted file mode 100644
index 75102fd1369d..000000000000
--- a/contrib/bind9/bin/named/query.c
+++ /dev/null
@@ -1,3553 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: query.c,v 1.198.2.13.4.36 2005/08/11 05:25:20 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/byaddr.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/message.h>
-#include <dns/order.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/stats.h>
-#include <dns/tkey.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/client.h>
-#include <named/log.h>
-#include <named/server.h>
-#include <named/sortlist.h>
-#include <named/xfrout.h>
-
-#define PARTIALANSWER(c) (((c)->query.attributes & \
- NS_QUERYATTR_PARTIALANSWER) != 0)
-#define USECACHE(c) (((c)->query.attributes & \
- NS_QUERYATTR_CACHEOK) != 0)
-#define RECURSIONOK(c) (((c)->query.attributes & \
- NS_QUERYATTR_RECURSIONOK) != 0)
-#define RECURSING(c) (((c)->query.attributes & \
- NS_QUERYATTR_RECURSING) != 0)
-#define CACHEGLUEOK(c) (((c)->query.attributes & \
- NS_QUERYATTR_CACHEGLUEOK) != 0)
-#define WANTRECURSION(c) (((c)->query.attributes & \
- NS_QUERYATTR_WANTRECURSION) != 0)
-#define WANTDNSSEC(c) (((c)->attributes & \
- NS_CLIENTATTR_WANTDNSSEC) != 0)
-#define NOAUTHORITY(c) (((c)->query.attributes & \
- NS_QUERYATTR_NOAUTHORITY) != 0)
-#define NOADDITIONAL(c) (((c)->query.attributes & \
- NS_QUERYATTR_NOADDITIONAL) != 0)
-#define SECURE(c) (((c)->query.attributes & \
- NS_QUERYATTR_SECURE) != 0)
-
-#if 0
-#define CTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_CLIENT, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "client %p: %s", client, (m))
-#define QTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "query %p: %s", query, (m))
-#else
-#define CTRACE(m) ((void)m)
-#define QTRACE(m) ((void)m)
-#endif
-
-#define DNS_GETDB_NOEXACT 0x01U
-#define DNS_GETDB_NOLOG 0x02U
-#define DNS_GETDB_PARTIAL 0x04U
-
-static void
-query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
-
-/*
- * Increment query statistics counters.
- */
-static inline void
-inc_stats(ns_client_t *client, dns_statscounter_t counter) {
- dns_zone_t *zone = client->query.authzone;
-
- REQUIRE(counter < DNS_STATS_NCOUNTERS);
-
- ns_g_server->querystats[counter]++;
-
- if (zone != NULL) {
- isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
- if (zonestats != NULL)
- zonestats[counter]++;
- }
-}
-
-static void
-query_send(ns_client_t *client) {
- dns_statscounter_t counter;
- if (client->message->rcode == dns_rcode_noerror) {
- if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
- if (client->query.isreferral) {
- counter = dns_statscounter_referral;
- } else {
- counter = dns_statscounter_nxrrset;
- }
- } else {
- counter = dns_statscounter_success;
- }
- } else if (client->message->rcode == dns_rcode_nxdomain) {
- counter = dns_statscounter_nxdomain;
- } else {
- /* We end up here in case of YXDOMAIN, and maybe others */
- counter = dns_statscounter_failure;
- }
- inc_stats(client, counter);
- ns_client_send(client);
-}
-
-static void
-query_error(ns_client_t *client, isc_result_t result) {
- inc_stats(client, dns_statscounter_failure);
- ns_client_error(client, result);
-}
-
-static void
-query_next(ns_client_t *client, isc_result_t result) {
- inc_stats(client, dns_statscounter_failure);
- ns_client_next(client, result);
-}
-
-static inline void
-query_maybeputqname(ns_client_t *client) {
- if (client->query.restarts > 0) {
- /*
- * client->query.qname was dynamically allocated.
- */
- dns_message_puttempname(client->message,
- &client->query.qname);
- client->query.qname = NULL;
- }
-}
-
-static inline void
-query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
- ns_dbversion_t *dbversion, *dbversion_next;
- unsigned int i;
-
- for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
- dbversion != NULL;
- dbversion = dbversion_next, i++)
- {
- dbversion_next = ISC_LIST_NEXT(dbversion, link);
- /*
- * If we're not freeing everything, we keep the first three
- * dbversions structures around.
- */
- if (i > 3 || everything) {
- ISC_LIST_UNLINK(client->query.freeversions, dbversion,
- link);
- isc_mem_put(client->mctx, dbversion,
- sizeof(*dbversion));
- }
- }
-}
-
-void
-ns_query_cancel(ns_client_t *client) {
- LOCK(&client->query.fetchlock);
- if (client->query.fetch != NULL) {
- dns_resolver_cancelfetch(client->query.fetch);
-
- client->query.fetch = NULL;
- }
- UNLOCK(&client->query.fetchlock);
-}
-
-static inline void
-query_reset(ns_client_t *client, isc_boolean_t everything) {
- isc_buffer_t *dbuf, *dbuf_next;
- ns_dbversion_t *dbversion, *dbversion_next;
-
- /*
- * Reset the query state of a client to its default state.
- */
-
- /*
- * Cancel the fetch if it's running.
- */
- ns_query_cancel(client);
-
- /*
- * Cleanup any active versions.
- */
- for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
- dbversion != NULL;
- dbversion = dbversion_next) {
- dbversion_next = ISC_LIST_NEXT(dbversion, link);
- dns_db_closeversion(dbversion->db, &dbversion->version,
- ISC_FALSE);
- dns_db_detach(&dbversion->db);
- ISC_LIST_INITANDAPPEND(client->query.freeversions,
- dbversion, link);
- }
- ISC_LIST_INIT(client->query.activeversions);
-
- if (client->query.authdb != NULL)
- dns_db_detach(&client->query.authdb);
- if (client->query.authzone != NULL)
- dns_zone_detach(&client->query.authzone);
-
- query_freefreeversions(client, everything);
-
- for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
- dbuf != NULL;
- dbuf = dbuf_next) {
- dbuf_next = ISC_LIST_NEXT(dbuf, link);
- if (dbuf_next != NULL || everything) {
- ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
- isc_buffer_free(&dbuf);
- }
- }
-
- query_maybeputqname(client);
-
- client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
- NS_QUERYATTR_CACHEOK |
- NS_QUERYATTR_SECURE);
- client->query.restarts = 0;
- client->query.timerset = ISC_FALSE;
- client->query.origqname = NULL;
- client->query.qname = NULL;
- client->query.dboptions = 0;
- client->query.fetchoptions = 0;
- client->query.gluedb = NULL;
- client->query.authdbset = ISC_FALSE;
- client->query.isreferral = ISC_FALSE;
-}
-
-static void
-query_next_callback(ns_client_t *client) {
- query_reset(client, ISC_FALSE);
-}
-
-void
-ns_query_free(ns_client_t *client) {
- query_reset(client, ISC_TRUE);
-}
-
-static inline isc_result_t
-query_newnamebuf(ns_client_t *client) {
- isc_buffer_t *dbuf;
- isc_result_t result;
-
- CTRACE("query_newnamebuf");
- /*
- * Allocate a name buffer.
- */
-
- dbuf = NULL;
- result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
- return (result);
- }
- ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
-
- CTRACE("query_newnamebuf: done");
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_buffer_t *
-query_getnamebuf(ns_client_t *client) {
- isc_buffer_t *dbuf;
- isc_result_t result;
- isc_region_t r;
-
- CTRACE("query_getnamebuf");
- /*
- * Return a name buffer with space for a maximal name, allocating
- * a new one if necessary.
- */
-
- if (ISC_LIST_EMPTY(client->query.namebufs)) {
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
- return (NULL);
- }
- }
-
- dbuf = ISC_LIST_TAIL(client->query.namebufs);
- INSIST(dbuf != NULL);
- isc_buffer_availableregion(dbuf, &r);
- if (r.length < 255) {
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
- return (NULL);
-
- }
- dbuf = ISC_LIST_TAIL(client->query.namebufs);
- isc_buffer_availableregion(dbuf, &r);
- INSIST(r.length >= 255);
- }
- CTRACE("query_getnamebuf: done");
- return (dbuf);
-}
-
-static inline void
-query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
- isc_region_t r;
-
- CTRACE("query_keepname");
- /*
- * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
- * adjusted to take account of that. We do the adjustment.
- */
-
- REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
-
- dns_name_toregion(name, &r);
- isc_buffer_add(dbuf, r.length);
- dns_name_setbuffer(name, NULL);
- client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
-}
-
-static inline void
-query_releasename(ns_client_t *client, dns_name_t **namep) {
- dns_name_t *name = *namep;
-
- /*
- * 'name' is no longer needed. Return it to our pool of temporary
- * names. If it is using a name buffer, relinquish its exclusive
- * rights on the buffer.
- */
-
- CTRACE("query_releasename");
- if (dns_name_hasbuffer(name)) {
- INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
- != 0);
- client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
- }
- dns_message_puttempname(client->message, namep);
- CTRACE("query_releasename: done");
-}
-
-static inline dns_name_t *
-query_newname(ns_client_t *client, isc_buffer_t *dbuf,
- isc_buffer_t *nbuf)
-{
- dns_name_t *name;
- isc_region_t r;
- isc_result_t result;
-
- REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
-
- CTRACE("query_newname");
- name = NULL;
- result = dns_message_gettempname(client->message, &name);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newname: dns_message_gettempname failed: done");
- return (NULL);
- }
- isc_buffer_availableregion(dbuf, &r);
- isc_buffer_init(nbuf, r.base, r.length);
- dns_name_init(name, NULL);
- dns_name_setbuffer(name, nbuf);
- client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
-
- CTRACE("query_newname: done");
- return (name);
-}
-
-static inline dns_rdataset_t *
-query_newrdataset(ns_client_t *client) {
- dns_rdataset_t *rdataset;
- isc_result_t result;
-
- CTRACE("query_newrdataset");
- rdataset = NULL;
- result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newrdataset: "
- "dns_message_gettemprdataset failed: done");
- return (NULL);
- }
- dns_rdataset_init(rdataset);
-
- CTRACE("query_newrdataset: done");
- return (rdataset);
-}
-
-static inline void
-query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
- dns_rdataset_t *rdataset = *rdatasetp;
-
- CTRACE("query_putrdataset");
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(client->message, rdatasetp);
- }
- CTRACE("query_putrdataset: done");
-}
-
-
-static inline isc_result_t
-query_newdbversion(ns_client_t *client, unsigned int n) {
- unsigned int i;
- ns_dbversion_t *dbversion;
-
- for (i = 0; i < n; i++) {
- dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
- if (dbversion != NULL) {
- dbversion->db = NULL;
- dbversion->version = NULL;
- ISC_LIST_INITANDAPPEND(client->query.freeversions,
- dbversion, link);
- } else {
- /*
- * We only return ISC_R_NOMEMORY if we couldn't
- * allocate anything.
- */
- if (i == 0)
- return (ISC_R_NOMEMORY);
- else
- return (ISC_R_SUCCESS);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static inline ns_dbversion_t *
-query_getdbversion(ns_client_t *client) {
- isc_result_t result;
- ns_dbversion_t *dbversion;
-
- if (ISC_LIST_EMPTY(client->query.freeversions)) {
- result = query_newdbversion(client, 1);
- if (result != ISC_R_SUCCESS)
- return (NULL);
- }
- dbversion = ISC_LIST_HEAD(client->query.freeversions);
- INSIST(dbversion != NULL);
- ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
-
- return (dbversion);
-}
-
-isc_result_t
-ns_query_init(ns_client_t *client) {
- isc_result_t result;
-
- ISC_LIST_INIT(client->query.namebufs);
- ISC_LIST_INIT(client->query.activeversions);
- ISC_LIST_INIT(client->query.freeversions);
- client->query.restarts = 0;
- client->query.timerset = ISC_FALSE;
- client->query.qname = NULL;
- result = isc_mutex_init(&client->query.fetchlock);
- if (result != ISC_R_SUCCESS)
- return (result);
- client->query.fetch = NULL;
- client->query.authdb = NULL;
- client->query.authzone = NULL;
- client->query.authdbset = ISC_FALSE;
- client->query.isreferral = ISC_FALSE;
- query_reset(client, ISC_FALSE);
- result = query_newdbversion(client, 3);
- if (result != ISC_R_SUCCESS) {
- DESTROYLOCK(&client->query.fetchlock);
- return (result);
- }
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS)
- query_freefreeversions(client, ISC_TRUE);
-
- return (result);
-}
-
-static inline ns_dbversion_t *
-query_findversion(ns_client_t *client, dns_db_t *db,
- isc_boolean_t *newzonep)
-{
- ns_dbversion_t *dbversion;
-
- /*
- * We may already have done a query related to this
- * database. If so, we must be sure to make subsequent
- * queries from the same version.
- */
- for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
- dbversion != NULL;
- dbversion = ISC_LIST_NEXT(dbversion, link)) {
- if (dbversion->db == db)
- break;
- }
-
- if (dbversion == NULL) {
- /*
- * This is a new zone for this query. Add it to
- * the active list.
- */
- dbversion = query_getdbversion(client);
- if (dbversion == NULL)
- return (NULL);
- dns_db_attach(db, &dbversion->db);
- dns_db_currentversion(db, &dbversion->version);
- dbversion->queryok = ISC_FALSE;
- ISC_LIST_APPEND(client->query.activeversions,
- dbversion, link);
- *newzonep = ISC_TRUE;
- } else
- *newzonep = ISC_FALSE;
-
- return (dbversion);
-}
-
-static inline isc_result_t
-query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp)
-{
- isc_result_t result;
- isc_boolean_t check_acl, new_zone;
- dns_acl_t *queryacl;
- ns_dbversion_t *dbversion;
- unsigned int ztoptions;
- dns_zone_t *zone = NULL;
- dns_db_t *db = NULL;
- isc_boolean_t partial = ISC_FALSE;
-
- REQUIRE(zonep != NULL && *zonep == NULL);
- REQUIRE(dbp != NULL && *dbp == NULL);
-
- /*
- * Find a zone database to answer the query.
- */
- ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
- DNS_ZTFIND_NOEXACT : 0;
-
- result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
- &zone);
- if (result == DNS_R_PARTIALMATCH)
- partial = ISC_TRUE;
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- result = dns_zone_getdb(zone, &db);
-
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- /*
- * This limits our searching to the zone where the first name
- * (the query target) was looked for. This prevents following
- * CNAMES or DNAMES into other zones and prevents returning
- * additional data from other zones.
- */
- if (!client->view->additionalfromauth &&
- client->query.authdbset &&
- db != client->query.authdb)
- goto refuse;
-
- /*
- * If the zone has an ACL, we'll check it, otherwise
- * we use the view's "allow-query" ACL. Each ACL is only checked
- * once per query.
- *
- * Also, get the database version to use.
- */
-
- check_acl = ISC_TRUE; /* Keep compiler happy. */
- queryacl = NULL;
-
- /*
- * Get the current version of this database.
- */
- dbversion = query_findversion(client, db, &new_zone);
- if (dbversion == NULL) {
- result = DNS_R_SERVFAIL;
- goto fail;
- }
- if (new_zone) {
- check_acl = ISC_TRUE;
- } else if (!dbversion->queryok) {
- goto refuse;
- } else {
- check_acl = ISC_FALSE;
- }
-
- queryacl = dns_zone_getqueryacl(zone);
- if (queryacl == NULL) {
- queryacl = client->view->queryacl;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOKVALID) != 0) {
- /*
- * We've evaluated the view's queryacl already. If
- * NS_QUERYATTR_QUERYOK is set, then the client is
- * allowed to make queries, otherwise the query should
- * be refused.
- */
- check_acl = ISC_FALSE;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOK) == 0)
- goto refuse;
- } else {
- /*
- * We haven't evaluated the view's queryacl yet.
- */
- check_acl = ISC_TRUE;
- }
- }
-
- if (check_acl) {
- isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-
- result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
- if (log) {
- char msg[NS_CLIENT_ACLMSGSIZE("query")];
- if (result == ISC_R_SUCCESS) {
- if (isc_log_wouldlog(ns_g_lctx,
- ISC_LOG_DEBUG(3)))
- {
- ns_client_aclmsg("query", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client,
- DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_DEBUG(3),
- "%s approved", msg);
- }
- } else {
- ns_client_aclmsg("query", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
- }
- }
-
- if (queryacl == client->view->queryacl) {
- if (result == ISC_R_SUCCESS) {
- /*
- * We were allowed by the default
- * "allow-query" ACL. Remember this so we
- * don't have to check again.
- */
- client->query.attributes |=
- NS_QUERYATTR_QUERYOK;
- }
- /*
- * We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_QUERYOK attribute is now valid.
- */
- client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
- }
-
- if (result != ISC_R_SUCCESS)
- goto refuse;
- }
-
- /* Approved. */
-
- /*
- * Remember the result of the ACL check so we
- * don't have to check again.
- */
- dbversion->queryok = ISC_TRUE;
-
- /* Transfer ownership. */
- *zonep = zone;
- *dbp = db;
- *versionp = dbversion->version;
-
- if (partial && (options & DNS_GETDB_PARTIAL) != 0)
- return (DNS_R_PARTIALMATCH);
- return (ISC_R_SUCCESS);
-
- refuse:
- result = DNS_R_REFUSED;
- fail:
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (db != NULL)
- dns_db_detach(&db);
-
- return (result);
-}
-
-static inline isc_result_t
-query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- dns_db_t **dbp, unsigned int options)
-{
- isc_result_t result;
- isc_boolean_t check_acl;
- dns_db_t *db = NULL;
-
- REQUIRE(dbp != NULL && *dbp == NULL);
-
- /*
- * Find a cache database to answer the query.
- * This may fail with DNS_R_REFUSED if the client
- * is not allowed to use the cache.
- */
-
- if (!USECACHE(client))
- return (DNS_R_REFUSED);
- dns_db_attach(client->view->cachedb, &db);
-
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOKVALID) != 0) {
- /*
- * We've evaluated the view's queryacl already. If
- * NS_QUERYATTR_QUERYOK is set, then the client is
- * allowed to make queries, otherwise the query should
- * be refused.
- */
- check_acl = ISC_FALSE;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOK) == 0)
- goto refuse;
- } else {
- /*
- * We haven't evaluated the view's queryacl yet.
- */
- check_acl = ISC_TRUE;
- }
-
- if (check_acl) {
- isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
- char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
-
- result = ns_client_checkaclsilent(client,
- client->view->queryacl,
- ISC_TRUE);
- if (result == ISC_R_SUCCESS) {
- /*
- * We were allowed by the default
- * "allow-query" ACL. Remember this so we
- * don't have to check again.
- */
- client->query.attributes |=
- NS_QUERYATTR_QUERYOK;
- if (log && isc_log_wouldlog(ns_g_lctx,
- ISC_LOG_DEBUG(3)))
- {
- ns_client_aclmsg("query (cache)", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client,
- DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_DEBUG(3),
- "%s approved", msg);
- }
- } else if (log) {
- ns_client_aclmsg("query (cache)", name, qtype,
- client->view->rdclass, msg,
- sizeof(msg));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
- }
- /*
- * We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_QUERYOK attribute is now valid.
- */
- client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
-
- if (result != ISC_R_SUCCESS)
- goto refuse;
- }
-
- /* Approved. */
-
- /* Transfer ownership. */
- *dbp = db;
-
- return (ISC_R_SUCCESS);
-
- refuse:
- result = DNS_R_REFUSED;
-
- if (db != NULL)
- dns_db_detach(&db);
-
- return (result);
-}
-
-
-static inline isc_result_t
-query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
-{
- isc_result_t result;
-
- result = query_getzonedb(client, name, qtype, options,
- zonep, dbp, versionp);
- if (result == ISC_R_SUCCESS) {
- *is_zonep = ISC_TRUE;
- } else if (result == ISC_R_NOTFOUND) {
- result = query_getcachedb(client, name, qtype, dbp, options);
- *is_zonep = ISC_FALSE;
- }
- return (result);
-}
-
-static inline isc_boolean_t
-query_isduplicate(ns_client_t *client, dns_name_t *name,
- dns_rdatatype_t type, dns_name_t **mnamep)
-{
- dns_section_t section;
- dns_name_t *mname = NULL;
- isc_result_t result;
-
- CTRACE("query_isduplicate");
-
- for (section = DNS_SECTION_ANSWER;
- section <= DNS_SECTION_ADDITIONAL;
- section++) {
- result = dns_message_findname(client->message, section,
- name, type, 0, &mname, NULL);
- if (result == ISC_R_SUCCESS) {
- /*
- * We've already got this RRset in the response.
- */
- CTRACE("query_isduplicate: true: done");
- return (ISC_TRUE);
- } else if (result == DNS_R_NXRRSET) {
- /*
- * The name exists, but the rdataset does not.
- */
- if (section == DNS_SECTION_ADDITIONAL)
- break;
- } else
- RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
- mname = NULL;
- }
-
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
- *mnamep = mname;
-
- CTRACE("query_isduplicate: false: done");
- return (ISC_FALSE);
-}
-
-static isc_result_t
-query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
- ns_client_t *client = arg;
- isc_result_t result, eresult;
- dns_dbnode_t *node;
- dns_db_t *db;
- dns_name_t *fname, *mname;
- dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
- isc_buffer_t *dbuf;
- isc_buffer_t b;
- dns_dbversion_t *version;
- isc_boolean_t added_something, need_addname;
- dns_zone_t *zone;
- dns_rdatatype_t type;
-
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(qtype != dns_rdatatype_any);
-
- if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
- return (ISC_R_SUCCESS);
-
- CTRACE("query_addadditional");
-
- /*
- * Initialization.
- */
- eresult = ISC_R_SUCCESS;
- fname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
- trdataset = NULL;
- db = NULL;
- version = NULL;
- node = NULL;
- added_something = ISC_FALSE;
- need_addname = ISC_FALSE;
- zone = NULL;
-
- /*
- * We treat type A additional section processing as if it
- * were "any address type" additional section processing.
- * To avoid multiple lookups, we do an 'any' database
- * lookup and iterate over the node.
- */
- if (qtype == dns_rdatatype_a)
- type = dns_rdatatype_any;
- else
- type = qtype;
-
- /*
- * Get some resources.
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL)
- goto cleanup;
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
- }
-
- /*
- * Look for a zone database that might contain authoritative
- * additional data.
- */
- result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
- &zone, &db, &version);
- if (result != ISC_R_SUCCESS)
- goto try_cache;
-
- CTRACE("query_addadditional: db_find");
-
- /*
- * Since we are looking for authoritative data, we do not set
- * the GLUEOK flag. Glue will be looked for later, but not
- * necessarily in the same database.
- */
- node = NULL;
- result = dns_db_find(db, name, version, type, client->query.dboptions,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (result == ISC_R_SUCCESS)
- goto found;
-
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- version = NULL;
- dns_db_detach(&db);
-
- /*
- * No authoritative data was found. The cache is our next best bet.
- */
-
- try_cache:
- result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
- if (result != ISC_R_SUCCESS)
- /*
- * Most likely the client isn't allowed to query the cache.
- */
- goto try_glue;
-
- result = dns_db_find(db, name, version, type, client->query.dboptions,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (result == ISC_R_SUCCESS)
- goto found;
-
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
-
- try_glue:
- /*
- * No cached data was found. Glue is our last chance.
- * RFC1035 sayeth:
- *
- * NS records cause both the usual additional section
- * processing to locate a type A record, and, when used
- * in a referral, a special search of the zone in which
- * they reside for glue information.
- *
- * This is the "special search". Note that we must search
- * the zone where the NS record resides, not the zone it
- * points to, and that we only do the search in the delegation
- * case (identified by client->query.gluedb being set).
- */
-
- if (client->query.gluedb == NULL)
- goto cleanup;
-
- /*
- * Don't poision caches using the bailiwick protection model.
- */
- if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
- goto cleanup;
-
- dns_db_attach(client->query.gluedb, &db);
- result = dns_db_find(db, name, version, type,
- client->query.dboptions | DNS_DBFIND_GLUEOK,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (!(result == ISC_R_SUCCESS ||
- result == DNS_R_ZONECUT ||
- result == DNS_R_GLUE))
- goto cleanup;
-
- found:
- /*
- * We have found a potential additional data rdataset, or
- * at least a node to iterate over.
- */
- query_keepname(client, fname, dbuf);
-
- /*
- * If we have an rdataset, add it to the additional data
- * section.
- */
- mname = NULL;
- if (dns_rdataset_isassociated(rdataset) &&
- !query_isduplicate(client, fname, type, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_APPEND(fname->list, rdataset, link);
- trdataset = rdataset;
- rdataset = NULL;
- added_something = ISC_TRUE;
- /*
- * Note: we only add SIGs if we've added the type they cover,
- * so we do not need to check if the SIG rdataset is already
- * in the response.
- */
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list, sigrdataset, link);
- sigrdataset = NULL;
- }
- }
-
- if (qtype == dns_rdatatype_a) {
- /*
- * We now go looking for A and AAAA records, along with
- * their signatures.
- *
- * XXXRTH This code could be more efficient.
- */
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- } else {
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- goto addname;
- }
- if (sigrdataset != NULL) {
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- } else if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto addname;
- }
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_a, 0,
- client->now, rdataset,
- sigrdataset);
- if (result == DNS_R_NCACHENXDOMAIN)
- goto addname;
- if (result == DNS_R_NCACHENXRRSET) {
- dns_rdataset_disassociate(rdataset);
- /*
- * Negative cache entries don't have sigrdatasets.
- */
- INSIST(sigrdataset == NULL ||
- ! dns_rdataset_isassociated(sigrdataset));
- }
- if (result == ISC_R_SUCCESS) {
- mname = NULL;
- if (!query_isduplicate(client, fname,
- dns_rdatatype_a, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_APPEND(fname->list, rdataset, link);
- added_something = ISC_TRUE;
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list,
- sigrdataset, link);
- sigrdataset =
- query_newrdataset(client);
- }
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- goto addname;
- if (WANTDNSSEC(client) && sigrdataset == NULL)
- goto addname;
- } else {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- }
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_aaaa, 0,
- client->now, rdataset,
- sigrdataset);
- if (result == DNS_R_NCACHENXDOMAIN)
- goto addname;
- if (result == DNS_R_NCACHENXRRSET) {
- dns_rdataset_disassociate(rdataset);
- INSIST(sigrdataset == NULL ||
- ! dns_rdataset_isassociated(sigrdataset));
- }
- if (result == ISC_R_SUCCESS) {
- mname = NULL;
- if (!query_isduplicate(client, fname,
- dns_rdatatype_aaaa, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_APPEND(fname->list, rdataset, link);
- added_something = ISC_TRUE;
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list,
- sigrdataset, link);
- sigrdataset = NULL;
- }
- rdataset = NULL;
- }
- }
- }
-
- addname:
- CTRACE("query_addadditional: addname");
- /*
- * If we haven't added anything, then we're done.
- */
- if (!added_something)
- goto cleanup;
-
- /*
- * We may have added our rdatasets to an existing name, if so, then
- * need_addname will be ISC_FALSE. Whether we used an existing name
- * or a new one, we must set fname to NULL to prevent cleanup.
- */
- if (need_addname)
- dns_message_addname(client->message, fname,
- DNS_SECTION_ADDITIONAL);
- fname = NULL;
-
- /*
- * In a few cases, we want to add additional data for additional
- * data. It's simpler to just deal with special cases here than
- * to try to create a general purpose mechanism and allow the
- * rdata implementations to do it themselves.
- *
- * This involves recursion, but the depth is limited. The
- * most complex case is adding a SRV rdataset, which involves
- * recursing to add address records, which in turn can cause
- * recursion to add KEYs.
- */
- if (type == dns_rdatatype_srv && trdataset != NULL) {
- /*
- * If we're adding SRV records to the additional data
- * section, it's helpful if we add the SRV additional data
- * as well.
- */
- eresult = dns_rdataset_additionaldata(trdataset,
- query_addadditional,
- client);
- }
-
- cleanup:
- CTRACE("query_addadditional: cleanup");
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- CTRACE("query_addadditional: done");
- return (eresult);
-}
-
-static inline void
-query_addrdataset(ns_client_t *client, dns_name_t *fname,
- dns_rdataset_t *rdataset)
-{
- /*
- * Add 'rdataset' and any pertinent additional data to
- * 'fname', a name in the response message for 'client'.
- */
-
- CTRACE("query_addrdataset");
-
- ISC_LIST_APPEND(fname->list, rdataset, link);
-
- if (client->view->order != NULL)
- rdataset->attributes |= dns_order_find(client->view->order,
- fname, rdataset->type,
- rdataset->rdclass);
- if (NOADDITIONAL(client))
- return;
-
- /*
- * Add additional data.
- *
- * We don't care if dns_rdataset_additionaldata() fails.
- */
- (void)dns_rdataset_additionaldata(rdataset,
- query_addadditional, client);
- CTRACE("query_addrdataset: done");
-}
-
-static void
-query_addrrset(ns_client_t *client, dns_name_t **namep,
- dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
- isc_buffer_t *dbuf, dns_section_t section)
-{
- dns_name_t *name, *mname;
- dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
- isc_result_t result;
-
- /*
- * To the current response for 'client', add the answer RRset
- * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
- * owner name '*namep', to section 'section', unless they are
- * already there. Also add any pertinent additional data.
- *
- * If 'dbuf' is not NULL, then '*namep' is the name whose data is
- * stored in 'dbuf'. In this case, query_addrrset() guarantees that
- * when it returns the name will either have been kept or released.
- */
- CTRACE("query_addrrset");
- name = *namep;
- rdataset = *rdatasetp;
- if (sigrdatasetp != NULL)
- sigrdataset = *sigrdatasetp;
- else
- sigrdataset = NULL;
- mname = NULL;
- mrdataset = NULL;
- result = dns_message_findname(client->message, section,
- name, rdataset->type, rdataset->covers,
- &mname, &mrdataset);
- if (result == ISC_R_SUCCESS) {
- /*
- * We've already got an RRset of the given name and type.
- * There's nothing else to do;
- */
- CTRACE("query_addrrset: dns_message_findname succeeded: done");
- if (dbuf != NULL)
- query_releasename(client, namep);
- return;
- } else if (result == DNS_R_NXDOMAIN) {
- /*
- * The name doesn't exist.
- */
- if (dbuf != NULL)
- query_keepname(client, name, dbuf);
- dns_message_addname(client->message, name, section);
- *namep = NULL;
- mname = name;
- } else {
- RUNTIME_CHECK(result == DNS_R_NXRRSET);
- if (dbuf != NULL)
- query_releasename(client, namep);
- }
-
- if (rdataset->trust != dns_trust_secure &&
- (section == DNS_SECTION_ANSWER ||
- section == DNS_SECTION_AUTHORITY))
- client->query.attributes &= ~NS_QUERYATTR_SECURE;
- /*
- * Note: we only add SIGs if we've added the type they cover, so
- * we do not need to check if the SIG rdataset is already in the
- * response.
- */
- query_addrdataset(client, mname, rdataset);
- *rdatasetp = NULL;
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
- /*
- * We have a signature. Add it to the response.
- */
- ISC_LIST_APPEND(mname->list, sigrdataset, link);
- *sigrdatasetp = NULL;
- }
- CTRACE("query_addrrset: done");
-}
-
-static inline isc_result_t
-query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) {
- dns_name_t *name, *fname;
- dns_dbnode_t *node;
- isc_result_t result, eresult;
- dns_fixedname_t foundname;
- dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
- dns_rdataset_t **sigrdatasetp = NULL;
-
- CTRACE("query_addsoa");
- /*
- * Initialization.
- */
- eresult = ISC_R_SUCCESS;
- name = NULL;
- rdataset = NULL;
- node = NULL;
- dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
-
- /*
- * Get resources and make 'name' be the database origin.
- */
- result = dns_message_gettempname(client->message, &name);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_init(name, NULL);
- dns_name_clone(dns_db_origin(db), name);
- rdataset = query_newrdataset(client);
- if (rdataset == NULL) {
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- }
-
- /*
- * Find the SOA.
- */
- result = dns_db_find(db, name, NULL, dns_rdatatype_soa,
- client->query.dboptions, 0, &node,
- fname, rdataset, sigrdataset);
- if (result != ISC_R_SUCCESS) {
- /*
- * This is bad. We tried to get the SOA RR at the zone top
- * and it didn't work!
- */
- eresult = DNS_R_SERVFAIL;
- } else {
- /*
- * Extract the SOA MINIMUM.
- */
- dns_rdata_soa_t soa;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- result = dns_rdataset_first(rdataset);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- if (zero_ttl) {
- rdataset->ttl = 0;
- if (sigrdataset != NULL)
- sigrdataset->ttl = 0;
- }
-
- /*
- * Add the SOA and its SIG to the response, with the
- * TTLs adjusted per RFC2308 section 3.
- */
- if (rdataset->ttl > soa.minimum)
- rdataset->ttl = soa.minimum;
- if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum)
- sigrdataset->ttl = soa.minimum;
-
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
- DNS_SECTION_AUTHORITY);
- }
-
- cleanup:
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (name != NULL)
- query_releasename(client, &name);
- if (node != NULL)
- dns_db_detachnode(db, &node);
-
- return (eresult);
-}
-
-static inline isc_result_t
-query_addns(ns_client_t *client, dns_db_t *db) {
- dns_name_t *name, *fname;
- dns_dbnode_t *node;
- isc_result_t result, eresult;
- dns_fixedname_t foundname;
- dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
- dns_rdataset_t **sigrdatasetp = NULL;
-
- CTRACE("query_addns");
- /*
- * Initialization.
- */
- eresult = ISC_R_SUCCESS;
- name = NULL;
- rdataset = NULL;
- node = NULL;
- dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
-
- /*
- * Get resources and make 'name' be the database origin.
- */
- result = dns_message_gettempname(client->message, &name);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addns: dns_message_gettempname failed: done");
- return (result);
- }
- dns_name_init(name, NULL);
- dns_name_clone(dns_db_origin(db), name);
- rdataset = query_newrdataset(client);
- if (rdataset == NULL) {
- CTRACE("query_addns: query_newrdataset failed");
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- CTRACE("query_addns: query_newrdataset failed");
- eresult = DNS_R_SERVFAIL;
- goto cleanup;
- }
- }
-
- /*
- * Find the NS rdataset.
- */
- CTRACE("query_addns: calling dns_db_find");
- result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
- client->query.dboptions, 0, &node,
- fname, rdataset, sigrdataset);
- CTRACE("query_addns: dns_db_find complete");
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addns: dns_db_find failed");
- /*
- * This is bad. We tried to get the NS rdataset at the zone
- * top and it didn't work!
- */
- eresult = DNS_R_SERVFAIL;
- } else {
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
- DNS_SECTION_AUTHORITY);
- }
-
- cleanup:
- CTRACE("query_addns: cleanup");
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (name != NULL)
- query_releasename(client, &name);
- if (node != NULL)
- dns_db_detachnode(db, &node);
-
- CTRACE("query_addns: done");
- return (eresult);
-}
-
-static inline isc_result_t
-query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
- dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
-{
- dns_rdataset_t *rdataset;
- dns_rdatalist_t *rdatalist;
- dns_rdata_t *rdata;
- isc_result_t result;
- isc_region_t r;
-
- /*
- * We assume the name data referred to by tname won't go away.
- */
-
- REQUIRE(anamep != NULL);
-
- rdatalist = NULL;
- result = dns_message_gettemprdatalist(client->message, &rdatalist);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdata = NULL;
- result = dns_message_gettemprdata(client->message, &rdata);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdataset = NULL;
- result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_init(rdataset);
- result = dns_name_dup(qname, client->mctx, *anamep);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttemprdataset(client->message, &rdataset);
- return (result);
- }
-
- rdatalist->type = type;
- rdatalist->covers = 0;
- rdatalist->rdclass = client->message->rdclass;
- rdatalist->ttl = 0;
-
- dns_name_toregion(tname, &r);
- rdata->data = r.base;
- rdata->length = r.length;
- rdata->rdclass = client->message->rdclass;
- rdata->type = type;
-
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
- == ISC_R_SUCCESS);
- rdataset->trust = trust;
-
- query_addrrset(client, anamep, &rdataset, NULL, NULL,
- DNS_SECTION_ANSWER);
-
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(client->message, &rdataset);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-query_addbestns(ns_client_t *client) {
- dns_db_t *db, *zdb;
- dns_dbnode_t *node;
- dns_name_t *fname, *zfname;
- dns_rdataset_t *rdataset, *sigrdataset, *zrdataset, *zsigrdataset;
- isc_boolean_t is_zone, use_zone;
- isc_buffer_t *dbuf;
- isc_result_t result;
- dns_dbversion_t *version;
- dns_zone_t *zone;
- isc_buffer_t b;
-
- CTRACE("query_addbestns");
- fname = NULL;
- zfname = NULL;
- rdataset = NULL;
- zrdataset = NULL;
- sigrdataset = NULL;
- zsigrdataset = NULL;
- node = NULL;
- db = NULL;
- zdb = NULL;
- version = NULL;
- zone = NULL;
- is_zone = ISC_FALSE;
- use_zone = ISC_FALSE;
-
- /*
- * Find the right database.
- */
- result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
- &zone, &db, &version, &is_zone);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- db_find:
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL)
- goto cleanup;
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
- }
-
- /*
- * Now look for the zonecut.
- */
- if (is_zone) {
- result = dns_db_find(db, client->query.qname, version,
- dns_rdatatype_ns, client->query.dboptions,
- client->now, &node, fname,
- rdataset, sigrdataset);
- if (result != DNS_R_DELEGATION)
- goto cleanup;
- if (USECACHE(client)) {
- query_keepname(client, fname, dbuf);
- zdb = db;
- zfname = fname;
- fname = NULL;
- zrdataset = rdataset;
- rdataset = NULL;
- zsigrdataset = sigrdataset;
- sigrdataset = NULL;
- dns_db_detachnode(db, &node);
- version = NULL;
- db = NULL;
- dns_db_attach(client->view->cachedb, &db);
- is_zone = ISC_FALSE;
- goto db_find;
- }
- } else {
- result = dns_db_findzonecut(db, client->query.qname,
- client->query.dboptions,
- client->now, &node, fname,
- rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS) {
- if (zfname != NULL &&
- !dns_name_issubdomain(fname, zfname)) {
- /*
- * We found a zonecut in the cache, but our
- * zone delegation is better.
- */
- use_zone = ISC_TRUE;
- }
- } else if (result == ISC_R_NOTFOUND && zfname != NULL) {
- /*
- * We didn't find anything in the cache, but we
- * have a zone delegation, so use it.
- */
- use_zone = ISC_TRUE;
- } else
- goto cleanup;
- }
-
- if (use_zone) {
- query_releasename(client, &fname);
- fname = zfname;
- zfname = NULL;
- /*
- * We've already done query_keepname() on
- * zfname, so we must set dbuf to NULL to
- * prevent query_addrrset() from trying to
- * call query_keepname() again.
- */
- dbuf = NULL;
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- rdataset = zrdataset;
- zrdataset = NULL;
- sigrdataset = zsigrdataset;
- zsigrdataset = NULL;
- }
-
- if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 &&
- (rdataset->trust == dns_trust_pending ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)))
- goto cleanup;
-
- if (WANTDNSSEC(client) && SECURE(client) &&
- (rdataset->trust == dns_trust_glue ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)))
- goto cleanup;
-
- query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
- DNS_SECTION_AUTHORITY);
-
- cleanup:
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (zdb != NULL) {
- query_putrdataset(client, &zrdataset);
- if (zsigrdataset != NULL)
- query_putrdataset(client, &zsigrdataset);
- if (zfname != NULL)
- query_releasename(client, &zfname);
- dns_db_detach(&zdb);
- }
-}
-
-static void
-query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) {
- dns_name_t *rname;
- dns_rdataset_t *rdataset, *sigrdataset;
- isc_result_t result;
-
- CTRACE("query_addds");
- rname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
-
- /*
- * We'll need some resources...
- */
- rdataset = query_newrdataset(client);
- sigrdataset = query_newrdataset(client);
- if (rdataset == NULL || sigrdataset == NULL)
- goto cleanup;
-
- /*
- * Look for the DS record, which may or may not be present.
- */
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0,
- client->now, rdataset, sigrdataset);
- /*
- * If we didn't find it, look for an NSEC. */
- if (result == ISC_R_NOTFOUND)
- result = dns_db_findrdataset(db, node, NULL,
- dns_rdatatype_nsec, 0, client->now,
- rdataset, sigrdataset);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
- goto cleanup;
- if (!dns_rdataset_isassociated(rdataset) ||
- !dns_rdataset_isassociated(sigrdataset))
- goto cleanup;
-
- /*
- * We've already added the NS record, so if the name's not there,
- * we have other problems. Use this name rather than calling
- * query_addrrset().
- */
- result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- rname = NULL;
- dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
- &rname);
- result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- ISC_LIST_APPEND(rname->list, rdataset, link);
- ISC_LIST_APPEND(rname->list, sigrdataset, link);
- rdataset = NULL;
- sigrdataset = NULL;
-
- cleanup:
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
-}
-
-static void
-query_addwildcardproof(ns_client_t *client, dns_db_t *db,
- dns_name_t *name, isc_boolean_t ispositive)
-{
- isc_buffer_t *dbuf, b;
- dns_name_t *fname;
- dns_rdataset_t *rdataset, *sigrdataset;
- dns_fixedname_t wfixed;
- dns_name_t *wname;
- dns_dbnode_t *node;
- unsigned int options;
- unsigned int olabels, nlabels;
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_nsec_t nsec;
- isc_boolean_t have_wname;
- int order;
-
- CTRACE("query_addwildcardproof");
- fname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
- node = NULL;
-
- /*
- * Get the NOQNAME proof then if !ispositve
- * get the NOWILDCARD proof.
- *
- * DNS_DBFIND_NOWILD finds the NSEC records that covers the
- * name ignoring any wildcard. From the owner and next names
- * of this record you can compute which wildcard (if it exists)
- * will match by finding the longest common suffix of the
- * owner name and next names with the qname and prefixing that
- * with the wildcard label.
- *
- * e.g.
- * Given:
- * example SOA
- * example NSEC b.example
- * b.example A
- * b.example NSEC a.d.example
- * a.d.example A
- * a.d.example NSEC g.f.example
- * g.f.example A
- * g.f.example NSEC z.i.example
- * z.i.example A
- * z.i.example NSEC example
- *
- * QNAME:
- * a.example -> example NSEC b.example
- * owner common example
- * next common example
- * wild *.example
- * d.b.example -> b.example NSEC a.d.example
- * owner common b.example
- * next common example
- * wild *.b.example
- * a.f.example -> a.d.example NSEC g.f.example
- * owner common example
- * next common f.example
- * wild *.f.example
- * j.example -> z.i.example NSEC example
- * owner common example
- * next common example
- * wild *.f.example
- */
- options = client->query.dboptions | DNS_DBFIND_NOWILD;
- dns_fixedname_init(&wfixed);
- wname = dns_fixedname_name(&wfixed);
- again:
- have_wname = ISC_FALSE;
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- sigrdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
- goto cleanup;
-
- result = dns_db_find(db, name, NULL, dns_rdatatype_nsec, options,
- 0, &node, fname, rdataset, sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (result == DNS_R_NXDOMAIN) {
- if (!ispositive)
- result = dns_rdataset_first(rdataset);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- }
- if (result == ISC_R_SUCCESS) {
- (void)dns_name_fullcompare(name, fname, &order,
- &olabels);
- (void)dns_name_fullcompare(name, &nsec.next, &order,
- &nlabels);
- if (olabels > nlabels)
- dns_name_split(name, olabels, NULL, wname);
- else
- dns_name_split(name, nlabels, NULL, wname);
- result = dns_name_concatenate(dns_wildcardname,
- wname, wname, NULL);
- if (result == ISC_R_SUCCESS)
- have_wname = ISC_TRUE;
- dns_rdata_freestruct(&nsec);
- }
- query_addrrset(client, &fname, &rdataset, &sigrdataset,
- dbuf, DNS_SECTION_AUTHORITY);
- }
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (have_wname) {
- ispositive = ISC_TRUE; /* prevent loop */
- if (!dns_name_equal(name, wname)) {
- name = wname;
- goto again;
- }
- }
- cleanup:
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
-}
-
-static void
-query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep,
- dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
-{
- dns_name_t *name;
- dns_rdataset_t *sigrdataset;
- dns_rdata_t sigrdata;
- dns_rdata_rrsig_t sig;
- unsigned int labels;
- isc_buffer_t *dbuf, b;
- dns_name_t *fname;
- isc_result_t result;
-
- name = *namep;
- if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
- query_addrrset(client, namep, rdatasetp, sigrdatasetp,
- NULL, DNS_SECTION_AUTHORITY);
- return;
- }
-
- if (sigrdatasetp == NULL)
- return;
- sigrdataset = *sigrdatasetp;
- if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
- return;
- result = dns_rdataset_first(sigrdataset);
- if (result != ISC_R_SUCCESS)
- return;
- dns_rdata_init(&sigrdata);
- dns_rdataset_current(sigrdataset, &sigrdata);
- result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
- if (result != ISC_R_SUCCESS)
- return;
-
- labels = dns_name_countlabels(name);
- if ((unsigned int)sig.labels + 1 >= labels)
- return;
-
- /* XXX */
- query_addwildcardproof(client, db,
- client->query.qname,
- ISC_TRUE);
-
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- return;
- fname = query_newname(client, dbuf, &b);
- if (fname == NULL)
- return;
- dns_name_split(name, sig.labels + 1, NULL, fname);
- /* This will succeed, since we've stripped labels. */
- RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
- NULL) == ISC_R_SUCCESS);
- query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
- dbuf, DNS_SECTION_AUTHORITY);
-}
-
-static void
-query_resume(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
- ns_client_t *client;
- isc_boolean_t fetch_cancelled, client_shuttingdown;
-
- /*
- * Resume a query after recursion.
- */
-
- UNUSED(task);
-
- REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
- client = devent->ev_arg;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(task == client->task);
- REQUIRE(RECURSING(client));
-
- LOCK(&client->query.fetchlock);
- if (client->query.fetch != NULL) {
- /*
- * This is the fetch we've been waiting for.
- */
- INSIST(devent->fetch == client->query.fetch);
- client->query.fetch = NULL;
- fetch_cancelled = ISC_FALSE;
- /*
- * Update client->now.
- */
- isc_stdtime_get(&client->now);
- } else {
- /*
- * This is a fetch completion event for a cancelled fetch.
- * Clean up and don't resume the find.
- */
- fetch_cancelled = ISC_TRUE;
- }
- UNLOCK(&client->query.fetchlock);
- INSIST(client->query.fetch == NULL);
-
- client->query.attributes &= ~NS_QUERYATTR_RECURSING;
- dns_resolver_destroyfetch(&devent->fetch);
-
- /*
- * If this client is shutting down, or this transaction
- * has timed out, do not resume the find.
- */
- client_shuttingdown = ns_client_shuttingdown(client);
- if (fetch_cancelled || client_shuttingdown) {
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- query_putrdataset(client, &devent->rdataset);
- if (devent->sigrdataset != NULL)
- query_putrdataset(client, &devent->sigrdataset);
- isc_event_free(&event);
- if (fetch_cancelled)
- query_error(client, DNS_R_SERVFAIL);
- else
- query_next(client, ISC_R_CANCELED);
- /*
- * This may destroy the client.
- */
- ns_client_detach(&client);
- } else {
- query_find(client, devent, 0);
- }
-}
-
-static isc_result_t
-query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
- dns_rdataset_t *nameservers)
-{
- isc_result_t result;
- dns_rdataset_t *rdataset, *sigrdataset;
-
- inc_stats(client, dns_statscounter_recursion);
-
- /*
- * We are about to recurse, which means that this client will
- * be unavailable for serving new requests for an indeterminate
- * amount of time. If this client is currently responsible
- * for handling incoming queries, set up a new client
- * object to handle them while we are waiting for a
- * response. There is no need to replace TCP clients
- * because those have already been replaced when the
- * connection was accepted (if allowed by the TCP quota).
- */
- if (client->recursionquota == NULL) {
- result = isc_quota_attach(&ns_g_server->recursionquota,
- &client->recursionquota);
- if (result == ISC_R_SOFTQUOTA) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
- "recursive-clients soft limit exceeded, "
- "aborting oldest query");
- ns_client_killoldestquery(client);
- result = ISC_R_SUCCESS;
- } else if (result == ISC_R_QUOTA) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
- "no more recursive clients: %s",
- isc_result_totext(result));
- ns_client_killoldestquery(client);
- }
- if (result == ISC_R_SUCCESS && !client->mortal &&
- (client->attributes & NS_CLIENTATTR_TCP) == 0) {
- result = ns_client_replace(client);
- if (result != ISC_R_SUCCESS) {
- ns_client_log(client, NS_LOGCATEGORY_CLIENT,
- NS_LOGMODULE_QUERY,
- ISC_LOG_WARNING,
- "ns_client_replace() failed: %s",
- isc_result_totext(result));
- isc_quota_detach(&client->recursionquota);
- }
- }
- if (result != ISC_R_SUCCESS)
- return (result);
- ns_client_recursing(client);
- }
-
- /*
- * Invoke the resolver.
- */
- REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
- REQUIRE(client->query.fetch == NULL);
-
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- return (ISC_R_NOMEMORY);
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- query_putrdataset(client, &rdataset);
- return (ISC_R_NOMEMORY);
- }
- } else
- sigrdataset = NULL;
-
- if (client->query.timerset == ISC_FALSE)
- ns_client_settimeout(client, 60);
- result = dns_resolver_createfetch(client->view->resolver,
- client->query.qname,
- qtype, qdomain, nameservers,
- NULL, client->query.fetchoptions,
- client->task,
- query_resume, client,
- rdataset, sigrdataset,
- &client->query.fetch);
-
- if (result == ISC_R_SUCCESS) {
- /*
- * Record that we're waiting for an event. A client which
- * is shutting down will not be destroyed until all the
- * events have been received.
- */
- } else {
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- }
-
- return (result);
-}
-
-#define MAX_RESTARTS 16
-
-#define QUERY_ERROR(r) \
-do { \
- eresult = r; \
- want_restart = ISC_FALSE; \
-} while (0)
-
-/*
- * Extract a network address from the RDATA of an A or AAAA
- * record.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
- */
-static isc_result_t
-rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
- struct in_addr ina;
- struct in6_addr in6a;
-
- switch (rdata->type) {
- case dns_rdatatype_a:
- INSIST(rdata->length == 4);
- memcpy(&ina.s_addr, rdata->data, 4);
- isc_netaddr_fromin(netaddr, &ina);
- return (ISC_R_SUCCESS);
- case dns_rdatatype_aaaa:
- INSIST(rdata->length == 16);
- memcpy(in6a.s6_addr, rdata->data, 16);
- isc_netaddr_fromin6(netaddr, &in6a);
- return (ISC_R_SUCCESS);
- default:
- return (ISC_R_NOTIMPLEMENTED);
- }
-}
-
-/*
- * Find the sort order of 'rdata' in the topology-like
- * ACL forming the second element in a 2-element top-level
- * sortlist statement.
- */
-static int
-query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
- isc_netaddr_t netaddr;
-
- if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
- return (INT_MAX);
- return (ns_sortlist_addrorder2(&netaddr, arg));
-}
-
-/*
- * Find the sort order of 'rdata' in the matching element
- * of a 1-element top-level sortlist statement.
- */
-static int
-query_sortlist_order_1element(dns_rdata_t *rdata, void *arg) {
- isc_netaddr_t netaddr;
-
- if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
- return (INT_MAX);
- return (ns_sortlist_addrorder1(&netaddr, arg));
-}
-
-/*
- * Find the sortlist statement that applies to 'client' and set up
- * the sortlist info in in client->message appropriately.
- */
-static void
-setup_query_sortlist(ns_client_t *client) {
- isc_netaddr_t netaddr;
- dns_rdatasetorderfunc_t order = NULL;
- void *order_arg = NULL;
-
- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
- switch (ns_sortlist_setup(client->view->sortlist,
- &netaddr, &order_arg)) {
- case NS_SORTLISTTYPE_1ELEMENT:
- order = query_sortlist_order_1element;
- break;
- case NS_SORTLISTTYPE_2ELEMENT:
- order = query_sortlist_order_2element;
- break;
- case NS_SORTLISTTYPE_NONE:
- order = NULL;
- break;
- default:
- INSIST(0);
- break;
- }
- dns_message_setsortorder(client->message, order, order_arg);
-}
-
-static void
-query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
- isc_buffer_t *dbuf, b;
- dns_name_t *fname;
- dns_rdataset_t *nsec, *nsecsig;
- isc_result_t result = ISC_R_NOMEMORY;
-
- CTRACE("query_addnoqnameproof");
-
- fname = NULL;
- nsec = NULL;
- nsecsig = NULL;
-
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- nsec = query_newrdataset(client);
- nsecsig = query_newrdataset(client);
- if (fname == NULL || nsec == NULL || nsecsig == NULL)
- goto cleanup;
-
- result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
- DNS_SECTION_AUTHORITY);
-
- cleanup:
- if (nsec != NULL)
- query_putrdataset(client, &nsec);
- if (nsecsig != NULL)
- query_putrdataset(client, &nsecsig);
- if (fname != NULL)
- query_releasename(client, &fname);
-}
-
-static inline void
-answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
- dns_name_t *name;
- dns_message_t *msg;
- dns_section_t section = DNS_SECTION_ADDITIONAL;
- dns_rdataset_t *rdataset = NULL;
-
- msg = client->message;
- for (name = ISC_LIST_HEAD(msg->sections[section]);
- name != NULL;
- name = ISC_LIST_NEXT(name, link))
- if (dns_name_equal(name, client->query.qname)) {
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- if (rdataset->type == qtype)
- break;
- break;
- }
- if (rdataset != NULL) {
- ISC_LIST_UNLINK(msg->sections[section], name, link);
- ISC_LIST_PREPEND(msg->sections[section], name, link);
- ISC_LIST_UNLINK(name->list, rdataset, link);
- ISC_LIST_PREPEND(name->list, rdataset, link);
- rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
- }
-}
-
-/*
- * Do the bulk of query processing for the current query of 'client'.
- * If 'event' is non-NULL, we are returning from recursion and 'qtype'
- * is ignored. Otherwise, 'qtype' is the query type.
- */
-static void
-query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
-{
- dns_db_t *db, *zdb;
- dns_dbnode_t *node;
- dns_rdatatype_t type;
- dns_name_t *fname, *zfname, *tname, *prefix;
- dns_rdataset_t *rdataset, *trdataset;
- dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
- dns_rdataset_t **sigrdatasetp;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdatasetiter_t *rdsiter;
- isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
- unsigned int n, nlabels;
- dns_namereln_t namereln;
- int order;
- isc_buffer_t *dbuf;
- isc_buffer_t b;
- isc_result_t result, eresult;
- dns_fixedname_t fixed;
- dns_fixedname_t wildcardname;
- dns_dbversion_t *version;
- dns_zone_t *zone;
- dns_rdata_cname_t cname;
- dns_rdata_dname_t dname;
- unsigned int options;
- isc_boolean_t empty_wild;
- dns_rdataset_t *noqname;
-
- CTRACE("query_find");
-
- /*
- * One-time initialization.
- *
- * It's especially important to initialize anything that the cleanup
- * code might cleanup.
- */
-
- eresult = ISC_R_SUCCESS;
- fname = NULL;
- zfname = NULL;
- rdataset = NULL;
- zrdataset = NULL;
- sigrdataset = NULL;
- zsigrdataset = NULL;
- node = NULL;
- db = NULL;
- zdb = NULL;
- version = NULL;
- zone = NULL;
- need_wildcardproof = ISC_FALSE;
- empty_wild = ISC_FALSE;
- options = 0;
-
- if (event != NULL) {
- /*
- * We're returning from recursion. Restore the query context
- * and resume.
- */
-
- want_restart = ISC_FALSE;
- authoritative = ISC_FALSE;
- is_zone = ISC_FALSE;
-
- qtype = event->qtype;
- if (qtype == dns_rdatatype_rrsig)
- type = dns_rdatatype_any;
- else
- type = qtype;
- db = event->db;
- node = event->node;
- rdataset = event->rdataset;
- sigrdataset = event->sigrdataset;
-
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- fname = query_newname(client, dbuf, &b);
- if (fname == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- tname = dns_fixedname_name(&event->foundname);
- result = dns_name_copy(tname, fname, NULL);
- if (result != ISC_R_SUCCESS) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
-
- result = event->result;
-
- goto resume;
- }
-
- /*
- * Not returning from recursion.
- */
-
- /*
- * If it's a SIG query, we'll iterate the node.
- */
- if (qtype == dns_rdatatype_rrsig)
- type = dns_rdatatype_any;
- else
- type = qtype;
-
- restart:
- CTRACE("query_find: restart");
- want_restart = ISC_FALSE;
- authoritative = ISC_FALSE;
- version = NULL;
- need_wildcardproof = ISC_FALSE;
-
- if (client->view->checknames &&
- !dns_rdata_checkowner(client->query.qname,
- client->message->rdclass,
- qtype, ISC_FALSE)) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typename[DNS_RDATATYPE_FORMATSIZE];
- char classname[DNS_RDATACLASS_FORMATSIZE];
-
- dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
- dns_rdatatype_format(qtype, typename, sizeof(typename));
- dns_rdataclass_format(client->message->rdclass, classname,
- sizeof(classname));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
- "check-names failure %s/%s/%s", namebuf,
- typename, classname);
- QUERY_ERROR(DNS_R_REFUSED);
- goto cleanup;
- }
-
- /*
- * First we must find the right database.
- */
- options = 0;
- if (dns_rdatatype_atparent(qtype) &&
- !dns_name_equal(client->query.qname, dns_rootname))
- options |= DNS_GETDB_NOEXACT;
- result = query_getdb(client, client->query.qname, qtype, options,
- &zone, &db, &version, &is_zone);
- if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
- (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
- /*
- * Look to see if we are authoritative for the
- * child zone if the query type is DS.
- */
- dns_db_t *tdb = NULL;
- dns_zone_t *tzone = NULL;
- dns_dbversion_t *tversion = NULL;
- isc_result_t tresult;
-
- tresult = query_getzonedb(client, client->query.qname, qtype,
- DNS_GETDB_PARTIAL, &tzone, &tdb,
- &tversion);
- if (tresult == ISC_R_SUCCESS) {
- options &= ~DNS_GETDB_NOEXACT;
- query_putrdataset(client, &rdataset);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- version = tversion;
- db = tdb;
- zone = tzone;
- is_zone = ISC_TRUE;
- result = ISC_R_SUCCESS;
- } else {
- if (tdb != NULL)
- dns_db_detach(&tdb);
- if (tzone != NULL)
- dns_zone_detach(&tzone);
- }
- }
- if (result != ISC_R_SUCCESS) {
- if (result == DNS_R_REFUSED)
- QUERY_ERROR(DNS_R_REFUSED);
- else
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
-
- if (is_zone)
- authoritative = ISC_TRUE;
-
- if (event == NULL && client->query.restarts == 0) {
- if (is_zone) {
- dns_zone_attach(zone, &client->query.authzone);
- dns_db_attach(db, &client->query.authdb);
- }
- client->query.authdbset = ISC_TRUE;
- }
-
- db_find:
- CTRACE("query_find: db_find");
- /*
- * We'll need some resources...
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- }
-
- /*
- * Now look for an answer in the database.
- */
- result = dns_db_find(db, client->query.qname, version, type,
- client->query.dboptions, client->now,
- &node, fname, rdataset, sigrdataset);
-
- resume:
- CTRACE("query_find: resume");
- switch (result) {
- case ISC_R_SUCCESS:
- /*
- * This case is handled in the main line below.
- */
- break;
- case DNS_R_GLUE:
- case DNS_R_ZONECUT:
- /*
- * These cases are handled in the main line below.
- */
- INSIST(is_zone);
- authoritative = ISC_FALSE;
- break;
- case ISC_R_NOTFOUND:
- /*
- * The cache doesn't even have the root NS. Get them from
- * the hints DB.
- */
- INSIST(!is_zone);
- if (db != NULL)
- dns_db_detach(&db);
-
- if (client->view->hints == NULL) {
- /* We have no hints. */
- result = ISC_R_FAILURE;
- } else {
- dns_db_attach(client->view->hints, &db);
- result = dns_db_find(db, dns_rootname,
- NULL, dns_rdatatype_ns,
- 0, client->now, &node, fname,
- rdataset, sigrdataset);
- }
- if (result != ISC_R_SUCCESS) {
- /*
- * Nonsensical root hints may require cleanup.
- */
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
-
- /*
- * We don't have any root server hints, but
- * we may have working forwarders, so try to
- * recurse anyway.
- */
- if (RECURSIONOK(client)) {
- result = query_recurse(client, qtype,
- NULL, NULL);
- if (result == ISC_R_SUCCESS)
- client->query.attributes |=
- NS_QUERYATTR_RECURSING;
- else {
- /* Unable to recurse. */
- QUERY_ERROR(DNS_R_SERVFAIL);
- }
- goto cleanup;
- } else {
- /* Unable to give root server referral. */
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- }
- /*
- * XXXRTH We should trigger root server priming here.
- */
- /* FALLTHROUGH */
- case DNS_R_DELEGATION:
- authoritative = ISC_FALSE;
- if (is_zone) {
- /*
- * Look to see if we are authoritative for the
- * child zone if the query type is DS.
- */
- if (!RECURSIONOK(client) &&
- (options & DNS_GETDB_NOEXACT) != 0 &&
- qtype == dns_rdatatype_ds) {
- dns_db_t *tdb = NULL;
- dns_zone_t *tzone = NULL;
- dns_dbversion_t *tversion = NULL;
- result = query_getzonedb(client,
- client->query.qname,
- qtype,
- DNS_GETDB_PARTIAL,
- &tzone, &tdb,
- &tversion);
- if (result == ISC_R_SUCCESS) {
- options &= ~DNS_GETDB_NOEXACT;
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client,
- &sigrdataset);
- if (fname != NULL)
- query_releasename(client,
- &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- version = tversion;
- db = tdb;
- zone = tzone;
- authoritative = ISC_TRUE;
- goto db_find;
- }
- if (tdb != NULL)
- dns_db_detach(&tdb);
- if (tzone != NULL)
- dns_zone_detach(&tzone);
- }
- /*
- * We're authoritative for an ancestor of QNAME.
- */
- if (!USECACHE(client) || !RECURSIONOK(client)) {
- /*
- * If we don't have a cache, this is the best
- * answer.
- *
- * If the client is making a nonrecursive
- * query we always give out the authoritative
- * delegation. This way even if we get
- * junk in our cache, we won't fail in our
- * role as the delegating authority if another
- * nameserver asks us about a delegated
- * subzone.
- *
- * We enable the retrieval of glue for this
- * database by setting client->query.gluedb.
- */
- client->query.gluedb = db;
- client->query.isreferral = ISC_TRUE;
- /*
- * We must ensure NOADDITIONAL is off,
- * because the generation of
- * additional data is required in
- * delegations.
- */
- client->query.attributes &=
- ~NS_QUERYATTR_NOADDITIONAL;
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- query_addrrset(client, &fname,
- &rdataset, sigrdatasetp,
- dbuf, DNS_SECTION_AUTHORITY);
- client->query.gluedb = NULL;
- if (WANTDNSSEC(client) && dns_db_issecure(db))
- query_addds(client, db, node);
- } else {
- /*
- * We might have a better answer or delegation
- * in the cache. We'll remember the current
- * values of fname, rdataset, and sigrdataset.
- * We'll then go looking for QNAME in the
- * cache. If we find something better, we'll
- * use it instead.
- */
- query_keepname(client, fname, dbuf);
- zdb = db;
- zfname = fname;
- fname = NULL;
- zrdataset = rdataset;
- rdataset = NULL;
- zsigrdataset = sigrdataset;
- sigrdataset = NULL;
- dns_db_detachnode(db, &node);
- version = NULL;
- db = NULL;
- dns_db_attach(client->view->cachedb, &db);
- is_zone = ISC_FALSE;
- goto db_find;
- }
- } else {
- if (zfname != NULL &&
- !dns_name_issubdomain(fname, zfname)) {
- /*
- * We've already got a delegation from
- * authoritative data, and it is better
- * than what we found in the cache. Use
- * it instead of the cache delegation.
- */
- query_releasename(client, &fname);
- fname = zfname;
- zfname = NULL;
- /*
- * We've already done query_keepname() on
- * zfname, so we must set dbuf to NULL to
- * prevent query_addrrset() from trying to
- * call query_keepname() again.
- */
- dbuf = NULL;
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client,
- &sigrdataset);
- rdataset = zrdataset;
- zrdataset = NULL;
- sigrdataset = zsigrdataset;
- zsigrdataset = NULL;
- /*
- * We don't clean up zdb here because we
- * may still need it. It will get cleaned
- * up by the main cleanup code.
- */
- }
-
- if (RECURSIONOK(client)) {
- /*
- * Recurse!
- */
- if (dns_rdatatype_atparent(type))
- result = query_recurse(client, qtype,
- NULL, NULL);
- else
- result = query_recurse(client, qtype,
- fname, rdataset);
- if (result == ISC_R_SUCCESS)
- client->query.attributes |=
- NS_QUERYATTR_RECURSING;
- else
- QUERY_ERROR(DNS_R_SERVFAIL);
- } else {
- /*
- * This is the best answer.
- */
- client->query.attributes |=
- NS_QUERYATTR_CACHEGLUEOK;
- client->query.gluedb = zdb;
- client->query.isreferral = ISC_TRUE;
- /*
- * We must ensure NOADDITIONAL is off,
- * because the generation of
- * additional data is required in
- * delegations.
- */
- client->query.attributes &=
- ~NS_QUERYATTR_NOADDITIONAL;
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- query_addrrset(client, &fname,
- &rdataset, sigrdatasetp,
- dbuf, DNS_SECTION_AUTHORITY);
- client->query.gluedb = NULL;
- client->query.attributes &=
- ~NS_QUERYATTR_CACHEGLUEOK;
- if (WANTDNSSEC(client))
- query_addds(client, db, node);
- }
- }
- goto cleanup;
- case DNS_R_EMPTYNAME:
- result = DNS_R_NXRRSET;
- /* FALLTHROUGH */
- case DNS_R_NXRRSET:
- INSIST(is_zone);
- if (dns_rdataset_isassociated(rdataset)) {
- /*
- * If we've got a NSEC record, we need to save the
- * name now because we're going call query_addsoa()
- * below, and it needs to use the name buffer.
- */
- query_keepname(client, fname, dbuf);
- } else {
- /*
- * We're not going to use fname, and need to release
- * our hold on the name buffer so query_addsoa()
- * may use it.
- */
- query_releasename(client, &fname);
- }
- /*
- * Add SOA.
- */
- result = query_addsoa(client, db, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- QUERY_ERROR(result);
- goto cleanup;
- }
- /*
- * Add NSEC record if we found one.
- */
- if (WANTDNSSEC(client)) {
- if (dns_rdataset_isassociated(rdataset))
- query_addnxrrsetnsec(client, db, &fname,
- &rdataset, &sigrdataset);
- }
- goto cleanup;
- case DNS_R_EMPTYWILD:
- empty_wild = ISC_TRUE;
- /* FALLTHROUGH */
- case DNS_R_NXDOMAIN:
- INSIST(is_zone);
- if (dns_rdataset_isassociated(rdataset)) {
- /*
- * If we've got a NSEC record, we need to save the
- * name now because we're going call query_addsoa()
- * below, and it needs to use the name buffer.
- */
- query_keepname(client, fname, dbuf);
- } else {
- /*
- * We're not going to use fname, and need to release
- * our hold on the name buffer so query_addsoa()
- * may use it.
- */
- query_releasename(client, &fname);
- }
- /*
- * Add SOA. If the query was for a SOA record force the
- * ttl to zero so that it is possible for clients to find
- * the containing zone of an arbitrary name with a stub
- * resolver and not have it cached.
- */
- if (qtype == dns_rdatatype_soa)
- result = query_addsoa(client, db, ISC_TRUE);
- else
- result = query_addsoa(client, db, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- QUERY_ERROR(result);
- goto cleanup;
- }
- /*
- * Add NSEC record if we found one.
- */
- if (dns_rdataset_isassociated(rdataset)) {
- if (WANTDNSSEC(client)) {
- query_addrrset(client, &fname, &rdataset,
- &sigrdataset,
- NULL, DNS_SECTION_AUTHORITY);
- query_addwildcardproof(client, db,
- client->query.qname,
- ISC_FALSE);
- }
- }
- /*
- * Set message rcode.
- */
- if (empty_wild)
- client->message->rcode = dns_rcode_noerror;
- else
- client->message->rcode = dns_rcode_nxdomain;
- goto cleanup;
- case DNS_R_NCACHENXDOMAIN:
- case DNS_R_NCACHENXRRSET:
- INSIST(!is_zone);
- authoritative = ISC_FALSE;
- /*
- * Set message rcode, if required.
- */
- if (result == DNS_R_NCACHENXDOMAIN)
- client->message->rcode = dns_rcode_nxdomain;
- /*
- * We don't call query_addrrset() because we don't need any
- * of its extra features (and things would probably break!).
- */
- query_keepname(client, fname, dbuf);
- dns_message_addname(client->message, fname,
- DNS_SECTION_AUTHORITY);
- ISC_LIST_APPEND(fname->list, rdataset, link);
- fname = NULL;
- rdataset = NULL;
- goto cleanup;
- case DNS_R_CNAME:
- /*
- * Keep a copy of the rdataset. We have to do this because
- * query_addrrset may clear 'rdataset' (to prevent the
- * cleanup code from cleaning it up).
- */
- trdataset = rdataset;
- /*
- * Add the CNAME to the answer section.
- */
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- if (WANTDNSSEC(client) &&
- (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
- {
- dns_fixedname_init(&wildcardname);
- dns_name_copy(fname, dns_fixedname_name(&wildcardname),
- NULL);
- need_wildcardproof = ISC_TRUE;
- }
- if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
- WANTDNSSEC(client))
- noqname = rdataset;
- else
- noqname = NULL;
- query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
- DNS_SECTION_ANSWER);
- if (noqname != NULL)
- query_addnoqnameproof(client, noqname);
- /*
- * We set the PARTIALANSWER attribute so that if anything goes
- * wrong later on, we'll return what we've got so far.
- */
- client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
- /*
- * Reset qname to be the target name of the CNAME and restart
- * the query.
- */
- tname = NULL;
- result = dns_message_gettempname(client->message, &tname);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_rdataset_first(trdataset);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(client->message, &tname);
- goto cleanup;
- }
- dns_rdataset_current(trdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &cname, NULL);
- dns_rdata_reset(&rdata);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(client->message, &tname);
- goto cleanup;
- }
- dns_name_init(tname, NULL);
- result = dns_name_dup(&cname.cname, client->mctx, tname);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(client->message, &tname);
- dns_rdata_freestruct(&cname);
- goto cleanup;
- }
- dns_rdata_freestruct(&cname);
- query_maybeputqname(client);
- client->query.qname = tname;
- want_restart = ISC_TRUE;
- goto addauth;
- case DNS_R_DNAME:
- /*
- * Compare the current qname to the found name. We need
- * to know how many labels and bits are in common because
- * we're going to have to split qname later on.
- */
- namereln = dns_name_fullcompare(client->query.qname, fname,
- &order, &nlabels);
- INSIST(namereln == dns_namereln_subdomain);
- /*
- * Keep a copy of the rdataset. We have to do this because
- * query_addrrset may clear 'rdataset' (to prevent the
- * cleanup code from cleaning it up).
- */
- trdataset = rdataset;
- /*
- * Add the DNAME to the answer section.
- */
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- if (WANTDNSSEC(client) &&
- (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
- {
- dns_fixedname_init(&wildcardname);
- dns_name_copy(fname, dns_fixedname_name(&wildcardname),
- NULL);
- need_wildcardproof = ISC_TRUE;
- }
- query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
- DNS_SECTION_ANSWER);
- /*
- * We set the PARTIALANSWER attribute so that if anything goes
- * wrong later on, we'll return what we've got so far.
- */
- client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
- /*
- * Get the target name of the DNAME.
- */
- tname = NULL;
- result = dns_message_gettempname(client->message, &tname);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_rdataset_first(trdataset);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(client->message, &tname);
- goto cleanup;
- }
- dns_rdataset_current(trdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
- dns_rdata_reset(&rdata);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(client->message, &tname);
- goto cleanup;
- }
- dns_name_init(tname, NULL);
- dns_name_clone(&dname.dname, tname);
- dns_rdata_freestruct(&dname);
- /*
- * Construct the new qname.
- */
- dns_fixedname_init(&fixed);
- prefix = dns_fixedname_name(&fixed);
- dns_name_split(client->query.qname, nlabels, prefix, NULL);
- INSIST(fname == NULL);
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL) {
- dns_message_puttempname(client->message, &tname);
- goto cleanup;
- }
- fname = query_newname(client, dbuf, &b);
- if (fname == NULL) {
- dns_message_puttempname(client->message, &tname);
- goto cleanup;
- }
- result = dns_name_concatenate(prefix, tname, fname, NULL);
- if (result != ISC_R_SUCCESS) {
- dns_message_puttempname(client->message, &tname);
- if (result == ISC_R_NOSPACE) {
- /*
- * RFC 2672, section 4.1, subsection 3c says
- * we should return YXDOMAIN if the constructed
- * name would be too long.
- */
- client->message->rcode = dns_rcode_yxdomain;
- }
- goto cleanup;
- }
- query_keepname(client, fname, dbuf);
- /*
- * Synthesize a CNAME for this DNAME.
- *
- * We want to synthesize a CNAME since if we don't
- * then older software that doesn't understand DNAME
- * will not chain like it should.
- *
- * We do not try to synthesize a signature because we hope
- * that security aware servers will understand DNAME. Also,
- * even if we had an online key, making a signature
- * on-the-fly is costly, and not really legitimate anyway
- * since the synthesized CNAME is NOT in the zone.
- */
- dns_name_init(tname, NULL);
- (void)query_addcnamelike(client, client->query.qname, fname,
- trdataset->trust, &tname,
- dns_rdatatype_cname);
- if (tname != NULL)
- dns_message_puttempname(client->message, &tname);
- /*
- * Switch to the new qname and restart.
- */
- query_maybeputqname(client);
- client->query.qname = fname;
- fname = NULL;
- want_restart = ISC_TRUE;
- goto addauth;
- default:
- /*
- * Something has gone wrong.
- */
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
-
- if (WANTDNSSEC(client) &&
- (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
- {
- dns_fixedname_init(&wildcardname);
- dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL);
- need_wildcardproof = ISC_TRUE;
- }
-
- if (type == dns_rdatatype_any) {
- /*
- * XXXRTH Need to handle zonecuts with special case
- * code.
- */
- n = 0;
- rdsiter = NULL;
- result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
- if (result != ISC_R_SUCCESS) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- /*
- * Calling query_addrrset() with a non-NULL dbuf is going
- * to either keep or release the name. We don't want it to
- * release fname, since we may have to call query_addrrset()
- * more than once. That means we have to call query_keepname()
- * now, and pass a NULL dbuf to query_addrrset().
- *
- * If we do a query_addrrset() below, we must set fname to
- * NULL before leaving this block, otherwise we might try to
- * cleanup fname even though we're using it!
- */
- query_keepname(client, fname, dbuf);
- tname = fname;
- result = dns_rdatasetiter_first(rdsiter);
- while (result == ISC_R_SUCCESS) {
- dns_rdatasetiter_current(rdsiter, rdataset);
- if ((qtype == dns_rdatatype_any ||
- rdataset->type == qtype) && rdataset->type != 0) {
- query_addrrset(client,
- fname != NULL ? &fname : &tname,
- &rdataset, NULL,
- NULL, DNS_SECTION_ANSWER);
- n++;
- INSIST(tname != NULL);
- /*
- * rdataset is non-NULL only in certain pathological
- * cases involving DNAMEs.
- */
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- break;
- } else {
- /*
- * We're not interested in this rdataset.
- */
- dns_rdataset_disassociate(rdataset);
- }
- result = dns_rdatasetiter_next(rdsiter);
- }
-
- if (fname != NULL)
- dns_message_puttempname(client->message, &fname);
-
- if (n == 0) {
- /*
- * We didn't match any rdatasets.
- */
- if (qtype == dns_rdatatype_rrsig &&
- result == ISC_R_NOMORE) {
- /*
- * XXXRTH If this is a secure zone and we
- * didn't find any SIGs, we should generate
- * an error unless we were searching for
- * glue. Ugh.
- */
- /*
- * We were searching for SIG records in
- * a nonsecure zone. Send a "no error,
- * no data" response.
- */
- /*
- * Add SOA.
- */
- result = query_addsoa(client, db, ISC_FALSE);
- if (result == ISC_R_SUCCESS)
- result = ISC_R_NOMORE;
- } else {
- /*
- * Something went wrong.
- */
- result = DNS_R_SERVFAIL;
- }
- }
- dns_rdatasetiter_destroy(&rdsiter);
- if (result != ISC_R_NOMORE) {
- QUERY_ERROR(DNS_R_SERVFAIL);
- goto cleanup;
- }
- } else {
- /*
- * This is the "normal" case -- an ordinary question to which
- * we know the answer.
- */
- if (sigrdataset != NULL)
- sigrdatasetp = &sigrdataset;
- else
- sigrdatasetp = NULL;
- if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
- WANTDNSSEC(client))
- noqname = rdataset;
- else
- noqname = NULL;
- query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
- DNS_SECTION_ANSWER);
- if (noqname != NULL)
- query_addnoqnameproof(client, noqname);
- /*
- * We shouldn't ever fail to add 'rdataset'
- * because it's already in the answer.
- */
- INSIST(rdataset == NULL);
- }
-
- addauth:
- CTRACE("query_find: addauth");
- /*
- * Add NS records to the authority section (if we haven't already
- * added them to the answer section).
- */
- if (!want_restart && !NOAUTHORITY(client)) {
- if (is_zone) {
- if (!((qtype == dns_rdatatype_ns ||
- qtype == dns_rdatatype_any) &&
- dns_name_equal(client->query.qname,
- dns_db_origin(db))))
- (void)query_addns(client, db);
- } else if (qtype != dns_rdatatype_ns) {
- if (fname != NULL)
- query_releasename(client, &fname);
- query_addbestns(client);
- }
- }
-
- /*
- * Add NSEC records to the authority section if they're needed for
- * DNSSEC wildcard proofs.
- */
- if (need_wildcardproof && dns_db_issecure(db))
- query_addwildcardproof(client, db,
- dns_fixedname_name(&wildcardname),
- ISC_TRUE);
- cleanup:
- CTRACE("query_find: cleanup");
- /*
- * General cleanup.
- */
- if (rdataset != NULL)
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (zdb != NULL) {
- query_putrdataset(client, &zrdataset);
- if (zsigrdataset != NULL)
- query_putrdataset(client, &zsigrdataset);
- if (zfname != NULL)
- query_releasename(client, &zfname);
- dns_db_detach(&zdb);
- }
- if (event != NULL)
- isc_event_free(ISC_EVENT_PTR(&event));
-
- /*
- * AA bit.
- */
- if (client->query.restarts == 0 && !authoritative) {
- /*
- * We're not authoritative, so we must ensure the AA bit
- * isn't set.
- */
- client->message->flags &= ~DNS_MESSAGEFLAG_AA;
- }
-
- /*
- * Restart the query?
- */
- if (want_restart && client->query.restarts < MAX_RESTARTS) {
- client->query.restarts++;
- goto restart;
- }
-
- if (eresult != ISC_R_SUCCESS &&
- (!PARTIALANSWER(client) || WANTRECURSION(client))) {
- /*
- * If we don't have any answer to give the client,
- * or if the client requested recursion and thus wanted
- * the complete answer, send an error response.
- */
- query_error(client, eresult);
- ns_client_detach(&client);
- } else if (!RECURSING(client)) {
- /*
- * We are done. Set up sortlist data for the message
- * rendering code, make a final tweak to the AA bit if the
- * auth-nxdomain config option says so, then render and
- * send the response.
- */
- setup_query_sortlist(client);
-
- /*
- * If this is a referral and the answer to the question
- * is in the glue sort it to the start of the additional
- * section.
- */
- if (client->message->counts[DNS_SECTION_ANSWER] == 0 &&
- client->message->rcode == dns_rcode_noerror &&
- (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
- answer_in_glue(client, qtype);
-
- if (client->message->rcode == dns_rcode_nxdomain &&
- client->view->auth_nxdomain == ISC_TRUE)
- client->message->flags |= DNS_MESSAGEFLAG_AA;
-
- query_send(client);
- ns_client_detach(&client);
- }
- CTRACE("query_find: done");
-}
-
-static inline void
-log_query(ns_client_t *client) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typename[DNS_RDATATYPE_FORMATSIZE];
- char classname[DNS_RDATACLASS_FORMATSIZE];
- dns_rdataset_t *rdataset;
- int level = ISC_LOG_INFO;
-
- if (! isc_log_wouldlog(ns_g_lctx, level))
- return;
-
- rdataset = ISC_LIST_HEAD(client->query.qname->list);
- INSIST(rdataset != NULL);
- dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
- dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
- dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
-
- ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
- level, "query: %s %s %s %s%s%s", namebuf, classname,
- typename, WANTRECURSION(client) ? "+" : "-",
- (client->signer != NULL) ? "S": "",
- (client->opt != NULL) ? "E" : "");
-}
-
-void
-ns_query_start(ns_client_t *client) {
- isc_result_t result;
- dns_message_t *message = client->message;
- dns_rdataset_t *rdataset;
- ns_client_t *qclient;
- dns_rdatatype_t qtype;
-
- CTRACE("ns_query_start");
-
- /*
- * Ensure that appropriate cleanups occur.
- */
- client->next = query_next_callback;
-
- /*
- * Behave as if we don't support DNSSEC if not enabled.
- */
- if (!client->view->enablednssec) {
- message->flags &= ~DNS_MESSAGEFLAG_CD;
- client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
- }
-
- if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
- client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
-
- if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
- client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
-
- if (client->view->minimalresponses)
- client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
- NS_QUERYATTR_NOADDITIONAL);
-
- if ((client->view->cachedb == NULL)
- || (!client->view->additionalfromcache)) {
- /*
- * We don't have a cache. Turn off cache support and
- * recursion.
- */
- client->query.attributes &=
- ~(NS_QUERYATTR_RECURSIONOK|NS_QUERYATTR_CACHEOK);
- } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
- (message->flags & DNS_MESSAGEFLAG_RD) == 0) {
- /*
- * If the client isn't allowed to recurse (due to
- * "recursion no", the allow-recursion ACL, or the
- * lack of a resolver in this view), or if it
- * doesn't want recursion, turn recursion off.
- */
- client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
- }
-
- /*
- * Get the question name.
- */
- result = dns_message_firstname(message, DNS_SECTION_QUESTION);
- if (result != ISC_R_SUCCESS) {
- query_error(client, result);
- return;
- }
- dns_message_currentname(message, DNS_SECTION_QUESTION,
- &client->query.qname);
- client->query.origqname = client->query.qname;
- result = dns_message_nextname(message, DNS_SECTION_QUESTION);
- if (result != ISC_R_NOMORE) {
- if (result == ISC_R_SUCCESS) {
- /*
- * There's more than one QNAME in the question
- * section.
- */
- query_error(client, DNS_R_FORMERR);
- } else
- query_error(client, result);
- return;
- }
-
- if (ns_g_server->log_queries)
- log_query(client);
-
- /*
- * Check for multiple question queries, since edns1 is dead.
- */
- if (message->counts[DNS_SECTION_QUESTION] > 1) {
- query_error(client, DNS_R_FORMERR);
- return;
- }
-
- /*
- * Check for meta-queries like IXFR and AXFR.
- */
- rdataset = ISC_LIST_HEAD(client->query.qname->list);
- INSIST(rdataset != NULL);
- qtype = rdataset->type;
- if (dns_rdatatype_ismeta(qtype)) {
- switch (qtype) {
- case dns_rdatatype_any:
- break; /* Let query_find handle it. */
- case dns_rdatatype_ixfr:
- case dns_rdatatype_axfr:
- ns_xfr_start(client, rdataset->type);
- return;
- case dns_rdatatype_maila:
- case dns_rdatatype_mailb:
- query_error(client, DNS_R_NOTIMP);
- return;
- case dns_rdatatype_tkey:
- result = dns_tkey_processquery(client->message,
- ns_g_server->tkeyctx,
- client->view->dynamickeys);
- if (result == ISC_R_SUCCESS)
- query_send(client);
- else
- query_error(client, result);
- return;
- default: /* TSIG, etc. */
- query_error(client, DNS_R_FORMERR);
- return;
- }
- }
-
- /*
- * If the client has requested that DNSSEC checking be disabled,
- * allow lookups to return pending data and instruct the resolver
- * to return data before validation has completed.
- */
- if (message->flags & DNS_MESSAGEFLAG_CD ||
- qtype == dns_rdatatype_rrsig)
- {
- client->query.dboptions |= DNS_DBFIND_PENDINGOK;
- client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
- }
-
- /*
- * Allow glue NS records to be added to the authority section
- * if the answer is secure.
- */
- if (message->flags & DNS_MESSAGEFLAG_CD)
- client->query.attributes &= ~NS_QUERYATTR_SECURE;
-
- /*
- * This is an ordinary query.
- */
- result = dns_message_reply(message, ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- query_next(client, result);
- return;
- }
-
- /*
- * Assume authoritative response until it is known to be
- * otherwise.
- */
- message->flags |= DNS_MESSAGEFLAG_AA;
-
- /*
- * Set AD. We must clear it if we add non-validated data to a
- * response.
- */
- if (client->view->enablednssec)
- message->flags |= DNS_MESSAGEFLAG_AD;
-
- qclient = NULL;
- ns_client_attach(client, &qclient);
- query_find(qclient, NULL, qtype);
-}
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
deleted file mode 100644
index b9d30d02f644..000000000000
--- a/contrib/bind9/bin/named/server.c
+++ /dev/null
@@ -1,4153 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: server.c,v 1.339.2.15.2.65 2005/07/27 02:53:15 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/app.h>
-#include <isc/base64.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/hash.h>
-#include <isc/lex.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/resource.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <bind9/check.h>
-
-#include <dns/adb.h>
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/forward.h>
-#include <dns/journal.h>
-#include <dns/keytable.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/order.h>
-#include <dns/peer.h>
-#include <dns/portlist.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/resolver.h>
-#include <dns/rootns.h>
-#include <dns/secalg.h>
-#include <dns/stats.h>
-#include <dns/tkey.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <dst/dst.h>
-#include <dst/result.h>
-
-#include <named/client.h>
-#include <named/config.h>
-#include <named/control.h>
-#include <named/interfacemgr.h>
-#include <named/log.h>
-#include <named/logconf.h>
-#include <named/lwresd.h>
-#include <named/main.h>
-#include <named/os.h>
-#include <named/server.h>
-#include <named/tkeyconf.h>
-#include <named/tsigconf.h>
-#include <named/zoneconf.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#include <stdlib.h>
-#endif
-
-/*
- * Check an operation for failure. Assumes that the function
- * using it has a 'result' variable and a 'cleanup' label.
- */
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
- } while (0)
-
-#define CHECKM(op, msg) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) { \
- isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_SERVER, \
- ISC_LOG_ERROR, \
- "%s: %s", msg, \
- isc_result_totext(result)); \
- goto cleanup; \
- } \
- } while (0) \
-
-#define CHECKMF(op, msg, file) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) { \
- isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_SERVER, \
- ISC_LOG_ERROR, \
- "%s '%s': %s", msg, file, \
- isc_result_totext(result)); \
- goto cleanup; \
- } \
- } while (0) \
-
-#define CHECKFATAL(op, msg) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) \
- fatal(msg, result); \
- } while (0) \
-
-struct ns_dispatch {
- isc_sockaddr_t addr;
- unsigned int dispatchgen;
- dns_dispatch_t *dispatch;
- ISC_LINK(struct ns_dispatch) link;
-};
-
-struct dumpcontext {
- isc_mem_t *mctx;
- isc_boolean_t dumpcache;
- isc_boolean_t dumpzones;
- FILE *fp;
- ISC_LIST(struct viewlistentry) viewlist;
- struct viewlistentry *view;
- struct zonelistentry *zone;
- dns_dumpctx_t *mdctx;
- dns_db_t *db;
- dns_db_t *cache;
- isc_task_t *task;
- dns_dbversion_t *version;
-};
-
-struct viewlistentry {
- dns_view_t *view;
- ISC_LINK(struct viewlistentry) link;
- ISC_LIST(struct zonelistentry) zonelist;
-};
-
-struct zonelistentry {
- dns_zone_t *zone;
- ISC_LINK(struct zonelistentry) link;
-};
-
-static void
-fatal(const char *msg, isc_result_t result);
-
-static void
-ns_server_reload(isc_task_t *task, isc_event_t *event);
-
-static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
- ns_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenelt_t **target);
-static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
- ns_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenlist_t **target);
-
-static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
- cfg_obj_t *forwarders, cfg_obj_t *forwardtype);
-
-static isc_result_t
-configure_alternates(cfg_obj_t *config, dns_view_t *view,
- cfg_obj_t *alternates);
-
-static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
- isc_mem_t *mctx, dns_view_t *view,
- ns_aclconfctx_t *aclconf);
-
-static void
-end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
-
-/*
- * Configure a single view ACL at '*aclp'. Get its configuration by
- * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl'
- * (for a global default).
- */
-static isc_result_t
-configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
- const char *aclname, ns_aclconfctx_t *actx,
- isc_mem_t *mctx, dns_acl_t **aclp)
-{
- isc_result_t result;
- cfg_obj_t *maps[3];
- cfg_obj_t *aclobj = NULL;
- int i = 0;
-
- if (*aclp != NULL)
- dns_acl_detach(aclp);
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- if (config != NULL) {
- cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- maps[i++] = options;
- }
- maps[i] = NULL;
-
- result = ns_config_get(maps, aclname, &aclobj);
- if (aclobj == NULL)
- /*
- * No value available. *aclp == NULL.
- */
- return (ISC_R_SUCCESS);
-
- result = ns_acl_fromconfig(aclobj, config, actx, mctx, aclp);
-
- return (result);
-}
-
-static isc_result_t
-configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
- dns_keytable_t *keytable, isc_mem_t *mctx)
-{
- dns_rdataclass_t viewclass;
- dns_rdata_dnskey_t keystruct;
- isc_uint32_t flags, proto, alg;
- char *keystr, *keynamestr;
- unsigned char keydata[4096];
- isc_buffer_t keydatabuf;
- unsigned char rrdata[4096];
- isc_buffer_t rrdatabuf;
- isc_region_t r;
- dns_fixedname_t fkeyname;
- dns_name_t *keyname;
- isc_buffer_t namebuf;
- isc_result_t result;
- dst_key_t *dstkey = NULL;
-
- flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
- proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
- alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
- keyname = dns_fixedname_name(&fkeyname);
- keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
-
- if (vconfig == NULL)
- viewclass = dns_rdataclass_in;
- else {
- cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
- CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
- &viewclass));
- }
- keystruct.common.rdclass = viewclass;
- keystruct.common.rdtype = dns_rdatatype_dnskey;
- /*
- * The key data in keystruct is not dynamically allocated.
- */
- keystruct.mctx = NULL;
-
- ISC_LINK_INIT(&keystruct.common, link);
-
- if (flags > 0xffff)
- CHECKM(ISC_R_RANGE, "key flags");
- if (proto > 0xff)
- CHECKM(ISC_R_RANGE, "key protocol");
- if (alg > 0xff)
- CHECKM(ISC_R_RANGE, "key algorithm");
- keystruct.flags = (isc_uint16_t)flags;
- keystruct.protocol = (isc_uint8_t)proto;
- keystruct.algorithm = (isc_uint8_t)alg;
-
- isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
- isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
-
- keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
- CHECK(isc_base64_decodestring(keystr, &keydatabuf));
- isc_buffer_usedregion(&keydatabuf, &r);
- keystruct.datalen = r.length;
- keystruct.data = r.base;
-
- CHECK(dns_rdata_fromstruct(NULL,
- keystruct.common.rdclass,
- keystruct.common.rdtype,
- &keystruct, &rrdatabuf));
- dns_fixedname_init(&fkeyname);
- isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
- isc_buffer_add(&namebuf, strlen(keynamestr));
- CHECK(dns_name_fromtext(keyname, &namebuf,
- dns_rootname, ISC_FALSE,
- NULL));
- CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
- mctx, &dstkey));
-
- CHECK(dns_keytable_add(keytable, &dstkey));
- INSIST(dstkey == NULL);
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (result == DST_R_NOCRYPTO) {
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "ignoring trusted key for '%s': no crypto support",
- keynamestr);
- result = ISC_R_SUCCESS;
- } else {
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "configuring trusted key for '%s': %s",
- keynamestr, isc_result_totext(result));
- result = ISC_R_FAILURE;
- }
-
- if (dstkey != NULL)
- dst_key_free(&dstkey);
-
- return (result);
-}
-
-/*
- * Configure DNSSEC keys for a view. Currently used only for
- * the security roots.
- *
- * The per-view configuration values and the server-global defaults are read
- * from 'vconfig' and 'config'. The variable to be configured is '*target'.
- */
-static isc_result_t
-configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
- isc_mem_t *mctx, dns_keytable_t **target)
-{
- isc_result_t result;
- cfg_obj_t *keys = NULL;
- cfg_obj_t *voptions = NULL;
- cfg_listelt_t *element, *element2;
- cfg_obj_t *keylist;
- cfg_obj_t *key;
- dns_keytable_t *keytable = NULL;
-
- CHECK(dns_keytable_create(mctx, &keytable));
-
- if (vconfig != NULL)
- voptions = cfg_tuple_get(vconfig, "options");
-
- keys = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "trusted-keys", &keys);
- if (keys == NULL)
- (void)cfg_map_get(config, "trusted-keys", &keys);
-
- for (element = cfg_list_first(keys);
- element != NULL;
- element = cfg_list_next(element))
- {
- keylist = cfg_listelt_value(element);
- for (element2 = cfg_list_first(keylist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- key = cfg_listelt_value(element2);
- CHECK(configure_view_dnsseckey(vconfig, key,
- keytable, mctx));
- }
- }
-
- dns_keytable_detach(target);
- *target = keytable; /* Transfer ownership. */
- keytable = NULL;
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-static isc_result_t
-mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver)
-{
- cfg_listelt_t *element;
- cfg_obj_t *obj;
- const char *str;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_boolean_t value;
- isc_result_t result;
- isc_buffer_t b;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- for (element = cfg_list_first(mbs);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
- value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
- CHECK(dns_resolver_setmustbesecure(resolver, name, value));
- }
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- return (result);
-}
-
-/*
- * Get a dispatch appropriate for the resolver of a given view.
- */
-static isc_result_t
-get_view_querysource_dispatch(cfg_obj_t **maps,
- int af, dns_dispatch_t **dispatchp)
-{
- isc_result_t result;
- dns_dispatch_t *disp;
- isc_sockaddr_t sa;
- unsigned int attrs, attrmask;
- cfg_obj_t *obj = NULL;
-
- /*
- * Make compiler happy.
- */
- result = ISC_R_FAILURE;
-
- switch (af) {
- case AF_INET:
- result = ns_config_get(maps, "query-source", &obj);
- INSIST(result == ISC_R_SUCCESS);
-
- break;
- case AF_INET6:
- result = ns_config_get(maps, "query-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- break;
- default:
- INSIST(0);
- }
-
- sa = *(cfg_obj_assockaddr(obj));
- INSIST(isc_sockaddr_pf(&sa) == af);
-
- /*
- * If we don't support this address family, we're done!
- */
- switch (af) {
- case AF_INET:
- result = isc_net_probeipv4();
- break;
- case AF_INET6:
- result = isc_net_probeipv6();
- break;
- default:
- INSIST(0);
- }
- if (result != ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
-
- /*
- * Try to find a dispatcher that we can share.
- */
- attrs = 0;
- attrs |= DNS_DISPATCHATTR_UDP;
- switch (af) {
- case AF_INET:
- attrs |= DNS_DISPATCHATTR_IPV4;
- break;
- case AF_INET6:
- attrs |= DNS_DISPATCHATTR_IPV6;
- break;
- }
- attrmask = 0;
- attrmask |= DNS_DISPATCHATTR_UDP;
- attrmask |= DNS_DISPATCHATTR_TCP;
- attrmask |= DNS_DISPATCHATTR_IPV4;
- attrmask |= DNS_DISPATCHATTR_IPV6;
-
- disp = NULL;
- result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
- ns_g_taskmgr, &sa, 4096,
- 1000, 32768, 16411, 16433,
- attrs, attrmask, &disp);
- if (result != ISC_R_SUCCESS) {
- isc_sockaddr_t any;
- char buf[ISC_SOCKADDR_FORMATSIZE];
-
- switch (af) {
- case AF_INET:
- isc_sockaddr_any(&any);
- break;
- case AF_INET6:
- isc_sockaddr_any6(&any);
- break;
- }
- if (isc_sockaddr_equal(&sa, &any))
- return (ISC_R_SUCCESS);
- isc_sockaddr_format(&sa, buf, sizeof(buf));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "could not get query source dispatcher (%s)",
- buf);
- return (result);
- }
-
- *dispatchp = disp;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-configure_order(dns_order_t *order, cfg_obj_t *ent) {
- dns_rdataclass_t rdclass;
- dns_rdatatype_t rdtype;
- cfg_obj_t *obj;
- dns_fixedname_t fixed;
- unsigned int mode = 0;
- const char *str;
- isc_buffer_t b;
- isc_result_t result;
- isc_boolean_t addroot;
-
- result = ns_config_getclass(cfg_tuple_get(ent, "class"),
- dns_rdataclass_any, &rdclass);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = ns_config_gettype(cfg_tuple_get(ent, "type"),
- dns_rdatatype_any, &rdtype);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = cfg_tuple_get(ent, "name");
- if (cfg_obj_isstring(obj))
- str = cfg_obj_asstring(obj);
- else
- str = "*";
- addroot = ISC_TF(strcmp(str, "*") == 0);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- dns_fixedname_init(&fixed);
- result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = cfg_tuple_get(ent, "ordering");
- INSIST(cfg_obj_isstring(obj));
- str = cfg_obj_asstring(obj);
- if (!strcasecmp(str, "fixed"))
- mode = DNS_RDATASETATTR_FIXEDORDER;
- else if (!strcasecmp(str, "random"))
- mode = DNS_RDATASETATTR_RANDOMIZE;
- else if (!strcasecmp(str, "cyclic"))
- mode = 0;
- else
- INSIST(0);
-
- /*
- * "*" should match everything including the root (BIND 8 compat).
- * As dns_name_matcheswildcard(".", "*.") returns FALSE add a
- * explict entry for "." when the name is "*".
- */
- if (addroot) {
- result = dns_order_add(order, dns_rootname,
- rdtype, rdclass, mode);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- return (dns_order_add(order, dns_fixedname_name(&fixed),
- rdtype, rdclass, mode));
-}
-
-static isc_result_t
-configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
- isc_sockaddr_t *sa;
- isc_netaddr_t na;
- dns_peer_t *peer;
- cfg_obj_t *obj;
- char *str;
- isc_result_t result;
-
- sa = cfg_obj_assockaddr(cfg_map_getname(cpeer));
- isc_netaddr_fromsockaddr(&na, sa);
-
- peer = NULL;
- result = dns_peer_new(mctx, &na, &peer);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "bogus", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "request-ixfr", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "edns", &obj);
- if (obj != NULL)
- CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "transfers", &obj);
- if (obj != NULL)
- CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "transfer-format", &obj);
- if (obj != NULL) {
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "many-answers") == 0)
- CHECK(dns_peer_settransferformat(peer,
- dns_many_answers));
- else if (strcasecmp(str, "one-answer") == 0)
- CHECK(dns_peer_settransferformat(peer,
- dns_one_answer));
- else
- INSIST(0);
- }
-
- obj = NULL;
- (void)cfg_map_get(cpeer, "keys", &obj);
- if (obj != NULL) {
- result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
-
- obj = NULL;
- if (isc_sockaddr_pf(sa) == AF_INET)
- (void)cfg_map_get(cpeer, "transfer-source", &obj);
- else
- (void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
- if (obj != NULL) {
- result = dns_peer_settransfersource(peer,
- cfg_obj_assockaddr(obj));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- *peerp = peer;
- return (ISC_R_SUCCESS);
-
- cleanup:
- dns_peer_detach(&peer);
- return (result);
-}
-
-static isc_result_t
-disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
- isc_result_t result;
- cfg_obj_t *algorithms;
- cfg_listelt_t *element;
- const char *str;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t b;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL));
-
- algorithms = cfg_tuple_get(disabled, "algorithms");
- for (element = cfg_list_first(algorithms);
- element != NULL;
- element = cfg_list_next(element))
- {
- isc_textregion_t r;
- dns_secalg_t alg;
-
- r.base = cfg_obj_asstring(cfg_listelt_value(element));
- r.length = strlen(r.base);
-
- result = dns_secalg_fromtext(&alg, &r);
- if (result != ISC_R_SUCCESS) {
- isc_uint8_t ui;
- result = isc_parse_uint8(&ui, r.base, 10);
- alg = ui;
- }
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(cfg_listelt_value(element),
- ns_g_lctx, ISC_LOG_ERROR,
- "invalid algorithm");
- CHECK(result);
- }
- CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
- }
- cleanup:
- return (result);
-}
-
-/*
- * Configure 'view' according to 'vconfig', taking defaults from 'config'
- * where values are missing in 'vconfig'.
- *
- * When configuring the default view, 'vconfig' will be NULL and the
- * global defaults in 'config' used exclusively.
- */
-static isc_result_t
-configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
- isc_mem_t *mctx, ns_aclconfctx_t *actx,
- isc_boolean_t need_hints)
-{
- cfg_obj_t *maps[4];
- cfg_obj_t *cfgmaps[3];
- cfg_obj_t *options = NULL;
- cfg_obj_t *voptions = NULL;
- cfg_obj_t *forwardtype;
- cfg_obj_t *forwarders;
- cfg_obj_t *alternates;
- cfg_obj_t *zonelist;
- cfg_obj_t *disabled;
- cfg_obj_t *obj;
- cfg_listelt_t *element;
- in_port_t port;
- dns_cache_t *cache = NULL;
- isc_result_t result;
- isc_uint32_t max_adb_size;
- isc_uint32_t max_cache_size;
- isc_uint32_t lame_ttl;
- dns_tsig_keyring_t *ring;
- dns_view_t *pview = NULL; /* Production view */
- isc_mem_t *cmctx;
- dns_dispatch_t *dispatch4 = NULL;
- dns_dispatch_t *dispatch6 = NULL;
- isc_boolean_t reused_cache = ISC_FALSE;
- int i;
- const char *str;
- dns_order_t *order = NULL;
- isc_uint32_t udpsize;
- unsigned int check = 0;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- cmctx = NULL;
-
- if (config != NULL)
- (void)cfg_map_get(config, "options", &options);
-
- i = 0;
- if (vconfig != NULL) {
- voptions = cfg_tuple_get(vconfig, "options");
- maps[i++] = voptions;
- }
- if (options != NULL)
- maps[i++] = options;
- maps[i++] = ns_g_defaults;
- maps[i] = NULL;
-
- i = 0;
- if (voptions != NULL)
- cfgmaps[i++] = voptions;
- if (config != NULL)
- cfgmaps[i++] = config;
- cfgmaps[i] = NULL;
-
- /*
- * Set the view's port number for outgoing queries.
- */
- CHECKM(ns_config_getport(config, &port), "port");
- dns_view_setdstport(view, port);
-
- /*
- * Configure the zones.
- */
- zonelist = NULL;
- if (voptions != NULL)
- (void)cfg_map_get(voptions, "zone", &zonelist);
- else
- (void)cfg_map_get(config, "zone", &zonelist);
- for (element = cfg_list_first(zonelist);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *zconfig = cfg_listelt_value(element);
- CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
- actx));
- }
-
- /*
- * Configure the view's cache. Try to reuse an existing
- * cache if possible, otherwise create a new cache.
- * Note that the ADB is not preserved in either case.
- *
- * XXX Determining when it is safe to reuse a cache is
- * tricky. When the view's configuration changes, the cached
- * data may become invalid because it reflects our old
- * view of the world. As more view attributes become
- * configurable, we will have to add code here to check
- * whether they have changed in ways that could
- * invalidate the cache.
- */
- result = dns_viewlist_find(&ns_g_server->viewlist,
- view->name, view->rdclass,
- &pview);
- if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
- goto cleanup;
- if (pview != NULL) {
- INSIST(pview->cache != NULL);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
- "reusing existing cache");
- reused_cache = ISC_TRUE;
- dns_cache_attach(pview->cache, &cache);
- dns_view_detach(&pview);
- } else {
- CHECK(isc_mem_create(0, 0, &cmctx));
- CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr,
- view->rdclass, "rbt", 0, NULL, &cache));
- }
- dns_view_setcache(view, cache);
-
- /*
- * cache-file cannot be inherited if views are present, but this
- * should be caught by the configuration checking stage.
- */
- obj = NULL;
- result = ns_config_get(maps, "cache-file", &obj);
- if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
- CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
- if (!reused_cache)
- CHECK(dns_cache_load(cache));
- }
-
- obj = NULL;
- result = ns_config_get(maps, "cleaning-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_cache_setcleaninginterval(cache, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-cache-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isstring(obj)) {
- str = cfg_obj_asstring(obj);
- INSIST(strcasecmp(str, "unlimited") == 0);
- max_cache_size = ISC_UINT32_MAX;
- } else {
- isc_resourcevalue_t value;
- value = cfg_obj_asuint64(obj);
- if (value > ISC_UINT32_MAX) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "'max-cache-size "
- "%" ISC_PRINT_QUADFORMAT "d' is too large",
- value);
- result = ISC_R_RANGE;
- goto cleanup;
- }
- max_cache_size = (isc_uint32_t)value;
- }
- dns_cache_setcachesize(cache, max_cache_size);
-
- dns_cache_detach(&cache);
-
- /*
- * Check-names.
- */
- obj = NULL;
- result = ns_checknames_get(maps, "response", &obj);
- INSIST(result == ISC_R_SUCCESS);
-
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "fail") == 0) {
- check = DNS_RESOLVER_CHECKNAMES |
- DNS_RESOLVER_CHECKNAMESFAIL;
- view->checknames = ISC_TRUE;
- } else if (strcasecmp(str, "warn") == 0) {
- check = DNS_RESOLVER_CHECKNAMES;
- view->checknames = ISC_FALSE;
- } else if (strcasecmp(str, "ignore") == 0) {
- check = 0;
- view->checknames = ISC_FALSE;
- } else
- INSIST(0);
-
- /*
- * Resolver.
- *
- * XXXRTH Hardwired number of tasks.
- */
- CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4));
- CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6));
- if (dispatch4 == NULL && dispatch6 == NULL) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unable to obtain neither an IPv4 nor"
- " an IPv6 dispatch");
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
- CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
- ns_g_socketmgr, ns_g_timermgr,
- check, ns_g_dispatchmgr,
- dispatch4, dispatch6));
-
- /*
- * Set the ADB cache size to 1/8th of the max-cache-size.
- */
- max_adb_size = 0;
- if (max_cache_size != 0) {
- max_adb_size = max_cache_size / 8;
- if (max_adb_size == 0)
- max_adb_size = 1; /* Force minimum. */
- }
- dns_adb_setadbsize(view->adb, max_adb_size);
-
- /*
- * Set resolver's lame-ttl.
- */
- obj = NULL;
- result = ns_config_get(maps, "lame-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- lame_ttl = cfg_obj_asuint32(obj);
- if (lame_ttl > 1800)
- lame_ttl = 1800;
- dns_resolver_setlamettl(view->resolver, lame_ttl);
-
- /*
- * Set the resolver's EDNS UDP size.
- */
- obj = NULL;
- result = ns_config_get(maps, "edns-udp-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- udpsize = cfg_obj_asuint32(obj);
- if (udpsize < 512)
- udpsize = 512;
- if (udpsize > 4096)
- udpsize = 4096;
- dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
-
- /*
- * Set supported DNSSEC algorithms.
- */
- dns_resolver_reset_algorithms(view->resolver);
- disabled = NULL;
- (void)ns_config_get(maps, "disable-algorithms", &disabled);
- if (disabled != NULL) {
- for (element = cfg_list_first(disabled);
- element != NULL;
- element = cfg_list_next(element))
- CHECK(disable_algorithms(cfg_listelt_value(element),
- view->resolver));
- }
-
- /*
- * A global or view "forwarders" option, if present,
- * creates an entry for "." in the forwarding table.
- */
- forwardtype = NULL;
- forwarders = NULL;
- (void)ns_config_get(maps, "forward", &forwardtype);
- (void)ns_config_get(maps, "forwarders", &forwarders);
- if (forwarders != NULL)
- CHECK(configure_forward(config, view, dns_rootname,
- forwarders, forwardtype));
-
- /*
- * Dual Stack Servers.
- */
- alternates = NULL;
- (void)ns_config_get(maps, "dual-stack-servers", &alternates);
- if (alternates != NULL)
- CHECK(configure_alternates(config, view, alternates));
-
- /*
- * We have default hints for class IN if we need them.
- */
- if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
- dns_view_sethints(view, ns_g_server->in_roothints);
-
- /*
- * If we still have no hints, this is a non-IN view with no
- * "hints zone" configured. Issue a warning, except if this
- * is a root server. Root servers never need to consult
- * their hints, so it's no point requiring users to configure
- * them.
- */
- if (view->hints == NULL) {
- dns_zone_t *rootzone = NULL;
- (void)dns_view_findzone(view, dns_rootname, &rootzone);
- if (rootzone != NULL) {
- dns_zone_detach(&rootzone);
- need_hints = ISC_FALSE;
- }
- if (need_hints)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "no root hints for view '%s'",
- view->name);
- }
-
- /*
- * Configure the view's TSIG keys.
- */
- ring = NULL;
- CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
- dns_view_setkeyring(view, ring);
-
- /*
- * Configure the view's peer list.
- */
- {
- cfg_obj_t *peers = NULL;
- cfg_listelt_t *element;
- dns_peerlist_t *newpeers = NULL;
-
- (void)ns_config_get(cfgmaps, "server", &peers);
- CHECK(dns_peerlist_new(mctx, &newpeers));
- for (element = cfg_list_first(peers);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *cpeer = cfg_listelt_value(element);
- dns_peer_t *peer;
-
- CHECK(configure_peer(cpeer, mctx, &peer));
- dns_peerlist_addpeer(newpeers, peer);
- dns_peer_detach(&peer);
- }
- dns_peerlist_detach(&view->peers);
- view->peers = newpeers; /* Transfer ownership. */
- }
-
- /*
- * Configure the views rrset-order.
- */
- {
- cfg_obj_t *rrsetorder = NULL;
- cfg_listelt_t *element;
-
- (void)ns_config_get(maps, "rrset-order", &rrsetorder);
- CHECK(dns_order_create(mctx, &order));
- for (element = cfg_list_first(rrsetorder);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *ent = cfg_listelt_value(element);
-
- CHECK(configure_order(order, ent));
- }
- if (view->order != NULL)
- dns_order_detach(&view->order);
- dns_order_attach(order, &view->order);
- dns_order_detach(&order);
- }
- /*
- * Copy the aclenv object.
- */
- dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
-
- /*
- * Configure the "match-clients" and "match-destinations" ACL.
- */
- CHECK(configure_view_acl(vconfig, config, "match-clients", actx,
- ns_g_mctx, &view->matchclients));
- CHECK(configure_view_acl(vconfig, config, "match-destinations", actx,
- ns_g_mctx, &view->matchdestinations));
-
- /*
- * Configure the "match-recursive-only" option.
- */
- obj = NULL;
- (void) ns_config_get(maps, "match-recursive-only", &obj);
- if (obj != NULL && cfg_obj_asboolean(obj))
- view->matchrecursiveonly = ISC_TRUE;
- else
- view->matchrecursiveonly = ISC_FALSE;
-
- /*
- * Configure other configurable data.
- */
- obj = NULL;
- result = ns_config_get(maps, "recursion", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->recursion = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "auth-nxdomain", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->auth_nxdomain = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "minimal-responses", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->minimalresponses = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "transfer-format", &obj);
- INSIST(result == ISC_R_SUCCESS);
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "many-answers") == 0)
- view->transfer_format = dns_many_answers;
- else if (strcasecmp(str, "one-answer") == 0)
- view->transfer_format = dns_one_answer;
- else
- INSIST(0);
-
- /*
- * Set sources where additional data and CNAME/DNAME
- * targets for authoritative answers may be found.
- */
- obj = NULL;
- result = ns_config_get(maps, "additional-from-auth", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->additionalfromauth = cfg_obj_asboolean(obj);
- if (view->recursion && ! view->additionalfromauth) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
- "'additional-from-auth no' is only supported "
- "with 'recursion no'");
- view->additionalfromauth = ISC_TRUE;
- }
-
- obj = NULL;
- result = ns_config_get(maps, "additional-from-cache", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->additionalfromcache = cfg_obj_asboolean(obj);
- if (view->recursion && ! view->additionalfromcache) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
- "'additional-from-cache no' is only supported "
- "with 'recursion no'");
- view->additionalfromcache = ISC_TRUE;
- }
-
- CHECK(configure_view_acl(vconfig, config, "allow-query",
- actx, ns_g_mctx, &view->queryacl));
-
- if (strcmp(view->name, "_bind") != 0)
- CHECK(configure_view_acl(vconfig, config, "allow-recursion",
- actx, ns_g_mctx, &view->recursionacl));
-
- /*
- * Warning if both "recursion no;" and allow-recursion are active
- * except for "allow-recursion { none; };".
- */
- if (!view->recursion && view->recursionacl != NULL &&
- (view->recursionacl->length != 1 ||
- view->recursionacl->elements[0].type != dns_aclelementtype_any ||
- view->recursionacl->elements[0].negative != ISC_TRUE)) {
- const char *forview = " for view ";
- const char *viewname = view->name;
-
- if (!strcmp(view->name, "_bind") ||
- !strcmp(view->name, "_default")) {
- forview = "";
- viewname = "";
- }
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "both \"recursion no;\" and \"allow-recursion\" "
- "active%s%s", forview, viewname);
- }
-
- CHECK(configure_view_acl(vconfig, config, "sortlist",
- actx, ns_g_mctx, &view->sortlist));
-
- obj = NULL;
- result = ns_config_get(maps, "request-ixfr", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->requestixfr = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "provide-ixfr", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->provideixfr = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "dnssec-enable", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->enablednssec = cfg_obj_asboolean(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "dnssec-lookaside", &obj);
- if (result == ISC_R_SUCCESS) {
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- const char *str;
- isc_buffer_t b;
- dns_name_t *dlv;
-
- obj = cfg_listelt_value(element);
-#if 0
- dns_fixedname_t fixed;
- dns_name_t *name;
-
- /*
- * When we support multiple dnssec-lookaside
- * entries this is how to find the domain to be
- * checked. XXXMPA
- */
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- str = cfg_obj_asstring(cfg_tuple_get(obj,
- "domain"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL));
-#endif
- str = cfg_obj_asstring(cfg_tuple_get(obj,
- "trust-anchor"));
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- dlv = dns_fixedname_name(&view->dlv_fixed);
- CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
- ISC_TRUE, NULL));
- view->dlv = dns_fixedname_name(&view->dlv_fixed);
- }
- } else
- view->dlv = NULL;
-
- /*
- * For now, there is only one kind of trusted keys, the
- * "security roots".
- */
- if (view->enablednssec) {
- CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
- &view->secroots));
- dns_resolver_resetmustbesecure(view->resolver);
- obj = NULL;
- result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
- if (result == ISC_R_SUCCESS)
- CHECK(mustbesecure(obj, view->resolver));
- }
-
- obj = NULL;
- result = ns_config_get(maps, "max-cache-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->maxcachettl = cfg_obj_asuint32(obj);
-
- obj = NULL;
- result = ns_config_get(maps, "max-ncache-ttl", &obj);
- INSIST(result == ISC_R_SUCCESS);
- view->maxncachettl = cfg_obj_asuint32(obj);
- if (view->maxncachettl > 7 * 24 * 3600)
- view->maxncachettl = 7 * 24 * 3600;
-
- obj = NULL;
- result = ns_config_get(maps, "preferred-glue", &obj);
- if (result == ISC_R_SUCCESS) {
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "a") == 0)
- view->preferred_glue = dns_rdatatype_a;
- else if (strcasecmp(str, "aaaa") == 0)
- view->preferred_glue = dns_rdatatype_aaaa;
- else
- view->preferred_glue = 0;
- } else
- view->preferred_glue = 0;
-
- obj = NULL;
- result = ns_config_get(maps, "root-delegation-only", &obj);
- if (result == ISC_R_SUCCESS) {
- dns_view_setrootdelonly(view, ISC_TRUE);
- if (!cfg_obj_isvoid(obj)) {
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t b;
- char *str;
- cfg_obj_t *exclude;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element)) {
- exclude = cfg_listelt_value(element);
- str = cfg_obj_asstring(exclude);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- CHECK(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
- CHECK(dns_view_excludedelegationonly(view,
- name));
- }
- }
- } else
- dns_view_setrootdelonly(view, ISC_FALSE);
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- if (dispatch4 != NULL)
- dns_dispatch_detach(&dispatch4);
- if (dispatch6 != NULL)
- dns_dispatch_detach(&dispatch6);
- if (order != NULL)
- dns_order_detach(&order);
- if (cmctx != NULL)
- isc_mem_detach(&cmctx);
-
- if (cache != NULL)
- dns_cache_detach(&cache);
-
- return (result);
-}
-
-static isc_result_t
-configure_hints(dns_view_t *view, const char *filename) {
- isc_result_t result;
- dns_db_t *db;
-
- db = NULL;
- result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
- if (result == ISC_R_SUCCESS) {
- dns_view_sethints(view, db);
- dns_db_detach(&db);
- }
-
- return (result);
-}
-
-static isc_result_t
-configure_alternates(cfg_obj_t *config, dns_view_t *view,
- cfg_obj_t *alternates)
-{
- cfg_obj_t *portobj;
- cfg_obj_t *addresses;
- cfg_listelt_t *element;
- isc_result_t result = ISC_R_SUCCESS;
- in_port_t port;
-
- /*
- * Determine which port to send requests to.
- */
- if (ns_g_lwresdonly && ns_g_port != 0)
- port = ns_g_port;
- else
- CHECKM(ns_config_getport(config, &port), "port");
-
- if (alternates != NULL) {
- portobj = cfg_tuple_get(alternates, "port");
- if (cfg_obj_isuint32(portobj)) {
- isc_uint32_t val = cfg_obj_asuint32(portobj);
- if (val > ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
- "port '%u' out of range", val);
- return (ISC_R_RANGE);
- }
- port = (in_port_t) val;
- }
- }
-
- addresses = NULL;
- if (alternates != NULL)
- addresses = cfg_tuple_get(alternates, "addresses");
-
- for (element = cfg_list_first(addresses);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *alternate = cfg_listelt_value(element);
- isc_sockaddr_t sa;
-
- if (!cfg_obj_issockaddr(alternate)) {
- dns_fixedname_t fixed;
- dns_name_t *name;
- char *str = cfg_obj_asstring(cfg_tuple_get(alternate,
- "name"));
- isc_buffer_t buffer;
- in_port_t myport = port;
-
- isc_buffer_init(&buffer, str, strlen(str));
- isc_buffer_add(&buffer, strlen(str));
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL));
-
- portobj = cfg_tuple_get(alternate, "port");
- if (cfg_obj_isuint32(portobj)) {
- isc_uint32_t val = cfg_obj_asuint32(portobj);
- if (val > ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx,
- ISC_LOG_ERROR,
- "port '%u' out of range",
- val);
- return (ISC_R_RANGE);
- }
- myport = (in_port_t) val;
- }
- CHECK(dns_resolver_addalternate(view->resolver, NULL,
- name, myport));
- continue;
- }
-
- sa = *cfg_obj_assockaddr(alternate);
- if (isc_sockaddr_getport(&sa) == 0)
- isc_sockaddr_setport(&sa, port);
- CHECK(dns_resolver_addalternate(view->resolver, &sa,
- NULL, 0));
- }
-
- cleanup:
- return (result);
-}
-
-static isc_result_t
-configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
- cfg_obj_t *forwarders, cfg_obj_t *forwardtype)
-{
- cfg_obj_t *portobj;
- cfg_obj_t *faddresses;
- cfg_listelt_t *element;
- dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
- isc_sockaddrlist_t addresses;
- isc_sockaddr_t *sa;
- isc_result_t result;
- in_port_t port;
-
- /*
- * Determine which port to send forwarded requests to.
- */
- if (ns_g_lwresdonly && ns_g_port != 0)
- port = ns_g_port;
- else
- CHECKM(ns_config_getport(config, &port), "port");
-
- if (forwarders != NULL) {
- portobj = cfg_tuple_get(forwarders, "port");
- if (cfg_obj_isuint32(portobj)) {
- isc_uint32_t val = cfg_obj_asuint32(portobj);
- if (val > ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
- "port '%u' out of range", val);
- return (ISC_R_RANGE);
- }
- port = (in_port_t) val;
- }
- }
-
- faddresses = NULL;
- if (forwarders != NULL)
- faddresses = cfg_tuple_get(forwarders, "addresses");
-
- ISC_LIST_INIT(addresses);
-
- for (element = cfg_list_first(faddresses);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *forwarder = cfg_listelt_value(element);
- sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
- if (sa == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- *sa = *cfg_obj_assockaddr(forwarder);
- if (isc_sockaddr_getport(sa) == 0)
- isc_sockaddr_setport(sa, port);
- ISC_LINK_INIT(sa, link);
- ISC_LIST_APPEND(addresses, sa, link);
- }
-
- if (ISC_LIST_EMPTY(addresses)) {
- if (forwardtype != NULL)
- cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
- "no forwarders seen; disabling "
- "forwarding");
- fwdpolicy = dns_fwdpolicy_none;
- } else {
- if (forwardtype == NULL)
- fwdpolicy = dns_fwdpolicy_first;
- else {
- char *forwardstr = cfg_obj_asstring(forwardtype);
- if (strcasecmp(forwardstr, "first") == 0)
- fwdpolicy = dns_fwdpolicy_first;
- else if (strcasecmp(forwardstr, "only") == 0)
- fwdpolicy = dns_fwdpolicy_only;
- else
- INSIST(0);
- }
- }
-
- result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
- fwdpolicy);
- if (result != ISC_R_SUCCESS) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(origin, namebuf, sizeof(namebuf));
- cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
- "could not set up forwarding for domain '%s': %s",
- namebuf, isc_result_totext(result));
- goto cleanup;
- }
-
- result = ISC_R_SUCCESS;
-
- cleanup:
-
- while (!ISC_LIST_EMPTY(addresses)) {
- sa = ISC_LIST_HEAD(addresses);
- ISC_LIST_UNLINK(addresses, sa, link);
- isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
- }
-
- return (result);
-}
-
-/*
- * Create a new view and add it to the list.
- *
- * If 'vconfig' is NULL, create the default view.
- *
- * The view created is attached to '*viewp'.
- */
-static isc_result_t
-create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
- isc_result_t result;
- const char *viewname;
- dns_rdataclass_t viewclass;
- dns_view_t *view = NULL;
-
- if (vconfig != NULL) {
- cfg_obj_t *classobj = NULL;
-
- viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
- classobj = cfg_tuple_get(vconfig, "class");
- result = ns_config_getclass(classobj, dns_rdataclass_in,
- &viewclass);
- } else {
- viewname = "_default";
- viewclass = dns_rdataclass_in;
- }
- result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
- if (result == ISC_R_SUCCESS)
- return (ISC_R_EXISTS);
- if (result != ISC_R_NOTFOUND)
- return (result);
- INSIST(view == NULL);
-
- result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- ISC_LIST_APPEND(*viewlist, view, link);
- dns_view_attach(view, viewp);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Configure or reconfigure a zone.
- */
-static isc_result_t
-configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
- isc_mem_t *mctx, dns_view_t *view,
- ns_aclconfctx_t *aclconf)
-{
- dns_view_t *pview = NULL; /* Production view */
- dns_zone_t *zone = NULL; /* New or reused zone */
- dns_zone_t *dupzone = NULL;
- cfg_obj_t *options = NULL;
- cfg_obj_t *zoptions = NULL;
- cfg_obj_t *typeobj = NULL;
- cfg_obj_t *forwarders = NULL;
- cfg_obj_t *forwardtype = NULL;
- cfg_obj_t *only = NULL;
- isc_result_t result;
- isc_result_t tresult;
- isc_buffer_t buffer;
- dns_fixedname_t fixorigin;
- dns_name_t *origin;
- const char *zname;
- dns_rdataclass_t zclass;
- const char *ztypestr;
-
- options = NULL;
- (void)cfg_map_get(config, "options", &options);
-
- zoptions = cfg_tuple_get(zconfig, "options");
-
- /*
- * Get the zone origin as a dns_name_t.
- */
- zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
- isc_buffer_init(&buffer, zname, strlen(zname));
- isc_buffer_add(&buffer, strlen(zname));
- dns_fixedname_init(&fixorigin);
- CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
- &buffer, dns_rootname, ISC_FALSE, NULL));
- origin = dns_fixedname_name(&fixorigin);
-
- CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
- view->rdclass, &zclass));
- if (zclass != view->rdclass) {
- const char *vname = NULL;
- if (vconfig != NULL)
- vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
- "name"));
- else
- vname = "<default view>";
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "zone '%s': wrong class for view '%s'",
- zname, vname);
- result = ISC_R_FAILURE;
- goto cleanup;
- }
-
- (void)cfg_map_get(zoptions, "type", &typeobj);
- if (typeobj == NULL) {
- cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
- "zone '%s' 'type' not specified", zname);
- return (ISC_R_FAILURE);
- }
- ztypestr = cfg_obj_asstring(typeobj);
-
- /*
- * "hints zones" aren't zones. If we've got one,
- * configure it and return.
- */
- if (strcasecmp(ztypestr, "hint") == 0) {
- cfg_obj_t *fileobj = NULL;
- if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "zone '%s': 'file' not specified",
- zname);
- result = ISC_R_FAILURE;
- goto cleanup;
- }
- if (dns_name_equal(origin, dns_rootname)) {
- char *hintsfile = cfg_obj_asstring(fileobj);
-
- result = configure_hints(view, hintsfile);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER,
- ISC_LOG_ERROR,
- "could not configure root hints "
- "from '%s': %s", hintsfile,
- isc_result_totext(result));
- goto cleanup;
- }
- /*
- * Hint zones may also refer to delegation only points.
- */
- only = NULL;
- tresult = cfg_map_get(zoptions, "delegation-only",
- &only);
- if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
- CHECK(dns_view_adddelegationonly(view, origin));
- } else {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "ignoring non-root hint zone '%s'",
- zname);
- result = ISC_R_SUCCESS;
- }
- /* Skip ordinary zone processing. */
- goto cleanup;
- }
-
- /*
- * "forward zones" aren't zones either. Translate this syntax into
- * the appropriate selective forwarding configuration and return.
- */
- if (strcasecmp(ztypestr, "forward") == 0) {
- forwardtype = NULL;
- forwarders = NULL;
-
- (void)cfg_map_get(zoptions, "forward", &forwardtype);
- (void)cfg_map_get(zoptions, "forwarders", &forwarders);
- result = configure_forward(config, view, origin, forwarders,
- forwardtype);
- goto cleanup;
- }
-
- /*
- * "delegation-only zones" aren't zones either.
- */
- if (strcasecmp(ztypestr, "delegation-only") == 0) {
- result = dns_view_adddelegationonly(view, origin);
- goto cleanup;
- }
-
- /*
- * Check for duplicates in the new zone table.
- */
- result = dns_view_findzone(view, origin, &dupzone);
- if (result == ISC_R_SUCCESS) {
- /*
- * We already have this zone!
- */
- cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
- "zone '%s' already exists", zname);
- dns_zone_detach(&dupzone);
- result = ISC_R_EXISTS;
- goto cleanup;
- }
- INSIST(dupzone == NULL);
-
- /*
- * See if we can reuse an existing zone. This is
- * only possible if all of these are true:
- * - The zone's view exists
- * - A zone with the right name exists in the view
- * - The zone is compatible with the config
- * options (e.g., an existing master zone cannot
- * be reused if the options specify a slave zone)
- */
- result = dns_viewlist_find(&ns_g_server->viewlist,
- view->name, view->rdclass,
- &pview);
- if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
- goto cleanup;
- if (pview != NULL)
- result = dns_view_findzone(pview, origin, &zone);
- if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
- goto cleanup;
- if (zone != NULL) {
- if (! ns_zone_reusable(zone, zconfig))
- dns_zone_detach(&zone);
- }
-
- if (zone != NULL) {
- /*
- * We found a reusable zone. Make it use the
- * new view.
- */
- dns_zone_setview(zone, view);
- } else {
- /*
- * We cannot reuse an existing zone, we have
- * to create a new one.
- */
- CHECK(dns_zone_create(&zone, mctx));
- CHECK(dns_zone_setorigin(zone, origin));
- dns_zone_setview(zone, view);
- CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
- }
-
- /*
- * If the zone contains a 'forwarders' statement, configure
- * selective forwarding.
- */
- forwarders = NULL;
- if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
- {
- forwardtype = NULL;
- (void)cfg_map_get(zoptions, "forward", &forwardtype);
- CHECK(configure_forward(config, view, origin, forwarders,
- forwardtype));
- }
-
- /*
- * Stub and forward zones may also refer to delegation only points.
- */
- only = NULL;
- if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
- {
- if (cfg_obj_asboolean(only))
- CHECK(dns_view_adddelegationonly(view, origin));
- }
-
- /*
- * Configure the zone.
- */
- CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
-
- /*
- * Add the zone to its view in the new view list.
- */
- CHECK(dns_view_addzone(view, zone));
-
- cleanup:
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (pview != NULL)
- dns_view_detach(&pview);
-
- return (result);
-}
-
-/*
- * Configure a single server quota.
- */
-static void
-configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
-{
- cfg_obj_t *obj = NULL;
- isc_result_t result;
-
- result = ns_config_get(maps, name, &obj);
- INSIST(result == ISC_R_SUCCESS);
- isc_quota_max(quota, cfg_obj_asuint32(obj));
-}
-
-/*
- * This function is called as soon as the 'directory' statement has been
- * parsed. This can be extended to support other options if necessary.
- */
-static isc_result_t
-directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
- isc_result_t result;
- char *directory;
-
- REQUIRE(strcasecmp("directory", clausename) == 0);
-
- UNUSED(arg);
- UNUSED(clausename);
-
- /*
- * Change directory.
- */
- directory = cfg_obj_asstring(obj);
-
- if (! isc_file_ischdiridempotent(directory))
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
- "option 'directory' contains relative path '%s'",
- directory);
-
- result = isc_dir_chdir(directory);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "change directory to '%s' failed: %s",
- directory, isc_result_totext(result));
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
- isc_boolean_t match_mapped = server->aclenv.match_mapped;
-
- ns_interfacemgr_scan(server->interfacemgr, verbose);
- /*
- * Update the "localhost" and "localnets" ACLs to match the
- * current set of network interfaces.
- */
- dns_aclenv_copy(&server->aclenv,
- ns_interfacemgr_getaclenv(server->interfacemgr));
-
- server->aclenv.match_mapped = match_mapped;
-}
-
-static isc_result_t
-add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
- ns_listenelt_t *lelt = NULL;
- dns_acl_t *src_acl = NULL;
- dns_aclelement_t aelt;
- isc_result_t result;
- isc_sockaddr_t any_sa6;
-
- REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
-
- isc_sockaddr_any6(&any_sa6);
- if (!isc_sockaddr_equal(&any_sa6, addr)) {
- aelt.type = dns_aclelementtype_ipprefix;
- aelt.negative = ISC_FALSE;
- aelt.u.ip_prefix.prefixlen = 128;
- isc_netaddr_fromin6(&aelt.u.ip_prefix.address,
- &addr->type.sin6.sin6_addr);
-
- result = dns_acl_create(mctx, 1, &src_acl);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_acl_appendelement(src_acl, &aelt);
- if (result != ISC_R_SUCCESS)
- goto clean;
-
- result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
- src_acl, &lelt);
- if (result != ISC_R_SUCCESS)
- goto clean;
- ISC_LIST_APPEND(list->elts, lelt, link);
- }
-
- return (ISC_R_SUCCESS);
-
- clean:
- INSIST(lelt == NULL);
- if (src_acl != NULL)
- dns_acl_detach(&src_acl);
-
- return (result);
-}
-
-/*
- * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
- * to update the listening interfaces accordingly.
- * We currently only consider IPv6, because this only affects IPv6 wildcard
- * sockets.
- */
-static void
-adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
- isc_result_t result;
- ns_listenlist_t *list = NULL;
- dns_view_t *view;
- dns_zone_t *zone, *next;
- isc_sockaddr_t addr, *addrp;
-
- result = ns_listenlist_create(mctx, &list);
- if (result != ISC_R_SUCCESS)
- return;
-
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link)) {
- dns_dispatch_t *dispatch6;
-
- dispatch6 = dns_resolver_dispatchv6(view->resolver);
- if (dispatch6 == NULL)
- continue;
- result = dns_dispatch_getlocaladdress(dispatch6, &addr);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = add_listenelt(mctx, list, &addr);
- if (result != ISC_R_SUCCESS)
- goto fail;
- }
-
- zone = NULL;
- for (result = dns_zone_first(server->zonemgr, &zone);
- result == ISC_R_SUCCESS;
- next = NULL, result = dns_zone_next(zone, &next), zone = next) {
- dns_view_t *zoneview;
-
- /*
- * At this point the zone list may contain a stale zone
- * just removed from the configuration. To see the validity,
- * check if the corresponding view is in our current view list.
- * There may also be old zones that are still in the process
- * of shutting down and have detached from their old view
- * (zoneview == NULL).
- */
- zoneview = dns_zone_getview(zone);
- if (zoneview == NULL)
- continue;
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL && view != zoneview;
- view = ISC_LIST_NEXT(view, link))
- ;
- if (view == NULL)
- continue;
-
- addrp = dns_zone_getnotifysrc6(zone);
- result = add_listenelt(mctx, list, addrp);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- addrp = dns_zone_getxfrsource6(zone);
- result = add_listenelt(mctx, list, addrp);
- if (result != ISC_R_SUCCESS)
- goto fail;
- }
-
- ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
-
- clean:
- ns_listenlist_detach(&list);
- return;
-
- fail:
- /*
- * Even when we failed the procedure, most of other interfaces
- * should work correctly. We therefore just warn it.
- */
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "could not adjust the listen-on list; "
- "some interfaces may not work");
- goto clean;
-}
-
-/*
- * This event callback is invoked to do periodic network
- * interface scanning.
- */
-static void
-interface_timer_tick(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- ns_server_t *server = (ns_server_t *) event->ev_arg;
- INSIST(task == server->task);
- UNUSED(task);
- isc_event_free(&event);
- /*
- * XXX should scan interfaces unlocked and get exclusive access
- * only to replace ACLs.
- */
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- scan_interfaces(server, ISC_FALSE);
- isc_task_endexclusive(server->task);
-}
-
-static void
-heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
- ns_server_t *server = (ns_server_t *) event->ev_arg;
- dns_view_t *view;
-
- UNUSED(task);
- isc_event_free(&event);
- view = ISC_LIST_HEAD(server->viewlist);
- while (view != NULL) {
- dns_view_dialup(view);
- view = ISC_LIST_NEXT(view, link);
- }
-}
-
-/*
- * Replace the current value of '*field', a dynamically allocated
- * string or NULL, with a dynamically allocated copy of the
- * null-terminated string pointed to by 'value', or NULL.
- */
-static isc_result_t
-setstring(ns_server_t *server, char **field, const char *value) {
- char *copy;
-
- if (value != NULL) {
- copy = isc_mem_strdup(server->mctx, value);
- if (copy == NULL)
- return (ISC_R_NOMEMORY);
- } else {
- copy = NULL;
- }
-
- if (*field != NULL)
- isc_mem_free(server->mctx, *field);
-
- *field = copy;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Replace the current value of '*field', a dynamically allocated
- * string or NULL, with another dynamically allocated string
- * or NULL if whether 'obj' is a string or void value, respectively.
- */
-static isc_result_t
-setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) {
- if (cfg_obj_isvoid(obj))
- return (setstring(server, field, NULL));
- else
- return (setstring(server, field, cfg_obj_asstring(obj)));
-}
-
-static void
-set_limit(cfg_obj_t **maps, const char *configname, const char *description,
- isc_resource_t resourceid, isc_resourcevalue_t defaultvalue)
-{
- cfg_obj_t *obj = NULL;
- char *resource;
- isc_resourcevalue_t value;
- isc_result_t result;
-
- if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
- return;
-
- if (cfg_obj_isstring(obj)) {
- resource = cfg_obj_asstring(obj);
- if (strcasecmp(resource, "unlimited") == 0)
- value = ISC_RESOURCE_UNLIMITED;
- else {
- INSIST(strcasecmp(resource, "default") == 0);
- value = defaultvalue;
- }
- } else
- value = cfg_obj_asuint64(obj);
-
- result = isc_resource_setlimit(resourceid, value);
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- result == ISC_R_SUCCESS ?
- ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
- "set maximum %s to %" ISC_PRINT_QUADFORMAT "d: %s",
- description, value, isc_result_totext(result));
-}
-
-#define SETLIMIT(cfgvar, resource, description) \
- set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
- ns_g_init ## resource)
-
-static void
-set_limits(cfg_obj_t **maps) {
- SETLIMIT("stacksize", stacksize, "stack size");
- SETLIMIT("datasize", datasize, "data size");
- SETLIMIT("coresize", coresize, "core size");
- SETLIMIT("files", openfiles, "open files");
-}
-
-static isc_result_t
-portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
- cfg_obj_t *ports)
-{
- cfg_listelt_t *element;
- isc_result_t result = ISC_R_SUCCESS;
-
- for (element = cfg_list_first(ports);
- element != NULL;
- element = cfg_list_next(element)) {
- cfg_obj_t *obj = cfg_listelt_value(element);
- in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
-
- result = dns_portlist_add(portlist, family, port);
- if (result != ISC_R_SUCCESS)
- break;
- }
- return (result);
-}
-
-static isc_result_t
-load_configuration(const char *filename, ns_server_t *server,
- isc_boolean_t first_time)
-{
- isc_result_t result;
- cfg_parser_t *parser = NULL;
- cfg_obj_t *config;
- cfg_obj_t *options;
- cfg_obj_t *views;
- cfg_obj_t *obj;
- cfg_obj_t *v4ports, *v6ports;
- cfg_obj_t *maps[3];
- cfg_obj_t *builtin_views;
- cfg_listelt_t *element;
- dns_view_t *view = NULL;
- dns_view_t *view_next;
- dns_viewlist_t viewlist;
- dns_viewlist_t tmpviewlist;
- ns_aclconfctx_t aclconfctx;
- isc_uint32_t interface_interval;
- isc_uint32_t heartbeat_interval;
- isc_uint32_t udpsize;
- in_port_t listen_port;
- int i;
-
- ns_aclconfctx_init(&aclconfctx);
- ISC_LIST_INIT(viewlist);
-
- /* Ensure exclusive access to configuration data. */
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /*
- * Parse the global default pseudo-config file.
- */
- if (first_time) {
- CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
- RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
- &ns_g_defaults) ==
- ISC_R_SUCCESS);
- }
-
- /*
- * Parse the configuration file using the new config code.
- */
- result = ISC_R_FAILURE;
- config = NULL;
-
- /*
- * Unless this is lwresd with the -C option, parse the config file.
- */
- if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_INFO, "loading configuration from '%s'",
- filename);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- cfg_parser_setcallback(parser, directory_callback, NULL);
- result = cfg_parse_file(parser, filename, &cfg_type_namedconf,
- &config);
- }
-
- /*
- * If this is lwresd with the -C option, or lwresd with no -C or -c
- * option where the above parsing failed, parse resolv.conf.
- */
- if (ns_g_lwresdonly &&
- (lwresd_g_useresolvconf ||
- (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
- {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_INFO, "loading configuration from '%s'",
- lwresd_g_resolvconffile);
- if (parser != NULL)
- cfg_parser_destroy(&parser);
- CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
- result = ns_lwresd_parseeresolvconf(ns_g_mctx, parser,
- &config);
- }
- CHECK(result);
-
- /*
- * Check the validity of the configuration.
- */
- CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
-
- /*
- * Fill in the maps array, used for resolving defaults.
- */
- i = 0;
- options = NULL;
- result = cfg_map_get(config, "options", &options);
- if (result == ISC_R_SUCCESS)
- maps[i++] = options;
- maps[i++] = ns_g_defaults;
- maps[i++] = NULL;
-
- /*
- * Set process limits, which (usually) needs to be done as root.
- */
- set_limits(maps);
-
- /*
- * Configure various server options.
- */
- configure_server_quota(maps, "transfers-out", &server->xfroutquota);
- configure_server_quota(maps, "tcp-clients", &server->tcpquota);
- configure_server_quota(maps, "recursive-clients",
- &server->recursionquota);
- if (server->recursionquota.max > 1000)
- isc_quota_soft(&server->recursionquota,
- server->recursionquota.max - 100);
- else
- isc_quota_soft(&server->recursionquota, 0);
-
- CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx,
- ns_g_mctx, &server->blackholeacl));
- if (server->blackholeacl != NULL)
- dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
- server->blackholeacl);
-
- obj = NULL;
- result = ns_config_get(maps, "match-mapped-addresses", &obj);
- INSIST(result == ISC_R_SUCCESS);
- server->aclenv.match_mapped = cfg_obj_asboolean(obj);
-
- v4ports = NULL;
- v6ports = NULL;
- (void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports);
- (void)ns_config_get(maps, "avoid-v6-udp-ports", &v6ports);
- if (v4ports != NULL || v6ports != NULL) {
- dns_portlist_t *portlist = NULL;
- result = dns_portlist_create(ns_g_mctx, &portlist);
- if (result == ISC_R_SUCCESS && v4ports != NULL)
- result = portlist_fromconf(portlist, AF_INET, v4ports);
- if (result == ISC_R_SUCCESS && v6ports != NULL)
- portlist_fromconf(portlist, AF_INET6, v6ports);
- if (result == ISC_R_SUCCESS)
- dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, portlist);
- if (portlist != NULL)
- dns_portlist_detach(&portlist);
- CHECK(result);
- } else
- dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, NULL);
-
- /*
- * Set the EDNS UDP size when we don't match a view.
- */
- obj = NULL;
- result = ns_config_get(maps, "edns-udp-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- udpsize = cfg_obj_asuint32(obj);
- if (udpsize < 512)
- udpsize = 512;
- if (udpsize > 4096)
- udpsize = 4096;
- ns_g_udpsize = (isc_uint16_t)udpsize;
-
- /*
- * Configure the zone manager.
- */
- obj = NULL;
- result = ns_config_get(maps, "transfers-in", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "transfers-per-ns", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "serial-query-rate", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
-
- /*
- * Determine which port to use for listening for incoming connections.
- */
- if (ns_g_port != 0)
- listen_port = ns_g_port;
- else
- CHECKM(ns_config_getport(config, &listen_port), "port");
-
- /*
- * Find the listen queue depth.
- */
- obj = NULL;
- result = ns_config_get(maps, "tcp-listen-queue", &obj);
- INSIST(result == ISC_R_SUCCESS);
- ns_g_listen = cfg_obj_asuint32(obj);
- if (ns_g_listen < 3)
- ns_g_listen = 3;
-
- /*
- * Configure the interface manager according to the "listen-on"
- * statement.
- */
- {
- cfg_obj_t *clistenon = NULL;
- ns_listenlist_t *listenon = NULL;
-
- clistenon = NULL;
- /*
- * Even though listen-on is present in the default
- * configuration, we can't use it here, since it isn't
- * used if we're in lwresd mode. This way is easier.
- */
- if (options != NULL)
- (void)cfg_map_get(options, "listen-on", &clistenon);
- if (clistenon != NULL) {
- result = ns_listenlist_fromconfig(clistenon,
- config,
- &aclconfctx,
- ns_g_mctx,
- &listenon);
- } else if (!ns_g_lwresdonly) {
- /*
- * Not specified, use default.
- */
- CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
- ISC_TRUE, &listenon));
- }
- if (listenon != NULL) {
- ns_interfacemgr_setlistenon4(server->interfacemgr,
- listenon);
- ns_listenlist_detach(&listenon);
- }
- }
- /*
- * Ditto for IPv6.
- */
- {
- cfg_obj_t *clistenon = NULL;
- ns_listenlist_t *listenon = NULL;
-
- if (options != NULL)
- (void)cfg_map_get(options, "listen-on-v6", &clistenon);
- if (clistenon != NULL) {
- result = ns_listenlist_fromconfig(clistenon,
- config,
- &aclconfctx,
- ns_g_mctx,
- &listenon);
- } else if (!ns_g_lwresdonly) {
- /*
- * Not specified, use default.
- */
- CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
- ISC_FALSE, &listenon));
- }
- if (listenon != NULL) {
- ns_interfacemgr_setlistenon6(server->interfacemgr,
- listenon);
- ns_listenlist_detach(&listenon);
- }
- }
-
- /*
- * Rescan the interface list to pick up changes in the
- * listen-on option. It's important that we do this before we try
- * to configure the query source, since the dispatcher we use might
- * be shared with an interface.
- */
- scan_interfaces(server, ISC_TRUE);
-
- /*
- * Arrange for further interface scanning to occur periodically
- * as specified by the "interface-interval" option.
- */
- obj = NULL;
- result = ns_config_get(maps, "interface-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- interface_interval = cfg_obj_asuint32(obj) * 60;
- if (interface_interval == 0) {
- CHECK(isc_timer_reset(server->interface_timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_TRUE));
- } else if (server->interface_interval != interface_interval) {
- isc_interval_t interval;
- isc_interval_set(&interval, interface_interval, 0);
- CHECK(isc_timer_reset(server->interface_timer,
- isc_timertype_ticker,
- NULL, &interval, ISC_FALSE));
- }
- server->interface_interval = interface_interval;
-
- /*
- * Configure the dialup heartbeat timer.
- */
- obj = NULL;
- result = ns_config_get(maps, "heartbeat-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- heartbeat_interval = cfg_obj_asuint32(obj) * 60;
- if (heartbeat_interval == 0) {
- CHECK(isc_timer_reset(server->heartbeat_timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_TRUE));
- } else if (server->heartbeat_interval != heartbeat_interval) {
- isc_interval_t interval;
- isc_interval_set(&interval, heartbeat_interval, 0);
- CHECK(isc_timer_reset(server->heartbeat_timer,
- isc_timertype_ticker,
- NULL, &interval, ISC_FALSE));
- }
- server->heartbeat_interval = heartbeat_interval;
-
- /*
- * Configure and freeze all explicit views. Explicit
- * views that have zones were already created at parsing
- * time, but views with no zones must be created here.
- */
- views = NULL;
- (void)cfg_map_get(config, "view", &views);
- for (element = cfg_list_first(views);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *vconfig = cfg_listelt_value(element);
- view = NULL;
-
- CHECK(create_view(vconfig, &viewlist, &view));
- INSIST(view != NULL);
- CHECK(configure_view(view, config, vconfig,
- ns_g_mctx, &aclconfctx, ISC_TRUE));
- dns_view_freeze(view);
- dns_view_detach(&view);
- }
-
- /*
- * Make sure we have a default view if and only if there
- * were no explicit views.
- */
- if (views == NULL) {
- /*
- * No explicit views; there ought to be a default view.
- * There may already be one created as a side effect
- * of zone statements, or we may have to create one.
- * In either case, we need to configure and freeze it.
- */
- CHECK(create_view(NULL, &viewlist, &view));
- CHECK(configure_view(view, config, NULL, ns_g_mctx,
- &aclconfctx, ISC_TRUE));
- dns_view_freeze(view);
- dns_view_detach(&view);
- }
-
- /*
- * Create (or recreate) the built-in views. Currently
- * there is only one, the _bind view.
- */
- builtin_views = NULL;
- RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
- &builtin_views) == ISC_R_SUCCESS);
- for (element = cfg_list_first(builtin_views);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *vconfig = cfg_listelt_value(element);
- CHECK(create_view(vconfig, &viewlist, &view));
- CHECK(configure_view(view, config, vconfig, ns_g_mctx,
- &aclconfctx, ISC_FALSE));
- dns_view_freeze(view);
- dns_view_detach(&view);
- view = NULL;
- }
-
- /*
- * Swap our new view list with the production one.
- */
- tmpviewlist = server->viewlist;
- server->viewlist = viewlist;
- viewlist = tmpviewlist;
-
- /*
- * Load the TKEY information from the configuration.
- */
- if (options != NULL) {
- dns_tkeyctx_t *t = NULL;
- CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
- &t),
- "configuring TKEY");
- if (server->tkeyctx != NULL)
- dns_tkeyctx_destroy(&server->tkeyctx);
- server->tkeyctx = t;
- }
-
- /*
- * Bind the control port(s).
- */
- CHECKM(ns_controls_configure(ns_g_server->controls, config,
- &aclconfctx),
- "binding control channel(s)");
-
- /*
- * Bind the lwresd port(s).
- */
- CHECKM(ns_lwresd_configure(ns_g_mctx, config),
- "binding lightweight resolver ports");
-
- /*
- * Open the source of entropy.
- */
- if (first_time) {
- obj = NULL;
- result = ns_config_get(maps, "random-device", &obj);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "no source of entropy found");
- } else {
- const char *randomdev = cfg_obj_asstring(obj);
- result = isc_entropy_createfilesource(ns_g_entropy,
- randomdev);
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER,
- ISC_LOG_INFO,
- "could not open entropy source "
- "%s: %s",
- randomdev,
- isc_result_totext(result));
-#ifdef PATH_RANDOMDEV
- if (ns_g_fallbackentropy != NULL) {
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx,
- NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER,
- ISC_LOG_INFO,
- "using pre-chroot entropy source "
- "%s",
- PATH_RANDOMDEV);
- isc_entropy_detach(&ns_g_entropy);
- isc_entropy_attach(ns_g_fallbackentropy,
- &ns_g_entropy);
- }
- isc_entropy_detach(&ns_g_fallbackentropy);
- }
-#endif
- }
- }
-
- /*
- * Relinquish root privileges.
- */
- if (first_time)
- ns_os_changeuser();
-
- /*
- * Configure the logging system.
- *
- * Do this after changing UID to make sure that any log
- * files specified in named.conf get created by the
- * unprivileged user, not root.
- */
- if (ns_g_logstderr) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "ignoring config file logging "
- "statement due to -g option");
- } else {
- cfg_obj_t *logobj = NULL;
- isc_logconfig_t *logc = NULL;
-
- CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
- "creating new logging configuration");
-
- logobj = NULL;
- (void)cfg_map_get(config, "logging", &logobj);
- if (logobj != NULL) {
- CHECKM(ns_log_configure(logc, logobj),
- "configuring logging");
- } else {
- CHECKM(ns_log_setdefaultchannels(logc),
- "setting up default logging channels");
- CHECKM(ns_log_setunmatchedcategory(logc),
- "setting up default 'category unmatched'");
- CHECKM(ns_log_setdefaultcategory(logc),
- "setting up default 'category default'");
- }
-
- result = isc_logconfig_use(ns_g_lctx, logc);
- if (result != ISC_R_SUCCESS) {
- isc_logconfig_destroy(&logc);
- CHECKM(result, "installing logging configuration");
- }
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
- "now using logging configuration from "
- "config file");
- }
-
- /*
- * Set the default value of the query logging flag depending
- * whether a "queries" category has been defined. This is
- * a disgusting hack, but we need to do this for BIND 8
- * compatibility.
- */
- if (first_time) {
- cfg_obj_t *logobj = NULL;
- cfg_obj_t *categories = NULL;
-
- obj = NULL;
- if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
- server->log_queries = cfg_obj_asboolean(obj);
- } else {
-
- (void)cfg_map_get(config, "logging", &logobj);
- if (logobj != NULL)
- (void)cfg_map_get(logobj, "category",
- &categories);
- if (categories != NULL) {
- cfg_listelt_t *element;
- for (element = cfg_list_first(categories);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *catobj;
- char *str;
-
- obj = cfg_listelt_value(element);
- catobj = cfg_tuple_get(obj, "name");
- str = cfg_obj_asstring(catobj);
- if (strcasecmp(str, "queries") == 0)
- server->log_queries = ISC_TRUE;
- }
- }
- }
- }
-
- obj = NULL;
- if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
- if (cfg_obj_isvoid(obj))
- ns_os_writepidfile(NULL, first_time);
- else
- ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
- else if (ns_g_lwresdonly)
- ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
- else
- ns_os_writepidfile(ns_g_defaultpidfile, first_time);
-
- obj = NULL;
- if (options != NULL &&
- cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS)
- ns_main_setmemstats(cfg_obj_asstring(obj));
- else
- ns_main_setmemstats(NULL);
-
- obj = NULL;
- result = ns_config_get(maps, "statistics-file", &obj);
- INSIST(result == ISC_R_SUCCESS);
- CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
- "strdup");
-
- obj = NULL;
- result = ns_config_get(maps, "dump-file", &obj);
- INSIST(result == ISC_R_SUCCESS);
- CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
- "strdup");
-
- obj = NULL;
- result = ns_config_get(maps, "recursing-file", &obj);
- INSIST(result == ISC_R_SUCCESS);
- CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
- "strdup");
-
- obj = NULL;
- result = ns_config_get(maps, "version", &obj);
- if (result == ISC_R_SUCCESS) {
- CHECKM(setoptstring(server, &server->version, obj), "strdup");
- server->version_set = ISC_TRUE;
- } else {
- server->version_set = ISC_FALSE;
- }
-
- obj = NULL;
- result = ns_config_get(maps, "hostname", &obj);
- if (result == ISC_R_SUCCESS) {
- CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
- server->hostname_set = ISC_TRUE;
- } else {
- server->hostname_set = ISC_FALSE;
- }
-
- obj = NULL;
- result = ns_config_get(maps, "server-id", &obj);
- server->server_usehostname = ISC_FALSE;
- if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
- server->server_usehostname = ISC_TRUE;
- } else if (result == ISC_R_SUCCESS) {
- CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
- } else {
- result = setoptstring(server, &server->server_id, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- }
-
- obj = NULL;
- result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
- if (result == ISC_R_SUCCESS) {
- server->flushonshutdown = cfg_obj_asboolean(obj);
- } else {
- server->flushonshutdown = ISC_FALSE;
- }
-
- result = ISC_R_SUCCESS;
-
- cleanup:
- ns_aclconfctx_destroy(&aclconfctx);
-
- if (parser != NULL) {
- if (config != NULL)
- cfg_obj_destroy(parser, &config);
- cfg_parser_destroy(&parser);
- }
-
- if (view != NULL)
- dns_view_detach(&view);
-
- /*
- * This cleans up either the old production view list
- * or our temporary list depending on whether they
- * were swapped above or not.
- */
- for (view = ISC_LIST_HEAD(viewlist);
- view != NULL;
- view = view_next) {
- view_next = ISC_LIST_NEXT(view, link);
- ISC_LIST_UNLINK(viewlist, view, link);
- dns_view_detach(&view);
-
- }
-
- /*
- * Adjust the listening interfaces in accordance with the source
- * addresses specified in views and zones.
- */
- if (isc_net_probeipv6() == ISC_R_SUCCESS)
- adjust_interfaces(server, ns_g_mctx);
-
- /* Relinquish exclusive access to configuration data. */
- isc_task_endexclusive(server->task);
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_DEBUG(1), "load_configuration: %s",
- isc_result_totext(result));
-
- return (result);
-}
-
-static isc_result_t
-load_zones(ns_server_t *server, isc_boolean_t stop) {
- isc_result_t result;
- dns_view_t *view;
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /*
- * Load zone data from disk.
- */
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- CHECK(dns_view_load(view, stop));
- }
-
- /*
- * Force zone maintenance. Do this after loading
- * so that we know when we need to force AXFR of
- * slave zones whose master files are missing.
- */
- CHECK(dns_zonemgr_forcemaint(server->zonemgr));
- cleanup:
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-static isc_result_t
-load_new_zones(ns_server_t *server, isc_boolean_t stop) {
- isc_result_t result;
- dns_view_t *view;
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /*
- * Load zone data from disk.
- */
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- CHECK(dns_view_loadnew(view, stop));
- }
- /*
- * Force zone maintenance. Do this after loading
- * so that we know when we need to force AXFR of
- * slave zones whose master files are missing.
- */
- dns_zonemgr_resumexfrs(server->zonemgr);
- cleanup:
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-static void
-run_server(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- ns_server_t *server = (ns_server_t *)event->ev_arg;
-
- INSIST(task == server->task);
-
- isc_event_free(&event);
-
- CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
- &ns_g_dispatchmgr),
- "creating dispatch manager");
-
- CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
- ns_g_socketmgr, ns_g_dispatchmgr,
- &server->interfacemgr),
- "creating interface manager");
-
- CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
- NULL, NULL, server->task,
- interface_timer_tick,
- server, &server->interface_timer),
- "creating interface timer");
-
- CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
- NULL, NULL, server->task,
- heartbeat_timer_tick,
- server, &server->heartbeat_timer),
- "creating heartbeat timer");
-
- CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
- "creating default configuration parser");
-
- if (ns_g_lwresdonly)
- CHECKFATAL(load_configuration(lwresd_g_conffile, server,
- ISC_TRUE),
- "loading configuration");
- else
- CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
- "loading configuration");
-
- isc_hash_init();
-
- CHECKFATAL(load_zones(server, ISC_FALSE), "loading zones");
-
- ns_os_started();
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_NOTICE, "running");
-}
-
-void
-ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
-
- REQUIRE(NS_SERVER_VALID(server));
-
- server->flushonshutdown = flush;
-}
-
-static void
-shutdown_server(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- dns_view_t *view, *view_next;
- ns_server_t *server = (ns_server_t *)event->ev_arg;
- isc_boolean_t flush = server->flushonshutdown;
-
- UNUSED(task);
- INSIST(task == server->task);
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_INFO, "shutting down%s",
- flush ? ": flushing changes" : "");
-
- ns_controls_shutdown(server->controls);
- end_reserved_dispatches(server, ISC_TRUE);
-
- cfg_obj_destroy(ns_g_parser, &ns_g_config);
- cfg_parser_destroy(&ns_g_parser);
-
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = view_next) {
- view_next = ISC_LIST_NEXT(view, link);
- ISC_LIST_UNLINK(server->viewlist, view, link);
- if (flush)
- dns_view_flushanddetach(&view);
- else
- dns_view_detach(&view);
- }
-
- isc_timer_detach(&server->interface_timer);
- isc_timer_detach(&server->heartbeat_timer);
-
- ns_interfacemgr_shutdown(server->interfacemgr);
- ns_interfacemgr_detach(&server->interfacemgr);
-
- dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
-
- dns_zonemgr_shutdown(server->zonemgr);
-
- if (server->blackholeacl != NULL)
- dns_acl_detach(&server->blackholeacl);
-
- dns_db_detach(&server->in_roothints);
-
- isc_task_endexclusive(server->task);
-
- isc_task_detach(&server->task);
-
- isc_event_free(&event);
-}
-
-void
-ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
- isc_result_t result;
-
- ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
- if (server == NULL)
- fatal("allocating server object", ISC_R_NOMEMORY);
-
- server->mctx = mctx;
- server->task = NULL;
-
- /* Initialize configuration data with default values. */
-
- result = isc_quota_init(&server->xfroutquota, 10);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = isc_quota_init(&server->tcpquota, 10);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- result = isc_quota_init(&server->recursionquota, 100);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- result = dns_aclenv_init(mctx, &server->aclenv);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- /* Initialize server data structures. */
- server->zonemgr = NULL;
- server->interfacemgr = NULL;
- ISC_LIST_INIT(server->viewlist);
- server->in_roothints = NULL;
- server->blackholeacl = NULL;
-
- CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
- &server->in_roothints),
- "setting up root hints");
-
- CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
- "initializing reload event lock");
- server->reload_event =
- isc_event_allocate(ns_g_mctx, server,
- NS_EVENT_RELOAD,
- ns_server_reload,
- server,
- sizeof(isc_event_t));
- CHECKFATAL(server->reload_event == NULL ?
- ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "allocating reload event");
-
- CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
- "initializing DST");
-
- server->tkeyctx = NULL;
- CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
- &server->tkeyctx),
- "creating TKEY context");
-
- /*
- * Setup the server task, which is responsible for coordinating
- * startup and shutdown of the server.
- */
- CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
- "creating server task");
- isc_task_setname(server->task, "server", server);
- CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
- "isc_task_onshutdown");
- CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
- "isc_app_onrun");
-
- server->interface_timer = NULL;
- server->heartbeat_timer = NULL;
-
- server->interface_interval = 0;
- server->heartbeat_interval = 0;
-
- CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
- ns_g_socketmgr, &server->zonemgr),
- "dns_zonemgr_create");
-
- server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
- CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
- server->querystats = NULL;
-
- server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
- CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
- CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->hostname_set = ISC_FALSE;
- server->hostname = NULL;
- server->version_set = ISC_FALSE;
- server->version = NULL;
- server->server_usehostname = ISC_FALSE;
- server->server_id = NULL;
-
- CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats),
- "dns_stats_alloccounters");
-
- server->flushonshutdown = ISC_FALSE;
- server->log_queries = ISC_FALSE;
-
- server->controls = NULL;
- CHECKFATAL(ns_controls_create(server, &server->controls),
- "ns_controls_create");
- server->dispatchgen = 0;
- ISC_LIST_INIT(server->dispatches);
-
- server->magic = NS_SERVER_MAGIC;
- *serverp = server;
-}
-
-void
-ns_server_destroy(ns_server_t **serverp) {
- ns_server_t *server = *serverp;
- REQUIRE(NS_SERVER_VALID(server));
-
- ns_controls_destroy(&server->controls);
-
- dns_stats_freecounters(server->mctx, &server->querystats);
-
- isc_mem_free(server->mctx, server->statsfile);
- isc_mem_free(server->mctx, server->dumpfile);
- isc_mem_free(server->mctx, server->recfile);
-
- if (server->version != NULL)
- isc_mem_free(server->mctx, server->version);
- if (server->hostname != NULL)
- isc_mem_free(server->mctx, server->hostname);
- if (server->server_id != NULL)
- isc_mem_free(server->mctx, server->server_id);
-
- dns_zonemgr_detach(&server->zonemgr);
-
- if (server->tkeyctx != NULL)
- dns_tkeyctx_destroy(&server->tkeyctx);
-
- dst_lib_destroy();
-
- isc_event_free(&server->reload_event);
-
- INSIST(ISC_LIST_EMPTY(server->viewlist));
-
- dns_aclenv_destroy(&server->aclenv);
-
- isc_quota_destroy(&server->recursionquota);
- isc_quota_destroy(&server->tcpquota);
- isc_quota_destroy(&server->xfroutquota);
-
- server->magic = 0;
- isc_mem_put(server->mctx, server, sizeof(*server));
- *serverp = NULL;
-}
-
-static void
-fatal(const char *msg, isc_result_t result) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_CRITICAL, "%s: %s", msg,
- isc_result_totext(result));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
- ISC_LOG_CRITICAL, "exiting (due to fatal error)");
- exit(1);
-}
-
-static void
-start_reserved_dispatches(ns_server_t *server) {
-
- REQUIRE(NS_SERVER_VALID(server));
-
- server->dispatchgen++;
-}
-
-static void
-end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
- ns_dispatch_t *dispatch, *nextdispatch;
-
- REQUIRE(NS_SERVER_VALID(server));
-
- for (dispatch = ISC_LIST_HEAD(server->dispatches);
- dispatch != NULL;
- dispatch = nextdispatch) {
- nextdispatch = ISC_LIST_NEXT(dispatch, link);
- if (!all && server->dispatchgen == dispatch-> dispatchgen)
- continue;
- ISC_LIST_UNLINK(server->dispatches, dispatch, link);
- dns_dispatch_detach(&dispatch->dispatch);
- isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
- }
-}
-
-void
-ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) {
- ns_dispatch_t *dispatch;
- in_port_t port;
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- isc_result_t result;
- unsigned int attrs, attrmask;
-
- REQUIRE(NS_SERVER_VALID(server));
-
- port = isc_sockaddr_getport(addr);
- if (port == 0 || port >= 1024)
- return;
-
- for (dispatch = ISC_LIST_HEAD(server->dispatches);
- dispatch != NULL;
- dispatch = ISC_LIST_NEXT(dispatch, link)) {
- if (isc_sockaddr_equal(&dispatch->addr, addr))
- break;
- }
- if (dispatch != NULL) {
- dispatch->dispatchgen = server->dispatchgen;
- return;
- }
-
- dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
- if (dispatch == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
-
- dispatch->addr = *addr;
- dispatch->dispatchgen = server->dispatchgen;
- dispatch->dispatch = NULL;
-
- attrs = 0;
- attrs |= DNS_DISPATCHATTR_UDP;
- switch (isc_sockaddr_pf(addr)) {
- case AF_INET:
- attrs |= DNS_DISPATCHATTR_IPV4;
- break;
- case AF_INET6:
- attrs |= DNS_DISPATCHATTR_IPV6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup;
- }
- attrmask = 0;
- attrmask |= DNS_DISPATCHATTR_UDP;
- attrmask |= DNS_DISPATCHATTR_TCP;
- attrmask |= DNS_DISPATCHATTR_IPV4;
- attrmask |= DNS_DISPATCHATTR_IPV6;
-
- result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
- ns_g_taskmgr, &dispatch->addr, 4096,
- 1000, 32768, 16411, 16433,
- attrs, attrmask, &dispatch->dispatch);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
-
- return;
-
- cleanup:
- if (dispatch != NULL)
- isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
- isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "unable to create dispatch for reserved port %s: %s",
- addrbuf, isc_result_totext(result));
-}
-
-
-static isc_result_t
-loadconfig(ns_server_t *server) {
- isc_result_t result;
- start_reserved_dispatches(server);
- result = load_configuration(ns_g_lwresdonly ?
- lwresd_g_conffile : ns_g_conffile,
- server, ISC_FALSE);
- if (result == ISC_R_SUCCESS)
- end_reserved_dispatches(server, ISC_FALSE);
- else
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "reloading configuration failed: %s",
- isc_result_totext(result));
- return (result);
-}
-
-static isc_result_t
-reload(ns_server_t *server) {
- isc_result_t result;
- CHECK(loadconfig(server));
-
- result = load_zones(server, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "reloading zones failed: %s",
- isc_result_totext(result));
- }
- cleanup:
- return (result);
-}
-
-static void
-reconfig(ns_server_t *server) {
- isc_result_t result;
- CHECK(loadconfig(server));
-
- result = load_new_zones(server, ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "loading new zones failed: %s",
- isc_result_totext(result));
- }
- cleanup: ;
-}
-
-/*
- * Handle a reload event (from SIGHUP).
- */
-static void
-ns_server_reload(isc_task_t *task, isc_event_t *event) {
- ns_server_t *server = (ns_server_t *)event->ev_arg;
-
- INSIST(task = server->task);
- UNUSED(task);
-
- (void)reload(server);
-
- LOCK(&server->reload_event_lock);
- INSIST(server->reload_event == NULL);
- server->reload_event = event;
- UNLOCK(&server->reload_event_lock);
-}
-
-void
-ns_server_reloadwanted(ns_server_t *server) {
- LOCK(&server->reload_event_lock);
- if (server->reload_event != NULL)
- isc_task_send(server->task, &server->reload_event);
- UNLOCK(&server->reload_event_lock);
-}
-
-static char *
-next_token(char **stringp, const char *delim) {
- char *res;
-
- do {
- res = strsep(stringp, delim);
- if (res == NULL)
- break;
- } while (*res == '\0');
- return (res);
-}
-
-/*
- * Find the zone specified in the control channel command 'args',
- * if any. If a zone is specified, point '*zonep' at it, otherwise
- * set '*zonep' to NULL.
- */
-static isc_result_t
-zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
- char *input, *ptr;
- const char *zonetxt;
- char *classtxt;
- const char *viewtxt = NULL;
- dns_fixedname_t name;
- isc_result_t result;
- isc_buffer_t buf;
- dns_view_t *view = NULL;
- dns_rdataclass_t rdclass;
-
- REQUIRE(zonep != NULL && *zonep == NULL);
-
- input = args;
-
- /* Skip the command name. */
- ptr = next_token(&input, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Look for the zone name. */
- zonetxt = next_token(&input, " \t");
- if (zonetxt == NULL)
- return (ISC_R_SUCCESS);
-
- /* Look for the optional class name. */
- classtxt = next_token(&input, " \t");
- if (classtxt != NULL) {
- /* Look for the optional view name. */
- viewtxt = next_token(&input, " \t");
- }
-
- isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
- isc_buffer_add(&buf, strlen(zonetxt));
- dns_fixedname_init(&name);
- result = dns_name_fromtext(dns_fixedname_name(&name),
- &buf, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- goto fail1;
-
- if (classtxt != NULL) {
- isc_textregion_t r;
- r.base = classtxt;
- r.length = strlen(classtxt);
- result = dns_rdataclass_fromtext(&rdclass, &r);
- if (result != ISC_R_SUCCESS)
- goto fail1;
- } else {
- rdclass = dns_rdataclass_in;
- }
-
- if (viewtxt == NULL)
- viewtxt = "_default";
- result = dns_viewlist_find(&server->viewlist, viewtxt,
- rdclass, &view);
- if (result != ISC_R_SUCCESS)
- goto fail1;
-
- result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
- 0, NULL, zonep);
- /* Partial match? */
- if (result != ISC_R_SUCCESS && *zonep != NULL)
- dns_zone_detach(zonep);
- dns_view_detach(&view);
- fail1:
- return (result);
-}
-
-/*
- * Act on a "retransfer" command from the command channel.
- */
-isc_result_t
-ns_server_retransfercommand(ns_server_t *server, char *args) {
- isc_result_t result;
- dns_zone_t *zone = NULL;
- dns_zonetype_t type;
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL)
- return (ISC_R_UNEXPECTEDEND);
- type = dns_zone_gettype(zone);
- if (type == dns_zone_slave || type == dns_zone_stub)
- dns_zone_forcereload(zone);
- else
- result = ISC_R_NOTFOUND;
- dns_zone_detach(&zone);
- return (result);
-}
-
-/*
- * Act on a "reload" command from the command channel.
- */
-isc_result_t
-ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
- isc_result_t result;
- dns_zone_t *zone = NULL;
- dns_zonetype_t type;
- const char *msg = NULL;
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL) {
- result = reload(server);
- if (result == ISC_R_SUCCESS)
- msg = "server reload successful";
- } else {
- type = dns_zone_gettype(zone);
- if (type == dns_zone_slave || type == dns_zone_stub) {
- dns_zone_refresh(zone);
- msg = "zone refresh queued";
- } else {
- result = dns_zone_load(zone);
- dns_zone_detach(&zone);
- switch (result) {
- case ISC_R_SUCCESS:
- msg = "zone reload successful";
- break;
- case DNS_R_CONTINUE:
- msg = "zone reload queued";
- result = ISC_R_SUCCESS;
- break;
- case DNS_R_UPTODATE:
- msg = "zone reload up-to-date";
- result = ISC_R_SUCCESS;
- break;
- default:
- /* failure message will be generated by rndc */
- break;
- }
- }
- }
- if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
- isc_buffer_putmem(text, (const unsigned char *)msg,
- strlen(msg) + 1);
- return (result);
-}
-
-/*
- * Act on a "reconfig" command from the command channel.
- */
-isc_result_t
-ns_server_reconfigcommand(ns_server_t *server, char *args) {
- UNUSED(args);
-
- reconfig(server);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "refresh" command from the command channel.
- */
-isc_result_t
-ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
- isc_result_t result;
- dns_zone_t *zone = NULL;
- const unsigned char msg[] = "zone refresh queued";
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- dns_zone_refresh(zone);
- dns_zone_detach(&zone);
- if (sizeof(msg) <= isc_buffer_availablelength(text))
- isc_buffer_putmem(text, msg, sizeof(msg));
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_togglequerylog(ns_server_t *server) {
- server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE;
-
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "query logging is now %s",
- server->log_queries ? "on" : "off");
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
- ns_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenlist_t **target)
-{
- isc_result_t result;
- cfg_listelt_t *element;
- ns_listenlist_t *dlist = NULL;
-
- REQUIRE(target != NULL && *target == NULL);
-
- result = ns_listenlist_create(mctx, &dlist);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- for (element = cfg_list_first(listenlist);
- element != NULL;
- element = cfg_list_next(element))
- {
- ns_listenelt_t *delt = NULL;
- cfg_obj_t *listener = cfg_listelt_value(element);
- result = ns_listenelt_fromconfig(listener, config, actx,
- mctx, &delt);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- ISC_LIST_APPEND(dlist->elts, delt, link);
- }
- *target = dlist;
- return (ISC_R_SUCCESS);
-
- cleanup:
- ns_listenlist_detach(&dlist);
- return (result);
-}
-
-/*
- * Create a listen list from the corresponding configuration
- * data structure.
- */
-static isc_result_t
-ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
- ns_aclconfctx_t *actx,
- isc_mem_t *mctx, ns_listenelt_t **target)
-{
- isc_result_t result;
- cfg_obj_t *portobj;
- in_port_t port;
- ns_listenelt_t *delt = NULL;
- REQUIRE(target != NULL && *target == NULL);
-
- portobj = cfg_tuple_get(listener, "port");
- if (!cfg_obj_isuint32(portobj)) {
- if (ns_g_port != 0) {
- port = ns_g_port;
- } else {
- result = ns_config_getport(config, &port);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- } else {
- if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
- cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
- "port value '%u' is out of range",
- cfg_obj_asuint32(portobj));
- return (ISC_R_RANGE);
- }
- port = (in_port_t)cfg_obj_asuint32(portobj);
- }
-
- result = ns_listenelt_create(mctx, port, NULL, &delt);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = ns_acl_fromconfig(cfg_tuple_get(listener, "acl"),
- config, actx, mctx, &delt->acl);
- if (result != ISC_R_SUCCESS) {
- ns_listenelt_destroy(delt);
- return (result);
- }
- *target = delt;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_dumpstats(ns_server_t *server) {
- isc_result_t result;
- dns_zone_t *zone, *next;
- isc_stdtime_t now;
- FILE *fp = NULL;
- int i;
- int ncounters;
-
- isc_stdtime_get(&now);
-
- CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
- "could not open statistics dump file", server->statsfile);
-
- ncounters = DNS_STATS_NCOUNTERS;
- fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
-
- for (i = 0; i < ncounters; i++)
- fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT "u\n",
- dns_statscounter_names[i],
- server->querystats[i]);
-
- zone = NULL;
- for (result = dns_zone_first(server->zonemgr, &zone);
- result == ISC_R_SUCCESS;
- next = NULL, result = dns_zone_next(zone, &next), zone = next)
- {
- isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
- if (zonestats != NULL) {
- char zonename[DNS_NAME_FORMATSIZE];
- dns_view_t *view;
- char *viewname;
-
- dns_name_format(dns_zone_getorigin(zone),
- zonename, sizeof(zonename));
- view = dns_zone_getview(zone);
- viewname = view->name;
- for (i = 0; i < ncounters; i++) {
- fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT
- "u %s",
- dns_statscounter_names[i],
- zonestats[i],
- zonename);
- if (strcmp(viewname, "_default") != 0)
- fprintf(fp, " %s", viewname);
- fprintf(fp, "\n");
- }
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- CHECK(result);
-
- fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
-
- cleanup:
- if (fp != NULL)
- (void)isc_stdio_close(fp);
- return (result);
-}
-
-static isc_result_t
-add_zone_tolist(dns_zone_t *zone, void *uap) {
- struct dumpcontext *dctx = uap;
- struct zonelistentry *zle;
-
- zle = isc_mem_get(dctx->mctx, sizeof *zle);
- if (zle == NULL)
- return (ISC_R_NOMEMORY);
- zle->zone = NULL;
- dns_zone_attach(zone, &zle->zone);
- ISC_LINK_INIT(zle, link);
- ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
- struct viewlistentry *vle;
- isc_result_t result = ISC_R_SUCCESS;
-
- /*
- * Prevent duplicate views.
- */
- for (vle = ISC_LIST_HEAD(dctx->viewlist);
- vle != NULL;
- vle = ISC_LIST_NEXT(vle, link))
- if (vle->view == view)
- return (ISC_R_SUCCESS);
-
- vle = isc_mem_get(dctx->mctx, sizeof *vle);
- if (vle == NULL)
- return (ISC_R_NOMEMORY);
- vle->view = NULL;
- dns_view_attach(view, &vle->view);
- ISC_LINK_INIT(vle, link);
- ISC_LIST_INIT(vle->zonelist);
- ISC_LIST_APPEND(dctx->viewlist, vle, link);
- if (dctx->dumpzones)
- result = dns_zt_apply(view->zonetable, ISC_TRUE,
- add_zone_tolist, dctx);
- return (result);
-}
-
-static void
-dumpcontext_destroy(struct dumpcontext *dctx) {
- struct viewlistentry *vle;
- struct zonelistentry *zle;
-
- vle = ISC_LIST_HEAD(dctx->viewlist);
- while (vle != NULL) {
- ISC_LIST_UNLINK(dctx->viewlist, vle, link);
- zle = ISC_LIST_HEAD(vle->zonelist);
- while (zle != NULL) {
- ISC_LIST_UNLINK(vle->zonelist, zle, link);
- dns_zone_detach(&zle->zone);
- isc_mem_put(dctx->mctx, zle, sizeof *zle);
- zle = ISC_LIST_HEAD(vle->zonelist);
- }
- dns_view_detach(&vle->view);
- isc_mem_put(dctx->mctx, vle, sizeof *vle);
- vle = ISC_LIST_HEAD(dctx->viewlist);
- }
- if (dctx->version != NULL)
- dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
- if (dctx->db != NULL)
- dns_db_detach(&dctx->db);
- if (dctx->cache != NULL)
- dns_db_detach(&dctx->cache);
- if (dctx->task != NULL)
- isc_task_detach(&dctx->task);
- if (dctx->fp != NULL)
- (void)isc_stdio_close(dctx->fp);
- if (dctx->mdctx != NULL)
- dns_dumpctx_detach(&dctx->mdctx);
- isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
-}
-
-static void
-dumpdone(void *arg, isc_result_t result) {
- struct dumpcontext *dctx = arg;
- char buf[1024+32];
- const dns_master_style_t *style;
-
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (dctx->mdctx != NULL)
- dns_dumpctx_detach(&dctx->mdctx);
- if (dctx->view == NULL) {
- dctx->view = ISC_LIST_HEAD(dctx->viewlist);
- if (dctx->view == NULL)
- goto done;
- INSIST(dctx->zone == NULL);
- } else
- goto resume;
- nextview:
- fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
- resume:
- if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) {
- style = &dns_master_style_cache;
- /* start cache dump */
- if (dctx->view->view->cachedb != NULL)
- dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
- if (dctx->cache != NULL) {
-
- fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n",
- dctx->view->view->name);
- result = dns_master_dumptostreaminc(dctx->mctx,
- dctx->cache, NULL,
- style, dctx->fp,
- dctx->task,
- dumpdone, dctx,
- &dctx->mdctx);
- if (result == DNS_R_CONTINUE)
- return;
- if (result == ISC_R_NOTIMPLEMENTED)
- fprintf(dctx->fp, "; %s\n",
- dns_result_totext(result));
- else if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- }
- if (dctx->cache != NULL) {
- dns_adb_dump(dctx->view->view->adb, dctx->fp);
- dns_db_detach(&dctx->cache);
- }
- if (dctx->dumpzones) {
- style = &dns_master_style_full;
- nextzone:
- if (dctx->version != NULL)
- dns_db_closeversion(dctx->db, &dctx->version,
- ISC_FALSE);
- if (dctx->db != NULL)
- dns_db_detach(&dctx->db);
- if (dctx->zone == NULL)
- dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
- else
- dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
- if (dctx->zone != NULL) {
- /* start zone dump */
- dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
- fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
- result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
- if (result != ISC_R_SUCCESS) {
- fprintf(dctx->fp, "; %s\n",
- dns_result_totext(result));
- goto nextzone;
- }
- dns_db_currentversion(dctx->db, &dctx->version);
- result = dns_master_dumptostreaminc(dctx->mctx,
- dctx->db,
- dctx->version,
- style, dctx->fp,
- dctx->task,
- dumpdone, dctx,
- &dctx->mdctx);
- if (result == DNS_R_CONTINUE)
- return;
- if (result == ISC_R_NOTIMPLEMENTED) {
- fprintf(dctx->fp, "; %s\n",
- dns_result_totext(result));
- result = ISC_R_SUCCESS;
- goto nextzone;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- }
- if (dctx->view != NULL)
- dctx->view = ISC_LIST_NEXT(dctx->view, link);
- if (dctx->view != NULL)
- goto nextview;
- done:
- fprintf(dctx->fp, "; Dump complete\n");
- result = isc_stdio_flush(dctx->fp);
- if (result == ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "dumpdb complete");
- cleanup:
- if (result != ISC_R_SUCCESS)
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "dumpdb failed: %s", dns_result_totext(result));
- dumpcontext_destroy(dctx);
-}
-
-isc_result_t
-ns_server_dumpdb(ns_server_t *server, char *args) {
- struct dumpcontext *dctx = NULL;
- dns_view_t *view;
- isc_result_t result;
- char *ptr;
- const char *sep;
-
- dctx = isc_mem_get(server->mctx, sizeof(*dctx));
- if (dctx == NULL)
- return (ISC_R_NOMEMORY);
-
- dctx->mctx = server->mctx;
- dctx->dumpcache = ISC_TRUE;
- dctx->dumpzones = ISC_FALSE;
- dctx->fp = NULL;
- ISC_LIST_INIT(dctx->viewlist);
- dctx->view = NULL;
- dctx->zone = NULL;
- dctx->cache = NULL;
- dctx->mdctx = NULL;
- dctx->db = NULL;
- dctx->cache = NULL;
- dctx->task = NULL;
- dctx->version = NULL;
- isc_task_attach(server->task, &dctx->task);
-
- CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
- "could not open dump file", server->dumpfile);
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- sep = (args == NULL) ? "" : ": ";
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "dumpdb started%s%s", sep, (args != NULL) ? args : "");
-
- ptr = next_token(&args, " \t");
- if (ptr != NULL && strcmp(ptr, "-all") == 0) {
- dctx->dumpzones = ISC_TRUE;
- dctx->dumpcache = ISC_TRUE;
- ptr = next_token(&args, " \t");
- } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
- dctx->dumpzones = ISC_FALSE;
- dctx->dumpcache = ISC_TRUE;
- ptr = next_token(&args, " \t");
- } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
- dctx->dumpzones = ISC_TRUE;
- dctx->dumpcache = ISC_FALSE;
- ptr = next_token(&args, " \t");
- }
-
- nextview:
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (ptr != NULL && strcmp(view->name, ptr) != 0)
- continue;
- CHECK(add_view_tolist(dctx, view));
- }
- if (ptr != NULL) {
- ptr = next_token(&args, " \t");
- if (ptr != NULL)
- goto nextview;
- }
- dumpdone(dctx, ISC_R_SUCCESS);
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (dctx != NULL)
- dumpcontext_destroy(dctx);
- return (result);
-}
-
-isc_result_t
-ns_server_dumprecursing(ns_server_t *server) {
- FILE *fp = NULL;
- isc_result_t result;
-
- CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
- "could not open dump file", server->recfile);
- fprintf(fp,";\n; Recursing Queries\n;\n");
- ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
- fprintf(fp, "; Dump complete\n");
-
- cleanup:
- if (fp != NULL)
- result = isc_stdio_close(fp);
- return (result);
-}
-
-isc_result_t
-ns_server_setdebuglevel(ns_server_t *server, char *args) {
- char *ptr;
- char *levelstr;
- char *endp;
- long newlevel;
-
- UNUSED(server);
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Look for the new level name. */
- levelstr = next_token(&args, " \t");
- if (levelstr == NULL) {
- if (ns_g_debuglevel < 99)
- ns_g_debuglevel++;
- } else {
- newlevel = strtol(levelstr, &endp, 10);
- if (*endp != '\0' || newlevel < 0 || newlevel > 99)
- return (ISC_R_RANGE);
- ns_g_debuglevel = (unsigned int)newlevel;
- }
- isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_server_flushcache(ns_server_t *server, char *args) {
- char *ptr, *viewname;
- dns_view_t *view;
- isc_boolean_t flushed = ISC_FALSE;
- isc_result_t result;
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Look for the view name. */
- viewname = next_token(&args, " \t");
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
- continue;
- result = dns_view_flushcache(view);
- if (result != ISC_R_SUCCESS)
- goto out;
- flushed = ISC_TRUE;
- }
- if (flushed)
- result = ISC_R_SUCCESS;
- else
- result = ISC_R_FAILURE;
- out:
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-isc_result_t
-ns_server_flushname(ns_server_t *server, char *args) {
- char *ptr, *target, *viewname;
- dns_view_t *view;
- isc_boolean_t flushed = ISC_FALSE;
- isc_result_t result;
- isc_buffer_t b;
- dns_fixedname_t fixed;
- dns_name_t *name;
-
- /* Skip the command name. */
- ptr = next_token(&args, " \t");
- if (ptr == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- /* Find the domain name to flush. */
- target = next_token(&args, " \t");
- if (target == NULL)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_init(&b, target, strlen(target));
- isc_buffer_add(&b, strlen(target));
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /* Look for the view name. */
- viewname = next_token(&args, " \t");
-
- result = isc_task_beginexclusive(server->task);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- flushed = ISC_TRUE;
- for (view = ISC_LIST_HEAD(server->viewlist);
- view != NULL;
- view = ISC_LIST_NEXT(view, link))
- {
- if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
- continue;
- result = dns_view_flushname(view, name);
- if (result != ISC_R_SUCCESS)
- flushed = ISC_FALSE;
- }
- if (flushed)
- result = ISC_R_SUCCESS;
- else
- result = ISC_R_FAILURE;
- isc_task_endexclusive(server->task);
- return (result);
-}
-
-isc_result_t
-ns_server_status(ns_server_t *server, isc_buffer_t *text) {
- int zonecount, xferrunning, xferdeferred, soaqueries;
- unsigned int n;
-
- zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
- xferrunning = dns_zonemgr_getcount(server->zonemgr,
- DNS_ZONESTATE_XFERRUNNING);
- xferdeferred = dns_zonemgr_getcount(server->zonemgr,
- DNS_ZONESTATE_XFERDEFERRED);
- soaqueries = dns_zonemgr_getcount(server->zonemgr,
- DNS_ZONESTATE_SOAQUERY);
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "number of zones: %u\n"
- "debug level: %d\n"
- "xfers running: %u\n"
- "xfers deferred: %u\n"
- "soa queries in progress: %u\n"
- "query logging is %s\n"
- "recursive clients: %d/%d\n"
- "tcp clients: %d/%d\n"
- "server is up and running",
- zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
- soaqueries, server->log_queries ? "ON" : "OFF",
- server->recursionquota.used, server->recursionquota.max,
- server->tcpquota.used, server->tcpquota.max);
- if (n >= isc_buffer_availablelength(text))
- return (ISC_R_NOSPACE);
- isc_buffer_add(text, n);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Act on a "freeze" or "unfreeze" command from the command channel.
- */
-isc_result_t
-ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
- isc_result_t result;
- dns_zone_t *zone = NULL;
- dns_zonetype_t type;
- char classstr[DNS_RDATACLASS_FORMATSIZE];
- char zonename[DNS_NAME_FORMATSIZE];
- dns_view_t *view;
- char *journal;
- const char *vname, *sep;
- isc_boolean_t frozen;
-
- result = zone_from_args(server, args, &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (zone == NULL)
- return (ISC_R_UNEXPECTEDEND);
- type = dns_zone_gettype(zone);
- if (type != dns_zone_master) {
- dns_zone_detach(&zone);
- return (ISC_R_NOTFOUND);
- }
-
- frozen = dns_zone_getupdatedisabled(zone);
- if (freeze) {
- if (frozen)
- result = DNS_R_FROZEN;
- if (result == ISC_R_SUCCESS)
- result = dns_zone_flush(zone);
- if (result == ISC_R_SUCCESS) {
- journal = dns_zone_getjournal(zone);
- if (journal != NULL)
- (void)isc_file_remove(journal);
- }
- } else {
- if (frozen) {
- result = dns_zone_load(zone);
- if (result == DNS_R_CONTINUE ||
- result == DNS_R_UPTODATE)
- result = ISC_R_SUCCESS;
- }
- }
- if (result == ISC_R_SUCCESS)
- dns_zone_setupdatedisabled(zone, freeze);
-
- view = dns_zone_getview(zone);
- if (strcmp(view->name, "_bind") == 0 ||
- strcmp(view->name, "_default") == 0)
- {
- vname = "";
- sep = "";
- } else {
- vname = view->name;
- sep = " ";
- }
- dns_rdataclass_format(dns_zone_getclass(zone), classstr,
- sizeof(classstr));
- dns_name_format(dns_zone_getorigin(zone),
- zonename, sizeof(zonename));
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
- NS_LOGMODULE_SERVER, ISC_LOG_INFO,
- "%s zone '%s/%s'%s%s: %s",
- freeze ? "freezing" : "unfreezing",
- zonename, classstr, sep, vname,
- isc_result_totext(result));
- dns_zone_detach(&zone);
- return (result);
-}
-
-#ifdef HAVE_LIBSCF
-/*
- * This function adds a message for rndc to echo if named
- * is managed by smf and is also running chroot.
- */
-isc_result_t
-ns_smf_add_message(isc_buffer_t *text) {
- unsigned int n;
-
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "use svcadm(1M) to manage named");
- if (n >= isc_buffer_availablelength(text))
- return (ISC_R_NOSPACE);
- isc_buffer_add(text, n);
- return (ISC_R_SUCCESS);
-}
-#endif /* HAVE_LIBSCF */
diff --git a/contrib/bind9/bin/named/sortlist.c b/contrib/bind9/bin/named/sortlist.c
deleted file mode 100644
index 0098fe779c89..000000000000
--- a/contrib/bind9/bin/named/sortlist.c
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sortlist.c,v 1.5.12.4 2004/03/08 04:04:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/result.h>
-
-#include <named/globals.h>
-#include <named/server.h>
-#include <named/sortlist.h>
-
-ns_sortlisttype_t
-ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
- unsigned int i;
-
- if (acl == NULL)
- goto dont_sort;
-
- for (i = 0; i < acl->length; i++) {
- /*
- * 'e' refers to the current 'top level statement'
- * in the sortlist (see ARM).
- */
- dns_aclelement_t *e = &acl->elements[i];
- dns_aclelement_t *try_elt;
- dns_aclelement_t *order_elt = NULL;
- dns_aclelement_t *matched_elt = NULL;
-
- if (e->type == dns_aclelementtype_nestedacl) {
- dns_acl_t *inner = e->u.nestedacl;
-
- if (inner->length < 1 || inner->length > 2)
- goto dont_sort;
- if (inner->elements[0].negative)
- goto dont_sort;
- try_elt = &inner->elements[0];
- if (inner->length == 2)
- order_elt = &inner->elements[1];
- } else {
- /*
- * BIND 8 allows bare elements at the top level
- * as an undocumented feature.
- */
- try_elt = e;
- }
-
- if (dns_aclelement_match(clientaddr, NULL, try_elt,
- &ns_g_server->aclenv,
- &matched_elt)) {
- if (order_elt != NULL) {
- if (order_elt->type ==
- dns_aclelementtype_nestedacl) {
- *argp = order_elt->u.nestedacl;
- return (NS_SORTLISTTYPE_2ELEMENT);
- } else if (order_elt->type ==
- dns_aclelementtype_localhost &&
- ns_g_server->aclenv.localhost != NULL) {
- *argp = ns_g_server->aclenv.localhost;
- return (NS_SORTLISTTYPE_2ELEMENT);
- } else if (order_elt->type ==
- dns_aclelementtype_localnets &&
- ns_g_server->aclenv.localnets != NULL) {
- *argp = ns_g_server->aclenv.localnets;
- return (NS_SORTLISTTYPE_2ELEMENT);
- } else {
- /*
- * BIND 8 allows a bare IP prefix as
- * the 2nd element of a 2-element
- * sortlist statement.
- */
- *argp = order_elt;
- return (NS_SORTLISTTYPE_1ELEMENT);
- }
- } else {
- INSIST(matched_elt != NULL);
- *argp = matched_elt;
- return (NS_SORTLISTTYPE_1ELEMENT);
- }
- }
- }
-
- /* No match; don't sort. */
- dont_sort:
- *argp = NULL;
- return (NS_SORTLISTTYPE_NONE);
-}
-
-int
-ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
- dns_acl_t *sortacl = (dns_acl_t *) arg;
- int match;
-
- (void)dns_acl_match(addr, NULL, sortacl,
- &ns_g_server->aclenv,
- &match, NULL);
- if (match > 0)
- return (match);
- else if (match < 0)
- return (INT_MAX - (-match));
- else
- return (INT_MAX / 2);
-}
-
-int
-ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
- dns_aclelement_t *matchelt = (dns_aclelement_t *) arg;
- if (dns_aclelement_match(addr, NULL, matchelt,
- &ns_g_server->aclenv,
- NULL)) {
- return (0);
- } else {
- return (INT_MAX);
- }
-}
-
-void
-ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
- dns_addressorderfunc_t *orderp,
- void **argp)
-{
- ns_sortlisttype_t sortlisttype;
-
- sortlisttype = ns_sortlist_setup(sortlist_acl, client_addr, argp);
-
- switch (sortlisttype) {
- case NS_SORTLISTTYPE_1ELEMENT:
- *orderp = ns_sortlist_addrorder1;
- break;
- case NS_SORTLISTTYPE_2ELEMENT:
- *orderp = ns_sortlist_addrorder2;
- break;
- case NS_SORTLISTTYPE_NONE:
- *orderp = NULL;
- break;
- default:
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unexpected return from ns_sortlist_setup(): "
- "%d", sortlisttype);
- break;
- }
-}
-
diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c
deleted file mode 100644
index 7fc13f3d9c0b..000000000000
--- a/contrib/bind9/bin/named/tkeyconf.c
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tkeyconf.c,v 1.19.208.2 2004/06/11 00:30:51 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/mem.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-#include <dns/tkey.h>
-
-#include <dst/gssapi.h>
-
-#include <named/tkeyconf.h>
-
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto failure; \
- } while (0)
-
-
-isc_result_t
-ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
- dns_tkeyctx_t **tctxp)
-{
- isc_result_t result;
- dns_tkeyctx_t *tctx = NULL;
- char *s;
- isc_uint32_t n;
- dns_fixedname_t fname;
- dns_name_t *name;
- isc_buffer_t b;
- cfg_obj_t *obj;
- int type;
-
- result = dns_tkeyctx_create(mctx, ectx, &tctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = NULL;
- result = cfg_map_get(options, "tkey-dhkey", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
- n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
- isc_buffer_init(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname,
- ISC_FALSE, NULL));
- type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
- RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH,
- type, NULL, mctx, &tctx->dhkey));
- }
-
- obj = NULL;
- result = cfg_map_get(options, "tkey-domain", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(obj);
- isc_buffer_init(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
- NULL));
- tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
- if (tctx->domain == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- dns_name_init(tctx->domain, NULL);
- RETERR(dns_name_dup(name, mctx, tctx->domain));
- }
-
- obj = NULL;
- result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
- if (result == ISC_R_SUCCESS) {
- s = cfg_obj_asstring(obj);
- isc_buffer_init(&b, s, strlen(s));
- isc_buffer_add(&b, strlen(s));
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
- NULL));
- RETERR(dst_gssapi_acquirecred(name, ISC_FALSE,
- &tctx->gsscred));
- }
-
- *tctxp = tctx;
- return (ISC_R_SUCCESS);
-
- failure:
- dns_tkeyctx_destroy(&tctx);
- return (result);
-}
-
diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c
deleted file mode 100644
index 38524c37fad7..000000000000
--- a/contrib/bind9/bin/named/tsigconf.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsigconf.c,v 1.21.208.4 2004/03/08 04:04:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-
-#include <isccfg/cfg.h>
-
-#include <dns/tsig.h>
-#include <dns/result.h>
-
-#include <named/log.h>
-
-#include <named/config.h>
-#include <named/tsigconf.h>
-
-static isc_result_t
-add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
- cfg_listelt_t *element;
- cfg_obj_t *key = NULL;
- char *keyid = NULL;
- unsigned char *secret = NULL;
- int secretalloc = 0;
- int secretlen = 0;
- isc_result_t ret;
- isc_stdtime_t now;
-
- for (element = cfg_list_first(list);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *algobj = NULL;
- cfg_obj_t *secretobj = NULL;
- dns_name_t keyname;
- dns_name_t *alg;
- char *algstr;
- char keynamedata[1024];
- isc_buffer_t keynamesrc, keynamebuf;
- char *secretstr;
- isc_buffer_t secretbuf;
-
- key = cfg_listelt_value(element);
- keyid = cfg_obj_asstring(cfg_map_getname(key));
-
- algobj = NULL;
- secretobj = NULL;
- (void)cfg_map_get(key, "algorithm", &algobj);
- (void)cfg_map_get(key, "secret", &secretobj);
- INSIST(algobj != NULL && secretobj != NULL);
-
- /*
- * Create the key name.
- */
- dns_name_init(&keyname, NULL);
- isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
- isc_buffer_add(&keynamesrc, strlen(keyid));
- isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
- ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
- ISC_TRUE, &keynamebuf);
- if (ret != ISC_R_SUCCESS)
- goto failure;
-
- /*
- * Create the algorithm.
- */
- algstr = cfg_obj_asstring(algobj);
- if (ns_config_getkeyalgorithm(algstr, &alg) != ISC_R_SUCCESS) {
- cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
- "key '%s': the only supported algorithm "
- "is hmac-md5", keyid);
- ret = DNS_R_BADALG;
- goto failure;
- }
-
- secretstr = cfg_obj_asstring(secretobj);
- secretalloc = secretlen = strlen(secretstr) * 3 / 4;
- secret = isc_mem_get(mctx, secretlen);
- if (secret == NULL) {
- ret = ISC_R_NOMEMORY;
- goto failure;
- }
- isc_buffer_init(&secretbuf, secret, secretlen);
- ret = isc_base64_decodestring(secretstr, &secretbuf);
- if (ret != ISC_R_SUCCESS)
- goto failure;
- secretlen = isc_buffer_usedlength(&secretbuf);
-
- isc_stdtime_get(&now);
- ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
- ISC_FALSE, NULL, now, now,
- mctx, ring, NULL);
- isc_mem_put(mctx, secret, secretalloc);
- secret = NULL;
- if (ret != ISC_R_SUCCESS)
- goto failure;
- }
-
- return (ISC_R_SUCCESS);
-
- failure:
- cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
- "configuring key '%s': %s", keyid,
- isc_result_totext(ret));
-
- if (secret != NULL)
- isc_mem_put(mctx, secret, secretalloc);
- return (ret);
-
-}
-
-isc_result_t
-ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
- isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
-{
- cfg_obj_t *maps[3];
- cfg_obj_t *keylist;
- dns_tsig_keyring_t *ring = NULL;
- isc_result_t result;
- int i;
-
- i = 0;
- if (config != NULL)
- maps[i++] = config;
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- maps[i] = NULL;
-
- result = dns_tsigkeyring_create(mctx, &ring);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- for (i = 0; ; i++) {
- if (maps[i] == NULL)
- break;
- keylist = NULL;
- result = cfg_map_get(maps[i], "key", &keylist);
- if (result != ISC_R_SUCCESS)
- continue;
- result = add_initial_keys(keylist, ring, mctx);
- if (result != ISC_R_SUCCESS)
- goto failure;
- }
-
- *ringp = ring;
- return (ISC_R_SUCCESS);
-
- failure:
- dns_tsigkeyring_destroy(&ring);
- return (result);
-}
diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in
deleted file mode 100644
index 60ce968865dc..000000000000
--- a/contrib/bind9/bin/named/unix/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.6.12.3 2004/03/08 09:04:15 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
- ${DNS_INCLUDES} ${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-OBJS = os.@O@
-
-SRCS = os.c
-
-TARGETS = ${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h
deleted file mode 100644
index 03baee57ea48..000000000000
--- a/contrib/bind9/bin/named/unix/include/named/os.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.h,v 1.14.2.2.8.9 2004/09/29 06:36:44 marka Exp $ */
-
-#ifndef NS_OS_H
-#define NS_OS_H 1
-
-#include <isc/types.h>
-
-void
-ns_os_init(const char *progname);
-
-void
-ns_os_daemonize(void);
-
-void
-ns_os_opendevnull(void);
-
-void
-ns_os_closedevnull(void);
-
-void
-ns_os_chroot(const char *root);
-
-void
-ns_os_inituserinfo(const char *username);
-
-void
-ns_os_changeuser(void);
-
-void
-ns_os_minprivs(void);
-
-void
-ns_os_writepidfile(const char *filename, isc_boolean_t first_time);
-
-void
-ns_os_shutdown(void);
-
-isc_result_t
-ns_os_gethostname(char *buf, size_t len);
-
-void
-ns_os_shutdownmsg(char *command, isc_buffer_t *text);
-
-void
-ns_os_tzset(void);
-
-void
-ns_os_started(void);
-
-#endif /* NS_OS_H */
diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c
deleted file mode 100644
index f306f1462259..000000000000
--- a/contrib/bind9/bin/named/unix/os.c
+++ /dev/null
@@ -1,682 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.c,v 1.46.2.4.8.22 2005/05/20 01:37:19 marka Exp $ */
-
-#include <config.h>
-#include <stdarg.h>
-
-#include <sys/types.h> /* dev_t FreeBSD 2.1 */
-#include <sys/stat.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <grp.h> /* Required for initgroups() on IRIX. */
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <syslog.h>
-#ifdef HAVE_TZSET
-#include <time.h>
-#endif
-#include <unistd.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-
-#include <named/main.h>
-#include <named/os.h>
-#ifdef HAVE_LIBSCF
-#include <named/ns_smf_globals.h>
-#endif
-
-static char *pidfile = NULL;
-static int devnullfd = -1;
-
-#ifndef ISC_FACILITY
-#define ISC_FACILITY LOG_DAEMON
-#endif
-
-/*
- * If there's no <linux/capability.h>, we don't care about <sys/prctl.h>
- */
-#ifndef HAVE_LINUX_CAPABILITY_H
-#undef HAVE_SYS_PRCTL_H
-#endif
-
-/*
- * Linux defines:
- * (T) HAVE_LINUXTHREADS
- * (C) HAVE_LINUX_CAPABILITY_H
- * (P) HAVE_SYS_PRCTL_H
- * The possible cases are:
- * none: setuid() normally
- * T: no setuid()
- * C: setuid() normally, drop caps (keep CAP_SETUID)
- * T+C: no setuid(), drop caps (don't keep CAP_SETUID)
- * T+C+P: setuid() early, drop caps (keep CAP_SETUID)
- * C+P: setuid() normally, drop caps (keep CAP_SETUID)
- * P: not possible
- * T+P: not possible
- *
- * if (C)
- * caps = BIND_SERVICE + CHROOT + SETGID
- * if ((T && C && P) || !T)
- * caps += SETUID
- * endif
- * capset(caps)
- * endif
- * if (T && C && P && -u)
- * setuid()
- * else if (T && -u)
- * fail
- * --> start threads
- * if (!T && -u)
- * setuid()
- * if (C && (P || !-u))
- * caps = BIND_SERVICE
- * capset(caps)
- * endif
- *
- * It will be nice when Linux threads work properly with setuid().
- */
-
-#ifdef HAVE_LINUXTHREADS
-static pid_t mainpid = 0;
-#endif
-
-static struct passwd *runas_pw = NULL;
-static isc_boolean_t done_setuid = ISC_FALSE;
-static int dfd[2] = { -1, -1 };
-
-#ifdef HAVE_LINUX_CAPABILITY_H
-
-static isc_boolean_t non_root = ISC_FALSE;
-static isc_boolean_t non_root_caps = ISC_FALSE;
-
-/*
- * We define _LINUX_FS_H to prevent it from being included. We don't need
- * anything from it, and the files it includes cause warnings with 2.2
- * kernels, and compilation failures (due to conflicts between <linux/string.h>
- * and <string.h>) on 2.3 kernels.
- */
-#define _LINUX_FS_H
-
-#include <sys/syscall.h> /* Required for syscall(). */
-#include <linux/capability.h> /* Required for _LINUX_CAPABILITY_VERSION. */
-
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h> /* Required for prctl(). */
-
-/*
- * If the value of PR_SET_KEEPCAPS is not in <sys/prctl.h>, define it
- * here. This allows setuid() to work on systems running a new enough
- * kernel but with /usr/include/linux pointing to "standard" kernel
- * headers.
- */
-#ifndef PR_SET_KEEPCAPS
-#define PR_SET_KEEPCAPS 8
-#endif
-
-#endif /* HAVE_SYS_PRCTL_H */
-
-#ifndef SYS_capset
-#ifndef __NR_capset
-#include <asm/unistd.h> /* Slackware 4.0 needs this. */
-#endif
-#define SYS_capset __NR_capset
-#endif
-
-static void
-linux_setcaps(unsigned int caps) {
- struct __user_cap_header_struct caphead;
- struct __user_cap_data_struct cap;
- char strbuf[ISC_STRERRORSIZE];
-
- if ((getuid() != 0 && !non_root_caps) || non_root)
- return;
-
- memset(&caphead, 0, sizeof(caphead));
- caphead.version = _LINUX_CAPABILITY_VERSION;
- caphead.pid = 0;
- memset(&cap, 0, sizeof(cap));
- cap.effective = caps;
- cap.permitted = caps;
- cap.inheritable = 0;
- if (syscall(SYS_capset, &caphead, &cap) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("capset failed: %s:"
- " please ensure that the capset kernel"
- " module is loaded. see insmod(8)",
- strbuf);
- }
-}
-
-static void
-linux_initialprivs(void) {
- unsigned int caps;
-
- /*
- * We don't need most privileges, so we drop them right away.
- * Later on linux_minprivs() will be called, which will drop our
- * capabilities to the minimum needed to run the server.
- */
-
- caps = 0;
-
- /*
- * We need to be able to bind() to privileged ports, notably port 53!
- */
- caps |= (1 << CAP_NET_BIND_SERVICE);
-
- /*
- * We need chroot() initially too.
- */
- caps |= (1 << CAP_SYS_CHROOT);
-
-#if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS)
- /*
- * We can setuid() only if either the kernel supports keeping
- * capabilities after setuid() (which we don't know until we've
- * tried) or we're not using threads. If either of these is
- * true, we want the setuid capability.
- */
- caps |= (1 << CAP_SETUID);
-#endif
-
- /*
- * Since we call initgroups, we need this.
- */
- caps |= (1 << CAP_SETGID);
-
- /*
- * Without this, we run into problems reading a configuration file
- * owned by a non-root user and non-world-readable on startup.
- */
- caps |= (1 << CAP_DAC_READ_SEARCH);
-
- /*
- * XXX We might want to add CAP_SYS_RESOURCE, though it's not
- * clear it would work right given the way linuxthreads work.
- * XXXDCL But since we need to be able to set the maximum number
- * of files, the stack size, data size, and core dump size to
- * support named.conf options, this is now being added to test.
- */
- caps |= (1 << CAP_SYS_RESOURCE);
-
- linux_setcaps(caps);
-}
-
-static void
-linux_minprivs(void) {
- unsigned int caps;
-
- /*
- * Drop all privileges except the ability to bind() to privileged
- * ports.
- *
- * It's important that we drop CAP_SYS_CHROOT. If we didn't, it
- * chroot() could be used to escape from the chrooted area.
- */
-
- caps = 0;
- caps |= (1 << CAP_NET_BIND_SERVICE);
-
- /*
- * XXX We might want to add CAP_SYS_RESOURCE, though it's not
- * clear it would work right given the way linuxthreads work.
- * XXXDCL But since we need to be able to set the maximum number
- * of files, the stack size, data size, and core dump size to
- * support named.conf options, this is now being added to test.
- */
- caps |= (1 << CAP_SYS_RESOURCE);
-
- linux_setcaps(caps);
-}
-
-#ifdef HAVE_SYS_PRCTL_H
-static void
-linux_keepcaps(void) {
- char strbuf[ISC_STRERRORSIZE];
- /*
- * Ask the kernel to allow us to keep our capabilities after we
- * setuid().
- */
-
- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
- if (errno != EINVAL) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("prctl() failed: %s", strbuf);
- }
- } else {
- non_root_caps = ISC_TRUE;
- if (getuid() != 0)
- non_root = ISC_TRUE;
- }
-}
-#endif
-
-#endif /* HAVE_LINUX_CAPABILITY_H */
-
-
-static void
-setup_syslog(const char *progname) {
- int options;
-
- options = LOG_PID;
-#ifdef LOG_NDELAY
- options |= LOG_NDELAY;
-#endif
- openlog(isc_file_basename(progname), options, ISC_FACILITY);
-}
-
-void
-ns_os_init(const char *progname) {
- setup_syslog(progname);
-#ifdef HAVE_LINUX_CAPABILITY_H
- linux_initialprivs();
-#endif
-#ifdef HAVE_LINUXTHREADS
- mainpid = getpid();
-#endif
-#ifdef SIGXFSZ
- signal(SIGXFSZ, SIG_IGN);
-#endif
-}
-
-void
-ns_os_daemonize(void) {
- pid_t pid;
- char strbuf[ISC_STRERRORSIZE];
-
- if (pipe(dfd) == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("pipe(): %s", strbuf);
- }
-
- pid = fork();
- if (pid == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("fork(): %s", strbuf);
- }
- if (pid != 0) {
- int n;
- /*
- * Wait for the child to finish loading for the first time.
- * This would be so much simpler if fork() worked once we
- * were multi-threaded.
- */
- (void)close(dfd[1]);
- do {
- char buf;
- n = read(dfd[0], &buf, 1);
- if (n == 1)
- _exit(0);
- } while (n == -1 && errno == EINTR);
- _exit(1);
- }
- (void)close(dfd[0]);
-
- /*
- * We're the child.
- */
-
-#ifdef HAVE_LINUXTHREADS
- mainpid = getpid();
-#endif
-
- if (setsid() == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("setsid(): %s", strbuf);
- }
-
- /*
- * Try to set stdin, stdout, and stderr to /dev/null, but press
- * on even if it fails.
- *
- * XXXMLG The close() calls here are unneeded on all but NetBSD, but
- * are harmless to include everywhere. dup2() is supposed to close
- * the FD if it is in use, but unproven-pthreads-0.16 is broken
- * and will end up closing the wrong FD. This will be fixed eventually,
- * and these calls will be removed.
- */
- if (devnullfd != -1) {
- if (devnullfd != STDIN_FILENO) {
- (void)close(STDIN_FILENO);
- (void)dup2(devnullfd, STDIN_FILENO);
- }
- if (devnullfd != STDOUT_FILENO) {
- (void)close(STDOUT_FILENO);
- (void)dup2(devnullfd, STDOUT_FILENO);
- }
- if (devnullfd != STDERR_FILENO) {
- (void)close(STDERR_FILENO);
- (void)dup2(devnullfd, STDERR_FILENO);
- }
- }
-}
-
-void
-ns_os_started(void) {
- char buf = 0;
-
- /*
- * Signal to the parent that we stated successfully.
- */
- if (dfd[0] != -1 && dfd[1] != -1) {
- write(dfd[1], &buf, 1);
- close(dfd[1]);
- dfd[0] = dfd[1] = -1;
- }
-}
-
-void
-ns_os_opendevnull(void) {
- devnullfd = open("/dev/null", O_RDWR, 0);
-}
-
-void
-ns_os_closedevnull(void) {
- if (devnullfd != STDIN_FILENO &&
- devnullfd != STDOUT_FILENO &&
- devnullfd != STDERR_FILENO) {
- close(devnullfd);
- devnullfd = -1;
- }
-}
-
-static isc_boolean_t
-all_digits(const char *s) {
- if (*s == '\0')
- return (ISC_FALSE);
- while (*s != '\0') {
- if (!isdigit((*s)&0xff))
- return (ISC_FALSE);
- s++;
- }
- return (ISC_TRUE);
-}
-
-void
-ns_os_chroot(const char *root) {
- char strbuf[ISC_STRERRORSIZE];
-#ifdef HAVE_LIBSCF
- ns_smf_chroot = 0;
-#endif
- if (root != NULL) {
- if (chroot(root) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("chroot(): %s", strbuf);
- }
- if (chdir("/") < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("chdir(/): %s", strbuf);
- }
-#ifdef HAVE_LIBSCF
- /* Set ns_smf_chroot flag on successful chroot. */
- ns_smf_chroot = 1;
-#endif
- }
-}
-
-void
-ns_os_inituserinfo(const char *username) {
- char strbuf[ISC_STRERRORSIZE];
- if (username == NULL)
- return;
-
- if (all_digits(username))
- runas_pw = getpwuid((uid_t)atoi(username));
- else
- runas_pw = getpwnam(username);
- endpwent();
-
- if (runas_pw == NULL)
- ns_main_earlyfatal("user '%s' unknown", username);
-
- if (getuid() == 0) {
- if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("initgroups(): %s", strbuf);
- }
- }
-
-}
-
-void
-ns_os_changeuser(void) {
- char strbuf[ISC_STRERRORSIZE];
- if (runas_pw == NULL || done_setuid)
- return;
-
- done_setuid = ISC_TRUE;
-
-#ifdef HAVE_LINUXTHREADS
-#ifdef HAVE_LINUX_CAPABILITY_H
- if (!non_root_caps)
- ns_main_earlyfatal("-u with Linux threads not supported: "
- "requires kernel support for "
- "prctl(PR_SET_KEEPCAPS)");
-#else
- ns_main_earlyfatal("-u with Linux threads not supported: "
- "no capabilities support or capabilities "
- "disabled at build time");
-#endif
-#endif
-
- if (setgid(runas_pw->pw_gid) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("setgid(): %s", strbuf);
- }
-
- if (setuid(runas_pw->pw_uid) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- ns_main_earlyfatal("setuid(): %s", strbuf);
- }
-
-#if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
- linux_minprivs();
-#endif
-}
-
-void
-ns_os_minprivs(void) {
-#ifdef HAVE_SYS_PRCTL_H
- linux_keepcaps();
-#endif
-
-#ifdef HAVE_LINUXTHREADS
- ns_os_changeuser(); /* Call setuid() before threads are started */
-#endif
-
-#if defined(HAVE_LINUX_CAPABILITY_H) && defined(HAVE_LINUXTHREADS)
- linux_minprivs();
-#endif
-}
-
-static int
-safe_open(const char *filename, isc_boolean_t append) {
- int fd;
- struct stat sb;
-
- if (stat(filename, &sb) == -1) {
- if (errno != ENOENT)
- return (-1);
- } else if ((sb.st_mode & S_IFREG) == 0) {
- errno = EOPNOTSUPP;
- return (-1);
- }
-
- if (append)
- fd = open(filename, O_WRONLY|O_CREAT|O_APPEND,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- else {
- (void)unlink(filename);
- fd = open(filename, O_WRONLY|O_CREAT|O_EXCL,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- }
- return (fd);
-}
-
-static void
-cleanup_pidfile(void) {
- if (pidfile != NULL) {
- (void)unlink(pidfile);
- free(pidfile);
- }
- pidfile = NULL;
-}
-
-void
-ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
- int fd;
- FILE *lockfile;
- size_t len;
- pid_t pid;
- char strbuf[ISC_STRERRORSIZE];
- void (*report)(const char *, ...);
-
- /*
- * The caller must ensure any required synchronization.
- */
-
- report = first_time ? ns_main_earlyfatal : ns_main_earlywarning;
-
- cleanup_pidfile();
-
- if (filename == NULL)
- return;
-
- len = strlen(filename);
- pidfile = malloc(len + 1);
- if (pidfile == NULL) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- (*report)("couldn't malloc '%s': %s", filename, strbuf);
- return;
- }
- /* This is safe. */
- strcpy(pidfile, filename);
-
- fd = safe_open(filename, ISC_FALSE);
- if (fd < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- (*report)("couldn't open pid file '%s': %s", filename, strbuf);
- free(pidfile);
- pidfile = NULL;
- return;
- }
- lockfile = fdopen(fd, "w");
- if (lockfile == NULL) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- (*report)("could not fdopen() pid file '%s': %s",
- filename, strbuf);
- (void)close(fd);
- cleanup_pidfile();
- return;
- }
-#ifdef HAVE_LINUXTHREADS
- pid = mainpid;
-#else
- pid = getpid();
-#endif
- if (fprintf(lockfile, "%ld\n", (long)pid) < 0) {
- (*report)("fprintf() to pid file '%s' failed", filename);
- (void)fclose(lockfile);
- cleanup_pidfile();
- return;
- }
- if (fflush(lockfile) == EOF) {
- (*report)("fflush() to pid file '%s' failed", filename);
- (void)fclose(lockfile);
- cleanup_pidfile();
- return;
- }
- (void)fclose(lockfile);
-}
-
-void
-ns_os_shutdown(void) {
- closelog();
- cleanup_pidfile();
-}
-
-isc_result_t
-ns_os_gethostname(char *buf, size_t len) {
- int n;
-
- n = gethostname(buf, len);
- return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
-}
-
-static char *
-next_token(char **stringp, const char *delim) {
- char *res;
-
- do {
- res = strsep(stringp, delim);
- if (res == NULL)
- break;
- } while (*res == '\0');
- return (res);
-}
-
-void
-ns_os_shutdownmsg(char *command, isc_buffer_t *text) {
- char *input, *ptr;
- unsigned int n;
- pid_t pid;
-
- input = command;
-
- /* Skip the command name. */
- ptr = next_token(&input, " \t");
- if (ptr == NULL)
- return;
-
- ptr = next_token(&input, " \t");
- if (ptr == NULL)
- return;
-
- if (strcmp(ptr, "-p") != 0)
- return;
-
-#ifdef HAVE_LINUXTHREADS
- pid = mainpid;
-#else
- pid = getpid();
-#endif
-
- n = snprintf((char *)isc_buffer_used(text),
- isc_buffer_availablelength(text),
- "pid: %ld", (long)pid);
- /* Only send a message if it is complete. */
- if (n < isc_buffer_availablelength(text))
- isc_buffer_add(text, n);
-}
-
-void
-ns_os_tzset(void) {
-#ifdef HAVE_TZSET
- tzset();
-#endif
-}
diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c
deleted file mode 100644
index 6c2d7597f797..000000000000
--- a/contrib/bind9/bin/named/update.c
+++ /dev/null
@@ -1,2826 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: update.c,v 1.88.2.5.2.27 2005/10/08 00:21:06 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/taskpool.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
-#include <dns/message.h>
-#include <dns/nsec.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/soa.h>
-#include <dns/ssu.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/client.h>
-#include <named/log.h>
-#include <named/update.h>
-
-/*
- * This module implements dynamic update as in RFC2136.
- */
-
-/*
- XXX TODO:
- - document strict minimality
-*/
-
-/**************************************************************************/
-
-/*
- * Log level for tracing dynamic update protocol requests.
- */
-#define LOGLEVEL_PROTOCOL ISC_LOG_INFO
-
-/*
- * Log level for low-level debug tracing.
- */
-#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
-
-/*
- * Check an operation for failure. These macros all assume that
- * the function using them has a 'result' variable and a 'failure'
- * label.
- */
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/*
- * Fail unconditionally with result 'code', which must not
- * be ISC_R_SUCCESS. The reason for failure presumably has
- * been logged already.
- *
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-
-#define FAIL(code) \
- do { \
- result = (code); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/*
- * Fail unconditionally and log as a client error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILC(code, msg) \
- do { \
- const char *_what = "failed"; \
- result = (code); \
- switch (result) { \
- case DNS_R_NXDOMAIN: \
- case DNS_R_YXDOMAIN: \
- case DNS_R_YXRRSET: \
- case DNS_R_NXRRSET: \
- _what = "unsuccessful"; \
- } \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s (%s)", _what, \
- msg, isc_result_totext(result)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define FAILN(code, name, msg) \
- do { \
- const char *_what = "failed"; \
- result = (code); \
- switch (result) { \
- case DNS_R_NXDOMAIN: \
- case DNS_R_YXDOMAIN: \
- case DNS_R_YXRRSET: \
- case DNS_R_NXRRSET: \
- _what = "unsuccessful"; \
- } \
- if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
- char _nbuf[DNS_NAME_FORMATSIZE]; \
- dns_name_format(name, _nbuf, sizeof(_nbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s: %s (%s)", _what, _nbuf, \
- msg, isc_result_totext(result)); \
- } \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define FAILNT(code, name, type, msg) \
- do { \
- const char *_what = "failed"; \
- result = (code); \
- switch (result) { \
- case DNS_R_NXDOMAIN: \
- case DNS_R_YXDOMAIN: \
- case DNS_R_YXRRSET: \
- case DNS_R_NXRRSET: \
- _what = "unsuccessful"; \
- } \
- if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
- char _nbuf[DNS_NAME_FORMATSIZE]; \
- char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
- dns_name_format(name, _nbuf, sizeof(_nbuf)); \
- dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "update %s: %s/%s: %s (%s)", \
- _what, _nbuf, _tbuf, msg, \
- isc_result_totext(result)); \
- } \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-/*
- * Fail unconditionally and log as a server error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILS(code, msg) \
- do { \
- result = (code); \
- update_log(client, zone, LOGLEVEL_PROTOCOL, \
- "error: %s: %s", \
- msg, isc_result_totext(result)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/**************************************************************************/
-
-typedef struct rr rr_t;
-
-struct rr {
- /* dns_name_t name; */
- isc_uint32_t ttl;
- dns_rdata_t rdata;
-};
-
-typedef struct update_event update_event_t;
-
-struct update_event {
- ISC_EVENT_COMMON(update_event_t);
- dns_zone_t *zone;
- isc_result_t result;
- dns_message_t *answer;
-};
-
-/**************************************************************************/
-/*
- * Forward declarations.
- */
-
-static void update_action(isc_task_t *task, isc_event_t *event);
-static void updatedone_action(isc_task_t *task, isc_event_t *event);
-static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
-static void forward_done(isc_task_t *task, isc_event_t *event);
-
-/**************************************************************************/
-
-static void
-update_log(ns_client_t *client, dns_zone_t *zone,
- int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
-
-static void
-update_log(ns_client_t *client, dns_zone_t *zone,
- int level, const char *fmt, ...)
-{
- va_list ap;
- char message[4096];
- char namebuf[DNS_NAME_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
- if (client == NULL || zone == NULL)
- return;
-
- if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE)
- return;
-
- dns_name_format(dns_zone_getorigin(zone), namebuf,
- sizeof(namebuf));
- dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
- sizeof(classbuf));
-
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
-
- ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
- level, "updating zone '%s/%s': %s",
- namebuf, classbuf, message);
-}
-
-static isc_result_t
-checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
- dns_name_t *zonename, isc_boolean_t slave)
-{
- char namebuf[DNS_NAME_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
- int level = ISC_LOG_ERROR;
- const char *msg = "denied";
- isc_result_t result;
-
- if (slave && acl == NULL) {
- result = DNS_R_NOTIMP;
- level = ISC_LOG_DEBUG(3);
- msg = "disabled";
- } else
- result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
-
- if (result == ISC_R_SUCCESS) {
- level = ISC_LOG_DEBUG(3);
- msg = "approved";
- }
-
- dns_name_format(zonename, namebuf, sizeof(namebuf));
- dns_rdataclass_format(client->view->rdclass, classbuf,
- sizeof(classbuf));
-
- ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
- NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
- message, namebuf, classbuf, msg);
- return (result);
-}
-
-/*
- * Update a single RR in version 'ver' of 'db' and log the
- * update in 'diff'.
- *
- * Ensures:
- * '*tuple' == NULL. Either the tuple is freed, or its
- * ownership has been transferred to the diff.
- */
-static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple,
- dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
-{
- dns_diff_t temp_diff;
- isc_result_t result;
-
- /*
- * Create a singleton diff.
- */
- dns_diff_init(diff->mctx, &temp_diff);
- ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
-
- /*
- * Apply it to the database.
- */
- result = dns_diff_apply(&temp_diff, db, ver);
- ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
- if (result != ISC_R_SUCCESS) {
- dns_difftuple_free(tuple);
- return (result);
- }
-
- /*
- * Merge it into the current pending journal entry.
- */
- dns_diff_appendminimal(diff, tuple);
-
- /*
- * Do not clear temp_diff.
- */
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Perform the updates in 'updates' in version 'ver' of 'db' and log the
- * update in 'diff'.
- *
- * Ensures:
- * 'updates' is empty.
- */
-static isc_result_t
-do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff)
-{
- isc_result_t result;
- while (! ISC_LIST_EMPTY(updates->tuples)) {
- dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples);
- ISC_LIST_UNLINK(updates->tuples, t, link);
- CHECK(do_one_tuple(&t, db, ver, diff));
- }
- return (ISC_R_SUCCESS);
-
- failure:
- dns_diff_clear(diff);
- return (result);
-}
-
-static isc_result_t
-update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
- dns_diffop_t op, dns_name_t *name,
- dns_ttl_t ttl, dns_rdata_t *rdata)
-{
- dns_difftuple_t *tuple = NULL;
- isc_result_t result;
- result = dns_difftuple_create(diff->mctx, op,
- name, ttl, rdata, &tuple);
- if (result != ISC_R_SUCCESS)
- return (result);
- return (do_one_tuple(&tuple, db, ver, diff));
-}
-
-/**************************************************************************/
-/*
- * Callback-style iteration over rdatasets and rdatas.
- *
- * foreach_rrset() can be used to iterate over the RRsets
- * of a name and call a callback function with each
- * one. Similarly, foreach_rr() can be used to iterate
- * over the individual RRs at name, optionally restricted
- * to RRs of a given type.
- *
- * The callback functions are called "actions" and take
- * two arguments: a void pointer for passing arbitrary
- * context information, and a pointer to the current RRset
- * or RR. By convention, their names end in "_action".
- */
-
-/*
- * XXXRTH We might want to make this public somewhere in libdns.
- */
-
-/*
- * Function type for foreach_rrset() iterator actions.
- */
-typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
-
-/*
- * Function type for foreach_rr() iterator actions.
- */
-typedef isc_result_t rr_func(void *data, rr_t *rr);
-
-/*
- * Internal context struct for foreach_node_rr().
- */
-typedef struct {
- rr_func * rr_action;
- void * rr_action_data;
-} foreach_node_rr_ctx_t;
-
-/*
- * Internal helper function for foreach_node_rr().
- */
-static isc_result_t
-foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
- isc_result_t result;
- foreach_node_rr_ctx_t *ctx = data;
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- rr_t rr = { 0, DNS_RDATA_INIT };
-
- dns_rdataset_current(rdataset, &rr.rdata);
- rr.ttl = rdataset->ttl;
- result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- if (result != ISC_R_NOMORE)
- return (result);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * For each rdataset of 'name' in 'ver' of 'db', call 'action'
- * with the rdataset and 'action_data' as arguments. If the name
- * does not exist, do nothing.
- *
- * If 'action' returns an error, abort iteration and return the error.
- */
-static isc_result_t
-foreach_rrset(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- rrset_func *action,
- void *action_data)
-{
- isc_result_t result;
- dns_dbnode_t *node;
- dns_rdatasetiter_t *iter;
-
- node = NULL;
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- iter = NULL;
- result = dns_db_allrdatasets(db, node, ver,
- (isc_stdtime_t) 0, &iter);
- if (result != ISC_R_SUCCESS)
- goto cleanup_node;
-
- for (result = dns_rdatasetiter_first(iter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iter))
- {
- dns_rdataset_t rdataset;
-
- dns_rdataset_init(&rdataset);
- dns_rdatasetiter_current(iter, &rdataset);
-
- result = (*action)(action_data, &rdataset);
-
- dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup_iterator;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- cleanup_iterator:
- dns_rdatasetiter_destroy(&iter);
-
- cleanup_node:
- dns_db_detachnode(db, &node);
-
- return (result);
-}
-
-/*
- * For each RR of 'name' in 'ver' of 'db', call 'action'
- * with the RR and 'action_data' as arguments. If the name
- * does not exist, do nothing.
- *
- * If 'action' returns an error, abort iteration
- * and return the error.
- */
-static isc_result_t
-foreach_node_rr(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- rr_func *rr_action,
- void *rr_action_data)
-{
- foreach_node_rr_ctx_t ctx;
- ctx.rr_action = rr_action;
- ctx.rr_action_data = rr_action_data;
- return (foreach_rrset(db, ver, name,
- foreach_node_rr_action, &ctx));
-}
-
-
-/*
- * For each of the RRs specified by 'db', 'ver', 'name', 'type',
- * (which can be dns_rdatatype_any to match any type), and 'covers', call
- * 'action' with the RR and 'action_data' as arguments. If the name
- * does not exist, or if no RRset of the given type exists at the name,
- * do nothing.
- *
- * If 'action' returns an error, abort iteration and return the error.
- */
-static isc_result_t
-foreach_rr(dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- rr_func *rr_action,
- void *rr_action_data)
-{
-
- isc_result_t result;
- dns_dbnode_t *node;
- dns_rdataset_t rdataset;
-
- if (type == dns_rdatatype_any)
- return (foreach_node_rr(db, ver, name,
- rr_action, rr_action_data));
-
- node = NULL;
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, ver, type, covers,
- (isc_stdtime_t) 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- result = ISC_R_SUCCESS;
- goto cleanup_node;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup_node;
-
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset))
- {
- rr_t rr = { 0, DNS_RDATA_INIT };
- dns_rdataset_current(&rdataset, &rr.rdata);
- rr.ttl = rdataset.ttl;
- result = (*rr_action)(rr_action_data, &rr);
- if (result != ISC_R_SUCCESS)
- goto cleanup_rdataset;
- }
- if (result != ISC_R_NOMORE)
- goto cleanup_rdataset;
- result = ISC_R_SUCCESS;
-
- cleanup_rdataset:
- dns_rdataset_disassociate(&rdataset);
- cleanup_node:
- dns_db_detachnode(db, &node);
-
- return (result);
-}
-
-/**************************************************************************/
-/*
- * Various tests on the database contents (for prerequisites, etc).
- */
-
-/*
- * Function type for predicate functions that compare a database RR 'db_rr'
- * against an update RR 'update_rr'.
- */
-typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
-
-/*
- * Helper function for rrset_exists().
- */
-static isc_result_t
-rrset_exists_action(void *data, rr_t *rr) {
- UNUSED(data);
- UNUSED(rr);
- return (ISC_R_EXISTS);
-}
-
-/*
- * Utility macro for RR existence checking functions.
- *
- * If the variable 'result' has the value ISC_R_EXISTS or
- * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
- * respectively, and return success.
- *
- * If 'result' has any other value, there was a failure.
- * Return the failure result code and do not set *exists.
- *
- * This would be more readable as "do { if ... } while(0)",
- * but that form generates tons of warnings on Solaris 2.6.
- */
-#define RETURN_EXISTENCE_FLAG \
- return ((result == ISC_R_EXISTS) ? \
- (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
- ((result == ISC_R_SUCCESS) ? \
- (*exists = ISC_FALSE, ISC_R_SUCCESS) : \
- result))
-
-/*
- * Set '*exists' to true iff an rrset of the given type exists,
- * to false otherwise.
- */
-static isc_result_t
-rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
- dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_boolean_t *exists)
-{
- isc_result_t result;
- result = foreach_rr(db, ver, name, type, covers,
- rrset_exists_action, NULL);
- RETURN_EXISTENCE_FLAG;
-}
-
-/*
- * Helper function for cname_incompatible_rrset_exists.
- */
-static isc_result_t
-cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
- UNUSED(data);
- if (rrset->type != dns_rdatatype_cname &&
- ! dns_rdatatype_isdnssec(rrset->type))
- return (ISC_R_EXISTS);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Check whether there is an rrset incompatible with adding a CNAME RR,
- * i.e., anything but another CNAME (which can be replaced) or a
- * DNSSEC RR (which can coexist).
- *
- * If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
- * Otherwise, set it to ISC_FALSE.
- */
-static isc_result_t
-cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
- dns_name_t *name, isc_boolean_t *exists) {
- isc_result_t result;
- result = foreach_rrset(db, ver, name,
- cname_compatibility_action, NULL);
- RETURN_EXISTENCE_FLAG;
-}
-
-/*
- * Helper function for rr_count().
- */
-static isc_result_t
-count_rr_action(void *data, rr_t *rr) {
- int *countp = data;
- UNUSED(rr);
- (*countp)++;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
- */
-static isc_result_t
-rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_rdatatype_t type, dns_rdatatype_t covers, int *countp)
-{
- *countp = 0;
- return (foreach_rr(db, ver, name, type, covers,
- count_rr_action, countp));
-}
-
-/*
- * Context struct and helper function for name_exists().
- */
-
-static isc_result_t
-name_exists_action(void *data, dns_rdataset_t *rrset) {
- UNUSED(data);
- UNUSED(rrset);
- return (ISC_R_EXISTS);
-}
-
-/*
- * Set '*exists' to true iff the given name exists, to false otherwise.
- */
-static isc_result_t
-name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- isc_boolean_t *exists)
-{
- isc_result_t result;
- result = foreach_rrset(db, ver, name,
- name_exists_action, NULL);
- RETURN_EXISTENCE_FLAG;
-}
-
-typedef struct {
- dns_name_t *name, *signer;
- dns_ssutable_t *table;
-} ssu_check_t;
-
-static isc_result_t
-ssu_checkrule(void *data, dns_rdataset_t *rrset) {
- ssu_check_t *ssuinfo = data;
- isc_boolean_t result;
-
- /*
- * If we're deleting all records, it's ok to delete RRSIG and NSEC even
- * if we're normally not allowed to.
- */
- if (rrset->type == dns_rdatatype_rrsig ||
- rrset->type == dns_rdatatype_nsec)
- return (ISC_R_SUCCESS);
- result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
- ssuinfo->name, rrset->type);
- return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
-}
-
-static isc_boolean_t
-ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_ssutable_t *ssutable, dns_name_t *signer)
-{
- isc_result_t result;
- ssu_check_t ssuinfo;
-
- ssuinfo.name = name;
- ssuinfo.table = ssutable;
- ssuinfo.signer = signer;
- result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
- return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-/**************************************************************************/
-/*
- * Checking of "RRset exists (value dependent)" prerequisites.
- *
- * In the RFC2136 section 3.2.5, this is the pseudocode involving
- * a variable called "temp", a mapping of <name, type> tuples to rrsets.
- *
- * Here, we represent the "temp" data structure as (non-minimial) "dns_diff_t"
- * where each typle has op==DNS_DIFFOP_EXISTS.
- */
-
-
-/*
- * Append a tuple asserting the existence of the RR with
- * 'name' and 'rdata' to 'diff'.
- */
-static isc_result_t
-temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
- isc_result_t result;
- dns_difftuple_t *tuple = NULL;
-
- REQUIRE(DNS_DIFF_VALID(diff));
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
- name, 0, rdata, &tuple));
- ISC_LIST_APPEND(diff->tuples, tuple, link);
- failure:
- return (result);
-}
-
-/*
- * Compare two rdatasets represented as sorted lists of tuples.
- * All list elements must have the same owner name and type.
- * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
- * if not.
- */
-static isc_result_t
-temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
- for (;;) {
- if (a == NULL || b == NULL)
- break;
- INSIST(a->op == DNS_DIFFOP_EXISTS &&
- b->op == DNS_DIFFOP_EXISTS);
- INSIST(a->rdata.type == b->rdata.type);
- INSIST(dns_name_equal(&a->name, &b->name));
- if (dns_rdata_compare(&a->rdata, &b->rdata) != 0)
- return (DNS_R_NXRRSET);
- a = ISC_LIST_NEXT(a, link);
- b = ISC_LIST_NEXT(b, link);
- }
- if (a != NULL || b != NULL)
- return (DNS_R_NXRRSET);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * A comparison function defining the sorting order for the entries
- * in the "temp" data structure. The major sort key is the owner name,
- * followed by the type and rdata.
- */
-static int
-temp_order(const void *av, const void *bv) {
- dns_difftuple_t const * const *ap = av;
- dns_difftuple_t const * const *bp = bv;
- dns_difftuple_t const *a = *ap;
- dns_difftuple_t const *b = *bp;
- int r;
- r = dns_name_compare(&a->name, &b->name);
- if (r != 0)
- return (r);
- r = (b->rdata.type - a->rdata.type);
- if (r != 0)
- return (r);
- r = dns_rdata_compare(&a->rdata, &b->rdata);
- return (r);
-}
-
-/*
- * Check the "RRset exists (value dependent)" prerequisite information
- * in 'temp' against the contents of the database 'db'.
- *
- * Return ISC_R_SUCCESS if the prerequisites are satisfied,
- * rcode(dns_rcode_nxrrset) if not.
- *
- * 'temp' must be pre-sorted.
- */
-
-static isc_result_t
-temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep)
-{
- isc_result_t result;
- dns_name_t *name;
- dns_dbnode_t *node;
- dns_difftuple_t *t;
- dns_diff_t trash;
-
- dns_diff_init(mctx, &trash);
-
- /*
- * For each name and type in the prerequisites,
- * construct a sorted rdata list of the corresponding
- * database contents, and compare the lists.
- */
- t = ISC_LIST_HEAD(temp->tuples);
- while (t != NULL) {
- name = &t->name;
- (void)dns_name_copy(name, tmpname, NULL);
- *typep = t->rdata.type;
-
- /* A new unique name begins here. */
- node = NULL;
- result = dns_db_findnode(db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND)
- return (DNS_R_NXRRSET);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /* A new unique type begins here. */
- while (t != NULL && dns_name_equal(&t->name, name)) {
- dns_rdatatype_t type, covers;
- dns_rdataset_t rdataset;
- dns_diff_t d_rrs; /* Database RRs with
- this name and type */
- dns_diff_t u_rrs; /* Update RRs with
- this name and type */
-
- *typep = type = t->rdata.type;
- if (type == dns_rdatatype_rrsig ||
- type == dns_rdatatype_sig)
- covers = dns_rdata_covers(&t->rdata);
- else
- covers = 0;
-
- /*
- * Collect all database RRs for this name and type
- * onto d_rrs and sort them.
- */
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, ver, type,
- covers, (isc_stdtime_t) 0,
- &rdataset, NULL);
- if (result != ISC_R_SUCCESS) {
- dns_db_detachnode(db, &node);
- return (DNS_R_NXRRSET);
- }
-
- dns_diff_init(mctx, &d_rrs);
- dns_diff_init(mctx, &u_rrs);
-
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset))
- {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
- result = temp_append(&d_rrs, name, &rdata);
- if (result != ISC_R_SUCCESS)
- goto failure;
- }
- if (result != ISC_R_NOMORE)
- goto failure;
- result = dns_diff_sort(&d_rrs, temp_order);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- /*
- * Collect all update RRs for this name and type
- * onto u_rrs. No need to sort them here -
- * they are already sorted.
- */
- while (t != NULL &&
- dns_name_equal(&t->name, name) &&
- t->rdata.type == type)
- {
- dns_difftuple_t *next =
- ISC_LIST_NEXT(t, link);
- ISC_LIST_UNLINK(temp->tuples, t, link);
- ISC_LIST_APPEND(u_rrs.tuples, t, link);
- t = next;
- }
-
- /* Compare the two sorted lists. */
- result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
- ISC_LIST_HEAD(d_rrs.tuples));
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- /*
- * We are done with the tuples, but we can't free
- * them yet because "name" still points into one
- * of them. Move them on a temporary list.
- */
- ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link);
- ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link);
- dns_rdataset_disassociate(&rdataset);
-
- continue;
-
- failure:
- dns_diff_clear(&d_rrs);
- dns_diff_clear(&u_rrs);
- dns_diff_clear(&trash);
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- return (result);
- }
-
- dns_db_detachnode(db, &node);
- }
-
- dns_diff_clear(&trash);
- return (ISC_R_SUCCESS);
-}
-
-/**************************************************************************/
-/*
- * Conditional deletion of RRs.
- */
-
-/*
- * Context structure for delete_if().
- */
-
-typedef struct {
- rr_predicate *predicate;
- dns_db_t *db;
- dns_dbversion_t *ver;
- dns_diff_t *diff;
- dns_name_t *name;
- dns_rdata_t *update_rr;
-} conditional_delete_ctx_t;
-
-/*
- * Predicate functions for delete_if().
- */
-
-/*
- * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
- * an RRSIG nor a NSEC.
- */
-static isc_boolean_t
-type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
- UNUSED(update_rr);
- return ((db_rr->type != dns_rdatatype_soa &&
- db_rr->type != dns_rdatatype_ns &&
- db_rr->type != dns_rdatatype_rrsig &&
- db_rr->type != dns_rdatatype_nsec) ?
- ISC_TRUE : ISC_FALSE);
-}
-
-/*
- * Return true iff 'db_rr' is neither a RRSIG nor a NSEC.
- */
-static isc_boolean_t
-type_not_dnssec(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
- UNUSED(update_rr);
- return ((db_rr->type != dns_rdatatype_rrsig &&
- db_rr->type != dns_rdatatype_nsec) ?
- ISC_TRUE : ISC_FALSE);
-}
-
-/*
- * Return true always.
- */
-static isc_boolean_t
-true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
- UNUSED(update_rr);
- UNUSED(db_rr);
- return (ISC_TRUE);
-}
-
-/*
- * Return true iff the two RRs have identical rdata.
- */
-static isc_boolean_t
-rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
- /*
- * XXXRTH This is not a problem, but we should consider creating
- * dns_rdata_equal() (that used dns_name_equal()), since it
- * would be faster. Not a priority.
- */
- return (dns_rdata_compare(update_rr, db_rr) == 0 ?
- ISC_TRUE : ISC_FALSE);
-}
-
-/*
- * Return true iff 'update_rr' should replace 'db_rr' according
- * to the special RFC2136 rules for CNAME, SOA, and WKS records.
- *
- * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
- * make little sense, so we replace those, too.
- */
-static isc_boolean_t
-replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
- if (db_rr->type != update_rr->type)
- return (ISC_FALSE);
- if (db_rr->type == dns_rdatatype_cname)
- return (ISC_TRUE);
- if (db_rr->type == dns_rdatatype_dname)
- return (ISC_TRUE);
- if (db_rr->type == dns_rdatatype_soa)
- return (ISC_TRUE);
- if (db_rr->type == dns_rdatatype_nsec)
- return (ISC_TRUE);
- if (db_rr->type == dns_rdatatype_wks) {
- /*
- * Compare the address and protocol fields only. These
- * form the first five bytes of the RR data. Do a
- * raw binary comparison; unpacking the WKS RRs using
- * dns_rdata_tostruct() might be cleaner in some ways,
- * but it would require us to pass around an mctx.
- */
- INSIST(db_rr->length >= 5 && update_rr->length >= 5);
- return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
- ISC_TRUE : ISC_FALSE);
- }
- return (ISC_FALSE);
-}
-
-/*
- * Internal helper function for delete_if().
- */
-static isc_result_t
-delete_if_action(void *data, rr_t *rr) {
- conditional_delete_ctx_t *ctx = data;
- if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
- isc_result_t result;
- result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
- DNS_DIFFOP_DEL, ctx->name,
- rr->ttl, &rr->rdata);
- return (result);
- } else {
- return (ISC_R_SUCCESS);
- }
-}
-
-/*
- * Conditionally delete RRs. Apply 'predicate' to the RRs
- * specified by 'db', 'ver', 'name', and 'type' (which can
- * be dns_rdatatype_any to match any type). Delete those
- * RRs for which the predicate returns true, and log the
- * deletions in 'diff'.
- */
-static isc_result_t
-delete_if(rr_predicate *predicate,
- dns_db_t *db,
- dns_dbversion_t *ver,
- dns_name_t *name,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- dns_rdata_t *update_rr,
- dns_diff_t *diff)
-{
- conditional_delete_ctx_t ctx;
- ctx.predicate = predicate;
- ctx.db = db;
- ctx.ver = ver;
- ctx.diff = diff;
- ctx.name = name;
- ctx.update_rr = update_rr;
- return (foreach_rr(db, ver, name, type, covers,
- delete_if_action, &ctx));
-}
-
-/**************************************************************************/
-/*
- * Prepare an RR for the addition of the new RR 'ctx->update_rr',
- * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
- * the RRs if it is replaced by the new RR or has a conflicting TTL.
- * The necessary changes are appended to ctx->del_diff and ctx->add_diff;
- * we need to do all deletions before any additions so that we don't run
- * into transient states with conflicting TTLs.
- */
-
-typedef struct {
- dns_db_t *db;
- dns_dbversion_t *ver;
- dns_diff_t *diff;
- dns_name_t *name;
- dns_rdata_t *update_rr;
- dns_ttl_t update_rr_ttl;
- isc_boolean_t ignore_add;
- dns_diff_t del_diff;
- dns_diff_t add_diff;
-} add_rr_prepare_ctx_t;
-
-static isc_result_t
-add_rr_prepare_action(void *data, rr_t *rr) {
- isc_result_t result = ISC_R_SUCCESS;
- add_rr_prepare_ctx_t *ctx = data;
- dns_difftuple_t *tuple = NULL;
- isc_boolean_t equal;
-
- /*
- * If the update RR is a "duplicate" of the update RR,
- * the update should be silently ignored.
- */
- equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0);
- if (equal && rr->ttl == ctx->update_rr_ttl) {
- ctx->ignore_add = ISC_TRUE;
- return (ISC_R_SUCCESS);
- }
-
- /*
- * If this RR is "equal" to the update RR, it should
- * be deleted before the update RR is added.
- */
- if (replaces_p(ctx->update_rr, &rr->rdata)) {
- CHECK(dns_difftuple_create(ctx->del_diff.mctx,
- DNS_DIFFOP_DEL, ctx->name,
- rr->ttl,
- &rr->rdata,
- &tuple));
- dns_diff_append(&ctx->del_diff, &tuple);
- return (ISC_R_SUCCESS);
- }
-
- /*
- * If this RR differs in TTL from the update RR,
- * its TTL must be adjusted.
- */
- if (rr->ttl != ctx->update_rr_ttl) {
- CHECK(dns_difftuple_create(ctx->del_diff.mctx,
- DNS_DIFFOP_DEL, ctx->name,
- rr->ttl,
- &rr->rdata,
- &tuple));
- dns_diff_append(&ctx->del_diff, &tuple);
- if (!equal) {
- CHECK(dns_difftuple_create(ctx->add_diff.mctx,
- DNS_DIFFOP_ADD, ctx->name,
- ctx->update_rr_ttl,
- &rr->rdata,
- &tuple));
- dns_diff_append(&ctx->add_diff, &tuple);
- }
- }
- failure:
- return (result);
-}
-
-/**************************************************************************/
-/*
- * Miscellaneous subroutines.
- */
-
-/*
- * Extract a single update RR from 'section' of dynamic update message
- * 'msg', with consistency checking.
- *
- * Stores the owner name, rdata, and TTL of the update RR at 'name',
- * 'rdata', and 'ttl', respectively.
- */
-static void
-get_current_rr(dns_message_t *msg, dns_section_t section,
- dns_rdataclass_t zoneclass,
- dns_name_t **name, dns_rdata_t *rdata, dns_rdatatype_t *covers,
- dns_ttl_t *ttl,
- dns_rdataclass_t *update_class)
-{
- dns_rdataset_t *rdataset;
- isc_result_t result;
- dns_message_currentname(msg, section, name);
- rdataset = ISC_LIST_HEAD((*name)->list);
- INSIST(rdataset != NULL);
- INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
- *covers = rdataset->covers;
- *ttl = rdataset->ttl;
- result = dns_rdataset_first(rdataset);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(rdataset, rdata);
- INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
- *update_class = rdata->rdclass;
- rdata->rdclass = zoneclass;
-}
-
-/*
- * Increment the SOA serial number of database 'db', version 'ver'.
- * Replace the SOA record in the database, and log the
- * change in 'diff'.
- */
-
- /*
- * XXXRTH Failures in this routine will be worth logging, when
- * we have a logging system. Failure to find the zonename
- * or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
- */
-
-static isc_result_t
-increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
- dns_diff_t *diff, isc_mem_t *mctx)
-{
- dns_difftuple_t *deltuple = NULL;
- dns_difftuple_t *addtuple = NULL;
- isc_uint32_t serial;
- isc_result_t result;
-
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
- CHECK(dns_difftuple_copy(deltuple, &addtuple));
- addtuple->op = DNS_DIFFOP_ADD;
-
- serial = dns_soa_getserial(&addtuple->rdata);
-
- /* RFC1982 */
- serial = (serial + 1) & 0xFFFFFFFF;
- if (serial == 0)
- serial = 1;
-
- dns_soa_setserial(serial, &addtuple->rdata);
- CHECK(do_one_tuple(&deltuple, db, ver, diff));
- CHECK(do_one_tuple(&addtuple, db, ver, diff));
- result = ISC_R_SUCCESS;
-
- failure:
- if (addtuple != NULL)
- dns_difftuple_free(&addtuple);
- if (deltuple != NULL)
- dns_difftuple_free(&deltuple);
- return (result);
-}
-
-/*
- * Check that the new SOA record at 'update_rdata' does not
- * illegally cause the SOA serial number to decrease or stay
- * unchanged relative to the existing SOA in 'db'.
- *
- * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
- *
- * William King points out that RFC2136 is inconsistent about
- * the case where the serial number stays unchanged:
- *
- * section 3.4.2.2 requires a server to ignore a SOA update request
- * if the serial number on the update SOA is less_than_or_equal to
- * the zone SOA serial.
- *
- * section 3.6 requires a server to ignore a SOA update request if
- * the serial is less_than the zone SOA serial.
- *
- * Paul says 3.4.2.2 is correct.
- *
- */
-static isc_result_t
-check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
- dns_rdata_t *update_rdata,
- isc_boolean_t *ok)
-{
- isc_uint32_t db_serial;
- isc_uint32_t update_serial;
- isc_result_t result;
-
- update_serial = dns_soa_getserial(update_rdata);
-
- result = dns_db_getsoaserial(db, ver, &db_serial);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (DNS_SERIAL_GE(db_serial, update_serial)) {
- *ok = ISC_FALSE;
- } else {
- *ok = ISC_TRUE;
- }
-
- return (ISC_R_SUCCESS);
-
-}
-
-/**************************************************************************/
-/*
- * Incremental updating of NSECs and RRSIGs.
- */
-
-#define MAXZONEKEYS 32 /* Maximum number of zone keys supported. */
-
-/*
- * We abuse the dns_diff_t type to represent a set of domain names
- * affected by the update.
- */
-static isc_result_t
-namelist_append_name(dns_diff_t *list, dns_name_t *name) {
- isc_result_t result;
- dns_difftuple_t *tuple = NULL;
- static dns_rdata_t dummy_rdata = { NULL, 0, 0, 0, 0,
- { (void*)(-1), (void*)(-1) } };
- CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
- &dummy_rdata, &tuple));
- dns_diff_append(list, &tuple);
- failure:
- return (result);
-}
-
-static isc_result_t
-namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
-{
- isc_result_t result;
- dns_fixedname_t fixedname;
- dns_name_t *child;
- dns_dbiterator_t *dbit = NULL;
-
- dns_fixedname_init(&fixedname);
- child = dns_fixedname_name(&fixedname);
-
- CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
-
- for (result = dns_dbiterator_seek(dbit, name);
- result == ISC_R_SUCCESS;
- result = dns_dbiterator_next(dbit))
- {
- dns_dbnode_t *node = NULL;
- CHECK(dns_dbiterator_current(dbit, &node, child));
- dns_db_detachnode(db, &node);
- if (! dns_name_issubdomain(child, name))
- break;
- CHECK(namelist_append_name(affected, child));
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- failure:
- if (dbit != NULL)
- dns_dbiterator_destroy(&dbit);
- return (result);
-}
-
-
-
-/*
- * Helper function for non_nsec_rrset_exists().
- */
-static isc_result_t
-is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
- UNUSED(data);
- if (!(rrset->type == dns_rdatatype_nsec ||
- (rrset->type == dns_rdatatype_rrsig &&
- rrset->covers == dns_rdatatype_nsec)))
- return (ISC_R_EXISTS);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
- * i.e., anything that justifies the continued existence of a name
- * after a secure update.
- *
- * If such an rrset exists, set '*exists' to ISC_TRUE.
- * Otherwise, set it to ISC_FALSE.
- */
-static isc_result_t
-non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
- dns_name_t *name, isc_boolean_t *exists)
-{
- isc_result_t result;
- result = foreach_rrset(db, ver, name,
- is_non_nsec_action, NULL);
- RETURN_EXISTENCE_FLAG;
-}
-
-/*
- * A comparison function for sorting dns_diff_t:s by name.
- */
-static int
-name_order(const void *av, const void *bv) {
- dns_difftuple_t const * const *ap = av;
- dns_difftuple_t const * const *bp = bv;
- dns_difftuple_t const *a = *ap;
- dns_difftuple_t const *b = *bp;
- return (dns_name_compare(&a->name, &b->name));
-}
-
-static isc_result_t
-uniqify_name_list(dns_diff_t *list) {
- isc_result_t result;
- dns_difftuple_t *p, *q;
-
- CHECK(dns_diff_sort(list, name_order));
-
- p = ISC_LIST_HEAD(list->tuples);
- while (p != NULL) {
- do {
- q = ISC_LIST_NEXT(p, link);
- if (q == NULL || ! dns_name_equal(&p->name, &q->name))
- break;
- ISC_LIST_UNLINK(list->tuples, q, link);
- dns_difftuple_free(&q);
- } while (1);
- p = ISC_LIST_NEXT(p, link);
- }
- failure:
- return (result);
-}
-
-
-static isc_result_t
-is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- isc_boolean_t *flag)
-{
- isc_result_t result;
- dns_fixedname_t foundname;
- dns_fixedname_init(&foundname);
- result = dns_db_find(db, name, ver, dns_rdatatype_any,
- DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
- (isc_stdtime_t) 0, NULL,
- dns_fixedname_name(&foundname),
- NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- *flag = ISC_FALSE;
- return (ISC_R_SUCCESS);
- } else if (result == DNS_R_ZONECUT) {
- /*
- * We are at the zonecut. The name will have an NSEC, but
- * non-delegation will be omitted from the type bit map.
- */
- *flag = ISC_FALSE;
- return (ISC_R_SUCCESS);
- } else if (result == DNS_R_GLUE || result == DNS_R_DNAME) {
- *flag = ISC_TRUE;
- return (ISC_R_SUCCESS);
- } else {
- return (result);
- }
-}
-
-/*
- * Find the next/previous name that has a NSEC record.
- * In other words, skip empty database nodes and names that
- * have had their NSECs removed because they are obscured by
- * a zone cut.
- */
-static isc_result_t
-next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
- isc_boolean_t forward)
-{
- isc_result_t result;
- dns_dbiterator_t *dbit = NULL;
- isc_boolean_t has_nsec;
- unsigned int wraps = 0;
-
- CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
-
- CHECK(dns_dbiterator_seek(dbit, oldname));
- do {
- dns_dbnode_t *node = NULL;
-
- if (forward)
- result = dns_dbiterator_next(dbit);
- else
- result = dns_dbiterator_prev(dbit);
- if (result == ISC_R_NOMORE) {
- /*
- * Wrap around.
- */
- if (forward)
- CHECK(dns_dbiterator_first(dbit));
- else
- CHECK(dns_dbiterator_last(dbit));
- wraps++;
- if (wraps == 2) {
- update_log(client, zone, ISC_LOG_ERROR,
- "secure zone with no NSECs");
- result = DNS_R_BADZONE;
- goto failure;
- }
- }
- CHECK(dns_dbiterator_current(dbit, &node, newname));
- dns_db_detachnode(db, &node);
-
- /*
- * The iterator may hold the tree lock, and
- * rrset_exists() calls dns_db_findnode() which
- * may try to reacquire it. To avoid deadlock
- * we must pause the iterator first.
- */
- CHECK(dns_dbiterator_pause(dbit));
- CHECK(rrset_exists(db, ver, newname,
- dns_rdatatype_nsec, 0, &has_nsec));
-
- } while (! has_nsec);
- failure:
- if (dbit != NULL)
- dns_dbiterator_destroy(&dbit);
-
- return (result);
-}
-
-/*
- * Add a NSEC record for "name", recording the change in "diff".
- * The existing NSEC is removed.
- */
-static isc_result_t
-add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- unsigned char buffer[DNS_NSEC_BUFFERSIZE];
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_difftuple_t *tuple = NULL;
- dns_fixedname_t fixedname;
- dns_name_t *target;
-
- dns_fixedname_init(&fixedname);
- target = dns_fixedname_name(&fixedname);
-
- /*
- * Find the successor name, aka NSEC target.
- */
- CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE));
-
- /*
- * Create the NSEC RDATA.
- */
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
- dns_rdata_init(&rdata);
- CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
- dns_db_detachnode(db, &node);
-
- /*
- * Delete the old NSEC and record the change.
- */
- CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
- NULL, diff));
- /*
- * Add the new NSEC and record the change.
- */
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
- 3600, /* XXXRTH */
- &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- INSIST(tuple == NULL);
-
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*
- * Add a placeholder NSEC record for "name", recording the change in "diff".
- */
-static isc_result_t
-add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_diff_t *diff) {
- isc_result_t result;
- dns_difftuple_t *tuple = NULL;
- isc_region_t r;
- unsigned char data[1] = { 0 }; /* The root domain, no bits. */
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- r.base = data;
- r.length = sizeof(data);
- dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
- CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
- &rdata, &tuple));
- CHECK(do_one_tuple(&tuple, db, ver, diff));
- failure:
- return (result);
-}
-
-static isc_result_t
-find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
- isc_mem_t *mctx, unsigned int maxkeys,
- dst_key_t **keys, unsigned int *nkeys)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- const char *directory = dns_zone_getkeydirectory(zone);
- CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
- CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
- directory, mctx, maxkeys, keys, nkeys));
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*
- * Add RRSIG records for an RRset, recording the change in "diff".
- */
-static isc_result_t
-add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
- dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
- unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
- isc_stdtime_t expire)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t sig_rdata = DNS_RDATA_INIT;
- isc_buffer_t buffer;
- unsigned char data[1024]; /* XXX */
- unsigned int i;
-
- dns_rdataset_init(&rdataset);
- isc_buffer_init(&buffer, data, sizeof(data));
-
- /* Get the rdataset to sign. */
- CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
- CHECK(dns_db_findrdataset(db, node, ver, type, 0,
- (isc_stdtime_t) 0,
- &rdataset, NULL));
- dns_db_detachnode(db, &node);
-
- for (i = 0; i < nkeys; i++) {
- /* Calculate the signature, creating a RRSIG RDATA. */
- CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
- &inception, &expire,
- mctx, &buffer, &sig_rdata));
-
- /* Update the database and journal with the RRSIG. */
- /* XXX inefficient - will cause dataset merging */
- CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name,
- rdataset.ttl, &sig_rdata));
- dns_rdata_reset(&sig_rdata);
- }
-
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-/*
- * Update RRSIG and NSEC records affected by an update. The original
- * update, including the SOA serial update but exluding the RRSIG & NSEC
- * changes, is in "diff" and has already been applied to "newver" of "db".
- * The database version prior to the update is "oldver".
- *
- * The necessary RRSIG and NSEC changes will be applied to "newver"
- * and added (as a minimal diff) to "diff".
- *
- * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
- */
-static isc_result_t
-update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t *oldver, dns_dbversion_t *newver,
- dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
-{
- isc_result_t result;
- dns_difftuple_t *t;
- dns_diff_t diffnames;
- dns_diff_t affected;
- dns_diff_t sig_diff;
- dns_diff_t nsec_diff;
- dns_diff_t nsec_mindiff;
- isc_boolean_t flag;
- dst_key_t *zone_keys[MAXZONEKEYS];
- unsigned int nkeys = 0;
- unsigned int i;
- isc_stdtime_t now, inception, expire;
-
- dns_diff_init(client->mctx, &diffnames);
- dns_diff_init(client->mctx, &affected);
-
- dns_diff_init(client->mctx, &sig_diff);
- dns_diff_init(client->mctx, &nsec_diff);
- dns_diff_init(client->mctx, &nsec_mindiff);
-
- result = find_zone_keys(zone, db, newver, client->mctx,
- MAXZONEKEYS, zone_keys, &nkeys);
- if (result != ISC_R_SUCCESS) {
- update_log(client, zone, ISC_LOG_ERROR,
- "could not get zone keys for secure dynamic update");
- goto failure;
- }
-
- isc_stdtime_get(&now);
- inception = now - 3600; /* Allow for some clock skew. */
- expire = now + sigvalidityinterval;
-
- /*
- * Find all RRsets directly affected by the update, and
- * update their RRSIGs. Also build a list of names affected
- * by the update in "diffnames".
- */
- CHECK(dns_diff_sort(diff, temp_order));
-
- t = ISC_LIST_HEAD(diff->tuples);
- while (t != NULL) {
- dns_name_t *name = &t->name;
- /* Now "name" is a new, unique name affected by the update. */
-
- CHECK(namelist_append_name(&diffnames, name));
-
- while (t != NULL && dns_name_equal(&t->name, name)) {
- dns_rdatatype_t type;
- type = t->rdata.type;
-
- /*
- * Now "name" and "type" denote a new unique RRset
- * affected by the update.
- */
-
- /* Don't sign RRSIGs. */
- if (type == dns_rdatatype_rrsig)
- goto skip;
-
- /*
- * Delete all old RRSIGs covering this type, since they
- * are all invalid when the signed RRset has changed.
- * We may not be able to recreate all of them - tough.
- */
- CHECK(delete_if(true_p, db, newver, name,
- dns_rdatatype_rrsig, type,
- NULL, &sig_diff));
-
- /*
- * If this RRset still exists after the update,
- * add a new signature for it.
- */
- CHECK(rrset_exists(db, newver, name, type, 0, &flag));
- if (flag) {
- CHECK(add_sigs(db, newver, name, type,
- &sig_diff, zone_keys, nkeys,
- client->mctx, inception,
- expire));
- }
- skip:
- /* Skip any other updates to the same RRset. */
- while (t != NULL &&
- dns_name_equal(&t->name, name) &&
- t->rdata.type == type)
- {
- t = ISC_LIST_NEXT(t, link);
- }
- }
- }
-
- /* Remove orphaned NSECs and RRSIG NSECs. */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
- if (! flag) {
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_any, 0,
- NULL, &sig_diff));
- }
- }
-
- /*
- * When a name is created or deleted, its predecessor needs to
- * have its NSEC updated.
- */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t existed, exists;
- dns_fixedname_t fixedname;
- dns_name_t *prevname;
-
- dns_fixedname_init(&fixedname);
- prevname = dns_fixedname_name(&fixedname);
-
- CHECK(name_exists(db, oldver, &t->name, &existed));
- CHECK(name_exists(db, newver, &t->name, &exists));
- if (exists == existed)
- continue;
-
- /*
- * Find the predecessor.
- * When names become obscured or unobscured in this update
- * transaction, we may find the wrong predecessor because
- * the NSECs have not yet been updated to reflect the delegation
- * change. This should not matter because in this case,
- * the correct predecessor is either the delegation node or
- * a newly unobscured node, and those nodes are on the
- * "affected" list in any case.
- */
- CHECK(next_active(client, zone, db, newver,
- &t->name, prevname, ISC_FALSE));
- CHECK(namelist_append_name(&affected, prevname));
- }
-
- /*
- * Find names potentially affected by delegation changes
- * (obscured by adding an NS or DNAME, or unobscured by
- * removing one).
- */
- for (t = ISC_LIST_HEAD(diffnames.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t ns_existed, dname_existed;
- isc_boolean_t ns_exists, dname_exists;
-
- CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_ns, 0,
- &ns_existed));
- CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_dname, 0,
- &dname_existed));
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
- &ns_exists));
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0,
- &dname_exists));
- if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
- continue;
- /*
- * There was a delegation change. Mark all subdomains
- * of t->name as potentially needing a NSEC update.
- */
- CHECK(namelist_append_subdomain(db, &t->name, &affected));
- }
-
- ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link);
- INSIST(ISC_LIST_EMPTY(diffnames.tuples));
-
- CHECK(uniqify_name_list(&affected));
-
- /*
- * Determine which names should have NSECs, and delete/create
- * NSECs to make it so. We don't know the final NSEC targets yet,
- * so we just create placeholder NSECs with arbitrary contents
- * to indicate that their respective owner names should be part of
- * the NSEC chain.
- */
- for (t = ISC_LIST_HEAD(affected.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_boolean_t exists;
- CHECK(name_exists(db, newver, &t->name, &exists));
- if (! exists)
- continue;
- CHECK(is_glue(db, newver, &t->name, &flag));
- if (flag) {
- /*
- * This name is obscured. Delete any
- * existing NSEC record.
- */
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_nsec, 0,
- NULL, &nsec_diff));
- } else {
- /*
- * This name is not obscured. It should have a NSEC.
- */
- CHECK(rrset_exists(db, newver, &t->name,
- dns_rdatatype_nsec, 0, &flag));
- if (! flag)
- CHECK(add_placeholder_nsec(db, newver, &t->name,
- diff));
- }
- }
-
- /*
- * Now we know which names are part of the NSEC chain.
- * Make them all point at their correct targets.
- */
- for (t = ISC_LIST_HEAD(affected.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- CHECK(rrset_exists(db, newver, &t->name,
- dns_rdatatype_nsec, 0, &flag));
- if (flag) {
- /*
- * There is a NSEC, but we don't know if it is correct.
- * Delete it and create a correct one to be sure.
- * If the update was unnecessary, the diff minimization
- * will take care of eliminating it from the journal,
- * IXFRs, etc.
- *
- * The RRSIG bit should always be set in the NSECs
- * we generate, because they will all get RRSIG NSECs.
- * (XXX what if the zone keys are missing?).
- * Because the RRSIG NSECs have not necessarily been
- * created yet, the correctness of the bit mask relies
- * on the assumption that NSECs are only created if
- * there is other data, and if there is other data,
- * there are other RRSIGs.
- */
- CHECK(add_nsec(client, zone, db, newver,
- &t->name, &nsec_diff));
- }
- }
-
- /*
- * Minimize the set of NSEC updates so that we don't
- * have to regenerate the RRSIG NSECs for NSECs that were
- * replaced with identical ones.
- */
- while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
- dns_diff_appendminimal(&nsec_mindiff, &t);
- }
-
- /* Update RRSIG NSECs. */
- for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- if (t->op == DNS_DIFFOP_DEL) {
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_rrsig, dns_rdatatype_nsec,
- NULL, &sig_diff));
- } else if (t->op == DNS_DIFFOP_ADD) {
- CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
- &sig_diff, zone_keys, nkeys,
- client->mctx, inception, expire));
- } else {
- INSIST(0);
- }
- }
-
- /* Record our changes for the journal. */
- while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
- ISC_LIST_UNLINK(sig_diff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
- while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
- ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
- dns_diff_appendminimal(diff, &t);
- }
-
- INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
- INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
-
- failure:
- dns_diff_clear(&sig_diff);
- dns_diff_clear(&nsec_diff);
- dns_diff_clear(&nsec_mindiff);
-
- dns_diff_clear(&affected);
- dns_diff_clear(&diffnames);
-
- for (i = 0; i < nkeys; i++)
- dst_key_free(&zone_keys[i]);
-
- return (result);
-}
-
-
-/**************************************************************************/
-/*
- * The actual update code in all its glory. We try to follow
- * the RFC2136 pseudocode as closely as possible.
- */
-
-static isc_result_t
-send_update_event(ns_client_t *client, dns_zone_t *zone) {
- isc_result_t result = ISC_R_SUCCESS;
- update_event_t *event = NULL;
- isc_task_t *zonetask = NULL;
- ns_client_t *evclient;
-
- event = (update_event_t *)
- isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
- update_action, NULL, sizeof(*event));
- if (event == NULL)
- FAIL(ISC_R_NOMEMORY);
- event->zone = zone;
- event->result = ISC_R_SUCCESS;
-
- evclient = NULL;
- ns_client_attach(client, &evclient);
- INSIST(client->nupdates == 0);
- client->nupdates++;
- event->ev_arg = evclient;
-
- dns_zone_gettask(zone, &zonetask);
- isc_task_send(zonetask, ISC_EVENT_PTR(&event));
-
- failure:
- if (event != NULL)
- isc_event_free(ISC_EVENT_PTR(&event));
- return (result);
-}
-
-static void
-respond(ns_client_t *client, isc_result_t result) {
- isc_result_t msg_result;
-
- msg_result = dns_message_reply(client->message, ISC_TRUE);
- if (msg_result != ISC_R_SUCCESS)
- goto msg_failure;
- client->message->rcode = dns_result_torcode(result);
-
- ns_client_send(client);
- return;
-
- msg_failure:
- isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
- ISC_LOG_ERROR,
- "could not create update response message: %s",
- isc_result_totext(msg_result));
- ns_client_next(client, msg_result);
-}
-
-void
-ns_update_start(ns_client_t *client, isc_result_t sigresult) {
- dns_message_t *request = client->message;
- isc_result_t result;
- dns_name_t *zonename;
- dns_rdataset_t *zone_rdataset;
- dns_zone_t *zone = NULL;
-
- /*
- * Interpret the zone section.
- */
- result = dns_message_firstname(request, DNS_SECTION_ZONE);
- if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_FORMERR,
- "update zone section empty");
-
- /*
- * The zone section must contain exactly one "question", and
- * it must be of type SOA.
- */
- zonename = NULL;
- dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
- zone_rdataset = ISC_LIST_HEAD(zonename->list);
- if (zone_rdataset->type != dns_rdatatype_soa)
- FAILC(DNS_R_FORMERR,
- "update zone section contains non-SOA");
- if (ISC_LIST_NEXT(zone_rdataset, link) != NULL)
- FAILC(DNS_R_FORMERR,
- "update zone section contains multiple RRs");
-
- /* The zone section must have exactly one name. */
- result = dns_message_nextname(request, DNS_SECTION_ZONE);
- if (result != ISC_R_NOMORE)
- FAILC(DNS_R_FORMERR,
- "update zone section contains multiple RRs");
-
- result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
- &zone);
- if (result != ISC_R_SUCCESS)
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
-
- switch(dns_zone_gettype(zone)) {
- case dns_zone_master:
- /*
- * We can now fail due to a bad signature as we now know
- * that we are the master.
- */
- if (sigresult != ISC_R_SUCCESS)
- FAIL(sigresult);
- CHECK(send_update_event(client, zone));
- break;
- case dns_zone_slave:
- CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
- "update forwarding", zonename, ISC_TRUE));
- CHECK(send_forward_event(client, zone));
- break;
- default:
- FAILC(DNS_R_NOTAUTH,
- "not authoritative for update zone");
- }
- return;
-
- failure:
- /*
- * We failed without having sent an update event to the zone.
- * We are still in the client task context, so we can
- * simply give an error response without switching tasks.
- */
- respond(client, result);
- if (zone != NULL)
- dns_zone_detach(&zone);
-}
-
-/*
- * DS records are not allowed to exist without corresponding NS records,
- * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change,
- * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
- */
-
-static isc_result_t
-remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
- isc_result_t result;
- isc_boolean_t ns_exists, ds_exists;
- dns_difftuple_t *t;
-
- for (t = ISC_LIST_HEAD(diff->tuples);
- t != NULL;
- t = ISC_LIST_NEXT(t, link)) {
- if (t->op != DNS_DIFFOP_DEL ||
- t->rdata.type != dns_rdatatype_ns)
- continue;
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
- &ns_exists));
- if (ns_exists)
- continue;
- CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0,
- &ds_exists));
- if (!ds_exists)
- continue;
- CHECK(delete_if(true_p, db, newver, &t->name,
- dns_rdatatype_ds, 0, NULL, diff));
- }
- return (ISC_R_SUCCESS);
-
- failure:
- return (result);
-}
-
-static void
-update_action(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- dns_zone_t *zone = uev->zone;
- ns_client_t *client = (ns_client_t *)event->ev_arg;
-
- isc_result_t result;
- dns_db_t *db = NULL;
- dns_dbversion_t *oldver = NULL;
- dns_dbversion_t *ver = NULL;
- dns_diff_t diff; /* Pending updates. */
- dns_diff_t temp; /* Pending RR existence assertions. */
- isc_boolean_t soa_serial_changed = ISC_FALSE;
- isc_mem_t *mctx = client->mctx;
- dns_rdatatype_t covers;
- dns_message_t *request = client->message;
- dns_rdataclass_t zoneclass;
- dns_name_t *zonename;
- dns_ssutable_t *ssutable = NULL;
- dns_fixedname_t tmpnamefixed;
- dns_name_t *tmpname = NULL;
-
- INSIST(event->ev_type == DNS_EVENT_UPDATE);
-
- dns_diff_init(mctx, &diff);
- dns_diff_init(mctx, &temp);
-
- CHECK(dns_zone_getdb(zone, &db));
- zonename = dns_db_origin(db);
- zoneclass = dns_db_class(db);
- dns_zone_getssutable(zone, &ssutable);
- dns_db_currentversion(db, &oldver);
- CHECK(dns_db_newversion(db, &ver));
-
- /*
- * Check prerequisites.
- */
-
- for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
- {
- dns_name_t *name = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_ttl_t ttl;
- dns_rdataclass_t update_class;
- isc_boolean_t flag;
-
- get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
- &name, &rdata, &covers, &ttl, &update_class);
-
- if (ttl != 0)
- FAILC(DNS_R_FORMERR, "prerequisite TTL is not zero");
-
- if (! dns_name_issubdomain(name, zonename))
- FAILN(DNS_R_NOTZONE, name,
- "prerequisite name is out of zone");
-
- if (update_class == dns_rdataclass_any) {
- if (rdata.length != 0)
- FAILC(DNS_R_FORMERR,
- "class ANY prerequisite "
- "RDATA is not empty");
- if (rdata.type == dns_rdatatype_any) {
- CHECK(name_exists(db, ver, name, &flag));
- if (! flag) {
- FAILN(DNS_R_NXDOMAIN, name,
- "'name in use' prerequisite "
- "not satisfied");
- }
- } else {
- CHECK(rrset_exists(db, ver, name,
- rdata.type, covers, &flag));
- if (! flag) {
- /* RRset does not exist. */
- FAILNT(DNS_R_NXRRSET, name, rdata.type,
- "'rrset exists (value independent)' "
- "prerequisite not satisfied");
- }
- }
- } else if (update_class == dns_rdataclass_none) {
- if (rdata.length != 0)
- FAILC(DNS_R_FORMERR,
- "class NONE prerequisite "
- "RDATA is not empty");
- if (rdata.type == dns_rdatatype_any) {
- CHECK(name_exists(db, ver, name, &flag));
- if (flag) {
- FAILN(DNS_R_YXDOMAIN, name,
- "'name not in use' prerequisite "
- "not satisfied");
- }
- } else {
- CHECK(rrset_exists(db, ver, name,
- rdata.type, covers, &flag));
- if (flag) {
- /* RRset exists. */
- FAILNT(DNS_R_YXRRSET, name, rdata.type,
- "'rrset does not exist' "
- "prerequisite not satisfied");
- }
- }
- } else if (update_class == zoneclass) {
- /* "temp<rr.name, rr.type> += rr;" */
- result = temp_append(&temp, name, &rdata);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "temp entry creation failed: %s",
- dns_result_totext(result));
- FAIL(ISC_R_UNEXPECTED);
- }
- } else {
- FAILC(DNS_R_FORMERR, "malformed prerequisite");
- }
- }
- if (result != ISC_R_NOMORE)
- FAIL(result);
-
-
- /*
- * Perform the final check of the "rrset exists (value dependent)"
- * prerequisites.
- */
- if (ISC_LIST_HEAD(temp.tuples) != NULL) {
- dns_rdatatype_t type;
-
- /*
- * Sort the prerequisite records by owner name,
- * type, and rdata.
- */
- result = dns_diff_sort(&temp, temp_order);
- if (result != ISC_R_SUCCESS)
- FAILC(result, "'RRset exists (value dependent)' "
- "prerequisite not satisfied");
-
- dns_fixedname_init(&tmpnamefixed);
- tmpname = dns_fixedname_name(&tmpnamefixed);
- result = temp_check(mctx, &temp, db, ver, tmpname, &type);
- if (result != ISC_R_SUCCESS)
- FAILNT(result, tmpname, type,
- "'RRset exists (value dependent)' "
- "prerequisite not satisfied");
- }
-
- update_log(client, zone, LOGLEVEL_DEBUG,
- "prerequisites are OK");
-
- /*
- * Check Requestor's Permissions. It seems a bit silly to do this
- * only after prerequisite testing, but that is what RFC2136 says.
- */
- result = ISC_R_SUCCESS;
- if (ssutable == NULL)
- CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
- "update", zonename, ISC_FALSE));
- else if (client->signer == NULL)
- CHECK(checkupdateacl(client, NULL, "update", zonename,
- ISC_FALSE));
-
- if (dns_zone_getupdatedisabled(zone))
- FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled");
-
- /*
- * Perform the Update Section Prescan.
- */
-
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
- {
- dns_name_t *name = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_ttl_t ttl;
- dns_rdataclass_t update_class;
- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
- &name, &rdata, &covers, &ttl, &update_class);
-
- if (! dns_name_issubdomain(name, zonename))
- FAILC(DNS_R_NOTZONE,
- "update RR is outside zone");
- if (update_class == zoneclass) {
- /*
- * Check for meta-RRs. The RFC2136 pseudocode says
- * check for ANY|AXFR|MAILA|MAILB, but the text adds
- * "or any other QUERY metatype"
- */
- if (dns_rdatatype_ismeta(rdata.type)) {
- FAILC(DNS_R_FORMERR,
- "meta-RR in update");
- }
- result = dns_zone_checknames(zone, name, &rdata);
- if (result != ISC_R_SUCCESS)
- FAIL(DNS_R_REFUSED);
- } else if (update_class == dns_rdataclass_any) {
- if (ttl != 0 || rdata.length != 0 ||
- (dns_rdatatype_ismeta(rdata.type) &&
- rdata.type != dns_rdatatype_any))
- FAILC(DNS_R_FORMERR,
- "meta-RR in update");
- } else if (update_class == dns_rdataclass_none) {
- if (ttl != 0 ||
- dns_rdatatype_ismeta(rdata.type))
- FAILC(DNS_R_FORMERR,
- "meta-RR in update");
- } else {
- update_log(client, zone, ISC_LOG_WARNING,
- "update RR has incorrect class %d",
- update_class);
- FAIL(DNS_R_FORMERR);
- }
- /*
- * draft-ietf-dnsind-simple-secure-update-01 says
- * "Unlike traditional dynamic update, the client
- * is forbidden from updating NSEC records."
- */
- if (dns_db_issecure(db)) {
- if (rdata.type == dns_rdatatype_nsec) {
- FAILC(DNS_R_REFUSED,
- "explicit NSEC updates are not allowed "
- "in secure zones");
- }
- else if (rdata.type == dns_rdatatype_rrsig) {
- FAILC(DNS_R_REFUSED,
- "explicit RRSIG updates are currently not "
- "supported in secure zones");
- }
- }
-
- if (ssutable != NULL && client->signer != NULL) {
- if (rdata.type != dns_rdatatype_any) {
- if (!dns_ssutable_checkrules(ssutable,
- client->signer,
- name, rdata.type))
- FAILC(DNS_R_REFUSED,
- "rejected by secure update");
- }
- else {
- if (!ssu_checkall(db, ver, name, ssutable,
- client->signer))
- FAILC(DNS_R_REFUSED,
- "rejected by secure update");
- }
- }
- }
- if (result != ISC_R_NOMORE)
- FAIL(result);
-
- update_log(client, zone, LOGLEVEL_DEBUG,
- "update section prescan OK");
-
- /*
- * Process the Update Section.
- */
-
- for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_UPDATE))
- {
- dns_name_t *name = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_ttl_t ttl;
- dns_rdataclass_t update_class;
- isc_boolean_t flag;
-
- get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
- &name, &rdata, &covers, &ttl, &update_class);
-
- if (update_class == zoneclass) {
-
- /*
- * RFC 1123 doesn't allow MF and MD in master zones. */
- if (rdata.type == dns_rdatatype_md ||
- rdata.type == dns_rdatatype_mf) {
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
-
- dns_rdatatype_format(rdata.type, typebuf,
- sizeof(typebuf));
- update_log(client, zone, LOGLEVEL_PROTOCOL,
- "attempt to add %s ignored",
- typebuf);
- continue;
- }
- if (rdata.type == dns_rdatatype_ns &&
- dns_name_iswildcard(name)) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "attempt to add wildcard NS record"
- "ignored");
- continue;
- }
- if (rdata.type == dns_rdatatype_cname) {
- CHECK(cname_incompatible_rrset_exists(db, ver,
- name,
- &flag));
- if (flag) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "attempt to add CNAME "
- "alongside non-CNAME "
- "ignored");
- continue;
- }
- } else {
- CHECK(rrset_exists(db, ver, name,
- dns_rdatatype_cname, 0,
- &flag));
- if (flag &&
- ! dns_rdatatype_isdnssec(rdata.type))
- {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "attempt to add non-CNAME "
- "alongside CNAME ignored");
- continue;
- }
- }
- if (rdata.type == dns_rdatatype_soa) {
- isc_boolean_t ok;
- CHECK(rrset_exists(db, ver, name,
- dns_rdatatype_soa, 0,
- &flag));
- if (! flag) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "attempt to create 2nd "
- "SOA ignored");
- continue;
- }
- CHECK(check_soa_increment(db, ver, &rdata,
- &ok));
- if (! ok) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "SOA update failed to "
- "increment serial, "
- "ignoring it");
- continue;
- }
- soa_serial_changed = ISC_TRUE;
- }
-
- if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
- char namestr[DNS_NAME_FORMATSIZE];
- char typestr[DNS_RDATATYPE_FORMATSIZE];
- dns_name_format(name, namestr,
- sizeof(namestr));
- dns_rdatatype_format(rdata.type, typestr,
- sizeof(typestr));
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "adding an RR at '%s' %s",
- namestr, typestr);
- }
-
- /* Prepare the affected RRset for the addition. */
- {
- add_rr_prepare_ctx_t ctx;
- ctx.db = db;
- ctx.ver = ver;
- ctx.diff = &diff;
- ctx.name = name;
- ctx.update_rr = &rdata;
- ctx.update_rr_ttl = ttl;
- ctx.ignore_add = ISC_FALSE;
- dns_diff_init(mctx, &ctx.del_diff);
- dns_diff_init(mctx, &ctx.add_diff);
- CHECK(foreach_rr(db, ver, name, rdata.type,
- covers, add_rr_prepare_action,
- &ctx));
-
- if (ctx.ignore_add) {
- dns_diff_clear(&ctx.del_diff);
- dns_diff_clear(&ctx.add_diff);
- } else {
- CHECK(do_diff(&ctx.del_diff, db, ver, &diff));
- CHECK(do_diff(&ctx.add_diff, db, ver, &diff));
- CHECK(update_one_rr(db, ver, &diff,
- DNS_DIFFOP_ADD,
- name, ttl, &rdata));
- }
- }
- } else if (update_class == dns_rdataclass_any) {
- if (rdata.type == dns_rdatatype_any) {
- if (isc_log_wouldlog(ns_g_lctx,
- LOGLEVEL_PROTOCOL))
- {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namestr,
- sizeof(namestr));
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "delete all rrsets from "
- "name '%s'", namestr);
- }
- if (dns_name_equal(name, zonename)) {
- CHECK(delete_if(type_not_soa_nor_ns_p,
- db, ver, name,
- dns_rdatatype_any, 0,
- &rdata, &diff));
- } else {
- CHECK(delete_if(type_not_dnssec,
- db, ver, name,
- dns_rdatatype_any, 0,
- &rdata, &diff));
- }
- } else if (dns_name_equal(name, zonename) &&
- (rdata.type == dns_rdatatype_soa ||
- rdata.type == dns_rdatatype_ns)) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "attempt to delete all SOA "
- "or NS records ignored");
- continue;
- } else {
- if (isc_log_wouldlog(ns_g_lctx,
- LOGLEVEL_PROTOCOL))
- {
- char namestr[DNS_NAME_FORMATSIZE];
- char typestr[DNS_RDATATYPE_FORMATSIZE];
- dns_name_format(name, namestr,
- sizeof(namestr));
- dns_rdatatype_format(rdata.type,
- typestr,
- sizeof(typestr));
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "deleting rrset at '%s' %s",
- namestr, typestr);
- }
- CHECK(delete_if(true_p, db, ver, name,
- rdata.type, covers, &rdata,
- &diff));
- }
- } else if (update_class == dns_rdataclass_none) {
- /*
- * The (name == zonename) condition appears in
- * RFC2136 3.4.2.4 but is missing from the pseudocode.
- */
- if (dns_name_equal(name, zonename)) {
- if (rdata.type == dns_rdatatype_soa) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "attempt to delete SOA "
- "ignored");
- continue;
- }
- if (rdata.type == dns_rdatatype_ns) {
- int count;
- CHECK(rr_count(db, ver, name,
- dns_rdatatype_ns,
- 0, &count));
- if (count == 1) {
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "attempt to "
- "delete last "
- "NS ignored");
- continue;
- }
- }
- }
- update_log(client, zone,
- LOGLEVEL_PROTOCOL,
- "deleting an RR");
- CHECK(delete_if(rr_equal_p, db, ver, name,
- rdata.type, covers, &rdata, &diff));
- }
- }
- if (result != ISC_R_NOMORE)
- FAIL(result);
-
- /*
- * If any changes were made, increment the SOA serial number,
- * update RRSIGs and NSECs (if zone is secure), and write the update
- * to the journal.
- */
- if (! ISC_LIST_EMPTY(diff.tuples)) {
- char *journalfile;
- dns_journal_t *journal;
-
- /*
- * Increment the SOA serial, but only if it was not
- * changed as a result of an update operation.
- */
- if (! soa_serial_changed) {
- CHECK(increment_soa_serial(db, ver, &diff, mctx));
- }
-
- CHECK(remove_orphaned_ds(db, ver, &diff));
-
- if (dns_db_issecure(db)) {
- result = update_signatures(client, zone, db, oldver,
- ver, &diff,
- dns_zone_getsigvalidityinterval(zone));
- if (result != ISC_R_SUCCESS) {
- update_log(client, zone,
- ISC_LOG_ERROR,
- "RRSIG/NSEC update failed: %s",
- isc_result_totext(result));
- goto failure;
- }
- }
-
- journalfile = dns_zone_getjournal(zone);
- if (journalfile != NULL) {
- update_log(client, zone, LOGLEVEL_DEBUG,
- "writing journal %s", journalfile);
-
- journal = NULL;
- result = dns_journal_open(mctx, journalfile,
- ISC_TRUE, &journal);
- if (result != ISC_R_SUCCESS)
- FAILS(result, "journal open failed");
-
- result = dns_journal_write_transaction(journal, &diff);
- if (result != ISC_R_SUCCESS) {
- dns_journal_destroy(&journal);
- FAILS(result, "journal write failed");
- }
-
- dns_journal_destroy(&journal);
- }
-
- /*
- * XXXRTH Just a note that this committing code will have
- * to change to handle databases that need two-phase
- * commit, but this isn't a priority.
- */
- update_log(client, zone, LOGLEVEL_DEBUG,
- "committing update transaction");
- dns_db_closeversion(db, &ver, ISC_TRUE);
-
- /*
- * Mark the zone as dirty so that it will be written to disk.
- */
- dns_zone_markdirty(zone);
-
- /*
- * Notify slaves of the change we just made.
- */
- dns_zone_notify(zone);
- } else {
- update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
- dns_db_closeversion(db, &ver, ISC_TRUE);
- }
- result = ISC_R_SUCCESS;
- goto common;
-
- failure:
- /*
- * The reason for failure should have been logged at this point.
- */
- if (ver != NULL) {
- update_log(client, zone, LOGLEVEL_DEBUG,
- "rolling back");
- dns_db_closeversion(db, &ver, ISC_FALSE);
- }
-
- common:
- dns_diff_clear(&temp);
- dns_diff_clear(&diff);
-
- if (oldver != NULL)
- dns_db_closeversion(db, &oldver, ISC_FALSE);
-
- if (db != NULL)
- dns_db_detach(&db);
-
- if (ssutable != NULL)
- dns_ssutable_detach(&ssutable);
-
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- isc_task_detach(&task);
- uev->result = result;
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = updatedone_action;
- isc_task_send(client->task, &event);
- INSIST(event == NULL);
-}
-
-static void
-updatedone_action(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- ns_client_t *client = (ns_client_t *) event->ev_arg;
-
- UNUSED(task);
-
- INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
- INSIST(task == client->task);
-
- INSIST(client->nupdates > 0);
- client->nupdates--;
- respond(client, uev->result);
- isc_event_free(&event);
- ns_client_detach(&client);
-}
-
-/*
- * Update forwarding support.
- */
-
-static void
-forward_fail(isc_task_t *task, isc_event_t *event) {
- ns_client_t *client = (ns_client_t *)event->ev_arg;
-
- UNUSED(task);
-
- INSIST(client->nupdates > 0);
- client->nupdates--;
- respond(client, DNS_R_SERVFAIL);
- isc_event_free(&event);
- ns_client_detach(&client);
-}
-
-
-static void
-forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
- update_event_t *uev = arg;
- ns_client_t *client = uev->ev_arg;
-
- if (result != ISC_R_SUCCESS) {
- INSIST(answer == NULL);
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = forward_fail;
- } else {
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = forward_done;
- uev->answer = answer;
- }
- isc_task_send(client->task, ISC_EVENT_PTR(&uev));
-}
-
-static void
-forward_done(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- ns_client_t *client = (ns_client_t *)event->ev_arg;
-
- UNUSED(task);
-
- INSIST(client->nupdates > 0);
- client->nupdates--;
- ns_client_sendraw(client, uev->answer);
- dns_message_destroy(&uev->answer);
- isc_event_free(&event);
- ns_client_detach(&client);
-}
-
-static void
-forward_action(isc_task_t *task, isc_event_t *event) {
- update_event_t *uev = (update_event_t *) event;
- dns_zone_t *zone = uev->zone;
- ns_client_t *client = (ns_client_t *)event->ev_arg;
- isc_result_t result;
-
- result = dns_zone_forwardupdate(zone, client->message,
- forward_callback, event);
- if (result != ISC_R_SUCCESS) {
- uev->ev_type = DNS_EVENT_UPDATEDONE;
- uev->ev_action = forward_fail;
- isc_task_send(client->task, &event);
- }
- dns_zone_detach(&zone);
- isc_task_detach(&task);
-}
-
-static isc_result_t
-send_forward_event(ns_client_t *client, dns_zone_t *zone) {
- isc_result_t result = ISC_R_SUCCESS;
- update_event_t *event = NULL;
- isc_task_t *zonetask = NULL;
- ns_client_t *evclient;
-
- event = (update_event_t *)
- isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
- forward_action, NULL, sizeof(*event));
- if (event == NULL)
- FAIL(ISC_R_NOMEMORY);
- event->zone = zone;
- event->result = ISC_R_SUCCESS;
-
- evclient = NULL;
- ns_client_attach(client, &evclient);
- INSIST(client->nupdates == 0);
- client->nupdates++;
- event->ev_arg = evclient;
-
- dns_zone_gettask(zone, &zonetask);
- isc_task_send(zonetask, ISC_EVENT_PTR(&event));
-
- failure:
- if (event != NULL)
- isc_event_free(ISC_EVENT_PTR(&event));
- return (result);
-}
diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c
deleted file mode 100644
index 687c287f4bda..000000000000
--- a/contrib/bind9/bin/named/xfrout.c
+++ /dev/null
@@ -1,1718 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: xfrout.c,v 1.101.2.5.2.12 2005/10/14 02:13:05 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/formatcheck.h>
-#include <isc/mem.h>
-#include <isc/timer.h>
-#include <isc/print.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
-#include <dns/message.h>
-#include <dns/peer.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/timer.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#include <named/client.h>
-#include <named/log.h>
-#include <named/server.h>
-#include <named/xfrout.h>
-
-/*
- * Outgoing AXFR and IXFR.
- */
-
-/*
- * TODO:
- * - IXFR over UDP
- */
-
-#define XFROUT_COMMON_LOGARGS \
- ns_g_lctx, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT
-
-#define XFROUT_PROTOCOL_LOGARGS \
- XFROUT_COMMON_LOGARGS, ISC_LOG_INFO
-
-#define XFROUT_DEBUG_LOGARGS(n) \
- XFROUT_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
-
-#define XFROUT_RR_LOGARGS \
- XFROUT_COMMON_LOGARGS, XFROUT_RR_LOGLEVEL
-
-#define XFROUT_RR_LOGLEVEL ISC_LOG_DEBUG(8)
-
-/*
- * Fail unconditionally and log as a client error.
- * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAILC(code, msg) \
- do { \
- result = (code); \
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
- NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
- "bad zone transfer request: %s (%s)", \
- msg, isc_result_totext(code)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define FAILQ(code, msg, question, rdclass) \
- do { \
- char _buf1[DNS_NAME_FORMATSIZE]; \
- char _buf2[DNS_RDATACLASS_FORMATSIZE]; \
- result = (code); \
- dns_name_format(question, _buf1, sizeof(_buf1)); \
- dns_rdataclass_format(rdclass, _buf2, sizeof(_buf2)); \
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
- NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
- "bad zone transfer request: '%s/%s': %s (%s)", \
- _buf1, _buf2, msg, isc_result_totext(code)); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/**************************************************************************/
-/*
- * A db_rr_iterator_t is an iterator that iterates over an entire database,
- * returning one RR at a time, in some arbitrary order.
- */
-
-typedef struct db_rr_iterator db_rr_iterator_t;
-
-struct db_rr_iterator {
- isc_result_t result;
- dns_db_t *db;
- dns_dbiterator_t *dbit;
- dns_dbversion_t *ver;
- isc_stdtime_t now;
- dns_dbnode_t *node;
- dns_fixedname_t fixedname;
- dns_rdatasetiter_t *rdatasetit;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata;
-};
-
-static isc_result_t
-db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
- isc_stdtime_t now);
-
-static isc_result_t
-db_rr_iterator_first(db_rr_iterator_t *it);
-
-static isc_result_t
-db_rr_iterator_next(db_rr_iterator_t *it);
-
-static void
-db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
- isc_uint32_t *ttl, dns_rdata_t **rdata);
-
-static void
-db_rr_iterator_destroy(db_rr_iterator_t *it);
-
-static isc_result_t
-db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
- isc_stdtime_t now)
-{
- isc_result_t result;
- it->db = db;
- it->dbit = NULL;
- it->ver = ver;
- it->now = now;
- it->node = NULL;
- result = dns_db_createiterator(it->db, ISC_FALSE, &it->dbit);
- if (result != ISC_R_SUCCESS)
- return (result);
- it->rdatasetit = NULL;
- dns_rdata_init(&it->rdata);
- dns_rdataset_init(&it->rdataset);
- dns_fixedname_init(&it->fixedname);
- INSIST(! dns_rdataset_isassociated(&it->rdataset));
- it->result = ISC_R_SUCCESS;
- return (it->result);
-}
-
-static isc_result_t
-db_rr_iterator_first(db_rr_iterator_t *it) {
- it->result = dns_dbiterator_first(it->dbit);
- /*
- * The top node may be empty when out of zone glue exists.
- * Walk the tree to find the first node with data.
- */
- while (it->result == ISC_R_SUCCESS) {
- it->result = dns_dbiterator_current(it->dbit, &it->node,
- dns_fixedname_name(&it->fixedname));
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- it->result = dns_db_allrdatasets(it->db, it->node,
- it->ver, it->now,
- &it->rdatasetit);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- it->result = dns_rdatasetiter_first(it->rdatasetit);
- if (it->result != ISC_R_SUCCESS) {
- /*
- * This node is empty. Try next node.
- */
- dns_rdatasetiter_destroy(&it->rdatasetit);
- dns_db_detachnode(it->db, &it->node);
- it->result = dns_dbiterator_next(it->dbit);
- continue;
- }
- dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
-
- it->result = dns_rdataset_first(&it->rdataset);
- return (it->result);
- }
- return (it->result);
-}
-
-
-static isc_result_t
-db_rr_iterator_next(db_rr_iterator_t *it) {
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
-
- INSIST(it->dbit != NULL);
- INSIST(it->node != NULL);
- INSIST(it->rdatasetit != NULL);
-
- it->result = dns_rdataset_next(&it->rdataset);
- if (it->result == ISC_R_NOMORE) {
- dns_rdataset_disassociate(&it->rdataset);
- it->result = dns_rdatasetiter_next(it->rdatasetit);
- /*
- * The while loop body is executed more than once
- * only when an empty dbnode needs to be skipped.
- */
- while (it->result == ISC_R_NOMORE) {
- dns_rdatasetiter_destroy(&it->rdatasetit);
- dns_db_detachnode(it->db, &it->node);
- it->result = dns_dbiterator_next(it->dbit);
- if (it->result == ISC_R_NOMORE) {
- /* We are at the end of the entire database. */
- return (it->result);
- }
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_dbiterator_current(it->dbit,
- &it->node,
- dns_fixedname_name(&it->fixedname));
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_db_allrdatasets(it->db, it->node,
- it->ver, it->now,
- &it->rdatasetit);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- it->result = dns_rdatasetiter_first(it->rdatasetit);
- }
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
- it->result = dns_rdataset_first(&it->rdataset);
- if (it->result != ISC_R_SUCCESS)
- return (it->result);
- }
- return (it->result);
-}
-
-static void
-db_rr_iterator_pause(db_rr_iterator_t *it) {
- RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
-}
-
-static void
-db_rr_iterator_destroy(db_rr_iterator_t *it) {
- if (dns_rdataset_isassociated(&it->rdataset))
- dns_rdataset_disassociate(&it->rdataset);
- if (it->rdatasetit != NULL)
- dns_rdatasetiter_destroy(&it->rdatasetit);
- if (it->node != NULL)
- dns_db_detachnode(it->db, &it->node);
- dns_dbiterator_destroy(&it->dbit);
-}
-
-static void
-db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
- isc_uint32_t *ttl, dns_rdata_t **rdata)
-{
- REQUIRE(name != NULL && *name == NULL);
- REQUIRE(it->result == ISC_R_SUCCESS);
- *name = dns_fixedname_name(&it->fixedname);
- *ttl = it->rdataset.ttl;
- dns_rdata_reset(&it->rdata);
- dns_rdataset_current(&it->rdataset, &it->rdata);
- *rdata = &it->rdata;
-}
-
-/**************************************************************************/
-
-/* Log an RR (for debugging) */
-
-static void
-log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
- isc_result_t result;
- isc_buffer_t buf;
- char mem[2000];
- dns_rdatalist_t rdl;
- dns_rdataset_t rds;
- dns_rdata_t rd = DNS_RDATA_INIT;
-
- rdl.type = rdata->type;
- rdl.rdclass = rdata->rdclass;
- rdl.ttl = ttl;
- ISC_LIST_INIT(rdl.rdata);
- ISC_LINK_INIT(&rdl, link);
- dns_rdataset_init(&rds);
- dns_rdata_init(&rd);
- dns_rdata_clone(rdata, &rd);
- ISC_LIST_APPEND(rdl.rdata, &rd, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == ISC_R_SUCCESS);
-
- isc_buffer_init(&buf, mem, sizeof(mem));
- result = dns_rdataset_totext(&rds, name,
- ISC_FALSE, ISC_FALSE, &buf);
-
- /*
- * We could use xfrout_log(), but that would produce
- * very long lines with a repetitive prefix.
- */
- if (result == ISC_R_SUCCESS) {
- /*
- * Get rid of final newline.
- */
- INSIST(buf.used >= 1 &&
- ((char *) buf.base)[buf.used - 1] == '\n');
- buf.used--;
-
- isc_log_write(XFROUT_RR_LOGARGS, "%.*s",
- (int)isc_buffer_usedlength(&buf),
- (char *)isc_buffer_base(&buf));
- } else {
- isc_log_write(XFROUT_RR_LOGARGS, "<RR too large to print>");
- }
-}
-
-/**************************************************************************/
-/*
- * An 'rrstream_t' is a polymorphic iterator that returns
- * a stream of resource records. There are multiple implementations,
- * e.g. for generating AXFR and IXFR records streams.
- */
-
-typedef struct rrstream_methods rrstream_methods_t;
-
-typedef struct rrstream {
- isc_mem_t *mctx;
- rrstream_methods_t *methods;
-} rrstream_t;
-
-struct rrstream_methods {
- isc_result_t (*first)(rrstream_t *);
- isc_result_t (*next)(rrstream_t *);
- void (*current)(rrstream_t *,
- dns_name_t **,
- isc_uint32_t *,
- dns_rdata_t **);
- void (*pause)(rrstream_t *);
- void (*destroy)(rrstream_t **);
-};
-
-static void
-rrstream_noop_pause(rrstream_t *rs) {
- UNUSED(rs);
-}
-
-/**************************************************************************/
-/*
- * An 'ixfr_rrstream_t' is an 'rrstream_t' that returns
- * an IXFR-like RR stream from a journal file.
- *
- * The SOA at the beginning of each sequence of additions
- * or deletions are included in the stream, but the extra
- * SOAs at the beginning and end of the entire transfer are
- * not included.
- */
-
-typedef struct ixfr_rrstream {
- rrstream_t common;
- dns_journal_t *journal;
-} ixfr_rrstream_t;
-
-/* Forward declarations. */
-static void
-ixfr_rrstream_destroy(rrstream_t **sp);
-
-static rrstream_methods_t ixfr_rrstream_methods;
-
-/*
- * Returns: anything dns_journal_open() or dns_journal_iter_init()
- * may return.
- */
-
-static isc_result_t
-ixfr_rrstream_create(isc_mem_t *mctx,
- const char *journal_filename,
- isc_uint32_t begin_serial,
- isc_uint32_t end_serial,
- rrstream_t **sp)
-{
- ixfr_rrstream_t *s;
- isc_result_t result;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &ixfr_rrstream_methods;
- s->journal = NULL;
-
- CHECK(dns_journal_open(mctx, journal_filename,
- ISC_FALSE, &s->journal));
- CHECK(dns_journal_iter_init(s->journal, begin_serial, end_serial));
-
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-
- failure:
- ixfr_rrstream_destroy((rrstream_t **) (void *)&s);
- return (result);
-}
-
-static isc_result_t
-ixfr_rrstream_first(rrstream_t *rs) {
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
- return (dns_journal_first_rr(s->journal));
-}
-
-static isc_result_t
-ixfr_rrstream_next(rrstream_t *rs) {
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
- return (dns_journal_next_rr(s->journal));
-}
-
-static void
-ixfr_rrstream_current(rrstream_t *rs,
- dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
- dns_journal_current_rr(s->journal, name, ttl, rdata);
-}
-
-static void
-ixfr_rrstream_destroy(rrstream_t **rsp) {
- ixfr_rrstream_t *s = (ixfr_rrstream_t *) *rsp;
- if (s->journal != 0)
- dns_journal_destroy(&s->journal);
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t ixfr_rrstream_methods = {
- ixfr_rrstream_first,
- ixfr_rrstream_next,
- ixfr_rrstream_current,
- rrstream_noop_pause,
- ixfr_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'axfr_rrstream_t' is an 'rrstream_t' that returns
- * an AXFR-like RR stream from a database.
- *
- * The SOAs at the beginning and end of the transfer are
- * not included in the stream.
- */
-
-typedef struct axfr_rrstream {
- rrstream_t common;
- db_rr_iterator_t it;
- isc_boolean_t it_valid;
-} axfr_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-axfr_rrstream_destroy(rrstream_t **rsp);
-
-static rrstream_methods_t axfr_rrstream_methods;
-
-static isc_result_t
-axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
- rrstream_t **sp)
-{
- axfr_rrstream_t *s;
- isc_result_t result;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &axfr_rrstream_methods;
- s->it_valid = ISC_FALSE;
-
- CHECK(db_rr_iterator_init(&s->it, db, ver, 0));
- s->it_valid = ISC_TRUE;
-
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-
- failure:
- axfr_rrstream_destroy((rrstream_t **) (void *)&s);
- return (result);
-}
-
-static isc_result_t
-axfr_rrstream_first(rrstream_t *rs) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- isc_result_t result;
- result = db_rr_iterator_first(&s->it);
- if (result != ISC_R_SUCCESS)
- return (result);
- /* Skip SOA records. */
- for (;;) {
- dns_name_t *name_dummy = NULL;
- isc_uint32_t ttl_dummy;
- dns_rdata_t *rdata = NULL;
- db_rr_iterator_current(&s->it, &name_dummy,
- &ttl_dummy, &rdata);
- if (rdata->type != dns_rdatatype_soa)
- break;
- result = db_rr_iterator_next(&s->it);
- if (result != ISC_R_SUCCESS)
- break;
- }
- return (result);
-}
-
-static isc_result_t
-axfr_rrstream_next(rrstream_t *rs) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- isc_result_t result;
-
- /* Skip SOA records. */
- for (;;) {
- dns_name_t *name_dummy = NULL;
- isc_uint32_t ttl_dummy;
- dns_rdata_t *rdata = NULL;
- result = db_rr_iterator_next(&s->it);
- if (result != ISC_R_SUCCESS)
- break;
- db_rr_iterator_current(&s->it, &name_dummy,
- &ttl_dummy, &rdata);
- if (rdata->type != dns_rdatatype_soa)
- break;
- }
- return (result);
-}
-
-static void
-axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- db_rr_iterator_current(&s->it, name, ttl, rdata);
-}
-
-static void
-axfr_rrstream_pause(rrstream_t *rs) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
- db_rr_iterator_pause(&s->it);
-}
-
-static void
-axfr_rrstream_destroy(rrstream_t **rsp) {
- axfr_rrstream_t *s = (axfr_rrstream_t *) *rsp;
- if (s->it_valid)
- db_rr_iterator_destroy(&s->it);
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t axfr_rrstream_methods = {
- axfr_rrstream_first,
- axfr_rrstream_next,
- axfr_rrstream_current,
- axfr_rrstream_pause,
- axfr_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'soa_rrstream_t' is a degenerate 'rrstream_t' that returns
- * a single SOA record.
- */
-
-typedef struct soa_rrstream {
- rrstream_t common;
- dns_difftuple_t *soa_tuple;
-} soa_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-soa_rrstream_destroy(rrstream_t **rsp);
-
-static rrstream_methods_t soa_rrstream_methods;
-
-static isc_result_t
-soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
- rrstream_t **sp)
-{
- soa_rrstream_t *s;
- isc_result_t result;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &soa_rrstream_methods;
- s->soa_tuple = NULL;
-
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
- &s->soa_tuple));
-
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-
- failure:
- soa_rrstream_destroy((rrstream_t **) (void *)&s);
- return (result);
-}
-
-static isc_result_t
-soa_rrstream_first(rrstream_t *rs) {
- UNUSED(rs);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-soa_rrstream_next(rrstream_t *rs) {
- UNUSED(rs);
- return (ISC_R_NOMORE);
-}
-
-static void
-soa_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- soa_rrstream_t *s = (soa_rrstream_t *) rs;
- *name = &s->soa_tuple->name;
- *ttl = s->soa_tuple->ttl;
- *rdata = &s->soa_tuple->rdata;
-}
-
-static void
-soa_rrstream_destroy(rrstream_t **rsp) {
- soa_rrstream_t *s = (soa_rrstream_t *) *rsp;
- if (s->soa_tuple != NULL)
- dns_difftuple_free(&s->soa_tuple);
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t soa_rrstream_methods = {
- soa_rrstream_first,
- soa_rrstream_next,
- soa_rrstream_current,
- rrstream_noop_pause,
- soa_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * A 'compound_rrstream_t' objects owns a soa_rrstream
- * and another rrstream, the "data stream". It returns
- * a concatenated stream consisting of the soa_rrstream, then
- * the data stream, then the soa_rrstream again.
- *
- * The component streams are owned by the compound_rrstream_t
- * and are destroyed with it.
- */
-
-typedef struct compound_rrstream {
- rrstream_t common;
- rrstream_t *components[3];
- int state;
- isc_result_t result;
-} compound_rrstream_t;
-
-/*
- * Forward declarations.
- */
-static void
-compound_rrstream_destroy(rrstream_t **rsp);
-
-static isc_result_t
-compound_rrstream_next(rrstream_t *rs);
-
-static rrstream_methods_t compound_rrstream_methods;
-
-/*
- * Requires:
- * soa_stream != NULL && *soa_stream != NULL
- * data_stream != NULL && *data_stream != NULL
- * sp != NULL && *sp == NULL
- *
- * Ensures:
- * *soa_stream == NULL
- * *data_stream == NULL
- * *sp points to a valid compound_rrstream_t
- * The soa and data streams will be destroyed
- * when the compound_rrstream_t is destroyed.
- */
-static isc_result_t
-compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream,
- rrstream_t **data_stream, rrstream_t **sp)
-{
- compound_rrstream_t *s;
-
- INSIST(sp != NULL && *sp == NULL);
-
- s = isc_mem_get(mctx, sizeof(*s));
- if (s == NULL)
- return (ISC_R_NOMEMORY);
- s->common.mctx = mctx;
- s->common.methods = &compound_rrstream_methods;
- s->components[0] = *soa_stream;
- s->components[1] = *data_stream;
- s->components[2] = *soa_stream;
- s->state = -1;
- s->result = ISC_R_FAILURE;
-
- *soa_stream = NULL;
- *data_stream = NULL;
- *sp = (rrstream_t *) s;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-compound_rrstream_first(rrstream_t *rs) {
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- s->state = 0;
- do {
- rrstream_t *curstream = s->components[s->state];
- s->result = curstream->methods->first(curstream);
- } while (s->result == ISC_R_NOMORE && s->state < 2);
- return (s->result);
-}
-
-static isc_result_t
-compound_rrstream_next(rrstream_t *rs) {
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- rrstream_t *curstream = s->components[s->state];
- s->result = curstream->methods->next(curstream);
- while (s->result == ISC_R_NOMORE) {
- /*
- * Make sure locks held by the current stream
- * are released before we switch streams.
- */
- curstream->methods->pause(curstream);
- if (s->state == 2)
- return (ISC_R_NOMORE);
- s->state++;
- curstream = s->components[s->state];
- s->result = curstream->methods->first(curstream);
- }
- return (s->result);
-}
-
-static void
-compound_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- rrstream_t *curstream;
- INSIST(0 <= s->state && s->state < 3);
- INSIST(s->result == ISC_R_SUCCESS);
- curstream = s->components[s->state];
- curstream->methods->current(curstream, name, ttl, rdata);
-}
-
-static void
-compound_rrstream_pause(rrstream_t *rs)
-{
- compound_rrstream_t *s = (compound_rrstream_t *) rs;
- rrstream_t *curstream;
- INSIST(0 <= s->state && s->state < 3);
- curstream = s->components[s->state];
- curstream->methods->pause(curstream);
-}
-
-static void
-compound_rrstream_destroy(rrstream_t **rsp) {
- compound_rrstream_t *s = (compound_rrstream_t *) *rsp;
- s->components[0]->methods->destroy(&s->components[0]);
- s->components[1]->methods->destroy(&s->components[1]);
- s->components[2] = NULL; /* Copy of components[0]. */
- isc_mem_put(s->common.mctx, s, sizeof(*s));
-}
-
-static rrstream_methods_t compound_rrstream_methods = {
- compound_rrstream_first,
- compound_rrstream_next,
- compound_rrstream_current,
- compound_rrstream_pause,
- compound_rrstream_destroy
-};
-
-/**************************************************************************/
-/*
- * An 'xfrout_ctx_t' contains the state of an outgoing AXFR or IXFR
- * in progress.
- */
-
-typedef struct {
- isc_mem_t *mctx;
- ns_client_t *client;
- unsigned int id; /* ID of request */
- dns_name_t *qname; /* Question name of request */
- dns_rdatatype_t qtype; /* dns_rdatatype_{a,i}xfr */
- dns_rdataclass_t qclass;
- dns_db_t *db;
- dns_dbversion_t *ver;
- isc_quota_t *quota;
- rrstream_t *stream; /* The XFR RR stream */
- isc_boolean_t end_of_stream; /* EOS has been reached */
- isc_buffer_t buf; /* Buffer for message owner
- names and rdatas */
- isc_buffer_t txlenbuf; /* Transmit length buffer */
- isc_buffer_t txbuf; /* Transmit message buffer */
- void *txmem;
- unsigned int txmemlen;
- unsigned int nmsg; /* Number of messages sent */
- dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
- isc_buffer_t *lasttsig; /* the last TSIG */
- isc_boolean_t many_answers;
- int sends; /* Send in progress */
- isc_boolean_t shuttingdown;
- const char *mnemonic; /* Style of transfer */
-} xfrout_ctx_t;
-
-static isc_result_t
-xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client,
- unsigned int id, dns_name_t *qname, dns_rdatatype_t qtype,
- dns_rdataclass_t qclass,
- dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
- rrstream_t *stream, dns_tsigkey_t *tsigkey,
- isc_buffer_t *lasttsig,
- unsigned int maxtime,
- unsigned int idletime,
- isc_boolean_t many_answers,
- xfrout_ctx_t **xfrp);
-
-static void
-sendstream(xfrout_ctx_t *xfr);
-
-static void
-xfrout_senddone(isc_task_t *task, isc_event_t *event);
-
-static void
-xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg);
-
-static void
-xfrout_maybe_destroy(xfrout_ctx_t *xfr);
-
-static void
-xfrout_ctx_destroy(xfrout_ctx_t **xfrp);
-
-static void
-xfrout_client_shutdown(void *arg, isc_result_t result);
-
-static void
-xfrout_log1(ns_client_t *client, dns_name_t *zonename,
- dns_rdataclass_t rdclass, int level,
- const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
-
-static void
-xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-/**************************************************************************/
-
-void
-ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
- isc_result_t result;
- dns_name_t *question_name;
- dns_rdataset_t *question_rdataset;
- dns_zone_t *zone = NULL;
- dns_db_t *db = NULL;
- dns_dbversion_t *ver = NULL;
- dns_rdataclass_t question_class;
- rrstream_t *soa_stream = NULL;
- rrstream_t *data_stream = NULL;
- rrstream_t *stream = NULL;
- dns_difftuple_t *current_soa_tuple = NULL;
- dns_name_t *soa_name;
- dns_rdataset_t *soa_rdataset;
- dns_rdata_t soa_rdata = DNS_RDATA_INIT;
- isc_boolean_t have_soa = ISC_FALSE;
- const char *mnemonic = NULL;
- isc_mem_t *mctx = client->mctx;
- dns_message_t *request = client->message;
- xfrout_ctx_t *xfr = NULL;
- isc_quota_t *quota = NULL;
- dns_transfer_format_t format = client->view->transfer_format;
- isc_netaddr_t na;
- dns_peer_t *peer = NULL;
- isc_buffer_t *tsigbuf = NULL;
- char *journalfile;
- char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
- char keyname[DNS_NAME_FORMATSIZE];
- isc_boolean_t is_poll = ISC_FALSE;
-
- switch (reqtype) {
- case dns_rdatatype_axfr:
- mnemonic = "AXFR";
- break;
- case dns_rdatatype_ixfr:
- mnemonic = "IXFR";
- break;
- default:
- INSIST(0);
- break;
- }
-
- ns_client_log(client,
- DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
- ISC_LOG_DEBUG(6), "%s request", mnemonic);
- /*
- * Apply quota.
- */
- result = isc_quota_attach(&ns_g_server->xfroutquota, &quota);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
- "%s request denied: %s", mnemonic,
- isc_result_totext(result));
- goto failure;
- }
-
- /*
- * Interpret the question section.
- */
- result = dns_message_firstname(request, DNS_SECTION_QUESTION);
- INSIST(result == ISC_R_SUCCESS);
-
- /*
- * The question section must contain exactly one question, and
- * it must be for AXFR/IXFR as appropriate.
- */
- question_name = NULL;
- dns_message_currentname(request, DNS_SECTION_QUESTION, &question_name);
- question_rdataset = ISC_LIST_HEAD(question_name->list);
- question_class = question_rdataset->rdclass;
- INSIST(question_rdataset->type == reqtype);
- if (ISC_LIST_NEXT(question_rdataset, link) != NULL)
- FAILC(DNS_R_FORMERR, "multiple questions");
- result = dns_message_nextname(request, DNS_SECTION_QUESTION);
- if (result != ISC_R_NOMORE)
- FAILC(DNS_R_FORMERR, "multiple questions");
-
- result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
- &zone);
- if (result != ISC_R_SUCCESS)
- FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
- question_name, question_class);
- switch(dns_zone_gettype(zone)) {
- case dns_zone_master:
- case dns_zone_slave:
- break; /* Master and slave zones are OK for transfer. */
- default:
- FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
- question_name, question_class);
- }
- CHECK(dns_zone_getdb(zone, &db));
- dns_db_currentversion(db, &ver);
-
- xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
- "%s question section OK", mnemonic);
-
- /*
- * Check the authority section. Look for a SOA record with
- * the same name and class as the question.
- */
- for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(request, DNS_SECTION_AUTHORITY))
- {
- soa_name = NULL;
- dns_message_currentname(request, DNS_SECTION_AUTHORITY,
- &soa_name);
-
- /*
- * Ignore data whose owner name is not the zone apex.
- */
- if (! dns_name_equal(soa_name, question_name))
- continue;
-
- for (soa_rdataset = ISC_LIST_HEAD(soa_name->list);
- soa_rdataset != NULL;
- soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link))
- {
- /*
- * Ignore non-SOA data.
- */
- if (soa_rdataset->type != dns_rdatatype_soa)
- continue;
- if (soa_rdataset->rdclass != question_class)
- continue;
-
- CHECK(dns_rdataset_first(soa_rdataset));
- dns_rdataset_current(soa_rdataset, &soa_rdata);
- result = dns_rdataset_next(soa_rdataset);
- if (result == ISC_R_SUCCESS)
- FAILC(DNS_R_FORMERR,
- "IXFR authority section "
- "has multiple SOAs");
- have_soa = ISC_TRUE;
- goto got_soa;
- }
- }
- got_soa:
- if (result != ISC_R_NOMORE)
- CHECK(result);
-
- xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
- "%s authority section OK", mnemonic);
-
- /*
- * Decide whether to allow this transfer.
- */
- ns_client_aclmsg("zone transfer", question_name, reqtype,
- client->view->rdclass, msg, sizeof(msg));
- CHECK(ns_client_checkacl(client, msg,
- dns_zone_getxfracl(zone), ISC_TRUE,
- ISC_LOG_ERROR));
-
- /*
- * AXFR over UDP is not possible.
- */
- if (reqtype == dns_rdatatype_axfr &&
- (client->attributes & NS_CLIENTATTR_TCP) == 0)
- FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
-
- /*
- * Look up the requesting server in the peer table.
- */
- isc_netaddr_fromsockaddr(&na, &client->peeraddr);
- (void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer);
-
- /*
- * Decide on the transfer format (one-answer or many-answers).
- */
- if (peer != NULL)
- (void)dns_peer_gettransferformat(peer, &format);
-
- /*
- * Get a dynamically allocated copy of the current SOA.
- */
- CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
- &current_soa_tuple));
-
- if (reqtype == dns_rdatatype_ixfr) {
- isc_uint32_t begin_serial, current_serial;
- isc_boolean_t provide_ixfr;
-
- /*
- * Outgoing IXFR may have been disabled for this peer
- * or globally.
- */
- provide_ixfr = client->view->provideixfr;
- if (peer != NULL)
- (void) dns_peer_getprovideixfr(peer, &provide_ixfr);
- if (provide_ixfr == ISC_FALSE)
- goto axfr_fallback;
-
- if (! have_soa)
- FAILC(DNS_R_FORMERR,
- "IXFR request missing SOA");
-
- begin_serial = dns_soa_getserial(&soa_rdata);
- current_serial = dns_soa_getserial(&current_soa_tuple->rdata);
-
- /*
- * RFC1995 says "If an IXFR query with the same or
- * newer version number than that of the server
- * is received, it is replied to with a single SOA
- * record of the server's current version, just as
- * in AXFR". The claim about AXFR is incorrect,
- * but other than that, we do as the RFC says.
- *
- * Sending a single SOA record is also how we refuse
- * IXFR over UDP (currently, we always do).
- */
- if (DNS_SERIAL_GE(begin_serial, current_serial) ||
- (client->attributes & NS_CLIENTATTR_TCP) == 0)
- {
- CHECK(soa_rrstream_create(mctx, db, ver, &stream));
- is_poll = ISC_TRUE;
- goto have_stream;
- }
- journalfile = dns_zone_getjournal(zone);
- if (journalfile != NULL)
- result = ixfr_rrstream_create(mctx,
- journalfile,
- begin_serial,
- current_serial,
- &data_stream);
- else
- result = ISC_R_NOTFOUND;
- if (result == ISC_R_NOTFOUND ||
- result == ISC_R_RANGE) {
- xfrout_log1(client, question_name, question_class,
- ISC_LOG_DEBUG(4),
- "IXFR version not in journal, "
- "falling back to AXFR");
- mnemonic = "AXFR-style IXFR";
- goto axfr_fallback;
- }
- CHECK(result);
- } else {
- axfr_fallback:
- CHECK(axfr_rrstream_create(mctx, db, ver,
- &data_stream));
- }
-
- /*
- * Bracket the the data stream with SOAs.
- */
- CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
- CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
- &stream));
- soa_stream = NULL;
- data_stream = NULL;
-
- have_stream:
- CHECK(dns_message_getquerytsig(request, mctx, &tsigbuf));
- /*
- * Create the xfrout context object. This transfers the ownership
- * of "stream", "db", "ver", and "quota" to the xfrout context object.
- */
- CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
- reqtype, question_class, db, ver, quota,
- stream, dns_message_gettsigkey(request),
- tsigbuf,
- dns_zone_getmaxxfrout(zone),
- dns_zone_getidleout(zone),
- (format == dns_many_answers) ?
- ISC_TRUE : ISC_FALSE,
- &xfr));
- xfr->mnemonic = mnemonic;
- stream = NULL;
- quota = NULL;
-
- CHECK(xfr->stream->methods->first(xfr->stream));
-
- if (xfr->tsigkey != NULL) {
- dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname));
- } else
- keyname[0] = '\0';
- if (is_poll)
- xfrout_log1(client, question_name, question_class,
- ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s",
- (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
- else
- xfrout_log1(client, question_name, question_class,
- ISC_LOG_INFO, "%s started%s%s", mnemonic,
- (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
-
- /*
- * Hand the context over to sendstream(). Set xfr to NULL;
- * sendstream() is responsible for either passing the
- * context on to a later event handler or destroying it.
- */
- sendstream(xfr);
- xfr = NULL;
-
- result = ISC_R_SUCCESS;
-
- failure:
- if (quota != NULL)
- isc_quota_detach(&quota);
- if (current_soa_tuple != NULL)
- dns_difftuple_free(&current_soa_tuple);
- if (stream != NULL)
- stream->methods->destroy(&stream);
- if (soa_stream != NULL)
- soa_stream->methods->destroy(&soa_stream);
- if (data_stream != NULL)
- data_stream->methods->destroy(&data_stream);
- if (ver != NULL)
- dns_db_closeversion(db, &ver, ISC_FALSE);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- /* XXX kludge */
- if (xfr != NULL) {
- xfrout_fail(xfr, result, "setting up zone transfer");
- } else if (result != ISC_R_SUCCESS) {
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
- NS_LOGMODULE_XFER_OUT,
- ISC_LOG_DEBUG(3), "zone transfer setup failed");
- ns_client_error(client, result);
- }
-}
-
-static isc_result_t
-xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
- dns_name_t *qname, dns_rdatatype_t qtype,
- dns_rdataclass_t qclass,
- dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
- rrstream_t *stream, dns_tsigkey_t *tsigkey,
- isc_buffer_t *lasttsig, unsigned int maxtime,
- unsigned int idletime, isc_boolean_t many_answers,
- xfrout_ctx_t **xfrp)
-{
- xfrout_ctx_t *xfr;
- isc_result_t result;
- unsigned int len;
- void *mem;
-
- INSIST(xfrp != NULL && *xfrp == NULL);
- xfr = isc_mem_get(mctx, sizeof(*xfr));
- if (xfr == NULL)
- return (ISC_R_NOMEMORY);
- xfr->mctx = mctx;
- xfr->client = NULL;
- ns_client_attach(client, &xfr->client);
- xfr->id = id;
- xfr->qname = qname;
- xfr->qtype = qtype;
- xfr->qclass = qclass;
- xfr->db = NULL;
- xfr->ver = NULL;
- dns_db_attach(db, &xfr->db);
- dns_db_attachversion(db, ver, &xfr->ver);
- xfr->end_of_stream = ISC_FALSE;
- xfr->tsigkey = tsigkey;
- xfr->lasttsig = lasttsig;
- xfr->txmem = NULL;
- xfr->txmemlen = 0;
- xfr->nmsg = 0;
- xfr->many_answers = many_answers,
- xfr->sends = 0;
- xfr->shuttingdown = ISC_FALSE;
- xfr->mnemonic = NULL;
- xfr->buf.base = NULL;
- xfr->buf.length = 0;
- xfr->txmem = NULL;
- xfr->txmemlen = 0;
- xfr->stream = NULL;
- xfr->quota = NULL;
-
- /*
- * Allocate a temporary buffer for the uncompressed response
- * message data. The size should be no more than 65535 bytes
- * so that the compressed data will fit in a TCP message,
- * and no less than 65535 bytes so that an almost maximum-sized
- * RR will fit. Note that although 65535-byte RRs are allowed
- * in principle, they cannot be zone-transferred (at least not
- * if uncompressible), because the message and RR headers would
- * push the size of the TCP message over the 65536 byte limit.
- */
- len = 65535;
- mem = isc_mem_get(mctx, len);
- if (mem == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- isc_buffer_init(&xfr->buf, mem, len);
-
- /*
- * Allocate another temporary buffer for the compressed
- * response message and its TCP length prefix.
- */
- len = 2 + 65535;
- mem = isc_mem_get(mctx, len);
- if (mem == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- isc_buffer_init(&xfr->txlenbuf, mem, 2);
- isc_buffer_init(&xfr->txbuf, (char *) mem + 2, len - 2);
- xfr->txmem = mem;
- xfr->txmemlen = len;
-
- CHECK(dns_timer_setidle(xfr->client->timer,
- maxtime, idletime, ISC_FALSE));
-
- /*
- * Register a shutdown callback with the client, so that we
- * can stop the transfer immediately when the client task
- * gets a shutdown event.
- */
- xfr->client->shutdown = xfrout_client_shutdown;
- xfr->client->shutdown_arg = xfr;
- /*
- * These MUST be after the last "goto failure;" / CHECK to
- * prevent a double free by the caller.
- */
- xfr->quota = quota;
- xfr->stream = stream;
-
- *xfrp = xfr;
- return (ISC_R_SUCCESS);
-
-failure:
- xfrout_ctx_destroy(&xfr);
- return (result);
-}
-
-
-/*
- * Arrange to send as much as we can of "stream" without blocking.
- *
- * Requires:
- * The stream iterator is initialized and points at an RR,
- * or possiby at the end of the stream (that is, the
- * _first method of the iterator has been called).
- */
-static void
-sendstream(xfrout_ctx_t *xfr) {
- dns_message_t *tcpmsg = NULL;
- dns_message_t *msg = NULL; /* Client message if UDP, tcpmsg if TCP */
- isc_result_t result;
- isc_region_t used;
- isc_region_t region;
- dns_rdataset_t *qrdataset;
- dns_name_t *msgname = NULL;
- dns_rdata_t *msgrdata = NULL;
- dns_rdatalist_t *msgrdl = NULL;
- dns_rdataset_t *msgrds = NULL;
- dns_compress_t cctx;
- isc_boolean_t cleanup_cctx = ISC_FALSE;
-
- int n_rrs;
-
- isc_buffer_clear(&xfr->buf);
- isc_buffer_clear(&xfr->txlenbuf);
- isc_buffer_clear(&xfr->txbuf);
-
- if ((xfr->client->attributes & NS_CLIENTATTR_TCP) == 0) {
- /*
- * In the UDP case, we put the response data directly into
- * the client message.
- */
- msg = xfr->client->message;
- CHECK(dns_message_reply(msg, ISC_TRUE));
- } else {
- /*
- * TCP. Build a response dns_message_t, temporarily storing
- * the raw, uncompressed owner names and RR data contiguously
- * in xfr->buf. We know that if the uncompressed data fits
- * in xfr->buf, the compressed data will surely fit in a TCP
- * message.
- */
-
- CHECK(dns_message_create(xfr->mctx,
- DNS_MESSAGE_INTENTRENDER, &tcpmsg));
- msg = tcpmsg;
-
- msg->id = xfr->id;
- msg->rcode = dns_rcode_noerror;
- msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA;
- if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0)
- msg->flags |= DNS_MESSAGEFLAG_RA;
- CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
- CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
-
- /*
- * Include a question section in the first message only.
- * BIND 8.2.1 will not recognize an IXFR if it does not
- * have a question section.
- */
- if (xfr->nmsg == 0) {
- dns_name_t *qname = NULL;
- isc_region_t r;
-
- /*
- * Reserve space for the 12-byte message header
- * and 4 bytes of question.
- */
- isc_buffer_add(&xfr->buf, 12 + 4);
-
- qrdataset = NULL;
- result = dns_message_gettemprdataset(msg, &qrdataset);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_rdataset_init(qrdataset);
- dns_rdataset_makequestion(qrdataset,
- xfr->client->message->rdclass,
- xfr->qtype);
-
- result = dns_message_gettempname(msg, &qname);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_name_init(qname, NULL);
- isc_buffer_availableregion(&xfr->buf, &r);
- INSIST(r.length >= xfr->qname->length);
- r.length = xfr->qname->length;
- isc_buffer_putmem(&xfr->buf, xfr->qname->ndata,
- xfr->qname->length);
- dns_name_fromregion(qname, &r);
- ISC_LIST_INIT(qname->list);
- ISC_LIST_APPEND(qname->list, qrdataset, link);
-
- dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
- }
- else
- msg->tcp_continuation = 1;
- }
-
- /*
- * Try to fit in as many RRs as possible, unless "one-answer"
- * format has been requested.
- */
- for (n_rrs = 0; ; n_rrs++) {
- dns_name_t *name = NULL;
- isc_uint32_t ttl;
- dns_rdata_t *rdata = NULL;
-
- unsigned int size;
- isc_region_t r;
-
- msgname = NULL;
- msgrdata = NULL;
- msgrdl = NULL;
- msgrds = NULL;
-
- xfr->stream->methods->current(xfr->stream,
- &name, &ttl, &rdata);
- size = name->length + 10 + rdata->length;
- isc_buffer_availableregion(&xfr->buf, &r);
- if (size >= r.length) {
- /*
- * RR would not fit. If there are other RRs in the
- * buffer, send them now and leave this RR to the
- * next message. If this RR overflows the buffer
- * all by itself, fail.
- *
- * In theory some RRs might fit in a TCP message
- * when compressed even if they do not fit when
- * uncompressed, but surely we don't want
- * to send such monstrosities to an unsuspecting
- * slave.
- */
- if (n_rrs == 0) {
- xfrout_log(xfr, ISC_LOG_WARNING,
- "RR too large for zone transfer "
- "(%d bytes)", size);
- /* XXX DNS_R_RRTOOLARGE? */
- result = ISC_R_NOSPACE;
- goto failure;
- }
- break;
- }
-
- if (isc_log_wouldlog(ns_g_lctx, XFROUT_RR_LOGLEVEL))
- log_rr(name, rdata, ttl); /* XXX */
-
- result = dns_message_gettempname(msg, &msgname);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_name_init(msgname, NULL);
- isc_buffer_availableregion(&xfr->buf, &r);
- INSIST(r.length >= name->length);
- r.length = name->length;
- isc_buffer_putmem(&xfr->buf, name->ndata, name->length);
- dns_name_fromregion(msgname, &r);
-
- /* Reserve space for RR header. */
- isc_buffer_add(&xfr->buf, 10);
-
- result = dns_message_gettemprdata(msg, &msgrdata);
- if (result != ISC_R_SUCCESS)
- goto failure;
- isc_buffer_availableregion(&xfr->buf, &r);
- r.length = rdata->length;
- isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length);
- dns_rdata_init(msgrdata);
- dns_rdata_fromregion(msgrdata,
- rdata->rdclass, rdata->type, &r);
-
- result = dns_message_gettemprdatalist(msg, &msgrdl);
- if (result != ISC_R_SUCCESS)
- goto failure;
- msgrdl->type = rdata->type;
- msgrdl->rdclass = rdata->rdclass;
- msgrdl->ttl = ttl;
- ISC_LINK_INIT(msgrdl, link);
- ISC_LIST_INIT(msgrdl->rdata);
- ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
-
- result = dns_message_gettemprdataset(msg, &msgrds);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_rdataset_init(msgrds);
- result = dns_rdatalist_tordataset(msgrdl, msgrds);
- INSIST(result == ISC_R_SUCCESS);
-
- ISC_LIST_APPEND(msgname->list, msgrds, link);
-
- dns_message_addname(msg, msgname, DNS_SECTION_ANSWER);
- msgname = NULL;
-
- result = xfr->stream->methods->next(xfr->stream);
- if (result == ISC_R_NOMORE) {
- xfr->end_of_stream = ISC_TRUE;
- break;
- }
- CHECK(result);
-
- if (! xfr->many_answers)
- break;
- }
-
- if ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0) {
- CHECK(dns_compress_init(&cctx, -1, xfr->mctx));
- cleanup_cctx = ISC_TRUE;
- CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
- CHECK(dns_message_renderend(msg));
- dns_compress_invalidate(&cctx);
- cleanup_cctx = ISC_FALSE;
-
- isc_buffer_usedregion(&xfr->txbuf, &used);
- isc_buffer_putuint16(&xfr->txlenbuf,
- (isc_uint16_t)used.length);
- region.base = xfr->txlenbuf.base;
- region.length = 2 + used.length;
- xfrout_log(xfr, ISC_LOG_DEBUG(8),
- "sending TCP message of %d bytes",
- used.length);
- CHECK(isc_socket_send(xfr->client->tcpsocket, /* XXX */
- &region, xfr->client->task,
- xfrout_senddone,
- xfr));
- xfr->sends++;
- } else {
- xfrout_log(xfr, ISC_LOG_DEBUG(8), "sending IXFR UDP response");
- ns_client_send(xfr->client);
- xfr->stream->methods->pause(xfr->stream);
- xfrout_ctx_destroy(&xfr);
- return;
- }
-
- /* Advance lasttsig to be the last TSIG generated */
- CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
-
- xfr->nmsg++;
-
- failure:
- if (msgname != NULL) {
- if (msgrds != NULL) {
- if (dns_rdataset_isassociated(msgrds))
- dns_rdataset_disassociate(msgrds);
- dns_message_puttemprdataset(msg, &msgrds);
- }
- if (msgrdl != NULL) {
- ISC_LIST_UNLINK(msgrdl->rdata, msgrdata, link);
- dns_message_puttemprdatalist(msg, &msgrdl);
- }
- if (msgrdata != NULL)
- dns_message_puttemprdata(msg, &msgrdata);
- dns_message_puttempname(msg, &msgname);
- }
-
- if (tcpmsg != NULL)
- dns_message_destroy(&tcpmsg);
-
- if (cleanup_cctx)
- dns_compress_invalidate(&cctx);
- /*
- * Make sure to release any locks held by database
- * iterators before returning from the event handler.
- */
- xfr->stream->methods->pause(xfr->stream);
-
- if (result == ISC_R_SUCCESS)
- return;
-
- xfrout_fail(xfr, result, "sending zone data");
-}
-
-static void
-xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
- xfrout_ctx_t *xfr = *xfrp;
-
- INSIST(xfr->sends == 0);
-
- xfr->client->shutdown = NULL;
- xfr->client->shutdown_arg = NULL;
-
- if (xfr->stream != NULL)
- xfr->stream->methods->destroy(&xfr->stream);
- if (xfr->buf.base != NULL)
- isc_mem_put(xfr->mctx, xfr->buf.base, xfr->buf.length);
- if (xfr->txmem != NULL)
- isc_mem_put(xfr->mctx, xfr->txmem, xfr->txmemlen);
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
- if (xfr->quota != NULL)
- isc_quota_detach(&xfr->quota);
- if (xfr->ver != NULL)
- dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
- if (xfr->db != NULL)
- dns_db_detach(&xfr->db);
-
- ns_client_detach(&xfr->client);
-
- isc_mem_put(xfr->mctx, xfr, sizeof(*xfr));
-
- *xfrp = NULL;
-}
-
-static void
-xfrout_senddone(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sev = (isc_socketevent_t *)event;
- xfrout_ctx_t *xfr = (xfrout_ctx_t *)event->ev_arg;
- isc_result_t evresult = sev->result;
-
- UNUSED(task);
-
- INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
- isc_event_free(&event);
- xfr->sends--;
- INSIST(xfr->sends == 0);
-
- (void)isc_timer_touch(xfr->client->timer);
- if (xfr->shuttingdown == ISC_TRUE) {
- xfrout_maybe_destroy(xfr);
- } else if (evresult != ISC_R_SUCCESS) {
- xfrout_fail(xfr, evresult, "send");
- } else if (xfr->end_of_stream == ISC_FALSE) {
- sendstream(xfr);
- } else {
- /* End of zone transfer stream. */
- xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic);
- ns_client_next(xfr->client, ISC_R_SUCCESS);
- xfrout_ctx_destroy(&xfr);
- }
-}
-
-static void
-xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg) {
- xfr->shuttingdown = ISC_TRUE;
- xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s",
- msg, isc_result_totext(result));
- xfrout_maybe_destroy(xfr);
-}
-
-static void
-xfrout_maybe_destroy(xfrout_ctx_t *xfr) {
- INSIST(xfr->shuttingdown == ISC_TRUE);
- if (xfr->sends > 0) {
- /*
- * If we are currently sending, cancel it and wait for
- * cancel event before destroying the context.
- */
- isc_socket_cancel(xfr->client->tcpsocket, xfr->client->task,
- ISC_SOCKCANCEL_SEND);
- } else {
- ns_client_next(xfr->client, ISC_R_CANCELED);
- xfrout_ctx_destroy(&xfr);
- }
-}
-
-static void
-xfrout_client_shutdown(void *arg, isc_result_t result) {
- xfrout_ctx_t *xfr = (xfrout_ctx_t *) arg;
- xfrout_fail(xfr, result, "aborted");
-}
-
-/*
- * Log outgoing zone transfer messages in a format like
- * <client>: transfer of <zone>: <message>
- */
-
-static void
-xfrout_logv(ns_client_t *client, dns_name_t *zonename,
- dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
- ISC_FORMAT_PRINTF(5, 0);
-
-static void
-xfrout_logv(ns_client_t *client, dns_name_t *zonename,
- dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
-{
- char msgbuf[2048];
- char namebuf[DNS_NAME_FORMATSIZE];
- char classbuf[DNS_RDATACLASS_FORMATSIZE];
-
- dns_name_format(zonename, namebuf, sizeof(namebuf));
- dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
- NS_LOGMODULE_XFER_OUT, level,
- "transfer of '%s/%s': %s", namebuf, classbuf, msgbuf);
-}
-
-/*
- * Logging function for use when a xfrout_ctx_t has not yet been created.
- */
-static void
-xfrout_log1(ns_client_t *client, dns_name_t *zonename,
- dns_rdataclass_t rdclass, int level, const char *fmt, ...) {
- va_list ap;
- va_start(ap, fmt);
- xfrout_logv(client, zonename, rdclass, level, fmt, ap);
- va_end(ap);
-}
-
-/*
- * Logging function for use when there is a xfrout_ctx_t.
- */
-static void
-xfrout_log(xfrout_ctx_t *xfr, int level, const char *fmt, ...) {
- va_list ap;
- va_start(ap, fmt);
- xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap);
- va_end(ap);
-}
diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c
deleted file mode 100644
index 41ce69d6a627..000000000000
--- a/contrib/bind9/bin/named/zoneconf.c
+++ /dev/null
@@ -1,742 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zoneconf.c,v 1.87.2.4.10.15 2005/09/06 02:12:39 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/name.h>
-#include <dns/rdatatype.h>
-#include <dns/ssu.h>
-#include <dns/view.h>
-#include <dns/zone.h>
-
-#include <named/config.h>
-#include <named/globals.h>
-#include <named/log.h>
-#include <named/server.h>
-#include <named/zoneconf.h>
-
-/*
- * These are BIND9 server defaults, not necessarily identical to the
- * library defaults defined in zone.c.
- */
-#define RETERR(x) do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-/*
- * Convenience function for configuring a single zone ACL.
- */
-static isc_result_t
-configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
- const char *aclname, ns_aclconfctx_t *actx,
- dns_zone_t *zone,
- void (*setzacl)(dns_zone_t *, dns_acl_t *),
- void (*clearzacl)(dns_zone_t *))
-{
- isc_result_t result;
- cfg_obj_t *maps[4];
- cfg_obj_t *aclobj = NULL;
- int i = 0;
- dns_acl_t *dacl = NULL;
-
- if (zconfig != NULL)
- maps[i++] = cfg_tuple_get(zconfig, "options");
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- if (config != NULL) {
- cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- maps[i++] = options;
- }
- maps[i] = NULL;
-
- result = ns_config_get(maps, aclname, &aclobj);
- if (aclobj == NULL) {
- (*clearzacl)(zone);
- return (ISC_R_SUCCESS);
- }
-
- result = ns_acl_fromconfig(aclobj, config, actx,
- dns_zone_getmctx(zone), &dacl);
- if (result != ISC_R_SUCCESS)
- return (result);
- (*setzacl)(zone, dacl);
- dns_acl_detach(&dacl);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Parse the zone update-policy statement.
- */
-static isc_result_t
-configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
- cfg_obj_t *updatepolicy = NULL;
- cfg_listelt_t *element, *element2;
- dns_ssutable_t *table = NULL;
- isc_mem_t *mctx = dns_zone_getmctx(zone);
- isc_result_t result;
-
- (void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
- if (updatepolicy == NULL)
- return (ISC_R_SUCCESS);
-
- result = dns_ssutable_create(mctx, &table);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- for (element = cfg_list_first(updatepolicy);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *stmt = cfg_listelt_value(element);
- cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
- cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
- cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
- cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
- cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
- char *str;
- isc_boolean_t grant = ISC_FALSE;
- unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
- dns_fixedname_t fname, fident;
- isc_buffer_t b;
- dns_rdatatype_t *types;
- unsigned int i, n;
-
- str = cfg_obj_asstring(mode);
- if (strcasecmp(str, "grant") == 0)
- grant = ISC_TRUE;
- else if (strcasecmp(str, "deny") == 0)
- grant = ISC_FALSE;
- else
- INSIST(0);
-
- str = cfg_obj_asstring(matchtype);
- if (strcasecmp(str, "name") == 0)
- mtype = DNS_SSUMATCHTYPE_NAME;
- else if (strcasecmp(str, "subdomain") == 0)
- mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
- else if (strcasecmp(str, "wildcard") == 0)
- mtype = DNS_SSUMATCHTYPE_WILDCARD;
- else if (strcasecmp(str, "self") == 0)
- mtype = DNS_SSUMATCHTYPE_SELF;
- else
- INSIST(0);
-
- dns_fixedname_init(&fident);
- str = cfg_obj_asstring(identity);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- goto cleanup;
- }
-
- dns_fixedname_init(&fname);
- str = cfg_obj_asstring(dname);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid name", str);
- goto cleanup;
- }
-
- n = ns_config_listcount(typelist);
- if (n == 0)
- types = NULL;
- else {
- types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
- if (types == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- }
-
- i = 0;
- for (element2 = cfg_list_first(typelist);
- element2 != NULL;
- element2 = cfg_list_next(element2))
- {
- cfg_obj_t *typeobj;
- isc_textregion_t r;
-
- INSIST(i < n);
-
- typeobj = cfg_listelt_value(element2);
- str = cfg_obj_asstring(typeobj);
- r.base = str;
- r.length = strlen(str);
-
- result = dns_rdatatype_fromtext(&types[i++], &r);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
- "'%s' is not a valid type", str);
- isc_mem_put(mctx, types,
- n * sizeof(dns_rdatatype_t));
- goto cleanup;
- }
- }
- INSIST(i == n);
-
- result = dns_ssutable_addrule(table, grant,
- dns_fixedname_name(&fident),
- mtype,
- dns_fixedname_name(&fname),
- n, types);
- if (types != NULL)
- isc_mem_put(mctx, types, n * sizeof(dns_rdatatype_t));
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
-
- }
-
- result = ISC_R_SUCCESS;
- dns_zone_setssutable(zone, table);
-
- cleanup:
- dns_ssutable_detach(&table);
- return (result);
-}
-
-/*
- * Convert a config file zone type into a server zone type.
- */
-static inline dns_zonetype_t
-zonetype_fromconfig(cfg_obj_t *map) {
- cfg_obj_t *obj = NULL;
- isc_result_t result;
-
- result = cfg_map_get(map, "type", &obj);
- INSIST(result == ISC_R_SUCCESS);
- return (ns_config_getzonetype(obj));
-}
-
-/*
- * Helper function for strtoargv(). Pardon the gratuitous recursion.
- */
-static isc_result_t
-strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
- char ***argvp, unsigned int n)
-{
- isc_result_t result;
-
- /* Discard leading whitespace. */
- while (*s == ' ' || *s == '\t')
- s++;
-
- if (*s == '\0') {
- /* We have reached the end of the string. */
- *argcp = n;
- *argvp = isc_mem_get(mctx, n * sizeof(char *));
- if (*argvp == NULL)
- return (ISC_R_NOMEMORY);
- } else {
- char *p = s;
- while (*p != ' ' && *p != '\t' && *p != '\0')
- p++;
- if (*p != '\0')
- *p++ = '\0';
-
- result = strtoargvsub(mctx, p, argcp, argvp, n + 1);
- if (result != ISC_R_SUCCESS)
- return (result);
- (*argvp)[n] = s;
- }
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Tokenize the string "s" into whitespace-separated words,
- * return the number of words in '*argcp' and an array
- * of pointers to the words in '*argvp'. The caller
- * must free the array using isc_mem_put(). The string
- * is modified in-place.
- */
-static isc_result_t
-strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
- return (strtoargvsub(mctx, s, argcp, argvp, 0));
-}
-
-static void
-checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) {
- const char *zone = NULL;
- isc_result_t result;
-
- switch (ztype) {
- case dns_zone_slave: zone = "slave"; break;
- case dns_zone_master: zone = "master"; break;
- default:
- INSIST(0);
- }
- result = ns_checknames_get(maps, zone, objp);
- INSIST(result == ISC_R_SUCCESS);
-}
-
-isc_result_t
-ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
- ns_aclconfctx_t *ac, dns_zone_t *zone)
-{
- isc_result_t result;
- char *zname;
- dns_rdataclass_t zclass;
- dns_rdataclass_t vclass;
- cfg_obj_t *maps[5];
- cfg_obj_t *zoptions = NULL;
- cfg_obj_t *options = NULL;
- cfg_obj_t *obj;
- const char *filename = NULL;
- dns_notifytype_t notifytype = dns_notifytype_yes;
- isc_sockaddr_t *addrs;
- dns_name_t **keynames;
- isc_uint32_t count;
- char *cpval;
- unsigned int dbargc;
- char **dbargv;
- static char default_dbtype[] = "rbt";
- isc_mem_t *mctx = dns_zone_getmctx(zone);
- dns_dialuptype_t dialup = dns_dialuptype_no;
- dns_zonetype_t ztype;
- int i;
- isc_int32_t journal_size;
- isc_boolean_t multi;
- isc_boolean_t alt;
- dns_view_t *view;
- isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
-
- i = 0;
- if (zconfig != NULL) {
- zoptions = cfg_tuple_get(zconfig, "options");
- maps[i++] = zoptions;
- }
- if (vconfig != NULL)
- maps[i++] = cfg_tuple_get(vconfig, "options");
- if (config != NULL) {
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- maps[i++] = options;
- }
- maps[i++] = ns_g_defaults;
- maps[i++] = NULL;
-
- if (vconfig != NULL)
- RETERR(ns_config_getclass(cfg_tuple_get(vconfig, "class"),
- dns_rdataclass_in, &vclass));
- else
- vclass = dns_rdataclass_in;
-
- /*
- * Configure values common to all zone types.
- */
-
- zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-
- RETERR(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
- vclass, &zclass));
- dns_zone_setclass(zone, zclass);
-
- ztype = zonetype_fromconfig(zoptions);
- dns_zone_settype(zone, ztype);
-
- obj = NULL;
- result = cfg_map_get(zoptions, "database", &obj);
- if (result == ISC_R_SUCCESS)
- cpval = isc_mem_strdup(mctx, cfg_obj_asstring(obj));
- else
- cpval = default_dbtype;
-
- if (cpval == NULL)
- return(ISC_R_NOMEMORY);
-
- result = strtoargv(mctx, cpval, &dbargc, &dbargv);
- if (result != ISC_R_SUCCESS && cpval != default_dbtype) {
- isc_mem_free(mctx, cpval);
- return (result);
- }
-
- /*
- * ANSI C is strange here. There is no logical reason why (char **)
- * cannot be promoted automatically to (const char * const *) by the
- * compiler w/o generating a warning.
- */
- result = dns_zone_setdbtype(zone, dbargc, (const char * const *)dbargv);
- isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
- if (cpval != default_dbtype)
- isc_mem_free(mctx, cpval);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- obj = NULL;
- result = cfg_map_get(zoptions, "file", &obj);
- if (result == ISC_R_SUCCESS)
- filename = cfg_obj_asstring(obj);
- RETERR(dns_zone_setfile(zone, filename));
-
- if (ztype == dns_zone_slave)
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-notify", ac, zone,
- dns_zone_setnotifyacl,
- dns_zone_clearnotifyacl));
- /*
- * XXXAG This probably does not make sense for stubs.
- */
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-query", ac, zone,
- dns_zone_setqueryacl,
- dns_zone_clearqueryacl));
-
- obj = NULL;
- result = ns_config_get(maps, "dialup", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isboolean(obj)) {
- if (cfg_obj_asboolean(obj))
- dialup = dns_dialuptype_yes;
- else
- dialup = dns_dialuptype_no;
- } else {
- char *dialupstr = cfg_obj_asstring(obj);
- if (strcasecmp(dialupstr, "notify") == 0)
- dialup = dns_dialuptype_notify;
- else if (strcasecmp(dialupstr, "notify-passive") == 0)
- dialup = dns_dialuptype_notifypassive;
- else if (strcasecmp(dialupstr, "refresh") == 0)
- dialup = dns_dialuptype_refresh;
- else if (strcasecmp(dialupstr, "passive") == 0)
- dialup = dns_dialuptype_passive;
- else
- INSIST(0);
- }
- dns_zone_setdialup(zone, dialup);
-
- obj = NULL;
- result = ns_config_get(maps, "zone-statistics", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setstatistics(zone, cfg_obj_asboolean(obj)));
-
- /*
- * Configure master functionality. This applies
- * to primary masters (type "master") and slaves
- * acting as masters (type "slave"), but not to stubs.
- */
- if (ztype != dns_zone_stub) {
- obj = NULL;
- result = ns_config_get(maps, "notify", &obj);
- INSIST(result == ISC_R_SUCCESS);
- if (cfg_obj_isboolean(obj)) {
- if (cfg_obj_asboolean(obj))
- notifytype = dns_notifytype_yes;
- else
- notifytype = dns_notifytype_no;
- } else {
- char *notifystr = cfg_obj_asstring(obj);
- if (strcasecmp(notifystr, "explicit") == 0)
- notifytype = dns_notifytype_explicit;
- else
- INSIST(0);
- }
- dns_zone_setnotifytype(zone, notifytype);
-
- obj = NULL;
- result = ns_config_get(maps, "also-notify", &obj);
- if (result == ISC_R_SUCCESS) {
- isc_sockaddr_t *addrs = NULL;
- isc_uint32_t addrcount;
- result = ns_config_getiplist(config, obj, 0, mctx,
- &addrs, &addrcount);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_zone_setalsonotify(zone, addrs,
- addrcount);
- ns_config_putiplist(mctx, &addrs, addrcount);
- if (result != ISC_R_SUCCESS)
- return (result);
- } else
- RETERR(dns_zone_setalsonotify(zone, NULL, 0));
-
- obj = NULL;
- result = ns_config_get(maps, "notify-source", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "notify-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-transfer", ac, zone,
- dns_zone_setxfracl,
- dns_zone_clearxfracl));
-
- obj = NULL;
- result = ns_config_get(maps, "max-transfer-time-out", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-transfer-idle-out", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-journal-size", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setjournalsize(zone, -1);
- if (cfg_obj_isstring(obj)) {
- const char *str = cfg_obj_asstring(obj);
- INSIST(strcasecmp(str, "unlimited") == 0);
- journal_size = ISC_UINT32_MAX / 2;
- } else {
- isc_resourcevalue_t value;
- value = cfg_obj_asuint64(obj);
- if (value > ISC_UINT32_MAX / 2) {
- cfg_obj_log(obj, ns_g_lctx,
- ISC_LOG_ERROR,
- "'max-journal-size "
- "%" ISC_PRINT_QUADFORMAT "d' "
- "is too large",
- value);
- RETERR(ISC_R_RANGE);
- }
- journal_size = (isc_uint32_t)value;
- }
- dns_zone_setjournalsize(zone, journal_size);
-
- obj = NULL;
- result = ns_config_get(maps, "ixfr-from-differences", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
- cfg_obj_asboolean(obj));
-
- checknames(ztype, maps, &obj);
- INSIST(obj != NULL);
- if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
- fail = ISC_FALSE;
- check = ISC_TRUE;
- } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
- fail = check = ISC_TRUE;
- } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
- fail = check = ISC_FALSE;
- } else
- INSIST(0);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
- dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
- }
-
- /*
- * Configure update-related options. These apply to
- * primary masters only.
- */
- if (ztype == dns_zone_master) {
- dns_acl_t *updateacl;
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-update", ac, zone,
- dns_zone_setupdateacl,
- dns_zone_clearupdateacl));
-
- updateacl = dns_zone_getupdateacl(zone);
- if (updateacl != NULL && dns_acl_isinsecure(updateacl))
- isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
- "zone '%s' allows updates by IP "
- "address, which is insecure",
- zname);
-
- RETERR(configure_zone_ssutable(zoptions, zone));
-
- obj = NULL;
- result = ns_config_get(maps, "sig-validity-interval", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setsigvalidityinterval(zone,
- cfg_obj_asuint32(obj) * 86400);
-
- obj = NULL;
- result = ns_config_get(maps, "key-directory", &obj);
- if (result == ISC_R_SUCCESS) {
- filename = cfg_obj_asstring(obj);
- if (!isc_file_isabsolute(filename)) {
- cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
- "key-directory '%s' "
- "is not absolute", filename);
- return (ISC_R_FAILURE);
- }
- RETERR(dns_zone_setkeydirectory(zone, filename));
- }
-
- } else if (ztype == dns_zone_slave) {
- RETERR(configure_zone_acl(zconfig, vconfig, config,
- "allow-update-forwarding", ac, zone,
- dns_zone_setforwardacl,
- dns_zone_clearforwardacl));
- }
-
- /*
- * Configure slave functionality.
- */
- switch (ztype) {
- case dns_zone_slave:
- case dns_zone_stub:
- obj = NULL;
- result = cfg_map_get(zoptions, "masters", &obj);
- if (obj != NULL) {
- addrs = NULL;
- keynames = NULL;
- RETERR(ns_config_getipandkeylist(config, obj, mctx,
- &addrs, &keynames,
- &count));
- result = dns_zone_setmasterswithkeys(zone, addrs,
- keynames, count);
- ns_config_putipandkeylist(mctx, &addrs, &keynames,
- count);
- } else
- result = dns_zone_setmasters(zone, NULL, 0);
- RETERR(result);
-
- multi = ISC_FALSE;
- if (count > 1) {
- obj = NULL;
- result = ns_config_get(maps, "multi-master", &obj);
- INSIST(result == ISC_R_SUCCESS);
- multi = cfg_obj_asboolean(obj);
- }
- dns_zone_setoption(zone, DNS_ZONEOPT_MULTIMASTER, multi);
-
- obj = NULL;
- result = ns_config_get(maps, "max-transfer-time-in", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setmaxxfrin(zone, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-transfer-idle-in", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setidlein(zone, cfg_obj_asuint32(obj) * 60);
-
- obj = NULL;
- result = ns_config_get(maps, "max-refresh-time", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setmaxrefreshtime(zone, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "min-refresh-time", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setminrefreshtime(zone, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "max-retry-time", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setmaxretrytime(zone, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "min-retry-time", &obj);
- INSIST(result == ISC_R_SUCCESS);
- dns_zone_setminretrytime(zone, cfg_obj_asuint32(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "transfer-source", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj)));
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "transfer-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj)));
- ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
-
- obj = NULL;
- result = ns_config_get(maps, "alt-transfer-source", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setaltxfrsource4(zone, cfg_obj_assockaddr(obj)));
-
- obj = NULL;
- result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
- INSIST(result == ISC_R_SUCCESS);
- RETERR(dns_zone_setaltxfrsource6(zone, cfg_obj_assockaddr(obj)));
-
- obj = NULL;
- (void)ns_config_get(maps, "use-alt-transfer-source", &obj);
- if (obj == NULL) {
- /*
- * Default off when views are in use otherwise
- * on for BIND 8 compatibility.
- */
- view = dns_zone_getview(zone);
- if (view != NULL && strcmp(view->name, "_default") == 0)
- alt = ISC_TRUE;
- else
- alt = ISC_FALSE;
- } else
- alt = cfg_obj_asboolean(obj);
- dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
-
- break;
-
- default:
- break;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig) {
- cfg_obj_t *zoptions = NULL;
- cfg_obj_t *obj = NULL;
- const char *cfilename;
- const char *zfilename;
-
- zoptions = cfg_tuple_get(zconfig, "options");
-
- if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone))
- return (ISC_FALSE);
-
- obj = NULL;
- (void)cfg_map_get(zoptions, "file", &obj);
- if (obj != NULL)
- cfilename = cfg_obj_asstring(obj);
- else
- cfilename = NULL;
- zfilename = dns_zone_getfile(zone);
- if (!((cfilename == NULL && zfilename == NULL) ||
- (cfilename != NULL && zfilename != NULL &&
- strcmp(cfilename, zfilename) == 0)))
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in
deleted file mode 100644
index 2652628768da..000000000000
--- a/contrib/bind9/bin/nsupdate/Makefile.in
+++ /dev/null
@@ -1,83 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.15.12.10 2004/07/20 07:01:49 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
- ${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-LWRESLIBS = ../../lib/lwres/liblwres.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS = ../../lib/bind9/libbind9.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-
-LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-
-DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
-
-LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
-
-SUBDIRS =
-
-TARGETS = nsupdate@EXEEXT@
-
-OBJS = nsupdate.@O@
-
-UOBJS =
-
-SRCS = nsupdate.c
-
-MANPAGES = nsupdate.8
-
-HTMLPAGES = nsupdate.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-@BIND9_MAKE_RULES@
-
-nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-clean distclean::
- rm -f ${TARGETS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
-
-install:: nsupdate@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate@EXEEXT@ ${DESTDIR}${bindir}
- ${INSTALL_DATA} ${srcdir}/nsupdate.8 ${DESTDIR}${mandir}/man8
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.8 b/contrib/bind9/bin/nsupdate/nsupdate.8
deleted file mode 100644
index 602a55b18310..000000000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.8
+++ /dev/null
@@ -1,298 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: nsupdate.8,v 1.24.2.2.2.8 2005/10/13 02:33:48 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-nsupdate \- Dynamic DNS update utility
-.SH "SYNOPSIS"
-.HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fIkeyname:secret\fR\fR] [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
-.SH "DESCRIPTION"
-.PP
-\fBnsupdate\fR
-is used to submit Dynamic DNS Update requests as defined in RFC2136 to a name server. This allows resource records to be added or removed from a zone without manually editing the zone file. A single update request can contain requests to add or remove more than one resource record.
-.PP
-Zones that are under dynamic control via
-\fBnsupdate\fR
-or a DHCP server should not be edited by hand. Manual edits could conflict with dynamic updates and cause data to be lost.
-.PP
-The resource records that are dynamically added or removed with
-\fBnsupdate\fR
-have to be in the same zone. Requests are sent to the zone's master server. This is identified by the MNAME field of the zone's SOA record.
-.PP
-The
-\fB\-d\fR
-option makes
-\fBnsupdate\fR
-operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
-.PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to
-\fBnsupdate\fR
-and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance suitable
-\fBkey\fR
-and
-\fBserver\fR
-statements would be added to
-\fI/etc/named.conf\fR
-so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
-\fBnsupdate\fR
-does not read
-\fI/etc/named.conf\fR.
-.PP
-\fBnsupdate\fR
-uses the
-\fB\-y\fR
-or
-\fB\-k\fR
-option (with an HMAC\-MD5 key) to provide the shared secret needed to generate a TSIG record for authenticating Dynamic DNS update requests. These options are mutually exclusive. With the
-\fB\-k\fR
-option,
-\fBnsupdate\fR
-reads the shared secret from the file
-\fIkeyfile\fR, whose name is of the form
-\fIK{name}.+157.+{random}.private\fR. For historical reasons, the file
-\fIK{name}.+157.+{random}.key\fR
-must also be present. When the
-\fB\-y\fR
-option is used, a signature is generated from
-\fIkeyname:secret.\fR\fIkeyname\fR
-is the name of the key, and
-\fIsecret\fR
-is the base64 encoded shared secret. Use of the
-\fB\-y\fR
-option is discouraged because the shared secret is supplied as a command line argument in clear text. This may be visible in the output from
-\fBps\fR(1 )
-or in a history file maintained by the user's shell.
-.PP
-The
-\fB\-k\fR
-may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
-.PP
-By default
-\fBnsupdate\fR
-uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
-\fB\-v\fR
-option makes
-\fBnsupdate\fR
-use a TCP connection. This may be preferable when a batch of update requests is made.
-.PP
-The
-\fB\-t\fR
-option sets the maximum time a update request can take before it is aborted. The default is 300 seconds. Zero can be used to disable the timeout.
-.PP
-The
-\fB\-u\fR
-option sets the UDP retry interval. The default is 3 seconds. If zero the interval will be computed from the timeout interval and number of UDP retries.
-.PP
-The
-\fB\-r\fR
-option sets the number of UDP retries. The default is 3. If zero only one update request will be made.
-.SH "INPUT FORMAT"
-.PP
-\fBnsupdate\fR
-reads input from
-\fIfilename\fR
-or standard input. Each command is supplied on exactly one line of input. Some commands are for administrative purposes. The others are either update instructions or prerequisite checks on the contents of the zone. These checks set conditions that some name or set of resource records (RRset) either exists or is absent from the zone. These conditions must be met if the entire update request is to succeed. Updates will be rejected if the tests for the prerequisite conditions fail.
-.PP
-Every update request consists of zero or more prerequisites and zero or more updates. This allows a suitably authenticated update request to proceed if some specified resource records are present or missing from the zone. A blank input line (or the
-\fBsend\fR
-command) causes the accumulated commands to be sent as one Dynamic DNS update request to the name server.
-.PP
-The command formats and their meaning are as follows:
-.TP
-.HP 7 \fBserver\fR {servername} [port]
-Sends all dynamic update requests to the name server
-\fIservername\fR. When no server statement is provided,
-\fBnsupdate\fR
-will send updates to the master server of the correct zone. The MNAME field of that zone's SOA record will identify the master server for that zone.
-\fIport\fR
-is the port number on
-\fIservername\fR
-where the dynamic update requests get sent. If no port number is specified, the default DNS port number of 53 is used.
-.TP
-.HP 6 \fBlocal\fR {address} [port]
-Sends all dynamic update requests using the local
-\fIaddress\fR. When no local statement is provided,
-\fBnsupdate\fR
-will send updates using an address and port chosen by the system.
-\fIport\fR
-can additionally be used to make requests come from a specific port. If no port number is specified, the system will assign one.
-.TP
-.HP 5 \fBzone\fR {zonename}
-Specifies that all updates are to be made to the zone
-\fIzonename\fR. If no
-\fIzone\fR
-statement is provided,
-\fBnsupdate\fR
-will attempt determine the correct zone to update based on the rest of the input.
-.TP
-.HP 6 \fBclass\fR {classname}
-Specify the default class. If no
-\fIclass\fR
-is specified the default class is
-\fIIN\fR.
-.TP
-.HP 4 \fBkey\fR {name} {secret}
-Specifies that all updates are to be TSIG signed using the
-\fIkeyname\fR\fIkeysecret\fR
-pair. The
-\fBkey\fR
-command overrides any key specified on the command line via
-\fB\-y\fR
-or
-\fB\-k\fR.
-.TP
-.HP 16 \fBprereq nxdomain\fR {domain\-name}
-Requires that no resource record of any type exists with name
-\fIdomain\-name\fR.
-.TP
-.HP 16 \fBprereq yxdomain\fR {domain\-name}
-Requires that
-\fIdomain\-name\fR
-exists (has as at least one resource record, of any type).
-.TP
-.HP 15 \fBprereq nxrrset\fR {domain\-name} [class] {type}
-Requires that no resource record exists of the specified
-\fItype\fR,
-\fIclass\fR
-and
-\fIdomain\-name\fR. If
-\fIclass\fR
-is omitted, IN (internet) is assumed.
-.TP
-.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type}
-This requires that a resource record of the specified
-\fItype\fR,
-\fIclass\fR
-and
-\fIdomain\-name\fR
-must exist. If
-\fIclass\fR
-is omitted, IN (internet) is assumed.
-.TP
-.HP 15 \fBprereq yxrrset\fR {domain\-name} [class] {type} {data...}
-The
-\fIdata\fR
-from each set of prerequisites of this form sharing a common
-\fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR
-are combined to form a set of RRs. This set of RRs must exactly match the set of RRs existing in the zone at the given
-\fItype\fR,
-\fIclass\fR, and
-\fIdomain\-name\fR. The
-\fIdata\fR
-are written in the standard text representation of the resource record's RDATA.
-.TP
-.HP 14 \fBupdate delete\fR {domain\-name} [ttl] [class] [type\ [data...]]
-Deletes any resource records named
-\fIdomain\-name\fR. If
-\fItype\fR
-and
-\fIdata\fR
-is provided, only matching resource records will be removed. The internet class is assumed if
-\fIclass\fR
-is not supplied. The
-\fIttl\fR
-is ignored, and is only allowed for compatibility.
-.TP
-.HP 11 \fBupdate add\fR {domain\-name} {ttl} [class] {type} {data...}
-Adds a new resource record with the specified
-\fIttl\fR,
-\fIclass\fR
-and
-\fIdata\fR.
-.TP
-.HP 5 \fBshow\fR
-Displays the current message, containing all of the prerequisites and updates specified since the last send.
-.TP
-.HP 5 \fBsend\fR
-Sends the current message. This is equivalent to entering a blank line.
-.TP
-.HP 7 \fBanswer\fR
-Displays the answer.
-.PP
-Lines beginning with a semicolon are comments and are ignored.
-.SH "EXAMPLES"
-.PP
-The examples below show how
-\fBnsupdate\fR
-could be used to insert and delete resource records from the
-\fBexample.com\fR
-zone. Notice that the input in each example contains a trailing blank line so that a group of commands are sent as one dynamic update request to the master name server for
-\fBexample.com\fR.
-.sp
-.nf
-# nsupdate
-> update delete oldhost.example.com A
-> update add newhost.example.com 86400 A 172.16.1.1
-> send
-.fi
-.sp
-.PP
-Any A records for
-\fBoldhost.example.com\fR
-are deleted. and an A record for
-\fBnewhost.example.com\fR
-it IP address 172.16.1.1 is added. The newly\-added record has a 1 day TTL (86400 seconds)
-.sp
-.nf
-# nsupdate
-> prereq nxdomain nickname.example.com
-> update add nickname.example.com 86400 CNAME somehost.example.com
-> send
-.fi
-.sp
-.PP
-The prerequisite condition gets the name server to check that there are no resource records of any type for
-\fBnickname.example.com\fR. If there are, the update request fails. If this name does not exist, a CNAME for it is added. This ensures that when the CNAME is added, it cannot conflict with the long\-standing rule in RFC1034 that a name must not exist as any other record type if it exists as a CNAME. (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have RRSIG, DNSKEY and NSEC records.)
-.SH "FILES"
-.TP
-\fB/etc/resolv.conf\fR
-used to identify default name server
-.TP
-\fBK{name}.+157.+{random}.key\fR
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.TP
-\fBK{name}.+157.+{random}.private\fR
-base\-64 encoding of HMAC\-MD5 key created by
-\fBdnssec\-keygen\fR(8).
-.SH "SEE ALSO"
-.PP
-\fBRFC2136\fR(),
-\fBRFC3007\fR(),
-\fBRFC2104\fR(),
-\fBRFC2845\fR(),
-\fBRFC1034\fR(),
-\fBRFC2535\fR(),
-\fBRFC2931\fR(),
-\fBnamed\fR(8),
-\fBdnssec\-keygen\fR(8).
-.SH "BUGS"
-.PP
-The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c
deleted file mode 100644
index 7c728b6db950..000000000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.c
+++ /dev/null
@@ -1,1986 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsupdate.c,v 1.103.2.15.2.20 2005/03/17 03:58:26 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/app.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/event.h>
-#include <isc/hash.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/parseint.h>
-#include <isc/region.h>
-#include <isc/sockaddr.h>
-#include <isc/socket.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/dispatch.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/request.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#include <dst/dst.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-
-#include <bind9/getaddresses.h>
-
-#ifdef HAVE_ADDRINFO
-#ifdef HAVE_GETADDRINFO
-#ifdef HAVE_GAISTRERROR
-#define USE_GETADDRINFO
-#endif
-#endif
-#endif
-
-#ifndef USE_GETADDRINFO
-#ifndef ISC_PLATFORM_NONSTDHERRNO
-extern int h_errno;
-#endif
-#endif
-
-#define MAXCMD (4 * 1024)
-#define MAXWIRE (64 * 1024)
-#define PACKETSIZE ((64 * 1024) - 1)
-#define INITTEXT (2 * 1024)
-#define MAXTEXT (128 * 1024)
-#define FIND_TIMEOUT 5
-#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. */
-
-#define DNSDEFAULTPORT 53
-
-#ifndef RESOLV_CONF
-#define RESOLV_CONF "/etc/resolv.conf"
-#endif
-
-static isc_boolean_t debugging = ISC_FALSE, ddebugging = ISC_FALSE;
-static isc_boolean_t memdebugging = ISC_FALSE;
-static isc_boolean_t have_ipv4 = ISC_FALSE;
-static isc_boolean_t have_ipv6 = ISC_FALSE;
-static isc_boolean_t is_dst_up = ISC_FALSE;
-static isc_boolean_t usevc = ISC_FALSE;
-static isc_taskmgr_t *taskmgr = NULL;
-static isc_task_t *global_task = NULL;
-static isc_event_t *global_event = NULL;
-static isc_mem_t *mctx = NULL;
-static dns_dispatchmgr_t *dispatchmgr = NULL;
-static dns_requestmgr_t *requestmgr = NULL;
-static isc_socketmgr_t *socketmgr = NULL;
-static isc_timermgr_t *timermgr = NULL;
-static dns_dispatch_t *dispatchv4 = NULL;
-static dns_dispatch_t *dispatchv6 = NULL;
-static dns_message_t *updatemsg = NULL;
-static dns_fixedname_t fuserzone;
-static dns_name_t *userzone = NULL;
-static dns_tsigkey_t *tsigkey = NULL;
-static dst_key_t *sig0key;
-static lwres_context_t *lwctx = NULL;
-static lwres_conf_t *lwconf;
-static isc_sockaddr_t *servers;
-static int ns_inuse = 0;
-static int ns_total = 0;
-static isc_sockaddr_t *userserver = NULL;
-static isc_sockaddr_t *localaddr = NULL;
-static char *keystr = NULL, *keyfile = NULL;
-static isc_entropy_t *entp = NULL;
-static isc_boolean_t shuttingdown = ISC_FALSE;
-static FILE *input;
-static isc_boolean_t interactive = ISC_TRUE;
-static isc_boolean_t seenerror = ISC_FALSE;
-static const dns_master_style_t *style;
-static int requests = 0;
-static unsigned int timeout = 300;
-static unsigned int udp_timeout = 3;
-static unsigned int udp_retries = 3;
-static dns_rdataclass_t defaultclass = dns_rdataclass_in;
-static dns_rdataclass_t zoneclass = dns_rdataclass_none;
-static dns_message_t *answer = NULL;
-
-typedef struct nsu_requestinfo {
- dns_message_t *msg;
- isc_sockaddr_t *addr;
-} nsu_requestinfo_t;
-
-static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_message_t *msg, dns_request_t **request);
-static void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-static void
-debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-static void
-ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-#define STATUS_MORE (isc_uint16_t)0
-#define STATUS_SEND (isc_uint16_t)1
-#define STATUS_QUIT (isc_uint16_t)2
-#define STATUS_SYNTAX (isc_uint16_t)3
-
-static dns_rdataclass_t
-getzoneclass(void) {
- if (zoneclass == dns_rdataclass_none)
- zoneclass = defaultclass;
- return (zoneclass);
-}
-
-static isc_boolean_t
-setzoneclass(dns_rdataclass_t rdclass) {
- if (zoneclass == dns_rdataclass_none ||
- rdclass == dns_rdataclass_none)
- zoneclass = rdclass;
- if (zoneclass != rdclass)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-static void
-fatal(const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- exit(1);
-}
-
-static void
-debug(const char *format, ...) {
- va_list args;
-
- if (debugging) {
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- }
-}
-
-static void
-ddebug(const char *format, ...) {
- va_list args;
-
- if (ddebugging) {
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- }
-}
-
-static inline void
-check_result(isc_result_t result, const char *msg) {
- if (result != ISC_R_SUCCESS)
- fatal("%s: %s", msg, isc_result_totext(result));
-}
-
-static void *
-mem_alloc(void *arg, size_t size) {
- return (isc_mem_get(arg, size));
-}
-
-static void
-mem_free(void *arg, void *mem, size_t size) {
- isc_mem_put(arg, mem, size);
-}
-
-static char *
-nsu_strsep(char **stringp, const char *delim) {
- char *string = *stringp;
- char *s;
- const char *d;
- char sc, dc;
-
- if (string == NULL)
- return (NULL);
-
- for (; *string != '\0'; string++) {
- sc = *string;
- for (d = delim; (dc = *d) != '\0'; d++) {
- if (sc == dc)
- break;
- }
- if (dc == 0)
- break;
- }
-
- for (s = string; *s != '\0'; s++) {
- sc = *s;
- for (d = delim; (dc = *d) != '\0'; d++) {
- if (sc == dc) {
- *s++ = '\0';
- *stringp = s;
- return (string);
- }
- }
- }
- *stringp = NULL;
- return (string);
-}
-
-static void
-reset_system(void) {
- isc_result_t result;
-
- ddebug("reset_system()");
- /* If the update message is still around, destroy it */
- if (updatemsg != NULL)
- dns_message_reset(updatemsg, DNS_MESSAGE_INTENTRENDER);
- else {
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
- &updatemsg);
- check_result(result, "dns_message_create");
- }
- updatemsg->opcode = dns_opcode_update;
-}
-
-static void
-setup_keystr(void) {
- unsigned char *secret = NULL;
- int secretlen;
- isc_buffer_t secretbuf;
- isc_result_t result;
- isc_buffer_t keynamesrc;
- char *secretstr;
- char *s;
- dns_fixedname_t fkeyname;
- dns_name_t *keyname;
-
- dns_fixedname_init(&fkeyname);
- keyname = dns_fixedname_name(&fkeyname);
-
- debug("Creating key...");
-
- s = strchr(keystr, ':');
- if (s == NULL || s == keystr || *s == 0)
- fatal("key option must specify keyname:secret");
- secretstr = s + 1;
-
- isc_buffer_init(&keynamesrc, keystr, s - keystr);
- isc_buffer_add(&keynamesrc, s - keystr);
-
- debug("namefromtext");
- result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname,
- ISC_FALSE, NULL);
- check_result(result, "dns_name_fromtext");
-
- secretlen = strlen(secretstr) * 3 / 4;
- secret = isc_mem_allocate(mctx, secretlen);
- if (secret == NULL)
- fatal("out of memory");
-
- isc_buffer_init(&secretbuf, secret, secretlen);
- result = isc_base64_decodestring(secretstr, &secretbuf);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not create key from %s: %s\n",
- keystr, isc_result_totext(result));
- goto failure;
- }
-
- secretlen = isc_buffer_usedlength(&secretbuf);
-
- debug("keycreate");
- result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
- secret, secretlen, ISC_TRUE, NULL,
- 0, 0, mctx, NULL, &tsigkey);
- if (result != ISC_R_SUCCESS)
- fprintf(stderr, "could not create key from %s: %s\n",
- keystr, dns_result_totext(result));
- failure:
- if (secret != NULL)
- isc_mem_free(mctx, secret);
-}
-
-static void
-setup_keyfile(void) {
- dst_key_t *dstkey = NULL;
- isc_result_t result;
-
- debug("Creating key...");
-
- result = dst_key_fromnamedfile(keyfile,
- DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not read key from %s: %s\n",
- keyfile, isc_result_totext(result));
- return;
- }
- if (dst_key_alg(dstkey) == DST_ALG_HMACMD5) {
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
- dns_tsig_hmacmd5_name,
- dstkey, ISC_FALSE, NULL,
- 0, 0, mctx, NULL, &tsigkey);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not create key from %s: %s\n",
- keyfile, isc_result_totext(result));
- dst_key_free(&dstkey);
- return;
- }
- } else
- sig0key = dstkey;
-}
-
-static void
-doshutdown(void) {
- isc_task_detach(&global_task);
-
- if (userserver != NULL)
- isc_mem_put(mctx, userserver, sizeof(isc_sockaddr_t));
-
- if (localaddr != NULL)
- isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t));
-
- if (tsigkey != NULL) {
- ddebug("Freeing TSIG key");
- dns_tsigkey_detach(&tsigkey);
- }
-
- if (sig0key != NULL) {
- ddebug("Freeing SIG(0) key");
- dst_key_free(&sig0key);
- }
-
- if (updatemsg != NULL)
- dns_message_destroy(&updatemsg);
-
- if (is_dst_up) {
- ddebug("Destroy DST lib");
- dst_lib_destroy();
- is_dst_up = ISC_FALSE;
- }
-
- if (entp != NULL) {
- ddebug("Detach from entropy");
- isc_entropy_detach(&entp);
- }
-
- lwres_conf_clear(lwctx);
- lwres_context_destroy(&lwctx);
-
- isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t));
-
- ddebug("Destroying request manager");
- dns_requestmgr_detach(&requestmgr);
-
- ddebug("Freeing the dispatchers");
- if (have_ipv4)
- dns_dispatch_detach(&dispatchv4);
- if (have_ipv6)
- dns_dispatch_detach(&dispatchv6);
-
- ddebug("Shutting down dispatch manager");
- dns_dispatchmgr_destroy(&dispatchmgr);
-
-}
-
-static void
-maybeshutdown(void) {
- ddebug("Shutting down request manager");
- dns_requestmgr_shutdown(requestmgr);
-
- if (requests != 0)
- return;
-
- doshutdown();
-}
-
-static void
-shutdown_program(isc_task_t *task, isc_event_t *event) {
- REQUIRE(task == global_task);
- UNUSED(task);
-
- ddebug("shutdown_program()");
- isc_event_free(&event);
-
- shuttingdown = ISC_TRUE;
- maybeshutdown();
-}
-
-static void
-setup_system(void) {
- isc_result_t result;
- isc_sockaddr_t bind_any, bind_any6;
- lwres_result_t lwresult;
- unsigned int attrs, attrmask;
- int i;
-
- ddebug("setup_system()");
-
- dns_result_register();
-
- result = isc_net_probeipv4();
- if (result == ISC_R_SUCCESS)
- have_ipv4 = ISC_TRUE;
-
- result = isc_net_probeipv6();
- if (result == ISC_R_SUCCESS)
- have_ipv6 = ISC_TRUE;
-
- if (!have_ipv4 && !have_ipv6)
- fatal("could not find either IPv4 or IPv6");
-
- result = isc_mem_create(0, 0, &mctx);
- check_result(result, "isc_mem_create");
-
- lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
- if (lwresult != LWRES_R_SUCCESS)
- fatal("lwres_context_create failed");
-
- (void)lwres_conf_parse(lwctx, RESOLV_CONF);
- lwconf = lwres_conf_get(lwctx);
-
- ns_total = lwconf->nsnext;
- if (ns_total <= 0) {
- /* No name servers in resolv.conf; default to loopback. */
- struct in_addr localhost;
- ns_total = 1;
- servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
- if (servers == NULL)
- fatal("out of memory");
- localhost.s_addr = htonl(INADDR_LOOPBACK);
- isc_sockaddr_fromin(&servers[0], &localhost, DNSDEFAULTPORT);
- } else {
- servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
- if (servers == NULL)
- fatal("out of memory");
- for (i = 0; i < ns_total; i++) {
- if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) {
- struct in_addr in4;
- memcpy(&in4, lwconf->nameservers[i].address, 4);
- isc_sockaddr_fromin(&servers[i], &in4, DNSDEFAULTPORT);
- } else {
- struct in6_addr in6;
- memcpy(&in6, lwconf->nameservers[i].address, 16);
- isc_sockaddr_fromin6(&servers[i], &in6,
- DNSDEFAULTPORT);
- }
- }
- }
-
- result = isc_entropy_create(mctx, &entp);
- check_result(result, "isc_entropy_create");
-
- result = isc_hash_create(mctx, entp, DNS_NAME_MAXWIRE);
- check_result(result, "isc_hash_create");
- isc_hash_init();
-
- result = dns_dispatchmgr_create(mctx, entp, &dispatchmgr);
- check_result(result, "dns_dispatchmgr_create");
-
- result = isc_socketmgr_create(mctx, &socketmgr);
- check_result(result, "dns_socketmgr_create");
-
- result = isc_timermgr_create(mctx, &timermgr);
- check_result(result, "dns_timermgr_create");
-
- result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
- check_result(result, "isc_taskmgr_create");
-
- result = isc_task_create(taskmgr, 0, &global_task);
- check_result(result, "isc_task_create");
-
- result = isc_task_onshutdown(global_task, shutdown_program, NULL);
- check_result(result, "isc_task_onshutdown");
-
- result = dst_lib_init(mctx, entp, 0);
- check_result(result, "dst_lib_init");
- is_dst_up = ISC_TRUE;
-
- attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
- attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
-
- if (have_ipv6) {
- attrs = DNS_DISPATCHATTR_UDP;
- attrs |= DNS_DISPATCHATTR_MAKEQUERY;
- attrs |= DNS_DISPATCHATTR_IPV6;
- isc_sockaddr_any6(&bind_any6);
- result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
- &bind_any6, PACKETSIZE,
- 4, 2, 3, 5,
- attrs, attrmask, &dispatchv6);
- check_result(result, "dns_dispatch_getudp (v6)");
- }
-
- if (have_ipv4) {
- attrs = DNS_DISPATCHATTR_UDP;
- attrs |= DNS_DISPATCHATTR_MAKEQUERY;
- attrs |= DNS_DISPATCHATTR_IPV4;
- isc_sockaddr_any(&bind_any);
- result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
- &bind_any, PACKETSIZE,
- 4, 2, 3, 5,
- attrs, attrmask, &dispatchv4);
- check_result(result, "dns_dispatch_getudp (v4)");
- }
-
- result = dns_requestmgr_create(mctx, timermgr,
- socketmgr, taskmgr, dispatchmgr,
- dispatchv4, dispatchv6, &requestmgr);
- check_result(result, "dns_requestmgr_create");
-
- if (keystr != NULL)
- setup_keystr();
- else if (keyfile != NULL)
- setup_keyfile();
-}
-
-static void
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
- int count;
- isc_result_t result;
-
- isc_app_block();
- result = bind9_getaddresses(host, port, sockaddr, 1, &count);
- isc_app_unblock();
- if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- host, isc_result_totext(result));
- INSIST(count == 1);
-}
-
-static void
-parse_args(int argc, char **argv) {
- int ch;
- isc_result_t result;
-
- debug("parse_args");
- while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1)
- {
- switch (ch) {
- case 'd':
- debugging = ISC_TRUE;
- break;
- case 'D': /* was -dd */
- debugging = ISC_TRUE;
- ddebugging = ISC_TRUE;
- break;
- case 'M': /* was -dm */
- debugging = ISC_TRUE;
- ddebugging = ISC_TRUE;
- memdebugging = ISC_TRUE;
- isc_mem_debugging = ISC_MEM_DEBUGTRACE |
- ISC_MEM_DEBUGRECORD;
- break;
- case 'y':
- keystr = isc_commandline_argument;
- break;
- case 'v':
- usevc = ISC_TRUE;
- break;
- case 'k':
- keyfile = isc_commandline_argument;
- break;
- case 't':
- result = isc_parse_uint32(&timeout,
- isc_commandline_argument, 10);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "bad timeout '%s'\n", isc_commandline_argument);
- exit(1);
- }
- if (timeout == 0)
- timeout = UINT_MAX;
- break;
- case 'u':
- result = isc_parse_uint32(&udp_timeout,
- isc_commandline_argument, 10);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "bad udp timeout '%s'\n", isc_commandline_argument);
- exit(1);
- }
- if (udp_timeout == 0)
- udp_timeout = UINT_MAX;
- break;
- case 'r':
- result = isc_parse_uint32(&udp_retries,
- isc_commandline_argument, 10);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "bad udp retries '%s'\n", isc_commandline_argument);
- exit(1);
- }
- break;
- default:
- fprintf(stderr, "%s: invalid argument -%c\n",
- argv[0], ch);
- fprintf(stderr, "usage: nsupdate [-d] "
- "[-y keyname:secret | -k keyfile] [-v] "
- "[filename]\n");
- exit(1);
- }
- }
- if (keyfile != NULL && keystr != NULL) {
- fprintf(stderr, "%s: cannot specify both -k and -y\n",
- argv[0]);
- exit(1);
- }
-
- if (argv[isc_commandline_index] != NULL) {
- if (strcmp(argv[isc_commandline_index], "-") == 0) {
- input = stdin;
- } else {
- result = isc_stdio_open(argv[isc_commandline_index],
- "r", &input);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not open '%s': %s\n",
- argv[isc_commandline_index],
- isc_result_totext(result));
- exit(1);
- }
- }
- interactive = ISC_FALSE;
- }
-}
-
-static isc_uint16_t
-parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
- isc_result_t result;
- char *word;
- isc_buffer_t *namebuf = NULL;
- isc_buffer_t source;
-
- word = nsu_strsep(cmdlinep, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read owner name\n");
- return (STATUS_SYNTAX);
- }
-
- result = dns_message_gettempname(msg, namep);
- check_result(result, "dns_message_gettempname");
- result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
- check_result(result, "isc_buffer_allocate");
- dns_name_init(*namep, NULL);
- dns_name_setbuffer(*namep, namebuf);
- dns_message_takebuffer(msg, &namebuf);
- isc_buffer_init(&source, word, strlen(word));
- isc_buffer_add(&source, strlen(word));
- result = dns_name_fromtext(*namep, &source, dns_rootname,
- ISC_FALSE, NULL);
- check_result(result, "dns_name_fromtext");
- isc_buffer_invalidate(&source);
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
- dns_rdatatype_t rdatatype, dns_message_t *msg,
- dns_rdata_t *rdata)
-{
- char *cmdline = *cmdlinep;
- isc_buffer_t source, *buf = NULL, *newbuf = NULL;
- isc_region_t r;
- isc_lex_t *lex = NULL;
- dns_rdatacallbacks_t callbacks;
- isc_result_t result;
-
- while (*cmdline != 0 && isspace((unsigned char)*cmdline))
- cmdline++;
-
- if (*cmdline != 0) {
- dns_rdatacallbacks_init(&callbacks);
- result = isc_lex_create(mctx, strlen(cmdline), &lex);
- check_result(result, "isc_lex_create");
- isc_buffer_init(&source, cmdline, strlen(cmdline));
- isc_buffer_add(&source, strlen(cmdline));
- result = isc_lex_openbuffer(lex, &source);
- check_result(result, "isc_lex_openbuffer");
- result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
- check_result(result, "isc_buffer_allocate");
- result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
- dns_rootname, 0, mctx, buf,
- &callbacks);
- isc_lex_destroy(&lex);
- if (result == ISC_R_SUCCESS) {
- isc_buffer_usedregion(buf, &r);
- result = isc_buffer_allocate(mctx, &newbuf, r.length);
- check_result(result, "isc_buffer_allocate");
- isc_buffer_putmem(newbuf, r.base, r.length);
- isc_buffer_usedregion(newbuf, &r);
- dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
- isc_buffer_free(&buf);
- dns_message_takebuffer(msg, &newbuf);
- } else {
- fprintf(stderr, "invalid rdata format: %s\n",
- isc_result_totext(result));
- isc_buffer_free(&buf);
- return (STATUS_SYNTAX);
- }
- } else {
- rdata->flags = DNS_RDATA_UPDATE;
- }
- *cmdlinep = cmdline;
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
- isc_result_t result;
- char *word;
- dns_name_t *name = NULL;
- isc_textregion_t region;
- dns_rdataset_t *rdataset = NULL;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdataclass_t rdataclass;
- dns_rdatatype_t rdatatype;
- dns_rdata_t *rdata = NULL;
- isc_uint16_t retval;
-
- ddebug("make_prereq()");
-
- /*
- * Read the owner name
- */
- retval = parse_name(&cmdline, updatemsg, &name);
- if (retval != STATUS_MORE)
- return (retval);
-
- /*
- * If this is an rrset prereq, read the class or type.
- */
- if (isrrset) {
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read class or type\n");
- goto failure;
- }
- region.base = word;
- region.length = strlen(word);
- result = dns_rdataclass_fromtext(&rdataclass, &region);
- if (result == ISC_R_SUCCESS) {
- if (!setzoneclass(rdataclass)) {
- fprintf(stderr, "class mismatch: %s\n", word);
- goto failure;
- }
- /*
- * Now read the type.
- */
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read type\n");
- goto failure;
- }
- region.base = word;
- region.length = strlen(word);
- result = dns_rdatatype_fromtext(&rdatatype, &region);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "invalid type: %s\n", word);
- goto failure;
- }
- } else {
- rdataclass = getzoneclass();
- result = dns_rdatatype_fromtext(&rdatatype, &region);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "invalid type: %s\n", word);
- goto failure;
- }
- }
- } else
- rdatatype = dns_rdatatype_any;
-
- result = dns_message_gettemprdata(updatemsg, &rdata);
- check_result(result, "dns_message_gettemprdata");
-
- rdata->data = NULL;
- rdata->length = 0;
-
- if (isrrset && ispositive) {
- retval = parse_rdata(&cmdline, rdataclass, rdatatype,
- updatemsg, rdata);
- if (retval != STATUS_MORE)
- goto failure;
- } else
- rdata->flags = DNS_RDATA_UPDATE;
-
- result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
- check_result(result, "dns_message_gettemprdatalist");
- result = dns_message_gettemprdataset(updatemsg, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
- dns_rdatalist_init(rdatalist);
- rdatalist->type = rdatatype;
- if (ispositive) {
- if (isrrset && rdata->data != NULL)
- rdatalist->rdclass = rdataclass;
- else
- rdatalist->rdclass = dns_rdataclass_any;
- } else
- rdatalist->rdclass = dns_rdataclass_none;
- rdatalist->covers = 0;
- rdatalist->ttl = 0;
- rdata->rdclass = rdatalist->rdclass;
- rdata->type = rdatatype;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- dns_rdataset_init(rdataset);
- dns_rdatalist_tordataset(rdatalist, rdataset);
- ISC_LIST_INIT(name->list);
- ISC_LIST_APPEND(name->list, rdataset, link);
- dns_message_addname(updatemsg, name, DNS_SECTION_PREREQUISITE);
- return (STATUS_MORE);
-
- failure:
- if (name != NULL)
- dns_message_puttempname(updatemsg, &name);
- return (STATUS_SYNTAX);
-}
-
-static isc_uint16_t
-evaluate_prereq(char *cmdline) {
- char *word;
- isc_boolean_t ispositive, isrrset;
-
- ddebug("evaluate_prereq()");
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read operation code\n");
- return (STATUS_SYNTAX);
- }
- if (strcasecmp(word, "nxdomain") == 0) {
- ispositive = ISC_FALSE;
- isrrset = ISC_FALSE;
- } else if (strcasecmp(word, "yxdomain") == 0) {
- ispositive = ISC_TRUE;
- isrrset = ISC_FALSE;
- } else if (strcasecmp(word, "nxrrset") == 0) {
- ispositive = ISC_FALSE;
- isrrset = ISC_TRUE;
- } else if (strcasecmp(word, "yxrrset") == 0) {
- ispositive = ISC_TRUE;
- isrrset = ISC_TRUE;
- } else {
- fprintf(stderr, "incorrect operation code: %s\n", word);
- return (STATUS_SYNTAX);
- }
- return (make_prereq(cmdline, ispositive, isrrset));
-}
-
-static isc_uint16_t
-evaluate_server(char *cmdline) {
- char *word, *server;
- long port;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read server name\n");
- return (STATUS_SYNTAX);
- }
- server = word;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0)
- port = DNSDEFAULTPORT;
- else {
- char *endp;
- port = strtol(word, &endp, 10);
- if (*endp != 0) {
- fprintf(stderr, "port '%s' is not numeric\n", word);
- return (STATUS_SYNTAX);
- } else if (port < 1 || port > 65535) {
- fprintf(stderr, "port '%s' is out of range "
- "(1 to 65535)\n", word);
- return (STATUS_SYNTAX);
- }
- }
-
- if (userserver == NULL) {
- userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
- if (userserver == NULL)
- fatal("out of memory");
- }
-
- get_address(server, (in_port_t)port, userserver);
-
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_local(char *cmdline) {
- char *word, *local;
- long port;
- struct in_addr in4;
- struct in6_addr in6;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read server name\n");
- return (STATUS_SYNTAX);
- }
- local = word;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0)
- port = 0;
- else {
- char *endp;
- port = strtol(word, &endp, 10);
- if (*endp != 0) {
- fprintf(stderr, "port '%s' is not numeric\n", word);
- return (STATUS_SYNTAX);
- } else if (port < 1 || port > 65535) {
- fprintf(stderr, "port '%s' is out of range "
- "(1 to 65535)\n", word);
- return (STATUS_SYNTAX);
- }
- }
-
- if (localaddr == NULL) {
- localaddr = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
- if (localaddr == NULL)
- fatal("out of memory");
- }
-
- if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1)
- isc_sockaddr_fromin6(localaddr, &in6, (in_port_t)port);
- else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1)
- isc_sockaddr_fromin(localaddr, &in4, (in_port_t)port);
- else {
- fprintf(stderr, "invalid address %s", local);
- return (STATUS_SYNTAX);
- }
-
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_key(char *cmdline) {
- char *namestr;
- char *secretstr;
- isc_buffer_t b;
- isc_result_t result;
- dns_fixedname_t fkeyname;
- dns_name_t *keyname;
- int secretlen;
- unsigned char *secret = NULL;
- isc_buffer_t secretbuf;
-
- namestr = nsu_strsep(&cmdline, " \t\r\n");
- if (*namestr == 0) {
- fprintf(stderr, "could not read key name\n");
- return (STATUS_SYNTAX);
- }
-
- dns_fixedname_init(&fkeyname);
- keyname = dns_fixedname_name(&fkeyname);
-
- isc_buffer_init(&b, namestr, strlen(namestr));
- isc_buffer_add(&b, strlen(namestr));
- result = dns_name_fromtext(keyname, &b, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not parse key name\n");
- return (STATUS_SYNTAX);
- }
-
- secretstr = nsu_strsep(&cmdline, "\r\n");
- if (*secretstr == 0) {
- fprintf(stderr, "could not read key secret\n");
- return (STATUS_SYNTAX);
- }
- secretlen = strlen(secretstr) * 3 / 4;
- secret = isc_mem_allocate(mctx, secretlen);
- if (secret == NULL)
- fatal("out of memory");
-
- isc_buffer_init(&secretbuf, secret, secretlen);
- result = isc_base64_decodestring(secretstr, &secretbuf);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not create key from %s: %s\n",
- secretstr, isc_result_totext(result));
- isc_mem_free(mctx, secret);
- return (STATUS_SYNTAX);
- }
- secretlen = isc_buffer_usedlength(&secretbuf);
-
- if (tsigkey != NULL)
- dns_tsigkey_detach(&tsigkey);
- result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
- secret, secretlen, ISC_TRUE, NULL, 0, 0,
- mctx, NULL, &tsigkey);
- isc_mem_free(mctx, secret);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not create key from %s %s: %s\n",
- namestr, secretstr, dns_result_totext(result));
- return (STATUS_SYNTAX);
- }
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_zone(char *cmdline) {
- char *word;
- isc_buffer_t b;
- isc_result_t result;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read zone name\n");
- return (STATUS_SYNTAX);
- }
-
- dns_fixedname_init(&fuserzone);
- userzone = dns_fixedname_name(&fuserzone);
- isc_buffer_init(&b, word, strlen(word));
- isc_buffer_add(&b, strlen(word));
- result = dns_name_fromtext(userzone, &b, dns_rootname, ISC_FALSE,
- NULL);
- if (result != ISC_R_SUCCESS) {
- userzone = NULL; /* Lest it point to an invalid name */
- fprintf(stderr, "could not parse zone name\n");
- return (STATUS_SYNTAX);
- }
-
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-evaluate_class(char *cmdline) {
- char *word;
- isc_textregion_t r;
- isc_result_t result;
- dns_rdataclass_t rdclass;
-
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read class name\n");
- return (STATUS_SYNTAX);
- }
-
- r.base = word;
- r.length = strlen(word);
- result = dns_rdataclass_fromtext(&rdclass, &r);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not parse class name: %s\n", word);
- return (STATUS_SYNTAX);
- }
- switch (rdclass) {
- case dns_rdataclass_none:
- case dns_rdataclass_any:
- case dns_rdataclass_reserved0:
- fprintf(stderr, "bad default class: %s\n", word);
- return (STATUS_SYNTAX);
- default:
- defaultclass = rdclass;
- }
-
- return (STATUS_MORE);
-}
-
-static isc_uint16_t
-update_addordelete(char *cmdline, isc_boolean_t isdelete) {
- isc_result_t result;
- dns_name_t *name = NULL;
- isc_uint32_t ttl;
- char *word;
- dns_rdataclass_t rdataclass;
- dns_rdatatype_t rdatatype;
- dns_rdata_t *rdata = NULL;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdataset_t *rdataset = NULL;
- isc_textregion_t region;
- isc_uint16_t retval;
-
- ddebug("update_addordelete()");
-
- /*
- * Read the owner name.
- */
- retval = parse_name(&cmdline, updatemsg, &name);
- if (retval != STATUS_MORE)
- return (retval);
-
- result = dns_message_gettemprdata(updatemsg, &rdata);
- check_result(result, "dns_message_gettemprdata");
-
- rdata->rdclass = 0;
- rdata->type = 0;
- rdata->data = NULL;
- rdata->length = 0;
-
- /*
- * If this is an add, read the TTL and verify that it's in range.
- * If it's a delete, ignore a TTL if present (for compatibility).
- */
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- if (!isdelete) {
- fprintf(stderr, "could not read owner ttl\n");
- goto failure;
- }
- else {
- ttl = 0;
- rdataclass = dns_rdataclass_any;
- rdatatype = dns_rdatatype_any;
- rdata->flags = DNS_RDATA_UPDATE;
- goto doneparsing;
- }
- }
- result = isc_parse_uint32(&ttl, word, 10);
- if (result != ISC_R_SUCCESS) {
- if (isdelete) {
- ttl = 0;
- goto parseclass;
- } else {
- fprintf(stderr, "ttl '%s': %s\n", word,
- isc_result_totext(result));
- goto failure;
- }
- }
-
- if (isdelete)
- ttl = 0;
- else if (ttl > TTL_MAX) {
- fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
- word, TTL_MAX);
- goto failure;
- }
-
- /*
- * Read the class or type.
- */
- word = nsu_strsep(&cmdline, " \t\r\n");
- parseclass:
- if (*word == 0) {
- if (isdelete) {
- rdataclass = dns_rdataclass_any;
- rdatatype = dns_rdatatype_any;
- rdata->flags = DNS_RDATA_UPDATE;
- goto doneparsing;
- } else {
- fprintf(stderr, "could not read class or type\n");
- goto failure;
- }
- }
- region.base = word;
- region.length = strlen(word);
- result = dns_rdataclass_fromtext(&rdataclass, &region);
- if (result == ISC_R_SUCCESS) {
- if (!setzoneclass(rdataclass)) {
- fprintf(stderr, "class mismatch: %s\n", word);
- goto failure;
- }
- /*
- * Now read the type.
- */
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- if (isdelete) {
- rdataclass = dns_rdataclass_any;
- rdatatype = dns_rdatatype_any;
- rdata->flags = DNS_RDATA_UPDATE;
- goto doneparsing;
- } else {
- fprintf(stderr, "could not read type\n");
- goto failure;
- }
- }
- region.base = word;
- region.length = strlen(word);
- result = dns_rdatatype_fromtext(&rdatatype, &region);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "'%s' is not a valid type: %s\n",
- word, isc_result_totext(result));
- goto failure;
- }
- } else {
- rdataclass = getzoneclass();
- result = dns_rdatatype_fromtext(&rdatatype, &region);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "'%s' is not a valid class or type: "
- "%s\n", word, isc_result_totext(result));
- goto failure;
- }
- }
-
- retval = parse_rdata(&cmdline, rdataclass, rdatatype, updatemsg,
- rdata);
- if (retval != STATUS_MORE)
- goto failure;
-
- if (isdelete) {
- if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
- rdataclass = dns_rdataclass_any;
- else
- rdataclass = dns_rdataclass_none;
- } else {
- if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
- fprintf(stderr, "could not read rdata\n");
- goto failure;
- }
- }
-
- doneparsing:
-
- result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
- check_result(result, "dns_message_gettemprdatalist");
- result = dns_message_gettemprdataset(updatemsg, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
- dns_rdatalist_init(rdatalist);
- rdatalist->type = rdatatype;
- rdatalist->rdclass = rdataclass;
- rdatalist->covers = rdatatype;
- rdatalist->ttl = (dns_ttl_t)ttl;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- dns_rdataset_init(rdataset);
- dns_rdatalist_tordataset(rdatalist, rdataset);
- ISC_LIST_INIT(name->list);
- ISC_LIST_APPEND(name->list, rdataset, link);
- dns_message_addname(updatemsg, name, DNS_SECTION_UPDATE);
- return (STATUS_MORE);
-
- failure:
- if (name != NULL)
- dns_message_puttempname(updatemsg, &name);
- if (rdata != NULL)
- dns_message_puttemprdata(updatemsg, &rdata);
- return (STATUS_SYNTAX);
-}
-
-static isc_uint16_t
-evaluate_update(char *cmdline) {
- char *word;
- isc_boolean_t isdelete;
-
- ddebug("evaluate_update()");
- word = nsu_strsep(&cmdline, " \t\r\n");
- if (*word == 0) {
- fprintf(stderr, "could not read operation code\n");
- return (STATUS_SYNTAX);
- }
- if (strcasecmp(word, "delete") == 0)
- isdelete = ISC_TRUE;
- else if (strcasecmp(word, "add") == 0)
- isdelete = ISC_FALSE;
- else {
- fprintf(stderr, "incorrect operation code: %s\n", word);
- return (STATUS_SYNTAX);
- }
- return (update_addordelete(cmdline, isdelete));
-}
-
-static void
-show_message(dns_message_t *msg) {
- isc_result_t result;
- isc_buffer_t *buf = NULL;
- int bufsz;
-
- ddebug("show_message()");
- bufsz = INITTEXT;
- do {
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate large enough "
- "buffer to display message\n");
- exit(1);
- }
- if (buf != NULL)
- isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(msg, style, 0, buf);
- bufsz *= 2;
- } while (result == ISC_R_NOSPACE);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "could not convert message to text format.\n");
- isc_buffer_free(&buf);
- return;
- }
- printf("Outgoing update query:\n%.*s",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
-}
-
-
-static isc_uint16_t
-get_next_command(void) {
- char cmdlinebuf[MAXCMD];
- char *cmdline;
- char *word;
-
- ddebug("get_next_command()");
- if (interactive)
- fprintf(stdout, "> ");
- isc_app_block();
- cmdline = fgets(cmdlinebuf, MAXCMD, input);
- isc_app_unblock();
- if (cmdline == NULL)
- return (STATUS_QUIT);
- word = nsu_strsep(&cmdline, " \t\r\n");
-
- if (feof(input))
- return (STATUS_QUIT);
- if (*word == 0)
- return (STATUS_SEND);
- if (word[0] == ';')
- return (STATUS_MORE);
- if (strcasecmp(word, "quit") == 0)
- return (STATUS_QUIT);
- if (strcasecmp(word, "prereq") == 0)
- return (evaluate_prereq(cmdline));
- if (strcasecmp(word, "update") == 0)
- return (evaluate_update(cmdline));
- if (strcasecmp(word, "server") == 0)
- return (evaluate_server(cmdline));
- if (strcasecmp(word, "local") == 0)
- return (evaluate_local(cmdline));
- if (strcasecmp(word, "zone") == 0)
- return (evaluate_zone(cmdline));
- if (strcasecmp(word, "class") == 0)
- return (evaluate_class(cmdline));
- if (strcasecmp(word, "send") == 0)
- return (STATUS_SEND);
- if (strcasecmp(word, "show") == 0) {
- show_message(updatemsg);
- return (STATUS_MORE);
- }
- if (strcasecmp(word, "answer") == 0) {
- if (answer != NULL)
- show_message(answer);
- return (STATUS_MORE);
- }
- if (strcasecmp(word, "key") == 0)
- return (evaluate_key(cmdline));
- fprintf(stderr, "incorrect section name: %s\n", word);
- return (STATUS_SYNTAX);
-}
-
-static isc_boolean_t
-user_interaction(void) {
- isc_uint16_t result = STATUS_MORE;
-
- ddebug("user_interaction()");
- while ((result == STATUS_MORE) || (result == STATUS_SYNTAX))
- result = get_next_command();
- if (result == STATUS_SEND)
- return (ISC_TRUE);
- return (ISC_FALSE);
-
-}
-
-static void
-done_update(void) {
- isc_event_t *event = global_event;
- ddebug("done_update()");
- isc_task_send(global_task, &event);
-}
-
-static void
-check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_any_tsig_t tsig;
-
- result = dns_rdataset_first(rdataset);
- check_result(result, "dns_rdataset_first");
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &tsig, NULL);
- check_result(result, "dns_rdata_tostruct");
- if (tsig.error != 0) {
- if (isc_buffer_remaininglength(b) < 1)
- check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
- isc__buffer_putstr(b, "(" /*)*/);
- result = dns_tsigrcode_totext(tsig.error, b);
- check_result(result, "dns_tsigrcode_totext");
- if (isc_buffer_remaininglength(b) < 1)
- check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
- isc__buffer_putstr(b, /*(*/ ")");
- }
-}
-
-static void
-update_completed(isc_task_t *task, isc_event_t *event) {
- dns_requestevent_t *reqev = NULL;
- isc_result_t result;
- dns_request_t *request;
-
- UNUSED(task);
-
- ddebug("update_completed()");
-
- requests--;
-
- REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
- reqev = (dns_requestevent_t *)event;
- request = reqev->request;
-
- if (shuttingdown) {
- dns_request_destroy(&request);
- isc_event_free(&event);
- maybeshutdown();
- return;
- }
-
- if (reqev->result != ISC_R_SUCCESS) {
- fprintf(stderr, "; Communication with server failed: %s\n",
- isc_result_totext(reqev->result));
- seenerror = ISC_TRUE;
- goto done;
- }
-
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer);
- check_result(result, "dns_message_create");
- result = dns_request_getresponse(request, answer,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- switch (result) {
- case ISC_R_SUCCESS:
- break;
- case DNS_R_CLOCKSKEW:
- case DNS_R_EXPECTEDTSIG:
- case DNS_R_TSIGERRORSET:
- case DNS_R_TSIGVERIFYFAILURE:
- case DNS_R_UNEXPECTEDTSIG:
- fprintf(stderr, "; TSIG error with server: %s\n",
- isc_result_totext(result));
- seenerror = ISC_TRUE;
- break;
- default:
- check_result(result, "dns_request_getresponse");
- }
-
- if (answer->rcode != dns_rcode_noerror) {
- seenerror = ISC_TRUE;
- if (!debugging) {
- char buf[64];
- isc_buffer_t b;
- dns_rdataset_t *rds;
-
- isc_buffer_init(&b, buf, sizeof(buf) - 1);
- result = dns_rcode_totext(answer->rcode, &b);
- check_result(result, "dns_rcode_totext");
- rds = dns_message_gettsig(answer, NULL);
- if (rds != NULL)
- check_tsig_error(rds, &b);
- fprintf(stderr, "update failed: %.*s\n",
- (int)isc_buffer_usedlength(&b), buf);
- }
- }
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
-
- bufsz = INITTEXT;
- do {
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate large "
- "enough buffer to display message\n");
- exit(1);
- }
- if (buf != NULL)
- isc_buffer_free(&buf);
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(answer, style, 0, buf);
- bufsz *= 2;
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "\nReply from update query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
- done:
- dns_request_destroy(&request);
- isc_event_free(&event);
- done_update();
-}
-
-static void
-send_update(dns_name_t *zonename, isc_sockaddr_t *master,
- isc_sockaddr_t *srcaddr)
-{
- isc_result_t result;
- dns_request_t *request = NULL;
- dns_name_t *name = NULL;
- dns_rdataset_t *rdataset = NULL;
- unsigned int options = 0;
-
- ddebug("send_update()");
-
- result = dns_message_gettempname(updatemsg, &name);
- check_result(result, "dns_message_gettempname");
- dns_name_init(name, NULL);
- dns_name_clone(zonename, name);
- result = dns_message_gettemprdataset(updatemsg, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
- dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
- ISC_LIST_INIT(name->list);
- ISC_LIST_APPEND(name->list, rdataset, link);
- dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
-
- if (usevc)
- options |= DNS_REQUESTOPT_TCP;
- if (tsigkey == NULL && sig0key != NULL) {
- result = dns_message_setsig0key(updatemsg, sig0key);
- check_result(result, "dns_message_setsig0key");
- }
- if (debugging) {
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
- isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
- fprintf(stderr, "Sending update to %s\n", addrbuf);
- }
- result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
- master, options, tsigkey, timeout,
- udp_timeout, udp_retries, global_task,
- update_completed, NULL, &request);
- check_result(result, "dns_request_createvia3");
-
- if (debugging)
- show_message(updatemsg);
-
- requests++;
-}
-
-static void
-recvsoa(isc_task_t *task, isc_event_t *event) {
- dns_requestevent_t *reqev = NULL;
- dns_request_t *request = NULL;
- isc_result_t result, eresult;
- dns_message_t *rcvmsg = NULL;
- dns_section_t section;
- dns_name_t *name = NULL;
- dns_rdataset_t *soaset = NULL;
- dns_rdata_soa_t soa;
- dns_rdata_t soarr = DNS_RDATA_INIT;
- int pass = 0;
- dns_name_t master;
- isc_sockaddr_t *serveraddr, tempaddr;
- dns_name_t *zonename;
- nsu_requestinfo_t *reqinfo;
- dns_message_t *soaquery = NULL;
- isc_sockaddr_t *addr;
- isc_boolean_t seencname = ISC_FALSE;
- dns_name_t tname;
- unsigned int nlabels;
-
- UNUSED(task);
-
- ddebug("recvsoa()");
-
- requests--;
-
- REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
- reqev = (dns_requestevent_t *)event;
- request = reqev->request;
- eresult = reqev->result;
- reqinfo = reqev->ev_arg;
- soaquery = reqinfo->msg;
- addr = reqinfo->addr;
-
- if (shuttingdown) {
- dns_request_destroy(&request);
- dns_message_destroy(&soaquery);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
- isc_event_free(&event);
- maybeshutdown();
- return;
- }
-
- if (eresult != ISC_R_SUCCESS) {
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
- isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
- fprintf(stderr, "; Communication with %s failed: %s\n",
- addrbuf, isc_result_totext(eresult));
- if (userserver != NULL)
- fatal("could not talk to specified name server");
- else if (++ns_inuse >= lwconf->nsnext)
- fatal("could not talk to any default name server");
- ddebug("Destroying request [%p]", request);
- dns_request_destroy(&request);
- dns_message_renderreset(soaquery);
- dns_message_settsigkey(soaquery, NULL);
- sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
- isc_event_free(&event);
- setzoneclass(dns_rdataclass_none);
- return;
- }
- isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
-
- isc_event_free(&event);
- reqev = NULL;
-
- ddebug("About to create rcvmsg");
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
- check_result(result, "dns_message_create");
- result = dns_request_getresponse(request, rcvmsg,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- if (result == DNS_R_TSIGERRORSET && userserver != NULL) {
- dns_message_destroy(&rcvmsg);
- ddebug("Destroying request [%p]", request);
- dns_request_destroy(&request);
- reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
- if (reqinfo == NULL)
- fatal("out of memory");
- reqinfo->msg = soaquery;
- reqinfo->addr = addr;
- dns_message_renderreset(soaquery);
- ddebug("retrying soa request without TSIG");
- result = dns_request_createvia3(requestmgr, soaquery,
- localaddr, addr, 0, NULL,
- FIND_TIMEOUT * 20,
- FIND_TIMEOUT * 20, 3,
- global_task, recvsoa, reqinfo,
- &request);
- check_result(result, "dns_request_createvia");
- requests++;
- return;
- }
- check_result(result, "dns_request_getresponse");
- section = DNS_SECTION_ANSWER;
- if (debugging) {
- isc_buffer_t *buf = NULL;
- int bufsz;
- bufsz = INITTEXT;
- do {
- if (buf != NULL)
- isc_buffer_free(&buf);
- if (bufsz > MAXTEXT) {
- fprintf(stderr, "could not allocate enough "
- "space for debugging message\n");
- exit(1);
- }
- result = isc_buffer_allocate(mctx, &buf, bufsz);
- check_result(result, "isc_buffer_allocate");
- result = dns_message_totext(rcvmsg, style, 0, buf);
- } while (result == ISC_R_NOSPACE);
- check_result(result, "dns_message_totext");
- fprintf(stderr, "Reply from SOA query:\n%.*s\n",
- (int)isc_buffer_usedlength(buf),
- (char*)isc_buffer_base(buf));
- isc_buffer_free(&buf);
- }
-
- if (rcvmsg->rcode != dns_rcode_noerror &&
- rcvmsg->rcode != dns_rcode_nxdomain)
- fatal("response to SOA query was unsuccessful");
-
- lookforsoa:
- if (pass == 0)
- section = DNS_SECTION_ANSWER;
- else if (pass == 1)
- section = DNS_SECTION_AUTHORITY;
- else
- goto droplabel;
-
- result = dns_message_firstname(rcvmsg, section);
- if (result != ISC_R_SUCCESS) {
- pass++;
- goto lookforsoa;
- }
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(rcvmsg, section, &name);
- soaset = NULL;
- result = dns_message_findtype(name, dns_rdatatype_soa, 0,
- &soaset);
- if (result == ISC_R_SUCCESS)
- break;
- if (section == DNS_SECTION_ANSWER) {
- dns_rdataset_t *tset = NULL;
- if (dns_message_findtype(name, dns_rdatatype_cname, 0,
- &tset) == ISC_R_SUCCESS
- ||
- dns_message_findtype(name, dns_rdatatype_dname, 0,
- &tset) == ISC_R_SUCCESS
- )
- {
- seencname = ISC_TRUE;
- break;
- }
- }
-
- result = dns_message_nextname(rcvmsg, section);
- }
-
- if (soaset == NULL && !seencname) {
- pass++;
- goto lookforsoa;
- }
-
- if (seencname)
- goto droplabel;
-
- if (debugging) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namestr, sizeof(namestr));
- fprintf(stderr, "Found zone name: %s\n", namestr);
- }
-
- result = dns_rdataset_first(soaset);
- check_result(result, "dns_rdataset_first");
-
- dns_rdata_init(&soarr);
- dns_rdataset_current(soaset, &soarr);
- result = dns_rdata_tostruct(&soarr, &soa, NULL);
- check_result(result, "dns_rdata_tostruct");
-
- dns_name_init(&master, NULL);
- dns_name_clone(&soa.origin, &master);
-
- if (userzone != NULL)
- zonename = userzone;
- else
- zonename = name;
-
- if (debugging) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_name_format(&master, namestr, sizeof(namestr));
- fprintf(stderr, "The master is: %s\n", namestr);
- }
-
- if (userserver != NULL)
- serveraddr = userserver;
- else {
- char serverstr[DNS_NAME_MAXTEXT+1];
- isc_buffer_t buf;
-
- isc_buffer_init(&buf, serverstr, sizeof(serverstr));
- result = dns_name_totext(&master, ISC_TRUE, &buf);
- check_result(result, "dns_name_totext");
- serverstr[isc_buffer_usedlength(&buf)] = 0;
- get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
- serveraddr = &tempaddr;
- }
- dns_rdata_freestruct(&soa);
-
- send_update(zonename, serveraddr, localaddr);
- setzoneclass(dns_rdataclass_none);
-
- dns_message_destroy(&soaquery);
- dns_request_destroy(&request);
-
- out:
- dns_message_destroy(&rcvmsg);
- ddebug("Out of recvsoa");
- return;
-
- droplabel:
- result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
- INSIST(result == ISC_R_SUCCESS);
- name = NULL;
- dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
- nlabels = dns_name_countlabels(name);
- if (nlabels == 1)
- fatal("could not find enclosing zone");
- dns_name_init(&tname, NULL);
- dns_name_getlabelsequence(name, 1, nlabels - 1, &tname);
- dns_name_clone(&tname, name);
- dns_request_destroy(&request);
- dns_message_renderreset(soaquery);
- dns_message_settsigkey(soaquery, NULL);
- if (userserver != NULL)
- sendrequest(localaddr, userserver, soaquery, &request);
- else
- sendrequest(localaddr, &servers[ns_inuse], soaquery,
- &request);
- goto out;
-}
-
-static void
-sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_message_t *msg, dns_request_t **request)
-{
- isc_result_t result;
- nsu_requestinfo_t *reqinfo;
-
- reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
- if (reqinfo == NULL)
- fatal("out of memory");
- reqinfo->msg = msg;
- reqinfo->addr = destaddr;
- result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0,
- (userserver != NULL) ? tsigkey : NULL,
- FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
- global_task, recvsoa, reqinfo, request);
- check_result(result, "dns_request_createvia");
- requests++;
-}
-
-static void
-start_update(void) {
- isc_result_t result;
- dns_rdataset_t *rdataset = NULL;
- dns_name_t *name = NULL;
- dns_request_t *request = NULL;
- dns_message_t *soaquery = NULL;
- dns_name_t *firstname;
- dns_section_t section = DNS_SECTION_UPDATE;
-
- ddebug("start_update()");
-
- if (answer != NULL)
- dns_message_destroy(&answer);
- result = dns_message_firstname(updatemsg, section);
- if (result == ISC_R_NOMORE) {
- section = DNS_SECTION_PREREQUISITE;
- result = dns_message_firstname(updatemsg, section);
- }
- if (result != ISC_R_SUCCESS) {
- done_update();
- return;
- }
-
- if (userzone != NULL && userserver != NULL) {
- send_update(userzone, userserver, localaddr);
- setzoneclass(dns_rdataclass_none);
- return;
- }
-
- result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
- &soaquery);
- check_result(result, "dns_message_create");
-
- soaquery->flags |= DNS_MESSAGEFLAG_RD;
-
- result = dns_message_gettempname(soaquery, &name);
- check_result(result, "dns_message_gettempname");
-
- result = dns_message_gettemprdataset(soaquery, &rdataset);
- check_result(result, "dns_message_gettemprdataset");
-
- dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
-
- firstname = NULL;
- dns_message_currentname(updatemsg, section, &firstname);
- dns_name_init(name, NULL);
- dns_name_clone(firstname, name);
-
- ISC_LIST_INIT(name->list);
- ISC_LIST_APPEND(name->list, rdataset, link);
- dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
-
- if (userserver != NULL)
- sendrequest(localaddr, userserver, soaquery, &request);
- else {
- ns_inuse = 0;
- sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
- }
-}
-
-static void
-cleanup(void) {
- ddebug("cleanup()");
-
- if (answer != NULL)
- dns_message_destroy(&answer);
- ddebug("Shutting down task manager");
- isc_taskmgr_destroy(&taskmgr);
-
- ddebug("Destroying event");
- isc_event_free(&global_event);
-
- ddebug("Shutting down socket manager");
- isc_socketmgr_destroy(&socketmgr);
-
- ddebug("Shutting down timer manager");
- isc_timermgr_destroy(&timermgr);
-
- ddebug("Destroying hash context");
- isc_hash_destroy();
-
- ddebug("Destroying memory context");
- if (memdebugging)
- isc_mem_stats(mctx, stderr);
- isc_mem_destroy(&mctx);
-}
-
-static void
-getinput(isc_task_t *task, isc_event_t *event) {
- isc_boolean_t more;
-
- UNUSED(task);
-
- if (shuttingdown) {
- maybeshutdown();
- return;
- }
-
- if (global_event == NULL)
- global_event = event;
-
- reset_system();
- more = user_interaction();
- if (!more) {
- isc_app_shutdown();
- return;
- }
- start_update();
- return;
-}
-
-int
-main(int argc, char **argv) {
- isc_result_t result;
- style = &dns_master_style_debug;
-
- input = stdin;
-
- interactive = ISC_TF(isatty(0));
-
- isc_app_start();
-
- parse_args(argc, argv);
-
- setup_system();
-
- result = isc_app_onrun(mctx, global_task, getinput, NULL);
- check_result(result, "isc_app_onrun");
-
- (void)isc_app_run();
-
- cleanup();
-
- isc_app_finish();
-
- if (seenerror)
- return (2);
- else
- return (0);
-}
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.docbook b/contrib/bind9/bin/nsupdate/nsupdate.docbook
deleted file mode 100644
index 7a2b4cfb7dd7..000000000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.docbook
+++ /dev/null
@@ -1,658 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: nsupdate.docbook,v 1.8.2.3.2.10 2005/05/12 21:36:03 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>nsupdate</refentrytitle>
-<manvolnum>8</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>nsupdate</refname>
-<refpurpose>Dynamic DNS update utility</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<cmdsynopsis>
-<command>nsupdate</command>
-<arg><option>-d</option></arg>
-<group>
- <arg><option>-y <replaceable class="parameter">keyname:secret</replaceable></option></arg>
- <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
-</group>
-<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
-<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
-<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
-<arg><option>-v</option></arg>
-<arg>filename</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>nsupdate</command>
-is used to submit Dynamic DNS Update requests as defined in RFC2136
-to a name server.
-This allows resource records to be added or removed from a zone
-without manually editing the zone file.
-A single update request can contain requests to add or remove more than one
-resource record.
-</para>
-<para>
-Zones that are under dynamic control via
-<command>nsupdate</command>
-or a DHCP server should not be edited by hand.
-Manual edits could
-conflict with dynamic updates and cause data to be lost.
-</para>
-<para>
-The resource records that are dynamically added or removed with
-<command>nsupdate</command>
-have to be in the same zone.
-Requests are sent to the zone's master server.
-This is identified by the MNAME field of the zone's SOA record.
-</para>
-<para>
-The
-<option>-d</option>
-option makes
-<command>nsupdate</command>
-operate in debug mode.
-This provides tracing information about the update requests that are
-made and the replies received from the name server.
-</para>
-<para>
-Transaction signatures can be used to authenticate the Dynamic DNS
-updates.
-These use the TSIG resource record type described in RFC2845 or the
-SIG(0) record described in RFC3535 and RFC2931.
-TSIG relies on a shared secret that should only be known to
-<command>nsupdate</command> and the name server.
-Currently, the only supported encryption algorithm for TSIG is
-HMAC-MD5, which is defined in RFC 2104.
-Once other algorithms are defined for TSIG, applications will need to
-ensure they select the appropriate algorithm as well as the key when
-authenticating each other.
-For instance suitable
-<type>key</type>
-and
-<type>server</type>
-statements would be added to
-<filename>/etc/named.conf</filename>
-so that the name server can associate the appropriate secret key
-and algorithm with the IP address of the
-client application that will be using TSIG authentication.
-SIG(0) uses public key cryptography. To use a SIG(0) key, the public
-key must be stored in a KEY record in a zone served by the name server.
-<command>nsupdate</command>
-does not read
-<filename>/etc/named.conf</filename>.
-</para>
-<para>
-<command>nsupdate</command>
-uses the
-<option>-y</option>
-or
-<option>-k</option>
-option (with an HMAC-MD5 key) to provide the shared secret needed to generate
-a TSIG record for authenticating Dynamic DNS update requests.
-These options are mutually exclusive.
-With the
-<option>-k</option>
-option,
-<command>nsupdate</command>
-reads the shared secret from the file
-<parameter>keyfile</parameter>,
-whose name is of the form
-<filename>K{name}.+157.+{random}.private</filename>.
-For historical
-reasons, the file
-<filename>K{name}.+157.+{random}.key</filename>
-must also be present. When the
-<option>-y</option>
-option is used, a signature is generated from
-<parameter>keyname:secret.</parameter>
-<parameter>keyname</parameter>
-is the name of the key,
-and
-<parameter>secret</parameter>
-is the base64 encoded shared secret.
-Use of the
-<option>-y</option>
-option is discouraged because the shared secret is supplied as a command
-line argument in clear text.
-This may be visible in the output from
-<citerefentry>
-<refentrytitle>ps</refentrytitle><manvolnum>1
-</manvolnum>
-</citerefentry>
-or in a history file maintained by the user's shell.
-</para>
-<para>
-The <option>-k</option> may also be used to specify a SIG(0) key used
-to authenticate Dynamic DNS update requests. In this case, the key
-specified is not an HMAC-MD5 key.
-</para>
-<para>
-By default
-<command>nsupdate</command>
-uses UDP to send update requests to the name server unless they are too
-large to fit in a UDP request in which case TCP will be used.
-The
-<option>-v</option>
-option makes
-<command>nsupdate</command>
-use a TCP connection.
-This may be preferable when a batch of update requests is made.
-</para>
-<para>The <option>-t</option> option sets the maximum time a update request can
-take before it is aborted. The default is 300 seconds. Zero can be used
-to disable the timeout.
-</para>
-<para>The <option>-u</option> option sets the UDP retry interval. The default is
-3 seconds. If zero the interval will be computed from the timeout interval
-and number of UDP retries.
-</para>
-<para>The <option>-r</option> option sets the number of UDP retries. The default is
-3. If zero only one update request will be made.
-</para>
-</refsect1>
-
-<refsect1>
-<title>INPUT FORMAT</title>
-<para>
-<command>nsupdate</command>
-reads input from
-<parameter>filename</parameter>
-or standard input.
-Each command is supplied on exactly one line of input.
-Some commands are for administrative purposes.
-The others are either update instructions or prerequisite checks on the
-contents of the zone.
-These checks set conditions that some name or set of
-resource records (RRset) either exists or is absent from the zone.
-These conditions must be met if the entire update request is to succeed.
-Updates will be rejected if the tests for the prerequisite conditions fail.
-</para>
-<para>
-Every update request consists of zero or more prerequisites
-and zero or more updates.
-This allows a suitably authenticated update request to proceed if some
-specified resource records are present or missing from the zone.
-A blank input line (or the <command>send</command> command) causes the
-accumulated commands to be sent as one Dynamic DNS update request to the
-name server.
-</para>
-<para>
-The command formats and their meaning are as follows:
-<variablelist>
-<varlistentry><term>
-<cmdsynopsis>
-<command>server</command>
-<arg choice="req">servername</arg>
-<arg choice="opt">port</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Sends all dynamic update requests to the name server
-<parameter>servername</parameter>.
-When no server statement is provided,
-<command>nsupdate</command>
-will send updates to the master server of the correct zone.
-The MNAME field of that zone's SOA record will identify the master
-server for that zone.
-<parameter>port</parameter>
-is the port number on
-<parameter>servername</parameter>
-where the dynamic update requests get sent.
-If no port number is specified, the default DNS port number of 53 is
-used.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>local</command>
-<arg choice="req">address</arg>
-<arg choice="opt">port</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Sends all dynamic update requests using the local
-<parameter>address</parameter>.
-
-When no local statement is provided,
-<command>nsupdate</command>
-will send updates using an address and port chosen by the system.
-<parameter>port</parameter>
-can additionally be used to make requests come from a specific port.
-If no port number is specified, the system will assign one.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>zone</command>
-<arg choice="req">zonename</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Specifies that all updates are to be made to the zone
-<parameter>zonename</parameter>.
-If no
-<parameter>zone</parameter>
-statement is provided,
-<command>nsupdate</command>
-will attempt determine the correct zone to update based on the rest of the input.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>class</command>
-<arg choice="req">classname</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Specify the default class.
-If no <parameter>class</parameter> is specified the default class is
-<parameter>IN</parameter>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>key</command>
-<arg choice="req">name</arg>
-<arg choice="req">secret</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Specifies that all updates are to be TSIG signed using the
-<parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
-The <command>key</command> command
-overrides any key specified on the command line via
-<option>-y</option> or <option>-k</option>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq nxdomain</command>
-<arg choice="req">domain-name</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Requires that no resource record of any type exists with name
-<parameter>domain-name</parameter>.
-</para>
-</listitem>
-</varlistentry>
-
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq yxdomain</command>
-<arg choice="req">domain-name</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Requires that
-<parameter>domain-name</parameter>
-exists (has as at least one resource record, of any type).
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq nxrrset</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Requires that no resource record exists of the specified
-<parameter>type</parameter>,
-<parameter>class</parameter>
-and
-<parameter>domain-name</parameter>.
-If
-<parameter>class</parameter>
-is omitted, IN (internet) is assumed.
-</para>
-</listitem>
-</varlistentry>
-
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq yxrrset</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-This requires that a resource record of the specified
-<parameter>type</parameter>,
-<parameter>class</parameter>
-and
-<parameter>domain-name</parameter>
-must exist.
-If
-<parameter>class</parameter>
-is omitted, IN (internet) is assumed.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>prereq yxrrset</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-<arg choice="req" rep="repeat">data</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-The
-<parameter>data</parameter>
-from each set of prerequisites of this form
-sharing a common
-<parameter>type</parameter>,
-<parameter>class</parameter>,
-and
-<parameter>domain-name</parameter>
-are combined to form a set of RRs. This set of RRs must
-exactly match the set of RRs existing in the zone at the
-given
-<parameter>type</parameter>,
-<parameter>class</parameter>,
-and
-<parameter>domain-name</parameter>.
-The
-<parameter>data</parameter>
-are written in the standard text representation of the resource record's
-RDATA.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>update delete</command>
-<arg choice="req">domain-name</arg>
-<arg choice="opt">ttl</arg>
-<arg choice="opt">class</arg>
-<arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Deletes any resource records named
-<parameter>domain-name</parameter>.
-If
-<parameter>type</parameter>
-and
-<parameter>data</parameter>
-is provided, only matching resource records will be removed.
-The internet class is assumed if
-<parameter>class</parameter>
-is not supplied. The
-<parameter>ttl</parameter>
-is ignored, and is only allowed for compatibility.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>update add</command>
-<arg choice="req">domain-name</arg>
-<arg choice="req">ttl</arg>
-<arg choice="opt">class</arg>
-<arg choice="req">type</arg>
-<arg choice="req" rep="repeat">data</arg>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Adds a new resource record with the specified
-<parameter>ttl</parameter>,
-<parameter>class</parameter>
-and
-<parameter>data</parameter>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>show</command>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Displays the current message, containing all of the prerequisites and
-updates specified since the last send.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>send</command>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Sends the current message. This is equivalent to entering a blank line.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term>
-<cmdsynopsis>
-<command>answer</command>
-</cmdsynopsis>
-</term>
-<listitem>
-<para>
-Displays the answer.
-</para>
-</listitem>
-</varlistentry>
-
-</variablelist>
-</para>
-
-<para>
-Lines beginning with a semicolon are comments and are ignored.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>EXAMPLES</title>
-<para>
-The examples below show how
-<command>nsupdate</command>
-could be used to insert and delete resource records from the
-<type>example.com</type>
-zone.
-Notice that the input in each example contains a trailing blank line so that
-a group of commands are sent as one dynamic update request to the
-master name server for
-<type>example.com</type>.
-
-<programlisting>
-# nsupdate
-> update delete oldhost.example.com A
-> update add newhost.example.com 86400 A 172.16.1.1
-> send
-</programlisting>
-</para>
-<para>
-Any A records for
-<type>oldhost.example.com</type>
-are deleted.
-and an A record for
-<type>newhost.example.com</type>
-it IP address 172.16.1.1 is added.
-The newly-added record has a 1 day TTL (86400 seconds)
-<programlisting>
-# nsupdate
-> prereq nxdomain nickname.example.com
-> update add nickname.example.com 86400 CNAME somehost.example.com
-> send
-</programlisting>
-</para>
-<para>
-The prerequisite condition gets the name server to check that there
-are no resource records of any type for
-<type>nickname.example.com</type>.
-
-If there are, the update request fails.
-If this name does not exist, a CNAME for it is added.
-This ensures that when the CNAME is added, it cannot conflict with the
-long-standing rule in RFC1034 that a name must not exist as any other
-record type if it exists as a CNAME.
-(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
-RRSIG, DNSKEY and NSEC records.)
-</para>
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-
-<variablelist>
-<varlistentry><term><constant>/etc/resolv.conf</constant></term>
-<listitem>
-<para>
-used to identify default name server
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term>
-<listitem>
-<para>
-base-64 encoding of HMAC-MD5 key created by
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</listitem>
-</varlistentry>
-
-<varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term>
-<listitem>
-<para>
-base-64 encoding of HMAC-MD5 key created by
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2136</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC3007</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2104</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2845</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC1034</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2535</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>RFC2931</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-<refsect1>
-<title>BUGS</title>
-<para>
-The TSIG key is redundantly stored in two separate files.
-This is a consequence of nsupdate using the DST library
-for its cryptographic operations, and may change in future
-releases.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.html b/contrib/bind9/bin/nsupdate/nsupdate.html
deleted file mode 100644
index 74ba2fbe2777..000000000000
--- a/contrib/bind9/bin/nsupdate/nsupdate.html
+++ /dev/null
@@ -1,468 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: nsupdate.html,v 1.9.2.3.2.12 2005/10/13 02:33:49 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>nsupdate</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>nsupdate &#8212; Dynamic DNS update utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code> [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>keyname:secret</code></em></code>] | [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525896"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">nsupdate</strong></span>
-is used to submit Dynamic DNS Update requests as defined in RFC2136
-to a name server.
-This allows resource records to be added or removed from a zone
-without manually editing the zone file.
-A single update request can contain requests to add or remove more than one
-resource record.
-</p>
-<p>
-Zones that are under dynamic control via
-<span><strong class="command">nsupdate</strong></span>
-or a DHCP server should not be edited by hand.
-Manual edits could
-conflict with dynamic updates and cause data to be lost.
-</p>
-<p>
-The resource records that are dynamically added or removed with
-<span><strong class="command">nsupdate</strong></span>
-have to be in the same zone.
-Requests are sent to the zone's master server.
-This is identified by the MNAME field of the zone's SOA record.
-</p>
-<p>
-The
-<code class="option">-d</code>
-option makes
-<span><strong class="command">nsupdate</strong></span>
-operate in debug mode.
-This provides tracing information about the update requests that are
-made and the replies received from the name server.
-</p>
-<p>
-Transaction signatures can be used to authenticate the Dynamic DNS
-updates.
-These use the TSIG resource record type described in RFC2845 or the
-SIG(0) record described in RFC3535 and RFC2931.
-TSIG relies on a shared secret that should only be known to
-<span><strong class="command">nsupdate</strong></span> and the name server.
-Currently, the only supported encryption algorithm for TSIG is
-HMAC-MD5, which is defined in RFC 2104.
-Once other algorithms are defined for TSIG, applications will need to
-ensure they select the appropriate algorithm as well as the key when
-authenticating each other.
-For instance suitable
-<span class="type">key</span>
-and
-<span class="type">server</span>
-statements would be added to
-<code class="filename">/etc/named.conf</code>
-so that the name server can associate the appropriate secret key
-and algorithm with the IP address of the
-client application that will be using TSIG authentication.
-SIG(0) uses public key cryptography. To use a SIG(0) key, the public
-key must be stored in a KEY record in a zone served by the name server.
-<span><strong class="command">nsupdate</strong></span>
-does not read
-<code class="filename">/etc/named.conf</code>.
-</p>
-<p>
-<span><strong class="command">nsupdate</strong></span>
-uses the
-<code class="option">-y</code>
-or
-<code class="option">-k</code>
-option (with an HMAC-MD5 key) to provide the shared secret needed to generate
-a TSIG record for authenticating Dynamic DNS update requests.
-These options are mutually exclusive.
-With the
-<code class="option">-k</code>
-option,
-<span><strong class="command">nsupdate</strong></span>
-reads the shared secret from the file
-<em class="parameter"><code>keyfile</code></em>,
-whose name is of the form
-<code class="filename">K{name}.+157.+{random}.private</code>.
-For historical
-reasons, the file
-<code class="filename">K{name}.+157.+{random}.key</code>
-must also be present. When the
-<code class="option">-y</code>
-option is used, a signature is generated from
-<em class="parameter"><code>keyname:secret.</code></em>
-<em class="parameter"><code>keyname</code></em>
-is the name of the key,
-and
-<em class="parameter"><code>secret</code></em>
-is the base64 encoded shared secret.
-Use of the
-<code class="option">-y</code>
-option is discouraged because the shared secret is supplied as a command
-line argument in clear text.
-This may be visible in the output from
-<span class="citerefentry"><span class="refentrytitle">ps</span>(1
-)</span>
-or in a history file maintained by the user's shell.
-</p>
-<p>
-The <code class="option">-k</code> may also be used to specify a SIG(0) key used
-to authenticate Dynamic DNS update requests. In this case, the key
-specified is not an HMAC-MD5 key.
-</p>
-<p>
-By default
-<span><strong class="command">nsupdate</strong></span>
-uses UDP to send update requests to the name server unless they are too
-large to fit in a UDP request in which case TCP will be used.
-The
-<code class="option">-v</code>
-option makes
-<span><strong class="command">nsupdate</strong></span>
-use a TCP connection.
-This may be preferable when a batch of update requests is made.
-</p>
-<p>The <code class="option">-t</code> option sets the maximum time a update request can
-take before it is aborted. The default is 300 seconds. Zero can be used
-to disable the timeout.
-</p>
-<p>The <code class="option">-u</code> option sets the UDP retry interval. The default is
-3 seconds. If zero the interval will be computed from the timeout interval
-and number of UDP retries.
-</p>
-<p>The <code class="option">-r</code> option sets the number of UDP retries. The default is
-3. If zero only one update request will be made.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526121"></a><h2>INPUT FORMAT</h2>
-<p>
-<span><strong class="command">nsupdate</strong></span>
-reads input from
-<em class="parameter"><code>filename</code></em>
-or standard input.
-Each command is supplied on exactly one line of input.
-Some commands are for administrative purposes.
-The others are either update instructions or prerequisite checks on the
-contents of the zone.
-These checks set conditions that some name or set of
-resource records (RRset) either exists or is absent from the zone.
-These conditions must be met if the entire update request is to succeed.
-Updates will be rejected if the tests for the prerequisite conditions fail.
-</p>
-<p>
-Every update request consists of zero or more prerequisites
-and zero or more updates.
-This allows a suitably authenticated update request to proceed if some
-specified resource records are present or missing from the zone.
-A blank input line (or the <span><strong class="command">send</strong></span> command) causes the
-accumulated commands to be sent as one Dynamic DNS update request to the
-name server.
-</p>
-<p>
-The command formats and their meaning are as follows:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">server</code> {servername} [port]</p></div>
-</span></dt>
-<dd><p>
-Sends all dynamic update requests to the name server
-<em class="parameter"><code>servername</code></em>.
-When no server statement is provided,
-<span><strong class="command">nsupdate</strong></span>
-will send updates to the master server of the correct zone.
-The MNAME field of that zone's SOA record will identify the master
-server for that zone.
-<em class="parameter"><code>port</code></em>
-is the port number on
-<em class="parameter"><code>servername</code></em>
-where the dynamic update requests get sent.
-If no port number is specified, the default DNS port number of 53 is
-used.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">local</code> {address} [port]</p></div>
-</span></dt>
-<dd><p>
-Sends all dynamic update requests using the local
-<em class="parameter"><code>address</code></em>.
-
-When no local statement is provided,
-<span><strong class="command">nsupdate</strong></span>
-will send updates using an address and port chosen by the system.
-<em class="parameter"><code>port</code></em>
-can additionally be used to make requests come from a specific port.
-If no port number is specified, the system will assign one.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">zone</code> {zonename}</p></div>
-</span></dt>
-<dd><p>
-Specifies that all updates are to be made to the zone
-<em class="parameter"><code>zonename</code></em>.
-If no
-<em class="parameter"><code>zone</code></em>
-statement is provided,
-<span><strong class="command">nsupdate</strong></span>
-will attempt determine the correct zone to update based on the rest of the input.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">class</code> {classname}</p></div>
-</span></dt>
-<dd><p>
-Specify the default class.
-If no <em class="parameter"><code>class</code></em> is specified the default class is
-<em class="parameter"><code>IN</code></em>.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">key</code> {name} {secret}</p></div>
-</span></dt>
-<dd><p>
-Specifies that all updates are to be TSIG signed using the
-<em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
-The <span><strong class="command">key</strong></span> command
-overrides any key specified on the command line via
-<code class="option">-y</code> or <code class="option">-k</code>.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq nxdomain</code> {domain-name}</p></div>
-</span></dt>
-<dd><p>
-Requires that no resource record of any type exists with name
-<em class="parameter"><code>domain-name</code></em>.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq yxdomain</code> {domain-name}</p></div>
-</span></dt>
-<dd><p>
-Requires that
-<em class="parameter"><code>domain-name</code></em>
-exists (has as at least one resource record, of any type).
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq nxrrset</code> {domain-name} [class] {type}</p></div>
-</span></dt>
-<dd><p>
-Requires that no resource record exists of the specified
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>
-and
-<em class="parameter"><code>domain-name</code></em>.
-If
-<em class="parameter"><code>class</code></em>
-is omitted, IN (internet) is assumed.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type}</p></div>
-</span></dt>
-<dd><p>
-This requires that a resource record of the specified
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>
-and
-<em class="parameter"><code>domain-name</code></em>
-must exist.
-If
-<em class="parameter"><code>class</code></em>
-is omitted, IN (internet) is assumed.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">prereq yxrrset</code> {domain-name} [class] {type} {data...}</p></div>
-</span></dt>
-<dd><p>
-The
-<em class="parameter"><code>data</code></em>
-from each set of prerequisites of this form
-sharing a common
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>,
-and
-<em class="parameter"><code>domain-name</code></em>
-are combined to form a set of RRs. This set of RRs must
-exactly match the set of RRs existing in the zone at the
-given
-<em class="parameter"><code>type</code></em>,
-<em class="parameter"><code>class</code></em>,
-and
-<em class="parameter"><code>domain-name</code></em>.
-The
-<em class="parameter"><code>data</code></em>
-are written in the standard text representation of the resource record's
-RDATA.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">update delete</code> {domain-name} [ttl] [class] [type [data...]]</p></div>
-</span></dt>
-<dd><p>
-Deletes any resource records named
-<em class="parameter"><code>domain-name</code></em>.
-If
-<em class="parameter"><code>type</code></em>
-and
-<em class="parameter"><code>data</code></em>
-is provided, only matching resource records will be removed.
-The internet class is assumed if
-<em class="parameter"><code>class</code></em>
-is not supplied. The
-<em class="parameter"><code>ttl</code></em>
-is ignored, and is only allowed for compatibility.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">update add</code> {domain-name} {ttl} [class] {type} {data...}</p></div>
-</span></dt>
-<dd><p>
-Adds a new resource record with the specified
-<em class="parameter"><code>ttl</code></em>,
-<em class="parameter"><code>class</code></em>
-and
-<em class="parameter"><code>data</code></em>.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">show</code> </p></div>
-</span></dt>
-<dd><p>
-Displays the current message, containing all of the prerequisites and
-updates specified since the last send.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">send</code> </p></div>
-</span></dt>
-<dd><p>
-Sends the current message. This is equivalent to entering a blank line.
-</p></dd>
-<dt><span class="term">
-<div class="cmdsynopsis"><p><code class="command">answer</code> </p></div>
-</span></dt>
-<dd><p>
-Displays the answer.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-Lines beginning with a semicolon are comments and are ignored.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526749"></a><h2>EXAMPLES</h2>
-<p>
-The examples below show how
-<span><strong class="command">nsupdate</strong></span>
-could be used to insert and delete resource records from the
-<span class="type">example.com</span>
-zone.
-Notice that the input in each example contains a trailing blank line so that
-a group of commands are sent as one dynamic update request to the
-master name server for
-<span class="type">example.com</span>.
-
-</p>
-<pre class="programlisting">
-# nsupdate
-&gt; update delete oldhost.example.com A
-&gt; update add newhost.example.com 86400 A 172.16.1.1
-&gt; send
-</pre>
-<p>
-</p>
-<p>
-Any A records for
-<span class="type">oldhost.example.com</span>
-are deleted.
-and an A record for
-<span class="type">newhost.example.com</span>
-it IP address 172.16.1.1 is added.
-The newly-added record has a 1 day TTL (86400 seconds)
-</p>
-<pre class="programlisting">
-# nsupdate
-&gt; prereq nxdomain nickname.example.com
-&gt; update add nickname.example.com 86400 CNAME somehost.example.com
-&gt; send
-</pre>
-<p>
-</p>
-<p>
-The prerequisite condition gets the name server to check that there
-are no resource records of any type for
-<span class="type">nickname.example.com</span>.
-
-If there are, the update request fails.
-If this name does not exist, a CNAME for it is added.
-This ensures that when the CNAME is added, it cannot conflict with the
-long-standing rule in RFC1034 that a name must not exist as any other
-record type if it exists as a CNAME.
-(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
-RRSIG, DNSKEY and NSEC records.)
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526793"></a><h2>FILES</h2>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
-<dd><p>
-used to identify default name server
-</p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
-<dd><p>
-base-64 encoding of HMAC-MD5 key created by
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p></dd>
-<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
-<dd><p>
-base-64 encoding of HMAC-MD5 key created by
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525155"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
-<span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525226"></a><h2>BUGS</h2>
-<p>
-The TSIG key is redundantly stored in two separate files.
-This is a consequence of nsupdate using the DST library
-for its cryptographic operations, and may change in future
-releases.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in
deleted file mode 100644
index e6773151126b..000000000000
--- a/contrib/bind9/bin/rndc/Makefile.in
+++ /dev/null
@@ -1,102 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.32.2.3.8.8 2004/07/20 07:01:50 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
- ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-ISCLIBS = ../../lib/isc/libisc.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-BIND9LIBS = ../../lib/bind9/libbind9.@A@
-
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
-
-RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
-RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
-
-CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
-CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
-
-SUBDIRS = unix
-
-TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@
-
-MANPAGES = rndc.8 rndc-confgen.8 rndc.conf.5
-
-HTMLPAGES = rndc.html rndc-confgen.html rndc.conf.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-UOBJS = unix/os.@O@
-
-@BIND9_MAKE_RULES@
-
-rndc.@O@: rndc.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DRNDC_CONFFILE=\"${sysconfdir}/rndc.conf\" \
- -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
- -c ${srcdir}/rndc.c
-
-rndc-confgen.@O@: rndc-confgen.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
- -c ${srcdir}/rndc-confgen.c
-
-rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
- ${RNDCLIBS}
-
-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS}
- ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
- ${UOBJS} ${CONFLIBS}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
-
-install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
- ${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
- ${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
-
-clean distclean maintainer-clean::
- rm -f ${TARGETS}
diff --git a/contrib/bind9/bin/rndc/include/rndc/os.h b/contrib/bind9/bin/rndc/include/rndc/os.h
deleted file mode 100644
index b5ade476b9f1..000000000000
--- a/contrib/bind9/bin/rndc/include/rndc/os.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.h,v 1.4.206.1 2004/03/06 10:21:33 marka Exp $ */
-
-#ifndef RNDC_OS_H
-#define RNDC_OS_H 1
-
-#include <isc/lang.h>
-#include <stdio.h>
-
-ISC_LANG_BEGINDECLS
-
-FILE *safe_create(const char *filename);
-/*
- * Open 'filename' for writing, truncate if necessary. If the file was
- * created ensure that only the owner can read/write it.
- */
-
-int set_user(FILE *fd, const char *user);
-/*
- * Set the owner of the file refernced by 'fd' to 'user'.
- * Returns:
- * 0 success
- * -1 insufficient permissions, or 'user' does not exist.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.8 b/contrib/bind9/bin/rndc/rndc-confgen.8
deleted file mode 100644
index b29f0095cc0d..000000000000
--- a/contrib/bind9/bin/rndc/rndc-confgen.8
+++ /dev/null
@@ -1,183 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: rndc-confgen.8,v 1.3.2.5.2.7 2005/10/13 02:33:50 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc\-confgen \- rndc key generation tool
-.SH "SYNOPSIS"
-.HP 13
-\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
-.SH "DESCRIPTION"
-.PP
-\fBrndc\-confgen\fR
-generates configuration files for
-\fBrndc\fR. It can be used as a convenient alternative to writing the
-\fIrndc.conf\fR
-file and the corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements in
-\fInamed.conf\fR
-by hand. Alternatively, it can be run with the
-\fB\-a\fR
-option to set up a
-\fIrndc.key\fR
-file and avoid the need for a
-\fIrndc.conf\fR
-file and a
-\fBcontrols\fR
-statement altogether.
-.SH "OPTIONS"
-.TP
-\-a
-Do automatic
-\fBrndc\fR
-configuration. This creates a file
-\fIrndc.key\fR
-in
-\fI/etc\fR
-(or whatever
-\fIsysconfdir\fR
-was specified as when
-BIND
-was built) that is read by both
-\fBrndc\fR
-and
-\fBnamed\fR
-on startup. The
-\fIrndc.key\fR
-file defines a default command channel and authentication key allowing
-\fBrndc\fR
-to communicate with
-\fBnamed\fR
-on the local host with no further configuration.
-.sp
-Running
-\fBrndc\-confgen \-a\fR
-allows BIND 9 and
-\fBrndc\fR
-to be used as drop\-in replacements for BIND 8 and
-\fBndc\fR, with no changes to the existing BIND 8
-\fInamed.conf\fR
-file.
-.sp
-If a more elaborate configuration than that generated by
-\fBrndc\-confgen \-a\fR
-is required, for example if rndc is to be used remotely, you should run
-\fBrndc\-confgen\fR
-without the
-\fB\-a\fR
-option and set up a
-\fIrndc.conf\fR
-and
-\fInamed.conf\fR
-as directed.
-.TP
-\-b \fIkeysize\fR
-Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
-.TP
-\-c \fIkeyfile\fR
-Used with the
-\fB\-a\fR
-option to specify an alternate location for
-\fIrndc.key\fR.
-.TP
-\-h
-Prints a short summary of the options and arguments to
-\fBrndc\-confgen\fR.
-.TP
-\-k \fIkeyname\fR
-Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
-\fBrndc\-key\fR.
-.TP
-\-p \fIport\fR
-Specifies the command channel port where
-\fBnamed\fR
-listens for connections from
-\fBrndc\fR. The default is 953.
-.TP
-\-r \fIrandomfile\fR
-Specifies a source of random data for generating the authorization. If the operating system does not provide a
-\fI/dev/random\fR
-or equivalent device, the default source of randomness is keyboard input.
-\fIrandomdev\fR
-specifies the name of a character device or file containing random data to be used instead of the default. The special value
-\fIkeyboard\fR
-indicates that keyboard input should be used.
-.TP
-\-s \fIaddress\fR
-Specifies the IP address where
-\fBnamed\fR
-listens for command channel connections from
-\fBrndc\fR. The default is the loopback address 127.0.0.1.
-.TP
-\-t \fIchrootdir\fR
-Used with the
-\fB\-a\fR
-option to specify a directory where
-\fBnamed\fR
-will run chrooted. An additional copy of the
-\fIrndc.key\fR
-will be written relative to this directory so that it will be found by the chrooted
-\fBnamed\fR.
-.TP
-\-u \fIuser\fR
-Used with the
-\fB\-a\fR
-option to set the owner of the
-\fIrndc.key\fR
-file generated. If
-\fB\-t\fR
-is also specified only the file in the chroot area has its owner changed.
-.SH "EXAMPLES"
-.PP
-To allow
-\fBrndc\fR
-to be used with no manual configuration, run
-.PP
-\fBrndc\-confgen \-a\fR
-.PP
-To print a sample
-\fIrndc.conf\fR
-file and corresponding
-\fBcontrols\fR
-and
-\fBkey\fR
-statements to be manually inserted into
-\fInamed.conf\fR, run
-.PP
-\fBrndc\-confgen\fR
-.SH "SEE ALSO"
-.PP
-\fBrndc\fR(8),
-\fBrndc.conf\fR(5),
-\fBnamed\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.c b/contrib/bind9/bin/rndc/rndc-confgen.c
deleted file mode 100644
index f6e578ed9878..000000000000
--- a/contrib/bind9/bin/rndc/rndc-confgen.c
+++ /dev/null
@@ -1,324 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rndc-confgen.c,v 1.9.2.6.2.5 2004/09/28 07:14:57 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <stdarg.h>
-
-#include <isc/assertions.h>
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/entropy.h>
-#include <isc/file.h>
-#include <isc/keyboard.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-#include <rndc/os.h>
-
-#include "util.h"
-
-#define DEFAULT_KEYLENGTH 128 /* Bits. */
-#define DEFAULT_KEYNAME "rndc-key"
-#define DEFAULT_SERVER "127.0.0.1"
-#define DEFAULT_PORT 953
-
-static char program[256];
-char *progname;
-
-isc_boolean_t verbose = ISC_FALSE;
-
-const char *keyfile, *keydef;
-
-static void
-usage(int status) {
-
- fprintf(stderr, "\
-Usage:\n\
- %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
-[-s addr] [-t chrootdir] [-u user]\n\
- -a: generate just the key clause and write it to keyfile (%s)\n\
- -b bits: from 1 through 512, default %d; total length of the secret\n\
- -c keyfile: specify an alternate key file (requires -a)\n\
- -k keyname: the name as it will be used in named.conf and rndc.conf\n\
- -p port: the port named will listen on and rndc will connect to\n\
- -r randomfile: a file containing random data\n\
- -s addr: the address to which rndc should connect\n\
- -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
- -u user: set the keyfile owner to \"user\" (requires -a)\n",
- progname, keydef, DEFAULT_KEYLENGTH);
-
- exit (status);
-}
-
-/*
- * Write an rndc.key file to 'keyfile'. If 'user' is non-NULL,
- * make that user the owner of the file. The key will have
- * the name 'keyname' and the secret in the buffer 'secret'.
- */
-static void
-write_key_file(const char *keyfile, const char *user,
- const char *keyname, isc_buffer_t *secret )
-{
- FILE *fd;
-
- fd = safe_create(keyfile);
- if (fd == NULL)
- fatal( "unable to create \"%s\"\n", keyfile);
- if (user != NULL) {
- if (set_user(fd, user) == -1)
- fatal("unable to set file owner\n");
- }
- fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
- "\tsecret \"%.*s\";\n};\n", keyname,
- (int)isc_buffer_usedlength(secret),
- (char *)isc_buffer_base(secret));
- fflush(fd);
- if (ferror(fd))
- fatal("write to %s failed\n", keyfile);
- if (fclose(fd))
- fatal("fclose(%s) failed\n", keyfile);
- fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
-}
-
-int
-main(int argc, char **argv) {
- isc_boolean_t show_final_mem = ISC_FALSE;
- isc_buffer_t key_rawbuffer;
- isc_buffer_t key_txtbuffer;
- isc_region_t key_rawregion;
- isc_mem_t *mctx = NULL;
- isc_entropy_t *ectx = NULL;
- isc_entropysource_t *entropy_source = NULL;
- isc_result_t result = ISC_R_SUCCESS;
- dst_key_t *key = NULL;
- const char *keyname = NULL;
- const char *randomfile = NULL;
- const char *serveraddr = NULL;
- char key_rawsecret[64];
- char key_txtsecret[256];
- char *p;
- int ch;
- int port;
- int keysize;
- int entropy_flags = 0;
- int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
- struct in_addr addr4_dummy;
- struct in6_addr addr6_dummy;
- char *chrootdir = NULL;
- char *user = NULL;
- isc_boolean_t keyonly = ISC_FALSE;
- int len;
-
- keydef = keyfile = RNDC_KEYFILE;
-
- result = isc_file_progname(*argv, program, sizeof(program));
- if (result != ISC_R_SUCCESS)
- memcpy(program, "rndc-confgen", 13);
- progname = program;
-
- keyname = DEFAULT_KEYNAME;
- keysize = DEFAULT_KEYLENGTH;
- serveraddr = DEFAULT_SERVER;
- port = DEFAULT_PORT;
-
- while ((ch = isc_commandline_parse(argc, argv,
- "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
- switch (ch) {
- case 'a':
- keyonly = ISC_TRUE;
- break;
- case 'b':
- keysize = strtol(isc_commandline_argument, &p, 10);
- if (*p != '\0' || keysize < 0)
- fatal("-b requires a non-negative number");
- if (keysize < 1 || keysize > 512)
- fatal("-b must be in the range 1 through 512");
- break;
- case 'c':
- keyfile = isc_commandline_argument;
- break;
- case 'h':
- usage(0);
- case 'k':
- case 'y': /* Compatible with rndc -y. */
- keyname = isc_commandline_argument;
- break;
- case 'M':
- isc_mem_debugging = ISC_MEM_DEBUGTRACE;
- break;
-
- case 'm':
- show_final_mem = ISC_TRUE;
- break;
- case 'p':
- port = strtol(isc_commandline_argument, &p, 10);
- if (*p != '\0' || port < 0 || port > 65535)
- fatal("port '%s' out of range",
- isc_commandline_argument);
- break;
- case 'r':
- randomfile = isc_commandline_argument;
- break;
- case 's':
- serveraddr = isc_commandline_argument;
- if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
- inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
- fatal("-s should be an IPv4 or IPv6 address");
- break;
- case 't':
- chrootdir = isc_commandline_argument;
- break;
- case 'u':
- user = isc_commandline_argument;
- break;
- case 'V':
- verbose = ISC_TRUE;
- break;
- case '?':
- usage(1);
- break;
- default:
- fatal("unexpected error parsing command arguments: "
- "got %c\n", ch);
- break;
- }
- }
-
- argc -= isc_commandline_index;
- argv += isc_commandline_index;
-
- if (argc > 0)
- usage(1);
-
- DO("create memory context", isc_mem_create(0, 0, &mctx));
-
- DO("create entropy context", isc_entropy_create(mctx, &ectx));
-
- if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
- randomfile = NULL;
- open_keyboard = ISC_ENTROPY_KEYBOARDYES;
- }
- DO("start entropy source", isc_entropy_usebestsource(ectx,
- &entropy_source,
- randomfile,
- open_keyboard));
-
- entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
-
- DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
-
- DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
- keysize, 0, 0,
- DNS_KEYPROTO_ANY,
- dns_rdataclass_in, mctx, &key));
-
- isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
-
- DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
-
- isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
- isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
-
- DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
- &key_txtbuffer));
-
- /*
- * Shut down the entropy source now so the "stop typing" message
- * does not muck with the output.
- */
- if (entropy_source != NULL)
- isc_entropy_destroysource(&entropy_source);
-
- if (key != NULL)
- dst_key_free(&key);
-
- isc_entropy_detach(&ectx);
- dst_lib_destroy();
-
- if (keyonly) {
- write_key_file(keyfile, chrootdir == NULL ? user : NULL,
- keyname, &key_txtbuffer);
-
- if (chrootdir != NULL) {
- char *buf;
- len = strlen(chrootdir) + strlen(keyfile) + 2;
- buf = isc_mem_get(mctx, len);
- if (buf == NULL)
- fatal("isc_mem_get(%d) failed\n", len);
- snprintf(buf, len, "%s%s%s", chrootdir,
- (*keyfile != '/') ? "/" : "", keyfile);
-
- write_key_file(buf, user, keyname, &key_txtbuffer);
- isc_mem_put(mctx, buf, len);
- }
- } else {
- printf("\
-# Start of rndc.conf\n\
-key \"%s\" {\n\
- algorithm hmac-md5;\n\
- secret \"%.*s\";\n\
-};\n\
-\n\
-options {\n\
- default-key \"%s\";\n\
- default-server %s;\n\
- default-port %d;\n\
-};\n\
-# End of rndc.conf\n\
-\n\
-# Use with the following in named.conf, adjusting the allow list as needed:\n\
-# key \"%s\" {\n\
-# algorithm hmac-md5;\n\
-# secret \"%.*s\";\n\
-# };\n\
-# \n\
-# controls {\n\
-# inet %s port %d\n\
-# allow { %s; } keys { \"%s\"; };\n\
-# };\n\
-# End of named.conf\n",
- keyname,
- (int)isc_buffer_usedlength(&key_txtbuffer),
- (char *)isc_buffer_base(&key_txtbuffer),
- keyname, serveraddr, port,
- keyname,
- (int)isc_buffer_usedlength(&key_txtbuffer),
- (char *)isc_buffer_base(&key_txtbuffer),
- serveraddr, port, serveraddr, keyname);
- }
-
- if (show_final_mem)
- isc_mem_stats(mctx, stderr);
-
- isc_mem_destroy(&mctx);
-
- return (0);
-}
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.docbook b/contrib/bind9/bin/rndc/rndc-confgen.docbook
deleted file mode 100644
index e0c5a68cf6f6..000000000000
--- a/contrib/bind9/bin/rndc/rndc-confgen.docbook
+++ /dev/null
@@ -1,288 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: rndc-confgen.docbook,v 1.3.2.1.4.5 2005/05/13 01:22:34 marka Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>Aug 27, 2001</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>rndc-confgen</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2001</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>rndc-confgen</application></refname>
- <refpurpose>rndc key generation tool</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>rndc-confgen</command>
- <arg><option>-a</option></arg>
- <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
- <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
- <arg><option>-h</option></arg>
- <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
- <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
- <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
- <arg><option>-s <replaceable class="parameter">address</replaceable></option></arg>
- <arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
- <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>rndc-confgen</command> generates configuration files
- for <command>rndc</command>. It can be used as a
- convenient alternative to writing the
- <filename>rndc.conf</filename> file
- and the corresponding <command>controls</command>
- and <command>key</command>
- statements in <filename>named.conf</filename> by hand.
- Alternatively, it can be run with the <command>-a</command>
- option to set up a <filename>rndc.key</filename> file and
- avoid the need for a <filename>rndc.conf</filename> file
- and a <command>controls</command> statement altogether.
- </para>
-
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-a</term>
- <listitem>
- <para>
- Do automatic <command>rndc</command> configuration.
- This creates a file <filename>rndc.key</filename>
- in <filename>/etc</filename> (or whatever
- <varname>sysconfdir</varname>
- was specified as when <acronym>BIND</acronym> was built)
- that is read by both <command>rndc</command>
- and <command>named</command> on startup. The
- <filename>rndc.key</filename> file defines a default
- command channel and authentication key allowing
- <command>rndc</command> to communicate with
- <command>named</command> on the local host
- with no further configuration.
- </para>
- <para>
- Running <command>rndc-confgen -a</command> allows
- BIND 9 and <command>rndc</command> to be used as drop-in
- replacements for BIND 8 and <command>ndc</command>,
- with no changes to the existing BIND 8
- <filename>named.conf</filename> file.
- </para>
- <para>
- If a more elaborate configuration than that
- generated by <command>rndc-confgen -a</command>
- is required, for example if rndc is to be used remotely,
- you should run <command>rndc-confgen</command> without the
- <command>-a</command> option and set up a
- <filename>rndc.conf</filename> and
- <filename>named.conf</filename>
- as directed.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-b <replaceable class="parameter">keysize</replaceable></term>
- <listitem>
- <para>
- Specifies the size of the authentication key in bits.
- Must be between 1 and 512 bits; the default is 128.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-c <replaceable class="parameter">keyfile</replaceable></term>
- <listitem>
- <para>
- Used with the <command>-a</command> option to specify
- an alternate location for <filename>rndc.key</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-h</term>
- <listitem>
- <para>
- Prints a short summary of the options and arguments to
- <command>rndc-confgen</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-k <replaceable class="parameter">keyname</replaceable></term>
- <listitem>
- <para>
- Specifies the key name of the rndc authentication key.
- This must be a valid domain name.
- The default is <constant>rndc-key</constant>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p <replaceable class="parameter">port</replaceable></term>
- <listitem>
- <para>
- Specifies the command channel port where <command>named</command>
- listens for connections from <command>rndc</command>.
- The default is 953.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-r <replaceable class="parameter">randomfile</replaceable></term>
- <listitem>
- <para>
- Specifies a source of random data for generating the
- authorization. If the operating
- system does not provide a <filename>/dev/random</filename>
- or equivalent device, the default source of randomness
- is keyboard input. <filename>randomdev</filename> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <filename>keyboard</filename> indicates that keyboard
- input should be used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s <replaceable class="parameter">address</replaceable></term>
- <listitem>
- <para>
- Specifies the IP address where <command>named</command>
- listens for command channel connections from
- <command>rndc</command>. The default is the loopback
- address 127.0.0.1.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
- <listitem>
- <para>
- Used with the <command>-a</command> option to specify
- a directory where <command>named</command> will run
- chrooted. An additional copy of the <filename>rndc.key</filename>
- will be written relative to this directory so that
- it will be found by the chrooted <command>named</command>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-u <replaceable class="parameter">user</replaceable></term>
- <listitem>
- <para>
- Used with the <command>-a</command> option to set the owner
- of the <filename>rndc.key</filename> file generated. If
- <command>-t</command> is also specified only the file in
- the chroot area has its owner changed.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
- </refsect1>
-
- <refsect1>
- <title>EXAMPLES</title>
- <para>
- To allow <command>rndc</command> to be used with
- no manual configuration, run
- </para>
- <para>
- <userinput>rndc-confgen -a</userinput>
- </para>
- <para>
- To print a sample <filename>rndc.conf</filename> file and
- corresponding <command>controls</command> and <command>key</command>
- statements to be manually inserted into <filename>named.conf</filename>,
- run
- </para>
- <para>
- <userinput>rndc-confgen</userinput>
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>rndc</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>rndc.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>named</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.html b/contrib/bind9/bin/rndc/rndc-confgen.html
deleted file mode 100644
index ca7540084196..000000000000
--- a/contrib/bind9/bin/rndc/rndc-confgen.html
+++ /dev/null
@@ -1,185 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.11 2005/10/13 02:33:51 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc-confgen</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc-confgen</span> &#8212; rndc key generation tool</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525911"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">rndc-confgen</strong></span> generates configuration files
- for <span><strong class="command">rndc</strong></span>. It can be used as a
- convenient alternative to writing the
- <code class="filename">rndc.conf</code> file
- and the corresponding <span><strong class="command">controls</strong></span>
- and <span><strong class="command">key</strong></span>
- statements in <code class="filename">named.conf</code> by hand.
- Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
- option to set up a <code class="filename">rndc.key</code> file and
- avoid the need for a <code class="filename">rndc.conf</code> file
- and a <span><strong class="command">controls</strong></span> statement altogether.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525957"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-a</span></dt>
-<dd>
-<p>
- Do automatic <span><strong class="command">rndc</strong></span> configuration.
- This creates a file <code class="filename">rndc.key</code>
- in <code class="filename">/etc</code> (or whatever
- <code class="varname">sysconfdir</code>
- was specified as when <span class="acronym">BIND</span> was built)
- that is read by both <span><strong class="command">rndc</strong></span>
- and <span><strong class="command">named</strong></span> on startup. The
- <code class="filename">rndc.key</code> file defines a default
- command channel and authentication key allowing
- <span><strong class="command">rndc</strong></span> to communicate with
- <span><strong class="command">named</strong></span> on the local host
- with no further configuration.
- </p>
-<p>
- Running <span><strong class="command">rndc-confgen -a</strong></span> allows
- BIND 9 and <span><strong class="command">rndc</strong></span> to be used as drop-in
- replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
- with no changes to the existing BIND 8
- <code class="filename">named.conf</code> file.
- </p>
-<p>
- If a more elaborate configuration than that
- generated by <span><strong class="command">rndc-confgen -a</strong></span>
- is required, for example if rndc is to be used remotely,
- you should run <span><strong class="command">rndc-confgen</strong></span> without the
- <span><strong class="command">-a</strong></span> option and set up a
- <code class="filename">rndc.conf</code> and
- <code class="filename">named.conf</code>
- as directed.
- </p>
-</dd>
-<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
-<dd><p>
- Specifies the size of the authentication key in bits.
- Must be between 1 and 512 bits; the default is 128.
- </p></dd>
-<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
-<dd><p>
- Used with the <span><strong class="command">-a</strong></span> option to specify
- an alternate location for <code class="filename">rndc.key</code>.
- </p></dd>
-<dt><span class="term">-h</span></dt>
-<dd><p>
- Prints a short summary of the options and arguments to
- <span><strong class="command">rndc-confgen</strong></span>.
- </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
-<dd><p>
- Specifies the key name of the rndc authentication key.
- This must be a valid domain name.
- The default is <code class="constant">rndc-key</code>.
- </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
- Specifies the command channel port where <span><strong class="command">named</strong></span>
- listens for connections from <span><strong class="command">rndc</strong></span>.
- The default is 953.
- </p></dd>
-<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
-<dd><p>
- Specifies a source of random data for generating the
- authorization. If the operating
- system does not provide a <code class="filename">/dev/random</code>
- or equivalent device, the default source of randomness
- is keyboard input. <code class="filename">randomdev</code> specifies
- the name of a character device or file containing random
- data to be used instead of the default. The special value
- <code class="filename">keyboard</code> indicates that keyboard
- input should be used.
- </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
-<dd><p>
- Specifies the IP address where <span><strong class="command">named</strong></span>
- listens for command channel connections from
- <span><strong class="command">rndc</strong></span>. The default is the loopback
- address 127.0.0.1.
- </p></dd>
-<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
-<dd><p>
- Used with the <span><strong class="command">-a</strong></span> option to specify
- a directory where <span><strong class="command">named</strong></span> will run
- chrooted. An additional copy of the <code class="filename">rndc.key</code>
- will be written relative to this directory so that
- it will be found by the chrooted <span><strong class="command">named</strong></span>.
- </p></dd>
-<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
-<dd><p>
- Used with the <span><strong class="command">-a</strong></span> option to set the owner
- of the <code class="filename">rndc.key</code> file generated. If
- <span><strong class="command">-t</strong></span> is also specified only the file in
- the chroot area has its owner changed.
- </p></dd>
-</dl></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526270"></a><h2>EXAMPLES</h2>
-<p>
- To allow <span><strong class="command">rndc</strong></span> to be used with
- no manual configuration, run
- </p>
-<p>
- <strong class="userinput"><code>rndc-confgen -a</code></strong>
- </p>
-<p>
- To print a sample <code class="filename">rndc.conf</code> file and
- corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
- statements to be manually inserted into <code class="filename">named.conf</code>,
- run
- </p>
-<p>
- <strong class="userinput"><code>rndc-confgen</code></strong>
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526314"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
- <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526357"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/rndc/rndc.8 b/contrib/bind9/bin/rndc/rndc.8
deleted file mode 100644
index fba5529e4053..000000000000
--- a/contrib/bind9/bin/rndc/rndc.8
+++ /dev/null
@@ -1,118 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: rndc.8,v 1.24.206.5 2005/10/13 02:33:49 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "RNDC" "8" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc \- name server control utility
-.SH "SYNOPSIS"
-.HP 5
-\fBrndc\fR [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-k\ \fR\fB\fIkey\-file\fR\fR] [\fB\-s\ \fR\fB\fIserver\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-V\fR] [\fB\-y\ \fR\fB\fIkey_id\fR\fR] {command}
-.SH "DESCRIPTION"
-.PP
-\fBrndc\fR
-controls the operation of a name server. It supersedes the
-\fBndc\fR
-utility that was provided in old BIND releases. If
-\fBrndc\fR
-is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
-.PP
-\fBrndc\fR
-communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of
-\fBrndc\fR
-and
-\fBnamed\fR
-named the only supported authentication algorithm is HMAC\-MD5, which uses a shared secret on each end of the connection. This provides TSIG\-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.
-.PP
-\fBrndc\fR
-reads a configuration file to determine how to contact the name server and decide what algorithm and key it should use.
-.SH "OPTIONS"
-.TP
-\-c \fIconfig\-file\fR
-Use
-\fIconfig\-file\fR
-as the configuration file instead of the default,
-\fI/etc/rndc.conf\fR.
-.TP
-\-k \fIkey\-file\fR
-Use
-\fIkey\-file\fR
-as the key file instead of the default,
-\fI/etc/rndc.key\fR. The key in
-\fI/etc/rndc.key\fR
-will be used to authenticate commands sent to the server if the
-\fIconfig\-file\fR
-does not exist.
-.TP
-\-s \fIserver\fR
-\fIserver\fR
-is the name or address of the server which matches a server statement in the configuration file for
-\fBrndc\fR. If no server is supplied on the command line, the host named by the default\-server clause in the option statement of the configuration file will be used.
-.TP
-\-p \fIport\fR
-Send commands to TCP port
-\fIport\fR
-instead of BIND 9's default control channel port, 953.
-.TP
-\-V
-Enable verbose logging.
-.TP
-\-y \fIkeyid\fR
-Use the key
-\fIkeyid\fR
-from the configuration file.
-\fIkeyid\fR
-must be known by named with the same algorithm and secret string in order for control message validation to succeed. If no
-\fIkeyid\fR
-is specified,
-\fBrndc\fR
-will first look for a key clause in the server statement of the server being used, or if no server statement is present for that host, then the default\-key clause of the options statement. Note that the configuration file contains shared secrets which are used to send authenticated control commands to name servers. It should therefore not have general read or write access.
-.PP
-For the complete set of commands supported by
-\fBrndc\fR, see the BIND 9 Administrator Reference Manual or run
-\fBrndc\fR
-without arguments to see its help message.
-.SH "LIMITATIONS"
-.PP
-\fBrndc\fR
-does not yet support all the commands of the BIND 8
-\fBndc\fR
-utility.
-.PP
-There is currently no way to provide the shared secret for a
-\fBkey_id\fR
-without using the configuration file.
-.PP
-Several error messages could be clearer.
-.SH "SEE ALSO"
-.PP
-\fBrndc.conf\fR(5),
-\fBnamed\fR(8),
-\fBnamed.conf\fR(5)\fBndc\fR(8),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c
deleted file mode 100644
index 63e8f23b9ff5..000000000000
--- a/contrib/bind9/bin/rndc/rndc.c
+++ /dev/null
@@ -1,688 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rndc.c,v 1.77.2.5.2.15 2005/03/17 03:58:27 marka Exp $ */
-
-/*
- * Principal Author: DCL
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/app.h>
-#include <isc/buffer.h>
-#include <isc/commandline.h>
-#include <isc/file.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/random.h>
-#include <isc/socket.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include <isccfg/namedconf.h>
-
-#include <isccc/alist.h>
-#include <isccc/base64.h>
-#include <isccc/cc.h>
-#include <isccc/ccmsg.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/types.h>
-#include <isccc/util.h>
-
-#include <bind9/getaddresses.h>
-
-#include "util.h"
-
-#define SERVERADDRS 10
-
-char *progname;
-isc_boolean_t verbose;
-
-static const char *admin_conffile;
-static const char *admin_keyfile;
-static const char *version = VERSION;
-static const char *servername = NULL;
-static isc_sockaddr_t serveraddrs[SERVERADDRS];
-static int nserveraddrs;
-static int currentaddr = 0;
-static unsigned int remoteport = 0;
-static isc_socketmgr_t *socketmgr = NULL;
-static unsigned char databuf[2048];
-static isccc_ccmsg_t ccmsg;
-static isccc_region_t secret;
-static isc_boolean_t failed = ISC_FALSE;
-static isc_mem_t *mctx;
-static int sends, recvs, connects;
-static char *command;
-static char *args;
-static char program[256];
-static isc_socket_t *sock = NULL;
-static isc_uint32_t serial;
-
-static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task);
-
-static void
-usage(int status) {
- fprintf(stderr, "\
-Usage: %s [-c config] [-s server] [-p port]\n\
- [-k key-file ] [-y key] [-V] command\n\
-\n\
-command is one of the following:\n\
-\n\
- reload Reload configuration file and zones.\n\
- reload zone [class [view]]\n\
- Reload a single zone.\n\
- refresh zone [class [view]]\n\
- Schedule immediate maintenance for a zone.\n\
- retransfer zone [class [view]]\n\
- Retransfer a single zone without checking serial number.\n\
- freeze zone [class [view]]\n\
- Suspend updates to a dynamic zone.\n\
- thaw zone [class [view]]\n\
- Enable updates to a frozen dynamic zone and reload it.\n\
- reconfig Reload configuration file and new zones only.\n\
- stats Write server statistics to the statistics file.\n\
- querylog Toggle query logging.\n\
- dumpdb [-all|-cache|-zones] [view ...]\n\
- Dump cache(s) to the dump file (named_dump.db).\n\
- stop Save pending updates to master files and stop the server.\n\
- stop -p Save pending updates to master files and stop the server\n\
- reporting process id.\n\
- halt Stop the server without saving pending updates.\n\
- halt -p Stop the server without saving pending updates reporting\n\
- process id.\n\
- trace Increment debugging level by one.\n\
- trace level Change the debugging level.\n\
- notrace Set debugging level to 0.\n\
- flush Flushes all of the server's caches.\n\
- flush [view] Flushes the server's cache for a view.\n\
- flushname name [view]\n\
- Flush the given name from the server's cache(s)\n\
- status Display status of the server.\n\
- recursing Dump the queries that are currently recursing (named.recursing)\n\
- *restart Restart the server.\n\
-\n\
-* == not yet implemented\n\
-Version: %s\n",
- progname, version);
-
- exit(status);
-}
-
-static void
-get_addresses(const char *host, in_port_t port) {
- isc_result_t result;
-
- isc_app_block();
- result = bind9_getaddresses(servername, port,
- serveraddrs, SERVERADDRS, &nserveraddrs);
- isc_app_unblock();
- if (result != ISC_R_SUCCESS)
- fatal("couldn't get address for '%s': %s",
- host, isc_result_totext(result));
- INSIST(nserveraddrs > 0);
-}
-
-static void
-rndc_senddone(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *)event;
-
- UNUSED(task);
-
- sends--;
- if (sevent->result != ISC_R_SUCCESS)
- fatal("send failed: %s", isc_result_totext(sevent->result));
- isc_event_free(&event);
-}
-
-static void
-rndc_recvdone(isc_task_t *task, isc_event_t *event) {
- isccc_sexpr_t *response = NULL;
- isccc_sexpr_t *data;
- isccc_region_t source;
- char *errormsg = NULL;
- char *textmsg = NULL;
- isc_result_t result;
-
- recvs--;
-
- if (ccmsg.result == ISC_R_EOF)
- fatal("connection to remote host closed\n"
- "This may indicate that the remote server is using "
- "an older version of \n"
- "the command protocol, this host is not authorized "
- "to connect,\nor the key is invalid.");
-
- if (ccmsg.result != ISC_R_SUCCESS)
- fatal("recv failed: %s", isc_result_totext(ccmsg.result));
-
- source.rstart = isc_buffer_base(&ccmsg.buffer);
- source.rend = isc_buffer_used(&ccmsg.buffer);
-
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
-
- data = isccc_alist_lookup(response, "_data");
- if (data == NULL)
- fatal("no data section in response");
- result = isccc_cc_lookupstring(data, "err", &errormsg);
- if (result == ISC_R_SUCCESS) {
- failed = ISC_TRUE;
- fprintf(stderr, "%s: '%s' failed: %s\n",
- progname, command, errormsg);
- }
- else if (result != ISC_R_NOTFOUND)
- fprintf(stderr, "%s: parsing response failed: %s\n",
- progname, isc_result_totext(result));
-
- result = isccc_cc_lookupstring(data, "text", &textmsg);
- if (result == ISC_R_SUCCESS)
- printf("%s\n", textmsg);
- else if (result != ISC_R_NOTFOUND)
- fprintf(stderr, "%s: parsing response failed: %s\n",
- progname, isc_result_totext(result));
-
- isc_event_free(&event);
- isccc_sexpr_free(&response);
- isc_socket_detach(&sock);
- isc_task_shutdown(task);
- RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
-}
-
-static void
-rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
- isccc_sexpr_t *response = NULL;
- isccc_sexpr_t *_ctrl;
- isccc_region_t source;
- isc_result_t result;
- isc_uint32_t nonce;
- isccc_sexpr_t *request = NULL;
- isccc_time_t now;
- isc_region_t r;
- isccc_sexpr_t *data;
- isccc_region_t message;
- isc_uint32_t len;
- isc_buffer_t b;
-
- recvs--;
-
- if (ccmsg.result == ISC_R_EOF)
- fatal("connection to remote host closed\n"
- "This may indicate that the remote server is using "
- "an older version of \n"
- "the command protocol, this host is not authorized "
- "to connect,\nor the key is invalid.");
-
- if (ccmsg.result != ISC_R_SUCCESS)
- fatal("recv failed: %s", isc_result_totext(ccmsg.result));
-
- source.rstart = isc_buffer_base(&ccmsg.buffer);
- source.rend = isc_buffer_used(&ccmsg.buffer);
-
- DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
-
- _ctrl = isccc_alist_lookup(response, "_ctrl");
- if (_ctrl == NULL)
- fatal("_ctrl section missing");
- nonce = 0;
- if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
- nonce = 0;
-
- isc_stdtime_get(&now);
-
- DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
- now, now + 60, &request));
- data = isccc_alist_lookup(request, "_data");
- if (data == NULL)
- fatal("_data section missing");
- if (isccc_cc_definestring(data, "type", args) == NULL)
- fatal("out of memory");
- if (nonce != 0) {
- _ctrl = isccc_alist_lookup(request, "_ctrl");
- if (_ctrl == NULL)
- fatal("_ctrl section missing");
- if (isccc_cc_defineuint32(_ctrl, "_nonce", nonce) == NULL)
- fatal("out of memory");
- }
- message.rstart = databuf + 4;
- message.rend = databuf + sizeof(databuf);
- DO("render message", isccc_cc_towire(request, &message, &secret));
- len = sizeof(databuf) - REGION_SIZE(message);
- isc_buffer_init(&b, databuf, 4);
- isc_buffer_putuint32(&b, len - 4);
- r.length = len;
- r.base = databuf;
-
- isccc_ccmsg_cancelread(&ccmsg);
- DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
- rndc_recvdone, NULL));
- recvs++;
- DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
- NULL));
- sends++;
-
- isc_event_free(&event);
- isccc_sexpr_free(&response);
- return;
-}
-
-static void
-rndc_connected(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *)event;
- isccc_sexpr_t *request = NULL;
- isccc_sexpr_t *data;
- isccc_time_t now;
- isccc_region_t message;
- isc_region_t r;
- isc_uint32_t len;
- isc_buffer_t b;
- isc_result_t result;
-
- connects--;
-
- if (sevent->result != ISC_R_SUCCESS) {
- if (sevent->result != ISC_R_CANCELED &&
- currentaddr < nserveraddrs)
- {
- notify("connection failed: %s",
- isc_result_totext(sevent->result));
- isc_socket_detach(&sock);
- isc_event_free(&event);
- rndc_startconnect(&serveraddrs[currentaddr++], task);
- return;
- } else
- fatal("connect failed: %s",
- isc_result_totext(sevent->result));
- }
-
- isc_stdtime_get(&now);
- DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
- now, now + 60, &request));
- data = isccc_alist_lookup(request, "_data");
- if (data == NULL)
- fatal("_data section missing");
- if (isccc_cc_definestring(data, "type", "null") == NULL)
- fatal("out of memory");
- message.rstart = databuf + 4;
- message.rend = databuf + sizeof(databuf);
- DO("render message", isccc_cc_towire(request, &message, &secret));
- len = sizeof(databuf) - REGION_SIZE(message);
- isc_buffer_init(&b, databuf, 4);
- isc_buffer_putuint32(&b, len - 4);
- r.length = len;
- r.base = databuf;
-
- isccc_ccmsg_init(mctx, sock, &ccmsg);
- isccc_ccmsg_setmaxsize(&ccmsg, 1024);
-
- DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
- rndc_recvnonce, NULL));
- recvs++;
- DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
- NULL));
- sends++;
- isc_event_free(&event);
-}
-
-static void
-rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
- isc_result_t result;
-
- char socktext[ISC_SOCKADDR_FORMATSIZE];
-
- isc_sockaddr_format(addr, socktext, sizeof(socktext));
-
- notify("using server %s (%s)", servername, socktext);
-
- DO("create socket", isc_socket_create(socketmgr,
- isc_sockaddr_pf(addr),
- isc_sockettype_tcp, &sock));
- DO("connect", isc_socket_connect(sock, addr, task, rndc_connected,
- NULL));
- connects++;
-}
-
-static void
-rndc_start(isc_task_t *task, isc_event_t *event) {
- isc_event_free(&event);
-
- get_addresses(servername, (in_port_t) remoteport);
-
- currentaddr = 0;
- rndc_startconnect(&serveraddrs[currentaddr++], task);
-}
-
-static void
-parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
- cfg_parser_t **pctxp, cfg_obj_t **configp)
-{
- isc_result_t result;
- const char *conffile = admin_conffile;
- cfg_obj_t *defkey = NULL;
- cfg_obj_t *options = NULL;
- cfg_obj_t *servers = NULL;
- cfg_obj_t *server = NULL;
- cfg_obj_t *keys = NULL;
- cfg_obj_t *key = NULL;
- cfg_obj_t *defport = NULL;
- cfg_obj_t *secretobj = NULL;
- cfg_obj_t *algorithmobj = NULL;
- cfg_obj_t *config = NULL;
- cfg_listelt_t *elt;
- const char *secretstr;
- const char *algorithm;
- static char secretarray[1024];
- const cfg_type_t *conftype = &cfg_type_rndcconf;
- isc_boolean_t key_only = ISC_FALSE;
-
- if (! isc_file_exists(conffile)) {
- conffile = admin_keyfile;
- conftype = &cfg_type_rndckey;
-
- if (! isc_file_exists(conffile))
- fatal("neither %s nor %s was found",
- admin_conffile, admin_keyfile);
- key_only = ISC_TRUE;
- }
-
- DO("create parser", cfg_parser_create(mctx, log, pctxp));
-
- /*
- * The parser will output its own errors, so DO() is not used.
- */
- result = cfg_parse_file(*pctxp, conffile, conftype, &config);
- if (result != ISC_R_SUCCESS)
- fatal("could not load rndc configuration");
-
- if (!key_only)
- (void)cfg_map_get(config, "options", &options);
-
- if (key_only && servername == NULL)
- servername = "127.0.0.1";
- else if (servername == NULL && options != NULL) {
- cfg_obj_t *defserverobj = NULL;
- (void)cfg_map_get(options, "default-server", &defserverobj);
- if (defserverobj != NULL)
- servername = cfg_obj_asstring(defserverobj);
- }
-
- if (servername == NULL)
- fatal("no server specified and no default");
-
- if (!key_only) {
- (void)cfg_map_get(config, "server", &servers);
- if (servers != NULL) {
- for (elt = cfg_list_first(servers);
- elt != NULL;
- elt = cfg_list_next(elt))
- {
- const char *name;
- server = cfg_listelt_value(elt);
- name = cfg_obj_asstring(cfg_map_getname(server));
- if (strcasecmp(name, servername) == 0)
- break;
- server = NULL;
- }
- }
- }
-
- /*
- * Look for the name of the key to use.
- */
- if (keyname != NULL)
- ; /* Was set on command line, do nothing. */
- else if (server != NULL) {
- DO("get key for server", cfg_map_get(server, "key", &defkey));
- keyname = cfg_obj_asstring(defkey);
- } else if (options != NULL) {
- DO("get default key", cfg_map_get(options, "default-key",
- &defkey));
- keyname = cfg_obj_asstring(defkey);
- } else if (!key_only)
- fatal("no key for server and no default");
-
- /*
- * Get the key's definition.
- */
- if (key_only)
- DO("get key", cfg_map_get(config, "key", &key));
- else {
- DO("get config key list", cfg_map_get(config, "key", &keys));
- for (elt = cfg_list_first(keys);
- elt != NULL;
- elt = cfg_list_next(elt))
- {
- key = cfg_listelt_value(elt);
- if (strcasecmp(cfg_obj_asstring(cfg_map_getname(key)),
- keyname) == 0)
- break;
- }
- if (elt == NULL)
- fatal("no key definition for name %s", keyname);
- }
- (void)cfg_map_get(key, "secret", &secretobj);
- (void)cfg_map_get(key, "algorithm", &algorithmobj);
- if (secretobj == NULL || algorithmobj == NULL)
- fatal("key must have algorithm and secret");
-
- secretstr = cfg_obj_asstring(secretobj);
- algorithm = cfg_obj_asstring(algorithmobj);
-
- if (strcasecmp(algorithm, "hmac-md5") != 0)
- fatal("unsupported algorithm: %s", algorithm);
-
- secret.rstart = (unsigned char *)secretarray;
- secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
- DO("decode base64 secret", isccc_base64_decode(secretstr, &secret));
- secret.rend = secret.rstart;
- secret.rstart = (unsigned char *)secretarray;
-
- /*
- * Find the port to connect to.
- */
- if (remoteport != 0)
- ; /* Was set on command line, do nothing. */
- else {
- if (server != NULL)
- (void)cfg_map_get(server, "port", &defport);
- if (defport == NULL && options != NULL)
- (void)cfg_map_get(options, "default-port", &defport);
- }
- if (defport != NULL) {
- remoteport = cfg_obj_asuint32(defport);
- if (remoteport > 65535 || remoteport == 0)
- fatal("port %d out of range", remoteport);
- } else if (remoteport == 0)
- remoteport = NS_CONTROL_PORT;
-
- *configp = config;
-}
-
-int
-main(int argc, char **argv) {
- isc_boolean_t show_final_mem = ISC_FALSE;
- isc_result_t result = ISC_R_SUCCESS;
- isc_taskmgr_t *taskmgr = NULL;
- isc_task_t *task = NULL;
- isc_log_t *log = NULL;
- isc_logconfig_t *logconfig = NULL;
- isc_logdestination_t logdest;
- cfg_parser_t *pctx = NULL;
- cfg_obj_t *config = NULL;
- const char *keyname = NULL;
- char *p;
- size_t argslen;
- int ch;
- int i;
-
- result = isc_file_progname(*argv, program, sizeof(program));
- if (result != ISC_R_SUCCESS)
- memcpy(program, "rndc", 5);
- progname = program;
-
- admin_conffile = RNDC_CONFFILE;
- admin_keyfile = RNDC_KEYFILE;
-
- result = isc_app_start();
- if (result != ISC_R_SUCCESS)
- fatal("isc_app_start() failed: %s", isc_result_totext(result));
-
- while ((ch = isc_commandline_parse(argc, argv, "c:k:Mmp:s:Vy:"))
- != -1) {
- switch (ch) {
- case 'c':
- admin_conffile = isc_commandline_argument;
- break;
-
- case 'k':
- admin_keyfile = isc_commandline_argument;
- break;
-
- case 'M':
- isc_mem_debugging = ISC_MEM_DEBUGTRACE;
- break;
-
- case 'm':
- show_final_mem = ISC_TRUE;
- break;
-
- case 'p':
- remoteport = atoi(isc_commandline_argument);
- if (remoteport > 65535 || remoteport == 0)
- fatal("port '%s' out of range",
- isc_commandline_argument);
- break;
-
- case 's':
- servername = isc_commandline_argument;
- break;
- case 'V':
- verbose = ISC_TRUE;
- break;
- case 'y':
- keyname = isc_commandline_argument;
- break;
- case '?':
- usage(0);
- break;
- default:
- fatal("unexpected error parsing command arguments: "
- "got %c\n", ch);
- break;
- }
- }
-
- argc -= isc_commandline_index;
- argv += isc_commandline_index;
-
- if (argc < 1)
- usage(1);
-
- isc_random_get(&serial);
-
- DO("create memory context", isc_mem_create(0, 0, &mctx));
- DO("create socket manager", isc_socketmgr_create(mctx, &socketmgr));
- DO("create task manager", isc_taskmgr_create(mctx, 1, 0, &taskmgr));
- DO("create task", isc_task_create(taskmgr, 0, &task));
-
- DO("create logging context", isc_log_create(mctx, &log, &logconfig));
- isc_log_setcontext(log);
- DO("setting log tag", isc_log_settag(logconfig, progname));
- logdest.file.stream = stderr;
- logdest.file.name = NULL;
- logdest.file.versions = ISC_LOG_ROLLNEVER;
- logdest.file.maximum_size = 0;
- DO("creating log channel",
- isc_log_createchannel(logconfig, "stderr",
- ISC_LOG_TOFILEDESC, ISC_LOG_INFO, &logdest,
- ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL));
- DO("enabling log channel", isc_log_usechannel(logconfig, "stderr",
- NULL, NULL));
-
- parse_config(mctx, log, keyname, &pctx, &config);
-
- isccc_result_register();
-
- command = *argv;
-
- /*
- * Convert argc/argv into a space-delimited command string
- * similar to what the user might enter in interactive mode
- * (if that were implemented).
- */
- argslen = 0;
- for (i = 0; i < argc; i++)
- argslen += strlen(argv[i]) + 1;
-
- args = isc_mem_get(mctx, argslen);
- if (args == NULL)
- DO("isc_mem_get", ISC_R_NOMEMORY);
-
- p = args;
- for (i = 0; i < argc; i++) {
- size_t len = strlen(argv[i]);
- memcpy(p, argv[i], len);
- p += len;
- *p++ = ' ';
- }
-
- p--;
- *p++ = '\0';
- INSIST(p == args + argslen);
-
- notify("%s", command);
-
- if (strcmp(command, "restart") == 0)
- fatal("'%s' is not implemented", command);
-
- DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL));
-
- result = isc_app_run();
- if (result != ISC_R_SUCCESS)
- fatal("isc_app_run() failed: %s", isc_result_totext(result));
-
- if (connects > 0 || sends > 0 || recvs > 0)
- isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
-
- isc_task_detach(&task);
- isc_taskmgr_destroy(&taskmgr);
- isc_socketmgr_destroy(&socketmgr);
- isc_log_destroy(&log);
- isc_log_setcontext(NULL);
-
- cfg_obj_destroy(pctx, &config);
- cfg_parser_destroy(&pctx);
-
- isc_mem_put(mctx, args, argslen);
- isccc_ccmsg_invalidate(&ccmsg);
-
- if (show_final_mem)
- isc_mem_stats(mctx, stderr);
-
- isc_mem_destroy(&mctx);
-
- if (failed)
- return (1);
-
- return (0);
-}
diff --git a/contrib/bind9/bin/rndc/rndc.conf b/contrib/bind9/bin/rndc/rndc.conf
deleted file mode 100644
index 1dc56074d715..000000000000
--- a/contrib/bind9/bin/rndc/rndc.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rndc.conf,v 1.7.206.1 2004/03/06 10:21:32 marka Exp $ */
-
-/*
- * Sample rndc configuration file.
- */
-
-options {
- default-server localhost;
- default-key "key";
-};
-
-server localhost {
- key "key";
-};
-
-key "key" {
- algorithm hmac-md5;
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
diff --git a/contrib/bind9/bin/rndc/rndc.conf.5 b/contrib/bind9/bin/rndc/rndc.conf.5
deleted file mode 100644
index 1c21e363d61a..000000000000
--- a/contrib/bind9/bin/rndc/rndc.conf.5
+++ /dev/null
@@ -1,154 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: rndc.conf.5,v 1.21.206.5 2005/10/13 02:33:50 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "\\FIRNDC.CONF\\FR" "5" "June 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-rndc.conf \- rndc configuration file
-.SH "SYNOPSIS"
-.HP 10
-\fBrndc.conf\fR
-.SH "DESCRIPTION"
-.PP
-\fIrndc.conf\fR
-is the configuration file for
-\fBrndc\fR, the BIND 9 name server control utility. This file has a similar structure and syntax to
-\fInamed.conf\fR. Statements are enclosed in braces and terminated with a semi\-colon. Clauses in the statements are also semi\-colon terminated. The usual comment styles are supported:
-.PP
-C style: /* */
-.PP
-C++ style: // to end of line
-.PP
-Unix style: # to end of line
-.PP
-\fIrndc.conf\fR
-is much simpler than
-\fInamed.conf\fR. The file uses three statements: an options statement, a server statement and a key statement.
-.PP
-The
-\fBoptions\fR
-statement contains three clauses. The
-\fBdefault\-server\fR
-clause is followed by the name or address of a name server. This host will be used when no name server is given as an argument to
-\fBrndc\fR. The
-\fBdefault\-key\fR
-clause is followed by the name of a key which is identified by a
-\fBkey\fR
-statement. If no
-\fBkeyid\fR
-is provided on the rndc command line, and no
-\fBkey\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default key will be used to authenticate the server's commands and responses. The
-\fBdefault\-port\fR
-clause is followed by the port to connect to on the remote name server. If no
-\fBport\fR
-option is provided on the rndc command line, and no
-\fBport\fR
-clause is found in a matching
-\fBserver\fR
-statement, this default port will be used to connect.
-.PP
-After the
-\fBserver\fR
-keyword, the server statement includes a string which is the hostname or address for a name server. The statement has two possible clauses:
-\fBkey\fR
-and
-\fBport\fR. The key name must match the name of a key statement in the file. The port number specifies the port to connect to.
-.PP
-The
-\fBkey\fR
-statement begins with an identifying string, the name of the key. The statement has two clauses.
-\fBalgorithm\fR
-identifies the encryption algorithm for
-\fBrndc\fR
-to use; currently only HMAC\-MD5 is supported. This is followed by a secret clause which contains the base\-64 encoding of the algorithm's encryption key. The base\-64 string is enclosed in double quotes.
-.PP
-There are two common ways to generate the base\-64 string for the secret. The BIND 9 program
-\fBrndc\-confgen\fR
-can be used to generate a random key, or the
-\fBmmencode\fR
-program, also known as
-\fBmimencode\fR, can be used to generate a base\-64 string from known input.
-\fBmmencode\fR
-does not ship with BIND 9 but is available on many systems. See the EXAMPLE section for sample command lines for each.
-.SH "EXAMPLE"
-.sp
-.nf
- options {
- default\-server localhost;
- default\-key samplekey;
- };
- server localhost {
- key samplekey;
- };
- key samplekey {
- algorithm hmac\-md5;
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
- };
-.fi
-.PP
-In the above example,
-\fBrndc\fR
-will by default use the server at localhost (127.0.0.1) and the key called samplekey. Commands to the localhost server will use the samplekey key, which must also be defined in the server's configuration file with the same name and secret. The key statement indicates that samplekey uses the HMAC\-MD5 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-MD5 secret enclosed in double quotes.
-.PP
-To generate a random secret with
-\fBrndc\-confgen\fR:
-.PP
-\fBrndc\-confgen\fR
-.PP
-A complete
-\fIrndc.conf\fR
-file, including the randomly generated key, will be written to the standard output. Commented out
-\fBkey\fR
-and
-\fBcontrols\fR
-statements for
-\fInamed.conf\fR
-are also printed.
-.PP
-To generate a base\-64 secret with
-\fBmmencode\fR:
-.PP
-\fBecho "known plaintext for a secret" | mmencode\fR
-.SH "NAME SERVER CONFIGURATION"
-.PP
-The name server must be configured to accept rndc connections and to recognize the key specified in the
-\fIrndc.conf\fR
-file, using the controls statement in
-\fInamed.conf\fR. See the sections on the
-\fBcontrols\fR
-statement in the BIND 9 Administrator Reference Manual for details.
-.SH "SEE ALSO"
-.PP
-\fBrndc\fR(8),
-\fBrndc\-confgen\fR(8),
-\fBmmencode\fR(1),
-BIND 9 Administrator Reference Manual.
-.SH "AUTHOR"
-.PP
-Internet Systems Consortium
diff --git a/contrib/bind9/bin/rndc/rndc.conf.docbook b/contrib/bind9/bin/rndc/rndc.conf.docbook
deleted file mode 100644
index 16b9caf43cbe..000000000000
--- a/contrib/bind9/bin/rndc/rndc.conf.docbook
+++ /dev/null
@@ -1,225 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: rndc.conf.docbook,v 1.4.206.4 2005/05/12 21:36:04 sra Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><filename>rndc.conf</filename></refentrytitle>
- <manvolnum>5</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><filename>rndc.conf</filename></refname>
- <refpurpose>rndc configuration file</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>rndc.conf</command>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <filename>rndc.conf</filename> is the configuration file
- for <command>rndc</command>, the BIND 9 name server control
- utility. This file has a similar structure and syntax to
- <filename>named.conf</filename>. Statements are enclosed
- in braces and terminated with a semi-colon. Clauses in
- the statements are also semi-colon terminated. The usual
- comment styles are supported:
- </para>
- <para>
- C style: /* */
- </para>
- <para>
- C++ style: // to end of line
- </para>
- <para>
- Unix style: # to end of line
- </para>
- <para>
- <filename>rndc.conf</filename> is much simpler than
- <filename>named.conf</filename>. The file uses three
- statements: an options statement, a server statement
- and a key statement.
- </para>
- <para>
- The <option>options</option> statement contains three clauses.
- The <option>default-server</option> clause is followed by the
- name or address of a name server. This host will be used when
- no name server is given as an argument to
- <command>rndc</command>. The <option>default-key</option>
- clause is followed by the name of a key which is identified by
- a <option>key</option> statement. If no
- <option>keyid</option> is provided on the rndc command line,
- and no <option>key</option> clause is found in a matching
- <option>server</option> statement, this default key will be
- used to authenticate the server's commands and responses. The
- <option>default-port</option> clause is followed by the port
- to connect to on the remote name server. If no
- <option>port</option> option is provided on the rndc command
- line, and no <option>port</option> clause is found in a
- matching <option>server</option> statement, this default port
- will be used to connect.
- </para>
- <para>
- After the <option>server</option> keyword, the server statement
- includes a string which is the hostname or address for a name
- server. The statement has two possible clauses:
- <option>key</option> and <option>port</option>. The key name must
- match the name of a key statement in the file. The port number
- specifies the port to connect to.
- </para>
- <para>
- The <option>key</option> statement begins with an identifying
- string, the name of the key. The statement has two clauses.
- <option>algorithm</option> identifies the encryption algorithm
- for <command>rndc</command> to use; currently only HMAC-MD5 is
- supported. This is followed by a secret clause which contains
- the base-64 encoding of the algorithm's encryption key. The
- base-64 string is enclosed in double quotes.
- </para>
- <para>
- There are two common ways to generate the base-64 string for the
- secret. The BIND 9 program <command>rndc-confgen</command> can
- be used to generate a random key, or the
- <command>mmencode</command> program, also known as
- <command>mimencode</command>, can be used to generate a base-64
- string from known input. <command>mmencode</command> does not
- ship with BIND 9 but is available on many systems. See the
- EXAMPLE section for sample command lines for each.
- </para>
- </refsect1>
-
- <refsect1>
- <title>EXAMPLE</title>
-
- <programlisting>
- options {
- default-server localhost;
- default-key samplekey;
- };
-
- server localhost {
- key samplekey;
- };
-
- key samplekey {
- algorithm hmac-md5;
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
- };
- </programlisting>
-
- <para>
- In the above example, <command>rndc</command> will by default use
- the server at localhost (127.0.0.1) and the key called samplekey.
- Commands to the localhost server will use the samplekey key, which
- must also be defined in the server's configuration file with the
- same name and secret. The key statement indicates that samplekey
- uses the HMAC-MD5 algorithm and its secret clause contains the
- base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
- </para>
- <para>
- To generate a random secret with <command>rndc-confgen</command>:
- </para>
- <para>
- <userinput>rndc-confgen</userinput>
- </para>
- <para>
- A complete <filename>rndc.conf</filename> file, including the
- randomly generated key, will be written to the standard
- output. Commented out <option>key</option> and
- <option>controls</option> statements for
- <filename>named.conf</filename> are also printed.
- </para>
- <para>
- To generate a base-64 secret with <command>mmencode</command>:
- </para>
- <para>
- <userinput>echo "known plaintext for a secret" | mmencode</userinput>
- </para>
- </refsect1>
-
- <refsect1>
- <title>NAME SERVER CONFIGURATION</title>
- <para>
- The name server must be configured to accept rndc connections and
- to recognize the key specified in the <filename>rndc.conf</filename>
- file, using the controls statement in <filename>named.conf</filename>.
- See the sections on the <option>controls</option> statement in the
- BIND 9 Administrator Reference Manual for details.
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>rndc</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>rndc-confgen</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>mmencode</refentrytitle>
- <manvolnum>1</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
-
diff --git a/contrib/bind9/bin/rndc/rndc.conf.html b/contrib/bind9/bin/rndc/rndc.conf.html
deleted file mode 100644
index 05db0eca644c..000000000000
--- a/contrib/bind9/bin/rndc/rndc.conf.html
+++ /dev/null
@@ -1,179 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: rndc.conf.html,v 1.5.2.1.4.10 2005/10/13 02:33:51 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc.conf</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><code class="filename">rndc.conf</code> &#8212; rndc configuration file</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525833"></a><h2>DESCRIPTION</h2>
-<p>
- <code class="filename">rndc.conf</code> is the configuration file
- for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
- utility. This file has a similar structure and syntax to
- <code class="filename">named.conf</code>. Statements are enclosed
- in braces and terminated with a semi-colon. Clauses in
- the statements are also semi-colon terminated. The usual
- comment styles are supported:
- </p>
-<p>
- C style: /* */
- </p>
-<p>
- C++ style: // to end of line
- </p>
-<p>
- Unix style: # to end of line
- </p>
-<p>
- <code class="filename">rndc.conf</code> is much simpler than
- <code class="filename">named.conf</code>. The file uses three
- statements: an options statement, a server statement
- and a key statement.
- </p>
-<p>
- The <code class="option">options</code> statement contains three clauses.
- The <code class="option">default-server</code> clause is followed by the
- name or address of a name server. This host will be used when
- no name server is given as an argument to
- <span><strong class="command">rndc</strong></span>. The <code class="option">default-key</code>
- clause is followed by the name of a key which is identified by
- a <code class="option">key</code> statement. If no
- <code class="option">keyid</code> is provided on the rndc command line,
- and no <code class="option">key</code> clause is found in a matching
- <code class="option">server</code> statement, this default key will be
- used to authenticate the server's commands and responses. The
- <code class="option">default-port</code> clause is followed by the port
- to connect to on the remote name server. If no
- <code class="option">port</code> option is provided on the rndc command
- line, and no <code class="option">port</code> clause is found in a
- matching <code class="option">server</code> statement, this default port
- will be used to connect.
- </p>
-<p>
- After the <code class="option">server</code> keyword, the server statement
- includes a string which is the hostname or address for a name
- server. The statement has two possible clauses:
- <code class="option">key</code> and <code class="option">port</code>. The key name must
- match the name of a key statement in the file. The port number
- specifies the port to connect to.
- </p>
-<p>
- The <code class="option">key</code> statement begins with an identifying
- string, the name of the key. The statement has two clauses.
- <code class="option">algorithm</code> identifies the encryption algorithm
- for <span><strong class="command">rndc</strong></span> to use; currently only HMAC-MD5 is
- supported. This is followed by a secret clause which contains
- the base-64 encoding of the algorithm's encryption key. The
- base-64 string is enclosed in double quotes.
- </p>
-<p>
- There are two common ways to generate the base-64 string for the
- secret. The BIND 9 program <span><strong class="command">rndc-confgen</strong></span> can
- be used to generate a random key, or the
- <span><strong class="command">mmencode</strong></span> program, also known as
- <span><strong class="command">mimencode</strong></span>, can be used to generate a base-64
- string from known input. <span><strong class="command">mmencode</strong></span> does not
- ship with BIND 9 but is available on many systems. See the
- EXAMPLE section for sample command lines for each.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525968"></a><h2>EXAMPLE</h2>
-<pre class="programlisting">
- options {
- default-server localhost;
- default-key samplekey;
- };
-
- server localhost {
- key samplekey;
- };
-
- key samplekey {
- algorithm hmac-md5;
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
- };
- </pre>
-<p>
- In the above example, <span><strong class="command">rndc</strong></span> will by default use
- the server at localhost (127.0.0.1) and the key called samplekey.
- Commands to the localhost server will use the samplekey key, which
- must also be defined in the server's configuration file with the
- same name and secret. The key statement indicates that samplekey
- uses the HMAC-MD5 algorithm and its secret clause contains the
- base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
- </p>
-<p>
- To generate a random secret with <span><strong class="command">rndc-confgen</strong></span>:
- </p>
-<p>
- <strong class="userinput"><code>rndc-confgen</code></strong>
- </p>
-<p>
- A complete <code class="filename">rndc.conf</code> file, including the
- randomly generated key, will be written to the standard
- output. Commented out <code class="option">key</code> and
- <code class="option">controls</code> statements for
- <code class="filename">named.conf</code> are also printed.
- </p>
-<p>
- To generate a base-64 secret with <span><strong class="command">mmencode</strong></span>:
- </p>
-<p>
- <strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526028"></a><h2>NAME SERVER CONFIGURATION</h2>
-<p>
- The name server must be configured to accept rndc connections and
- to recognize the key specified in the <code class="filename">rndc.conf</code>
- file, using the controls statement in <code class="filename">named.conf</code>.
- See the sections on the <code class="option">controls</code> statement in the
- BIND 9 Administrator Reference Manual for details.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526049"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526091"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/rndc/rndc.docbook b/contrib/bind9/bin/rndc/rndc.docbook
deleted file mode 100644
index afb88f5f6ea2..000000000000
--- a/contrib/bind9/bin/rndc/rndc.docbook
+++ /dev/null
@@ -1,243 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: rndc.docbook,v 1.7.206.4 2005/05/12 21:36:05 sra Exp $ -->
-
-<refentry>
- <refentryinfo>
- <date>June 30, 2000</date>
- </refentryinfo>
-
- <refmeta>
- <refentrytitle><application>rndc</application></refentrytitle>
- <manvolnum>8</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
- </refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
- <refnamediv>
- <refname><application>rndc</application></refname>
- <refpurpose>name server control utility</refpurpose>
- </refnamediv>
-
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>rndc</command>
- <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
- <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
- <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
- <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
- <arg><option>-V</option></arg>
- <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
- <arg choice="req">command</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
- <refsect1>
- <title>DESCRIPTION</title>
- <para>
- <command>rndc</command> controls the operation of a name
- server. It supersedes the <command>ndc</command> utility
- that was provided in old BIND releases. If
- <command>rndc</command> is invoked with no command line
- options or arguments, it prints a short summary of the
- supported commands and the available options and their
- arguments.
- </para>
- <para>
- <command>rndc</command> communicates with the name server
- over a TCP connection, sending commands authenticated with
- digital signatures. In the current versions of
- <command>rndc</command> and <command>named</command> named
- the only supported authentication algorithm is HMAC-MD5,
- which uses a shared secret on each end of the connection.
- This provides TSIG-style authentication for the command
- request and the name server's response. All commands sent
- over the channel must be signed by a key_id known to the
- server.
- </para>
- <para>
- <command>rndc</command> reads a configuration file to
- determine how to contact the name server and decide what
- algorithm and key it should use.
- </para>
- </refsect1>
-
- <refsect1>
- <title>OPTIONS</title>
-
- <variablelist>
- <varlistentry>
- <term>-c <replaceable class="parameter">config-file</replaceable></term>
- <listitem>
- <para>
- Use <replaceable class="parameter">config-file</replaceable>
- as the configuration file instead of the default,
- <filename>/etc/rndc.conf</filename>.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-k <replaceable class="parameter">key-file</replaceable></term>
- <listitem>
- <para>
- Use <replaceable class="parameter">key-file</replaceable>
- as the key file instead of the default,
- <filename>/etc/rndc.key</filename>. The key in
- <filename>/etc/rndc.key</filename> will be used to authenticate
- commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
- does not exist.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-s <replaceable class="parameter">server</replaceable></term>
- <listitem>
- <para>
- <replaceable class="parameter">server</replaceable> is
- the name or address of the server which matches a
- server statement in the configuration file for
- <command>rndc</command>. If no server is supplied on the
- command line, the host named by the default-server clause
- in the option statement of the configuration file will be
- used.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-p <replaceable class="parameter">port</replaceable></term>
- <listitem>
- <para>
- Send commands to TCP port
- <replaceable class="parameter">port</replaceable> instead
- of BIND 9's default control channel port, 953.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-V</term>
- <listitem>
- <para>
- Enable verbose logging.
- </para>
- </listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-y <replaceable class="parameter">keyid</replaceable></term>
- <listitem>
- <para>
- Use the key <replaceable class="parameter">keyid</replaceable>
- from the configuration file.
- <replaceable class="parameter">keyid</replaceable> must be
- known by named with the same algorithm and secret string
- in order for control message validation to succeed.
- If no <replaceable class="parameter">keyid</replaceable>
- is specified, <command>rndc</command> will first look
- for a key clause in the server statement of the server
- being used, or if no server statement is present for that
- host, then the default-key clause of the options statement.
- Note that the configuration file contains shared secrets
- which are used to send authenticated control commands
- to name servers. It should therefore not have general read
- or write access.
- </para>
- </listitem>
- </varlistentry>
-
- </variablelist>
-
- <para>
- For the complete set of commands supported by <command>rndc</command>,
- see the BIND 9 Administrator Reference Manual or run
- <command>rndc</command> without arguments to see its help message.
- </para>
-
- </refsect1>
-
- <refsect1>
- <title>LIMITATIONS</title>
- <para>
- <command>rndc</command> does not yet support all the commands of
- the BIND 8 <command>ndc</command> utility.
- </para>
- <para>
- There is currently no way to provide the shared secret for a
- <option>key_id</option> without using the configuration file.
- </para>
- <para>
- Several error messages could be clearer.
- </para>
- </refsect1>
-
- <refsect1>
- <title>SEE ALSO</title>
- <para>
- <citerefentry>
- <refentrytitle>rndc.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>named</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citerefentry>
- <refentrytitle>named.conf</refentrytitle>
- <manvolnum>5</manvolnum>
- </citerefentry>
- <citerefentry>
- <refentrytitle>ndc</refentrytitle>
- <manvolnum>8</manvolnum>
- </citerefentry>,
- <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
- </para>
- </refsect1>
-
- <refsect1>
- <title>AUTHOR</title>
- <para>
- <corpauthor>Internet Systems Consortium</corpauthor>
- </para>
- </refsect1>
-
-</refentry>
-
-<!--
- - Local variables:
- - mode: sgml
- - End:
--->
-
diff --git a/contrib/bind9/bin/rndc/rndc.html b/contrib/bind9/bin/rndc/rndc.html
deleted file mode 100644
index d23f4682c010..000000000000
--- a/contrib/bind9/bin/rndc/rndc.html
+++ /dev/null
@@ -1,156 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: rndc.html,v 1.7.2.1.4.10 2005/10/13 02:33:50 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>rndc</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p><span class="application">rndc</span> &#8212; name server control utility</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">rndc</code> [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525886"></a><h2>DESCRIPTION</h2>
-<p>
- <span><strong class="command">rndc</strong></span> controls the operation of a name
- server. It supersedes the <span><strong class="command">ndc</strong></span> utility
- that was provided in old BIND releases. If
- <span><strong class="command">rndc</strong></span> is invoked with no command line
- options or arguments, it prints a short summary of the
- supported commands and the available options and their
- arguments.
- </p>
-<p>
- <span><strong class="command">rndc</strong></span> communicates with the name server
- over a TCP connection, sending commands authenticated with
- digital signatures. In the current versions of
- <span><strong class="command">rndc</strong></span> and <span><strong class="command">named</strong></span> named
- the only supported authentication algorithm is HMAC-MD5,
- which uses a shared secret on each end of the connection.
- This provides TSIG-style authentication for the command
- request and the name server's response. All commands sent
- over the channel must be signed by a key_id known to the
- server.
- </p>
-<p>
- <span><strong class="command">rndc</strong></span> reads a configuration file to
- determine how to contact the name server and decide what
- algorithm and key it should use.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525927"></a><h2>OPTIONS</h2>
-<div class="variablelist"><dl>
-<dt><span class="term">-c <em class="replaceable"><code>config-file</code></em></span></dt>
-<dd><p>
- Use <em class="replaceable"><code>config-file</code></em>
- as the configuration file instead of the default,
- <code class="filename">/etc/rndc.conf</code>.
- </p></dd>
-<dt><span class="term">-k <em class="replaceable"><code>key-file</code></em></span></dt>
-<dd><p>
- Use <em class="replaceable"><code>key-file</code></em>
- as the key file instead of the default,
- <code class="filename">/etc/rndc.key</code>. The key in
- <code class="filename">/etc/rndc.key</code> will be used to authenticate
- commands sent to the server if the <em class="replaceable"><code>config-file</code></em>
- does not exist.
- </p></dd>
-<dt><span class="term">-s <em class="replaceable"><code>server</code></em></span></dt>
-<dd><p>
- <em class="replaceable"><code>server</code></em> is
- the name or address of the server which matches a
- server statement in the configuration file for
- <span><strong class="command">rndc</strong></span>. If no server is supplied on the
- command line, the host named by the default-server clause
- in the option statement of the configuration file will be
- used.
- </p></dd>
-<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
-<dd><p>
- Send commands to TCP port
- <em class="replaceable"><code>port</code></em> instead
- of BIND 9's default control channel port, 953.
- </p></dd>
-<dt><span class="term">-V</span></dt>
-<dd><p>
- Enable verbose logging.
- </p></dd>
-<dt><span class="term">-y <em class="replaceable"><code>keyid</code></em></span></dt>
-<dd><p>
- Use the key <em class="replaceable"><code>keyid</code></em>
- from the configuration file.
- <em class="replaceable"><code>keyid</code></em> must be
- known by named with the same algorithm and secret string
- in order for control message validation to succeed.
- If no <em class="replaceable"><code>keyid</code></em>
- is specified, <span><strong class="command">rndc</strong></span> will first look
- for a key clause in the server statement of the server
- being used, or if no server statement is present for that
- host, then the default-key clause of the options statement.
- Note that the configuration file contains shared secrets
- which are used to send authenticated control commands
- to name servers. It should therefore not have general read
- or write access.
- </p></dd>
-</dl></div>
-<p>
- For the complete set of commands supported by <span><strong class="command">rndc</strong></span>,
- see the BIND 9 Administrator Reference Manual or run
- <span><strong class="command">rndc</strong></span> without arguments to see its help message.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526109"></a><h2>LIMITATIONS</h2>
-<p>
- <span><strong class="command">rndc</strong></span> does not yet support all the commands of
- the BIND 8 <span><strong class="command">ndc</strong></span> utility.
- </p>
-<p>
- There is currently no way to provide the shared secret for a
- <code class="option">key_id</code> without using the configuration file.
- </p>
-<p>
- Several error messages could be clearer.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526138"></a><h2>SEE ALSO</h2>
-<p>
- <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
- <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
- <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>
- <span class="citerefentry"><span class="refentrytitle">ndc</span>(8)</span>,
- <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
- </p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526190"></a><h2>AUTHOR</h2>
-<p>
- <span class="corpauthor">Internet Systems Consortium</span>
- </p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/bin/rndc/unix/Makefile.in b/contrib/bind9/bin/rndc/unix/Makefile.in
deleted file mode 100644
index 0409a188838f..000000000000
--- a/contrib/bind9/bin/rndc/unix/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.12.3 2004/03/08 04:04:24 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
- ${DNS_INCLUDES} ${ISC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-OBJS = os.@O@
-
-SRCS = os.c
-
-TARGETS = ${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/rndc/unix/os.c b/contrib/bind9/bin/rndc/unix/os.c
deleted file mode 100644
index 1adfdee9f15e..000000000000
--- a/contrib/bind9/bin/rndc/unix/os.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.c,v 1.5.206.1 2004/03/06 10:21:33 marka Exp $ */
-
-#include <config.h>
-
-#include <rndc/os.h>
-
-#include <fcntl.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <pwd.h>
-#include <errno.h>
-#include <stdio.h>
-#include <sys/stat.h>
-
-int
-set_user(FILE *fd, const char *user) {
- struct passwd *pw;
-
- pw = getpwnam(user);
- if (pw == NULL) {
- errno = EINVAL;
- return (-1);
- }
- return (fchown(fileno(fd), pw->pw_uid, -1));
-}
-
-FILE *
-safe_create(const char *filename) {
- int fd;
- FILE *f;
- struct stat sb;
- int flags = O_WRONLY;
-
- if (stat(filename, &sb) == -1) {
- if (errno != ENOENT)
- return (NULL);
- flags = O_WRONLY | O_CREAT | O_EXCL;
- } else if ((sb.st_mode & S_IFREG) == 0) {
- errno = EOPNOTSUPP;
- return (NULL);
- } else
- flags = O_WRONLY | O_TRUNC;
-
- fd = open(filename, flags, S_IRUSR | S_IWUSR);
- if (fd == -1)
- return (NULL);
- f = fdopen(fd, "w");
- if (f == NULL)
- close(fd);
- return (f);
-}
diff --git a/contrib/bind9/bin/rndc/util.c b/contrib/bind9/bin/rndc/util.c
deleted file mode 100644
index 249cbe2ab1c1..000000000000
--- a/contrib/bind9/bin/rndc/util.c
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.c,v 1.2.206.1 2004/03/06 10:21:32 marka Exp $ */
-
-#include <config.h>
-
-#include <stdarg.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#include <isc/boolean.h>
-
-#include "util.h"
-
-extern isc_boolean_t verbose;
-extern const char *progname;
-
-void
-notify(const char *fmt, ...) {
- va_list ap;
-
- if (verbose) {
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
- fputs("\n", stderr);
- }
-}
-
-void
-fatal(const char *format, ...) {
- va_list args;
-
- fprintf(stderr, "%s: ", progname);
- va_start(args, format);
- vfprintf(stderr, format, args);
- va_end(args);
- fprintf(stderr, "\n");
- exit(1);
-}
diff --git a/contrib/bind9/bin/rndc/util.h b/contrib/bind9/bin/rndc/util.h
deleted file mode 100644
index 3c19cd447575..000000000000
--- a/contrib/bind9/bin/rndc/util.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.h,v 1.5.206.1 2004/03/06 10:21:32 marka Exp $ */
-
-#ifndef RNDC_UTIL_H
-#define RNDC_UTIL_H 1
-
-#include <isc/lang.h>
-
-#include <isc/formatcheck.h>
-
-#define NS_CONTROL_PORT 953
-
-#undef DO
-#define DO(name, function) \
- do { \
- result = function; \
- if (result != ISC_R_SUCCESS) \
- fatal("%s: %s", name, isc_result_totext(result)); \
- else \
- notify("%s", name); \
- } while (0)
-
-ISC_LANG_BEGINDECLS
-
-void
-notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
-
-void
-fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
-
-ISC_LANG_ENDDECLS
-
-#endif /* RNDC_UTIL_H */
diff --git a/contrib/bind9/config.guess b/contrib/bind9/config.guess
deleted file mode 100644
index 7d0185e019ed..000000000000
--- a/contrib/bind9/config.guess
+++ /dev/null
@@ -1,1447 +0,0 @@
-#! /bin/sh
-# Attempt to guess a canonical system name.
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
-
-timestamp='2004-09-07'
-
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Originally written by Per Bothner <per@bothner.com>.
-# Please send patches to <config-patches@gnu.org>. Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# This script attempts to guess a canonical system name similar to
-# config.sub. If it succeeds, it prints the system name on stdout, and
-# exits with 0. Otherwise, it exits with 1.
-#
-# The plan is that this can be called by configure scripts if you
-# don't specify an explicit build system type.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION]
-
-Output the configuration name of the system \`$me' is run on.
-
-Operation modes:
- -h, --help print this help, then exit
- -t, --time-stamp print date of last modification, then exit
- -v, --version print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.guess ($timestamp)
-
-Originally written by Per Bothner.
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions. There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
- case $1 in
- --time-stamp | --time* | -t )
- echo "$timestamp" ; exit 0 ;;
- --version | -v )
- echo "$version" ; exit 0 ;;
- --help | --h* | -h )
- echo "$usage"; exit 0 ;;
- -- ) # Stop option processing
- shift; break ;;
- - ) # Use stdin as input.
- break ;;
- -* )
- echo "$me: invalid option $1$help" >&2
- exit 1 ;;
- * )
- break ;;
- esac
-done
-
-if test $# != 0; then
- echo "$me: too many arguments$help" >&2
- exit 1
-fi
-
-trap 'exit 1' 1 2 15
-
-# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
-# compiler to aid in system detection is discouraged as it requires
-# temporary files to be created and, as you can see below, it is a
-# headache to deal with in a portable fashion.
-
-# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
-# use `HOST_CC' if defined, but it is deprecated.
-
-# Portable tmp directory creation inspired by the Autoconf team.
-
-set_cc_for_build='
-trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
-trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
-: ${TMPDIR=/tmp} ;
- { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
- { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
- { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
- { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
-dummy=$tmp/dummy ;
-tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
-case $CC_FOR_BUILD,$HOST_CC,$CC in
- ,,) echo "int x;" > $dummy.c ;
- for c in cc gcc c89 c99 ; do
- if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
- CC_FOR_BUILD="$c"; break ;
- fi ;
- done ;
- if test x"$CC_FOR_BUILD" = x ; then
- CC_FOR_BUILD=no_compiler_found ;
- fi
- ;;
- ,,*) CC_FOR_BUILD=$CC ;;
- ,*,*) CC_FOR_BUILD=$HOST_CC ;;
-esac ;'
-
-# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
-# (ghazi@noc.rutgers.edu 1994-08-24)
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
- PATH=$PATH:/.attbin ; export PATH
-fi
-
-UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
-UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
-UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
-UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-
-# Note: order is significant - the case branches are not exclusive.
-
-case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
- *:NetBSD:*:*)
- # NetBSD (nbsd) targets should (where applicable) match one or
- # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
- # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
- # switched to ELF, *-*-netbsd* would select the old
- # object file format. This provides both forward
- # compatibility and a consistent mechanism for selecting the
- # object file format.
- #
- # Note: NetBSD doesn't particularly care about the vendor
- # portion of the name. We always set it to "unknown".
- sysctl="sysctl -n hw.machine_arch"
- UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
- /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
- case "${UNAME_MACHINE_ARCH}" in
- armeb) machine=armeb-unknown ;;
- arm*) machine=arm-unknown ;;
- sh3el) machine=shl-unknown ;;
- sh3eb) machine=sh-unknown ;;
- *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
- esac
- # The Operating System including object format, if it has switched
- # to ELF recently, or will in the future.
- case "${UNAME_MACHINE_ARCH}" in
- arm*|i386|m68k|ns32k|sh3*|sparc|vax)
- eval $set_cc_for_build
- if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
- | grep __ELF__ >/dev/null
- then
- # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
- # Return netbsd for either. FIX?
- os=netbsd
- else
- os=netbsdelf
- fi
- ;;
- *)
- os=netbsd
- ;;
- esac
- # The OS release
- # Debian GNU/NetBSD machines have a different userland, and
- # thus, need a distinct triplet. However, they do not need
- # kernel version information, so it can be replaced with a
- # suitable tag, in the style of linux-gnu.
- case "${UNAME_VERSION}" in
- Debian*)
- release='-gnu'
- ;;
- *)
- release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
- ;;
- esac
- # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
- # contains redundant information, the shorter form:
- # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
- echo "${machine}-${os}${release}"
- exit 0 ;;
- amd64:OpenBSD:*:*)
- echo x86_64-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- amiga:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- cats:OpenBSD:*:*)
- echo arm-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- hp300:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- luna88k:OpenBSD:*:*)
- echo m88k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mac68k:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- macppc:OpenBSD:*:*)
- echo powerpc-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mvme68k:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mvme88k:OpenBSD:*:*)
- echo m88k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- mvmeppc:OpenBSD:*:*)
- echo powerpc-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- sgi:OpenBSD:*:*)
- echo mips64-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- sun3:OpenBSD:*:*)
- echo m68k-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- *:OpenBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
- exit 0 ;;
- *:ekkoBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
- exit 0 ;;
- macppc:MirBSD:*:*)
- echo powerppc-unknown-mirbsd${UNAME_RELEASE}
- exit 0 ;;
- *:MirBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
- exit 0 ;;
- alpha:OSF1:*:*)
- case $UNAME_RELEASE in
- *4.0)
- UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
- ;;
- *5.*)
- UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'`
- ;;
- esac
- # According to Compaq, /usr/sbin/psrinfo has been available on
- # OSF/1 and Tru64 systems produced since 1995. I hope that
- # covers most systems running today. This code pipes the CPU
- # types through head -n 1, so we only detect the type of CPU 0.
- ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
- case "$ALPHA_CPU_TYPE" in
- "EV4 (21064)")
- UNAME_MACHINE="alpha" ;;
- "EV4.5 (21064)")
- UNAME_MACHINE="alpha" ;;
- "LCA4 (21066/21068)")
- UNAME_MACHINE="alpha" ;;
- "EV5 (21164)")
- UNAME_MACHINE="alphaev5" ;;
- "EV5.6 (21164A)")
- UNAME_MACHINE="alphaev56" ;;
- "EV5.6 (21164PC)")
- UNAME_MACHINE="alphapca56" ;;
- "EV5.7 (21164PC)")
- UNAME_MACHINE="alphapca57" ;;
- "EV6 (21264)")
- UNAME_MACHINE="alphaev6" ;;
- "EV6.7 (21264A)")
- UNAME_MACHINE="alphaev67" ;;
- "EV6.8CB (21264C)")
- UNAME_MACHINE="alphaev68" ;;
- "EV6.8AL (21264B)")
- UNAME_MACHINE="alphaev68" ;;
- "EV6.8CX (21264D)")
- UNAME_MACHINE="alphaev68" ;;
- "EV6.9A (21264/EV69A)")
- UNAME_MACHINE="alphaev69" ;;
- "EV7 (21364)")
- UNAME_MACHINE="alphaev7" ;;
- "EV7.9 (21364A)")
- UNAME_MACHINE="alphaev79" ;;
- esac
- # A Pn.n version is a patched version.
- # A Vn.n version is a released version.
- # A Tn.n version is a released field test version.
- # A Xn.n version is an unreleased experimental baselevel.
- # 1.2 uses "1.2" for uname -r.
- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- exit 0 ;;
- Alpha\ *:Windows_NT*:*)
- # How do we know it's Interix rather than the generic POSIX subsystem?
- # Should we change UNAME_MACHINE based on the output of uname instead
- # of the specific Alpha model?
- echo alpha-pc-interix
- exit 0 ;;
- 21064:Windows_NT:50:3)
- echo alpha-dec-winnt3.5
- exit 0 ;;
- Amiga*:UNIX_System_V:4.0:*)
- echo m68k-unknown-sysv4
- exit 0;;
- *:[Aa]miga[Oo][Ss]:*:*)
- echo ${UNAME_MACHINE}-unknown-amigaos
- exit 0 ;;
- *:[Mm]orph[Oo][Ss]:*:*)
- echo ${UNAME_MACHINE}-unknown-morphos
- exit 0 ;;
- *:OS/390:*:*)
- echo i370-ibm-openedition
- exit 0 ;;
- *:OS400:*:*)
- echo powerpc-ibm-os400
- exit 0 ;;
- arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
- echo arm-acorn-riscix${UNAME_RELEASE}
- exit 0;;
- SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
- echo hppa1.1-hitachi-hiuxmpp
- exit 0;;
- Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
- # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
- if test "`(/bin/universe) 2>/dev/null`" = att ; then
- echo pyramid-pyramid-sysv3
- else
- echo pyramid-pyramid-bsd
- fi
- exit 0 ;;
- NILE*:*:*:dcosx)
- echo pyramid-pyramid-svr4
- exit 0 ;;
- DRS?6000:unix:4.0:6*)
- echo sparc-icl-nx6
- exit 0 ;;
- DRS?6000:UNIX_SV:4.2*:7*)
- case `/usr/bin/uname -p` in
- sparc) echo sparc-icl-nx7 && exit 0 ;;
- esac ;;
- sun4H:SunOS:5.*:*)
- echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
- echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- i86pc:SunOS:5.*:*)
- echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:6*:*)
- # According to config.sub, this is the proper way to canonicalize
- # SunOS6. Hard to guess exactly what SunOS6 will be like, but
- # it's likely to be more like Solaris than SunOS4.
- echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- sun4*:SunOS:*:*)
- case "`/usr/bin/arch -k`" in
- Series*|S4*)
- UNAME_RELEASE=`uname -v`
- ;;
- esac
- # Japanese Language versions have a version number like `4.1.3-JL'.
- echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
- exit 0 ;;
- sun3*:SunOS:*:*)
- echo m68k-sun-sunos${UNAME_RELEASE}
- exit 0 ;;
- sun*:*:4.2BSD:*)
- UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
- test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
- case "`/bin/arch`" in
- sun3)
- echo m68k-sun-sunos${UNAME_RELEASE}
- ;;
- sun4)
- echo sparc-sun-sunos${UNAME_RELEASE}
- ;;
- esac
- exit 0 ;;
- aushp:SunOS:*:*)
- echo sparc-auspex-sunos${UNAME_RELEASE}
- exit 0 ;;
- # The situation for MiNT is a little confusing. The machine name
- # can be virtually everything (everything which is not
- # "atarist" or "atariste" at least should have a processor
- # > m68000). The system name ranges from "MiNT" over "FreeMiNT"
- # to the lowercase version "mint" (or "freemint"). Finally
- # the system name "TOS" denotes a system which is actually not
- # MiNT. But MiNT is downward compatible to TOS, so this should
- # be no problem.
- atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
- atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
- *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
- echo m68k-atari-mint${UNAME_RELEASE}
- exit 0 ;;
- milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
- echo m68k-milan-mint${UNAME_RELEASE}
- exit 0 ;;
- hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
- echo m68k-hades-mint${UNAME_RELEASE}
- exit 0 ;;
- *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
- echo m68k-unknown-mint${UNAME_RELEASE}
- exit 0 ;;
- m68k:machten:*:*)
- echo m68k-apple-machten${UNAME_RELEASE}
- exit 0 ;;
- powerpc:machten:*:*)
- echo powerpc-apple-machten${UNAME_RELEASE}
- exit 0 ;;
- RISC*:Mach:*:*)
- echo mips-dec-mach_bsd4.3
- exit 0 ;;
- RISC*:ULTRIX:*:*)
- echo mips-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
- VAX*:ULTRIX*:*:*)
- echo vax-dec-ultrix${UNAME_RELEASE}
- exit 0 ;;
- 2020:CLIX:*:* | 2430:CLIX:*:*)
- echo clipper-intergraph-clix${UNAME_RELEASE}
- exit 0 ;;
- mips:*:*:UMIPS | mips:*:*:RISCos)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
-#ifdef __cplusplus
-#include <stdio.h> /* for printf() prototype */
- int main (int argc, char *argv[]) {
-#else
- int main (argc, argv) int argc; char *argv[]; {
-#endif
- #if defined (host_mips) && defined (MIPSEB)
- #if defined (SYSTYPE_SYSV)
- printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
- #endif
- #if defined (SYSTYPE_SVR4)
- printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
- #endif
- #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
- printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
- #endif
- #endif
- exit (-1);
- }
-EOF
- $CC_FOR_BUILD -o $dummy $dummy.c \
- && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
- && exit 0
- echo mips-mips-riscos${UNAME_RELEASE}
- exit 0 ;;
- Motorola:PowerMAX_OS:*:*)
- echo powerpc-motorola-powermax
- exit 0 ;;
- Motorola:*:4.3:PL8-*)
- echo powerpc-harris-powermax
- exit 0 ;;
- Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
- echo powerpc-harris-powermax
- exit 0 ;;
- Night_Hawk:Power_UNIX:*:*)
- echo powerpc-harris-powerunix
- exit 0 ;;
- m88k:CX/UX:7*:*)
- echo m88k-harris-cxux7
- exit 0 ;;
- m88k:*:4*:R4*)
- echo m88k-motorola-sysv4
- exit 0 ;;
- m88k:*:3*:R3*)
- echo m88k-motorola-sysv3
- exit 0 ;;
- AViiON:dgux:*:*)
- # DG/UX returns AViiON for all architectures
- UNAME_PROCESSOR=`/usr/bin/uname -p`
- if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
- then
- if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
- [ ${TARGET_BINARY_INTERFACE}x = x ]
- then
- echo m88k-dg-dgux${UNAME_RELEASE}
- else
- echo m88k-dg-dguxbcs${UNAME_RELEASE}
- fi
- else
- echo i586-dg-dgux${UNAME_RELEASE}
- fi
- exit 0 ;;
- M88*:DolphinOS:*:*) # DolphinOS (SVR3)
- echo m88k-dolphin-sysv3
- exit 0 ;;
- M88*:*:R3*:*)
- # Delta 88k system running SVR3
- echo m88k-motorola-sysv3
- exit 0 ;;
- XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
- echo m88k-tektronix-sysv3
- exit 0 ;;
- Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
- echo m68k-tektronix-bsd
- exit 0 ;;
- *:IRIX*:*:*)
- echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
- exit 0 ;;
- ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
- echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
- exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX '
- i*86:AIX:*:*)
- echo i386-ibm-aix
- exit 0 ;;
- ia64:AIX:*:*)
- if [ -x /usr/bin/oslevel ] ; then
- IBM_REV=`/usr/bin/oslevel`
- else
- IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
- fi
- echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
- exit 0 ;;
- *:AIX:2:3)
- if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include <sys/systemcfg.h>
-
- main()
- {
- if (!__power_pc())
- exit(1);
- puts("powerpc-ibm-aix3.2.5");
- exit(0);
- }
-EOF
- $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
- echo rs6000-ibm-aix3.2.5
- elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
- echo rs6000-ibm-aix3.2.4
- else
- echo rs6000-ibm-aix3.2
- fi
- exit 0 ;;
- *:AIX:*:[45])
- IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
- if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
- IBM_ARCH=rs6000
- else
- IBM_ARCH=powerpc
- fi
- if [ -x /usr/bin/oslevel ] ; then
- IBM_REV=`/usr/bin/oslevel`
- else
- IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
- fi
- echo ${IBM_ARCH}-ibm-aix${IBM_REV}
- exit 0 ;;
- *:AIX:*:*)
- echo rs6000-ibm-aix
- exit 0 ;;
- ibmrt:4.4BSD:*|romp-ibm:BSD:*)
- echo romp-ibm-bsd4.4
- exit 0 ;;
- ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
- echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
- exit 0 ;; # report: romp-ibm BSD 4.3
- *:BOSX:*:*)
- echo rs6000-bull-bosx
- exit 0 ;;
- DPX/2?00:B.O.S.:*:*)
- echo m68k-bull-sysv3
- exit 0 ;;
- 9000/[34]??:4.3bsd:1.*:*)
- echo m68k-hp-bsd
- exit 0 ;;
- hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
- echo m68k-hp-bsd4.4
- exit 0 ;;
- 9000/[34678]??:HP-UX:*:*)
- HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
- case "${UNAME_MACHINE}" in
- 9000/31? ) HP_ARCH=m68000 ;;
- 9000/[34]?? ) HP_ARCH=m68k ;;
- 9000/[678][0-9][0-9])
- if [ -x /usr/bin/getconf ]; then
- sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
- sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
- case "${sc_cpu_version}" in
- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
- 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
- 532) # CPU_PA_RISC2_0
- case "${sc_kernel_bits}" in
- 32) HP_ARCH="hppa2.0n" ;;
- 64) HP_ARCH="hppa2.0w" ;;
- '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
- esac ;;
- esac
- fi
- if [ "${HP_ARCH}" = "" ]; then
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
-
- #define _HPUX_SOURCE
- #include <stdlib.h>
- #include <unistd.h>
-
- int main ()
- {
- #if defined(_SC_KERNEL_BITS)
- long bits = sysconf(_SC_KERNEL_BITS);
- #endif
- long cpu = sysconf (_SC_CPU_VERSION);
-
- switch (cpu)
- {
- case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
- case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
- case CPU_PA_RISC2_0:
- #if defined(_SC_KERNEL_BITS)
- switch (bits)
- {
- case 64: puts ("hppa2.0w"); break;
- case 32: puts ("hppa2.0n"); break;
- default: puts ("hppa2.0"); break;
- } break;
- #else /* !defined(_SC_KERNEL_BITS) */
- puts ("hppa2.0"); break;
- #endif
- default: puts ("hppa1.0"); break;
- }
- exit (0);
- }
-EOF
- (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
- test -z "$HP_ARCH" && HP_ARCH=hppa
- fi ;;
- esac
- if [ ${HP_ARCH} = "hppa2.0w" ]
- then
- # avoid double evaluation of $set_cc_for_build
- test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
- if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
- then
- HP_ARCH="hppa2.0w"
- else
- HP_ARCH="hppa64"
- fi
- fi
- echo ${HP_ARCH}-hp-hpux${HPUX_REV}
- exit 0 ;;
- ia64:HP-UX:*:*)
- HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
- echo ia64-hp-hpux${HPUX_REV}
- exit 0 ;;
- 3050*:HI-UX:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include <unistd.h>
- int
- main ()
- {
- long cpu = sysconf (_SC_CPU_VERSION);
- /* The order matters, because CPU_IS_HP_MC68K erroneously returns
- true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct
- results, however. */
- if (CPU_IS_PA_RISC (cpu))
- {
- switch (cpu)
- {
- case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
- case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
- case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
- default: puts ("hppa-hitachi-hiuxwe2"); break;
- }
- }
- else if (CPU_IS_HP_MC68K (cpu))
- puts ("m68k-hitachi-hiuxwe2");
- else puts ("unknown-hitachi-hiuxwe2");
- exit (0);
- }
-EOF
- $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
- echo unknown-hitachi-hiuxwe2
- exit 0 ;;
- 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
- echo hppa1.1-hp-bsd
- exit 0 ;;
- 9000/8??:4.3bsd:*:*)
- echo hppa1.0-hp-bsd
- exit 0 ;;
- *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
- echo hppa1.0-hp-mpeix
- exit 0 ;;
- hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
- echo hppa1.1-hp-osf
- exit 0 ;;
- hp8??:OSF1:*:*)
- echo hppa1.0-hp-osf
- exit 0 ;;
- i*86:OSF1:*:*)
- if [ -x /usr/sbin/sysversion ] ; then
- echo ${UNAME_MACHINE}-unknown-osf1mk
- else
- echo ${UNAME_MACHINE}-unknown-osf1
- fi
- exit 0 ;;
- parisc*:Lites*:*:*)
- echo hppa1.1-hp-lites
- exit 0 ;;
- C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
- echo c1-convex-bsd
- exit 0 ;;
- C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
- if getsysinfo -f scalar_acc
- then echo c32-convex-bsd
- else echo c2-convex-bsd
- fi
- exit 0 ;;
- C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
- echo c34-convex-bsd
- exit 0 ;;
- C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
- echo c38-convex-bsd
- exit 0 ;;
- C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
- echo c4-convex-bsd
- exit 0 ;;
- CRAY*Y-MP:*:*:*)
- echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*[A-Z]90:*:*:*)
- echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
- | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
- -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
- -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*TS:*:*:*)
- echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*T3E:*:*:*)
- echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- CRAY*SV1:*:*:*)
- echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- *:UNICOS/mp:*:*)
- echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
- exit 0 ;;
- F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
- FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
- echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
- exit 0 ;;
- 5000:UNIX_System_V:4.*:*)
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
- echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
- exit 0 ;;
- i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
- echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
- exit 0 ;;
- sparc*:BSD/OS:*:*)
- echo sparc-unknown-bsdi${UNAME_RELEASE}
- exit 0 ;;
- *:BSD/OS:*:*)
- echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
- exit 0 ;;
- *:FreeBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
- exit 0 ;;
- i*:CYGWIN*:*)
- echo ${UNAME_MACHINE}-pc-cygwin
- exit 0 ;;
- i*:MINGW*:*)
- echo ${UNAME_MACHINE}-pc-mingw32
- exit 0 ;;
- i*:PW*:*)
- echo ${UNAME_MACHINE}-pc-pw32
- exit 0 ;;
- x86:Interix*:[34]*)
- echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
- exit 0 ;;
- [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
- echo i${UNAME_MACHINE}-pc-mks
- exit 0 ;;
- i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
- # How do we know it's Interix rather than the generic POSIX subsystem?
- # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
- # UNAME_MACHINE based on the output of uname instead of i386?
- echo i586-pc-interix
- exit 0 ;;
- i*:UWIN*:*)
- echo ${UNAME_MACHINE}-pc-uwin
- exit 0 ;;
- p*:CYGWIN*:*)
- echo powerpcle-unknown-cygwin
- exit 0 ;;
- prep*:SunOS:5.*:*)
- echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
- exit 0 ;;
- *:GNU:*:*)
- # the GNU system
- echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
- exit 0 ;;
- *:GNU/*:*:*)
- # other systems with GNU libc and userland
- echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
- exit 0 ;;
- i*86:Minix:*:*)
- echo ${UNAME_MACHINE}-pc-minix
- exit 0 ;;
- arm*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- cris:Linux:*:*)
- echo cris-axis-linux-gnu
- exit 0 ;;
- crisv32:Linux:*:*)
- echo crisv32-axis-linux-gnu
- exit 0 ;;
- frv:Linux:*:*)
- echo frv-unknown-linux-gnu
- exit 0 ;;
- ia64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- m32r*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- m68*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- mips:Linux:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #undef CPU
- #undef mips
- #undef mipsel
- #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
- CPU=mipsel
- #else
- #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
- CPU=mips
- #else
- CPU=
- #endif
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
- test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
- ;;
- mips64:Linux:*:*)
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #undef CPU
- #undef mips64
- #undef mips64el
- #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
- CPU=mips64el
- #else
- #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
- CPU=mips64
- #else
- CPU=
- #endif
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
- test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
- ;;
- ppc:Linux:*:*)
- echo powerpc-unknown-linux-gnu
- exit 0 ;;
- ppc64:Linux:*:*)
- echo powerpc64-unknown-linux-gnu
- exit 0 ;;
- alpha:Linux:*:*)
- case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
- EV5) UNAME_MACHINE=alphaev5 ;;
- EV56) UNAME_MACHINE=alphaev56 ;;
- PCA56) UNAME_MACHINE=alphapca56 ;;
- PCA57) UNAME_MACHINE=alphapca56 ;;
- EV6) UNAME_MACHINE=alphaev6 ;;
- EV67) UNAME_MACHINE=alphaev67 ;;
- EV68*) UNAME_MACHINE=alphaev68 ;;
- esac
- objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
- if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
- echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
- exit 0 ;;
- parisc:Linux:*:* | hppa:Linux:*:*)
- # Look for CPU level
- case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
- PA7*) echo hppa1.1-unknown-linux-gnu ;;
- PA8*) echo hppa2.0-unknown-linux-gnu ;;
- *) echo hppa-unknown-linux-gnu ;;
- esac
- exit 0 ;;
- parisc64:Linux:*:* | hppa64:Linux:*:*)
- echo hppa64-unknown-linux-gnu
- exit 0 ;;
- s390:Linux:*:* | s390x:Linux:*:*)
- echo ${UNAME_MACHINE}-ibm-linux
- exit 0 ;;
- sh64*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- sh*:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- sparc:Linux:*:* | sparc64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-gnu
- exit 0 ;;
- x86_64:Linux:*:*)
- echo x86_64-unknown-linux-gnu
- exit 0 ;;
- i*86:Linux:*:*)
- # The BFD linker knows what the default object file format is, so
- # first see if it will tell us. cd to the root directory to prevent
- # problems with other programs or directories called `ld' in the path.
- # Set LC_ALL=C to ensure ld outputs messages in English.
- ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
- | sed -ne '/supported targets:/!d
- s/[ ][ ]*/ /g
- s/.*supported targets: *//
- s/ .*//
- p'`
- case "$ld_supported_targets" in
- elf32-i386)
- TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
- ;;
- a.out-i386-linux)
- echo "${UNAME_MACHINE}-pc-linux-gnuaout"
- exit 0 ;;
- coff-i386)
- echo "${UNAME_MACHINE}-pc-linux-gnucoff"
- exit 0 ;;
- "")
- # Either a pre-BFD a.out linker (linux-gnuoldld) or
- # one that does not give us useful --help.
- echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
- exit 0 ;;
- esac
- # Determine whether the default compiler is a.out or elf
- eval $set_cc_for_build
- sed 's/^ //' << EOF >$dummy.c
- #include <features.h>
- #ifdef __ELF__
- # ifdef __GLIBC__
- # if __GLIBC__ >= 2
- LIBC=gnu
- # else
- LIBC=gnulibc1
- # endif
- # else
- LIBC=gnulibc1
- # endif
- #else
- #ifdef __INTEL_COMPILER
- LIBC=gnu
- #else
- LIBC=gnuaout
- #endif
- #endif
- #ifdef __dietlibc__
- LIBC=dietlibc
- #endif
-EOF
- eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
- test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
- test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
- ;;
- i*86:DYNIX/ptx:4*:*)
- # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
- # earlier versions are messed up and put the nodename in both
- # sysname and nodename.
- echo i386-sequent-sysv4
- exit 0 ;;
- i*86:UNIX_SV:4.2MP:2.*)
- # Unixware is an offshoot of SVR4, but it has its own version
- # number series starting with 2...
- # I am not positive that other SVR4 systems won't match this,
- # I just have to hope. -- rms.
- # Use sysv4.2uw... so that sysv4* matches it.
- echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
- exit 0 ;;
- i*86:OS/2:*:*)
- # If we were able to find `uname', then EMX Unix compatibility
- # is probably installed.
- echo ${UNAME_MACHINE}-pc-os2-emx
- exit 0 ;;
- i*86:XTS-300:*:STOP)
- echo ${UNAME_MACHINE}-unknown-stop
- exit 0 ;;
- i*86:atheos:*:*)
- echo ${UNAME_MACHINE}-unknown-atheos
- exit 0 ;;
- i*86:syllable:*:*)
- echo ${UNAME_MACHINE}-pc-syllable
- exit 0 ;;
- i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
- echo i386-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- i*86:*DOS:*:*)
- echo ${UNAME_MACHINE}-pc-msdosdjgpp
- exit 0 ;;
- i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
- UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
- if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
- echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
- else
- echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
- fi
- exit 0 ;;
- i*86:*:5:[78]*)
- case `/bin/uname -X | grep "^Machine"` in
- *486*) UNAME_MACHINE=i486 ;;
- *Pentium) UNAME_MACHINE=i586 ;;
- *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
- esac
- echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
- exit 0 ;;
- i*86:*:3.2:*)
- if test -f /usr/options/cb.name; then
- UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
- echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
- elif /bin/uname -X 2>/dev/null >/dev/null ; then
- UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
- (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
- (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
- && UNAME_MACHINE=i586
- (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
- && UNAME_MACHINE=i686
- (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
- && UNAME_MACHINE=i686
- echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
- else
- echo ${UNAME_MACHINE}-pc-sysv32
- fi
- exit 0 ;;
- pc:*:*:*)
- # Left here for compatibility:
- # uname -m prints for DJGPP always 'pc', but it prints nothing about
- # the processor, so we play safe by assuming i386.
- echo i386-pc-msdosdjgpp
- exit 0 ;;
- Intel:Mach:3*:*)
- echo i386-pc-mach3
- exit 0 ;;
- paragon:*:*:*)
- echo i860-intel-osf1
- exit 0 ;;
- i860:*:4.*:*) # i860-SVR4
- if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
- echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
- else # Add other i860-SVR4 vendors below as they are discovered.
- echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
- fi
- exit 0 ;;
- mini*:CTIX:SYS*5:*)
- # "miniframe"
- echo m68010-convergent-sysv
- exit 0 ;;
- mc68k:UNIX:SYSTEM5:3.51m)
- echo m68k-convergent-sysv
- exit 0 ;;
- M680?0:D-NIX:5.3:*)
- echo m68k-diab-dnix
- exit 0 ;;
- M68*:*:R3V[5678]*:*)
- test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
- 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0)
- OS_REL=''
- test -r /etc/.relid \
- && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4.3${OS_REL} && exit 0
- /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
- && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
- 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
- /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
- && echo i486-ncr-sysv4 && exit 0 ;;
- m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
- echo m68k-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- mc68030:UNIX_System_V:4.*:*)
- echo m68k-atari-sysv4
- exit 0 ;;
- TSUNAMI:LynxOS:2.*:*)
- echo sparc-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- rs6000:LynxOS:2.*:*)
- echo rs6000-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
- echo powerpc-unknown-lynxos${UNAME_RELEASE}
- exit 0 ;;
- SM[BE]S:UNIX_SV:*:*)
- echo mips-dde-sysv${UNAME_RELEASE}
- exit 0 ;;
- RM*:ReliantUNIX-*:*:*)
- echo mips-sni-sysv4
- exit 0 ;;
- RM*:SINIX-*:*:*)
- echo mips-sni-sysv4
- exit 0 ;;
- *:SINIX-*:*:*)
- if uname -p 2>/dev/null >/dev/null ; then
- UNAME_MACHINE=`(uname -p) 2>/dev/null`
- echo ${UNAME_MACHINE}-sni-sysv4
- else
- echo ns32k-sni-sysv
- fi
- exit 0 ;;
- PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
- # says <Richard.M.Bartel@ccMail.Census.GOV>
- echo i586-unisys-sysv4
- exit 0 ;;
- *:UNIX_System_V:4*:FTX*)
- # From Gerald Hewes <hewes@openmarket.com>.
- # How about differentiating between stratus architectures? -djm
- echo hppa1.1-stratus-sysv4
- exit 0 ;;
- *:*:*:FTX*)
- # From seanf@swdc.stratus.com.
- echo i860-stratus-sysv4
- exit 0 ;;
- *:VOS:*:*)
- # From Paul.Green@stratus.com.
- echo hppa1.1-stratus-vos
- exit 0 ;;
- mc68*:A/UX:*:*)
- echo m68k-apple-aux${UNAME_RELEASE}
- exit 0 ;;
- news*:NEWS-OS:6*:*)
- echo mips-sony-newsos6
- exit 0 ;;
- R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
- if [ -d /usr/nec ]; then
- echo mips-nec-sysv${UNAME_RELEASE}
- else
- echo mips-unknown-sysv${UNAME_RELEASE}
- fi
- exit 0 ;;
- BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
- echo powerpc-be-beos
- exit 0 ;;
- BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
- echo powerpc-apple-beos
- exit 0 ;;
- BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
- echo i586-pc-beos
- exit 0 ;;
- SX-4:SUPER-UX:*:*)
- echo sx4-nec-superux${UNAME_RELEASE}
- exit 0 ;;
- SX-5:SUPER-UX:*:*)
- echo sx5-nec-superux${UNAME_RELEASE}
- exit 0 ;;
- SX-6:SUPER-UX:*:*)
- echo sx6-nec-superux${UNAME_RELEASE}
- exit 0 ;;
- Power*:Rhapsody:*:*)
- echo powerpc-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
- *:Rhapsody:*:*)
- echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
- *:Darwin:*:*)
- UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown
- case $UNAME_PROCESSOR in
- *86) UNAME_PROCESSOR=i686 ;;
- unknown) UNAME_PROCESSOR=powerpc ;;
- esac
- echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
- exit 0 ;;
- *:procnto*:*:* | *:QNX:[0123456789]*:*)
- UNAME_PROCESSOR=`uname -p`
- if test "$UNAME_PROCESSOR" = "x86"; then
- UNAME_PROCESSOR=i386
- UNAME_MACHINE=pc
- fi
- echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
- exit 0 ;;
- *:QNX:*:4*)
- echo i386-pc-qnx
- exit 0 ;;
- NSR-?:NONSTOP_KERNEL:*:*)
- echo nsr-tandem-nsk${UNAME_RELEASE}
- exit 0 ;;
- *:NonStop-UX:*:*)
- echo mips-compaq-nonstopux
- exit 0 ;;
- BS2000:POSIX*:*:*)
- echo bs2000-siemens-sysv
- exit 0 ;;
- DS/*:UNIX_System_V:*:*)
- echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
- exit 0 ;;
- *:Plan9:*:*)
- # "uname -m" is not consistent, so use $cputype instead. 386
- # is converted to i386 for consistency with other x86
- # operating systems.
- if test "$cputype" = "386"; then
- UNAME_MACHINE=i386
- else
- UNAME_MACHINE="$cputype"
- fi
- echo ${UNAME_MACHINE}-unknown-plan9
- exit 0 ;;
- *:TOPS-10:*:*)
- echo pdp10-unknown-tops10
- exit 0 ;;
- *:TENEX:*:*)
- echo pdp10-unknown-tenex
- exit 0 ;;
- KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
- echo pdp10-dec-tops20
- exit 0 ;;
- XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
- echo pdp10-xkl-tops20
- exit 0 ;;
- *:TOPS-20:*:*)
- echo pdp10-unknown-tops20
- exit 0 ;;
- *:ITS:*:*)
- echo pdp10-unknown-its
- exit 0 ;;
- SEI:*:*:SEIUX)
- echo mips-sei-seiux${UNAME_RELEASE}
- exit 0 ;;
- *:DragonFly:*:*)
- echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
- exit 0 ;;
- *:*VMS:*:*)
- UNAME_MACHINE=`(uname -p) 2>/dev/null`
- case "${UNAME_MACHINE}" in
- A*) echo alpha-dec-vms && exit 0 ;;
- I*) echo ia64-dec-vms && exit 0 ;;
- V*) echo vax-dec-vms && exit 0 ;;
- esac
-esac
-
-#echo '(No uname command or uname output not recognized.)' 1>&2
-#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-
-eval $set_cc_for_build
-cat >$dummy.c <<EOF
-#ifdef _SEQUENT_
-# include <sys/types.h>
-# include <sys/utsname.h>
-#endif
-main ()
-{
-#if defined (sony)
-#if defined (MIPSEB)
- /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
- I don't know.... */
- printf ("mips-sony-bsd\n"); exit (0);
-#else
-#include <sys/param.h>
- printf ("m68k-sony-newsos%s\n",
-#ifdef NEWSOS4
- "4"
-#else
- ""
-#endif
- ); exit (0);
-#endif
-#endif
-
-#if defined (__arm) && defined (__acorn) && defined (__unix)
- printf ("arm-acorn-riscix"); exit (0);
-#endif
-
-#if defined (hp300) && !defined (hpux)
- printf ("m68k-hp-bsd\n"); exit (0);
-#endif
-
-#if defined (NeXT)
-#if !defined (__ARCHITECTURE__)
-#define __ARCHITECTURE__ "m68k"
-#endif
- int version;
- version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
- if (version < 4)
- printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
- else
- printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
- exit (0);
-#endif
-
-#if defined (MULTIMAX) || defined (n16)
-#if defined (UMAXV)
- printf ("ns32k-encore-sysv\n"); exit (0);
-#else
-#if defined (CMU)
- printf ("ns32k-encore-mach\n"); exit (0);
-#else
- printf ("ns32k-encore-bsd\n"); exit (0);
-#endif
-#endif
-#endif
-
-#if defined (__386BSD__)
- printf ("i386-pc-bsd\n"); exit (0);
-#endif
-
-#if defined (sequent)
-#if defined (i386)
- printf ("i386-sequent-dynix\n"); exit (0);
-#endif
-#if defined (ns32000)
- printf ("ns32k-sequent-dynix\n"); exit (0);
-#endif
-#endif
-
-#if defined (_SEQUENT_)
- struct utsname un;
-
- uname(&un);
-
- if (strncmp(un.version, "V2", 2) == 0) {
- printf ("i386-sequent-ptx2\n"); exit (0);
- }
- if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
- printf ("i386-sequent-ptx1\n"); exit (0);
- }
- printf ("i386-sequent-ptx\n"); exit (0);
-
-#endif
-
-#if defined (vax)
-# if !defined (ultrix)
-# include <sys/param.h>
-# if defined (BSD)
-# if BSD == 43
- printf ("vax-dec-bsd4.3\n"); exit (0);
-# else
-# if BSD == 199006
- printf ("vax-dec-bsd4.3reno\n"); exit (0);
-# else
- printf ("vax-dec-bsd\n"); exit (0);
-# endif
-# endif
-# else
- printf ("vax-dec-bsd\n"); exit (0);
-# endif
-# else
- printf ("vax-dec-ultrix\n"); exit (0);
-# endif
-#endif
-
-#if defined (alliant) && defined (i860)
- printf ("i860-alliant-bsd\n"); exit (0);
-#endif
-
- exit (1);
-}
-EOF
-
-$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
-
-# Apollos put the system type in the environment.
-
-test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
-
-# Convex versions that predate uname can use getsysinfo(1)
-
-if [ -x /usr/convex/getsysinfo ]
-then
- case `getsysinfo -f cpu_type` in
- c1*)
- echo c1-convex-bsd
- exit 0 ;;
- c2*)
- if getsysinfo -f scalar_acc
- then echo c32-convex-bsd
- else echo c2-convex-bsd
- fi
- exit 0 ;;
- c34*)
- echo c34-convex-bsd
- exit 0 ;;
- c38*)
- echo c38-convex-bsd
- exit 0 ;;
- c4*)
- echo c4-convex-bsd
- exit 0 ;;
- esac
-fi
-
-cat >&2 <<EOF
-$0: unable to guess system type
-
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
-
- ftp://ftp.gnu.org/pub/gnu/config/
-
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
-
-config.guess timestamp = $timestamp
-
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
-/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
-
-hostinfo = `(hostinfo) 2>/dev/null`
-/bin/universe = `(/bin/universe) 2>/dev/null`
-/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
-/bin/arch = `(/bin/arch) 2>/dev/null`
-/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
-
-UNAME_MACHINE = ${UNAME_MACHINE}
-UNAME_RELEASE = ${UNAME_RELEASE}
-UNAME_SYSTEM = ${UNAME_SYSTEM}
-UNAME_VERSION = ${UNAME_VERSION}
-EOF
-
-exit 1
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/contrib/bind9/config.sub b/contrib/bind9/config.sub
deleted file mode 100644
index edb6b663ca2b..000000000000
--- a/contrib/bind9/config.sub
+++ /dev/null
@@ -1,1555 +0,0 @@
-#! /bin/sh
-# Configuration validation subroutine script.
-# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
-
-timestamp='2004-08-29'
-
-# This file is (in principle) common to ALL GNU software.
-# The presence of a machine in this file suggests that SOME GNU software
-# can handle that machine. It does not imply ALL GNU software can.
-#
-# This file is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330,
-# Boston, MA 02111-1307, USA.
-
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# Please send patches to <config-patches@gnu.org>. Submit a context
-# diff and a properly formatted ChangeLog entry.
-#
-# Configuration subroutine to validate and canonicalize a configuration type.
-# Supply the specified configuration type as an argument.
-# If it is invalid, we print an error message on stderr and exit with code 1.
-# Otherwise, we print the canonical config type on stdout and succeed.
-
-# This file is supposed to be the same for all GNU packages
-# and recognize all the CPU types, system types and aliases
-# that are meaningful with *any* GNU software.
-# Each package is responsible for reporting which valid configurations
-# it does not support. The user should be able to distinguish
-# a failure to support a valid configuration from a meaningless
-# configuration.
-
-# The goal of this file is to map all the various variations of a given
-# machine specification into a single specification in the form:
-# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
-# or in some cases, the newer four-part form:
-# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
-# It is wrong to echo any other type of specification.
-
-me=`echo "$0" | sed -e 's,.*/,,'`
-
-usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
- $0 [OPTION] ALIAS
-
-Canonicalize a configuration name.
-
-Operation modes:
- -h, --help print this help, then exit
- -t, --time-stamp print date of last modification, then exit
- -v, --version print version number, then exit
-
-Report bugs and patches to <config-patches@gnu.org>."
-
-version="\
-GNU config.sub ($timestamp)
-
-Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
-Free Software Foundation, Inc.
-
-This is free software; see the source for copying conditions. There is NO
-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-
-help="
-Try \`$me --help' for more information."
-
-# Parse command line
-while test $# -gt 0 ; do
- case $1 in
- --time-stamp | --time* | -t )
- echo "$timestamp" ; exit 0 ;;
- --version | -v )
- echo "$version" ; exit 0 ;;
- --help | --h* | -h )
- echo "$usage"; exit 0 ;;
- -- ) # Stop option processing
- shift; break ;;
- - ) # Use stdin as input.
- break ;;
- -* )
- echo "$me: invalid option $1$help"
- exit 1 ;;
-
- *local*)
- # First pass through any local machine types.
- echo $1
- exit 0;;
-
- * )
- break ;;
- esac
-done
-
-case $# in
- 0) echo "$me: missing argument$help" >&2
- exit 1;;
- 1) ;;
- *) echo "$me: too many arguments$help" >&2
- exit 1;;
-esac
-
-# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
-# Here we must recognize all the valid KERNEL-OS combinations.
-maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
-case $maybe_os in
- nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
- kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
- os=-$maybe_os
- basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
- ;;
- *)
- basic_machine=`echo $1 | sed 's/-[^-]*$//'`
- if [ $basic_machine != $1 ]
- then os=`echo $1 | sed 's/.*-/-/'`
- else os=; fi
- ;;
-esac
-
-### Let's recognize common machines as not being operating systems so
-### that things like config.sub decstation-3100 work. We also
-### recognize some manufacturers as not being operating systems, so we
-### can provide default operating systems below.
-case $os in
- -sun*os*)
- # Prevent following clause from handling this invalid input.
- ;;
- -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
- -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
- -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
- -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
- -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
- -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
- -apple | -axis | -knuth | -cray)
- os=
- basic_machine=$1
- ;;
- -sim | -cisco | -oki | -wec | -winbond)
- os=
- basic_machine=$1
- ;;
- -scout)
- ;;
- -wrs)
- os=-vxworks
- basic_machine=$1
- ;;
- -chorusos*)
- os=-chorusos
- basic_machine=$1
- ;;
- -chorusrdb)
- os=-chorusrdb
- basic_machine=$1
- ;;
- -hiux*)
- os=-hiuxwe2
- ;;
- -sco5)
- os=-sco3.2v5
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco4)
- os=-sco3.2v4
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco3.2.[4-9]*)
- os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco3.2v[4-9]*)
- # Don't forget version if it is 3.2v4 or newer.
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -sco*)
- os=-sco3.2v2
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -udk*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -isc)
- os=-isc2.2
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -clix*)
- basic_machine=clipper-intergraph
- ;;
- -isc*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
- ;;
- -lynx*)
- os=-lynxos
- ;;
- -ptx*)
- basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
- ;;
- -windowsnt*)
- os=`echo $os | sed -e 's/windowsnt/winnt/'`
- ;;
- -psos*)
- os=-psos
- ;;
- -mint | -mint[0-9]*)
- basic_machine=m68k-atari
- os=-mint
- ;;
-esac
-
-# Decode aliases for certain CPU-COMPANY combinations.
-case $basic_machine in
- # Recognize the basic CPU types without company name.
- # Some are omitted here because they have special meanings below.
- 1750a | 580 \
- | a29k \
- | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
- | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
- | am33_2.0 \
- | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
- | c4x | clipper \
- | d10v | d30v | dlx | dsp16xx \
- | fr30 | frv \
- | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
- | i370 | i860 | i960 | ia64 \
- | ip2k | iq2000 \
- | m32r | m32rle | m68000 | m68k | m88k | mcore \
- | mips | mipsbe | mipseb | mipsel | mipsle \
- | mips16 \
- | mips64 | mips64el \
- | mips64vr | mips64vrel \
- | mips64orion | mips64orionel \
- | mips64vr4100 | mips64vr4100el \
- | mips64vr4300 | mips64vr4300el \
- | mips64vr5000 | mips64vr5000el \
- | mipsisa32 | mipsisa32el \
- | mipsisa32r2 | mipsisa32r2el \
- | mipsisa64 | mipsisa64el \
- | mipsisa64r2 | mipsisa64r2el \
- | mipsisa64sb1 | mipsisa64sb1el \
- | mipsisa64sr71k | mipsisa64sr71kel \
- | mipstx39 | mipstx39el \
- | mn10200 | mn10300 \
- | msp430 \
- | ns16k | ns32k \
- | openrisc | or32 \
- | pdp10 | pdp11 | pj | pjl \
- | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
- | pyramid \
- | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
- | sh64 | sh64le \
- | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \
- | strongarm \
- | tahoe | thumb | tic4x | tic80 | tron \
- | v850 | v850e \
- | we32k \
- | x86 | xscale | xstormy16 | xtensa \
- | z8k)
- basic_machine=$basic_machine-unknown
- ;;
- m6811 | m68hc11 | m6812 | m68hc12)
- # Motorola 68HC11/12.
- basic_machine=$basic_machine-unknown
- os=-none
- ;;
- m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
- ;;
-
- # We use `pc' rather than `unknown'
- # because (1) that's what they normally are, and
- # (2) the word "unknown" tends to confuse beginning users.
- i*86 | x86_64)
- basic_machine=$basic_machine-pc
- ;;
- # Object if more than one company name word.
- *-*-*)
- echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
- exit 1
- ;;
- # Recognize the basic CPU types with company name.
- 580-* \
- | a29k-* \
- | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
- | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
- | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
- | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
- | avr-* \
- | bs2000-* \
- | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
- | clipper-* | craynv-* | cydra-* \
- | d10v-* | d30v-* | dlx-* \
- | elxsi-* \
- | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
- | h8300-* | h8500-* \
- | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
- | i*86-* | i860-* | i960-* | ia64-* \
- | ip2k-* | iq2000-* \
- | m32r-* | m32rle-* \
- | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
- | m88110-* | m88k-* | mcore-* \
- | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
- | mips16-* \
- | mips64-* | mips64el-* \
- | mips64vr-* | mips64vrel-* \
- | mips64orion-* | mips64orionel-* \
- | mips64vr4100-* | mips64vr4100el-* \
- | mips64vr4300-* | mips64vr4300el-* \
- | mips64vr5000-* | mips64vr5000el-* \
- | mipsisa32-* | mipsisa32el-* \
- | mipsisa32r2-* | mipsisa32r2el-* \
- | mipsisa64-* | mipsisa64el-* \
- | mipsisa64r2-* | mipsisa64r2el-* \
- | mipsisa64sb1-* | mipsisa64sb1el-* \
- | mipsisa64sr71k-* | mipsisa64sr71kel-* \
- | mipstx39-* | mipstx39el-* \
- | mmix-* \
- | msp430-* \
- | none-* | np1-* | ns16k-* | ns32k-* \
- | orion-* \
- | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
- | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
- | pyramid-* \
- | romp-* | rs6000-* \
- | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
- | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
- | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
- | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
- | tahoe-* | thumb-* \
- | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
- | tron-* \
- | v850-* | v850e-* | vax-* \
- | we32k-* \
- | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
- | xtensa-* \
- | ymp-* \
- | z8k-*)
- ;;
- # Recognize the various machine names and aliases which stand
- # for a CPU type and a company and sometimes even an OS.
- 386bsd)
- basic_machine=i386-unknown
- os=-bsd
- ;;
- 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
- basic_machine=m68000-att
- ;;
- 3b*)
- basic_machine=we32k-att
- ;;
- a29khif)
- basic_machine=a29k-amd
- os=-udi
- ;;
- abacus)
- basic_machine=abacus-unknown
- ;;
- adobe68k)
- basic_machine=m68010-adobe
- os=-scout
- ;;
- alliant | fx80)
- basic_machine=fx80-alliant
- ;;
- altos | altos3068)
- basic_machine=m68k-altos
- ;;
- am29k)
- basic_machine=a29k-none
- os=-bsd
- ;;
- amd64)
- basic_machine=x86_64-pc
- ;;
- amd64-*)
- basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- amdahl)
- basic_machine=580-amdahl
- os=-sysv
- ;;
- amiga | amiga-*)
- basic_machine=m68k-unknown
- ;;
- amigaos | amigados)
- basic_machine=m68k-unknown
- os=-amigaos
- ;;
- amigaunix | amix)
- basic_machine=m68k-unknown
- os=-sysv4
- ;;
- apollo68)
- basic_machine=m68k-apollo
- os=-sysv
- ;;
- apollo68bsd)
- basic_machine=m68k-apollo
- os=-bsd
- ;;
- aux)
- basic_machine=m68k-apple
- os=-aux
- ;;
- balance)
- basic_machine=ns32k-sequent
- os=-dynix
- ;;
- c90)
- basic_machine=c90-cray
- os=-unicos
- ;;
- convex-c1)
- basic_machine=c1-convex
- os=-bsd
- ;;
- convex-c2)
- basic_machine=c2-convex
- os=-bsd
- ;;
- convex-c32)
- basic_machine=c32-convex
- os=-bsd
- ;;
- convex-c34)
- basic_machine=c34-convex
- os=-bsd
- ;;
- convex-c38)
- basic_machine=c38-convex
- os=-bsd
- ;;
- cray | j90)
- basic_machine=j90-cray
- os=-unicos
- ;;
- craynv)
- basic_machine=craynv-cray
- os=-unicosmp
- ;;
- cr16c)
- basic_machine=cr16c-unknown
- os=-elf
- ;;
- crds | unos)
- basic_machine=m68k-crds
- ;;
- crisv32 | crisv32-* | etraxfs*)
- basic_machine=crisv32-axis
- ;;
- cris | cris-* | etrax*)
- basic_machine=cris-axis
- ;;
- crx)
- basic_machine=crx-unknown
- os=-elf
- ;;
- da30 | da30-*)
- basic_machine=m68k-da30
- ;;
- decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
- basic_machine=mips-dec
- ;;
- decsystem10* | dec10*)
- basic_machine=pdp10-dec
- os=-tops10
- ;;
- decsystem20* | dec20*)
- basic_machine=pdp10-dec
- os=-tops20
- ;;
- delta | 3300 | motorola-3300 | motorola-delta \
- | 3300-motorola | delta-motorola)
- basic_machine=m68k-motorola
- ;;
- delta88)
- basic_machine=m88k-motorola
- os=-sysv3
- ;;
- dpx20 | dpx20-*)
- basic_machine=rs6000-bull
- os=-bosx
- ;;
- dpx2* | dpx2*-bull)
- basic_machine=m68k-bull
- os=-sysv3
- ;;
- ebmon29k)
- basic_machine=a29k-amd
- os=-ebmon
- ;;
- elxsi)
- basic_machine=elxsi-elxsi
- os=-bsd
- ;;
- encore | umax | mmax)
- basic_machine=ns32k-encore
- ;;
- es1800 | OSE68k | ose68k | ose | OSE)
- basic_machine=m68k-ericsson
- os=-ose
- ;;
- fx2800)
- basic_machine=i860-alliant
- ;;
- genix)
- basic_machine=ns32k-ns
- ;;
- gmicro)
- basic_machine=tron-gmicro
- os=-sysv
- ;;
- go32)
- basic_machine=i386-pc
- os=-go32
- ;;
- h3050r* | hiux*)
- basic_machine=hppa1.1-hitachi
- os=-hiuxwe2
- ;;
- h8300hms)
- basic_machine=h8300-hitachi
- os=-hms
- ;;
- h8300xray)
- basic_machine=h8300-hitachi
- os=-xray
- ;;
- h8500hms)
- basic_machine=h8500-hitachi
- os=-hms
- ;;
- harris)
- basic_machine=m88k-harris
- os=-sysv3
- ;;
- hp300-*)
- basic_machine=m68k-hp
- ;;
- hp300bsd)
- basic_machine=m68k-hp
- os=-bsd
- ;;
- hp300hpux)
- basic_machine=m68k-hp
- os=-hpux
- ;;
- hp3k9[0-9][0-9] | hp9[0-9][0-9])
- basic_machine=hppa1.0-hp
- ;;
- hp9k2[0-9][0-9] | hp9k31[0-9])
- basic_machine=m68000-hp
- ;;
- hp9k3[2-9][0-9])
- basic_machine=m68k-hp
- ;;
- hp9k6[0-9][0-9] | hp6[0-9][0-9])
- basic_machine=hppa1.0-hp
- ;;
- hp9k7[0-79][0-9] | hp7[0-79][0-9])
- basic_machine=hppa1.1-hp
- ;;
- hp9k78[0-9] | hp78[0-9])
- # FIXME: really hppa2.0-hp
- basic_machine=hppa1.1-hp
- ;;
- hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
- # FIXME: really hppa2.0-hp
- basic_machine=hppa1.1-hp
- ;;
- hp9k8[0-9][13679] | hp8[0-9][13679])
- basic_machine=hppa1.1-hp
- ;;
- hp9k8[0-9][0-9] | hp8[0-9][0-9])
- basic_machine=hppa1.0-hp
- ;;
- hppa-next)
- os=-nextstep3
- ;;
- hppaosf)
- basic_machine=hppa1.1-hp
- os=-osf
- ;;
- hppro)
- basic_machine=hppa1.1-hp
- os=-proelf
- ;;
- i370-ibm* | ibm*)
- basic_machine=i370-ibm
- ;;
-# I'm not sure what "Sysv32" means. Should this be sysv3.2?
- i*86v32)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-sysv32
- ;;
- i*86v4*)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-sysv4
- ;;
- i*86v)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-sysv
- ;;
- i*86sol2)
- basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
- os=-solaris2
- ;;
- i386mach)
- basic_machine=i386-mach
- os=-mach
- ;;
- i386-vsta | vsta)
- basic_machine=i386-unknown
- os=-vsta
- ;;
- iris | iris4d)
- basic_machine=mips-sgi
- case $os in
- -irix*)
- ;;
- *)
- os=-irix4
- ;;
- esac
- ;;
- isi68 | isi)
- basic_machine=m68k-isi
- os=-sysv
- ;;
- m88k-omron*)
- basic_machine=m88k-omron
- ;;
- magnum | m3230)
- basic_machine=mips-mips
- os=-sysv
- ;;
- merlin)
- basic_machine=ns32k-utek
- os=-sysv
- ;;
- mingw32)
- basic_machine=i386-pc
- os=-mingw32
- ;;
- miniframe)
- basic_machine=m68000-convergent
- ;;
- *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
- basic_machine=m68k-atari
- os=-mint
- ;;
- mips3*-*)
- basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
- ;;
- mips3*)
- basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
- ;;
- monitor)
- basic_machine=m68k-rom68k
- os=-coff
- ;;
- morphos)
- basic_machine=powerpc-unknown
- os=-morphos
- ;;
- msdos)
- basic_machine=i386-pc
- os=-msdos
- ;;
- mvs)
- basic_machine=i370-ibm
- os=-mvs
- ;;
- ncr3000)
- basic_machine=i486-ncr
- os=-sysv4
- ;;
- netbsd386)
- basic_machine=i386-unknown
- os=-netbsd
- ;;
- netwinder)
- basic_machine=armv4l-rebel
- os=-linux
- ;;
- news | news700 | news800 | news900)
- basic_machine=m68k-sony
- os=-newsos
- ;;
- news1000)
- basic_machine=m68030-sony
- os=-newsos
- ;;
- news-3600 | risc-news)
- basic_machine=mips-sony
- os=-newsos
- ;;
- necv70)
- basic_machine=v70-nec
- os=-sysv
- ;;
- next | m*-next )
- basic_machine=m68k-next
- case $os in
- -nextstep* )
- ;;
- -ns2*)
- os=-nextstep2
- ;;
- *)
- os=-nextstep3
- ;;
- esac
- ;;
- nh3000)
- basic_machine=m68k-harris
- os=-cxux
- ;;
- nh[45]000)
- basic_machine=m88k-harris
- os=-cxux
- ;;
- nindy960)
- basic_machine=i960-intel
- os=-nindy
- ;;
- mon960)
- basic_machine=i960-intel
- os=-mon960
- ;;
- nonstopux)
- basic_machine=mips-compaq
- os=-nonstopux
- ;;
- np1)
- basic_machine=np1-gould
- ;;
- nsr-tandem)
- basic_machine=nsr-tandem
- ;;
- op50n-* | op60c-*)
- basic_machine=hppa1.1-oki
- os=-proelf
- ;;
- or32 | or32-*)
- basic_machine=or32-unknown
- os=-coff
- ;;
- os400)
- basic_machine=powerpc-ibm
- os=-os400
- ;;
- OSE68000 | ose68000)
- basic_machine=m68000-ericsson
- os=-ose
- ;;
- os68k)
- basic_machine=m68k-none
- os=-os68k
- ;;
- pa-hitachi)
- basic_machine=hppa1.1-hitachi
- os=-hiuxwe2
- ;;
- paragon)
- basic_machine=i860-intel
- os=-osf
- ;;
- pbd)
- basic_machine=sparc-tti
- ;;
- pbb)
- basic_machine=m68k-tti
- ;;
- pc532 | pc532-*)
- basic_machine=ns32k-pc532
- ;;
- pentium | p5 | k5 | k6 | nexgen | viac3)
- basic_machine=i586-pc
- ;;
- pentiumpro | p6 | 6x86 | athlon | athlon_*)
- basic_machine=i686-pc
- ;;
- pentiumii | pentium2 | pentiumiii | pentium3)
- basic_machine=i686-pc
- ;;
- pentium4)
- basic_machine=i786-pc
- ;;
- pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
- basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- pentiumpro-* | p6-* | 6x86-* | athlon-*)
- basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
- basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- pentium4-*)
- basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- pn)
- basic_machine=pn-gould
- ;;
- power) basic_machine=power-ibm
- ;;
- ppc) basic_machine=powerpc-unknown
- ;;
- ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ppcle | powerpclittle | ppc-le | powerpc-little)
- basic_machine=powerpcle-unknown
- ;;
- ppcle-* | powerpclittle-*)
- basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ppc64) basic_machine=powerpc64-unknown
- ;;
- ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ppc64le | powerpc64little | ppc64-le | powerpc64-little)
- basic_machine=powerpc64le-unknown
- ;;
- ppc64le-* | powerpc64little-*)
- basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
- ;;
- ps2)
- basic_machine=i386-ibm
- ;;
- pw32)
- basic_machine=i586-unknown
- os=-pw32
- ;;
- rom68k)
- basic_machine=m68k-rom68k
- os=-coff
- ;;
- rm[46]00)
- basic_machine=mips-siemens
- ;;
- rtpc | rtpc-*)
- basic_machine=romp-ibm
- ;;
- s390 | s390-*)
- basic_machine=s390-ibm
- ;;
- s390x | s390x-*)
- basic_machine=s390x-ibm
- ;;
- sa29200)
- basic_machine=a29k-amd
- os=-udi
- ;;
- sb1)
- basic_machine=mipsisa64sb1-unknown
- ;;
- sb1el)
- basic_machine=mipsisa64sb1el-unknown
- ;;
- sei)
- basic_machine=mips-sei
- os=-seiux
- ;;
- sequent)
- basic_machine=i386-sequent
- ;;
- sh)
- basic_machine=sh-hitachi
- os=-hms
- ;;
- sh64)
- basic_machine=sh64-unknown
- ;;
- sparclite-wrs | simso-wrs)
- basic_machine=sparclite-wrs
- os=-vxworks
- ;;
- sps7)
- basic_machine=m68k-bull
- os=-sysv2
- ;;
- spur)
- basic_machine=spur-unknown
- ;;
- st2000)
- basic_machine=m68k-tandem
- ;;
- stratus)
- basic_machine=i860-stratus
- os=-sysv4
- ;;
- sun2)
- basic_machine=m68000-sun
- ;;
- sun2os3)
- basic_machine=m68000-sun
- os=-sunos3
- ;;
- sun2os4)
- basic_machine=m68000-sun
- os=-sunos4
- ;;
- sun3os3)
- basic_machine=m68k-sun
- os=-sunos3
- ;;
- sun3os4)
- basic_machine=m68k-sun
- os=-sunos4
- ;;
- sun4os3)
- basic_machine=sparc-sun
- os=-sunos3
- ;;
- sun4os4)
- basic_machine=sparc-sun
- os=-sunos4
- ;;
- sun4sol2)
- basic_machine=sparc-sun
- os=-solaris2
- ;;
- sun3 | sun3-*)
- basic_machine=m68k-sun
- ;;
- sun4)
- basic_machine=sparc-sun
- ;;
- sun386 | sun386i | roadrunner)
- basic_machine=i386-sun
- ;;
- sv1)
- basic_machine=sv1-cray
- os=-unicos
- ;;
- symmetry)
- basic_machine=i386-sequent
- os=-dynix
- ;;
- t3e)
- basic_machine=alphaev5-cray
- os=-unicos
- ;;
- t90)
- basic_machine=t90-cray
- os=-unicos
- ;;
- tic54x | c54x*)
- basic_machine=tic54x-unknown
- os=-coff
- ;;
- tic55x | c55x*)
- basic_machine=tic55x-unknown
- os=-coff
- ;;
- tic6x | c6x*)
- basic_machine=tic6x-unknown
- os=-coff
- ;;
- tx39)
- basic_machine=mipstx39-unknown
- ;;
- tx39el)
- basic_machine=mipstx39el-unknown
- ;;
- toad1)
- basic_machine=pdp10-xkl
- os=-tops20
- ;;
- tower | tower-32)
- basic_machine=m68k-ncr
- ;;
- tpf)
- basic_machine=s390x-ibm
- os=-tpf
- ;;
- udi29k)
- basic_machine=a29k-amd
- os=-udi
- ;;
- ultra3)
- basic_machine=a29k-nyu
- os=-sym1
- ;;
- v810 | necv810)
- basic_machine=v810-nec
- os=-none
- ;;
- vaxv)
- basic_machine=vax-dec
- os=-sysv
- ;;
- vms)
- basic_machine=vax-dec
- os=-vms
- ;;
- vpp*|vx|vx-*)
- basic_machine=f301-fujitsu
- ;;
- vxworks960)
- basic_machine=i960-wrs
- os=-vxworks
- ;;
- vxworks68)
- basic_machine=m68k-wrs
- os=-vxworks
- ;;
- vxworks29k)
- basic_machine=a29k-wrs
- os=-vxworks
- ;;
- w65*)
- basic_machine=w65-wdc
- os=-none
- ;;
- w89k-*)
- basic_machine=hppa1.1-winbond
- os=-proelf
- ;;
- xps | xps100)
- basic_machine=xps100-honeywell
- ;;
- ymp)
- basic_machine=ymp-cray
- os=-unicos
- ;;
- z8k-*-coff)
- basic_machine=z8k-unknown
- os=-sim
- ;;
- none)
- basic_machine=none-none
- os=-none
- ;;
-
-# Here we handle the default manufacturer of certain CPU types. It is in
-# some cases the only manufacturer, in others, it is the most popular.
- w89k)
- basic_machine=hppa1.1-winbond
- ;;
- op50n)
- basic_machine=hppa1.1-oki
- ;;
- op60c)
- basic_machine=hppa1.1-oki
- ;;
- romp)
- basic_machine=romp-ibm
- ;;
- mmix)
- basic_machine=mmix-knuth
- ;;
- rs6000)
- basic_machine=rs6000-ibm
- ;;
- vax)
- basic_machine=vax-dec
- ;;
- pdp10)
- # there are many clones, so DEC is not a safe bet
- basic_machine=pdp10-unknown
- ;;
- pdp11)
- basic_machine=pdp11-dec
- ;;
- we32k)
- basic_machine=we32k-att
- ;;
- sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
- basic_machine=sh-unknown
- ;;
- sh64)
- basic_machine=sh64-unknown
- ;;
- sparc | sparcv8 | sparcv9 | sparcv9b)
- basic_machine=sparc-sun
- ;;
- cydra)
- basic_machine=cydra-cydrome
- ;;
- orion)
- basic_machine=orion-highlevel
- ;;
- orion105)
- basic_machine=clipper-highlevel
- ;;
- mac | mpw | mac-mpw)
- basic_machine=m68k-apple
- ;;
- pmac | pmac-mpw)
- basic_machine=powerpc-apple
- ;;
- *-unknown)
- # Make sure to match an already-canonicalized machine name.
- ;;
- *)
- echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
- exit 1
- ;;
-esac
-
-# Here we canonicalize certain aliases for manufacturers.
-case $basic_machine in
- *-digital*)
- basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
- ;;
- *-commodore*)
- basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
- ;;
- *)
- ;;
-esac
-
-# Decode manufacturer-specific aliases for certain operating systems.
-
-if [ x"$os" != x"" ]
-then
-case $os in
- # First match some system type aliases
- # that might get confused with valid system types.
- # -solaris* is a basic system type, with this one exception.
- -solaris1 | -solaris1.*)
- os=`echo $os | sed -e 's|solaris1|sunos4|'`
- ;;
- -solaris)
- os=-solaris2
- ;;
- -svr4*)
- os=-sysv4
- ;;
- -unixware*)
- os=-sysv4.2uw
- ;;
- -gnu/linux*)
- os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
- ;;
- # First accept the basic system types.
- # The portable systems comes first.
- # Each alternative MUST END IN A *, to match a version number.
- # -sysv* is not here because it comes later, after sysvr4.
- -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
- | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
- | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
- | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
- | -aos* \
- | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
- | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
- | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \
- | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
- | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
- | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
- | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
- | -chorusos* | -chorusrdb* \
- | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
- | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
- | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
- | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
- | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
- | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
- | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*)
- # Remember, each alternative MUST END IN *, to match a version number.
- ;;
- -qnx*)
- case $basic_machine in
- x86-* | i*86-*)
- ;;
- *)
- os=-nto$os
- ;;
- esac
- ;;
- -nto-qnx*)
- ;;
- -nto*)
- os=`echo $os | sed -e 's|nto|nto-qnx|'`
- ;;
- -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
- | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
- | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
- ;;
- -mac*)
- os=`echo $os | sed -e 's|mac|macos|'`
- ;;
- -linux-dietlibc)
- os=-linux-dietlibc
- ;;
- -linux*)
- os=`echo $os | sed -e 's|linux|linux-gnu|'`
- ;;
- -sunos5*)
- os=`echo $os | sed -e 's|sunos5|solaris2|'`
- ;;
- -sunos6*)
- os=`echo $os | sed -e 's|sunos6|solaris3|'`
- ;;
- -opened*)
- os=-openedition
- ;;
- -os400*)
- os=-os400
- ;;
- -wince*)
- os=-wince
- ;;
- -osfrose*)
- os=-osfrose
- ;;
- -osf*)
- os=-osf
- ;;
- -utek*)
- os=-bsd
- ;;
- -dynix*)
- os=-bsd
- ;;
- -acis*)
- os=-aos
- ;;
- -atheos*)
- os=-atheos
- ;;
- -syllable*)
- os=-syllable
- ;;
- -386bsd)
- os=-bsd
- ;;
- -ctix* | -uts*)
- os=-sysv
- ;;
- -nova*)
- os=-rtmk-nova
- ;;
- -ns2 )
- os=-nextstep2
- ;;
- -nsk*)
- os=-nsk
- ;;
- # Preserve the version number of sinix5.
- -sinix5.*)
- os=`echo $os | sed -e 's|sinix|sysv|'`
- ;;
- -sinix*)
- os=-sysv4
- ;;
- -tpf*)
- os=-tpf
- ;;
- -triton*)
- os=-sysv3
- ;;
- -oss*)
- os=-sysv3
- ;;
- -svr4)
- os=-sysv4
- ;;
- -svr3)
- os=-sysv3
- ;;
- -sysvr4)
- os=-sysv4
- ;;
- # This must come after -sysvr4.
- -sysv*)
- ;;
- -ose*)
- os=-ose
- ;;
- -es1800*)
- os=-ose
- ;;
- -xenix)
- os=-xenix
- ;;
- -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
- os=-mint
- ;;
- -aros*)
- os=-aros
- ;;
- -kaos*)
- os=-kaos
- ;;
- -none)
- ;;
- *)
- # Get rid of the `-' at the beginning of $os.
- os=`echo $os | sed 's/[^-]*-//'`
- echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
- exit 1
- ;;
-esac
-else
-
-# Here we handle the default operating systems that come with various machines.
-# The value should be what the vendor currently ships out the door with their
-# machine or put another way, the most popular os provided with the machine.
-
-# Note that if you're going to try to match "-MANUFACTURER" here (say,
-# "-sun"), then you have to tell the case statement up towards the top
-# that MANUFACTURER isn't an operating system. Otherwise, code above
-# will signal an error saying that MANUFACTURER isn't an operating
-# system, and we'll never get to this point.
-
-case $basic_machine in
- *-acorn)
- os=-riscix1.2
- ;;
- arm*-rebel)
- os=-linux
- ;;
- arm*-semi)
- os=-aout
- ;;
- c4x-* | tic4x-*)
- os=-coff
- ;;
- # This must come before the *-dec entry.
- pdp10-*)
- os=-tops20
- ;;
- pdp11-*)
- os=-none
- ;;
- *-dec | vax-*)
- os=-ultrix4.2
- ;;
- m68*-apollo)
- os=-domain
- ;;
- i386-sun)
- os=-sunos4.0.2
- ;;
- m68000-sun)
- os=-sunos3
- # This also exists in the configure program, but was not the
- # default.
- # os=-sunos4
- ;;
- m68*-cisco)
- os=-aout
- ;;
- mips*-cisco)
- os=-elf
- ;;
- mips*-*)
- os=-elf
- ;;
- or32-*)
- os=-coff
- ;;
- *-tti) # must be before sparc entry or we get the wrong os.
- os=-sysv3
- ;;
- sparc-* | *-sun)
- os=-sunos4.1.1
- ;;
- *-be)
- os=-beos
- ;;
- *-ibm)
- os=-aix
- ;;
- *-knuth)
- os=-mmixware
- ;;
- *-wec)
- os=-proelf
- ;;
- *-winbond)
- os=-proelf
- ;;
- *-oki)
- os=-proelf
- ;;
- *-hp)
- os=-hpux
- ;;
- *-hitachi)
- os=-hiux
- ;;
- i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
- os=-sysv
- ;;
- *-cbm)
- os=-amigaos
- ;;
- *-dg)
- os=-dgux
- ;;
- *-dolphin)
- os=-sysv3
- ;;
- m68k-ccur)
- os=-rtu
- ;;
- m88k-omron*)
- os=-luna
- ;;
- *-next )
- os=-nextstep
- ;;
- *-sequent)
- os=-ptx
- ;;
- *-crds)
- os=-unos
- ;;
- *-ns)
- os=-genix
- ;;
- i370-*)
- os=-mvs
- ;;
- *-next)
- os=-nextstep3
- ;;
- *-gould)
- os=-sysv
- ;;
- *-highlevel)
- os=-bsd
- ;;
- *-encore)
- os=-bsd
- ;;
- *-sgi)
- os=-irix
- ;;
- *-siemens)
- os=-sysv4
- ;;
- *-masscomp)
- os=-rtu
- ;;
- f30[01]-fujitsu | f700-fujitsu)
- os=-uxpv
- ;;
- *-rom68k)
- os=-coff
- ;;
- *-*bug)
- os=-coff
- ;;
- *-apple)
- os=-macos
- ;;
- *-atari*)
- os=-mint
- ;;
- *)
- os=-none
- ;;
-esac
-fi
-
-# Here we handle the case where we know the os, and the CPU type, but not the
-# manufacturer. We pick the logical manufacturer.
-vendor=unknown
-case $basic_machine in
- *-unknown)
- case $os in
- -riscix*)
- vendor=acorn
- ;;
- -sunos*)
- vendor=sun
- ;;
- -aix*)
- vendor=ibm
- ;;
- -beos*)
- vendor=be
- ;;
- -hpux*)
- vendor=hp
- ;;
- -mpeix*)
- vendor=hp
- ;;
- -hiux*)
- vendor=hitachi
- ;;
- -unos*)
- vendor=crds
- ;;
- -dgux*)
- vendor=dg
- ;;
- -luna*)
- vendor=omron
- ;;
- -genix*)
- vendor=ns
- ;;
- -mvs* | -opened*)
- vendor=ibm
- ;;
- -os400*)
- vendor=ibm
- ;;
- -ptx*)
- vendor=sequent
- ;;
- -tpf*)
- vendor=ibm
- ;;
- -vxsim* | -vxworks* | -windiss*)
- vendor=wrs
- ;;
- -aux*)
- vendor=apple
- ;;
- -hms*)
- vendor=hitachi
- ;;
- -mpw* | -macos*)
- vendor=apple
- ;;
- -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
- vendor=atari
- ;;
- -vos*)
- vendor=stratus
- ;;
- esac
- basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
- ;;
-esac
-
-echo $basic_machine$os
-exit 0
-
-# Local variables:
-# eval: (add-hook 'write-file-hooks 'time-stamp)
-# time-stamp-start: "timestamp='"
-# time-stamp-format: "%:y-%02m-%02d"
-# time-stamp-end: "'"
-# End:
diff --git a/contrib/bind9/config.threads.in b/contrib/bind9/config.threads.in
deleted file mode 100644
index f2816c447fb2..000000000000
--- a/contrib/bind9/config.threads.in
+++ /dev/null
@@ -1,152 +0,0 @@
-#
-# Begin pthreads checking.
-#
-# First, decide whether to use multithreading or not.
-#
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-AC_MSG_CHECKING(whether to build with thread support)
-
-case $host in
-*-dec-osf*)
- use_threads=true ;;
-[*-solaris2.[0-6]])
- # Thread signals are broken on Solaris 2.6; they are sometimes
- # delivered to the wrong thread.
- use_threads=false ;;
-*-solaris*)
- use_threads=true ;;
-*-ibm-aix*)
- use_threads=true ;;
-*-hp-hpux10*)
- use_threads=false ;;
-*-hp-hpux11*)
- use_threads=true ;;
-*-sgi-irix*)
- use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
- # UnixWare
- use_threads=false ;;
-*-*-sysv*OpenUNIX*)
- # UnixWare
- use_threads=true ;;
-*-netbsd*)
- if test -r /usr/lib/libpthread.so ; then
- use_threads=true
- else
- # Socket I/O optimizations introduced in 9.2 expose a
- # bug in unproven-pthreads; see PR #12650
- use_threads=false
- fi
- ;;
-*-openbsd*)
- # OpenBSD users have reported that named dumps core on
- # startup when built with threads.
- use_threads=false ;;
-*-freebsd*)
- use_threads=false ;;
-*-bsdi[234]*)
- # Thread signals do not work reliably on some versions of BSD/OS.
- use_threads=false ;;
-*-bsdi5*)
- use_threads=true ;;
-*-linux*)
- # Threads are disabled on Linux by default because most
- # Linux kernels produce unusable core dumps from multithreaded
- # programs, and because of limitations in setuid().
- use_threads=false ;;
-*)
- use_threads=false ;;
-esac
-
-AC_ARG_ENABLE(threads,
- [ --enable-threads enable multithreading])
-case "$enable_threads" in
- yes)
- use_threads=true
- ;;
- no)
- use_threads=false
- ;;
- '')
- # Use system-dependent default
- ;;
- *)
- AC_MSG_ERROR([--enable-threads takes yes or no])
- ;;
-esac
-
-if $use_threads
-then
- AC_MSG_RESULT(yes)
-else
- AC_MSG_RESULT(no)
-fi
-
-if $use_threads
-then
- #
- # Search for / configure pthreads in a system-dependent fashion.
- #
- case "$host" in
- *-netbsd*)
- # NetBSD has multiple pthreads implementations. The
- # recommended one to use is "unproven-pthreads". The
- # older "mit-pthreads" may also work on some NetBSD
- # versions. The PTL2 thread library does not
- # currently work with bind9, but can be chosen with
- # the --with-ptl2 option for those who wish to
- # experiment with it.
- CC="gcc"
- AC_MSG_CHECKING(which NetBSD thread library to use)
-
- AC_ARG_WITH(ptl2,
-[ --with-ptl2 on NetBSD, use the ptl2 thread library (experimental)],
- use_ptl2="$withval", use_ptl2="no")
-
- : ${LOCALBASE:=/usr/pkg}
-
- if test "X$use_ptl2" = "Xyes"
- then
- AC_MSG_RESULT(PTL2)
- AC_MSG_WARN(
-[linking with PTL2 is highly experimental and not expected to work])
- CC=ptlgcc
- else
- if test -r /usr/lib/libpthread.so
- then
- AC_MSG_RESULT(native)
- LIBS="-lpthread $LIBS"
- else
- if test ! -d $LOCALBASE/pthreads
- then
- AC_MSG_RESULT(none)
- AC_MSG_ERROR("could not find thread libraries")
- fi
-
- if $use_threads
- then
- AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
- pkg="$LOCALBASE/pthreads"
- lib1="-L$pkg/lib -Wl,-R$pkg/lib"
- lib2="-lpthread -lm -lgcc -lpthread"
- LIBS="$lib1 $lib2 $LIBS"
- CPPFLAGS="$CPPFLAGS -I$pkg/include"
- STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
- fi
- fi
- fi
- ;;
- *)
- AC_CHECK_LIB(pthread, pthread_create,,
- AC_CHECK_LIB(pthread, __pthread_create,,
- AC_CHECK_LIB(pthread, __pthread_create_system,,
- AC_CHECK_LIB(c_r, pthread_create,,
- AC_CHECK_LIB(c, pthread_create,,
- AC_MSG_ERROR("could not find thread libraries"))))))
- ;;
- esac
-fi
diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
deleted file mode 100644
index b14b489bb2b7..000000000000
--- a/contrib/bind9/configure.in
+++ /dev/null
@@ -1,2122 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-dnl
-AC_DIVERT_PUSH(1)dnl
-esyscmd([sed "s/^/# /" COPYRIGHT])dnl
-AC_DIVERT_POP()dnl
-
-AC_REVISION($Revision: 1.294.2.23.2.51 $)
-
-AC_INIT(lib/dns/name.c)
-AC_PREREQ(2.13)
-
-AC_CONFIG_HEADER(config.h)
-AC_CONFIG_SUBDIRS(lib/bind)
-
-AC_CANONICAL_HOST
-
-AC_PROG_MAKE_SET
-AC_PROG_RANLIB
-AC_PROG_INSTALL
-
-AC_SUBST(STD_CINCLUDES)
-AC_SUBST(STD_CDEFINES)
-AC_SUBST(STD_CWARNINGS)
-AC_SUBST(CCOPT)
-
-AC_PATH_PROG(AR, ar)
-ARFLAGS="cruv"
-AC_SUBST(AR)
-AC_SUBST(ARFLAGS)
-
-# The POSIX ln(1) program. Non-POSIX systems may substitute
-# "copy" or something.
-LN=ln
-AC_SUBST(LN)
-
-case "$AR" in
- "")
- AC_MSG_ERROR([
-ar program not found. Please fix your PATH to include the directory in
-which ar resides, or set AR in the environment with the full path to ar.
-])
-
- ;;
-esac
-
-#
-# Etags.
-#
-AC_PATH_PROGS(ETAGS, etags emacs-etags)
-
-#
-# Some systems, e.g. RH7, have the Exuberant Ctags etags instead of
-# GNU emacs etags, and it requires the -L flag.
-#
-if test "X$ETAGS" != "X"; then
- AC_MSG_CHECKING(for Exuberant Ctags etags)
- if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
- AC_MSG_RESULT(yes)
- ETAGS="$ETAGS -L"
- else
- AC_MSG_RESULT(no)
- fi
-fi
-AC_SUBST(ETAGS)
-
-#
-# Perl is optional; it is used only by some of the system test scripts.
-#
-AC_PATH_PROGS(PERL, perl5 perl)
-AC_SUBST(PERL)
-
-#
-# Special processing of paths depending on whether --prefix,
-# --sysconfdir or --localstatedir arguments were given. What's
-# desired is some compatibility with the way previous versions
-# of BIND built; they defaulted to /usr/local for most parts of
-# the installation, but named.boot/named.conf was in /etc
-# and named.pid was in /var/run.
-#
-# So ... if none of --prefix, --sysconfdir or --localstatedir are
-# specified, set things up that way. If --prefix is given, use
-# it for sysconfdir and localstatedir the way configure normally
-# would. To change the prefix for everything but leave named.conf
-# in /etc or named.pid in /var/run, then do this the usual configure way:
-# ./configure --prefix=/somewhere --sysconfdir=/etc
-# ./configure --prefix=/somewhere --localstatedir=/var
-#
-# To put named.conf and named.pid in /usr/local with everything else,
-# set the prefix explicitly to /usr/local even though that's the default:
-# ./configure --prefix=/usr/local
-#
-case "$prefix" in
- NONE)
- case "$sysconfdir" in
- '${prefix}/etc')
- sysconfdir=/etc
- ;;
- esac
- case "$localstatedir" in
- '${prefix}/var')
- localstatedir=/var
- ;;
- esac
- ;;
-esac
-
-#
-# Make sure INSTALL uses an absolute path, else it will be wrong in all
-# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
-# configure based on the location of the file where it is substituted.
-# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
-# subdirectory of install-sh, This relative path will be wrong for all
-# directories more than one level down from install-sh.
-#
-case "$INSTALL" in
- /*)
- ;;
- *)
- #
- # Not all systems have dirname.
- #
- changequote({, })
- ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
- changequote([, ])
-
- ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
- test "$ac_dir" = "$ac_prog" && ac_dir=.
- test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
- INSTALL="$ac_dir/$ac_prog"
- ;;
-esac
-
-#
-# On these hosts, we really want to use cc, not gcc, even if it is
-# found. The gcc that these systems have will not correctly handle
-# pthreads.
-#
-# However, if the user sets $CC to be something, let that override
-# our change.
-#
-if test "X$CC" = "X" ; then
- case "$host" in
- *-dec-osf*)
- CC="cc"
- ;;
- *-solaris*)
- # Use Sun's cc if it is available, but watch
- # out for /usr/ucb/cc; it will never be the right
- # compiler to use.
- #
- # If setting CC here fails, the AC_PROG_CC done
- # below might still find gcc.
- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
- for ac_dir in $PATH; do
- test -z "$ac_dir" && ac_dir=.
- case "$ac_dir" in
- /usr/ucb)
- # exclude
- ;;
- *)
- if test -f "$ac_dir/cc"; then
- CC="$ac_dir/cc"
- break
- fi
- ;;
- esac
- done
- IFS="$ac_save_ifs"
- ;;
- *-hp-hpux*)
- CC="cc"
- ;;
- mips-sgi-irix*)
- CC="cc"
- ;;
- esac
-fi
-
-AC_PROG_CC
-
-#
-# gcc's optimiser is broken at -02 for ultrasparc
-#
-if test "$ac_env_CFLAGS_set" != set -a "X$GCC" = "Xyes"; then
- case "$host" in
- sparc-*)
- CCFLAGS="-g -O1"
- ;;
- esac
-fi
-
-#
-# OS dependent CC flags
-#
-case "$host" in
- # OSF 5.0: recv/send are only avaliable with -D_POSIX_PII_SOCKET or
- # -D_XOPEN_SOURCE_EXTENDED.
- *-dec-osf*)
- STD_CDEFINES="$STD_CDEFINES -D_POSIX_PII_SOCKET"
- CPPFLAGS="$CPPFLAGS -D_POSIX_PII_SOCKET"
- ;;
- #HP-UX: need -D_XOPEN_SOURCE_EXTENDED and -lxnet for CMSG macros
- *-hp-hpux*)
- STD_CDEFINES="$STD_CDEFINES -D_XOPEN_SOURCE_EXTENDED"
- CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE_EXTENDED"
- LIBS="-lxnet $LIBS"
- ;;
- # Solaris: need -D_XPG4_2 and -D__EXTENSIONS__ for CMSG macros
- *-solaris*)
- STD_CDEFINES="$STD_CDEFINES -D_XPG4_2 -D__EXTENSIONS__"
- CPPFLAGS="$CPPFLAGS -D_XPG4_2 -D__EXTENSIONS__"
- ;;
-esac
-
-AC_HEADER_STDC
-
-AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
-[$ac_includes_default
-#ifdef HAVE_SYS_PARAM_H
-# include <sys/param.h>
-#endif
-])
-
-AC_C_CONST
-AC_C_INLINE
-AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME))
-
-#
-# UnixWare 7.1.1 with the feature supplement to the UDK compiler
-# is reported to not support "static inline" (RT #1212).
-#
-AC_MSG_CHECKING(for static inline breakage)
-AC_TRY_COMPILE(, [
- foo1();
- }
-
- static inline int foo1() {
- return 0;
- }
-
- static inline int foo2() {
- return foo1();
- ],
- [AC_MSG_RESULT(no)],
- [AC_MSG_RESULT(yes)
- AC_DEFINE(inline, )])
-
-AC_TYPE_SIZE_T
-AC_CHECK_TYPE(ssize_t, int)
-AC_CHECK_TYPE(uintptr_t,unsigned long)
-AC_CHECK_TYPE(socklen_t,
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, socklen_t)],
-[
-AC_TRY_COMPILE(
-[
-#include <sys/types.h>
-#include <sys/socket.h>
-int getsockname(int, struct sockaddr *, size_t *);
-],[],
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, size_t)],
-[AC_DEFINE(ISC_SOCKADDR_LEN_T, int)])
-],
-[
-#include <sys/types.h>
-#include <sys/socket.h>
-])
-AC_SUBST(ISC_SOCKADDR_LEN_T)
-AC_HEADER_TIME
-AC_MSG_CHECKING(for long long)
-AC_TRY_COMPILE([],[long long i = 0; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVELONGLONG="#define ISC_PLATFORM_HAVELONGLONG 1"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_HAVELONGLONG="#undef ISC_PLATFORM_HAVELONGLONG"])
-AC_SUBST(ISC_PLATFORM_HAVELONGLONG)
-
-#
-# check if we have lifconf
-#
-AC_MSG_CHECKING(for struct lifconf)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <net/if.h>
-],
-[
-struct lifconf lifconf;
-lifconf.lifc_len = 0;
-]
-,
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVELIFCONF="#define ISC_PLATFORM_HAVELIFCONF 1"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_HAVELIFCONF="#undef ISC_PLATFORM_HAVELIFCONF"])
-AC_SUBST(ISC_PLATFORM_HAVELIFCONF)
-
-
-#
-# check if we need to #include sys/select.h explicitly
-#
-case $ac_cv_header_unistd_h in
-yes)
-AC_MSG_CHECKING(if unistd.h or sys/types.h defines fd_set)
-AC_TRY_COMPILE([
-#include <sys/types.h> /* Ultrix */
-#include <unistd.h>],
-[fd_set read_set; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
- LWRES_PLATFORM_NEEDSYSSELECTH="#undef LWRES_PLATFORM_NEEDSYSSELECTH"],
- [AC_MSG_RESULT(no)
- case $ac_cv_header_sys_select_h in
- yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
- LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
- ;;
- no)
- AC_MSG_ERROR([need either working unistd.h or sys/select.h])
- ;;
- esac
- ])
- ;;
-no)
- case $ac_cv_header_sys_select_h in
- yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
- LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
- ;;
- no)
- AC_MSG_ERROR([need either unistd.h or sys/select.h])
- ;;
- esac
- ;;
-esac
-AC_SUBST(ISC_PLATFORM_NEEDSYSSELECTH)
-AC_SUBST(LWRES_PLATFORM_NEEDSYSSELECTH)
-
-#
-# Find the machine's endian flavor.
-#
-AC_C_BIGENDIAN
-
-#
-# was --with-openssl specified?
-#
-AC_MSG_CHECKING(for OpenSSL library)
-AC_ARG_WITH(openssl,
-[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].
- (Required for DNSSEC)],
- use_openssl="$withval", use_openssl="auto")
-
-openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg"
-if test "$use_openssl" = "auto"
-then
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
-fi
-case "$use_openssl" in
- no)
- AC_MSG_RESULT(no)
- DST_OPENSSL_INC=""
- USE_OPENSSL=""
- ;;
- auto)
- DST_OPENSSL_INC=""
- USE_OPENSSL=""
- AC_MSG_RESULT(not found)
- ;;
- *)
- if test "$use_openssl" = "yes"
- then
- # User did not specify a path - guess it
- for d in $openssldirs
- do
- if test -f $d/include/openssl/opensslv.h
- then
- use_openssl=$d
- break
- fi
- done
- if test "$use_openssl" = "yes"
- then
- AC_MSG_RESULT(not found)
- AC_MSG_ERROR(
-[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
- fi
- fi
- USE_OPENSSL='-DOPENSSL'
- if test "$use_openssl" = "/usr"
- then
- DST_OPENSSL_INC=""
- DNS_OPENSSL_LIBS="-lcrypto"
- else
- DST_OPENSSL_INC="-I$use_openssl/include"
- case $host in
- *-solaris*)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
- ;;
- *)
- DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
- ;;
- esac
- fi
- AC_MSG_RESULT(using openssl from $use_openssl/lib and $use_openssl/include)
-
- saved_cflags="$CFLAGS"
- saved_libs="$LIBS"
- CFLAGS="$CFLAGS $DST_OPENSSL_INC"
- LIBS="$LIBS $DNS_OPENSSL_LIBS"
- AC_MSG_CHECKING(whether linking with OpenSSL works)
- AC_TRY_RUN([
-#include <openssl/err.h>
-int main() {
- ERR_clear_error();
- return (0);
-}
-],
- [AC_MSG_RESULT(yes)],
- [AC_MSG_RESULT(no)
- AC_MSG_ERROR(Could not run test program using OpenSSL from
-$use_openssl/lib and $use_openssl/include.
-Please check the argument to --with-openssl and your
-shared library configuration (e.g., LD_LIBRARY_PATH).)],
- [AC_MSG_RESULT(assuming it does work on target platform)])
-
- AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
- AC_TRY_LINK([
-#include <openssl/err.h>],
-[ DSO_METHOD_dlfcn(); ],
- [AC_MSG_RESULT(no)],
- [LIBS="$LIBS -ldl"
- AC_TRY_LINK([
-#include <openssl/err.h>
-],[ DSO_METHOD_dlfcn(); ],
- [AC_MSG_RESULT(yes)
- DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
- ],
- [AC_MSG_RESULT(unknown)
- AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
- [AC_MSG_RESULT(assuming it does work on target platform)])
- ],
- [AC_MSG_RESULT(assuming it does work on target platform)]
- )
-
-#
-# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may
-# have a patched library otherwise check that we are greater than
-# the fixed versions
-#
- AC_CHECK_FUNC(OpenSSLDie,
- AC_MSG_CHECKING(OpenSSL library version)
- AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
- if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
- return (0);
- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
- return (1);
-}
-],
- [AC_MSG_RESULT(ok)],
- [AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
- [AC_MSG_RESULT(assuming target platform has compatible version)])
- ,
- AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
- AC_MSG_CHECKING(OpenSSL library version)
- AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
- if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
- OPENSSL_VERSION_NUMBER < 0x009070000L) ||
- OPENSSL_VERSION_NUMBER >= 0x00907003L)
- return (0);
- printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
- OPENSSL_VERSION_NUMBER);
- printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
- "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
- return (1);
-}
-],
- [AC_MSG_RESULT(ok)],
- [AC_MSG_RESULT(not compatible)
- AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
- [AC_MSG_RESULT(assuming target platform has compatible version)]))
- AC_MSG_CHECKING(for OpenSSL DSA support)
- if test -f $use_openssl/include/openssl/dsa.h
- then
- AC_DEFINE(HAVE_OPENSSL_DSA)
- AC_MSG_RESULT(yes)
- else
- AC_MSG_RESULT(no)
- fi
- CFLAGS="$saved_cflags"
- LIBS="$saved_libs"
- ;;
-esac
-
-#
-# This would include the system openssl path (and linker options to use
-# it as needed) if it is found.
-#
-
-AC_SUBST(USE_OPENSSL)
-AC_SUBST(DST_OPENSSL_INC)
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
-
-#
-# was --with-gssapi specified?
-#
-#AC_MSG_CHECKING(for GSSAPI library)
-#AC_ARG_WITH(gssapi,
-#[ --with-gssapi=PATH Specify path for system-supplied GSSAPI],
-# use_gssapi="$withval", use_gssapi="no")
-#
-#case "$use_gssapi" in
-# no)
-# USE_GSSAPI=''
-# DST_GSSAPI_INC=''
-# DNS_GSSAPI_LIBS=''
-# AC_MSG_RESULT(not specified)
-# ;;
-# yes)
-# AC_MSG_ERROR([--with-gssapi must specify a path])
-# ;;
-# *)
-# USE_GSSAPI='-DGSSAPI'
-# DST_GSSAPI_INC="-I$use_gssapi/include"
-# DNS_GSSAPI_LIBS="-L$use_gssapi/lib -lgssapi_krb5"
-# AC_MSG_RESULT(using gssapi from $use_gssapi/lib and $use_gssapi/include)
-# ;;
-#esac
-
-USE_GSSAPI=''
-DST_GSSAPI_INC=''
-DNS_GSSAPI_LIBS=''
-
-AC_SUBST(USE_GSSAPI)
-AC_SUBST(DST_GSSAPI_INC)
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_GSSAPI_LIBS"
-
-#
-# Applications linking with libdns also need to link with these libraries.
-#
-
-AC_SUBST(DNS_CRYPTO_LIBS)
-
-#
-# was --with-randomdev specified?
-#
-AC_MSG_CHECKING(for random device)
-AC_ARG_WITH(randomdev,
-[ --with-randomdev=PATH Specify path for random device],
- use_randomdev="$withval", use_randomdev="unspec")
-
-case "$use_randomdev" in
- unspec)
- case "$host" in
- *-openbsd*)
- devrandom=/dev/arandom
- ;;
- *)
- devrandom=/dev/random
- ;;
- esac
- AC_MSG_RESULT($devrandom)
- AC_CHECK_FILE($devrandom,
- AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
- "$devrandom"),)
- ;;
- yes)
- AC_MSG_ERROR([--with-randomdev must specify a path])
- ;;
- no)
- AC_MSG_RESULT(disabled)
- ;;
- *)
- AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
- AC_MSG_RESULT(using "$use_randomdev")
- ;;
-esac
-
-#
-# Do we have arc4random() ?
-#
-AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
-
-sinclude(config.threads.in)dnl
-
-if $use_threads
-then
- #
- # We'd like to use sigwait() too
- #
- AC_CHECK_LIB(c, sigwait,
- AC_DEFINE(HAVE_SIGWAIT),
- AC_CHECK_LIB(pthread, sigwait,
- AC_DEFINE(HAVE_SIGWAIT),
- AC_CHECK_LIB(pthread, _Psigwait,
- AC_DEFINE(HAVE_SIGWAIT),))
- )
-
- AC_CHECK_FUNC(pthread_attr_getstacksize,
- AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
-
- AC_CHECK_FUNC(pthread_attr_setstacksize,
- AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
-
- #
- # Additional OS-specific issues related to pthreads and sigwait.
- #
- case "$host" in
- #
- # One more place to look for sigwait.
- #
- *-freebsd*)
- AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
- case $host in
- *-freebsd5.[[012]]|*-freebsd5.[[012]].*);;
- *-freebsd5.[[3456789]]|*-freebsd5.[[3456789]].*)
- AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
- ;;
- *-freebsd6.*)
- AC_DEFINE(NEED_PTHREAD_SCOPE_SYSTEM)
- ;;
- esac
- ;;
- #
- # BSDI 3.0 through 4.0.1 needs pthread_init() to be
- # called before certain pthreads calls. This is deprecated
- # in BSD/OS 4.1.
- #
- *-bsdi3.*|*-bsdi4.0*)
- AC_DEFINE(NEED_PTHREAD_INIT)
- ;;
- #
- # LinuxThreads requires some changes to the way we
- # deal with signals.
- #
- *-linux*)
- AC_DEFINE(HAVE_LINUXTHREADS)
- ;;
- #
- # Ensure the right sigwait() semantics on Solaris and make
- # sure we call pthread_setconcurrency.
- #
- *-solaris*)
- AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
- AC_CHECK_FUNC(pthread_setconcurrency,
- AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
- ;;
- #
- # UnixWare does things its own way.
- #
- *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
- ;;
- esac
-
- #
- # Look for sysconf to allow detection of the number of processors.
- #
- AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
-
- if test "X$GCC" = "Xyes"; then
- case "$host" in
- *-freebsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-openbsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- ;;
- *-solaris*)
- LIBS="$LIBS -lthread"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- esac
- else
- case $host in
- *-dec-osf*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- ;;
- *-solaris*)
- CC="$CC -mt"
- CCOPT="$CCOPT -mt"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-sco-sysv*uw*|*-*-sysv*UnixWare*)
- CC="$CC -Kthread"
- CCOPT="$CCOPT -Kthread"
- ;;
- *-*-sysv*OpenUNIX*)
- CC="$CC -Kpthread"
- CCOPT="$CCOPT -Kpthread"
- ;;
- esac
- fi
- ALWAYS_DEFINES="-D_REENTRANT"
- ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
- thread_dir=pthreads
-else
- ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
- thread_dir=nothreads
- ALWAYS_DEFINES=""
-fi
-
-AC_SUBST(ALWAYS_DEFINES)
-AC_SUBST(ISC_PLATFORM_USETHREADS)
-ISC_THREAD_DIR=$thread_dir
-AC_SUBST(ISC_THREAD_DIR)
-
-#
-# In solaris 10, SMF can manage named service
-#
-AC_CHECK_LIB(scf, smf_enable_instance)
-
-#
-# flockfile is usually provided by pthreads, but we may want to use it
-# even if compiled with --disable-threads. getc_unlocked might also not
-# be defined.
-#
-AC_CHECK_FUNC(flockfile, AC_DEFINE(HAVE_FLOCKFILE),)
-AC_CHECK_FUNC(getc_unlocked, AC_DEFINE(HAVE_GETCUNLOCKED),)
-
-#
-# Indicate what the final decision was regarding threads.
-#
-AC_MSG_CHECKING(whether to build with threads)
-if $use_threads; then
- AC_MSG_RESULT(yes)
-else
- AC_MSG_RESULT(no)
-fi
-
-#
-# End of pthreads stuff.
-#
-
-#
-# Large File
-#
-AC_ARG_ENABLE(largefile, [ --enable-largefile 64-bit file support],
- want_largefile="yes", want_largefile="no")
-case $want_largefile in
- yes)
- ALWAYS_DEFINES="$ALWAYS_DEFINES -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
- ;;
- *)
- ;;
-esac
-
-#
-# Additional compiler settings.
-#
-MKDEPCC="$CC"
-MKDEPCFLAGS="-M"
-IRIX_DNSSEC_WARNINGS_HACK=""
-
-if test "X$GCC" = "Xyes"; then
- STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
- case "$host" in
- *-hp-hpux*)
- LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
- ;;
- esac
-else
- case $host in
- *-dec-osf*)
- CC="$CC -std"
- CCOPT="$CCOPT -std"
- MKDEPCC="$CC"
- ;;
- *-hp-hpux*)
- CC="$CC -Ae -z"
- # The version of the C compiler that constantly warns about
- # 'const' as well as alignment issues is unfortunately not
- # able to be discerned via the version of the operating
- # system, nor does cc have a version flag.
- case "`$CC +W 123 2>&1`" in
- *Unknown?option*)
- STD_CWARNINGS="+w1"
- ;;
- *)
- # Turn off the pointlessly noisy warnings.
- STD_CWARNINGS="+w1 +W 474,530,2193,2236"
- ;;
- esac
- CCOPT="$CCOPT -Ae -z"
- LDFLAGS="-Wl,+vnocompatwarnings $LDFLAGS"
- MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
- ;;
- *-sgi-irix*)
- STD_CWARNINGS="-fullwarn -woff 1209"
- #
- # Silence more than 250 instances of
- # "prototyped function redeclared without prototype"
- # and 11 instances of
- # "variable ... was set but never used"
- # from lib/dns/sec/openssl.
- #
- IRIX_DNSSEC_WARNINGS_HACK="-woff 1692,1552"
- ;;
- *-solaris*)
- MKDEPCFLAGS="-xM"
- ;;
- *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- # UnixWare
- CC="$CC -w"
- ;;
- esac
-fi
-
-AC_SUBST(MKDEPCC)
-AC_SUBST(MKDEPCFLAGS)
-AC_SUBST(MKDEPPROG)
-AC_SUBST(IRIX_DNSSEC_WARNINGS_HACK)
-
-#
-# NLS
-#
-AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
-
-#
-# -lxnet buys us one big porting headache... standards, gotta love 'em.
-#
-# AC_CHECK_LIB(xnet, socket, ,
-# AC_CHECK_LIB(socket, socket)
-# AC_CHECK_LIB(nsl, inet_ntoa)
-# )
-#
-# Use this for now, instead:
-#
-case "$host" in
- mips-sgi-irix*)
- ;;
- *)
- AC_CHECK_LIB(socket, socket)
- AC_CHECK_LIB(nsl, inet_ntoa)
- ;;
-esac
-
-#
-# Purify support
-#
-AC_MSG_CHECKING(whether to use purify)
-AC_ARG_WITH(purify,
- [ --with-purify[=PATH] use Rational purify],
- use_purify="$withval", use_purify="no")
-
-case "$use_purify" in
- no)
- ;;
- yes)
- AC_PATH_PROG(purify_path, purify, purify)
- ;;
- *)
- purify_path="$use_purify"
- ;;
-esac
-
-case "$use_purify" in
- no)
- AC_MSG_RESULT(no)
- PURIFY=""
- ;;
- *)
- if test -f $purify_path || test $purify_path = purify; then
- AC_MSG_RESULT($purify_path)
- PURIFYFLAGS="`echo $PURIFYOPTIONS`"
- PURIFY="$purify_path $PURIFYFLAGS"
- else
- AC_MSG_ERROR([$purify_path not found.
-
-Please choose the proper path with the following command:
-
- configure --with-purify=PATH
-])
- fi
- ;;
-esac
-
-AC_SUBST(PURIFY)
-
-#
-# GNU libtool support
-#
-AC_ARG_WITH(libtool,
- [ --with-libtool use GNU libtool (following indented options supported)],
- use_libtool="$withval", use_libtool="no")
-
-case $use_libtool in
- yes)
- AM_PROG_LIBTOOL
- O=lo
- A=la
- LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
- LIBTOOL_MODE_COMPILE='--mode=compile'
- LIBTOOL_MODE_INSTALL='--mode=install'
- LIBTOOL_MODE_LINK='--mode=link'
- case "$host" in
- *) LIBTOOL_ALLOW_UNDEFINED= ;;
- esac
- case "$host" in
- *-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;
- *) LIBTOOL_IN_MAIN= ;;
- esac;
- ;;
- *)
- O=o
- A=a
- LIBTOOL=
- AC_SUBST(LIBTOOL)
- LIBTOOL_MKDEP_SED=
- LIBTOOL_MODE_COMPILE=
- LIBTOOL_MODE_INSTALL=
- LIBTOOL_MODE_LINK=
- LIBTOOL_ALLOW_UNDEFINED=
- LIBTOOL_IN_MAIN=
- ;;
-esac
-
-#
-# File name extension for static archive files, for those few places
-# where they are treated differently from dynamic ones.
-#
-SA=a
-
-AC_SUBST(O)
-AC_SUBST(A)
-AC_SUBST(SA)
-AC_SUBST(LIBTOOL_MKDEP_SED)
-AC_SUBST(LIBTOOL_MODE_COMPILE)
-AC_SUBST(LIBTOOL_MODE_INSTALL)
-AC_SUBST(LIBTOOL_MODE_LINK)
-AC_SUBST(LIBTOOL_ALLOW_UNDEFINED)
-AC_SUBST(LIBTOOL_IN_MAIN)
-
-#
-# build libbind?
-#
-AC_ARG_ENABLE(libbind,
- [ --enable-libbind build libbind [default=no]])
-
-case "$enable_libbind" in
- yes)
- LIBBIND=lib/bind
- AC_SUBST(LIBBIND)
- ;;
- no|'')
- ;;
-esac
-
-#
-# Here begins a very long section to determine the system's networking
-# capabilities. The order of the tests is signficant.
-#
-
-#
-# IPv6
-#
-AC_ARG_ENABLE(ipv6,
- [ --enable-ipv6 use IPv6 [default=autodetect]])
-
-case "$enable_ipv6" in
- yes|''|autodetect)
- AC_DEFINE(WANT_IPV6)
- ;;
- no)
- ;;
-esac
-
-#
-# We do the IPv6 compilation checking after libtool so that we can put
-# the right suffix on the files.
-#
-AC_MSG_CHECKING(for IPv6 structures)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>],
-[struct sockaddr_in6 sin6; return (0);],
- [AC_MSG_RESULT(yes)
- found_ipv6=yes],
- [AC_MSG_RESULT(no)
- found_ipv6=no])
-
-#
-# See whether IPv6 support is provided via a Kame add-on.
-# This is done before other IPv6 linking tests to LIBS is properly set.
-#
-AC_MSG_CHECKING(for Kame IPv6 support)
-AC_ARG_WITH(kame,
- [ --with-kame[=PATH] use Kame IPv6 [default path /usr/local/v6]],
- use_kame="$withval", use_kame="no")
-
-case "$use_kame" in
- no)
- ;;
- yes)
- kame_path=/usr/local/v6
- ;;
- *)
- kame_path="$use_kame"
- ;;
-esac
-
-case "$use_kame" in
- no)
- AC_MSG_RESULT(no)
- ;;
- *)
- if test -f $kame_path/lib/libinet6.a; then
- AC_MSG_RESULT($kame_path/lib/libinet6.a)
- LIBS="-L$kame_path/lib -linet6 $LIBS"
- else
- AC_MSG_ERROR([$kame_path/lib/libinet6.a not found.
-
-Please choose the proper path with the following command:
-
- configure --with-kame=PATH
-])
- fi
- ;;
-esac
-
-#
-# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
-# Including it on Kame-using platforms is very bad, though, because
-# Kame uses #error against direct inclusion. So include it on only
-# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
-# This is done before the in6_pktinfo check because that's what
-# netinet6/in6.h is needed for.
-#
-changequote({, })
-case "$host" in
-*-bsdi4.[01]*)
- ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
- LWRES_PLATFORM_NEEDNETINET6IN6H="#define LWRES_PLATFORM_NEEDNETINET6IN6H 1"
- isc_netinet6in6_hack="#include <netinet6/in6.h>"
- ;;
-*)
- ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
- LWRES_PLATFORM_NEEDNETINET6IN6H="#undef LWRES_PLATFORM_NEEDNETINET6IN6H"
- isc_netinet6in6_hack=""
- ;;
-esac
-changequote([, ])
-
-#
-# This is similar to the netinet6/in6.h issue.
-#
-case "$host" in
-*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
- # UnixWare
- ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
- LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
- ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
- isc_netinetin6_hack="#include <netinet/in6.h>"
- ;;
-*)
- ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
- LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
- ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
- isc_netinetin6_hack=""
- ;;
-esac
-
-#
-# Now delve deeper into the suitability of the IPv6 support.
-#
-case "$found_ipv6" in
- yes)
- ISC_PLATFORM_HAVEIPV6="#define ISC_PLATFORM_HAVEIPV6 1"
- LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1"
-
- AC_MSG_CHECKING(for in6_addr)
- AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
-[struct in6_addr in6; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVEINADDR6="#undef ISC_PLATFORM_HAVEINADDR6"
- LWRES_PLATFORM_HAVEINADDR6="#undef LWRES_PLATFORM_HAVEINADDR6"
- isc_in_addr6_hack=""],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_HAVEINADDR6="#define ISC_PLATFORM_HAVEINADDR6 1"
- LWRES_PLATFORM_HAVEINADDR6="#define LWRES_PLATFORM_HAVEINADDR6 1"
- isc_in_addr6_hack="#define in6_addr in_addr6"])
-
- AC_MSG_CHECKING(for in6addr_any)
- AC_TRY_LINK([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-$isc_in_addr6_hack
-],
- [struct in6_addr in6; in6 = in6addr_any; return (in6.s6_addr[0]);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
- LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_NEEDIN6ADDRANY="#define ISC_PLATFORM_NEEDIN6ADDRANY 1"
- LWRES_PLATFORM_NEEDIN6ADDRANY="#define LWRES_PLATFORM_NEEDIN6ADDRANY 1"])
-
- AC_MSG_CHECKING(for in6addr_loopback)
- AC_TRY_LINK([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-$isc_in_addr6_hack
-],
- [struct in6_addr in6; in6 = in6addr_loopback; return (in6.s6_addr[0]);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef ISC_PLATFORM_NEEDIN6ADDRLOOPBACK"
- LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#define ISC_PLATFORM_NEEDIN6ADDRLOOPBACK 1"
- LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#define LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK 1"])
-
- AC_MSG_CHECKING(for sin6_scope_id in struct sockaddr_in6)
- AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
- [struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
- result="#define LWRES_HAVE_SIN6_SCOPE_ID 1"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_HAVESCOPEID="#undef ISC_PLATFORM_HAVESCOPEID"
- result="#undef LWRES_HAVE_SIN6_SCOPE_ID"])
- LWRES_HAVE_SIN6_SCOPE_ID="$result"
-
- AC_MSG_CHECKING(for in6_pktinfo)
- AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
- [struct in6_pktinfo xyzzy; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"],
- [AC_MSG_RESULT(no -- disabling runtime ipv6 support)
- ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"])
- ;;
- no)
- ISC_PLATFORM_HAVEIPV6="#undef ISC_PLATFORM_HAVEIPV6"
- LWRES_PLATFORM_HAVEIPV6="#undef LWRES_PLATFORM_HAVEIPV6"
- ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
- LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"
- ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
- LWRES_HAVE_SIN6_SCOPE_ID="#define LWRES_HAVE_SIN6_SCOPE_ID 1"
- ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
- ISC_IPV6_H="ipv6.h"
- ISC_IPV6_O="ipv6.$O"
- ISC_ISCIPV6_O="unix/ipv6.$O"
- ISC_IPV6_C="ipv6.c"
- ;;
-esac
-
-AC_SUBST(ISC_PLATFORM_HAVEIPV6)
-AC_SUBST(LWRES_PLATFORM_HAVEIPV6)
-AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H)
-AC_SUBST(LWRES_PLATFORM_NEEDNETINETIN6H)
-AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H)
-AC_SUBST(LWRES_PLATFORM_NEEDNETINET6IN6H)
-AC_SUBST(ISC_PLATFORM_HAVEINADDR6)
-AC_SUBST(LWRES_PLATFORM_HAVEINADDR6)
-AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRANY)
-AC_SUBST(LWRES_PLATFORM_NEEDIN6ADDRANY)
-AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
-AC_SUBST(LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK)
-AC_SUBST(ISC_PLATFORM_HAVEIN6PKTINFO)
-AC_SUBST(ISC_PLATFORM_FIXIN6ISADDR)
-AC_SUBST(ISC_IPV6_H)
-AC_SUBST(ISC_IPV6_O)
-AC_SUBST(ISC_ISCIPV6_O)
-AC_SUBST(ISC_IPV6_C)
-AC_SUBST(LWRES_HAVE_SIN6_SCOPE_ID)
-AC_SUBST(ISC_PLATFORM_HAVESCOPEID)
-
-AC_MSG_CHECKING([for struct if_laddrreq])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <net/if6.h>
-],[ struct if_laddrreq a; ],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVEIF_LADDRREQ="#define ISC_PLATFORM_HAVEIF_LADDRREQ 1"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_HAVEIF_LADDRREQ="#undef ISC_PLATFORM_HAVEIF_LADDRREQ"])
-AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRREQ)
-
-AC_MSG_CHECKING([for struct if_laddrconf])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <net/if6.h>
-],[ struct if_laddrconf a; ],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVEIF_LADDRCONF="#define ISC_PLATFORM_HAVEIF_LADDRCONF 1"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_HAVEIF_LADDRCONF="#undef ISC_PLATFORM_HAVEIF_LADDRCONF"])
-AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRCONF)
-
-#
-# Check for network functions that are often missing. We do this
-# after the libtool checking, so we can put the right suffix on
-# the files. It also needs to come after checking for a Kame add-on,
-# which provides some (all?) of the desired functions.
-#
-
-AC_MSG_CHECKING([for inet_ntop with IPv6 support])
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-main() {
-char a[16],b[64]; return(inet_ntop(AF_INET6, a, b, sizeof(b)) == (char*)0);}],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
-
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"],
- [AC_MSG_RESULT(assuming inet_ntop needed)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
-
-
-# On NetBSD 1.4.2 and maybe others, inet_pton() incorrectly accepts
-# addresses with less than four octets, like "1.2.3". Also leading
-# zeros should also be rejected.
-
-AC_MSG_CHECKING([for working inet_pton with IPv6 support])
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-main() { char a[16]; return (inet_pton(AF_INET, "1.2.3", a) == 1 ? 1 :
- inet_pton(AF_INET, "1.2.3.04", a) == 1 ? 1 :
- (inet_pton(AF_INET6, "::1.2.3.4", a) != 1)); }],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
- ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
- [AC_MSG_RESULT(assuming target platform has working inet_pton)
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
- [AC_MSG_RESULT(assuming inet_pton needed)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
- ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
- [AC_MSG_RESULT(assuming target platform has working inet_pton)
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
-
-AC_MSG_CHECKING([for inet_aton])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>],
- [struct in_addr in; inet_aton(0, &in); return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
-
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
- ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
-
-AC_SUBST(ISC_PLATFORM_NEEDNTOP)
-AC_SUBST(ISC_PLATFORM_NEEDPTON)
-AC_SUBST(ISC_PLATFORM_NEEDATON)
-
-#
-# Look for a 4.4BSD-style sa_len member in struct sockaddr.
-#
-case "$host" in
- *-dec-osf*)
- # Turn on 4.4BSD style sa_len support.
- AC_DEFINE(_SOCKADDR_LEN)
- ;;
-esac
-
-AC_MSG_CHECKING(for sa_len in struct sockaddr)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>],
-[struct sockaddr sa; sa.sa_len = 0; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1"
- LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN"
- LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN"])
-AC_SUBST(ISC_PLATFORM_HAVESALEN)
-AC_SUBST(LWRES_PLATFORM_HAVESALEN)
-
-#
-# Look for a 4.4BSD or 4.3BSD struct msghdr
-#
-AC_MSG_CHECKING(for struct msghdr flavor)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>],
-[struct msghdr msg; msg.msg_flags = 0; return (0);],
- [AC_MSG_RESULT(4.4BSD)
- ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"],
- [AC_MSG_RESULT(4.3BSD)
- ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"])
-AC_SUBST(ISC_PLATFORM_MSGHDRFLAVOR)
-
-#
-# Look for in_port_t.
-#
-AC_MSG_CHECKING(for type in_port_t)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <netinet/in.h>],
-[in_port_t port = 25; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
-AC_SUBST(ISC_PLATFORM_NEEDPORTT)
-
-#
-# Check for addrinfo
-#
-AC_MSG_CHECKING(for struct addrinfo)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[struct addrinfo a; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
- AC_DEFINE(HAVE_ADDRINFO)],
- [AC_MSG_RESULT(no)
- ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"])
-AC_SUBST(ISC_LWRES_NEEDADDRINFO)
-
-#
-# Check for rrsetinfo
-#
-AC_MSG_CHECKING(for struct rrsetinfo)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[struct rrsetinfo r; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_NEEDRRSETINFO="#undef ISC_LWRES_NEEDRRSETINFO"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_NEEDRRSETINFO="#define ISC_LWRES_NEEDRRSETINFO 1"])
-AC_SUBST(ISC_LWRES_NEEDRRSETINFO)
-
-AC_MSG_CHECKING(for int sethostent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = sethostent(0); return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT"])
-AC_SUBST(ISC_LWRES_SETHOSTENTINT)
-
-AC_MSG_CHECKING(for int endhostent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = endhostent(); return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"])
-AC_SUBST(ISC_LWRES_ENDHOSTENTINT)
-
-AC_MSG_CHECKING(for getnetbyaddr(in_addr_t, ...))
-AC_TRY_COMPILE([
-#include <netdb.h>
-struct netent *getnetbyaddr(in_addr_t, int);],
-[],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR"])
-AC_SUBST(ISC_LWRES_GETNETBYADDRINADDR)
-
-AC_MSG_CHECKING(for int setnetent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = setnetent(0); return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"])
-AC_SUBST(ISC_LWRES_SETNETENTINT)
-
-AC_MSG_CHECKING(for int endnetent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = endnetent(); return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"])
-AC_SUBST(ISC_LWRES_ENDNETENTINT)
-
-AC_MSG_CHECKING(for gethostbyaddr(const void *, size_t, ...))
-AC_TRY_COMPILE([
-#include <netdb.h>
-struct hostent *gethostbyaddr(const void *, size_t, int);],
-[return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"])
-AC_SUBST(ISC_LWRES_GETHOSTBYADDRVOID)
-
-AC_MSG_CHECKING(for h_errno in netdb.h)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[h_errno = 1; return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"])
-AC_SUBST(ISC_LWRES_NEEDHERRNO)
-
-AC_CHECK_FUNC(getipnodebyname,
- [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
- [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
-AC_CHECK_FUNC(getnameinfo,
- [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
- [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
-AC_CHECK_FUNC(getaddrinfo,
- [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
- AC_DEFINE(HAVE_GETADDRINFO)],
- [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
-AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
-AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
-AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
-AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
-
-AC_ARG_ENABLE(getifaddrs,
-[ --enable-getifaddrs Enable the use of getifaddrs() [[yes|no|glibc]].
- glibc: Use getifaddrs() in glibc if you know it supports IPv6.],
- want_getifaddrs="$enableval", want_getifaddrs="yes")
-
-case $want_getifaddrs in
-yes|glibc)
-#
-# Do we have getifaddrs() ?
-#
-case $host in
-*-linux*)
- # Some recent versions of glibc support getifaddrs() which does not
- # provide AF_INET6 addresses while the function provided by the USAGI
- # project handles the AF_INET6 case correctly. We need to avoid
- # using the former but prefer the latter unless overridden by
- # --enable-getifaddrs=glibc.
- if test $want_getifaddrs = glibc
- then
- AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
- else
- save_LIBS="$LIBS"
- LIBS="-L/usr/local/v6/lib $LIBS"
- AC_CHECK_LIB(inet6, getifaddrs,
- LIBS="$LIBS -linet6"
- AC_DEFINE(HAVE_GETIFADDRS),
- LIBS=${save_LIBS})
- fi
- ;;
-*)
- AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
- ;;
-esac
-;;
-no)
-;;
-esac
-
-#
-# Look for a sysctl call to get the list of network interfaces.
-#
-case $ac_cv_header_sys_sysctl_h in
-yes)
-AC_MSG_CHECKING(for interface list sysctl)
-AC_EGREP_CPP(found_rt_iflist, [
-#include <sys/param.h>
-#include <sys/sysctl.h>
-#include <sys/socket.h>
-#ifdef NET_RT_IFLIST
-found_rt_iflist
-#endif
-],
- [AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_IFLIST_SYSCTL)],
- [AC_MSG_RESULT(no)])
-;;
-esac
-
-#
-# Check for some other useful functions that are not ever-present.
-#
-
-# We test for strsep() using AC_TRY_LINK instead of AC_CHECK_FUNC
-# because AIX 4.3.3 with patches for bos.adt.include to version 4.3.3.77
-# reportedly defines strsep() without declaring it in <string.h> when
-# -D_LINUX_SOURCE_COMPAT is not defined [RT #2190], and
-# AC_CHECK_FUNC() incorrectly succeeds because it declares
-# the function itself.
-AC_MSG_CHECKING(for correctly declared strsep())
-AC_TRY_LINK([#include <string.h>], [char *sp; char *foo = strsep(&sp, ".");],
- [AC_MSG_RESULT(yes); ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"],
- [AC_MSG_RESULT(no); ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
-
-AC_CHECK_FUNC(memmove,
- [ISC_PLATFORM_NEEDMEMMOVE="#undef ISC_PLATFORM_NEEDMEMMOVE"],
- [ISC_PLATFORM_NEEDMEMMOVE="#define ISC_PLATFORM_NEEDMEMMOVE 1"])
-AC_SUBST(ISC_PLATFORM_NEEDMEMMOVE)
-
-AC_CHECK_FUNC(strtoul,
- [ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
- LWRES_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"
- GENRANDOMLIB=""],
- [ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
- LWRES_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"
- "GENRANDOMLIB=${ISCLIBS}"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRTOUL)
-AC_SUBST(LWRES_PLATFORM_NEEDSTRTOUL)
-AC_SUBST(GENRANDOMLIB)
-
-AC_CHECK_FUNC(strlcpy,
- [ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"],
- [ISC_PLATFORM_NEEDSTRLCPY="#define ISC_PLATFORM_NEEDSTRLCPY 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRLCPY)
-
-AC_CHECK_FUNC(strlcat,
- [ISC_PLATFORM_NEEDSTRLCAT="#undef ISC_PLATFORM_NEEDSTRLCAT"],
- [ISC_PLATFORM_NEEDSTRLCAT="#define ISC_PLATFORM_NEEDSTRLCAT 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRLCAT)
-
-ISC_PRINT_OBJS=
-ISC_PRINT_SRCS=
-AC_MSG_CHECKING(sprintf)
-AC_TRY_COMPILE([
-#include <stdio.h>
-],
-[ char buf[2]; return(*sprintf(buf,"x"));],
-[
-ISC_PRINT_OBJS="print.$O"
-ISC_PRINT_SRCS="print.c"
-ISC_PLATFORM_NEEDSPRINTF="#define ISC_PLATFORM_NEEDSPRINTF"
-LWRES_PLATFORM_NEEDSPRINTF="#define LWRES_PLATFORM_NEEDSPRINTF"
-],
-[ISC_PLATFORM_NEEDSPRINTF="#undef ISC_PLATFORM_NEEDSPRINTF"
- LWRES_PLATFORM_NEEDSPRINTF="#undef LWRES_PLATFORM_NEEDSPRINTF"]
-)
-AC_SUBST(ISC_PLATFORM_NEEDSPRINTF)
-AC_SUBST(LWRES_PLATFORM_NEEDSPRINTF)
-
-AC_CHECK_FUNC(vsnprintf,
- [ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
- LWRES_PLATFORM_NEEDVSNPRINTF="#undef LWRES_PLATFORM_NEEDVSNPRINTF"],
- [ISC_PRINT_OBJS="print.$O"
- ISC_PRINT_SRCS="print.c"
- ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
- LWRES_PLATFORM_NEEDVSNPRINTF="#define LWRES_PLATFORM_NEEDVSNPRINTF 1"])
-AC_SUBST(ISC_PLATFORM_NEEDVSNPRINTF)
-AC_SUBST(LWRES_PLATFORM_NEEDVSNPRINTF)
-ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS $ISC_PRINT_OBJS"
-ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS $ISC_PRINT_SRCS"
-
-AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
-
-AC_SUBST(ISC_EXTRA_OBJS)
-AC_SUBST(ISC_EXTRA_SRCS)
-
-# Determine the printf format characters to use when printing
-# values of type isc_int64_t. This will normally be "ll", but where
-# the compiler treats "long long" as a alias for "long" and printf
-# doesn't know about "long long" use "l". Hopefully the sprintf
-# will produce a inconsistant result in the later case. If the compiler
-# fails due to seeing "%lld" we fall back to "l".
-#
-# Digital Unix 4.0 (gcc?) (long long) is 64 bits as is its long. It uses
-# %ld even for (long long)/
-#
-# Win32 uses "%I64d", but that's defined elsewhere since we don't use
-# configure on Win32.
-#
-AC_MSG_CHECKING(printf format modifier for 64-bit integers)
-AC_TRY_RUN([
-#include <stdio.h>
-main() {
- long long int j = 0;
- char buf[100];
- buf[0] = 0;
- sprintf(buf, "%lld", j);
- exit((sizeof(long long int) != sizeof(long int))? 0 :
- (strcmp(buf, "0") != 0));
-}
-],
- [AC_MSG_RESULT(ll)
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
- LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'],
- [AC_MSG_RESULT(l)
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
- LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "l"'],
- [AC_MSG_RESULT(assuming target platform uses ll)
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
- LWRES_PLATFORM_QUADFORMAT='#define LWRES_PLATFORM_QUADFORMAT "ll"'])
-AC_SUBST(ISC_PLATFORM_QUADFORMAT)
-AC_SUBST(LWRES_PLATFORM_QUADFORMAT)
-
-#
-# Security Stuff
-#
-AC_CHECK_FUNC(chroot, AC_DEFINE(HAVE_CHROOT))
-AC_ARG_ENABLE(linux-caps,
- [ --disable-linux-caps disable linux capabilities])
-case "$enable_linux_caps" in
- yes|'')
- AC_CHECK_HEADERS(linux/capability.h)
- ;;
- no)
- ;;
-esac
-AC_CHECK_HEADERS(sys/prctl.h)
-
-#
-# Time Zone Stuff
-#
-AC_CHECK_FUNC(tzset, AC_DEFINE(HAVE_TZSET))
-
-AC_MSG_CHECKING(for optarg decarartion)
-AC_TRY_COMPILE([
-#include <unistd.h>
-],
-[optarg = 0;],
-[AC_MSG_RESULT(yes)],
-[AC_MSG_RESULT(no)
-AC_DEFINE(NEED_OPTARG, 1, [Defined if extern char *optarg is not declared.])])
-
-#
-# BSD/OS, and perhaps some others, don't define rlim_t.
-#
-AC_MSG_CHECKING(for type rlim_t)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>],
-[rlim_t rl = 19671212; return (0);],
-[AC_MSG_RESULT(yes)
- ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE rlim_t"],
-[AC_MSG_RESULT(no)
-
-AC_MSG_CHECKING(type of rlim_cur)
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-main() { struct rlimit r; exit(!(sizeof(r.rlim_cur) == sizeof(int)));}],
-[AC_MSG_RESULT(int)
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE int"],
-[
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-main() { struct rlimit r; exit(!(sizeof(r.rlim_cur) == sizeof(long int)));}],
-[AC_MSG_RESULT(long int)
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long int"],
-[
-AC_TRY_RUN([
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-main() { struct rlimit r; exit((!sizeof(r.rlim_cur) == sizeof(long long int)));}],
-[AC_MSG_RESULT(long long int)
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"],
-[AC_MSG_ERROR([unable to determine sizeof rlim_cur])
-],[AC_MSG_ERROR(this cannot happen)])
-],[AC_MSG_ERROR(this cannot happen)])
-],[
-ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"
-AC_MSG_RESULT(cannot determine type of rlim_cur when cross compiling - assuming long long int)])
-])
-AC_SUBST(ISC_PLATFORM_RLIMITTYPE)
-
-#
-# Compaq TruCluster requires more code for handling cluster IP aliases
-#
-case "$host" in
- *-dec-osf*)
- AC_CHECK_LIB(clua, clua_getaliasaddress, LIBS="-lclua $LIBS")
- AC_CHECK_FUNC(clua_getaliasaddress,
- AC_DEFINE(HAVE_TRUCLUSTER, 1,
- [Define if running under Compaq TruCluster]))
- ;;
- *)
- ;;
-esac
-
-#
-# Microsoft has their own way of handling shared libraries that requires
-# additional qualifiers on extern variables. Unix systems don't need it.
-#
-AC_SUBST(ISC_PLATFORM_USEDECLSPEC)
-ISC_PLATFORM_USEDECLSPEC="#undef ISC_PLATFORM_USEDECLSPEC"
-AC_SUBST(LWRES_PLATFORM_USEDECLSPEC)
-LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
-
-#
-# Random remaining OS-specific issues involving compiler warnings.
-# XXXDCL print messages to indicate some compensation is being done?
-#
-AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
-ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
-
-case "$host" in
- *-aix5.1.*)
- hack_shutup_pthreadonceinit=yes
- ;;
- *-bsdi3.1*)
- hack_shutup_sputaux=yes
- ;;
- *-bsdi4.0*)
- hack_shutup_sigwait=yes
- hack_shutup_sputaux=yes
- ;;
- [*-bsdi4.[12]*])
- hack_shutup_stdargcast=yes
- ;;
- [*-solaris2.[89]])
- hack_shutup_pthreadonceinit=yes
- ;;
-esac
-
-case "$hack_shutup_pthreadonceinit" in
- yes)
- #
- # Shut up PTHREAD_ONCE_INIT unbraced initializer warnings.
- #
- ISC_PLATFORM_BRACEPTHREADONCEINIT="#define ISC_PLATFORM_BRACEPTHREADONCEINIT 1"
- ;;
-esac
-
-case "$hack_shutup_sigwait" in
- yes)
- #
- # Shut up a -Wmissing-prototypes warning for sigwait().
- #
- AC_DEFINE(SHUTUP_SIGWAIT)
- ;;
-esac
-
-case "$hack_shutup_sputaux" in
- yes)
- #
- # Shut up a -Wmissing-prototypes warning from <stdio.h>.
- #
- AC_DEFINE(SHUTUP_SPUTAUX)
- ;;
-esac
-
-case "$hack_shutup_stdargcast" in
- yes)
- #
- # Shut up a -Wcast-qual warning from va_start().
- #
- AC_DEFINE(SHUTUP_STDARG_CAST)
- ;;
-esac
-
-#
-# Check for if_nametoindex() for IPv6 scoped addresses support
-#
-AC_CHECK_FUNC(if_nametoindex, ac_cv_have_if_nametoindex=yes,
- ac_cv_have_if_nametoindex=no)
-case $ac_cv_have_if_nametoindex in
-no)
- case "$host" in
- *-hp-hpux*)
- AC_CHECK_LIB(ipv6, if_nametoindex,
- ac_cv_have_if_nametoindex=yes
- LIBS="-lipv6 $LIBS",)
- ;;
- esac
-esac
-case $ac_cv_have_if_nametoindex in
-yes)
- ISC_PLATFORM_HAVEIFNAMETOINDEX="#define ISC_PLATFORM_HAVEIFNAMETOINDEX 1"
- ;;
-*)
- ISC_PLATFORM_HAVEIFNAMETOINDEX="#undef ISC_PLATFORM_HAVEIFNAMETOINDEX"
- ;;
-esac
-AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
-
-#
-# The following sets up how non-blocking i/o is established.
-# Sunos, cygwin and solaris 2.x (x<5) require special handling.
-#
-case "$host" in
-*-sunos*) AC_DEFINE(PORT_NONBLOCK, O_NDELAY);;
-*-cygwin*) AC_DEFINE(PORT_NONBLOCK, O_NDELAY);;
-*-solaris2.[[01234]])
- AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK)
- AC_DEFINE(USE_FIONBIO_IOCTL, 1,
- [Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make non-blocking.])
- ;;
-*) AC_DEFINE(PORT_NONBLOCK, O_NONBLOCK,
- [Sets which flag to pass to open/fcntl to make non-blocking (O_NDELAY/O_NONBLOCK).])
- ;;
-esac
-#
-# The following sections deal with tools used for formatting
-# the documentation. They are all optional, unless you are
-# a developer editing the documentation source.
-#
-
-#
-# Look for TeX.
-#
-
-AC_PATH_PROGS(LATEX, latex, latex)
-AC_SUBST(LATEX)
-
-AC_PATH_PROGS(PDFLATEX, pdflatex, pdflatex)
-AC_SUBST(PDFLATEX)
-
-#
-# Look for xsltproc (libxslt)
-#
-
-AC_PATH_PROG(XSLTPROC, xsltproc, xsltproc)
-AC_SUBST(XSLTPROC)
-
-#
-# Look for xmllint (libxml2)
-#
-
-AC_PATH_PROG(XMLLINT, xmllint, xmllint)
-AC_SUBST(XMLLINT)
-
-#
-# Subroutine for searching for an ordinary file (e.g., a stylesheet)
-# in a number of directories:
-#
-# NOM_PATH_FILE(VARIABLE, FILENAME, DIRECTORIES)
-#
-# If the file FILENAME is found in one of the DIRECTORIES, the shell
-# variable VARIABLE is defined to its absolute pathname. Otherwise,
-# it is set to FILENAME, with no directory prefix (that's not terribly
-# useful, but looks less confusing in substitutions than leaving it
-# empty). The variable VARIABLE will be substituted into output files.
-#
-
-AC_DEFUN(NOM_PATH_FILE, [
-$1=""
-AC_MSG_CHECKING(for $2)
-for d in $3
-do
- f=$d/$2
- if test -f $f
- then
- $1=$f
- AC_MSG_RESULT($f)
- break
- fi
-done
-if test "X[$]$1" = "X"
-then
- AC_MSG_RESULT("not found");
- $1=$2
-fi
-AC_SUBST($1)
-])
-
-#
-# Look for Docbook-XSL stylesheets. Location probably varies by
-# system. Guessing where it might be found, based on where SGML stuff
-# lives on some systems. FreeBSD is the only one I'm sure of at the
-# moment.
-#
-
-docbook_xsl_trees="/usr/pkg/share/xsl /usr/local/share/xsl /usr/share/xsl"
-
-#
-# Look for stylesheets we need.
-#
-
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_HTML, docbook/html/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_XHTML, docbook/xhtml/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_STYLE_MAN, docbook/manpages/docbook.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_HTML, docbook/html/chunk.xsl, $docbook_xsl_trees)
-NOM_PATH_FILE(XSLT_DOCBOOK_CHUNK_XHTML, docbook/xhtml/chunk.xsl, $docbook_xsl_trees)
-
-#
-# Same dance for db2latex
-#
-# No idea where this lives except on FreeBSD.
-#
-
-db2latex_xsl_trees="/usr/local/share"
-
-#
-# Look for stylesheets we need.
-#
-
-NOM_PATH_FILE(XSLT_DB2LATEX_STYLE, db2latex/xsl/docbook.xsl, $db2latex_xsl_trees)
-
-#
-# Look for "admonition" image directory. Can't use NOM_PATH_FILE()
-# because it's a directory, so just do the same things, inline.
-#
-
-AC_MSG_CHECKING(for db2latex/xsl/figures)
-for d in $db2latex_xsl_trees
-do
- dd=$d/db2latex/xsl/figures
- if test -d $dd
- then
- XSLT_DB2LATEX_ADMONITIONS=$dd
- AC_MSG_RESULT($dd)
- break
- fi
-done
-if test "X$XSLT_DB2LATEX_ADMONITIONS" = "X"
-then
- AC_MSG_RESULT(not found)
- XSLT_DB2LATEX_ADMONITIONS=db2latex/xsl/figures
-fi
-AC_SUBST(XSLT_DB2LATEX_ADMONITIONS)
-
-#
-# Substitutions
-#
-AC_SUBST(BIND9_TOP_BUILDDIR)
-BIND9_TOP_BUILDDIR=`pwd`
-
-AC_SUBST(BIND9_ISC_BUILDINCLUDE)
-AC_SUBST(BIND9_ISCCC_BUILDINCLUDE)
-AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
-AC_SUBST(BIND9_DNS_BUILDINCLUDE)
-AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
-AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
-if test "X$srcdir" != "X"; then
- BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
- BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
- BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
- BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
- BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
- BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
-else
- BIND9_ISC_BUILDINCLUDE=""
- BIND9_ISCCC_BUILDINCLUDE=""
- BIND9_ISCCFG_BUILDINCLUDE=""
- BIND9_DNS_BUILDINCLUDE=""
- BIND9_LWRES_BUILDINCLUDE=""
- BIND9_BIND9_BUILDINCLUDE=""
-fi
-
-AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
-BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
-
-AC_SUBST_FILE(BIND9_MAKE_RULES)
-BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
-
-. $srcdir/version
-BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
-AC_SUBST(BIND9_VERSION)
-
-AC_SUBST_FILE(LIBISC_API)
-LIBISC_API=$srcdir/lib/isc/api
-
-AC_SUBST_FILE(LIBISCCC_API)
-LIBISCCC_API=$srcdir/lib/isccc/api
-
-AC_SUBST_FILE(LIBISCCFG_API)
-LIBISCCFG_API=$srcdir/lib/isccfg/api
-
-AC_SUBST_FILE(LIBDNS_API)
-LIBDNS_API=$srcdir/lib/dns/api
-
-AC_SUBST_FILE(LIBBIND9_API)
-LIBBIND9_API=$srcdir/lib/bind9/api
-
-AC_SUBST_FILE(LIBLWRES_API)
-LIBLWRES_API=$srcdir/lib/lwres/api
-
-AC_OUTPUT(
- make/rules
- make/includes
- Makefile
- make/Makefile
- make/mkdep
- lib/Makefile
- lib/isc/Makefile
- lib/isc/include/Makefile
- lib/isc/include/isc/Makefile
- lib/isc/include/isc/platform.h
- lib/isc/unix/Makefile
- lib/isc/unix/include/Makefile
- lib/isc/unix/include/isc/Makefile
- lib/isc/nls/Makefile
- lib/isc/$thread_dir/Makefile
- lib/isc/$thread_dir/include/Makefile
- lib/isc/$thread_dir/include/isc/Makefile
- lib/isccc/Makefile
- lib/isccc/include/Makefile
- lib/isccc/include/isccc/Makefile
- lib/isccfg/Makefile
- lib/isccfg/include/Makefile
- lib/isccfg/include/isccfg/Makefile
- lib/dns/Makefile
- lib/dns/include/Makefile
- lib/dns/include/dns/Makefile
- lib/dns/include/dst/Makefile
- lib/bind9/Makefile
- lib/bind9/include/Makefile
- lib/bind9/include/bind9/Makefile
- lib/lwres/Makefile
- lib/lwres/include/Makefile
- lib/lwres/include/lwres/Makefile
- lib/lwres/include/lwres/netdb.h
- lib/lwres/include/lwres/platform.h
- lib/lwres/man/Makefile
- lib/lwres/unix/Makefile
- lib/lwres/unix/include/Makefile
- lib/lwres/unix/include/lwres/Makefile
- lib/tests/Makefile
- lib/tests/include/Makefile
- lib/tests/include/tests/Makefile
- bin/Makefile
- bin/check/Makefile
- bin/named/Makefile
- bin/named/unix/Makefile
- bin/rndc/Makefile
- bin/rndc/unix/Makefile
- bin/dig/Makefile
- bin/nsupdate/Makefile
- bin/tests/Makefile
- bin/tests/names/Makefile
- bin/tests/master/Makefile
- bin/tests/rbt/Makefile
- bin/tests/db/Makefile
- bin/tests/tasks/Makefile
- bin/tests/timers/Makefile
- bin/tests/dst/Makefile
- bin/tests/mem/Makefile
- bin/tests/net/Makefile
- bin/tests/sockaddr/Makefile
- bin/tests/system/Makefile
- bin/tests/system/conf.sh
- bin/tests/system/lwresd/Makefile
- bin/tests/system/tkey/Makefile
- bin/tests/headerdep_test.sh
- bin/dnssec/Makefile
- doc/Makefile
- doc/arm/Makefile
- doc/misc/Makefile
- doc/xsl/Makefile
- isc-config.sh
- doc/xsl/isc-docbook-chunk.xsl
- doc/xsl/isc-docbook-html.xsl
- doc/xsl/isc-docbook-latex.xsl
- doc/xsl/isc-manpage.xsl
-)
-chmod a+x isc-config.sh
-
-# Tell Emacs to edit this file in shell mode.
-# Local Variables:
-# mode: sh
-# End:
diff --git a/contrib/bind9/doc/Makefile.in b/contrib/bind9/doc/Makefile.in
deleted file mode 100644
index 1e69dabdbabb..000000000000
--- a/contrib/bind9/doc/Makefile.in
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4.206.3 2005/09/13 00:34:54 marka Exp $
-
-# This Makefile is a placeholder. It exists merely to make
-# sure that its directory gets created in the object directory
-# tree when doing a build using separate object directories.
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = arm misc xsl
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/doc/arm/Bv9ARM-book.xml b/contrib/bind9/doc/arm/Bv9ARM-book.xml
deleted file mode 100644
index 28ccb360afe0..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM-book.xml
+++ /dev/null
@@ -1,6658 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.59 2005/10/10 00:22:24 marka Exp $ -->
-
-<book>
-<title>BIND 9 Administrator Reference Manual</title>
-
- <bookinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2002</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </bookinfo>
-
- <chapter id="Bv9ARM.ch01">
- <title>Introduction </title>
- <para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
- to specify the names of entities in the Internet in a hierarchical
- manner, the rules used for delegating authority over names, and the
- system implementation that actually maps names to Internet
- addresses. <acronym>DNS</acronym> data is maintained in a group of distributed
- hierarchical databases.</para>
-
- <sect1>
- <title>Scope of Document</title>
-
- <para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements an
- domain name server for a number of operating systems. This
- document provides basic information about the installation and
- care of the Internet Software Consortium (<acronym>ISC</acronym>)
- <acronym>BIND</acronym> version 9 software package for system
- administrators.</para>
-
- <para>This version of the manual corresponds to BIND version 9.3.</para>
-
- </sect1>
- <sect1><title>Organization of This Document</title>
- <para>In this document, <emphasis>Section 1</emphasis> introduces
- the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
- describes resource requirements for running <acronym>BIND</acronym> in various
- environments. Information in <emphasis>Section 3</emphasis> is
- <emphasis>task-oriented</emphasis> in its presentation and is
- organized functionally, to aid in the process of installing the
- <acronym>BIND</acronym> 9 software. The task-oriented section is followed by
- <emphasis>Section 4</emphasis>, which contains more advanced
- concepts that the system administrator may need for implementing
- certain options. <emphasis>Section 5</emphasis>
- describes the <acronym>BIND</acronym> 9 lightweight
- resolver. The contents of <emphasis>Section 6</emphasis> are
- organized as in a reference manual to aid in the ongoing
- maintenance of the software. <emphasis>Section 7
- </emphasis>addresses security considerations, and
- <emphasis>Section 8</emphasis> contains troubleshooting help. The
- main body of the document is followed by several
- <emphasis>Appendices</emphasis> which contain useful reference
- information, such as a <emphasis>Bibliography</emphasis> and
- historic information related to <acronym>BIND</acronym> and the Domain Name
- System.</para>
- </sect1>
- <sect1><title>Conventions Used in This Document</title>
-
- <para>In this document, we use the following general typographic
- conventions:</para>
-
-<informaltable>
- <tgroup cols = "2">
- <colspec colname = "1" colnum = "1" colwidth = "3.000in"/>
- <colspec colname = "2" colnum = "2" colwidth = "2.625in"/>
- <tbody>
- <row>
- <entry colname = "1">
-<para><emphasis>To
-describe:</emphasis></para></entry>
- <entry colname = "2">
-<para><emphasis>We use the style:</emphasis></para></entry>
- </row>
- <row>
- <entry colname = "1">
-<para>a pathname, filename, URL, hostname,
-mailing list name, or new term or concept</para></entry>
- <entry colname = "2"><para><filename>Fixed width</filename></para></entry>
- </row>
- <row>
- <entry colname = "1"><para>literal user
-input</para></entry>
- <entry colname = "2"><para><userinput>Fixed Width Bold</userinput></para></entry>
- </row>
- <row>
- <entry colname = "1"><para>program output</para></entry>
- <entry colname = "2"><para><computeroutput>Fixed Width</computeroutput></para></entry>
- </row>
- </tbody>
- </tgroup>
-</informaltable>
-
- <para>The following conventions are used in descriptions of the
-<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
- <tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "2Level-table">
- <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
- <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
- <tbody>
- <row rowsep = "0">
- <entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
-describe:</emphasis></para></entry>
- <entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
- <entry colname = "2" rowsep = "1"><para><literal>Fixed Width</literal></para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
- <entry colname = "2" rowsep = "1"><para><varname>Fixed Width</varname></para></entry>
- </row>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
- <entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></para></sect1>
-<sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
-<para>The purpose of this document is to explain the installation
-and upkeep of the <acronym>BIND</acronym> software package, and we
-begin by reviewing the fundamentals of the Domain Name System
-(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
-</para>
-
-<sect2>
-<title>DNS Fundamentals</title>
-
-<para>The Domain Name System (DNS) is the hierarchical, distributed
-database. It stores information for mapping Internet host names to IP
-addresses and vice versa, mail routing information, and other data
-used by Internet applications.</para>
-
-<para>Clients look up information in the DNS by calling a
-<emphasis>resolver</emphasis> library, which sends queries to one or
-more <emphasis>name servers</emphasis> and interprets the responses.
-The <acronym>BIND</acronym> 9 software distribution contains a
-name server, <command>named</command>, and two resolver
-libraries, <command>liblwres</command> and <command>libbind</command>.
-</para>
-
-</sect2><sect2>
-<title>Domains and Domain Names</title>
-
-<para>The data stored in the DNS is identified by <emphasis>domain
-names</emphasis> that are organized as a tree according to
-organizational or administrative boundaries. Each node of the tree,
-called a <emphasis>domain</emphasis>, is given a label. The domain name of the
-node is the concatenation of all the labels on the path from the
-node to the <emphasis>root</emphasis> node. This is represented
-in written form as a string of labels listed from right to left and
-separated by dots. A label need only be unique within its parent
-domain.</para>
-
-<para>For example, a domain name for a host at the
-company <emphasis>Example, Inc.</emphasis> could be
-<literal>mail.example.com</literal>,
-where <literal>com</literal> is the
-top level domain to which
-<literal>ourhost.example.com</literal> belongs,
-<literal>example</literal> is
-a subdomain of <literal>com</literal>, and
-<literal>ourhost</literal> is the
-name of the host.</para>
-
-<para>For administrative purposes, the name space is partitioned into
-areas called <emphasis>zones</emphasis>, each starting at a node and
-extending down to the leaf nodes or to nodes where other zones start.
-The data for each zone is stored in a <emphasis>name
-server</emphasis>, which answers queries about the zone using the
-<emphasis>DNS protocol</emphasis>.
-</para>
-
-<para>The data associated with each domain name is stored in the
-form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
-Some of the supported resource record types are described in
-<xref linkend="types_of_resource_records_and_when_to_use_them"/>.</para>
-
-<para>For more detailed information about the design of the DNS and
-the DNS protocol, please refer to the standards documents listed in
-<xref linkend="rfcs"/>.</para>
-</sect2>
-
-<sect2><title>Zones</title>
-<para>To properly operate a name server, it is important to understand
-the difference between a <emphasis>zone</emphasis>
-and a <emphasis>domain</emphasis>.</para>
-
-<para>As we stated previously, a zone is a point of delegation in
-the <acronym>DNS</acronym> tree. A zone consists of
-those contiguous parts of the domain
-tree for which a name server has complete information and over which
-it has authority. It contains all domain names from a certain point
-downward in the domain tree except those which are delegated to
-other zones. A delegation point is marked by one or more
-<emphasis>NS records</emphasis> in the
-parent zone, which should be matched by equivalent NS records at
-the root of the delegated zone.</para>
-
-<para>For instance, consider the <literal>example.com</literal>
-domain which includes names
-such as <literal>host.aaa.example.com</literal> and
-<literal>host.bbb.example.com</literal> even though
-the <literal>example.com</literal> zone includes
-only delegations for the <literal>aaa.example.com</literal> and
-<literal>bbb.example.com</literal> zones. A zone can map
-exactly to a single domain, but could also include only part of a
-domain, the rest of which could be delegated to other
-name servers. Every name in the <acronym>DNS</acronym> tree is a
-<emphasis>domain</emphasis>, even if it is
-<emphasis>terminal</emphasis>, that is, has no
-<emphasis>subdomains</emphasis>. Every subdomain is a domain and
-every domain except the root is also a subdomain. The terminology is
-not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
-gain a complete understanding of this difficult and subtle
-topic.</para>
-
-<para>Though <acronym>BIND</acronym> is called a "domain name server",
-it deals primarily in terms of zones. The master and slave
-declarations in the <filename>named.conf</filename> file specify
-zones, not domains. When you ask some other site if it is willing to
-be a slave server for your <emphasis>domain</emphasis>, you are
-actually asking for slave service for some collection of zones.</para>
-</sect2>
-
-<sect2><title>Authoritative Name Servers</title>
-
-<para>Each zone is served by at least
-one <emphasis>authoritative name server</emphasis>,
-which contains the complete data for the zone.
-To make the DNS tolerant of server and network failures,
-most zones have two or more authoritative servers.
-</para>
-
-<para>Responses from authoritative servers have the "authoritative
-answer" (AA) bit set in the response packets. This makes them
-easy to identify when debugging DNS configurations using tools like
-<command>dig</command> (<xref linkend="diagnostic_tools"/>).</para>
-
-<sect3><title>The Primary Master</title>
-
-<para>
-The authoritative server where the master copy of the zone data is maintained is
-called the <emphasis>primary master</emphasis> server, or simply the
-<emphasis>primary</emphasis>. It loads the zone contents from some
-local file edited by humans or perhaps generated mechanically from
-some other local file which is edited by humans. This file is called
-the <emphasis>zone file</emphasis> or <emphasis>master file</emphasis>.</para>
-</sect3>
-
-<sect3><title>Slave Servers</title>
-<para>The other authoritative servers, the <emphasis>slave</emphasis>
-servers (also known as <emphasis>secondary</emphasis> servers) load
-the zone contents from another server using a replication process
-known as a <emphasis>zone transfer</emphasis>. Typically the data are
-transferred directly from the primary master, but it is also possible
-to transfer it from another slave. In other words, a slave server
-may itself act as a master to a subordinate slave server.</para>
-</sect3>
-
-<sect3><title>Stealth Servers</title>
-
-<para>Usually all of the zone's authoritative servers are listed in
-NS records in the parent zone. These NS records constitute
-a <emphasis>delegation</emphasis> of the zone from the parent.
-The authoritative servers are also listed in the zone file itself,
-at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
-of the zone. You can list servers in the zone's top-level NS
-records that are not in the parent's NS delegation, but you cannot
-list servers in the parent's delegation that are not present at
-the zone's top level.</para>
-
-<para>A <emphasis>stealth server</emphasis> is a server that is
-authoritative for a zone but is not listed in that zone's NS
-records. Stealth servers can be used for keeping a local copy of a
-zone to speed up access to the zone's records or to make sure that the
-zone is available even if all the "official" servers for the zone are
-inaccessible.</para>
-
-<para>A configuration where the primary master server itself is a
-stealth server is often referred to as a "hidden primary"
-configuration. One use for this configuration is when the primary master
-is behind a firewall and therefore unable to communicate directly
-with the outside world.</para>
-
-</sect3>
-
-</sect2>
-<sect2>
-
-<title>Caching Name Servers</title>
-
-<para>The resolver libraries provided by most operating systems are
-<emphasis>stub resolvers</emphasis>, meaning that they are not capable of
-performing the full DNS resolution process by themselves by talking
-directly to the authoritative servers. Instead, they rely on a local
-name server to perform the resolution on their behalf. Such a server
-is called a <emphasis>recursive</emphasis> name server; it performs
-<emphasis>recursive lookups</emphasis> for local clients.</para>
-
-<para>To improve performance, recursive servers cache the results of
-the lookups they perform. Since the processes of recursion and
-caching are intimately connected, the terms
-<emphasis>recursive server</emphasis> and
-<emphasis>caching server</emphasis> are often used synonymously.</para>
-
-<para>The length of time for which a record may be retained in
-in the cache of a caching name server is controlled by the
-Time To Live (TTL) field associated with each resource record.
-</para>
-
-<sect3><title>Forwarding</title>
-
-<para>Even a caching name server does not necessarily perform
-the complete recursive lookup itself. Instead, it can
-<emphasis>forward</emphasis> some or all of the queries
-that it cannot satisfy from its cache to another caching name server,
-commonly referred to as a <emphasis>forwarder</emphasis>.
-</para>
-
-<para>There may be one or more forwarders,
-and they are queried in turn until the list is exhausted or an answer
-is found. Forwarders are typically used when you do not
-wish all the servers at a given site to interact directly with the rest of
-the Internet servers. A typical scenario would involve a number
-of internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
-to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
-on the internal server's behalf. An added benefit of using the forwarding
-feature is that the central machine develops a much more complete
-cache of information that all the clients can take advantage
-of.</para>
-</sect3>
-
-</sect2>
-
-<sect2><title>Name Servers in Multiple Roles</title>
-
-<para>The <acronym>BIND</acronym> name server can simultaneously act as
-a master for some zones, a slave for other zones, and as a caching
-(recursive) server for a set of local clients.</para>
-
-<para>However, since the functions of authoritative name service
-and caching/recursive name service are logically separate, it is
-often advantageous to run them on separate server machines.
-
-A server that only provides authoritative name service
-(an <emphasis>authoritative-only</emphasis> server) can run with
-recursion disabled, improving reliability and security.
-
-A server that is not authoritative for any zones and only provides
-recursive service to local
-clients (a <emphasis>caching-only</emphasis> server)
-does not need to be reachable from the Internet at large and can
-be placed inside a firewall.</para>
-
- </sect2>
- </sect1>
-
-</chapter>
-
-<chapter id="Bv9ARM.ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
-
-<sect1>
-<title>Hardware requirements</title>
-
-<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
-For many installations, servers that have been pensioned off from
-active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
-<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
-CPU intensive however, so organizations that make heavy use of these
-features may wish to consider larger systems for these applications.
-<acronym>BIND</acronym> 9 is fully multithreaded, allowing full utilization of
-multiprocessor systems for installations that need it.</para></sect1>
-<sect1><title>CPU Requirements</title>
-<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
-for serving of static zones without caching, to enterprise-class
-machines if you intend to process many dynamic updates and DNSSEC
-signed zones, serving many thousands of queries per second.</para></sect1>
-
-<sect1><title>Memory Requirements</title>
-<para>The memory of the server has to be large enough to fit the
-cache and zones loaded off disk. The <command>max-cache-size</command>
-option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
-traffic. It is still good practice to have enough memory to load
-all zone and cache data into memory &mdash; unfortunately, the best way
-to determine this for a given installation is to watch the name server
-in operation. After a few weeks the server process should reach
-a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted.</para></sect1>
-
-<sect1><title>Name Server Intensive Environment Issues</title>
-<para>For name server intensive environments, there are two alternative
-configurations that may be used. The first is where clients and
-any second-level internal name servers query a main name server, which
-has enough memory to build a large cache. This approach minimizes
-the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal name servers to make queries independently.
-In this configuration, none of the individual machines needs to
-have as much memory or CPU power as in the first alternative, but
-this has the disadvantage of making many more external queries,
-as none of the name servers share their cached data.</para></sect1>
-
-<sect1><title>Supported Operating Systems</title>
-<para>ISC <acronym>BIND</acronym> 9 compiles and runs on a large number
-of Unix-like operating system and on Windows NT / 2000. For an up-to-date
-list of supported systems, see the README file in the top level directory
-of the BIND 9 source distribution.</para>
-</sect1>
-</chapter>
-
-<chapter id="Bv9ARM.ch03">
-<title>Name Server Configuration</title>
-<para>In this section we provide some suggested configurations along
-with guidelines for their use. We also address the topic of reasonable
-option setting.</para>
-
-<sect1 id="sample_configuration">
-<title>Sample Configurations</title>
-<sect2>
-<title>A Caching-only Name Server</title>
-<para>The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation. All queries
-from outside clients are refused using the <command>allow-query</command>
-option. Alternatively, the same effect could be achieved using suitable
-firewall rules.</para>
-
-<programlisting>
-// Two corporate subnets we wish to allow queries from.
-acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-options {
- directory "/etc/namedb"; // Working directory
- allow-query { corpnets; };
-};
-// Provide a reverse mapping for the loopback address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
-};
-</programlisting>
-</sect2>
-
-<sect2>
-<title>An Authoritative-only Name Server</title>
-<para>This sample configuration is for an authoritative-only server
-that is the master server for "<filename>example.com</filename>"
-and a slave for the subdomain "<filename>eng.example.com</filename>".</para>
-
-<programlisting>
-options {
- directory "/etc/namedb"; // Working directory
- allow-query { any; }; // This is the default
- recursion no; // Do not provide recursive service
-};
-
-// Provide a reverse mapping for the loopback address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
-};
-// We are the master server for example.com
-zone "example.com" {
- type master;
- file "example.com.db";
- // IP addresses of slave servers allowed to transfer example.com
- allow-transfer {
- 192.168.4.14;
- 192.168.5.53;
- };
-};
-// We are a slave server for eng.example.com
-zone "eng.example.com" {
- type slave;
- file "eng.example.com.bk";
- // IP address of eng.example.com master server
- masters { 192.168.4.12; };
-};
-</programlisting>
-</sect2>
-</sect1>
-
-<sect1>
-<title>Load Balancing</title>
-
-<para>A primitive form of load balancing can be achieved in
-the <acronym>DNS</acronym> by using multiple A records for one name.</para>
-
-<para>For example, if you have three WWW servers with network addresses
-of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-following means that clients will connect to each machine one third
-of the time:</para>
-
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "5" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>Name</para></entry>
-<entry colname = "2"><para>TTL</para></entry>
-<entry colname = "3"><para>CLASS</para></entry>
-<entry colname = "4"><para>TYPE</para></entry>
-<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>www</literal></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>600</literal></para></entry>
-<entry colname = "3"><para><literal>IN</literal></para></entry>
-<entry colname = "4"><para><literal>A</literal></para></entry>
-<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- <para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
- them and respond to the query with the records in a different
- order. In the example above, clients will randomly receive
- records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
- will use the first record returned and discard the rest.</para>
- <para>For more detail on ordering responses, check the
- <command>rrset-order</command> substatement in the
- <command>options</command> statement, see
- <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
- This substatement is not supported in
- <acronym>BIND</acronym> 9, and only the ordering scheme described above is
- available.</para>
-
-</sect1>
-
-<sect1>
-<title>Name Server Operations</title>
-
-<sect2>
-<title>Tools for Use With the Name Server Daemon</title>
-<para>There are several indispensable diagnostic, administrative
-and monitoring tools available to the system administrator for controlling
-and debugging the name server daemon. We describe several in this
-section </para>
-<sect3 id="diagnostic_tools">
-<title>Diagnostic Tools</title>
-<para>The <command>dig</command>, <command>host</command>, and
-<command>nslookup</command> programs are all command line tools
-for manually querying name servers. They differ in style and
-output format.
-</para>
-
-<variablelist>
-<varlistentry>
-<term id="dig"><command>dig</command></term>
-<listitem>
-<para>The domain information groper (<command>dig</command>)
-is the most versatile and complete of these lookup tools.
-It has two modes: simple interactive
-mode for a single query, and batch mode which executes a query for
-each in a list of several query lines. All query options are accessible
-from the command line.</para>
-<cmdsynopsis label="Usage">
- <command>dig</command>
- <arg>@<replaceable>server</replaceable></arg>
- <arg choice="plain"><replaceable>domain</replaceable></arg>
- <arg><replaceable>query-type</replaceable></arg>
- <arg><replaceable>query-class</replaceable></arg>
- <arg>+<replaceable>query-option</replaceable></arg>
- <arg>-<replaceable>dig-option</replaceable></arg>
- <arg>%<replaceable>comment</replaceable></arg>
-</cmdsynopsis>
-<para>The usual simple use of dig will take the form</para>
-<simpara><command>dig @server domain query-type query-class</command></simpara>
-<para>For more information and a list of available commands and
-options, see the <command>dig</command> man page.</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term><command>host</command></term>
-<listitem>
-<para>The <command>host</command> utility emphasizes simplicity
-and ease of use. By default, it converts
-between host names and Internet addresses, but its functionality
-can be extended with the use of options.</para>
-<cmdsynopsis label="Usage">
- <command>host</command>
- <arg>-aCdlrTwv</arg>
- <arg>-c <replaceable>class</replaceable></arg>
- <arg>-N <replaceable>ndots</replaceable></arg>
- <arg>-t <replaceable>type</replaceable></arg>
- <arg>-W <replaceable>timeout</replaceable></arg>
- <arg>-R <replaceable>retries</replaceable></arg>
- <arg choice="plain"><replaceable>hostname</replaceable></arg>
- <arg><replaceable>server</replaceable></arg>
-</cmdsynopsis>
-<para>For more information and a list of available commands and
-options, see the <command>host</command> man page.</para>
-</listitem>
-</varlistentry>
-
-<varlistentry>
-<term><command>nslookup</command></term>
-<listitem>
-<para><command>nslookup</command> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query name servers
-for information about various hosts and domains or to print a list
-of hosts in a domain. Non-interactive mode is used to print just
-the name and requested information for a host or domain.</para>
-<cmdsynopsis label="Usage">
- <command>nslookup</command>
- <arg rep="repeat">-option</arg>
- <group>
- <arg><replaceable>host-to-find</replaceable></arg>
- <arg>- <arg>server</arg></arg>
- </group>
-</cmdsynopsis>
-<para>Interactive mode is entered when no arguments are given (the
-default name server will be used) or when the first argument is a
-hyphen (`-') and the second argument is the host name or Internet address
-of a name server.</para>
-<para>Non-interactive mode is used when the name or Internet address
-of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a name server.</para>
-<para>Due to its arcane user interface and frequently inconsistent
-behavior, we do not recommend the use of <command>nslookup</command>.
-Use <command>dig</command> instead.</para>
-</listitem>
-
-</varlistentry>
-</variablelist>
-</sect3>
-
-<sect3 id="admin_tools">
- <title>Administrative Tools</title>
- <para>Administrative tools play an integral part in the management
-of a server.</para>
- <variablelist>
- <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
- <term><command>named-checkconf</command></term>
- <listitem>
- <para>The <command>named-checkconf</command> program
- checks the syntax of a <filename>named.conf</filename> file.</para>
- <cmdsynopsis label="Usage">
- <command>named-checkconf</command>
- <arg>-jvz</arg>
- <arg>-t <replaceable>directory</replaceable></arg>
- <arg><replaceable>filename</replaceable></arg>
- </cmdsynopsis>
- </listitem>
- </varlistentry>
- <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
- <term><command>named-checkzone</command></term>
- <listitem>
- <para>The <command>named-checkzone</command> program checks a master file for
- syntax and consistency.</para>
- <cmdsynopsis label="Usage">
- <command>named-checkzone</command>
- <arg>-djqvD</arg>
- <arg>-c <replaceable>class</replaceable></arg>
- <arg>-o <replaceable>output</replaceable></arg>
- <arg>-t <replaceable>directory</replaceable></arg>
- <arg>-w <replaceable>directory</replaceable></arg>
- <arg>-k <replaceable>(ignore|warn|fail)</replaceable></arg>
- <arg>-n <replaceable>(ignore|warn|fail)</replaceable></arg>
- <arg choice="plain"><replaceable>zone</replaceable></arg>
- <arg><replaceable>filename</replaceable></arg>
- </cmdsynopsis>
- </listitem>
- </varlistentry>
- <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
- <term><command>rndc</command></term>
- <listitem>
- <para>The remote name daemon control
- (<command>rndc</command>) program allows the system
- administrator to control the operation of a name server.
- If you run <command>rndc</command> without any options
- it will display a usage message as follows:</para>
- <cmdsynopsis label="Usage">
- <command>rndc</command>
- <arg>-c <replaceable>config</replaceable></arg>
- <arg>-s <replaceable>server</replaceable></arg>
- <arg>-p <replaceable>port</replaceable></arg>
- <arg>-y <replaceable>key</replaceable></arg>
- <arg choice="plain"><replaceable>command</replaceable></arg>
- <arg rep="repeat"><replaceable>command</replaceable></arg>
- </cmdsynopsis>
- <para><command>command</command> is one of the following:</para>
-
-<variablelist>
-
- <varlistentry><term><userinput>reload</userinput></term>
- <listitem><para>Reload configuration file and zones.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>reload <replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
- <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem><para>Reload the given zone.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>refresh <replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
- <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem><para>Schedule zone maintenance for the given zone.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>retransfer <replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
- <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem><para>Retransfer the given zone from the master.</para></listitem>
- </varlistentry>
-
- <varlistentry> <term><userinput>freeze <optional><replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
- <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem><para>Suspend updates to a dynamic zone. If no zone is specified
- then all zones are suspended. This allows manual
- edits to be made to a zone normally updated by dynamic update. It
- also causes changes in the journal file to be synced into the master
- and the journal file to be removed. All dynamic update attempts will
- be refused while the zone is frozen.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>thaw <optional><replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
- <optional><replaceable>view</replaceable></optional></optional></optional></userinput></term>
- <listitem><para>Enable updates to a frozen dynamic zone. If no zone is
- specified then all frozen zones are enabled. This causes
- the server to reload the zone from disk, and re-enables dynamic updates
- after the load has completed. After a zone is thawed, dynamic updates
- will no longer be refused.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>notify <replaceable>zone</replaceable>
- <optional><replaceable>class</replaceable>
- <optional><replaceable>view</replaceable></optional></optional></userinput></term>
- <listitem><para>Resend NOTIFY messages for the zone</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>reconfig</userinput></term>
- <listitem><para>Reload the configuration file and load new zones,
- but do not reload existing zone files even if they have changed.
- This is faster than a full <command>reload</command> when there
- is a large number of zones because it avoids the need to examine the
- modification times of the zones files.
- </para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>stats</userinput></term>
- <listitem><para>Write server statistics to the statistics file.</para></listitem>
- </varlistentry>
-
- <varlistentry><term><userinput>querylog</userinput></term>
- <listitem><para>Toggle query logging. Query logging can also be enabled
- by explicitly directing the <command>queries</command>
- <command>category</command> to a <command>channel</command> in the
- <command>logging</command> section of
- <filename>named.conf</filename>.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>dumpdb <optional>-all|-cache|-zone</optional> <optional><replaceable>view ...</replaceable></optional></userinput></term>
- <listitem><para>Dump the server's caches (default) and / or zones to the
- dump file for the specified views. If no view is specified all
- views are dumped.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>stop <optional>-p</optional></userinput></term>
- <listitem><para>Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to the master files
- of the updated zones. If -p is specified named's process id is returned.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>halt <optional>-p</optional></userinput></term>
- <listitem><para>Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to the master files,
- but will be rolled forward from the journal files when the server
- is restarted. If -p is specified named's process id is returned.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>trace</userinput></term>
- <listitem><para>Increment the servers debugging level by one. </para></listitem></varlistentry>
-
- <varlistentry><term><userinput>trace <replaceable>level</replaceable></userinput></term>
- <listitem><para>Sets the server's debugging level to an explicit
- value.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>notrace</userinput></term>
- <listitem><para>Sets the server's debugging level to 0.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>flush</userinput></term>
- <listitem><para>Flushes the server's cache.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>flushname</userinput> <replaceable>name</replaceable></term>
- <listitem><para>Flushes the given name from the server's cache.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>status</userinput></term>
- <listitem><para>Display status of the server.
-Note the number of zones includes the internal <command>bind/CH</command> zone
-and the default <command>./IN</command> hint zone if there is not a
-explicit root zone configured.</para></listitem></varlistentry>
-
- <varlistentry><term><userinput>recursing</userinput></term>
- <listitem><para>Dump the list of queries named is currently recursing
- on.
- </para></listitem></varlistentry>
-
-</variablelist>
-
-<para>In <acronym>BIND</acronym> 9.2, <command>rndc</command>
-supports all the commands of the BIND 8 <command>ndc</command>
-utility except <command>ndc start</command> and
-<command>ndc restart</command>, which were also
-not supported in <command>ndc</command>'s channel mode.</para>
-
-<para>A configuration file is required, since all
-communication with the server is authenticated with
-digital signatures that rely on a shared secret, and
-there is no way to provide that secret other than with a
-configuration file. The default location for the
-<command>rndc</command> configuration file is
-<filename>/etc/rndc.conf</filename>, but an alternate
-location can be specified with the <option>-c</option>
-option. If the configuration file is not found,
-<command>rndc</command> will also look in
-<filename>/etc/rndc.key</filename> (or whatever
-<varname>sysconfdir</varname> was defined when
-the <acronym>BIND</acronym> build was configured).
-The <filename>rndc.key</filename> file is generated by
-running <command>rndc-confgen -a</command> as described in
-<xref linkend="controls_statement_definition_and_usage"/>.</para>
-
-<para>The format of the configuration file is similar to
-that of <filename>named.conf</filename>, but limited to
-only four statements, the <command>options</command>,
-<command>key</command>, <command>server</command> and
-<command>include</command>
-statements. These statements are what associate the
-secret keys to the servers with which they are meant to
-be shared. The order of statements is not
-significant.</para>
-
-<para>The <command>options</command> statement has three clauses:
-<command>default-server</command>, <command>default-key</command>,
-and <command>default-port</command>.
-<command>default-server</command> takes a
-host name or address argument and represents the server that will
-be contacted if no <option>-s</option>
-option is provided on the command line.
-<command>default-key</command> takes
-the name of a key as its argument, as defined by a <command>key</command> statement.
-<command>default-port</command> specifies the port to which
-<command>rndc</command> should connect if no
-port is given on the command line or in a
-<command>server</command> statement.</para>
-
-<para>The <command>key</command> statement defines an key to be used
-by <command>rndc</command> when authenticating with
-<command>named</command>. Its syntax is identical to the
-<command>key</command> statement in named.conf.
-The keyword <userinput>key</userinput> is
-followed by a key name, which must be a valid
-domain name, though it need not actually be hierarchical; thus,
-a string like "<userinput>rndc_key</userinput>" is a valid name.
-The <command>key</command> statement has two clauses:
-<command>algorithm</command> and <command>secret</command>.
-While the configuration parser will accept any string as the argument
-to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
-has any meaning. The secret is a base-64 encoded string.</para>
-
-<para>The <command>server</command> statement associates a key
-defined using the <command>key</command> statement with a server.
-The keyword <userinput>server</userinput> is followed by a
-host name or address. The <command>server</command> statement
-has two clauses: <command>key</command> and <command>port</command>.
-The <command>key</command> clause specifies the name of the key
-to be used when communicating with this server, and the
-<command>port</command> clause can be used to
-specify the port <command>rndc</command> should connect
-to on the server.</para>
-
-<para>A sample minimal configuration file is as follows:</para>
-<programlisting>
-key rndc_key {
- algorithm "hmac-md5";
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
-options {
- default-server 127.0.0.1;
- default-key rndc_key;
-};
-</programlisting>
-
-<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
-would allow the command:</para>
-
-<para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
-
-<para>to connect to 127.0.0.1 port 953 and cause the name server
-to reload, if a name server on the local machine were running with
-following controls statements:</para>
-<programlisting>
-controls {
- inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
-};
-</programlisting>
-<para>and it had an identical key statement for
-<literal>rndc_key</literal>.</para>
-
-<para>Running the <command>rndc-confgen</command> program will
-conveniently create a <filename>rndc.conf</filename>
-file for you, and also display the
-corresponding <command>controls</command> statement that you need to
-add to <filename>named.conf</filename>. Alternatively,
-you can run <command>rndc-confgen -a</command> to set up
-a <filename>rndc.key</filename> file and not modify
-<filename>named.conf</filename> at all.
-</para>
-
- </listitem>
- </varlistentry>
- </variablelist>
-
- </sect3>
- </sect2>
-<sect2>
-
-<title>Signals</title>
-<para>Certain UNIX signals cause the name server to take specific
-actions, as described in the following table. These signals can
-be sent using the <command>kill</command> command.</para>
-<informaltable frame = "all" ><tgroup cols = "2">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>SIGHUP</command></para></entry>
-<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and
-reload the database. </para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>SIGTERM</command></para></entry>
-<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1">
-<para><command>SIGINT</command></para>
-</entry>
- <entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- </sect2>
- </sect1>
- </chapter>
-
-<chapter id="Bv9ARM.ch04">
-<title>Advanced DNS Features</title>
-
-<sect1 id="notify">
-
-<title>Notify</title>
-<para><acronym>DNS</acronym> NOTIFY is a mechanism that allows master
-servers to notify their slave servers of changes to a zone's data. In
-response to a <command>NOTIFY</command> from a master server, the
-slave will check to see that its version of the zone is the
-current version and, if not, initiate a zone transfer.</para>
-
-<para><acronym>DNS</acronym>
-For more information about
-<command>NOTIFY</command>, see the description of the
-<command>notify</command> option in <xref linkend="boolean_options"/> and
-the description of the zone option <command>also-notify</command> in
-<xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
-protocol is specified in RFC 1996.
-</para>
-
-</sect1>
-
-<sect1 id="dynamic_update">
-<title>Dynamic Update</title>
-
- <para>Dynamic Update is a method for adding, replacing or deleting
- records in a master server by sending it a special form of DNS
- messages. The format and meaning of these messages is specified
- in RFC 2136.</para>
-
- <para>Dynamic update is enabled on a zone-by-zone basis, by
- including an <command>allow-update</command> or
- <command>update-policy</command> clause in the
- <command>zone</command> statement.</para>
-
- <para>Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: RRSIG and NSEC records affected by updates are automatically
- regenerated by the server using an online zone key.
- Update authorization is based
- on transaction signatures and an explicit server policy.</para>
-
- <sect2 id="journal">
- <title>The journal file</title>
-
- <para>All changes made to a zone using dynamic update are stored in the
- zone's journal file. This file is automatically created by the
- server when the first dynamic update takes place. The name of
- the journal file is formed by appending the
- extension <filename>.jnl</filename> to the
- name of the corresponding zone file. The journal file is in a
- binary format and should not be edited manually.</para>
-
- <para>The server will also occasionally write ("dump")
- the complete contents of the updated zone to its zone file.
- This is not done immediately after
- each dynamic update, because that would be too slow when a large
- zone is updated frequently. Instead, the dump is delayed by
- up to 15 minutes, allowing additional updates to take place.</para>
-
- <para>When a server is restarted after a shutdown or crash, it will replay
- the journal file to incorporate into the zone any updates that took
- place after the last zone dump.</para>
-
- <para>Changes that result from incoming incremental zone transfers are also
- journalled in a similar way.</para>
-
- <para>The zone files of dynamic zones cannot normally be edited by
- hand because they are not guaranteed to contain the most recent
- dynamic changes - those are only in the journal file.
- The only way to ensure that the zone file of a dynamic zone
- is up to date is to run <command>rndc stop</command>.</para>
-
- <para>If you have to make changes to a dynamic zone
- manually, the following procedure will work: Disable dynamic updates
- to the zone using
- <command>rndc freeze <replaceable>zone</replaceable></command>.
- This will also remove the zone's <filename>.jnl</filename> file
- and update the master file. Edit the zone file. Run
- <command>rndc unfreeze <replaceable>zone</replaceable></command>
- to reload the changed zone and re-enable dynamic updates.</para>
-
- </sect2>
-
-</sect1>
-
-<sect1 id="incremental_zone_transfers">
-<title>Incremental Zone Transfers (IXFR)</title>
-
-<para>The incremental zone transfer (IXFR) protocol is a way for
-slave servers to transfer only changed data, instead of having to
-transfer the entire zone. The IXFR protocol is specified in RFC
-1995. See <xref linkend="proposed_standards"/>.</para>
-
-<para>When acting as a master, <acronym>BIND</acronym> 9
-supports IXFR for those zones
-where the necessary change history information is available. These
-include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR. For manually maintained master
-zones, and for slave zones obtained by performing a full zone
-transfer (AXFR), IXFR is supported only if the option
-<command>ixfr-from-differences</command> is set
-to <userinput>yes</userinput>.
-</para>
-
-<para>When acting as a slave, <acronym>BIND</acronym> 9 will
-attempt to use IXFR unless
-it is explicitly disabled. For more information about disabling
-IXFR, see the description of the <command>request-ixfr</command> clause
-of the <command>server</command> statement.</para>
-</sect1>
-
-<sect1><title>Split DNS</title>
-<para>Setting up different views, or visibility, of the DNS space to
-internal and external resolvers is usually referred to as a <emphasis>Split
-DNS</emphasis> setup. There are several reasons an organization
-would want to set up its DNS this way.</para>
-<para>One common reason for setting up a DNS system this way is
-to hide "internal" DNS information from "external" clients on the
-Internet. There is some debate as to whether or not this is actually useful.
-Internal DNS information leaks out in many ways (via email headers,
-for example) and most savvy "attackers" can find the information
-they need using other means.</para>
-<para>Another common reason for setting up a Split DNS system is
-to allow internal networks that are behind filters or in RFC 1918
-space (reserved IP space, as documented in RFC 1918) to resolve DNS
-on the Internet. Split DNS can also be used to allow mail from outside
-back in to the internal network.</para>
-<para>Here is an example of a split DNS setup:</para>
-<para>Let's say a company named <emphasis>Example, Inc.</emphasis>
-(<literal>example.com</literal>)
-has several corporate sites that have an internal network with reserved
-Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-or "outside" section of a network, that is available to the public.</para>
-<para><emphasis>Example, Inc.</emphasis> wants its internal clients
-to be able to resolve external hostnames and to exchange mail with
-people on the outside. The company also wants its internal resolvers
-to have access to certain internal-only zones that are not available
-at all outside of the internal network.</para>
-<para>In order to accomplish this, the company will set up two sets
-of name servers. One set will be on the inside network (in the reserved
-IP space) and the other set will be on bastion hosts, which are "proxy"
-hosts that can talk to both sides of its network, in the DMZ.</para>
-<para>The internal servers will be configured to forward all queries,
-except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
-and <filename>site2.example.com</filename>, to the servers in the
-DMZ. These internal servers will have complete sets of information
-for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
-and <filename>site2.internal</filename>.</para>
-<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
-the internal name servers must be configured to disallow all queries
-to these domains from any external hosts, including the bastion
-hosts.</para>
-<para>The external servers, which are on the bastion hosts, will
-be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
-This could include things such as the host records for public servers
-(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
-and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
-<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
-should have special MX records that contain wildcard (`*') records
-pointing to the bastion hosts. This is needed because external mail
-servers do not have any other way of looking up how to deliver mail
-to those internal hosts. With the wildcard records, the mail will
-be delivered to the bastion host, which can then forward it on to
-internal hosts.</para>
-<para>Here's an example of a wildcard MX record:</para>
-<programlisting>* IN MX 10 external1.example.com.</programlisting>
-<para>Now that they accept mail on behalf of anything in the internal
-network, the bastion hosts will need to know how to deliver mail
-to internal hosts. In order for this to work properly, the resolvers on
-the bastion hosts will need to be configured to point to the internal
-name servers for DNS resolution.</para>
-<para>Queries for internal hostnames will be answered by the internal
-servers, and queries for external hostnames will be forwarded back
-out to the DNS servers on the bastion hosts.</para>
-<para>In order for all this to work properly, internal clients will
-need to be configured to query <emphasis>only</emphasis> the internal
-name servers for DNS queries. This could also be enforced via selective
-filtering on the network.</para>
-<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
-internal clients will now be able to:</para>
-<itemizedlist><listitem>
- <simpara>Look up any hostnames in the <literal>site1</literal> and
-<literal>site2.example.com</literal> zones.</simpara></listitem>
-<listitem>
- <simpara>Look up any hostnames in the <literal>site1.internal</literal> and
-<literal>site2.internal</literal> domains.</simpara></listitem>
-<listitem>
- <simpara>Look up any hostnames on the Internet.</simpara></listitem>
-<listitem>
- <simpara>Exchange mail with internal AND external people.</simpara></listitem></itemizedlist>
-<para>Hosts on the Internet will be able to:</para>
-<itemizedlist><listitem>
- <simpara>Look up any hostnames in the <literal>site1</literal> and
-<literal>site2.example.com</literal> zones.</simpara></listitem>
-<listitem>
- <simpara>Exchange mail with anyone in the <literal>site1</literal> and
-<literal>site2.example.com</literal> zones.</simpara></listitem></itemizedlist>
-
- <para>Here is an example configuration for the setup we just
- described above. Note that this is only configuration information;
- for information on how to configure your zone files, see <xref
- linkend="sample_configuration"/></para>
-
-<para>Internal DNS server config:</para>
-<programlisting>
-
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { <varname>bastion-ips-go-here</varname>; };
-
-options {
- ...
- ...
- forward only;
- forwarders { // forward to external servers
- <varname>bastion-ips-go-here</varname>;
- };
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
- allow-recursion { internals; }; // restrict recursion
- ...
- ...
-};
-
-zone "site1.example.com" { // sample master zone
- type master;
- file "m/site1.example.com";
- forwarders { }; // do normal iterative
- // resolution (do not forward)
- allow-query { internals; externals; };
- allow-transfer { internals; };
-};
-
-zone "site2.example.com" { // sample slave zone
- type slave;
- file "s/site2.example.com";
- masters { 172.16.72.3; };
- forwarders { };
- allow-query { internals; externals; };
- allow-transfer { internals; };
-};
-
-zone "site1.internal" {
- type master;
- file "m/site1.internal";
- forwarders { };
- allow-query { internals; };
- allow-transfer { internals; }
-};
-
-zone "site2.internal" {
- type slave;
- file "s/site2.internal";
- masters { 172.16.72.3; };
- forwarders { };
- allow-query { internals };
- allow-transfer { internals; }
-};
-</programlisting>
- <para>External (bastion host) DNS server config:</para>
-<programlisting>
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { bastion-ips-go-here; };
-
-options {
- ...
- ...
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
- allow-recursion { internals; externals; }; // restrict recursion
- ...
- ...
-};
-
-zone "site1.example.com" { // sample slave zone
- type master;
- file "m/site1.foo.com";
- allow-query { any; };
- allow-transfer { internals; externals; };
-};
-
-zone "site2.example.com" {
- type slave;
- file "s/site2.foo.com";
- masters { another_bastion_host_maybe; };
- allow-query { any; };
- allow-transfer { internals; externals; }
-};
-</programlisting>
-<para>In the <filename>resolv.conf</filename> (or equivalent) on
-the bastion host(s):</para>
-<programlisting>
-search ...
-nameserver 172.16.72.2
-nameserver 172.16.72.3
-nameserver 172.16.72.4
-</programlisting>
-</sect1>
-<sect1 id="tsig"><title>TSIG</title>
-<para>This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
-to the configuration file as well as what changes are required for
-different features, including the process of creating transaction
-keys and using transaction signatures with <acronym>BIND</acronym>.</para>
-<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
-This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
-for TSIG.</para>
-
- <para>TSIG might be most useful for dynamic update. A primary
- server for a dynamic zone should use access control to control
- updates, but IP-based access control is insufficient.
- The cryptographic access control provided by TSIG
- is far superior. The <command>nsupdate</command>
- program supports TSIG via the <option>-k</option> and
- <option>-y</option> command line options.</para>
-
-<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
-<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
-An arbitrary key name is chosen: "host1-host2.". The key name must
-be the same on both hosts.</para>
-<sect3><title>Automatic Generation</title>
-<para>The following command will generate a 128 bit (16 byte) HMAC-MD5
-key as described above. Longer keys are better, but shorter keys
-are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a 128
-bit key.</para>
- <para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
-<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
-Nothing directly uses this file, but the base-64 encoded string
-following "<literal>Key:</literal>"
-can be extracted from the file and used as a shared secret:</para>
-<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
-<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
-be used as the shared secret.</para></sect3>
-<sect3><title>Manual Generation</title>
-<para>The shared secret is simply a random sequence of bits, encoded
-in base-64. Most ASCII strings are valid base-64 strings (assuming
-the length is a multiple of 4 and only valid characters are used),
-so the shared secret can be manually generated.</para>
-<para>Also, a known string can be run through <command>mmencode</command> or
-a similar program to generate base-64 encoded data.</para></sect3></sect2>
-<sect2><title>Copying the Shared Secret to Both Machines</title>
-<para>This is beyond the scope of DNS. A secure transport mechanism
-should be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
-<sect2><title>Informing the Servers of the Key's Existence</title>
-<para>Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> are
-both servers. The following is added to each server's <filename>named.conf</filename> file:</para>
-<programlisting>
-key host1-host2. {
- algorithm hmac-md5;
- secret "La/E5CjG9O+os1jq0a2jdA==";
-};
-</programlisting>
-<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
-The secret is the one generated above. Since this is a secret, it
-is recommended that either <filename>named.conf</filename> be non-world
-readable, or the key directive be added to a non-world readable
-file that is included by <filename>named.conf</filename>.</para>
-<para>At this point, the key is recognized. This means that if the
-server receives a message signed by this key, it can verify the
-signature. If the signature is successfully verified, the
-response is signed by the same key.</para></sect2>
-
-<sect2><title>Instructing the Server to Use the Key</title>
-<para>Since keys are shared between two hosts only, the server must
-be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
-for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
-10.1.2.3:</para>
-<programlisting>
-server 10.1.2.3 {
- keys { host1-host2. ;};
-};
-</programlisting>
-<para>Multiple keys may be present, but only the first is used.
-This directive does not contain any secrets, so it may be in a world-readable
-file.</para>
-<para>If <emphasis>host1</emphasis> sends a message that is a request
-to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
-expect any responses to signed messages to be signed with the same
-key.</para>
-<para>A similar statement must be present in <emphasis>host2</emphasis>'s
-configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
-sign request messages to <emphasis>host1</emphasis>.</para></sect2>
-<sect2><title>TSIG Key Based Access Control</title>
-<para><acronym>BIND</acronym> allows IP addresses and ranges to be specified in ACL
-definitions and
-<command>allow-{ query | transfer | update }</command> directives.
-This has been extended to allow TSIG keys also. The above key would
-be denoted <command>key host1-host2.</command></para>
-<para>An example of an allow-update directive would be:</para>
-<programlisting>
-allow-update { key host1-host2. ;};
-</programlisting>
-
- <para>This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<command>host1-host2.</command>".</para> <para>You may want to read about the more
- powerful <command>update-policy</command> statement in <xref
- linkend="dynamic_update_policies"/>.</para>
-
- </sect2>
- <sect2>
- <title>Errors</title>
-
- <para>The processing of TSIG signed messages can result in
- several errors. If a signed message is sent to a non-TSIG aware
- server, a FORMERR will be returned, since the server will not
- understand the record. This is a result of misconfiguration,
- since the server must be explicitly configured to send a TSIG
- signed message to a specific server.</para>
-
- <para>If a TSIG aware server receives a message signed by an
- unknown key, the response will be unsigned with the TSIG
- extended error code set to BADKEY. If a TSIG aware server
- receives a message with a signature that does not validate, the
- response will be unsigned with the TSIG extended error code set
- to BADSIG. If a TSIG aware server receives a message with a time
- outside of the allowed range, the response will be signed with
- the TSIG extended error code set to BADTIME, and the time values
- will be adjusted so that the response can be successfully
- verified. In any of these cases, the message's rcode is set to
- NOTAUTH.</para>
-
- </sect2>
- </sect1>
- <sect1>
- <title>TKEY</title>
-
- <para><command>TKEY</command> is a mechanism for automatically
- generating a shared secret between two hosts. There are several
- "modes" of <command>TKEY</command> that specify how the key is
- generated or assigned. <acronym>BIND</acronym> 9
- implements only one of these modes,
- the Diffie-Hellman key exchange. Both hosts are required to have
- a Diffie-Hellman KEY record (although this record is not required
- to be present in a zone). The <command>TKEY</command> process
- must use signed messages, signed either by TSIG or SIG(0). The
- result of <command>TKEY</command> is a shared secret that can be
- used to sign messages with TSIG. <command>TKEY</command> can also
- be used to delete shared secrets that it had previously
- generated.</para>
-
- <para>The <command>TKEY</command> process is initiated by a client
- or server by sending a signed <command>TKEY</command> query
- (including any appropriate KEYs) to a TKEY-aware server. The
- server response, if it indicates success, will contain a
- <command>TKEY</command> record and any appropriate keys. After
- this exchange, both participants have enough information to
- determine the shared secret; the exact process depends on the
- <command>TKEY</command> mode. When using the Diffie-Hellman
- <command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
- and the shared secret is derived by both participants.</para>
-
- </sect1>
- <sect1>
- <title>SIG(0)</title>
-
- <para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
- uses public/private keys to authenticate messages. Access control
- is performed in the same manner as TSIG keys; privileges can be
- granted or denied based on the key name.</para>
-
- <para>When a SIG(0) signed message is received, it will only be
- verified if the key is known and trusted by the server; the server
- will not attempt to locate and/or validate the key.</para>
-
- <para>SIG(0) signing of multiple-message TCP streams is not
- supported.</para>
-
- <para>The only tool shipped with <acronym>BIND</acronym> 9 that
- generates SIG(0) signed messages is <command>nsupdate</command>.</para>
-
- </sect1>
- <sect1 id="DNSSEC">
- <title>DNSSEC</title>
-
- <para>Cryptographic authentication of DNS information is possible
- through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
- defined in RFC &lt;TBA&gt;. This section describes the creation and use
- of DNSSEC signed zones.</para>
-
- <para>In order to set up a DNSSEC secure zone, there are a series
- of steps which must be followed. <acronym>BIND</acronym> 9 ships
- with several tools
- that are used in this process, which are explained in more detail
- below. In all cases, the <option>-h</option> option prints a
- full list of parameters. Note that the DNSSEC tools require the
- keyset files to be in the working directory or the
- directory specified by the <option>-h</option> option, and
- that the tools shipped with BIND 9.2.x and earlier are not compatible
- with the current ones.</para>
-
- <para>There must also be communication with the administrators of
- the parent and/or child zone to transmit keys. A zone's security
- status must be indicated by the parent zone for a DNSSEC capable
- resolver to trust its data. This is done through the presense
- or absence of a <literal>DS</literal> record at the delegation
- point.</para>
-
- <para>For other servers to trust data in this zone, they must
- either be statically configured with this zone's zone key or the
- zone key of another zone above this one in the DNS tree.</para>
-
- <sect2>
- <title>Generating Keys</title>
-
- <para>The <command>dnssec-keygen</command> program is used to
- generate keys.</para>
-
- <para>A secure zone must contain one or more zone keys. The
- zone keys will sign all other records in the zone, as well as
- the zone keys of any secure delegated zones. Zone keys must
- have the same name as the zone, a name type of
- <command>ZONE</command>, and must be usable for authentication.
- It is recommended that zone keys use a cryptographic algorithm
- designated as "mandatory to implement" by the IETF; currently
- the only one is RSASHA1.</para>
-
- <para>The following command will generate a 768 bit RSASHA1 key for
- the <filename>child.example</filename> zone:</para>
-
- <para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
-
- <para>Two output files will be produced:
- <filename>Kchild.example.+005+12345.key</filename> and
- <filename>Kchild.example.+005+12345.private</filename> (where
- 12345 is an example of a key tag). The key file names contain
- the key name (<filename>child.example.</filename>), algorithm (3
- is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
- The private key (in the <filename>.private</filename> file) is
- used to generate signatures, and the public key (in the
- <filename>.key</filename> file) is used for signature
- verification.</para>
-
- <para>To generate another key with the same properties (but with
- a different key tag), repeat the above command.</para>
-
- <para>The public keys should be inserted into the zone file by
- including the <filename>.key</filename> files using
- <command>$INCLUDE</command> statements.
- </para>
-
- </sect2>
- <sect2>
- <title>Signing the Zone</title>
-
- <para>The <command>dnssec-signzone</command> program is used to
- sign a zone.</para>
-
- <para>Any <filename>keyset</filename> files corresponding
- to secure subzones should be present. The zone signer will
- generate <literal>NSEC</literal> and <literal>RRSIG</literal>
- records for the zone, as well as <literal>DS</literal> for
- the child zones if <literal>'-d'</literal> is specified.
- If <literal>'-d'</literal> is not specified then DS RRsets for
- the secure child zones need to be added manually.</para>
-
- <para>The following command signs the zone, assuming it is in a
- file called <filename>zone.child.example</filename>. By
- default, all zone keys which have an available private key are
- used to generate signatures.</para>
-
-<para><userinput>dnssec-signzone -o child.example zone.child.example</userinput></para>
-
- <para>One output file is produced:
- <filename>zone.child.example.signed</filename>. This file
- should be referenced by <filename>named.conf</filename> as the
- input file for the zone.</para>
-
- <para><command>dnssec-signzone</command> will also produce a
- keyset and dsset files and optionally a dlvset file. These
- are used to provide the parent zone administators with the
- <literal>DNSKEYs</literal> (or their corresponding <literal>DS</literal>
- records) that are the secure entry point to the zone.</para>
-
- </sect2>
-
-<sect2><title>Configuring Servers</title>
-
-<para>Unlike <acronym>BIND</acronym> 8,
-<acronym>BIND</acronym> 9 does not verify signatures on load,
-so zone keys for authoritative zones do not need to be specified
-in the configuration file.</para>
-
-<para>The public key for any security root must be present in
-the configuration file's <command>trusted-keys</command>
-statement, as described later in this document. </para>
-
-</sect2>
-
-</sect1>
- <sect1>
- <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
-
- <para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
- name to address and address to name lookups. It will also use
- IPv6 addresses to make queries when running on an IPv6 capable
- system.</para>
-
- <para>For forward lookups, <acronym>BIND</acronym> 9 supports only AAAA
- records. The use of A6 records is deprecated by RFC 3363, and the
- support for forward lookups in <acronym>BIND</acronym> 9 is
- removed accordingly.
- However, authoritative <acronym>BIND</acronym> 9 name servers still
- load zone files containing A6 records correctly, answer queries
- for A6 records, and accept zone transfer for a zone containing A6
- records.</para>
-
- <para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
- the traditional "nibble" format used in the
- <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
- <emphasis>ip6.int</emphasis> domain.
- <acronym>BIND</acronym> 9 formerly
- supported the "binary label" (also known as "bitstring") format.
- The support of binary labels, however, is now completely removed
- according to the changes in RFC 3363.
- Any applications in <acronym>BIND</acronym> 9 do not understand
- the format any more, and will return an error if given.
- In particular, an authoritative <acronym>BIND</acronym> 9 name
- server rejects to load a zone file containing binary labels.</para>
-
- <para>For an overview of the format and structure of IPv6 addresses,
- see <xref linkend="ipv6addresses"/>.</para>
-
- <sect2>
- <title>Address Lookups Using AAAA Records</title>
-
- <para>The AAAA record is a parallel to the IPv4 A record. It
- specifies the entire address in a single record. For
- example,</para>
-
-<programlisting>
-$ORIGIN example.com.
-host 3600 IN AAAA 2001:db8::1
-</programlisting>
-
- <para>It is recommended that IPv4-in-IPv6 mapped addresses not
- be used. If a host has an IPv4 address, use an A record, not
- a AAAA, with <literal>::ffff:192.168.42.1</literal> as the
- address.</para>
- </sect2>
- <sect2>
- <title>Address to Name Lookups Using Nibble Format</title>
-
- <para>When looking up an address in nibble format, the address
- components are simply reversed, just as in IPv4, and
- <literal>ip6.arpa.</literal> is appended to the resulting name.
- For example, the following would provide reverse name lookup for
- a host with address
- <literal>2001:db8::1</literal>.</para>
-
-<programlisting>
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
-</programlisting>
- </sect2>
- </sect1>
- </chapter>
-
- <chapter id="Bv9ARM.ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
-<sect1><title>The Lightweight Resolver Library</title>
-<para>Traditionally applications have been linked with a stub resolver
-library that sends recursive DNS queries to a local caching name
-server.</para>
-<para>IPv6 once introduced new complexity into the resolution process,
-such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses. Though most of the complexity was
-then removed, these are hard or impossible
-to implement in a traditional stub resolver.</para>
-<para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
-using a combination of a lightweight resolver library and a resolver
-daemon process running on the local host. These communicate using
-a simple UDP-based protocol, the "lightweight resolver protocol"
-that is distinct from and simpler than the full DNS protocol.</para></sect1>
-<sect1 id="lwresd"><title>Running a Resolver Daemon</title>
-
-<para>To use the lightweight resolver interface, the system must
-run the resolver daemon <command>lwresd</command> or a local
-name server configured with a <command>lwres</command> statement.</para>
-
-<para>By default, applications using the lightweight resolver library will make
-UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
-address can be overridden by <command>lwserver</command> lines in
-<filename>/etc/resolv.conf</filename>.</para>
-
-<para>The daemon currently only looks in the DNS, but in the future
-it may use other sources such as <filename>/etc/hosts</filename>,
-NIS, etc.</para>
-
-<para>The <command>lwresd</command> daemon is essentially a
-caching-only name server that responds to requests using the lightweight
-resolver protocol rather than the DNS protocol. Because it needs
-to run on each host, it is designed to require no or minimal configuration.
-Unless configured otherwise, it uses the name servers listed on
-<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
-as forwarders, but is also capable of doing the resolution autonomously if
-none are specified.</para>
-<para>The <command>lwresd</command> daemon may also be configured with a
-<filename>named.conf</filename> style configuration file, in
-<filename>/etc/lwresd.conf</filename> by default. A name server may also
-be configured to act as a lightweight resolver daemon using the
-<command>lwres</command> statement in <filename>named.conf</filename>.</para>
-
-</sect1></chapter>
-
-<chapter id="Bv9ARM.ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
-
-<para><acronym>BIND</acronym> 9 configuration is broadly similar
-to <acronym>BIND</acronym> 8; however, there are a few new areas
-of configuration, such as views. <acronym>BIND</acronym>
-8 configuration files should work with few alterations in <acronym>BIND</acronym>
-9, although more complex configurations should be reviewed to check
-if they can be more efficiently implemented using the new features
-found in <acronym>BIND</acronym> 9.</para>
-
-<para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
-using the shell script
-<filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
-<sect1 id="configuration_file_elements"><title>Configuration File Elements</title>
-<para>Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
-file documentation:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.855in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.770in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>acl_name</varname></para></entry>
-<entry colname = "2"><para>The name of an <varname>address_match_list</varname> as
-defined by the <command>acl</command> statement.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>address_match_list</varname></para></entry>
-<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>,
-<varname>ip_prefix</varname>, <varname>key_id</varname>,
-or <varname>acl_name</varname> elements, see
-<xref linkend="address_match_lists"/>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>domain_name</varname></para></entry>
-<entry colname = "2"><para>A quoted string which will be used as
-a DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
-<entry colname = "2"><para>One to four integers valued 0 through
-255 separated by dots (`.'), such as <command>123</command>,
-<command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
-<entry colname = "2"><para>An IPv4 address with exactly four elements
-in <varname>dotted_decimal</varname> notation.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
-<entry colname = "2"><para>An IPv6 address, such as <command>2001:db8::1234</command>.
-IPv6 scoped addresses that have ambiguity on their scope zones must be
-disambiguated by an appropriate zone ID with the percent character
-(`%') as delimiter.
-It is strongly recommended to use string zone names rather than
-numeric identifiers, in order to be robust against system
-configuration changes.
-However, since there is no standard mapping for such names and
-identifier values, currently only interface names as link identifiers
-are supported, assuming one-to-one mapping between interfaces and links.
-For example, a link-local address <command>fe80::1</command> on the
-link attached to the interface <command>ne0</command>
-can be specified as <command>fe80::1%ne0</command>.
-Note that on most systems link-local addresses always have the
-ambiguity, and need to be disambiguated.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_addr</varname></para></entry>
-<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_port</varname></para></entry>
-<entry colname = "2"><para>An IP port <varname>number</varname>.
-<varname>number</varname> is limited to 0 through 65535, with values
-below 1024 typically restricted to use by processes running as root.
-In some cases an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>ip_prefix</varname></para></entry>
-<entry colname = "2"><para>An IP network specified as an <varname>ip_addr</varname>,
-followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <varname>ip_addr</varname> may omitted.
-For example, <command>127/8</command> is the network <command>127.0.0.0</command> with
-netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
-network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>key_id</varname></para></entry>
-<entry colname = "2"><para>A <varname>domain_name</varname> representing
-the name of a shared key, to be used for transaction security.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>key_list</varname></para></entry>
-<entry colname = "2"><para>A list of one or more <varname>key_id</varname>s,
-separated by semicolons and ending with a semicolon.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>number</varname></para></entry>
-<entry colname = "2"><para>A non-negative 32 bit integer
-(i.e., a number between 0 and 4294967295, inclusive).
-Its acceptable value might further
-be limited by the context in which it is used.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>path_name</varname></para></entry>
-<entry colname = "2"><para>A quoted string which will be used as
-a pathname, such as <filename>zones/master/my.test.domain</filename>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>size_spec</varname></para></entry>
-<entry colname = "2"><para>A number, the word <userinput>unlimited</userinput>,
-or the word <userinput>default</userinput>.</para><para>
-An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
-use, or the maximum available amount. A <varname>default size_spec</varname> uses
-the limit that was in force when the server was started.</para><para>A <varname>number</varname> can
-optionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
-kilobytes, <userinput>M</userinput> or <userinput>m</userinput> for
-megabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para>
-<para>The value must be representable as a 64-bit unsigned integer
-(0 to 18446744073709551615, inclusive).
-Using <varname>unlimited</varname> is the best way
-to safely set a really large number.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>yes_or_no</varname></para></entry>
-<entry colname = "2"><para>Either <userinput>yes</userinput> or <userinput>no</userinput>.
-The words <userinput>true</userinput> and <userinput>false</userinput> are
-also accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>dialup_option</varname></para></entry>
-<entry colname = "2"><para>One of <userinput>yes</userinput>,
-<userinput>no</userinput>, <userinput>notify</userinput>,
-<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
-<userinput>passive</userinput>.
-When used in a zone, <userinput>notify-passive</userinput>,
-<userinput>refresh</userinput>, and <userinput>passive</userinput>
-are restricted to slave and stub zones.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<sect2 id="address_match_lists"><title>Address Match Lists</title>
-<sect3><title>Syntax</title>
- <programlisting><varname>address_match_list</varname> = address_match_list_element ;
- <optional> address_match_list_element; ... </optional>
-<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
- key key_id | acl_name | { address_match_list } )
-</programlisting>
-</sect3>
-<sect3><title>Definition and Usage</title>
-<para>Address match lists are primarily used to determine access
-control for various server operations. They are also used in
-the <command>listen-on</command> and <command>sortlist</command>
-statements. The elements
-which constitute an address match list can be any of the following:</para>
-<itemizedlist><listitem>
- <simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
-<listitem>
- <simpara>an IP prefix (in `/' notation)</simpara></listitem>
-<listitem>
- <simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem>
-<listitem>
- <simpara>the name of an address match list defined with
-the <command>acl</command> statement</simpara></listitem>
-<listitem>
- <simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
-
-<para>Elements can be negated with a leading exclamation mark (`!'),
-and the match list names "any", "none", "localhost", and "localnets"
-are predefined. More information on those names can be found in
-the description of the acl statement.</para>
-
-<para>The addition of the key clause made the name of this syntactic
-element something of a misnomer, since security keys can be used
-to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</para>
-
-<para>When a given IP address or prefix is compared to an address
-match list, the list is traversed in order until an element matches.
-The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or in a sortlist,
-and whether the element was negated.</para>
-
-<para>When used as an access control list, a non-negated match allows
-access and a negated match denies access. If there is no match,
-access is denied. The clauses <command>allow-notify</command>,
-<command>allow-query</command>, <command>allow-transfer</command>,
-<command>allow-update</command>, <command>allow-update-forwarding</command>,
-and <command>blackhole</command> all
-use address match lists this. Similarly, the listen-on option will cause
-the server to not accept queries on any of the machine's addresses
-which do not match the list.</para>
-
-<para>Because of the first-match aspect of the algorithm, an element
-that defines a subset of another element in the list should come
-before the broader element, regardless of whether either is negated. For
-example, in
-<command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
-completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element.
-Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
-that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</para>
-</sect3>
-</sect2>
-
-<sect2>
-<title>Comment Syntax</title>
-
-<para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a <acronym>BIND</acronym> configuration
-file. To appeal to programmers of all kinds, they can be written
-in the C, C++, or shell/perl style.</para>
-
-<sect3>
-<title>Syntax</title>
-
-<para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
-<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
-<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
- </para>
- </sect3>
- <sect3>
- <title>Definition and Usage</title>
-<para>Comments may appear anywhere that whitespace may appear in
-a <acronym>BIND</acronym> configuration file.</para>
-<para>C-style comments start with the two characters /* (slash,
-star) and end with */ (star, slash). Because they are completely
-delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</para>
-<para>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</para>
- <para><programlisting>/* This is the start of a comment.
- This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
- This is no longer in any comment. */
-</programlisting></para>
-
-<para>C++-style comments start with the two characters // (slash,
-slash) and continue to the end of the physical line. They cannot
-be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</para>
-<para>For example:</para>
- <para><programlisting>// This is the start of a comment. The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-</programlisting></para>
-<para>Shell-style (or perl-style, if you prefer) comments start
-with the character <literal>#</literal> (number sign) and continue to the end of the
-physical line, as in C++ comments.</para>
-<para>For example:</para>
-
-<para><programlisting># This is the start of a comment. The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-</programlisting>
-</para>
-
-<warning>
- <para>You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.</para>
-</warning>
-</sect3>
-</sect2>
-</sect1>
-
-<sect1 id="Configuration_File_Grammar">
-<title>Configuration File Grammar</title>
-
- <para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.</para>
-
- <para>The following statements are supported:</para>
-
- <informaltable colsep = "0" rowsep = "0">
- <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle =
- "2Level-table">
- <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.336in"/>
- <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.778in"/>
- <tbody>
- <row rowsep = "0">
- <entry colname = "1"><para><command>acl</command></para></entry>
- <entry colname = "2"><para>defines a named IP address
-matching list, for access control and other uses.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>controls</command></para></entry>
- <entry colname = "2"><para>declares control channels to be used
-by the <command>rndc</command> utility.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>include</command></para></entry>
- <entry colname = "2"><para>includes a file.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>key</command></para></entry>
- <entry colname = "2"><para>specifies key information for use in
-authentication and authorization using TSIG.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>logging</command></para></entry>
- <entry colname = "2"><para>specifies what the server logs, and where
-the log messages are sent.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>lwres</command></para></entry>
- <entry colname = "2"><para>configures <command>named</command> to
-also act as a light weight resolver daemon (<command>lwresd</command>).</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>masters</command></para></entry>
- <entry colname = "2"><para>defines a named masters list for
-inclusion in stub and slave zone masters clauses.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>options</command></para></entry>
- <entry colname = "2"><para>controls global server configuration
-options and sets defaults for other statements.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>server</command></para></entry>
- <entry colname = "2"><para>sets certain configuration options on
-a per-server basis.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>trusted-keys</command></para></entry>
- <entry colname = "2"><para>defines trusted DNSSEC keys.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>view</command></para></entry>
- <entry colname = "2"><para>defines a view.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>zone</command></para></entry>
- <entry colname = "2"><para>defines a zone.</para></entry>
- </row>
- </tbody>
- </tgroup></informaltable>
-
- <para>The <command>logging</command> and
- <command>options</command> statements may only occur once per
- configuration.</para>
-
- <sect2>
- <title><command>acl</command> Statement Grammar</title>
-
- <programlisting><command>acl</command> acl-name {
- address_match_list
-};
-</programlisting>
- </sect2>
- <sect2 id="acl">
- <title><command>acl</command> Statement Definition and
-Usage</title>
-
- <para>The <command>acl</command> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).</para>
-
- <para>Note that an address match list's name must be defined
- with <command>acl</command> before it can be used elsewhere; no
- forward references are allowed.</para>
-
- <para>The following ACLs are built-in:</para>
-
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.130in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>any</command></para></entry>
-<entry colname = "2"><para>Matches all hosts.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>none</command></para></entry>
-<entry colname = "2"><para>Matches no hosts.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>localhost</command></para></entry>
-<entry colname = "2"><para>Matches the IPv4 and IPv6 addresses of all network
-interfaces on the system.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>localnets</command></para></entry>
-<entry colname = "2"><para>Matches any host on an IPv4 or IPv6 network
-for which the system has an interface.
-Some systems do not provide a way to determine the prefix lengths of
-local IPv6 addresses.
-In such a case, <command>localnets</command> only matches the local
-IPv6 addresses, just like <command>localhost</command>.
-</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-</sect2>
-<sect2>
- <title><command>controls</command> Statement Grammar</title>
-<programlisting><command>controls</command> {
- inet ( ip_addr | * ) <optional> port ip_port </optional> allow { <replaceable> address_match_list </replaceable> }
- keys { <replaceable> key_list </replaceable> };
- <optional> inet ...; </optional>
-};
-</programlisting>
-</sect2>
-
-<sect2 id="controls_statement_definition_and_usage">
-<title><command>controls</command> Statement Definition and Usage</title>
-
- <para>The <command>controls</command> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <command>rndc</command> utility to send commands to
- and retrieve non-DNS results from a name server.</para>
-
- <para>An <command>inet</command> control channel is a TCP
- socket listening at the specified
- <command>ip_port</command> on the specified
- <command>ip_addr</command>, which can be an IPv4 or IPv6
- address. An <command>ip_addr</command>
- of <literal>*</literal> is interpreted as the IPv4 wildcard
- address; connections will be accepted on any of the system's
- IPv4 addresses. To listen on the IPv6 wildcard address,
- use an <command>ip_addr</command> of <literal>::</literal>.
- If you will only use <command>rndc</command> on the local host,
- using the loopback address (<literal>127.0.0.1</literal>
- or <literal>::1</literal>) is recommended for maximum
- security.
- </para>
-
- <para>
- If no port is specified, port 953
- is used. "<literal>*</literal>" cannot be used for
- <command>ip_port</command>.</para>
-
- <para>The ability to issue commands over the control channel is
- restricted by the <command>allow</command> and
- <command>keys</command> clauses. Connections to the control
- channel are permitted based on the
- <command>address_match_list</command>. This is for simple
- IP address based filtering only; any <command>key_id</command>
- elements of the <command>address_match_list</command> are
- ignored.
- </para>
-
- <para>The primary authorization mechanism of the command
- channel is the <command>key_list</command>, which contains
- a list of <command>key_id</command>s.
- Each <command>key_id</command> in
- the <command>key_list</command> is authorized to execute
- commands over the control channel.
- See <xref linkend="rndc"/> in
- <xref linkend="admin_tools"/>) for information about
- configuring keys in <command>rndc</command>.</para>
-
-<para>
-If no <command>controls</command> statement is present,
-<command>named</command> will set up a default
-control channel listening on the loopback address 127.0.0.1
-and its IPv6 counterpart ::1.
-In this case, and also when the <command>controls</command> statement
-is present but does not have a <command>keys</command> clause,
-<command>named</command> will attempt to load the command channel key
-from the file <filename>rndc.key</filename> in
-<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
-was specified as when <acronym>BIND</acronym> was built).
-To create a <filename>rndc.key</filename> file, run
-<userinput>rndc-confgen -a</userinput>.
-</para>
-
- <para>The <filename>rndc.key</filename> feature was created to
- ease the transition of systems from <acronym>BIND</acronym> 8,
- which did not have digital signatures on its command channel messages
- and thus did not have a <command>keys</command> clause.
-
-It makes it possible to use an existing <acronym>BIND</acronym> 8
-configuration file in <acronym>BIND</acronym> 9 unchanged,
-and still have <command>rndc</command> work the same way
-<command>ndc</command> worked in BIND 8, simply by executing the
-command <userinput>rndc-confgen -a</userinput> after BIND 9 is
-installed.
-</para>
-
- <para>
- Since the <filename>rndc.key</filename> feature
- is only intended to allow the backward-compatible usage of
- <acronym>BIND</acronym> 8 configuration files, this feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <filename>rndc.conf</filename> with your own key if you wish to change
- those things. The <filename>rndc.key</filename> file also has its
- permissions set such that only the owner of the file (the user that
- <command>named</command> is running as) can access it. If you
- desire greater flexibility in allowing other users to access
- <command>rndc</command> commands then you need to create an
- <filename>rndc.conf</filename> and make it group readable by a group
- that contains the users who should have access.</para>
-
- <para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
- in <acronym>BIND</acronym> 9, and is not expected to be added in future
- releases. If it is present in the controls statement from a
- <acronym>BIND</acronym> 8 configuration file, it is ignored
- and a warning is logged.</para>
-
-<para>
-To disable the command channel, use an empty <command>controls</command>
-statement: <command>controls { };</command>.
-</para>
-
- </sect2>
- <sect2>
- <title><command>include</command> Statement Grammar</title>
- <programlisting>include <replaceable>filename</replaceable>;</programlisting>
- </sect2>
- <sect2>
- <title><command>include</command> Statement Definition and Usage</title>
-
- <para>The <command>include</command> statement inserts the
- specified file at the point where the <command>include</command>
- statement is encountered. The <command>include</command>
- statement facilitates the administration of configuration files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.</para>
-
- </sect2>
- <sect2>
- <title><command>key</command> Statement Grammar</title>
-<programlisting>key <replaceable>key_id</replaceable> {
- algorithm <replaceable>string</replaceable>;
- secret <replaceable>string</replaceable>;
-};
-</programlisting>
- </sect2>
-
-<sect2>
-<title><command>key</command> Statement Definition and Usage</title>
-
-<para>The <command>key</command> statement defines a shared
-secret key for use with TSIG (see <xref linkend="tsig"/>)
-or the command channel
-(see <xref linkend="controls_statement_definition_and_usage"/>).
-</para>
-
-<para>
-The <command>key</command> statement can occur at the top level
-of the configuration file or inside a <command>view</command>
-statement. Keys defined in top-level <command>key</command>
-statements can be used in all views. Keys intended for use in
-a <command>controls</command> statement
-(see <xref linkend="controls_statement_definition_and_usage"/>)
-must be defined at the top level.
-</para>
-
-<para>The <replaceable>key_id</replaceable>, also known as the
-key name, is a domain name uniquely identifying the key. It can
-be used in a <command>server</command>
-statement to cause requests sent to that
-server to be signed with this key, or in address match lists to
-verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</para>
-
-<para>The <replaceable>algorithm_id</replaceable> is a string
-that specifies a security/authentication algorithm. The only
-algorithm currently supported with TSIG authentication is
-<literal>hmac-md5</literal>. The
-<replaceable>secret_string</replaceable> is the secret to be
-used by the algorithm, and is treated as a base-64 encoded
-string.</para>
-
-</sect2>
- <sect2>
- <title><command>logging</command> Statement Grammar</title>
- <programlisting><command>logging</command> {
- [ <command>channel</command> <replaceable>channel_name</replaceable> {
- ( <command>file</command> <replaceable>path name</replaceable>
- [ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
- [ <command>size</command> <replaceable>size spec</replaceable> ]
- | <command>syslog</command> <replaceable>syslog_facility</replaceable>
- | <command>stderr</command>
- | <command>null</command> );
- [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
- <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
- [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
- [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
- [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
- }; ]
- [ <command>category</command> <replaceable>category_name</replaceable> {
- <replaceable>channel_name</replaceable> ; [ <replaceable>channel_nam</replaceable>e ; ... ]
- }; ]
- ...
-};
-</programlisting>
-</sect2>
-
-<sect2>
-<title><command>logging</command> Statement Definition and Usage</title>
-
-<para>The <command>logging</command> statement configures a wide
-variety of logging options for the name server. Its <command>channel</command> phrase
-associates output methods, format options and severity levels with
-a name that can then be used with the <command>category</command> phrase
-to select how various classes of messages are logged.</para>
-<para>Only one <command>logging</command> statement is used to define
-as many channels and categories as are wanted. If there is no <command>logging</command> statement,
-the logging configuration will be:</para>
-
-<programlisting>logging {
- category default { default_syslog; default_debug; };
- category unmatched { null; };
-};
-</programlisting>
-
-<para>In <acronym>BIND</acronym> 9, the logging configuration is only established when
-the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
-established as soon as the <command>logging</command> statement
-was parsed. When the server is starting up, all logging messages
-regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<option>-g</option>" option
-was specified.</para>
-
-<sect3>
-<title>The <command>channel</command> Phrase</title>
-
-<para>All log output goes to one or more <emphasis>channels</emphasis>;
-you can make as many of them as you want.</para>
-
-<para>Every channel definition must include a destination clause that
-says whether messages selected for the channel go to a file, to a
-particular syslog facility, to the standard error stream, or are
-discarded. It can optionally also limit the message severity level
-that will be accepted by the channel (the default is
-<command>info</command>), and whether to include a
-<command>named</command>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</para>
-
-<para>The <command>null</command> destination clause
-causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</para>
-
-<para>The <command>file</command> destination clause directs the channel
-to a disk file. It can include limitations
-both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</para>
-
-<para>If you use the <command>versions</command> log file option, then
-<command>named</command> will retain that many backup versions of the file by
-renaming them when opening. For example, if you choose to keep 3 old versions
-of the file <filename>lamers.log</filename> then just before it is opened
-<filename>lamers.log.1</filename> is renamed to
-<filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
-to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
-renamed to <filename>lamers.log.0</filename>.
-You can say <command>versions unlimited</command> to not limit
-the number of versions.
-If a <command>size</command> option is associated with the log file,
-then renaming is only done when the file being opened exceeds the
-indicated size. No backup versions are kept by default; any existing
-log file is simply appended.</para>
-
-<para>The <command>size</command> option for files is used to limit log
-growth. If the file ever exceeds the size, then <command>named</command> will
-stop writing to the file unless it has a <command>versions</command> option
-associated with it. If backup versions are kept, the files are rolled as
-described above and a new one begun. If there is no
-<command>versions</command> option, no more data will be written to the log
-until some out-of-band mechanism removes or truncates the log to less than the
-maximum size. The default behavior is not to limit the size of the
-file.</para>
-
-<para>Example usage of the <command>size</command> and
-<command>versions</command> options:</para>
-
-<programlisting>channel an_example_channel {
- file "example.log" versions 3 size 20m;
- print-time yes;
- print-category yes;
-};
-</programlisting>
-
-<para>The <command>syslog</command> destination clause directs the
-channel to the system log. Its argument is a
-syslog facility as described in the <command>syslog</command> man
-page. Known facilities are <command>kern</command>, <command>user</command>,
-<command>mail</command>, <command>daemon</command>, <command>auth</command>,
-<command>syslog</command>, <command>lpr</command>, <command>news</command>,
-<command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
-<command>ftp</command>, <command>local0</command>, <command>local1</command>,
-<command>local2</command>, <command>local3</command>, <command>local4</command>,
-<command>local5</command>, <command>local6</command> and
-<command>local7</command>, however not all facilities are supported on
-all operating systems.
-How <command>syslog</command> will handle messages sent to
-this facility is described in the <command>syslog.conf</command> man
-page. If you have a system which uses a very old version of <command>syslog</command> that
-only uses two arguments to the <command>openlog()</command> function,
-then this clause is silently ignored.</para>
-<para>The <command>severity</command> clause works like <command>syslog</command>'s
-"priorities", except that they can also be used if you are writing
-straight to a file rather than using <command>syslog</command>.
-Messages which are not at least of the severity level given will
-not be selected for the channel; messages of higher severity levels
-will be accepted.</para>
-<para>If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
-will also determine what eventually passes through. For example,
-defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
-only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
-cause messages of severity <command>info</command> and <command>notice</command> to
-be dropped. If the situation were reversed, with <command>named</command> writing
-messages of only <command>warning</command> or higher, then <command>syslogd</command> would
-print all messages it received from the channel.</para>
-
-<para>The <command>stderr</command> destination clause directs the
-channel to the server's standard error stream. This is intended for
-use when the server is running as a foreground process, for example
-when debugging a configuration.</para>
-
-<para>The server can supply extensive debugging information when
-it is in debugging mode. If the server's global debug level is greater
-than zero, then debugging mode will be active. The global debug
-level is set either by starting the <command>named</command> server
-with the <option>-d</option> flag followed by a positive integer,
-or by running <command>rndc trace</command>.
-The global debug level
-can be set to zero, and debugging mode turned off, by running <command>ndc
-notrace</command>. All debugging messages in the server have a debug
-level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</para>
-<programlisting>channel specific_debug_level {
- file "foo";
- severity debug 3;
-};
-</programlisting>
- <para>will get debugging output of level 3 or less any time the
-server is in debugging mode, regardless of the global debugging
-level. Channels with <command>dynamic</command> severity use the
-server's global debug level to determine what messages to print.</para>
- <para>If <command>print-time</command> has been turned on, then
-the date and time will be logged. <command>print-time</command> may
-be specified for a <command>syslog</command> channel, but is usually
-pointless since <command>syslog</command> also prints the date and
-time. If <command>print-category</command> is requested, then the
-category of the message will be logged as well. Finally, if <command>print-severity</command> is
-on, then the severity level of the message will be logged. The <command>print-</command> options may
-be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <command>print-</command> options
-are on:</para>
-
-<para><computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput></para>
-
-<para>There are four predefined channels that are used for
-<command>named</command>'s default logging as follows. How they are
-used is described in <xref linkend="the_category_phrase"/>.
-</para>
-
-<programlisting>channel default_syslog {
- syslog daemon; // send to syslog's daemon
- // facility
- severity info; // only send priority info
- // and higher
-};
-
-channel default_debug {
- file "named.run"; // write to named.run in
- // the working directory
- // Note: stderr is used instead
- // of "named.run"
- // if the server is started
- // with the '-f' option.
- severity dynamic; // log at the server's
- // current debug level
-};
-
-channel default_stderr {
- stderr; // writes to stderr
- severity info; // only send priority info
- // and higher
-};
-
-channel null {
- null; // toss anything sent to
- // this channel
-};
-</programlisting>
-
-<para>The <command>default_debug</command> channel has the special
-property that it only produces output when the server's debug level is
-nonzero. It normally writes to a file <filename>named.run</filename>
-in the server's working directory.</para>
-
-<para>For security reasons, when the "<option>-u</option>"
-command line option is used, the <filename>named.run</filename> file
-is created only after <command>named</command> has changed to the
-new UID, and any debug output generated while <command>named</command> is
-starting up and still running as root is discarded. If you need
-to capture this output, you must run the server with the "<option>-g</option>"
-option and redirect standard error to a file.</para>
-
-<para>Once a channel is defined, it cannot be redefined. Thus you
-cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</para>
-</sect3>
-
-<sect3 id="the_category_phrase"><title>The <command>category</command> Phrase</title>
-
-<para>There are many categories, so you can send the logs you want
-to see wherever you want, without seeing logs you don't want. If
-you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <command>default</command> category
-instead. If you don't specify a default category, the following
-"default default" is used:</para>
-<programlisting>category default { default_syslog; default_debug; };
-</programlisting>
-<para>As an example, let's say you want to log security events to
-a file, but you also want keep the default logging behavior. You'd
-specify the following:</para>
-<programlisting>channel my_security_channel {
- file "my_security_file";
- severity info;
-};
-category security {
- my_security_channel;
- default_syslog;
- default_debug;
-};</programlisting>
-<para>To discard all messages in a category, specify the <command>null</command> channel:</para>
-<programlisting>category xfer-out { null; };
-category notify { null; };
-</programlisting>
-<para>Following are the available categories and brief descriptions
-of the types of log information they contain. More
-categories may be added in future <acronym>BIND</acronym> releases.</para>
-<informaltable
- colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>default</command></para></entry>
-<entry colname = "2"><para>The default category defines the logging
-options for those categories where no specific configuration has been
-defined.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>general</command></para></entry>
-<entry colname = "2"><para>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>database</command></para></entry>
-<entry colname = "2"><para>Messages relating to the databases used
-internally by the name server to store zone and cache data.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>security</command></para></entry>
-<entry colname = "2"><para>Approval and denial of requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>config</command></para></entry>
-<entry colname = "2"><para>Configuration file parsing and processing.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>resolver</command></para></entry>
-<entry colname = "2"><para>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>xfer-in</command></para></entry>
-<entry colname = "2"><para>Zone transfers the server is receiving.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>xfer-out</command></para></entry>
-<entry colname = "2"><para>Zone transfers the server is sending.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify</command></para></entry>
-<entry colname = "2"><para>The NOTIFY protocol.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>client</command></para></entry>
-<entry colname = "2"><para>Processing of client requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>unmatched</command></para></entry>
-<entry colname = "2"><para>Messages that named was unable to determine the
-class of or for which there was no matching <command>view</command>.
-A one line summary is also logged to the <command>client</command> category.
-This category is best sent to a file or stderr, by default it is sent to
-the <command>null</command> channel.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>network</command></para></entry>
-<entry colname = "2"><para>Network operations.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>update</command></para></entry>
-<entry colname = "2"><para>Dynamic updates.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>update-security</command></para></entry>
-<entry colname = "2"><para>Approval and denial of update requests.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>queries</command></para></entry>
-<entry colname = "2"><para>Specify where queries should be logged to.</para>
-<para>
-At startup, specifing the category <command>queries</command> will also
-enable query logging unless <command>querylog</command> option has been
-specified.
-</para>
-<para>
-The query log entry reports the client's IP address and port number. The
-query name, class and type. It also reports whether the Recursion Desired
-flag was set (+ if set, - if not set), EDNS was in use (E) or if the
-query was signed (S).</para>
-<para><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
-</para>
-<para><computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
-</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>dispatch</command></para></entry>
-<entry colname = "2"><para>Dispatching of incoming packets to the
-server modules where they are to be processed.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>dnssec</command></para></entry>
-<entry colname = "2"><para>DNSSEC and TSIG protocol processing.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>lame-servers</command></para></entry>
-<entry colname = "2"><para>Lame servers. These are misconfigurations
-in remote servers, discovered by BIND 9 when trying to query
-those servers during resolution.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>delegation-only</command></para></entry>
-<entry colname = "2"><para>Delegation only. Logs queries that have have
-been forced to NXDOMAIN as the result of a delegation-only zone or
-a <command>delegation-only</command> in a hint or stub zone declaration.
-</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-</sect3>
-</sect2>
-
-<sect2>
-<title><command>lwres</command> Statement Grammar</title>
-
-<para> This is the grammar of the <command>lwres</command>
-statement in the <filename>named.conf</filename> file:</para>
-
-<programlisting><command>lwres</command> {
- <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> view <replaceable>view_name</replaceable>; </optional>
- <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
- <optional> ndots <replaceable>number</replaceable>; </optional>
-};
-</programlisting>
-
-</sect2>
-<sect2>
-<title><command>lwres</command> Statement Definition and Usage</title>
-
-<para>The <command>lwres</command> statement configures the name
-server to also act as a lightweight resolver server, see
-<xref linkend="lwresd"/>. There may be be multiple
-<command>lwres</command> statements configuring
-lightweight resolver servers with different properties.</para>
-
-<para>The <command>listen-on</command> statement specifies a list of
-addresses (and ports) that this instance of a lightweight resolver daemon
-should accept requests on. If no port is specified, port 921 is used.
-If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</para>
-
-<para>The <command>view</command> statement binds this instance of a
-lightweight resolver daemon to a view in the DNS namespace, so that the
-response will be constructed in the same manner as a normal DNS query
-matching this view. If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</para>
-
-<para>The <command>search</command> statement is equivalent to the
-<command>search</command> statement in
-<filename>/etc/resolv.conf</filename>. It provides a list of domains
-which are appended to relative names in queries.</para>
-
-<para>The <command>ndots</command> statement is equivalent to the
-<command>ndots</command> statement in
-<filename>/etc/resolv.conf</filename>. It indicates the minimum
-number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</para>
-</sect2>
-<sect2>
- <title><command>masters</command> Statement Grammar</title>
-<programlisting>
-<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ;
-</programlisting>
-</sect2>
-<sect2>
- <title><command>masters</command> Statement Definition and Usage </title>
-<para><command>masters</command> lists allow for a common set of masters
-to be easily used by multiple stub and slave zones.</para>
-</sect2>
-<sect2>
-<title><command>options</command> Statement Grammar</title>
-
-<para>This is the grammar of the <command>options</command>
-statement in the <filename>named.conf</filename> file:</para>
-
-<programlisting>options {
- <optional> version <replaceable>version_string</replaceable>; </optional>
- <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
- <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
- <optional> directory <replaceable>path_name</replaceable>; </optional>
- <optional> key-directory <replaceable>path_name</replaceable>; </optional>
- <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
- <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
- <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
- <optional> dump-file <replaceable>path_name</replaceable>; </optional>
- <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
- <optional> pid-file <replaceable>path_name</replaceable>; </optional>
- <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
- <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
- <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
- <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
- <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
- <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
- <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
- <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
- <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
- <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
- <optional> host-statistics-max <replaceable>number</replaceable>; </optional>
- <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
- <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
- <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
- <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
- <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
- <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
- <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
- <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
- <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
- <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
- <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
- <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
- <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable>response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
- <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
- <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
- <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
- <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
- <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
- <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
- <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
- <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
- <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
- <optional> tcp-clients <replaceable>number</replaceable>; </optional>
- <optional> recursive-clients <replaceable>number</replaceable>; </optional>
- <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
- <optional> serial-queries <replaceable>number</replaceable>; </optional>
- <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
- <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
- <optional> transfers-in <replaceable>number</replaceable>; </optional>
- <optional> transfers-out <replaceable>number</replaceable>; </optional>
- <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
- <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
- <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
- <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
- <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
- <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
- <optional> files <replaceable>size_spec</replaceable> ; </optional>
- <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
- <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
- <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
- <optional> interface-interval <replaceable>number</replaceable>; </optional>
- <optional> statistics-interval <replaceable>number</replaceable>; </optional>
- <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
- <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
- <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
- <optional> lame-ttl <replaceable>number</replaceable>; </optional>
- <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
- <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
- <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
- <optional> min-roots <replaceable>number</replaceable>; </optional>
- <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
- <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
- <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
- <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
- <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
- <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
- <optional> port <replaceable>ip_port</replaceable>; </optional>
- <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> random-device <replaceable>path_name</replaceable> ; </optional>
- <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
- <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
- <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
- <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
- <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
- <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
-};
-</programlisting>
-</sect2>
-
-<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
-
-<para>The <command>options</command> statement sets up global options
-to be used by <acronym>BIND</acronym>. This statement may appear only
-once in a configuration file. If there is no <command>options</command>
-statement, an options block with each option set to its default will
-be used.</para>
-
-<variablelist>
-
-<varlistentry><term><command>directory</command></term>
-<listitem><para>The working directory of the server.
-Any non-absolute pathnames in the configuration file will be taken
-as relative to this directory. The default location for most server
-output files (e.g. <filename>named.run</filename>) is this directory.
-If a directory is not specified, the working directory defaults
-to `<filename>.</filename>', the directory from which the server
-was started. The directory specified should be an absolute path.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>key-directory</command></term>
-<listitem><para>When performing dynamic update of secure zones, the
-directory where the public and private key files should be found,
-if different than the current working directory. The directory specified
-must be an absolute path.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>named-xfer</command></term>
-<listitem><para><emphasis>This option is obsolete.</emphasis>
-It was used in <acronym>BIND</acronym> 8 to
-specify the pathname to the <command>named-xfer</command> program.
-In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
-needed; its functionality is built into the name server.</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>tkey-domain</command></term>
-<listitem><para>The domain appended to the names of all
-shared keys generated with <command>TKEY</command>. When a client
-requests a <command>TKEY</command> exchange, it may or may not specify
-the desired name for the key. If present, the name of the shared
-key will be "<varname>client specified part</varname>" +
-"<varname>tkey-domain</varname>".
-Otherwise, the name of the shared key will be "<varname>random hex
-digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
-the <command>domainname</command> should be the server's domain
-name.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tkey-dhkey</command></term>
-<listitem><para>The Diffie-Hellman key used by the server
-to generate shared keys with clients using the Diffie-Hellman mode
-of <command>TKEY</command>. The server must be able to load the
-public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>dump-file</command></term>
-<listitem><para>The pathname of the file the server dumps
-the database to when instructed to do so with
-<command>rndc dumpdb</command>.
-If not specified, the default is <filename>named_dump.db</filename>.</para>
-</listitem></varlistentry>
-<varlistentry><term><command>memstatistics-file</command></term>
-<listitem><para>The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is <filename>named.memstats</filename>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>pid-file</command></term>
-<listitem><para>The pathname of the file the server writes its process ID
-in. If not specified, the default is <filename>/var/run/named.pid</filename>.
-The pid-file is used by programs that want to send signals to the running
-name server. Specifying <command>pid-file none</command> disables the
-use of a PID file &mdash; no file will be written and any
-existing one will be removed. Note that <command>none</command>
-is a keyword, not a file name, and therefore is not enclosed in
-double quotes.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>statistics-file</command></term>
-<listitem><para>The pathname of the file the server appends statistics
-to when instructed to do so using <command>rndc stats</command>.
-If not specified, the default is <filename>named.stats</filename> in the
-server's current directory. The format of the file is described
-in <xref linkend="statsfile"/></para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>port</command></term>
-<listitem><para>
-The UDP/TCP port number the server uses for
-receiving and sending DNS protocol traffic.
-The default is 53. This option is mainly intended for server testing;
-a server using a port other than 53 will not be able to communicate with
-the global DNS.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>random-device</command></term>
-<listitem><para>
-The source of entropy to be used by the server. Entropy is primarily needed
-for DNSSEC operations, such as TKEY transactions and dynamic update of signed
-zones. This options specifies the device (or file) from which to read
-entropy. If this is a file, operations requiring entropy will fail when the
-file has been exhausted. If not specified, the default value is
-<filename>/dev/random</filename>
-(or equivalent) when present, and none otherwise. The
-<command>random-device</command> option takes effect during
-the initial configuration load at server startup time and
-is ignored on subsequent reloads.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>preferred-glue</command></term>
-<listitem><para>
-If specified the listed type (A or AAAA) will be emitted before other glue
-in the additional section of a query response.
-The default is not to preference any type (NONE).
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>root-delegation-only</command></term>
-<listitem><para>
-Turn on enforcement of delegation-only in TLDs and root zones with an optional
-exclude list.
-</para>
-<para>
-Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</para>
-<programlisting>
-options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-</programlisting>
-</listitem></varlistentry>
-
-<varlistentry><term><command>disable-algorithms</command></term>
-<listitem><para>
-Disable the specified DNSSEC algorithms at and below the specified name.
-Multiple <command>disable-algorithms</command> statements are allowed.
-Only the most specific will be applied.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-lookaside</command></term>
-<listitem><para>
-When set <command>dnssec-lookaside</command> provides the
-validator with an alternate method to validate DNSKEY records at the
-top of a zone. When a DNSKEY is at or below a domain specified by the
-deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
-has left the key untrusted, the trust-anchor will be append to the key
-name and a DLV record will be looked up to see if it can validate the
-key. If the DLV record validates a DNSKEY (similarly to the way a DS
-record does) the DNSKEY RRset is deemed to be trusted.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-must-be-secure</command></term>
-<listitem><para>
-Specify heirarchies which must / may not be secure (signed and validated).
-If <userinput>yes</userinput> then named will only accept answers if they
-are secure.
-If <userinput>no</userinput> then normal dnssec validation applies
-allowing for insecure answers to be accepted.
-The specified domain must be under a <command>trusted-key</command> or
-<command>dnssec-lookaside</command> must be active.
-</para></listitem></varlistentry>
-
-</variablelist>
-
-<sect3 id="boolean_options"><title>Boolean Options</title>
-
-<variablelist>
-
-<varlistentry><term><command>auth-nxdomain</command></term>
-<listitem><para>If <userinput>yes</userinput>, then the <command>AA</command> bit
-is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <userinput>no</userinput>; this is
-a change from <acronym>BIND</acronym> 8. If you are using very old DNS software, you
-may need to set it to <userinput>yes</userinput>.</para></listitem></varlistentry>
-
-<varlistentry><term><command>deallocate-on-exit</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to enable checking
-for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
-the checks.</para></listitem></varlistentry>
-
-<varlistentry><term><command>dialup</command></term>
-<listitem><para>If <userinput>yes</userinput>, then the
-server treats all zones as if they are doing zone transfers across
-a dial on demand dialup link, which can be brought up by traffic
-originating from this server. This has different effects according
-to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <command>heartbeat-interval</command> and
-hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <userinput>no</userinput>.</para>
-<para>The <command>dialup</command> option
-may also be specified in the <command>view</command> and
-<command>zone</command> statements,
-in which case it overrides the global <command>dialup</command>
-option.</para>
-<para>If the zone is a master zone then the server will send out a NOTIFY
-request to all the slaves (default). This should trigger the zone serial
-number check in the slave (providing it supports NOTIFY) allowing the slave
-to verify the zone while the connection is active.
-The set of servers to which NOTIFY is sent can be controlled by
-<command>notify</command> and <command>also-notify</command>.</para>
-<para>If the
-zone is a slave or stub zone, then the server will suppress the regular
-"zone up to date" (refresh) queries and only perform them when the
-<command>heartbeat-interval</command> expires in addition to sending
-NOTIFY requests.</para><para>Finer control can be achieved by using
-<userinput>notify</userinput> which only sends NOTIFY messages,
-<userinput>notify-passive</userinput> which sends NOTIFY messages and
-suppresses the normal refresh queries, <userinput>refresh</userinput>
-which suppresses normal refresh processing and sends refresh queries
-when the <command>heartbeat-interval</command> expires, and
-<userinput>passive</userinput> which just disables normal refresh
-processing.</para>
-
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "4" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "1.150in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>dialup mode</para></entry>
-<entry colname = "2"><para>normal refresh</para></entry>
-<entry colname = "3"><para>heart-beat refresh</para></entry>
-<entry colname = "4"><para>heart-beat notify</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>no</command> (default)</para></entry>
-<entry colname = "2"><para>yes</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>yes</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>yes</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify</command></para></entry>
-<entry colname = "2"><para>yes</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>refresh</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>yes</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>passive</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>no</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>notify-passive</command></para></entry>
-<entry colname = "2"><para>no</para></entry>
-<entry colname = "3"><para>no</para></entry>
-<entry colname = "4"><para>yes</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>Note that normal NOTIFY processing is not affected by
-<command>dialup</command>.</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>fake-iquery</command></term>
-<listitem><para>In <acronym>BIND</acronym> 8, this option
-enabled simulating the obsolete DNS query type
-IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>fetch-glue</command></term>
-<listitem><para>This option is obsolete.
-In BIND 8, <userinput>fetch-glue yes</userinput>
-caused the server to attempt to fetch glue resource records it
-didn't have when constructing the additional
-data section of a response. This is now considered a bad idea
-and BIND 9 never does it.</para></listitem></varlistentry>
-
-<varlistentry><term><command>flush-zones-on-shutdown</command></term>
-<listitem><para>When the nameserver exits due receiving SIGTERM,
-flush / do not flush any pending zone writes. The default is
-<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>has-old-clients</command></term>
-<listitem><para>This option was incorrectly implemented
-in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
-To achieve the intended effect
-of
-<command>has-old-clients</command> <userinput>yes</userinput>, specify
-the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
-and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>host-statistics</command></term>
-<listitem><para>In BIND 8, this enables keeping of
-statistics for every host that the name server interacts with.
-Not implemented in BIND 9.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>maintain-ixfr-base</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
- It was used in <acronym>BIND</acronym> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
-log whenever possible. If you need to disable outgoing incremental zone
-transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>minimal-responses</command></term>
-<listitem><para>If <userinput>yes</userinput>, then when generating
-responses the server will only add records to the authority and
-additional data sections when they are required (e.g. delegations,
-negative responses). This may improve the performance of the server.
-The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>multiple-cnames</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to allow
-a domain name to have multiple CNAME records in violation of the
-DNS standards. <acronym>BIND</acronym> 9.2 always strictly
-enforces the CNAME rules both in master files and dynamic updates.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>notify</command></term>
-<listitem><para>If <userinput>yes</userinput> (the default),
-DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <xref linkend="notify"/>. The messages are sent to the
-servers listed in the zone's NS records (except the master server identified
-in the SOA MNAME field), and to any servers listed in the
-<command>also-notify</command> option.
-</para><para>
-If <userinput>explicit</userinput>, notifies are sent only to
-servers explicitly listed using <command>also-notify</command>.
-If <userinput>no</userinput>, no notifies are sent.
-</para><para>
-The <command>notify</command> option may also be
-specified in the <command>zone</command> statement,
-in which case it overrides the <command>options notify</command> statement.
-It would only be necessary to turn off this option if it caused slaves
-to crash.</para></listitem></varlistentry>
-
-<varlistentry><term><command>recursion</command></term>
-<listitem><para>If <userinput>yes</userinput>, and a
-DNS query requests recursion, then the server will attempt to do
-all the work required to answer the query. If recursion is off
-and the server does not already know the answer, it will return a
-referral response. The default is <userinput>yes</userinput>.
-Note that setting <command>recursion no</command> does not prevent
-clients from getting data from the server's cache; it only
-prevents new data from being cached as an effect of client queries.
-Caching may still occur as an effect the server's internal
-operation, such as NOTIFY address lookups.
-See also <command>fetch-glue</command> above.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>rfc2308-type1</command></term>
-<listitem><para>Setting this to <userinput>yes</userinput> will
-cause the server to send NS records along with the SOA record for negative
-answers. The default is <userinput>no</userinput>.</para>
-<note><simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>use-id-pool</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
-<acronym>BIND</acronym> 9 always allocates query IDs from a pool.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>zone-statistics</command></term>
-<listitem><para>If <userinput>yes</userinput>, the server will collect
-statistical data on all zones (unless specifically turned off
-on a per-zone basis by specifying <command>zone-statistics no</command>
-in the <command>zone</command> statement). These statistics may be accessed
-using <command>rndc stats</command>, which will dump them to the file listed
-in the <command>statistics-file</command>. See also <xref linkend="statsfile"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>use-ixfr</command></term>
-<listitem><para><emphasis>This option is obsolete</emphasis>.
-If you need to disable IXFR to a particular server or servers see
-the information on the <command>provide-ixfr</command> option
-in <xref linkend="server_statement_definition_and_usage"/>. See also
-<xref linkend="incremental_zone_transfers"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>provide-ixfr</command></term>
-<listitem>
-<para>
-See the description of
-<command>provide-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>request-ixfr</command></term>
-<listitem>
-<para>
-See the description of
-<command>request-ixfr</command> in
-<xref linkend="server_statement_definition_and_usage"/>
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>treat-cr-as-space</command></term>
-<listitem><para>This option was used in <acronym>BIND</acronym> 8 to make
-the server treat carriage return ("<command>\r</command>") characters the same way
-as a space or tab character,
-to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
-and NT/DOS "<command>\r\n</command>" newlines are always accepted,
-and the option is ignored.</para></listitem></varlistentry>
-
-<varlistentry>
-<term><command>additional-from-auth</command></term>
-<term><command>additional-from-cache</command></term>
-<listitem>
-
-<para>
-These options control the behavior of an authoritative server when
-answering queries which have additional data, or when following CNAME
-and DNAME chains.
-</para>
-
-<para>
-When both of these options are set to <userinput>yes</userinput>
-(the default) and a
-query is being answered from authoritative data (a zone
-configured into the server), the additional data section of the
-reply will be filled in using data from other authoritative zones
-and from the cache. In some situations this is undesirable, such
-as when there is concern over the correctness of the cache, or
-in servers where slave zones may be added and modified by
-untrusted third parties. Also, avoiding
-the search for this additional data will speed up server operations
-at the possible expense of additional queries to resolve what would
-otherwise be provided in the additional section.
-</para>
-
-<para>
-For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
-and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
-records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
-if known, even though they are not in the example.com zone.
-Setting these options to <command>no</command> disables this behavior and makes
-the server only search for additional data in the zone it answers from.
-</para>
-
-<para>
-These options are intended for use in authoritative-only
-servers, or in authoritative-only views. Attempts to set
-them to <command>no</command> without also specifying
-<command>recursion no</command> will cause the server to
-ignore the options and log a warning message.
-</para>
-
-<para>
-Specifying <command>additional-from-cache no</command> actually
-disables the use of the cache not only for additional data lookups
-but also when looking up the answer. This is usually the desired
-behavior in an authoritative-only server where the correctness of
-the cached data is an issue.
-</para>
-
-<para>
-When a name server is non-recursively queried for a name that is not
-below the apex of any served zone, it normally answers with an
-"upwards referral" to the root servers or the servers of some other
-known parent of the query name. Since the data in an upwards referral
-comes from the cache, the server will not be able to provide upwards
-referrals when <command>additional-from-cache no</command>
-has been specified. Instead, it will respond to such queries
-with REFUSED. This should not cause any problems since
-upwards referrals are not required for the resolution process.
-</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>match-mapped-addresses</command></term>
-<listitem><para>If <userinput>yes</userinput>, then an
-IPv4-mapped IPv6 address will match any address match
-list entries that match the corresponding IPv4 address.
-Enabling this option is sometimes useful on IPv6-enabled Linux
-systems, to work around a kernel quirk that causes IPv4
-TCP connections such as zone transfers to be accepted
-on an IPv6 socket using mapped addresses, causing
-address match lists designed for IPv4 to fail to match.
-The use of this option for any other purpose is discouraged.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-from-differences</command></term>
-<listitem>
-<para>
-When 'yes' and the server loads a new version of a master
-zone from its zone file or receives a new version of a slave
-file by a non-incremental zone transfer, it will compare
-the new version to the previous one and calculate a set
-of differences. The differences are then logged in the
-zone's journal file such that the changes can be transmitted
-to downstream slaves as an incremental zone transfer.
-</para><para>
-By allowing incremental zone transfers to be used for
-non-dynamic zones, this option saves bandwidth at the
-expense of increased CPU and memory consumption at the master.
-In particular, if the new version of a zone is completely
-different from the previous one, the set of differences
-will be of a size comparable to the combined size of the
-old and new zone version, and the server will need to
-temporarily allocate memory to hold this complete
-difference set.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>multi-master</command></term>
-<listitem>
-<para>
-This should be set when you have multiple masters for a zone and the
-addresses refer to different machines. If 'yes' named will not log
-when the serial number on the master is less than what named currently
-has. The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>dnssec-enable</command></term>
-<listitem>
-<para>
-Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
-named behaves as if it does not support DNSSEC.
-The default is <userinput>no</userinput>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>querylog</command></term>
-<listitem>
-<para>
-Specify whether query logging should be started when named start.
-If <command>querylog</command> is not specified then the query logging
-is determined by the presence of the logging category <command>queries</command>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>check-names</command></term>
-<listitem>
-<para>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received
-from the network. The default varies according to usage area. For
-<command>master</command> zones the default is <command>fail</command>.
-For <command>slave</command> zones the default is <command>warn</command>.
-For answer received from the network (<command>response</command>)
-the default is <command>ignore</command>.
-</para>
-<para>The rules for legal hostnames / mail domains are derived from RFC 952
-and RFC 821 as modified by RFC 1123.
-</para>
-<para><command>check-names</command> applies to the owner names of A, AAA and
-MX records. It also applies to the domain names in the RDATA of NS, SOA and MX
-records. It also applies to the RDATA of PTR records where the owner name
-indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Forwarding</title>
-<para>The forwarding facility can be used to create a large site-wide
-cache on a few servers, reducing traffic over links to external
-name servers. It can also be used to allow queries by servers that
-do not have direct access to the Internet, but wish to look up exterior
-names anyway. Forwarding occurs only on those queries for which
-the server is not authoritative and does not have the answer in
-its cache.</para>
-
-<variablelist>
-<varlistentry><term><command>forward</command></term>
-<listitem><para>This option is only meaningful if the
-forwarders list is not empty. A value of <varname>first</varname>,
-the default, causes the server to query the forwarders first, and
-if that doesn't answer the question the server will then look for
-the answer itself. If <varname>only</varname> is specified, the
-server will only query the forwarders.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>forwarders</command></term>
-<listitem><para>Specifies the IP addresses to be used
-for forwarding. The default is the empty list (no forwarding).
-</para></listitem></varlistentry>
-
-</variablelist>
-
-<para>Forwarding can also be configured on a per-domain basis, allowing
-for the global forwarding options to be overridden in a variety
-of ways. You can set particular domains to use different forwarders,
-or have a different <command>forward only/first</command> behavior,
-or not forward at all, see <xref linkend="zone_statement_grammar"/>.</para>
-</sect3>
-
-<sect3><title>Dual-stack Servers</title>
-<para>Dual-stack servers are used as servers of last resort to work around
-problems in reachability due the lack of support for either IPv4 or IPv6
-on the host machine.</para>
-
-<variablelist>
-<varlistentry><term><command>dual-stack-servers</command></term>
-<listitem><para>Specifies host names / addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used the server must be able
-to resolve the name using only the transport it has. If the machine is dual
-stacked then the <command>dual-stack-servers</command> have no effect unless
-access to a transport has been disabled on the command line
-(e.g. <command>named -4</command>).</para></listitem>
-</varlistentry>
-</variablelist>
-</sect3>
-
-<sect3 id="access_control"><title>Access Control</title>
-
-<para>Access to the server can be restricted based on the IP address
-of the requesting system. See <xref linkend="address_match_lists"/> for
-details on how to specify IP address lists.</para>
-
-<variablelist>
-
-<varlistentry><term><command>allow-notify</command></term>
-<listitem><para>Specifies which hosts are allowed to
-notify this server, a slave, of zone changes in addition
-to the zone masters.
-<command>allow-notify</command> may also be specified in the
-<command>zone</command> statement, in which case it overrides the
-<command>options allow-notify</command> statement. It is only meaningful
-for a slave zone. If not specified, the default is to process notify messages
-only from a zone's master.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-query</command></term>
-<listitem><para>Specifies which hosts are allowed to
-ask ordinary DNS questions. <command>allow-query</command> may also
-be specified in the <command>zone</command> statement, in which
-case it overrides the <command>options allow-query</command> statement. If
-not specified, the default is to allow queries from all hosts.</para>
-</listitem></varlistentry>
-
-
-<varlistentry><term><command>allow-recursion</command></term>
-<listitem><para>Specifies which hosts are allowed to
-make recursive queries through this server. If not specified, the
-default is to allow recursive queries from all hosts.
-Note that disallowing recursive queries for a host does not prevent the
-host from retrieving data that is already in the server's cache.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update-forwarding</command></term>
-<listitem><para>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master. The default is <userinput>{ none; }</userinput>, which
-means that no update forwarding will be performed. To enable
-update forwarding, specify
-<userinput>allow-update-forwarding { any; };</userinput>.
-Specifying values other than <userinput>{ none; }</userinput> or
-<userinput>{ any; }</userinput> is usually counterproductive, since
-the responsibility for update access control should rest with the
-master server, not the slaves.</para>
-<para>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <xref linkend="dynamic_update_security"/>
-for more details.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-v6-synthesis</command></term>
-<listitem><para>This option was introduced for the smooth transition from AAAA
-to A6 and from "nibble labels" to binary labels.
-However, since both A6 and binary labels were then deprecated,
-this option was also deprecated.
-It is now ignored with some warning messages.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-transfer</command></term>
-<listitem><para>Specifies which hosts are allowed to
-receive zone transfers from the server. <command>allow-transfer</command> may
-also be specified in the <command>zone</command> statement, in which
-case it overrides the <command>options allow-transfer</command> statement.
-If not specified, the default is to allow transfers to all hosts.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>blackhole</command></term>
-<listitem><para>Specifies a list of addresses that the
-server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <userinput>none</userinput>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Interfaces</title>
-<para>The interfaces and ports that the server will answer queries
-from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
-an optional port, and an <varname>address_match_list</varname>.
-The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</para>
-<para>Multiple <command>listen-on</command> statements are allowed.
-For example,</para>
-
-<programlisting>listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</programlisting>
-
-<para>will enable the name server on port 53 for the IP address
-5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</para>
-
-<para>If no <command>listen-on</command> is specified, the
-server will listen on port 53 on all interfaces.</para>
-
-<para>The <command>listen-on-v6</command> option is used to
-specify the interfaces and the ports on which the server will listen
-for incoming queries sent using IPv6.</para>
-
-<para>When <programlisting>{ any; }</programlisting> is specified
-as the <varname>address_match_list</varname> for the
-<command>listen-on-v6</command> option,
-the server does not bind a separate socket to each IPv6 interface
-address as it does for IPv4 if the operating system has enough API
-support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
-Instead, it listens on the IPv6 wildcard address.
-If the system only has incomplete API support for IPv6, however,
-the behavior is the same as that for IPv4.</para>
-
-<para>A list of particular IPv6 addresses can also be specified, in which case
-the server listens on a separate socket for each specified address,
-regardless of whether the desired API is supported by the system.</para>
-
-<para>Multiple <command>listen-on-v6</command> options can be used.
-For example,</para>
-
-<programlisting>listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-</programlisting>
-
-<para>will enable the name server on port 53 for any IPv6 addresses
-(with a single wildcard socket),
-and on port 1234 of IPv6 addresses that is not in the prefix
-2001:db8::/32 (with separate sockets for each matched address.)</para>
-
-<para>To make the server not listen on any IPv6 address, use</para>
-<programlisting>listen-on-v6 { none; };
-</programlisting>
-<para>If no <command>listen-on-v6</command> option is specified,
-the server will not listen on any IPv6 address.</para></sect3>
-
-<sect3><title>Query Address</title>
-<para>If the server doesn't know the answer to a question, it will
-query other name servers. <command>query-source</command> specifies
-the address and port used for such queries. For queries sent over
-IPv6, there is a separate <command>query-source-v6</command> option.
-If <command>address</command> is <command>*</command> or is omitted,
-a wildcard IP address (<command>INADDR_ANY</command>) will be used.
-If <command>port</command> is <command>*</command> or is omitted,
-a random unprivileged port will be used, <command>avoid-v4-udp-ports</command>
-and <command>avoid-v6-udp-ports</command> can be used to prevent named
-from selecting certain ports. The defaults are</para>
-<programlisting>query-source address * port *;
-query-source-v6 address * port *;
-</programlisting>
-<note>
-<para>The address specified in the <command>query-source</command> option
-is used for both UDP and TCP queries, but the port applies only to
-UDP queries. TCP queries always use a random
-unprivileged port.</para></note>
-<note>
-<para>See also <command>transfer-source</command> and
-<command>notify-source</command>.</para></note>
-</sect3>
-
-<sect3 id="zone_transfers"><title>Zone Transfers</title>
-<para><acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers
-and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</para>
-
-<variablelist>
-
-<varlistentry><term><command>also-notify</command></term>
-<listitem><para>Defines a global list of IP addresses of name servers
-that are also sent NOTIFY messages whenever a fresh copy of the
-zone is loaded, in addition to the servers listed in the zone's NS records.
-This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <command>also-notify</command> list
-is given in a <command>zone</command> statement, it will override
-the <command>options also-notify</command> statement. When a <command>zone notify</command> statement
-is set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
-not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-in</command></term>
-<listitem><para>Inbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-in</command></term>
-<listitem><para>Inbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes
-(1 hour). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-out</command></term>
-<listitem><para>Outbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-out</command></term>
-<listitem><para>Outbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes (1
-hour). The maximum value is 28 days (40320 minutes).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>serial-query-rate</command></term>
-<listitem><para>Slave servers will periodically query master servers
-to find out if zone serial numbers have changed. Each such query uses
-a minute amount of the slave server's network bandwidth. To limit the
-amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent. The value of the <command>serial-query-rate</command> option,
-an integer, is the maximum number of queries sent per second.
-The default is 20.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>serial-queries</command></term>
-<listitem><para>In BIND 8, the <command>serial-queries</command> option
-set the maximum number of concurrent serial number queries
-allowed to be outstanding at any given time.
-BIND 9 does not limit the number of outstanding
-serial queries and ignores the <command>serial-queries</command> option.
-Instead, it limits the rate at which the queries are sent
-as defined using the <command>serial-query-rate</command> option.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-format</command></term>
-<listitem>
-
-<para>
-Zone transfers can be sent using two different formats,
-<command>one-answer</command> and <command>many-answers</command>.
-The <command>transfer-format</command> option is used
-on the master server to determine which format it sends.
-<command>one-answer</command> uses one DNS message per
-resource record transferred.
-<command>many-answers</command> packs as many resource records as
-possible into a message. <command>many-answers</command> is more
-efficient, but is only supported by relatively new slave servers,
-such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym> 8.x and patched
-versions of <acronym>BIND</acronym> 4.9.5. The default is
-<command>many-answers</command>. <command>transfer-format</command>
-may be overridden on a per-server basis by using the
-<command>server</command> statement.
-</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-in</command></term>
-<listitem><para>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <literal>10</literal>.
-Increasing <command>transfers-in</command> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-out</command></term>
-<listitem><para>The maximum number of outbound zone transfers
-that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <literal>10</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfers-per-ns</command></term>
-<listitem><para>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote name server.
-The default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
-speed up the convergence of slave zones, but it also may increase
-the load on the remote name server. <command>transfers-per-ns</command> may
-be overridden on a per-server basis by using the <command>transfers</command> phrase
-of the <command>server</command> statement.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source</command></term>
-<listitem><para><command>transfer-source</command> determines
-which local address will be bound to IPv4 TCP connections used to
-fetch zones transferred inbound by the server. It also determines
-the source IPv4 address, and optionally the UDP port, used for the
-refresh queries and forwarded dynamic updates. If not set, it defaults
-to a system controlled value which will usually be the address of
-the interface "closest to" the remote end. This address must appear
-in the remote end's <command>allow-transfer</command> option for
-the zone being transferred, if one is specified. This statement
-sets the <command>transfer-source</command> for all zones, but can
-be overridden on a per-view or per-zone basis by including a
-<command>transfer-source</command> statement within the
-<command>view</command> or <command>zone</command> block
-in the configuration file.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source-v6</command></term>
-<listitem><para>The same as <command>transfer-source</command>,
-except zone transfers are performed using IPv6.</para>
- </listitem></varlistentry>
-
- <varlistentry>
- <term><command>alt-transfer-source</command></term>
- <listitem>
- <para>
- An alternate transfer source if the one listed in
- <command>transfer-source</command> fails and
- <command>use-alt-transfer-source</command> is
- set.
- </para>
- <note>
- If you do not wish the alternate transfer source
- to be used you should set
- <command>use-alt-transfer-source</command>
- appropriately and you should not depend upon
- getting a answer back to the first refresh
- query.
- </note>
- </listitem>
- </varlistentry>
-
-<varlistentry><term><command>alt-transfer-source-v6</command></term>
-<listitem><para>An alternate transfer source if the one listed in
-<command>transfer-source-v6</command> fails and
-<command>use-alt-transfer-source</command> is set.</para>
- </listitem></varlistentry>
-
-<varlistentry><term><command>use-alt-transfer-source</command></term>
-<listitem><para>Use the alternate transfer sources or not. If views are
-specified this defaults to <command>no</command> otherwise it defaults to
-<command>yes</command> (for BIND 8 compatibility).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source</command></term>
-<listitem><para><command>notify-source</command> determines
-which local source address, and optionally UDP port, will be used to
-send NOTIFY messages.
-This address must appear in the slave server's <command>masters</command>
-zone clause or in an <command>allow-notify</command> clause.
-This statement sets the <command>notify-source</command> for all zones,
-but can be overridden on a per-zone / per-view basis by including a
-<command>notify-source</command> statement within the <command>zone</command>
-or <command>view</command> block in the configuration file.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source-v6</command></term>
-<listitem><para>Like <command>notify-source</command>,
-but applies to notify messages sent to IPv6 addresses.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3>
-<title>Bad UDP Port Lists</title>
-<para>
-<command>avoid-v4-udp-ports</command> and <command>avoid-v6-udp-ports</command>
-specify a list of IPv4 and IPv6 UDP ports that will not be used as system
-assigned source ports for UDP sockets. These lists prevent named
-from choosing as its random source port a port that is blocked by
-your firewall. If a query went out with such a source port, the
-answer would not get by the firewall and the name server would have
-to query again.
-</para>
-</sect3>
-
-<sect3>
-<title>Operating System Resource Limits</title>
-
-<para>The server's usage of many system resources can be limited.
-Scaled values are allowed when specifying resource limits. For
-example, <command>1G</command> can be used instead of
-<command>1073741824</command> to specify a limit of one
-gigabyte. <command>unlimited</command> requests unlimited use, or the
-maximum available amount. <command>default</command> uses the limit
-that was in force when the server was started. See the description of
-<command>size_spec</command> in <xref
-linkend="configuration_file_elements"/>.</para>
-
-<para>The following options set operating system resource limits for
-the name server process. Some operating systems don't support some or
-any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</para>
-
-<variablelist>
-
-<varlistentry><term><command>coresize</command></term>
-<listitem><para>The maximum size of a core dump. The default
-is <literal>default</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>datasize</command></term>
-<listitem><para>The maximum amount of data memory the server
-may use. The default is <literal>default</literal>.
-This is a hard limit on server memory usage.
-If the server attempts to allocate memory in excess of this
-limit, the allocation will fail, which may in turn leave
-the server unable to perform DNS service. Therefore,
-this option is rarely useful as a way of limiting the
-amount of memory used by the server, but it can be used
-to raise an operating system data size limit that is
-too small by default. If you wish to limit the amount
-of memory used by the server, use the
-<command>max-cache-size</command> and
-<command>recursive-clients</command>
-options instead.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>files</command></term>
-<listitem><para>The maximum number of files the server
-may have open concurrently. The default is <literal>unlimited</literal>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>stacksize</command></term>
-<listitem><para>The maximum amount of stack memory the server
-may use. The default is <literal>default</literal>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3>
-<title>Server Resource Limits</title>
-
-<para>The following options set limits on the server's
-resource consumption that are enforced internally by the
-server rather than the operating system.</para>
-
-<variablelist>
-
-<varlistentry><term><command>max-ixfr-log-size</command></term>
-<listitem><para>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility. The option
-<command>max-journal-size</command> performs a similar
-function in BIND 8.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-journal-size</command></term>
-<listitem><para>Sets a maximum size for each journal file
-(<xref linkend="journal"/>). When the journal file approaches
-the specified size, some of the oldest transactions in the journal
-will be automatically removed. The default is
-<literal>unlimited</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>host-statistics-max</command></term>
-<listitem><para>In BIND 8, specifies the maximum number of host statistic
-entries to be kept.
-Not implemented in BIND 9.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>recursive-clients</command></term>
-<listitem><para>The maximum number of simultaneous recursive lookups
-the server will perform on behalf of clients. The default is
-<literal>1000</literal>. Because each recursing client uses a fair
-bit of memory, on the order of 20 kilobytes, the value of the
-<command>recursive-clients</command> option may have to be decreased
-on hosts with limited memory.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tcp-clients</command></term>
-<listitem><para>The maximum number of simultaneous client TCP
-connections that the server will accept.
-The default is <literal>100</literal>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-cache-size</command></term>
-<listitem><para>The maximum amount of memory to use for the
-server's cache, in bytes. When the amount of data in the cache
-reaches this limit, the server will cause records to expire
-prematurely so that the limit is not exceeded. In a server with
-multiple views, the limit applies separately to the cache of each
-view. The default is <literal>unlimited</literal>, meaning that
-records are purged from the cache only when their TTLs expire.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>tcp-listen-queue</command></term>
-<listitem><para>The listen queue depth. The default and minimum is 3.
-If the kernel supports the accept filter "dataready" this also controls how
-many TCP connections that will be queued in kernel space waiting for
-some data before being passed to accept. Values less than 3 will be
-silently raised.
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3><title>Periodic Task Intervals</title>
-
-<variablelist>
-
-<varlistentry><term><command>cleaning-interval</command></term>
-<listitem><para>The server will remove expired resource records
-from the cache every <command>cleaning-interval</command> minutes.
-The default is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>heartbeat-interval</command></term>
-<listitem><para>The server will perform zone maintenance tasks
-for all zones marked as <command>dialup</command> whenever this
-interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
-If set to 0, no zone maintenance for these zones will occur.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>interface-interval</command></term>
-<listitem><para>The server will scan the network interface list
-every <command>interface-interval</command> minutes. The default
-is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, interface scanning will only occur when
-the configuration file is loaded. After the scan, the server will
-begin listening for queries on any newly discovered
-interfaces (provided they are allowed by the
-<command>listen-on</command> configuration), and will
-stop listening on interfaces that have gone away.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>statistics-interval</command></term>
-<listitem><para>Name server statistics will be logged
-every <command>statistics-interval</command> minutes. The default is
-60. The maximum value is 28 days (40320 minutes).
-If set to 0, no statistics will be logged.</para><note>
-<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3 id="topology"><title>Topology</title>
-
-<para>All other things being equal, when the server chooses a name server
-to query from a list of name servers, it prefers the one that is
-topologically closest to itself. The <command>topology</command> statement
-takes an <command>address_match_list</command> and interprets it
-in a special way. Each top-level list element is assigned a distance.
-Non-negated elements get a distance based on their position in the
-list, where the closer the match is to the start of the list, the
-shorter the distance is between it and the server. A negated match
-will be assigned the maximum distance from the server. If there
-is no match, the address will get a distance which is further than
-any non-negated list element, and closer than any negated element.
-For example,</para>
-<programlisting>topology {
- 10/8;
- !1.2.3/24;
- { 1.2/16; 3/8; };
-};</programlisting>
-<para>will prefer servers on network 10 the most, followed by hosts
-on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</para>
-<para>The default topology is</para>
-<programlisting> topology { localhost; localnets; };
-</programlisting>
-<note><simpara>The <command>topology</command> option
-is not implemented in <acronym>BIND</acronym> 9.
-</simpara></note>
-</sect3>
-
-<sect3 id="the_sortlist_statement">
-
-<title>The <command>sortlist</command> Statement</title>
-
-<para>The response to a DNS query may consist of multiple resource
-records (RRs) forming a resource records set (RRset).
-The name server will normally return the
-RRs within the RRset in an indeterminate order
-(but see the <command>rrset-order</command>
-statement in <xref linkend="rrset_ordering"/>).
-The client resolver code should rearrange the RRs as appropriate,
-that is, using any addresses on the local net in preference to other addresses.
-However, not all resolvers can do this or are correctly configured.
-When a client is using a local server the sorting can be performed
-in the server, based on the client's address. This only requires
-configuring the name servers, not all the clients.</para>
-
-<para>The <command>sortlist</command> statement (see below) takes
-an <command>address_match_list</command> and interprets it even
-more specifically than the <command>topology</command> statement
-does (<xref linkend="topology"/>).
-Each top level statement in the <command>sortlist</command> must
-itself be an explicit <command>address_match_list</command> with
-one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <command>address_match_list</command>)
-of each top level list is checked against the source address of
-the query until a match is found.</para>
-<para>Once the source address of the query has been matched, if
-the top level statement contains only one element, the actual primitive
-element that matched the source address is used to select the address
-in the response to move to the beginning of the response. If the
-statement is a list of two elements, then the second element is
-treated the same as the <command>address_match_list</command> in
-a <command>topology</command> statement. Each top level element
-is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</para>
-<para>In the following example, any queries received from any of
-the addresses of the host itself will get responses preferring addresses
-on any of the locally connected networks. Next most preferred are addresses
-on the 192.168.1/24 network, and after that either the 192.168.2/24
-or
-192.168.3/24 network with no preference shown between these two
-networks. Queries received from a host on the 192.168.1/24 network
-will prefer other addresses on that network to the 192.168.2/24
-and
-192.168.3/24 networks. Queries received from a host on the 192.168.4/24
-or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</para>
-<programlisting>sortlist {
- { localhost; // IF the local host
- { localnets; // THEN first fit on the
- 192.168.1/24; // following nets
- { 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.1/24; // IF on class C 192.168.1
- { 192.168.1/24; // THEN use .1, or .2 or .3
- { 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.2/24; // IF on class C 192.168.2
- { 192.168.2/24; // THEN use .2, or .1 or .3
- { 192.168.1/24; 192.168.3/24; }; }; };
- { 192.168.3/24; // IF on class C 192.168.3
- { 192.168.3/24; // THEN use .3, or .1 or .2
- { 192.168.1/24; 192.168.2/24; }; }; };
- { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
- };
-};</programlisting>
-<para>The following example will give reasonable behavior for the
-local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
-to queries from the local host will favor any of the directly connected
-networks. Responses sent to queries from any other hosts on a directly
-connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</para>
-<programlisting>sortlist {
- { localhost; localnets; };
- { localnets; };
-};
-</programlisting>
-</sect3>
-<sect3 id="rrset_ordering"><title id="rrset_ordering_title">RRset Ordering</title>
-<para>When multiple records are returned in an answer it may be
-useful to configure the order of the records placed into the response.
-The <command>rrset-order</command> statement permits configuration
-of the ordering of the records in a multiple record response.
-See also the <command>sortlist</command> statement,
-<xref linkend="the_sortlist_statement"/>.
-</para>
-
-<para>An <command>order_spec</command> is defined as follows:</para>
-<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
- order <replaceable>ordering</replaceable>
-</programlisting>
-<para>If no class is specified, the default is <command>ANY</command>.
-If no type is specified, the default is <command>ANY</command>.
-If no name is specified, the default is "<command>*</command>".</para>
-<para>The legal values for <command>ordering</command> are:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.750in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>fixed</command></para></entry>
-<entry colname = "2"><para>Records are returned in the order they
-are defined in the zone file.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>random</command></para></entry>
-<entry colname = "2"><para>Records are returned in some random order.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>cyclic</command></para></entry>
-<entry colname = "2"><para>Records are returned in a round-robin
-order.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>For example:</para>
-<programlisting>rrset-order {
- class IN type A name "host.example.com" order random;
- order cyclic;
-};
-</programlisting>
-<para>will cause any responses for type A records in class IN that
-have "<literal>host.example.com</literal>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</para>
-<para>If multiple <command>rrset-order</command> statements appear,
-they are not combined &mdash; the last one applies.</para>
-
-<note>
-<simpara>The <command>rrset-order</command> statement
-is not yet fully implemented in <acronym>BIND</acronym> 9.
-BIND 9 currently does not support "fixed" ordering.
-</simpara></note>
-</sect3>
-
-<sect3 id="tuning"><title>Tuning</title>
-
-<variablelist>
-
-<varlistentry><term><command>lame-ttl</command></term>
-<listitem><para>Sets the number of seconds to cache a
-lame server indication. 0 disables caching. (This is
-<emphasis role="bold">NOT</emphasis> recommended.)
-Default is <literal>600</literal> (10 minutes). Maximum value is
-<literal>1800</literal> (30 minutes).</para>
-
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-ncache-ttl</command></term>
-<listitem><para>To reduce network traffic and increase performance
-the server stores negative answers. <command>max-ncache-ttl</command> is
-used to set a maximum retention time for these answers in the server
-in seconds. The default
-<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
-<command>max-ncache-ttl</command> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-cache-ttl</command></term>
-<listitem><para><command>max-cache-ttl</command> sets
-the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>min-roots</command></term>
-<listitem><para>The minimum number of root servers that
-is required for a request for the root servers to be accepted. Default
-is <userinput>2</userinput>.</para>
-<note>
-<simpara>Not implemented in <acronym>BIND</acronym>9.</simpara></note>
-</listitem></varlistentry>
-
-<varlistentry><term><command>sig-validity-interval</command></term>
-<listitem><para>Specifies the number of days into the
-future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<xref linkend="dynamic_update"/>)
-will expire. The default is <literal>30</literal> days.
-The maximum value is 10 years (3660 days). The signature
-inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</para>
-</listitem></varlistentry>
-
-<varlistentry>
-<term><command>min-refresh-time</command></term>
-<term><command>max-refresh-time</command></term>
-<term><command>min-retry-time</command></term>
-<term><command>max-retry-time</command></term>
-<listitem><para>
-These options control the server's behavior on refreshing a zone
-(querying for SOA changes) or retrying failed transfers.
-Usually the SOA values for the zone are used, but these values
-are set by the master, giving slave server administrators little
-control over their contents.
-</para><para>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view, or globally.
-These options are valid for slave and stub zones,
-and clamp the SOA refresh and retry times to the specified values.
-</para></listitem></varlistentry>
-
-<varlistentry>
-<term><command>edns-udp-size</command></term>
-<listitem><para>
-<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
-size. Valid values are 512 to 4096 (values outside this range will be
-silently adjusted). The default value is 4096. The usual reason for
-setting edns-udp-size to a non default value it to get UDP answers to
-pass through broken firewalls that block fragmented packets and/or
-block UDP packets that are greater than 512 bytes.
-</para></listitem></varlistentry>
-</variablelist>
-
-</sect3>
-
-<sect3 id="builtin">
-<title>Built-in server information zones</title>
-
-<para>The server provides some helpful diagnostic information
-through a number of built-in zones under the
-pseudo-top-level-domain <literal>bind</literal> in the
-<command>CHAOS</command> class. These zones are part of a
-built-in view (see <xref linkend="view_statement_grammar"/>) of class
-<command>CHAOS</command> which is separate from the default view of
-class <command>IN</command>; therefore, any global server options
-such as <command>allow-query</command> do not apply the these zones.
-If you feel the need to disable these zones, use the options
-below, or hide the built-in <command>CHAOS</command> view by
-defining an explicit view of class <command>CHAOS</command>
-that matches all clients.</para>
-
-<variablelist>
-
-<varlistentry><term><command>version</command></term>
-<listitem><para>The version the server should report
-via a query of the name <literal>version.bind</literal>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-The default is the real version number of this server.
-Specifying <command>version none</command>
-disables processing of the queries.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>hostname</command></term>
-<listitem><para>The hostname the server should report via a query of
-the name <filename>hostname.bind</filename>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-This defaults to the hostname of the machine hosting the name server as
-found by gethostname(). The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <command>hostname none;</command>
-disables processing of the queries.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>server-id</command></term>
-<listitem><para>The ID of the server should report via a query of
-the name <filename>ID.SERVER</filename>
-with type <command>TXT</command>, class <command>CHAOS</command>.
-The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <command>server-id none;</command>
-disables processing of the queries.
-Specifying <command>server-id hostname;</command> will cause named to
-use the hostname as found by gethostname().
-The default <command>server-id</command> is <command>none</command>.
-</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-
-<sect3 id="statsfile">
-<title>The Statistics File</title>
-
-<para>The statistics file generated by <acronym>BIND</acronym> 9
-is similar, but not identical, to that
-generated by <acronym>BIND</acronym> 8.
-</para>
-<para>The statistics dump begins with the line <command>+++ Statistics Dump
-+++ (973798949)</command>, where the number in parentheses is a standard
-Unix-style timestamp, measured as seconds since January 1, 1970. Following
-that line are a series of lines containing a counter type, the value of the
-counter, optionally a zone name, and optionally a view name.
-The lines without view and zone listed are global statistics for the entire server.
-Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view). The statistics dump ends
-with the line <command>--- Statistics Dump --- (973798949)</command>, where the
-number is identical to the number in the beginning line.</para>
-<para>The following statistics counters are maintained:</para>
-<informaltable
- colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><command>success</command></para></entry>
-<entry colname = "2"><para>The number of
-successful queries made to the server or zone. A successful query
-is defined as query which returns a NOERROR response with at least
-one answer RR.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>referral</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted
-in referral responses.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>nxrrset</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted in
-NOERROR responses with no data.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>nxdomain</command></para></entry>
-<entry colname = "2"><para>The number
-of queries which resulted in NXDOMAIN responses.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>failure</command></para></entry>
-<entry colname = "2"><para>The number of queries which resulted in a
-failure response other than those above.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><command>recursion</command></para></entry>
-<entry colname = "2"><para>The number of queries which caused the server
-to perform recursion in order to find the final answer.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>
-Each query received by the server will cause exactly one of
-<command>success</command>,
-<command>referral</command>,
-<command>nxrrset</command>,
-<command>nxdomain</command>, or
-<command>failure</command>
-to be incremented, and may additionally cause the
-<command>recursion</command> counter to be incremented.
-</para>
-
-</sect3>
-
-</sect2>
-
-<sect2 id="server_statement_grammar">
-<title><command>server</command> Statement Grammar</title>
-
-<programlisting>server <replaceable>ip_addr</replaceable> {
- <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> transfers <replaceable>number</replaceable> ; </optional>
- <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
- <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
- <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
-};
-</programlisting>
-
-</sect2>
-
-<sect2 id="server_statement_definition_and_usage">
-<title><command>server</command> Statement Definition and Usage</title>
-
-<para>The <command>server</command> statement defines characteristics
-to be associated with a remote name server.</para>
-
-<para>
-The <command>server</command> statement can occur at the top level of the
-configuration file or inside a <command>view</command> statement.
-If a <command>view</command> statement contains
-one or more <command>server</command> statements, only those
-apply to the view and any top-level ones are ignored.
-If a view contains no <command>server</command> statements,
-any top-level <command>server</command> statements are used as
-defaults.
-</para>
-
-<para>If you discover that a remote server is giving out bad data,
-marking it as bogus will prevent further queries to it. The default
-value of <command>bogus</command> is <command>no</command>.</para>
-<para>The <command>provide-ixfr</command> clause determines whether
-the local server, acting as master, will respond with an incremental
-zone transfer when the given remote server, a slave, requests it.
-If set to <command>yes</command>, incremental transfer will be provided
-whenever possible. If set to <command>no</command>, all transfers
-to the remote server will be non-incremental. If not set, the value
-of the <command>provide-ixfr</command> option in the view or
-global options block is used as a default.</para>
-
-<para>The <command>request-ixfr</command> clause determines whether
-the local server, acting as a slave, will request incremental zone
-transfers from the given remote server, a master. If not set, the
-value of the <command>request-ixfr</command> option in the view or
-global options block is used as a default.</para>
-
-<para>IXFR requests to servers that do not support IXFR will automatically
-fall back to AXFR. Therefore, there is no need to manually list
-which servers support IXFR and which ones do not; the global default
-of <command>yes</command> should always work.
-The purpose of the <command>provide-ixfr</command> and
-<command>request-ixfr</command> clauses is
-to make it possible to disable the use of IXFR even when both master
-and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</para>
-
-<para>The <command>edns</command> clause determines whether the local server
-will attempt to use EDNS when communicating with the remote server. The
-default is <command>yes</command>.</para>
-
-<para>The server supports two zone transfer methods. The first, <command>one-answer</command>,
-uses one DNS message per resource record transferred. <command>many-answers</command> packs
-as many resource records as possible into a message. <command>many-answers</command> is
-more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
-8.x, and patched versions of <acronym>BIND</acronym> 4.9.5. You can specify which method
-to use for a server with the <command>transfer-format</command> option.
-If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
-by the <command>options</command> statement will be used.</para>
-
-<para><command>transfers</command> is used to limit the number of
-concurrent inbound zone transfers from the specified server. If
-no <command>transfers</command> clause is specified, the limit is
-set according to the <command>transfers-per-ns</command> option.</para>
-
-<para>The <command>keys</command> clause identifies a
-<command>key_id</command> defined by the <command>key</command> statement,
-to be used for transaction security (TSIG, <xref linkend="tsig"/>)
-when talking to the remote server.
-When a request is sent to the remote server, a request signature
-will be generated using the key specified here and appended to the
-message. A request originating from the remote server is not required
-to be signed by this key.</para>
-
-<para>Although the grammar of the <command>keys</command> clause
-allows for multiple keys, only a single key per server is currently
-supported.</para>
-
-<para>The <command>transfer-source</command> and
-<command>transfer-source-v6</command> clauses specify the IPv4 and IPv6 source
-address to be used for zone transfer with the remote server, respectively.
-For an IPv4 remote server, only <command>transfer-source</command> can
-be specified.
-Similarly, for an IPv6 remote server, only
-<command>transfer-source-v6</command> can be specified.
-Form more details, see the description of
-<command>transfer-source</command> and
-<command>transfer-source-v6</command> in
-<xref linkend="zone_transfers"/>.</para>
-
-</sect2>
-
-<sect2><title><command>trusted-keys</command> Statement Grammar</title>
-<programlisting>trusted-keys {
- <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
- <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
-};
-</programlisting>
-</sect2>
-<sect2><title><command>trusted-keys</command> Statement Definition
-and Usage</title>
-<para>The <command>trusted-keys</command> statement defines DNSSEC
-security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative
-zone is known, but cannot be securely obtained through DNS, either
-because it is the DNS root zone or because its parent zone is unsigned.
-Once a key has been configured as a trusted key, it is treated as
-if it had been validated and proven secure. The resolver attempts
-DNSSEC validation on all DNS data in subdomains of a security root.</para>
-<para>The <command>trusted-keys</command> statement can contain
-multiple key entries, each consisting of the key's domain name,
-flags, protocol, algorithm, and the base-64 representation of the
-key data.</para></sect2>
-
-<sect2 id="view_statement_grammar">
-<title><command>view</command> Statement Grammar</title>
-<programlisting>view <replaceable>view_name</replaceable>
- <optional><replaceable>class</replaceable></optional> {
- match-clients { <replaceable>address_match_list</replaceable> } ;
- match-destinations { <replaceable>address_match_list</replaceable> } ;
- match-recursive-only <replaceable>yes_or_no</replaceable> ;
- <optional> <replaceable>view_option</replaceable>; ...</optional>
- <optional> <replaceable>zone_statement</replaceable>; ...</optional>
-};
-</programlisting></sect2>
-<sect2><title><command>view</command> Statement Definition and Usage</title>
-
-<para>The <command>view</command> statement is a powerful new feature
-of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differently
-depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</para>
-
-<para>Each <command>view</command> statement defines a view of the
-DNS namespace that will be seen by a subset of clients. A client matches
-a view if its source IP address matches the
-<varname>address_match_list</varname> of the view's
-<command>match-clients</command> clause and its destination IP address matches
-the <varname>address_match_list</varname> of the view's
-<command>match-destinations</command> clause. If not specified, both
-<command>match-clients</command> and <command>match-destinations</command>
-default to matching all addresses. In addition to checking IP addresses
-<command>match-clients</command> and <command>match-destinations</command>
-can also take <command>keys</command> which provide an mechanism for the
-client to select the view. A view can also be specified
-as <command>match-recursive-only</command>, which means that only recursive
-requests from matching clients will match that view.
-The order of the <command>view</command> statements is significant &mdash;
-a client request will be resolved in the context of the first
-<command>view</command> that it matches.</para>
-
-<para>Zones defined within a <command>view</command> statement will
-be only be accessible to clients that match the <command>view</command>.
- By defining a zone of the same name in multiple views, different
-zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</para>
-
-<para>Many of the options given in the <command>options</command> statement
-can also be used within a <command>view</command> statement, and then
-apply only when resolving queries with that view. When no view-specific
-value is given, the value in the <command>options</command> statement
-is used as a default. Also, zone options can have default values specified
-in the <command>view</command> statement; these view-specific defaults
-take precedence over those in the <command>options</command> statement.</para>
-
-<para>Views are class specific. If no class is given, class IN
-is assumed. Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</para>
-
-<para>If there are no <command>view</command> statements in the config
-file, a default view that matches any client is automatically created
-in class IN. Any <command>zone</command> statements specified on
-the top level of the configuration file are considered to be part of
-this default view, and the <command>options</command> statement will
-apply to the default view. If any explicit <command>view</command>
-statements are present, all <command>zone</command> statements must
-occur inside <command>view</command> statements.</para>
-
-<para>Here is an example of a typical split DNS setup implemented
-using <command>view</command> statements.</para>
-<programlisting>view "internal" {
- // This should match our internal networks.
- match-clients { 10.0.0.0/8; };
-
- // Provide recursive service to internal clients only.
- recursion yes;
-
- // Provide a complete view of the example.com zone
- // including addresses of internal hosts.
- zone "example.com" {
- type master;
- file "example-internal.db";
- };
-};
-
-view "external" {
- // Match all clients not matched by the previous view.
- match-clients { any; };
-
- // Refuse recursive service to external clients.
- recursion no;
-
- // Provide a restricted view of the example.com zone
- // containing only publicly accessible hosts.
- zone "example.com" {
- type master;
- file "example-external.db";
- };
-};
-</programlisting>
-</sect2>
-<sect2 id="zone_statement_grammar"><title><command>zone</command>
-Statement Grammar</title>
- <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{
- type ( master | slave | hint | stub | forward | delegation-only ) ;
- <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> allow-update { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
- <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
- <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
- <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
- <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> file <replaceable>string</replaceable> ; </optional>
- <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
- <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
- <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
- <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
- <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
- <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
- <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
- <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
- <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
- <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
- <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
- <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
- <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
- <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
- <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
- <optional> database <replaceable>string</replaceable> ; </optional>
- <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
- <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
- <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
- <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
- <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
- <optional> key-directory <replaceable>path_name</replaceable>; </optional>
-
-}</optional>;
-</programlisting>
-</sect2>
-<sect2><title><command>zone</command> Statement Definition and Usage</title>
-<sect3><title>Zone Types</title>
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.908in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.217in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>master</varname></para></entry>
-<entry colname = "2"><para>The server has a master copy of the data
-for the zone and will be able to provide authoritative answers for
-it.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>slave</varname></para></entry>
-<entry colname = "2"><para>A slave zone is a replica of a master
-zone. The <command>masters</command> list specifies one or more IP addresses
-of master servers that the slave contacts to update its copy of the zone.
-Masters list elements can also be names of other masters lists.
-By default, transfers are made from port 53 on the servers; this can
-be changed for all servers by specifying a port number before the
-list of IP addresses, or on a per-server basis after the IP address.
-Authentication to the master can also be done with per-server TSIG keys.
-If a file is specified, then the
-replica will be written to this file whenever the zone is changed,
-and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server start-up and eliminates
-a needless waste of bandwidth. Note that for large numbers (in the
-tens or hundreds of thousands) of zones per server, it is best to
-use a two level naming scheme for zone file names. For example,
-a slave server for the zone <literal>example.com</literal> might place
-the zone contents into a file called
-<filename>ex/example.com</filename> where <filename>ex/</filename> is
-just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100 000 files into
-a single directory.)</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>stub</varname></para></entry>
-<entry colname = "2"><para>A stub zone is similar to a slave zone,
-except that it replicates only the NS records of a master zone instead
-of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <acronym>BIND</acronym> implementation.
-</para>
-
-<para>Stub zones can be used to eliminate the need for glue NS record
-in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <filename>named.conf</filename>.
-This usage is not recommended for new configurations, and BIND 9
-supports it only in a limited way.
-In <acronym>BIND</acronym> 4/8, zone transfers of a parent zone
-included the NS records from stub children of that zone. This meant
-that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <acronym>BIND</acronym>
-9 never mixes together zone data from different zones in this
-way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
-zone has child stub zones configured, all the slave servers for the
-parent zone also need to have the same child stub zones
-configured.</para>
-
-<para>Stub zones can also be used as a way of forcing the resolution
-of a given domain to use a particular set of authoritative servers.
-For example, the caching name servers on a private network using
-RFC1981 addressing may be configured with stub zones for
-<literal>10.in-addr.arpa</literal>
-to use a set of internal name servers as the authoritative
-servers for that domain.</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>forward</varname></para></entry>
-<entry colname = "2"><para>A "forward zone" is a way to configure
-forwarding on a per-domain basis. A <command>zone</command> statement
-of type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
-which will apply to queries within the domain given by the zone
-name. If no <command>forwarders</command> statement is present or
-an empty list for <command>forwarders</command> is given, then no
-forwarding will be done for the domain, canceling the effects of
-any forwarders in the <command>options</command> statement. Thus
-if you want to use this type of zone to change the behavior of the
-global <command>forward</command> option (that is, "forward first
-to", then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to re-specify the global forwarders.</para>
-</entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>hint</varname></para></entry>
-<entry colname = "2"><para>The initial set of root name servers is
-specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root name server and get the most recent
-list of root name servers. If no hint zone is specified for class
-IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
-<entry colname = "2"><para>This is used to enforce the delegation only
-status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
-is received without a explicit or implicit delegation in the authority
-section will be treated as NXDOMAIN. This does not apply to the zone
-apex. This SHOULD NOT be applied to leaf zones.</para>
-<para><varname>delegation-only</varname> has no effect on answers received
-from forwarders.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></sect3>
-
-<sect3><title>Class</title>
-<para>The zone's name may optionally be followed by a class. If
-a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
-is assumed. This is correct for the vast majority of cases.</para>
-<para>The <literal>hesiod</literal> class is
-named for an information service from MIT's Project Athena. It is
-used to share information about various systems databases, such
-as users, groups, printers and so on. The keyword
-<literal>HS</literal> is
-a synonym for hesiod.</para>
-<para>Another MIT development is CHAOSnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
-<sect3>
-
-<title>Zone Options</title>
-
-<variablelist>
-
-<varlistentry><term><command>allow-notify</command></term>
-<listitem><para>See the description of
-<command>allow-notify</command> in <xref linkend="access_control"/></para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-query</command></term>
-<listitem><para>See the description of
-<command>allow-query</command> in <xref linkend="access_control"/></para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-transfer</command></term>
-<listitem><para>See the description of <command>allow-transfer</command>
-in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update</command></term>
-<listitem><para>Specifies which hosts are allowed to
-submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts. Note that allowing updates based
-on the requestor's IP address is insecure; see
-<xref linkend="dynamic_update_security"/> for details.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>update-policy</command></term>
-<listitem><para>Specifies a "Simple Secure Update" policy. See
-<xref linkend="dynamic_update_policies"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>allow-update-forwarding</command></term>
-<listitem><para>See the description of <command>allow-update-forwarding</command>
-in <xref linkend="access_control"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>also-notify</command></term>
-<listitem><para>Only meaningful if <command>notify</command> is
-active for this zone. The set of machines that will receive a
-<literal>DNS NOTIFY</literal> message
-for this zone is made up of all the listed name servers (other than
-the primary master) for the zone plus any IP addresses specified
-with <command>also-notify</command>. A port may be specified
-with each <command>also-notify</command> address to send the notify
-messages to a port other than the default of 53.
-<command>also-notify</command> is not meaningful for stub zones.
-The default is the empty list.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>check-names</command></term>
-<listitem><para>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received from the
-network. The default varies according to zone type. For <command>master</command> zones the default is <command>fail</command>. For <command>slave</command>
-zones the default is <command>warn</command>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>database</command></term>
-<listitem><para>Specify the type of database to be used for storing the
-zone data. The string following the <command>database</command> keyword
-is interpreted as a list of whitespace-delimited words. The first word
-identifies the database type, and any subsequent words are passed
-as arguments to the database to be interpreted in a way specific
-to the database type.</para>
-<para>The default is <userinput>"rbt"</userinput>, BIND 9's native in-memory
-red-black-tree database. This database does not take arguments.</para>
-<para>Other values are possible if additional database drivers
-have been linked into the server. Some sample drivers are included
-with the distribution but none are linked in by default.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>dialup</command></term>
-<listitem><para>See the description of
-<command>dialup</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>delegation-only</command></term>
-<listitem><para>The flag only applies to hint and stub zones. If set
-to <userinput>yes</userinput> then the zone will also be treated as if it
-is also a delegation-only type zone.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>forward</command></term>
-<listitem><para>Only meaningful if the zone has a forwarders
-list. The <command>only</command> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <command>first</command> would
-allow a normal lookup to be tried.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>forwarders</command></term>
-<listitem><para>Used to override the list of global forwarders.
-If it is not specified in a zone of type <command>forward</command>,
-no forwarding is done for the zone; the global options are not used.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-base</command></term>
-<listitem><para>Was used in <acronym>BIND</acronym> 8 to specify the name
-of the transaction log (journal) file for dynamic update and IXFR.
-<acronym>BIND</acronym> 9 ignores the option and constructs the name of the journal
-file by appending "<filename>.jnl</filename>" to the name of the
-zone file.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-tmp-file</command></term>
-<listitem><para>Was an undocumented option in <acronym>BIND</acronym> 8.
-Ignored in <acronym>BIND</acronym> 9.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-in</command></term>
-<listitem><para>See the description of
-<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-in</command></term>
-<listitem><para>See the description of
-<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-time-out</command></term>
-<listitem><para>See the description of
-<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>max-transfer-idle-out</command></term>
-<listitem><para>See the description of
-<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify</command></term>
-<listitem><para>See the description of
-<command>notify</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>pubkey</command></term>
-<listitem><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
-a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
-on load and ignores the option.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>zone-statistics</command></term>
-<listitem><para>If <userinput>yes</userinput>, the server will keep statistical
-information for this zone, which can be dumped to the
-<command>statistics-file</command> defined in the server options.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>sig-validity-interval</command></term>
-<listitem><para>See the description of
-<command>sig-validity-interval</command> in <xref linkend="tuning"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source</command></term>
-<listitem><para>See the description of
-<command>transfer-source</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>transfer-source-v6</command></term>
-<listitem><para>See the description of
-<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>alt-transfer-source</command></term>
-<listitem><para>See the description of
-<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>alt-transfer-source-v6</command></term>
-<listitem><para>See the description of
-<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>use-alt-transfer-source</command></term>
-<listitem><para>See the description of
-<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-
-<varlistentry><term><command>notify-source</command></term>
-<listitem><para>See the description of
-<command>notify-source</command> in <xref linkend="zone_transfers"/>
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>notify-source-v6</command></term>
-<listitem><para>See the description of
-<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
-</para>
-</listitem></varlistentry>
-
-<varlistentry>
-<term><command>min-refresh-time</command></term>
-<term><command>max-refresh-time</command></term>
-<term><command>min-retry-time</command></term>
-<term><command>max-retry-time</command></term>
-<listitem><para>
-See the description in <xref linkend="tuning"/>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><command>ixfr-from-differences</command></term>
-<listitem><para>See the description of
-<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>key-directory</command></term>
-<listitem><para>See the description of
-<command>key-directory</command> in <xref linkend="options"/></para>
-</listitem></varlistentry>
-
-<varlistentry><term><command>multi-master</command></term>
-<listitem><para>See the description of
-<command>multi-master</command> in <xref linkend="boolean_options"/>.</para>
-</listitem></varlistentry>
-
-</variablelist>
-
-</sect3>
-<sect3 id="dynamic_update_policies"><title>Dynamic Update Policies</title>
-<para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients
-the right to perform dynamic updates to a zone,
-configured by the <command>allow-update</command> and
-<command>update-policy</command> option, respectively.</para>
-<para>The <command>allow-update</command> clause works the same
-way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
-permission to update any record of any name in the zone.</para>
-<para>The <command>update-policy</command> clause is new in <acronym>BIND</acronym>
-9 and allows more fine-grained control over what updates are allowed.
-A set of rules is specified, where each rule either grants or denies
-permissions for one or more names to be updated by one or more identities.
- If the dynamic update request message is signed (that is, it includes
-either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</para>
-<para>Rules are specified in the <command>update-policy</command> zone
-option, and are only meaningful for master zones. When the <command>update-policy</command> statement
-is present, it is a configuration error for the <command>allow-update</command> statement
-to be present. The <command>update-policy</command> statement only
-examines the signer of a message; the source address is not relevant.</para>
-<para>This is how a rule definition looks:</para>
-<programlisting>
-( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
-</programlisting>
-<para>Each rule grants or denies privileges. Once a message has
-successfully matched a rule, the operation is immediately granted
-or denied and no further rules are examined. A rule is matched
-when the signer matches the identity field, the name matches the
-name field in accordance with the nametype field, and the type matches
-the types specified in the type field.</para>
-
-<para>The identity field specifies a name or a wildcard name. Normally, this
-is the name of the TSIG or SIG(0) key used to sign the update request. When a
-TKEY exchange has been used to create a shared secret, the identity of the
-shared secret is the same as the identity of the key used to authenticate the
-TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
-wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
-to multiple identities. The <replaceable>identity</replaceable> field must
-contain a fully qualified domain name.</para>
-
-<para>The <replaceable>nametype</replaceable> field has 4 values:
-<varname>name</varname>, <varname>subdomain</varname>,
-<varname>wildcard</varname>, and <varname>self</varname>.
-</para>
-<informaltable>
- <tgroup cols = "2" colsep = "0"
- rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.819in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.681in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>name</varname></para></entry>
-<entry colname = "2"><para>Exact-match semantics. This rule matches when the
-name being updated is identical to the contents of the
-<replaceable>name</replaceable> field.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>subdomain</varname></para></entry>
-<entry colname = "2"><para>This rule matches when the name being updated
-is a subdomain of, or identical to, the contents of the
-<replaceable>name</replaceable> field.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>wildcard</varname></para></entry>
-<entry colname = "2"><para>The <replaceable>name</replaceable> field is
-subject to DNS wildcard expansion, and this rule matches when the name
-being updated name is a valid expansion of the wildcard.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><varname>self</varname></para></entry>
-<entry colname = "2"><para>This rule matches when the name being updated
-matches the contents of the <replaceable>identity</replaceable> field.
-The <replaceable>name</replaceable> field is ignored, but should be
-the same as the <replaceable>identity</replaceable> field. The
-<varname>self</varname> nametype is most useful when allowing using
-one key per name to update, where the key has the same name as the name
-to be updated. The <replaceable>identity</replaceable> would be
-specified as <constant>*</constant> in this case.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-
-<para>In all cases, the <replaceable>name</replaceable> field must
-specify a fully qualified domain name.</para>
-
-<para>If no types are explicitly specified, this rule matches all types except
-SIG, NS, SOA, and NXT. Types may be specified by name, including
-"ANY" (ANY matches all types except NXT, which can never be updated).
-Note that when an attempt is made to delete all records associated with a
-name, the rules are checked for each existing record type.
-</para>
- </sect3>
- </sect2>
- </sect1>
- <sect1>
- <title>Zone File</title>
- <sect2 id="types_of_resource_records_and_when_to_use_them">
- <title>Types of Resource Records and When to Use Them</title>
-<para>This section, largely borrowed from RFC 1034, describes the
-concept of a Resource Record (RR) and explains when each is used.
-Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</para>
- <sect3>
- <title>Resource Records</title>
-
- <para>A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <xref
- linkend="the_sortlist_statement"/> and <xref
- linkend="rrset_ordering"/>.</para>
-
-<para>The components of a Resource Record are:</para>
-<informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "2" colsep = "0"
- rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.000in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.500in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>owner name</para></entry>
-<entry colname = "2"><para>the domain name where the RR is found.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>type</para></entry>
-<entry colname = "2"><para>an encoded 16 bit value that specifies
-the type of the resource record.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TTL</para></entry>
-<entry colname = "2"><para>the time to live of the RR. This field
-is a 32 bit integer in units of seconds, and is primarily used by
-resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>class</para></entry>
-<entry colname = "2"><para>an encoded 16 bit value that identifies
-a protocol family or instance of a protocol.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RDATA</para></entry>
-<entry colname = "2"><para>the resource data. The format of the
-data is type (and sometimes class) specific.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The following are <emphasis>types</emphasis> of valid RRs:</para>
-<informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "2" colsep = "0"
- rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>A</para></entry>
-<entry colname = "2"><para>a host address. In the IN class, this is a
-32-bit IP address. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>AAAA</para></entry>
-<entry colname = "2"><para>IPv6 address. Described in RFC 1886.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>A6</para></entry>
-<entry colname = "2"><para>IPv6 address. This can be a partial
-address (a suffix) and an indirection to the name where the rest of the
-address (the prefix) can be found. Experimental. Described in RFC 2874.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>AFSDB</para></entry>
-<entry colname = "2"><para>location of AFS database servers.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>APL</para></entry>
-<entry colname = "2"><para>address prefix list. Experimental.
-Described in RFC 3123.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>CERT</para></entry>
-<entry colname = "2"><para>holds a digital certificate.
-Described in RFC 2538.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>CNAME</para></entry>
-<entry colname = "2"><para>identifies the canonical name of an alias.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>DNAME</para></entry>
-<entry colname = "2"><para>Replaces the domain name specified with
-another name to be looked up, effectively aliasing an entire
-subtree of the domain name space rather than a single record
-as in the case of the CNAME RR.
-Described in RFC 2672.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>GPOS</para></entry>
-<entry colname = "2"><para>Specifies the global position. Superseded by LOC.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>HINFO</para></entry>
-<entry colname = "2"><para>identifies the CPU and OS used by a host.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>ISDN</para></entry>
-<entry colname = "2"><para>representation of ISDN addresses.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>KEY</para></entry>
-<entry colname = "2"><para>stores a public key associated with a
-DNS name. Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>KX</para></entry>
-<entry colname = "2"><para>identifies a key exchanger for this
-DNS name. Described in RFC 2230.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>LOC</para></entry>
-<entry colname = "2"><para>for storing GPS info. Described in RFC 1876.
-Experimental.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>MX</para></entry>
-<entry colname = "2"><para>identifies a mail exchange for the domain.
-a 16 bit preference value (lower is better)
-followed by the host name of the mail exchange.
-Described in RFC 974, RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NAPTR</para></entry>
-<entry colname = "2"><para>name authority pointer. Described in RFC 2915.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NSAP</para></entry>
-<entry colname = "2"><para>a network service access point.
-Described in RFC 1706.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NS</para></entry>
-<entry colname = "2"><para>the authoritative name server for the
-domain. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NXT</para></entry>
-<entry colname = "2"><para>used in DNSSEC to securely indicate that
-RRs with an owner name in a certain name interval do not exist in
-a zone and indicate what RR types are present for an existing name.
-Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>PTR</para></entry>
-<entry colname = "2"><para>a pointer to another part of the domain
-name space. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>PX</para></entry>
-<entry colname = "2"><para>provides mappings between RFC 822 and X.400
-addresses. Described in RFC 2163.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RP</para></entry>
-<entry colname = "2"><para>information on persons responsible
-for the domain. Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RT</para></entry>
-<entry colname = "2"><para>route-through binding for hosts that
-do not have their own direct wide area network addresses.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SIG</para></entry>
-<entry colname = "2"><para>("signature") contains data authenticated
-in the secure DNS. Described in RFC 2535.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>identifies the start of a zone of authority.
-Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SRV</para></entry>
-<entry colname = "2"><para>information about well known network
-services (replaces WKS). Described in RFC 2782.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TXT</para></entry>
-<entry colname = "2"><para>text records. Described in RFC 1035.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>WKS</para></entry>
-<entry colname = "2"><para>information about which well known
-network services, such as SMTP, that a domain supports. Historical.
-</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>X25</para></entry>
-<entry colname = "2"><para>representation of X.25 network addresses.
-Experimental. Described in RFC 1183.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The following <emphasis>classes</emphasis> of resource records
-are currently valid in the DNS:</para><informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
-<tbody>
-
-<row rowsep = "0">
-<entry colname = "1"><para>IN</para></entry>
-<entry colname = "2"><para>The Internet.</para></entry>
-</row>
-
-<row rowsep = "0">
-<entry colname = "1"><para>CH</para></entry>
-<entry colname = "2"><para>
-CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
-Rarely used for its historical purpose, but reused for BIND's
-built-in server information zones, e.g.,
-<literal>version.bind</literal>.
-</para></entry>
-</row>
-
-<row rowsep = "0">
-<entry colname = "1"><para>HS</para></entry>
-<entry colname = "2"><para>
-Hesiod, an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on.
-</para></entry>
-</row>
-
-</tbody>
-</tgroup></informaltable>
-
-<para>The owner name is often implicit, rather than forming an integral
-part of the RR. For example, many name servers internally form tree
-or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
-which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</para>
-<para>The meaning of the TTL field is a time limit on how long an
-RR can be kept in a cache. This limit does not apply to authoritative
-data in zones; it is also timed out, but by the refreshing policies
-for the zone. The TTL is assigned by the administrator for the
-zone where the data originates. While short TTLs can be used to
-minimize caching, and a zero TTL prohibits caching, the realities
-of Internet performance suggest that these times should be on the
-order of days for the typical host. If a change can be anticipated,
-the TTL can be reduced prior to the change to minimize inconsistency
-during the change, and then increased back to its former value following
-the change.</para>
-<para>The data in the RDATA section of RRs is carried as a combination
-of binary strings and domain names. The domain names are frequently
-used as "pointers" to other data in the DNS.</para></sect3>
-<sect3><title>Textual expression of RRs</title>
-<para>RRs are represented in binary form in the packets of the DNS
-protocol, and are usually represented in highly encoded form when
-stored in a name server or resolver. In the examples provided in
-RFC 1034, a style similar to that used in master files was employed
-in order to show the contents of RRs. In this format, most RRs
-are shown on a single line, although continuation lines are possible
-using parentheses.</para>
-<para>The start of the line gives the owner of the RR. If a line
-begins with a blank, then the owner is assumed to be the same as
-that of the previous RR. Blank lines are often included for readability.</para>
-<para>Following the owner, we list the TTL, type, and class of the
-RR. Class and type use the mnemonics defined above, and TTL is
-an integer before the type field. In order to avoid ambiguity in
-parsing, type and class mnemonics are disjoint, TTLs are integers,
-and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</para>
-<para>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</para>
-<para>For example, we might show the RRs carried in a message as:</para> <informaltable
- colsep = "0" rowsep = "0"><tgroup cols = "3"
- colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.381in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.020in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.099in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>ISI.EDU.</literal></para></entry>
-<entry colname = "2"><para><literal>MX</literal></para></entry>
-<entry colname = "3"><para><literal>10 VENERA.ISI.EDU.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>MX</literal></para></entry>
-<entry colname = "3"><para><literal>10 VAXA.ISI.EDU</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>VENERA.ISI.EDU</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>128.9.0.32</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.1.0.52</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>VAXA.ISI.EDU</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.2.0.27</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>128.9.0.33</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>The MX RRs have an RDATA section which consists of a 16 bit
-number followed by a domain name. The address RRs use a standard
-IP address format to contain a 32 bit internet address.</para>
-<para>This example shows six RRs, with two RRs at each of three
-domain names.</para>
-<para>Similarly we might see:</para><informaltable colsep = "0"
- rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
- tgroupstyle = "4Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.491in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.067in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.067in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>XX.LCS.MIT.EDU. IN</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>10.0.0.44</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>CH</literal></para></entry>
-<entry colname = "2"><para><literal>A</literal></para></entry>
-<entry colname = "3"><para><literal>MIT.EDU. 2420</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>,
-each of a different class.</para></sect3></sect2>
-
-<sect2><title>Discussion of MX Records</title>
-
-<para>As described above, domain servers store information as a
-series of resource records, each of which contains a particular
-piece of information about a given domain name (which is usually,
-but not always, a host). The simplest way to think of a RR is as
-a typed pair of data, a domain name matched with a relevant datum,
-and stored with some additional type information to help systems
-determine when the RR is relevant.</para>
-
-<para>MX records are used to control delivery of email. The data
-specified in the record is a priority and a domain name. The priority
-controls the order in which email delivery is attempted, with the
-lowest number first. If two priorities are the same, a server is
-chosen randomly. If no servers at a given priority are responding,
-the mail transport agent will fall back to the next largest priority.
-Priority numbers do not have any absolute meaning &mdash; they are relevant
-only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have
-an associated A record &mdash; CNAME is not sufficient.</para>
-<para>For a given domain, if there is both a CNAME record and an
-MX record, the MX record is in error, and will be ignored. Instead,
-the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
- colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.708in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.444in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.444in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.976in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.553in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>10</literal></para></entry>
-<entry colname = "5"><para><literal>mail.example.com.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>10</literal></para></entry>
-<entry colname = "5"><para><literal>mail2.example.com.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>MX</literal></para></entry>
-<entry colname = "4"><para><literal>20</literal></para></entry>
-<entry colname = "5"><para><literal>mail.backup.org.</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>mail.example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>A</literal></para></entry>
-<entry colname = "4"><para><literal>10.0.0.1</literal></para></entry>
-<entry colname = "5"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>mail2.example.com.</literal></para></entry>
-<entry colname = "2"><para><literal>IN</literal></para></entry>
-<entry colname = "3"><para><literal>A</literal></para></entry>
-<entry colname = "4"><para><literal>10.0.0.2</literal></para></entry>
-<entry colname = "5"><para></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable><para>For example:</para>
-<para>Mail delivery will be attempted to <literal>mail.example.com</literal> and
-<literal>mail2.example.com</literal> (in
-any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
-be attempted.</para></sect2>
-<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
-<para>The time to live of the RR field is a 32 bit integer represented
-in units of seconds, and is primarily used by resolvers when they
-cache RRs. The TTL describes how long a RR can be cached before it
-should be discarded. The following three types of TTL are currently
-used in a zone file.</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
- colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.375in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>SOA</para></entry>
-<entry colname = "2"><para>The last field in the SOA is the negative
-caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</para><para>The maximum time for
-negative caching is 3 hours (3h).</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>$TTL</para></entry>
-<entry colname = "2"><para>The $TTL directive at the top of the
-zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RR TTLs</para></entry>
-<entry colname = "2"><para>Each RR can have a TTL as the second
-field in the RR, which will control how long other servers can cache
-the it.</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
-<para>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <literal>1h30m</literal>. </para></sect2>
-<sect2><title>Inverse Mapping in IPv4</title>
-<para>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
-and PTR records. Entries in the in-addr.arpa domain are made in
-least-to-most significant order, read left to right. This is the
-opposite order to the way IP addresses are usually written. Thus,
-a machine with an IP address of 10.1.2.3 would have a corresponding
-in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-whose data field is the name of the machine or, optionally, multiple
-PTR records if the machine has more than one name. For example,
-in the <optional>example.com</optional> domain:</para>
-<informaltable colsep = "0" rowsep = "0">
-<tgroup cols = "2" colsep = "0" rowsep = "0"
- tgroupstyle = "3Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>$ORIGIN</literal></para></entry>
-<entry colname = "2"><para><literal>2.1.10.in-addr.arpa</literal></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para><literal>3</literal></para></entry>
-<entry colname = "2"><para><literal>IN PTR foo.example.com.</literal></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
- <note>
-<para>The <command>$ORIGIN</command> lines in the examples
-are for providing context to the examples only-they do not necessarily
-appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</para></note></sect2>
-<sect2><title>Other Zone File Directives</title>
-<para>The Master File Format was initially defined in RFC 1035 and
-has subsequently been extended. While the Master File Format itself
-is class independent all records in a Master File must be of the same
-class.</para>
-<para>Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
-and <command>$TTL.</command></para>
-<sect3><title>The <command>$ORIGIN</command> Directive</title>
-<para>Syntax: <command>$ORIGIN
-</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
-<para><command>$ORIGIN</command> sets the domain name that will
-be appended to any unqualified records. When a zone is first read
-in there is an implicit <command>$ORIGIN</command> &#60;<varname>zone-name</varname>><command>.</command> The
-current <command>$ORIGIN</command> is appended to the domain specified
-in the <command>$ORIGIN</command> argument if it is not absolute.</para>
-<programlisting>$ORIGIN example.com.
-WWW CNAME MAIN-SERVER</programlisting>
-<para>is equivalent to</para>
-<programlisting>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</programlisting></sect3>
-<sect3><title>The <command>$INCLUDE</command> Directive</title>
-<para>Syntax: <command>$INCLUDE</command>
-<replaceable>filename</replaceable> <optional>
-<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
-<para>Read and process the file <filename>filename</filename> as
-if it were included into the file at this point. If <command>origin</command> is
-specified the file is processed with <command>$ORIGIN</command> set
-to that value, otherwise the current <command>$ORIGIN</command> is
-used.</para>
-<para>The origin and the current domain name
-revert to the values they had prior to the <command>$INCLUDE</command> once
-the file has been read.</para>
-<note><para>
-RFC 1035 specifies that the current origin should be restored after
-an <command>$INCLUDE</command>, but it is silent on whether the current
-domain name should also be restored. BIND 9 restores both of them.
-This could be construed as a deviation from RFC 1035, a feature, or both.
-</para></note>
-</sect3>
-<sect3><title>The <command>$TTL</command> Directive</title>
-<para>Syntax: <command>$TTL</command>
-<replaceable>default-ttl</replaceable> <optional>
-<replaceable>comment</replaceable> </optional></para>
-<para>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
-<para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
-<sect2><title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
- <para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <optional><replaceable>ttl</replaceable></optional> <optional><replaceable>class</replaceable></optional> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
-<para><command>$GENERATE</command> is used to create a series of
-resource records that only differ from each other by an iterator. <command>$GENERATE</command> can
-be used to easily generate the sets of records required to support
-sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</para>
-<programlisting>$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</programlisting>
-<para>is equivalent to</para>
-<programlisting>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</programlisting>
- <informaltable colsep = "0" rowsep = "0">
- <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
- <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
- <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.250in"/>
- <tbody>
- <row rowsep = "0">
- <entry colname = "1"><para><command>range</command></para></entry>
- <entry colname = "2"><para>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used then step is set to
- 1. All of start, stop and step must be positive.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>lhs</command></para></entry>
- <entry colname = "2"><para><command>lhs</command> describes the
-owner name of the resource records to be created. Any single <command>$</command> symbols
-within the <command>lhs</command> side are replaced by the iterator
-value.
-To get a $ in the output you need to escape the <command>$</command>
-using a backslash <command>\</command>,
-e.g. <command>\$</command>. The <command>$</command> may optionally be followed
-by modifiers which change the offset from the iterator, field width and base.
-Modifiers are introduced by a <command>{</command> immediately following the
-<command>$</command> as <command>${offset[,width[,base]]}</command>.
-e.g. <command>${-20,3,d}</command> which subtracts 20 from the current value,
-prints the result as a decimal in a zero padded field of with 3. Available
-output forms are decimal (<command>d</command>), octal (<command>o</command>)
-and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
-The default modifier is <command>${0,0,d}</command>.
-If the <command>lhs</command> is not
-absolute, the current <command>$ORIGIN</command> is appended to
-the name.</para>
-<para>For compatibility with earlier versions <command>$$</command> is still
-recognized a indicating a literal $ in the output.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>ttl</command></para></entry>
- <entry colname = "2"><para><command>ttl</command> specifies the
- ttl of the generated records. If not specified this will be
- inherited using the normal ttl inheritance rules.</para>
- <para><command>class</command> and <command>ttl</command> can be
- entered in either order.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>class</command></para></entry>
- <entry colname = "2"><para><command>class</command> specifies the
- class of the generated records. This must match the zone class if
- it is specified.</para>
- <para><command>class</command> and <command>ttl</command> can be
- entered in either order.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>type</command></para></entry>
- <entry colname = "2"><para>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</para></entry>
- </row>
- <row rowsep = "0">
- <entry colname = "1"><para><command>rhs</command></para></entry>
- <entry colname = "2"><para>rhs is a domain name. It is processed
-similarly to lhs.</para></entry>
- </row>
- </tbody>
- </tgroup></informaltable>
- <para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
-and not part of the standard zone file format.</para>
- <para>BIND 8 does not support the optional TTL and CLASS fields.</para>
- </sect2>
- </sect1>
-</chapter>
-<chapter id="Bv9ARM.ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
-<sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
-<para>Access Control Lists (ACLs), are address match lists that
-you can set up and nickname for future use in <command>allow-notify</command>,
-<command>allow-query</command>, <command>allow-recursion</command>,
-<command>blackhole</command>, <command>allow-transfer</command>,
-etc.</para>
-<para>Using ACLs allows you to have finer control over who can access
-your name server, without cluttering up your config files with huge
-lists of IP addresses.</para>
-<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
-control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and DoS attacks against
-your server.</para>
-<para>Here is an example of how to properly apply ACLs:</para>
-<programlisting>
-// Set up an ACL named "bogusnets" that will block RFC1918 space,
-// which is commonly used in spoofing attacks.
-acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
-// Set up an ACL called our-nets. Replace this with the real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
-options {
- ...
- ...
- allow-query { our-nets; };
- allow-recursion { our-nets; };
- ...
- blackhole { bogusnets; };
- ...
-};
-zone "example.com" {
- type master;
- file "m/example.com";
- allow-query { any; };
-};
-</programlisting>
-<para>This allows recursive queries of the server from the outside
-unless recursion has been previously disabled.</para>
-<para>For more information on how to use ACLs to protect your server,
-see the <emphasis>AUSCERT</emphasis> advisory at
-<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
-<sect1><title><command>chroot</command> and <command>setuid</command> (for
-UNIX servers)</title>
-<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
-(<command>chroot()</command>) by specifying the "<option>-t</option>"
-option. This can help improve system security by placing <acronym>BIND</acronym> in
-a "sandbox", which will limit the damage done if a server is compromised.</para>
-<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
-ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
-We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
-<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
-<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
-user 202:</para>
-<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
-
-<sect2><title>The <command>chroot</command> Environment</title>
-
-<para>In order for a <command>chroot()</command> environment to
-work properly in a particular directory
-(for example, <filename>/var/named</filename>),
-you will need to set up an environment that includes everything
-<acronym>BIND</acronym> needs to run.
-From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
-the root of the filesystem. You will need to adjust the values of options like
-like <command>directory</command> and <command>pid-file</command> to account
-for this.
-</para>
-<para>
-Unlike with earlier versions of BIND, you will typically
-<emphasis>not</emphasis> need to compile <command>named</command>
-statically nor install shared libraries under the new root.
-However, depending on your operating system, you may need
-to set up things like
-<filename>/dev/zero</filename>,
-<filename>/dev/random</filename>,
-<filename>/dev/log</filename>, and/or
-<filename>/etc/localtime</filename>.
-</para>
-</sect2>
-
-<sect2><title>Using the <command>setuid</command> Function</title>
-
-<para>Prior to running the <command>named</command> daemon, use
-the <command>touch</command> utility (to change file access and
-modification times) or the <command>chown</command> utility (to
-set the user id and/or group id) on files
-to which you want <acronym>BIND</acronym>
-to write. Note that if the <command>named</command> daemon is running as an
-unprivileged user, it will not be able to bind to new restricted ports if the
-server is reloaded.</para>
-</sect2>
-</sect1>
-
-<sect1 id="dynamic_update_security"><title>Dynamic Update Security</title>
-
-<para>Access to the dynamic
-update facility should be strictly limited. In earlier versions of
-<acronym>BIND</acronym> the only way to do this was based on the IP
-address of the host requesting the update, by listing an IP address or
-network prefix in the <command>allow-update</command> zone option.
-This method is insecure since the source address of the update UDP packet
-is easily forged. Also note that if the IP addresses allowed by the
-<command>allow-update</command> option include the address of a slave
-server which performs forwarding of dynamic updates, the master can be
-trivially attacked by sending the update to the slave, which will
-forward it to the master with its own source IP address causing the
-master to approve it without question.</para>
-
-<para>For these reasons, we strongly recommend that updates be
-cryptographically authenticated by means of transaction signatures
-(TSIG). That is, the <command>allow-update</command> option should
-list only TSIG key names, not IP addresses or network
-prefixes. Alternatively, the new <command>update-policy</command>
-option can be used.</para>
-
-<para>Some sites choose to keep all dynamically updated DNS data
-in a subdomain and delegate that subdomain to a separate zone. This
-way, the top-level zone containing critical data such as the IP addresses
-of public web and mail servers need not allow dynamic update at
-all.</para>
-
-</sect1></chapter>
-
-<chapter id="Bv9ARM.ch08">
- <title>Troubleshooting</title>
- <sect1>
- <title>Common Problems</title>
- <sect2>
- <title>It's not working; how can I figure out what's wrong?</title>
-
- <para>The best solution to solving installation and
- configuration issues is to take preventative measures by setting
- up logging files beforehand. The log files provide a
- source of hints and information that can be used to figure out
- what went wrong and how to fix the problem.</para>
-
- </sect2>
- </sect1>
- <sect1>
- <title>Incrementing and Changing the Serial Number</title>
-
- <para>Zone serial numbers are just numbers-they aren't date
- related. A lot of people set them to a number that represents a
- date, usually of the form YYYYMMDDRR. A number of people have been
- testing these numbers for Y2K compliance and have set the number
- to the year 2000 to see if it will work. They then try to restore
- the old serial number. This will cause problems because serial
- numbers are used to indicate that a zone has been updated. If the
- serial number on the slave server is lower than the serial number
- on the master, the slave server will attempt to update its copy of
- the zone.</para>
-
- <para>Setting the serial number to a lower number on the master
- server than the slave server means that the slave will not perform
- updates to its copy of the zone.</para>
-
- <para>The solution to this is to add 2147483647 (2^31-1) to the
- number, reload the zone and make sure all slaves have updated to
- the new zone serial number, then reset the number to what you want
- it to be, and reload the zone again.</para>
-
- </sect1>
- <sect1>
- <title>Where Can I Get Help?</title>
-
- <para>The Internet Software Consortium (<acronym>ISC</acronym>) offers a wide range
- of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
- levels of premium support are available and each level includes
- support for all <acronym>ISC</acronym> programs, significant discounts on products
- and training, and a recognized priority on bug fixes and
- non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
- support agreement package which includes services ranging from bug
- fix announcements to remote support. It also includes training in
- <acronym>BIND</acronym> and <acronym>DHCP</acronym>.</para>
-
- <para>To discuss arrangements for support, contact
- <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
- <acronym>ISC</acronym> web page at <ulink
- url="http://www.isc.org/services/support/">http://www.isc.org/services/support/</ulink>
- to read more.</para>
- </sect1>
-</chapter>
-<appendix id="Bv9ARM.ch09">
- <title>Appendices</title>
- <sect1>
- <title>Acknowledgments</title>
- <sect2>
- <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
-
- <para>Although the "official" beginning of the Domain Name
- System occurred in 1984 with the publication of RFC 920, the
- core of the new system was described in 1983 in RFCs 882 and
- 883. From 1984 to 1987, the ARPAnet (the precursor to today's
- Internet) became a testbed of experimentation for developing the
- new naming/addressing scheme in an rapidly expanding,
- operational network environment. New RFCs were written and
- published in 1987 that modified the original documents to
- incorporate improvements based on the working model. RFC 1034,
- "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
- Names-Implementation and Specification" were published and
- became the standards upon which all <acronym>DNS</acronym> implementations are
- built.
-</para>
-
- <para>The first working domain name server, called "Jeeves", was
-written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
-machines located at the University of Southern California's Information
-Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkeley Internet
-Name Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
-graduate students at the University of California at Berkeley under
-a grant from the US Defense Advanced Research Projects Administration
-(DARPA). Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
-Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
-project team. After that, additional work on the software package
-was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
-to 1987. Many other people also contributed to <acronym>BIND</acronym> development
-during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
-handled by Mike Karels and O. Kure.</para>
- <para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
-Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. Paul was assisted
-by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
-Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-Wolfhugel, and others.</para>
- <para><acronym>BIND</acronym> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
- <para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
-by the Internet Software Consortium with support being provided
-by ISC's sponsors. As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of <acronym>BIND</acronym> version
-8 in May 1997.</para>
- <para><acronym>BIND</acronym> development work is made possible today by the sponsorship
-of several corporations, and by the tireless work efforts of numerous
-individuals.</para>
- </sect2>
- </sect1>
-<sect1 id="historical_dns_information">
-
-<title>General <acronym>DNS</acronym> Reference Information</title>
- <sect2 id="ipv6addresses">
- <title>IPv6 addresses (AAAA)</title>
- <para>IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
-scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
-an identifier for a single interface; <emphasis>Anycast</emphasis>,
-an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
-an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 2374.</para>
-<para>The aggregatable global Unicast address format is as follows:</para>
-<informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
- colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.477in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.501in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.523in"/>
-<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.731in"/>
-<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.339in"/>
-<colspec colname = "6" colnum = "6" colsep = "0" colwidth = "2.529in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
-<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
-<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
-<entry colname = "4" colsep = "1" rowsep = "1"><para>24</para></entry>
-<entry colname = "5" colsep = "1" rowsep = "1"><para>16</para></entry>
-<entry colname = "6" rowsep = "1"><para>64 bits</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1" colsep = "1"><para>FP</para></entry>
-<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
-<entry colname = "3" colsep = "1"><para>RES</para></entry>
-<entry colname = "4" colsep = "1"><para>NLA ID</para></entry>
-<entry colname = "5" colsep = "1"><para>SLA ID</para></entry>
-<entry colname = "6"><para>Interface ID</para></entry>
-</row>
-<row rowsep = "0">
-<entry nameend = "4" namest = "1"><para>&#60;------ Public Topology
-------></para></entry>
-<entry colname = "5"><para></para></entry>
-<entry colname = "6"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para></para></entry>
-<entry colname = "3"><para></para></entry>
-<entry colname = "4"><para></para></entry>
-<entry colname = "5"><para>&#60;-Site Topology-></para></entry>
-<entry colname = "6"><para></para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para></para></entry>
-<entry colname = "2"><para></para></entry>
-<entry colname = "3"><para></para></entry>
-<entry colname = "4"><para></para></entry>
-<entry colname = "5"><para></para></entry>
-<entry colname = "6"><para>&#60;------ Interface Identifier ------></para></entry>
-</row>
-</tbody>
-</tgroup></informaltable>
- <para>Where
-<informaltable colsep = "0" rowsep = "0"><tgroup
- cols = "3" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
-<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
-<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.250in"/>
-<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "3.500in"/>
-<tbody>
-<row rowsep = "0">
-<entry colname = "1"><para>FP</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Format Prefix (001)</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>TLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Top-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>RES</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Reserved for future use</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>NLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Next-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>SLA ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Site-Level Aggregation Identifier</para></entry>
-</row>
-<row rowsep = "0">
-<entry colname = "1"><para>INTERFACE ID</para></entry>
-<entry colname = "2"><para>=</para></entry>
-<entry colname = "3"><para>Interface Identifier</para></entry>
-</row>
-</tbody>
-</tgroup></informaltable></para>
- <para>The <emphasis>Public Topology</emphasis> is provided by the
-upstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
-of the address range. The <emphasis>Site Topology</emphasis> is
-where you can subnet this space, much the same as subnetting an
-IPv4 /16 network into /24 subnets. The <emphasis>Interface Identifier</emphasis> is
-the address of an individual interface on a given network. (With
-IPv6, addresses belong to interfaces rather than machines.)</para>
- <para>The subnetting capability of IPv6 is much more flexible than
-that of IPv4: subnetting can now be carried out on bit boundaries,
-in much the same way as Classless InterDomain Routing (CIDR).</para>
-<para>The Interface Identifier must be unique on that network. On
-ethernet networks, one way to ensure this is to set the address
-to the first three bytes of the hardware address, "FFFE", then the
-last three bytes of the hardware address. The lowest significant
-bit of the first byte should then be complemented. Addresses are
-written as 32-bit blocks separated with a colon, and leading zeros
-of a block may be omitted, for example:</para>
-<para><command>2001:db8:201:9:a00:20ff:fe81:2b32</command></para>
-<para>IPv6 address specifications are likely to contain long strings
-of zeros, so the architects have included a shorthand for specifying
-them. The double colon (`::') indicates the longest possible string
-of zeros that can fit, and can be used only once in an address.</para>
- </sect2>
- </sect1>
- <sect1 id="bibliography">
- <title>Bibliography (and Suggested Reading)</title>
- <sect2 id="rfcs">
- <title>Request for Comments (RFCs)</title>
- <para>Specification documents for the Internet protocol suite, including
-the <acronym>DNS</acronym>, are published as part of the Request for Comments (RFCs)
-series of technical notes. The standards themselves are defined
-by the Internet Engineering Task Force (IETF) and the Internet Engineering
-Steering Group (IESG). RFCs can be obtained online via FTP at
-<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is
-the number of the RFC). RFCs are also available via the Web at
-<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
-</para>
- <bibliography>
- <bibliodiv>
- <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
- <title>Standards</title>
- <biblioentry>
- <abbrev>RFC974</abbrev>
- <author>
- <surname>Partridge</surname>
- <firstname>C.</firstname>
- </author>
- <title>Mail Routing and the Domain System</title>
- <pubdate>January 1986</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1034</abbrev>
- <author>
- <surname>Mockapetris</surname>
- <firstname>P.V.</firstname>
- </author>
- <title>Domain Names &mdash; Concepts and Facilities</title>
- <pubdate>November 1987</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1035</abbrev>
- <author>
- <surname>Mockapetris</surname>
- <firstname>P. V.</firstname>
- </author> <title>Domain Names &mdash; Implementation and
-Specification</title>
- <pubdate>November 1987</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
-
- <title>Proposed Standards</title>
- <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
- <biblioentry>
- <abbrev>RFC2181</abbrev>
- <author>
- <surname>Elz</surname>
- <firstname>R., R. Bush</firstname>
- </author>
- <title>Clarifications to the <acronym>DNS</acronym> Specification</title>
- <pubdate>July 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2308</abbrev>
- <author>
- <surname>Andrews</surname>
- <firstname>M.</firstname>
- </author>
- <title>Negative Caching of <acronym>DNS</acronym> Queries</title>
- <pubdate>March 1998</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1995</abbrev>
- <author>
- <surname>Ohta</surname>
- <firstname>M.</firstname>
- </author>
- <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
- <pubdate>August 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1996</abbrev>
- <author>
- <surname>Vixie</surname>
- <firstname>P.</firstname>
- </author>
- <title>A Mechanism for Prompt Notification of Zone Changes</title>
- <pubdate>August 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2136</abbrev>
- <authorgroup>
- <author>
- <surname>Vixie</surname>
- <firstname>P.</firstname>
- </author>
- <author>
- <firstname>S.</firstname>
- <surname>Thomson</surname>
- </author>
- <author>
- <firstname>Y.</firstname>
- <surname>Rekhter</surname>
- </author>
- <author>
- <firstname>J.</firstname>
- <surname>Bound</surname>
- </author>
- </authorgroup>
- <title>Dynamic Updates in the Domain Name System</title>
- <pubdate>April 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2845</abbrev>
- <authorgroup>
- <author>
- <surname>Vixie</surname>
- <firstname>P.</firstname>
- </author>
- <author>
- <firstname>O.</firstname>
- <surname>Gudmundsson</surname>
- </author>
- <author>
- <firstname>D.</firstname>
- <surname>Eastlake</surname>
- <lineage>3rd</lineage></author>
- <author>
- <firstname>B.</firstname>
- <surname>Wellington</surname>
- </author></authorgroup>
- <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
- <pubdate>May 2000</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Proposed Standards Still Under Development</title>
- <note>
- <para><emphasis>Note:</emphasis> the following list of
-RFCs are undergoing major revision by the IETF.</para>
- </note>
- <biblioentry>
- <abbrev>RFC1886</abbrev>
- <authorgroup>
- <author>
- <surname>Thomson</surname>
- <firstname>S.</firstname>
- </author>
- <author>
- <firstname>C.</firstname>
- <surname>Huitema</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> Extensions to support IP version 6</title>
- <pubdate>December 1995</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2065</abbrev>
- <authorgroup>
- <author>
- <surname>Eastlake</surname>
- <lineage>3rd</lineage>
- <firstname>D.</firstname>
- </author>
- <author>
- <firstname>C.</firstname>
- <surname>Kaufman</surname>
- </author>
- </authorgroup>
- <title>Domain Name System Security Extensions</title>
- <pubdate>January 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2137</abbrev>
- <author>
- <surname>Eastlake</surname>
- <lineage>3rd</lineage>
- <firstname>D.</firstname>
- </author>
- <title>Secure Domain Name System Dynamic Update</title>
- <pubdate>April 1997</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Other Important RFCs About <acronym>DNS</acronym> Implementation</title>
- <biblioentry>
- <abbrev>RFC1535</abbrev>
- <author>
- <surname>Gavron</surname>
- <firstname>E.</firstname>
- </author>
- <title>A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software.</title>
- <pubdate>October 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1536</abbrev>
- <authorgroup>
- <author>
- <surname>Kumar</surname>
- <firstname>A.</firstname>
- </author>
- <author>
- <firstname>J.</firstname>
- <surname>Postel</surname>
- </author>
- <author>
- <firstname>C.</firstname>
- <surname>Neuman</surname></author>
- <author>
- <firstname>P.</firstname>
- <surname>Danzig</surname>
- </author>
- <author>
- <firstname>S.</firstname>
- <surname>Miller</surname>
- </author>
- </authorgroup>
- <title>Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes</title>
- <pubdate>October 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1982</abbrev>
- <authorgroup>
- <author>
- <surname>Elz</surname>
- <firstname>R.</firstname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Bush</surname>
- </author>
- </authorgroup>
- <title>Serial Number Arithmetic</title>
- <pubdate>August 1996</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Resource Record Types</title>
- <biblioentry>
- <abbrev>RFC1183</abbrev>
- <authorgroup>
- <author>
- <surname>Everhart</surname>
- <firstname>C.F.</firstname>
- </author>
- <author>
- <firstname>L. A.</firstname>
- <surname>Mamakos</surname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Ullmann</surname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Mockapetris</surname>
- </author>
- </authorgroup>
- <title>New <acronym>DNS</acronym> RR Definitions</title>
- <pubdate>October 1990</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1706</abbrev>
- <authorgroup>
- <author>
- <surname>Manning</surname>
- <firstname>B.</firstname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Colella</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> NSAP Resource Records</title>
- <pubdate>October 1994</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2168</abbrev>
- <authorgroup>
- <author>
- <surname>Daniel</surname>
- <firstname>R.</firstname>
- </author>
- <author>
- <firstname>M.</firstname>
- <surname>Mealling</surname>
- </author>
- </authorgroup>
- <title>Resolution of Uniform Resource Identifiers using
-the Domain Name System</title>
- <pubdate>June 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1876</abbrev>
- <authorgroup>
- <author>
- <surname>Davis</surname>
- <firstname>C.</firstname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- <author>
- <firstname>T.</firstname>
- <firstname>Goodwin</firstname>
- </author>
- <author>
- <firstname>I.</firstname>
- <surname>Dickinson</surname>
- </author>
- </authorgroup>
- <title>A Means for Expressing Location Information in the Domain
-Name System</title>
- <pubdate>January 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2052</abbrev>
- <authorgroup>
- <author>
- <surname>Gulbrandsen</surname>
- <firstname>A.</firstname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- </authorgroup>
- <title>A <acronym>DNS</acronym> RR for Specifying the Location of
-Services.</title>
- <pubdate>October 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2163</abbrev>
- <author>
- <surname>Allocchio</surname>
- <firstname>A.</firstname>
- </author>
- <title>Using the Internet <acronym>DNS</acronym> to Distribute MIXER
-Conformant Global Address Mapping</title>
- <pubdate>January 1998</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2230</abbrev>
- <author>
- <surname>Atkinson</surname>
- <firstname>R.</firstname>
- </author>
- <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
- <pubdate>October 1997</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title><acronym>DNS</acronym> and the Internet</title>
- <biblioentry>
- <abbrev>RFC1101</abbrev>
- <author>
- <surname>Mockapetris</surname>
- <firstname>P. V.</firstname>
- </author>
- <title><acronym>DNS</acronym> Encoding of Network Names and Other Types</title>
- <pubdate>April 1989</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1123</abbrev>
- <author>
- <surname>Braden</surname>
- <surname>R.</surname>
- </author>
- <title>Requirements for Internet Hosts - Application and Support</title>
- <pubdate>October 1989</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1591</abbrev>
- <author>
- <surname>Postel</surname>
- <firstname>J.</firstname></author>
- <title>Domain Name System Structure and Delegation</title>
- <pubdate>March 1994</pubdate></biblioentry>
- <biblioentry>
- <abbrev>RFC2317</abbrev>
- <authorgroup>
- <author>
- <surname>Eidnes</surname>
- <firstname>H.</firstname>
- </author>
- <author>
- <firstname>G.</firstname>
- <surname>de Groot</surname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- </authorgroup>
- <title>Classless IN-ADDR.ARPA Delegation</title>
- <pubdate>March 1998</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title><acronym>DNS</acronym> Operations</title>
- <biblioentry>
- <abbrev>RFC1537</abbrev>
- <author>
- <surname>Beertema</surname>
- <firstname>P.</firstname>
- </author>
- <title>Common <acronym>DNS</acronym> Data File Configuration Errors</title>
- <pubdate>October 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1912</abbrev>
- <author>
- <surname>Barr</surname>
- <firstname>D.</firstname>
- </author>
- <title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
- <pubdate>February 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2010</abbrev>
- <authorgroup>
- <author>
- <surname>Manning</surname>
- <firstname>B.</firstname>
- </author>
- <author>
- <firstname>P.</firstname>
- <surname>Vixie</surname>
- </author>
- </authorgroup>
- <title>Operational Criteria for Root Name Servers.</title>
- <pubdate>October 1996</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2219</abbrev>
- <authorgroup>
- <author>
- <surname>Hamilton</surname>
- <firstname>M.</firstname>
- </author>
- <author>
- <firstname>R.</firstname>
- <surname>Wright</surname>
- </author>
- </authorgroup>
- <title>Use of <acronym>DNS</acronym> Aliases for Network Services.</title>
- <pubdate>October 1997</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Other <acronym>DNS</acronym>-related RFCs</title>
- <note>
- <para>Note: the following list of RFCs, although
-<acronym>DNS</acronym>-related, are not concerned with implementing software.</para>
- </note>
- <biblioentry>
- <abbrev>RFC1464</abbrev>
- <author>
- <surname>Rosenbaum</surname>
- <firstname>R.</firstname>
- </author>
- <title>Using the Domain Name System To Store Arbitrary String Attributes</title>
- <pubdate>May 1993</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC1713</abbrev>
- <author>
- <surname>Romao</surname>
- <firstname>A.</firstname>
- </author>
- <title>Tools for <acronym>DNS</acronym> Debugging</title>
- <pubdate>November 1994</pubdate></biblioentry>
- <biblioentry>
- <abbrev>RFC1794</abbrev>
- <author>
- <surname>Brisco</surname>
- <firstname>T.</firstname>
- </author>
- <title><acronym>DNS</acronym> Support for Load Balancing</title>
- <pubdate>April 1995</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2240</abbrev>
- <author>
- <surname>Vaughan</surname>
- <firstname>O.</firstname></author>
- <title>A Legal Basis for Domain Name Allocation</title>
- <pubdate>November 1997</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2345</abbrev>
- <authorgroup>
- <author>
- <surname>Klensin</surname>
- <firstname>J.</firstname>
- </author>
- <author>
- <firstname>T.</firstname>
- <surname>Wolf</surname>
- </author>
- <author>
- <firstname>G.</firstname>
- <surname>Oglesby</surname>
- </author>
- </authorgroup>
- <title>Domain Names and Company Name Retrieval</title>
- <pubdate>May 1998</pubdate>
- </biblioentry>
- <biblioentry>
- <abbrev>RFC2352</abbrev>
- <author>
- <surname>Vaughan</surname>
- <firstname>O.</firstname>
- </author>
- <title>A Convention For Using Legal Names as Domain Names</title>
- <pubdate>May 1998</pubdate>
- </biblioentry>
- </bibliodiv>
- <bibliodiv>
- <title>Obsolete and Unimplemented Experimental RRs</title>
- <biblioentry>
- <abbrev>RFC1712</abbrev>
- <authorgroup>
- <author>
- <surname>Farrell</surname>
- <firstname>C.</firstname>
- </author>
- <author>
- <firstname>M.</firstname>
- <surname>Schulze</surname>
- </author>
- <author>
- <firstname>S.</firstname>
- <surname>Pleitner</surname>
- </author>
- <author>
- <firstname>D.</firstname>
- <surname>Baldoni</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> Encoding of Geographical
-Location</title>
- <pubdate>November 1994</pubdate>
- </biblioentry>
- </bibliodiv>
- </bibliography>
- </sect2>
- <sect2 id="internet_drafts">
- <title>Internet Drafts</title>
- <para>Internet Drafts (IDs) are rough-draft working documents of
-the Internet Engineering Task Force. They are, in essence, RFCs
-in the preliminary stages of development. Implementors are cautioned not
-to regard IDs as archival, and they should not be quoted or cited
-in any formal documents unless accompanied by the disclaimer that
-they are "works in progress." IDs have a lifespan of six months
-after which they are deleted unless updated by their authors.
-</para>
- </sect2>
- <sect2>
- <title>Other Documents About <acronym>BIND</acronym></title>
- <para></para>
- <bibliography>
- <biblioentry>
- <authorgroup>
- <author>
- <surname>Albitz</surname>
- <firstname>Paul</firstname>
- </author>
- <author>
- <firstname>Cricket</firstname>
- <surname>Liu</surname>
- </author>
- </authorgroup>
- <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
- <copyright>
- <year>1998</year>
- <holder>Sebastopol, CA: O'Reilly and Associates</holder>
- </copyright>
- </biblioentry>
- </bibliography>
- </sect2>
- </sect1>
-
-</appendix>
-
-</book>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch01.html b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
deleted file mode 100644
index 37f1eec39ab7..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch01.html
+++ /dev/null
@@ -1,412 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch01.html,v 1.12.2.2.8.9 2005/10/13 02:33:58 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 1. Introduction </title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 1. Introduction </th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch01"></a>Chapter 1. Introduction </h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545879">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545905">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545976">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2546234">The Domain Name System (<span class="acronym">DNS</span>)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546254">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2544105">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546579">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546653">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546950">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2547076">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p>The Internet Domain Name System (<span class="acronym">DNS</span>) consists of the syntax
- to specify the names of entities in the Internet in a hierarchical
- manner, the rules used for delegating authority over names, and the
- system implementation that actually maps names to Internet
- addresses. <span class="acronym">DNS</span> data is maintained in a group of distributed
- hierarchical databases.</p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2545879"></a>Scope of Document</h2></div></div></div>
-<p>The Berkeley Internet Name Domain (<span class="acronym">BIND</span>) implements an
- domain name server for a number of operating systems. This
- document provides basic information about the installation and
- care of the Internet Software Consortium (<span class="acronym">ISC</span>)
- <span class="acronym">BIND</span> version 9 software package for system
- administrators.</p>
-<p>This version of the manual corresponds to BIND version 9.3.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2545905"></a>Organization of This Document</h2></div></div></div>
-<p>In this document, <span class="emphasis"><em>Section 1</em></span> introduces
- the basic <span class="acronym">DNS</span> and <span class="acronym">BIND</span> concepts. <span class="emphasis"><em>Section 2</em></span>
- describes resource requirements for running <span class="acronym">BIND</span> in various
- environments. Information in <span class="emphasis"><em>Section 3</em></span> is
- <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
- organized functionally, to aid in the process of installing the
- <span class="acronym">BIND</span> 9 software. The task-oriented section is followed by
- <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
- concepts that the system administrator may need for implementing
- certain options. <span class="emphasis"><em>Section 5</em></span>
- describes the <span class="acronym">BIND</span> 9 lightweight
- resolver. The contents of <span class="emphasis"><em>Section 6</em></span> are
- organized as in a reference manual to aid in the ongoing
- maintenance of the software. <span class="emphasis"><em>Section 7
- </em></span>addresses security considerations, and
- <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
- main body of the document is followed by several
- <span class="emphasis"><em>Appendices</em></span> which contain useful reference
- information, such as a <span class="emphasis"><em>Bibliography</em></span> and
- historic information related to <span class="acronym">BIND</span> and the Domain Name
- System.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2545976"></a>Conventions Used in This Document</h2></div></div></div>
-<p>In this document, we use the following general typographic
- conventions:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-<p><span class="emphasis"><em>To
-describe:</em></span></p>
-</td>
-<td>
-<p><span class="emphasis"><em>We use the style:</em></span></p>
-</td>
-</tr>
-<tr>
-<td>
-<p>a pathname, filename, URL, hostname,
-mailing list name, or new term or concept</p>
-</td>
-<td><p><code class="filename">Fixed width</code></p></td>
-</tr>
-<tr>
-<td><p>literal user
-input</p></td>
-<td><p><strong class="userinput"><code>Fixed Width Bold</code></strong></p></td>
-</tr>
-<tr>
-<td><p>program output</p></td>
-<td><p><code class="computeroutput">Fixed Width</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The following conventions are used in descriptions of the
-<span class="acronym">BIND</span> configuration file:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span class="emphasis"><em>To
-describe:</em></span></p></td>
-<td><p><span class="emphasis"><em>We use the style:</em></span></p></td>
-</tr>
-<tr>
-<td><p>keywords</p></td>
-<td><p><code class="literal">Fixed Width</code></p></td>
-</tr>
-<tr>
-<td><p>variables</p></td>
-<td><p><code class="varname">Fixed Width</code></p></td>
-</tr>
-<tr>
-<td><p>Optional input</p></td>
-<td><p>[<span class="optional">Text is enclosed in square brackets</span>]</p></td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2546234"></a>The Domain Name System (<span class="acronym">DNS</span>)</h2></div></div></div>
-<p>The purpose of this document is to explain the installation
-and upkeep of the <span class="acronym">BIND</span> software package, and we
-begin by reviewing the fundamentals of the Domain Name System
-(<span class="acronym">DNS</span>) as they relate to <span class="acronym">BIND</span>.
-</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2546254"></a>DNS Fundamentals</h3></div></div></div>
-<p>The Domain Name System (DNS) is the hierarchical, distributed
-database. It stores information for mapping Internet host names to IP
-addresses and vice versa, mail routing information, and other data
-used by Internet applications.</p>
-<p>Clients look up information in the DNS by calling a
-<span class="emphasis"><em>resolver</em></span> library, which sends queries to one or
-more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
-The <span class="acronym">BIND</span> 9 software distribution contains a
-name server, <span><strong class="command">named</strong></span>, and two resolver
-libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2544105"></a>Domains and Domain Names</h3></div></div></div>
-<p>The data stored in the DNS is identified by <span class="emphasis"><em>domain
-names</em></span> that are organized as a tree according to
-organizational or administrative boundaries. Each node of the tree,
-called a <span class="emphasis"><em>domain</em></span>, is given a label. The domain name of the
-node is the concatenation of all the labels on the path from the
-node to the <span class="emphasis"><em>root</em></span> node. This is represented
-in written form as a string of labels listed from right to left and
-separated by dots. A label need only be unique within its parent
-domain.</p>
-<p>For example, a domain name for a host at the
-company <span class="emphasis"><em>Example, Inc.</em></span> could be
-<code class="literal">mail.example.com</code>,
-where <code class="literal">com</code> is the
-top level domain to which
-<code class="literal">ourhost.example.com</code> belongs,
-<code class="literal">example</code> is
-a subdomain of <code class="literal">com</code>, and
-<code class="literal">ourhost</code> is the
-name of the host.</p>
-<p>For administrative purposes, the name space is partitioned into
-areas called <span class="emphasis"><em>zones</em></span>, each starting at a node and
-extending down to the leaf nodes or to nodes where other zones start.
-The data for each zone is stored in a <span class="emphasis"><em>name
-server</em></span>, which answers queries about the zone using the
-<span class="emphasis"><em>DNS protocol</em></span>.
-</p>
-<p>The data associated with each domain name is stored in the
-form of <span class="emphasis"><em>resource records</em></span> (<span class="acronym">RR</span>s).
-Some of the supported resource record types are described in
-<a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them" title="Types of Resource Records and When to Use Them">the section called &#8220;Types of Resource Records and When to Use Them&#8221;</a>.</p>
-<p>For more detailed information about the design of the DNS and
-the DNS protocol, please refer to the standards documents listed in
-<a href="Bv9ARM.ch09.html#rfcs" title="Request for Comments (RFCs)">the section called &#8220;Request for Comments (RFCs)&#8221;</a>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2546579"></a>Zones</h3></div></div></div>
-<p>To properly operate a name server, it is important to understand
-the difference between a <span class="emphasis"><em>zone</em></span>
-and a <span class="emphasis"><em>domain</em></span>.</p>
-<p>As we stated previously, a zone is a point of delegation in
-the <span class="acronym">DNS</span> tree. A zone consists of
-those contiguous parts of the domain
-tree for which a name server has complete information and over which
-it has authority. It contains all domain names from a certain point
-downward in the domain tree except those which are delegated to
-other zones. A delegation point is marked by one or more
-<span class="emphasis"><em>NS records</em></span> in the
-parent zone, which should be matched by equivalent NS records at
-the root of the delegated zone.</p>
-<p>For instance, consider the <code class="literal">example.com</code>
-domain which includes names
-such as <code class="literal">host.aaa.example.com</code> and
-<code class="literal">host.bbb.example.com</code> even though
-the <code class="literal">example.com</code> zone includes
-only delegations for the <code class="literal">aaa.example.com</code> and
-<code class="literal">bbb.example.com</code> zones. A zone can map
-exactly to a single domain, but could also include only part of a
-domain, the rest of which could be delegated to other
-name servers. Every name in the <span class="acronym">DNS</span> tree is a
-<span class="emphasis"><em>domain</em></span>, even if it is
-<span class="emphasis"><em>terminal</em></span>, that is, has no
-<span class="emphasis"><em>subdomains</em></span>. Every subdomain is a domain and
-every domain except the root is also a subdomain. The terminology is
-not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
-gain a complete understanding of this difficult and subtle
-topic.</p>
-<p>Though <span class="acronym">BIND</span> is called a "domain name server",
-it deals primarily in terms of zones. The master and slave
-declarations in the <code class="filename">named.conf</code> file specify
-zones, not domains. When you ask some other site if it is willing to
-be a slave server for your <span class="emphasis"><em>domain</em></span>, you are
-actually asking for slave service for some collection of zones.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2546653"></a>Authoritative Name Servers</h3></div></div></div>
-<p>Each zone is served by at least
-one <span class="emphasis"><em>authoritative name server</em></span>,
-which contains the complete data for the zone.
-To make the DNS tolerant of server and network failures,
-most zones have two or more authoritative servers.
-</p>
-<p>Responses from authoritative servers have the "authoritative
-answer" (AA) bit set in the response packets. This makes them
-easy to identify when debugging DNS configurations using tools like
-<span><strong class="command">dig</strong></span> (<a href="Bv9ARM.ch03.html#diagnostic_tools" title="Diagnostic Tools">the section called &#8220;Diagnostic Tools&#8221;</a>).</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2546676"></a>The Primary Master</h4></div></div></div>
-<p>
-The authoritative server where the master copy of the zone data is maintained is
-called the <span class="emphasis"><em>primary master</em></span> server, or simply the
-<span class="emphasis"><em>primary</em></span>. It loads the zone contents from some
-local file edited by humans or perhaps generated mechanically from
-some other local file which is edited by humans. This file is called
-the <span class="emphasis"><em>zone file</em></span> or <span class="emphasis"><em>master file</em></span>.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2546902"></a>Slave Servers</h4></div></div></div>
-<p>The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
-servers (also known as <span class="emphasis"><em>secondary</em></span> servers) load
-the zone contents from another server using a replication process
-known as a <span class="emphasis"><em>zone transfer</em></span>. Typically the data are
-transferred directly from the primary master, but it is also possible
-to transfer it from another slave. In other words, a slave server
-may itself act as a master to a subordinate slave server.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2546921"></a>Stealth Servers</h4></div></div></div>
-<p>Usually all of the zone's authoritative servers are listed in
-NS records in the parent zone. These NS records constitute
-a <span class="emphasis"><em>delegation</em></span> of the zone from the parent.
-The authoritative servers are also listed in the zone file itself,
-at the <span class="emphasis"><em>top level</em></span> or <span class="emphasis"><em>apex</em></span>
-of the zone. You can list servers in the zone's top-level NS
-records that are not in the parent's NS delegation, but you cannot
-list servers in the parent's delegation that are not present at
-the zone's top level.</p>
-<p>A <span class="emphasis"><em>stealth server</em></span> is a server that is
-authoritative for a zone but is not listed in that zone's NS
-records. Stealth servers can be used for keeping a local copy of a
-zone to speed up access to the zone's records or to make sure that the
-zone is available even if all the "official" servers for the zone are
-inaccessible.</p>
-<p>A configuration where the primary master server itself is a
-stealth server is often referred to as a "hidden primary"
-configuration. One use for this configuration is when the primary master
-is behind a firewall and therefore unable to communicate directly
-with the outside world.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2546950"></a>Caching Name Servers</h3></div></div></div>
-<p>The resolver libraries provided by most operating systems are
-<span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not capable of
-performing the full DNS resolution process by themselves by talking
-directly to the authoritative servers. Instead, they rely on a local
-name server to perform the resolution on their behalf. Such a server
-is called a <span class="emphasis"><em>recursive</em></span> name server; it performs
-<span class="emphasis"><em>recursive lookups</em></span> for local clients.</p>
-<p>To improve performance, recursive servers cache the results of
-the lookups they perform. Since the processes of recursion and
-caching are intimately connected, the terms
-<span class="emphasis"><em>recursive server</em></span> and
-<span class="emphasis"><em>caching server</em></span> are often used synonymously.</p>
-<p>The length of time for which a record may be retained in
-in the cache of a caching name server is controlled by the
-Time To Live (TTL) field associated with each resource record.
-</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2547050"></a>Forwarding</h4></div></div></div>
-<p>Even a caching name server does not necessarily perform
-the complete recursive lookup itself. Instead, it can
-<span class="emphasis"><em>forward</em></span> some or all of the queries
-that it cannot satisfy from its cache to another caching name server,
-commonly referred to as a <span class="emphasis"><em>forwarder</em></span>.
-</p>
-<p>There may be one or more forwarders,
-and they are queried in turn until the list is exhausted or an answer
-is found. Forwarders are typically used when you do not
-wish all the servers at a given site to interact directly with the rest of
-the Internet servers. A typical scenario would involve a number
-of internal <span class="acronym">DNS</span> servers and an Internet firewall. Servers unable
-to pass packets through the firewall would forward to the server
-that can do it, and that server would query the Internet <span class="acronym">DNS</span> servers
-on the internal server's behalf. An added benefit of using the forwarding
-feature is that the central machine develops a much more complete
-cache of information that all the clients can take advantage
-of.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2547076"></a>Name Servers in Multiple Roles</h3></div></div></div>
-<p>The <span class="acronym">BIND</span> name server can simultaneously act as
-a master for some zones, a slave for other zones, and as a caching
-(recursive) server for a set of local clients.</p>
-<p>However, since the functions of authoritative name service
-and caching/recursive name service are logically separate, it is
-often advantageous to run them on separate server machines.
-
-A server that only provides authoritative name service
-(an <span class="emphasis"><em>authoritative-only</em></span> server) can run with
-recursion disabled, improving reliability and security.
-
-A server that is not authoritative for any zones and only provides
-recursive service to local
-clients (a <span class="emphasis"><em>caching-only</em></span> server)
-does not need to be reachable from the Internet at large and can
-be placed inside a firewall.</p>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch02.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">BIND 9 Administrator Reference Manual </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 2. <span class="acronym">BIND</span> Resource Requirements</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch02.html b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
deleted file mode 100644
index d3e946ad7706..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch02.html
+++ /dev/null
@@ -1,130 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch02.html,v 1.10.2.1.8.8 2005/10/13 02:33:59 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 2. BIND Resource Requirements</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction ">
-<link rel="next" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 2. <span class="acronym">BIND</span> Resource Requirements</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch02"></a>Chapter 2. <span class="acronym">BIND</span> Resource Requirements</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547108">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547132">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547143">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547158">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547303">Supported Operating Systems</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2547108"></a>Hardware requirements</h2></div></div></div>
-<p><span class="acronym">DNS</span> hardware requirements have traditionally been quite modest.
-For many installations, servers that have been pensioned off from
-active duty have performed admirably as <span class="acronym">DNS</span> servers.</p>
-<p>The DNSSEC and IPv6 features of <span class="acronym">BIND</span> 9 may prove to be quite
-CPU intensive however, so organizations that make heavy use of these
-features may wish to consider larger systems for these applications.
-<span class="acronym">BIND</span> 9 is fully multithreaded, allowing full utilization of
-multiprocessor systems for installations that need it.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2547132"></a>CPU Requirements</h2></div></div></div>
-<p>CPU requirements for <span class="acronym">BIND</span> 9 range from i486-class machines
-for serving of static zones without caching, to enterprise-class
-machines if you intend to process many dynamic updates and DNSSEC
-signed zones, serving many thousands of queries per second.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2547143"></a>Memory Requirements</h2></div></div></div>
-<p>The memory of the server has to be large enough to fit the
-cache and zones loaded off disk. The <span><strong class="command">max-cache-size</strong></span>
-option can be used to limit the amount of memory used by the cache,
-at the expense of reducing cache hit rates and causing more <span class="acronym">DNS</span>
-traffic. It is still good practice to have enough memory to load
-all zone and cache data into memory &#8212; unfortunately, the best way
-to determine this for a given installation is to watch the name server
-in operation. After a few weeks the server process should reach
-a relatively stable size where entries are expiring from the cache as
-fast as they are being inserted.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2547158"></a>Name Server Intensive Environment Issues</h2></div></div></div>
-<p>For name server intensive environments, there are two alternative
-configurations that may be used. The first is where clients and
-any second-level internal name servers query a main name server, which
-has enough memory to build a large cache. This approach minimizes
-the bandwidth used by external name lookups. The second alternative
-is to set up second-level internal name servers to make queries independently.
-In this configuration, none of the individual machines needs to
-have as much memory or CPU power as in the first alternative, but
-this has the disadvantage of making many more external queries,
-as none of the name servers share their cached data.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2547303"></a>Supported Operating Systems</h2></div></div></div>
-<p>ISC <span class="acronym">BIND</span> 9 compiles and runs on a large number
-of Unix-like operating system and on Windows NT / 2000. For an up-to-date
-list of supported systems, see the README file in the top level directory
-of the BIND 9 source distribution.</p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch01.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch03.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 1. Introduction  </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 3. Name Server Configuration</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch03.html b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
deleted file mode 100644
index 4d6d93be1f1b..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch03.html
+++ /dev/null
@@ -1,525 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch03.html,v 1.26.2.5.4.11 2005/10/13 02:33:59 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 3. Name Server Configuration</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch02.html" title="Chapter 2. BIND Resource Requirements">
-<link rel="next" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 3. Name Server Configuration</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch03"></a>Chapter 3. Name Server Configuration</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547334">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547350">An Authoritative-only Name Server</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547372">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547656">Name Server Operations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547661">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2548915">Signals</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p>In this section we provide some suggested configurations along
-with guidelines for their use. We also address the topic of reasonable
-option setting.</p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2547334"></a>A Caching-only Name Server</h3></div></div></div>
-<p>The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation. All queries
-from outside clients are refused using the <span><strong class="command">allow-query</strong></span>
-option. Alternatively, the same effect could be achieved using suitable
-firewall rules.</p>
-<pre class="programlisting">
-// Two corporate subnets we wish to allow queries from.
-acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-options {
- directory "/etc/namedb"; // Working directory
- allow-query { corpnets; };
-};
-// Provide a reverse mapping for the loopback address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2547350"></a>An Authoritative-only Name Server</h3></div></div></div>
-<p>This sample configuration is for an authoritative-only server
-that is the master server for "<code class="filename">example.com</code>"
-and a slave for the subdomain "<code class="filename">eng.example.com</code>".</p>
-<pre class="programlisting">
-options {
- directory "/etc/namedb"; // Working directory
- allow-query { any; }; // This is the default
- recursion no; // Do not provide recursive service
-};
-
-// Provide a reverse mapping for the loopback address 127.0.0.1
-zone "0.0.127.in-addr.arpa" {
- type master;
- file "localhost.rev";
- notify no;
-};
-// We are the master server for example.com
-zone "example.com" {
- type master;
- file "example.com.db";
- // IP addresses of slave servers allowed to transfer example.com
- allow-transfer {
- 192.168.4.14;
- 192.168.5.53;
- };
-};
-// We are a slave server for eng.example.com
-zone "eng.example.com" {
- type slave;
- file "eng.example.com.bk";
- // IP address of eng.example.com master server
- masters { 192.168.4.12; };
-};
-</pre>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2547372"></a>Load Balancing</h2></div></div></div>
-<p>A primitive form of load balancing can be achieved in
-the <span class="acronym">DNS</span> by using multiple A records for one name.</p>
-<p>For example, if you have three WWW servers with network addresses
-of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
-following means that clients will connect to each machine one third
-of the time:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>Name</p></td>
-<td><p>TTL</p></td>
-<td><p>CLASS</p></td>
-<td><p>TYPE</p></td>
-<td><p>Resource Record (RR) Data</p></td>
-</tr>
-<tr>
-<td><p><code class="literal">www</code></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">600</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.3</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>When a resolver queries for these records, <span class="acronym">BIND</span> will rotate
- them and respond to the query with the records in a different
- order. In the example above, clients will randomly receive
- records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
- will use the first record returned and discard the rest.</p>
-<p>For more detail on ordering responses, check the
- <span><strong class="command">rrset-order</strong></span> substatement in the
- <span><strong class="command">options</strong></span> statement, see
- <a href="Bv9ARM.ch06.html#rrset_ordering">RRset Ordering</a>.
- This substatement is not supported in
- <span class="acronym">BIND</span> 9, and only the ordering scheme described above is
- available.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2547656"></a>Name Server Operations</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2547661"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
-<p>There are several indispensable diagnostic, administrative
-and monitoring tools available to the system administrator for controlling
-and debugging the name server daemon. We describe several in this
-section </p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="diagnostic_tools"></a>Diagnostic Tools</h4></div></div></div>
-<p>The <span><strong class="command">dig</strong></span>, <span><strong class="command">host</strong></span>, and
-<span><strong class="command">nslookup</strong></span> programs are all command line tools
-for manually querying name servers. They differ in style and
-output format.
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><a name="dig"></a><span><strong class="command">dig</strong></span></span></dt>
-<dd>
-<p>The domain information groper (<span><strong class="command">dig</strong></span>)
-is the most versatile and complete of these lookup tools.
-It has two modes: simple interactive
-mode for a single query, and batch mode which executes a query for
-each in a list of several query lines. All query options are accessible
-from the command line.</p>
-<div class="cmdsynopsis"><p><code class="command">dig</code> [@<em class="replaceable"><code>server</code></em>] <em class="replaceable"><code>domain</code></em> [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
-<p>The usual simple use of dig will take the form</p>
-<p><span><strong class="command">dig @server domain query-type query-class</strong></span></p>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">dig</strong></span> man page.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">host</strong></span></span></dt>
-<dd>
-<p>The <span><strong class="command">host</strong></span> utility emphasizes simplicity
-and ease of use. By default, it converts
-between host names and Internet addresses, but its functionality
-can be extended with the use of options.</p>
-<div class="cmdsynopsis"><p><code class="command">host</code> [-aCdlrTwv] [-c <em class="replaceable"><code>class</code></em>] [-N <em class="replaceable"><code>ndots</code></em>] [-t <em class="replaceable"><code>type</code></em>] [-W <em class="replaceable"><code>timeout</code></em>] [-R <em class="replaceable"><code>retries</code></em>] <em class="replaceable"><code>hostname</code></em> [<em class="replaceable"><code>server</code></em>]</p></div>
-<p>For more information and a list of available commands and
-options, see the <span><strong class="command">host</strong></span> man page.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">nslookup</strong></span></span></dt>
-<dd>
-<p><span><strong class="command">nslookup</strong></span> has two modes: interactive
-and non-interactive. Interactive mode allows the user to query name servers
-for information about various hosts and domains or to print a list
-of hosts in a domain. Non-interactive mode is used to print just
-the name and requested information for a host or domain.</p>
-<div class="cmdsynopsis"><p><code class="command">nslookup</code> [-option...] [[<em class="replaceable"><code>host-to-find</code></em>] | [- [server]]]</p></div>
-<p>Interactive mode is entered when no arguments are given (the
-default name server will be used) or when the first argument is a
-hyphen (`-') and the second argument is the host name or Internet address
-of a name server.</p>
-<p>Non-interactive mode is used when the name or Internet address
-of the host to be looked up is given as the first argument. The
-optional second argument specifies the host name or address of a name server.</p>
-<p>Due to its arcane user interface and frequently inconsistent
-behavior, we do not recommend the use of <span><strong class="command">nslookup</strong></span>.
-Use <span><strong class="command">dig</strong></span> instead.</p>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="admin_tools"></a>Administrative Tools</h4></div></div></div>
-<p>Administrative tools play an integral part in the management
-of a server.</p>
-<div class="variablelist"><dl>
-<dt>
-<a name="named-checkconf"></a><span class="term"><span><strong class="command">named-checkconf</strong></span></span>
-</dt>
-<dd>
-<p>The <span><strong class="command">named-checkconf</strong></span> program
- checks the syntax of a <code class="filename">named.conf</code> file.</p>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code> [-jvz] [-t <em class="replaceable"><code>directory</code></em>] [<em class="replaceable"><code>filename</code></em>]</p></div>
-</dd>
-<dt>
-<a name="named-checkzone"></a><span class="term"><span><strong class="command">named-checkzone</strong></span></span>
-</dt>
-<dd>
-<p>The <span><strong class="command">named-checkzone</strong></span> program checks a master file for
- syntax and consistency.</p>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code> [-djqvD] [-c <em class="replaceable"><code>class</code></em>] [-o <em class="replaceable"><code>output</code></em>] [-t <em class="replaceable"><code>directory</code></em>] [-w <em class="replaceable"><code>directory</code></em>] [-k <em class="replaceable"><code>(ignore|warn|fail)</code></em>] [-n <em class="replaceable"><code>(ignore|warn|fail)</code></em>] <em class="replaceable"><code>zone</code></em> [<em class="replaceable"><code>filename</code></em>]</p></div>
-</dd>
-<dt>
-<a name="rndc"></a><span class="term"><span><strong class="command">rndc</strong></span></span>
-</dt>
-<dd>
-<p>The remote name daemon control
- (<span><strong class="command">rndc</strong></span>) program allows the system
- administrator to control the operation of a name server.
- If you run <span><strong class="command">rndc</strong></span> without any options
- it will display a usage message as follows:</p>
-<div class="cmdsynopsis"><p><code class="command">rndc</code> [-c <em class="replaceable"><code>config</code></em>] [-s <em class="replaceable"><code>server</code></em>] [-p <em class="replaceable"><code>port</code></em>] [-y <em class="replaceable"><code>key</code></em>] <em class="replaceable"><code>command</code></em> [<em class="replaceable"><code>command</code></em>...]</p></div>
-<p><span><strong class="command">command</strong></span> is one of the following:</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><strong class="userinput"><code>reload</code></strong></span></dt>
-<dd><p>Reload configuration file and zones.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>reload <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Reload the given zone.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>refresh <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Schedule zone maintenance for the given zone.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>retransfer <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Retransfer the given zone from the master.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>freeze [<span class="optional"><em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>Suspend updates to a dynamic zone. If no zone is specified
- then all zones are suspended. This allows manual
- edits to be made to a zone normally updated by dynamic update. It
- also causes changes in the journal file to be synced into the master
- and the journal file to be removed. All dynamic update attempts will
- be refused while the zone is frozen.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>thaw [<span class="optional"><em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</span>]</code></strong></span></dt>
-<dd><p>Enable updates to a frozen dynamic zone. If no zone is
- specified then all frozen zones are enabled. This causes
- the server to reload the zone from disk, and re-enables dynamic updates
- after the load has completed. After a zone is thawed, dynamic updates
- will no longer be refused.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>notify <em class="replaceable"><code>zone</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em>
- [<span class="optional"><em class="replaceable"><code>view</code></em></span>]</span>]</code></strong></span></dt>
-<dd><p>Resend NOTIFY messages for the zone</p></dd>
-<dt><span class="term"><strong class="userinput"><code>reconfig</code></strong></span></dt>
-<dd><p>Reload the configuration file and load new zones,
- but do not reload existing zone files even if they have changed.
- This is faster than a full <span><strong class="command">reload</strong></span> when there
- is a large number of zones because it avoids the need to examine the
- modification times of the zones files.
- </p></dd>
-<dt><span class="term"><strong class="userinput"><code>stats</code></strong></span></dt>
-<dd><p>Write server statistics to the statistics file.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>querylog</code></strong></span></dt>
-<dd><p>Toggle query logging. Query logging can also be enabled
- by explicitly directing the <span><strong class="command">queries</strong></span>
- <span><strong class="command">category</strong></span> to a <span><strong class="command">channel</strong></span> in the
- <span><strong class="command">logging</strong></span> section of
- <code class="filename">named.conf</code>.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>dumpdb [<span class="optional">-all|-cache|-zone</span>] [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]</code></strong></span></dt>
-<dd><p>Dump the server's caches (default) and / or zones to the
- dump file for the specified views. If no view is specified all
- views are dumped.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>stop [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>Stop the server, making sure any recent changes
- made through dynamic update or IXFR are first saved to the master files
- of the updated zones. If -p is specified named's process id is returned.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
-<dd><p>Stop the server immediately. Recent changes
- made through dynamic update or IXFR are not saved to the master files,
- but will be rolled forward from the journal files when the server
- is restarted. If -p is specified named's process id is returned.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
-<dd><p>Increment the servers debugging level by one. </p></dd>
-<dt><span class="term"><strong class="userinput"><code>trace <em class="replaceable"><code>level</code></em></code></strong></span></dt>
-<dd><p>Sets the server's debugging level to an explicit
- value.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>notrace</code></strong></span></dt>
-<dd><p>Sets the server's debugging level to 0.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>flush</code></strong></span></dt>
-<dd><p>Flushes the server's cache.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>flushname</code></strong> <em class="replaceable"><code>name</code></em></span></dt>
-<dd><p>Flushes the given name from the server's cache.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>status</code></strong></span></dt>
-<dd><p>Display status of the server.
-Note the number of zones includes the internal <span><strong class="command">bind/CH</strong></span> zone
-and the default <span><strong class="command">./IN</strong></span> hint zone if there is not a
-explicit root zone configured.</p></dd>
-<dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
-<dd><p>Dump the list of queries named is currently recursing
- on.
- </p></dd>
-</dl></div>
-<p>In <span class="acronym">BIND</span> 9.2, <span><strong class="command">rndc</strong></span>
-supports all the commands of the BIND 8 <span><strong class="command">ndc</strong></span>
-utility except <span><strong class="command">ndc start</strong></span> and
-<span><strong class="command">ndc restart</strong></span>, which were also
-not supported in <span><strong class="command">ndc</strong></span>'s channel mode.</p>
-<p>A configuration file is required, since all
-communication with the server is authenticated with
-digital signatures that rely on a shared secret, and
-there is no way to provide that secret other than with a
-configuration file. The default location for the
-<span><strong class="command">rndc</strong></span> configuration file is
-<code class="filename">/etc/rndc.conf</code>, but an alternate
-location can be specified with the <code class="option">-c</code>
-option. If the configuration file is not found,
-<span><strong class="command">rndc</strong></span> will also look in
-<code class="filename">/etc/rndc.key</code> (or whatever
-<code class="varname">sysconfdir</code> was defined when
-the <span class="acronym">BIND</span> build was configured).
-The <code class="filename">rndc.key</code> file is generated by
-running <span><strong class="command">rndc-confgen -a</strong></span> as described in
-<a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>.</p>
-<p>The format of the configuration file is similar to
-that of <code class="filename">named.conf</code>, but limited to
-only four statements, the <span><strong class="command">options</strong></span>,
-<span><strong class="command">key</strong></span>, <span><strong class="command">server</strong></span> and
-<span><strong class="command">include</strong></span>
-statements. These statements are what associate the
-secret keys to the servers with which they are meant to
-be shared. The order of statements is not
-significant.</p>
-<p>The <span><strong class="command">options</strong></span> statement has three clauses:
-<span><strong class="command">default-server</strong></span>, <span><strong class="command">default-key</strong></span>,
-and <span><strong class="command">default-port</strong></span>.
-<span><strong class="command">default-server</strong></span> takes a
-host name or address argument and represents the server that will
-be contacted if no <code class="option">-s</code>
-option is provided on the command line.
-<span><strong class="command">default-key</strong></span> takes
-the name of a key as its argument, as defined by a <span><strong class="command">key</strong></span> statement.
-<span><strong class="command">default-port</strong></span> specifies the port to which
-<span><strong class="command">rndc</strong></span> should connect if no
-port is given on the command line or in a
-<span><strong class="command">server</strong></span> statement.</p>
-<p>The <span><strong class="command">key</strong></span> statement defines an key to be used
-by <span><strong class="command">rndc</strong></span> when authenticating with
-<span><strong class="command">named</strong></span>. Its syntax is identical to the
-<span><strong class="command">key</strong></span> statement in named.conf.
-The keyword <strong class="userinput"><code>key</code></strong> is
-followed by a key name, which must be a valid
-domain name, though it need not actually be hierarchical; thus,
-a string like "<strong class="userinput"><code>rndc_key</code></strong>" is a valid name.
-The <span><strong class="command">key</strong></span> statement has two clauses:
-<span><strong class="command">algorithm</strong></span> and <span><strong class="command">secret</strong></span>.
-While the configuration parser will accept any string as the argument
-to algorithm, currently only the string "<strong class="userinput"><code>hmac-md5</code></strong>"
-has any meaning. The secret is a base-64 encoded string.</p>
-<p>The <span><strong class="command">server</strong></span> statement associates a key
-defined using the <span><strong class="command">key</strong></span> statement with a server.
-The keyword <strong class="userinput"><code>server</code></strong> is followed by a
-host name or address. The <span><strong class="command">server</strong></span> statement
-has two clauses: <span><strong class="command">key</strong></span> and <span><strong class="command">port</strong></span>.
-The <span><strong class="command">key</strong></span> clause specifies the name of the key
-to be used when communicating with this server, and the
-<span><strong class="command">port</strong></span> clause can be used to
-specify the port <span><strong class="command">rndc</strong></span> should connect
-to on the server.</p>
-<p>A sample minimal configuration file is as follows:</p>
-<pre class="programlisting">
-key rndc_key {
- algorithm "hmac-md5";
- secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
-};
-options {
- default-server 127.0.0.1;
- default-key rndc_key;
-};
-</pre>
-<p>This file, if installed as <code class="filename">/etc/rndc.conf</code>,
-would allow the command:</p>
-<p><code class="prompt">$ </code><strong class="userinput"><code>rndc reload</code></strong></p>
-<p>to connect to 127.0.0.1 port 953 and cause the name server
-to reload, if a name server on the local machine were running with
-following controls statements:</p>
-<pre class="programlisting">
-controls {
- inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
-};
-</pre>
-<p>and it had an identical key statement for
-<code class="literal">rndc_key</code>.</p>
-<p>Running the <span><strong class="command">rndc-confgen</strong></span> program will
-conveniently create a <code class="filename">rndc.conf</code>
-file for you, and also display the
-corresponding <span><strong class="command">controls</strong></span> statement that you need to
-add to <code class="filename">named.conf</code>. Alternatively,
-you can run <span><strong class="command">rndc-confgen -a</strong></span> to set up
-a <code class="filename">rndc.key</code> file and not modify
-<code class="filename">named.conf</code> at all.
-</p>
-</dd>
-</dl></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2548915"></a>Signals</h3></div></div></div>
-<p>Certain UNIX signals cause the name server to take specific
-actions, as described in the following table. These signals can
-be sent using the <span><strong class="command">kill</strong></span> command.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">SIGHUP</strong></span></p></td>
-<td><p>Causes the server to read <code class="filename">named.conf</code> and
-reload the database. </p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">SIGTERM</strong></span></p></td>
-<td><p>Causes the server to clean up and exit.</p></td>
-</tr>
-<tr>
-<td>
-<p><span><strong class="command">SIGINT</strong></span></p>
-</td>
-<td><p>Causes the server to clean up and exit.</p></td>
-</tr>
-</tbody>
-</table></div>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch02.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch04.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 2. <span class="acronym">BIND</span> Resource Requirements </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 4. Advanced DNS Features</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch04.html b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
deleted file mode 100644
index 8165dbba9675..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch04.html
+++ /dev/null
@@ -1,716 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch04.html,v 1.30.2.6.2.14 2005/10/13 02:33:59 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 4. Advanced DNS Features</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch03.html" title="Chapter 3. Name Server Configuration">
-<link rel="next" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 4. Advanced DNS Features</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch04"></a>Chapter 4. Advanced DNS Features</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2549203">Split DNS</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549627">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549830">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549838">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549878">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549998">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550042">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550056">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550173">SIG(0)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550308">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550375">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550450">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550473">IPv6 Support in <span class="acronym">BIND</span> 9</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550600">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550620">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="notify"></a>Notify</h2></div></div></div>
-<p><span class="acronym">DNS</span> NOTIFY is a mechanism that allows master
-servers to notify their slave servers of changes to a zone's data. In
-response to a <span><strong class="command">NOTIFY</strong></span> from a master server, the
-slave will check to see that its version of the zone is the
-current version and, if not, initiate a zone transfer.</p>
-<p><span class="acronym">DNS</span>
-For more information about
-<span><strong class="command">NOTIFY</strong></span>, see the description of the
-<span><strong class="command">notify</strong></span> option in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a> and
-the description of the zone option <span><strong class="command">also-notify</strong></span> in
-<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>. The <span><strong class="command">NOTIFY</strong></span>
-protocol is specified in RFC 1996.
-</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update"></a>Dynamic Update</h2></div></div></div>
-<p>Dynamic Update is a method for adding, replacing or deleting
- records in a master server by sending it a special form of DNS
- messages. The format and meaning of these messages is specified
- in RFC 2136.</p>
-<p>Dynamic update is enabled on a zone-by-zone basis, by
- including an <span><strong class="command">allow-update</strong></span> or
- <span><strong class="command">update-policy</strong></span> clause in the
- <span><strong class="command">zone</strong></span> statement.</p>
-<p>Updating of secure zones (zones using DNSSEC) follows
- RFC 3007: RRSIG and NSEC records affected by updates are automatically
- regenerated by the server using an online zone key.
- Update authorization is based
- on transaction signatures and an explicit server policy.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="journal"></a>The journal file</h3></div></div></div>
-<p>All changes made to a zone using dynamic update are stored in the
- zone's journal file. This file is automatically created by the
- server when the first dynamic update takes place. The name of
- the journal file is formed by appending the
- extension <code class="filename">.jnl</code> to the
- name of the corresponding zone file. The journal file is in a
- binary format and should not be edited manually.</p>
-<p>The server will also occasionally write ("dump")
- the complete contents of the updated zone to its zone file.
- This is not done immediately after
- each dynamic update, because that would be too slow when a large
- zone is updated frequently. Instead, the dump is delayed by
- up to 15 minutes, allowing additional updates to take place.</p>
-<p>When a server is restarted after a shutdown or crash, it will replay
- the journal file to incorporate into the zone any updates that took
- place after the last zone dump.</p>
-<p>Changes that result from incoming incremental zone transfers are also
- journalled in a similar way.</p>
-<p>The zone files of dynamic zones cannot normally be edited by
- hand because they are not guaranteed to contain the most recent
- dynamic changes - those are only in the journal file.
- The only way to ensure that the zone file of a dynamic zone
- is up to date is to run <span><strong class="command">rndc stop</strong></span>.</p>
-<p>If you have to make changes to a dynamic zone
- manually, the following procedure will work: Disable dynamic updates
- to the zone using
- <span><strong class="command">rndc freeze <em class="replaceable"><code>zone</code></em></strong></span>.
- This will also remove the zone's <code class="filename">.jnl</code> file
- and update the master file. Edit the zone file. Run
- <span><strong class="command">rndc unfreeze <em class="replaceable"><code>zone</code></em></strong></span>
- to reload the changed zone and re-enable dynamic updates.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="incremental_zone_transfers"></a>Incremental Zone Transfers (IXFR)</h2></div></div></div>
-<p>The incremental zone transfer (IXFR) protocol is a way for
-slave servers to transfer only changed data, instead of having to
-transfer the entire zone. The IXFR protocol is specified in RFC
-1995. See <a href="Bv9ARM.ch09.html#proposed_standards">Proposed Standards</a>.</p>
-<p>When acting as a master, <span class="acronym">BIND</span> 9
-supports IXFR for those zones
-where the necessary change history information is available. These
-include master zones maintained by dynamic update and slave zones
-whose data was obtained by IXFR. For manually maintained master
-zones, and for slave zones obtained by performing a full zone
-transfer (AXFR), IXFR is supported only if the option
-<span><strong class="command">ixfr-from-differences</strong></span> is set
-to <strong class="userinput"><code>yes</code></strong>.
-</p>
-<p>When acting as a slave, <span class="acronym">BIND</span> 9 will
-attempt to use IXFR unless
-it is explicitly disabled. For more information about disabling
-IXFR, see the description of the <span><strong class="command">request-ixfr</strong></span> clause
-of the <span><strong class="command">server</strong></span> statement.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2549203"></a>Split DNS</h2></div></div></div>
-<p>Setting up different views, or visibility, of the DNS space to
-internal and external resolvers is usually referred to as a <span class="emphasis"><em>Split
-DNS</em></span> setup. There are several reasons an organization
-would want to set up its DNS this way.</p>
-<p>One common reason for setting up a DNS system this way is
-to hide "internal" DNS information from "external" clients on the
-Internet. There is some debate as to whether or not this is actually useful.
-Internal DNS information leaks out in many ways (via email headers,
-for example) and most savvy "attackers" can find the information
-they need using other means.</p>
-<p>Another common reason for setting up a Split DNS system is
-to allow internal networks that are behind filters or in RFC 1918
-space (reserved IP space, as documented in RFC 1918) to resolve DNS
-on the Internet. Split DNS can also be used to allow mail from outside
-back in to the internal network.</p>
-<p>Here is an example of a split DNS setup:</p>
-<p>Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
-(<code class="literal">example.com</code>)
-has several corporate sites that have an internal network with reserved
-Internet Protocol (IP) space and an external demilitarized zone (DMZ),
-or "outside" section of a network, that is available to the public.</p>
-<p><span class="emphasis"><em>Example, Inc.</em></span> wants its internal clients
-to be able to resolve external hostnames and to exchange mail with
-people on the outside. The company also wants its internal resolvers
-to have access to certain internal-only zones that are not available
-at all outside of the internal network.</p>
-<p>In order to accomplish this, the company will set up two sets
-of name servers. One set will be on the inside network (in the reserved
-IP space) and the other set will be on bastion hosts, which are "proxy"
-hosts that can talk to both sides of its network, in the DMZ.</p>
-<p>The internal servers will be configured to forward all queries,
-except queries for <code class="filename">site1.internal</code>, <code class="filename">site2.internal</code>, <code class="filename">site1.example.com</code>,
-and <code class="filename">site2.example.com</code>, to the servers in the
-DMZ. These internal servers will have complete sets of information
-for <code class="filename">site1.example.com</code>, <code class="filename">site2.example.com</code>,<span class="emphasis"><em> </em></span><code class="filename">site1.internal</code>,
-and <code class="filename">site2.internal</code>.</p>
-<p>To protect the <code class="filename">site1.internal</code> and <code class="filename">site2.internal</code> domains,
-the internal name servers must be configured to disallow all queries
-to these domains from any external hosts, including the bastion
-hosts.</p>
-<p>The external servers, which are on the bastion hosts, will
-be configured to serve the "public" version of the <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones.
-This could include things such as the host records for public servers
-(<code class="filename">www.example.com</code> and <code class="filename">ftp.example.com</code>),
-and mail exchange (MX) records (<code class="filename">a.mx.example.com</code> and <code class="filename">b.mx.example.com</code>).</p>
-<p>In addition, the public <code class="filename">site1</code> and <code class="filename">site2.example.com</code> zones
-should have special MX records that contain wildcard (`*') records
-pointing to the bastion hosts. This is needed because external mail
-servers do not have any other way of looking up how to deliver mail
-to those internal hosts. With the wildcard records, the mail will
-be delivered to the bastion host, which can then forward it on to
-internal hosts.</p>
-<p>Here's an example of a wildcard MX record:</p>
-<pre class="programlisting">* IN MX 10 external1.example.com.</pre>
-<p>Now that they accept mail on behalf of anything in the internal
-network, the bastion hosts will need to know how to deliver mail
-to internal hosts. In order for this to work properly, the resolvers on
-the bastion hosts will need to be configured to point to the internal
-name servers for DNS resolution.</p>
-<p>Queries for internal hostnames will be answered by the internal
-servers, and queries for external hostnames will be forwarded back
-out to the DNS servers on the bastion hosts.</p>
-<p>In order for all this to work properly, internal clients will
-need to be configured to query <span class="emphasis"><em>only</em></span> the internal
-name servers for DNS queries. This could also be enforced via selective
-filtering on the network.</p>
-<p>If everything has been set properly, <span class="emphasis"><em>Example, Inc.</em></span>'s
-internal clients will now be able to:</p>
-<div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Look up any hostnames in the <code class="literal">site1.internal</code> and
-<code class="literal">site2.internal</code> domains.</li>
-<li>Look up any hostnames on the Internet.</li>
-<li>Exchange mail with internal AND external people.</li>
-</ul></div>
-<p>Hosts on the Internet will be able to:</p>
-<div class="itemizedlist"><ul type="disc">
-<li>Look up any hostnames in the <code class="literal">site1</code> and
-<code class="literal">site2.example.com</code> zones.</li>
-<li>Exchange mail with anyone in the <code class="literal">site1</code> and
-<code class="literal">site2.example.com</code> zones.</li>
-</ul></div>
-<p>Here is an example configuration for the setup we just
- described above. Note that this is only configuration information;
- for information on how to configure your zone files, see <a href="Bv9ARM.ch03.html#sample_configuration" title="Sample Configurations">the section called &#8220;Sample Configurations&#8221;</a></p>
-<p>Internal DNS server config:</p>
-<pre class="programlisting">
-
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { <code class="varname">bastion-ips-go-here</code>; };
-
-options {
- ...
- ...
- forward only;
- forwarders { // forward to external servers
- <code class="varname">bastion-ips-go-here</code>;
- };
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
- allow-recursion { internals; }; // restrict recursion
- ...
- ...
-};
-
-zone "site1.example.com" { // sample master zone
- type master;
- file "m/site1.example.com";
- forwarders { }; // do normal iterative
- // resolution (do not forward)
- allow-query { internals; externals; };
- allow-transfer { internals; };
-};
-
-zone "site2.example.com" { // sample slave zone
- type slave;
- file "s/site2.example.com";
- masters { 172.16.72.3; };
- forwarders { };
- allow-query { internals; externals; };
- allow-transfer { internals; };
-};
-
-zone "site1.internal" {
- type master;
- file "m/site1.internal";
- forwarders { };
- allow-query { internals; };
- allow-transfer { internals; }
-};
-
-zone "site2.internal" {
- type slave;
- file "s/site2.internal";
- masters { 172.16.72.3; };
- forwarders { };
- allow-query { internals };
- allow-transfer { internals; }
-};
-</pre>
-<p>External (bastion host) DNS server config:</p>
-<pre class="programlisting">
-acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-acl externals { bastion-ips-go-here; };
-
-options {
- ...
- ...
- allow-transfer { none; }; // sample allow-transfer (no one)
- allow-query { internals; externals; }; // restrict query access
- allow-recursion { internals; externals; }; // restrict recursion
- ...
- ...
-};
-
-zone "site1.example.com" { // sample slave zone
- type master;
- file "m/site1.foo.com";
- allow-query { any; };
- allow-transfer { internals; externals; };
-};
-
-zone "site2.example.com" {
- type slave;
- file "s/site2.foo.com";
- masters { another_bastion_host_maybe; };
- allow-query { any; };
- allow-transfer { internals; externals; }
-};
-</pre>
-<p>In the <code class="filename">resolv.conf</code> (or equivalent) on
-the bastion host(s):</p>
-<pre class="programlisting">
-search ...
-nameserver 172.16.72.2
-nameserver 172.16.72.3
-nameserver 172.16.72.4
-</pre>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="tsig"></a>TSIG</h2></div></div></div>
-<p>This is a short guide to setting up Transaction SIGnatures
-(TSIG) based transaction security in <span class="acronym">BIND</span>. It describes changes
-to the configuration file as well as what changes are required for
-different features, including the process of creating transaction
-keys and using transaction signatures with <span class="acronym">BIND</span>.</p>
-<p><span class="acronym">BIND</span> primarily supports TSIG for server to server communication.
-This includes zone transfer, notify, and recursive query messages.
-Resolvers based on newer versions of <span class="acronym">BIND</span> 8 have limited support
-for TSIG.</p>
-<p>TSIG might be most useful for dynamic update. A primary
- server for a dynamic zone should use access control to control
- updates, but IP-based access control is insufficient.
- The cryptographic access control provided by TSIG
- is far superior. The <span><strong class="command">nsupdate</strong></span>
- program supports TSIG via the <code class="option">-k</code> and
- <code class="option">-y</code> command line options.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2549627"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
-<p>A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
-An arbitrary key name is chosen: "host1-host2.". The key name must
-be the same on both hosts.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2549643"></a>Automatic Generation</h4></div></div></div>
-<p>The following command will generate a 128 bit (16 byte) HMAC-MD5
-key as described above. Longer keys are better, but shorter keys
-are easier to read. Note that the maximum key length is 512 bits;
-keys longer than that will be digested with MD5 to produce a 128
-bit key.</p>
-<p><strong class="userinput"><code>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</code></strong></p>
-<p>The key is in the file <code class="filename">Khost1-host2.+157+00000.private</code>.
-Nothing directly uses this file, but the base-64 encoded string
-following "<code class="literal">Key:</code>"
-can be extracted from the file and used as a shared secret:</p>
-<pre class="programlisting">Key: La/E5CjG9O+os1jq0a2jdA==</pre>
-<p>The string "<code class="literal">La/E5CjG9O+os1jq0a2jdA==</code>" can
-be used as the shared secret.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2549677"></a>Manual Generation</h4></div></div></div>
-<p>The shared secret is simply a random sequence of bits, encoded
-in base-64. Most ASCII strings are valid base-64 strings (assuming
-the length is a multiple of 4 and only valid characters are used),
-so the shared secret can be manually generated.</p>
-<p>Also, a known string can be run through <span><strong class="command">mmencode</strong></span> or
-a similar program to generate base-64 encoded data.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2549830"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
-<p>This is beyond the scope of DNS. A secure transport mechanism
-should be used. This could be secure FTP, ssh, telephone, etc.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2549838"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
-<p>Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span> are
-both servers. The following is added to each server's <code class="filename">named.conf</code> file:</p>
-<pre class="programlisting">
-key host1-host2. {
- algorithm hmac-md5;
- secret "La/E5CjG9O+os1jq0a2jdA==";
-};
-</pre>
-<p>The algorithm, hmac-md5, is the only one supported by <span class="acronym">BIND</span>.
-The secret is the one generated above. Since this is a secret, it
-is recommended that either <code class="filename">named.conf</code> be non-world
-readable, or the key directive be added to a non-world readable
-file that is included by <code class="filename">named.conf</code>.</p>
-<p>At this point, the key is recognized. This means that if the
-server receives a message signed by this key, it can verify the
-signature. If the signature is successfully verified, the
-response is signed by the same key.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2549878"></a>Instructing the Server to Use the Key</h3></div></div></div>
-<p>Since keys are shared between two hosts only, the server must
-be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
-for <span class="emphasis"><em>host1</em></span>, if the IP address of <span class="emphasis"><em>host2</em></span> is
-10.1.2.3:</p>
-<pre class="programlisting">
-server 10.1.2.3 {
- keys { host1-host2. ;};
-};
-</pre>
-<p>Multiple keys may be present, but only the first is used.
-This directive does not contain any secrets, so it may be in a world-readable
-file.</p>
-<p>If <span class="emphasis"><em>host1</em></span> sends a message that is a request
-to that address, the message will be signed with the specified key. <span class="emphasis"><em>host1</em></span> will
-expect any responses to signed messages to be signed with the same
-key.</p>
-<p>A similar statement must be present in <span class="emphasis"><em>host2</em></span>'s
-configuration file (with <span class="emphasis"><em>host1</em></span>'s address) for <span class="emphasis"><em>host2</em></span> to
-sign request messages to <span class="emphasis"><em>host1</em></span>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2549998"></a>TSIG Key Based Access Control</h3></div></div></div>
-<p><span class="acronym">BIND</span> allows IP addresses and ranges to be specified in ACL
-definitions and
-<span><strong class="command">allow-{ query | transfer | update }</strong></span> directives.
-This has been extended to allow TSIG keys also. The above key would
-be denoted <span><strong class="command">key host1-host2.</strong></span></p>
-<p>An example of an allow-update directive would be:</p>
-<pre class="programlisting">
-allow-update { key host1-host2. ;};
-</pre>
-<p>This allows dynamic updates to succeed only if the request
- was signed by a key named
- "<span><strong class="command">host1-host2.</strong></span>".</p>
-<p>You may want to read about the more
- powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2550042"></a>Errors</h3></div></div></div>
-<p>The processing of TSIG signed messages can result in
- several errors. If a signed message is sent to a non-TSIG aware
- server, a FORMERR will be returned, since the server will not
- understand the record. This is a result of misconfiguration,
- since the server must be explicitly configured to send a TSIG
- signed message to a specific server.</p>
-<p>If a TSIG aware server receives a message signed by an
- unknown key, the response will be unsigned with the TSIG
- extended error code set to BADKEY. If a TSIG aware server
- receives a message with a signature that does not validate, the
- response will be unsigned with the TSIG extended error code set
- to BADSIG. If a TSIG aware server receives a message with a time
- outside of the allowed range, the response will be signed with
- the TSIG extended error code set to BADTIME, and the time values
- will be adjusted so that the response can be successfully
- verified. In any of these cases, the message's rcode is set to
- NOTAUTH.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2550056"></a>TKEY</h2></div></div></div>
-<p><span><strong class="command">TKEY</strong></span> is a mechanism for automatically
- generating a shared secret between two hosts. There are several
- "modes" of <span><strong class="command">TKEY</strong></span> that specify how the key is
- generated or assigned. <span class="acronym">BIND</span> 9
- implements only one of these modes,
- the Diffie-Hellman key exchange. Both hosts are required to have
- a Diffie-Hellman KEY record (although this record is not required
- to be present in a zone). The <span><strong class="command">TKEY</strong></span> process
- must use signed messages, signed either by TSIG or SIG(0). The
- result of <span><strong class="command">TKEY</strong></span> is a shared secret that can be
- used to sign messages with TSIG. <span><strong class="command">TKEY</strong></span> can also
- be used to delete shared secrets that it had previously
- generated.</p>
-<p>The <span><strong class="command">TKEY</strong></span> process is initiated by a client
- or server by sending a signed <span><strong class="command">TKEY</strong></span> query
- (including any appropriate KEYs) to a TKEY-aware server. The
- server response, if it indicates success, will contain a
- <span><strong class="command">TKEY</strong></span> record and any appropriate keys. After
- this exchange, both participants have enough information to
- determine the shared secret; the exact process depends on the
- <span><strong class="command">TKEY</strong></span> mode. When using the Diffie-Hellman
- <span><strong class="command">TKEY</strong></span> mode, Diffie-Hellman keys are exchanged,
- and the shared secret is derived by both participants.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2550173"></a>SIG(0)</h2></div></div></div>
-<p><span class="acronym">BIND</span> 9 partially supports DNSSEC SIG(0)
- transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
- uses public/private keys to authenticate messages. Access control
- is performed in the same manner as TSIG keys; privileges can be
- granted or denied based on the key name.</p>
-<p>When a SIG(0) signed message is received, it will only be
- verified if the key is known and trusted by the server; the server
- will not attempt to locate and/or validate the key.</p>
-<p>SIG(0) signing of multiple-message TCP streams is not
- supported.</p>
-<p>The only tool shipped with <span class="acronym">BIND</span> 9 that
- generates SIG(0) signed messages is <span><strong class="command">nsupdate</strong></span>.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="DNSSEC"></a>DNSSEC</h2></div></div></div>
-<p>Cryptographic authentication of DNS information is possible
- through the DNS Security (<span class="emphasis"><em>DNSSEC-bis</em></span>) extensions,
- defined in RFC &lt;TBA&gt;. This section describes the creation and use
- of DNSSEC signed zones.</p>
-<p>In order to set up a DNSSEC secure zone, there are a series
- of steps which must be followed. <span class="acronym">BIND</span> 9 ships
- with several tools
- that are used in this process, which are explained in more detail
- below. In all cases, the <code class="option">-h</code> option prints a
- full list of parameters. Note that the DNSSEC tools require the
- keyset files to be in the working directory or the
- directory specified by the <code class="option">-h</code> option, and
- that the tools shipped with BIND 9.2.x and earlier are not compatible
- with the current ones.</p>
-<p>There must also be communication with the administrators of
- the parent and/or child zone to transmit keys. A zone's security
- status must be indicated by the parent zone for a DNSSEC capable
- resolver to trust its data. This is done through the presense
- or absence of a <code class="literal">DS</code> record at the delegation
- point.</p>
-<p>For other servers to trust data in this zone, they must
- either be statically configured with this zone's zone key or the
- zone key of another zone above this one in the DNS tree.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2550308"></a>Generating Keys</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-keygen</strong></span> program is used to
- generate keys.</p>
-<p>A secure zone must contain one or more zone keys. The
- zone keys will sign all other records in the zone, as well as
- the zone keys of any secure delegated zones. Zone keys must
- have the same name as the zone, a name type of
- <span><strong class="command">ZONE</strong></span>, and must be usable for authentication.
- It is recommended that zone keys use a cryptographic algorithm
- designated as "mandatory to implement" by the IETF; currently
- the only one is RSASHA1.</p>
-<p>The following command will generate a 768 bit RSASHA1 key for
- the <code class="filename">child.example</code> zone:</p>
-<p><strong class="userinput"><code>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</code></strong></p>
-<p>Two output files will be produced:
- <code class="filename">Kchild.example.+005+12345.key</code> and
- <code class="filename">Kchild.example.+005+12345.private</code> (where
- 12345 is an example of a key tag). The key file names contain
- the key name (<code class="filename">child.example.</code>), algorithm (3
- is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
- The private key (in the <code class="filename">.private</code> file) is
- used to generate signatures, and the public key (in the
- <code class="filename">.key</code> file) is used for signature
- verification.</p>
-<p>To generate another key with the same properties (but with
- a different key tag), repeat the above command.</p>
-<p>The public keys should be inserted into the zone file by
- including the <code class="filename">.key</code> files using
- <span><strong class="command">$INCLUDE</strong></span> statements.
- </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2550375"></a>Signing the Zone</h3></div></div></div>
-<p>The <span><strong class="command">dnssec-signzone</strong></span> program is used to
- sign a zone.</p>
-<p>Any <code class="filename">keyset</code> files corresponding
- to secure subzones should be present. The zone signer will
- generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
- records for the zone, as well as <code class="literal">DS</code> for
- the child zones if <code class="literal">'-d'</code> is specified.
- If <code class="literal">'-d'</code> is not specified then DS RRsets for
- the secure child zones need to be added manually.</p>
-<p>The following command signs the zone, assuming it is in a
- file called <code class="filename">zone.child.example</code>. By
- default, all zone keys which have an available private key are
- used to generate signatures.</p>
-<p><strong class="userinput"><code>dnssec-signzone -o child.example zone.child.example</code></strong></p>
-<p>One output file is produced:
- <code class="filename">zone.child.example.signed</code>. This file
- should be referenced by <code class="filename">named.conf</code> as the
- input file for the zone.</p>
-<p><span><strong class="command">dnssec-signzone</strong></span> will also produce a
- keyset and dsset files and optionally a dlvset file. These
- are used to provide the parent zone administators with the
- <code class="literal">DNSKEYs</code> (or their corresponding <code class="literal">DS</code>
- records) that are the secure entry point to the zone.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2550450"></a>Configuring Servers</h3></div></div></div>
-<p>Unlike <span class="acronym">BIND</span> 8,
-<span class="acronym">BIND</span> 9 does not verify signatures on load,
-so zone keys for authoritative zones do not need to be specified
-in the configuration file.</p>
-<p>The public key for any security root must be present in
-the configuration file's <span><strong class="command">trusted-keys</strong></span>
-statement, as described later in this document. </p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2550473"></a>IPv6 Support in <span class="acronym">BIND</span> 9</h2></div></div></div>
-<p><span class="acronym">BIND</span> 9 fully supports all currently defined forms of IPv6
- name to address and address to name lookups. It will also use
- IPv6 addresses to make queries when running on an IPv6 capable
- system.</p>
-<p>For forward lookups, <span class="acronym">BIND</span> 9 supports only AAAA
- records. The use of A6 records is deprecated by RFC 3363, and the
- support for forward lookups in <span class="acronym">BIND</span> 9 is
- removed accordingly.
- However, authoritative <span class="acronym">BIND</span> 9 name servers still
- load zone files containing A6 records correctly, answer queries
- for A6 records, and accept zone transfer for a zone containing A6
- records.</p>
-<p>For IPv6 reverse lookups, <span class="acronym">BIND</span> 9 supports
- the traditional "nibble" format used in the
- <span class="emphasis"><em>ip6.arpa</em></span> domain, as well as the older, deprecated
- <span class="emphasis"><em>ip6.int</em></span> domain.
- <span class="acronym">BIND</span> 9 formerly
- supported the "binary label" (also known as "bitstring") format.
- The support of binary labels, however, is now completely removed
- according to the changes in RFC 3363.
- Any applications in <span class="acronym">BIND</span> 9 do not understand
- the format any more, and will return an error if given.
- In particular, an authoritative <span class="acronym">BIND</span> 9 name
- server rejects to load a zone file containing binary labels.</p>
-<p>For an overview of the format and structure of IPv6 addresses,
- see <a href="Bv9ARM.ch09.html#ipv6addresses" title="IPv6 addresses (AAAA)">the section called &#8220;IPv6 addresses (AAAA)&#8221;</a>.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2550600"></a>Address Lookups Using AAAA Records</h3></div></div></div>
-<p>The AAAA record is a parallel to the IPv4 A record. It
- specifies the entire address in a single record. For
- example,</p>
-<pre class="programlisting">
-$ORIGIN example.com.
-host 3600 IN AAAA 2001:db8::1
-</pre>
-<p>It is recommended that IPv4-in-IPv6 mapped addresses not
- be used. If a host has an IPv4 address, use an A record, not
- a AAAA, with <code class="literal">::ffff:192.168.42.1</code> as the
- address.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2550620"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
-<p>When looking up an address in nibble format, the address
- components are simply reversed, just as in IPv4, and
- <code class="literal">ip6.arpa.</code> is appended to the resulting name.
- For example, the following would provide reverse name lookup for
- a host with address
- <code class="literal">2001:db8::1</code>.</p>
-<pre class="programlisting">
-$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
-</pre>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch03.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch05.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 3. Name Server Configuration </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch05.html b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
deleted file mode 100644
index 1720660b65ab..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch05.html
+++ /dev/null
@@ -1,115 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch05.html,v 1.24.2.5.2.12 2005/10/13 02:34:00 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 5. The BIND 9 Lightweight Resolver</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch04.html" title="Chapter 4. Advanced DNS Features">
-<link rel="next" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch05"></a>Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2550652">The Lightweight Resolver Library</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2550652"></a>The Lightweight Resolver Library</h2></div></div></div>
-<p>Traditionally applications have been linked with a stub resolver
-library that sends recursive DNS queries to a local caching name
-server.</p>
-<p>IPv6 once introduced new complexity into the resolution process,
-such as following A6 chains and DNAME records, and simultaneous
-lookup of IPv4 and IPv6 addresses. Though most of the complexity was
-then removed, these are hard or impossible
-to implement in a traditional stub resolver.</p>
-<p>Instead, <span class="acronym">BIND</span> 9 provides resolution services to local clients
-using a combination of a lightweight resolver library and a resolver
-daemon process running on the local host. These communicate using
-a simple UDP-based protocol, the "lightweight resolver protocol"
-that is distinct from and simpler than the full DNS protocol.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="lwresd"></a>Running a Resolver Daemon</h2></div></div></div>
-<p>To use the lightweight resolver interface, the system must
-run the resolver daemon <span><strong class="command">lwresd</strong></span> or a local
-name server configured with a <span><strong class="command">lwres</strong></span> statement.</p>
-<p>By default, applications using the lightweight resolver library will make
-UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
-address can be overridden by <span><strong class="command">lwserver</strong></span> lines in
-<code class="filename">/etc/resolv.conf</code>.</p>
-<p>The daemon currently only looks in the DNS, but in the future
-it may use other sources such as <code class="filename">/etc/hosts</code>,
-NIS, etc.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon is essentially a
-caching-only name server that responds to requests using the lightweight
-resolver protocol rather than the DNS protocol. Because it needs
-to run on each host, it is designed to require no or minimal configuration.
-Unless configured otherwise, it uses the name servers listed on
-<span><strong class="command">nameserver</strong></span> lines in <code class="filename">/etc/resolv.conf</code>
-as forwarders, but is also capable of doing the resolution autonomously if
-none are specified.</p>
-<p>The <span><strong class="command">lwresd</strong></span> daemon may also be configured with a
-<code class="filename">named.conf</code> style configuration file, in
-<code class="filename">/etc/lwresd.conf</code> by default. A name server may also
-be configured to act as a lightweight resolver daemon using the
-<span><strong class="command">lwres</strong></span> statement in <code class="filename">named.conf</code>.</p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch04.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch06.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 4. Advanced DNS Features </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
deleted file mode 100644
index 4b5300069d1c..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch06.html
+++ /dev/null
@@ -1,3864 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch06.html,v 1.56.2.12.2.30 2005/10/13 02:34:00 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 6. BIND 9 Configuration Reference</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch05.html" title="Chapter 5. The BIND 9 Lightweight Resolver">
-<link rel="next" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch06"></a>Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2551817">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552302"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552471"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552808"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552823"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552845"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552867"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553006"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553269"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554474"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554547"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554610"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554653"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554668"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562233"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562281"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562349"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2563022"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2564557">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2565990">Discussion of MX Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566487">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566593">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566761"><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<p><span class="acronym">BIND</span> 9 configuration is broadly similar
-to <span class="acronym">BIND</span> 8; however, there are a few new areas
-of configuration, such as views. <span class="acronym">BIND</span>
-8 configuration files should work with few alterations in <span class="acronym">BIND</span>
-9, although more complex configurations should be reviewed to check
-if they can be more efficiently implemented using the new features
-found in <span class="acronym">BIND</span> 9.</p>
-<p><span class="acronym">BIND</span> 4 configuration files can be converted to the new format
-using the shell script
-<code class="filename">contrib/named-bootconf/named-bootconf.sh</code>.</p>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="configuration_file_elements"></a>Configuration File Elements</h2></div></div></div>
-<p>Following is a list of elements used throughout the <span class="acronym">BIND</span> configuration
-file documentation:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="varname">acl_name</code></p></td>
-<td><p>The name of an <code class="varname">address_match_list</code> as
-defined by the <span><strong class="command">acl</strong></span> statement.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">address_match_list</code></p></td>
-<td><p>A list of one or more <code class="varname">ip_addr</code>,
-<code class="varname">ip_prefix</code>, <code class="varname">key_id</code>,
-or <code class="varname">acl_name</code> elements, see
-<a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">domain_name</code></p></td>
-<td><p>A quoted string which will be used as
-a DNS name, for example "<code class="literal">my.test.domain</code>".</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">dotted_decimal</code></p></td>
-<td><p>One to four integers valued 0 through
-255 separated by dots (`.'), such as <span><strong class="command">123</strong></span>,
-<span><strong class="command">45.67</strong></span> or <span><strong class="command">89.123.45.67</strong></span>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip4_addr</code></p></td>
-<td><p>An IPv4 address with exactly four elements
-in <code class="varname">dotted_decimal</code> notation.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip6_addr</code></p></td>
-<td><p>An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
-IPv6 scoped addresses that have ambiguity on their scope zones must be
-disambiguated by an appropriate zone ID with the percent character
-(`%') as delimiter.
-It is strongly recommended to use string zone names rather than
-numeric identifiers, in order to be robust against system
-configuration changes.
-However, since there is no standard mapping for such names and
-identifier values, currently only interface names as link identifiers
-are supported, assuming one-to-one mapping between interfaces and links.
-For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
-link attached to the interface <span><strong class="command">ne0</strong></span>
-can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
-Note that on most systems link-local addresses always have the
-ambiguity, and need to be disambiguated.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip_addr</code></p></td>
-<td><p>An <code class="varname">ip4_addr</code> or <code class="varname">ip6_addr</code>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip_port</code></p></td>
-<td><p>An IP port <code class="varname">number</code>.
-<code class="varname">number</code> is limited to 0 through 65535, with values
-below 1024 typically restricted to use by processes running as root.
-In some cases an asterisk (`*') character can be used as a placeholder to
-select a random high-numbered port.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">ip_prefix</code></p></td>
-<td><p>An IP network specified as an <code class="varname">ip_addr</code>,
-followed by a slash (`/') and then the number of bits in the netmask.
-Trailing zeros in a <code class="varname">ip_addr</code> may omitted.
-For example, <span><strong class="command">127/8</strong></span> is the network <span><strong class="command">127.0.0.0</strong></span> with
-netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
-network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">key_id</code></p></td>
-<td><p>A <code class="varname">domain_name</code> representing
-the name of a shared key, to be used for transaction security.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">key_list</code></p></td>
-<td><p>A list of one or more <code class="varname">key_id</code>s,
-separated by semicolons and ending with a semicolon.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">number</code></p></td>
-<td><p>A non-negative 32 bit integer
-(i.e., a number between 0 and 4294967295, inclusive).
-Its acceptable value might further
-be limited by the context in which it is used.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">path_name</code></p></td>
-<td><p>A quoted string which will be used as
-a pathname, such as <code class="filename">zones/master/my.test.domain</code>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">size_spec</code></p></td>
-<td>
-<p>A number, the word <strong class="userinput"><code>unlimited</code></strong>,
-or the word <strong class="userinput"><code>default</code></strong>.</p>
-<p>
-An <code class="varname">unlimited</code> <code class="varname">size_spec</code> requests unlimited
-use, or the maximum available amount. A <code class="varname">default size_spec</code> uses
-the limit that was in force when the server was started.</p>
-<p>A <code class="varname">number</code> can
-optionally be followed by a scaling factor: <strong class="userinput"><code>K</code></strong> or <strong class="userinput"><code>k</code></strong> for
-kilobytes, <strong class="userinput"><code>M</code></strong> or <strong class="userinput"><code>m</code></strong> for
-megabytes, and <strong class="userinput"><code>G</code></strong> or <strong class="userinput"><code>g</code></strong> for gigabytes,
-which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</p>
-<p>The value must be representable as a 64-bit unsigned integer
-(0 to 18446744073709551615, inclusive).
-Using <code class="varname">unlimited</code> is the best way
-to safely set a really large number.</p>
-</td>
-</tr>
-<tr>
-<td><p><code class="varname">yes_or_no</code></p></td>
-<td><p>Either <strong class="userinput"><code>yes</code></strong> or <strong class="userinput"><code>no</code></strong>.
-The words <strong class="userinput"><code>true</code></strong> and <strong class="userinput"><code>false</code></strong> are
-also accepted, as are the numbers <strong class="userinput"><code>1</code></strong> and <strong class="userinput"><code>0</code></strong>.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">dialup_option</code></p></td>
-<td><p>One of <strong class="userinput"><code>yes</code></strong>,
-<strong class="userinput"><code>no</code></strong>, <strong class="userinput"><code>notify</code></strong>,
-<strong class="userinput"><code>notify-passive</code></strong>, <strong class="userinput"><code>refresh</code></strong> or
-<strong class="userinput"><code>passive</code></strong>.
-When used in a zone, <strong class="userinput"><code>notify-passive</code></strong>,
-<strong class="userinput"><code>refresh</code></strong>, and <strong class="userinput"><code>passive</code></strong>
-are restricted to slave and stub zones.</p></td>
-</tr>
-</tbody>
-</table></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2551560"></a>Syntax</h4></div></div></div>
-<pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
- [<span class="optional"> address_match_list_element; ... </span>]
-<code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
- key key_id | acl_name | { address_match_list } )
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2551587"></a>Definition and Usage</h4></div></div></div>
-<p>Address match lists are primarily used to determine access
-control for various server operations. They are also used in
-the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
-statements. The elements
-which constitute an address match list can be any of the following:</p>
-<div class="itemizedlist"><ul type="disc">
-<li>an IP address (IPv4 or IPv6)</li>
-<li>an IP prefix (in `/' notation)</li>
-<li>a key ID, as defined by the <span><strong class="command">key</strong></span> statement</li>
-<li>the name of an address match list defined with
-the <span><strong class="command">acl</strong></span> statement</li>
-<li>a nested address match list enclosed in braces</li>
-</ul></div>
-<p>Elements can be negated with a leading exclamation mark (`!'),
-and the match list names "any", "none", "localhost", and "localnets"
-are predefined. More information on those names can be found in
-the description of the acl statement.</p>
-<p>The addition of the key clause made the name of this syntactic
-element something of a misnomer, since security keys can be used
-to validate access without regard to a host or network address. Nonetheless,
-the term "address match list" is still used throughout the documentation.</p>
-<p>When a given IP address or prefix is compared to an address
-match list, the list is traversed in order until an element matches.
-The interpretation of a match depends on whether the list is being used
-for access control, defining listen-on ports, or in a sortlist,
-and whether the element was negated.</p>
-<p>When used as an access control list, a non-negated match allows
-access and a negated match denies access. If there is no match,
-access is denied. The clauses <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-<span><strong class="command">allow-update</strong></span>, <span><strong class="command">allow-update-forwarding</strong></span>,
-and <span><strong class="command">blackhole</strong></span> all
-use address match lists this. Similarly, the listen-on option will cause
-the server to not accept queries on any of the machine's addresses
-which do not match the list.</p>
-<p>Because of the first-match aspect of the algorithm, an element
-that defines a subset of another element in the list should come
-before the broader element, regardless of whether either is negated. For
-example, in
-<span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13 element is
-completely useless because the algorithm will match any lookup for
-1.2.3.13 to the 1.2.3/24 element.
-Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
-that problem by having 1.2.3.13 blocked by the negation but all
-other 1.2.3.* hosts fall through.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2551817"></a>Comment Syntax</h3></div></div></div>
-<p>The <span class="acronym">BIND</span> 9 comment syntax allows for comments to appear
-anywhere that white space may appear in a <span class="acronym">BIND</span> configuration
-file. To appeal to programmers of all kinds, they can be written
-in the C, C++, or shell/perl style.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2551832"></a>Syntax</h4></div></div></div>
-<pre class="programlisting">/* This is a <span class="acronym">BIND</span> comment as in C */</pre>
-<p>
-</p>
-<pre class="programlisting">// This is a <span class="acronym">BIND</span> comment as in C++</pre>
-<p>
-</p>
-<pre class="programlisting"># This is a <span class="acronym">BIND</span> comment as in common UNIX shells and perl</pre>
-<p>
- </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2551861"></a>Definition and Usage</h4></div></div></div>
-<p>Comments may appear anywhere that whitespace may appear in
-a <span class="acronym">BIND</span> configuration file.</p>
-<p>C-style comments start with the two characters /* (slash,
-star) and end with */ (star, slash). Because they are completely
-delimited with these characters, they can be used to comment only
-a portion of a line or to span multiple lines.</p>
-<p>C-style comments cannot be nested. For example, the following
-is not valid because the entire comment ends with the first */:</p>
-<pre class="programlisting">/* This is the start of a comment.
- This is still part of the comment.
-/* This is an incorrect attempt at nesting a comment. */
- This is no longer in any comment. */
-</pre>
-<p>C++-style comments start with the two characters // (slash,
-slash) and continue to the end of the physical line. They cannot
-be continued across multiple physical lines; to have one logical
-comment span multiple lines, each line must use the // pair.</p>
-<p>For example:</p>
-<pre class="programlisting">// This is the start of a comment. The next line
-// is a new comment, even though it is logically
-// part of the previous comment.
-</pre>
-<p>Shell-style (or perl-style, if you prefer) comments start
-with the character <code class="literal">#</code> (number sign) and continue to the end of the
-physical line, as in C++ comments.</p>
-<p>For example:</p>
-<pre class="programlisting"># This is the start of a comment. The next line
-# is a new comment, even though it is logically
-# part of the previous comment.
-</pre>
-<p>
-</p>
-<div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Warning</h3>
-<p>You cannot use the semicolon (`;') character
- to start a comment such as you would in a zone file. The
- semicolon indicates the end of a configuration
- statement.</p>
-</div>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Configuration_File_Grammar"></a>Configuration File Grammar</h2></div></div></div>
-<p>A <span class="acronym">BIND</span> 9 configuration consists of statements and comments.
- Statements end with a semicolon. Statements and comments are the
- only elements that can appear without enclosing braces. Many
- statements contain a block of sub-statements, which are also
- terminated with a semicolon.</p>
-<p>The following statements are supported:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">acl</strong></span></p></td>
-<td><p>defines a named IP address
-matching list, for access control and other uses.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">controls</strong></span></p></td>
-<td><p>declares control channels to be used
-by the <span><strong class="command">rndc</strong></span> utility.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">include</strong></span></p></td>
-<td><p>includes a file.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">key</strong></span></p></td>
-<td><p>specifies key information for use in
-authentication and authorization using TSIG.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">logging</strong></span></p></td>
-<td><p>specifies what the server logs, and where
-the log messages are sent.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lwres</strong></span></p></td>
-<td><p>configures <span><strong class="command">named</strong></span> to
-also act as a light weight resolver daemon (<span><strong class="command">lwresd</strong></span>).</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">masters</strong></span></p></td>
-<td><p>defines a named masters list for
-inclusion in stub and slave zone masters clauses.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">options</strong></span></p></td>
-<td><p>controls global server configuration
-options and sets defaults for other statements.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">server</strong></span></p></td>
-<td><p>sets certain configuration options on
-a per-server basis.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">trusted-keys</strong></span></p></td>
-<td><p>defines trusted DNSSEC keys.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">view</strong></span></p></td>
-<td><p>defines a view.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">zone</strong></span></p></td>
-<td><p>defines a zone.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span><strong class="command">logging</strong></span> and
- <span><strong class="command">options</strong></span> statements may only occur once per
- configuration.</p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552302"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
- address_match_list
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="acl"></a><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</h3></div></div></div>
-<p>The <span><strong class="command">acl</strong></span> statement assigns a symbolic
- name to an address match list. It gets its name from a primary
- use of address match lists: Access Control Lists (ACLs).</p>
-<p>Note that an address match list's name must be defined
- with <span><strong class="command">acl</strong></span> before it can be used elsewhere; no
- forward references are allowed.</p>
-<p>The following ACLs are built-in:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">any</strong></span></p></td>
-<td><p>Matches all hosts.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">none</strong></span></p></td>
-<td><p>Matches no hosts.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">localhost</strong></span></p></td>
-<td><p>Matches the IPv4 and IPv6 addresses of all network
-interfaces on the system.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">localnets</strong></span></p></td>
-<td><p>Matches any host on an IPv4 or IPv6 network
-for which the system has an interface.
-Some systems do not provide a way to determine the prefix lengths of
-local IPv6 addresses.
-In such a case, <span><strong class="command">localnets</strong></span> only matches the local
-IPv6 addresses, just like <span><strong class="command">localhost</strong></span>.
-</p></td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552471"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">controls</strong></span> {
- inet ( ip_addr | * ) [<span class="optional"> port ip_port </span>] allow { <em class="replaceable"><code> address_match_list </code></em> }
- keys { <em class="replaceable"><code> key_list </code></em> };
- [<span class="optional"> inet ...; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="controls_statement_definition_and_usage"></a><span><strong class="command">controls</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">controls</strong></span> statement declares control
- channels to be used by system administrators to control the
- operation of the name server. These control channels are
- used by the <span><strong class="command">rndc</strong></span> utility to send commands to
- and retrieve non-DNS results from a name server.</p>
-<p>An <span><strong class="command">inet</strong></span> control channel is a TCP
- socket listening at the specified
- <span><strong class="command">ip_port</strong></span> on the specified
- <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
- address. An <span><strong class="command">ip_addr</strong></span>
- of <code class="literal">*</code> is interpreted as the IPv4 wildcard
- address; connections will be accepted on any of the system's
- IPv4 addresses. To listen on the IPv6 wildcard address,
- use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
- If you will only use <span><strong class="command">rndc</strong></span> on the local host,
- using the loopback address (<code class="literal">127.0.0.1</code>
- or <code class="literal">::1</code>) is recommended for maximum
- security.
- </p>
-<p>
- If no port is specified, port 953
- is used. "<code class="literal">*</code>" cannot be used for
- <span><strong class="command">ip_port</strong></span>.</p>
-<p>The ability to issue commands over the control channel is
- restricted by the <span><strong class="command">allow</strong></span> and
- <span><strong class="command">keys</strong></span> clauses. Connections to the control
- channel are permitted based on the
- <span><strong class="command">address_match_list</strong></span>. This is for simple
- IP address based filtering only; any <span><strong class="command">key_id</strong></span>
- elements of the <span><strong class="command">address_match_list</strong></span> are
- ignored.
- </p>
-<p>The primary authorization mechanism of the command
- channel is the <span><strong class="command">key_list</strong></span>, which contains
- a list of <span><strong class="command">key_id</strong></span>s.
- Each <span><strong class="command">key_id</strong></span> in
- the <span><strong class="command">key_list</strong></span> is authorized to execute
- commands over the control channel.
- See <a href="Bv9ARM.ch03.html#rndc">Remote Name Daemon Control application</a> in
- <a href="Bv9ARM.ch03.html#admin_tools" title="Administrative Tools">the section called &#8220;Administrative Tools&#8221;</a>) for information about
- configuring keys in <span><strong class="command">rndc</strong></span>.</p>
-<p>
-If no <span><strong class="command">controls</strong></span> statement is present,
-<span><strong class="command">named</strong></span> will set up a default
-control channel listening on the loopback address 127.0.0.1
-and its IPv6 counterpart ::1.
-In this case, and also when the <span><strong class="command">controls</strong></span> statement
-is present but does not have a <span><strong class="command">keys</strong></span> clause,
-<span><strong class="command">named</strong></span> will attempt to load the command channel key
-from the file <code class="filename">rndc.key</code> in
-<code class="filename">/etc</code> (or whatever <code class="varname">sysconfdir</code>
-was specified as when <span class="acronym">BIND</span> was built).
-To create a <code class="filename">rndc.key</code> file, run
-<strong class="userinput"><code>rndc-confgen -a</code></strong>.
-</p>
-<p>The <code class="filename">rndc.key</code> feature was created to
- ease the transition of systems from <span class="acronym">BIND</span> 8,
- which did not have digital signatures on its command channel messages
- and thus did not have a <span><strong class="command">keys</strong></span> clause.
-
-It makes it possible to use an existing <span class="acronym">BIND</span> 8
-configuration file in <span class="acronym">BIND</span> 9 unchanged,
-and still have <span><strong class="command">rndc</strong></span> work the same way
-<span><strong class="command">ndc</strong></span> worked in BIND 8, simply by executing the
-command <strong class="userinput"><code>rndc-confgen -a</code></strong> after BIND 9 is
-installed.
-</p>
-<p>
- Since the <code class="filename">rndc.key</code> feature
- is only intended to allow the backward-compatible usage of
- <span class="acronym">BIND</span> 8 configuration files, this feature does not
- have a high degree of configurability. You cannot easily change
- the key name or the size of the secret, so you should make a
- <code class="filename">rndc.conf</code> with your own key if you wish to change
- those things. The <code class="filename">rndc.key</code> file also has its
- permissions set such that only the owner of the file (the user that
- <span><strong class="command">named</strong></span> is running as) can access it. If you
- desire greater flexibility in allowing other users to access
- <span><strong class="command">rndc</strong></span> commands then you need to create an
- <code class="filename">rndc.conf</code> and make it group readable by a group
- that contains the users who should have access.</p>
-<p>The UNIX control channel type of <span class="acronym">BIND</span> 8 is not supported
- in <span class="acronym">BIND</span> 9, and is not expected to be added in future
- releases. If it is present in the controls statement from a
- <span class="acronym">BIND</span> 8 configuration file, it is ignored
- and a warning is logged.</p>
-<p>
-To disable the command channel, use an empty <span><strong class="command">controls</strong></span>
-statement: <span><strong class="command">controls { };</strong></span>.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552808"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">include <em class="replaceable"><code>filename</code></em>;</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552823"></a><span><strong class="command">include</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">include</strong></span> statement inserts the
- specified file at the point where the <span><strong class="command">include</strong></span>
- statement is encountered. The <span><strong class="command">include</strong></span>
- statement facilitates the administration of configuration files
- by permitting the reading or writing of some things but not
- others. For example, the statement could include private keys
- that are readable only by the name server.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552845"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">key <em class="replaceable"><code>key_id</code></em> {
- algorithm <em class="replaceable"><code>string</code></em>;
- secret <em class="replaceable"><code>string</code></em>;
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2552867"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">key</strong></span> statement defines a shared
-secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-or the command channel
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>).
-</p>
-<p>
-The <span><strong class="command">key</strong></span> statement can occur at the top level
-of the configuration file or inside a <span><strong class="command">view</strong></span>
-statement. Keys defined in top-level <span><strong class="command">key</strong></span>
-statements can be used in all views. Keys intended for use in
-a <span><strong class="command">controls</strong></span> statement
-(see <a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage" title="controls Statement Definition and Usage">the section called &#8220;<span><strong class="command">controls</strong></span> Statement Definition and Usage&#8221;</a>)
-must be defined at the top level.
-</p>
-<p>The <em class="replaceable"><code>key_id</code></em>, also known as the
-key name, is a domain name uniquely identifying the key. It can
-be used in a <span><strong class="command">server</strong></span>
-statement to cause requests sent to that
-server to be signed with this key, or in address match lists to
-verify that incoming requests have been signed with a key
-matching this name, algorithm, and secret.</p>
-<p>The <em class="replaceable"><code>algorithm_id</code></em> is a string
-that specifies a security/authentication algorithm. The only
-algorithm currently supported with TSIG authentication is
-<code class="literal">hmac-md5</code>. The
-<em class="replaceable"><code>secret_string</code></em> is the secret to be
-used by the algorithm, and is treated as a base-64 encoded
-string.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2553006"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting"><span><strong class="command">logging</strong></span> {
- [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
- ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
- [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <code class="literal">unlimited</code> ) ]
- [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
- | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
- | <span><strong class="command">stderr</strong></span>
- | <span><strong class="command">null</strong></span> );
- [ <span><strong class="command">severity</strong></span> (<code class="option">critical</code> | <code class="option">error</code> | <code class="option">warning</code> | <code class="option">notice</code> |
- <code class="option">info</code> | <code class="option">debug</code> [ <em class="replaceable"><code>level</code></em> ] | <code class="option">dynamic</code> ); ]
- [ <span><strong class="command">print-category</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- [ <span><strong class="command">print-severity</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- [ <span><strong class="command">print-time</strong></span> <code class="option">yes</code> or <code class="option">no</code>; ]
- }; ]
- [ <span><strong class="command">category</strong></span> <em class="replaceable"><code>category_name</code></em> {
- <em class="replaceable"><code>channel_name</code></em> ; [ <em class="replaceable"><code>channel_nam</code></em>e ; ... ]
- }; ]
- ...
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2553269"></a><span><strong class="command">logging</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">logging</strong></span> statement configures a wide
-variety of logging options for the name server. Its <span><strong class="command">channel</strong></span> phrase
-associates output methods, format options and severity levels with
-a name that can then be used with the <span><strong class="command">category</strong></span> phrase
-to select how various classes of messages are logged.</p>
-<p>Only one <span><strong class="command">logging</strong></span> statement is used to define
-as many channels and categories as are wanted. If there is no <span><strong class="command">logging</strong></span> statement,
-the logging configuration will be:</p>
-<pre class="programlisting">logging {
- category default { default_syslog; default_debug; };
- category unmatched { null; };
-};
-</pre>
-<p>In <span class="acronym">BIND</span> 9, the logging configuration is only established when
-the entire configuration file has been parsed. In <span class="acronym">BIND</span> 8, it was
-established as soon as the <span><strong class="command">logging</strong></span> statement
-was parsed. When the server is starting up, all logging messages
-regarding syntax errors in the configuration file go to the default
-channels, or to standard error if the "<code class="option">-g</code>" option
-was specified.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2553321"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
-<p>All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
-you can make as many of them as you want.</p>
-<p>Every channel definition must include a destination clause that
-says whether messages selected for the channel go to a file, to a
-particular syslog facility, to the standard error stream, or are
-discarded. It can optionally also limit the message severity level
-that will be accepted by the channel (the default is
-<span><strong class="command">info</strong></span>), and whether to include a
-<span><strong class="command">named</strong></span>-generated time stamp, the category name
-and/or severity level (the default is not to include any).</p>
-<p>The <span><strong class="command">null</strong></span> destination clause
-causes all messages sent to the channel to be discarded;
-in that case, other options for the channel are meaningless.</p>
-<p>The <span><strong class="command">file</strong></span> destination clause directs the channel
-to a disk file. It can include limitations
-both on how large the file is allowed to become, and how many versions
-of the file will be saved each time the file is opened.</p>
-<p>If you use the <span><strong class="command">versions</strong></span> log file option, then
-<span><strong class="command">named</strong></span> will retain that many backup versions of the file by
-renaming them when opening. For example, if you choose to keep 3 old versions
-of the file <code class="filename">lamers.log</code> then just before it is opened
-<code class="filename">lamers.log.1</code> is renamed to
-<code class="filename">lamers.log.2</code>, <code class="filename">lamers.log.0</code> is renamed
-to <code class="filename">lamers.log.1</code>, and <code class="filename">lamers.log</code> is
-renamed to <code class="filename">lamers.log.0</code>.
-You can say <span><strong class="command">versions unlimited</strong></span> to not limit
-the number of versions.
-If a <span><strong class="command">size</strong></span> option is associated with the log file,
-then renaming is only done when the file being opened exceeds the
-indicated size. No backup versions are kept by default; any existing
-log file is simply appended.</p>
-<p>The <span><strong class="command">size</strong></span> option for files is used to limit log
-growth. If the file ever exceeds the size, then <span><strong class="command">named</strong></span> will
-stop writing to the file unless it has a <span><strong class="command">versions</strong></span> option
-associated with it. If backup versions are kept, the files are rolled as
-described above and a new one begun. If there is no
-<span><strong class="command">versions</strong></span> option, no more data will be written to the log
-until some out-of-band mechanism removes or truncates the log to less than the
-maximum size. The default behavior is not to limit the size of the
-file.</p>
-<p>Example usage of the <span><strong class="command">size</strong></span> and
-<span><strong class="command">versions</strong></span> options:</p>
-<pre class="programlisting">channel an_example_channel {
- file "example.log" versions 3 size 20m;
- print-time yes;
- print-category yes;
-};
-</pre>
-<p>The <span><strong class="command">syslog</strong></span> destination clause directs the
-channel to the system log. Its argument is a
-syslog facility as described in the <span><strong class="command">syslog</strong></span> man
-page. Known facilities are <span><strong class="command">kern</strong></span>, <span><strong class="command">user</strong></span>,
-<span><strong class="command">mail</strong></span>, <span><strong class="command">daemon</strong></span>, <span><strong class="command">auth</strong></span>,
-<span><strong class="command">syslog</strong></span>, <span><strong class="command">lpr</strong></span>, <span><strong class="command">news</strong></span>,
-<span><strong class="command">uucp</strong></span>, <span><strong class="command">cron</strong></span>, <span><strong class="command">authpriv</strong></span>,
-<span><strong class="command">ftp</strong></span>, <span><strong class="command">local0</strong></span>, <span><strong class="command">local1</strong></span>,
-<span><strong class="command">local2</strong></span>, <span><strong class="command">local3</strong></span>, <span><strong class="command">local4</strong></span>,
-<span><strong class="command">local5</strong></span>, <span><strong class="command">local6</strong></span> and
-<span><strong class="command">local7</strong></span>, however not all facilities are supported on
-all operating systems.
-How <span><strong class="command">syslog</strong></span> will handle messages sent to
-this facility is described in the <span><strong class="command">syslog.conf</strong></span> man
-page. If you have a system which uses a very old version of <span><strong class="command">syslog</strong></span> that
-only uses two arguments to the <span><strong class="command">openlog()</strong></span> function,
-then this clause is silently ignored.</p>
-<p>The <span><strong class="command">severity</strong></span> clause works like <span><strong class="command">syslog</strong></span>'s
-"priorities", except that they can also be used if you are writing
-straight to a file rather than using <span><strong class="command">syslog</strong></span>.
-Messages which are not at least of the severity level given will
-not be selected for the channel; messages of higher severity levels
-will be accepted.</p>
-<p>If you are using <span><strong class="command">syslog</strong></span>, then the <span><strong class="command">syslog.conf</strong></span> priorities
-will also determine what eventually passes through. For example,
-defining a channel facility and severity as <span><strong class="command">daemon</strong></span> and <span><strong class="command">debug</strong></span> but
-only logging <span><strong class="command">daemon.warning</strong></span> via <span><strong class="command">syslog.conf</strong></span> will
-cause messages of severity <span><strong class="command">info</strong></span> and <span><strong class="command">notice</strong></span> to
-be dropped. If the situation were reversed, with <span><strong class="command">named</strong></span> writing
-messages of only <span><strong class="command">warning</strong></span> or higher, then <span><strong class="command">syslogd</strong></span> would
-print all messages it received from the channel.</p>
-<p>The <span><strong class="command">stderr</strong></span> destination clause directs the
-channel to the server's standard error stream. This is intended for
-use when the server is running as a foreground process, for example
-when debugging a configuration.</p>
-<p>The server can supply extensive debugging information when
-it is in debugging mode. If the server's global debug level is greater
-than zero, then debugging mode will be active. The global debug
-level is set either by starting the <span><strong class="command">named</strong></span> server
-with the <code class="option">-d</code> flag followed by a positive integer,
-or by running <span><strong class="command">rndc trace</strong></span>.
-The global debug level
-can be set to zero, and debugging mode turned off, by running <span><strong class="command">ndc
-notrace</strong></span>. All debugging messages in the server have a debug
-level, and higher debug levels give more detailed output. Channels
-that specify a specific debug severity, for example:</p>
-<pre class="programlisting">channel specific_debug_level {
- file "foo";
- severity debug 3;
-};
-</pre>
-<p>will get debugging output of level 3 or less any time the
-server is in debugging mode, regardless of the global debugging
-level. Channels with <span><strong class="command">dynamic</strong></span> severity use the
-server's global debug level to determine what messages to print.</p>
-<p>If <span><strong class="command">print-time</strong></span> has been turned on, then
-the date and time will be logged. <span><strong class="command">print-time</strong></span> may
-be specified for a <span><strong class="command">syslog</strong></span> channel, but is usually
-pointless since <span><strong class="command">syslog</strong></span> also prints the date and
-time. If <span><strong class="command">print-category</strong></span> is requested, then the
-category of the message will be logged as well. Finally, if <span><strong class="command">print-severity</strong></span> is
-on, then the severity level of the message will be logged. The <span><strong class="command">print-</strong></span> options may
-be used in any combination, and will always be printed in the following
-order: time, category, severity. Here is an example where all three <span><strong class="command">print-</strong></span> options
-are on:</p>
-<p><code class="computeroutput">28-Feb-2000 15:05:32.863 general: notice: running</code></p>
-<p>There are four predefined channels that are used for
-<span><strong class="command">named</strong></span>'s default logging as follows. How they are
-used is described in <a href="Bv9ARM.ch06.html#the_category_phrase" title="The category Phrase">the section called &#8220;The <span><strong class="command">category</strong></span> Phrase&#8221;</a>.
-</p>
-<pre class="programlisting">channel default_syslog {
- syslog daemon; // send to syslog's daemon
- // facility
- severity info; // only send priority info
- // and higher
-};
-
-channel default_debug {
- file "named.run"; // write to named.run in
- // the working directory
- // Note: stderr is used instead
- // of "named.run"
- // if the server is started
- // with the '-f' option.
- severity dynamic; // log at the server's
- // current debug level
-};
-
-channel default_stderr {
- stderr; // writes to stderr
- severity info; // only send priority info
- // and higher
-};
-
-channel null {
- null; // toss anything sent to
- // this channel
-};
-</pre>
-<p>The <span><strong class="command">default_debug</strong></span> channel has the special
-property that it only produces output when the server's debug level is
-nonzero. It normally writes to a file <code class="filename">named.run</code>
-in the server's working directory.</p>
-<p>For security reasons, when the "<code class="option">-u</code>"
-command line option is used, the <code class="filename">named.run</code> file
-is created only after <span><strong class="command">named</strong></span> has changed to the
-new UID, and any debug output generated while <span><strong class="command">named</strong></span> is
-starting up and still running as root is discarded. If you need
-to capture this output, you must run the server with the "<code class="option">-g</code>"
-option and redirect standard error to a file.</p>
-<p>Once a channel is defined, it cannot be redefined. Thus you
-cannot alter the built-in channels directly, but you can modify
-the default logging by pointing categories at channels you have defined.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_category_phrase"></a>The <span><strong class="command">category</strong></span> Phrase</h4></div></div></div>
-<p>There are many categories, so you can send the logs you want
-to see wherever you want, without seeing logs you don't want. If
-you don't specify a list of channels for a category, then log messages
-in that category will be sent to the <span><strong class="command">default</strong></span> category
-instead. If you don't specify a default category, the following
-"default default" is used:</p>
-<pre class="programlisting">category default { default_syslog; default_debug; };
-</pre>
-<p>As an example, let's say you want to log security events to
-a file, but you also want keep the default logging behavior. You'd
-specify the following:</p>
-<pre class="programlisting">channel my_security_channel {
- file "my_security_file";
- severity info;
-};
-category security {
- my_security_channel;
- default_syslog;
- default_debug;
-};</pre>
-<p>To discard all messages in a category, specify the <span><strong class="command">null</strong></span> channel:</p>
-<pre class="programlisting">category xfer-out { null; };
-category notify { null; };
-</pre>
-<p>Following are the available categories and brief descriptions
-of the types of log information they contain. More
-categories may be added in future <span class="acronym">BIND</span> releases.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">default</strong></span></p></td>
-<td><p>The default category defines the logging
-options for those categories where no specific configuration has been
-defined.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">general</strong></span></p></td>
-<td><p>The catch-all. Many things still aren't
-classified into categories, and they all end up here.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">database</strong></span></p></td>
-<td><p>Messages relating to the databases used
-internally by the name server to store zone and cache data.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">security</strong></span></p></td>
-<td><p>Approval and denial of requests.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">config</strong></span></p></td>
-<td><p>Configuration file parsing and processing.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">resolver</strong></span></p></td>
-<td><p>DNS resolution, such as the recursive
-lookups performed on behalf of clients by a caching name server.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">xfer-in</strong></span></p></td>
-<td><p>Zone transfers the server is receiving.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">xfer-out</strong></span></p></td>
-<td><p>Zone transfers the server is sending.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>The NOTIFY protocol.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">client</strong></span></p></td>
-<td><p>Processing of client requests.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">unmatched</strong></span></p></td>
-<td><p>Messages that named was unable to determine the
-class of or for which there was no matching <span><strong class="command">view</strong></span>.
-A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
-This category is best sent to a file or stderr, by default it is sent to
-the <span><strong class="command">null</strong></span> channel.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">network</strong></span></p></td>
-<td><p>Network operations.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">update</strong></span></p></td>
-<td><p>Dynamic updates.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">update-security</strong></span></p></td>
-<td><p>Approval and denial of update requests.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">queries</strong></span></p></td>
-<td>
-<p>Specify where queries should be logged to.</p>
-<p>
-At startup, specifing the category <span><strong class="command">queries</strong></span> will also
-enable query logging unless <span><strong class="command">querylog</strong></span> option has been
-specified.
-</p>
-<p>
-The query log entry reports the client's IP address and port number. The
-query name, class and type. It also reports whether the Recursion Desired
-flag was set (+ if set, - if not set), EDNS was in use (E) or if the
-query was signed (S).</p>
-<p><code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
-</p>
-<p><code class="computeroutput">client ::1#62537: query: www.example.net IN AAAA -SE</code>
-</p>
-</td>
-</tr>
-<tr>
-<td><p><span><strong class="command">dispatch</strong></span></p></td>
-<td><p>Dispatching of incoming packets to the
-server modules where they are to be processed.
-</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">dnssec</strong></span></p></td>
-<td><p>DNSSEC and TSIG protocol processing.
-</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lame-servers</strong></span></p></td>
-<td><p>Lame servers. These are misconfigurations
-in remote servers, discovered by BIND 9 when trying to query
-those servers during resolution.
-</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">delegation-only</strong></span></p></td>
-<td><p>Delegation only. Logs queries that have have
-been forced to NXDOMAIN as the result of a delegation-only zone or
-a <span><strong class="command">delegation-only</strong></span> in a hint or stub zone declaration.
-</p></td>
-</tr>
-</tbody>
-</table></div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2554474"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
-<p> This is the grammar of the <span><strong class="command">lwres</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
-<pre class="programlisting"><span><strong class="command">lwres</strong></span> {
- [<span class="optional"> listen-on { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> view <em class="replaceable"><code>view_name</code></em>; </span>]
- [<span class="optional"> search { <em class="replaceable"><code>domain_name</code></em> ; [<span class="optional"> <em class="replaceable"><code>domain_name</code></em> ; ... </span>] }; </span>]
- [<span class="optional"> ndots <em class="replaceable"><code>number</code></em>; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2554547"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">lwres</strong></span> statement configures the name
-server to also act as a lightweight resolver server, see
-<a href="Bv9ARM.ch05.html#lwresd" title="Running a Resolver Daemon">the section called &#8220;Running a Resolver Daemon&#8221;</a>. There may be be multiple
-<span><strong class="command">lwres</strong></span> statements configuring
-lightweight resolver servers with different properties.</p>
-<p>The <span><strong class="command">listen-on</strong></span> statement specifies a list of
-addresses (and ports) that this instance of a lightweight resolver daemon
-should accept requests on. If no port is specified, port 921 is used.
-If this statement is omitted, requests will be accepted on 127.0.0.1,
-port 921.</p>
-<p>The <span><strong class="command">view</strong></span> statement binds this instance of a
-lightweight resolver daemon to a view in the DNS namespace, so that the
-response will be constructed in the same manner as a normal DNS query
-matching this view. If this statement is omitted, the default view is
-used, and if there is no default view, an error is triggered.</p>
-<p>The <span><strong class="command">search</strong></span> statement is equivalent to the
-<span><strong class="command">search</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>. It provides a list of domains
-which are appended to relative names in queries.</p>
-<p>The <span><strong class="command">ndots</strong></span> statement is equivalent to the
-<span><strong class="command">ndots</strong></span> statement in
-<code class="filename">/etc/resolv.conf</code>. It indicates the minimum
-number of dots in a relative domain name that should result in an
-exact match lookup before search path elements are appended.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2554610"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">
-<span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ;
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2554653"></a><span><strong class="command">masters</strong></span> Statement Definition and Usage </h3></div></div></div>
-<p><span><strong class="command">masters</strong></span> lists allow for a common set of masters
-to be easily used by multiple stub and slave zones.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2554668"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
-<p>This is the grammar of the <span><strong class="command">options</strong></span>
-statement in the <code class="filename">named.conf</code> file:</p>
-<pre class="programlisting">options {
- [<span class="optional"> version <em class="replaceable"><code>version_string</code></em>; </span>]
- [<span class="optional"> hostname <em class="replaceable"><code>hostname_string</code></em>; </span>]
- [<span class="optional"> server-id <em class="replaceable"><code>server_id_string</code></em>; </span>]
- [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
- [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
- [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> statistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> auth-nxdomain <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> deallocate-on-exit <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em>; </span>]
- [<span class="optional"> fake-iquery <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> fetch-glue <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> flush-zones-on-shutdown <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> has-old-clients <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> host-statistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> host-statistics-max <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> minimal-responses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> multiple-cnames <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em>; </span>]
- [<span class="optional"> recursion <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
- [<span class="optional"> dnssec-must-be-secure <em class="replaceable"><code>domain yes_or_no</code></em>; </span>]
- [<span class="optional"> forward ( <em class="replaceable"><code>only</code></em> | <em class="replaceable"><code>first</code></em> ); </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> dual-stack-servers [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>domain_name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ) ; ... }; </span>]
- [<span class="optional"> check-names ( <em class="replaceable"><code>master</code></em> | <em class="replaceable"><code>slave</code></em> | <em class="replaceable"><code>response</code></em> )( <em class="replaceable"><code>warn</code></em> | <em class="replaceable"><code>fail</code></em> | <em class="replaceable"><code>ignore</code></em> ); </span>]
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> avoid-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> avoid-v6-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
- [<span class="optional"> listen-on [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> listen-on-v6 [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em> </span>] { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
- [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> tcp-clients <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> recursive-clients <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> serial-query-rate <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> serial-queries <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> tcp-listen-queue <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em>; </span>]
- [<span class="optional"> transfers-in <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfers-out <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfers-per-ns <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
- [<span class="optional"> coresize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> datasize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> files <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> stacksize <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> cleaning-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> heartbeat-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> interface-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> statistics-interval <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> topology { <em class="replaceable"><code>address_match_list</code></em> }</span>];
- [<span class="optional"> sortlist { <em class="replaceable"><code>address_match_list</code></em> }</span>];
- [<span class="optional"> rrset-order { <em class="replaceable"><code>order_spec</code></em> ; [<span class="optional"> <em class="replaceable"><code>order_spec</code></em> ; ... </span>] </span>] };
- [<span class="optional"> lame-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> treat-cr-as-space <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> port <em class="replaceable"><code>ip_port</code></em>; </span>]
- [<span class="optional"> additional-from-auth <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> additional-from-cache <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> random-device <em class="replaceable"><code>path_name</code></em> ; </span>]
- [<span class="optional"> max-cache-size <em class="replaceable"><code>size_spec</code></em> ; </span>]
- [<span class="optional"> match-mapped-addresses <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> preferred-glue ( <em class="replaceable"><code>A</code></em> | <em class="replaceable"><code>AAAA</code></em> | <em class="replaceable"><code>NONE</code></em> ); </span>]
- [<span class="optional"> edns-udp-size <em class="replaceable"><code>number</code></em>; </span>]
- [<span class="optional"> root-delegation-only [<span class="optional"> exclude { <em class="replaceable"><code>namelist</code></em> } </span>] ; </span>]
- [<span class="optional"> querylog <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> disable-algorithms <em class="replaceable"><code>domain</code></em> { <em class="replaceable"><code>algorithm</code></em>; [<span class="optional"> <em class="replaceable"><code>algorithm</code></em>; </span>] }; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="options"></a><span><strong class="command">options</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">options</strong></span> statement sets up global options
-to be used by <span class="acronym">BIND</span>. This statement may appear only
-once in a configuration file. If there is no <span><strong class="command">options</strong></span>
-statement, an options block with each option set to its default will
-be used.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">directory</strong></span></span></dt>
-<dd><p>The working directory of the server.
-Any non-absolute pathnames in the configuration file will be taken
-as relative to this directory. The default location for most server
-output files (e.g. <code class="filename">named.run</code>) is this directory.
-If a directory is not specified, the working directory defaults
-to `<code class="filename">.</code>', the directory from which the server
-was started. The directory specified should be an absolute path.</p></dd>
-<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>When performing dynamic update of secure zones, the
-directory where the public and private key files should be found,
-if different than the current working directory. The directory specified
-must be an absolute path.</p></dd>
-<dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete.</em></span>
-It was used in <span class="acronym">BIND</span> 8 to
-specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
-In <span class="acronym">BIND</span> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
-needed; its functionality is built into the name server.</p></dd>
-<dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
-<dd><p>The domain appended to the names of all
-shared keys generated with <span><strong class="command">TKEY</strong></span>. When a client
-requests a <span><strong class="command">TKEY</strong></span> exchange, it may or may not specify
-the desired name for the key. If present, the name of the shared
-key will be "<code class="varname">client specified part</code>" +
-"<code class="varname">tkey-domain</code>".
-Otherwise, the name of the shared key will be "<code class="varname">random hex
-digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
-the <span><strong class="command">domainname</strong></span> should be the server's domain
-name.</p></dd>
-<dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
-<dd><p>The Diffie-Hellman key used by the server
-to generate shared keys with clients using the Diffie-Hellman mode
-of <span><strong class="command">TKEY</strong></span>. The server must be able to load the
-public and private keys from files in the working directory. In
-most cases, the keyname should be the server's host name.</p></dd>
-<dt><span class="term"><span><strong class="command">dump-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server dumps
-the database to when instructed to do so with
-<span><strong class="command">rndc dumpdb</strong></span>.
-If not specified, the default is <code class="filename">named_dump.db</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes memory
-usage statistics to on exit. If not specified,
-the default is <code class="filename">named.memstats</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server writes its process ID
-in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
-The pid-file is used by programs that want to send signals to the running
-name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
-use of a PID file &#8212; no file will be written and any
-existing one will be removed. Note that <span><strong class="command">none</strong></span>
-is a keyword, not a file name, and therefore is not enclosed in
-double quotes.</p></dd>
-<dt><span class="term"><span><strong class="command">statistics-file</strong></span></span></dt>
-<dd><p>The pathname of the file the server appends statistics
-to when instructed to do so using <span><strong class="command">rndc stats</strong></span>.
-If not specified, the default is <code class="filename">named.stats</code> in the
-server's current directory. The format of the file is described
-in <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a></p></dd>
-<dt><span class="term"><span><strong class="command">port</strong></span></span></dt>
-<dd><p>
-The UDP/TCP port number the server uses for
-receiving and sending DNS protocol traffic.
-The default is 53. This option is mainly intended for server testing;
-a server using a port other than 53 will not be able to communicate with
-the global DNS.
-</p></dd>
-<dt><span class="term"><span><strong class="command">random-device</strong></span></span></dt>
-<dd><p>
-The source of entropy to be used by the server. Entropy is primarily needed
-for DNSSEC operations, such as TKEY transactions and dynamic update of signed
-zones. This options specifies the device (or file) from which to read
-entropy. If this is a file, operations requiring entropy will fail when the
-file has been exhausted. If not specified, the default value is
-<code class="filename">/dev/random</code>
-(or equivalent) when present, and none otherwise. The
-<span><strong class="command">random-device</strong></span> option takes effect during
-the initial configuration load at server startup time and
-is ignored on subsequent reloads.</p></dd>
-<dt><span class="term"><span><strong class="command">preferred-glue</strong></span></span></dt>
-<dd><p>
-If specified the listed type (A or AAAA) will be emitted before other glue
-in the additional section of a query response.
-The default is not to preference any type (NONE).
-</p></dd>
-<dt><span class="term"><span><strong class="command">root-delegation-only</strong></span></span></dt>
-<dd>
-<p>
-Turn on enforcement of delegation-only in TLDs and root zones with an optional
-exclude list.
-</p>
-<p>
-Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
-</p>
-<pre class="programlisting">
-options {
- root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
-};
-</pre>
-</dd>
-<dt><span class="term"><span><strong class="command">disable-algorithms</strong></span></span></dt>
-<dd><p>
-Disable the specified DNSSEC algorithms at and below the specified name.
-Multiple <span><strong class="command">disable-algorithms</strong></span> statements are allowed.
-Only the most specific will be applied.
-</p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-lookaside</strong></span></span></dt>
-<dd><p>
-When set <span><strong class="command">dnssec-lookaside</strong></span> provides the
-validator with an alternate method to validate DNSKEY records at the
-top of a zone. When a DNSKEY is at or below a domain specified by the
-deepest <span><strong class="command">dnssec-lookaside</strong></span>, and the normal dnssec validation
-has left the key untrusted, the trust-anchor will be append to the key
-name and a DLV record will be looked up to see if it can validate the
-key. If the DLV record validates a DNSKEY (similarly to the way a DS
-record does) the DNSKEY RRset is deemed to be trusted.
-</p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-must-be-secure</strong></span></span></dt>
-<dd><p>
-Specify heirarchies which must / may not be secure (signed and validated).
-If <strong class="userinput"><code>yes</code></strong> then named will only accept answers if they
-are secure.
-If <strong class="userinput"><code>no</code></strong> then normal dnssec validation applies
-allowing for insecure answers to be accepted.
-The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
-<span><strong class="command">dnssec-lookaside</strong></span> must be active.
-</p></dd>
-</dl></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="boolean_options"></a>Boolean Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">auth-nxdomain</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then the <span><strong class="command">AA</strong></span> bit
-is always set on NXDOMAIN responses, even if the server is not actually
-authoritative. The default is <strong class="userinput"><code>no</code></strong>; this is
-a change from <span class="acronym">BIND</span> 8. If you are using very old DNS software, you
-may need to set it to <strong class="userinput"><code>yes</code></strong>.</p></dd>
-<dt><span class="term"><span><strong class="command">deallocate-on-exit</strong></span></span></dt>
-<dd><p>This option was used in <span class="acronym">BIND</span> 8 to enable checking
-for memory leaks on exit. <span class="acronym">BIND</span> 9 ignores the option and always performs
-the checks.</p></dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd>
-<p>If <strong class="userinput"><code>yes</code></strong>, then the
-server treats all zones as if they are doing zone transfers across
-a dial on demand dialup link, which can be brought up by traffic
-originating from this server. This has different effects according
-to zone type and concentrates the zone maintenance so that it all
-happens in a short interval, once every <span><strong class="command">heartbeat-interval</strong></span> and
-hopefully during the one call. It also suppresses some of the normal
-zone maintenance traffic. The default is <strong class="userinput"><code>no</code></strong>.</p>
-<p>The <span><strong class="command">dialup</strong></span> option
-may also be specified in the <span><strong class="command">view</strong></span> and
-<span><strong class="command">zone</strong></span> statements,
-in which case it overrides the global <span><strong class="command">dialup</strong></span>
-option.</p>
-<p>If the zone is a master zone then the server will send out a NOTIFY
-request to all the slaves (default). This should trigger the zone serial
-number check in the slave (providing it supports NOTIFY) allowing the slave
-to verify the zone while the connection is active.
-The set of servers to which NOTIFY is sent can be controlled by
-<span><strong class="command">notify</strong></span> and <span><strong class="command">also-notify</strong></span>.</p>
-<p>If the
-zone is a slave or stub zone, then the server will suppress the regular
-"zone up to date" (refresh) queries and only perform them when the
-<span><strong class="command">heartbeat-interval</strong></span> expires in addition to sending
-NOTIFY requests.</p>
-<p>Finer control can be achieved by using
-<strong class="userinput"><code>notify</code></strong> which only sends NOTIFY messages,
-<strong class="userinput"><code>notify-passive</code></strong> which sends NOTIFY messages and
-suppresses the normal refresh queries, <strong class="userinput"><code>refresh</code></strong>
-which suppresses normal refresh processing and sends refresh queries
-when the <span><strong class="command">heartbeat-interval</strong></span> expires, and
-<strong class="userinput"><code>passive</code></strong> which just disables normal refresh
-processing.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>dialup mode</p></td>
-<td><p>normal refresh</p></td>
-<td><p>heart-beat refresh</p></td>
-<td><p>heart-beat notify</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">no</strong></span> (default)</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">yes</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>yes</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">notify</strong></span></p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">refresh</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-<td><p>no</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">notify-passive</strong></span></p></td>
-<td><p>no</p></td>
-<td><p>no</p></td>
-<td><p>yes</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>Note that normal NOTIFY processing is not affected by
-<span><strong class="command">dialup</strong></span>.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">fake-iquery</strong></span></span></dt>
-<dd><p>In <span class="acronym">BIND</span> 8, this option
-enabled simulating the obsolete DNS query type
-IQUERY. <span class="acronym">BIND</span> 9 never does IQUERY simulation.
-</p></dd>
-<dt><span class="term"><span><strong class="command">fetch-glue</strong></span></span></dt>
-<dd><p>This option is obsolete.
-In BIND 8, <strong class="userinput"><code>fetch-glue yes</code></strong>
-caused the server to attempt to fetch glue resource records it
-didn't have when constructing the additional
-data section of a response. This is now considered a bad idea
-and BIND 9 never does it.</p></dd>
-<dt><span class="term"><span><strong class="command">flush-zones-on-shutdown</strong></span></span></dt>
-<dd><p>When the nameserver exits due receiving SIGTERM,
-flush / do not flush any pending zone writes. The default is
-<span><strong class="command">flush-zones-on-shutdown</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">has-old-clients</strong></span></span></dt>
-<dd><p>This option was incorrectly implemented
-in <span class="acronym">BIND</span> 8, and is ignored by <span class="acronym">BIND</span> 9.
-To achieve the intended effect
-of
-<span><strong class="command">has-old-clients</strong></span> <strong class="userinput"><code>yes</code></strong>, specify
-the two separate options <span><strong class="command">auth-nxdomain</strong></span> <strong class="userinput"><code>yes</code></strong>
-and <span><strong class="command">rfc2308-type1</strong></span> <strong class="userinput"><code>no</code></strong> instead.
-</p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics</strong></span></span></dt>
-<dd><p>In BIND 8, this enables keeping of
-statistics for every host that the name server interacts with.
-Not implemented in BIND 9.
-</p></dd>
-<dt><span class="term"><span><strong class="command">maintain-ixfr-base</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
- It was used in <span class="acronym">BIND</span> 8 to determine whether a transaction log was
-kept for Incremental Zone Transfer. <span class="acronym">BIND</span> 9 maintains a transaction
-log whenever possible. If you need to disable outgoing incremental zone
-transfers, use <span><strong class="command">provide-ixfr</strong></span> <strong class="userinput"><code>no</code></strong>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">minimal-responses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then when generating
-responses the server will only add records to the authority and
-additional data sections when they are required (e.g. delegations,
-negative responses). This may improve the performance of the server.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">multiple-cnames</strong></span></span></dt>
-<dd><p>This option was used in <span class="acronym">BIND</span> 8 to allow
-a domain name to have multiple CNAME records in violation of the
-DNS standards. <span class="acronym">BIND</span> 9.2 always strictly
-enforces the CNAME rules both in master files and dynamic updates.
-</p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd>
-<p>If <strong class="userinput"><code>yes</code></strong> (the default),
-DNS NOTIFY messages are sent when a zone the server is authoritative for
-changes, see <a href="Bv9ARM.ch04.html#notify" title="Notify">the section called &#8220;Notify&#8221;</a>. The messages are sent to the
-servers listed in the zone's NS records (except the master server identified
-in the SOA MNAME field), and to any servers listed in the
-<span><strong class="command">also-notify</strong></span> option.
-</p>
-<p>
-If <strong class="userinput"><code>explicit</code></strong>, notifies are sent only to
-servers explicitly listed using <span><strong class="command">also-notify</strong></span>.
-If <strong class="userinput"><code>no</code></strong>, no notifies are sent.
-</p>
-<p>
-The <span><strong class="command">notify</strong></span> option may also be
-specified in the <span><strong class="command">zone</strong></span> statement,
-in which case it overrides the <span><strong class="command">options notify</strong></span> statement.
-It would only be necessary to turn off this option if it caused slaves
-to crash.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, and a
-DNS query requests recursion, then the server will attempt to do
-all the work required to answer the query. If recursion is off
-and the server does not already know the answer, it will return a
-referral response. The default is <strong class="userinput"><code>yes</code></strong>.
-Note that setting <span><strong class="command">recursion no</strong></span> does not prevent
-clients from getting data from the server's cache; it only
-prevents new data from being cached as an effect of client queries.
-Caching may still occur as an effect the server's internal
-operation, such as NOTIFY address lookups.
-See also <span><strong class="command">fetch-glue</strong></span> above.
-</p></dd>
-<dt><span class="term"><span><strong class="command">rfc2308-type1</strong></span></span></dt>
-<dd>
-<p>Setting this to <strong class="userinput"><code>yes</code></strong> will
-cause the server to send NS records along with the SOA record for negative
-answers. The default is <strong class="userinput"><code>no</code></strong>.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Not yet implemented in <span class="acronym">BIND</span> 9.</p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">use-id-pool</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-<span class="acronym">BIND</span> 9 always allocates query IDs from a pool.
-</p></dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will collect
-statistical data on all zones (unless specifically turned off
-on a per-zone basis by specifying <span><strong class="command">zone-statistics no</strong></span>
-in the <span><strong class="command">zone</strong></span> statement). These statistics may be accessed
-using <span><strong class="command">rndc stats</strong></span>, which will dump them to the file listed
-in the <span><strong class="command">statistics-file</strong></span>. See also <a href="Bv9ARM.ch06.html#statsfile" title="The Statistics File">the section called &#8220;The Statistics File&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">use-ixfr</strong></span></span></dt>
-<dd><p><span class="emphasis"><em>This option is obsolete</em></span>.
-If you need to disable IXFR to a particular server or servers see
-the information on the <span><strong class="command">provide-ixfr</strong></span> option
-in <a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>. See also
-<a href="Bv9ARM.ch04.html#incremental_zone_transfers" title="Incremental Zone Transfers (IXFR)">the section called &#8220;Incremental Zone Transfers (IXFR)&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">provide-ixfr</strong></span></span></dt>
-<dd><p>
-See the description of
-<span><strong class="command">provide-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">request-ixfr</strong></span></span></dt>
-<dd><p>
-See the description of
-<span><strong class="command">request-ixfr</strong></span> in
-<a href="Bv9ARM.ch06.html#server_statement_definition_and_usage" title="server Statement Definition and Usage">the section called &#8220;<span><strong class="command">server</strong></span> Statement Definition and Usage&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">treat-cr-as-space</strong></span></span></dt>
-<dd><p>This option was used in <span class="acronym">BIND</span> 8 to make
-the server treat carriage return ("<span><strong class="command">\r</strong></span>") characters the same way
-as a space or tab character,
-to facilitate loading of zone files on a UNIX system that were generated
-on an NT or DOS machine. In <span class="acronym">BIND</span> 9, both UNIX "<span><strong class="command">\n</strong></span>"
-and NT/DOS "<span><strong class="command">\r\n</strong></span>" newlines are always accepted,
-and the option is ignored.</p></dd>
-<dt>
-<span class="term"><span><strong class="command">additional-from-auth</strong></span>, </span><span class="term"><span><strong class="command">additional-from-cache</strong></span></span>
-</dt>
-<dd>
-<p>
-These options control the behavior of an authoritative server when
-answering queries which have additional data, or when following CNAME
-and DNAME chains.
-</p>
-<p>
-When both of these options are set to <strong class="userinput"><code>yes</code></strong>
-(the default) and a
-query is being answered from authoritative data (a zone
-configured into the server), the additional data section of the
-reply will be filled in using data from other authoritative zones
-and from the cache. In some situations this is undesirable, such
-as when there is concern over the correctness of the cache, or
-in servers where slave zones may be added and modified by
-untrusted third parties. Also, avoiding
-the search for this additional data will speed up server operations
-at the possible expense of additional queries to resolve what would
-otherwise be provided in the additional section.
-</p>
-<p>
-For example, if a query asks for an MX record for host <code class="literal">foo.example.com</code>,
-and the record found is "<code class="literal">MX 10 mail.example.net</code>", normally the address
-records (A and AAAA) for <code class="literal">mail.example.net</code> will be provided as well,
-if known, even though they are not in the example.com zone.
-Setting these options to <span><strong class="command">no</strong></span> disables this behavior and makes
-the server only search for additional data in the zone it answers from.
-</p>
-<p>
-These options are intended for use in authoritative-only
-servers, or in authoritative-only views. Attempts to set
-them to <span><strong class="command">no</strong></span> without also specifying
-<span><strong class="command">recursion no</strong></span> will cause the server to
-ignore the options and log a warning message.
-</p>
-<p>
-Specifying <span><strong class="command">additional-from-cache no</strong></span> actually
-disables the use of the cache not only for additional data lookups
-but also when looking up the answer. This is usually the desired
-behavior in an authoritative-only server where the correctness of
-the cached data is an issue.
-</p>
-<p>
-When a name server is non-recursively queried for a name that is not
-below the apex of any served zone, it normally answers with an
-"upwards referral" to the root servers or the servers of some other
-known parent of the query name. Since the data in an upwards referral
-comes from the cache, the server will not be able to provide upwards
-referrals when <span><strong class="command">additional-from-cache no</strong></span>
-has been specified. Instead, it will respond to such queries
-with REFUSED. This should not cause any problems since
-upwards referrals are not required for the resolution process.
-</p>
-</dd>
-<dt><span class="term"><span><strong class="command">match-mapped-addresses</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, then an
-IPv4-mapped IPv6 address will match any address match
-list entries that match the corresponding IPv4 address.
-Enabling this option is sometimes useful on IPv6-enabled Linux
-systems, to work around a kernel quirk that causes IPv4
-TCP connections such as zone transfers to be accepted
-on an IPv6 socket using mapped addresses, causing
-address match lists designed for IPv4 to fail to match.
-The use of this option for any other purpose is discouraged.
-</p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd>
-<p>
-When 'yes' and the server loads a new version of a master
-zone from its zone file or receives a new version of a slave
-file by a non-incremental zone transfer, it will compare
-the new version to the previous one and calculate a set
-of differences. The differences are then logged in the
-zone's journal file such that the changes can be transmitted
-to downstream slaves as an incremental zone transfer.
-</p>
-<p>
-By allowing incremental zone transfers to be used for
-non-dynamic zones, this option saves bandwidth at the
-expense of increased CPU and memory consumption at the master.
-In particular, if the new version of a zone is completely
-different from the previous one, the set of differences
-will be of a size comparable to the combined size of the
-old and new zone version, and the server will need to
-temporarily allocate memory to hold this complete
-difference set.
-</p>
-</dd>
-<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>
-This should be set when you have multiple masters for a zone and the
-addresses refer to different machines. If 'yes' named will not log
-when the serial number on the master is less than what named currently
-has. The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
-<dd><p>
-Enable DNSSEC support in named. Unless set to <strong class="userinput"><code>yes</code></strong>
-named behaves as if it does not support DNSSEC.
-The default is <strong class="userinput"><code>no</code></strong>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
-<dd><p>
-Specify whether query logging should be started when named start.
-If <span><strong class="command">querylog</strong></span> is not specified then the query logging
-is determined by the presence of the logging category <span><strong class="command">queries</strong></span>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
-<dd>
-<p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received
-from the network. The default varies according to usage area. For
-<span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>.
-For <span><strong class="command">slave</strong></span> zones the default is <span><strong class="command">warn</strong></span>.
-For answer received from the network (<span><strong class="command">response</strong></span>)
-the default is <span><strong class="command">ignore</strong></span>.
-</p>
-<p>The rules for legal hostnames / mail domains are derived from RFC 952
-and RFC 821 as modified by RFC 1123.
-</p>
-<p><span><strong class="command">check-names</strong></span> applies to the owner names of A, AAA and
-MX records. It also applies to the domain names in the RDATA of NS, SOA and MX
-records. It also applies to the RDATA of PTR records where the owner name
-indicated that it is a reverse lookup of a hostname (the owner name ends in
-IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
-</p>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2557350"></a>Forwarding</h4></div></div></div>
-<p>The forwarding facility can be used to create a large site-wide
-cache on a few servers, reducing traffic over links to external
-name servers. It can also be used to allow queries by servers that
-do not have direct access to the Internet, but wish to look up exterior
-names anyway. Forwarding occurs only on those queries for which
-the server is not authoritative and does not have the answer in
-its cache.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>This option is only meaningful if the
-forwarders list is not empty. A value of <code class="varname">first</code>,
-the default, causes the server to query the forwarders first, and
-if that doesn't answer the question the server will then look for
-the answer itself. If <code class="varname">only</code> is specified, the
-server will only query the forwarders.
-</p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Specifies the IP addresses to be used
-for forwarding. The default is the empty list (no forwarding).
-</p></dd>
-</dl></div>
-<p>Forwarding can also be configured on a per-domain basis, allowing
-for the global forwarding options to be overridden in a variety
-of ways. You can set particular domains to use different forwarders,
-or have a different <span><strong class="command">forward only/first</strong></span> behavior,
-or not forward at all, see <a href="Bv9ARM.ch06.html#zone_statement_grammar" title="zone
-Statement Grammar">the section called &#8220;<span><strong class="command">zone</strong></span>
-Statement Grammar&#8221;</a>.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2557400"></a>Dual-stack Servers</h4></div></div></div>
-<p>Dual-stack servers are used as servers of last resort to work around
-problems in reachability due the lack of support for either IPv4 or IPv6
-on the host machine.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">dual-stack-servers</strong></span></span></dt>
-<dd><p>Specifies host names / addresses of machines with access to
-both IPv4 and IPv6 transports. If a hostname is used the server must be able
-to resolve the name using only the transport it has. If the machine is dual
-stacked then the <span><strong class="command">dual-stack-servers</strong></span> have no effect unless
-access to a transport has been disabled on the command line
-(e.g. <span><strong class="command">named -4</strong></span>).</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="access_control"></a>Access Control</h4></div></div></div>
-<p>Access to the server can be restricted based on the IP address
-of the requesting system. See <a href="Bv9ARM.ch06.html#address_match_lists" title="Address Match Lists">the section called &#8220;Address Match Lists&#8221;</a> for
-details on how to specify IP address lists.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-notify this server, a slave, of zone changes in addition
-to the zone masters.
-<span><strong class="command">allow-notify</strong></span> may also be specified in the
-<span><strong class="command">zone</strong></span> statement, in which case it overrides the
-<span><strong class="command">options allow-notify</strong></span> statement. It is only meaningful
-for a slave zone. If not specified, the default is to process notify messages
-only from a zone's master.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-ask ordinary DNS questions. <span><strong class="command">allow-query</strong></span> may also
-be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-query</strong></span> statement. If
-not specified, the default is to allow queries from all hosts.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-make recursive queries through this server. If not specified, the
-default is to allow recursive queries from all hosts.
-Note that disallowing recursive queries for a host does not prevent the
-host from retrieving data that is already in the server's cache.
-</p></dd>
-<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd>
-<p>Specifies which hosts are allowed to
-submit Dynamic DNS updates to slave zones to be forwarded to the
-master. The default is <strong class="userinput"><code>{ none; }</code></strong>, which
-means that no update forwarding will be performed. To enable
-update forwarding, specify
-<strong class="userinput"><code>allow-update-forwarding { any; };</code></strong>.
-Specifying values other than <strong class="userinput"><code>{ none; }</code></strong> or
-<strong class="userinput"><code>{ any; }</code></strong> is usually counterproductive, since
-the responsibility for update access control should rest with the
-master server, not the slaves.</p>
-<p>Note that enabling the update forwarding feature on a slave server
-may expose master servers relying on insecure IP address based
-access control to attacks; see <a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a>
-for more details.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">allow-v6-synthesis</strong></span></span></dt>
-<dd><p>This option was introduced for the smooth transition from AAAA
-to A6 and from "nibble labels" to binary labels.
-However, since both A6 and binary labels were then deprecated,
-this option was also deprecated.
-It is now ignored with some warning messages.
-</p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-receive zone transfers from the server. <span><strong class="command">allow-transfer</strong></span> may
-also be specified in the <span><strong class="command">zone</strong></span> statement, in which
-case it overrides the <span><strong class="command">options allow-transfer</strong></span> statement.
-If not specified, the default is to allow transfers to all hosts.</p></dd>
-<dt><span class="term"><span><strong class="command">blackhole</strong></span></span></dt>
-<dd><p>Specifies a list of addresses that the
-server will not accept queries from or use to resolve a query. Queries
-from these addresses will not be responded to. The default is <strong class="userinput"><code>none</code></strong>.</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2557716"></a>Interfaces</h4></div></div></div>
-<p>The interfaces and ports that the server will answer queries
-from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
-an optional port, and an <code class="varname">address_match_list</code>.
-The server will listen on all interfaces allowed by the address
-match list. If a port is not specified, port 53 will be used.</p>
-<p>Multiple <span><strong class="command">listen-on</strong></span> statements are allowed.
-For example,</p>
-<pre class="programlisting">listen-on { 5.6.7.8; };
-listen-on port 1234 { !1.2.3.4; 1.2/16; };
-</pre>
-<p>will enable the name server on port 53 for the IP address
-5.6.7.8, and on port 1234 of an address on the machine in net
-1.2 that is not 1.2.3.4.</p>
-<p>If no <span><strong class="command">listen-on</strong></span> is specified, the
-server will listen on port 53 on all interfaces.</p>
-<p>The <span><strong class="command">listen-on-v6</strong></span> option is used to
-specify the interfaces and the ports on which the server will listen
-for incoming queries sent using IPv6.</p>
-<p>When </p>
-<pre class="programlisting">{ any; }</pre>
-<p> is specified
-as the <code class="varname">address_match_list</code> for the
-<span><strong class="command">listen-on-v6</strong></span> option,
-the server does not bind a separate socket to each IPv6 interface
-address as it does for IPv4 if the operating system has enough API
-support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
-Instead, it listens on the IPv6 wildcard address.
-If the system only has incomplete API support for IPv6, however,
-the behavior is the same as that for IPv4.</p>
-<p>A list of particular IPv6 addresses can also be specified, in which case
-the server listens on a separate socket for each specified address,
-regardless of whether the desired API is supported by the system.</p>
-<p>Multiple <span><strong class="command">listen-on-v6</strong></span> options can be used.
-For example,</p>
-<pre class="programlisting">listen-on-v6 { any; };
-listen-on-v6 port 1234 { !2001:db8::/32; any; };
-</pre>
-<p>will enable the name server on port 53 for any IPv6 addresses
-(with a single wildcard socket),
-and on port 1234 of IPv6 addresses that is not in the prefix
-2001:db8::/32 (with separate sockets for each matched address.)</p>
-<p>To make the server not listen on any IPv6 address, use</p>
-<pre class="programlisting">listen-on-v6 { none; };
-</pre>
-<p>If no <span><strong class="command">listen-on-v6</strong></span> option is specified,
-the server will not listen on any IPv6 address.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2557804"></a>Query Address</h4></div></div></div>
-<p>If the server doesn't know the answer to a question, it will
-query other name servers. <span><strong class="command">query-source</strong></span> specifies
-the address and port used for such queries. For queries sent over
-IPv6, there is a separate <span><strong class="command">query-source-v6</strong></span> option.
-If <span><strong class="command">address</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
-a wildcard IP address (<span><strong class="command">INADDR_ANY</strong></span>) will be used.
-If <span><strong class="command">port</strong></span> is <span><strong class="command">*</strong></span> or is omitted,
-a random unprivileged port will be used, <span><strong class="command">avoid-v4-udp-ports</strong></span>
-and <span><strong class="command">avoid-v6-udp-ports</strong></span> can be used to prevent named
-from selecting certain ports. The defaults are</p>
-<pre class="programlisting">query-source address * port *;
-query-source-v6 address * port *;
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The address specified in the <span><strong class="command">query-source</strong></span> option
-is used for both UDP and TCP queries, but the port applies only to
-UDP queries. TCP queries always use a random
-unprivileged port.</p>
-</div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>See also <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">notify-source</strong></span>.</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="zone_transfers"></a>Zone Transfers</h4></div></div></div>
-<p><span class="acronym">BIND</span> has mechanisms in place to facilitate zone transfers
-and set limits on the amount of load that transfers place on the
-system. The following options apply to zone transfers.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Defines a global list of IP addresses of name servers
-that are also sent NOTIFY messages whenever a fresh copy of the
-zone is loaded, in addition to the servers listed in the zone's NS records.
-This helps to ensure that copies of the zones will
-quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
-is given in a <span><strong class="command">zone</strong></span> statement, it will override
-the <span><strong class="command">options also-notify</strong></span> statement. When a <span><strong class="command">zone notify</strong></span> statement
-is set to <span><strong class="command">no</strong></span>, the IP addresses in the global <span><strong class="command">also-notify</strong></span> list will
-not be sent NOTIFY messages for that zone. The default is the empty
-list (no global notification list).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>Inbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes
-(1 hour). The maximum value is 28 days (40320 minutes).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers running longer than
-this many minutes will be terminated. The default is 120 minutes
-(2 hours). The maximum value is 28 days (40320 minutes).</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>Outbound zone transfers making no progress
-in this many minutes will be terminated. The default is 60 minutes (1
-hour). The maximum value is 28 days (40320 minutes).</p></dd>
-<dt><span class="term"><span><strong class="command">serial-query-rate</strong></span></span></dt>
-<dd><p>Slave servers will periodically query master servers
-to find out if zone serial numbers have changed. Each such query uses
-a minute amount of the slave server's network bandwidth. To limit the
-amount of bandwidth used, BIND 9 limits the rate at which queries are
-sent. The value of the <span><strong class="command">serial-query-rate</strong></span> option,
-an integer, is the maximum number of queries sent per second.
-The default is 20.
-</p></dd>
-<dt><span class="term"><span><strong class="command">serial-queries</strong></span></span></dt>
-<dd><p>In BIND 8, the <span><strong class="command">serial-queries</strong></span> option
-set the maximum number of concurrent serial number queries
-allowed to be outstanding at any given time.
-BIND 9 does not limit the number of outstanding
-serial queries and ignores the <span><strong class="command">serial-queries</strong></span> option.
-Instead, it limits the rate at which the queries are sent
-as defined using the <span><strong class="command">serial-query-rate</strong></span> option.
-</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-format</strong></span></span></dt>
-<dd><p>
-Zone transfers can be sent using two different formats,
-<span><strong class="command">one-answer</strong></span> and <span><strong class="command">many-answers</strong></span>.
-The <span><strong class="command">transfer-format</strong></span> option is used
-on the master server to determine which format it sends.
-<span><strong class="command">one-answer</strong></span> uses one DNS message per
-resource record transferred.
-<span><strong class="command">many-answers</strong></span> packs as many resource records as
-possible into a message. <span><strong class="command">many-answers</strong></span> is more
-efficient, but is only supported by relatively new slave servers,
-such as <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span> 8.x and patched
-versions of <span class="acronym">BIND</span> 4.9.5. The default is
-<span><strong class="command">many-answers</strong></span>. <span><strong class="command">transfer-format</strong></span>
-may be overridden on a per-server basis by using the
-<span><strong class="command">server</strong></span> statement.
-</p></dd>
-<dt><span class="term"><span><strong class="command">transfers-in</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be running concurrently. The default value is <code class="literal">10</code>.
-Increasing <span><strong class="command">transfers-in</strong></span> may speed up the convergence
-of slave zones, but it also may increase the load on the local system.</p></dd>
-<dt><span class="term"><span><strong class="command">transfers-out</strong></span></span></dt>
-<dd><p>The maximum number of outbound zone transfers
-that can be running concurrently. Zone transfer requests in excess
-of the limit will be refused. The default value is <code class="literal">10</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">transfers-per-ns</strong></span></span></dt>
-<dd><p>The maximum number of inbound zone transfers
-that can be concurrently transferring from a given remote name server.
-The default value is <code class="literal">2</code>. Increasing <span><strong class="command">transfers-per-ns</strong></span> may
-speed up the convergence of slave zones, but it also may increase
-the load on the remote name server. <span><strong class="command">transfers-per-ns</strong></span> may
-be overridden on a per-server basis by using the <span><strong class="command">transfers</strong></span> phrase
-of the <span><strong class="command">server</strong></span> statement.</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p><span><strong class="command">transfer-source</strong></span> determines
-which local address will be bound to IPv4 TCP connections used to
-fetch zones transferred inbound by the server. It also determines
-the source IPv4 address, and optionally the UDP port, used for the
-refresh queries and forwarded dynamic updates. If not set, it defaults
-to a system controlled value which will usually be the address of
-the interface "closest to" the remote end. This address must appear
-in the remote end's <span><strong class="command">allow-transfer</strong></span> option for
-the zone being transferred, if one is specified. This statement
-sets the <span><strong class="command">transfer-source</strong></span> for all zones, but can
-be overridden on a per-view or per-zone basis by including a
-<span><strong class="command">transfer-source</strong></span> statement within the
-<span><strong class="command">view</strong></span> or <span><strong class="command">zone</strong></span> block
-in the configuration file.</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>The same as <span><strong class="command">transfer-source</strong></span>,
-except zone transfers are performed using IPv6.</p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd>
-<p>
- An alternate transfer source if the one listed in
- <span><strong class="command">transfer-source</strong></span> fails and
- <span><strong class="command">use-alt-transfer-source</strong></span> is
- set.
- </p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
- If you do not wish the alternate transfer source
- to be used you should set
- <span><strong class="command">use-alt-transfer-source</strong></span>
- appropriately and you should not depend upon
- getting a answer back to the first refresh
- query.
- </div>
-</dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>An alternate transfer source if the one listed in
-<span><strong class="command">transfer-source-v6</strong></span> fails and
-<span><strong class="command">use-alt-transfer-source</strong></span> is set.</p></dd>
-<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>Use the alternate transfer sources or not. If views are
-specified this defaults to <span><strong class="command">no</strong></span> otherwise it defaults to
-<span><strong class="command">yes</strong></span> (for BIND 8 compatibility).</p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p><span><strong class="command">notify-source</strong></span> determines
-which local source address, and optionally UDP port, will be used to
-send NOTIFY messages.
-This address must appear in the slave server's <span><strong class="command">masters</strong></span>
-zone clause or in an <span><strong class="command">allow-notify</strong></span> clause.
-This statement sets the <span><strong class="command">notify-source</strong></span> for all zones,
-but can be overridden on a per-zone / per-view basis by including a
-<span><strong class="command">notify-source</strong></span> statement within the <span><strong class="command">zone</strong></span>
-or <span><strong class="command">view</strong></span> block in the configuration file.</p></dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>Like <span><strong class="command">notify-source</strong></span>,
-but applies to notify messages sent to IPv6 addresses.</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2558398"></a>Bad UDP Port Lists</h4></div></div></div>
-<p>
-<span><strong class="command">avoid-v4-udp-ports</strong></span> and <span><strong class="command">avoid-v6-udp-ports</strong></span>
-specify a list of IPv4 and IPv6 UDP ports that will not be used as system
-assigned source ports for UDP sockets. These lists prevent named
-from choosing as its random source port a port that is blocked by
-your firewall. If a query went out with such a source port, the
-answer would not get by the firewall and the name server would have
-to query again.
-</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2558414"></a>Operating System Resource Limits</h4></div></div></div>
-<p>The server's usage of many system resources can be limited.
-Scaled values are allowed when specifying resource limits. For
-example, <span><strong class="command">1G</strong></span> can be used instead of
-<span><strong class="command">1073741824</strong></span> to specify a limit of one
-gigabyte. <span><strong class="command">unlimited</strong></span> requests unlimited use, or the
-maximum available amount. <span><strong class="command">default</strong></span> uses the limit
-that was in force when the server was started. See the description of
-<span><strong class="command">size_spec</strong></span> in <a href="Bv9ARM.ch06.html#configuration_file_elements" title="Configuration File Elements">the section called &#8220;Configuration File Elements&#8221;</a>.</p>
-<p>The following options set operating system resource limits for
-the name server process. Some operating systems don't support some or
-any of the limits. On such systems, a warning will be issued if the
-unsupported limit is used.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">coresize</strong></span></span></dt>
-<dd><p>The maximum size of a core dump. The default
-is <code class="literal">default</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">datasize</strong></span></span></dt>
-<dd><p>The maximum amount of data memory the server
-may use. The default is <code class="literal">default</code>.
-This is a hard limit on server memory usage.
-If the server attempts to allocate memory in excess of this
-limit, the allocation will fail, which may in turn leave
-the server unable to perform DNS service. Therefore,
-this option is rarely useful as a way of limiting the
-amount of memory used by the server, but it can be used
-to raise an operating system data size limit that is
-too small by default. If you wish to limit the amount
-of memory used by the server, use the
-<span><strong class="command">max-cache-size</strong></span> and
-<span><strong class="command">recursive-clients</strong></span>
-options instead.
-</p></dd>
-<dt><span class="term"><span><strong class="command">files</strong></span></span></dt>
-<dd><p>The maximum number of files the server
-may have open concurrently. The default is <code class="literal">unlimited</code>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">stacksize</strong></span></span></dt>
-<dd><p>The maximum amount of stack memory the server
-may use. The default is <code class="literal">default</code>.</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2558584"></a>Server Resource Limits</h4></div></div></div>
-<p>The following options set limits on the server's
-resource consumption that are enforced internally by the
-server rather than the operating system.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">max-ixfr-log-size</strong></span></span></dt>
-<dd><p>This option is obsolete; it is accepted
-and ignored for BIND 8 compatibility. The option
-<span><strong class="command">max-journal-size</strong></span> performs a similar
-function in BIND 8.
-</p></dd>
-<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
-<dd><p>Sets a maximum size for each journal file
-(<a href="Bv9ARM.ch04.html#journal" title="The journal file">the section called &#8220;The journal file&#8221;</a>). When the journal file approaches
-the specified size, some of the oldest transactions in the journal
-will be automatically removed. The default is
-<code class="literal">unlimited</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
-<dd><p>In BIND 8, specifies the maximum number of host statistic
-entries to be kept.
-Not implemented in BIND 9.
-</p></dd>
-<dt><span class="term"><span><strong class="command">recursive-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous recursive lookups
-the server will perform on behalf of clients. The default is
-<code class="literal">1000</code>. Because each recursing client uses a fair
-bit of memory, on the order of 20 kilobytes, the value of the
-<span><strong class="command">recursive-clients</strong></span> option may have to be decreased
-on hosts with limited memory.
-</p></dd>
-<dt><span class="term"><span><strong class="command">tcp-clients</strong></span></span></dt>
-<dd><p>The maximum number of simultaneous client TCP
-connections that the server will accept.
-The default is <code class="literal">100</code>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-cache-size</strong></span></span></dt>
-<dd><p>The maximum amount of memory to use for the
-server's cache, in bytes. When the amount of data in the cache
-reaches this limit, the server will cause records to expire
-prematurely so that the limit is not exceeded. In a server with
-multiple views, the limit applies separately to the cache of each
-view. The default is <code class="literal">unlimited</code>, meaning that
-records are purged from the cache only when their TTLs expire.
-</p></dd>
-<dt><span class="term"><span><strong class="command">tcp-listen-queue</strong></span></span></dt>
-<dd><p>The listen queue depth. The default and minimum is 3.
-If the kernel supports the accept filter "dataready" this also controls how
-many TCP connections that will be queued in kernel space waiting for
-some data before being passed to accept. Values less than 3 will be
-silently raised.
-</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2558765"></a>Periodic Task Intervals</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
-<dd><p>The server will remove expired resource records
-from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
-The default is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, no periodic cleaning will occur.</p></dd>
-<dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
-<dd><p>The server will perform zone maintenance tasks
-for all zones marked as <span><strong class="command">dialup</strong></span> whenever this
-interval expires. The default is 60 minutes. Reasonable values are up
-to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
-If set to 0, no zone maintenance for these zones will occur.</p></dd>
-<dt><span class="term"><span><strong class="command">interface-interval</strong></span></span></dt>
-<dd><p>The server will scan the network interface list
-every <span><strong class="command">interface-interval</strong></span> minutes. The default
-is 60 minutes. The maximum value is 28 days (40320 minutes).
-If set to 0, interface scanning will only occur when
-the configuration file is loaded. After the scan, the server will
-begin listening for queries on any newly discovered
-interfaces (provided they are allowed by the
-<span><strong class="command">listen-on</strong></span> configuration), and will
-stop listening on interfaces that have gone away.</p></dd>
-<dt><span class="term"><span><strong class="command">statistics-interval</strong></span></span></dt>
-<dd>
-<p>Name server statistics will be logged
-every <span><strong class="command">statistics-interval</strong></span> minutes. The default is
-60. The maximum value is 28 days (40320 minutes).
-If set to 0, no statistics will be logged.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Not yet implemented in <span class="acronym">BIND</span>9.</p>
-</div>
-</dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="topology"></a>Topology</h4></div></div></div>
-<p>All other things being equal, when the server chooses a name server
-to query from a list of name servers, it prefers the one that is
-topologically closest to itself. The <span><strong class="command">topology</strong></span> statement
-takes an <span><strong class="command">address_match_list</strong></span> and interprets it
-in a special way. Each top-level list element is assigned a distance.
-Non-negated elements get a distance based on their position in the
-list, where the closer the match is to the start of the list, the
-shorter the distance is between it and the server. A negated match
-will be assigned the maximum distance from the server. If there
-is no match, the address will get a distance which is further than
-any non-negated list element, and closer than any negated element.
-For example,</p>
-<pre class="programlisting">topology {
- 10/8;
- !1.2.3/24;
- { 1.2/16; 3/8; };
-};</pre>
-<p>will prefer servers on network 10 the most, followed by hosts
-on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
-exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
-is preferred least of all.</p>
-<p>The default topology is</p>
-<pre class="programlisting"> topology { localhost; localnets; };
-</pre>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The <span><strong class="command">topology</strong></span> option
-is not implemented in <span class="acronym">BIND</span> 9.
-</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="the_sortlist_statement"></a>The <span><strong class="command">sortlist</strong></span> Statement</h4></div></div></div>
-<p>The response to a DNS query may consist of multiple resource
-records (RRs) forming a resource records set (RRset).
-The name server will normally return the
-RRs within the RRset in an indeterminate order
-(but see the <span><strong class="command">rrset-order</strong></span>
-statement in <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>).
-The client resolver code should rearrange the RRs as appropriate,
-that is, using any addresses on the local net in preference to other addresses.
-However, not all resolvers can do this or are correctly configured.
-When a client is using a local server the sorting can be performed
-in the server, based on the client's address. This only requires
-configuring the name servers, not all the clients.</p>
-<p>The <span><strong class="command">sortlist</strong></span> statement (see below) takes
-an <span><strong class="command">address_match_list</strong></span> and interprets it even
-more specifically than the <span><strong class="command">topology</strong></span> statement
-does (<a href="Bv9ARM.ch06.html#topology" title="Topology">the section called &#8220;Topology&#8221;</a>).
-Each top level statement in the <span><strong class="command">sortlist</strong></span> must
-itself be an explicit <span><strong class="command">address_match_list</strong></span> with
-one or two elements. The first element (which may be an IP address,
-an IP prefix, an ACL name or a nested <span><strong class="command">address_match_list</strong></span>)
-of each top level list is checked against the source address of
-the query until a match is found.</p>
-<p>Once the source address of the query has been matched, if
-the top level statement contains only one element, the actual primitive
-element that matched the source address is used to select the address
-in the response to move to the beginning of the response. If the
-statement is a list of two elements, then the second element is
-treated the same as the <span><strong class="command">address_match_list</strong></span> in
-a <span><strong class="command">topology</strong></span> statement. Each top level element
-is assigned a distance and the address in the response with the minimum
-distance is moved to the beginning of the response.</p>
-<p>In the following example, any queries received from any of
-the addresses of the host itself will get responses preferring addresses
-on any of the locally connected networks. Next most preferred are addresses
-on the 192.168.1/24 network, and after that either the 192.168.2/24
-or
-192.168.3/24 network with no preference shown between these two
-networks. Queries received from a host on the 192.168.1/24 network
-will prefer other addresses on that network to the 192.168.2/24
-and
-192.168.3/24 networks. Queries received from a host on the 192.168.4/24
-or the 192.168.5/24 network will only prefer other addresses on
-their directly connected networks.</p>
-<pre class="programlisting">sortlist {
- { localhost; // IF the local host
- { localnets; // THEN first fit on the
- 192.168.1/24; // following nets
- { 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.1/24; // IF on class C 192.168.1
- { 192.168.1/24; // THEN use .1, or .2 or .3
- { 192.168.2/24; 192.168.3/24; }; }; };
- { 192.168.2/24; // IF on class C 192.168.2
- { 192.168.2/24; // THEN use .2, or .1 or .3
- { 192.168.1/24; 192.168.3/24; }; }; };
- { 192.168.3/24; // IF on class C 192.168.3
- { 192.168.3/24; // THEN use .3, or .1 or .2
- { 192.168.1/24; 192.168.2/24; }; }; };
- { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
- };
-};</pre>
-<p>The following example will give reasonable behavior for the
-local host and hosts on directly connected networks. It is similar
-to the behavior of the address sort in <span class="acronym">BIND</span> 4.9.x. Responses sent
-to queries from the local host will favor any of the directly connected
-networks. Responses sent to queries from any other hosts on a directly
-connected network will prefer addresses on that same network. Responses
-to other queries will not be sorted.</p>
-<pre class="programlisting">sortlist {
- { localhost; localnets; };
- { localnets; };
-};
-</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="rrset_ordering"></a>RRset Ordering</h4></div></div></div>
-<p>When multiple records are returned in an answer it may be
-useful to configure the order of the records placed into the response.
-The <span><strong class="command">rrset-order</strong></span> statement permits configuration
-of the ordering of the records in a multiple record response.
-See also the <span><strong class="command">sortlist</strong></span> statement,
-<a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a>.
-</p>
-<p>An <span><strong class="command">order_spec</strong></span> is defined as follows:</p>
-<pre class="programlisting">[<span class="optional"> class <em class="replaceable"><code>class_name</code></em> </span>][<span class="optional"> type <em class="replaceable"><code>type_name</code></em> </span>][<span class="optional"> name <em class="replaceable"><code>"domain_name"</code></em></span>]
- order <em class="replaceable"><code>ordering</code></em>
-</pre>
-<p>If no class is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no type is specified, the default is <span><strong class="command">ANY</strong></span>.
-If no name is specified, the default is "<span><strong class="command">*</strong></span>".</p>
-<p>The legal values for <span><strong class="command">ordering</strong></span> are:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">fixed</strong></span></p></td>
-<td><p>Records are returned in the order they
-are defined in the zone file.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">random</strong></span></p></td>
-<td><p>Records are returned in some random order.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">cyclic</strong></span></p></td>
-<td><p>Records are returned in a round-robin
-order.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>For example:</p>
-<pre class="programlisting">rrset-order {
- class IN type A name "host.example.com" order random;
- order cyclic;
-};
-</pre>
-<p>will cause any responses for type A records in class IN that
-have "<code class="literal">host.example.com</code>" as a suffix, to always be returned
-in random order. All other records are returned in cyclic order.</p>
-<p>If multiple <span><strong class="command">rrset-order</strong></span> statements appear,
-they are not combined &#8212; the last one applies.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The <span><strong class="command">rrset-order</strong></span> statement
-is not yet fully implemented in <span class="acronym">BIND</span> 9.
-BIND 9 currently does not support "fixed" ordering.
-</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="tuning"></a>Tuning</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">lame-ttl</strong></span></span></dt>
-<dd><p>Sets the number of seconds to cache a
-lame server indication. 0 disables caching. (This is
-<span class="bold"><strong>NOT</strong></span> recommended.)
-Default is <code class="literal">600</code> (10 minutes). Maximum value is
-<code class="literal">1800</code> (30 minutes).</p></dd>
-<dt><span class="term"><span><strong class="command">max-ncache-ttl</strong></span></span></dt>
-<dd><p>To reduce network traffic and increase performance
-the server stores negative answers. <span><strong class="command">max-ncache-ttl</strong></span> is
-used to set a maximum retention time for these answers in the server
-in seconds. The default
-<span><strong class="command">max-ncache-ttl</strong></span> is <code class="literal">10800</code> seconds (3 hours).
-<span><strong class="command">max-ncache-ttl</strong></span> cannot exceed 7 days and will
-be silently truncated to 7 days if set to a greater value.</p></dd>
-<dt><span class="term"><span><strong class="command">max-cache-ttl</strong></span></span></dt>
-<dd><p><span><strong class="command">max-cache-ttl</strong></span> sets
-the maximum time for which the server will cache ordinary (positive)
-answers. The default is one week (7 days).</p></dd>
-<dt><span class="term"><span><strong class="command">min-roots</strong></span></span></dt>
-<dd>
-<p>The minimum number of root servers that
-is required for a request for the root servers to be accepted. Default
-is <strong class="userinput"><code>2</code></strong>.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Not implemented in <span class="acronym">BIND</span>9.</p>
-</div>
-</dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>Specifies the number of days into the
-future when DNSSEC signatures automatically generated as a result
-of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
-will expire. The default is <code class="literal">30</code> days.
-The maximum value is 10 years (3660 days). The signature
-inception time is unconditionally set to one hour before the current time
-to allow for a limited amount of clock skew.</p></dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd>
-<p>
-These options control the server's behavior on refreshing a zone
-(querying for SOA changes) or retrying failed transfers.
-Usually the SOA values for the zone are used, but these values
-are set by the master, giving slave server administrators little
-control over their contents.
-</p>
-<p>
-These options allow the administrator to set a minimum and maximum
-refresh and retry time either per-zone, per-view, or globally.
-These options are valid for slave and stub zones,
-and clamp the SOA refresh and retry times to the specified values.
-</p>
-</dd>
-<dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
-<dd><p>
-<span><strong class="command">edns-udp-size</strong></span> sets the advertised EDNS UDP buffer
-size. Valid values are 512 to 4096 (values outside this range will be
-silently adjusted). The default value is 4096. The usual reason for
-setting edns-udp-size to a non default value it to get UDP answers to
-pass through broken firewalls that block fragmented packets and/or
-block UDP packets that are greater than 512 bytes.
-</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="builtin"></a>Built-in server information zones</h4></div></div></div>
-<p>The server provides some helpful diagnostic information
-through a number of built-in zones under the
-pseudo-top-level-domain <code class="literal">bind</code> in the
-<span><strong class="command">CHAOS</strong></span> class. These zones are part of a
-built-in view (see <a href="Bv9ARM.ch06.html#view_statement_grammar" title="view Statement Grammar">the section called &#8220;<span><strong class="command">view</strong></span> Statement Grammar&#8221;</a>) of class
-<span><strong class="command">CHAOS</strong></span> which is separate from the default view of
-class <span><strong class="command">IN</strong></span>; therefore, any global server options
-such as <span><strong class="command">allow-query</strong></span> do not apply the these zones.
-If you feel the need to disable these zones, use the options
-below, or hide the built-in <span><strong class="command">CHAOS</strong></span> view by
-defining an explicit view of class <span><strong class="command">CHAOS</strong></span>
-that matches all clients.</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">version</strong></span></span></dt>
-<dd><p>The version the server should report
-via a query of the name <code class="literal">version.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The default is the real version number of this server.
-Specifying <span><strong class="command">version none</strong></span>
-disables processing of the queries.</p></dd>
-<dt><span class="term"><span><strong class="command">hostname</strong></span></span></dt>
-<dd><p>The hostname the server should report via a query of
-the name <code class="filename">hostname.bind</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-This defaults to the hostname of the machine hosting the name server as
-found by gethostname(). The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <span><strong class="command">hostname none;</strong></span>
-disables processing of the queries.</p></dd>
-<dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
-<dd><p>The ID of the server should report via a query of
-the name <code class="filename">ID.SERVER</code>
-with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
-The primary purpose of such queries is to
-identify which of a group of anycast servers is actually
-answering your queries. Specifying <span><strong class="command">server-id none;</strong></span>
-disables processing of the queries.
-Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
-use the hostname as found by gethostname().
-The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
-</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>The statistics file generated by <span class="acronym">BIND</span> 9
-is similar, but not identical, to that
-generated by <span class="acronym">BIND</span> 8.
-</p>
-<p>The statistics dump begins with the line <span><strong class="command">+++ Statistics Dump
-+++ (973798949)</strong></span>, where the number in parentheses is a standard
-Unix-style timestamp, measured as seconds since January 1, 1970. Following
-that line are a series of lines containing a counter type, the value of the
-counter, optionally a zone name, and optionally a view name.
-The lines without view and zone listed are global statistics for the entire server.
-Lines with a zone and view name for the given view and zone (the view name is
-omitted for the default view). The statistics dump ends
-with the line <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>, where the
-number is identical to the number in the beginning line.</p>
-<p>The following statistics counters are maintained:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">success</strong></span></p></td>
-<td><p>The number of
-successful queries made to the server or zone. A successful query
-is defined as query which returns a NOERROR response with at least
-one answer RR.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">referral</strong></span></p></td>
-<td><p>The number of queries which resulted
-in referral responses.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">nxrrset</strong></span></p></td>
-<td><p>The number of queries which resulted in
-NOERROR responses with no data.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">nxdomain</strong></span></p></td>
-<td><p>The number
-of queries which resulted in NXDOMAIN responses.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">failure</strong></span></p></td>
-<td><p>The number of queries which resulted in a
-failure response other than those above.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">recursion</strong></span></p></td>
-<td><p>The number of queries which caused the server
-to perform recursion in order to find the final answer.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>
-Each query received by the server will cause exactly one of
-<span><strong class="command">success</strong></span>,
-<span><strong class="command">referral</strong></span>,
-<span><strong class="command">nxrrset</strong></span>,
-<span><strong class="command">nxdomain</strong></span>, or
-<span><strong class="command">failure</strong></span>
-to be incremented, and may additionally cause the
-<span><strong class="command">recursion</strong></span> counter to be incremented.
-</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_grammar"></a><span><strong class="command">server</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">server <em class="replaceable"><code>ip_addr</code></em> {
- [<span class="optional"> bogus <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> request-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> edns <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> transfers <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> transfer-format <em class="replaceable"><code>( one-answer | many-answers )</code></em> ; ]</span>]
- [<span class="optional"> keys <em class="replaceable"><code>{ string ; [<span class="optional"> string ; [<span class="optional">...</span>]</span>] }</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="server_statement_definition_and_usage"></a><span><strong class="command">server</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">server</strong></span> statement defines characteristics
-to be associated with a remote name server.</p>
-<p>
-The <span><strong class="command">server</strong></span> statement can occur at the top level of the
-configuration file or inside a <span><strong class="command">view</strong></span> statement.
-If a <span><strong class="command">view</strong></span> statement contains
-one or more <span><strong class="command">server</strong></span> statements, only those
-apply to the view and any top-level ones are ignored.
-If a view contains no <span><strong class="command">server</strong></span> statements,
-any top-level <span><strong class="command">server</strong></span> statements are used as
-defaults.
-</p>
-<p>If you discover that a remote server is giving out bad data,
-marking it as bogus will prevent further queries to it. The default
-value of <span><strong class="command">bogus</strong></span> is <span><strong class="command">no</strong></span>.</p>
-<p>The <span><strong class="command">provide-ixfr</strong></span> clause determines whether
-the local server, acting as master, will respond with an incremental
-zone transfer when the given remote server, a slave, requests it.
-If set to <span><strong class="command">yes</strong></span>, incremental transfer will be provided
-whenever possible. If set to <span><strong class="command">no</strong></span>, all transfers
-to the remote server will be non-incremental. If not set, the value
-of the <span><strong class="command">provide-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>The <span><strong class="command">request-ixfr</strong></span> clause determines whether
-the local server, acting as a slave, will request incremental zone
-transfers from the given remote server, a master. If not set, the
-value of the <span><strong class="command">request-ixfr</strong></span> option in the view or
-global options block is used as a default.</p>
-<p>IXFR requests to servers that do not support IXFR will automatically
-fall back to AXFR. Therefore, there is no need to manually list
-which servers support IXFR and which ones do not; the global default
-of <span><strong class="command">yes</strong></span> should always work.
-The purpose of the <span><strong class="command">provide-ixfr</strong></span> and
-<span><strong class="command">request-ixfr</strong></span> clauses is
-to make it possible to disable the use of IXFR even when both master
-and slave claim to support it, for example if one of the servers
-is buggy and crashes or corrupts data when IXFR is used.</p>
-<p>The <span><strong class="command">edns</strong></span> clause determines whether the local server
-will attempt to use EDNS when communicating with the remote server. The
-default is <span><strong class="command">yes</strong></span>.</p>
-<p>The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
-uses one DNS message per resource record transferred. <span><strong class="command">many-answers</strong></span> packs
-as many resource records as possible into a message. <span><strong class="command">many-answers</strong></span> is
-more efficient, but is only known to be understood by <span class="acronym">BIND</span> 9, <span class="acronym">BIND</span>
-8.x, and patched versions of <span class="acronym">BIND</span> 4.9.5. You can specify which method
-to use for a server with the <span><strong class="command">transfer-format</strong></span> option.
-If <span><strong class="command">transfer-format</strong></span> is not specified, the <span><strong class="command">transfer-format</strong></span> specified
-by the <span><strong class="command">options</strong></span> statement will be used.</p>
-<p><span><strong class="command">transfers</strong></span> is used to limit the number of
-concurrent inbound zone transfers from the specified server. If
-no <span><strong class="command">transfers</strong></span> clause is specified, the limit is
-set according to the <span><strong class="command">transfers-per-ns</strong></span> option.</p>
-<p>The <span><strong class="command">keys</strong></span> clause identifies a
-<span><strong class="command">key_id</strong></span> defined by the <span><strong class="command">key</strong></span> statement,
-to be used for transaction security (TSIG, <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
-when talking to the remote server.
-When a request is sent to the remote server, a request signature
-will be generated using the key specified here and appended to the
-message. A request originating from the remote server is not required
-to be signed by this key.</p>
-<p>Although the grammar of the <span><strong class="command">keys</strong></span> clause
-allows for multiple keys, only a single key per server is currently
-supported.</p>
-<p>The <span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> clauses specify the IPv4 and IPv6 source
-address to be used for zone transfer with the remote server, respectively.
-For an IPv4 remote server, only <span><strong class="command">transfer-source</strong></span> can
-be specified.
-Similarly, for an IPv6 remote server, only
-<span><strong class="command">transfer-source-v6</strong></span> can be specified.
-Form more details, see the description of
-<span><strong class="command">transfer-source</strong></span> and
-<span><strong class="command">transfer-source-v6</strong></span> in
-<a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2562233"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">trusted-keys {
- <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
- [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2562281"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
-and Usage</h3></div></div></div>
-<p>The <span><strong class="command">trusted-keys</strong></span> statement defines DNSSEC
-security roots. DNSSEC is described in <a href="Bv9ARM.ch04.html#DNSSEC" title="DNSSEC">the section called &#8220;DNSSEC&#8221;</a>. A security root is defined when the public key for a non-authoritative
-zone is known, but cannot be securely obtained through DNS, either
-because it is the DNS root zone or because its parent zone is unsigned.
-Once a key has been configured as a trusted key, it is treated as
-if it had been validated and proven secure. The resolver attempts
-DNSSEC validation on all DNS data in subdomains of a security root.</p>
-<p>The <span><strong class="command">trusted-keys</strong></span> statement can contain
-multiple key entries, each consisting of the key's domain name,
-flags, protocol, algorithm, and the base-64 representation of the
-key data.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="view_statement_grammar"></a><span><strong class="command">view</strong></span> Statement Grammar</h3></div></div></div>
-<pre class="programlisting">view <em class="replaceable"><code>view_name</code></em>
- [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
- match-clients { <em class="replaceable"><code>address_match_list</code></em> } ;
- match-destinations { <em class="replaceable"><code>address_match_list</code></em> } ;
- match-recursive-only <em class="replaceable"><code>yes_or_no</code></em> ;
- [<span class="optional"> <em class="replaceable"><code>view_option</code></em>; ...</span>]
- [<span class="optional"> <em class="replaceable"><code>zone_statement</code></em>; ...</span>]
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2562349"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
-<p>The <span><strong class="command">view</strong></span> statement is a powerful new feature
-of <span class="acronym">BIND</span> 9 that lets a name server answer a DNS query differently
-depending on who is asking. It is particularly useful for implementing
-split DNS setups without having to run multiple servers.</p>
-<p>Each <span><strong class="command">view</strong></span> statement defines a view of the
-DNS namespace that will be seen by a subset of clients. A client matches
-a view if its source IP address matches the
-<code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-clients</strong></span> clause and its destination IP address matches
-the <code class="varname">address_match_list</code> of the view's
-<span><strong class="command">match-destinations</strong></span> clause. If not specified, both
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-default to matching all addresses. In addition to checking IP addresses
-<span><strong class="command">match-clients</strong></span> and <span><strong class="command">match-destinations</strong></span>
-can also take <span><strong class="command">keys</strong></span> which provide an mechanism for the
-client to select the view. A view can also be specified
-as <span><strong class="command">match-recursive-only</strong></span>, which means that only recursive
-requests from matching clients will match that view.
-The order of the <span><strong class="command">view</strong></span> statements is significant &#8212;
-a client request will be resolved in the context of the first
-<span><strong class="command">view</strong></span> that it matches.</p>
-<p>Zones defined within a <span><strong class="command">view</strong></span> statement will
-be only be accessible to clients that match the <span><strong class="command">view</strong></span>.
- By defining a zone of the same name in multiple views, different
-zone data can be given to different clients, for example, "internal"
-and "external" clients in a split DNS setup.</p>
-<p>Many of the options given in the <span><strong class="command">options</strong></span> statement
-can also be used within a <span><strong class="command">view</strong></span> statement, and then
-apply only when resolving queries with that view. When no view-specific
-value is given, the value in the <span><strong class="command">options</strong></span> statement
-is used as a default. Also, zone options can have default values specified
-in the <span><strong class="command">view</strong></span> statement; these view-specific defaults
-take precedence over those in the <span><strong class="command">options</strong></span> statement.</p>
-<p>Views are class specific. If no class is given, class IN
-is assumed. Note that all non-IN views must contain a hint zone,
-since only the IN class has compiled-in default hints.</p>
-<p>If there are no <span><strong class="command">view</strong></span> statements in the config
-file, a default view that matches any client is automatically created
-in class IN. Any <span><strong class="command">zone</strong></span> statements specified on
-the top level of the configuration file are considered to be part of
-this default view, and the <span><strong class="command">options</strong></span> statement will
-apply to the default view. If any explicit <span><strong class="command">view</strong></span>
-statements are present, all <span><strong class="command">zone</strong></span> statements must
-occur inside <span><strong class="command">view</strong></span> statements.</p>
-<p>Here is an example of a typical split DNS setup implemented
-using <span><strong class="command">view</strong></span> statements.</p>
-<pre class="programlisting">view "internal" {
- // This should match our internal networks.
- match-clients { 10.0.0.0/8; };
-
- // Provide recursive service to internal clients only.
- recursion yes;
-
- // Provide a complete view of the example.com zone
- // including addresses of internal hosts.
- zone "example.com" {
- type master;
- file "example-internal.db";
- };
-};
-
-view "external" {
- // Match all clients not matched by the previous view.
- match-clients { any; };
-
- // Refuse recursive service to external clients.
- recursion no;
-
- // Provide a restricted view of the example.com zone
- // containing only publicly accessible hosts.
- zone "example.com" {
- type master;
- file "example-external.db";
- };
-};
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="zone_statement_grammar"></a><span><strong class="command">zone</strong></span>
-Statement Grammar</h3></div></div></div>
-<pre class="programlisting">zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] [<span class="optional">{
- type ( master | slave | hint | stub | forward | delegation-only ) ;
- [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] } ; </span>]
- [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> } ; </span>]
- [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
- [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
- [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
- [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
- [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] } ; </span>]
- [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-idle-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> ; </span>]
- [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> alt-transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> use-alt-transfer-source <em class="replaceable"><code>yes_or_no</code></em>; </span>]
- [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
- [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
- [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> min-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> max-retry-time <em class="replaceable"><code>number</code></em> ; </span>]
- [<span class="optional"> multi-master <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
- [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
-
-}</span>];
-</pre>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2563022"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2563029"></a>Zone Types</h4></div></div></div>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="varname">master</code></p></td>
-<td><p>The server has a master copy of the data
-for the zone and will be able to provide authoritative answers for
-it.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">slave</code></p></td>
-<td><p>A slave zone is a replica of a master
-zone. The <span><strong class="command">masters</strong></span> list specifies one or more IP addresses
-of master servers that the slave contacts to update its copy of the zone.
-Masters list elements can also be names of other masters lists.
-By default, transfers are made from port 53 on the servers; this can
-be changed for all servers by specifying a port number before the
-list of IP addresses, or on a per-server basis after the IP address.
-Authentication to the master can also be done with per-server TSIG keys.
-If a file is specified, then the
-replica will be written to this file whenever the zone is changed,
-and reloaded from this file on a server restart. Use of a file is
-recommended, since it often speeds server start-up and eliminates
-a needless waste of bandwidth. Note that for large numbers (in the
-tens or hundreds of thousands) of zones per server, it is best to
-use a two level naming scheme for zone file names. For example,
-a slave server for the zone <code class="literal">example.com</code> might place
-the zone contents into a file called
-<code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
-just the first two letters of the zone name. (Most operating systems
-behave very slowly if you put 100 000 files into
-a single directory.)</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">stub</code></p></td>
-<td>
-<p>A stub zone is similar to a slave zone,
-except that it replicates only the NS records of a master zone instead
-of the entire zone. Stub zones are not a standard part of the DNS;
-they are a feature specific to the <span class="acronym">BIND</span> implementation.
-</p>
-
-<p>Stub zones can be used to eliminate the need for glue NS record
-in a parent zone at the expense of maintaining a stub zone entry and
-a set of name server addresses in <code class="filename">named.conf</code>.
-This usage is not recommended for new configurations, and BIND 9
-supports it only in a limited way.
-In <span class="acronym">BIND</span> 4/8, zone transfers of a parent zone
-included the NS records from stub children of that zone. This meant
-that, in some cases, users could get away with configuring child stubs
-only in the master server for the parent zone. <span class="acronym">BIND</span>
-9 never mixes together zone data from different zones in this
-way. Therefore, if a <span class="acronym">BIND</span> 9 master serving a parent
-zone has child stub zones configured, all the slave servers for the
-parent zone also need to have the same child stub zones
-configured.</p>
-
-<p>Stub zones can also be used as a way of forcing the resolution
-of a given domain to use a particular set of authoritative servers.
-For example, the caching name servers on a private network using
-RFC1981 addressing may be configured with stub zones for
-<code class="literal">10.in-addr.arpa</code>
-to use a set of internal name servers as the authoritative
-servers for that domain.</p>
-</td>
-</tr>
-<tr>
-<td><p><code class="varname">forward</code></p></td>
-<td>
-<p>A "forward zone" is a way to configure
-forwarding on a per-domain basis. A <span><strong class="command">zone</strong></span> statement
-of type <span><strong class="command">forward</strong></span> can contain a <span><strong class="command">forward</strong></span> and/or <span><strong class="command">forwarders</strong></span> statement,
-which will apply to queries within the domain given by the zone
-name. If no <span><strong class="command">forwarders</strong></span> statement is present or
-an empty list for <span><strong class="command">forwarders</strong></span> is given, then no
-forwarding will be done for the domain, canceling the effects of
-any forwarders in the <span><strong class="command">options</strong></span> statement. Thus
-if you want to use this type of zone to change the behavior of the
-global <span><strong class="command">forward</strong></span> option (that is, "forward first
-to", then "forward only", or vice versa, but want to use the same
-servers as set globally) you need to re-specify the global forwarders.</p>
-</td>
-</tr>
-<tr>
-<td><p><code class="varname">hint</code></p></td>
-<td><p>The initial set of root name servers is
-specified using a "hint zone". When the server starts up, it uses
-the root hints to find a root name server and get the most recent
-list of root name servers. If no hint zone is specified for class
-IN, the server uses a compiled-in default set of root servers hints.
-Classes other than IN have no built-in defaults hints.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">delegation-only</code></p></td>
-<td>
-<p>This is used to enforce the delegation only
-status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
-is received without a explicit or implicit delegation in the authority
-section will be treated as NXDOMAIN. This does not apply to the zone
-apex. This SHOULD NOT be applied to leaf zones.</p>
-<p><code class="varname">delegation-only</code> has no effect on answers received
-from forwarders.</p>
-</td>
-</tr>
-</tbody>
-</table></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2563267"></a>Class</h4></div></div></div>
-<p>The zone's name may optionally be followed by a class. If
-a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
-is assumed. This is correct for the vast majority of cases.</p>
-<p>The <code class="literal">hesiod</code> class is
-named for an information service from MIT's Project Athena. It is
-used to share information about various systems databases, such
-as users, groups, printers and so on. The keyword
-<code class="literal">HS</code> is
-a synonym for hesiod.</p>
-<p>Another MIT development is CHAOSnet, a LAN protocol created
-in the mid-1970s. Zone data for it can be specified with the <code class="literal">CHAOS</code> class.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2563434"></a>Zone Options</h4></div></div></div>
-<div class="variablelist"><dl>
-<dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-notify</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a></p></dd>
-<dt><span class="term"><span><strong class="command">allow-query</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a></p></dd>
-<dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-transfer</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
-<dd><p>Specifies which hosts are allowed to
-submit Dynamic DNS updates for master zones. The default is to deny
-updates from all hosts. Note that allowing updates based
-on the requestor's IP address is insecure; see
-<a href="Bv9ARM.ch07.html#dynamic_update_security" title="Dynamic Update Security">the section called &#8220;Dynamic Update Security&#8221;</a> for details.
-</p></dd>
-<dt><span class="term"><span><strong class="command">update-policy</strong></span></span></dt>
-<dd><p>Specifies a "Simple Secure Update" policy. See
-<a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">allow-update-forwarding</strong></span></span></dt>
-<dd><p>See the description of <span><strong class="command">allow-update-forwarding</strong></span>
-in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">also-notify</strong></span></span></dt>
-<dd><p>Only meaningful if <span><strong class="command">notify</strong></span> is
-active for this zone. The set of machines that will receive a
-<code class="literal">DNS NOTIFY</code> message
-for this zone is made up of all the listed name servers (other than
-the primary master) for the zone plus any IP addresses specified
-with <span><strong class="command">also-notify</strong></span>. A port may be specified
-with each <span><strong class="command">also-notify</strong></span> address to send the notify
-messages to a port other than the default of 53.
-<span><strong class="command">also-notify</strong></span> is not meaningful for stub zones.
-The default is the empty list.</p></dd>
-<dt><span class="term"><span><strong class="command">check-names</strong></span></span></dt>
-<dd><p>
-This option is used to restrict the character set and syntax of
-certain domain names in master files and/or DNS responses received from the
-network. The default varies according to zone type. For <span><strong class="command">master</strong></span> zones the default is <span><strong class="command">fail</strong></span>. For <span><strong class="command">slave</strong></span>
-zones the default is <span><strong class="command">warn</strong></span>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
-<dd>
-<p>Specify the type of database to be used for storing the
-zone data. The string following the <span><strong class="command">database</strong></span> keyword
-is interpreted as a list of whitespace-delimited words. The first word
-identifies the database type, and any subsequent words are passed
-as arguments to the database to be interpreted in a way specific
-to the database type.</p>
-<p>The default is <strong class="userinput"><code>"rbt"</code></strong>, BIND 9's native in-memory
-red-black-tree database. This database does not take arguments.</p>
-<p>Other values are possible if additional database drivers
-have been linked into the server. Some sample drivers are included
-with the distribution but none are linked in by default.</p>
-</dd>
-<dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">dialup</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">delegation-only</strong></span></span></dt>
-<dd><p>The flag only applies to hint and stub zones. If set
-to <strong class="userinput"><code>yes</code></strong> then the zone will also be treated as if it
-is also a delegation-only type zone.
-</p></dd>
-<dt><span class="term"><span><strong class="command">forward</strong></span></span></dt>
-<dd><p>Only meaningful if the zone has a forwarders
-list. The <span><strong class="command">only</strong></span> value causes the lookup to fail
-after trying the forwarders and getting no answer, while <span><strong class="command">first</strong></span> would
-allow a normal lookup to be tried.</p></dd>
-<dt><span class="term"><span><strong class="command">forwarders</strong></span></span></dt>
-<dd><p>Used to override the list of global forwarders.
-If it is not specified in a zone of type <span><strong class="command">forward</strong></span>,
-no forwarding is done for the zone; the global options are not used.</p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-base</strong></span></span></dt>
-<dd><p>Was used in <span class="acronym">BIND</span> 8 to specify the name
-of the transaction log (journal) file for dynamic update and IXFR.
-<span class="acronym">BIND</span> 9 ignores the option and constructs the name of the journal
-file by appending "<code class="filename">.jnl</code>" to the name of the
-zone file.</p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-tmp-file</strong></span></span></dt>
-<dd><p>Was an undocumented option in <span class="acronym">BIND</span> 8.
-Ignored in <span class="acronym">BIND</span> 9.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-in</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-in</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-time-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-time-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">max-transfer-idle-out</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">max-transfer-idle-out</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">notify</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
-<dd><p>In <span class="acronym">BIND</span> 8, this option was intended for specifying
-a public zone key for verification of signatures in DNSSEC signed
-zones when they are loaded from disk. <span class="acronym">BIND</span> 9 does not verify signatures
-on load and ignores the option.</p></dd>
-<dt><span class="term"><span><strong class="command">zone-statistics</strong></span></span></dt>
-<dd><p>If <strong class="userinput"><code>yes</code></strong>, the server will keep statistical
-information for this zone, which can be dumped to the
-<span><strong class="command">statistics-file</strong></span> defined in the server options.</p></dd>
-<dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">alt-transfer-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">alt-transfer-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">use-alt-transfer-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">use-alt-transfer-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">notify-source</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>
-</p></dd>
-<dt><span class="term"><span><strong class="command">notify-source-v6</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">notify-source-v6</strong></span> in <a href="Bv9ARM.ch06.html#zone_transfers" title="Zone Transfers">the section called &#8220;Zone Transfers&#8221;</a>.
-</p></dd>
-<dt>
-<span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
-</dt>
-<dd><p>
-See the description in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
-</p></dd>
-<dt><span class="term"><span><strong class="command">ixfr-from-differences</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
-<dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">key-directory</strong></span> in <a href="Bv9ARM.ch06.html#options" title="options Statement Definition and Usage">the section called &#8220;<span><strong class="command">options</strong></span> Statement Definition and Usage&#8221;</a></p></dd>
-<dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
-<dd><p>See the description of
-<span><strong class="command">multi-master</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.</p></dd>
-</dl></div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p><span class="acronym">BIND</span> 9 supports two alternative methods of granting clients
-the right to perform dynamic updates to a zone,
-configured by the <span><strong class="command">allow-update</strong></span> and
-<span><strong class="command">update-policy</strong></span> option, respectively.</p>
-<p>The <span><strong class="command">allow-update</strong></span> clause works the same
-way as in previous versions of <span class="acronym">BIND</span>. It grants given clients the
-permission to update any record of any name in the zone.</p>
-<p>The <span><strong class="command">update-policy</strong></span> clause is new in <span class="acronym">BIND</span>
-9 and allows more fine-grained control over what updates are allowed.
-A set of rules is specified, where each rule either grants or denies
-permissions for one or more names to be updated by one or more identities.
- If the dynamic update request message is signed (that is, it includes
-either a TSIG or SIG(0) record), the identity of the signer can
-be determined.</p>
-<p>Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
-option, and are only meaningful for master zones. When the <span><strong class="command">update-policy</strong></span> statement
-is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
-to be present. The <span><strong class="command">update-policy</strong></span> statement only
-examines the signer of a message; the source address is not relevant.</p>
-<p>This is how a rule definition looks:</p>
-<pre class="programlisting">
-( <span><strong class="command">grant</strong></span> | <span><strong class="command">deny</strong></span> ) <em class="replaceable"><code>identity</code></em> <em class="replaceable"><code>nametype</code></em> <em class="replaceable"><code>name</code></em> [<span class="optional"> <em class="replaceable"><code>types</code></em> </span>]
-</pre>
-<p>Each rule grants or denies privileges. Once a message has
-successfully matched a rule, the operation is immediately granted
-or denied and no further rules are examined. A rule is matched
-when the signer matches the identity field, the name matches the
-name field in accordance with the nametype field, and the type matches
-the types specified in the type field.</p>
-<p>The identity field specifies a name or a wildcard name. Normally, this
-is the name of the TSIG or SIG(0) key used to sign the update request. When a
-TKEY exchange has been used to create a shared secret, the identity of the
-shared secret is the same as the identity of the key used to authenticate the
-TKEY exchange. When the <em class="replaceable"><code>identity</code></em> field specifies a
-wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
-to multiple identities. The <em class="replaceable"><code>identity</code></em> field must
-contain a fully qualified domain name.</p>
-<p>The <em class="replaceable"><code>nametype</code></em> field has 4 values:
-<code class="varname">name</code>, <code class="varname">subdomain</code>,
-<code class="varname">wildcard</code>, and <code class="varname">self</code>.
-</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="varname">name</code></p></td>
-<td><p>Exact-match semantics. This rule matches when the
-name being updated is identical to the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">subdomain</code></p></td>
-<td><p>This rule matches when the name being updated
-is a subdomain of, or identical to, the contents of the
-<em class="replaceable"><code>name</code></em> field.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">wildcard</code></p></td>
-<td><p>The <em class="replaceable"><code>name</code></em> field is
-subject to DNS wildcard expansion, and this rule matches when the name
-being updated name is a valid expansion of the wildcard.</p></td>
-</tr>
-<tr>
-<td><p><code class="varname">self</code></p></td>
-<td><p>This rule matches when the name being updated
-matches the contents of the <em class="replaceable"><code>identity</code></em> field.
-The <em class="replaceable"><code>name</code></em> field is ignored, but should be
-the same as the <em class="replaceable"><code>identity</code></em> field. The
-<code class="varname">self</code> nametype is most useful when allowing using
-one key per name to update, where the key has the same name as the name
-to be updated. The <em class="replaceable"><code>identity</code></em> would be
-specified as <code class="constant">*</code> in this case.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>In all cases, the <em class="replaceable"><code>name</code></em> field must
-specify a fully qualified domain name.</p>
-<p>If no types are explicitly specified, this rule matches all types except
-SIG, NS, SOA, and NXT. Types may be specified by name, including
-"ANY" (ANY matches all types except NXT, which can never be updated).
-Note that when an attempt is made to delete all records associated with a
-name, the rules are checked for each existing record type.
-</p>
-</div>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564557"></a>Zone File</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
-<p>This section, largely borrowed from RFC 1034, describes the
-concept of a Resource Record (RR) and explains when each is used.
-Since the publication of RFC 1034, several new RRs have been identified
-and implemented in the DNS. These are also included.</p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2564576"></a>Resource Records</h4></div></div></div>
-<p>A domain name identifies a node. Each node has a set of
- resource information, which may be empty. The set of resource
- information associated with a particular name is composed of
- separate RRs. The order of RRs in a set is not significant and
- need not be preserved by name servers, resolvers, or other
- parts of the DNS. However, sorting of multiple RRs is
- permitted for optimization purposes, for example, to specify
- that a particular nearby server be tried first. See <a href="Bv9ARM.ch06.html#the_sortlist_statement" title="The sortlist Statement">the section called &#8220;The <span><strong class="command">sortlist</strong></span> Statement&#8221;</a> and <a href="Bv9ARM.ch06.html#rrset_ordering" title="RRset Ordering">the section called &#8220;RRset Ordering&#8221;</a>.</p>
-<p>The components of a Resource Record are:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>owner name</p></td>
-<td><p>the domain name where the RR is found.</p></td>
-</tr>
-<tr>
-<td><p>type</p></td>
-<td><p>an encoded 16 bit value that specifies
-the type of the resource record.</p></td>
-</tr>
-<tr>
-<td><p>TTL</p></td>
-<td><p>the time to live of the RR. This field
-is a 32 bit integer in units of seconds, and is primarily used by
-resolvers when they cache RRs. The TTL describes how long a RR can
-be cached before it should be discarded.</p></td>
-</tr>
-<tr>
-<td><p>class</p></td>
-<td><p>an encoded 16 bit value that identifies
-a protocol family or instance of a protocol.</p></td>
-</tr>
-<tr>
-<td><p>RDATA</p></td>
-<td><p>the resource data. The format of the
-data is type (and sometimes class) specific.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The following are <span class="emphasis"><em>types</em></span> of valid RRs:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>A</p></td>
-<td><p>a host address. In the IN class, this is a
-32-bit IP address. Described in RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>AAAA</p></td>
-<td><p>IPv6 address. Described in RFC 1886.</p></td>
-</tr>
-<tr>
-<td><p>A6</p></td>
-<td><p>IPv6 address. This can be a partial
-address (a suffix) and an indirection to the name where the rest of the
-address (the prefix) can be found. Experimental. Described in RFC 2874.</p></td>
-</tr>
-<tr>
-<td><p>AFSDB</p></td>
-<td><p>location of AFS database servers.
-Experimental. Described in RFC 1183.</p></td>
-</tr>
-<tr>
-<td><p>APL</p></td>
-<td><p>address prefix list. Experimental.
-Described in RFC 3123.</p></td>
-</tr>
-<tr>
-<td><p>CERT</p></td>
-<td><p>holds a digital certificate.
-Described in RFC 2538.</p></td>
-</tr>
-<tr>
-<td><p>CNAME</p></td>
-<td><p>identifies the canonical name of an alias.
-Described in RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>DNAME</p></td>
-<td><p>Replaces the domain name specified with
-another name to be looked up, effectively aliasing an entire
-subtree of the domain name space rather than a single record
-as in the case of the CNAME RR.
-Described in RFC 2672.</p></td>
-</tr>
-<tr>
-<td><p>GPOS</p></td>
-<td><p>Specifies the global position. Superseded by LOC.</p></td>
-</tr>
-<tr>
-<td><p>HINFO</p></td>
-<td><p>identifies the CPU and OS used by a host.
-Described in RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>ISDN</p></td>
-<td><p>representation of ISDN addresses.
-Experimental. Described in RFC 1183.</p></td>
-</tr>
-<tr>
-<td><p>KEY</p></td>
-<td><p>stores a public key associated with a
-DNS name. Described in RFC 2535.</p></td>
-</tr>
-<tr>
-<td><p>KX</p></td>
-<td><p>identifies a key exchanger for this
-DNS name. Described in RFC 2230.</p></td>
-</tr>
-<tr>
-<td><p>LOC</p></td>
-<td><p>for storing GPS info. Described in RFC 1876.
-Experimental.</p></td>
-</tr>
-<tr>
-<td><p>MX</p></td>
-<td><p>identifies a mail exchange for the domain.
-a 16 bit preference value (lower is better)
-followed by the host name of the mail exchange.
-Described in RFC 974, RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>NAPTR</p></td>
-<td><p>name authority pointer. Described in RFC 2915.</p></td>
-</tr>
-<tr>
-<td><p>NSAP</p></td>
-<td><p>a network service access point.
-Described in RFC 1706.</p></td>
-</tr>
-<tr>
-<td><p>NS</p></td>
-<td><p>the authoritative name server for the
-domain. Described in RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>NXT</p></td>
-<td><p>used in DNSSEC to securely indicate that
-RRs with an owner name in a certain name interval do not exist in
-a zone and indicate what RR types are present for an existing name.
-Described in RFC 2535.</p></td>
-</tr>
-<tr>
-<td><p>PTR</p></td>
-<td><p>a pointer to another part of the domain
-name space. Described in RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>PX</p></td>
-<td><p>provides mappings between RFC 822 and X.400
-addresses. Described in RFC 2163.</p></td>
-</tr>
-<tr>
-<td><p>RP</p></td>
-<td><p>information on persons responsible
-for the domain. Experimental. Described in RFC 1183.</p></td>
-</tr>
-<tr>
-<td><p>RT</p></td>
-<td><p>route-through binding for hosts that
-do not have their own direct wide area network addresses.
-Experimental. Described in RFC 1183.</p></td>
-</tr>
-<tr>
-<td><p>SIG</p></td>
-<td><p>("signature") contains data authenticated
-in the secure DNS. Described in RFC 2535.</p></td>
-</tr>
-<tr>
-<td><p>SOA</p></td>
-<td><p>identifies the start of a zone of authority.
-Described in RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>SRV</p></td>
-<td><p>information about well known network
-services (replaces WKS). Described in RFC 2782.</p></td>
-</tr>
-<tr>
-<td><p>TXT</p></td>
-<td><p>text records. Described in RFC 1035.</p></td>
-</tr>
-<tr>
-<td><p>WKS</p></td>
-<td><p>information about which well known
-network services, such as SMTP, that a domain supports. Historical.
-</p></td>
-</tr>
-<tr>
-<td><p>X25</p></td>
-<td><p>representation of X.25 network addresses.
-Experimental. Described in RFC 1183.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The following <span class="emphasis"><em>classes</em></span> of resource records
-are currently valid in the DNS:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>IN</p></td>
-<td><p>The Internet.</p></td>
-</tr>
-<tr>
-<td><p>CH</p></td>
-<td><p>
-CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
-Rarely used for its historical purpose, but reused for BIND's
-built-in server information zones, e.g.,
-<code class="literal">version.bind</code>.
-</p></td>
-</tr>
-<tr>
-<td><p>HS</p></td>
-<td><p>
-Hesiod, an information service
-developed by MIT's Project Athena. It is used to share information
-about various systems databases, such as users, groups, printers
-and so on.
-</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The owner name is often implicit, rather than forming an integral
-part of the RR. For example, many name servers internally form tree
-or hash structures for the name space, and chain RRs off nodes.
- The remaining RR parts are the fixed header (type, class, TTL)
-which is consistent for all RRs, and a variable part (RDATA) that
-fits the needs of the resource being described.</p>
-<p>The meaning of the TTL field is a time limit on how long an
-RR can be kept in a cache. This limit does not apply to authoritative
-data in zones; it is also timed out, but by the refreshing policies
-for the zone. The TTL is assigned by the administrator for the
-zone where the data originates. While short TTLs can be used to
-minimize caching, and a zero TTL prohibits caching, the realities
-of Internet performance suggest that these times should be on the
-order of days for the typical host. If a change can be anticipated,
-the TTL can be reduced prior to the change to minimize inconsistency
-during the change, and then increased back to its former value following
-the change.</p>
-<p>The data in the RDATA section of RRs is carried as a combination
-of binary strings and domain names. The domain names are frequently
-used as "pointers" to other data in the DNS.</p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2565564"></a>Textual expression of RRs</h4></div></div></div>
-<p>RRs are represented in binary form in the packets of the DNS
-protocol, and are usually represented in highly encoded form when
-stored in a name server or resolver. In the examples provided in
-RFC 1034, a style similar to that used in master files was employed
-in order to show the contents of RRs. In this format, most RRs
-are shown on a single line, although continuation lines are possible
-using parentheses.</p>
-<p>The start of the line gives the owner of the RR. If a line
-begins with a blank, then the owner is assumed to be the same as
-that of the previous RR. Blank lines are often included for readability.</p>
-<p>Following the owner, we list the TTL, type, and class of the
-RR. Class and type use the mnemonics defined above, and TTL is
-an integer before the type field. In order to avoid ambiguity in
-parsing, type and class mnemonics are disjoint, TTLs are integers,
-and the type mnemonic is always last. The IN class and TTL values
-are often omitted from examples in the interests of clarity.</p>
-<p>The resource data or RDATA section of the RR are given using
-knowledge of the typical representation for the data.</p>
-<p>For example, we might show the RRs carried in a message as:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">ISI.EDU.</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VENERA.ISI.EDU.</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10 VAXA.ISI.EDU</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">VENERA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.32</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.1.0.52</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">VAXA.ISI.EDU</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.2.0.27</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">128.9.0.33</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The MX RRs have an RDATA section which consists of a 16 bit
-number followed by a domain name. The address RRs use a standard
-IP address format to contain a 32 bit internet address.</p>
-<p>This example shows six RRs, with two RRs at each of three
-domain names.</p>
-<p>Similarly we might see:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">XX.LCS.MIT.EDU. IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.44</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">CH</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">MIT.EDU. 2420</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>This example shows two addresses for <code class="literal">XX.LCS.MIT.EDU</code>,
-each of a different class.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2565990"></a>Discussion of MX Records</h3></div></div></div>
-<p>As described above, domain servers store information as a
-series of resource records, each of which contains a particular
-piece of information about a given domain name (which is usually,
-but not always, a host). The simplest way to think of a RR is as
-a typed pair of data, a domain name matched with a relevant datum,
-and stored with some additional type information to help systems
-determine when the RR is relevant.</p>
-<p>MX records are used to control delivery of email. The data
-specified in the record is a priority and a domain name. The priority
-controls the order in which email delivery is attempted, with the
-lowest number first. If two priorities are the same, a server is
-chosen randomly. If no servers at a given priority are responding,
-the mail transport agent will fall back to the next largest priority.
-Priority numbers do not have any absolute meaning &#8212; they are relevant
-only respective to other MX records for that domain name. The domain
-name given is the machine to which the mail will be delivered. It <span class="emphasis"><em>must</em></span> have
-an associated A record &#8212; CNAME is not sufficient.</p>
-<p>For a given domain, if there is both a CNAME record and an
-MX record, the MX record is in error, and will be ignored. Instead,
-the mail will be delivered to the server specified in the MX record
-pointed to by the CNAME.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail.example.com.</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">10</code></p></td>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">MX</code></p></td>
-<td><p><code class="literal">20</code></p></td>
-<td><p><code class="literal">mail.backup.org.</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">mail.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.1</code></p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">mail2.example.com.</code></p></td>
-<td><p><code class="literal">IN</code></p></td>
-<td><p><code class="literal">A</code></p></td>
-<td><p><code class="literal">10.0.0.2</code></p></td>
-<td><p></p></td>
-</tr>
-</tbody>
-</table></div>
-<p>For example:</p>
-<p>Mail delivery will be attempted to <code class="literal">mail.example.com</code> and
-<code class="literal">mail2.example.com</code> (in
-any order), and if neither of those succeed, delivery to <code class="literal">mail.backup.org</code> will
-be attempted.</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="Setting_TTLs"></a>Setting TTLs</h3></div></div></div>
-<p>The time to live of the RR field is a 32 bit integer represented
-in units of seconds, and is primarily used by resolvers when they
-cache RRs. The TTL describes how long a RR can be cached before it
-should be discarded. The following three types of TTL are currently
-used in a zone file.</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>SOA</p></td>
-<td>
-<p>The last field in the SOA is the negative
-caching TTL. This controls how long other servers will cache no-such-domain
-(NXDOMAIN) responses from you.</p>
-<p>The maximum time for
-negative caching is 3 hours (3h).</p>
-</td>
-</tr>
-<tr>
-<td><p>$TTL</p></td>
-<td><p>The $TTL directive at the top of the
-zone file (before the SOA) gives a default TTL for every RR without
-a specific TTL set.</p></td>
-</tr>
-<tr>
-<td><p>RR TTLs</p></td>
-<td><p>Each RR can have a TTL as the second
-field in the RR, which will control how long other servers can cache
-the it.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>All of these TTLs default to units of seconds, though units
-can be explicitly specified, for example, <code class="literal">1h30m</code>. </p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2566487"></a>Inverse Mapping in IPv4</h3></div></div></div>
-<p>Reverse name resolution (that is, translation from IP address
-to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
-and PTR records. Entries in the in-addr.arpa domain are made in
-least-to-most significant order, read left to right. This is the
-opposite order to the way IP addresses are usually written. Thus,
-a machine with an IP address of 10.1.2.3 would have a corresponding
-in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record
-whose data field is the name of the machine or, optionally, multiple
-PTR records if the machine has more than one name. For example,
-in the [<span class="optional">example.com</span>] domain:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><code class="literal">$ORIGIN</code></p></td>
-<td><p><code class="literal">2.1.10.in-addr.arpa</code></p></td>
-</tr>
-<tr>
-<td><p><code class="literal">3</code></p></td>
-<td><p><code class="literal">IN PTR foo.example.com.</code></p></td>
-</tr>
-</tbody>
-</table></div>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>The <span><strong class="command">$ORIGIN</strong></span> lines in the examples
-are for providing context to the examples only-they do not necessarily
-appear in the actual usage. They are only used here to indicate
-that the example is relative to the listed origin.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2566593"></a>Other Zone File Directives</h3></div></div></div>
-<p>The Master File Format was initially defined in RFC 1035 and
-has subsequently been extended. While the Master File Format itself
-is class independent all records in a Master File must be of the same
-class.</p>
-<p>Master File Directives include <span><strong class="command">$ORIGIN</strong></span>, <span><strong class="command">$INCLUDE</strong></span>,
-and <span><strong class="command">$TTL.</strong></span></p>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2566612"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$ORIGIN
-</strong></span><em class="replaceable"><code>domain-name</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em></span>]</p>
-<p><span><strong class="command">$ORIGIN</strong></span> sets the domain name that will
-be appended to any unqualified records. When a zone is first read
-in there is an implicit <span><strong class="command">$ORIGIN</strong></span> &lt;<code class="varname">zone-name</code>&gt;<span><strong class="command">.</strong></span> The
-current <span><strong class="command">$ORIGIN</strong></span> is appended to the domain specified
-in the <span><strong class="command">$ORIGIN</strong></span> argument if it is not absolute.</p>
-<pre class="programlisting">$ORIGIN example.com.
-WWW CNAME MAIN-SERVER</pre>
-<p>is equivalent to</p>
-<pre class="programlisting">WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</pre>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2566667"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$INCLUDE</strong></span>
-<em class="replaceable"><code>filename</code></em> [<span class="optional">
-<em class="replaceable"><code>origin</code></em> </span>] [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Read and process the file <code class="filename">filename</code> as
-if it were included into the file at this point. If <span><strong class="command">origin</strong></span> is
-specified the file is processed with <span><strong class="command">$ORIGIN</strong></span> set
-to that value, otherwise the current <span><strong class="command">$ORIGIN</strong></span> is
-used.</p>
-<p>The origin and the current domain name
-revert to the values they had prior to the <span><strong class="command">$INCLUDE</strong></span> once
-the file has been read.</p>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>
-RFC 1035 specifies that the current origin should be restored after
-an <span><strong class="command">$INCLUDE</strong></span>, but it is silent on whether the current
-domain name should also be restored. BIND 9 restores both of them.
-This could be construed as a deviation from RFC 1035, a feature, or both.
-</p>
-</div>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2566730"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
-<p>Syntax: <span><strong class="command">$TTL</strong></span>
-<em class="replaceable"><code>default-ttl</code></em> [<span class="optional">
-<em class="replaceable"><code>comment</code></em> </span>]</p>
-<p>Set the default Time To Live (TTL) for subsequent records
-with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</p>
-<p><span><strong class="command">$TTL</strong></span> is defined in RFC 2308.</p>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2566761"></a><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
-<p>Syntax: <span><strong class="command">$GENERATE</strong></span> <em class="replaceable"><code>range</code></em> <em class="replaceable"><code>lhs</code></em> [<span class="optional"><em class="replaceable"><code>ttl</code></em></span>] [<span class="optional"><em class="replaceable"><code>class</code></em></span>] <em class="replaceable"><code>type</code></em> <em class="replaceable"><code>rhs</code></em> [<span class="optional"> <em class="replaceable"><code>comment</code></em> </span>]</p>
-<p><span><strong class="command">$GENERATE</strong></span> is used to create a series of
-resource records that only differ from each other by an iterator. <span><strong class="command">$GENERATE</strong></span> can
-be used to easily generate the sets of records required to support
-sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
-delegation.</p>
-<pre class="programlisting">$ORIGIN 0.0.192.IN-ADDR.ARPA.
-$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
-$GENERATE 1-127 $ CNAME $.0</pre>
-<p>is equivalent to</p>
-<pre class="programlisting">0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
-0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-...
-127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-</pre>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p><span><strong class="command">range</strong></span></p></td>
-<td><p>This can be one of two forms: start-stop
-or start-stop/step. If the first form is used then step is set to
- 1. All of start, stop and step must be positive.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">lhs</strong></span></p></td>
-<td>
-<p><span><strong class="command">lhs</strong></span> describes the
-owner name of the resource records to be created. Any single <span><strong class="command">$</strong></span> symbols
-within the <span><strong class="command">lhs</strong></span> side are replaced by the iterator
-value.
-To get a $ in the output you need to escape the <span><strong class="command">$</strong></span>
-using a backslash <span><strong class="command">\</strong></span>,
-e.g. <span><strong class="command">\$</strong></span>. The <span><strong class="command">$</strong></span> may optionally be followed
-by modifiers which change the offset from the iterator, field width and base.
-Modifiers are introduced by a <span><strong class="command">{</strong></span> immediately following the
-<span><strong class="command">$</strong></span> as <span><strong class="command">${offset[,width[,base]]}</strong></span>.
-e.g. <span><strong class="command">${-20,3,d}</strong></span> which subtracts 20 from the current value,
-prints the result as a decimal in a zero padded field of with 3. Available
-output forms are decimal (<span><strong class="command">d</strong></span>), octal (<span><strong class="command">o</strong></span>)
-and hexadecimal (<span><strong class="command">x</strong></span> or <span><strong class="command">X</strong></span> for uppercase).
-The default modifier is <span><strong class="command">${0,0,d}</strong></span>.
-If the <span><strong class="command">lhs</strong></span> is not
-absolute, the current <span><strong class="command">$ORIGIN</strong></span> is appended to
-the name.</p>
-<p>For compatibility with earlier versions <span><strong class="command">$$</strong></span> is still
-recognized a indicating a literal $ in the output.</p>
-</td>
-</tr>
-<tr>
-<td><p><span><strong class="command">ttl</strong></span></p></td>
-<td>
-<p><span><strong class="command">ttl</strong></span> specifies the
- ttl of the generated records. If not specified this will be
- inherited using the normal ttl inheritance rules.</p>
- <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
- entered in either order.</p>
-</td>
-</tr>
-<tr>
-<td><p><span><strong class="command">class</strong></span></p></td>
-<td>
-<p><span><strong class="command">class</strong></span> specifies the
- class of the generated records. This must match the zone class if
- it is specified.</p>
- <p><span><strong class="command">class</strong></span> and <span><strong class="command">ttl</strong></span> can be
- entered in either order.</p>
-</td>
-</tr>
-<tr>
-<td><p><span><strong class="command">type</strong></span></p></td>
-<td><p>At present the only supported types are
-PTR, CNAME, DNAME, A, AAAA and NS.</p></td>
-</tr>
-<tr>
-<td><p><span><strong class="command">rhs</strong></span></p></td>
-<td><p>rhs is a domain name. It is processed
-similarly to lhs.</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span><strong class="command">$GENERATE</strong></span> directive is a <span class="acronym">BIND</span> extension
-and not part of the standard zone file format.</p>
-<p>BIND 8 does not support the optional TTL and CLASS fields.</p>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch05.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch07.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 5. The <span class="acronym">BIND</span> 9 Lightweight Resolver </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
deleted file mode 100644
index 86c2b6af0642..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch07.html
+++ /dev/null
@@ -1,200 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch07.html,v 1.50.2.9.2.24 2005/10/13 02:34:02 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 7. BIND 9 Security Considerations</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
-<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch07"></a>Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2567222"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567366">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567424">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
-<p>Access Control Lists (ACLs), are address match lists that
-you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
-<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
-<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
-etc.</p>
-<p>Using ACLs allows you to have finer control over who can access
-your name server, without cluttering up your config files with huge
-lists of IP addresses.</p>
-<p>It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
-control access to your server. Limiting access to your server by
-outside parties can help prevent spoofing and DoS attacks against
-your server.</p>
-<p>Here is an example of how to properly apply ACLs:</p>
-<pre class="programlisting">
-// Set up an ACL named "bogusnets" that will block RFC1918 space,
-// which is commonly used in spoofing attacks.
-acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
-// Set up an ACL called our-nets. Replace this with the real IP numbers.
-acl our-nets { x.x.x.x/24; x.x.x.x/21; };
-options {
- ...
- ...
- allow-query { our-nets; };
- allow-recursion { our-nets; };
- ...
- blackhole { bogusnets; };
- ...
-};
-zone "example.com" {
- type master;
- file "m/example.com";
- allow-query { any; };
-};
-</pre>
-<p>This allows recursive queries of the server from the outside
-unless recursion has been previously disabled.</p>
-<p>For more information on how to use ACLs to protect your server,
-see the <span class="emphasis"><em>AUSCERT</em></span> advisory at
-<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a></p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567222"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</h2></div></div></div>
-<p>On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment
-(<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>"
-option. This can help improve system security by placing <span class="acronym">BIND</span> in
-a "sandbox", which will limit the damage done if a server is compromised.</p>
-<p>Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the
-ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
-We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.</p>
-<p>Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox,
-<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
-user 202:</p>
-<p><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></p>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567366"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
-<p>In order for a <span><strong class="command">chroot()</strong></span> environment to
-work properly in a particular directory
-(for example, <code class="filename">/var/named</code>),
-you will need to set up an environment that includes everything
-<span class="acronym">BIND</span> needs to run.
-From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is
-the root of the filesystem. You will need to adjust the values of options like
-like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
-for this.
-</p>
-<p>
-Unlike with earlier versions of BIND, you will typically
-<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
-statically nor install shared libraries under the new root.
-However, depending on your operating system, you may need
-to set up things like
-<code class="filename">/dev/zero</code>,
-<code class="filename">/dev/random</code>,
-<code class="filename">/dev/log</code>, and/or
-<code class="filename">/etc/localtime</code>.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567424"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
-<p>Prior to running the <span><strong class="command">named</strong></span> daemon, use
-the <span><strong class="command">touch</strong></span> utility (to change file access and
-modification times) or the <span><strong class="command">chown</strong></span> utility (to
-set the user id and/or group id) on files
-to which you want <span class="acronym">BIND</span>
-to write. Note that if the <span><strong class="command">named</strong></span> daemon is running as an
-unprivileged user, it will not be able to bind to new restricted ports if the
-server is reloaded.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
-<p>Access to the dynamic
-update facility should be strictly limited. In earlier versions of
-<span class="acronym">BIND</span> the only way to do this was based on the IP
-address of the host requesting the update, by listing an IP address or
-network prefix in the <span><strong class="command">allow-update</strong></span> zone option.
-This method is insecure since the source address of the update UDP packet
-is easily forged. Also note that if the IP addresses allowed by the
-<span><strong class="command">allow-update</strong></span> option include the address of a slave
-server which performs forwarding of dynamic updates, the master can be
-trivially attacked by sending the update to the slave, which will
-forward it to the master with its own source IP address causing the
-master to approve it without question.</p>
-<p>For these reasons, we strongly recommend that updates be
-cryptographically authenticated by means of transaction signatures
-(TSIG). That is, the <span><strong class="command">allow-update</strong></span> option should
-list only TSIG key names, not IP addresses or network
-prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
-option can be used.</p>
-<p>Some sites choose to keep all dynamically updated DNS data
-in a subdomain and delegate that subdomain to a separate zone. This
-way, the top-level zone containing critical data such as the IP addresses
-of public web and mail servers need not allow dynamic update at
-all.</p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 6. <span class="acronym">BIND</span> 9 Configuration Reference </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch08.html b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
deleted file mode 100644
index 9d486e1bd5b6..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch08.html
+++ /dev/null
@@ -1,124 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch08.html,v 1.50.2.9.2.24 2005/10/13 02:34:02 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Chapter 8. Troubleshooting</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch07.html" title="Chapter 7. BIND 9 Security Considerations">
-<link rel="next" href="Bv9ARM.ch09.html" title="Appendix A. Appendices">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Chapter 8. Troubleshooting</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="chapter" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch08"></a>Chapter 8. Troubleshooting</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567630">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2567636">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567648">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567665">Where Can I Get Help?</a></span></dt>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567630"></a>Common Problems</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567636"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
-<p>The best solution to solving installation and
- configuration issues is to take preventative measures by setting
- up logging files beforehand. The log files provide a
- source of hints and information that can be used to figure out
- what went wrong and how to fix the problem.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567648"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
-<p>Zone serial numbers are just numbers-they aren't date
- related. A lot of people set them to a number that represents a
- date, usually of the form YYYYMMDDRR. A number of people have been
- testing these numbers for Y2K compliance and have set the number
- to the year 2000 to see if it will work. They then try to restore
- the old serial number. This will cause problems because serial
- numbers are used to indicate that a zone has been updated. If the
- serial number on the slave server is lower than the serial number
- on the master, the slave server will attempt to update its copy of
- the zone.</p>
-<p>Setting the serial number to a lower number on the master
- server than the slave server means that the slave will not perform
- updates to its copy of the zone.</p>
-<p>The solution to this is to add 2147483647 (2^31-1) to the
- number, reload the zone and make sure all slaves have updated to
- the new zone serial number, then reset the number to what you want
- it to be, and reload the zone again.</p>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567665"></a>Where Can I Get Help?</h2></div></div></div>
-<p>The Internet Software Consortium (<span class="acronym">ISC</span>) offers a wide range
- of support and service agreements for <span class="acronym">BIND</span> and <span class="acronym">DHCP</span> servers. Four
- levels of premium support are available and each level includes
- support for all <span class="acronym">ISC</span> programs, significant discounts on products
- and training, and a recognized priority on bug fixes and
- non-funded feature requests. In addition, <span class="acronym">ISC</span> offers a standard
- support agreement package which includes services ranging from bug
- fix announcements to remote support. It also includes training in
- <span class="acronym">BIND</span> and <span class="acronym">DHCP</span>.</p>
-<p>To discuss arrangements for support, contact
- <a href="mailto:info@isc.org" target="_top">info@isc.org</a> or visit the
- <span class="acronym">ISC</span> web page at <a href="http://www.isc.org/services/support/" target="_top">http://www.isc.org/services/support/</a>
- to read more.</p>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch07.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch09.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 7. <span class="acronym">BIND</span> 9 Security Considerations </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> Appendix A. Appendices</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch09.html b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
deleted file mode 100644
index 8c7b2bf4450f..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.ch09.html
+++ /dev/null
@@ -1,388 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.ch09.html,v 1.50.2.9.2.25 2005/10/13 02:34:03 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>Appendix A. Appendices</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="prev" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">Appendix A. Appendices</th></tr>
-<tr>
-<td width="20%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> </td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="appendix" lang="en">
-<div class="titlepage"><div><div><h2 class="title">
-<a name="Bv9ARM.ch09"></a>Appendix A. Appendices</h2></div></div></div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2567795">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2567800">A Brief History of the <span class="acronym">DNS</span> and <span class="acronym">BIND</span></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <span class="acronym">DNS</span> Reference Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2570087">Other Documents About <span class="acronym">BIND</span></a></span></dt>
-</dl></dd>
-</dl>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567795"></a>Acknowledgments</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2567800"></a>A Brief History of the <span class="acronym">DNS</span> and <span class="acronym">BIND</span></h3></div></div></div>
-<p>Although the "official" beginning of the Domain Name
- System occurred in 1984 with the publication of RFC 920, the
- core of the new system was described in 1983 in RFCs 882 and
- 883. From 1984 to 1987, the ARPAnet (the precursor to today's
- Internet) became a testbed of experimentation for developing the
- new naming/addressing scheme in an rapidly expanding,
- operational network environment. New RFCs were written and
- published in 1987 that modified the original documents to
- incorporate improvements based on the working model. RFC 1034,
- "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
- Names-Implementation and Specification" were published and
- became the standards upon which all <span class="acronym">DNS</span> implementations are
- built.
-</p>
-<p>The first working domain name server, called "Jeeves", was
-written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
-machines located at the University of Southern California's Information
-Sciences Institute (USC-ISI) and SRI International's Network Information
-Center (SRI-NIC). A <span class="acronym">DNS</span> server for Unix machines, the Berkeley Internet
-Name Domain (<span class="acronym">BIND</span>) package, was written soon after by a group of
-graduate students at the University of California at Berkeley under
-a grant from the US Defense Advanced Research Projects Administration
-(DARPA). Versions of <span class="acronym">BIND</span> through 4.8.3 were maintained by the Computer
-Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
-Painter, David Riggle and Songnian Zhou made up the initial <span class="acronym">BIND</span>
-project team. After that, additional work on the software package
-was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
-employee on loan to the CSRG, worked on <span class="acronym">BIND</span> for 2 years, from 1985
-to 1987. Many other people also contributed to <span class="acronym">BIND</span> development
-during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
-Mike Muuss, Jim Bloom and Mike Schwartz. <span class="acronym">BIND</span> maintenance was subsequently
-handled by Mike Karels and O. Kure.</p>
-<p><span class="acronym">BIND</span> versions 4.9 and 4.9.1 were released by Digital Equipment
-Corporation (now Compaq Computer Corporation). Paul Vixie, then
-a DEC employee, became <span class="acronym">BIND</span>'s primary caretaker. Paul was assisted
-by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
-Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
-Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
-Wolfhugel, and others.</p>
-<p><span class="acronym">BIND</span> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
-Vixie became <span class="acronym">BIND</span>'s principal architect/programmer.</p>
-<p><span class="acronym">BIND</span> versions from 4.9.3 onward have been developed and maintained
-by the Internet Software Consortium with support being provided
-by ISC's sponsors. As co-architects/programmers, Bob Halley and
-Paul Vixie released the first production-ready version of <span class="acronym">BIND</span> version
-8 in May 1997.</p>
-<p><span class="acronym">BIND</span> development work is made possible today by the sponsorship
-of several corporations, and by the tireless work efforts of numerous
-individuals.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="historical_dns_information"></a>General <span class="acronym">DNS</span> Reference Information</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
-<p>IPv6 addresses are 128-bit identifiers for interfaces and
-sets of interfaces which were introduced in the <span class="acronym">DNS</span> to facilitate
-scalable Internet routing. There are three types of addresses: <span class="emphasis"><em>Unicast</em></span>,
-an identifier for a single interface; <span class="emphasis"><em>Anycast</em></span>,
-an identifier for a set of interfaces; and <span class="emphasis"><em>Multicast</em></span>,
-an identifier for a set of interfaces. Here we describe the global
-Unicast address scheme. For more information, see RFC 2374.</p>
-<p>The aggregatable global Unicast address format is as follows:</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>3</p></td>
-<td><p>13</p></td>
-<td><p>8</p></td>
-<td><p>24</p></td>
-<td><p>16</p></td>
-<td><p>64 bits</p></td>
-</tr>
-<tr>
-<td><p>FP</p></td>
-<td><p>TLA ID</p></td>
-<td><p>RES</p></td>
-<td><p>NLA ID</p></td>
-<td><p>SLA ID</p></td>
-<td><p>Interface ID</p></td>
-</tr>
-<tr>
-<td colspan="4"><p>&lt;------ Public Topology
-------&gt;</p></td>
-<td><p></p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;-Site Topology-&gt;</p></td>
-<td><p></p></td>
-</tr>
-<tr>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p></p></td>
-<td><p>&lt;------ Interface Identifier ------&gt;</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>Where
-</p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td><p>FP</p></td>
-<td><p>=</p></td>
-<td><p>Format Prefix (001)</p></td>
-</tr>
-<tr>
-<td><p>TLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Top-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>RES</p></td>
-<td><p>=</p></td>
-<td><p>Reserved for future use</p></td>
-</tr>
-<tr>
-<td><p>NLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Next-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>SLA ID</p></td>
-<td><p>=</p></td>
-<td><p>Site-Level Aggregation Identifier</p></td>
-</tr>
-<tr>
-<td><p>INTERFACE ID</p></td>
-<td><p>=</p></td>
-<td><p>Interface Identifier</p></td>
-</tr>
-</tbody>
-</table></div>
-<p>The <span class="emphasis"><em>Public Topology</em></span> is provided by the
-upstream provider or ISP, and (roughly) corresponds to the IPv4 <span class="emphasis"><em>network</em></span> section
-of the address range. The <span class="emphasis"><em>Site Topology</em></span> is
-where you can subnet this space, much the same as subnetting an
-IPv4 /16 network into /24 subnets. The <span class="emphasis"><em>Interface Identifier</em></span> is
-the address of an individual interface on a given network. (With
-IPv6, addresses belong to interfaces rather than machines.)</p>
-<p>The subnetting capability of IPv6 is much more flexible than
-that of IPv4: subnetting can now be carried out on bit boundaries,
-in much the same way as Classless InterDomain Routing (CIDR).</p>
-<p>The Interface Identifier must be unique on that network. On
-ethernet networks, one way to ensure this is to set the address
-to the first three bytes of the hardware address, "FFFE", then the
-last three bytes of the hardware address. The lowest significant
-bit of the first byte should then be complemented. Addresses are
-written as 32-bit blocks separated with a colon, and leading zeros
-of a block may be omitted, for example:</p>
-<p><span><strong class="command">2001:db8:201:9:a00:20ff:fe81:2b32</strong></span></p>
-<p>IPv6 address specifications are likely to contain long strings
-of zeros, so the architects have included a shorthand for specifying
-them. The double colon (`::') indicates the longest possible string
-of zeros that can fit, and can be used only once in an address.</p>
-</div>
-</div>
-<div class="sect1" lang="en">
-<div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="bibliography"></a>Bibliography (and Suggested Reading)</h2></div></div></div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="rfcs"></a>Request for Comments (RFCs)</h3></div></div></div>
-<p>Specification documents for the Internet protocol suite, including
-the <span class="acronym">DNS</span>, are published as part of the Request for Comments (RFCs)
-series of technical notes. The standards themselves are defined
-by the Internet Engineering Task Force (IETF) and the Internet Engineering
-Steering Group (IESG). RFCs can be obtained online via FTP at
-<a href="ftp://www.isi.edu/in-notes/" target="_top">ftp://www.isi.edu/in-notes/RFC<em class="replaceable"><code>xxx</code></em>.txt</a> (where <em class="replaceable"><code>xxx</code></em> is
-the number of the RFC). RFCs are also available via the Web at
-<a href="http://www.ietf.org/rfc/" target="_top">http://www.ietf.org/rfc/</a>.
-</p>
-<div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2568712"></a>Bibliography</h4></div></div></div>
-<div class="bibliodiv">
-<h3 class="title">Standards</h3>
-<div class="biblioentry"><p>[<span class="abbrev">RFC974</span>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1034</span>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1035</span>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
-Specification</i>. </span><span class="pubdate">November 1987. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<a name="proposed_standards"></a>Proposed Standards</h3>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2181</span>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <span class="acronym">DNS</span> Specification</i>. </span><span class="pubdate">July 1997. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2308</span>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <span class="acronym">DNS</span> Queries</i>. </span><span class="pubdate">March 1998. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1995</span>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <span class="acronym">DNS</span></i>. </span><span class="pubdate">August 1996. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1996</span>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2136</span>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2845</span>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <span class="acronym">DNS</span> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Proposed Standards Still Under Development</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p><span class="emphasis"><em>Note:</em></span> the following list of
-RFCs are undergoing major revision by the IETF.</p>
-</div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1886</span>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i><span class="acronym">DNS</span> Extensions to support IP version 6</i>. </span><span class="pubdate">December 1995. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2065</span>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2137</span>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Other Important RFCs About <span class="acronym">DNS</span> Implementation</h3>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1535</span>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely Deployed <span class="acronym">DNS</span> Software.</i>. </span><span class="pubdate">October 1993. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1536</span>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <span class="acronym">DNS</span> Implementation Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1982</span>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Resource Record Types</h3>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1183</span>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <span class="acronym">DNS</span> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1706</span>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><span class="acronym">DNS</span> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2168</span>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
-the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1876</span>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the Domain
-Name System</i>. </span><span class="pubdate">January 1996. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2052</span>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <span class="acronym">DNS</span> RR for Specifying the Location of
-Services.</i>. </span><span class="pubdate">October 1996. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2163</span>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <span class="acronym">DNS</span> to Distribute MIXER
-Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2230</span>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <span class="acronym">DNS</span></i>. </span><span class="pubdate">October 1997. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<span class="acronym">DNS</span> and the Internet</h3>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1101</span>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><span class="acronym">DNS</span> Encoding of Network Names and Other Types</i>. </span><span class="pubdate">April 1989. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1123</span>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and Support</i>. </span><span class="pubdate">October 1989. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1591</span>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2317</span>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">
-<span class="acronym">DNS</span> Operations</h3>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1537</span>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <span class="acronym">DNS</span> Data File Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1912</span>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <span class="acronym">DNS</span> Operational and Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2010</span>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2219</span>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <span class="acronym">DNS</span> Aliases for Network Services.</i>. </span><span class="pubdate">October 1997. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Other <span class="acronym">DNS</span>-related RFCs</h3>
-<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
-<h3 class="title">Note</h3>
-<p>Note: the following list of RFCs, although
-<span class="acronym">DNS</span>-related, are not concerned with implementing software.</p>
-</div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1464</span>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String Attributes</i>. </span><span class="pubdate">May 1993. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1713</span>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <span class="acronym">DNS</span> Debugging</i>. </span><span class="pubdate">November 1994. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1794</span>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><span class="acronym">DNS</span> Support for Load Balancing</i>. </span><span class="pubdate">April 1995. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2240</span>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2345</span>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p></div>
-<div class="biblioentry"><p>[<span class="abbrev">RFC2352</span>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p></div>
-</div>
-<div class="bibliodiv">
-<h3 class="title">Obsolete and Unimplemented Experimental RRs</h3>
-<div class="biblioentry"><p>[<span class="abbrev">RFC1712</span>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><span class="acronym">DNS</span> Encoding of Geographical
-Location</i>. </span><span class="pubdate">November 1994. </span></p></div>
-</div>
-</div>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="internet_drafts"></a>Internet Drafts</h3></div></div></div>
-<p>Internet Drafts (IDs) are rough-draft working documents of
-the Internet Engineering Task Force. They are, in essence, RFCs
-in the preliminary stages of development. Implementors are cautioned not
-to regard IDs as archival, and they should not be quoted or cited
-in any formal documents unless accompanied by the disclaimer that
-they are "works in progress." IDs have a lifespan of six months
-after which they are deleted unless updated by their authors.
-</p>
-</div>
-<div class="sect2" lang="en">
-<div class="titlepage"><div><div><h3 class="title">
-<a name="id2570087"></a>Other Documents About <span class="acronym">BIND</span></h3></div></div></div>
-<p></p>
-<div class="bibliography">
-<div class="titlepage"><div><div><h4 class="title">
-<a name="id2570097"></a>Bibliography</h4></div></div></div>
-<div class="biblioentry"><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><span class="acronym">DNS</span> and <span class="acronym">BIND</span></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p></div>
-</div>
-</div>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left">
-<a accesskey="p" href="Bv9ARM.ch08.html">Prev</a> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> </td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top">Chapter 8. Troubleshooting </td>
-<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> </td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.html b/contrib/bind9/doc/arm/Bv9ARM.html
deleted file mode 100644
index 71ec32992eb0..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.html
+++ /dev/null
@@ -1,222 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: Bv9ARM.html,v 1.60.2.9.2.26 2005/10/13 02:33:59 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>BIND 9 Administrator Reference Manual</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
-<link rel="next" href="Bv9ARM.ch01.html" title="Chapter 1. Introduction ">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
-<div class="navheader">
-<table width="100%" summary="Navigation header">
-<tr><th colspan="3" align="center">BIND 9 Administrator Reference Manual</th></tr>
-<tr>
-<td width="20%" align="left"> </td>
-<th width="60%" align="center"> </th>
-<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-</table>
-<hr>
-</div>
-<div class="book" lang="en">
-<div class="titlepage">
-<div>
-<div><h1 class="title">
-<a name="id2463864"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright © 2004, 2005 Internet Systems Consortium, Inc. ("ISC")</p></div>
-<div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
-</div>
-<hr>
-</div>
-<div class="toc">
-<p><b>Table of Contents</b></p>
-<dl>
-<dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction </a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545879">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545905">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2545976">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2546234">The Domain Name System (<span class="acronym">DNS</span>)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546254">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2544105">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546579">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546653">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2546950">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2547076">Name Servers in Multiple Roles</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <span class="acronym">BIND</span> Resource Requirements</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547108">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547132">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547143">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547158">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2547303">Supported Operating Systems</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547334">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547350">An Authoritative-only Name Server</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547372">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2547656">Name Server Operations</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2547661">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2548915">Signals</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#notify">Notify</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2549203">Split DNS</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549627">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549830">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549838">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549878">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2549998">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550042">Errors</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550056">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550173">SIG(0)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550308">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550375">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550450">Configuring Servers</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2550473">IPv6 Support in <span class="acronym">BIND</span> 9</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550600">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2550620">Address to Name Lookups Using Nibble Format</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <span class="acronym">BIND</span> 9 Lightweight Resolver</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2550652">The Lightweight Resolver Library</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <span class="acronym">BIND</span> 9 Configuration Reference</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2551817">Comment Syntax</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552302"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
-Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552471"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552808"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552823"><span><strong class="command">include</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552845"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2552867"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553006"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2553269"><span><strong class="command">logging</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554474"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554547"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554610"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554653"><span><strong class="command">masters</strong></span> Statement Definition and Usage </a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2554668"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562233"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562281"><span><strong class="command">trusted-keys</strong></span> Statement Definition
-and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2562349"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
-Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2563022"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2564557">Zone File</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2565990">Discussion of MX Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566487">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566593">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2566761"><span class="acronym">BIND</span> Master File Extension: the <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
-</dl></dd>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <span class="acronym">BIND</span> 9 Security Considerations</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2567222"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
-UNIX servers)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567366">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567424">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
-</dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
-</dl></dd>
-<dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567630">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2567636">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567648">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2567665">Where Can I Get Help?</a></span></dt>
-</dl></dd>
-<dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
-<dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2567795">Acknowledgments</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2567800">A Brief History of the <span class="acronym">DNS</span> and <span class="acronym">BIND</span></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#historical_dns_information">General <span class="acronym">DNS</span> Reference Information</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
-<dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2570087">Other Documents About <span class="acronym">BIND</span></a></span></dt>
-</dl></dd>
-</dl></dd>
-</dl>
-</div>
-</div>
-<div class="navfooter">
-<hr>
-<table width="100%" summary="Navigation footer">
-<tr>
-<td width="40%" align="left"> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch01.html">Next</a>
-</td>
-</tr>
-<tr>
-<td width="40%" align="left" valign="top"> </td>
-<td width="20%" align="center"> </td>
-<td width="40%" align="right" valign="top"> Chapter 1. Introduction </td>
-</tr>
-</table>
-</div>
-</body>
-</html>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.pdf b/contrib/bind9/doc/arm/Bv9ARM.pdf
deleted file mode 100755
index 6119ca4ce244..000000000000
--- a/contrib/bind9/doc/arm/Bv9ARM.pdf
+++ /dev/null
@@ -1,8964 +0,0 @@
-%PDF-1.4
-5 0 obj
-<< /S /GoTo /D (chapter.1) >>
-endobj
-8 0 obj
-(1 Introduction)
-endobj
-9 0 obj
-<< /S /GoTo /D (section.1.1) >>
-endobj
-12 0 obj
-(1.1 Scope of Document)
-endobj
-13 0 obj
-<< /S /GoTo /D (section.1.2) >>
-endobj
-16 0 obj
-(1.2 Organization of This Document)
-endobj
-17 0 obj
-<< /S /GoTo /D (section.1.3) >>
-endobj
-20 0 obj
-(1.3 Conventions Used in This Document)
-endobj
-21 0 obj
-<< /S /GoTo /D (section.1.4) >>
-endobj
-24 0 obj
-(1.4 The Domain Name System \(DNS\))
-endobj
-25 0 obj
-<< /S /GoTo /D (subsection.1.4.1) >>
-endobj
-28 0 obj
-(1.4.1 DNS Fundamentals)
-endobj
-29 0 obj
-<< /S /GoTo /D (subsection.1.4.2) >>
-endobj
-32 0 obj
-(1.4.2 Domains and Domain Names)
-endobj
-33 0 obj
-<< /S /GoTo /D (subsection.1.4.3) >>
-endobj
-36 0 obj
-(1.4.3 Zones)
-endobj
-37 0 obj
-<< /S /GoTo /D (subsection.1.4.4) >>
-endobj
-40 0 obj
-(1.4.4 Authoritative Name Servers)
-endobj
-41 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.1) >>
-endobj
-44 0 obj
-(1.4.4.1 The Primary Master)
-endobj
-45 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.2) >>
-endobj
-48 0 obj
-(1.4.4.2 Slave Servers)
-endobj
-49 0 obj
-<< /S /GoTo /D (subsubsection.1.4.4.3) >>
-endobj
-52 0 obj
-(1.4.4.3 Stealth Servers)
-endobj
-53 0 obj
-<< /S /GoTo /D (subsection.1.4.5) >>
-endobj
-56 0 obj
-(1.4.5 Caching Name Servers)
-endobj
-57 0 obj
-<< /S /GoTo /D (subsubsection.1.4.5.1) >>
-endobj
-60 0 obj
-(1.4.5.1 Forwarding)
-endobj
-61 0 obj
-<< /S /GoTo /D (subsection.1.4.6) >>
-endobj
-64 0 obj
-(1.4.6 Name Servers in Multiple Roles)
-endobj
-65 0 obj
-<< /S /GoTo /D (chapter.2) >>
-endobj
-68 0 obj
-(2 BIND Resource Requirements)
-endobj
-69 0 obj
-<< /S /GoTo /D (section.2.1) >>
-endobj
-72 0 obj
-(2.1 Hardware requirements)
-endobj
-73 0 obj
-<< /S /GoTo /D (section.2.2) >>
-endobj
-76 0 obj
-(2.2 CPU Requirements)
-endobj
-77 0 obj
-<< /S /GoTo /D (section.2.3) >>
-endobj
-80 0 obj
-(2.3 Memory Requirements)
-endobj
-81 0 obj
-<< /S /GoTo /D (section.2.4) >>
-endobj
-84 0 obj
-(2.4 Name Server Intensive Environment Issues)
-endobj
-85 0 obj
-<< /S /GoTo /D (section.2.5) >>
-endobj
-88 0 obj
-(2.5 Supported Operating Systems)
-endobj
-89 0 obj
-<< /S /GoTo /D (chapter.3) >>
-endobj
-92 0 obj
-(3 Name Server Configuration)
-endobj
-93 0 obj
-<< /S /GoTo /D (section.3.1) >>
-endobj
-96 0 obj
-(3.1 Sample Configurations)
-endobj
-97 0 obj
-<< /S /GoTo /D (subsection.3.1.1) >>
-endobj
-100 0 obj
-(3.1.1 A Caching-only Name Server)
-endobj
-101 0 obj
-<< /S /GoTo /D (subsection.3.1.2) >>
-endobj
-104 0 obj
-(3.1.2 An Authoritative-only Name Server)
-endobj
-105 0 obj
-<< /S /GoTo /D (section.3.2) >>
-endobj
-108 0 obj
-(3.2 Load Balancing)
-endobj
-109 0 obj
-<< /S /GoTo /D (section.3.3) >>
-endobj
-112 0 obj
-(3.3 Name Server Operations)
-endobj
-113 0 obj
-<< /S /GoTo /D (subsection.3.3.1) >>
-endobj
-116 0 obj
-(3.3.1 Tools for Use With the Name Server Daemon)
-endobj
-117 0 obj
-<< /S /GoTo /D (subsubsection.3.3.1.1) >>
-endobj
-120 0 obj
-(3.3.1.1 Diagnostic Tools)
-endobj
-121 0 obj
-<< /S /GoTo /D (subsubsection.3.3.1.2) >>
-endobj
-124 0 obj
-(3.3.1.2 Administrative Tools)
-endobj
-125 0 obj
-<< /S /GoTo /D (subsection.3.3.2) >>
-endobj
-128 0 obj
-(3.3.2 Signals)
-endobj
-129 0 obj
-<< /S /GoTo /D (chapter.4) >>
-endobj
-132 0 obj
-(4 Advanced DNS Features)
-endobj
-133 0 obj
-<< /S /GoTo /D (section.4.1) >>
-endobj
-136 0 obj
-(4.1 Notify)
-endobj
-137 0 obj
-<< /S /GoTo /D (section.4.2) >>
-endobj
-140 0 obj
-(4.2 Dynamic Update)
-endobj
-141 0 obj
-<< /S /GoTo /D (subsection.4.2.1) >>
-endobj
-144 0 obj
-(4.2.1 The journal file)
-endobj
-145 0 obj
-<< /S /GoTo /D (section.4.3) >>
-endobj
-148 0 obj
-(4.3 Incremental Zone Transfers \(IXFR\))
-endobj
-149 0 obj
-<< /S /GoTo /D (section.4.4) >>
-endobj
-152 0 obj
-(4.4 Split DNS)
-endobj
-153 0 obj
-<< /S /GoTo /D (section.4.5) >>
-endobj
-156 0 obj
-(4.5 TSIG)
-endobj
-157 0 obj
-<< /S /GoTo /D (subsection.4.5.1) >>
-endobj
-160 0 obj
-(4.5.1 Generate Shared Keys for Each Pair of Hosts)
-endobj
-161 0 obj
-<< /S /GoTo /D (subsubsection.4.5.1.1) >>
-endobj
-164 0 obj
-(4.5.1.1 Automatic Generation)
-endobj
-165 0 obj
-<< /S /GoTo /D (subsubsection.4.5.1.2) >>
-endobj
-168 0 obj
-(4.5.1.2 Manual Generation)
-endobj
-169 0 obj
-<< /S /GoTo /D (subsection.4.5.2) >>
-endobj
-172 0 obj
-(4.5.2 Copying the Shared Secret to Both Machines)
-endobj
-173 0 obj
-<< /S /GoTo /D (subsection.4.5.3) >>
-endobj
-176 0 obj
-(4.5.3 Informing the Servers of the Key's Existence)
-endobj
-177 0 obj
-<< /S /GoTo /D (subsection.4.5.4) >>
-endobj
-180 0 obj
-(4.5.4 Instructing the Server to Use the Key)
-endobj
-181 0 obj
-<< /S /GoTo /D (subsection.4.5.5) >>
-endobj
-184 0 obj
-(4.5.5 TSIG Key Based Access Control)
-endobj
-185 0 obj
-<< /S /GoTo /D (subsection.4.5.6) >>
-endobj
-188 0 obj
-(4.5.6 Errors)
-endobj
-189 0 obj
-<< /S /GoTo /D (section.4.6) >>
-endobj
-192 0 obj
-(4.6 TKEY)
-endobj
-193 0 obj
-<< /S /GoTo /D (section.4.7) >>
-endobj
-196 0 obj
-(4.7 SIG\(0\))
-endobj
-197 0 obj
-<< /S /GoTo /D (section.4.8) >>
-endobj
-200 0 obj
-(4.8 DNSSEC)
-endobj
-201 0 obj
-<< /S /GoTo /D (subsection.4.8.1) >>
-endobj
-204 0 obj
-(4.8.1 Generating Keys)
-endobj
-205 0 obj
-<< /S /GoTo /D (subsection.4.8.2) >>
-endobj
-208 0 obj
-(4.8.2 Signing the Zone)
-endobj
-209 0 obj
-<< /S /GoTo /D (subsection.4.8.3) >>
-endobj
-212 0 obj
-(4.8.3 Configuring Servers)
-endobj
-213 0 obj
-<< /S /GoTo /D (section.4.9) >>
-endobj
-216 0 obj
-(4.9 IPv6 Support in BIND 9)
-endobj
-217 0 obj
-<< /S /GoTo /D (subsection.4.9.1) >>
-endobj
-220 0 obj
-(4.9.1 Address Lookups Using AAAA Records)
-endobj
-221 0 obj
-<< /S /GoTo /D (subsection.4.9.2) >>
-endobj
-224 0 obj
-(4.9.2 Address to Name Lookups Using Nibble Format)
-endobj
-225 0 obj
-<< /S /GoTo /D (chapter.5) >>
-endobj
-228 0 obj
-(5 The BIND 9 Lightweight Resolver)
-endobj
-229 0 obj
-<< /S /GoTo /D (section.5.1) >>
-endobj
-232 0 obj
-(5.1 The Lightweight Resolver Library)
-endobj
-233 0 obj
-<< /S /GoTo /D (section.5.2) >>
-endobj
-236 0 obj
-(5.2 Running a Resolver Daemon)
-endobj
-237 0 obj
-<< /S /GoTo /D (chapter.6) >>
-endobj
-240 0 obj
-(6 BIND 9 Configuration Reference)
-endobj
-241 0 obj
-<< /S /GoTo /D (section.6.1) >>
-endobj
-244 0 obj
-(6.1 Configuration File Elements)
-endobj
-245 0 obj
-<< /S /GoTo /D (subsection.6.1.1) >>
-endobj
-248 0 obj
-(6.1.1 Address Match Lists)
-endobj
-249 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.1) >>
-endobj
-252 0 obj
-(6.1.1.1 Syntax)
-endobj
-253 0 obj
-<< /S /GoTo /D (subsubsection.6.1.1.2) >>
-endobj
-256 0 obj
-(6.1.1.2 Definition and Usage)
-endobj
-257 0 obj
-<< /S /GoTo /D (subsection.6.1.2) >>
-endobj
-260 0 obj
-(6.1.2 Comment Syntax)
-endobj
-261 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.1) >>
-endobj
-264 0 obj
-(6.1.2.1 Syntax)
-endobj
-265 0 obj
-<< /S /GoTo /D (subsubsection.6.1.2.2) >>
-endobj
-268 0 obj
-(6.1.2.2 Definition and Usage)
-endobj
-269 0 obj
-<< /S /GoTo /D (section.6.2) >>
-endobj
-272 0 obj
-(6.2 Configuration File Grammar)
-endobj
-273 0 obj
-<< /S /GoTo /D (subsection.6.2.1) >>
-endobj
-276 0 obj
-(6.2.1 acl Statement Grammar)
-endobj
-277 0 obj
-<< /S /GoTo /D (subsection.6.2.2) >>
-endobj
-280 0 obj
-(6.2.2 acl Statement Definition and Usage)
-endobj
-281 0 obj
-<< /S /GoTo /D (subsection.6.2.3) >>
-endobj
-284 0 obj
-(6.2.3 controls Statement Grammar)
-endobj
-285 0 obj
-<< /S /GoTo /D (subsection.6.2.4) >>
-endobj
-288 0 obj
-(6.2.4 controls Statement Definition and Usage)
-endobj
-289 0 obj
-<< /S /GoTo /D (subsection.6.2.5) >>
-endobj
-292 0 obj
-(6.2.5 include Statement Grammar)
-endobj
-293 0 obj
-<< /S /GoTo /D (subsection.6.2.6) >>
-endobj
-296 0 obj
-(6.2.6 include Statement Definition and Usage)
-endobj
-297 0 obj
-<< /S /GoTo /D (subsection.6.2.7) >>
-endobj
-300 0 obj
-(6.2.7 key Statement Grammar)
-endobj
-301 0 obj
-<< /S /GoTo /D (subsection.6.2.8) >>
-endobj
-304 0 obj
-(6.2.8 key Statement Definition and Usage)
-endobj
-305 0 obj
-<< /S /GoTo /D (subsection.6.2.9) >>
-endobj
-308 0 obj
-(6.2.9 logging Statement Grammar)
-endobj
-309 0 obj
-<< /S /GoTo /D (subsection.6.2.10) >>
-endobj
-312 0 obj
-(6.2.10 logging Statement Definition and Usage)
-endobj
-313 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.1) >>
-endobj
-316 0 obj
-(6.2.10.1 The channel Phrase)
-endobj
-317 0 obj
-<< /S /GoTo /D (subsubsection.6.2.10.2) >>
-endobj
-320 0 obj
-(6.2.10.2 The category Phrase)
-endobj
-321 0 obj
-<< /S /GoTo /D (subsection.6.2.11) >>
-endobj
-324 0 obj
-(6.2.11 lwres Statement Grammar)
-endobj
-325 0 obj
-<< /S /GoTo /D (subsection.6.2.12) >>
-endobj
-328 0 obj
-(6.2.12 lwres Statement Definition and Usage)
-endobj
-329 0 obj
-<< /S /GoTo /D (subsection.6.2.13) >>
-endobj
-332 0 obj
-(6.2.13 masters Statement Grammar)
-endobj
-333 0 obj
-<< /S /GoTo /D (subsection.6.2.14) >>
-endobj
-336 0 obj
-(6.2.14 masters Statement Definition and Usage)
-endobj
-337 0 obj
-<< /S /GoTo /D (subsection.6.2.15) >>
-endobj
-340 0 obj
-(6.2.15 options Statement Grammar)
-endobj
-341 0 obj
-<< /S /GoTo /D (subsection.6.2.16) >>
-endobj
-344 0 obj
-(6.2.16 options Statement Definition and Usage)
-endobj
-345 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.1) >>
-endobj
-348 0 obj
-(6.2.16.1 Boolean Options)
-endobj
-349 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.2) >>
-endobj
-352 0 obj
-(6.2.16.2 Forwarding)
-endobj
-353 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.3) >>
-endobj
-356 0 obj
-(6.2.16.3 Dual-stack Servers)
-endobj
-357 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.4) >>
-endobj
-360 0 obj
-(6.2.16.4 Access Control)
-endobj
-361 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.5) >>
-endobj
-364 0 obj
-(6.2.16.5 Interfaces)
-endobj
-365 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.6) >>
-endobj
-368 0 obj
-(6.2.16.6 Query Address)
-endobj
-369 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.7) >>
-endobj
-372 0 obj
-(6.2.16.7 Zone Transfers)
-endobj
-373 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.8) >>
-endobj
-376 0 obj
-(6.2.16.8 Bad UDP Port Lists)
-endobj
-377 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.9) >>
-endobj
-380 0 obj
-(6.2.16.9 Operating System Resource Limits)
-endobj
-381 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.10) >>
-endobj
-384 0 obj
-(6.2.16.10 Server Resource Limits)
-endobj
-385 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.11) >>
-endobj
-388 0 obj
-(6.2.16.11 Periodic Task Intervals)
-endobj
-389 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.12) >>
-endobj
-392 0 obj
-(6.2.16.12 Topology)
-endobj
-393 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.13) >>
-endobj
-396 0 obj
-(6.2.16.13 The sortlist Statement)
-endobj
-397 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.14) >>
-endobj
-400 0 obj
-(6.2.16.14 RRset Ordering)
-endobj
-401 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.15) >>
-endobj
-404 0 obj
-(6.2.16.15 Tuning)
-endobj
-405 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.16) >>
-endobj
-408 0 obj
-(6.2.16.16 Built-in server information zones)
-endobj
-409 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.17) >>
-endobj
-412 0 obj
-(6.2.16.17 The Statistics File)
-endobj
-413 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
-endobj
-416 0 obj
-(6.2.17 server Statement Grammar)
-endobj
-417 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
-endobj
-420 0 obj
-(6.2.18 server Statement Definition and Usage)
-endobj
-421 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
-endobj
-424 0 obj
-(6.2.19 trusted-keys Statement Grammar)
-endobj
-425 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
-endobj
-428 0 obj
-(6.2.20 trusted-keys Statement Definition and Usage)
-endobj
-429 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
-endobj
-432 0 obj
-(6.2.21 view Statement Grammar)
-endobj
-433 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
-endobj
-436 0 obj
-(6.2.22 view Statement Definition and Usage)
-endobj
-437 0 obj
-<< /S /GoTo /D (subsection.6.2.23) >>
-endobj
-440 0 obj
-(6.2.23 zone Statement Grammar)
-endobj
-441 0 obj
-<< /S /GoTo /D (subsection.6.2.24) >>
-endobj
-444 0 obj
-(6.2.24 zone Statement Definition and Usage)
-endobj
-445 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.1) >>
-endobj
-448 0 obj
-(6.2.24.1 Zone Types)
-endobj
-449 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.2) >>
-endobj
-452 0 obj
-(6.2.24.2 Class)
-endobj
-453 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.3) >>
-endobj
-456 0 obj
-(6.2.24.3 Zone Options)
-endobj
-457 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.4) >>
-endobj
-460 0 obj
-(6.2.24.4 Dynamic Update Policies)
-endobj
-461 0 obj
-<< /S /GoTo /D (section.6.3) >>
-endobj
-464 0 obj
-(6.3 Zone File)
-endobj
-465 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
-endobj
-468 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
-endobj
-469 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
-endobj
-472 0 obj
-(6.3.1.1 Resource Records)
-endobj
-473 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
-endobj
-476 0 obj
-(6.3.1.2 Textual expression of RRs)
-endobj
-477 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
-endobj
-480 0 obj
-(6.3.2 Discussion of MX Records)
-endobj
-481 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
-endobj
-484 0 obj
-(6.3.3 Setting TTLs)
-endobj
-485 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
-endobj
-488 0 obj
-(6.3.4 Inverse Mapping in IPv4)
-endobj
-489 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
-endobj
-492 0 obj
-(6.3.5 Other Zone File Directives)
-endobj
-493 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
-endobj
-496 0 obj
-(6.3.5.1 The \044ORIGIN Directive)
-endobj
-497 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
-endobj
-500 0 obj
-(6.3.5.2 The \044INCLUDE Directive)
-endobj
-501 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
-endobj
-504 0 obj
-(6.3.5.3 The \044TTL Directive)
-endobj
-505 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
-endobj
-508 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
-endobj
-509 0 obj
-<< /S /GoTo /D (chapter.7) >>
-endobj
-512 0 obj
-(7 BIND 9 Security Considerations)
-endobj
-513 0 obj
-<< /S /GoTo /D (section.7.1) >>
-endobj
-516 0 obj
-(7.1 Access Control Lists)
-endobj
-517 0 obj
-<< /S /GoTo /D (section.7.2) >>
-endobj
-520 0 obj
-(7.2 chroot and setuid \(for UNIX servers\))
-endobj
-521 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
-endobj
-524 0 obj
-(7.2.1 The chroot Environment)
-endobj
-525 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
-endobj
-528 0 obj
-(7.2.2 Using the setuid Function)
-endobj
-529 0 obj
-<< /S /GoTo /D (section.7.3) >>
-endobj
-532 0 obj
-(7.3 Dynamic Update Security)
-endobj
-533 0 obj
-<< /S /GoTo /D (chapter.8) >>
-endobj
-536 0 obj
-(8 Troubleshooting)
-endobj
-537 0 obj
-<< /S /GoTo /D (section.8.1) >>
-endobj
-540 0 obj
-(8.1 Common Problems)
-endobj
-541 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
-endobj
-544 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
-endobj
-545 0 obj
-<< /S /GoTo /D (section.8.2) >>
-endobj
-548 0 obj
-(8.2 Incrementing and Changing the Serial Number)
-endobj
-549 0 obj
-<< /S /GoTo /D (section.8.3) >>
-endobj
-552 0 obj
-(8.3 Where Can I Get Help?)
-endobj
-553 0 obj
-<< /S /GoTo /D (appendix.A) >>
-endobj
-556 0 obj
-(A Appendices)
-endobj
-557 0 obj
-<< /S /GoTo /D (section.A.1) >>
-endobj
-560 0 obj
-(A.1 Acknowledgments)
-endobj
-561 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
-endobj
-564 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
-endobj
-565 0 obj
-<< /S /GoTo /D (section.A.2) >>
-endobj
-568 0 obj
-(A.2 General DNS Reference Information)
-endobj
-569 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
-endobj
-572 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
-endobj
-573 0 obj
-<< /S /GoTo /D (section.A.3) >>
-endobj
-576 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
-endobj
-577 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
-endobj
-580 0 obj
-(A.3.1 Request for Comments \(RFCs\))
-endobj
-581 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
-endobj
-584 0 obj
-(A.3.2 Internet Drafts)
-endobj
-585 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
-endobj
-588 0 obj
-(A.3.3 Other Documents About BIND)
-endobj
-589 0 obj
-<< /S /GoTo /D [590 0 R /FitH ] >>
-endobj
-592 0 obj <<
-/Length 221
-/Filter /FlateDecode
->>
-stream
-xÚOKA Åïû)rlÁ‰“Ý™£¥*
-ö s“Öv*…îÖêçw¶[‹ É!$ùñy¾A0ôê¨hž Ömåá­Üî+:3j‚¦"eøãê$
-•
-endobj
-590 0 obj <<
-/Type /Page
-/Contents 592 0 R
-/Resources 591 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
->> endobj
-593 0 obj <<
-/D [590 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-594 0 obj <<
-/D [590 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-591 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-604 0 obj <<
-/Length 302
-/Filter /FlateDecode
->>
-stream
-xÚµ’ÁNÃ0 @ïýŠWiõ;N–+CãºÞ4º±ÃZÔ¡ý= ekCì‚zˆ-?ÙÉ«µÂði%¬'¯œ7 ¨E­v ªM¨Ý%ú‹1 †9$ª»)’„ÈÀ4tR?hÍÈìTæăeâˆßÉdfXyð–¬*ÖJ³ƒxŸU<?ŒòúõÐl7/múXÜ+Apèõ€;` “™6ƒN³> pËкC¿%!šqš‘` ¥‹æU[6UÙvÙâ°oËݾKòºÚ×M»}Ûì
-ÒŒ5†y‚K"3_äñ©Žã“Ûâd&Šk­rF‡âåOŸt6Ä/kã|ßõ7ôŸ±÷¨ûú/Ú­×íûS“êé¨<W çþŽ›ÌqW¯ÞãÊ´­Jendstream
-endobj
-603 0 obj <<
-/Type /Page
-/Contents 604 0 R
-/Resources 602 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
->> endobj
-605 0 obj <<
-/D [603 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-602 0 obj <<
-/Font << /F43 600 0 R /F14 608 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-611 0 obj <<
-/Length 2204
-/Filter /FlateDecode
->>
-stream
-xÚÝYKã6¾ûWø¨ÆZ>ÄWn;3›Å‹Yìv9$9¨%¶-Œ,)ztÇùõ[d‘¶lË3ƒ6X4ЦJ,²XõÕWE›® üѵ)á&[+“¥‚P±.ö+²Þ»¿¯h˜“ žŠŒsxXx»\§B3µÞÌyû°úË÷[3’JÉÄúá鸗T:5<3ë‡òçäÝ.ïFÛßm˜ ½ûõáTËR¥uj¶©2D{…ÍØ·åTŒUÛ„é|mR#™Œ³肹nöÃÎÂÒZ:5Û7vħ÷í>¯Ì÷aÎýaíÇ¿AÞ¼‡ê*)Úf¨†qÀ×í~ŽqýáÐŒùïAØYg‹êép1³ý.V±ÍXJURÝѤÁ¡S‚3ºSQš!XôA8 g$qáŒ&9>î*ÛçýÕI±«Š¼Fé>op³Ê’7 àíqoú;LµÛÜ-2 ¶DùSÛã ´µÝæcÕlÃ>Ó¸kûj3(iŸm˜ëvÈ›°RØŠ‚“¼ƒÏNDý‰ª}WÛ=ø!÷qÝ00tÜå.\J$y1Ny]P¾Ï»GÑ•0ÅûD³8;Ųôž°Ã`‡ŒÐ<¨âÔ2sœV qå
-,¨ç÷ì!â–ÁÇ­_«:”BôbSHúêqý"b)Nê6̽Uó4Ky&Y@qFR&9bž¦
-.ƒpŽ(£cžÀØeÄÛ߇”
-Îzè°Ÿ-&¸
-D’­m<ìpҡèàíƵáGó¿sV­þöpüöÆHh5]S¡S"¡•+ö«ßV?ÿJÖ劬X‘”-Ö/ð
-ûUÆaH„Ž’zu¿úש혵7-@=k…aõùR›x¦ Í$l©éñû¨ 8ó”r“J“…{ŽošÂ%Ö¼+·q&R˜§×ó-¾Íêã’_0›CØieÎÍþéñ&\†ñP_B¸ÎX
-ñŠ‡È\:4W› û¿ƒãPé¡Kÿú3E›pbøÏðÓ×›|N®ÁÌmrǯÜÀÇû"ÄÑmÆáFOXm–üøï¼Á™»vg3×êX×.¾8¨H1ºa¾¿ú†Ë}c_l¿?:ÖÛˆžòÛ7Cô¥ç„ZDôÌsßW¿;Ž•@¿/U9înƒ÷Õìý7ú¹èI¾
-endobj
-610 0 obj <<
-/Type /Page
-/Contents 611 0 R
-/Resources 609 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
->> endobj
-612 0 obj <<
-/D [610 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-6 0 obj <<
-/D [610 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-613 0 obj <<
-/D [610 0 R /XYZ 85.0394 582.8476 null]
->> endobj
-10 0 obj <<
-/D [610 0 R /XYZ 85.0394 512.9824 null]
->> endobj
-614 0 obj <<
-/D [610 0 R /XYZ 85.0394 474.7837 null]
->> endobj
-14 0 obj <<
-/D [610 0 R /XYZ 85.0394 399.5462 null]
->> endobj
-615 0 obj <<
-/D [610 0 R /XYZ 85.0394 363.8828 null]
->> endobj
-18 0 obj <<
-/D [610 0 R /XYZ 85.0394 223.0066 null]
->> endobj
-619 0 obj <<
-/D [610 0 R /XYZ 85.0394 190.9009 null]
->> endobj
-620 0 obj <<
-/D [610 0 R /XYZ 85.0394 170.4169 null]
->> endobj
-621 0 obj <<
-/D [610 0 R /XYZ 85.0394 158.4617 null]
->> endobj
-609 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F58 627 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-630 0 obj <<
-/Length 3297
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛÆ×_ÁGhÆDï8àúæÄv£ÌÄN-u2m’
-·ú]ù=ÛüTæýÃóÚ"FìŸ\]FB'_W—T°› xð˜ÊlS¨®F\üyue,ÄÇ(¿®+±6¦4óÁ…»¬ò‘°=öpqðóݵUAñ¥ç9Ž‰E½­šYìì>'ÑusȶŸŠ¾ûõYŽyý£4zÎ0ÿ𪄠Ó’ÒLk=Nu³”§’4ŒR )Ï€ý4$ë³Õ@Ô(ÔäÃQÎ3°«° 9†`'~;d¿7Í>óæxŸí™zûÔõÅ~ÜÕ˜¸dOØÄŽ²jª‚öxh‰SIˆýƒó äÍö¸‡4Kt¢Â|C³Å—¶"®ÜK¼KYw}VU>sÂTVç48¶ŸŠ¢½<Œßãô ¤®Ùõ§³Ç!›àpÙ}ñ
-%g:”…vQpÂÅàÛ›âÞ1¤Í‘h¯Ç²`
-ßV%˜ÞÅî8¨šæŽ-='*%=rÅÞL°¹–Á Á”ÃlpcN³f’f!$§&â4ËÚl*ÐÙ‚ j )AK^\•<O%¾¢óNà=tZWÔ9KóùXJg ˜mĦf¾›=÷ìC \®•Ñ¡²6ö:§œX“·»Ãhå–!(§ŠÅ9¼h§<°MKç¡ÎµW$X -XªèÐÓUÌ·-Ž9²áÈòÑ“
-^ ±c$<‹0q7|9_²­Õ†å}žW³kö'Fó;;
-¬´Ä‚T*L’T _Å’º#H¸Âª‘¾v—‹17ûÍ6e½( ¤V!ý^‹au­¢$Œ5:ÆexU>¼ºðØ]hâ2%àšQ¸•
-
-^OaÝÇ…¥ºðˆ¢©+Æßp©KHª4>•€ñ9”•=º–o~Íðƒox¼Ã{©¥… Û·^&­
- v}¬ÏX0Ú¹w”ð«­á(ã'A…ý·}›ÕKaNÅ
-®ˆðNóvrüM½ —J”¿šÛæXåtÞ¦Xh"D°’Œ6Ë*d!C`ka{GR7Ÿ<3–¡ˆaÁÄ3O Gx%™ªdàré(È‚V¤^ôniSR”¬àZ-Qªâ=‡ÞnaCëqÍY‰¡²õ±®9ÐF/ˆ/eÆ‘õ™\±©ï="˜l¯1’
-/!ﺄt˜Ê!âz)3â½;nÎ1Bfš„IES=Ãå\Ü J^P0Öö*C¡{Ò
-B†Oƒ³qù°à®ié ŽÁtáK4¼ Ý «&÷cT¤Á à±þÂ…㊠Ûýç›e8 ÀµÓÈxV‡eí¦o¶MµT«AôUƒ€¡
-2”6¾¸/d€$e8Ž£¬ëšmÉ)~c^¤›#9GP³aäŒω1Î+{£  Qir_T©ÑPýø"ëHÞƒ¨€¬óE Ÿ
-nÏ´ 1Ì)*¡q<u´îض͡÷þµÀÓ@õhŸ-ûÔKŸãü‡ ³Ã^4ŽU1‚©‚úÍJ)±[Js‡û >NÚ«´|=^?ï‰ÏvEán‹íù›ÔL¡¼d!¿”JN¸™µx‡U/01ßmä¨*´!­ZDWæÜÞp•V^¸¸QVT‰%-3¬¾è
-N
-JÐ}y_s5·[®6¹æʹÙÔø: 5
-ê<eX¿¿0·Ò|ß™¯¼^òñÒ)'üÌ?øU/p1ßíù.rlMªæ] Í]Œ=“{§=
-ü„6ÓC¨m‹ÖHÁ±kXkenׂÐbÒƒ‚âK špxÞ(÷G²šÉ=Ÿe;¤ž|NsºÀA^îƒgÖzË'oŠþT`y†‹–Ò\$L˜¥G¨c tH@ª‰œ4öžÙЕ–PœG‹µøKå¿¿ÝLäËM
-º±±ûZÑô@­r µþ;Esì*בå>i¤`À5”RñÍ’wÊègÛ”NÑ@q÷HyQ÷>>Xêÿ"n¹ÿë(Ü”pêLGõg¹nd³#:ííOüv´pͱyYÞA jà¶x$F‹ g"^sîF™‰C[ g%MšÅQ<¦ñ ]¢>d|ȶ±ÐpŸ]bsÙ÷Ýl*oÒ ‚õ„Úx{ê:8”=YÊ!½Ø}âÀUç®[êZ-ˆÿ1¹¡8‘Áà¹i
-endobj
-629 0 obj <<
-/Type /Page
-/Contents 630 0 R
-/Resources 628 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
-/Annots [ 640 0 R 641 0 R ]
->> endobj
-640 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [272.8897 231.1055 329.1084 243.1651]
-/Subtype /Link
-/A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
->> endobj
-641 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [190.6691 203.5826 249.6573 212.9922]
-/Subtype /Link
-/A << /S /GoTo /D (rfcs) >>
->> endobj
-631 0 obj <<
-/D [629 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-635 0 obj <<
-/D [629 0 R /XYZ 56.6929 756.8229 null]
->> endobj
-636 0 obj <<
-/D [629 0 R /XYZ 56.6929 744.8677 null]
->> endobj
-22 0 obj <<
-/D [629 0 R /XYZ 56.6929 651.295 null]
->> endobj
-637 0 obj <<
-/D [629 0 R /XYZ 56.6929 612.4036 null]
->> endobj
-26 0 obj <<
-/D [629 0 R /XYZ 56.6929 567.3837 null]
->> endobj
-638 0 obj <<
-/D [629 0 R /XYZ 56.6929 542.6255 null]
->> endobj
-30 0 obj <<
-/D [629 0 R /XYZ 56.6929 441.1968 null]
->> endobj
-639 0 obj <<
-/D [629 0 R /XYZ 56.6929 415.1634 null]
->> endobj
-34 0 obj <<
-/D [629 0 R /XYZ 56.6929 188.7253 null]
->> endobj
-642 0 obj <<
-/D [629 0 R /XYZ 56.6929 161.3171 null]
->> endobj
-628 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-647 0 obj <<
-/Length 3284
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsÛF¾ëWð¶TÕ™f
->悺¾­ßó=ñä-„¸Éüò~T”¡Òå6¯™tÈ<€­·é¦»†‰9ÿ´eýPÉ›ì¾*:YnúŽUe@Vk¼ ªÒâ_}µ»]Y­—yÕ6<;àƒ3 ù˜Ÿ:5÷ò
-ÿ aR>½xºÕé²h/^‘xÂá„÷FÞKBîD 6=ñÃŽGmqz*N-‡:÷€·0CŠrò‚Q~I!­Øi
-ì(ÏÀ¸kŽåv?¬I6IiùZª…UjùýûoxÄü zçUE®8ƒ
-t6ƒôÎ.žEÛœ˜®ý"´†)ÐPÖ'Y >sú®Ø@1çLä 8
-N]6öÌšbóg&r™¦Öž'O |žöäaýjúÂuO~½/Jð¥Ø²êW±…–êÂù†¼g#éèêB[zOqª Ñ÷zöÖ`Xµš.»–ðz7Ñ‘ŽfÔ ¥12Ô-Æp0“Ú1ß‚ œq‚ü?¨xᇠ¾™iS$ÉU*œ¤ œ~ÆÂ+u)d¤PÆÛæøÂÓ„^’$,ó!IÒ^€ç°Jbº¤¤>¡¨K6ºÎæ1š;<í(
-`S‡¹3k^S Ôd gh&øäIL½Il9©A’oKHá¨âؼ"8žÎŒ»é²2‘.":ï;æR5ù®™MúìXSuÀ—“,ˆòTâ=@< ¸ —»’šU¤o^øwßòZ¶ ÷ÚAJô…úŽìûü(IE õ…w„àPl÷y]n²à‚i’Žƒx@$‡Ã )Ì’y¸Çb솤Ax“ð0Ç“¤ÐËÂëâP3hyÞ”ÚGÐwøó[º±¤½glê"'á…f#ê(õ.´È!z¾ºk¬#§­\e&M "I-FòD<ÉFòÄƉ ‡qv@4%ÀPÌ f’BK@H½ªL)FÒÌÄ!ä`
- ‰\ù€uó\ ú›»‹ÐÊE&KÆ lvó¡ÛbÜœóäzO ²¡®×˜€äFTŠ˜®–Úb1¢ÓËëP‰T ù
-–Úñ S;É´v¬Ç@Ι‰÷XA\u·zI éGÞp[´Â!è·oÃת1ø©KÝ™cãâ b{?›ØÅÇzÌWÎgˆBÕòåâ݆û ÜKò<Š"…ƒµ£{Ážçñ'Œy%R¨%?Êbr†ø’€¶’dH²ô !%©;é>‘Öl“ú‚¿rׂ4m[n(]$rQ‰5'hƒßêæd¬ˆSäÓ˜‰
-f²}¿¾ewÅk<A{syFÍáòKWäU·ÿ‹æ—6ô·´YU8H?811ÐGÿÖʪ‹ä&HŸæ âǶ|9 tí¿„‡]ˆ«m0ÄtQpd‡È×aD#{k1=¶Å°çŒ½¯8`s€ß‚º²ë;iæB4M
->ðű„€q™°? BBGÏ$3)ɶN.Žq
-,õ@ž/$½ñŸI:,ºHˆ>\)H÷R§oó…, È8šÊ/>R"<ã7$a RÚ…ÛɧaÝ”µé¹ÛÂN‰ _º‘o}K ¦è Hz,Š#£áãH:t6ôžH¤(? „µRבõ±(äƒMä©|Ë Š>¬4²<|i\ÃΔ âxš½ÕjB5~ ŵÃM |á„RæCEÊË*ß„ò= €%ól¼¸jÆï#e^ÉUÖx»Æ¬ÚyþùTR€
-¤„H¯DÃÊhuy¿ÄÄÉÅ>2/­& MO‹žÀ=A;ZT¢Éà²Á›.ß‘uÍ}Wˆ ,À¾Ô´ 'þ6Œ¨­}¹Ûõ\§(b‹J!.éÞÅËO\Ïbôd°¶½“ÏX3¯2‘'\ç
-À‚I£Ê€:¨lòΦؗtË$dÀ§~FWùÚ—².Xê¾™Z¿¯Gÿ >½m‡ûü
-endobj
-646 0 obj <<
-/Type /Page
-/Contents 647 0 R
-/Resources 645 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
-/Annots [ 650 0 R 651 0 R ]
->> endobj
-650 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 488.7856 539.579 500.8452]
-/Subtype /Link
-/A << /S /GoTo /D (diagnostic_tools) >>
->> endobj
-651 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 477.498 133.308 488.8901]
-/Subtype /Link
-/A << /S /GoTo /D (diagnostic_tools) >>
->> endobj
-648 0 obj <<
-/D [646 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-38 0 obj <<
-/D [646 0 R /XYZ 85.0394 599.0929 null]
->> endobj
-649 0 obj <<
-/D [646 0 R /XYZ 85.0394 568.7172 null]
->> endobj
-42 0 obj <<
-/D [646 0 R /XYZ 85.0394 457.9037 null]
->> endobj
-652 0 obj <<
-/D [646 0 R /XYZ 85.0394 429.0681 null]
->> endobj
-46 0 obj <<
-/D [646 0 R /XYZ 85.0394 352.2747 null]
->> endobj
-653 0 obj <<
-/D [646 0 R /XYZ 85.0394 326.5176 null]
->> endobj
-50 0 obj <<
-/D [646 0 R /XYZ 85.0394 247.1936 null]
->> endobj
-654 0 obj <<
-/D [646 0 R /XYZ 85.0394 221.4964 null]
->> endobj
-645 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-658 0 obj <<
-/Length 2395
-/Filter /FlateDecode
->>
-stream
-xڥ˒ã¶ñ>_¡[4UM|VNcï:;.ïl¼#RŽXK‚²HÎDùút£ )q*©Jé@ Ñh4úÝX…ð«$ Ò"*VYI(’UÙÜ…«XûÛ`œCÚL±~ØÞ}ÿS­Š H£tµ=LhåA˜çbµÝÿ¾AÜ…p½ýôñ~%áú×ÏO4~zøÌÐç<o?~¦ñ?Ã$üðô q¿"ÍÂõŸþ¾ýø•Ö“||Ú~ýòá··_žîÿØþ|÷q빞ÞL„Yþóî÷?ÂÕ.øó]È"OVo0 QѪ¹‹$±”Rß=ßýê NVíÖEI‰0ˆ$HåVTq´"(’$šÉ*)‚TFÒË* ‡!ÜW•Çʼ°”T£YJúüªÏ^HʉôÃÕ&Šƒ"±¥µ=âŽ<^ŸïE¾Ö][Ã>‚ÔÕî¬Î•îhz²íkµ×{‚ì.ômÚ®§Q{ÒgÕ?0í.]¯»?Y+:XJÒ KQ–""à YêúawËÓÒ]’$ˆ£Hð¾ï`S!×VÆsÐUïFšÙuŒØ‰i{$¼ÚH)ƒ4ò/~ Yª“ÚÕˆ›Âíô…KÚsC‡¤–4 C]Ó¬’þ
-C_µ†÷“$KÝu°‚$BM§á¶×pUó§í+¢Yöµ[n¯øPClÏÕÆÞ,t7"GëA?¯ˆ—%ë­ä^¬Ï8Ši<P˜Ú£$sáD–¹[Øó`›½|-Öm©j‚2@
-åäÿ÷E´ýÈ4_Wóq€Â1®L©Á$ š]3ˆ»:5vG áˆáý‘©°‚‡ºïhýz‡êîèö]fǃÎÓ4Y?WÀƸqÁ´'~e=Hä²q8åÛÚ,)³§µÒ‡P„úà
-é8¡‰<b)¢«„†—¤X&Á(tÀ`Ç€ÖØABzAŒvŠO\X¿¤†Y/(UH2D&§¦›HŒc#âg Fj:”tŽ†ZaÍlñ;úêÕÐõŽŒclò¦Ð1Ý›UfL*ýÐfOV° »kÞÈ2ßåTaIt¡5Šó¸ðvD‡FØ¥´o @Vc$ꎴDF‡Î˜‹I9€GöŒFÓ—êÕïª~1‡[sM#L½ÐJ”=Íæ5/B(ÊTº*"r±·P‘ËHÑh^f6±¶ˆ³õã’P£ÔóóÖ—‰µWìHh¢ˆ 34;²ÜkM‘·Çt!c‰Ë„úâ‚ Ù,+C€ Ï0Ãì@—|¹ÛÞVúNÏî u+ˆMŽU·êxõ¤Êoºç³ú#Eáåè
-E„©/XR.Wn_=˜Iú~†Æ£:ÕŒòµ­õÿü,’…ëŸ>ÐÈõ¶“ö2sB`ÕÀAÊhª¡‡°‡ñ mÌHððiÄy&@hýCŽÂÔã{lX¬Õ«¾ÚÀùüfõ
-7c®ûrún„u謘+Òi+í{Lßf÷s»x¯÷¼j>µoz,)✌{»B¸ÂNL‰ÖÑ”ŠwáÞ6Ü3.¹Ú¸­JžP4…-|×ﯛ×÷¶Šé[ÕµëöÅ'ηÔjt¼ˆˆ¨fË9'g…k¥äí „ 6BgØ ç¹vÔ Z3?p}w’‡ÎßmƒfåÁáÖ/—’’qo9“W=k£éµ€§Ï:é(%£Ù,—Ì¡D$ÝÃÜŒâÆž½ðš‘Y^d®|¶—`3„£ØÍR/+rC”¥7í=,î«s!Wüˆåy”_…zÿâAÑL‘Ÿº*µ«êª¿L A0uÀ›ò%Ê=_¼#5Œ¬!À—j'$ue¿
-öºD‘äó‡÷
-ÈYÊ%…ÂÜÂÑÔÈhÛ=LÜ1÷t!8Žßbeì}’ €}ú'¥‡Ð7d©¸Š„µjòr—x¨î˜æ¨¯œjUºÆ¦2ˆ}¯Ë²wþ`€ô…ÿ
-,üúD÷ÿù0þgÌóhü_AÎzÚ0(2é™B±¤7Œ»?)n9ÿÔ‹ö`endstream
-endobj
-657 0 obj <<
-/Type /Page
-/Contents 658 0 R
-/Resources 656 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 601 0 R
->> endobj
-659 0 obj <<
-/D [657 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-54 0 obj <<
-/D [657 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-660 0 obj <<
-/D [657 0 R /XYZ 56.6929 749.4437 null]
->> endobj
-58 0 obj <<
-/D [657 0 R /XYZ 56.6929 609.0996 null]
->> endobj
-661 0 obj <<
-/D [657 0 R /XYZ 56.6929 584.3177 null]
->> endobj
-62 0 obj <<
-/D [657 0 R /XYZ 56.6929 437.466 null]
->> endobj
-662 0 obj <<
-/D [657 0 R /XYZ 56.6929 410.2571 null]
->> endobj
-656 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-665 0 obj <<
-/Length 1888
-/Filter /FlateDecode
->>
-stream
-xÚ•XK“Û6 ¾çWø¨‰UIÔÃ:6iÚ¦3Ítší©ékÑgõpEÊŽóë  -oÔN:>
-Œì„SxóþÃ$ý»2ã<í•ý=ëIõj°&˜IóXäeÆfÊ".ÅŽÖÍâôa›&Iý,§æ"'63}mFlê¸.³’­ˆ4Îïþ‡A­Ì¢VNé.BCøEc¥ˆˆFƒŽ@£idh²•gEÊv’¶zd×]‰õ¤Ô@h[6×26~ØŠ¼Š~'èåÀJz0LH4e^#¯ˆŒšÎjâ%m+-:…n¤i\EæÜà­€û¼.P'5°£Žtá@ƒƒógìi$÷V{ýf¶W¢n6Oj:ŒSï-ɦד|êXNúR(àÇa£u¼KÚèc‹6«J|÷–h94D¼ÿí\uPÒÎtCœñ@_N júôòJĉœ:ó
-v¤ïý9
-Íž3_·F^¢vß2Ëm @=¦Â­FÍ4F€!g,©£ïÖ‹HúÔ…ˆ‹Rφ´‚ñ¥É{ìÅI@Á®!šë8ìnåè$÷ØNý;+ß‚ÇO7Œî®:êÒª‚0è»áª¼›ù|ÒS
-½z÷þËòÿP‰"Æÿ»Öþíò"Û› ýÕµDg(°±È’`Ý«^.þ7ûzµ
-endobj
-664 0 obj <<
-/Type /Page
-/Contents 665 0 R
-/Resources 663 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
->> endobj
-666 0 obj <<
-/D [664 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-66 0 obj <<
-/D [664 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-667 0 obj <<
-/D [664 0 R /XYZ 85.0394 573.1436 null]
->> endobj
-70 0 obj <<
-/D [664 0 R /XYZ 85.0394 573.1436 null]
->> endobj
-668 0 obj <<
-/D [664 0 R /XYZ 85.0394 538.4223 null]
->> endobj
-74 0 obj <<
-/D [664 0 R /XYZ 85.0394 433.7668 null]
->> endobj
-669 0 obj <<
-/D [664 0 R /XYZ 85.0394 392.81 null]
->> endobj
-78 0 obj <<
-/D [664 0 R /XYZ 85.0394 329.225 null]
->> endobj
-670 0 obj <<
-/D [664 0 R /XYZ 85.0394 290.8035 null]
->> endobj
-82 0 obj <<
-/D [664 0 R /XYZ 85.0394 191.4678 null]
->> endobj
-671 0 obj <<
-/D [664 0 R /XYZ 85.0394 156.6041 null]
->> endobj
-663 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-675 0 obj <<
-/Length 561
-/Filter /FlateDecode
->>
-stream
-xÚ¥T]o›0}çWø¤áúƒý˜¦´K¥¤)MSׇ4¸ÆÇÚþûl¢tOŠÌ=çúúÜÃu0@êÁ€ùÐD€@x!ÌÀî`!°WÜ…MŽ;&¹Ó¬ëĺºõ PøÄÉ뤇ˆs ’ôÉ&AGU@v¼Y¯"‡vÞ8.aÈ~X‡ÑÌ <;Y¬î4“p;.¶ç_gë$Œ4EL¡ëÅÊìÂøaÍÃ1zÜ,¢p®’ØyNî­09ö0í#Ú7ðÛzzF UíÞ[RÁxS‚X–Ç(d¥#’[±õx,8a‡­Ÿú†$TytiœG
-.â¹ÚáñÑ@/°…vå¡ÊrÙèh[¤ú¥v¸ÝN- Ãê%ßÖæö^j¶è/²ÖTùª×M‘½»yöˤ”ÙŠmÙg'žùæ0fgEZ¾M«D¯W}›}cCÁ˜qJ™¤fƒ*þ¶ìEøD•ìWjw•Û–nºm¥Æó¬i53ÈTH3qWÁZWó¥˜ÝH©áö§)…³›e¨Á‘ÜàYq–¨^ÊÊ)ÿÈ\ci6¸&wmYhVËÐûÎzÓ÷ç4ìB/MÙ 5vRÇ©j¨Î^º6+ ø¯±§ ö³úɪŸqò¿¯Äé 圜¦}:•„#(zÕwÉ/„WçRù_`éendstream
-endobj
-674 0 obj <<
-/Type /Page
-/Contents 675 0 R
-/Resources 673 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
->> endobj
-676 0 obj <<
-/D [674 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-86 0 obj <<
-/D [674 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-677 0 obj <<
-/D [674 0 R /XYZ 56.6929 744.7247 null]
->> endobj
-673 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-680 0 obj <<
-/Length 1190
-/Filter /FlateDecode
->>
-stream
-xÚÍW;ã6î÷W[É@D‹¤ž¸j³y )‚
-.AŠ.D‡óøfæ“EW üèªÌH«tUT)Éš­êÓC²:ÀÙ·Ôë¤'YÊ9lN㌗$+Y±Šo|¹}Ø|“²KHž³lµmf_y8\Øb0r\Ç,K"¾þeû=^KIQÔ^KÀENhÅþâ$Qù'9žÃÅgÕHv˜FaZÕ{3|U‘*g¹·’S’EêÌ|×ÃÅ*̱ÕvÅ#-kwÕ‰/ŸÃ¸¦e¤Îkµ{/ÓêVÓá µ‘{´Pß¡QItª?x«­9¢êas]ÛK¯Ô¨ÌQ¶#Ê&-É:NS½_W,’ÁœV6=›¥¤Ê2æû½‹Uj€%¿PC[ãR5øDM¡U/vWSƒOÖZÓö2—ƒ¦„§9ó@¦”äIE_Nè:¦Iõ§!{~ Ål(„ì qJXî ͦž¼Q!ŒXõÝ JÞT±Ð,³ý…¸l- <Ï
-¡Ä¸ØyýºkeoôRÛƤ(fÕ>Sç9³áƒÂСgr–FO×üu’ckûÌnÌã„;5íÚÚZ
-®Ý‰ÀÁ ®vª“Fm
-ó:ó= |ïß;O“9ª¦ÎÎö¿¤}GÞ´rDïXF÷-˃*–ž•A üXˆÆ*ÎT:æ( Jƒ?W{»@àß^™ý|`,] Ž4ÉHÁà­ˆ„(s F ‡w€×Àèo!¡©8+½ç ¯÷\'<ÏuâìáÅÿ!wT:íöê$Z_¡¿ˆ™Be“„ç!føïâ^Ž­¬ào!¿m‰CÁe5€B=—Òÿ1ëˆþåJ8q™ÞÇn´«ðœb/1ufi<!†iÔ®OÃÌÅ”³»_©pdp1Üò•¿oèÁ¶–‹ 'MøÌ…ìŸráÃ×Ûù»$|mðŒØo—¥/— _uð³å¶SyR
-endobj
-679 0 obj <<
-/Type /Page
-/Contents 680 0 R
-/Resources 678 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
->> endobj
-681 0 obj <<
-/D [679 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-90 0 obj <<
-/D [679 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-682 0 obj <<
-/D [679 0 R /XYZ 85.0394 575.896 null]
->> endobj
-94 0 obj <<
-/D [679 0 R /XYZ 85.0394 529.2011 null]
->> endobj
-683 0 obj <<
-/D [679 0 R /XYZ 85.0394 492.9468 null]
->> endobj
-98 0 obj <<
-/D [679 0 R /XYZ 85.0394 492.9468 null]
->> endobj
-684 0 obj <<
-/D [679 0 R /XYZ 85.0394 466.0581 null]
->> endobj
-102 0 obj <<
-/D [679 0 R /XYZ 85.0394 237.1121 null]
->> endobj
-685 0 obj <<
-/D [679 0 R /XYZ 85.0394 206.4074 null]
->> endobj
-678 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-688 0 obj <<
-/Length 1948
-/Filter /FlateDecode
->>
-stream
-xÚÍXëÛ6ÿî¿BØO23|I¢.Ÿ6¯v‹d“sÜ.Š^?h-îZˆ®$ïvïÐÿ½C)Ë^9›Þ¸Â€5$‡ÃáÃy~,ˆb§< ’T’ˆ²(XW3ÜÂØw3æxži1æz¹š=ó %iÌã`u3’¥UŠ«ü—PAæ †—çïßÌ<¢á§7Ëy…?ÁǶ?||³<Ÿ'2\]|¸ü4_$4•á«ïÏ?®<ÇÓ2^}¸|{ñÝ{9ó_W?ÌÞ¬†]Œwʨ0[ømö˯4ÈaÃ?Ì(©Š‚{hPÂÒ”ÕLF‚DRßSÎ>Íþ9Ú©“È1J¸
-:ýÀ²¦ÜeVi2 $$\Ù·f"WÂ_àgÐJyXܘ^>4sîÞX»7¼ý•Ð8puu…ýƒÓ0û¢ßàx­ûû¦ýŒÝÆ°ìdt?f¼¹Á!1æÇœ®Éݼ:Gn×-žMú@JP¤GÂÍpíÖ¤2Û¹S¡Oã°ð  Yip\Hö›ÌÉ^—…®{×}_”¥ënêZ¯q–æ«3¿Teì¡vË4žè7ª†zxµ>§Ù•þÇqZ@ZPˆ2–~]^À ò+¥ó‚ÿn–×c¤ëI pYŽô3E-üž"fDÄ’ IÇÁV‚P‹
-&Ã¥îš=€µF—±ŒÛÿ¢].áŸaûuÖgÇ' x­˜FÁXÛÿ
-<¯ŠºèzÀ—hƒ NÑ7xn¦Ýã^-Ç߸ïÆ+òÐ-&Ë3ú¸âã…±Ìæ?  Lì1h–eÎÈÚ™ƒu®1šëÝímáûX j(ÿüd¹-°`ÿÊÇ«9”ÏÚ‹AÛóSv¦aMÝŠ.º©(ÓA[àiM9¹™˜¼Ã4x2õüÚ·é½S’ Üŧ½Á)9¥ì!}¤¹Ä~¬úŸ<SÝendstream
-endobj
-687 0 obj <<
-/Type /Page
-/Contents 688 0 R
-/Resources 686 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
-/Annots [ 693 0 R ]
->> endobj
-693 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 208.0574 126.0739 220.117]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-689 0 obj <<
-/D [687 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-106 0 obj <<
-/D [687 0 R /XYZ 56.6929 492.2203 null]
->> endobj
-690 0 obj <<
-/D [687 0 R /XYZ 56.6929 453.7474 null]
->> endobj
-691 0 obj <<
-/D [687 0 R /XYZ 56.6929 385.673 null]
->> endobj
-692 0 obj <<
-/D [687 0 R /XYZ 56.6929 373.7178 null]
->> endobj
-110 0 obj <<
-/D [687 0 R /XYZ 56.6929 177.8714 null]
->> endobj
-694 0 obj <<
-/D [687 0 R /XYZ 56.6929 136.2124 null]
->> endobj
-114 0 obj <<
-/D [687 0 R /XYZ 56.6929 136.2124 null]
->> endobj
-695 0 obj <<
-/D [687 0 R /XYZ 56.6929 109.3045 null]
->> endobj
-686 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-699 0 obj <<
-/Length 2677
-/Filter /FlateDecode
->>
-stream
-xÚÕZÝsÛ¸÷_¡—N¥éÅA°O—Ë%×ÜÌ%×ÄiÒÌ”– ‹w©);Îôï À$EJÎø©ãàò·ËÅ~f3
-l¦SBE.gY.IJY:[î®èìžýtÅ<Mˆ’.Õ×W}­ø,'¹âjv½î`iBµf³ëÕ§ùË¿¿øõúÕûEÂS:d‘¤ŠÎß¾øå®|€Gi:ÿg xùîíë7?}|ÿb‘Éùõ›woIFs o^~÷ݯ¯ßû°ø|ýóÕ«ëøÝ/eTØOøãêÓg:[Áÿ|E‰Èu:»‡ %,Ïùlw%SAR)DXÙ^}¸úGì<u¯Ži.š¤šg#ª“£ªKs¢Nuö›a‹„QJç?–ÅmU7m¹Ä¯½^0Ææu½mì—žèàÑYÂÉy–;¤ëñD]¦,'4eVVK³*oG€˜$¹ÚÓ|7‚"‰ÖÀ 6 àJN„ÊxDI¸dó¢ZÀqØ®¥'­šm]ÿ~Ü`Ê´Ï2O¸?,˜ž×·‡b×
-;ÏÉÓ”õ?ভʵ•jm8/+ümÚ‡­Á!JƒúØî-ŽA¨]Ñ’›¦°ƒàhJç`\9÷^O”t©¦M0RuŒ¢Ë3‡W´àçy¢ž=» `^J¦}¦ÖZN³ùªÞNCTƒ¦Pe]áÃ[Üñ½S%ÌÿMS:fäR°6ñ VH 1Ë™·A¢µo7²›Ò¸]
-Ü5XÛoMëéëuhü’7h7vfqçjþÆoŠÆÛR
-’S¡ú¶ÔÞ׋DP¢¬Ló·E"Ÿ7¥eŠëeÕšC±lË;óHˆ#gÚbIóì9¼æìÛ…pOÁ$~‘}rS´ËÍê~S†EóÅ,­ipVtáìwоüè^`Ò¦°
-¿rL6È‚ëær[4ͨJI–
-9
-˜ê UM—jºª‰TÝ*µËÔ†<I•:Ï5R°ƒÀ(lYÜã;]†3ÉÏWÐÜ™Æxx„£l]ešÎÍn5C¹`ó¯¦Á%gõå2’øŠWBÒu>
-\ñN
-‰S=ë4¡‹1à#UÏE}6ÂpHüÄøT¯+‘ª›K’¶NÖe8Ýíw¥š0ý¿È'ñìÐu>&a4Uy/9ô=[çÁ(aäŒ~%qVµÂ…û+Zs
-ÑWðXèöh{Ѧ»ä¡n¾Â¡=aDû…‰¯’qâY‡ã`Ï »J¹ò4wÕçÊ.Ž.škQÅ¢Õ2¦ü€fÝéÐsç½0Ý<ì"E‘ÿ“üÙŸhZçl]ðÆ@i¿º„佂ÎQtÕ©êGBL§Ædfü h4¨0“sÜ®#ÐI<< “0²Û_ŒGv„
-µ#÷‚+ÏÌ.¹Qø}lHì¬'¬#[÷BÏã–jü½ñO¬ ÖÖ•,¿r4êÓ’À°Á_T3 ·Ü>íl‹kÖ´?ë€gè£î¸fq3où§{³,-²²ó»
-#¿UÃ¥ìœô­£e0fÆOØGG÷ãÑê‹aº°¿®Ï³”Z;Gà32’ØMZKÿ&žPÃ`3GÕÚû¤M4Ý×Û•³)îÊÚIdϸ¹žß{¤•—¡ª=-âÕ
-ÅðEàð{» åÈm–&™Œ%â¹J&•…S4¦ý±1ã7dh¿á¸Š†Ö+2–0‘Û®SÙ$F”d²sõÈýÕã‹Õ®¬@•‡"T
-ñPà·æ6žøï‹CÛ¿)ˆí<ÔÓF½…Ÿ• ŽÕÚLf„ju¡ÖîRM×Ú‘*8Â*YnÌòw°ÄõIÉ­R5Y~^€H5"A¿)HÌû"Lž71;’1Øš“Œçüô¢Õ·RöÕf°/ÍCÕ_†{rZ8ë“ñfØ C&äPœp¥ÒxIGùvú>Æ^ÄjÊÄs*¨.ÆtU©.VuŒAŸcK¥çÈÔÁ˜®ê"ÕØûâî·»¯gOF˜bŒZÇ8s0˶ÆK½á)$Š§ì[ïEÖåÖLœ;€kNU÷¼`Ìy50¦ê¼ë>ÒL;®§hëk]™S·…’LŸciNx÷]²¼ËüœÃêS‡ VÂƉ'9lÂhÓ†; t¬xõqêÏñ´$&Ø%^O_Ž¦Dpö¬kȈpæbi¦ÝÐo¶H‰ý¯†4Œ=ûŸƒÿg
-LYhÍÇ@P†žgA(+<cCÉãŠþ?H·endstream
-endobj
-698 0 obj <<
-/Type /Page
-/Contents 699 0 R
-/Resources 697 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
->> endobj
-700 0 obj <<
-/D [698 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-118 0 obj <<
-/D [698 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-655 0 obj <<
-/D [698 0 R /XYZ 85.0394 749.3395 null]
->> endobj
-122 0 obj <<
-/D [698 0 R /XYZ 85.0394 221.8894 null]
->> endobj
-704 0 obj <<
-/D [698 0 R /XYZ 85.0394 197.4323 null]
->> endobj
-697 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F77 703 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-707 0 obj <<
-/Length 3116
-/Filter /FlateDecode
->>
-stream
-xÚåZK“Û6¾Ï¯Ð-œªŒA‚{ó&vÖ©Z;±'û(ÇŽHiS¤"R3–+?~h
-ÐCm=3cÍ
-³`Á‚z‹ÿ)þY­@«ÉùQ{@ð—‚Šà•¥<×'loUpª¦”ÓŽ˜¸¢8KÝ,Ú€r;—êl'wÐm°SاOEYb++šC™ž 85éά€û¼qxÜX¥$”(!Åð@mk³p€
- Ž QÓ¶ù…·Ça|TœÃuDzJ?š¹ÏÍŽ`™ú=걘<•ßÈOA ÄknÛÁ0·ÅnÊ3GBqéš«Àšä$GÎC~Éñp•ã¡>NÅC?àù¯òû˜Oùu¦„RÑ;ƒM½ß§U6ÞŠp–87wÕ ,02þÒ’B>LãµP!
-MYM™²£2¦œ—uš]Še°ÎL~Y®§ ¨ƒÂ…a%¿EÉFpD~¢”ïN‘aP”VCZϦ¡ãƒ†Ì©IÆ!x# ççÕÔ§šW“§ª Ì,™·zÑ‹š‹ôÞOp1Æ:•¨Ù6ËÆÙüc‘?MÍex¤Gqà,Y/ëÒS•9ôm Ÿ$´u ÍþÖûC°+óªÛäù=Ssy{T {ì¨p·Ç¼y˜ÚäA¨¸´É>Ò½º=ÿå]9ì lÕ¢6=ÕX» °Ëh¨Ïw#g'w‚?{øÛ§EÕBT^m<ü«-°0Éå[èQ-Ø‚£B[€³j¶ÎË6 ‚¨ZúLþa…è&fË
-õTcÍ”PUú¶Séâf[›ÀP~A»O!°ÁøŒM„à¬á°FË6ѧš· Oebãcžvõž?$JLÀ„6,YVª§kuh'Rð¡ZßšC®Ý»ap:di›7ØÑ™þOñ/;CRVl°ƒ°°–7ù˜ªêî¶
-ËlŠµÍ{$䢢K¹ÍI)ϵGJml¶R“`AÃDv ógì48÷<ƒ©„2†$»hü«˜ÉB¢ÄSj9åYÑÚa“¸Âÿ}îȲ|ø$í¤c«ª{àlbkÐý ŸEÕi=‚}ÞŸõ?Ó:»…œÕ}$Ò³XðªEâ´ljlmÒSc´¯ÛiµÃ䜚ƒ¨?קc¥¥;.RÓ”­euo ›3à¼à~m©lnN‡Û`÷šsòqWà=™ºã£Ch}å½í»Ç£Ù-ùyi_óF¤;¨ |7mÛ|0{OlnÍéÏ-èÇNëé¡('áÁªC3—XTûœWóðE!+ 9»_=ªørT8­ôi¼†€ò»âØÿìr!ê¢F»@v¤Òé@v ÓUzoŒ0”t鎱HøOñ¯ÛwÝzV-” ª°´CUÝ=–± xs
-‚] 9½"ÙSEKA"$¡þØ=íëÂÁ4Æ5!ô^Ú @£{¹[0 ƒjLÄWXNÔ­-UmýüSÑ´Eµëxô¥Ú¹ `å!"SþèbÆbë!çŒ#飅 ©ÐtÁ"þ«`넘j€BÛÀǸ8É'¡nÓQ¡j yÁ iÙ“qaž]DÛ!\ŠÝ}ÂÎÅŸ§ý½Çz‹úàQ¨k±
-qnÅ ›ñ6jmAï±.²æÂð«<wU!‹ù'€VEuY`zO6½ja[ìÀQ}µ7»•³ÐÊeD”`W*
-}ªùóå©L;MÛf\geàÁc¹,ÖSåƒÐ$þ‡Î–Ekuá]µnÃœ´Åoš¡Ö½â. P{óÊã WEWRï>Õ‚ò•^Ã/§üx.ëypZ”ÜÓHô48 dßÝ&<¨w;“à°碛p:`àBç¡Œ?Œà }õ¨Í³`È$GúÐaeíËù§CYlŠ¶<ãxVàÝ´–¥réÓè;Åš˜×]áÌNL¾ó—.«õç2ê*ÎÒ©ÏšŠDaâ(5¨Uy99žJé §¨:㚀±˜„Iä¼¾ÓßϘˆ(é>„m:@@ºü¾r÷uÕÜÝ!ÚÑM°– èÄÅ/³FÎTH’«FÞ§š7rOenÄœö‡ìÞ}cƒ€ý×õ&Ý<ä¿®5~}˜ÏÝ @!"ö‹4‘!&„L„FW.>ª¿GÓ+ õTã•÷‹ÆàwØÅR¿¥‚%DZ-(ÄÊã€ÕW >3«·m}ý Ë·é©lñþ€~ÇD
-áòcìQ-££BwUüçã‘0ÒE«eùžj<!îBÐ,â„ gðÎÌ@gŶè¤zW1têÅE°O?·,0°Hu9ΩNS›Ûºaá3¯Zì÷*[ÊVÝP ¦£§ÝtGª|­H· p á!Þ¾úçK}}€»ÛH†1ä±iñI!a†ãÆ™=zÀ×ÀXìOóÀ„5}J_ñÓ£öè ÓŒ!Áú€ÏŒùi±Îü@gî=‰_Y{!g“cfv™ÙÐœq}íéX-˜¨Jà,²+Ÿd{DóêˆôTÒ²ýû\Þ™ç¥ôiëì‹Gãä`‚¶:É»À
-‹=(µ€ÍÑÞbç jo„ú][ú5ìzF¨zKÞ+XŠ ¶²Œ½M™#î™7Bˆ1óÑ k€ºiJ²,´§ œê¶5@}ÜÃLJc)C·îíKöæUé¸t>¡è Ùwµ#Ô ëêÈ4+ä(Žx¢¸Òd‡ aë :}X^®€qw Ó?
-øÚbüîΘ˜¾Í<a~ÔßuùÝ—¦»»äúâ‰R3×0x¬Ë…ÀÄNJëññ½G
-fñ‰©ÿ_M¯endstream
-endobj
-706 0 obj <<
-/Type /Page
-/Contents 707 0 R
-/Resources 705 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 672 0 R
->> endobj
-708 0 obj <<
-/D [706 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-705 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F77 703 0 R /F14 608 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F79 711 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-714 0 obj <<
-/Length 3636
-/Filter /FlateDecode
->>
-stream
-xÚ­ZmÛ6þ¾¿Âè—óµÂwQ—OIšä¶‡K{Iš¢o8hm­-D–¶–œíÞáþûÍpH½Ø´½@‹…(rć3Ï Íg þøÌê„ÉLÍÒL%šq=[n¯Øl co¯¸§Y¢Å˜êåÇ«goŒ˜eIf„™}¼Íef-Ÿ}\ý2õ·ß|ýþz!4›Ëäz¡ ›¿{ñ×Ôó†´ž
-¯¾{÷ææíï_\§jþñæ»w׋”e
-¾¼üíwß¿¾ûpýÛÇo¯^ìW1^)g—ðûÕ/¿±Ù
-üíKdfõì^X³L̶WJËD+)COuõáêŸý„£Q÷iLs0œng  †Ë(g
-t¨RЯâ‰PLôúÕv¤_Π­Ì¬§Býv»|Y®•Ë,±Rf³ñ„Ç|Õ1_%Ç|•J,×bÊø¦^Û¢îhºMA¶Ø})v-½¬ŠÛýz]Ökz­Š/EEÍÛGz6u‘-!(%å,±ÙEÍ Tgç‰&z{ö&ÍF´R'Öh ó# {(Zª“¡)-‰6Õ­e‰±ÌNdûPtmT£pÔü/õÚ5ôÌkzÜWå²ô»ô%¯ögô Ò€YƒþÎ+|LvZã=.«nâƪy’ÚŒ_਎9OªM’¦LMYÿ¿4ÊÎèM£—°æ’ÞFdgô¨Pø»jßnNñó|û#~Ä7~Ä'Œß ãâ Š[æËÍ9“â …æê’jFdgT¨zÕÔù6v’Á„µ™?Éh"`‹7~AÀ@u,àT‡™N¸0Æu¸.¿þp:Á\ëÎùÓfû§õ­maZ‰ ú“ÖwO…«i»¼Û·GŒ8M°à<ã@uÌøà³$Í„rþ¦l陼T,ˆáÚÍ<eFúrƒ¤/P"†4›¿k:?ÔÓÔûí-ê´Ÿ
-Ôtžw :æ=µXc“Tèæßì·÷;Y•­×SãUþû¾Ø•Á= +XMuò“þê®z)¼_˜PN»x²À
-3¢[
-tÇ, Xp©‚Õ´-šËªÜEæ7ü·æa9yK“¯
-Ôeí¼ã…Ð[䧠áâ ³/xKŒ†09˜·û²BÛ@_•»`zŒ¯`96X1áåñB8hÛ šÚ =
-¸SHqojŒÉ´ÄýÎ[ øFÉM6=c˜SºZf‹AÙ¤'¢@ýŒñ‰[m#¢JdÁDZãlCI´C
-´ò¶m–%†J‚’°h+
-hὧ÷ÖÈ¥?+˜aù< ø z aëÖÓ_îò%…}xuu#”®‰8öEXÝÄË.ÚX5cvb¿x ”žzœç¬h„(t
-—.Œýð:Wêf ÖŒŸðû8ÖÚø¯SýŒ‹ñ”‘‹'Q€]ödg<Dšd²7·ÖI}(§×°aŠ6É—âŽ)C?l.ù%†ë±_[Ñ=4Ôs°ÂTFõ!=¯ÖÍÜÆ6VôO!ësÍ“I“Ô}–‡¹I-ëƒbBŒ} ›ÿ¸)CuÍ;r-»«©IEªsf~ŸïZ‡Ø” 8 ZùÒÝxP»~¤Fo¶J¨P!KRæ5*ŸHáHP•ÝD %דù<³Hqù)'c³Í—‹íJÇ÷Ê>wð¦ÛÞï?­/& FVç¯ÑG©ã(ÂûKÍÛ¼-ÆOZÔËfâ-)\°aZWQb!ï-í¥/°)uĸ%’ã–¼NNÝtá}Œ ¡ïo%;pÜOÒþ¶ìÄq³‰Í´ŒKäéA–Ém;dYáF€]=˜üã±8¬ÂœDBàL_*vQHðqT†Ä'F!Á|ú„„Ó±å
-¾H2¤Oø+2c³XHŸ
-endobj
-713 0 obj <<
-/Type /Page
-/Contents 714 0 R
-/Resources 712 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 716 0 R ]
->> endobj
-716 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 425.576 176.3563 434.7914]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-715 0 obj <<
-/D [713 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-712 0 obj <<
-/Font << /F62 634 0 R /F58 627 0 R /F43 600 0 R /F79 711 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-721 0 obj <<
-/Length 1521
-/Filter /FlateDecode
->>
-stream
-xÚÝXKoÛF¾ëWðЃ„ë}?š“k8‰ÄIc¥(#ÒŠtEÊ®Qä¿wöEQ]©Q…ÚåÎÎÎ~ó̓$ †I„DÒP“(ÑÀD$‹Õ'W°örB‚L…Ò¡ÔOóÉÑ IƒŒ¤2™_ti„µ&É<ÿ8eˆ¡hÀÓóã7§³”
-<½8}?bú ü¹ùÛw§ïgŠOçgoÏ/f©Â†OO^¿›G‰‡uœ¼=qöòÃVÏìÓüõätÞßbxS‚™½Â“Ÿp’Ã…_O0bF‹ä&ch²špÁàŒÅ'Õäbòs¯p°ê¶Ž"G0¢ P:„N¨t„ĵ‰IF™Ã./.³MÕ¥_Š;¸$Çxº®óÅï0}no—¤Ô ­8¶!¨ÛõÕ-½àlp
-[™ù²l=n¿aL«â™Ÿ”—á¿n»¬ªŠÜO³ÖkÜ5cd0
-vv^h
-øc¯žÅ+¥œC0¦ûr¶¢¡Hi¥É:]O¾‹³—¯>¼Û‰(HBR°d¨ñßÙ«±r׋;fžXþ·{íô–ö¸OB¡ åcI˜0È\}C6ˆgۻgY[ÐCƒCˆyB ™aHa@n_Ôþ? fйIL`0ô ‚K ïÕoî§ð@å“QøÀÌq
-í|4…USe_I#‹?Ëî~Ž=ÙM¿;Ž‘§äÅоHñ
-endobj
-720 0 obj <<
-/Type /Page
-/Contents 721 0 R
-/Resources 719 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
->> endobj
-722 0 obj <<
-/D [720 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-126 0 obj <<
-/D [720 0 R /XYZ 56.6929 526.4445 null]
->> endobj
-723 0 obj <<
-/D [720 0 R /XYZ 56.6929 499.14 null]
->> endobj
-724 0 obj <<
-/D [720 0 R /XYZ 56.6929 469.6226 null]
->> endobj
-725 0 obj <<
-/D [720 0 R /XYZ 56.6929 457.6675 null]
->> endobj
-719 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F58 627 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-728 0 obj <<
-/Length 2277
-/Filter /FlateDecode
->>
-stream
-xÚXK“Ü6¾ûWô-š*·V"%JÚ[Öɤ¼o•=[[©x‰=­X-õêáÉä× @êÑ{K$’x|
-ùÇÛ¿Ý'â ¢P)‘N~-•Á„Lf‡‡ê·àÝY_GÓßEÉÝþIÓ’0˳§E°„
-ãTXþ«¯º-ME~úð‰÷FSo/ NB™(ÁTÆBÄV4ïŽqEÁ‡n¬O/<EŠ°PBñ Q„Ìo×RþõðþþWj×þ³@y1åY·õp!r<ë‘Ç›¦{˜Iö¤ØLÿÕô<0vÄÜÒ~X„©o£¿š›iYШ—~2Y…‰ã°HYyv­ù…LƒJ:Þ( Þ·ÔÕßÅy`†k׆zPþµ×묤X¨PÆY‹ lÖέ2“8T X›ØNv‘îâäÚŸÓ ¶éˆwY¼ÅŽ5Á#¤l>×MC­òlÊ/ëÍÆíÞš[õȧFíÕŸˆJ:Æ*ƒÝ‚ß²²Èî´.øjZhuüû¡rêIiíH³| t[½å‰'úƒ…]O[µYŽÞ®4öºN¤‡Ð›2ÄÏì”QÜw=5.턨º=uýEv/Ø¡»iܳb
-GIö=+Ê"”‘Ìö–„ZMcÃ*•ʾ¾ÎëZ'eŽ=ŠÂ,ŽÝêík)MzêòëÙßüü0ÃU‡ ÐÈU˜ç©D8¢Áþé@ üòüÇ寕ßÈŽ|2弊0¬ÚnÉCär…o
-éÜäÖ8
-7Ŷíæá¯éw1ã¹CW΢à„ØfǪªnŸ9 æ®.¡Æ_e3ú^b, +^Æ~±œË<ÐæÌcÛ/´H„qÐV$èz\çU>Ò„Õ¿nˆ@ü¥VwÚ+3 26úFYßðSôès‡c†ÂÂ.¿ñ;˜µ°u†Zºç›ÑE,Õnfq†’R
-ÛTòÈuú±A±HX䃿¦ÂÉññåH°‚=z¨L©´Jµ’Ú²™H§vîêHpÃ8U3ê@uœ^s5%Crù¡ßM5¡Ê… "’t¼vM]îáØQQ˜¨H®C§lôäï4ºŸÙÒ 5ê¶oõq»
-Ä”nOÃ[º@)Af9æo
-Ã@uÝ ëR'@bF¥MMj#-ÉÙ"ÚŸ‰iì°”)Á ˜™†ŸLkz=Z‡N'‰“[>4ŠçS£¼–þ]ÛÔ-³º<˜_ÌË]ǧ‡*Úȹëë?µË”Û³¸è§wqçjA[Ði—Ž0Bë§ï,Tso‚^3“ùã
-Z3&øó@›=—vê¡ÛíÅ‚¯Äú</vûkǛ߻©o^!X4¯Áxê“ÀXxC¢[Ü:€¸èÊPËÞ?à¯éÇ@{·Ãfå!&—3Äà$_Â1Œ\ÑVDc¼ÙÎf–ýoÀ :
-*8m=,»YØ°g¿O+i[/+ö½ìùlÚâªý0Ò$òÙã™]q¾™Í¬RtÂ4nQ ç(üÑwò’;±Ï ÀŽIÆ9§;‹¾^KrËëùc4íàËÂ4[â)”¡2÷
-呧Z°­½+º¥­˜É7+"Xç*'BOí&ºÄ¶$oœîÙ‚¢ ÿ¤2hT$‡.à–x#¶§+bHT™Á˜Ñå™ù}
-endobj
-727 0 obj <<
-/Type /Page
-/Contents 728 0 R
-/Resources 726 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 732 0 R 733 0 R ]
->> endobj
-732 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [470.3398 483.0796 539.579 495.1392]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-733 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [316.7164 471.1244 385.3363 483.1841]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-729 0 obj <<
-/D [727 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-130 0 obj <<
-/D [727 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-730 0 obj <<
-/D [727 0 R /XYZ 85.0394 582.1251 null]
->> endobj
-134 0 obj <<
-/D [727 0 R /XYZ 85.0394 582.1251 null]
->> endobj
-731 0 obj <<
-/D [727 0 R /XYZ 85.0394 543.5676 null]
->> endobj
-138 0 obj <<
-/D [727 0 R /XYZ 85.0394 445.615 null]
->> endobj
-734 0 obj <<
-/D [727 0 R /XYZ 85.0394 406.7709 null]
->> endobj
-142 0 obj <<
-/D [727 0 R /XYZ 85.0394 289.0425 null]
->> endobj
-735 0 obj <<
-/D [727 0 R /XYZ 85.0394 261.2074 null]
->> endobj
-726 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-740 0 obj <<
-/Length 3604
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYsÛF~ׯÐ[¨*‹¹päM±åR‰ã•´»©™Xƒ
-Rç4-©—Ä„éb¿]eŠlTH"c# €–»ö-ŠÜ@icóS(7I˜yïê•0~ØÅ—‚GÄéXÍ`œÊ(@30Ûñ^h¤h LVgAwë²eæ¼d”+«ZšU²i‹ñ"€§øªåI\<–EIUìgù_]͉`wVˆ~ C]É Y½"ý.­Jƒ$ÌTϬZ uZ„q
-ö»íŠ72/X\¤ìâjUvG´¢ý)¥[Üìë™ÐÊ.Õfº0v_?»Qض"¬Ò~ƒÉD€+k»j²Ë*BkñÕñ
-z]ÁŽÆëuÅ€Åì–EMFK828 TÄLƒ~á
-¶Î‚Oƒ€`Þ6ÄšóØw±TaØWç»bSÔ]V î±Û!î‘¿í²º}(ví øê¦ÑI+Ñ4wì¤á¢„YØôüLIØ;8(F&áö)Àb‹8u×äŒ-[™qõ=qá¡&m%Åb÷È À©nœNÙÔ•0è·‰AŸÙ«9x(k°PÜVíÜ¢Aøs¢Ã´Ñ4Ð6š[IÐ Z({x‚TX®Ñ±è ÚP\:Z>Œ§åCO»-ò Ÿ$ÆŽš;n޾戎8G‹Û¢8Ž5`1`·"«ƒØ¦„úܹûpÎ…›Q˜èé—ã§aâ”/jí—÷¼mÓ¢Ž§ê½íÀ2"^µ¿ ­BØÐÄç‘ Wf6¢õTË1Ù©¨§ÜMY¼Œ9L€[ ÒÅ–úþ».@ËÆÚE–w´ãTnåËÁ0ò°L”,¾¹~÷†»Rþ´ûí¶Ùu2ŒwKdÂXèÖ '.¢}áa]xËa")ÔE^´m¶{ª;æ. ]³† Óm²®lpI
-pB1“TÖ‡IêwfW|Úm·$K9Ý"˜KýåUFŠzy: }Æ!}†=`¸RÎ[kÛ¾`Ê1›Að‹ˆlês#+¹‘•Üèö¤Nn/¦;·E'¶(±ßòwðÚ¸ºãæDz8   VÓæR[[Þ—0gÒ1¢ìe¤‡"±Ðn³\ÚÈì4Æ€¬3,ã‘
-“Šâsw¡}O,¹dÛTœÑPùî[ÆÄ ãQ°. ZÎu´Y0þbdïÆY4œÖ²/^±@<¯Xkƒ$îói
-9íz³œrÙk¿d¢´³FøíYœÜ0 HÂX<M„xNþ´3릠õõÜ<ßÝW”öUf”ïÅœqÆhú[°RƨÃa‰ÏGáTØ„8$@^±lh Æà•N0S#8;\ѹpæ¶ÏFÅ>““9£û1;ÄθŸb‘×™_›ÆXÉ›œD¦¨-ù>5õ.Å#ÉüRÌ[8¨bjéRMn´£qï \9”ÝšKS¿Áo«X‹ï§w*1#ïõ{¹tŠwD,ò‰
-üõQk«bƒY[¶+¿øÉäØ!Û7?üÌç´„hŶ(n‹|
-g¯)’²Ôãž)BÉ°ؽ†`‡¾"ü$ïõѺ¿V‚20/õôvŒÈD1œÎry,s@%MÁÞ,ÌR"Í×vØŒ.,q=ö7ïPòbÙF9ÄiJñó~Å3ažó2JúÞ¼ØáEÃ>û–rôwÃÅÄf²1òQz4cA=qUÍ@±·Î¿
-ZÐ~ü(º0¦•”³ó ³áeå^ºYÁI˜ì¯‹YOI8Æ«”À"Wâ…cèJ)äÓM6BÒp-.°”C}E·Þwú§/‰»tÛÍ=÷Y+èèBtÃ…odë2_ËÃ+c”\F~"”š±9btl`}ÐeÕÇ) Ý7„Ùˆv ¤vjM¥g5E»²>26@ØYÓb·t_ƒZÿ$`\â·šï…8ojLÜ>ìûs.¶ò³NŒ9èA.§™AæÇÚ»’î Mbt
-ºzzs±_š¢ÈC(†HôbŸ"nb‚(‰ü‘úÕ Ç¥u*Ýñí:rÖs¨X™‰¤¿Ÿ-¨V%iÏsiãÐ?x1×I
-endobj
-739 0 obj <<
-/Type /Page
-/Contents 740 0 R
-/Resources 738 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 743 0 R 744 0 R ]
->> endobj
-743 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [464.1993 638.9439 511.2325 651.0035]
-/Subtype /Link
-/A << /S /GoTo /D (proposed_standards) >>
->> endobj
-744 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 628.0049 105.4 639.0483]
-/Subtype /Link
-/A << /S /GoTo /D (proposed_standards) >>
->> endobj
-741 0 obj <<
-/D [739 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-146 0 obj <<
-/D [739 0 R /XYZ 56.6929 704.5459 null]
->> endobj
-742 0 obj <<
-/D [739 0 R /XYZ 56.6929 671.1703 null]
->> endobj
-150 0 obj <<
-/D [739 0 R /XYZ 56.6929 515.8828 null]
->> endobj
-745 0 obj <<
-/D [739 0 R /XYZ 56.6929 480.2977 null]
->> endobj
-738 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F79 711 0 R /F57 624 0 R /F58 627 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-749 0 obj <<
-/Length 2227
-/Filter /FlateDecode
->>
-stream
-xÚå]oã6ò=¿ÂØ—ÊEÅ¢>¨æ)ífoS´A»›kè8EfbÝ*’kÉñ¦Eÿû 9¤LÉ´öpOE€h4Î÷ ‡4›Qøc3‘Êóx–å1I(Kfåã=À·œ1CZ¢Ð¥úêöìüMÍr’§Q:»½wx B…`³ÛÅÏÁ×o/¿¿½z7£„1™‡IJƒË×?ÎcÁåÍ×W¯ñÓë›÷¼¹ºœgqpûÏwW€a"N¬³+ßÿíõínÅ/·ßœ]ÝšºÖ0Ê•š¿žýü -À¨oÎ(á¹Hf[x¡„åy4{<‹N’˜s‹©ÏÞŸý00t¾ê¥>ï$\DD™Ç=1÷¹'ÉIÊ#®ÝsÝÌC± X,ª¾j›/à•‹ _J…§ÁjsWW¥²óüM’9ÜÀ<ÊrÐAñéª^2$ åBE†ªhV%4e£ˆÈOÅ㪖¤l=L‰`Ürý­md‡ftËvS/Põeñ$ v%˪¨ýÝ¿¹ž3ȲÕÏ…Yß/‹^ œ…QÊx–ÏBÆHž$‘U¶M_TೈÇÁ¶ªeë†hBÿýùgð`H²'D!WmÕôUó€kú±Úå
-¸+: üºl»¾ƒÜã4 n—U‡ØÊpj¤\È…Y&ËbÓI$Ÿz¹n”ÉêÓcQ¨“ë'¹î´‰tlÚBé‘DAÓö ÿT4Ï´ äÁmaq÷êɃºm?¢Q€Ü¬ v‹@o¸/d]=YF/çsö¡à#k‚fdüÀÒà§y’U¿D¹è7¥‘Ž‘Ø &±ø«Ø,§ƒ2T12ÐùfµV f];Y¿ ¼(u€í²*—–E3,2Ð}»ÞîRUOËÉÊqÝA­;¬•ÉE.´•ošŸuHiEšŠ2ÌïÍÇÁ`7‘,õûìKOñ*ñ9É8Ç,ú\ëq’«þÇHóÍÍ<L)rVOFñi3•¹5O<EZ¦ÆÜL³½Q Æy‚•k ùŒPQ–re°^)Ïr]0Ë¢¾78ó„Lï—:‹Õ[Õ -ÂA½5²ß¶ëªe&éŽhHõ¢… ¦.” _ ªXsšm@K à'±«…46 ŸsWA½‹&)6zÀ™PZ†ƒn../eB+½¦]Éu=gÁ³Þ:•Õ‘éZŠ3¥kkÝ_PTcYK_=îL7-?í§QØ‚„>üÒèaã­IÝ`”鸎šâÑàmg´U9™
-ó6Jgoåý°‘ëJmD‘à†ƒµ1í\Éìð£1>hÄjµÝÖi4êË3>Ñ‚=ŽFoÕlrª7Xþu§Ld•m F™Ð«¡·:Ëúý®(?šÆ²9ä÷Á“#G·Í©.êïr*›#Ø
-œlV¯h(ƒ:ÖZ³Ô¤µ†Z|bZ+h5×S@´
-+®–e_=Jå›Ô5ƒ'Lwõ‡ßì_,° ['LÑY…ìÛI“‘N³qÞ÷?K2ÂãÌNµW¸%™üº)}S’?ì0j÷ÝqŸÙ¥Ï¸Ááx´s`qg·è¾ýòÐé"I``fâøQÉ!ÒG;*ç
-¾ã¤ÿ@Y6•¨í<³£"¢=™“¡à8ÉüfF4FjGM:ê”Ú»ôðFxBàtÆOF"Â3‘=Œ@mñ$‹ÿäiŒKÝÓ9;ÐBó=<‡êHô,Õéð“êÄo*Ö@Wìÿ3‚ÄmhÓÃlJX–Š„’By’¥-ýE ÓUs$,@¤'éP ¤¥:ÈcR@NÅúéŠ}y ÷:õµö©ìú*ÎSBcq¢c¹T‡}5PôÕQ©;_í‰õúj$öêS¹,šÏÁ±_úºÿåÍk{sÑ+Ùª®bî@š¦ãÓÍÛÝT|Ðë‡æ´m%qªî^
-ÂjÕ…m¸”ky€níJ‘<Ü‹ÊÑ™âKâh¼Y WU¾+C¥ÜÆp
-wÝaÙkYnÖ®Ò#ò•¼L”·câqñ‰ 'Y9–["Øé”ÄWxfr6¥W»TãÑH=BÊØi^J†;¾œ~^ÖøÓ¼²Œ_=žï+tq¤€ÜÒ2L¸]´6 a“°4)ôµ’®ŠLMBŒ82÷·»ŒÜñìGu8¤ghxæ¾*ùKiz0ñ¼5çÉ»“ Œ¬ê—bÏŽA‡ˆþÏ?H;#eF¸‘ïá4%"‚ÁÆ(¥ŒÜ'‡_®÷Uÿ/“Õendstream
-endobj
-748 0 obj <<
-/Type /Page
-/Contents 749 0 R
-/Resources 747 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
-/Annots [ 751 0 R ]
->> endobj
-751 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 408.3291 466.5943 420.3887]
-/Subtype /Link
-/A << /S /GoTo /D (sample_configuration) >>
->> endobj
-750 0 obj <<
-/D [748 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-747 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F14 608 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-754 0 obj <<
-/Length 767
-/Filter /FlateDecode
->>
-stream
-xÚ½W[OÛ0~ϯˆxJâø–Ûxê lCb4Û ‚ •r)q¸”‰ÿ>;ICÚ:¥P˜*µÎÉñwŽ¿Ï>ÇE:¤;.pè^@‘£Ç©õkñkîdu½¾†š}àb=
-Š&yVnr^
-#Zªôœ÷219Žóì B|ý¥¶PX—‚Eq¢daEhcÚ,ÒèÔ5ª7[ ß–”øfaÖdÊ­ëܺaë«‹B>•îüÕ
-
-endobj
-753 0 obj <<
-/Type /Page
-/Contents 754 0 R
-/Resources 752 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 717 0 R
->> endobj
-755 0 obj <<
-/D [753 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-752 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-758 0 obj <<
-/Length 2227
-/Filter /FlateDecode
->>
-stream
-xÚ¥X[wÛ6~÷¯Ð#u1Á ˜ž>¨¶“¸mÒl¬Ý—¦IILxQx±«ýõ;ƒR¤L7Û]ës0
-ß5"¥.Ò&­ÒšÄDèÚ"°á¿û÷ÄåT\|GÜc‹¹ áÙÒ´Â)`¶c#ifƒó–+á8gl]˜䥰•_£üæ5`¯ °ú§¦Gs¨êIßÚwY’·­ømÚ¶Y¹§Aw¤çf à®uÙè˜Ý
-G3©ŠÓ¦á`ÙÑ3¦Õt{ž3±60¾¦'ž¤Ë„ˆ®y^¼ÉöSï1kD‘“Xs×±H0Fs|"¡ºf…®³üDæ;{¸RŒ ßØÊpt m
-–5~TNo> =ºß7ÏŠ¬¥…±&†‚ÆhÅ¡™gÝÄö—Ò*²ý¡%r›2 r,Q]“hrÉ ’Y³Ä1ÑmŠ¾p<kM<òü‰ƒ[ÇK處Øa8åPuy2hÀSbƒú™CBˆ·¨©bô(ïé R¶ADžµíZ’»û¸|å÷úÉ
-k0%+›Î„6¦’8ƒÈF h L¨âÔútl«}­s¿Xy€è¢1§8¾µ=Ñ“<‡ê‚Vßéš
-(ƒ1- Ãâý]ÀÐBÌÆy^=RºCl˜wvCHíÏx)qƒ¬pÁìD`ó'fžÚ”;@}÷~}½zãÓ;2®Ôгïæ’ÖÛêÁ”“0²~­ ëªçÒ#÷2¡:wc8
-j¶PSMTRc×Ìœrâ¨9 9wJCçyq!¥0\çM…j„‚>U…Öײz,‰Â
-hÚ³ <륲:æµÊ+Ýþ0wíQ®-ƒ¨ï4‹‚ 1ƒUR/‚ÔtëAØ+@ÌrͼɕȨPÑsÔ7á0è‘H™\z¶‚"qñK·Ú~î²ômüð;óÅ×î(ÿ÷÷åóu/´¥Rîü§cé¶r£°W
-•Ñ¥æÇ觪ÿ¿ü+#endstream
-endobj
-757 0 obj <<
-/Type /Page
-/Contents 758 0 R
-/Resources 756 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
->> endobj
-759 0 obj <<
-/D [757 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-154 0 obj <<
-/D [757 0 R /XYZ 85.0394 638.3105 null]
->> endobj
-760 0 obj <<
-/D [757 0 R /XYZ 85.0394 600.2421 null]
->> endobj
-158 0 obj <<
-/D [757 0 R /XYZ 85.0394 433.5475 null]
->> endobj
-761 0 obj <<
-/D [757 0 R /XYZ 85.0394 403.0897 null]
->> endobj
-162 0 obj <<
-/D [757 0 R /XYZ 85.0394 351.2066 null]
->> endobj
-762 0 obj <<
-/D [757 0 R /XYZ 85.0394 325.7421 null]
->> endobj
-166 0 obj <<
-/D [757 0 R /XYZ 85.0394 166.6305 null]
->> endobj
-763 0 obj <<
-/D [757 0 R /XYZ 85.0394 141.1659 null]
->> endobj
-756 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R /F58 627 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-767 0 obj <<
-/Length 2286
-/Filter /FlateDecode
->>
-stream
-xÚ¥YY“Û¸~Ÿ_¡ÚK‹ƒà×>ŒÇcg6»ŽãѦ*µÙJ„$:)“”e%µÿ= 4@‘æp¶¦j„£Ñht7úëل›ȈD)O'qI™œ,·Wt²†¹wWÌÒŽ(R½ž_}ÿ6â“”¤&óÕ€WBh’°É<ÿu
- È 8ÐéüþîÝ,àŒ§tzó—ëóÛЕHàúÍ?fŒ±éõû›Û78õæý=6ÞÞ^Ïâp:ÿåãíýì·ùW·ó^¾áZ¸ÏW¿þF'9åÇ+JDšÈÉ:”°4å“íU(‘¡n¤¼º¿ú{Ïp0k–zuÂ(áΩ”O#©”|¤™’HpÑk…ÏF)è¢Þ‹jçì6
-÷›¬Q¹m«e£:KPãïëºÛ`ëçl¹)*ÕjµÀæb`: xD$èÜì:ß-¬I¢)þÊéBë*Ç1ÜÛe½S8V¯ðì@pòZµÜ73–L-a7cÓ&«Ú]Ýt8²UËMVíÖ.ØÔû2w»âؾU9° YÜ‹&§KGõtƒÍàŒúT¨_ô°·ó3pªéKTGÛnl«S¥ÚmêJÙ¾ê–Ä*id!à'Ó8ém#¬mîªUÝl=ÖQÍÕ´Ø1JÎþU_Ì$(»·_‹¶SÕR=m¡»m¶["¡Œ„ a$ÂhºMÝvÌÃŽ‡„F©´T˜ö’K‰±pB1¹ÈQîøõòEï€-*,)\s§…U]–õ¡×]aµ‘å¹ókçË
-<xÈjÀUaZÆCy$#”J§†*Û‚-ëjå‘=â„G‘ÓÅ¿(å¥ú³‡grF’4„K-(Œ
-¼¢ÿVÇY]ú?'8ò_ã†Îƒ‚Þ•´ŠÊuÝÝfk×n³e°Íå+Ÿã¶öZkÂï~ʾ¿•7ŸÞ¥ûSݲOŸiÆ?å×?üð. ¼»ýþÊïRÃs{ÊO¢½Ô†
-{ÙlWÛG“uŽ¾®Ê£n1hÙ¡v¿Ó\ÛO/Ž8üúîý‚CýnúpÆ[:œð°W8³V•j2ËÄ\Ô_ë O{_è;ˆ(.†_dņßLÿÈÁ¶úX)ŸÝNNqvYo·ª2Žˆì2K¦@Aà€Ï’0–ˆgyž !©%]X™«º
-uSÚ=Q,Ï¥2²ŠiÝ8qìíƒÆú UrÎÇ”ö4]ñÅÝJõà-Ëðg †îÅÀ¼).¤eÝøú‚ Ê}Ï{qô©*
-P )ÝaaíÊX®..é¶e¨@çvaæXµm¶v+Šu…ZŠÍ=‹®¥Ô©ÎKŸŸ—¥át™UØ€­‹ÕÛöþ„fƒ¬³¸¨Q4fÓ»ÕcD8„¦öË%¼Ú—åñ´6¾ÊMHˆOlp=€{Õžs±ÇÔíÅ…ˆ`z_às§.‡=·]³o
-®ËŠ
-G³ÊnwJÚ—¶‚¨
-´Úrx¨zŽ'È4p<„”§\Å ^¯;Ÿw¥$‰x:…!w)7è57‡F”ÑèQ&î! ZNovQØÏ{ÕZM™Û<Z1¸FKáÉL£=EYbka§{l3³¦ ˆÃP»SK $Љ*/Üx#Eq(¼¡¸þ¦bÇŠ©Ë‰¯ €5-úDŸç „µã
-û mÚ’šÓ{6f°±ü¶Èíöø#ìÀpБÔÁ”=¦CÖocliô½®¬U¸ Rã‘_ŽoŽÏ%<›X|Ó±½ÉH8eÐe$mdŸÑl:ƒoAYë¼òÚ$uؾàØÔåc)z¢®ß´rÔˆ{pDN=v²‹Q‚Â7#ó䃚zT0³®ÊFaÀ˜¨
-×7?a#Wzº*´›Y&ý“E8|YÔèIAwîBK  ‡‡•‡S ‘(´ó`ãæèã’BúÑ'Ÿ<\À®¼éô«×Ê•Œ#>`AÎÒð>A(©.€Ò± îw9„ǰ؅ŵǰ1‰X/ÚBÍóŒa¡Þd¦y»I^uK}ílU¬ ŒAui­ÕCÖù°4mÝt[æ¡}ûÑcºˆÇ%XÁØÁ>ì™q.W€ä*÷j†‘8eñ%f×¥<^ÿEÚÊC¶Ý9ðv¯v™ÃzãTVõfÄS^»3Lð%zgiÔ˜é g{äuéÕó^uúŒÝ]Y-ñòðb‰ÜõëtÕç‚…MÐ|ióE<dí%.Ž£<©7©lŽÄyè»Ñ©¾ÑýåxžR¿°K—i–=°ÂUŒÂhüTðÏYʧõþ,¹;dÕÙºËèì!õ¾;Sö>yîêƒj `öœ‡k7í«!T}°«Ëbé+9#@ú’!ècòyöC
-endobj
-766 0 obj <<
-/Type /Page
-/Contents 767 0 R
-/Resources 765 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
-/Annots [ 773 0 R ]
->> endobj
-773 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.9997 61.5153 458.6717 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-768 0 obj <<
-/D [766 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-170 0 obj <<
-/D [766 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-769 0 obj <<
-/D [766 0 R /XYZ 56.6929 748.9393 null]
->> endobj
-174 0 obj <<
-/D [766 0 R /XYZ 56.6929 700.6394 null]
->> endobj
-770 0 obj <<
-/D [766 0 R /XYZ 56.6929 671.7552 null]
->> endobj
-178 0 obj <<
-/D [766 0 R /XYZ 56.6929 470.7895 null]
->> endobj
-771 0 obj <<
-/D [766 0 R /XYZ 56.6929 441.9053 null]
->> endobj
-182 0 obj <<
-/D [766 0 R /XYZ 56.6929 233.8866 null]
->> endobj
-772 0 obj <<
-/D [766 0 R /XYZ 56.6929 205.0024 null]
->> endobj
-765 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F14 608 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-777 0 obj <<
-/Length 3193
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝ“Û¶¿¿BoÕÍX üw:s¶Ï‰Ó‰“ÚJ;$”„;±¡H… î|ýë»_à×Ñvf:z
-‹8z'wÙcŒ½»Tä>JîÌ‚³ßÄ`8ïjî(ê'žKnœ×ø:ë(ú„Ãòrðq#iDYÀ¥tKÇÆ*yÙ÷?nÑ—Þü¼ý.ü
-Ôò„Âñ5Ek4éúÕ»÷ox@.ÓOçÊž
-5 ¸!T%Û¥ƒd)Þ$5x…’e±Ç–Hjš ûƒdRÅIüÕí%aæÏŸ¥DÔ]9‰ ;Áã"ï(fle;é(‚à¹W„ˆ+š€Z)å±±bÈesqäT€Ö{)F÷›PGA’À½”?ä± çªm Óýš;M•‰—L:2ì-©¬Ë®do‰Mü ÃZhî«’3R#ŽÊ¬ùáD«œ_s‡2?…ë¢ÔŸ’ßÇŒ?.¶•µðN@rW]dE !¤à›h²À$É,LgÙþ¹Å­¢cNÑå9¼YÜ"ø
-eÁÉ”ëõf TÃt’”mLÊCÃÐCõ/[ÈôBrü;îEó T¶qœ0`%ƒÉÒЮ ×o‰L²èÏ^ƒê¢Îg^Ze+¨1@CÊ\oØ Ñ
-ÁƒÎ“õÍ]G^LaòGŽCe}C·ôä ÏE ˜¦<bq((ì³µ„ –5 ¡åò=ô Ñ'¡É¹ÜÐöTúÝÂÉ}Åv__b #í§b/Pcêø‰û,Ûy€eæ3…¹UgyeæO`ã!N8ò¯£4pᇪÑf²iàKk®f1ÇõçâÅ:ñb|M¼ÌdÑH¼ˆÝ“Ï!¸hX32A²·‚ƒ0 ãÂÆC0||@ÔEX
-ÛäVf“¿"Yé!¥žªalj_Fû± ýTÐþ8æ.?32êg÷, 24"ÁÚiaí@u—ó¹iÉÜ¡óÍûo_sÏdêí u`‰%™Yh¦Ï¢pÒç‹È¼¡£”IÞ¾f‚6‘aßk AŸÎ£pñím*Oé„CǵóeW•ûoÀ <°÷š{.,PBÖ6Ü‘KcŠç`â)
-Míc¿íâJ rÎÞíØdä¢Gü, ž~f “ç„Ñ+1v0ŽŽÇO$ôT‹»›æü±Ï_€Æx:eäÂînòŒ‹ô£…䱤­E"8·líß ûÓÀe1Ǹør¦§þ%–p‰ŒJk9]gOçY_5lZ4 >|ãÏÆ?-¿ö-œÂLé((/žë—'À×%¤…›ÉÃíöõO2‡mØ'1¦ÒÍ6"Àßp·^V9+ÚlSyÀYžÏÞÐ,,.jùwzH)B,ïÑsœbíÒ-¥NQè,ô8­†ÍžŸ»E.ÊôyƢǷ°œ¿³dâyÅ;~Õç¾nŸÎ]·ô|,÷ŒCF®‡½'Ðès#ßÊòd+˜à¸<7Ε»Êr«Ìvd×Ĉ$÷/yy20ûh÷—¶ìž¸…jfÁ”ô—'°ã>õà nvåÒ÷+xH½}ô]ÀúÚdSoGïˆvâ(¼„³x±ù7MÙm¦äñy­0­j$ZûÔ௠â¤A÷‚o_Ý,qjì‘Ìß¾Æb@’åò‰E„pÏGr¬Û·åÎJŸ`„d-ˆ ð#S#NÄ‘B/¼é]‰ù(9“0PIœMݾ¸E×ð®æçÁÆ„é?Å"™?,
-_‰ñÞ<ñQ9,‹ˆ|X½¡ñ
-ý$D<V8¡k¨,?“o AÎâÈ<O¦†¯sr”zôIï±içl¨Yrß5”“CÓÎ&<“M1+Žñ—Dg&0qn¾x"&Ða¦''B_#½£Ð©·Û±pÞªQ(‰²œS)¤Iš.}ŽœÅÞ@Ÿz(Â[´UÙcÐþTÆp`ßœÎàÌ8ØLÂz[ÀsðÔºóØ@ÕÒß8"à/þt¡úÿUüßñþÓ§A”ezø÷Æ4yL‚Lç©
-u§Ã¹äýAž‹þ?ïp;2endstream
-endobj
-776 0 obj <<
-/Type /Page
-/Contents 777 0 R
-/Resources 775 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
->> endobj
-778 0 obj <<
-/D [776 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-186 0 obj <<
-/D [776 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-779 0 obj <<
-/D [776 0 R /XYZ 85.0394 751.9762 null]
->> endobj
-190 0 obj <<
-/D [776 0 R /XYZ 85.0394 588.2109 null]
->> endobj
-780 0 obj <<
-/D [776 0 R /XYZ 85.0394 552.101 null]
->> endobj
-194 0 obj <<
-/D [776 0 R /XYZ 85.0394 373.7735 null]
->> endobj
-781 0 obj <<
-/D [776 0 R /XYZ 85.0394 339.0798 null]
->> endobj
-198 0 obj <<
-/D [776 0 R /XYZ 85.0394 207.963 null]
->> endobj
-782 0 obj <<
-/D [776 0 R /XYZ 85.0394 174.5031 null]
->> endobj
-775 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F11 785 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-788 0 obj <<
-/Length 2920
-/Filter /FlateDecode
->>
-stream
-xÚ­ZYsãÆ~ׯÐCª*‹ã9p:OòJk¯È‰$§*>@”PK4J¡}º§{†
-SäÉù üB…>_ŸÅ‰IlŒã¬ÎîÏþé'µÚ¡A­()´ œª%6!µ$…H6V-OõöBåQ›K£õ®J¢rÕwÄ›sÛ¢[¯wm³(‡¦k©ÓK3<QãðTó¸jÝ´M?lË¡ÛöÔØ-:mJZ´¨¡l«/»-/óÔ¬*êö{×òÚËÓ¶ýºPñ°û™RNQÛ­|ª÷=œ_ÃùAï"¶ãß¡ …‰úz±Û6ÞZú¡vÜÂ{®Ý)pš¶ÂmÖ³÷Ä&ñ˜ˆÏëPËÒîX%ýv¶†¬E¹)ç+îHôÝê¹æ°ÅÀ¦†íEñ¡È¨z"ªr(a¯FI8Á†™î[±Ú$Hl×évOŽÁ- n{æþeTιpÌ%3Q¶/?$ÙÈžtV)ˆŒ’^ßSŸ‰Í©XÄq’sZsÑÙoÅ3G’Uõª~ô6’vM;«ÔœÈTƒŽ
-!u\Øi? è&ÖQ7 5©à¸· Ùžøh=ö땉]P‡ÄoZâ V•ÈÁ½2MP°=5¯y¨ŽêÆ­¤£ù…BïA­
- gµÚÓïE×þ"¥~ÜÑÆ+š†œÆÊ3Y,5`
-^¹ž®[×:n2`¼Îçïî¯î¿½RÂ÷9ôƒ }Ënµê^|àBÒ%ÞÙN‚EIŸ,͉˜7ÃdÅ£X½ôÓ<k$ÂXeØj,>õJTZÀÆr $]o<è¯xÒ|Ô "5o.Ó鶧Ñt–B¸™•ôõ²[朾v‹–Á½­á[j"§û‰Æ/
-Ð(fjS
-}¿Ò«Ý¢®¾
-¨O¥R¸)äû©\_H™|¡´‰ç@0Y*2#5dz@!@àqúÚäN&É Bè©)Vßl›g4 €2ÆÐâRØ/2‘/ÔnŒŒì DZ@a0ïã Û‰ebøµô±ˆÄP>¬
-‹ŸD‘éOÚéˆÆ€ÈkøLfç²örOâ*Tçv#!sWBó†¬=dE¹ižêƒrâ¶l–LœÙÕ -L +ÄzuIE jÈÑÔÿ~ð<ÉIº7ÖÃBŒ×l+êMÚ€î¤C䔬ÀĹŠã©! x|Œ‡Lì"re_ó!@€ŠœÝØîR€‹ÓÑꕨ¢òLd±ŒYqŸ±¿D‚“& £- $,iOK3€Âõ:úŽb"ü¢¤ÀɾÇÔ§3N}ÚoÜÎn¾‚ÄBh߀ˆi’ž”y-ý_œ1 Å$q; û7àÍXªÐæ‚èÐÇêÉ~ˆGƒ3¸Äl7‘%"IÒ“PÉ eùXKY1‚ëÛr¹Ìé X n€ÅñoSo‡=[Q5ó¤Îáx‚’U³ÄQËzTÈŽWäˆ`JÂ`bS—<K‘û2xg¡d‹Ùòõ kréŽÜÒ„F À†þ©Ûá=
-?$ø5Ãâ
-ÜD –”ÁÒ§ª»@UH¬?¤Ó£5~ÀyŒ®PDÚ(Òxæø}³:„óM2ï৲‚«`”)Dlüý·½¦r×ñÇ⸀ôœy¤QÁµkå0g"Î<,Á*ŠaÕ,ÖJÄyjŽ.jºvùÜ-û#‡oZ«LB×$}82øD| f<ÿg "ˆ’¤p—g|­’gî
-¨Ñ9r}8›‹.Ò0ßxžO㣠eDètQ?š¬Z= ÄÀ­mfîݺÞwòœ|‡`>ï`úxƒÂo„Ï°›ª&©ÇIºp.e:?¥ÙLOiF:,o^+z4¨>3‰³èëÛûïoþºl!µ.#±d°Ç̃¨üëü8p;5O¨õ4欬c•…×\vñ’5áTM×'¹±:„MÊu¯¦*Pçv?z@šF¸Wì8§ § Ãé÷þUǃê{~mzNÿØ®šO¶b2Ñ×oñm9‹£ü’j(Ç1QA UGá¤,,2—{bNC3ñì³ô[ueÅÓZÊü¥/4r2ÉÜ­rF·Êx_µë3÷r9Z«ŽX(Fà²üup‚ANÞ–d£G?ç}¯ÞÌbá‹.•Ž£Ú5w[Êø•8£·_`“3v\òò¥;ðç“‚Úsj°"Šï, r–³Èïú@T41š’ÐÖ¬«Ù§ðXR-µ+C|ÕwÉÁ°E‘ÆEà9ƾö‹m3wº^ÁØí±Ú¯Ä‹Ýºæ§ÕÐ?1˜Dàþå@zOùŸÿÁáð?àLžëðÿ.€‚!ÇÁ$,nZëÉÝBœŠþ_2ç;endstream
-endobj
-787 0 obj <<
-/Type /Page
-/Contents 788 0 R
-/Resources 786 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
->> endobj
-789 0 obj <<
-/D [787 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-202 0 obj <<
-/D [787 0 R /XYZ 56.6929 684.186 null]
->> endobj
-790 0 obj <<
-/D [787 0 R /XYZ 56.6929 655.2772 null]
->> endobj
-206 0 obj <<
-/D [787 0 R /XYZ 56.6929 387.8252 null]
->> endobj
-791 0 obj <<
-/D [787 0 R /XYZ 56.6929 356.2664 null]
->> endobj
-210 0 obj <<
-/D [787 0 R /XYZ 56.6929 153.01 null]
->> endobj
-792 0 obj <<
-/D [787 0 R /XYZ 56.6929 124.1011 null]
->> endobj
-786 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F58 627 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-795 0 obj <<
-/Length 2016
-/Filter /FlateDecode
->>
-stream
-xÚ¥X_w£¶÷§ðÃ}ÀçĪ„@@ÞÜÝl›ž{²iÖÛûÐöØrLƒ 8îöÓwF3`Àlúp“¤Ñh4YÍ%ü«y
-©“`%¥
-ç›ÃLÎ_`퇙bžeË´ìs}¿ž}÷ÁøóD$Æ7óõ®'+2ŽÕ|½ýÕ{÷ãêq}÷´Xú¡ô±X†Fz«÷¿,”RÞêáÝÝ{Zzÿð‰îV‹(ðÖŸŸî€¢”‘ö%¼óþñC|Ÿ>?>~|ZèÈ[áþ¾ßß?°Ìdñûú§Ùݺ³¤o­’Íøsöëïr¾£šI¡“8œŸa"…J~˜¡a uKÉgŸf?w{«në”÷B‹0ö£ ÷þ\Bàƾÿ„†¡ó˜^MmM?eÕÐ$+&Íáº9_ú±0Q¢Tf–0»Ïî”ç_qh¼š¤×´æ9 6§ªZ¨Ø³ECœ‘·µ¿IévË2ÊêP“ŒrG$ÖFEz°4jJ–¼Ý’Àš7¥Åvrå²å"$/Ë/§c-ÐT4N)‘„¡ïŒ»gÏœ3§;ŒÒ¼.itª-gKçÍÞi¶&RÃ܇ô ³ÿy²UÖ.Ÿ÷–^-bïTYñBó’éi1>e“Ó眥Õ_ëÆ.ÊG"Ñ~ì”ÿPVÀê€7Ï©S ½¢:“o`æma9¡O/lÀ\.H@_ÁÑÈÊMIBÁwK iµÞ[Z&×À’ V†æ£}DÌø ­=òzÚ¸D€ñ3ýôáÝ0> Z}ƒ‡Gò$ô§ ê.·ƒ> êÐ@`g›+ ²O`”Ð'cÒðP¾ZÞžnZs tà)#ðGïÇòl_m…Ô*yjöe•5i“½Ú©„ãs}Š|8OaTÛ
-„Õ<i(#a˜—é–F—ób1å–y7eѤgÌ]0ü. åõâáø¹<7 Ûƒ‰¢5¸¸>ÛŠ˜.YìÇìÜkÑ­Ü›)S)`˜á›=r¡± X8·sÇÁŒN@æ1ßÀ:˜¯L[O£THÔ«£Úâ2í6t´¥¥^­ÝÆÇHXîÕ
-)÷€ Úo³&+‹4§•ß ÒŠìêGÄ„(—6´%³%ªKA±·„¾¡é¡¯Ž•ý8
-Éð%©MÝTp89Š–(šØ\È€ ©áá¿^0vzazi­¼ý1€’ñÁ 
- 6åá˜ÛÆæ¼
-Ê€œøÌÕH³QƳ%6+èÀ8öîw´”Ò
-YèF)ïvÃÇ2ïå„h$ðÁ0Ù"r&OµtŒ$¤Ü¥3D'Þ´¯¶f?A¥a,Ûêöv·*0± FWÊi‚˜7¥õ {&M×´† ,Ž¯kÚŸªéöÙø@wÈUþàšJþÁƒ`ú_ËüîÕ häº[ê`r:Ò7åÅAu!!ã…‚ÏÄ1] Ø­¨¶ûšÚŠm Ü`EÃó´-cœÔ”ÍW÷ð­“j¼?N˜TÚªô¢ÈÔk2ŒÁKê:ò´Ä*Ñ£ÞYL8,„LˆUËØê UB…º¸þIê‹Ílð)oØ£kð1Iºr‘­Ã–¡Çvež—ç.çò”óAÔc—¯ÙÖr·*£‡}Âðå‚•Ñå½a¦_R\±m¹Œ³yª~’Xø*ˆØ;oC• Eê¶ØÄ„8|Wai¨7€UŠá,žÅ¾ÊÍ|1å8-”oýCùÅp„‚wŠ¤Ó:@~\?¹_6ÈKb ïS¿Buãx­‚ìðàÿþ­ðò3j @aÿ„WŸD­R.Zz¬y÷£âµêÿ
-endobj
-794 0 obj <<
-/Type /Page
-/Contents 795 0 R
-/Resources 793 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
-/Annots [ 798 0 R ]
->> endobj
-798 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [377.8384 566.941 436.8266 577.7254]
-/Subtype /Link
-/A << /S /GoTo /D (ipv6addresses) >>
->> endobj
-796 0 obj <<
-/D [794 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-214 0 obj <<
-/D [794 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-797 0 obj <<
-/D [794 0 R /XYZ 85.0394 745.0977 null]
->> endobj
-218 0 obj <<
-/D [794 0 R /XYZ 85.0394 552.7519 null]
->> endobj
-799 0 obj <<
-/D [794 0 R /XYZ 85.0394 524.1722 null]
->> endobj
-222 0 obj <<
-/D [794 0 R /XYZ 85.0394 397.0585 null]
->> endobj
-800 0 obj <<
-/D [794 0 R /XYZ 85.0394 368.4788 null]
->> endobj
-793 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-804 0 obj <<
-/Length 69
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-803 0 obj <<
-/Type /Page
-/Contents 804 0 R
-/Resources 802 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 764 0 R
->> endobj
-805 0 obj <<
-/D [803 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-802 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-808 0 obj <<
-/Length 1920
-/Filter /FlateDecode
->>
-stream
-xÚXO“Û¶¿çSø¨‰‘ÔßcÒm;yÓf:íöÔô@Kôš™ô3¥õÛoÿ
-A®¤Ç ÓIÈ !íÙ9ˆêu2¼ )Špšæ;É*
-®¨kÄI§ˆ =ŽÁ,0¦X O‹­0ÚŠÏ>n–üùøÛv'sÞ4ѽÁ¶¶Çô±àʾrž÷sTÆõ7»ÎÜ.¡Å„(׎žvƒ6í@ò=­:’Œb
-¹,ƒ ³Š‰±gìÇ>¬‡R$æÞ¤w:Qž¥¼uèD<t¢ßcVfcÙƒ)¯ßÓ‚x‚õ+rÈ"‚ò+°˜æ!ÉMH«Î{Ù*LIQ\׺W8hGR:Žn2€%µøÌ[«SYƘ\ÝU#E^À>ÐýþrV®[Ù¦€(f j68+éAe‹ÙÚ欺Õ2koZu1k¾fÉß
-ÕVµ2,Û è_ç³î:ù¯ke—U)¯Å5¡.Þf2g)¯ò2*j£Â‡u(碚Û)/ò<hPCûáìÓR/j(OÆÅ2VPˆûµ"iòh,XˆÌEíÐ$[Öü# ó…Ê 8‰"ËšHá$âˆÔAˆF
-jSlïíùn°+¼²±œ Ç9hÉÞY¢Zy’þ–hJ“60;Kƒ(±šßŽúÔ|žVü¶¨å8XcpQó
-endobj
-807 0 obj <<
-/Type /Page
-/Contents 808 0 R
-/Resources 806 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 813 0 R
->> endobj
-809 0 obj <<
-/D [807 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-226 0 obj <<
-/D [807 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-810 0 obj <<
-/D [807 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-230 0 obj <<
-/D [807 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-811 0 obj <<
-/D [807 0 R /XYZ 85.0394 544.8207 null]
->> endobj
-234 0 obj <<
-/D [807 0 R /XYZ 85.0394 403.9445 null]
->> endobj
-812 0 obj <<
-/D [807 0 R /XYZ 85.0394 368.2811 null]
->> endobj
-806 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-816 0 obj <<
-/Length 69
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-815 0 obj <<
-/Type /Page
-/Contents 816 0 R
-/Resources 814 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 813 0 R
->> endobj
-817 0 obj <<
-/D [815 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-814 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-820 0 obj <<
-/Length 3052
-/Filter /FlateDecode
->>
-stream
-xÚÍË’ã¶ñ>_¡‹+ÚÔÆ›àæä×&냓Ø{³]ŠâŒXK‘²HíxòõéF)Q£MF©ré
-
-Îtl<jt°
-,¨=ôq­<U–bŽnRš¯Ûâ€ø×o‘þ»ï> þ?³ ôT/´ÌòL¢óÿíîç_ùb ±âû;ÎTæÌâ 8
-æ¬ÊŽ€Ÿ!$É2çÜ<³É€1£œ!©3à
-
-â/³a%Ôq:ôj4u„`øö‡Ÿhɸ§µ 8)Ï·É\‡d«¹_¤Ô3žê ¡xtµÛgÖ—]ÏŽ'q«S×l4\Äù‚šŽàœ
-˜A ~MM•d†giPÔö¢¢FتêåKÊ:¡²,ªm^_×Ø¿c2¥Dê{: l2íi¥júò±Üw´þ)¯¾Â€7<|rl6Œ4†Þtå.ßç=ÁÛP‘¤(»nNQá†ÿ‹ý ã
-ɶh·àãÖÄž¿Cš‘dÀ*ÈlÈ™¡Šâ*¦¿-Bz7©~«¡Õæ°-÷UAËÕØ­°7
-Y h Ò™¿8C@jͦÍk5íµ.Œ>=‡‘øZù£Äçüez
-ï³!†ññÅ1>VMKc×çÍšî‰×´²!rNÕ‚‡ó&è¿ ÂäØÛ_ÏIb,@ôY —¥Ëâ°'ŠÂ…g–Á©ãÌÓÙãþ!Ô7붮šö™=ŠáôÂåðpåšh»]‹w’H GÒ¶Tg(¨LÒ·‰×„„/WeÿT–Íœü²ý–$?Ajýáò¼ó¥Wæ:ÞðÞÆŽIÝyPŒR‚sŸ'!·ÆEŸ÷P:þn¶)!'"BõR©!SW©b…¥¼ïóbã“phO
-ø»~‚YŸOLbÊVÃó;,E9:~>ca‚Î[y/D+Û¶ëCiâí´£‡ñQáóè¨JªT’¸ÕDKòú)—¯&­Ç@!€®PÒäñî¾)‡ÛÚ–ÆU¼uGË©Ð8ÅxeÚ2Ê…‚ðÿ œá‹‹™„È™kM $ÈT¸ k! %ÓG¸W§Bc2F9C¡pÌaGnBáÅdæ©Çdhæ2Â⟡ҡG¯Ï³w¨…3·ãuÀx…WPLã=ûçð:iàÎö¬§ñL~«´b’ky;NŒW8UÚÂ÷ŸÉh( ®ÕêcMñíQ§ÌÉ—î¡ÏPÆ/.Ùc
-ï­6×ÌQ¤PïY{Õ#Ü Íq„ò%sSˆ)Àg™#D ¬Mh<~5ÙÂH–ò¡­¹äªÜ_½¢b3ˆ2¼t4WñdlØ̧s@å×kz ­|¿ 'ý6X
-endobj
-819 0 obj <<
-/Type /Page
-/Contents 820 0 R
-/Resources 818 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 813 0 R
-/Annots [ 826 0 R ]
->> endobj
-826 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [356.2946 363.7923 412.5133 376.6291]
-/Subtype /Link
-/A << /S /GoTo /D (address_match_lists) >>
->> endobj
-821 0 obj <<
-/D [819 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-238 0 obj <<
-/D [819 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-822 0 obj <<
-/D [819 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-242 0 obj <<
-/D [819 0 R /XYZ 85.0394 479.565 null]
->> endobj
-823 0 obj <<
-/D [819 0 R /XYZ 85.0394 441.8891 null]
->> endobj
-824 0 obj <<
-/D [819 0 R /XYZ 85.0394 424.9629 null]
->> endobj
-825 0 obj <<
-/D [819 0 R /XYZ 85.0394 413.0077 null]
->> endobj
-818 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-830 0 obj <<
-/Length 3528
-/Filter /FlateDecode
->>
-stream
-xÚÍÛr·õ]_Á>…ʘî—dúà$rê4qRG™>$gE®ä“KywiYiûï=¸rw ®”J™éxl€XàààÜÏLfþ™HjfÊp$0³åæÏ®áÛ×'$ÌYÄI‹þ¬/.NÎ^H:3ÈH*gW=Xa­Éìbõó\"‚Nžùý«/¿þéõóSÅç/¿uº Ï_¼üöÜ÷ο=ÿîüÕÅð 33ÿòoϸ8í¿É
-ÎýÍ FÌh1»…cèlsÂC‚3GÖ'?žü#ì}uKsäœ I›-´DTIq|[¿†mCW¤”У]R#I°å ÖˆÒ=K„ê±Dqd´š)
-%ˆ÷ˆµÕ¥ŠÕªÉPˆ2d¬Lûc<ƒƒ&\m×ëí)™ß:R
-1 ;‚¶Â›!A ÿ QDCøŒæHÄ)(¤2=<‘FxFÕPtˆ‚Ƈûæøbú›FòàiòÃe<é/Ïí |PQ>ÐX_¸…²¬ì¹›Ç90PÄ L
-ÉÝß•wã#ðëD‰ý¼ÇZˆpч˜ñŠ ƒVçøU«¬G:€ˆE˜smqE£`¯¶›¢ªl!ðž3¥žî¤ â=G¥
-УR ÏZ›2o›ÀF]qž ¼ñM[Öõ
-æÐ9Ûqp Ç'²#…oÚ·…_·ò¿-ó !ÖcRÎlë‡/ƒÕSÀ¡ÈÐèíZ·Ú9ØÆwº¦¨ÛbÙUÛÚ´år×T~\¥úÒú8ëJ’À+ÌÙ´N)Àê{u*Î{:êAœÐ©>~ëªí¢U-q?Ùõ¬01&æÛº o7[/U5´¬Æ,Zã a“ऄy:Ê$ˆ÷†Y÷¦H›¼½ ÍŸ¢u¦
- j³woEÔ£
-•È²R;ûè „ Þ­ƒà®´a¾ý}Y‰‡&(ÇTÔ ŽKØj¹Þµ€ŠÍlYýK› 0
-@–Ëò¦+.×Q*çŠõ®ôŸ6ÕõÛÎ^í°çy”¬+ˆ†£1¶Òçl±sÐYná¼;ÿ£
-†ùömµ "VÅO­o­]Ÿ³'jøƒ1’TO×$‘ˆ(ìixStol5ÄÄX›&>ÚV€‹>ÄCü¦ˆkØ
-ÑÝÓ©çïw[oŽ ßv3,LªÈv;|[­×¾wYúÖ;tÛsµÛúÆÒÆîn…Ú¨y»‹0`Þ¡¥éÄïà%Ú3ˆÑ»²9ÛÜ¡®l;´ÃƧ‘` W÷Fá}?•¹³vœä‘í´ä˜$r i'%Ó¸0ãá¶ú½<&‰iâ“Ibâ„$1¼)—‘D—ŸyK
-!賑]ºõÁBp³õ‚‚¤InvWGw¸§`HÝ+øXÈ)}ÀV›Q¦bL½*¯ŠÝ:q‚4O¥7´¯X<°Æϳ6 He…ý‰\Ð,ÇE€üu&40sýøp(B\ôAfÂ!°ðŒkºßy‚çT#NÈ0%y¿oýÑF'sê² ™c“LŬ©Qá`S|¬6» ÌÅ}(ªµw™îçf»«;p¬J˜|öÇ Â›­ƒÈ’ÝÖ©5#b&@ƒ8óG“=A\ôA’sŽ4ó”¦M‘]!mxR¶lƒ@BäD Õ/“8^DÝ(Bï¶h‡±Á•×–eTWãèS[6Êf´¼íŠ¦ ¡ÃØ dYâHS’q4Ìc¶0•$lY¸@ÌÌ·76Ë,Öë;ÿÛ91h]±×WzíhøêÂ:p…Ëbí}¡ ‰ê¶ù,c(áÖþDKö÷ Và Äå¸Èµm2àC‹x‚whúãdÄ\6Í4Ÿ¿«ÖÛË;ð—Ï2@%
-c\ðÂÊLò!¾]"M°Ü×™=G¥­©Q>™¦Ë²Mv-fBÛ` Š+Kù`ÁºA‚í é͉³”¾>v]Ž£˜ãi?Ò{dôøgV±8¤Í”é*—)Á<mï¼wÉU±Ò¼'«bõ!¯b ðó–£Â-ØåÉðKïAŠlÈ4@°Þæ¢e ¡dÒA¼Ï+—åš@†­Ÿ‰.ðb@¼,ÒåÍ1KŠŠÊ”ÇhPܲWkšs‚cè6çŒÀÔ“t{Ü5»òÈMcl| 5ô¼ m"–WźÍAbÌÊr¤\¨d{,a…µW¶Ò½Œ.
- C a¨A´ã•?wnB¬ûI—¬$ƒ+0Yj:yh
-
-„é~<B\ôA攜#Iñ
-f«è‡²À3)̤¶{³Ÿàå‚Cè™tWú
-D%8ÄïŠ.^|[Ù¢Îá3 l«Sº•€ýx™ÉÇ|‘¸¿ªð›¾ÙØýÞø›F[¢ù«o?¿)×åÒÿýsçé£]Hþñ¥Ÿûµ¡øök°œÜ³<!H(´ ­»NºySD"Ú9gë²¾¶zöÇ¿£j/EÝ輩Vq¾§ÀrýÆßæ÷ÿuŒ:~ü?¾qÏÖù¶?/W Á‹yöÑÀ¾¯Jû‚°®öú^3¡óS[\ç”ÄX+M^ç[ÿ¤`$
-ºk'QÐ¥=#ã7Mµ)šÊ¥bð3¼3°ï³„UٕͦªË°x¹Làíe—"·öþmt>
-Xða{S6…=!˜«=6ä½Ëåð=$i4mowJæEêkh*Õ4G4×(̽=Y/²A·ázŠè>Ù*¹­vÛtGîóG”é¬íŠÎI°?¯ð!¾E:Hv Q¼"TÄRµíªn×ÅÇSCîÒÀ]¯NZ bS¡ÑUeLÏ]%ÏgìQ´BîíÞªôp_Ó«êëÏŽ½e& h¡%Ÿ~¼ÝŸåL#áýÈ’(&{°|!„¨ñ¦
-àM§7“7zt>|å`ÓHû°×Qf@fá­ÌË>ðáuŒÈ¨ìY"Ašˆ)&÷©7k‚HqÖ½DšÚtO¤ñ¦y"õ7)Ô¬Áú¸§R¬iÿvöIHæ¶SöIBÙ[/ÁÔ=„êÍš Tœu/¡¦6Ýj¼ižPýMC…ËyG°¯FYïÊ[ùÜ‚ŒÑqE >äg¬WªÊ&ƒsŒÞÖj­Ø4¹{“ŽS;NºØS;&ZwÌ’º¿ã¾bàßÝõlY”ÖUÞì#¬½mqdÿ(ÏJ9xÜTX!Ç[ æ¡<‘1z©ØÏ9Α0ç>†Ll—ø1Ú.ËŽÞvE| ܦ·1£~Y/×Ûô¸1Z˦XBS8-ý0üqŠ¾ýmö”‡iMó´H¹@@Ê=Ö˜ Q¤Ôÿ ½¬Vâendstream
-endobj
-829 0 obj <<
-/Type /Page
-/Contents 830 0 R
-/Resources 828 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 813 0 R
->> endobj
-831 0 obj <<
-/D [829 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-246 0 obj <<
-/D [829 0 R /XYZ 56.6929 363.2968 null]
->> endobj
-827 0 obj <<
-/D [829 0 R /XYZ 56.6929 335.217 null]
->> endobj
-250 0 obj <<
-/D [829 0 R /XYZ 56.6929 335.217 null]
->> endobj
-832 0 obj <<
-/D [829 0 R /XYZ 56.6929 306.9099 null]
->> endobj
-254 0 obj <<
-/D [829 0 R /XYZ 56.6929 226.5017 null]
->> endobj
-833 0 obj <<
-/D [829 0 R /XYZ 56.6929 197.9796 null]
->> endobj
-828 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F14 608 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-836 0 obj <<
-/Length 2750
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Â{(G4Hð³}j\»u§u{‰2w3Mg&!‰cŠTI*Žþýíb %ÓIgÚÑ]`±‹ý†‚s¿à<‹}!óè<Í#?A|^lÏÄùp?œ¼fa-¦«Þ,Ï®n“ð<÷ó$LΗ« ­ÌYœ/Ëß½ë¿ûmyóöbÆÂKü‹EœïÍÝý÷ÉésýëýíÝïß~w‘FÞòî×{¿½¹½y{s}S û¦ð†ۻŸohtóóÍ/7÷Ëw,:»Y:a¦B¢$žýþ‡8/AîŸÎ„/ó,>‚‰ðƒ<Ï·gQ,ý8’ÒBê³wgÿv'X³uîc™ùq¦37ɹŒs?‘¡47xSë­n†ä’Ò+TCƒßÐkôZ º$àS5lh¤èSkUVÍš&úSQ«­ª¶¡½[Õ=ꃈÅÿ¾ú>Ák„$žj˜æ°Ñ4€S¯«~ Q£¶º'jÂ0RÍ?†Fj MÛh&à:AàçqÙQ·…ª7m?ðÆ(äÃeŒ =ô8!°ê.‚ÌÓ4ÙѤÔ„]‚‰¤ÀÙ/í¸HxU³j;+;î²ßŽfB, Í5ãàq«voyªÜN='S©û¢«v|Ë`ŠíŠ¾t‘0PEMƒ~
-Ý÷„A›o÷MHåk²Š>hj„
-#!Zÿ!úY3ΪޚCU³eð«1TÚýš¥œZRÙ{T”±ëY#úÏF£¹JâË0÷ÖÕG ¹û@Gœ"/ìYèWŸƒ¬"¦h·;vÂ’0xˆ˜=îˆ( X|Ä¡ø`+2ÊI £…s1tê£îÌEpã˜CÝ‚ÅÍXؾ;„»ÉÃH˜Om9Oˆ š¢„= ÀUºci a¯±õœlÝî&L©wº){‚ÛåO4”Ž€¤$€r°ÄcxýÃEàir(˜±®a!jÎÀœµƒÆ‹¶È ê×l÷Ø?é"u³°Ñg×vCÏKÁ£Á1N±ÝÁV‰6lz£8S››ÄX¢˜/NCŸ³AÐ6‰Š#Üg¾Œ±2Êc iíÝ“ U.ó!ÀZ’ªëö©?!kŽ²g3 ·tN„—º© ÌXQÃ$N½»Ú£É.Ñ@$ë…¼ÜÚFæc9rãÖI:­dšË S¡Pn˜€aZe…‰ôEœk†#”uÑ´Cµ:ðâiA'~¥)/~=C.ñ…p ˆÚŸ{ÝÍ‹} {¿@+9¢>Üô+òÕr `Y–|†Þ"Š&ÇZ0”÷;“fèB!Èø3tc?
-epÄ'Q[€>©ÎTLÏ A %c9Ê೑±ª-ÁR)­–jU<nÚzŽÝ(õ“$ÎFn€l{”ȳä8Ž"Æ!À¡_0S9Fµ õÞUÛªV]}¸‚À²i‹pVé'‘LCÌ4h$PÙòJí'JJ EÄUp4€A¯»&D$”æH´÷Ѫ*S*ÂJ{”‹|àêˆ.úc%‡þºç…ã-h=m*s0,Û9o%6Ž¯‹b(ðl°z£­˜ANl…v
-{øTc`§•WÍæ*‰aØ>&˜èj›¤ß“"'°ãлmíêOj»«õlñEÒžx.Õ?ôåU}‹A8÷¾‚Pf'ývÆ'¡“inC•(¡t[pŽ—Ž(ª‹Ì=§ƒç3‹À’j®€°ºeÓBŒ£êL„¦än¸Â¦$\ÓÈ{óÔóàXµuÛ>îwh ÒT0ˆ&¼"Øxf`•Hw'Ö5Þ=5" ÌÌ{ß!ð(¬PÂȆÀ¯hõx•ÆÆí盦~$6曺ÒØ:²ÈNqÕÙ>Àýêá@ˆúHUN0Ñ5h«ÃHäÇó
-n÷£#™ôYTâÊã·"A~´Šõ¾³ºI2c'µÆn býò"½–怚vRòI­õ¬;’u=)½d¬\
-0/u u;õ£0e.„yGèí'âk." o;òôf)(zá—»mAÁ‘åš&mcÏVôÁ§z2 7Ñj(ÍŸ(u̬ìí¾ª]íêíŸ]>§ùðHóС¡DTÄf|ïî©D”Br‰PW"ÂÌ>yxÕbÒãp깑®#j^-}[÷Ë`$
-×âüí¿QÇ?™£Ô—YÎÿC
- ÑÏÂ<µL¡ a~ʹû¿õ9ëÿ×kendstream
-endobj
-835 0 obj <<
-/Type /Page
-/Contents 836 0 R
-/Resources 834 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 813 0 R
->> endobj
-837 0 obj <<
-/D [835 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-258 0 obj <<
-/D [835 0 R /XYZ 85.0394 497.0473 null]
->> endobj
-838 0 obj <<
-/D [835 0 R /XYZ 85.0394 468.4726 null]
->> endobj
-262 0 obj <<
-/D [835 0 R /XYZ 85.0394 408.9221 null]
->> endobj
-839 0 obj <<
-/D [835 0 R /XYZ 85.0394 382.8699 null]
->> endobj
-266 0 obj <<
-/D [835 0 R /XYZ 85.0394 310.3501 null]
->> endobj
-840 0 obj <<
-/D [835 0 R /XYZ 85.0394 283.0525 null]
->> endobj
-834 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-844 0 obj <<
-/Length 2301
-/Filter /FlateDecode
->>
-stream
-xÚÍZmoã6þž_! j£k._DRì}J³I.E7í%.‡¶À)2 •%W’“fý ßd9Vì¤ñÁ+¾ ‡ä gž‡tH„ቸ@BQI#Ž ²ÅŽî ïüˆx™Išô¥¾›}<4RH *¢émOW‚p’h:ûe$EcЀG'?^ž]œÿ|u<–ñhzñãåxB9]üpêJçWÇŸ?_'$ádtòÏ㟦§W®Kxß]\~r-Ê}žQzuzvzuzyr:þmúýÑé´ÛK¿3³‘?Ž~ù G3Øö÷G1•ðè*¥h´8Š9C<f,´G×GÿêözíÐAûŒ([mË!r…£ÌðãÇñD`<šÎóƕ·kWhÚ´n]±ºußÔ}²j±Ðe Ö#Ôêð#Jý§Pä¥6F‚•NAŠsº1m˜, 64p5}¯Ë°¨ju7÷cÛMEu—giQ<îšp¹µ—nŸËZßçÕªy²7Pöñ,f=C‚jªP’HeU_ÏuQLšö±
-ì ²"†TrÒÍÌr³¼ðp^§‹EZ?ƒµ L¬Xˆ>
-a扔”ûd[ú3MÞX ;ðµn
-u‡jVG
-M Øk»†9°]øî@îotg^oó›Ç5¹wÓö—I€1Â}$p©ºœe‹ƒK‹,,nÕæEÞ>Ž !£.\[çmæ~êAz@2Ž8gÉ2®ÁŽæ´W3½×ƒ^®ÙH—Ží°Yo=‡2Zˆ‹Ãå*˜RÄŒï1•ˆ$>ü®÷¬Yê,7²6Ø«Á½„¤³èhv9ÈôXrlZrß“®à˜ÃU8ëH
-tÂuVƒt°Î¿ôXЪéjz}q¾Ã]=K*KÜ]
-’1ºÇ]˜!*c-pg½3&x˘FaÙ”Qb 0„úÞæ|h½–{ÄáåÂÑú¯ÇYY§`(“ÞÁ½aÔ¸†À€¦¤õÁ]}KÖ]d@“QBéž”DaOLÄUŠ‡Zþ-ÉÂÊ6@ÆV< Xàh¶ZfÀ€/e€‡¨Ä“F[ÊZ_hü×|À£ùÝÜ÷<èuÙ/§*ì11-³T/ íSVb^²˜Üt³¹ò,lCdx8³F\>hL:À3×æ'¦çŒ÷à
-6îBn«®¿iW7^eé55Ez?ø&÷Å> ˜dÜMféO‘î¦}³¼ßh'
-t琉˜ß\r®–©^ï0“A\ÝÕ}Óߥehß¾ªƒ@˜ÆJ¸l­L6·w6èŸéÛtU<½”ºãuÞ{{|}çÛᲞ5Þ-ë§8F¸ÿ†9è1ó6Øð¨dm½Mu¸gº^_곡‡šµwLeóú¿t€:é\l.i“ï2üzOï–«PÙŒDq$dâ¸z[¯ cÌ&À$_•ëìu©'#;ÜÕ?]^_Ÿž¸²Ñ÷¼1û }¿Ö`%Lˆ=ÖL’”¹¨¾ÏõÃk­è¤ªèŽÛb=‡5ÚCŸØjBö -‘I‘ôÐë¯Í Ýa°ÞZe°—¿Qÿ?ÞÕˆ"(–‚E ýÂ…ðÛúÖoìT&(NH+HµDÄý•¶b1JºWÉ¡‡˜SªÀŸ½1 Ä[–i€qPã’y™ç› ”`Òåÿ'¯¢‹ô1ä÷"”²l µÌô:ß!ų¿2`‚Œ ýåŽö&š—þÄúw
-¸U°$¡ÃþéÜèe ÁðÖÊÃTl/ýòÿ-Îendstream
-endobj
-843 0 obj <<
-/Type /Page
-/Contents 844 0 R
-/Resources 842 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 813 0 R
->> endobj
-841 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/warning.pdf)
-/PTEX.PageNumber 1
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 31.00000000 31.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
->>
-/Length 557
-/Filter [/FlateDecode]
->>
-stream
-xÚm”In1 EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5 oʯÅésÀóή¯ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ùÆ [ÄIÚL’~”F Ø PÈùYÌÀ¹dˆÐzZ8å±Ýƒ²ÙËò‘–Œ€f¾Å(ÌÀE#@x˜oL Û¹[ƒ±ñðù
-6\>RgÈbÏWÖ¹j[†›
-WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½t•‹ùD„™Â²]°Ä(‡;„ ·åŽ°Š­r²ÂÙÄLûˆ T¥Í¡誋ŠŽt’¹w_ =Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^ m" ^˜h±ÎW9AVªy­Â©/fýÆ"•œãûFy-Sng \Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&Øíþ²C¶O–ÃVç X×9g¹E{îÇ< •ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
-endobj
-845 0 obj <<
-/D [843 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-270 0 obj <<
-/D [843 0 R /XYZ 56.6929 486.3415 null]
->> endobj
-849 0 obj <<
-/D [843 0 R /XYZ 56.6929 454.4975 null]
->> endobj
-850 0 obj <<
-/D [843 0 R /XYZ 56.6929 395.7282 null]
->> endobj
-851 0 obj <<
-/D [843 0 R /XYZ 56.6929 383.773 null]
->> endobj
-842 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F84 848 0 R /F42 597 0 R >>
-/XObject << /Im1 841 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-854 0 obj <<
-/Length 3138
-/Filter /FlateDecode
->>
-stream
-xÚÅZKsãƾëWð*µÏƒÝ“,k¹ÖëÍ®|²].ˆ„$dI@! ••Äÿ=ÝÓ3x %[J¥xÀ¼ÐÓÓϯ3?1s†q•éYšif¸0³ÅúˆÏ®aîÛ#Ö$qQ2\õõÅÑWo­œe,³ÒÎ.®´ãΉÙÅò§ùéßN>\œ}<N¤ásËŽcùüëó÷ßÐHFÓÞ¿=ÿöÇ'Ç©ž_œÿðž†?ž½=ûxöþôì8Îx_
-{^x{þîŒZß~<ùþû“Ç¿\|wtvÑex^ÁäŸG?ýÂgK8öwGœ©Ì™Ù=t8Y&gë#m3Z©8²:útô÷Žà`Ö¿:%?£3N¦Ôr&ËŒ‘# šŒY%•— Z€
-%éXÂ7–ËMÑ4¿®óvqóëªlZ¿6ÙZLÚþý ±0>ð SÆ­qÝä#ú¦ø™sY•mYW4’WKjüØä×EØFí?éÅMÑñÒ/Âe°8Jc—0LX×4Æ´™çMS^WMèУyX_Ö«rA=’*¶Ú:,«ÂDy,ÜĉvîeJs(X°mÅÝü<lu]´aŸ26zÚWžR½1r»)Á
-¨sפ)¥™tÒÕZ_±Žx‚È4‘§æ50%øüd±è–œÖUKÛå½Ã…Ôü™~rú®§`~ЋHY¦Àþqã÷u GP
-Äs“·Ø²^@82b'38‡Ìü% “pt}×—adI–S,iø¾lo&ì@¦Že<‡ Á‚Ñê4¬¹,®jâŽ6*ÃÆ‹È=q`QðK)VMqSÐ[o`,ÍæUüBA–Š-µÀ÷¹_¬Þ½
-4*PBÐ[dÅwV«ú¾XNÊýÀ/ºªqUY]S•4Aêò®\µIY½ÞŽœBh–¦©œ«˜SZ?%vB0¦é8vþ¹·"#¼—Ø^è=´B3¾1&•t‡J ‚1—fr™– ¢¼1†éÈòêaÂj2Å”0&XÍ÷hÁÒVÁanjp¶-bÃÓÚêY`F=ÿ€
-¸±æÿ'2Spj©Åc2Ó"'s¬êªøcB«ê§ÉlÀÌKÉ,渧“Œoì—¡Üc2S‚­/ŽU½ÈWxü? ¸TA|EŸNåüüÃMC”DiȆ¡>æÆ}n€Ed®0Pí}½ùL²j‹ÍU¾(ŽÅ<¾Pu‘gËÚyš‡RèÕ dò<9÷ªÀá$ØÜÓIÆ7öªN[+Õ£æÎSfuW]…‰üɪ™ö‘Ê= !¢)š!¥ú™ =I§8×é ‡¯âüýM‰ÉxÕà©fJ{79*W(B/Böz˜"37ÿT{,+ˆHCË–5 VuK[‚
-_À\Êex#§Ç}þ@&Ã{˶Y—%z¦ÄÀ¤¤D}ªÿFVED®Û›†úÞˆq5@Í`ôн‡]b~^Ñ\sçñ$.a`‘7Å«) cMRuÒ­ƒ°jõ0@]1âuŽy‡fà}ŒØŠæýÃà ÂlŸ§p/6X·SC^÷DÍDÛˆŒö{íОçb½×öEÔÿYˆL2n¤ApƲ,Ãjn§ªSÜÂi2¨ê´JY
-J}¤ªSYÆ´tº+‚T(‚ˆ§ëUó'J;ËT
-žžJ_ÑE 8²:ð­–!X§Vyû«·+ßù½Ë˜,ÔJ‰`©V”ŠþJSÚ`ñ>GÂë·õ¦í¨RÇ{”¹ C»Å%MüJÃœÁŽøÿ\<4c202zù ½JŒ#HxÆØ›ÉRV.e –”²Ó¢~Šÿd=ëÕkÔ³˜1© ÎÚ±0éÕ’«ÝšVÙ BîbŠ
-Àgªi¨ˆ[)0¯÷ ó ä­dèoo¤¤Û)é.
-û¡h‚ÄÏaĆ5=óàQîó¼íÍÒ½R•:ƒ*OXpEwÏkG1’Ü•«4 ~ ñª[vH°ŠI¬€x¼9ÜÅ" RΕÜÅ
-[¤`í†À¼ÛPy`}ëc.
-:L+¶VÌü¾\-ýUÙX+oHûWªbù¢ ™^pàÓȱ
-Œ ë¶àÙë×SôbÂ…‚‹²‚„;€}Še¼­ÞÄÊø·r}·Žxdq·AÌ$„$ékœ29¿_R2Üu_m¯ÉŒ/FÈèCÈÏRê)«ƒ„nœ!ê½а,À>Xå)úm ѵ ^ÄýÖ½H&lO0áºÐ¼*u. å°¨}>t‰“Å è’J¼73ݾ  hΉL¯¨¾6&UcÅúÏ*»¿ èY:õå –Msæ{øŒ½a,-½éŒJÓƒNO‰n7±Ü @õ¢¥:ÇP“š}Å
-:>ÿ¼êr.¬Øý“Àè+rgxÉÄå
-°]÷å³é›x ò0…›5`}+²Þèw3`nS̼ÂIý¸9L§`3‡XfL·¯¹Ëiˆá2QH±ò×-A8ñÛû´W@x…"_<âì#}At @¥`ovK
-endobj
-853 0 obj <<
-/Type /Page
-/Contents 854 0 R
-/Resources 852 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 861 0 R
->> endobj
-855 0 obj <<
-/D [853 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-274 0 obj <<
-/D [853 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-856 0 obj <<
-/D [853 0 R /XYZ 85.0394 752.4085 null]
->> endobj
-278 0 obj <<
-/D [853 0 R /XYZ 85.0394 683.64 null]
->> endobj
-857 0 obj <<
-/D [853 0 R /XYZ 85.0394 653.5261 null]
->> endobj
-858 0 obj <<
-/D [853 0 R /XYZ 85.0394 576.1881 null]
->> endobj
-859 0 obj <<
-/D [853 0 R /XYZ 85.0394 564.2329 null]
->> endobj
-282 0 obj <<
-/D [853 0 R /XYZ 85.0394 420.3273 null]
->> endobj
-860 0 obj <<
-/D [853 0 R /XYZ 85.0394 391.7481 null]
->> endobj
-286 0 obj <<
-/D [853 0 R /XYZ 85.0394 295.8129 null]
->> endobj
-718 0 obj <<
-/D [853 0 R /XYZ 85.0394 264.2689 null]
->> endobj
-852 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-864 0 obj <<
-/Length 3271
-/Filter /FlateDecode
->>
-stream
-xÚµZÝ“Û¶¿¿Bº‹Á7ÀøÉqÎ“ž/3í8™O¤$Ž%R)Ÿ¯þïÝÅ)ò>ÚLGåb±Øßâ3?>Ó&1©Hg6U‰f\Ï–» 6[ÃØû h‘hѧúîöâ›wFÌÒ$5ÂÌnW=^.aÎñÙmþin‘\6ûó‡w×ï½ysiÕüöúç— ¡ÙüÝõWÔzó槟ÞÜ\.¸Ó|þöOo~¹½º¡!x|wýá{êIéñÓ›«wW7WÞ^]þ~ûÃÅÕm·–þz9“¸\|úÍrXö,‘©Ó³{xa OS1Û](-­¤Œ=Û‹éöFý§SúëhR%æG*=¬gÔ¸™Ô·N#…ìô­ä”¾#êûÓM±«ÛÔ`ÅüC¶ó-9ÿ>ƒîŠzßÖU{¸än^oi0Ûï·å2k˺úý\aBëD:-g}YF+쨞Yhjg|(sYf5i¢¹àƒYŸÐXGÿÜü#¾8ÿÇb‰k'íÈD&<çIÉ%Õ3z訞‘cÌ åøiNB¬êmMYAs—ÄËîêcKc˺ú1±>ÊjM£Ÿ‹‡%X•XÅÕlÁy’j-zšaú~ ÜÙV€$‡*_¢æX¢¬ 4 Í‹0†r—8Ë»^(\Ï«zb*!À‡¬ l–hˆõ¶™˜N:`­y lÚ¬-vEÕ벡çÞ[qÑÀÀ«‰ÉRžXm¢ÌøB>5l·„8FT÷åvKÌ›"ÌvÜÓ3£G^¬²ã6Œ-®„›¬ªŠð²-›¶¨hsàÕo!<ÛMÆëz—-?“6!ê¼úlDz<«„EK§æ\Ø„Áã+øn•SÙ‚ë_¾[ÖǪ-ûìÐÒзßr¤–óùuE$í¦ Ÿ-³¦xu¹PÜžxfÛ¦&ºûMQQJ?Öµ;æF¿`gJ¥Ìxgý"‚õÊý”uº \ÒÛoP Pó»chäu6!ÐìB×&ûRP+›²yÁ—ÊhôÑoÎ^&Â(µÍŽ¨£‰Õ Hx/04!:
-††âµ }º­iÛ:ËCÏ&,cYïv~güKggðÒÓW+²ÅÝéKŠœ×¸thY;¶a/µíëÆ@,w¼œa¼"Íp“t Œ±eÈ‹¯¨ÀoŠv2´@ÃœÀbdýXXÇ—â0ÁX£töÖ<4`r«¼<Lð7V¯£ÅÝg 1oöŲD%9uIJul¸}qðîXn[ ÔàHÞo/S1¯ilIö™QúeÑðrÃÎÀ
-À1
-ÖÐÑ95övN/;ˆøÙ:~ØÑ´›cèòÒa——ò<ùTR61JñgBžJXzŠã>ä©+È×-1ßeŸI,\Gˆ×r-í³x]7My·Å ’†öNÚù± YEÏâ+äIÊ’06ú=N0'  
-ÁË”OüÒúâ
-L&©•bh
-ž€÷iÊcAAñ„F5 ¾g ùØ^fUè\.©¼Ã0ÒâÆéëhÉ¢=ÂH^4å)ñùºG‡¸*&!—— A)Ì€a¨¢†µ‚®À€ž? | Uðn°mq¬c ™šg%ÙFª®:ô¹%ÎÐÁm¿TlTEÄäícÐz²Ø
-W ËË&Xtß
-OšÅÚäUg aòŠžx‚1e.vµ÷S~d¹çÇBßNÁc<4é$O®å¹
-¾8y¾Û…§×S,Q)3ýÒسè6
-{©EbSÊšñþC_.8cˆ]—Ûc4÷±gExùqÈ@ÛS' ·±IƒÑ&µWå¶À„ôzJ"6–ļ@’ï 4Ë*–Ò~“ƒüêÁéX;g"ÞNbÅrª¨¢–`°LUG¿R#ü/EÈx
-áQ`§òPϳöŒz_—‘Ý=&ÂÍ#g›àŒ
-Ãí®¬ "ï• ÙÀÙ‰(梲¢ðu%<=ÂkCaÙgSh7R(‚×Y.=C"÷‡² ¸Å„‚¶»öˆŸ™
-Q–,|››šˆÚg
-çáx—¸_ÐR'Î4l"Á1žÓxªØHã q'•C×ið„¸3@ã©uàâ©SqMž,ž˜"1ýåø ×1¥]añ€Êªý“À鉄óyV¬õ01=âÐÜÊ
-9–huÉcÿ½’:Á?CMÈͺÔþ‡ÿ—uú•²x-ùCu‰rÀ$…*£?ÿh0‹þo'àßendstream
-endobj
-863 0 obj <<
-/Type /Page
-/Contents 864 0 R
-/Resources 862 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 861 0 R
-/Annots [ 866 0 R 867 0 R 872 0 R 873 0 R 874 0 R ]
->> endobj
-866 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 755.8266 256.3816 767.8862]
-/Subtype /Link
-/A << /S /GoTo /D (rndc) >>
->> endobj
-867 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 755.8266 332.4306 767.8862]
-/Subtype /Link
-/A << /S /GoTo /D (admin_tools) >>
->> endobj
-872 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [378.2799 116.2526 428.5017 128.3123]
-/Subtype /Link
-/A << /S /GoTo /D (tsig) >>
->> endobj
-873 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [112.234 104.965 168.4527 116.3571]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-874 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [75.273 61.5153 131.4917 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (controls_statement_definition_and_usage) >>
->> endobj
-865 0 obj <<
-/D [863 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-290 0 obj <<
-/D [863 0 R /XYZ 56.6929 441.8384 null]
->> endobj
-868 0 obj <<
-/D [863 0 R /XYZ 56.6929 416.1193 null]
->> endobj
-294 0 obj <<
-/D [863 0 R /XYZ 56.6929 378.9792 null]
->> endobj
-869 0 obj <<
-/D [863 0 R /XYZ 56.6929 348.5817 null]
->> endobj
-298 0 obj <<
-/D [863 0 R /XYZ 56.6929 276.8275 null]
->> endobj
-870 0 obj <<
-/D [863 0 R /XYZ 56.6929 248.1435 null]
->> endobj
-302 0 obj <<
-/D [863 0 R /XYZ 56.6929 167.2435 null]
->> endobj
-871 0 obj <<
-/D [863 0 R /XYZ 56.6929 135.7502 null]
->> endobj
-862 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F58 627 0 R /F14 608 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-878 0 obj <<
-/Length 2414
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ù’Û6ò}¾Bš*‹&^ñ“㌽“ÚØÙñ¤ò`»\ Ò°Ìc"RV´›üûv£!qâ©réA@hô}€bÃOÌò$ŠU¡gY¡£$ÉlY_ij ¬½¹¼gá7-Æ»~¼½xþ:•³"*R™În×#\y繘ݮ>Ì_ýë寷W7— ™Äó4º\$i<ÿñúíO)èïÕ»·¯¯ßüvóò2ÓóÛëwo |sõúêæêí««Ë…Èç%cxäÀëë_ÑèÍÍË_~yysùéöç‹«Û—1¿"VÈÈ>ų°ýóE©"Of{˜Ä‘(
-9«/t¢¢D+å!ÕÅû‹ÿ G«îè”ü•GI.³ j5%À¤ˆR%•àí½E&ž¿Î²ÑV‘G…J3À{¾ØÃ)£BJ¸)MÈžÀªŒŠ<ϧ] c”Ž‹4™DºHNØ(WÄEÀ°Q‘$’¹xšSbnª®…‘Ìæ_švßÐÐtô߃4h X†A:oLmÝI9/y“¡•U[›’Ïã.íšò­4+W¶éËõ¡l6t(¸@1ƒS±œ_÷^ÆxçñuÖ±j–‘B‚¤˜-Ç7nWh"öe¨D•Ä³ßÙíW»’Š£Xx!u½ém DÚE¥ è ÐöRäs <v}G‹ÝÙöþÞ0„o%hK0Çž+7 0ç`û²¿÷gœæEäÄŸÏÛ-‰ådnV+¢¥ãýµé—÷$+ ¬§²eU•Drž)y>Ú@; #¢aT6˶&•Áž†aýÞ|µ´vgmC°33°n@ÖG’YͳÁÊ
-°®jÓnAíç é?öÌVç’ë£a˜ÖÙ?yuåR&¬êá¢3ßÇ’IV̲\Mù÷û¶Ç¸£œðíTFRCܶ=îÛ ØX3/(G%R”·`YýÖ A¤VuvY~Œci;Úfn—;Äá¹Ù{‚¿.M_¶ côRÂÌgN²n¡mÐÉš± g‹BF*¶ÛƒH]MïŽi5ïví¶G£Á)Òr~ûþú ÁΰꤑŒ'AµY¦RÇ}m–‹z•LÈMg`±ìÈT^<b.2´ÎÒ!~,·¶?µ-2ÈO:™¥…ŠtªÓﶕãbŒòÜV´Œ£DAf¶QüršŸˆr`¹Pc{aºpì”1¸/´¤‹;KJU™'2tBœ]=pw Šï0Üç ït.;é>Ó{† c4]¤š&"ÒÊo$£!âv¶Æ( RH)Y4P£ÄóªÝl(ò
-ÿçDê*”<1÷´cyošÆVÁä3åÊ> ø'1mZ—o0è!8r(ð¬TQuV ¾b{^ÓÑ숰ÙÕw˜’püòQ( ûïhºkª².A1g>…¡8`¶+ÿkÏFrÆ'“Ì2Ý¡ùŽÇŸ×fYVš¦2€?Õ¯ìv;E×_žßª:òñbL‡˜fÄbZ„KÁ-a
-A¨
-„·¶¡÷fÛ Öáooá¤õ ¼;Q¦DÈKÙ¬ÛàØÊÞíSUU•—e°õ
-&’VIUˆóÚ\)hÚ©Ûì¸
-F¨«8qq¾šmiÑ&qÒ®i×À´>ô'q²F;Ã¥FØK:DóÐcÝa×ÒMp§ ÚS±ð5†OçìQ®Ïrjøá~k¨ÛÀ¤ØµËøî¨{kwýÚö÷íª{FÕ?^^8r ŸS™Ç5œ¹xÂ[ö奘S"\þU±oéT<t3‚»3²<¢fFû´så^€Kƒ aQœø²dpɉº-ŽÒÜ‹t¢m¹*°•]²ÝÞ·{ òÛË
-¤iy‚–€ÿ5´O`ɾö [¢ ‰]±·eP`jî1ÒÂQñÎUÀRk¨…§XÓP|èæ°ò,RBç( vå’N|©¥¹ÉÈŠœÓÔð¾Ú4LÛÃÉ
-L2.­_èÁÀ:
-«ƒRa¼iùDœÔƒsM9 G9î‘lœz|L5·’žLnG×'Q壔z"TàÓLZä^_‹Í7ß[""êa’|›{|YEfåŽÒãªÂGm•J·Hpñvë©:MœüJéñ›ÅÙK]Ûå(õåŒ7­ÏŠ^˜mcC)×-;-É+ Þ§ð @,Â"¨›òƒ*
-endobj
-877 0 obj <<
-/Type /Page
-/Contents 878 0 R
-/Resources 876 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 861 0 R
->> endobj
-879 0 obj <<
-/D [877 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-306 0 obj <<
-/D [877 0 R /XYZ 85.0394 662.5434 null]
->> endobj
-880 0 obj <<
-/D [877 0 R /XYZ 85.0394 634.6304 null]
->> endobj
-310 0 obj <<
-/D [877 0 R /XYZ 85.0394 376.1585 null]
->> endobj
-881 0 obj <<
-/D [877 0 R /XYZ 85.0394 345.4362 null]
->> endobj
-314 0 obj <<
-/D [877 0 R /XYZ 85.0394 136.7105 null]
->> endobj
-882 0 obj <<
-/D [877 0 R /XYZ 85.0394 113.7908 null]
->> endobj
-876 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F57 624 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-885 0 obj <<
-/Length 4116
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã¶ñݿ“—È3C|‘`ïéšÞ¥×6—öê>tÒN†–(™=‰TEÊŠÛéï.v’dûÚŒ.@`±»ØOH\§ð×&K²B×y¡“
-s½Ø^¥×kèûîJð˜¹4úõÝÕ7ï3y]$E&³ë»Õh.›¤ÖŠë»å³,‘É ÌξýáãûßýåÓÛ›\Ïî>üðñf.M:{ÿáï¨õݧ·ßÿöÓÍ\X#fßþöíïÞ}¢®Œçøõ‡¿!HA “~z÷þݧw¿}wó÷»ß]½» {ïW¤
-7òÏ«ÿž^/aÛ¿»JUXs}„—4E!¯·WÚ¨Äh¥<dsõç«?… G½îÓ(ýDšH´:' V1š"É”TŽ€í®¯Û¦Ülž`k*Ÿ•›®Å–mêmÝ°¨¶­º®\WíªÇj_÷O<Þ6~xÙðXovÏ•‹Eµë«%õß?,°x(›ÆÏó·Ô¤¡gY­Êƪ;¤<ìo, ZÚ¤7V7«–‰ lb™Á
-âG]ϵΓ\ ¢Ia Ê0U"Ÿ*@eO/}KϺYlËŠ^ÊJB˜Äjë5å6~Ž“J“¢Pñùºjª}éhä«·¼B×—ÛÝ-´•&Š!p#×íþ‰Þp F§Y~Ó2¾§ð9…MOaG¡³Ä*›M)0ÐèîžMË
-•ÚYëĆDLÀ!VÅ”¾t
-~ãÄK€ZY””¢.h[Ç£”žŸ«jG½Š§Þ,é}´¥”%0õŠ%“£oò1I  i–{Êo€òû.A>ž“OˆàX:wföC×Së¾BåFê ßk†ãqÃ'Ijz?TÖ€O""å(Ê[?yà
-+ômd¥,Mr)# ÉØB`”à±·‘ÙÀË<Ÿ,ýŸ°&’9•MÏxt/0@ëWmº8–¤ÜΧ•:)´Ê_#™LŒ2z´'™çSN Î •¤Ff¯$Þ{8Rª³¿ÞrFŠ-'c‚®|Š)6øÞæêT±¹/³9QÝ3WYž€°'Â'Skö‘´ Ž´ö
-`Ía{Þ$Ýј_9!ÇÁégèŽú•9ðA^`ºú_1#¶~*Ò¹4¥c¬Xv]»¨ÉÕDø±FsŠ=Œ¨fý Ò·¡»¡Ö‰¾ “öš kJQ˜$Íì‰ã³lçªf¬±Å^m.:©÷•›Á¬$\»úyQUËîäúYÖ ï<gŽ2Ü¥ÅìcK ¯ö±=0ß‚{…/Ÿ!LáØofOøMÌÎ’Q¯¬ú¹F_iMoD=h2r¢»”=Vî`gË –ú¢ÏlÕË`³p½àfVXƬ〆Ÿà
-,©Û‡:,Įٮ©oíèÕû$±Nd]ÈBÜ°6b ­svdp Cps œÔ,ϳ—|ˆ½MØ´ó H{ª 4R~âv}‹T™ÙB$⼸Sìã,B´xÝԦϒÑó
-ÊÐj)_å< Š/œYurV[:«€bÝ;aHc@Wpl”«3œ$ð‚~;ÄßäÔ¤àåeö$
-ɈŸAÇ¿ÝlH\ “AÄ°Ø×÷|ß>òQKÀ£©ŽÔ€
-šV‘_Ø•. •óz‡•%‹*|ßÆ$ã—ÜšWÐ[$²bBp”B™ãÌn…m;^wYö%G\Ô<=±Æ䃪”¼y|¢\õNñߦRŽ°A§ ‡¦¯ùË®Ýro{èçíj~OTÀ¶Â¨ªî¶ôJ˜mº°çù÷7¦DUØ]ZÑãBÂLcÊfªÞ‚CÇAgùs½=l½sÊU¯zçLÒ÷ÕCùXû˜öbòÀÈqÜëšk9ó8îòcDS¾#šÆ8Uu2ǹ´ø}™|Ù˜Ú
-ÞÑ©JVæÜ“ˆžrPdS©ë~q„æ"Ï€ ÚN÷"ë,ÅtËO8ü4ÿÛQH*ˆÆR5åçªF"á ¯øSô®¾"Р22
-+ðAüÀ–L·ob2²Û×M?§(Ç=U]ÔTÒ¸!m5;¢ûŸ7´ßÀ>k$ np÷ÔÅ}U†¥rKr”[’Ót8o$Çy#Éy£Q/¬Ý»@ÚèÉÞ =š}ð³pbâ°å¼)8×¾'oÆU¹¨75¨K—|@IÁ?áüQqšÁt±.\¶
-Ÿñ³›$Ó…~‘`2‘&óqÀ¶ä9wpâ0““f³ß7í‘¡„n_;MïÞ‚DØ¥MR¨p‚>Wû&žLOC¯©GŸH!<rÀ¹},Ãg5ËåkgÙ–õ&®t@÷â$^þ–%¨êØŽœg"Ï‘)`û/!óê-]d®´…a/γÙEé«’g74× ¬.È›hpb
-ÔB^¤Ï¡d!´—ÛÃa±‹Í"“lHa]œÅ» ‹}”Y 9…4¯Ey*ï1Æõ}ýÚ™VýîSñÚI6í¢ÜÄ¢h "˜¥ò‹æÿû<f<ü…ðQ¿Ð<úÚ—ù…ðÉbóåäú%DgÊŽ§Ê_Ò\f
-sÚ.bãÄS‘ä¹>1ËäÈÂ×XÄDÓ»ŽoÀKwØíÚ=0ðJÆ5|œbp¿/9ÃáÎ`vÎPªÙo)¯ZÍ
-þ9É<hCNØ£ïÞø$‰G üøc;®ˆ‘ÛÔM£Š $ΰXì>&”
-†Žî  8vG¥"©•/EK:Åàóy×b!S¤CD¸Æš4\s¸?ô„™Ä86g£_hp¦R3µfë¸TA ‘ÛPž¡$Çrß ÃÇhXØÔ!oTÇSȉ‘J¿N˜ô8>óIE÷b°)Gg;ðl"ôÄšLõ›€LçÏ_¯‚Ðܪ ò½R¼¾—zS/ªø¥(pÙ<M(U©8§*gKØÝ.˜Peó¤Pö¤ç’Ç©¿“®†£Áex=9å4ãl*z6Õò–Ê.ÍÙƒ¶xùz‚NRðP`À•Ç 0Ì
-Ûé—Õ~!’Ò2&ÿL1òœŠ“ä_°+Æ÷´Ø©0ÅÐÛU{Wý|Í_v=œ¾IFƒ;Üøž¿éi­r‹N‚²°Ir'‹Yx6½«rN[*OT;Ùh+ùv¨v¾…b}nÒÊ€¶ÝÜ+ X? UpWÞ²”Ž„‡¿ÌÁ5Àƒ»
-Ÿíè}¼¾¥°.`P…äü §›×Ã:ô
-£Cž Gɦ¯7í}‰âd3¶^Ð w7JŒÊ¸
-[•=q0÷¾*tý‹´[ë8ªö6ŸÒ<s˜RdzÊîÀZ¾óÝ%„<n+ :ˆ¾ÐÅ00ÌÏ®¤±ÿ]õ¤Z«z¸QK5v‹§bÏ:’kÃ1e(!„S¯*‡ú8Ó;¨ôP§>¯¹ä)Ø°psg›ãt™šá¥*åUë¯ Ž·UÒcׂù©¹8Ž§¨½4³23_–÷_ŽŽa$–àÀ(=D8t6öÍr×W€€û2j\µN¬åQwgF1gá«ÀÙ<œÍ‡ÞÐä5€&Õl±éøêmé9–>ëoKæv"|ðʇWû¦âA`‘šî[C÷ÄÝí¡g¨¡
- \ U5$B¨ûÚdg±Íâ(•
-endobj
-884 0 obj <<
-/Type /Page
-/Contents 885 0 R
-/Resources 883 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 861 0 R
->> endobj
-886 0 obj <<
-/D [884 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-883 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-889 0 obj <<
-/Length 2466
-/Filter /FlateDecode
->>
-stream
-xÚÍMsÛ6öî_¡é%ôL„àƒ Áô”¦vâÎ6ÙuÝSÛÙ¡%Hæ,Eº$­v§ÿ½ïá)#q:{ÙñAàðð¾¿,þÄÂhÆU‘.ò"eš ½Xí.øb {ï.„?³ ‡–ÓSßÝ]¼ºÎä¢`E&³ÅÝf‚Ë0nŒXÜ­IÞ¾ó÷»«ÛË¥Ô<ÉØåRg<ùîæÃ÷)èçíÇ×7ï~¾}s™§ÉÝÍǾ½º¾º½úðöêr)Œp_z Ÿ¹p}ó·+Z½»}óãon/»ûáâênäeʯà
-ùýâ—ßøb lÿpÁ™*Œ^àƒ3Qr±»Hµb:U*@ê‹Ÿ.þ1"œìº«1ùie˜62Pç1ê‚eJ*'À?¾E^]§jr’/–J³"/´;s¨êú "ÙÚk{¿ßn«f‹Ÿ<i÷ÃãÞoµú­í'ë¯)¿ÓÑéÚö=AÊæH‹¡ÚY¿zð‹ÞvŸ¬¿QùóUy^$»vm_Â2Ï’îR˜ÄnK÷»>½TŸÈ™¬ÐZ:Îè1£’mÝÞ—H­IgÈaËñv‘ ‘¼}(›ÆÖ=íªáÁKoj¨’sÆy®á1|c}lÊ]µŠˆ9ULåõðLW GB½ï-3RÄù¢§½ÑŠˆ&p<@‡Öq½”ø”ä:pO㶃ívUcɦå@«ˆ­ÜÚž¾
-Æs%<wîîÒi9"ÃL®Rô¡ÄwS‘Ü[Ûà
-(Øw]´m^âB¡dÂ6Ê÷ÖåàWe³ö{ΰDVLˆé·n·[»f1jˆ1©Öú]yœ>“þÑ®ª_9— ¸SŠÊRf2ÎM²Œ“C È1ý±Â#„(ÁTšþØŠL…¥‹ä~ïTkœ'Iƒí˺>ð±þÈWp¯¯š•!2ÃR9²ú•„”uß^'Æžž$Ðë @¤3
-¾B¸¥ ýBœNŽrÀŸF`uï!Á—i‘%w1›“ª`JféŒÇo²€„[i‡ªmzODyœ? ÁuM+—ODÈC
- ÿÕ+÷®°ºsw -çtž:5 Ϧ\UµÏ6ÀÀü¨<+lñBÕlÚ'Ô´M}<§ âI;¿£FΨ)Ãå‡j‹ŽKD)L êŒê{œ»;¦Ÿ—º/­?+tB¸©0²â¡oœ“2ˆ1ß §P­œ8=
-¨\ǒ¨¶Í†¿ôtµ9£>´4Sú¡ì»þ×vÍ1½Xn^xš\~aQ{{ôÝÙE„Q;Bõ‹þy5­ö]g›!XÓhET1ESFóK!a¢Ä/…w ¹ÌŸ˜ccDïÿožüÕÂjöu=‘È!&ãÀdŠ!?Å”Ÿ¡íû@Ñqx}­õê[l)9Ïâž7=š@×”¡4ÆÐçF2i¨K¢“èhB’ÿyêUº
-í3A¶àÓ¢£º·n¦:6Cψ<—EðR¯ÄÙk+/ê‘$´VšåÐy>3Ú 6Ú<à|ÀÈçzÅ´6b6~Ó¹s9šRà¸Æp¼e˜¤±‚ü|óýKZùù¡nÚÍv‚ ˜Ñ©L­q§ÑǪ:Í@Ú,5Eþ—Èó-WGx;5ÉþÑ‹¯
-è3ÿ ƒÂÿ…é§ùhKÿóÊNÿFLs¦Œ‘ñÆÒ 3‚Š'
-E«ô9åã¿Ôž’þ' µ[Bendstream
-endobj
-888 0 obj <<
-/Type /Page
-/Contents 889 0 R
-/Resources 887 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 861 0 R
-/Annots [ 891 0 R ]
->> endobj
-891 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 554.783 242.2981 564.1926]
-/Subtype /Link
-/A << /S /GoTo /D (the_category_phrase) >>
->> endobj
-890 0 obj <<
-/D [888 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-887 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-895 0 obj <<
-/Length 2361
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝoÛ8Ï_aìK æñ[Òõ)ÛMzY\Ò^Ö÷°·»(d›Ž…Ê’×”“õ-ö¿’²%G¶Ók
-i8’¿ù¦Ìþ±ÒD§<Ä©$Š25˜,ÎèàÆÞ±À3l˜†m®ïGg»Ò|’Ts=ÍZ²B“„ FÓ_"M89 4zûþöêúÝ¿ï.Îc®ßßž¹¢ÑÕõ?/ýÓ»»‹››‹»ó!K‹ÞþãâÃèòÎé ãûëÛ<%õ½»¼º¼»¼}{yþÛèdzËÑö,íó2*ð ¿ŸýòLáØ?žQ"ÒD á…–¦|°8“J%…h(ÅÙOgÿÚ
-lº©½ø1J¸
-ëßfժÿÕc,‚3ê
-è"p:”‚:ñ6Ѷ3&IR6똚Y¶.ê㊀Á{®öâ lÕÖ&›¢[JíÐDª×¬ÐDÚM¤gžÖ¬èhO ’I³o
-S¿²~ÀfÏ€ÖcÉ«\yÛrÌf²^åu˜îUÖALÚù×_)åÛÕÆëzo‰¬°¿YLGŸŒY†eשeEû
-[ºß*klæÙCîÌG0ý|žò¨Z¿šzŽÿÁKÝÄ»­Îê/öúó¾é5°Ø|l øØøÓí• ’2*÷ ,/Œgú®=Éß½ésR‹áË“òrVy¶a¯ø¿ÞôÁÔµºúîÕ/Ýs¾^ñû&{„%pßXë
-²Âc3£+j¸=ÔP$’ĉ`ýU(ï‘`ï’q\ùp…
-ãMñqp[»þ–ÁU‚ðXóà* }èŸBoÿ¬¢¡º}?º¾ú¹ôëjRG°ó›úÖ“*—ŒÎN$U.%Ii’ª –'±ûÐÉ}ñösj”ö>_
-N•B@SŸ›áÄÛq%Õ‰Ú [ã>ƒ®Ëvd¦ž_ä³T…¯ØtaRšzâcú·u™ 8Cs65P×/ò²!ÏÃkèúÒ'ªK$iT¹ï@ÔSAÂã<Ç|´ºõý
-G2ëéØâ#Á  ç«€¥cN÷›Ç¾KAN˜Ði`‚ž½è¯QÏ_‰R?ˆ¶o
-wT. Ò­‹Ì}™!ü ®Ñ!¾¹›W&ˆÐ·ˆC™ º3&Ó¤¹¦<ä
-<&±ˆÕþ—¼5Å+v¨aFó܆/*±»2‡î"…nÏBH(^ð«R§% ¹Æ(™mªV$9} ìæ§f劕׾ÅoüÀî».æ¶ÿ«^ã±Mk׸e©øÜ«Þîßö©/óÓ¯I™N¡¡£'")‹a±ö‘´4õcµútÒñoŸ¡Pðº&åH´lïåN> ö«…LO@¦ᜅh¹œ‚cœî66óIs“„sŽÁÕÚÇ· —T/a¿Çá’)áZ‹\ïu¿´ñy¼}†/ÃERèG bF¨)áRÇ}?õ ƒ“ŠxîKv¿º‘1IÒª7»¡?=€ú^ B?ùÙKó ”ÀÕÚúÿ
-endobj
-894 0 obj <<
-/Type /Page
-/Contents 895 0 R
-/Resources 893 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 861 0 R
->> endobj
-896 0 obj <<
-/D [894 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-318 0 obj <<
-/D [894 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-892 0 obj <<
-/D [894 0 R /XYZ 56.6929 749.9737 null]
->> endobj
-897 0 obj <<
-/D [894 0 R /XYZ 56.6929 433.0023 null]
->> endobj
-898 0 obj <<
-/D [894 0 R /XYZ 56.6929 421.0471 null]
->> endobj
-893 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-901 0 obj <<
-/Length 2759
-/Filter /FlateDecode
->>
-stream
-xÚ¥koã6ò{~…ûp
-zæŠ/‰Ú~J7Ù½»Ù^’´E¡ØŒ#T–\KNš;Ü¿)K¶7M()r83œçáðI ÿøÄhËLMÒL1s=™-OâÉö>p3 @Ó>Ôw·'ï>&b’±,Éäö¾‡Ë°Ø>¹ÿ}øçÙ·קS¡ã(a§SÄÑw—Wç´’ÑðáëÕÇËO?^Ÿ¦*º½üzEË×/®/®>\œN¹ÑÎ áÀ—Ÿ/höéúìË—³ëÓ_n¿?¹¸íîÒ¿/%^ä÷“Ÿ~‰'s¸ö÷'1“™Ñ“'øˆÏ21Yž(-™VR†•òäæä_ÂÞ®;:&?sÆ…–¸gOÍaºD#º~ʵfŠ§»t§\¦Lé´’pÁ´‘i§Õ×
-W’)õ$ÕK¤N-¿o캰 Šàe“j•„»YÙYqÿL2}z°ëSn"KŸ‡ûhêM9§ù(ëÅÂúµ¶fH ÐN9È@ká🵰mDÔ´ùºÝ¬þ_YÔ ÕŸãXT Ún¥áÑ,oí¢^?{ÆÕ1Ó™0žóÃ7” ÓÚ¸§¢,‰H^65Q±ÕÔ1 úJ×<2ß•ÀŽ’$‚gšâe ä?6Ui›fŒI!XÊEÚcòNŽp©4š{¸zÕuE¸ò†&wÖVžÍ$…s`žMr½NŠv>*û['ÔÔ„[àyq[µat¾ª×mC m88+ €û»_¾üƼ5šÏ½©ð¨qûY”Wó16ñéTŠ8ª6Ë;°0ðhôrXpâŽçÐåK f"%’Ï7®"n7iŸWÖæÑ¥Gëô: LòÜKÂì»E‡”.‰«×v¶Y7Nüøyn›‚NÎ $,ó…Ç{Tmiòs¬ãoÆ®]܃T²!ñ:qMi6LTÕmX¸‡º8¿º¡uG̨èĦ±´€D/ð }Öë>f5<@baŽP£[‹*¸0b½A¬ŒÌU§=sÝ‘-YÆé4‰ãÌÅðÿ-G0yæ!b¯Ó÷£ÔŸž˜ý#_®JËfõ’°\^ÑxÿÑì››‹±Ó}ÒïßÑô%¢|heÛCD§D´S•4P؈ßøºKe˜„ :™
- #V¯ÀI'äá€KR)Œ$VLp/žyѬòvöp4bœ{@÷
-)¢úžÆ¢]úU­òÙoÖ=(°ÕÖ~t† “Æ®Ñq¾¬ç›’ò=C$8î#U>X®‡aiå6ë¼ÐþeÕf_Jo“üV™Áà^a þº‡•™&QŒ8¢Lm€H¬ )³‚«ÏŽ«òêææ⃗hå_Û›ËO9¶õ¬.÷$ Š~A´=žß&‡­h¥f&Ñú(ÉâU13ZK¬t<¨,q2+!<MÉ|gWŸ^uyƒo rAǸ×øÎ’ñcY4³ºÂ¾Ø¬sL 0Ü@:Œ
-à˜ÓлòQw#Èñ’è?uei†Y ˆ0ì§Õà*–!¥?.Ï’ëLxç=@!§BWK¤ˆdÕÉæ®ÇåÜ Ê$3ÉÐàç’RrÍÖÜ3‘·YÝÖ·Õç±rϤqºSÎþµSždL¦PZNÔV‚|4”Á{å°Œ¸MÕŠJÆylúÎÒ™Á¶¡ $ÔÏ2ÖNÂØàØò²±òi
-ЛJÃ¥Ëü\ý¿Î—Kx<÷u¦&ËW¾
-*<†0R“…Çá>\ãwGê:¨•öE|íÓ†LXšàÆÍc—Å÷ òëL& 豚Cj\ÝÐHI@1X”öýF¬t7Ø•€êQ
-ÓãÜ¥ºÿu†.2fLš ͼ,šÖ¢wH7«_s¬ûÜ•u~yûñ­OÄÿ$,Œ1èߎ=…}"HœýŠÂùv<üåkH`ûÏëe^TîȽ±—y!ÁTóºõâ£j– ¦;R$†Å®ÕÇè ݳwqÔÞÏ­ë—ÛM¾°ÆÆ [Ä ;WGÌŒ?bß®1'Ùf,h•Êk˜T;9Î e˜þ¸žŒ›Í<¾ÜcÈi(‹ÅCûdñÿýò ¬C Akhï¹µ»³†‹|l„NXSG›ëÅ„&×½G¬ƒŸöÐ#ÖÍ>^×V³3ßaR˜£ Í«ø„(µË'gMe µ†R,Q:ŽÔ´¶ÏÝ>6d
-»†–°]Cm1€s].ê᥂¸Ñºð‡kEÔ«™ÝA(ö½L{Q&õ·óÚ„¼tžCMRÑ<4ŠqžÏfvåe¡ €„µ¡v0…Ât:º¼§…ª¦Ñw aVxÐ^«]\$=˜Lp¢€7®ì`öR@L= ±ôtY´­#µ-`ç®QN=å^Ïn:iá‰î:c1í~ü¶Æ3†õg¼ ‡#>¦ÿd$÷02º+ªyCSζ_.ÿ1§ â”G}'”{N(;Å;Äõ
-¬ÝNü*Ÿa3XH¹Þ½3h4máŒÜÒÄóµ‚rÙ(¸/éã΃Á;Ó´ëSmf¤)ç«j\¸ÂÙ2¯*êQQù#È[p¨êõ2÷Øé2°ºìîè¶Aæ]p$—pÊ„k†ÇÜÛªêlU mUFaykRÆ¡ º°÷¹+dž¤³p
-½ÂùNæ›é¸×‘ì"AŸù£êc–מ|^Œ]ÓCºî¨ŽøU».‹Ð‘رó²ýs•uy5åy#?üpqnä­ÊPö¯œ#yÙ­;³UÙ¡¼p&‰o#]¤ç.taámgïÖγeý™†øÍCeô[ÁeK¼û öXÌ­¿eNœÕ÷äf2D©ØÉ÷)¯ÛCiô^Ÿ5_­l5ßþà×K(‰=œóêaÍãû¯S¹àAì”uæ™ÉøX½¥|¹§‡
-‡ub\¿ ð,UÉ›(зÑÞ¿¤q!Iãß­y¿•6þNTÒÂËSÀ»~Ý”ø‹p›¡®‹åf ÈT~ƒ9õopê\q]E9‰JwôL h4´ë³|Þgœu™€¶‹p/œË=ûåÿ°äOZ-ëú·ÍŠ–ï¬ïTÙCµŸkcyÃ]å­ŸÙ²Ë54;ôW»+ú`7»ŠîÍa°ýó …݃~§ð„®Šg
-o-Ó½2G¦HGXÿ? º€_endstream
-endobj
-900 0 obj <<
-/Type /Page
-/Contents 901 0 R
-/Resources 899 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 907 0 R
-/Annots [ 905 0 R 906 0 R ]
->> endobj
-905 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 252.798 539.579 264.8576]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
->> endobj
-906 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 240.8428 118.7265 252.9024]
-/Subtype /Link
-/A << /S /GoTo /D (lwresd) >>
->> endobj
-902 0 obj <<
-/D [900 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-322 0 obj <<
-/D [900 0 R /XYZ 85.0394 451.0558 null]
->> endobj
-903 0 obj <<
-/D [900 0 R /XYZ 85.0394 423.9067 null]
->> endobj
-326 0 obj <<
-/D [900 0 R /XYZ 85.0394 301.4703 null]
->> endobj
-904 0 obj <<
-/D [900 0 R /XYZ 85.0394 271.3564 null]
->> endobj
-899 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-910 0 obj <<
-/Length 1238
-/Filter /FlateDecode
->>
-stream
-xÚ¥Xßs›8~÷_Ácò Uü†»§4uré\Ó;×}j;„­ ŠDbß]ÿ÷“,aƒC<™LFBì~ÚýV»¬l[HþÙ–À vb+Œ=è#Û·’b‚¬•|w;± h…@Wêý|òî&p¬ÆXó¬ƒAE¶5O¿]З]\¾¿¹»ý:»º ½‹ùÝçûKàøèâæîÏ©žÝή>}ºš];òí‹ë?®þšOgúU`0ÞßÝÐ+±^
-]ˆB/6ª*yR˜°2Ø%p ­5êØåä·HàÄúq(Y–¸¡íõÌ7I(õ,'†QÊB¼‘”{”'dw˜•œyXpQÓrµËŵ–×y͸8$}û4¬¡wख¸€¦ZE?.hzJ'¥5I«M’WX¬jŸA“d-
-R¨£'ËMø-m\EÓÑ;œ¯UT-
-(ðÆ|í›bIêAË
-ZÒç &¼’u‡ŒÚ¨ýÌ€D¨Q*%4;J¯ ›*§ ƒfÊ*Ñt
-Þé½ê,q\±­ˆ=FA~Hecù˜hª/ä? ›¬KÌGŸ´äœ$€”x™Ÿ£3ö ?ú)éV1=u##ŽËdÍêîÛA« \¡T–2Û£˜¯ä
-endobj
-909 0 obj <<
-/Type /Page
-/Contents 910 0 R
-/Resources 908 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 907 0 R
->> endobj
-911 0 obj <<
-/D [909 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-330 0 obj <<
-/D [909 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-912 0 obj <<
-/D [909 0 R /XYZ 56.6929 752.2028 null]
->> endobj
-334 0 obj <<
-/D [909 0 R /XYZ 56.6929 693.9224 null]
->> endobj
-913 0 obj <<
-/D [909 0 R /XYZ 56.6929 663.1642 null]
->> endobj
-338 0 obj <<
-/D [909 0 R /XYZ 56.6929 628.9495 null]
->> endobj
-914 0 obj <<
-/D [909 0 R /XYZ 56.6929 601.0964 null]
->> endobj
-908 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F57 624 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-917 0 obj <<
-/Length 1160
-/Filter /FlateDecode
->>
-stream
-xÚµX[sâ6~çWø1tFª.–/Ó§lJÒìt³-¥OÛF±EPklVìÒvÿ{eËÆ6<8Èçûtî:vùÃNÀ ¢¡ëø¡ Ẩ优w\É€Z4¥ÞLßß{Ä aèÏ™Ì\DA€Iüáæî§Û_&£ñ†n<8ÌC7oŸ~´+¡}ܽº|ø}|;ôÝ›Éãû'»<ÝÆ£§»Ñà€aƒ'à ÀýãÏ#ûßÃøöÝ»Ûñðãäí`4ÙÚÒ´#Zòiðá#rbcöÛ‚4 ˜óÙü@‡!q—QÈ\Jë•dðÛà×-aãm mó£dñ[Èü†1vaH|êø,„%´ôàs£¿æY"†ÀCèæûàq¬DžO\Gói"sm׿þP˜löÃ1Rrðu&c°vÁ*^‚e¦t¾GV¬ôåð®ã°ÙP¼)ÈRPR¬¼\Nírý*#·äFÉÿƒÿÓJ¨ ȳ•ŠDÅSXÔˆ¡ífÅûãß’‹
- õCC }—º%ãwå«ÚA†
-9¿gÂÿnÙòc #!=ÉOŽù ´µPF çûl?\M‹wN½Àh‚!ö‘W)ÅN)žÍhr ÓhA#²æÿ´âi>
-h¹@¦–®ÏBµæÆ1([é>FÉ8¹|«Ô½•Eéh ¢DŠ´.Ûµ”ˆV*—kÑaÙs¡$O€Íŵ¸!Åy•
-õ«ú6Õyþ­‡f™2å}˜LY*€ø,¶ùZ><ÝTë»üÆäeÌÊÂèÒ+Ý+X[饱 Íû[[w§ÚZ¹tª{>¤>q[ZƒaÑZ;EK/mÔö)¤n¶›Ýì!;Õ¼cÕÌùLÍŽ-]ªæµ×óÕB Iyüîg‰—¹mGóšºùxˆžÕí¬ë
-!ÁìdT½k¢jÍÐC÷ƒºÊMíœòÞFäÓLMÓ¬5OÓLËÙ¦Ÿ»ƒ.öÉëºÛÃfLsƒ­Îçè.Ó_ÏÑØ!%‡ç/Oò Xíöf­½£ö$±mJ=e‹„°}=yòÈ/3’ìäòoÑë¬úÓ¸55­~(þ›æKµ¶Ê(3ÓűlÓ]»Ä\óË3™Ô‡N·¸U)×f¿l‡(<•é‹9´PkžœõÕ\p¥Ÿ×} V¯RpÆ#ÑcŠ6稌òþ-3òÍU •M®íd®¿•Ê…™Šë3»b)WöÂas¸e}—äÁé¯n†7­“^Ã[ñh~N|W
-ý¥sùLhd,õ¦5PÙº)PYÖcl+:yQЭ»#­—*[˸ub”4ãZ®{È׃LQ
-endobj
-916 0 obj <<
-/Type /Page
-/Contents 917 0 R
-/Resources 915 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 907 0 R
->> endobj
-918 0 obj <<
-/D [916 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-915 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-921 0 obj <<
-/Length 3325
-/Filter /FlateDecode
->>
-stream
-xÚ¥]“ã4ò}~EÞÈDkI–-O ; Ç.· uuçÄJâZDZ³³ÃÿýºÕ’?'Å̃äVKÝjõ§>‹àŸÏTÂ#Ì,51SW³Õî&šm`ì«îqi1ÄúâáæÅëDÌ 3‰HfëÁZšEZóÙCþÓ<a‚ÝÂ
-ÑüË·o^ßõã»—·i<¸ûæv!T4}ÿ;ê}õîåwß½|w»àZñù—_¿üþáî %~/îß¼"ˆ¡æ¢ïî^ß½»{óåÝí/ßÜÜ=t{î—G7òÛÍO¿D³¶ýÍMĤÑjöãƈÙî&V’©XÊ
-H Å’8N©‡­íꑸfƘ'pp¾˜ë‘Ry¼fÀœ”óƶ õŽ{j7e½ÌJê÷Û‚¶Æ6ž/­ŸÐØœzË'jÑÐu¶…ŸvBp—yd´ìàé8µ¢ÞÊÒÉ(…ló±à9Ë$™gؤóU]¡l7ÇCFÒÅ1„”øH”™ß¯ Øníá–ë¹¥‰È‚Aá&›h¦áÏK6….˜þ‰d?ƒµ‚S&Z‘ಬWï©ûúH6[m F¸Ô‡£¡a<Š¶ñJ%L+cNìî³cé•î±(Kê¹ã‚‹yVÎRΓ™ç%9ìjÚÒbˆåa<I:,2Úƒ]µõá锲IA¿µ¾N9 MPžèJ$ƤÑjR¨ùc}x_Tú
-@ÒRžœE2JÆÇI'(c28ƒfïmE ¬¡–öRºRM#­3@ìõ;ÆírÎÝ– ÷BŒ 9¸
-ÜÍÑšN3jÓMZž„é™rÇí&¤ ÑÏ$‘ñ{c»_ÄT[A3
-PŸ SvSB›S>„‰æk©w„ð¸-ÐÇà
-BSÝ•¼zn@éEÂ1ÓtßÝg‡¬Lèã”CüÏp¤ $5*„Ž#DÅ%ßÐVÖæ6ÿY.tÐõ±ZáÁeeÑ> '€½ J!ñ Zϳ &ž°û>'çŸd äé‚IÈ<aÊŸ1‰!Öe“è°‹Ö9s*Ï<yÌt?C¼Ãš >òåÜ°²ï1yr5 «PbJ—¶ÊZ+¯‘*(,žO¡ë\»J¡T- Ðl3òZ~2lУnleQ‡ršá
-‰su’t¤‰BøðíÝ¿'I¤t—‚¸õ}`ÂйK²4Rãs_•ùc“ú<júÆ%>ÆÏ<á(MY ÉÜu†$$ÃZ³´W6¬(û*ZZÝU‘HØ¥§Ðz€ö)@z$pÎmSôR…ï. G©® § o>œ¤J`é¤ÞS%JL9Û„0b¬2‰Öw®UýÐèa€"ª«`Éhièg!â‰,‹AeÒà5©à5‰ ÀµñO;!pÈG˜F†É8Ÿ^§+™€àg˜ß ‰D±Tu®d>Å€Ò‡'q:å[¬Ö‹O]ª(øw)}"$»¡h,H@}%Êõ½,%sl/퉃,“NH…0FámíGÝTl|!~V…rˆÚŒåÄ>%..Ñxÿ9Æ#9BmÌ1îø” 6 Nª*ÝÐA¯²Æ¥‰Â õÜD¡$ ö@Œ8©O0#˜H’ w]æ?H™¨ÒèÃ"Ã'þ’,øIì#‹C˜˜I_¤Ëñ" õrÞ¢¹MgP× wHç”åyþ4&íkªtþŠò_—v.¾¶e¹£RI“@Ç ¥‡´avW½Š+  C“äÎêÑÕâ»h5—S 3ùR°È€EŒ ô皃®å®$h¡)Žs±þk1 &©Áº}ÕÊC–P§r
-?¥ÏX\tÅâ<’ó%ÇÝ~ÑßzMŽ3Åãë”;¤sÒc/œ°3ã!mÊÎd2*|4–I"áê˜j ¼ uE%âà>š“yP gK8.®©}¤4
-zEÕ´‡[=?®(i åµ'&M's°i¦MŸ<ÏTùÊëp•//xi•ˆA‚‡Ê¶öjP{}ßwôht­\4Ì7é°n9=b!>çî Â(nþÌ#ž`P{êé'¼E·âb¸äùûœä°LlLO9h#›XÌ¡Ò•|x)7e$°_,ž)d†X—ͤÃrÑÚîð%¡hÚbÕ\2™0‰‰ÀU.:¬ 6F&[†â5óán4°üB›Á¶ ÃÁf@>pÒàÿEëœ#ôasty¨ñA¿\·ß°_§öÄ*jíÇ¢ÅɈ“êjR]z'‚rLž&ãOŸ#‰ï?CufþT¦ò> 1^,ì’Â(ÅâD>“È ±®(LÀr…G‘_P›Z^'&H®nÀÿ$&“~˜¾x!¿šö÷2½_\ÖôN5ítÄÝý´þ:Èßj¬lã÷¯Âí¦½© ›} ¢O¦§÷öIÔ“ë9è²êüÜcð(Rwï~/B‰ânàO.=>d‡‡cõ‚´Žàù‚
-“ü‹CS¼sqI1vï‹R|ØÁæ{Ôì A‘”’4k8êŸI¡· ÐÄÖV~ápÎSÕɪ'zê
-ÕæUï9@ºì<Rx³¿i±‚S:½J¿C:g`\ j–@ q@.4Š‡.¾jÿfÙ†áÎ…Fqì\(¾nî÷`øþ!sPÝŒšZŸ’â“çIJ:@Ê}Ûø·K* 'rR™²(>½¤œT&ÄÄTÀŒc¦”¸ÅDqÿCð‹³Ç®Üˆpi6|¯Nä…'üóq ¿ÄOn?MC
-u?;úÛ¿tëˆ Z‹iÕ©f±†E<S(ˆ8:·Eÿ“¸sÖÿOÍÇendstream
-endobj
-920 0 obj <<
-/Type /Page
-/Contents 921 0 R
-/Resources 919 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 907 0 R
->> endobj
-922 0 obj <<
-/D [920 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-342 0 obj <<
-/D [920 0 R /XYZ 56.6929 659.6382 null]
->> endobj
-923 0 obj <<
-/D [920 0 R /XYZ 56.6929 628.8211 null]
->> endobj
-919 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-926 0 obj <<
-/Length 3376
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsÛ6÷_¡é“<1¿
-'vE|\¸¡ÁÃfFÇûý¢ÿÁ)û§ó"ÿO:mòª´
-×là-œÏ[Ò["hY¤œ
-¨õ×´h3>CÔ§óo`ôeªûÊÆ›ueí³†hèÐ/÷K‹0»/k¥Š×#T´³aHþêyÁíþ}ÃÃÐüé:öæu~~¿#«ˆ]Ÿ>?Ý}þ„­}#wçSº£ñö#ˆdþMÙ†¥óÔP:“°2ur£Ìã»L÷Ž›Ås×l뮹ƒ¸²ÝÙ×ÿ¼£ƒ-M,Òà”¡Ó®û “ݧ:¯D•I®ò3ŽERlª€iWŸªë(W^fÁM°0P :¬ö‡[â“.Ž½È™pá°Ù öØ5cÆ·âÓ@Và_¾5#DÇÆH†bþ £µÅx–Àó‡°ØSÑ‚Xp|1-Ì‘ ”r 1ôù
-ÏlH˜¡¤hô¡¤ä^wºÙV—Ls04ÑùJ£P›ÙITÎ #[¬!7”q)'áêW| Q퉜’BSØÀzSqYz½±þ*ùhb*EV{_A žä<Q_'’«Õ+y5càƒgÑ{]O]9®Ñÿ~tàì]NŽ>x3rµÝŠ%I ö×fVjór"ásR…^7ÔÅsó/š÷Ñb.‰å£†r¸ <fÀçzj”PYúER¦[’©d­&é²h÷{M龤tùx´-oJ}ÉÎÒ[â„HnÉëRß0ç–DÙjm÷ý¥#Ð.&ÊL9£"MÊ©º SO0Ω} 8µ‡î³ßà:êæ­ÏÀVš€¤Îwy‘ŠWž¾©ÆKÂ#öû§órÊ*]›taͽ¶ ˜‹ˆG4E£2;¸‚lŽ[ó}ÄÏY î)Ï ÁF^¶à}ªó¼£ê)Õá¸Ò h·‡S3® ¤ <y™Žj‚='öF|<¡ÑX£JÉh¾Õù¼eºÍÙ•¡-á8rK­·Ü‘ð—\X I¶Q›¶ß…w•ÆðŒ|`a•Q̹
-“YÒnwÊííÕ‹*g§;€"Tá1ce5ÁºÈà”wk:¡Ý™N%ú¦“k*¸~4Ô
-TPsã€B *ÉÅ>ßC@w^öÏÌZ Ñdè\ÙA#*IÉ@ðÍH<Š‘°sQÐ&
-`<G=P¹x|oPJýýt…5k,LXðw"ãï ãçï¤ý¾õ#Š#Ñ…ßP0V’R1
-`ˆ?¡;¨¿©÷ì©'üãMvò%§) ø‘­öb?M€G½ÑÑòà½kEÀ‚æt»†w©xM¼¦§JɸÕö¨2ºÌ‚ŽŠ™ÍôáaæGN¤ðG[}ãÅg³ðÃp^äåtÊë®q¡s?Ó0qT™$­Ýn¶ Øï1íÇçà'"ô 8ŠM^& Å‚@Ó»5Æ/èÖZƒ»z8{™ C&UÇɲœ¯üøŽ£9÷›.?tð‡XÀr;ÇòÿÞëøc¸@buç̯| KKË
-?c놲þ_¬–ÙÒendstream
-endobj
-925 0 obj <<
-/Type /Page
-/Contents 926 0 R
-/Resources 924 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 907 0 R
-/Annots [ 928 0 R ]
->> endobj
-928 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [250.9056 758.4766 324.559 767.8862]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-927 0 obj <<
-/D [925 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-346 0 obj <<
-/D [925 0 R /XYZ 85.0394 227.5287 null]
->> endobj
-736 0 obj <<
-/D [925 0 R /XYZ 85.0394 201.8676 null]
->> endobj
-924 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F58 627 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-932 0 obj <<
-/Length 3418
-/Filter /FlateDecode
->>
-stream
-xÚÍ]sã¶ñÝ¿Bo•gŽñE‚—Äwu¦¹4Ž34É-Q‰TEÊ>ç×w» H‰’œô:½ñx¸„–Àb¿°“þäÄ&"ÉT6I3#l,íd¶¾Š'ðÛû+É8Q@ŠúX_Þ_}ñ.Q“Ld‰J&÷‹Þ\NÄÎÉÉýüçi"”¸†âéWß}xwûþÇ»·×©™Þß~÷á:R6ž¾»ýÛ AïïÞ~ûíÛ»ëH:+§_ýõíßïoî规çøòöÃ×4’ÑãĤw7ïnîn>|usýëý7W7÷Ý^úû•±Æüûêç_ãɶýÍU,tæìä^b!³LMÖWÆjaÖaduõÃÕ÷Ý„½_ý§£ü“±PxuÌ@£{ tRØ,³“Ôf"ÑJ{‹k馋bÖ6ב–fšÏfõÇæeõHCmMÏßëªà‘— Cy5GÀNgu5+ªv›·ÏÔ.‹ÃïÖyYµE•* 4uÀÍ[‚J~æ«Ë|³)*ž³¬hµ9Û¤™µÊï¥YÖÛ%¤¦¸Ìö)_½¡×Ú/ˆPñTl_ðc`N_»¤4Â(•Âœ8ղȷíC‘·Q˜‰¿0T gMŸxNàËzS,v«Õ ½Îw[ÏI„=Kˆ f°O{J¦·L{¾B®(PÒf·ÙxYM\Å-GÔ_¥©>Øz½.H7ë=y©xZÕÛ5ïáßyÝx( ¿Í½*üÇjæ)Š§÷aŽy±Èw«–^ʆxa]*Ñ"Mó¢ªGØè%AÛQ©©Ö ¼2™à¸ðˆŒ@oËx‚y™¯v›‘u´΀žZ½iË´Fe62ɲÀbz(èÙlŠY‰{/æ4PV„ÚŽ“b0‰‹<•Åó%Ê‚p¶§ £›rÚiÆñ™ì:‰ƒr6-ÙŒ­yCr
-´>/ËÙ’ÈŸå ï
-Ÿ5h>
-8bÆ»v™¡mË9šï@WõC§ÿ}ÒS˜!5é+ä¡7”K_Æ(«Céß‚
-›˜)@€Ô!Ð=ÿÌé±Î°ÎC$ø®
-еœòhfpŸKô.4Šf‹P½ksøîþöÝO“þ{W4Œƒ.Ñã†y:Z›UþĶzàž~‰m̆ K ÚîIÛ Ý×n…Þ4Ak,‘Zÿâi¶ˆl¦D£F¸Ú­êlYÌ~£é¼«ìí)#I!ÏR?•ìèaØû^Ä¿®ttÄÜ
-ƪó-²aÄN H’‹ÞBÛÔpcÑÉùL&”íÌ3øÛ V1΋sÅ©$œO
-Ð(´FÃ\–bÍyô…ž»† :dš
-•˜Ë–‘Κ\°ÉâÄ$„p× aw¯A«òÇʱÕ!¨v]üF«óé¨]"ÒL'C¾mò¦¿3fkBp+(4qG—‘{º`8ÐE¿PmâÀÏÿHþÛì9$¤N‰ xl¯ð°¶;„·ð)~v¼‘£«þŽdvL#ŽÒ>" ù°™Á7þ¬À1¿k?#ñèäÇaâ ™Bãæ¦Öuáß«Ì-ê>lºgxoøÜ NyÀ\k…sYˆKÏ(‰Zët¨$8í¿v Ÿ2ó²ÉV!ë‡îGœÁÁ![Åa:šAòh“dbAúJËWå£:…€TÚl˜þ¹¯=ß{’ú.†¹ _ §ŠÂž"«à|K9žìfÅ“³„KQ)ªçhWÎØólÖ±Ô¤EªÑ ,™êôkïÏúB1©áLÿ'` 2ßÈÔüO¸ GV=&«1&«XdqšœÉýŒ2hþA q³rvú‚ZïbH€a†s"žj”y{²>cÞÅ2pç™;˜FÏš—¢á^fDºä:öì9ÆŸrªGħe•ü„¬2
-M ÐÙº¾‰aLÅœâÕmWLÙÇ#û8§Ÿçý—Cß®Qp¶Ø¡ 7}±(ÁÛ׋"W+E*e2ñRK>Ñø ¤¨u¬´¡)Óaùü?ÿ­ˆJÌ,Ž4 |tJëó‹wX#«ëƒÆ‚‹M2\þ“vz¸ãäÌÔaŠ‘a'ij~ë*×ðkQaZ0§šr½[å-ÉÊY.˜
-ùºªŠïÅÇÒ÷«œï‡5¬(Ÿ¸Ÿ¡§?ܾ¿¿¹ûö ½ñ&éå þºæêvˆä5Ò •:5Ôô¼zác“ ­‡}ŒmÙÍ«:¨ÃÒ>Ceg®gEr褡öꨯ뾎ª˜F« >¹uFÅ–/Äå°‹Õ<š­Jì\)–Ò"ÑàAÏÐaP0Ø,L‰„@u@·ÚÒ¤sÌ?ç<X^ËiŠ©õ¥e_oV¾ÝêËÚ8À_’=#„‡·‰¹kàQÂœUݹ Z*‰¾Í°èÜôþ:SSêQEŽˆ¯jëûâ§|^p)uƒÞÁéh†“¦‹ÑF$s _‰‡/M/£Ñ/nà3±¢®:öü$·Ïu(ünr¼0´z¡Œš†Á
-« Ê›ïÚeT}œ×x‰a„\0d)âì é1N¶Š…QÚ¼¢é s»˜)»C)9Æ,ð}¯NÃŒ±¡^\ÂÙVäó“)!Ï\|Áé÷±N[d‡åå^7m„w ʦ-gljNEgÙy:¬
-† – îmH‚~¬ìŒ> ¶2„Á
-RÜ‘î„Mý.îŸ}\ÖuÉN›^é´å$oxeU®óU´ådãØÑ¢q$-Ÿ[¿C:&`x´€˜4Pp»aü.]òŠ#ÝõŽt›†‹Ö†ü  GЮm(HØd[5„¾Öö<¬ ·@à ¾ecÍpœ1©`oº|ÇûÌÀ‘ØÁm—5Dã8³Vœ‡i9Lµ
- £–!alhœ7¨ýI&!²h8Ü(÷™ ¦›'…xôÖ…>fU<ú:ˆWzmÁ ðÝg¹Z yE÷ÂÎ&£t‡‘Ž¾ÁuxkŠ/ªìïvÝ e!°‡ùƒ7=„Ô±ÕÿÁ…¢x·yDßãÉÅÒök¯Pïï—¬¼:5n9èa…E¢p£Ž]ßµ>&ý? n}ÿendstream
-endobj
-931 0 obj <<
-/Type /Page
-/Contents 932 0 R
-/Resources 930 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 907 0 R
->> endobj
-933 0 obj <<
-/D [931 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-934 0 obj <<
-/D [931 0 R /XYZ 56.6929 553.585 null]
->> endobj
-935 0 obj <<
-/D [931 0 R /XYZ 56.6929 541.6298 null]
->> endobj
-930 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-939 0 obj <<
-/Length 3586
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo•g"Ÿ8÷”&NÏ‹sç¸3½iû@S´Í E*"Ç÷ëo Pü’”»v4#‚Àb±Xì7È ~|auÄd¢&Q‘f\/²Í[<ÂØOÜìЪõãÝÅë÷±X$Q‹xq÷ÐÃe#f-_Ü­[¾ýû›Þ]Ý^®„fË8º\é˜-¼¾yG= =Þ~¼yýÓ/·o.ZÞ]¼¡îÛ«÷W·W7o¯.WÜjó…ÇpdÂûë\Që§Û7>¼¹½üãîç‹«»n/ýýr&q#_.~ûƒ-Ö°íŸ/X$«ÏðÂ"ž$b±¹PZFZIzÊ‹OÿêöFÝÔ9þ)m#-T¼XpK5Ïe1 \[Å"+¡¸¬f¹ Ë›}ÙÛ2_eUºÉ›ñ®yÌ:¡}Ô:¨
-dÇ‘4ÒI¸{*`}¢—õ¶-êŠÚϩ댗û&_SWᇼ@ËH[ÓkZ–õ³oÒc]oRš/qƒÔàŸÒ¯¾'° ßÞ¼ùp…¬
-¹&ˆÂﮃģýÁcwÃäÄ8¹“ä‚E‰’v¨þ(ƒù·,ß"%Ró¡:+€íNV ]¬êí‚# {ªÑÔOßPãC0AÊ’¼\ñÖš¬‰›WÓ3­^úË5ôÒm~´)WßH°¡¦eS¯6btxšGFiå5‘¼Näí½aŒÀÕóã*Ÿ€Ë3A›óo۲Ȋvf1e"+˜ñ€°ag¾Wкy a” ì®+´õØr.Ëô؃aÕ
-ˆ=TrféjfíêIÅ’?bÖ´eñÉ@¢D
-{PdçÜ\|˜Š¼90øþeŸ»Ã…&i/t4mCPÞY^u~°"xçT°|Ny.ÊÒ¯Ô‚¸¡ïÂnŠéDü~ øÉs½ûì<&dóAý—}A Ü #ÿ$À«¦Uóì(`Þ×aƒ¶Æ9GÓ(…uƒm'·0tg¦<Ó‚GÇžn§Ð^×Np™³Ž~BI¨Óõ |®\Æӧʓ
-Îm,—KrKãØßóQXO­×8xOûÝ`AÒ`³³GtX.ÔÁ1ÂÒKÑ̹ˆÄDR›ÿA´"ŠhnêÖ/Ò>¥n|jÛyg9ª£ô(v½S
-|¸øâ˼JIP½¶Ûì ®ãõõF,ÞÕ°¥EWóªÚí˪ÁñÂ-
-bAJAå©ç´Œ]¾\
-^^ŠÍ¶t¡9ÙyKõ>xúZ*´’Éá+pرŒå¢ÇÞ?w`ÒbEÉÅêPôþsâaW„ƒÄ€çæ„q„å9
-A6‚àŸ)¾(4`ɸ²%LWäMÐ7¡`;"ƒ\Ç5añúHËÑ­‹óàf™fXúpìÖñÑ‚h xƒ .»jÑl\tN¼”ŒTÒù0Œ~µ U"œç…
-V\ï7[êFm|«¦1’Gè K êìê‹ÐOFÇjJ‚Ð,Þç1håñÍda4Ǻo±djÇ]¨=œ¢Y¢ÎÝ.„`¡>£ê#œƒ›º‰àl#n¦·ÎçÙ>9S‹€ÎP1Æ5œuF,
-Õ挑íA0²ªs~ßÀêObpº äØ'Wî ¦K=èDñpmò|@R¯«–]ßqÏ—Ìzrd”p…œ÷Rï©QåTªõ7ð\Mz_æôrýëûÛápJmº1Þ—éŽÞ»ü‰ô5áÅ£ôŠ‚‚ˆA ¼ÌݤA ÏyÃó2IЯí®þZ¬‡5V-PF«âQMÛ_ûŽ¯É8 –`†Zr‰'Ôªƒ_õ'Ì\˜MðΫ–„A0ƒó죟ÈZ
-Ã
-Õ_»'¶J@t¤õ(V¯ò粨º/#û¥ *j~Z•¯_¾ ì¼È\M¯x¬jûYêHͿƺº÷Ÿþ>ùðñ¶‚´ÌZqÜ}X‘˜@òGM"V îW[afHÿ/¢Lendstream
-endobj
-938 0 obj <<
-/Type /Page
-/Contents 939 0 R
-/Resources 937 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 941 0 R 942 0 R 943 0 R 944 0 R 945 0 R 946 0 R ]
->> endobj
-936 0 obj <<
-/Type /XObject
-/Subtype /Form
-/FormType 1
-/PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
-/PTEX.PageNumber 1
-/PTEX.InfoDict 948 0 R
-/Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
-/BBox [0.00000000 0.00000000 27.00000000 27.00000000]
-/Resources <<
-/ProcSet [ /PDF ]
-/ExtGState <<
-/R4 949 0 R
->>>>
-/Length 950 0 R
-/Filter /FlateDecode
->>
-stream
-xœeU9²,GôûeË@@Q ‡!é¡%bd(dèúʤ—÷ÿ(žÑ¯
-’$¡T¬)ÿ®ïë¯ãïãÇ_¢ýþÏaíÏc‹®½Ú¿G—=ûÌöÓ1ÄF¬lÖ]töö×ãqu‰Ý¦‹÷5š”<8Ç—ý:\;âúãñ‰ü<q¸Í;.\ži2c¶û~ð¶e¸í×qc¸=7Ä+Àg ¯ãã×ctéa³ÙL1ca·cu™šm QOƒ½¥ì-¡{wñ¨¼&kñÄÞ
-¨9xcH
-¤Ï’ÃigÙ¥—ÇáC6uéíÛ&”\Ê GTœ„Méêö–KòlÜ’Fyu|?é%åiÈ¥K”êNÊq{vˆ*êèJE¢]8hÍò¤p0R±ˆ$Á(+Á nÖN¬
-qª„Ñ«ò^ÿï>‹«>÷— .13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
-г2"ïE9~ 
-n*Œ1½÷¨¾x¥Æˆpîâ‹&XîÃœ§³±è\íD¤ßä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎr)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
-þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5©/¨vp÷o`kA“ôr ±ñœÓ4N.4Žæ
-endobj
-948 0 obj
-<<
-/Producer (AFPL Ghostscript 6.50)
->>
-endobj
-949 0 obj
-<<
-/Type /ExtGState
-/Name /R4
-/TR /Identity
-/OPM 1
-/SM 0.02
-/SA true
->>
-endobj
-950 0 obj
-1049
-endobj
-941 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [182.6146 670.4177 231.8861 682.4773]
-/Subtype /Link
-/A << /S /GoTo /D (notify) >>
->> endobj
-942 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [108.9497 246.9384 182.6031 256.1538]
-/Subtype /Link
-/A << /S /GoTo /D (statsfile) >>
->> endobj
-943 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.8042 201.5839 355.0043 213.6435]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-944 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [395.8905 201.5839 444.6373 213.6435]
-/Subtype /Link
-/A << /S /GoTo /D (incremental_zone_transfers) >>
->> endobj
-945 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [309.3157 170.8346 370.5157 182.8942]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-946 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [305.9683 140.0853 367.1684 152.1449]
-/Subtype /Link
-/A << /S /GoTo /D (server_statement_definition_and_usage) >>
->> endobj
-940 0 obj <<
-/D [938 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-937 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F84 848 0 R /F56 618 0 R /F14 608 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-954 0 obj <<
-/Length 3752
-/Filter /FlateDecode
->>
-stream
-xÚ¥Ërã6òî¯ð-rUÄ
-t:eßX–:Êév˜HcÁÀ?›Ú
-›ú·0Ô½ßÇËØBãt(±ðà™¾?ËÈŽ4g… ÆëA Ï
-†‡ºªˆÂ)Äo¶è[â‚d_
-.Å$Éâ²j”NpÅsS®Y4w… J$[b4ô7pÜY“»ËôT¸3å„ FD^Öî-‘À~Ï_gjq¸ÙÛƒ \²ã/û¦mKÛo{[·2DWuB†öVzæœæòEµMõ,úö²¥±ÕôÕZ´ë¥l­W=úîYžK¾+€”õXí'þ”û¢ì³æú¥
-‚8\±Û“ÀëcƒÐ Í"ŠYÄfÑ>µÜÚðÔŒÜ>ý‡¿"×ÄÙ¸}¶MÛ‰]OÇFÛ˜ ÍòT¬ö¦i¡(XºŸZù üvŽžñ…l[Ü…xûžÒ‚„÷O À"€
-q39€p":”ô”;ó‡ƒÅÂá^DUÄò ß#ù™Tø¾ØªB>@‚⇠§ºy©fŸÉâ<EÿˆfB‘=}•e¼†NÝtÜ(ýKÐ"ìîlסe¢C»ƒ™Š`t¢‡bI«LâàT&óÁJÝ̉Bè²FY—-:–7S«Q&ÂÅ6¸©§×2Ì›7¤°&NбqÕ¬8010 F4!/ClÈ ˜×\,#¦fWJ±`#µÜqîzÖô¸hÛ˜Q4!4HFgkìÝØè[?Žßi¨}²äÃãøIô¢1{Q„òD3 <ü,³x.íË(Âþ²ëìnßáuÌF]'¶`kw~èT(T©1ïK… ²TE^‡Pàeõ©l¸·«ró*ò:³ 49=ØUh9àƒEf7…Ì)…‹Ÿ*. ¯
-b6nÉ×0/e#”uãUù Š”!óÒ£pxPŸXì6ªæQ â‹Cͱtv`ÿŠG;+Lwïq#Ê‚L%.#˜O7!ÒÕo܆J•xûX¬ š¬86Öc•œBƒYi‰­G#“Ý:AªÝr¬˜‘(&2ë&'Iäé‘&²ÂšY×<õ{Ô¡Â4”„²¼`‹#VDLÎi
-Ê\°E܇ï(øbÀ”âhJ±€ÈpœU£tåÐ~תš·¬êÒÏŸÜÞ–¢Á8ƒCº!GÇ9(f“S|H;‹5†‰’È#óe
-—€´û†ÝJ&™Wîòx€øbÏ춌p{}óõîúCÀp¶|4që³Lô0ÎÅ3Έ «Þ¬Á=ìÄδ,PØœð~È =ïÉ, žlìÿèsKÁVs82y>Ñì‡b´Cœ”ž¥¾kÀc›ð/jÀ#¤·KÀ‰‹nµ]îŠýÞ®—˜Ò
-zà6+¶FÁ,]ví,ZQ| ÐÂeŸÏy{âJ_"ê–G
-`â ?P"Î!Å®Ž#ãÅ^&X»ƒŸæ­v`L)zƒq9 8¥Æ<é{6ÏBÃXu@‡`ÏÅóµlËÁ·žIç ]·…”ªoyHÈ‘z=BVEµê«¢sp†ò›ô™ùbHŽŠWT©ÓXÔtEÖê39;ÀS‰ü#¿YI .r5¸(&6~×2ð¿ £\~‚Ž»l‹Ibg¤‡"|€¬­,±*dƒYŸ.gWv£€l.|×´ü”k‹ìƒ"ÑòÄ¢ç\¡ýH$¦°±HÌf?bTˆ²è^±wºª4=´Vº dŒéš[þ¡"€ô®_!‰)W<Bo>èŒûB…[‹íVX
-"þ,Bp¤Ž—;ÞïÙÞ¶IÒæ1ýnC¥'óLµuÉŽ·»}s(¥+¡r­ÈþqÉÅk<eÛ¸'6Q*!ñ¥Jyè„×®Õ½J¨(‚\#ù‹¤iŒõv(á±((ë«®\ŠäG* ÃŽÞßÝcÍl?‰4 Ú¤Óý% †;óIp¢åÍX‰œBCÄ¡õÚôŒ³•WgÅgØW®Ggi'O¨'>nö"2<nÅ· ò9³ 6òb…ÅìHG„Ók•×Þ]±Ú‚˜Sv&˜Xâ$lbAh=}[vÕ[hpÍ:ÓŽÃ2UjJ÷2\÷»~yÖæ]Ô¤3)!âÂ\Ì$´bÖËÇŽD”åþàè”b[ÐC¼
-Ù½“ŒóOa|t&'ÎðI6ËÞ}©båMåÈÀ eÞ×ÒÛªáè>kƒ•dŠ'ªÂœ¥*wotºùT1â ‹žì~]K} üÒ‡Ïww×Wî·"{°HP…0äº.V¯"H%¿Ö|±„lqöÇNZë 9~ÿçN!\AæpDpI*¿[Ù¨h… |ŵ®+#(Ïò^“½GÇ?QsÇByáóÜùD
- K”%Éß)WY‚|ÁÌÞjè—øÛ?~W¥É²7 §N38,"D!áQtª TdÒ3¤ÿÆ Hïendstream
-endobj
-953 0 obj <<
-/Type /Page
-/Contents 954 0 R
-/Resources 952 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
->> endobj
-955 0 obj <<
-/D [953 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-952 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-958 0 obj <<
-/Length 3405
-/Filter /FlateDecode
->>
-stream
-xÚ­Ërã6òî¯Ð-rÕƒ_GgY§6άí­Ú­$Z¢dÖP¤#RV¼_¿ÝèDR”|Ø­ÔD`£n4ú «™„ÿÔ,„4™%™‘TÑl¹½’³ Ìýt¥gá‘}¬¯>~õ,Y¬ãÙ㺷W*dšªÙãê·ù§¿Ý|{ür½Ð‘œÇâzÅrþãíÝg‚dôóé×»¯·?ýóþæ:±óÇÛ_ï|ÿåë—û/wŸ¾\/T)X¯y‡3 ¾Þþý ~º¿ùå—›ûë?¾úòÎÒ?¯’òçÕoÈÙ
-Žýó•&K£Ù>¤PY¦gÛ+Yc<¤ºz¸úGØ°7ë–NÉÏF©ˆ´g cEÓR–BF µEe"6Ú)ÛI){,”òŸûb÷V5›ñq•Ž…”Q{ŠrÀš mz¤•‘"KãdHûá¥X–ë7»™ž‹î¹Øч㊆ÀÛ¦¬7ôÑ>7ûjEã§í¼íò]W¬Â.5ê|ë®ß¨l~»Æ“Ž$c”©Ñ j,“ÑA¬6M<bÙ2­¦cJx¢®ƒKbab…RR"‹"í–ü.¥&¾ä¼cf݈áà²pÉ”ä|UtÅn[Ö~‹§·Ñ/»k•Î‹¶¨— iÖ#”ÁÆ˼+6 ÐœJ,…µ¦/•²h'„bŒH"£OœX«g¢bTûŽ÷°.è°ÇBŠËçbù}Þž¨1\XœfïXÔjlS'rDþñoÇØlÞ¼teWjøƶoñ®Ò5áêvå²ã¼œZ>ç»|Ù¡ ¼-®ÕœqòzE8í[ÝåïÖ­+v]^2åU³¥1LPˆ¡šõ2‰¶v¨–Û¼%ª&v*Z¹Uðd?6<ñùî|‚—¦n=–EùêŽ µ5[ú¢# .ºC³ûî¼q
-²cðªXçûª£×Üi1°\6n§•ÓY·WãN"ý(^ìÛ|ƒžfóœ¸ÉˆÕñü+lpªÞ‰V[¯Ý,€Iå6ÊXFûOS#cH„ì uü(Û Ri*²$ó¤ÖyYMR‘°™J‚ëÉÖ5St¢„ÚVùk1±!øf¥eôäüïê)BFh«'8‡}SРö@’EŸ¨!ÀƒÐÊ7ÔôJGÝx.Öúø]Fr‚c¥µˆ¢4cnv¬¦S¾Ü^ï¶`;5"wÙó)±8‚‹ÊQnêf7y™0&Kúr›&t¤Y€Eš(bg‚Ä-T:ß;3%¯4\›¼¢ásÓvlßøù‘0·¨]@~€gÙ$x<9É·>ʦî¿~¢Ai^Y3b˜Jµâ)ænÛ¬Jläëõ1ŠÖÃ@)И iÊ¡(Fn}$SN‰ ‘8y©œËЊ­–^ÏÐj—YÈàtM ›ô}ssC:1Ìüò/°‚²jAÃuÏo;F¯Z&x™ öËîò=÷Ayg-“¹óßÒ»M
-Áßâ)ÐíÝ#úœ)C
-ÞÓÚ-ê…SA<Z–UÙ½Æ2¯ üÄK8HÇZ²äðÚ1FNÓm¼ah[vÅâP®
-š]æKÏDÃræ©8ðŠb‡÷2u"²Ú/™Q0†]¾F ºšåÔE4¯.‡±pëeý½¥¡ãÚdóâ/ð5:O„ҭ∩bBâmÂJƒõÖ£'^À-»ÆãT͆>K¦o„Ç$˜§Â8ZñrW>àà™ùø\«’Í
-ñ ¶BNT´-:e+Àmç,:#øè§}G‡²}î/IœiÐ qœŒJ—ïÔû#¤X¿ò·k¥Æ÷ÈjV¿ž&V³\îw¼¢©«7Ú´©§¼@Ö×+zÈmbèw‘‡çrù<ŠÈ$ÈaIÄÅÜÂöÜ•]ÞApcPÍ Åª)ÆèNØÃí9U¡í٨ˮõ•(ðÙâÆƉ€„ûrmÓC:_Úx$—*’ŸçJD‰Ê.R H§di'ø‰’˜].iÀc…’&Só
-qDêBƒ^\@ 1–«Xx,©Øü”ÉüŒœŽ0/«™îšòJî°‘=›¡ª÷ˆ‡ôÊ'Tñ°À‡0­#Šû8à¬^S"䦚åµÙsfBÐÆãÓÏ å¶ ß„qäm‰Y6œ*j$5í ›ªyrÍžðGþ¸åUÍd½…[ÅÆeC»rµr¶[Šh
-Rñ-ÿvÿòâx$ÖEéZ°}µC}Hì-d”c½L£-ðVÖç³am•ˆµz'îc˜Ë¥cáíñê‘ÒX›dÑeփؙ@ÞËtÈÅ všD±dpäk&~Ä} £pãIêtX’¼ä
-ÁÂuµ"í†3œU$^Ä„G9Gâ‰FN›(I}&œ…º`Üy¤0˜KÉ ê8%‘°Rû><—@’DZ%i_WxõÔ0_ùJ:Š€¬š_•\”áÏžx\‘ËhO…k\•-ÞÒꌑ/›í6”ÍÉ»í…ØLynfø*æ[±ááUÎvªí®D’Õk»O‡ƒŸO!vOõÀ,‡ƒ›ž >5u·kª÷›aa×k`Ú||
-ÿÎàêk‚üðÙ,&NGô‡ V¡á¦µ‹ =>ÜñL•ƒðËGpk!” ‰fl!†{­d3ÀÅ·Iš…”§Þx†¨~r´ È€E¤õèýÚE›ÔwAa@[âˆ^vÛ)'“¹×Mÿ„4ºÓ÷&£Lž‹ßhwnÃè‰éõšpYó6ñ^i´ÖƽgÚ©> Ä( AÄÏ
-rYp dÇɘuðkqQ¿6)}^DñFƒÞbÂG~èÙÛ Qh~¿5°,sÇW‰™‰õ0‚Ž:L—^}…þ¼¦9F ü˜4ßí±ÀœzÍæ@<ÿÐútÚýñØŠ8÷ggñoÅ&Ü
-™Šg
-j£³áà”õÿÃA'endstream
-endobj
-957 0 obj <<
-/Type /Page
-/Contents 958 0 R
-/Resources 956 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 961 0 R 964 0 R ]
->> endobj
-961 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 342.5455 428.747 354.4457]
-/Subtype /Link
-/A << /S /GoTo /D (zone_statement_grammar) >>
->> endobj
-964 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 140.0267 539.579 152.0863]
-/Subtype /Link
-/A << /S /GoTo /D (address_match_lists) >>
->> endobj
-959 0 obj <<
-/D [957 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-350 0 obj <<
-/D [957 0 R /XYZ 85.0394 576.6195 null]
->> endobj
-960 0 obj <<
-/D [957 0 R /XYZ 85.0394 549.9907 null]
->> endobj
-354 0 obj <<
-/D [957 0 R /XYZ 85.0394 326.4739 null]
->> endobj
-962 0 obj <<
-/D [957 0 R /XYZ 85.0394 302.824 null]
->> endobj
-358 0 obj <<
-/D [957 0 R /XYZ 85.0394 185.8791 null]
->> endobj
-963 0 obj <<
-/D [957 0 R /XYZ 85.0394 162.3886 null]
->> endobj
-956 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-968 0 obj <<
-/Length 3222
-/Filter /FlateDecode
->>
-stream
-xÚµ]“Û¶ñý~…úTÝŒ…_8yrœsr™ÚqÎ×éC’J¢,Ž%R©»¨þ÷.° ˆ¤(3IÏãáX.‹ý†ø$|¢S–f"›˜L1p=Ylo’É'˜ûî†Î, ͺXß<Þ|õ6“Œe©H'«-Ëkùäqùó4e‚Ý…dúæÇ÷oï¿ûçÃë[£¦÷?¾¿ LßÞÿã¡ï^¿{÷úávÆ­æÓ7ß¿þðx÷€S)Ñøæþý·8’áãч»·wwïßÜÝþúøÃÍÝcÜKw¿<‘n#¿Ýüük2Y¶¸I˜Ì¬ž<ÃKÂx–‰ÉöFiÉ´’2Œln>Þü vfý§còSÚ2-T
-’”ÌÊÌŒK™3Ã9 •°4å6JYJ9`9)ç›Mý<ûíPìÃs.X"U烱Å#ÖÈê²³:ç†%<•ýå?îŠEùK’ˆ¢ù[;}^—‹µ³éºnZÍ÷·ÜN ÷,Kœikl>ã@íQ—e•ÃŽüÔ·ï?âì²i˺j˜Ûê@:"ÓL¤VÀ®Fä2Ø ‹à)'Üm~$67Mí°'3i-ËîåÃ2­…Gœ»€º5q×K(+|¶ëb„5+€HWûw]#, Å$qš6o‹mQµ¯cI¤¤ à"oˆ›²uO9­ŸŠý¾\ú“¸È · 3VÆ…ê(~q]f _CY˜d‰¶2 }Àý
-­²ª[:’{…#ŽM,‹U~Ø^ÙÐlOÏ‚Ž¿² ù•×–z±ðªÇÎ\
-9C 6ÿ¹¥‰ Uñ5‚ÿ‹Í’A¾y…äƒLCEî–cíÒ >QB8»ÂTb†²&c– ݷΰ}´ge¦Ï¥wÊ¢`dWìÒ¶X’ {¼ÍÄ´Fœ¢Êç‹KÜ,P~…ÈÞ«­ŽcrÊ8ãZôs—Qå†} îÀc’hóê$ûõ‹¢u™5¤Û‘-t2™>囃÷E
-]“h?…[ˆAÅQ9@±10ÀpØ›ƒûÚNcEÞ‚Ësu…Ï ¡×ò#!Æ8اâ~ÙßwuS„AÜî y4ájÔd—º%}2Y5.Bÿ #÷(a\.IØ”OÎ!«^Ò\81íô¦êW7/mÛ|ñ¹ùš²Û¢F içv&²: .²àÜþÓ‡N(
-è³.þy$:£êQ±pÉ<²b˜²¢ ‚ÓiÚçå¼d X/° Dégšõy@݇õ·uWÞË¢ÍËÍåŒ\e†©Ä¼Pw±.ç ëäJŸÒYs¬@w S½A
-%Â\ç!b0ÑKTʬU}&16šÊ-„Ÿs?˜‚z¶ÑaA©IŽ&&¾zÚlëÚ;7¸‡XRi/™ÕÓ×ðGx5¤øÌ«åàïýR¨œ­R}7ñ‹ª*çÞà“M>/6Åw¤m¦óP©G'¡lÿ2œ“göäDsN{I‰·4ð6Fáç"j”[~]T¡" Dy ê…Ï@‰s »“‰àø²±©ƒžviù„œÅ &­B%Z~ªHËÉe«vž Þa•}=Ò<Jþ©¸bJ0mø sëŠ!¬“!xÅYûóÊü‰åúúúk„ž(HÓ!½<Y r:Rž¬D§2uã1Ov/NãÜ“N¨ð…ðD¡ý­“]øÉ5au«Òó‰Ôš¥®ÕÙMÆ(MÈ ‡L!ïïkWG¨g~Ú%\Y¯Ï$³ p
-\žöÍuñe‰Qç-'´ËÿCs©£@Œ/i,I ç-_j,u±.[oÄòÇ dëzs–^ð„3 AçúÒkdížá&)S™,Þ3\)„Oáà±)} zE§t*àR"願ï Aå–ƒ°íáˆ@Þµ#øÔ<—N¯Ã­I>KXܺâ Þ<],œ³Yªú¶‹ÍNÎù””ê§ËÝE—?gycÀ¥Â±«sÂ>
-Ë)ÚšÖ{¼¤¡ç%‘sP& 5QuÙèÝýF¨ñÎÍ” …€oœ:¤LÛLÄûï· .PaÝ»Bi•C<²ÄW(íUªC‚ã çSâG¾PÁ »zï!
-‡°_|Ì)(ÿ¸óG(4§ØE5««‘Ï"nOÐç†Hm¿€´’,µÁÙµùg,Â9ÈŸ¸F¾ÁRÖIÔU|š£” ÕÆô*t¨ðôébT×Õ5Ã:ê@m!TË$aÆ@ýd‚eÖÚñë±Y¤8ë’ôN§ÇŸàœÜlDÃXÙBT2©…«9ä_Èd ø“$
-N½Ç¤÷€/›à ´mÄRt2(»ƒP1è +<bu0p
-ÁD:ì]õŒ-„±à`æÇA<+uQÂt‹‚jŽ§eÃì÷b´=!k9tŠÁ‚»^ŽöÞó+w›QóL@Ù—˜`ÖÄ|+& A@Ý’”¤EÛ~êÖâ÷| \¼1¤™•L;S&¾Õ€ߘ¢N¤Ì0ÛkÆ «’Á—(=Av§zÔþÆÁ7K¦ˆ¼}ÅÓk¾Äé3Ë„F=¥c€„76,Mh'Á`•oi(:bÅâR†S…ª&4¸èŠÑ¾Ÿ3}%sŸ œ‚˜,Ôxc´qÏþsE·‘Õšuÿ²u(Öm¾X—UZ?¤µi&È.F~I³IÚ5Uƒͱ;hP¿Lýa= \É_ãÁôŒ*8n³ëÜÃLLbOŽƒÅ€1îgÝ>ŽçúKRu¶ÇÙS:Ö‘…\–KÕ« ¨¾ òà€í6E©v¨„VG\‡z¤ëëdФˆ#!ÃP´axBes˧xûÙ¡eéŠj÷wd £+lIOfôטA½WV‹zKúÞutãïêÐÏEŒûOé¨.ýËõ0ÎýÌÀ1~Qï{@Ù‹71ƒT(±Óœ&bÔ[Ù¨|ã.d
-þ Rȉ͘\þé Î:ÏC073`÷qÝ‹i‚à ªã¿ŠÃHð:‡€ÂD³‡—r §•†´=j÷\ú9$ÀSµÿ²ÑAlzFçÜ OÉœ^
-endobj
-967 0 obj <<
-/Type /Page
-/Contents 968 0 R
-/Resources 966 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
-/Annots [ 970 0 R ]
->> endobj
-970 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 524.5277 418.5625 536.5873]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-969 0 obj <<
-/D [967 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-362 0 obj <<
-/D [967 0 R /XYZ 56.6929 355.3526 null]
->> endobj
-971 0 obj <<
-/D [967 0 R /XYZ 56.6929 331.517 null]
->> endobj
-966 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-975 0 obj <<
-/Length 2574
-/Filter /FlateDecode
->>
-stream
-xÚ­YOwÛ8¿çSxO#ï«Xþ—Øž2mÚͼmÚI=‡Ù™9(¶ëU–\ËN&³o¿û%K¶’v·}9ˆAXL8ü‰IjWNO§™áÂLæë3>¹…¹·g"ðÄ-SÜçúqvöü•Çœ•v2[öd¥Œ§©˜Ì¿E¯þqþavq=¥á‘eÓØXýxyõš(Ž>¯Þ_½¹|ûËõù4ÑÑìòý‘¯/Þ\\_\½º˜Æ"5ÖË á‘o.ÿyA£·×çïÞ_Oÿ˜ýtv1ëÎÒ?¯à
-òùì·?ødÇþéŒ3åR3¹‡8ÎÉÉúLÅŒVª¥”gÏ~îöfýÒ1û•2“ÊdÄ€ZÐ8f•TÞ€Ùb±Š4Ê›ήœ‹.—pÄÄE»Uƒ”GÍC³Ë×D¬«ò¨«¬!RQÍëõ¦ÌwýüÃ%M4ûͦÞ¬·D½üpgŸ!-‰Võ}~—oÑÆÒíy“¯²»©ˆ
-¿ EC_â@éÙ:ð‚"p `‹X挑þ`»U¶£»¢­a
-¶[µ| i700…HSÏ?åǦÈ3ÜG=ÕˆÐ;Ù3¢Ð¿·™ÿ.J˜ :Z ¿÷«4’é‚`°È›‚VÁä&Ü%nMÒÎß<I ǽ±wûrW€Óá¸y'4g0r°Éjq]ÅpsÄÜ cY":æz³+ê*hç¯ÓëÔÙ7ùcD
-]?ÂT0"ÏœJ Ò°¬¯¼p
-B6¦˜9Þv 7ýäÎÓéÖj$Àlb†{¿öíÊÊw#dJÕsÝ–õMV)üP#‡0K•tzÒÊí±„ö PBû†ÈÔMõk»®†LÛßP€!tC€võ~vùæW¯a‡ì6oB‚P#}Ðõ¼æ~•Wyh pjˆP¶äÍŠ¨ózó@#òÆö·Ë;—ç¡Ã"¼£RS!MCüøľ $ ÿ£êI9œÕ†~ß‚8Úõƒý~;]}kè’êóšZXRiOÒÊW»ŽG«¼Ü„¡÷døæU³oÍ*hsþä”ê¸ðCŽk£ØP—0ª`‡]¹bþɇŠ_^ÝQê6B*Z GÌJÌ‘Øu꼪Ô)­K Ã_9G\™wo÷7ÿ˜zÀfÀÓ”Êñ PܲTBÙ”BÓëäXóîW×SÕÿ ’úžçendstream
-endobj
-974 0 obj <<
-/Type /Page
-/Contents 975 0 R
-/Resources 973 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
->> endobj
-976 0 obj <<
-/D [974 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-366 0 obj <<
-/D [974 0 R /XYZ 85.0394 532.5775 null]
->> endobj
-977 0 obj <<
-/D [974 0 R /XYZ 85.0394 507.7956 null]
->> endobj
-370 0 obj <<
-/D [974 0 R /XYZ 85.0394 170.1477 null]
->> endobj
-737 0 obj <<
-/D [974 0 R /XYZ 85.0394 148.8279 null]
->> endobj
-973 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R /F84 848 0 R /F86 980 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-983 0 obj <<
-/Length 3570
-/Filter /FlateDecode
->>
-stream
-xÚÝZÝoã6Ï_‘·:ÀšÇQ"·Ûl/Åuwo›âp×öA±åX¨-¹–½iÎP_–wÀ…L‘#r8󛥮%üÔµME굿Î|"¬Töz±½’×0öí•bšy$š÷©¾¾¿úËûT_{áS^߯zs9!S×÷ËŸf©Ðâf³w?¼¿ûöÇÏoo²dv÷ñÃÍ\[9{÷·[j}ûùí÷ß¿ý|3WΪٻ¿¾ýtû™†Ržãë»ßP§¿3“~¾}ûùöûۛ_î¿»º½o÷Ò߯’7òÛÕO¿Èë%lû»+)Œwöú ¤PÞëëíUb°‰1±gsõÃÕßÛ {£áÕIù))´Y
-01=:%¬÷ö:³^¤F› À¼Â=
-^9(Ü÷h7õC¾™Ô‚*iwòä´P™µCÈÁì¬xk!ga@¤-<dÇ É
-Z>Þß½ÿ'µ·°ƒü1ìžVõž‡uÎĨðFÉÙýš§Z«ü¸a‚²‰¯ðh±Ýž©ÉìBëgi%È;´Y0¡ûþYJ½ÈŠÝ[@¯Ä‰Ç»Q*½Î¤ZfÙADó>9ˆI©PVÛü÷ùaŸWͪêÊm1/«1#ÊJaÝe>˜f‚Ü
-^ žJFlÑ»ÁSIÂÖ bˆGØSI‚Wx‹EÂ
-:»ÞÓÎ`ÛÒg­¢rÒ­AJpΩ$༷Ée§Ò§:ïTZª‘xqoc¢œH_Xi&xmDš€G¬~‡êÑ>‚S»™Cõs©…c9X¸<ÃûhÑ4:I’0hA*nÀz¤~èéÔ½­úa ¨ú@¹‹ãž t¦aWDïp|SŒ÷üP,àyÒ¸FÆ€'Ùlê§bI#èñ?DMøØÀ )D#õ(òBƒ«d8†Ù+Ö#3ËÒÄqOËšÖs¡ÂÈÙ¡„e×¼^Ü5ŽÃ®§ì¶ÏY= àÄ7GŽGœÇªæT¢ó5•ªõmAé5ªUR§Õ²û¹« Îää÷4•÷î.–€—±»KÐݯ jÔ‰‡3U6²Ü¶8Óm:W8¨åMÌbBlCEãã±!r­gB™DòÇ|`–dn$3îÄx)Re_(ûô©Î»“–*H§Ÿ
-L}óáêáZ0õ†{Ù Âዢ߻ '¹¤W¢èil9µ' öü'¯D†‰jkß»|ñ+óž7´b8ÍQí;Õd“Q)é”w­²ï uæü¿«›¦|Ø0)d`5ÓËHLâP çÔkQï„TíõGÉ«oë.;ÍfE°ãP/ùêG›ÙC8d süR]…s ´šãnWïá@ʱ •€ «F1=Gnò„ã ÷UÅ5ây
-8Î4‡&‚o¼_„’sÐÿj¬.‚A“KŽÐŠ—ò4ç
-“Í‹5äaÙ÷Ô‚5pmsW™ð*¯D’¥ö2
-ûTçQØR Q#ZuZºÑN$‰Q—¹h©&Ø0£Ï]8 ùàB_¿°]팋'Jv«×ᑾ•ŒEìz`Êì Þß³Ó buppâpEWÈŸ—!ÿ„¿ø…‘ØÙÖ¡
-endobj
-982 0 obj <<
-/Type /Page
-/Contents 983 0 R
-/Resources 981 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 947 0 R
->> endobj
-984 0 obj <<
-/D [982 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-981 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-987 0 obj <<
-/Length 3209
-/Filter /FlateDecode
->>
-stream
-xÚ­Z[sÛ¶~÷¯Ð[å™ÅàcÚ:9î´IŽã>œiû@K´Í‰Dª¢dÅùõÝÅ)A²;=ã —%°Xì~{!ù„ÁŸ83Y¨‰-T®דÙò‚M`îý4Y$ʆT?Ü^|ÿΈI‘F˜Éíý`-—3çøävþûôÇÿ¼ýt{us™ ͦ&¿Ì´aÓ®?üD#ýüøñûë÷¿Ý¼½´jz{ýñ ß\½»º¹úðãÕeÆæð¼+œxàÝõ/WÔzóö×_ßÞ\þyûóÅÕm–áy9“x¿.~ÿ“MæpìŸ/X. §';è°œ…˜,/”–¹VRÆ‘ÅÅç‹ÿö fý£)ùiérí„MPÉ
-PV~Ãj¯«“¿&ÐQ覧´ýa÷Bðß_/Å䧎4ž*®œ —öçrjhŽèpP€ýZKfp-Øôùþµ[ìðé¼¥Á¦ÝÐÀ®îiˆ4†¼Ý &Lƒñà$(à¨Ô¥°ZeÐ+¢+ß…U@Iç ºÇv» g$zg§acEŽÊN
-\Àîð°WjlDÅ‹„‹\hA¶\­Öí
-¸†0¡†C- ‚P‚¬ xäÅù-MD6±íe…yµªš0¸]µ Ù_¿U`›¢ì‡j³!@¶ÃÿÓt(½]8„»+gxˆ/ÔC!ú_ï~ žxÝm¨³®î×^vþÚú[@ñòM V€JÒÈÉÀ$þ‘I+¢gûÈúßA@&Š'A×r)%?ã“Àx‘3 xÖ%*yÎ%¥b
-x BêOz¥@” ©^É™ÜX+Ǽ W– ½v÷^ {C¯$,§œÁÆp @#z%l§½s9ç}\Z Ü;Œ‚”{&ÏxÚ3PZfž‰¬B"C‚¥ÆÆ|&F8d4‚yÄ|É3ŘEY zî^l†T§µ¨§:F óÁ ^=#ç™é©ÜŒ©
-Ç÷*“{•êhº 
-àëXC2° ùÔXš6qé¬qu©…ó­Á=…p·Áñ`GÍÒ;r&s+Š˜F=W]j/ qŒŠ40Í(õÕÃbˆ‹IÒréÑ]½¨7Ï@ÊO+¡8˜”p@uF #ÉkSß?ŸR;Ö‚yÿÙí{ªöç\ApzžÃ¬FæR›˜ Í+PÉeÝ ÒaEc÷XÏ0Î`z
-Éh¹ ÑQSå|Nz×uo0§wä ‘´]azZ.Ðscÿ·Ÿ>Ñ3«v½ Ä»z¾«‚oFMв8
-)pUCþ;ï×¥±Óo¯ßýF—ÀGùPu`&ÆÈP•Á‰Ÿr‹>ÚO­VU¹¦6&Û¸&EV¸Í¢|ŠÍjý„&jÕô»Tb)M™e.K€ûuJ±’%¤8¨
-VâTÁª¹ÒœŸ/4y5c
-’ß‘š½¢rõª
-Øÿ»r%µÌ{©r5¤: Ï=ÕÑ]¤âK0 Š³ôT F¾Ë€£tÜyø¥þR%˹uîµ:Ð/$צ‚0·E]í]¯ÿ hàÛ1c´ÖlÆ´X™
-Kí!66pÃ!¯Âº†´„
-PSÉ¡ØS[ϳ'•mç« ýG
-W!•–²/§ƒ_ˆï­áQ¶aYóŠe£~ûÈÊ ¯àF
-Šìi ½§š
-$è¦Â¡!:84hG?»y,ÃäqÌg±81 # ›òÂùz'üBÆþ ®gǺú¡!
->ÎV`6r
-&”avt
-š\?„— 7ƒð²§Oð8R£uqÿÏÕl/x“ó£‚3 ¶àªqsâöT/ðp¼ò¥Óç˜eI­õ
-ìPqÅqÂu‡ß¯t[ìØì—8ζ ŒÇ·Õ\0±ëâ l´üSŸ€6@¨ýÂ{¢3"ïªÚu•‚9“ö_œÙ¶':Þwä…ÁÏ‘Æ÷ŸìAáY‰¸FARLu‡/þçÛå*@äí ç£D=˜h;ŽobÌ‹ŽA½©>ÌO}¯%uŽY%$ÃúW®ÿú[®ý‡nàW¥s'òaÉ
-endobj
-986 0 obj <<
-/Type /Page
-/Contents 987 0 R
-/Resources 985 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 992 0 R
-/Annots [ 991 0 R ]
->> endobj
-991 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.4645 148.047 438.2112 160.1067]
-/Subtype /Link
-/A << /S /GoTo /D (configuration_file_elements) >>
->> endobj
-988 0 obj <<
-/D [986 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-374 0 obj <<
-/D [986 0 R /XYZ 85.0394 332.07 null]
->> endobj
-989 0 obj <<
-/D [986 0 R /XYZ 85.0394 307.6688 null]
->> endobj
-378 0 obj <<
-/D [986 0 R /XYZ 85.0394 231.2958 null]
->> endobj
-990 0 obj <<
-/D [986 0 R /XYZ 85.0394 204.4238 null]
->> endobj
-985 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F84 848 0 R /F86 980 0 R /F57 624 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-995 0 obj <<
-/Length 3216
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sã¶ñÝ¿Bo•g" œ>].¾Ô™ä’úÔö!ÉDQ{©ˆ”}ê¯ï.vÁ‰’{Óñx¸
-ùóî·?Äl lÿx'•={…†dš†³Ý]¤U #¥|Oy÷éîïÝ‚ƒQ7uêü"mFñl¡¢ÀÀþÓ§,ƒDJ@JtÄ*TÝ)G“§ì±ð”׶µMñŸüœÝTI¬’ÙpÉ‹=ÒÄÆj°1H5‰´o¼Üæpâ©œïì—bwÜQÃîêcÕ\oð+‰ŒšïêÉàÖÏoòÃK~ðkñè±ÉAð‘
-û}ÖùÆK^»háo?èd@§RÀOšh`Î Opˆ#†"˜HIÆs)Ø,2Kà 1 é )ƒTëС;^ô|k÷ÒÌ×Ô*‹]ÑXWôíùŠŒk`Í>;æ"=ÜPÆp’žÛ¶Íwû{8ª†±j(Ë:³-O®]ðÞù—,oxVÝíÁ|‰1?ŽôoîJ$žŽØoQ3ñüµ(K‚6¶(¶™¿n‹lK½,¸˜)ˆçíñÀP™Û^µ[¾g3ž+»*=BMß}~ØÔ‡5¾ÿø©ŸUdpv#.¤WG'æ¹/ÒÊç¸^¨8œ×{baßw !æå‰Ú v›c‰°š[ƱôyµŒƒç‰_wnEõL-ÇšCg ¢zñkÚ`¢=ˆ³'DÃǸ U:_QÉÚ}ãyf+p±œ@Ú!wœ€}°Eÿ†#¶D>b4§”†Ø^rŽÅ{ýÆE·–!g/
-õ²füuj‚ôœhŒ0@‰Qß'Ø<ÕG@)hYƒúªå(‡¿/v9å¾ÎÇ@§SnèëŒ
-¥MÄ«‘Ž7
-‹
-dj×ÁE$äpë$ˆô[1iˆu=&uXHÅïB„eÞœï›hH! zÜÜ×#Mì;dÛˆ 2*ïK¡B%ƒê¸[9_°Søz
-]£õÓ:¯ä–p
-lÀÏ¿ð0˜LEPVW 5rU ÎCJ9w*®{"úxéx•¨ ÂøKÂ;VNÛóõ„˜5F6£ºˆuM¤a™¼%ÒÖ ‘z,ç‰Z›}žÌ3’ †˜y{g4±óI) –B·¦}î¥
-_G$ãz Ëǽ|Ýb<J™†’¢ß¨—ZÑt¦!#´ùêLãÒ,"p:ŽµËÓä³gC¦
-I±bþi@ûSÞÔÇCÆÔþ„J3åÀˆ:H´$l*L盂û+E®Ðô>Çš¼% ¤U £¢¾Ö¯àüè_x"ÐqÈÁã‚­4ǽnË{pð¥MòŠ#wæâ# U›*ˆ('jƒ7Ÿ“҅жõ0ìW)Â0øáLü®•Á%§ Ä›F5ĺnT–'Å—ãzQÖÏ‹)“ÔF*Šn“ÑaMÐ121e‚H‚⎡ÔW¥ªO’RN’°oÕÔeÞæ…œ5Ž\ê1¶Y–ï['4lUk~®8ã¯è*‡8†:²z·q¬Š²h;_š€ï]rZ„÷P#Ïq¦õÒ¤” ”‡Aûß`/ IWö Œîü0'ŸE-ëØCiY¥6Ç*ãÜØÅYúöWTsU—"#ƒ(Õém]b]×¥ë—çj$ôx¤ ΕH@ðSð)wþ‚¥Oç¯U—Jb7é
-]8Õ!ñ”•¤+.v‡‚ÚŸ‹²^Ú¼AsUÚÏKæ/¶<ú%6Ô5]‘sF_T,®W%’ª0U%h+wï½è^]hÜسâö:Ïè\-•Ê)>Š0†{Q¬ÎŒÝHãu¬Ý²>²G^)µ¼fíp‹”1oXû
-:¬ ÆY©¦êˆvXX€DB&jàZˆaßnC1=n¯?èÜ\
-€]Q±Ë£â:Ï}ÜŒZ
-WŠC•—7Çý¾>¸r'³>C ÅÅs°‹ix9æëwë21l…a„~‹½Òú„4į’
-á® ·öï. Pg7&‰ïC
-œÙEŠÞãñÙù@M’ B}iÛzàÔÖC|ÅðOˆváµw¸‘¿½Dîá;ÛúÕ!†Ÿ¦ÊÀA"äëÀÝÁù‡ÖÈä¬^08ÔóÚ\Š¿ò '8—#§6 WžT2È[±ál¾± ï•9}j +L ¯mO®Gº²(Ü}ÃñºT'ä_®­#ô×ùœójgŒðßзª»ëù@íý¹_âë îø”\û©8xü}Ô„þÁ?úÿý3¬þ7jQ€³»ò¶&_Œ•'
-䲶¬¥
-endobj
-994 0 obj <<
-/Type /Page
-/Contents 995 0 R
-/Resources 993 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 992 0 R
-/Annots [ 998 0 R ]
->> endobj
-998 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [329.7108 477.6902 386.7943 489.7498]
-/Subtype /Link
-/A << /S /GoTo /D (journal) >>
->> endobj
-996 0 obj <<
-/D [994 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-382 0 obj <<
-/D [994 0 R /XYZ 56.6929 607.7231 null]
->> endobj
-997 0 obj <<
-/D [994 0 R /XYZ 56.6929 584.5979 null]
->> endobj
-386 0 obj <<
-/D [994 0 R /XYZ 56.6929 145.2693 null]
->> endobj
-999 0 obj <<
-/D [994 0 R /XYZ 56.6929 119.4941 null]
->> endobj
-993 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1002 0 obj <<
-/Length 2505
-/Filter /FlateDecode
->>
-stream
-xÚ­Y_sÛ8ϧð½)3•Ê¿’8}ÊvÓ^vnÓ»\îiw›Ž5•¥ÔRšfwî»@2eËioÚé¤"AÈ@€æ ÿø¢Ô“F-
-£2͸^,·glqcïϸçISsýt{öú].&3¹È·ëHV™±²ä‹ÛÕoÉÛ¿_üóöòæ<š%yvžêœ%?]]ÿLCŸ·®ß]½ÿÏÍÅy¡’Û«×D¾¹|wysyýöò<å¥æ0_x '&¼»úÇ%µÞß\üúëÅÍù·¿œ]ÞŽ¶Äör&ÑOg¿ýÁ+0û—3–ISêÅtXÆ‹í™Ò2ÓJÊ@iÎþ}ö¯Q`4ê¦ÎíŸÒe¦…Ê©V™Ê >¿Ë,cv--´¤Rã.«Ù]\¸Ë[í†;[ iÝv÷¹j çyžÉR–‹Xú‘#׌2R‚<“¹æS-n7ö<U¬LzPÁî°]$OuÓõÁîÖÝnKä?»Ö3o+Ô¹­Ú¥¥¡¡ê?ö4üD«‚œ×m[í>Ú‘« >Ø*)‹L©€m¨Þª®šÇÏ[“OVèÒÀðÌh-ÿÓƶÖÙ!‹26u-“Œ[ìèöËC½;çÐ蛹Ѵ 8´²ë걨fçŒúÛº}Æ97¶ê»¶ºküTÿh{jW$ž¦ƒ¤NG_NäUõŒ†¥Þò¾ß¸«R°¤(tXˆ–•eAªº¡êK½}Üb'§Å‰ŽZ#I”Ô‡u<E+&Å Ùyrµ&ÆÞÄ‚*#½‚o)’¶#:AGb(L¬¡qh@ç6¶·ÔôxÀ&! [Ýrù¸ÃÈù¿w²¼YεyÙc®Óž8r¡Žëji_ðD ìêeÓŒ
-?Ì!²-§:Щj3ú¡È÷»ÔeÕRkŒ­žºÝGâM ±¦îj¡3<Ïø™ b É½ŸÍoÁæ%ϸž¹÷)K§>ž>
-qÜhÈïDX',>Žq,—ú(È©Rú$í“ŠxlQþä3Œœ…
- ‚ë,ªXh©¡” ›÷:BÎwŒp9J¡<
->@¾Ç“[ø_$—G;2¥€kQ–™B¹[ñi8R6ÊqEmgì~áõÕV,~îÀ¤ElUœÆ¢Y¥Šq80%C ÐÅŒ÷¬Î¥peò|.Xb}§Þ>4vkÿ+Ohé‹å9:veŠ,—¹\Äû}g)l–(ãÒ}õõ}Hš?¸£|9*™CE—»]Âê”çpÛ3¸Ko]8î:ðƒç™ð
-€ï|áN6²F§9}ãUg¢ÞïŽA½ÇÏ ÐvŸ¦ƒü
-·çMÔûû "ç~Oá
-öLˆoûA’ c´z±–üÿ­åpÆA&±ÿáŠec§J9¨ˆ
-^B*#LÆ ÿ!¥ÈTX>•
-–)~\!䦑à™2
- V`¶$ð¡„
-,:f
-žñÖjYfº{¶Hùÿ#v`endstream
-endobj
-1001 0 obj <<
-/Type /Page
-/Contents 1002 0 R
-/Resources 1000 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 992 0 R
->> endobj
-1003 0 obj <<
-/D [1001 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-390 0 obj <<
-/D [1001 0 R /XYZ 85.0394 452.263 null]
->> endobj
-1004 0 obj <<
-/D [1001 0 R /XYZ 85.0394 426.0265 null]
->> endobj
-1000 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F84 848 0 R /F57 624 0 R /F86 980 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1007 0 obj <<
-/Length 3047
-/Filter /FlateDecode
->>
-stream
-xÚµ]sã6î=¿Âo§Ì¬µü%jú´ÝfÛtÚ´ÍææÚ>(¶œhjK©%ov§sÿý
-N“û»×Á‹èñ—áz!Çt‘÷媫šš˜ñï#9âÉš8JŽx:z›=ÖSœQcñ£©<e-†VÛª—”WØ-iÎ6kÆkï›Ãvâû}Qßwè
-ŒX…\îŠnu?åQƒMMlb¿=Å'xÔpI¦Ó1“'nRf±Nµôò®×t9U N”RÇVut‡`ijÙ5Þ`¯}(WjóÊùx2¹Î’h;Ö`0ªø¤RyÂÑ¢$yÆLuÍC³mî>ÍpŸè\Êœ—Úëƽ²T9<ö¸‚E :¤àêEfžô¸Œ¿ ÌyÜ)ݱÇƼÇUÇz­àæ º ·˜ñ¸Œõ'GÔ«“$º(@m隶p¹[ÚDšÕgoL& G¹4Ï2R'qwh=ý®-·ÒšD
-;@ ž%B?•H€ƒ|ca´ŠÁ~›/H0ÅeHr.‘б̀Lö™LÂÅD™/ÇdOñ &Ñ)H-õ˜ÉÓ™„I”ec¸èniΊXH¥ŸÞH¦á=Ö²¥_v8»‘‰!û¬1ƲɬéÀ“'„žEÛVwµËöS2²Ð¬á”Õap°^á/Œl8R«©e 9}Ç0EqÑiWÕÕî°›Û³bÂøêýîÍiËaÄÈÌy•±9 ¢t‰·f-?7
-®£î”(Œ¤9w\m2¯“
-ß"~š|ýšf.ßá7\Á–»Ç%ÐI| œ¦ ¬·_!¥4 }óÝÅA›jï™ÝT  „RÞx†Ò“ð }ãé;ž—ãÈÄÜõ0£¡ö~5ÒÃÐ[*e±ËóYÊžË\ÍIØxµ-Б#øv²~NØòs;¥vVÞ‡–/3–¯XÚ{P“¾~Ryþy¹©ÊM=[nê¹rSS¹É¿-7ùÉM¿PnúÙrÓÏ•›~Jnê%rS/“Ûdƒäx3Þ ‹åw„dr$Ãg~Ø“¯ «Vt½Ušó€žßYIÐäÌOCÆŸÕ POC#ˆ]Ž›©Ã¿‡
-:aœJ\Ì\—ÿ‰€ÕýÝ[Åß®é@ÐLT
-endobj
-1006 0 obj <<
-/Type /Page
-/Contents 1007 0 R
-/Resources 1005 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 992 0 R
-/Annots [ 1010 0 R 1011 0 R ]
->> endobj
-1010 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [213.6732 702.2957 286.8984 714.3554]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-1011 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [209.702 621.4019 283.4678 633.4615]
-/Subtype /Link
-/A << /S /GoTo /D (topology) >>
->> endobj
-1008 0 obj <<
-/D [1006 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-394 0 obj <<
-/D [1006 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1009 0 obj <<
-/D [1006 0 R /XYZ 56.6929 750.9506 null]
->> endobj
-1005 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1014 0 obj <<
-/Length 2676
-/Filter /FlateDecode
->>
-stream
-xÚÅZmoÇþ®_AøY„›}I>)¶ì*häVfQIPœÉ“tÈñŽá-«Eÿ{gwvwä‘’›…ßr_fgfgfŸ™›PøÇ&V*œœ'‰¢LM–ë :¹‡±w,Ι§Ióþ¬ï_¿Õ|âˆÓ\Ow=Z–PkÙd±úqúú—^\ÝÎæ\Ñ©&³¹ÒtúÝõÍìqøyýþæíõ»¿Þ^ÎŒœ.®ßß`÷íÕÛ«Û«›×W³9³ŠÁz)œXðöúOWØzw{ù×·³Ÿß_\-:Yúò2*¼ ¿^üø3¬@ìï/(ΪÉ#ü „9Ç'ë ©QRˆÔS^|¸øKG°7–ŽéO K”åfDrTÊ-¸
-ô23M˜P
-:¹mòe|¿]åÛ¢º÷B)Ñ#E's.‰“L"{È+X£Õt½+ÛbSæþ—žngÌNóe¾«§dØÛŸÑî¶U¾Âá¢Â‘,R̪æ1ßƱÇÖÙv|ŒdvM~·+±¯­ñ»¬«Ÿ(å÷»þ~íCŽ£‘'¤¬§õ]\üp‚uЗš1â”âAêM™-×R
-ͦ®šÌJP;]À*³.L0•¶@ß“ÝnáæµWþˆæ%Êpç6mÖæë¼jqËM¾]mƒŒìåÏÚ¢®pF¾—üA‡uGSÆTÈåÎ$• ;†ÃÓÉðÓ³ø5¤ÓïÛ+‰Ñé‡<ÎÏʦÆV;®7kÀ7¤Jº¨·mY4íˆÒ„$”óC}uè½BI¢šF‰±4¸Žmï'ظíù]š>ïÏG·l~HÕ3ñ!_ÆC q }P2$¹&B(;àèÈÿ»YÏ0rLÍsBð<…#t¢03Ä ˆ&~ð²Ó»öqÄDuv†Úgœq?üD;N¬4ö%‘g­ƒóŽâ¼Oò8È1îà¬å~ãpä›|9bœIUò»¢ÁÓXåÞm0y+ŒÝwuYÖÍ7HG™¹¦D2n“îpÓe™5°VCP ÍTÙ,›qèhŸ69ùV›~äÕª^gE_…CѬ5nèr¨ÿ°¢>°ÁX‰Õ
-Œ5ñk¯ÁÕ…rÓªö_›Xö]ÅŒMcÓk¯ð:ÉW_AQÔ/Xåwøx\ÒŒ \NÚ$%_Þü}ü ´“É¢’CældΦ€¥MÞíOòæú¼Ù¼A$ïÈ9ÞôyÞðÔö¾!8 Ëôðʲ›B[4»È®ÿ‘lñ'ÎåãÔÂ!¾@¦þ0¶É„Œ<™èçŒ "¨0C[]$.Êü>+±ù)+wygüÛ6¬
-JôÁ¸õAl1®»´"
-[I&ۥ
-þ³®ò1 äW•99ºÝ
-xé_!X%¼;Y=ðv}³GjغÄOª=ÔMK"'dY¯_õ
-GÄtŠhÙ-dQ´ÈD†Ÿfwç¹ —§GY†ùš@De€, •@V>fO1||ÖûÏ„Ú¿^–@Õp1nÇRß/‹61˜ˆ,‡Fî‘é õ>†mÒA¶)_\nÐÞ÷Rç$Áf“g—=š}®ª#®…s…(™$„4(,*NõX"mRyCNÕÚ|æ
-ˆÖ½¨ØÆ Étp…Ÿ~Æ­õ—
-ø˜Þ3ÆSS4ȧÓÎ(ôÜùv¤&ÇľÁä|ãÉÓÉÃ1½Û•åSœè_ç­1tTøÅê±o9_ ¦¦ßƒŸån;Ç€b$ZØaŒÞU¿ 7à«u²ÆF'€F³Ûl|ÀõÐ{|( áj&€×UŒl0¯æË¢÷ÇHÂíÁö“¾ý6³õ¢À¨/@çjè ýôtqšsE$©ƒâ´ŠÅéÅŒq7ÝU1ËDJ¨?òEA*(iˆ“æýY§yéfy^J¸íçm[—ºÀ‚%hòìÎݬ‘­ÅÀu$îF÷þcQ—ÕnýÓ5+¶üfYW˜
-,ƒCç2[âîG)nÁÛO‰HQ­Še¨Çb5ÅþUÑdË<RõÔÀQØô>Îú‰*ºx("{£ea¡ÍºÐuó~1V ’T‘`&OŠ÷æu•¯ìÆð–}sP.9Æ ð“6m ðj¬ºCu†ÑxծͿc¼ØÈ>ëݺW9·»qdG™Ùñí5‘”õvc»Ÿ2u陬xÆÔ{³Î˜zšåYgŸçU°›Qƒ–$wîüþݬ¯@Þß,fÌÚÛ”6°Ú-sü]åíc½ýÅÿ
-~]üZˆïyxÓib_”U7žöŠúè%†pýUk‰‰ñ˜Ž¥DÓ4õ÷7Ûǃ—èÇ©îùfÔÛѶ«ƒ:›à‚]÷\ÔKà5¸6êÝvïw‡î7•üË8Oþ½Ìª„ d­Ëa°™š¨¯˜ƒ˜`Á˜®ø§¯ØAÅô®—¬4E™ ‡ÓÛ™…K‚yÚm|G‹h{Õe;E̺7ß43–8)‘ aïdDPw×3wooÒ™7ê8)©ùt4
-q–Û³{w“ÎoÎ ÛˆÍÎï~xÆœçlgU˜±}J³wSß[¤Šú$t=>ˇAÄöîé¸Yw•«®`[TÙ6žº7áMÝ>R…kk|;u1,Ük‹³O]ö˜ç¿ì·ê™Òø%•²3À3bôŠ “g«…/ý+‰=Æ”þÕÅò/±©à™òªPG®ÝŸS³þ‹åL’endstream
-endobj
-1013 0 obj <<
-/Type /Page
-/Contents 1014 0 R
-/Resources 1012 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 992 0 R
-/Annots [ 1016 0 R ]
->> endobj
-1016 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6787 706.9749 427.332 719.0345]
-/Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
->> endobj
-1015 0 obj <<
-/D [1013 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-398 0 obj <<
-/D [1013 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-696 0 obj <<
-/D [1013 0 R /XYZ 85.0394 749.9737 null]
->> endobj
-1017 0 obj <<
-/D [1013 0 R /XYZ 85.0394 600.3746 null]
->> endobj
-1018 0 obj <<
-/D [1013 0 R /XYZ 85.0394 588.4195 null]
->> endobj
-402 0 obj <<
-/D [1013 0 R /XYZ 85.0394 240.5427 null]
->> endobj
-1019 0 obj <<
-/D [1013 0 R /XYZ 85.0394 215.3468 null]
->> endobj
-1012 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F84 848 0 R /F86 980 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1022 0 obj <<
-/Length 3569
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[sÛ¶~÷¯ÐÛ‘g*†¸Ó§4qRwN“Ç휙¶”DY<•(U$íª¿þìbŠ¤(¹N<!.K,°Øýð-(6Iá›(hÇÝÄ8™¨”©Éb{“Nž ïã 2³(4ëJ}óxóæƒæ—8ÍõäqÕË&©µlò¸üyªžÜÂéôÝçOî?þøðöÖÈéãýçO·3®Òé‡ûßQéãÃÛï¿ûp;cV±é»oßþðx÷@]:ŒñÍý§÷ÔâèqaЇ»wwŸÞÝÝþúøÝÍÝc»–îzY*p!¿ßüük:Y²¿»Iᬚ¼@%M˜s|²½‘J$J
-[67_nþÓØéõ¯ŽÙO*›(.5X’'V§rÜÊ,1Œ‘,Ñ’±ÖÊrÔÊQ
-­¼-ÊÙa·««ázYšÂ›ZLºƒž©n¥Ft‹Žn–ªÄIcúÊ×9ZÝâ,Šm³ÅŠ›–Ívž¨c·¢çá–AeW“D•žóCE]õ:«©TTÔí…óß›‚
-Kê]í˜Y_*¯ê@MÓr=­v uG"ó 7™q™iÑ",qJq¿¾l±È÷u¾,¾ÏWY³©ÉÑ
-oñ7”í˜ÉºD0áÀ¶ø:'‰ž!ÁŒÆè 7ͲD9§&IHiÿŠ—
-ëƒÎŽ{i
-; ƒè¸8½—ÂX¡ßè5‹³›ÁZ£•îúJk7°‚I¸±|¢­J“ʯõSÇ
-<ˆ¼*Q‚Ë`Ï·3ͦð?Ÿž…¯Õ`8''Z‚ÃZ
-¤Éï–¤Ò9AB²_ëɾáÍý–OÞï`E“î¢ÂÀ³îÈ~QVv€‹D ˜½–&qÎZ”÷-®»Ýoòm^ÖÞ[±¡¤'â–;Ûg©]­³“®%ÿÙæ°ºv
-Î,JÌ£d
-!Ôyx
-õð±ë0A~Ö}á|ÎÇõ»/êbWÒÜd‡³(…´º7›3Gh¥^™Ãùh8°£ ¼› Y&ÿcN"8¤ctìykÆ_hÓƒ •h¦M€8‘Ž LpAh’zWB> áÐ d{N@ÚÓtºÍþ C+8Mh/*z²”žÇ<;„&Üd¡5tpç¼*\0. (V;pÏ;Ø%ž„´;P­‹í@YS.v%Ä1ˆÅòÚ¯$+ Ú@g/8e™Sa½kTšçxŠ“^¬‡£<.šµ—áü¥)øRôî^¨¨@J\!nŠmAÐŒmÛ]G!~Ãov‹ß¨Xý–¿Ü:~~8G¤SB'Êju»R—á°•j¹\¾:äÕz†ËûŠ&û<Úì¥ëÃñ\66žEò–jy} ­ÔÈz¤±8aoàEl s`\ï1UÀ=jâcjð[‹âe·À@§ÿª³Îâ!›çëì¹ð[+
-Û¬‚csª0îSñLë…Îj“=¹¸i~è嬿4ݹ¨À,õŽH7†a]ob@wýÁ‡"GA_NRòQ²/Æ»®&´8¹šÐ2¶Ó¹ŒmËÎtBߎžÞ^†êm2ãÛÊehmÑVŸùÜ@´uj‘8´O^ÀìpRL÷¹i†ûŒ¡,eÛô\ùfEÞ(ùôi³›{ïb°IÞçl4Ø+§½‡Š'\T$?ƒBÜX”-—¤ ª›95ᤪ >tC˜l²í~Ý#d“kCáÌZ…Ëe·×[+âzÕövĪåiá]rð‹H-9ð #Øu¤îJ]FêVÊoݲ¬fÍr?«Š?ÏP–qàn†¹ëê[©Wô#ƒ°%½26k™—‹‰(x¸Gãöq áV•·$ÔbIO|ÿ5Í›nÍŠÂ\MQRð‚Ÿnb
-°oõ+ÛR–µ—ƒ/ëb±¦aý51C
-
-›
-«<ßôÒ3-sâáޞˢÊæ›ÞÈÄ tš0aœ 2P¡-æ<P2 Nä¨É<GòO|Yhãù2¶¯‰CtßkCzdÿሀ±¯A KRe¢—PÀ‘¤t™ã™YÒ¹/1E gþÇ~S,üù µøž"Ì–Kn9ãZ%Æ:Õ'WX`„Öø¡o êÅ:²ìl³‰w E›j±iHJ'¥¾Î¦»R—Ùt+åí¥ úÔÕ‹÷rêµAfDk×N%ˆf_+}¼2¶Uï+ulm£Ëë]³ ûÕûÝ!Üü?ƒÎ=ÈtÇ,³m>rN?H”Ã|’ ç¥Á/±i¼.|$2h9îÇŽL©!\D©Çÿ>Ž!Eñ«pùÈ ÉA^„K‰= ÑM¢y{0cÎêx EP8Ñp¨xî Ï:ö¾·¡Z»eXiù ”}
-­Øf‡ ¿oû]z(ÜTdQP
-ñF•"<éÒIN.”5àµFúÙ' s
-I×~Ð[YUeR§ß!hºdÀg¶¨›pYŒ5Ÿ·R@õHßG4;A„§ W¡ŒÃéo-o¦q˾?\ Ó--<a˜fç¦Y-ÖÞnC怹ÜÜ¿Šl qž¾†l©+È¥:\ïQ‹åÁЉcÀ¾¯jB#ÚÅ|;Ñ×°ÍLïßw‘ÈŒ¡›é › › ›9G7ó:º³vRÇ„êþ}òåî᧻‡±ä@«b€m â|ñË`,Õ‡eø/]™r à ôüè/ÃÌ‚;ÖÁh=aB  øŒ™ë`B`!ø¤¤…L
-œ°„þÿŠÌÔEÓGÓ¢ƒé¢ƒæ¯ CjxåtCÜ?ØEˆ
-_ýIæ›ü¡M£‡åºÒÿ(ÇŒ|ßG: ñ¹Oœi£í ã†Y DRêbàcáæÍD4èžË9à«´—~ºÖ^Ma®%Æ 4m#ö{yº/“&”¸ô;ð-ia0)œ¸’ç‡Pšp˜‘©ÿc5Èhendstream
-endobj
-1021 0 obj <<
-/Type /Page
-/Contents 1022 0 R
-/Resources 1020 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 992 0 R
-/Annots [ 1024 0 R 1026 0 R ]
->> endobj
-1024 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [297.8955 586.6375 347.2449 598.6972]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update) >>
->> endobj
-1026 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 306.9508 116.59 319.0104]
-/Subtype /Link
-/A << /S /GoTo /D (view_statement_grammar) >>
->> endobj
-1023 0 obj <<
-/D [1021 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-406 0 obj <<
-/D [1021 0 R /XYZ 56.6929 374.8758 null]
->> endobj
-1025 0 obj <<
-/D [1021 0 R /XYZ 56.6929 352.4787 null]
->> endobj
-1020 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F58 627 0 R /F84 848 0 R /F57 624 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1030 0 obj <<
-/Length 2589
-/Filter /FlateDecode
->>
-stream
-xÚÍZëoÛFÿî¿BåKÅã¾—×Onâä4Îã
-×Ëê*]Ry `ࢪ©ƒ¤
-»t$c8Ðà<ÛQÀªáÑÁÿ.úû#gkN¹ÓéðÛ{±"¼Þ9
-Ìöá¶è°eô¬ó.ìk½@ep‘gÛ˜0‘TFN42+ØAуPÞìDlVØp-Mdylöï€æÅ@ËÃŒmR³Ž)« $b±M˜‘BMt öo6óyÞ4#fŽQÒx+¢3à ;Æ ŒÈ*àLðD›%µÿ¼ñ Ž•Ušù©h2îK´T
-ß,ÇP¨tiý17™@qSÌoÆ` ©ÝÔlpaŒÃçüýéÅÅ{ ‚
-iP³®Ê&§nïý8¾¥ïN[_$àƾ²¹g÷â"ÚµU ±¤Ñžµúu–‚6) ®‡xRDÉ“Áó#’aÆ~ã“1¢ŽxÆø”¶$q]狼®P2>Éxg|XFã“LôƆ¤XWôZ€GCÀD¥¾Ç¯íhPËlô tjnžÐÏ€ñ¯æÿV?páÉsÚ
-Œ ¡¼¯ë&o„k{h€²ƒïtÖí`q[;Ø‚ÚÁÁÕFÜdèxú½ç¹{
-}³´MŸÐV'†o«+ù-u%Lò«NNå}VáÑw˜º8Ä7ý­(F†o§.¬xuaq[]bØ¥’ŠçÿzõþÝÉÙù³*Û¯–!Çb'’ÚFR'Ïœ´2ŠáÇ"-–›:?Ћ”pjÙ:G‚ªs$5€9¡:˜ÃöGRsØ“R•6n¤ê
-;gÅ0±“ÉÛþ‚ƒpuoð¼«<8蜴½‚;wž}¼. W\ŸYM³¬¤ðbLº®;¢VvÖñô”÷
-¹Ã›´†S‚¯ABqÑÒ¦©æEÿ–Õß3ÓaXµªÚþt¹h—«¤Î)Å
-aƒhkI++žfÎy
-ç\.nM-Ëü6_úñ‹­A_Pr×›:õz…Æî™gxòEÙ™§œŽ°%œ%J„‡8—ÁÌœLVÙG\a:Þ$Ó³Å~ú˜8ˆlŒýÐÂ÷¯cb.ƌń'g>DÂfÇ)4¬ªþÍäÑe!Æcíåqˆ w—oÜ)ŸÀ’t–Ûþ²e¦ézݵVÔä#s‹p¹¾=øAÕzF&„JTdY² Q=ìĢϣ‹XN‹ëÒóšaÖÄNn ¸Å€{ŠJ/6gÔˆ|ŒÁ×Xu€|tbù˜|3Ä.²ÅÛîZLFÜJþGב]Ê\s3x½U Û6:ÿªô8ÙÑEú*ŸŒüÎ î€ø«ÕÐÿäCÂIg-¿}t·¿)d@©Ýw?x¼õÿŠÕ“™endstream
-endobj
-1029 0 obj <<
-/Type /Page
-/Contents 1030 0 R
-/Resources 1028 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1035 0 R
->> endobj
-1031 0 obj <<
-/D [1029 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-410 0 obj <<
-/D [1029 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-929 0 obj <<
-/D [1029 0 R /XYZ 85.0394 752.4444 null]
->> endobj
-1032 0 obj <<
-/D [1029 0 R /XYZ 85.0394 624.285 null]
->> endobj
-1033 0 obj <<
-/D [1029 0 R /XYZ 85.0394 612.3298 null]
->> endobj
-414 0 obj <<
-/D [1029 0 R /XYZ 85.0394 362.0579 null]
->> endobj
-1034 0 obj <<
-/D [1029 0 R /XYZ 85.0394 336.0649 null]
->> endobj
-418 0 obj <<
-/D [1029 0 R /XYZ 85.0394 167.8903 null]
->> endobj
-951 0 obj <<
-/D [1029 0 R /XYZ 85.0394 136.123 null]
->> endobj
-1028 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1038 0 obj <<
-/Length 3695
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã¶ñÝ¿ÂòÌ %¾H`òäÜùÒË´—ôìLÛIò@I´Í9‰TDÊŽÛéï.vÁ/Ñg_Óу€°Ø]ì'@yžÀOžÛT¤^ùóÌaiÏ×»³äüƾ;“<g'-‡³¾½9ûÓûT{áS•žßÜp9‘8'Ïo6?/R¡Ä`HoøøþÃw?}º¼ÈÌâæÃ/–Ê&‹÷þrE­ï>]þõ¯—Ÿ.–ÒY¹xûçËo®>ÑPÊ8¾ýðñA<ý=ƒôÓÕû«OWß^]üzóýÙÕMÇË_™hdä·³ŸMÎ7Àö÷g‰ÐÞÙóGè$Bz¯ÎwgÆjaÖ²=»>û[‡p0–ÎÊO&BiÕ©
-Êâ‘ 8Ðÿݶ^¡5XXÚPgfû™Ñ0LÃ’Ñ<™7cÉäìTó‘~Ñ3I/ŒÓŠ99¹<˶¾×‰è™”Sä™Ø-)'{·„ƒ, ÝÂF¬|ï–p^à
-&å<—Z9•Ç©¡yÓªY«ƒc5‰·c©‘RY:Öc»¸%kÛñ i³ŽacŶ>˜f˜×{T´L—²e¦¬­aeûf(‹Ú
-£õmOÃŒg4ª Z/›K퉶ö’Ý·‘Z€tõÄ7ÅÀÌ:Œ¡ø@ÿ#¬ÓaèDÆ
-°™ll¡P"ä4ÕÅÓƒFç•)äu:­‚™Óœoá¬UÙÂØi…6é4‚÷¥™ÀI¹ãÍjí4:%Å_¹¸­Kñ{¾ÃÔ1ÒX2E䀱qÛ?c*½–Êêxw÷Äž¤bײ>äÍ},1¢—ZׇÅ[÷-`ÅC-fZ,œ‰Ãúºꌌ¾¸ØTsꯌÈL§]R/Ý(tj™ 2z¤\ 1£XWèA›ót˜·m±Û·¼¬¦Þ$[\½ûxÍ+(ÏغÞíŽ8½x)@Õ꬟eû¡t‹a¡ßGÁ/Öt³å—L3‘(i¾"ÍŽ˜*Ó@îä âö9§îÕEì V<ÖæbÄéa1‚†
-æ÷Ë4X¶1£š`öþ,ÚwòoÚ¼ åm¢_n$B§™›Ùª˜Ô “ðÚc§tð™Z¹¡Mf]i‘I¾H WÞ…D*‹Ñ
-Õq·¢ËÉu¦ÕúȾ¯âeµªÁš kD9®“Q8Ød$\6Ž‰0ƒT‚,³2RÎj²L93ÑŠgÄ£u⦕ù ©+â(šG™ g È×Ñ%Su>¸ÀW,¥’AîÛѼܳ:ÏjYf„2áEC%ͲR$ÞËW^³J«¢¼>OÏdb6IÕ43›o@HF Aò9KÕÂô´Â&Ó§•À¹z°#ÁBñ9àJxçÜüÓòø¢¤w…1ÿàÂ]šö;cÙÌ%TJ¸þ˜6r]×aØu˜çj+-NÛ‰
-läÄéÌö/!%çúc?£4J2Ž­žâ~ÊGJ¹˜-Œ/·ÿï •%$"±qwÈw»ü@Œ¼qt.ÔyÐb›¾à»­HäÉ4bÍ·Ûú±¡vp"ØØAåYî·<qb±¥¦åp^OE£N ¦R£²|±Me,H …¢ÞÉIš9H+¶,E®>¿öVA*¥æ2B,ÖÅ\…È¢¼{éKK™=wùΠ†Œ
-õìäJ žcQ L¼3è‡ ¸@  ”— ‹?œ²ÙpUÈ8©DJ¹D²ƒwé!TjiÆ™&ÅÄtÏ‹vô¼hb¡pz^4“7E;}StÝÓ'ºó‡bõi „½¯ùÝ2”F€øEȯ9Ŋ¹ZÇB0qéWù²[5VÂ@–¢wDüx5üÄBe‹kÈú¶ùÙBÒ ›ΧõšÏ !#¶Ôä×>ÖJS‘ô–ý5çûŒÿ Á‘ìbΘ@¾ä&©Á €Sm^n›7Ñ}»)šõ¡Œo%Ï~…`-Ô=Ö|µ™fÝšçÍÔfúš’:¢¦çaê¡}&
-
-6«’ô…4¨›¿.8MBNñŽ!ú´G Ù”$“jHE¥‘t’ u³^ ä[wa$Ü)¾H$@tæ<¤äVw2I±” «Ã±¿½ ñ(°qÝ—Àá[&q¿ÍÆÅ­J…vÚñ1¥€ûßAY•†HL®\›ö
-¸ºÄ§c ìä­e'oêÑ£«–ºJwï@0ÀŸr±?®¶åšÚ!Ľhiºr†?üd%?BÖ û嘘otÒíî}ë°åëa
-£ÓR¡^AÀ¢]bžEì…¤ Mo¨U”ñýó§u|iJé»>É_Êø¡­¥F/2ìq.­zãÙçý=Úx]ÜéXQq!æû¡Z‡‚)¡OÆR,Y܇ïÓ,Ê(”žáI¯Âó»;v¥Œæ p^NÝ6¼ú5mŽµK¸~`9p„«Z•·ctIx­Ä qÁ}ør2Ðå‘$ñ«r3X\ñ¤øéVQ¹–ü²{údßG¶]AÇo{ì!;¿A_IâÞ}’ävÛMž>}–U¬JV›z:Õt ÎðëŒó²½óÏ}h«->¸ÏÙÒƒ?ünÿ…²ÉÀÃ;5ïHTæð«&‰ByÛô„òøµî)éÿÊ[¨-endstream
-endobj
-1037 0 obj <<
-/Type /Page
-/Contents 1038 0 R
-/Resources 1036 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1035 0 R
-/Annots [ 1040 0 R 1041 0 R 1044 0 R ]
->> endobj
-1040 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [87.6538 396.2754 137.7628 408.335]
-/Subtype /Link
-/A << /S /GoTo /D (tsig) >>
->> endobj
-1041 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [396.1961 286.7149 464.8681 298.7746]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1044 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [432.8521 109.336 481.8988 121.3956]
-/Subtype /Link
-/A << /S /GoTo /D (DNSSEC) >>
->> endobj
-1039 0 obj <<
-/D [1037 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-422 0 obj <<
-/D [1037 0 R /XYZ 56.6929 270.2232 null]
->> endobj
-1042 0 obj <<
-/D [1037 0 R /XYZ 56.6929 241.4762 null]
->> endobj
-426 0 obj <<
-/D [1037 0 R /XYZ 56.6929 160.4328 null]
->> endobj
-1043 0 obj <<
-/D [1037 0 R /XYZ 56.6929 128.8764 null]
->> endobj
-1036 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1047 0 obj <<
-/Length 3050
-/Filter /FlateDecode
->>
-stream
-xÚ­Z[oë6~ϯ0úR8Ö‘x‘Hô)msÚÛ´{šîÛŠLÇ‘%×’“fýï;ÃÊ’#×)ZøAˆÃá77ÊÉ,†_23:Š¥U³ÌªHljž›‹xö
-ºi$V^Z„§H
-lQ¥ƒ…ÿ
-„£‹”@,˜cà Y9Œ$R¦ó›ºë7ËQŠ¨µ+>r¬¶ ŽùLmâo‰Ìkµ'#%cñ‡Ú`*¥õŸÑžÁWDï‰ò°ÑªåÍuùÇ©ts!-  l”Áœ¨Aa«©V~OëKGŸXQQ÷X.Ñ R9Ï9?Û¸b×e»¥X’-zB
-IJ’D·/Ž°
-ðå}Åmoåz€YßI¥ƒî1KS0Y‰$>‡3ˆé2 ‰N#‘óÏCé ‰›±*«ŒJ4aý=uxø û8Ôúú»êžò°£Ë7A ‚¿ƒ0ö¢Æ¥)a믪¨9÷<ô
-é£{ ìû8>¸Äm¸ áj–Êf_‚5#U¸P6Õ·ÆKõm^û»:É·x2˜tlù~
-A@–õaâÀU%Z L&òxÈ¥˜À8òæ`*û`*é4à Ù×’¨`k~Þ”(Ú@–‰óî@÷‰X/‡?Âï¶9P
-é„8ºDÉ·[Y¬ 1¨§µWPWHP‡.¼–)}}‹3a/H™à o ”Îæÿî™á…^˜°èmÁyµwD–ÌÜÞ›Á…Âñ¼z
-°'Î
-@•ÚóÇ câ²LXÅb©p’Öçô¤'¢¸o%æW
-–æ”J2Ⱦ*vÄÖš‰è¼¹Ì
-¨yCÀ@|LÞNÅ‘ÒýÕÛŸÜjˆp”/âëk7Ô@ÔRRãñgev¹Ýó­ýL’Ë|ÃÇ$Çiô¾å+¬ãºêgÈ­þÂ>.8a×2ŠÒãøxø"ýIHö?~sžü2ýö-M¹óƇT»nöÕ’h®ÙÄ/*ž¼©U»î©Ù}l£?÷Y;‰#ÿ{køûîïýggØ›w8’îû_Aacw¸PIù eYp£k¦„I€asRZæ‹.?l¿^¦œj;ü1€×\±xkbF^û`G0¸c¡Âjö«=}&|Ãwí˜ÿxÛµuíÉOì •$C´Lý-
-ð—,îJgÇ’÷ÿíy)úÿÓ
-endobj
-1046 0 obj <<
-/Type /Page
-/Contents 1047 0 R
-/Resources 1045 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1035 0 R
->> endobj
-1048 0 obj <<
-/D [1046 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-430 0 obj <<
-/D [1046 0 R /XYZ 85.0394 728.7887 null]
->> endobj
-1027 0 obj <<
-/D [1046 0 R /XYZ 85.0394 703.8893 null]
->> endobj
-434 0 obj <<
-/D [1046 0 R /XYZ 85.0394 574.0702 null]
->> endobj
-1049 0 obj <<
-/D [1046 0 R /XYZ 85.0394 543.3965 null]
->> endobj
-1045 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1052 0 obj <<
-/Length 1252
-/Filter /FlateDecode
->>
-stream
-xÚ­XKoÛ8¾ûW9Ù ˆ)Qô”flŠMÚu½§naÈ’œÕÃ)'nœÿ¾”H=-%jø`’ÎÌ÷qfø€ŠÆPÁ&0ä(–c
-}­ÔÏ—¨c½CTÞZÅn”ÑäRÚâKJ OÍ×֚̉öAFoè–,GîHÌÚ",[·6Izï¦~kÌÂàÖe<ŽÕ:F¸e(Z‚\ Ë2ÛÔòüOîUžïd³o§¦ïóȦ«"yW!¡Ò«§¦ÆÎú e?³ }/],ucº)I{•º&Îlëóhx³oBºMx
-¶‘Š/+ñe•fe>
-ymÕQ@¹×“bËR;ÆÆð,ê#}êcQ¥T8ŒîÁ¾Óh®ÒøÌÜ8LnUJ~IÐq­ËÚ5ÀÖCUâTâGƧ¢©IÆ^3—‘h”Y80u¼Ùf êÄá< myá$ì%üàS-VÓâPûň­ÐÐ$K½Æ¦M¶F#‚Å\hZ@·ÁU
-×÷®Áo0ùcDÏ+„VÝ^ÞüæQ?ñ+nÛ¨zÎ0ôÆY60l®D:•ãÃö‘çåãȱëÿQví}endstream
-endobj
-1051 0 obj <<
-/Type /Page
-/Contents 1052 0 R
-/Resources 1050 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1035 0 R
->> endobj
-1053 0 obj <<
-/D [1051 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-438 0 obj <<
-/D [1051 0 R /XYZ 56.6929 516.9892 null]
->> endobj
-965 0 obj <<
-/D [1051 0 R /XYZ 56.6929 489.6463 null]
->> endobj
-1050 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1056 0 obj <<
-/Length 2937
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÙrÛ8òÝ_¡GºjÅ€
-’ð|n¼½º~Ϙœ‡w?__^}øõæÍywW?_3úæâòâæâúÝÅù<ÊlüZ$¼Àpyõ †>ܼùøñÍÍùw?]Ü gŸ7RòŸ³ßþP³ŽýÓ™
-MžÙÙ>T幞­ÏbkBã1õÙíÙ?£YbÒŸ5Yh3N(Ц#FQæ:5³Ôæab´! ®w÷®+Ïç‰RA×o«æá×x:XbEan­&òuÕÌ·år[v«y_­…­Ù­ïËí—ØÜçïc‹F«õÛ§ï_ë{™vu_Í×®ë=ÙSÙ}j·Ÿšö ûû³|šÕ¶\ôíö‰é6®_}jܺd†¹ÎÃ,Ks
-~íÜC9,t0XGƒ)ÄQ<Z'Œd¥ +Ýç †MÙš9Y’Mã™M@j
-r¾ÁÐMnÂT¥'†þÿqù(¯Ö/¸ó)% ç855·q·E/¸‘ŽBcŒ…ÃGa¢t.FG–ÃÊ6#ò4jpIEdw+Ômlƒ®Ü>¢¥é8 V®c¤ãÁ[!‹vóÄTí’1½žËSËv{2'æ‚2É€h_Õ5£îýÔ}]NùBßòýo¶çQ´U!ávýªÝV`€Õ£G5ݾÜvüÁû
-ëÃÂxð4î‡ð¸Vû0¹Þ>1AQ.$­¿¡è8è·à‰ËÁ *'QäÀ€^²G¯¿i·=ã­‘õ›©,GÚ0CÐê^ãF  ÉZ!´Ð‘DB¬\óPŒ¤¨€€Ã
-"
-Ð^ÌJo˜†wÀqøç ä¿ŸÌ<{H.=ŠÑÅ( ¥Vì 1~#ïa¹’S(ҒæCâ”g[$?Ñ’Í{«[ð‚Y瘼Kå‡=hE†‚8ÇŸCN”\tï¶=ú­ÂjÌs-¸€¢E
-“9çTÄW ):aý&• ¼€¼><q‚(Á’3ŽðêäPédï¾ñË<µ_•’ož¯
-ucz´èW¥‘Y™4ø÷ŽÌ
- Vˆásn,
-…³Ò“Â 
-Bïß“­Æ¸†ÿ±¾`Ôj$&T‘I¿G¦gy±ÙHÀm¥×0Z‡qžK¯Ñïî¿¥ÕÐPº-@ÆÀqª9üŠéƒR®6œšâ!„
-s2K³L<hÀı/4”—1f¸‚1œóâCÍ è•PbÑÀ(ÉõqðPï„
-o1Ç7ÍsÕd%ã8ðoDOMš*¨²8d0PèÒ>o ZoŠ0®ÄøãwH&ìˆ8…u(ÊÁ4Ij£’b`‰ËC¥U¤ÉóS¾ÎNOÛ]dàãž:»MÂØ Ý7
-+BH†Ë _·y˜¦6R¬Ýµ†ÞŸKônÌ=ÈN*Y—S¦F•ÄÇG:);±Ä”öMGx¯{ÆÀvÐv[2ªŽâB$Å$ÌËû;°äŒèvlã:Fríj}T@ÌK¯“(@+ëi3ð±w÷ÙŠ®FËŠ
-¿oòBáÉEâ|õ…‡虇–àq[½ô-x.ì‰<?‚7dB¹wDæ<HKHkTŸAH)]zßÂWÓúÁëùI¡ÑÍA( ºÏe9ŽA‡æ@êV(UR³ŽLÊA|“cfÿTwÕzµÅ¢áDÀŸOÿ¶!ɺT_|8ŽŒ9œ
-uà|2/úVTûß#𤮈l5Ê$CâóÅÁRÐÙ›mõÈoµÚ4?Û?yf× ¢n.ßEy6Ùá2.‘Ç_BŸÀ+ÃñÔË¡!öXºªŽ‘Ò°Ÿv›¾›ät©°j渉ºMIrÛ›j©sD]¦Iä2MêŸgøò¤DÔ7å¶q5cEÏfôàJÌòÆ#ÕñpåàAí›áÖeó²Ÿ# ?÷H€™àË?þŒlžbmB­èÈ tEšƒ<ým\ ?¯þð/ñ‡ÿ¦C‹•ezhÖŽ<QI˜é<¢,Ô“ÍŸéÃÿd/T£­ÿX‡™endstream
-endobj
-1055 0 obj <<
-/Type /Page
-/Contents 1056 0 R
-/Resources 1054 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1035 0 R
->> endobj
-1057 0 obj <<
-/D [1055 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-442 0 obj <<
-/D [1055 0 R /XYZ 85.0394 636.8504 null]
->> endobj
-1058 0 obj <<
-/D [1055 0 R /XYZ 85.0394 606.7365 null]
->> endobj
-446 0 obj <<
-/D [1055 0 R /XYZ 85.0394 606.7365 null]
->> endobj
-1059 0 obj <<
-/D [1055 0 R /XYZ 85.0394 582.3251 null]
->> endobj
-1060 0 obj <<
-/D [1055 0 R /XYZ 85.0394 582.3251 null]
->> endobj
-1061 0 obj <<
-/D [1055 0 R /XYZ 85.0394 570.37 null]
->> endobj
-1054 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1064 0 obj <<
-/Length 3269
-/Filter /FlateDecode
->>
-stream
-xÚ­ZKsã6¾ûWèºj„àE¨=93ž§2vÖvj·6É–(‹Y‰TDÊŽòë· R|IrvR.ÁFh4¾~bf¬´“ÈjrNfë >y†¾OÂóLk¦i›ë»Ç‹o?9±Ìi&‹Ö\1ãq,&óŸÃ$»„xðþîöãͧŸî¯.#<ÞÜÝ^Neȃ7?\SëÓýÕ—/W÷—S‡"xÿùêÇÇë{ê2~Žïnn?ÅÒãȤ÷ׯï¯oß__þúøýÅõc³—ö~W¸‘ß/~þ•Oæ°íï/8S6'¯ð™°VNÖ:T,ÔJÕ”ÕÅÃÅ?› [½nè˜þ´TÌÈPM¦BÆCyb]ZƒÃº¾)„ea(¢ÞºÓv"8ŠÑ1Ó8ëC £Ö¡XÉlM¢Ð2£`a<“E±}M¶sÔÍ·µjqGS
-Η;¾+Pfă_¤Ô4äRÄÁœˆyŠô–•ôLèñšì©Qôœù/œËç›"%bkÎ,&Z‘w&Ú¤®:/ÖI–£À ÚTfÃP:Ÿ’2+Ö*—vÔ%(<RBù¡Ô#Û–†)kÏTVI•®Ó¼ºœê(Š>£ ÚoÒ‘âck•W­Lº“E¶Y’Óä ˜
-wæVHF¦7ãÚÚ³ÓO%rZ!ºêIòù·Åvd^z‰bÕ7Ý–#S‡š)!e_;ïÀ$¹ ^—Ùl ò‡ÐÌV+l‰ ÙlV{""ðùû.Ýf—"HËš¹Zú#Z¢ó°<Gµœ(þð]û9{I]ÓO{"5|îp]+OÖ)`ÂpÜ,<©Q‚°`D±ß¤Å@ÅÑ#8{VÒF¤†avaC¨/»ŒR[|Âçôž®7Õžš«¬ôL‹ÑsR3)¢7I,™‰l}ÄÎDaZ§A8;iê¼yAõlÒmJD†ÅÖ¨î¦è°•àÁj]8'§á,›t6®ŽVVÒ ÌÒ•3ûÒ®½HgUIÑú°#É÷Íܵ„~Û—@ÀA¬H
-PeW¦µD™圉£ ¢zý0§wv¡£«öÙ2ÉŸQYJz­)'°L^2§t ;•ÕwËàyU<%«10¨c!Î:eY fÝÑMý yµL*Z1+ñxC5„# a04=…qaë06]8Ñ©ã@F °¹"_íîˆl
-x_²YJ”ÀGâ{Ÿv~:è7
-¢ÐéÔŽ)%¸1`•éç¤#ñÏ2­¨AZ™x(ˆâ!Áƒ<MçÔ"Hð€<´ܤ³l±÷}nýf&jwáÎúùŒŽà”„&í,à+3 ç¤ ƒ|O`ðü SúÇR•<I$âÓ©ŠÑÒGnœÊ!DTgó”ÇèYžUj:é`ö HçEá©#¨Õ+2e¥'âÉ 6ñä°+1z9‡o‰‡?àωèÆÖ9KTþåЬ¤ðv)ë…‰fë|Ðw4#eƒ¬¢N€¨ïòc;›7”¡æ(ˆ„²çs¢%ccò“(#1} Æ³S¦©0*X¥'–g áB¶œækZØ4š‡9¼æ1TƒÙÝxnŒEø¬Ï¾¯Iï)a_ΛJÕ=,ìp³UR–Ô¼¹}GÜdg-ýc›TŒÝ‰Y¬7Ù*O]8Â<]$»UUÍ9sÛÞ0¾ü$©î¨`ÇZ™à=JçÖ®äÚOH[ºä
-²±ù˜º\Tapûïw_®nnQ Âø£ÅŽy‘úVî̾XA>ž…?Ulx_]É&ýg³qk¶‡Ïw?ýðaLÛ»G
-àO>¨ã*Y? X¥É‚Zîœa´ƒìžÊσÚjàVu¹¶D„œÐiàóaÓ;ªŸÏ\»tC¨ !—¶¦~oS_¾ù»õÁ[²––M—88žÃ=̹‹ñ¨w±óÿªPÊÆ&íÒb!ÚBƒ‹!AÒ£æ´QLðX7ÞMݬi(^´nîÕ°¼œ
-e®‹$#`àx1À¸ê) Kpû¦¤6Åcl­ñÞ”âc6KïOžaQ¬VÅ+bÂQ}oBk™)Æò~5³zU4?l´‚7º0^í¡)(:lÑCãpÃ*Õ.]fSGwæ³\ÖuôM^¥Û<K5uÄbɣÄâ¡
-" w¯ÖÏšò Ü­Ó9£¢Õ{Œ7ý³bë¬jý^ð’”¾oüV{Hx+¼Ë˜%¥wÎIÄ€ï$ëÊ·»ehò°VÍ2-³âH±Ç­ª drJjJá‰x™S“
-}h$¹çÁø¸öî ˜û¸ŠÌ±7Nß¾Ü<~ã§ü‘:~sÚ@ ÞúB–}Su °Œ-Jv!Ä.“V†1³ÖêÞÉ´Es牢Ä™—d›®¢G@îK¨õKê™'Uò„ŠÆ”œCž¾ÃÛ.7Üs€4[ê…Êö±ÛÔì›m†Ðò3»tÇ”=‹Üe‚‚ )ÿM÷¯Å¡j> hKŸÆ,@ƒãöµOHªX­îó"߯{#,0_¦ûñD]åuzªÜÁa‚iú’®Š ݃a[ žï?_Ý=€=¡A«Ø-Ô®ni]ˆU1+VÔ5k…uš)'V² ¬³9¸‹ˆ£‡QIý‡"3ôà3mGWDÀ{Ö±Kcoaݺ˜ò¬p¨ðý!¯Uë69f@’©(6mb#—/S!CÇÆ@ôÂ;äXµ»òŽÝo$º;\Uu¾h@".À'J-!–@ý‚㙦m®ãq¦ár)ºü)œ?^Tôàn…ïxrõ†kdùrqxÑÜYþ!M{~qž–³mæ/¡¼Cª×FŒK]ŸUý«Rpªù
-ñ¸þ>
-%D°,ÊÊS“æC8¾ÔE2¹« –»§µKc ýa9w6#†·D¥M–D¥Ô¨k¨Rßö—
-`覮  nª6ŽeÿZ¡¾Ü4¶ùšïD÷yšûïù‡%|ÈæÝ{wSd·KwIeƒÛ¢J‰ê±x¥þ@?Ì]˜hω^ÿ€Ì¤0ðÑe…[tðuóãèMÐ|î?»ö*¯,/Ó™¿qûGý gˆˆÌ‘ŒÑIÌ°è<m° ÿ´=`5ƒyAò×1ÊÅxÕ‘fèÏk®32@†Ìl„–Ó–¡©æi•d«ò¨íÚF‹3Á¢ÅtÜrk&\ž€0Ý«l6’J@<‹B{rí†i¸¸ê}AÂHuVïší¡^ÂÏ9x¡éƒÇCzÿÉIíï^|!DàKÿ‡!¶”-Ån¶ä< jöÓûÌ: `óÃH
-endobj
-1063 0 obj <<
-/Type /Page
-/Contents 1064 0 R
-/Resources 1062 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1035 0 R
-/Annots [ 1068 0 R 1069 0 R 1070 0 R 1071 0 R 1072 0 R 1073 0 R ]
->> endobj
-1068 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [284.2769 238.6772 352.9489 250.7369]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1069 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [282.0654 208.0269 350.7374 220.0865]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1070 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [299.7586 177.3766 368.4306 189.4362]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1071 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [184.7318 124.0912 233.4785 134.8756]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_security) >>
->> endobj
-1072 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [330.7921 92.1656 399.4641 104.2252]
-/Subtype /Link
-/A << /S /GoTo /D (dynamic_update_policies) >>
->> endobj
-1073 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [401.5962 61.5153 470.2682 73.5749]
-/Subtype /Link
-/A << /S /GoTo /D (access_control) >>
->> endobj
-1065 0 obj <<
-/D [1063 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-450 0 obj <<
-/D [1063 0 R /XYZ 56.6929 446.1352 null]
->> endobj
-1066 0 obj <<
-/D [1063 0 R /XYZ 56.6929 419.8946 null]
->> endobj
-454 0 obj <<
-/D [1063 0 R /XYZ 56.6929 296.3851 null]
->> endobj
-1067 0 obj <<
-/D [1063 0 R /XYZ 56.6929 270.5629 null]
->> endobj
-1062 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F43 600 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1076 0 obj <<
-/Length 3397
-/Filter /FlateDecode
->>
-stream
-xÚµ]oã6ò=¿"èË9@ÍŠ%R¸§ínÒKqÍö’w‡¶Š-'jdɵäÍú~ýÍpHZ_–Z´E˜93ä|Kü2€?~©#„‰¼T‰dQÀ£ËÕö"¸|†¹o.¸ÅY:¤eëëÇ‹¯nbq™°$ñå㦵—fÖüòqýãâý?Þ}ÿx}µQ°ˆÙÕ2ŠƒÅ×·w’ÐÏûw7·ßüpÿîJÉÅãíÇ;ß_ß\ß_ß½¿¾ZrqX/ìgÜÜþóšFßÜ¿ûî»w÷W??~{qýèeiË˃ùõâÇŸƒË5ˆýíEÀÂDG—oð0ž$âr{!£E2 ¤¸x¸ø—ß°5k–ŽŸŒ4‹„Œ/—€,%ÆO9`A§¶T’3‘ÈП²=e‡…§œuµ,«&ßûóP"¿lo; î±F¨‡-ê<L˜PQüDz8±‹d±ÍÒ2/Ÿ7‡‚žó ò3! ᬳøÄv–€a¤‹–×´cºjòO7՞͋›þ_Uf #a._,Z54¨6–Ëtõ’—Yí§vþ-/,ßû+®Ù*ó¤Rb0RmãˆI¥…åðÃÝ"Á}ó€©
-ÀyË›—±`"Šµ=Õž}ôn@‚NGRY\ô0Z-ÞYöª}C£mjÙ{Êz¼\ñ°CÇÇqðö<È &Íéf y#ìʘ…JD¿‰ÛH°PÄŽÛÖ…¦r—Z®-„.N;K#­!=ë,±7LBÀk‚j‚^¬³Mz(ê†fÁÇH¸„ £ûì(ÊŒ¤œ) ¾¦å
-¥r ’&ÐMíÝ>=^ÖYÙäK›[Z¾;ÎÂ$Dh‰²6ƒÓE0\ä— ïE˜I¸pPžêìסgÏ¥Å#ùéa—ÖæŽÍDáù°…Õ4;vú)s~ƒSäñÍoJ?o©Ò> [Y§Põɲw§Ž¨fa¨mÜCÉ[¾œ/‰tÛáBÆç&¾Ø?5_Œ—/ZûòåKÜ/t•/ìœü ¢aMã2µ5 R,—Ûl[íôH‡°^>)d =:N­`¦ÞQ6r‹Ž´*st u2Z”¨eu/koÒW{Fûì–"oñÑæ…¡„ðV(¼…'MÁ‰]U×ùS‘ÑT¾!($¬9æiAð¶?‘‹õ>·¥L½`80à§,+ Väå+Åd‰jRÔú+iKl
-˜ÌÕvTÅêt»+œ‚8¢'Ù3§s«â°vHi|W·rtUOÊ”c—§–ÙÈ–N€¶J?;aìlà‘ªšÏž6ÖùÀ㱌£Ìáwƒ°Ã%8U%¦éz¬°.Zc‹¤Cù!˱¼^íóÝéD«±B¢X ¤³®ÿä'Œ}«’ƶˆ" „OTGDšÜ?_Òà¾%¬ÇŸv¸/ »:‰…Í,3Þg \>ãQ2sêk†‘án“©„š+ µžÑ°Ö„†9,sCY‘=§(ý²ÂnQ_Õ¢2Ádš¾C¡ßQ´f±®é0ðèÚ*ÂôÙvJLãÊT¾»]AYzøú%/›VÌD<ª-äjK©ÕâÖv\L§Éî0Œàša,]ÒqÌê±°ÁY$.M«è·_\HÛv•aêhÙ€
-9wÈ’D÷šP6~¤>¨¦Öë¡w6¿½²˜6n…Ýþ=ú˜z*¸Ï+W°8 ¢åjaM(—Ã2…Hµ‡Œ~=L›9‹¨ü$a5B¹›6Ç,Š  é¦ÖgFv„‰N‚ÛØù”WB`« ”ÒñoR.ü¤m>@ “FuGj§»Œ¾ä¬jXÒh®\Ýcb5Ñ\¥[îÊ‹EU½š."ò]Ѥ«òÀù%œq,¢º=œ©µ…=ØMž.·þ\áp’RP˜|ΚÆ/)+¦eýFA³&c>]Œg±Ö®2t9ôÈ)˜î¼¯þªCaé§X[XžRVû-æ&rÇad«æ L(Á ,ÏÖg Œ 4Ös…cë¼x¬–àùŽ´ÿ507IÚ!î7ÿ5âÚ?P9ÀmR]Ȧö9v¥ ôŨN‘éÃc†YTOæ¬ÖU†åAbü*Næv¡qK\Û
-cÛÍ{£IrÖp8‹ ~& §uÞp<VÇpšínisð
-endobj
-1075 0 obj <<
-/Type /Page
-/Contents 1076 0 R
-/Resources 1074 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1084 0 R
-/Annots [ 1078 0 R 1079 0 R 1080 0 R 1081 0 R 1082 0 R 1083 0 R ]
->> endobj
-1078 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [259.4835 478.4263 328.1555 490.4859]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1079 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [387.5019 224.9363 456.1739 236.9959]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1080 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [381.9629 194.6431 450.6349 206.7028]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1081 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [398.5803 164.35 467.2523 176.4096]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1082 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.0412 134.0568 461.7132 146.1164]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1083 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [255.0796 103.7636 323.7516 115.8233]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1077 0 obj <<
-/D [1075 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1074 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F58 627 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1087 0 obj <<
-/Length 2798
-/Filter /FlateDecode
->>
-stream
-xÚµZK“Û6¾Ï¯ÐQS"x`öä8cï¤6N2žÔ’ Ò°,‘
-IÍX©ýñÛ`ƒ)¾”ʸ\c’à§F?>4Ø‚Â?¶P! #-t$‰¢L-VûºØ»÷7Ìc‚´Qß>Þ|ý.䋈D!›–,C¨1lñ¸þuNnA]¾ýñûû÷¿<¼¹Õrùxÿã‡Û€+º|wÿŸ;¼{ÿðæ‡Þ<ÜÌ(¶|ûï7?=Þ=à«ÐËøöþÃwØáeDèÃÝ»»‡»oïnüþæî±±¥m/£Âòçͯ¿ÓÅÌþþ†µxJXñÅþF*A”¢nÙÝ|¼ù¹Øz[ýtÐŒ.ÀW}JÑr aDE‘Zh‘PpQ90KѤ]¯ñ.NýM²M³ü–™¥-°¡|²x“Ê$KIÏzF4cáBsC”alD[m*;íå”ý+KmP”q™e²*.ûgœ2=­@ƒРí.Æ1ÐÒÑà~ã:ýú2-$¸“ Òâd „t…i ^c¾º ÕÞŸQ¸,lþls¼Iv;¼ûdíÁ¿¯MŽý«$Ýdù>vQÀxÄ›ò))ðÎ9«êÈ,_ž’Õ¶®bÿ‹?|ßëãþ`×Nep#†Rç#F"¥x¥l™£†µãÄ5‘&TÞ°sl‚ß(å;;à
-`ŸTÍ/ÖÖS[s.½ Z㚆vÅ(ïB£ˆÒÒLó®ç]ƒªÌJ¶Ás¼KÖIy
-’´ —ì“à
- ¼šT£A èÑ!ŒâDÂíèñÑÚ ÷¬m±Ê“ƒ'‚óÑf H‘&”˨Ò˜5*DÒJ$ý¯ 2 ÈMFKÚ–àË|»À›‡–é ~Æô¾\´}u¶Ò¥}¦.u’0h•˜¡B šÑ£'Ë©1N>¹Òð ùZ¨ òÕ¨jüåqZll•‰ƒ";æ+ÛO|€×zF‰5 E7ñED© -þõêÄ7bË…&;­&ˆG qÄ:æN¯ÆÏÞ—;F<ÝSIKb8dµÉÀ¤KƒF¨b|†,
-5÷8k`©Á¤éØ<ÉŸ±¾/÷o°FB AÚdT‘áúÊD£B—Δâ jÂÉCɦs!aÝÑî¥Oœ5 L·.2D@¢îjóE‰3œq¢ÈÍÜ ¸­­è wjüŒúr¯çŽàîb:ÂP*s5wÌÖÌD3Ü©QNÙcaƒk³Ž 7wÖ¶º G hÓ!O$£œwÕy©jƨKM`3fÂqúh3Ì.çèSãg\З{=}$ÐÎd(DìÜvå|%añPÏ,Æ”Ó5ÍÊdsã ,´)nËíÓŃzïÖÁ°
-Ž´èvÿ:©¦gÄEß!'† =J‹3ê>:´M˜ GƒŸ±¹/÷úö\Ä´ïÕàTvmv‘¡Â.œY/5¨žk‹_J ¬.Ú¢ê (Сˆ+ÿ`½ÚÕà PdxÒ`¿bã,œŠLÇÖ©$RãgÌî˽ž%FÃÔ‰i÷7¨9EzÒ&×èRhPJÉεPœ«Q®Ç}’¹Ýä¶x
-Êdï¾»9'ìãσͺÌO}lÝد&¤ÕPN›Ð lèÖ!^w¨hË"O[wÓ¡­kèSLB—,d¦£ØÅüŒŠ}¹Š9eF?)¨s¸›™§ã]£f4éK›æ Ý_Ìp¬…šàXª†÷ç ›<Ûëdã Ð°éÊö?…Àjøå¤: j@ŸnÑ ™I©°«ÐëÔM³f]ÖÝš˜É²[@]N»†O–Ý?ゾÜÑ’ýo’Læ.[NÅ¢AÍ(Ò—6IGWïÑPÌ”amÔ8”ëñ“=A´rp@–Ÿ†Ê0¥åtï5h ÷nƉR0ÇvºòõŒ¸,Ã`½ ™™(àŒŒ¶ “e˜ÇÏØÜ—;¶¡oòBj1íyAažêÚ"LH õ2›Yâ5¨jB<îÊ$ØÇE +¡9èÈå¢-w€5Ð}—°áP*wúz\ZqÉæRg‡‰H¨CÕ1tŠ5~Æä¾Ü«s‘€hÁß´ëkÐŒ=YM"ºp*ÐvdÚJ£óÞ=—DÂlN)]~wJã}²Bý9¬ãÒGî§l—¬’ÁÉ€‚lWSܪôû÷2¬öïáR‡,/ÝŽ¨TËò%ÃfX§Û<ËäÙbÃÞ–OÙºÀ FuÝÂJ¾LnÙ2ÝbÃj—Ø´ô($ÜäÉö©ômvt°¹ÛŸÅÆuc<+»Š6Ô©v_i½ízÞëö¥á*KÝ&éöˆ»ñ~«ôÓÔ¾,s³CHMóik—½ØûÈr“ÊzVu'
-r¬›Ì×¥•Åƒû¤áçlPŒûb¯爤<º bYa€kj_|ƒÓKðz„CK„<­ânüÏöþÜ
->áƒ
-­n4$NQ»®FIj@æ±€µquˆã,Ã7'¬_Ôäª:ÌñýÚ¦‰õmgêø†M‚0wÖøp 79¾8F!ùŒÄã$ðŒ>[ûÆ6¢pw“ã‹V€ 5ˤ-Áw’Iwʦ‚! qΡMˆ@1mQâKP¬ˆ·þmâ•,’-F–.Ä»0‚IáSTRÖÃaµ;®ëóOgOÃØÁËãÇû÷~PùÐຠð‚®ý«‹AæpêÏó§¾çw\úoêšÒ5uÄëÓOµP7®Z|s !°PÍ&L@5yþÖ=?°µduaô†„Ÿ§ÍüÈí*“oº;aóÞÆi’n7Ç>#UÝ ¬Ç*¸“íX#B¶üï“Mqx2m`>SQ?˜õƒ¦êzË"¡ÚÇìbç¨zºézv(à…³5Rȧ"ÆÇóÄ^å‚F›cbÊñÍ6c‘á’’¦ŸÝ'²AÝqkG«Ê…Â@ ïŽû–aÎçZLÊNÙß(t¤£½4¯ù ÅÒ~ŽÍ lÇÁÍÍàpà ¶ÅøèsÁ¿ÚÉÄý"ÃBje¯×Þ®‰ï#ÍJÏ'.`^‹x—Oø£}Ž;†¦ÈÄ'Žúú”½t²G+Óú$\r.âwYö©øÆ8Ôݲ·^¸¹Ž\¾¹ B¨¡«ü·ÿà d–ÞaBrwçtãž\2/O{~ºug$!ÿ@c1vÂUÀÜ-¿dÀŸwÒ?>ýz>,5Æð‘õ wi@ˆWªZ\ðþL¶¯úÿà Žendstream
-endobj
-1086 0 obj <<
-/Type /Page
-/Contents 1087 0 R
-/Resources 1085 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1084 0 R
-/Annots [ 1089 0 R 1090 0 R 1091 0 R 1092 0 R 1093 0 R 1094 0 R 1095 0 R 1096 0 R 1097 0 R 1098 0 R 1099 0 R 1100 0 R ]
->> endobj
-1089 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.879 681.7691 426.5323 693.8287]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1090 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [307.1508 650.7179 375.8228 662.7776]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1091 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.8268 619.6668 403.4988 631.7264]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1092 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [337.0185 588.6156 405.6905 600.6752]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1093 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6945 557.5644 433.3665 569.6241]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1094 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [374.6372 526.5133 443.3092 538.5729]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1095 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [292.0276 495.4621 360.6996 507.5217]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1096 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [319.7036 464.4109 388.3756 476.4706]
-/Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
->> endobj
-1097 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [460.1655 433.3598 533.2211 445.4194]
-/Subtype /Link
-/A << /S /GoTo /D (tuning) >>
->> endobj
-1098 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [362.144 402.3086 430.816 414.3682]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1099 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [293.1435 371.2574 354.3435 383.3171]
-/Subtype /Link
-/A << /S /GoTo /D (options) >>
->> endobj
-1100 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [288.6803 340.2063 357.3523 352.2659]
-/Subtype /Link
-/A << /S /GoTo /D (boolean_options) >>
->> endobj
-1088 0 obj <<
-/D [1086 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-458 0 obj <<
-/D [1086 0 R /XYZ 56.6929 323.2894 null]
->> endobj
-774 0 obj <<
-/D [1086 0 R /XYZ 56.6929 296.7987 null]
->> endobj
-1085 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F42 597 0 R /F58 627 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1103 0 obj <<
-/Length 3157
-/Filter /FlateDecode
->>
-stream
-xÚÅÙr#·ñ]_ÁG*%ŽqÎá·õZ»V’Ò&]‰¯‡á'&9\ÎpåÍקݘƒ.×^W¥T¥ÐhôI9ð''©„ÎÌ$ÉLd…´“bs%&Ï0ööJ2Î, ÍúXß̯¾z«Ie±Š'ó§­4i*'óåOÓ×ß½úÇüöáz¦¬˜ÆÑõÌÆbúÍÝý·ÉèóúÝý›»·ß?¼ºNÌt~÷îžÀ·onnï_ß^Ϥ6VÍ$~|wKHoîþ~{ýËü¯W·óvËýcI¡q¿ï¯~úEL–pº¿^‰Hg©¼@GD2ËÔdse¬Ž¬Ñ:@ÖWWÿl öFýÔ16YF6UÉŸŒã“Í¢X+íùt›+8OO÷×éô°vÔyÞçÛ¦¦vµÇo2]ºmé¶Û—ʵ{v5ðEÛtún[ðÔœ>W×ù³£©«œçÕ‡¢€§Ãzý‘ñò¦X¹å`.oåz‰˜6+¦\íÜ>oÊjKDËÙ<˜IeÖ* r³qË2oœ_ Íè(~4¥³
-†AöM—Bªkjå»Yå/•gmë¦ÜlfNI†ÌX¯N9
-›‹2¥“Ë,µ"2*•',õ+× m¸¨¶Mîn“>­MTÓ÷Ø.€åt NëÁвÚàDÏ›H[™ßiž3šïôd2‹dœd¼ßV™LK©Oú–Ì;4 }>äkÐ_Û_-•‘ÖFõVYI¯Ñ{"¤›2&ÊR䄬ãÊñ¦un¡ºD*¬Å¹{*I”*‘´”üAÙ¾‘Tp-: ¨µ[?]<dtìIJDÆ&fKÁºÉçø’Ú¤Q"’#_òÍ
-!¢­šó; yhq3nHjÖjf3©,Ñ­§:` 4:Jµ¶“XXhdòSÒ’|™áŠoË‹fæ½ xÏ è1·ÉQÙâûŽSP±ÞòâH«5°ÓúØ!MCL@š@añcͼpåö™„¬gðNøE¦(ò5û(Õ‘Ó‚šÀ‘«mÉŒ„á1%$#xóé…×GFéŸñ2 $1„Qý‹ø²ËE1ÒyѪ¼Ä‚¥Éq± ^2p·/ª…¡ÌH(Û7$Ð鹤2øìÐâ«“ÁQƒV+²/rÈæôñ;š;ùÁ›­žXµxoL€n¾@‚d
-!²QæO• îjþ,ÒðêckÉ0ã¼
-F¼wpJV™íÆO%Ù7úGý„8ö.úË„§“ÇTGq
-´?Ÿd˜qV‰Aâì%h•Š¤øžÄ˜2“pñí…Ê,î.GèB±å™‹ãt]â E`{¡P`õr¬Ç:]¤•¡ H™3º(Î"0hŸãQC `2}¬àI«3/$ݤF_|yRg'/ö[òþ!@®8d ñHf¢)dxqð¯ÓBˆYèùZŒ}á<¤-KÂ÷ŒŽ6 À6µŸÅƒœ?fLlMǘ¡³ ξhý3ò4SuI%ãáÝvyÐjÓ 56UÝ]a†Lßz]½°†@œVYT[¦Ä‘²šîÆ`¬HRCÊ/Õ,– Þ@»âR!'çqVÜ ²€MÙˆþßDª{´ûH#jŠm½ŽÛHš v
-•h4_¶h½ÌG{Y@XÉc˜ÎÇzøÀ¥/‹!”v v‡Åû>ŠÁ¿cøÒ‘¡Ž¬ ²ƒ§¸ÇÀá[÷B$x©UþÉ/\Ø9 ¬^F^n{ßåf·v·mÎ–Ë „ŒZ²ÐÕ7½)ª«0–[v²> "*¹ðî嵕ØqѼ(l¯P뤭Á6»j"é󠦱œQª¥óµ*Íeí
-F÷õ …sÃë¬
-û÷ÿ‘ Cv¢.\Ž åRð Ðw é€j0½–ÔÕžMGof¯ôPÏ+Å<A
-endobj
-1102 0 obj <<
-/Type /Page
-/Contents 1103 0 R
-/Resources 1101 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1084 0 R
-/Annots [ 1109 0 R 1110 0 R ]
->> endobj
-1109 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [341.1654 116.9088 414.8187 128.9684]
-/Subtype /Link
-/A << /S /GoTo /D (the_sortlist_statement) >>
->> endobj
-1110 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [434.6742 116.9088 508.3275 128.9684]
-/Subtype /Link
-/A << /S /GoTo /D (rrset_ordering) >>
->> endobj
-1104 0 obj <<
-/D [1102 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1105 0 obj <<
-/D [1102 0 R /XYZ 85.0394 626.5613 null]
->> endobj
-1106 0 obj <<
-/D [1102 0 R /XYZ 85.0394 614.6062 null]
->> endobj
-462 0 obj <<
-/D [1102 0 R /XYZ 85.0394 327.2191 null]
->> endobj
-1107 0 obj <<
-/D [1102 0 R /XYZ 85.0394 295.1135 null]
->> endobj
-466 0 obj <<
-/D [1102 0 R /XYZ 85.0394 295.1135 null]
->> endobj
-643 0 obj <<
-/D [1102 0 R /XYZ 85.0394 265.2577 null]
->> endobj
-470 0 obj <<
-/D [1102 0 R /XYZ 85.0394 208.5998 null]
->> endobj
-1108 0 obj <<
-/D [1102 0 R /XYZ 85.0394 186.2886 null]
->> endobj
-1111 0 obj <<
-/D [1102 0 R /XYZ 85.0394 99.9723 null]
->> endobj
-1112 0 obj <<
-/D [1102 0 R /XYZ 85.0394 88.0171 null]
->> endobj
-1101 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F77 703 0 R /F57 624 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1115 0 obj <<
-/Length 3081
-/Filter /FlateDecode
->>
-stream
-xÚÍ[_sÛ6÷§Ð#=S±øðÞ\ÇNݦŽOVgr×öé˜YÔ‰´Ü§¿],HQ¶I&µ2çvZ
-'ƒŠñdÊæ‹~®ÂkŒáªLp Úsµþ²–et”÷¤PQ¾Z”YžaCGÜñª¨©rŸ.ïrê«oÒ@¬Öù¢ø“1‘WDðŒöcüüH*¯u‘`¦Èô‰“Ä­V×pmUyçÇ,‚ÐèƒEéË!iuØð2Ön¥
-à³ß0eóE¯´ŒÕq¢ÌØ€~ƒ82Ÿ¿aé$h2,-ª‹[_K¢º$ʲ¸}žåØÓ žÍbªÌoPó±ÏKm™™ˆ.J©O
-j’ð±Uçñb/œ¶^ÑÝ­Š–´~XV ¹UVý
-I¿*—÷ù&|§›ÖÐ)²ø°_üÈðh‘.ü‘‡êlVá敀͒g'V²¼ZlŠ+Ô^lÞ”XaѲ\}$RÚLÒÌ»¢ÊU¾»
-Œf–…ËÞS;­h
-rvN¢À½KƒGÖC  RIÖ
-)¦dº¡ëìâ™ßÀókÕ3ç÷MðÑYcŒƒxO©Ñýg·Ë’}Ýrì1.Ò’ÇÆÅEv*lˆ‹Žà0Š#CïM8U;b“œ³Ï93À¾Îºö
-Ýk[†¡Zwƒ¯8}'­‰…IÆ”J+‚ bÐNE³|½L^˜Å%õR€z›È†zÔ¶ÖŒE}C5Z}ãSã;_
-Û¯a&‰º9„­N 2"Þëi#Š
-¥¯€ò!VŒÚnâ¤íŽn²$-¿bÁh ¬gcoò’˜ âß /áÃ;|VG*Å¢¦„ø­*W5£×@(®|^]5>X5)\Å:>˜5wËçåÙûÏÞã3˜Ëêìÿe,íŠ-Dý°R3eåsKÁ&£øôkÿrcû×+`p¥ë áÃó:‰ñÌþxE=ùÃÎb!h‡uÿ?³Y¦tendstream
-endobj
-1114 0 obj <<
-/Type /Page
-/Contents 1115 0 R
-/Resources 1113 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1084 0 R
->> endobj
-1116 0 obj <<
-/D [1114 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1117 0 obj <<
-/D [1114 0 R /XYZ 56.6929 579.9063 null]
->> endobj
-1118 0 obj <<
-/D [1114 0 R /XYZ 56.6929 567.9511 null]
->> endobj
-1113 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1121 0 obj <<
-/Length 3408
-/Filter /FlateDecode
->>
-stream
-xÚÍZYsã6~÷¯Ð[èªC
-6ÃTžR•–
- ­µ/ES
-e¤ Þ±Ÿg<wÎÛ|0kÞ¥¬÷Nʳ|iÀ¾"@X³¥cƒN±µ¢¡›.A_T N¼^£ÿ Í&$ñ %äŽ{CCtóŒ-b @òwüL
-òâÂþôÛe·LƒÁ*«? x@9œŽœ\ò€ø¶ˆFÇ c㪅ƒ Ø’/ Bë®ByR°·ßÓÕ
-E9þ@ürKM§«ÃÈÎ¥8çØj[¸ NX_ádE6/«Ýïö4Gµÿå.½¢o“‘Cƒ„Nq,ÅÏãD¯J‹À†S¥¼b•‘8ßÆ=¤Ùz’÷¼;XIE>4Þì&õ q3jm[s°pU›US—ù¨ý¾îsô¼¹·Î¹h9}ZÏ8÷Ú
-2Ôñ]ÓË}ˆˆ7lqm‡ï
-
-˜÷wÁÄNoˆœÝ7¥ã
-Âb‹ªÙÃ'àl-Ch4Q<fä é5Tè„‹ÍHlwg/Ð)Êö7Lñ¸­J\©p8‹_Ýì*ÞBo zëÁaØÓ$CÜ­z°ÈÛÀBc„`~ïØq=þ†$õ8 x¨`»Þ(û¬¤è3Ón±¨‡’\wpW
-endobj
-1120 0 obj <<
-/Type /Page
-/Contents 1121 0 R
-/Resources 1119 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1084 0 R
->> endobj
-1122 0 obj <<
-/D [1120 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1123 0 obj <<
-/D [1120 0 R /XYZ 85.0394 552.4093 null]
->> endobj
-1124 0 obj <<
-/D [1120 0 R /XYZ 85.0394 540.4542 null]
->> endobj
-474 0 obj <<
-/D [1120 0 R /XYZ 85.0394 225.1659 null]
->> endobj
-1125 0 obj <<
-/D [1120 0 R /XYZ 85.0394 200.3885 null]
->> endobj
-1119 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1128 0 obj <<
-/Length 2798
-/Filter /FlateDecode
->>
-stream
-xÚÍZ[sÛ¶~÷¯Ð£<ãà~é››8­:“ã¸g2§éMÑ6§©CRqüï»À%Q¶“8s2ž1@\‹o‹€Ø„›(M´ãnbœ$Š25É—Gtru¿±Øæ$5:¶úùòè_¯5Ÿ8â4דËë,K¨µlr9ÿsª‰ Ç Nÿûöüìø„+:}=ûrLHŧ/=}wyv:6ýyvþ
-K&/ßž¿žýòÇÅ鱑ÓËÙÛs,¾8{}vqvþòìø¯ËߎÎ.{•‡ÓbTx}ÿwôç_t2‡ÙývD‰pVMîàƒæŸ,¤DI!RÉâèýÑ¿{ƒÚÐu&F 
-[3”íß·øZ,ÍQú¼ z°ð°7îü#Á+îŒÞè‚;@²Êš®Ì×°}Äï²< ðAº5…Ðõª^{{ š¤¤;Èö[äý–…¹TÑHI‚Ȩĺ]g Ø·ÄMï1BM¯P4t®c&[Üe÷0ß­)áUž‘‰émÝv0ƒ0#‰<
-ÊÛÒ¯…Ö3ˆE ‹=UðÝmYýE<Æ“@1å?½žþ;Kiìx¿
->%«¬l°EˆpäÃmjÞû
-Ô"$>ˆæ (›FIHp”ë¡ùŧ,¬.àÖKšT@ çXØ»_üŽ4Ä×ÔÁƒPzk†ë2)Ât°fÛÔPX¤·ÅbÅÜ·]±l£
-ð¨eYÅîw·Eê3™ÄE¼UMÑj8©Qê˜0øÀŽócam(‚+“@.˜W  -êVÌ‹øis_Á^`œ…¿åU"zŽo.7}®]‰Š¼üH)O#cú‘Rómõb£¤%&«¦¬›²‹ƒ{aíL½ÃH©uØ>Q;(È’z8Ïë»Ô0*ø<|¢LÝ (̳x|ÛÛf˜{ÕsïÓ†%7ŽâÏ°ÈF&’\Ø©°iÁÌ'@¦³\\Ü— :Î)Cÿ½¹†¼G…æ­_>+dŒa6Æ_lPÆî9Ä IvÚ
-Ÿ +EÅ·ŸYžbb(­1Mkn»aX{*Ûç®Ò°¸1–Gf]äizÀ]„“„ú;<$^ËuÛ0 7À×ulï`˜ q
-wp
- ‡š|Ûä<ŒÌþìx,$1ܪwØòVI8ÁZ"X\O»è¸„Žèð'ÀÃÜd8òóâÞ͉1B>††Ó³rî
-endobj
-1127 0 obj <<
-/Type /Page
-/Contents 1128 0 R
-/Resources 1126 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1084 0 R
->> endobj
-1129 0 obj <<
-/D [1127 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1130 0 obj <<
-/D [1127 0 R /XYZ 56.6929 726.9349 null]
->> endobj
-1131 0 obj <<
-/D [1127 0 R /XYZ 56.6929 714.9798 null]
->> endobj
-1132 0 obj <<
-/D [1127 0 R /XYZ 56.6929 546.8104 null]
->> endobj
-1133 0 obj <<
-/D [1127 0 R /XYZ 56.6929 534.8553 null]
->> endobj
-478 0 obj <<
-/D [1127 0 R /XYZ 56.6929 435.1867 null]
->> endobj
-1134 0 obj <<
-/D [1127 0 R /XYZ 56.6929 410.8471 null]
->> endobj
-1135 0 obj <<
-/D [1127 0 R /XYZ 56.6929 210.9925 null]
->> endobj
-1136 0 obj <<
-/D [1127 0 R /XYZ 56.6929 199.0374 null]
->> endobj
-1126 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F57 624 0 R /F42 597 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1139 0 obj <<
-/Length 2707
-/Filter /FlateDecode
->>
-stream
-xÚÍY_sÛ6÷§ÐÃ=P3!
- ö-Mìœ:­SÔ¹›æò@‹°ÅŠTD*Žûéo P¤LÅé%7½ñŒ- `±~ Š‡?1ÓŠq™Å³4‹™âBÍÖÛ >»‡±7Âñ„ž)rý´ºøá*‰fË’(™­î²4ãZ‹Ùªx¼úûË·«Ëå<Œ6UƒŸׯ‰’Qóêæújñæ·åËy«ÅÍ5‘——W—ËËëW—óPÈXE @:¿ß\_ÓÕâ—Ëù‡ÕÏ—«~ËÃc .q¿/Þà³N÷óg2Ójö
-úQ¶Øê §Ÿ2¢ö¶ìÜxÝ™{³§û¹ÐÙQÓòRjjuÙµãå[³nê¢}¿RäuAë•s¸¥wûr›ïËêÑÉhA*¨
-Ûüs¹=8nþ¬‡ì©3Tª‹;Õò@R.¹o½‰+.7¸é'f®¸fQ©ohßfdhÎr&Ätɲ/f¬'"ýŒóv Z'ê9»•‹#MÊý› ðS’že¤MF)D&ºÃ5©óŽÚŽ¸1û숂ȼŠ#Ø£8Bèða¬ _ ûAê=,ÚºUÏ›qaîòCÕ¿Þ( ˜³ xK‡NÊ  żvgÖ%ns}"¨5Ý c ño»ÅSÈ¿§a¨ Ì MÄs†!S"¥€æ•eQ äïT—àQÐ FÊ%DèlrëvÐË©!ýáï–Z
-j‘r €úÇÀ?Êú„s¹DäAÚ”~e’píc´;o”Óá>Øñc°ãÃ`ÇÝY\àðéÕwÊ/ÁP»ßËŽèó¯H«"L§€WáÞOÇ0ø –<X—ViÄâ,;cg + 9IξÄë”™ è‘E¨òÖ‰L‰…ÈèÜÜ25Äá0'’h¾`ÎØÆ¢æp¿9at×8ëÖ-e>ïªr]Zl„ô>˜ÂJJ( àùœow•yAP]¥c¨>4>±‘|;è£ ‚¸·\ÌqŒ*‡Ðó„R1!xÒ—±+5š®3Ï_óÝî˜ëœ/Þ~ŠŸ¯'–ÆÉ‘dГªÔÙiº²©i#w·±
-lVaœècÝã‡öW¶bÁÙû² § bgjfQ ìô€v)9ev4‹Q\F©ŸÈ6Ú;óŒNÍ3rö…B$‹°d·\1.çeýJ`GÈ[?¢E?¹øÈY}¿ÐÄ‘$¬),~: Dõ°_{I*=–š@u»jNk¼øÛ»öÁvÖ††Ç&Mœ›¦uÃEÞåD3ÚájÿÐ0Ú Õ£Úûç)ö\‹µO2LÉÑ¢0”Ø[BU[þå®rè0Ð9ñD"–wÔÒ® cƒâ×ÛäŽs{,Ù-?YìÁsâyдd\YH9Ì
-E ¦4=yÌ>Îã
- 4ñUu„,ë#„´3¿"r,ùÞ ÝáÕ
-Ô ¡4^yÙ•£#öG€XÛ{²£4uyõŠ‚KE=ú¤µCcÀÔn[óñà¿QÀЭ±_w g>ȧï#Xtþsƒ»š°ÉxõGi£?‚}ÔiMu7~ ^WyÛú:º0;\³öO…ôÎ'@çÓ(ÓËo­vkÆŸmú}·¹ض{9>‰k(Úej9-üõðµ¶ßÕº:¦cDZ ¦ŽÏVásd#>#ȨÄ÷bB -¤´¸~õËo¯/§Jì-ø(‰ôU"Á'$@A/Ó~î°13J ™e±G‚MúèL8è¿ôøqäÏûÁ»ÇºË?ÿ8±/‰O¤ÉdÎIÓ'JKF¯ ¡-Žž.ž
-endobj
-1138 0 obj <<
-/Type /Page
-/Contents 1139 0 R
-/Resources 1137 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1149 0 R
->> endobj
-1140 0 obj <<
-/D [1138 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-482 0 obj <<
-/D [1138 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1141 0 obj <<
-/D [1138 0 R /XYZ 85.0394 749.4437 null]
->> endobj
-1142 0 obj <<
-/D [1138 0 R /XYZ 85.0394 707.9711 null]
->> endobj
-1143 0 obj <<
-/D [1138 0 R /XYZ 85.0394 696.016 null]
->> endobj
-486 0 obj <<
-/D [1138 0 R /XYZ 85.0394 527.3014 null]
->> endobj
-1144 0 obj <<
-/D [1138 0 R /XYZ 85.0394 497.312 null]
->> endobj
-1145 0 obj <<
-/D [1138 0 R /XYZ 85.0394 408.0188 null]
->> endobj
-1146 0 obj <<
-/D [1138 0 R /XYZ 85.0394 396.0636 null]
->> endobj
-490 0 obj <<
-/D [1138 0 R /XYZ 85.0394 202.1472 null]
->> endobj
-1147 0 obj <<
-/D [1138 0 R /XYZ 85.0394 177.8748 null]
->> endobj
-494 0 obj <<
-/D [1138 0 R /XYZ 85.0394 109.157 null]
->> endobj
-1148 0 obj <<
-/D [1138 0 R /XYZ 85.0394 83.1291 null]
->> endobj
-1137 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F57 624 0 R /F56 618 0 R /F84 848 0 R /F86 980 0 R /F77 703 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1152 0 obj <<
-/Length 2290
-/Filter /FlateDecode
->>
-stream
-xÚµYÝoÛ8Ï_á‡<ÈÀš¿ô±XàMÜž‰Ós¼ÛÅuû Øt,À¶Knšýëo†CÊR¬¦)z‹å˜ g†3?Î0¼Â?ÞÓ‹R‘öâT1rÝ›oÎÂÞ=¬½;ãŽgà™M®_ggoÞF¢—²4Qo¶lÈJX˜$¼7[| "&Y$„Áo&£þ@è0x;¾ŠK¥EpñïáûÙhJ ‘cýu<¹¤™”†‹›ÉÛñ»ß§Ã~¬‚ÙøfBÓÓÑÛÑt4¹õ?Í~;Íj•›fñP¢¾g?…½X÷ÛYÈdšèÞ#üOSÑÛœ)-™VRú™õÙíÙjUûi§›xÈ„—œúIuúI§,’BZ?ßLÇïÆ4Øeƒ]ÅL
-ÃÈWšªDãyP­ ‹b“å[¤E°Í6Æ/gQùzMÔ!®l·3Û…Y8΂ÆlûDÄaûpÈÖù_a(ˆGû>O3/ì¸(áœ$—Á‡•qûfôåßÅÖmŸ;-QȾ¬Ð®ÞÀ›2àœ¥Z k‰Îp#®kŒ`-¸é’ÆÌ.Ë ßìÖù<¯œ¿šîå\3'©sX˱œ7‚;¾_ˆCÇ Ž˜Å*ñžGÛÖ¿§¢ : ê¥ãüW‡V-Q¬ã˜5S:õÊÌVÎîùaOnØv™ªKâZê !d-ulµ+A€þ.j¿“‡]TÙs“ðH·®Ü™y#HB:;QÆ©²QÊxœFßV‚„ ¯mfÍ¿?lдËÒþwIã¶pÙ]Y¬•a'
-DL¥<
-P*Òª¥Í
-ÃÀ|É º ›+4iÙýáÃÿ8/&ÃkD²èëáx2¸Mÿ
-U.XšÂytª
- T6 §¤%Êf¢ ñ`6ØLÀY X®Êœ(WÅa½ N,ÐqnoʪØ7›-+
-Êk‘¤I¯™«?–þ4:…ùÁ±éý1pj"Š†Ž)ä/wÈ2Å£Fu*OªÓÙìêÿ^™Ö7
-?­ýÀʼnª›µ…Yf‡u5¨ªuÇΠŒRüµ…éwV’ð!\l¡lßÒ·¶ÄH}Õ
-Ãów£Éh:D—ÎFÿ\F´v9 æê÷Pú+¾q6ëUÙUo –„âµÉÑa<f©É÷¶lë¬ìÒH¤ š¢´™fÏ{RP9ñ:WO;gà¾Ó@ç ùÿ¤ÿ³ƒ‚®*…B,}קÖÆ'ÁbÉf€ m¢la-¢`îŠØÊÐ|FCiö¹qÙD…‘8Ëâ` [Bƒ€Sœ@éÔûàÇÛõQ hAeic~/©#Û“ÍWî ª3¼sŸÚçAsHœ ®~|.îÊý·º…$ßt•b<âþ渙Œ"ª¢Øù gÐg8š *¤'¢ïÍur¼6kqšÞs‘²E ,ø iòáÑÚ'HÞí
-l¢¬ÄÃo„j~ mVéŠ)oHËú…Y›û +•äÊù>¿{äxì@è“iM¯°èðòrʆÓ÷èÌ¡—ç7`/½ru¼ÈA³å„` ¹ÃΧ9w‚3÷Æ  arK#=Ž×¯cmQ¼[1‘ç'/nç,|éÍOÿÀ›ypê‚.£øWŒ/Èa]‚Ä‹‚øK‚ž!¾ož¹\¼R¨xPÒ”±nDüZçWöëjçáÊÄ¿uü‘(¬‹þ“T£˜Ž™LÑìÎ÷Yœ0¨ˆ¤WÊÖɉæþoW§ªÿÛ°ËDendstream
-endobj
-1151 0 obj <<
-/Type /Page
-/Contents 1152 0 R
-/Resources 1150 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1149 0 R
->> endobj
-1153 0 obj <<
-/D [1151 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-498 0 obj <<
-/D [1151 0 R /XYZ 56.6929 653.8847 null]
->> endobj
-1154 0 obj <<
-/D [1151 0 R /XYZ 56.6929 627.8019 null]
->> endobj
-502 0 obj <<
-/D [1151 0 R /XYZ 56.6929 405.3123 null]
->> endobj
-1155 0 obj <<
-/D [1151 0 R /XYZ 56.6929 382.8411 null]
->> endobj
-506 0 obj <<
-/D [1151 0 R /XYZ 56.6929 301.1931 null]
->> endobj
-1156 0 obj <<
-/D [1151 0 R /XYZ 56.6929 273.8371 null]
->> endobj
-1150 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F11 785 0 R /F57 624 0 R /F77 703 0 R /F84 848 0 R /F86 980 0 R >>
-/XObject << /Im2 936 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1159 0 obj <<
-/Length 2375
-/Filter /FlateDecode
->>
-stream
-xÚÕYKsÛȾëWð X%bçAnZ/íhË+od¦*Ç
-`iS¹¼hÛr^ ¹´‡ÍC]l‰¬³uDSéä0k;æ6*ÚfçˆÅÑè¢qÏ<pnè9÷“4+ëŠÜ
-ÄN@iqw]?Ž1 DmYßWÁ…úZ€€d”T^žË!‰AÝÒo×ó¦j‰çCÙ­ÊiádzÊ”ŤÑ~ñ°B¹ÅkÃe^÷Œ$¤¢7cUÙç^6§O$Ê®p'A#"N¹HŽñuèÖ
-¦}ɪÀ|bÁ?fãTD ߣÓ!‘Ñã’NTî͇Í®ÛìüÔÇfGD]¸ãq2™r^d¿dXM¢hû¼ qù »ÖK(@ÁJóc›ƒ¥a3%Ýñ•ŠæÙâßm•µ+bËU?€B‚SÖx¾õÀÆàK–óC|Q §"¾˜I¹-'ÌÄ9f—/톦I„õ!I”\ÈgU°
-ÖÙ#)¥ÙteSgUõèµSÐø²©ªæÁÙN9h„ X&…mŽ4¼nòƒ}±EïTiô°*+$Á1W.W¹art ÀóÁøKŠæð¾t0mÖ´d? ñëà Õ †òDºœRT¹ß¦Ì»‘Ø‚÷<kÑŠñè—þ!…凖H::C¾sþ„Пð[6`[nXl¹]%ã8Itðõr½.òÂSå™’~6q¯aGà‚Å
-Â3V=Ú%k˜€W˜*6sl´Ë©ÜÔ‰Lg{°â§+gŠOW¨ïÏŸ8§<6F'~åýw@]ÔŽu’ œkå© ò%A‚¤Á®äU>ÀG€Óˆ4}æØ­FÀ=gQ»›wÛlѵô*={H‡7ou0Œ…X!NM´Øm £5ø‰HEhôf¢Í0ÛÒ8•\©tWùYKã½æÅ¢\gaüvsèõ劆7Yž;?
-LìñùuÐïŠþ˜Û!5ñز½$ÿÌ,{wwÕ=i·ÙàÌ(Z”Y( xäp¦HËŒ@/‡ðï®X8MÀþj§ ØvYõç/Euˆ4(œk^”:‡%‹S¦Ógë6W|`ù}lé–ºéºéˆÈæmSíºâŠ^Ésèûú-1{ïãÌ击›w7·C²AÕËE@~Ø=“Öäϸgs²7–ä¡j6+˜°Çîý–:¿$Z4ëMÖ•ó²*»Gò®T‘m«²ð3¿ † |mêa4`Û`‚F/‡2Ðöó´/
-ðm»[=$Ccp_—ßœl0–Ñ£¬ór‘u¡ðµ`rcí@]è´CÊ•½\ÒÃÅȾª(†ïû-Ö+û¶C3ø'Ü:h¬­â/´‚Z§è,N_]º1ZhG dÂà¿Ií"¹‹
-h8®@>H¸»‡þ—û¢Æ‚ÏÙR<iüœ§
-òTøJÄa§<ð+ýž„aCo?P !Í)VŶì‚ìÚ=4.ù*`ƒpèpë²zágmÇ6ÚUE;T´œdÌt CaD¨"; «óÁCßá°5@P(ÜC   8áÜŸ ù t@zîì|ÁNš/\þ æ{Xú£î?þȃWƆۗn?  ‹9ødÏJà-:=k±Ó(׃¸×&@H^8æßÿÖG>Œ _$á>¾Ó•£²n±"ûbÒ `NJŽot凙&œŒ¾ôOŸœB¾è¹Ô«¡lþŸ ÜÇÈe!ãôÙËò',ÊóP†ô™0+_€²² ¹{ܼ|a|í.Bh-¨p}‡ä¡#‡/Mý+µP&6ÛŽ.mÇ¿¥/ûzÇÝ]Ñð›Ûë_¦W4úÓž†Fájè‚øþ|v®½Yo?>c·žB^§äÞ¬?ÎïÈä~Åy»'Z¾”u•Q@¤þ®°Ú<6œÓøª=vb_ÖäÍ: A…žk=oN\žlÞ,Š¶ ~Ô–kh߶îÆ¢W6BùûŒ!z¾NkC~ú_üêÃS裼òilm’ö¤zòctæ±`º‰‚¦A“l-~ÔSÜ4ØÚÿ`S ‡Hn’}©ünz;½sÝõl:Ôùʘ±ýýu^úT‚¿` Âãð›añµ+j,ØOünߺl²­§šåIyÔB”“ãûU‡|ƒy¤ò4¶ýYç{ ‹ý—îª>…çN|8 ø-N{({NKs“Io³Ùû9Þ¼¿þøñp¤¢ÊŸâ8˜‚º’„âS³Ñ‹á{ý<üŒm›íÇsyÔ}zL…S¡žLúÄ¥µÉÐá©Fëendstream
-endobj
-1158 0 obj <<
-/Type /Page
-/Contents 1159 0 R
-/Resources 1157 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1149 0 R
->> endobj
-1160 0 obj <<
-/D [1158 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1161 0 obj <<
-/D [1158 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1162 0 obj <<
-/D [1158 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1157 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F14 608 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1165 0 obj <<
-/Length 69
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-1164 0 obj <<
-/Type /Page
-/Contents 1165 0 R
-/Resources 1163 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1149 0 R
->> endobj
-1166 0 obj <<
-/D [1164 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1163 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-1169 0 obj <<
-/Length 1537
-/Filter /FlateDecode
->>
-stream
-xÚ•XÝoÛ6÷_!äÉ*Z¤¾Ûa@š¶[»bØšô©íƒ,Ó¶YÔô7ö¿ïŽGʲ­¶ ‚@Gòøãñ¾iîxðÇ$džŸNœ,ôxèäû™çlaí—7<Aè³0ð}L¬º¡Ÿ°0±ãŽA^ÞÍ–oáE‘»ÍpVûÌ÷îÜ­?ÍovYÝÉfáŠÐ›Ç‹/wïh[Àâ$æ¸Ís܈³€Ç‘Þðòí﯈;¥Ï­Ìû¦èit£ª¶XË&ë
- <0?ˆ„ÅK™ŸÄ‰Æ‹_¸Üó¼ùužË¶`ºF•4x_´…ò”¥‘ˆ ’±45Ðq{HÛ<™D` ôÚg/ô®oÞ·ðåÏp*šgšWÒz¶^ÓÀ‚ù>ëò­•G˜n—u´þ¨zšÊ³ŠˆVš¥¾6˜ÕšˆªÈï«loŽÚ¨†ø6}×eè[Cՠ“{sÎÒ0úâYYªƒ[©®Ø<Nh)ŒXÄ1ìBægxKîBû«—Í$Xvüi` zH þ0spý_ÀU™å÷;UÊ ¨ `‰àO¼h×dU»
-7Ù2{:©”û-Èè‡þ¼h雑­Âhd+‘2-ÈV[¥ÖfÏZfS®ÂY’ÆÖÑȬ£ ´hÉSŠ\BÔ2åãÔ¢Å1ŠGš˜£(œ9ª- ¦‰öE§}/7û—›5½z$·ƒ€áQpj0#&]Rh5]aaRØB–ƈ5©ûAVM´µRÚõŒ5M²òæ¯Ô­™é:;™m³¢j»s_ôĈ¿Êc~ó´)é(U_³}]ÊSÙ©:RÉU-›ÒT›¬®-‰6{n<#>+! yk9–K0ƒ‡U«#}¿(
-~‡ 5‘W+µíÛJvíMPòGêP”%Q«Rå÷D~xsÃSžÐ ­³\>›
-++ËaW`Aƒß\í÷ªÂ»i[+IQYP¥6Ú‹´ìd6uH–[ùìhø}<¦ÿ–É ó³±8_Oqþ—"°,Ð,“o™.PcÈ•‘žâb„Ä£„&#3ùï‹Ó;ð'-‡Tku®éâ}™1Š¬¡xHk@«iJW4g™a’Ò¾ÐïW²ù‚íy'úýÊôßQ[ÃÿÆ•MH×Ô@,ä°9Q c“B}cz\ÜÇRZÑ¿k…óbþ€ï
-u¬écÄÁ]¿+“…tÏ”CÈÓbü­*sÔ•É; Âíꇪîk³oŸµP,'Á7…½ÇÕ~9†ñ{dÕãéµÝI‰hq¢+Ö úë;íé>÷‡.iJÆÚ’Ø}àJ¡ë0û< ˜À‰¡½¡<¼§ÑÀ2T!ôUI…íô0tœÚefm%eEGÙºT`ãÓ·˜ûpz]´î¤êVè“ýÂêªù|¯Ž5G@ê„v{¯ß%´L_aë 7uFØî›Û¦h‰ÛÔɼ£[
-endobj
-1168 0 obj <<
-/Type /Page
-/Contents 1169 0 R
-/Resources 1167 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1149 0 R
-/Annots [ 1173 0 R 1174 0 R ]
->> endobj
-1173 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [513.6761 73.4705 539.579 85.5301]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
->> endobj
-1174 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 62.7606 448.7754 72.9224]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
->> endobj
-1170 0 obj <<
-/D [1168 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-510 0 obj <<
-/D [1168 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1171 0 obj <<
-/D [1168 0 R /XYZ 85.0394 565.4467 null]
->> endobj
-514 0 obj <<
-/D [1168 0 R /XYZ 85.0394 565.4467 null]
->> endobj
-1172 0 obj <<
-/D [1168 0 R /XYZ 85.0394 528.8591 null]
->> endobj
-1167 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F11 785 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1177 0 obj <<
-/Length 3185
-/Filter /FlateDecode
->>
-stream
-xڥ˒Û6ò>_¡ÛJU‡$@Ü›“ÉÁN<ò #qM‘
-£(_¿ÝèEJœ²«Ö>h4èF¿5Á‡ÿÁ"Š½8 ÓE’J/òƒh‘îüÅÖ~¸ gíÖc¬ï6w÷ïãp‘ziÆ‹Íóˆ–ò|¥‚Å&ÿm™x¡·úcóÓýûÔᆾ…È#Î÷?~úøqCXŠRy2P!£½ýðnŽRì…"Œóô°ùüønŽT
-á åÝÓÝ/ÁѪÝ:ûŽB
-õí™…s4Yñ|.ª `Ï’ø= %³™Œè)åEñ`ZënæÈ ðÒ(r(ŽÎb-%î-r¸\»¢®Ð<DºÜìñUD/3]Ñ`oÊ#ŠÃ‘dôbОÛÎpœÀg}StgZÙò÷XêÌr†zFK©¢Mš¦xÃôq[ÿ…CÐ!£åi_d{B8eI£²8 þàf²å;~Èoåú w†ô6¯+Ϭõc…楖¾Yíø;­É½xâ¥"TäɪŽÅÒ_ö­yîKËg£»Þî6´h5Uºç”ƒ5O†w©Ó¼~& VsɦÞ ú¾-J+\ ­é;˜Èø˜\›ƒ#¬™Œæy_›â¥(ÍŽLâ":R`¨¹øÝ Á•ˆÄ9ãuO(Éœ‘”‘SwKñVAÁõK?™¨Ÿüå¿Wi¸äkûÝδ쬈ՊÄ'Î"æ ¾Î2ðrÚ‡ÕXy®L;L"/UA:±í9›†˜” Qpôö¤4k‘'8sVžÄâýhQüÆðµ,À×ü¥Ç’Aä •:_1ؾ<|ËZç4bQìÕà§|‚¨­¾Ùg)/ "Ç›æ›Â|¡Œ] ¿ÑÍ}¥³"’£‰±@¥„ξ=)’^š nt8œZˆwH“©*sP›aÍ÷_&L‡¢ÍX[B?ü'k¾m[»}“½ïÛ澬3]Þo‹ŠY_ÇiÁ6ìÈ1 £ïŒÂÁ]S(…§
-?r°€c÷fφ1â·8fÍf›„$ ©=¢×UbY[5Ì‘cœÚxƒ9͉cÈýoWH;D¾Uñ9~Ouó…Fìu¦)Ï)*w#BÐMWd}©ù¢9Q5YW7¼cH\p¦ôfƃ‰@A²N4Öé‘ðâ(’Óhòš6‡©§T’Ž\F­$\žë×r1 F•A­À‘å¾ 4è1´ÊÄ:œßJ wí5Š*+ûÜ´Œ äÜí)¾Âœã+ÃÛé‘dX*¡\¾ç8Gœ;^&„Äþ.*M!C+ì]@ m¬ÐKaNè¬çdœ¦^¢Òà[œäRI”¸×(ø<Ìð4—ÁØM±¿û~XÊB€3;Ë_ñRø¸ÎO
-¨Ë|gém§;¾¯=¥ª—ïÁ0Eñ?Ï­¢ø*&í5ù-¼a’‚²lÝVáæ0Ö%ã
-i¸B½=ÄY&J©ZþXŸÐú±Jµ‘4w~4UNù àۀę&úW¸»E€²»9æwèAŸ ›å¨l¶9“e[f#çqPŸj×^[ÁÄ/$‰§yïsórÿ·iê¹TAxI:”8s.Fbš&Ǥ°rh×.&#ä׈‰1±²ÞÍÙ&Ü?ô“QCeô}ÝÌEð‚Ñ€}oºŒ2…®8ÌYªh©ÎExsÉĨߔR·I‚+ð?O3Ü›úþ}_e踾ž,üÜu3¶¤pš„sÍqkU©ïA4Œ¿ÅªRg{T´X'!0£óæé'P`„áŧõP$ÎÄgx«Øw~´ï†ò‰ÊzÇR¶×ÕÎ8¸u¢.Ò´-WQ6Gà¡Î DÊt7ÔnøšC_$‚¶Añ:5+H½Zt@ø•—š£>Í=€r±ž C@v`HÄl—|–…pj «
-Nˆû„.W:hÈ›9­Ï¨±È<‹ÅÀi?€u×áÛæ´¸eh;dà‘³q€^Tƒ}}äì
-‹Ä´>Öe‘çËÆ(ñµ´¬!ð`k†æqîÿLÅPýO['OõÁ8 èèá±[×-ƒ­åÀ÷‹1GZÕÖþÄ~Œ]
-endobj
-1176 0 obj <<
-/Type /Page
-/Contents 1177 0 R
-/Resources 1175 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1149 0 R
->> endobj
-1178 0 obj <<
-/D [1176 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-518 0 obj <<
-/D [1176 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1182 0 obj <<
-/D [1176 0 R /XYZ 56.6929 747.0488 null]
->> endobj
-522 0 obj <<
-/D [1176 0 R /XYZ 56.6929 613.0366 null]
->> endobj
-1183 0 obj <<
-/D [1176 0 R /XYZ 56.6929 586.6546 null]
->> endobj
-526 0 obj <<
-/D [1176 0 R /XYZ 56.6929 473.2336 null]
->> endobj
-1184 0 obj <<
-/D [1176 0 R /XYZ 56.6929 445.9291 null]
->> endobj
-530 0 obj <<
-/D [1176 0 R /XYZ 56.6929 376.148 null]
->> endobj
-972 0 obj <<
-/D [1176 0 R /XYZ 56.6929 340.4845 null]
->> endobj
-1175 0 obj <<
-/Font << /F62 634 0 R /F90 1181 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F57 624 0 R /F77 703 0 R /F58 627 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1187 0 obj <<
-/Length 1975
-/Filter /FlateDecode
->>
-stream
-xÚ¥Û’«Æñý|…ÞÌVY,Ã'ÇÞÛ—].Ÿ­J99yÁH" Œ ƒ”õק{ºĉS•Ý5}Ÿ¾MƒØð/6yâQo²"ö“@$›²}l@ûö`ž8‰ü$Ž"xX¡n“(÷“<Ì6Û¥’¯_Þ=~‡›0ðÓ4L6/ûÉVšå~ÅÅæ¥ú‡÷t”'£ú‡m˜^þðÏ—¿’Xìgy&P,
-ÞüžŽúB@)ÙÚ3ý| ‚ð0öŠžôè¤òJí¥×ÝáKö,Ú~‘†);á)bS@Ž )Š…·Sƒ!hÐÍhj<$>=aÏ,ûPwÀ,<Ù4ræ”]E@©;örA­‡aTƒƒ¯uùÊ^œú‘{ê¬:²gƶJ#QXr÷†GÃÃL1‡Ã ÊØ„nÃ,óÆþ¦^£‡ ‰~5¨);µ×¤õ¾û ¹( ,w'“±ƒú\WÌ& ?hr°d´ÞþXw†ÍÙø ®îÀn˱AŠä‰² ÀN]PØŽƒª(¿ºE9ØS¬”CNWÖ}x$—–å¶ÔûoFY3ŸkÞÿDÓĦ‘«ùÐU|Wöª'ê;ÃÐÁÝaBO¦>¨¾– Á?Žíz|½”sè±"²öþ®;¬—(„: é(^g¥"H(¤ük´hæÙ‚ù7¢1c÷sTÒ° îVL÷±4Ú¦'¥O KAeL´„²Å>-}X«j®ŽÐÙæUVhU üÁ
-e„æ|#¼­Å0äèËP¿Àß?¼ÿóÏ>‘¾"<{s%î΃¸£<+Âî”êg`‚P&ÉÖ ÖN3å#Lt„€_Âï (u{j`´Ô²³­”ºZ€dÉ
-fqd"‰½
-pTÀ4 pјéß©ù^5+“³K™›-“ç9Ì©ª.±ð?]”00%ýüf»¡£àÒ
-Ç '\ÞÝ0 ™YhíŸ#:GqÚNªçÉ5…q¸ŽíÿOºùEºX€BÁÝ Ðe[f€¡ßt¢Èª"B(â,Σ4Έð1H‚ðc(‚Hl<ˆ[Šs¿Ûñ¹KFËꆓ»L¸mB`†^™8Ì{
-­Ýv?v•ÕšÁ>¦ð­ÎÌspÿ
-/o“¥9”,‰Ãà«qP¢ßÐý'À_U$ò‘¦Á€aJ"۟˹–G¨“,_å¹kÈëÊq©‰+b~êÝë>ì)-=ÙH!Àï:Ê®ƒÔ•®æe÷tÔD¥©í‹
-endobj
-1186 0 obj <<
-/Type /Page
-/Contents 1187 0 R
-/Resources 1185 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1196 0 R
-/Annots [ 1194 0 R 1195 0 R ]
->> endobj
-1194 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [348.3486 128.9523 463.9152 141.0119]
-/Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
->> endobj
-1195 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [147.3629 116.9971 364.5484 129.0567]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
->> endobj
-1188 0 obj <<
-/D [1186 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-534 0 obj <<
-/D [1186 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1189 0 obj <<
-/D [1186 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-538 0 obj <<
-/D [1186 0 R /XYZ 85.0394 576.7004 null]
->> endobj
-1190 0 obj <<
-/D [1186 0 R /XYZ 85.0394 548.3785 null]
->> endobj
-542 0 obj <<
-/D [1186 0 R /XYZ 85.0394 548.3785 null]
->> endobj
-1191 0 obj <<
-/D [1186 0 R /XYZ 85.0394 518.5228 null]
->> endobj
-546 0 obj <<
-/D [1186 0 R /XYZ 85.0394 460.6968 null]
->> endobj
-1192 0 obj <<
-/D [1186 0 R /XYZ 85.0394 425.0333 null]
->> endobj
-550 0 obj <<
-/D [1186 0 R /XYZ 85.0394 260.2468 null]
->> endobj
-1193 0 obj <<
-/D [1186 0 R /XYZ 85.0394 224.698 null]
->> endobj
-1185 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R /F11 785 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1199 0 obj <<
-/Length 69
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-1198 0 obj <<
-/Type /Page
-/Contents 1199 0 R
-/Resources 1197 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1196 0 R
->> endobj
-1200 0 obj <<
-/D [1198 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1197 0 obj <<
-/ProcSet [ /PDF ]
->> endobj
-1203 0 obj <<
-/Length 2607
-/Filter /FlateDecode
->>
-stream
-xÚ}ÉrÛ8öž¯ð­éªH! R¤æfËYœ´=.Ë™®šé9@$,aB‘ AÚQý¼ ”ì°S:x ððv@ÑY¿è,Oç¡Z&gÙ2™§a”žû7áÙpßDB“¤jž&JÁd;KU>Oó8;›.rùðæ݇$>‹Ãùb§gã^‹l1Oãì¡üOpѶ¦.íóYœ†ÁÅù>3_2Ïò,B¾öÈçÑ"KN9
-ãFâ(™«d ñb1T–2ñ<:ŸEaKßêæ¹2åvoêþ„7š/ÓÔóª6R‘ç=r³|—5<üd]ßtž4ìw†W·kèºÖëÛ+ÙT-çËE¼=ã|ž(ÐíYõ»fØî€G-e9üÇ ìåÁŸaVWaÜæ<
-ÌÖÖµ­· !iNÙ¯š½¶5oõ^ ëƒëÍ^XŠbè:ÜÀ ¼*<}´Ìe£gÛ¿–«6•-to›zÜΈ§õ
-§ºÿ°B%$Á2ßòH4•EÃÛâL‰"G´
-jóÌç¥à³v ,+:»!™N2dV<bˆB „%Ïc‰e¢æç3‡Á¥Ù«$"MÃ,
-T“¥‡RD¡J@ʼnJ([øG†¼›­šº0-JŠ0R >èÂV¶·Æ!›¬ ØüÅòéÛ)Õ¿ØL-d³ë}[™7T*•EdÝš‚ôË™ƒS"ŽfDúƒ!rd÷±€4¬
-Á¢å“oC
-!mg8iP¦üoð?SP­ (®ÐDŽñ04È•ï!¼¿Àzÿ:"èòà윓BiòàK}%õ;QóVöLæù\ñð¤@ =`ò@= |ÞÙHTö>«­š};ˆcgÒ=JD¾:/ ?MÎ1 Wëûlc6
-ÿDï}ðÁ+ýd©µ ƒ{»ÝVx¨ØÇ<
-.8bxÝã)´¢ei}K„(É-0š®`âŸ1„âcÿ<V'„H
-¦¼JW[¾,…{L /cW<€õ‚ßÈÆœU†¨rè¸9È߀"#´ðÿ`Ù1ýáÎY£ÓäQ°ê´Ìî`ï’ò6¢Öû¦‘•Vº«&CýÆöÐÂWYWÁôjÒÈÍ08R\Ÿíž—UCê %bˆpdY;ðÂþ/ô <ñF sJ4P7032€=VqÃÆ™ïƒ}Õ=Ý
-Q}¯¿qÆýiîOq;¸3ºþ6ÍÓàng+]T{Ж£¼÷Óûfc:Ô[¾ÞW ô¢¢, ä—ZÞ,zÏ!ÐRÛ{–Ëî0òSìŽÍ6®WËõöYÄWÖõy`V;±þtét˜Y$=1>"Àõw»Ç{WUYÂÆXçú]S•Œ¾Óôªó¦Ü û‡²
- FÏæé{*úú§3/Å‘÷‚Ÿ¨Ï(ˆòÞpà® Ûjáò­Ìô­¢‡ÂþNŠ<´û½¿O3¹:M30;V¤¶G(F4µÔó’ç;ýd˜hc(„&EÄ 
-endobj
-1202 0 obj <<
-/Type /Page
-/Contents 1203 0 R
-/Resources 1201 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1196 0 R
->> endobj
-1204 0 obj <<
-/D [1202 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-554 0 obj <<
-/D [1202 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1205 0 obj <<
-/D [1202 0 R /XYZ 85.0394 572.1453 null]
->> endobj
-558 0 obj <<
-/D [1202 0 R /XYZ 85.0394 572.1453 null]
->> endobj
-1206 0 obj <<
-/D [1202 0 R /XYZ 85.0394 536.5761 null]
->> endobj
-562 0 obj <<
-/D [1202 0 R /XYZ 85.0394 536.5761 null]
->> endobj
-1207 0 obj <<
-/D [1202 0 R /XYZ 85.0394 506.7869 null]
->> endobj
-1201 0 obj <<
-/Font << /F42 597 0 R /F43 600 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1210 0 obj <<
-/Length 3135
-/Filter /FlateDecode
->>
-stream
-xÚÍZëoã6ÿž¿ÂßÎÖZ¾$‘é]l^M»—æb½C[àd[‰…•%×’“øþú›áz$v²½Mq»‹À|g~3ä ‡âÿù Œ‚È3ˆ
-BÆÃÁlyÀwÐwqÀݘ‘4êŽú09x‰ L$¢Áä¶CKLk>˜Ì28
-løáòÃÇË/nŽ¯¿û×áH„lø+ ÙñÕ)UÆ?]\œ'g®zsv|zyuCøá(Ž __Ÿ]^þ“ú‘*kZOÎƇ¿M¾?8›4lwEãL"Ï¿üòÌAÂïX Pa7F –*”A¨¤ô-ùÁøà ÁN¯º*Î!–çX)1à*
-:»`…&:,q8â ĺH‹tä$ëéÕؒަ봘¥T½,nËõ2©³²@ái ˜0´K°ÁH² Š¹öÄîÈ_^ßGD#™Ï×iU¥UG%ðÏâN4eGÅ@R¨À(®,IGFÇ–Ì!×COJëaB ÔÏ…M³šz²yZÔÙ!‡Õ˜H×n<ÈBc³¢N׷ɬ!TÌ©£JëŠJå­£ÔÙláŠi»¾h«å|3Kç~ê«)ŠŠÂ5èp„zl†uI¿°N–guR§T¯fIžLsW»DVŠ´¦-¶©³â Ušx8Y´ Á€¤[©TóÕíÊ
-E+(ïâ{Dš £Žf¤ŠÐlR ó?Ù,©ê*”<ˆe3îBÄ´ i†Ôâ„­ 8#k˜È=F´»Mñab"R±V%ßìàR‹@j)ÜâÇÅv“Æ©“2’–I\­Ï$¶XÓÁÅ=?¨, |=¦ªo Á
-<ßÁ×a ¥ˆÝºßäõ^M b.ß‚C‚W± ŒyÜ·Á–o´"ΆߵF»õÁýÎÓj¶Î¦®†öl wy9õgˆ7ˆfÓ;k¢†j¶H—©[ãÜnDh]–ÝŲö´yçf¥®ëæü„
-BÆ*h6S)èð™xž’»;"z—Ônóü!N‰Ç‘kKš¾</h{ìò‘TAÌA½Ÿá
-BPC,LØwÿÛ,ÏGç€ÙËÍc@ËýŒ>©Ö'GBqwüL×L#°$xE›VŽà
-ã!t½™æٌʓC#†åªÌË»­ QüXK³·8çQ
-'¾né(ÐfÊD̃Ð(¨0pj:ú<ÆY>WÒh‡^¢¨;ñÛ½ößaóë…<œ‘‘Þ¥Œ¡Æz
-®(
-Çý Ú³‹š
-K°"¥z¬‚tŠÆz1k†QÙUúX¿‘™u˜úzÍ,Œ7 W‹ (Š°ëG÷: v ½v¶¾^ìÖòè„Ù‘¡€òòjrvs~ÛñÉY ¢â²5À—"Ÿ½pµœ¼ZŸÇü¾››8€p¿„¨\òÏŒb
-Iz¼mkV òl¿P]RÕ‹Ø L‘ÇMê»sÖØEŸœ5O¯kpÚ°¸Ÿö"맪ÔVÙVÇ…çyž9o’Üå{…4„yý|zÖ?ÿ¼ÛH\–4»O]‹ÃÃelÑø> ÃaV/ÜÉy}½{–Bõ¯<Ó4/t›-.}z·ó”õuR/ü}³^$nÝe2[dEZ>F·W 6);‰^ÑW.ÖgÉ*™âûÉ–êv7íß dO {‹‚–Nj ™>f”4ÚsE¥úUu„Æ`v0âf妩ïY¯³t¾ë1¨ÜÔ}•ÐcÊM1O`^õÎé "1º y»1(sŸlû¹ë“<©ª¼Is[ã<-—‰§vCIí=éäòô•ôµ :Z`QÏ¡²ði*,76Õ¥©›²)²ß7n¼•ÚÀPj .âÃ]Š¶âŠÐ±€p$â(“Ð0ÀÚN+ª6·ËX€RVíÒ‚'bz=Á!+¢'ïØSöFÄö­q]5óÚ7¨N·µ5{ DÔ™· —ºùCûb'zï(¥ä˜“Qçççgøk›Ò(žð™'¯±÷X؆¢Þ.ÇCAgЕ—)½§ÀfÈî
-«Ø5u“%CÁ®ïY2¶¥lÐX”›|N­NDìw“får•ƒ§M—`jé< g¯ãÞ!ԓʽ$za¤ÔÇuV×H+¸CP)èÛ¦y9ûTQ¹JW V]عö Ä 5ÌÀ%öŽQ¸€}yšÌívÂÿ!'X:‚öѦ¡v-jY¢Ûõ£å[ê¼y+}¢°ô1HÒ£æ¾÷žÞ=<Á‹ò£ùT ø5G cPºEÞnnSÍÄTŠÝÏòÝÝïŽTóôùÌpðÜéÌé“Ê k, †äÙ§4ßR‡ÝE•ZÔtá
-~ÏI‹ƒ|ò¬p÷YB…ó >,s5Ä
-nëÕÑû÷(wUYÎ7ï³bdUó?®°ö—…Î5“É
-endobj
-1209 0 obj <<
-/Type /Page
-/Contents 1210 0 R
-/Resources 1208 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1196 0 R
-/Annots [ 1218 0 R 1219 0 R ]
->> endobj
-1218 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [401.6435 61.5153 511.2325 73.5749]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
->> endobj
-1219 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [55.6967 30.8502 511.2325 44.7979]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
->> endobj
-1211 0 obj <<
-/D [1209 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-566 0 obj <<
-/D [1209 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1212 0 obj <<
-/D [1209 0 R /XYZ 56.6929 748.2826 null]
->> endobj
-570 0 obj <<
-/D [1209 0 R /XYZ 56.6929 748.2826 null]
->> endobj
-801 0 obj <<
-/D [1209 0 R /XYZ 56.6929 720.3635 null]
->> endobj
-1213 0 obj <<
-/D [1209 0 R /XYZ 56.6929 647.0664 null]
->> endobj
-1214 0 obj <<
-/D [1209 0 R /XYZ 56.6929 635.1112 null]
->> endobj
-1215 0 obj <<
-/D [1209 0 R /XYZ 56.6929 529.3677 null]
->> endobj
-1216 0 obj <<
-/D [1209 0 R /XYZ 56.6929 517.4125 null]
->> endobj
-574 0 obj <<
-/D [1209 0 R /XYZ 56.6929 180.3481 null]
->> endobj
-1217 0 obj <<
-/D [1209 0 R /XYZ 56.6929 143.7717 null]
->> endobj
-578 0 obj <<
-/D [1209 0 R /XYZ 56.6929 143.7717 null]
->> endobj
-644 0 obj <<
-/D [1209 0 R /XYZ 56.6929 116.6563 null]
->> endobj
-1208 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F11 785 0 R /F77 703 0 R /F57 624 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1222 0 obj <<
-/Length 2590
-/Filter /FlateDecode
->>
-stream
-xÚ­Z[s£8~ϯð£]µV„lmm•c;wwÜ;½³³=ó@Û$¦Úà\æ×ï’@`{j·ò!tÄùÎå“d<pà|†¸¸ˆ9˜ 6‡+gð cwWXÉŒµÐØ”ºy¼º¾õÈ @G¼Áã“1—ßǃÇí×áäáa¾œ-þ=æ 'h4fŽ£{§óõh̽@ P1ä9ÛÅͧÅç»Õäá§_åK¿9Ì™,gòaýåîn¾~œ«ÇÕ|2[,ï@~üp5¬–m~v¨XóW_w[øÂW¢Ï¯ðà dp¸rEÌ¥T÷ì¯ÖW?W£å«]¦bÔGÌ'¼ÃVŒwÙŠÈ£„–¶Š“±0Ï0I‹(¿n¦¢”ùõ;] ¨¤Æ¦X¹
-|·™â²ô˜æ‘ö”K AžÀܽðL©~ì*©*¼‚À^VÕ5xgº»Ák(_$YõËR8þ'Md# “üI;¸Fp¶\wÁçb„=ßmÂw¯àû¼+BÕ59=ŸòBx½1ÃD
-%Åú0=Ž±WcA^c!f1±ƒkÕÿ¸Kyš¨Þ_ËØTC«èû®€实±Ì¿bè’L·RÜ`º7é)ÙjÌ™Nå
-U ùÿæ”ïdk¾ÿS¶ÓþýG0æ0¤,Hh©
- êø$lª $Úº{0•/£g0é‹ÎjáfW±
-ô*~>EYí†í9&é.E“d+ ß«æq÷rÿ»ÙUv÷ûíDÂeÀRìv7¤,v×R•Ý}×B¬ª »·u÷ØÝT¾ŽyŸ²áÇè]6jnT¢”Š¤ˆ«¢’²‚AC qÚñ¸^TçKg•‰"ÇgØ@ ^ªK<@:t‡ñUu¢Áð³º;m¿r™ õ‡352ób,_¥¢‘øöáw]ëhùÕ: VÄõF¹Š<ßØïÁ ©§ôŸÄqœnÖ Û>ŸºøÇX§zŒ÷*I¶šqÍ¢—hŸCëóGêäòK$É”ê÷ÇJª"I¾o)ÂVÕµ?žéîödžò*ÈçoE”äçI9?i¦XÊâAþ‰²¼"I^Wb
-²öÉÙR˜y¯:§ªsÊ<.¹œž·sã$c&ÆÏm2§Ëû=0¬jŸü×\û‚ õ—0¥ú]¢’ªO¢|ÒïVÕµKœéîv‰†ò5ìŸôÁßòT³™ äƒÝ!zßy¡ÉsÏw¶Õ6¶e}s«k;`:Ëô˜{ˆr¯ut»Šòô”mT}ZE›4ÛêËÀ¾£Þc\ØŠKÛ ÖB•P… ö©A‹^À–âü ÍËè¾SÎÐX­TG$'’¸è£[Ž‹<1MaIŸnÅvÉ9æ/òšzfE)€‡ŸÔÐDý¿%+Ks%°R_ö{ˆÛDÍ+]ºëX/›·)’›éU5¼¤NoŠ›fâÛá­eúÑU2¸Ü±dl‹ÒÛ–Önh µ?Y®'ÚÓ…ß—§ ßï„—À.'à­‹½§½dίjt˜NÓ=ìwÞ éöŸsD¸‡/ü¦ê7¿ª÷ Üb›Þ€¶ânLÍ┞ðá}–;Oâ©ó 蛿%WÉsiGü”VG! ±H@øPuxò愨“cѨè6 *º ½½'ÇÔÁˆCã¨Ë2)& _ä•$ôÕ1F§É’*éiT„ÉO}%µ«æB×Ôxó=NòŠGµîÝ,×”!ñ{Ÿdœ*ÑÿÏ?+2Ûú=×oÔñ º®%¾›ó³£èß/ý¿‚¨¦endstream
-endobj
-1221 0 obj <<
-/Type /Page
-/Contents 1222 0 R
-/Resources 1220 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1196 0 R
-/Annots [ 1223 0 R 1225 0 R 1226 0 R 1227 0 R ]
->> endobj
-1223 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 793.5053 539.579 807.4529]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
->> endobj
-1225 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 756.4942 140.332 767.8862]
-/Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
->> endobj
-1226 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [507.6985 756.4942 539.579 767.8862]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
->> endobj
-1227 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[0 1 1]
-/Rect [84.0431 745.1168 199.6097 755.2785]
-/Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
->> endobj
-1224 0 obj <<
-/D [1221 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1228 0 obj <<
-/D [1221 0 R /XYZ 85.0394 694.0474 null]
->> endobj
-1229 0 obj <<
-/D [1221 0 R /XYZ 85.0394 694.0474 null]
->> endobj
-1230 0 obj <<
-/D [1221 0 R /XYZ 85.0394 660.6469 null]
->> endobj
-1231 0 obj <<
-/D [1221 0 R /XYZ 85.0394 660.6469 null]
->> endobj
-1232 0 obj <<
-/D [1221 0 R /XYZ 85.0394 660.6469 null]
->> endobj
-1233 0 obj <<
-/D [1221 0 R /XYZ 85.0394 654.2654 null]
->> endobj
-1234 0 obj <<
-/D [1221 0 R /XYZ 85.0394 639.5008 null]
->> endobj
-1235 0 obj <<
-/D [1221 0 R /XYZ 85.0394 635.7135 null]
->> endobj
-1236 0 obj <<
-/D [1221 0 R /XYZ 85.0394 620.9489 null]
->> endobj
-1237 0 obj <<
-/D [1221 0 R /XYZ 85.0394 617.1617 null]
->> endobj
-1238 0 obj <<
-/D [1221 0 R /XYZ 85.0394 557.6417 null]
->> endobj
-746 0 obj <<
-/D [1221 0 R /XYZ 85.0394 557.6417 null]
->> endobj
-1239 0 obj <<
-/D [1221 0 R /XYZ 85.0394 557.6417 null]
->> endobj
-1240 0 obj <<
-/D [1221 0 R /XYZ 85.0394 554.1294 null]
->> endobj
-1241 0 obj <<
-/D [1221 0 R /XYZ 85.0394 539.3648 null]
->> endobj
-1242 0 obj <<
-/D [1221 0 R /XYZ 85.0394 535.5776 null]
->> endobj
-1243 0 obj <<
-/D [1221 0 R /XYZ 85.0394 520.813 null]
->> endobj
-1244 0 obj <<
-/D [1221 0 R /XYZ 85.0394 517.0257 null]
->> endobj
-1245 0 obj <<
-/D [1221 0 R /XYZ 85.0394 490.306 null]
->> endobj
-1246 0 obj <<
-/D [1221 0 R /XYZ 85.0394 486.5187 null]
->> endobj
-1247 0 obj <<
-/D [1221 0 R /XYZ 85.0394 471.7541 null]
->> endobj
-1248 0 obj <<
-/D [1221 0 R /XYZ 85.0394 467.9669 null]
->> endobj
-1249 0 obj <<
-/D [1221 0 R /XYZ 85.0394 453.2621 null]
->> endobj
-1250 0 obj <<
-/D [1221 0 R /XYZ 85.0394 449.415 null]
->> endobj
-1251 0 obj <<
-/D [1221 0 R /XYZ 85.0394 377.9399 null]
->> endobj
-1252 0 obj <<
-/D [1221 0 R /XYZ 85.0394 377.9399 null]
->> endobj
-1253 0 obj <<
-/D [1221 0 R /XYZ 85.0394 377.9399 null]
->> endobj
-1254 0 obj <<
-/D [1221 0 R /XYZ 85.0394 374.4276 null]
->> endobj
-1255 0 obj <<
-/D [1221 0 R /XYZ 85.0394 359.7228 null]
->> endobj
-1256 0 obj <<
-/D [1221 0 R /XYZ 85.0394 355.8757 null]
->> endobj
-1257 0 obj <<
-/D [1221 0 R /XYZ 85.0394 331.806 null]
->> endobj
-1258 0 obj <<
-/D [1221 0 R /XYZ 85.0394 325.3687 null]
->> endobj
-1259 0 obj <<
-/D [1221 0 R /XYZ 85.0394 265.8487 null]
->> endobj
-1260 0 obj <<
-/D [1221 0 R /XYZ 85.0394 265.8487 null]
->> endobj
-1261 0 obj <<
-/D [1221 0 R /XYZ 85.0394 265.8487 null]
->> endobj
-1262 0 obj <<
-/D [1221 0 R /XYZ 85.0394 262.3364 null]
->> endobj
-1263 0 obj <<
-/D [1221 0 R /XYZ 85.0394 236.8919 null]
->> endobj
-1264 0 obj <<
-/D [1221 0 R /XYZ 85.0394 231.8294 null]
->> endobj
-1265 0 obj <<
-/D [1221 0 R /XYZ 85.0394 205.1097 null]
->> endobj
-1266 0 obj <<
-/D [1221 0 R /XYZ 85.0394 201.3224 null]
->> endobj
-1267 0 obj <<
-/D [1221 0 R /XYZ 85.0394 141.7069 null]
->> endobj
-1268 0 obj <<
-/D [1221 0 R /XYZ 85.0394 141.7069 null]
->> endobj
-1269 0 obj <<
-/D [1221 0 R /XYZ 85.0394 141.7069 null]
->> endobj
-1270 0 obj <<
-/D [1221 0 R /XYZ 85.0394 138.2901 null]
->> endobj
-1271 0 obj <<
-/D [1221 0 R /XYZ 85.0394 114.2204 null]
->> endobj
-1272 0 obj <<
-/D [1221 0 R /XYZ 85.0394 107.7831 null]
->> endobj
-1273 0 obj <<
-/D [1221 0 R /XYZ 85.0394 93.0186 null]
->> endobj
-1274 0 obj <<
-/D [1221 0 R /XYZ 85.0394 89.2313 null]
->> endobj
-1220 0 obj <<
-/Font << /F62 634 0 R /F57 624 0 R /F11 785 0 R /F43 600 0 R /F77 703 0 R /F42 597 0 R /F56 618 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1277 0 obj <<
-/Length 2680
-/Filter /FlateDecode
->>
-stream
-xÚ¥Z[“Ú:~Ÿ_Á#T¯%ßÉÀÉÉ\–™œs¶’<£WŒMl3Éì¯ß–uA6²È©-Ð¥¥OîOÝjµF.üÐ(0ÁÉ(J|'pQ0J÷Wîh }Ë+$d¦RhªK½¾ú×MˆG‰“„8=¿hsÅŽÇhô¼ù2ž9ž3ÜñûÛ÷Ÿn–«Ùã‡ÿL¦8pÇ_ÝÀÝÏyåéór¹xz^ˆêj1›ßÞ/AM¦Q˜¸ãÙããâ~~û7Y]Õz½xš|{þxµxVËÖ ¹[ó«/ßÜÑžðã•ëxIŒ~BÅuP’àÑþÊ<'ð=O¶äWOWÿVj½íP“ª”ÌÔóð/(4HœÐÞR¨ï™*¥˜B¿¬n®±àoýçEtôIÏ •Ô9vjØGN€£.öl2õP0žß?±‚?^­xÃKYñÂÓ¦ÙË[Vly½ÙQ.ù©LI“•o._„8­^³”Ö{–ÞÃc7q‡1,›A¿ƒjig#—Ç|]‘bSÓ‚@™÷<NNÆBìÏIŒ³_ÃÒ¦\ÓŠÁ¦
-aŠ“n€øÐÜK†à8¼Àª&eaUJ)VQèYXµAk¬ö±Í¬êØŸkÎÆ‚/(Ü ­
-Úð'œõ—¢!«›*[!~wû÷bÅ‹×eÛaO
-1v™—k’óòl³©&(ÓºãÈáÀÀÏé÷üÄñ4è÷¹Õ·åSΡëp˜—iºËÊwÜU|$Å‘To¼ôƃô†Ðâ NP&W
-iÜÆÃÜÚpOÔöÌêÀ+Z—ù‘›öÂÖì°?£ˆ72¡cËJJyËí†MöÕu1­jÞtä[„ n·k›—{’‰™ïÉžòº¡{¡®çDq Š½d¼rÄd¤ÈhΧhM™5Þ9‚d9´Cò%yË’, ª(Ž†)cØùÈ»À±&e!YJ)–±çZX¶Ak4÷±Í<ëØP±»¿Ò)¶BsšÓ­p»í™JÓ²Úðrë²YóÉ¤ïŸ ´¡8p°§³Æ&rÄ!Ü|ÏŠº,D³ô®]`B<RĽ€ßý¹aíEŠ\þ ­a9ýúÊ”3âÔ à„.œµº”…S)%9EÈENmЧ}l3§:¶ÒÇ¢HË 7?¨µ6 ÿ÷´ùYVßE̯îiïÔ'¨xž$xüv
-Þ¿²³C•å’ó8´¼  #;KºÔ0KJêĶœVèKgØF–:Ø+úã˜ñ3m^³î×éeµe-%¦Rw‡<K5Uô=‡²jLŒÕ$“‘É¿¯¸m³!ÚH7âºñÓÑ¥,¤H)EJXLÇ
-­‘ÒÇ6“¢c«“I˜†Ð(?™x¹©ŽiÃ=ÚÓ¼æ5 î0 œ0òü®ò?
-ãx‚i.ï?UwÊúÃ4°0&H.Ù†&e¡AJ©SÉC‘…´FCÛLƒŽ}“ºÎÛX¯µ…ûél>_9³÷.³ßQ7<TÔSö¡ìE¶)¨tBKѸl.[Ý—eó®Çnϳ®fÊâ#Œ=oäaZµTîƒñ}ïB¨©K ®¤NvçY·BŸ?Ã6ÞÁ¾.÷{éÈ”.æ¤!¼t“傸#°ðr{¬4×·¨8gUm C"Ç}ßrL½§´'Áˆ7h|~9qr‰Š“… !¤ˆHåžnÃÕxè›iЀ,¨IòžAüs.0ǸËÅ\Ò@`läË溮&ñ¸s¾_ûà?<?¼p¿Ö¥,dH©SÖY¢s+´FGÛ̇Ž}¦ûë*ƒ° #½`aîêìТÕ+ÜÂL Aä†àßdœFŠB¿çýúc¡És(‰Ñš4) MRêt‰B‰…&´FSÛL“Žý¹¦Ý[Ï,ÏHMû±]'·e²àêïD¸ï»î È>Ë›³øO^±þb¶TeÛ]ó/Y^QjtO(íR
-Y« Yëó!4.EGSÊ’õͪuÖT­«ã½•B˜5"afô¨pº¹ºCõ`N¶Ø,«²¦Åš÷¢ýŽ¼‰ü¥ÕO_Ÿtì]Šöu) RJÑ!ËÌ
-­ÑØÇ6Ó¨c Bʼo §„®Û­9Ï÷mPbß8gŽtÉ{"Óˆ÷å+Ýë–7ÎM`ñI|AÏš”EÏRê¤çÄf.6hMÏ}l³žul¥Ny5íjûSI62ÈI‘¨Ûó!vèç“ž™““ñC•ÕiiÊ-ÀÕkPá®ë øRVO—²(\J$ß7X¡5…÷±Í
-×±Åé\r©Ù:;ÛåÆËî,ÏåSäàA9èr𠢂Éq»#ÅÐÆήâ±·E6¾.5̃’:Ýcý`˜+ô‰‡3l#lu&„¾Ì´±"㸤x; ðÒŠ%Éè+pgJ#`ÇãHóø‰×¦ØÈ?rZÀÙÔ¶be¬ç/FN™¿ˆj KÑÿ°…ûöú­õˆb¸:.fÿ¼~‚ä@Àx!ÎÓ¥,tJ©¶—˜VhÎ>¶™N{¦î=¯ì=‡Œ¼n¤A‰° gzzŠµ6[žñd‡3Æý®­1¶.ä<ö&«t#»u]æ´é'³>Ùþ·¹Iç-~Á}$c-òÙV«ÁÀűƒ.ùUMh˜)¤… úm¸'öûÀFòu`~†áPOªcñb þ—´ÜVä°ËÒV5ÐòÉâECìÄAè/´ÐøÚáo¿BÓ<=mÀ!*LwÇü¿T´> ùÇœfMAÕÕº8‰Ð72p°nÊ"{'ìYâwìy J9ÛEìK¯ŸÀbkàɹn?u=¯ÈKcÚà.³A'öSk£â@Ž‚²ß~ìq;¯ù¬“¨ì+Txº,aºacx#»^qŽ`ü¦L2ÅóOØ?Iý]äEñ¥•ðw ¤þÎ…oJñÆ4ë#èÝQî%Ý®6ÅßÇí!Eìõ5-RÞšð{´‡ªŸß& p[ Ûg¿@cÝm{†@¹ýFnè+ÍË{>XQ˜ ñ­4[–ƒie”¾ØÀ”´ïu™M³jÁ2-tÙ} îòøÈ-Ÿm*ØdÀ/´î,òÆ2÷™Á‘Åv`,ÝHÔÞÞ¸T½+¹hmQYaMùÿcÉÝ ¶îÚÒL4ù­~ZÄBLÖ~(óF_¨ ‘9fòiZî§&~ìµ1›¹ãõÿç;
-$sž®’¤Q"Bø´ ¡ò"=¶çj^m— ÿœEð âÓ‡Éñ.®D(ìÈ«˜„ð¿<{¡5,×ÚÝ
-ÿuö‹öeÑìÄXØïr‰?ÁõìL*Vè+nÓÝÌç Ç®TÆʇÍéf¿~S/T3á`ûìJ‘W2Ôþb2¸_W¹‘ÿûƒ*-U9^<tã„›.0‰XÓGŸ­¹öBlXúÿ
-endobj
-1276 0 obj <<
-/Type /Page
-/Contents 1277 0 R
-/Resources 1275 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1196 0 R
->> endobj
-1278 0 obj <<
-/D [1276 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-1279 0 obj <<
-/D [1276 0 R /XYZ 56.6929 769.5949 null]
->> endobj
-1280 0 obj <<
-/D [1276 0 R /XYZ 56.6929 771.5874 null]
->> endobj
-1281 0 obj <<
-/D [1276 0 R /XYZ 56.6929 747.5177 null]
->> endobj
-1282 0 obj <<
-/D [1276 0 R /XYZ 56.6929 741.0838 null]
->> endobj
-1283 0 obj <<
-/D [1276 0 R /XYZ 56.6929 714.364 null]
->> endobj
-1284 0 obj <<
-/D [1276 0 R /XYZ 56.6929 710.5801 null]
->> endobj
-1285 0 obj <<
-/D [1276 0 R /XYZ 56.6929 683.8604 null]
->> endobj
-1286 0 obj <<
-/D [1276 0 R /XYZ 56.6929 680.0765 null]
->> endobj
-1287 0 obj <<
-/D [1276 0 R /XYZ 56.6929 623.4385 null]
->> endobj
-1288 0 obj <<
-/D [1276 0 R /XYZ 56.6929 623.4385 null]
->> endobj
-1289 0 obj <<
-/D [1276 0 R /XYZ 56.6929 623.4385 null]
->> endobj
-1290 0 obj <<
-/D [1276 0 R /XYZ 56.6929 617.0603 null]
->> endobj
-1291 0 obj <<
-/D [1276 0 R /XYZ 56.6929 602.2957 null]
->> endobj
-1292 0 obj <<
-/D [1276 0 R /XYZ 56.6929 598.5118 null]
->> endobj
-1293 0 obj <<
-/D [1276 0 R /XYZ 56.6929 583.8071 null]
->> endobj
-1294 0 obj <<
-/D [1276 0 R /XYZ 56.6929 579.9633 null]
->> endobj
-1295 0 obj <<
-/D [1276 0 R /XYZ 56.6929 565.2586 null]
->> endobj
-1296 0 obj <<
-/D [1276 0 R /XYZ 56.6929 561.4149 null]
->> endobj
-1297 0 obj <<
-/D [1276 0 R /XYZ 56.6929 501.9076 null]
->> endobj
-1298 0 obj <<
-/D [1276 0 R /XYZ 56.6929 501.9076 null]
->> endobj
-1299 0 obj <<
-/D [1276 0 R /XYZ 56.6929 501.9076 null]
->> endobj
-1300 0 obj <<
-/D [1276 0 R /XYZ 56.6929 498.3987 null]
->> endobj
-1301 0 obj <<
-/D [1276 0 R /XYZ 56.6929 483.694 null]
->> endobj
-1302 0 obj <<
-/D [1276 0 R /XYZ 56.6929 479.8502 null]
->> endobj
-1303 0 obj <<
-/D [1276 0 R /XYZ 56.6929 465.0856 null]
->> endobj
-1304 0 obj <<
-/D [1276 0 R /XYZ 56.6929 461.3017 null]
->> endobj
-1305 0 obj <<
-/D [1276 0 R /XYZ 56.6929 446.5371 null]
->> endobj
-1306 0 obj <<
-/D [1276 0 R /XYZ 56.6929 442.7532 null]
->> endobj
-1307 0 obj <<
-/D [1276 0 R /XYZ 56.6929 386.1153 null]
->> endobj
-1308 0 obj <<
-/D [1276 0 R /XYZ 56.6929 386.1153 null]
->> endobj
-1309 0 obj <<
-/D [1276 0 R /XYZ 56.6929 386.1153 null]
->> endobj
-1310 0 obj <<
-/D [1276 0 R /XYZ 56.6929 379.7371 null]
->> endobj
-1311 0 obj <<
-/D [1276 0 R /XYZ 56.6929 355.6674 null]
->> endobj
-1312 0 obj <<
-/D [1276 0 R /XYZ 56.6929 349.2334 null]
->> endobj
-1313 0 obj <<
-/D [1276 0 R /XYZ 56.6929 334.5287 null]
->> endobj
-1314 0 obj <<
-/D [1276 0 R /XYZ 56.6929 330.6849 null]
->> endobj
-1315 0 obj <<
-/D [1276 0 R /XYZ 56.6929 315.9203 null]
->> endobj
-1316 0 obj <<
-/D [1276 0 R /XYZ 56.6929 312.1364 null]
->> endobj
-1317 0 obj <<
-/D [1276 0 R /XYZ 56.6929 297.3719 null]
->> endobj
-1318 0 obj <<
-/D [1276 0 R /XYZ 56.6929 293.5879 null]
->> endobj
-1319 0 obj <<
-/D [1276 0 R /XYZ 56.6929 269.5182 null]
->> endobj
-1320 0 obj <<
-/D [1276 0 R /XYZ 56.6929 263.0843 null]
->> endobj
-1321 0 obj <<
-/D [1276 0 R /XYZ 56.6929 203.5771 null]
->> endobj
-1322 0 obj <<
-/D [1276 0 R /XYZ 56.6929 203.5771 null]
->> endobj
-1323 0 obj <<
-/D [1276 0 R /XYZ 56.6929 203.5771 null]
->> endobj
-1324 0 obj <<
-/D [1276 0 R /XYZ 56.6929 200.0681 null]
->> endobj
-582 0 obj <<
-/D [1276 0 R /XYZ 56.6929 159.3692 null]
->> endobj
-1325 0 obj <<
-/D [1276 0 R /XYZ 56.6929 131.475 null]
->> endobj
-1275 0 obj <<
-/Font << /F62 634 0 R /F43 600 0 R /F56 618 0 R /F42 597 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-1328 0 obj <<
-/Length 550
-/Filter /FlateDecode
->>
-stream
-xÚ¥S]oÚ0}ϯðÛ‚´xן±÷ cT0ȤM”i-4 šº_?;†4´t{˜òbû~œsÏ=!ÌG˜æ(Ô ¥;Љ<rÌ NIA7«Ÿx>IŠ4Ö’J”Üvz) J”l—~4›Å“áø[/ ü÷pzÄ‹^Jm̆$øýqÿz<Í£Ùçï®èD“¡»,¾ŽFñ"‰×y Ç“‘I!½UråÅIK»;f9ÿô–+@[3ᕘi%Ð/sL´¦hçqÁ°àŒ^
-oá}iv¢Mé%©SX(^ЊSDÖBÐ3±„Æ’QæÄ2*°^@ÀH4­ï³½rX¦‡]öPWG7å¡vÇþØèbævÝ9f\6Ý °&ºi;Ïn³}öfÕ›˜ÿÇöŸ“Ü@¬³|Â4¦¡Pm+ ¼$«—ˆD
-UÈÄæpb<EAø뇭=È®H]Æ’c­Ì2›ª÷®f¶>®(*6yýû¬“ðû<ý‘Õ.ã:?Ø*ÂýAùø´Ïïîk‹‚Hh,À¹²6p‹M>áü€bc}ã”NÞ1̪„b
-endobj
-1327 0 obj <<
-/Type /Page
-/Contents 1328 0 R
-/Resources 1326 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1335 0 R
->> endobj
-1329 0 obj <<
-/D [1327 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-586 0 obj <<
-/D [1327 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1330 0 obj <<
-/D [1327 0 R /XYZ 85.0394 752.4085 null]
->> endobj
-1331 0 obj <<
-/D [1327 0 R /XYZ 85.0394 717.7086 null]
->> endobj
-1332 0 obj <<
-/D [1327 0 R /XYZ 85.0394 717.7086 null]
->> endobj
-1333 0 obj <<
-/D [1327 0 R /XYZ 85.0394 717.7086 null]
->> endobj
-1334 0 obj <<
-/D [1327 0 R /XYZ 85.0394 717.7086 null]
->> endobj
-1326 0 obj <<
-/Font << /F62 634 0 R /F42 597 0 R /F43 600 0 R /F56 618 0 R /F14 608 0 R >>
-/ProcSet [ /PDF /Text ]
->> endobj
-875 0 obj
-[590 0 R /Fit]
-endobj
-1336 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
->> endobj
-1180 0 obj <<
-/Length1 1628
-/Length2 8040
-/Length3 532
-/Length 8905
-/Filter /FlateDecode
->>
-stream
-xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä0 00Ì ÝÝÝÝ’‚R"‚´t ÒÈ‹>ïÞûüž³?³?½¿w¾Ìÿ^×Z׺î7¶‡Œ5Ü
-¬‡¹rðpr‹ t´P(ÐWç…C­fL9g0ЇÉ]Á¢
-Äü{fXE
-0Üú÷äè¹aÖÃöOÃoäæìüØã?ûÿxýœÿŒ=ì a.ÌÁAb¡ö™9Y® Ä£ò/z{xÂœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
-rn­êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
-b¬Å7ÎßÊçÏVð™h9Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ êt›œ(†Ì%³LÇî)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý %õ‰>•pjÕr{2–ÂwÍ<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
-~"ÅVöè=”Žòíí`õ§ï3t;k‡–Bf?õ[¼„Y®¤¾ša£„+gl’ft]ÎB‚²w3ë‹,£ªˆôkêyô’­úÅ>¡ï„móW¯µrÅý¼0Ï”dË#»§BŠ¸ÝUJàžuÕñÆIÍôaòÔã·×¸§ ™ žL¦€Ädô<­cË-8àÒ—£t‰Äº4ú£|©D„¡¹šŒ]¸ãÏßE¯¡>ÓR·9xyôöŽ[Ìï`º~ͲûDœ¨'ˆº5e[-0GMÓ=KÊÊJþ&â&’PøS¤8ëãin,õ 2PU«r`ZÅÄí¢v8Q—ÁèÍ ×ë¯oã»o[2ÝO2Ó¾Ðm/Ÿß×Y¿üìvV¹"_=5Ó›é¶è áaÖ™7þv|g “y×&"YæЖ(¾+ÐMoûÁ|°>›à¦± vZÎI ÏW´Ä%^‘›üˆ¯­Ú]Ö%½ZÆÁ_Ï@ÄRdçÒÄ9è©‚†õ‘kãC¾¥HzõOlnÕžÝÍà™>{óbÙ7U^|ä-)G?
-8òÞ¼x“mì¾%ÿjã=!•š[žž;[#ÆŠ™ éJ©/A%Ñv–µû`éióöí؜njP~^z•çQ•7˜¿\扯â ÈÛ.|âùúÁèéá™
-¸È÷»Œq„z`²\F棖ûEœ!~õT¦¾\Ž'4/ýCîe– 7,î9tãÒ¾Â1 ¦’·IM^y/¢˜kIm;˜¨½}O«•oÐHâ•¡Ç6—]í7ôh`† J­TÂcweófœkÔ­—ÕRÐÓ(9%Ö¯c
-Ó·_Ü€¡èüêr_7ýGmÔ&œÐ‰lÞÆŽ
-Kê#TðÖ†§øñÞ ¿šûDE&ñžËœ^QH¶!’Þ»¸>àáÉà̹ç$ÚxþF`Š×Í4IŽ@N@ÒÖ>_9²J¾ÃEúOê
-uÿ'¢µ?s_¯Ð‡öÿŠ˜'u
-BêH—‚?ý
-$OíœàÅ€DÈ
-¶_O®ð -¡;…®u§uªºXÄ[AŒù××¼^L¹ê=_󱑵ħŠfJ—äÌ;7œ1¾,`_q”¾´9›Œx•±tþ”
->C{(©¼Ê°nwð,K ?EÚ7þBq&‚´”jɸˆ·?è¦ú-ŸCØüƒ%¥uXcýøââBïÅ ´;ÁµÜ3höŬ ¶÷Ét(‡„šœì :î´cØ¢>:ƒ‚¯úò‚#ÑǤ_VItSÏ$ëŽ`ø~"ÔܲÜr$ŒU–Y7÷“ø?¢ê¹iâ¯ÉqÅõãÏØISª5ñ4Â…èÑb“EÝêÑÑn›p³ú†-.ä‰ìošå•Hû~B»ÎÂî‚T§Z§Ï_)©OqÓzèß÷>ë˜Ê;­dpI¡rr1ÛA
-öÝPî2Pw]¶u¢èúä»(£ý/Ž¾ªˆ§þßÜ¿~&æ[1¸Aé-KžÚEО5JÃ÷.føzßwi°h“bLñB³ß6ˆ
-ÃÐÙ²¶©HÈ  9^©;¢Ìœp»Ãm%{r7E•€ÏŒµÂE±…ʨ*o,„ó QÞúʭ䦀(ô$íªy{Çgk9©‘5Â1ª0Û˜F3ŒÛ!s0¸4XàŠú#r¥Æ2á\8nqå°Ãs}䮀„s–è5)q…i¹C9ad¼¿`u ^<‰2@´ÄR­×$âƳ—xº>áÈïž¡wdª‡}Té†×ÎÂËõ€Èøt\1Ü~‚9 ÿ½8ia D9©ì"Ð!gÑßqÝ ùA“ׯøŠ
-»]‚ÄÙªAÓ8ﯙÎd@Iî?_ɽŽbÎJÊ8&1ß’bçy·ÌJü®J_ƒ|¡iïÂC®¡L;¡Æ–=x8"ÆÝù\šGd'—®®ðÖ/B¿ÝÞpRÆ'µsñX'MÂÁd;ŸäÕEûtGmý«†g¾ ¿¨öùWí},¾Ï†Ä›tÓk„fªõžÑ »›&oô/L¿ÇGìü²•âBZmÎOw݉Úñ¼>–¶ü^ÝvšÉŽHk6Œ´­¶DM0¦›}Öda'¨šßo·é˾xWp¼311ïçdϘ9óÅ­Ô§?¯jò>*§¨¦‰Ð:’-+X}7¿$ÏL\œö¦nD™ðì¡ÉX˜vWŠñ=mç¡|'M}„ç‹çÄ_’øÏ£÷rci%Åës܃ ¨ÄÏ,n±±ˆ" 5Ù½6ìÉ6úQèÒõmŽ¬öó–à+q®Æ¾ùÃ$ô|Òî]¾öÒñÕäË&æèñ²€Õ„KfVº”DfƒŒåZóbúä`#öZ·<Ò_Ç÷-¦ªÏôª
-_˜lg˜¨Î>«ŠTÂ70¡ðW~—ÛC!<ZüòþÅ#(·3¨bæ:ߨn¢Œè½Ù$ÞÄ‘Îf;®Ì*=ËnÙ†b…ƒ´ÂVE¼Á<öuBgˆÿׯxî×_ò­Ìz—XˆÖ`©Ö4siÝÏAí+<¾ŸãÁE.Q˜ÒQqúÖDõ”ÏÓ$`dlÚ/BŒñY<xŽ%Á„+{æÔ¢´®³N‡­”TøTõ”V3Tj+"}âžÂr}©Xž\L$ÓÇÈš÷ŽEh®Š-xù
->_ŽÎr¦x‰|„ŠúNx‡<7M–/&×gaÅj[²Ë±‹4—À¤ÀÖO–|¾1_JSw{ðÐıDÃP~ÜFY­Yy³]ˆ:¬aÔ_|žjÓM+ý­‚0@îhÅtÙl¿Êgšê…µAbDå·Ôw¿þ}ûYÕ×iîBÕ*jòýZö˦ÏN’FéT/Hn±úÁÖ“4ÑOEìØœz~Ÿ Þ88‡á ‹w|q£ªšîFªãÆÇ
-TT>/5—䬽%‰”dðqÚnCÃ%Î4ÃXDmeß:#ƒU¹Ø•l1~à 4±GL§%ÕëEЈ®ìÒ\;ãÛ8Å+§êJZdº×d¡K©¡ZÅIŽf3zV#W•c[Û¡*_-߈¯Þ­—¶5k ª€º—,ìd¿»Ìë÷S/úò¢×Ž Nâ)uóÒY~ ]ßjÑ×Ù˜fšuž²K,tÊ÷“\'gy¿÷5­<TÏ4CUMà£Ægÿ3Q£8Nð²Ã‰ËzN5\/MØr®]SÝé}pæ§VD@™:]¬ÔË7>1ÌÈéC•'ÛEÆŒ!…Ù7aVì:ASQ×µ{|ãÇj9YÈ4Ö|m Î·*_íw4ø!D1 ñX¿Ù¤X•³ç
-t‡Í=žÝbóÆÃwî6ß"£“˵?”JËOP2RÐ oQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ­(e÷åû È"QÔüFØs(úF$'‘qL ®/¶!õÔ ¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ° gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
-ÞyŠGÝ ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’ ¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?ÒK áéá@F)Ø,êw÷ó?È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý @¥-«ä%Å~jÉwXjz1îi´·î¬%uÕ3^¿±g¸`d+ÎK[ŽDe—„]âò†YèÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š” ™v_Å [ªJÖ®²9m=·âú?\‹k>¼à¬‡¤*³Ñ³ž,Y ê<‹ý¹uÓ Z/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_ï‚¿œ%%½¥åŒìé|°D>W²7}C–Í#—ZR¸­$º`bÛGο…a¿9gÝS%\”Á/œîñhC|?s§ Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
-üõí+uqfº`Îa‡„°£â,I§ã¯½/‘˜÷ÇÝ›Á¤'P6ߢH‚Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)wL=(‚Œ£± L|)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í; ¯åä²fùOî{&*‰äyÒ¯9ÛB±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y ;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
-endobj
-1181 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 67
-/LastChar 85
-/Widths 1337 0 R
-/BaseFont /SPHEIW+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1179 0 R
->> endobj
-1179 0 obj <<
-/Ascent 708
-/CapHeight 672
-/Descent -266
-/FontName /SPHEIW+URWPalladioL-Bold-Slant_167
-/ItalicAngle -9
-/StemV 123
-/XHeight 471
-/FontBBox [-152 -301 1000 935]
-/Flags 4
-/CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1180 0 R
->> endobj
-1337 0 obj
-[722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
-endobj
-979 0 obj <<
-/Length1 1608
-/Length2 6751
-/Length3 532
-/Length 7596
-/Filter /FlateDecode
->>
-stream
-xÚítuTÔíÖ6Ò’J Cw·ô€ 
-3 383´t‡ ”´„ÒÝ ÒÒ-%)!)ˆä‡>ï9ç]Ïwþzßó×·¾YkÖúí¸¯}í}íûfg1
- €RRRDì
-fgp™™róòòýËó;`ãþÈÍI4Ìà¸ùp‘NŽPæâ|…0öP€- ¨è<ÖÒÓ
-ö‡†3†°û>
-jg‚À¡hô Ì öïéü«OÀëÞÚÉ îþç4òOÖ?9À0h(ÜV€(|SŒ¹©mC þ^-„-
-Äé
-rÊ­4~Ÿå[‚lñI ]’*|vQ$P5(}Uï>±åt¹ªÍ³ÖÓJçlI€îf2x±q·eÝçø(Á»æ/h•Kš´mé¹7®³ˆk..ôhí뀡‘UÎãàGÁÞOn_6—,_ª'Nw¼Áo+¢©É«°(ʲ·¶9b¿ý<áììíîúÔrp»m•ž7=š]Æ—”#Â÷E:½‚¹I¡ç+›`lgI\kp› —ÈüôMõ¢À|ƒ°²
-œ…›±Ø§Ï«Fc³}m½}ä®V‡6Gr\> "KªYIó½1Ÿ·²Ÿ÷9Qg††1„K<O›ÎQî,,ÿxtä’3¹ÂtÐ#¦»è+Õ8+ìǤÈF¾‚¡Ëñê>¬”(æ33óÞ5±§Kí9uæêMæŶ¯’–÷O÷‘™÷Å㣛RðsZ1ÆŒ^&}ÐùQ íívRæXnúv†e ^êÛ¤J³T×_+'wßsšßÚ&ŽŸjUH§¹ÿ0Ä~QzNÂí#(êyžJéêAB¢]±\ꞚǼû¼Å‰#¢
-»øã}y{ꔣx$󙹕Ä7ì) –/ˆ„³Îé4»×c§zœïÈjYÔRy°©ûJæ—V‹V¦wß“ó ÚÞÆdêˆô÷Ô·³0øò…i°sOí?¡Ðd˜¹ò@ÏéÞcxL
-çÚ“9q93š¹“Ù10Îd6NÞ”QáW}Þi¢ioRŠäqY"ã¿› &Ù‹²'IU{ö+º#Phq"!Ô}q§t°<>J*KIý s]/wûW3´¡Îú㌜LgŒq~2Ê΃U.{òªÄþ²Ô²LPšPPn
-%5èëÖ,»;e9øüNŠ Y‘ vÅ—/<<vǨqA%EªŠ·Y
-GáÊCÚÅ*¼ä7/*§Åín‹+¤½oèg¼cèÿ jÇ7^96Ü@xÕÙf}¡ñÂSµË¸õh‚AF—GÌ‘ÿZÙx~åÓ‹ú®2OBëðғͦ´z+! v2gÅÜ‹†‡´©h³+®,:®1wJ:ŒéÜÊéxK‰ûžq³¾êüX¢'ßV IUm;³ª€‡HS@ž=T_ê ÙöHWçËm_åè˜#hcWÂWF– ©R8O°rD›ö
-­¯Àäzú~ø£<)¸4<~v
-é‘XÜ…AÉ/½3JÈ…–ÆÊ¥íÆ„›€ˆÅèažÜ‹[òú6!C“KZvââ‰Ê¨\ïFfþÌIòÅê ”×½]’À"ÒÖ0ìª:ðžD¢Â“P•7vîÙú¶ß‘Øݬ¢š³›Å1]»õ¢[Æ0áë¥z‹Þ°3éØ)ÏuµO"n`·¥(mèž<p=i9: sPSk_A8ãÀ¯Ì4د¼#tH$Á›¥®k—f¿‡§7'2̃æä¢XañîÖ:ô”ä¦ò[ãDäfU½•Íß«š²íYóå/õ$´PìHK׋~(¢‹E÷I9)°I­4áüÕæ=©Œã5öVQìºÒ
-hY$7U3~ñ4päáÕLÔ
-U¿ÍChùLð(+G ÞNÒ±˜¸å yB{v€SÐjñpÅʦDÀú´ÐFˆå¬ÞõËþÝýKxŠ|¢[ô‘tU¯™ÞUgkÿ*C‰wt{® Áå;»ïöøͪÍ%ç‚Ý'×k®DzÓ ±ri;Ìi/[ˆ?–¡zí¾ï‡÷$ƵèÜi“¤Ï+õÎqM­ÆJ:¯V£#NWßÕ}èõ˜{¤lŽ­.NPGIÀ}5ÙéŸ8rè“2–î±"`ÅîpMûspÏ~ÉŸr Õ[âÜ+\øv»•èkIʦEæÑØ./îœN3ÅEÒlÜ9‡f²AÊ“!ü¢µö<qÕ§>›¹Jjÿ˜¸{…öÚ1U÷¼05§lî¸:—ŠÕ­¸”ä&öƒÝ]Ôßû%gÀŠ%ÉëO¶LK¹]ŠT”I¹eÓõ–FAh]A·Ã/@Ú>Pw"d:¹.ë”19M¦àÑ£ðs?Ù¢––~§wøÆÌ°£_ÙV ŽÏ^¯ÓåÝ_ì#ê97¸›6!”UñuŠÞE(ÚÃkj't…×É¿è9ÑSLy¥Ïyîqk·s»ùµ¾Á’yˆFQù¤ [Üëĉåûæ‘>s\N«:òܵ„Ø™³=7ZQØ··B¿gð*ù&¯½Œ}^&¾óDžgçµ|ÿODKoââÕ¯Oþƒ¤£j¤óÅʬ~Ö³Œ_ñådNT_/üd¥×’ÙH*$hç¤2/û-0Òó)Ëÿ ¸’(4æd‰nÿœLõIÊ=·ŠQª¢|kA89Ç»=¯°ãá>kŠv3ROn&Àñ‰ô9DÖ<}£º‚P³Õœ2~„û¸¶wÑ·Q±@HfÝÑ=RUˆ`¹”~k+³x˜’x·Š}Ì;a—r‘­2`å-Å0{ªÎ817™†Ý€)2hô»}hïë õÔÚ+W/5¼zæÖm(³ìxÿ›tŽú9B*«tË[p{•¾ò3\>ŽJï,ä6>à•ð좒
-É7)¬G»ýØѱ†ùÛ#3/éµåhÈM
-Z²Û¢: äL²%T1ãͨ—¥^‹?BAI_ì¹øŠ\3& …§Í-0ÙySŠ¨W³4¬«·;çæ±û«ˆk U,~уûáNp¾÷Uê¶]RÏìŒ{g|õóÒî8,-’-ë÷síKiØíÒ_zQP¢Y§Ï>3Y«ËÍgAg(æ)„ºkß-µE¤çÂuŠ¨émº.?}&í;!æ&B)ž(;H…uz\J.‡”é²ìQ·óˬŸÑËM:Û{gjÜt|ï¦Öz½ÚŒyfE.:ð“+ÿŠ~z=ŽóJñ¼Á@ÔHÈ:Âû¬º,À:¶ìâ5ôê ¾]؇ðI[í2ñêá×n­Þ/5mêÉ«¸¿-Êä’8\ëã“ãÌȺ)ÓIsN ~{ØE§Ÿ)n[,÷Úix„Ci?éÍÿ)ãTâëu|SÃ5^¦V²…÷èû ü¨HÖ°GîxWÖ"/‹Uí®lF³“ƒ™¨Îý@ÝZ{¤ë;!‘› ±À]¾dOÉ›ñ«²àýa0ØÇ««â}£@Ýä§oºtÍJF:ܺ²8Ê^œ1‘ûl§ªæEéRûošD?÷®=¼»=ÓX#ô
-]‹g<V³-£¦ŒrœBBÅ–ù°\DÍ`>kh ¢.@3‰\§NýVró²C#Ô?Ö¿`죋žÚªJò‘
-꧛qÚüw…£·ñb
-Ðj¥×‰"̨"Œ 'ËÑ7úׯ‡Ø:W¼¤Fü¤H®b¹j†CV¿UÜLzßìÕ‡OSS\W$?KÍX uçP(îVš#ÒîøÇÌv¶×{ª'Z‰=ìx©oïUë*^„Í›Ú\^OiJdXÜÛÖoQy>lÞ)ˆöó(ÏXäãè÷[nÔGÑ‹®ÝWèq±ÎÿÍ‹³n/²1EÅlæqéF0Ÿ‚õ—¦ìk#BÕibÅÓ‰h>ª
-ʃsdLðén4r¼™¼ Á=äÖ<º<@Úúšg×ʶÉÆ‘*<ã# bowP›$ÖÌç»ÂËlöh¼ŸrevVMRMÐ8t=jÀhqí»±¼bG P¹Cú•32°AöÍf»ïQ)‰•5W¤¹¶ÙŽà×¾€ ½>î‚ÒäÔC.ýR÷f‰9sï,çë„ : ~±+2ö$5è)ª8vM_wç¾Äè>ÉJˆûNn‚”ëäkƒãÀb6²F=kJÿÃÉ%1%c”oYfðkxÒ¶ZzhÛ~¡bÈÚô‘­’ó͈7VÒ®Óìç¢j0·Š«qW;éKsF‡·ÚZ;25߆o›2ÜKÉMšyh|µµÞ ˜{JæÀT\]·B/âfÇ@xP™‡ò|d1£z†Žî›Seå]MtÞSø:WRÊ*ÊŽØ[cñŽð"àPE?îk'ÚÓÆêù²ŒHûÀ#²²£×G®–®/5¿âiËÑÓP [ñ¹Û?1ðßÁm“·»×@ks)j[Q¡1bD"¯‹[kbî%Ö”àbéÞ¾ÄLwðžî–“écʽ¾ÍÝÉÈQî"å$×3Ѓuq²wžõ$GM³þßviJ¾ÔË×d=5g»S–¦þÃsÒ;êiYŽÃý…Rnä®&nÇô;\·ªLÙqÄü˜²Ir™˜íµ½5e¶f""Áµj£èÓÒãdÂFÆט)ûó§¸ïôeQ™²ÏºùH{u׎ÈzÝsš…0æ=q<¨œ\¤Z©ÇûR‡\¾óc;™)‚ƒpt`õV«c‚pãøf“€60±‚]%]çtv…~ýͨ‚¢$ÙÔpœSõÃÐÍéóÂ7mgíq‚2ì¹yßÚ±œL“­ªr ªÁ~y³Û †o¼ú îå~ácìðdùÊöæÕ«“B¨U/‡¬S¬è =g×
-v
-Åõn`ÑSd)-Š…ÕY¤Ch§ÕÍt%-‡ÃÊ
-ãFaàÁHœ1a™ŒƒÍ°.Ç®üØí*¹Ô0y‰FÝ
-Ï6Ý_Uô]#ó±ä
-ŠŽt39‡nßh˜ã ÀÑ0½1¢| =FL§d’æsÙ_Ù£“-"¦‹Ï*³8/©h…—¨ÃçäLrÏ¢·rb¥{›±\&®¼ jÌ I_¾l‰Ï¯ÔB² 2Ýݪ'Þô\E–j“Ðò͈?Kåd—¡·–Î#·È÷!t%)G¬”–Ò¼çF–ß?ϸˆ¼'ùY3{Ä&v(£ÑÅòÌïPA¨¦,‹vä@)!~®RìõôÉ7ЙF®è”{¸ûäº2™ vFéä9"¹nqx§Ä 4þ5;G\tHê!2ìM)­Ä‚E,vµæ-ô¿üý€ÿ'
-ƒt´F='ú?ö-žKendstream
-endobj
-980 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 36
-/LastChar 121
-/Widths 1338 0 R
-/BaseFont /GEALIJ+NimbusSanL-Bold
-/FontDescriptor 978 0 R
->> endobj
-978 0 obj <<
-/Ascent 722
-/CapHeight 722
-/Descent -217
-/FontName /GEALIJ+NimbusSanL-Bold
-/ItalicAngle 0
-/StemV 141
-/XHeight 532
-/FontBBox [-173 -307 1003 949]
-/Flags 4
-/CharSet (/dollar/hyphen/C/D/E/G/I/L/N/O/R/U/a/c/d/e/f/g/i/l/n/o/p/q/r/s/t/u/y)
-/FontFile 979 0 R
->> endobj
-1338 0 obj
-[556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 722 722 667 0 778 0 278 0 0 611 0 722 778 0 0 722 0 0 722 0 0 0 0 0 0 0 0 0 0 0 556 0 556 611 556 333 611 0 278 0 0 278 0 611 611 611 611 389 556 333 611 0 0 0 556 ]
-endobj
-847 0 obj <<
-/Length1 1166
-/Length2 7568
-/Length3 544
-/Length 8381
-/Filter /FlateDecode
->>
-stream
-xÚízU\›Ûömq§Å‚+(îZ(ÅŠ $8Å -îÖâîRÜÝŠ(ZŠC ”â.åÒ½ÿûì{ö9÷é¾ÝßM¾µæ˜ß˜sŽ5ÖÛÇʨ©Ã- v´„<s„»póñ
- —{\×Ö B
-¿‡­\ pW''Ö† ]V¤Àú¾³ÿ¬
-wtòD@ml]
-$Ôx|¿pƒÀ~Wº§P‚À!ˆû¦Á¿s5­AŠ`¨Ëïqì¶..Nb¼¼NÖ È}Œi͇¸ðrÜ7ªË;:ü&@âþÖLŠ€XÝåÉûOÝìáŽîpïÿ[Cáà?F»:ñêÁ¡Î®ç
-ÿ“|Âý;fqù¢@~
-ññþßßáòñÀP+€%Äæþþf¿C¬ÿÜ«\PÀK È
-ï]sÿàû¯–ú7ü¿ëŸ5ž¹Â`¨Âþ§€{=
-w~ÆÑJüµÝ‡×­U²4îÜ›cO{„ôÎî\p#a(ë<¨Ýê”öÅ4Ù§"‰é
-šÃ¶R/ÑÔÐPBbh#…ÝíEåÚx°ˆI‚‰Q•C©wyj$ÔÅð°ÙÇ=Ô±”É™ÛòžýÊûŒ¥gF¬Rò£Ä:!Žd~tÆß·œ50ièKsËq4¶f8Dɯ÷4”a¾Zb˜SCí
-@»À7Éx*õ—l*Æxõ»ç$åmÄÓ3½r‚~S!J¸.,iŒŠ…ÅÚG;ø¯lKZ¬¯ª†œrUžš:-<éË„×ÏÚ~¯‹˜oå²÷%ÂŒï+Š´ÅCÄ,S%­7 VH0“"ü/:æúñdõ´l¨2ÔÚ”OOkžÑ÷¨¸‘>_©QÓë ×F™3LÀÉ›l´¨WuÎõÚŽ dc×{¾j‡Cëš}Ú$<<® åß5‰r:x °¶ ø'Ç|î†Ô0ˆ“jj?sSª\ Ow“®ØhF §‰èÙî½ì0Ôíö8\Q2±Ø’úüTñqø&/_]4ç –@”·¯ÎÔ[Þúxù¶’-_å³-
-Ÿw?P®œÓ3ñbO©µtª•‰•R"½ …zK¶Mç”|²²z”®¢æbÓÀ^:*ÌÑ)ª!v×¥^x4ÆðÔ\ý¯ ³[¹i½ZJ¬ïÐÄð ©žñVóàãœëÇ  =£›çf¶=Vtg@ù4I,Ô¬}®.ôéEkÚBÎ>¨<>§I®8Ô›jßhC&˜¶)#tðÍåm†ßÛSõ—]sÔæ­NÐ@M?Û¬ëK*¼ò@Ö‚ã•ü—­J{¢ÖþôOæéá+k›¿|Yß^JJ©ó§}cšP«xµ¦_dâåËÅ~{sR˜ƒýÑ| ?S<QN‰ç‹„·äèí°þÝŠ¸Ð‚nºZ¿O‘;'/’“lÉÆ”Ÿ¸;r@o}œÌÎÝû””ˆ³eC˜s8y6H™d5øaÌئ|mçûÕma¹”Æ#87½“Ff»Sφäö
-P‰®|Z‰ÆBÒõ:ð}ûK\|?T<©ánÒÅ_[ Œå:ÓM[Hn¹<ø"—V<hUÏ!‹¬KPÐû®dØ£5?¬ë=j VþŠÓáw4Q]ºËY±I@ÉÙVó·Ÿms0hë„;f&u5R–Y‰—‘6ºÅEÍW²ÿñO´9-èjÙ¤ýÆ…t1SB€P I”†j)y
-%;³}«Õ!ù˜R"ÑãMä“´Þ¥O,7-32ŠGbG#á–ôüΖX‚C]´ŒÖ#iý?uŒ£ž
-Ìxª1”)‘>Æc¢ˆ2¤ ¯ Qž¸õ ©4mO¸6u˜¸9[ØŸTq®@۪РMMØi#r™±§žÉ!ÐrtèõGÓŧvsíõ>8­¡ gGÅP0Ynˆb쟣z]¢xÍ"ÍH´äX<öLfòú"Uγ",,Dø¶ÊúUåÉδæÎt š˜¼:Þuß½‘°¸[®]汎  çÒ0@ˆFÚ<‹ëŒœ^PéxѼ¹²±k°0íî|È–&, &£$ô'ÙfÒ§m2WHéfÜßùVGºH8Ci¦cZW‹/)R#ĵ¤1ôíA›ì:žþ\4wmIεGcØh‚çôÖ8(ôòã|¿DÍp)B:[™LjÔ¡pkTÀFÕUNšÍéü†Î –kP‘U '#Ëz9b„œ/E7[èÛ‹(VÚÅ%ÑH‘R'Gj½ÞXsÇ=io"I&ñ£”8`ÅFјúÏ‹Ö±(Aé3úè:È‚ýÖä†9kévˆØ8Í+{U˜NEsS9¬)ÓUâ•/´›vU`c¦jVb¬+64¡…#ò†å®m§gôXj0F§ÎNÑvÚï«Jí8?|ü Ñl[]טf~@Í­RÐdíyS²øÂç€ê
-•0ž²Ü™÷.U:„{&û¤?xJ›ZTHHô\¼2Q¼y¹EÆPÔ‰ãÓþʘ¥éµX²›æ(m
-7sïTîT Ò­_2æ%~Ä©kÖÜ3Œ: ZGíÞ•–sœ ±óéš(cœe¬2X.3¹qo"â}-ÂßȃϬò…¸`%v—ºþB’´ªL0Õ†çöõ7¼ /Áó²ª0–ÜçŸiq.ítðÅ…º1w¢s:ÜÍLË »D\h1qYÇÑ‹ ÚÞ4€k¾—!7_S ϘV?“¼#p}í>ãß)BO&´ƒrƒË7Ÿ)¡&Ô&²Ëõåuv/ÑÅÅkéWŒeoG2¤(RôºlÛ¿²Ø2Kn¥*ƒ9Õ Bžõ¼×¶©x¤ŸßUû=œ•p#úŸN&“p÷Iƒ;ï»Dk Cá!aºÝÍ$ŠÞó5Í(BIÉñÏ8¾·ä¨¶Ëy}'œúÊi"º¬Z>‡+Øv®Ç¯‚ÊEM­Ñ±¹EEª¬%ÅŠ†Q¢ UÊÒÒ‹èÓ…^%T‹ç¾Ð¨fýf¨³Œ1ùVGA«@`ÇJ–‹ßÓE T²‡äzR…¨ro-nùŸwódËÍ æ“•¼“Õ-ˆ–÷Œ¼F“TåŒ{*éöFA×r GœWçÐÛ2 ¹xiaq :Oê.«<U6i9#ñæS‹» "W»ú€FŸ¡’:fZän†äŸ®cŒk˜údªl†­;¡†Ñµ{xµ 8XWuMÚÔ$Ï™œ´ã¸âoMN®2ž3MS”:]}:¨Ê~ב—L|årýJrtp¢1½ð« O/¾4HÝÝ_ñ—Õj<ª]h£¬µëHø£˜¨ŠE~u‹ZEýÓtÀ
-ʉŸ¸Ã¾ÌܳBÑ'ŒVÞ¥‚½ þ¾øECÉunŠ”|Q!RsÍÅ~bP˜œ¢ÊÁ]UQÿî Ãý^-“@E ÐÉËwÆ%R£1ù³*õͨ”²u)ˉ}šˆÐ"îž²u0”iJ%JÓqc^GÝrTâÅ£YTìo­N½æBµ'¦Àүʶ­®4ïü˜ÔД’Ÿ¡_(ó¥ƒIòœÖüŸú¾[ ‹O³(Áûc3‚á(&™a—`.qÓm·]ðS\ÞÁãlòX'Æ0eSË« ¿µ
-'ÞÁÝ%·TœnKMõòw-Vקª¯ß‰”s[¶Û½åÕµý9ÜŠÆ2v‡z¸
-ØF”oýBtM®',ql|J
-S&WÑ-‹Qc”É°¯ˆ"㱨¬:¹ïÁ2ØV·l°!r!¼Ô™ÖG§¡d7çâ"Ù1$–õDÇ\[ÓjøQxg]õ^áˆZ=fÑJ¹£ Qð${÷­û"Ýз+ü„VpHÒ‚ûìbäÿÊCÔVpÒz~)oôã\<£vö¥›ŒKwB;€æôöF]®×mHVíà7H°?–ŠÒÿU–ãk¨
-ü•èÚz0B_­,èPÏ?þL@Ê
-шèA*aÑaö蹋¢£”<±àOUv;Œxé9¯Ûû¬EïÑè%¢®h”ƒ­gÞ|‡aV 28„Za”äJœŸÞÜ-bëÝÝžAvþ”|#ï³eVCØŒƒ´:dâŸÊZ Ö@©WvŸVnS›ègÍlÙÐ0p»¦^iÍ^¦¢ •]äœïC@¶/œýiì•zZ§>¦8ÑxÔåb*“³íh-ö0Bcåipù¸Nœæ¾ tLç&D•¿iÀ¿‘ª‡[øBttj°t’>®µJy7$áò\+KÒÕn0úƒ$E˜ÏEÿ)V!€¿,¬íÔž?Œ]­×_ëÔ£2Ôëúp—±‰<M0–XÎ ‹ ‘ÿFƒ3®Y“t#%e(Î~¹Ùÿ%xÈ^/^2ª|ŽjƒåZiA¸ªðLÍÝf®”è5ÅÁïj“ö—daEx¦Ò8è5˜ñ^aà÷5DÁ¯TK—EÓ†˜3ö
-kEtº›‹b
-r“ƒá?ÄwÍÏŠo>ò¯”)<jìò˜¸ )÷‹pÑG¹ØŒ‹Nœ3»n·îkÌ¡°øDu¦…¡ÎºT¤ ˆ|d›LN}45A[“bœFŒ^&±ñ,äQ~«Æ‰L2rrdw="á!·‹ÃšK}|‘·puù5aƃ‰ý5Á2:–5êÆqÕ{ 2wˆ²#}@‰—±Âøö@‡OüŒå ¸ ô-){’TòkàbTŠx^ÖRØJ%~tÒ^©¡ýå¦ s›ç0?&%Ÿð—ÔœžFSõÑDóhd±.wvV€Ç›ËMl=įRÂÙçûõ—§4”\q¡É Ë”Éˈ|iöò9øÖÝ+׺doç3îùµà·æÆ›T<Î *‘žåÏFÊ™ÇUvÈÄJ3y’?È(6è?ñ3ÛdÊO³+—Csuî“æ>pxÏfã0Ô­X®fÚSm± ú$²î‰5·¬¼ë_µÓ¡|ª?WÃKå‡Z+5@Ê"Ùèð_¼û²¼*j_´:¯y¹Ø-÷†Œêk-[)SüŽmЮØÞEÄê¬rê[S`–)¾™Ð‹ñ§WÏuò‘9 °w"3àŽÇFGôÞßgFÚÀBîÇ&×"CkjÃ?½®Èk@™¹É&ŒÇä[ûcI2™§
-]ª>úÀ”¤þÛE1Ûyô½Iåjë$aÐDx!}2ŠÍrÇ`úZL’F—­àí¯–0±—t?{G ˆ¦õ^ðª¢Þ¡ P|1; p]cÔ£_¼þ~ÌKÞ~å¹’%^§Èüq„ñ3¸Ä´³Æ…Ï­VÅo£õ‰Áƒ—8H˜-ߥ5ZÛ‘ÎÙš#žü]“n4˜t=‹ “ôÁ[Jï((ñ˜|Õî~úÔ&¶µ=Oèå wx°üOßTû>zÚƘÆñTņÊí‡Ç Ï
-2U*¢
-endobj
-848 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 2
-/LastChar 148
-/Widths 1339 0 R
-/BaseFont /VLBJNQ+NimbusSanL-Regu
-/FontDescriptor 846 0 R
->> endobj
-846 0 obj <<
-/Ascent 712
-/CapHeight 712
-/Descent -213
-/FontName /VLBJNQ+NimbusSanL-Regu
-/ItalicAngle 0
-/StemV 85
-/XHeight 523
-/FontBBox [-174 -285 1001 953]
-/Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/three/five/nine/semicolon/B/C/D/F/I/N/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright)
-/FontFile 847 0 R
->> endobj
-1339 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 0 556 0 556 0 0 0 556 0 278 0 0 0 0 0 0 667 722 722 0 611 0 0 278 0 0 0 0 722 0 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 0 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 ]
-endobj
-784 0 obj <<
-/Length1 771
-/Length2 1151
-/Length3 532
-/Length 1712
-/Filter /FlateDecode
->>
-stream
-xÚíRkTSW‘ª¡¬òRIÕzX%2yj   b,Þ/‰¹7ä–ä^z¹¤D|PIU–EltÉST”
-«Š@} Ô«0|‘V†°©Z_sÁººJÎüš5çü9ûÛßÙû;ßÙ4HCaáP %&G‚¥R ‡ È3›M¡Ñ‚qXN "'`!à>`µV ¸+
-9
-¤rBkÈ
-¹È0z&©Õ`ýäL°΄ñ,bR8
-l„Ó”šÔ$A•à¿…!mÆ»TŒg’¢€×”L: EBªÖVRXk1²LjùoÈš^<T«V¯•k&ËO9õ—¼\ƒ¨õ¿30M†–€q Å G§Scá·â¤0„h5Ó³B®F"4M g%“½ò-Žd†":ŠD…
-(åêLx
-‡QhºÒ¿)¬8qB\¬Ìû÷¯JFÊ”ˆÒgÀ€ý{*æü“&áˆ$²™l6‡$’ûÝ)yZ31ªÀ M\žã¸\O!‡ˆŒxÀÀ
-Á:
-¿­Ÿî;½½6O\ÝuÌžž¹ÐtdkÇùm§L~Ìá>?—ëxÓOQðG¿9osþ9îT:ñ Ròú©§E9fƒŒµ­×ÙìèF¯Ü/›õP1œ”2ãry{Ûšƒ;îY[3š¼þìùìnÖyûú5÷9ü*êHÑÌÚ[7_=ÉKßÔÙoqøò*¥$—ŸY³ŽùçÝâ«°jÌRsy~Òþg®¯-Ô¶;=é·Mc¹Ôî†Éÿå6]§è¤p¤/¶Ä• VË„³ú\©0›ý=Lq-ÍÒ_gvÓƒ¦÷{$¹¥á±’èÑÇ*]µ Ôþa5T[¸¡-¡U€^,´6¬+pIoèâú—p2šöÒÖ§Ž¿¢ý¶dç̧É/^ô=c¤¶>T<lÜÖõö=˜åå=Lï`Sí¯}aöˆ—«¾ºGˆÃûVÛ5Èi“‚8Á|·›G¿ð´p)÷…ãš}“&xÛlÞ“$ÖÙâ/¡T=ú×¥VãnJhpb_êÙ¨[Þ—ë/T‡¸ÖÎL67‡†V/ižõÍ÷p]è7×I”dª]–‹=ºâªs9.¼‰ñEÇ…>{^ú ýTmn9â³(Ï~hË‚ô]ÌQË ¾¿Ú¨KÕwùÖ4ÿ8oÙ>(*‡±n_úñÚˆÚíýcÁœ½Ç 8v9瞊šP–ãÅ Þ+bÓ³åôvÚ†+u §âÈU©L<>ðlkŠ£Öã†,îÙO6ðü’Ò^÷Y¨Æ°{ÓÃÇ·V.Ú±"tèP3ÄŸ—æ½Ù:Ú¦up7w$ZÐ{ÇLw~ìGƒ[ÎrÖzúÇ}³4 •Zác«Ö1¸ÎÊ([ï]d;0AƒZª4un4ÈÍz9Hžæeq7K]¿—<uGÍ-Æí¡íð«“Õ¥1¬<kïªS>Äš±*!*[*9­^n3ãÎ̱'¥îÖgøæƒ×Âù» ÀÛ•‘ £•þw»'´ù®WFŠ:9³Bª”¾I”íM¯ÌÖëºæe7w—-pªÐ3¼¶žùÄð%÷«ÓƦÍ6óðµ’Hè;[UÇöë®WÃc5œ-±÷ùѸλ÷s‹VS©Ÿ¡Æ¥õcºýõáeÖþ£;/eGXh¾ëã^&.}mS?Ôa[žt˜+tiR45÷\¬*qü8FŒ—E(Úo§lY=,­o<±Ûaç*§¤{naˬ…;7ÿìöxY–¬òë„€óü‚¬˜s¡¼þÀ9ß{..VPJîÉ¡bqÍÁ´{âÞðœç?|
-endobj
-785 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1340 0 R
-/FirstChar 60
-/LastChar 62
-/Widths 1341 0 R
-/BaseFont /XEZXWS+CMMI10
-/FontDescriptor 783 0 R
->> endobj
-783 0 obj <<
-/Ascent 694
-/CapHeight 683
-/Descent -194
-/FontName /XEZXWS+CMMI10
-/ItalicAngle -14.04
-/StemV 72
-/XHeight 431
-/FontBBox [-32 -250 1048 750]
-/Flags 4
-/CharSet (/less/greater)
-/FontFile 784 0 R
->> endobj
-1341 0 obj
-[778 0 778 ]
-endobj
-1340 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
->> endobj
-710 0 obj <<
-/Length1 1624
-/Length2 5655
-/Length3 532
-/Length 6501
-/Filter /FlateDecode
->>
-stream
-xÚíWgP“붦ˆH•Þ…€é½ÒA¤W„$$¡ƒô^¤)*½Ez¯
-"]št¥H“"Üè¾ûì3ûž_÷œ_wnf’ùÞ÷YëYåYßš »¾‘€aQGÀ1"‚²
-Ä@df0@ˆŠDdddˆ¹
-êàˆÜ114ãåç¿û×Í/€×ŸÖ u€¸±îéc°ÿkG#€q„
-
-µpÁbX2}ƒ¡ H
-…U÷÷›-úÏóï‡@<! âéO\ˆSzf¦Š>§÷ªeg»~o(²°Öøe~@¢Í?=bQ¦Ôö¢2T°nXöò­×Äòç—|«ýít0ž¶TÈN‹ßmÞŽ|Êyî&)þÕ !ëB²Œm³ŸÝ®YH
-›®.½30´.¸¸~k¸I uc÷„7à¶{~
-ä÷wvÇ«éRèJV¡e’ìr¼9ùâ‚œô0˜"Än%Ÿ•MsÒºYìÎUBu¨9‡çͪ¸qæÍì}ÍlÓ} |e±ŸrºE©?G‚ü¯’ÍóEK0&•’O®&œ¾TÒ3©¢—]™7F=«Æo¬ÌS
-8O,llH?I76µTèXD œö³Sè.NwiçD8T¥2u¼ÁÏÔ ÈCiÂUЛAJéTH®gÜöI”1MëM`*o•æ¾ÐbÔõô©¹,V-u4ý†ýCÝÑUOKz‚—âÛë—ëÄä5~%šct]­§h¤²ÛNå¹öÿ Ûö’ñ?‰·ÏÊ*åI“y[qo.oZqO—f4!OòìC'=[b°ëL‡ \ö¬WK+õîI¢
-0…Ødgç•771ô|Ÿ¢‹y¾ÌõºbÓü–u0Æ_røªvùMc®ç¹ÃBÅ\n}HòýÇHyðîµ³p%Èuë@k+…–ß×ÏÔ\|©bû¬ç´ËOª?XçsË,[Õ©EWJaoD’ןÚªÙ‚(eT"Œµ6¼AhÒ7Y*¿é½|8 ÍÒäÒx5Ámê#)ѹ å€n_7¯Ë,f™·­ž³ö-üæS17É1I©wŠ—&ÍÄ°}ðnñô«ù\ t§kôaLs(‹‰Ó³ÅÇ?=1òJ8¹¬_Ãkvy˪7—‹´nK°°=içé0Â!O³v£þ@ë¬QueniÊ<¾³ÕµÑ”ÒÂIm¶ŽìQ#wœïa8ú<z/gÈlŠår¢g4t&*ÀD‘@(-=V›HÑü"§KÀF§kìqDœ4F—î>á‹ ï¶ù´eöä—ñsç•2´9µrœ%´5“Å%:ø”rBSÛÔ†Çàš¶/BÄ)¯o½ÑäNÜèÖ|ÂvthùL—XÿUš^ðöá÷FŽy
-ÀÛËÏ›ë"±¦­\E‚ñ<\þìa#®0G£Í¾ìÑž÷š¶˜œ ƧW3K2aØ•Ê/Õn$¦y½–î•Þç ùÊ1(µVÓ"bªùº©:¢OÃOò†Ÿ–Å°.(±Šb}ç”i¢Â˜¬ÿqî‡É{+_V®¸Ä´$¥¢P_[QeYjçWZo—¡ÀŠæUYþÇ»®i):q #ÏÙ@öN­³…sèw^—”ŠÖ¬®I)kæ¤Å‘s˲QMµd9^bU·ü½çw£
-÷oŽCÒ^ï'‰¶>ù
-ßX?zóä½ãÁÊñF—òû\šµæ–­ÎÆ:Û}|í.Mœ“îL#Ø*ê>~CÊ<Æ“¸R芧æx ê2¾D0ùÜšãæ­Üh<U±n\n:K›øš`9X£9§K@Ø4½` ?‹x;˜" ’Lœùñb¯TíhSþºÖ©"/xý¹\ƒsûÈQÒZ#d¶(ùX@/ÍïŠ.jf#ÏÕùÕõŒ ƒÈ¸ÑD/ù $³s_H|óÔyû­æëä³ë*åµÛÞ!›…9KçdäÌó¸ñoÒ>—gIè0Û„^áÒ% ÃéRÃ~îïQñE¸È~R<™¯—ÆksRÜx¦õ4«œßg‰½V?^ `ÚÖݪ3G6PøAb+aDoU¯ïN—íhø h.Ó FPïÉÃàFñä"}†ü»Š— á º 㜒žêHÿG¯2‡Ä *e&è°Ôóå[CVÆk´ø“ìtùÊœo$ô‡ÄÓ¯­ûÐ< ¯Z ÁéEºð.œd¤˜]KȮ۰ūe«úž\¤Ã£ó.¥õ—ïæ :@Ú55,g|ßæö7úh;6XÄ/>¶"ynö#®¼QóÀ<³{5”–SÐ/8*У‹‹GO JøL©‚¼EzÆÄǪµR¥xÂ]åÁ½œÎ+ñ6ý§ƒ÷ÎÆ`bINÇQˆƒ›§ôý6†„øågÑåîp&Ã8”ËöaKÚdagØ[Ä~¢ÇS/e:¯|¯ñÞ昮¡»œY¶šÄÐî«ŒLnc¶{ÂÏzõ/+åæ_9@irø˜crûó—?VpK[´Áúùp÷ãÌWâi{m¶ÝšÍš^¯ƒkBlïøôô¾ ™™úN‰¼·9˜¶Ë8ƒØdX'E?Šª!6œi<Á·
-MwY}6ŽûV¶Œ—n:÷ymO}€KQNUÁÆ®2¾)õ¼‘A”ɼÆÅ­…H?òês9úóØ‘)ª¦Ïý¥¼O8â­‰`ù£4ýÌÍͽ"/㬂ìÂ>ÂÇfSgL,D Ï\¤¶â2íÓ8MÇÇB3£[~„ûðü¡í)9ú{N»\˜"¯¬ê9AäÍÜBvLœ¿xa1ýÐÙ‡?¦•J§®2ˆÄ‹"]¥ø4wLôn´¼lûÚ¡ï§.|‚ ³®2èEs^Þ=ÒNQã·;\Ð2>“»ÕWlª”›
-ÉZI²L%g}W f±½‘¸»=ñLù’óZۉ׎¬fž6‡û|vØz½¨ê¤Ù›«™œç«R};·C:)†æ½QßÈ›x» ¾ˆhQ ¤Ç¹Z&âþ±þ6(Õ†i”U·À·³•>ÖõðpÉúP9w1Oêë@Œ#Ú¢Ð\ÂH´èÅ“ˆ²]WúÔùýÁ—¨£ÐtGÓÑ{£ˆÜ
-/%É =Þ0gè‚ž•/Š ³=K%äØï˜méð©_8êZr1OIE¯}}FºæÙ÷Qí0
-ÓKd÷5>£FÇíêN^)+&yä¬>Ki?bKÃþÂ5Ih\ðpX1„¦ ;ñ OÁµýËw•¢:ÙÔãoŽgX÷‘5XË2R²‹£ŸöŒ¼Ôö· ¾9ëȶÇ@‹këtÛ 6~lŠlÖúÊ›§29BÍÊS$ÔÑд¢Ý!œ_4ÿ’‹Ó§GÂXH×rcbé>U&tã”%…àJ6ì dÌ$V{
-ßѦ
-o>‡…~¼GYøüÈuQâ*³AÙŸK ¾ôµ‹«ñ–Åad|KtY;…Ü©_–èe 5ÍŸˆ¾#¾ïE’Ô{Éq;_þZˆ1ÔQ;—›ÎªD=!avhzìâ°l#<~á>Y×w<öì[oçü*Ös·ìûä(î·Æk*gÉç:]¢'‰!%y]¦Zd TŸšnS Uß\&xyu%S–9²îƒ'"šÇ†\ááº*ùx8"Üé÷žäæG»éÊB;âÊ(â
-¥~-1ßÊ·Sí·ÃÔ:Ö©—JZFß”-¦ âJ²FDDµ©›¹â1ËîÓHâÌäÅÖÓ~ì†Þr·ÂCÅS#\iŸ5뫃OË=iåw—3v0|¯†FHFú®Q…k<Œ"X1Ë”vuÔ4–¼¶uèSŒöÀîÛ
-Ú#ÎÝÅ)šjÀMs¤ârruRb&l^5!Í¢W#
-¼RK·=Ž–ùóoú©G–c£m¨fk
-³Ÿ“öÐ^£²P¶yWmnÏÄÄT‹Ë^­ZïÚ]:Ê>9mTl´ô£i¥OäáàÑýlú ±Ê(À•ªûjÊ,µrAAx-fLjpŒ >¬ŽÐþÐ3ú¾3êÔ
-yîoÜlŒà㹶_ µ'Õ ÍO.׸µ6}¾Â£×˜^N!Ý´’»ÒvµA±çþð kOg
-Ówí2ëƒ'Î`p+p ¬ã™CÏ?dÃÉ!¸äëõé)§»Å8Ë÷Ó»nübçG®ú•u™€ùw¾jaŸKè\¨§*A䦢3$ÚˆåúŸád‡9ðÖB¶€Á5 ³m({ôTá{~·sF'[‹»zèêæ±Hží:¼“þ"2ÉaÊøàý´ƒ¸KðÒ‹,—‚aQú²¤þ+¿9PáÝÄúÈMU:‰b2Ù œÂ áÆ–€œÉ§mle,sm&,Võ£r—“Gf—nÇßí ¥ú2ÑÅu´SEÈŒÀKG9é ìT\?µì/8—ù
-—
-IÃ%¢§¸ÁMÏ­W[öÉ%ä¢*¿gš]T›®æÅÖX=„~íuÊÌ»Ñi©Xp ÓYÂaE´=pÃõ{ó­›óŽ¾™É"ö÷¥ F84ÒL”ÆÙžÌ[;ôé‹åŽ~ ¼ãl¸jä!@šjUâŸs5ÌÃO ‘Å7o­\)ÄÈ’±0øzi*‘ƒu[ä Ùxm3È!5œˆ £ x‚
-endobj
-711 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 46
-/LastChar 122
-/Widths 1342 0 R
-/BaseFont /BFFAIL+NimbusMonL-BoldObli
-/FontDescriptor 709 0 R
->> endobj
-709 0 obj <<
-/Ascent 624
-/CapHeight 552
-/Descent -126
-/FontName /BFFAIL+NimbusMonL-BoldObli
-/ItalicAngle -12
-/StemV 103
-/XHeight 439
-/FontBBox [-61 -278 840 871]
-/Flags 4
-/CharSet (/period/a/c/e/i/l/m/n/o/s/v/w/z)
-/FontFile 710 0 R
->> endobj
-1342 0 obj
-[600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 0 600 0 0 0 600 0 0 600 600 600 600 0 0 0 600 0 0 600 600 0 0 600 ]
-endobj
-702 0 obj <<
-/Length1 1630
-/Length2 8144
-/Length3 532
-/Length 9011
-/Filter /FlateDecode
->>
-stream
-xÚíwePœí²-î®Á Npww‡à>ÀÀ
-hàà
-ºÃ¡¿ŽpÊ!Õ×®ðŽdÚ©Û£ˆëIÌå1ñ:–¹M !LŸ+ÏS·×Ö:çñkÏñù È [œÒ¡±Tlü+Û¿-ë•øET×—mÚ<oR[¼Óf0ïw&±½‰2eé²G$QnXß´gÕíÂ_ÙM0¿³­Ë]ûÛv¢^íH•%Ü’(ª»Mðîïp[¸x³ŒÎ¶imæéú‡¿ë' Ú „ÔEÛ¬Ó]ö~!þãømý­g­Rj$¸¤g2¤’Ä¿ïßæBýôQ2í¡8¹ò*Ö!rEºg²Y颺.€ú¡Yœày¢f°‚mÆ™¹@aæt˺—X[Y¶˦’åA$o,çí„Ùš”ÜÝU—w3&´|!| — Ã8¸XÁ⨡
-µÚ4‹î§AmëÁ$‘u]žœ¢ ¤é{þé o)¯v­zÞ·þ°ŠÇ~”0†S¶_EÑä¿XA^Àe#Ì”ŒCš¹þv৭
-ýƒ¹`Z¤†.,¡®Çsõ *haç"¿ñíéâ 2üE2î$ÏOt:Š« ŸÛ¨C™`öQÄ–ìëñçO¤¶"æ$:lþa8§}îsž©j“vå°yD±^¦ã z—FŽÝ†ˆ©DÏ®BcvgÖ5XØwχ,Ðiu–ŸòD~i|Ó²DR8T‘ð³ý@(åÚþ{7ŽvŽa±Ñz]|vJUånÖ7ý°z -’„Q¡¨o3mïønò¶ÿõò"±ë«Ä(,XFµÞ.¸qK0I4îÇîÄ{¾4{_(ÓLéfÉIˆ*aGÏ]¬]¬jaáv… õªø²!]J
-jEÅÖ*
-Ý–”èíC›ÇO/äÊBEQwÚüEšm˜§/ÞôRų#m ¨ŠçöØ
-o<sW,³âVݘ”43>Jªb¯-ûÏ¥š¯:ÜÒmSÂcòªÄòGµ›½d–ÝÒ±çfÐ ‡ï*7? Œø¹éݦÕáˆú»2Âœ; ä!X25#ÐjÓ¯*™Zðg‰æ²M¦Û&=N„¡#‰ñô¤—l.gýiŽõŒ'S"œ+€êæíFý=õ1¸nWQ5’F”ÕØ#Äù4]P³sÀ‚Y~ך4Á†Ç®~„ír ݯ¨¨è&K‹F¶òmis–rùÐe'¶“ná}%’,Rñ|ë,ã>aL¦CÁ!0Y1'Ü¥çýüªPXXÊH<–êĨŸer¥¹ãyPå`C—@Gr›Ô!à–Áa•NºÎÄ{eBÀ…P}jlî'qþ z#„y ڬȧ¯úc ArÅþÃqf§7ÅFù{ÂÎ;x’›¨ÇOÇ™œØνC;óA%‰|ó;ÚŒHö“IÁi²Š1€À+,lÙFl¥ÁxI¢ŠØcØ,ûœÐ×­o±©yÞ<œ_4Žø&Ñ337c†u¯ëКuÞp¥Ò+¥ÖU´vûŒ±³Æ¡ŠyT$Aø<)^Ô1&‘»¿¶Ã †ídD™.w2ž¯œ$à°î„!ðØÌÎfíàUœÚ¾QbÓ“›Û™¾ù*¹»$‚ññ8Ÿ°íBŒaº¹?'‡emj#§„böm«]²x.+„ä¨ð.]Ã8$Goÿ“1ŸjÏ‘¯G…%Z%½3WÈs&¾CÏñ= é>4Méݲk×]GÕªßMÓN~|ð‰,ï0Jž±öfË”Äzž²"Ö,¨Àå¼A
-/–Tª1KÄ"} žŒ"Ô,®ÿØm<n^Ú¯™»F¾*õ’ÝB>o¸Ny\ém<
-~Ç€ŸFš[pcù¢3yŠ˜…Š\ØrJn‚Kµ ú‹ÙváçÔN_1oÞAM¤œ“*‘~à0sæQ@ÚtíÁ~Ȧ.ìó?–µçã’»ÿ˜ûnW¿ mC­åÚÅ‚¯•Rî“CùW&Þ„Ù-’ˆ»[—CxþѧgT`&1|ÑJã—1`~ PVƒs ÙÇ„ Ú)a4»ZÇ[X€ÆF¹”2‡;mS¢ª&ä GÅ*‚b˜Xõê¬ÌyÏë:°íMhÛÔÑÜ-¨‚Þ¦!anPÏÇ”díFÚüÚI·«³J 95ò«‹iYïIôÉúqËñú“=ŸÑÒ~±úMuk°¿„‡dbMTß\4 6ê:Úq-u.Á
-fežÜrßCï£Üvµ~~1«e¥#Zç»×ÍÀ n®hÆÎJ/_Rîd{!ÏԺǤò3ìóðæ÷`¹’„¾%1íc-qlÇÙ‚iW¶tc L{þÂÄkIcl1‡E5Ã6Ѭ 3€wXGZ´/dÖýÞ=“?Â5¨r!>Æh~X ¾2
-×IÙ.Ch’Ŭø^AQ¾f!2¥ý+RS¢°k¾R•]ÍmËç ëDuÙ˸‡è™¨tÓv-º'÷W¿6ÐØW#ŽÛBÐô6Qº9É&˜7`~b8Ìêa²Èé’gΧñu NvA —’ÕW”Ÿm´ifø!:ú4$¹ ÷p_£¬eæš÷ײ‚®LO„yÆ0Ž6O Û—‡œjæýgWp„å^eÖTiDÞ6}Óû—FrV=+ì s¶ÔÈ·Þ:Û;§)^O¯©ótoibçWÒóÑ©„#þ²])Š2ã°À7 -ZC¨JBöjü
-|Ò‡ b9¢Ý—B”Óeß¡#Ï^+X¤½š^Ô€ã„R|ÿVöàÕâÞ¼ÒDNètúÁQµd¢L¤–²ž3TKâ³°Ñ.ëÚÑÕSÜO3†<—7?¿t—Æ<ôÆè¶?„^K”½û‰ßè€wºÌyÕ…O=ÑaÔ]:»4aNÚYW¦$ñX“S
-sÆ@es‘Xü>¹eéN!I±rÝ<¥ImÓávL^Vc°èé4%ÐvcŒ~ŽuŸÚ:æšÐ(^V©FšÉFÊ„5¦@w:¤ªO!¸Ò:¨M„Páüòonñ=¹/ )‰=D¬™‘x™( ;o•94‡Í‚¹m.Ïÿ&yj:f•…
-ã¯ç´½y5âC̆7’gj óÄâ|ÈÂÚÔ¤à¤ò„[ZÓôÁûòúêFù³‚V"vÏ[´¯'›0¡'Øüˆu‡Haq>æ–‡›äã#‚
-[ê©úɱշÆ#]ðN«³¼6m¥‰8\mm×–æO*Ídœà?Ôd&ùãͼbÀ`›ÂQ EÑöý¸R>™üý‡Âk<7½¢ŸhTª*ñ!þ™ï¹ûXâ%|‰ddu:Ò_'r䕯w–Möaª4¸Í(#在žÜköÓ?% sö)Y~;=N³2€†»F
-ØŸ;Â[·^[VÕG ô…›Ë5a¯Õ<M±kÕ¦1±¼âÜ0°«Áé&%=ösݨÃ8àŽd*vHᓯÜh¦îÇm0²‘¹Ñ5ŸkÞ²±ê"Ÿ¤Çµ©éì¹Ö-w^þbYm(<rq=ÍÆ$fò»Qf?1áùšÖ—æ“|!Ž(]U˜Z²*¹¯êë ýe<®mÒ…œ¡—7Å~·À2ÂC®,0¸úG”ý )ÛùáHÁšCEÅC2ÁL>þ·«Ê/qhÃP៻AxàIèŽòÔ*a‰íŸñýi"ñ”Îèa¦J‚ãU«¿hè6[é¹Î]¶ú£^þ Wœ ­„úž@Ô ú<O#&—)‰fÔ—†Ã¿7EÆ{ö`A#£(ø.‘ÄâW¨J¦½¹}+4zØ4ûuÍ”[1[Èhü] ¯VÒM¬Ãò˜ìy/*ï³›b÷ ÎÎ/ÊèÒšiçWOcFb)-}q‰Ïœ# 6ŠW*Ü¢ï|Ë>ØÁq‚'QÞG«Á.·C—‡¬ö™Õš#ñÕY”…ý !A¦S3çìºâÆe²OÙð<è4ËÕhB\ÎÛ/f–Ѿ39ó6©ÇfžÝ†ÒanÂÁÏ×áá–>Ï€V=Æ]‘ïÈ|zˆ•T°¹ÝH’“=æö+•ÜÐ~áâ>è?¥ðR­M :Öª”¬¯¤1ÕUÓ2jmƒ<ì &oÅ•M<Ã,Aí‹KoLÇ/ ÝžKÅ7™ ¡„<¾Cšì+Í5Êhk£JVY+x°ÀBú€ÛH¬æó§˜W+°
-Ún3!©E:qg^˜½“ çEÉHûK뵋Ùãi¬r°"×$n{G4.ö5b
-C'75¾caÁ¢ãmƒž•å ûZ *œ®ÉÙ @œË¼,A¾‚úqhîA¨øy#³
-1j ÚlÑ&³¤=
-Øcîmë5+ ¨38…y-5*6Ó¼'G†I¡s*Éžš<ªf'&Â÷ç)7+9Si|пŠ·ÖC7¿¦´kEª3¡1/`@;ý‚·ÕØ%T¿h¿÷m UBÉg€Kj2ç3gžE>Én+p×úˆlJ<2A1ƒÊÆø4œ/¥Epz¬&ôìÜ­ÿH\tõœÓ%±_~MgþD õ*ÖÆÇûÔ³ K½?€÷£–ò>#¹ëlY–ýaIø
-•ªÿ­^²~wå0§÷>¬­i¡”Ðer;á2\ŸS2ûkÿÚÙJ=ñ8ªÓ;åȲ¦p«.©I*ΪoFãÄjèŸ*˜®$rرpVxO)ß-.LòV"ëàÁËð:¾ßOw(ʽ +X£ÏÕ½ÞÀ ¶aøz·#  OÈ
-B–y´S,¯K.Œ¾ÄJ'7Z¤Ýiõ•®G@QÀn•?—‰†Í_#ppÚ“úëslg°ˆ!PB0ŽÇ0!)ô j«ïY:FŒ›|ƒY Þ +[#’¯f•YÞifýP!`9†„øQ1º*˜¹’οçÿ1›†•Ò»=Iù NeõÉ #˜' g€"C-†óçþ9#Èï³Æ<4Wkë]
-bvÑCª¶<áVÅák…î 4ÛFüÀãó´[OÝ­É›þ(œ6®°Gɹ|ðzCà"å:.B*´
-ÌÇý¦”ït†ˆQF'£•W”‚Jî‹ö¨RZ»å>Õ;v×òu"Bä—,IÆ÷
-?tBVå äÓÒ·&ŸõaðÎÑ3ã?ì‰ðˆz)ýþŠË¬MÜöõÇÈR‹[uY­Êâ™xŽ(ä©rLx¹d0©Ù¹9›—€¹`eîWœŠjÍ`« rëáeÕ0Eg—¬ÀpÛco:,Cú‰–èÓT` T콈l×ÓkŽÊ]5É_oÖÏ
-¿Ø„× óF¶?0PA–ßâeP¼šxoyT×]ƒ ߯ q‚éWëÆóªVüš'ƒ³DŠgªš­µ©’((_«¿ª²*ÉêjÂÉÀhýìÀß,[Rz<™ð<ËXs×;åäÚg&Ú
-¢…~/Œ%뺋 Í_g>êµÓ~ãYbŠ5|
-ËÐÿÁÓ6æ›.æÏcÖ(‰…4Sü4ºÖ. ³îñ à“ò<¯¬ˆ.76Ÿ?õ#»Â oyù£ðc ™2ô2Íû>Úé \‘ðc"l誤çoIk§†²ÇÝ‘Ïs§§+Û¤ßÈ„ÊMðʪìW¯> ÕÅŠJ~à‹“ç—=6óÎ/QP<Ž}%´5*¦²ÍÌà‹r][¸„ìWMfRA¾.¼Ôã·v’ówØøÍÄVn®q»7OçÙ`°W¹(ã#ðmL¢mÚ¬61$"ã”’OãÙ¿
-F ]bI“•C·v0ô]ïsŠ×V*à&Æ:-H<c°1ñõZvO(MDÁ™UnçÖÃMLw¦¼9Ìʘ'f {­‚HòZÆpQ¹e熶c08*k¿^Z¨¤ü”÷« jÒ ®íVÅFDøqÍGLÎL[Þ»@7U92ÇŠ ®•pTæÁ_Š6E{E-”»ì“¡ï–á䨓Ôò‰÷Aé‘E
-ö;)Ó5†90öê8’ÊøïSÏ]m/‚ƒÐ _èìûD"6ÅÐ
-ó/ ¤¤IÝn×ャÃH£J©´Á×í£\^"^?m¸î#ÜÓã­¡]?Âǫ̀ôÍÄ?õ}ŸÔ½ºCCv‰ ØÕÅóØôÉ‹ŽcÄqÙÅÄ 1È‚ÓÏAK–&ÇqJáw‡í¥óðq-²º5{Ü9cúxsœ…vtàtf>Ø.V/èàl)]ÆüjEÞ)â06¦±/ˆÅˆÅðŸ—Â>¦O9L:»åcþ‘o†, 1ÜÊ È6dðdrx·±+
-þuch`’WZÔ6¿©Rì2oŒ`¨ÍÍj“( FM›c¢JëÊ<^=¢fÎ(V«¯|^z‹D­Þ»©ÚÇ«×4úóeÍQCf¼5-LØñè‹9¤ÓlêÏÈßiÚNŽKš.¨¿’ò+sÈî/ ÙXй'ŠÝSu÷ _g““X® d–²žÃ2ÈÄÀÅtÑ"Ý
-GŽ—z¥YƹQëкtšI–X˜‡1·Ee#§r}›áŸz±g˜$>ÈÕ­&)׬H1ì¶SdrvëOËx0P(îée¬-ÒM`¢!03ðÜW‰M^®#Yâ
-.„²5ÚþÈÖñ^ž/|†Saï½ ô»ØIvê
-Ý»ê}­€‘D=Tÿéâö·½‡žëÑG]#ÂâuöñçP2ÀÂ,
-ï:/ÿ©Aàéžµ@vô®ž å—þA·žÈFàQ=á'ê²_Z»ÔÙÄη+YS1¹Êƒ”ÞTRcÖì`Qœú}V› v1g1ÒŒŠ$| OIq @Ýsêç?ú¾óã°!¾,»Ö.qðŠ×þeËŠ”l~a;$gõ…<¾9K„‹DüÆ©8®À¶IÁI3ýSȱ$FïßûBßP5åqÏ' KÇ|µˆ€€‰¥ÿî`Ëf_>´« Í@MãSì7nDAðùg·u{<úzoáiC&‘RÊVçÇTA¿Wb-ΟØ]2PÉ™Ð.8ÙËÍÙ.ò¯j|ƒz]÷ÞkZlü!½989Ÿðd¶aw¨É¾ ŽµQ 1ŸŒ¸9ŸTv2@&* •šíùAùÿÿOX€fήŽöfÎv(ÿgbjendstream
-endobj
-703 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 40
-/LastChar 122
-/Widths 1343 0 R
-/BaseFont /RKTXHV+NimbusMonL-ReguObli
-/FontDescriptor 701 0 R
->> endobj
-701 0 obj <<
-/Ascent 625
-/CapHeight 557
-/Descent -147
-/FontName /RKTXHV+NimbusMonL-ReguObli
-/ItalicAngle -12
-/StemV 43
-/XHeight 426
-/FontBBox [-61 -237 774 811]
-/Flags 4
-/CharSet (/parenleft/parenright/hyphen/a/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
-/FontFile 702 0 R
->> endobj
-1343 0 obj
-[600 600 0 0 0 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-633 0 obj <<
-/Length1 1630
-/Length2 15731
-/Length3 532
-/Length 16611
-/Filter /FlateDecode
->>
-stream
-xÚí¹UT¤]“%Œ»kቻ;îîîNâZ¸»»;…»»»;…»Z¸ÃÔûõt÷¬ž¹šé«ýy“ω±#Nì8çY¹’œXQ…^ÈÔÞØLÜÞÎ…ž™‰ ¦¬¡hdccd
-´—¥W¶·5ü5³Ã‘“‹8™¹
-rp²ÿëaûûK¦hïìâlâtpüͪ(*þouºX¹ü“ÛøØ›ÿõ4µ7qýgKÿÂþÒüE]Œ€vÎ
-±ªVõ¶ý^Nc_ñõiܬ槕Q¿ÑŠÔ+«ñïPYŸÌôZ#Ûõ½¼6SºßS7Cç0ÂþD¶X>ªO¯Æ¶aÕl¾JüÁøÒŠuwßùöüh¨ÁŽ7n- ª}»›ËÏì¯ò[ùwµ gïèÕËä‡× †¸ºŽïÛ­IZR » ˜Yâu#1¯› t,’‹¤×CMMW•M¬îÓ–$IÁ]•Ð}}™ß×(+X{—üÓHï=s]Ô½í<›Øáb57U‘Ct¸¹# ¹@ ²KCúFúØì¸5Ö0ë
-ƒŽÊ©ˆtÝÊNõ‹æíùu§TþÝ4F¯ä‚™ϸý§:Ù0Ìîz2.‡8Á¤¥"ð@b¹ð:Í(o`Ô¿kM.Z’#ï£2GYŠnplwÌÙm݆øf[8³")Ý-Ì>ØÐÀ"¤¹ú,ï6çš#±VEÿú4Í ÙTÙ ƒ˜êççX}×¹F; yh ȱ½ýx˜!:Á<œ?-p©yó>sd³aEG2 ‰iħØä¢_,Ì:ý¡ÒI“
-È ú€èç“.ª¡Ü^ó!Ozü(~”@½ð¤Ê¨JïŽ ÷(ù)I¡É’!Ë[í¿7O’0 ™(Öê/Êó#?ŸòtssÕï“wÏgWWÂù;í
-ivPS“ ÙL+¥6º:]ø¹à s¡†U²;nü[Þþ¥ºÈ…\F˜+6ØU«Iæ´ÿµ´*mg_^ú3Q;.~ÄHB/׌0w=>>b¦u¨„Ê>D_×$,?z^ŽÄ'dð1QèQïþ®Ä‡:RdDc]ØS
-y­)øM˯ìý>z¦ÓÁ‘,£¸º!6ãã
-d-ãµ!2AnXî}uM#Ek}ÚÛÀ£>ñ´0¥š¥b˜)£9Ëà_dö%ÐþÄd'~}?
-<$Œ^ƒ™yJŠ³Þ·|f¯¡_XÍé65È‹‡xȳT#¢Ê›c˜Fn²äjvb¡"£Dñuô‰ŽÔ7pô¨Þ3kµ¢ÃgnI\Hý•ŽxÅaÙvè#Ýü½ä®ªª Å9ñD“‹.š¾S2Àôõî”a½)m¾Úò~€ûó …â#_ôI\§êë•/»šžÇ¬"ñI4/á°ø¹;øë3  ËÍÄõ?X"M4Óþ0ÿÔžóë:i·áèÿ„X µOTª—‚ wgÞZ%•ùÂkéúq¬4Ò7&Võ1;»:牦¯NªÞºŠÃ™5ÛUÆTŠ1 þäX›V­!ó™!*N4 3cÅß^uu”ûZ¹b«îÖÀì䱇R©ù)sÈ3:ð¸$®ÃÜ}þUœEc—Ìuø
-ÌŠÚ ø,Å@Hˆ¹´z$¦“¢Rõ„¾®û£6pzñŸZTyûÈ2(†4–²7h®GœÅ‰Ý?5ëË€ 7m›TÞQ¤‚+̇ßG.¬¿sŸ‘7¢ÉnYFV³œÜÛQ$yÄE%û²±Q´…P”‡¹°ÝÜï…Žžb ÿ _0}}rÅZ¥¶ š¦K.…¢ÌUkÎÖ »iÖý MÒwÎûÃä˜ ‚ÊPÁ„Ð’
-ÒÀ^Ò6¾©Þ°´äÀÏqTÑíö® çŸ$@ÆOo‰…¿§ dêVMäáêh‘´B
-ODµóš\ÕåQÝ¥Út‰f»G û*NèlÂò;Ö× y<n‘G£4°»HÆßy ᆣ§…‘ÙÊF -x/þ %³ znj·<Ÿè„­÷ô í ‰ª šR˜*¯xM®Ì6`C¨€qÑÂzýÖóçÑú;þ¨#f\ꊳpÉôâˆ9£ö…¿4ðÕ«är ã%MKÂê·³©3[¯ïm©ð–J)”úகç'ï”oéa} “S\±Š£zÿGtÀàØ
-µùœw¡ƒ Ì´ç+;ž"¶ë¦Ñ?doû‘ööb"!äMeßÙ°°XƒÛ "b ±-`OX‹1Õû_µ²F„ «WaŸï£˜@p+ëakqÛ€ŸÐˆnYôbôóºL¨RÌaóå Çfh#-!”„pe·EŸ¥ìªäÂh-lS–Úq•—;`âB=)vÎ?{wÙh`U“m1Q2X—Y˜õœj‡ú[µ®æ4öZ$DT›ß°Ó5'B~´)2Ï#*pãŠCñ}t¬Akª#òô%ä`)~¨ä½{ZXܱÄÃÇ’@K'‚Ú3Œ…¯QÄüäYÁE›kÔïœÖ€w»îTð³'aH»xÙ^ôÃÛ²ö³›úRÆŽæl帘k%Ǧ‹ÀŽ¬ßkN¶óš×„~Yy¬Öåwã;™¾ex±xª}Î fÖ†'ñg%·”Kkø“
-ü…ä”÷FT‹K¨âŸ‚øŠRʲŽ[ Ž_n™N>ßÎ2rWìÐc”r…£ã‘mµ%Ç}6 Z_æ6?ë¦VS¡|Y=!j­¬å ÎÿùPÔ¶ÌÅì€Íˆëb޸ʮòu[É¢Ü%f)0ÅÊE6¾7ô§N«E[.©ß<¼ÆÓ,
-ë®o|:o•ÚœÅSŠ%)Õ}ø=™)WÜÔµÑ;¦Í“Øøæ“úm±a εVsJvö@K£áûç(BÂ^àwðg®Ð‰'cÃfBÇ…¼"(Q¦î†÷´sø¬kÿåõƒk¤3N}óx=©ZÍg´¼˜ù?¯…šÉ€—\E¢ŒíoAËLÕ‡õ©Û¹FCcËo÷³¸Ïá€Ò‘îÚ~ÿü…On4G!>Ü-[·,3!E‚VQ¥H¤HÿÇ°
-+¢±'£ë(‘gå]h’ v–i`PÚEÞ…W‰¨¹úmõ'>Më³&#kÃ^z’0†i¹"Qrå>+o ’BP,ºðü R¥ ¯0˜÷—Ü]ý°ùc‡’_´6iY"ëf¶á=µŽpe îìI‹vfê".Ÿ£ËæDáišó„TýL-k,I•:ðkÃæ&ïJŽáóÆfø ”fŠ×Mž- æ,Eˆ,‹bù8#^à0T§L’‡Tvn轸ÿT,5 ÷S> +‹o7ëX¾õ±“¸K«¶CÕTå)#«:
-W£Ì8DB¡ÏUÿ,”…œ'‡n#íÀ‹ªUI“ƒè®œB 
-ÎÓq$Mö—YêqH$Ã…ýuQóë®_¡Eë´½ó: `$ËÄÉ•!‹‰@3^[ůiF@êU›ÈxcmÄ*kâ\yýqj_¯*]U|ë•ð;š:Ýc¬Qz
-j*
-Ô^Óã¦6¼ÕìÀU\{~t
-¨2e¹ð={f´Wdo´@°£Hüd·J ¬‰+z$Õ²Õ(;Vœ¬~]1B\ØLäë{u*ûä èrƒËWƤÍy^ݘ˜Ó\2Æ,´Nƒ ‹ù}Ì3Ý¿Úû|^žM‡Ó]¦
-áÙœ´7S‡zõ¶lܵº"+7Uý dÎÞ2jèá+ ÏÊ"eåc¯/äcà Ã±m¯h:ÙÙåUFñì>Ä&ûk©³=]§¬¨ßîaêÉv)£°®4Ê +pö–fÛ˦ȃâ²o•LdšŽÍV?H%ù¡¬éBi©WO.Gßæ@X¬Ù¬†ÐøÒ‹@jGxô¾±–rƒŠ%}ê0ÿB"jì 4
-cyÑ=—Ó2ÂÊnüžÚî`Ìëá(å9Úv˜t,‚v¤©©äX?r—ýØJH¸Œ›Ámòƒ å’†ðº£Nk9'~µÕAœ Xs{cήz§O9M‡GÒ§]I-þ3‡Õ6Œ°€ã1bµ9ü»:ˆŸ¡
-ÝtÅ çÊzȆ¦ÏÇ3œ—5”Ö<ÝÊU½‰bâånm
-l_:¾
-ÃY_ÂK¬ìüvE\aÐNJðÿÞ¹nèbWo@ü7•öÙ58±£–%\É^
-òÌ%_K ì
-w½Á-Bõ?ïmif‹:¯ í² ŠÔ|ÑŽé.QØ l(è®!mW´»âŸ˜Å>2adQ”ÄpO}UŸN†}¤‹—çäsê2„|97pŸY^½VSz¯‰*ýsŠüä͸Î=¶ù Á ;ݽZ¸k²[lC)Â0ÐÐx·8äý=ÊÕi~°‰Œ÷æ ¦j>ÝÏ cê ^´5»kú¨Û ®¢ð
-Õ8§¥rצT~& ¾}÷+Z?/_Èà£w4E+^o:g’,¸’/f‚Ò MüFœ;xóÝ †—Åà`öÇ‘y´ºù‡Ú÷òD€Õð•MU‰¸ÑµEh&¼¤(ÝnVŒè.lX@ÄôÑDvx™ƒïˆß†)~–E ËKNæpר0-Ô§(†3øÚ8»!¹ þÚY‡Lcù°ô4à 7¬wO[(V›âz'O]’ùÌ1Ô‡ãMÇ‘+¹Ù “}ï`¢7aj?ýÇËš–x¾1ß÷»0Á3ðy—œbHey‹é¶ßí“£…™âa44•bô|ëi¾«!Öø±w€fïü@åÀuƒwt—œû,a—žeú:o¤Õ”]aXS¹/Yv¶N£oúƒMUG9–П9XoìÌ‹eó š_•·pI^Ç|B/ôÏpüÊ[®ÒnvÈp×6Ó¼îZ™ ?¼ð`Í‘‹…U¾£
-SUŽDŸ˜ƒpj U=y(Ž~{×R'¶7UÔG.!ÜÃe®ÉA+ðÔ±·v0H­7)m(pÍ~û%ƶ*¥â9êÊ<¢¨›]`Òël=šV¾ê5³ÝF2…2ÀG›±‘ƺ»8Öñ‡%…x‚©ÙŒx&rq],`Ïcj!¬¢L›‰‚ꌻx
-—”tšJ°7ͼû ›¹yéÐjA0/Á ³ bHgnÁ¯'Š€•é?d+lDVmË$;6†º—u™ 9>üAZØÁíšw`MíÙÝF:d”ç‚y³ñ\fË_3e4S
-CÔ„0XWÄQ(8@XKp9ätñHkaìÙ¶[öƒ!׿oT_ N1;aµ<2WN¤øùÕBãAqÉBa@PNYocYÍ\Dç™ô’žÓ …¸ßëö ¡^uCGd¹êU¡RÌè>áëLúƒ¡¾\‹û¦_[³$$ËÓ#¿%,8Kú—ËÀ —ºé?ðZ;RÝèŒT@¾ïÝ­;s|ûÃìÓöYÊ[(T©ž™PLýMJÚ§âÐ×:®C:”P¥qg$)¦)šp4 kÖÀ§B´#¶á×çûsVÁ²!ÁÓ÷ú9ÅÂ|5/…}Ù¸W6:mº“Q7Œ£{PØUA%fBë*N`s´B1ÒMO‡b
-„v‡‡²˜¯ñ! +^×ÞJ{u¢õˆ8Æðl™GÓÉ`S‡„d9ªsiã¼™wnÌäz3ÉÞ}­ì#$ؘŸáÇ´.E‘Û<œÞ]oÀ×}¶À åd“‰CÌ®™§jÈ{ò3¯÷bƱÒÂ$·+6ó(¸ÍÝ%3^E‹Y\~Òˆv/;˜˜ßï–ª%—âŽ.’
-\1$xo«ñ—«zÂH•`öè€üFt©økbL"eŒ"Y²ÚcQ½9O£ÎÂ&&¥- É3íØ9ýz^–‘¥Áh†~‘Ó_ˆ xÃOZr@‰Uâ #1Ôq90½dò«§”-˜=H\2†PÅ^äÝ9jÿšY ŒÞȃ°Dêp4?¢ð¢F y™;:š¿‰þÏ]Y›vÎý12ÿX߶ï Z˜F‘ê+¨Á+ª’³HÌ•éq·¥óþê— S¶^5nJ,ŸÐ=ØâÄàѯÁVdÙÑ‚ýWÁ^‡„5ÐÓJ<;POSgkÍÅ=Û‚Çj^i
-`‚Õ´¶È·ŽÈ:ã‹ 'ê#&nnv ¿qÿt”êÄæ‰
-ÝKž*gÍ)âM3íålÉ+VÂRa°xÚ·^Ôp«=„j°®¡HQÑ:8CiZ[
-J(˜LÝ
-ÐýÛ¹\g|Æ\ѤÇ/1—«ÂzwîP|MF¦‘ƒBXOèȪUŸâD b³N
-ªõ'M˜CkC Ú„àŒìŽŸÊsÚb‹t&oYy•G%œ+šÏs/'KS8°È¿œf‰_­³(V›tŒðI'ìÚ
-]RÎîà]­ÄÖÔ6h Rû·@3¹9 ¦–P. áYä ’v7êÀ!çbkú26«&¶Ýs8ðd·XåëGⲶ Í
-tþZè
-, ,SÄ ³®Û·Q–Ú‡Ý6%€¹·„SCTÛæ0nǽ]r U¸¥Îô ÿ×7u)“q›&Kñáè×D\Oì!Hç‚íÄV¼²¢8‡èä¨ÐM¿Ê-ú o<öž¿þ†îܬ²;¼½:èå9ô“6s:Þ$ùÛ õ}ü9ß[™ÎáÕU=u[h†J ¯ã®`/Ô Å-!¼:G% …R ¾"¯Éç›Ø…¿{føšÃw²rT(Ú<e?
-ÅŒ ò}¸‰2íFz¡;f$Mµ÷KvQJ~4
-ug°{ŠÌ™‘ùjǼ­Q>ýR Cþ 2U9BS×û¨þøDáɈ‚œmhºßa¾Eí¬ÇCøw[fÝQ¬ê_1ð¶
-㧣<¡žH4Ðé;7F9y¼Ì§@xcד;çUæõ<+sühUÌ-­F$F=©Åòƒ¼»vQº%‡Óò0j1±dÉpQfVë tFçÔq!›5V(ð¹s¼Q—6
-E WÎ^ÌË#ÅwÂWÊö‰·²mý$ïãœ9ž"ãabH¶Ë'B÷Ô"žiØ¥±AËݧå—F‡(È-'ˆÏÕ)ŸÔ38ÝH—ð¢9p Ï«1ç•¥)³Ðûí4&P"tœ{#§ ˆ:’úa@û#¿½ßsÒ¢ñ4:‹â¾%lÊ[PLxUµY¾L‰à'v4ûd)ÿR
-·ãtÛ”I67 ˆ-
-ï3º¢\ïLV´m4ó
-2c
-·î:LH,rÍ̘}”©”ÏmôwqDUp˜¢¦`ï³KÜÂM‘C¸2Ò¨æLëQ{ÐC¬,Ë•ºõtv@þýï$&|Gh­–yšÔ=•€LÂ×þ´9QÞìž/ú¾dÊO
-¥$y{o/ºÊ…-â^ ³7˜ÞÌu7î×æÕ]ÞÕÛ 7K–ö Llœ® èBÉ0ä]Fç Ã.Ȇ•O‘J®B$¨QLJ ‘ IxÖ-€I¨9
-ý +î$aÉÚ ¼MÚÄ17œf
-µ…¬÷TýMŒpqlî^²²jd»¸m]
-ÑL=&†ØÚ稺Y²?·SjJJ}-ôäÀNT ftŸ s %–þ²8—NŒ ÷¢—?³¼B¬ýÐã&~1$*nGTÌ1÷>¬œå4>‹šÁöm¡Jv6õg/Š0¦Î2¤׶j*ž™¥Ißëã¼é¤Tœ´g»ìr¦Âé‡Ô{vÆP>ý$ez.´r™Âòêc>«y.AžXn7ås"p.w¥Y¶üÁVc°rÆúÄÇ’QN¸ÿ‹)®D?â1œJŽJúwI×9õ €ž´ò3–\æsNçAS*Ö0a gîêv¦EËÕÔª
-ÃÕ³5šQ^­šõÙZfé©4ûå-Ie U“®é
-šÉ,‹^Ì*hÞÔ@k
-ÙOâî¯4*ÐHÛŠå«<Ôš>OïYò™ì˜„_ó×Kßž6ÒóÕ¹“äÁ;áfÐ ft°‰]vÁsò¾x¯»?N¶1…þªYGtìmÐp¥Ó¾ÉtZƉâ‚^¬ ·JHëƒÎE[+Í;þ ØÞ_׆ás·ÚW¾}Â]Ϫ'ÅOÍÜ“Ë£øЬããêd7 ¦‰0Fªkº‘*äýêLk¬ÔE¦ÜXÚ@Ùà#Œ]ËNÆ›y³?}/Ø­ÚÝö»µšqÁ§‡šMO×ÒNП
-î€þ™X
-â*áz^.\¥„!Á“{d¿ÜÐ#ü
-ïH
--|ò0¡÷F¢$ßñGÊÌká{ËâÈÍL–±¨ÀËäýŒÛª‡k[£·3žÐ îF§¦¹äð”Â-kû4•5}Â;²©%Ÿêm&øɈ`r}‹¼ ÇZöŸNp±Q†}É |~+±Ú<¶Ð1öŸm*ÌCÃ!̤A©„=í«(OÈnœ¥cã7äG“dÊ}O²º¼óçžê‹T&Ý&ÚpÎZæ2«æ\Y=9xb• ž/PʹK¾âµm@0zõI:ì›`ßAhÃðæq¾g{o÷ ÖA;{Õ`ÓY£º\zÒUuxVè3óxðÛ‰¢¢3Ø­Vb&š m¦G3I §¶„¤Ý1Ž`°Êã>(•X‡¡=xô´¸®N×›ì€èLb”ˆC‚yÆ­G‡^ B[5zÜa¨(Ï:R7Ñ ÎœHü­b^ÏV.»(…âKY×÷¤M¨¬y0rôYÅOxÞœ“Ü‹Z¾ƒ4XÝáJ[K/pêٱ傥‰žeÐh˜8ÎS×R]öVa’ƃ|Qh Ú¡ÿî>†2v£O8xÍÕHØ媚:_øÓ秜ØGÞ8hùõáyQyáíšßål0ÌÃxñ¶ât× ½<•W°Fôä‰Yä)«Ë’%¦H¯ØÑä冰<–ý&Í—.!l/C2CÉ›ÿÃ’iWMvM´a¯à¢¨ ºÛåòÏ’«€G¯M+ëèr(“
-÷z¦iB‡®”wufX]¹©ô£~n¼N-ã1JtIà³7–›fãm~|GË×è§õE’N¥h­ÿÁ†‘ÿÜÖ1„ÖZE”BôÎ&ÕaÁðÃ_ç€Õ¶ÇÍX¤kÅǠĀ%_, Å¥oCÝÃu´
-ù¹ñmá> ¬$=Þp™i—à
-èÝŽòN½‡©*;€5'®­¾¯lš²^~ÍPó­œ1ý®Ëôƒ¹q[½ zÊhwäºÂêáG: É:JÌ7ƒ…?ÝÙ¢|³D2˹})ÔÍ4槄ªF?Îaâ[×’©©eÛKúyÛÜÞX]Ÿp w’“?…Z$­ŠîÛÀÖ¬^ù¶ßu›¾3ˆ| ÚãUi`TîjRÑÜšZkôúŠW4*™º´Rþ.å
-HÇ’#Ñ6aGHÄÖËvx@³öÀþ­ÑȪ/áïba·DI)Rá n®1.ŒxÏS[¾¼m(ß¹I$á(Á!Ý{æið¤ÆÙßuuòûk?–ÿ”_;Â2u9ifï› ïéÞ.WË,ß¼I•r
-·Kæ1š3rÇÖC´žBhŒ/ 7¬-éËíâD™Ø¤Â½3ÇÚô89 ÝÁÁei?ääï‡à)gLÄÐ'ЗDvf¥#|8Ì{êc!¡"M?Æ"Wfßîé5D¤EÕ,˲üŠËÜzät*VõÔ„òp ¥ö7Ñý
-º¶ÏŽmná›Á¹àŒ¹ŠF0„éY)Åšá«Pñ‹6œ0`z)ú…Ý«Èg\¬<ÐãFDQIòl¡_¨(¹XÀÄ.Ìšú¥ÎÛÏÕèU—æâïJ[èhÜîè{”iÐÍî6®"#çÝcî]©%¡î!û1Bá¿^î:ê'\>•«wz¿Škb0 ç®OøñÍ!¬ªc!@¢ìp((‘åÏPCæàüùËóZü;(º›´Ÿ…pSõ‰Ô:®‚tÝîó7å²¥_!ÅZm¸Šý¶¬Î´ Eý¶5 |JZ®DÊC|63^âaµ'ÐϺ)ÞÉßB Õ]¯žZ$•OAž¥€¥·qàvlàê±xh¯ØŒ¾Æ\O@Á\àqc– $úfX›ŒMÿºÝâ Ï—_~ÿ¥Œ;Ñþ™MN¶í/–ÌlŽöŒó bDTh‰·K,¹#To-—Ô‡ç·ÚÐÃ>¼—‡rùˆÏР$&ú"„Q.4éÎÿÖ¿v¡  QXʽ֟ÿžÍÆZ¦|Ï?õ•òL›ï!u¶øZ†w^ vOT˜ÿáKKîŠj*ìKía·iØÖ+TnÚ˜.PÑoÐV-š°ܶæ.Uä:MP  6J·-hé|î›õJãH”jh·UÜáU4|‡†Í ÈlŠ×=F|•Ž¸RõË’ŒTL<“À>ó‡Hk;ÐØú!×½‹~%g E´·P”Úíf×$Aœ¦‘Gþ°u†Wý‡czfb WÔÅXÚ´Ö\ü |+B›·ñS€­)è7RD¬ós:?y‚Ã-r]þ ½^ónv-Ï]/žVcà·~6•ažBÖ eÃH¸ïòYr£ìË$³°^(„*Œ©cÈ=¶1®waÖn÷ >¿ÈžQSÌ«¯UßÍ ™?œ
-Ó2±_,¬0?$éýœEAíÓ!yyÊ$ð¦Ïœ6{‹1‹'®[+\Á‰3‡ŽŒóàyp)BèÐ ãk3¼Ý(ì08á^,Ánœÿÿ‘^‰{zË0
-PпÜ ¼ST
-þè»ÜÔÕòø9¾ŸØþžÅe´8kô;_¿÷‰³RªLϳ÷7÷rÏ’XÈàðÆZ
-ªjDÒG@œ=ù¢0Vþ23qð8@R‚¢Sx†€ÀˆQšk>Ö˜IÛ»åÆnÕ@ Šœ+7ƒ¥ #xA&
-V°î2»“u=œÕÏ"¨¡ ¥}ŨRpÔG0Ò|Ëÿ°Á÷v¯×ã#Ði¹j3ÍTâè(3Z÷†]ö‰6$áHý.ù2rä"Šñ.Q}Œ[ô(~áa¼ô|·g7LÜëèi GÕzBƒ¤ìò°ôÉy,<ri5¢Ó<øQ°–"ß@X1páJ9¥œÜ{5ÖXOù!Òâ™DŒŸ-ƒÞÒ{ßî|¥Þ‹|õÈ”…;°ßUÃF rEþ÷÷>£–¢€%ÝÞû.îcäG3*Ùºr¢ê.ûÝS²Z°¶¯Üi𥰛‰àò"ë8׊Ê[¬oœæiªÈtB!N²Ma3_#”Ö‘3?z25Q«û%Tb÷‹ºðƒS‰\ ”Ë`DðÌø¹Õ"†Ò»K$šù‘ W»P-$Ô"taâ5í.§œi"2a îÎEg|鞢³‹O-,Œ'²Æ¤ùp|’Ì”‹Ò7rž´­‘€µ‘‹Üä!ðvƒŸÖß0ÕBöy\åqýXkÊ€XƒÆ;my»”(~aŸ›{á|±ob’ØÏÖ­Ùxœ=†¤…` Ö罦(h ö˜85]‰„C¬…ù×UÎu×ÞÃ4
- ?0
-tâï¯tãq·˜þ?pÿ?Áÿ'LlÌŒœ\ìmœ¬áþ”Þendstream
-endobj
-634 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 40
-/LastChar 90
-/Widths 1344 0 R
-/BaseFont /XTDQTY+URWPalladioL-Roma-Slant_167
-/FontDescriptor 632 0 R
->> endobj
-632 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /XTDQTY+URWPalladioL-Roma-Slant_167
-/ItalicAngle -9
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/parenleft/parenright/period/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 633 0 R
->> endobj
-1344 0 obj
-[333 333 0 0 0 0 250 0 0 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
-endobj
-626 0 obj <<
-/Length1 1606
-/Length2 15226
-/Length3 532
-/Length 16089
-/Filter /FlateDecode
->>
-stream
-xÚí·ePeݲ%
-…»;ww(ܽpw6°qwwwww/ (ܽpw—ÂÝáÕwNß¾÷õ¯îûëÅ[+bÍÌœ#GæÈ9#ÉwaS;c „­3 #3/@dcìâ$og+Ç bgm
-øk䀣 u9ƒìlÅŒœ¼
-’
-tüWƒ¨ÿ™š¿$ŒLíl­=
-F6àß àï cüsÇü¿bl@Öÿ›èÿ¨ü7Ãÿˆ´³Ñß6Ûšÿ•‚™‘ùßF“Èhúälb03²þÛ£ÙÕlMŽÖ [à_-ÿÕF
-ñ½¿Ý¡$ý6;›˜ ½S‘F‡‡9Lq®÷#7ùºÞAæOy«Æk™¬0\™òã)àÚŠ¯Põýè_°ÏÈ𸯪+WX½À4qW%¸3A pÇ‚yçNјŠhÙFƒ´¼òàH«Qûv¡;±0p•]ßt’~xd,Š‹÷xÂÍ6m$ˆ¤bŽè›a»èýa–Qº ÅZCE{˜Í¸V>$zytgC¿ Ëûž~^üZ΢ë—'¿4vÌ¢€œQ(߈¼ÚóE$9>RÛòvJr —Ž!V•Qê-¦  ç]kˆ«#L¹)N[
-Y'L
-Ml%£:Tid„‡
-†{z¼*†ÆO0RÕ[|+uØ<»×xB–)ûµjÃñáÛTK!ëßP.GJ¦ šïHídÏ·Âó‡8ÍÈÝÑìᣮ¨¹)KÔ«£" [ßáØÓz'f?r÷g‡ÏÁ­õûd„» Ë}áY‘’¡žRÞÃþÛÈžiuMÛqÁÞÚÖ:ÏÝu)âì¾
-´mg!™Õ[º±dúrTýÛ·àÑï;¾Sh4+mpæN#{•x9)Âv]²O_ÊÚ"¸g)ˬÀ ó6ÌúäT¤q6`Ü,ÎÄÊ“Ê.ÆmRúuZ}
-u¯Ôeø9‰ùXg©v«½~ô¤™ÎbfÓ@ËZ€'púÎfjûµ+4Šð9µ?çyG Åš2Ã>öá¡ èÓÍõ‹æ©íq½j]F4ÊQc &ÚWÊ¥Œ!¤)Ô¡W;êíˆkúë¥|ÂO!xËl|Ê/"Ë ¥Y8Þg™t‹}1ü¸ê²áüs,écbDŠ‚<ÕÔ&0S™2(Ãmz\Ì#wÔJ$G”ûsuQ#JöõÖ1Œsoæˆ •X1K÷·XøZ°˜©T†f zUàÝô¤˜:%)=ÿ¢NýÌýßáB0$awϬ&8Ž÷SMÕ@: ÿ÷6²±‰ðJe Êq»‘€¿Cø# /ÒT ÚÁû­B2cQ˜ãSŸ_1IãÛóù´P$O´›ä…™±<œBn|\©žêŒ.ymõ¶9ŠLrd¤¼]‰m æâ¥ËNÛ” CSÿ
-Ôw(ˆ)¸ôèg¾ÜFþRM–”T–VRƒú¡âÕ€ 9«\æÁ r˜.°ׄZÎAÆØRöuaÓ^z¾A}É €1X•¢Ä<”BÅ2Ý)×BöÔÚó–7L}ƒ.DMZÖËçÒÌ¡sìÕzÇ<ï§PÙpK`Û¶—
-d„½-˜vNªÊ:&¬.U~ø
-S–2¶ò¦,|Uº•¹åÿŒ ²]d§ûHÛ±^'Óàrê¥Ñ'Wží¼IëÛË­lžœ‹¯‡ýôÊ0àU\|¬¹.wÑ`7ÐÛå/—êâY쵚ûU¿ð½@'Ã\Û#ÿ¨tÓ"¥ÍSûã†ÖÑ Ö9X³*¶?"D'Ö ótÉ‘mtå
-6¾íè†i#¦‡¨#d]™P8-ÆŒt8ñOÑÇ,«ñæ¿V´Dze< xzÄz
-ÉËh¶*”zT© :ê%Ë×úì±m,0¼Z©“`Šì£ç!(ÐÖ2Y
-<«<Æ;ƒÎdä”4éPйë×¥ß"á§KHe
-¬Ÿþðåg¿ÐžT1‚ŒÙ{§ë³÷<¥·qÒVÍïl—ÎЕÑi„¦¨DäÒ)ìW¾V “{©¬1›
-ºs„ŒÍDÔTQóÖÉ_+y’‡2„æSu•P¾1YÙÑ"®—tI+Œ,r]  ¤'Ü~ÙŠÃüó²-e–´cOKswfÞé¬yòÒƒâÌ’.ËLÿµ_·_Ú•bȼ±ÞõŒCⶓСš¬©%˜î­vNBÄ3Àu®*ó^Ú£e3ÐWE>qßiSgb`ÑÞXpœõ ú~0èu†£ÆBß^ ¨íHßÿó1p}PŠÇ
-ÿ¡QÁ{þ­
-Pä±\7Š‡òÝÐBÞz¾–ܶ<
-hÞãBÚ'¡ê{üŸ[gq«JNi9ª J¡ö–”ÍÎBÚ &eš"¡„™G
-0ũ㻢×JïØÄæv
-®t·Té„Ã}5§¯kŸ1öÖ¥¼?Pe;ö•Pö‘rû0ï}Bϼ˜\ˆÉ6ù·ÒšÏ¹äçMI9!Èèm)L(ãÌSŠ›öž™{ÔˆV"X¡…-’?.ESö®žªAÝP! j#HA±}…KXžÌÕ§ÐÉMŠ[¤ã('©m»Ÿ>¾+­›™Q…ºCTmr9ðn«!dØ}û\>KdÚžïËeš»ùØã‚„À¹b¼ôd *Ç£GhU×¹
->3;J¦@ÝÀ¯ÓrZþ@)%È€Êz¤a¨ädèji|µ€) eãCÊuÙ.ƒæqô~l»JöUþ ŽžØóáxf‘n#©[6ú<—¼FL¨Õ‚¢p¦áâþòþttÁo¬‚¡:ks_V]º¨ž*Yº‚ÖS,"ƒTæ{à':¨²Ãêﳓ+xòä½o»äß(!\Z,ÓræÁÚÉŸ ð µµV$n« BA†lmº'U'ž½R›~nØõãç":E›çÎy?ž ‡ ?CÑ<,ê‹DÜ(8Óv}å~õ ìòÙ¼ŸêGF¾nƒU„­]¢6¼ óÈ¡@¦]¹:@¾"¹&~žûÔëâÈm!Ê ê½–B¿™—´¢´
-]éû.@U¥”¹7n0B¹TñÖ€•Ü’ü=²Øü;ApÊ|,êºJ CåD…rÿ}œ_PHqÆ»LO…NEt"†‚©ÛAѲ‚÷&¾½&WáõÔ7j§qÝÄ´Öoºêe--Cª±G.y–æQ12Ò7C}Ϥ$)S¢›#qò8R|ﬗT%’„`Ô‡>{|ÓÑ(~‰M€ì¡öÔõ| µ÷•Ý RÙŸ¿°xðÆÜï$xÂ1 ùê”"B/J#_“ÕK`ô!™"WX¥ž]58 áqA8Rkªk7bfRCèç`…oŽRÈeé'¶ ‚©&#É;°õCd€nzc¦}ϛ«ó~×€#\K"™qø$â~FÛŽ›–‰K¹Zð®=¿Í<ÍšQƒT¼hçîuÈÞ Œ&©ò§=&—àÈjóAŸVËpý~‹wåhß\">ÿĺrÁ I~¹8îÖ²Øeçmב[~ _‡Õ)Úùá!¼Gâƪ̣}^jèÍeìGHj{FƒÏDI‰áž>ç;Ž; :«^/lü²ÏÜ!*‚v5Bw®vªz‚/{¿É!Ä)Ý_Ò½,0‡Ä83ËqPA¨ÏÀB¤¬PA$.Z„^™ùà À_q\E¯§nT©E|i¢jHm¯©
-mO´ø$ZEZ»ß÷êSùâþqÆtd±ã±ïäœ1·+}pyÉi"¾!¼ÈÓ‹ÞBêI†¾y¨‹5Á·n¤l¬ î¹2íib’-þa/mBrZJ¨g“mˆêia1éØæŽÌQt¡ÓÆ˃¨
-¢j)ü™pÒŠb÷"…í¬LÅí^²0Ôô{k>— ¹§ ‚ˆàêÒ|% ýˆëã_d;lEO㷳ߗœ×Rfå
-ZcÁ²Z!å5Zn;£°¤Êîž4Üb
-“â7+:¿ßå²p€‘ßTbºLJzù:˜cÇZŸQyØCV`ÔÖ .ý\ø£é¬—Ò8~û§v Yg“ÕŒ1…·ÁÅzýãÚWÕºÌÚùYÞ‘G½ µq€¥Žh” G ;èXîÙ7š%›Š K–YtÙ÷¿q;Â*ò¾¤ÈfRʽC@Óz†¾>ÑRKíóðdêZ+%{ <V6KiH|žz:]6•Æåý̧(j›ÀM¾dxÅ]©äh1=[SîKØ{²Y¿×Û3fãï[4HâÀfppï}:´$ŠÖ‘1 `â;Ø8§QŽVê’ÝýIX† ò«ˆ¤üYL^R3‚ŸW:o»é9¾5¾æÃÿÉ#¡ÊSºyØànJ¾w|fjvä|ðý®PRñgž‡°¼äÃ!Šì1¬è¹Ø”9qζ 3™u° œº­ª¥?™l*¼~þ²[q)7Š–%ñ,L­2Û#Šôï[IÒÖÆÂJÏ®B*öç¥6ÙâµÅÀìÝŸ#zç*ûlãoô«âWýr)¿/©Ê»êrBIö…Úäé]›Ê®ß@¾ sL.ƒ6ß!•}º‹É÷E‹šÏrW¹ý ¿ô¦®V*sŠâʨîø»iaŽv|Ýj0=Ø$Q>SÚ¯‘n¾€ûà3µ¨¯¹|Ï‚·#ø2òJ_×Kà?ew5²ò!msZYÝþ³Ûš6·—O,o|iVð”@DOXå¡gg'\ÔQUáÏ‹wƒ§ tÔи7uû]J8IÓ~«]Õgb+©‚±ë­õúZ÷0©ÝæöœÉgp£è½»Í¾÷QöÅÒ+*A¶3M{#ˆ2¡éŸ‹\®þK§Œæx'wÅw÷q‡Ø™³G›Is%ößÕlÕ×ÙYó$;ƒ"d™ˆÞ›3™×Vc:DŸ!H™ØºASöò;ªÄ‚3:¬§µˆ6· ¿+><Æögn% ãïcªKZ¬ ýÒEÓý°¡©
-oöw¡‰Ç÷ LN(Ú–Ç•ë|¦ÙV0f†BckÔ/ÖözåÄò«ÎMüPC‘&§¤sâQOŸîì?`øá
-u€2DZT‡ÿan<øF¢àƒK#ÒÞxpÂä_µB…•’Ä5$(Z£½X÷˜,Çn=F„I1°Sk€/ô¿Ñû’-Ú%6©`Û/XwܸýŒPä°X{]‹{ÁõIê=/uµJLÒ "nÏÖ9 
-ÊnQu}±”ÇËÂo¾ÀxÂO¦ßi“Ÿž„Z”ž¬ùáXßâjøLƒMw®ÝÉ¡þ‰à0߉òÐaàð1͈o®ŒKÔ2û%걓ºîöC·wÕ‹Þ«WI±á‰šæN&`­†[Ë~©à}ã‘ë!–{«-ƒÐKÜQ>µÓ™ÚHh[“+ÊäŠw˜Œ~š ‘o;UK䊋íó¢/¯sö6†>ûþøM7f“wcå wÛƒS^‡ãIÔˆ·œ­‘‘O¡"è£á²N´(*–ñYaZÿnŽš
-/ †¿
-¯)$QF!ËêbVqâ!Š–i× ÛÔáZ4 z³2„«#µùjÆa0Ž¢”½¦wÝ̳ Mx¹c"ve·yäÒ0Ëdao† ˜’|¨äÊÎ |ýªm¯;°”`È$ùúgH÷ôT¼‰K6lºæð°1I§Áü<Mø—Ùî¹A‘†*›Ý´ß4èN]ÐL:òs@ˆv.BBÓØ~©ç0ϽxØȸŒ§´zŸÌ¹1lðhSe@¦¹Kz˜$Aˆ"ÆÀô¢A $Õs‚ݸHªêmªœÒòûÜ™\ð€Èª&¿o¢újt§ã;»ô°Š lñëÒñLÅ –ÞÎÙ ÆòÛÞ¢bòê/Èá‡@°‹Ôp;C¹@˜T¯+,OëBš—UÒæ7v¾µŽó"zÌžƒu¸WÖŠŽ®‰Úƒ6äfôT!m¹dÒ«?¢-gÊsŒÅ¿î•n!yªWƒ¨¡õ…*‚´Û˜d®Ë’Àî¤a‘ð7Àãk¦·nÖdsÈãMU„¼Ž8ðA;²Ÿ‡–œGC¹éâ¿q…”½ïyB –þ|;kßá4\àç¹òNJes æ¶3 ìãdœx1y¼\ø<µè¦>°¯Ì~δ¨ñ¬ &d‰tñ‚Üè>øŒº§ðTÍ”­µq¥|rüꆸ´åxùòr¿jÖÑy„æOä¬-d‘Òä[ºz@z6>"Ò(K)+è¸ Ê]‚éÉëß-Z¿¹ùÁßP£«•O ?.Ÿ7©`ñ §„nºn´ˆ©AÅ
-®K·¶M“‹PÐ-øeóù(,•ÐqšW×,׃ññ£™”¦£W…á觇²H•ª£ën“¼ºUÕq/ßíÇ%–Þqÿ J†tù›á8îe p©SíÊw¥N¶oéÑ!í3ày<Áév…‡~ñ¦g‰ûÓGÃPûÅ•'ëyçÅÙö°ê"б2¦<N[—ŸeD·^¸Ï×C2'!ðœþ…`—åæõ¤Ó.Çiæ’,ÝãI~d¿z`4¤‚+õë5e>¯ge&ü¿ˆh8#u­÷$å†7 ~g¤ ÌÓj7#)¸"ãbø=ËÈÓF7mõÏx|)Ê ¦R+ËY'¢Æ‹f¯
-é0;êÈÞ šGû)¼ÕÝÛ•qòG­‚}¢v7~ýUÌØ{/ª//¶£@¢’BxP ?×㺽v/Ò"¢³¬É–²7~õ¥-°ú¾Yâb²4GáY±Þ\ÛêùÑò:u|?í¥LTj/Ïäœän”…xÞN[³Ö´Yg$<o8ó!¯S庅{–¸¾£“7Bb¤ÖRƒû°)©5Õ‘ 5e'îäuõÄ]ºv&cÀ…oÊÄ8büR š?òré
-GZläÞ¢Åë6}oÛ,“Nxúœ½™§~ãIf7Ù,’y®KuT§Ä‹óˆÞˆ:‘¼ '³é~”*=Ï¥aæ½L šá(ˆ#}AÀ·åÖ•INø™Õqy»±ýQÐBþtSè³í¸Ç
-Oùl_t>»ˆ„Q@·z×À!»Qqf¢Y Îë"Ìãì]/©¦pš¶¢þz¨´ «E¹f‘SÑ”,Y¸!µx·?q¼ÀRœh·×ÚâOÐ`8 Ž÷PÚÑ¡lŽ~ñ¢ª ”HÓVßQk6˜qØ `?'7Àw1²£;Äk§ÕùI…²­™e£
-ÁÊýŠ{Eoa’¥VÖôJŠD¢VØ+çòêqgkSÃúæœÖJ!¾íѹ ‚§š@.¯¡?4÷k¯ÆpHmÉK HÆ`ÅÀgç»C~\þëÔƱ )m®ðrô©:ã.ÓŒ±þ(pôs° ¶†Yi†u1`kîxÍræN6Ór§‘Ó¾‡‡8êaì%ª?áXhu*‹e²ö×VÒôbÝMcÚí .ä Ü SߟýŠw×ë±AV‚,“gBsEû&·9Ó3÷–òÎöÀ¥[Œ»ÆT*UD-.ô€]¨ô€–'OWsá€TO›¦õ`¡Š»Ù†ÖáÂuþ¾ñFl ©>ØNRȘa»CSÔ—Ÿ¶†ËÆÁdõÜBx½oÌ«·†)Ô›.hþ¬ng¬ûÛöVhNÁ4ýÔ¦zçŒi=÷·ZÁ¸ö‰ÝbáÂóû=™‰¡-í§ç)Cm=Úy«ôÇÅ“SwCðï—9C$~™¤9Ï …Û‡_ÚóWs¸ ù0.n ' ’8_JùïMæ­üÝRÄbI’OîÚë;Ãwh¯“J¬J ´Š^kû³ÅJŽm™ªó‘'i‹lÛüŠßGÀCÿçù#K‰}¢orL-–cƒ9MºNöÊ^âæYj—aíLY&.þˆf$Qžþjõ0Cñɇ\›€®ì³¼kÔ42uR0Ó…µöµ©k)¶¡)–—Í …‚‚Tuº—Æ6°…5ÚÅ(˳«mÀšÇÊõ™¶Ôî^H™¯Ì¯ò,µêiÝò¸:
-SþÅ•ù°?UÆh´Û Æ~‹Ü­³µ´FŽ ̽¨ ÷`2±Í¾ ø_ÑÛ¥¥†%º%B\aáPbs–’´¯xÛŠÍPßí"2¸'\sïa øçÑõØê
-ùôÀ®ß`&„jsJ·ÝqüÚy»©N¨ªÊ‚a '±ð¾•ìýʤhö\êøÔ<{,üág`™ÁZ±Mãêà7G¤¢œ‚ñ¹ÍÃ5¼tÈŠµΔࢼ'}ÍÈž›¹cU{œœ”ñ’£Ñ8þ» *\þ:X)8ìÆäG4k·D«S ½ </psð8M´vÊ#'®È?Ý(æDœ&jž]RBqf„I+=µ×õ;˜AüÂÛ©4€…Ï3‘«)Ã`&ùÄ.3Sª[‘¾vÒE&Q†üÕ¤Â3$H˜3ÈX)Òö
-Ûfãu¡ÀÐZKÏ¢ÊôG„“ ?î]¢ozNS¥•oNüÖA797mÄÚ¥âFËë
-!üÂlŠÏY™Vß‚-#õÛ"òæ)ê§4|÷4û•¦Ç\£Ù.,u˜XÞçAO¯é8h‘$?³DUŽ$ÐN—ýÀôZO¾h¹)8’]íPlÒó!ÌÖ¦¾óí3„@ÍÿBkjû"qJº„‡›áûÛ>Ä£c¤ùÄþâ<NI×–áä‚b…&yK`à3r€ ‹¶ôfæX:„¡'*?§ºnQ~ÓRÙüÌ¢÷­¿Ãs¦yÞ$Â9{¶Å*+'QÅö*§H(ð›xrPßÞÐFñ`$•†ÔXóþÈÖxÊ ¥ô*$ƒn%Õu{¸‡£Û"Ýft /æ.;FÑ÷·ßà9èf¤û* Ž n5ˆò§\S¨ƒÆ+’Iñ$ÉÆ­ãЩ$ÐÈ~f›hD"°[Ir·»FªÁ>ÂnÆmp¥Z[ÆóžC|ø{}Í°†¡P®¦é§
-@á–ŸŽšó‘ŸqJB¬Í×H¬íÅ]¦mš_-Áµd‰[…©ÝG}kÂ'†¹ZñEïJ/2Ž¿I¢Û¼Œ;ÀJ?ЗXÒ²se¥[ñԆص–3—ñ>(ìí,¡’Ó7¿­o­Øc›ŒÆrOã·¨Ó½¹`­Ò^¼>¼aˆË;hŒ¹ÿÙÿå`@HZ a½¥×¶9‘àÕâ¡[Ü ·Å’Øß©UøgéQuz`@ÝD7… 6˜^³&s %qßÕ±%zs‹É«I)Œ—þ[~x4ir:ÿ•Ä5¿‡¼c@'dPí¼+Ê-ußvxØ€F
-‹˜>cîÕ‡¬òš¢úcÓÕVAcB8‰à–à3†(¿Ÿ->2$§‰#ϲf~µÉOR¢}Ì^Ô*ëT¦9Ï^°Q¦òÌ0Ò@§…×õ™Û¡f}O†kÞÜ9ìFÄ«òwÛÍbµËØq„ÂL™§ÇÙ宕NÔuKJL:˜Ü õÚšöÀÎß
---˜TÎÁ?åשּׁ~Ig.äs#IR³1Þdà0säÐl„ë¤)wÜÔC‚5ZêD¡˜A|aK]¾öQŒ)ŠÑßÛ¥fÜ-6wâœÌn¿Ô‘ëZ¬×ñÂe²€KQÊÉ!qäl†ä Ã;¼Â` ¯ˆ«Ýjƒ"àFd’(ñ¹%Ð¥å Ÿ¤­:ìKÐÙÖ»ûúj?ã0GLÝå/—‡ÕsÉmtèŠ7@F.°vš\õ`òƒ_¨à@ó+ß­'9/þ´îQöñ;*œî~¿ˆ\Ý‚°¥ù"@Ãw¥>
-«ñh²°þ;f&õÏý tYPXÉ(ÄÑ—îÿ*ìRâ͋MI.riAÛ³eBapX,&L˜”FÄqOÕi/zÌ-JîÙŽX!|½ôÔ{/¥Êl“”2êL¦›$ôéy¶r×òèt A3È׸„–MT•˹#“Ÿ_«ê±C˜Ä%3(ØBN®fMݱd[ï0i®§¬Þe˜nùÃ,2†•³>Q~Eó“l¤Ñ‡d¥K
-È ¿X¤ô á€S¥M†kh_v.ÊZ°XY–×~dŠZ£þq z3„=pÔÍ*SÈá£.rYÎ8xz¡ªm:è«íƒÂfkl®õ3V°yÇݪ"|pA´q+K¯ìñÄ5ÄÆòX”ñ3³S“K¸8”Xgúy6VœOÉÒÀn‹|@aµ»§Õÿþ\1-óò$jô½·Yâ6IÞåQˆÿ¨Û.†î†!ÿ" Žíë½#kÒŸ@nüšÂ.MV5âÒžpɾT “L$*jsK€kU3P"¢÷ÇÇ‚“\e,Ѷ™ßUeÅATIˆ¼Š#DRÏãþfž‡ïDŒ4ùä;¬«"_u´©+E¸8å´•È.a«MçeÉ™¸m»ÝbîBß_S¨—,ò5žL(Áœ½¼«lè„OÞÐë³,­ÜV"éˆeÛæÅ—¶‡~,¡¸ŸÆü€¾µ¦gq8¿¯Z‹—Å}á/Å'laÿ†SÙq³t‡º¶^H·âœNwÌútaES<hpFEž u‹F,p?º°8*ü²z"¼ñ…>«¬¾lfœêð~,¯±Ni`—…Ïg Cž@2|§ãÓ>ú6.ûW˜ï>µ½Ø“M¿+Ÿ $g;µÆñGïÞ—ÆøE×®Ú§qkERãÒÆc{…ŽZ²ÊZd;_Pº· t‡Èû/QOûIàÏg»–%E:)‰7‰‹zz÷Ÿt¸ZúŠ
-É9û×ÖN¨Ó©Þ¶Gn‚‰å”÷,Œó¹ñ:Ÿ5Å=©x¹=Z©¥…»Qò‚Gc]qŒð_¿³—«º'í(åDZþ´î€J®­‚Iç'«_ßÂ:ŸÇHjDõlÝå„,©qØ` G¾¬†\È@éø¦‚œ—éܪðX¢ÈQ<Ñi8ºÄ|#ñ°Åò­õ›O(m£mŸ8½7¸r¯já—"Tày¨ Zì|AúßPqéí [ÈÃù3Vìlî¾ ™VÉlb¼¤.ÛžF ûoŸJ¶ô
-endobj
-627 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 34
-/LastChar 125
-/Widths 1345 0 R
-/BaseFont /EGFRJS+NimbusMonL-Bold
-/FontDescriptor 625 0 R
->> endobj
-625 0 obj <<
-/Ascent 624
-/CapHeight 552
-/Descent -126
-/FontName /EGFRJS+NimbusMonL-Bold
-/ItalicAngle 0
-/StemV 101
-/XHeight 439
-/FontBBox [-43 -278 681 871]
-/Flags 4
-/CharSet (/quotedbl/hyphen/period/slash/zero/one/two/five/six/seven/eight/semicolon/A/B/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 626 0 R
->> endobj
-1345 0 obj
-[600 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 0 0 600 600 600 600 0 0 600 0 0 0 0 0 600 600 0 0 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-623 0 obj <<
-/Length1 1612
-/Length2 18185
-/Length3 532
-/Length 19104
-/Filter /FlateDecode
->>
-stream
-xÚ¬·eT^ÝÒ%Š» øƒ»www÷÷w‚»»w‚»»w‚ww½yÏéî¯Ç¹}ÿôý~ì1öªª5kVÍZkìMA¢¤Ê læ`”p°wa`adæ(XÙ™¸‚äìåT€®€¿Fv
-
-Qg ±‹•ƒ½˜±   4ˆM¬¬
-€¨ƒ£§³•…¥ €Z]E“†ŽŽþ¿,ÿ„
-ähkìù7÷_0Gg«ÑpYÙ[üz€3ÐÂØÙÌý…ù‹ýOwþ«NÀÿV½±££­ç¿v;ü+êq°rmÍXXÿæ4uù›ÛÂÊéŸA‘¶7w
-$aå4S²r1µ˜ÛþíÔ¿ìêöf@g[+{à_EÿÕL
-pÊÅÔQ¯ôŽ ÉhB¿n¿ü Öìö6È£ Ç#´“{Q²È_³o—{K†ÎhäK’w–jÝ«Ò¾š›ŠâNšâžýñ¹îJ!Âák"øÔ3cC4[O4|qEÝ
-÷®µûIûÒ‡òc~dZ¹³´Þ½f‚™a$µ
-E´ÕD᥷,"k |+Ë ·K|XÐ4áï赩9•3û¡ï\›õU‰ñ¤9ì븉£Ð¸ñZlà—ÜpPÓ•ŽÂ„Yñ©²g‡ßE”[?>yB¹ÜK”–.buúSc©zg‹Ü¼Úcòhwqj›%þbpŽ8¹wR8y<
-¶É|öx˜îçÉÀa¦Ç¦=Fzåq ×q¨ë 6)ÂÌ|!0à‚‰§"ŸÜVØN«hˆ©ƒ²â¶ùQë[M,Oy*ILM±ÓëÈø*ÊTv8_ v´AhÇ *‚^ƒ=;ÃÞxÞÓ<©¿ó´Í«î¸Íó0
-¤Š˜B _g&î­çxL¢±rd´« Þ’ÄÅ\I¡?YÔLÆ$ëhø0¸á´ðæ(#©Í/’ëII*É/%Ž`åÍÞMJ͘]£í…ø½Í,Ž
-jýÊDAD›oʺ´ÆdüË”zj.ÃZ8^KïJ9xí–j-`Ûcõ1ÎzÉÀ¨cw]Û ¶mžÇ£HB²‘¼{™™Û
-Ç¡¢ßÇ
-Ÿ¯‚T¾ÒK©M^ o…Å+e‡»kñ'æj BÔÌ[ÒôÁÓùGv¬Åië'fMçÜÔ­µ¦4/íûOÂeu ÷yIýC‹F~Œ—hYÇiJÚ«ÞtB$HÎDÈ89ÆÞ¾J»Æ1.rÑ©¾j‡~Žïb
-@ì œËîÙ‘SÊÞW4^vF­ñ Å›`ã¢Q–wëÙdæÍ_DqWÕFv´±.ä ¦xû˜e5eËl!•ð_Ü)_öSNðâ +¿CUFøØ‘P²I'£X}Õƒ›žR1^T{o£Ù5O§ÁX?—2ïL @Ë­²&µ”UD­¿|ïÊD 2z3ôx!ìn\Ó„ó>4¥ž;Txé)7xr>om&äØœq$#z“T·²ŽË &QQ2_`ôÍbo~kh̾Õòœù
-B1â+$ê .7f˜Ïv󎋸ì\¦ÞòÖÌ&†±Ê½€‚q9ÝS…ÆyðX¤¨«•IÝÜûz®üa=‘-Éc'µ<?†á¯ôü•Èõ\â;†Kgœ‘á “[Ÿî12+ç;†dÕˆ3ñ¼n
-þSÙR÷ex±$z¹„Äg\Ïpuã÷[áÅYUEã ÓœGÆÝ}À¼;LÅ•\tUÇ’Óâ3íAà’àÙ:Æ‚¸©ØÞàµ#.ùz]^¡¯¦ÔT¼½ OB¥Ì%KoÉÍd1Ø»[Mq 7u¨£<“KRÀ1¥j-²Ÿ”LxÔ;Î'Š¬ŽºbîU^¤óÛ§Uq72 q€yОô‡r2-î@˜­<š=Ñ×¹îåIÁ/³íõ<W| {‰/‰-´é61¼­»ªv ?è,TÐŽÊ„=ŋȱڎ+xöFáµÇ5kû`ŒªTæ+– ¹lb³Š}Ö¬ü‡ÚÎlËZ´„-½#¸HаyÈ%;¾ Š™ï #ÏEl0w\ôð䊫¥Í‚a ÜÓ\·ÜQH\?§ÀÞ5N¿8VVÈ&E\Nw?¬‰â|˜Wú³l?ÑÛùÏÂcwæ.LÀëojÐ s„†å^¡£~ÁwŽº:eÕš,A’¿>3é SúÔ»&ŒvÊô«Òî¯ÓkQÓðêF¬6}» Š„üíÞÈÕ¼û£í>d ;ˆ›¶j¨š)æñ1š}16§¢rzsµ™
-ðóOÈÌ€ºö3ÊòsFdÐàÏêþÀ öïÎtº[ëqõŒQ v$yÖÙbw
-_Õ'ÙW/t¥)³Bkl@ÒuoY‘$žÆybP¤ÉˆÑinµdè—ô{Uþ6ÕËôÁ½¸ðLǼ«‰ð¯™ÄmÐFZ¯Ôçt5ìÁÉjqTWeec±²¯nB=´ŽÚÍkV7pê¬IÄu=ø€}~ µ}–ò%UUz&á꬯ræ^…+"£‹8ízƶ õìù4Þ‡ºq’ÎŽqÈêA1jäáŠU  Ai<)釭“ïÓÉ3ëÂSU#ìœdÅçsÄò17ÛbÉøÙ÷ 5°®;ºì’L•z]õ»ð…)}
-3_^ ‡¶š. ’‚…)Éç Šá£ùbK§„pNšÿ
-9’þ!î8IÑ›C r-ÿs[{œP–óe›&~b«I¨/÷­cG@X«â}Q%´ÚkV{=¼{<IÛÙ
-Ú?qŸ6B˜zÐÓjõDqÍë`ãçy3:*íHAvfÉF ênÐMêŠ]T€w1FUe/»ª|¯S¥ ç‘äÉçÐV?—x¤ ¦D7&é¦F!Ò%cqdKÚsYÒëÉå-ÊYÞ}Ӈђ,øQ´Û¯Àú—m-ßµ†O6}—í¬pùÝ<ý)Ûb²Ïàš#*yp,só0ƒÅÞxU€f\±µrü¶…5j«÷WmºÍåV†¯Q²Ÿ4®¾ü™^7½Ä˜o‡g¨ÓŸDÙÑ—æ!ÎÓI_'üx벉—gŒY…-µ}";}xí{”l½ÓˆÆ"Ä(ЯNÞ¨(i@M‘{0ûPåø›E¹b‹ñºÛÂeûà¸ý· ²·Šâ9§O½P²ÙÇ«›®§Ã³Øn¢ÍMÉ´šöÀ 1ÕʪgIÃý…ýó’\îKÊ·ƒBætÞ¬0Ö’Bë13ѽSÝü§žsõ‰™ 0ñUU¢H§: ÁV8§Þ¥(#>H÷0ü "ahâx‘[Z0EvøæzÍÀ¯ qi#Q&û¬i$€?Á^,rP-j&b’ŠÊ‚q Ø•¡1à03œÏÞ7ñbäzI¬|â·Öß­G÷?ï=´÷B`Øm€ŸDÇ6}0i:ÆeÃùUpgŒ-}-§¼~`[ ç=BbW;’«š)FâuÆ,D9ýÂ4ZÅæÈúü±ËêŠ_5¾ó¥£74ª™ö4M¯w#íçNW51ª-?îÅò†Ÿ£+ߎ!±iëêxÐIUñôvdBYB½‰”×
-,°ãzy—øg;Šy¹}ÂÿÌø±UûF¥’­k'Ú¤#È3¾^*
-•W½Š1W\ÁMÞ7ì’)Ò”Èã=ß›¥Ùµ ·`º¬e  ŠAÿú‡g¬µ¥ê˜'(¯Æ¨¼H¿ V€zà´
-R*F/qY ¶Ã÷¼ ö"A±yjat_ȧÅfTEJ}Œ;íUýÊe„s—Dà¾Átµ
-Lþ#ú%L4VWm.„½dlŒ‡`uÜ~¬;K|ìWwºˆ¿B¢ýàqŸÉL,Õà¹ê2âÛDOä¤Ï…ŠªÜï?FôÅ6ɘª$37T:΄M”Ü|û*FÄ‹#b Î-Âç{ýÛ…#CˆÂmbË:V÷Ê`ÏMFSNó|N2y]"cPiY
-w.LKuûzrsàv YõLkôÊx¼Í! ðgÞzW 7)QâM¦°Ü8i¥ÔaëJn ’ÓóÌ
-<à°ƒ>LUÆ4  ¤fpÚZ6½M®'{6üÝühÎv¾sñ–7`ô>â'Ec©ËçÔ8Œ)ŒvND–·;Ó1µ¬Ðô«€1 lœiL‡?FßÞìj`ŒÓ/DX*›úMH•|ª¶xíK:"ñœœ†ýúH™J$¾‘ËV­d|¼’{‡äZ©¬ÐðSÿ;Ü®Ý9îÒc)»âÁ|Qžn^KLæBuîû¬£Òî–“0ü,¤Ðï‚›¹ŸòJÍ^½¬} ÁÅL"wEV+*…–:óohåZ—àøÛ;Òl„Éñ£½zŸY åŒ¼«}Ñ¡ç–‰¨O†xBùQŽºÏÅ*‡Ö<nWw"¬&ˆD^ªEÑ׶!‚‹oû@bô¤V –‰µÌ‚u‰æ„ s¹ž5[èµÒ¸¼ÇM×æÉÛÉêTþTÙ#±¤ãlÑXÄqÂûÁìرl=þûôÁ<Ȳ˜ý! ²ÇŽákz:¹o~·ƒÛŠ>+µ÷—¯žX"þ›B©Oi¬a
-«UìúªAŒßDÌü(Ç€5QR«ÒÛ™^ý-5vò×Ëb„º`§[î¢JÎêKÛm-o“%Saã¿sáÐÿÞZÃö¡|œ^ŠþÊã9ŒR´k%¨X³i‰ºpó›åö WÌXÈô‘›¦£5~ôHá(•VnWïç½~ÎÙ…Cî_Fh6“ŠüУD;0OW~½ ¥0^wyr÷Oü­U>?ò»ÌICÔ„üôjC{p“tÿÐôDIåö­Q‚—ê!J¹iBÒ”„–—0)òÊ4w}QjL!=;Îi5”§Ìô>%÷³|jÊ)ÍY%Úß}Vñvï‰ !sfƒÁñ½ýÐùDÒ-(œOw™ ÆöúèÞ]m(ïâ<଩ªeÝ_ ~k§~¤ùLÇGxø_w™£×B‹'ØÁT“ íY2%‚ÏÔG@ßçRÏ;üݶ²“¥4ÔŠ/he_q
-.6Š¯AýoÆ%ßð‘+‘©gœˆÀÛ²ØÅ4%f­æËP1
-½ÉA=Å
- sE]©‰`ò6™=>î8é%ÂÐs>N´žô08òî~ÿµûcUð¤¾Á.5ÆÄ*¬ó8/¤zWt÷
-}r/öewÿ¬É¶וqk鿾ä**'âqùypaˆ'-K?¯ÙÀ–ƒÁØwMA»+²ÒA)u…uô1¬Ÿn…0ĉ»)¾TZ• §^ÐõbØJVíbsÑ`®¢•óäµ>–`$I(qÌø÷Ï¥CÍÝbÊ¥§Å.öBŽð¶/Ø×™Õ¢ß(²-aþ
-¹—¥Ž²*?ŒO,âî N¿$Ý#
-Û{Í6˜«¾·í'ÍÇ°8ÿšŠèKOå¬eŠ3«Ñ[s …¡Áà<‰–Ï´œt`Húýëu¯ÜØÊ_kŠ Ñaöç{­ ²\óJ$¢ÀmáþùKÒÁ†×~×ïâ¬H,ã§d.ý‘Þê÷ÉË%ú¤™s Öµû+uJõšÐÓ@×^#;¸r„ TÔ…šÝ¸?†sˆ«2ã`ñ
-J½Èðo˜Ðæy‰‚áˆÛ¡9dõváïv¸ü:²Ã¾ ÊISc…öQ1}¤u¢Ш¤×©õ©º¾Ô,#mõp<>ÞGìaF™c›ßß* ‚¿ØÁVÙh4gÅçÃj·¥FÂtšöÞ‰á¿+ÑÚ0§Ï~Ì»ž&±k²àæ‘éoÌø–Öæ(?ÝãäjÍÞè)Üæ!,^š
-ÎjªN§Ì‚¡êZ/(âiÓiÍmáú‡E´r•¿Þ`]© «Ô†-UuܼMøIA ÔæDr)|ò¥9Zvw¢¾2lÕÈ¥⨡gÍfs2ëéÅV|gÐØìÓo³’›ÌŠÎ}Žk:åwéf—FÞ´{çªÙÂ@Vžf#ÙUÞúµ¬Šˆj+·[i!ÊÁG1-¶5\{”ôã0Ò­…ü¦ôÝÖæêëùd”­Hæ Ò ·)Õjëy#ñj5¸ôŸ’LÒèÎQÚA£ug㞥iE7^å‰òæØo¡Hã…B€úÙÚë¥éëуk’)Iï>Á2CeN£©e¾hwLñ‹WI$5>íU£n2úé+çLR'CßF¾] ¬¼ÍªŽ”ùÀø¸
-ÓÇr„>›jì‚é‰é‡f´¸ñ°ëí –Í„Z‰uk&0¯NRÒXÃã'c¤­û~­?…ÖÛ½2q´ûº 7E)‡þ¸ÖjƒéÞ$YêƒkÕ” —äJAŸM)9€ÅíñÍ jd.ÇöÓ>±8‘~« kÏP¬ío­ÎP‚»+læY"áñ·8pó
-”±v“²Žk@9â¡i"›¾8üäs5q|±µ¸ ,´£êú5X_Ǹò õA²‹‘ŠâðpøQÛ+é[¢ëù³ªüÈqêõBo> ‘îðŽ„©u§¼^ F¹èó«z[( <J…3Öoòˆ®v‹Þž(0YN3£ÂcçÍ‹Ç'fG$’:“ewwË6A¥8ƒÿâ%ÿµLöîT‘
-›½6(t(³rM¯ÆpŽ®KgEMIúbëv%6 bKA,ôI0ü!Ð=ÃNîÐyjÚÇ:`¼‰ŽêÀYS§ýKñ[ýêþ˸ƒG6°Éðáu_ŒÔ &DI{ÚÛúEƒ™º%É“€Óäê+žiàÄ|FÉ^u˜æÒ¨ú ((T! wì­;/A
-~_Êó-’wûH`ŠÛ
-36ëánˆQyÖ‹ëôrˆû}¡ÓeG;ž[äRÂtCHó,5[ô‡p}sÍÝé†áV(VŽïeXöDòõ(DðOèR~ëCž ~gGòiڽ߾_‰¦:·™×ûŠÈ÷—¿ºéö¨ßĶ•`ìýìëñöÂBÅëׄ€G)zŠ;¥1­ò·ò |–†ŒYëÏég$ôI)wËäVbY©V Õ>]Ú&øK<ä„æpðW+xO*c.SÒa”}“œ‘þþF)J~)m‚P^1Þk Tù1¿{_ ];‰‘5¨Sù‹Üâããjð[â™cûMË·têÌ! ªpÓz Sª3y<0âß-iÔ|ò–œ%_oU°~7¥XíÎ,ÊÇÂÚvS_}Ü]LçŽ °½¿zÈ=®ûêšmjæj³'ø‰²•ždZí|ø.²$Õ@=‰ùå–ˆÌw
- ØÚÝ®-ñX¿?¾‘}ÑEµÞÄ)¦…‡!Ö †Žü™³&Âù-èo.‰ånUbÒHV›rjúx¥ÒP´^1,´àõd%%3ƽ.|<ÔçgÓI˜Û+<§0ƒ 5ÛVЗu™¨¡t?ÿ2ö‡Qü!‰@ú,cq!e¸èX:¿6°^ŠÌ¹¾e%eG&Ù&4.³Ž{[Š8u^Þ¼ÿcÉöI¬1¾‰Sã+&wTwe®Fa…ÿJC`‡üjtË ¦zÄétø·^â¹ ãX­.mP®ÆÏ°àòÑ×IÓÎ$þq[M¥%;fH)Þ&•Ž7¥fjúV½Iо2K0^AloH€k9Ùõ.œZÀȻ褴{¤?\„*&¥¢Ñ¡cò#{ÄuÈsuÑ`©Ïœø‰3£¼iÉÓ®™CÁÀ¥³o[ ;Š,mÍ1é?)r·ä£_0žžž~M¦ÔDþòŒoP"XúI‚ø<ªŽÄš¶•4Qr±Ñ—YW7¯ Zä*Ÿ?5T†¸EÉ¥+ÓÙV%Ù@ØdÅeÑ-M7êë®D¾¾$ÁÿE_h/Sìžul<8E¢]'0JüzzÌj:йf\ÖÐøpu”V!ùäT?î—ûò!Öî)êaäùÁîÇát3{íüÐþI»äÙ3¥eµ{^l&vãIÊ>Á«£v“ÖýÃ^–¾M_.@«˜*Æ€áM*DJwˆ}¯8þ”I»A¼¥Aî;­Ü(áT¢#¾¥. ª\bÌJ±¬ô‰d"7NÅ8뿹÷³…ìE$m_8Tâoݨ±ZvQÆ&MŸˆ6cqlê›NU°¸}™µ¥+H§ýðŒxHÄ„GJ¤JT…Ýξ©Ml}@=ÁV&rP‰’Ë™bäN_Ê-€}xŠñYpèŸÔEWÇ8í]eE³-dmÏh C†ýÛj=ÿè(3®–>é¦K #N
-Ópà>¼àèÉL¦!JÂ|?$°Ë h‘`G0oä´ÖÈ9Èý•í¢o†yI€û¥œ^i0+V+z¾'0óT*) )ôòzßyׄfË£R>•
-ßìàÝ'­³ÝBû¢ÉEyc;8ÂVl®?'Å|T¼GÒp´˜´e ååD×Ò÷4îˆ-JG‚…L†ëAù¦ÌáUe~­æŸwƉÙ”4Ønf‡ª×& ‚êÚ‰„ÑÌ Ó4m!Dbô£û ¡šX𰚴߃¨E¼½Çü²ƒ1PVQycáÿü`J¼°i¾"ïSZ¢î`ƒ|LðBú•Q¥f°ZæØ2o¿;øéžK•½x8ÊÙ_v6^¥5R{C0ã&¨Sæ§,YHt=­z!§­:|aÿ°JüÅá
-¤òøïlÑ×ù>Tq­@»È:…~Öõ2Ry”ά­Ù÷A”µs¿oÍ8¿™Õ)w€C pÜÓ t“ûηwÉÜQáÄè-Äl)áŒyO7¥væÏö±0âª2/‰O–ßù†ô¥¢–¿¹dÕ…*\Vȉ\‰H*´Ëœ‡Ã‰D²¿ ™9\Qš‘ƒÖ碴›ö¶MÚ [éÓumMU[ú©î²Þ~ p:LDË~bŒãŽ¦²§OäYC餤2¼ ¡böC„í¡Ñ ÐçYT9´Å3Wx«Žbhø“79 ˆˆ"x|:ø€ØàO7—_Ö ×´
-/9mö'z´H¤ò «xMö+­qÊ×C15{‡)äxŽ!£/ñókÅPºÜ_RáÖÝÁÉMYTA?¢-=?ƉPßó{¥¸DZÕmëM9Ä+1¾´Æêõw0û,š£D›BhL‡T)ó˜Öº’wMŠ»pê/æp…;ÙuË×q(*È¡âµÁ àÙòyÃEË# Càž4°Bíø"pèT^Óèœt¤©§²«TãÃI;†ö–à“5ö … •8?¨Puãgs¶yXOt7ï€Þ’tÙåñÅ&%l‹Ç{õÅOІ”óù²”®'Ø9ðùW#Rã¥V+SlF¡zEi¡8š¨é¦vF"qIø|ÒpÜ7:O•ZöN›Wö¤R1O´±ÂA—Š˜òÃr»U>µvXW^Ë9·ô"d‚õe›Ö‚´®–ÎWO+©ÃU1{´–à/íw¶[¯ìKô¤Ú”ªÛ&¤ñnœ7úv_˜n rŠæ+¦”Þæb"éÆg6Ï “öÝñ¬Kà-'Fšá£K·šès§ñ¥7x\,S¥¦1ERÍçŠ}-j9V®ùu©‰I÷ÝßDó¦!=dt·PìKÆg(ÿ€þF‚%'ɤ^»WñŽI÷´¢ÂÓV" áÁu»¦T ­ ný‚kpqƒOr“\é*9Õé=–ø»}ô”ÔÈ…jÝâ3Ö×»"›`~Ÿ®u àÙÇ俶ICNè1ÌÂT8¡'Ž–¯½Ú–äæŒ`ê§ùNj“[–ÁÉ0Ããgá÷IJ6†RÒ-;8sµ±x‘?¶Jœ Lü¾°ß
-`ž·»IÃ^6ìì F!Z§éý&Ø­Ï:6 ’—(ü²6ÙŠ¯pÖól’²^Zgié^íèéÓ_ÉfñýI lnŒ´«ˆ7T^®O¦–ÝX7Bˆ|ý.k¯cò®õ
-5, u\âuºS˜©G
-¦3\磈[°élµ(GÏã©Sø#Bgñyn©>³}?źæ9gœ©¬‹Ýªµ;Vö¦PìöîxÀÓŒw.éWÕØrÅEYÞS&¶p;N~銤€4·§jòN
-|ÓØÍ Q Þl£
-çK±le‡MD¥ú¦—ƒG!úÇu5Wå’,:µöùÒÉk6ßx %LÑ·'ëœt/ÄCç䜿râ!•Ò-Á—:–ío£3mg±F8E<>pÂkÜâHn[yÖ€‚Œ=«zÅÙ©êg=:$bÛ&°§Œ.
-3•˜pÑܲWö‡0ÃüÂÌì£VäZÏ^„Ì΄|¸œÅ¡§` ô/_ò,fwµ«¿]îÄ·ú…àüû0 ¶pc9쮶|Ú[5ðX*Œ‘tUJ¯¶ÍkÖć¾ob–3ÎYEÎ{Çç¼ ‹†ã„7ÉtíX¥0ÕŽmÐÂxÕ†ö÷Ó Ü¢Â[Ö7`ÌC¬³i¯Ù‰Úµ
-ÏY‹}ÿà¯ÈCÚ5¢8¥>$Þ uh©@[ÿ8­•®êLíjûÐþîbømWò,_ÁÿöÜ×·•&#û%k_º¥êÏ©–$¶6Ôcä®Ä“ÊQ†)w€aÐ)üÖ–èóŃ5:•°Hf(NÙva‚ð/byÒóé|ýï'§°˜ýæLyk¦ÅÌßô4M(2™Ë:ó"÷–D&› ©š‘½Ù}~e&œòU•[Ö4É‚92åôBG(¬2ÁÙ;°4¸‚Jp¶6 6Óž¹X¨Ã€Un[кCaÐNdÆ4£ËüÇI”¬~fä½\¤†øö×æxò¥ÞÓñb,Šó7:ܘ‚Î/ó„¤ÉÁ:_¸|hfp”ëÞO³ÿ~î:··Gû_<–âé䧷—Rr”¿œ 'æ+Ð8ÿ Z</$ò=ĸUoßèz©lZÏl®êÁ‡-iÁ*Á«s+ið÷>"ÖÕ+À¾Fz‘@\æCȃyèȹì ïŠd[…=ßõCÓb ®™Ø@<¸ºñ;*Í’Ug ›.h"+DÜýJ
-¿®îÁùª]=þð>+û§ tEŒ%üQ8v$3 ;øüñÍ¡0 Ÿ(%ã¨ÑóGßõ#~ˆ?ef ò½Óù=EoGKñ=™
-¥Bõ&ä"ÝûipÈ[9l{6¨C˜•*ݳ¸
-é&»ÜÂoø0]þS*(:‚‰Îüí'mn¡ÝòÕWnÉ |Ur²30£à¼Ä¡tI•ßö›m0l×o§©QLÔR,óècʳ‰/Õ>‡QÉcöYUÛã w‰à;•žöz µ½Ží›'çð¿}©Ÿa8Œò’ŠPQß‘·Ïý4‡Bឧ5nD'­7ÜmݹJÅ«¬Ä¦9cìa„à^”T P)¯ÍNÊê!¶k*H{RwÃ!-
-“jÿQ$6]ÂÎ׻،õU…ÙI´Ú ÑLÌÎQEÒýwu’å OËôiwïèc¨ä<^_®•XÌx÷ñoù 6âZiÿMmþ†Ÿùå”áƒ_³ÇšÐ~8¬ëÊ eSœbDƒüÄ¡ð»<¦Ý„¡´ï‹ö|·Û"#ŠR:¨¸ŠŠ´`•HÞ:ë×(¤ =ô!üˆ ímpéçö+ÂzL!â<èÚ¬bÐJÑ8¸NŽPÝ8û‚aðŽ
-5{V¼ƒëÁ¤}bªyñEg(+TÍúïA/ö1å Œrâ-ôeÅø<¨YÄ&ú²:¶j´Õ@ß$Å[?z® ²ÇáÅ9í)DÖ a{t:7¾"eÑÜØ¥¬î|<ü‚,þ$²©î»ÜÏv,’"?Ç1èÀ3J."Ì |ý‰ÖO>ü4?m$¨¾™Òêb ‘­åàV¥— ž¯v_¶ÞQÞºÙ,‹y›Lñ2™¶b‰‘´}•VõÆÞÁFBv•¹ý&ò!‡U„Y&ÿV#ŽØ_ €Ús.
-ZËNêj̹ØÂF‚ÍÍSxG\â½»¥]!(Qq#–î \zË÷šéB4ŸDö3zëCY»lÁ­«z›b%J }?LDªEÊOÇŽÌ0ÀÙjöDöí¶Dx×›ïí­|moÇÇüAjy˜/QÚ0ÊEÔÓùv›¶ß¼É…¨G|×個ÔÙÓ̘’sø{M,®^.š
-v‹ yIF†ù‡VBcðà-Òæż8šFaëòØAJ|ÿ=5>ô³}œ?ÔÒˆ½ XV'ëæ/¾9;kEséjãLÌ|ßã÷;&Ô[û á®ÂÒ_6B¥E¿Ê®¢wÀ—Õ¼v)£™µWåw‡XO;zpAn…‰Šþ»Ö41ŒO>$,_?¿2’›mÀ4e\Ú¶ÀÝýšSÏa ãåPWbeGWý=‚Ûsõ8ülÁ½]x†V’²“5!Ù1S€‚7+ý‚œ´X¼RUûôˆz¦Þ¶¤8;-½Ç0"ôv »§ïp.‰Ä×»B¨õNåyÞÃï§óE^É«»ìÅ%çÞèÙ êÊÕŒâ›çRææ”òïi ¬ML÷É87â诺9ýèî¤NbÝ2t‹WÝsT{´$8˜ë§òüŸ-ÈRÃtGÓh¥ìÈJUSÉU°Kˆ+.´By`Ö-ŠQ3gföÄêüQCp
-c2
-øJGT˜âÿ§:ÿgÂa
- œÝ£Àá²&<"ê¶v| `PÐr‡•þÉï(*È?$ºÁt÷ùG¦Ò=“®ÿŒ·õ:Ã,]9Π,2wAÛÍýGu¤Vä{ÿɉÝ…NÂRWÒF­¯;ÙߣˆiϤUqÕyymõtÐЌ͘<d1b‹ND¥(I0}oŒ¬O@Ñ)méEåª%5´n¢ÞÙ°â–Ÿ „Ó•›Ø-Ö¾hiÔÕ§¨”û|)ÈÑnÿ]:ú›Œ#–À7£“$ž@/4ª\Íy(<Bf¦;z”šSÀ¨×¶ä^3^ö¬ÁýJÁ•6šµ^áñ•îór}µúÍ£¿ÈFs4™>‘F¿}ÑFÀÛÁ‡J¹º’|µÖ¿¸ðZ»l݇\šµr­ü!NTã“LW
-wZéðÑwuɾ{Á÷Ü< Ëb¼ÖÅÇ'Iª0
-?å¶ ÷Ð9ì,ó
-Žµa‚BØÇ)“VÝíµl
-Cp?zõ ú+¾¬P\þE8v¿DœÇ<ѪñqNš`wÍÑüûkàC¡QP]š°_œ'ðaÛA<è£y<glÁRÆÊfIg»r$–AÆXEœoŸ{'ÄiÀZÖ´ïX<(£ –²®‘mšŠ7}öÇÿ0\Æ‚ryJgi+‘cׄ=,ð¼{5ͺœGÚ°EuC€ §Ç
-e1ðž6¨ÒT‹‹ìo#ÛS·tЬ3Ã'ãé7+>kÕ¦ sûÿŒ–Á¿ˆöꮪ={mÃÅyÁc~ÿ¶`ÙséÉø9´œßçÀ©2™uIžµ7ˆ á¶Êu‘ôÜ/c"çí~_OIïk8{µ¢¤:¸Ýô‡²(š÷\QßZå5(²îÿr¿óÒÆÈÄf4<W=A±æ!ù$sF¬E‚û$ëz=nÉ}lVJG•XG²a
-ºr”ýW§F»@1“ÛËí§BßCßMdÁê`É#3綗U-±ÿ5e(¿g%ê‚jUÙʆŽµÒ½&?QÖú÷Yô
-Q´Oè!Yè…¸‰ý©‹øžÌzA4`(õm —R¾_üÞãW6µÇA:1<à#EY’‚vª­ÿŠ“ÆlâÁ[–n&ñÇm̱ QO·K7ÿðÖ&0ËázH»/s»éZÄ
-„ 0`I™4#pv
-Eàf›ù*f®[u÷z‰¾!9ü6ÌÙ
-CÒ3ÉwÙ_&'€›ÏìA¿.﫸E ®wð“3e©g±T×ÎŒ!Ý­ÛçC4uº¹už×Å›ý 4Þ7’Õœ±¸2¹¿3½¾„c¶"!4¦ZŸY•›S>Ó¢<€$Lc'occ”÷ÑçgØGwtm†ÉEAË9Ë?,râÃyç…ÁË@ã/€7-PÕYòÄ»¼×HVìçÙ4aý̯ø¼!9²R‡KHàP'áX|Àú[
-]Aîú26ûZSQûuR‡èᲘ¦)95¹¥#²B=S\Ƽõ v·CW×¢)&wÉíâÙY]>Fª¤º0F
-üòãVaï‚-Â}‘#Ô–oÞ>ã·8'…SJ6¨î£’s¹5Bùè,͈®x®*·‘|â¶\T˲PÝ0 œB}±n{ïËPò#í½·/¬o‰.4Vz´cš×ÌÐû_t§ô–¼’ßÉspãMüƒ
-Âý,š«»omž§t~®»MzEåQÒZEƒ5tUàÓógó´iN5u}3ïÌì±ONâiZù
-or)vúm˜„Æf|!¥œ*¹Ö~Â’Y]µ|þF¡œV
-îêõ´ì“&©jåN[N/¸†³ˆ=õÞ~¸kÆ~?Í¢ðH1{Ì)ê++?<rnþ›ò˧{Yb€œ¤ 'é0@¨u–-ä¿ øàðDxÃÂ"‚aaÀæíÀiendstream
-endobj
-624 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 33
-/LastChar 125
-/Widths 1346 0 R
-/BaseFont /FNUUJC+NimbusMonL-Regu
-/FontDescriptor 622 0 R
->> endobj
-622 0 obj <<
-/Ascent 625
-/CapHeight 557
-/Descent -147
-/FontName /FNUUJC+NimbusMonL-Regu
-/ItalicAngle 0
-/StemV 41
-/XHeight 426
-/FontBBox [-12 -237 650 811]
-/Flags 4
-/CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 623 0 R
->> endobj
-1346 0 obj
-[600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-617 0 obj <<
-/Length1 1620
-/Length2 19156
-/Length3 532
-/Length 20062
-/Filter /FlateDecode
->>
-stream
-xÚ¬zSx¥]·eœTlcÇv%©Ø¶íìضmÛ¨Šm£b£bÛ6»¾ÿïÓ§ŸÓ}Õ}.ö~Þ5Çœcb¬µö¾xɉ”éM쌀bv¶ÎôÌ L\
-´¶³·Ú:ÿ¥øTÎæ@€©…5 ,¯ ))' —SˆmŽ›Pp1²¶0ÈXm€Ô
-Ë(gçü7%€êÿMe†ÿ>‘ÿ$þoø¿EÞÿ?qÿ«FÿÛ!þÿ=Ïÿ•ZÌÅÚZÎÐø¯ ÀÜ1
-Hk
-
-\P3ÏØ©®â%ª«Q¶°sy1*õŸƒð3›Wž®õ;7 K³y²mÇZÉh\HÐçãîäÑ|Àÿ´_˜D®á!)?¬oöër$q0>°±ÏO„<X)
-V¼TC ÝÐÆÕ»ýÈû]…:€n&)‹ãº}°Äk’…ÀUꜹþ®æSM¼^ž“O›@õò.ŽŠå†"5sÝ€ÐV›¿eXšÑÎ I´Üû‹#k•ÚÖ®§alaUÑbPh¬4'Û´~ô2 þy×DEã)
-É{<D¶¤ }[DY¶¤T­±ê-úcØ'Ÿ[z‘.J(›ôb#Ö¹_{—Újå1ãysœÃ
--0ñö® ˆ(É0fö‡óÁ0–\Â9Šüµn3ÿ>J¾™Ê
-Sò¹ °žô9w:%x?RŒ¾÷å9:…œÖÄáöýŠÞ‰Mb*x:lô -1Y+„ -0ÃÂâÒ
-Ú8äWó <'Æ–©läÍM*iÞ3E2
-r &Õ}Yðù0qLW*€2V:ãJÙ™³œ
-9O¥Ýò“O.2&ÀŒp&'¼(5
-r ØàŽ:—UïÃ3;&^ƒ H¾÷Ä¡@\³cöW¥ËĤo9z”ðq£9ÊÂɶÒ]èä´|Í6ّ͸;këá²êäQËÖË”W¯˜›}M;¦ºù“
-nƒ¡”CÓÓÚëíûDÌuU£–¡b½³i»´lÜUšd¼mîRiSgC¡-kÖ;Uõü§3ƒsèº(sT ØÔw{vUˆ?*?Èñ'f27ØÄbLà×I(~o뜫’°P/>³ŠÖ²,9Cæp6ª%"Sš¼ä¿Õ
-ý>Óv¯"žKa†­dLWA¤;a# >ûëöêÍ¢®Ú:¾" )¸-!Ó#Kþ=ñ]õû3¿fö™ † › [ý9‘3Q"mn±`÷Hé-ɦ ‘=]“¤GÇëÎ'*¨j ¦—œ1*\
-Úâ\ô3†JÌtÂD†‚V­¹˜=ŠÛXüh¬‹:L›m8}äœZ¢Z¥UŽâý“kZM<íYáʦ¬b”Žnhuë²fè@–KüT‚GÐ_2žŸ=\kAõÛ;Ÿ¹š@tå|#Žì¸bK]˜ÑÕa1%­• ÓÞÑÑgñ÷½«É®,Ï|ÒKp(À·ê»²“£K ¶z7÷›Xi!P0L#‹
-K™ázŠŽï“ÕOG‚î
-é5[¬xv”C°‹S=ßPWâ±Géšæ­iúaÒ~öäÁy o¿ µþ¬ís@q+@ñ›¯0/<ϵº¸gÆ+útÊEQ”§ÎOƒÉ!qÝãÉ›¾e“Ø;E†èÏð‘#VÃèlµÃwÛ‡¥Y¿ÜºDöâã§7™“m­*<„"É Sé0
-$¦äh]™!î;Ö¦xµ;5rÀDW’GT>—0Nzœý¼ èè8FÃñ;Ó‚ñ-ßFIüëJvë~-bñ¥=`°Êvýlö¸E‚æ!Äímâ/º=ü1Ÿ/ˆÍX)²È<w×Øߣ¶ã™÷‘/‘Í“ì%mFÔÈøDÉÄÄRߎpHÀÒµÎÍäŒÊ‘ "X9€ãv-Þsçþ æ¢ Ô'ÕžQ›©(Â8ø„˜º“lŒO!âàºBw‹IËd !¸_a§\ünÉýùâH ]«y8û"VºÔìJ\+;£´ñ¦LÖŠ ÚhHõtñ¯^v÷Ý}²p¬|ú•¾<îög—#á5ñ¥;QÛöNW³#M²Ž#í³?Ð_ÀöÐGR¤0\.%B
-À”ö¢+ˆÞ)Á÷Ð?ŽGíL€êd´-1ucÊÅåâzh4${Gg¬Øÿò¾Æʇ­’NÌå¥fdã€U{h%õIí®Ïyö¢˜Iw¯e,á#ooó§–Êù’¬°<ã5quèËîЂsºêJ&ÆŠÙÈ…_+LCi¬Å»oGö"ÑâÕ2þn¿ÆÇjPÁ¸:’¿¶XS0`ÕÔ*‘>Ø“}‹ÏÔ»•…w2øÜÝO1<¡½¹†’Œ8
-+ˆC:S¡€5‡a|°k÷gHƽ´)2t•§©oš5O}ÞÉ({9nŠ5\·iøH@O°·ôŠB‹#"—r;uî?Û܇X©>pŒßú’•SŠÂòq¾Uãt´} õåùb#1,Z±jçX@7¼ •§ÉZ—rc?™”AUäûÖ»+[ä»zÄ+G ÓÖ_ÍÎðv_Mól ‰YKW£ðÌ”‚ 4vÚÖ©.æÛ™@ãÄÄý~´¥Ôx+3Ê
-Wi7í”rU¾µ;a‘
-ž¾\’’‡†@™´DÍ_7w[}æ˜ã£1™dªÓfGÑïÙä’e¸¡cî–\‘Aú”÷G¨ùøã¿ÇØs£â‚|cˆ¶zÅr}¿¡5oÅ_¯ÞðP­2þYìŒR TËašÚuAC¼ ñÙEωt¸²ž5ŽèÖä~ì¢ÛœD³ÅD“Ùµ”êR/ÍbÕeŠ%Æší®*²(D lûUczﲎT““)ëûm?i&lëlëWà<ÛZ¸ýd´GS€•/qV N“=ŽÂÚ di¼fÑa2ð ú‰{Š›âÄÊRm!ƒt‘Ùé7p‰œ„—ƒs;ï÷ÄŸ¼Ý¬ÎQÎ2¬fqÇf!>ZSäÕ‹Üq{ àðŠi^
-Âhû'zO`Ícõ¤õ0P±rLYβ›G^¦È¥Þ#©ì
-ºR…ÒBnÖÂϾîÆ¿
-y5~Psòí>x7ªU•$峀ݪü´vƈ´5@àƒ³ä¡ïý’8JôF~¨FGÃü‰0¯jiô…q°…Ü€õRVË#»“é ¦mV!‹·ä0B0IÅOا$—Á4à¶]ãNáÙv™Ÿ—³#1z l»,¹ ãÄ5#\û‹zQÜ‹Žïi¬Ö#nÝÕ–¯µ(¾U¨“„fp/¡Esªjˆé^©n6 „.ëÖ^+"®ÏeV¾¢
-8ðÞaí"Œ}9£tÍ\ÿ*÷Ü^"ªs/ü.Äöì0_
-ØÁ({0/“GÖ-m«Ôá>ñÔ‚Üb¹ýQ»ðÖk¦«Ô«sö28¯âªV–Ñþ$JYÒ3ñî—ðZk‹w½¥·BJ¢?mÁ¢`g?%uÓÂÄ9§‰.‘älʤq+4ìcXä_¶=né£fóѸ5­){_Ð'Ëš”sO+Ú¢{~Œ¹#Ï\%5ɸ„êdʺÖZ²¾`•[%UP+âóJ¬~g½U8n( ö £ó·( £Hž7á$m¡D¹µhOëHíW„;hKÈß8φóú †H~Â$+·CO‹-yÿB©˜R"g[¹dIP3(EÙKµSÄcm%==„ÕÅ»ÀrpÔÕRÈ q¥6úà +Ú,ë…4|¿‚ ¯Yì-EI—m4’ªiE+D¨ZD2£BÌ%Hݼ³‘ö£~·ã»]bË 'ò|ŸÞtÿ½¢P)¯…¹'ÆÝ ±¿IÒ/)>€j¸u™T-gí’;l´Ë'ÿ(sQÉd#r¹ÀFá3€m°¨^LuRñom×7ÿ\ _+3‘ñ›‘¢Ä1öXá
-^õÙ´ bš:®Ý~ì
-fÂéN~aŒ?á°¼¦‡·®_"ÎI¨}˜ÇØöµ`u7ñ›9“p°”¿MûKJ¡m
-|•nýÒˆÚXýyaݯℎºé„J‰ÇI^}m èD„·_GN¢¢óÉRs±ì}o†|
-Mö¨Eçe€z§½Ð@ñômú³”ÞÇŨ¶¼+D쇕a<¯‡»A´’– ¦r³S¿ÀóI!/LÕ¯GK^X"âQ¸ê9µ¦›µé‹º
-Nl}MI{kIËJß.¿&ëƱʟ˜„èºã«mL²´,\…½´PνᆤyêÑc„MJ/›ÎxÎS,‡ñ4C«uÌJh[Ž0ïoZËëûo=‰XR¯ÒFl0JøÓŸ;ýQ
-0ª‰ø³»À5F%n{zY„v¶näâk‘†,¡œÊ}¬©©ÂåzŠ”Ý/ð)H\
-á ·óGÿ-ãæÄ`öS¢ç¤^wS‹6ÁŸ ù×õÍÔýˆ_h±rà6zó|:èX£«~c&#ôÈîhzó'(Z {+<†r¹P­®ï’8­%·´ "™[n—hsè7ßC'Üo³íV¤æYò›Aè| ÒHnŽµÉ³“&<ÆÔâA—„w#ŒNH
-üzdùp»ºÇºû=Ì3j<óòSàìlúÊÖƒÛf|­µæÎ÷eìgûÝ™0±H{4Ê
- Èo÷mxÖ ¼þÒ‚âÌ×åBÍ–9Nhé#Äy»Ò«Ã{ÄÈTŒMmS
-î:Ó¯+1³¼+–ý0§ŽÕ’Ä:[”ð‰d覹,J„ŸÒNE‰Ý Ï q5þ&ÃîVwmÌð¾ß;0´Œà0»’Âóüֺĩd¨¦M ; ÛMM;4²¡>š/£û3/r3¬Å#šÙç¼ø•èwW˜Õh)¡ŒòÏæ¼³öFlò„ºWR†é^mLÉŒÂ{ðsLF6¨.ûžŠè,¨êz¬·fo
-+ý¯Ü—Û¦@¼kn‡–°‰Ë-ÏvCø +W²žkFV옘r ºË^ø¸ábçvœ»š±¨K?u4ŽP ¢+‘ý—ÃT»¸ÇaÁéçytQ8árj”ôH¸ ¥²b®I5íÀù¼Uù¹Á[صuuH´éêìœHjûµ{Ã">gf'y»[8.¢|¿lA˜$‰æ¨èH!K¿»Tl]²Qã­þßI
-»y¼¯ÈŸùt:Ùå6
-ðš$3:ÁHªËÖx×ÊÐùŸ'O&©>“ús)pCŠê–¤‚埌Ÿ÷dðqøÌûúçlsËçÆÓðž_pUwôûß;^š”ûÀ¤à<“¤TµzŸÁDEdká6]A=5ìƒË "ûDMOò䃛½%[êÓ×*{=F¹"ï£Ã?
-‘XE†™xð†Itò ö~›sóUúˆ£©Ç“µäÍC]0𬼕”„€¢ ƒÇ‰?§×N®ÎA Nš±D¢¸Á1ø=Ði!íø'(ßMêá—ï­RbøÚá²áCPþ(¾8Lµ:$PøÍ¥×èX;—Ý­1'?¶dUou±K…wõÔˆ“x4êºÓ»Ÿ*Ä·"+ìiÎUk|º;ÀÄZ2۽̹ºz×óä€ÍÍÄø0]*bí ¹àżòªìš16
-¾9¡¶çÜ@Oƒ+'ÔÝ{Us~Íxeoèí×}ÔûhµÙ<rã.
-’/=ÿÀÔèÍD±Rî9œÓd -(‚*’NE畲é^:,SÄÔZR·âj ɺc ]žŽ’´’ø¶V ¬µ=yf§F>Cˆ!AÿqøL•z35G0ÿ3TxY¤ñYS“Ø»äOö–VÆÅ}¦×ºXGˆÈ° vŸ8»úŒgŽŒ‹´ëuZÛ‚ì@ËŽk¤¨éN“ú|›EILœpöêñïDMfG ÏSk‰úºÀWVú›õˆ< é5§ü”Kù iã“#OiÝcäM²RA+Õ\Òuä8/)ˆ3ôžwû›eÈëDñ9æ7 «³‚Ü1µóL8”(µåD:lU Ùg> ‰>ˆ“9°-A–ãÒ
-é3ž¬¼·µ9ŸœJ#iy£LCpøWØJñ¬fHêÐCÚ¢ÀVÑ  é^¤Ç‹oCÔ‰bêb΢Bê7A”$qIË5iÔò`ŸØLtuŠ·ÂÍ:Y‘¨:EÖìò¹fì…žÔ&Îœä? FQÈ
-åF¤zÍÜ-E¬%õ@ÄÄ:ƒ}Ñ„dœ­v4KÿÈ«Ùø€  ìîrµßõ¦…!Q<u¬:\ƒ| 79l‚MVþ˜ ªfç·„”
-[‰Wèûáù©>«OæI¾¶C‡KV;%Œä¨ðò%rÚàŠ™"ßj@d+ËÔ5z¢fvrÃÕ¿uõzÆ‘¼Å–=]çÿ êÌ ikðšv)ÝrrÊJ¸
-¥¼¢ÏÉyÓ½¼Þ2Ÿeþh
-,ÏsË(ÙÁ½Á.(s8…›oAΖ¤*êæî¶}‰ý'·—õ*ÈQðUXëjúé›úŸ8æ!õ5*|÷,ÚÜ­GïËopŒˆz´¾¹øãGRê òù«M³t³”–ŸLæ At,­c…Èc¾7]Aèùù¶£ÉN€ºÉ
-(‰ª¢û.t<bÎ2o;ˆ}¾â³±Ãã¤Ib$æ‘"­é[”‹
-Žìdh
-´D¨1a2(iégµ;x{‚7\©A0‚’yyáóäVv¾ªÙ Dâû:MTƒÔ’í)‘rrê7׋?, {œt˜O3q‡©r¥…Û”çÎÕÂLéÄ*ÝûÌò¦°Ã³·¥À1`äuÔ›¹$pÔ…RûmJ
-‚¶=ÆŽÍÉnù-4­0
-7{¢Wk¸»× 7µÇ†»jåË%‡‚óºÉ×E&¦ Ü¦žüâW†gÔ;7ŠÎ[R'P¾¿ÝÈÍèÒO¸L^¾óuYÎ6ûÀj/ÎHÌ5¬¥ØÔ¼ºÇ`jT!I9%f|°‘"XÝJî&3ýÀþz›&ƒ¶q¨ç¬&6ŽäåÙäcŒ˜L16Zó 61GŒÃÛ).1äÔSz‚(ãu—-ø(øi~pçrYÜ—6^ õ\𛪗.ü]øš1‡½}l¬]m:¯|¥?D²sWFÇç¤>§Èù›ýtÓáX  ö§È%¦‹òf5T]ĨX;ÝöŠÖ–» ¡Ç–Et0ÞÛ8ë%
-EU¸ò€d+uQꞥz²™j#™f‰«
-ÊË'5lZ)c®wŒë¦éCD(¬G©ãe²µP³´5~PÏi¶L™æd!ɱnO;Ë}i¦$²AbDµ[¶¿o3˜g³!©\#ö³FU¾-Þ¹ÿæí>ú9¤ 2áUÉkûª»¦|óíDIÀÙÞ@ ¡Ä
-»_C¶Mãl@â:}j·@Ý´2¥½Ú²•¿…à9SäfƺyJ-gj"ôøÜû4A±ƒÿ!=Ò]¥õ"/ïäl•N»"ïQE¨û]'œÌ¤O™|…KÄeЧXšcõ»³öûDCïJMÁ“„‚b`úÆĦL$ýš­Á­·™³4"Â-c ®'•–äÇvŒZ•RæêêOÍ/Ø5¾¥lÌÂïkiLÄ Ùf°k9rÆü³š#ª¿'•Õ
-052BÍ6¸~ëϬ*“Þã“׫BL^x¹bÂ~;ý°^0æè Z±!拵Å=>÷1•/µþÁ…Ÿ9y.×›kôÈ ÷=r¼†=Eq‡q·ýçžáБš? ÃMÒ ,:ä§j4rŒ E¸ÅlôÍoÞ¢‡5fBµþFo˜@ÓÒJ1xÚ>véÙ!ùl"Ô> <|qbŠúÇ”›_BŒ=÷úÖÏ#ð4Øvg{ÎŽƒ`#µ“‹ëEB1útȯ _y
-ÐV×p™%V ˜5ÞÒîm08ÂDyTø¤—ûAQe
-.Ú¢6‰Ài¤õ™qUÌGŒOËç”AÙ•B¯ß8¾?‡6Ë5yª4VBô@ý¹ŽIÉõ*'Çïy•Ãˆ>qѦB-z¿:ÙýW– ÊW‹;_ºdð° «&µ#h™8†ÊŠ®Išëmw÷ Xg =sSi§ÅÄ5ãÈôÓKB?Ó›µTÉÌ]~ð l{ü(Œs`.¦¼o]çè_“3x¼ê_’o9å÷×Z•“ÒêȨd6Ê
-$bðê0eN½™•â­ÉŽÓG2f*Um‡}÷WEySV8!#CŠØ§¯é(¥½óÁ9¿;-Z[3ù*³ôVžüzãa¬ïÆPcÑ
-‡À/Ä‚u‚’í|£.襡=͋¼ÉÄ38:¢•¡j-rç· Ã(¬¨ L8;çFû>´P]bð®NX1ZÅy.Ê°>®®ªŠ³F7”åõÒ÷ý!ù†’½²ú®Y ±¨Ñã?S×ü‹žÃÛ¡)ì­(­ý&GÔ‰]¾27t‡{Fn*+i{wBŒE0øÕ¹žà2Ý+y y#ÏnÕ0ÊÑókóôìN¹‘૬¼í4Kã*ìŠÛg§n4L”l¹{6‡Çá7t¬UË>_šS .u á¬r`<>¸ÆÕ>ÛçïWgdØô’Ö³2å˜údG_ÇñœDßzn*q×ZŠÄ ñ%¨ó/F‡Fb‚öÙÀˆž&Ú%5ÄíÔRÍüÊgfêûWže‘ÞéÒšÏØtôük{øÙ¿b©½× 춨q¯.Y©¿Â§k qçîW!öÏt£œìçL×ÀkèbmÝÑ:g=G½ÐLk·þçÛ#&Êßnø`‰†Á&·»"
-ž°ÍXVë/h$S¶ƒŒ:Añ¾÷TS!Ê!Œ?Ì ¢-®%ÞöjÈ3”\uèD¡v»[M¯ TªõjW,‘@4\2‚¦Ür²€$ðã©Ü“ƒ*íÙˆH%ˆŸŠEgó¨è©~°ë
-ýqž\Q\²Ã‹±ûÍ—˜lËûâ¸æ­p h]ß,‚Üžúòš¿Â6Í%•¢ð“;‚)¬¼*¡¹ÀÜ'{‡Éõ(ÍÜö\CÈWýÈîƾýÂÓË
-†bJ6¾öÕûžõpIËÄZõ¶Ãp%}Eœ7*X§ïcáÄOÊòµúf3`#û¯é9 vqñ„§x§p b%c»šÌØ7¨D³¤ùF|X1/§¬ñFÛÌxË./U­Åß4
-ˆ~_È‹õì盽ׂR¬£ U«Ö퟼¿52Wëýà9ZOÚ$a߶mO¼ësm@ƒÏJ>4¹5Êe3iöÅlê<$ê;4¼&™’ãÄÙОiÖÜtþùê;^1]öÐP½†Ä
-¨p9¹¸LNüÒÇÀÍБi'ëVên­_ÖËX¼L+UíZ÷¾÷\£–/ܱ šeý‘ne#x=XJ ±RúSô‰ÔÑ{£¡otdKaðĤå d@ˆ›Oàš595´ºà³Ù‡ꔨÒõ÷ÍvJH\µè&©)rp´T{þ-mñ¾äšuåžÏ(t6#=êåV§¨øBKFôJ‹„vÍCÐ’Ã
-¤ê
-¾Õx;xŽM„}ÌÅȺéf‚øL¶Ãpr6Ë(ÔTà£'ŽãáÜ–½‰Læ‰=¼’cÉDÛ­¡“â-‚¶:àž k„Τ/ýjº‰/®ÙÉŠaÑ¡&©£Î•4#¨–͸ÒÚ‹¦b-ùÜu¸ò]ΚÊi^-6Š¹ÇºCè×Êu} M={ ØÁj"¹/¶Îž\].¼ÜkYèä$U6“ B¤l÷Jß"bÈÊ";„Fuj§&0$¼ò/Äé»c†ÈÌkñéP/¾I”³,[R!&À$µ'¾?Á¥1Öaи¡€f(9 ÿ&œÐò
-EÉÃc9²ÎÄS‡õ<z™,ÿZ^‰»;ôAÃÆÓýÕÙRÞìÕËï³xvvZ6ÿ)~— —sÇéŒm¿ƒ)çÁK͘Ã"¹æhae™MH!Oî1¾ÂyxÅ aà…P£ÌMv]ZÞ…jTH™œ…ÂÍbdù`7ˉlO˜—K›‡h”¸%Ì›uŭ§ë×½'EÙ3ú]ö@ ñƬ‘aÊY‹^ȸ"PÙóÂ(¿*Î8³h[d)yLšOãg°Èž f:Ì>(.&{>AY›uS)/âȈ†óôi‰‹V<èXÞl˾)jÊ22ø~ÁU؆ҰfNmi%:iš~Vò]moòãªkYÞB5òûõêÃ4º8Tq$1òUé¼y§lP6Ö_ó½c^yÝø}·øš£”™ãD6­Ûˇ=Sœ/ƒ‡ªKȶº ‹áÆ#JŒ0âüØoÛÖmf¼9ŽýS&çùÍ:\Ã<ä¢B©"H{f¢y®«Ÿ· d¶uzýØüøD…ŸbÝØ/”¿"ΦU_³µ/!0?Ù”Ìa£zêÙëDÔH¿îBqi›i–Œ`HËöCŤÇLéòñK'oùºæ…–à@(ê×-[„rh–H~BV´Ü4è¡@O€h‚œ±¢¶—ÛÛ/f¦¨–‚p[—È"„ÇzúQòüÐ;­­äš/èN@öµÇ¶æwÒ$é;ÉYP›:r=Ñï9„EÿBx'aËdzI–ᵇ^ÕTä摨 ¬-Xœ¨ðoOòW<[z9sá›p ß:—¾Ûl~(æ„B²b ø>KƒSÐþ2•ŒûÄšåêx꼄JýX§;{B v
-
-¥&ôÙÝxK”ætªü«*Ã}Eñ($ kbAk²
-Íï!VS@ù¯b;8 ~‡ÛUgžƒ¥ÎŸ“ µ~ÑÆìåÔú<ÂŽ}¸K­¾jﮣj„Þ²’ççIYBÀõ<K®ß°”—ÚQ…”S" Ð<™—ÄÇÈãÚnÙûW-úÕ9ôTæ¹£;4E&x%v˜ˆZ Éô±zÏBð­„¿‘Á;Ž)ÎÈJ…5ÓKÚ(1d¾>ðœ{ûZ„Ì¿ Q>3¬
-®Ã±U ,m;Œê*§Éáèï 7‚§¯¨»×¹n[¡Óˆè¶bÌž þ$”ŸÏid÷cvXqh@ú‚DmÛâÄWÅèôsÃù£í«Ó:
-kÅAž—v|étå@òó0´U]¼Y¨ß©ðYôsÚ÷/þGûôý…ã8pÜÂÙqöÞÎ&ãì¬d22Îv!ãrÙÊ9#3ûçÌtÙºÌã"{dd¼…Ì>ßÿáûÛçñyýÏß^Ñð%¥Õ“ó/½Þx+¢ç«À:C_j=ä ¦DÅÈÖë8ÍT\Ln Íæ¹°†DŽ%‘ÍÐL÷ʵûYÈSEkþý÷•,¨8=ñt³Ô‰¦EP&§!ÉIÆ ÿ:ÚËítüF kû!®9:<ÚMÂÀŒOÅEàg€R&Ö¿_n›âTË1ê ¾ç·Ÿ[~òTýpD÷ni³Y3ÀÜ–ês¨½”‹‹Ôñõz–bÚzÍísÃú ëgša9ZlÈê_ÖmO‡çH¦ª­Çʬû%!#Ÿ£”ªÂ÷¾Ù¨ÙÈÕ•ëËÀå¾$1 ¹—bT!PÅÚhº¡Îî^Ôˆ6ëáÐr‡Ý£=e[]t×w“ãŠóùzmæE DƒL%½ó\}°¡·¬ÿ å„|;®–ÚRÑX
-3ŸÖrÿFíöJÞL–¿8ÁϘ/»«Ð,!DÇ…î<ÆiÊOµSÙ”ñ£ÝT²Ç‘N#èxîj«»åuûoñ:Þ֧׹‹»ÄózFê’½Tõœý
-˜‰âüÝTRŠ‡ì¶NòØ]Æ_Ó”i¬ŽŸ_úú‘Å‚¼K‚ΆÇSIÊe°µ{ˆ×Xsë(ÛÜT+ö®ë^º
-+ •QͲƒâ„Þ˜Ò¸.É Ôï­]Wpü½¯vëùëBåP•®ðDÐ8©ôNr°z¼‡ïæìñ6ù]“ó ˜Õ¥™ß‡ÄÂ9.æw™þИݺÓ
-…%lÜOÍßc†ó‰é4Ü´Ê0Kñ•ªA[lØAuâÂØáÑÂ÷>DÙÇ+ø³ûôëófÔÈóÖ)ñÄIw‹ªè×J#4RH΋‘¯¤ÐÛCé_ネņkŒKº·mWfö/… <å"èq:”$±öñå”M¸уÜVý*Ž¼ù餱Î- ÎcH“í`ן,¬ùô­O­@ ™˜À<xc´á°2Š9L1.Î33µ±¹sWk¨gç@B¯8ßô+£@™Èv~¾”J©“öJ°ûZ€•0ÉDjëœÑ¾õ0õx9(Ç©Þ8× }ñžûð» Ý<#ÃÛƒ®ºX6GG†ßd±œÎ
-lÅŸœ$f_dq_“ÉñøC–C'O§_œ„Í¢z™À7Í°5åAƒí`EûKࣃ„>­Ò„rÖ:«Í·ä—ˆ•Ö’"îJìK4åäNϲN^U©çuÃ̼ß!¿|gbTM‡H³™¢" 1WK‹pr)*Ó:ô}øù&X}¿³¼åð¡øúùDÊ’‰‰à†£/ÿ©“€óD-z°,¢L“4G{¨îwN
-Ã磵E˜±Ÿºùxünôqb ßd˜[<ÇfÎ@ߤ»Pª p§vŠ,à ÈY·“›Úˆg”þ½#©Ø¦”üëÈ`…>—âI¼¤®;p»ï“‚ºúÈÞ˜Ôm}*Ð÷î7zžôCDuQÒé”c§„Ë/οcÖ”N~?¾¨À¦Œâ~ Ò®QR__èeýrå
-@¤õÃo_U¡;¤¢æªe?Z*½¿ÚOæËͦcZ¢6zÓ*î
-€mK1”£»ãß:¹<f:µ¦V.sF»øÎN®õÎîÅEQ‡gŒ‹uà,¥vz­!ìuS,ñš#\¥€ª6KѯAÃIá)è˜SX1ïŒ~†‰<& ;Ã] zÜ)ZP=ëN¾Ðºg¼)Qµ°}¼>Õ˜z_#å *’Ðs,b½“o&‰ð]ÎÎì†Ò¬¦{˜±ãxÂZ©–\å.ÉÉq™5í—]Í_ãÓ~w X~˜½UÖ"bg¬%Ì—ÊÉbÙ¶Õ¾VÂ3a¾$þ—ì!íL;ENLãÖ[µô(ÁzŠþÐÞ :\¦oŽìÿÞÉðdþÌn¤j’Pïn‰“Ì{:}*PDvŸw*[ð@9‚
-Ô0a¸­¦û[ßÅräÛ%Ó\qŸž]£÷Àëð|O-FêkÞ‹³€'‰Qö.ÊÂTqëÚĵ¦Îš)RžcÀ¾ôßØDã“V¶¢Ååž5yÔL ùR„wOƒùͳ¬¯ãƲ¹ûx¥óuj2a™ dêMèaÁxö³]&e9õ};ªÄqÜm–íʳì $j´’V¢_yŸ¹6€W 3‚èíRõѹc§EsšN1}œÇ‹”Çžácž!\°­1£,,ᄬ¨\XMÔ›ÖÁ€DÊŸ&ë«~9F=Þ'KJk®
-ÀÝÏói<ÐÿiŒö? ͪ¾endstream
-endobj
-618 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1347 0 R
-/BaseFont /VGVTRI+URWPalladioL-Ital
-/FontDescriptor 616 0 R
->> endobj
-616 0 obj <<
-/Ascent 722
-/CapHeight 693
-/Descent -261
-/FontName /VGVTRI+URWPalladioL-Ital
-/ItalicAngle -9.5
-/StemV 78
-/XHeight 482
-/FontBBox [-170 -305 1010 941]
-/Flags 4
-/CharSet (/fi/parenleft/parenright/comma/hyphen/period/one/two/three/four/five/six/seven/eight/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 617 0 R
->> endobj
-1347 0 obj
-[528 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 0 0 500 500 500 500 500 500 500 500 0 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 0 944 722 0 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
-endobj
-607 0 obj <<
-/Length1 862
-/Length2 1251
-/Length3 532
-/Length 1862
-/Filter /FlateDecode
->>
-stream
-xÚíUkTgnõJÀ+Å€€¸T
-æ2M°hZ 䢘ÊLÈ@’I¢ TpE *TEJ+¥õ‚.R.+
-ž
-rÓ(˜€`E.º¢î€zìÚŸ»¿öìÌŸyŸçùÞï™çýÎùœxA$–„}Q™‚’A&àã´¤ ™JpròÁ`H ²õf §'°”Q
-*cßP;`LŽ›œq“Ÿ
-¿2ç ¥ô]–£€$ˆ€%‹’À
-憆¸¾žë,Ƀ™b³:¨oÕ³5ø¶ÆSÂN%S© .Äß7_üw6ûL&@…ˆ,
- Ñ=
-”˳gÿM-Bð‘Á°
-º:PWjtauZEâgǯÿÅìis¥±Ë´!ì|b"ÜD?¼É!JQ:T¢?»WKŒÑY.ðÚo‰±ÉÈúrü˜åɳ™GËÃrwÓëÉADuJ¦fÞ ×•Cm\Èâ¯õ¶Ìzìî¡oV¬ê_‘ÔlqXh`o=^7Õ×a¾Ø%pŸ‹ãRF× ÓÞ÷—Õ½÷Û–O*¼¼F0zí–‡G”ûf®Ô‰¼Í#Ç¡É{¾h‡NçºiÕxÓ ßi-œ^ÈͪW=°ÏpLwzÔT®šÈL´Møýj¬)ñFÆpvÉÄW\3B½=ûRïumêe=%g÷†:{?»æ»nâgK›]4EQûÜæœ<oÓ}/øç*0ý¥ÁtiYâ“r(¦ø\ýúñqß]X3LÌÞEþ¢úÀ–‡¥´æ¬@˵7»|rž1 h5ɤù+ÏNj΋÷Sˆ#î­×7”ÞÝ-}ÏÂæÛ¯6ñϲ¹ï “ìƾ=—bifŽšv†ÝÊ/Cžqæ–Ï—s^"?vj÷p
-³g'Xu¥­¼mÉÞ–ŸÈãdZD]L† ÔÝžU. ‹55Vçi´Ýö¦=úÜx+ƒ¦RˆšOædeóø›Â¾0IÚÖP˜ÊçòÝO*–¡‡V/K5¦qö6=íu}, 2gžj/ K·]©†OÕz»O›²Ê-4pth~ËvØÉÍíâ#iyâøLJs|šÔ÷ÇØw‹F“~Lpé5A¯nÌ›Hô·ÙW&~¤çÖxU—Ù;»<G©Ñ;Þ˜&µE?ïñŠ[DÛÖ·iöqI¹Ûã†x&–ÜrÍ/óäd©Qì·Œö<§#f4&ÿŸ•ºqY“ýc^68¯kùêõcšŸ.Ü¿úG#ÍEÙôí¹ÍˆÛãÕÁK^æ„<je[|óËÉ0㳸ÂéíÆ=®¦[{šð~Qê{éë/‹[Xtñªö¢–ìKjmê¹zÔƒ®ÛygL©òò°²öŠ×J Eœ|0W^Zzò#W-8cp¾WU_×Y3Ñ' ÝÔU}ÌœÆD}G*¼Æ*KÙŸmü5‰®íc=ùe?åeJÇ“š&•]Y(»*ýñø1³¦—Ëy¹-ýÜ>+Í”« ›V=O¹±dz®ë±]½^4uâw•gã‚‘P]J‚§E`TÁåC‹?ÝhX÷B\ôpIBºvà(›˜² ü–aŽÁxÀ.–yK˯&×É<ñkÀÚ#úô´éËŠú/ÕU¬ )ä45ÞaìY4Yÿ,ÅÙðMNÏq®}I÷óc•
-endobj
-608 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1348 0 R
-/FirstChar 13
-/LastChar 110
-/Widths 1349 0 R
-/BaseFont /VAUOWV+CMSY10
-/FontDescriptor 606 0 R
->> endobj
-606 0 obj <<
-/Ascent 750
-/CapHeight 683
-/Descent -194
-/FontName /VAUOWV+CMSY10
-/ItalicAngle -14.035
-/StemV 85
-/XHeight 431
-/FontBBox [-29 -960 1116 775]
-/Flags 4
-/CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 607 0 R
->> endobj
-1349 0 obj
-[1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
-endobj
-1348 0 obj <<
-/Type /Encoding
-/Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
->> endobj
-599 0 obj <<
-/Length1 1616
-/Length2 24746
-/Length3 532
-/Length 25639
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºSek´&š•¶Í•¶mÛ¶mÛvf¥mÛf¥mVªÒ¶}kïÓ§OÇé~êÛ3bþßÀ7þ±VLRBeZA{#S1{;ZF:.€ª’º‚¡¡‰¥½ ­’½­!௘š”TØÉÔÐÅÒÞNÄÐÅ”  nj1501999¡IÂöžN–æ.
-0±tv°1ôüû/˜ƒ“å¿i¸:[Ú™ÿW4
-õÿ¾SÿµSø˽‹Š§ÃßÔþG)²ö&ÿóðŠ½À›–‘ @ËÄÁü÷Ê118Y˜}ÿÿbü¯³¬¡‹“¥@ûoÙ Œÿÿ?žÿ:éþ7Q;c{“¦EÙÅÐÎäï€ýOÁ?jcW'§¿¼þ{çÿýŸçGÝÔÔÃÔz}ÅÞ˜;Ä*=+Ã¥#odJD{ Ÿd$Ô¡¬I¥¸0 Ö¾Ï?=âg•ÁG](]ó ×W‡çò™ÃçÕáX?º y_ªéU®/1å¯B¤-².vêà z½2¸Œsõïë%™P-6µÃÝ)E%½Òp¼™.f'ÈëgÊ
-å< (&.ÕÃè25)hTbp§bâßVv*—èTï/o;eÚ0&±º¥Œ¤8FOX5Éávדñ9Ä– ªA àÊü<xâË…×i†y£Ýë*ÐAlyŸU9J’ô(°ÐƒcÆœÝÛÞn e£U&¥»‡Û‡蛇¶Ôœ¥1áÜå\³%Ö)ë]ŸüHÓO6QrB%¤(úkè>·Sog´ mY²mÄl?dEŠL0ç…ÿœæ¿Ô¸Å¤ÍÙl\Õ–lfñm³lvÑ+bžþTê¢Jd‚þâ•*®%ß^÷%Mzú,yGºð¢È¨Nï‰ð,-’ Ó`Êá® Ø'J˜Kn árËÏÅ%?ÙÜ\óÿâÞõý#„-îÌC½Jœn)„¦Á‚…`ªXS“.ôR°ßµPË,Ñ?Ž™·w©&|!Ž|Õfœ9p-¡BÝÕŸ—þBÐ9’ÐÇ1#ÄÙ€‹ —i&®¼Úß= Ň’—cú²LcDvØ·÷GüS >*²)œ&ü9?·»b“Ä);âxˆðpÆò÷<q{¬œ šNبkßÄ^ µNú:v–ˆóO[PÐfkpÛìÓä…&懦ÅnŠNZË,¯#j‹ìeؽ% üî†A°ÜÍBÚ<´ iÌItxÍþSƒçŸˆ›ø¹C0¥ òym)¸ÍË•o¬¿|uM¦C¢˜F±uBmÆÇåIZÇëB¥ƒÝÑ=úë›GŠ×ûµ¶-ûÅÒÂoñ¨&N“N d—âCMwvh¿2 vYòj¢ W*œÆX•_
-£õ¼ÓíøZ
-ÅÓcA¢\k†Ø8+Ff
-%VQ&4«à\ùœÝ¤á×/)ul3ù‹—I]
-˜ã“×ôq¯Û»ÎU÷«V’5¯…ªì¿à!ôù âr¿Žò}( šâ*¥›K r`ܼÝWUi-ÁòCò=Jª”´z`Ë™A9ˆRzí†RDÞå·Zhk‚•µå‘Lþ©±æUñè‘/—R©ZC‰oô¯·‘²o$i¡nôóÁ¡L °ê„{e>«AtãSZøx®
-Xf’W9wðc
-æl®Ù¥èÝ}£AIS ˜çèÕeCkCh Õ":Êâ$nOn‰²î¬ü›T1†õPXÅÎÈ‚«Hͤ» "ä ‹?gìé8ék@Mdùi¿ÖšB\µôÁÍ•#з4Í÷–ç¹tÔ‚©±* ×£+!·_§
-¶Ãp¿I~!½æÀV(®Ž·SXF|3Áq‚åh½Ím~Û Xã3w™úN# ’ L>¯·åí
-D$¹\¨ q ìk[; $å;£W­>wFc)F%‚WF)ˆWJd½‚L›Me©F}qyY÷×¾+¼¸ç³óVRhÉ”¶Úþ¥¸â¤Æs¬[¶ÈªCŠ"ÔÛÒº:-«J™$
-&ÿ%hr½ÚoçLá3ï³°4:®ò¨ç“ë°×6pvh‘«F€Å*±‰ƒTêœWÏÁ ¼ÕÆÆ#®’Š,§~Õ\ÀoØ5¸Øgk¼ÁÐ<7dYiÕʦ|¹ªROØò5z&< Hú½Ü”B(îwâšÕÃp”Õ†A§êžé¯hï…‰’ªZÛeÃÓ¦{äÛ«¢ù}Ë÷ r8±PȈ½WhPÁîŒ ËŸ"=°:³zã>ÖP¼ þ-´mÆfX´ädÄòt´ÊD©Ÿx‚Ìr†u¥‰çP;õj ÓzužØ¼ô¦F "YµŠ†'–$Y5häâ<<ÄËaÚ![.)ýâfÙL¯s¡Føǘ…ÌÍ þ-KJþÎ~Þ(™Ø™ôi.xˆÚ’øÓcºTQ[ CN^|*TOû;¨:ãEò–NÚ–.›$Çòþõéº=òR€ÙDg1´¡øk¥Œ-ûÑñÚ”c šc²» ˜Ç:Øз‰ôœp¸Â®²:±÷Î PâiÈÅ´Vý Û9*k c-J|ý#$ e öy6?ãgÙ—šNÝÌaÅó3Z×iÑF?$‡Kd4Š:?\ôp¥ðYvŽRp¾_Ñ#Õaä–!/ ‰é6ã˜7(LáöÏj¾ŒÍ­†/Cz=ôõ7WxR„àQrGÈ(/èñ¼ßômãˆ9¶À{‹Âi’©±•f~õhi5ÄRX`²\ãYq ¥.ܦ|ÌFŒÅ6YÚ„ÊõiSXI?ùêT• ú×~Įrl„Rü°±SÆñŸ3„@]½[ÏŽýõ~_Œ r*Œ~Ûp’°7™õÇ2-û±ˆT¬8Ug>^-š=´é5Ö_¯¡oU,Žr¦õWÙª¯1Çû: Ã÷°ÝQÀ°‹klRW&Àüq-î¿\bú›!@ïÞP[þ!0¹ºQ°‚7hh`ª1 ½å4 èÉ_}~Ýz——7u~+
-3ï•r¤Ü×\¹û Hj±Z9ôÛšWò0R1öë<üëJÃBU²æ©6.Èj¯¥SB?ú%ig-š ô" Ózõg-
-»µmF È÷06úgûFíÊ%;'iòºó°0`Í0“s*aÙ¨6 xcAˆðÄW»Û_‡’è{õÖ¬þÔÐ…1‰’6j†
-­ñJñ¶LöP£4R'Ç¡rkuÌ [Xñ1H'°à‘ñ£Û¤Ÿ"‘m¼LÐAÈ{~íë£Q§³Î•‡\%"ÞÔn¿ƒKZÖÕxKiߣƒEÁÅ-\´!ˆ|’ w§©ÊB>
-âœ]qO%¦Ÿ™¼^–
-éæÉçz¸ùëS%¸ªB(\ɤP›<î‚jßuäF4gºË »©_}VÞoJ ¶Œ[†óOLÊaYë)¨vZÏÛR"ó†ôµ4¥%)eÈöüDÁ¥‚˜û ;Ïhúg(—óÏ>’Å“àýßYÝó±‹<¾l¨1y-i•éö`ãx­3ú Ø_š±ÚúÖí÷‚ï…(F·01æ?_y­|P.Êd<¹91†Î…9ÓÜVô¡ms"jHÒ+fkµnäPBüdI 1†Ý—xiµÿ„ík#vý$b{ÙVv)+W¦dŽò™Œ“Û‘VöJd•UþÞ€ôÓŠè7V!KC.Pw¶‘ÙðNF/åó´žœ0ºøÖCýÑ4söûÒcÂâ©Bü9+ןxDå>÷Ü%÷LèÐäpï2…âÌ2Ka .ÉfÏš=Þmi'ªn#Ú7}@G™?õ
-íY»7üTç¶Ù®©´!È©»5ad&- 5ìÜ° +@ô«³RbHïÚƾñäuò±›¿T¤;§ÑjÜŸ]q¸Kïê¥]6ýT½µ‰ù¦P°u"ÌÝ*p¯œ]D ÜZHÆ@Ð^Ä/x"sRCšSÊxVéûdzJãâeG»ÍwQE£5·ÕZ…X,ö²IÒ;ö]¦M~­ˆÏž˜0sßgµk¥Š~@ ëó øœt]­+
-J9¦êhÉ[Aºª¿é0C»òc²œ=µfÞš]E©I@˜üuŽomÏ z£ Í¥#¨Ûw+iu” 0Ðo÷
-v<Ò„O·Â¸‘óÓ¼”I ÿ´õ™6ŸÜ(Œ¡ˆ|lc`kÖ‰àøûÅ1õ”¾JK¾àÕ¶e8KœÛBTÿíü  ”«>ÏüoD2‚‰Žtý¯üW ßéZFTJ
-ú=úCÓÜYMÑÕÇÓ#J$ø_Ò¶jRbqš©Ÿc¶ G2Aê£ü/-Öt³/?¶Mº½´¯’yÖØg½h
-¯ìØEV‹¤uíw üÔ—ì{’ZÞ䢜çtÒU'àÃùº'à(>€µÏHUo-XY¾tCßNƒÿ4Éh³GoWøíntOï ¬°nû‚½—W´²éÝÌ[¤´*KQÝ•_ŠFãLX¥hš|=Ú«nµ;)Ú^Û×™¯ÏÖÙY ”ðæŒÌ˜vK€„ BUfC›ŠA…>¢.¬¶Á_BÅ13Á¢ñ-=Ÿ?£ n¦€!ܰ°›&re€Õð$åŒKúÔx`:—=T"Ðu¢ö­TL'ë;õ¦üÄsÂxë9"§¥PicRQ#‹;Ðœ|§°lèö„¨jÂÓSdÎqSdÒB¢´ŸdƘ4I{r¹ëKºÿ($ÉɯcºVUÉj˜3>…2==LN§p\zNO¼cð“6nX ‰·nLLgŸòåÜÖLh•ÒþÅnÞÆèÙÂÈâªôŠ«½
-Ò\¨4›± “ÙHIB™4ÍÀ4ÄÍ\Üidfùæý„³Ù••çÆLYmýNYv ž«:ÿË Øg$e*#åÕa>zÑ™çüƒä*:Šêþ7yl‰@,‚~¢X~cþžúÌx}tÚ´¢ºîÉàÄÛŒcšž+ÊšÝoŠúÆßÉ®‹¢Äñl…ÀD0N°E·¼C´N¨, –t3‡H±aÓpÒ¯a%é 3L„’¾— (¥¹¦H„»mÏM,§ðX© i  «›dý  îÏãAugUd=-– þ‘ýkÙŸÉù_‚ЋÜøæuÂ,ªëöW³b°/ô l£³'ÛJÒIœ(\c º¡ýkC!7¸Ëtä­¡Ã+Š•~O÷]IiÖΠ›éP?áSñÀì®sð~ÌÏý1¥âŒþVÿ~@à¨sÍÄô·ð³¤³ªˆkSGÄߧðY”X3GB„ üIj5ÓÎ2\J5ÍIÚáŸwÀ¥7ó>MÅÒð‹¼”%¤½÷Xu´tYð"wàK±>,Ö5:™Í œ'ÓûÊ Éïš$šPéÅ™emÕaÎh7‚¶»<ö]Çc6Ô}Ñ „yÛŒ×áF¶º…[`w$ù#¼FcÛ·âû²XG5wžâé[ Ǿ§Þ€ømõ §Q¼JfÐ2hÒPÙ+š%t q“àk Ó.Ói¥4ôÞ”³·P<» Чã'*€¯îËþ””ìôzÚðÔ…ÿ$Äâ¿"lTœÜÝA‘ãê…älOaW”æi‘?û Иñ2Z‘6Ü°7…úZê|Ôü9—Í#ˆ‡YE Bs þãÍ[ã)YVîUuä½”Åõ³κ(Ð{D¾ÿe»1i™ëã1­Öu®|ã\®@sW12ïz·mL½+O$;Œä¾mÉu…™ÏXF?y­ ]¼„a×7f(üÙþ×–ÛTÒ¢äÃùݺîÒ‰èhî`(\Äƾ´5–$ ð²ïOÖ*µóŸËÎñÆö0àE…guÉØ…
-‰Ë2„Ò,Å>Ô@BCRÑ;ueAíßÑN06»Øa¶Uy Ì;N.£ýÜõ¤4«%ræ›Õª6£eŒÔ:³WãQ2“b.[o Á!ñÀv è2¦ïü¸à|ƒ^TX§^Ã/¨ã*ÂÒ+pÙR.x¢d½tFšòo˜šÇÄ_°¿#Ö=£÷#ªÒ›»"ž<DAW…9s­,1ËÃUÀ€>/×ïͬävUÅ­oÈÃê`WI3wï[õ<;,¹X¬š£}y¨^%±¤õ©5µˆ]ôO®ej¯¯·a"­›LáÜ]¿Ä8ÀnÕ¨dà©PÏ[œ¢Auï9]m´~sÀŒËó°¬&¹¬Ú{Éóû
-oBší=Ñ¢KÓ·\ôV×±õŒ!ªEö¯î÷Ì«ŽŸ¥ÇýEWÕ’±mB¹_Š$X ¢Jª‘$â¨YL¿¸¶’Æ‚'¯ä½,ê¦'ÈnÃáå¨X¸Y;x*J_gÀåÂíìd²p\b’&“—®p×îšêà¬ìî—?í9{•¦,žýߟh-ã£ÙâYutX
-–Òê¸e$ö$®á-MÖFÅØ…ÝëöýJ|Kü„#?¥®¤ìÈ#‚!Óp'v%`qÊ!žÀy‹œnäÎçN—/+‹.Ì"¬ã@Љ­¢•ým·a•µ‰RÙD9oe É ¤› iHÉVb¿†Ï")Pê`ò]^€Æ¶T®†˜¿†§†- §ÅÛÖÁ Oó³þŒåeFXƒ$ÊS¸Ÿ¯÷kŽŠòÍ™fL¢˜šëʲF‘9‚‰_«õï+Ê‹\™¿¢úƒª¸QÏís‘ʲH§µÈ=ÉŽ±ÿˆ `#
-”—¦e•>KDØ£8ë<^=\üH93Ñ2W‡¡aàÚÃÉø\þAݪˆøZä¨"ú<¦å­O±gVV­S´je먌(“ïÂÞ°¸6EPÀf­ßÁ×zÍ°Ÿ©/†¥eÝ鳨7µ‹&‹öŠôºG2agD±ˆÀ|6Àí 9s ö¦€Ý1c`¼×멘îªÙHv-Ë3ðîß‹áü«ACrÔÇš¼^=YãZ¨ÐzT]'¹Û‚MÏì™ÓbÑÚØ»-Ó®1eZ.Ò+£¦ä5Ú×#í7h¿Øþµ.'ÏŸMï°òR¢ÔÂÅ+oê·ûåþhMí_W6"u¦ +&V“‚…ÞWÑ0{‚!ýÓ2üqô¨_š?Yob|_‡™ŠA«¼ƒKµËà<<ZõÛfeC¸–óc¬à¼/9Hoäcóµäþ3K¨ô•?[àXçOµhsë]§Y*“ëƒ5<F2v€²¥¼|¬r{%ÂSì(‰%ºÙ_üy~.¥ÊpìÅæGår›ï–Å ñ:‹&/ì}*û¸P6CC)+XÒ´éüÞGî
-k¯gÚ†ÃâI1J8žœ1÷‰òõNˆßñó÷¦ùèbTÿñÑ#¥YÒT§O¤¨ƒï2;º8Лȃ[@2
-”¤eû”/Æk„Øsã½”“ ëWÀØW-7‘ÙÌ“&Œ ŠÙSÕçY'9üÈm™ó÷úŒI»~Ç9ýɾ!ì-\Œ%h“Z56ys&˜a]¼g"ô¬ ȆOúC™])[EýtBNÊDThÅYI±£²ÈȲ&d-ëd¸q°t!çëìÙ:TÞÖj®›o/\(7B–¬ÆöC ýN²Æº‘”.U-'‡:1íªËaŸ)ƒßÖ½ÞÂÞë^#šÕ õƒKÖ1Ö1Ê5¾Ì§1v%áïz<¾6Í8eâÝëÁîÛA¿nºüzf½$É×Y…\þþÍÜ“O”?-,ʬ´<\ÅÇ/+«S“"\TÓÃiY+†Vz)üìZÂèNdM¿ã›–ó³›ÅG ŒkC\?™^QÅA±DNI»„Ï3›moFªõØœ€Ï=ö[´ÕNÅàRu4x}ªs
-¦}Õà`‹›µ/#’Êì)ó(ôŸÁ— ´fŒg§‰ßhð–;ÛÌsøV2Ú ƒšÚ!T³^ä´²i÷ Ðá©uó@‡e‘ëü“ý*=î<³ùs<¹¸~mIpHèRÕÙ>¾í¿oD÷"é†dÃåv©ùÑøŒ¿ ´Â§¸“ ÁO?%cÅùoÑÞK«›àc¾ƒLÀùKè:+y7H³àÉ×ÊuЪhCtd8ü;|£ðÐÐT/Ô2,uÉz˜}ôÚP8ºø~úàµL˜î¥1XÓ…çE'9ìQWKöu@a2ø
-}zˆ‹Àœë D1ÝÆ54­º +²ZW™jEá&+jJ”Nr·°ˆZNj“Ût³ÅDwû+gõ(ê¦ÎáߪYð]p‚'fNùä“#É™’UŠÉ }¯Û))âO]¨Üõ
-·. ';A^… ?Aǵä(_F%XybS¶Öiî™y6
-¼ÁjõŒ8^–ScŽ…O¥–"};J¸„1 8—šP£íÝFÁ[²òéMÊqT,ø®}«ó³1YQÍ‹ã$ð'ˆ[_ÜÚ üÄÜ¥l˜VX)¯4’ÍҌÜ)%èyjµý0Oê¼-ª ÄˆÈ¶wÕ:¢¢diËƇmZ·]„ûòB-½_ëd“8¡4Û=ѴúK(÷ãô×Ú±Žÿ!>:*ÒHˆÙÂWæŽ!B¸ýË!Aȱò‡âGù¸8íÃqWA‚?
-øE«µÉØó Ê\
-jGžvCÂÚ,ÿ»â.éø*â QÖlþØóR™äæåU÷Ù;[å]w”‘}{·X~=dðƒ½7¼—æËy©Ÿ†Lâ¦q4ÇÐûr4Sg$ØE…cø¢Å!q‘F8dS}gìY?èOÚÛ–¯W_ü'¼Î£A9nc?R¿p.?t3G¿ÝþBîÞ×prƒp´Ô¹ÓV«§í¯á|»¹5ÄQEû^Khóð{"²µ·‡ŸÎ²ý®0=ü½NX¤é}±·ÅZõÖRÒs,ûïÁ7ýC&¨ž–×ÁX‚f.ë½1l ú”0âu!–Œì·ýÎSÁ69¨…îl¹Z^îØÏhûiR±oæÊw•¼™"Çý„˜’Ј”.Ò¢; …xb“LôLiÇø}¤CÈú­¶ÈFe‰ÞŸ¨ùŠ¡wG¸¢%à°Ù寃áÞËÛ¯†žxÅÉts9ýwI©Ã¶
-­/h`p¦‚ùЃþ¾nA´JWŠ¯C;ÜyúûV¹¡zŽíx웋(ŸêªÞŸ2Iµ‰Vd“7%ÈL«X3u”‚Ô¡\•µñ\¨ÁkœÅÝõ×ÑëVñD`„<òú%#ŠÀC.-Ýw¿U©IAÍ\¿eXÕëʲ¹8¾q4׸¿\Éë»sø?®(P=2r±>¾)—x÷…~Ü¥3dn©å\Û-=âÁ_Iø´ytTl§w`˜»q¯eIÁ4š“é‚°§¹ô[K¬¯dV´ÏW~†å¬­Œ¹¶ø'Î_lûoú7³rÍÈ<¹*Î]?…÷ ù6°·ßIË)òzâÇt‡o$pCt$Ôó_dŽVè@2]FwA ¤‹Ð®Û€¸‡}–ðKÖ·'û~$¥Ï•*€‘þ~… º èax̢㒲¬ \ÏBó©œR]Æÿe´úx( øêådKi7ö…•Øà§l@.q]®É%vò~k5öwð
-$Uù‡:ƒ sŽßHQºš§p¯ìn©"¯‚Nux€yRÂL
-"a¹Âz£t°p[ÅH¯cAq˜h½>þ… ûsö¡i®¡k%lûÖ.›Wz¥"*Gb&øÆB<Aza¾ØXâ«‹\¬Ë#9ÜY »é†vÿò7]î½(\ÚŸô*2÷v
-°ÞQd›vèµw89’9.„[>;häe¸ c\_ë‘Yf`¢ÆZCº$ò5ˆÕn!Ûɦ æÞ¤sx½®ÄrR=*À@:×9ï+Û»%êÓ­fþ
-‚BàuÀT·n*ÏŒ ÜóÙRF”àêkRà? ™mD)ÙÊ$¾Ôô‡6õÆcíؔʊÊfú[áŠ
-‘HòGNè½W¯¸;¡Máן!ÒPÆAÞò?‘é©ú@ãß}{¿Bß”ZŽŽ2ÐeXk®ÍÑ=&"Òp¯.$Yªûïññœ´é¢q{ónÂ#K÷¼Õß,SÊ×z¥vçSÅ`/r´ÔtUnέ¯¥IàÓé´{y{õ‹¸%—ÃhIËÉ3”27—Ôë¤"YOK Ý~Lƒ&ºA7?¾ð."nzš+Ø´z'î,`J)D—ˆ*ª× OUym‚ `•–  W7Ð!p u6†Æè4âœêq÷9!¯³îÑ3T‘!?9šFÙºÿY %ìär9göó&ÇjÅ-jw­„ ‰µ??˜‚U¶†?3Ýö·5dœ•àÕ).b[yÀë53àí­¶cÄEw yQ}NdIF,kéAŽ…Ù¶`'9¨ÊðôÀϲ…R‹úÚ£?èôî¬lКZ6~N³{þVš‰Ï[Úp³Æz»œJ`Ž¿9ÉT¢cšåZXø»z4×Zul=Ñ6»p né´¿–KN
-‘IÜ11‡yÔÞ·k—J؉÷…Êy~Úµá*'t†&.{^åÜùÉuö×ßW_wûeð{2?X%KûN›ÏÈ‚œ={T;‡d}5ËŽœ¼uo{µÓæ®mEi7hRïáÈyNo0P2ûI8Õí'Üàü5FÈ5rjuñµãÖm´‰Ý5‘ ±Á#âÓ ¹~³»''Óm=^mÌ%°ÞJU#Í?çgE||ë÷£}HréƒÿàVŠD6åËÌq^CLwˆ|Gƒén‡ : 0ኽæïR _ÆV1†øQ/Ú à­¯ˆ¨`QN¿T7ŒÔöi@ÍÌ®åθ »MÔEì¾ Ì´®CÅ 8;mžT­í£J2«X8K˜èº­í¿û³1ĆQÈ}ñ ÄU â…îäî'&5«{ƒpF^¸G
-§ŠçÍ%Vš›)|CÓîÏ9vÉÓôpXRH.…]ÃÌ ò›øþTu{¾zÖÚ9p†a«hÿ Ž©æµ¨󞽘Q\5KñíÀعQòJØysé±–W?yj,S=¦¥¾jCÃYd…ÂNˆ£¶Y<oò‡Ÿ¨çÝ@Ð.F9-EO,û·#,Ó•5XsÉtµDXW¬,¨
-Л|:²$±pà¡Ô€ÕN4”Öè}|O¨ÈîÜO«„ Òðf^MÌæs*Ü”>HzŠb^Pkè¾ $Ôs1¥\ÂQü[ê`Ƽ$˱ÞÒNr·äæJŸ¾óáv½_ ·»~xu 4“õ¼P&;±¤Ï=ÓÇAÒógÁÂ_ |0™›¾À:ÔqE9®uÜ Ïqr„.aaéeõßÁûì6Ī/ÝûàtvˆË
-ªDÌ1ñÕ ò X¿äzcƒ>2ë4c"fî
-t­Q:ÔÄ|éòýÞ~¾Ÿ/:Øü  U` ì(›ËwzæÖÃÚS3dú@xN%jFîjüÚcZÂè) 8\"}Gˆö—}×ì0!ñÃ/ñŠFÙqhÕL`è_
-†ÊµßhÂĺ3Þ#4RÀ© “ì×›Q&êI([êt
-‡Û6Òú×ë_ ‰kYhJÛœN*A?7ƒƒ~åjØîZ€ás/ä MTÉ:¾ãÃÝò¦³NŒ²¹é+ <í|0N<ûDCÌ2@@Ð"‹Ržâ‚4g*%ZŸóĺk‹y™OÁÕ.ŒZâõ³Ø×7ö<üÎe¼‰å³À’Šp÷^ú…*˜U‚§äfäQÔÏF
-ùf¶Bïô;‹y9ûWu FjÁ ô…Õ2~pls%BUî-ÖŸ^ é”†ß‡‡Ø÷q‡×¹Óv*j9•¬ï®£"›ƒ~¼cR;ôÚ™ØÕà„°™}tkà>9
-=%?“Ž·ðV‰üì?´ë|ÜúHä/§ _«IæˆrCÒioìÓ€±•£ò¢€<'¤tuÌΖÌdÕ«eM~Æ4"žôüO= hTQà xT ^,6§EÈ'C’|“à—-ЗŸA4ˆ#Ì %ŽIù.e›Ò“ŽòYžÞd¶tvó]³ß Dóßã­ø®åtÉÁÚœ1qHo²#^ØšÀ&šÅÞÏÐç÷ZT,þ”Ç=… ä9ΩµWN0™­ §¦DÚ¨®–®«„¥Ä¿pzú6+ZTÜ=µ÷™{牞Êü)Úð8é=±¾€ÍrUW˜AÊ/>¤¡J»®_³]ï£çj’Ý“E¯û¡ ƒ÷Ò÷òÚkž‡…æxÖ¨u8xŒRO7#0'k¸×É ¦Ù3¸úó+Ô¤ÞLݤ‰LÄ
-Çžž–ˆJç\þ,ûÀŽF×T|©xöA4ªàJe"7³(ý ü±^|›üfŸ×Ÿ†ÁÒþÊ$¯«éFòK0Y²ÖoÔ‰ÁÁúSƒ`ÍjTT¨C¨¾øÆä¹<·}1L¹œ7óˆÙÑEÚäHµ×gÞ\ ] ¬<W­k;†ïXm
-QÑf+ã9@/h0i‘ý;뀽…Î ßE§YÈFCÛíù¡Ô™Ëþäƒf¾­Aö5[Œ–0—Úñ¬søKláÁ䢣4 0f\ïª]Ç‘¾”û’àY/q!œArÍ ò35K‡¯¾ïMئ½*KšNu°×OçvdúKÆRk¼NÌlÜÍegÁf<™˜×,O ú~’Ï@xm š„[àšÇ«—2£d!õÓÈ…¾„77z–Z¯×8¦çó3Ç:ÔíeS¬”÷#xY&‹º—º=tkÙ”œ¼À.€Ugž\¤†zç8¢ÔçZ¼íZJ
-ïGdÀvÇ@?/ÐÜF𤬨¹CêÔ÷úžD¨ZÆ ‹éµÌ7”»ºÙ扂Ȋê0É"Ñ ñEŠkhµW÷ oT¸t—‡÷Ú‡á¿ówÖSg6;Ò®Yf­1 ²4ñûÆ®-Ñ]£œœøÁêË.bð=ZÁ?Ô*·h2¨÷@f
-ÀË¡Jšu©öaÚÍærsOÎIñ{É«ÓΚh.ŸÂ0Ù®p^ÏD Dz~ZÚ¬ÑÙ}á HàSѯ‘G×µXt‹”úg*(7(ìÑ#pÊšAL”b71а••=ÉkæÎ
-‰ÉðÏ[SQOmGéQO”ùóú*sê9L¢ßcçý7Á.°˜XóØ'ð»h”Ëj*¦DÊsª:èÒMu÷´© $qY°$h“ÍFøñÙFÔV’È 3~ö3¾½þe§!Ö°Ù±íGaùÀ
-™¸8œîLéÅYŸÀ-é§àê… —+²’Ù7ge\!d%ÇçÙ /ì|F››WÀ3͆qD¤ÈúGüʯäŠ%dRºÆ(·½·¼Ð¦†¾…VšL>äÀº©–•ùh´GÉh¯úr¯PGáÒªÚ(_aœSå‹a‰·ê0Ù|ýP_v$kø£Yù%ùœ~‚:\á‚‚É–~NÖCIÂAíÕ]˜¯¿n0» «'‚pu”¢é·|õõ /@ҸȊ
-¥³mÈ*¤tZ®œf‘k™Qr‚ŸiµYéJ–“ríÃ;¶˜”æŽ×uqµlŽ/Í£ëûñQò3ÆNQé[!›`SJ9†v/ú9ï1ѹ¶qã~‘—:‹^º¨˜Q¥žcsö²¹¶tÃò³™AÎmé9
-«ó/¶õ<øvçsK³~¨’mxÒ£€'´…ðîðRûPȆÏé‰= ¢6X7º
-å‚3Ÿ»¶¥+FL{‘¥™É¸Ê{¦›d wE<Ûðöuª¡b~$.› o1PYyàZ°„íãq»÷ê6›Kw¨Ð@Òøm!p–wB¢ÓxÙpܾâÏÆšuÖŒP9IL“Fˆü“VðW¡˜N¾«5Šoé
-¹;~—ÿ409±‰z…:Ƀ˲Ïl'ˆÅÉO‡:⼤ßTÿŸg½0Ö‘ãC
-‰)`Ül®Èå©` —«dÛeö‚÷PÅ=õ>©k¿Ç“ù1UâÔÏÎS9¾8¦¸ÉÏh(óÛÔA»SmÖIˆUH~bóŠ`®õ¥P>ÊÛD²D£¾æ¦“³ÂiϸlZE¼ jJ2à‹£®£ž¼òÑÆ;JäüÈ»Iúâòã–øèÑz¸ ;4ýƒoŽÕz¿ÍnÑŒlœv»fºü±±7†p•Efí¤t”ͤêNy(IF(¼Á_ ¥Î
-’p6°’{çOt\AŠw2¢VúaMŸxJäÑÈ®BZ骿² rL?¯1
-G”=Ëò…#†Õ4ä ñK"´µð°“Þy¿Ä½¬ãpÜ-Ñ[É~JheæÉŽraaî%7UŸÔòŒ”1², ûWæ³Û/¨^
-$9mhoàpÝ0V™/
-ÍÔ¼¦³ÂØ´VEíRÔ æ¹^ hÊ;2¾'ºîGÂ"òåå㊻¥ÉG‰Ò½’ïÛH £-êí'Ee›_·á•žŽk² ȼ\éÑ,úa+¾Ð¡};½#&Sÿ¦á*²ôhP³Ñ¯sn ·×7o¶EŠbÎÞsî\ô·oÛê`
-ò‚
-â†tãÓˆ'—%CVÓIšb¤–§µë~ç&à!;°ë-GÂÞ YÞœÇê+ÄNä‚b|—AtFÄÅwÇóZ;žÌfíáLÖ#•«µ Zzêdí8žÁ Ê,`Pðª°àògqæó ýhí¾>¾ÆþPÐZ7“:®fìãèrÖΰ¦xÑ]Ôãa‘s~ç»+Vúšu\X`…À䌜÷ǧ”ÖÍÕÏîõ€4+3wQt1ûAYh¯‰/~òÙÉøM‡ô¦øÈ_—³•œi0!šœäjª÷yÙl±‚r€ éED
-蘭(Æ|(h„ÈA½®îÈGs%ÛA’Ã+© Ûb2ý—¼ŠÊÆ·ÍšíhÁó¹)[ǃ¥ Ôµ ︌2¾½¡'ÔÃ,N]¼tâÕå[²u&Ô˜?!&ôP{PÌóÀ´êì0Yͱ=·ºe ÖÁ¸‰‹ûyŽÆ»ZAKÕª}-¬þäs3C:3 ,»€DŸÃ#‡ÒÓ¼°Ÿ)þD°;·Zßj °’êp_$S¢¸=\<8âg(Êî/vSÈÍTõŒ¥¤r Ù ߦ8N‹‡mpl;û|~kPæiÀä?¦ ÁDͦœ1ÜwÆ#EÏ’dï"ñ`S¤!²ÒœC:lCÌô~}WìÙP–3")Z&ýn2ôYp•Ä:Ï~¢rÓu}²6dÅMCO¹¹6+‡$€'@®Mm`Å-º6V^¹SWnwFbJgG¦h_
-¼Ÿ'Ïû¨H³·Âë ä!ªEüñžë£?ßFïíÉs+ØšˆO¢)þç½ð²Ç’×QúSòiãF& v¬¨5ef˜ï2xœÀPÔk»ã±5ekÒ;Êx¿Ï•fa?E–õéè•yMhΣ ºr yìVáå09Âf ¹®ÑÁÈ?Lö²©«’â¾­^爛0è8ðvr·áj;øë{Yèâr¡_›LÐÎ<ë‚6ã‰!týÕÍ㳌+MÆ’$,ËúåIòrJAÏR§9sÄŽH:{ÇRÿ¹•FÜ]Šß[ñB¾ù[^¢Wu¸ÛE ¤89„Õ'ùêâÒIŽyü†ê=º—ÌÒ£6æžê:´:žåGëZ{<ï!ÈLãóUýÁ¯öå¾8)yÁ´²'ÛNWÃð#bžÃ««óXU›þ|>KÞ°_Ñ£(Z¯ûÞYåx™O÷6tB™W³ÈÊZ#Ç ¥Ù.W@£7eÌá=j¶ÇÅ[t›~SØÀf[Þ¿”8#E í´KlkäJIó°ünQ²&»ŸäbeɾdÅb«B˦àJ ³…PçȽ#ïExwö÷W+ü(3  Ü3ß¾ÎâÐ"¶lTƤ%Âç5™“˜ÉÍÌ|¢Î—ùªPk$ã4·‹r{$‹¬ä— è½0 ˜ã1–òÂÈm_—ö\ùfɸ…ìÄäƒïSÚ‡» '93!Åœ,ùÏkÅõ®“ù³§Z`Ì:v÷D)™éŸüJÔÙ³…6<åY¢'°~S渊ØNÝ]öËPNGˆÔ”F]g$p€9K†ûÐ:ÉÊÜ®f­Ù˜N£o/¿Ò§Ð+÷TìxÝgä—J.ì#­^Id—§jè›ð{O†>ÈÝqYãºUj
-Vèp ‡—-,9,©Áz*[5í¶V‰µ}¶ÔµNÛK­`TRøðôÐå}¼Ëº,5®¼S<PÍôŠ£˜8éà2Sr‰ÉòUŸŠ Z_â•RÛc¥CyÌi¼åʵ­cÞûCTò]¢6rÄO`3.²€’Íñ –ïË"hz PKœÎ5³SÜžb9N§’:j‘ŒOÆà5Å7¤i7ô¡¦h9i|žÞ£p¯/ÕësÍOs|“̇MÅD§á Ô@^wöÀ3VÇŽG@EšCµ'´­Yƒ®­‰(e¢ÿ_;óØ (
-Yø—E[ŒOÞê­žMnŸV¬‹Â¦‡Dð‡X7ù7RbŸóöo‚57Mß•y
-fkþŠP¼Œ°á ÀBŽ)3Nå Häš{¶Ç¦e(dŽšã-´‹qÚ¾óƒÿ’ö%©Ë!Ut™îõEÀ·ÅÃe§á¨õOúÄĦKßd&oëdã¤Lo›ƒ×£Hd—MÞj
-”ËÚ Íö+$hpýÛnü¼¯/Uâbõëú$×
-§´Ë¶ðp^þÄ—EÖþBÚfbwþLWw:³Èrš"þ¦UHF³ŠÑ9¢˜”Íf¬£­‚}Ÿj_5)¸palê
-’!c«ý”ý¢F)0ÀðJXÜ|—Y«N¯ÛØ¡ O1:ï¢f2˜³ë¡»ž ï¦Ì+‘L,xÂ9¢Þ¸rQÒ'䘞ˆ˜lÏF~‚æ—Ã?a¾Ý0YZùCÀQ/Èk ã4G“ç+Ž´,´õÔ§‰ÎŠ[
-gñc¦ÕŽ™¡Ü3€ä˜î¸î
-Nïƒ_8B÷Œý±?·¡R¨[œå7Ø\ë!“Û¤QIÜ](äãZ9/!;aßîJ7(d§¹.·òŽíÙ"ÁãP[½ô¯t*ë·ZŸÏu2ÖX¿hrG¢éùÞ¿P¹÷$plñbì%4ªÝù£7-ÿ¬eØ­uLôùôfŸ šZÆw¤–H9»S?à5ùö\¸$$iÄh±Àßj ½}æøè—.3’L—íçv"X£ÇŒKfd”v¿ï[}™<‹âÍÁ,Ô:&—â„)Wßͦ¿¾öHâ¨o·±‰@ꃼZe2Þí1›È÷2ȸA@/ ½Lj¡=Ø-æ©.ò&ŒÔ‘þObw æØ CJ\q¦û6_¼AÅèØJæÖ´ö˜Øë2ÊB÷ ©zhÛúXQ½îò# ETÄÝ*lÊ6×ÖOéþéetX%í$TÉÊȃËrrÙË«³Raµ'p¤›€®Þ½ÐüB:ËbF“•¢õ”«Ú0dieš†¡¬Í|iÄYõÿ6ü dòžsu #EËên³ø…>°‡&¾%TÅÄêâúÔ>¡)TÀ8ì2‹Rà?ì)œñÎJ“F7J ]ÚkúDG‰œ·^ßÂÑ$”mË8?äò›U–ãêw8”dR׎º™þ×)Uªžàa*Ç%n'
-5”û´¦LÀu¬cA‹æ¤(ž¯ÏúÓ/YNRZÕcù˽Ð)€¾¢_M\¼íöú£˜: l#¶Q_DE¶¶ü’yÓ ðL©NlKõß·h„#£3įÎ/Þ>€ºL&?Ê6æÂc
-sìm<ßò“ûöüàÏû@n6“$ZÿbáÌóå•h
-ßÄCù  6#11ß7ÎQb­Üc󨮎ê*„QÖżÿ°H<Z®º„O|í6LDôÏÀ€w¢Íðô¹é…éýL‚øU0?Å ºŸ4òCæ¦Ð\ øÍ ê¬EoDÁú‘ß{hÊä¾bÈ“*yb¢€·ÒËÓi_R½ÀåSZ Vé~ð£%ú’¯d‚t–…<xTÕ¬¸!ˆ‡(ZV¥2ŒÞ|Ò××&ÜÈSÃHX»x.ÌÔY‹°kDH=£ òivR‰ö‡OÙŒ¸É“:Õè& Á#K¶kð0¬Ï¯èCYý
-–|Ú–¨ZjVሠ¡~ü;È»¬«ójoœ ¸Ö’@·Î§,1ؾ~hW2Ѻ¦“sËRsIÛiv‰XCt”€™Wg$Œe0‘.Öƒg†-‰>HÒ¬jÉ4!™¢'±ßõãÈ2Jt°™ñ/£ºÌQ>Yý¤ª•IŽá’,ÊV;á._—7€yØ«UËbG dŽcÖ^]Œð
-' Œä××6nÕ÷_¨ïo=›öÊ`Êp˜—#aèôhëܺÂqá’Ÿ槆71|uå,'ÿ P w\=X•ËÎWB«¸¸ñ|_<­8Œ¥ùè×᪗é”|À¶ šÀ8Ýø²:yº„>¥‚x߉¸[Ð} °8}Ì‘™÷‘¡K³Ô–ða\“…¬¼ëDŠ±ýi9®±eËš€¬üKýÄ…ÿ ’"€ØSJqÎT.ŸêŠ—BRÝ„ðú“W¢@Ú(| í!lÝ4Ð:°ŠŸ-TËWSÞX“Bo‹ëÇ£’¬\U‰
-lŸUÄÙ!1îõJ k&eüù'Ègw¹Còd¯ "ýú{['^Ì3Y»G Ñ{K¾|ˆ‹-ï?1âɳZöQ™±šjA!ÏqÎp¦D9Ï°1‰æ—ßÏñšyªJ߇Àè€ü?±2àÙ°«³´~w¨‹Æ¢˜˜‘°vN*·nø‚(Y/¿åã^Uûºö¶+FDû±_HÿOŸ˜­ìw] \˜Ó—1é6+Û“†CE]Ïï›l¦Zh8{BÂjP1æöÐÑÕ2ÌS9Y–Ïð-Æ^èØi<<Dgø‚sÆôÅ«fðŽ Ý.YŒC›I@Í/ ‹.¾kÝA•1›Ä4%ù
-0ôCV»(hãÍߨ£Ø‘ôÍL÷ø¤”zs·/Ê·wâŽr²\„1íNkó³«ãI¢úb‚°í˧‰xªå1!Rxižÿ§þþ‹T66»”yBØ,[™f
-øm(m
-=ÿPA8¢R–Ž&}«(òý†Ú¯:¡W0Ì˽xÝÄPSUrôs{Ûžfk‹üYyü±z¢ŠÒn” ÍÛá’šúeäZ€¥L
-VwWØàÏ<ø7ýç»oG‡^pM‡yFÙæ^m<`ué$om2Û¥õ<¦>¬ÞÀÏl$Þ‚ˆgY\î·e]ø‡·‰í¤LH¨V_àó-AhRah—JéÂ2­ÍX\L/ê [ºÚ1qNd„Ì@­µÏÛ÷
-¨ë cR÷aƒ>½x™&¥\—Kº>VG—Gá·oT&Íe'\¥«Ð"9
-÷¿ÏTÊRáÕä´ã—ámñ[©“Ö¢ÈÕoÜTÔr³I,¨ìÚâƒèr“DÒk×.iOGEÃŒïpì} dö¤™È}-wÆNMÛýV«*oðË]|VN×ÉÄÐdIÍ]n[ìJ!&°žc,ÂÙ„~G3^>Ðb&b÷6›$¤qUUø[S K^“€“8U³æ1xâºòq³ÛÆïw …:×=€%¦¥¶äÄF·
-;*¬{Çšª(ÛQ„J54p0PÉ©Ámp®ïÅü­nmà,)XÓOÏs é£Ù™«ÔËÒŒ_È5Pðö_AnygÞP“%ðYYú>r~|vÇÞéÆvý ù4p¥v
-Ò0ÃøNðE»L`À÷%ìë±ðQËš/À{ú.-ävÓoo@W éÒ¯ñ2wCÍÈí$_±NÁ³æq˜FÔfTiu׳Ï5uò¶û¾¼l¼«õ‰à-Xˆ&½²æ'ù€ L©¬ÿÃÏBeZYIgŽïÝ;š!< $B…ýíÁXI±<ƒ”@hš³¬÷DP.·æBúþ­€dö"¢žHÀ½¦©e|B܇K É£û'c~{…±Kí!FfBýÊ>5—ÅË@Ge!¯{Óô^aÐÏë ñR@Í‹N„¤ú£…Q@â`c?èá»ä¦Ý»ÁŒ#Ì/cáôPä²´µêÍÞ=¡±Ÿ/Wgžƒö“ Ã]íµ¹š[ÊŸ 0t¶wpí,øß:œ Œ!*}_›Ï¨œ=ËCiN@“Fk(2‰Æ!¿Ðì´V•Á£Ü¿7š@×Ímãå@Ð$5ÚÜ´V+«ÐqqãÞ fÖˤׄð²:ħirmhѲP&#ãê`Ä/Û¶<Še´ZmbÉÒbÖ^ë€8ø2¸Ê-æ½èž~¦»¦¤¥ÕeY"é"¿èßÔÕB*Šÿëæ"#¼1’/EzÎH,6M¼¼„•ê­ÏĦ¯àÈí_[‰z ‹‹ì…A؈å~×\ñâ´¹êÃu;ÖN/CÜ~ê,NÌ“÷üÙ¿‚NÙÇûhü³Ù1ê¹VK
-#7k9+~FÑØ™¤wI¡Ý5?xIõMœb»o~—9ûn`Bâñ«ƒ›ù=—ì¨Þâ¡Ó=:R®Üæ±³§Ïýë;Ü Þ°ë2©p¡ÔWì (˜=ÝYr„9òç$ž:®ãBZ:óæ²È¾HwE>…T²;ëÐÑš?Eg:Ç/BóÃ"gwCšíYŠ+•9¨Ñ(©öþ‹)ÍTVƒ±Ù¹/žãÇŠp0þ 8RÌ×ó€€Y÷Žˆ6øÑþÆÈ]“aVÅ;6 ̃.ÊÏË7N
-×C&©ü7ÙÖì€ÓåÅ;¨Ý.ô©qF…0W¬tÛ€¸œ&Æ,0þ¯ÆÝx }B¹âáÃÍÃlr²ÁÿCPZ_>Y>÷ñu%ëÓTÁÊè@6%ë»î(_þOÒ[})ì׌#*¶XgËñ{u•8×€.´7Z˜gJ‚Hz Õ
-½»ôúaDz—\n T£î©Ãc¢@ºÍšèU#í´j,*'YimщA­Ø*–WÀ°;šQôÜø A¼ê.ŸcmˆD9Ò>#ÉôÅÿdUÚ¾ÞRÓU=þ”äê1ËPžÿRÇýÉžÀÂŒÇ7 ÉçKpÁ&‹ž¿ØßA4›DP§­¬ã²4äôCðQ?èâ‰
-i7Žk¯¢¦Vúìë1=:—1nÁƒd‰ÄÇbŠê€ñ-þÞ2–R–,*ؼB²:¦È½ WŠãŠ’Ïæ8ªóŽ[MTÄmëA¸Ûr Š
-®?ìÑÈ:Ì>n.¦„Ú…†AWy1ÔÑ3mÕ]}íËd¯‰Ïá¼!yÂú/1½º²6Ⱦž»(…è5ÅßÞ-S©-פlÝHÄÒÙ$øªèÿõ\ú²ÍÚBašÔCSQ¬?{÷Õn‚Å©"¦R꟢âLJ­ÿYz–œÁã5¡4dÁ/* Þ÷ÊJïYÁ³ož–yh\Y< ¼&ÊoKqÐfÜÚüà xÙµµÓÝO…+åb|ìý­Þ·â˜¸ :$eÂ]ä‹[}"{µËq:V¬yšèBA ¨äì¨Ú‚þÚVNF¼ÃÚW¨$Æý·qÝ?j¥W ж1mPe6SôóJÛõ˜Šy°·KZeë*X.º’Àm›¬*/—"÷Ë\ŸŒdõ}˜Æ LºŠ@/å>n®ÚÐÒHT‹ƒÌŽÆAÊõx$ôA.Äž@'¨ç‡š,
-T!}³Ý Îäýð†â £/=Åÿcvz#þ#k”ˆ£ÉÄ㻑„ì¿aÝ f…¼…$â”3|t(Ž¾4hléŒØ×ÿw®ˆ[Žë;ÕØ¿©í?O¶ÿ¼3–a}+Æj¹3Fm˜¸"ÝM £lçòþ¤VÊ I‡ §iÊßà‡‡ãDù¤‹¬…9þû.ƈú›£’à@¤=KTxçyO nZ[Ž/Bý®g\ÝÅi‰ KÖÒMýœÆ}jÿ+ë±5d7í:oæc¨‰€!póúŸDͽ†/Gªæ‰·ŽTï0î#E/ÃrÉM~+ À.…*ó'©oŒžã˜qÑàöB¹ÇÉm£ÅéúÝò‚9hnì˜ÕM~£Y:À¬ª|å_SÑ÷E¤÷Jåƒè@¸¤&_÷ä¾iº /×E>UR'UàÍm˜óµ¦•k`°¡«Íù¤@); sžŸC¦²áB?§°[RIx ¯‹‰"5ÌZ÷Æß•3 tm›Ð²ýÀ«B«Ïc”õŸj'Áþqƒt„®
-pS>FŽÇ_è|/ÉQ꣰–—þù"t5@Óºá÷Qу;vä=­íÚ[|r9>t4™ynÓry>lä<þ“ýÖˆ•ÑÓpeBïaÂ)&ÓôF(ÜlŽª<ÖÆÑÇÚ‹çÊ6B¹ìÎÑd¹p†¯UÝwŠø ¦šŠœ}J%æN.៷-Yg¦I&ÞÅoÂÂÝáòŒÖÝ ’ëüîÅ%ÙºR¹å‡fǼ¶øáSŸ¦RNëê·P¹ Žý§ RVª,ukªZž5ð°dã ê/z’#ѱ‰·V„ÆáÛ5åcSŸaŸ®ÔŽ½YŒg<^ƒßL‘àŒ>îâô?8}˜fý£Ö,<B"j·ÞþÓd¥Äi¬S7™ÔS*ÍpeK5Pàfâ õõxîxÇwe5¼±Ô;Ì&áwïY+wc­
-Úܾƒ•˜½j^ÇO³?DkÅÕ(„)¾áãO Ú¾À³—g´àÚÓ¿cŒª(ú}øjJ;ó‚à,*Ìhz{Ž…˜•K¸+;¨(®hn¸‡­1„•êP]Mõ,Nýåq,snÚ€©÷hçõÛEõ™™‘´Æ÷k²êMé`÷j¶È;¥\²\¯]6öÀ©PÁ•YÞ@DÕãáV
-¬|°½ûjãœÙwÝœd^fÈž€©9F<ö$¥½WïCåì<¦fg)½<ËÖ¶ølÝôÆ5Ÿº'æ¶âgà;ºŸ[SM +ý€i¬óJÁ@èaÀâøÌœMjYÜuòQþe³?†9]ÑðK…Õ\ì4« ƒŸëà‹½KŽöíÍ9YäÕí½Tí„L¡oů ‘ÃAQÅÃ[Wo¤,C5m”`~É@ëè.4[®ö‡ÛAÉðFŒ}Ñúò¤Îk­ç~ÜØëiµ@š1klî{–ñ;‹ ~.|xàyÁÏ·A|ËAþêòÅJ©‰dV¡³öî7“`g‡ÚÛ>}$ú릷;Úã5ÒÌZQø$k»o^ËòøC@„Çlª
-L€-²¥ø»¼Jîýý
-¡YÆS4{Ú0…b3ð?°äVf‹±Ò‚"©†¾£:iHß^Áa1`IÊRŠOÊGë½qPÌŽ3†aµæÁ¶ìêÒZ (¾QûÈ´µ*½TÌ~4Wl?tnt49$ºÚÉ-zs^"ΉTŽ ¿ÚLi‹¨'}ãN~)™ØËžIS–+×XC” œï€tsai9£–Óv4êø&O¶ê¾ùš\CV昃ÉZLÞRÈÇHýI½…àV8’ãÚ«#w}Ýá¸û"--xõôLd:ÞÂ9cœBŒÂÙ*ï#»Ã¡áÕô„u ‰¨Ù³)ŸáB¤É®…uÏÎÛoU†LÁÄÙWsÞ×£ö>ÅÉÚéH\"ü…ô›šu0a& † ¸V•Úð¥;T§’›î:¾Ð×'—LÕ=¸‡ Bí;`51&®séUÐœ`¤‘ øŽºT¸‹¥{
-Ð]ŸXêy‘ß²oÓ€$ð ;ñ^¯ $bМǒƒeR¨õJQ°~ð’½¢h•ƒöjtÁð’£ Aš–ÝHFþŒßæ¦>ù~~ÛŽÂÒ“]Ž3 Îk¥@\-`y-Œì|Šò
-8¨™€¢íuÉu( {¤”ðßÁá*¬Ï‡pr^!Þ¢ë0SQPVÆ;”M°(ÎE0’A æÛ£Ÿq E©¸›sFÍ5Ñ¥·¬XÌÖX;q¡{{ïHäP'Iðmå¨u葅ʲz­~Ì|™Á¦­¤Ê×춻r­ŠŸ2µÕГ(ÚÆDÕ Š·Ž¾Lb`Ån\a#ð-7ÊaÐ@ß™HÙ¶-dØä.`séBÈ‹Å(Óâ‚4æ/gËÏÂ1‹´ˆ¶êC-
-endobj
-600 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1350 0 R
-/BaseFont /ZSDOCT+URWPalladioL-Roma
-/FontDescriptor 598 0 R
->> endobj
-598 0 obj <<
-/Ascent 715
-/CapHeight 680
-/Descent -282
-/FontName /ZSDOCT+URWPalladioL-Roma
-/ItalicAngle 0
-/StemV 84
-/XHeight 469
-/FontBBox [-166 -283 1021 943]
-/Flags 4
-/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash)
-/FontFile 599 0 R
->> endobj
-1350 0 obj
-[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 0 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
-endobj
-596 0 obj <<
-/Length1 1614
-/Length2 24485
-/Length3 532
-/Length 25368
-/Filter /FlateDecode
->>
-stream
-xÚ¬zceß³eÙ¶ë–m£Ë¶mÛ¶mWuÙ¶mÛ6»Œ®.×ôïÿ4ñf>ͼ'âìÌÜ+WæʽãÞˆCF¤ L'hbod*foçBÇDÏÈ PURW0´±14±´—¡²·1ü5³Á‘ ;™ºXÚÛ‰º˜rÔMM
-7µ3u2´(¸ÙXd,MíœM©
-ð|I¨
-‘wÈ»8hN‚ôÊà3/Õc¼o—eöÀ´ØÕN¦•ôJ? ðg»Xœ nÿP¸ ‘>; ø§7Æ£w#5¡Ôýº$O>ÿóL1<16:Òw>pŒK“MÆãOà˜‹Ë¯¥Z)ZÝL~Ó‘mÂ{ôÔ*’»RÆ¢)ï0=ã½Ég —\"nsYâ‚{s’?ËçžiE«vY«Ôè€9¡ÇΗ©5{ý‰÷r=Fa‘ŠÚòBLÖÔ—J|‚íuÿáq™ßx&™å2‹r&G-H.‹Û"]pYÝÝÝÜ
- "+0TjêkÉ™”“Œ†yF
-3o¡a³ ìR€Á ¥äËG—$5]Ÿk&”ÈÔ›îª7[ãúÞÛÕ3Üî2R×HŽƒvž>kMt]ËwE*–3¼m–ô»°˜(×5ƒ> ìÛ:¸øJ¼ü;xÏÙúãÌôÆë2àÑÞJìîKéÑTXŠ Ñv…—ÇP¤úJzöJèXëÈ0¨Ê@-œéÇ=$!áFŽÚdÉr ¸Ò*û3JE›1*-Yé
-5=Wx²à¶$_?äÑåŒ6i7ei¸pÄ9ÎA÷ H»æ(»Ñ4@ïêŠRaï†cû •cœ¦Ã™¸ß÷Rž¾Ï¬º/säæ¤Ux\Wx!’™²–
-ûˆÝ{Y„Í!\®©E.M.û¬BÛ)°÷d)”(Ü}LxÜž s1Ôú~ã^ZˆUø‹t¦íÝ]TV!ò³þ"«ˆêVØ¥ÅBŸ‰òc yGOiEåŸáÉ[1*‡¸8E[¹ähÕï9¸Z˜3q¥MÕ2^¾dŠ¼Da—ÌLŒû\ﶓ×G hàºõ¦‚Úr¤ïåXØx·à외[]tWÚ*¢å#îÑfÙ
-<ËnJ;ØW9EÛÛW0Òˆ¨š¡ý=OésmàìPr‚ž!at5nd‰÷GJ—‰ŽsÍï:¨›+|}]›2Bjr¹“Þ14Á© ¾qêE®l=ÎÙqXñEpõÐëLïgß* R-h^è¶ynªÖö«$¿1mcqm›àÍÌGm­` …ð×K𗎲©«t»­e‰åû—´´,‰#7Êc1^Ë XSú33<þÔ‚Q*¤ž´@·‹´ñi 2Äí­kÔȸ70ƒ@9}¥áejÎÐ
-d„Ü)-l ÕZv±uãV Ò‘ÈU¤‡éœÙù¶›náBFöR`i# VGö{Cà
-µ<ćI‰¡ÿ&)õduä.lõÚ…¾UF¯*뛦‡7æÛ–8*²I°m~¾9ÀP‹U¡ÐIûVó(B–)l;߸´JŸÒðQ]ìF¨ñÏ1Jò+î;©³5à"^Er5äg¶Ð ò¦.‹í5ÄéÄùm ¿Ž+[ñCJuM2Þ‰@¥q‘~+á Ûå(c¶öäÝ÷°œX³ þŽ8¾cçz° RŠžØàW+@U<G £»íã4k¨t‰ÜÕÏUcÌ ƒv™DÄkËGÙ’¤ÈÏC—ÝRÀÈcí¬–žÃMuk T»1ê¯c6n陌¡@3;måâò±ã3Î?jÛ—
-ûy›–C¬g›ë¾lñÀ¹>`q¸2'Ô÷éöu3GLiÖÌP‹!Œ ²ý}Æ>$íég“œáœ·íç‚ÖU½½˜.ˆU-”Y2„bIi—Iª@Vóàï¢ø=ú/÷!ÁÈϹ5ä`¨xÏb¨ðrŽeA¸ìö˜:0µ.m¦¸.#3 Ù\ˆc­t”àŒ´Ñl- U­™ésÿÏÕYÝ…žƒPòÝ×­uóÍŸÓð,ŠM{ˆêBCœ¾vb¸ÔTCR§dÚc¸eëq61»y«Ä'ù
-\®¨c­?šœö©?Q®ÉóeŒCÝ»ñ§ š˜PE˜©•Øõ!™»ïë¿x/ëí-¤Kñ1(LùË\1ñyBµ³õ¢§X‰¶ Îç°w¸­)Šë–·ö H!û!|½Ž(§‚ ÿ&W;©2
-çüø±Pu¯Žq÷¹<¦^RvÂà ÀGuOܶBžÃD@ ˆ•ŒVÇ8 ¿öýG^ÅÐ…ÂÔÜ’‚×4bãÝ#¼c£NðÀK%ÝíÖˆÓúÛÙ’<@´çªÜßp–oè°B/::â±Ý.û›QW3´ÐK¨Sû–Ab­ˆ‘¾IìxˆV©]ºü
-.o¥¢è›xÛŽ=m§<°·‡Ñ"a¿YDUrçÓ8å<Ñ綉¯àçËgX´½xD‘ WÕ^¤ú]ÏbݸDÆ~œiÐÙŒ9BWØðÅ
-ÀcYûÞ´Nƒ%„›#5ÆT½”÷ µ“)¶;ч*þý³mÃ{ÀÓš¿†xÙ:~rƒ‚æ¢p¡ÊOGÊ|‡{Â]D‡R—xdHi?¯e8ß#u0뫲ÒAR¢×ã“ŠomE°“Ž˜¹Ö1W¼V6­ºÜEÍ8X“ÂA÷M™*=´Î„ÒzÓôž½žC ©ÁýÖ v§”åfk &¡îKYŽè \ý¼üÎ-{7±¤mí‚0o….†)Ž‘TûáYª{è•ïÉ«ö»±
-!ä/woD3“*·â—þzöq¼7VwJ
-áèñ!r±Otž˜¹f{«› (‡*Qs­#òèRMc}çè–ßþî©vâl¿Ëñ{¸Q7(P#,L¿Omƒqäµ<­§5:Q™ op`[õ9†rïõNy’ ÃTñEs(ê”#„&ü¦»pÜlUÛ/æž@ûTn|«ywrõ¿-Yî€ÈôU`%vÑʽѠƒ OÞû®JxàuÕL¾ñ’Ã}änwJ×á L=ƒãMnižgT2älÕ§9¿ÜžYÄ'H£Öþ…öL=òlÆ4×…F”ÖÜ+gruǦÒ3&T
-ŒÓ2l8¨ ¦…þJoË¥Ò§c½}„B
-þ£ÁuâÖW¨ÌÜ|ò h0®&Ÿ#ñ Éúp覻Q ¢Áîjg”Þþ€Òƒ
-¹Œ'µ@O§þKlЭí÷¡‰ŠÆŸ@,Û—š·%¡°„`鸘\,˜3›}y§O’¢Av(˜igísø?/Æ¢ÉÇ1w«rû ñîäÐnfÁ‚ê;+êÙáNïõƒÓé2‡l §Áœúî„]î"¹àᛇ?ÉPl¾^·f˜SÊËq²æøÐuÑR™lkOVöÿ=išA1ØêþìÄ~Iȼ¼÷Ï(ÄXkÂç?[¡ƒ4"Ô <ºeYA/,vÈ•±%sK
-į´^ÑæJ4«KsGØèx8¤õH¯H{s‚Ï+³ûuŠwœ‹ä ”ã¶EÊŒ˜©øzV᫃‚³]ÃÎ+6%ô,ñ%ËZ"3vò;îÇšmçÊi-å:L~NY|Je™ç›¯¢ x*.º¾<Èzíòiw^ª(xw6ôÁu¥v8£½/DÕýˆ*Túøˆô´å˜ÜÍ-‰úøL…µ0[0îßÓƒíÅ·³nÜÁ.yÉ8vJvd;~­ë½cæ,²3ŒÙŶçŸ] ÊÞDx‘¸¯ˆpt¶n3õy(ƒ[øô¼}!µ}IDM /@ã¾#Á‹1éósùÉ©õZ˜F©bÓÄ$²>th mpÇÖ´i QgdË÷¯„â–œý”'÷t‰jP
-¨a§ÎßÿñóÅ,ÿÓÄ‹‡îRmÍAšMžbã÷Dý0ɤATédEü~܆¾Ë@¦KØjv¸ÉâU—xêÚ¢ÆhÉã\a<zµcé$§¥%¶Í¶pƒ¹&å}UfÍ`4ýÎÇ—Íþ–âløÑç%|·‹ùþ¾Z9}ÞEJS8M‚›¡W…U8¿ŒË$w¿ ¥Þ¬¬—ÞŸ9†êOw<Bì%ü®8~9):)AoÞ¸7ªü­ä«:jð²óð:±£Ù„xJIñ‰Ë¨X«`±eú~Ž‡÷ax^?
-!¨£ë¨…]–Õ•zXYáêàõ%\yÌ캶7Eiç0ˆY#@å¸÷}½Œd [¯)pQÓNøœhp‹]Ï£héFÕà5‰_¡l}ì„3\JÍŒ£“|V(TœàJÈ`/öç}¨³ƒú"-ŠÞÕH+áK!EUé_Œ{GÀÙð¥*®Ž±ä‘ôªýh¼WpbO½¯àXÒ´²öªºÕY¶)G¼—…V(n|rm¬6éC¢9q#˃r8|;Ô^Vü¡løà
-Y
-?ž®Ëm´¢˜^ÝkB°gmpŸÇhAÁ›ã+’½ ¦´ùCºìÛ* ¶‘ÊÌèmiÔYHjÈêo‘©ma¥î¨ÆŸ­´ºÁtPäšP¥i¢‰Ã Gö] Û,[wdbÕ8ì`Hj•¬F(!2"L<ý蔸ÙÌvØä_C8Z¢=|„Àh[œ_sbN~•–F‰Èå/‚œ69v98  ÛúIÀ[µ!w3¢ï‰=R‡x*’ÁÃ~ú!ñT™N c•Öd)ƒ—®²Å³`¤@À6«Ù â··ÚþóÿU±3«Š”ì ûe“ öà ;ˆût­án‡úÝqرØ9î]OÖăkp§OŠºçhÚqèìùœ*é4!QÅ]leo P¯° û(ŠpžOH;Àpn}XÈ&ùhzb}>-o1‚לä<OàÀ¦ @¬½*Ý·V†òh
-­F&bÊ_ë8$Þx£§Ë©Ã¤EpPKyuVTe͸H$ët+áÈC0ù“9©!I[ô6[ñãœöŽD)K²su;f–JîEu—û!šâ’ÿC4áÉ 69-úý£*ÁÅ-æu½!Œ±–‘©jM0™é'¨C¨Uä[,6ÒCé›@c=ÌÒ¾æpû³5meX†p>¥Qò{qAb0hºAxô¬eš–G¡ž« ÷·=³^þ•Ø;¶)îtŸ~FjÒÃ÷°&….V’‘bP5Çzj;êü;¼N–åW' ̓3Mçzª~®¤?ú%öRRl{3!¸ýGT˜òýªêbј?ÄOO‡ö?é‘ä4~#ÀLÝš7æ´n¢™hfì÷$¡Tk2­_+šçä[{p¿¥¦Ñ§t±¸s;Eº·øeÙ'ÉsH°]á#e­pÝÚB[NÖ©Ìì9ôŠ~+CK¹’´5vôÏ”¿§Åû$‚rq|xØÃñz˜¥-`)®þÙšî(‚–ÂPªã4·Áq…e•Š©™.\Æ
-·ò4«4é5Tò÷¢uv¶GÜL܈%Z š tÏÆY²éw*žw6Ÿ+¿ m;ÆèfûºlA“]
-OcòÖ†›k<²8ÞCà8
-?
-©çœ.Ñ1FЋd4èõŸDú½åÜüÒª»x+˜ôL½›’jËeÆYîÎ)}hïÌ)Ô…9Õ1$5zü6Åhæ¨dlxMË‘¥]ŽÿF„k§±œ¬Óš¥E]T‹æu¹ÓyEì±ûÜT¨&š(H‰Z­—¢ö³Ž½%ÒánôâÜë#ê…“ jš-¢Í-ÿ1¶ˆ†£iµÝéËõ¬õXbßÄÂxò6Q‡kWPNÇ<0z%ª$A‹\Âœð²j÷À®HÕ©”Ó"¡°~¾üós¿›éùÀ_íÝ 2mµ9ÐQ€’TB†@tÁTõ£;ËEßWEÌDÌ­ŒguÅ]gÊf)"PÆÖâ1¿í^‰šVÝæI×ÐK‹qùÍÐX ŒÊY€²Âú1Ž» vp9t#ûÎvCkÏToòÏĦ.ÚÒ Åp¥Øð*ÞÅAšàal.‹Òj¨BNš®)s\¬AØ(-¾Â‚`}¢þ•¿¹t€ƒ'ÚÞÇØç¦Á ¥‹i†Ö«nµðý“kf—P.Ye8ÚF‚Hôóž‚^AÅô“͉a'Ô0Ñú||{†aÑSOKn§ a·¯dŸ‘æjlšTŸxCbyŒÔí£ÝñÔMÊuÇiYðr‚ÐurÚëxªnø˜n©œ0’Ýø$^´' J#æ›<BR3o°Ð‚¶.×Ò¾²8tEiÄ™h¢x]{*—áª-fÓ´‚.$žÂÅà>Q[ÝèøyE˱éëˆî¯Gj(Ûïh>4±ï3vÇ]«×3…1Ox/n±êψ´Ph| \k±Z/BÛØ;n~ åá*`Ñ,n·¬§CßÓ5‚ó ÑÜßÃû‘aèTq«ý’„,é±®²ð%¨¸¦¸H™˜þ_8²ºlH,ÏÉP?2N'Ë¢Cs32Œµ]•Ôtf… p”-Ϩ,ùï“Û³É
-×ÝÀýr2`cÑ•:ï_ï6ësˆBª
-c[/ì¶}1?ƒ8»ãe§Tº¬lÊ£ÇÉr´Ð–†)ˆ?~%@{$û뤓Ñ_•LrH›¨XòÅz£²á‹¼££N5R?Pâ¦&+û•VÕ¯5t×PF¢×=Œ'SÙÖÆš•âˆ7”Di´ÔÍÌÐø×u¬÷“„Á§ïj¾¨Œ*Æ'mÓåÍF×™9j>"þ ªƒÎZ—©®›k²‚ŠÁ¨ùéCÌÂ\ìżÁ5ÉëòöƒlLÆ£Ú€víE• (Š_‡EW¹ÞOèIBai°…@Ôóþ11šÏ[;„
-mø-³²a£7 ™ˆÑ4yª¦” Š.éw- áÏA&7–æ˜hæØ-syÊýem5ÖÔ¸ÙR—¹Õð™$¥£–1u*Z&‰%6Ù0å!Ù$‡"˜«¸&%‡ÒæÖzMUôG+40\ëGBÝÍßYi”¿¯Ã„Ä€¶MõtÞé1ûi
-˜¥^nè ”íêç•âÎ,ÅŽÓ²:$!¨5]š¼ úuØÍÿò´¢·8“å‹ W"°ˆý¡VN
-Z„1Û÷ ÿêséGe<hˆ-r°-n®õTÂg “„ÖŸÜ9ëZšÀl«zÜ•k²¬•2¥‡…à§+3m¶X&Œ5Hãe,*Vw¢®_d÷¼øjdnÅ”ÍfreƒîL¸nüfI‚[xÓåƒ÷T%Í*pîj¦xKÙ•P¶d¤”¾Ò–f
-Ã,7p“o#ØxpÀÔÄàZ×LÎÌæ(4= Úö]’p×-¦’­×s0‰!±§² ;)‰²†Ó½zK­P°,v“)˜¼6=.½3Œ¥NN4uwÁçkŒÔi?ßÛ‡½ |#ÝIgÓ>³¾’!!\¡»NfM;–ù€y¾u/‰m_L‚{Hàéš41,³ø·YŠ†ÈEh+þ¼¡ÿ1ÿÁc¤Kw‰æ@áðB­>sÑX»ÒVücdåªïÄ‹5Ëb7½ÆR¥çEŽ[/Ò†Ôü‘Î
-)<=U|xxtp9Wlz7;B#Jk•ï*$¥:˛ɚ§rSWí»ü¾‚6Ƀ`"ëPÑÙ8f’cDÍ3UO°úOZ5i”ö ›¸¯Z¹³uzÏýåkÒªŸÆû‰Ô8è AiµåD¬Ê¯ÌÌ
-¹J)°•§Ù´0 ×)NÇv*‡ B×ýD:)‡‘>}†rB¯csÏïq\þ%2Òûà<óÐYZ
-Doµ~‘áNÞÍžb…ü÷ ­æ»!µ«u`º3漺ç •E ¹ùÐÇð”‚çR­¾m¹mì?£••
-Ÿ‚„¨Õ¯êF ‡Ü–Ђ
-z®Ìx"q¬\?™Lüú)#¸§˜y ^d1] ÀGó¥­KÝØL·);68Ƨ!i›Jb“<šžôO!™¹n-º’l$ø‚æiÚ Ö†/­
-ÉØ!úzZûE¹¡Ü˜V]‡`ü—½H€'cÝ›Å.æö–b:ßü3Ù ¤#sÀL¥ü­&(ÉÂËsõÉX›èœ2?hv†¿óÌïÀR‰¦Ý‡uZËpdÛO6-ÿ(¬:Im¨àXsièë³Ñ=Û:«OÇEû±êï)­ådÚå_n5~G¾¨íÆØ"6M=‡”Bä|àaá•$t&0c®ŽN,–zQÜ!ÙBþ†Ó -)˜¢½ëò{^¸ƒÞQ3@TÞù™4ïU½G7©æÀ7òyÎ%]öH|½éx\|Ýso§k5k„«º§8çQ]g®êWø·]`h §ͧÂUŒ 5¾yoÆ‘Ä ‘
-¢š~µ9•v7N€¨Þ„J‡ØÜwº€µ´íµ·S*ñ¦×“ç–«,yóîö†ã‡>κüXÎ!M ]ÜAÃÒ (V % ?9s6÷%: +ÜÃhë¹8±Ã2Çœ»Ädñ†’¸ÆbäØ\Ô&PèaåÜS~žE¤ºÃ•P³e}ŒC’37@Ðì=Cù¦9Ü°hcW7£v)P½¹3ùx%ì=Q M–ýHÕøÄ žª ™Iú+|W"ÁÚÑöq¿–‰c#}~8ÄldTÔ›#ì‚zŸŠË b8ƒ½ÌàÚ/V}zÑ Eê2eâ ƒÂIyP™!Âp@÷CxKŒK³óì>5A 3…Ê‘–r0صàŵ€?Ž=µ~‰l~lE½ ÚÝÄ>=Æš”,S ð–lö-ok8‡ªâ7}
-æb¶+Mƒ $(-TbaÄnÜÏ€³î¸‡ë7›KæÓËŽê¼`ËØ”!êQÊ—`µ{y±>Ñ:ésHçz¸$-©žY¬|ÄýÁP/[0«'ý–~õ™î!;Þžù
-Åñf!*BJpc3w”Ò¥õ½
-_¥êûRô9>Î1t%¿Y¯ÉIÍefæ%ÕÇtìÁS=·Û;éÇË»â Ófé¢òðÒ?­Ç^|cgGKgËhçÞÓüñæ³ø[ <£ªFö:&Ë¿H28*§ªƒe*ÙYƒ”p>Ÿå‚žq$®!W¤²ÉIÒᆘÍìôµ2'h Õü›eÌ‚¯©ÑðúÀ†\¯E>æ$ü¿ÁpnNÌðªÌyÝ„¤à ÈÄp©É?·~ºÇiÚŽÐYçÝzC£‚un`×HK`ÀiájÿP~Á«ÕáR*Uk(ñÞjóe~?r/]S7 éÆRúí;|@“
-ðÊ C@
-]Ç]½|ˆmë‹0µZ~Vy¾
-‡.Wƒ”½‘ð®¯c[æ±`¸}Õp{Ù§EÞ…lž=E9Yðuh­`‚ø-s™Ê‡¡Eæú䊬Ï›1
-|Éûw°©ØâjrÉHÒ,É‹Æ,CbE¶—»Þ^èFêÛ9¹çnx,9c¤œãÖxrí“Í$åÈ£˜Ð^òK~_“â¨ö «48
-+ÇRaçÉç²7[BÞºé¥4\faZ€T ¨ÏŒg"”¦¡9¨™_Ûü Cµµ’)µëËÏ ‡8Ÿ]ÛŒ±î}èÀ,??õbÒfÞÑ5MË$_ÿözÞ?=¬
- F]|N—éUÍQÌVá°ÊEšŸk´`ô—Y±fD T‹¾g뉓Äw„Óg"‡ÓZ3<Ýãýøð£ÈZžp Í M>3ίðåñ—2ºÔ7¨ažb8»×éŒ5!‰Ñ~þš‚ ¾dm>Ú¡³^óZ¾7±YijûvV +Ö²¯LL³fúêW‘¬ñExm íˆ/˜Ö39¢N1ÒŠyógõ4R–(,wV:Ív¡³)·…âÃÚx‰y¡þ3éT–V²`mÁ¦oA¼,×Qf*Å
-†ìÓg¤…žVVÔMˆ"óC>”-²™é=$uÖI€å°•p„ Ô䪀]ƒy€
-áSý qÓS¿ª†R.“=©Àô®¸å)léj“%ÕÐ}PˆJ®D‘é=œ¼™–Ïßõ‰¼ØÇ´:4]‡ÔÇ ž¤=ðøsÃuú³ä0A*›Â«mõß¿5Ä%#6ä@¾* æCàK}‡õdƒÖô_?±íÒÑaÑçpZöñj¤F{ªUpþ¶«EAHJÉûµGCåF=f
-wÔ84<õòN!…OÑÑ
-Ü*¢èp^ö}ÿLl QÛÊyÞò0æ[¢-C »=šK\ËÏ]E4ÈÐùëx´¾O^ƒÅZR=á¡ÂiüÆnnÆL´—tžú[­!ÖŽôbkÌ zøCt0p n€òA–Ý
-ÉÚëTÓ:ó%½ó»êó×o~EGvQw—a“Çu!à­ð|"È®]åû2Å[_“Eœ(Û$¤ú±KÊ'lÞ‚l¾R‡è|n8²D®|a/EÃÌ62ØatŒ„RàU`©ÌÚIËÅ«|¨8[d J¸–3Ò–SÖåä9òsÛétiô6jÅÍ©uÂd\þö|ƒ±¡]Ê7`WªŒÉ?¹´RÜð¤ukaØŸSñƒZÂì뛋ÂðÌ‹Wõ?ÕxZJKu`Ò£{žÉ‡?z:RÎ܃u™ÞrZï°æWð\¦ ÐÝB¯Ü$±
-•m›;ÆÖ‚N‘šI‰Ì>0åœ\×ÔÁrÁ–~¿ß¦Wp—|@(’ý$&hdž–mGë¿L‹a1Dx,}ŠÊq—›ƒEr²S¤ÌÂ*—; ÒžÏpòbÜ‚7§"suÊ–XŽ¢jÅVvdJ9e°ùZØü¢·±›¡6 Fj’uoß@žÕÂÏRØA£šÏè7±R³ÜŸC¿«=¬z«R(–&HÍéE×`l¹Õé<˧2&žù?Ñj›]#Èvÿ£ïo¨ðk£â„ÕˆH@ü‹õëE 5XVº[੨1?\ýbûìS£Ao!b1/ѳ§‰J<<×*½´—Ô [,'{11ÅÓät—«‹É«˜Ù½U,ÓF•€û?çIIïºÒÂëGS#Íç‚FÄg ñf¬"Gh€ãÄ.OÙ[‰]W‡BáSdSÔVÙþ´¥àÍü‚íLjÚ</p´žlÅ
-"ˆ§§³±ªn†QÆöš»æuðÕ¥L(¥âŠv0Bo f¢Ü{¸ïÛÖˆ,`,3Ìýá”H¶ÛçÅ×í,°Ÿ\ýýæf‰­_[äÙAL·É<ê}<òZYšŽ¯×ÎQ6§¨Ñ<¨ð¼Æ5¸¸@7:ë=zÎ0É /¢¡§ZGVv9ÏÞ9­ô%çŽüû΋tå1áy¨œ½¡¸­d)稬ª2Nš vï“ÞÆkoö¢@~¶Ï©žä­ö»cµÞð(’/gQMšÉcùüZÞ‡pªÀÖugâ2±tcÀ‚ûcâåwÁÀ‚û"”ñ3džQ0eƒ¸®#8¶W¾‚.¡tøš‰f@¤¶HðÀz+›4í¤?Õ_ù`
-W;«Ä‚üUh&ÕŠÒ¥HSnFi@YüáŠFr¹ûjØ©ô‚üîŒL0æÂú]ˆ<‚V!}–K/iú â uXoJ–{N4YcAC†ÿÛ€/i}hXxQ_²·vS|PIpL‹OÎÄÿ×éÉÂNâÎþ§%ò¢®#q=‹ß˜‘ëÞÊXì¸o^t7eˆ×WTæ4Sö0XÏÖYò€}6Ü›Z²ÈÄ]}rƒÌ:±l:# bkäÝ–aÌý·€®Ï:$œäDDöÌǃêŽO
-³š}±ômCa¨œs¥”—žÀÔ|%«¯bå„ÊÁ®U‰P¤ÑU£3ÊšØ=çäÁὦ½Ü j Ë”“0ÂÀ²Ú/ÕH«’º}Ÿ½'ÒôÃûψW–˜k† ô@k«Fì¨,çl÷Œû[o½­¯åÏ HQÒ‰…< v:Qñ7~to‹ô îÍñˆ”µÏŠaT'cΜֹE8«™É&Ö+¯«exÞÓIþ#êÀK„N¨à;=/mÒ,ŽÞ5êgné*š^D‡S "‰±­pÍq>Ým…’º>à ìöû×ÇãJ@zæxÕÕFW8^
-.@ ü,ñ“`aMJ!λŠ6N‡ú:žØ7y|‘Rä, ,²àMgBˆ·»¦8o¹®(QF ™³nZˆpZª„;¶ƒ¤Ää.«³:‹}ïþí¸<$ÈñÄÙ“†öú¬vdž“IF#ûeyùéëBCⲶtÊgìvve] Š|(Ü©½ÞŽÖ2Ç
-"IúvœÝ~ÙuÊ)k˜ˆB­±©R…Vd›}‚Áà,‰$™ØmŸF3S)pŸœOigRD['ù<пi[Ïe2rÃ2;í¢Ð ŸUATþV]¤·êœUÃþe½ø¹7ã “àìxáO¹¦€`¼Æ!³†…˜I®‘fþ²¸<Üzm7—‡£©ŠT›ä% €ȯ•“º»®bÔq᎕ÂÙxú§Åd%]òR¾ˆNa†PåÛ‘Ô›§­ÅË·o#=ç’™¦™›ý&à¼)g‘^%›Ï¥ ‘¹m8®à†aiå==çƒÀ¶ rAao¼¶5–‚ñbP¥C‹ð¿Ú7‡õJ@ÙƶÛ¶m³cÛöŽmu:¶mÛîØêØæù'÷ îì|§`M«Ö „í±-!‹°!Š£ñFll«šuÿ¶³àEl°è^÷ìQú)æ<3¶ÄeóçUU$…»j×~a»XL^äMΊþùýê㉃j[‡‡·CÄ*Ä⮈àÒh‚»¦QË;u|ºUw">,œ¤âÔ;û2Ùöí„gè‚s+‘뻹ˆ5' ò5lÞ¢
-|dà3E¹Æ:[qáÚ™£ò|Q²îî
-¦A½­! V™Ñ«ô¸õ!UÖ‘»¿ûZì´àž÷¼ˆ_Éx ºËEµz™ãŸæ`ߎµ1BT5¢S.t´ÕãGéÓª›Jfƒ@áƒüZ~9:מÊF&–es×A·„^_Òj:Š54e°ñ2ZÅ[»É8
-ïZgUñYÄÙšf8Âôd¿ÜÕÌ°ŠkÄÇ‘­Pöd¼ùCSÖèJEAPÖ6ÿÝĸî­$˜ç¥Ç§¤F§Íä0'tÀ¸í•kØ0-öÈ*¯X&ÜÞÎe0ª"Óž`1Ò‘ÿZJPé‰|ϪâŽëH¸Äo¯"0‘y‡Äúyú#gcqê‡ót}_/ ^ÈdkwÜÙíúòÜ×›ã“3ųʶe/oJ„yÍ,½ä!…‘NV§7S£dò=á`ëNŠ°›½7›.5ö_4cå6Ä}|3mÏ ‚¡há9é4Î…c ÄæeG(½¯üª§!Dî§Â‰ë%mëÒI¿lbÿr?¤áoÛTZô=Éé–‡™Ã¦…ñL22–ÏÔW‚b²’BžÕ”1Ó¾=ne AŸ˜ç¾cqaZ *^"MïpØ
-f‰ª^±Ü‹ é¼E..ƒ§úW÷#^ߥ3áÖøfF,þ­œ{L$ÆLÜ#b
-%Ue
-ÖÇÿ$»R‚0 °*kpC›5D$*|º™¼g®yÓà\'\óK[3;pÎH·û¬Bêš<\)Á\K¨mù*ªýùÂýÌââr¹é'É‹ªí³=Fûš°«'d<šgîcŠé'U ¾³ò)2.š9V×Ú›õgö#Ë£b@KÎåUÉ¢*@!ïXw·)2Íö«+¬CYq4¿1ww¾\ò.—Ôd]?Ù'œ¥”c8
-†n|»Aº§D f2=]SÞºž2])ø.¡st£%²pΉ“Wz6kJgýòÇ“ô‡a³ö—‰ù®9y3jžð:¯·®sa³*|Ë—~Þ²A'±j"‚a<tÝÜ¿cžB[ŸË´}!ÃqÛ.tÞ¯ÕŒ£ã¶ƒ3
-ƒË[ÓôÚ¯^dþþÂ()<е€â¬‰fL^:Q+
-*ç+Ë7t±;¶Ý¢ *%:‘Õ]=âï›Ëu'–¸bȦ•@ø¶$®ä“Ns5>7;mjo'õ£NL)H?”ÌsŒÈÔ$aËê×tPf\D:. 3Üí ]0ŒEFöáGÌåëd\W”%mÔÀàWíQÎ1‚Ôé^ȃÂgì/}™ïTJ@f¢”³ìr'
-Ÿ–YBAí¿†ÒŒê§äkÖÁ[„Xé„5ÔOBÌåçŒ;ç0NGGw¶;è‹q
-~êŸch]8-ož¨­`¤÷3oi>ýß" C¸ð*$4üÊVÊÇà-L>?´<²èl7“xxÞŠâƒsÌ™ú sŠÒµÅG
-‹I: "0²sŠ|¯ÕÁí›góij§6W]˜d Ý£,P•9Q¦%·Þ$,æv'){Ù¨«wÆ
-éɃSaåò5¨îŠ‘NK÷É“äQgÀeÁŠã*C†QÊú;±W¨+Ì(=ð¶ðr ¶}!YÏÍê»pD™Vµp¦ÔÃHã/°²\k‹÷ï-7•g;먴R‡:g\;ìÇiw^îmÖºÔ£…&ú§uâ@’åàº\s›eðV
-ÕÊz]¹§0Ë0Ôo{„ù9fJY?ó*î ^”ƒðé )U_‚)(ƒ+ |õ÷±íàõ§¼Õæ÷ãæGT jO×~ªØ:_†Üª63+‹êËí [ºšŽjJ½põŽÚìt
-®Çïu;¢¸a
-X§äÊÎ L‚|]BuKÚ ãªX›ŠŠji·ý ÜÉL5ÕvÜ4±bY(G¹Á©{»QR3œ”äï³IgÒü»IlštêÉÛ|ÃÓD ¬k{[Åi6Þˆâàô@ðww=ã›{Qúã¿TêFióLmò¤llÃ?æáúnÝöþÆžçètÒn¢³¯?>
-ukóñð^$r­…ùÛ0¬˜¡dâ,ö§éi¶h9PϹçÏX+#œá-1kÂ`þ73´>ÕÏiÕ€â9rµÖîÍu1‡[
-.òvŒÆ›ãWa°r՜ܔ`Ÿ}ö¿¯ÂýÛwq¹ÙïÖ”‚·0®„i‘%Áüwþ!W¤Ìëe²Ó
-¿£JÄäôÀÈ~ ïbþCñ÷a¼™V£;Ò9Dáö$hGSú‰</Ñ¥ÿ‘)Ƶèl["ŸV±N5Ò«m‡®ÆH©)§âÀ­ŠÐûÏIÐK¸ÖÕ«\U…ïÁ#ÅXa!=*ˆª]!ÁîÞYÃÂídï1šÅ|âe9}âF+$r$SêxÜ”d2Ä“qChŸMH•ÛaÄN¨¹kl˜’?r´š•mnr"CÀÂ8Ô@æõ%<"ɾ@#Û™ÀÓÞâ™ –ÚÈöÀ0ít­Ež”ïû´€šÚ¡MÜ™:ãZÕBL•wÛ{1+(Úéï³´æ8ÿïÕaÐÓ#ËãŽÑOE‚šy ¯ý”lî:¬¿_À­×þË=“ {E‰¶hvî~s2Ѭo¢Æ7u ñdØJü7¶ài˜ñÑ »[ïtQÅ ™ÅèøŒË;pÕKôÂãÃì³Ùì§{´3Óàr^ìI¹Úw°Úç)k%P>]À¼#A97±§ãÈ*Á¡atìm}¶—†mK•8ù6T«Ç}þÖåãÜxò`žüyþÕ\ÈqïN51FA1Â'Œ‘uôÐÅ42î²8ݕ沊° Fô„«Ô¬àCøb&åûlÅ
-.ô.!¯ ùŒl}‹²-ꦚ!Î(®dìQl’ç0(oih7»"âØS ~M¹û<w]óÓË»Tá!±Ú¢$‘6¢þ‚hx}}åPyOÖ”ñÄ.¯ºHƒƒ>¶%úÇõ+°jÐMᶵ=$,ƒ‰½=öPSÆO>ßʳqa—ïñˆëo"èäËÇt>U¦©Cði‘‚1åÄÀU±l¾Ø ÉB½Wiõã(¼šQí‹Ù».¬@Üÿ ÄñŽš‰49c̤HD–…P=ºÝXt>-š-”ã¸4•öv‰_1E‡1;K-ÏŽØõÆ©É-4iž æ5¿Ó³ƒæ‡ÈÌÞ\Ô†ë1tD‹ÈÄtŽËd6_EófNñŸZ
-…¯oÏà’X³`G ÊŸMjâVQ̼ó{?#ü{¨
-ÿ†%ôAn÷«Et_I^}Ü<&ì°ÄªäcY:/‹Èš 7Ôöyvcªð, +´Âpmê_oS´±KR*\ÍeãzÜ­ bfú0óz30s–ÙXsø1ðniȹ‡"/]vºrÊO‚0Ð4.²'‚çàž³ÖVŠ¢2ðm+ø«Ö°ÎhP_  P^ÉòâRý;Ð<Pyâ6°™ba]a ~”ÿ¬˜òr¸2–æj âÌi@ç‹Ù­b’“¿ý«M²ìÖ@o“ð)4âéØIM.Ñá}ó´Oqu#Ú­<ko²öžü °ƒ“2N%Ûk¥Žw¾_ÃÓ|·,xr»¼uÁ=…–/SVÊGã¬l¹`³–½ä{íi ¼X\n®^>Ä“œjÒ Ë&Oæng•Ûlý0kôÂ7¢mWÌçO5RŒ0
-ŠÇ½Íè÷å/‘:Ìé5b"=žOæýÕ0Z꛳Ùø¹'sä3âçDç&EÇ
-‘ƒúS¼×¨,î$‚Ñ¢±Í97ÅÖàb+𶡸5f‰ôÍÄEáÄŠ\u’ Ϲs?
-¸ÑàXÎRP*;Výt”ÄùYh.H­ ‘¦P‡mºx¬KÆ2¥¶­^’f²­åå¨t¤Ç´gˆîPsÐ;íÆžÿ|>w…Äv»Úhwò®â€n ÷¯ü×@(áÆzø­³Æ)±GÈû Ðú¹'»ÐÛºäz÷
-ªCð’󬧌¤piÅ2{Oe«pFañp¨“òK¯Áf¤wÍÍF¯×p˜û$ð«—þ£R>,ÈÃð2*ÍpÃÛ@Hd/¿«–e†‘[Ã~“®ä“Ô‹Ëq˜øeˆ ÛvŒëkmÆ{iâñø*@À˜BAY¸9“X±Än©StÞSÖL( J[/ÎtS> üÆ3Ý[מ¢ÿ}×yáõ
-êä;ã¶,¤ R††§t«É–¯Îo$–Nžù˜ªÏÍê;~6owAõÁf=c³½ŒÎF[Å„æù–¢ k¦ƒùœrÏ%ǨTá…äé ~BÖ|®âËGbÏîå ȲÆà|RMì^ï6QÌHè6 jRjôäßÄËèT[\ûâ‰RµÃÂ/H]\qfˆN¼fc*)¥Ö`õâÌ<ò&$´­†»€ËVÑ’oþ¤qP¥`•i«ìÅ“/‚®iø=ÃØ…®¤ ØH’‘·LŸwžðˆVßÉÛ¤Xù¹ ‡¸N‰UÈF)ŸùÍ/'!xx2¼yT.o|³ìŽò©ÏÍ#$£A:Â>§%÷ˆºjôyáÄÅ ïaÿa$îÉ·FrQòÖü›¹Ó+üy»¡B•oV”`¦Úv
-&®[öà"¥ƒÊr0—®£½ O
-‘pGÌœ'¡véÏ jËN‘D "jÀ=DÆ/¬?õKjNêps÷y Egð¸›âæÑÅÀé¸ eZÊÌÓÉj¸-•0Ýàµ%‚aÄ€%’'ðX ŒÞy˜ ž9˳Õ-AŠ^¢&‡†¡Äú¢|;“õ’ð­[Õƒ¼“x¦Ñëc-£V^ùéïÎ$W‚
-cd(¨[÷[qJDü­5›UÁï¦ùúª“|i‹DÞø£– ¶8ÐÄÎ9_µàé4dað@˜Ÿ P´¼jp-sð}Æ÷FþP³‹3ó#¢•Cø°¯‹ÀÀ«£“TK|å÷lfËZ¬h'B‘@á4u®°8ó]0tƒˆ‚Ÿ·Èr»‹•Å!¦¿Ñ TŽºéør:4xé"&ÅN Œ/S;8gw¿…×Û¦‰*™ÎûTáž “axe4ܧ•>³î@E ƒÉhª…Ê(ˆ·êÃÖ&L}n³‘ƒÉ1rǺj,ƒ©}j¯Ø`í}¦|ÙQì¼¼ ó.òE)KïÝ’|³I4.Î3qÉ-™ÑŽa‰~Ó»š—8Ãd®HÎù¢záá~oÍ•ƒtfž
-®RÁ1æ"+Ob´½ÞnšŸF±¡é’Þù4g?nhO)Õ"AD·â™¥ïŸÜõ׶auE‰ø–ßl·
-ØNB†@–·üa`laø¯"kÝ =“¿'pr
-3c]MŽ<Z!ÖYЙÖÄÊq̼RüÄ“xìqñm>*9Œz±â{¥ò˜r»¨A®€ÎVÝÁã¤þ칧ǘ¡O–•½¬€K™òLÞ“N¿b ª:"eä%‰zÖ¾˜+°¢ v¯ –=üµ{nváû¸iɳ5@“¥¼ ŽÀQEG}Ò="ÎÊg2¹k}rgÁÎaïÄbF2§«:ôq‘l5eúY[Ûh[Pz
-Õ"W›‚HóoHëg AÐÐYqo!a{In&Ýq7õµÊ´…B„ì©™-‡–¸ ²“ÑÉ@ùïå¿ûïz‡^Âö[ÏŠëN¥ Ê ‰/\Œ«6Å:ê×c·•©àÀ®Dº¶6?i&Ç]ÊÕ#¼Ð‚Æ›d¡&~ 1 ¬çúàˆÚa;ÙzðBì•9|ÄyôÔùõ䢕)²röTÇÈ]ÓuÅ…CäW®iCê««(LjS——VL¬'@벎3ŽPœ2sJƒWŸ’÷/-pxÇåjØ !Ã1WÕ3ûg¯èê­ø;øßïv!Çs8mÝ{¦b µÏTfkŽžý¥]ÂÕþÚ¼þ ä@’èQ§üKþDЃU³øøäܯ Éí£sfàb8äª*neð¿¾=à8XçRâÛ5‰æAD>D?¯[6ènºMeÒÊЪ“Ž\Ì¡Œ@\$ì1‰ìÒ%$¸˜¿Ó‚j)Û±œžhÄßF%²&â}–ž9 ÷»¸nqôM‘棆dŽà5<ƒ(»°äHd´
-ÿm“'èZÿm+‰pÁB"ÊÚO‹a££‘Úàÿa¥ÅCîp7¨Ûw_¬QOuü"’­8ÏΓX£ìì?³F£,  »«VH¤nÈ8ò»‡Ö œ»Œ¯WhHâÍQ6ååõ0bÞwþOäÀG•tÙAz‚ÿr½S{–§ÝrðÃF5'va¿ ƪb…T› »¬ñº´=:I£V‹åc¢pf€ÅFw”™þ¡±šç©‰Øô:î»:·€·^Ϩ„¯¶qzº QVàD~Í‘6‰
-Æ94£ë Fsf‡U…ÞpÃxò¯*N.sžuÒ7#0÷Óc‚HÕ˜ –âYph9ÅUG— Þ¿¯çÖëY:/¾=¶'·2€ùµG³<~ª:™HJë¸p”£0L;µ/$
-ŠÝØfxö7w÷Aꎎ­L¤³íXUòW³.’¼ª’;ÓÓ¡E"Så]FÞÉÊÏ"iòmþò¯Ñ7„ò—Ú+ÝظqŸKÓ™û˜Žz„Œ¼{R?5ùÁ.’ª–).ÄYðñ¡“ÿ’‡èa£öî3Mä¬8; O'ÂÒÃ{(:õ„
-2 _LØÅ£™>÷R¤½¼
-NÜßúú
-Lœ›Ê%…LeÌ¿+1Œ-•*ŒÂ0G70ýo2ˆ…"³ôd°Ç\g¶i7±ÝâsqLÆ7!õòîÏ¢{ßr%tCáòA@òÊý»ÑÕ*k„ï:qÉê“2²)]dÀÒ‚¸ê‚ƒL/j”ª®äQéâ a“H'‘±èñä^¹®˜%ö/ïŽö»Gž¤ò÷»F¬Píù'€.wÉ¢‰ç’‘H=¨>9ŸhxÓ~TÑMÖìÜ‘œ\nÁ¼)¬2ÂÆP¶R7wõ/qiÉ#·gD^&Ñ6JD»‡ùþþµ˜‹VÕz<ƒªÕ!
-6_mŠq'2~‹Ò=aFŠ†þÐœ²?Ç ¯Z¡._|;l[×OX˜àJÁ+QGýiÜZÉP&Yyf2—<²è•rŒG Ü75·ïá3òŽÃ#z‡FF⨾ãúF4þN¸ü5àcíÚ6P·¡“eä è‡Ék¢œu_KŸ¥°L‹*·éñ0MH¼CrœT>Ü㇟x FÿàRÂB_!äµi¨NÙ%$hâ]tÞ ‰¢èÛîûs¶¼ª=nù<ü¨òÁËY©ÞØîƒQKñ™ÆýgF==ˆ3šöùsCì¶G’Ð!YŠ WaðŠ +·Yà¾]ˆh‘!{â#iŽ»¤"”¯ùù4bwËZ¨X à2&£‘.¿l=b, ¢,Ùl<aâr7à')¬Í‹RQÜ.)ö2—.‘ч¥r×uü)RÖ\-Cà"
-¨{0öÊðeh饑@­s£²çäV>ÔúAœ¦Gôì©5W0!ÒãBîV\Êå6ÔÔëߥåíýŽá;RЭ$øžv(Ó@ÃICM«Çv¹Ì_§/# È
-ÙÌÑ‚§õ±Á¿2å 6ôw’ä{0ëó¬+/6A3C¿X ¬Ÿ?
-¥0©j T™¶„qÚ]¡ÁÂ'DY¸ ö.g¬Âñ¨û ;AJÒ´á¿ÔÍ­[ßÇHûaA@Ôñ ?ÍJµAì»tI•%[Ø­$ Òð³"ɾs™ÿ?÷€ÿ
-endobj
-597 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1336 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1351 0 R
-/BaseFont /NEGMHA+URWPalladioL-Bold
-/FontDescriptor 595 0 R
->> endobj
-595 0 obj <<
-/Ascent 708
-/CapHeight 672
-/Descent -266
-/FontName /NEGMHA+URWPalladioL-Bold
-/ItalicAngle 0
-/StemV 123
-/XHeight 471
-/FontBBox [-152 -301 1000 935]
-/Flags 4
-/CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 596 0 R
->> endobj
-1351 0 obj
-[611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 0 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
-endobj
-601 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1352 0 R
-/Kids [590 0 R 603 0 R 610 0 R 629 0 R 646 0 R 657 0 R]
->> endobj
-672 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1352 0 R
-/Kids [664 0 R 674 0 R 679 0 R 687 0 R 698 0 R 706 0 R]
->> endobj
-717 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1352 0 R
-/Kids [713 0 R 720 0 R 727 0 R 739 0 R 748 0 R 753 0 R]
->> endobj
-764 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1352 0 R
-/Kids [757 0 R 766 0 R 776 0 R 787 0 R 794 0 R 803 0 R]
->> endobj
-813 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1352 0 R
-/Kids [807 0 R 815 0 R 819 0 R 829 0 R 835 0 R 843 0 R]
->> endobj
-861 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1352 0 R
-/Kids [853 0 R 863 0 R 877 0 R 884 0 R 888 0 R 894 0 R]
->> endobj
-907 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1353 0 R
-/Kids [900 0 R 909 0 R 916 0 R 920 0 R 925 0 R 931 0 R]
->> endobj
-947 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1353 0 R
-/Kids [938 0 R 953 0 R 957 0 R 967 0 R 974 0 R 982 0 R]
->> endobj
-992 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1353 0 R
-/Kids [986 0 R 994 0 R 1001 0 R 1006 0 R 1013 0 R 1021 0 R]
->> endobj
-1035 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1353 0 R
-/Kids [1029 0 R 1037 0 R 1046 0 R 1051 0 R 1055 0 R 1063 0 R]
->> endobj
-1084 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1353 0 R
-/Kids [1075 0 R 1086 0 R 1102 0 R 1114 0 R 1120 0 R 1127 0 R]
->> endobj
-1149 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1353 0 R
-/Kids [1138 0 R 1151 0 R 1158 0 R 1164 0 R 1168 0 R 1176 0 R]
->> endobj
-1196 0 obj <<
-/Type /Pages
-/Count 6
-/Parent 1354 0 R
-/Kids [1186 0 R 1198 0 R 1202 0 R 1209 0 R 1221 0 R 1276 0 R]
->> endobj
-1335 0 obj <<
-/Type /Pages
-/Count 1
-/Parent 1354 0 R
-/Kids [1327 0 R]
->> endobj
-1352 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 1355 0 R
-/Kids [601 0 R 672 0 R 717 0 R 764 0 R 813 0 R 861 0 R]
->> endobj
-1353 0 obj <<
-/Type /Pages
-/Count 36
-/Parent 1355 0 R
-/Kids [907 0 R 947 0 R 992 0 R 1035 0 R 1084 0 R 1149 0 R]
->> endobj
-1354 0 obj <<
-/Type /Pages
-/Count 7
-/Parent 1355 0 R
-/Kids [1196 0 R 1335 0 R]
->> endobj
-1355 0 obj <<
-/Type /Pages
-/Count 79
-/Kids [1352 0 R 1353 0 R 1354 0 R]
->> endobj
-1356 0 obj <<
-/Type /Outlines
-/First 7 0 R
-/Last 555 0 R
-/Count 9
->> endobj
-587 0 obj <<
-/Title 588 0 R
-/A 585 0 R
-/Parent 575 0 R
-/Prev 583 0 R
->> endobj
-583 0 obj <<
-/Title 584 0 R
-/A 581 0 R
-/Parent 575 0 R
-/Prev 579 0 R
-/Next 587 0 R
->> endobj
-579 0 obj <<
-/Title 580 0 R
-/A 577 0 R
-/Parent 575 0 R
-/Next 583 0 R
->> endobj
-575 0 obj <<
-/Title 576 0 R
-/A 573 0 R
-/Parent 555 0 R
-/Prev 567 0 R
-/First 579 0 R
-/Last 587 0 R
-/Count -3
->> endobj
-571 0 obj <<
-/Title 572 0 R
-/A 569 0 R
-/Parent 567 0 R
->> endobj
-567 0 obj <<
-/Title 568 0 R
-/A 565 0 R
-/Parent 555 0 R
-/Prev 559 0 R
-/Next 575 0 R
-/First 571 0 R
-/Last 571 0 R
-/Count -1
->> endobj
-563 0 obj <<
-/Title 564 0 R
-/A 561 0 R
-/Parent 559 0 R
->> endobj
-559 0 obj <<
-/Title 560 0 R
-/A 557 0 R
-/Parent 555 0 R
-/Next 567 0 R
-/First 563 0 R
-/Last 563 0 R
-/Count -1
->> endobj
-555 0 obj <<
-/Title 556 0 R
-/A 553 0 R
-/Parent 1356 0 R
-/Prev 535 0 R
-/First 559 0 R
-/Last 575 0 R
-/Count -3
->> endobj
-551 0 obj <<
-/Title 552 0 R
-/A 549 0 R
-/Parent 535 0 R
-/Prev 547 0 R
->> endobj
-547 0 obj <<
-/Title 548 0 R
-/A 545 0 R
-/Parent 535 0 R
-/Prev 539 0 R
-/Next 551 0 R
->> endobj
-543 0 obj <<
-/Title 544 0 R
-/A 541 0 R
-/Parent 539 0 R
->> endobj
-539 0 obj <<
-/Title 540 0 R
-/A 537 0 R
-/Parent 535 0 R
-/Next 547 0 R
-/First 543 0 R
-/Last 543 0 R
-/Count -1
->> endobj
-535 0 obj <<
-/Title 536 0 R
-/A 533 0 R
-/Parent 1356 0 R
-/Prev 511 0 R
-/Next 555 0 R
-/First 539 0 R
-/Last 551 0 R
-/Count -3
->> endobj
-531 0 obj <<
-/Title 532 0 R
-/A 529 0 R
-/Parent 511 0 R
-/Prev 519 0 R
->> endobj
-527 0 obj <<
-/Title 528 0 R
-/A 525 0 R
-/Parent 519 0 R
-/Prev 523 0 R
->> endobj
-523 0 obj <<
-/Title 524 0 R
-/A 521 0 R
-/Parent 519 0 R
-/Next 527 0 R
->> endobj
-519 0 obj <<
-/Title 520 0 R
-/A 517 0 R
-/Parent 511 0 R
-/Prev 515 0 R
-/Next 531 0 R
-/First 523 0 R
-/Last 527 0 R
-/Count -2
->> endobj
-515 0 obj <<
-/Title 516 0 R
-/A 513 0 R
-/Parent 511 0 R
-/Next 519 0 R
->> endobj
-511 0 obj <<
-/Title 512 0 R
-/A 509 0 R
-/Parent 1356 0 R
-/Prev 239 0 R
-/Next 535 0 R
-/First 515 0 R
-/Last 531 0 R
-/Count -3
->> endobj
-507 0 obj <<
-/Title 508 0 R
-/A 505 0 R
-/Parent 463 0 R
-/Prev 491 0 R
->> endobj
-503 0 obj <<
-/Title 504 0 R
-/A 501 0 R
-/Parent 491 0 R
-/Prev 499 0 R
->> endobj
-499 0 obj <<
-/Title 500 0 R
-/A 497 0 R
-/Parent 491 0 R
-/Prev 495 0 R
-/Next 503 0 R
->> endobj
-495 0 obj <<
-/Title 496 0 R
-/A 493 0 R
-/Parent 491 0 R
-/Next 499 0 R
->> endobj
-491 0 obj <<
-/Title 492 0 R
-/A 489 0 R
-/Parent 463 0 R
-/Prev 487 0 R
-/Next 507 0 R
-/First 495 0 R
-/Last 503 0 R
-/Count -3
->> endobj
-487 0 obj <<
-/Title 488 0 R
-/A 485 0 R
-/Parent 463 0 R
-/Prev 483 0 R
-/Next 491 0 R
->> endobj
-483 0 obj <<
-/Title 484 0 R
-/A 481 0 R
-/Parent 463 0 R
-/Prev 479 0 R
-/Next 487 0 R
->> endobj
-479 0 obj <<
-/Title 480 0 R
-/A 477 0 R
-/Parent 463 0 R
-/Prev 467 0 R
-/Next 483 0 R
->> endobj
-475 0 obj <<
-/Title 476 0 R
-/A 473 0 R
-/Parent 467 0 R
-/Prev 471 0 R
->> endobj
-471 0 obj <<
-/Title 472 0 R
-/A 469 0 R
-/Parent 467 0 R
-/Next 475 0 R
->> endobj
-467 0 obj <<
-/Title 468 0 R
-/A 465 0 R
-/Parent 463 0 R
-/Next 479 0 R
-/First 471 0 R
-/Last 475 0 R
-/Count -2
->> endobj
-463 0 obj <<
-/Title 464 0 R
-/A 461 0 R
-/Parent 239 0 R
-/Prev 271 0 R
-/First 467 0 R
-/Last 507 0 R
-/Count -6
->> endobj
-459 0 obj <<
-/Title 460 0 R
-/A 457 0 R
-/Parent 443 0 R
-/Prev 455 0 R
->> endobj
-455 0 obj <<
-/Title 456 0 R
-/A 453 0 R
-/Parent 443 0 R
-/Prev 451 0 R
-/Next 459 0 R
->> endobj
-451 0 obj <<
-/Title 452 0 R
-/A 449 0 R
-/Parent 443 0 R
-/Prev 447 0 R
-/Next 455 0 R
->> endobj
-447 0 obj <<
-/Title 448 0 R
-/A 445 0 R
-/Parent 443 0 R
-/Next 451 0 R
->> endobj
-443 0 obj <<
-/Title 444 0 R
-/A 441 0 R
-/Parent 271 0 R
-/Prev 439 0 R
-/First 447 0 R
-/Last 459 0 R
-/Count -4
->> endobj
-439 0 obj <<
-/Title 440 0 R
-/A 437 0 R
-/Parent 271 0 R
-/Prev 435 0 R
-/Next 443 0 R
->> endobj
-435 0 obj <<
-/Title 436 0 R
-/A 433 0 R
-/Parent 271 0 R
-/Prev 431 0 R
-/Next 439 0 R
->> endobj
-431 0 obj <<
-/Title 432 0 R
-/A 429 0 R
-/Parent 271 0 R
-/Prev 427 0 R
-/Next 435 0 R
->> endobj
-427 0 obj <<
-/Title 428 0 R
-/A 425 0 R
-/Parent 271 0 R
-/Prev 423 0 R
-/Next 431 0 R
->> endobj
-423 0 obj <<
-/Title 424 0 R
-/A 421 0 R
-/Parent 271 0 R
-/Prev 419 0 R
-/Next 427 0 R
->> endobj
-419 0 obj <<
-/Title 420 0 R
-/A 417 0 R
-/Parent 271 0 R
-/Prev 415 0 R
-/Next 423 0 R
->> endobj
-415 0 obj <<
-/Title 416 0 R
-/A 413 0 R
-/Parent 271 0 R
-/Prev 343 0 R
-/Next 419 0 R
->> endobj
-411 0 obj <<
-/Title 412 0 R
-/A 409 0 R
-/Parent 343 0 R
-/Prev 407 0 R
->> endobj
-407 0 obj <<
-/Title 408 0 R
-/A 405 0 R
-/Parent 343 0 R
-/Prev 403 0 R
-/Next 411 0 R
->> endobj
-403 0 obj <<
-/Title 404 0 R
-/A 401 0 R
-/Parent 343 0 R
-/Prev 399 0 R
-/Next 407 0 R
->> endobj
-399 0 obj <<
-/Title 400 0 R
-/A 397 0 R
-/Parent 343 0 R
-/Prev 395 0 R
-/Next 403 0 R
->> endobj
-395 0 obj <<
-/Title 396 0 R
-/A 393 0 R
-/Parent 343 0 R
-/Prev 391 0 R
-/Next 399 0 R
->> endobj
-391 0 obj <<
-/Title 392 0 R
-/A 389 0 R
-/Parent 343 0 R
-/Prev 387 0 R
-/Next 395 0 R
->> endobj
-387 0 obj <<
-/Title 388 0 R
-/A 385 0 R
-/Parent 343 0 R
-/Prev 383 0 R
-/Next 391 0 R
->> endobj
-383 0 obj <<
-/Title 384 0 R
-/A 381 0 R
-/Parent 343 0 R
-/Prev 379 0 R
-/Next 387 0 R
->> endobj
-379 0 obj <<
-/Title 380 0 R
-/A 377 0 R
-/Parent 343 0 R
-/Prev 375 0 R
-/Next 383 0 R
->> endobj
-375 0 obj <<
-/Title 376 0 R
-/A 373 0 R
-/Parent 343 0 R
-/Prev 371 0 R
-/Next 379 0 R
->> endobj
-371 0 obj <<
-/Title 372 0 R
-/A 369 0 R
-/Parent 343 0 R
-/Prev 367 0 R
-/Next 375 0 R
->> endobj
-367 0 obj <<
-/Title 368 0 R
-/A 365 0 R
-/Parent 343 0 R
-/Prev 363 0 R
-/Next 371 0 R
->> endobj
-363 0 obj <<
-/Title 364 0 R
-/A 361 0 R
-/Parent 343 0 R
-/Prev 359 0 R
-/Next 367 0 R
->> endobj
-359 0 obj <<
-/Title 360 0 R
-/A 357 0 R
-/Parent 343 0 R
-/Prev 355 0 R
-/Next 363 0 R
->> endobj
-355 0 obj <<
-/Title 356 0 R
-/A 353 0 R
-/Parent 343 0 R
-/Prev 351 0 R
-/Next 359 0 R
->> endobj
-351 0 obj <<
-/Title 352 0 R
-/A 349 0 R
-/Parent 343 0 R
-/Prev 347 0 R
-/Next 355 0 R
->> endobj
-347 0 obj <<
-/Title 348 0 R
-/A 345 0 R
-/Parent 343 0 R
-/Next 351 0 R
->> endobj
-343 0 obj <<
-/Title 344 0 R
-/A 341 0 R
-/Parent 271 0 R
-/Prev 339 0 R
-/Next 415 0 R
-/First 347 0 R
-/Last 411 0 R
-/Count -17
->> endobj
-339 0 obj <<
-/Title 340 0 R
-/A 337 0 R
-/Parent 271 0 R
-/Prev 335 0 R
-/Next 343 0 R
->> endobj
-335 0 obj <<
-/Title 336 0 R
-/A 333 0 R
-/Parent 271 0 R
-/Prev 331 0 R
-/Next 339 0 R
->> endobj
-331 0 obj <<
-/Title 332 0 R
-/A 329 0 R
-/Parent 271 0 R
-/Prev 327 0 R
-/Next 335 0 R
->> endobj
-327 0 obj <<
-/Title 328 0 R
-/A 325 0 R
-/Parent 271 0 R
-/Prev 323 0 R
-/Next 331 0 R
->> endobj
-323 0 obj <<
-/Title 324 0 R
-/A 321 0 R
-/Parent 271 0 R
-/Prev 311 0 R
-/Next 327 0 R
->> endobj
-319 0 obj <<
-/Title 320 0 R
-/A 317 0 R
-/Parent 311 0 R
-/Prev 315 0 R
->> endobj
-315 0 obj <<
-/Title 316 0 R
-/A 313 0 R
-/Parent 311 0 R
-/Next 319 0 R
->> endobj
-311 0 obj <<
-/Title 312 0 R
-/A 309 0 R
-/Parent 271 0 R
-/Prev 307 0 R
-/Next 323 0 R
-/First 315 0 R
-/Last 319 0 R
-/Count -2
->> endobj
-307 0 obj <<
-/Title 308 0 R
-/A 305 0 R
-/Parent 271 0 R
-/Prev 303 0 R
-/Next 311 0 R
->> endobj
-303 0 obj <<
-/Title 304 0 R
-/A 301 0 R
-/Parent 271 0 R
-/Prev 299 0 R
-/Next 307 0 R
->> endobj
-299 0 obj <<
-/Title 300 0 R
-/A 297 0 R
-/Parent 271 0 R
-/Prev 295 0 R
-/Next 303 0 R
->> endobj
-295 0 obj <<
-/Title 296 0 R
-/A 293 0 R
-/Parent 271 0 R
-/Prev 291 0 R
-/Next 299 0 R
->> endobj
-291 0 obj <<
-/Title 292 0 R
-/A 289 0 R
-/Parent 271 0 R
-/Prev 287 0 R
-/Next 295 0 R
->> endobj
-287 0 obj <<
-/Title 288 0 R
-/A 285 0 R
-/Parent 271 0 R
-/Prev 283 0 R
-/Next 291 0 R
->> endobj
-283 0 obj <<
-/Title 284 0 R
-/A 281 0 R
-/Parent 271 0 R
-/Prev 279 0 R
-/Next 287 0 R
->> endobj
-279 0 obj <<
-/Title 280 0 R
-/A 277 0 R
-/Parent 271 0 R
-/Prev 275 0 R
-/Next 283 0 R
->> endobj
-275 0 obj <<
-/Title 276 0 R
-/A 273 0 R
-/Parent 271 0 R
-/Next 279 0 R
->> endobj
-271 0 obj <<
-/Title 272 0 R
-/A 269 0 R
-/Parent 239 0 R
-/Prev 243 0 R
-/Next 463 0 R
-/First 275 0 R
-/Last 443 0 R
-/Count -24
->> endobj
-267 0 obj <<
-/Title 268 0 R
-/A 265 0 R
-/Parent 259 0 R
-/Prev 263 0 R
->> endobj
-263 0 obj <<
-/Title 264 0 R
-/A 261 0 R
-/Parent 259 0 R
-/Next 267 0 R
->> endobj
-259 0 obj <<
-/Title 260 0 R
-/A 257 0 R
-/Parent 243 0 R
-/Prev 247 0 R
-/First 263 0 R
-/Last 267 0 R
-/Count -2
->> endobj
-255 0 obj <<
-/Title 256 0 R
-/A 253 0 R
-/Parent 247 0 R
-/Prev 251 0 R
->> endobj
-251 0 obj <<
-/Title 252 0 R
-/A 249 0 R
-/Parent 247 0 R
-/Next 255 0 R
->> endobj
-247 0 obj <<
-/Title 248 0 R
-/A 245 0 R
-/Parent 243 0 R
-/Next 259 0 R
-/First 251 0 R
-/Last 255 0 R
-/Count -2
->> endobj
-243 0 obj <<
-/Title 244 0 R
-/A 241 0 R
-/Parent 239 0 R
-/Next 271 0 R
-/First 247 0 R
-/Last 259 0 R
-/Count -2
->> endobj
-239 0 obj <<
-/Title 240 0 R
-/A 237 0 R
-/Parent 1356 0 R
-/Prev 227 0 R
-/Next 511 0 R
-/First 243 0 R
-/Last 463 0 R
-/Count -3
->> endobj
-235 0 obj <<
-/Title 236 0 R
-/A 233 0 R
-/Parent 227 0 R
-/Prev 231 0 R
->> endobj
-231 0 obj <<
-/Title 232 0 R
-/A 229 0 R
-/Parent 227 0 R
-/Next 235 0 R
->> endobj
-227 0 obj <<
-/Title 228 0 R
-/A 225 0 R
-/Parent 1356 0 R
-/Prev 131 0 R
-/Next 239 0 R
-/First 231 0 R
-/Last 235 0 R
-/Count -2
->> endobj
-223 0 obj <<
-/Title 224 0 R
-/A 221 0 R
-/Parent 215 0 R
-/Prev 219 0 R
->> endobj
-219 0 obj <<
-/Title 220 0 R
-/A 217 0 R
-/Parent 215 0 R
-/Next 223 0 R
->> endobj
-215 0 obj <<
-/Title 216 0 R
-/A 213 0 R
-/Parent 131 0 R
-/Prev 199 0 R
-/First 219 0 R
-/Last 223 0 R
-/Count -2
->> endobj
-211 0 obj <<
-/Title 212 0 R
-/A 209 0 R
-/Parent 199 0 R
-/Prev 207 0 R
->> endobj
-207 0 obj <<
-/Title 208 0 R
-/A 205 0 R
-/Parent 199 0 R
-/Prev 203 0 R
-/Next 211 0 R
->> endobj
-203 0 obj <<
-/Title 204 0 R
-/A 201 0 R
-/Parent 199 0 R
-/Next 207 0 R
->> endobj
-199 0 obj <<
-/Title 200 0 R
-/A 197 0 R
-/Parent 131 0 R
-/Prev 195 0 R
-/Next 215 0 R
-/First 203 0 R
-/Last 211 0 R
-/Count -3
->> endobj
-195 0 obj <<
-/Title 196 0 R
-/A 193 0 R
-/Parent 131 0 R
-/Prev 191 0 R
-/Next 199 0 R
->> endobj
-191 0 obj <<
-/Title 192 0 R
-/A 189 0 R
-/Parent 131 0 R
-/Prev 155 0 R
-/Next 195 0 R
->> endobj
-187 0 obj <<
-/Title 188 0 R
-/A 185 0 R
-/Parent 155 0 R
-/Prev 183 0 R
->> endobj
-183 0 obj <<
-/Title 184 0 R
-/A 181 0 R
-/Parent 155 0 R
-/Prev 179 0 R
-/Next 187 0 R
->> endobj
-179 0 obj <<
-/Title 180 0 R
-/A 177 0 R
-/Parent 155 0 R
-/Prev 175 0 R
-/Next 183 0 R
->> endobj
-175 0 obj <<
-/Title 176 0 R
-/A 173 0 R
-/Parent 155 0 R
-/Prev 171 0 R
-/Next 179 0 R
->> endobj
-171 0 obj <<
-/Title 172 0 R
-/A 169 0 R
-/Parent 155 0 R
-/Prev 159 0 R
-/Next 175 0 R
->> endobj
-167 0 obj <<
-/Title 168 0 R
-/A 165 0 R
-/Parent 159 0 R
-/Prev 163 0 R
->> endobj
-163 0 obj <<
-/Title 164 0 R
-/A 161 0 R
-/Parent 159 0 R
-/Next 167 0 R
->> endobj
-159 0 obj <<
-/Title 160 0 R
-/A 157 0 R
-/Parent 155 0 R
-/Next 171 0 R
-/First 163 0 R
-/Last 167 0 R
-/Count -2
->> endobj
-155 0 obj <<
-/Title 156 0 R
-/A 153 0 R
-/Parent 131 0 R
-/Prev 151 0 R
-/Next 191 0 R
-/First 159 0 R
-/Last 187 0 R
-/Count -6
->> endobj
-151 0 obj <<
-/Title 152 0 R
-/A 149 0 R
-/Parent 131 0 R
-/Prev 147 0 R
-/Next 155 0 R
->> endobj
-147 0 obj <<
-/Title 148 0 R
-/A 145 0 R
-/Parent 131 0 R
-/Prev 139 0 R
-/Next 151 0 R
->> endobj
-143 0 obj <<
-/Title 144 0 R
-/A 141 0 R
-/Parent 139 0 R
->> endobj
-139 0 obj <<
-/Title 140 0 R
-/A 137 0 R
-/Parent 131 0 R
-/Prev 135 0 R
-/Next 147 0 R
-/First 143 0 R
-/Last 143 0 R
-/Count -1
->> endobj
-135 0 obj <<
-/Title 136 0 R
-/A 133 0 R
-/Parent 131 0 R
-/Next 139 0 R
->> endobj
-131 0 obj <<
-/Title 132 0 R
-/A 129 0 R
-/Parent 1356 0 R
-/Prev 91 0 R
-/Next 227 0 R
-/First 135 0 R
-/Last 215 0 R
-/Count -9
->> endobj
-127 0 obj <<
-/Title 128 0 R
-/A 125 0 R
-/Parent 111 0 R
-/Prev 115 0 R
->> endobj
-123 0 obj <<
-/Title 124 0 R
-/A 121 0 R
-/Parent 115 0 R
-/Prev 119 0 R
->> endobj
-119 0 obj <<
-/Title 120 0 R
-/A 117 0 R
-/Parent 115 0 R
-/Next 123 0 R
->> endobj
-115 0 obj <<
-/Title 116 0 R
-/A 113 0 R
-/Parent 111 0 R
-/Next 127 0 R
-/First 119 0 R
-/Last 123 0 R
-/Count -2
->> endobj
-111 0 obj <<
-/Title 112 0 R
-/A 109 0 R
-/Parent 91 0 R
-/Prev 107 0 R
-/First 115 0 R
-/Last 127 0 R
-/Count -2
->> endobj
-107 0 obj <<
-/Title 108 0 R
-/A 105 0 R
-/Parent 91 0 R
-/Prev 95 0 R
-/Next 111 0 R
->> endobj
-103 0 obj <<
-/Title 104 0 R
-/A 101 0 R
-/Parent 95 0 R
-/Prev 99 0 R
->> endobj
-99 0 obj <<
-/Title 100 0 R
-/A 97 0 R
-/Parent 95 0 R
-/Next 103 0 R
->> endobj
-95 0 obj <<
-/Title 96 0 R
-/A 93 0 R
-/Parent 91 0 R
-/Next 107 0 R
-/First 99 0 R
-/Last 103 0 R
-/Count -2
->> endobj
-91 0 obj <<
-/Title 92 0 R
-/A 89 0 R
-/Parent 1356 0 R
-/Prev 67 0 R
-/Next 131 0 R
-/First 95 0 R
-/Last 111 0 R
-/Count -3
->> endobj
-87 0 obj <<
-/Title 88 0 R
-/A 85 0 R
-/Parent 67 0 R
-/Prev 83 0 R
->> endobj
-83 0 obj <<
-/Title 84 0 R
-/A 81 0 R
-/Parent 67 0 R
-/Prev 79 0 R
-/Next 87 0 R
->> endobj
-79 0 obj <<
-/Title 80 0 R
-/A 77 0 R
-/Parent 67 0 R
-/Prev 75 0 R
-/Next 83 0 R
->> endobj
-75 0 obj <<
-/Title 76 0 R
-/A 73 0 R
-/Parent 67 0 R
-/Prev 71 0 R
-/Next 79 0 R
->> endobj
-71 0 obj <<
-/Title 72 0 R
-/A 69 0 R
-/Parent 67 0 R
-/Next 75 0 R
->> endobj
-67 0 obj <<
-/Title 68 0 R
-/A 65 0 R
-/Parent 1356 0 R
-/Prev 7 0 R
-/Next 91 0 R
-/First 71 0 R
-/Last 87 0 R
-/Count -5
->> endobj
-63 0 obj <<
-/Title 64 0 R
-/A 61 0 R
-/Parent 23 0 R
-/Prev 55 0 R
->> endobj
-59 0 obj <<
-/Title 60 0 R
-/A 57 0 R
-/Parent 55 0 R
->> endobj
-55 0 obj <<
-/Title 56 0 R
-/A 53 0 R
-/Parent 23 0 R
-/Prev 39 0 R
-/Next 63 0 R
-/First 59 0 R
-/Last 59 0 R
-/Count -1
->> endobj
-51 0 obj <<
-/Title 52 0 R
-/A 49 0 R
-/Parent 39 0 R
-/Prev 47 0 R
->> endobj
-47 0 obj <<
-/Title 48 0 R
-/A 45 0 R
-/Parent 39 0 R
-/Prev 43 0 R
-/Next 51 0 R
->> endobj
-43 0 obj <<
-/Title 44 0 R
-/A 41 0 R
-/Parent 39 0 R
-/Next 47 0 R
->> endobj
-39 0 obj <<
-/Title 40 0 R
-/A 37 0 R
-/Parent 23 0 R
-/Prev 35 0 R
-/Next 55 0 R
-/First 43 0 R
-/Last 51 0 R
-/Count -3
->> endobj
-35 0 obj <<
-/Title 36 0 R
-/A 33 0 R
-/Parent 23 0 R
-/Prev 31 0 R
-/Next 39 0 R
->> endobj
-31 0 obj <<
-/Title 32 0 R
-/A 29 0 R
-/Parent 23 0 R
-/Prev 27 0 R
-/Next 35 0 R
->> endobj
-27 0 obj <<
-/Title 28 0 R
-/A 25 0 R
-/Parent 23 0 R
-/Next 31 0 R
->> endobj
-23 0 obj <<
-/Title 24 0 R
-/A 21 0 R
-/Parent 7 0 R
-/Prev 19 0 R
-/First 27 0 R
-/Last 63 0 R
-/Count -6
->> endobj
-19 0 obj <<
-/Title 20 0 R
-/A 17 0 R
-/Parent 7 0 R
-/Prev 15 0 R
-/Next 23 0 R
->> endobj
-15 0 obj <<
-/Title 16 0 R
-/A 13 0 R
-/Parent 7 0 R
-/Prev 11 0 R
-/Next 19 0 R
->> endobj
-11 0 obj <<
-/Title 12 0 R
-/A 9 0 R
-/Parent 7 0 R
-/Next 15 0 R
->> endobj
-7 0 obj <<
-/Title 8 0 R
-/A 5 0 R
-/Parent 1356 0 R
-/Next 67 0 R
-/First 11 0 R
-/Last 23 0 R
-/Count -4
->> endobj
-1357 0 obj <<
-/Names [(Access_Control_Lists) 1172 0 R (Bv9ARM.ch01) 613 0 R (Bv9ARM.ch02) 667 0 R (Bv9ARM.ch03) 682 0 R (Bv9ARM.ch04) 730 0 R (Bv9ARM.ch05) 810 0 R (Bv9ARM.ch06) 822 0 R (Bv9ARM.ch07) 1171 0 R (Bv9ARM.ch08) 1189 0 R (Bv9ARM.ch09) 1205 0 R (Configuration_File_Grammar) 849 0 R (DNSSEC) 782 0 R (Doc-Start) 594 0 R (Setting_TTLs) 1141 0 R (access_control) 963 0 R (acl) 857 0 R (address_match_lists) 827 0 R (admin_tools) 704 0 R (appendix.A) 554 0 R (bibliography) 1217 0 R (boolean_options) 736 0 R (builtin) 1025 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 226 0 R (chapter.6) 238 0 R (chapter.7) 510 0 R (chapter.8) 534 0 R (cite.RFC1034) 1233 0 R (cite.RFC1035) 1235 0 R (cite.RFC1101) 1290 0 R (cite.RFC1123) 1292 0 R (cite.RFC1183) 1270 0 R (cite.RFC1464) 1310 0 R (cite.RFC1535) 1262 0 R (cite.RFC1536) 1264 0 R (cite.RFC1537) 1300 0 R (cite.RFC1591) 1294 0 R (cite.RFC1706) 1272 0 R (cite.RFC1712) 1324 0 R (cite.RFC1713) 1312 0 R (cite.RFC1794) 1314 0 R (cite.RFC1876) 1274 0 R (cite.RFC1886) 1254 0 R (cite.RFC1912) 1302 0 R (cite.RFC1982) 1266 0 R (cite.RFC1995) 1240 0 R (cite.RFC1996) 1242 0 R (cite.RFC2010) 1304 0 R (cite.RFC2052) 1280 0 R (cite.RFC2065) 1256 0 R (cite.RFC2136) 1244 0 R (cite.RFC2137) 1258 0 R (cite.RFC2163) 1282 0 R (cite.RFC2168) 1284 0 R (cite.RFC2181) 1246 0 R (cite.RFC2219) 1306 0 R (cite.RFC2230) 1286 0 R (cite.RFC2240) 1316 0 R (cite.RFC2308) 1248 0 R (cite.RFC2317) 1296 0 R (cite.RFC2345) 1318 0 R (cite.RFC2352) 1320 0 R (cite.RFC2845) 1250 0 R (cite.RFC974) 1237 0 R (cite.id2492354) 1333 0 R (configuration_file_elements) 823 0 R (controls_statement_definition_and_usage) 718 0 R (diagnostic_tools) 655 0 R (dynamic_update) 734 0 R (dynamic_update_policies) 774 0 R (dynamic_update_security) 972 0 R (historical_dns_information) 1212 0 R (id2465864) 614 0 R (id2466744) 615 0 R (id2466798) 619 0 R (id2466807) 620 0 R (id2467648) 690 0 R (id2467665) 691 0 R (id2468484) 635 0 R (id2468627) 637 0 R 
(id2468647) 638 0 R (id2468664) 999 0 R (id2468955) 639 0 R (id2469040) 642 0 R (id2469114) 649 0 R (id2469205) 652 0 R (id2469226) 653 0 R (id2469245) 654 0 R (id2469274) 660 0 R (id2469306) 661 0 R (id2469332) 662 0 R (id2469364) 668 0 R (id2469388) 669 0 R (id2469399) 670 0 R (id2469481) 671 0 R (id2469490) 677 0 R (id2469521) 684 0 R (id2469537) 685 0 R (id2470116) 694 0 R (id2470121) 695 0 R (id2471306) 723 0 R (id2471318) 724 0 R (id2471731) 745 0 R (id2472292) 761 0 R (id2472308) 762 0 R (id2472342) 763 0 R (id2472358) 769 0 R (id2472366) 770 0 R (id2472406) 771 0 R (id2472458) 772 0 R (id2472502) 779 0 R (id2472516) 780 0 R (id2472633) 781 0 R (id2472699) 790 0 R (id2472766) 791 0 R (id2472909) 792 0 R (id2472933) 797 0 R (id2472992) 799 0 R (id2473012) 800 0 R (id2473180) 811 0 R (id2473387) 824 0 R (id2474020) 832 0 R (id2474046) 833 0 R (id2474140) 838 0 R (id2474155) 839 0 R (id2474184) 840 0 R (id2474329) 850 0 R (id2474694) 856 0 R (id2474736) 858 0 R (id2474862) 860 0 R (id2475131) 868 0 R (id2475146) 869 0 R (id2475169) 870 0 R (id2475190) 871 0 R (id2475261) 880 0 R (id2475456) 881 0 R (id2475508) 882 0 R (id2476201) 897 0 R (id2476729) 903 0 R (id2476870) 904 0 R (id2476933) 912 0 R (id2476977) 913 0 R (id2476992) 914 0 R (id2478674) 934 0 R (id2479741) 960 0 R (id2479792) 962 0 R (id2479971) 971 0 R (id2480128) 977 0 R (id2480722) 989 0 R (id2480738) 990 0 R (id2480976) 997 0 R (id2483475) 1017 0 R (id2483930) 1032 0 R (id2484556) 1042 0 R (id2484673) 1043 0 R (id2484741) 1049 0 R (id2485414) 1058 0 R (id2485420) 1059 0 R (id2485425) 1060 0 R (id2485658) 1066 0 R (id2485689) 1067 0 R (id2486790) 1105 0 R (id2486949) 1107 0 R (id2486967) 1108 0 R (id2486988) 1111 0 R (id2487128) 1117 0 R (id2487779) 1123 0 R (id2487888) 1125 0 R (id2487909) 1130 0 R (id2488198) 1132 0 R (id2488313) 1134 0 R (id2488331) 1135 0 R (id2488705) 1142 0 R (id2488878) 1144 0 R (id2488892) 1145 0 R (id2488984) 1147 0 R (id2489003) 1148 0 R (id2489059) 1154 0 R (id2489122) 
1155 0 R (id2489153) 1156 0 R (id2489213) 1161 0 R (id2489545) 1182 0 R (id2489621) 1183 0 R (id2489678) 1184 0 R (id2489885) 1190 0 R (id2489891) 1191 0 R (id2489902) 1192 0 R (id2489920) 1193 0 R (id2490050) 1206 0 R (id2490055) 1207 0 R (id2490243) 1213 0 R (id2490554) 1215 0 R (id2490899) 1229 0 R (id2490901) 1231 0 R (id2490909) 1236 0 R (id2491001) 1232 0 R (id2491025) 1234 0 R (id2491062) 1245 0 R (id2491088) 1247 0 R (id2491113) 1239 0 R (id2491138) 1241 0 R (id2491161) 1243 0 R (id2491217) 1249 0 R (id2491277) 1252 0 R (id2491292) 1253 0 R (id2491331) 1255 0 R (id2491370) 1257 0 R (id2491398) 1260 0 R (id2491406) 1261 0 R (id2491432) 1263 0 R (id2491499) 1265 0 R (id2491536) 1268 0 R (id2491541) 1269 0 R (id2491598) 1271 0 R (id2491636) 1283 0 R (id2491671) 1273 0 R (id2491725) 1279 0 R (id2491765) 1281 0 R (id2491792) 1285 0 R (id2491818) 1288 0 R (id2491826) 1289 0 R (id2491851) 1291 0 R (id2491875) 1293 0 R (id2491896) 1295 0 R (id2491943) 1298 0 R (id2491950) 1299 0 R (id2491976) 1301 0 R (id2492003) 1303 0 R (id2492039) 1305 0 R (id2492078) 1308 0 R (id2492099) 1309 0 R (id2492121) 1311 0 R (id2492146) 1313 0 R (id2492170) 1315 0 R (id2492193) 1317 0 R (id2492238) 1319 0 R (id2492263) 1322 0 R (id2492269) 1323 0 R (id2492342) 1330 0 R (id2492352) 1332 0 R (id2492354) 1334 0 R (incremental_zone_transfers) 742 0 R (internet_drafts) 1325 0 R (ipv6addresses) 801 0 R (journal) 735 0 R (lwresd) 812 0 R (notify) 731 0 R (options) 923 0 R (page.1) 593 0 R (page.10) 689 0 R (page.11) 700 0 R (page.12) 708 0 R (page.13) 715 0 R (page.14) 722 0 R (page.15) 729 0 R (page.16) 741 0 R (page.17) 750 0 R (page.18) 755 0 R (page.19) 759 0 R (page.2) 605 0 R (page.20) 768 0 R (page.21) 778 0 R (page.22) 789 0 R (page.23) 796 0 R (page.24) 805 0 R (page.25) 809 0 R (page.26) 817 0 R (page.27) 821 0 R (page.28) 831 0 R (page.29) 837 0 R (page.3) 612 0 R (page.30) 845 0 R (page.31) 855 0 R (page.32) 865 0 R (page.33) 879 0 R (page.34) 886 0 R (page.35) 890 0 R (page.36) 
896 0 R (page.37) 902 0 R (page.38) 911 0 R (page.39) 918 0 R (page.4) 631 0 R (page.40) 922 0 R (page.41) 927 0 R (page.42) 933 0 R (page.43) 940 0 R (page.44) 955 0 R (page.45) 959 0 R (page.46) 969 0 R (page.47) 976 0 R (page.48) 984 0 R (page.49) 988 0 R (page.5) 648 0 R (page.50) 996 0 R (page.51) 1003 0 R (page.52) 1008 0 R (page.53) 1015 0 R (page.54) 1023 0 R (page.55) 1031 0 R (page.56) 1039 0 R (page.57) 1048 0 R (page.58) 1053 0 R (page.59) 1057 0 R (page.6) 659 0 R (page.60) 1065 0 R (page.61) 1077 0 R (page.62) 1088 0 R (page.63) 1104 0 R (page.64) 1116 0 R (page.65) 1122 0 R (page.66) 1129 0 R (page.67) 1140 0 R (page.68) 1153 0 R (page.69) 1160 0 R (page.7) 666 0 R (page.70) 1166 0 R (page.71) 1170 0 R (page.72) 1178 0 R (page.73) 1188 0 R (page.74) 1200 0 R (page.75) 1204 0 R (page.76) 1211 0 R (page.77) 1224 0 R (page.78) 1278 0 R (page.79) 1329 0 R (page.8) 676 0 R (page.9) 681 0 R (proposed_standards) 746 0 R (rfcs) 644 0 R (rndc) 875 0 R (rrset_ordering) 696 0 R (sample_configuration) 683 0 R (section*.1) 1228 0 R (section*.10) 1321 0 R (section*.11) 1331 0 R (section*.2) 1230 0 R (section*.3) 1238 0 R (section*.4) 1251 0 R (section*.5) 1259 0 R (section*.6) 1267 0 R (section*.7) 1287 0 R (section*.8) 1297 0 R (section*.9) 1307 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 154 0 R (section.4.6) 190 0 R (section.4.7) 194 0 R (section.4.8) 198 0 R (section.4.9) 214 0 R (section.5.1) 230 0 R (section.5.2) 234 0 R (section.6.1) 242 0 R (section.6.2) 270 0 R (section.6.3) 462 0 R (section.7.1) 514 0 R (section.7.2) 518 0 R (section.7.3) 530 0 R (section.8.1) 538 0 R (section.8.2) 546 0 R (section.8.3) 550 0 R (section.A.1) 558 0 R 
(section.A.2) 566 0 R (section.A.3) 574 0 R (server_statement_definition_and_usage) 951 0 R (server_statement_grammar) 1034 0 R (statsfile) 929 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.5.1) 158 0 R (subsection.4.5.2) 170 0 R (subsection.4.5.3) 174 0 R (subsection.4.5.4) 178 0 R (subsection.4.5.5) 182 0 R (subsection.4.5.6) 186 0 R (subsection.4.8.1) 202 0 R (subsection.4.8.2) 206 0 R (subsection.4.8.3) 210 0 R (subsection.4.9.1) 218 0 R (subsection.4.9.2) 222 0 R (subsection.6.1.1) 246 0 R (subsection.6.1.2) 258 0 R (subsection.6.2.1) 274 0 R (subsection.6.2.10) 310 0 R (subsection.6.2.11) 322 0 R (subsection.6.2.12) 326 0 R (subsection.6.2.13) 330 0 R (subsection.6.2.14) 334 0 R (subsection.6.2.15) 338 0 R (subsection.6.2.16) 342 0 R (subsection.6.2.17) 414 0 R (subsection.6.2.18) 418 0 R (subsection.6.2.19) 422 0 R (subsection.6.2.2) 278 0 R (subsection.6.2.20) 426 0 R (subsection.6.2.21) 430 0 R (subsection.6.2.22) 434 0 R (subsection.6.2.23) 438 0 R (subsection.6.2.24) 442 0 R (subsection.6.2.3) 282 0 R (subsection.6.2.4) 286 0 R (subsection.6.2.5) 290 0 R (subsection.6.2.6) 294 0 R (subsection.6.2.7) 298 0 R (subsection.6.2.8) 302 0 R (subsection.6.2.9) 306 0 R (subsection.6.3.1) 466 0 R (subsection.6.3.2) 478 0 R (subsection.6.3.3) 482 0 R (subsection.6.3.4) 486 0 R (subsection.6.3.5) 490 0 R (subsection.6.3.6) 506 0 R (subsection.7.2.1) 522 0 R (subsection.7.2.2) 526 0 R (subsection.8.1.1) 542 0 R (subsection.A.1.1) 562 0 R (subsection.A.2.1) 570 0 R (subsection.A.3.1) 578 0 R (subsection.A.3.2) 582 0 R (subsection.A.3.3) 586 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R 
(subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 162 0 R (subsubsection.4.5.1.2) 166 0 R (subsubsection.6.1.1.1) 250 0 R (subsubsection.6.1.1.2) 254 0 R (subsubsection.6.1.2.1) 262 0 R (subsubsection.6.1.2.2) 266 0 R (subsubsection.6.2.10.1) 314 0 R (subsubsection.6.2.10.2) 318 0 R (subsubsection.6.2.16.1) 346 0 R (subsubsection.6.2.16.10) 382 0 R (subsubsection.6.2.16.11) 386 0 R (subsubsection.6.2.16.12) 390 0 R (subsubsection.6.2.16.13) 394 0 R (subsubsection.6.2.16.14) 398 0 R (subsubsection.6.2.16.15) 402 0 R (subsubsection.6.2.16.16) 406 0 R (subsubsection.6.2.16.17) 410 0 R (subsubsection.6.2.16.2) 350 0 R (subsubsection.6.2.16.3) 354 0 R (subsubsection.6.2.16.4) 358 0 R (subsubsection.6.2.16.5) 362 0 R (subsubsection.6.2.16.6) 366 0 R (subsubsection.6.2.16.7) 370 0 R (subsubsection.6.2.16.8) 374 0 R (subsubsection.6.2.16.9) 378 0 R (subsubsection.6.2.24.1) 446 0 R (subsubsection.6.2.24.2) 450 0 R (subsubsection.6.2.24.3) 454 0 R (subsubsection.6.2.24.4) 458 0 R (subsubsection.6.3.1.1) 470 0 R (subsubsection.6.3.1.2) 474 0 R (subsubsection.6.3.5.1) 494 0 R (subsubsection.6.3.5.2) 498 0 R (subsubsection.6.3.5.3) 502 0 R (table.1.1) 621 0 R (table.1.2) 636 0 R (table.3.1) 692 0 R (table.3.2) 725 0 R (table.6.1) 825 0 R (table.6.10) 1112 0 R (table.6.11) 1118 0 R (table.6.12) 1124 0 R (table.6.13) 1131 0 R (table.6.14) 1133 0 R (table.6.15) 1136 0 R (table.6.16) 1143 0 R (table.6.17) 1146 0 R (table.6.18) 1162 0 R (table.6.2) 851 0 R (table.6.3) 859 0 R (table.6.4) 898 0 R (table.6.5) 935 0 R (table.6.6) 1018 0 R (table.6.7) 1033 0 R (table.6.8) 1061 0 R (table.6.9) 1106 0 R (table.A.1) 1214 0 R (table.A.2) 1216 0 R (the_category_phrase) 892 0 R (the_sortlist_statement) 1009 0 R (topology) 1004 0 R (tsig) 760 0 R (tuning) 1019 0 R (types_of_resource_records_and_when_to_use_them) 643 0 R (view_statement_grammar) 1027 0 R (zone_statement_grammar) 965 0 R (zone_transfers) 737 0 R]
-/Limits [(Access_Control_Lists) (zone_transfers)]
->> endobj
-1358 0 obj <<
-/Kids [1357 0 R]
->> endobj
-1359 0 obj <<
-/Dests 1358 0 R
->> endobj
-1360 0 obj <<
-/Type /Catalog
-/Pages 1355 0 R
-/Outlines 1356 0 R
-/Names 1359 0 R
-/PageMode /UseOutlines
-/OpenAction 589 0 R
->> endobj
-1361 0 obj <<
-/Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20051104123603+11'00')
-/PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
->> endobj
-xref
-0 1362
-0000000001 65535 f
-0000000002 00000 f
-0000000003 00000 f
-0000000004 00000 f
-0000000000 00000 f
-0000000009 00000 n
-0000018859 00000 n
-0000483529 00000 n
-0000000054 00000 n
-0000000086 00000 n
-0000018983 00000 n
-0000483457 00000 n
-0000000133 00000 n
-0000000173 00000 n
-0000019108 00000 n
-0000483371 00000 n
-0000000221 00000 n
-0000000273 00000 n
-0000019233 00000 n
-0000483285 00000 n
-0000000321 00000 n
-0000000377 00000 n
-0000023668 00000 n
-0000483175 00000 n
-0000000425 00000 n
-0000000478 00000 n
-0000023792 00000 n
-0000483101 00000 n
-0000000531 00000 n
-0000000572 00000 n
-0000023917 00000 n
-0000483014 00000 n
-0000000625 00000 n
-0000000674 00000 n
-0000024042 00000 n
-0000482927 00000 n
-0000000727 00000 n
-0000000757 00000 n
-0000028190 00000 n
-0000482803 00000 n
-0000000810 00000 n
-0000000861 00000 n
-0000028315 00000 n
-0000482729 00000 n
-0000000919 00000 n
-0000000964 00000 n
-0000028440 00000 n
-0000482642 00000 n
-0000001022 00000 n
-0000001062 00000 n
-0000028565 00000 n
-0000482568 00000 n
-0000001120 00000 n
-0000001162 00000 n
-0000031474 00000 n
-0000482444 00000 n
-0000001215 00000 n
-0000001260 00000 n
-0000031599 00000 n
-0000482383 00000 n
-0000001318 00000 n
-0000001355 00000 n
-0000031724 00000 n
-0000482309 00000 n
-0000001408 00000 n
-0000001463 00000 n
-0000034112 00000 n
-0000482184 00000 n
-0000001509 00000 n
-0000001556 00000 n
-0000034237 00000 n
-0000482110 00000 n
-0000001604 00000 n
-0000001648 00000 n
-0000034362 00000 n
-0000482023 00000 n
-0000001696 00000 n
-0000001735 00000 n
-0000034485 00000 n
-0000481936 00000 n
-0000001783 00000 n
-0000001825 00000 n
-0000034609 00000 n
-0000481849 00000 n
-0000001873 00000 n
-0000001936 00000 n
-0000035645 00000 n
-0000481775 00000 n
-0000001984 00000 n
-0000002034 00000 n
-0000037323 00000 n
-0000481647 00000 n
-0000002080 00000 n
-0000002126 00000 n
-0000037447 00000 n
-0000481534 00000 n
-0000002174 00000 n
-0000002218 00000 n
-0000037572 00000 n
-0000481458 00000 n
-0000002271 00000 n
-0000002323 00000 n
-0000037697 00000 n
-0000481381 00000 n
-0000002377 00000 n
-0000002436 00000 n
-0000040313 00000 n
-0000481290 00000 n
-0000002485 00000 n
-0000002523 00000 n
-0000040564 00000 n
-0000481173 00000 n
-0000002572 00000 n
-0000002618 00000 n
-0000040690 00000 n
-0000481055 00000 n
-0000002672 00000 n
-0000002739 00000 n
-0000043869 00000 n
-0000480976 00000 n
-0000002798 00000 n
-0000002842 00000 n
-0000043995 00000 n
-0000480897 00000 n
-0000002901 00000 n
-0000002949 00000 n
-0000053818 00000 n
-0000480818 00000 n
-0000003003 00000 n
-0000003036 00000 n
-0000057084 00000 n
-0000480686 00000 n
-0000003083 00000 n
-0000003126 00000 n
-0000057210 00000 n
-0000480607 00000 n
-0000003175 00000 n
-0000003205 00000 n
-0000057336 00000 n
-0000480475 00000 n
-0000003254 00000 n
-0000003292 00000 n
-0000057461 00000 n
-0000480410 00000 n
-0000003346 00000 n
-0000003388 00000 n
-0000061908 00000 n
-0000480317 00000 n
-0000003437 00000 n
-0000003496 00000 n
-0000062034 00000 n
-0000480224 00000 n
-0000003545 00000 n
-0000003578 00000 n
-0000068735 00000 n
-0000480092 00000 n
-0000003627 00000 n
-0000003655 00000 n
-0000068861 00000 n
-0000479974 00000 n
-0000003709 00000 n
-0000003778 00000 n
-0000068987 00000 n
-0000479895 00000 n
-0000003837 00000 n
-0000003885 00000 n
-0000069113 00000 n
-0000479816 00000 n
-0000003944 00000 n
-0000003989 00000 n
-0000072115 00000 n
-0000479723 00000 n
-0000004043 00000 n
-0000004111 00000 n
-0000072241 00000 n
-0000479630 00000 n
-0000004165 00000 n
-0000004235 00000 n
-0000072367 00000 n
-0000479537 00000 n
-0000004289 00000 n
-0000004352 00000 n
-0000072493 00000 n
-0000479444 00000 n
-0000004406 00000 n
-0000004461 00000 n
-0000076214 00000 n
-0000479365 00000 n
-0000004515 00000 n
-0000004547 00000 n
-0000076340 00000 n
-0000479272 00000 n
-0000004596 00000 n
-0000004624 00000 n
-0000076465 00000 n
-0000479179 00000 n
-0000004673 00000 n
-0000004705 00000 n
-0000076591 00000 n
-0000479047 00000 n
-0000004754 00000 n
-0000004784 00000 n
-0000080038 00000 n
-0000478968 00000 n
-0000004838 00000 n
-0000004879 00000 n
-0000080163 00000 n
-0000478875 00000 n
-0000004933 00000 n
-0000004975 00000 n
-0000080289 00000 n
-0000478796 00000 n
-0000005029 00000 n
-0000005074 00000 n
-0000082997 00000 n
-0000478678 00000 n
-0000005123 00000 n
-0000005169 00000 n
-0000083123 00000 n
-0000478599 00000 n
-0000005223 00000 n
-0000005283 00000 n
-0000083249 00000 n
-0000478520 00000 n
-0000005337 00000 n
-0000005406 00000 n
-0000086059 00000 n
-0000478387 00000 n
-0000005453 00000 n
-0000005506 00000 n
-0000086185 00000 n
-0000478308 00000 n
-0000005555 00000 n
-0000005611 00000 n
-0000086311 00000 n
-0000478229 00000 n
-0000005660 00000 n
-0000005709 00000 n
-0000090413 00000 n
-0000478096 00000 n
-0000005756 00000 n
-0000005808 00000 n
-0000090539 00000 n
-0000477978 00000 n
-0000005857 00000 n
-0000005908 00000 n
-0000094681 00000 n
-0000477860 00000 n
-0000005962 00000 n
-0000006007 00000 n
-0000094806 00000 n
-0000477781 00000 n
-0000006066 00000 n
-0000006100 00000 n
-0000094931 00000 n
-0000477702 00000 n
-0000006159 00000 n
-0000006207 00000 n
-0000098209 00000 n
-0000477584 00000 n
-0000006261 00000 n
-0000006301 00000 n
-0000098335 00000 n
-0000477505 00000 n
-0000006360 00000 n
-0000006394 00000 n
-0000098461 00000 n
-0000477426 00000 n
-0000006453 00000 n
-0000006501 00000 n
-0000102189 00000 n
-0000477293 00000 n
-0000006550 00000 n
-0000006600 00000 n
-0000105995 00000 n
-0000477214 00000 n
-0000006654 00000 n
-0000006701 00000 n
-0000106121 00000 n
-0000477121 00000 n
-0000006755 00000 n
-0000006815 00000 n
-0000106371 00000 n
-0000477028 00000 n
-0000006869 00000 n
-0000006921 00000 n
-0000106497 00000 n
-0000476935 00000 n
-0000006975 00000 n
-0000007040 00000 n
-0000111147 00000 n
-0000476842 00000 n
-0000007094 00000 n
-0000007145 00000 n
-0000111273 00000 n
-0000476749 00000 n
-0000007199 00000 n
-0000007263 00000 n
-0000111399 00000 n
-0000476656 00000 n
-0000007317 00000 n
-0000007364 00000 n
-0000111525 00000 n
-0000476563 00000 n
-0000007418 00000 n
-0000007478 00000 n
-0000114467 00000 n
-0000476470 00000 n
-0000007532 00000 n
-0000007583 00000 n
-0000114593 00000 n
-0000476338 00000 n
-0000007638 00000 n
-0000007703 00000 n
-0000114719 00000 n
-0000476259 00000 n
-0000007763 00000 n
-0000007810 00000 n
-0000125127 00000 n
-0000476180 00000 n
-0000007870 00000 n
-0000007918 00000 n
-0000128845 00000 n
-0000476087 00000 n
-0000007973 00000 n
-0000008023 00000 n
-0000128971 00000 n
-0000475994 00000 n
-0000008078 00000 n
-0000008141 00000 n
-0000130711 00000 n
-0000475901 00000 n
-0000008196 00000 n
-0000008248 00000 n
-0000130837 00000 n
-0000475808 00000 n
-0000008303 00000 n
-0000008368 00000 n
-0000130963 00000 n
-0000475715 00000 n
-0000008423 00000 n
-0000008475 00000 n
-0000136313 00000 n
-0000475582 00000 n
-0000008530 00000 n
-0000008595 00000 n
-0000140379 00000 n
-0000475503 00000 n
-0000008655 00000 n
-0000008699 00000 n
-0000159492 00000 n
-0000475410 00000 n
-0000008759 00000 n
-0000008798 00000 n
-0000159618 00000 n
-0000475317 00000 n
-0000008858 00000 n
-0000008905 00000 n
-0000159743 00000 n
-0000475224 00000 n
-0000008965 00000 n
-0000009008 00000 n
-0000163657 00000 n
-0000475131 00000 n
-0000009068 00000 n
-0000009107 00000 n
-0000166745 00000 n
-0000475038 00000 n
-0000009167 00000 n
-0000009209 00000 n
-0000166871 00000 n
-0000474945 00000 n
-0000009269 00000 n
-0000009312 00000 n
-0000174775 00000 n
-0000474852 00000 n
-0000009372 00000 n
-0000009419 00000 n
-0000174899 00000 n
-0000474759 00000 n
-0000009479 00000 n
-0000009540 00000 n
-0000178845 00000 n
-0000474666 00000 n
-0000009601 00000 n
-0000009653 00000 n
-0000178971 00000 n
-0000474573 00000 n
-0000009714 00000 n
-0000009767 00000 n
-0000181984 00000 n
-0000474480 00000 n
-0000009828 00000 n
-0000009866 00000 n
-0000185943 00000 n
-0000474387 00000 n
-0000009927 00000 n
-0000009979 00000 n
-0000189321 00000 n
-0000474294 00000 n
-0000010040 00000 n
-0000010084 00000 n
-0000189579 00000 n
-0000474201 00000 n
-0000010145 00000 n
-0000010181 00000 n
-0000194073 00000 n
-0000474108 00000 n
-0000010242 00000 n
-0000010305 00000 n
-0000197229 00000 n
-0000474029 00000 n
-0000010366 00000 n
-0000010415 00000 n
-0000197486 00000 n
-0000473936 00000 n
-0000010470 00000 n
-0000010521 00000 n
-0000197615 00000 n
-0000473843 00000 n
-0000010576 00000 n
-0000010640 00000 n
-0000202325 00000 n
-0000473750 00000 n
-0000010695 00000 n
-0000010752 00000 n
-0000202454 00000 n
-0000473657 00000 n
-0000010807 00000 n
-0000010877 00000 n
-0000206017 00000 n
-0000473564 00000 n
-0000010932 00000 n
-0000010981 00000 n
-0000206146 00000 n
-0000473471 00000 n
-0000011036 00000 n
-0000011098 00000 n
-0000207911 00000 n
-0000473378 00000 n
-0000011153 00000 n
-0000011202 00000 n
-0000211360 00000 n
-0000473260 00000 n
-0000011257 00000 n
-0000011319 00000 n
-0000211489 00000 n
-0000473181 00000 n
-0000011379 00000 n
-0000011418 00000 n
-0000216452 00000 n
-0000473088 00000 n
-0000011478 00000 n
-0000011512 00000 n
-0000216581 00000 n
-0000472995 00000 n
-0000011572 00000 n
-0000011613 00000 n
-0000226764 00000 n
-0000472916 00000 n
-0000011673 00000 n
-0000011725 00000 n
-0000230938 00000 n
-0000472798 00000 n
-0000011774 00000 n
-0000011807 00000 n
-0000231067 00000 n
-0000472680 00000 n
-0000011861 00000 n
-0000011933 00000 n
-0000231195 00000 n
-0000472601 00000 n
-0000011992 00000 n
-0000012036 00000 n
-0000238969 00000 n
-0000472522 00000 n
-0000012095 00000 n
-0000012148 00000 n
-0000242553 00000 n
-0000472429 00000 n
-0000012202 00000 n
-0000012252 00000 n
-0000245916 00000 n
-0000472336 00000 n
-0000012306 00000 n
-0000012344 00000 n
-0000246174 00000 n
-0000472243 00000 n
-0000012398 00000 n
-0000012447 00000 n
-0000246432 00000 n
-0000472111 00000 n
-0000012501 00000 n
-0000012553 00000 n
-0000246561 00000 n
-0000472032 00000 n
-0000012612 00000 n
-0000012664 00000 n
-0000249442 00000 n
-0000471939 00000 n
-0000012723 00000 n
-0000012776 00000 n
-0000249571 00000 n
-0000471860 00000 n
-0000012835 00000 n
-0000012884 00000 n
-0000249700 00000 n
-0000471781 00000 n
-0000012938 00000 n
-0000013018 00000 n
-0000255562 00000 n
-0000471648 00000 n
-0000013065 00000 n
-0000013117 00000 n
-0000255691 00000 n
-0000471569 00000 n
-0000013166 00000 n
-0000013210 00000 n
-0000259402 00000 n
-0000471437 00000 n
-0000013259 00000 n
-0000013321 00000 n
-0000259531 00000 n
-0000471358 00000 n
-0000013375 00000 n
-0000013423 00000 n
-0000259660 00000 n
-0000471279 00000 n
-0000013477 00000 n
-0000013528 00000 n
-0000259789 00000 n
-0000471200 00000 n
-0000013577 00000 n
-0000013624 00000 n
-0000262719 00000 n
-0000471067 00000 n
-0000013671 00000 n
-0000013708 00000 n
-0000262848 00000 n
-0000470949 00000 n
-0000013757 00000 n
-0000013796 00000 n
-0000262977 00000 n
-0000470884 00000 n
-0000013850 00000 n
-0000013928 00000 n
-0000263106 00000 n
-0000470791 00000 n
-0000013977 00000 n
-0000014044 00000 n
-0000263235 00000 n
-0000470712 00000 n
-0000014093 00000 n
-0000014138 00000 n
-0000266737 00000 n
-0000470593 00000 n
-0000014186 00000 n
-0000014218 00000 n
-0000266866 00000 n
-0000470475 00000 n
-0000014267 00000 n
-0000014306 00000 n
-0000266995 00000 n
-0000470410 00000 n
-0000014360 00000 n
-0000014421 00000 n
-0000271002 00000 n
-0000470278 00000 n
-0000014470 00000 n
-0000014527 00000 n
-0000271131 00000 n
-0000470213 00000 n
-0000014581 00000 n
-0000014630 00000 n
-0000271519 00000 n
-0000470095 00000 n
-0000014679 00000 n
-0000014741 00000 n
-0000271648 00000 n
-0000470016 00000 n
-0000014795 00000 n
-0000014850 00000 n
-0000284749 00000 n
-0000469923 00000 n
-0000014904 00000 n
-0000014945 00000 n
-0000285811 00000 n
-0000469844 00000 n
-0000014999 00000 n
-0000015051 00000 n
-0000015405 00000 n
-0000015653 00000 n
-0000015104 00000 n
-0000015527 00000 n
-0000015590 00000 n
-0000466703 00000 n
-0000441039 00000 n
-0000466529 00000 n
-0000439990 00000 n
-0000414055 00000 n
-0000439816 00000 n
-0000467708 00000 n
-0000016305 00000 n
-0000016120 00000 n
-0000015738 00000 n
-0000016242 00000 n
-0000413370 00000 n
-0000411224 00000 n
-0000413206 00000 n
-0000019484 00000 n
-0000018674 00000 n
-0000016390 00000 n
-0000018796 00000 n
-0000018920 00000 n
-0000019045 00000 n
-0000019170 00000 n
-0000410370 00000 n
-0000390012 00000 n
-0000410196 00000 n
-0000019295 00000 n
-0000019358 00000 n
-0000019421 00000 n
-0000389071 00000 n
-0000369672 00000 n
-0000388898 00000 n
-0000368945 00000 n
-0000352561 00000 n
-0000368772 00000 n
-0000024167 00000 n
-0000022985 00000 n
-0000019608 00000 n
-0000023479 00000 n
-0000352026 00000 n
-0000335109 00000 n
-0000351842 00000 n
-0000023542 00000 n
-0000023605 00000 n
-0000023729 00000 n
-0000023854 00000 n
-0000023979 00000 n
-0000023135 00000 n
-0000023328 00000 n
-0000024104 00000 n
-0000231131 00000 n
-0000271712 00000 n
-0000028690 00000 n
-0000027655 00000 n
-0000024291 00000 n
-0000028127 00000 n
-0000028252 00000 n
-0000027805 00000 n
-0000027967 00000 n
-0000028377 00000 n
-0000028502 00000 n
-0000028627 00000 n
-0000043932 00000 n
-0000031848 00000 n
-0000031289 00000 n
-0000028814 00000 n
-0000031411 00000 n
-0000031536 00000 n
-0000031661 00000 n
-0000031785 00000 n
-0000034734 00000 n
-0000033927 00000 n
-0000031959 00000 n
-0000034049 00000 n
-0000034174 00000 n
-0000034299 00000 n
-0000034424 00000 n
-0000034546 00000 n
-0000034671 00000 n
-0000467826 00000 n
-0000035770 00000 n
-0000035460 00000 n
-0000034819 00000 n
-0000035582 00000 n
-0000035707 00000 n
-0000037823 00000 n
-0000037138 00000 n
-0000035868 00000 n
-0000037260 00000 n
-0000037385 00000 n
-0000037509 00000 n
-0000037634 00000 n
-0000037760 00000 n
-0000040816 00000 n
-0000039949 00000 n
-0000037921 00000 n
-0000040250 00000 n
-0000040376 00000 n
-0000040439 00000 n
-0000040501 00000 n
-0000040091 00000 n
-0000040627 00000 n
-0000040753 00000 n
-0000189385 00000 n
-0000044121 00000 n
-0000043684 00000 n
-0000040927 00000 n
-0000043806 00000 n
-0000334582 00000 n
-0000325273 00000 n
-0000334405 00000 n
-0000044058 00000 n
-0000047626 00000 n
-0000047441 00000 n
-0000044245 00000 n
-0000047563 00000 n
-0000324830 00000 n
-0000318031 00000 n
-0000324653 00000 n
-0000051895 00000 n
-0000051505 00000 n
-0000047789 00000 n
-0000051832 00000 n
-0000051647 00000 n
-0000467944 00000 n
-0000106560 00000 n
-0000054068 00000 n
-0000053633 00000 n
-0000052032 00000 n
-0000053755 00000 n
-0000053881 00000 n
-0000053942 00000 n
-0000054005 00000 n
-0000057587 00000 n
-0000056549 00000 n
-0000054192 00000 n
-0000057021 00000 n
-0000057147 00000 n
-0000057273 00000 n
-0000056699 00000 n
-0000056860 00000 n
-0000057398 00000 n
-0000057524 00000 n
-0000140442 00000 n
-0000166934 00000 n
-0000062160 00000 n
-0000061369 00000 n
-0000057685 00000 n
-0000061845 00000 n
-0000061971 00000 n
-0000061519 00000 n
-0000061684 00000 n
-0000062097 00000 n
-0000276260 00000 n
-0000064989 00000 n
-0000064617 00000 n
-0000062310 00000 n
-0000064926 00000 n
-0000064759 00000 n
-0000066145 00000 n
-0000065960 00000 n
-0000065113 00000 n
-0000066082 00000 n
-0000069239 00000 n
-0000068550 00000 n
-0000066243 00000 n
-0000068672 00000 n
-0000068798 00000 n
-0000068924 00000 n
-0000069050 00000 n
-0000069176 00000 n
-0000468062 00000 n
-0000072619 00000 n
-0000071742 00000 n
-0000069376 00000 n
-0000072052 00000 n
-0000072178 00000 n
-0000072304 00000 n
-0000072430 00000 n
-0000072556 00000 n
-0000071884 00000 n
-0000226828 00000 n
-0000076716 00000 n
-0000076029 00000 n
-0000072756 00000 n
-0000076151 00000 n
-0000076277 00000 n
-0000076403 00000 n
-0000076528 00000 n
-0000076653 00000 n
-0000317678 00000 n
-0000315683 00000 n
-0000317515 00000 n
-0000080413 00000 n
-0000079853 00000 n
-0000076853 00000 n
-0000079975 00000 n
-0000080100 00000 n
-0000080226 00000 n
-0000080350 00000 n
-0000083375 00000 n
-0000082633 00000 n
-0000080537 00000 n
-0000082934 00000 n
-0000083060 00000 n
-0000082775 00000 n
-0000083186 00000 n
-0000083312 00000 n
-0000271195 00000 n
-0000083833 00000 n
-0000083648 00000 n
-0000083499 00000 n
-0000083770 00000 n
-0000086437 00000 n
-0000085874 00000 n
-0000083874 00000 n
-0000085996 00000 n
-0000086122 00000 n
-0000086248 00000 n
-0000086374 00000 n
-0000468180 00000 n
-0000086869 00000 n
-0000086684 00000 n
-0000086535 00000 n
-0000086806 00000 n
-0000090790 00000 n
-0000090042 00000 n
-0000086910 00000 n
-0000090350 00000 n
-0000090476 00000 n
-0000090601 00000 n
-0000090664 00000 n
-0000090727 00000 n
-0000090184 00000 n
-0000094744 00000 n
-0000095057 00000 n
-0000094496 00000 n
-0000090888 00000 n
-0000094618 00000 n
-0000094868 00000 n
-0000094994 00000 n
-0000098587 00000 n
-0000098024 00000 n
-0000095194 00000 n
-0000098146 00000 n
-0000098272 00000 n
-0000098398 00000 n
-0000098524 00000 n
-0000101201 00000 n
-0000102440 00000 n
-0000101079 00000 n
-0000098698 00000 n
-0000102126 00000 n
-0000314870 00000 n
-0000306196 00000 n
-0000314698 00000 n
-0000102252 00000 n
-0000102315 00000 n
-0000102378 00000 n
-0000106623 00000 n
-0000105810 00000 n
-0000102592 00000 n
-0000105932 00000 n
-0000106058 00000 n
-0000106182 00000 n
-0000106245 00000 n
-0000106308 00000 n
-0000106434 00000 n
-0000468298 00000 n
-0000111651 00000 n
-0000110085 00000 n
-0000106734 00000 n
-0000111084 00000 n
-0000110259 00000 n
-0000110409 00000 n
-0000111210 00000 n
-0000111336 00000 n
-0000111462 00000 n
-0000111588 00000 n
-0000110567 00000 n
-0000110718 00000 n
-0000110902 00000 n
-0000286325 00000 n
-0000114845 00000 n
-0000114282 00000 n
-0000111788 00000 n
-0000114404 00000 n
-0000114530 00000 n
-0000114656 00000 n
-0000114782 00000 n
-0000119363 00000 n
-0000119178 00000 n
-0000114982 00000 n
-0000119300 00000 n
-0000122390 00000 n
-0000122020 00000 n
-0000119474 00000 n
-0000122327 00000 n
-0000122162 00000 n
-0000125190 00000 n
-0000125379 00000 n
-0000124942 00000 n
-0000122501 00000 n
-0000125064 00000 n
-0000125253 00000 n
-0000125316 00000 n
-0000129097 00000 n
-0000128329 00000 n
-0000125490 00000 n
-0000128782 00000 n
-0000128908 00000 n
-0000129034 00000 n
-0000128479 00000 n
-0000128630 00000 n
-0000468416 00000 n
-0000131089 00000 n
-0000130526 00000 n
-0000129208 00000 n
-0000130648 00000 n
-0000130774 00000 n
-0000130900 00000 n
-0000131026 00000 n
-0000132625 00000 n
-0000132440 00000 n
-0000131200 00000 n
-0000132562 00000 n
-0000136439 00000 n
-0000136128 00000 n
-0000132723 00000 n
-0000136250 00000 n
-0000136376 00000 n
-0000140505 00000 n
-0000140019 00000 n
-0000136563 00000 n
-0000140316 00000 n
-0000140161 00000 n
-0000197293 00000 n
-0000144437 00000 n
-0000144127 00000 n
-0000140629 00000 n
-0000144249 00000 n
-0000144312 00000 n
-0000144374 00000 n
-0000148409 00000 n
-0000151142 00000 n
-0000148227 00000 n
-0000144561 00000 n
-0000151079 00000 n
-0000150045 00000 n
-0000150198 00000 n
-0000150354 00000 n
-0000150538 00000 n
-0000150711 00000 n
-0000150895 00000 n
-0000468534 00000 n
-0000149877 00000 n
-0000149934 00000 n
-0000150023 00000 n
-0000197679 00000 n
-0000155337 00000 n
-0000155152 00000 n
-0000151320 00000 n
-0000155274 00000 n
-0000159869 00000 n
-0000158946 00000 n
-0000155461 00000 n
-0000159429 00000 n
-0000159555 00000 n
-0000159096 00000 n
-0000159681 00000 n
-0000159806 00000 n
-0000159264 00000 n
-0000207975 00000 n
-0000163782 00000 n
-0000163282 00000 n
-0000159980 00000 n
-0000163594 00000 n
-0000163424 00000 n
-0000163720 00000 n
-0000259852 00000 n
-0000166997 00000 n
-0000166560 00000 n
-0000163906 00000 n
-0000166682 00000 n
-0000166808 00000 n
-0000305670 00000 n
-0000297780 00000 n
-0000305497 00000 n
-0000170997 00000 n
-0000170812 00000 n
-0000167162 00000 n
-0000170934 00000 n
-0000175025 00000 n
-0000174397 00000 n
-0000171108 00000 n
-0000174712 00000 n
-0000174836 00000 n
-0000174962 00000 n
-0000174539 00000 n
-0000468652 00000 n
-0000179097 00000 n
-0000178486 00000 n
-0000175190 00000 n
-0000178782 00000 n
-0000178908 00000 n
-0000178628 00000 n
-0000179034 00000 n
-0000182112 00000 n
-0000181794 00000 n
-0000179208 00000 n
-0000181919 00000 n
-0000182047 00000 n
-0000186072 00000 n
-0000185406 00000 n
-0000182278 00000 n
-0000185878 00000 n
-0000186007 00000 n
-0000185561 00000 n
-0000185723 00000 n
-0000189708 00000 n
-0000188941 00000 n
-0000186184 00000 n
-0000189256 00000 n
-0000189087 00000 n
-0000189449 00000 n
-0000189514 00000 n
-0000189643 00000 n
-0000194202 00000 n
-0000193524 00000 n
-0000189874 00000 n
-0000194008 00000 n
-0000193679 00000 n
-0000194137 00000 n
-0000193841 00000 n
-0000206081 00000 n
-0000197742 00000 n
-0000197038 00000 n
-0000194368 00000 n
-0000197164 00000 n
-0000197357 00000 n
-0000197421 00000 n
-0000197550 00000 n
-0000468774 00000 n
-0000202583 00000 n
-0000201630 00000 n
-0000197854 00000 n
-0000202260 00000 n
-0000201795 00000 n
-0000201945 00000 n
-0000202389 00000 n
-0000202518 00000 n
-0000202107 00000 n
-0000206275 00000 n
-0000205826 00000 n
-0000202695 00000 n
-0000205952 00000 n
-0000206210 00000 n
-0000208039 00000 n
-0000207720 00000 n
-0000206387 00000 n
-0000207846 00000 n
-0000211746 00000 n
-0000211169 00000 n
-0000208151 00000 n
-0000211295 00000 n
-0000211424 00000 n
-0000211553 00000 n
-0000211618 00000 n
-0000211683 00000 n
-0000216710 00000 n
-0000215208 00000 n
-0000211858 00000 n
-0000216387 00000 n
-0000216516 00000 n
-0000216645 00000 n
-0000215400 00000 n
-0000215562 00000 n
-0000215724 00000 n
-0000215886 00000 n
-0000216057 00000 n
-0000216227 00000 n
-0000221529 00000 n
-0000220300 00000 n
-0000216822 00000 n
-0000221464 00000 n
-0000220492 00000 n
-0000220655 00000 n
-0000220817 00000 n
-0000220979 00000 n
-0000221139 00000 n
-0000221301 00000 n
-0000468899 00000 n
-0000226892 00000 n
-0000224533 00000 n
-0000221654 00000 n
-0000226699 00000 n
-0000224779 00000 n
-0000224932 00000 n
-0000225094 00000 n
-0000225256 00000 n
-0000225418 00000 n
-0000225580 00000 n
-0000225742 00000 n
-0000225904 00000 n
-0000226066 00000 n
-0000226220 00000 n
-0000226381 00000 n
-0000226536 00000 n
-0000231452 00000 n
-0000230255 00000 n
-0000227017 00000 n
-0000230743 00000 n
-0000230808 00000 n
-0000230873 00000 n
-0000231002 00000 n
-0000231259 00000 n
-0000230411 00000 n
-0000230581 00000 n
-0000231324 00000 n
-0000231388 00000 n
-0000235060 00000 n
-0000234739 00000 n
-0000231577 00000 n
-0000234865 00000 n
-0000234930 00000 n
-0000234995 00000 n
-0000239098 00000 n
-0000238648 00000 n
-0000235159 00000 n
-0000238774 00000 n
-0000238839 00000 n
-0000238904 00000 n
-0000239033 00000 n
-0000242812 00000 n
-0000242102 00000 n
-0000239223 00000 n
-0000242228 00000 n
-0000242293 00000 n
-0000242358 00000 n
-0000242423 00000 n
-0000242488 00000 n
-0000242617 00000 n
-0000242682 00000 n
-0000242747 00000 n
-0000246688 00000 n
-0000245725 00000 n
-0000242937 00000 n
-0000245851 00000 n
-0000245980 00000 n
-0000246045 00000 n
-0000246110 00000 n
-0000246238 00000 n
-0000246302 00000 n
-0000246367 00000 n
-0000246496 00000 n
-0000246624 00000 n
-0000469024 00000 n
-0000249829 00000 n
-0000249251 00000 n
-0000246880 00000 n
-0000249377 00000 n
-0000249506 00000 n
-0000249635 00000 n
-0000249764 00000 n
-0000252798 00000 n
-0000252477 00000 n
-0000250021 00000 n
-0000252603 00000 n
-0000252668 00000 n
-0000252733 00000 n
-0000253251 00000 n
-0000253060 00000 n
-0000252910 00000 n
-0000253186 00000 n
-0000255820 00000 n
-0000254911 00000 n
-0000253293 00000 n
-0000255497 00000 n
-0000255626 00000 n
-0000255755 00000 n
-0000255067 00000 n
-0000255282 00000 n
-0000259916 00000 n
-0000259211 00000 n
-0000255945 00000 n
-0000259337 00000 n
-0000297459 00000 n
-0000288246 00000 n
-0000297273 00000 n
-0000259466 00000 n
-0000259595 00000 n
-0000259724 00000 n
-0000263363 00000 n
-0000262137 00000 n
-0000260081 00000 n
-0000262654 00000 n
-0000262783 00000 n
-0000262912 00000 n
-0000263041 00000 n
-0000263170 00000 n
-0000263299 00000 n
-0000262293 00000 n
-0000262465 00000 n
-0000469149 00000 n
-0000263816 00000 n
-0000263625 00000 n
-0000263475 00000 n
-0000263751 00000 n
-0000267124 00000 n
-0000266546 00000 n
-0000263858 00000 n
-0000266672 00000 n
-0000266801 00000 n
-0000266930 00000 n
-0000267059 00000 n
-0000271776 00000 n
-0000270426 00000 n
-0000267210 00000 n
-0000270937 00000 n
-0000271066 00000 n
-0000271259 00000 n
-0000271324 00000 n
-0000271389 00000 n
-0000271454 00000 n
-0000271583 00000 n
-0000270582 00000 n
-0000270760 00000 n
-0000278658 00000 n
-0000274598 00000 n
-0000271927 00000 n
-0000274772 00000 n
-0000275480 00000 n
-0000274950 00000 n
-0000275128 00000 n
-0000275304 00000 n
-0000275545 00000 n
-0000275610 00000 n
-0000275675 00000 n
-0000275740 00000 n
-0000275805 00000 n
-0000275870 00000 n
-0000275935 00000 n
-0000276000 00000 n
-0000276065 00000 n
-0000276130 00000 n
-0000276195 00000 n
-0000276324 00000 n
-0000276389 00000 n
-0000276454 00000 n
-0000276519 00000 n
-0000276584 00000 n
-0000276648 00000 n
-0000276713 00000 n
-0000276777 00000 n
-0000276842 00000 n
-0000276907 00000 n
-0000276972 00000 n
-0000277037 00000 n
-0000277101 00000 n
-0000277166 00000 n
-0000277231 00000 n
-0000277296 00000 n
-0000277361 00000 n
-0000277426 00000 n
-0000277491 00000 n
-0000277555 00000 n
-0000277620 00000 n
-0000277685 00000 n
-0000277750 00000 n
-0000277815 00000 n
-0000277880 00000 n
-0000277945 00000 n
-0000278010 00000 n
-0000278075 00000 n
-0000278140 00000 n
-0000278205 00000 n
-0000278270 00000 n
-0000278335 00000 n
-0000278400 00000 n
-0000278465 00000 n
-0000278530 00000 n
-0000278594 00000 n
-0000284877 00000 n
-0000281570 00000 n
-0000278809 00000 n
-0000281696 00000 n
-0000281761 00000 n
-0000281826 00000 n
-0000281891 00000 n
-0000281956 00000 n
-0000282021 00000 n
-0000282085 00000 n
-0000282150 00000 n
-0000282215 00000 n
-0000282280 00000 n
-0000282345 00000 n
-0000282410 00000 n
-0000282475 00000 n
-0000282540 00000 n
-0000282605 00000 n
-0000282670 00000 n
-0000282735 00000 n
-0000282800 00000 n
-0000282865 00000 n
-0000282930 00000 n
-0000282995 00000 n
-0000283060 00000 n
-0000283125 00000 n
-0000283190 00000 n
-0000283254 00000 n
-0000283319 00000 n
-0000283384 00000 n
-0000283449 00000 n
-0000283514 00000 n
-0000283579 00000 n
-0000283644 00000 n
-0000283709 00000 n
-0000283774 00000 n
-0000283839 00000 n
-0000283904 00000 n
-0000283969 00000 n
-0000284034 00000 n
-0000284099 00000 n
-0000284164 00000 n
-0000284229 00000 n
-0000284294 00000 n
-0000284359 00000 n
-0000284424 00000 n
-0000284489 00000 n
-0000284554 00000 n
-0000284619 00000 n
-0000284684 00000 n
-0000284813 00000 n
-0000286200 00000 n
-0000285620 00000 n
-0000284989 00000 n
-0000285746 00000 n
-0000285875 00000 n
-0000285940 00000 n
-0000286005 00000 n
-0000286070 00000 n
-0000286135 00000 n
-0000469274 00000 n
-0000286357 00000 n
-0000297701 00000 n
-0000305945 00000 n
-0000315264 00000 n
-0000317923 00000 n
-0000317892 00000 n
-0000325072 00000 n
-0000334868 00000 n
-0000352366 00000 n
-0000369353 00000 n
-0000389635 00000 n
-0000410774 00000 n
-0000413857 00000 n
-0000413627 00000 n
-0000440544 00000 n
-0000467222 00000 n
-0000469354 00000 n
-0000469474 00000 n
-0000469597 00000 n
-0000469686 00000 n
-0000469768 00000 n
-0000483639 00000 n
-0000495601 00000 n
-0000495642 00000 n
-0000495682 00000 n
-0000495816 00000 n
-trailer
-<<
-/Size 1362
-/Root 1360 0 R
-/Info 1361 0 R
-/ID [<398C74303A70323E9600C964366A931D> <398C74303A70323E9600C964366A931D>]
->>
-startxref
-496080
-%%EOF
diff --git a/contrib/bind9/doc/arm/Makefile.in b/contrib/bind9/doc/arm/Makefile.in
deleted file mode 100644
index 88a54e30a542..000000000000
--- a/contrib/bind9/doc/arm/Makefile.in
+++ /dev/null
@@ -1,63 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.8.2.2.8.5 2005/05/13 01:22:35 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_MAKE_RULES@
-
-MANOBJS = Bv9ARM.html
-
-PDFOBJS = Bv9ARM.pdf
-
-distclean::
- rm -f validate.sh
- rm -f nominum-docbook-html.dsl nominum-docbook-print.dsl
- rm -f HTML.index HTML.manifest
-
-doc man:: ${MANOBJS} ${PDFOBJS}
-
-clean::
- rm -f Bv9ARM.aux Bv9ARM.brf Bv9ARM.glo Bv9ARM.idx
- rm -f Bv9ARM.log Bv9ARM.out Bv9ARM.tex Bv9ARM.tex.tmp
-
-docclean manclean maintainer-clean:: clean
- rm -f *.html *.pdf
-
-Bv9ARM.html: Bv9ARM-book.xml
- ${XSLTPROC} --stringparam root.filename Bv9ARM \
- ${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl \
- Bv9ARM-book.xml
-
-Bv9ARM.tex: Bv9ARM-book.xml
- ${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl Bv9ARM-book.xml | \
- ${XSLTPROC} ${top_srcdir}/doc/xsl/isc-docbook-latex.xsl - | \
- @PERL@ latex-fixup.pl >$@.tmp
- if test -s $@.tmp; then mv $@.tmp $@; else rm -f $@.tmp; exit 1; fi
-
-Bv9ARM.dvi: Bv9ARM.tex
- rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
- ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${LATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
-
-Bv9ARM.pdf: Bv9ARM.tex
- rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
- ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
- ${PDFLATEX} '\batchmode\input Bv9ARM.tex' || rm -f $@
diff --git a/contrib/bind9/doc/arm/README-SGML b/contrib/bind9/doc/arm/README-SGML
deleted file mode 100644
index 8e7bc4ebd849..000000000000
--- a/contrib/bind9/doc/arm/README-SGML
+++ /dev/null
@@ -1,329 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-The BIND v9 ARM master document is now kept in DocBook XML format.
-
-Version: $Id: README-SGML,v 1.16.206.1 2004/03/06 13:16:14 marka Exp $
-
-The entire ARM is in the single file:
-
- Bv9ARM-book.xml
-
-All of the other documents - HTML, PDF, etc - are generated from this
-master source.
-
-This file attempts to describe what tools are necessary for the
-maintenance of this document as well as the generation of the
-alternate formats of this document.
-
-This file will also spend a very little time describing the XML and
-SGML headers so you can understand a bit what you may need to do to be
-able to work with this document in any fashion other than simply
-editing it.
-
-We will spend almost no time on the actual tags and how to write an
-XML DocBook compliant document. If you are at all familiar with SGML
-or HTML it will be very evident. You only need to know what the tags
-are and how to use them. You can find a good resource either for this
-either online or in printed form:
-
- DocBook: The Definitive Guide
- By Norman Walsh and Leonard Muellner
- ISBN: 156592-580-7
- 1st Edition, October 1999
- Copyright (C) 1999 by O'Reilly & Associates, Inc. All rights reserved.
-
-The book is available online in HTML format:
-
- http://docbook.org/
-
-and buried in:
-
- http://www.nwalsh.com/docbook/defguide/index.html
-
-A lot of useful stuff is at NWalsh's site in general. You may also
-want to look at:
-
- http://www.xml.com/
-
-The BIND v9 ARM is based on the XML 4.0 DocBook DTD. Every XML and
-SGML document begins with a prefix that tells where to find the file
-that describes the meaning and structure of the tags used in the rest
-of the document.
-
-For our XML DocBook 4.0 based document this prefix looks like this:
-
- <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "/usr/local/share/xml/dtd/docbook/docbookx.dtd">
-
-This "DOCTYPE" statement has three parts, of which we are only using
-two:
-
-o The highest level term that represents this document (in this case
- it is "book"
-
-o The identifier that tells us which DTD to use. This identifier has
- two parts, the "Formal Public Identifier" (or FPI) and the system
- identifier. In SGML you can have either a FPI or a SYSTEM identifier
- but you have to have at least one of them. In XML you have to have a
- SYSTEM identifier.
-
-FP & SYSTEM identifiers - These are names/lookups for the actual
-DTD. The FPI is a globally unique name that should, on a properly
-configured system, tell you exactly what DTD to use. The SYSTEM
-identifier gives an absolute location for the DTD. In XML these are
-supposed to be properly formatted URL's.
-
-SGML has these things called "catalogs" that are files that map FPI's
-in to actual files. A "catalog" can also be used to remap a SYSTEM
-identifier so you can say something like: "http://www.oasis.org/foo"
-is actually "/usr/local/share/xml/foo.dtd"
-
-When you use various SGML/XML tools they need to be configured to look
-at the same "catalog" files so that as you move from tool to tool they
-all refer to the same DTD for the same document.
-
-We will be spending most of our configuration time making sure our
-tools use the same "catalog" files and that we have the same DTD's
-installed on our machines. XML's requirement of the SYSTEM identifier
-over the FPI will probably lead to more problems as it does not
-guarantee that everyone is using the same DTD.
-
-I did my initial work with the "sgmltools" the XML 4.0 DocBook DTD and
-"jade" or "openjade."
-
-You can get the 4.0 XML DocBook DTD from:
-
- http://www.docbook.org/xml/4.0/
-
-(download the .zip file.) NOTE: We will eventually be changing the
-SYSTEM identifier to the recommended value of:
-
- http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd
-
-NOTE: Under FreeBSD this is the package:
-
- /usr/ports/textproc/docbook-xml
-
-NetBSD instructions are coming soon.
-
-With packages listed below installed under FreeBSD the "catalog" file
-that all the tools refer to at least one is in:
-
- /usr/local/share/sgml/catalog
-
-In order for our SYSTEM identifier for the XML DocBook dtd to be found
-I create a new catalog file at the top of the XML directory created on
-FreeBSD:
-
- /usr/local/share/xml/catalog
-
-This file has one line:
-
- SYSTEM "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" "/usr/local/share/xml/dtd/docbook/docbookx.dtd"
-
-Then in the main "catalog" I have it include this XML catalog:
-
- CATALOG "/usr/local/share/xml/catalog"
-
-
-On your systems you need to replace "/usr/local/share" with your
-prefix root (probably /usr/pkg under NetBSD.)
-
-NOTE: The URL used above is supposed to the be the proper one for this
-XML DocBook DTD... but there is nothing at that URL so you really do
-need the "SYSTEM" identifier mapping in your catalog (or make the
-SYSTEM identifier in your document refer to the real location of the
-file on your local system.)
-
-HOW TO VALIDATE A DOCUMENT:
-
-I use the sgmltools "nsgmls" document validator. Since we are using
-XML we need to use the XML declarations, which are installed as part
-of the modular DSSL style sheets:
-
- nsgmls -sv /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
- Bv9ARM-book.xml
-
-A convenient shell script "validate.sh" is now generated by configure
-to invoke the above command with the correct system-dependent paths.
-
-The SGML tools can be found at:
-
- ftp://ftp.us.sgmltools.org/pub/SGMLtools/v2.0/source/ \
- ftp://ftp.nllgg.nl/pub/SGMLtools/v2.0/source/
-
-FreeBSD package for these is:
-
- /usr/ports/textproc/sgmltools
-
-HOW TO RENDER A DOCUMENT AS HTML or TeX:
-
-o Generate html doc with:
-
- openjade -v -d ./nominum-docbook-html.dsl \
- -t sgml \
- /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
- Bv9ARM-book.xml
-
-A convenient shell script "genhtml.sh" is now generated by configure to
-invoke the above command with the correct system-dependent paths.
-
-On NetBSD there is no port for "openjade" however "jade" does still
-work. However you need to specify the "catalog" file to use for style
-sheets on the command line AND you need to have a default "catalog"
-mapping where to find various DTDs. It seems that "jade" installed out
-of the box on NetBSD does not use a globally defined "catalog" file
-for mapping PUBLIC identifiers in to SYSTEM identifiers.
-
-So you need to have a "catalog" file in your current working directory
-that has in it this: (these are probably more entries than you need!)
-
- CATALOG "/usr/pkg/share/sgml/iso8879/catalog"
- CATALOG "/usr/pkg/share/sgml/docbook/2.4.1/catalog"
- CATALOG "/usr/pkg/share/sgml/docbook/3.0/catalog"
- CATALOG "/usr/pkg/share/sgml/docbook/3.1/catalog"
- CATALOG "/usr/pkg/share/sgml/jade/catalog"
- CATALOG "/usr/local/share/xml/catalog"
-
-(These would all be "/usr/local" on FreeBSD)
-
-So the command for jade on NetBSD will look like this:
-
-jade -v -c /usr/pkg/share/sgml/catalog -t sgml \
- -d ./nominum-docbook-html.dsl \
- /usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
- ./Bv9ARM-book.xml
-
-Furthermore, since the style sheet subset we define has in it a hard
-coded path to the style sheet is based, it is actually generated by
-configure from a .in file so that it will contain the correct
-system-dependent path: where on FreeBSD the second line reads:
-
- <!ENTITY dbstyle SYSTEM "/usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
-
-On NetBSD it needs to read:
-
- <!ENTITY dbstyle SYSTEM "/usr/pkg/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
-
-NOTE: This is usually solved by having this style sheet modification
-be installed in a system directory and have it reference the style
-sheet it is based on via a relative path.
-
-o Generate TeX documentation:
-
-openjade -d ./nominum-docbook-print.dsl -t tex -v \
- /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
- Bv9ARM-book.xml
-
-If you have "jade" installed instead of "openjade" then use that as
-the command. There is little difference, openjade has some bug fixes
-and is in more active development.
-
-To convert the resulting TeX file in to a DVI file you need to do:
-
- tex "&jadetex" Bv9ARM-book.tex
-
-You can also directly generate the pdf file via:
-
- pdftex "&pdfjadetex" Bv9ARM-book.tex
-
-The scripts "genpdf.sh" and "gendvi." have been added to simply
-generating the PDF and DVI output. These substitute the correct paths
-of NetBSD & FreeBSD. You still need to have TeX, jadeTeX, and pdfTeX
-installed and configured properly for these to work.
-
-You will need to up both the "pool_size" and "hash_extra" variables in
-your texmf.cnf file and regenerate them. See below.
-
-You can see that I am using a DSSSL style sheet for DocBook. Actually
-two different ones - one for rendering html, and one for 'print'
-media.
-
-NOTE: For HTML we are using a Nominum DSSSL style instead of the
-default one (all it does is change the chunking to the chapter level
-and makes the files end with ".html" instead of ".htm" so far.) If you
-want to use the plain jane DSSSL style sheet replace the:
-
- -d ./nominum-docbook-html.dsl
-
-with
-
- -d /usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl
-
-This style sheet will attempt to reference the one above.
-
-I am currently working on fixing these up so that it works the same on
-our various systems. The main trick is knowing which DTD's and DSSSL
-stylesheets you have installed, installing the right ones, and
-configuring a CATALOG that refers to them in the same way. We will
-probably end up putting our CATALOG's in the same place and then we
-should be able to generate and validate our documents with a minimal
-number of command line arguments.
-
-When running these commands you will get a lot of messages about a
-bunch of general entities not being defined and having no default
-entity. You can ignore those for now.
-
-Also with the style sheets we have and jade as it is you will get
-messages about "xref to title" being unsupported. You can ignore these
-for now as well.
-
-=== Getting the various tools installed on FreeBSD
-(NetBSD coming soon..)
-
-o On freebsd you need to install the following packages:
- o print/teTeX
- o textproc/openjade
- o textproc/docbook
- o textproc/docbook-xml
- o textproc/dsssl-docbook-modular
- o textproc/dtd-catalogs
-
-o on freebsd you need to make some entities visible to the docbook xml
- dtd by making a symlink (can probably be done with a catalog too)
- ln -s /usr/local/share/xml/entity /usr/local/share/xml/dtd/docbook/ent
-
-o you may need to edit /usr/local/share/sgml/catalog and add the line:
-
- CATALOG "/usr/local/share/sgml/openjade/catalog"
-
-o add "hugelatex," Enlarge pool sizes, install the jadetex TeX driver
- file.
-
- cd /usr/local/share/texmf/web2c/
- sudo cp texmf.cnf texmf.cnf.bak
-
- o edit the lines in texmf.cnf with these keys to these values:
-
- main_memory = 1100000
- hash_extra = 15000
- pool_size = 500000
- string_vacancies = 45000
- max_strings = 55000
- pool_free = 47500
- nest_size = 500
- param_size = 1500
- save_size = 5000
- stack_size = 1500
-
- sudo tex -ini -progname=hugelatex -fmt=hugelatex latex.ltx
- sudo texconfig init
- sudo texhash
-
- o For the jadetex macros you will need I recommend you get a more
- current version than what is packaged with openjade or jade.
-
- Checkout http://www.tug.org/applications/jadetex/
-
- Unzip the file you get from there (should be jadetex-2.20 or
- newer.)
-
- In the directory you unzip:
-
- sudo make install
- sudo texhash
-
- NOTE: In the most uptodate "ports" for FreeBSD, jadetext is 2.20+
- so on this platform you should be set as of 2001.01.08.
diff --git a/contrib/bind9/doc/arm/isc.color.gif b/contrib/bind9/doc/arm/isc.color.gif
deleted file mode 100644
index 09c327cca65d..000000000000
--- a/contrib/bind9/doc/arm/isc.color.gif
+++ /dev/null
Binary files differ
diff --git a/contrib/bind9/doc/arm/nominum-docbook-html.dsl.in b/contrib/bind9/doc/arm/nominum-docbook-html.dsl.in
deleted file mode 100644
index 33fc938777a4..000000000000
--- a/contrib/bind9/doc/arm/nominum-docbook-html.dsl.in
+++ /dev/null
@@ -1,148 +0,0 @@
-<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
-<!ENTITY dbstyle SYSTEM "@HTMLSTYLE@" CDATA DSSSL>
-]>
-
-<style-sheet>
-<style-specification use="docbook">
-<style-specification-body>
-
-<!-- ;; your stuff goes here... -->
-
-(define %html-prefix%
- ;; Add the specified prefix to HTML output filenames
- "Bv9ARM.")
-
-(define %use-id-as-filename%
- ;; Use ID attributes as name for component HTML files?
- #t)
-
-(define %root-filename%
- ;; Name for the root HTML document
- "Bv9ARM")
-
-(define %section-autolabel%
- ;; REFENTRY section-autolabel
- ;; PURP Are sections enumerated?
- ;; DESC
- ;; If true, unlabeled sections will be enumerated.
- ;; /DESC
- ;; AUTHOR N/A
- ;; /REFENTRY
- #t)
-
-(define %html-ext%
- ;; REFENTRY html-ext
- ;; PURP Default extension for HTML output files
- ;; DESC
- ;; The default extension for HTML output files.
- ;; /DESC
- ;; AUTHOR N/A
- ;; /REFENTRY
- ".html")
-
-(define nochunks
- ;; REFENTRY nochunks
- ;; PURP Suppress chunking of output pages
- ;; DESC
- ;; If true, the entire source document is formatted as a single HTML
- ;; document and output on stdout.
- ;; (This option can conveniently be set with '-V nochunks' on the
- ;; Jade command line).
- ;; /DESC
- ;; AUTHOR N/A
- ;; /REFENTRY
- #f)
-
-(define rootchunk
- ;; REFENTRY rootchunk
- ;; PURP Make a chunk for the root element when nochunks is used
- ;; DESC
- ;; If true, a chunk will be created for the root element, even though
- ;; nochunks is specified. This option has no effect if nochunks is not
- ;; true.
- ;; (This option can conveniently be set with '-V rootchunk' on the
- ;; Jade command line).
- ;; /DESC
- ;; AUTHOR N/A
- ;; /REFENTRY
- #t)
-
-(define html-index
- ;; REFENTRY html-index
- ;; PURP HTML indexing?
- ;; DESC
- ;; Turns on HTML indexing. If true, then index data will be written
- ;; to the file defined by 'html-index-filename'. This data can be
- ;; collated and turned into a DocBook index with bin/collateindex.pl.
- ;; /DESC
- ;; AUTHOR N/A
- ;; /REFENTRY
- #t)
-
-(define html-manifest
- ;; REFENTRY html-manifest
- ;; PURP Write a manifest?
- ;; DESC
- ;; If not '#f' then the list of HTML files created by the stylesheet
- ;; will be written to the file named by 'html-manifest-filename'.
- ;; /DESC
- ;; AUTHOR N/A
- ;; /REFENTRY
- #t)
-
-(define (chunk-element-list)
- (list (normalize "preface")
- (normalize "chapter")
- (normalize "appendix")
- (normalize "article")
- (normalize "glossary")
- (normalize "bibliography")
- (normalize "index")
- (normalize "colophon")
- (normalize "setindex")
- (normalize "reference")
- (normalize "refentry")
- (normalize "part")
- (normalize "book") ;; just in case nothing else matches...
- (normalize "set") ;; sets are definitely chunks...
- ))
-
-;
-; Add some cell padding to tables so that they don't look so cramped
-; in Netscape.
-;
-; The following definition was cut-and-pasted from dbtable.dsl and the
-; single line containing the word CELLPADDING was added.
-;
-(element tgroup
- (let* ((wrapper (parent (current-node)))
- (frameattr (attribute-string (normalize "frame") wrapper))
- (pgwide (attribute-string (normalize "pgwide") wrapper))
- (footnotes (select-elements (descendants (current-node))
- (normalize "footnote")))
- (border (if (equal? frameattr (normalize "none"))
- '(("BORDER" "0"))
- '(("BORDER" "1"))))
- (width (if (equal? pgwide "1")
- (list (list "WIDTH" ($table-width$)))
- '()))
- (head (select-elements (children (current-node)) (normalize "thead")))
- (body (select-elements (children (current-node)) (normalize "tbody")))
- (feet (select-elements (children (current-node)) (normalize "tfoot"))))
- (make element gi: "TABLE"
- attributes: (append
- '(("CELLPADDING" "3"))
- border
- width
- (if %cals-table-class%
- (list (list "CLASS" %cals-table-class%))
- '()))
- (process-node-list head)
- (process-node-list body)
- (process-node-list feet)
- (make-table-endnotes))))
-
-</style-specification-body>
-</style-specification>
-<external-specification id="docbook" document="dbstyle">
-</style-sheet>
diff --git a/contrib/bind9/doc/arm/nominum-docbook-print.dsl.in b/contrib/bind9/doc/arm/nominum-docbook-print.dsl.in
deleted file mode 100644
index 511d6c48bc8c..000000000000
--- a/contrib/bind9/doc/arm/nominum-docbook-print.dsl.in
+++ /dev/null
@@ -1,42 +0,0 @@
-<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
-<!ENTITY dbstyle SYSTEM "@PRINTSTYLE@" CDATA DSSSL>
-]>
-
-
-<style-sheet>
-<style-specification use="docbook">
-<style-specification-body>
-
-<!-- ;; your stuff goes here... -->
-
-(define %generate-book-titlepage% #t)
-
-(define %section-autolabel%
- ;; REFENTRY section-autolabel
- ;; PURP Are sections enumerated?
- ;; DESC
- ;; If true, unlabeled sections will be enumerated.
- ;; /DESC
- ;; AUTHOR N/A
- ;; /REFENTRY
- #t)
-
-;; Margins around cell contents
-;; (define %cals-cell-before-row-margin% 20pt)
-;; (define %cals-cell-after-row-margin% 20pt)
-
-;; seems to be a bug in JadeTeX -- we get a wierd indent on table
-;; cells for the first line only. This is a workaround.
-;; Adam Di Carlo, adam@onshore.com
-(define %cals-cell-before-column-margin% 5pt)
-(define %cals-cell-after-column-margin% 5pt)
-
-;; Inheritable start and end indent for cell contents
-(define %cals-cell-content-start-indent% 5pt)
-(define %cals-cell-content-end-indent% 5pt)
-
-
-</style-specification-body>
-</style-specification>
-<external-specification id="docbook" document="dbstyle">
-</style-sheet>
diff --git a/contrib/bind9/doc/arm/validate.sh.in b/contrib/bind9/doc/arm/validate.sh.in
deleted file mode 100644
index f50d8a09dbda..000000000000
--- a/contrib/bind9/doc/arm/validate.sh.in
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: validate.sh.in,v 1.2.206.1 2004/03/06 13:16:14 marka Exp $
-
-nsgmls -sv @SGMLDIR@/docbook/dsssl/modular/dtds/decls/xml.dcl \
- Bv9ARM-book.xml
diff --git a/contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt b/contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt
deleted file mode 100644
index 1030e5782ef9..000000000000
--- a/contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt
+++ /dev/null
@@ -1,336 +0,0 @@
-
-
-
-
-Internet-Draft T. Baba
-Expires: March 11, 2004 NTT Data
- September 11, 2003
-
-
- Requirements for Access Control in Domain Name Systems
- draft-baba-dnsext-acl-reqts-01.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
- Distribution of this memo is unlimited.
-
- This Internet-Draft will expire on March 11, 2004.
-
-Abstract
-
- This document describes the requirements for access control
- mechanisms in the Domain Name System (DNS), which authenticate
- clients and then allow or deny access to resource records in the
- zone according to the access control list (ACL).
-
-1. Introduction
-
- The Domain Name System (DNS) is a hierarchical, distributed, highly
- available database used for bi-directional mapping between domain
- names and IP addresses, for email routing, and for other information
- [RFC1034, 1035]. DNS security extensions (DNSSEC) have been defined
- to authenticate the data in DNS and provide key distribution services
- using SIG, KEY, and NXT resource records (RRs) [RFC2535].
-
-
-
-Baba Expires March 11, 2004 [Page 1]
-
-Internet-Draft DNS Access Control Requirements September 2003
-
-
- At the 28th IETF Meeting in Houston in 1993, DNS security design team
- started a discussion about DNSSEC and agreed to accept the assumption
- that "DNS data is public". Accordingly, confidentiality for queries
- or responses is not provided by DNSSEC, nor are any sort of access
- control lists or other means to differentiate inquirers. However,
- about ten years has passed, access control in DNS has been more
- important than before. Currently, new RRs are proposed to add new
- functionality to DNS such as ENUM [RFC2916]. Such new RRs may
- contain private information. Thus, DNS access control will be
- needed.
-
- Furthermore, with DNS access control mechanism, access from
- unauthorized clients can be blocked when they perform DNS name
- resolution. Thus, for example, Denial of Service (DoS) attacks
- against a server used by a closed user group can be prevented using
- this mechanism if IP address of the server is not revealed by other
- sources.
-
- This document describes the requirements for access control
- mechanisms in DNS.
-
-2. Terminology
-
- AC-aware client
- This is the client that understands the DNS access control
- extensions. This client may be an end host which has a stub
- resolver, or a cashing/recursive name server which has a
- full-service resolver.
-
- AC-aware server
- This is the authoritative name server that understands the DNS
- access control extensions.
-
- ACE
- An Access Control Entry. This is the smallest unit of access
- control policy. It grants or denies a given set of access
- rights to a set of principals. An ACE is a component of an ACL,
- which is associated with a resource.
-
- ACL
- An Access Control List. This contains all of the access control
- policies which are directly associated with a particular
- resource. These policies are expressed as ACEs.
-
- Client
- A program or host which issues DNS requests and accepts its
- responses. A client may be an end host or a cashing/recursive name
- server.
-
-
-
-Baba Expires March 11, 2004 [Page 2]
-
-Internet-Draft DNS Access Control Requirements September 2003
-
-
- RRset
- All resource records (RRs) having the same NAME, CLASS and TYPE
- are called a Resource Record Set (RRset).
-
-3. Requirements
-
- This section describes the requirements for access control in DNS.
-
-3.1 Authentication
-
-3.1.1 Client Authentication Mechanism
-
- The AC-aware server must identify AC-aware clients based on IP
- address and/or domain name (user ID or host name), and must
- authenticate them using strong authentication mechanism such as
- digital signature or message authentication code (MAC).
-
- SIG(0) RR [RFC2931] contains a domain name associated with sender's
- public key in its signer's name field, and TSIG RR [RFC2845] also
- contains a domain name associated with shared secret key in its key
- name field. Each of these domain names can be a host name or a user
- name, and can be used as a sender's identifier for access control.
- Furthermore, SIG(0) uses digital signatures, and TSIG uses MACs for
- message authentication. These mechanisms can be used to authenticate
- AC-aware clients.
-
- Server authentication may be also provided.
-
-3.1.2 End-to-End Authentication
-
- In current DNS model, caching/recursive name servers are deployed
- between end hosts and authoritative name servers. Although
- authoritative servers can authenticate caching/recursive name servers
- using SIG(0) or TSIG, they cannot authenticate end hosts behind them.
- For end-to-end authentication, the mechanism for an end host to
- discover the target authoritative name server and directly access to
- it bypassing caching/recursive name servers is needed. For example,
- an end host can get the IP addresses of the authoritative name
- servers by retrieving NS RRs for the zone via local caching/recursive
- name server.
-
- In many enterprise networks, however, there are firewalls that block
- all DNS packets other than those going to/from the particular
- caching/recursive servers. To deal with this problem, one can
- implement packet forwarding function on the caching/recursive servers
- and enable end-to-end authentication via the caching/recursive
- servers.
-
-
-
-
-Baba Expires March 11, 2004 [Page 3]
-
-Internet-Draft DNS Access Control Requirements September 2003
-
-
-3.1.3 Authentication Key Retrieval
-
- Keys which are used to authenticate clients should be able to be
- automatically retrieved. The KEY RR is used to store a public key
- for a zone or a host that is associated with a domain name. SIG(0)
- RR uses a public key in KEY RR for verifying the signature. If
- DNSSEC is available, the KEY RR would be protected by the SIG RR.
- KEY RR or newly defined RR can be used to automatic key retrieval.
-
-3.2 Confidentiality
-
-3.2.1 Data Encryption
-
- To avoid disclosure to eavesdroppers, the response containing the
- RRsets which are restricted to access from particular users should be
- encrypted. Currently, no encryption mechanism is specified in DNS.
- Therefore, new RRs should be defined for DNS message encryption.
- Instead, IPsec [RFC2401] can be used to provide confidentiality if
- name server and resolver can set up security associations dynamically
- using IPsec API [IPSECAPI] when encryption is required.
-
- In case encryption is applied, entire DNS message including DNS
- header should be encrypted to hide information including error code.
-
- Query encryption may be also provided for hiding query information.
-
-3.2.2 Key Exchange
-
- If DNS message encryption is provided, automatic key exchange
- mechanism should be also provided. [RFC2930] specifies a TKEY RR
- that can be used to establish and delete shared secret keys used by
- TSIG between a client and a server. With minor extensions, TKEY can
- be used to establish shared secret keys used for message encryption.
-
-3.2.3 Caching
-
- The RRset that is restricted to access from particular users must not
- be cached. To avoid caching, the TTL of the RR that is restricted to
- access should be set to zero during transit.
-
-3.3 Access Control
-
-3.3.1 Granularity of Access Control
-
- Control of access on a per-user/per-host granularity must be
- supported. Control of access to individual RRset (not just the
- entire zone) must be also supported. However, SOA, NS, SIG, NXT,
- KEY, and DS RRs must be publicly accessible to avoid unexpected
- results.
-
-
-Baba Expires March 11, 2004 [Page 4]
-
-Internet-Draft DNS Access Control Requirements September 2003
-
-
-3.3.2 ACL Representation
-
- Access Control List (ACL) format must be standardized so that both
- the primary and secondary AC-aware servers can recognize the same
- ACL. Although ACL may appear in or out of zone data, it must be
- transferred to the secondary AC-aware server with associated zone
- data. It is a good idea to contain ACL in zone data, because ACL can
- be transferred with zone data using existing zone transfer mechanisms
- automatically. However, ACL must not be published except for
- authorized secondary master servers.
-
- In zone data master files, ACL should be specified using TXT RRs or
- newly defined RRs. In each access control entry (ACE), authorized
- entities (host or user) must be described using domain name (host
- name, user name, or IP address in in-addr.arpa/ip6.arpa format).
- There may be other access control attributes such as access time.
-
- It must be possible to create publicly readable entries, which may be
- read even by unauthenticated clients.
-
-3.3.3 Zone/ACL Transfer
-
- As mentioned above, ACL should be transferred from a primary AC-aware
- server to a secondary AC-aware server with associated zone data.
- When an AC-aware server receives a zone/ACL transfer request, the
- server must authenticate the client, and should encrypt the zone
- data and associated ACL during transfer.
-
-3.4 Backward/co-existence Compatibility
-
- Any new protocols to be defined for access control in DNS must be
- backward compatible with existing DNS protocol. AC-aware servers
- must be able to process normal DNS query without authentication, and
- must respond if retrieving RRset is publicly accessible.
-
- Modifications to root/gTLD/ccTLD name servers are not allowed.
-
-4. Security Considerations
-
- This document discusses the requirements for access control
- mechanisms in DNS.
-
-5. Acknowledgements
-
- This work is funded by the Telecommunications Advancement
- Organization of Japan (TAO).
-
- The author would like to thank the members of the NTT DATA network
- security team for their important contribution to this work.
-
-
-Baba Expires March 11, 2004 [Page 5]
-
-Internet-Draft DNS Access Control Requirements September 2003
-
-
-6. References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
- Internet Protocol", RFC 2401, November 1998.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)",
- RFC 2845, May 2000.
-
- [RFC2916] Faltstrom, P., "E.164 number and DNS", RFC 2916,
- September 2000.
-
- [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)",
- RFC 2930, September 2000.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s)", RFC 2931, September 2000.
-
- [IPSECAPI] Sommerfeld, W., "Requirements for an IPsec API",
- draft-ietf-ipsp-ipsec-apireq-00.txt, June 2003, Work in
- Progress.
-
-
-Author's Address
-
- Tatsuya Baba
- NTT Data Corporation
- Research and Development Headquarters
- Kayabacho Tower, 1-21-2, Shinkawa, Chuo-ku,
- Tokyo 104-0033, Japan
-
- Tel: +81 3 3523 8081
- Fax: +81 3 3523 8090
- Email: babatt@nttdata.co.jp
-
-
-
-
-
-
-
-
-Baba Expires March 11, 2004 [Page 6]
diff --git a/contrib/bind9/doc/draft/draft-daigle-napstr-04.txt b/contrib/bind9/doc/draft/draft-daigle-napstr-04.txt
deleted file mode 100644
index fffa8a5f20b3..000000000000
--- a/contrib/bind9/doc/draft/draft-daigle-napstr-04.txt
+++ /dev/null
@@ -1,1232 +0,0 @@
-
-
-Network Working Group L. Daigle
-Internet-Draft A. Newton
-Expires: August 15, 2004 VeriSign, Inc.
- February 15, 2004
-
-
- Domain-based Application Service Location Using SRV RRs and the
- Dynamic Delegation Discovery Service (DDDS)
- draft-daigle-napstr-04.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 15, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This memo defines a generalized mechanism for application service
- naming that allows service location without relying on rigid domain
- naming conventions (so-called name hacks). The proposal defines a
- Dynamic Delegation Discovery System (DDDS) Application to map domain
- name, application service name, and application protocol to target
- server and port, dynamically.
-
-
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 1]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2. Straightforward-NAPTR (S-NAPTR) Specification . . . . . . . 4
- 2.1 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2.2 S-NAPTR DDDS Application Usage . . . . . . . . . . . . . . . 5
- 2.2.1 Ordering and Preference . . . . . . . . . . . . . . . . . . 5
- 2.2.2 Matching and non-Matching NAPTR Records . . . . . . . . . . 5
- 2.2.3 Terminal and Non-Terminal NAPTR Records . . . . . . . . . . 5
- 2.2.4 S-NAPTR and Successive Resolution . . . . . . . . . . . . . 6
- 2.2.5 Clients Supporting Multiple Protocols . . . . . . . . . . . 6
- 3. Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . 7
- 3.1 Guidelines for Application Protocol Developers . . . . . . . 7
- 3.1.1 Registration of application service and protocol tags . . . 7
- 3.1.2 Definition of conditions for retry/failure . . . . . . . . . 8
- 3.1.3 Server identification and handshake . . . . . . . . . . . . 8
- 3.2 Guidelines for Domain Administrators . . . . . . . . . . . . 8
- 3.3 Guidelines for Client Software Writers . . . . . . . . . . . 9
- 4. Illustrations . . . . . . . . . . . . . . . . . . . . . . . 9
- 4.1 Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . 9
- 4.2 Service Discovery within a Domain . . . . . . . . . . . . . 10
- 4.3 Multiple Protocols . . . . . . . . . . . . . . . . . . . . . 10
- 4.4 Remote Hosting . . . . . . . . . . . . . . . . . . . . . . . 11
- 4.5 Sets of NAPTR RRs . . . . . . . . . . . . . . . . . . . . . 12
- 4.6 Sample sequence diagram . . . . . . . . . . . . . . . . . . 12
- 5. Motivation and Discussion . . . . . . . . . . . . . . . . . 14
- 5.1 So, why not just SRV records? . . . . . . . . . . . . . . . 15
- 5.2 So, why not just NAPTR records? . . . . . . . . . . . . . . 15
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . 16
- 7. Security Considerations . . . . . . . . . . . . . . . . . . 16
- 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17
- References . . . . . . . . . . . . . . . . . . . . . . . . . 17
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 18
- A. Application Service Location Application of DDDS . . . . . . 18
- A.1 Application Unique String . . . . . . . . . . . . . . . . . 18
- A.2 First Well Known Rule . . . . . . . . . . . . . . . . . . . 18
- A.3 Expected Output . . . . . . . . . . . . . . . . . . . . . . 18
- A.4 Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
- A.5 Service Parameters . . . . . . . . . . . . . . . . . . . . . 19
- A.5.1 Application Services . . . . . . . . . . . . . . . . . . . . 19
- A.5.2 Application Protocols . . . . . . . . . . . . . . . . . . . 20
- A.6 Valid Rules . . . . . . . . . . . . . . . . . . . . . . . . 20
- A.7 Valid Databases . . . . . . . . . . . . . . . . . . . . . . 20
- B. Pseudo pseudocode for S-NAPTR . . . . . . . . . . . . . . . 20
- B.1 Finding the first (best) target . . . . . . . . . . . . . . 20
- B.2 Finding subsequent targets . . . . . . . . . . . . . . . . . 21
- Full Copyright Statement . . . . . . . . . . . . . . . . . . 23
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 2]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-1. Introduction
-
- This memo defines a generalized mechanism for application service
- naming that allows service location without relying on rigid domain
- naming conventions (so-called name hacks). The proposal defines a
- Dynamic Delegation Discovery System (DDDS -- see [6]) Application to
- map domain name, application service name, and application protocol
- to target server and port, dynamically.
-
- As discussed in Section 5, existing approaches to using DNS records
- to dynamically determining the current host for a given application
- service are limited in terms of the use cases supported. To address
- some of the limitations, this document defines a DDDS Application to
- map service+protocol+domain to specific server addresses using both
- NAPTR [7] and SRV ([5]) DNS resource records. This can be viewed as
- a more general version of the use of SRV and/or a very restricted
- application of the use of NAPTR resource records.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC2119 ([2]).
-
-2. Straightforward-NAPTR (S-NAPTR) Specification
-
- The precise details of the specification of this DDDS application are
- given in Appendix A. This section defines the usage of the DDDS
- application.
-
-2.1 Key Terms
-
- An "application service" is a generic term for some type of
- application, indpendent of the protocol that may be used to offer it.
- Each application service will be associated with an IANA-registered
- tag. For example, instant messaging is a type of application
- service, which can be implemented by many different application-layer
- protocols, and the tag "IM" (used as an illustration here) could be
- registered for it.
-
- An "application protocol" is used to implement the application
- service. These are also associated with IANA-registered tags. In
- the case where multiple transports are available for the application,
- separate tags should be defined for each transport.
-
- The intention is that the combination of application service and
- protocol tags should be specific enough that finding a known pair
- (e.g., "IM:ProtC") is sufficient for a client to identify a server
- with which it can communicate.
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 3]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- Some protocols support multiple application services. For example,
- LDAP is an application protocol, and can be found supporting various
- services (e.g., "whitepages", "directory enabled networking", etc).
-
-2.2 S-NAPTR DDDS Application Usage
-
- As outlined in Appendix A, NAPTR records are used to store
- application service+protocol information for a given domain.
- Following the DDDS standard, these records are looked up, and the
- rewrite rules (contained in the NAPTR records) are used to determine
- the successive DNS lookups, until a desirable target is found.
-
- For the rest of this section, refer to the set of NAPTR resource
- records for example.com shown in the figure below.
-
- example.com.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "" "WP:whois++" "" bunyip.example.
- IN NAPTR 100 20 "s" "WP:ldap" "" _ldap._tcp.myldap.example.com.
- IN NAPTR 200 10 "" "IM:protA" "" someisp.example.
- IN NAPTR 200 30 "a" "IM:protB" "" myprotB.example.com.
-
-
-2.2.1 Ordering and Preference
-
- A client retrieves all of the NAPTR records associated with the
- target domain name (example.com, above). These are to be sorted in
- terms of increasing ORDER, and increasing PREF within each ORDER.
-
-2.2.2 Matching and non-Matching NAPTR Records
-
- Starting with the first sorted NAPTR record, the client examines the
- SERVICE field to find a match. In the case of the S-NAPTR DDDS
- application, that means a SERVICE field that includes the tags for
- the desired application service and a supported application protocol.
-
- If more than one NAPTR record matches, they are processed in
- increasing sort order.
-
-2.2.3 Terminal and Non-Terminal NAPTR Records
-
- A NAPTR record with an empty FLAG field is "non-terminal". That is,
- more NAPTR RR lookups are to be performed. Thus, to process a NAPTR
- record with an empty FLAG field in S-NAPTR, the REPLACEMENT field is
- used as the target of the next DNS lookup -- for NAPTR RRs.
-
- In S-NAPTR, the only terminal flags are "S" and "A". These are
- called "terminal" NAPTR lookups because they denote the end of the
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 4]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- DDDS/NAPTR processing rules. In the case of an "S" flag, the
- REPLACEMENT field is used as the target of a DNS query for SRV RRs,
- and normal SRV processing is applied. In the case of an "A" flag, an
- address record is sought for the REPLACEMENT field target (and the
- default protocol port is assumed).
-
-2.2.4 S-NAPTR and Successive Resolution
-
- As shown in the example NAPTR RR set above, it is possible to have
- multiple possible targets for a single application service+protocol
- pair. These are to be pursued in order until a server is
- successfully contacted or all possible matching NAPTR records have
- been successively pursued to terminal lookups and servers contacted.
- That is, a client must backtrack and attempt other resolution paths
- in the case of failure.
-
- "Failure" is declared, and backtracking must be used when
-
- o the designated remote server (host and port) fail to provide
- appropriate security credentials for the *originating* domain
-
- o connection to the designated remote server otherwise fails -- the
- specifics terms of which are defined when an application protocol
- is registered
-
- o the S-NAPTR-designated DNS lookup fails to yield expected results
- -- e.g., no A RR for an "A" target, no SRV record for an "S"
- target, or no NAPTR record with appropriate application service
- and protocol for a NAPTR lookup. Except in the case of the very
- first NAPTR lookup, this last is a configuration error: the fact
- that example.com has a NAPTR record pointing to "bunyip.example"
- for the "WP:Whois++" service and protocol means the administrator
- of example.com believes that service exists. If bunyip.example
- has no "WP:Whois++" NAPTR record, the application client MUST
- backtrack and try the next available "WP:Whois++" option from
- example.com. As there is none, the whole resolution fails.
-
- An application client first queries for the NAPTR RRs for the domain
- of a named application service. The application client MUST select
- one protocol to choose The PREF field of the NAPTR RRs may be used by
- the domain administrator to The first DNS query is for the NAPTR RRs
- in the original target domain (example.com, above).
-
-2.2.5 Clients Supporting Multiple Protocols
-
- In the case of an application client that supports more than one
- protocol for a given application service, it MUST pursue S-NAPTR
- resolution completely for one protocol before trying another.j It MAY
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 5]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- choose which protocol to try first based on its own preference, or
- from the PREF ranking in the first set of NAPTR records (i.e., those
- for the target named domain). However, the chosen protocol MUST be
- listed in that first NAPTR RR set.
-
- That is, what the client MUST NOT do is start looking for one
- protocol, observe that a successive NAPTR RR set supports another of
- its preferred protocols, and continue the S-NAPTR resolution based on
- that protocol. For example, even if someisp.example offers the "IM"
- service with protocol "ProtB", there is no reason to believe it does
- so on behalf of example.com (since there is no such pointer in
- example.com's NAPTR RR set).
-
-3. Guidelines
-
-3.1 Guidelines for Application Protocol Developers
-
- The purpose of S-NAPTR is to provide application standards developers
- with a more powerful framework (than SRV RRs alone) for naming
- service targets, without requiring each application protocol (or
- service) standard to define a separate DDDS application.
-
- Note that this approach is intended specifically for use when it
- makes sense to associate services with particular domain names (e.g.,
- e-mail addresses, SIP addresses, etc). A non-goal is having all
- manner of label mapped into domain names in order to use this.
-
- Specifically not addressed in this document is how to select the
- domain for which the service+protocol is being sought. It is up to
- other conventions to define how that might be used (e.g., instant
- messaging standards can define what domain to use from IM URIs, how
- to step down from foobar.example.com to example.com, and so on, if
- that is applicable).
-
- Although this document proposes a DDDS application that does not use
- all the features of NAPTR resource records, it does not mean to imply
- that DNS resolvers should fail to implement all aspects of the NAPTR
- RR standard. A DDDS application is a client use convention.
-
- The rest of this section outlines the specific elements that protocol
- developers must determine and document in order to make use of S-
- NAPTR.
-
-3.1.1 Registration of application service and protocol tags
-
- Application protocol developers that wish to make use of S-NAPTR must
- make provision to register any relevant application service and
- application protocol tags, as described in Section 6.
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 6]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-3.1.2 Definition of conditions for retry/failure
-
- One other important aspect that must be defined is the expected
- behaviour for interacting with the servers that are reached via S-
- NAPTR. Specifically, under what circumstances should the client
- retry a target that was found via S-NAPTR? What should it consider a
- failure that causes it to return to the S-NAPTR process to determine
- the next serviceable target (a less preferred target)?
-
- For example, if the client gets a "connection refused" from a server,
- should it retry for some (protocol-dependent) period of time? Or,
- should it try the next-preferred target in the S-NAPTR chain of
- resolution? Should it only try the next-preferred target if it
- receives a protocol-specific permanent error message?
-
- The most important thing is to select one expected behaviour and
- document it as part of the use of S-NAPTR.
-
- As noted earlier, failure to provide appropriate credentials to
- identify the server as being authoritative for the original taret
- domain is always considered a failure condition.
-
-3.1.3 Server identification and handshake
-
- As noted in Section 7, use of the DNS for server location increases
- the importance of using protocol-specific handshakes to determine and
- confirm the identity of the server that is eventually reached.
-
- Therefore, application protocol developers using S-NAPTR should
- identify the mechanics of the expected identification handshake when
- the client connects to a server found through S-NAPTR.
-
-3.2 Guidelines for Domain Administrators
-
- Although S-NAPTR aims to provide a "straightforward" application of
- DDDS and use of NAPTR records, it is still possible to create very
- complex chains and dependencies with the NAPTR and SRV records.
-
- Therefore, domain administrators are called upon to use S-NAPTR with
- as much restraint as possible, while still achieving their service
- design goals.
-
- The complete set of NAPTR, SRV and A RRs that are "reachable" through
- the S-NAPTR process for a particular application service can be
- thought of as a "tree". Each NAPTR RR retrieved points to more NAPTR
- or SRV records; each SRV record points to several A record lookups.
- Even though a particular client can "prune" the tree to use only
- those records referring to application protocols supported by the
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 7]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- client, the tree could be quite deep, and retracing the tree to retry
- other targets can become expensive if the tree has many branches.
-
- Therefore,
-
- o Fewer branches is better: for both NAPTR and SRV records, provide
- different targets with varying preferences where appropriate
- (e.g., to provide backup services, etc), but don't look for
- reasons to provide more.
-
- o Shallower is better: avoid using NAPTR records to "rename"
- services within a zone. Use NAPTR records to identify services
- hosted elsewhere (i.e., where you cannot reasonably provide the
- SRV records in your own zone).
-
-
-3.3 Guidelines for Client Software Writers
-
- To properly understand DDDS/NAPTR, an implementor must read [6].
- However, the most important aspect to keep in mind is that, if one
- target fails to work for the application, it is expected that the
- application will continue through the S-NAPTR tree to try the (less
- preferred) alternatives.
-
-4. Illustrations
-
-4.1 Use Cases
-
- The basic intended use cases for which S-NAPTR has been developed
- are:
-
- o Service discovery within a domain. For example, this can be used
- to find the "authoritative" server for some type of service within
- a domain (see the specific example in Section 4.2).
-
- o Multiple protocols. This is increasingly common as new
- application services are defined. This includes the case of
- instant messaging (a service) which can be offered with multiple
- protocols (see Section 4.3).
-
- o Remote hosting. Each of the above use cases applies within the
- administration of a single domain. However, one domain operator
- may elect to engage another organization to provide an application
- service. See Section 4.4 for an example that cannot be served by
- SRV records alone.
-
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 8]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-4.2 Service Discovery within a Domain
-
- There are occasions when it is useful to be able to determine the
- "authoritative" server for a given application service within a
- domain. This is "discovery", because there is no a priori knowledge
- as to whether or where the service is offered; it is therefore
- important to determine the location and characteristics of the
- offered service.
-
- For example, there is growing discussion of having a generic
- mechanism for locating the keys or certificates associated with
- particular application (servers) operated in (or for) a particular
- domain. Here's a hypothetical case for storing application key or
- certificate data for a given domain. The premise is that some
- credentials registry (CredReg) service has been defined to be a leaf
- node service holding the keys/certs for the servers operated by (or
- for) the domain. Furthermore, it is assumed that more than one
- protocol is available to provide the service for a particular domain.
- This DDDS-based approach is used to find the CredReg server that
- holds the information.
-
- Thus, the set of NAPTR records for thinkingcat.example might look
- like this:
-
- thinkingcat.example.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "" "CREDREG:ldap:iris-beep" "" theserver.thinkingcat.example.
-
- Note that another domain, offering the same application service,
- might offer it using a different set of application protocols:
-
- anotherdomain.example.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "" "CREDREG:iris-lw:iris-beep" "" foo.anotherdomain.example.
-
-
-4.3 Multiple Protocols
-
- As it stands, there are several different protocols proposed for
- offering "instant message" services. Assuming that "IM" was
- registered as an application service, this DDDS application could be
- used to determine the available services for delivering to a target.
-
- Two particular features of instant messaging should be noted:
-
- 1. gatewaying is expected to bridge communications across protocols
-
- 2. instant messaging servers are likely to be operated out of a
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 9]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- different domain than the instant messaging address, and servers
- of different protocols may be offered by independent
- organizations
-
- For example, "thinkingcat.example" may support its own servers for
- the "ProtA" instant messaging protocol, but rely on outsourcing from
- "example.com" for "ProtC" and "ProtB" servers.
-
- Using this DDDS-based approach, thinkingcat.example can indicate a
- preference ranking for the different types of servers for the instant
- messaging service, and yet the out-sourcer can independently rank the
- preference and ordering of servers. This independence is not
- achievable through the use of SRV records alone.
-
- Thus, to find the IM services for thinkingcat.example, the NAPTR
- records for thinkingcat.example are retrieved:
-
- thinkingcat.example.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "s" "IM:ProtA" "" _ProtA._tcp.thinkingcat.example.
- IN NAPTR 100 20 "s" "IM:ProtB" "" _ProtB._tcp.example.com.
- IN NAPTR 100 30 "s" "IM:ProtC" "" _ProtC._tcp.example.com.
-
- and then the administrators at example.com can manage the preference
- rankings of the servers they use to support the ProtB service:
-
- _ProtB._tcp.example.com.
- ;; Pref Weight Port Target
- IN SRV 10 0 10001 bigiron.example.com
- IN SRV 20 0 10001 backup.im.example.com
- IN SRV 30 0 10001 nuclearfallout.australia-isp.example
-
-
-4.4 Remote Hosting
-
- In the Instant Message hosting example in Section 4.3, the service
- owner (thinkingcat.example) had to host pointers to the hosting
- service's SRV records in the thinkingcat.example domain.
-
- A better way to approach this is to have one NAPTR RR in the
- thinkingcat.example domain pointing to all the hosted services, and
- the hosting domain has NAPTR records for each service to map them to
- whatever local hosts it chooses (and may change from time to time).
-
-
-
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 10]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- thinkingcat.example.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "s" "IM:ProtA" "" _ProtA._tcp.thinkingcat.example.
- IN NAPTR 100 20 "" "IM:ProtB:ProtC" "" thinkingcat.example.com.
-
-
- and then the administrators at example.com can break out the
- individual application protocols and manage the preference rankings
- of the servers they use to support the ProtB service (as before):
-
- thinkingcat.example.com.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "s" "IM:ProtC" "" _ProtC._tcp.example.com.
- IN NAPTR 100 20 "s" "IM:ProtB" "" _ProtB._tcp.example.com.
-
-
-
- _ProtC._tcp.example.com.
- ;; Pref Weight Port Target
- IN SRV 10 0 10001 bigiron.example.com
- IN SRV 20 0 10001 backup.im.example.com
- IN SRV 30 0 10001 nuclearfallout.australia-isp.example
-
-
-4.5 Sets of NAPTR RRs
-
- Note that the above sections assumed that there was one service
- available (via S-NAPTR) per domain. Often, that will not be the
- case. Assuming thinkingcat.example had the CredReg service set up as
- described in Section 4.2 and the instant messaging service set up as
- described in Section 4.4, then a client querying for the NAPTR RR set
- from thinkingcat.com would get the following answer:
-
- thinkingcat.example.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "s" "IM:ProtA" "" _ProtA._tcp.thinkingcat.example.
- IN NAPTR 100 20 "" "IM:ProtB:ProtC:" "" thinkingcat.example.com.
- IN NAPTR 200 10 "" "CREDREG:ldap:iris-beep" "" bouncer.thinkingcat.example.
-
- Sorting them by increasing "ORDER", the client would look through the
- SERVICE strings to determine if there was a NAPTR RR that matched the
- application service it was looking for, with an application protocol
- it could use. The first (lowest PREF) record that so matched is the
- one the client would use to continue.
-
-4.6 Sample sequence diagram
-
- Consider the example in Section 4.3. Visually, the sequence of steps
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 11]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- required for the client to reach the final server for a "ProtB"
- service for IM for the thinkingcat.example domain is as follows:
-
-
- Client NS for NS for
- thinkingcat.example example.com backup.im.example.com
- | | |
- 1 -------->| | |
- 2 <--------| | |
- 3 ------------------------------>| |
- 4 <------------------------------| |
- 5 ------------------------------>| |
- 6 <------------------------------| |
- 7 ------------------------------>| |
- 8 <------------------------------| |
- 9 ------------------------------------------------->|
- 10 <-------------------------------------------------|
- 11 ------------------------------------------------->|
- 12 <-------------------------------------------------|
- (...)
-
-
-
- 1. the name server (NS) for thinkingcat.example is reached with a
- request for all NAPTR records
-
- 2. the server responds with the NAPTR records shown in Section 4.3.
-
- 3. the second NAPTR record matches the desired criteria; that has an
- "s" flag and a replacement fields of "_ProtB._tcp.example.com".
- So, the client looks up SRV records for that target, ultimately
- making the request of the NS for example.com.
-
- 4. the response includes the SRV records listed in Section 4.3.
-
- 5. the client attempts to reach the server with the lowest PREF in
- the SRV list -- looking up the A record for the SRV record's
- target (bigiron.example.com).
-
- 6. the example.com NS responds with an error message -- no such
- machine!
-
- 7. the client attempts to reach the second server in the SRV list,
- and looks up the A record for backup.im.example.com
-
- 8. the client gets the A record with the IP address for
- backup.im.example.com from example.com's NS.
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 12]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- 9. the client connects to that IP address, on port 10001 (from the
- SRV record), using ProtB over tcp.
-
- 10. the server responds with an "OK" message.
-
- 11. the client uses ProtB to challenge that this server has
- credentials to operate the service for the original domain
- (thinkingcat.example)
-
- 12. the server responds, and the rest is IM.
-
-
-5. Motivation and Discussion
-
- Increasingly, application protocol standards are using domain names
- to identify server targets, and stipulating that clients should look
- up SRV resource records to determine the host and port providing the
- server. This enables a distinction between naming an application
- service target and actually hosting the server. It also increases
- flexibility in hosting the target service:
-
- o the server may be operated by a completely different organization
- without having to list the details of that organization's DNS
- setup (SRVs)
-
- o multiple instances can be set up (e.g., for load balancing or
- secondaries)
-
- o it can be moved from time to time without disrupting clients'
- access, etc.
-
- This is quite useful, but Section 5.1 outlines some of the
- limitations inherent in the approach.
-
- That is, while SRV records can be used to map from a specific service
- name and protocol for a specific domain to a specific server, SRV
- records are limited to one layer of indirection, and are focused on
- server administration rather than on application naming. And, while
- the DDDS specification and use of NAPTR allows multiple levels of
- redirection before locating the target server machine with an SRV
- record, this proposal requires only a subset of NAPTR strictly bound
- to domain names, without making use of the REGEXP field of NAPTR.
- These restrictions make the client's resolution process much more
- predictable and efficient than with some potential uses of NAPTR
- records. This is dubbed "S-NAPTR" -- a "S"traightforward use of
- NAPTR records.
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 13]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-5.1 So, why not just SRV records?
-
- An expected question at this point is: this is so similar in
- structure to SRV records, why are we doing this with DDDS/NAPTR?
-
- Limitations of SRV include:
-
- o SRV provides a single layer of indirection -- the outcome of an
- SRV lookup is a new domain name for which the A RR is to be found.
-
- o the purpose of SRV is focused on individual server administration,
- not application naming: as stated in [5] "The SRV RR allows
- administrators to use several servers for a single domain, to move
- services from host to host with little fuss, and to designate some
- hosts as primary servers for a service and others as backups."
-
- o target servers by "service" (e.g., "ldap") and "protocol" (e.g.,
- "tcp") in a given domain. The definition of these terms implies
- specific things (e.g., that protocol should be one of UDP or TCP)
- without being precise. Restriction to UDP and TCP is insufficient
- for the uses described here.
-
- The basic answer is that SRV records provide mappings from protocol
- names to host and port. The use cases described herein require an
- additional layer -- from some service label to servers that may in
- fact be hosted within different administrative domains. We could
- tweak SRV to say that the next lookup could be something other than
- an address record, but that is more complex than is necessary for
- most applications of SRV.
-
-5.2 So, why not just NAPTR records?
-
- That's a trick question. NAPTR records cannot appear in the wild --
- see [6]. They must be part of a DDDS application.
-
- The purpose here is to define a single, common mechanism (the DDDS
- application) to use NAPTR when all that is desired is simple DNS-
- based location of services. This should be easy for applications to
- use -- some simple IANA registrations and it's done.
-
- Also, NAPTR has very powerful tools for expressing "rewrite" rules.
- That power (==complexity) makes some protocol designers and service
- administrators nervous. The concern is that it can translate into
- unintelligible, noodle-like rule sets that are difficult to test and
- administer.
-
- This proposed DDDS application specifically uses a subset of NAPTR's
- abilities. Only "replacement" expressions are allowed, not "regular
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 14]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- expressions".
-
-6. IANA Considerations
-
- This document calls for 2 IANA registries: one for application
- service tags, and one for application protocol tags.
-
- Application service and protocol tags should be defined in an RFC
- (unless the "x-" experimental form is used, in which case they are
- unregistered). There are no restrictions placed on the tags other
- than that they must conform with the syntax defined below (Appendix
- A.5). The IANA registries should list the tags and the RFC that
- defines their use.
-
-7. Security Considerations
-
- The security of this approach to application service location is only
- as good as the security of the DNS servers along the way. If any of
- them is compromised, bogus NAPTR and SRV records could be inserted to
- redirect clients to unintended destinations. This problem is hardly
- unique to S-NAPTR (or NAPTR in general).
-
- To protect against DNS-vectored attacks, applications should define
- some form of end-to-end authentication to ensure that the correct
- destination has been reached. Many application protocols such as
- HTTPS, BEEP, IMAP, etc... define the necessary handshake mechansims
- to accomplish this task.
-
- The basic mechanism works in the following way:
-
- 1. During some portion of the protocol handshake, the client sends
- to the server the original name of the desired destination (i.e.
- no transformations that may have resulted from NAPTR
- replacements, SRV targets, or CNAME changes). In certain cases
- where the application protocol does not have such a feature but
- TLS may be used, it is possible to use the "server_name" TLS
- extension.
-
- 2. The server sends back to the client a credential with the
- appropriate name. For X.509 certificates, the name would either
- be in the subjectDN or subjectAltName fields. For Kerberos, the
- name would be a service principle name.
-
- 3. Using the matching semantics defined by the application protocol,
- the client compares the name in the credential with the name sent
- to the server.
-
- 4. If the names match, there is reasonable assurance that the
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 15]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- correct end point has been reached.
-
- It is important to note that this document does not define either the
- handshake mechanism, the specific credenential naming fields, nor the
- name matching semantics. Definitions of S-NAPTR for particular
- application protocols MUST define these.
-
-8. Acknowledgements
-
- Many thanks to Dave Blacka, Patrik Faltstrom, Sally Floyd for
- discussion and input that has (hopefully!) provoked clarifying
- revisions of this document.
-
-References
-
- [1] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource
- Identifiers (URI): Generic Syntax", RFC 2396, August 1998.
-
- [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [3] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 2234, November 1997.
-
- [4] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [5] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
- specifying the location of services (DNS SRV)", RFC 2782,
- February 2000.
-
- [6] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
- One: The Comprehensive DDDS", RFC 3401, October 2002.
-
- [7] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
- Three: The Domain Name System (DNS) Database", RFC 3403, October
- 2002.
-
- [8] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
- Four: The Uniform Resource Identifiers (URI)", RFC 3404, October
- 2002.
-
-
-
-
-
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 16]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-Authors' Addresses
-
- Leslie Daigle
- VeriSign, Inc.
- 21355 Ridgetop Circle
- Dulles, VA 20166
- US
-
- EMail: leslie@verisignlabs.com; leslie@thinkingcat.com
-
-
- Andrew Newton
- VeriSign, Inc.
- 21355 Ridgetop Circle
- Dulles, VA 20166
- US
-
- EMail: anewton@verisignlabs.com
-
-Appendix A. Application Service Location Application of DDDS
-
- This section defines the DDDS application, as described in [6].
-
-A.1 Application Unique String
-
- The Application Unique String is domain label for which an
- authoritative server for a particular service is sought.
-
-A.2 First Well Known Rule
-
- The "First Well Known Rule" is identity -- that is, the output of the
- rule is the Application Unique String, the domain label for which the
- authoritative server for a particular service is sought.
-
-A.3 Expected Output
-
- The expected output of this Application is the information necessary
- to connect to authoritative server(s) (host, port, protocol) for an
- application service within a given a given domain.
-
-A.4 Flags
-
- This DDDS Application uses only 2 of the Flags defined for the
- URI/URN Resolution Application ([8]): "S" and "A". No other Flags
- are valid.
-
- Both are for terminal lookups. This means that the Rule is the last
- one and that the flag determines what the next stage should be. The
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 17]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- "S" flag means that the output of this Rule is a domain label for
- which one or more SRV [5] records exist. "A" means that the output
- of the Rule is a domain name and should be used to lookup address
- records for that domain.
-
- Consistent with the DDDS algorithm, if the Flag string is empty the
- next lookup is for another NAPTR record (for the replacement target).
-
-A.5 Service Parameters
-
- Service Parameters for this Application take the form of a string of
- characters that follow this ABNF ([3]):
-
- service-parms = [ [app-service] *(":" app-protocol)]
- app-service = experimental-service / iana-registered-service
- app-protocol = experimental-protocol / iana-registered-protocol
- experimental-service = "x-" 1*30ALPHANUMSYM
- experimental-protocol = "x-" 1*30ALPHANUMSYM
- iana-registered-service = ALPHA *31ALPHANUMSYM
- iana-registered-protocol = ALPHA *31ALPHANUM
- ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
- DIGIT = %x30-39 ; 0-9
- SYM = %x2B / %x2D / %x2E ; "+" / "-" / "."
- ALPHANUMSYM = ALPHA / DIGIT / SYM
- ; The app-service and app-protocol tags are limited to 32
- ; characters and must start with an alphabetic character.
- ; The service-parms are considered case-insensitive.
-
- Thus, the Service Parameters may consist of an empty string, just an
- app-service, or an app-service with one or more app-protocol
- specifications separated by the ":" symbol.
-
- Note that this is similar to, but not the same as the syntax used in
- the URI DDDS application ([8]). The DDDS DNS database requires each
- DDDS application to define the syntax of allowable service strings.
- The syntax here is expanded to allow the characters that are valid in
- any URI scheme name (see [1]). Since "+" (the separator used in the
- RFC3404 service parameter string) is an allowed character for URI
- scheme names, ":" is chosen as the separator here.
-
-A.5.1 Application Services
-
- The "app-service" must be a registered service [this will be an IANA
- registry; this is not the IANA port registry, because we want to
- define services for which there is no single protocol, and we don't
- want to use up port space for nothing].
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 18]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-A.5.2 Application Protocols
-
- The protocol identifiers that are valid for the "app-protocol"
- production are any standard, registered protocols [IANA registry
- again -- is this the list of well known/registered ports?].
-
-A.6 Valid Rules
-
- Only substitution Rules are permitted for this application. That is,
- no regular expressions are allowed.
-
-A.7 Valid Databases
-
- At present only one DDDS Database is specified for this Application.
- [7] specifies a DDDS Database that uses the NAPTR DNS resource record
- to contain the rewrite rules. The Keys for this database are encoded
- as domain-names.
-
- The First Well Known Rule produces a domain name, and this is the Key
- that is used for the first lookup -- the NAPTR records for that
- domain are requested.
-
- DNS servers MAY interpret Flag values and use that information to
- include appropriate NAPTR, SRV or A records in the Additional
- Information portion of the DNS packet. Clients are encouraged to
- check for additional information but are not required to do so. See
- the Additional Information Processing section of [7] for more
- information on NAPTR records and the Additional Information section
- of a DNS response packet.
-
-Appendix B. Pseudo pseudocode for S-NAPTR
-
-B.1 Finding the first (best) target
-
- Assuming the client supports 1 protocol for a particular application
- service, the following pseudocode outlines the expected process to
- find the first (best) target for the client, using S-NAPTR.
-
-
- target = [initial domain]
- naptr-done = false
-
- while (not naptr-done)
- {
- NAPTR-RRset = [DNSlookup of NAPTR RRs for target]
- [sort NAPTR-RRset by ORDER, and PREF within each ORDER]
- rr-done = false
- cur-rr = [first NAPTR RR]
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 19]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- while (not rr-done)
- if ([SERVICE field of cur-rr contains desired application
- service and application protocol])
- rr-done = true
- target= [REPLACEMENT target of NAPTR RR]
- else
- cur-rr = [next rr in list]
-
- if (not empty [FLAG in cur-rr])
- naptr-done = true
- }
-
- port = -1
-
- if ([FLAG in cur-rr is "S"])
- {
- SRV-RRset = [DNSlookup of SRV RRs for target]
- [sort SRV-RRset based on PREF]
- target = [target of first RR of SRV-RRset]
- port = [port in first RR of SRV-RRset]
- }
-
- ; now, whether it was an "S" or an "A" in the NAPTR, we
- ; have the target for an A record lookup
-
- host = [DNSlookup of target]
-
- return (host, port)
-
-
-
-B.2 Finding subsequent targets
-
- The pseudocode in Appendix B is crafted to find the first, most
- preferred, host-port pair for a particular application service an
- protocol. If, for any reason, that host-port pair did not work
- (connection refused, application-level error), the client is expected
- to try the next host-port in the S-NAPTR tree.
-
- The pseudocode above does not permit retries -- once complete, it
- sheds all context of where in the S-NAPTR tree it finished.
- Therefore, client software writers could
-
- o entwine the application-specific protocol with the DNS lookup and
- RRset processing described in the pseudocode and continue the S-
- NAPTR processing if the application code fails to connect to a
- located host-port pair;
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 20]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
- o use callbacks for the S-NAPTR processing;
-
- o use an S-NAPTR resolution routine that finds *all* valid servers
- for the required application service and protocol from the
- originating domain, and provides them in sorted order for the
- application to try in order.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 21]
-
-Internet-Draft draft-daigle-napstr-04 February 2004
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Daigle & Newton Expires August 15, 2004 [Page 22]
-
diff --git a/contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt b/contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt
deleted file mode 100644
index 4a01d91b9a8b..000000000000
--- a/contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt
+++ /dev/null
@@ -1,1960 +0,0 @@
-
-
-
-INTERNET-DRAFT Hadmut Danisch
-Category: Experimental Oct 2003
-Expires: Apr 1, 2004
-
- The RMX DNS RR and method for lightweight SMTP sender authorization
- draft-danisch-dns-rr-smtp-03.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-Abstract
-
- This memo introduces a new authorization scheme for SMTP e-mail
- transport. It is designed to be a simple and robust protection
- against e-mail fraud, spam and worms. It is based solely on
- organisational security mechanisms and does not require but still
- allow use of cryptography. This memo also focuses on security and
- privacy problems and requirements in context of spam defense. In
- contrast to prior versions of the draft a new RR type is not
- required anymore.
-
-
-
-
-
-
-
-
-
-
-
-
-Hadmut Danisch Experimental [Page 1]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- Table of Contents
-
-
-1. General Issues . . . . . . . . . . . . . . . . . . . . . . . . . 4
-2. Problem and threat description . . . . . . . . . . . . . . . . . 4
- 2.1. Mail sender forgery . . . . . . . . . . . . . . . . . . . 4
- 2.1.1 Definition of sender forgery . . . . . . . . . . . 4
- 2.1.2 Spam . . . . . . . . . . . . . . . . . . . . . . . 5
- 2.1.3 E-Mail Worms . . . . . . . . . . . . . . . . . . . 5
- 2.1.4 E-Mail spoofing and fraud . . . . . . . . . . . . . 5
- 2.2. Indirect damage caused by forgery . . . . . . . . . . . . 6
- 2.3. Technical problem analysis . . . . . . . . . . . . . . . . 6
- 2.4. Shortcomings of cryptographical approaches . . . . . . . . 7
-3. A DNS based sender address verification . . . . . . . . . . . . 7
- 3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 7
- 3.2. Envelope vs. header sender address . . . . . . . . . . . . 9
- 3.3. Domain part vs. full sender address . . . . . . . . . . . 9
-4. Mapping of E-Mail addresses to DNS names . . . . . . . . . . . . 10
- 4.1. Domain part only . . . . . . . . . . . . . . . . . . . . . 10
- 4.2. Full address . . . . . . . . . . . . . . . . . . . . . . . 11
- 4.3. Empty address . . . . . . . . . . . . . . . . . . . . . . 11
-5. Mandatory entry types and their syntax . . . . . . . . . . . . . 11
- 5.1. Overall structure . . . . . . . . . . . . . . . . . . . . 11
- 5.2. Unused . . . . . . . . . . . . . . . . . . . . . . . . . . 12
- 5.3. IPv4 and IPv6 address ranges . . . . . . . . . . . . . . . 12
- 5.4. DNS Hostname . . . . . . . . . . . . . . . . . . . . . . . 13
- 5.4.1 Road warriors and DynDNS entries . . . . . . . . . 13
- 5.5. APL Reference . . . . . . . . . . . . . . . . . . . . . . 14
- 5.6. Domain Member . . . . . . . . . . . . . . . . . . . . . . 14
- 5.7. Full Address Query . . . . . . . . . . . . . . . . . . . . 15
- 5.8. DNS mapped authorization . . . . . . . . . . . . . . . . . 15
- 5.9. RMX reference . . . . . . . . . . . . . . . . . . . . . . 16
-6. Optional and experimental entry types . . . . . . . . . . . . . 16
- 6.1. TLS fingerprint . . . . . . . . . . . . . . . . . . . . . 16
- 6.2. TLS and LDAP . . . . . . . . . . . . . . . . . . . . . . . 16
- 6.3. PGP or S/MIME signature . . . . . . . . . . . . . . . . . 16
- 6.4. Transparent Challenge/Response . . . . . . . . . . . . . . 17
- 6.5. SASL Challenge/Response . . . . . . . . . . . . . . . . . 17
-7. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
- 7.1. Alternative encoding as TXT records . . . . . . . . . . . 17
- 7.2. RMX Records . . . . . . . . . . . . . . . . . . . . . . . 17
- 7.2.1 Overall structure . . . . . . . . . . . . . . . . . 18
- 7.2.2 Record encoding . . . . . . . . . . . . . . . . . . 18
- 7.2.3 Encoding of IPv4 and IPv6 address ranges . . . . . 18
- 7.2.4 Encoding of DNS . . . . . . . . . . . . . . . . . . 18
- 7.2.5 Encoding of unused and full query . . . . . . . . . 19
- 7.2.6 Additional Records . . . . . . . . . . . . . . . . 19
-8. Message Headers . . . . . . . . . . . . . . . . . . . . . . . . 19
-
-
-
-Hadmut Danisch Experimental [Page 2]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
-9. SMTP error messages . . . . . . . . . . . . . . . . . . . . . . 20
-10. Message relaying and forwarding . . . . . . . . . . . . . . . . 20
- 10.1. Problem description . . . . . . . . . . . . . . . . . . . 20
- 10.2. Trusted relaying/forwarding . . . . . . . . . . . . . . . 21
- 10.3. Untrusted relaying/forwarding . . . . . . . . . . . . . . 21
-11. Security Considerations . . . . . . . . . . . . . . . . . . . . 22
- 11.1. Draft specific considerations . . . . . . . . . . . . . . 22
- 11.1.1 Authentication strength . . . . . . . . . . . . . 22
- 11.1.2 Where Authentication and Authorization end . . . . 22
- 11.1.3 Vulnerability of DNS . . . . . . . . . . . . . . . 23
- 11.1.4 Sneaking RMX attack? . . . . . . . . . . . . . . 25
- 11.1.5 Open SMTP relays . . . . . . . . . . . . . . . . . 25
- 11.1.6 Unforged Spam . . . . . . . . . . . . . . . . . . 25
- 11.1.7 Reliability of Whois Entries . . . . . . . . . . . 26
- 11.1.8 Hazards for Freedom of Speech . . . . . . . . . . 26
- 11.2. General Considerations about spam defense . . . . . . . . 27
- 11.2.1 Action vs. reaction . . . . . . . . . . . . . . . 27
- 11.2.2 Content based Denial of Service attacks . . . . . 27
-12. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 28
- 12.1. Draft specific considerations . . . . . . . . . . . . . . 28
- 12.1.1 No content leaking . . . . . . . . . . . . . . . . 28
- 12.1.2 Message reception and sender domain . . . . . . . 28
- 12.1.3 Network structure . . . . . . . . . . . . . . . . 29
- 12.1.4 Owner information distribution . . . . . . . . . . 29
- 12.2. General Considerations about spam defense . . . . . . . . 29
- 12.2.1 Content leaking of content filters . . . . . . . . 29
- 12.2.2 Black- and Whitelists . . . . . . . . . . . . . . 30
-13. Deployment Considerations . . . . . . . . . . . . . . . . . . . 30
- 13.1. Compatibility . . . . . . . . . . . . . . . . . . . . . . 30
- 13.1.1 Compatibility with old mail receivers . . . . . . 30
- 13.1.2 Compatibility with old mail senders . . . . . . . 30
- 13.1.3 Compatibility with old DNS clients . . . . . . . . 30
- 13.1.4 Compatibility with old DNS servers . . . . . . . . 30
- 13.2. Enforcement policy . . . . . . . . . . . . . . . . . . . 31
-14. General considerations about fighting spam . . . . . . . . . . 31
- 14.1. The economical problem . . . . . . . . . . . . . . . . . 31
- 14.2. The POP problem . . . . . . . . . . . . . . . . . . . . . 32
- 14.3. The network structure problem . . . . . . . . . . . . . . 33
- 14.4. The mentality problem . . . . . . . . . . . . . . . . . . 33
- 14.5. The identity problem . . . . . . . . . . . . . . . . . . 33
- 14.6. The multi-legislation problem . . . . . . . . . . . . . . 34
-Implementation and further Information . . . . . . . . . . . . . . . 34
-References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
-Draft History . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
-Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . . 35
-
-
-
-
-
-
-Hadmut Danisch Experimental [Page 3]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
-1. General Issues
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
- this document are to be interpreted as described in RFC 2119 [1].
-
-2. Problem and threat description
-
-2.1. Mail sender forgery
-
- The amount of e-mails with forged sender addresses has dramatically
- increased. As a consequence, damages and annoyances caused by such
- e-mails increased as well. In the majority of examined e-mails the
- domain name of the envelope sender address was forged, and the e-
- mail was sent from an IP address which does not belong to a network
- used by the actual owner of the domain.
-
-2.1.1. Definition of sender forgery
-
- As discussions, comments to prior versions of this draft, and
- different approaches to stop forgery showed, different perceptions
- of "mail forgery" exist. For example, there are mechanisms to
- verify e-mail addresses for mailing lists, web servers, or to stop
- spam, which do send a message with a random number to the given
- address and expect the user to send a reply. Here, someone is
- considered to be allowed to use a particular e-mail address, if and
- only if he is able to receive informations sent to this address,
- and is able to reply to such a message. While this definition
- appears to be quite plausible and natural, it can't be used for a
- simple technical solution. Sending back a challenge and expecting a
- reply is simply too much overhead and time delay, and not every
- authorized sender is able or willing to reply (e.g. because he went
- offline or is not a human).
-
- Within the scope of this memo, sender forgery means that the
- initiator of an e-mail transfer (which is the original sender in
- contrast to relays) uses a sender address which he was not
- authorized to use. Being authorized to use an address means that
- the owner (administrator) of the internet domain has given
- permission, i.e. agrees with the use of the address by that
- particular sender. This memo will cover both the permission of the
- full e-mail address and the domain part only for simplicity.
-
- Within context of Internet and SMTP, the sender address usually
- occurs twice, once as the envelope sender address in SMTP, and once
- as the address given in the RFC822 mail header. While the following
- considerations apply to both addresses in principle, it is
- important to stress that both addresses have distinct semantics and
-
-
-
-Hadmut Danisch Experimental [Page 4]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- are not neccessarily the same. The envelope address identifies the
- initiator of the transport, while the header identifies the author
- of the message content. Since this memo deals with the message
- transport only and completely ignores the message content, the
- method should naturally be applied to the envelope sender address.
-
-2.1.2. Spam
-
- A common and well known problem is the dramatic increase of
- unsolicited e-mail, commonly called "spam". Again, the majority of
- examined e-mails had forged sender addresses. The abused domains
- were mainly those of common webmailers as hotmail or yahoo, or
- well-known companies.
-
- Unfortunately, there is no accurate definition of spam availabe
- yet, and neither are the concise technical criterions to filter or
- block spam with technical mechanisms. There are efforts to design
- content based filters, but these filters are expensive in
- calculation time (and sometimes money), and they do not reliably
- provide predictable results. Usually they give false positives
- and/or require user interaction. Content filters in general suffer
- from a design problem described later in this memo. Therefore,
- this proposal does not use the content based approach to block
- spam.
-
- As analysis of spam messages showed, most of spam messages were
- sent with forged envelope sender addresses. This has mainly three
- reasons. The first reason is, that spam senders usually do not
- want to be contacted by e-mail. The second reason is, that they do
- not want to be blacklisted easily. The third reason is, that spam
- is or is going to be unlawful in many countries, and the sender
- does not want to reveal his identity. Therefore, spam is considered
- to be a special case of sender forgery.
-
-2.1.3. E-Mail Worms
-
- Another example of sender forgery is the reproduction of e-mail
- worms. Most worms do choose random sender addresses, e.g. using
- the addresses found in mailboxes on the infected system. In most
- cases analyzed by the author, the e-mails sent by the reproduction
- process can also be categorized as forged, since the infected
- system would under normal circumstances not be authorized to send
- e-mails with such e-mail addresses. So forgery does not require a
- malicious human to be directly involved. This memo covers any kind
- of e-mail sender address forgery, included those generated by
- malicious software.
-
-2.1.4. E-Mail spoofing and fraud
-
-
-
-Hadmut Danisch Experimental [Page 5]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- Forging e-mail sender addresses for fraud or other kinds of
- deception ("human engineering") has also dramatically increased.
- There are many known cases where single or mass e-mails were sent
- with wrong sender addresses, pretending to come from service
- provider, software manufacturers etc., and asking the receiver to
- install any software or patches, or to reply with any confidential
- information. The Internet is becoming more and more a scene of
- crime, and so are it's services, including e-mail. It is obvious
- that crime based on e-mail is eased by the fact that SMTP allows
- arbitrary sender address spoofing.
-
-2.2. Indirect damage caused by forgery
-
- As observed by the author, mass mails and worms with forged sender
- addresses can cause a severe damage for the real owner of the
- abused sender addresses. If a sender A is sending an e-mail to the
- receiver B, pretending to be C by using a sender address of C's
- domain, then C has currently no chance to prevent this, since C's
- machines and software are not involved in any way in the delivery
- process between A and B. B will nevertheless send any error
- messages (virus/spam alert, "no such user", etc.) to C, erroneously
- assuming that the message was sent by C. The author found several
- cases where this flood of error messages caused a severe denial of
- service or a dramatic increase of costs, e.g. when C was
- downloading the e-mail through expensive or low bandwidth
- connections (e.g. modem or mobile phones), or where disk space was
- limited. The author examined mass mailings, where several tens or
- hundreds of thousands of messages were sent to several addresses
- around the world, where these messages caused only annoyance. But
- since several thousands of these addresses were invalid or didn't
- accept the message, the owner of the DNS domain which was abused by
- the spammer to forge sender addresses was flooded for several
- months with thousands of error messages, jamming the e-mail system
- and causing severe costs and damages.
-
- As a consequence, when A sends a message to B, pretending to be C,
- there must be any mechanism to allow C to inform B about the fact,
- that A is not authorized to use C as a sender address. This is what
- this memo is about.
-
-2.3. Technical problem analysis
-
- Why does e-mail forgery actually exist? Because of the lack of the
- Simple Mail Transfer Protocol SMTP[2] to provide any kind of sender
- authentication, authorisation, or verification. This protocol was
- designed at a time where security was not an issue. Efforts have
- been made to block forged e-mails by requiring the sender address
- domain part to be resolvable. This method provides protection from
-
-
-
-Hadmut Danisch Experimental [Page 6]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- e-mails with non-existing sender domains, and indeed, for some time
- it blocked most spam e-mails. However, since attackers and spam
- senders began to abuse existing domain names, this method was
- rendered ineffective.
-
-2.4. Shortcomings of cryptographical approaches
-
- At a first glance, the problem of sender address forgery might
- appear to be solvable with cryptographic methods such as challenge
- response authentications or digital signatures. A deeper analysis
- shows that only a small, closed user group could be covered with
- cryptographical methods. Any method used to stop spam forgery must
- be suitable to detect forgery not only for a small number of
- particular addresses, but for all addresses on the world. An
- attacker does not need to know the secrets belonging to a
- particular address. It is sufficient to be able to forge any
- address and thus to know any secret key. Since there are several
- hundreds of millions of users, there will always be a large amount
- of compromised keys, thus spoiling any common cryptographic method.
- Furthermore, cryptography has proven to be far too complicated and
- error prone to be commonly administered and reliably implemented.
- Many e-mail and DNS administrators do not have the knowledge
- required to deal with cryptographic mechanisms. Many legislations
- do not allow the general deployment of cryptography and a directory
- service with public keys. For these reasons, cryptography is
- applicable only to a small and closed group of users, but not to
- all participants of the e-mail service.
-
-3. A DNS based sender address verification
-
-3.1. Overview
-
- To gain improvement in e-mail authenticity while keeping as much
- SMTP compatibility as possible, a method is suggested which doesn't
- change SMTP at all.
-
- The idea is to store informations about how to verify who is
- authorized to transmit e-mails through SMTP with a particular
- sender address (either full address or - for simplicity - only the
- domain part of the address) in a directory service, which is
- currently the DNS. To be precise, the verification consists of two
- steps, the classical pair of authentication and authorization:
-
- The first step is the authentication. While several methods are
- possible to perform authentication (see below), the most important
- and robust method is the verification of the sender's IP address.
- This is done implicitely by TCP/IP and the TCP sequence number. The
- authenticated identity is the IP address. It has to be stressed
-
-
-
-Hadmut Danisch Experimental [Page 7]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- that this TCP/IP "authentication" is a weak authentication and
- vulnerable to several attacks. It is nevertheless sufficient for
- this purpose, especially for blocking spam. It doesn't take any
- implementation and it doesn't cost: It is already there, it is a
- functionality of TCP/IP. An incoming SMTP connection based on
- TCP/IP already carries the sender's IP address without any
- modification of SMTP. See below (section Entry types) for more
- details about authentication methods.
-
- The second step is the authorization. It is based on the identity
- given by the previous authentication step, e.g. the IP address of
- the originator of the incoming SMTP connection, and on the
- envelope sender address. The mechanism proposed in this memo
- answers the question "Is that particular sender (IP address,...)
- allowed to send with that sender address" by querying and
- processing informations stored in a directory service, which is
- DNS.
-
- When the sender has issued the "MAIL FROM:" SMTP command, the
- receiving mail transfer agent (MTA) can - and modern MTAs do -
- perform some authorization checks, e.g. run a local rule database
- or check whether the sender domain is resolvable.
-
- The suggested method is to let the DNS server for the sender domain
- provide informations about who - this means for example which IP
- address - is authorized to use an address or a domain as a part of
- it. After receiving the "MAIL FROM:" SMTP command, the receiving
- MTA can verify, whether e. g. the IP address of the sending MTA is
- authorized to send mails with this domain name. Therefore, a list
- of entries with authorized IP addresses or other informations is
- provided by the authoritative DNS server of that domain. The entry
- types are described in the subsequent chapters. Some of these
- methods are
-
- - An IPv4 or IPv6 network address and mask
- - A fully qualified domain name referring to an A record
- - A fully qualified domain name referring to an APL record
-
- RMX records of these types would look like this:
-
- somedomain.de. IN RMX ipv4:10.0.0.0/8
- rmxtest.de. IN RMX host:relay.provider.com
- danisch.de. IN RMX apl:relays.rackland.de
- relays.rackland.de. IN APL 1:213.133.101.23/32 1:1.2.3.0/24
-
- where the machine with the example address 213.133.101.23 and the
- machines in the example subnet 1.2.3.0/24 are the only machines
- allowed to send e-mails with an envelope sender address of domain
-
-
-
-Hadmut Danisch Experimental [Page 8]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- danisch.de. Since the APL records do not necessarily belong to the
- same domain or zone table as the RMX records, this easily allows to
- refer to APL records defined by someone else, e.g. the internet
- access or server hosting provider, thus reducing administrative
- overhead to a minimum. In the example given above, the domain
- danisch.de and several other domains are hosted by the service
- provider Rackland. So if the relay structure of Rackland is
- modified, only the zone of rackland.de needs to be modified. The
- domain owners don't need to care about such details.
-
-3.2. Envelope vs. header sender address
-
- Questions were raised why the proposed mechanism is based on the
- envelope sender address, and not on the sender address given in the
- message header. Technically, both can be used. Actually, it makes
- sense to use the envelope address.
-
- In common, the header sender address identifies the author of the
- content, while the envelope sender tells who caused the
- transmission. The approach proposed in this memo is transmission
- based, not content based. We can not authorize the author of a
- message if we don't have contact with him, if the message does not
- already contain a signature. In contrast, the sending MTA is linked
- to an IP address which can be used for authentication. This
- mechanism might not be very strong, but it is available and
- sufficient to solve today's e-mail security problems.
-
- Some people argued that it is the header address and not the sender
- address, which is displayed in common mail readers (MUAs), and
- where the receiver believes the mail comes from. That's true, but
- it doesn't help. There are many cases where the header sender
- differs from the envelope sender for good reasons (see below in the
- consequences chapter for the discussion about relaying). Relaying,
- mailing lists etc. require to replace the sender address used for
- RMX. If this were the header address, the message header would have
- to be modified. This is undesirable.
-
-3.3. Domain part vs. full sender address
-
- Former versions of this draft were limited to the domain part of
- the sender address. The first reason is that it is common and MX-
- like, to lookup only the domain part of an e-mail address in DNS.
- The second reason is, that it was left to the private business of
- the domain administration to handle details of user verification.
- The idea was that the domain administration takes care to verify
- the left part of an e-mail address with an arbitrary method of
- their individual taste. RMX was originally designed to ignore the
- left part of the address and to expect the domain administration to
-
-
-
-Hadmut Danisch Experimental [Page 9]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- take over responsibility for enforcing their policy. If, e.g., a
- spam message arrived and passed the RMX mechanism, it is known to
- be authorized by the domain administration and they can be blamed,
- no matter what is on the left side of the sender address - it's
- their private problem what happens on the left side of the @. By
- far the most of the comments to prior versions of this draft agreed
- with that. A few comments asked for a finer granularity.
-
- And indeed, there is no technical reason against a finer
- granularity. All it takes is a mapping from a given envelope
- sender address to a DNS name, and the RMX lookup for that
- particular e-mail address could be done instead of a lookup for the
- domain part only. However, to my knowledge, most domain
- administrators would not like to provide an RMX entry for every
- single e-mail address. In many cases, this would also overload DNS
- servers.
-
- It is to be discussed how to cover both views. One method could be
- to query the full address, and if no RMX records were found to
- query the domain part only. A different approach would be to query
- the domain part only, and if it's RMX record contain a special
- entry, then a new query for the full address is triggered. A third
- way would be to always query the full address and to leave the
- problem to the wildcard mechanism of DNS. This still has to be
- discussed and will be described in future versions of this draft.
-
-
-
-
-
-
-
-
-
-
-
-4. Mapping of E-Mail addresses to DNS names
-
- To perform the RMX query, a mapping is needed from E-Mail addresses
- to DNS fully qualified domain names.
-
- This chapter is under development and just a first approach.
-
-4.1. Domain part only
-
- Mapping of the domain part is trivial, since the domain part of an
- e-mail address itself is a valid DNS name and does not need
- translation. It might be nevertheless desirable to distinguish the
-
-
-
-Hadmut Danisch Experimental [Page 10]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- RMX entries from other entries, depending of the encoding of the
- records. If the RMX entries are encoded in TXT record types, they
- might collide with other uses of TXT records. It might be
- necessary to prepend the domain part with a special prefix, e.g.
- _rmx. So the e-mail address some.user@example.com could be mapped
- to example.com or _rmx.example.com.
-
-4.2. Full address
-
- Mapping a full address is slightly more difficult. The @ sign must
- be unambiguously translated, and therefore can not be simply
- translated into a dot. The e-mail addresses some.user@example.com
- and some@user.example.com must have different mappings. Therefore,
- the @ sign could be translated into _rmx, implicitely assuming that
- this is not an allowed domain name component of normal domain
- names. Then the rightmost _rmx in the mapped DNS name always
- corresponds to the @ sign. some.user@example.com would e translated
- into some.user._rmx.example.com and can be covered by a wildcard
- entry like *._rmx.example.com.
-
- Character encoding and character sets are still to be discussed.
-
-4.3. Empty address
-
- Unfortunately, SMTP allows empty envelope sender addresses to be
- used for error messages. Empty sender addresses can therefore not
- be prohibited. As observed, a significant amount of spam was sent
- with such an empty sender address. To solve this problem, the host
- name given in the HELO or EHLO command is taken to lookup the RMX
- records instead. This makes sense, since such messages were
- generated by the machine, not a human.
-
-
-
-
-5. Mandatory entry types and their syntax
-
- The entry types described in this section MUST be supported by any
- implementation of this draft.
-
-5.1. Overall structure
-
- Similar to APL, an RMX record is just a concatenation of zero or
- more RMX entries. The entries within one record form an ordered
- rule base as commonly usual in packet filtes and firewall rulesets,
- i. e. they are processed one ofter another until the first entry
- matches. This entry determines the result of the query. Once a
- matching entry is found, the RMX processing is finished.
-
-
-
-Hadmut Danisch Experimental [Page 11]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- For any domain name there should not exist more than a single RMX
- record. Due to the structure of DNS, it is nevertheless possible to
- have more than a single RMX record. Multiple RMX records are
- treated as a single record consisting of the concatenation of all
- records. While the entries in a record are ordered, the records are
- not ordered and may be processed in arbitrary order. If the order
- of the entries matters, it is the zone maintainer's responsibility
- to keep those entries in a single record. For example, there are
- negative entries, which exclude IP addresses from authorization.
- It is important that these entries are processed before positive
- entries giving permission to a wider address range. Since order is
- guaranteed only within a record, corresponding negative and
- positive entries must be put in the same record.
-
- An RMX record may consist of one or more entries, where the entries
- are separated by whitespace. An entry must not contain white space.
- Each entry consists of an optional exclamation sign, a tag, a
- colon, and the entry data:
-
- [!] TAG : ENTRY-SPECIFIC-DATA
-
- If the entry starts with an exclamation sign, the entry is negated.
- See the entry type description below for details.
-
- The TAG is the mnemonic type identifier or the decimal number of
- the entry. The TAG is case-insensitive. It is immediately followed
- by a colon.
-
- The syntax and semantics of ENTRY-SPECIFIC-DATA depends of the the
- entry type. See description below.
-
- Example:
-
- danisch.de. IN RMX apl:relays.rackland.de !ipv4:1.2.3.5
- ipv4:1.2.3.0/24
-
-5.2. Unused
-
- This is a primitive entry which just says that this sender address
- will never be used as a sender address under any circumstances.
- Example:
-
- testdomain.danisch.de IN RMX unused:
-
-5.3. IPv4 and IPv6 address ranges
-
- These entry types contain a bit sequence representing a CIDR
- address part. If that bit sequence matches the given IP address,
-
-
-
-Hadmut Danisch Experimental [Page 12]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- authorization is granted or denied, depending on the negation flag.
-
- The entry is prepended with the tag "IPv4" or "IPv6". The colon is
- followed with an IPv4 or IPv6 address in standard notation,
- optionally followed by a slash and a mask length. If the negation
- flag is set, then the given address range is excluded. Examples:
-
- danisch.de IN RMX ipv4:213.133.101.23 ipv6:fe00::0
- IN RMX ipv4:10.0.0.0/8 ipv6:fec0::0/16
- IN RMX !ipv4:1.2.3.4
-
- (Please note that it does not make much sense to use
- RFC1918-Addresses in RMX records, this is just to give a syntax
- example.)
-
-
-5.4. DNS Hostname
-
- This entry type simply contains a regular DNS name, which is to be
- resolved as a host name (fetch the A record or IPv6 equivalent). If
- the given IP address matches the result, authorization is granted
- or denied, depending on the negation flag. It is still to be
- defined how to treat unresolvable entries.
-
- The entry is prepended with the tag "host", followed by a colon and
- the hostname. Examples:
-
- danisch.de IN RMX host:relay.provider.de
- IN RMX !host:badmachine.domain.de apl:relays.domain.de
-
-5.4.1. Road warriors and DynDNS entries
-
- Several people argued against RMX that it would break their
- existing installation which delivers e-mail from dynamically
- assigned IP addresses, because their IP providers didn't assign a
- static address, or because they are a road warrior, plugging their
- notebook in any hotel room on the world.
-
- RMX provides a simple solution. If such a machine has a dynamically
- updated DNS entry (e.g. DynDNS), all it takes is an RMX entry of
- the hostname type pointing to this dynamic DNS entry.
-
- The cleaner solution would be to deliver mail the same way as it is
- received: If downloaded by POP from a central relay with a static
- address, where the MX points to, then it would be a good idea to
- deliver e-mail the same way in reverse direction. Unfortunately,
- plain POP does not support uploading yet.
-
-
-
-
-Hadmut Danisch Experimental [Page 13]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
-5.5. APL Reference
-
- This entry type simply contains a regular DNS name, which is to be
- resolved as an APL record index (fetch the APL record). If the
- given IP address positively matches the APL, authorization is
- granted. Details of the semantic (espially when the negation bit is
- set) are still to be defined. It is still to be defined how to
- treat unresolvable entries.
-
- The entry is prepended with the tag "host", followed by a colon and
- the hostname. Example:
-
- danisch.de IN RMX apl:relays.rackland.de
-
-5.6. Domain Member
-
- In many cases it is desirable to cover all hosts of a given domain
- with an RMX record without the need to duplicate the list of these
- hosts. This entry type does it (thanks to Eric A. Hall for pointing
- out this entry type). It contains a regular DNS name.
-
- If this entry type is given, a reverse DNS query for the IP address
- of the sending MTA is performed to find its official fully
- qualified domain name. To prevent spoofing, this domain name is
- accepted only if a subsequent address query to the given domain
- name points to exactly the IP address of the sending MTA (the usual
- procedure to verify PTR records).
-
- The entry matches if the fully qualified domain name of the sending
- MTA ends in the given domain. The negation flag works as usual.
-
- The tag for this entry type is "domain". After the colon the domain
- name is given, but might be empty, thus pointing to itself.
- Example:
-
- somedomain.org IN RMX domain:somedomain.org domain:provider.com
-
- would authorize all machines which's hostname can be verified
- through an PTR and A query, and which ends in "somedomain.org" or
- "provider.com".
-
- With such an entry, large companies with different networks can
- easily be covered with just a single and simple RMX entry.
- Obviously, it requires proper PTR records.
-
- As a special shortcut, the DNS name may be empty. In this case the
- domain name of the zone itself is taken. Thus, with a very simple
- entry of the type
-
-
-
-Hadmut Danisch Experimental [Page 14]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- somecompany.com IN RMX domain:
-
- a company could authorize all machines which's IP addresses map to
- DNS names end in somecompany.com, which applies in the majority of
- companies.
-
-
-
-
-5.7. Full Address Query
-
- As described above, RMX records will in most cases apply to the
- domain part of the sender address. In special cases it might be
- desirable to query the RMX record for a particular address. An RMX
- entry of the Full Address Query type may occur in a domain RMX
- record only. It signals that the RMX record for the full address is
- to be fetched and processed.
-
- This entry type does not take arguments. The negation flag is not
- supported. The tag is "full".
-
- If such a full address query is to be performed, the mail address
- must be mapped to a valid and non-ambiguos DNS name. This mapping
- is still to be defined. It is not sufficient to simply replace the
- @ with a dot, because of case sensitivity, character sets, etc. The
- e-mail addresses
-
- john.doe@example.org
- John.Doe@example.org
- john@doe.example.org
-
- must all be mapped to different DNS entries. This entry type might
- vanish in future versions of the draft, depending on the discussion
- about whether to query the domain name part only or the full
- address.
-
-5.8. DNS mapped authorization
-
- As I learned from comments to prior versions of the draft and from
- alternative proposals, many users wish to have a DNS mapped
- authorization table, i. e. the client queries a DNS entry of the
- form a.b.c.d.domain, where a.b.c.d is the sender's IP address.
- Since people wish to have this, RMX will now include such a mapping
- entry. The entry has a parameter giving the DNS domain name where
- to look at. If the parameter is empty, then the same domain is
- taken as for the RMX lookup.
-
- As this is currently under construction and discussion in an IETF
-
-
-
-Hadmut Danisch Experimental [Page 15]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- group, details will be published in future versions of this draft.
-
-5.9. RMX reference
-
- This entry type has no parameters. It means that all those machines
- are authorized, which are pointed to by an MX record.
-
-6. Optional and experimental entry types
-
- The following subsections roughly describe further entry types
- which might not be supported by all implementations and might not
- be allowed in all legislations. These methods might vanish in
- future versions of the draft and are just considerations about what
- to include in RMX and what to not include. The main purpose of this
- section is to start discussion about such entry types.
-
- The disadvantage of the following methods is that they violate the
- basic idea of RMX, i. e. to be simple, robust, easy to implement
- and easy to administer. I personally do not believe that it is a
- good idea or even feasible to implement cryptography for a world
- wide e-mail transfer network. Keep in mind that cryptographic keys
- can be copied. If only <0.1% of cryptographic keys were revealed,
- this completely compromises and spoils RMX. Cryptography is simply
- the wrong tool for the problem RMX is intended to solve. I
- nevertheless like to discuss these methods.
-
-6.1. TLS fingerprint
-
- The sender is considered to be authorized if the message was
- transmitted through SMTP and TLS, and the sender used a certificate
- matching the fingerprint given in the RMX record.
-
-6.2. TLS and LDAP
-
- This means that the receiver should perform an LDAP query for the
- sender address (through the LDAP SRV record or given in the RMX
- record), fetch the X.509 certificate for the sender. The sender is
- considered to be authorized when the message was transmitted
- through SMTP and TLS using this certificate.
-
-6.3. PGP or S/MIME signature
-
- It would be possible to accept a message only if it was signed with
- PGP or S/MIME with a key which's fingerprint is given in the RMX
- record or to be fetched from LDAP or any PGP database. This is
- just for discussion, since it violates the idea of RMX to focus on
- the transport, not on the content. It would also allow replay
- attacks and not cover the envelope sender address or message
-
-
-
-Hadmut Danisch Experimental [Page 16]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- header.
-
-6.4. Transparent Challenge/Response
-
- It would also be possible to implement a challenge-response
- mechanism without modifying the syntax of SMTP. For example, the
- receiving MTA could issue a challenge with it's very first greeting
- message, the sending MTA could hide the response in the HELO
- parameter and when the receiving MTA later learns the sender
- envelope address, it could verify the response based on
- informations in the RMX record.
-
-6.5. SASL Challenge/Response
-
- Modern SMTP implementations already include a SASL mechanisms,
- which easily allows to plugin new authentication mechanisms. While
- common SASL mechanisms require to use a previously shared password,
- a new mechanism could perform a challenge response authentication
- as a SASL method.
-
-
-
-
-
-
-7. Encoding
-
-7.1. Alternative encoding as TXT records
-
- The main objection against the prior versions of this draft was
- that it requires a new RR entry type and upgrading all DNS servers.
-
- Therefore and alternative encoding is proposed. Instead of using a
- new RR type, the TXT record type is used to contain the RMX record.
- The records would simply look as described in the entry type
- chapters above, e.g.
-
- _rmx.danisch.de. IN TXT "apl:relays.rackland.de"
-
- To allow smooth introduction of RMX without the need to immediately
- upgrade all DNS servers, all clients (which have to be newly
- installed anyway) MUST support both the TXT and the RMX records. A
- client has to perform an ANY or a TXT and a RMX query. Servers/zone
- tables may currently use TXT entries but SHOULD use RMX entries in
- future.
-
-7.2. RMX Records
-
-
-
-
-Hadmut Danisch Experimental [Page 17]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
-7.2.1. Overall structure
-
- Each entry starts with an octet containting the entry type and the
- negation flag:
-
- +---+---+---+---+---+---+---+---+------
- | N | Entry Type Code | Parameters...
- +---+---+---+---+---+---+---+---+------
-
- N If this bit (MSB) is set, an IP address
- matching this entry is not authorized,
- but explicitely rejected. See entry
- type descriptions for details.
-
- Entry Type A 7bit number simply determining the entry
- type.
-
-
- Currently, entries do not have an explicit length field, the entry
- length is determined implicitely by the entry type. Applications
- are required to abort if an unknown entry type is found, instead of
- skipping unknown entries.
-
-7.2.2. Record encoding
-
- A RMX record is simply a concatenation of RMX entries.
-
-7.2.3. Encoding of IPv4 and IPv6 address ranges
-
- After the entry type tag as described above, one octet follows
- giving the length L of the bit sequence. Then a sequence of exactly
- as many octets follows as needed to carry L bits of information (=
- trunc((L+7)/8) ).
-
- +---+---+---+---+---+---+---+---+
- | N | Entry Type Code (1 or 2) |
- +---+---+---+---+---+---+---+---+
- | Length Field L |
- +---+---+---+---+---+---+---+---+
- | Bit Field |
- / ((L+7)/8) Octets /
- +---+---+---+---+---+---+---+---+
-
-
-7.2.4. Encoding of DNS
-
- After the entry type tag immediately follows a DNS encoded and
- compressed [3] domain name.
-
-
-
-Hadmut Danisch Experimental [Page 18]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- +---+---+---+---+---+---+---+---+
- | N | Entry Type Code (3..5) |
- +---+---+---+---+---+---+---+---+
- | Length Field L |
- +---+---+---+---+---+---+---+---+
- | Encoded DNS |
- / Name as described in RFC1035 /
- +---+---+---+---+---+---+---+---+
-
- In contrast to earlier versions of this draft, the DNS name cannot
- be compressed, since this would cause decompression errors when a
- DNS server is part of the query chain which does not know this
- particular RR type.
-
-7.2.5. Encoding of unused and full query
-
- These entries do not contain parameters and does not allow the
- negation flag. So the encoding is quite simple:
-
- +---+---+---+---+---+---+---+---+
- | 0 | Entry Type Code (6 or 7)|
- +---+---+---+---+---+---+---+---+
-
-
-
-7.2.6. Additional Records
-
- In order to avoid the need of a second query to resolve the given
- host name, a DNS server should enclose the A record for that domain
- name in the additional section of the additional section of the DNS
- reply, if the server happens to be authoritative.
-
- In order to avoid the need of a second query to resolve the given
- host name, a DNS server should enclose the APL record for that
- domain name in the additional section of the additional section of
- the DNS reply, if the server happens to be authoritative.
-
-
-
-8. Message Headers
-
- An RMX query must be followed by any kind of action depending on
- the RMX result. One action might be to reject the message. Another
- action might be to add a header line to the message body, thus
- allowing MUAs and delivery programs to filter or sort messages.
-
- In future, the RMX result might be melted into the Received: header
- line.
-
-
-
-Hadmut Danisch Experimental [Page 19]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- The details of such entries are to be discussed. As a proposal the
- following form is suggested:
-
- X-RMX: RESULT addr ADDRESS by HOST on DATE mechanism MECHANISM
-
- where
-
- RESULT is one of "Granted", "Denied", "NotInRMX", "NoRMX",
- "TempFail", "BadData", "Trusted".
-
- ADDRESS is the IP address of the sending machine
-
- HOST is the name of the machine performing the RMX query.
-
- DATE is the date of the query.
-
- MECHANISM is the RMX method used to authorize the sender.
-
-
-
-9. SMTP error messages
-
- If a message is rejected because of RMX records, an error message
- should be issued which explains the details. It is to be discussed
- whether new SMTP error codes are to be defined.
-
-
-10. Message relaying and forwarding
-
-10.1. Problem description
-
- Message forwarding and relaying means that an MTA which received an
- e-mail by SMTP does not deliver it locally, but resends the message
- - usually unchanged except for an additional Received header line
- and maybe the recipient's address rewritten - to the next SMTP MTA.
- Message forwarding is an essential functionality of e-mail
- transport services, for example:
-
- - Message transport from outer MX relay to the intranet
- - Message forwarding and Cc-ing by .forward or .procmail-alike
- mechanisms
- - Mailing list processing
- - Message reception by mail relays with low MX priority,
- usually provided by third parties as a stand-by service
- in case of relay failure or maintenance
- - "Forwarding" and "Bouncing" as a MUA functionality
-
- In all these cases a message is sent by SMTP from a host which is
-
-
-
-Hadmut Danisch Experimental [Page 20]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- not covered by the original sender domain's RMX records. While the
- RMX records would forbid accepting this message, it still must be
- accepted. The following subsections explain how to cope with
- relaying.
-
-10.2. Trusted relaying/forwarding
-
- In some cases the receiving MTA trusts the sending MTA to not fake
- messages and to already have checked the RMX records at message
- reception. As a typical example, a company might have an outer mail
- relay which receives messages from the Internet and checks the RMX
- records. This relay then forwards the messages to the different
- department's mail servers. It does not make sense for these
- department mail servers to check the RMX record, since the RMX
- records have already been checked and - since the message was
- relayed by the outer relay - always would deny the message. In this
- case there is a trust relationship between the department relays
- and the outer relay. So RMX checking is turned off for trusted
- relays. In this example, the department relays would not check
- messages from the outer relay (but for intranet security, they
- could still check RMX records of the other departments sub-domains
- to avoid internal forgery between departments).
-
- Another common example are the low-priority MX relays, which
- receive and cache e-mails when the high-priority relays are down.
- In this case, the high-priority relay would trust the low-priority
- relay to have verified the sender authorization and would not
- perform another RMX verification (which would obviously fail).
-
- When a relay forwards a message to a trusting machine, the envelope
- sender address should remain unchanged.
-
-10.3. Untrusted relaying/forwarding
-
- If the receiving MTA does not trust the forwarding MTA, then there
- is no chance to leave the sender envelope address unchanged. At a
- first glance this might appear impracticable, but this is
- absolutely necessary. If an untrusted MTA could claim to have
- forwarded a message from a foreign sender address, it could have
- forged the message as well. Spammers and forgers would just have to
- act as such a relay.
-
- Therefore, it is required that, when performing untrusted
- forwarding, the envelope sender address has to be replaced by the
- sender address of someone responsible for the relaying mechanism,
- e.g. the owner of the mailing list or the mail address of the user
- who's .forward caused the transmission. It is important to stress
- that untrusted relaying/forwarding means taking over responsibility
-
-
-
-Hadmut Danisch Experimental [Page 21]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- for the message. It is the idea of RMX records to tie
- responsibility to message transmission. Untrusted relaying without
- replacing the sender address would mean to transmit without taking
- responsibility.
-
- The disadvantage is that the original sender address is lost.
- Therefore, whenever a sender address replacement happens, the
- Received-Line must contain the old address. Many of today's MTAs
- already insert the envelope recipient address, but not the sender
- address into the Received header line. It seems reasonable to
- require every Received line to include both the sender and
- recipient address of the incoming SMTP connection.
-
-
-11. Security Considerations
-
-11.1. Draft specific considerations
-
-11.1.1. Authentication strength
-
- It is important to stress, that the suggested method does not
- provide high level security and does not completely prevent forged
- e-mails or spam under any circumstances. It is a robust, but not
- highly reliable and completely secure security mechanism. Keep in
- mind that it is based on DNS, and DNS is not secure today.
- Authorization is based on the IP address. The very same machine
- with the very same IP address could be authorized to send e-mail
- with a given sender address and sending spam at the same time.
- Maybe because several users are logged in. Or because several
- customers use the same relay of the same ISP, where one customer
- could use the sender address of a different customer. It is up to
- the ISP to prevent this or not. Machines can still be hijacked.
- Spammers are also domain owners. They can simply use their own
- domain and authorize themselves. You will always find people on the
- world who do not care about security and open their relays and RMX
- records for others to abuse them. RMX is to be considered as a
- very cheap and simple light weight mechanism, which can
- nevertheless provide a significant improvement in mail security
- against a certain class of attacks, until a successor of SMTP has
- been defined and commonly accepted.
-
-11.1.2. Where Authentication and Authorization end
-
- Previous versions of RMX records did not cover the local part of
- the e-mail address, i.e. what's on the left side of the @ sign.
- This is still to be discussed. Authentication and authorization are
- limited to the sending MTA's IP address. The authentication is
- limited to the TCP functionality, which is sufficient for light
-
-
-
-Hadmut Danisch Experimental [Page 22]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- weight authentication. The RMX records authorize the IP address of
- the sending host only, not the particular sender of the message. So
- if a machine is authorized to use sender addresses of more than a
- single domain, the authentication scheme does not prevent that any
- user on this machine can send with any of these domains. RMX is not
- a substitute for the host security of the involved machines.
-
- The proposed authentication scheme can be seen as a "half way
- authentication": It does not track back an e-mail to the effective
- sender. It tracks only half of the way, i. e. it tracks back to the
- domain and it's DNS administrators who authorized that particular
- sender IP address to use it for sending e-mail. How the party
- responsible for that domain performs user authentication, whom it
- grants access to, how it helds people responsible for abuse, is
- completely left as the private business of those who are in charge
- of that domain. So this draft does not interfere with the domain's
- individual security policy or any legislation about such policies.
- On the other hand, the proposed authentication scheme does not give
- any statement about the nature and quality of the domain's security
- policy. This is an essential feature of the proposal: E-mail
- authentication must be deployed world wide, otherwise it won't do
- the job. Any security scheme interfering with the local
- legislations or the domain's security policy will not be accepted
- and can't effectively deployed. Therefore, the security policy must
- remain the domain's private business, no matter how lousy the
- policy might be.
-
- In order to achieve this and to make use of the only existing world
- wide Internet directory scheme (DNS), the approach of this proposal
- is to just ignore the local part of the sender address (i.e. what's
- left of the @ part) and limit view to the domain part. After all,
- that's what we do anyway when delivering to a given address with
- SMTP.
-
-11.1.3. Vulnerability of DNS
-
- DNS is an essential part of the proposed authentication scheme,
- since it requires any directory service, and DNS is currently the
- only one available. Unfortunately, DNS is vulnerable and can be
- spoofed and poisoned. This flaw is commonly known and weakens many
- network services, but for reasons beyond that draft DNS has not
- been significantly improved yet. After the first version of this
- draft, I received several comments who asked me not to use DNS
- because of its lack of security. I took this into consideration,
- but came to the conclusion that this is unfeasible: Any
- authentication scheme linked to some kind of symbolic identity (in
- this case the domain name) needs some kind of infrastructure and
- trusted assignment. There are basically two ways to do it: Do it
-
-
-
-Hadmut Danisch Experimental [Page 23]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- yourself and trust nobody else, or let someone else do it. There
- are methods to do it the former way, e.g. to give someone some kind
- of authentication information after a first successful e-mail
- exchange, e.g. some kind of cookie or special e-mail address. This
- is certainly interesting and powerful, but it does not solve the
- problem on a world wide scale and is far to complicated and error
- prone for the average user, i. e. 99% of the users.
-
- The latter method to let someone else do the symbolic name
- assignment and create the authentication framework is well known.
- It context of public key cryptography, this is called a Public Key
- Infrastructure (PKI). On of the best known facts about PKIs is
- that, until now, we don't have any covering a significant part of
- the Internet. And we won't have any in near future. The complexity
- is far too high, it is too expensive, and it involves cooperation
- of every single user, which is simply unrealistic and extremely
- error prone. So what do we have we can use? All we have is the DNS
- and the Whois database. And we have countries who don't allow
- cryptography. So the proposal was designed to use DNS without
- cryptography. It does not avoid DNS because of its vulnerability,
- it asks for a better DNS, but accepts the DNS as it is for the
- moment. Currently there are two main threats caused by the DNS
- weakness:
-
- - A spammer/forger could spoof DNS in order to gain false
- authorization to send fake e-mails.
-
- - An attacker could spoof DNS in order to block delivery from
- authorized machines, i. e. perform a Denial of Service attack.
-
- The first one is rather unrealistic, because it would require an
- average spammer to poison a significant part of the DNS servers of
- its victims. A spammer sending messages to one million receipients
- would need to poison at least 1-10% which is 10,000 to 100,000
- receipient's DNS servers. This should be unfeasible in most cases.
-
- In contrast, the second threat is a severe one. If an attacker
- wanted to block messages from one company to another, he just needs
- to poison the recipients DNS server with a wrong RMX record in
- order to make the recipient's SMTP machine reject all messages. And
- this is feasible since the attacker needs to poison only a single
- DNS server. But does this make SMTP more vulnerable? No. Because
- the attacker can already do even more without RMX. By poisoning the
- sender's DNS server with wrong MX records, the attacker can also
- block message delivery or even redirect the messages to the
- attacker's machine, thus preventing any delivery error messages and
- furthermore getting access to the messages.
-
-
-
-
-Hadmut Danisch Experimental [Page 24]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- As a consequence, e-mail delivery by SMTP requires a better DNS
- anyway. The requirements are not significantly expanded by RMX.
-
-11.1.4. Sneaking RMX attack?
-
- While writing a test implementation, a certain kind of attack came
- into my mind. I'm still not sure, whether this attack is possible
- on any DNS server, but I believe it should be mentioned:
-
- Imagine an unauthorized sender is sending a forged mail (e.g.
- spam). At connection time, before querying the RMX record, the
- receiving MTA usually performs a PTR query for the IP address of
- the sending MTA. If the sender has control over the authoritative
- name server for that particular IP address, the sender could give a
- normal PTR answer, but could append a wrong RMX, APL, or A record
- in the additional section of the query. A subsequent RMX query
- could receive wrong DNS data if the DNS server used by the
- receiving MTA accepted those forged records.
-
-11.1.5. Open SMTP relays
-
- Open SMTP relays (i.e. machines who accept any e-mail message from
- anyone and deliver to the world) abused by spammers are a one of
- the main problems of spam defense and sender backtracking. In most
- cases this problem just vanishes because foreign open relay
- machines will not be covered by the RMX records of the forged
- sender address. But there are two special cases:
-
- If the spammer knows about a domain which authorizes this
- particular machine, that domain can be used for forgery. But in
- this case, the IP address of the relay machine and the RMX records
- of the domain track back to the persons responsible. Both can be
- demanded to fix the relay or remove the RMX record for this
- machine. An open relay is a security flaw like leaving the machine
- open for everybody to login and send random mails from inside. Once
- the administrative persons refuse to solve the problem, they can be
- identified as spammers and held responsible.
-
- The second special case is when a domain authorizes all IP
- addresses by having the network 0.0.0.0/0 in the RMX/APL record. In
- this case, open relays don't make things worse. It's up to the
- recipient's MTA to reject mails from domains with loose security
- policies.
-
-11.1.6. Unforged Spam
-
- This proposal does not prevent spam (which is, by the way, not yet
- exactly defined), it prevents forgery. Since spam is against law
-
-
-
-Hadmut Danisch Experimental [Page 25]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- and violates the recipients rights, spam depends on untracability
- of the sender. In practice the sender forges the sender address
- (other cases see below). This proposal is designed to detect such
- forgeries.
-
- However, the RMX approach is rendered ineffective, if the sender
- doesn't forge. If the sender uses just a normal address of it's own
- domain, this is just a plain, normal e-mail, which needs to be let
- through. Since it is up to the human's taste whether this is spam
- or not, there's no technical way to reliably identify this as spam.
- But since the sender domain is known, this domain can be
- blacklisted or legal steps can be gone into.
-
-11.1.7. Reliability of Whois Entries
-
- Once the RMX infrastructure gets deployed, what's the security
- gain? It allows to determine the domain which's DNS zone
- authorized the sending machine. What's that good for? There are
- some immediate uses of the domain name, e.g. in black- and
- whitelisting. But in most cases this is just the starting point of
- further investigations, either performed automatically before
- message acceptance, or manually after spam has been received and
- complainted about.
-
- The next step after determining the domain is determining the
- people responsible for this domain. This can sometimes be achieved
- by querying the Whois databases. Unfortunately, many whois entries
- are useless because they are incomplete, wrong, obsolete, or in
- uncommon languages. Furthermore, there are several formats of
- address informations which make it difficult to automatically
- extract the address. Sometimes the whois entry identifies the
- provider and not the owner of the domain. Whois servers are not
- built for high availability and sometimes unreachable.
-
- Therefore, a mandatory standard is required about the contents and
- the format of whois entries, and the availability of the servers.
- After receiving the MAIL FROM SMTP command with the sender envelope
- address, the receiving MTA could check the RMX record and Whois
- entry. If it doesn't point to a real human, the message could be
- rejected and an error message like "Ask your provider to fix your
- Whois entry" could be issued. Obviously, domain providers must be
- held responsible for wrong entries. It might still be acceptable to
- allow anonymous domains, i. e. domains which don't point to a
- responsible human. But it is the receivers choice to accept e-mails
- from such domains or not.
-
-11.1.8. Hazards for Freedom of Speech
-
-
-
-
-Hadmut Danisch Experimental [Page 26]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- Currently, some governments try to enforce limitations of internet
- traffic in order to cut unwanted content providers from the
- network. Some of these governments try to hide a whole country
- behind firewalls, others try to force Internet providers to poison
- DNS servers with wrong A records for web servers, e.g. one county
- administration in Germany tries to do so. If message reception
- depends on DNS entries, the same governments will try to block not
- only HTTP, but SMTP also.
-
- However, since most MTAs already reject messages from unresolvable
- domain names this is not a new threat.
-
-11.2. General Considerations about spam defense
-
- After discussing security requirements of the proposal, now the
- security advantages of the RMX approach over content based filters
- will be explained. Basically, there are three kinds of content
- filters:
-
- - Those who upload the message or some digest to an external
- third party and ask "Is this spam"?
-
- - Those who download a set of patterns and rules from a third
- party and apply this set to incoming messages in order to
- determine whether it is spam.
-
- - Those who are independent and don't contact any third party,
- but try to learn themselves what is spam and what isn't.
-
-
- The message filters provided by some e-mail service providers are
- usually not a kind of their own, but a combination of the first two
- kinds.
-
-11.2.1. Action vs. reaction
-
- Content filters suffer from a fundamental design problem: They are
- late. They need to see some content of the same kind before in
- order to learn and to block further distribution.
-
- This works for viruses and worms, which redistribute. This doesn't
- work for spam, since spam is usually not redistributed after the
- first delivery. When the filters have learned or downloaded new
- pattern sets, it's too late.
-
- This proposal does not have this problem.
-
-11.2.2. Content based Denial of Service attacks
-
-
-
-Hadmut Danisch Experimental [Page 27]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- All three kinds of content filters, but especially the second and
- the third kind are vulnerable to content based Denial of Service
- attacks.
-
- If some kind of third party (e.g. non-democratic government,
- intellectual property warriors, religious groups, military, secret
- services, patriots, public relation agents, etc.) wants certain
- contents not to be distributed, they could either poison the
- pattern/rule databases or feed wrong sets to particular receivers.
-
- Such pattern/rule sets are the perfect tool for censoring e-mail
- traffic and denial of service attacks by governments and other
- parties, and a similar threat are virus filters. E. g. the content
- industry could demand to teach all virus and spam filters to delete
- all e-mails containing the URL of an MP3 web server outside the
- legislations. Software manufacturers could try to block all e-mails
- containing software license keys, thus trying to make unallowed
- distribution more difficult. Governments could try to block
- distribution of unwanted informations.
-
- This proposal does not have this problem.
-
-
-12. Privacy Considerations
-
- (It was proposed on the 56th IETF meeting to have a privacy section
- in drafts and RFCs.)
-
-12.1. Draft specific considerations
-
-12.1.1. No content leaking
-
- Since the RMX approach doesn't touch the contents of a message in
- any way, there is obviously no way of leaking out any information
- about the content of the message. RMX is based solely on the
- envelope recipient address. However, methods to fix problems not
- covered by RMX might allow content leaking, e.g. if the acceptance
- of a message with an empty sender address requires the reference to
- the message id of an e-mail recently sent, this allows an attacker
- to verify whether a certain message was delivered from there.
-
-12.1.2. Message reception and sender domain
-
- Message delivery triggers RMX and APL requests by the recipient.
- Thus, the admin of the DNS server or an eavesdropper could learn
- that the given machine has just received a message with a sender
- from this address, even if the SMTP traffic itself had been
- encrypted.
-
-
-
-Hadmut Danisch Experimental [Page 28]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- However, most of today's MTAs do query the MX and A records of the
- domain after the MAIL FROM command, so this is not a real new
- threat.
-
-12.1.3. Network structure
-
- Since RMX and its associated APL records provide a complete list of
- all IP addresses of hosts authorized to send messages from this
- address, they do reveal informations about the network structure
- and maybe the lifestyle of the domain owner, since a growing number
- of domains are owned by single persons or families. E.g. the RMX
- records could reveal where someone has his job or spends his time
- at weekends.
-
- If such informations are to be kept secret, it is the user's job to
- not sent e-mails from there and to relay them from non-compromising
- IP addresses.
-
-12.1.4. Owner information distribution
-
- As described above, RMX depends partly on the reliability of the
- whois database entries. It does not make anonymous domains
- impossible, but it requires to keep the database entries "true", i.
- e. if a whois entry does not contain informations about the
- responsible person, this must be unambigously labeled as anonymous.
- It must not contain fake names and addresses to pretend a non-
- existing person. However, since most Internet users on the world
- feel extremely annoyed by spam, they will urge their MTA admin to
- reject messages from anonymous domains. The domain owner will have
- the choice to either remain anonymous but be not able to send e-
- mail to everyone in the world, or to be able but to reveal his
- identity to everyone on the world.
-
- It would be possible to provide whois-like services only to
- recipients of recent messages, but this would make things too
- complicated to be commonly adopted.
-
-12.2. General Considerations about spam defense
-
-12.2.1. Content leaking of content filters
-
- As described above in the Security chapter, there are spam filters
- which inherently allow leakage of the message body. Those filters
- upload either the message body, or in most cases just some kind of
- checksum to a third party, which replies whether this is to be seen
- as spam or not. The idea is to keep a databases of all digests of
- all messages. If a message is sent more often than some threshold,
- it is to be considered as a mass mail and therefore tagged as spam.
-
-
-
-Hadmut Danisch Experimental [Page 29]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- While the digest itself does not reveal the content of the message,
- it perfectly reveals where a particular message has been delivered
- to. If a government finds just a single unwanted message, if a
- software manufacturer finds a single message with a stolen product
- license key, if someone finds a message with unpatriotic content,
- it takes just a single database lookup to get a list of all people
- who received this particular message. Content filters with digest
- upload are the perfect "Big Brother".
-
-12.2.2. Black- and Whitelists
-
- Some proposals against spam are based on a central database of
- white- or blacklisted IP addresses, Sender names, Message IDs or
- whatever. Again, there is a central database which learns who has
- received which e-mail or from which sender with every query. This
- allows tracking relations between persons, which is also a breach
- of privacy.
-
-
-
-13. Deployment Considerations
-
-13.1. Compatibility
-
-13.1.1. Compatibility with old mail receivers
-
- Since the suggested extension doesn't change the SMTP protocol at
- all, it is fully compatible with old mail receivers. They simply
- don't ask for the RMX records and don't perform the check.
-
-13.1.2. Compatibility with old mail senders
-
- Since the SMTP protocol is unchanged and the SMTP sender is not
- involved in the check, the method is fully compatible with old mail
- senders.
-
-13.1.3. Compatibility with old DNS clients
-
- Since the RMX is a new RR, the existing DNS protocol and zone
- informations remain completely untouched.
-
- If RMX is provided as a TXT record instead, it must be ensured that
- no other software is misinterpreting this entry.
-
-13.1.4. Compatibility with old DNS servers
-
- Full compatibility: If the server does not support RMX records, RMX
- in TXT records can be used.
-
-
-
-Hadmut Danisch Experimental [Page 30]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
-13.2. Enforcement policy
-
- Obviously, for reasons of backward compatibility and smooth
- introduction of this scheme, RMX records can't be required
- immediately. Domains without RMX records must temporarily be
- treated the same way as they are treated right now, i.e. e-mail
- must be accepted from anywhere. But once the scheme becomes
- sufficiently widespread, mail relays can start to refuse e-mails
- with sender addresses from domains without RMX records, thus
- forcing the owner of the domain to include a statement of
- authorization into the domain's zone table. Domain owners will
- still be free to have an RMX record with a network and mask
- 0.0.0.0/0, i.e. to allow e-mails with that domain from everywhere.
- On the other hand, mail receivers will be free to refuse mails from
- domains without RMX records or RMX records which are too loose.
- Advanced MTAs might have a configuration option to set the maximum
- number of IP addresses authorized to use a domain. E-mails from a
- domain, which's RMX records exceed this limit, would be rejected.
- For example, a relay could reject e-mails from domains which
- authorize more than 8 IP addresses. That allows to accept e-mails
- only from domains with a reasonable security policy.
-
-
-
-14. General considerations about fighting spam
-
- Is there a concise technical solution against spam? Yes.
-
- Will it be deployed? Certainly not.
-
- Why not? Because of the strong non-technical interests of several
- parties against a solution to the problem, as described below.
- Since these are non-technical reasons, they might be beyond the
- scope of such a draft. But since they are the main problems that
- prevent fighting spam, it is unavoidable to address them. This
- chapter exists temporarily only and should support the discussion
- of solutions. It is not supposed to be included in a later RFC.
-
-14.1. The economical problem
-
- As has been recently illustrated in the initial session of the
- IRTF's Anti Spam Research Group (ASRG) on the 56th IETF meeting,
- sending spam is a business with significant revenues.
-
- But a much bigger business is selling Anti-Spam software. This is a
- billion dollar market, and it is rapidly growing. Any simple and
- effective solution against spam would defeat revenues and drive
- several companies into bankrupt, would make consultants jobless.
-
-
-
-Hadmut Danisch Experimental [Page 31]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- Therefore, spam is essential for the Anti-Spam business. If there
- is no spam, then no Anti-Spam software can be sold, similar to the
- Anti-Virus business. There are extremely strong efforts to keep
- this market growing. Viruses, Worms, and now spam are just perfect
- to keep this market alive: It is not sufficient to just buy a
- software. Databases need to be updated continuously, thus making
- the cash flow continuously. Have a single, simple, and permanent
- solution to the problem and - boom - this billion dollar market is
- dead.
-
- That's one of the reasons why people are expected to live with
- spam. They have to live with it to make them buy Anti-Spam
- software. Content filters are perfect products to keep this market
- alive.
-
-14.2. The POP problem
-
- Another problem is the history of mail delivery. Once upon a time,
- there used to be very few SMTP relays which handled the e-mail
- traffic of all the world, and everybody was happy with that. Then
- odd things like Personal Computers, which are sometimes switched
- off, portable computers, dynamicly assigned IP addresses, IP access
- from hotel rooms, etc. was invented, and people became unhappy,
- because SMTP does not support delivery to such machines. To make
- them happy again, the Post Office Protocol[4] was invented, which
- turned the last part of message delivery from SMTP's push style
- into a pull style, thus making virtually every computer on the
- world with any random IP address a potential receiver of mails for
- random domains. Unfortunately, only receiving e-mail was covered,
- but sending e-mail was left to SMTP.
-
- The result is that today we have only very few SMTP relays pointed
- to by MX records, but an extreme number of hosts sending e-mail
- with SMTP from any IP address with sender addresses from any
- domain. Mail delivery has become very asymmetric. Insecurity,
- especially forgeability, has become an essential part of mail
- transport.
-
- That problem could easily be fixed: Use protocols which allow
- uploading of messages to be delivered. If a host doesn't receive
- messages by SMTP, it shouldn't deliver by SMTP. Mail delivery
- should go the same way back that incoming mail went in. This is
- not a limitation to those people on the road who plug their
- portable computer in any hotel room's phone plug and use any
- provider. If there is a POP server granting download access from
- anywhere, then the same server should be ready to accept uploading
- of outgoing messages.
-
-
-
-
-Hadmut Danisch Experimental [Page 32]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- But as I saw from the comments on the first version of this draft,
- people religiously insist on sending e-mail with their domain from
- any computer with any IP address in the world, e.g. when visiting a
- friend using her computer. It appears to be impossible to convince
- people that stopping mail forgery requires every one of them to
- give up forging.
-
-14.3. The network structure problem
-
- A subsequent problem is that many organisations failed to implement
- a proper mail delivery structure and heavily based their network on
- this asymmetry. I received harsh comments from Universities who
- were unable to give their network a good structure. While they do
- have a central mail relay for incoming mail to the universities
- domain, they developed a structure where every member of the
- University randomly sends e-mails with that University's domain as
- a sender address from home or everywhere in the world with any
- dynamically assigned IP address from any provider. So this domain
- is to be used from every possible IP address on earth, and they are
- unable to operate any authentication scheme. Furthermore, they were
- unable to understand that such a policy heavily supports spam and
- that they have to expect that people don't accept such e-mails
- anymore once they become blacklisted.
-
- As long as organisations insist on having such policies, spammers
- will have a perfect playground.
-
-14.4. The mentality problem
-
- Another problem is the mentality of many internet users of certain
- countries. I received harsh comments from people who strongly
- insisted on the freedom to send any e-mail with any sender address
- from anywhere, and who heavily refused any kind of authentication
- step or any limitation, because they claimed that this would
- infringe their constitutional "Freedom of speech". They are
- undeviatingly convinced that "Freedom of speech" guarantees their
- right to talk to everybody with any sender address, and that is has
- to be kept the recipient's own problem to sort out what he doesn't
- want to read - on the recipient's expense.
-
- It requires a clear statement that the constitutional "Freedom of
- Speech" does not cover molesting people with unsolicited e-mail
- with forged sender address.
-
-14.5. The identity problem
-
- How does one fight against mail forgery? With authentication. What
- is authentication? In simple words: Making sure that the sender's
-
-
-
-Hadmut Danisch Experimental [Page 33]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
- real identity meets the recipients idea of who is the sender, based
- on the sender address which came with the message.
-
- What is identity? It is the main problem. Several countries have
- different ideas of "identity", which turn out to be somehow
- incompatible. In some countries people have identity cards and
- never change their name and birthday. Identities are created by
- human birth, not by identity changes. Other countries do not have
- such a tight idea about identity. People's temporary identity is
- based on nothing more than a driving license and a social security
- number. With this background, it is virtually impossible to create
- a trustworthy PKI covering all Internet users. I learned that it is
- extremely difficult to convince some people to give up random e-
- mail sending.
-
-14.6. The multi-legislation problem
-
- Many proposals about fighting spam are feasible under certain
- legislations only, and are inacceptable under some of the
- legislations. But a world wide applicable method is required.
- That's why the approach to ask everone on the world to sign
- messages with cryptographic keys is not feasible.
-
-
-Implementation and further Information
-
- Further informations and a test implementation are available at
-
- http://www.danisch.de/work/security/antispam.html
- http://www.danisch.de/software/rmx/
-
-
- Additional informations and a technology overview are also
- available at
-
- http://www.mikerubel.org/computers/rmx_records/
-
-
-References
-
-
-
-1. S. Bradner, "Key words for use in RFCs to Indicate Requirement Lev-
- els," RFC 2119 (March 1997).
-
-2. J. Klensin, "Simple Mail Transfer Protocol," RFC 2821 (April 2001).
-
-
-
-
-
-Hadmut Danisch Experimental [Page 34]
-
-INTERNET-DRAFT DNS RMX RR Oct 2003
-
-
-3. P. Mockapetris, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION,"
- RFC 1035 (November 1987).
-
-4. J. Myers, M. Rose, "Post Office Protocol - Version 3," RFC 1939
- (May 1996).
-
-
-Draft History
-
- 00 Dec 2002
- 01 Apr 2003
- 02 Jun 2003
- 03 Oct 2003
-
-Author's Address
-
- Hadmut Danisch
-
- Tennesseeallee 58
- 76149 Karlsruhe
- Germany
-
- Phone: ++49-721-843004 or ++49-351-4850477
- E-Mail: rfc@danisch.de
-
-Comments
-
- Please send comments to rfc@danisch.de.
-
-Expiry
-
- This drafts expires on Apr 1, 2004.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hadmut Danisch Experimental [Page 35]
-
diff --git a/contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt b/contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt
deleted file mode 100644
index 7b5e8cc4455b..000000000000
--- a/contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt
+++ /dev/null
@@ -1,241 +0,0 @@
-
-IETF DNSEXT WG Bill Manning
-draft-dnsext-opcode-discover-02.txt ep.net
- Paul Vixie
- ISC
- 13 Oct 2003
-
-
- The DISCOVER opcode
-
-This document is an Internet-Draft and is subject to all provisions of
-Section 10 of RFC2026.
-
-Comments may be submitted to the group mailing list at "mdns@zocalo.net"
-or the authors.
-
-Distribution of this memo is unlimited.
-
-Internet-Drafts are working documents of the Internet Engineering Task
-Force (IETF), its areas, and its working groups. Note that other groups
-may also distribute working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months and
-may be updated, replaced, or obsoleted by other documents at any time. It
-is inappropriate to use Internet-Drafts as reference material or to cite
-them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-The capitalized keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
-"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-document are to be interpreted as described in RFC 2119
-
-0. Abstract:
-
- The QUERY opcode in the DNS is designed for unicast. With the
- development of multicast capabilities in the DNS, it is desireable
- to have a more robust opcode for server interactions since a single
- request may generate replies from multiple responders. So DISCOVER
- is defined to deal with replies from multiple responders.
-
- As such, this document extends the core DNS specifications to allow
- clients to have a method for coping with replies from multiple
- responders. Use of this new opcode may facilitate DNS operations in
- modern networking topologies. A prototype of the DISCOVER opcode
- was developed during the TBDS project (1999-2000), funded under DARPA
- grant F30602-99-1-0523.
-
-1. Introduction:
-
- This document describes an experimental extension to the DNS to receive
- multiple responses which is the likely result when using DNS that has
- enabled multicast queries. This approach was developed as part of the
- TBDS research project, funded under DARPA grant F30602-99-1-0523. The
- full processing rules used by TBDS are documented here for possible
- incorporation in a future revision of the DNS specification."
-
-2. Method:
-
- DISCOVER works like QUERY except:
-
- 1. it can be sent to a broadcast or multicast destination. QUERY
- isn't defined for non-unicast, and arguably shouldn't be.
-
- 2. the Question section, if present, has <QNAME=zonename,QTYPE=SOA>
- tuples. TBDS tried to augment this structure as follows:
- <QNAME=service,QTYPE=SRV>. While this worked for our purposes in
- TBDS, it is cleaner to place the SRV question in a separate pass.
-
- 3. if QDCOUNT equals 0 then only servers willing to do recursion should
- answer. Other servers must silently discard the DISCOVER request.
-
- 4. if QDCOUNT is not equal to 0 then only servers who are authoritative
- for the zones named by some QNAME should answer.
-
- 5. responses may echo the request's Question section or leave it blank,
- just like QUERY.
-
- 6. responses have standard Answer, Authority, and Additional sections.
- e.g. the response is the same as that to a QUERY. It is desireable
- that zero content answers not be sent to avoid badly formed or
- unfulfilled requests. Responses should be sent to the unicast
- address of the requester and the source address should reflect
- the unicast address of the responder.
-
- Example usage for gethostby{name,addr}-style requestors:
-
- Compute the zone name of the enclosing in-addr.arpa, ip6.int, or
- ip6.arpa domain.
-
- DISCOVER whether anyone in-scope is authoritative for this zone.
-
- If so, query these authoritative servers for local
- in-addr/ip6 names.
-
- If not, DISCOVER whether there are recursive servers available.
-
- If so, query these recursive servers for local
- in-addr/ip6 names.
-
- So, a node will issue a multicast request with the DISCOVER opcode at
- some particular multicast scope. Then determine, from the replies,
- whether there are any DNS servers which are authoritative (or support
- recursion) for the zone. Replies to DISCOVER requests MUST set the
- Recursion Available (RA) flag in the DNS message header.
-
- It is important to recognize that a requester must be prepared to
- receive multiple replies from multiple responders. We expect that
- there will be a single response per responder.
-
- Once one learns a host's FQDN by the above means, repeat the process
- for discovering the closest enclosing authoritative server of such
- local name.
-
- Cache all NS and A data learned in this process, respecting TTL's.
-
- TBDS usage for SRV requestors:
-
- Do the gethostbyaddr() and gethostbyname() on one's own link-local
- address, using the above process.
-
- Assume that the closest enclosing zone for which an authority server
- answers an in-scope DISCOVER packet is "this host's parent domain".
-
- Compute the SRV name as _service._transport.*.parentdomain.
-
- This is a change to the definition as defined in RFC 1034.
- A wildcard label ("*") in the QNAME used in a DNS message with
- opcode DISCOVER SHOULD be evaluated with special rules. The
- wildcard matches any label for which the DNS server data is
- authoritative. For example 'x.*.example.com.' would match
- 'x.y.example.com.' and 'x.yy.example.com.' provided that the
- server was authoritative for 'example.com.' In this particular
- case, we suggest the follwing considerations be made:
-
- getservbyname() can be satisfied by issuing a request with
- this computed SRV name. This structure can be
- populated by values returned from a request as follows:
-
- s_name The name of the service, "_service" without the
- preceding underscore.
- s_aliases The names returned in the SRV RRs in replies
- to the query.
- s_port The port number in the SRV RRs replies to the
- query. If these port numbers disagree - one
- of the port numbers is chosen, and only those
- names which correspond are returned.
- s_proto The transport protocol from named by the
- "_transport" label, without the preceding
- underscore.
-
- Send SRV query for this name to discovered local authoritative servers.
-
- Usage for disconnected networks with no authoritative servers:
-
- Hosts should run a "stub server" which acts as though its FQDN is a
- zone name. Computed SOA gives the host's FQDN as MNAME, "." as the
- ANAME, seconds-since-1Jan2000 as the SERIAL, low constants for EXPIRE
- and the other timers. Compute NS as the host's FQDN. Compute the
- glue as the host's link-local address. Or Hosts may run a
- "DNS stub server" which acts as though its FQDN is a zone name. The
- rules governing the behavior of this stub server are given elsewhere
- [1] [2].
-
- Such stub servers should answer DISCOVER packets for its zone, and
- will be found by the iterative "discover closest enclosing authority
- server" by DISCOVER clients, either in the gethostbyname() or SRV
- cases described above. Note that stub servers only answer with
- zone names which exactly match QNAME's, not with zone names which
- are owned by QNAME's.
-
- The main deviation from the DNS[3][4] model is that a host (like, say, a
- printer offering LPD services) has a DNS server which answers authoritatively
- for something which hasn't been delegated to it. However, the only way that
- such DNS servers can be discovered is with a new opcode, DISCOVER, which
- is explicitly defined to discover undelegated zones for tightly scoped
- purposes. Therefore this isn't officially a violation of DNS's coherency
- principles. In some cases a responder to DISCOVER may not be traditional
- DNS software, it could be special purpose software.
-
-3. IANA Considerations
-
- As a new opcode, the IANA will need to assign a numeric value
- for the memnonic. The last OPCODE assigned was "5", for UPDATE.
- Test implementations have used OPCODE "6".
-
-4. Security Considerations
-
- No new security considerations are known to be introduced with any new
- opcode, however using multicast for service discovery has the potential
- for denial of service, primarly from flooding attacks. It may also be
- possible to enable deliberate misconfiguration of clients simply by
- running a malicious DNS resolver that claims to be authoritative for
- things that it is not. One possible way to mitigate this effect is by
- use of credentials, such as CERT resource records within an RR set.
- The TBDS project took this approach.
-
-5. Attribution:
-
- This material was generated in discussions on the mdns mailing list
-hosted by Zocalo in March 2000. Updated by discussion in September/October
-2003. David Lawrence, Scott Rose, Stuart Cheshire, Bill Woodcock,
-Erik Guttman, Bill Manning and Paul Vixie were active contributors.
-
-6. Author's Address
-
- Bill Manning
- PO 12317
- Marina del Rey, CA. 90295
- +1.310.322.8102
- bmanning@karoshi.com
-
- Paul Vixie
- Internet Software Consortium
- 950 Charter Street
- Redwood City, CA 94063
- +1 650 779 7001
- <vixie@isc.org>
-
-7. References
-
-Informational References:
-
-[1] Esibov, L., Aboba, B., Thaler, D., "Multicast DNS",
- draft-ietf-dnsext-mdns-00.txt, November 2000. Expired
-
-[2] Woodcock, B., Manning, B., "Multicast Domain Name Service",
- draft-manning-dnsext-mdns-00.txt, August 2000. Expired.
-
-Normative References:
-[3] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
- RFC 1034, November 1987.
-[4] Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION",
- RFC 1035, November 1987
-
- ----------------------------EOL-----------------------
-
diff --git a/contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt b/contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt
deleted file mode 100644
index 224e7ad1697e..000000000000
--- a/contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt
+++ /dev/null
@@ -1,240 +0,0 @@
-Internet Engineering Task Force Alain Durand
-INTERNET-DRAFT SUN Microsystems
-Feb 21, 2003
-Expires Aug 2, 2003
-
-
-
- Dynamic reverse DNS for IPv6
- <draft-durand-dnsop-dynreverse-00.txt>
-
-
-
-Status of this memo
-
-
- This memo provides information to the Internet community. It does
- not specify an Internet standard of any kind. This memo is in full
- conformance with all provisions of Section 10 of RFC2026 [RFC2026].
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-
-Abstract
-
- This document describes a method to dynamically generate PTR records
- and corresponding A or AAAA records when the reverse path DNS tree is
- not populated.
-
- A special domain dynrev.arpa. is reserved for that purpose.
-
-
-1. Introduction
-
- In IPv4, the reverse path tree of the DNS under in-addr.arpa.
- although not perfectly maintained, is still mostly usable and its
- existence is important for a number of applications that relies on
- its existence and decent status. Some applications performs some
- (very) weak security checks based on it. Mail relays relies on it for
- some anti-spams checks an some FTP server will not let you in unless
- your IP address resolve properly with a PTR record.
-
- IPv6 addresses being much longer (and cumbersome) than IPv4
- addresses, it is to fear that the reverse path tree under ip6.arpa.
- would not be as well maintained. Also, tools like 6to4, Isatap and
- others have made creative use of the 128 bits of an IPv6 address to
- automatically embed an IPv4 address to enable seamless connection to
- the IPv6 Internet. However, no provision has been made to make sure
- the reverse path tree gets automatically updated as well for those
- new IPv6 addresses. One step furter, RFC3041 describes a mechanism
- to basically use random bits in the bottom part of an IPv6 address to
- preserver anonymity. If those addresses are to resolve in the reverse
- path tree, it obviously has to be with anonymous data as well.
- Another point to note is that home customer ISPs in IPv4 have a
- current practice to pre-populate the reverse path tree with names
- automatically derived from the IP addresses. This practice is no
- longer possible in IPv6, where IP address allocation is not dense as
- it is the case in IPv4. The mere size of typical customer allocation
- (2^48 according to the recommendation of RFC3177) makes it
- impossible.
-
- Applications that check the existence of PTR records usually follow
- this by checking if the name pointed by the PTR resolve in a A (or
- AAAA for IPv6) that match the original IP address. Thus the forward
- path tree must also include the corresponding data.
-
- One simple approach of this problem is to simply declare the usage of
- the reverse path DNS as described above obsolete. The author believe
- this is too strong an approach for now.
-
- Similarly, a completely different approach would be to deprecate the
- usage of DNS for the reverse tree altogether and replace it by
- something inspired from ICMP name-info messages. The author believes
- that this approached is an important departure from the current
- practise and thus not very realistic. Also, there are some concerns
- about the the security implications of this method as any node could
- easily impersonate any name. This approach would fundamentally change
- the underlying assumption of "I trust what has been put in the DNS by
- the local administrators" to "I trust what has been configured on
- each machine I query directly".
-
-
-
-2. Dynamic record generation
-
- If static pre-population of the tree is not possible anymore and data
- still need to be returned to applications using getnameinfo(), the
- alternative is dynamic record generation. This can be done is two
- places: in the DNS servers responsible for the allocated space (/64
- or /48) in the ip6.arpa. domain. or in the DNS resolvers (either the
- sub resolver library or the recursive DNS server).
-
- 2.1. On the resolver side.
-
- The resolver, either in the recursive DNS server or in the stub
- library could theoretically generate this data.
-
- In case DNSsec is in place, the recursive DNS server would have to
- pretend these records are authentic.
-
- If the synthesis is done in the stub-resolver library, no record
- needs to be actually generated, only the right information needs to
- be passed to getnameinfo() and getaddrinfo(). If the synthesis is
- done in the recursive DNS server, no modification is required to
- existing stub resolvers.
-
-
-2.2. On the server side.
-
- PTR records could be generated automatically by the server
- responsible for the reverse path tree of an IPv6 prefix (a /64 or /48
- prefixes or basically anything in between) when static data is not
- available.
-
- There could be impact on DNSsec as the zone or some parts of the zone
- may need to be resigned each time a DNS query is made for an
- unpopulated address. This can be seen as a DOS attack on a DNSsec
- zone, so server side synthesis is not recommended if DNSsec is
- deployed.
-
-
-
-3. Synthesis
-
- The algorithm is simple: Do the normal queries. If the query returns
- No such domain, replace this answer by the synthetized one if
- possible.
-
-3.1. PTR synthesis
-
- The synthetized PTR for a DNS string [X] is simply [X].dynrev.arpa.
- where [X] is any valid DNS name.
-
- The fact that the synthetized PTR points to the dynrev.arpa. domain
- is an indication to the applications that this record has been
- dynamically generated.
-
-
-3.2. A synthesis
-
- If [X] is in the form a.b.c.d.in-addr.arpa, one can synthetized an A
- record for the string [X].dynrev.arpa. which value is d.c.b.a. with
- a,b,c & d being integer [0..255]
-
-
-3.3. AAAA synthesis
-
- If [X] is in the form
- a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.s.t.u.v.w.x.y.z.A.B.C.D.E.F.in-
- addr.arpa, one can synthetized a AAAA record for the string
- [X].dynrev.arpa. which value is
- FEDC:BAzy:xwvu:tsrq:ponm:lkji:hgfe:dcba with
- a,b,c....x,y,z,A,B,C,D,E,F being hexadecimal digits.
-
-
-3.4. Server side synthesis
-
- If synthesis is done on the server side, PTR could be set not to use
- the dynrev.arpa domain but the local domain name instead. It culd be
- for instance dynrev.mydomain.com.
-
- Note also that server side synthesis is not incompatible with
- resolver side synthesis.
-
-
-
-4. IANA considerations
-
- The dynrev.arpa. domain is reserved for the purpose of this document.
-
-
-
-5. Security considerations
-
- Section 2. discusses the the interactions with DNSsec.
-
-
-
-6. Authors addresses
-
- Alain Durand
- SUN Microsystems, Inc
- 17, Network Circle
- UMPK17-202
- Menlo Park, CA 94025
- USA
- Mail: Alain.Durand@sun.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-2929bis-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-2929bis-01.txt
deleted file mode 100644
index fa41e7635e2f..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-2929bis-01.txt
+++ /dev/null
@@ -1,928 +0,0 @@
-
-INTERNET-DRAFT Donald E. Eastlake 3rd
-Obsoletes RFC 2929, Updates RFC 1183 Motorola Laboratories
-Expires: February 2006 August 2005
-
-
-
- Domain Name System (DNS) IANA Considerations
- ------ ---- ------ ----- ---- --------------
- <draft-ietf-dnsext-2929bis-01.txt>
-
-
-
-Status of This Document
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Distribution of this draft is unlimited. It is intended to become
- the new BCP 42 obsoleting RFC 2929. Comments should be sent to the
- DNS Working Group mailing list <namedroppers@ops.ietf.org>.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-
-Abstract
-
- Internet Assigned Number Authority (IANA) parameter assignment
- considerations are given for the allocation of Domain Name System
- (DNS) classes, RR types, operation codes, error codes, RR header
- bits, and AFSDB subtypes.
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 1]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-Table of Contents
-
- Status of This Document....................................1
- Abstract...................................................1
-
- Table of Contents..........................................2
-
- 1. Introduction............................................3
- 2. DNS Query/Response Headers..............................3
- 2.1 One Spare Bit?.........................................4
- 2.2 Opcode Assignment......................................4
- 2.3 RCODE Assignment.......................................5
- 3. DNS Resource Records....................................6
- 3.1 RR TYPE IANA Considerations............................7
- 3.1.1 DNS TYPE Allocation Policy...........................8
- 3.1.2 Special Note on the OPT RR...........................9
- 3.1.3 The AFSDB RR Subtype Field...........................9
- 3.2 RR CLASS IANA Considerations...........................9
- 3.3 RR NAME Considerations................................11
- 4. Security Considerations................................11
-
- Appendix: Changes from RFC 2929...........................12
-
- Copyright and Disclaimer..................................13
- Normative References......................................13
- Informative References....................................14
-
- Authors Addresses.........................................16
- Expiration and File Name..................................16
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 2]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-1. Introduction
-
- The Domain Name System (DNS) provides replicated distributed secure
- hierarchical databases which hierarchically store "resource records"
- (RRs) under domain names. DNS data is structured into CLASSes and
- zones which can be independently maintained. See [RFC 1034, 1035,
- 2136, 2181, 4033] familiarity with which is assumed.
-
- This document provides, either directly or by reference, general IANA
- parameter assignment considerations applying across DNS query and
- response headers and all RRs. There may be additional IANA
- considerations that apply to only a particular RR type or
- query/response opcode. See the specific RFC defining that RR type or
- query/response opcode for such considerations if they have been
- defined, except for AFSDB RR considerations [RFC 1183] which are
- included herein. This RFC obsoletes [RFC 2929].
-
- IANA currently maintains a web page of DNS parameters. See
- <http://www.iana.org/numbers.htm>.
-
- "IETF Standards Action", "IETF Consensus", "Specification Required",
- and "Private Use" are as defined in [RFC 2434].
-
-
-
-2. DNS Query/Response Headers
-
- The header for DNS queries and responses contains field/bits in the
- following diagram taken from [RFC 2136, 2929]:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ID |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QDCOUNT/ZOCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ANCOUNT/PRCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | NSCOUNT/UPCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ARCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- The ID field identifies the query and is echoed in the response so
- they can be matched.
-
- The QR bit indicates whether the header is for a query or a response.
-
-
-D. Eastlake 3rd [Page 3]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
- The AA, TC, RD, RA, AD, and CD bits are each theoretically meaningful
- only in queries or only in responses, depending on the bit. However,
- many DNS implementations copy the query header as the initial value
- of the response header without clearing bits. Thus any attempt to
- use a "query" bit with a different meaning in a response or to define
- a query meaning for a "response" bit is dangerous given existing
- implementation. Such meanings may only be assigned by an IETF
- Standards Action.
-
- The unsigned fields query count (QDCOUNT), answer count (ANCOUNT),
- authority count (NSCOUNT), and additional information count (ARCOUNT)
- express the number of records in each section for all opcodes except
- Update. These fields have the same structure and data type for
- Update but are instead the counts for the zone (ZOCOUNT),
- prerequisite (PRCOUNT), update (UPCOUNT), and additional information
- (ARCOUNT) sections.
-
-
-
-2.1 One Spare Bit?
-
- There have been ancient DNS implementations for which the Z bit being
- on in a query meant that only a response from the primary server for
- a zone is acceptable. It is believed that current DNS
- implementations ignore this bit.
-
- Assigning a meaning to the Z bit requires an IETF Standards Action.
-
-
-
-2.2 Opcode Assignment
-
- Currently DNS OpCodes are assigned as follows:
-
- OpCode Name Reference
-
- 0 Query [RFC 1035]
- 1 IQuery (Inverse Query, Obsolete) [RFC 3425]
- 2 Status [RFC 1035]
- 3 available for assignment
- 4 Notify [RFC 1996]
- 5 Update [RFC 2136]
- 6-15 available for assignment
-
- New OpCode assignments require an IETF Standards Action as modified
- by [RFC 4020].
-
-
-
-
-
-
-D. Eastlake 3rd [Page 4]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-2.3 RCODE Assignment
-
- It would appear from the DNS header above that only four bits of
- RCODE, or response/error code are available. However, RCODEs can
- appear not only at the top level of a DNS response but also inside
- OPT RRs [RFC 2671], TSIG RRs [RFC 2845], and TKEY RRs [RFC 2930].
- The OPT RR provides an eight bit extension resulting in a 12 bit
- RCODE field and the TSIG and TKEY RRs have a 16 bit RCODE field.
-
- Error codes appearing in the DNS header and in these three RR types
- all refer to the same error code space with the single exception of
- error code 16 which has a different meaning in the OPT RR from its
- meaning in other contexts. See table below.
-
- RCODE Name Description Reference
- Decimal
- Hexadecimal
- 0 NoError No Error [RFC 1035]
- 1 FormErr Format Error [RFC 1035]
- 2 ServFail Server Failure [RFC 1035]
- 3 NXDomain Non-Existent Domain [RFC 1035]
- 4 NotImp Not Implemented [RFC 1035]
- 5 Refused Query Refused [RFC 1035]
- 6 YXDomain Name Exists when it should not [RFC 2136]
- 7 YXRRSet RR Set Exists when it should not [RFC 2136]
- 8 NXRRSet RR Set that should exist does not [RFC 2136]
- 9 NotAuth Server Not Authoritative for zone [RFC 2136]
- 10 NotZone Name not contained in zone [RFC 2136]
- 11 - 15 Available for assignment
- 16 BADVERS Bad OPT Version [RFC 2671]
- 16 BADSIG TSIG Signature Failure [RFC 2845]
- 17 BADKEY Key not recognized [RFC 2845]
- 18 BADTIME Signature out of time window [RFC 2845]
- 19 BADMODE Bad TKEY Mode [RPC 2930]
- 20 BADNAME Duplicate key name [RPF 2930]
- 21 BADALG Algorithm not supported [RPF 2930]
-
- 22 - 3,840
- 0x0016 - 0x0F00 Available for assignment
-
- 3,841 - 4,095
- 0x0F01 - 0x0FFF Private Use
-
- 4,096 - 65,534
- 0x1000 - 0xFFFE Available for assignment
-
- 65,535
- 0xFFFF Reserved, can only be allocated by an IETF
- Standards Action.
-
-
-
-D. Eastlake 3rd [Page 5]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
- Since it is important that RCODEs be understood for interoperability,
- assignment of new RCODE listed above as "available for assignment"
- requires an IETF Consensus.
-
-
-
-3. DNS Resource Records
-
- All RRs have the same top level format shown in the figure below
- taken from [RFC 1035]:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | |
- / /
- / NAME /
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TYPE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | CLASS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TTL |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | RDLENGTH |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
- / RDATA /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- NAME is an owner name, i.e., the name of the node to which this
- resource record pertains. NAMEs are specific to a CLASS as described
- in section 3.2. NAMEs consist of an ordered sequence of one or more
- labels each of which has a label type [RFC 1035, 2671].
-
- TYPE is a two octet unsigned integer containing one of the RR TYPE
- codes. See section 3.1.
-
- CLASS is a two octet unsigned integer containing one of the RR CLASS
- codes. See section 3.2.
-
- TTL is a four octet (32 bit) bit unsigned integer that specifies the
- number of seconds that the resource record may be cached before the
- source of the information should again be consulted. Zero is
- interpreted to mean that the RR can only be used for the transaction
- in progress.
-
- RDLENGTH is an unsigned 16 bit integer that specifies the length in
-
-
-D. Eastlake 3rd [Page 6]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
- octets of the RDATA field.
-
- RDATA is a variable length string of octets that constitutes the
- resource. The format of this information varies according to the TYPE
- and in some cases the CLASS of the resource record.
-
-
-
-3.1 RR TYPE IANA Considerations
-
- There are three subcategories of RR TYPE numbers: data TYPEs, QTYPEs,
- and MetaTYPEs.
-
- Data TYPEs are the primary means of storing data. QTYPES can only be
- used in queries. Meta-TYPEs designate transient data associated with
- an particular DNS message and in some cases can also be used in
- queries. Thus far, data TYPEs have been assigned from 1 upwards plus
- the block from 100 through 103 while Q and Meta Types have been
- assigned from 255 downwards except for the OPT Meta-RR which is
- assigned TYPE 41. There have been DNS implementations which made
- caching decisions based on the top bit of the bottom byte of the RR
- TYPE.
-
- There are currently three Meta-TYPEs assigned: OPT [RFC 2671], TSIG
- [RFC 2845], and TKEY [RFC 2930].
-
- There are currently five QTYPEs assigned: * (all), MAILA, MAILB,
- AXFR, and IXFR.
-
- Considerations for the allocation of new RR TYPEs are as follows:
-
- Decimal
- Hexadecimal
-
- 0
- 0x0000 - TYPE zero is used as a special indicator for the SIG RR [RFC
- 2535] and in other circumstances and must never be allocated
- for ordinary use.
-
- 1 - 127
- 0x0001 - 0x007F - remaining TYPEs in this range are assigned for data
- TYPEs by the DNS TYPE Allocation Policy as specified in
- section 3.1.1.
-
- 128 - 255
- 0x0080 - 0x00FF - remaining TYPEs in this rage are assigned for Q and
- Meta TYPEs by the DNS TYPE Allocation Policy as specified in
- section 3.1.1.
-
-
-
-
-D. Eastlake 3rd [Page 7]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
- 256 - 32,767
- 0x0100 - 0x7FFF - assigned for data, Q, or Meta TYPE use by the DNS
- TYPE Allocation Policy as specified in section 3.1.1.
-
- 32,768 - 65,279
- 0x8000 - 0xFEFF - Specification Required as defined in [RFC 2434].
-
- 65,280 - 65534
- 0xFF00 - 0xFFFE - Private Use.
-
- 65,535
- 0xFFFF - Reserved, can only be assigned by an IETF Standards Action.
-
-
-
-3.1.1 DNS TYPE Allocation Policy
-
- Parameter values specified above as assigned based on DNS TYPE
- Allocation Policy. That is, Expert Review with the additional
- requirement that the review be based on a complete template as
- specified below which has been posted for three weeks to the
- namedroppers@ops.ietf.org mailing list.
-
- Partial or draft templates may be posted with the intend of
- soliciting feedback.
-
-
- DNS RR TYPE PARAMETER ALLOCATION TEMPLATE
-
- Date:
-
- Name and email of originator:
-
- Pointer to internet-draft or other document giving a detailed
- description of the protocol use of the new RR Type:
-
- What need is the new RR TYPE intended to fix?
-
- What existing RR TYPE(s) come closest to filling that need and why are
- they unsatisfactory?
-
- Does the proposed RR TYPR require special handling within the DNS
- different from an Unknown RR TYPE?
-
- Comments:
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 8]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-3.1.2 Special Note on the OPT RR
-
- The OPT (OPTion) RR, number 41, is specified in [RFC 2671]. Its
- primary purpose is to extend the effective field size of various DNS
- fields including RCODE, label type, OpCode, flag bits, and RDATA
- size. In particular, for resolvers and servers that recognize it, it
- extends the RCODE field from 4 to 12 bits.
-
-
-
-3.1.3 The AFSDB RR Subtype Field
-
- The AFSDB RR [RFC 1183] is a CLASS insensitive RR that has the same
- RDATA field structure as the MX RR but the 16 bit unsigned integer
- field at the beginning of the RDATA is interpreted as a subtype as
- follows:
-
- Decimal
- Hexadecimal
-
- 0
- 0x0000 - Allocation requires IETF Standards Action.
-
- 1
- 0x0001 - Andrews File Service v3.0 Location Service [RFC 1183].
-
- 2
- 0x0002 - DCE/NCA root cell directory node [RFC 1183].
-
- 3 - 65,279
- 0x0003 - 0xFEFF - Allocation by IETF Consensus.
-
- 65,280 - 65,534
- 0xFF00 - 0xFFFE - Private Use.
-
- 65,535
- 0xFFFF - Reserved, allocation requires IETF Standards Action.
-
-
-
-3.2 RR CLASS IANA Considerations
-
- DNS CLASSes have been little used but constitute another dimension of
- the DNS distributed database. In particular, there is no necessary
- relationship between the name space or root servers for one CLASS and
- those for another CLASS. The same name can have completely different
- meanings in different CLASSes; however, the label types are the same
- and the null label is usable only as root in every CLASS. However,
- as global networking and DNS have evolved, the IN, or Internet, CLASS
- has dominated DNS use.
-
-
-D. Eastlake 3rd [Page 9]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
- There are two subcategories of DNS CLASSes: normal data containing
- classes and QCLASSes that are only meaningful in queries or updates.
-
- The current CLASS assignments and considerations for future
- assignments are as follows:
-
- Decimal
- Hexadecimal
-
- 0
- 0x0000 - Reserved, assignment requires an IETF Standards Action.
-
- 1
- 0x0001 - Internet (IN).
-
- 2
- 0x0002 - Available for assignment by IETF Consensus as a data CLASS.
-
- 3
- 0x0003 - Chaos (CH) [Moon 1981].
-
- 4
- 0x0004 - Hesiod (HS) [Dyer 1987].
-
- 5 - 127
- 0x0005 - 0x007F - available for assignment by IETF Consensus for data
- CLASSes only.
-
- 128 - 253
- 0x0080 - 0x00FD - available for assignment by IETF Consensus for
- QCLASSes only.
-
- 254
- 0x00FE - QCLASS None [RFC 2136].
-
- 255
- 0x00FF - QCLASS Any [RFC 1035].
-
- 256 - 32,767
- 0x0100 - 0x7FFF - Assigned by IETF Consensus.
-
- 32,768 - 65,279
- 0x8000 - 0xFEFF - Assigned based on Specification Required as defined
- in [RFC 2434].
-
- 65,280 - 65,534
- 0xFF00 - 0xFFFE - Private Use.
-
- 65,535
- 0xFFFF - Reserved, can only be assigned by an IETF Standards Action.
-
-
-D. Eastlake 3rd [Page 10]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-3.3 RR NAME Considerations
-
- DNS NAMEs are sequences of labels [RFC 1035]. The last label in each
- NAME is "ROOT" which is the zero length label. By definition, the
- null or ROOT label can not be used for any other NAME purpose.
-
- At the present time, there are two categories of label types, data
- labels and compression labels. Compression labels are pointers to
- data labels elsewhere within an RR or DNS message and are intended to
- shorten the wire encoding of NAMEs. The two existing data label
- types are sometimes referred to as Text and Binary. Text labels can,
- in fact, include any octet value including zero value octets but most
- current uses involve only [US-ASCII]. For retrieval, Text labels are
- defined to treat ASCII upper and lower case letter codes as matching
- [insensitive]. Binary labels are bit sequences [RFC 2673]. The
- Binary label type is Experimental [RFC 3363].
-
- IANA considerations for label types are given in [RFC 2671].
-
- NAMEs are local to a CLASS. The Hesiod [Dyer 1987] and Chaos [Moon
- 1981] CLASSes are essentially for local use. The IN or Internet
- CLASS is thus the only DNS CLASS in global use on the Internet at
- this time.
-
- A somewhat out-of-date description of name allocation in the IN Class
- is given in [RFC 1591]. Some information on reserved top level
- domain names is in BCP 32 [RFC 2606].
-
-
-
-4. Security Considerations
-
- This document addresses IANA considerations in the allocation of
- general DNS parameters, not security. See [RFC 4033, 4034, 4035] for
- secure DNS considerations.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 11]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-Appendix: Changes from RFC 2929
-
- RFC Editor: This Appendix should be deleted for publication.
-
- Changes from RFC 2929 to this draft:
-
- 1. Changed many "IETF Consensus" for RR TYPEs to be "DNS TYPE
- Allocation Policy" and add the specification of that policy. Change
- some remaining "IETF Standards Action" allocation requirements to say
- "as modified by [RFC 4020]".
-
- 2. Updated various RFC references.
-
- 3. Mentioned that the Binary label type is now Experimental and
- IQuery is Obsolete.
-
- 4. Changed allocation status of RR Type 0xFFFF and RCODE 0xFFFF to be
- IETF Standards Action required.
-
- 5. Add an IANA allocation policy for the AFSDB RR Subtype field.
-
- 6. Addition of reference to case insensitive draft.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 12]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-Copyright and Disclaimer
-
- Copyright (C) The Internet Society (2005). This document is subject to
- the rights, licenses and restrictions contained in BCP 78, and except
- as set forth therein, the authors retain all their rights.
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Normative References
-
- [RFC 1034] - Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] - Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC 1183] - Everhart, C., Mamakos, L., Ullmann, R., and P.
- Mockapetris, "New DNS RR Definitions", RFC 1183, October 1990.
-
- [RFC 1996] - Vixie, P., "A Mechanism for Prompt Notification of Zone
- Changes (DNS NOTIFY)", RFC 1996, August 1996.
-
- [RFC 2136] - Vixie, P., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [RFC 2181] - Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC 2434] - Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
- [RFC 2671] - Vixie, P., "Extension mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC 2673] - Crawford, M., "Binary Labels in the Domain Name System",
- RFC 2673, August 1999.
-
- [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake, D. and B.
- Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
- RFC 2845, May 2000.
-
-
-D. Eastlake 3rd [Page 13]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
- [RFC 2930] - Eastlake, D., "Secret Key Establishment for DNS (TKEY
- RR)", September 2000.
-
- [RFC 3363] - Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
- Hain, "Representing Internet Protocol version 6 (IPv6) Addresses in
- the Domain Name System (DNS)", RFC 3363, August 2002.
-
- [RFC 3425] - Lawrence, D., "Obsoleting IQUERY", RFC 3425, November
- 2002.
-
- [RFC 4020] - Kompella, K. and A. Zinin, "Early IANA Allocation of
- Standards Track Code Points", BCP 100, RFC 4020, February 2005.
-
- [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements", RFC 4033, March
- 2005.
-
- [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [RFC 4044] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security Extensions", RFC
- 4035, March 2005.
-
- [US-ASCII] - ANSI, "USA Standard Code for Information Interchange",
- X3.4, American National Standards Institute: New York, 1968.
-
-
-
-Informative References
-
- [Dyer 1987] - Dyer, S., and F. Hsu, "Hesiod", Project Athena
- Technical Plan - Name Service, April 1987,
-
- [Moon 1981] - D. Moon, "Chaosnet", A.I. Memo 628, Massachusetts
- Institute of Technology Artificial Intelligence Laboratory, June
- 1981.
-
- [RFC 1591] - Postel, J., "Domain Name System Structure and
- Delegation", RFC 1591, March 1994.
-
- [RFC 2929] - Eastlake 3rd, D., Brunner-Williams, E., and B. Manning,
- "Domain Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
- September 2000.
-
- [RFC 2606] - Eastlake, D. and A. Panitz, "Reserved Top Level DNS
- Names", RFC 2606, June 1999.
-
- [insensitive] - Eastlake, D., "Domain Name System (DNS) Case
-
-
-D. Eastlake 3rd [Page 14]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
- Insensitivity Clarification", draft-ietf-dnsext-insensitive-*.txt,
- work in progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 15]
-
-
-INTERNET-DRAFT DNS IANA Considerations August 2005
-
-
-Authors Addresses
-
- Donald E. Eastlake 3rd
- Motorola Laboratories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1-508-786-7554 (w)
- email: Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
- This draft expires February 2006.
-
- Its file name is draft-ietf-dnsext-2929bis-01.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 16]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt
deleted file mode 100644
index f0ce70ab1c99..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt
+++ /dev/null
@@ -1,393 +0,0 @@
-
-
-
-INTERNET-DRAFT Andreas Gustafsson
-draft-ietf-dnsext-axfr-clarify-05.txt Nominum Inc.
- November 2002
-
-
- DNS Zone Transfer Protocol Clarifications
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-Abstract
-
- In the Domain Name System, zone data is replicated among
- authoritative DNS servers by means of the "zone transfer" protocol,
- also known as the "AXFR" protocol. This memo clarifies, updates, and
- adds missing detail to the original AXFR protocol specification in
- RFC1034.
-
-1. Introduction
-
- The original definition of the DNS zone transfer protocol consists of
- a single paragraph in [RFC1034] section 4.3.5 and some additional
- notes in [RFC1035] section 6.3. It is not sufficiently detailed to
- serve as the sole basis for constructing interoperable
- implementations. This document is an attempt to provide a more
- complete definition of the protocol. Where the text in RFC1034
- conflicts with existing practice, the existing practice has been
- codified in the interest of interoperability.
-
-
-
-
-Expires May 2003 [Page 1]
-
-draft-ietf-dnsext-axfr-clarify-05.txt November 2002
-
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-2. The zone transfer request
-
- To initiate a zone transfer, the slave server sends a zone transfer
- request to the master server over a reliable transport such as TCP.
- The form of this request is specified in sufficient detail in RFC1034
- and needs no further clarification.
-
- Implementers are advised that one server implementation in widespread
- use sends AXFR requests where the TCP message envelope size exceeds
- the DNS request message size by two octets.
-
-3. The zone transfer response
-
- If the master server is unable or unwilling to provide a zone
- transfer, it MUST respond with a single DNS message containing an
- appropriate RCODE other than NOERROR. If the master is not
- authoritative for the requested zone, the RCODE SHOULD be 9
- (NOTAUTH).
-
- Slave servers should note that some master server implementations
- will simply close the connection when denying the slave access to the
- zone. Therefore, slaves MAY interpret an immediate graceful close of
- the TCP connection as equivalent to a "Refused" response (RCODE 5).
-
- If a zone transfer can be provided, the master server sends one or
- more DNS messages containing the zone data as described below.
-
-3.1. Multiple answers per message
-
- The zone data in a zone transfer response is a sequence of answer
- RRs. These RRs are transmitted in the answer section(s) of one or
- more DNS response messages.
-
- The AXFR protocol definition in RFC1034 does not make a clear
- distinction between response messages and answer RRs. Historically,
- DNS servers always transmitted a single answer RR per message. This
- encoding is wasteful due to the overhead of repeatedly sending DNS
- message headers and the loss of domain name compression
- opportunities. To improve efficiency, some newer servers support a
- mode where multiple RRs are transmitted in a single DNS response
- message.
-
- A master MAY transmit multiple answer RRs per response message up to
- the largest number that will fit within the 65535 byte limit on TCP
-
-
-
-Expires May 2003 [Page 2]
-
-draft-ietf-dnsext-axfr-clarify-05.txt November 2002
-
-
- DNS message size. In the case of a small zone, this can cause the
- entire transfer to be transmitted in a single response message.
-
- Slaves MUST accept messages containing any number of answer RRs. For
- compatibility with old slaves, masters that support sending multiple
- answers per message SHOULD be configurable to revert to the
- historical mode of one answer per message, and the configuration
- SHOULD be settable on a per-slave basis.
-
-3.2. DNS message header contents
-
- RFC1034 does not specify the contents of the DNS message header of
- the zone transfer response messages. The header of each message MUST
- be as follows:
-
- ID Copy from request
- QR 1
- OPCODE QUERY
- AA 1, but MAY be 0 when RCODE is not NOERROR
- TC 0
- RD Copy from request, or 0
- RA Set according to availability of recursion, or 0
- Z 0
- AD 0
- CD 0
- RCODE NOERROR on success, error code otherwise
-
- The slave MUST check the RCODE in each message and abort the transfer
- if it is not NOERROR. It SHOULD check the ID of the first message
- received and abort the transfer if it does not match the ID of the
- request. The ID SHOULD be ignored in subsequent messages, and fields
- other than RCODE and ID SHOULD be ignored in all messages, to ensure
- interoperability with certain older implementations which transmit
- incorrect or arbitrary values in these fields.
-
-3.3. Additional section and SIG processing
-
- Zone transfer responses are not subject to any kind of additional
- section processing or automatic inclusion of SIG records. SIG RRs in
- the zone data are treated exactly the same as any other RR type.
-
-3.4. The question section
-
- RFC1034 does not specify whether zone transfer response messages have
- a question section or not. The initial message of a zone transfer
- response SHOULD have a question section identical to that in the
- request. Subsequent messages SHOULD NOT have a question section,
- though the final message MAY. The receiving slave server MUST accept
-
-
-
-Expires May 2003 [Page 3]
-
-draft-ietf-dnsext-axfr-clarify-05.txt November 2002
-
-
- any combination of messages with and without a question section.
-
-3.5. The authority section
-
- The master server MUST transmit messages with an empty authority
- section. Slaves MUST ignore any authority section contents they may
- receive from masters that do not comply with this requirement.
-
-3.6. The additional section
-
- The additional section MAY contain additional RRs such as transaction
- signatures. The slave MUST ignore any unexpected RRs in the
- additional section. It MUST NOT treat additional section RRs as zone
- data.
-
-4. Zone data
-
- The purpose of the zone transfer mechanism is to exactly replicate at
- each slave the set of RRs associated with a particular zone at its
- primary master. An RR is associated with a zone by being loaded from
- the master file of that zone at the primary master server, or by some
- other, equivalent method for configuring zone data.
-
- This replication shall be complete and unaltered, regardless of how
- many and which intermediate masters/slaves are involved, and
- regardless of what other zones those intermediate masters/slaves do
- or do not serve, and regardless of what data may be cached in
- resolvers associated with the intermediate masters/slaves.
-
- Therefore, in a zone transfer the master MUST send exactly those
- records that are associated with the zone, whether or not their owner
- names would be considered to be "in" the zone for purposes of
- resolution, and whether or not they would be eligible for use as glue
- in responses. The transfer MUST NOT include any RRs that are not
- associated with the zone, such as RRs associated with zones other
- than the one being transferred or present in the cache of the local
- resolver, even if their owner names are in the zone being transferred
- or are pointed to by NS records in the zone being transferred.
-
- The slave MUST associate the RRs received in a zone transfer with the
- specific zone being transferred, and maintain that association for
- purposes of acting as a master in outgoing transfers.
-
-5. Transmission order
-
- RFC1034 states that "The first and last messages must contain the
- data for the top authoritative node of the zone". This is not
- consistent with existing practice. All known master implementations
-
-
-
-Expires May 2003 [Page 4]
-
-draft-ietf-dnsext-axfr-clarify-05.txt November 2002
-
-
- send, and slave implementations expect to receive, the zone's SOA RR
- as the first and last record of the transfer.
-
- Therefore, the quoted sentence is hereby superseded by the sentence
- "The first and last RR transmitted must be the SOA record of the
- zone".
-
- The initial and final SOA record MUST be identical, with the possible
- exception of case and compression. In particular, they MUST have the
- same serial number. The slave MUST consider the transfer to be
- complete when, and only when, it has received the message containing
- the second SOA record.
-
- The transmission order of all other RRs in the zone is undefined.
- Each of them SHOULD be transmitted only once, and slaves MUST ignore
- any duplicate RRs received.
-
-6. Security Considerations
-
- The zone transfer protocol as defined in [RFC1034] and clarified by
- this memo does not have any built-in mechanisms for the slave to
- securely verify the identity of the master server and the integrity
- of the transferred zone data. The use of a cryptographic mechanism
- for ensuring authenticity and integrity, such as TSIG [RFC2845],
- IPSEC, or TLS, is RECOMMENDED.
-
- The zone transfer protocol allows read-only public access to the
- complete zone data. Since data in the DNS is public by definition,
- this is generally acceptable. Sites that wish to avoid disclosing
- their full zone data MAY restrict zone transfer access to authorized
- slaves.
-
- These clarifications are not believed to themselves introduce any new
- security problems, nor to solve any existing ones.
-
-Acknowledgements
-
- Many people have contributed input and commentary to earlier versions
- of this document, including but not limited to Bob Halley, Dan
- Bernstein, Eric A. Hall, Josh Littlefield, Kevin Darcy, Robert Elz,
- Levon Esibov, Mark Andrews, Michael Patton, Peter Koch, Sam
- Trenholme, and Brian Wellington.
-
-References
-
- [RFC1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
- November 1987.
-
-
-
-
-Expires May 2003 [Page 5]
-
-draft-ietf-dnsext-axfr-clarify-05.txt November 2002
-
-
- [RFC1035] - Domain Names - Implementation and Specifications, P.
- Mockapetris, November 1987.
-
- [RFC2119] - Key words for use in RFCs to Indicate Requirement Levels,
- S. Bradner, BCP 14, March 1997.
-
- [RFC2845] - Secret Key Transaction Authentication for DNS (TSIG). P.
- Vixie, O. Gudmundsson, D. Eastlake, B. Wellington, May 2000.
-
-Author's Address
-
- Andreas Gustafsson
- Nominum Inc.
- 2385 Bay Rd
- Redwood City, CA 94063
- USA
-
- Phone: +1 650 381 6004
-
- Email: gson@nominum.com
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2000 - 2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implmentation may be prepared, copied, published and
- distributed, in whole or in part, without restriction of any kind,
- provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
-
-
-
-Expires May 2003 [Page 6]
-
-draft-ietf-dnsext-axfr-clarify-05.txt November 2002
-
-
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Expires May 2003 [Page 7]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt
deleted file mode 100644
index 09776618f2ae..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt
+++ /dev/null
@@ -1,561 +0,0 @@
-
-
-DNSEXT M. Stapp
-Internet-Draft Cisco Systems, Inc.
-Expires: January 14, 2005 T. Lemon
- A. Gustafsson
- Nominum, Inc.
- July 16, 2004
-
-
- A DNS RR for Encoding DHCP Information (DHCID RR)
- <draft-ietf-dnsext-dhcid-rr-08.txt>
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 14, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- It is possible for multiple DHCP clients to attempt to update the
- same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
- the clients themselves perform the DNS updates, conflicts can arise.
- To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
- proposes storing client identifiers in the DNS to unambiguously
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 1]
-
-Internet-Draft The DHCID RR July 2004
-
-
- associate domain names with the DHCP clients to which they refer.
- This memo defines a distinct RR type for this purpose for use by DHCP
- clients and servers, the "DHCID" RR.
-
-Table of Contents
-
- 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 4
- 3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . 4
- 3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . 4
- 3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . 4
- 3.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.5.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . 6
- 3.5.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . 6
- 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 6
- 5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 6
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
- 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 8
- 9.2 Informative References . . . . . . . . . . . . . . . . . . . 8
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9
- Intellectual Property and Copyright Statements . . . . . . . . 10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 2]
-
-Internet-Draft The DHCID RR July 2004
-
-
-1. Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [2].
-
-2. Introduction
-
- A set of procedures to allow DHCP [7] clients and servers to
- automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
- in "Resolution of DNS Name Conflicts" [1].
-
- Conflicts can arise if multiple DHCP clients wish to use the same DNS
- name. To resolve such conflicts, "Resolution of DNS Name Conflicts"
- [1] proposes storing client identifiers in the DNS to unambiguously
- associate domain names with the DHCP clients using them. In the
- interest of clarity, it is preferable for this DHCP information to
- use a distinct RR type. This memo defines a distinct RR for this
- purpose for use by DHCP clients or servers, the "DHCID" RR.
-
- In order to avoid exposing potentially sensitive identifying
- information, the data stored is the result of a one-way MD5 [5] hash
- computation. The hash includes information from the DHCP client's
- REQUEST message as well as the domain name itself, so that the data
- stored in the DHCID RR will be dependent on both the client
- identification used in the DHCP protocol interaction and the domain
- name. This means that the DHCID RDATA will vary if a single client
- is associated over time with more than one name. This makes it
- difficult to 'track' a client as it is associated with various domain
- names.
-
- The MD5 hash algorithm has been shown to be weaker than the SHA-1
- algorithm; it could therefore be argued that SHA-1 is a better
- choice. However, SHA-1 is significantly slower than MD5. A
- successful attack of MD5's weakness does not reveal the original data
- that was used to generate the signature, but rather provides a new
- set of input data that will produce the same signature. Because we
- are using the MD5 hash to conceal the original data, the fact that an
- attacker could produce a different plaintext resulting in the same
- MD5 output is not significant concern.
-
-3. The DHCID RR
-
- The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The
- DHCID RR is only defined in the IN class. DHCID RRs cause no
- additional section processing. The DHCID RR is not a singleton type.
-
-
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 3]
-
-Internet-Draft The DHCID RR July 2004
-
-
-3.1 DHCID RDATA format
-
- The RDATA section of a DHCID RR in transmission contains RDLENGTH
- bytes of binary data. The format of this data and its interpretation
- by DHCP servers and clients are described below.
-
- DNS software should consider the RDATA section to be opaque. DHCP
- clients or servers use the DHCID RR to associate a DHCP client's
- identity with a DNS name, so that multiple DHCP clients and servers
- may deterministically perform dynamic DNS updates to the same zone.
- From the updater's perspective, the DHCID resource record RDATA
- consists of a 16-bit identifier type, in network byte order, followed
- by one or more bytes representing the actual identifier:
-
- < 16 bits > DHCP identifier used
- < n bytes > MD5 digest
-
-
-3.2 DHCID Presentation Format
-
- In DNS master files, the RDATA is represented as a single block in
- base 64 encoding identical to that used for representing binary data
- in RFC 2535 [8]. The data may be divided up into any number of white
- space separated substrings, down to single base 64 digits, which are
- concatenated to form the complete RDATA. These substrings can span
- lines using the standard parentheses.
-
-3.3 The DHCID RR Type Codes
-
- The DHCID RR Type Code specifies what data from the DHCP client's
- request was used as input into the hash function. The type codes are
- defined in a registry maintained by IANA, as specified in Section 7.
- The initial list of assigned values for the type code is:
-
- 0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
- 0x0001 = The data portion from a DHCPv4 client's Client Identifier
- option [9].
- 0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
- client's Client Identifier option [10] or the DUID field from a
- DHCPv4 client's Client Identifier option [12]).
-
- 0x0003 - 0xfffe = Available to be assigned by IANA.
-
- 0xffff = RESERVED
-
-3.4 Computation of the RDATA
-
- The DHCID RDATA is formed by concatenating the two type bytes with
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 4]
-
-Internet-Draft The DHCID RR July 2004
-
-
- some variable-length identifying data.
-
- < type > < data >
-
- The RDATA for all type codes other than 0xffff, which is reserved for
- future expansion, is formed by concatenating the two type bytes and a
- 16-byte MD5 hash value. The input to the hash function is defined to
- be:
-
- data = MD5(< identifier > < FQDN >)
-
- The FQDN is represented in the buffer in unambiguous canonical form
- as described in RFC 2535 [8], section 8.1. The type code and the
- identifier are related as specified in Section 3.3: the type code
- describes the source of the identifier.
-
- When the updater is using the client's link-layer address as the
- identifier, the first two bytes of the DHCID RDATA MUST be zero. To
- generate the rest of the resource record, the updater computes a
- one-way hash using the MD5 algorithm across a buffer containing the
- client's network hardware type, link-layer address, and the FQDN
- data. Specifically, the first byte of the buffer contains the
- network hardware type as it appeared in the DHCP 'htype' field of the
- client's DHCPREQUEST message. All of the significant bytes of the
- chaddr field in the client's DHCPREQUEST message follow, in the same
- order in which the bytes appear in the DHCPREQUEST message. The
- number of significant bytes in the 'chaddr' field is specified in the
- 'hlen' field of the DHCPREQUEST message. The FQDN data, as specified
- above, follows.
-
- When the updater is using the DHCPv4 Client Identifier option sent by
- the client in its DHCPREQUEST message, the first two bytes of the
- DHCID RR MUST be 0x0001, in network byte order. The rest of the
- DHCID RR MUST contain the results of computing an MD5 hash across the
- payload of the option, followed by the FQDN. The payload of the
- option consists of the bytes of the option following the option code
- and length.
-
- When the updater is using the DHCPv6 DUID sent by the client in its
- REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
- in network byte order. The rest of the DHCID RR MUST contain the
- results of computing an MD5 hash across the payload of the option,
- followed by the FQDN. The payload of the option consists of the
- bytes of the option following the option code and length.
-
-3.5 Examples
-
-
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 5]
-
-Internet-Draft The DHCID RR July 2004
-
-
-3.5.1 Example 1
-
- A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
- Ethernet MAC address 01:02:03:04:05:06 using domain name
- "client.example.com" uses the client's link-layer address to identify
- the client. The DHCID RDATA is composed by setting the two type
- bytes to zero, and performing an MD5 hash computation across a buffer
- containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
- address, and the domain name (represented as specified in Section
- 3.4).
-
- client.example.com. A 10.0.0.1
- client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU
-
-
-3.5.2 Example 2
-
- A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
- included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
- in its DHCP request. The server updates the name "chi.example.com"
- on the client's behalf, and uses the DHCP client identifier option
- data as input in forming a DHCID RR. The DHCID RDATA is formed by
- setting the two type bytes to the value 0x0001, and performing an MD5
- hash computation across a buffer containing the seven bytes from the
- client-id option and the FQDN (represented as specified in Section
- 3.4).
-
- chi.example.com. A 10.0.12.99
- chi.example.com. DHCID AAHdd5jiQ3kEjANDm82cbObk\012
-
-
-4. Use of the DHCID RR
-
- This RR MUST NOT be used for any purpose other than that detailed in
- "Resolution of DNS Name Conflicts" [1]. Although this RR contains
- data that is opaque to DNS servers, the data must be consistent
- across all entities that update and interpret this record.
- Therefore, new data formats may only be defined through actions of
- the DHC Working Group, as a result of revising [1].
-
-5. Updater Behavior
-
- The data in the DHCID RR allows updaters to determine whether more
- than one DHCP client desires to use a particular FQDN. This allows
- site administrators to establish policy about DNS updates. The DHCID
- RR does not establish any policy itself.
-
- Updaters use data from a DHCP client's request and the domain name
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 6]
-
-Internet-Draft The DHCID RR July 2004
-
-
- that the client desires to use to compute a client identity hash, and
- then compare that hash to the data in any DHCID RRs on the name that
- they wish to associate with the client's IP address. If an updater
- discovers DHCID RRs whose RDATA does not match the client identity
- that they have computed, the updater SHOULD conclude that a different
- client is currently associated with the name in question. The
- updater SHOULD then proceed according to the site's administrative
- policy. That policy might dictate that a different name be selected,
- or it might permit the updater to continue.
-
-6. Security Considerations
-
- The DHCID record as such does not introduce any new security problems
- into the DNS. In order to avoid exposing private information about
- DHCP clients to public scrutiny, a one-way hash is used to obscure
- all client information. In order to make it difficult to 'track' a
- client by examining the names associated with a particular hash
- value, the FQDN is included in the hash computation. Thus, the RDATA
- is dependent on both the DHCP client identification data and on each
- FQDN associated with the client.
-
- Administrators should be wary of permitting unsecured DNS updates to
- zones which are exposed to the global Internet. Both DHCP clients
- and servers SHOULD use some form of update authentication (e.g., TSIG
- [11]) when performing DNS updates.
-
-7. IANA Considerations
-
- IANA is requested to allocate an RR type number for the DHCID record
- type.
-
- This specification defines a new number-space for the 16-bit type
- codes associated with the DHCID RR. IANA is requested to establish a
- registry of the values for this number-space.
-
- Three initial values are assigned in Section 3.3, and the value
- 0xFFFF is reserved for future use. New DHCID RR type codes are
- tentatively assigned after the specification for the associated type
- code, published as an Internet Draft, has received expert review by a
- designated expert. The final assignment of DHCID RR type codes is
- through Standards Action, as defined in RFC 2434 [6].
-
-8. Acknowledgements
-
- Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
- Ralph Droms for their review and suggestions.
-
-
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 7]
-
-Internet-Draft The DHCID RR July 2004
-
-
-9. References
-
-9.1 Normative References
-
- [1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
- DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.
-
- [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [3] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [4] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
- 1992.
-
- [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
-9.2 Informative References
-
- [7] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
- March 1997.
-
- [8] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
- Extensions", RFC 2132, March 1997.
-
- [10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
- Carney, "Dynamic Host Configuration Protocol for IPv6
- (DHCPv6)", RFC 3315, July 2003.
-
- [11] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC
- 2845, May 2000.
-
- [12] Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
- for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.
-
-
-
-
-
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 8]
-
-Internet-Draft The DHCID RR July 2004
-
-
-Authors' Addresses
-
- Mark Stapp
- Cisco Systems, Inc.
- 1414 Massachusetts Ave.
- Boxborough, MA 01719
- USA
-
- Phone: 978.936.1535
- EMail: mjs@cisco.com
-
-
- Ted Lemon
- Nominum, Inc.
- 950 Charter St.
- Redwood City, CA 94063
- USA
-
- EMail: mellon@nominum.com
-
-
- Andreas Gustafsson
- Nominum, Inc.
- 950 Charter St.
- Redwood City, CA 94063
- USA
-
- EMail: gson@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 9]
-
-Internet-Draft The DHCID RR July 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Stapp, et al. Expires January 14, 2005 [Page 10]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt
deleted file mode 100644
index 2cd972473d0c..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-09.txt
+++ /dev/null
@@ -1,562 +0,0 @@
-
-
-
-
-DNSEXT M. Stapp
-Internet-Draft Cisco Systems, Inc.
-Expires: August 13, 2005 T. Lemon
- A. Gustafsson
- Nominum, Inc.
- February 9, 2005
-
-
- A DNS RR for Encoding DHCP Information (DHCID RR)
- <draft-ietf-dnsext-dhcid-rr-09.txt>
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 13, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- It is possible for multiple DHCP clients to attempt to update the
- same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
- the clients themselves perform the DNS updates, conflicts can arise.
- To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 1]
-
-Internet-Draft The DHCID RR February 2005
-
-
- proposes storing client identifiers in the DNS to unambiguously
- associate domain names with the DHCP clients to which they refer.
- This memo defines a distinct RR type for this purpose for use by DHCP
- clients and servers, the "DHCID" RR.
-
-Table of Contents
-
- 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 4
- 3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . 4
- 3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . 4
- 3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . 4
- 3.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.5.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . 6
- 3.5.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . 6
- 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 6
- 5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 6
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
- 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 9.1 Normative References . . . . . . . . . . . . . . . . . . . 8
- 9.2 Informative References . . . . . . . . . . . . . . . . . . 8
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9
- Intellectual Property and Copyright Statements . . . . . . . . 10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 2]
-
-Internet-Draft The DHCID RR February 2005
-
-
-1. Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [2].
-
-2. Introduction
-
- A set of procedures to allow DHCP [7] clients and servers to
- automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
- in "Resolution of DNS Name Conflicts" [1].
-
- Conflicts can arise if multiple DHCP clients wish to use the same DNS
- name. To resolve such conflicts, "Resolution of DNS Name Conflicts"
- [1] proposes storing client identifiers in the DNS to unambiguously
- associate domain names with the DHCP clients using them. In the
- interest of clarity, it is preferable for this DHCP information to
- use a distinct RR type. This memo defines a distinct RR for this
- purpose for use by DHCP clients or servers, the "DHCID" RR.
-
- In order to avoid exposing potentially sensitive identifying
- information, the data stored is the result of a one-way MD5 [5] hash
- computation. The hash includes information from the DHCP client's
- REQUEST message as well as the domain name itself, so that the data
- stored in the DHCID RR will be dependent on both the client
- identification used in the DHCP protocol interaction and the domain
- name. This means that the DHCID RDATA will vary if a single client
- is associated over time with more than one name. This makes it
- difficult to 'track' a client as it is associated with various domain
- names.
-
- The MD5 hash algorithm has been shown to be weaker than the SHA-1
- algorithm; it could therefore be argued that SHA-1 is a better
- choice. However, SHA-1 is significantly slower than MD5. A
- successful attack of MD5's weakness does not reveal the original data
- that was used to generate the signature, but rather provides a new
- set of input data that will produce the same signature. Because we
- are using the MD5 hash to conceal the original data, the fact that an
- attacker could produce a different plaintext resulting in the same
- MD5 output is not significant concern.
-
-3. The DHCID RR
-
- The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The
- DHCID RR is only defined in the IN class. DHCID RRs cause no
- additional section processing. The DHCID RR is not a singleton type.
-
-
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 3]
-
-Internet-Draft The DHCID RR February 2005
-
-
-3.1 DHCID RDATA format
-
- The RDATA section of a DHCID RR in transmission contains RDLENGTH
- bytes of binary data. The format of this data and its interpretation
- by DHCP servers and clients are described below.
-
- DNS software should consider the RDATA section to be opaque. DHCP
- clients or servers use the DHCID RR to associate a DHCP client's
- identity with a DNS name, so that multiple DHCP clients and servers
- may deterministically perform dynamic DNS updates to the same zone.
- From the updater's perspective, the DHCID resource record RDATA
- consists of a 16-bit identifier type, in network byte order, followed
- by one or more bytes representing the actual identifier:
-
- < 16 bits > DHCP identifier used
- < n bytes > MD5 digest
-
-
-3.2 DHCID Presentation Format
-
- In DNS master files, the RDATA is represented as a single block in
- base 64 encoding identical to that used for representing binary data
- in RFC 2535 [8]. The data may be divided up into any number of white
- space separated substrings, down to single base 64 digits, which are
- concatenated to form the complete RDATA. These substrings can span
- lines using the standard parentheses.
-
-3.3 The DHCID RR Type Codes
-
- The DHCID RR Type Code specifies what data from the DHCP client's
- request was used as input into the hash function. The type codes are
- defined in a registry maintained by IANA, as specified in Section 7.
- The initial list of assigned values for the type code is:
-
- 0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
- 0x0001 = The data portion from a DHCPv4 client's Client Identifier
- option [9].
- 0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
- client's Client Identifier option [10] or the DUID field from a
- DHCPv4 client's Client Identifier option [12]).
-
- 0x0003 - 0xfffe = Available to be assigned by IANA.
-
- 0xffff = RESERVED
-
-3.4 Computation of the RDATA
-
- The DHCID RDATA is formed by concatenating the two type bytes with
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 4]
-
-Internet-Draft The DHCID RR February 2005
-
-
- some variable-length identifying data.
-
- < type > < data >
-
- The RDATA for all type codes other than 0xffff, which is reserved for
- future expansion, is formed by concatenating the two type bytes and a
- 16-byte MD5 hash value. The input to the hash function is defined to
- be:
-
- data = MD5(< identifier > < FQDN >)
-
- The FQDN is represented in the buffer in unambiguous canonical form
- as described in RFC 2535 [8], section 8.1. The type code and the
- identifier are related as specified in Section 3.3: the type code
- describes the source of the identifier.
-
- When the updater is using the client's link-layer address as the
- identifier, the first two bytes of the DHCID RDATA MUST be zero. To
- generate the rest of the resource record, the updater computes a
- one-way hash using the MD5 algorithm across a buffer containing the
- client's network hardware type, link-layer address, and the FQDN
- data. Specifically, the first byte of the buffer contains the
- network hardware type as it appeared in the DHCP 'htype' field of the
- client's DHCPREQUEST message. All of the significant bytes of the
- chaddr field in the client's DHCPREQUEST message follow, in the same
- order in which the bytes appear in the DHCPREQUEST message. The
- number of significant bytes in the 'chaddr' field is specified in the
- 'hlen' field of the DHCPREQUEST message. The FQDN data, as specified
- above, follows.
-
- When the updater is using the DHCPv4 Client Identifier option sent by
- the client in its DHCPREQUEST message, the first two bytes of the
- DHCID RR MUST be 0x0001, in network byte order. The rest of the
- DHCID RR MUST contain the results of computing an MD5 hash across the
- payload of the option, followed by the FQDN. The payload of the
- option consists of the bytes of the option following the option code
- and length.
-
- When the updater is using the DHCPv6 DUID sent by the client in its
- REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
- in network byte order. The rest of the DHCID RR MUST contain the
- results of computing an MD5 hash across the payload of the option,
- followed by the FQDN. The payload of the option consists of the
- bytes of the option following the option code and length.
-
-3.5 Examples
-
-
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 5]
-
-Internet-Draft The DHCID RR February 2005
-
-
-3.5.1 Example 1
-
- A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
- Ethernet MAC address 01:02:03:04:05:06 using domain name
- "client.example.com" uses the client's link-layer address to identify
- the client. The DHCID RDATA is composed by setting the two type
- bytes to zero, and performing an MD5 hash computation across a buffer
- containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
- address, and the domain name (represented as specified in
- Section 3.4).
-
- client.example.com. A 10.0.0.1
- client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU
-
-
-3.5.2 Example 2
-
- A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
- included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
- in its DHCP request. The server updates the name "chi.example.com"
- on the client's behalf, and uses the DHCP client identifier option
- data as input in forming a DHCID RR. The DHCID RDATA is formed by
- setting the two type bytes to the value 0x0001, and performing an MD5
- hash computation across a buffer containing the seven bytes from the
- client-id option and the FQDN (represented as specified in
- Section 3.4).
-
- chi.example.com. A 10.0.12.99
- chi.example.com. DHCID AAHdd5jiQ3kEjANDm82cbObk\012
-
-
-4. Use of the DHCID RR
-
- This RR MUST NOT be used for any purpose other than that detailed in
- "Resolution of DNS Name Conflicts" [1]. Although this RR contains
- data that is opaque to DNS servers, the data must be consistent
- across all entities that update and interpret this record.
- Therefore, new data formats may only be defined through actions of
- the DHC Working Group, as a result of revising [1].
-
-5. Updater Behavior
-
- The data in the DHCID RR allows updaters to determine whether more
- than one DHCP client desires to use a particular FQDN. This allows
- site administrators to establish policy about DNS updates. The DHCID
- RR does not establish any policy itself.
-
- Updaters use data from a DHCP client's request and the domain name
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 6]
-
-Internet-Draft The DHCID RR February 2005
-
-
- that the client desires to use to compute a client identity hash, and
- then compare that hash to the data in any DHCID RRs on the name that
- they wish to associate with the client's IP address. If an updater
- discovers DHCID RRs whose RDATA does not match the client identity
- that they have computed, the updater SHOULD conclude that a different
- client is currently associated with the name in question. The
- updater SHOULD then proceed according to the site's administrative
- policy. That policy might dictate that a different name be selected,
- or it might permit the updater to continue.
-
-6. Security Considerations
-
- The DHCID record as such does not introduce any new security problems
- into the DNS. In order to avoid exposing private information about
- DHCP clients to public scrutiny, a one-way hash is used to obscure
- all client information. In order to make it difficult to 'track' a
- client by examining the names associated with a particular hash
- value, the FQDN is included in the hash computation. Thus, the RDATA
- is dependent on both the DHCP client identification data and on each
- FQDN associated with the client.
-
- Administrators should be wary of permitting unsecured DNS updates to
- zones which are exposed to the global Internet. Both DHCP clients
- and servers SHOULD use some form of update authentication (e.g., TSIG
- [11]) when performing DNS updates.
-
-7. IANA Considerations
-
- IANA is requested to allocate an RR type number for the DHCID record
- type.
-
- This specification defines a new number-space for the 16-bit type
- codes associated with the DHCID RR. IANA is requested to establish a
- registry of the values for this number-space.
-
- Three initial values are assigned in Section 3.3, and the value
- 0xFFFF is reserved for future use. New DHCID RR type codes are
- tentatively assigned after the specification for the associated type
- code, published as an Internet Draft, has received expert review by a
- designated expert. The final assignment of DHCID RR type codes is
- through Standards Action, as defined in RFC 2434 [6].
-
-8. Acknowledgements
-
- Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
- Ralph Droms for their review and suggestions.
-
-
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 7]
-
-Internet-Draft The DHCID RR February 2005
-
-
-9. References
-
-9.1 Normative References
-
- [1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
- DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.
-
- [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [3] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [4] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
- 1992.
-
- [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
-9.2 Informative References
-
- [7] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
- March 1997.
-
- [8] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
- Extensions", RFC 2132, March 1997.
-
- [10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
- Carney, "Dynamic Host Configuration Protocol for IPv6
- (DHCPv6)", RFC 3315, July 2003.
-
- [11] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)",
- RFC 2845, May 2000.
-
- [12] Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
- for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.
-
-
-
-
-
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 8]
-
-Internet-Draft The DHCID RR February 2005
-
-
-Authors' Addresses
-
- Mark Stapp
- Cisco Systems, Inc.
- 1414 Massachusetts Ave.
- Boxborough, MA 01719
- USA
-
- Phone: 978.936.1535
- Email: mjs@cisco.com
-
-
- Ted Lemon
- Nominum, Inc.
- 950 Charter St.
- Redwood City, CA 94063
- USA
-
- Email: mellon@nominum.com
-
-
- Andreas Gustafsson
- Nominum, Inc.
- 950 Charter St.
- Redwood City, CA 94063
- USA
-
- Email: gson@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 9]
-
-Internet-Draft The DHCID RR February 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Stapp, et al. Expires August 13, 2005 [Page 10]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dns-name-p-s-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dns-name-p-s-00.txt
deleted file mode 100644
index 438e8008a4c7..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dns-name-p-s-00.txt
+++ /dev/null
@@ -1,1397 +0,0 @@
-DNS Extensions Working Group G. Sisson
-Internet-Draft B. Laurie
-Expires: January 11, 2006 Nominet
- July 10, 2005
-
-
- Derivation of DNS Name Predecessor and Successor
- draft-ietf-dnsext-dns-name-p-s-00
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 11, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document describes two methods for deriving the canonically-
- ordered predecessor and successor of a DNS name. These methods may
- be used for dynamic NSEC resource record synthesis, enabling
- security-aware name servers to provide authenticated denial of
- existence without disclosing other owner names in a DNSSEC-secured
- zone.
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 1]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Notational Conventions . . . . . . . . . . . . . . . . . . . . 3
- 3. Absolute Method . . . . . . . . . . . . . . . . . . . . . . . 4
- 3.1. Derivation of DNS Name Predecessor . . . . . . . . . . . . 4
- 3.2. Derivation of DNS Name Successor . . . . . . . . . . . . . 4
- 4. Modified Method . . . . . . . . . . . . . . . . . . . . . . . 5
- 4.1. Derivation of DNS Name Predecessor . . . . . . . . . . . . 6
- 4.2. Derivation of DNS Name Successor . . . . . . . . . . . . . 6
- 5. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
- 5.1. Case Considerations . . . . . . . . . . . . . . . . . . . 7
- 5.2. Choice of Range . . . . . . . . . . . . . . . . . . . . . 7
- 5.3. Wild Card Considerations . . . . . . . . . . . . . . . . . 8
- 5.4. Possible Modifications . . . . . . . . . . . . . . . . . . 8
- 5.4.1. Restriction of Effective Maximum DNS Name Length . . . 8
- 5.4.2. Use of Modified Method With Zones Containing
- SRV RRs . . . . . . . . . . . . . . . . . . . . . . . 9
- 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 6.1. Examples of Immediate Predecessors Using Absolute
- Method . . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 6.2. Examples of Immediate Successors Using Absolute Method . . 13
- 6.3. Examples of Predecessors Using Modified Method . . . . . . 19
- 6.4. Examples of Successors Using Modified Method . . . . . . . 20
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 21
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22
- 10.1. Normative References . . . . . . . . . . . . . . . . . . . 22
- 10.2. Informative References . . . . . . . . . . . . . . . . . . 22
- 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21
- Appendix A. Change History . . . . . . . . . . . . . . . . . . . 22
- A.1. Changes from sisson-02 to ietf-00 . . . . . . . . . . . . 22
- A.2. Changes from sisson-01 to sisson-02 . . . . . . . . . . . 23
- A.3. Changes from sisson-00 to sisson-01 . . . . . . . . . . . 23
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
- Intellectual Property and Copyright Statements . . . . . . . . . . 25
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 2]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
-1. Introduction
-
- One of the proposals for avoiding the exposure of zone information
- during the deployment DNSSEC is dynamic NSEC resource record (RR)
- synthesis. This technique is described in [I-D.ietf-dnsext-dnssec-
- trans] and [I-D.ietf-dnsext-dnssec-online-signing], and involves the
- generation of NSEC RRs that just span the query name for non-existent
- owner names. In order to do this, the DNS names which would occur
- just prior to and just following a given query name must be
- calculated in real time, as maintaining a list of all possible owner
- names that might occur in a zone would be impracticable.
-
- Section 6.1 of [RFC4034] defines canonical DNS name order. This
- document does not amend or modify this definition. However, the
- derivation of immediate predecessor and successor, while trivial, is
- non-obvious. Accordingly, several methods are described here as an
- aid to implementors and a reference to other interested parties.
-
- This document describes two methods:
-
- 1. An ``absolute method'', which returns the immediate predecessor
- or successor of a domain name such that no valid DNS name could
- exist between that DNS name and the predecessor or successor.
-
- 2. A ``modified method'', which returns a predecessor and successor
- which are more economical in size and computation. This method
- is restricted to use with zones consisting only of single-label
- owner names where a maximum-length owner name would not result in
- a DNS name exceeding the maximum DNS name length. This is,
- however, the type of zone for which the technique of online-
- signing is most likely to be used.
-
-
-2. Notational Conventions
-
- The following notational conventions are used in this document for
- economy of expression:
-
- N: An unspecified DNS name.
-
- P(N): Immediate predecessor to N (absolute method).
-
- S(N): Immediate successor to N (absolute method).
-
- P'(N): Predecessor to N (modified method).
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 3]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- S'(N): Successor to N (modified method).
-
-
-3. Absolute Method
-
- These derivations assume that all uppercase US-ASCII letters in N
- have already been replaced by their corresponding lowercase
- equivalents. Unless otherwise specified, processing stops after the
- first step in which a condition is met.
-
-3.1. Derivation of DNS Name Predecessor
-
- To derive P(N):
-
- 1. If N is the same as the owner name of the zone apex, prepend N
- repeatedly with labels of the maximum length possible consisting
- of octets of the maximum sort value (e.g. 0xff) until N is the
- maximum length possible; otherwise continue to the next step.
-
- 2. If the least significant (left-most) label of N consists of a
- single octet of the minimum sort value (e.g. 0x00), remove that
- label; otherwise continue to the next step.
-
- 3. If the least significant (right-most) octet in the least
- significant (left-most) label of N is the minimum sort value,
- remove the least significant octet and continue with step 5.
-
- 4. Decrement the value of the least significant (right-most) octet,
- skipping any values that correspond to uppercase US-ASCII
- letters, and then append the label with as many octets as
- possible of the maximum sort value. Continue to the next step.
-
- 5. Prepend N repeatedly with labels of as long a length as possible
- consisting of octets of the maximum sort value until N is the
- maximum length possible.
-
-3.2. Derivation of DNS Name Successor
-
- To derive S(N):
-
- 1. If N is two or more octets shorter than the maximum DNS name
- length, prepend N with a label containing a single octet of the
- minimum sort value (e.g. 0x00); otherwise continue to the next
- step.
-
- 2. If N is one or more octets shorter than the maximum DNS name
- length and the least significant (left-most) label is one or more
- octets shorter than the maximum label length, append an octet of
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 4]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- the minimum sort value to the least significant label; otherwise
- continue to the next step.
-
- 3. Increment the value of the least significant (right-most) octet
- in the least significant (left-most) label that is less than the
- maximum sort value (e.g. 0xff), skipping any values that
- correspond to uppercase US-ASCII letters, and then remove any
- octets to the right of that one. If all octets in the label are
- the maximum sort value, then continue to the next step.
-
- 4. Remove the least significant (left-most) label. If N is now the
- same as the owner name of the zone apex, do nothing. (This will
- occur only if N is the maximum possible name in canonical DNS
- name order, and thus has wrapped to the owner name of zone apex.)
- Otherwise repeat starting at step 2.
-
-
-4. Modified Method
-
- This method is for use with zones consisting only of single-label
- owner names where an owner name consisting of label of maximum length
- would not result in a DNS name which exceeded the maximum DNS name
- length. This method is computationally simpler and returns values
- which are more economical in size than the absolute method. It
- differs from the absolute method detailed above in the following
- ways:
-
- 1. Step 1 of the derivation P(N) has been omitted as the existence
- of the owner name of the zone apex never requires denial.
-
- 2. A new step 1 has been introduced which removes unnecessary
- labels.
-
- 3. Step 4 of the derivation P(N) has been omitted as it is only
- necessary for zones containing owner names consisting of more
- than one label. This omission generally results in a significant
- reduction of the length of derived predecessors.
-
- 4. Step 1 of the derivation S(N) had been omitted as it is only
- necessary for zones containing owner names consisting of more
- than one label. This omission results in a tiny reduction of the
- length of derived successors, and maintains consistency with the
- modification of step 4 of the derivation P(N) described above.
-
- 5. Steps 2 and 4 of the derivation S(N) have been modified to
- eliminate checks for maximum DNS name length, as it is an
- assumption of this method that no DNS name in the zone can exceed
- the maximum DNS name length.
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 5]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- These derivations assume that all uppercase US-ASCII letters in N
- have already been replaced by their corresponding lowercase
- equivalents. Unless otherwise specified, processing stops after the
- first step in which a condition is met.
-
-4.1. Derivation of DNS Name Predecessor
-
- To derive P'(N):
-
- 1. If N has more labels than the number of labels in the owner name
- of the apex + 1, repeatedly remove the least significant (left-
- most) label until N has no more labels than the number of labels
- in the owner name of the apex + 1; otherwise continue to next
- step.
-
- 2. If the least significant (left-most) label of N consists of a
- single octet of the minimum sort value (e.g. 0x00), remove that
- label; otherwise continue to the next step.
-
- 3. If the least significant (right-most) octet in the least
- significant (left-most) label of N is the minimum sort value,
- remove the least significant octet.
-
- 4. Decrement the value of the least significant (right-most) octet,
- skipping any values which correspond to uppercase US-ASCII
- letters, and then append the label with as many octets as
- possible of the maximum sort value.
-
-4.2. Derivation of DNS Name Successor
-
- To derive S'(N):
-
- 1. If N has more labels than the number of labels in the owner name
- of the apex + 1, repeatedly remove the least significant (left-
- most) label until N has no more labels than the number of labels
- in the owner name of the apex + 1. Continue to next step.
-
- 2. If the least significant (left-most) label of N is one or more
- octets shorter than the maximum label length, append an octet of
- the minimum sort value to the least significant label; otherwise
- continue to the next step.
-
- 3. Increment the value of the least significant (right-most) octet
- in the least significant (left-most) label that is less than the
- maximum sort value (e.g. 0xff), skipping any values which
- correspond to uppercase US-ASCII letters, and then remove any
- octets to the right of that one. If all octets in the label are
- the maximum sort value, then continue to the next step.
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 6]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- 4. Remove the least significant (left-most) label. (This will occur
- only if the least significant label is the maximum label length
- and consists entirely of octets of the maximum sort value, and
- thus has wrapped to the owner name of the zone apex.)
-
-
-5. Notes
-
-5.1. Case Considerations
-
- Section 3.5 of [RFC1034] specifies that "while upper and lower case
- letters are allowed in [DNS] names, no significance is attached to
- the case". Additionally, Section 6.1 of [RFC4034] states that when
- determining canonical DNS name order, "uppercase US-ASCII letters are
- treated as if they were lowercase US-ASCII letters". Consequently,
- values corresponding to US-ASCII uppercase letters must be skipped
- when decrementing and incrementing octets in the derivations
- described in Section 3.1 and Section 3.2.
-
- The following pseudo-code is illustrative:
-
- Decrement the value of an octet:
-
- if (octet == '[') // '[' is just after uppercase 'Z'
- octet = '@'; // '@' is just prior to uppercase 'A'
- else
- octet--;
-
- Increment the value of an octet:
-
- if (octet == '@') // '@' is just prior to uppercase 'A'
- octet = '['; // '[' is just after uppercase 'Z'
- else
- octet++;
-
-5.2. Choice of Range
-
- [RFC2181] makes the clarification that "any binary string whatever
- can be used as the label of any resource record". Consequently the
- minimum sort value may be set as 0x00 and the maximum sort value as
- 0xff, and the range of possible values will be any DNS name which
- contains octets of any value other than those corresponding to
- uppercase US-ASCII letters.
-
- However, if all owner names in a zone are in the letter-digit-hyphen,
- or LDH, format specified in [RFC1034], it may be desirable to
- restrict the range of possible values to DNS names containing only
- LDH values. This has the effect of:
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 7]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- 1. making the output of tools such as `dig' and `nslookup' less
- subject to confusion;
-
- 2. minimising the impact that NSEC RRs containing DNS names with
- non-LDH values (or non-printable values) might have on faulty DNS
- resolver implementations; and
-
- 3. preventing the possibility of results which are wildcard DNS
- names (see Section 5.3).
-
- This may be accomplished by using a minimum sort value of 0x1f (US-
- ASCII character `-') and a maximum sort value of 0x7a (US-ASCII
- character lowercase `z'), and then skipping non-LDH, non-lowercase
- values when incrementing or decrementing octets.
-
-5.3. Wild Card Considerations
-
- Neither derivation avoids the possibility that the result may be a
- DNS name containing a wildcard label, i.e. a label containing a
- single octet with the value 0x2a (US-ASCII character `*'). With
- additional tests, wildcard DNS names may be explicitly avoided;
- alternatively, if the range of octet values can be restricted to
- those corresponding to letter-digit-hyphen, or LDH, characters (see
- Section 5.2), such DNS names will not occur.
-
- Note that it is improbable that a result which is a wildcard DNS name
- will occur unintentionally; even if one does occur either as the
- owner name of, or in the RDATA of an NSEC RR, it is treated as a
- literal DNS name with no special meaning.
-
-5.4. Possible Modifications
-
-5.4.1. Restriction of Effective Maximum DNS Name Length
-
- [RFC1034] specifies that "the total number of octets that represent a
- [DNS] name (i.e., the sum of all label octets and label lengths) is
- limited to 255", including the null (zero-length) label which
- represents the root. For the purpose of deriving predecessors and
- successors during NSEC RR synthesis, the maximum DNS name length may
- be effectively restricted to the length of the longest DNS name in
- the zone. This will minimise the size of responses containing
- synthesised NSEC RRs but, especially in the case of the modified
- method, may result in some additional computational complexity.
-
- Note that this modification will have the effect of revealing
- information about the longest name in the zone. Moreover, when the
- contents of the zone changes, e.g. during dynamic updates and zone
- transfers, care must be taken to ensure that the effective maximum
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 8]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- DNS name length agrees with the new contents.
-
-5.4.2. Use of Modified Method With Zones Containing SRV RRs
-
- Normally the modified method cannot be used in zones that contain
- SRV RRs [RFC2782], as SRV RRs have owner names which contain multiple
- labels. However the use of SRV RRs can be accommodated by various
- techniques. There are at least four possible ways to do this:
-
- 1. Use conventional NSEC RRs for the region of the zone that
- contains first-level labels beginning with the underscore (`_')
- character. For the purposes of generating these NSEC RRs, the
- existence of (possibly fictional) ownernames `9{63}' and `a'
- could be assumed, providing a lower and upper bound for this
- region. Then all queries where the QNAME doesn't exist but
- contains a first-level label beginning with an underscore could
- be handled using the normal DNSSEC protocol.
-
- This approach would make it possible to enumerate all DNS names
- in the zone containing a first-level label beginning with
- underscore, including all SRV RRs, but this may be of less a
- concern to the zone administrator than incurring the overhead of
- the absolute method or of the following variants of the modified
- method.
-
- 2. The absolute method could be used for synthesising NSEC RRs for
- all queries where the QNAME contains a leading underscore.
- However this re-introduces the susceptibility of the absolute
- method to denial of service activity, as an attacker could send
- queries for an effectively inexhaustible supply of domain names
- beginning with a leading underscore.
-
- 3. A variant of the modified method could be used for synthesising
- NSEC RRs for all queries where the QNAME contains a leading
- underscore. This variant would assume that all predecessors and
- successors to queries where the QNAME contains a leading
- underscore may consist of two lablels rather than only one. This
- introduces a little additional complexity without incurring the
- full increase in response size and computational complexity as
- the absolute method.
-
- 4. Finally, a variant the modified method which assumes that all
- owner names in the zone consist of one or two labels could be
- used. However this negates much of the reduction in response
- size of the modified method and may be nearly as computationally
- complex as the absolute method.
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 9]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
-6. Examples
-
- In the following examples:
-
- the owner name of the zone apex is "example.com.";
-
- the range of octet values is 0x00 - 0xff excluding values
- corresponding to uppercase US-ASCII letters; and
-
- non-printable octet values are expressed as three-digit decimal
- numbers preceded by a backslash (as specified in Section 5.1 of
- [RFC1035]).
-
-6.1. Examples of Immediate Predecessors Using Absolute Method
-
- Example of typical case:
-
- P(foo.example.com.) =
-
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255.\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255.fon\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255.example.com.
-
- or, in alternate notation:
-
- \255{49}.\255{63}.\255{63}.fon\255{60}.example.com.
-
- where {n} represents the number of repetitions of an octet.
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 10]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where least significant (left-most) label of DNS name
- consists of a single octet of the minimum sort value:
-
- P(\000.foo.example.com.) = foo.example.com.
-
- Example where least significant (right-most) octet of least
- significant (left-most) label has the minimum sort value:
-
- P(foo\000.example.com.) =
-
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255.\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255.\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255.foo.example.com.
-
- or, in alternate notation:
-
- \255{45}.\255{63}.\255{63}.\255{63}.foo.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 11]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name contains an octet which must be decremented by
- skipping values corresponding to US-ASCII uppercase letters:
-
- P(fo\[.example.com.) =
-
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255.\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255.fo\@\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255.example.com.
-
- or, in alternate notation:
-
- \255{49}.\255{63}.\255{63}.fo\@\255{60}.example.com.
-
- where {n} represents the number of repetitions of an octet.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 12]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name is the owner name of the zone apex, and
- consequently wraps to the DNS name with the maximum possible sort
- order in the zone:
-
- P(example.com.) =
-
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255.\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255.\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.example.com.
-
- or, in alternate notation:
-
- \255{49}.\255{63}.\255{63}.\255{63}.example.com.
-
-6.2. Examples of Immediate Successors Using Absolute Method
-
- Example of typical case:
-
- S(foo.example.com.) = \000.foo.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 13]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name is one octet short of the maximum DNS name
- length:
-
- N = fooooooooooooooooooooooooooooooooooooooooooooooo
- .ooooooooooooooooooooooooooooooooooooooooooooooo
- oooooooooooooooo.ooooooooooooooooooooooooooooooo
- oooooooooooooooooooooooooooooooo.ooooooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo.example.com.
-
- or, in alternate notation:
-
- fo{47}.o{63}.o{63}.o{63}.example.com.
-
- S(N) =
-
- fooooooooooooooooooooooooooooooooooooooooooooooo
- \000.ooooooooooooooooooooooooooooooooooooooooooo
- oooooooooooooooooooo.ooooooooooooooooooooooooooo
- oooooooooooooooooooooooooooooooooooo.ooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- oooo.example.com.
-
- or, in alternate notation:
-
- fo{47}\000.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 14]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name is the maximum DNS name length:
-
- N = fooooooooooooooooooooooooooooooooooooooooooooooo
- o.oooooooooooooooooooooooooooooooooooooooooooooo
- ooooooooooooooooo.oooooooooooooooooooooooooooooo
- ooooooooooooooooooooooooooooooooo.oooooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- o.example.com.
-
- or, in alternate notation:
-
- fo{48}.o{63}.o{63}.o{63}.example.com.
-
- S(N) =
-
- fooooooooooooooooooooooooooooooooooooooooooooooo
- p.oooooooooooooooooooooooooooooooooooooooooooooo
- ooooooooooooooooo.oooooooooooooooooooooooooooooo
- ooooooooooooooooooooooooooooooooo.oooooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- o.example.com.
-
- or, in alternate notation:
-
- fo{47}p.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 15]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name is the maximum DNS name length and the least
- significant (left-most) label has the maximum sort value:
-
- N = \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.ooooooooooooooooooooooooooooooooooooooooooo
- oooooooooooooooooooo.ooooooooooooooooooooooooooo
- oooooooooooooooooooooooooooooooooooo.ooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- oooo.example.com.
-
- or, in alternate notation:
-
- \255{49}.o{63}.o{63}.o{63}.example.com.
-
- S(N) =
-
- oooooooooooooooooooooooooooooooooooooooooooooooo
- oooooooooooooop.oooooooooooooooooooooooooooooooo
- ooooooooooooooooooooooooooooooo.oooooooooooooooo
- ooooooooooooooooooooooooooooooooooooooooooooooo.
- example.com.
-
- or, in alternate notation:
-
- o{62}p.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 16]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name is the maximum DNS name length and the eight
- least significant (right-most) octets of the least significant (left-
- most) label have the maximum sort value:
-
- N = foooooooooooooooooooooooooooooooooooooooo\255
- \255\255\255\255\255\255\255.ooooooooooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooo.ooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- oooooooooooo.ooooooooooooooooooooooooooooooooooo
- oooooooooooooooooooooooooooo.example.com.
-
- or, in alternate notation:
-
- fo{40}\255{8}.o{63}.o{63}.o{63}.example.com.
-
- S(N) =
-
- fooooooooooooooooooooooooooooooooooooooop.oooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- ooooooooo.oooooooooooooooooooooooooooooooooooooo
- ooooooooooooooooooooooooo.oooooooooooooooooooooo
- ooooooooooooooooooooooooooooooooooooooooo.example.com.
-
- or, in alternate notation:
-
- fo{39}p.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 17]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name is the maximum DNS name length and contains an
- octet which must be incremented by skipping values corresponding to
- US-ASCII uppercase letters:
-
- N = fooooooooooooooooooooooooooooooooooooooooooooooo
- \@.ooooooooooooooooooooooooooooooooooooooooooooo
- oooooooooooooooooo.ooooooooooooooooooooooooooooo
- oooooooooooooooooooooooooooooooooo.ooooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- oo.example.com.
-
- or, in alternate notation:
-
- fo{47}\@.o{63}.o{63}.o{63}.example.com.
-
- S(N) =
-
- fooooooooooooooooooooooooooooooooooooooooooooooo
- \[.ooooooooooooooooooooooooooooooooooooooooooooo
- oooooooooooooooooo.ooooooooooooooooooooooooooooo
- oooooooooooooooooooooooooooooooooo.ooooooooooooo
- oooooooooooooooooooooooooooooooooooooooooooooooo
- oo.example.com.
-
- or, in alternate notation:
-
- fo{47}\[.o{63}.o{63}.o{63}.example.com.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 18]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name has the maximum possible sort order in the
- zone, and consequently wraps to the owner name of the zone apex:
-
- N = \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255.\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255.\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.example.com.
-
- or, in alternate notation:
-
- \255{49}.\255{63}.\255{63}.\255{63}.example.com.
-
- S(N) = example.com.
-
-6.3. Examples of Predecessors Using Modified Method
-
- Example of typical case:
-
- P'(foo.example.com.) =
-
- fon\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255.example.com.
-
- or, in alternate notation:
-
- fon\255{60}.example.com.
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 19]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where DNS name contains more labels than DNS names in the
- zone:
-
- P'(bar.foo.example.com.) = foo.example.com.
-
- Example where least significant (right-most) octet of least
- significant (left-most) label has the minimum sort value:
-
- P'(foo\000.example.com.) = foo.example.com.
-
- Example where least significant (left-most) label has the minimum
- sort value:
-
- P'(\000.example.com.) = example.com.
-
- Example where DNS name is the owner name of the zone apex, and
- consequently wraps to the DNS name with the maximum possible sort
- order in the zone:
-
- P'(example.com.) =
-
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255.example.com.
-
- or, in alternate notation:
-
- \255{63}.example.com.
-
-6.4. Examples of Successors Using Modified Method
-
- Example of typical case:
-
- S'(foo.example.com.) = foo\000.example.com.
-
- Example where DNS name contains more labels than DNS names in the
- zone:
-
- S'(bar.foo.example.com.) = foo\000.example.com.
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 20]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
- Example where least significant (left-most) label has the maximum
- sort value, and consequently wraps to the owner name of the zone
- apex:
-
- N = \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255.example.com.
-
- or, in alternate notation:
-
- \255{63}.example.com.
-
- S'(N) = example.com.
-
-
-7. Security Considerations
-
- The derivation of some predecessors/successors requires the testing
- of more conditions than others. Consequently the effectiveness of a
- denial-of-service attack may be enhanced by sending queries that
- require more conditions to be tested. The modified method involves
- the testing of fewer conditions than the absolute method and
- consequently is somewhat less susceptible to this exposure.
-
-
-8. IANA Considerations
-
- This document has no IANA actions.
-
- Note to RFC Editor: This section is included to make it clear during
- pre-publication review that this document has no IANA actions. It
- may therefore be removed should it be published as an RFC.
-
-
-9. Acknowledgments
-
- The authors would like to thank Olaf Kolkman, Olafur Gudmundsson and
- Niall O'Reilly for their review and input.
-
-
-10. References
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 21]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
-10.1 Normative References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
- specifying the location of services (DNS SRV)", RFC 2782,
- February 2000.
-
- [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions",
- RFC 4034, March 2005.
-
-10.2 Informative References
-
- [I-D.ietf-dnsext-dnssec-online-signing]
- Ihren, J. and S. Weiler, "Minimally Covering NSEC Records
- and DNSSEC On-line Signing",
- draft-ietf-dnsext-dnssec-online-signing-00 (work in
- progress), May 2005.
-
- [I-D.ietf-dnsext-dnssec-trans]
- Arends, R., Koch, P., and J. Schlyter, "Evaluating DNSSEC
- Transition Mechanisms",
- draft-ietf-dnsext-dnssec-trans-02 (work in progress),
- February 2005.
-
-
-Appendix A. Change History
-
-A.1. Changes from sisson-02 to ietf-00
-
- o Added notes on use of SRV RRs with modified method.
-
- o Changed reference from weiler-dnssec-online-signing to ietf-
- dnsext-dnssec-online-signing.
-
- o Changed reference from ietf-dnsext-dnssec-records to RFC 4034.
-
- o Miscellaneous minor changes to text.
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 22]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
-A.2. Changes from sisson-01 to sisson-02
-
- o Added modified version of derivation (with supporting examples).
-
- o Introduced notational conventions N, P(N), S(N), P'(N) and S'(N).
-
- o Added clarification to derivations about when processing stops.
-
- o Miscellaneous minor changes to text.
-
-A.3. Changes from sisson-00 to sisson-01
-
- o Split step 3 of derivation of DNS name predecessor into two
- distinct steps for clarity.
-
- o Added clarifying text and examples related to the requirement to
- avoid uppercase characters when decrementing or incrementing
- octets.
-
- o Added optimisation using restriction of effective maximum DNS name
- length.
-
- o Changed examples to use decimal rather than octal notation as per
- [RFC1035].
-
- o Corrected DNS name length of some examples.
-
- o Added reference to weiler-dnssec-online-signing.
-
- o Miscellaneous minor changes to text.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 23]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
-Authors' Addresses
-
- Geoffrey Sisson
- Nominet
- Sandford Gate
- Sandy Lane West
- Oxford
- OX4 6LB
- GB
-
- Phone: +44 1865 332339
- Email: geoff@nominet.org.uk
-
-
- Ben Laurie
- Nominet
- 17 Perryn Road
- London
- W3 7LR
- GB
-
- Phone: +44 20 8735 0686
- Email: ben@algroup.co.uk
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 24]
-
-Internet-Draft DNS Name Predecessor and Successor July 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Sisson & Laurie Expires January 11, 2006 [Page 25]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt
deleted file mode 100644
index bcc2b4ec516e..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt
+++ /dev/null
@@ -1,442 +0,0 @@
-
-
-INTERNET-DRAFT Samuel Weiler
-Expires: June 2004 December 15, 2003
-Updates: RFC 2535, [DS]
-
- Legacy Resolver Compatibility for Delegation Signer
- draft-ietf-dnsext-dnssec-2535typecode-change-06.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
- Comments should be sent to the author or to the DNSEXT WG mailing
- list: namedroppers@ops.ietf.org
-
-Abstract
-
- As the DNS Security (DNSSEC) specifications have evolved, the
- syntax and semantics of the DNSSEC resource records (RRs) have
- changed. Many deployed nameservers understand variants of these
- semantics. Dangerous interactions can occur when a resolver that
- understands an earlier version of these semantics queries an
- authoritative server that understands the new delegation signer
- semantics, including at least one failure scenario that will cause
- an unsecured zone to be unresolvable. This document changes the
- type codes and mnemonics of the DNSSEC RRs (SIG, KEY, and NXT) to
- avoid those interactions.
-
-Changes between 05 and 06:
-
- Signifigantly reworked the IANA section -- went back to one
- algorithm registry.
-
- Removed Diffie-Hellman from the list of zone-signing algorithms
- (leaving only DSA, RSA/SHA-1, and private algorithms).
-
- Added a DNSKEY flags field registry.
-
-Changes between 04 and 05:
-
- IESG approved publication.
-
- Cleaned up an internal reference in the acknowledgements section.
-
- Retained KEY and SIG for TKEY, too. Added TKEY (2930) reference.
-
- Changed the names of both new registries. Added algorithm
- mnemonics to the new zone signing algorithm registry. Minor
- rewording in the IANA section for clarity.
-
- Cleaned up formatting of references. Replaced unknown-rr draft
- references with RFC3597. Bumped DS version number.
-
-Changes between 03 and 04:
-
- Clarified that RRSIG(0) may be defined by standards action.
-
- Created a new algorithm registry and renamed the old algorithm
- registry for SIG(0) only. Added references to the appropriate
- crypto algorithm and format specifications.
-
- Several minor rephrasings.
-
-Changes between 02 and 03:
-
- KEY (as well as SIG) retained for SIG(0) use only.
-
-Changes between 01 and 02:
-
- SIG(0) still uses SIG, not RRSIG. Added 2931 reference.
-
- Domain names embedded in NSECs and RRSIGs are not compressible and
- are not downcased. Added unknown-rrs reference (as informative).
-
- Simplified the last paragraph of section 3 (NSEC doesn't always
- signal a negative answer).
-
- Changed the suggested type code assignments.
-
- Added 2119 reference.
-
- Added definitions of "unsecure delegation" and "unsecure referral",
- since they're not clearly defined elsewhere.
-
- Moved 2065 to informative references, not normative.
-
-1. Introduction
-
- The DNSSEC protocol has been through many iterations whose syntax
- and semantics are not completely compatible. This has occurred as
- part of the ordinary process of proposing a protocol, implementing
- it, testing it in the increasingly complex and diverse environment
- of the Internet, and refining the definitions of the initial
- Proposed Standard. In the case of DNSSEC, the process has been
- complicated by DNS's criticality and wide deployment and the need
- to add security while minimizing daily operational complexity.
-
- A weak area for previous DNS specifications has been lack of detail
- in specifying resolver behavior, leaving implementors largely on
- their own to determine many details of resolver function. This,
- combined with the number of iterations the DNSSEC spec has been
- through, has resulted in fielded code with a wide variety of
- behaviors. This variety makes it difficult to predict how a
- protocol change will be handled by all deployed resolvers. The
- risk that a change will cause unacceptable or even catastrophic
- failures makes it difficult to design and deploy a protocol change.
- One strategy for managing that risk is to structure protocol
- changes so that existing resolvers can completely ignore input that
- might confuse them or trigger undesirable failure modes.
-
- This document addresses a specific problem caused by Delegation
- Signer's [DS] introduction of new semantics for the NXT RR that are
- incompatible with the semantics in RFC 2535 [RFC2535]. Answers
- provided by DS-aware servers can trigger an unacceptable failure
- mode in some resolvers that implement RFC 2535, which provides a
- great disincentive to sign zones with DS. The changes defined in
- this document allow for the incremental deployment of DS.
-
-1.1 Terminology
-
- In this document, the term "unsecure delegation" means any
- delegation for which no DS record appears at the parent. An
- "unsecure referral" is an answer from the parent containing an NS
- RRset and a proof that no DS record exists for that name.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-1.2 The Problem
-
- Delegation Signer introduces new semantics for the NXT RR that are
- incompatible with the semantics in RFC 2535. In RFC 2535, NXT
- records were only required to be returned as part of a
- non-existence proof. With DS, an unsecure referral returns, in
- addition to the NS, a proof of non-existence of a DS RR in the form
- of an NXT and SIG(NXT). RFC 2535 didn't specify how a resolver was
- to interpret a response with both an NS and an NXT in the authority
- section, RCODE=0, and AA=0. Some widely deployed 2535-aware
- resolvers interpret any answer with an NXT as a proof of
- non-existence of the requested record. This results in unsecure
- delegations being invisible to 2535-aware resolvers and violates
- the basic architectural principle that DNSSEC must do no harm --
- the signing of zones must not prevent the resolution of unsecured
- delegations.
-
-2. Possible Solutions
-
- This section presents several solutions that were considered.
- Section 3 describes the one selected.
-
-2.1. Change SIG, KEY, and NXT type codes
-
- To avoid the problem described above, legacy (RFC2535-aware)
- resolvers need to be kept from seeing unsecure referrals that
- include NXT records in the authority section. The simplest way to
- do that is to change the type codes for SIG, KEY, and NXT.
-
- The obvious drawback to this is that new resolvers will not be able
- to validate zones signed with the old RRs. This problem already
- exists, however, because of the changes made by DS, and resolvers
- that understand the old RRs (and have compatibility issues with DS)
- are far more prevalent than 2535-signed zones.
-
-2.2. Change a subset of type codes
-
- The observed problem with unsecure referrals could be addressed by
- changing only the NXT type code or another subset of the type codes
- that includes NXT. This has the virtue of apparent simplicity, but
- it risks introducing new problems or not going far enough. It's
- quite possible that more incompatibilities exist between DS and
- earlier semantics. Legacy resolvers may also be confused by seeing
- records they recognize (SIG and KEY) while being unable to find
- NXTs. Although it may seem unnecessary to fix that which is not
- obviously broken, it's far cleaner to change all of the type codes
- at once. This will leave legacy resolvers and tools completely
- blinded to DNSSEC -- they will see only unknown RRs.
-
-2.3. Replace the DO bit
-
- Another way to keep legacy resolvers from ever seeing DNSSEC
- records with DS semantics is to have authoritative servers only
- send that data to DS-aware resolvers. It's been proposed that
- assigning a new EDNS0 flag bit to signal DS-awareness (tentatively
- called "DA"), and having authoritative servers send DNSSEC data
- only in response to queries with the DA bit set, would accomplish
- this. This bit would presumably supplant the DO bit described in
- RFC 3225.
-
- This solution is sufficient only if all 2535-aware resolvers zero
- out EDNS0 flags that they don't understand. If one passed through
- the DA bit unchanged, it would still see the new semantics, and it
- would probably fail to see unsecure delegations. Since it's
- impractical to know how every DNS implementation handles unknown
- EDNS0 flags, this is not a universal solution. It could, though,
- be considered in addition to changing the RR type codes.
-
-2.4. Increment the EDNS version
-
- Another possible solution is to increment the EDNS version number
- as defined in RFC 2671 [RFC2671], on the assumption that all
- existing implementations will reject higher versions than they
- support, and retain the DO bit as the signal for DNSSEC awareness.
- This approach has not been tested.
-
-2.5. Do nothing
-
- There is a large deployed base of DNS resolvers that understand
- DNSSEC as defined by the standards track RFC 2535 and RFC 2065
- and, due to under specification in those documents, interpret any
- answer with an NXT as a non-existence proof. So long as that is
- the case, zone owners will have a strong incentive to not sign any
- zones that contain unsecure delegations, lest those delegations be
- invisible to such a large installed base. This will dramatically
- slow DNSSEC adoption.
-
- Unfortunately, without signed zones there's no clear incentive for
- operators of resolvers to upgrade their software to support the new
- version of DNSSEC, as defined in [DS]. Historical data suggests
- that resolvers are rarely upgraded, and that old nameserver code
- never dies.
-
- Rather than wait years for resolvers to be upgraded through natural
- processes before signing zones with unsecure delegations,
- addressing this problem with a protocol change will immediately
- remove the disincentive for signing zones and allow widespread
- deployment of DNSSEC.
-
-3. Protocol changes
-
- This document changes the type codes of SIG, KEY, and NXT. This
- approach is the cleanest and safest of those discussed above,
- largely because the behavior of resolvers that receive unknown type
- codes is well understood. This approach has also received the most
- testing.
-
- To avoid operational confusion, it's also necessary to change the
- mnemonics for these RRs. DNSKEY will be the replacement for KEY,
- with the mnemonic indicating that these keys are not for
- application use, per [RFC3445]. RRSIG (Resource Record SIGnature)
- will replace SIG, and NSEC (Next SECure) will replace NXT. These
- new types completely replace the old types, except that SIG(0)
- [RFC2931] and TKEY [RFC2930] will continue to use SIG and KEY.
-
- The new types will have exactly the same syntax and semantics as
- specified for SIG, KEY, and NXT in RFC 2535 and [DS] except for
- the following:
-
- 1) Consistent with [RFC3597], domain names embedded in
- RRSIG and NSEC RRs MUST NOT be compressed,
-
- 2) Embedded domain names in RRSIG and NSEC RRs are not downcased
- for purposes of DNSSEC canonical form and ordering nor for
- equality comparison, and
-
- 3) An RRSIG with a type-covered field of zero has undefined
- semantics. The meaning of such a resource record may only be
- defined by IETF Standards Action.
-
- If a resolver receives the old types, it SHOULD treat them as
- unknown RRs and SHOULD NOT assign any special meaning to them or
- give them any special treatment. It MUST NOT use them for DNSSEC
- validations or other DNS operational decision making. For example,
- a resolver MUST NOT use DNSKEYs to validate SIGs or use KEYs to
- validate RRSIGs. If SIG, KEY, or NXT RRs are included in a zone,
- they MUST NOT receive special treatment. As an example, if a SIG
- is included in a signed zone, there MUST be an RRSIG for it.
- Authoritative servers may wish to give error messages when loading
- zones containing SIG or NXT records (KEY records may be included
- for SIG(0) or TKEY).
-
- As a clarification to previous documents, some positive responses,
- particularly wildcard proofs and unsecure referrals, will contain
- NSEC RRs. Resolvers MUST NOT treat answers with NSEC RRs as
- negative answers merely because they contain an NSEC.
-
-4. IANA Considerations
-
-4.1 DNS Resource Record Types
-
- This document updates the IANA registry for DNS Resource Record
- Types by assigning types 46, 47, and 48 to the RRSIG, NSEC, and
- DNSKEY RRs, respectively.
-
- Types 24 and 25 (SIG and KEY) are retained for SIG(0) [RFC2931] and
- TKEY [RFC2930] use only.
-
- Type 30 (NXT) should be marked as Obsolete.
-
-4.2 DNS Security Algorithm Numbers
-
- To allow zone signing (DNSSEC) and transaction security mechanisms
- (SIG(0) and TKEY) to use different sets of algorithms, the existing
- "DNS Security Algorithm Numbers" registry is modified to include
- the applicability of each algorithm. Specifically, two new columns
- are added to the registry, showing whether each algorithm may be
- used for zone signing, transaction security mechanisms, or both.
- Only algorithms usable for zone signing may be used in DNSKEY,
- RRSIG, and DS RRs. Only algorithms usable for SIG(0) and/or TSIG
- may be used in SIG and KEY RRs.
-
- All currently defined algorithms remain usable for transaction
- security mechanisms. Only RSA/SHA-1, DSA/SHA-1, and private
- algorithms (types 253 and 254) may be used for zone signing. Note
- that the registry does not contain the requirement level of each
- algorithm, only whether or not an algorithm may be used for the
- given purposes. For example, RSA/MD5, while allowed for
- transaction security mechanisms, is NOT RECOMMENDED, per RFC3110.
-
- Additionally, the presentation format algorithm mnemonics from
- RFC2535 Section 7 are added to the registry. This document assigns
- RSA/SHA-1 the mnemonic RSASHA1.
-
- As before, assignment of new algorithms in this registry requires
- IETF Standards Action. Additionally, modification of algorithm
- mnemonics or applicability requires IETF Standards Action.
- Documents defining a new algorithm must address the applicability
- of the algorithm and should assign a presentation mnemonic to the
- algorithm.
-
-4.3 DNSKEY Flags
-
- Like the KEY resource record, DNSKEY contains a 16-bit flags field.
- This document creates a new registry for the DNSKEY flags field.
-
- Initially, this registry only contains an assignment for bit 7 (the
- ZONE bit). Bits 0-6 and 8-15 are available for assignment by IETF
- Standards Action.
-
-4.4 DNSKEY Protocol Octet
-
- Like the KEY resource record, DNSKEY contains an eight bit protocol
- field. The only defined value for this field is 3 (DNSSEC). No
- other values are allowed, hence no IANA registry is needed for this
- field.
-
-5. Security Considerations
-
- The changes introduced here do not materially affect security.
- The implications of trying to use both new and legacy types
- together are not well understood, and attempts to do so would
- probably lead to unintended and dangerous results.
-
- Changing type codes will leave code paths in legacy resolvers that
- are never exercised. Unexercised code paths are a frequent source
- of security holes, largely because those code paths do not get
- frequent scrutiny.
-
- Doing nothing, as described in section 2.5, will slow DNSSEC
- deployment. While this does not decrease security, it also fails
- to increase it.
-
-6. Normative references
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [DS] Gudmundsson, O., "Delegation Signer Resource Record",
- draft-ietf-dnsext-delegation-signer-15.txt, work in
- progress, June 2003.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s)", RFC 2931, September 2000.
-
- [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-
- [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name
- System (DNS)", RFC 2436, March 1999.
-
- [RFC2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
- Domain Name System (DNS)", RFC 2539, March 1999.
-
- [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the
- Domain Name System (DNS)", RFC 3110, May 2001.
-
-7. Informative References
-
- [RFC2065] Eastlake, D. and C. Kaufman, "Domain Name System Security
- Extensions", RFC 2065, January 1997.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
- [RFC2929] Eastlake, D., E. Brunner-Williams, and B. Manning,
- "Domain Name System (DNS) IANA Considerations", BCP 42,
- RFC 2929, September 2000.
-
- [RFC3445] Massey, D., and S. Rose, "Limiting the Scope of the KEY
- Resource Record (RR)", RFC 3445, December 2002.
-
- [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource
- Record (RR) Types", RFC 3597, September 2003.
-
-8. Acknowledgments
-
- The changes introduced here and the analysis of alternatives had
- many contributors. With apologies to anyone overlooked, those
- include: Micheal Graff, John Ihren, Olaf Kolkman, Mark Kosters, Ed
- Lewis, Bill Manning, and Suzanne Woolf.
-
- Thanks to Jakob Schlyter and Mark Andrews for identifying the
- incompatibility described in section 1.2.
-
- In addition to the above, the author would like to thank Scott
- Rose, Olafur Gudmundsson, and Sandra Murphy for their substantive
- comments.
-
-9. Author's Address
-
- Samuel Weiler
- SPARTA, Inc.
- 7075 Samuel Morse Drive
- Columbia, MD 21046
- USA
- weiler@tislabs.com
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt
deleted file mode 100644
index 3a800f98880d..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-bis-updates-01.txt
+++ /dev/null
@@ -1,616 +0,0 @@
-
-
-
-Network Working Group S. Weiler
-Internet-Draft SPARTA, Inc
-Updates: 4034, 4035 (if approved) May 23, 2005
-Expires: November 24, 2005
-
-
- Clarifications and Implementation Notes for DNSSECbis
- draft-ietf-dnsext-dnssec-bis-updates-01
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on November 24, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document is a collection of minor technical clarifications to
- the DNSSECbis document set. It is meant to serve as a resource to
- implementors as well as an interim repository of possible DNSSECbis
- errata.
-
-
-
-
-
-
-
-Weiler Expires November 24, 2005 [Page 1]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
-Proposed additions in future versions
-
- An index sorted by the section of DNSSECbis being clarified.
-
- A list of proposed protocol changes being made in other documents,
- such as NSEC3 and Epsilon. This document would not make those
- changes, merely provide an index into the documents that are making
- changes.
-
-Changes between -00 and -01
-
- Document significantly restructured.
-
- Added section on QTYPE=ANY.
-
-Changes between personal submission and first WG draft
-
- Added Section 2.1 based on namedroppers discussions from March 9-10,
- 2005.
-
- Added Section 3.4, Section 3.3, Section 4.3, and Section 2.2.
-
- Added the DNSSECbis RFC numbers.
-
- Figured out the confusion in Section 4.1.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler Expires November 24, 2005 [Page 2]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
-Table of Contents
-
- 1. Introduction and Terminology . . . . . . . . . . . . . . . . . 4
- 1.1 Structure of this Document . . . . . . . . . . . . . . . . 4
- 1.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
- 2. Significant Concerns . . . . . . . . . . . . . . . . . . . . . 4
- 2.1 Clarifications on Non-Existence Proofs . . . . . . . . . . 4
- 2.2 Empty Non-Terminal Proofs . . . . . . . . . . . . . . . . 5
- 2.3 Validating Responses to an ANY Query . . . . . . . . . . . 5
- 3. Interoperability Concerns . . . . . . . . . . . . . . . . . . 5
- 3.1 Unknown DS Message Digest Algorithms . . . . . . . . . . . 5
- 3.2 Private Algorithms . . . . . . . . . . . . . . . . . . . . 6
- 3.3 Caution About Local Policy and Multiple RRSIGs . . . . . . 6
- 3.4 Key Tag Calculation . . . . . . . . . . . . . . . . . . . 7
- 4. Minor Corrections and Clarifications . . . . . . . . . . . . . 7
- 4.1 Finding Zone Cuts . . . . . . . . . . . . . . . . . . . . 7
- 4.2 Clarifications on DNSKEY Usage . . . . . . . . . . . . . . 7
- 4.3 Errors in Examples . . . . . . . . . . . . . . . . . . . . 8
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8
- 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 7.1 Normative References . . . . . . . . . . . . . . . . . . . 8
- 7.2 Informative References . . . . . . . . . . . . . . . . . . 9
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . 9
- A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
- Intellectual Property and Copyright Statements . . . . . . . . 11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler Expires November 24, 2005 [Page 3]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
-1. Introduction and Terminology
-
- This document lists some minor clarifications and corrections to
- DNSSECbis, as described in [1], [2], and [3].
-
- It is intended to serve as a resource for implementors and as a
- repository of items that need to be addressed when advancing the
- DNSSECbis documents from Proposed Standard to Draft Standard.
-
- In this version (-01 of the WG document), feedback is particularly
- solicited on the structure of the document and whether the text in
- the recently added sections is correct and sufficient.
-
- Proposed substantive additions to this document should be sent to the
- namedroppers mailing list as well as to the editor of this document.
- The editor would greatly prefer text suitable for direct inclusion in
- this document.
-
-1.1 Structure of this Document
-
- The clarifications to DNSSECbis are sorted according to the editor's
- impression of their importance, starting with ones which could, if
- ignored, lead to security and stability problems and progressing down
- to clarifications that are likely to have little operational impact.
- Mere typos and awkward phrasings are not addressed unless they could
- lead to misinterpretation of the DNSSECbis documents.
-
-1.2 Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [4].
-
-2. Significant Concerns
-
- This section provides clarifications that, if overlooked, could lead
- to security issues or major interoperability problems.
-
-2.1 Clarifications on Non-Existence Proofs
-
- RFC4035 Section 5.4 slightly underspecifies the algorithm for
- checking non-existence proofs. In particular, the algorithm there
- might incorrectly allow the NSEC from the parent side of a zone cut
- to prove the non-existence of either other RRs at that name in the
- child zone or other names in the child zone. It might also allow a
- NSEC at the same name as a DNAME to prove the non-existence of names
- beneath that DNAME.
-
-
-
-
-Weiler Expires November 24, 2005 [Page 4]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
- A parent-side delegation NSEC (one with the NS bit set, but no SOA
- bit set, and with a singer field that's shorter than the owner name)
- must not be used to assume non-existence of any RRs below that zone
- cut (both RRs at that ownername and at ownernames with more leading
- labels, no matter their content). Similarly, an NSEC with the DNAME
- bit set must not be used to assume the non-existence of any
- descendant of that NSEC's owner name.
-
-2.2 Empty Non-Terminal Proofs
-
- To be written, based on Roy Arends' May 11th message to namedroppers.
-
-2.3 Validating Responses to an ANY Query
-
- RFC4035 does not address now to validate responses when QTYPE=*. As
- described in Section 6.2.2 of RFC1034, a proper response to QTYPE=*
- may include a subset of the RRsets at a given name -- it is not
- necessary to include all RRsets at the QNAME in the response.
-
- When validating a response to QTYPE=*, validate all received RRsets
- that match QNAME and QCLASS. If any of those RRsets fail validation,
- treat the answer as Bogus. If there are no RRsets matching QNAME and
- QCLASS, validate that fact using the rules in RFC4035 Section 5.4 (as
- clarified in this document). To be clear, a validator must not
- insist on receiving all records at the QNAME in response to QTYPE=*.
-
-3. Interoperability Concerns
-
-3.1 Unknown DS Message Digest Algorithms
-
- Section 5.2 of RFC4035 includes rules for how to handle delegations
- to zones that are signed with entirely unsupported algorithms, as
- indicated by the algorithms shown in those zone's DS RRsets. It does
- not explicitly address how to handle DS records that use unsupported
- message digest algorithms. In brief, DS records using unknown or
- unsupported message digest algorithms MUST be treated the same way as
- DS records referring to DNSKEY RRs of unknown or unsupported
- algorithms.
-
- The existing text says:
-
- If the validator does not support any of the algorithms listed
- in an authenticated DS RRset, then the resolver has no supported
- authentication path leading from the parent to the child. The
- resolver should treat this case as it would the case of an
- authenticated NSEC RRset proving that no DS RRset exists, as
- described above.
-
-
-
-
-Weiler Expires November 24, 2005 [Page 5]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
- To paraphrase the above, when determining the security status of a
- zone, a validator discards (for this purpose only) any DS records
- listing unknown or unsupported algorithms. If none are left, the
- zone is treated as if it were unsigned.
-
- Modified to consider DS message digest algorithms, a validator also
- discards any DS records using unknown or unsupported message digest
- algorithms.
-
-3.2 Private Algorithms
-
- As discussed above, section 5.2 of RFC4035 requires that validators
- make decisions about the security status of zones based on the public
- key algorithms shown in the DS records for those zones. In the case
- of private algorithms, as described in RFC4034 Appendix A.1.1, the
- eight-bit algorithm field in the DS RR is not conclusive about what
- algorithm(s) is actually in use.
-
- If no private algorithms appear in the DS set or if any supported
- algorithm appears in the DS set, no special processing will be
- needed. In the remaining cases, the security status of the zone
- depends on whether or not the resolver supports any of the private
- algorithms in use (provided that these DS records use supported hash
- functions, as discussed in Section 3.1). In these cases, the
- resolver MUST retrieve the corresponding DNSKEY for each private
- algorithm DS record and examine the public key field to determine the
- algorithm in use. The security-aware resolver MUST ensure that the
- hash of the DNSKEY RR's owner name and RDATA matches the digest in
- the DS RR. If they do not match, and no other DS establishes that
- the zone is secure, the referral should be considered BAD data, as
- discussed in RFC4035.
-
- This clarification facilitates the broader use of private algorithms,
- as suggested by [5].
-
-3.3 Caution About Local Policy and Multiple RRSIGs
-
- When multiple RRSIGs cover a given RRset, RFC4035 Section 5.3.3
- suggests that "the local resolver security policy determines whether
- the resolver also has to test these RRSIG RRs and how to resolve
- conflicts if these RRSIG RRs lead to differing results." In most
- cases, a resolver would be well advised to accept any valid RRSIG as
- sufficient. If the first RRSIG tested fails validation, a resolver
- would be well advised to try others, giving a successful validation
- result if any can be validated and giving a failure only if all
- RRSIGs fail validation.
-
- If a resolver adopts a more restrictive policy, there's a danger that
-
-
-
-Weiler Expires November 24, 2005 [Page 6]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
- properly-signed data might unnecessarily fail validation, perhaps
- because of cache timing issues. Furthermore, certain zone management
- techniques, like the Double Signature Zone-signing Key Rollover
- method described in section 4.2.1.2 of [6] might not work reliably.
-
-3.4 Key Tag Calculation
-
- RFC4034 Appendix B.1 incorrectly defines the Key Tag field
- calculation for algorithm 1. It correctly says that the Key Tag is
- the most significant 16 of the least significant 24 bits of the
- public key modulus. However, RFC4034 then goes on to incorrectly say
- that this is 4th to last and 3rd to last octets of the public key
- modulus. It is, in fact, the 3rd to last and 2nd to last octets.
-
-4. Minor Corrections and Clarifications
-
-4.1 Finding Zone Cuts
-
- Appendix C.8 of RFC4035 discusses sending DS queries to the servers
- for a parent zone. To do that, a resolver may first need to apply
- special rules to discover what those servers are.
-
- As explained in Section 3.1.4.1 of RFC4035, security-aware name
- servers need to apply special processing rules to handle the DS RR,
- and in some situations the resolver may also need to apply special
- rules to locate the name servers for the parent zone if the resolver
- does not already have the parent's NS RRset. Section 4.2 of RFC4035
- specifies a mechanism for doing that.
-
-4.2 Clarifications on DNSKEY Usage
-
- Questions of the form "can I use a different DNSKEY for signing the
- X" have occasionally arisen.
-
- The short answer is "yes, absolutely". You can even use a different
- DNSKEY for each RRset in a zone, subject only to practical limits on
- the size of the DNSKEY RRset. However, be aware that there is no way
- to tell resolvers what a particularly DNSKEY is supposed to be used
- for -- any DNSKEY in the zone's signed DNSKEY RRset may be used to
- authenticate any RRset in the zone. For example, if a weaker or less
- trusted DNSKEY is being used to authenticate NSEC RRsets or all
- dynamically updated records, that same DNSKEY can also be used to
- sign any other RRsets from the zone.
-
- Furthermore, note that the SEP bit setting has no effect on how a
- DNSKEY may be used -- the validation process is specifically
- prohibited from using that bit by RFC4034 section 2.1.2. It possible
- to use a DNSKEY without the SEP bit set as the sole secure entry
-
-
-
-Weiler Expires November 24, 2005 [Page 7]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
- point to the zone, yet use a DNSKEY with the SEP bit set to sign all
- RRsets in the zone (other than the DNSKEY RRset). It's also possible
- to use a single DNSKEY, with or without the SEP bit set, to sign the
- entire zone, including the DNSKEY RRset itself.
-
-4.3 Errors in Examples
-
- The text in RFC4035 Section C.1 refers to the examples in B.1 as
- "x.w.example.com" while B.1 uses "x.w.example". This is painfully
- obvious in the second paragraph where it states that the RRSIG labels
- field value of 3 indicates that the answer was not the result of
- wildcard expansion. This is true for "x.w.example" but not for
- "x.w.example.com", which of course has a label count of 4
- (antithetically, a label count of 3 would imply the answer was the
- result of a wildcard expansion).
-
- The first paragraph of RFC4035 Section C.6 also has a minor error:
- the reference to "a.z.w.w.example" should instead be "a.z.w.example",
- as in the previous line.
-
-5. IANA Considerations
-
- This document specifies no IANA Actions.
-
-6. Security Considerations
-
- This document does not make fundamental changes to the DNSSEC
- protocol, as it was generally understood when DNSSECbis was
- published. It does, however, address some ambiguities and omissions
- in those documents that, if not recognized and addressed in
- implementations, could lead to security failures. In particular, the
- validation algorithm clarifications in Section 2 are critical for
- preserving the security properties DNSSEC offers. Furthermore,
- failure to address some of the interoperability concerns in Section 3
- could limit the ability to later change or expand DNSSEC, including
- by adding new algorithms.
-
-7. References
-
-7.1 Normative References
-
- [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
-
-
-Weiler Expires November 24, 2005 [Page 8]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
- [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
-7.2 Informative References
-
- [5] Blacka, D., "DNSSEC Experiments",
- draft-blacka-dnssec-experiments-00 (work in progress),
- December 2004.
-
- [6] Gieben, R. and O. Kolkman, "DNSSEC Operational Practices",
- draft-ietf-dnsop-dnssec-operational-practices-04 (work in
- progress), May 2005.
-
-
-Author's Address
-
- Samuel Weiler
- SPARTA, Inc
- 7075 Samuel Morse Drive
- Columbia, Maryland 21046
- US
-
- Email: weiler@tislabs.com
-
-Appendix A. Acknowledgments
-
- The editor is extremely grateful to those who, in addition to finding
- errors and omissions in the DNSSECbis document set, have provided
- text suitable for inclusion in this document.
-
- The lack of specificity about handling private algorithms, as
- described in Section 3.2, and the lack of specificity in handling ANY
- queries, as described in Section 2.3, were discovered by David
- Blacka.
-
- The error in algorithm 1 key tag calculation, as described in
- Section 3.4, was found by Abhijit Hayatnagarkar. Donald Eastlake
- contributed text for Section 3.4.
-
- The bug relating to delegation NSEC RR's in Section 2.1 was found by
- Roy Badami. Roy Arends found the related problem with DNAME.
-
- The errors in the RFC4035 examples were found by Roy Arends, who also
- contributed text for Section 4.3 of this document.
-
-
-
-Weiler Expires November 24, 2005 [Page 9]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
- The editor would like to thank Olafur Gudmundsson and Scott Rose for
- their substantive comments on the text of this document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler Expires November 24, 2005 [Page 10]
-
-Internet-Draft DNSSECbis Implementation Notes May 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Weiler Expires November 24, 2005 [Page 11]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
deleted file mode 100644
index ee03583a1306..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-experiments-01.txt
+++ /dev/null
@@ -1,784 +0,0 @@
-
-
-
-DNSEXT D. Blacka
-Internet-Draft Verisign, Inc.
-Expires: January 19, 2006 July 18, 2005
-
-
- DNSSEC Experiments
- draft-ietf-dnsext-dnssec-experiments-01
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 19, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- In the long history of the development of the DNS security extensions
- [1] (DNSSEC), a number of alternate methodologies and modifications
- have been proposed and rejected for practical, rather than strictly
- technical, reasons. There is a desire to be able to experiment with
- these alternate methods in the public DNS. This document describes a
- methodology for deploying alternate, non-backwards-compatible, DNSSEC
- methodologies in an experimental fashion without disrupting the
- deployment of standard DNSSEC.
-
-
-
-
-Blacka Expires January 19, 2006 [Page 1]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-Table of Contents
-
- 1. Definitions and Terminology . . . . . . . . . . . . . . . . 3
- 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 3. Experiments . . . . . . . . . . . . . . . . . . . . . . . . 5
- 4. Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 5. Defining an Experiment . . . . . . . . . . . . . . . . . . . 8
- 6. Considerations . . . . . . . . . . . . . . . . . . . . . . . 9
- 7. Transitions . . . . . . . . . . . . . . . . . . . . . . . . 10
- 8. Security Considerations . . . . . . . . . . . . . . . . . . 11
- 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . 12
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
- 10.1 Normative References . . . . . . . . . . . . . . . . . . 13
- 10.2 Informative References . . . . . . . . . . . . . . . . . 13
- Author's Address . . . . . . . . . . . . . . . . . . . . . . 13
- Intellectual Property and Copyright Statements . . . . . . . 14
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 2]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-1. Definitions and Terminology
-
- Throughout this document, familiarity with the DNS system (RFC 1035
- [4]) and the DNS security extensions ([1], [2], and [3].
-
- The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [5].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 3]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-2. Overview
-
- Historically, experimentation with DNSSEC alternatives has been a
- problematic endeavor. There has typically been a desire to both
- introduce non-backwards-compatible changes to DNSSEC, and to try
- these changes on real zones in the public DNS. This creates a
- problem when the change to DNSSEC would make all or part of the zone
- using those changes appear bogus (bad) or otherwise broken to
- existing DNSSEC-aware resolvers.
-
- This document describes a standard methodology for setting up public
- DNSSEC experiments. This methodology addresses the issue of co-
- existence with standard DNSSEC and DNS by using unknown algorithm
- identifiers to hide the experimental DNSSEC protocol modifications
- from standard DNSSEC-aware resolvers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 4]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-3. Experiments
-
- When discussing DNSSEC experiments, it is necessary to classify these
- experiments into two broad categories:
-
- Backwards-Compatible: describes experimental changes that, while not
- strictly adhering to the DNSSEC standard, are nonetheless
- interoperable with clients and server that do implement the DNSSEC
- standard.
-
- Non-Backwards-Compatible: describes experiments that would cause a
- standard DNSSEC-aware resolver to (incorrectly) determine that all
- or part of a zone is bogus, or to otherwise not interoperable with
- standard DNSSEC clients and servers.
-
- Not included in these terms are experiments with the core DNS
- protocol itself.
-
- The methodology described in this document is not necessary for
- backwards-compatible experiments, although it certainly could be used
- if desired.
-
- Note that, in essence, this metholodolgy would also be used to
- introduce a new DNSSEC algorithm, independently from any DNSSEC
- experimental protocol change.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 5]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-4. Method
-
- The core of the methodology is the use of strictly "unknown"
- algorithms to sign the experimental zone, and more importantly,
- having only unknown algorithm DS records for the delegation to the
- zone at the parent.
-
- This technique works because of the way DNSSEC-compliant validators
- are expected to work in the presence of a DS set with only unknown
- algorithms. From [3], Section 5.2:
-
- If the validator does not support any of the algorithms listed in
- an authenticated DS RRset, then the resolver has no supported
- authentication path leading from the parent to the child. The
- resolver should treat this case as it would the case of an
- authenticated NSEC RRset proving that no DS RRset exists, as
- described above.
-
- And further:
-
- If the resolver does not support any of the algorithms listed in
- an authenticated DS RRset, then the resolver will not be able to
- verify the authentication path to the child zone. In this case,
- the resolver SHOULD treat the child zone as if it were unsigned.
-
- While this behavior isn't strictly mandatory (as marked by MUST), it
- is unlikely that a validator would not implement the behavior, or,
- more to the point, it will not violate this behavior in an unsafe way
- (see below (Section 6).)
-
- Because we are talking about experiments, it is RECOMMENDED that
- private algorithm numbers be used (see [2], appendix A.1.1. Note
- that secure handling of private algorithms requires special handing
- by the validator logic. See [6] for futher details.) Normally,
- instead of actually inventing new signing algorithms, the recommended
- path is to create alternate algorithm identifiers that are aliases
- for the existing, known algorithms. While, strictly speaking, it is
- only necessary to create an alternate identifier for the mandatory
- algorithms, it is RECOMMENDED that all OPTIONAL defined algorithms be
- aliased as well.
-
- It is RECOMMENDED that for a particular DNSSEC experiment, a
- particular domain name base is chosen for all new algorithms, then
- the algorithm number (or name) is prepended to it. For example, for
- experiment A, the base name of "dnssec-experiment-a.example.com" is
- chosen. Then, aliases for algorithms 3 (DSA) and 5 (RSASHA1) are
- defined to be "3.dnssec-experiment-a.example.com" and "5.dnssec-
- experiment-a.example.com". However, any unique identifier will
-
-
-
-Blacka Expires January 19, 2006 [Page 6]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
- suffice.
-
- Using this method, resolvers (or, more specificially, DNSSEC
- validators) essentially indicate their ability to understand the
- DNSSEC experiment's semantics by understanding what the new algorithm
- identifiers signify.
-
- This method creates two classes of DNSSEC-aware servers and
- resolvers: servers and resolvers that are aware of the experiment
- (and thus recognize the experiments algorithm identifiers and
- experimental semantics), and servers and resolvers that are unware of
- the experiment.
-
- This method also precludes any zone from being both in an experiment
- and in a classic DNSSEC island of security. That is, a zone is
- either in an experiment and only experimentally validatable, or it
- isn't.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 7]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-5. Defining an Experiment
-
- The DNSSEC experiment must define the particular set of (previously
- unknown) algorithms that identify the experiment, and define what
- each unknown algorithm identifier means. Typically, unless the
- experiment is actually experimenting with a new DNSSEC algorithm,
- this will be a mapping of private algorithm identifiers to existing,
- known algorithms.
-
- Normally the experiment will choose a DNS name as the algorithm
- identifier base. This DNS name SHOULD be under the control of the
- authors of the experiment. Then the experiment will define a mapping
- between known mandatory and optional algorithms into this private
- algorithm identifier space. Alternately, the experiment MAY use the
- OID private algorithm space instead (using algorithm number 254), or
- may choose non-private algorithm numbers, although this would require
- an IANA allocation (see below (Section 9).)
-
- For example, an experiment might specify in its description the DNS
- name "dnssec-experiment-a.example.com" as the base name, and provide
- the mapping of "3.dnssec-experiment-a.example.com" is an alias of
- DNSSEC algorithm 3 (DSA), and "5.dnssec-experiment-a.example.com" is
- an alias of DNSSEC algorithm 5 (RSASHA1).
-
- Resolvers MUST then only recognize the experiment's semantics when
- present in a zone signed by one or more of these private algorithms.
-
- In general, however, resolvers involved in the experiment are
- expected to understand both standard DNSSEC and the defined
- experimental DNSSEC protocol, although this isn't required.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 8]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-6. Considerations
-
- There are a number of considerations with using this methodology.
-
- 1. Under some circumstances, it may be that the experiment will not
- be sufficiently masked by this technique and may cause resolution
- problem for resolvers not aware of the experiment. For instance,
- the resolver may look at the not validatable response and
- conclude that the response is bogus, either due to local policy
- or implementation details. This is not expected to be the common
- case, however.
-
- 2. In general, it will not be possible for DNSSEC-aware resolvers
- not aware of the experiment to build a chain of trust through an
- experimental zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 9]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-7. Transitions
-
- If an experiment is successful, there may be a desire to move the
- experiment to a standards-track extension. One way to do so would be
- to move from private algorithm numbers to IANA allocated algorithm
- numbers, with otherwise the same meaning. This would still leave a
- divide between resolvers that understood the extension versus
- resolvers that did not. It would, in essence, create an additional
- version of DNSSEC.
-
- An alternate technique might be to do a typecode rollover, thus
- actually creating a definitive new version of DNSSEC. There may be
- other transition techniques available, as well.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 10]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-8. Security Considerations
-
- Zones using this methodology will be considered insecure by all
- resolvers except those aware of the experiment. It is not generally
- possible to create a secure delegation from an experimental zone that
- will be followed by resolvers unaware of the experiment.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 11]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-9. IANA Considerations
-
- IANA may need to allocate new DNSSEC algorithm numbers if that
- transition approach is taken, or the experiment decides to use
- allocated numbers to begin with. No IANA action is required to
- deploy an experiment using private algorithm identifiers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 12]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-10. References
-
-10.1 Normative References
-
- [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
-10.2 Informative References
-
- [4] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [6] Weiler, S., "Clarifications and Implementation Notes for
- DNSSECbis", draft-weiler-dnsext-dnssec-bis-updates-00 (work in
- progress), March 2005.
-
-
-Author's Address
-
- David Blacka
- Verisign, Inc.
- 21355 Ridgetop Circle
- Dulles, VA 20166
- US
-
- Phone: +1 703 948 3200
- Email: davidb@verisign.com
- URI: http://www.verisignlabs.com
-
-
-
-
-
-
-
-
-
-
-
-Blacka Expires January 19, 2006 [Page 13]
-
-Internet-Draft DNSSEC Experiments July 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Blacka Expires January 19, 2006 [Page 14]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt
deleted file mode 100644
index 0783e7b26e14..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt
+++ /dev/null
@@ -1,1457 +0,0 @@
-
-
-DNS Extensions R. Arends
-Internet-Draft Telematica Instituut
-Expires: January 13, 2005 R. Austein
- ISC
- M. Larson
- VeriSign
- D. Massey
- USC/ISI
- S. Rose
- NIST
- July 15, 2004
-
-
- DNS Security Introduction and Requirements
- draft-ietf-dnsext-dnssec-intro-11
-
-Status of this Memo
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 13, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- The Domain Name System Security Extensions (DNSSEC) add data origin
- authentication and data integrity to the Domain Name System. This
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 1]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- document introduces these extensions, and describes their
- capabilities and limitations. This document also discusses the
- services that the DNS security extensions do and do not provide.
- Last, this document describes the interrelationships between the
- group of documents that collectively describe DNSSEC.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Definitions of Important DNSSEC Terms . . . . . . . . . . . . 4
- 3. Services Provided by DNS Security . . . . . . . . . . . . . . 8
- 3.1 Data Origin Authentication and Data Integrity . . . . . . 8
- 3.2 Authenticating Name and Type Non-Existence . . . . . . . . 9
- 4. Services Not Provided by DNS Security . . . . . . . . . . . . 11
- 5. Scope of the DNSSEC Document Set and Last Hop Issues . . . . . 12
- 6. Resolver Considerations . . . . . . . . . . . . . . . . . . . 14
- 7. Stub Resolver Considerations . . . . . . . . . . . . . . . . . 15
- 8. Zone Considerations . . . . . . . . . . . . . . . . . . . . . 16
- 8.1 TTL values vs. RRSIG validity period . . . . . . . . . . . 16
- 8.2 New Temporal Dependency Issues for Zones . . . . . . . . . 16
- 9. Name Server Considerations . . . . . . . . . . . . . . . . . . 17
- 10. DNS Security Document Family . . . . . . . . . . . . . . . . 18
- 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 19
- 12. Security Considerations . . . . . . . . . . . . . . . . . . 20
- 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
- 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
- 14.1 Normative References . . . . . . . . . . . . . . . . . . . . 23
- 14.2 Informative References . . . . . . . . . . . . . . . . . . . 23
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
- Intellectual Property and Copyright Statements . . . . . . . . 26
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 2]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-1. Introduction
-
- This document introduces the Domain Name System Security Extensions
- (DNSSEC). This document and its two companion documents
- ([I-D.ietf-dnsext-dnssec-records] and
- [I-D.ietf-dnsext-dnssec-protocol]) update, clarify, and refine the
- security extensions defined in RFC 2535 [RFC2535] and its
- predecessors. These security extensions consist of a set of new
- resource record types and modifications to the existing DNS protocol
- [RFC1035]. The new records and protocol modifications are not fully
- described in this document, but are described in a family of
- documents outlined in Section 10. Section 3 and Section 4 describe
- the capabilities and limitations of the security extensions in
- greater detail. Section 5 discusses the scope of the document set.
- Section 6, Section 7, Section 8, and Section 9 discuss the effect
- that these security extensions will have on resolvers, stub
- resolvers, zones and name servers.
-
- This document and its two companions update and obsolete RFCs 2535
- [RFC2535], 3008 [RFC3008], 3090 [RFC3090], 3445 [RFC3445], 3655
- [RFC3655], 3658 [RFC3658], 3755 [RFC3755], and the Work in Progress
- [I-D.ietf-dnsext-nsec-rdata]. This document set also updates, but
- does not obsolete, RFCs 1034 [RFC1034], 1035 [RFC1035], 2136
- [RFC2136], 2181 [RFC2181], 2308 [RFC2308], 3597 [RFC3597], and parts
- of 3226 [RFC3226] (dealing with DNSSEC).
-
- The DNS security extensions provide origin authentication and
- integrity protection for DNS data, as well as a means of public key
- distribution. These extensions do not provide confidentiality.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 3]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-2. Definitions of Important DNSSEC Terms
-
- This section defines a number of terms used in this document set.
- Since this is intended to be useful as a reference while reading the
- rest of the document set, first-time readers may wish to skim this
- section quickly, read the rest of this document, then come back to
- this section.
-
- Authentication Chain: An alternating sequence of DNSKEY RRsets and DS
- RRsets forms a chain of signed data, with each link in the chain
- vouching for the next. A DNSKEY RR is used to verify the
- signature covering a DS RR and allows the DS RR to be
- authenticated. The DS RR contains a hash of another DNSKEY RR and
- this new DNSKEY RR is authenticated by matching the hash in the DS
- RR. This new DNSKEY RR in turn authenticates another DNSKEY RRset
- and, in turn, some DNSKEY RR in this set may be used to
- authenticate another DS RR and so forth until the chain finally
- ends with a DNSKEY RR whose corresponding private key signs the
- desired DNS data. For example, the root DNSKEY RRset can be used
- to authenticate the DS RRset for "example." The "example." DS
- RRset contains a hash that matches some "example." DNSKEY, and
- this DNSKEY's corresponding private key signs the "example."
- DNSKEY RRset. Private key counterparts of the "example." DNSKEY
- RRset sign data records such as "www.example." as well as DS RRs
- for delegations such as "subzone.example."
-
- Authentication Key: A public key that a security-aware resolver has
- verified and can therefore use to authenticate data. A
- security-aware resolver can obtain authentication keys in three
- ways. First, the resolver is generally configured to know about
- at least one public key; this configured data is usually either
- the public key itself or a hash of the public key as found in the
- DS RR (see "trust anchor"). Second, the resolver may use an
- authenticated public key to verify a DS RR and the DNSKEY RR to
- which the DS RR refers. Third, the resolver may be able to
- determine that a new public key has been signed by the private key
- corresponding to another public key which the resolver has
- verified. Note that the resolver must always be guided by local
- policy when deciding whether to authenticate a new public key,
- even if the local policy is simply to authenticate any new public
- key for which the resolver is able verify the signature.
-
- Delegation Point: Term used to describe the name at the parental side
- of a zone cut. That is, the delegation point for "foo.example"
- would be the foo.example node in the "example" zone (as opposed to
- the zone apex of the "foo.example" zone).
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 4]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- Island of Security: Term used to describe a signed, delegated zone
- that does not have an authentication chain from its delegating
- parent. That is, there is no DS RR containing a hash of a DNSKEY
- RR for the island in its delegating parent zone (see
- [I-D.ietf-dnsext-dnssec-records]). An island of security is
- served by security-aware name servers and may provide
- authentication chains to any delegated child zones. Responses
- from an island of security or its descendents can only be
- authenticated if its authentication keys can be authenticated by
- some trusted means out of band from the DNS protocol.
-
- Key Signing Key (KSK): An authentication key that corresponds to a
- private key used to sign one or more other authentication keys for
- a given zone. Typically, the private key corresponding to a key
- signing key will sign a zone signing key, which in turn has a
- corresponding private key which will sign other zone data. Local
- policy may require the zone signing key to be changed frequently,
- while the key signing key may have a longer validity period in
- order to provide a more stable secure entry point into the zone.
- Designating an authentication key as a key signing key is purely
- an operational issue: DNSSEC validation does not distinguish
- between key signing keys and other DNSSEC authentication keys, and
- it is possible to use a single key as both a key signing key and a
- zone signing key. Key signing keys are discussed in more detail
- in [RFC3757]. Also see: zone signing key.
-
- Non-Validating Security-Aware Stub Resolver: A security-aware stub
- resolver which trusts one or more security-aware recursive name
- servers to perform most of the tasks discussed in this document
- set on its behalf. In particular, a non-validating security-aware
- stub resolver is an entity which sends DNS queries, receives DNS
- responses, and is capable of establishing an appropriately secured
- channel to a security-aware recursive name server which will
- provide these services on behalf of the security-aware stub
- resolver. See also: security-aware stub resolver, validating
- security-aware stub resolver.
-
- Non-Validating Stub Resolver: A less tedious term for a
- non-validating security-aware stub resolver.
-
- Security-Aware Name Server: An entity acting in the role of a name
- server (defined in section 2.4 of [RFC1034]) that understands the
- DNS security extensions defined in this document set. In
- particular, a security-aware name server is an entity which
- receives DNS queries, sends DNS responses, supports the EDNS0
- [RFC2671] message size extension and the DO bit [RFC3225], and
- supports the RR types and message header bits defined in this
- document set.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 5]
-
-
- Security-Aware Recursive Name Server: An entity which acts in both
- the security-aware name server and security-aware resolver roles.
- A more cumbersome equivalent phrase would be "a security-aware
- name server which offers recursive service".
-
- Security-Aware Resolver: An entity acting in the role of a resolver
- (defined in section 2.4 of [RFC1034]) which understands the DNS
- security extensions defined in this document set. In particular,
- a security-aware resolver is an entity which sends DNS queries,
- receives DNS responses, supports the EDNS0 [RFC2671] message size
- extension and the DO bit [RFC3225], and is capable of using the RR
- types and message header bits defined in this document set to
- provide DNSSEC services.
-
- Security-Aware Stub Resolver: An entity acting in the role of a stub
- resolver (defined in section 5.3.1 of [RFC1034]) which has enough
- of an understanding the DNS security extensions defined in this
- document set to provide additional services not available from a
- security-oblivious stub resolver. Security-aware stub resolvers
- may be either "validating" or "non-validating" depending on
- whether the stub resolver attempts to verify DNSSEC signatures on
- its own or trusts a friendly security-aware name server to do so.
- See also: validating stub resolver, non-validating stub resolver.
-
- Security-Oblivious <anything>: An <anything> that is not
- "security-aware".
-
- Signed Zone: A zone whose RRsets are signed and which contains
- properly constructed DNSKEY, RRSIG, NSEC and (optionally) DS
- records.
-
- Trust Anchor: A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A
- validating security-aware resolver uses this public key or hash as
- a starting point for building the authentication chain to a signed
- DNS response. In general, a validating resolver will need to
- obtain the initial values of its trust anchors via some secure or
- trusted means outside the DNS protocol. Presence of a trust
- anchor also implies that the resolver should expect the zone to
- which the trust anchor points to be signed.
-
- Unsigned Zone: A zone that is not signed.
-
- Validating Security-Aware Stub Resolver: A security-aware resolver
- that sends queries in recursive mode but which performs signature
- validation on its own rather than just blindly trusting an
- upstream security-aware recursive name server. See also:
- security-aware stub resolver, non-validating security-aware stub
- resolver.
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 6]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- Validating Stub Resolver: A less tedious term for a validating
- security-aware stub resolver.
-
- Zone Signing Key (ZSK): An authentication key that corresponds to a
- private key used to sign a zone. Typically a zone signing key
- will be part of the same DNSKEY RRset as the key signing key whose
- corresponding private key signs this DNSKEY RRset, but the zone
- signing key is used for a slightly different purpose, and may
- differ from the key signing key in other ways, such as validity
- lifetime. Designating an authentication key as a zone signing key
- is purely an operational issue: DNSSEC validation does not
- distinguish between zone signing keys and other DNSSEC
- authentication keys, and it is possible to use a single key as
- both a key signing key and a zone signing key. See also: key
- signing key.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 7]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-3. Services Provided by DNS Security
-
- The Domain Name System (DNS) security extensions provide origin
- authentication and integrity assurance services for DNS data,
- including mechanisms for authenticated denial of existence of DNS
- data. These mechanisms are described below.
-
- These mechanisms require changes to the DNS protocol. DNSSEC adds
- four new resource record types (RRSIG, DNSKEY, DS and NSEC) and two
- new message header bits (CD and AD). In order to support the larger
- DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also
- requires EDNS0 support [RFC2671]. Finally, DNSSEC requires support
- for the DO bit [RFC3225], so that a security-aware resolver can
- indicate in its queries that it wishes to receive DNSSEC RRs in
- response messages.
-
- These services protect against most of the threats to the Domain Name
- System described in [I-D.ietf-dnsext-dns-threats].
-
-3.1 Data Origin Authentication and Data Integrity
-
- DNSSEC provides authentication by associating cryptographically
- generated digital signatures with DNS RRsets. These digital
- signatures are stored in a new resource record, the RRSIG record.
- Typically, there will be a single private key that signs a zone's
- data, but multiple keys are possible: for example, there may be keys
- for each of several different digital signature algorithms. If a
- security-aware resolver reliably learns a zone's public key, it can
- authenticate that zone's signed data. An important DNSSEC concept is
- that the key that signs a zone's data is associated with the zone
- itself and not with the zone's authoritative name servers (public
- keys for DNS transaction authentication mechanisms may also appear in
- zones, as described in [RFC2931], but DNSSEC itself is concerned with
- object security of DNS data, not channel security of DNS
- transactions. The keys associated with transaction security may be
- stored in different RR types. See [RFC3755] for details.).
-
- A security-aware resolver can learn a zone's public key either by
- having a trust anchor configured into the resolver or by normal DNS
- resolution. To allow the latter, public keys are stored in a new
- type of resource record, the DNSKEY RR. Note that the private keys
- used to sign zone data must be kept secure, and should be stored
- offline when practical to do so. To discover a public key reliably
- via DNS resolution, the target key itself needs to be signed by
- either a configured authentication key or another key that has been
- authenticated previously. Security-aware resolvers authenticate zone
- information by forming an authentication chain from a newly learned
- public key back to a previously known authentication public key,
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 8]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- which in turn either has been configured into the resolver or must
- have been learned and verified previously. Therefore, the resolver
- must be configured with at least one trust anchor. If the configured
- key is a zone signing key, then it will authenticate the associated
- zone; if the configured key is a key signing key, it will
- authenticate a zone signing key. If the resolver has been configured
- with the hash of a key rather than the key itself, the resolver may
- need to obtain the key via a DNS query. To help security-aware
- resolvers establish this authentication chain, security-aware name
- servers attempt to send the signature(s) needed to authenticate a
- zone's public key(s) in the DNS reply message along with the public
- key itself, provided there is space available in the message.
-
- The Delegation Signer (DS) RR type simplifies some of the
- administrative tasks involved in signing delegations across
- organizational boundaries. The DS RRset resides at a delegation
- point in a parent zone and indicates the public key(s) corresponding
- to the private key(s) used to self-sign the DNSKEY RRset at the
- delegated child zone's apex. The administrator of the child zone, in
- turn, uses the private key(s) corresponding to one or more of the
- public keys in this DNSKEY RRset to sign the child zone's data. The
- typical authentication chain is therefore
- DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
- DS->DNSKEY subchains. DNSSEC permits more complex authentication
- chains, such as additional layers of DNSKEY RRs signing other DNSKEY
- RRs within a zone.
-
- A security-aware resolver normally constructs this authentication
- chain from the root of the DNS hierarchy down to the leaf zones based
- on configured knowledge of the public key for the root. Local
- policy, however, may also allow a security-aware resolver to use one
- or more configured public keys (or hashes of public keys) other than
- the root public key, or may not provide configured knowledge of the
- root public key, or may prevent the resolver from using particular
- public keys for arbitrary reasons even if those public keys are
- properly signed with verifiable signatures. DNSSEC provides
- mechanisms by which a security-aware resolver can determine whether
- an RRset's signature is "valid" within the meaning of DNSSEC. In the
- final analysis however, authenticating both DNS keys and data is a
- matter of local policy, which may extend or even override the
- protocol extensions defined in this document set. See Section 5 for
- further discussion.
-
-3.2 Authenticating Name and Type Non-Existence
-
- The security mechanism described in Section 3.1 only provides a way
- to sign existing RRsets in a zone. The problem of providing negative
- responses with the same level of authentication and integrity
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 9]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- requires the use of another new resource record type, the NSEC
- record. The NSEC record allows a security-aware resolver to
- authenticate a negative reply for either name or type non-existence
- via the same mechanisms used to authenticate other DNS replies. Use
- of NSEC records requires a canonical representation and ordering for
- domain names in zones. Chains of NSEC records explicitly describe
- the gaps, or "empty space", between domain names in a zone, as well
- as listing the types of RRsets present at existing names. Each NSEC
- record is signed and authenticated using the mechanisms described in
- Section 3.1.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 10]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-4. Services Not Provided by DNS Security
-
- DNS was originally designed with the assumptions that the DNS will
- return the same answer to any given query regardless of who may have
- issued the query, and that all data in the DNS is thus visible.
- Accordingly, DNSSEC is not designed to provide confidentiality,
- access control lists, or other means of differentiating between
- inquirers.
-
- DNSSEC provides no protection against denial of service attacks.
- Security-aware resolvers and security-aware name servers are
- vulnerable to an additional class of denial of service attacks based
- on cryptographic operations. Please see Section 12 for details.
-
- The DNS security extensions provide data and origin authentication
- for DNS data. The mechanisms outlined above are not designed to
- protect operations such as zone transfers and dynamic update
- [RFC3007]. Message authentication schemes described in [RFC2845] and
- [RFC2931] address security operations that pertain to these
- transactions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 11]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-5. Scope of the DNSSEC Document Set and Last Hop Issues
-
- The specification in this document set defines the behavior for zone
- signers and security-aware name servers and resolvers in such a way
- that the validating entities can unambiguously determine the state of
- the data.
-
- A validating resolver can determine these 4 states:
-
- Secure: The validating resolver has a trust anchor, a chain of trust
- and is able to verify all the signatures in the response.
-
- Insecure: The validating resolver has a trust anchor, a chain of
- trust, and, at some delegation point, signed proof of the
- non-existence of a DS record. That indicates that subsequent
- branches in the tree are provably insecure. A validating resolver
- may have local policy to mark parts of the domain space as
- insecure.
-
- Bogus: The validating resolver has a trust anchor and there is a
- secure delegation which is indicating that subsidiary data will be
- signed, but the response fails to validate due to one or more
- reasons: missing signatures, expired signatures, signatures with
- unsupported algorithms, data missing which the relevant NSEC RR
- says should be present, and so forth.
-
- Indeterminate: There is no trust anchor which would indicate that a
- specific portion of the tree is secure. This is the default
- operation mode.
-
- This specification only defines how security aware name servers can
- signal non-validating stub resolvers that data was found to be bogus
- (using RCODE=2, "Server Failure" -- see
- [I-D.ietf-dnsext-dnssec-protocol]).
-
- There is a mechanism for security aware name servers to signal
- security-aware stub resolvers that data was found to be secure (using
- the AD bit, see [I-D.ietf-dnsext-dnssec-protocol]).
-
- This specification does not define a format for communicating why
- responses were found to be bogus or marked as insecure. The current
- signaling mechanism does not distinguish between indeterminate and
- insecure.
-
- A method for signaling advanced error codes and policy between a
- security aware stub resolver and security aware recursive nameservers
- is a topic for future work, as is the interface between a security
- aware resolver and the applications that use it. Note, however, that
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 12]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- the lack of the specification of such communication does not prohibit
- deployment of signed zones or the deployment of security aware
- recursive name servers that prohibit propagation of bogus data to the
- applications.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 13]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-6. Resolver Considerations
-
- A security-aware resolver needs to be able to perform cryptographic
- functions necessary to verify digital signatures using at least the
- mandatory-to-implement algorithm(s). Security-aware resolvers must
- also be capable of forming an authentication chain from a newly
- learned zone back to an authentication key, as described above. This
- process might require additional queries to intermediate DNS zones to
- obtain necessary DNSKEY, DS and RRSIG records. A security-aware
- resolver should be configured with at least one trust anchor as the
- starting point from which it will attempt to establish authentication
- chains.
-
- If a security-aware resolver is separated from the relevant
- authoritative name servers by a recursive name server or by any sort
- of device which acts as a proxy for DNS, and if the recursive name
- server or proxy is not security-aware, the security-aware resolver
- may not be capable of operating in a secure mode. For example, if a
- security-aware resolver's packets are routed through a network
- address translation device that includes a DNS proxy which is not
- security-aware, the security-aware resolver may find it difficult or
- impossible to obtain or validate signed DNS data.
-
- If a security-aware resolver must rely on an unsigned zone or a name
- server that is not security aware, the resolver may not be able to
- validate DNS responses, and will need a local policy on whether to
- accept unverified responses.
-
- A security-aware resolver should take a signature's validation period
- into consideration when determining the TTL of data in its cache, to
- avoid caching signed data beyond the validity period of the
- signature, but should also allow for the possibility that the
- security-aware resolver's own clock is wrong. Thus, a security-aware
- resolver which is part of a security-aware recursive name server will
- need to pay careful attention to the DNSSEC "checking disabled" (CD)
- bit [I-D.ietf-dnsext-dnssec-records]. This is in order to avoid
- blocking valid signatures from getting through to other
- security-aware resolvers which are clients of this recursive name
- server. See [I-D.ietf-dnsext-dnssec-protocol] for how a secure
- recursive server handles queries with the CD bit set.
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 14]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-7. Stub Resolver Considerations
-
- Although not strictly required to do so by the protocol, most DNS
- queries originate from stub resolvers. Stub resolvers, by
- definition, are minimal DNS resolvers which use recursive query mode
- to offload most of the work of DNS resolution to a recursive name
- server. Given the widespread use of stub resolvers, the DNSSEC
- architecture has to take stub resolvers into account, but the
- security features needed in a stub resolver differ in some respects
- from those needed in a full security-aware resolver.
-
- Even a security-oblivious stub resolver may get some benefit from
- DNSSEC if the recursive name servers it uses are security-aware, but
- for the stub resolver to place any real reliance on DNSSEC services,
- the stub resolver must trust both the recursive name servers in
- question and the communication channels between itself and those name
- servers. The first of these issues is a local policy issue: in
- essence, a security-oblivious stub resolver has no real choice but to
- place itself at the mercy of the recursive name servers that it uses,
- since it does not perform DNSSEC validity checks on its own. The
- second issue requires some kind of channel security mechanism; proper
- use of DNS transaction authentication mechanisms such as SIG(0) or
- TSIG would suffice, as would appropriate use of IPsec, and particular
- implementations may have other choices available, such as operating
- system specific interprocess communication mechanisms.
- Confidentiality is not needed for this channel, but data integrity
- and message authentication are.
-
- A security-aware stub resolver that does trust both its recursive
- name servers and its communication channel to them may choose to
- examine the setting of the AD bit in the message header of the
- response messages it receives. The stub resolver can use this flag
- bit as a hint to find out whether the recursive name server was able
- to validate signatures for all of the data in the Answer and
- Authority sections of the response.
-
- There is one more step that a security-aware stub resolver can take
- if, for whatever reason, it is not able to establish a useful trust
- relationship with the recursive name servers which it uses: it can
- perform its own signature validation, by setting the Checking
- Disabled (CD) bit in its query messages. A validating stub resolver
- is thus able to treat the DNSSEC signatures as a trust relationship
- between the zone administrator and the stub resolver itself.
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 15]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-8. Zone Considerations
-
- There are several differences between signed and unsigned zones. A
- signed zone will contain additional security-related records (RRSIG,
- DNSKEY, DS and NSEC records). RRSIG and NSEC records may be
- generated by a signing process prior to serving the zone. The RRSIG
- records that accompany zone data have defined inception and
- expiration times, which establish a validity period for the
- signatures and the zone data the signatures cover.
-
-8.1 TTL values vs. RRSIG validity period
-
- It is important to note the distinction between a RRset's TTL value
- and the signature validity period specified by the RRSIG RR covering
- that RRset. DNSSEC does not change the definition or function of the
- TTL value, which is intended to maintain database coherency in
- caches. A caching resolver purges RRsets from its cache no later
- than the end of the time period specified by the TTL fields of those
- RRsets, regardless of whether or not the resolver is security-aware.
-
- The inception and expiration fields in the RRSIG RR
- [I-D.ietf-dnsext-dnssec-records], on the other hand, specify the time
- period during which the signature can be used to validate the covered
- RRset. The signatures associated with signed zone data are only
- valid for the time period specified by these fields in the RRSIG RRs
- in question. TTL values cannot extend the validity period of signed
- RRsets in a resolver's cache, but the resolver may use the time
- remaining before expiration of the signature validity period of a
- signed RRset as an upper bound for the TTL of the signed RRset and
- its associated RRSIG RR in the resolver's cache.
-
-8.2 New Temporal Dependency Issues for Zones
-
- Information in a signed zone has a temporal dependency which did not
- exist in the original DNS protocol. A signed zone requires regular
- maintenance to ensure that each RRset in the zone has a current valid
- RRSIG RR. The signature validity period of an RRSIG RR is an
- interval during which the signature for one particular signed RRset
- can be considered valid, and the signatures of different RRsets in a
- zone may expire at different times. Re-signing one or more RRsets in
- a zone will change one or more RRSIG RRs, which in turn will require
- incrementing the zone's SOA serial number to indicate that a zone
- change has occurred and re-signing the SOA RRset itself. Thus,
- re-signing any RRset in a zone may also trigger DNS NOTIFY messages
- and zone transfers operations.
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 16]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-9. Name Server Considerations
-
- A security-aware name server should include the appropriate DNSSEC
- records (RRSIG, DNSKEY, DS and NSEC) in all responses to queries from
- resolvers which have signaled their willingness to receive such
- records via use of the DO bit in the EDNS header, subject to message
- size limitations. Since inclusion of these DNSSEC RRs could easily
- cause UDP message truncation and fallback to TCP, a security-aware
- name server must also support the EDNS "sender's UDP payload"
- mechanism.
-
- If possible, the private half of each DNSSEC key pair should be kept
- offline, but this will not be possible for a zone for which DNS
- dynamic update has been enabled. In the dynamic update case, the
- primary master server for the zone will have to re-sign the zone when
- updated, so the private key corresponding to the zone signing key
- will have to be kept online. This is an example of a situation where
- the ability to separate the zone's DNSKEY RRset into zone signing
- key(s) and key signing key(s) may be useful, since the key signing
- key(s) in such a case can still be kept offline and may have a longer
- useful lifetime than the zone signing key(s).
-
- DNSSEC, by itself, is not enough to protect the integrity of an
- entire zone during zone transfer operations, since even a signed zone
- contains some unsigned, nonauthoritative data if the zone has any
- children. Therefore, zone maintenance operations will require some
- additional mechanisms (most likely some form of channel security,
- such as TSIG, SIG(0), or IPsec).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 17]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-10. DNS Security Document Family
-
- The DNSSEC document set can be partitioned into several main groups,
- under the larger umbrella of the DNS base protocol documents.
-
- The "DNSSEC protocol document set" refers to the three documents
- which form the core of the DNS security extensions:
- 1. DNS Security Introduction and Requirements (this document)
- 2. Resource Records for DNS Security Extensions
- [I-D.ietf-dnsext-dnssec-records]
- 3. Protocol Modifications for the DNS Security Extensions
- [I-D.ietf-dnsext-dnssec-protocol]
-
- Additionally, any document that would add to, or change the core DNS
- Security extensions would fall into this category. This includes any
- future work on the communication between security-aware stub
- resolvers and upstream security-aware recursive name servers.
-
- The "Digital Signature Algorithm Specification" document set refers
- to the group of documents that describe how specific digital
- signature algorithms should be implemented to fit the DNSSEC resource
- record format. Each document in this set deals with a specific
- digital signature algorithm.
-
- The "Transaction Authentication Protocol" document set refers to the
- group of documents that deal with DNS message authentication,
- including secret key establishment and verification. While not
- strictly part of the DNSSEC specification as defined in this set of
- documents, this group is noted because of its relationship to DNSSEC.
-
- The final document set, "New Security Uses", refers to documents that
- seek to use proposed DNS Security extensions for other security
- related purposes. DNSSEC does not provide any direct security for
- these new uses, but may be used to support them. Documents that fall
- in this category include the use of DNS in the storage and
- distribution of certificates [RFC2538].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 18]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-11. IANA Considerations
-
- This overview document introduces no new IANA considerations. Please
- see [I-D.ietf-dnsext-dnssec-records] for a complete review of the
- IANA considerations introduced by DNSSEC.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 19]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-12. Security Considerations
-
- This document introduces the DNS security extensions and describes
- the document set that contains the new security records and DNS
- protocol modifications. The extensions provide data origin
- authentication and data integrity using digital signatures over
- resource record sets.This document discusses the capabilities and
- limitations of these extensions.
-
- In order for a security-aware resolver to validate a DNS response,
- all zones along the path from the trusted starting point to the zone
- containing the response zones must be signed, and all name servers
- and resolvers involved in the resolution process must be
- security-aware, as defined in this document set. A security-aware
- resolver cannot verify responses originating from an unsigned zone,
- from a zone not served by a security-aware name server, or for any
- DNS data which the resolver is only able to obtain through a
- recursive name server which is not security-aware. If there is a
- break in the authentication chain such that a security-aware resolver
- cannot obtain and validate the authentication keys it needs, then the
- security-aware resolver cannot validate the affected DNS data.
-
- This document briefly discusses other methods of adding security to a
- DNS query, such as using a channel secured by IPsec or using a DNS
- transaction authentication mechanism, but transaction security is not
- part of DNSSEC per se.
-
- A non-validating security-aware stub resolver, by definition, does
- not perform DNSSEC signature validation on its own, and thus is
- vulnerable both to attacks on (and by) the security-aware recursive
- name servers which perform these checks on its behalf and also to
- attacks on its communication with those security-aware recursive name
- servers. Non-validating security-aware stub resolvers should use
- some form of channel security to defend against the latter threat.
- The only known defense against the former threat would be for the
- security-aware stub resolver to perform its own signature validation,
- at which point, again by definition, it would no longer be a
- non-validating security-aware stub resolver.
-
- DNSSEC does not protect against denial of service attacks. DNSSEC
- makes DNS vulnerable to a new class of denial of service attacks
- based on cryptographic operations against security-aware resolvers
- and security-aware name servers, since an attacker can attempt to use
- DNSSEC mechanisms to consume a victim's resources. This class of
- attacks takes at least two forms. An attacker may be able to consume
- resources in a security-aware resolver's signature validation code by
- tampering with RRSIG RRs in response messages or by constructing
- needlessly complex signature chains. An attacker may also be able to
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 20]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- consume resources in a security-aware name server which supports DNS
- dynamic update, by sending a stream of update messages that force the
- security-aware name server to re-sign some RRsets in the zone more
- frequently than would otherwise be necessary.
-
- DNSSEC does not provide confidentiality, due to a deliberate design
- choice.
-
- DNSSEC introduces the ability for a hostile party to enumerate all
- the names in a zone by following the NSEC chain. NSEC RRs assert
- which names do not exist in a zone by linking from existing name to
- existing name along a canonical ordering of all the names within a
- zone. Thus, an attacker can query these NSEC RRs in sequence to
- obtain all the names in a zone. While not an attack on the DNS
- itself, this could allow an attacker to map network hosts or other
- resources by enumerating the contents of a zone.
-
- DNSSEC introduces significant additional complexity to the DNS, and
- thus introduces many new opportunities for implementation bugs and
- misconfigured zones. In particular, enabling DNSSEC signature
- validation in a resolver may cause entire legitimate zones to become
- effectively unreachable due to DNSSEC configuration errors or bugs.
-
- DNSSEC does not protect against tampering with unsigned zone data.
- Non-authoritative data at zone cuts (glue and NS RRs in the parent
- zone) are not signed. This does not pose a problem when validating
- the authentication chain, but does mean that the non-authoritative
- data itself is vulnerable to tampering during zone transfer
- operations. Thus, while DNSSEC can provide data origin
- authentication and data integrity for RRsets, it cannot do so for
- zones, and other mechanisms must be used to protect zone transfer
- operations.
-
- Please see [I-D.ietf-dnsext-dnssec-records] and
- [I-D.ietf-dnsext-dnssec-protocol] for additional security
- considerations.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 21]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-13. Acknowledgements
-
- This document was created from the input and ideas of the members of
- the DNS Extensions Working Group. While explicitly listing everyone
- who has contributed during the decade during which DNSSEC has been
- under development would be an impossible task, the editors would
- particularly like to thank the following people for their
- contributions to and comments on this document set: Jaap Akkerhuis,
- Mark Andrews, Derek Atkins, Roy Badami, Alan Barrett, Dan Bernstein,
- David Blacka, Len Budney, Randy Bush, Francis Dupont, Donald
- Eastlake, Robert Elz, Miek Gieben, Michael Graff, Olafur Gudmundsson,
- Gilles Guette, Andreas Gustafsson, Jun-ichiro itojun Hagino, Phillip
- Hallam-Baker, Bob Halley, Ted Hardie, Walter Howard, Greg Hudson,
- Christian Huitema, Johan Ihren, Stephen Jacob, Jelte Jansen, Simon
- Josefsson, Andris Kalnozols, Peter Koch, Olaf Kolkman, Mark Kosters,
- Suresh Krishnaswamy, Ben Laurie, David Lawrence, Ted Lemon, Ed Lewis,
- Ted Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Russ
- Mundy, Mans Nilsson, Masataka Ohta, Mike Patton, Rob Payne, Jim Reid,
- Michael Richardson, Erik Rozendaal, Marcos Sanz, Pekka Savola, Jakob
- Schlyter, Mike StJohns, Paul Vixie, Sam Weiler, Brian Wellington, and
- Suzanne Woolf.
-
- No doubt the above list is incomplete. We apologize to anyone we
- left out.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 22]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-14. References
-
-14.1 Normative References
-
- [I-D.ietf-dnsext-dnssec-protocol]
- Arends, R., Austein, R., Larson, M., Massey, D. and S.
- Rose, "Protocol Modifications for the DNS Security
- Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work in
- progress), May 2004.
-
- [I-D.ietf-dnsext-dnssec-records]
- Arends, R., Austein, R., Larson, M., Massey, D. and S.
- Rose, "Resource Records for DNS Security Extensions",
- draft-ietf-dnsext-dnssec-records-08 (work in progress),
- May 2004.
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
- [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
- message size requirements", RFC 3226, December 2001.
-
- [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
- Resource Record (RR)", RFC 3445, December 2002.
-
-14.2 Informative References
-
- [I-D.ietf-dnsext-dns-threats]
- Atkins, D. and R. Austein, "Threat Analysis Of The Domain
- Name System", draft-ietf-dnsext-dns-threats-07 (work in
- progress), April 2004.
-
- [I-D.ietf-dnsext-nsec-rdata]
- Schlyter, J., "DNSSEC NSEC RDATA Format",
- draft-ietf-dnsext-nsec-rdata-06 (work in progress), May
- 2004.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 23]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
- [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2538] Eastlake, D. and O. Gudmundsson, "Storing Certificates in
- the Domain Name System (DNS)", RFC 2538, March 1999.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
- SIG(0)s)", RFC 2931, September 2000.
-
- [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
- [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
- Signing Authority", RFC 3008, November 2000.
-
- [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone
- Status", RFC 3090, March 2001.
-
- [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
- (RR) Types", RFC 3597, September 2003.
-
- [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
- Authenticated Data (AD) bit", RFC 3655, November 2003.
-
- [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
- (RR)", RFC 3658, December 2003.
-
- [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
- Signer", RFC 3755, April 2004.
-
- [RFC3757] Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure
- Entry Point Flag", RFC 3757, April 2004.
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 24]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Drienerlolaan 5
- 7522 NB Enschede
- NL
-
- EMail: roy.arends@telin.nl
-
-
- Rob Austein
- Internet Systems Consortium
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- EMail: sra@isc.org
-
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: mlarson@verisign.com
-
-
- Dan Massey
- USC Information Sciences Institute
- 3811 N. Fairfax Drive
- Arlington, VA 22203
- USA
-
- EMail: masseyd@isi.edu
-
-
- Scott Rose
- National Institute for Standards and Technology
- 100 Bureau Drive
- Gaithersburg, MD 20899-8920
- USA
-
- EMail: scott.rose@nist.gov
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 25]
-
-Internet-Draft DNSSEC Introduction and Requirements July 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 26]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt
deleted file mode 100644
index f7abddc43e4a..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-online-signing-00.txt
+++ /dev/null
@@ -1,560 +0,0 @@
-
-
-
-Network Working Group S. Weiler
-Internet-Draft SPARTA, Inc
-Updates: 4034, 4035 (if approved) J. Ihren
-Expires: November 13, 2005 Autonomica AB
- May 12, 2005
-
-
- Minimally Covering NSEC Records and DNSSEC On-line Signing
- draft-ietf-dnsext-dnssec-online-signing-00
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on November 13, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document describes how to construct DNSSEC NSEC resource records
- that cover a smaller range of names than called for by RFC4034. By
- generating and signing these records on demand, authoritative name
- servers can effectively stop the disclosure of zone contents
- otherwise made possible by walking the chain of NSEC records in a
- signed zone.
-
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 1]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
-Changes from weiler-01 to ietf-00
-
- Inserted RFC numbers for 4033, 4034, and 4035.
-
- Specified contents of bitmap field in synthesized NSEC RR's, pointing
- out that this relaxes a constraint in 4035. Added 4035 to the
- Updates header.
-
-Changes from weiler-00 to weiler-01
-
- Clarified that this updates RFC4034 by relaxing requirements on the
- next name field.
-
- Added examples covering wildcard names.
-
- In the 'better functions' section, reiterated that perfect functions
- aren't needed.
-
- Added a reference to RFC 2119.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 2]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
-Table of Contents
-
- 1. Introduction and Terminology . . . . . . . . . . . . . . . . 4
- 2. Minimally Covering NSEC Records . . . . . . . . . . . . . . 4
- 3. Better Increment & Decrement Functions . . . . . . . . . . . 6
- 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
- 5. Security Considerations . . . . . . . . . . . . . . . . . . 7
- 6. Normative References . . . . . . . . . . . . . . . . . . . . 8
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 8
- A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 8
- Intellectual Property and Copyright Statements . . . . . . . 10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 3]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
-1. Introduction and Terminology
-
- With DNSSEC [1], an NSEC record lists the next instantiated name in
- its zone, proving that no names exist in the "span" between the
- NSEC's owner name and the name in the "next name" field. In this
- document, an NSEC record is said to "cover" the names between its
- owner name and next name.
-
- Through repeated queries that return NSEC records, it is possible to
- retrieve all of the names in the zone, a process commonly called
- "walking" the zone. Some zone owners have policies forbidding zone
- transfers by arbitrary clients; this side-effect of the NSEC
- architecture subverts those policies.
-
- This document presents a way to prevent zone walking by constructing
- NSEC records that cover fewer names. These records can make zone
- walking take approximately as many queries as simply asking for all
- possible names in a zone, making zone walking impractical. Some of
- these records must be created and signed on demand, which requires
- on-line private keys. Anyone contemplating use of this technique is
- strongly encouraged to review the discussion of the risks of on-line
- signing in Section 5.
-
- The technique presented here may be useful to a zone owner that wants
- to use DNSSEC, is concerned about exposure of its zone contents via
- zone walking, and is willing to bear the costs of on-line signing.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [4].
-
-2. Minimally Covering NSEC Records
-
- This mechanism involves changes to NSEC records for instantiated
- names, which can still be generated and signed in advance, as well as
- the on-demand generation and signing of new NSEC records whenever a
- name must be proven not to exist.
-
- In the 'next name' field of instantiated names' NSEC records, rather
- than list the next instantiated name in the zone, list any name that
- falls lexically after the NSEC's owner name and before the next
- instantiated name in the zone, according to the ordering function in
- RFC4034 [2] section 6.2. This relaxes the requirement in section
- 4.1.1 of RFC4034 that the 'next name' field contains the next owner
- name in the zone. This change is expected to be fully compatible
- with all existing DNSSEC validators. These NSEC records are returned
- whenever proving something specifically about the owner name (e.g.
- that no resource records of a given type appear at that name).
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 4]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
- Whenever an NSEC record is needed to prove the non-existence of a
- name, a new NSEC record is dynamically produced and signed. The new
- NSEC record has an owner name lexically before the QNAME but
- lexically following any existing name and a 'next name' lexically
- following the QNAME but before any existing name.
-
- The generated NSEC record's type bitmap SHOULD have the RRSIG and
- NSEC bits set and SHOULD NOT have any other bits set. This relaxes
- the requirement in Section 2.3 of RFC4035 that NSEC RRs not appear at
- names that did not exist before the zone wsa signed.
-
- The functions to generate the lexically following and proceeding
- names need not be perfect nor consistent, but the generated NSEC
- records must not cover any existing names. Furthermore, this
- technique works best when the generated NSEC records cover as few
- names as possible.
-
- An NSEC record denying the existence of a wildcard may be generated
- in the same way. Since the NSEC record covering a non-existent
- wildcard is likely to be used in response to many queries,
- authoritative name servers using the techniques described here may
- want to pregenerate or cache that record and its corresponding RRSIG.
-
- For example, a query for an A record at the non-instantiated name
- example.com might produce the following two NSEC records, the first
- denying the existence of the name example.com and the second denying
- the existence of a wildcard:
-
- exampld.com 3600 IN NSEC example-.com ( RRSIG NSEC )
-
- ).com 3600 IN NSEC +.com ( RRSIG NSEC )
-
- Before answering a query with these records, an authoritative server
- must test for the existence of names between these endpoints. If the
- generated NSEC would cover existing names (e.g. exampldd.com or
- *bizarre.example.com), a better increment or decrement function may
- be used or the covered name closest to the QNAME could be used as the
- NSEC owner name or next name, as appropriate. If an existing name is
- used as the NSEC owner name, that name's real NSEC record MUST be
- returned. Using the same example, assuming an exampldd.com
- delegation exists, this record might be returned from the parent:
-
- exampldd.com 3600 IN NSEC example-.com ( NS DS RRSIG NSEC )
-
- Like every authoritative record in the zone, each generated NSEC
- record MUST have corresponding RRSIGs generated using each algorithm
- (but not necessarily each DNSKEY) in the zone's DNSKEY RRset, as
- described in RFC4035 [3] section 2.2. To minimize the number of
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 5]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
- signatures that must be generated, a zone may wish to limit the
- number of algorithms in its DNSKEY RRset.
-
-3. Better Increment & Decrement Functions
-
- Section 6.2 of RFC4034 defines a strict ordering of DNS names.
- Working backwards from that definition, it should be possible to
- define increment and decrement functions that generate the
- immediately following and preceding names, respectively. This
- document does not define such functions. Instead, this section
- presents functions that come reasonably close to the perfect ones.
- As described above, an authoritative server should still ensure than
- no generated NSEC covers any existing name.
-
- To increment a name, add a leading label with a single null (zero-
- value) octet.
-
- To decrement a name, decrement the last character of the leftmost
- label, then fill that label to a length of 63 octets with octets of
- value 255. To decrement a null (zero-value) octet, remove the octet
- -- if an empty label is left, remove the label. Defining this
- function numerically: fill the left-most label to its maximum length
- with zeros (numeric, not ASCII zeros) and subtract one.
-
- In response to a query for the non-existent name foo.example.com,
- these functions produce NSEC records of:
-
- fon\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255.example.com 3600 IN NSEC \000.foo.example.com ( NSEC RRSIG )
-
- )\255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255\255\255\255\255\255\255\255\255\255\255\255\255\255\255
- \255\255.example.com 3600 IN NSEC \000.*.example.com ( NSEC RRSIG )
-
- The first of these NSEC RRs proves that no exact match for
- foo.example.com exists, and the second proves that there is no
- wildcard in example.com.
-
- Both of these functions are imperfect: they don't take into account
- constraints on number of labels in a name nor total length of a name.
- As noted in the previous section, though, this technique does not
- depend on the use of perfect increment or decrement functions: it is
- sufficient to test whether any instantiated names fall into the span
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 6]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
- covered by the generated NSEC and, if so, substitute those
- instantiated owner names for the NSEC owner name or next name, as
- appropriate.
-
-4. IANA Considerations
-
- Per RFC4041, IANA should think carefully about the protection of
- their immortal souls.
-
-5. Security Considerations
-
- This approach requires on-demand generation of RRSIG records. This
- creates several new vulnerabilities.
-
- First, on-demand signing requires that a zone's authoritative servers
- have access to its private keys. Storing private keys on well-known
- internet-accessible servers may make them more vulnerable to
- unintended disclosure.
-
- Second, since generation of public key signatures tends to be
- computationally demanding, the requirement for on-demand signing
- makes authoritative servers vulnerable to a denial of service attack.
-
- Lastly, if the increment and decrement functions are predictable, on-
- demand signing may enable a chosen-plaintext attack on a zone's
- private keys. Zones using this approach should attempt to use
- cryptographic algorithms that are resistant to chosen-plaintext
- attacks. It's worth noting that while DNSSEC has a "mandatory to
- implement" algorithm, that is a requirement on resolvers and
- validators -- there is no requirement that a zone be signed with any
- given algorithm.
-
- The success of using minimally covering NSEC record to prevent zone
- walking depends greatly on the quality of the increment and decrement
- functions chosen. An increment function that chooses a name
- obviously derived from the next instantiated name may be easily
- reverse engineered, destroying the value of this technique. An
- increment function that always returns a name close to the next
- instantiated name is likewise a poor choice. Good choices of
- increment and decrement functions are the ones that produce the
- immediately following and preceding names, respectively, though zone
- administrators may wish to use less perfect functions that return
- more human-friendly names than the functions described in Section 3
- above.
-
- Another obvious but misguided concern is the danger from synthesized
- NSEC records being replayed. It's possible for an attacker to replay
- an old but still validly signed NSEC record after a new name has been
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 7]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
- added in the span covered by that NSEC, incorrectly proving that
- there is no record at that name. This danger exists with DNSSEC as
- defined in [-bis]. The techniques described here actually decrease
- the danger, since the span covered by any NSEC record is smaller than
- before. Choosing better increment and decrement functions will
- further reduce this danger.
-
-6. Normative References
-
- [1] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
- [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
-
-Authors' Addresses
-
- Samuel Weiler
- SPARTA, Inc
- 7075 Samuel Morse Drive
- Columbia, Maryland 21046
- US
-
- Email: weiler@tislabs.com
-
-
- Johan Ihren
- Autonomica AB
- Bellmansgatan 30
- Stockholm SE-118 47
- Sweden
-
- Email: johani@autonomica.se
-
-Appendix A. Acknowledgments
-
- Many individuals contributed to this design. They include, in
- addition to the authors of this document, Olaf Kolkman, Ed Lewis,
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 8]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
- Peter Koch, Matt Larson, David Blacka, Suzanne Woolf, Jaap Akkerhuis,
- Jakob Schlyter, Bill Manning, and Joao Damas.
-
- The key innovation of this document, namely that perfect increment
- and decrement functions are not necessary, arose during a discussion
- among the above-listed people at the RIPE49 meeting in September
- 2004.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 9]
-
-Internet-Draft NSEC Epsilon May 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Weiler & Ihren Expires November 13, 2005 [Page 10]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt
deleted file mode 100644
index 17e28e8286e2..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-opt-in-07.txt
+++ /dev/null
@@ -1,896 +0,0 @@
-
-
-
-DNSEXT R. Arends
-Internet-Draft Telematica Instituut
-Expires: January 19, 2006 M. Kosters
- D. Blacka
- Verisign, Inc.
- July 18, 2005
-
-
- DNSSEC Opt-In
- draft-ietf-dnsext-dnssec-opt-in-07
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 19, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- In the DNS security extensions (DNSSEC, defined in RFC 4033 [3], RFC
- 4034 [4], and RFC 4035 [5]), delegations to unsigned subzones are
- cryptographically secured. Maintaining this cryptography is not
- practical or necessary. This document describes an experimental
- "Opt-In" model that allows administrators to omit this cryptography
- and manage the cost of adopting DNSSEC with large zones.
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 1]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
-Table of Contents
-
- 1. Definitions and Terminology . . . . . . . . . . . . . . . . . 3
- 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3. Experimental Status . . . . . . . . . . . . . . . . . . . . . 4
- 4. Protocol Additions . . . . . . . . . . . . . . . . . . . . . . 4
- 4.1 Server Considerations . . . . . . . . . . . . . . . . . . 5
- 4.1.1 Delegations Only . . . . . . . . . . . . . . . . . . . 5
- 4.1.2 Insecure Delegation Responses . . . . . . . . . . . . 6
- 4.1.3 Wildcards and Opt-In . . . . . . . . . . . . . . . . . 6
- 4.1.4 Dynamic Update . . . . . . . . . . . . . . . . . . . . 7
- 4.2 Client Considerations . . . . . . . . . . . . . . . . . . 7
- 4.2.1 Delegations Only . . . . . . . . . . . . . . . . . . . 7
- 4.2.2 Validation Process Changes . . . . . . . . . . . . . . 7
- 4.2.3 NSEC Record Caching . . . . . . . . . . . . . . . . . 8
- 4.2.4 Use of the AD bit . . . . . . . . . . . . . . . . . . 8
- 5. Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
- 7. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 10
- 8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
- 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
- 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 12
- 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
- 11.1 Normative References . . . . . . . . . . . . . . . . . . . 13
- 11.2 Informative References . . . . . . . . . . . . . . . . . . 13
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
- A. Implementing Opt-In using "Views" . . . . . . . . . . . . . . 14
- Intellectual Property and Copyright Statements . . . . . . . . 16
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 2]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
-1. Definitions and Terminology
-
- Throughout this document, familiarity with the DNS system (RFC 1035
- [1]), DNS security extensions ([3], [4], and [5], referred to in this
- document as "standard DNSSEC"), and DNSSEC terminology (RFC 3090
- [10]) is assumed.
-
- The following abbreviations and terms are used in this document:
-
- RR: is used to refer to a DNS resource record.
- RRset: refers to a Resource Record Set, as defined by [8]. In this
- document, the RRset is also defined to include the covering RRSIG
- records, if any exist.
- signed name: refers to a DNS name that has, at minimum, a (signed)
- NSEC record.
- unsigned name: refers to a DNS name that does not (at least) have a
- NSEC record.
- covering NSEC record/RRset: is the NSEC record used to prove
- (non)existence of a particular name or RRset. This means that for
- a RRset or name 'N', the covering NSEC record has the name 'N', or
- has an owner name less than 'N' and "next" name greater than 'N'.
- delegation: refers to a NS RRset with a name different from the
- current zone apex (non-zone-apex), signifying a delegation to a
- subzone.
- secure delegation: refers to a signed name containing a delegation
- (NS RRset), and a signed DS RRset, signifying a delegation to a
- signed subzone.
- insecure delegation: refers to a signed name containing a delegation
- (NS RRset), but lacking a DS RRset, signifying a delegation to an
- unsigned subzone.
- Opt-In insecure delegation: refers to an unsigned name containing
- only a delegation NS RRset. The covering NSEC record uses the
- Opt-In methodology described in this document.
-
- The key words "MUST, "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY, and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [7].
-
-2. Overview
-
- The cost to cryptographically secure delegations to unsigned zones is
- high for large delegation-centric zones and zones where insecure
- delegations will be updated rapidly. For these zones, the costs of
- maintaining the NSEC record chain may be extremely high relative to
- the gain of cryptographically authenticating existence of unsecured
- zones.
-
- This document describes an experimental method of eliminating the
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 3]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- superfluous cryptography present in secure delegations to unsigned
- zones. Using "Opt-In", a zone administrator can choose to remove
- insecure delegations from the NSEC chain. This is accomplished by
- extending the semantics of the NSEC record by using a redundant bit
- in the type map.
-
-3. Experimental Status
-
- This document describes an EXPERIMENTAL extension to DNSSEC. It
- interoperates with non-experimental DNSSEC using the technique
- described in [6]. This experiment is identified with the following
- private algorithms (using algorithm 253):
-
- "3.optin.verisignlabs.com": is an alias for DNSSEC algorithm 3, DSA,
- and
- "5.optin.verisignlabs.com": is an alias for DNSSEC algorithm 5,
- RSASHA1.
-
- Servers wishing to sign and serve zones that utilize Opt-In MUST sign
- the zone with only one or more of these private algorithms. This
- requires the signing tools and servers to support private algorithms,
- as well as Opt-In.
-
- Resolvers wishing to validate Opt-In zones MUST only do so when the
- zone is only signed using one or more of these private algorithms.
-
- The remainder of this document assumes that the servers and resolvers
- involved are aware of and are involved in this experiment.
-
-4. Protocol Additions
-
- In DNSSEC, delegation NS RRsets are not signed, but are instead
- accompanied by a NSEC RRset of the same name and (possibly) a DS
- record. The security status of the subzone is determined by the
- presence or absence of the DS RRset, cryptographically proven by the
- NSEC record. Opt-In expands this definition by allowing insecure
- delegations to exist within an otherwise signed zone without the
- corresponding NSEC record at the delegation's owner name. These
- insecure delegations are proven insecure by using a covering NSEC
- record.
-
- Since this represents a change of the interpretation of NSEC records,
- resolvers must be able to distinguish between RFC standard DNSSEC
- NSEC records and Opt-In NSEC records. This is accomplished by
- "tagging" the NSEC records that cover (or potentially cover) insecure
- delegation nodes. This tag is indicated by the absence of the NSEC
- bit in the type map. Since the NSEC bit in the type map merely
- indicates the existence of the record itself, this bit is redundant
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 4]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- and safe for use as a tag.
-
- An Opt-In tagged NSEC record does not assert the (non)existence of
- the delegations that it covers (except for a delegation with the same
- name). This allows for the addition or removal of these delegations
- without recalculating or resigning records in the NSEC chain.
- However, Opt-In tagged NSEC records do assert the (non)existence of
- other RRsets.
-
- An Opt-In NSEC record MAY have the same name as an insecure
- delegation. In this case, the delegation is proven insecure by the
- lack of a DS bit in type map and the signed NSEC record does assert
- the existence of the delegation.
-
- Zones using Opt-In MAY contain a mixture of Opt-In tagged NSEC
- records and standard DNSSEC NSEC records. If a NSEC record is not
- Opt-In, there MUST NOT be any insecure delegations (or any other
- records) between it and the RRsets indicated by the 'next domain
- name' in the NSEC RDATA. If it is Opt-In, there MUST only be
- insecure delegations between it and the next node indicated by the
- 'next domain name' in the NSEC RDATA.
-
- In summary,
-
- o An Opt-In NSEC type is identified by a zero-valued (or not-
- specified) NSEC bit in the type bit map of the NSEC record.
- o A RFC2535bis NSEC type is identified by a one-valued NSEC bit in
- the type bit map of the NSEC record.
-
- and,
-
- o An Opt-In NSEC record does not assert the non-existence of a name
- between its owner name and "next" name, although it does assert
- that any name in this span MUST be an insecure delegation.
- o An Opt-In NSEC record does assert the (non)existence of RRsets
- with the same owner name.
-
-4.1 Server Considerations
-
- Opt-In imposes some new requirements on authoritative DNS servers.
-
-4.1.1 Delegations Only
-
- This specification dictates that only insecure delegations may exist
- between the owner and "next" names of an Opt-In tagged NSEC record.
- Signing tools SHOULD NOT generate signed zones that violate this
- restriction. Servers SHOULD refuse to load and/or serve zones that
- violate this restriction. Servers also SHOULD reject AXFR or IXFR
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 5]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- responses that violate this restriction.
-
-4.1.2 Insecure Delegation Responses
-
- When returning an Opt-In insecure delegation, the server MUST return
- the covering NSEC RRset in the Authority section.
-
- In standard DNSSEC, NSEC records already must be returned along with
- the insecure delegation. The primary difference that this proposal
- introduces is that the Opt-In tagged NSEC record will have a
- different owner name from the delegation RRset. This may require
- implementations to search for the covering NSEC RRset.
-
-4.1.3 Wildcards and Opt-In
-
- Standard DNSSEC describes the practice of returning NSEC records to
- prove the non-existence of an applicable wildcard in non-existent
- name responses. This NSEC record can be described as a "negative
- wildcard proof". The use of Opt-In NSEC records changes the
- necessity for this practice. For non-existent name responses when
- the query name (qname) is covered by an Opt-In tagged NSEC record,
- servers MAY choose to omit the wildcard proof record, and clients
- MUST NOT treat the absence of this NSEC record as a validation error.
-
- The intent of the standard DNSSEC negative wildcard proof requirement
- is to prevent malicious users from undetectably removing valid
- wildcard responses. In order for this cryptographic proof to work,
- the resolver must be able to prove:
-
- 1. The exact qname does not exist. This is done by the "normal"
- NSEC record.
- 2. No applicable wildcard exists. This is done by returning a NSEC
- record proving that the wildcard does not exist (this is the
- negative wildcard proof).
-
- However, if the NSEC record covering the exact qname is an Opt-In
- NSEC record, the resolver will not be able to prove the first part of
- this equation, as the qname might exist as an insecure delegation.
- Thus, since the total proof cannot be completed, the negative
- wildcard proof NSEC record is not useful.
-
- The negative wildcard proof is also not useful when returned as part
- of an Opt-In insecure delegation response for a similar reason: the
- resolver cannot prove that the qname does or does not exist, and
- therefore cannot prove that a wildcard expansion is valid.
-
- The presence of an Opt-In tagged NSEC record does not change the
- practice of returning a NSEC along with a wildcard expansion. Even
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 6]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- though the Opt-In NSEC will not be able to prove that the wildcard
- expansion is valid, it will prove that the wildcard expansion is not
- masking any signed records.
-
-4.1.4 Dynamic Update
-
- Opt-In changes the semantics of Secure DNS Dynamic Update [9]. In
- particular, it introduces the need for rules that describe when to
- add or remove a delegation name from the NSEC chain. This document
- does not attempt to define these rules. Until these rules are
- defined, servers MUST NOT process DNS Dynamic Update requests against
- zones that use Opt-In NSEC records. Servers SHOULD return responses
- to update requests with RCODE=REFUSED.
-
-4.2 Client Considerations
-
- Opt-In imposes some new requirements on security-aware resolvers
- (caching or otherwise).
-
-4.2.1 Delegations Only
-
- As stated in the "Server Considerations" section above, this
- specification restricts the namespace covered by Opt-In tagged NSEC
- records to insecure delegations only. Thus, resolvers MUST reject as
- invalid any records that fall within an Opt-In NSEC record's span
- that are not NS records or corresponding glue records.
-
-4.2.2 Validation Process Changes
-
- This specification does not change the resolver's resolution
- algorithm. However, it does change the DNSSEC validation process.
- Resolvers MUST be able to use Opt-In tagged NSEC records to
- cryptographically prove the validity and security status (as
- insecure) of a referral. Resolvers determine the security status of
- the referred-to zone as follows:
-
- o In standard DNSSEC, the security status is proven by the existence
- or absence of a DS RRset at the same name as the delegation. The
- existence of the DS RRset indicates that the referred-to zone is
- signed. The absence of the DS RRset is proven using a verified
- NSEC record of the same name that does not have the DS bit set in
- the type map. This NSEC record MAY also be tagged as Opt-In.
- o Using Opt-In, the security status is proven by the existence of a
- DS record (for signed) or the presence of a verified Opt-In tagged
- NSEC record that covers the delegation name. That is, the NSEC
- record does not have the NSEC bit set in the type map, and the
- delegation name falls between the NSEC's owner and "next" name.
-
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 7]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- Using Opt-In does not substantially change the nature of following
- referrals within DNSSEC. At every delegation point, the resolver
- will have cryptographic proof that the referred-to subzone is signed
- or unsigned.
-
- When receiving either an Opt-In insecure delegation response or a
- non-existent name response where that name is covered by an Opt-In
- tagged NSEC record, the resolver MUST NOT require proof (in the form
- of a NSEC record) that a wildcard did not exist.
-
-4.2.3 NSEC Record Caching
-
- Caching resolvers MUST be able to retrieve the appropriate covering
- Opt-In NSEC record when returning referrals that need them. This
- requirement differs from standard DNSSEC in that the covering NSEC
- will not have the same owner name as the delegation. Some
- implementations may have to use new methods for finding these NSEC
- records.
-
-4.2.4 Use of the AD bit
-
- The AD bit, as defined by [2] and [5], MUST NOT be set when:
-
- o sending a Name Error (RCODE=3) response where the covering NSEC is
- tagged as Opt-In.
- o sending an Opt-In insecure delegation response, unless the
- covering (Opt-In) NSEC record's owner name equals the delegation
- name.
-
- This rule is based on what the Opt-In NSEC record actually proves:
- for names that exist between the Opt-In NSEC record's owner and
- "next" names, the Opt-In NSEC record cannot prove the non-existence
- or existence of the name. As such, not all data in the response has
- been cryptographically verified, so the AD bit cannot be set.
-
-5. Benefits
-
- Using Opt-In allows administrators of large and/or changing
- delegation-centric zones to minimize the overhead involved in
- maintaining the security of the zone.
-
- Opt-In accomplishes this by eliminating the need for NSEC records for
- insecure delegations. This, in a zone with a large number of
- delegations to unsigned subzones, can lead to substantial space
- savings (both in memory and on disk). Additionally, Opt-In allows
- for the addition or removal of insecure delegations without modifying
- the NSEC record chain. Zones that are frequently updating insecure
- delegations (e.g., TLDs) can avoid the substantial overhead of
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 8]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- modifying and resigning the affected NSEC records.
-
-6. Example
-
- Consider the zone EXAMPLE, shown below. This is a zone where all of
- the NSEC records are tagged as Opt-In.
-
- Example A: Fully Opt-In Zone.
-
- EXAMPLE. SOA ...
- EXAMPLE. RRSIG SOA ...
- EXAMPLE. NS FIRST-SECURE.EXAMPLE.
- EXAMPLE. RRSIG NS ...
- EXAMPLE. DNSKEY ...
- EXAMPLE. RRSIG DNSKEY ...
- EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (
- SOA NS RRSIG DNSKEY )
- EXAMPLE. RRSIG NSEC ...
-
- FIRST-SECURE.EXAMPLE. A ...
- FIRST-SECURE.EXAMPLE. RRSIG A ...
- FIRST-SECURE.EXAMPLE. NSEC NOT-SECURE-2.EXAMPLE. A RRSIG
- FIRST-SECURE.EXAMPLE. RRSIG NSEC ...
-
- NOT-SECURE.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
- NS.NOT-SECURE.EXAMPLE. A ...
-
- NOT-SECURE-2.EXAMPLE. NS NS.NOT-SECURE.EXAMPLE.
- NOT-SECURE-2.EXAMPLE NSEC SECOND-SECURE.EXAMPLE NS RRSIG
- NOT-SECURE-2.EXAMPLE RRSIG NSEC ...
-
- SECOND-SECURE.EXAMPLE. NS NS.ELSEWHERE.
- SECOND-SECURE.EXAMPLE. DS ...
- SECOND-SECURE.EXAMPLE. RRSIG DS ...
- SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DNSKEY
- SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
-
- UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE.
- NS.UNSIGNED.EXAMPLE. A ...
-
-
- In this example, a query for a signed RRset (e.g., "FIRST-
- SECURE.EXAMPLE A"), or a secure delegation ("WWW.SECOND-
- SECURE.EXAMPLE A") will result in a standard DNSSEC response.
-
- A query for a nonexistent RRset will result in a response that
- differs from standard DNSSEC by: the NSEC record will be tagged as
- Opt-In, there may be no NSEC record proving the non-existence of a
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 9]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- matching wildcard record, and the AD bit will not be set.
-
- A query for an insecure delegation RRset (or a referral) will return
- both the answer (in the Authority section) and the corresponding
- Opt-In NSEC record to prove that it is not secure.
-
- Example A.1: Response to query for WWW.UNSIGNED.EXAMPLE. A
-
-
- RCODE=NOERROR, AD=0
-
- Answer Section:
-
- Authority Section:
- UNSIGNED.EXAMPLE. NS NS.UNSIGNED.EXAMPLE
- SECOND-SECURE.EXAMPLE. NSEC EXAMPLE. NS RRSIG DS
- SECOND-SECURE.EXAMPLE. RRSIG NSEC ...
-
- Additional Section:
- NS.UNSIGNED.EXAMPLE. A ...
-
- In the Example A.1 zone, the EXAMPLE. node MAY use either style of
- NSEC record, because there are no insecure delegations that occur
- between it and the next node, FIRST-SECURE.EXAMPLE. In other words,
- Example A would still be a valid zone if the NSEC record for EXAMPLE.
- was changed to the following RR:
-
- EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. (SOA NS
- RRSIG DNSKEY NSEC )
-
- However, the other NSEC records (FIRST-SECURE.EXAMPLE. and SECOND-
- SECURE.EXAMPLE.) MUST be tagged as Opt-In because there are insecure
- delegations in the range they define. (NOT-SECURE.EXAMPLE. and
- UNSIGNED.EXAMPLE., respectively).
-
- NOT-SECURE-2.EXAMPLE. is an example of an insecure delegation that is
- part of the NSEC chain and also covered by an Opt-In tagged NSEC
- record. Because NOT-SECURE-2.EXAMPLE. is a signed name, it cannot be
- removed from the zone without modifying and resigning the prior NSEC
- record. Delegations with names that fall between NOT-SECURE-
- 2.EXAMPLE. and SECOND-SECURE.EXAMPLE. may be added or removed without
- resigning any NSEC records.
-
-7. Transition Issues
-
- Opt-In is not backwards compatible with standard DNSSEC and is
- considered experimental. Standard DNSSEC compliant implementations
- would not recognize Opt-In tagged NSEC records as different from
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 10]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- standard NSEC records. Because of this, standard DNSSEC
- implementations, if they were to validate Opt-In style responses,
- would reject all Opt-In insecure delegations within a zone as
- invalid. However, by only signing with private algorithms, standard
- DNSSEC implementations will treat Opt-In responses as unsigned.
-
- It should be noted that all elements in the resolution path between
- (and including) the validator and the authoritative name server must
- be aware of the Opt-In experiment and implement the Opt-In semantics
- for successful validation to be possible. In particular, this
- includes any caching middleboxes between the validator and
- authoritative name server.
-
-8. Security Considerations
-
- Opt-In allows for unsigned names, in the form of delegations to
- unsigned subzones, to exist within an otherwise signed zone. All
- unsigned names are, by definition, insecure, and their validity or
- existence cannot by cryptographically proven.
-
- In general:
-
- o Records with unsigned names (whether existing or not) suffer from
- the same vulnerabilities as records in an unsigned zone. These
- vulnerabilities are described in more detail in [12] (note in
- particular sections 2.3, "Name Games" and 2.6, "Authenticated
- Denial").
- o Records with signed names have the same security whether or not
- Opt-In is used.
-
- Note that with or without Opt-In, an insecure delegation may have its
- contents undetectably altered by an attacker. Because of this, the
- primary difference in security that Opt-In introduces is the loss of
- the ability to prove the existence or nonexistence of an insecure
- delegation within the span of an Opt-In NSEC record.
-
- In particular, this means that a malicious entity may be able to
- insert or delete records with unsigned names. These records are
- normally NS records, but this also includes signed wildcard
- expansions (while the wildcard record itself is signed, its expanded
- name is an unsigned name).
-
- For example, if a resolver received the following response from the
- example zone above:
-
-
-
-
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 11]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- Example S.1: Response to query for WWW.DOES-NOT-EXIST.EXAMPLE. A
-
- RCODE=NOERROR
-
- Answer Section:
-
- Authority Section:
- DOES-NOT-EXIST.EXAMPLE. NS NS.FORGED.
- EXAMPLE. NSEC FIRST-SECURE.EXAMPLE. SOA NS \
- RRSIG DNSKEY
- EXAMPLE. RRSIG NSEC ...
-
- Additional Section:
-
-
- The resolver would have no choice but to believe that the referral to
- NS.FORGED. is valid. If a wildcard existed that would have been
- expanded to cover "WWW.DOES-NOT-EXIST.EXAMPLE.", an attacker could
- have undetectably removed it and replaced it with the forged
- delegation.
-
- Note that being able to add a delegation is functionally equivalent
- to being able to add any record type: an attacker merely has to forge
- a delegation to nameserver under his/her control and place whatever
- records needed at the subzone apex.
-
- While in particular cases, this issue may not present a significant
- security problem, in general it should not be lightly dismissed.
- Therefore, it is strongly RECOMMENDED that Opt-In be used sparingly.
- In particular, zone signing tools SHOULD NOT default to Opt-In, and
- MAY choose to not support Opt-In at all.
-
-9. IANA Considerations
-
- None.
-
-10. Acknowledgments
-
- The contributions, suggestions and remarks of the following persons
- (in alphabetic order) to this draft are acknowledged:
-
- Mats Dufberg, Miek Gieben, Olafur Gudmundsson, Bob Halley, Olaf
- Kolkman, Edward Lewis, Ted Lindgreen, Rip Loomis, Bill Manning,
- Dan Massey, Scott Rose, Mike Schiraldi, Jakob Schlyter, Brian
- Wellington.
-
-11. References
-
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 12]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
-11.1 Normative References
-
- [1] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [2] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
- Authenticated Data (AD) bit", RFC 3655, November 2003.
-
- [3] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [4] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [5] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
- [6] Blacka, D., "DNSSEC Experiments",
- draft-ietf-dnsext-dnssec-experiments-01 (work in progress),
- July 2005.
-
-11.2 Informative References
-
- [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [8] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
- RFC 2181, July 1997.
-
- [9] Eastlake, D., "Secure Domain Name System Dynamic Update",
- RFC 2137, April 1997.
-
- [10] Lewis, E., "DNS Security Extension Clarification on Zone
- Status", RFC 3090, March 2001.
-
- [11] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC 3225,
- December 2001.
-
- [12] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
- System (DNS)", RFC 3833, August 2004.
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 13]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Drienerlolaan 5
- 7522 NB Enschede
- NL
-
- Email: roy.arends@telin.nl
-
-
- Mark Kosters
- Verisign, Inc.
- 21355 Ridgetop Circle
- Dulles, VA 20166
- US
-
- Phone: +1 703 948 3200
- Email: markk@verisign.com
- URI: http://www.verisignlabs.com
-
-
- David Blacka
- Verisign, Inc.
- 21355 Ridgetop Circle
- Dulles, VA 20166
- US
-
- Phone: +1 703 948 3200
- Email: davidb@verisign.com
- URI: http://www.verisignlabs.com
-
-Appendix A. Implementing Opt-In using "Views"
-
- In many cases, it may be convenient to implement an Opt-In zone by
- combining two separately maintained "views" of a zone at request
- time. In this context, "view" refers to a particular version of a
- zone, not to any specific DNS implementation feature.
-
- In this scenario, one view is the secure view, the other is the
- insecure (or legacy) view. The secure view consists of an entirely
- signed zone using Opt-In tagged NSEC records. The insecure view
- contains no DNSSEC information. It is helpful, although not
- necessary, for the secure view to be a subset (minus DNSSEC records)
- of the insecure view.
-
- In addition, the only RRsets that may solely exist in the insecure
- view are non-zone-apex NS RRsets. That is, all non-NS RRsets (and
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 14]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
- the zone apex NS RRset) MUST be signed and in the secure view.
-
- These two views may be combined at request time to provide a virtual,
- single Opt-In zone. The following algorithm is used when responding
- to each query:
- V_A is the secure view as described above.
- V_B is the insecure view as described above.
- R_A is a response generated from V_A, following RFC 2535bis.
- R_B is a response generated from V_B, following DNS resolution as
- per RFC 1035 [1].
- R_C is the response generated by combining R_A with R_B, as
- described below.
- A query is DNSSEC-aware if it either has the DO bit [11] turned
- on, or is for a DNSSEC-specific record type.
-
-
-
- 1. If V_A is a subset of V_B and the query is not DNSSEC-aware,
- generate and return R_B, otherwise
- 2. Generate R_A.
- 3. If R_A's RCODE != NXDOMAIN, return R_A, otherwise
- 4. Generate R_B and combine it with R_A to form R_C:
- For each section (ANSWER, AUTHORITY, ADDITIONAL), copy the
- records from R_A into R_B, EXCEPT the AUTHORITY section SOA
- record, if R_B's RCODE = NOERROR.
- 5. Return R_C.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 15]
-
-Internet-Draft DNSSEC Opt-In July 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Arends, et al. Expires January 19, 2006 [Page 16]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt
deleted file mode 100644
index 5728b35c9ba5..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt
+++ /dev/null
@@ -1,3193 +0,0 @@
-
-
-DNS Extensions R. Arends
-Internet-Draft Telematica Instituut
-Expires: January 13, 2005 M. Larson
- VeriSign
- R. Austein
- ISC
- D. Massey
- USC/ISI
- S. Rose
- NIST
- July 15, 2004
-
-
- Protocol Modifications for the DNS Security Extensions
- draft-ietf-dnsext-dnssec-protocol-07
-
-Status of this Memo
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 13, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This document is part of a family of documents which describe the DNS
- Security Extensions (DNSSEC). The DNS Security Extensions are a
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 1]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- collection of new resource records and protocol modifications which
- add data origin authentication and data integrity to the DNS. This
- document describes the DNSSEC protocol modifications. This document
- defines the concept of a signed zone, along with the requirements for
- serving and resolving using DNSSEC. These techniques allow a
- security-aware resolver to authenticate both DNS resource records and
- authoritative DNS error indications.
-
- This document obsoletes RFC 2535 and incorporates changes from all
- updates to RFC 2535.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1 Background and Related Documents . . . . . . . . . . . . . 4
- 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
- 2. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 2.1 Including DNSKEY RRs in a Zone . . . . . . . . . . . . . . 5
- 2.2 Including RRSIG RRs in a Zone . . . . . . . . . . . . . . 5
- 2.3 Including NSEC RRs in a Zone . . . . . . . . . . . . . . . 6
- 2.4 Including DS RRs in a Zone . . . . . . . . . . . . . . . . 7
- 2.5 Changes to the CNAME Resource Record. . . . . . . . . . . 7
- 2.6 DNSSEC RR Types Appearing at Zone Cuts. . . . . . . . . . 8
- 2.7 Example of a Secure Zone . . . . . . . . . . . . . . . . . 8
- 3. Serving . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
- 3.1 Authoritative Name Servers . . . . . . . . . . . . . . . . 10
- 3.1.1 Including RRSIG RRs in a Response . . . . . . . . . . 10
- 3.1.2 Including DNSKEY RRs In a Response . . . . . . . . . . 11
- 3.1.3 Including NSEC RRs In a Response . . . . . . . . . . . 11
- 3.1.4 Including DS RRs In a Response . . . . . . . . . . . . 14
- 3.1.5 Responding to Queries for Type AXFR or IXFR . . . . . 15
- 3.1.6 The AD and CD Bits in an Authoritative Response . . . 16
- 3.2 Recursive Name Servers . . . . . . . . . . . . . . . . . . 17
- 3.2.1 The DO bit . . . . . . . . . . . . . . . . . . . . . . 17
- 3.2.2 The CD bit . . . . . . . . . . . . . . . . . . . . . . 17
- 3.2.3 The AD bit . . . . . . . . . . . . . . . . . . . . . . 18
- 3.3 Example DNSSEC Responses . . . . . . . . . . . . . . . . . 18
- 4. Resolving . . . . . . . . . . . . . . . . . . . . . . . . . . 19
- 4.1 EDNS Support . . . . . . . . . . . . . . . . . . . . . . . 19
- 4.2 Signature Verification Support . . . . . . . . . . . . . . 19
- 4.3 Determining Security Status of Data . . . . . . . . . . . 20
- 4.4 Configured Trust Anchors . . . . . . . . . . . . . . . . . 20
- 4.5 Response Caching . . . . . . . . . . . . . . . . . . . . . 21
- 4.6 Handling of the CD and AD bits . . . . . . . . . . . . . . 22
- 4.7 Caching BAD Data . . . . . . . . . . . . . . . . . . . . . 22
- 4.8 Synthesized CNAMEs . . . . . . . . . . . . . . . . . . . . 23
- 4.9 Stub resolvers . . . . . . . . . . . . . . . . . . . . . . 23
- 4.9.1 Handling of the DO Bit . . . . . . . . . . . . . . . . 23
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 2]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- 4.9.2 Handling of the CD Bit . . . . . . . . . . . . . . . . 23
- 4.9.3 Handling of the AD Bit . . . . . . . . . . . . . . . . 24
- 5. Authenticating DNS Responses . . . . . . . . . . . . . . . . . 25
- 5.1 Special Considerations for Islands of Security . . . . . . 26
- 5.2 Authenticating Referrals . . . . . . . . . . . . . . . . . 26
- 5.3 Authenticating an RRset Using an RRSIG RR . . . . . . . . 27
- 5.3.1 Checking the RRSIG RR Validity . . . . . . . . . . . . 28
- 5.3.2 Reconstructing the Signed Data . . . . . . . . . . . . 28
- 5.3.3 Checking the Signature . . . . . . . . . . . . . . . . 30
- 5.3.4 Authenticating A Wildcard Expanded RRset Positive
- Response . . . . . . . . . . . . . . . . . . . . . . . 31
- 5.4 Authenticated Denial of Existence . . . . . . . . . . . . 31
- 5.5 Resolver Behavior When Signatures Do Not Validate . . . . 32
- 5.6 Authentication Example . . . . . . . . . . . . . . . . . . 32
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 34
- 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 35
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36
- 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 36
- 9.2 Informative References . . . . . . . . . . . . . . . . . . . 36
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 37
- A. Signed Zone Example . . . . . . . . . . . . . . . . . . . . . 39
- B. Example Responses . . . . . . . . . . . . . . . . . . . . . . 45
- B.1 Answer . . . . . . . . . . . . . . . . . . . . . . . . . . 45
- B.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . 46
- B.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . 47
- B.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . 48
- B.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . 49
- B.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 50
- B.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . 51
- B.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . 52
- C. Authentication Examples . . . . . . . . . . . . . . . . . . . 54
- C.1 Authenticating An Answer . . . . . . . . . . . . . . . . . 54
- C.1.1 Authenticating the example DNSKEY RR . . . . . . . . . 54
- C.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . 55
- C.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . 55
- C.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . 55
- C.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . 55
- C.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 56
- C.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . 56
- C.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . 56
- Intellectual Property and Copyright Statements . . . . . . . . 57
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 3]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-1. Introduction
-
- The DNS Security Extensions (DNSSEC) are a collection of new resource
- records and protocol modifications which add data origin
- authentication and data integrity to the DNS. This document defines
- the DNSSEC protocol modifications. Section 2 of this document
- defines the concept of a signed zone and lists the requirements for
- zone signing. Section 3 describes the modifications to authoritative
- name server behavior necessary to handle signed zones. Section 4
- describes the behavior of entities which include security-aware
- resolver functions. Finally, Section 5 defines how to use DNSSEC RRs
- to authenticate a response.
-
-1.1 Background and Related Documents
-
- The reader is assumed to be familiar with the basic DNS concepts
- described in [RFC1034] and [RFC1035].
-
- This document is part of a family of documents that define DNSSEC.
- An introduction to DNSSEC and definition of common terms can be found
- in [I-D.ietf-dnsext-dnssec-intro]; the reader is assumed to be
- familiar with this document. A definition of the DNSSEC resource
- records can be found in [I-D.ietf-dnsext-dnssec-records].
-
-1.2 Reserved Words
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119. [RFC2119].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 4]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-2. Zone Signing
-
- DNSSEC introduces the concept of signed zones. A signed zone
- includes DNSKEY, RRSIG, NSEC and (optionally) DS records according to
- the rules specified in Section 2.1, Section 2.2, Section 2.3 and
- Section 2.4, respectively. A zone that does not include these
- records according to the rules in this section is an unsigned zone.
-
- DNSSEC requires a change to the definition of the CNAME resource
- record [RFC1035]. Section 2.5 changes the CNAME RR to allow RRSIG
- and NSEC RRs to appear at the same owner name as a CNAME RR.
-
- DNSSEC specifies the placement of two new RR types, NSEC and DS,
- which can be placed at the parental side of a zone cut (that is, at a
- delegation point). This is an exception to the general prohibition
- against putting data in the parent zone at a zone cut. Section 2.6
- describes this change.
-
-2.1 Including DNSKEY RRs in a Zone
-
- To sign a zone, the zone's administrator generates one or more
- public/private key pairs and uses the private key(s) to sign
- authoritative RRsets in the zone. For each private key used to
- create RRSIG RRs in a zone, the zone SHOULD include a zone DNSKEY RR
- containing the corresponding public key. A zone key DNSKEY RR MUST
- have the Zone Key bit of the flags RDATA field set -- see Section
- 2.1.1 of [I-D.ietf-dnsext-dnssec-records]. Public keys associated
- with other DNS operations MAY be stored in DNSKEY RRs that are not
- marked as zone keys but MUST NOT be used to verify RRSIGs.
-
- If the zone administrator intends a signed zone to be usable other
- than as an island of security, the zone apex MUST contain at least
- one DNSKEY RR to act as a secure entry point into the zone. This
- secure entry point could then be used as the target of a secure
- delegation via a corresponding DS RR in the parent zone (see
- [I-D.ietf-dnsext-dnssec-records]).
-
-2.2 Including RRSIG RRs in a Zone
-
- For each authoritative RRset in a signed zone, there MUST be at least
- one RRSIG record that meets all of the following requirements:
- o The RRSIG owner name is equal to the RRset owner name;
- o The RRSIG class is equal to the RRset class;
- o The RRSIG Type Covered field is equal to the RRset type;
- o The RRSIG Original TTL field is equal to the TTL of the RRset;
- o The RRSIG RR's TTL is equal to the TTL of the RRset;
- o The RRSIG Labels field is equal to the number of labels in the
- RRset owner name, not counting the null root label and not
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 5]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- counting the leftmost label if it is a wildcard;
- o The RRSIG Signer's Name field is equal to the name of the zone
- containing the RRset; and
- o The RRSIG Algorithm, Signer's Name, and Key Tag fields identify a
- zone key DNSKEY record at the zone apex.
-
- The process for constructing the RRSIG RR for a given RRset is
- described in [I-D.ietf-dnsext-dnssec-records]. An RRset MAY have
- multiple RRSIG RRs associated with it.
-
- An RRSIG RR itself MUST NOT be signed, since signing an RRSIG RR
- would add no value and would create an infinite loop in the signing
- process.
-
- The NS RRset that appears at the zone apex name MUST be signed, but
- the NS RRsets that appear at delegation points (that is, the NS
- RRsets in the parent zone that delegate the name to the child zone's
- name servers) MUST NOT be signed. Glue address RRsets associated
- with delegations MUST NOT be signed.
-
- There MUST be an RRSIG for each RRset using at least one DNSKEY of
- each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
- itself MUST be signed by each algorithm appearing in the DS RRset
- located at the delegating parent (if any).
-
-2.3 Including NSEC RRs in a Zone
-
- Each owner name in the zone which has authoritative data or a
- delegation point NS RRset MUST have an NSEC resource record. The
- format of NSEC RRs and the process for constructing the NSEC RR for a
- given name is described in [I-D.ietf-dnsext-dnssec-records].
-
- The TTL value for any NSEC RR SHOULD be the same as the minimum TTL
- value field in the zone SOA RR.
-
- An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
- RRset at any particular owner name. That is, the signing process
- MUST NOT create NSEC or RRSIG RRs for owner names nodes which were
- not the owner name of any RRset before the zone was signed. The main
- reasons for this are a desire for namespace consistency between
- signed and unsigned versions of the same zone and a desire to reduce
- the risk of response inconsistency in security oblivious recursive
- name servers.
-
- The type bitmap of every NSEC resource record in a signed zone MUST
- indicate the presence of both the NSEC record itself and its
- corresponding RRSIG record.
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 6]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- The difference between the set of owner names that require RRSIG
- records and the set of owner names that require NSEC records is
- subtle and worth highlighting. RRSIG records are present at the
- owner names of all authoritative RRsets. NSEC records are present at
- the owner names of all names for which the signed zone is
- authoritative and also at the owner names of delegations from the
- signed zone to its children. Neither NSEC nor RRSIG records are
- present (in the parent zone) at the owner names of glue address
- RRsets. Note, however, that this distinction is for the most part is
- only visible during the zone signing process, because NSEC RRsets are
- authoritative data, and are therefore signed, thus any owner name
- which has an NSEC RRset will have RRSIG RRs as well in the signed
- zone.
-
- The bitmap for the NSEC RR at a delegation point requires special
- attention. Bits corresponding to the delegation NS RRset and any
- RRsets for which the parent zone has authoritative data MUST be set;
- bits corresponding to any non-NS RRset for which the parent is not
- authoritative MUST be clear.
-
-2.4 Including DS RRs in a Zone
-
- The DS resource record establishes authentication chains between DNS
- zones. A DS RRset SHOULD be present at a delegation point when the
- child zone is signed. The DS RRset MAY contain multiple records,
- each referencing a public key in the child zone used to verify the
- RRSIGs in that zone. All DS RRsets in a zone MUST be signed and DS
- RRsets MUST NOT appear at a zone's apex.
-
- A DS RR SHOULD point to a DNSKEY RR which is present in the child's
- apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
- by the corresponding private key.
-
- The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
- (that is, the NS RRset from the same zone containing the DS RRset).
-
- Construction of a DS RR requires knowledge of the corresponding
- DNSKEY RR in the child zone, which implies communication between the
- child and parent zones. This communication is an operational matter
- not covered by this document.
-
-2.5 Changes to the CNAME Resource Record.
-
- If a CNAME RRset is present at a name in a signed zone, appropriate
- RRSIG and NSEC RRsets are REQUIRED at that name. A KEY RRset at that
- name for secure dynamic update purposes is also allowed. Other types
- MUST NOT be present at that name.
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 7]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- This is a modification to the original CNAME definition given in
- [RFC1034]. The original definition of the CNAME RR did not allow any
- other types to coexist with a CNAME record, but a signed zone
- requires NSEC and RRSIG RRs for every authoritative name. To resolve
- this conflict, this specification modifies the definition of the
- CNAME resource record to allow it to coexist with NSEC and RRSIG RRs.
-
-2.6 DNSSEC RR Types Appearing at Zone Cuts.
-
- DNSSEC introduced two new RR types that are unusual in that they can
- appear at the parental side of a zone cut. At the parental side of a
- zone cut (that is, at a delegation point), NSEC RRs are REQUIRED at
- the owner name. A DS RR could also be present if the zone being
- delegated is signed and wishes to have a chain of authentication to
- the parent zone. This is an exception to the original DNS
- specification ([RFC1034]) which states that only NS RRsets could
- appear at the parental side of a zone cut.
-
- This specification updates the original DNS specification to allow
- NSEC and DS RR types at the parent side of a zone cut. These RRsets
- are authoritative for the parent when they appear at the parent side
- of a zone cut.
-
-2.7 Example of a Secure Zone
-
- Appendix A shows a complete example of a small signed zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 8]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-3. Serving
-
- This section describes the behavior of entities that include
- security-aware name server functions. In many cases such functions
- will be part of a security-aware recursive name server, but a
- security-aware authoritative name server has some of the same
- requirements. Functions specific to security-aware recursive name
- servers are described in Section 3.2; functions specific to
- authoritative servers are described in Section 3.1.
-
- The terms "SNAME", "SCLASS", and "STYPE" in the following discussion
- are as used in [RFC1034].
-
- A security-aware name server MUST support the EDNS0 [RFC2671] message
- size extension, MUST support a message size of at least 1220 octets,
- and SHOULD support a message size of 4000 octets [RFC3226].
-
- A security-aware name server which receives a DNS query that does not
- include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
- treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset,
- and MUST NOT perform any of the additional processing described
- below. Since the DS RR type has the peculiar property of only
- existing in the parent zone at delegation points, DS RRs always
- require some special processing, as described in Section 3.1.4.1.
-
- Security aware name servers that receive explicit queries for
- security RR types which match the content of more than one zone that
- it serves (for example, NSEC and RRSIG RRs above and below a
- delegation point where the server is authoritative for both zones)
- should behave self-consistently. The name server MAY return one of
- the following:
- o The above-delegation RRsets
- o The below-delegation RRsets
- o Both above and below-delegation RRsets
- o Empty answer section (no records)
- o Some other response
- o An error
- As long as the response is always consistent for each query to the
- name server.
-
- DNSSEC allocates two new bits in the DNS message header: the CD
- (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit
- is controlled by resolvers; a security-aware name server MUST copy
- the CD bit from a query into the corresponding response. The AD bit
- is controlled by name servers; a security-aware name server MUST
- ignore the setting of the AD bit in queries. See Section 3.1.6,
- Section 3.2.2, Section 3.2.3, Section 4, and Section 4.9 for details
- on the behavior of these bits.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 9]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- A security aware name server which synthesizes CNAME RRs from DNAME
- RRs as described in [RFC2672] SHOULD NOT generate signatures for the
- synthesized CNAME RRs.
-
-3.1 Authoritative Name Servers
-
- Upon receiving a relevant query that has the EDNS [RFC2671] OPT
- pseudo-RR DO bit [RFC3225] set, a security-aware authoritative name
- server for a signed zone MUST include additional RRSIG, NSEC, and DS
- RRs according to the following rules:
- o RRSIG RRs that can be used to authenticate a response MUST be
- included in the response according to the rules in Section 3.1.1;
- o NSEC RRs that can be used to provide authenticated denial of
- existence MUST be included in the response automatically according
- to the rules in Section 3.1.3;
- o Either a DS RRset or an NSEC RR proving that no DS RRs exist MUST
- be included in referrals automatically according to the rules in
- Section 3.1.4.
-
- These rules only apply to responses the semantics of which convey
- information about the presence or absence of resource records. That
- is, these rules are not intended to rule out responses such as RCODE
- 4 ("Not Implemented") or RCODE 5 ("Refused").
-
- DNSSEC does not change the DNS zone transfer protocol. Section 3.1.5
- discusses zone transfer requirements.
-
-3.1.1 Including RRSIG RRs in a Response
-
- When responding to a query that has the DO bit set, a security-aware
- authoritative name server SHOULD attempt to send RRSIG RRs that a
- security-aware resolver can use to authenticate the RRsets in the
- response. A name server SHOULD make every attempt to keep the RRset
- and its associated RRSIG(s) together in a response. Inclusion of
- RRSIG RRs in a response is subject to the following rules:
- o When placing a signed RRset in the Answer section, the name server
- MUST also place its RRSIG RRs in the Answer section. The RRSIG
- RRs have a higher priority for inclusion than any other RRsets
- that may need to be included. If space does not permit inclusion
- of these RRSIG RRs, the name server MUST set the TC bit.
- o When placing a signed RRset in the Authority section, the name
- server MUST also place its RRSIG RRs in the Authority section.
- The RRSIG RRs have a higher priority for inclusion than any other
- RRsets that may need to be included. If space does not permit
- inclusion of these RRSIG RRs, the name server MUST set the TC bit.
- o When placing a signed RRset in the Additional section, the name
- server MUST also place its RRSIG RRs in the Additional section.
- If space does not permit inclusion of both the RRset and its
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 10]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- associated RRSIG RRs, the name server MAY drop the RRSIG RRs. If
- this happens, the name server MUST NOT set the TC bit solely
- because these RRSIG RRs didn't fit.
-
-3.1.2 Including DNSKEY RRs In a Response
-
- When responding to a query that has the DO bit set and that requests
- the SOA or NS RRs at the apex of a signed zone, a security-aware
- authoritative name server for that zone MAY return the zone apex
- DNSKEY RRset in the Additional section. In this situation, the
- DNSKEY RRset and associated RRSIG RRs have lower priority than any
- other information that would be placed in the additional section.
- The name server SHOULD NOT include the DNSKEY RRset unless there is
- enough space in the response message for both the DNSKEY RRset and
- its associated RRSIG RR(s). If there is not enough space to include
- these DNSKEY and RRSIG RRs, the name server MUST omit them and MUST
- NOT set the TC bit solely because these RRs didn't fit (see Section
- 3.1.1).
-
-3.1.3 Including NSEC RRs In a Response
-
- When responding to a query that has the DO bit set, a security-aware
- authoritative name server for a signed zone MUST include NSEC RRs in
- each of the following cases:
-
- No Data: The zone contains RRsets that exactly match <SNAME, SCLASS>,
- but does not contain any RRsets that exactly match <SNAME, SCLASS,
- STYPE>.
-
- Name Error: The zone does not contain any RRsets that match <SNAME,
- SCLASS> either exactly or via wildcard name expansion.
-
- Wildcard Answer: The zone does not contain any RRsets that exactly
- match <SNAME, SCLASS> but does contain an RRset that matches
- <SNAME, SCLASS, STYPE> via wildcard name expansion.
-
- Wildcard No Data: The zone does not contain any RRsets that exactly
- match <SNAME, SCLASS>, does contain one or more RRsets that match
- <SNAME, SCLASS> via wildcard name expansion, but does not contain
- any RRsets that match <SNAME, SCLASS, STYPE> via wildcard name
- expansion.
-
- In each of these cases, the name server includes NSEC RRs in the
- response to prove that an exact match for <SNAME, SCLASS, STYPE> was
- not present in the zone and that the response that the name server is
- returning is correct given the data that are in the zone.
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 11]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-3.1.3.1 Including NSEC RRs: No Data Response
-
- If the zone contains RRsets matching <SNAME, SCLASS> but contains no
- RRset matching <SNAME, SCLASS, STYPE>, then the name server MUST
- include the NSEC RR for <SNAME, SCLASS> along with its associated
- RRSIG RR(s) in the Authority section of the response (see Section
- 3.1.1). If space does not permit inclusion of the NSEC RR or its
- associated RRSIG RR(s), the name server MUST set the TC bit (see
- Section 3.1.1).
-
- Since the search name exists, wildcard name expansion does not apply
- to this query, and a single signed NSEC RR suffices to prove the
- requested RR type does not exist.
-
-3.1.3.2 Including NSEC RRs: Name Error Response
-
- If the zone does not contain any RRsets matching <SNAME, SCLASS>
- either exactly or via wildcard name expansion, then the name server
- MUST include the following NSEC RRs in the Authority section, along
- with their associated RRSIG RRs:
- o An NSEC RR proving that there is no exact match for <SNAME,
- SCLASS>; and
- o An NSEC RR proving that the zone contains no RRsets that would
- match <SNAME, SCLASS> via wildcard name expansion.
-
- In some cases a single NSEC RR may prove both of these points, in
- that case the name server SHOULD only include the NSEC RR and its
- RRSIG RR(s) once in the Authority section.
-
- If space does not permit inclusion of these NSEC and RRSIG RRs, the
- name server MUST set the TC bit (see Section 3.1.1).
-
- The owner names of these NSEC and RRSIG RRs are not subject to
- wildcard name expansion when these RRs are included in the Authority
- section of the response.
-
- Note that this form of response includes cases in which SNAME
- corresponds to an empty non-terminal name within the zone (a name
- which is not the owner name for any RRset but which is the parent
- name of one or more RRsets).
-
-3.1.3.3 Including NSEC RRs: Wildcard Answer Response
-
- If the zone does not contain any RRsets which exactly match <SNAME,
- SCLASS> but does contain an RRset which matches <SNAME, SCLASS,
- STYPE> via wildcard name expansion, the name server MUST include the
- wildcard-expanded answer and the corresponding wildcard-expanded
- RRSIG RRs in the Answer section, and MUST include in the Authority
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 12]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- section an NSEC RR and associated RRSIG RR(s) proving that the zone
- does not contain a closer match for <SNAME, SCLASS>. If space does
- not permit inclusion of the answer, NSEC and RRSIG RRs, the name
- server MUST set the TC bit (see Section 3.1.1).
-
-3.1.3.4 Including NSEC RRs: Wildcard No Data Response
-
- This case is a combination of the previous cases. The zone does not
- contain an exact match for <SNAME, SCLASS>, and while the zone does
- contain RRsets which match <SNAME, SCLASS> via wildcard expansion,
- none of those RRsets match STYPE. The name server MUST include the
- following NSEC RRs in the Authority section, along with their
- associated RRSIG RRs:
- o An NSEC RR proving that there are no RRsets matching STYPE at the
- wildcard owner name which matched <SNAME, SCLASS> via wildcard
- expansion; and
- o An NSEC RR proving that there are no RRsets in the zone which
- would have been a closer match for <SNAME, SCLASS>.
-
- In some cases a single NSEC RR may prove both of these points, in
- which case the name server SHOULD only include the NSEC RR and its
- RRSIG RR(s) once in the Authority section.
-
- The owner names of these NSEC and RRSIG RRs are not subject to
- wildcard name expansion when these RRs are included in the Authority
- section of the response.
-
- If space does not permit inclusion of these NSEC and RRSIG RRs, the
- name server MUST set the TC bit (see Section 3.1.1).
-
-3.1.3.5 Finding The Right NSEC RRs
-
- As explained above, there are several situations in which a
- security-aware authoritative name server needs to locate an NSEC RR
- which proves that no RRsets matching a particular SNAME exist.
- Locating such an NSEC RR within an authoritative zone is relatively
- simple, at least in concept. The following discussion assumes that
- the name server is authoritative for the zone which would have held
- the nonexistent RRsets matching SNAME. The algorithm below is
- written for clarity, not efficiency.
-
- To find the NSEC which proves that no RRsets matching name N exist in
- the zone Z which would have held them, construct sequence S
- consisting of the owner names of every RRset in Z, sorted into
- canonical order [I-D.ietf-dnsext-dnssec-records], with no duplicate
- names. Find the name M which would have immediately preceded N in S
- if any RRsets with owner name N had existed. M is the owner name of
- the NSEC RR which proves that no RRsets exist with owner name N.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 13]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- The algorithm for finding the NSEC RR which proves that a given name
- is not covered by any applicable wildcard is similar, but requires an
- extra step. More precisely, the algorithm for finding the NSEC
- proving that no RRsets exist with the applicable wildcard name is
- precisely the same as the algorithm for finding the NSEC RR which
- proves that RRsets with any other owner name do not exist: the part
- that's missing is how to determine the name of the nonexistent
- applicable wildcard. In practice, this is easy, because the
- authoritative name server has already checked for the presence of
- precisely this wildcard name as part of step (1)(c) of the normal
- lookup algorithm described in Section 4.3.2 of [RFC1034].
-
-3.1.4 Including DS RRs In a Response
-
- When responding to a query which has the DO bit set, a security-aware
- authoritative name server returning a referral includes DNSSEC data
- along with the NS RRset.
-
- If a DS RRset is present at the delegation point, the name server
- MUST return both the DS RRset and its associated RRSIG RR(s) in the
- Authority section along with the NS RRset. The name server MUST
- place the NS RRset before the DS RRset and its associated RRSIG
- RR(s).
-
- If no DS RRset is present at the delegation point, the name server
- MUST return both the NSEC RR which proves that the DS RRset is not
- present and the NSEC RR's associated RRSIG RR(s) along with the NS
- RRset. The name server MUST place the NS RRset before the NSEC RRset
- and its associated RRSIG RR(s).
-
- Including these DS, NSEC, and RRSIG RRs increases the size of
- referral messages, and may cause some or all glue RRs to be omitted.
- If space does not permit inclusion of the DS or NSEC RRset and
- associated RRSIG RRs, the name server MUST set the TC bit (see
- Section 3.1.1).
-
-3.1.4.1 Responding to Queries for DS RRs
-
- The DS resource record type is unusual in that it appears only on the
- parent zone's side of a zone cut. For example, the DS RRset for the
- delegation of "foo.example" is stored in the "example" zone rather
- than in the "foo.example" zone. This requires special processing
- rules for both name servers and resolvers, since the name server for
- the child zone is authoritative for the name at the zone cut by the
- normal DNS rules but the child zone does not contain the DS RRset.
-
- A security-aware resolver sends queries to the parent zone when
- looking for a needed DS RR at a delegation point (see Section 4.2).
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 14]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- However, special rules are necessary to avoid confusing
- security-oblivious resolvers which might become involved in
- processing such a query (for example, in a network configuration that
- forces a security-aware resolver to channel its queries through a
- security-oblivious recursive name server). The rest of this section
- describes how a security-aware name server processes DS queries in
- order to avoid this problem.
-
- The need for special processing by a security-aware name server only
- arises when all the following conditions are met:
- o the name server has received a query for the DS RRset at a zone
- cut; and
- o the name server is authoritative for the child zone; and
- o the name server is not authoritative for the parent zone; and
- o the name server does not offer recursion.
-
- In all other cases, the name server either has some way of obtaining
- the DS RRset or could not have been expected to have the DS RRset
- even by the pre-DNSSEC processing rules, so the name server can
- return either the DS RRset or an error response according to the
- normal processing rules.
-
- If all of the above conditions are met, however, the name server is
- authoritative for SNAME but cannot supply the requested RRset. In
- this case, the name server MUST return an authoritative "no data"
- response showing that the DS RRset does not exist in the child zone's
- apex. See Appendix B.8 for an example of such a response.
-
-3.1.5 Responding to Queries for Type AXFR or IXFR
-
- DNSSEC does not change the DNS zone transfer process. A signed zone
- will contain RRSIG, DNSKEY, NSEC, and DS resource records, but these
- records have no special meaning with respect to a zone transfer
- operation.
-
- An authoritative name server is not required to verify that a zone is
- properly signed before sending or accepting a zone transfer.
- However, an authoritative name server MAY choose to reject the entire
- zone transfer if the zone fails meets any of the signing requirements
- described in Section 2. The primary objective of a zone transfer is
- to ensure that all authoritative name servers have identical copies
- of the zone. An authoritative name server that chooses to perform
- its own zone validation MUST NOT selectively reject some RRs and
- accept others.
-
- DS RRsets appear only on the parental side of a zone cut and are
- authoritative data in the parent zone. As with any other
- authoritative RRset, the DS RRset MUST be included in zone transfers
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 15]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- of the zone in which the RRset is authoritative data: in the case of
- the DS RRset, this is the parent zone.
-
- NSEC RRs appear in both the parent and child zones at a zone cut, and
- are authoritative data in both the parent and child zones. The
- parental and child NSEC RRs at a zone cut are never identical to each
- other, since the NSEC RR in the child zone's apex will always
- indicate the presence of the child zone's SOA RR while the parental
- NSEC RR at the zone cut will never indicate the presence of an SOA
- RR. As with any other authoritative RRs, NSEC RRs MUST be included
- in zone transfers of the zone in which they are authoritative data:
- the parental NSEC RR at a zone cut MUST be included zone transfers of
- the parent zone, while the NSEC at the zone apex of the child zone
- MUST be included in zone transfers of the child zone.
-
- RRSIG RRs appear in both the parent and child zones at a zone cut,
- and are authoritative in whichever zone contains the authoritative
- RRset for which the RRSIG RR provides the signature. That is, the
- RRSIG RR for a DS RRset or a parental NSEC RR at a zone cut will be
- authoritative in the parent zone, while the RRSIG for any RRset in
- the child zone's apex will be authoritative in the child zone.
- Parental and child RRSIG RRs at a zone cut will never be identical to
- each other, since the Signer's Name field of an RRSIG RR in the child
- zone's apex will indicate a DNSKEY RR in the child zone's apex while
- the same field of a parental RRSIG RR at the zone cut will indicate a
- DNSKEY RR in the parent zone's apex. As with any other authoritative
- RRs, RRSIG RRs MUST be included in zone transfers of the zone in
- which they are authoritative data.
-
-3.1.6 The AD and CD Bits in an Authoritative Response
-
- The CD and AD bits are designed for use in communication between
- security-aware resolvers and security-aware recursive name servers.
- These bits are for the most part not relevant to query processing by
- security-aware authoritative name servers.
-
- A security-aware name server does not perform signature validation
- for authoritative data during query processing even when the CD bit
- is clear. A security-aware name server SHOULD clear the CD bit when
- composing an authoritative response.
-
- A security-aware name server MUST NOT set the AD bit in a response
- unless the name server considers all RRsets in the Answer and
- Authority sections of the response to be authentic. A security-aware
- name server's local policy MAY consider data from an authoritative
- zone to be authentic without further validation, but the name server
- MUST NOT do so unless the name server obtained the authoritative zone
- via secure means (such as a secure zone transfer mechanism), and MUST
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 16]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- NOT do so unless this behavior has been configured explicitly.
-
- A security-aware name server which supports recursion MUST follow the
- rules for the CD and AD bits given in Section 3.2 when generating a
- response that involves data obtained via recursion.
-
-3.2 Recursive Name Servers
-
- As explained in [I-D.ietf-dnsext-dnssec-intro], a security-aware
- recursive name server is an entity which acts in both the
- security-aware name server and security-aware resolver roles. This
- section uses the terms "name server side" and "resolver side" to
- refer to the code within a security-aware recursive name server which
- implements the security-aware name server role and the code which
- implements the security-aware resolver role, respectively.
-
- The resolver side follows the usual rules for caching and negative
- caching which would apply to any security-aware resolver.
-
-3.2.1 The DO bit
-
- The resolver side of a security-aware recursive name server MUST set
- the DO bit when sending requests, regardless of the state of the DO
- bit in the initiating request received by the name server side. If
- the DO bit in an initiating query is not set, the name server side
- MUST strip any authenticating DNSSEC RRs from the response, but MUST
- NOT strip any DNSSEC RR types that the initiating query explicitly
- requested.
-
-3.2.2 The CD bit
-
- The CD bit exists in order to allow a security-aware resolver to
- disable signature validation in a security-aware name server's
- processing of a particular query.
-
- The name server side MUST copy the setting of the CD bit from a query
- to the corresponding response.
-
- The name server side of a security-aware recursive name server MUST
- pass the sense of the CD bit to the resolver side along with the rest
- of an initiating query, so that the resolver side will know whether
- or not it is required to verify the response data it returns to the
- name server side. If the CD bit is set, it indicates that the
- originating resolver is willing to perform whatever authentication
- its local policy requires, thus the resolver side of the recursive
- name server need not perform authentication on the RRsets in the
- response. When the CD bit is set the recursive name server SHOULD,
- if possible, return the requested data to the originating resolver
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 17]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- even if the recursive name server's local authentication policy would
- reject the records in question. That is, by setting the CD bit, the
- originating resolver has indicated that it takes responsibility for
- performing its own authentication, and the recursive name server
- should not interfere.
-
- If the resolver side implements a BAD cache (see Section 4.7) and the
- name server side receives a query which matches an entry in the
- resolver side's BAD cache, the name server side's response depends on
- the sense of the CD bit in the original query. If the CD bit is set,
- the name server side SHOULD return the data from the BAD cache; if
- the CD bit is not set, the name server side MUST return RCODE 2
- (server failure).
-
- The intent of the above rule is to provide the raw data to clients
- which are capable of performing their own signature verification
- checks while protecting clients which depend on the resolver side of
- a security-aware recursive name server to perform such checks.
- Several of the possible reasons why signature validation might fail
- involve conditions which may not apply equally to the recursive name
- server and the client which invoked it: for example, the recursive
- name server's clock may be set incorrectly, or the client may have
- knowledge of a relevant island of security which the recursive name
- server does not share. In such cases, "protecting" a client which is
- capable of performing its own signature validation from ever seeing
- the "bad" data does not help the client.
-
-3.2.3 The AD bit
-
- The name server side of a security-aware recursive name server MUST
- NOT set the AD bit in a response unless the name server considers all
- RRsets in the Answer and Authority sections of the response to be
- authentic. The name server side SHOULD set the AD bit if and only if
- the resolver side considers all RRsets in the Answer section and any
- relevant negative response RRs in the Authority section to be
- authentic. The resolver side MUST follow the procedure described in
- Section 5 to determine whether the RRs in question are authentic.
- However, for backwards compatibility, a recursive name server MAY set
- the AD bit when a response includes unsigned CNAME RRs if those CNAME
- RRs demonstrably could have been synthesized from an authentic DNAME
- RR which is also included in the response according to the synthesis
- rules described in [RFC2672].
-
-3.3 Example DNSSEC Responses
-
- See Appendix B for example response packets.
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 18]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-4. Resolving
-
- This section describes the behavior of entities that include
- security-aware resolver functions. In many cases such functions will
- be part of a security-aware recursive name server, but a stand-alone
- security-aware resolver has many of the same requirements. Functions
- specific to security-aware recursive name servers are described in
- Section 3.2.
-
-4.1 EDNS Support
-
- A security-aware resolver MUST include an EDNS [RFC2671] OPT
- pseudo-RR with the DO [RFC3225] bit set when sending queries.
-
- A security-aware resolver MUST support a message size of at least
- 1220 octets, SHOULD support a message size of 4000 octets, and MUST
- advertise the supported message size using the "sender's UDP payload
- size" field in the EDNS OPT pseudo-RR. A security-aware resolver
- MUST handle fragmented UDP packets correctly regardless of whether
- any such fragmented packets were received via IPv4 or IPv6. Please
- see [RFC3226] for discussion of these requirements.
-
-4.2 Signature Verification Support
-
- A security-aware resolver MUST support the signature verification
- mechanisms described in Section 5, and SHOULD apply them to every
- received response except when:
- o The security-aware resolver is part of a security-aware recursive
- name server, and the response is the result of recursion on behalf
- of a query received with the CD bit set;
- o The response is the result of a query generated directly via some
- form of application interface which instructed the security-aware
- resolver not to perform validation for this query; or
- o Validation for this query has been disabled by local policy.
-
- A security-aware resolver's support for signature verification MUST
- include support for verification of wildcard owner names.
-
- Security aware resolvers MAY query for missing security RRs in an
- attempt to perform validation; implementations that choose to do so
- must be aware that the answers received may not be sufficient to
- validate the original response.
-
- When attempting to retrieve missing NSEC RRs which reside on the
- parental side at a zone cut, a security-aware iterative-mode resolver
- MUST query the name servers for the parent zone, not the child zone.
-
- When attempting to retrieve a missing DS, a security-aware
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 19]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- iterative-mode resolver MUST query the name servers for the parent
- zone, not the child zone. As explained in Section 3.1.4.1,
- security-aware name servers need to apply special processing rules to
- handle the DS RR, and in some situations the resolver may also need
- to apply special rules to locate the name servers for the parent zone
- if the resolver does not already have the parent's NS RRset. To
- locate the parent NS RRset, the resolver can start with the
- delegation name, strip off the leftmost label, and query for an NS
- RRset by that name; if no NS RRset is present at that name, the
- resolver then strips of the leftmost remaining label and retries the
- query for that name, repeating this process of walking up the tree
- until it either finds the NS RRset or runs out of labels.
-
-4.3 Determining Security Status of Data
-
- A security-aware resolver MUST be able to determine whether or not it
- should expect a particular RRset to be signed. More precisely, a
- security-aware resolver must be able to distinguish between four
- cases:
-
- Secure: An RRset for which the resolver is able to build a chain of
- signed DNSKEY and DS RRs from a trusted security anchor to the
- RRset. In this case, the RRset should be signed, and is subject
- to signature validation as described above.
-
- Insecure: An RRset for which the resolver knows that it has no chain
- of signed DNSKEY and DS RRs from any trusted starting point to the
- RRset. This can occur when the target RRset lies in an unsigned
- zone or in a descendent of an unsigned zone. In this case, the
- RRset may or may not be signed, but the resolver will not be able
- to verify the signature.
-
- Bogus: An RRset for which the resolver believes that it ought to be
- able to establish a chain of trust but is unable to do so, either
- due to signatures that for some reason fail to validate or due to
- missing data which the relevant DNSSEC RRs indicate should be
- present. This case may indicate an attack, but may also indicate
- a configuration error or some form of data corruption.
-
- Indeterminate: An RRset for which the resolver is not able to
- determine whether or not the RRset should be signed, because the
- resolver is not able to obtain the necessary DNSSEC RRs. This can
- occur when the security-aware resolver is not able to contact
- security-aware name servers for the relevant zones.
-
-4.4 Configured Trust Anchors
-
- A security-aware resolver MUST be capable of being configured with at
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 20]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- least one trusted public key or DS RR, and SHOULD be capable of being
- configured with multiple trusted public keys or DS RRs. Since a
- security-aware resolver will not be able to validate signatures
- without such a configured trust anchor, the resolver SHOULD have some
- reasonably robust mechanism for obtaining such keys when it boots;
- examples of such a mechanism would be some form of non-volatile
- storage (such as a disk drive) or some form of trusted local network
- configuration mechanism.
-
- Note that trust anchors also covers key material that is updated in a
- secure manner. This secure manner could be through physical media, a
- key exchange protocol, or some other out of band means.
-
-4.5 Response Caching
-
- A security-aware resolver SHOULD cache each response as a single
- atomic entry containing the entire answer, including the named RRset
- and any associated DNSSEC RRs. The resolver SHOULD discard the
- entire atomic entry when any of the RRs contained in it expire. In
- most cases the appropriate cache index for the atomic entry will be
- the triple <QNAME, QTYPE, QCLASS>, but in cases such as the response
- form described in Section 3.1.3.2 the appropriate cache index will be
- the double <QNAME,QCLASS>.
-
- The reason for these recommendations is that, between the initial
- query and the expiration of the data from the cache, the
- authoritative data might have been changed (for example, via dynamic
- update).
-
- There are two situations for which this is relevant:
- 1. By using the RRSIG record, it is possible to deduce that an
- answer was synthesized from a wildcard. A security aware
- recursive name server could store this wildcard data and use it
- to generate positive responses to queries other than the name for
- which the original answer was first received.
- 2. NSEC RRs received to prove the non-existence of a name could be
- reused by a security aware resolver to prove the non-existence of
- any name in the name range it spans.
-
- In theory, a resolver could use wildcards or NSEC RRs to generate
- positive and negative responses (respectively) until the TTL or
- signatures on the records in question expire. However, it seems
- prudent for resolvers to avoid blocking new authoritative data or
- synthesizing new data on their own. Resolvers which follow this
- recommendation will have a more consistent view of the namespace.
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 21]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-4.6 Handling of the CD and AD bits
-
- A security-aware resolver MAY set a query's CD bit in order to
- indicate that the resolver takes responsibility for performing
- whatever authentication its local policy requires on the RRsets in
- the response. See Section 3.2 for the effect this bit has on the
- behavior of security-aware recursive name servers.
-
- A security-aware resolver MUST clear the AD bit when composing query
- messages to protect against buggy name servers which blindly copy
- header bits which they do not understand from the query message to
- the response message.
-
- A resolver MUST disregard the meaning of the CD and AD bits in a
- response unless the response was obtained using a secure channel or
- the resolver was specifically configured to regard the message header
- bits without using a secure channel.
-
-4.7 Caching BAD Data
-
- While many validation errors will be transient, some are likely to be
- more persistent, such as those caused by administrative error
- (failure to re-sign a zone, clock skew, and so forth). Since
- requerying will not help in these cases, validating resolvers might
- generate a significant amount of unnecessary DNS traffic as a result
- of repeated queries for RRsets with persistent validation failures.
-
- To prevent such unnecessary DNS traffic, security-aware resolvers MAY
- cache data with invalid signatures, with some restrictions.
- Conceptually, caching such data is similar to negative caching
- [RFC2308], except that instead of caching a valid negative response,
- the resolver is caching the fact that a particular answer failed to
- validate. This document refers to a cache of data with invalid
- signatures as a "BAD cache".
-
- Resolvers which implement a BAD cache MUST take steps to prevent the
- cache from being useful as a denial-of-service attack amplifier. In
- particular:
- o Since RRsets which fail to validate do not have trustworthy TTLs,
- the implementation MUST assign a TTL. This TTL SHOULD be small,
- in order to mitigate the effect of caching the results of an
- attack.
- o In order to prevent caching of a transient validation failure
- (which might be the result of an attack), resolvers SHOULD track
- queries that result in validation failures, and SHOULD only answer
- from the BAD cache after the number of times that responses to
- queries for that particular <QNAME, QTYPE, QCLASS> have failed to
- validate exceeds a threshold value.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 22]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- Resolvers MUST NOT return RRsets from the BAD cache unless the
- resolver is not required to validate the signatures of the RRsets in
- question under the rules given in Section 4.2 of this document. See
- Section 3.2.2 for discussion of how the responses returned by a
- security-aware recursive name server interact with a BAD cache.
-
-4.8 Synthesized CNAMEs
-
- A validating security-aware resolver MUST treat the signature of a
- valid signed DNAME RR as also covering unsigned CNAME RRs which could
- have been synthesized from the DNAME RR as described in [RFC2672], at
- least to the extent of not rejecting a response message solely
- because it contains such CNAME RRs. The resolver MAY retain such
- CNAME RRs in its cache or in the answers it hands back, but is not
- required to do so.
-
-4.9 Stub resolvers
-
- A security-aware stub resolver MUST support the DNSSEC RR types, at
- least to the extent of not mishandling responses just because they
- contain DNSSEC RRs.
-
-4.9.1 Handling of the DO Bit
-
- A non-validating security-aware stub resolver MAY include the DNSSEC
- RRs returned by a security-aware recursive name server as part of the
- data that the stub resolver hands back to the application which
- invoked it but is not required to do so. A non-validating stub
- resolver that wishes to do this will need to set the DO bit in
- receive DNSSEC RRs from the recursive name server.
-
- A validating security-aware stub resolver MUST set the DO bit, since
- otherwise it will not receive the DNSSEC RRs it needs to perform
- signature validation.
-
-4.9.2 Handling of the CD Bit
-
- A non-validating security-aware stub resolver SHOULD NOT set the CD
- bit when sending queries unless requested by the application layer,
- since by definition, a non-validating stub resolver depends on the
- security-aware recursive name server to perform validation on its
- behalf.
-
- A validating security-aware stub resolver SHOULD set the CD bit,
- since otherwise the security-aware recursive name server will answer
- the query using the name server's local policy, which may prevent the
- stub resolver from receiving data which would be acceptable to the
- stub resolver's local policy.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 23]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-4.9.3 Handling of the AD Bit
-
- A non-validating security-aware stub resolver MAY chose to examine
- the setting of the AD bit in response messages that it receives in
- order to determine whether the security-aware recursive name server
- which sent the response claims to have cryptographically verified the
- data in the Answer and Authority sections of the response message.
- Note, however, that the responses received by a security-aware stub
- resolver are heavily dependent on the local policy of the
- security-aware recursive name server, so as a practical matter there
- may be little practical value to checking the status of the AD bit
- except perhaps as a debugging aid. In any case, a security-aware
- stub resolver MUST NOT place any reliance on signature validation
- allegedly performed on its behalf except when the security-aware stub
- resolver obtained the data in question from a trusted security-aware
- recursive name server via a secure channel.
-
- A validating security-aware stub resolver SHOULD NOT examine the
- setting of the AD bit in response messages, since, by definition, the
- stub resolver performs its own signature validation regardless of the
- setting of the AD bit.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 24]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-5. Authenticating DNS Responses
-
- In order to use DNSSEC RRs for authentication, a security-aware
- resolver requires configured knowledge of at least one authenticated
- DNSKEY or DS RR. The process for obtaining and authenticating this
- initial trust anchors is achieved via some external mechanism. For
- example, a resolver could use some off-line authenticated exchange to
- obtain a zone's DNSKEY RR or obtain a DS RR that identifies and
- authenticates a zone's DNSKEY RR. The remainder of this section
- assumes that the resolver has somehow obtained an initial set of
- trust anchors.
-
- An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY
- RRset. To authenticate an apex DNSKEY RRset using an initial key,
- the resolver MUST:
- 1. Verify that the initial DNSKEY RR appears in the apex DNSKEY
- RRset, and verify that the DNSKEY RR MUST have the Zone Key Flag
- (DNSKEY RDATA bit 7) set.
- 2. Verify that there is some RRSIG RR that covers the apex DNSKEY
- RRset, and that the combination of the RRSIG RR and the initial
- DNSKEY RR authenticates the DNSKEY RRset. The process for using
- an RRSIG RR to authenticate an RRset is described in Section 5.3.
-
- Once the resolver has authenticated the apex DNSKEY RRset using an
- initial DNSKEY RR, delegations from that zone can be authenticated
- using DS RRs. This allows a resolver to start from an initial key,
- and use DS RRsets to proceed recursively down the DNS tree obtaining
- other apex DNSKEY RRsets. If the resolver were configured with a
- root DNSKEY RR, and if every delegation had a DS RR associated with
- it, then the resolver could obtain and validate any apex DNSKEY
- RRset. The process of using DS RRs to authenticate referrals is
- described in Section 5.2.
-
- Once the resolver has authenticated a zone's apex DNSKEY RRset,
- Section 5.3 shows how the resolver can use DNSKEY RRs in the apex
- DNSKEY RRset and RRSIG RRs from the zone to authenticate any other
- RRsets in the zone. Section 5.4 shows how the resolver can use
- authenticated NSEC RRsets from the zone to prove that an RRset is not
- present in the zone.
-
- When a resolver indicates support for DNSSEC (by setting the DO bit),
- a security-aware name server should attempt to provide the necessary
- DNSKEY, RRSIG, NSEC, and DS RRsets in a response (see Section 3).
- However, a security-aware resolver may still receive a response that
- that lacks the appropriate DNSSEC RRs, whether due to configuration
- issues such as an upstream security-oblivious recursive name server
- that accidentally interferes with DNSSEC RRs or due to a deliberate
- attack in which an adversary forges a response, strips DNSSEC RRs
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 25]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- from a response, or modifies a query so that DNSSEC RRs appear not to
- be requested. The absence of DNSSEC data in a response MUST NOT by
- itself be taken as an indication that no authentication information
- exists.
-
- A resolver SHOULD expect authentication information from signed
- zones. A resolver SHOULD believe that a zone is signed if the
- resolver has been configured with public key information for the
- zone, or if the zone's parent is signed and the delegation from the
- parent contains a DS RRset.
-
-5.1 Special Considerations for Islands of Security
-
- Islands of security (see [I-D.ietf-dnsext-dnssec-intro]) are signed
- zones for which it is not possible to construct an authentication
- chain to the zone from its parent. Validating signatures within an
- island of security requires the validator to have some other means of
- obtaining an initial authenticated zone key for the island. If a
- validator cannot obtain such a key, it SHOULD switch to operating as
- if the zones in the island of security are unsigned.
-
- All the normal processes for validating responses apply to islands of
- security. The only difference between normal validation and
- validation within an island of security is in how the validator
- obtains a trust anchor for the authentication chain.
-
-5.2 Authenticating Referrals
-
- Once the apex DNSKEY RRset for a signed parent zone has been
- authenticated, DS RRsets can be used to authenticate the delegation
- to a signed child zone. A DS RR identifies a DNSKEY RR in the child
- zone's apex DNSKEY RRset, and contains a cryptographic digest of the
- child zone's DNSKEY RR. A strong cryptographic digest algorithm
- ensures that an adversary can not easily generate a DNSKEY RR that
- matches the digest. Thus, authenticating the digest allows a
- resolver to authenticate the matching DNSKEY RR. The resolver can
- then use this child DNSKEY RR to authenticate the entire child apex
- DNSKEY RRset.
-
- Given a DS RR for a delegation, the child zone's apex DNSKEY RRset
- can be authenticated if all of the following hold:
- o The DS RR has been authenticated using some DNSKEY RR in the
- parent's apex DNSKEY RRset (see Section 5.3);
- o The Algorithm and Key Tag in the DS RR match the Algorithm field
- and the key tag of a DNSKEY RR in the child zone's apex DNSKEY
- RRset and, when hashed using the digest algorithm specified in the
- DS RR's Digest Type field, results in a digest value that matches
- the Digest field of the DS RR; and
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 26]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- o The matching DNSKEY RR in the child zone has the Zone Flag bit
- set, the corresponding private key has signed the child zone's
- apex DNSKEY RRset, and the resulting RRSIG RR authenticates the
- child zone's apex DNSKEY RRset.
-
- If the referral from the parent zone did not contain a DS RRset, the
- response should have included a signed NSEC RRset proving that no DS
- RRset exists for the delegated name (see Section 3.1.4). A
- security-aware resolver MUST query the name servers for the parent
- zone for the DS RRset if the referral includes neither a DS RRset nor
- a NSEC RRset proving that the DS RRset does not exist (see Section
- 4).
-
- If the validator authenticates an NSEC RRset that proves that no DS
- RRset is present for this zone, then there is no authentication path
- leading from the parent to the child. If the resolver has an initial
- DNSKEY or DS RR that belongs to the child zone or to any delegation
- below the child zone, this initial DNSKEY or DS RR MAY be used to
- re-establish an authentication path. If no such initial DNSKEY or DS
- RR exists, the validator can not authenticate RRsets in or below the
- child zone.
-
- If the validator does not support any of the algorithms listed in an
- authenticated DS RRset, then the resolver has no supported
- authentication path leading from the parent to the child. The
- resolver should treat this case as it would the case of an
- authenticated NSEC RRset proving that no DS RRset exists, as
- described above.
-
- Note that, for a signed delegation, there are two NSEC RRs associated
- with the delegated name. One NSEC RR resides in the parent zone, and
- can be used to prove whether a DS RRset exists for the delegated
- name. The second NSEC RR resides in the child zone, and identifies
- which RRsets are present at the apex of the child zone. The parent
- NSEC RR and child NSEC RR can always be distinguished, since the SOA
- bit will be set in the child NSEC RR and clear in the parent NSEC RR.
- A security-aware resolver MUST use the parent NSEC RR when attempting
- to prove that a DS RRset does not exist.
-
- If the resolver does not support any of the algorithms listed in an
- authenticated DS RRset, then the resolver will not be able to verify
- the authentication path to the child zone. In this case, the
- resolver SHOULD treat the child zone as if it were unsigned.
-
-5.3 Authenticating an RRset Using an RRSIG RR
-
- A validator can use an RRSIG RR and its corresponding DNSKEY RR to
- attempt to authenticate RRsets. The validator first checks the RRSIG
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 27]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- RR to verify that it covers the RRset, has a valid time interval, and
- identifies a valid DNSKEY RR. The validator then constructs the
- canonical form of the signed data by appending the RRSIG RDATA
- (excluding the Signature Field) with the canonical form of the
- covered RRset. Finally, the validator uses the public key and
- signature to authenticate the signed data. Section 5.3.1, Section
- 5.3.2, and Section 5.3.3 describe each step in detail.
-
-5.3.1 Checking the RRSIG RR Validity
-
- A security-aware resolver can use an RRSIG RR to authenticate an
- RRset if all of the following conditions hold:
- o The RRSIG RR and the RRset MUST have the same owner name and the
- same class;
- o The RRSIG RR's Signer's Name field MUST be the name of the zone
- that contains the RRset;
- o The RRSIG RR's Type Covered field MUST equal the RRset's type;
- o The number of labels in the RRset owner name MUST be greater than
- or equal to the value in the RRSIG RR's Labels field;
- o The validator's notion of the current time MUST be less than or
- equal to the time listed in the RRSIG RR's Expiration field;
- o The validator's notion of the current time MUST be greater than or
- equal to the time listed in the RRSIG RR's Inception field;
- o The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST
- match the owner name, algorithm, and key tag for some DNSKEY RR in
- the zone's apex DNSKEY RRset;
- o The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
- RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
- set.
-
- It is possible for more than one DNSKEY RR to match the conditions
- above. In this case, the validator cannot predetermine which DNSKEY
- RR to use to authenticate the signature, MUST try each matching
- DNSKEY RR until either the signature is validated or the validator
- has run out of matching public keys to try.
-
- Note that this authentication process is only meaningful if the
- validator authenticates the DNSKEY RR before using it to validate
- signatures. The matching DNSKEY RR is considered to be authentic if:
- o The apex DNSKEY RRset containing the DNSKEY RR is considered
- authentic; or
- o The RRset covered by the RRSIG RR is the apex DNSKEY RRset itself,
- and the DNSKEY RR either matches an authenticated DS RR from the
- parent zone or matches a trust anchor.
-
-5.3.2 Reconstructing the Signed Data
-
- Once the RRSIG RR has met the validity requirements described in
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 28]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- Section 5.3.1, the validator needs to reconstruct the original signed
- data. The original signed data includes RRSIG RDATA (excluding the
- Signature field) and the canonical form of the RRset. Aside from
- being ordered, the canonical form of the RRset might also differ from
- the received RRset due to DNS name compression, decremented TTLs, or
- wildcard expansion. The validator should use the following to
- reconstruct the original signed data:
-
- signed_data = RRSIG_RDATA | RR(1) | RR(2)... where
-
- "|" denotes concatenation
-
- RRSIG_RDATA is the wire format of the RRSIG RDATA fields
- with the Signature field excluded and the Signer's Name
- in canonical form.
-
- RR(i) = name | type | class | OrigTTL | RDATA length | RDATA
-
- name is calculated according to the function below
-
- class is the RRset's class
-
- type is the RRset type and all RRs in the class
-
- OrigTTL is the value from the RRSIG Original TTL field
-
- All names in the RDATA field are in canonical form
-
- The set of all RR(i) is sorted into canonical order.
-
- To calculate the name:
- let rrsig_labels = the value of the RRSIG Labels field
-
- let fqdn = RRset's fully qualified domain name in
- canonical form
-
- let fqdn_labels = Label count of the fqdn above.
-
- if rrsig_labels = fqdn_labels,
- name = fqdn
-
- if rrsig_labels < fqdn_labels,
- name = "*." | the rightmost rrsig_label labels of the
- fqdn
-
- if rrsig_labels > fqdn_labels
- the RRSIG RR did not pass the necessary validation
- checks and MUST NOT be used to authenticate this
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 29]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- RRset.
-
- The canonical forms for names and RRsets are defined in
- [I-D.ietf-dnsext-dnssec-records].
-
- NSEC RRsets at a delegation boundary require special processing.
- There are two distinct NSEC RRsets associated with a signed delegated
- name. One NSEC RRset resides in the parent zone, and specifies which
- RRset are present at the parent zone. The second NSEC RRset resides
- at the child zone, and identifies which RRsets are present at the
- apex in the child zone. The parent NSEC RRset and child NSEC RRset
- can always be distinguished since only the child NSEC RRs will
- specify an SOA RRset exists at the name. When reconstructing the
- original NSEC RRset for the delegation from the parent zone, the NSEC
- RRs MUST NOT be combined with NSEC RRs from the child zone, and when
- reconstructing the original NSEC RRset for the apex of the child
- zone, the NSEC RRs MUST NOT be combined with NSEC RRs from the parent
- zone.
-
- Note also that each of the two NSEC RRsets at a delegation point has
- a corresponding RRSIG RR with an owner name matching the delegated
- name, and each of these RRSIG RRs is authoritative data associated
- with the same zone that contains the corresponding NSEC RRset. If
- necessary, a resolver can tell these RRSIG RRs apart by checking the
- Signer's Name field.
-
-5.3.3 Checking the Signature
-
- Once the resolver has validated the RRSIG RR as described in Section
- 5.3.1 and reconstructed the original signed data as described in
- Section 5.3.2, the validator can attempt to use the cryptographic
- signature to authenticate the signed data, and thus (finally!)
- authenticate the RRset.
-
- The Algorithm field in the RRSIG RR identifies the cryptographic
- algorithm used to generate the signature. The signature itself is
- contained in the Signature field of the RRSIG RDATA, and the public
- key used to verify the signature is contained in the Public Key field
- of the matching DNSKEY RR(s) (found in Section 5.3.1).
- [I-D.ietf-dnsext-dnssec-records] provides a list of algorithm types
- and provides pointers to the documents that define each algorithm's
- use.
-
- Note that it is possible for more than one DNSKEY RR to match the
- conditions in Section 5.3.1. In this case, the validator can only
- determine which DNSKEY RR by trying each matching public key until
- the validator either succeeds in validating the signature or runs out
- of keys to try.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 30]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- If the Labels field of the RRSIG RR is not equal to the number of
- labels in the RRset's fully qualified owner name, then the RRset is
- either invalid or the result of wildcard expansion. The resolver
- MUST verify that wildcard expansion was applied properly before
- considering the RRset to be authentic. Section 5.3.4 describes how
- to determine whether a wildcard was applied properly.
-
- If other RRSIG RRs also cover this RRset, the local resolver security
- policy determines whether the resolver also needs to test these RRSIG
- RRs, and determines how to resolve conflicts if these RRSIG RRs lead
- to differing results.
-
- If the resolver accepts the RRset as authentic, the validator MUST
- set the TTL of the RRSIG RR and each RR in the authenticated RRset to
- a value no greater than the minimum of:
- o The RRset's TTL as received in the response;
- o The RRSIG RR's TTL as received in the response;
- o The value in the RRSIG RR's Original TTL field; and
- o The difference of the RRSIG RR's Signature Expiration time and the
- current time.
-
-5.3.4 Authenticating A Wildcard Expanded RRset Positive Response
-
- If the number of labels in an RRset's owner name is greater than the
- Labels field of the covering RRSIG RR, then the RRset and its
- covering RRSIG RR were created as a result of wildcard expansion.
- Once the validator has verified the signature as described in Section
- 5.3, it must take additional steps to verify the non-existence of an
- exact match or closer wildcard match for the query. Section 5.4
- discusses these steps.
-
- Note that the response received by the resolver should include all
- NSEC RRs needed to authenticate the response (see Section 3.1.3).
-
-5.4 Authenticated Denial of Existence
-
- A resolver can use authenticated NSEC RRs to prove that an RRset is
- not present in a signed zone. Security-aware name servers should
- automatically include any necessary NSEC RRs for signed zones in
- their responses to security-aware resolvers.
-
- Denial of existence is determined by the following rules:
- o If the requested RR name matches the owner name of an
- authenticated NSEC RR, then the NSEC RR's type bit map field lists
- all RR types present at that owner name, and a resolver can prove
- that the requested RR type does not exist by checking for the RR
- type in the bit map. If the number of labels in an authenticated
- NSEC RR's owner name equals the Labels field of the covering RRSIG
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 31]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- RR, then the existence of the NSEC RR proves that wildcard
- expansion could not have been used to match the request.
- o If the requested RR name would appear after an authenticated NSEC
- RR's owner name and before the name listed in that NSEC RR's Next
- Domain Name field according to the canonical DNS name order
- defined in [I-D.ietf-dnsext-dnssec-records], then no RRsets with
- the requested name exist in the zone. However, it is possible
- that a wildcard could be used to match the requested RR owner name
- and type, so proving that the requested RRset does not exist also
- requires proving that no possible wildcard RRset exists that could
- have been used to generate a positive response.
-
- In addition, security-aware resolvers MUST authenticate the NSEC
- RRsets that comprise the non-existence proof as described in Section
- 5.3.
-
- To prove non-existence of an RRset, the resolver must be able to
- verify both that the queried RRset does not exist and that no
- relevant wildcard RRset exists. Proving this may require more than
- one NSEC RRset from the zone. If the complete set of necessary NSEC
- RRsets is not present in a response (perhaps due to message
- truncation), then a security-aware resolver MUST resend the query in
- order to attempt to obtain the full collection of NSEC RRs necessary
- to verify non-existence of the requested RRset. As with all DNS
- operations, however, the resolver MUST bound the work it puts into
- answering any particular query.
-
- Since a validated NSEC RR proves the existence of both itself and its
- corresponding RRSIG RR, a validator MUST ignore the settings of the
- NSEC and RRSIG bits in an NSEC RR.
-
-5.5 Resolver Behavior When Signatures Do Not Validate
-
- If for whatever reason none of the RRSIGs can be validated, the
- response SHOULD be considered BAD. If the validation was being done
- to service a recursive query, the name server MUST return RCODE 2 to
- the originating client. However, it MUST return the full response if
- and only if the original query had the CD bit set. See also Section
- 4.7 on caching responses that do not validate.
-
-5.6 Authentication Example
-
- Appendix C shows an example the authentication process.
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 32]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-6. IANA Considerations
-
- [I-D.ietf-dnsext-dnssec-records] contains a review of the IANA
- considerations introduced by DNSSEC. The additional IANA
- considerations discussed in this document:
-
- [RFC2535] reserved the CD and AD bits in the message header. The
- meaning of the AD bit was redefined in [RFC3655] and the meaning of
- both the CD and AD bit are restated in this document. No new bits in
- the DNS message header are defined in this document.
-
- [RFC2671] introduced EDNS and [RFC3225] reserved the DNSSEC OK bit
- and defined its use. The use is restated but not altered in this
- document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 33]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-7. Security Considerations
-
- This document describes how the DNS security extensions use public
- key cryptography to sign and authenticate DNS resource record sets.
- Please see [I-D.ietf-dnsext-dnssec-intro] for terminology and general
- security considerations related to DNSSEC; see
- [I-D.ietf-dnsext-dnssec-intro] for considerations specific to the
- DNSSEC resource record types.
-
- An active attacker who can set the CD bit in a DNS query message or
- the AD bit in a DNS response message can use these bits to defeat the
- protection which DNSSEC attempts to provide to security-oblivious
- recursive-mode resolvers. For this reason, use of these control bits
- by a security-aware recursive-mode resolver requires a secure
- channel. See Section 3.2.2 and Section 4.9 for further discussion.
-
- The protocol described in this document attempts to extend the
- benefits of DNSSEC to security-oblivious stub resolvers. However,
- since recovery from validation failures is likely to be specific to
- particular applications, the facilities that DNSSEC provides for stub
- resolvers may prove inadequate. Operators of security-aware
- recursive name servers will need to pay close attention to the
- behavior of the applications which use their services when choosing a
- local validation policy; failure to do so could easily result in the
- recursive name server accidentally denying service to the clients it
- is intended to support.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 34]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-8. Acknowledgements
-
- This document was created from the input and ideas of the members of
- the DNS Extensions Working Group and working group mailing list. The
- editors would like to express their thanks for the comments and
- suggestions received during the revision of these security extension
- specifications. While explicitly listing everyone who has
- contributed during the decade during which DNSSEC has been under
- development would be an impossible task,
- [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the
- participants who were kind enough to comment on these documents.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 35]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-9. References
-
-9.1 Normative References
-
- [I-D.ietf-dnsext-dnssec-intro]
- Arends, R., Austein, R., Larson, M., Massey, D. and S.
- Rose, "DNS Security Introduction and Requirements",
- draft-ietf-dnsext-dnssec-intro-10 (work in progress), May
- 2004.
-
- [I-D.ietf-dnsext-dnssec-records]
- Arends, R., Austein, R., Larson, M., Massey, D. and S.
- Rose, "Resource Records for DNS Security Extensions",
- draft-ietf-dnsext-dnssec-records-08 (work in progress),
- May 2004.
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
- August 1996.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
- 2672, August 1999.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
- [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
- message size requirements", RFC 3226, December 2001.
-
-9.2 Informative References
-
- [I-D.ietf-dnsext-nsec-rdata]
- Schlyter, J., "DNSSEC NSEC RDATA Format",
- draft-ietf-dnsext-nsec-rdata-06 (work in progress), May
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 36]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- 2004.
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
- SIG(0)s)", RFC 2931, September 2000.
-
- [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
- Authenticated Data (AD) bit", RFC 3655, November 2003.
-
- [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
- (RR)", RFC 3658, December 2003.
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Drienerlolaan 5
- 7522 NB Enschede
- NL
-
- EMail: roy.arends@telin.nl
-
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: mlarson@verisign.com
-
-
- Rob Austein
- Internet Systems Consortium
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- EMail: sra@isc.org
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 37]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- Dan Massey
- USC Information Sciences Institute
- 3811 N. Fairfax Drive
- Arlington, VA 22203
- USA
-
- EMail: masseyd@isi.edu
-
-
- Scott Rose
- National Institute for Standards and Technology
- 100 Bureau Drive
- Gaithersburg, MD 20899-8920
- USA
-
- EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 38]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-Appendix A. Signed Zone Example
-
- The following example shows a (small) complete signed zone.
-
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- 3600 NS ns1.example.
- 3600 NS ns2.example.
- 3600 RRSIG NS 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
- EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
- 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
- RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
- 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
- 3600 MX 1 xx.example.
- 3600 RRSIG MX 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- HyDHYVT5KHSZ7HtO/vypumPmSZQrcOP3tzWB
- 2qaKkHVPfau/DgLgS/IKENkYOGL95G4N+NzE
- VyNU8dcTOckT+ChPcGeVjguQ7a3Ao9Z/ZkUO
- 6gmmUW4b89rz1PUxW4jzUxj66PTwoVtUU/iM
- W6OISukd1EQt7a0kygkg+PEDxdI= )
- 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
- 3600 RRSIG NSEC 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
- FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
- Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
- SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
- jfFJ5arXf4nPxp/kEowGgBRzY/U= )
- 3600 DNSKEY 256 3 5 (
- AQOy1bZVvpPqhg4j7EJoM9rI3ZmyEx2OzDBV
- rZy/lvI5CQePxXHZS4i8dANH4DX3tbHol61e
- k8EFMcsGXxKciJFHyhl94C+NwILQdzsUlSFo
- vBZsyl/NX6yEbtw/xN9ZNcrbYvgjjZ/UVPZI
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 39]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- ySFNsgEYvh0z2542lzMKR4Dh8uZffQ==
- )
- 3600 DNSKEY 257 3 5 (
- AQOeX7+baTmvpVHb2CcLnL1dMRWbuscRvHXl
- LnXwDzvqp4tZVKp1sZMepFb8MvxhhW3y/0QZ
- syCjczGJ1qk8vJe52iOhInKROVLRwxGpMfzP
- RLMlGybr51bOV/1se0ODacj3DomyB4QB5gKT
- Yot/K9alk5/j8vfd4jWCWD+E1Sze0Q==
- )
- 3600 RRSIG DNSKEY 5 1 3600 20040509183619 (
- 20040409183619 9465 example.
- ZxgauAuIj+k1YoVEOSlZfx41fcmKzTFHoweZ
- xYnz99JVQZJ33wFS0Q0jcP7VXKkaElXk9nYJ
- XevO/7nAbo88iWsMkSpSR6jWzYYKwfrBI/L9
- hjYmyVO9m6FjQ7uwM4dCP/bIuV/DKqOAK9NY
- NC3AHfvCV1Tp4VKDqxqG7R5tTVM= )
- 3600 RRSIG DNSKEY 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- eGL0s90glUqcOmloo/2y+bSzyEfKVOQViD9Z
- DNhLz/Yn9CQZlDVRJffACQDAUhXpU/oP34ri
- bKBpysRXosczFrKqS5Oa0bzMOfXCXup9qHAp
- eFIku28Vqfr8Nt7cigZLxjK+u0Ws/4lIRjKk
- 7z5OXogYVaFzHKillDt3HRxHIZM= )
- a.example. 3600 IN NS ns1.a.example.
- 3600 IN NS ns2.a.example.
- 3600 DS 57855 5 1 (
- B6DCD485719ADCA18E5F3D48A2331627FDD3
- 636B )
- 3600 RRSIG DS 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
- oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
- kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
- EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
- Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
- 3600 NSEC ai.example. NS DS RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- cOlYgqJLqlRqmBQ3iap2SyIsK4O5aqpKSoba
- U9fQ5SMApZmHfq3AgLflkrkXRXvgxTQSKkG2
- 039/cRUs6Jk/25+fi7Xr5nOVJsb0lq4zsB3I
- BBdjyGDAHE0F5ROJj87996vJupdm1fbH481g
- sdkOW6Zyqtz3Zos8N0BBkEx+2G4= )
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
- ai.example. 3600 IN A 192.0.2.9
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 40]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
- ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
- hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
- ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
- 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
- 3600 HINFO "KLH-10" "ITS"
- 3600 RRSIG HINFO 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- Iq/RGCbBdKzcYzlGE4ovbr5YcB+ezxbZ9W0l
- e/7WqyvhOO9J16HxhhL7VY/IKmTUY0GGdcfh
- ZEOCkf4lEykZF9NPok1/R/fWrtzNp8jobuY7
- AZEcZadp1WdDF3jc2/ndCa5XZhLKD3JzOsBw
- FvL8sqlS5QS6FY/ijFEDnI4RkZA= )
- 3600 AAAA 2001:db8::f00:baa9
- 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
- kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
- 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
- cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
- sZM6QjBBLmukH30+w1z3h8PUP2o= )
- 3600 NSEC b.example. A HINFO AAAA RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- QoshyPevLcJ/xcRpEtMft1uoIrcrieVcc9pG
- CScIn5Glnib40T6ayVOimXwdSTZ/8ISXGj4p
- P8Sh0PlA6olZQ84L453/BUqB8BpdOGky4hsN
- 3AGcLEv1Gr0QMvirQaFcjzOECfnGyBm+wpFL
- AhS+JOVfDI/79QtyTI0SaDWcg8U= )
- b.example. 3600 IN NS ns1.b.example.
- 3600 IN NS ns2.b.example.
- 3600 NSEC ns1.example. NS RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
- 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
- xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
- 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
- vhRXgWT7OuFXldoCG6TfVFMs9xE= )
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
- ns1.example. 3600 IN A 192.0.2.1
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
- 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
- im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
- +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 41]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- v/iVXSYC0b7mPSU+EOlknFpVECs= )
- 3600 NSEC ns2.example. A RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
- 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
- jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
- ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
- IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
- ns2.example. 3600 IN A 192.0.2.2
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
- Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
- yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
- 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
- rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
- 3600 NSEC *.w.example. A RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- N0QzHvaJf5NRw1rE9uxS1Ltb2LZ73Qb9bKGE
- VyaISkqzGpP3jYJXZJPVTq4UVEsgT3CgeHvb
- 3QbeJ5Dfb2V9NGCHj/OvF/LBxFFWwhLwzngH
- l+bQAgAcMsLu/nL3nDi1y/JSQjAcdZNDl4bw
- Ymx28EtgIpo9A0qmP08rMBqs1Jw= )
- *.w.example. 3600 IN MX 1 ai.example.
- 3600 RRSIG MX 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
- f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
- tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
- TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
- 4kX18MMR34i8lC36SR5xBni8vHI= )
- 3600 NSEC x.w.example. MX RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
- HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
- 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
- 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
- s1InQ2UoIv6tJEaaKkP701j8OLA= )
- x.w.example. 3600 IN MX 1 xx.example.
- 3600 RRSIG MX 5 3 3600 20040509183619 (
- 20040409183619 38519 example.
- Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
- XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
- H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
- kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 42]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
- 3600 NSEC x.y.w.example. MX RRSIG NSEC
- 3600 RRSIG NSEC 5 3 3600 20040509183619 (
- 20040409183619 38519 example.
- aRbpHftxggzgMXdDlym9SsADqMZovZZl2QWK
- vw8J0tZEUNQByH5Qfnf5N1FqH/pS46UA7A4E
- mcWBN9PUA1pdPY6RVeaRlZlCr1IkVctvbtaI
- NJuBba/VHm+pebTbKcAPIvL9tBOoh+to1h6e
- IjgiM8PXkBQtxPq37wDKALkyn7Q= )
- x.y.w.example. 3600 IN MX 1 xx.example.
- 3600 RRSIG MX 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- k2bJHbwP5LH5qN4is39UiPzjAWYmJA38Hhia
- t7i9t7nbX/e0FPnvDSQXzcK7UL+zrVA+3MDj
- q1ub4q3SZgcbLMgexxIW3Va//LVrxkP6Xupq
- GtOB9prkK54QTl/qZTXfMQpW480YOvVknhvb
- +gLcMZBnHJ326nb/TOOmrqNmQQE= )
- 3600 NSEC xx.example. MX RRSIG NSEC
- 3600 RRSIG NSEC 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
- ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
- xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
- a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
- QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
- xx.example. 3600 IN A 192.0.2.10
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
- 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
- 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
- VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
- kbIDV6GPPSZVusnZU6OMgdgzHV4= )
- 3600 HINFO "KLH-10" "TOPS-20"
- 3600 RRSIG HINFO 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GY2PLSXmMHkWHfLdggiox8+chWpeMNJLkML0
- t+U/SXSUsoUdR91KNdNUkTDWamwcF8oFRjhq
- BcPZ6EqrF+vl5v5oGuvSF7U52epfVTC+wWF8
- 3yCUeUw8YklhLWlvk8gQ15YKth0ITQy8/wI+
- RgNvuwbioFSEuv2pNlkq0goYxNY= )
- 3600 AAAA 2001:db8::f00:baaa
- 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
- aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
- ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
- U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 43]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- xS9cL2QgW7FChw16mzlkH6/vsfs= )
- 3600 NSEC example. A HINFO AAAA RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- ZFWUln6Avc8bmGl5GFjD3BwT530DUZKHNuoY
- 9A8lgXYyrxu+pqgFiRVbyZRQvVB5pccEOT3k
- mvHgEa/HzbDB4PIYY79W+VHrgOxzdQGGCZzi
- asXrpSGOWwSOElghPnMIi8xdF7qtCntr382W
- GghLahumFIpg4MO3LS/prgzVVWo= )
-
- The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA
- Flags indicate that each of these DNSKEY RRs is a zone key. One of
- these DNSKEY RRs also has the SEP flag set and has been used to sign
- the apex DNSKEY RRset; this is the key which should be hashed to
- generate a DS record to be inserted into the parent zone. The other
- DNSKEY is used to sign all the other RRsets in the zone.
-
- The zone includes a wildcard entry "*.w.example". Note that the name
- "*.w.example" is used in constructing NSEC chains, and that the RRSIG
- covering the "*.w.example" MX RRset has a label count of 2.
-
- The zone also includes two delegations. The delegation to
- "b.example" includes an NS RRset, glue address records, and an NSEC
- RR; note that only the NSEC RRset is signed. The delegation to
- "a.example" provides a DS RR; note that only the NSEC and DS RRsets
- are signed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 44]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-Appendix B. Example Responses
-
- The examples in this section show response messages using the signed
- zone example in Appendix A.
-
-B.1 Answer
-
- A successful query to an authoritative server.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- x.w.example. IN MX
-
- ;; Answer
- x.w.example. 3600 IN MX 1 xx.example.
- x.w.example. 3600 RRSIG MX 5 3 3600 20040509183619 (
- 20040409183619 38519 example.
- Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
- XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
- H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
- kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
- jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
-
- ;; Authority
- example. 3600 NS ns1.example.
- example. 3600 NS ns2.example.
- example. 3600 RRSIG NS 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
- EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
- 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
- RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
- 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
-
- ;; Additional
- xx.example. 3600 IN A 192.0.2.10
- xx.example. 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
- 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
- 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
- VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
- kbIDV6GPPSZVusnZU6OMgdgzHV4= )
- xx.example. 3600 AAAA 2001:db8::f00:baaa
- xx.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 45]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
- ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
- U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
- xS9cL2QgW7FChw16mzlkH6/vsfs= )
- ns1.example. 3600 IN A 192.0.2.1
- ns1.example. 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
- 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
- im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
- +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
- v/iVXSYC0b7mPSU+EOlknFpVECs= )
- ns2.example. 3600 IN A 192.0.2.2
- ns2.example. 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
- Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
- yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
- 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
- rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
-
-
-B.2 Name Error
-
- An authoritative name error. The NSEC RRs prove that the name does
- not exist and that no covering wildcard exists.
-
- ;; Header: QR AA DO RCODE=3
- ;;
- ;; Question
- ml.example. IN A
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 46]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- b.example. 3600 NSEC ns1.example. NS RRSIG NSEC
- b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
- 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
- xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
- 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
- vhRXgWT7OuFXldoCG6TfVFMs9xE= )
- example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
- example. 3600 RRSIG NSEC 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
- FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
- Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
- SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
- jfFJ5arXf4nPxp/kEowGgBRzY/U= )
-
- ;; Additional
- ;; (empty)
-
-
-B.3 No Data Error
-
- A "no data" response. The NSEC RR proves that the name exists and
- that the requested RR type does not.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 47]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- ns1.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- ns1.example. 3600 NSEC ns2.example. A RRSIG NSEC
- ns1.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
- 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
- jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
- ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
- IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
-
- ;; Additional
- ;; (empty)
-
-
-B.4 Referral to Signed Zone
-
- Referral to a signed zone. The DS RR contains the data which the
- resolver will need to validate the corresponding DNSKEY RR in the
- child zone's apex.
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 48]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- ;; Header: QR DO RCODE=0
- ;;
- ;; Question
- mc.a.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- a.example. 3600 IN NS ns1.a.example.
- a.example. 3600 IN NS ns2.a.example.
- a.example. 3600 DS 57855 5 1 (
- B6DCD485719ADCA18E5F3D48A2331627FDD3
- 636B )
- a.example. 3600 RRSIG DS 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
- oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
- kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
- EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
- Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
-
- ;; Additional
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
-
-
-B.5 Referral to Unsigned Zone
-
- Referral to an unsigned zone. The NSEC RR proves that no DS RR for
- this delegation exists in the parent zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 49]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- ;; Header: QR DO RCODE=0
- ;;
- ;; Question
- mc.b.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- b.example. 3600 IN NS ns1.b.example.
- b.example. 3600 IN NS ns2.b.example.
- b.example. 3600 NSEC ns1.example. NS RRSIG NSEC
- b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
- 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
- xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
- 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
- vhRXgWT7OuFXldoCG6TfVFMs9xE= )
-
- ;; Additional
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
-
-
-B.6 Wildcard Expansion
-
- A successful query which was answered via wildcard expansion. The
- label count in the answer's RRSIG RR indicates that a wildcard RRset
- was expanded to produce this response, and the NSEC RR proves that no
- closer match exists in the zone.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN MX
-
- ;; Answer
- a.z.w.example. 3600 IN MX 1 ai.example.
- a.z.w.example. 3600 RRSIG MX 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
- f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
- tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
- TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
- 4kX18MMR34i8lC36SR5xBni8vHI= )
-
- ;; Authority
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 50]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- example. 3600 NS ns1.example.
- example. 3600 NS ns2.example.
- example. 3600 RRSIG NS 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
- EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
- 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
- RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
- 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
- x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC
- x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
- ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
- xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
- a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
- QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
-
- ;; Additional
- ai.example. 3600 IN A 192.0.2.9
- ai.example. 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
- ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
- hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
- ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
- 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
- ai.example. 3600 AAAA 2001:db8::f00:baa9
- ai.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
- kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
- 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
- cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
- sZM6QjBBLmukH30+w1z3h8PUP2o= )
-
-
-B.7 Wildcard No Data Error
-
- A "no data" response for a name covered by a wildcard. The NSEC RRs
- prove that the matching wildcard name does not have any RRs of the
- requested type and that no closer match exists in the zone.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN AAAA
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 51]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC
- x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
- ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
- xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
- a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
- QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
- *.w.example. 3600 NSEC x.w.example. MX RRSIG NSEC
- *.w.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
- HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
- 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
- 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
- s1InQ2UoIv6tJEaaKkP701j8OLA= )
-
- ;; Additional
- ;; (empty)
-
-
-B.8 DS Child Zone No Data Error
-
- A "no data" response for a QTYPE=DS query which was mistakenly sent
- to a name server for the child zone.
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 52]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- example. IN DS
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
- example. 3600 RRSIG NSEC 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
- FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
- Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
- SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
- jfFJ5arXf4nPxp/kEowGgBRzY/U= )
-
- ;; Additional
- ;; (empty)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 53]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-Appendix C. Authentication Examples
-
- The examples in this section show how the response messages in
- Appendix B are authenticated.
-
-C.1 Authenticating An Answer
-
- The query in section Appendix B.1 returned an MX RRset for
- "x.w.example.com". The corresponding RRSIG indicates the MX RRset
- was signed by an "example" DNSKEY with algorithm 5 and key tag 38519.
- The resolver needs the corresponding DNSKEY RR in order to
- authenticate this answer. The discussion below describes how a
- resolver might obtain this DNSKEY RR.
-
- The RRSIG indicates the original TTL of the MX RRset was 3600 and,
- for the purpose of authentication, the current TTL is replaced by
- 3600. The RRSIG labels field value of 3 indicates the answer was not
- the result of wildcard expansion. The "x.w.example.com" MX RRset is
- placed in canonical form and, assuming the current time falls between
- the signature inception and expiration dates, the signature is
- authenticated.
-
-C.1.1 Authenticating the example DNSKEY RR
-
- This example shows the logical authentication process that starts
- from the a configured root DNSKEY (or DS RR) and moves down the tree
- to authenticate the desired "example" DNSKEY RR. Note the logical
- order is presented for clarity and an implementation may choose to
- construct the authentication as referrals are received or may choose
- to construct the authentication chain only after all RRsets have been
- obtained, or in any other combination it sees fit. The example here
- demonstrates only the logical process and does not dictate any
- implementation rules.
-
- We assume the resolver starts with an configured DNSKEY RR for the
- root zone (or a configured DS RR for the root zone). The resolver
- checks this configured DNSKEY RR is present in the root DNSKEY RRset
- (or the DS RR matches some DNSKEY in the root DNSKEY RRset), this
- DNSKEY RR has signed the root DNSKEY RRset and the signature lifetime
- is valid. If all these conditions are met, all keys in the DNSKEY
- RRset are considered authenticated. The resolver then uses one (or
- more) of the root DNSKEY RRs to authenticate the "example" DS RRset.
- Note the resolver may need to query the root zone to obtain the root
- DNSKEY RRset or "example" DS RRset.
-
- Once the DS RRset has been authenticated using the root DNSKEY, the
- resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
- RR that matches one of the authenticated "example" DS RRs. If such a
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 54]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- matching "example" DNSKEY is found, the resolver checks this DNSKEY
- RR has signed the "example" DNSKEY RRset and the signature lifetime
- is valid. If all these conditions are met, all keys in the "example"
- DNSKEY RRset are considered authenticated.
-
- Finally the resolver checks that some DNSKEY RR in the "example"
- DNSKEY RRset uses algorithm 5 and has a key tag of 38519. This
- DNSKEY is used to authenticated the RRSIG included in the response.
- If multiple "example" DNSKEY RRs match this algorithm and key tag,
- then each DNSKEY RR is tried and the answer is authenticated if any
- of the matching DNSKEY RRs validates the signature as described
- above.
-
-C.2 Name Error
-
- The query in section Appendix B.2 returned NSEC RRs that prove the
- requested data does not exist and no wildcard applies. The negative
- reply is authenticated by verifying both NSEC RRs. The NSEC RRs are
- authenticated in a manner identical to that of the MX RRset discussed
- above.
-
-C.3 No Data Error
-
- The query in section Appendix B.3 returned an NSEC RR that proves the
- requested name exists, but the requested RR type does not exist. The
- negative reply is authenticated by verifying the NSEC RR. The NSEC
- RR is authenticated in a manner identical to that of the MX RRset
- discussed above.
-
-C.4 Referral to Signed Zone
-
- The query in section Appendix B.4 returned a referral to the signed
- "a.example." zone. The DS RR is authenticated in a manner identical
- to that of the MX RRset discussed above. This DS RR is used to
- authenticate the "a.example" DNSKEY RRset.
-
- Once the "a.example" DS RRset has been authenticated using the
- "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
- for some "a.example" DNSKEY RR that matches the DS RR. If such a
- matching "a.example" DNSKEY is found, the resolver checks this DNSKEY
- RR has signed the "a.example" DNSKEY RRset and the signature lifetime
- is valid. If all these conditions are met, all keys in the
- "a.example" DNSKEY RRset are considered authenticated.
-
-C.5 Referral to Unsigned Zone
-
- The query in section Appendix B.5 returned a referral to an unsigned
- "b.example." zone. The NSEC proves that no authentication leads from
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 55]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
- "example" to "b.example" and the NSEC RR is authenticated in a manner
- identical to that of the MX RRset discussed above.
-
-C.6 Wildcard Expansion
-
- The query in section Appendix B.6 returned an answer that was
- produced as a result of wildcard expansion. The RRset expanded as
- the similar to The corresponding RRSIG indicates the MX RRset was
- signed by an "example" DNSKEY with algorithm 5 and key tag 38519.
- The RRSIG indicates the original TTL of the MX RRset was 3600 and,
- for the purpose of authentication, the current TTL is replaced by
- 3600. The RRSIG labels field value of 2 indicates the answer the
- result of wildcard expansion since the "a.z.w.example" name contains
- 4 labels. The name "a.z.w.w.example" is replaced by "*.w.example",
- the MX RRset is placed in canonical form and, assuming the current
- time falls between the signature inception and expiration dates, the
- signature is authenticated.
-
- The NSEC proves that no closer match (exact or closer wildcard) could
- have been used to answer this query and the NSEC RR must also be
- authenticated before the answer is considered valid.
-
-C.7 Wildcard No Data Error
-
- The query in section Appendix B.7 returned NSEC RRs that prove the
- requested data does not exist and no wildcard applies. The negative
- reply is authenticated by verifying both NSEC RRs.
-
-C.8 DS Child Zone No Data Error
-
- The query in section Appendix B.8 returned NSEC RRs that shows the
- requested was answered by a child server ("example" server). The
- NSEC RR indicates the presence of an SOA RR, showing the answer is
- from the child . Queries for the "example" DS RRset should be sent
- to the parent servers ("root" servers).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 56]
-
-Internet-Draft DNSSEC Protocol Modifications July 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 57]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt
deleted file mode 100644
index 79a17284357c..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt
+++ /dev/null
@@ -1,1849 +0,0 @@
-
-
-DNS Extensions R. Arends
-Internet-Draft Telematica Instituut
-Expires: January 13, 2005 R. Austein
- ISC
- M. Larson
- VeriSign
- D. Massey
- USC/ISI
- S. Rose
- NIST
- July 15, 2004
-
-
- Resource Records for the DNS Security Extensions
- draft-ietf-dnsext-dnssec-records-09
-
-Status of this Memo
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 13, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This document is part of a family of documents that describes the DNS
- Security Extensions (DNSSEC). The DNS Security Extensions are a
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 1]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- collection of resource records and protocol modifications that
- provide source authentication for the DNS. This document defines the
- public key (DNSKEY), delegation signer (DS), resource record digital
- signature (RRSIG), and authenticated denial of existence (NSEC)
- resource records. The purpose and format of each resource record is
- described in detail, and an example of each resource record is given.
-
- This document obsoletes RFC 2535 and incorporates changes from all
- updates to RFC 2535.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1 Background and Related Documents . . . . . . . . . . . . . 4
- 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
- 2. The DNSKEY Resource Record . . . . . . . . . . . . . . . . . . 5
- 2.1 DNSKEY RDATA Wire Format . . . . . . . . . . . . . . . . . 5
- 2.1.1 The Flags Field . . . . . . . . . . . . . . . . . . . 5
- 2.1.2 The Protocol Field . . . . . . . . . . . . . . . . . . 6
- 2.1.3 The Algorithm Field . . . . . . . . . . . . . . . . . 6
- 2.1.4 The Public Key Field . . . . . . . . . . . . . . . . . 6
- 2.1.5 Notes on DNSKEY RDATA Design . . . . . . . . . . . . . 6
- 2.2 The DNSKEY RR Presentation Format . . . . . . . . . . . . 6
- 2.3 DNSKEY RR Example . . . . . . . . . . . . . . . . . . . . 7
- 3. The RRSIG Resource Record . . . . . . . . . . . . . . . . . . 8
- 3.1 RRSIG RDATA Wire Format . . . . . . . . . . . . . . . . . 8
- 3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . 9
- 3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . 9
- 3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . 9
- 3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . 10
- 3.1.5 Signature Expiration and Inception Fields . . . . . . 10
- 3.1.6 The Key Tag Field . . . . . . . . . . . . . . . . . . 10
- 3.1.7 The Signer's Name Field . . . . . . . . . . . . . . . 11
- 3.1.8 The Signature Field . . . . . . . . . . . . . . . . . 11
- 3.2 The RRSIG RR Presentation Format . . . . . . . . . . . . . 12
- 3.3 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . 12
- 4. The NSEC Resource Record . . . . . . . . . . . . . . . . . . . 14
- 4.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . 14
- 4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . 14
- 4.1.2 The Type Bit Maps Field . . . . . . . . . . . . . . . 15
- 4.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . 16
- 4.2 The NSEC RR Presentation Format . . . . . . . . . . . . . 16
- 4.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . 16
- 5. The DS Resource Record . . . . . . . . . . . . . . . . . . . . 18
- 5.1 DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . 18
- 5.1.1 The Key Tag Field . . . . . . . . . . . . . . . . . . 19
- 5.1.2 The Algorithm Field . . . . . . . . . . . . . . . . . 19
- 5.1.3 The Digest Type Field . . . . . . . . . . . . . . . . 19
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 2]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- 5.1.4 The Digest Field . . . . . . . . . . . . . . . . . . . 19
- 5.2 Processing of DS RRs When Validating Responses . . . . . . 19
- 5.3 The DS RR Presentation Format . . . . . . . . . . . . . . 20
- 5.4 DS RR Example . . . . . . . . . . . . . . . . . . . . . . 20
- 6. Canonical Form and Order of Resource Records . . . . . . . . . 21
- 6.1 Canonical DNS Name Order . . . . . . . . . . . . . . . . . 21
- 6.2 Canonical RR Form . . . . . . . . . . . . . . . . . . . . 21
- 6.3 Canonical RR Ordering Within An RRset . . . . . . . . . . 22
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
- 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24
- 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
- 10.1 Normative References . . . . . . . . . . . . . . . . . . . . 26
- 10.2 Informative References . . . . . . . . . . . . . . . . . . . 27
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 27
- A. DNSSEC Algorithm and Digest Types . . . . . . . . . . . . . . 29
- A.1 DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . 29
- A.1.1 Private Algorithm Types . . . . . . . . . . . . . . . 29
- A.2 DNSSEC Digest Types . . . . . . . . . . . . . . . . . . . 30
- B. Key Tag Calculation . . . . . . . . . . . . . . . . . . . . . 31
- B.1 Key Tag for Algorithm 1 (RSA/MD5) . . . . . . . . . . . . 32
- Intellectual Property and Copyright Statements . . . . . . . . 33
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 3]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-1. Introduction
-
- The DNS Security Extensions (DNSSEC) introduce four new DNS resource
- record types: DNSKEY, RRSIG, NSEC, and DS. This document defines the
- purpose of each resource record (RR), the RR's RDATA format, and its
- presentation format (ASCII representation).
-
-1.1 Background and Related Documents
-
- The reader is assumed to be familiar with the basic DNS concepts
- described in [RFC1034], [RFC1035] and subsequent RFCs that update
- them: [RFC2136], [RFC2181] and [RFC2308].
-
- This document is part of a family of documents that define the DNS
- security extensions. The DNS security extensions (DNSSEC) are a
- collection of resource records and DNS protocol modifications that
- add source authentication and data integrity to the Domain Name
- System (DNS). An introduction to DNSSEC and definitions of common
- terms can be found in [I-D.ietf-dnsext-dnssec-intro]; the reader is
- assumed to be familiar with this document. A description of DNS
- protocol modifications can be found in
- [I-D.ietf-dnsext-dnssec-protocol].
-
- This document defines the DNSSEC resource records.
-
-1.2 Reserved Words
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 4]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-2. The DNSKEY Resource Record
-
- DNSSEC uses public key cryptography to sign and authenticate DNS
- resource record sets (RRsets). The public keys are stored in DNSKEY
- resource records and are used in the DNSSEC authentication process
- described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its
- authoritative RRsets using a private key and stores the corresponding
- public key in a DNSKEY RR. A resolver can then use the public key to
- authenticate signatures covering the RRsets in the zone.
-
- The DNSKEY RR is not intended as a record for storing arbitrary
- public keys and MUST NOT be used to store certificates or public keys
- that do not directly relate to the DNS infrastructure.
-
- The Type value for the DNSKEY RR type is 48.
-
- The DNSKEY RR is class independent.
-
- The DNSKEY RR has no special TTL requirements.
-
-2.1 DNSKEY RDATA Wire Format
-
- The RDATA for a DNSKEY RR consists of a 2 octet Flags Field, a 1
- octet Protocol Field, a 1 octet Algorithm Field, and the Public Key
- Field.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Flags | Protocol | Algorithm |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / /
- / Public Key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
-2.1.1 The Flags Field
-
- Bit 7 of the Flags field is the Zone Key flag. If bit 7 has value 1,
- then the DNSKEY record holds a DNS zone key and the DNSKEY RR's owner
- name MUST be the name of a zone. If bit 7 has value 0, then the
- DNSKEY record holds some other type of DNS public key and MUST NOT be
- used to verify RRSIGs that cover RRsets.
-
- Bit 15 of the Flags field is the Secure Entry Point flag, described
- in [RFC3757]. If bit 15 has value 1, then the DNSKEY record holds a
- key intended for use as a secure entry point. This flag is only
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 5]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- intended to be to a hint to zone signing or debugging software as to
- the intended use of this DNSKEY record; validators MUST NOT alter
- their behavior during the signature validation process in any way
- based on the setting of this bit. This also means a DNSKEY RR with
- the SEP bit set would also need the Zone Key flag set in order to
- legally be able to generate signatures. A DNSKEY RR with the SEP set
- and the Zone Key flag not set MUST NOT be used to verify RRSIGs that
- cover RRsets.
-
- Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon
- creation of the DNSKEY RR, and MUST be ignored upon reception.
-
-2.1.2 The Protocol Field
-
- The Protocol Field MUST have value 3 and the DNSKEY RR MUST be
- treated as invalid during signature verification if found to be some
- value other than 3.
-
-2.1.3 The Algorithm Field
-
- The Algorithm field identifies the public key's cryptographic
- algorithm and determines the format of the Public Key field. A list
- of DNSSEC algorithm types can be found in Appendix A.1
-
-2.1.4 The Public Key Field
-
- The Public Key Field holds the public key material. The format
- depends on the algorithm of the key being stored and are described in
- separate documents.
-
-2.1.5 Notes on DNSKEY RDATA Design
-
- Although the Protocol Field always has value 3, it is retained for
- backward compatibility with early versions of the KEY record.
-
-2.2 The DNSKEY RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Flag field MUST be represented as an unsigned decimal integer.
- Given the currently defined flags, the possible values are: 0, 256,
- or 257.
-
- The Protocol Field MUST be represented as an unsigned decimal integer
- with a value of 3.
-
- The Algorithm field MUST be represented either as an unsigned decimal
- integer or as an algorithm mnemonic as specified in Appendix A.1.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 6]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- The Public Key field MUST be represented as a Base64 encoding of the
- Public Key. Whitespace is allowed within the Base64 text. For a
- definition of Base64 encoding, see [RFC3548].
-
-2.3 DNSKEY RR Example
-
- The following DNSKEY RR stores a DNS zone key for example.com.
-
- example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3
- Cbl+BBZH4b/0PY1kxkmvHjcZc8no
- kfzj31GajIQKY+5CptLr3buXA10h
- WqTkF7H6RfoRqXQeogmMHfpftf6z
- Mv1LyBUgia7za6ZEzOJBOztyvhjL
- 742iU/TpPSEDhm2SNKLijfUppn1U
- aNvv4w== )
-
- The first four text fields specify the owner name, TTL, Class, and RR
- type (DNSKEY). Value 256 indicates that the Zone Key bit (bit 7) in
- the Flags field has value 1. Value 3 is the fixed Protocol value.
- Value 5 indicates the public key algorithm. Appendix A.1 identifies
- algorithm type 5 as RSA/SHA1 and indicates that the format of the
- RSA/SHA1 public key field is defined in [RFC3110]. The remaining
- text is a Base64 encoding of the public key.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 7]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-3. The RRSIG Resource Record
-
- DNSSEC uses public key cryptography to sign and authenticate DNS
- resource record sets (RRsets). Digital signatures are stored in
- RRSIG resource records and are used in the DNSSEC authentication
- process described in [I-D.ietf-dnsext-dnssec-protocol]. A validator
- can use these RRSIG RRs to authenticate RRsets from the zone. The
- RRSIG RR MUST only be used to carry verification material (digital
- signatures) used to secure DNS operations.
-
- An RRSIG record contains the signature for an RRset with a particular
- name, class, and type. The RRSIG RR specifies a validity interval
- for the signature and uses the Algorithm, the Signer's Name, and the
- Key Tag to identify the DNSKEY RR containing the public key that a
- validator can use to verify the signature.
-
- Because every authoritative RRset in a zone must be protected by a
- digital signature, RRSIG RRs must be present for names containing a
- CNAME RR. This is a change to the traditional DNS specification
- [RFC1034] that stated that if a CNAME is present for a name, it is
- the only type allowed at that name. A RRSIG and NSEC (see Section 4)
- MUST exist for the same name as a CNAME resource record in a signed
- zone.
-
- The Type value for the RRSIG RR type is 46.
-
- The RRSIG RR is class independent.
-
- An RRSIG RR MUST have the same class as the RRset it covers.
-
- The TTL value of an RRSIG RR MUST match the TTL value of the RRset it
- covers. This is an exception to the [RFC2181] rules for TTL values
- of individual RRs within a RRset: individual RRSIG with the same
- owner name will have different TTL values if the RRsets they cover
- have different TTL values.
-
-3.1 RRSIG RDATA Wire Format
-
- The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a
- 1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original
- TTL field, a 4 octet Signature Expiration field, a 4 octet Signature
- Inception field, a 2 octet Key tag, the Signer's Name field, and the
- Signature field.
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 8]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Type Covered | Algorithm | Labels |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Original TTL |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Signature Expiration |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Signature Inception |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Key Tag | /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Signer's Name /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / /
- / Signature /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
-3.1.1 The Type Covered Field
-
- The Type Covered field identifies the type of the RRset that is
- covered by this RRSIG record.
-
-3.1.2 The Algorithm Number Field
-
- The Algorithm Number field identifies the cryptographic algorithm
- used to create the signature. A list of DNSSEC algorithm types can
- be found in Appendix A.1
-
-3.1.3 The Labels Field
-
- The Labels field specifies the number of labels in the original RRSIG
- RR owner name. The significance of this field is that a validator
- uses it to determine if the answer was synthesized from a wildcard.
- If so, it can be used to determine what owner name was used in
- generating the signature.
-
- To validate a signature, the validator needs the original owner name
- that was used to create the signature. If the original owner name
- contains a wildcard label ("*"), the owner name may have been
- expanded by the server during the response process, in which case the
- validator will need to reconstruct the original owner name in order
- to validate the signature. [I-D.ietf-dnsext-dnssec-protocol]
- describes how to use the Labels field to reconstruct the original
- owner name.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 9]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- The value of the Labels field MUST NOT count either the null (root)
- label that terminates the owner name or the wildcard label (if
- present). The value of the Labels field MUST be less than or equal
- to the number of labels in the RRSIG owner name. For example,
- "www.example.com." has a Labels field value of 3, and
- "*.example.com." has a Labels field value of 2. Root (".") has a
- Labels field value of 0.
-
- Although the wildcard label is not included in the count stored in
- the Labels field of the RRSIG RR, the wildcard label is part of the
- RRset's owner name when generating or verifying the signature.
-
-3.1.4 Original TTL Field
-
- The Original TTL field specifies the TTL of the covered RRset as it
- appears in the authoritative zone.
-
- The Original TTL field is necessary because a caching resolver
- decrements the TTL value of a cached RRset. In order to validate a
- signature, a validator requires the original TTL.
- [I-D.ietf-dnsext-dnssec-protocol] describes how to use the Original
- TTL field value to reconstruct the original TTL.
-
-3.1.5 Signature Expiration and Inception Fields
-
- The Signature Expiration and Inception fields specify a validity
- period for the signature. The RRSIG record MUST NOT be used for
- authentication prior to the inception date and MUST NOT be used for
- authentication after the expiration date.
-
- Signature Expiration and Inception field values are in POSIX.1 time
- format: a 32-bit unsigned number of seconds elapsed since 1 January
- 1970 00:00:00 UTC, ignoring leap seconds, in network byte order. The
- longest interval which can be expressed by this format without
- wrapping is approximately 136 years. An RRSIG RR can have an
- Expiration field value which is numerically smaller than the
- Inception field value if the expiration field value is near the
- 32-bit wrap-around point or if the signature is long lived. Because
- of this, all comparisons involving these fields MUST use "Serial
- number arithmetic" as defined in [RFC1982]. As a direct consequence,
- the values contained in these fields cannot refer to dates more than
- 68 years in either the past or the future.
-
-3.1.6 The Key Tag Field
-
- The Key Tag field contains the key tag value of the DNSKEY RR that
- validates this signature, in network byte order. Appendix B explains
- how to calculate Key Tag values.
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 10]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-3.1.7 The Signer's Name Field
-
- The Signer's Name field value identifies the owner name of the DNSKEY
- RR which a validator is supposed to use to validate this signature.
- The Signer's Name field MUST contain the name of the zone of the
- covered RRset. A sender MUST NOT use DNS name compression on the
- Signer's Name field when transmitting a RRSIG RR.
-
-3.1.8 The Signature Field
-
- The Signature field contains the cryptographic signature that covers
- the RRSIG RDATA (excluding the Signature field) and the RRset
- specified by the RRSIG owner name, RRSIG class, and RRSIG Type
- Covered field. The format of this field depends on the algorithm in
- use and these formats are described in separate companion documents.
-
-3.1.8.1 Signature Calculation
-
- A signature covers the RRSIG RDATA (excluding the Signature Field)
- and covers the data RRset specified by the RRSIG owner name, RRSIG
- class, and RRSIG Type Covered fields. The RRset is in canonical form
- (see Section 6) and the set RR(1),...RR(n) is signed as follows:
-
- signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where
-
- "|" denotes concatenation;
-
- RRSIG_RDATA is the wire format of the RRSIG RDATA fields
- with the Signer's Name field in canonical form and
- the Signature field excluded;
-
- RR(i) = owner | type | class | TTL | RDATA length | RDATA
-
- "owner" is the fully qualified owner name of the RRset in
- canonical form (for RRs with wildcard owner names, the
- wildcard label is included in the owner name);
-
- Each RR MUST have the same owner name as the RRSIG RR;
-
- Each RR MUST have the same class as the RRSIG RR;
-
- Each RR in the RRset MUST have the RR type listed in the
- RRSIG RR's Type Covered field;
-
- Each RR in the RRset MUST have the TTL listed in the
- RRSIG Original TTL Field;
-
- Any DNS names in the RDATA field of each RR MUST be in
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 11]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- canonical form; and
-
- The RRset MUST be sorted in canonical order.
-
- See Section 6.2 and Section 6.3 for details on canonical form and
- ordering of RRsets.
-
-3.2 The RRSIG RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Type Covered field is represented as a RR type mnemonic. When
- the mnemonic is not known, the TYPE representation as described in
- [RFC3597] (section 5) MUST be used.
-
- The Algorithm field value MUST be represented either as an unsigned
- decimal integer or as an algorithm mnemonic as specified in Appendix
- A.1.
-
- The Labels field value MUST be represented as an unsigned decimal
- integer.
-
- The Original TTL field value MUST be represented as an unsigned
- decimal integer.
-
- The Signature Expiration Time and Inception Time field values MUST be
- represented either as seconds since 1 January 1970 00:00:00 UTC or in
- the form YYYYMMDDHHmmSS in UTC, where:
- YYYY is the year (0001-9999, but see Section 3.1.5);
- MM is the month number (01-12);
- DD is the day of the month (01-31);
- HH is the hour in 24 hours notation (00-23);
- mm is the minute (00-59); and
- SS is the second (00-59).
-
- The Key Tag field MUST be represented as an unsigned decimal integer.
-
- The Signer's Name field value MUST be represented as a domain name.
-
- The Signature field is represented as a Base64 encoding of the
- signature. Whitespace is allowed within the Base64 text. See
- Section 2.2.
-
-3.3 RRSIG RR Example
-
- The following RRSIG RR stores the signature for the A RRset of
- host.example.com:
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 12]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
- 20030220173103 2642 example.com.
- oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
- PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
- B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
- GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG
- J5D6fwFm8nN+6pBzeDQfsS3Ap3o= )
-
- The first four fields specify the owner name, TTL, Class, and RR type
- (RRSIG). The "A" represents the Type Covered field. The value 5
- identifies the algorithm used (RSA/SHA1) to create the signature.
- The value 3 is the number of Labels in the original owner name. The
- value 86400 in the RRSIG RDATA is the Original TTL for the covered A
- RRset. 20030322173103 and 20030220173103 are the expiration and
- inception dates, respectively. 2642 is the Key Tag, and example.com.
- is the Signer's Name. The remaining text is a Base64 encoding of the
- signature.
-
- Note that combination of RRSIG RR owner name, class, and Type Covered
- indicate that this RRSIG covers the "host.example.com" A RRset. The
- Label value of 3 indicates that no wildcard expansion was used. The
- Algorithm, Signer's Name, and Key Tag indicate this signature can be
- authenticated using an example.com zone DNSKEY RR whose algorithm is
- 5 and key tag is 2642.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 13]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-4. The NSEC Resource Record
-
- The NSEC resource record lists two separate things: the next owner
- name (in the canonical ordering of the zone) which contains
- authoritative data or a delegation point NS RRset, and the set of RR
- types present at the NSEC RR's owner name. The complete set of NSEC
- RRs in a zone both indicate which authoritative RRsets exist in a
- zone and also form a chain of authoritative owner names in the zone.
- This information is used to provide authenticated denial of existence
- for DNS data, as described in [I-D.ietf-dnsext-dnssec-protocol].
-
- Because every authoritative name in a zone must be part of the NSEC
- chain, NSEC RRs must be present for names containing a CNAME RR.
- This is a change to the traditional DNS specification [RFC1034] that
- stated that if a CNAME is present for a name, it is the only type
- allowed at that name. An RRSIG (see Section 3) and NSEC MUST exist
- for the same name as a CNAME resource record in a signed zone.
-
- See [I-D.ietf-dnsext-dnssec-protocol] for discussion of how a zone
- signer determines precisely which NSEC RRs it needs to include in a
- zone.
-
- The type value for the NSEC RR is 47.
-
- The NSEC RR is class independent.
-
- The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
- field. This is in the spirit of negative caching [RFC2308].
-
-4.1 NSEC RDATA Wire Format
-
- The RDATA of the NSEC RR is as shown below:
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Next Domain Name /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Type Bit Maps /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
-4.1.1 The Next Domain Name Field
-
- The Next Domain field contains the next owner name (in the canonical
- ordering of the zone) which has authoritative data or contains a
- delegation point NS RRset; see Section 6.1 for an explanation of
- canonical ordering. The value of the Next Domain Name field in the
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 14]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- last NSEC record in the zone is the name of the zone apex (the owner
- name of the zone's SOA RR). This indicates that the owner name of
- the NSEC RR is the last name in the canonical ordering of the zone.
-
- A sender MUST NOT use DNS name compression on the Next Domain Name
- field when transmitting an NSEC RR.
-
- Owner names of RRsets not authoritative for the given zone (such as
- glue records) MUST NOT be listed in the Next Domain Name unless at
- least one authoritative RRset exists at the same owner name.
-
-4.1.2 The Type Bit Maps Field
-
- The Type Bit Maps field identifies the RRset types which exist at the
- NSEC RR's owner name.
-
- The RR type space is split into 256 window blocks, each representing
- the low-order 8 bits of the 16-bit RR type space. Each block that
- has at least one active RR type is encoded using a single octet
- window number (from 0 to 255), a single octet bitmap length (from 1
- to 32) indicating the number of octets used for the window block's
- bitmap, and up to 32 octets (256 bits) of bitmap.
-
- Blocks are present in the NSEC RR RDATA in increasing numerical
- order.
-
- Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
-
- where "|" denotes concatenation.
-
- Each bitmap encodes the low-order 8 bits of RR types within the
- window block, in network bit order. The first bit is bit 0. For
- window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
- to RR type 2 (NS), and so forth. For window block 1, bit 1
- corresponds to RR type 257, bit 2 to RR type 258. If a bit is set,
- it indicates that an RRset of that type is present for the NSEC RR's
- owner name. If a bit is clear, it indicates that no RRset of that
- type is present for the NSEC RR's owner name.
-
- Bits representing pseudo-types MUST be clear, since they do not
- appear in zone data. If encountered, they MUST be ignored upon
- reading.
-
- Blocks with no types present MUST NOT be included. Trailing zero
- octets in the bitmap MUST be omitted. The length of each block's
- bitmap is determined by the type code with the largest numerical
- value, within that block, among the set of RR types present at the
- NSEC RR's owner name. Trailing zero octets not specified MUST be
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 15]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- interpreted as zero octets.
-
- The bitmap for the NSEC RR at a delegation point requires special
- attention. Bits corresponding to the delegation NS RRset and the RR
- types for which the parent zone has authoritative data MUST be set;
- bits corresponding to any non-NS RRset for which the parent is not
- authoritative MUST be clear.
-
- A zone MUST NOT include an NSEC RR for any domain name that only
- holds glue records.
-
-4.1.3 Inclusion of Wildcard Names in NSEC RDATA
-
- If a wildcard owner name appears in a zone, the wildcard label ("*")
- is treated as a literal symbol and is treated the same as any other
- owner name for purposes of generating NSEC RRs. Wildcard owner names
- appear in the Next Domain Name field without any wildcard expansion.
- [I-D.ietf-dnsext-dnssec-protocol] describes the impact of wildcards
- on authenticated denial of existence.
-
-4.2 The NSEC RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Next Domain Name field is represented as a domain name.
-
- The Type Bit Maps field is represented as a sequence of RR type
- mnemonics. When the mnemonic is not known, the TYPE representation
- as described in [RFC3597] (section 5) MUST be used.
-
-4.3 NSEC RR Example
-
- The following NSEC RR identifies the RRsets associated with
- alfa.example.com. and identifies the next authoritative name after
- alfa.example.com.
-
- alfa.example.com. 86400 IN NSEC host.example.com. (
- A MX RRSIG NSEC TYPE1234 )
-
- The first four text fields specify the name, TTL, Class, and RR type
- (NSEC). The entry host.example.com. is the next authoritative name
- after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC,
- and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and
- TYPE1234 RRsets associated with the name alfa.example.com.
-
- The RDATA section of the NSEC RR above would be encoded as:
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 16]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- 0x04 'h' 'o' 's' 't'
- 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e'
- 0x03 'c' 'o' 'm' 0x00
- 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
- 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x20
-
- Assuming that the validator can authenticate this NSEC record, it
- could be used to prove that beta.example.com does not exist, or could
- be used to prove there is no AAAA record associated with
- alfa.example.com. Authenticated denial of existence is discussed in
- [I-D.ietf-dnsext-dnssec-protocol].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 17]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-5. The DS Resource Record
-
- The DS Resource Record refers to a DNSKEY RR and is used in the DNS
- DNSKEY authentication process. A DS RR refers to a DNSKEY RR by
- storing the key tag, algorithm number, and a digest of the DNSKEY RR.
- Note that while the digest should be sufficient to identify the
- public key, storing the key tag and key algorithm helps make the
- identification process more efficient. By authenticating the DS
- record, a resolver can authenticate the DNSKEY RR to which the DS
- record points. The key authentication process is described in
- [I-D.ietf-dnsext-dnssec-protocol].
-
- The DS RR and its corresponding DNSKEY RR have the same owner name,
- but they are stored in different locations. The DS RR appears only
- on the upper (parental) side of a delegation, and is authoritative
- data in the parent zone. For example, the DS RR for "example.com" is
- stored in the "com" zone (the parent zone) rather than in the
- "example.com" zone (the child zone). The corresponding DNSKEY RR is
- stored in the "example.com" zone (the child zone). This simplifies
- DNS zone management and zone signing, but introduces special response
- processing requirements for the DS RR; these are described in
- [I-D.ietf-dnsext-dnssec-protocol].
-
- The type number for the DS record is 43.
-
- The DS resource record is class independent.
-
- The DS RR has no special TTL requirements.
-
-5.1 DS RDATA Wire Format
-
- The RDATA for a DS RR consists of a 2 octet Key Tag field, a one
- octet Algorithm field, a one octet Digest Type field, and a Digest
- field.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Key Tag | Algorithm | Digest Type |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / /
- / Digest /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 18]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-5.1.1 The Key Tag Field
-
- The Key Tag field lists the key tag of the DNSKEY RR referred to by
- the DS record, in network byte order.
-
- The Key Tag used by the DS RR is identical to the Key Tag used by
- RRSIG RRs. Appendix B describes how to compute a Key Tag.
-
-5.1.2 The Algorithm Field
-
- The Algorithm field lists the algorithm number of the DNSKEY RR
- referred to by the DS record.
-
- The algorithm number used by the DS RR is identical to the algorithm
- number used by RRSIG and DNSKEY RRs. Appendix A.1 lists the
- algorithm number types.
-
-5.1.3 The Digest Type Field
-
- The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY
- RR. The Digest Type field identifies the algorithm used to construct
- the digest. Appendix A.2 lists the possible digest algorithm types.
-
-5.1.4 The Digest Field
-
- The DS record refers to a DNSKEY RR by including a digest of that
- DNSKEY RR.
-
- The digest is calculated by concatenating the canonical form of the
- fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
- and then applying the digest algorithm.
-
- digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
-
- "|" denotes concatenation
-
- DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
-
-
- The size of the digest may vary depending on the digest algorithm and
- DNSKEY RR size. As of the time of writing, the only defined digest
- algorithm is SHA-1, which produces a 20 octet digest.
-
-5.2 Processing of DS RRs When Validating Responses
-
- The DS RR links the authentication chain across zone boundaries, so
- the DS RR requires extra care in processing. The DNSKEY RR referred
- to in the DS RR MUST be a DNSSEC zone key. The DNSKEY RR Flags MUST
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 19]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- have Flags bit 7 set. If the DNSKEY flags do not indicate a DNSSEC
- zone key, the DS RR (and DNSKEY RR it references) MUST NOT be used in
- the validation process.
-
-5.3 The DS RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Key Tag field MUST be represented as an unsigned decimal integer.
-
- The Algorithm field MUST be represented either as an unsigned decimal
- integer or as an algorithm mnemonic specified in Appendix A.1.
-
- The Digest Type field MUST be represented as an unsigned decimal
- integer.
-
- The Digest MUST be represented as a sequence of case-insensitive
- hexadecimal digits. Whitespace is allowed within the hexadecimal
- text.
-
-5.4 DS RR Example
-
- The following example shows a DNSKEY RR and its corresponding DS RR.
-
- dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
- fwJr1AYtsmx3TGkJaNXVbfi/
- 2pHm822aJ5iI9BMzNXxeYCmZ
- DRD99WYwYqUSdjMmmAphXdvx
- egXd/M5+X7OrzKBaMbCVdFLU
- Uh6DhweJBjEVv5f2wwjM9Xzc
- nOf+EPbtG9DMBmADjFDc2w/r
- ljwvFw==
- ) ; key id = 60485
-
- dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
- 98631FAD1A292118 )
-
-
- The first four text fields specify the name, TTL, Class, and RR type
- (DS). Value 60485 is the key tag for the corresponding
- "dskey.example.com." DNSKEY RR, and value 5 denotes the algorithm
- used by this "dskey.example.com." DNSKEY RR. The value 1 is the
- algorithm used to construct the digest, and the rest of the RDATA
- text is the digest in hexadecimal.
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 20]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-6. Canonical Form and Order of Resource Records
-
- This section defines a canonical form for resource records, a
- canonical ordering of DNS names, and a canonical ordering of resource
- records within an RRset. A canonical name order is required to
- construct the NSEC name chain. A canonical RR form and ordering
- within an RRset are required to construct and verify RRSIG RRs.
-
-6.1 Canonical DNS Name Order
-
- For purposes of DNS security, owner names are ordered by treating
- individual labels as unsigned left-justified octet strings. The
- absence of a octet sorts before a zero value octet, and upper case
- US-ASCII letters are treated as if they were lower case US-ASCII
- letters.
-
- To compute the canonical ordering of a set of DNS names, start by
- sorting the names according to their most significant (rightmost)
- labels. For names in which the most significant label is identical,
- continue sorting according to their next most significant label, and
- so forth.
-
- For example, the following names are sorted in canonical DNS name
- order. The most significant label is "example". At this level,
- "example" sorts first, followed by names ending in "a.example", then
- names ending "z.example". The names within each level are sorted in
- the same way.
-
- example
- a.example
- yljkjljk.a.example
- Z.a.example
- zABC.a.EXAMPLE
- z.example
- \001.z.example
- *.z.example
- \200.z.example
-
-
-6.2 Canonical RR Form
-
- For purposes of DNS security, the canonical form of an RR is the wire
- format of the RR where:
- 1. Every domain name in the RR is fully expanded (no DNS name
- compression) and fully qualified;
- 2. All uppercase US-ASCII letters in the owner name of the RR are
- replaced by the corresponding lowercase US-ASCII letters;
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 21]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- 3. If the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
- HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
- SRV, DNAME, A6, RRSIG or NSEC, all uppercase US-ASCII letters in
- the DNS names contained within the RDATA are replaced by the
- corresponding lowercase US-ASCII letters;
- 4. If the owner name of the RR is a wildcard name, the owner name is
- in its original unexpanded form, including the "*" label (no
- wildcard substitution); and
- 5. The RR's TTL is set to its original value as it appears in the
- originating authoritative zone or the Original TTL field of the
- covering RRSIG RR.
-
-6.3 Canonical RR Ordering Within An RRset
-
- For purposes of DNS security, RRs with the same owner name, class,
- and type are sorted by treating the RDATA portion of the canonical
- form of each RR as a left-justified unsigned octet sequence where the
- absence of an octet sorts before a zero octet.
-
- [RFC2181] specifies that an RRset is not allowed to contain duplicate
- records (multiple RRs with the same owner name, class, type, and
- RDATA). Therefore, if an implementation detects duplicate RRs when
- putting the RRset in canonical form, the implementation MUST treat
- this as a protocol error. If the implementation chooses to handle
- this protocol error in the spirit of the robustness principle (being
- liberal in what it accepts), the implementation MUST remove all but
- one of the duplicate RR(s) for purposes of calculating the canonical
- form of the RRset.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 22]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-7. IANA Considerations
-
- This document introduces no new IANA considerations, because all of
- the protocol parameters used in this document have already been
- assigned by previous specifications. However, since the evolution of
- DNSSEC has been long and somewhat convoluted, this section attempts
- to describe the current state of the IANA registries and other
- protocol parameters which are (or once were) related to DNSSEC.
-
- Please refer to [I-D.ietf-dnsext-dnssec-protocol] for additional IANA
- considerations.
-
- DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to
- the SIG, KEY, and NXT RRs, respectively. [RFC3658] assigned DNS
- Resource Record Type 43 to DS. [RFC3755] assigned types 46, 47,
- and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively.
- [RFC3755] also marked type 30 (NXT) as Obsolete, and restricted
- use of types 24 (SIG) and 25 (KEY) to the "SIG(0)" transaction
- security protocol described in [RFC2931] and the transaction KEY
- Resource Record described in [RFC2930].
-
- DNS Security Algorithm Numbers: [RFC2535] created an IANA registry
- for DNSSEC Resource Record Algorithm field numbers, and assigned
- values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755]
- altered this registry to include flags for each entry regarding
- its use with the DNS security extensions. Each algorithm entry
- could refer to an algorithm that can be used for zone signing,
- transaction security (see [RFC2931]) or both. Values 6-251 are
- available for assignment by IETF standards action. See Appendix A
- for a full listing of the DNS Security Algorithm Numbers entries
- at the time of writing and their status of use in DNSSEC.
-
- [RFC3658] created an IANA registry for DNSSEC DS Digest Types, and
- assigned value 0 to reserved and value 1 to SHA-1.
-
- KEY Protocol Values: [RFC2535] created an IANA Registry for KEY
- Protocol Values, but [RFC3445] re-assigned all values other than 3
- to reserved and closed this IANA registry. The registry remains
- closed, and all KEY and DNSKEY records are required to have
- Protocol Octet value of 3.
-
- Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA
- registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially,
- this registry only contains an assignment for bit 7 (the ZONE bit)
- and a reservation for bit 15 for the Secure Entry Point flag (SEP
- bit) [RFC3757]. Bits 0-6 and 8-14 are available for assignment by
- IETF Standards Action.
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 23]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-8. Security Considerations
-
- This document describes the format of four DNS resource records used
- by the DNS security extensions, and presents an algorithm for
- calculating a key tag for a public key. Other than the items
- described below, the resource records themselves introduce no
- security considerations. Please see [I-D.ietf-dnsext-dnssec-intro]
- and [I-D.ietf-dnsext-dnssec-protocol] for additional security
- considerations related to the use of these records.
-
- The DS record points to a DNSKEY RR using a cryptographic digest, the
- key algorithm type and a key tag. The DS record is intended to
- identify an existing DNSKEY RR, but it is theoretically possible for
- an attacker to generate a DNSKEY that matches all the DS fields. The
- probability of constructing such a matching DNSKEY depends on the
- type of digest algorithm in use. The only currently defined digest
- algorithm is SHA-1, and the working group believes that constructing
- a public key which would match the algorithm, key tag, and SHA-1
- digest given in a DS record would be a sufficiently difficult problem
- that such an attack is not a serious threat at this time.
-
- The key tag is used to help select DNSKEY resource records
- efficiently, but it does not uniquely identify a single DNSKEY
- resource record. It is possible for two distinct DNSKEY RRs to have
- the same owner name, the same algorithm type, and the same key tag.
- An implementation which uses only the key tag to select a DNSKEY RR
- might select the wrong public key in some circumstances.
-
- The table of algorithms in Appendix A and the key tag calculation
- algorithms in Appendix B include the RSA/MD5 algorithm for
- completeness, but the RSA/MD5 algorithm is NOT RECOMMENDED, as
- explained in [RFC3110].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 24]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-9. Acknowledgments
-
- This document was created from the input and ideas of the members of
- the DNS Extensions Working Group and working group mailing list. The
- editors would like to express their thanks for the comments and
- suggestions received during the revision of these security extension
- specifications. While explicitly listing everyone who has
- contributed during the decade during which DNSSEC has been under
- development would be an impossible task,
- [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the
- participants who were kind enough to comment on these documents.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 25]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-10. References
-
-10.1 Normative References
-
- [I-D.ietf-dnsext-dnssec-intro]
- Arends, R., Austein, R., Larson, M., Massey, D. and S.
- Rose, "DNS Security Introduction and Requirements",
- draft-ietf-dnsext-dnssec-intro-10 (work in progress), May
- 2004.
-
- [I-D.ietf-dnsext-dnssec-protocol]
- Arends, R., Austein, R., Larson, M., Massey, D. and S.
- Rose, "Protocol Modifications for the DNS Security
- Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work in
- progress), May 2004.
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
- August 1996.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
- SIG(0)s)", RFC 2931, September 2000.
-
- [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
- Name System (DNS)", RFC 3110, May 2001.
-
- [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 26]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- Resource Record (RR)", RFC 3445, December 2002.
-
- [RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data
- Encodings", RFC 3548, July 2003.
-
- [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
- (RR) Types", RFC 3597, September 2003.
-
- [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
- (RR)", RFC 3658, December 2003.
-
- [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
- Signer", RFC 3755, April 2004.
-
- [RFC3757] Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure
- Entry Point Flag", RFC 3757, April 2004.
-
-10.2 Informative References
-
- [I-D.ietf-dnsext-nsec-rdata]
- Schlyter, J., "DNSSEC NSEC RDATA Format",
- draft-ietf-dnsext-nsec-rdata-06 (work in progress), May
- 2004.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Drienerlolaan 5
- 7522 NB Enschede
- NL
-
- EMail: roy.arends@telin.nl
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 27]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- Rob Austein
- Internet Systems Consortium
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- EMail: sra@isc.org
-
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: mlarson@verisign.com
-
-
- Dan Massey
- USC Information Sciences Institute
- 3811 N. Fairfax Drive
- Arlington, VA 22203
- USA
-
- EMail: masseyd@isi.edu
-
-
- Scott Rose
- National Institute for Standards and Technology
- 100 Bureau Drive
- Gaithersburg, MD 20899-8920
- USA
-
- EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 28]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-Appendix A. DNSSEC Algorithm and Digest Types
-
- The DNS security extensions are designed to be independent of the
- underlying cryptographic algorithms. The DNSKEY, RRSIG, and DS
- resource records all use a DNSSEC Algorithm Number to identify the
- cryptographic algorithm in use by the resource record. The DS
- resource record also specifies a Digest Algorithm Number to identify
- the digest algorithm used to construct the DS record. The currently
- defined Algorithm and Digest Types are listed below. Additional
- Algorithm or Digest Types could be added as advances in cryptography
- warrant.
-
- A DNSSEC aware resolver or name server MUST implement all MANDATORY
- algorithms.
-
-A.1 DNSSEC Algorithm Types
-
- The DNSKEY, RRSIG, and DS RRs use an 8-bit number used to identify
- the security algorithm being used. These values are stored in the
- "Algorithm number" field in the resource record RDATA.
-
- Some algorithms are usable only for zone signing (DNSSEC), some only
- for transaction security mechanisms (SIG(0) and TSIG), and some for
- both. Those usable for zone signing may appear in DNSKEY, RRSIG, and
- DS RRs. Those usable for transaction security would be present in
- SIG(0) and KEY RRs as described in [RFC2931]
-
- Zone
- Value Algorithm [Mnemonic] Signing References Status
- ----- -------------------- --------- ---------- ---------
- 0 reserved
- 1 RSA/MD5 [RSAMD5] n RFC 2537 NOT RECOMMENDED
- 2 Diffie-Hellman [DH] n RFC 2539 -
- 3 DSA/SHA-1 [DSA] y RFC 2536 OPTIONAL
- 4 Elliptic Curve [ECC] TBA -
- 5 RSA/SHA-1 [RSASHA1] y RFC 3110 MANDATORY
- 252 Indirect [INDIRECT] n -
- 253 Private [PRIVATEDNS] y see below OPTIONAL
- 254 Private [PRIVATEOID] y see below OPTIONAL
- 255 reserved
-
- 6 - 251 Available for assignment by IETF Standards Action.
-
-A.1.1 Private Algorithm Types
-
- Algorithm number 253 is reserved for private use and will never be
- assigned to a specific algorithm. The public key area in the DNSKEY
- RR and the signature area in the RRSIG RR begin with a wire encoded
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 29]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- domain name, which MUST NOT be compressed. The domain name indicates
- the private algorithm to use and the remainder of the public key area
- is determined by that algorithm. Entities should only use domain
- names they control to designate their private algorithms.
-
- Algorithm number 254 is reserved for private use and will never be
- assigned to a specific algorithm. The public key area in the DNSKEY
- RR and the signature area in the RRSIG RR begin with an unsigned
- length byte followed by a BER encoded Object Identifier (ISO OID) of
- that length. The OID indicates the private algorithm in use and the
- remainder of the area is whatever is required by that algorithm.
- Entities should only use OIDs they control to designate their private
- algorithms.
-
-A.2 DNSSEC Digest Types
-
- A "Digest Type" field in the DS resource record types identifies the
- cryptographic digest algorithm used by the resource record. The
- following table lists the currently defined digest algorithm types.
-
- VALUE Algorithm STATUS
- 0 Reserved -
- 1 SHA-1 MANDATORY
- 2-255 Unassigned -
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 30]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-Appendix B. Key Tag Calculation
-
- The Key Tag field in the RRSIG and DS resource record types provides
- a mechanism for selecting a public key efficiently. In most cases, a
- combination of owner name, algorithm, and key tag can efficiently
- identify a DNSKEY record. Both the RRSIG and DS resource records
- have corresponding DNSKEY records. The Key Tag field in the RRSIG
- and DS records can be used to help select the corresponding DNSKEY RR
- efficiently when more than one candidate DNSKEY RR is available.
-
- However, it is essential to note that the key tag is not a unique
- identifier. It is theoretically possible for two distinct DNSKEY RRs
- to have the same owner name, the same algorithm, and the same key
- tag. The key tag is used to limit the possible candidate keys, but
- it does not uniquely identify a DNSKEY record. Implementations MUST
- NOT assume that the key tag uniquely identifies a DNSKEY RR.
-
- The key tag is the same for all DNSKEY algorithm types except
- algorithm 1 (please see Appendix B.1 for the definition of the key
- tag for algorithm 1). The key tag algorithm is the sum of the wire
- format of the DNSKEY RDATA broken into 2 octet groups. First the
- RDATA (in wire format) is treated as a series of 2 octet groups,
- these groups are then added together ignoring any carry bits.
-
- A reference implementation of the key tag algorithm is as an ANSI C
- function is given below with the RDATA portion of the DNSKEY RR is
- used as input. It is not necessary to use the following reference
- code verbatim, but the numerical value of the Key Tag MUST be
- identical to what the reference implementation would generate for the
- same input.
-
- Please note that the algorithm for calculating the Key Tag is almost
- but not completely identical to the familiar ones complement checksum
- used in many other Internet protocols. Key Tags MUST be calculated
- using the algorithm described here rather than the ones complement
- checksum.
-
- The following ANSI C reference implementation calculates the value of
- a Key Tag. This reference implementation applies to all algorithm
- types except algorithm 1 (see Appendix B.1). The input is the wire
- format of the RDATA portion of the DNSKEY RR. The code is written
- for clarity, not efficiency.
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 31]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
- /*
- * Assumes that int is at least 16 bits.
- * First octet of the key tag is the most significant 8 bits of the
- * return value;
- * Second octet of the key tag is the least significant 8 bits of the
- * return value.
- */
-
- unsigned int
- keytag (
- unsigned char key[], /* the RDATA part of the DNSKEY RR */
- unsigned int keysize /* the RDLENGTH */
- )
- {
- unsigned long ac; /* assumed to be 32 bits or larger */
- int i; /* loop index */
-
- for ( ac = 0, i = 0; i < keysize; ++i )
- ac += (i & 1) ? key[i] : key[i] << 8;
- ac += (ac >> 16) & 0xFFFF;
- return ac & 0xFFFF;
- }
-
-
-B.1 Key Tag for Algorithm 1 (RSA/MD5)
-
- The key tag for algorithm 1 (RSA/MD5) is defined differently than the
- key tag for all other algorithms, for historical reasons. For a
- DNSKEY RR with algorithm 1, the key tag is defined to be the most
- significant 16 bits of the least significant 24 bits in the public
- key modulus (in other words, the 4th to last and 3rd to last octets
- of the public key modulus).
-
- Please note that Algorithm 1 is NOT RECOMMENDED.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 32]
-
-Internet-Draft DNSSEC Resource Records July 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Arends, et al. Expires January 13, 2005 [Page 33]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-trans-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-trans-02.txt
deleted file mode 100644
index dd8cbf0682e0..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-trans-02.txt
+++ /dev/null
@@ -1,839 +0,0 @@
-
-DNS Extensions Working Group R. Arends
-Internet-Draft Telematica Instituut
-Expires: August 25, 2005 P. Koch
- DENIC eG
- J. Schlyter
- NIC-SE
- February 21, 2005
-
-
- Evaluating DNSSEC Transition Mechanisms
- draft-ietf-dnsext-dnssec-trans-02.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 25, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document collects and summarizes different proposals for
- alternative and additional strategies for authenticated denial in DNS
- responses, evaluates these proposals and gives a recommendation for a
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 1]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
- way forward.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Transition Mechanisms . . . . . . . . . . . . . . . . . . . . 3
- 2.1 Mechanisms With Need of Updating DNSSEC-bis . . . . . . . 4
- 2.1.1 Dynamic NSEC Synthesis . . . . . . . . . . . . . . . . 4
- 2.1.2 Add Versioning/Subtyping to Current NSEC . . . . . . . 5
- 2.1.3 Type Bit Map NSEC Indicator . . . . . . . . . . . . . 6
- 2.1.4 New Apex Type . . . . . . . . . . . . . . . . . . . . 6
- 2.1.5 NSEC White Lies . . . . . . . . . . . . . . . . . . . 7
- 2.1.6 NSEC Optional via DNSSKEY Flag . . . . . . . . . . . . 8
- 2.1.7 New Answer Pseudo RR Type . . . . . . . . . . . . . . 9
- 2.1.8 SIG(0) Based Authenticated Denial . . . . . . . . . . 9
- 2.2 Mechanisms Without Need of Updating DNSSEC-bis . . . . . . 10
- 2.2.1 Partial Type-code and Signal Rollover . . . . . . . . 10
- 2.2.2 A Complete Type-code and Signal Rollover . . . . . . . 11
- 2.2.3 Unknown Algorithm in RRSIG . . . . . . . . . . . . . . 11
- 3. Recommendation . . . . . . . . . . . . . . . . . . . . . . . . 12
- 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
- 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
- 5.1 Normative References . . . . . . . . . . . . . . . . . . . 13
- 5.2 Informative References . . . . . . . . . . . . . . . . . . 13
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 14
- Intellectual Property and Copyright Statements . . . . . . . . 15
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 2]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
-1. Introduction
-
- This report shall document the process of dealing with the NSEC
- walking problem late in the Last Call for
- [I-D.ietf-dnsext-dnssec-intro, I-D.ietf-dnsext-dnssec-protocol,
- I-D.ietf-dnsext-dnssec-records]. It preserves some of the discussion
- that took place in the DNSEXT WG during the first half of June 2004
- as well as some additional ideas that came up subsequently.
-
- This is an edited excerpt of the chairs' mail to the WG:
- The working group consents on not including NSEC-alt in the
- DNSSEC-bis documents. The working group considers to take up
- "prevention of zone enumeration" as a work item.
- There may be multiple mechanisms to allow for co-existence with
- DNSSEC-bis. The chairs allow the working group a little over a
- week (up to June 12, 2004) to come to consensus on a possible
- modification to the document to enable gentle rollover. If that
- consensus cannot be reached the DNSSEC-bis documents will go out
- as-is.
-
- To ease the process of getting consensus, a summary of the proposed
- solutions and analysis of the pros and cons were written during the
- weekend.
-
- This summary includes:
-
- An inventory of the proposed mechanisms to make a transition to
- future work on authenticated denial of existence.
- List the known Pros and Cons, possibly provide new arguments, and
- possible security considerations of these mechanisms.
- Provide a recommendation on a way forward that is least disruptive
- to the DNSSEC-bis specifications as they stand and keep an open
- path to other methods for authenticated denial of existence.
-
- The descriptions of the proposals in this document are coarse and do
- not cover every detail necessary for implementation. In any case,
- documentation and further study is needed before implementaion and/or
- deployment, including those which seem to be solely operational in
- nature.
-
-2. Transition Mechanisms
-
- In the light of recent discussions and past proposals, we have found
- several ways to allow for transition to future expansion of
- authenticated denial. We tried to illuminate the paths and pitfalls
- in these ways forward. Some proposals lead to a versioning of
- DNSSEC, where DNSSEC-bis may co-exist with DNSSEC-ter, other
- proposals are 'clean' but may cause delay, while again others may be
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 3]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
- plain hacks.
-
- Some paths do not introduce versioning, and might require the current
- DNSSEC-bis documents to be fully updated to allow for extensions to
- authenticated denial mechanisms. Other paths introduce versioning
- and do not (or minimally) require DNSSEC-bis documents to be updated,
- allowing DNSSEC-bis to be deployed, while future versions can be
- drafted independent from or partially depending on DNSSEC-bis.
-
-2.1 Mechanisms With Need of Updating DNSSEC-bis
-
- Mechanisms in this category demand updates to the DNSSEC-bis document
- set.
-
-2.1.1 Dynamic NSEC Synthesis
-
- This proposal assumes that NSEC RRs and the authenticating RRSIG will
- be generated dynamically to just cover the (non existent) query name.
- The owner name is (the) one preceding the name queried for, the Next
- Owner Name Field has the value of the Query Name Field + 1 (first
- successor in canonical ordering). A separate key (the normal ZSK or
- a separate ZSK per authoritative server) would be used for RRSIGs on
- NSEC RRs. This is a defense against enumeration, though it has the
- presumption of online signing.
-
-2.1.1.1 Coexistence and Migration
-
- There is no change in interpretation other then that the next owner
- name might or might not exist.
-
-2.1.1.2 Limitations
-
- This introduces an unbalanced cost between query and response
- generation due to dynamic generation of signatures.
-
-2.1.1.3 Amendments to DNSSEC-bis
-
- The current DNSSEC-bis documents might need to be updated to indicate
- that the next owner name might not be an existing name in the zone.
- This is not a real change to the spec since implementers have been
- warned not to synthesize with previously cached NSEC records. A
- specific bit to identify the dynamic signature generating key might
- be useful as well, to prevent it from being used to fake positive
- data.
-
-2.1.1.4 Cons
-
- Unbalanced cost is a ground for DDoS. Though this protects against
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 4]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
- enumeration, it is not really a path for versioning.
-
-2.1.1.5 Pros
-
- Hardly any amendments to DNSSEC-bis.
-
-2.1.2 Add Versioning/Subtyping to Current NSEC
-
- This proposal introduces versioning for the NSEC RR type (a.k.a.
- subtyping) by adding a (one octet) version field to the NSEC RDATA.
- Version number 0 is assigned to the current (DNSSEC-bis) meaning,
- making this an 'Must Be Zero' (MBZ) for the to be published docset.
-
-2.1.2.1 Coexistence and Migration
-
- Since the versioning is done inside the NSEC RR, different versions
- may coexist. However, depending on future methods, that may or may
- not be useful inside a single zone. Resolvers cannot ask for
- specific NSEC versions but may be able to indicate version support by
- means of a to be defined EDNS option bit.
-
-2.1.2.2 Limitations
-
- There are no technical limitations, though it will cause delay to
- allow testing of the (currently unknown) new NSEC interpretation.
-
- Since the versioning and signaling is done inside the NSEC RR, future
- methods will likely be restricted to a single RR type authenticated
- denial (as opposed to e.g. NSEC-alt, which currently proposes three
- RR types).
-
-2.1.2.3 Amendments to DNSSEC-bis
-
- Full Update of the current DNSSEC-bis documents to provide for new
- fields in NSEC, while specifying behavior in case of unknown field
- values.
-
-2.1.2.4 Cons
-
- Though this is a clean and clear path without versioning DNSSEC, it
- takes some time to design, gain consensus, update the current
- dnssec-bis document, test and implement a new authenticated denial
- record.
-
-2.1.2.5 Pros
-
- Does not introduce an iteration to DNSSEC while providing a clear and
- clean migration strategy.
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 5]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
-2.1.3 Type Bit Map NSEC Indicator
-
- Bits in the type-bit-map are reused or allocated to signify the
- interpretation of NSEC.
-
- This proposal assumes that future extensions make use of the existing
- NSEC RDATA syntax, while it may need to change the interpretation of
- the RDATA or introduce an alternative denial mechanism, invoked by
- the specific type-bit-map-bits.
-
-2.1.3.1 Coexistence and migration
-
- Old and new NSEC meaning could coexist, depending how the signaling
- would be defined. The bits for NXT, NSEC, RRSIG or other outdated RR
- types are available as well as those covering meta/query types or
- types to be specifically allocated.
-
-2.1.3.2 Limitations
-
- This mechanism uses an NSEC field that was not designed for that
- purpose. Similar methods were discussed during the Opt-In discussion
- and the Silly-State discussion.
-
-2.1.3.3 Amendments to DNSSEC-bis
-
- The specific type-bit-map-bits must be allocated and they need to be
- specified as 'Must Be Zero' (MBZ) when used for standard (dnssec-bis)
- interpretation. Also, behaviour of the resolver and validator must
- be documented in case unknown values are encountered for the MBZ
- field. Currently the protocol document specifies that the validator
- MUST ignore the setting of the NSEC and the RRSIG bits, while other
- bits are only used for the specific purpose of the type-bit-map field
-
-2.1.3.4 Cons
-
- The type-bit-map was not designed for this purpose. It is a
- straightforward hack. Text in protocol section 5.4 was put in
- specially to defend against this usage.
-
-2.1.3.5 Pros
-
- No change needed to the on-the-wire protocol as specified in the
- current docset.
-
-2.1.4 New Apex Type
-
- This introduces a new Apex type (parallel to the zone's SOA)
- indicating the DNSSEC version (or authenticated denial) used in or
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 6]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
- for this zone.
-
-2.1.4.1 Coexistence and Migration
-
- Depending on the design of this new RR type multiple denial
- mechanisms may coexist in a zone. Old validators will not understand
- and thus ignore the new type, so interpretation of the new NSEC
- scheme may fail, negative responses may appear 'bogus'.
-
-2.1.4.2 Limitations
-
- A record of this kind is likely to carry additional
- feature/versioning indications unrelated to the current question of
- authenticated denial.
-
-2.1.4.3 Amendments to DNSSEC-bis
-
- The current DNSSEC-bis documents need to be updated to indicate that
- the absence of this type indicates dnssec-bis, and that the (mere)
- presence of this type indicated unknown versions.
-
-2.1.4.4 Cons
-
- The only other 'zone' or 'apex' record is the SOA record. Though
- this proposal is not new, it is yet unknown how it might fulfill
- authenticated denial extensions. This new RR type would only provide
- for a generalized signaling mechanism, not the new authenticated
- denial scheme. Since it is likely to be general in nature, due to
- this generality consensus is not to be reached soon.
-
-2.1.4.5 Pros
-
- This approach would allow for a lot of other per zone information to
- be transported or signaled to both (slave) servers and resolvers.
-
-2.1.5 NSEC White Lies
-
- This proposal disables one part of NSEC (the pointer part) by means
- of a special target (root, apex, owner, ...), leaving intact only the
- ability to authenticate denial of existence of RR sets, not denial of
- existence of domain names (NXDOMAIN). It may be necessary to have
- one working NSEC to prove the absence of a wildcard.
-
-2.1.5.1 Coexistence and Migration
-
- The NSEC target can be specified per RR, so standard NSEC and 'white
- lie' NSEC can coexist in a zone. There is no need for migration
- because no versioning is introduced or intended.
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 7]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
-2.1.5.2 Limitations
-
- This proposal breaks the protocol and is applicable to certain types
- of zones only (no wildcard, no deep names, delegation only). Most of
- the burden is put on the resolver side and operational consequences
- are yet to be studied.
-
-2.1.5.3 Amendments to DNSSEC-bis
-
- The current DNSSEC-bis documents need to be updated to indicate that
- the NXDOMAIN responses may be insecure.
-
-2.1.5.4 Cons
-
- Strictly speaking this breaks the protocol and doesn't fully fulfill
- the requirements for authenticated denial of existence. Security
- implications need to be carefully documented: search path problems
- (forged denial of existence may lead to wrong expansion of non-FQDNs
- [RFC1535]) and replay attacks to deny existence of records.
-
-2.1.5.5 Pros
-
- Hardly any amendments to DNSSEC-bis. Operational "trick" that is
- available anyway.
-
-2.1.6 NSEC Optional via DNSSKEY Flag
-
- A new DNSKEY may be defined to declare NSEC optional per zone.
-
-2.1.6.1 Coexistence and Migration
-
- Current resolvers/validators will not understand the Flag bit and
- will have to treat negative responses as bogus. Otherwise, no
- migration path is needed since NSEC is simply turned off.
-
-2.1.6.2 Limitations
-
- NSEC can only be made completely optional at the cost of being unable
- to prove unsecure delegations (absence of a DS RR [RFC3658]). A next
- to this approach would just disable authenticated denial for
- non-existence of nodes.
-
-2.1.6.3 Amendments to DNSSEC-bis
-
- New DNSKEY Flag to be defined. Resolver/Validator behaviour needs to
- be specified in the light of absence of authenticated denial.
-
-
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 8]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
-2.1.6.4 Cons
-
- Doesn't fully meet requirements. Operational consequences to be
- studied.
-
-2.1.6.5 Pros
-
- Official version of the "trick" presented in (8). Operational
- problems can be addressed during future work on validators.
-
-2.1.7 New Answer Pseudo RR Type
-
- A new pseudo RR type may be defined that will be dynamically created
- (and signed) by the responding authoritative server. The RR in the
- response will cover the QNAME, QCLASS and QTYPE and will authenticate
- both denial of existence of name (NXDOMAIN) or RRset.
-
-2.1.7.1 Coexistence and Migration
-
- Current resolvers/validators will not understand the pseudo RR and
- will thus not be able to process negative responses so testified. A
- signaling or solicitation method would have to be specified.
-
-2.1.7.2 Limitations
-
- This method can only be used with online keys and online signing
- capacity.
-
-2.1.7.3 Amendments to DNSSEC-bis
-
- Signaling method needs to be defined.
-
-2.1.7.4 Cons
-
- Keys have to be held and processed online with all security
- implications. An additional flag for those keys identifying them as
- online or negative answer only keys should be considered.
-
-2.1.7.5 Pros
-
- Expands DNSSEC authentication to the RCODE.
-
-2.1.8 SIG(0) Based Authenticated Denial
-
-
-2.1.8.1 Coexistence and Migration
-
-
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 9]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
-2.1.8.2 Limitations
-
-
-2.1.8.3 Amendments to DNSSEC-bis
-
-
-2.1.8.4 Cons
-
-
-2.1.8.5 Pros
-
-
-2.2 Mechanisms Without Need of Updating DNSSEC-bis
-
-2.2.1 Partial Type-code and Signal Rollover
-
- Carefully crafted type code/signal rollover to define a new
- authenticated denial space that extends/replaces DNSSEC-bis
- authenticated denial space. This particular path is illuminated by
- Paul Vixie in a Message-Id <20040602070859.0F50913951@sa.vix.com>
- posted to <namedroppers@ops.ietf.org> 2004-06-02.
-
-2.2.1.1 Coexistence and Migration
-
- To protect the current resolver for future versions, a new DNSSEC-OK
- bit must be allocated to make clear it does or does not understand
- the future version. Also, a new DS type needs to be allocated to
- allow differentiation between a current signed delegation and a
- 'future' signed delegation. Also, current NSEC needs to be rolled
- into a new authenticated denial type.
-
-2.2.1.2 Limitations
-
- None.
-
-2.2.1.3 Amendments to DNSSEC-bis
-
- None.
-
-2.2.1.4 Cons
-
- It is cumbersome to carefully craft an TCR that 'just fits'. The
- DNSSEC-bis protocol has many 'borderline' cases that needs special
- consideration. It might be easier to do a full TCR, since a few of
- the types and signals need upgrading anyway.
-
-
-
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 10]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
-2.2.1.5 Pros
-
- Graceful adoption of future versions of NSEC, while there are no
- amendments to DNSSEC-bis.
-
-2.2.2 A Complete Type-code and Signal Rollover
-
- A new DNSSEC space is defined which can exist independent of current
- DNSSEC-bis space.
-
- This proposal assumes that all current DNSSEC type-codes
- (RRSIG/DNSKEY/NSEC/DS) and signals (DNSSEC-OK) are not used in any
- future versions of DNSSEC. Any future version of DNSSEC has its own
- types to allow for keys, signatures, authenticated denial, etcetera.
-
-2.2.2.1 Coexistence and Migration
-
- Both spaces can co-exist. They can be made completely orthogonal.
-
-2.2.2.2 Limitations
-
- None.
-
-2.2.2.3 Amendments to DNSSEC-bis
-
- None.
-
-2.2.2.4 Cons
-
- With this path we abandon the current DNSSEC-bis. Though it is easy
- to role specific well-known and well-tested parts into the re-write,
- once deployment has started this path is very expensive for
- implementers, registries, registrars and registrants as well as
- resolvers/users. A TCR is not to be expected to occur frequently, so
- while a next generation authenticated denial may be enabled by a TCR,
- it is likely that that TCR will only be agreed upon if it serves a
- whole basket of changes or additions. A quick introduction of
- NSEC-ng should not be expected from this path.
-
-2.2.2.5 Pros
-
- No amendments/changes to current DNSSEC-bis docset needed. It is
- always there as last resort.
-
-2.2.3 Unknown Algorithm in RRSIG
-
- This proposal assumes that future extensions make use of the existing
- NSEC RDATA syntax, while it may need to change the interpretation of
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 11]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
- the RDATA or introduce an alternative denial mechanism, invoked by
- the specific unknown signing algorithm. The different interpretation
- would be signaled by use of different signature algorithms in the
- RRSIG records covering the NSEC RRs.
-
- When an entire zone is signed with a single unknown algorithm, it
- will cause implementations that follow current dnssec-bis documents
- to treat individual RRsets as unsigned.
-
-2.2.3.1 Coexistence and migration
-
- Old and new NSEC RDATA interpretation or known and unknown Signatures
- can NOT coexist in a zone since signatures cover complete (NSEC)
- RRSets.
-
-2.2.3.2 Limitations
-
- Validating resolvers agnostic of new interpretation will treat the
- NSEC RRset as "not signed". This affects wildcard and non-existence
- proof, as well as proof for (un)secured delegations. Also, all
- positive signatures (RRSIGs on RRSets other than DS, NSEC) appear
- insecure/bogus to an old validator.
-
- The algorithm version space is split for each future version of
- DNSSEC. Violation of the 'modular components' concept. We use the
- 'validator' to protect the 'resolver' from unknown interpretations.
-
-2.2.3.3 Amendments to DNSSEC-bis
-
- None.
-
-2.2.3.4 Cons
-
- The algorithm field was not designed for this purpose. This is a
- straightforward hack.
-
-2.2.3.5 Pros
-
- No amendments/changes to current DNSSEC-bis docset needed.
-
-3. Recommendation
-
- The authors recommend that the working group commits to and starts
- work on a partial TCR, allowing graceful transition towards a future
- version of NSEC. Meanwhile, to accomodate the need for an
- immediately, temporary, solution against zone-traversal, we recommend
- On-Demand NSEC synthesis.
-
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 12]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
- This approach does not require any mandatory changes to DNSSEC-bis,
- does not violate the protocol and fulfills the requirements. As a
- side effect, it moves the cost of implementation and deployment to
- the users (zone owners) of this mechanism.
-
-4. Acknowledgements
-
- The authors would like to thank Sam Weiler and Mark Andrews for their
- input and constructive comments.
-
-5. References
-
-5.1 Normative References
-
- [I-D.ietf-dnsext-dnssec-intro]
- Arends, R., Austein, R., Massey, D., Larson, M. and S.
- Rose, "DNS Security Introduction and Requirements",
- Internet-Draft draft-ietf-dnsext-dnssec-intro-13, October
- 2004.
-
- [I-D.ietf-dnsext-dnssec-protocol]
- Arends, R., "Protocol Modifications for the DNS Security
- Extensions",
- Internet-Draft draft-ietf-dnsext-dnssec-protocol-09,
- October 2004.
-
- [I-D.ietf-dnsext-dnssec-records]
- Arends, R., "Resource Records for the DNS Security
- Extensions",
- Internet-Draft draft-ietf-dnsext-dnssec-records-11,
- October 2004.
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
- SIG(0)s)", RFC 2931, September 2000.
-
-5.2 Informative References
-
- [RFC1535] Gavron, E., "A Security Problem and Proposed Correction
- With Widely Deployed DNS Software", RFC 1535, October
- 1993.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 13]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
- RFC 2535, March 1999.
-
- [RFC2629] Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
- June 1999.
-
- [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
- (RR)", RFC 3658, December 2003.
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Brouwerijstraat 1
- Enschede 7523 XC
- The Netherlands
-
- Phone: +31 53 4850485
- Email: roy.arends@telin.nl
-
-
- Peter Koch
- DENIC eG
- Wiesenh"uttenplatz 26
- Frankfurt 60329
- Germany
-
- Phone: +49 69 27235 0
- Email: pk@DENIC.DE
-
-
- Jakob Schlyter
- NIC-SE
- Box 5774
- Stockholm SE-114 87
- Sweden
-
- Email: jakob@nic.se
- URI: http://www.nic.se/
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 14]
-
-Internet-Draft Evaluating DNSSEC Transition Mechanisms February 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Arends, et al. Expires August 25, 2005 [Page 15]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-ecc-key-07.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-ecc-key-07.txt
deleted file mode 100644
index 2cdcdb16c920..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-ecc-key-07.txt
+++ /dev/null
@@ -1,928 +0,0 @@
-
-INTERNET-DRAFT ECC Keys in the DNS
-Expires: January 2006 July 2005
-
-
-
- Elliptic Curve KEYs in the DNS
- -------- ----- ---- -- --- ---
- <draft-ietf-dnsext-ecc-key-07.txt>
-
- Richard C. Schroeppel
- Donald Eastlake 3rd
-
-
-Status of This Document
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- This draft is intended to be become a Proposed Standard RFC.
- Distribution of this document is unlimited. Comments should be sent
- to the DNS mailing list <namedroppers@ops.ietf.org>.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-Abstract
-
- The standard method for storing elliptic curve cryptographic keys and
- signatures in the Domain Name System is specified.
-
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005). All Rights Reserved.
-
-
-
-
-
-R. Schroeppel, et al [Page 1]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
-Acknowledgement
-
- The assistance of Hilarie K. Orman in the production of this document
- is greatfully acknowledged.
-
-
-
-Table of Contents
-
- Status of This Document....................................1
- Abstract...................................................1
- Copyright Notice...........................................1
-
- Acknowledgement............................................2
- Table of Contents..........................................2
-
- 1. Introduction............................................3
- 2. Elliptic Curve Data in Resource Records.................3
- 3. The Elliptic Curve Equation.............................9
- 4. How do I Compute Q, G, and Y?..........................10
- 5. Elliptic Curve SIG Resource Records....................11
- 6. Performance Considerations.............................13
- 7. Security Considerations................................13
- 8. IANA Considerations....................................13
- Copyright and Disclaimer..................................14
-
- Informational References..................................15
- Normative Refrences.......................................15
-
- Author's Addresses........................................16
- Expiration and File Name..................................16
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al [Page 2]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- other information. The DNS has been extended to include digital
- signatures and cryptographic keys as described in [RFC 4033, 4034,
- 4035].
-
- This document describes how to store elliptic curve cryptographic
- (ECC) keys and signatures in the DNS so they can be used for a
- variety of security purposes. Familiarity with ECC cryptography is
- assumed [Menezes].
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-
-
-2. Elliptic Curve Data in Resource Records
-
- Elliptic curve public keys are stored in the DNS within the RDATA
- portions of key RRs, such as RRKEY and KEY [RFC 4034] RRs, with the
- structure shown below.
-
- The research world continues to work on the issue of which is the
- best elliptic curve system, which finite field to use, and how to
- best represent elements in the field. So, representations are
- defined for every type of finite field, and every type of elliptic
- curve. The reader should be aware that there is a unique finite
- field with a particular number of elements, but many possible
- representations of that field and its elements. If two different
- representations of a field are given, they are interconvertible with
- a tedious but practical precomputation, followed by a fast
- computation for each field element to be converted. It is perfectly
- reasonable for an algorithm to work internally with one field
- representation, and convert to and from a different external
- representation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al [Page 3]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |S M -FMT- A B Z|
- +-+-+-+-+-+-+-+-+
- | LP |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | P (length determined from LP) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | LF |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | F (length determined from LF) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | DEG |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | DEGH |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | DEGI |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | DEGJ |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | TRDV |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |S| LH |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | H (length determined from LH) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |S| LK |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | K (length determined from LK) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | LQ |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Q (length determined from LQ) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | LA |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | A (length determined from LA) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | ALTA |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | LB |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | B (length determined from LB) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | LC |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | C (length determined from LC) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | LG |
-
-
-R. Schroeppel, et al [Page 4]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | G (length determined from LG) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | LY |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Y (length determined from LY) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- SMFMTABZ is a flags octet as follows:
-
- S = 1 indicates that the remaining 7 bits of the octet selects
- one of 128 predefined choices of finite field, element
- representation, elliptic curve, and signature parameters.
- MFMTABZ are omitted, as are all parameters from LP through G.
- LY and Y are retained.
-
- If S = 0, the remaining parameters are as in the picture and
- described below.
-
- M determines the type of field underlying the elliptic curve.
-
- M = 0 if the field is a GF[2^N] field;
-
- M = 1 if the field is a (mod P) or GF[P^D] field with P>2.
-
- FMT is a three bit field describing the format of the field
- representation.
-
- FMT = 0 for a (mod P) field.
- > 0 for an extension field, either GF[2^D] or GF[P^D].
- The degree D of the extension, and the field polynomial
- must be specified. The field polynomial is always monic
- (leading coefficient 1.)
-
- FMT = 1 The field polynomial is given explicitly; D is implied.
-
- If FMT >=2, the degree D is given explicitly.
-
- = 2 The field polynomial is implicit.
- = 3 The field polynomial is a binomial. P>2.
- = 4 The field polynomial is a trinomial.
- = 5 The field polynomial is the quotient of a trinomial by a
- short polynomial. P=2.
- = 6 The field polynomial is a pentanomial. P=2.
-
- Flags A and B apply to the elliptic curve parameters.
-
-
-
-
-
-
-R. Schroeppel, et al [Page 5]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- A = 1 When P>=5, the curve parameter A is negated. If P=2, then
- A=1 indicates that the A parameter is special. See the
- ALTA parameter below, following A. The combination A=1,
- P=3 is forbidden.
-
- B = 1 When P>=5, the curve parameter B is negated. If P=2 or 3,
- then B=1 indicates an alternate elliptic curve equation is
- used. When P=2 and B=1, an additional curve parameter C
- is present.
-
- The Z bit SHOULD be set to zero on creation of an RR and MUST be
- ignored when processing an RR (when S=0).
-
- Most of the remaining parameters are present in some formats and
- absent in others. The presence or absence of a parameter is
- determined entirely by the flags. When a parameter occurs, it is in
- the order defined by the picture.
-
- Of the remaining parameters, PFHKQABCGY are variable length. When
- present, each is preceded by a one-octet length field as shown in the
- diagram above. The length field does not include itself. The length
- field may have values from 0 through 110. The parameter length in
- octets is determined by a conditional formula: If LL<=64, the
- parameter length is LL. If LL>64, the parameter length is 16 times
- (LL-60). In some cases, a parameter value of 0 is sensible, and MAY
- be represented by an LL value of 0, with the data field omitted. A
- length value of 0 represents a parameter value of 0, not an absent
- parameter. (The data portion occupies 0 space.) There is no
- requirement that a parameter be represented in the minimum number of
- octets; high-order 0 octets are allowed at the front end. Parameters
- are always right adjusted, in a field of length defined by LL. The
- octet-order is always most-significant first, least-significant last.
- The parameters H and K may have an optional sign bit stored in the
- unused high-order bit of their length fields.
-
- LP defines the length of the prime P. P must be an odd prime. The
- parameters LP,P are present if and only if the flag M=1. If M=0, the
- prime is 2.
-
- LF,F define an explicit field polynomial. This parameter pair is
- present only when FMT = 1. The length of a polynomial coefficient is
- ceiling(log2 P) bits. Coefficients are in the numerical range
- [0,P-1]. The coefficients are packed into fixed-width fields, from
- higher order to lower order. All coefficients must be present,
- including any 0s and also the leading coefficient (which is required
- to be 1). The coefficients are right justified into the octet string
- of length specified by LF, with the low-order "constant" coefficient
- at the right end. As a concession to storage efficiency, the higher
- order bits of the leading coefficient may be elided, discarding high-
- order 0 octets and reducing LF. The degree is calculated by
-
-
-R. Schroeppel, et al [Page 6]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- determining the bit position of the left most 1-bit in the F data
- (counting the right most bit as position 0), and dividing by
- ceiling(log2 P). The division must be exact, with no remainder. In
- this format, all of the other degree and field parameters are
- omitted. The next parameters will be LQ,Q.
-
- If FMT>=2, the degree of the field extension is specified explicitly,
- usually along with other parameters to define the field polynomial.
-
- DEG is a two octet field that defines the degree of the field
- extension. The finite field will have P^DEG elements. DEG is
- present when FMT>=2.
-
- When FMT=2, the field polynomial is specified implicitly. No other
- parameters are required to define the field; the next parameters
- present will be the LQ,Q pair. The implicit field poynomial is the
- lexicographically smallest irreducible (mod P) polynomial of the
- correct degree. The ordering of polynomials is by highest-degree
- coefficients first -- the leading coefficient 1 is most important,
- and the constant term is least important. Coefficients are ordered
- by sign-magnitude: 0 < 1 < -1 < 2 < -2 < ... The first polynomial of
- degree D is X^D (which is not irreducible). The next is X^D+1, which
- is sometimes irreducible, followed by X^D-1, which isn't. Assuming
- odd P, this series continues to X^D - (P-1)/2, and then goes to X^D +
- X, X^D + X + 1, X^D + X - 1, etc.
-
- When FMT=3, the field polynomial is a binomial, X^DEG + K. P must be
- odd. The polynomial is determined by the degree and the low order
- term K. Of all the field parameters, only the LK,K parameters are
- present. The high-order bit of the LK octet stores on optional sign
- for K; if the sign bit is present, the field polynomial is X^DEG - K.
-
- When FMT=4, the field polynomial is a trinomial, X^DEG + H*X^DEGH +
- K. When P=2, the H and K parameters are implicitly 1, and are
- omitted from the representation. Only DEG and DEGH are present; the
- next parameters are LQ,Q. When P>2, then LH,H and LK,K are
- specified. Either or both of LH, LK may contain a sign bit for its
- parameter.
-
- When FMT=5, then P=2 (only). The field polynomial is the exact
- quotient of a trinomial divided by a small polynomial, the trinomial
- divisor. The small polynomial is right-adjusted in the two octet
- field TRDV. DEG specifies the degree of the field. The degree of
- TRDV is calculated from the position of the high-order 1 bit. The
- trinomial to be divided is X^(DEG+degree(TRDV)) + X^DEGH + 1. If
- DEGH is 0, the middle term is omitted from the trinomial. The
- quotient must be exact, with no remainder.
-
- When FMT=6, then P=2 (only). The field polynomial is a pentanomial,
- with the degrees of the middle terms given by the three 2-octet
-
-
-R. Schroeppel, et al [Page 7]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- values DEGH, DEGI, DEGJ. The polynomial is X^DEG + X^DEGH + X^DEGI +
- X^DEGJ + 1. The values must satisfy the inequality DEG > DEGH > DEGI
- > DEGJ > 0.
-
- DEGH, DEGI, DEGJ are two-octet fields that define the degree of
- a term in a field polynomial. DEGH is present when FMT = 4,
- 5, or 6. DEGI and DEGJ are present only when FMT = 6.
-
- TRDV is a two-octet right-adjusted binary polynomial of degree <
- 16. It is present only for FMT=5.
-
- LH and H define the H parameter, present only when FMT=4 and P
- is odd. The high bit of LH is an optional sign bit for H.
-
- LK and K define the K parameter, present when FMT = 3 or 4, and
- P is odd. The high bit of LK is an optional sign bit for K.
-
- The remaining parameters are concerned with the elliptic curve and
- the signature algorithm.
-
- LQ defines the length of the prime Q. Q is a prime > 2^159.
-
- In all 5 of the parameter pairs LA+A,LB+B,LC+C,LG+G,LY+Y, the data
- member of the pair is an element from the finite field defined
- earlier. The length field defines a long octet string. Field
- elements are represented as (mod P) polynomials of degree < DEG, with
- DEG or fewer coefficients. The coefficients are stored from left to
- right, higher degree to lower, with the constant term last. The
- coefficients are represented as integers in the range [0,P-1]. Each
- coefficient is allocated an area of ceiling(log2 P) bits. The field
- representation is right-justified; the "constant term" of the field
- element ends at the right most bit. The coefficients are fitted
- adjacently without regard for octet boundaries. (Example: if P=5,
- three bits are used for each coefficient. If the field is GF[5^75],
- then 225 bits are required for the coefficients, and as many as 29
- octets may be needed in the data area. Fewer octets may be used if
- some high-order coefficients are 0.) If a flag requires a field
- element to be negated, each non-zero coefficient K is replaced with
- P-K. To save space, 0 bits may be removed from the left end of the
- element representation, and the length field reduced appropriately.
- This would normally only happen with A,B,C, because the designer
- chose curve parameters with some high-order 0 coefficients or bits.
-
- If the finite field is simply (mod P), then the field elements are
- simply numbers (mod P), in the usual right-justified notation. If
- the finite field is GF[2^D], the field elements are the usual right-
- justified polynomial basis representation.
-
-
-
-
-
-R. Schroeppel, et al [Page 8]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- LA,A is the first parameter of the elliptic curve equation.
- When P>=5, the flag A = 1 indicates A should be negated (mod
- P). When P=2 (indicated by the flag M=0), the flag A = 1
- indicates that the parameter pair LA,A is replaced by the two
- octet parameter ALTA. In this case, the parameter A in the
- curve equation is x^ALTA, where x is the field generator.
- Parameter A often has the value 0, which may be indicated by
- LA=0 (with no A data field), and sometimes A is 1, which may
- be represented with LA=1 and a data field of 1, or by setting
- the A flag and using an ALTA value of 0.
-
- LB,B is the second parameter of the elliptic curve equation.
- When P>=5, the flag B = 1 indicates B should be negated (mod
- P). When P=2 or 3, the flag B selects an alternate curve
- equation.
-
- LC,C is the third parameter of the elliptic curve equation,
- present only when P=2 (indicated by flag M=0) and flag B=1.
-
- LG,G defines a point on the curve, of order Q. The W-coordinate
- of the curve point is given explicitly; the Z-coordinate is
- implicit.
-
- LY,Y is the user's public signing key, another curve point of
- order Q. The W-coordinate is given explicitly; the Z-
- coordinate is implicit. The LY,Y parameter pair is always
- present.
-
-
-
-3. The Elliptic Curve Equation
-
- (The coordinates of an elliptic curve point are named W,Z instead of
- the more usual X,Y to avoid confusion with the Y parameter of the
- signing key.)
-
- The elliptic curve equation is determined by the flag octet, together
- with information about the prime P. The primes 2 and 3 are special;
- all other primes are treated identically.
-
- If M=1, the (mod P) or GF[P^D] case, the curve equation is Z^2 = W^3
- + A*W + B. Z,W,A,B are all numbers (mod P) or elements of GF[P^D].
- If A and/or B is negative (i.e., in the range from P/2 to P), and
- P>=5, space may be saved by putting the sign bit(s) in the A and B
- bits of the flags octet, and the magnitude(s) in the parameter
- fields.
-
- If M=1 and P=3, the B flag has a different meaning: it specifies an
- alternate curve equation, Z^2 = W^3 + A*W^2 + B. The middle term of
- the right-hand-side is different. When P=3, this equation is more
-
-
-R. Schroeppel, et al [Page 9]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- commonly used.
-
- If M=0, the GF[2^N] case, the curve equation is Z^2 + W*Z = W^3 +
- A*W^2 + B. Z,W,A,B are all elements of the field GF[2^N]. The A
- parameter can often be 0 or 1, or be chosen as a single-1-bit value.
- The flag B is used to select an alternate curve equation, Z^2 + C*Z =
- W^3 + A*W + B. This is the only time that the C parameter is used.
-
-
-
-4. How do I Compute Q, G, and Y?
-
- The number of points on the curve is the number of solutions to the
- curve equation, + 1 (for the "point at infinity"). The prime Q must
- divide the number of points. Usually the curve is chosen first, then
- the number of points is determined with Schoof's algorithm. This
- number is factored, and if it has a large prime divisor, that number
- is taken as Q.
-
- G must be a point of order Q on the curve, satisfying the equation
-
- Q * G = the point at infinity (on the elliptic curve)
-
- G may be chosen by selecting a random [RFC 1750] curve point, and
- multiplying it by (number-of-points-on-curve/Q). G must not itself
- be the "point at infinity"; in this astronomically unlikely event, a
- new random curve point is recalculated.
-
- G is specified by giving its W-coordinate. The Z-coordinate is
- calculated from the curve equation. In general, there will be two
- possible Z values. The rule is to choose the "positive" value.
-
- In the (mod P) case, the two possible Z values sum to P. The smaller
- value is less than P/2; it is used in subsequent calculations. In
- GF[P^D] fields, the highest-degree non-zero coefficient of the field
- element Z is used; it is chosen to be less than P/2.
-
- In the GF[2^N] case, the two possible Z values xor to W (or to the
- parameter C with the alternate curve equation). The numerically
- smaller Z value (the one which does not contain the highest-order 1
- bit of W (or C)) is used in subsequent calculations.
-
- Y is specified by giving the W-coordinate of the user's public
- signature key. The Z-coordinate value is determined from the curve
- equation. As with G, there are two possible Z values; the same rule
- is followed for choosing which Z to use.
-
-
-
-
-
-
-R. Schroeppel, et al [Page 10]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- During the key generation process, a random [RFC 1750] number X must
- be generated such that 1 <= X <= Q-1. X is the private key and is
- used in the final step of public key generation where Y is computed
- as
-
- Y = X * G (as points on the elliptic curve)
-
- If the Z-coordinate of the computed point Y is wrong (i.e., Z > P/2
- in the (mod P) case, or the high-order non-zero coefficient of Z >
- P/2 in the GF[P^D] case, or Z sharing a high bit with W(C) in the
- GF[2^N] case), then X must be replaced with Q-X. This will
- correspond to the correct Z-coordinate.
-
-
-
-5. Elliptic Curve SIG Resource Records
-
- The signature portion of an RR RDATA area when using the EC
- algorithm, for example in the RRSIG and SIG [RFC records] RRs is
- shown below.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | R, (length determined from LQ) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | S, (length determined from LQ) .../
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- R and S are integers (mod Q). Their length is specified by the LQ
- field of the corresponding KEY RR and can also be calculated from the
- SIG RR's RDLENGTH. They are right justified, high-order-octet first.
- The same conditional formula for calculating the length from LQ is
- used as for all the other length fields above.
-
- The data signed is determined as specified in [RFC 2535]. Then the
- following steps are taken where Q, P, G, and Y are as specified in
- the public key [Schneier]:
-
- hash = SHA-1 ( data )
-
- Generate random [RFC 4086] K such that 0 < K < Q. (Never sign two
- different messages with the same K. K should be chosen from a
- very large space: If an opponent learns a K value for a single
- signature, the user's signing key is compromised, and a forger
- can sign arbitrary messages. There is no harm in signing the
- same message multiple times with the same key or different
- keys.)
-
- R = (the W-coordinate of ( K*G on the elliptic curve )) interpreted
-
-
-R. Schroeppel, et al [Page 11]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- as an integer, and reduced (mod Q). (R must not be 0. In
- this astronomically unlikely event, generate a new random K
- and recalculate R.)
-
- S = ( K^(-1) * (hash + X*R) ) mod Q.
-
- S must not be 0. In this astronomically unlikely event, generate a
- new random K and recalculate R and S.
-
- If S > Q/2, set S = Q - S.
-
- The pair (R,S) is the signature.
-
- Another party verifies the signature as follows:
-
- Check that 0 < R < Q and 0 < S < Q/2. If not, it can not be a
- valid EC sigature.
-
- hash = SHA-1 ( data )
-
- Sinv = S^(-1) mod Q.
-
- U1 = (hash * Sinv) mod Q.
-
- U2 = (R * Sinv) mod Q.
-
- (U1 * G + U2 * Y) is computed on the elliptic curve.
-
- V = (the W-coordinate of this point) interpreted as an integer
- and reduced (mod Q).
-
- The signature is valid if V = R.
-
- The reason for requiring S < Q/2 is that, otherwise, both (R,S) and
- (R,Q-S) would be valid signatures for the same data. Note that a
- signature that is valid for hash(data) is also valid for
- hash(data)+Q or hash(data)-Q, if these happen to fall in the range
- [0,2^160-1]. It's believed to be computationally infeasible to
- find data that hashes to an assigned value, so this is only a
- cosmetic blemish. The blemish can be eliminated by using Q >
- 2^160, at the cost of having slightly longer signatures, 42 octets
- instead of 40.
-
- We must specify how a field-element E ("the W-coordinate") is to be
- interpreted as an integer. The field-element E is regarded as a
- radix-P integer, with the digits being the coefficients in the
- polynomial basis representation of E. The digits are in the ragne
- [0,P-1]. In the two most common cases, this reduces to "the
- obvious thing". In the (mod P) case, E is simply a residue mod P,
- and is taken as an integer in the range [0,P-1]. In the GF[2^D]
-
-
-R. Schroeppel, et al [Page 12]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- case, E is in the D-bit polynomial basis representation, and is
- simply taken as an integer in the range [0,(2^D)-1]. For other
- fields GF[P^D], it's necessary to do some radix conversion
- arithmetic.
-
-
-
- 6. Performance Considerations
-
- Elliptic curve signatures use smaller moduli or field sizes than
- RSA and DSA. Creation of a curve is slow, but not done very often.
- Key generation is faster than RSA or DSA.
-
- DNS implementations have been optimized for small transfers,
- typically less than 512 octets including DNS overhead. Larger
- transfers will perform correctly and and extensions have been
- standardized to make larger transfers more efficient [RFC 2671].
- However, it is still advisable at this time to make reasonable
- efforts to minimize the size of RR sets stored within the DNS
- consistent with adequate security.
-
-
-
- 7. Security Considerations
-
- Keys retrieved from the DNS should not be trusted unless (1) they
- have been securely obtained from a secure resolver or independently
- verified by the user and (2) this secure resolver and secure
- obtainment or independent verification conform to security policies
- acceptable to the user. As with all cryptographic algorithms,
- evaluating the necessary strength of the key is essential and
- dependent on local policy.
-
- Some specific key generation considerations are given in the body
- of this document.
-
-
-
- 8. IANA Considerations
-
- The key and signature data structures defined herein correspond to
- the value 4 in the Algorithm number field of the IANA registry
-
- Assignment of meaning to the remaining ECC data flag bits or to
- values of ECC fields outside the ranges for which meaning in
- defined in this document requires an IETF consensus as defined in
- [RFC 2434].
-
-
-
-
-
-R. Schroeppel, et al [Page 13]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- Copyright and Disclaimer
-
- Copyright (C) The Internet Society 2005. This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
- This document and the information contained herein are provided on
- an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
- THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
- ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
- PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al [Page 14]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- Informational References
-
- [RFC 1034] - P. Mockapetris, "Domain names - concepts and
- facilities", 11/01/1987.
-
- [RFC 1035] - P. Mockapetris, "Domain names - implementation and
- specification", 11/01/1987.
-
- [RFC 2671] - P. Vixie, "Extension Mechanisms for DNS (EDNS0)",
- August 1999.
-
- [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and
- S. Rose, "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [RFC 4035] - Arends, R., Austein, R., Larson, M., Massey, D., and
- S. Rose, "Protocol Modifications for the DNS Security Extensions",
- RFC 4035, March 2005.
-
- [RFC 4086] - Eastlake, D., 3rd, Schiller, J., and S. Crocker,
- "Randomness Requirements for Security", BCP 106, RFC 4086, June
- 2005.
-
- [Schneier] - Bruce Schneier, "Applied Cryptography: Protocols,
- Algorithms, and Source Code in C", 1996, John Wiley and Sons
-
- [Menezes] - Alfred Menezes, "Elliptic Curve Public Key
- Cryptosystems", 1993 Kluwer.
-
- [Silverman] - Joseph Silverman, "The Arithmetic of Elliptic
- Curves", 1986, Springer Graduate Texts in mathematics #106.
-
-
-
- Normative Refrences
-
- [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", March 1997.
-
- [RFC 2434] - T. Narten, H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", October 1998.
-
- [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and
- S. Rose, "Resource Records for the DNS Security Extensions", RFC
- 4034, March 2005.
-
-
-
-
-
-
-
-R. Schroeppel, et al [Page 15]
-
-
-INTERNET-DRAFT ECC Keys in the DNS
-
-
- Author's Addresses
-
- Rich Schroeppel
- 500 S. Maple Drive
- Woodland Hills, UT 84653 USA
-
- Telephone: +1-505-844-9079(w)
- Email: rschroe@sandia.gov
-
-
- Donald E. Eastlake 3rd
- Motorola Laboratories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1 508-786-7554 (w)
- EMail: Donald.Eastlake@motorola.com
-
-
-
- Expiration and File Name
-
- This draft expires in January 2006.
-
- Its file name is draft-ietf-dnsext-ecc-key-07.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-R. Schroeppel, et al [Page 16]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt
deleted file mode 100644
index 4cfd417804d3..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt
+++ /dev/null
@@ -1,639 +0,0 @@
-
-INTERNET-DRAFT Donald E. Eastlake 3rd
-Clarifies STD0013 Motorola Laboratories
-Expires December 2004 July 2004
-
-
-
- Domain Name System (DNS) Case Insensitivity Clarification
- ------ ---- ------ ----- ---- ------------- -------------
- <draft-ietf-dnsext-insensitive-04.txt>
-
- Donald E. Eastlake 3rd
-
-
-
-Status of This Document
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
- Distribution of this document is unlimited. Comments should be sent
- to the DNSEXT working group at namedroppers@ops.ietf.org.
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC 2026. Internet-Drafts are
- working documents of the Internet Engineering Task Force (IETF), its
- areas, and its working groups. Note that other groups may also
- distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-
- Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-
-Abstract
-
- Domain Name System (DNS) names are "case insensitive". This document
- explains exactly what that means and provides a clear specification
- of the rules. This clarification should not have any interoperability
- consequences.
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 1]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Acknowledgements
-
- The contributions to this document of Rob Austein, Olafur
- Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
- Andreas Gustafsson, Andrew Main, and Scott Seligman are gratefully
- acknowledged.
-
-
-
-Table of Contents
-
- Status of This Document....................................1
- Abstract...................................................1
-
- Acknowledgements...........................................2
- Table of Contents..........................................2
-
- 1. Introduction............................................3
- 2. Case Insensitivity of DNS Labels........................3
- 2.1 Escaping Unusual DNS Label Octets......................3
- 2.2 Example Labels with Escapes............................4
- 3. Name Lookup, Label Types, and CLASS.....................4
- 3.1 Original DNS Label Types...............................5
- 3.2 Extended Label Type Case Insensitivity Considerations..5
- 3.3 CLASS Case Insensitivity Considerations................5
- 4. Case on Input and Output................................6
- 4.1 DNS Output Case Preservation...........................6
- 4.2 DNS Input Case Preservation............................6
- 5. Internationalized Domain Names..........................7
- 6. Security Considerations.................................7
-
- Copyright and Disclaimer...................................9
- Normative References.......................................9
- Informative References....................................10
- -02 to -03 Changes........................................10
- -03 to -04 Changes........................................11
- Author's Address..........................................11
- Expiration and File Name..................................11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 2]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- other information. Each node in the DNS tree has a name consisting of
- zero or more labels [STD 13][RFC 1591, 2606] that are treated in a
- case insensitive fashion. This document clarifies the meaning of
- "case insensitive" for the DNS.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-
-
-2. Case Insensitivity of DNS Labels
-
- DNS was specified in the era of [ASCII]. DNS names were expected to
- look like most host names or Internet email address right halves (the
- part after the at-sign, "@") or be numeric as in the in-addr.arpa
- part of the DNS name space. For example,
-
- foo.example.net.
- aol.com.
- www.gnu.ai.mit.edu.
- or 69.2.0.192.in-addr.arpa.
-
- Case varied alternatives to the above would be DNS names like
-
- Foo.ExamplE.net.
- AOL.COM.
- WWW.gnu.AI.mit.EDU.
- or 69.2.0.192.in-ADDR.ARPA.
-
- However, the individual octets of which DNS names consist are not
- limited to valid ASCII character codes. They are 8-bit bytes and all
- values are allowed. Many applications, however, interpret them as
- ASCII characters.
-
-
-
-2.1 Escaping Unusual DNS Label Octets
-
- In Master Files [STD 13] and other human readable and writable ASCII
- contexts, an escape is needed for the byte value for period (0x2E,
- ".") and all octet values outside of the inclusive range of 0x21
- ("!") to 0x7E ("~"). That is to say, 0x2E and all octet values in
- the two inclusive ranges 0x00 to 0x20 and 0x7F to 0xFF.
-
- One typographic convention for octets that do not correspond to an
-
-
-D. Eastlake 3rd [Page 3]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- ASCII printing graphic is to use a back-slash followed by the value
- of the octet as an unsigned integer represented by exactly three
- decimal digits.
-
- The same convention can be used for printing ASCII characters so that
- they will be treated as a normal label character. This includes the
- back-slash character used in this convention itself which can be
- expressed as \092 or \\ and the special label separator period (".")
- which can be expressed as and \046 or \. respectively. It is
- advisable to avoid using a backslash to quote an immediately
- following non-printing ASCII character code to avoid implementation
- difficulties.
-
- A back-slash followed by only one or two decimal digits is undefined.
- A back-slash followed by four decimal digits produces two octets, the
- first octet having the value of the first three digits considered as
- a decimal number and the second octet being the character code for
- the fourth decimal digit.
-
-
-
-2.2 Example Labels with Escapes
-
- The first example below shows embedded spaces and a period (".")
- within a label. The second one show a 5 octet label where the second
- octet has all bits zero, the third is a backslash, and the fourth
- octet has all bits one.
-
- Donald\032E\.\032Eastlake\0323rd.example.
- and a\000\\\255z.example.
-
-
-
-3. Name Lookup, Label Types, and CLASS
-
- The design decision was made that comparisons on name lookup for DNS
- queries should be case insensitive [STD 13]. That is to say, a lookup
- string octet with a value in the inclusive range of 0x41 to 0x5A, the
- upper case ASCII letters, MUST match the identical value and also
- match the corresponding value in the inclusive range 0x61 to 0x7A,
- the lower case ASCII letters. And a lookup string octet with a lower
- case ASCII letter value MUST similarly match the identical value and
- also match the corresponding value in the upper case ASCII letter
- range.
-
- (Historical Note: the terms "upper case" and "lower case" were
- invented after movable type. The terms originally referred to the
- two font trays for storing, in partitioned areas, the different
- physical type elements. Before movable type, the nearest equivalent
- terms were "majuscule" and "minuscule".)
-
-
-D. Eastlake 3rd [Page 4]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- One way to implement this rule would be, when comparing octets, to
- subtract 0x20 from all octets in the inclusive range 0x61 to 0x7A
- before the comparison. Such an operation is commonly known as "case
- folding" but implementation via case folding is not required. Note
- that the DNS case insensitivity does NOT correspond to the case
- folding specified in iso-8859-1 or iso-8859-2. For example, the
- octets 0xDD (\221) and 0xFD (\253) do NOT match although in other
- contexts, where they are interpreted as the upper and lower case
- version of "Y" with an acute accent, they might.
-
-
-
-3.1 Original DNS Label Types
-
- DNS labels in wire encoded names have a type associated with them.
- The original DNS standard [RFC 1035] had only two types. ASCII
- labels, with a length of from zero to 63 octets, and indirect labels
- which consist of an offset pointer to a name location elsewhere in
- the wire encoding on a DNS message. (The ASCII label of length zero
- is reserved for use as the name of the root node of the name tree.)
- ASCII labels follow the ASCII case conventions described herein and,
- as stated above, can actually contain arbitrary byte values. Indirect
- labels are, in effect, replaced by the name to which they point which
- is then treated with the case insensitivity rules in this document.
-
-
-
-3.2 Extended Label Type Case Insensitivity Considerations
-
- DNS was extended by [RFC 2671] to have additional label type numbers
- available. (The only such type defined so far is the BINARY type [RFC
- 2673].)
-
- The ASCII case insensitivity conventions only apply to ASCII labels,
- that is to say, label type 0x0, whether appearing directly or invoked
- by indirect labels.
-
-
-
-3.3 CLASS Case Insensitivity Considerations
-
- As described in [STD 13] and [RFC 2929], DNS has an additional axis
- for data location called CLASS. The only CLASS in global use at this
- time is the "IN" or Internet CLASS.
-
- The handling of DNS label case is not CLASS dependent.
-
-
-
-
-
-
-D. Eastlake 3rd [Page 5]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-4. Case on Input and Output
-
- While ASCII label comparisons are case insensitive, [STD 13] says
- case MUST be preserved on output, and preserved when convenient on
- input. However, this means less than it would appear since the
- preservation of case on output is NOT required when output is
- optimized by the use of indirect labels, as explained below.
-
-
-
-4.1 DNS Output Case Preservation
-
- [STD 13] views the DNS namespace as a node tree. ASCII output is as
- if a name was marshaled by taking the label on the node whose name is
- to be output, converting it to a typographically encoded ASCII
- string, walking up the tree outputting each label encountered, and
- preceding all labels but the first with a period ("."). Wire output
- follows the same sequence but each label is wire encoded and no
- periods inserted. No "case conversion" or "case folding" is done
- during such output operations, thus "preserving" case. However, to
- optimize output, indirect labels may be used to point to names
- elsewhere in the DNS answer. In determining whether the name to be
- pointed to, for example the QNAME, is the "same" as the remainder of
- the name being optimized, the case insensitive comparison specified
- above is done. Thus such optimization MAY easily destroy the output
- preservation of case. This type of optimization is commonly called
- "name compression".
-
-
-
-4.2 DNS Input Case Preservation
-
- Originally, DNS input came from an ASCII Master File as defined in
- [STD 13] or a zone transfer. DNS Dynamic update and incremental zone
- transfers [RFC 1995] have been added as a source of DNS data [RFC
- 2136, 3007]. When a node in the DNS name tree is created by any of
- such inputs, no case conversion is done. Thus the case of ASCII
- labels is preserved if they are for nodes being created. However,
- when a name label is input for a node that already exist in DNS data
- being held, the situation is more complex. Implementations may retain
- the case first input for such a label or allow new input to override
- the old case or even maintain separate copies preserving the input
- case.
-
- For example, if data with owner name "foo.bar.example" is input and
- then later data with owner name "xyz.BAR.example" is input, the name
- of the label on the "bar.example" node, i.e. "bar", might or might
- not be changed to "BAR" or the actual input case could be preserved.
- Thus later retrieval of data stored under "xyz.bar.example" in this
- case can easily return data with "xyz.BAR.example". The same
-
-
-D. Eastlake 3rd [Page 6]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- considerations apply when inputting multiple data records with owner
- names differing only in case. For example, if an "A" record is stored
- as the first resourced record under owner name "xyz.BAR.example" and
- then a second "A" record is stored under "XYZ.BAR.example", the
- second MAY be stored with the first (lower case initial label) name
- or the second MAY override the first so that only an upper case
- initial label is retained or both capitalizations MAY be kept.
-
- Note that the order of insertion into a server database of the DNS
- name tree nodes that appear in a Master File is not defined so that
- the results of inconsistent capitalization in a Master File are
- unpredictable output capitalization.
-
-
-
-5. Internationalized Domain Names
-
- A scheme has been adopted for "internationalized domain names" and
- "internationalized labels" as described in [RFC 3490, 3454, 3491, and
- 3492]. It makes most of [UNICODE] available through a separate
- application level transformation from internationalized domain name
- to DNS domain name and from DNS domain name to internationalized
- domain name. Any case insensitivity that internationalized domain
- names and labels have varies depending on the script and is handled
- entirely as part of the transformation described in [RFC 3454] and
- [RFC 3491] which should be seen for further details. This is not a
- part of the DNS as standardized in STD 13.
-
-
-
-6. Security Considerations
-
- The equivalence of certain DNS label types with case differences, as
- clarified in this document, can lead to security problems. For
- example, a user could be confused by believing two domain names
- differing only in case were actually different names.
-
- Furthermore, a domain name may be used in contexts other than the
- DNS. It could be used as a case sensitive index into some data base
- system. Or it could be interpreted as binary data by some integrity
- or authentication code system. These problems can usually be handled
- by using a standardized or "canonical" form of the DNS ASCII type
- labels, that is, always mapping the ASCII letter value octets in
- ASCII labels to some specific pre-chosen case, either upper case or
- lower case. An example of a canonical form for domain names (and also
- a canonical ordering for them) appears in Section 8 of [RFC 2535].
- See also [RFC 3597].
-
- Finally, a non-DNS name may be stored into DNS with the false
- expectation that case will always be preserved. For example, although
-
-
-D. Eastlake 3rd [Page 7]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- this would be quite rare, on a system with case sensitive email
- address local parts, an attempt to store two "RP" records that
- differed only in case would probably produce unexpected results that
- might have security implications. That is because the entire email
- address, including the possibly case sensitive local or left hand
- part, is encoded into a DNS name in a readable fashion where the case
- of some letters might be changed on output as described above.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 8]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Copyright and Disclaimer
-
- Copyright (C) The Internet Society 2004. This document is subject to
- the rights, licenses and restrictions contained in BCP 78, and except
- as set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Normative References
-
- [ASCII] - ANSI, "USA Standard Code for Information Interchange",
- X3.4, American National Standards Institute: New York, 1968.
-
- [RFC 1034, 1035] - See [STD 13].
-
- [RFC 1995] - M. Ohta, "Incremental Zone Transfer in DNS", August
- 1996.
-
- [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", March 1997.
-
- [RFC 2136] - P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)", April 1997.
-
- [RFC 2535] - D. Eastlake, "Domain Name System Security Extensions",
- March 1999.
-
- [RFC 3007] - B. Wellington, "Secure Domain Name System (DNS) Dynamic
- Update", November 2000.
-
- [RFC 3597] - Andreas Gustafsson, "Handling of Unknown DNS RR Types",
- draft-ietf-dnsext-unknown-rrs-05.txt, March 2003.
-
- [STD 13]
- - P. Mockapetris, "Domain names - concepts and facilities", RFC
- 1034, November 1987.
- - P. Mockapetris, "Domain names - implementation and
- specification", RFC 1035, November 1987.
-
-
-
-
-
-
-D. Eastlake 3rd [Page 9]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Informative References
-
- [RFC 1591] - J. Postel, "Domain Name System Structure and
- Delegation", March 1994.
-
- [RFC 2606] - D. Eastlake, A. Panitz, "Reserved Top Level DNS Names",
- June 1999.
-
- [RFC 2929] - D. Eastlake, E. Brunner-Williams, B. Manning, "Domain
- Name System (DNS) IANA Considerations", September 2000.
-
- [RFC 2671] - P. Vixie, "Extension mechanisms for DNS (EDNS0)", August
- 1999.
-
- [RFC 2673] - M. Crawford, "Binary Labels in the Domain Name System",
- August 1999.
-
- [RFC 3092] - D. Eastlake 3rd, C. Manros, E. Raymond, "Etymology of
- Foo", 1 April 2001.
-
- [RFC 3454] - P. Hoffman, M. Blanchet, "Preparation of
- Internationalized String ("stringprep")", December 2002.
-
- [RFC 3490] - P. Faltstrom, P. Hoffman, A. Costello,
- "Internationalizing Domain Names in Applications (IDNA)", March 2003.
-
- [RFC 3491] - P. Hoffman, M. Blanchet, "Nameprep: A Stringprep Profile
- for Internationalized Domain Names (IDN)", March 2003.
-
- [RFC 3492] - A. Costello, "Punycode: A Bootstring encoding of Unicode
- for Internationalized Domain Names in Applications (IDNA)", March
- 2003.
-
- [UNICODE] - The Unicode Consortium, "The Unicode Standard",
- <http://www.unicode.org/unicode/standard/standard.html>.
-
-
-
--02 to -03 Changes
-
- The following changes were made between draft version -02 and -03:
-
- 1. Add internationalized domain name section and references.
-
- 2. Change to indicate that later input of a label for an existing DNS
- name tree node may or may not be normalized to the earlier input or
- override it or both may be preserved.
-
- 3. Numerous minor wording changes.
-
-
-
-D. Eastlake 3rd [Page 10]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
--03 to -04 Changes
-
- The following changes were made between draft version -03 and -04:
-
- 1. Change to conform to the new IPR, Copyright, etc., notice
- requirements.
-
- 2. Change in some section headers for clarity.
-
- 3. Drop section on wildcards.
-
- 4. Add emphasis on loss of case preservation due to name compression.
-
- 5. Add references to RFCs 1995 and 3092.
-
-
-
-Author's Address
-
- Donald E. Eastlake 3rd
- Motorola Laboratories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1 508-786-7554 (w)
- +1 508-634-2066 (h)
- EMail: Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
- This draft expires December 2004.
-
- Its file name is draft-ietf-dnsext-insensitive-04.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 11]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-06.txt
deleted file mode 100644
index 1c4c3f635e37..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-06.txt
+++ /dev/null
@@ -1,754 +0,0 @@
-
-INTERNET-DRAFT Donald E. Eastlake 3rd
-Updates RFC 1034, 1035 Motorola Laboratories
-Expires January 2006 July 2005
-
-
-
- Domain Name System (DNS) Case Insensitivity Clarification
- ------ ---- ------ ----- ---- ------------- -------------
- <draft-ietf-dnsext-insensitive-06.txt>
-
- Donald E. Eastlake 3rd
-
-
-
-Status of This Document
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Distribution of this document is unlimited. Comments should be sent
- to the DNSEXT working group at namedroppers@ops.ietf.org.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005). All Rights Reserved.
-
-
-
-Abstract
-
- Domain Name System (DNS) names are "case insensitive". This document
- explains exactly what that means and provides a clear specification
- of the rules. This clarification updates RFCs 1034 and 1035.
-
-
-D. Eastlake 3rd [Page 1]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Acknowledgements
-
- The contributions to this document of Rob Austein, Olafur
- Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
- Andreas Gustafsson, Andrew Main, Thomas Narten, and Scott Seligman
- are gratefully acknowledged.
-
-
-
-Table of Contents
-
- Status of This Document....................................1
- Copyright Notice...........................................1
- Abstract...................................................1
-
- Acknowledgements...........................................2
- Table of Contents..........................................2
-
- 1. Introduction............................................3
- 2. Case Insensitivity of DNS Labels........................3
- 2.1 Escaping Unusual DNS Label Octets......................3
- 2.2 Example Labels with Escapes............................4
- 3. Name Lookup, Label Types, and CLASS.....................4
- 3.1 Original DNS Label Types...............................5
- 3.2 Extended Label Type Case Insensitivity Considerations..5
- 3.3 CLASS Case Insensitivity Considerations................5
- 4. Case on Input and Output................................6
- 4.1 DNS Output Case Preservation...........................6
- 4.2 DNS Input Case Preservation............................6
- 5. Internationalized Domain Names..........................7
- 6. Security Considerations.................................8
-
- Copyright and Disclaimer...................................9
- Normative References.......................................9
- Informative References....................................10
-
- Changes Between Draft Version.............................11
- -02 to -03 Changes........................................11
- -03 to -04 Changes........................................11
- -04 to -05 Changes........................................11
- -05 to -06 Changes........................................12
-
- Author's Address..........................................13
- Expiration and File Name..................................13
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 2]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- other information. Each node in the DNS tree has a name consisting of
- zero or more labels [STD 13][RFC 1591, 2606] that are treated in a
- case insensitive fashion. This document clarifies the meaning of
- "case insensitive" for the DNS. This clarification updates RFCs 1034
- and 1035 [STD 13].
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-
-
-2. Case Insensitivity of DNS Labels
-
- DNS was specified in the era of [ASCII]. DNS names were expected to
- look like most host names or Internet email address right halves (the
- part after the at-sign, "@") or be numeric as in the in-addr.arpa
- part of the DNS name space. For example,
-
- foo.example.net.
- aol.com.
- www.gnu.ai.mit.edu.
- or 69.2.0.192.in-addr.arpa.
-
- Case varied alternatives to the above would be DNS names like
-
- Foo.ExamplE.net.
- AOL.COM.
- WWW.gnu.AI.mit.EDU.
- or 69.2.0.192.in-ADDR.ARPA.
-
- However, the individual octets of which DNS names consist are not
- limited to valid ASCII character codes. They are 8-bit bytes and all
- values are allowed. Many applications, however, interpret them as
- ASCII characters.
-
-
-
-2.1 Escaping Unusual DNS Label Octets
-
- In Master Files [STD 13] and other human readable and writable ASCII
- contexts, an escape is needed for the byte value for period (0x2E,
- ".") and all octet values outside of the inclusive range of 0x21
- ("!") to 0x7E ("~"). That is to say, 0x2E and all octet values in
- the two inclusive ranges 0x00 to 0x20 and 0x7F to 0xFF.
-
-
-
-D. Eastlake 3rd [Page 3]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- One typographic convention for octets that do not correspond to an
- ASCII printing graphic is to use a back-slash followed by the value
- of the octet as an unsigned integer represented by exactly three
- decimal digits.
-
- The same convention can be used for printing ASCII characters so that
- they will be treated as a normal label character. This includes the
- back-slash character used in this convention itself which can be
- expressed as \092 or \\ and the special label separator period (".")
- which can be expressed as and \046 or \. respectively. It is
- advisable to avoid using a backslash to quote an immediately
- following non-printing ASCII character code to avoid implementation
- difficulties.
-
- A back-slash followed by only one or two decimal digits is undefined.
- A back-slash followed by four decimal digits produces two octets, the
- first octet having the value of the first three digits considered as
- a decimal number and the second octet being the character code for
- the fourth decimal digit.
-
-
-
-2.2 Example Labels with Escapes
-
- The first example below shows embedded spaces and a period (".")
- within a label. The second one show a 5-octet label where the second
- octet has all bits zero, the third is a backslash, and the fourth
- octet has all bits one.
-
- Donald\032E\.\032Eastlake\0323rd.example.
- and a\000\\\255z.example.
-
-
-
-3. Name Lookup, Label Types, and CLASS
-
- The original DNS design decision was made that comparisons on name
- lookup for DNS queries should be case insensitive [STD 13]. That is
- to say, a lookup string octet with a value in the inclusive range of
- 0x41 to 0x5A, the upper case ASCII letters, MUST match the identical
- value and also match the corresponding value in the inclusive range
- 0x61 to 0x7A, the lower case ASCII letters. And a lookup string octet
- with a lower case ASCII letter value MUST similarly match the
- identical value and also match the corresponding value in the upper
- case ASCII letter range.
-
- (Historical Note: the terms "upper case" and "lower case" were
- invented after movable type. The terms originally referred to the
- two font trays for storing, in partitioned areas, the different
- physical type elements. Before movable type, the nearest equivalent
-
-
-D. Eastlake 3rd [Page 4]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- terms were "majuscule" and "minuscule".)
-
- One way to implement this rule would be, when comparing octets, to
- subtract 0x20 from all octets in the inclusive range 0x61 to 0x7A
- before the comparison. Such an operation is commonly known as "case
- folding" but implementation via case folding is not required. Note
- that the DNS case insensitivity does NOT correspond to the case
- folding specified in [iso-8859-1] or [iso-8859-2]. For example, the
- octets 0xDD (\221) and 0xFD (\253) do NOT match although in other
- contexts, where they are interpreted as the upper and lower case
- version of "Y" with an acute accent, they might.
-
-
-
-3.1 Original DNS Label Types
-
- DNS labels in wire-encoded names have a type associated with them.
- The original DNS standard [RFC 1035] had only two types. ASCII
- labels, with a length of from zero to 63 octets, and indirect (or
- compression) labels which consist of an offset pointer to a name
- location elsewhere in the wire encoding on a DNS message. (The ASCII
- label of length zero is reserved for use as the name of the root node
- of the name tree.) ASCII labels follow the ASCII case conventions
- described herein and, as stated above, can actually contain arbitrary
- byte values. Indirect labels are, in effect, replaced by the name to
- which they point which is then treated with the case insensitivity
- rules in this document.
-
-
-
-3.2 Extended Label Type Case Insensitivity Considerations
-
- DNS was extended by [RFC 2671] to have additional label type numbers
- available. (The only such type defined so far is the BINARY type [RFC
- 2673] which is now Experimental [RFC 3363].)
-
- The ASCII case insensitivity conventions only apply to ASCII labels,
- that is to say, label type 0x0, whether appearing directly or invoked
- by indirect labels.
-
-
-
-3.3 CLASS Case Insensitivity Considerations
-
- As described in [STD 13] and [RFC 2929], DNS has an additional axis
- for data location called CLASS. The only CLASS in global use at this
- time is the "IN" or Internet CLASS.
-
- The handling of DNS label case is not CLASS dependent. With the
- original design of DNS, it was intended that a recursive DNS resolver
-
-
-D. Eastlake 3rd [Page 5]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- be able to handle new CLASSes that were unknown at the time of its
- implementation. This requires uniform handling of label case
- insensitivity. Should it become desireable, for example, to allocate
- a CLASS with "case sensitive ASCII labels" for example, it would be
- necessary to allocate a new label type for these labels.
-
-
-
-4. Case on Input and Output
-
- While ASCII label comparisons are case insensitive, [STD 13] says
- case MUST be preserved on output, and preserved when convenient on
- input. However, this means less than it would appear since the
- preservation of case on output is NOT required when output is
- optimized by the use of indirect labels, as explained below.
-
-
-
-4.1 DNS Output Case Preservation
-
- [STD 13] views the DNS namespace as a node tree. ASCII output is as
- if a name was marshaled by taking the label on the node whose name is
- to be output, converting it to a typographically encoded ASCII
- string, walking up the tree outputting each label encountered, and
- preceding all labels but the first with a period ("."). Wire output
- follows the same sequence but each label is wire encoded and no
- periods inserted. No "case conversion" or "case folding" is done
- during such output operations, thus "preserving" case. However, to
- optimize output, indirect labels may be used to point to names
- elsewhere in the DNS answer. In determining whether the name to be
- pointed to, for example the QNAME, is the "same" as the remainder of
- the name being optimized, the case insensitive comparison specified
- above is done. Thus such optimization may easily destroy the output
- preservation of case. This type of optimization is commonly called
- "name compression".
-
-
-
-4.2 DNS Input Case Preservation
-
- Originally, DNS data came from an ASCII Master File as defined in
- [STD 13] or a zone transfer. DNS Dynamic update and incremental zone
- transfers [RFC 1995] have been added as a source of DNS data [RFC
- 2136, 3007]. When a node in the DNS name tree is created by any of
- such inputs, no case conversion is done. Thus the case of ASCII
- labels is preserved if they are for nodes being created. However,
- when a name label is input for a node that already exist in DNS data
- being held, the situation is more complex. Implementations are free
- to retain the case first loaded for such a label or allow new input
- to override the old case or even maintain separate copies preserving
-
-
-D. Eastlake 3rd [Page 6]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
- the input case.
-
- For example, if data with owner name "foo.bar.example" is loaded and
- then later data with owner name "xyz.BAR.example" is input, the name
- of the label on the "bar.example" node, i.e. "bar", might or might
- not be changed to "BAR" in the DNS stored data or the actual input
- case could be preserved. Thus later retrieval of data stored under
- "xyz.bar.example" in this case can return all data with
- "xyz.BAR.example" or all data with "xyz.bar.example" or even, when
- more than one RR is being returned, a mixture of these two cases.
- This last case is unlikely because optimization of answer length
- through indirect labels tends to cause only copy of the name tail
- ("bar.example" or "BAR.example") to be used for all returned RRs.
- Note that none of this has any effect on the number of completeness
- of the RR set returned, only on the case of the names in the RR set
- returned.
-
- The same considerations apply when inputting multiple data records
- with owner names differing only in case. For example, if an "A"
- record is the first resourced record stored under owner name
- "xyz.BAR.example" and then a second "A" record is stored under
- "XYZ.BAR.example", the second MAY be stored with the first (lower
- case initial label) name or the second MAY override the first so that
- only an upper case initial label is retained or both capitalizations
- MAY be kept in the DNS stored data. In any case, a retrieval with
- either capitalization will retrieve all RRs with either
- capitalization.
-
- Note that the order of insertion into a server database of the DNS
- name tree nodes that appear in a Master File is not defined so that
- the results of inconsistent capitalization in a Master File are
- unpredictable output capitalization.
-
-
-
-5. Internationalized Domain Names
-
- A scheme has been adopted for "internationalized domain names" and
- "internationalized labels" as described in [RFC 3490, 3454, 3491, and
- 3492]. It makes most of [UNICODE] available through a separate
- application level transformation from internationalized domain name
- to DNS domain name and from DNS domain name to internationalized
- domain name. Any case insensitivity that internationalized domain
- names and labels have varies depending on the script and is handled
- entirely as part of the transformation described in [RFC 3454] and
- [RFC 3491] which should be seen for further details. This is not a
- part of the DNS as standardized in STD 13.
-
-
-
-
-
-D. Eastlake 3rd [Page 7]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-6. Security Considerations
-
- The equivalence of certain DNS label types with case differences, as
- clarified in this document, can lead to security problems. For
- example, a user could be confused by believing two domain names
- differing only in case were actually different names.
-
- Furthermore, a domain name may be used in contexts other than the
- DNS. It could be used as a case sensitive index into some data base
- or file system. Or it could be interpreted as binary data by some
- integrity or authentication code system. These problems can usually
- be handled by using a standardized or "canonical" form of the DNS
- ASCII type labels, that is, always mapping the ASCII letter value
- octets in ASCII labels to some specific pre-chosen case, either upper
- case or lower case. An example of a canonical form for domain names
- (and also a canonical ordering for them) appears in Section 6 of [RFC
- 4034]. See also [RFC 3597].
-
- Finally, a non-DNS name may be stored into DNS with the false
- expectation that case will always be preserved. For example, although
- this would be quite rare, on a system with case sensitive email
- address local parts, an attempt to store two "RP" records that
- differed only in case would probably produce unexpected results that
- might have security implications. That is because the entire email
- address, including the possibly case sensitive local or left hand
- part, is encoded into a DNS name in a readable fashion where the case
- of some letters might be changed on output as described above.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 8]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Copyright and Disclaimer
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Normative References
-
- [ASCII] - ANSI, "USA Standard Code for Information Interchange",
- X3.4, American National Standards Institute: New York, 1968.
-
- [RFC 1034, 1035] - See [STD 13].
-
- [RFC 1995] - M. Ohta, "Incremental Zone Transfer in DNS", August
- 1996.
-
- [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", March 1997.
-
- [RFC 2136] - P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)", April 1997.
-
- [RFC 3007] - B. Wellington, "Secure Domain Name System (DNS) Dynamic
- Update", November 2000.
-
- [RFC 3597] - Andreas Gustafsson, "Handling of Unknown DNS RR Types",
- draft-ietf-dnsext-unknown-rrs-05.txt, March 2003.
-
- [RFC 4034} - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
- [STD 13]
- - P. Mockapetris, "Domain names - concepts and facilities", RFC
- 1034, November 1987.
- - P. Mockapetris, "Domain names - implementation and
- specification", RFC 1035, November 1987.
-
-
-
-
-D. Eastlake 3rd [Page 9]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Informative References
-
- [ISO 8859-1] - International Standards Organization, Standard for
- Character Encodings, Latin-1.
-
- [ISO 8859-2] - International Standards Organization, Standard for
- Character Encodings, Latin-2.
-
- [RFC 1591] - J. Postel, "Domain Name System Structure and
- Delegation", March 1994.
-
- [RFC 2606] - D. Eastlake, A. Panitz, "Reserved Top Level DNS Names",
- June 1999.
-
- [RFC 2929] - D. Eastlake, E. Brunner-Williams, B. Manning, "Domain
- Name System (DNS) IANA Considerations", September 2000.
-
- [RFC 2671] - P. Vixie, "Extension mechanisms for DNS (EDNS0)", August
- 1999.
-
- [RFC 2673] - M. Crawford, "Binary Labels in the Domain Name System",
- August 1999.
-
- [RFC 3092] - D. Eastlake 3rd, C. Manros, E. Raymond, "Etymology of
- Foo", 1 April 2001.
-
- [RFC 3363] - Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
- Hain, "Representing Internet Protocol version 6 (IPv6) Addresses in
- the Domain Name System (DNS)", RFC 3363, August 2002.
-
- [RFC 3454] - P. Hoffman, M. Blanchet, "Preparation of
- Internationalized String ("stringprep")", December 2002.
-
- [RFC 3490] - P. Faltstrom, P. Hoffman, A. Costello,
- "Internationalizing Domain Names in Applications (IDNA)", March 2003.
-
- [RFC 3491] - P. Hoffman, M. Blanchet, "Nameprep: A Stringprep Profile
- for Internationalized Domain Names (IDN)", March 2003.
-
- [RFC 3492] - A. Costello, "Punycode: A Bootstring encoding of Unicode
- for Internationalized Domain Names in Applications (IDNA)", March
- 2003.
-
- [UNICODE] - The Unicode Consortium, "The Unicode Standard",
- <http://www.unicode.org/unicode/standard/standard.html>.
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 10]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Changes Between Draft Version
-
- RFC Editor: The following summaries of changes between draft versions
- are to be removed before publication.
-
-
-
--02 to -03 Changes
-
- The following changes were made between draft version -02 and -03:
-
- 1. Add internationalized domain name section and references.
-
- 2. Change to indicate that later input of a label for an existing DNS
- name tree node may or may not be normalized to the earlier input or
- override it or both may be preserved.
-
- 3. Numerous minor wording changes.
-
-
-
--03 to -04 Changes
-
- The following changes were made between draft versions -03 and -04:
-
- 1. Change to conform to the new IPR, Copyright, etc., notice
- requirements.
-
- 2. Change in some section headers for clarity.
-
- 3. Drop section on wildcards.
-
- 4. Add emphasis on loss of case preservation due to name compression.
-
- 5. Add references to RFCs 1995 and 3092.
-
-
-
--04 to -05 Changes
-
- The following changes were made between draft versions -04 and -05:
-
- 1. More clearly state that this draft updates RFCs 1034, 1035 [STD
- 13].
-
- 2. Add informative references to ISO 8859-1 and ISO 8859-2.
-
- 3. Fix hyphenation and capitalization nits.
-
-
-
-
-D. Eastlake 3rd [Page 11]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
--05 to -06 Changes
-
- The following changes were made between draft version -05 and -06.
-
- 1. Add notation to the RFC Editor that the draft version change
- summaries are to be removed before RFC publication.
-
- 2. Additional text explaining why labe case insensitivity is CLASS
- independent.
-
- 3. Changes and additional text clarifying that the fact that
- inconsistent case in data loaded into DNS may result in
- unpredicatable or inconsistent case in DNS storage but has no effect
- on the completeness of RR sets retrieved.
-
- 4. Add reference to [RFC 3363] and update reference to [RFC 2535] to
- be to [RFC 4034].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 12]
-
-
-INTERNET-DRAFT DNS Case Insensitivity
-
-
-Author's Address
-
- Donald E. Eastlake 3rd
- Motorola Laboratories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1 508-786-7554 (w)
-
- EMail: Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
- This draft expires January 2006.
-
- Its file name is draft-ietf-dnsext-insensitive-06.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 13]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt
deleted file mode 100644
index 123d3cc09611..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt
+++ /dev/null
@@ -1,335 +0,0 @@
-
-DNS Extensions Working Group J. Schlyter
-Internet-Draft August 24, 2004
-Expires: February 22, 2005
-
-
- RFC 3597 Interoperability Report
- draft-ietf-dnsext-interop3597-01.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3667.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on February 22, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This memo documents the result from the RFC 3597 (Handling of Unknown
- DNS Resource Record Types) interoperability testing.
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter Expires February 22, 2005 [Page 1]
-
-Internet-Draft RFC 3597 Interoperability Report August 2004
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Implementations . . . . . . . . . . . . . . . . . . . . . . . 3
- 3. Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3.1 Authoritative Primary Name Server . . . . . . . . . . . . . . 3
- 3.2 Authoritative Secondary Name Server . . . . . . . . . . . . . 3
- 3.3 Full Recursive Resolver . . . . . . . . . . . . . . . . . . . 3
- 3.4 Stub Resolver . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3.5 DNSSEC Signer . . . . . . . . . . . . . . . . . . . . . . . . 4
- 4. Problems found . . . . . . . . . . . . . . . . . . . . . . . . 4
- 5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
- Normative References . . . . . . . . . . . . . . . . . . . . . 4
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . 4
- A. Test zone data . . . . . . . . . . . . . . . . . . . . . . . . 5
- Intellectual Property and Copyright Statements . . . . . . . . 6
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter Expires February 22, 2005 [Page 2]
-
-Internet-Draft RFC 3597 Interoperability Report August 2004
-
-
-1. Introduction
-
- This memo documents the result from the RFC 3597 (Handling of Unknown
- DNS Resource Record Types) interoperability testing. The test was
- performed during June and July 2004 by request of the IETF DNS
- Extensions Working Group.
-
-2. Implementations
-
- The following is a list, in alphabetic order, of implementations for
- compliance of RFC 3597:
-
- DNSJava 1.6.4
- ISC BIND 8.4.5rc4
- ISC BIND 9.3.0rc2
- NSD 2.1.1
- Net::DNS 0.47 patchlevel 1
- Nominum ANS 2.2.1.0.d
-
- These implementations covers the following functions (number of
- implementations tested for each function in paranthesis):
-
- Authoritative Name Servers (4)
- Full Recursive Resolver (2)
- Stub Resolver (4)
- DNSSEC Zone Signers (2)
-
-3. Tests
-
-3.1 Authoritative Primary Name Server
-
- The test zone data (Appendix A) was loaded into the name server
- implementation and the server was queried for the loaded information.
-
-3.2 Authoritative Secondary Name Server
-
- The test zone data (Appendix A) was transferred using AXFR from
- another name server implementation and the server was queried for the
- transferred information.
-
-3.3 Full Recursive Resolver
-
- A recursive resolver was queried for resource records from a domain
- with the test zone data (Appendix A).
-
-3.4 Stub Resolver
-
- A stub resolver was used to query resource records from a domain with
-
-
-
-Schlyter Expires February 22, 2005 [Page 3]
-
-Internet-Draft RFC 3597 Interoperability Report August 2004
-
-
- the test zone data (Appendix A).
-
-3.5 DNSSEC Signer
-
- A DNSSEC signer was used to sign a zone with test zone data (Appendix
- A).
-
-4. Problems found
-
- Two implementations had problems with text presentation of zero
- length RDATA.
-
- One implementation had problems with text presentation of RR type
- code and classes >= 4096.
-
- Bug reports were filed for problems found.
-
-5. Summary
-
- Unknown type codes works in the tested authoritative servers,
- recursive resolvers and stub clients.
-
- No changes are needed to advance RFC 3597 to draft standard.
-
-Normative References
-
- [1] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
- Types", RFC 3597, September 2003.
-
-
-Author's Address
-
- Jakob Schlyter
-
- EMail: jakob@rfc.se
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter Expires February 22, 2005 [Page 4]
-
-Internet-Draft RFC 3597 Interoperability Report August 2004
-
-
-Appendix A. Test zone data
-
- ; A-record encoded as TYPE1
- a TYPE1 \# 4 7f000001
- a TYPE1 192.0.2.1
- a A \# 4 7f000002
-
- ; draft-ietf-secsh-dns-05.txt
- sshfp TYPE44 \# 22 01 01 c691e90714a1629d167de8e5ee0021f12a7eaa1e
-
- ; bogus test record (from RFC 3597)
- type731 TYPE731 \# 6 abcd (
- ef 01 23 45 )
-
- ; zero length RDATA (from RFC 3597)
- type62347 TYPE62347 \# 0
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter Expires February 22, 2005 [Page 5]
-
-Internet-Draft RFC 3597 Interoperability Report August 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the IETF's procedures with respect to rights in IETF Documents can
- be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Schlyter Expires February 22, 2005 [Page 6]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-02.txt
deleted file mode 100644
index 160afc356a07..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-02.txt
+++ /dev/null
@@ -1,334 +0,0 @@
-DNS Extensions Working Group J. Schlyter
-Internet-Draft May 19, 2005
-Expires: November 20, 2005
-
-
- RFC 3597 Interoperability Report
- draft-ietf-dnsext-interop3597-02.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on November 20, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This memo documents the result from the RFC 3597 (Handling of Unknown
- DNS Resource Record Types) interoperability testing.
-
-
-
-
-
-
-
-
-
-
-Schlyter Expires November 20, 2005 [Page 1]
-
-Internet-Draft RFC 3597 Interoperability Report May 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Implementations . . . . . . . . . . . . . . . . . . . . . . . 3
- 3. Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3.1 Authoritative Primary Name Server . . . . . . . . . . . . 3
- 3.2 Authoritative Secondary Name Server . . . . . . . . . . . 3
- 3.3 Full Recursive Resolver . . . . . . . . . . . . . . . . . 4
- 3.4 Stub Resolver . . . . . . . . . . . . . . . . . . . . . . 4
- 3.5 DNSSEC Signer . . . . . . . . . . . . . . . . . . . . . . 4
- 4. Problems found . . . . . . . . . . . . . . . . . . . . . . . . 4
- 5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 6. Normative References . . . . . . . . . . . . . . . . . . . . . 4
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . 4
- A. Test zone data . . . . . . . . . . . . . . . . . . . . . . . . 5
- Intellectual Property and Copyright Statements . . . . . . . . 6
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter Expires November 20, 2005 [Page 2]
-
-Internet-Draft RFC 3597 Interoperability Report May 2005
-
-
-1. Introduction
-
- This memo documents the result from the RFC 3597 (Handling of Unknown
- DNS Resource Record Types) interoperability testing. The test was
- performed during June and July 2004 by request of the IETF DNS
- Extensions Working Group.
-
-2. Implementations
-
- The following is a list, in alphabetic order, of implementations
- tested for compliance with RFC 3597:
-
- DNSJava 1.6.4
- ISC BIND 8.4.5
- ISC BIND 9.3.0
- NSD 2.1.1
- Net::DNS 0.47 patchlevel 1
- Nominum ANS 2.2.1.0.d
-
- These implementations covers the following functions (number of
- implementations tested for each function in paranthesis):
-
- Authoritative Name Servers (4)
- Full Recursive Resolver (2)
- Stub Resolver (4)
- DNSSEC Zone Signers (2)
-
- All listed implementations are genetically different.
-
-3. Tests
-
- The following tests was been performed to validate compliance with
- RFC 3597 section 3 ("Transparency"), 4 ("Domain Name Compression")
- and 5 ("Text Representation").
-
-3.1 Authoritative Primary Name Server
-
- The test zone data (Appendix A) was loaded into the name server
- implementation and the server was queried for the loaded information.
-
-3.2 Authoritative Secondary Name Server
-
- The test zone data (Appendix A) was transferred using AXFR from
- another name server implementation and the server was queried for the
- transferred information.
-
-
-
-
-
-
-Schlyter Expires November 20, 2005 [Page 3]
-
-Internet-Draft RFC 3597 Interoperability Report May 2005
-
-
-3.3 Full Recursive Resolver
-
- A recursive resolver was queried for resource records from a domain
- with the test zone data (Appendix A).
-
-3.4 Stub Resolver
-
- A stub resolver was used to query resource records from a domain with
- the test zone data (Appendix A).
-
-3.5 DNSSEC Signer
-
- A DNSSEC signer was used to sign a zone with test zone data
- (Appendix A).
-
-4. Problems found
-
- Two implementations had problems with text presentation of zero
- length RDATA.
-
- One implementation had problems with text presentation of RR type
- code and classes >= 4096.
-
- Bug reports were filed for problems found.
-
-5. Summary
-
- Unknown type codes works in the tested authoritative servers,
- recursive resolvers and stub clients.
-
- No changes are needed to advance RFC 3597 to draft standard.
-
-6. Normative References
-
- [1] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
- Types", RFC 3597, September 2003.
-
-
-Author's Address
-
- Jakob Schlyter
-
- Email: jakob@rfc.se
-
-
-
-
-
-
-
-
-Schlyter Expires November 20, 2005 [Page 4]
-
-Internet-Draft RFC 3597 Interoperability Report May 2005
-
-
-Appendix A. Test zone data
-
- ; A-record encoded as TYPE1
- a TYPE1 \# 4 7f000001
- a TYPE1 192.0.2.1
- a A \# 4 7f000002
-
- ; draft-ietf-secsh-dns-05.txt
- sshfp TYPE44 \# 22 01 01 c691e90714a1629d167de8e5ee0021f12a7eaa1e
-
- ; bogus test record (from RFC 3597)
- type731 TYPE731 \# 6 abcd (
- ef 01 23 45 )
-
- ; zero length RDATA (from RFC 3597)
- type62347 TYPE62347 \# 0
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter Expires November 20, 2005 [Page 5]
-
-Internet-Draft RFC 3597 Interoperability Report May 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Schlyter Expires November 20, 2005 [Page 6]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt
deleted file mode 100644
index 6bffb70423f4..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt
+++ /dev/null
@@ -1,560 +0,0 @@
-
-DNS Extensions O. Kolkman
-Internet-Draft RIPE NCC
-Expires: June 17, 2004 J. Schlyter
-
- E. Lewis
- ARIN
- December 18, 2003
-
-
- DNSKEY RR Secure Entry Point Flag
- draft-ietf-dnsext-keyrr-key-signing-flag-12
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on June 17, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- With the Delegation Signer (DS) resource record the concept of a
- public key acting as a secure entry point has been introduced. During
- exchanges of public keys with the parent there is a need to
- differentiate secure entry point keys from other public keys in the
- DNSKEY resource record (RR) set. A flag bit in the DNSKEY RR is
- defined to indicate that DNSKEY is to be used as a secure entry
- point. The flag bit is intended to assist in operational procedures
- to correctly generate DS resource records, or to indicate what
- DNSKEYs are intended for static configuration. The flag bit is not to
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 1]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
- be used in the DNS verification protocol. This document updates RFC
- 2535 and RFC 3445.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. The Secure Entry Point (SEP) Flag . . . . . . . . . . . . . . . 4
- 3. DNSSEC Protocol Changes . . . . . . . . . . . . . . . . . . . . 5
- 4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . . 5
- 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
- 7. Internationalization Considerations . . . . . . . . . . . . . . 6
- 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
- Normative References . . . . . . . . . . . . . . . . . . . . . . 7
- Informative References . . . . . . . . . . . . . . . . . . . . . 7
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
- Intellectual Property and Copyright Statements . . . . . . . . . 9
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 2]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
-1. Introduction
-
- "All keys are equal but some keys are more equal than others" [6]
-
- With the definition of the Delegation Signer Resource Record (DS RR)
- [5] it has become important to differentiate between the keys in the
- DNSKEY RR set that are (to be) pointed to by parental DS RRs and the
- other keys in the DNSKEY RR set. We refer to these public keys as
- Secure Entry Point (SEP) keys. A SEP key either used to generate a
- DS RR or is distributed to resolvers that use the key as the root of
- a trusted subtree[3].
-
- In early deployment tests, the use of two (kinds of) key pairs for
- each zone has been prevalent. For one kind of key pair the private
- key is used to sign just the zone's DNSKEY resource record (RR) set.
- Its public key is intended to be referenced by a DS RR at the parent
- or configured statically in a resolver. The private key of the other
- kind of key pair is used to sign the rest of the zone's data sets.
- The former key pair is called a key-signing key (KSK) and the latter
- is called a zone-signing key (ZSK). In practice there have been
- usually one of each kind of key pair, but there will be multiples of
- each at times.
-
- It should be noted that division of keys pairs into KSK's and ZSK's
- is not mandatory in any definition of DNSSEC, not even with the
- introduction of the DS RR. But, in testing, this distinction has
- been helpful when designing key roll over (key super-cession)
- schemes. Given that the distinction has proven helpful, the labels
- KSK and ZSK have begun to stick.
-
- There is a need to differentiate the public keys for the key pairs
- that are used for key signing from keys that are not used key signing
- (KSKs vs ZSKs). This need is driven by knowing which DNSKEYs are to
- be sent for generating DS RRs, which DNSKEYs are to be distributed to
- resolvers, and which keys are fed to the signer application at the
- appropriate time.
-
- In other words, the SEP bit provides an in-band method to communicate
- a DNSKEY RR's intended use to third parties. As an example we present
- 3 use cases in which the bit is useful:
-
- The parent is a registry, the parent and the child use secured DNS
- queries and responses, with a preexisting trust-relation, or plain
- DNS over a secured channel to exchange the child's DNSKEY RR
- sets. Since a DNSKEY RR set will contain a complete DNSKEY RRset
- the SEP bit can be used to isolate the DNSKEYs for which a DS RR
- needs to be created.
-
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 3]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
- An administrator has configured a DNSKEY as root for a trusted
- subtree into security aware resolver. Using a special purpose tool
- that queries for the KEY RRs from that domain's apex, the
- administrator will be able to notice the roll over of the trusted
- anchor by a change of the subset of KEY RRs with the DS flag set.
-
- A signer might use the SEP bit on the public key to determine
- which private key to use to exclusively sign the DNSKEY RRset and
- which private key to use to sign the other RRsets in the zone.
-
- As demonstrated in the above examples it is important to be able to
- differentiate the SEP keys from the other keys in a DNSKEY RR set in
- the flow between signer and (parental) key-collector and in the flow
- between the signer and the resolver configuration. The SEP flag is to
- be of no interest to the flow between the verifier and the
- authoritative data store.
-
- The reason for the term "SEP" is a result of the observation that the
- distinction between KSK and ZSK key pairs is made by the signer, a
- key pair could be used as both a KSK and a ZSK at the same time. To
- be clear, the term SEP was coined to lessen the confusion caused by
- the overlap. ( Once this label was applied, it had the side effect of
- removing the temptation to have both a KSK flag bit and a ZSK flag
- bit.)
-
- The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
- "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
- interpreted as described in RFC2119 [1].
-
-2. The Secure Entry Point (SEP) Flag
-
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | flags |S| protocol | algorithm |
- | |E| | |
- | |P| | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | /
- / public key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- DNSKEY RR Format
-
-
-
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 4]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
- This document assigns the 15'th bit in the flags field as the secure
- entry point (SEP) bit. If the the bit is set to 1 the key is
- intended to be used as secure entry point key. One SHOULD NOT assign
- special meaning to the key if the bit is set to 0. Operators can
- recognize the secure entry point key by the even or odd-ness of the
- decimal representation of the flag field.
-
-3. DNSSEC Protocol Changes
-
- The bit MUST NOT be used during the resolving and verification
- process. The SEP flag is only used to provide a hint about the
- different administrative properties of the key and therefore the use
- of the SEP flag does not change the DNS resolution protocol or the
- resolution process.
-
-4. Operational Guidelines
-
- The SEP bit is set by the key-pair-generator and MAY be used by the
- zone signer to decide whether the public part of the key pair is to
- be prepared for input to a DS RR generation function. The SEP bit is
- recommended to be set (to 1) whenever the public key of the key pair
- will be distributed to the parent zone to build the authentication
- chain or if the public key is to be distributed for static
- configuration in verifiers.
-
- When a key pair is created, the operator needs to indicate whether
- the SEP bit is to be set in the DNSKEY RR. As the SEP bit is within
- the data that is used to compute the 'key tag field' in the SIG RR,
- changing the SEP bit will change the identity of the key within DNS.
- In other words, once a key is used to generate signatures, the
- setting of the SEP bit is to remain constant. If not, a verifier will
- not be able to find the relevant KEY RR.
-
- When signing a zone, it is intended that the key(s) with the SEP bit
- set (if such keys exist) are used to sign the KEY RR set of the zone.
- The same key can be used to sign the rest of the zone data too. It
- is conceivable that not all keys with a SEP bit set will sign the
- DNSKEY RR set, such keys might be pending retirement or not yet in
- use.
-
- When verifying a RR set, the SEP bit is not intended to play a role.
- How the key is used by the verifier is not intended to be a
- consideration at key creation time.
-
- Although the SEP flag provides a hint on which public key is to be
- used as trusted root, administrators can choose to ignore the fact
- that a DNSKEY has its SEP bit set or not when configuring a trusted
- root for their resolvers.
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 5]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
- Using the SEP flag a key roll over can be automated. The parent can
- use an existing trust relation to verify DNSKEY RR sets in which a
- new DNSKEY RR with the SEP flag appears.
-
-5. Security Considerations
-
- As stated in Section 3 the flag is not to be used in the resolution
- protocol or to determine the security status of a key. The flag is to
- be used for administrative purposes only.
-
- No trust in a key should be inferred from this flag - trust MUST be
- inferred from an existing chain of trust or an out-of-band exchange.
-
- Since this flag might be used for automating public key exchanges, we
- think the following consideration is in place.
-
- Automated mechanisms for roll over of the DS RR might be vulnerable
- to a class of replay attacks. This might happen after a public key
- exchange where a DNSKEY RR set, containing two DNSKEY RRs with the
- SEP flag set, is sent to the parent. The parent verifies the DNSKEY
- RR set with the existing trust relation and creates the new DS RR
- from the DNSKEY RR that the current DS RR is not pointing to. This
- key exchange might be replayed. Parents are encouraged to implement a
- replay defense. A simple defense can be based on a registry of keys
- that have been used to generate DS RRs during the most recent roll
- over. These same considerations apply to entities that configure keys
- in resolvers.
-
-6. IANA Considerations
-
- The flag bits in the DNSKEY RR are assigned by IETF consensus and
- registered in the DNSKEY Flags registry (created by [4]). This
- document assigns the 15th bit in the DNSKEY RR as the Secure Entry
- Point (SEP) bit.
-
-7. Internationalization Considerations
-
- Although SEP is a popular acronym in many different languages, there
- are no internationalization considerations.
-
-8. Acknowledgments
-
- The ideas documented in this document are inspired by communications
- we had with numerous people and ideas published by other folk. Among
- others Mark Andrews, Rob Austein, Miek Gieben, Olafur Gudmundsson,
- Daniel Karrenberg, Dan Massey, Scott Rose, Marcos Sanz and Sam Weiler
- have contributed ideas and provided feedback.
-
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 6]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
- This document saw the light during a workshop on DNSSEC operations
- hosted by USC/ISI in August 2002.
-
-Normative References
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [2] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [3] Lewis, E., "DNS Security Extension Clarification on Zone
- Status", RFC 3090, March 2001.
-
- [4] Weiler, S., "Legacy Resolver Compatibility for Delegation
- Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work
- in progress), October 2003.
-
-Informative References
-
- [5] Gudmundsson, O., "Delegation Signer Resource Record",
- draft-ietf-dnsext-delegation-signer-15 (work in progress), June
- 2003.
-
- [6] Orwell, G. and R. Steadman (illustrator), "Animal Farm; a Fairy
- Story", ISBN 0151002177 (50th anniversary edition), April 1996.
-
-
-Authors' Addresses
-
- Olaf M. Kolkman
- RIPE NCC
- Singel 256
- Amsterdam 1016 AB
- NL
-
- Phone: +31 20 535 4444
- EMail: olaf@ripe.net
- URI: http://www.ripe.net/
-
-
- Jakob Schlyter
- Karl Gustavsgatan 15
- Goteborg SE-411 25
- Sweden
-
- EMail: jakob@schlyter.se
-
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 7]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
- Edward P. Lewis
- ARIN
- 3635 Concorde Parkway Suite 200
- Chantilly, VA 20151
- US
-
- Phone: +1 703 227 9854
- EMail: edlewis@arin.net
- URI: http://www.arin.net/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 8]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 9]
-
-Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
-
-
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman, et al. Expires June 17, 2004 [Page 10]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt
deleted file mode 100644
index 8dcacc8bb9ec..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt
+++ /dev/null
@@ -1,1559 +0,0 @@
-
-
-
-
-
-
-DNSEXT Working Group Levon Esibov
-INTERNET-DRAFT Bernard Aboba
-Category: Standards Track Dave Thaler
-<draft-ietf-dnsext-mdns-33.txt> Microsoft
-18 July 2004
-
-
- Linklocal Multicast Name Resolution (LLMNR)
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 2, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society 2004. All rights reserved.
-
-Abstract
-
- Today, with the rise of home networking, there are an increasing
- number of ad-hoc networks operating without a Domain Name System
- (DNS) server. The goal of Link-Local Multicast Name Resolution
- (LLMNR) is to enable name resolution in scenarios in which
- conventional DNS name resolution is not possible. LLMNR supports all
- current and future DNS formats, types and classes, while operating on
- a separate port from DNS, and with a distinct resolver cache. Since
- LLMNR only operates on the local link, it cannot be considered a
- substitute for DNS.
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 1]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-Table of Contents
-
-1. Introduction .......................................... 3
- 1.1 Requirements .................................... 4
- 1.2 Terminology ..................................... 4
-2. Name resolution using LLMNR ........................... 4
- 2.1 LLMNR packet format ............................. 6
- 2.2 Sender behavior ................................. 8
- 2.3 Responder behavior .............................. 8
- 2.4 Unicast queries ................................. 11
- 2.5 Off-link detection .............................. 11
- 2.6 Responder responsibilities ...................... 12
- 2.7 Retransmission and jitter ....................... 13
- 2.8 DNS TTL ......................................... 13
- 2.9 Use of the authority and additional sections .... 14
-3. Usage model ........................................... 14
- 3.1 LLMNR configuration ............................. 15
-4. Conflict resolution ................................... 16
- 4.1 Considerations for multiple interfaces .......... 18
- 4.2 API issues ...................................... 19
-5. Security considerations ............................... 20
- 5.1 Scope restriction ............................... 20
- 5.2 Usage restriction ............................... 21
- 5.3 Cache and port separation ....................... 22
- 5.4 Authentication .................................. 22
-6. IANA considerations ................................... 22
-7. References ............................................ 22
- 7.1 Normative References ............................ 22
- 7.2 Informative References .......................... 23
-Acknowledgments .............................................. 24
-Authors' Addresses ........................................... 25
-Intellectual Property Statement .............................. 25
-Disclaimer of Validity ....................................... 26
-Full Copyright Statement ..................................... 26
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 2]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-1. Introduction
-
- This document discusses Link Local Multicast Name Resolution (LLMNR),
- which utilizes the DNS packet format and supports all current and
- future DNS formats, types and classes. LLMNR operates on a separate
- port from the Domain Name System (DNS), with a distinct resolver
- cache.
-
- The goal of LLMNR is to enable name resolution in scenarios in which
- conventional DNS name resolution is not possible. These include
- scenarios in which hosts are not configured with the address of a DNS
- server, where configured DNS servers do not reply to a query, or
- where they respond with errors, as described in Section 2. Since
- LLMNR only operates on the local link, it cannot be considered a
- substitute for DNS.
-
- Link-scope multicast addresses are used to prevent propagation of
- LLMNR traffic across routers, potentially flooding the network.
- LLMNR queries can also be sent to a unicast address, as described in
- Section 2.4.
-
- Propagation of LLMNR packets on the local link is considered
- sufficient to enable name resolution in small networks. The
- assumption is that if a network has a gateway, then the network is
- able to provide DNS server configuration. Configuration issues are
- discussed in Section 3.1.
-
- In the future, it may be desirable to consider use of multicast name
- resolution with multicast scopes beyond the link-scope. This could
- occur if LLMNR deployment is successful, the need arises for
- multicast name resolution beyond the link-scope, or multicast routing
- becomes ubiquitous. For example, expanded support for multicast name
- resolution might be required for mobile ad-hoc networking scenarios,
- or where no DNS server is available that is authoritative for the
- names of local hosts, and can support dynamic DNS, such as in
- wireless hotspots.
-
- Once we have experience in LLMNR deployment in terms of
- administrative issues, usability and impact on the network, it will
- be possible to reevaluate which multicast scopes are appropriate for
- use with multicast name resolution.
-
- Service discovery in general, as well as discovery of DNS servers
- using LLMNR in particular, is outside of the scope of this document,
- as is name resolution over non-multicast capable media.
-
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 3]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-1.1. Requirements
-
- In this document, several words are used to signify the requirements
- of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" in this document are to be interpreted as described in
- [RFC2119].
-
-1.2. Terminology
-
- This document assumes familiarity with DNS terminology defined in
- [RFC1035]. Other terminology used in this document includes:
-
-Positively Resolved
- Responses with RCODE set to zero are referred to in this document
- as "positively resolved".
-
-Routable Address
- An address other than a Link-Local address. This includes globally
- routable addresses, as well as private addresses.
-
-Reachable
- An address is considered reachable over a link if either an ARP or
- neighbor discovery cache entry exists for the address on the link.
-
-Responder
- A host that listens to LLMNR queries, and responds to those for
- which it is authoritative.
-
-Sender
- A host that sends an LLMNR query.
-
-2. Name resolution using LLMNR
-
- LLMNR is a peer-to-peer name resolution protocol that is not intended
- as a replacement for DNS. LLMNR queries are sent to and received on
- port 5355. IPv4 administratively scoped multicast usage is specified
- in "Administratively Scoped IP Multicast" [RFC2365]. The IPv4 link-
- scope multicast address a given responder listens to, and to which a
- sender sends queries, is 224.0.0.252. The IPv6 link-scope multicast
- address a given responder listens to, and to which a sender sends all
- queries, is FF02:0:0:0:0:0:1:3.
-
- Typically a host is configured as both an LLMNR sender and a
- responder. A host MAY be configured as a sender, but not a
- responder. However, a host configured as a responder MUST act as a
- sender to verify the uniqueness of names as described in Section 4.
- This document does not specify how names are chosen or configured.
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 4]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- This may occur via any mechanism, including DHCPv4 [RFC2131] or
- DHCPv6 [RFC3315].
-
- LLMNR usage MAY be configured manually or automatically on a per
- interface basis. By default, LLMNR responders SHOULD be enabled on
- all interfaces, at all times. Enabling LLMNR for use in situations
- where a DNS server has been configured will result in a change in
- default behavior without a simultaneous update to configuration
- information. Where this is considered undesirable, LLMNR SHOULD NOT
- be enabled by default, so that hosts will neither listen on the link-
- scope multicast address, nor will they send queries to that address.
-
- An LLMNR sender may send a request for any name. However, by
- default, LLMNR requests SHOULD be sent only when one of the following
- conditions are met:
-
- [1] No manual or automatic DNS configuration has been
- performed. If an interface has been configured with DNS
- server address(es), then LLMNR SHOULD NOT be used as the
- primary name resolution mechanism on that interface, although
- it MAY be used as a name resolution mechanism of last resort.
-
- [2] DNS servers do not respond.
-
- [3] DNS servers respond to a DNS query with RCODE=3
- (Authoritative Name Error) or RCODE=0, and an empty
- answer section.
-
- A typical sequence of events for LLMNR usage is as follows:
-
- [a] DNS servers are not configured or do not respond to a
- DNS query, or respond with RCODE=3, or RCODE=0 and an
- empty answer section.
-
- [b] An LLMNR sender sends an LLMNR query to the link-scope
- multicast address(es) defined in Section 2, unless a
- unicast query is indicated. A sender SHOULD send LLMNR
- queries for PTR RRs via unicast, as specified in Section 2.4.
-
- [c] A responder responds to this query only if it is authoritative
- for the domain name in the query. A responder responds to a
- multicast query by sending a unicast UDP response to the sender.
- Unicast queries are responded to as indicated in Section 2.4.
-
- [d] Upon reception of the response, the sender processes it.
-
- Further details of sender and responder behavior are provided in the
- sections that follow.
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 5]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-2.1. LLMNR packet format
-
- LLMNR utilizes the DNS packet format defined in [RFC1035] Section 4
- for both queries and responses. LLMNR implementations SHOULD send
- UDP queries and responses only as large as are known to be
- permissible without causing fragmentation. When in doubt a maximum
- packet size of 512 octets SHOULD be used. LLMNR implementations MUST
- accept UDP queries and responses as large as permitted by the link
- MTU.
-
-2.1.1. LLMNR header format
-
- LLMNR queries and responses utilize the DNS header format defined in
- [RFC1035] with exceptions noted below:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ID |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- |QR| Opcode | Z|TC| Z| Z| Z| Z| Z| RCODE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QDCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ANCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | NSCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ARCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- where:
-
-ID A 16 bit identifier assigned by the program that generates any kind
- of query. This identifier is copied from the query to the response
- and can be used by the sender to match responses to outstanding
- queries. The ID field in a query SHOULD be set to a pseudo-random
- value.
-
-QR A one bit field that specifies whether this message is an LLMNR
- query (0), or an LLMNR response (1).
-
-OPCODE
- A four bit field that specifies the kind of query in this message.
- This value is set by the originator of a query and copied into the
- response. This specification defines the behavior of standard
- queries and responses (opcode value of zero). Future
- specifications may define the use of other opcodes with LLMNR.
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 6]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- LLMNR senders and responders MUST support standard queries (opcode
- value of zero). LLMNR queries with unsupported OPCODE values MUST
- be silently discarded by responders.
-
-TC TrunCation - specifies that this message was truncated due to
- length greater than that permitted on the transmission channel.
- The TC bit MUST NOT be set in an LLMNR query and if set is ignored
- by an LLMNR responder. If the TC bit is set an LLMNR response,
- then the sender MAY use the response if it contains all necessary
- information, or the sender MAY discard the response and resend the
- LLMNR query over TCP using the unicast address of the responder as
- the destination address. See [RFC2181] and Section 2.4 of this
- specification for further discussion of the TC bit.
-
-Z Reserved for future use. Implementations of this specification
- MUST set these bits to zero in both queries and responses. If
- these bits are set in a LLMNR query or response, implementations of
- this specification MUST ignore them. Since reserved bits could
- conceivably be used for different purposes than in DNS,
- implementors are advised not to enable processing of these bits in
- an LLMNR implementation starting from a DNS code base.
-
-RCODE
- Response code -- this 4 bit field is set as part of LLMNR
- responses. In an LLMNR query, the RCODE MUST be zero, and is
- ignored by the responder. The response to a multicast LLMNR query
- MUST have RCODE set to zero. A sender MUST silently discard an
- LLMNR response with a non-zero RCODE sent in response to a
- multicast query.
-
- If an LLMNR responder is authoritative for the name in a multicast
- query, but an error is encountered, the responder SHOULD send an
- LLMNR response with an RCODE of zero, no RRs in the answer section,
- and the TC bit set. This will cause the query to be resent using
- TCP, and allow the inclusion of a non-zero RCODE in the response to
- the TCP query. Responding with the TC bit set is preferrable to
- not sending a response, since it enables errors to be diagnosed.
-
- Since LLMNR responders only respond to LLMNR queries for names for
- which they are authoritative, LLMNR responders MUST NOT respond
- with an RCODE of 3; instead, they should not respond at all.
-
- LLMNR implementations MUST support EDNS0 [RFC2671] and extended
- RCODE values.
-
-QDCOUNT
- An unsigned 16 bit integer specifying the number of entries in the
- question section. A sender MUST place only one question into the
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 7]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- question section of an LLMNR query. LLMNR responders MUST silently
- discard LLMNR queries with QDCOUNT not equal to one. LLMNR senders
- MUST silently discard LLMNR responses with QDCOUNT not equal to
- one.
-
-ANCOUNT
- An unsigned 16 bit integer specifying the number of resource
- records in the answer section. LLMNR responders MUST silently
- discard LLMNR queries with ANCOUNT not equal to zero.
-
-NSCOUNT
- An unsigned 16 bit integer specifying the number of name server
- resource records in the authority records section. Authority
- record section processing is described in Section 2.9.
-
-ARCOUNT
- An unsigned 16 bit integer specifying the number of resource
- records in the additional records section. Additional record
- section processing is described in Section 2.9.
-
-2.2. Sender behavior
-
- A sender may send an LLMNR query for any legal resource record type
- (e.g. A, AAAA, SRV, etc.) to the link-scope multicast address.
-
- As described in Section 2.4, a sender may also send a unicast query.
- Sections 2 and 3 describe the circumstances in which LLMNR queries
- may be sent.
-
- The sender MUST anticipate receiving no replies to some LLMNR
- queries, in the event that no responders are available within the
- link-scope or in the event no positive non-null responses exist for
- the transmitted query. If no positive response is received, a
- resolver treats it as a response that no records of the specified
- type and class exist for the specified name (it is treated the same
- as a response with RCODE=0 and an empty answer section).
-
- Since the responder may order the RRs in the response so as to
- indicate preference, the sender SHOULD preserve ordering in the
- response to the querying application.
-
-2.3. Responder behavior
-
- An LLMNR response MUST be sent to the sender via unicast.
-
- Upon configuring an IP address responders typically will synthesize
- corresponding A, AAAA and PTR RRs so as to be able to respond to
- LLMNR queries for these RRs. An SOA RR is synthesized only when a
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 8]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- responder has another RR as well; the SOA RR MUST NOT be the only RR
- that a responder has. However, in general whether RRs are manually
- or automatically created is an implementation decision.
-
- For example, a host configured to have computer name "host1" and to
- be a member of the "example.com" domain, and with IPv4 address
- 10.1.1.1 and IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6 might be
- authoritative for the following records:
-
- host1. IN A 10.1.1.1
- IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
-
- host1.example.com. IN A 10.1.1.1
- IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
-
- 1.1.1.10.in-addr.arpa. IN PTR host1.
- IN PTR host1.example.com.
-
- 6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
- IN PTR host1.
- IN PTR host1.example.com
-
- An LLMNR responder might be further manually configured with the name
- of a local mail server with an MX RR included in the "host1." and
- "host1.example.com." records.
-
- In responding to queries:
-
-[a] Responders MUST listen on UDP port 5355 on the link-scope multicast
- address(es) defined in Section 2, and on UDP and TCP port 5355 on
- the unicast address(es) that could be set as the source address(es)
- when the responder responds to the LLMNR query.
-
-[b] Responders MUST direct responses to the port from which the query
- was sent. When queries are received via TCP this is an inherent
- part of the transport protocol. For queries received by UDP the
- responder MUST take note of the source port and use that as the
- destination port in the response. Responses SHOULD always be sent
- from the port to which they were directed.
-
-[c] Responders MUST respond to LLMNR queries for names and addresses
- they are authoritative for. This applies to both forward and
- reverse lookups.
-
-[d] Responders MUST NOT respond to LLMNR queries for names they are not
- authoritative for.
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 9]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-[e] Responders MUST NOT respond using cached data.
-
-[f] If a DNS server is running on a host that supports LLMNR, the DNS
- server MUST respond to LLMNR queries only for the RRSets relating
- to the host on which the server is running, but MUST NOT respond
- for other records for which the server is authoritative. DNS
- servers also MUST NOT send LLMNR queries in order to resolve DNS
- queries.
-
-[g] If a responder is authoritative for a name, it MAY respond with
- RCODE=0 and an empty answer section, if the type of query does not
- match a RR that the responder has.
-
- As an example, a host configured to respond to LLMNR queries for the
- name "foo.example.com." is authoritative for the name
- "foo.example.com.". On receiving an LLMNR query for an A RR with the
- name "foo.example.com." the host authoritatively responds with A
- RR(s) that contain IP address(es) in the RDATA of the resource
- record. If the responder has a AAAA RR, but no A RR, and an A RR
- query is received, the responder would respond with RCODE=0 and an
- empty answer section.
-
- In conventional DNS terminology a DNS server authoritative for a zone
- is authoritative for all the domain names under the zone apex except
- for the branches delegated into separate zones. Contrary to
- conventional DNS terminology, an LLMNR responder is authoritative
- only for the zone apex.
-
- For example the host "foo.example.com." is not authoritative for the
- name "child.foo.example.com." unless the host is configured with
- multiple names, including "foo.example.com." and
- "child.foo.example.com.". As a result, "foo.example.com." cannot
- reply to an LLMNR query for "child.foo.example.com." with RCODE=3
- (authoritative name error). The purpose of limiting the name
- authority scope of a responder is to prevent complications that could
- be caused by coexistence of two or more hosts with the names
- representing child and parent (or grandparent) nodes in the DNS tree,
- for example, "foo.example.com." and "child.foo.example.com.".
-
- In this example (unless this limitation is introduced) an LLMNR query
- for an A resource record for the name "child.foo.example.com." would
- result in two authoritative responses: RCODE=3 (authoritative name
- error) received from "foo.example.com.", and a requested A record -
- from "child.foo.example.com.". To prevent this ambiguity, LLMNR
- enabled hosts could perform a dynamic update of the parent (or
- grandparent) zone with a delegation to a child zone. In this example
- a host "child.foo.example.com." would send a dynamic update for the
- NS and glue A record to "foo.example.com.", but this approach
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 10]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- significantly complicates implementation of LLMNR and would not be
- acceptable for lightweight hosts.
-
-2.4. Unicast queries and responses
-
- Unicast queries SHOULD be sent when:
-
- [a] A sender repeats a query after it received a response
- with the TC bit set to the previous LLMNR multicast query, or
-
- [b] The sender queries for a PTR RR of a fully formed IP address
- within the "in-addr.arpa" or "ip6.arpa" zones.
-
- Unicast LLMNR queries MUST be done using TCP and the responses MUST
- be sent using the same TCP connection as the query. Senders MUST
- support sending TCP queries, and responders MUST support listening
- for TCP queries. If the sender of a TCP query receives a response to
- that query not using TCP, the response MUST be silently discarded.
-
- Unicast UDP queries MUST be silently discarded.
-
- If TCP connection setup cannot be completed in order to send a
- unicast TCP query, this is treated as a response that no records of
- the specified type and class exist for the specified name (it is
- treated the same as a response with RCODE=0 and an empty answer
- section).
-
-2.5. "Off link" detection
-
- For IPv4, an "on link" address is defined as a link-local address
- [IPv4Link] or an address whose prefix belongs to a subnet on the
- local link. For IPv6 [RFC2460] an "on link" address is either a
- link-local address, defined in [RFC2373], or an address whose prefix
- belongs to a subnet on the local link.
-
- A sender MUST select a source address for LLMNR queries that is "on
- link". The destination address of an LLMNR query MUST be a link-
- scope multicast address or an "on link" unicast address.
-
- A responder MUST select a source address for responses that is "on
- link". The destination address of an LLMNR response MUST be an "on
- link" unicast address.
-
- On receiving an LLMNR query, the responder MUST check whether it was
- sent to a LLMNR multicast addresses defined in Section 2. If it was
- sent to another multicast address, then the query MUST be silently
- discarded.
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 11]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- Section 2.4 discusses use of TCP for LLMNR queries and responses. In
- composing an LLMNR query using TCP, the sender MUST set the Hop Limit
- field in the IPv6 header and the TTL field in the IPv4 header of the
- response to one (1). The responder SHOULD set the TTL or Hop Limit
- settings on the TCP listen socket to one (1) so that SYN-ACK packets
- will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This
- prevents an incoming connection from off-link since the sender will
- not receive a SYN-ACK from the responder.
-
- For UDP queries and responses the Hop Limit field in the IPv6 header,
- and the TTL field in the IPV4 header MAY be set to any value.
- However, it is RECOMMENDED that the value 255 be used for
- compatibility with Apple Rendezvous.
-
- Implementation note:
-
- In the sockets API for IPv4 [POSIX], the IP_TTL and
- IP_MULTICAST_TTL socket options are used to set the TTL of
- outgoing unicast and multicast packets. The IP_RECVTTL socket
- option is available on some platforms to retrieve the IPv4 TTL of
- received packets with recvmsg(). [RFC2292] specifies similar
- options for setting and retrieving the IPv6 Hop Limit.
-
-2.6. Responder responsibilities
-
- It is the responsibility of the responder to ensure that RRs returned
- in LLMNR responses MUST only include values that are valid on the
- local interface, such as IPv4 or IPv6 addresses valid on the local
- link or names defended using the mechanism described in Section 4.
- In particular:
-
- [a] If a link-scope IPv6 address is returned in a AAAA RR,
- that address MUST be valid on the local link over which
- LLMNR is used.
-
- [b] If an IPv4 address is returned, it MUST be reachable
- through the link over which LLMNR is used.
-
- [c] If a name is returned (for example in a CNAME, MX
- or SRV RR), the name MUST be resolvable on the local
- link over which LLMNR is used.
-
- Routable addresses MUST be included first in the response, if
- available. This encourages use of routable address(es) for
- establishment of new connections.
-
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 12]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-2.7. Retransmission and jitter
-
- An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine
- when to retransmit an LLMNR query and how long to collect responses
- to an LLMNR query.
-
- If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT,
- then a sender MAY repeat the transmission of the query in order to
- assure that it was received by a host capable of responding to it.
- Retransmission of UDP queries SHOULD NOT be attempted more than 3
- times. Where LLMNR queries are sent using TCP, retransmission is
- handled by the transport layer.
-
- Because an LLMNR sender cannot know in advance if a query sent using
- multicast will receive no response, one response, or more than one
- response, the sender SHOULD wait for LLMNR_TIMEOUT in order to
- collect all possible responses, rather than considering the multicast
- query answered after the first response is received. A unicast query
- sender considers the query answered after the first response is
- received, so that it only waits for LLMNR_TIMEOUT if no response has
- been received.
-
- An LLMNR sender SHOULD dynamically compute the value of LLMNR_TIMEOUT
- for each transmission. It is suggested that the computation of
- LLMNR_TIMEOUT be based on the response times for earlier LLMNR
- queries sent on the same interface.
-
- For example, the algorithms described in RFC 2988 [RFC2988]
- (including exponential backoff) compute an RTO, which is used as the
- value of LLMNR_TIMEOUT. Smaller values MAY be used for the initial
- RTO (discussed in Section 2 of [RFC2988], paragraph 2.1), the minimum
- RTO (discussed in Section 2 of [RFC2988], paragraph 2.4), and the
- maximum RTO (discussed in Section 2 of [RFC2988], paragraph 2.5).
-
- Recommended values are an initial RTO of 1 second, a minimum RTO of
- 200ms, and a maximum RTO of 5 seconds. In order to avoid
- synchronization, the transmission of each LLMNR query and response
- SHOULD delayed by a time randomly selected from the interval 0 to 100
- ms. This delay MAY be avoided by responders responding with RRs
- which they have previously determined to be UNIQUE (see Section 4 for
- details).
-
-2.8. DNS TTL
-
- The responder should use a pre-configured TTL value in the records
- returned an LLMNR response. A default value of 30 seconds is
- RECOMMENDED. In highly dynamic environments (such as mobile ad-hoc
- networks), the TTL value may need to be reduced.
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 13]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- Due to the TTL minimalization necessary when caching an RRset, all
- TTLs in an RRset MUST be set to the same value.
-
-2.9. Use of the authority and additional sections
-
- Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a
- concept of delegation. In LLMNR, the NS resource record type may be
- stored and queried for like any other type, but it has no special
- delegation semantics as it does in the DNS. Responders MAY have NS
- records associated with the names for which they are authoritative,
- but they SHOULD NOT include these NS records in the authority
- sections of responses.
-
- Responders SHOULD insert an SOA record into the authority section of
- a negative response, to facilitate negative caching as specified in
- [RFC2308]. The owner name of this SOA record MUST be equal to the
- query name.
-
- Responders SHOULD NOT perform DNS additional section processing,
- except as required for EDNS0 and DNSSEC.
-
- Senders MUST NOT cache RRs from the authority or additional section
- of a response as answers, though they may be used for other purposes
- such as negative caching.
-
-3. Usage model
-
- Since LLMNR is a secondary name resolution mechanism, its usage is in
- part determined by the behavior of DNS implementations. This
- document does not specify any changes to DNS resolver behavior, such
- as searchlist processing or retransmission/failover policy. However,
- robust DNS resolver implementations are more likely to avoid
- unnecessary LLMNR queries.
-
- As noted in [DNSPerf], even when DNS servers are configured, a
- significant fraction of DNS queries do not receive a response, or
- result in negative responses due to missing inverse mappings or NS
- records that point to nonexistent or inappropriate hosts. This has
- the potential to result in a large number of unnecessary LLMNR
- queries.
-
- [RFC1536] describes common DNS implementation errors and fixes. If
- the proposed fixes are implemented, unnecessary LLMNR queries will be
- reduced substantially, and so implementation of [RFC1536] is
- recommended.
-
- For example, [RFC1536] Section 1 describes issues with retransmission
- and recommends implementation of a retransmission policy based on
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 14]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- round trip estimates, with exponential backoff. [RFC1536] Section 4
- describes issues with failover, and recommends that resolvers try
- another server when they don't receive a response to a query. These
- policies are likely to avoid unnecessary LLMNR queries.
-
- [RFC1536] Section 3 describes zero answer bugs, which if addressed
- will also reduce unnecessary LLMNR queries.
-
- [RFC1536] Section 6 describes name error bugs and recommended
- searchlist processing that will reduce unnecessary RCODE=3
- (authoritative name) errors, thereby also reducing unnecessary LLMNR
- queries.
-
-3.1. LLMNR configuration
-
- Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
- possible for a dual stack host to be configured with the address of a
- DNS server over IPv4, while remaining unconfigured with a DNS server
- suitable for use over IPv6.
-
- In these situations, a dual stack host will send AAAA queries to the
- configured DNS server over IPv4. However, an IPv6-only host
- unconfigured with a DNS server suitable for use over IPv6 will be
- unable to resolve names using DNS. Automatic IPv6 DNS configuration
- mechanisms (such as [RFC3315] and [DNSDisc]) are not yet widely
- deployed, and not all DNS servers support IPv6. Therefore lack of
- IPv6 DNS configuration may be a common problem in the short term, and
- LLMNR may prove useful in enabling linklocal name resolution over
- IPv6.
-
- Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315],
- IPv6-only hosts may not be configured with a DNS server. Where there
- is no DNS server authoritative for the name of a host or the
- authoritative DNS server does not support dynamic client update over
- IPv6 or DHCPv6-based dynamic update, then an IPv6-only host will not
- be able to do DNS dynamic update, and other hosts will not be able to
- resolve its name.
-
- For example, if the configured DNS server responds to AAAA RR queries
- sent over IPv4 or IPv6 with an authoritative name error (RCODE=3),
- then it will not be possible to resolve the names of IPv6-only hosts.
- In this situation, LLMNR over IPv6 can be used for local name
- resolution.
-
- Similarly, if a DHCPv4 server is available providing DNS server
- configuration, and DNS server(s) exist which are authoritative for
- the A RRs of local hosts and support either dynamic client update
- over IPv4 or DHCPv4-based dynamic update, then the names of local
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 15]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- IPv4 hosts can be resolved over IPv4 without LLMNR. However, if no
- DNS server is authoritative for the names of local hosts, or the
- authoritative DNS server(s) do not support dynamic update, then LLMNR
- enables linklocal name resolution over IPv4.
-
- Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
- configure LLMNR on an interface. The LLMNR Enable Option, described
- in [LLMNREnable], can be used to explicitly enable or disable use of
- LLMNR on an interface. The LLMNR Enable Option does not determine
- whether or in which order DNS itself is used for name resolution.
- The order in which various name resolution mechanisms should be used
- can be specified using the Name Service Search Option (NSSO) for DHCP
- [RFC2937], using the LLMNR Enable Option code carried in the NSSO
- data.
-
- It is possible that DNS configuration mechanisms will go in and out
- of service. In these circumstances, it is possible for hosts within
- an administrative domain to be inconsistent in their DNS
- configuration.
-
- For example, where DHCP is used for configuring DNS servers, one or
- more DHCP servers can fail. As a result, hosts configured prior to
- the outage will be configured with a DNS server, while hosts
- configured after the outage will not. Alternatively, it is possible
- for the DNS configuration mechanism to continue functioning while
- configured DNS servers fail.
-
- Unless unconfigured hosts periodically retry configuration, an outage
- in the DNS configuration mechanism will result in hosts continuing to
- use LLMNR even once the outage is repaired. Since LLMNR only enables
- linklocal name resolution, this represents an unnecessary degradation
- in capabilities. As a result, it is recommended that hosts without a
- configured DNS server periodically attempt to obtain DNS
- configuration. For example, where DHCP is used for DNS
- configuration, [RFC2131] recommends a maximum retry interval of 64
- seconds. In the absence of other guidance, a default retry interval
- of one (1) minute is RECOMMENDED.
-
-4. Conflict resolution
-
- The sender MUST anticipate receiving multiple replies to the same
- LLMNR query, in the event that several LLMNR enabled computers
- receive the query and respond with valid answers. When this occurs,
- the responses may first be concatenated, and then treated in the same
- manner that multiple RRs received from the same DNS server would; the
- sender perceives no inherent conflict in the receipt of multiple
- responses.
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 16]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- There are some scenarios when multiple responders MAY respond to the
- same query. There are other scenarios when only one responder MAY
- respond to a query. Resource records for which the latter queries
- are submitted are referred as UNIQUE throughout this document. The
- uniqueness of a resource record depends on a nature of the name in
- the query and type of the query. For example it is expected that:
-
- - multiple hosts may respond to a query for an SRV type record
- - multiple hosts may respond to a query for an A or AAAA type
- record for a cluster name (assigned to multiple hosts in
- the cluster)
- - only a single host may respond to a query for an A or AAAA
- type record for a name.
-
- Every responder that responds to an LLMNR query AND includes a UNIQUE
- record in the response:
-
- [1] MUST verify that there is no other host within the
- scope of the LLMNR query propagation that can return
- a resource record for the same name, type and class.
-
- [2] MUST NOT include a UNIQUE resource record in the
- response without having verified its uniqueness.
-
- Where a host is configured to issue LLMNR queries on more than one
- interface, each interface should have its own independent LLMNR
- cache. For each UNIQUE resource record in a given interface's
- configuration, the host MUST verify resource record uniqueness on
- that interface. To accomplish this, the host MUST send an LLMNR
- query for each UNIQUE resource record.
-
- By default, a host SHOULD be configured to behave as though all RRs
- are UNIQUE. Uniqueness verification is carried out when the host:
-
- - starts up or is rebooted
- - wakes from sleep (if the network interface was inactive during sleep)
- - is configured to respond to the LLMNR queries on an interface
- enabled for transmission and reception of IP traffic
- - is configured to respond to the LLMNR queries using additional
- UNIQUE resource records
- - detects that an interface is connected and is usable
- (e.g. an IEEE 802 hardware link-state change indicating
- that a cable was attached or completion of authentication
- (and if needed, association) with a wireless base station
- or adhoc network
-
- When a host that has a UNIQUE record receives an LLMNR query for that
- record, the host MUST respond. After the client receives a response,
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 17]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- it MUST check whether the response arrived on an interface different
- from the one on which the query was sent. If the response arrives on
- a different interface, the client can use the UNIQUE resource record
- in response to LLMNR queries. If not, then it MUST NOT use the
- UNIQUE resource record in response to LLMNR queries.
-
- The name conflict detection mechanism doesn't prevent name conflicts
- when previously partitioned segments are connected by a bridge. In
- order to minimize the chance of conflicts in such a situation, it is
- recommended that steps be taken to ensure name uniqueness. For
- example, the name could be chosen randomly from a large pool of
- potential names, or the name could be assigned via a process designed
- to guarantee uniqueness.
-
- When name conflicts are detected, they SHOULD be logged. To detect
- duplicate use of a name, an administrator can use a name resolution
- utility which employs LLMNR and lists both responses and responders.
- This would allow an administrator to diagnose behavior and
- potentially to intervene and reconfigure LLMNR responders who should
- not be configured to respond to the same name.
-
-4.1. Considerations for Multiple Interfaces
-
- A multi-homed host may elect to configure LLMNR on only one of its
- active interfaces. In many situations this will be adequate.
- However, should a host need to configure LLMNR on more than one of
- its active interfaces, there are some additional precautions it MUST
- take. Implementers who are not planning to support LLMNR on multiple
- interfaces simultaneously may skip this section.
-
- A multi-homed host checks the uniqueness of UNIQUE records as
- described in Section 4. The situation is illustrated in figure 1.
-
- ---------- ----------
- | | | |
- [A] [myhost] [myhost]
-
- Figure 1. Link-scope name conflict
-
- In this situation, the multi-homed myhost will probe for, and defend,
- its host name on both interfaces. A conflict will be detected on one
- interface, but not the other. The multi-homed myhost will not be
- able to respond with a host RR for "myhost" on the interface on the
- right (see Figure 1). The multi-homed host may, however, be
- configured to use the "myhost" name on the interface on the left.
-
- Since names are only unique per-link, hosts on different links could
- be using the same name. If an LLMNR client sends requests over
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 18]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- multiple interfaces, and receives replies from more than one, the
- result returned to the client is defined by the implementation. The
- situation is illustrated in figure 2.
-
- ---------- ----------
- | | | |
- [A] [myhost] [A]
-
-
- Figure 2. Off-segment name conflict
-
- If host myhost is configured to use LLMNR on both interfaces, it will
- send LLMNR queries on both interfaces. When host myhost sends a
- query for the host RR for name "A" it will receive a response from
- hosts on both interfaces.
-
- Host myhost cannot distinguish between the situation shown in Figure
- 2, and that shown in Figure 3 where no conflict exists.
-
- [A]
- | |
- ----- -----
- | |
- [myhost]
-
- Figure 3. Multiple paths to same host
-
- This illustrates that the proposed name conflict resolution mechanism
- does not support detection or resolution of conflicts between hosts
- on different links. This problem can also occur with unicast DNS
- when a multi-homed host is connected to two different networks with
- separated name spaces. It is not the intent of this document to
- address the issue of uniqueness of names within DNS.
-
-4.2. API issues
-
- [RFC2553] provides an API which can partially solve the name
- ambiguity problem for applications written to use this API, since the
- sockaddr_in6 structure exposes the scope within which each scoped
- address exists, and this structure can be used for both IPv4 (using
- v4-mapped IPv6 addresses) and IPv6 addresses.
-
- Following the example in Figure 2, an application on 'myhost' issues
- the request getaddrinfo("A", ...) with ai_family=AF_INET6 and
- ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both
- interfaces and the resolver library will return a list containing
- multiple addrinfo structures, each with an associated sockaddr_in6
- structure. This list will thus contain the IPv4 and IPv6 addresses
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 19]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- of both hosts responding to the name 'A'. Link-local addresses will
- have a sin6_scope_id value that disambiguates which interface is used
- to reach the address. Of course, to the application, Figures 2 and 3
- are still indistinguishable, but this API allows the application to
- communicate successfully with any address in the list.
-
-5. Security Considerations
-
- LLMNR is by nature a peer-to-peer name resolution protocol. It is
- therefore inherently more vulnerable than DNS, since existing DNS
- security mechanisms are difficult to apply to LLMNR. While tools
- exist to alllow an attacker to spoof a response to a DNS query,
- spoofing a response to an LLMNR query is easier since the query is
- sent to a link-scope multicast address, where every host on the
- logical link will be made aware of it.
-
- In order to address the security vulnerabilities, the following
- mechanisms are contemplated:
-
- [1] Scope restrictions.
- [2] Usage restrictions.
- [3] Cache and port separation.
- [4] Authentication.
-
- These techniques are described in the following sections.
-
-5.1. Scope restriction
-
- With LLMNR it is possible that hosts will allocate conflicting names
- for a period of time, or that attackers will attempt to deny service
- to other hosts by allocating the same name. Such attacks also allow
- hosts to receive packets destined for other hosts.
-
- Since LLMNR is typically deployed in situations where no trust model
- can be assumed, it is likely that LLMNR queries and responses will be
- unauthenticated. In the absence of authentication, LLMNR reduces the
- exposure to such threats by utilizing UDP queries sent to a link-
- scope multicast address, as well as setting the TTL (IPv4) or Hop
- Limit (IPv6) fields to one (1) on TCP queries and responses.
-
- Using a TTL of one (1) to set up a TCP connection in order to send a
- unicast LLMNR query reduces the likelihood of both denial of service
- attacks and spoofed responses. Checking that an LLMNR query is sent
- to a link-scope multicast address should prevent spoofing of
- multicast queries by off-link attackers.
-
- While this limits the ability of off-link attackers to spoof LLMNR
- queries and responses, it does not eliminate it. For example, it is
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 20]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- possible for an attacker to spoof a response to a frequent query
- (such as an A or AAAA query for a popular Internet host), and by
- using a TTL or Hop Limit field larger than one (1), for the forged
- response to reach the LLMNR sender.
-
- When LLMNR queries are sent to a link-scope multicast address, it is
- possible that some routers may not properly implement link-scope
- multicast, or that link-scope multicast addresses may leak into the
- multicast routing system.
-
- Setting the IPv6 Hop Limit or IPv4 TTL field to a value larger than
- one in an LLMNR UDP response may enable denial of service attacks
- across the Internet. However, since LLMNR responders only respond to
- queries for which they are authoritative, and LLMNR does not provide
- wildcard query support, it is believed that this threat is minimal.
-
- There also are scenarios such as public "hotspots" where attackers
- can be present on the same link. These threats are most serious in
- wireless networks such as 802.11, since attackers on a wired network
- will require physical access to the home network, while wireless
- attackers may reside outside the home. Link-layer security can be of
- assistance against these threats if it is available.
-
-5.2. Usage restriction
-
- As noted in Sections 2 and 3, LLMNR is intended for usage in a
- limited set of scenarios.
-
- If an LLMNR query is sent whenever a DNS server does not respond in a
- timely way, then an attacker can poison the LLMNR cache by responding
- to the query with incorrect information. To some extent, these
- vulnerabilities exist today, since DNS response spoofing tools are
- available that can allow an attacker to respond to a query more
- quickly than a distant DNS server.
-
- Since LLMNR queries are sent and responded to on the local-link, an
- attacker will need to respond more quickly to provide its own
- response prior to arrival of the response from a legitimate
- responder. If an LLMNR query is sent for an off-link host, spoofing a
- response in a timely way is not difficult, since a legitimate
- response will never be received.
-
- The vulnerability is more serious if LLMNR is given higher priority
- than DNS among the enabled name resolution mechanisms. In such a
- configuration, a denial of service attack on the DNS server would not
- be necessary in order to poison the LLMNR cache, since LLMNR queries
- would be sent even when the DNS server is available. In addition, the
- LLMNR cache, once poisoned, would take precedence over the DNS cache,
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 21]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
- eliminating the benefits of cache separation. As a result, LLMNR is
- only used as a name resolution mechanism of last resort.
-
-5.3. Cache and port separation
-
- In order to prevent responses to LLMNR queries from polluting the DNS
- cache, LLMNR implementations MUST use a distinct, isolated cache for
- LLMNR on each interface. The use of separate caches is most effective
- when LLMNR is used as a name resolution mechanism of last resort,
- since this minimizes the opportunities for poisoning the LLMNR cache,
- and decreases reliance on it.
-
- LLMNR operates on a separate port from DNS, reducing the likelihood
- that a DNS server will unintentionally respond to an LLMNR query.
-
-5.4. Authentication
-
- LLMNR implementations may not support DNSSEC or TSIG, and as a
- result, responses to LLMNR queries may be unauthenticated. If
- authentication is desired, and a pre-arranged security configuration
- is possible, then IPsec ESP with a null-transform MAY be used to
- authenticate LLMNR responses. In a small network without a
- certificate authority, this can be most easily accomplished through
- configuration of a group pre-shared key for trusted hosts.
-
-6. IANA Considerations
-
- This specification creates one new name space: the reserved bits in
- the LLMNR header. These are allocated by IETF Consensus, in
- accordance with BCP 26 [RFC2434].
-
- LLMNR requires allocation of port 5355 for both TCP and UDP.
-
- LLMNR requires allocation of link-scope multicast IPv4 address
- 224.0.0.252, as well as link-scope multicast IPv6 address
- FF02:0:0:0:0:0:1:3.
-
-7. References
-
-7.1. Normative References
-
-[RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", RFC 1035, November 1987.
-
-[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
- April 1992.
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 22]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
-[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
-[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC
- 2365, July 1998.
-
-[RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
-[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October
- 1998.
-
-[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
- (IPv6) Specification", RFC 2460, December 1998.
-
-[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
-[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
- August 1999.
-
-[RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission
- Timer", RFC 2988, November 2000.
-
-7.2. Informative References
-
-[RFC1536] Kumar, A., et. al., "DNS Implementation Errors and Suggested
- Fixes", RFC 1536, October 1993.
-
-[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
- March 1997.
-
-[RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
-[RFC2292] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6",
- RFC 2292, February 1998.
-
-[RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic
- Socket Interface Extensions for IPv6", RFC 2553, March 1999.
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 23]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC
- 2937, September 2000.
-
-[RFC3315] Droms, R., et al., "Dynamic Host Configuration Protocol for
- IPv6 (DHCPv6)", RFC 3315, July 2003.
-
-[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of
- Caching", IEEE/ACM Transactions on Networking, Volume 10,
- Number 5, pp. 589, October 2002.
-
-[DNSDisc] Durand, A., Hagino, I. and D. Thaler, "Well known site local
- unicast addresses to communicate with recursive DNS servers",
- Internet draft (work in progress), draft-ietf-ipv6-dns-
- discovery-07.txt, October 2002.
-
-[IPV4Link]
- Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
- of IPv4 Link-Local Addresses", Internet draft (work in
- progress), draft-ietf-zeroconf-ipv4-linklocal-15.txt, May
- 2004.
-
-[POSIX] IEEE Std. 1003.1-2001 Standard for Information Technology --
- Portable Operating System Interface (POSIX). Open Group
- Technical Standard: Base Specifications, Issue 6, December
- 2001. ISO/IEC 9945:2002. http://www.opengroup.org/austin
-
-[LLMNREnable]
- Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work
- in progress), draft-guttman-mdns-enable-02.txt, April 2002.
-
-[NodeInfo]
- Crawford, M., "IPv6 Node Information Queries", Internet draft
- (work in progress), draft-ietf-ipn-gwg-icmp-name-
- lookups-09.txt, May 2002.
-
-Acknowledgments
-
- This work builds upon original work done on multicast DNS by Bill
- Manning and Bill Woodcock. Bill Manning's work was funded under DARPA
- grant #F30602-99-1-0523. The authors gratefully acknowledge their
- contribution to the current specification. Constructive input has
- also been received from Mark Andrews, Stuart Cheshire, Randy Bush,
- Robert Elz, Rob Austein, James Gilroy, Olafur Gudmundsson, Erik
- Guttman, Myron Hattig, Thomas Narten, Christian Huitema, Erik
- Nordmark, Sander Van-Valkenburg, Tomohide Nagashima, Brian Zill,
- Keith Moore and Markku Savela.
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 24]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-Authors' Addresses
-
- Levon Esibov
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
-
- EMail: levone@microsoft.com
-
- Bernard Aboba
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
-
- Phone: +1 425 706 6605
- EMail: bernarda@microsoft.com
-
- Dave Thaler
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
-
- Phone: +1 425 703 8835
- EMail: dthaler@microsoft.com
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 25]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 18 July 2004
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-Open Issues
-
- Open issues with this specification are tracked on the following web
- site:
-
- http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Esibov, Aboba & Thaler Standards Track [Page 26]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-43.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-43.txt
deleted file mode 100644
index 5de6e85ecf65..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-43.txt
+++ /dev/null
@@ -1,1740 +0,0 @@
-
-
-
-
-
-
-DNSEXT Working Group Bernard Aboba
-INTERNET-DRAFT Dave Thaler
-Category: Standards Track Levon Esibov
-<draft-ietf-dnsext-mdns-43.txt> Microsoft Corporation
-29 August 2005
-
- Linklocal Multicast Name Resolution (LLMNR)
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on March 15, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society 2005.
-
-Abstract
-
- The goal of Link-Local Multicast Name Resolution (LLMNR) is to enable
- name resolution in scenarios in which conventional DNS name
- resolution is not possible. LLMNR supports all current and future
- DNS formats, types and classes, while operating on a separate port
- from DNS, and with a distinct resolver cache. Since LLMNR only
- operates on the local link, it cannot be considered a substitute for
- DNS.
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 1]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-Table of Contents
-
-1. Introduction .......................................... 3
- 1.1 Requirements .................................... 4
- 1.2 Terminology ..................................... 4
-2. Name Resolution Using LLMNR ........................... 4
- 2.1 LLMNR Packet Format ............................. 6
- 2.2 Sender Behavior ................................. 9
- 2.3 Responder Behavior .............................. 10
- 2.4 Unicast Queries and Responses ................... 12
- 2.5 Off-link Detection .............................. 13
- 2.6 Responder Responsibilities ...................... 13
- 2.7 Retransmission and Jitter ....................... 14
- 2.8 DNS TTL ......................................... 15
- 2.9 Use of the Authority and Additional Sections .... 15
-3. Usage model ........................................... 16
- 3.1 LLMNR Configuration ............................. 17
-4. Conflict Resolution ................................... 18
- 4.1 Uniqueness Verification ......................... 19
- 4.2 Conflict Detection and Defense .................. 20
- 4.3 Considerations for Multiple Interfaces .......... 21
- 4.4 API issues ...................................... 22
-5. Security Considerations ............................... 22
- 5.1 Denial of Service ............................... 23
- 5.2 Spoofing ...............,........................ 23
- 5.3 Authentication .................................. 24
- 5.4 Cache and Port Separation ....................... 25
-6. IANA considerations ................................... 25
-7. Constants ............................................. 25
-8. References ............................................ 25
- 8.1 Normative References ............................ 25
- 8.2 Informative References .......................... 26
-Acknowledgments .............................................. 27
-Authors' Addresses ........................................... 28
-Intellectual Property Statement .............................. 28
-Disclaimer of Validity ....................................... 29
-Copyright Statement .......................................... 29
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 2]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-1. Introduction
-
- This document discusses Link Local Multicast Name Resolution (LLMNR),
- which is based on the DNS packet format and supports all current and
- future DNS formats, types and classes. LLMNR operates on a separate
- port from the Domain Name System (DNS), with a distinct resolver
- cache.
-
- The goal of LLMNR is to enable name resolution in scenarios in which
- conventional DNS name resolution is not possible. Usage scenarios
- (discussed in more detail in Section 3.1) include situations in which
- hosts are not configured with the address of a DNS server; where the
- DNS server is unavailable or unreachable; where there is no DNS
- server authoritative for the name of a host, or where the
- authoritative DNS server does not have the desired RRs, as described
- in Section 2.
-
- Since LLMNR only operates on the local link, it cannot be considered
- a substitute for DNS. Link-scope multicast addresses are used to
- prevent propagation of LLMNR traffic across routers, potentially
- flooding the network. LLMNR queries can also be sent to a unicast
- address, as described in Section 2.4.
-
- Propagation of LLMNR packets on the local link is considered
- sufficient to enable name resolution in small networks. In such
- networks, if a network has a gateway, then typically the network is
- able to provide DNS server configuration. Configuration issues are
- discussed in Section 3.1.
-
- In the future, it may be desirable to consider use of multicast name
- resolution with multicast scopes beyond the link-scope. This could
- occur if LLMNR deployment is successful, the need arises for
- multicast name resolution beyond the link-scope, or multicast routing
- becomes ubiquitous. For example, expanded support for multicast name
- resolution might be required for mobile ad-hoc networks.
-
- Once we have experience in LLMNR deployment in terms of
- administrative issues, usability and impact on the network, it will
- be possible to reevaluate which multicast scopes are appropriate for
- use with multicast name resolution. IPv4 administratively scoped
- multicast usage is specified in "Administratively Scoped IP
- Multicast" [RFC2365].
-
- Service discovery in general, as well as discovery of DNS servers
- using LLMNR in particular, is outside of the scope of this document,
- as is name resolution over non-multicast capable media.
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 3]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-1.1. Requirements
-
- In this document, several words are used to signify the requirements
- of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
- "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
- and "OPTIONAL" in this document are to be interpreted as described in
- [RFC2119].
-
-1.2. Terminology
-
- This document assumes familiarity with DNS terminology defined in
- [RFC1035]. Other terminology used in this document includes:
-
-Positively Resolved
- Responses with RCODE set to zero are referred to in this document
- as "positively resolved".
-
-Routable Address
- An address other than a Link-Local address. This includes globally
- routable addresses, as well as private addresses.
-
-Reachable
- An LLMNR responder considers one of its addresses reachable over a
- link if it will respond to an ARP or Neighbor Discovery query for
- that address received on that link.
-
-Responder
- A host that listens to LLMNR queries, and responds to those for
- which it is authoritative.
-
-Sender
- A host that sends an LLMNR query.
-
-UNIQUE
- There are some scenarios when multiple responders may respond to
- the same query. There are other scenarios when only one responder
- may respond to a query. Names for which only a single responder is
- anticipated are referred to as UNIQUE. Name uniqueness is
- configured on the responder, and therefore uniqueness verification
- is the responder's responsibility.
-
-2. Name Resolution Using LLMNR
-
- LLMNR is a peer-to-peer name resolution protocol that is not intended
- as a replacement for DNS. LLMNR queries are sent to and received on
- port 5355. The IPv4 link-scope multicast address a given responder
- listens to, and to which a sender sends queries, is 224.0.0.252. The
- IPv6 link-scope multicast address a given responder listens to, and
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 4]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- to which a sender sends all queries, is FF02:0:0:0:0:0:1:3.
-
- Typically a host is configured as both an LLMNR sender and a
- responder. A host MAY be configured as a sender, but not a
- responder. However, a host configured as a responder MUST act as a
- sender, if only to verify the uniqueness of names as described in
- Section 4. This document does not specify how names are chosen or
- configured. This may occur via any mechanism, including DHCPv4
- [RFC2131] or DHCPv6 [RFC3315].
-
- LLMNR usage MAY be configured manually or automatically on a per
- interface basis. By default, LLMNR responders SHOULD be enabled on
- all interfaces, at all times. Enabling LLMNR for use in situations
- where a DNS server has been configured will result in a change in
- default behavior without a simultaneous update to configuration
- information. Where this is considered undesirable, LLMNR SHOULD NOT
- be enabled by default, so that hosts will neither listen on the link-
- scope multicast address, nor will they send queries to that address.
-
- By default, LLMNR queries MAY be sent only when one of the following
- conditions are met:
-
- [1] No manual or automatic DNS configuration has been performed.
- If DNS server address(es) have been configured, then LLMNR
- SHOULD NOT be used as the primary name resolution mechanism,
- although it MAY be used as a secondary name resolution
- mechanism. A dual stack host SHOULD attempt to reach DNS
- servers overall protocols on which DNS server address(es) are
- configured, prior to sending LLMNR queries. For dual stack
- hosts configured with DNS server address(es) for one protocol
- but not another, this inplies that DNS queries SHOULD be sent
- over the protocol configured with a DNS server, prior to
- sending LLMNR queries.
-
- [2] All attempts to resolve the name via DNS on all interfaces
- have failed after exhausting the searchlist. This can occur
- because DNS servers did not respond, or because they
- responded to DNS queries with RCODE=3 (Authoritative Name
- Error) or RCODE=0, and an empty answer section. Where a
- single resolver call generates DNS queries for A and AAAA RRs,
- an implementation MAY choose not to send LLMNR queries if any
- of the DNS queries is successful. An LLMNR query SHOULD only
- be sent for the originally requested name; a searchlist
- is not used to form additional LLMNR queries.
-
- While these conditions are necessary for sending an LLMNR query, they
- are not sufficient. While an LLMNR sender MAY send a query for any
- name, it also MAY impose additional conditions on sending LLMNR
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 5]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- queries. For example, a sender configured with a DNS server MAY send
- LLMNR queries only for unqualified names and for fully qualified
- domain names within configured zones.
-
- A typical sequence of events for LLMNR usage is as follows:
-
- [a] DNS servers are not configured or attempts to resolve the
- name via DNS have failed, after exhausting the searchlist.
- Also, the name to be queried satisfies the restrictions
- imposed by the implementation.
-
- [b] An LLMNR sender sends an LLMNR query to the link-scope
- multicast address(es), unless a unicast query is indicated,
- as specified in Section 2.4.
-
- [c] A responder responds to this query only if it is authoritative
- for the domain name in the query. A responder responds to a
- multicast query by sending a unicast UDP response to the sender.
- Unicast queries are responded to as indicated in Section 2.4.
-
- [d] Upon reception of the response, the sender processes it.
-
- The sections that follow provide further details on sender and
- responder behavior.
-
-2.1. LLMNR Packet Format
-
- LLMNR is based on the DNS packet format defined in [RFC1035] Section
- 4 for both queries and responses. LLMNR implementations SHOULD send
- UDP queries and responses only as large as are known to be
- permissible without causing fragmentation. When in doubt a maximum
- packet size of 512 octets SHOULD be used. LLMNR implementations MUST
- accept UDP queries and responses as large as the smaller of the link
- MTU or 9194 octets (Ethernet jumbo frame size of 9KB (9216) minus 22
- octets for the header, VLAN tag and CRC).
-
-2.1.1. LLMNR Header Format
-
- LLMNR queries and responses utilize the DNS header format defined in
- [RFC1035] with exceptions noted below:
-
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 6]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ID |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- |QR| Opcode | C|TC| T| Z| Z| Z| Z| RCODE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QDCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ANCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | NSCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ARCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- where:
-
-ID A 16 bit identifier assigned by the program that generates any kind
- of query. This identifier is copied from the query to the response
- and can be used by the sender to match responses to outstanding
- queries. The ID field in a query SHOULD be set to a pseudo-random
- value. For advice on generation of pseudo-random values, please
- consult [RFC1750].
-
-QR Query/Response. A one bit field, which if set indicates that the
- message is an LLMNR response; if clear then the message is an LLMNR
- query.
-
-OPCODE
- A four bit field that specifies the kind of query in this message.
- This value is set by the originator of a query and copied into the
- response. This specification defines the behavior of standard
- queries and responses (opcode value of zero). Future
- specifications may define the use of other opcodes with LLMNR.
- LLMNR senders and responders MUST support standard queries (opcode
- value of zero). LLMNR queries with unsupported OPCODE values MUST
- be silently discarded by responders.
-
-C Conflict. When set within a request, the 'C'onflict bit indicates
- that a sender has received multiple LLMNR responses to this query.
- In an LLMNR response, if the name is considered UNIQUE, then the
- 'C' bit is clear, otherwise it is set. LLMNR senders do not
- retransmit queries with the 'C' bit set. Responders MUST NOT
- respond to LLMNR queries with the 'C' bit set, but may start the
- uniqueness verification process, as described in Section 4.2.
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 7]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-TC TrunCation - specifies that this message was truncated due to
- length greater than that permitted on the transmission channel.
- The TC bit MUST NOT be set in an LLMNR query and if set is ignored
- by an LLMNR responder. If the TC bit is set in an LLMNR response,
- then the sender SHOULD discard the response and resend the LLMNR
- query over TCP using the unicast address of the responder as the
- destination address. See [RFC2181] and Section 2.4 of this
- specification for further discussion of the TC bit.
-
-T Tentative. The 'T'entative bit is set in a response if the
- responder is authoritative for the name, but has not yet verified
- the uniqueness of the name. A responder MUST ignore the 'T' bit in
- a query, if set. A response with the 'T' bit set is silently
- discarded by the sender, except if it is a uniqueness query, in
- which case a conflict has been detected and a responder MUST
- resolve the conflict as described in Section 4.1.
-
-Z Reserved for future use. Implementations of this specification
- MUST set these bits to zero in both queries and responses. If
- these bits are set in a LLMNR query or response, implementations of
- this specification MUST ignore them. Since reserved bits could
- conceivably be used for different purposes than in DNS,
- implementors are advised not to enable processing of these bits in
- an LLMNR implementation starting from a DNS code base.
-
-RCODE
- Response code -- this 4 bit field is set as part of LLMNR
- responses. In an LLMNR query, the sender MUST set RCODE to zero;
- the responder ignores the RCODE and assumes it to be zero. The
- response to a multicast LLMNR query MUST have RCODE set to zero. A
- sender MUST silently discard an LLMNR response with a non-zero
- RCODE sent in response to a multicast query.
-
- If an LLMNR responder is authoritative for the name in a multicast
- query, but an error is encountered, the responder SHOULD send an
- LLMNR response with an RCODE of zero, no RRs in the answer section,
- and the TC bit set. This will cause the query to be resent using
- TCP, and allow the inclusion of a non-zero RCODE in the response to
- the TCP query. Responding with the TC bit set is preferable to not
- sending a response, since it enables errors to be diagnosed.
- Errors include those defined in [RFC2845], such as BADSIG(16),
- BADKEY(17) and BADTIME(18).
-
- Since LLMNR responders only respond to LLMNR queries for names for
- which they are authoritative, LLMNR responders MUST NOT respond
- with an RCODE of 3; instead, they should not respond at all.
-
- LLMNR implementations MUST support EDNS0 [RFC2671] and extended
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 8]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- RCODE values.
-
-QDCOUNT
- An unsigned 16 bit integer specifying the number of entries in the
- question section. A sender MUST place only one question into the
- question section of an LLMNR query. LLMNR responders MUST silently
- discard LLMNR queries with QDCOUNT not equal to one. LLMNR senders
- MUST silently discard LLMNR responses with QDCOUNT not equal to
- one.
-
-ANCOUNT
- An unsigned 16 bit integer specifying the number of resource
- records in the answer section. LLMNR responders MUST silently
- discard LLMNR queries with ANCOUNT not equal to zero.
-
-NSCOUNT
- An unsigned 16 bit integer specifying the number of name server
- resource records in the authority records section. Authority
- record section processing is described in Section 2.9. LLMNR
- responders MUST silently discard LLMNR queries with NSCOUNT not
- equal to zero.
-
-ARCOUNT
- An unsigned 16 bit integer specifying the number of resource
- records in the additional records section. Additional record
- section processing is described in Section 2.9.
-
-2.2. Sender Behavior
-
- A sender MAY send an LLMNR query for any legal resource record type
- (e.g., A, AAAA, PTR, SRV, etc.) to the link-scope multicast address.
- As described in Section 2.4, a sender MAY also send a unicast query.
-
- The sender MUST anticipate receiving no replies to some LLMNR
- queries, in the event that no responders are available within the
- link-scope. If no response is received, a resolver treats it as a
- response that the name does not exist (RCODE=3 is returned). A
- sender can handle duplicate responses by discarding responses with a
- source IP address and ID field that duplicate a response already
- received.
-
- When multiple valid LLMNR responses are received with the 'C' bit
- set, they SHOULD be concatenated and treated in the same manner that
- multiple RRs received from the same DNS server would be. However,
- responses with the 'C' bit set SHOULD NOT be concatenated with
- responses with the 'C' bit clear; instead, only the responses with
- the 'C' bit set SHOULD be returned. If valid LLMNR response(s) are
- received along with error response(s), then the error responses are
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 9]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- silently discarded.
-
- If error responses are received from both DNS and LLMNR, then the
- lowest RCODE value should be returned. For example, if either DNS or
- LLMNR receives a response with RCODE=0, then this should returned to
- the caller.
-
- Since the responder may order the RRs in the response so as to
- indicate preference, the sender SHOULD preserve ordering in the
- response to the querying application.
-
-2.3. Responder Behavior
-
- An LLMNR response MUST be sent to the sender via unicast.
-
- Upon configuring an IP address, responders typically will synthesize
- corresponding A, AAAA and PTR RRs so as to be able to respond to
- LLMNR queries for these RRs. An SOA RR is synthesized only when a
- responder has another RR in addition to the SOA RR; the SOA RR MUST
- NOT be the only RR that a responder has. However, in general whether
- RRs are manually or automatically created is an implementation
- decision.
-
- For example, a host configured to have computer name "host1" and to
- be a member of the "example.com" domain, and with IPv4 address
- 192.0.2.1 and IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6 might be
- authoritative for the following records:
-
- host1. IN A 192.0.2.1
- IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
-
- host1.example.com. IN A 192.0.2.1
- IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
-
- 1.2.0.192.in-addr.arpa. IN PTR host1.
- IN PTR host1.example.com.
-
- 6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.
- ip6.arpa IN PTR host1. (line split for formatting reasons)
- IN PTR host1.example.com.
-
- An LLMNR responder might be further manually configured with the name
- of a local mail server with an MX RR included in the "host1." and
- "host1.example.com." records.
-
- In responding to queries:
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 10]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-[a] Responders MUST listen on UDP port 5355 on the link-scope multicast
- address(es) defined in Section 2, and on UDP and TCP port 5355 on
- the unicast address(es) that could be set as the source address(es)
- when the responder responds to the LLMNR query.
-
-[b] Responders MUST direct responses to the port from which the query
- was sent. When queries are received via TCP this is an inherent
- part of the transport protocol. For queries received by UDP the
- responder MUST take note of the source port and use that as the
- destination port in the response. Responses MUST always be sent
- from the port to which they were directed.
-
-[c] Responders MUST respond to LLMNR queries for names and addresses
- they are authoritative for. This applies to both forward and
- reverse lookups, with the exception of queries with the 'C' bit
- set, which do not elicit a response.
-
-[d] Responders MUST NOT respond to LLMNR queries for names they are not
- authoritative for.
-
-[e] Responders MUST NOT respond using data from the LLMNR or DNS
- resolver cache.
-
-[f] If a DNS server is running on a host that supports LLMNR, the DNS
- server MUST respond to LLMNR queries only for the RRSets relating
- to the host on which the server is running, but MUST NOT respond
- for other records for which the server is authoritative. DNS
- servers also MUST NOT send LLMNR queries in order to resolve DNS
- queries.
-
-[g] If a responder is authoritative for a name, it MUST respond with
- RCODE=0 and an empty answer section, if the type of query does not
- match a RR that the responder has.
-
- As an example, a host configured to respond to LLMNR queries for the
- name "foo.example.com." is authoritative for the name
- "foo.example.com.". On receiving an LLMNR query for an A RR with the
- name "foo.example.com." the host authoritatively responds with A
- RR(s) that contain IP address(es) in the RDATA of the resource
- record. If the responder has a AAAA RR, but no A RR, and an A RR
- query is received, the responder would respond with RCODE=0 and an
- empty answer section.
-
- In conventional DNS terminology a DNS server authoritative for a zone
- is authoritative for all the domain names under the zone apex except
- for the branches delegated into separate zones. Contrary to
- conventional DNS terminology, an LLMNR responder is authoritative
- only for the zone apex.
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 11]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- For example the host "foo.example.com." is not authoritative for the
- name "child.foo.example.com." unless the host is configured with
- multiple names, including "foo.example.com." and
- "child.foo.example.com.". As a result, "foo.example.com." cannot
- reply to an LLMNR query for "child.foo.example.com." with RCODE=3
- (authoritative name error). The purpose of limiting the name
- authority scope of a responder is to prevent complications that could
- be caused by coexistence of two or more hosts with the names
- representing child and parent (or grandparent) nodes in the DNS tree,
- for example, "foo.example.com." and "child.foo.example.com.".
-
- Without the restriction on authority an LLMNR query for an A resource
- record for the name "child.foo.example.com." would result in two
- authoritative responses: RCODE=3 (authoritative name error) received
- from "foo.example.com.", and a requested A record - from
- "child.foo.example.com.". To prevent this ambiguity, LLMNR enabled
- hosts could perform a dynamic update of the parent (or grandparent)
- zone with a delegation to a child zone; for example a host
- "child.foo.example.com." could send a dynamic update for the NS and
- glue A record to "foo.example.com.". However, this approach
- significantly complicates implementation of LLMNR and would not be
- acceptable for lightweight hosts.
-
-2.4. Unicast Queries and Responses
-
- Unicast queries SHOULD be sent when:
-
- [a] A sender repeats a query after it received a response
- with the TC bit set to the previous LLMNR multicast query, or
-
- [b] The sender queries for a PTR RR of a fully formed IP address
- within the "in-addr.arpa" or "ip6.arpa" zones.
-
- Unicast LLMNR queries MUST be done using TCP and the responses MUST
- be sent using the same TCP connection as the query. Senders MUST
- support sending TCP queries, and responders MUST support listening
- for TCP queries. If the sender of a TCP query receives a response to
- that query not using TCP, the response MUST be silently discarded.
-
- Unicast UDP queries MUST be silently discarded.
-
- If TCP connection setup cannot be completed in order to send a
- unicast TCP query, this is treated as a response that no records of
- the specified type and class exist for the specified name (it is
- treated the same as a response with RCODE=0 and an empty answer
- section).
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 12]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-2.5. "Off link" Detection
-
- A sender MUST select a source address for LLMNR queries that is
- assigned on the interface on which the query is sent. The
- destination address of an LLMNR query MUST be a link-scope multicast
- address or a unicast address.
-
- A responder MUST select a source address for responses that is
- assigned on the interface on which the query was received. The
- destination address of an LLMNR response MUST be a unicast address.
-
- On receiving an LLMNR query, the responder MUST check whether it was
- sent to a LLMNR multicast addresses defined in Section 2. If it was
- sent to another multicast address, then the query MUST be silently
- discarded.
-
- Section 2.4 discusses use of TCP for LLMNR queries and responses. In
- composing an LLMNR query using TCP, the sender MUST set the Hop Limit
- field in the IPv6 header and the TTL field in the IPv4 header of the
- response to one (1). The responder SHOULD set the TTL or Hop Limit
- settings on the TCP listen socket to one (1) so that SYN-ACK packets
- will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This
- prevents an incoming connection from off-link since the sender will
- not receive a SYN-ACK from the responder.
-
- For UDP queries and responses, the Hop Limit field in the IPv6 header
- and the TTL field in the IPV4 header MAY be set to any value.
- However, it is RECOMMENDED that the value 255 be used for
- compatibility with Apple Bonjour [Bonjour].
-
- Implementation note:
-
- In the sockets API for IPv4 [POSIX], the IP_TTL and
- IP_MULTICAST_TTL socket options are used to set the TTL of
- outgoing unicast and multicast packets. The IP_RECVTTL socket
- option is available on some platforms to retrieve the IPv4 TTL of
- received packets with recvmsg(). [RFC2292] specifies similar
- options for setting and retrieving the IPv6 Hop Limit.
-
-2.6. Responder Responsibilities
-
- It is the responsibility of the responder to ensure that RRs returned
- in LLMNR responses MUST only include values that are valid on the
- local interface, such as IPv4 or IPv6 addresses valid on the local
- link or names defended using the mechanism described in Section 4.
- IPv4 Link-Local addresses are defined in [RFC3927]. IPv6 Link-Local
- addresses are defined in [RFC2373]. In particular:
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 13]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- [a] If a link-scope IPv6 address is returned in a AAAA RR,
- that address MUST be valid on the local link over which
- LLMNR is used.
-
- [b] If an IPv4 address is returned, it MUST be reachable
- through the link over which LLMNR is used.
-
- [c] If a name is returned (for example in a CNAME, MX
- or SRV RR), the name MUST be resolvable on the local
- link over which LLMNR is used.
-
- Where multiple addresses represent valid responses to a query, the
- order in which the addresses are returned is as follows:
-
- [d] If the source address of the query is a link-scope address,
- then the responder SHOULD include a link-scope address first
- in the response, if available.
-
- [e] If the source address of the query is a routable address,
- then the responder MUST include a routable address first
- in the response, if available.
-
-2.7. Retransmission and Jitter
-
- An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine
- when to retransmit an LLMNR query. An LLMNR sender SHOULD either
- estimate the LLMNR_TIMEOUT for each interface, or set a reasonably
- high initial timeout. Suggested constants are described in Section
- 7.
-
- If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT,
- then a sender SHOULD repeat the transmission of the query in order to
- assure that it was received by a host capable of responding to it,
- while increasing the value of LLMNR_TIMEOUT exponentially. An LLMNR
- query SHOULD NOT be sent more than three times.
-
- Where LLMNR queries are sent using TCP, retransmission is handled by
- the transport layer. Queries with the 'C' bit set MUST be sent using
- multicast UDP and MUST NOT be retransmitted.
-
- An LLMNR sender cannot know in advance if a query sent using
- multicast will receive no response, one response, or more than one
- response. An LLMNR sender MUST wait for LLMNR_TIMEOUT if no response
- has been received, or if it is necessary to collect all potential
- responses, such as if a uniqueness verification query is being made.
- Otherwise an LLMNR sender SHOULD consider a multicast query answered
- after the first response is received, if that response has the 'C'
- bit clear.
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 14]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- However, if the first response has the 'C' bit set, then the sender
- SHOULD wait for LLMNR_TIMEOUT in order to collect all possible
- responses. When multiple valid answers are received, they may first
- be concatenated, and then treated in the same manner that multiple
- RRs received from the same DNS server would. A unicast query sender
- considers the query answered after the first response is received, so
- that it only waits for LLMNR_TIMEOUT if no response has been
- received.
-
- Since it is possible for a response with the 'C' bit clear to be
- followed by a response with the 'C' bit set, an LLMNR sender SHOULD
- be prepared to process additional responses for the purposes of
- conflict detection and LLMNR_TIMEOUT estimation, even after it has
- considered a query answered.
-
- In order to avoid synchronization, the transmission of each LLMNR
- query and response SHOULD delayed by a time randomly selected from
- the interval 0 to JITTER_INTERVAL. This delay MAY be avoided by
- responders responding with names which they have previously
- determined to be UNIQUE (see Section 4 for details).
-
-2.8. DNS TTL
-
- The responder should insert a pre-configured TTL value in the records
- returned in an LLMNR response. A default value of 30 seconds is
- RECOMMENDED. In highly dynamic environments (such as mobile ad-hoc
- networks), the TTL value may need to be reduced.
-
- Due to the TTL minimalization necessary when caching an RRset, all
- TTLs in an RRset MUST be set to the same value.
-
-2.9. Use of the Authority and Additional Sections
-
- Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a
- concept of delegation. In LLMNR, the NS resource record type may be
- stored and queried for like any other type, but it has no special
- delegation semantics as it does in the DNS. Responders MAY have NS
- records associated with the names for which they are authoritative,
- but they SHOULD NOT include these NS records in the authority
- sections of responses.
-
- Responders SHOULD insert an SOA record into the authority section of
- a negative response, to facilitate negative caching as specified in
- [RFC2308]. The TTL of this record is set from the minimum of the
- MINIMUM field of the SOA record and the TTL of the SOA itself, and
- indicates how long a resolver may cache the negative answer. The
- owner name of the SOA record (MNAME) MUST be set to the query name.
- The RNAME, SERIAL, REFRESH, RETRY and EXPIRE values MUST be ignored
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 15]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- by senders. Negative responses without SOA records SHOULD NOT be
- cached.
-
- In LLMNR, the additional section is primarily intended for use by
- EDNS0, TSIG and SIG(0). As a result, unless the 'C' bit is set,
- senders MAY only include pseudo RR-types in the additional section of
- a query; unless the 'C' bit is set, responders MUST ignore the
- additional section of queries containing other RR types.
-
- In queries where the 'C' bit is set, the sender SHOULD include the
- conflicting RRs in the additional section. Since conflict
- notifications are advisory, responders SHOULD log information from
- the additional section, but otherwise MUST ignore the additional
- section.
-
- Senders MUST NOT cache RRs from the authority or additional section
- of a response as answers, though they may be used for other purposes
- such as negative caching.
-
-3. Usage Model
-
- Since LLMNR is a secondary name resolution mechanism, its usage is in
- part determined by the behavior of DNS implementations. This
- document does not specify any changes to DNS resolver behavior, such
- as searchlist processing or retransmission/failover policy. However,
- robust DNS resolver implementations are more likely to avoid
- unnecessary LLMNR queries.
-
- As noted in [DNSPerf], even when DNS servers are configured, a
- significant fraction of DNS queries do not receive a response, or
- result in negative responses due to missing inverse mappings or NS
- records that point to nonexistent or inappropriate hosts. This has
- the potential to result in a large number of unnecessary LLMNR
- queries.
-
- [RFC1536] describes common DNS implementation errors and fixes. If
- the proposed fixes are implemented, unnecessary LLMNR queries will be
- reduced substantially, and so implementation of [RFC1536] is
- recommended.
-
- For example, [RFC1536] Section 1 describes issues with retransmission
- and recommends implementation of a retransmission policy based on
- round trip estimates, with exponential backoff. [RFC1536] Section 4
- describes issues with failover, and recommends that resolvers try
- another server when they don't receive a response to a query. These
- policies are likely to avoid unnecessary LLMNR queries.
-
- [RFC1536] Section 3 describes zero answer bugs, which if addressed
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 16]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- will also reduce unnecessary LLMNR queries.
-
- [RFC1536] Section 6 describes name error bugs and recommended
- searchlist processing that will reduce unnecessary RCODE=3
- (authoritative name) errors, thereby also reducing unnecessary LLMNR
- queries.
-
-3.1. LLMNR Configuration
-
- Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
- possible for a dual stack host to be configured with the address of a
- DNS server over IPv4, while remaining unconfigured with a DNS server
- suitable for use over IPv6.
-
- In these situations, a dual stack host will send AAAA queries to the
- configured DNS server over IPv4. However, an IPv6-only host
- unconfigured with a DNS server suitable for use over IPv6 will be
- unable to resolve names using DNS. Automatic IPv6 DNS configuration
- mechanisms (such as [RFC3315] and [DNSDisc]) are not yet widely
- deployed, and not all DNS servers support IPv6. Therefore lack of
- IPv6 DNS configuration may be a common problem in the short term, and
- LLMNR may prove useful in enabling link-local name resolution over
- IPv6.
-
- Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315],
- IPv6-only hosts may not be configured with a DNS server. Where there
- is no DNS server authoritative for the name of a host or the
- authoritative DNS server does not support dynamic client update over
- IPv6 or DHCPv6-based dynamic update, then an IPv6-only host will not
- be able to do DNS dynamic update, and other hosts will not be able to
- resolve its name.
-
- For example, if the configured DNS server responds to a AAAA RR query
- sent over IPv4 or IPv6 with an authoritative name error (RCODE=3) or
- RCODE=0 and an empty answer section, then a AAAA RR query sent using
- LLMNR over IPv6 may be successful in resolving the name of an
- IPv6-only host on the local link.
-
- Similarly, if a DHCPv4 server is available providing DNS server
- configuration, and DNS server(s) exist which are authoritative for
- the A RRs of local hosts and support either dynamic client update
- over IPv4 or DHCPv4-based dynamic update, then the names of local
- IPv4 hosts can be resolved over IPv4 without LLMNR. However, if no
- DNS server is authoritative for the names of local hosts, or the
- authoritative DNS server(s) do not support dynamic update, then LLMNR
- enables linklocal name resolution over IPv4.
-
- Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 17]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- configure LLMNR on an interface. The LLMNR Enable Option, described
- in [LLMNREnable], can be used to explicitly enable or disable use of
- LLMNR on an interface. The LLMNR Enable Option does not determine
- whether or in which order DNS itself is used for name resolution.
- The order in which various name resolution mechanisms should be used
- can be specified using the Name Service Search Option (NSSO) for DHCP
- [RFC2937], using the LLMNR Enable Option code carried in the NSSO
- data.
-
- It is possible that DNS configuration mechanisms will go in and out
- of service. In these circumstances, it is possible for hosts within
- an administrative domain to be inconsistent in their DNS
- configuration.
-
- For example, where DHCP is used for configuring DNS servers, one or
- more DHCP servers can fail. As a result, hosts configured prior to
- the outage will be configured with a DNS server, while hosts
- configured after the outage will not. Alternatively, it is possible
- for the DNS configuration mechanism to continue functioning while
- configured DNS servers fail.
-
- An outage in the DNS configuration mechanism may result in hosts
- continuing to use LLMNR even once the outage is repaired. Since
- LLMNR only enables linklocal name resolution, this represents a
- degradation in capabilities. As a result, hosts without a configured
- DNS server may wish to periodically attempt to obtain DNS
- configuration if permitted by the configuration mechanism in use. In
- the absence of other guidance, a default retry interval of one (1)
- minute is RECOMMENDED.
-
-4. Conflict Resolution
-
- By default, a responder SHOULD be configured to behave as though its
- name is UNIQUE on each interface on which LLMNR is enabled. However,
- it is also possible to configure multiple responders to be
- authoritative for the same name. For example, multiple responders
- MAY respond to a query for an A or AAAA type record for a cluster
- name (assigned to multiple hosts in the cluster).
-
- To detect duplicate use of a name, an administrator can use a name
- resolution utility which employs LLMNR and lists both responses and
- responders. This would allow an administrator to diagnose behavior
- and potentially to intervene and reconfigure LLMNR responders who
- should not be configured to respond to the same name.
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 18]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-4.1. Uniqueness Verification
-
- Prior to sending an LLMNR response with the 'T' bit clear, a
- responder configured with a UNIQUE name MUST verify that there is no
- other host within the scope of LLMNR query propagation that is
- authoritative for the same name on that interface.
-
- Once a responder has verified that its name is UNIQUE, if it receives
- an LLMNR query for that name, with the 'C' bit clear, it MUST
- respond, with the 'T' bit clear. Prior to verifying that its name is
- UNIQUE, a responder MUST set the 'T' bit in responses.
-
- Uniqueness verification is carried out when the host:
-
- - starts up or is rebooted
- - wakes from sleep (if the network interface was inactive
- during sleep)
- - is configured to respond to LLMNR queries on an interface
- enabled for transmission and reception of IP traffic
- - is configured to respond to LLMNR queries using additional
- UNIQUE resource records
- - verifies the acquisition of a new IP address and configuration
- on an interface
-
- To verify uniqueness, a responder MUST send an LLMNR query with the
- 'C' bit clear, over all protocols on which it responds to LLMNR
- queries (IPv4 and/or IPv6). It is RECOMMENDED that responders verify
- uniqueness of a name by sending a query for the name with type='ANY'.
-
- If no response is received, the sender retransmits the query, as
- specified in Section 2.7. If a response is received, the sender MUST
- check if the source address matches the address of any of its
- interfaces; if so, then the response is not considered a conflict,
- since it originates from the sender. To avoid triggering conflict
- detection, a responder that detects that it is connected to the same
- link on multiple interfaces SHOULD set the 'C' bit in responses.
-
- If a response is received with the 'T' bit clear, the responder MUST
- NOT use the name in response to LLMNR queries received over any
- protocol (IPv4 or IPv6). If a response is received with the 'T' bit
- set, the responder MUST check if the source IP address in the
- response, interpreted as an unsigned integer, is less than the source
- IP address in the query. If so, the responder MUST NOT use the name
- in response to LLMNR queries received over any protocol (IPv4 or
- IPv6). For the purpose of uniqueness verification, the contents of
- the answer section in a response is irrelevant.
-
- Periodically carrying out uniqueness verification in an attempt to
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 19]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- detect name conflicts is not necessary, wastes network bandwidth, and
- may actually be detrimental. For example, if network links are
- joined only briefly, and are separated again before any new
- communication is initiated, temporary conflicts are benign and no
- forced reconfiguration is required. LLMNR responders SHOULD NOT
- periodically attempt uniqueness verification.
-
-4.2. Conflict Detection and Defense
-
- Hosts on disjoint network links may configure the same name for use
- with LLMNR. If these separate network links are later joined or
- bridged together, then there may be multiple hosts which are now on
- the same link, trying to use the same name.
-
- In order to enable ongoing detection of name conflicts, when an LLMNR
- sender receives multiple LLMNR responses to a query, it MUST check if
- the 'C' bit is clear in any of the responses. If so, the sender
- SHOULD send another query for the same name, type and class, this
- time with the 'C' bit set, with the potentially conflicting resource
- records included in the additional section.
-
- Queries with the 'C' bit set are considered advisory and responders
- MUST verify the existence of a conflict before acting on it. A
- responder receiving a query with the 'C' bit set MUST NOT respond.
-
- If the query is for a UNIQUE name, then the responder MUST send its
- own query for the same name, type and class, with the 'C' bit clear.
- If a response is received, the sender MUST check if the source
- address matches the address of any of its interfaces; if so, then the
- response is not considered a conflict, since it originates from the
- sender. To avoid triggering conflict detection, a responder that
- detects that it is connected to the same link on multiple interfaces
- SHOULD set the 'C' bit in responses.
-
- An LLMNR responder MUST NOT ignore conflicts once detected and SHOULD
- log them. Upon detecting a conflict, an LLMNR responder MUST
- immediately stop using the conflicting name in response to LLMNR
- queries received over any supported protocol, if the source IP
- address in the response, interpreted as an unsigned integer, is less
- than the source IP address in the uniqueness verification query.
-
- After stopping the use of a name, the responder MAY elect to
- configure a new name. However, since name reconfiguration may be
- disruptive, this is not required, and a responder may have been
- configured to respond to multiple names so that alternative names may
- already be available. A host that has stopped the use of a name may
- attempt uniqueness verification again after the expiration of the TTL
- of the conflicting response.
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 20]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-4.3. Considerations for Multiple Interfaces
-
- A multi-homed host may elect to configure LLMNR on only one of its
- active interfaces. In many situations this will be adequate.
- However, should a host need to configure LLMNR on more than one of
- its active interfaces, there are some additional precautions it MUST
- take. Implementers who are not planning to support LLMNR on multiple
- interfaces simultaneously may skip this section.
-
- Where a host is configured to issue LLMNR queries on more than one
- interface, each interface maintains its own independent LLMNR
- resolver cache, containing the responses to LLMNR queries.
-
- A multi-homed host checks the uniqueness of UNIQUE records as
- described in Section 4. The situation is illustrated in figure 1.
-
- ---------- ----------
- | | | |
- [A] [myhost] [myhost]
-
- Figure 1. Link-scope name conflict
-
- In this situation, the multi-homed myhost will probe for, and defend,
- its host name on both interfaces. A conflict will be detected on one
- interface, but not the other. The multi-homed myhost will not be
- able to respond with a host RR for "myhost" on the interface on the
- right (see Figure 1). The multi-homed host may, however, be
- configured to use the "myhost" name on the interface on the left.
-
- Since names are only unique per-link, hosts on different links could
- be using the same name. If an LLMNR client sends requests over
- multiple interfaces, and receives replies from more than one, the
- result returned to the client is defined by the implementation. The
- situation is illustrated in figure 2.
-
- ---------- ----------
- | | | |
- [A] [myhost] [A]
-
-
- Figure 2. Off-segment name conflict
-
- If host myhost is configured to use LLMNR on both interfaces, it will
- send LLMNR queries on both interfaces. When host myhost sends a
- query for the host RR for name "A" it will receive a response from
- hosts on both interfaces.
-
- Host myhost cannot distinguish between the situation shown in Figure
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 21]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- 2, and that shown in Figure 3 where no conflict exists.
-
- [A]
- | |
- ----- -----
- | |
- [myhost]
-
- Figure 3. Multiple paths to same host
-
- This illustrates that the proposed name conflict resolution mechanism
- does not support detection or resolution of conflicts between hosts
- on different links. This problem can also occur with DNS when a
- multi-homed host is connected to two different networks with
- separated name spaces. It is not the intent of this document to
- address the issue of uniqueness of names within DNS.
-
-4.4. API Issues
-
- [RFC2553] provides an API which can partially solve the name
- ambiguity problem for applications written to use this API, since the
- sockaddr_in6 structure exposes the scope within which each scoped
- address exists, and this structure can be used for both IPv4 (using
- v4-mapped IPv6 addresses) and IPv6 addresses.
-
- Following the example in Figure 2, an application on 'myhost' issues
- the request getaddrinfo("A", ...) with ai_family=AF_INET6 and
- ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both
- interfaces and the resolver library will return a list containing
- multiple addrinfo structures, each with an associated sockaddr_in6
- structure. This list will thus contain the IPv4 and IPv6 addresses
- of both hosts responding to the name 'A'. Link-local addresses will
- have a sin6_scope_id value that disambiguates which interface is used
- to reach the address. Of course, to the application, Figures 2 and 3
- are still indistinguishable, but this API allows the application to
- communicate successfully with any address in the list.
-
-5. Security Considerations
-
- LLMNR is a peer-to-peer name resolution protocol designed for use on
- the local link. While LLMNR limits the vulnerability of responders
- to off-link senders, it is possible for an off-link responder to
- reach a sender.
-
- In scenarios such as public "hotspots" attackers can be present on
- the same link. These threats are most serious in wireless networks
- such as 802.11, since attackers on a wired network will require
- physical access to the network, while wireless attackers may mount
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 22]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- attacks from a distance. Link-layer security such as [IEEE-802.11i]
- can be of assistance against these threats if it is available.
-
- This section details security measures available to mitigate threats
- from on and off-link attackers.
-
-5.1. Denial of Service
-
- Attackers may take advantage of LLMNR conflict detection by
- allocating the same name, denying service to other LLMNR responders
- and possibly allowing an attacker to receive packets destined for
- other hosts. By logging conflicts, LLMNR responders can provide
- forensic evidence of these attacks.
-
- An attacker may spoof LLMNR queries from a victim's address in order
- to mount a denial of service attack. Responders setting the IPv6 Hop
- Limit or IPv4 TTL field to a value larger than one in an LLMNR UDP
- response may be able to reach the victim across the Internet.
-
- While LLMNR responders only respond to queries for which they are
- authoritative and LLMNR does not provide wildcard query support, an
- LLMNR response may be larger than the query, and an attacker can
- generate multiple responses to a query for a name used by multiple
- responders. A sender may protect itself against unsolicited
- responses by silently discarding them as rapidly as possible.
-
-5.2. Spoofing
-
- LLMNR is designed to prevent reception of queries sent by an off-link
- attacker. LLMNR requires that responders receiving UDP queries check
- that they are sent to a link-scope multicast address. However, it is
- possible that some routers may not properly implement link-scope
- multicast, or that link-scope multicast addresses may leak into the
- multicast routing system. To prevent successful setup of TCP
- connections by an off-link sender, responders receiving a TCP SYN
- reply with a TCP SYN-ACK with TTL set to one (1).
-
- While it is difficult for an off-link attacker to send an LLMNR query
- to a responder, it is possible for an off-link attacker to spoof a
- response to a query (such as an A or AAAA query for a popular
- Internet host), and by using a TTL or Hop Limit field larger than one
- (1), for the forged response to reach the LLMNR sender. Since the
- forged response will only be accepted if it contains a matching ID
- field, choosing a pseudo-random ID field within queries provides some
- protection against off-link responders.
-
- Since LLMNR queries can be sent when DNS server(s) do not respond, an
- attacker can execute a denial of service attack on the DNS server(s)
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 23]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- and then poison the LLMNR cache by responding to an LLMNR query with
- incorrect information. As noted in "Threat Analysis of the Domain
- Name System (DNS)" [RFC3833] these threats also exist with DNS, since
- DNS response spoofing tools are available that can allow an attacker
- to respond to a query more quickly than a distant DNS server.
- However, while switched networks or link layer security may make it
- difficult for an on-link attacker to snoop unicast DNS queries,
- multicast LLMNR queries are propagated to all hosts on the link,
- making it possible for an on-link attacker to spoof LLMNR responses
- without having to guess the value of the ID field in the query.
-
- Since LLMNR queries are sent and responded to on the local-link, an
- attacker will need to respond more quickly to provide its own
- response prior to arrival of the response from a legitimate
- responder. If an LLMNR query is sent for an off-link host, spoofing
- a response in a timely way is not difficult, since a legitimate
- response will never be received.
-
- Limiting the situations in which LLMNR queries are sent, as described
- in Section 2, is the best protection against these attacks. If LLMNR
- is given higher priority than DNS among the enabled name resolution
- mechanisms, a denial of service attack on the DNS server would not be
- necessary in order to poison the LLMNR cache, since LLMNR queries
- would be sent even when the DNS server is available. In addition,
- the LLMNR cache, once poisoned, would take precedence over the DNS
- cache, eliminating the benefits of cache separation. As a result,
- LLMNR is only used as a name resolution mechanism of last resort.
-
-5.3. Authentication
-
- LLMNR is a peer-to-peer name resolution protocol, and as a result,
- it is often deployed in situations where no trust model can be
- assumed. This makes it difficult to apply existing DNS security
- mechanisms to LLMNR.
-
- LLMNR does not support "delegated trust" (CD or AD bits). As a
- result, unless LLMNR senders are DNSSEC aware, it is not feasible to
- use DNSSEC [RFC4033] with LLMNR.
-
- If authentication is desired, and a pre-arranged security
- configuration is possible, then the following security mechanisms may
- be used:
-
-[a] LLMNR implementations MAY support TSIG [RFC2845] and/or SIG(0)
- [RFC2931] security mechanisms. "DNS Name Service based on Secure
- Multicast DNS for IPv6 Mobile Ad Hoc Networks" [LLMNRSec] describes
- the use of TSIG to secure LLMNR responses, based on group keys.
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 24]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-[b] IPsec ESP with a null-transform MAY be used to authenticate unicast
- LLMNR queries and responses or LLMNR responses to multicast
- queries. In a small network without a certificate authority, this
- can be most easily accomplished through configuration of a group
- pre-shared key for trusted hosts.
-
- Where these mechanisms cannot be supported, responses to LLMNR
- queries may be unauthenticated.
-
-5.4. Cache and Port Separation
-
- In order to prevent responses to LLMNR queries from polluting the DNS
- cache, LLMNR implementations MUST use a distinct, isolated cache for
- LLMNR on each interface. The use of separate caches is most
- effective when LLMNR is used as a name resolution mechanism of last
- resort, since this minimizes the opportunities for poisoning the
- LLMNR cache, and decreases reliance on it.
-
- LLMNR operates on a separate port from DNS, reducing the likelihood
- that a DNS server will unintentionally respond to an LLMNR query.
-
-6. IANA Considerations
-
- This specification creates one new name space: the reserved bits in
- the LLMNR header. These are allocated by IETF Consensus, in
- accordance with BCP 26 [RFC2434].
-
- LLMNR requires allocation of port 5355 for both TCP and UDP.
-
- LLMNR requires allocation of link-scope multicast IPv4 address
- 224.0.0.252, as well as link-scope multicast IPv6 address
- FF02:0:0:0:0:0:1:3.
-
-7. Constants
-
- The following timing constants are used in this protocol; they are
- not intended to be user configurable.
-
- JITTER_INTERVAL 100 ms
- LLMNR_TIMEOUT 1 second (if set statically on all interfaces)
- 100 ms (IEEE 802 media, including IEEE 802.11)
-
-8. References
-
-8.1. Normative References
-
-[RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", RFC 1035, November 1987.
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 25]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
-[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
-[RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
-[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October
- 1998.
-
-[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
- August 1999.
-
-[RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC
- 2845, May 2000.
-
-[RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s)", RFC 2931, September 2000.
-
-8.2. Informative References
-
-[Bonjour] Cheshire, S. and M. Krochmal, "Multicast DNS", Internet draft
- (work in progress), draft-cheshire-dnsext-multicastdns-05.txt,
- June 2005.
-
-[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of
- Caching", IEEE/ACM Transactions on Networking, Volume 10,
- Number 5, pp. 589, October 2002.
-
-[DNSDisc] Durand, A., Hagino, I. and D. Thaler, "Well known site local
- unicast addresses to communicate with recursive DNS servers",
- Internet draft (work in progress), draft-ietf-ipv6-dns-
- discovery-07.txt, October 2002.
-
-[IEEE-802.11i]
- Institute of Electrical and Electronics Engineers, "Supplement
- to Standard for Telecommunications and Information Exchange
- Between Systems - LAN/MAN Specific Requirements - Part 11:
- Wireless LAN Medium Access Control (MAC) and Physical Layer
- (PHY) Specifications: Specification for Enhanced Security",
- IEEE 802.11i, July 2004.
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 26]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-[LLMNREnable]
- Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work
- in progress), draft-guttman-mdns-enable-02.txt, April 2002.
-
-[LLMNRSec]
- Jeong, J., Park, J. and H. Kim, "DNS Name Service based on
- Secure Multicast DNS for IPv6 Mobile Ad Hoc Networks", ICACT
- 2004, Phoenix Park, Korea, February 9-11, 2004.
-
-[POSIX] IEEE Std. 1003.1-2001 Standard for Information Technology --
- Portable Operating System Interface (POSIX). Open Group
- Technical Standard: Base Specifications, Issue 6, December
- 2001. ISO/IEC 9945:2002. http://www.opengroup.org/austin
-
-[RFC1536] Kumar, A., et. al., "DNS Implementation Errors and Suggested
- Fixes", RFC 1536, October 1993.
-
-[RFC1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
- Recommendations for Security", RFC 1750, December 1994.
-
-[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
- March 1997.
-
-[RFC2292] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6",
- RFC 2292, February 1998.
-
-[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC
- 2365, July 1998.
-
-[RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic
- Socket Interface Extensions for IPv6", RFC 2553, March 1999.
-
-[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC
- 2937, September 2000.
-
-[RFC3315] Droms, R., et al., "Dynamic Host Configuration Protocol for
- IPv6 (DHCPv6)", RFC 3315, July 2003.
-
-[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name
- System (DNS)", RFC 3833, August 2004.
-
-[RFC3927] Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
- of Link-Local IPv4 Addresses", RFC 3927, October 2004.
-
-[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
- "DNS Security Introduction and Requirement", RFC 4033, March
- 2005.
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 27]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
-Acknowledgments
-
- This work builds upon original work done on multicast DNS by Bill
- Manning and Bill Woodcock. Bill Manning's work was funded under
- DARPA grant #F30602-99-1-0523. The authors gratefully acknowledge
- their contribution to the current specification. Constructive input
- has also been received from Mark Andrews, Rob Austein, Randy Bush,
- Stuart Cheshire, Ralph Droms, Robert Elz, James Gilroy, Olafur
- Gudmundsson, Andreas Gustafsson, Erik Guttman, Myron Hattig,
- Christian Huitema, Olaf Kolkman, Mika Liljeberg, Keith Moore,
- Tomohide Nagashima, Thomas Narten, Erik Nordmark, Markku Savela, Mike
- St. Johns, Sander Van-Valkenburg, and Brian Zill.
-
-Authors' Addresses
-
- Bernard Aboba
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
-
- Phone: +1 425 706 6605
- EMail: bernarda@microsoft.com
-
- Dave Thaler
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
-
- Phone: +1 425 703 8835
- EMail: dthaler@microsoft.com
-
- Levon Esibov
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
-
- EMail: levone@microsoft.com
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 28]
-
-
-
-
-
-INTERNET-DRAFT LLMNR 29 August 2005
-
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-Open Issues
-
- Open issues with this specification are tracked on the following web
- site:
-
- http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html
-
-
-
-
-
-
-
-
-
-
-
-Aboba, Thaler & Esibov Standards Track [Page 29]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-02.txt
deleted file mode 100644
index cc3c276b99a7..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-nsec3-02.txt
+++ /dev/null
@@ -1,2072 +0,0 @@
-
-
-
-Network Working Group B. Laurie
-Internet-Draft G. Sisson
-Expires: December 3, 2005 Nominet
- R. Arends
- Telematica Instituut
- june 2005
-
-
- DNSSEC Hash Authenticated Denial of Existence
- draft-ietf-dnsext-nsec3-02
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on December 3, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- The DNS Security (DNSSEC) NSEC resource record (RR) is intended to be
- used to provide authenticated denial of existence of DNS ownernames
- and types; however, it permits any user to traverse a zone and obtain
- a listing of all ownernames.
-
- A complete zone file can be used either directly as a source of
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 1]
-
-Internet-Draft nsec3 june 2005
-
-
- probable e-mail addresses for spam, or indirectly as a key for
- multiple WHOIS queries to reveal registrant data which many
- registries (particularly in Europe) may be under strict legal
- obligations to protect. Many registries therefore prohibit copying
- of their zone file; however the use of NSEC RRs renders policies
- unenforceable.
-
- This document proposes a scheme which obscures original ownernames
- while permitting authenticated denial of existence of non-existent
- names. Non-authoritative delegation point NS RR types may be
- excluded.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1 Rationale . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
- 1.3 Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
- 2. The NSEC3 Resource Record . . . . . . . . . . . . . . . . . . 5
- 2.1 NSEC3 RDATA Wire Format . . . . . . . . . . . . . . . . . 5
- 2.1.1 The Authoritative Only Flag Field . . . . . . . . . . 6
- 2.1.2 The Hash Function Field . . . . . . . . . . . . . . . 6
- 2.1.3 The Iterations Field . . . . . . . . . . . . . . . . . 7
- 2.1.4 The Salt Length Field . . . . . . . . . . . . . . . . 7
- 2.1.5 The Salt Field . . . . . . . . . . . . . . . . . . . . 7
- 2.1.6 The Next Hashed Ownername Field . . . . . . . . . . . 7
- 2.1.7 The list of Type Bit Map(s) Field . . . . . . . . . . 8
- 2.2 The NSEC3 RR Presentation Format . . . . . . . . . . . . . 9
- 3. Creating Additional NSEC3 RRs for Empty Non Terminals . . . . 9
- 4. Calculation of the Hash . . . . . . . . . . . . . . . . . . . 10
- 5. Including NSEC3 RRs in a Zone . . . . . . . . . . . . . . . . 10
- 6. Special Considerations . . . . . . . . . . . . . . . . . . . . 11
- 6.1 Delegation Points . . . . . . . . . . . . . . . . . . . . 11
- 6.1.1 Unsigned Delegations . . . . . . . . . . . . . . . . . 11
- 6.2 Proving Nonexistence . . . . . . . . . . . . . . . . . . . 12
- 6.3 Salting . . . . . . . . . . . . . . . . . . . . . . . . . 13
- 6.4 Hash Collision . . . . . . . . . . . . . . . . . . . . . . 13
- 6.4.1 Avoiding Hash Collisions during generation . . . . . . 14
- 6.4.2 Second Preimage Requirement Analysis . . . . . . . . . 14
- 6.4.3 Possible Hash Value Truncation Method . . . . . . . . 14
- 7. Performance Considerations . . . . . . . . . . . . . . . . . . 15
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
- 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
- 10.1 Normative References . . . . . . . . . . . . . . . . . . . 16
- 10.2 Informative References . . . . . . . . . . . . . . . . . . 17
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 17
- A. Example Zone . . . . . . . . . . . . . . . . . . . . . . . . . 18
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 2]
-
-Internet-Draft nsec3 june 2005
-
-
- B. Example Responses . . . . . . . . . . . . . . . . . . . . . . 23
- B.1 answer . . . . . . . . . . . . . . . . . . . . . . . . . . 23
- B.1.1 Authenticating the Example DNSKEY RRset . . . . . . . 25
- B.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . 26
- B.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . 28
- B.3.1 No Data Error, Empty Non-Terminal . . . . . . . . . . 29
- B.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . 30
- B.5 Referral to Unsigned Zone using Opt-In . . . . . . . . . . 31
- B.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 32
- B.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . 34
- B.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . 35
- Intellectual Property and Copyright Statements . . . . . . . . 37
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 3]
-
-Internet-Draft nsec3 june 2005
-
-
-1. Introduction
-
- The DNS Security Extensions (DNSSEC) introduced the NSEC Resource
- Record (RR) for authenticated denial of existence. This document
- introduces a new RR as an alternative to NSEC that provides measures
- against zone traversal and allows for gradual expansion of
- delegation-centric zones.
-
-1.1 Rationale
-
- The DNS Security Extensions included the NSEC RR to provide
- authenticated denial of existence. Though the NSEC RR meets the
- requirements for authenticated denial of existence, it introduced a
- side-effect in that the contents of a zone can be enumerated. This
- property introduces undesired policy issues.
-
- A second problem was the requirement that the existence of all record
- types in a zone - including delegation point NS record types - must
- be accounted for, despite the fact that delegation point NS RRsets
- are not authoritative and not signed. This requirement has a side-
- effect that the overhead of delegation-centric signed zones is not
- related to the increase in security of subzones. This requirement
- does not allow delegation-centric zones size to grow in relation to
- the growth of signed subzones.
-
- In the past, solutions have been proposed as a measure against these
- side effects but at the time were regarded as secondary over the need
- to have a stable DNSSEC specification. With (draft-vixie-dnssec-ter)
- a graceful transition path to future enhancements is introduced,
- while current DNSSEC deployment can continue. This document presents
- the NSEC3 Resource Record which mitigates these issues with the NSEC
- RR.
-
- The reader is assumed to be familiar with the basic DNS concepts
- described in RFC1034 [RFC1034], RFC1035 [RFC1035] and subsequent RFCs
- that update them: RFC2136 [RFC2136], RFC2181 [RFC2181] and RFC2308
- [RFC2308].
-
-1.2 Reserved Words
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
-
-1.3 Terminology
-
- In this document the term "original ownername" refers to a standard
- ownername. Because this proposal uses the result of a hash function
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 4]
-
-Internet-Draft nsec3 june 2005
-
-
- over the original (unmodified) ownername, this result is referred to
- as "hashed ownername".
-
- "Canonical ordering of the zone" means the order in which hashed
- ownernames are arranged according to their numerical value, treating
- the leftmost (lowest numbered) byte as the most significant byte.
-
-2. The NSEC3 Resource Record
-
- The NSEC3 RR provides Authenticated Denial of Existence for DNS
- Resource Record Sets.
-
- The NSEC3 Resource Record lists RR types present at the NSEC3 RR's
- original ownername. It includes the next hashed ownername in the
- canonical ordering of the zone. The complete set of NSEC3 RRs in a
- zone indicates which RRsets exist for the original ownername of the
- RRset and form a chain of hashed ownernames in the zone. This
- information is used to provide authenticated denial of existence for
- DNS data, as described in RFC 4035 [RFC4035]. Unsigned delegation
- point NS RRsets can optionally be excluded. To provide protection
- against zone traversal, the ownernames used in the NSEC3 RR are
- cryptographic hashes of the original ownername prepended to the name
- of the zone. The NSEC3 RR indicates which hash function is used to
- construct the hash, which salt is used, and how many iterations of
- the hash function are performed over the original ownername.
-
- The ownername for the NSEC3 RR is the base32 encoding of the hashed
- ownername.
-
- The type value for the NSEC3 RR is XX.
-
- The NSEC3 RR RDATA format is class independent.
-
- The NSEC3 RR SHOULD have the same TTL value as the SOA minimum TTL
- field. This is in the spirit of negative caching [RFC2308].
-
-2.1 NSEC3 RDATA Wire Format
-
- The RDATA of the NSEC3 RR is as shown below:
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 5]
-
-Internet-Draft nsec3 june 2005
-
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |A|Hash Function| Iterations |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Salt Length | Salt /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Next Hashed Ownername /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Type Bit Maps /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
-2.1.1 The Authoritative Only Flag Field
-
- The Authoritative Only Flag field indicates whether the Type Bit Maps
- include delegation point NS record types.
-
- If the flag is set to 1, the NS RR type bit for a delegation point
- ownername SHOULD be clear when the NSEC3 RR is generated. The NS RR
- type bit MUST be ignored during processing of the NSEC3 RR. The NS
- RR type bit has no meaning in this context (it is not authoritative),
- hence the NSEC3 does not contest the existence of a NS RRset for this
- ownername. When a delegation is not secured, there exist no DS RR
- type nor any other authoritative types for this delegation, hence the
- unsecured delegation has no NSEC3 record associated. Please see the
- Special Consideration section for implications for unsigned
- delegations.
-
- If the flag is set to 0, the NS RR type bit for a delegation point
- ownername MUST be set if the NSEC3 covers a delegation, even though
- the NS RR itself is not authoritative. This implies that all
- delegations, signed or unsigned, have an NSEC3 record associated.
- This behaviour is identical to NSEC behaviour.
-
-2.1.2 The Hash Function Field
-
- The Hash Function field identifies the cryptographic hash function
- used to construct the hash-value.
-
- This document defines Value 1 for SHA-1 and Value 127 for
- experimental. All other values are reserved.
-
- On reception, a resolver MUST discard an NSEC3 RR with an unknown
- hash function value.
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 6]
-
-Internet-Draft nsec3 june 2005
-
-
-2.1.3 The Iterations Field
-
- The Iterations field defines the number of times the hash has been
- iterated. More iterations results in greater resiliency of the hash
- value against dictionary attacks, but at a higher cost for both the
- server and resolver.
-
-2.1.4 The Salt Length Field
-
- The salt length field defines the length of the salt in octets.
-
-2.1.5 The Salt Field
-
- The Salt field is not present when the Salt Length Field has a value
- of 0.
-
- The Salt field is prepended to the original ownername before hashing
- in order to defend against precalculated dictionary attacks.
-
- The salt is also prepended during iterations of the hash function.
-
- Note that although it is theoretically possible to cover the entire
- possible ownername space with different salt values, it is
- computationally infeasible to do so, and so there MUST be at least
- one salt which is the same for all NSEC3 records. This means that no
- matter what name is asked for in a query, it is guaranteed to be
- possible to find a covering NSEC3 record. Note that this does not
- preclude the use of two different salts at the same time - indeed
- this may well occur naturally, due to rolling the salt value
- periodically.
-
- The salt value SHOULD be changed from time to time - this is to
- prevent the use of a precomputed dictionary to reduce the cost of
- enumeration.
-
-2.1.6 The Next Hashed Ownername Field
-
- The Next Hashed Ownername field contains the hash of the ownername of
- the next RR in the canonical ordering of the hashed ownernames of the
- zone. The value of the Next Hashed Ownername Field in the last NSEC3
- record in the zone is the same as the ownername of the first NSEC3 RR
- in the zone in canonical order.
-
- Hashed ownernames of RRsets not authoritative for the given zone
- (such as glue records) MUST NOT be listed in the Next Hashed
- Ownername unless at least one authoritative RRset exists at the same
- ownername.
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 7]
-
-Internet-Draft nsec3 june 2005
-
-
- Note that the Next Hashed Ownername field is not encoded, unlike the
- NSEC3 RR's ownername. It is the unmodified binary hash value.
-
-2.1.7 The list of Type Bit Map(s) Field
-
- The Type Bit Maps field identifies the RRset types which exist at the
- NSEC3 RR's ownername.
-
- The Type bits for the NSEC3 RR and RRSIG RR MUST be set during
- generation, and MUST be ignored during processing.
-
- The RR type space is split into 256 window blocks, each representing
- the low-order 8 bits of the 16-bit RR type space. Each block that
- has at least one active RR type is encoded using a single octet
- window number (from 0 to 255), a single octet bitmap length (from 1
- to 32) indicating the number of octets used for the window block's
- bitmap, and up to 32 octets (256 bits) of bitmap.
-
- Blocks are present in the NSEC3 RR RDATA in increasing numerical
- order.
-
- "|" denotes concatenation
-
- Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
-
- Each bitmap encodes the low-order 8 bits of RR types within the
- window block, in network bit order. The first bit is bit 0. For
- window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
- to RR type 2 (NS), and so forth. For window block 1, bit 1
- corresponds to RR type 257, bit 2 to RR type 258. If a bit is set to
- 1, it indicates that an RRset of that type is present for the NSEC3
- RR's ownername. If a bit is set to 0, it indicates that no RRset of
- that type is present for the NSEC3 RR's ownername.
-
- The RR type 2 (NS) is authoritative at the apex of a zone and is not
- authoritative at delegation points. If the Authoritative Only Flag
- is set to 1, the delegation point NS RR type MUST NOT be included in
- the type bit maps. If the Authoritative Only Flag is set to 0, the
- NS RR type at a delegation point MUST be included in the type bit
- maps.
-
- Since bit 0 in window block 0 refers to the non-existing RR type 0,
- it MUST be set to 0. After verification, the validator MUST ignore
- the value of bit 0 in window block 0.
-
- Bits representing Meta-TYPEs or QTYPEs as specified in RFC 2929
- [RFC2929] (section 3.1) or within the range reserved for assignment
- only to QTYPEs and Meta-TYPEs MUST be set to 0, since they do not
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 8]
-
-Internet-Draft nsec3 june 2005
-
-
- appear in zone data. If encountered, they must be ignored upon
- reading.
-
- Blocks with no types present MUST NOT be included. Trailing zero
- octets in the bitmap MUST be omitted. The length of each block's
- bitmap is determined by the type code with the largest numerical
- value, within that block, among the set of RR types present at the
- NSEC3 RR's actual ownername. Trailing zero octets not specified MUST
- be interpreted as zero octets.
-
-2.2 The NSEC3 RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Authoritative Only Field is represented as an unsigned decimal
- integer. The value are either 0 or 1.
-
- The Hash field is presented as the name of the hash or as an unsigned
- decimal integer. The value has a maximum of 127.
-
- The Iterations field is presented as an unsigned decimal integer.
-
- The Salt Length field is not presented.
-
- The Salt field is represented as a sequence of case-insensitive
- hexadecimal digits. Whitespace is not allowed within the sequence.
- The Salt Field is represented as 00 when the Salt Length field has
- value 0.
-
- The Next Hashed Ownername field is represented as a sequence of case-
- insensitive base32 digits. Whitespace is allowed within the
- sequence.
-
- The List of Type Bit Map(s) Field is represented as a sequence of RR
- type mnemonics. When the mnemonic is not known, the TYPE
- representation as described in RFC 3597 [RFC3597] (section 5) MUST be
- used.
-
-3. Creating Additional NSEC3 RRs for Empty Non Terminals
-
- In order to prove the non-existence of a record that might be covered
- by a wildcard, it is necessary to prove the existence of its closest
- encloser. A closest encloser might be an Empty Non Terminal.
-
- Additional NSEC3 RRs are synthesized which cover every existing
- intermediate label level. Additional NSEC3 RRs are identical in
- format to NSEC3 RRs that cover existing RRs in the zone. The
- difference is that the type-bit-maps only indicate the existence of
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 9]
-
-Internet-Draft nsec3 june 2005
-
-
- an NSEC3 RR type and an RRSIG RR type.
-
-4. Calculation of the Hash
-
- Define H(x) to be the hash of x using the hash function selected by
- the NSEC3 record and || to indicate concatenation. Then define:
-
- IH(salt,x,0)=H(x || salt)
-
- IH(salt,x,k)=H(IH(salt,x,k-1) || salt) if k > 0
-
- Then the calculated hash of an ownername is
- IH(salt,ownername,iterations-1), where the ownername is the canonical
- form.
-
- The canonical form of the ownername is the wire format of the
- ownername where:
- 1. The ownername is fully expanded (no DNS name compression) and
- fully qualified;
- 2. All uppercase US-ASCII letters are replaced by the corresponding
- lowercase US-ASCII letters;
- 3. If the ownername is a wildcard name, the ownername is in its
- original unexpanded form, including the "*" label (no wildcard
- substitution);
-
-5. Including NSEC3 RRs in a Zone
-
- Each owner name in the zone which has authoritative data or a secured
- delegation point NS RRset MUST have an NSEC3 resource record.
-
- An unsecured delegation point NS RRset MAY have an NSEC3 resource
- record. This is different from NSEC records where an unsecured
- delegation point NS RRset MUST have an NSEC record.
-
- The TTL value for any NSEC3 RR SHOULD be the same as the minimum TTL
- value field in the zone SOA RR.
-
- The type bitmap of every NSEC3 resource record in a signed zone MUST
- indicate the presence of both the NSEC3 RR type itself and its
- corresponding RRSIG RR type.
-
- The bitmap for the NSEC3 RR at a delegation point requires special
- attention. Bits corresponding to the delegation NS RRset and any
- RRsets for which the parent zone has authoritative data MUST be set;
- bits corresponding to any non-NS RRset for which the parent is not
- authoritative MUST be clear.
-
- The following steps describe the proper construction of NSEC3
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 10]
-
-Internet-Draft nsec3 june 2005
-
-
- records.
- 1. For each unique original owner name in the zone, add an NSEC3
- RRset. This includes NSEC3 RRsets for unsigned delegation point
- NS RRsets, unless the policy is to have Authoritative Only NSEC3
- RRsets. The ownername of the NSEC3 RR is the hashed equivalent
- of the original owner name, prepended to the zone name.
- 2. For each RRset at the original owner, set the corresponding bit
- in the type bit map.
- 3. If the difference in number of labels between the apex and the
- original ownername is greater then 1, additional NSEC3s need to
- be added for every empty non-terminal between the apex and the
- original ownername.
- 4. Sort the set of NSEC3 RRs.
- 5. In each NSEC3 RR, insert the Next Hashed Ownername. The Next
- Hashed Ownername of the last NSEC3 in the zone contains the value
- of the hashed ownername of the first NSEC3 in the zone.
- 6. If the policy is to have authoritative only, set the
- Authoritative Only bit in those NSEC3 RRs that cover unsecured
- delegation points.
-
-6. Special Considerations
-
- The following paragraphs clarify specific behaviour explain special
- considerations for implementations.
-
-6.1 Delegation Points
-
- This proposal introduces the Authoritative Only Flag which indicates
- whether non authoritative delegation point NS records are included in
- the type bit Maps. As discussed in paragraph 2.1.1, a flag value of
- 0 indicates that the interpretation of the type bit maps is identical
- to NSEC records.
-
- The following subsections describe behaviour when the flag value is
- 1.
-
-6.1.1 Unsigned Delegations
-
- Delegation point NS records are not authoritative. They are
- authoritative in the delegated zone. No other data exists at the
- ownername of an unsigned delegation point.
-
- Since no authoritative data exist at this ownername, it is excluded
- from the NSEC3 chain. This is an optimization, since it relieves the
- zone of including an NSEC3 record and its associated signature for
- this name.
-
- An NSEC3 that denies existence of ownernames between X and X' with
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 11]
-
-Internet-Draft nsec3 june 2005
-
-
- the Authoritative Only Flag set to 1 can not be used to prove the
- presence or the absence of delegation point NS records for unsigned
- delegations in the interval (X, X'). The Authoritative Only Flag
- effectively states No Contest on the presence of delegation point NS
- resource records.
-
- Since proof is absent, there exists a new attack vector. Unsigned
- delegation point NS records can be deleted during a man in the middle
- attack, effectively denying existence of the delegation. This is a
- form of Denial of Service, where the victim has no information it is
- under attack, since all signatures are valid and the fabricated
- response form is a known type of response.
-
- The only possible mitigation is to either not use this method, hence
- proving existence or absence of unsigned delegations, or to sign all
- delegations, regardless of whether the delegated zone is signed or
- not.
-
- A second attack vector exists in that an adversary is able to
- successfully fabricate an (unsigned) response claiming a nonexistent
- delegation exists.
-
- The only possible mitigation is to mandate the signing of all
- delegations.
-
-6.2 Proving Nonexistence
-
- If a wildcard resource record appears in a zone, its asterisk label
- is treated as a literal symbol and is treated in the same way as any
- other ownername for purposes of generating NSEC3 RRs. RFC 4035
- [RFC4035] describes the impact of wildcards on authenticated denial
- of existence.
-
- In order to prove there exist no RRs for a domain, as well as no
- source of synthesis, an RR must be shown for the closest encloser,
- and non-existence must be shown for all closer labels and for the
- wildcard at the closest encloser.
-
- This can be done as follows. If the QNAME in the query is
- omega.alfa.beta.example, and the closest encloser is beta.example
- (the nearest ancestor to omega.alfa.beta.example), then the server
- should return an NSEC3 that demonstrates the nonexistence of
- alfa.beta.example, an NSEC3 that demonstrates the nonexistence of
- *.beta.example, and an NSEC3 that demonstrates the existence of
- beta.example. This takes between one and three NSEC3 records, since
- a single record can, by chance, prove more than one of these facts.
-
- When a verifier checks this response, then the existence of
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 12]
-
-Internet-Draft nsec3 june 2005
-
-
- beta.example together with the non-existence of alfa.beta.example
- proves that the closest encloser is indeed beta.example. The non-
- existence of *.beta.example shows that there is no wildcard at the
- closest encloser, and so no source of synthesis for
- omega.alfa.beta.example. These two facts are sufficient to satisfy
- the resolver that the QNAME cannot be resolved.
-
- In practice, since the NSEC3 owner and next names are hashed, if the
- server responds with an NSEC3 for beta.example, the resolver will
- have to try successively longer names, starting with example, moving
- to beta.example, alfa.beta.example, and so on, until one of them
- hashes to a value that matches the interval (but not the ownername
- nor next owner name) of one of the returned NSEC3s (this name will be
- alfa.beta.example). Once it has done this, it knows the closest
- encloser (i.e. beta.example), and can then easily check the other two
- required proofs.
-
- Note that it is not possible for one of the shorter names tried by
- the resolver to be denied by one of the returned NSEC3s, since, by
- definition, all these names exist and so cannot appear within the
- range covered by an NSEC3. Note, however, that the first name that
- the resolver tries MUST be the apex of the zone, since names above
- the apex could be denied by one of the returned NSEC3s.
-
-6.3 Salting
-
- Augmenting original ownernames with salt before hashing increases the
- cost of a dictionary of pre-generated hash-values. For every bit of
- salt, the cost of the dictionary doubles. The NSEC3 RR can use a
- maximum of 2040 bits of salt, multiplying the cost by 2^2040.
-
- There MUST be a complete set of NSEC3s for the zone using the same
- salt value. The salt value for each NSEC3 RR MUST be equal for a
- single version of the zone.
-
- The salt SHOULD be changed every time the zone is resigned to prevent
- precomputation using a single salt.
-
-6.4 Hash Collision
-
- Hash collisions occur when different messages have the same hash
- value. The expected number of domain names needed to give a 1 in 2
- chance of a single collision is about 2^(n/2) for a hash of length n
- bits (i.e. 2^80 for SHA-1). Though this probability is extremely
- low, the following paragraphs deal with avoiding collisions and
- assessing possible damage in the event of an attack using hash
- collisions.
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 13]
-
-Internet-Draft nsec3 june 2005
-
-
-6.4.1 Avoiding Hash Collisions during generation
-
- During generation of NSEC3 RRs, hash values are supposedly unique.
- In the (academic) case of a collision occurring, an alternative salt
- SHOULD be chosen and all hash values SHOULD be regenerated.
-
- If hash values are not regenerated on collision, the NSEC3 RR MUST
- list all authoritative RR types that exist for both owners, to avoid
- a replay attack, spoofing an existing type as non-existent.
-
-6.4.2 Second Preimage Requirement Analysis
-
- A cryptographic hash function has a second-preimage resistance
- property. The second-preimage resistance property means that it is
- computationally infeasible to find another message with the same hash
- value as a given message, i.e. given preimage X, to find a second
- preimage X' <> X such that hash(X) = hash(X'). The work factor for
- finding a second preimage is of the order of 2^160 for SHA-1. To
- mount an attack using an existing NSEC3 RR, an adversary needs to
- find a second preimage.
-
- Assuming an adversary is capable of mounting such an extreme attack,
- the actual damage is that a response message can be generated which
- claims that a certain QNAME (i.e. the second pre-image) does exist,
- while in reality QNAME does not exist (a false positive), which will
- either cause a security aware resolver to re-query for the non-
- existent name, or to fail the initial query. Note that the adversary
- can't mount this attack on an existing name but only on a name that
- the adversary can't choose and does not yet exist.
-
-6.4.3 Possible Hash Value Truncation Method
-
- The previous sections outlined the low probability and low impact of
- a second-preimage attack. When impact and probability are low, while
- space in a DNS message is costly, truncation is tempting. Truncation
- might be considered to allow for shorter ownernames and rdata for
- hashed labels. In general, if a cryptographic hash is truncated to n
- bits, then the expected number of domains required to give a 1 in 2
- probability of a single collision is approximately 2^(n/2) and the
- work factor to produce a second preimage resistance is 2^n.
-
- An extreme hash value truncation would be truncating to the shortest
- possible unique label value. Considering that hash values are
- presented in base32, which represents 5 bits per label character,
- truncation must be done on a 5 bit boundary. This would be unwise,
- since the work factor to produce collisions would then approximate
- the size of the zone.
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 14]
-
-Internet-Draft nsec3 june 2005
-
-
- Though the mentioned truncation can be maximized to a certain
- extreme, the probability of collision increases exponentially for
- every truncated bit. Given the low impact of hash value collisions
- and limited space in DNS messages, the balance between truncation
- profit and collision damage may be determined by local policy. Of
- course, the size of the corresponding RRSIG RR is not reduced, so
- truncation is of limited benefit.
-
- Truncation could be signalled simply by reducing the length of the
- first label in the ownername. Note that there would have to be a
- corresponding reduction in the length of the Next Hashed Ownername
- field.
-
-7. Performance Considerations
-
- Iterated hashes will obviously impose a performance penalty on both
- authoritative servers and resolvers. Therefore, the number of
- iterations should be carefully chosen. In particular it should be
- noted that a high value for iterations gives an attacker a very good
- denial of service attack, since the attacker need not bother to
- verify the results of their queries, and hence has no performance
- penalty of his own.
-
- On the other hand, nameservers with low query rates and limited
- bandwidth are already subject to a bandwidth based denial of service
- attack, since responses are typically an order of magnitude larger
- than queries, and hence these servers may choose a high value of
- iterations in order to increase the difficulty of offline attempts to
- enumerate their namespace without significantly increasing their
- vulnerability to denial of service attacks.
-
-8. IANA Considerations
-
- IANA has to create a new registry for NSEC3 Hash Functions. The
- range for this registry is 0-127. Value 0 is the identity function.
- Value 1 is SHA-1. Values 2-126 are Reserved For Future Use. Value
- 127 is marked as Experimental.
-
-9. Security Considerations
-
- The NSEC3 records are still susceptible to dictionary attacks (i.e.
- the attacker retrieves all the NSEC3 records, then calculates the
- hashes of all likely domain names, comparing against the hashes found
- in the NSEC3 records, and thus enumerating the zone). These are
- substantially more expensive than traversing the original NSEC
- records would have been, and in any case, such an attack could also
- be used directly against the name server itself by performing queries
- for all likely names, though this would obviously be more detectable.
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 15]
-
-Internet-Draft nsec3 june 2005
-
-
- The expense of this off-line attack can be chosen by setting the
- number of iterations in the NSEC3 RR.
-
- High-value domains are also susceptible to a precalculated dictionary
- attack - that is, a list of hashes for all likely names is computed
- once, then NSEC3 is scanned periodically and compared against the
- precomputed hashes. This attack is prevented by changing the salt on
- a regular basis.
-
- Walking the NSEC3 RRs will reveal the total number of records in the
- zone, and also what types they are. This could be mitigated by
- adding dummy entries, but certainly an upper limit can always be
- found.
-
- Hash collisions may occur. If they do, it will be impossible to
- prove the non-existence of the colliding domain - however, this is
- fantastically unlikely, and, in any case, DNSSEC already relies on
- SHA-1 to not collide.
-
-10. References
-
-10.1 Normative References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)",
- RFC 2136, April 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2929] Eastlake, D., Brunner-Williams, E., and B. Manning,
- "Domain Name System (DNS) IANA Considerations", BCP 42,
- RFC 2929, September 2000.
-
- [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
- (RR) Types", RFC 3597, September 2003.
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 16]
-
-Internet-Draft nsec3 june 2005
-
-
- [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements",
- RFC 4033, March 2005.
-
- [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions",
- RFC 4034, March 2005.
-
- [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security
- Extensions", RFC 4035, March 2005.
-
-10.2 Informative References
-
- [I-D.ietf-dnsext-trustupdate-threshold]
- Ihren, J., "An In-Band Rollover Mechanism and an Out-Of-
- Band Priming Method for DNSSEC Trust Anchors.",
- draft-ietf-dnsext-trustupdate-threshold-00 (work in
- progress), October 2004.
-
- [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
- 3", BCP 9, RFC 2026, October 1996.
-
- [RFC2418] Bradner, S., "IETF Working Group Guidelines and
- Procedures", BCP 25, RFC 2418, September 1998.
-
-
-Authors' Addresses
-
- Ben Laurie
- Nominet
- 17 Perryn Road
- London W3 7LR
- England
-
- Phone: +44 (20) 8735 0686
- Email: ben@algroup.co.uk
-
-
- Geoffrey Sisson
- Nominet
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 17]
-
-Internet-Draft nsec3 june 2005
-
-
- Roy Arends
- Telematica Instituut
- Brouwerijstraat 1
- 7523 XC Enschede
- The Netherlands
-
- Phone: +31 (53) 485 0485
- Email: roy.arends@telin.nl
-
-Appendix A. Example Zone
-
- This is a zone showing its NSEC3 records. They can also be used as
- test vectors for the hash algorithm.
-
-
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600 )
- 3600 RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- 3600 NS ns1.example.
- 3600 NS ns2.example.
- 3600 RRSIG NS 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
- m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
- 1SH5r/wfjuCg+g== )
- 3600 MX 1 xx.example.
- 3600 RRSIG MX 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- L/ZDLMSZJKITmSxmM9Kni37/wKQsdSg6FT0l
- NMm14jy2Stp91Pwp1HQ1hAMkGWAqCMEKPMtU
- S/o/g5C8VM6ftQ== )
- 3600 DNSKEY 257 3 5 (
- AQOnsGyJvywVjYmiLbh0EwIRuWYcDiB/8blX
- cpkoxtpe19Oicv6Zko+8brVsTMeMOpcUeGB1
- zsYKWJ7BvR2894hX
- ) ; Key ID = 21960
- 3600 DNSKEY 256 3 5 (
- AQO0gEmbZUL6xbD/xQczHbnwYnf+jQjwz/sU
- 5k44rHTt0Ty+3aOdYoome9TjGMhwkkGby1TL
- ExXT48OGGdbfIme5
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 18]
-
-Internet-Draft nsec3 june 2005
-
-
- ) ; Key ID = 62699
- 3600 RRSIG DNSKEY 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- e6EB+K21HbyZzoLUeRDb6+g0+n8XASYe6h+Z
- xtnB31sQXZgq8MBHeNFDQW9eZw2hjT9zMClx
- mTkunTYzqWJrmQ== )
- 3600 RRSIG DNSKEY 5 1 3600 20050712112304 (
- 20050612112304 21960 example.
- SnWLiNWLbOuiKU/F/wVMokvcg6JVzGpQ2VUk
- ZbKjB9ON0t3cdc+FZbOCMnEHRJiwgqlnncik
- 3w7ZY2UWyYIvpw== )
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2
- NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- PTWYq4WZmmtgh9UQif342HWf9DD9RuuM4ii5
- Z1oZQgRi5zrsoKHAgl2YXprF2Rfk1TLgsiFQ
- sb7KfbaUo/vzAg== )
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
- MX NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
- ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
- MEFQmc/gEuxojA== )
- a.example. 3600 IN NS ns1.a.example.
- 3600 IN NS ns2.a.example.
- 3600 DS 58470 5 1 3079F1593EBAD6DC121E202A8B
- 766A6A4837206C )
- 3600 RRSIG DS 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
- cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
- 0kx7rGKTc3RQDA== )
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
- ai.example. 3600 IN A 192.0.2.9
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
- 6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
- ZXW5S+1VjMZYzQ== )
- 3600 HINFO "KLH-10" "ITS"
- 3600 RRSIG HINFO 5 2 3600 20050712112304 (
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 19]
-
-Internet-Draft nsec3 june 2005
-
-
- 20050612112304 62699 example.
- AR0hG/Z/e+vlRhxRQSVIFORzrJTBpdNHhwUk
- tiuqg+zGqKK84eIqtrqXelcE2szKnF3YPneg
- VGNmbgPnqDVPiA== )
- 3600 AAAA 2001:db8:0:0:0:0:f00:baa9
- 3600 RRSIG AAAA 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
- ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
- l5/UqLCJJ9BDMg== )
- b.example. 3600 IN NS ns1.b.example.
- 3600 IN NS ns2.b.example.
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- gmnfcccja7wkax3iv26bs75myptje3qk
- MX DNSKEY NS SOA NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
- C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
- MOiKMSHozVebqw== )
- gmnfcccja7wkax3iv26bs75myptje3qk.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6
- DS NS NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- ZqkdmF6eICpHyn1Cj7Yvw+nLcbji46Qpe76/
- ZetqdZV7K5sO3ol5dOc0dZyXDqsJp1is5StW
- OwQBGbOegrW/Zw== )
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- kcll7fqfnisuhfekckeeqnmbbd4maanu
- NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
- IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
- 94Zbq3k8lgdpZA== )
- kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 NSEC3 1 1 1 (
- deadbeaf
- n42hbhnjj333xdxeybycax5ufvntux5d
- MX NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 20]
-
-Internet-Draft nsec3 june 2005
-
-
- IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
- TOLtc5jPrkL4zQ== )
- n42hbhnjj333xdxeybycax5ufvntux5d.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- nimwfwcnbeoodmsc6npv3vuaagaevxxu
- A NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- MZGzllh+YFqZbY8SkHxARhXFiMDPS0tvQYyy
- 91tj+lbl45L/BElD3xxB/LZMO8vQejYtMLHj
- xFPFGRIW3wKnrA== )
- nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- vhgwr2qgykdkf4m6iv6vkagbxozphazr
- HINFO A AAAA NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
- z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
- jL33Wm1p07TBdw== )
- ns1.example. 3600 A 192.0.2.1
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
- BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
- nWWLepz1PjjShQ== )
- ns2.example. 3600 A 192.0.2.2
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
- P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
- AkeTJu3J3auUiA== )
- vhgwr2qgykdkf4m6iv6vkagbxozphazr.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw
- HINFO A AAAA NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- leFhoF5FXZAiNOxK4OBOOA0WKdbaD5lLDT/W
- kLoyWnQ6WGBwsUOdsEcVmqz+1n7q9bDf8G8M
- 5SNSHIyfpfsi6A== )
- *.w.example. 3600 MX 1 ai.example.
- 3600 RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
- xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
- gQlgxEwhvQDEaQ== )
- x.w.example. 3600 MX 1 xx.example.
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 21]
-
-Internet-Draft nsec3 june 2005
-
-
- 3600 RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
- lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
- U9VazOa1KEIq1w== )
- x.y.w.example. 3600 MX 1 xx.example.
- 3600 RRSIG MX 5 4 3600 20050712112304 (
- 20050612112304 62699 example.
- aKVCGO/Fx9rm04UUsHRTTYaDA8o8dGfyq6t7
- uqAcYxU9xiXP+xNtLHBv7er6Q6f2JbOs6SGF
- 9VrQvJjwbllAfA== )
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
- A NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
- ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
- oorBv4xkb0flXw== )
- xx.example. 3600 A 192.0.2.10
- 3600 RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
- tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
- cxwCXWj82GVGdw== )
- 3600 HINFO "KLH-10" "TOPS-20"
- 3600 RRSIG HINFO 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- ghS2DimOqPSacG9j6KMgXSfTMSjLxvoxvx3q
- OKzzPst4tEbAmocF2QX8IrSHr67m4ZLmd2Fk
- KMf4DgNBDj+dIQ== )
- 3600 AAAA 2001:db8:0:0:0:0:f00:baaa
- 3600 RRSIG AAAA 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
- w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
- rzKKwb8J04/ILw== )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 NSEC3 0 1 1 (
- deadbeaf
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
- MX NSEC3 RRSIG )
- 3600 RRSIG NSEC3 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
- 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
- OcFlrPGPMm48/A== )
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 22]
-
-Internet-Draft nsec3 june 2005
-
-
-Appendix B. Example Responses
-
- The examples in this section show response messages using the signed
- zone example in Appendix A.
-
-B.1 answer
-
- A successful query to an authoritative server.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 23]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- x.w.example. IN MX
-
- ;; Answer
- x.w.example. 3600 IN MX 1 xx.example.
- x.w.example. 3600 IN RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- s1XQ/8SlViiEDik9edYs1Ooe3XiXo453Dg7w
- lqQoewuDzmtd6RaLNu52W44zTM1EHJES8ujP
- U9VazOa1KEIq1w== )
-
- ;; Authority
- example. 3600 IN NS ns1.example.
- example. 3600 IN NS ns2.example.
- example. 3600 IN RRSIG NS 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
- m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
- 1SH5r/wfjuCg+g== )
-
- ;; Additional
- xx.example. 3600 IN A 192.0.2.10
- xx.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- XSuMVjNxovbZUsnKU6oQDygaK+WB+O5HYQG9
- tJgphHIX7TM4uZggfR3pNM+4jeC8nt2OxZZj
- cxwCXWj82GVGdw== )
- xx.example. 3600 IN AAAA 2001:db8::f00:baaa
- xx.example. 3600 IN RRSIG AAAA 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- rto7afZkXYB17IfmQCT5QoEMMrlkeOoAGXzo
- w8Wmcg86Fc+MQP0hyXFScI1gYNSgSSoDMXIy
- rzKKwb8J04/ILw== )
- ns1.example. 3600 IN A 192.0.2.1
- ns1.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- QLGkaqWXxRuE+MHKkMvVlswg65HcyjvD1fyb
- BDZpcfiMHH9w4x1eRqRamtSDTcqLfUrcYkrr
- nWWLepz1PjjShQ== )
- ns2.example. 3600 IN A 192.0.2.2
- ns2.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- UoIZaC1O6XHRWGHBOl8XFQKPdYTkRCz6SYh3
- P2mZ3xfY22fLBCBDrEnOc8pGDGijJaLl26Cz
- AkeTJu3J3auUiA== )
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 24]
-
-Internet-Draft nsec3 june 2005
-
-
- The query returned an MX RRset for "x.w.example". The corresponding
- RRSIG RR indicates that the MX RRset was signed by an "example"
- DNSKEY with algorithm 5 and key tag 62699. The resolver needs the
- corresponding DNSKEY RR in order to authenticate this answer. The
- discussion below describes how a resolver might obtain this DNSKEY
- RR.
-
- The RRSIG RR indicates the original TTL of the MX RRset was 3600,
- and, for the purpose of authentication, the current TTL is replaced
- by 3600. The RRSIG RR's labels field value of 3 indicates that the
- answer was not the result of wildcard expansion. The "x.w.example"
- MX RRset is placed in canonical form, and, assuming the current time
- falls between the signature inception and expiration dates, the
- signature is authenticated.
-
-B.1.1 Authenticating the Example DNSKEY RRset
-
- This example shows the logical authentication process that starts
- from a configured root DNSKEY RRset (or DS RRset) and moves down the
- tree to authenticate the desired "example" DNSKEY RRset. Note that
- the logical order is presented for clarity. An implementation may
- choose to construct the authentication as referrals are received or
- to construct the authentication chain only after all RRsets have been
- obtained, or in any other combination it sees fit. The example here
- demonstrates only the logical process and does not dictate any
- implementation rules.
-
- We assume the resolver starts with a configured DNSKEY RRset for the
- root zone (or a configured DS RRset for the root zone). The resolver
- checks whether this configured DNSKEY RRset is present in the root
- DNSKEY RRset (or whether a DS RR in the DS RRset matches some DNSKEY
- RR in the root DNSKEY RRset), whether this DNSKEY RR has signed the
- root DNSKEY RRset, and whether the signature lifetime is valid. If
- all these conditions are met, all keys in the DNSKEY RRset are
- considered authenticated. The resolver then uses one (or more) of
- the root DNSKEY RRs to authenticate the "example" DS RRset. Note
- that the resolver may have to query the root zone to obtain the root
- DNSKEY RRset or "example" DS RRset.
-
- Once the DS RRset has been authenticated using the root DNSKEY, the
- resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
- RR that matches one of the authenticated "example" DS RRs. If such a
- matching "example" DNSKEY is found, the resolver checks whether this
- DNSKEY RR has signed the "example" DNSKEY RRset and the signature
- lifetime is valid. If these conditions are met, all keys in the
- "example" DNSKEY RRset are considered authenticated.
-
- Finally, the resolver checks that some DNSKEY RR in the "example"
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 25]
-
-Internet-Draft nsec3 june 2005
-
-
- DNSKEY RRset uses algorithm 5 and has a key tag of 62699. This
- DNSKEY is used to authenticate the RRSIG included in the response.
- If multiple "example" DNSKEY RRs match this algorithm and key tag,
- then each DNSKEY RR is tried, and the answer is authenticated if any
- of the matching DNSKEY RRs validate the signature as described above.
-
-B.2 Name Error
-
- An authoritative name error. The NSEC3 RRs prove that the name does
- not exist and that no covering wildcard exists.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 26]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR AA DO RCODE=3
- ;;
- ;; Question
- a.c.x.w.example. IN A
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb
- MX NSEC3 RRSIG )
- 7nomf47k3vlidh4vxahhpp47l3tgv7a2.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- YTcqole3h8EOsTT3HKnwhR1QS8borR0XtZaA
- ZrLsx6n0RDC1AAdZONYOvdqvcal9PmwtWjlo
- MEFQmc/gEuxojA== )
- nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- vhgwr2qgykdkf4m6iv6vkagbxozphazr
- HINFO A AAAA NSEC3 RRSIG )
- nimwfwcnbeoodmsc6npv3vuaagaevxxu.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- c3zQdK68cYTHTjh1cD6pi0vblXwzyoU/m7Qx
- z8kaPYikbJ9vgSl9YegjZukgQSwybHUC0SYG
- jL33Wm1p07TBdw== )
- ;; Additional
- ;; (empty)
-
- The query returned two NSEC3 RRs that prove that the requested data
- does not exist and no wildcard applies. The negative reply is
- authenticated by verifying both NSEC3 RRs. The NSEC3 RRs are
- authenticated in a manner identical to that of the MX RRset discussed
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 27]
-
-Internet-Draft nsec3 june 2005
-
-
- above. At least one of the owner names of the NSEC3 RRs will match
- the closest encloser. At least one of the NSEC3 RRs prove that there
- exists no longer name. At least one of the NSEC3 RRs prove that
- there exists no wildcard RRsets that should have been expanded. The
- closest encloser can be found by hasing the apex ownername (The SOA
- RR's ownername, or the ownername of the DNSKEY RRset referred by an
- RRSIG RR), matching it to the ownername of one of the NSEC3 RRs, and
- if that fails, continue by adding labels.
-
- In the above example, the name 'x.w.example' hashes to
- '7nomf47k3vlidh4vxahhpp47l3tgv7a2'. This indicates that this might
- be the closest encloser. To prove that 'c.x.w.example' and
- '*.x.w.example' do not exists, these names are hashed to respectively
- 'qsgoxsf2lanysajhtmaylde4tqwnqppl' and
- 'cvljzyf6nsckjowghch4tt3nohocpdka'. The two NSEC3 records prove that
- these hashed ownernames do not exists, since the names are within the
- given intervals.
-
-B.3 No Data Error
-
- A "no data" response. The NSEC3 RR proves that the name exists and
- that the requested RR type does not.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 28]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- ns1.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui
- A NSEC3 RRSIG )
- wbyijvpnyj33pcpi3i44ecnibnaj7eiw.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- ledFAaDCqDxapQ1FvBAjjK2DP06iQj8AN6gN
- ZycTeSmobKLTpzbgQp8uKYYe/DPHjXYmuEhd
- oorBv4xkb0flXw== )
- ;; Additional
- ;; (empty)
-
- The query returned an NSEC3 RR that proves that the requested name
- exists ("ns1.example." hashes to "wbyijvpnyj33pcpi3i44ecnibnaj7eiw"),
- but the requested RR type does not exist (type MX is absent in the
- type code list of the NSEC RR). The negative reply is authenticated
- by verifying the NSEC3 RR. The NSEC3 RR is authenticated in a manner
- identical to that of the MX RRset discussed above.
-
-B.3.1 No Data Error, Empty Non-Terminal
-
- A "no data" response because of an empty non-terminal. The NSEC3 RR
- proves that the name exists and that the requested RR type does not.
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 29]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- y.w.example. IN A
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- kcll7fqfnisuhfekckeeqnmbbd4maanu
- NSEC3 RRSIG )
- jt4bbfokgbmr57qx4nqucvvn7fmo6ab6.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- FXyCVQUdFF1EW1NcgD2V724/It0rn3lr+30V
- IyjmqwOMvQ4G599InTpiH46xhX3U/FmUzHOK
- 94Zbq3k8lgdpZA== )
-
- The query returned an NSEC3 RR that proves that the requested name
- exists ("y.w.example." hashes to "jt4bbfokgbmr57qx4nqucvvn7fmo6ab6"),
- but the requested RR type does not exist (Type A is absent in the
- type-bit-maps of the NSEC3 RR). The negative reply is authenticated
- by verifying the NSEC3 RR. The NSEC3 RR is authenticated in a manner
- identical to that of the MX RRset discussed above. Note that, unlike
- generic empty non terminal proof using NSECs, this is identical to
- proving a No Data Error. This example is solely mentioned to be
- complete.
-
-B.4 Referral to Signed Zone
-
- Referral to a signed zone. The DS RR contains the data which the
- resolver will need to validate the corresponding DNSKEY RR in the
- child zone's apex.
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 30]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR DO RCODE=0
- ;;
-
- ;; Question
- mc.a.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- a.example. 3600 IN NS ns1.a.example.
- a.example. 3600 IN NS ns2.a.example.
- a.example. 3600 IN DS 58470 5 1 (
- 3079F1593EBAD6DC121E202A8B766A6A4837
- 206C )
- a.example. 3600 IN RRSIG DS 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- QavhbsSmEvJLSUzGoTpsV3SKXCpaL1UO3Ehn
- cB0ObBIlex/Zs9kJyG/9uW1cYYt/1wvgzmX2
- 0kx7rGKTc3RQDA== )
-
- ;; Additional
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
-
- The query returned a referral to the signed "a.example." zone. The
- DS RR is authenticated in a manner identical to that of the MX RRset
- discussed above. This DS RR is used to authenticate the "a.example"
- DNSKEY RRset.
-
- Once the "a.example" DS RRset has been authenticated using the
- "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
- for some "a.example" DNSKEY RR that matches the DS RR. If such a
- matching "a.example" DNSKEY is found, the resolver checks whether
- this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
- the signature lifetime is valid. If all these conditions are met,
- all keys in the "a.example" DNSKEY RRset are considered
- authenticated.
-
-B.5 Referral to Unsigned Zone using Opt-In
-
- Referral to an unsigned zone using Opt-In. The NSEC3 RR proves that
- nothing for this delegation was signed in the parent zone. There is
- no proof that the delegation exists
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 31]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR DO RCODE=0
- ;;
- ;; Question
- mc.b.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- b.example. 3600 IN NS ns1.b.example.
- b.example. 3600 IN NS ns2.b.example.
- kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN NSEC3 1 1 1 (
- deadbeaf
- n42hbhnjj333xdxeybycax5ufvntux5d
- MX NSEC3 RRSIG )
- kcll7fqfnisuhfekckeeqnmbbd4maanu.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- d0g8MTOvVwByOAIwvYV9JrTHwJof1VhnMKuA
- IBj6Xaeney86RBZYgg7Qyt9WnQSK3uCEeNpx
- TOLtc5jPrkL4zQ== )
-
- ;; Additional
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
-
- The query returned a referral to the unsigned "b.example." zone. The
- NSEC3 proves that no authentication leads from "example" to
- "b.example", since the hash of "b.example"
- ("ldjpfcucebeks5azmzpty4qlel4cftzo") is within the NSEC3 interval and
- the NSEC3 opt-in bit is set. The NSEC3 RR is authenticated in a
- manner identical to that of the MX RRset discussed above.
-
-B.6 Wildcard Expansion
-
- A successful query that was answered via wildcard expansion. The
- label count in the answer's RRSIG RR indicates that a wildcard RRset
- was expanded to produce this response, and the NSEC3 RR proves that
- no closer match exists in the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 32]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN MX
-
- ;; Answer
- a.z.w.example. 3600 IN MX 1 ai.example.
- a.z.w.example. 3600 IN RRSIG MX 5 3 3600 20050712112304 (
- 20050612112304 62699 example.
- sYNUPHn1/gJ87wTHNksGdRm3vfnSFa2BbofF
- xGfJLF5A4deRu5f0hvxhAFDCcXfIASj7z0wQ
- gQlgxEwhvQDEaQ== )
- ;; Authority
- example. 3600 NS ns1.example.
- example. 3600 NS ns2.example.
- example. 3600 IN RRSIG NS 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- hNyyin2JpECIFxW4vsj8RhHcWCQKUXgO+z4l
- m7g2zM8q3Qpsm/gYIXSF2Rhj6lAG7esR/X9d
- 1SH5r/wfjuCg+g== )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
- MX NSEC3 RRSIG )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
- 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
- OcFlrPGPMm48/A== )
- ;; Additional
- ai.example. 3600 IN A 192.0.2.9
- ai.example. 3600 IN RRSIG A 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- plY5M26ED3Owe3YX0pBIhgg44j89NxUaoBrU
- 6bLRr99HpKfFl1sIy18JiRS7evlxCETZgubq
- ZXW5S+1VjMZYzQ== )
- ai.example. 3600 AAAA 2001:db8::f00:baa9
- ai.example. 3600 IN RRSIG AAAA 5 2 3600 20050712112304 (
- 20050612112304 62699 example.
- PNF/t7+DeosEjhfuL0kmsNJvn16qhYyLI9FV
- ypSCorFx/PKIlEL3syomkYM2zcXVSRwUXMns
- l5/UqLCJJ9BDMg== )
-
- The query returned an answer that was produced as a result of
- wildcard expansion. The answer section contains a wildcard RRset
- expanded as it would be in a traditional DNS response, and the
- corresponding RRSIG indicates that the expanded wildcard MX RRset was
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 33]
-
-Internet-Draft nsec3 june 2005
-
-
- signed by an "example" DNSKEY with algorithm 5 and key tag 62699.
- The RRSIG indicates that the original TTL of the MX RRset was 3600,
- and, for the purpose of authentication, the current TTL is replaced
- by 3600. The RRSIG labels field value of 2 indicates that the answer
- is the result of wildcard expansion, as the "a.z.w.example" name
- contains 4 labels. The name "a.z.w.example" is replaced by
- "*.w.example", the MX RRset is placed in canonical form, and,
- assuming that the current time falls between the signature inception
- and expiration dates, the signature is authenticated.
-
- The NSEC3 proves that no closer match (exact or closer wildcard)
- could have been used to answer this query, and the NSEC3 RR must also
- be authenticated before the answer is considered valid.
-
-B.7 Wildcard No Data Error
-
- A "no data" response for a name covered by a wildcard. The NSEC3 RRs
- prove that the matching wildcard name does not have any RRs of the
- requested type and that no closer match exists in the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 34]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN AAAA
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- 5pe7ctl7pfs2cilroy5dcofx4rcnlypd
- MX NSEC3 RRSIG )
- zjxfz5o7t4ty4u3f6fa7mhhqzjln4mui.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- eULkdWjcjmM+wXQcr7zXNfnGLgHjZSJINGkt
- 7Zmvp7WKVAqoHMm1RXV8IfBH1aRgv5+/Lgny
- OcFlrPGPMm48/A== )
- ;; Additional
- ;; (empty)
-
- The query returned NSEC3 RRs that prove that the requested data does
- not exist and no wildcard applies. The negative reply is
- authenticated by verifying both NSEC3 RRs.
-
-B.8 DS Child Zone No Data Error
-
- A "no data" response for a QTYPE=DS query that was mistakenly sent to
- a name server for the child zone.
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 35]
-
-Internet-Draft nsec3 june 2005
-
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- example. IN DS
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 IN RRSIG SOA 5 1 3600 20050712112304 (
- 20050612112304 62699 example.
- RtctD6aLUU5Md5wOOItilS7JXX1tf58Ql3sK
- mTXkL13jqLiUFOGg0uzqRh1U9GbydS0P7M0g
- qYIt90txzE/4+g== )
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN NSEC3 0 1 1 (
- deadbeaf
- gmnfcccja7wkax3iv26bs75myptje3qk
- MX DNSKEY NS SOA NSEC3 RRSIG )
- dw4o7j64wnel3j4jh7fb3c5n7w3js2yb.example. 3600 IN RRSIG NSEC3 (
- 5 2 3600 20050712112304
- 20050612112304 62699 example.
- VqEbXiZLJVYmo25fmO3IuHkAX155y8NuA50D
- C0NmJV/D4R3rLm6tsL6HB3a3f6IBw6kKEa2R
- MOiKMSHozVebqw== )
-
- ;; Additional
- ;; (empty)
-
- The query returned NSEC RRs that shows the requested was answered by
- a child server ("example" server). The NSEC RR indicates the
- presence of an SOA RR, showing that the answer is from the child .
- Queries for the "example" DS RRset should be sent to the parent
- servers ("root" servers).
-
-
-
-
-
-
-
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 36]
-
-Internet-Draft nsec3 june 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Laurie, et al. Expires December 3, 2005 [Page 37]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt
deleted file mode 100644
index 5b6d655297e8..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2536bis-dsa-06.txt
+++ /dev/null
@@ -1,464 +0,0 @@
-
-INTERNET-DRAFT DSA Information in the DNS
-OBSOLETES: RFC 2536 Donald E. Eastlake 3rd
- Motorola Laboratories
-Expires: January 2006 July 2005
-
-
- DSA Keying and Signature Information in the DNS
- --- ------ --- --------- ----------- -- --- ---
- <draft-ietf-dnsext-rfc2536bis-dsa-06.txt>
- Donald E. Eastlake 3rd
-
-
-Status of This Document
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Distribution of this document is unlimited. Comments should be sent
- to the DNS extensions working group mailing list
- <namedroppers@ops.ietf.org>.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-Abstract
-
- The standard method of encoding US Government Digital Signature
- Algorithm keying and signature information for use in the Domain Name
- System is specified.
-
-
-Copyright Notice
-
- Copyright (C) The Internet Society 2005. All Rights Reserved.
-
-
-
-
-
-D. Eastlake 3rd [Page 1]
-
-
-INTERNET-DRAFT DSA Information in the DNS
-
-
-Table of Contents
-
- Status of This Document....................................1
- Abstract...................................................1
- Copyright Notice...........................................1
-
- Table of Contents..........................................2
-
- 1. Introduction............................................3
- 2. DSA Keying Information..................................3
- 3. DSA Signature Information...............................4
- 4. Performance Considerations..............................4
- 5. Security Considerations.................................5
- 6. IANA Considerations.....................................5
- Copyright and Disclaimer...................................5
-
- Normative References.......................................7
- Informative References.....................................7
-
- Authors Address............................................8
- Expiration and File Name...................................8
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 2]
-
-
-INTERNET-DRAFT DSA Information in the DNS
-
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- other information [RFC 1034, 1035]. The DNS has been extended to
- include digital signatures and cryptographic keys as described in
- [RFC 4033, 4034, 4035] and additional work is underway which would
- require the storage of keying and signature information in the DNS.
-
- This document describes how to encode US Government Digital Signature
- Algorithm (DSA) keys and signatures in the DNS. Familiarity with the
- US Digital Signature Algorithm is assumed [FIPS 186-2, Schneier].
-
-
-
-2. DSA Keying Information
-
- When DSA public keys are stored in the DNS, the structure of the
- relevant part of the RDATA part of the RR being used is the fields
- listed below in the order given.
-
- The period of key validity is not included in this data but is
- indicated separately, for example by an RR such as RRSIG which signs
- and authenticates the RR containing the keying information.
-
- Field Size
- ----- ----
- T 1 octet
- Q 20 octets
- P 64 + T*8 octets
- G 64 + T*8 octets
- Y 64 + T*8 octets
-
- As described in [FIPS 186-2] and [Schneier], T is a key size
- parameter chosen such that 0 <= T <= 8. (The meaning if the T octet
- is greater than 8 is reserved and the remainder of the data may have
- a different format in that case.) Q is a prime number selected at
- key generation time such that 2**159 < Q < 2**160. Thus Q is always
- 20 octets long and, as with all other fields, is stored in "big-
- endian" network order. P, G, and Y are calculated as directed by the
- [FIPS 186-2] key generation algorithm [Schneier]. P is in the range
- 2**(511+64T) < P < 2**(512+64T) and thus is 64 + 8*T octets long. G
- and Y are quantities modulo P and so can be up to the same length as
- P and are allocated fixed size fields with the same number of octets
- as P.
-
- During the key generation process, a random number X must be
- generated such that 1 <= X <= Q-1. X is the private key and is used
- in the final step of public key generation where Y is computed as
-
-
-
-D. Eastlake 3rd [Page 3]
-
-
-INTERNET-DRAFT DSA Information in the DNS
-
-
- Y = G**X mod P
-
-
-
-3. DSA Signature Information
-
- The portion of the RDATA area used for US Digital Signature Algorithm
- signature information is shown below with fields in the order they
- are listed and the contents of each multi-octet field in "big-endian"
- network order.
-
- Field Size
- ----- ----
- T 1 octet
- R 20 octets
- S 20 octets
-
- First, the data signed must be determined. Then the following steps
- are taken, as specified in [FIPS 186-2], where Q, P, G, and Y are as
- specified in the public key [Schneier]:
-
- hash = SHA-1 ( data )
-
- Generate a random K such that 0 < K < Q.
-
- R = ( G**K mod P ) mod Q
-
- S = ( K**(-1) * (hash + X*R) ) mod Q
-
- For information on the SHA-1 hash function see [FIPS 180-2] and [RFC
- 3174].
-
- Since Q is 160 bits long, R and S can not be larger than 20 octets,
- which is the space allocated.
-
- T is copied from the public key. It is not logically necessary in
- the SIG but is present so that values of T > 8 can more conveniently
- be used as an escape for extended versions of DSA or other algorithms
- as later standardized.
-
-
-
-4. Performance Considerations
-
- General signature generation speeds are roughly the same for RSA [RFC
- 3110] and DSA. With sufficient pre-computation, signature generation
- with DSA is faster than RSA. Key generation is also faster for DSA.
- However, signature verification is an order of magnitude slower than
- RSA when the RSA public exponent is chosen to be small, as is
- recommended for some applications.
-
-
-D. Eastlake 3rd [Page 4]
-
-
-INTERNET-DRAFT DSA Information in the DNS
-
-
- Current DNS implementations are optimized for small transfers,
- typically less than 512 bytes including DNS overhead. Larger
- transfers will perform correctly and extensions have been
- standardized [RFC 2671] to make larger transfers more efficient, it
- is still advisable at this time to make reasonable efforts to
- minimize the size of RR sets containing keying and/or signature
- inforamtion consistent with adequate security.
-
-
-
-5. Security Considerations
-
- Keys retrieved from the DNS should not be trusted unless (1) they
- have been securely obtained from a secure resolver or independently
- verified by the user and (2) this secure resolver and secure
- obtainment or independent verification conform to security policies
- acceptable to the user. As with all cryptographic algorithms,
- evaluating the necessary strength of the key is essential and
- dependent on local policy.
-
- The key size limitation of a maximum of 1024 bits ( T = 8 ) in the
- current DSA standard may limit the security of DSA. For particular
- applications, implementors are encouraged to consider the range of
- available algorithms and key sizes.
-
- DSA assumes the ability to frequently generate high quality random
- numbers. See [random] for guidance. DSA is designed so that if
- biased rather than random numbers are used, high bandwidth covert
- channels are possible. See [Schneier] and more recent research. The
- leakage of an entire DSA private key in only two DSA signatures has
- been demonstrated. DSA provides security only if trusted
- implementations, including trusted random number generation, are
- used.
-
-
-
-6. IANA Considerations
-
- Allocation of meaning to values of the T parameter that are not
- defined herein (i.e., > 8 ) requires an IETF standards actions. It
- is intended that values unallocated herein be used to cover future
- extensions of the DSS standard.
-
-
-
-Copyright and Disclaimer
-
- Copyright (C) The Internet Society (2005). This document is subject to
- the rights, licenses and restrictions contained in BCP 78, and except
- as set forth therein, the authors retain all their rights.
-
-
-D. Eastlake 3rd [Page 5]
-
-
-INTERNET-DRAFT DSA Information in the DNS
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 6]
-
-
-INTERNET-DRAFT DSA Information in the DNS
-
-
-Normative References
-
- [FIPS 186-2] - U.S. Federal Information Processing Standard: Digital
- Signature Standard, 27 January 2000.
-
- [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
-
-
-Informative References
-
- [RFC 1034] - "Domain names - concepts and facilities", P.
- Mockapetris, 11/01/1987.
-
- [RFC 1035] - "Domain names - implementation and specification", P.
- Mockapetris, 11/01/1987.
-
- [RFC 2671] - "Extension Mechanisms for DNS (EDNS0)", P. Vixie, August
- 1999.
-
- [RFC 3110] - "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
- (DNS)", D. Eastlake 3rd. May 2001.
-
- [RFC 3174] - "US Secure Hash Algorithm 1 (SHA1)", D. Eastlake, P.
- Jones, September 2001.
-
- [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements", RFC 4033, March
- 2005.
-
- [RFC 4035] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security Extensions", RFC
- 4035, March 2005.
-
- [RFC 4086] - Eastlake, D., 3rd, Schiller, J., and S. Crocker,
- "Randomness Requirements for Security", BCP 106, RFC 4086, June 2005.
-
- [Schneier] - "Applied Cryptography Second Edition: protocols,
- algorithms, and source code in C" (second edition), Bruce Schneier,
- 1996, John Wiley and Sons, ISBN 0-471-11709-9.
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 7]
-
-
-INTERNET-DRAFT DSA Information in the DNS
-
-
-Authors Address
-
- Donald E. Eastlake 3rd
- Motorola Labortories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1-508-786-7554(w)
- EMail: Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
- This draft expires in January 2006.
-
- Its file name is draft-ietf-dnsext-rfc2536bis-dsa-06.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 8]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
deleted file mode 100644
index 2ec9dbec512e..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2538bis-04.txt
+++ /dev/null
@@ -1,840 +0,0 @@
-
-
-
-Network Working Group S. Josefsson
-Internet-Draft August 30, 2005
-Expires: March 3, 2006
-
-
- Storing Certificates in the Domain Name System (DNS)
- draft-ietf-dnsext-rfc2538bis-04
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on March 3, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- Cryptographic public keys are frequently published and their
- authenticity demonstrated by certificates. A CERT resource record
- (RR) is defined so that such certificates and related certificate
- revocation lists can be stored in the Domain Name System (DNS).
-
- This document obsoletes RFC 2538.
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 1]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. The CERT Resource Record . . . . . . . . . . . . . . . . . . . 3
- 2.1. Certificate Type Values . . . . . . . . . . . . . . . . . 4
- 2.2. Text Representation of CERT RRs . . . . . . . . . . . . . 5
- 2.3. X.509 OIDs . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3. Appropriate Owner Names for CERT RRs . . . . . . . . . . . . . 6
- 3.1. Content-based X.509 CERT RR Names . . . . . . . . . . . . 7
- 3.2. Purpose-based X.509 CERT RR Names . . . . . . . . . . . . 8
- 3.3. Content-based OpenPGP CERT RR Names . . . . . . . . . . . 9
- 3.4. Purpose-based OpenPGP CERT RR Names . . . . . . . . . . . 9
- 3.5. Owner names for IPKIX, ISPKI, and IPGP . . . . . . . . . . 9
- 4. Performance Considerations . . . . . . . . . . . . . . . . . . 10
- 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
- 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
- 9. Changes since RFC 2538 . . . . . . . . . . . . . . . . . . . . 11
- Appendix A. Copying conditions . . . . . . . . . . . . . . . . . 12
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
- 10.1. Normative References . . . . . . . . . . . . . . . . . . . 12
- 10.2. Informative References . . . . . . . . . . . . . . . . . . 13
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
- Intellectual Property and Copyright Statements . . . . . . . . . . 15
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 2]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-1. Introduction
-
- Public keys are frequently published in the form of a certificate and
- their authenticity is commonly demonstrated by certificates and
- related certificate revocation lists (CRLs). A certificate is a
- binding, through a cryptographic digital signature, of a public key,
- a validity interval and/or conditions, and identity, authorization,
- or other information. A certificate revocation list is a list of
- certificates that are revoked, and incidental information, all signed
- by the signer (issuer) of the revoked certificates. Examples are
- X.509 certificates/CRLs in the X.500 directory system or OpenPGP
- certificates/revocations used by OpenPGP software.
-
- Section 2 below specifies a CERT resource record (RR) for the storage
- of certificates in the Domain Name System [1] [2].
-
- Section 3 discusses appropriate owner names for CERT RRs.
-
- Sections 4, 5, and 6 below cover performance, IANA, and security
- considerations, respectively.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [3].
-
-
-2. The CERT Resource Record
-
- The CERT resource record (RR) has the structure given below. Its RR
- type code is 37.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | type | key tag |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | algorithm | /
- +---------------+ certificate or CRL /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
- The type field is the certificate type as defined in section 2.1
- below.
-
- The key tag field is the 16 bit value computed for the key embedded
- in the certificate, using the RRSIG Key Tag algorithm described in
- Appendix B of [10]. This field is used as an efficiency measure to
- pick which CERT RRs may be applicable to a particular key. The key
-
-
-
-Josefsson Expires March 3, 2006 [Page 3]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- tag can be calculated for the key in question and then only CERT RRs
- with the same key tag need be examined. However, the key must always
- be transformed to the format it would have as the public key portion
- of a DNSKEY RR before the key tag is computed. This is only possible
- if the key is applicable to an algorithm (and limits such as key size
- limits) defined for DNS security. If it is not, the algorithm field
- MUST BE zero and the tag field is meaningless and SHOULD BE zero.
-
- The algorithm field has the same meaning as the algorithm field in
- DNSKEY and RRSIG RRs [10], except that a zero algorithm field
- indicates the algorithm is unknown to a secure DNS, which may simply
- be the result of the algorithm not having been standardized for
- DNSSEC.
-
-2.1. Certificate Type Values
-
- The following values are defined or reserved:
-
- Value Mnemonic Certificate Type
- ----- -------- ----------------
- 0 reserved
- 1 PKIX X.509 as per PKIX
- 2 SPKI SPKI certificate
- 3 PGP OpenPGP packet
- 4 IPKIX The URL of an X.509 data object
- 5 ISPKI The URL of an SPKI certificate
- 6 IPGP The URL of an OpenPGP packet
- 7-252 available for IANA assignment
- 253 URI URI private
- 254 OID OID private
- 255-65534 available for IANA assignment
- 65535 reserved
-
- The PKIX type is reserved to indicate an X.509 certificate conforming
- to the profile being defined by the IETF PKIX working group. The
- certificate section will start with a one-byte unsigned OID length
- and then an X.500 OID indicating the nature of the remainder of the
- certificate section (see 2.3 below). (NOTE: X.509 certificates do
- not include their X.500 directory type designating OID as a prefix.)
-
- The SPKI type is reserved to indicate the SPKI certificate format
- [13], for use when the SPKI documents are moved from experimental
- status.
-
- The PGP type indicates an OpenPGP packet as described in [6] and its
- extensions and successors. Two uses are to transfer public key
- material and revocation signatures. The data is binary, and MUST NOT
- be encoded into an ASCII armor. An implementation SHOULD process
-
-
-
-Josefsson Expires March 3, 2006 [Page 4]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- transferable public keys as described in section 10.1 of [6], but it
- MAY handle additional OpenPGP packets.
-
- The IPKIX, ISPKI and IPGP types indicate a URL which will serve the
- content that would have been in the "certificate, CRL or URL" field
- of the corresponding (PKIX, SPKI or PGP) packet types. These types
- are known as "indirect". These packet types MUST be used when the
- content is too large to fit in the CERT RR, and MAY be used at the
- implementer's discretion. They SHOULD NOT be used where the entire
- UDP packet would have fit in 512 bytes.
-
- The URI private type indicates a certificate format defined by an
- absolute URI. The certificate portion of the CERT RR MUST begin with
- a null terminated URI [5] and the data after the null is the private
- format certificate itself. The URI SHOULD be such that a retrieval
- from it will lead to documentation on the format of the certificate.
- Recognition of private certificate types need not be based on URI
- equality but can use various forms of pattern matching so that, for
- example, subtype or version information can also be encoded into the
- URI.
-
- The OID private type indicates a private format certificate specified
- by an ISO OID prefix. The certificate section will start with a one-
- byte unsigned OID length and then a BER encoded OID indicating the
- nature of the remainder of the certificate section. This can be an
- X.509 certificate format or some other format. X.509 certificates
- that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
- type, not the OID private type. Recognition of private certificate
- types need not be based on OID equality but can use various forms of
- pattern matching such as OID prefix.
-
-2.2. Text Representation of CERT RRs
-
- The RDATA portion of a CERT RR has the type field as an unsigned
- decimal integer or as a mnemonic symbol as listed in section 2.1
- above.
-
- The key tag field is represented as an unsigned decimal integer.
-
- The algorithm field is represented as an unsigned decimal integer or
- a mnemonic symbol as listed in [10].
-
- The certificate / CRL portion is represented in base 64 [14] and may
- be divided up into any number of white space separated substrings,
- down to single base 64 digits, which are concatenated to obtain the
- full signature. These substrings can span lines using the standard
- parenthesis.
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 5]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- Note that the certificate / CRL portion may have internal sub-fields,
- but these do not appear in the master file representation. For
- example, with type 254, there will be an OID size, an OID, and then
- the certificate / CRL proper. But only a single logical base 64
- string will appear in the text representation.
-
-2.3. X.509 OIDs
-
- OIDs have been defined in connection with the X.500 directory for
- user certificates, certification authority certificates, revocations
- of certification authority, and revocations of user certificates.
- The following table lists the OIDs, their BER encoding, and their
- length-prefixed hex format for use in CERT RRs:
-
- id-at-userCertificate
- = { joint-iso-ccitt(2) ds(5) at(4) 36 }
- == 0x 03 55 04 24
- id-at-cACertificate
- = { joint-iso-ccitt(2) ds(5) at(4) 37 }
- == 0x 03 55 04 25
- id-at-authorityRevocationList
- = { joint-iso-ccitt(2) ds(5) at(4) 38 }
- == 0x 03 55 04 26
- id-at-certificateRevocationList
- = { joint-iso-ccitt(2) ds(5) at(4) 39 }
- == 0x 03 55 04 27
-
-
-3. Appropriate Owner Names for CERT RRs
-
- It is recommended that certificate CERT RRs be stored under a domain
- name related to their subject, i.e., the name of the entity intended
- to control the private key corresponding to the public key being
- certified. It is recommended that certificate revocation list CERT
- RRs be stored under a domain name related to their issuer.
-
- Following some of the guidelines below may result in the use in DNS
- names of characters that require DNS quoting which is to use a
- backslash followed by the octal representation of the ASCII code for
- the character (e.g., \000 for NULL).
-
- The choice of name under which CERT RRs are stored is important to
- clients that perform CERT queries. In some situations, the clients
- may not know all information about the CERT RR object it wishes to
- retrieve. For example, a client may not know the subject name of an
- X.509 certificate, or the e-mail address of the owner of an OpenPGP
- key. Further, the client might only know the hostname of a service
- that uses X.509 certificates or the Key ID of an OpenPGP key.
-
-
-
-Josefsson Expires March 3, 2006 [Page 6]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- Therefore, two owner name guidelines are defined: content-based owner
- names and purpose-based owner names. A content-based owner name is
- derived from the content of the CERT RR data; for example, the
- Subject field in an X.509 certificate or the User ID field in OpenPGP
- keys. A purpose-based owner name is a name that a client retrieving
- CERT RRs MUST already know; for example, the host name of an X.509
- protected service or the Key ID of an OpenPGP key. The content-based
- and purpose-based owner name MAY be the same; for example, when a
- client looks up a key based on the From: address of an incoming
- e-mail.
-
- Implementations SHOULD use the purpose-based owner name guidelines
- described in this document, and MAY use CNAMEs of content-based owner
- names (or other names), pointing to the purpose-based owner name.
-
-3.1. Content-based X.509 CERT RR Names
-
- Some X.509 versions permit multiple names to be associated with
- subjects and issuers under "Subject Alternate Name" and "Issuer
- Alternate Name". For example, X.509v3 has such Alternate Names with
- an ASN.1 specification as follows:
-
- GeneralName ::= CHOICE {
- otherName [0] INSTANCE OF OTHER-NAME,
- rfc822Name [1] IA5String,
- dNSName [2] IA5String,
- x400Address [3] EXPLICIT OR-ADDRESS.&Type,
- directoryName [4] EXPLICIT Name,
- ediPartyName [5] EDIPartyName,
- uniformResourceIdentifier [6] IA5String,
- iPAddress [7] OCTET STRING,
- registeredID [8] OBJECT IDENTIFIER
- }
-
- The recommended locations of CERT storage are as follows, in priority
- order:
- 1. If a domain name is included in the identification in the
- certificate or CRL, that should be used.
- 2. If a domain name is not included but an IP address is included,
- then the translation of that IP address into the appropriate
- inverse domain name should be used.
- 3. If neither of the above is used, but a URI containing a domain
- name is present, that domain name should be used.
- 4. If none of the above is included but a character string name is
- included, then it should be treated as described for OpenPGP
- names below.
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 7]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- 5. If none of the above apply, then the distinguished name (DN)
- should be mapped into a domain name as specified in [4].
-
- Example 1: An X.509v3 certificate is issued to /CN=John Doe /DC=Doe/
- DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative Names of (a)
- string "John (the Man) Doe", (b) domain name john-doe.com, and (c)
- uri <https://www.secure.john-doe.com:8080/>. The storage locations
- recommended, in priority order, would be
- 1. john-doe.com,
- 2. www.secure.john-doe.com, and
- 3. Doe.com.xy.
-
- Example 2: An X.509v3 certificate is issued to /CN=James Hacker/
- L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names of (a)
- domain name widget.foo.example, (b) IPv4 address 10.251.13.201, and
- (c) string "James Hacker <hacker@mail.widget.foo.example>". The
- storage locations recommended, in priority order, would be
- 1. widget.foo.example,
- 2. 201.13.251.10.in-addr.arpa, and
- 3. hacker.mail.widget.foo.example.
-
-3.2. Purpose-based X.509 CERT RR Names
-
- Due to the difficulty for clients that do not already possess a
- certificate to reconstruct the content-based owner name, purpose-
- based owner names are recommended in this section. Recommendations
- for purpose-based owner names vary per scenario. The following table
- summarizes the purpose-based X.509 CERT RR owner name guidelines for
- use with S/MIME [16], SSL/TLS [11], and IPSEC [12]:
-
- Scenario Owner name
- ------------------ ----------------------------------------------
- S/MIME Certificate Standard translation of an RFC 2822 email
- address. Example: An S/MIME certificate for
- "postmaster@example.org" will use a standard
- hostname translation of the owner name,
- "postmaster.example.org".
-
- TLS Certificate Hostname of the TLS server.
-
- IPSEC Certificate Hostname of the IPSEC machine and/or, for IPv4
- or IPv6 addresses, the fully qualified domain
- name in the appropriate reverse domain.
-
- An alternate approach for IPSEC is to store raw public keys [15].
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 8]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-3.3. Content-based OpenPGP CERT RR Names
-
- OpenPGP signed keys (certificates) use a general character string
- User ID [6]. However, it is recommended by OpenPGP that such names
- include the RFC 2822 [8] email address of the party, as in "Leslie
- Example <Leslie@host.example>". If such a format is used, the CERT
- should be under the standard translation of the email address into a
- domain name, which would be leslie.host.example in this case. If no
- RFC 2822 name can be extracted from the string name, no specific
- domain name is recommended.
-
- If a user has more than one email address, the CNAME type can be used
- to reduce the amount of data stored in the DNS. Example:
-
- $ORIGIN example.org.
- smith IN CERT PGP 0 0 <OpenPGP binary>
- john.smith IN CNAME smith
- js IN CNAME smith
-
-3.4. Purpose-based OpenPGP CERT RR Names
-
- Applications that receive an OpenPGP packet containing encrypted or
- signed data but do not know the email address of the sender will have
- difficulties constructing the correct owner name and cannot use the
- content-based owner name guidelines. However, these clients commonly
- know the key fingerprint or the Key ID. The key ID is found in
- OpenPGP packets, and the key fingerprint is commonly found in
- auxilliary data that may be available. In this case, use of an owner
- name identical to the key fingerprint and the key ID expressed in
- hexadecimal [14] is recommended. Example:
-
- $ORIGIN example.org.
- 0424D4EE81A0E3D119C6F835EDA21E94B565716F IN CERT PGP ...
- F835EDA21E94B565716F IN CERT PGP ...
- B565716F IN CERT PGP ...
-
- If the same key material is stored for several owner names, the use
- of CNAME may be used to avoid data duplication. Note that CNAME is
- not always applicable, because it maps one owner name to the other
- for all purposes, which may be sub-optimal when two keys with the
- same Key ID are stored.
-
-3.5. Owner names for IPKIX, ISPKI, and IPGP
-
- These types are stored under the same owner names, both purpose- and
- content-based, as the PKIX, SPKI and PGP types.
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 9]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-4. Performance Considerations
-
- Current Domain Name System (DNS) implementations are optimized for
- small transfers, typically not more than 512 bytes including
- overhead. While larger transfers will perform correctly and work is
- underway to make larger transfers more efficient, it is still
- advisable at this time to make every reasonable effort to minimize
- the size of certificates stored within the DNS. Steps that can be
- taken may include using the fewest possible optional or extension
- fields and using short field values for necessary variable length
- fields.
-
- The RDATA field in the DNS protocol may only hold data of size 65535
- octets (64kb) or less. This means that each CERT RR MUST NOT contain
- more than 64kb of payload, even if the corresponding certificate or
- certificate revocation list is larger. This document addresses this
- by defining "indirect" data types for each normal type.
-
-
-5. Contributors
-
- The majority of this document is copied verbatim from RFC 2538, by
- Donald Eastlake 3rd and Olafur Gudmundsson.
-
-
-6. Acknowledgements
-
- Thanks to David Shaw and Michael Graff for their contributions to
- earlier works that motivated, and served as inspiration for, this
- document.
-
- This document was improved by suggestions and comments from Olivier
- Dubuisson, Olaf M. Kolkman, Ben Laurie, Edward Lewis, Jason
- Sloderbeck, Samuel Weiler, and Florian Weimer. No doubt the list is
- incomplete. We apologize to anyone we left out.
-
-
-7. Security Considerations
-
- By definition, certificates contain their own authenticating
- signature. Thus, it is reasonable to store certificates in non-
- secure DNS zones or to retrieve certificates from DNS with DNS
- security checking not implemented or deferred for efficiency. The
- results MAY be trusted if the certificate chain is verified back to a
- known trusted key and this conforms with the user's security policy.
-
- Alternatively, if certificates are retrieved from a secure DNS zone
- with DNS security checking enabled and are verified by DNS security,
-
-
-
-Josefsson Expires March 3, 2006 [Page 10]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- the key within the retrieved certificate MAY be trusted without
- verifying the certificate chain if this conforms with the user's
- security policy.
-
- If an organization chooses to issue certificates for it's employees,
- placing CERT RR's in the DNS by owner name, and if DNSSEC (with NSEC)
- is in use, it is possible for someone to enumerate all employees of
- the organization. This is usually not considered desirable, for the
- same reason enterprise phone listings are not often publicly
- published and are even mark confidential.
-
- When the URI type is used, it should be understood that it introduces
- an additional indirection that may allow for a new attack vector.
- One method to secure that indirection is to include a hash of the
- certificate in the URI itself.
-
- CERT RRs are not used by DNSSEC [9], so there are no security
- considerations related to CERT RRs and securing the DNS itself.
-
- If DNSSEC is used, then the non-existence of a CERT RR and,
- consequently, certificates or revocation lists can be securely
- asserted. Without DNSSEC, this is not possible.
-
-
-8. IANA Considerations
-
- Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
- only be assigned by an IETF standards action [7]. This document
- assigns 0x0001 through 0x0006 and 0x00FD and 0x00FE. Certificate
- types 0x0100 through 0xFEFF are assigned through IETF Consensus [7]
- based on RFC documentation of the certificate type. The availability
- of private types under 0x00FD and 0x00FE should satisfy most
- requirements for proprietary or private types.
-
- The CERT RR reuses the DNS Security Algorithm Numbers registry. In
- particular, the CERT RR requires that algorithm number 0 remain
- reserved, as described in Section 2. The IANA is directed to
- reference the CERT RR as a user of this registry and value 0, in
- particular.
-
-
-9. Changes since RFC 2538
-
- 1. Editorial changes to conform with new document requirements,
- including splitting reference section into two parts and
- updating the references to point at latest versions, and to add
- some additional references.
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 11]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- 2. Improve terminology. For example replace "PGP" with "OpenPGP",
- to align with RFC 2440.
- 3. In section 2.1, clarify that OpenPGP public key data are binary,
- not the ASCII armored format, and reference 10.1 in RFC 2440 on
- how to deal with OpenPGP keys, and acknowledge that
- implementations may handle additional packet types.
- 4. Clarify that integers in the representation format are decimal.
- 5. Replace KEY/SIG with DNSKEY/RRSIG etc, to align with DNSSECbis
- terminology. Improve reference for Key Tag Algorithm
- calculations.
- 6. Add examples that suggest use of CNAME to reduce bandwidth.
- 7. In section 3, appended the last paragraphs that discuss
- "content-based" vs "purpose-based" owner names. Add section 3.2
- for purpose-based X.509 CERT owner names, and section 3.4 for
- purpose-based OpenPGP CERT owner names.
- 8. Added size considerations.
- 9. The SPKI types has been reserved, until RFC 2692/2693 is moved
- from the experimental status.
- 10. Added indirect types IPKIX, ISPKI, and IPGP.
-
-
-Appendix A. Copying conditions
-
- Regarding the portion of this document that was written by Simon
- Josefsson ("the author", for the remainder of this section), the
- author makes no guarantees and is not responsible for any damage
- resulting from its use. The author grants irrevocable permission to
- anyone to use, modify, and distribute it in any way that does not
- diminish the rights of anyone else to use, modify, and distribute it,
- provided that redistributed derivative works do not contain
- misleading author or version information. Derivative works need not
- be licensed under similar terms.
-
-
-10. References
-
-10.1. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [4] Kille, S., Wahl, M., Grimstad, A., Huber, R., and S. Sataluri,
-
-
-
-Josefsson Expires March 3, 2006 [Page 12]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
- "Using Domains in LDAP/X.500 Distinguished Names", RFC 2247,
- January 1998.
-
- [5] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
- Resource Identifiers (URI): Generic Syntax", RFC 2396,
- August 1998.
-
- [6] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
- "OpenPGP Message Format", RFC 2440, November 1998.
-
- [7] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [8] Resnick, P., "Internet Message Format", RFC 2822, April 2001.
-
- [9] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
- [10] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
-10.2. Informative References
-
- [11] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
- RFC 2246, January 1999.
-
- [12] Kent, S. and R. Atkinson, "Security Architecture for the
- Internet Protocol", RFC 2401, November 1998.
-
- [13] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B.,
- and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
- September 1999.
-
- [14] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
- RFC 3548, July 2003.
-
- [15] Richardson, M., "A Method for Storing IPsec Keying Material in
- DNS", RFC 4025, March 2005.
-
- [16] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
- (S/MIME) Version 3.1 Message Specification", RFC 3851,
- July 2004.
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 13]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-Author's Address
-
- Simon Josefsson
-
- Email: simon@josefsson.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 14]
-
-Internet-Draft Storing Certificates in the DNS August 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Josefsson Expires March 3, 2006 [Page 15]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt
deleted file mode 100644
index 5e6cb1d09e2a..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-rfc2539bis-dhk-06.txt
+++ /dev/null
@@ -1,580 +0,0 @@
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-OBSOLETES: RFC 2539 Donald E. Eastlake 3rd
- Motorola Laboratories
-Expires: January 2006 July 2005
-
-
-
-
- Storage of Diffie-Hellman Keying Information in the DNS
- ------- -- -------------- ------ ----------- -- --- ---
- <draft-ietf-dnsext-rfc2539bis-dhk-06.txt>
-
-
-
-Status of This Document
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Distribution of this document is unlimited. Comments should be sent
- to the DNS extensions working group mailing list
- <namedroppers@ops.ietf.org>.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-Abstract
-
- The standard method for encoding Diffie-Hellman keys in the Domain
- Name System is specified.
-
-
-
-Copyright
-
- Copyright (C) The Internet Society 2005.
-
-
-
-D. Eastlake 3rd [Page 1]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-Acknowledgements
-
- Part of the format for Diffie-Hellman keys and the description
- thereof was taken from a work in progress by Ashar Aziz, Tom Markson,
- and Hemma Prafullchandra. In addition, the following persons
- provided useful comments that were incorporated into the predecessor
- of this document: Ran Atkinson, Thomas Narten.
-
-
-
-Table of Contents
-
- Status of This Document....................................1
- Abstract...................................................1
- Copyright..................................................1
-
- Acknowledgements...........................................2
- Table of Contents..........................................2
-
- 1. Introduction............................................3
- 1.1 About This Document....................................3
- 1.2 About Diffie-Hellman...................................3
- 2. Encoding Diffie-Hellman Keying Information..............4
- 3. Performance Considerations..............................5
- 4. IANA Considerations.....................................5
- 5. Security Considerations.................................5
- Copyright and Disclaimer...................................5
-
- Normative References.......................................7
- Informative Refences.......................................7
-
- Author Address.............................................8
- Expiration and File Name...................................8
-
- Appendix A: Well known prime/generator pairs...............9
- A.1. Well-Known Group 1: A 768 bit prime..................9
- A.2. Well-Known Group 2: A 1024 bit prime.................9
- A.3. Well-Known Group 3: A 1536 bit prime................10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 2]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- similar information [RFC 1034, 1035]. The DNS has been extended to
- include digital signatures and cryptographic keys as described in
- [RFC 4033, 4034, 4035] and additonal work is underway which would use
- the storage of keying information in the DNS.
-
-
-
-1.1 About This Document
-
- This document describes how to store Diffie-Hellman keys in the DNS.
- Familiarity with the Diffie-Hellman key exchange algorithm is assumed
- [Schneier, RFC 2631].
-
-
-
-1.2 About Diffie-Hellman
-
- Diffie-Hellman requires two parties to interact to derive keying
- information which can then be used for authentication. Thus Diffie-
- Hellman is inherently a key agreement algorithm. As a result, no
- format is defined for Diffie-Hellman "signature information". For
- example, assume that two parties have local secrets "i" and "j".
- Assume they each respectively calculate X and Y as follows:
-
- X = g**i ( mod p )
-
- Y = g**j ( mod p )
-
- They exchange these quantities and then each calculates a Z as
- follows:
-
- Zi = Y**i ( mod p )
-
- Zj = X**j ( mod p )
-
- Zi and Zj will both be equal to g**(i*j)(mod p) and will be a shared
- secret between the two parties that an adversary who does not know i
- or j will not be able to learn from the exchanged messages (unless
- the adversary can derive i or j by performing a discrete logarithm
- mod p which is hard for strong p and g).
-
- The private key for each party is their secret i (or j). The public
- key is the pair p and g, which must be the same for the parties, and
- their individual X (or Y).
-
- For further information about Diffie-Hellman and precautions to take
-
-
-D. Eastlake 3rd [Page 3]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
- in deciding on a p and g, see [RFC 2631].
-
-
-
-2. Encoding Diffie-Hellman Keying Information
-
- When Diffie-Hellman keys appear within the RDATA portion of a RR,
- they are encoded as shown below.
-
- The period of key validity is not included in this data but is
- indicated separately, for example by an RR such as RRSIG which signs
- and authenticates the RR containing the keying information.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | KEY flags | protocol | algorithm=2 |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | prime length (or flag) | prime (p) (or special) /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / prime (p) (variable length) | generator length |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | generator (g) (variable length) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | public value length | public value (variable length)/
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / public value (g^i mod p) (variable length) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- Prime length is the length of the Diffie-Hellman prime (p) in bytes
- if it is 16 or greater. Prime contains the binary representation of
- the Diffie-Hellman prime with most significant byte first (i.e., in
- network order). If "prime length" field is 1 or 2, then the "prime"
- field is actually an unsigned index into a table of 65,536
- prime/generator pairs and the generator length SHOULD be zero. See
- Appedix A for defined table entries and Section 4 for information on
- allocating additional table entries. The meaning of a zero or 3
- through 15 value for "prime length" is reserved.
-
- Generator length is the length of the generator (g) in bytes.
- Generator is the binary representation of generator with most
- significant byte first. PublicValueLen is the Length of the Public
- Value (g**i (mod p)) in bytes. PublicValue is the binary
- representation of the DH public value with most significant byte
- first.
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 4]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-3. Performance Considerations
-
- Current DNS implementations are optimized for small transfers,
- typically less than 512 bytes including DNS overhead. Larger
- transfers will perform correctly and extensions have been
- standardized [RFC 2671] to make larger transfers more efficient. But
- it is still advisable at this time to make reasonable efforts to
- minimize the size of RR sets containing keying information consistent
- with adequate security.
-
-
-
-4. IANA Considerations
-
- Assignment of meaning to Prime Lengths of 0 and 3 through 15 requires
- an IETF consensus as defined in [RFC 2434].
-
- Well known prime/generator pairs number 0x0000 through 0x07FF can
- only be assigned by an IETF standards action. [RFC 2539], the
- Proposed Standard predecessor of this document, assigned 0x0001
- through 0x0002. This document additionally assigns 0x0003. Pairs
- number 0s0800 through 0xBFFF can be assigned based on RFC
- documentation. Pairs number 0xC000 through 0xFFFF are available for
- private use and are not centrally coordinated. Use of such private
- pairs outside of a closed environment may result in conflicts and/or
- security failures.
-
-
-
-5. Security Considerations
-
- Keying information retrieved from the DNS should not be trusted
- unless (1) it has been securely obtained from a secure resolver or
- independently verified by the user and (2) this secure resolver and
- secure obtainment or independent verification conform to security
- policies acceptable to the user. As with all cryptographic
- algorithms, evaluating the necessary strength of the key is important
- and dependent on security policy.
-
- In addition, the usual Diffie-Hellman key strength considerations
- apply. (p-1)/2 should also be prime, g should be primitive mod p, p
- should be "large", etc. See [RFC 2631, Schneier].
-
-
-
-Copyright and Disclaimer
-
- Copyright (C) The Internet Society (2005). This document is subject to
- the rights, licenses and restrictions contained in BCP 78, and except
- as set forth therein, the authors retain all their rights.
-
-
-D. Eastlake 3rd [Page 5]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 6]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-Normative References
-
- [RFC 2631] - "Diffie-Hellman Key Agreement Method", E. Rescorla, June
- 1999.
-
- [RFC 2434] - "Guidelines for Writing an IANA Considerations Section
- in RFCs", T. Narten, H. Alvestrand, October 1998.
-
- [RFC 4034] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions", RFC 4034,
- March 2005.
-
-
-
-Informative Refences
-
- [RFC 1034] - "Domain names - concepts and facilities", P.
- Mockapetris, November 1987.
-
- [RFC 1035] - "Domain names - implementation and specification", P.
- Mockapetris, November 1987.
-
- [RFC 2539] - "Storage of Diffie-Hellman Keys in the Domain Name
- System (DNS)", D. Eastlake, March 1999, obsoleted by this RFC.
-
- [RFC 2671] - "Extension Mechanisms for DNS (EDNS0)", P. Vixie, August
- 1999.
-
- [RFC 4033] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements", RFC 4033, March
- 2005.
-
- [RFC 4035] - Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security Extensions", RFC
- 4035, March 2005.
-
- [Schneier] - Bruce Schneier, "Applied Cryptography: Protocols,
- Algorithms, and Source Code in C" (Second Edition), 1996, John Wiley
- and Sons.
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 7]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-Author Address
-
- Donald E. Eastlake 3rd
- Motorola Laboratories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1-508-786-7554
- EMail: Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
- This draft expires in January 2006.
-
- Its file name is draft-ietf-dnsext-rfc2539bis-dhk-06.txt.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 8]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-Appendix A: Well known prime/generator pairs
-
- These numbers are copied from the IPSEC effort where the derivation of
- these values is more fully explained and additional information is
- available.
- Richard Schroeppel performed all the mathematical and computational
- work for this appendix.
-
-
-
-A.1. Well-Known Group 1: A 768 bit prime
-
- The prime is 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }. Its
- decimal value is
- 155251809230070893513091813125848175563133404943451431320235
- 119490296623994910210725866945387659164244291000768028886422
- 915080371891804634263272761303128298374438082089019628850917
- 0691316593175367469551763119843371637221007210577919
-
- Prime modulus: Length (32 bit words): 24, Data (hex):
- FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
- 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
- EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
- E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
-
- Generator: Length (32 bit words): 1, Data (hex): 2
-
-
-
-A.2. Well-Known Group 2: A 1024 bit prime
-
- The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
- Its decimal value is
- 179769313486231590770839156793787453197860296048756011706444
- 423684197180216158519368947833795864925541502180565485980503
- 646440548199239100050792877003355816639229553136239076508735
- 759914822574862575007425302077447712589550957937778424442426
- 617334727629299387668709205606050270810842907692932019128194
- 467627007
-
- Prime modulus: Length (32 bit words): 32, Data (hex):
- FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
- 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
- EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
- E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
- EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
- FFFFFFFF FFFFFFFF
-
- Generator: Length (32 bit words): 1, Data (hex): 2
-
-
-
-D. Eastlake 3rd [Page 9]
-
-
-INTERNET-DRAFT Diffie-Hellman Information in the DNS
-
-
-A.3. Well-Known Group 3: A 1536 bit prime
-
- The prime is 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }.
- Its decimal value is
- 241031242692103258855207602219756607485695054850245994265411
- 694195810883168261222889009385826134161467322714147790401219
- 650364895705058263194273070680500922306273474534107340669624
- 601458936165977404102716924945320037872943417032584377865919
- 814376319377685986952408894019557734611984354530154704374720
- 774996976375008430892633929555996888245787241299381012913029
- 459299994792636526405928464720973038494721168143446471443848
- 8520940127459844288859336526896320919633919
-
- Prime modulus Length (32 bit words): 48, Data (hex):
- FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
- 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
- EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
- E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
- EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
- C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
- 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
- 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
-
- Generator: Length (32 bit words): 1, Data (hex): 2
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 10]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt
deleted file mode 100644
index 0af13c616f99..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-signed-nonexistence-requirements-01.txt
+++ /dev/null
@@ -1,755 +0,0 @@
-
-
-Network Working Group B. Laurie
-Internet-Draft Nominet
-Expires: March 2, 2005 R. Loomis
- SAIC
- September 2004
-
-
-
- Requirements related to DNSSEC Signed Proof of Non-Existence
- draft-ietf-dnsext-signed-nonexistence-requirements-01
-
-
-Status of this Memo
-
-
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
- This Internet-Draft will expire on March 2, 2005.
-
-
-Copyright Notice
-
-
- Copyright (C) The Internet Society (2004).
-
-
-Abstract
-
-
- DNSSEC-bis uses the NSEC record to provide authenticated denial of
- existence of RRsets. NSEC also has the side-effect of permitting
- zone enumeration, even if zone transfers have been forbidden.
- Because some see this as a problem, this document has been assembled
- to detail the possible requirements for denial of existence A/K/A
- signed proof of non-existence.
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 1]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
-Table of Contents
-
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Non-purposes . . . . . . . . . . . . . . . . . . . . . . . . 3
- 3. Zone Enumeration . . . . . . . . . . . . . . . . . . . . . . 3
- 4. Zone Enumeration II . . . . . . . . . . . . . . . . . . . . 4
- 5. Zone Enumeration III . . . . . . . . . . . . . . . . . . . . 4
- 6. Exposure of Contents . . . . . . . . . . . . . . . . . . . . 4
- 7. Zone Size . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 8. Single Method . . . . . . . . . . . . . . . . . . . . . . . 5
- 9. Empty Non-terminals . . . . . . . . . . . . . . . . . . . . 5
- 10. Prevention of Precomputed Dictionary Attacks . . . . . . . . 6
- 11. DNSSEC-Adoption and Zone-Growth Relationship . . . . . . . . 6
- 12. Non-overlap of denial records with possible zone records . . 7
- 13. Exposure of Private Keys . . . . . . . . . . . . . . . . . . 7
- 14. Minimisation of Zone Signing Cost . . . . . . . . . . . . . 8
- 15. Minimisation of Asymmetry . . . . . . . . . . . . . . . . . 8
- 16. Minimisation of Client Complexity . . . . . . . . . . . . . 8
- 17. Completeness . . . . . . . . . . . . . . . . . . . . . . . . 8
- 18. Purity of Namespace . . . . . . . . . . . . . . . . . . . . 8
- 19. Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . 8
- 20. Compatibility with NSEC . . . . . . . . . . . . . . . . . . 8
- 21. Compatibility with NSEC II . . . . . . . . . . . . . . . . . 9
- 22. Compatibility with NSEC III . . . . . . . . . . . . . . . . 9
- 23. Coexistence with NSEC . . . . . . . . . . . . . . . . . . . 9
- 24. Coexistence with NSEC II . . . . . . . . . . . . . . . . . . 9
- 25. Protocol Design . . . . . . . . . . . . . . . . . . . . . . 9
- 26. Process . . . . . . . . . . . . . . . . . . . . . . . . . . 9
- 27. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
- 28. Requirements notation . . . . . . . . . . . . . . . . . . . 9
- 29. Security Considerations . . . . . . . . . . . . . . . . . . 10
- 30. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 30.1 Normative References . . . . . . . . . . . . . . . . . . . 10
- 30.2 Informative References . . . . . . . . . . . . . . . . . . 10
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 10
- Intellectual Property and Copyright Statements . . . . . . . 11
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 2]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
-1. Introduction
-
-
- NSEC records allow trivial enumeration of zones - a situation that
- has existed for several years but which has recently been raised as a
- significant concern for DNSSECbis deployment in several zones.
- Alternate proposals have been made that make zone enumeration more
- difficult, and some previous proposals to modify DNSSEC had related
- requirements/desirements that are relevant to the discussion. In
- addition the original designs for NSEC/NXT records were based on
- working group discussions and the choices made were not always
- documented with context and requirements-- so some of those choices
- may need to be restated as requirements. Overall, the working group
- needs to better understand the requirements for denial of existence
- (and certain other requirements related to DNSSECbis deployment) in
- order to evaluate the proposals that may replace NSEC.
-
-
- In the remainder of this document, "NSEC++" is used as shorthand for
- "a denial of existence proof that will replace NSEC". "NSECbis" has
- also been used as shorthand for this, but we avoid that usage since
- NSECbis will not be part of DNSSECbis and therefore there might be
- some confusion.
-
-
-2. Non-purposes
-
-
- This document does not currently document the reasons why zone
- enumeration might be "bad" from a privacy, security, business, or
- other perspective--except insofar as those reasons result in
- requirements. Once the list of requirements is complete and vaguely
- coherent, the trade-offs (reducing zone enumeration will have X cost,
- while providing Y benefit) may be revisited. The editors of this
- compendium received inputs on the potential reasons why zone
- enumeration is bad (and there was significant discussion on the
- DNSEXT WG mailing list) but that information fell outside the scope
- of this document.
-
-
- Note also that this document does not assume that NSEC *must* be
- replaced with NSEC++, if the requirements can be met through other
- methods (e.g., "white lies" with the current NSEC). As is stated
- above, this document is focused on requirements collection and
- (ideally) prioritization rather than on the actual implementation.
-
-
-3. Zone Enumeration
-
-
- Authenticated denial should not permit trivial zone enumeration.
-
-
- Additional discussion: NSEC (and NXT before it) provide a linked
- list that could be "walked" to trivially enumerate all the signed
- records in a zone. This requirement is primarily (though not
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 3]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
- exclusively) important for zones that either are delegation-only/
- -mostly or do not have reverse lookup (PTR) records configured, since
- enterprises that have PTR records for all A records have already
- provided a similar capability to enumerate the contents of DNS zones.
-
-
- Contributor: various
-
-
-4. Zone Enumeration II
-
-
- Zone enumeration should be at least as difficult as it would be to
- effect a dictionary attack using simple DNS queries to do the same in
- an unsecured zone.
-
-
- (Editor comment: it is not clear how to measure difficulty in this
- case. Some examples could be monetary cost, bandwidth, processing
- power or some combination of these. It has also been suggested that
- the requirement is that the graph of difficulty of enumeration vs.
- the fraction of the zone enumerated should be approximately the same
- shape in the two cases)
-
-
- Contributor: Nominet
-
-
-5. Zone Enumeration III
-
-
- Enumeration of a zone with random contents should computationally
- infeasible.
-
-
- Editor comment: this is proposed as a way of evaluating the
- effectiveness of a proposal rather than as a requirement anyone would
- actually have in practice.
-
-
- Contributor: Alex Bligh
-
-
-6. Exposure of Contents
-
-
- NSEC++ should not expose any of the contents of the zone (apart from
- the NSEC++ records themselves, of course).
-
-
- Editor comment: this is a weaker requirement than prevention of
- enumeration, but certainly any zone that satisfied this requirement
- would also satisfy the trivial prevention of enumeration requirement.
-
-
- Contributor: Ed Lewis
-
-
-7. Zone Size
-
-
- Requirement: NSEC++ should make it possible to take precautions
- against trivial zone size estimates. Since not all zone owners care
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 4]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
- about others estimation of the size of a zone, it is not always
- necessary to prohibit trivial estimation of the size of the zone but
- NSEC++ should allow such measures.
-
-
- Additional Discussion: Even with proposals based on obfuscating names
- with hashes it is trivial to give very good estimates of the number
- of domains in a certain zone. Just send 10 random queries and look
- at the range between the two hash values returned in each NSEC++. As
- hash output can be assumed to follow a rectangular random
- distribution, using the mean difference between the two values, you
- can estimate the total number of records. It is probably sufficient
- to look at even one NSEC++, since the two hash values should follow a
- (I believe) Poisson distribution.
-
-
- The concern is motivated by some wording remembered from NSEC, which
- stated that NSEC MUST only be present for existing owner names in the
- zone, and MUST NOT be present for non-existing owner names. If
- similar wording were carried over to NSEC++, introducing bogus owner
- names in the hash chain (an otherwise simple solution to guard
- against trivial estimates of zone size) wouldn't be allowed.
-
-
- One simple attempt at solving this is to describe in the
- specifications how zone signer tools can add a number of random
- "junk" records.
-
-
- Editor's comment: it is interesting that obfuscating names might
- actually make it easier to estimate zone size.
-
-
- Contributor: Simon Josefsson.
-
-
-8. Single Method
-
-
- Requirement: A single NSEC++ method must be able to carry both
- old-style denial (i.e. plain labels) and whatever the new style
- looks like. Having two separate denial methods could result in
- cornercases where one method can deny the other and vice versa.
-
-
- Additional discussion: This requirement can help -bis folks to a
- smooth upgrade to -ter. First they'd change the method while the
- content is the same, then they can change content of the method.
-
-
- Contributor: Roy Arends.
-
-
-9. Empty Non-terminals
-
-
- Requirement: Empty-non-terminals (ENT) should remain empty. In
- other words, adding NSEC++ records to an existing DNS structure
- should not cause the creation of NSEC++ records (or related records)
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 5]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
- at points that are otherwise ENT.
-
-
- Additional discussion: Currently NSEC complies with ENT requirement:
- b.example.com NSEC a.c.example.com implies the existence of an ENT
- with ownername c.example.com. NSEC2 breaks that requirement, since
- the ownername is entirely hashed causing the structure to disappear.
- This is why EXIST was introduced. But EXIST causes ENT to be
- non-empty-terminals. Next to the dissappearance of ENT, it causes
- (some) overhead since an EXIST record needs a SIG, NSEC2 and
- SIG(NSEC2). DNSNR honours this requirement by hashing individual
- labels instead of ownernames. However this causes very long labels.
- Truncation is a measure against very long ownernames, but that is
- controversial. There is a fair discussion of the validity of
- truncation in the DNSNR draft, but that hasn't got proper review yet.
-
-
- Contributor: Roy Arends.
-
-
- (Editor comment: it is not clear to us that an EXIST record needs an
- NSEC2 record, since it is a special purpose record only used for
- denial of existence)
-
-
-10. Prevention of Precomputed Dictionary Attacks
-
-
- Requirement: NSEC++ needs to provide a method to reduce the
- effectiveness of precomputed dictionary attacks.
-
-
- Additional Discussion: Salt is a measure against dictionary attacks.
- There are other possible measures (such as iterating hashes in
- NSEC2). The salt needs to be communicated in every response, since
- it is needed in every verification. Some have suggested to move the
- salt to a special record instead of the denial record. I think this
- is not wise. Response size has more priority over zone size. An
- extra record causes a larger response than a larger existing record.
-
-
- Contributor: Roy Arends.
-
-
- (Editor comment: the current version of NSEC2 also has the salt in
- every NSEC2 record)
-
-
-11. DNSSEC-Adoption and Zone-Growth Relationship
-
-
- Background: Currently with NSEC, when a delegation centric zone
- deploys DNSSEC, the zone-size multiplies by a non-trivial factor even
- when the DNSSEC-adoption rate of the subzones remains low--because
- each delegation point creates at least one NSEC record and
- corresponding signature in the parent even if the child is not
- signed.
-
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 6]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
- Requirements: A delegation-only (or delegation-mostly) zone that is
- signed but which has no signed child zones should initially need only
- to add SIG(SOA), DNSKEY, and SIG(DNSKEY) at the apex, along with some
- minimal set of NSEC++ records to cover zone contents. Further,
- during the transition of a delegation-only zone from 0% signed
- children to 100% signed children, the growth in the delegation-only
- zone should be roughly proportional to the percentage of signed child
- zones.
-
-
- Additional Discussion: This is why DNSNR has the Authoritative Only
- bit. This is similar to opt-in for delegations only. This (bit) is
- currently the only method to help delegation-centric zone cope with
- zone-growth due to DNSSEC adoption. As an example, A delegation only
- zone which deploys DNSSEC with the help of this bit, needs to add
- SIG(SOA), DNSKEY, SIG(DNSKEY), DNSNR, SIG(DNSNR) at the apex. No
- more than that.
-
-
- Contributor: Roy Arends.
-
-
-12. Non-overlap of denial records with possible zone records
-
-
- Requirement: NSEC++ records should in some way be differentiated
- from regular zone records, so that there is no possibility that a
- record in the zone could be duplicated by a non-existence proof
- (NSEC++) record.
-
-
- Additional discussion: This requirement is derived from a discussion
- on the DNSEXT mailing list related to copyrights and domain names.
- As was outlined there, one solution is to put NSEC++ records in a
- separate namespace, e.g.: $ORIGIN co.uk.
- 873bcdba87401b485022b8dcd4190e3e IN NS jim.rfc1035.com ; your
- delegation 873bcdba87401b485022b8dcd4190e3e._no IN NSEC++ 881345...
- ; for amazon.co.uk.
-
-
- Contributor: various
-
-
- (Editor comment: One of us still does not see why a conflict
- matters. Even if there is an apparent conflict or overlap, the
- "conflicting" NSEC2 name _only_ appears in NSEC2 records, and the
- other name _never_ appears in NSEC2 records.)
-
-
-13. Exposure of Private Keys
-
-
- Private keys associated with the public keys in the DNS should be
- exposed as little as possible. It is highly undesirable for private
- keys to be distributed to nameservers, or to otherwise be available
- in the run-time environment of nameservers.
-
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 7]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
- Contributors: Nominet, Olaf Kolkman, Ed Lewis
-
-
-14. Minimisation of Zone Signing Cost
-
-
- The additional cost of creating an NSEC++ signed zone should not
- significantly exceed the cost of creating an ordinary signed zone.
-
-
- Contributor: Nominet
-
-
-15. Minimisation of Asymmetry
-
-
- Nameservers should have to do as little additional work as necessary.
- More precisely, it is desirable for any increase in cost incurred by
- the nameservers to be offset by a proportionate increase in cost to
- DNS `clients', e.g. stub and/or `full-service' resolvers.
-
-
- Contributor: Nominet
-
-
-16. Minimisation of Client Complexity
-
-
- Caching, wildcards, CNAMEs, DNAMEs should continue to work without
- adding too much complexity at the client side.
-
-
- Contributor: Olaf Kolkman
-
-
-17. Completeness
-
-
- A proof of nonexistence should be possible for all nonexistent data
- in the zone.
-
-
- Contributor: Olaf Kolkman
-
-
-18. Purity of Namespace
-
-
- The name space should not be muddied with fake names or data sets.
-
-
- Contributor: Ed Lewis
-
-
-19. Replay Attacks
-
-
- NSEC++ should not allow a replay to be used to deny existence of an
- RR that actually exists.
-
-
- Contributor: Ed Lewis
-
-
-20. Compatibility with NSEC
-
-
- NSEC++ should not introduce changes incompatible with NSEC.
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 8]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
- Contributor: Ed Lewis
-
-
-21. Compatibility with NSEC II
-
-
- NSEC++ should differ from NSEC in a way that is transparent to the
- resolver or validator.
-
-
- Contributor: Ed Lewis
-
-
-22. Compatibility with NSEC III
-
-
- NSEC++ should differ from NSEC as little as possible whilst achieving
- other requirements.
-
-
- Contributor: Alex Bligh
-
-
-23. Coexistence with NSEC
-
-
- NSEC++ should be optional, allowing NSEC to be used instead.
-
-
- Contributor: Ed Lewis, Alex Bligh
-
-
-24. Coexistence with NSEC II
-
-
- NSEC++ should not impose extra work on those content with NSEC.
-
-
- Contributor: Ed Lewis
-
-
-25. Protocol Design
-
-
- A good security protocol would allow signing the nonexistence of some
- selected names without revealing anything about other names.
-
-
- Contributor: Dan Bernstein
-
-
-26. Process
-
-
- Clearly not all of these requirements can be met. Therefore the next
- phase of this document will be to either prioritise them or narrow
- them down to a non-contradictory set, which should then allow us to
- judge proposals on the basis of their fit.
-
-
-27. Acknowledgements
-
-
-28. Requirements notation
-
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 9]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
- document are to be interpreted as described in [RFC2119].
-
-
-29. Security Considerations
-
-
- There are currently no security considerations called out in this
- draft. There will be security considerations in the choice of which
- requirements will be implemented, but there are no specific security
- requirements during the requirements collection process.
-
-
-30. References
-
-
-30.1 Normative References
-
-
- [dnssecbis-protocol]
- "DNSSECbis Protocol Definitions", BCP XX, RFC XXXX, Some
- Month 2004.
-
-
-30.2 Informative References
-
-
- [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
- 3", BCP 9, RFC 2026, October 1996.
-
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
- [RFC2418] Bradner, S., "IETF Working Group Guidelines and
- Procedures", BCP 25, RFC 2418, September 1998.
-
-
-
-Authors' Addresses
-
-
- Ben Laurie
- Nominet
- 17 Perryn Road
- London W3 7LR
- England
-
-
- Phone: +44 (20) 8735 0686
- EMail: ben@algroup.co.uk
-
-
-
- Rip Loomis
- Science Applications International Corporation
- 7125 Columbia Gateway Drive, Suite 300
- Columbia, MD 21046
- US
-
-
- EMail: gilbert.r.loomis@saic.com
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 10]
-Internet-Draft signed-nonexistence-requirements September 2004
-
-
-
-Intellectual Property Statement
-
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-
-Disclaimer of Validity
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Copyright Statement
-
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-
-Acknowledgment
-
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-Laurie & Loomis Expires March 2, 2005 [Page 11]
\ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt
deleted file mode 100644
index c5c3b84ba3d5..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt
+++ /dev/null
@@ -1,1235 +0,0 @@
-
-
-
-
-
-
-DNSEXT Working Group Yuji Kamite
-INTERNET-DRAFT NTT Communications
-<draft-ietf-dnsext-tkey-renewal-mode-04.txt> Masaya Nakayama
-Expires: Aug. 2004 The University of Tokyo
- Feb. 2004
-
-
-
-
- TKEY Secret Key Renewal Mode
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with all
- provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering Task
- Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as ``work in progress.''
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-Abstract
-
- This document defines a new mode in TKEY and proposes an atomic
- method for changing secret keys used for TSIG periodically.
- Originally, TKEY provides methods of setting up shared secrets other
- than manual exchange, but it cannot control timing of key renewal
- very well though it can add or delete shared keys separately. This
- proposal is a systematical key renewal procedure intended for
- preventing signing DNS messages with old and non-safe keys
- permanently.
-
-
-
-
-
-
-
-
-Kamite, et. al. [Page 1]
-
-INTERNET-DRAFT Feb. 2004
-
-
- Table of Contents
-
-
-1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 Defined Words . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.2 New Format and Assigned Numbers . . . . . . . . . . . . . . . 4
- 1.3 Overview of Secret Key Renewal Mode . . . . . . . . . . . . . 4
-2 Shared Secret Key Renewal . . . . . . . . . . . . . . . . . . . . 5
- 2.1 Key Usage Time Check . . . . . . . . . . . . . . . . . . . . 5
- 2.2 Partial Revocation . . . . . . . . . . . . . . . . . . . . . 6
- 2.3 Key Renewal Message Exchange . . . . . . . . . . . . . . . . 7
- 2.3.1 Query for Key Renewal . . . . . . . . . . . . . . . . . . 7
- 2.3.2 Response for Key Renewal . . . . . . . . . . . . . . . . 7
- 2.3.3 Attributes of Generated Key . . . . . . . . . . . . . . . 8
- 2.3.4 TKEY RR structure . . . . . . . . . . . . . . . . . . . . 8
- 2.4 Key Adoption . . . . . . . . . . . . . . . . . . . . . . . . 10
- 2.4.1 Query for Key Adoption . . . . . . . . . . . . . . . . . 10
- 2.4.2 Response for Key Adoption . . . . . . . . . . . . . . . . 10
- 2.5 Keying Schemes . . . . . . . . . . . . . . . . . . . . . . . 11
- 2.5.1 DH Exchange for Key Renewal . . . . . . . . . . . . . . . 11
- 2.5.2 Server Assigned Keying for Key Renewal . . . . . . . . . 12
- 2.5.3 Resolver Assigned Keying for Key Renewal . . . . . . . . 13
- 2.6 Considerations about Non-compliant Hosts . . . . . . . . . . 14
-3 Secret Storage . . . . . . . . . . . . . . . . . . . . . . . . . 15
-4 Compulsory Key Revocation . . . . . . . . . . . . . . . . . . . . 15
- 4.1 Compulsory Key Revocation by Server . . . . . . . . . . . . . 15
- 4.2 Authentication Methods Considerations . . . . . . . . . . . . 15
-5 Special Considerations for Two Servers' Case . . . . . . . . . . 16
- 5.1 To Cope with Collisions of Renewal Requests . . . . . . . . . 16
-6 Key Name Considerations . . . . . . . . . . . . . . . . . . . . . 17
-7 Example Usage of Secret Key Renewal Mode . . . . . . . . . . . . 17
-8 Security Considerations . . . . . . . . . . . . . . . . . . . . . 20
-9 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . . 20
-10 Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . . . 21
-11 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
-Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 22
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kamite, et. al. [Page 2]
-
-INTERNET-DRAFT Feb. 2004
-
-
-1. Introduction
-
- TSIG [RFC2845] provides DNS message integrity and the
- request/transaction authentication by means of message authentication
- codes (MAC). TSIG is a practical solution in view of calculation
- speed and availability. However, TSIG does not have exchanging
- mechanism of shared secret keys between server and resolver, and
- administrators might have to exchange secret keys manually. TKEY
- [RFC2930] is introduced to solve such problem and it can exchange
- secrets for TSIG via networks.
-
- In various modes of TKEY, a server and a resolver can add or delete a
- secret key be means of TKEY message exchange. However, the existing
- TKEY does not care fully about the management of keys which became
- too old, or dangerous after long time usage.
-
- It is ideal that the number of secret which a pair of hosts share
- should be limited only one, because having too many keys for the same
- purpose might not only be a burden to resolvers for managing and
- distinguishing according to servers to query, but also does not seem
- to be safe in terms of storage and protection against attackers.
- Moreover, perhaps holding old keys long time might give attackers
- chances to compromise by scrupulous calculation.
-
- Therefore, when a new shared secret is established by TKEY, the
- previous old secret should be revoked immediately. To accomplish
- this, DNS servers must support a protocol for key renewal. This
- document specifies procedure to refresh secret keys between two hosts
- which is defined within the framework of TKEY, and it is called "TKEY
- Secret Key Renewal Mode".
-
- The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" and
- "OPTIONAL" in this document are to be interpreted as described in
- [RFC2119].
-
-
-1.1. Defined Words
-
- * Inception Time: Beginning of the shared secret key lifetime. This
- value is determined when the key is generated.
-
- * Expiry Limit: Time limit of the key's validity. This value is
- determined when a new key is generated. After Expiry Limit, server
- and client (resolver) must not authenticate TSIG signed with the key.
- Therefore, Renewal to the next key should be carried out before
- Expiry Limit.
-
- * Partial Revocation Time: Time when server judges the key is too old
-
-
-
-Kamite, et. al. [Page 3]
-
-INTERNET-DRAFT Feb. 2004
-
-
- and must be updated. It must be between Inception Time and Expiry
- Limit. This value is determined by server freely following its
- security policy. e.g., If the time from Inception to Partial
- Revocation is short, renewal will be carried out more often, which
- might be safer.
-
- * Revocation Time: Time when the key becomes invalid and can be
- removed. This value is not determined in advance because it is the
- actual time when revocation is completed.
-
- * Adoption Time: Time when the new key is adopted as the next key
- formally. After Adoption, the key is valid and server and client can
- generate or verify TSIG making use of it. Adoption Time also means
- the time when it becomes possible to remove the previous key, so
- Revocation and Adoption are usually done at the same time.
-
-
- Partial
- Inception Revocation Revocation Expiry Limit
- | | | |
- |----------------|- - - - - - >>|- (revoked) -|
- | | | |
- previous key | | |
- |- - - -|-------------------->> time
- | | new key
- Inception Adoption
-
-
-1.2. New Format and Assigned Numbers
-
- TSIG
- ERROR = (PartialRevoke), TBD
-
- TKEY
- Mode = (server assignment for key renewal), TBD
- Mode = (Diffie-Hellman exchange for key renewal), TBD
- Mode = (resolver assignment for key renewal), TBD
- Mode = (key adoption), TBD
-
-
-1.3. Overview of Secret Key Renewal Mode
-
- When a server receives a query from a client signed with a TSIG key,
- It always checks if the present time is within the range of usage
- duration it considers safe. If it is judged that the key is too old,
- i.e., after Partial Revocation Time, the server comes to be in
- Partial Revocation state about the key, and this key is called
- partially revoked.
-
-
-
-Kamite, et. al. [Page 4]
-
-INTERNET-DRAFT Feb. 2004
-
-
- In this state, if a client sends a normal query (e.g., question about
- A RR) other than TKEY Renewal request with TSIG signed with the old
- key, the server returns an error message to notify that the time to
- renew has come. This is called "PartialRevoke" error message. It is
- server's choice whether it returns PartialRevoke or not. If and only
- if the server is ready for changing its own key, it decides to return
- PartialRevoke.
-
- The client which got this error is able to notice that it is
- necessary to refresh the secret. To make a new shared secret, it
- sends a TKEY Renewal request, in which several keying methods are
- available. It can make use of TSIG authentication signed with the
- partially revoked key mentioned above.
-
- After new secret establishment, the client sends a TKEY Adoption
- request for renewal confirmation. This can also be authenticated with
- the partially revoked key. If this is admitted by the server, the new
- key is formally adopted, and at the same time the corresponding old
- secret is invalidated. Then the client can send the first query again
- signed with the new key.
-
- Key renewal procedure is executed based on two-phase commit
- mechanism. The first phase is the TKEY Renewal request and its
- response, which means preparatory confirmation for key update. The
- second phase is Adoption request and its response. If the server gets
- request and client receives the response successfully, they can
- finish renewal process. If any error happens and renewal process
- fails during these phases, client should roll back to the beginning
- of the first phase, and send TKEY Renewal request again. This
- rollback can be done until the Expiry Limit of the key.
-
-
-2. Shared Secret Key Renewal
-
- Suppose a server and a client agree to change their TSIG keys
- periodically. Key renewal procedure is defined between two hosts.
-
-2.1. Key Usage Time Check
-
- Whenever a server receives a query with TSIG and can find a key that
- is used for signing it, the server checks its Inception Time, Partial
- Revocation Time and Expiry Limit (this information is usually
- memorized by the server).
-
- When the present time is before Inception Time, the server MUST NOT
- verify TSIG with the key, and server acts the same way as when the
- key used by the client is not recognized. It follows [RFC2845] 4.5.1.
-
-
-
-
-Kamite, et. al. [Page 5]
-
-INTERNET-DRAFT Feb. 2004
-
-
- When the present time is equal to Inception Time, or between
- Inception Time and Partial Revocation Time, the behavior of the
- server is the same as when a valid key is found. It follows [RFC2845]
- 4.5.2 and 4.5.3.
-
- When the present time is the same as the Partial Revocation Time, or
- between the Partial Revocation Time and Expiry Limit, the server
- comes to be in Partial Revocation state about the TSIG key and
- behaves according to the next section.
-
- When the present time is the same as the Expiry Time or after it, the
- server MUST NOT verify TSIG with the key, and returns error messages
- in the same way as when the key used by the client is not recognized.
- It follows [RFC2845] 4.5.1.
-
-
-2.2. Partial Revocation
-
- In Partial Revocation state, we say the server has partially revoked
- the key and the key has become a "partially revoked key".
-
- If server has received a query signed with the partially revoked key
- for TKEY Renewal request (See section 2.3.) or Key Adoption request
- (See section 2.4.), then server does proper process following each
- specification. If it is for TKEY key deletion request ([RFC2930]
- 4.2), server MAY process usual deletion operation defined therein.
-
- If server receives other types of query signed with the partially
- revoked key, and both the corresponding MAC and signed TIME are
- verified, then server begins returning answer whose TSIG error code
- is "PartialRevoke" (See section 9.). Server MUST randomly but with
- increasing frequency return PartialRevoke when in the Partial
- Revocation state.
-
- Server can decide when it actually sends PartialRevoke, checking if
- it is appropriate time for renewal. Server MUST NOT return
- PartialRevoke if this is apart long lived TSIG transaction (such as
- AXFR) that started before the Partial Revocation Time.
-
- If the client receives PartialRevoke and understands it, then it MUST
- retry the query with the old key unless a new key has been adopted.
- Client SHOULD start the process to renew the TSIG key. For key
- renewal procedure, see details in Section 2.3 and 2.4.
-
- PartialRevoke period (i.e., time while server returns PartialRevoke
- randomely) SHOULD be small, say 2-5% of key lifetime. This is
- server's choice.
-
-
-
-
-Kamite, et. al. [Page 6]
-
-INTERNET-DRAFT Feb. 2004
-
-
- Server MUST keep track of clients ignoring PartialRevoke, thus
- indicating ignorance of this TKEY mode.
-
- PartialRevoke error messages have the role to inform clients of the
- keys' partial revocation and urge them to send TKEY Renewal requests.
- These error responses MUST be signed with those partial revoked keys
- if the queries are signed with them. They are sent only when the
- signing keys are found to be partially revoked. If the MAC of TSIG
- cannot be verified with the partially revoked keys, servers MUST NOT
- return PartialRevoke error with MAC, but MUST return another error
- such as "BADSIG" without MAC (following [RFC2845] 4.5.3); in other
- words, a server informs its key's partial revocation only when the
- MAC in the received query is valid.
-
-
-2.3. Key Renewal Message Exchange
-
-2.3.1. Query for Key Renewal
-
- If a client has received a PartialRevoke error and authenticated the
- response based on TSIG MAC, it sends a TKEY query for Key Renewal (in
- this document, we call it Renewal request, too.) to the server. The
- request MUST be signed with TSIG or SIG(0) [RFC2931] for
- authentication. If TSIG is selected, the client can sign it with the
- partial revoked key.
-
- Key Renewal can use one of several keying methods which is indicated
- in "Mode" field of TKEY RR, and its message structure is dependent on
- that method.
-
-
-2.3.2. Response for Key Renewal
-
- The server which has received Key Renewal request first tries to
- verify TSIG or SIG(0) accompanying it. If the TSIG is signed and
- verified with the partially revoked key, the request MUST be
- authenticated.
-
- After authentication, server must check existing old key's validity.
- If the partially revoked key indicated in the request TKEY's OldName
- and OldAlgorithm field (See section 2.3.4.) does not exist at the
- server, "BADKEY" [RFC2845] is given in Error field for response. If
- any other error happens, server returns appropriate error messages
- following the specification described in section 2.5. If there are no
- errors, server returns a Key Renewal answer. This answer MUST be
- signed with TSIG or SIG(0) for authentication.
-
- When this answer is successfully returned and no error is detected by
-
-
-
-Kamite, et. al. [Page 7]
-
-INTERNET-DRAFT Feb. 2004
-
-
- client, a new shared secret can be established. The details of
- concrete keying procedure are given in the section 2.5.
-
- Note:
- Sometimes Adoption message and new Renewal request will cross on
- the wire. In this case the newly generated key Adoption message is
- resent.
-
-
-2.3.3. Attributes of Generated Key
-
- As a result of this message exchange, client comes to know the newly
- generated key's attributes such as key's name, Inception Time and
- Expiry Limit. They are decided by the server and told to the client;
- in particular, however, once the server has decided Expiry Limit and
- returned a response, it should obey the decision as far as it can. In
- other words, they SHOULD NOT change time values for checking Expiry
- Limit in the future without any special reason, such as security
- issue like "Emergency Compulsory Revocation" described in section 8.
-
- On the other hand, Partial Revocation Time of this generated key is
- not decided based on the request, and not informed to the client. The
- server can determine any value as long as it is between Inception
- Time and Expiry Limit. However, the period from Inception to Partial
- Revocation SHOULD be fixed as the server side's configuration or be
- set the same as the corresponding old key's one.
-
- Note:
- Even if client sends Key Renewal request though the key described
- in OldName has not been partially revoked yet, server does renewal
- processes. At the moment when the server accepts such requests
- with valid authentication, it MUST forcibly consider the key is
- already partially revoked, that is, the key's Partial Revocation
- Time must be changed into the present time (i.e., the time when
- the server receives the request).
-
-
-2.3.4. TKEY RR structure
-
- TKEY RR for Key Renewal message has the structure given below. In
- principle, format and definition for each field follows [RFC2930].
- Note that each keying scheme sometimes needs different interpretation
- of RDATA field; for detail, see section 2.5.
-
- Field Type Comment
- ------- ------ -------
- NAME domain used for a new key, see below
- TYPE u_int16_t (defined in [RFC2930])
-
-
-
-Kamite, et. al. [Page 8]
-
-INTERNET-DRAFT Feb. 2004
-
-
- CLASS u_int16_t (defined in [RFC2930])
- TTL u_int32_t (defined in [RFC2930])
- RDLEN u_int16_t (defined in [RFC2930])
- RDATA:
- Algorithm: domain algorithm for a new key
- Inception: u_int32_t about the keying material
- Expiration: u_int32_t about the keying material
- Mode: u_int16_t scheme for key agreement
- see section 9.
- Error: u_int16_t see description below
- Key Size: u_int16_t see description below
- Key Data: octet-stream
- Other Size: u_int16_t (defined in [RFC2930])
- size of other data
- Other Data: newly defined: see description below
-
-
- For "NAME" field, both non-root and root name are allowed. It may
- be used for a new key's name in the same manner as [RFC2930] 2.1.
-
- "Algorithm" specifies which algorithm is used for agreed keying
- material, which is used for identification of the next key.
-
- "Inception" and "Expiration" are used for the valid period of
- keying material. The meanings differ somewhat according to whether
- the message is request or answer, and its keying scheme.
-
- "Key Data" has different meanings according to keying schemes.
-
- "Mode" field stores the value in accordance with the keying method,
- and see section 2.5. Servers and clients supporting TKEY Renewal
- method MUST implement "Diffie-Hellman exchange for key renewal"
- scheme. All other modes are OPTIONAL.
-
- "Error" is an extended RCODE which includes "PartialRevoke" value
- too. See section 9.
-
- "Other Data" field has the structure given below. They describe
- attributes of the key to be renewed.
-
- in Other Data filed:
-
- Field Type Comment
- ------- ------ -------
- OldNAME domain name of the old key
- OldAlgorithm domain algorithm of the old key
-
-
-
-
-
-Kamite, et. al. [Page 9]
-
-INTERNET-DRAFT Feb. 2004
-
-
- "OldName" indicates the name of the previous key (usually,
- this is partially revoked key's name that client noticed by
- PartialRevoke answer from server), and "OldAlogirthm"
- indicates its algorithm.
-
-
-2.4. Key Adoption
-
-2.4.1. Query for Key Adoption
-
- After receiving a TKEY Renewal answer, the client gets the same
- secret as the server. Then, it sends a TKEY Adoption request. The
- request's question section's QNAME field is the same as the NAME
- filed of TKEY written below. In additional section, there is one TKEY
- RR that has the structure and values described below.
-
- "NAME" field is the new key's name to be adopted which was already
- generated by Renewal message exchange. "Algorithm" is its
- algorithm. "Inception" means the key's Inception Time, and
- "Expiration" means Expiry Limit.
-
- "Mode" field is the value of "key adoption". See section 9.
-
- "Other Data" field in Adoption has the same structure as that of
- Renewal request message. "OldName" means the previous old key, and
- "OldAlogirthm" means its algorithm.
-
- Key Adoption request MUST be signed with TSIG or SIG(0) for
- authentication. The client can sign TSIG with the previous key. Note
- that until Adoption is finished, the new key is treated as invalid,
- thus it cannot be used for authentication immediately.
-
-
-2.4.2. Response for Key Adoption
-
- The server which has received Adoption request, it verifies TSIG or
- SIG(0) accompanying it. If the TSIG is signed with the partially
- revoked key and can be verified, the message MUST be authenticated.
-
- If the next new key indicated by the request TKEY's "NAME" is not
- present at the server, BADNAME [RFC2845] is given in Error field and
- the error message is returned.
-
- If the next key exists but it has not been adopted formally yet, the
- server confirms the previous key's existence indicated by the
- "OldName" and "OldAlgorithm" field. If it succeeds, the server
- executes Adoption of the next key and Revocation of the previous key.
- Response message duplicates the request's TKEY RR with NOERROR,
-
-
-
-Kamite, et. al. [Page 10]
-
-INTERNET-DRAFT Feb. 2004
-
-
- including "OldName" and "OldAlgorithm" that indicate the revoked key.
-
- If the next key exists but it is already adopted, the server returns
- a response message regardless of the substance of the request TKEY's
- "OldName". In this response, Response TKEY RR has the same data as
- the request's one except as to its "Other Data" that is changed into
- null (i.e., "Other Size" is zero), which is intended for telling the
- client that the previous key name was ignored, and the new key is
- already available.
-
- Client sometimes has to retry Adoption request. Suppose the client
- sent request signed with the partially revoked key, but its response
- did not return successfully (e.g., due to the drop of UDP packet).
- Client will probably retry Adoption request; however, the request
- will be refused in the form of TSIG "BADKEY" error because the
- previous key was already revoked. In this case, client will
- retransmit Adoption request signed with the next key, and expect a
- response which has null "Other Data" for confirming the completion of
- renewal.
-
-
-2.5. Keying Schemes
-
- In Renewal message exchanges, there are no limitations as to which
- keying method is actually used. The specification of keying
- algorithms is independent of the general procedure of Renewal that is
- described in section 2.3.
-
- Now this document specifies three algorithms in this section, but
- other future documents can make extensions defining other methods.
-
-
-2.5.1. DH Exchange for Key Renewal
-
- This scheme is defined as an extended method of [RFC2930] 4.1. This
- specification only describes the difference from it and special
- notice; assume that all other points, such as keying material
- computation, are the exactly same as the specification of [RFC2930]
- 4.1.
-
- Query
- In Renewal request for type TKEY with this mode, there is one TKEY
- RR and one KEY RR in the additional information section. KEY RR is
- the client's Diffie-Hellman public key [RFC2539].
-
- QNAME in question section is the same as that of "NAME" field in
- TKEY RR, i.e., it means the requested new key's name.
-
-
-
-
-Kamite, et. al. [Page 11]
-
-INTERNET-DRAFT Feb. 2004
-
-
- TKEY "Mode" field stores the value of "DH exchange for key
- renewal". See section 9.
-
- TKEY "Inception" and "Expiration" are those requested for the
- keying material, that is, requested usage period of a new key.
-
- TKEY "Key Data" is used as a random, following [RFC2930] 4.1.
-
- Response
- The server which received this request first verifies the TSIG,
- SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
- old key's existence validity is checked, following section 2.3. If
- any incompatible DH key is found in the request, "BADKEY"
- [RFC2845] is given in Error field for response. "FORMERR" is given
- if the query included no DH KEY.
-
- If there are no errors, the server processes a response according
- to Diffie-Hellman algorithm and returns the answer. In this
- answer, there is one TKEY RR in answer section and KEY RR(s) in
- additional section.
-
- As long as no error has occurred, all values of TKEY are equal to
- that of the request message except TKEY NAME, TKEY RDLEN, RDATA's
- Inception, Expiration, Key Size and Key Data.
-
- TKEY "NAME" field in the answer specifies the name of newly
- produced key which the client MUST use.
-
- TKEY "Inception" and "Expiration" mean the periods of the produced
- key usage. "Inception" is set to be the time when the new key is
- actually generated or the time before it, and it will be regarded
- as Inception Time. "Expiration" is determined by the server, and
- it will be regarded as Expiry Limit.
-
- TKEY "Key Data" is used as an additional nonce, following
- [RFC2930] 4.1.
-
- The resolver supplied Diffie-Hellman KEY RR SHOULD be echoed in
- the additional section and a server Diffie-Hellman KEY RR will
- also be present in the answer section, following [RFC2930] 4.1.
-
-
-2.5.2. Server Assigned Keying for Key Renewal
-
- This scheme is defined as an extended method of [RFC2930] 4.4. This
- specification only describes the difference from it and special
- notice; assume that all other points, such as secret encrypting
- method, are the exactly same as the specification of [RFC2930] 4.4.
-
-
-
-Kamite, et. al. [Page 12]
-
-INTERNET-DRAFT Feb. 2004
-
-
- Query
- In Renewal request for type TKEY with this mode, there is one TKEY
- RR and one KEY RR in the additional information section. KEY RR is
- used in encrypting the response.
-
- QNAME in question section is the same as that of "NAME" field in
- TKEY RR, i.e., it means the requested new key's name.
-
- TKEY "Mode" field stores the value of "server assignment for key
- renewal". See section 9.
-
- TKEY "Inception" and "Expiration" are those requested for the
- keying material, that is, requested usage period of a new key.
-
- TKEY "Key Data" is provided following the specification of
- [RFC2930] 4.4.
-
- Response
- The server which received this request first verifies the TSIG,
- SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
- old key's existence validity is checked, following section 2.3.
- "FORMERR" is given if the query specified no encryption key.
-
- If there are no errors, the server response contains one TKEY RR
- in the answer section, and echoes the KEY RR provided in the query
- in the additional information section.
-
- TKEY "NAME" field in the answer specifies the name of newly
- produced key which the client MUST use.
-
- TKEY "Inception" and "Expiration" mean the periods of the produced
- key usage. "Inception" is set to be the time when the new key is
- actually generated or the time before it, and it will be regarded
- as Inception Time. "Expiration" is determined by the server, and
- it will be regarded as Expiry Limit.
-
- TKEY "Key Data" is the assigned keying data encrypted under the
- public key in the resolver provided KEY RR, which is the same as
- [RFC2930] 4.4.
-
-
-2.5.3. Resolver Assigned Keying for Key Renewal
-
- This scheme is defined as an extended method of [RFC2930] 4.5. This
- specification only describes the difference from it and special
- notice; assume that all other points, such as secret encrypting
- method, are the exactly same as the specification of [RFC2930] 4.5.
-
-
-
-
-Kamite, et. al. [Page 13]
-
-INTERNET-DRAFT Feb. 2004
-
-
- Query
- In Renewal request for type TKEY with this mode, there is one TKEY
- RR and one KEY RR in the additional information section. TKEY RR
- has the encrypted keying material and KEY RR is the server public
- key used to encrypt the data.
-
- QNAME in question section is the same as that of "NAME" field in
- TKEY RR, i.e., it means the requested new key's name.
-
- TKEY "Mode" field stores the value of "resolver assignment for key
- renewal". See section 9.
-
- TKEY "Inception" and "Expiration" are those requested for the
- keying material, that is, requested usage period of a new key.
-
- TKEY "Key Data" is the encrypted keying material.
-
- Response
- The server which received this request first verifies the TSIG,
- SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
- old key's existence validity is checked, following section 2.3.
- "FORMERR" is given if the server does not have the corresponding
- private key for the KEY RR that was shown sin the request.
-
- If there are no errors, the server returns a response. The
- response contains a TKEY RR in the answer section to tell the
- shared key's name and its usage time values.
-
- TKEY "NAME" field in the answer specifies the name of newly
- produced key which the client MUST use.
-
- TKEY "Inception" and "Expiration" mean the periods of the produced
- key usage. "Inception" is set to be the time when the new key is
- actually generated or the time before it, and it will be regarded
- as Inception Time. "Expiration" is determined by the server, and
- it will be regarded as Expiry Limit.
-
-
-2.6. Considerations about Non-compliant Hosts
-
- Key Renewal requests and responses must be exchanged between hosts
- which can understand them and do proper processes. PartialRevoke
- error messages will be only ignored if they should be returned to
- non-compliant hosts.
-
- Note that server does not inform actively the necessity of renewal to
- clients, but inform it as responses invoked by client's query.
- Server needs not care whether the PartialRevoke errors has reached
-
-
-
-Kamite, et. al. [Page 14]
-
-INTERNET-DRAFT Feb. 2004
-
-
- client or not. If client has not received yet because of any reasons
- such as packet drops, it will resend the queries, and finally will be
- able to get PartialRevoke information.
-
-
-3. Secret Storage
-
- Every server keeps all secrets and attached information, e.g.,
- Inception Time, Expiry Limit, etc. safely to be able to recover from
- unexpected stop. To accomplish this, formally adopted keys SHOULD be
- memorized not only on memory, but also be stored in the form of some
- files. It will become more secure if they are stored in ecrypted
- form.
-
-
-4. Compulsory Key Revocation
-
-4.1. Compulsory Key Revocation by Server
-
- There is a rare but possible case that although servers have already
- partially revoked keys, clients do not try to send any Renewal
- requests. If this state continues, in the future it will become the
- time of Expiry Limit. After Expiry Limit, the keys will be expired
- and completely removed, so this is called Compulsory Key Revocation
- by server.
-
- If Expiry Limit is too distant from the Partial Revocation Time, then
- even though very long time passes, clients will be able to refresh
- secrets only if they add TSIG signed with those old partially revoked
- keys into requests, which is not safe.
-
- On the other hand, if Expiry Limit is too close to Partial Revocation
- Time, perhaps clients might not be able to notice their keys' Partial
- Revocation by getting "PartialRevoke" errors.
-
- Therefore, servers should set proper Expiry Limit to their keys,
- considering both their keys' safety, and enough time for clients to
- send requests and process renewal.
-
-
-4.2. Authentication Methods Considerations
-
- It might be ideal to provide both SIG(0) and TSIG as authentication
- methods. For example:
-
- A client and a server start SIG(0) authentication at first, to
- establish TSIG shared keys by means of "Query for Diffie-Hellman
- Exchanged Keying" as described in [RFC2930] 4.1. Once they get
-
-
-
-Kamite, et. al. [Page 15]
-
-INTERNET-DRAFT Feb. 2004
-
-
- shared secret, they keep using TSIG for queries and responses.
- After a while the server returns a "ParitalRevoke" error and they
- begin a key renewal process. Both TSIG signed with partially
- revoked keys and SIG(0) are okay for authentication, but TSIG would
- be easier to use considering calculation efficiency.
-
- Suppose now client is halted for long time with some reason.
- Because server does not execute any renewal process, it will
- finally do Compulsory Revocation. Even if client restarts and sends
- a key Renewal request, it will fail because old key is already
- deleted at server.
-
- At this moment, however, if client also uses SIG(0) as another
- authentication method, it can make a new shared key again and
- recover successfully by sending "Query for Diffie-Hellman Exchanged
- Keying" with SIG(0).
-
-
-5. Special Considerations for Two servers' Case
-
- This section refers to the case where both hosts are DNS servers
- which can act as full resolvers as well and using one shared key
- only. If one server (called Server A) wants to refresh a shared key
- (called "Key A-B"), it will await a TKEY Renewal request from the
- other server (called Server B). However, perhaps Server A wants to
- refresh the key right now.
-
- In this case, Server A is allowed to send a Renewal request to Server
- B, if Server A knows the Key A-B is too old and wants to renew it
- immediately.
-
- Note that the initiative in key renewal belongs to Server A because
- it can notice the Partial Revocation Time and decide key renewal. If
- Server B has information about Partial Revocation Time as well, it
- can also decide for itself to send Renewal request to Server A.
- However, it is not essential for both two servers have information
- about key renewal timing.
-
-5.1. To Cope with Collisions of Renewal Requests
-
- At least one of two hosts which use Key Renewal must know their key
- renewal information such as Partial Revocation Time. It is okay that
- both hosts have it.
-
- Provided that both two servers know key renewal timing information,
- there is possibility for them to begin partial revocation and sending
- Renewal requests to each other at the same time. Such collisions will
- not happen so often because Renewal requests are usually invoked when
-
-
-
-Kamite, et. al. [Page 16]
-
-INTERNET-DRAFT Feb. 2004
-
-
- hosts want to send queries, but it is possible.
-
- When one of two servers tries to send Renewal requests, it MUST
- protect old secrets that it has partially revoked and prevent it from
- being refreshed by any requests from the other server (i.e., it must
- lock the old secret during the process of renewal). While the server
- is sending Renewal requests and waiting responses, it ignores the
- other server's Renewal requests.
-
- Therefore, servers might fail to change secrets by means of their own
- requests to others. After failure they will try to resend, but they
- should wait for random delays by the next retries. If they get any
- Renewal requests from others while they are waiting, their shared
- keys may be refreshed, then they do not need to send any Renewal
- requests now for themselves.
-
-
-6. Key Name Considerations
-
- Since both servers and clients have only to distinguish new secrets
- and old ones, keys' names do not need to be specified strictly.
- However, it is recommended that some serial number or key generation
- time be added to the name and that the names of keys between the same
- pair of hosts should have some common labels among their keys. For
- example, suppose A.example.com. and B.example.com. share the key
- "<serial number>.A.example.com.B.example.com." such as
- "10010.A.example.com.B.example.com.". After key renewal, they change
- their secret and name into "10011.A.example.com.B.example.com."
-
- Servers and clients must be able to use keys properly for each query.
- Because TSIG secret keys themselves do not have any particular IDs to
- be distinguished and would be identified by their names and
- algorithm, it must be understood correctly what keys are refreshed.
-
-
-7. Example Usage of Secret Key Renewal Mode
-
- This is an example of Renewal mode usage where a Server,
- server.example.com, and a Client, client.exmple.com have an initial
- shared secret key named "00.client.example.com.server.example.com".
-
- (1) The time values for key
- "00.client.example.com.server.example.com" was set as follows:
- Inception Time is at 1:00, Expiry Limit is at 21:00.
-
- (2) At Server, renewal time has been set: Partial Revocation Time
- is at 20:00.
-
-
-
-
-Kamite, et. al. [Page 17]
-
-INTERNET-DRAFT Feb. 2004
-
-
- (3) Suppose the present time is 19:55. If Client sends a query
- signed with key "00.client.example.com.server.example.com" to ask
- the IP address of "www.example.com", finally it will get a proper
- answer from Server with valid TSIG (NOERROR).
-
- (4) At 20:05. Client sends a query to ask the IP address of
- "www2.example.com". It is signed with key
- "00.client.example.com.server.example.com". Server returns an
- answer for the IP address. However, server has begun retuning
- PartialRevoke Error randomely. This answer includes valid TSIG MAC
- signed with "00.client.example.com.server.example.com", and its
- Error Code indicates PartialRevoke. Client understands that the
- current key is partially revoked.
-
- (5) At 20:06. Client sends a Renewal request to Server. This
- request is signed with key
- "00.client.example.com.server.example.com". It includes data such
- as:
-
- Question Section:
- QNAME = 01.client.example.com. (Client can set this freely)
- TYPE = TKEY
-
- Additional Section:
- 01.client.example.com. TKEY
- Algorithm = hmac-md5-sig-alg.reg.int.
- Inception = (value meaning 20:00)
- Expiration = (value meaning next day's 16:00)
- Mode = (DH exchange for key renewal)
- OldName = 00.client.example.com.server.example.com.
- OldAlgorithm = hmac-md5-sig-alg.reg.int.
-
- Additional Section also contains a KEY RR for DH and a TSIG RR.
-
- (6) As soon as Server receives this request, it verifies TSIG. It
- is signed with the partially revoked key
- "00.client.example.com.server.example.com". and Server accepts the
- request. It creates a new key by Diffie-Hellman calculation and
- returns an answer which includes data such as:
-
- Answer Section:
- 01.client.example.com.server.example.com. TKEY
- Algorithm = hmac-md5-sig-alg.reg.int.
- Inception = (value meaning 20:00)
- Expiration = (value meaning next day's 16:00)
- Mode = (DH exchange for key renewal)
- OldName = 00.client.example.com.server.example.com.
- OldAlgorithm = hmac-md5-sig-alg.reg.int.
-
-
-
-Kamite, et. al. [Page 18]
-
-INTERNET-DRAFT Feb. 2004
-
-
- Answer Section also contains KEY RRs for DH.
-
- Additional Section also contains a TSIG RR.
- This response is signed with key
- "00.client.example.com.server.example.com" without error.
-
- At the same time, Server decides to set the Partial Revocation Time
- of this new key "01.client.example.com.server.example.com." as next
- day's 15:00.
-
- (7) Client gets the response and checks TSIG MAC, and calculates
- Diffie-Hellman. It will get a new key, and it has been named
- "01.client.example.com.server.example.com" by Server.
-
- (8) At 20:07. Client sends an Adoption request to Server. This
- request is signed with the previous key
- "00.client.example.com.server.example.com". It includes:
-
- Question Section:
- QNAME = 01.client.example.com.server.example.com.
- TYPE = TKEY
-
- Additional Section:
- 01.client.example.com.server.example.com. TKEY
- Algorithm = hmac-md5-sig-alg.reg.int.
- Inception = (value meaning 20:00)
- Expiration = (value meaning next day's 16:00)
- Mode = (key adoption)
- OldName = 00.client.example.com.server.example.com.
- OldAlgorithm = hmac-md5-sig-alg.reg.int.
-
- Additional Section also contains a TSIG RR.
-
- (9) Server verifies the query's TSIG. It is signed with the
- previous key and authenticated. It returns a response whose TKEY RR
- is the same as the request's one. The response is signed with key
- "00.client.example.com.server.example.com.". As soon as the
- response is sent, Server revokes and removes the previous key. At
- the same time, key "01.client.example.com.server.example.com." is
- validated.
-
- (10) Client acknowledges the success of Adoption by receiving the
- response. Then, it retries to send an original question about
- "www2.example.com". It is signed with the adopted key
- "01.client.example.com.server.example.com", so Server authenticates
- it and returns an answer.
-
-
-
-
-
-Kamite, et. al. [Page 19]
-
-INTERNET-DRAFT Feb. 2004
-
-
- (11) This key is used until next day's 15:00. After that, it will
- be partially revoked again.
-
-
-8. Security Considerations
-
- This document considers about how to refresh shared secret. Secret
- changed by this method is used at servers in support of TSIG
- [RFC2845].
-
- [RFC2104] says that current attacks to HMAC do not indicate a
- specific recommended frequency for key changes but periodic key
- refreshment is a fundamental security practice that helps against
- potential weaknesses of the function and keys, and limits the damage
- of an exposed key. TKEY Secret Key Renewal provides the method of
- periodical key refreshment.
-
- In TKEY Secret Key Renewal, clients need to send two requests
- (Renewal and Adoption) and spend time to finish their key renewal
- processes. Thus the usage period of secrets should be considered
- carefully based on both TKEY processing performance and security.
-
- This document specifies the procedure of periodical key renewal, but
- actually there is possibility for servers to have no choice other
- than revoking their secret keys immediately especially when the keys
- are found to be compromised by attackers. This is called "Emergency
- Compulsory Revocation". For example, suppose the original Expiry
- Limit was set at 21:00, Partial Revocation Time at 20:00 and
- Inception Time at 1:00. if at 11:00 the key is found to be
- compromised, the server sets Expiry Limit forcibly to be 11:00 or
- before it.
-
- Consequently, once Compulsory Revocation (See section 4.) is carried
- out, normal renewal process described in this document cannot be done
- any more as far as the key is concerned. However, after such
- accidents happened, the two hosts are able to establish secret keys
- and begin renewal procedure only if they have other (non-compromised)
- shared TSIG keys or safe SIG(0) keys for the authentication of
- initial secret establishment such as Diffie-Hellman Exchanged Keying.
-
-
-9. IANA Considerations
-
- IANA needs to allocate a value for "DH exchange for key renewal",
- "server assignment for key renewal", "resolver assignment for key
- renewal" and "key adoption" in the mode filed of TKEY. It also needs
- to allocate a value for "PartialRevoke" from the extended RCODE
- space.
-
-
-
-Kamite, et. al. [Page 20]
-
-INTERNET-DRAFT Feb. 2004
-
-
-10. Acknowledgement
-
- The authors would like to thank Olafur Gudmundsson, whose helpful
- input and comments contributed greatly to this document.
-
-
-11. References
-
-[RFC2104]
- H. Krawczyk, M.Bellare, R. Canetti, "Keyed-Hashing for Message
- Authentication", RFC2104, February 1997.
-
-[RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", RFC 2119, March 1997.
-
-[RFC2539]
- D. Eastlake 3rd, "Storage of Diffie-Hellman Keys in the Domain Name
- System (DNS)", RFC 2539, March 1999.
-
-[RFC2845]
- Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845,
- May 2000.
-
-[RFC2930]
- D. Eastlake 3rd, ``Secret Key Establishment for DNS (TKEY RR)'',
- RFC 2930, September 2000.
-
-[RFC2931]
- D. Eastlake 3rd, "DNS Request and Transaction Signatures (SIG(0)s
- )", RFC 2931, September 2000.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kamite, et. al. [Page 21]
-
-INTERNET-DRAFT Feb. 2004
-
-
-Authors' Addresses
-
- Yuji Kamite
- NTT Communications Corporation
- Tokyo Opera City Tower
- 3-20-2 Nishi Shinjuku, Shinjuku-ku, Tokyo
- 163-1421, Japan
- EMail: y.kamite@ntt.com
-
-
- Masaya Nakayama
- Information Technology Center, The University of Tokyo
- 2-11-16 Yayoi, Bunkyo-ku, Tokyo
- 113-8658, Japan
- EMail: nakayama@nc.u-tokyo.ac.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kamite, et. al. [Page 22]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-05.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-05.txt
deleted file mode 100644
index 9c73c68befdc..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-05.txt
+++ /dev/null
@@ -1,1292 +0,0 @@
-
-
-
-
-
-DNS Extensions Yuji Kamite
-Internet-Draft NTT Communications
-Expires: April 15, 2005 Masaya Nakayama
- The University of Tokyo
- October 14, 2004
-
-
-
- TKEY Secret Key Renewal Mode
- draft-ietf-dnsext-tkey-renewal-mode-05
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on April 15, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004).
-
-Abstract
-
- This document defines a new mode in TKEY and proposes an atomic
- method for changing secret keys used for TSIG periodically.
- Originally, TKEY provides methods of setting up shared secrets other
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 1]
-
-INTERNET-DRAFT October 2004
-
-
- than manual exchange, but it cannot control timing of key renewal
- very well though it can add or delete shared keys separately. This
- proposal is a systematical key renewal procedure intended for
- preventing signing DNS messages with old and non-safe keys
- permanently.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 Defined Words . . . . . . . . . . . . . . . . . . . . . . 3
- 1.2 New Format and Assigned Numbers . . . . . . . . . . . . . 4
- 1.3 Overview of Secret Key Renewal Mode . . . . . . . . . . . 4
- 2. Shared Secret Key Renewal . . . . . . . . . . . . . . . . . . 5
- 2.1 Key Usage Time Check . . . . . . . . . . . . . . . . . . . 5
- 2.2 Partial Revocation . . . . . . . . . . . . . . . . . . . . 6
- 2.3 Key Renewal Message Exchange . . . . . . . . . . . . . . . 7
- 2.3.1 Query for Key Renewal . . . . . . . . . . . . . . . . 7
- 2.3.2 Response for Key Renewal . . . . . . . . . . . . . . . 7
- 2.3.3 Attributes of Generated Key . . . . . . . . . . . . . 8
- 2.3.4 TKEY RR structure . . . . . . . . . . . . . . . . . . 8
- 2.4 Key Adoption . . . . . . . . . . . . . . . . . . . . . . . 10
- 2.4.1 Query for Key Adoption . . . . . . . . . . . . . . . . 10
- 2.4.2 Response for Key Adoption . . . . . . . . . . . . . . 10
- 2.5 Keying Schemes . . . . . . . . . . . . . . . . . . . . . . 11
- 2.5.1 DH Exchange for Key Renewal . . . . . . . . . . . . . 11
- 2.5.2 Server Assigned Keying for Key Renewal . . . . . . . . 12
- 2.5.3 Resolver Assigned Keying for Key Renewal . . . . . . . 13
- 2.6 Considerations about Non-compliant Hosts . . . . . . . . . 14
- 3. Secret Storage . . . . . . . . . . . . . . . . . . . . . . . . 15
- 4. Compulsory Key Revocation . . . . . . . . . . . . . . . . . . 15
- 4.1 Compulsory Key Revocation by Server . . . . . . . . . . . 15
- 4.2 Authentication Methods Considerations . . . . . . . . . . 15
- 5. Special Considerations for Two Servers' Case . . . . . . . . 16
- 5.1 To Cope with Collisions of Renewal Requests . . . . . . . 16
- 6. Key Name Considerations . . . . . . . . . . . . . . . . . . . 17
- 7. Example Usage of Secret Key Renewal Mode . . . . . . . . . . 17
- 8. Security Considerations . . . . . . . . . . . . . . . . . . . 20
- 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
- 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 21
- 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
- 11.1 Normative References . . . . . . . . . . . . . . . . . . . 21
- 11.2 Informative References . . . . . . . . . . . . . . . . . . 21
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 22
- Intellectual Property and Copyright Statements . . . . . . . . 23
-
-
-
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 2]
-
-INTERNET-DRAFT October 2004
-
-
-1. Introduction
-
- TSIG [RFC2845] provides DNS message integrity and the
- request/transaction authentication by means of message authentication
- codes (MAC). TSIG is a practical solution in view of calculation
- speed and availability. However, TSIG does not have exchanging
- mechanism of shared secret keys between server and resolver, and
- administrators might have to exchange secret keys manually. TKEY
- [RFC2930] is introduced to solve such problem and it can exchange
- secrets for TSIG via networks.
-
- In various modes of TKEY, a server and a resolver can add or delete a
- secret key be means of TKEY message exchange. However, the existing
- TKEY does not care fully about the management of keys which became
- too old, or dangerous after long time usage.
-
- It is ideal that the number of secret which a pair of hosts share
- should be limited only one, because having too many keys for the same
- purpose might not only be a burden to resolvers for managing and
- distinguishing according to servers to query, but also does not seem
- to be safe in terms of storage and protection against attackers.
- Moreover, perhaps holding old keys long time might give attackers
- chances to compromise by scrupulous calculation.
-
- Therefore, when a new shared secret is established by TKEY, the
- previous old secret should be revoked immediately. To accomplish
- this, DNS servers must support a protocol for key renewal. This
- document specifies procedure to refresh secret keys between two hosts
- which is defined within the framework of TKEY, and it is called "TKEY
- Secret Key Renewal Mode".
-
- The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" and
- "OPTIONAL" in this document are to be interpreted as described in
- [RFC2119].
-
-
-1.1. Defined Words
-
- * Inception Time: Beginning of the shared secret key lifetime. This
- value is determined when the key is generated.
-
- * Expiry Limit: Time limit of the key's validity. This value is
- determined when a new key is generated. After Expiry Limit, server
- and client (resolver) must not authenticate TSIG signed with the key.
- Therefore, Renewal to the next key should be carried out before
- Expiry Limit.
-
- * Partial Revocation Time: Time when server judges the key is too old
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 3]
-
-INTERNET-DRAFT October 2004
-
-
- and must be updated. It must be between Inception Time and Expiry
- Limit. This value is determined by server freely following its
- security policy. e.g., If the time from Inception to Partial
- Revocation is short, renewal will be carried out more often, which
- might be safer.
-
- * Revocation Time: Time when the key becomes invalid and can be
- removed. This value is not determined in advance because it is the
- actual time when revocation is completed.
-
- * Adoption Time: Time when the new key is adopted as the next key
- formally. After Adoption, the key is valid and server and client can
- generate or verify TSIG making use of it. Adoption Time also means
- the time when it becomes possible to remove the previous key, so
- Revocation and Adoption are usually done at the same time.
-
-
- Partial
- Inception Revocation Revocation Expiry Limit
- | | | |
- |----------------|- - - - - - >>|- (revoked) -|
- | | | |
- previous key | | |
- |- - - -|-------------------->> time
- | | new key
- Inception Adoption
-
-
-1.2. New Format and Assigned Numbers
-
- TSIG
- ERROR = (PartialRevoke), TBD
-
- TKEY
- Mode = (server assignment for key renewal), TBD
- Mode = (Diffie-Hellman exchange for key renewal), TBD
- Mode = (resolver assignment for key renewal), TBD
- Mode = (key adoption), TBD
-
-
-1.3. Overview of Secret Key Renewal Mode
-
- When a server receives a query from a client signed with a TSIG key,
- It always checks if the present time is within the range of usage
- duration it considers safe. If it is judged that the key is too old,
- i.e., after Partial Revocation Time, the server comes to be in
- Partial Revocation state about the key, and this key is called
- partially revoked.
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 4]
-
-INTERNET-DRAFT October 2004
-
-
- In this state, if a client sends a normal query (e.g., question about
- A RR) other than TKEY Renewal request with TSIG signed with the old
- key, the server returns an error message to notify that the time to
- renew has come. This is called "PartialRevoke" error message. It is
- server's choice whether it returns PartialRevoke or not. If and only
- if the server is ready for changing its own key, it decides to return
- PartialRevoke.
-
- The client which got this error is able to notice that it is
- necessary to refresh the secret. To make a new shared secret, it
- sends a TKEY Renewal request, in which several keying methods are
- available. It can make use of TSIG authentication signed with the
- partially revoked key mentioned above.
-
- After new secret establishment, the client sends a TKEY Adoption
- request for renewal confirmation. This can also be authenticated with
- the partially revoked key. If this is admitted by the server, the new
- key is formally adopted, and at the same time the corresponding old
- secret is invalidated. Then the client can send the first query again
- signed with the new key.
-
- Key renewal procedure is executed based on two-phase commit
- mechanism. The first phase is the TKEY Renewal request and its
- response, which means preparatory confirmation for key update. The
- second phase is Adoption request and its response. If the server gets
- request and client receives the response successfully, they can
- finish renewal process. If any error happens and renewal process
- fails during these phases, client should roll back to the beginning
- of the first phase, and send TKEY Renewal request again. This
- rollback can be done until the Expiry Limit of the key.
-
-
-2. Shared Secret Key Renewal
-
- Suppose a server and a client agree to change their TSIG keys
- periodically. Key renewal procedure is defined between two hosts.
-
-2.1. Key Usage Time Check
-
- Whenever a server receives a query with TSIG and can find a key that
- is used for signing it, the server checks its Inception Time, Partial
- Revocation Time and Expiry Limit (this information is usually
- memorized by the server).
-
- When the present time is before Inception Time, the server MUST NOT
- verify TSIG with the key, and server acts the same way as when the
- key used by the client is not recognized. It follows [RFC2845] 4.5.1.
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 5]
-
-INTERNET-DRAFT October 2004
-
-
- When the present time is equal to Inception Time, or between
- Inception Time and Partial Revocation Time, the behavior of the
- server is the same as when a valid key is found. It follows [RFC2845]
- 4.5.2 and 4.5.3.
-
- When the present time is the same as the Partial Revocation Time, or
- between the Partial Revocation Time and Expiry Limit, the server
- comes to be in Partial Revocation state about the TSIG key and
- behaves according to the next section.
-
- When the present time is the same as the Expiry Time or after it, the
- server MUST NOT verify TSIG with the key, and returns error messages
- in the same way as when the key used by the client is not recognized.
- It follows [RFC2845] 4.5.1.
-
-
-2.2. Partial Revocation
-
- In Partial Revocation state, we say the server has partially revoked
- the key and the key has become a "partially revoked key".
-
- If server has received a query signed with the partially revoked key
- for TKEY Renewal request (See section 2.3.) or Key Adoption request
- (See section 2.4.), then server does proper process following each
- specification. If it is for TKEY key deletion request ([RFC2930]
- 4.2), server MAY process usual deletion operation defined therein.
-
- If server receives other types of query signed with the partially
- revoked key, and both the corresponding MAC and signed TIME are
- verified, then server begins returning answer whose TSIG error code
- is "PartialRevoke" (See section 9.). Server MUST randomly but with
- increasing frequency return PartialRevoke when in the Partial
- Revocation state.
-
- Server can decide when it actually sends PartialRevoke, checking if
- it is appropriate time for renewal. Server MUST NOT return
- PartialRevoke if this is apart long lived TSIG transaction (such as
- AXFR) that started before the Partial Revocation Time.
-
- If the client receives PartialRevoke and understands it, then it MUST
- retry the query with the old key unless a new key has been adopted.
- Client SHOULD start the process to renew the TSIG key. For key
- renewal procedure, see details in Section 2.3 and 2.4.
-
- PartialRevoke period (i.e., time while server returns PartialRevoke
- randomely) SHOULD be small, say 2-5% of key lifetime. This is
- server's choice.
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 6]
-
-INTERNET-DRAFT October 2004
-
-
- Server MUST keep track of clients ignoring PartialRevoke, thus
- indicating ignorance of this TKEY mode.
-
- PartialRevoke error messages have the role to inform clients of the
- keys' partial revocation and urge them to send TKEY Renewal requests.
- These error responses MUST be signed with those partial revoked keys
- if the queries are signed with them. They are sent only when the
- signing keys are found to be partially revoked. If the MAC of TSIG
- cannot be verified with the partially revoked keys, servers MUST NOT
- return PartialRevoke error with MAC, but MUST return another error
- such as "BADSIG" without MAC (following [RFC2845] 4.5.3); in other
- words, a server informs its key's partial revocation only when the
- MAC in the received query is valid.
-
-
-2.3. Key Renewal Message Exchange
-
-2.3.1. Query for Key Renewal
-
- If a client has received a PartialRevoke error and authenticated the
- response based on TSIG MAC, it sends a TKEY query for Key Renewal (in
- this document, we call it Renewal request, too.) to the server. The
- request MUST be signed with TSIG or SIG(0) [RFC2931] for
- authentication. If TSIG is selected, the client can sign it with the
- partial revoked key.
-
- Key Renewal can use one of several keying methods which is indicated
- in "Mode" field of TKEY RR, and its message structure is dependent on
- that method.
-
-
-2.3.2. Response for Key Renewal
-
- The server which has received Key Renewal request first tries to
- verify TSIG or SIG(0) accompanying it. If the TSIG is signed and
- verified with the partially revoked key, the request MUST be
- authenticated.
-
- After authentication, server must check existing old key's validity.
- If the partially revoked key indicated in the request TKEY's OldName
- and OldAlgorithm field (See section 2.3.4.) does not exist at the
- server, "BADKEY" [RFC2845] is given in Error field for response. If
- any other error happens, server returns appropriate error messages
- following the specification described in section 2.5. If there are no
- errors, server returns a Key Renewal answer. This answer MUST be
- signed with TSIG or SIG(0) for authentication.
-
- When this answer is successfully returned and no error is detected by
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 7]
-
-INTERNET-DRAFT October 2004
-
-
- client, a new shared secret can be established. The details of
- concrete keying procedure are given in the section 2.5.
-
- Note:
- Sometimes Adoption message and new Renewal request will cross on
- the wire. In this case the newly generated key Adoption message is
- resent.
-
-
-2.3.3. Attributes of Generated Key
-
- As a result of this message exchange, client comes to know the newly
- generated key's attributes such as key's name, Inception Time and
- Expiry Limit. They are decided by the server and told to the client;
- in particular, however, once the server has decided Expiry Limit and
- returned a response, it should obey the decision as far as it can. In
- other words, they SHOULD NOT change time values for checking Expiry
- Limit in the future without any special reason, such as security
- issue like "Emergency Compulsory Revocation" described in section 8.
-
- On the other hand, Partial Revocation Time of this generated key is
- not decided based on the request, and not informed to the client. The
- server can determine any value as long as it is between Inception
- Time and Expiry Limit. However, the period from Inception to Partial
- Revocation SHOULD be fixed as the server side's configuration or be
- set the same as the corresponding old key's one.
-
- Note:
- Even if client sends Key Renewal request though the key described
- in OldName has not been partially revoked yet, server does renewal
- processes. At the moment when the server accepts such requests
- with valid authentication, it MUST forcibly consider the key is
- already partially revoked, that is, the key's Partial Revocation
- Time must be changed into the present time (i.e., the time when
- the server receives the request).
-
-
-2.3.4. TKEY RR structure
-
- TKEY RR for Key Renewal message has the structure given below. In
- principle, format and definition for each field follows [RFC2930].
- Note that each keying scheme sometimes needs different interpretation
- of RDATA field; for detail, see section 2.5.
-
- Field Type Comment
- ------- ------ -------
- NAME domain used for a new key, see below
- TYPE u_int16_t (defined in [RFC2930])
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 8]
-
-INTERNET-DRAFT October 2004
-
-
- CLASS u_int16_t (defined in [RFC2930])
- TTL u_int32_t (defined in [RFC2930])
- RDLEN u_int16_t (defined in [RFC2930])
- RDATA:
- Algorithm: domain algorithm for a new key
- Inception: u_int32_t about the keying material
- Expiration: u_int32_t about the keying material
- Mode: u_int16_t scheme for key agreement
- see section 9.
- Error: u_int16_t see description below
- Key Size: u_int16_t see description below
- Key Data: octet-stream
- Other Size: u_int16_t (defined in [RFC2930])
- size of other data
- Other Data: newly defined: see description below
-
-
- For "NAME" field, both non-root and root name are allowed. It may
- be used for a new key's name in the same manner as [RFC2930] 2.1.
-
- "Algorithm" specifies which algorithm is used for agreed keying
- material, which is used for identification of the next key.
-
- "Inception" and "Expiration" are used for the valid period of
- keying material. The meanings differ somewhat according to whether
- the message is request or answer, and its keying scheme.
-
- "Key Data" has different meanings according to keying schemes.
-
- "Mode" field stores the value in accordance with the keying method,
- and see section 2.5. Servers and clients supporting TKEY Renewal
- method MUST implement "Diffie-Hellman exchange for key renewal"
- scheme. All other modes are OPTIONAL.
-
- "Error" is an extended RCODE which includes "PartialRevoke" value
- too. See section 9.
-
- "Other Data" field has the structure given below. They describe
- attributes of the key to be renewed.
-
- in Other Data filed:
-
- Field Type Comment
- ------- ------ -------
- OldNAME domain name of the old key
- OldAlgorithm domain algorithm of the old key
-
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 9]
-
-INTERNET-DRAFT October 2004
-
-
- "OldName" indicates the name of the previous key (usually,
- this is partially revoked key's name that client noticed by
- PartialRevoke answer from server), and "OldAlogirthm"
- indicates its algorithm.
-
-
-2.4. Key Adoption
-
-2.4.1. Query for Key Adoption
-
- After receiving a TKEY Renewal answer, the client gets the same
- secret as the server. Then, it sends a TKEY Adoption request. The
- request's question section's QNAME field is the same as the NAME
- filed of TKEY written below. In additional section, there is one TKEY
- RR that has the structure and values described below.
-
- "NAME" field is the new key's name to be adopted which was already
- generated by Renewal message exchange. "Algorithm" is its
- algorithm. "Inception" means the key's Inception Time, and
- "Expiration" means Expiry Limit.
-
- "Mode" field is the value of "key adoption". See section 9.
-
- "Other Data" field in Adoption has the same structure as that of
- Renewal request message. "OldName" means the previous old key, and
- "OldAlogirthm" means its algorithm.
-
- Key Adoption request MUST be signed with TSIG or SIG(0) for
- authentication. The client can sign TSIG with the previous key. Note
- that until Adoption is finished, the new key is treated as invalid,
- thus it cannot be used for authentication immediately.
-
-
-2.4.2. Response for Key Adoption
-
- The server which has received Adoption request, it verifies TSIG or
- SIG(0) accompanying it. If the TSIG is signed with the partially
- revoked key and can be verified, the message MUST be authenticated.
-
- If the next new key indicated by the request TKEY's "NAME" is not
- present at the server, BADNAME [RFC2845] is given in Error field and
- the error message is returned.
-
- If the next key exists but it has not been adopted formally yet, the
- server confirms the previous key's existence indicated by the
- "OldName" and "OldAlgorithm" field. If it succeeds, the server
- executes Adoption of the next key and Revocation of the previous key.
- Response message duplicates the request's TKEY RR with NOERROR,
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 10]
-
-INTERNET-DRAFT October 2004
-
-
- including "OldName" and "OldAlgorithm" that indicate the revoked key.
-
- If the next key exists but it is already adopted, the server returns
- a response message regardless of the substance of the request TKEY's
- "OldName". In this response, Response TKEY RR has the same data as
- the request's one except as to its "Other Data" that is changed into
- null (i.e., "Other Size" is zero), which is intended for telling the
- client that the previous key name was ignored, and the new key is
- already available.
-
- Client sometimes has to retry Adoption request. Suppose the client
- sent request signed with the partially revoked key, but its response
- did not return successfully (e.g., due to the drop of UDP packet).
- Client will probably retry Adoption request; however, the request
- will be refused in the form of TSIG "BADKEY" error because the
- previous key was already revoked. In this case, client will
- retransmit Adoption request signed with the next key, and expect a
- response which has null "Other Data" for confirming the completion of
- renewal.
-
-
-2.5. Keying Schemes
-
- In Renewal message exchanges, there are no limitations as to which
- keying method is actually used. The specification of keying
- algorithms is independent of the general procedure of Renewal that is
- described in section 2.3.
-
- Now this document specifies three algorithms in this section, but
- other future documents can make extensions defining other methods.
-
-
-2.5.1. DH Exchange for Key Renewal
-
- This scheme is defined as an extended method of [RFC2930] 4.1. This
- specification only describes the difference from it and special
- notice; assume that all other points, such as keying material
- computation, are the exactly same as the specification of [RFC2930]
- 4.1.
-
- Query
- In Renewal request for type TKEY with this mode, there is one TKEY
- RR and one KEY RR in the additional information section. KEY RR is
- the client's Diffie-Hellman public key [RFC2539].
-
- QNAME in question section is the same as that of "NAME" field in
- TKEY RR, i.e., it means the requested new key's name.
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 11]
-
-INTERNET-DRAFT October 2004
-
-
- TKEY "Mode" field stores the value of "DH exchange for key
- renewal". See section 9.
-
- TKEY "Inception" and "Expiration" are those requested for the
- keying material, that is, requested usage period of a new key.
-
- TKEY "Key Data" is used as a random, following [RFC2930] 4.1.
-
- Response
- The server which received this request first verifies the TSIG,
- SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
- old key's existence validity is checked, following section 2.3. If
- any incompatible DH key is found in the request, "BADKEY"
- [RFC2845] is given in Error field for response. "FORMERR" is given
- if the query included no DH KEY.
-
- If there are no errors, the server processes a response according
- to Diffie-Hellman algorithm and returns the answer. In this
- answer, there is one TKEY RR in answer section and KEY RR(s) in
- additional section.
-
- As long as no error has occurred, all values of TKEY are equal to
- that of the request message except TKEY NAME, TKEY RDLEN, RDATA's
- Inception, Expiration, Key Size and Key Data.
-
- TKEY "NAME" field in the answer specifies the name of newly
- produced key which the client MUST use.
-
- TKEY "Inception" and "Expiration" mean the periods of the produced
- key usage. "Inception" is set to be the time when the new key is
- actually generated or the time before it, and it will be regarded
- as Inception Time. "Expiration" is determined by the server, and
- it will be regarded as Expiry Limit.
-
- TKEY "Key Data" is used as an additional nonce, following
- [RFC2930] 4.1.
-
- The resolver supplied Diffie-Hellman KEY RR SHOULD be echoed in
- the additional section and a server Diffie-Hellman KEY RR will
- also be present in the answer section, following [RFC2930] 4.1.
-
-
-2.5.2. Server Assigned Keying for Key Renewal
-
- This scheme is defined as an extended method of [RFC2930] 4.4. This
- specification only describes the difference from it and special
- notice; assume that all other points, such as secret encrypting
- method, are the exactly same as the specification of [RFC2930] 4.4.
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 12]
-
-INTERNET-DRAFT October 2004
-
-
- Query
- In Renewal request for type TKEY with this mode, there is one TKEY
- RR and one KEY RR in the additional information section. KEY RR is
- used in encrypting the response.
-
- QNAME in question section is the same as that of "NAME" field in
- TKEY RR, i.e., it means the requested new key's name.
-
- TKEY "Mode" field stores the value of "server assignment for key
- renewal". See section 9.
-
- TKEY "Inception" and "Expiration" are those requested for the
- keying material, that is, requested usage period of a new key.
-
- TKEY "Key Data" is provided following the specification of
- [RFC2930] 4.4.
-
- Response
- The server which received this request first verifies the TSIG,
- SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
- old key's existence validity is checked, following section 2.3.
- "FORMERR" is given if the query specified no encryption key.
-
- If there are no errors, the server response contains one TKEY RR
- in the answer section, and echoes the KEY RR provided in the query
- in the additional information section.
-
- TKEY "NAME" field in the answer specifies the name of newly
- produced key which the client MUST use.
-
- TKEY "Inception" and "Expiration" mean the periods of the produced
- key usage. "Inception" is set to be the time when the new key is
- actually generated or the time before it, and it will be regarded
- as Inception Time. "Expiration" is determined by the server, and
- it will be regarded as Expiry Limit.
-
- TKEY "Key Data" is the assigned keying data encrypted under the
- public key in the resolver provided KEY RR, which is the same as
- [RFC2930] 4.4.
-
-
-2.5.3. Resolver Assigned Keying for Key Renewal
-
- This scheme is defined as an extended method of [RFC2930] 4.5. This
- specification only describes the difference from it and special
- notice; assume that all other points, such as secret encrypting
- method, are the exactly same as the specification of [RFC2930] 4.5.
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 13]
-
-INTERNET-DRAFT October 2004
-
-
- Query
- In Renewal request for type TKEY with this mode, there is one TKEY
- RR and one KEY RR in the additional information section. TKEY RR
- has the encrypted keying material and KEY RR is the server public
- key used to encrypt the data.
-
- QNAME in question section is the same as that of "NAME" field in
- TKEY RR, i.e., it means the requested new key's name.
-
- TKEY "Mode" field stores the value of "resolver assignment for key
- renewal". See section 9.
-
- TKEY "Inception" and "Expiration" are those requested for the
- keying material, that is, requested usage period of a new key.
-
- TKEY "Key Data" is the encrypted keying material.
-
- Response
- The server which received this request first verifies the TSIG,
- SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
- old key's existence validity is checked, following section 2.3.
- "FORMERR" is given if the server does not have the corresponding
- private key for the KEY RR that was shown sin the request.
-
- If there are no errors, the server returns a response. The
- response contains a TKEY RR in the answer section to tell the
- shared key's name and its usage time values.
-
- TKEY "NAME" field in the answer specifies the name of newly
- produced key which the client MUST use.
-
- TKEY "Inception" and "Expiration" mean the periods of the produced
- key usage. "Inception" is set to be the time when the new key is
- actually generated or the time before it, and it will be regarded
- as Inception Time. "Expiration" is determined by the server, and
- it will be regarded as Expiry Limit.
-
-
-2.6. Considerations about Non-compliant Hosts
-
- Key Renewal requests and responses must be exchanged between hosts
- which can understand them and do proper processes. PartialRevoke
- error messages will be only ignored if they should be returned to
- non-compliant hosts.
-
- Note that server does not inform actively the necessity of renewal to
- clients, but inform it as responses invoked by client's query.
- Server needs not care whether the PartialRevoke errors has reached
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 14]
-
-INTERNET-DRAFT October 2004
-
-
- client or not. If client has not received yet because of any reasons
- such as packet drops, it will resend the queries, and finally will be
- able to get PartialRevoke information.
-
-
-3. Secret Storage
-
- Every server keeps all secrets and attached information, e.g.,
- Inception Time, Expiry Limit, etc. safely to be able to recover from
- unexpected stop. To accomplish this, formally adopted keys SHOULD be
- memorized not only on memory, but also be stored in the form of some
- files. It will become more secure if they are stored in ecrypted
- form.
-
-
-4. Compulsory Key Revocation
-
-4.1. Compulsory Key Revocation by Server
-
- There is a rare but possible case that although servers have already
- partially revoked keys, clients do not try to send any Renewal
- requests. If this state continues, in the future it will become the
- time of Expiry Limit. After Expiry Limit, the keys will be expired
- and completely removed, so this is called Compulsory Key Revocation
- by server.
-
- If Expiry Limit is too distant from the Partial Revocation Time, then
- even though very long time passes, clients will be able to refresh
- secrets only if they add TSIG signed with those old partially revoked
- keys into requests, which is not safe.
-
- On the other hand, if Expiry Limit is too close to Partial Revocation
- Time, perhaps clients might not be able to notice their keys' Partial
- Revocation by getting "PartialRevoke" errors.
-
- Therefore, servers should set proper Expiry Limit to their keys,
- considering both their keys' safety, and enough time for clients to
- send requests and process renewal.
-
-
-4.2. Authentication Methods Considerations
-
- It might be ideal to provide both SIG(0) and TSIG as authentication
- methods. For example:
-
- A client and a server start SIG(0) authentication at first, to
- establish TSIG shared keys by means of "Query for Diffie-Hellman
- Exchanged Keying" as described in [RFC2930] 4.1. Once they get
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 15]
-
-INTERNET-DRAFT October 2004
-
-
- shared secret, they keep using TSIG for queries and responses.
- After a while the server returns a "ParitalRevoke" error and they
- begin a key renewal process. Both TSIG signed with partially
- revoked keys and SIG(0) are okay for authentication, but TSIG would
- be easier to use considering calculation efficiency.
-
- Suppose now client is halted for long time with some reason.
- Because server does not execute any renewal process, it will
- finally do Compulsory Revocation. Even if client restarts and sends
- a key Renewal request, it will fail because old key is already
- deleted at server.
-
- At this moment, however, if client also uses SIG(0) as another
- authentication method, it can make a new shared key again and
- recover successfully by sending "Query for Diffie-Hellman Exchanged
- Keying" with SIG(0).
-
-
-5. Special Considerations for Two servers' Case
-
- This section refers to the case where both hosts are DNS servers
- which can act as full resolvers as well and using one shared key
- only. If one server (called Server A) wants to refresh a shared key
- (called "Key A-B"), it will await a TKEY Renewal request from the
- other server (called Server B). However, perhaps Server A wants to
- refresh the key right now.
-
- In this case, Server A is allowed to send a Renewal request to Server
- B, if Server A knows the Key A-B is too old and wants to renew it
- immediately.
-
- Note that the initiative in key renewal belongs to Server A because
- it can notice the Partial Revocation Time and decide key renewal. If
- Server B has information about Partial Revocation Time as well, it
- can also decide for itself to send Renewal request to Server A.
- However, it is not essential for both two servers have information
- about key renewal timing.
-
-5.1. To Cope with Collisions of Renewal Requests
-
- At least one of two hosts which use Key Renewal must know their key
- renewal information such as Partial Revocation Time. It is okay that
- both hosts have it.
-
- Provided that both two servers know key renewal timing information,
- there is possibility for them to begin partial revocation and sending
- Renewal requests to each other at the same time. Such collisions will
- not happen so often because Renewal requests are usually invoked when
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 16]
-
-INTERNET-DRAFT October 2004
-
-
- hosts want to send queries, but it is possible.
-
- When one of two servers tries to send Renewal requests, it MUST
- protect old secrets that it has partially revoked and prevent it from
- being refreshed by any requests from the other server (i.e., it must
- lock the old secret during the process of renewal). While the server
- is sending Renewal requests and waiting responses, it ignores the
- other server's Renewal requests.
-
- Therefore, servers might fail to change secrets by means of their own
- requests to others. After failure they will try to resend, but they
- should wait for random delays by the next retries. If they get any
- Renewal requests from others while they are waiting, their shared
- keys may be refreshed, then they do not need to send any Renewal
- requests now for themselves.
-
-
-6. Key Name Considerations
-
- Since both servers and clients have only to distinguish new secrets
- and old ones, keys' names do not need to be specified strictly.
- However, it is recommended that some serial number or key generation
- time be added to the name and that the names of keys between the same
- pair of hosts should have some common labels among their keys. For
- example, suppose A.example.com. and B.example.com. share the key
- "<serial number>.A.example.com.B.example.com." such as
- "10010.A.example.com.B.example.com.". After key renewal, they change
- their secret and name into "10011.A.example.com.B.example.com."
-
- Servers and clients must be able to use keys properly for each query.
- Because TSIG secret keys themselves do not have any particular IDs to
- be distinguished and would be identified by their names and
- algorithm, it must be understood correctly what keys are refreshed.
-
-
-7. Example Usage of Secret Key Renewal Mode
-
- This is an example of Renewal mode usage where a Server,
- server.example.com, and a Client, client.exmple.com have an initial
- shared secret key named "00.client.example.com.server.example.com".
-
- (1) The time values for key
- "00.client.example.com.server.example.com" was set as follows:
- Inception Time is at 1:00, Expiry Limit is at 21:00.
-
- (2) At Server, renewal time has been set: Partial Revocation Time
- is at 20:00.
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 17]
-
-INTERNET-DRAFT October 2004
-
-
- (3) Suppose the present time is 19:55. If Client sends a query
- signed with key "00.client.example.com.server.example.com" to ask
- the IP address of "www.example.com", finally it will get a proper
- answer from Server with valid TSIG (NOERROR).
-
- (4) At 20:05. Client sends a query to ask the IP address of
- "www2.example.com". It is signed with key
- "00.client.example.com.server.example.com". Server returns an
- answer for the IP address. However, server has begun retuning
- PartialRevoke Error randomely. This answer includes valid TSIG MAC
- signed with "00.client.example.com.server.example.com", and its
- Error Code indicates PartialRevoke. Client understands that the
- current key is partially revoked.
-
- (5) At 20:06. Client sends a Renewal request to Server. This
- request is signed with key
- "00.client.example.com.server.example.com". It includes data such
- as:
-
- Question Section:
- QNAME = 01.client.example.com. (Client can set this freely)
- TYPE = TKEY
-
- Additional Section:
- 01.client.example.com. TKEY
- Algorithm = hmac-md5-sig-alg.reg.int.
- Inception = (value meaning 20:00)
- Expiration = (value meaning next day's 16:00)
- Mode = (DH exchange for key renewal)
- OldName = 00.client.example.com.server.example.com.
- OldAlgorithm = hmac-md5-sig-alg.reg.int.
-
- Additional Section also contains a KEY RR for DH and a TSIG RR.
-
- (6) As soon as Server receives this request, it verifies TSIG. It
- is signed with the partially revoked key
- "00.client.example.com.server.example.com". and Server accepts the
- request. It creates a new key by Diffie-Hellman calculation and
- returns an answer which includes data such as:
-
- Answer Section:
- 01.client.example.com.server.example.com. TKEY
- Algorithm = hmac-md5-sig-alg.reg.int.
- Inception = (value meaning 20:00)
- Expiration = (value meaning next day's 16:00)
- Mode = (DH exchange for key renewal)
- OldName = 00.client.example.com.server.example.com.
- OldAlgorithm = hmac-md5-sig-alg.reg.int.
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 18]
-
-INTERNET-DRAFT October 2004
-
-
- Answer Section also contains KEY RRs for DH.
-
- Additional Section also contains a TSIG RR.
- This response is signed with key
- "00.client.example.com.server.example.com" without error.
-
- At the same time, Server decides to set the Partial Revocation Time
- of this new key "01.client.example.com.server.example.com." as next
- day's 15:00.
-
- (7) Client gets the response and checks TSIG MAC, and calculates
- Diffie-Hellman. It will get a new key, and it has been named
- "01.client.example.com.server.example.com" by Server.
-
- (8) At 20:07. Client sends an Adoption request to Server. This
- request is signed with the previous key
- "00.client.example.com.server.example.com". It includes:
-
- Question Section:
- QNAME = 01.client.example.com.server.example.com.
- TYPE = TKEY
-
- Additional Section:
- 01.client.example.com.server.example.com. TKEY
- Algorithm = hmac-md5-sig-alg.reg.int.
- Inception = (value meaning 20:00)
- Expiration = (value meaning next day's 16:00)
- Mode = (key adoption)
- OldName = 00.client.example.com.server.example.com.
- OldAlgorithm = hmac-md5-sig-alg.reg.int.
-
- Additional Section also contains a TSIG RR.
-
- (9) Server verifies the query's TSIG. It is signed with the
- previous key and authenticated. It returns a response whose TKEY RR
- is the same as the request's one. The response is signed with key
- "00.client.example.com.server.example.com.". As soon as the
- response is sent, Server revokes and removes the previous key. At
- the same time, key "01.client.example.com.server.example.com." is
- validated.
-
- (10) Client acknowledges the success of Adoption by receiving the
- response. Then, it retries to send an original question about
- "www2.example.com". It is signed with the adopted key
- "01.client.example.com.server.example.com", so Server authenticates
- it and returns an answer.
-
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 19]
-
-INTERNET-DRAFT October 2004
-
-
- (11) This key is used until next day's 15:00. After that, it will
- be partially revoked again.
-
-
-8. Security Considerations
-
- This document considers about how to refresh shared secret. Secret
- changed by this method is used at servers in support of TSIG
- [RFC2845].
-
- [RFC2104] says that current attacks to HMAC do not indicate a
- specific recommended frequency for key changes but periodic key
- refreshment is a fundamental security practice that helps against
- potential weaknesses of the function and keys, and limits the damage
- of an exposed key. TKEY Secret Key Renewal provides the method of
- periodical key refreshment.
-
- In TKEY Secret Key Renewal, clients need to send two requests
- (Renewal and Adoption) and spend time to finish their key renewal
- processes. Thus the usage period of secrets should be considered
- carefully based on both TKEY processing performance and security.
-
- This document specifies the procedure of periodical key renewal, but
- actually there is possibility for servers to have no choice other
- than revoking their secret keys immediately especially when the keys
- are found to be compromised by attackers. This is called "Emergency
- Compulsory Revocation". For example, suppose the original Expiry
- Limit was set at 21:00, Partial Revocation Time at 20:00 and
- Inception Time at 1:00. if at 11:00 the key is found to be
- compromised, the server sets Expiry Limit forcibly to be 11:00 or
- before it.
-
- Consequently, once Compulsory Revocation (See section 4.) is carried
- out, normal renewal process described in this document cannot be done
- any more as far as the key is concerned. However, after such
- accidents happened, the two hosts are able to establish secret keys
- and begin renewal procedure only if they have other (non-compromised)
- shared TSIG keys or safe SIG(0) keys for the authentication of
- initial secret establishment such as Diffie-Hellman Exchanged Keying.
-
-
-9. IANA Considerations
-
- IANA needs to allocate a value for "DH exchange for key renewal",
- "server assignment for key renewal", "resolver assignment for key
- renewal" and "key adoption" in the mode filed of TKEY. It also needs
- to allocate a value for "PartialRevoke" from the extended RCODE
- space.
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 20]
-
-INTERNET-DRAFT October 2004
-
-
-10. Acknowledgements
-
- The authors would like to thank Olafur Gudmundsson, whose helpful
- input and comments contributed greatly to this document.
-
-
-11. References
-
-11.1. Normative References
-
-[RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", RFC 2119, March 1997.
-
-[RFC2539]
- D. Eastlake 3rd, "Storage of Diffie-Hellman Keys in the Domain Name
- System (DNS)", RFC 2539, March 1999.
-
-[RFC2845]
- Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845,
- May 2000.
-
-[RFC2930]
- D. Eastlake 3rd, ``Secret Key Establishment for DNS (TKEY RR)'',
- RFC 2930, September 2000.
-
-[RFC2931]
- D. Eastlake 3rd, "DNS Request and Transaction Signatures (SIG(0)s
- )", RFC 2931, September 2000.
-
-11.2. Informative References
-
-[RFC2104]
- H. Krawczyk, M.Bellare, R. Canetti, "Keyed-Hashing for Message
- Authentication", RFC2104, February 1997.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 21]
-
-INTERNET-DRAFT October 2004
-
-
-Authors' Addresses
-
- Yuji Kamite
- NTT Communications Corporation
- Tokyo Opera City Tower
- 3-20-2 Nishi Shinjuku, Shinjuku-ku, Tokyo
- 163-1421, Japan
- EMail: y.kamite@ntt.com
-
-
- Masaya Nakayama
- Information Technology Center, The University of Tokyo
- 2-11-16 Yayoi, Bunkyo-ku, Tokyo
- 113-8658, Japan
- EMail: nakayama@nc.u-tokyo.ac.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 22]
-
-INTERNET-DRAFT October 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Kamite, et. al. Expires April 15, 2005 [Page 23]
-
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
deleted file mode 100644
index b5aaad2b8599..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-threshold-00.txt
+++ /dev/null
@@ -1,1501 +0,0 @@
-Network Working Group J. Ihren
-Internet-Draft Autonomica AB
-Expires: April 18, 2005 O. Kolkman
- RIPE NCC
- B. Manning
- EP.net
- October 18, 2004
-
-
-
- An In-Band Rollover Mechanism and an Out-Of-Band Priming Method for
- DNSSEC Trust Anchors.
- draft-ietf-dnsext-trustupdate-threshold-00
-
-
-Status of this Memo
-
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
- This Internet-Draft will expire on April 18, 2005.
-
-
-Copyright Notice
-
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-
-Abstract
-
-
- The DNS Security Extensions (DNSSEC) works by validating so called
- chains of authority. The start of these chains of authority are
- usually public keys that are anchored in the DNS clients. These keys
- are known as the so called trust anchors.
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 1]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- This memo describes a method how these client trust anchors can be
- replaced using the DNS validation and querying mechanisms (in-band)
- when the key pairs used for signing by zone owner are rolled.
-
-
- This memo also describes a method to establish the validity of trust
- anchors for initial configuration, or priming, using out of band
- mechanisms.
-
-
-Table of Contents
-
-
- 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 Key Signing Keys, Zone Signing Keys and Secure Entry
- Points . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Introduction and Background . . . . . . . . . . . . . . . . . 5
- 2.1 Dangers of Stale Trust Anchors . . . . . . . . . . . . . . 5
- 3. Threshold-based Trust Anchor Rollover . . . . . . . . . . . . 7
- 3.1 The Rollover . . . . . . . . . . . . . . . . . . . . . . . 7
- 3.2 Threshold-based Trust Update . . . . . . . . . . . . . . . 8
- 3.3 Possible Trust Update States . . . . . . . . . . . . . . . 9
- 3.4 Implementation notes . . . . . . . . . . . . . . . . . . . 10
- 3.5 Possible transactions . . . . . . . . . . . . . . . . . . 11
- 3.5.1 Single DNSKEY replaced . . . . . . . . . . . . . . . . 12
- 3.5.2 Addition of a new DNSKEY (no removal) . . . . . . . . 12
- 3.5.3 Removal of old DNSKEY (no addition) . . . . . . . . . 12
- 3.5.4 Multiple DNSKEYs replaced . . . . . . . . . . . . . . 12
- 3.6 Removal of trust anchors for a trust point . . . . . . . . 12
- 3.7 No need for resolver-side overlap of old and new keys . . 13
- 4. Bootstrapping automatic rollovers . . . . . . . . . . . . . . 14
- 4.1 Priming Keys . . . . . . . . . . . . . . . . . . . . . . . 14
- 4.1.1 Bootstrapping trust anchors using a priming key . . . 14
- 4.1.2 Distribution of priming keys . . . . . . . . . . . . . 15
- 5. The Threshold Rollover Mechanism vs Priming . . . . . . . . . 16
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
- 6.1 Threshold-based Trust Update Security Considerations . . . 17
- 6.2 Priming Key Security Considerations . . . . . . . . . . . 17
- 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
- 8.1 Normative References . . . . . . . . . . . . . . . . . . . . 20
- 8.2 Informative References . . . . . . . . . . . . . . . . . . . 20
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 20
- A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22
- B. Document History . . . . . . . . . . . . . . . . . . . . . . . 23
- B.1 prior to version 00 . . . . . . . . . . . . . . . . . . . 23
- B.2 version 00 . . . . . . . . . . . . . . . . . . . . . . . . 23
- Intellectual Property and Copyright Statements . . . . . . . . 24
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 2]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-1. Terminology
-
-
- The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
- and "MAY" in this document are to be interpreted as described in
- RFC2119 [1].
-
-
- The term "zone" refers to the unit of administrative control in the
- Domain Name System. In this document "name server" denotes a DNS
- name server that is authoritative (i.e. knows all there is to know)
- for a DNS zone. A "zone owner" is the entity responsible for signing
- and publishing a zone on a name server. The terms "authentication
- chain", "bogus", "trust anchors" and "Island of Security" are defined
- in [4]. Throughout this document we use the term "resolver" to mean
- "Validating Stub Resolvers" as defined in [4].
-
-
- We use the term "security apex" as the zone for which a trust anchor
- has been configured (by validating clients) and which is therefore,
- by definition, at the root of an island of security. The
- configuration of trust anchors is a client side issue. Therefore a
- zone owner may not always know if their zone has become a security
- apex.
-
-
- A "stale anchor" is a trust anchor (a public key) that relates to a
- key that is not used for signing. Since trust anchors indicate that
- a zone is supposed to be secure a validator will mark the all data in
- an island of security as bogus when all trust anchors become stale.
-
-
- It is assumed that the reader is familiar with public key
- cryptography concepts [REF: Schneier Applied Cryptography] and is
- able to distinguish between the private and public parts of a key
- based on the context in which we use the term "key". If there is a
- possible ambiguity we will explicitly mention if a private or a
- public part of a key is used.
-
-
- The term "administrator" is used loosely throughout the text. In
- some cases an administrator is meant to be a person, in other cases
- the administrator may be a process that has been delegated certain
- responsibilities.
-
-
-1.1 Key Signing Keys, Zone Signing Keys and Secure Entry Points
-
-
- Although the DNSSEC protocol does not make a distinction between
- different keys the operational practice is that a distinction is made
- between zone signing keys and key signing keys. A key signing key is
- used to exclusively sign the DNSKEY Resource Record (RR) set at the
- apex of a zone and the zone signing keys sign all the data in the
- zone (including the DNSKEY RRset at the apex).
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 3]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- Keys that are intended to be used as the start of the authentication
- chain for a particular zone, either because they are pointed to by a
- parental DS RR or because they are configured as a trust anchor, are
- called Secure Entry Point (SEP) keys. In practice these SEP keys
- will be key signing keys.
-
-
- In order for the mechanism described herein to work the keys that are
- intended to be used as secure entry points MUST have the SEP [2] flag
- set. In the examples it is assumed that keys with the SEP flag set
- are used as key signing keys and thus exclusively sign the DNSKEY
- RRset published at the apex of the zone.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 4]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-2. Introduction and Background
-
-
- When DNSSEC signatures are validated the resolver constructs a chain
- of authority from a pre-configured trust anchor to the DNSKEY
- Resource Record (RR), which contains the public key that validates
- the signature stored in an RRSIG RR. DNSSEC is designed so that the
- administrator of a resolver can validate data in multiple islands of
- security by configuring multiple trust anchors.
-
-
- It is expected that resolvers will have more than one trust anchor
- configured. Although there is no deployment experience it is not
- unreasonable to expect resolvers to be configured with a number of
- trust anchors that varies between order 1 and order 1000. Because
- zone owners are expected to roll their keys, trust anchors will have
- to be maintained (in the resolver end) in order not to become stale.
-
-
- Since there is no global key maintenance policy for zone owners and
- there are no mechanisms in the DNS to signal the key maintenance
- policy it may be very hard for resolvers administrators to keep their
- set of trust anchors up to date. For instance, if there is only one
- trust anchor configured and the key maintenance policy is clearly
- published, through some out of band trusted channel, then a resolver
- administrator can probably keep track of key rollovers and update the
- trust anchor manually. However, with an increasing number of trust
- anchors all rolled according to individual policies that are all
- published through different channels this soon becomes an
- unmanageable problem.
-
-
-2.1 Dangers of Stale Trust Anchors
-
-
- Whenever a SEP key at a security apex is rolled there exists a danger
- that "stale anchors" are created. A stale anchor is a trust anchor
- (i.e. a public key configured in a validating resolver) that relates
- to a private key that is no longer used for signing.
-
-
- The problem with a stale anchors is that they will (from the
- validating resolvers point of view) prove data to be false even
- though it is actually correct. This is because the data is either
- signed by a new key or is no longer signed and the resolver expects
- data to be signed by the old (now stale) key.
-
-
- This situation is arguably worse than not having a trusted key
- configured for the secure entry point, since with a stale key no
- lookup is typically possible (presuming that the default
- configuration of a validating recursive nameserver is to not give out
- data that is signed but failed to verify.
-
-
- The danger of making configured trust anchors become stale anchors
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 5]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- may be a reason for zone owners not to roll their keys. If a
- resolver is configured with many trust anchors that need manual
- maintenance it may be easy to not notice a key rollover at a security
- apex, resulting in a stale anchor.
-
-
- In Section 3 this memo sets out a lightweight, in-DNS, mechanism to
- track key rollovers and modify the configured trust anchors
- accordingly. The mechanism is stateless and does not need protocol
- extensions. The proposed design is that this mechanism is
- implemented as a "trust updating machine" that is run entirely
- separate from the validating resolver except that the trust updater
- will have influence over the trust anchors used by the latter.
-
-
- In Section 4 we describe a method [Editors note: for now only the
- frame work and a set of requirements] to install trust anchors. This
- method can be used at first configuration or when the trust anchors
- became stale (typically due to a failure to track several rollover
- events).
-
-
- The choice for which domains trust anchors are to be configured is a
- local policy issue. So is the choice which trust anchors has
- prevalence if there are multiple chains of trust to a given piece of
- DNS data (e.g. when a parent zone and its child both have trust
- anchors configured). Both issues are out of the scope of this
- document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 6]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-3. Threshold-based Trust Anchor Rollover
-
-
-3.1 The Rollover
-
-
- When a key pair is replaced all signatures (in DNSSEC these are the
- RRSIG records) created with the old key will be replaced by new
- signatures created by the new key. Access to the new public key is
- needed to verify these signatures.
-
-
- Since zone signing keys are in "the middle" of a chain of authority
- they can be verified using the signature made by a key signing key.
- Rollover of zone signing keys is therefore transparent to validators
- and requires no action in the validator end.
-
-
- But if a key signing key is rolled a resolver can determine its
- authenticity by either following the authorization chain from the
- parents DS record, an out-of-DNS authentication mechanism or by
- relying on other trust anchors known for the zone in which the key is
- rolled.
-
-
- The threshold trust anchor rollover mechanism (or trust update),
- described below, is based on using existing trust anchors to verify a
- subset of the available signatures. This is then used as the basis
- for a decision to accept the new keys as valid trust anchors.
-
-
- Our example pseudo zone below contains a number of key signing keys
- numbered 1 through Y and two zone signing keys A and B. During a key
- rollover key 2 is replaced by key Y+1. The zone content changes
- from:
-
-
- example.com. DNSKEY key1
- example.com. DNSKEY key2
- example.com. DNSKEY key3
- ...
- example.com. DNSKEY keyY
-
-
- example.com. DNSKEY keyA
- example.com. DNSKEY keyB
-
-
- example.com. RRSIG DNSKEY ... (key1)
- example.com. RRSIG DNSKEY ... (key2)
- example.com. RRSIG DNSKEY ... (key3)
- ...
- example.com. RRSIG DNSKEY ... (keyY)
- example.com. RRSIG DNSKEY ... (keyA)
- example.com. RRSIG DNSKEY ... (keyB)
-
-
- to:
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 7]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- example.com. DNSKEY key1
- example.com. DNSKEY key3
- ...
- example.com. DNSKEY keyY
- example.com. DNSKEY keyY+1
-
-
- example.com. RRSIG DNSKEY ... (key1)
- example.com. RRSIG DNSKEY ... (key3)
- ...
- example.com. RRSIG DNSKEY ... (keyY)
- example.com. RRSIG DNSKEY ... (keyY+1)
- example.com. RRSIG DNSKEY ... (keyA)
- example.com. RRSIG DNSKEY ... (keyB)
-
-
- When the rollover becomes visible to the verifying stub resolver it
- will be able to verify the RRSIGs associated with key1, key3 ...
- keyY. There will be no RRSIG by key2 and the RRSIG by keyY+1 will
- not be used for validation, since that key is previously unknown and
- therefore not trusted.
-
-
- Note that this example is simplified. Because of operational
- considerations described in [5] having a period during which the two
- key signing keys are both available is necessary.
-
-
-3.2 Threshold-based Trust Update
-
-
- The threshold-based trust update algorithm applies as follows. If
- for a particular secure entry point
- o if the DNSKEY RRset in the zone has been replaced by a more recent
- one (as determined by comparing the RRSIG inception dates)
- and
- o if at least M configured trust anchors directly verify the related
- RRSIGs over the new DNSKEY RRset
- and
- o the number of configured trust anchors that verify the related
- RRSIGs over the new DNSKEY RRset exceed a locally defined minimum
- number that should be greater than one
- then all the trust anchors for the particular secure entry point are
- replaced by the set of keys from the zones DNSKEY RRset that have the
- SEP flag set.
-
-
- The choices for the rollover acceptance policy parameter M is left to
- the administrator of the resolver. To be certain that a rollover is
- accepted up by resolvers using this mechanism zone owners should roll
- as few SEP keys at a time as possible (preferably just one). That
- way they comply to the most strict rollover acceptance policy of
- M=N-1.
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 8]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- The value of M has an upper bound, limited by the number of of SEP
- keys a zone owner publishes (i.e. N). But there is also a lower
- bound, since it will not be safe to base the trust in too few
- signatures. The corner case is M=1 when any validating RRSIG will be
- sufficient for a complete replacement of the trust anchors for that
- secure entry point. This is not a recommended configuration, since
- that will allow an attacker to initiate rollover of the trust anchors
- himself given access to just one compromised key. Hence M should in
- be strictly larger than 1 as shown by the third requirement above.
-
-
- If the rollover acceptance policy is M=1 then the result for the
- rollover in our example above should be that the local database of
- trust anchors is updated by removing key "key2" from and adding key
- "keyY+1" to the key store.
-
-
-3.3 Possible Trust Update States
-
-
- We define five states for trust anchor configuration at the client
- side.
- PRIMING: There are no trust anchors configured. There may be priming
- keys available for initial priming of trust anchors.
- IN-SYNC: The set of trust anchors configured exactly matches the set
- of SEP keys used by the zone owner to sign the zone.
- OUT-OF-SYNC: The set of trust anchors is not exactly the same as the
- set of SEP keys used by the zone owner to sign the zone but there
- are enough SEP key in use by the zone owner that is also in the
- trust anchor configuration.
- UNSYNCABLE: There is not enough overlap between the configured trust
- anchors and the set of SEP keys used to sign the zone for the new
- set to be accepted by the validator (i.e. the number of
- signatures that verify is not sufficient).
- STALE: There is no overlap between the configured trust anchors and
- the set of SEP keys used to sign the zone. Here validation of
- data is no longer possible and hence we are in a situation where
- the trust anchors are stale.
-
-
- Of these five states only two (IN-SYNC and OUT-OF-SYNC) are part of
- the automatic trust update mechanism. The PRIMING state is where a
- validator is located before acquiring an up-to-date set of trust
- anchors. The transition from PRIMING to IN-SYNC is manual (see
- Section 4 below).
-
-
- Example: assume a secure entry point with four SEP keys and a
- validator with the policy that it will accept any update to the set
- of trust anchors as long as no more than two signatures fail to
- validate (i.e. M >= N-2) and at least two signature does validate
- (i.e. M >= 2). In this case the rollover of a single key will move
- the validator from IN-SYNC to OUT-OF-SYNC. When the trust update
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 9]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- state machine updates the trust anchors it returns to state IN-SYNC.
-
-
- If if for some reason it fails to update the trust anchors then the
- next rollover (of a different key) will move the validator from
- OUT-OF-SYNC to OUT-OF-SYNC (again), since there are still two keys
- that are configured as trust anchors and that is sufficient to accpt
- an automatic update of the trust anchors.
-
-
- The UNSYNCABLE state is where a validator is located if it for some
- reason fails to incorporate enough updates to the trust anchors to be
- able to accept new updates according to its local policy. In this
- example (i.e. with the policy specified above) this will either be
- because M < N-2 or M < 2, which does not suffice to authenticate a
- successful update of trust anchors.
-
-
- Continuing with the previous example where two of the four SEP keys
- have already rolled, but the validator has failed to update the set
- of trust anchors. When the third key rolls over there will only be
- one trust anchor left that can do successful validation. This is not
- sufficient to enable automatic update of the trust anchors, hence the
- new state is UNSYNCABLE. Note, however, that the remaining
- up-to-date trust anchor is still enough to do successful validation
- so the validator is still "working" from a DNSSEC point of view.
-
-
- The STALE state, finally, is where a validator ends up when it has
- zero remaining current trust anchors. This is a dangerous state,
- since the stale trust anchors will cause all validation to fail. The
- escape is to remove the stale trust anchors and thereby revert to the
- PRIMING state.
-
-
-3.4 Implementation notes
-
-
- The DNSSEC protocol specification ordains that a DNSKEY to which a DS
- record points should be self-signed. Since the keys that serve as
- trust anchors and the keys that are pointed to by DS records serve
- the same purpose, they are both secure entry points, we RECOMMEND
- that zone owners who want to facilitate the automated rollover scheme
- documented herein self-sign DNSKEYs with the SEP bit set and that
- implementation check that DNSKEYs with the SEP bit set are
- self-signed.
-
-
- In order to maintain a uniform way of determining that a keyset in
- the zone has been replaced by a more recent set the automatic trust
- update machine SHOULD only accept new DNSKEY RRsets if the
- accompanying RRSIGs show a more recent inception date than the
- present set of trust anchors. This is also needed as a safe guard
- against possible replay attacks where old updates are replayed
- "backwards" (i.e. one change at a time, but going in the wrong
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 10]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- direction, thereby luring the validator into the UNSYNCABLE and
- finally STALE states).
-
-
- In order to be resilient against failures the implementation should
- collect the DNSKEY RRsets from (other) authoritative servers if
- verification of the self signatures fails.
-
-
- The threshold-based trust update mechanism SHOULD only be applied to
- algorithms, as represented in the algorithm field in the DNSKEY/RRSIG
- [3], that the resolver is aware of. In other words the SEP keys of
- unknown algorithms should not be used when counting the number of
- available signatures (the N constant) and the SEP keys of unknown
- algorithm should not be entered as trust anchors.
-
-
- When in state UNSYNCABLE or STALE manual intervention will be needed
- to return to the IN-SYNC state. These states should be flagged. The
- most appropriate action is human audit possibly followed by
- re-priming (Section 4) the keyset (i.e. manual transfer to the
- PRIMING state through removal of the configured trust anchors).
-
-
- An implementation should regularly probe the the authoritative
- nameservers for new keys. Since there is no mechanism to publish
- rollover frequencies this document RECOMMENDS zone owners not to roll
- their key signing keys more often than once per month and resolver
- administrators to probe for key rollsovers (and apply the threshold
- criterion for acceptance of trust update) not less often than once
- per month. If the rollover frequency is higher than the probing
- frequency then trust anchors may become stale. The exact relation
- between the frequencies depends on the number of SEP keys rolled by
- the zone owner and the value M configured by the resolver
- administrator.
-
-
- In all the cases below a transaction where the threshold criterion is
- not satisfied should be considered bad (i.e. possibly spoofed or
- otherwise corrupted data). The most appropriate action is human
- audit.
-
-
- There is one case where a "bad" state may be escaped from in an
- automated fashion. This is when entering the STALE state where all
- DNSSEC validation starts to fail. If this happens it is concievable
- that it is better to completely discard the stale trust anchors
- (thereby reverting to the PRIMING state where validation is not
- possible). A local policy that automates removal of stale trust
- anchors is therefore suggested.
-
-
-3.5 Possible transactions
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 11]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-3.5.1 Single DNSKEY replaced
-
-
- This is probably the most typical transaction on the zone owners
- part. The result should be that if the threshold criterion is
- satisfied then the key store is updated by removal of the old trust
- anchor and addition of the new key as a new trust anchor. Note that
- if the DNSKEY RRset contains exactly M keys replacement of keys is
- not possible, i.e. for automatic rollover to work M must be stricly
- less than N.
-
-
-3.5.2 Addition of a new DNSKEY (no removal)
-
-
- If the threshold criterion is satisfied then the new key is added as
- a configured trust anchor. Not more than N-M keys can be added at
- once, since otherwise the algorithm will fail.
-
-
-3.5.3 Removal of old DNSKEY (no addition)
-
-
- If the threshold criterion is satisfied then the old key is removed
- from being a configured trust anchor. Note that it is not possible
- to reduce the size of the DNSKEY RRset to a size smaller than the
- minimum required value for M.
-
-
-3.5.4 Multiple DNSKEYs replaced
-
-
- Arguably it is not a good idea for the zone administrator to replace
- several keys at the same time, but from the resolver point of view
- this is exactly what will happen if the validating resolver for some
- reason failed to notice a previous rollover event.
-
-
- Not more than N-M keys can be replaced at one time or the threshold
- criterion will not be satisfied. Or, expressed another way: as long
- as the number of changed keys is less than or equal to N-M the
- validator is in state OUT-OF-SYNC. When the number of changed keys
- becomes greater than N-M the state changes to UNSYNCABLE and manual
- action is needed.
-
-
-3.6 Removal of trust anchors for a trust point
-
-
- If the parent of a secure entry point gets signed and it's trusted
- keys get configured in the key store of the validating resolver then
- the configured trust anchors for the child should be removed entirely
- unless explicitly configured (in the utility configuration) to be an
- exception.
-
-
- The reason for such a configuration would be that the resolver has a
- local policy that requires maintenance of trusted keys further down
- the tree hierarchy than strictly needed from the point of view.
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 12]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- The default action when the parent zone changes from unsigned to
- signed should be to remove the configured trust anchors for the
- child. This form of "garbage collect" will ensure that the automatic
- rollover machinery scales as DNSSEC deployment progresses.
-
-
-3.7 No need for resolver-side overlap of old and new keys
-
-
- It is worth pointing out that there is no need for the resolver to
- keep state about old keys versus new keys, beyond the requirement of
- tracking signature inception time for the covering RRSIGs as
- described in Section 3.4.
-
-
- From the resolver point of view there are only trusted and not
- trusted keys. The reason is that the zone owner needs to do proper
- maintenance of RRSIGs regardless of the resolver rollover mechanism
- and hence must ensure that no key rolled out out the DNSKEY set until
- there cannot be any RRSIGs created by this key still legally cached.
-
-
- Hence the rollover mechanism is entirely stateless with regard to the
- keys involved: as soon as the resolver (or in this case the rollover
- tracking utility) detects a change in the DNSKEY RRset (i.e. it is
- now in the state OUT-OF-SYNC) with a sufficient number of matching
- RRSIGs the configured trust anchors are immediately updated (and
- thereby the machine return to state IN-SYNC). I.e. the rollover
- machine changes states (mostly oscillating between IN-SYNC and
- OUT-OF-SYNC), but the status of the DNSSEC keys is stateless.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 13]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-4. Bootstrapping automatic rollovers
-
-
- It is expected that with the ability to automatically roll trust
- anchors at trust points will follow a diminished unwillingness to
- roll these keys, since the risks associated with stale keys are
- minimized.
-
-
- The problem of "priming" the trust anchors, or bringing them into
- sync (which could happen if a resolver is off line for a long period
- in which a set of SEP keys in a zone 'evolve' away from its trust
- anchor configuration) remains.
-
-
- For (re)priming we can rely on out of band technology and we propose
- the following framework.
-
-
-4.1 Priming Keys
-
-
- If all the trust anchors roll somewhat frequently (on the order of
- months or at most about a year) then it will not be possible to
- design a device, or a software distribution that includes trust
- anchors, that after being manufactured is put on a shelf for several
- key rollover periods before being brought into use (since no trust
- anchors that were known at the time of manufacture remain active).
-
-
- To alleviate this we propose the concept of "priming keys". Priming
- keys are ordinary DNSSEC Key Signing Keys with the characteristic
- that
- o The private part of a priming key signs the DNSKEY RRset at the
- security apex, i.e. at least one RRSIG DNSKEY is created by a
- priming key rather than by an "ordinary" trust anchor
- o the public parts of priming keys are not included in the DNSKEY
- RRset. Instead the public parts of priming keys are only
- available out-of-band.
- o The public parts of the priming keys have a validity period.
- Within this period they can be used to obtain trust anchors.
- o The priming key pairs are long lived (relative to the key rollover
- period.)
-
-
-4.1.1 Bootstrapping trust anchors using a priming key
-
-
- To install the trust anchors for a particular security apex an
- administrator of a validating resolver will need to:
- o query for the DNSKEY RRset of the zone at the security apex;
- o verify the self signatures of all DNSKEYs in the RRset;
- o verify the signature of the RRSIG made with a priming key --
- verification using one of the public priming keys that is valid at
- that moment is sufficient;
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 14]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- o create the trust anchors by extracting the DNSKEY RRs with the SEP
- flag set.
- The SEP keys with algorithms unknown to the validating resolver
- SHOULD be ignored during the creation of the trust anchors.
-
-
-4.1.2 Distribution of priming keys
-
-
- The public parts of the priming keys SHOULD be distributed
- exclusively through out-of-DNS mechanisms. The requirements for a
- distribution mechanism are:
- o it can carry the "validity" period for the priming keys;
- o it can carry the self-signature of the priming keys;
- o and it allows for verification using trust relations outside the
- DNS.
- A distribution mechanism would benefit from:
- o the availability of revocation lists;
- o the ability of carrying zone owners policy information such as
- recommended values for "M" and "N" and a rollover frequency;
- o and the technology on which is based is readily available.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 15]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-5. The Threshold Rollover Mechanism vs Priming
-
-
- There is overlap between the threshold-based trust updater and the
- Priming method. One could exclusively use the Priming method for
- maintaining the trust anchors. However the priming method probably
- relies on "non-DNS' technology and may therefore not be available for
- all devices that have a resolver.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 16]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-6. Security Considerations
-
-
-6.1 Threshold-based Trust Update Security Considerations
-
-
- A clear issue for resolvers will be how to ensure that they track all
- rollover events for the zones they have configure trust anchors for.
- Because of temporary outages validating resolvers may have missed a
- rollover of a KSK. The parameters that determine the robustness
- against failures are: the length of the period between rollovers
- during which the KSK set is stable and validating resolvers can
- actually notice the change; the number of available KSKs (i.e. N)
- and the number of signatures that may fail to validate (i.e. N-M).
-
-
- With a large N (i.e. many KSKs) and a small value of M this
- operation becomes more robust since losing one key, for whatever
- reason, will not be crucial. Unfortunately the choice for the number
- of KSKs is a local policy issue for the zone owner while the choice
- for the parameter M is a local policy issue for the resolver
- administrator.
-
-
- Higher values of M increase the resilience against attacks somewhat;
- more signatures need to verify for a rollover to be approved. On the
- other hand the number of rollover events that may pass unnoticed
- before the resolver reaches the UNSYNCABLE state goes down.
-
-
- The threshold-based trust update intentionally does not provide a
- revocation mechanism. In the case that a sufficient number of
- private keys of a zone owner are simultaneously compromised the the
- attacker may use these private keys to roll the trust anchors of (a
- subset of) the resolvers. This is obviously a bad situation but it
- is not different from most other public keys systems.
-
-
- However, it is important to point out that since any reasonable trust
- anchor rollover policy (in validating resolvers) will require more
- than one RRSIG to validate this proposal does provide security
- concious zone administrators with the option of not storing the
- individual private keys in the same location and thereby decreasing
- the likelihood of simultaneous compromise.
-
-
-6.2 Priming Key Security Considerations
-
-
- Since priming keys are not included in the DNSKEY RR set they are
- less sensitive to packet size constraints and can be chosen
- relatively large. The private parts are only needed to sign the
- DNSKEY RR set during the validity period of the particular priming
- key pair. Note that the private part of the priming key is used each
- time when a DNSKEY RRset has to be resigned. In practice there is
- therefore little difference between the usage pattern of the private
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 17]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- part of key signing keys and priming keys.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 18]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-7. IANA Considerations
-
-
- NONE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 19]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-8. References
-
-
-8.1 Normative References
-
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
-
- [2] Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
- (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
- RFC 3757, May 2004.
-
-
- [3] Arends, R., "Resource Records for the DNS Security Extensions",
- draft-ietf-dnsext-dnssec-records-10 (work in progress),
- September 2004.
-
-
-8.2 Informative References
-
-
- [4] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
- "DNS Security Introduction and Requirements",
- draft-ietf-dnsext-dnssec-intro-12 (work in progress), September
- 2004.
-
-
- [5] Kolkman, O., "DNSSEC Operational Practices",
- draft-ietf-dnsop-dnssec-operational-practices-01 (work in
- progress), May 2004.
-
-
- [6] Housley, R., Ford, W., Polk, T. and D. Solo, "Internet X.509
- Public Key Infrastructure Certificate and CRL Profile", RFC
- 2459, January 1999.
-
-
-
-Authors' Addresses
-
-
- Johan Ihren
- Autonomica AB
- Bellmansgatan 30
- Stockholm SE-118 47
- Sweden
-
-
- EMail: johani@autonomica.se
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 20]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
- Olaf M. Kolkman
- RIPE NCC
- Singel 256
- Amsterdam 1016 AB
- NL
-
-
- Phone: +31 20 535 4444
- EMail: olaf@ripe.net
- URI: http://www.ripe.net/
-
-
-
- Bill Manning
- EP.net
- Marina del Rey, CA 90295
- USA
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 21]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-Appendix A. Acknowledgments
-
-
- The present design for in-band automatic rollovers of DNSSEC trust
- anchors is the result of many conversations and it is no longer
- possible to remember exactly who contributed what.
-
-
- In addition we've also had appreciated help from (in no particular
- order) Paul Vixie, Sam Weiler, Suzanne Woolf, Steve Crocker, Matt
- Larson and Mark Kosters.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 22]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-Appendix B. Document History
-
-
- This appendix will be removed if and when the document is submitted
- to the RFC editor.
-
-
- The version you are reading is tagged as $Revision: 1.1.232.1 $.
-
-
- Text between square brackets, other than references, are editorial
- comments and will be removed.
-
-
-B.1 prior to version 00
-
-
- This draft was initially published as a personal submission under the
- name draft-kolkman-dnsext-dnssec-in-band-rollover-00.txt.
-
-
- Kolkman documented the ideas provided by Ihren and Manning. In the
- process of documenting (and prototyping) Kolkman changed some of the
- details of the M-N algorithms working. Ihren did not have a chance
- to review the draft before Kolkman posted;
-
-
- Kolkman takes responsibilities for omissions, fuzzy definitions and
- mistakes.
-
-
-B.2 version 00
- o The name of the draft was changed as a result of the draft being
- adopted as a working group document.
- o A small section on the concept of stale trust anchors was added.
- o The different possible states are more clearly defined, including
- examples of transitions between states.
- o The terminology is changed throughout the document. The old term
- "M-N" is replaced by "threshold" (more or less). Also the
- interpretation of the constants M and N is significantly
- simplified to bring the usage more in line with "standard"
- threshold terminlogy.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 23]
-Internet-Draft DNSSEC Threshold-based Trust Update October 2004
-
-
-
-Intellectual Property Statement
-
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-
-Disclaimer of Validity
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Copyright Statement
-
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-
-Acknowledgment
-
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Ihren, et al. Expires April 18, 2005 [Page 24]
\ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-01.txt
deleted file mode 100644
index df702b41ec98..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-trustupdate-timers-01.txt
+++ /dev/null
@@ -1,730 +0,0 @@
-
-
-
-
-Network Working Group M. StJohns
-Internet-Draft Nominum, Inc.
-Expires: February 16, 2006 August 15, 2005
-
-
- Automated Updates of DNSSEC Trust Anchors
- draft-ietf-dnsext-trustupdate-timers-01
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on February 16, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document describes a means for automated, authenticated and
- authorized updating of DNSSEC "trust anchors". The method provides
- protection against single key compromise of a key in the trust point
- key set. Based on the trust established by the presence of a current
- anchor, other anchors may be added at the same place in the
- hierarchy, and, ultimately, supplant the existing anchor.
-
- This mechanism, if adopted, will require changes to resolver
- management behavior (but not resolver resolution behavior), and the
-
-
-
-StJohns Expires February 16, 2006 [Page 1]
-
-Internet-Draft trustanchor-update August 2005
-
-
- addition of a single flag bit to the DNSKEY record.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 Compliance Nomenclature . . . . . . . . . . . . . . . . . 3
- 1.2 Changes since -00 . . . . . . . . . . . . . . . . . . . . 3
- 2. Theory of Operation . . . . . . . . . . . . . . . . . . . . . 4
- 2.1 Revocation . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2.2 Add Hold-Down . . . . . . . . . . . . . . . . . . . . . . 4
- 2.3 Remove Hold-down . . . . . . . . . . . . . . . . . . . . . 5
- 2.4 Active Refresh . . . . . . . . . . . . . . . . . . . . . . 6
- 2.5 Resolver Parameters . . . . . . . . . . . . . . . . . . . 6
- 2.5.1 Add Hold-Down Time . . . . . . . . . . . . . . . . . . 6
- 2.5.2 Remove Hold-Down Time . . . . . . . . . . . . . . . . 6
- 2.5.3 Minimum Trust Anchors per Trust Point . . . . . . . . 6
- 3. Changes to DNSKEY RDATA Wire Format . . . . . . . . . . . . . 6
- 4. State Table . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 4.1 Events . . . . . . . . . . . . . . . . . . . . . . . . . . 7
- 4.2 States . . . . . . . . . . . . . . . . . . . . . . . . . . 7
- 5. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 5.1 Adding A Trust Anchor . . . . . . . . . . . . . . . . . . 8
- 5.2 Deleting a Trust Anchor . . . . . . . . . . . . . . . . . 9
- 5.3 Key Roll-Over . . . . . . . . . . . . . . . . . . . . . . 9
- 5.4 Active Key Compromised . . . . . . . . . . . . . . . . . . 9
- 5.5 Stand-by Key Compromised . . . . . . . . . . . . . . . . . 9
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 10
- 6.1 Key Ownership vs Acceptance Policy . . . . . . . . . . . . 10
- 6.2 Multiple Key Compromise . . . . . . . . . . . . . . . . . 10
- 6.3 Dynamic Updates . . . . . . . . . . . . . . . . . . . . . 10
- 7. Normative References . . . . . . . . . . . . . . . . . . . . . 10
- Editorial Comments . . . . . . . . . . . . . . . . . . . . . . 11
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . 11
- Intellectual Property and Copyright Statements . . . . . . . . 12
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-StJohns Expires February 16, 2006 [Page 2]
-
-Internet-Draft trustanchor-update August 2005
-
-
-1. Introduction
-
- As part of the reality of fielding DNSSEC (Domain Name System
- Security Extensions) [RFC2535] [RFC4033][RFC4034][RFC4035], the
- community has come to the realization that there will not be one
- signed name space, but rather islands of signed name space each
- originating from specific points (i.e. 'trust points') in the DNS
- tree. Each of those islands will be identified by the trust point
- name, and validated by at least one associated public key. For the
- purpose of this document we'll call the association of that name and
- a particular key a 'trust anchor'. A particular trust point can have
- more than one key designated as a trust anchor.
-
- For a DNSSEC-aware resolver to validate information in a DNSSEC
- protected branch of the hierarchy, it must have knowledge of a trust
- anchor applicable to that branch. It may also have more than one
- trust anchor for any given trust point. Under current rules, a chain
- of trust for DNSSEC-protected data that chains its way back to ANY
- known trust anchor is considered 'secure'.
-
- Because of the probable balkanization of the DNSSEC tree due to
- signing voids at key locations, a resolver may need to know literally
- thousands of trust anchors to perform its duties. (e.g. Consider an
- unsigned ".COM".) Requiring the owner of the resolver to manually
- manage this many relationships is problematic. It's even more
- problematic when considering the eventual requirement for key
- replacement/update for a given trust anchor. The mechanism described
- herein won't help with the initial configuration of the trust anchors
- in the resolvers, but should make trust point key replacement/
- rollover more viable.
-
- As mentioned above, this document describes a mechanism whereby a
- resolver can update the trust anchors for a given trust point, mainly
- without human intervention at the resolver. There are some corner
- cases discussed (e.g. multiple key compromise) that may require
- manual intervention, but they should be few and far between. This
- document DOES NOT discuss the general problem of the initial
- configuration of trust anchors for the resolver.
-
-1.1 Compliance Nomenclature
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14, [RFC2119].
-
-1.2 Changes since -00
-
- Added the concept of timer triggered resolver queries to refresh the
-
-
-
-StJohns Expires February 16, 2006 [Page 3]
-
-Internet-Draft trustanchor-update August 2005
-
-
- resolvers view of the trust anchor key RRSet.
-
- Re-submitted expired draft as -01. Updated DNSSEC RFC References.
-
-2. Theory of Operation
-
- The general concept of this mechanism is that existing trust anchors
- can be used to authenticate new trust anchors at the same point in
- the DNS hierarchy. When a new SEP key is added to a trust point
- DNSKEY RRSet, and when that RRSet is validated by an existing trust
- anchor, then the new key can be added to the set of trust anchors.
-
- There are some issues with this approach which need to be mitigated.
- For example, a compromise of one of the existing keys could allow an
- attacker to add their own 'valid' data. This implies a need for a
- method to revoke an existing key regardless of whether or not that
- key is compromised. As another example assuming a single key
- compromise, an attacker could add a new key and revoke all the other
- old keys.
-
-2.1 Revocation
-
- Assume two trust anchor keys A and B. Assume that B has been
- compromised. Without a specific revocation bit, B could invalidate A
- simply by sending out a signed trust point key set which didn't
- contain A. To fix this, we add a mechanism which requires knowledge
- of the private key of a DNSKEY to revoke that DNSKEY.
-
- A key is considered revoked when the resolver sees the key in a self-
- signed RRSet and the key has the REVOKE bit set to '1'. Once the
- resolver sees the REVOKE bit, it MUST NOT use this key as a trust
- anchor or for any other purposes except validating the RRSIG over the
- DNSKEY RRSet specifically for the purpose of validating the
- revocation. Unlike the 'Add' operation below, revocation is
- immediate and permanent upon receipt of a valid revocation at the
- resolver.
-
- N.B. A DNSKEY with the REVOKE bit set has a different fingerprint
- than one without the bit set. This affects the matching of a DNSKEY
- to DS records in the parent, or the fingerprint stored at a resolver
- used to configure a trust point. [msj3]
-
- In the given example, the attacker could revoke B because it has
- knowledge of B's private key, but could not revoke A.
-
-2.2 Add Hold-Down
-
- Assume two trust point keys A and B. Assume that B has been
-
-
-
-StJohns Expires February 16, 2006 [Page 4]
-
-Internet-Draft trustanchor-update August 2005
-
-
- compromised. An attacker could generate and add a new trust anchor
- key - C (by adding C to the DNSKEY RRSet and signing it with B), and
- then invalidate the compromised key. This would result in the both
- the attacker and owner being able to sign data in the zone and have
- it accepted as valid by resolvers.
-
- To mitigate, but not completely solve, this problem, we add a hold-
- down time to the addition of the trust anchor. When the resolver
- sees a new SEP key in a validated trust point DNSKEY RRSet, the
- resolver starts an acceptance timer, and remembers all the keys that
- validated the RRSet. If the resolver ever sees the DNSKEY RRSet
- without the new key but validly signed, it stops the acceptance
- process and resets the acceptance timer. If all of the keys which
- were originally used to validate this key are revoked prior to the
- timer expiring, the resolver stops the acceptance process and resets
- the timer.
-
- Once the timer expires, the new key will be added as a trust anchor
- the next time the validated RRSet with the new key is seen at the
- resolver. The resolver MUST NOT treat the new key as a trust anchor
- until the hold down time expires AND it has retrieved and validated a
- DNSKEY RRSet after the hold down time which contains the new key.
-
- N.B.: Once the resolver has accepted a key as a trust anchor, the key
- MUST be considered a valid trust anchor by that resolver until
- explictly revoked as described above.
-
- In the given example, the zone owner can recover from a compromise by
- revoking B and adding a new key D and signing the DNSKEY RRSet with
- both A and B.
-
- The reason this does not completely solve the problem has to do with
- the distributed nature of DNS. The resolver only knows what it sees.
- A determined attacker who holds one compromised key could keep a
- single resolver from realizing that key had been compromised by
- intercepting 'real' data from the originating zone and substituting
- their own (e.g. using the example, signed only by B). This is no
- worse than the current situation assuming a compromised key.
-
-2.3 Remove Hold-down
-
- A new key which has been seen by the resolver, but hasn't reached
- it's add hold-down time, MAY be removed from the DNSKEY RRSet by the
- zone owner. If the resolver sees a validated DNSKEY RRSet without
- this key, it waits for the remove hold-down time and then, if the key
- hasn't reappeared, SHOULD discard any information about the key.
-
-
-
-
-
-StJohns Expires February 16, 2006 [Page 5]
-
-Internet-Draft trustanchor-update August 2005
-
-
-2.4 Active Refresh
-
- A resolver which has been configured for automatic update of keys
- from a particular trust point MUST query that trust point (e.g. do a
- lookup for the DNSKEY RRSet and related RRSIG records) no less often
- than the lesser of 15 days or half the original TTL for the DNSKEY
- RRSet or half the RRSIG expiration interval. The expiration interval
- is the amount of time from when the RRSIG was last retrieved until
- the expiration time in the RRSIG.
-
- If the query fails, the resolver MUST repeat the query until
- satisfied no more often than once an hour and no less often than the
- lesser of 1 day or 10% of the original TTL or 10% of the original
- expiration interval.
-
-2.5 Resolver Parameters
-
-2.5.1 Add Hold-Down Time
-
- The add hold-down time is 30 days or the expiration time of the TTL
- of the first trust point DNSKEY RRSet which contained the key,
- whichever is greater. This ensures that at least two validated
- DNSKEY RRSets which contain the new key MUST be seen by the resolver
- prior to the key's acceptance.
-
-2.5.2 Remove Hold-Down Time
-
- The remove hold-down time is 30 days.
-
-2.5.3 Minimum Trust Anchors per Trust Point
-
- A compliant resolver MUST be able to manage at least five SEP keys
- per trust point.
-
-3. Changes to DNSKEY RDATA Wire Format
-
- Bit n [msj2] of the DNSKEY Flags field is designated as the 'REVOKE'
- flag. If this bit is set to '1', AND the resolver sees an
- RRSIG(DNSKEY) signed by the associated key, then the resolver MUST
- consider this key permanently invalid for all purposes except for
- validing the revocation.
-
-4. State Table
-
- The most important thing to understand is the resolver's view of any
- key at a trust point. The following state table describes that view
- at various points in the key's lifetime. The table is a normative
- part of this specification. The initial state of the key is 'Start'.
-
-
-
-StJohns Expires February 16, 2006 [Page 6]
-
-Internet-Draft trustanchor-update August 2005
-
-
- The resolver's view of the state of the key changes as various events
- occur.
-
- [msj1] This is the state of a trust point key as seen from the
- resolver. The column on the left indicates the current state. The
- header at the top shows the next state. The intersection of the two
- shows the event that will cause the state to transition from the
- current state to the next.
-
- NEXT STATE
- --------------------------------------------------
- FROM |Start |AddPend |Valid |Missing|Revoked|Removed|
- ----------------------------------------------------------
- Start | |NewKey | | | | |
- ----------------------------------------------------------
- AddPend |KeyRem | |AddTime| | |
- ----------------------------------------------------------
- Valid | | | |KeyRem |Revbit | |
- ----------------------------------------------------------
- Missing | | |KeyPres| |Revbit | |
- ----------------------------------------------------------
- Revoked | | | | | |RemTime|
- ----------------------------------------------------------
- Removed | | | | | | |
- ----------------------------------------------------------
-
-
-4.1 Events
- NewKey The resolver sees a valid DNSKEY RRSet with a new SEP key.
- That key will become a new trust anchor for the named trust point
- after its been present in the RRSet for at least 'add time'.
- KeyPres The key has returned to the valid DNSKEY RRSet.
- KeyRem The resolver sees a valid DNSKEY RRSet that does not contain
- this key.
- AddTime The key has been in every valid DNSKEY RRSet seen for at
- least the 'add time'.
- RemTime A revoked key has been missing from the trust point DNSKEY
- RRSet for sufficient time to be removed from the trust set.
- RevBit The key has appeared in the trust anchor DNSKEY RRSet with its
- "REVOKED" bit set, and there is an RRSig over the DNSKEY RRSet
- signed by this key.
-
-4.2 States
- Start The key doesn't yet exist as a trust anchor at the resolver.
- It may or may not exist at the zone server, but hasn't yet been
- seen at the resolver.
-
-
-
-
-
-StJohns Expires February 16, 2006 [Page 7]
-
-Internet-Draft trustanchor-update August 2005
-
-
- AddPend The key has been seen at the resolver, has its 'SEP' bit set,
- and has been included in a validated DNSKEY RRSet. There is a
- hold-down time for the key before it can be used as a trust
- anchor.
- Valid The key has been seen at the resolver and has been included in
- all validated DNSKEY RRSets from the time it was first seen up
- through the hold-down time. It is now valid for verifying RRSets
- that arrive after the hold down time. Clarification: The DNSKEY
- RRSet does not need to be continuously present at the resolver
- (e.g. its TTL might expire). If the RRSet is seen, and is
- validated (i.e. verifies against an existing trust anchor), this
- key MUST be in the RRSet otherwise a 'KeyRem' event is triggered.
- Missing This is an abnormal state. The key remains as a valid trust
- point key, but was not seen at the resolver in the last validated
- DNSKEY RRSet. This is an abnormal state because the zone operator
- should be using the REVOKE bit prior to removal. [Discussion
- item: Should a missing key be considered revoked after some
- period of time?]
- Revoked This is the state a key moves to once the resolver sees an
- RRSIG(DNSKEY) signed by this key where that DNSKEY RRSet contains
- this key with its REVOKE bit set to '1'. Once in this state, this
- key MUST permanently be considered invalid as a trust anchor.
- Removed After a fairly long hold-down time, information about this
- key may be purged from the resolver. A key in the removed state
- MUST NOT be considered a valid trust anchor.
-
-5. Scenarios
-
- The suggested model for operation is to have one active key and one
- stand-by key at each trust point. The active key will be used to
- sign the DNSKEY RRSet. The stand-by key will not normally sign this
- RRSet, but the resolver will accept it as a trust anchor if/when it
- sees the signature on the trust point DNSKEY RRSet.
-
- Since the stand-by key is not in active signing use, the associated
- private key may (and SHOULD) be provided with additional protections
- not normally available to a key that must be used frequently. E.g.
- locked in a safe, split among many parties, etc. Notionally, the
- stand-by key should be less subject to compromise than an active key,
- but that will be dependent on operational concerns not addressed
- here.
-
-5.1 Adding A Trust Anchor
-
- Assume an existing trust anchor key 'A'.
- 1. Generate a new key pair.
-
-
-
-
-
-StJohns Expires February 16, 2006 [Page 8]
-
-Internet-Draft trustanchor-update August 2005
-
-
- 2. Create a DNSKEY record from the key pair and set the SEP and Zone
- Key bits.
- 3. Add the DNSKEY to the RRSet.
- 4. Sign the DNSKEY RRSet ONLY with the existing trust anchor key -
- 'A'.
- 5. Wait a while.
-
-5.2 Deleting a Trust Anchor
-
- Assume existing trust anchors 'A' and 'B' and that you want to revoke
- and delete 'A'.
- 1. Set the revolcation bit on key 'A'.
- 2. Sign the DNSKEY RRSet with both 'A' and 'B'.
- 'A' is now revoked. The operator SHOULD include the revoked 'A' in
- the RRSet for at least the remove hold-down time, but then may remove
- it from the DNSKEY RRSet.
-
-5.3 Key Roll-Over
-
- Assume existing keys A and B. 'A' is actively in use (i.e. has been
- signing the DNSKEY RRSet.) 'B' was the stand-by key. (i.e. has been
- in the DNSKEY RRSet and is a valid trust anchor, but wasn't being
- used to sign the RRSet.)
- 1. Generate a new key pair 'C'.
- 2. Add 'C' to the DNSKEY RRSet.
- 3. Set the revocation bit on key 'A'.
- 4. Sign the RRSet with 'A' and 'B'.
- 'A' is now revoked, 'B' is now the active key, and 'C' will be the
- stand-by key once the hold-down expires. The operator SHOULD include
- the revoked 'A' in the RRSet for at least the remove hold-down time,
- but may then remove it from the DNSKEY RRSet.
-
-5.4 Active Key Compromised
-
- This is the same as the mechanism for Key Roll-Over (Section 5.3)
- above assuming 'A' is the active key.
-
-5.5 Stand-by Key Compromised
-
- Using the same assumptions and naming conventions as Key Roll-Over
- (Section 5.3) above:
- 1. Generate a new key pair 'C'.
- 2. Add 'C' to the DNSKEY RRSet.
- 3. Set the revocation bit on key 'B'.
- 4. Sign the RRSet with 'A' and 'B'.
- 'B' is now revoked, 'A' remains the active key, and 'C' will be the
- stand-by key once the hold-down expires. 'B' SHOULD continue to be
- included in the RRSet for the remove hold-down time.
-
-
-
-StJohns Expires February 16, 2006 [Page 9]
-
-Internet-Draft trustanchor-update August 2005
-
-
-6. Security Considerations
-
-6.1 Key Ownership vs Acceptance Policy
-
- The reader should note that, while the zone owner is responsible
- creating and distributing keys, it's wholly the decision of the
- resolver owner as to whether to accept such keys for the
- authentication of the zone information. This implies the decision
- update trust anchor keys based on trust for a current trust anchor
- key is also the resolver owner's decision.
-
- The resolver owner (and resolver implementers) MAY choose to permit
- or prevent key status updates based on this mechanism for specific
- trust points. If they choose to prevent the automated updates, they
- will need to establish a mechanism for manual or other out-of-band
- updates outside the scope of this document.
-
-6.2 Multiple Key Compromise
-
- This scheme permits recovery as long as at least one valid trust
- anchor key remains uncompromised. E.g. if there are three keys, you
- can recover if two of them are compromised. The zone owner should
- determine their own level of comfort with respect to the number of
- active valid trust anchors in a zone and should be prepared to
- implement recovery procedures once they detect a compromise. A
- manual or other out-of-band update of all resolvers will be required
- if all trust anchor keys at a trust point are compromised.
-
-6.3 Dynamic Updates
-
- Allowing a resolver to update its trust anchor set based in-band key
- information is potentially less secure than a manual process.
- However, given the nature of the DNS, the number of resolvers that
- would require update if a trust anchor key were compromised, and the
- lack of a standard management framework for DNS, this approach is no
- worse than the existing situation.
-
-7. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements",
- RFC 4033, March 2005.
-
-
-
-StJohns Expires February 16, 2006 [Page 10]
-
-Internet-Draft trustanchor-update August 2005
-
-
- [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for the DNS Security Extensions",
- RFC 4034, March 2005.
-
- [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security
- Extensions", RFC 4035, March 2005.
-
-Editorial Comments
-
- [msj1] msj: N.B. This table is preliminary and will be revised to
- match implementation experience. For example, should there
- be a state for "Add hold-down expired, but haven't seen the
- new RRSet"?
-
- [msj2] msj: To be assigned.
-
- [msj3] msj: For discussion: What's the implementation guidance for
- resolvers currently with respect to the non-assigned flag
- bits? If they consider the flag bit when doing key matching
- at the trust anchor, they won't be able to match.
-
-
-Author's Address
-
- Michael StJohns
- Nominum, Inc.
- 2385 Bay Road
- Redwood City, CA 94063
- USA
-
- Phone: +1-301-528-4729
- Email: Mike.StJohns@nominum.com
- URI: www.nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-StJohns Expires February 16, 2006 [Page 11]
-
-Internet-Draft trustanchor-update August 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
- The IETF has been notified of intellectual property rights claimed in
- regard to some or all of the specification contained in this
- document. For more information consult the online list of claimed
- rights.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-
-
-
-StJohns Expires February 16, 2006 [Page 12]
-
-Internet-Draft trustanchor-update August 2005
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-StJohns Expires February 16, 2006 [Page 13]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt
deleted file mode 100644
index 1133b0c87d49..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt
+++ /dev/null
@@ -1,466 +0,0 @@
-
-
-INTERNET-DRAFT Donald E. Eastlake 3rd
-UPDATES RFC 2845 Motorola Laboratories
-Expires: February 2005 August 2004
-
-
- HMAC SHA TSIG Algorithm Identifiers
- ---- --- ---- --------- -----------
- <draft-ietf-dnsext-tsig-sha-00.txt>
-
-
-Status of This Document
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- or will be disclosed, and any of which I become aware will be
- disclosed, in accordance with RFC 3668.
-
- This draft is intended to be become a Proposed Standard RFC.
- Distribution of this document is unlimited. Comments should be sent
- to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-Abstract
-
- Use of the TSIG DNS resource record requires specification of a
- cryptographic message authentication code. Currently identifiers
- have been specified only for the HMAC-MD5 and GSS TSIG algorithms.
- This document standardizes identifiers for additional HMAC SHA TSIG
- algorithms and standardizes how to specify the truncation of HMAC
- values.
-
-
-Copyright Notice
-
- Copyright (C) The Internet Society 2004. All Rights Reserved.
-
-
-
-
-D. Eastlake 3rd [Page 1]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-Table of Contents
-
- Status of This Document....................................1
- Abstract...................................................1
- Copyright Notice...........................................1
-
- Table of Contents..........................................2
-
- 1. Introduction............................................3
-
- 2. Algorithms and Identifiers..............................4
-
- 3. Specifying Truncation...................................5
-
- 4. IANA Considerations.....................................6
- 5. Security Considerations.................................6
- 6. Copyright and Disclaimer................................6
-
- 7. Normative References....................................7
- 8. Informative References..................................7
-
- Authors Address............................................8
- Expiration and File Name...................................8
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 2]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-1. Introduction
-
- [RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
- authenticate DNS queries and responses. This RR contains a domain
- name syntax data item which names the authentication algorithm used.
- [RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for
- authentication codes using the HMAC [RFC 2104] algorithm with the MD5
- [RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an
- identifier for TSIG authentication where the cryptographic operations
- are delegated to GSS [RFC 3645].
-
- In section 2, this document specifies additional names for TSIG
- authentication algorithms based on US NIST SHA algorithms and HMAC.
-
- In section 3, this document specifies the meaning of inequality
- between the normal output size of the specified hash function and the
- length of MAC (message authentication code) data given in the TSIG
- RR. In particular, it specifies that a shorter length field value
- specifies truncation and a longer length field is an error.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 3]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-2. Algorithms and Identifiers
-
- TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
- queries and responses. They are intended to be efficient symmetric
- authentication codes based on a shared secret. (Asymmetric signatures
- can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
- can be used for transaction signatures.) Used with a strong hash
- function, HMAC [RFC 2104] provides a way to calculate such symmetric
- authentication codes. The only specified HMAC based TSIG algorithm
- identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
-
- The use of SHA-1 [FIPS 180-1, RFC 3174], which is a 160 bit hash, as
- compared with the 128 bits for MD5, and additional hash algorithms in
- the SHA family [FIPS 180-2, RFC sha224] with 224, 256, 384, and 512
- bits, may be preferred in some case. Use of TSIG between a DNS
- resolver and server is by mutual agreement. That agreement can
- include the support of additional algorithms.
-
- For completeness in relation to HMAC based algorithms, the current
- HMAC-MD5.SIG-ALG.REG.INT identifier is included in the table below.
- Implementations which support TSIG MUST implement HMAC MD5, SHOULD
- implement HMAC SHA-1, and MAY implement gss-tsig and the other
- algorithms listed below.
-
- Mandatory HMAC-MD5.SIG-ALG.REG.INT
- Recommended hmac-sha1
- Optional hmac-sha224
- Optional hmac-sha256
- Optional hamc-sha384
- Optional hmac-sha512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 4]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-3. Specifying Truncation
-
- In some cases, it is reasonable to truncate the output of HMAC and
- use the truncated value for authentication. HMAC SHA-1 truncated to
- 96 bits is an optional available in several IETF protocols including
- IPSEC and TLS.
-
- The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
- size of the MAC field in octets. But [RFC 2845] does not specify what
- to do if this MAC size differs from the length of the output of HMAC
- for a particular hash function.
-
- The specification for TSIG handling is changed as follows:
-
- 1. If The "MAC size" field is larger than the HMAC output length or
- is zero: This case MUST NOT be generated and if received MUST
- cause the packet to be dropped and RCODE 1 (FORMERR) to be
- returned.
-
- 2. If the "MAC size" field equals the HMAC output length: Operation
- is as described in [RFC 2845].
-
- 3. If the "MAC size" field is less than the HMAC output length but is
- not zero: This is sent when the signer has truncated the HMAC
- output as described in RFC 2104, taking initial octets and
- discarding trailing octets. TSIG truncation can only be to an
- integral number of octets. On receipt of a packet with truncation
- thus indicated, the locally calculated MAC is similarly truncated
- and only the truncated values compared for authentication.
-
- TSIG implementations SHOULD implement SHA-1 truncated to 96 bits (12
- octets) and MAY implement any or all other truncations valid under
- case 3 above.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 5]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-4. IANA Considerations
-
- This document, on approval for publication as a standards track RFC,
- registers the new TSIG algorithm identifiers listed in Section 2 with
- IANA.
-
-
-
-5. Security Considerations
-
- For all of the message authentication code algorithms listed herein,
- those producing longer values are believed to be stronger; however,
- while there are some arguments that mild truncation can strengthen a
- MAC by reducing the information available to an attacker, excessive
- truncation clearly weakens authentication by reducing the number of
- bits an attacker has to try to force. See [RFC 2104] which recommends
- that ah HMAC never be truncated to less than half its length nor to
- less than 80 bits (10 octets).
-
- See also the Security Considerations section of [RFC 2845].
-
-
-
-6. Copyright and Disclaimer
-
- Copyright (C) The Internet Society 2004. This document is subject to
- the rights, licenses and restrictions contained in BCP 78 and except
- as set forth therein, the authors retain all their rights.
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 6]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-7. Normative References
-
- [FIPS 180-2] - "Secure Hash Standard", (SHA-1/256/384/512) US Federal
- Information Processing Standard, Draft, 1 August 2002.
-
- [RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
- 1321, April 1992.
-
- [RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
- Hashing for Message Authentication", RFC 2104, February 1997.
-
- [RFC 2434] - Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
- [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
- Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
- RFC 2845, May 2000.
-
- [RFC sha224] - "A 224-bit One-way Hash Function: SHA-224", R.
- Housley, December 2003, work in progress, draft-ietf-pkix-
- sha224-*.txt.
-
-
-
-8. Informative References.
-
- [FIPS 180-1] - Secure Hash Standard, (SHA-1) US Federal Information
- Processing Standard, 17 April 1995.
-
- [RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
- Signatures ( SIG(0)s )", RFC 2931, September 2000.
-
- [RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
- 1 (SHA1)", RFC 3174, September 2001.
-
- [RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
- J., and R. Hall, "Generic Security Service Algorithm for Secret Key
- Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
- 2003.
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 7]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-Authors Address
-
- Donald E. Eastlake 3rd
- Motorola Laboratories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1-508-786-7554 (w)
- +1-508-634-2066 (h)
- EMail: Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
- This draft expires in February 2005.
-
- Its file name is draft-ietf-dnsext-tsig-sha-00.txt
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 8]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-04.txt
deleted file mode 100644
index a59595f5901d..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-04.txt
+++ /dev/null
@@ -1,580 +0,0 @@
-
-INTERNET-DRAFT Donald E. Eastlake 3rd
-UPDATES RFC 2845 Motorola Laboratories
-Expires: December 2005 June 2005
-
-
- HMAC SHA TSIG Algorithm Identifiers
- ---- --- ---- --------- -----------
- <draft-ietf-dnsext-tsig-sha-04.txt>
-
-
-Status of This Document
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- This draft is intended to be become a Proposed Standard RFC.
- Distribution of this document is unlimited. Comments should be sent
- to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than a "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-Abstract
-
- Use of the TSIG DNS resource record requires specification of a
- cryptographic message authentication code. Currently identifiers
- have been specified only for the HMAC-MD5 and GSS TSIG algorithms.
- This document standardizes identifiers and implementation
- requirements for additional HMAC SHA TSIG algorithms and standardizes
- how to specify and handle the truncation of HMAC values.
-
-
-Copyright Notice
-
- Copyright (C) The Internet Society 2005. All Rights Reserved.
-
-
-
-
-D. Eastlake 3rd [Page 1]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-Table of Contents
-
- Status of This Document....................................1
- Abstract...................................................1
- Copyright Notice...........................................1
-
- Table of Contents..........................................2
-
- 1. Introduction............................................3
-
- 2. Algorithms and Identifiers..............................4
-
- 3. Specifying Truncation...................................5
- 3.1 Truncation Specification...............................5
-
- 4. TSIG Policy Provisions and Truncation Error.............7
-
- 5. IANA Considerations.....................................8
- 6. Security Considerations.................................8
- 6. Copyright and Disclaimer................................8
-
- 7. Normative References....................................9
- 8. Informative References..................................9
-
- Author's Address..........................................10
- Expiration and File Name..................................10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 2]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-1. Introduction
-
- [RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
- authenticate DNS queries and responses. This RR contains a domain
- name syntax data item which names the authentication algorithm used.
- [RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for
- authentication codes using the HMAC [RFC 2104] algorithm with the MD5
- [RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an
- identifier for TSIG authentication where the cryptographic operations
- are delegated to GSS [RFC 3645].
-
- In Section 2, this document specifies additional names for TSIG
- authentication algorithms based on US NIST SHA algorithms and HMAC
- and specifies the implementation requirements for those algorithms.
-
- In Section 3, this document specifies the meaning of inequality
- between the normal output size of the specified hash function and the
- length of MAC (message authentication code) data given in the TSIG
- RR. In particular, it specifies that a shorter length field value
- specifies truncation and a longer length field is an error.
-
- In Section 4, policy restrictions and implications related to
- truncation and a new error code to indicate truncation shorter than
- permitted by policy are described and specified.
-
- The use herein of MUST, SHOULD, MAY, MUST NOT, and SHOULD NOT is as
- defined in [RFC 2119].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 3]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-2. Algorithms and Identifiers
-
- TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
- queries and responses. They are intended to be efficient symmetric
- authentication codes based on a shared secret. (Asymmetric signatures
- can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
- can be used for transaction signatures.) Used with a strong hash
- function, HMAC [RFC 2104] provides a way to calculate such symmetric
- authentication codes. The only specified HMAC based TSIG algorithm
- identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
-
- The use of SHA-1 [FIPS 180-2, RFC 3174], which is a 160 bit hash, as
- compared with the 128 bits for MD5, and additional hash algorithms in
- the SHA family [FIPS 180-2, RFC 3874, SHA2draft] with 224, 256, 384,
- and 512 bits, may be preferred in some cases particularly since
- increasingly successful cryptanalytic attacks are being made on the
- shorter hashes. Use of TSIG between a DNS resolver and server is by
- mutual agreement. That agreement can include the support of
- additional algorithms and may specify policies as to which algorithms
- and truncations are acceptable subject to the restrication and
- guidelines in Section 3 and 4 below.
-
- The current HMAC-MD5.SIG-ALG.REG.INT identifier is included in the
- table below for convenience. Implementations which support TSIG MUST
- also implement HMAC SHA1 and HMAC SHA256 and MAY implement gss-tsig
- and the other algorithms listed below.
-
- Mandatory HMAC-MD5.SIG-ALG.REG.INT
- Mandatory hmac-sha1
- Optional hmac-sha224
- Mandatory hmac-sha256
- Optional hamc-sha384
- Optional hmac-sha512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 4]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-3. Specifying Truncation
-
- When space is at a premium and the strength of the full length of an
- HMAC is not needed, it is reasonable to truncate the HMAC output and
- use the truncated value for authentication. HMAC SHA-1 truncated to
- 96 bits is an option available in several IETF protocols including
- IPSEC and TLS.
-
- The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
- size of the MAC field in octets. But [RFC 2845] does not specify what
- to do if this MAC size differs from the length of the output of HMAC
- for a particular hash function. Truncation is indicated by a MAC size
- less than the HMAC size as specified below.
-
-
-
-3.1 Truncation Specification
-
- The specification for TSIG handling is changed as follows:
-
- 1. If "MAC size" field is greater than HMAC output length:
- This case MUST NOT be generated and if received MUST cause the
- packet to be dropped and RCODE 1 (FORMERR) to be returned.
-
- 2. If "MAC size" field equals HMAC output length:
- Operation is as described in [RFC 2845] with the entire output
- HMAC output present.
-
- 3. "MAC size" field is less than HMAC output length but greater than
- that specified in case 4 below:
- This is sent when the signer has truncated the HMAC output to
- an allowable length, as described in RFC 2104, taking initial
- octets and discarding trailing octets. TSIG truncation can only be
- to an integral number of octets. On receipt of a packet with
- truncation thus indicated, the locally calculated MAC is similarly
- truncated and only the truncated values compared for
- authentication. The request MAC used when calculating the TSIG MAC
- for a reply is the trucated request MAC.
-
- 4. "MAC size" field is less than the larger of 10 (octets) and half
- the length of the hash function in use:
- With the exception of certain TSIG error messages described in
- RFC 2845 section 3.2 where it is permitted that the MAC size be
- zero, this case MUST NOT be generated and if received MUST cause
- the packet to be dropped and RCODE 1 (FORMERR) to be returned. The
- size limit for this case can also, for the hash functions
- mentioned in this document, be stated as less than half the hash
- function length for hash functions other than MD5 and less than 10
- octets for MD5.
-
-
-
-D. Eastlake 3rd [Page 5]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
- SHA-1 truncated to 96 bits (12 octets) SHOULD be implemented.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 6]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-4. TSIG Policy Provisions and Truncation Error
-
- Use of TSIG is by mutual agreement between a resolver and server.
- Implicit in such "agreement" are policies as to acceptable keys and
- algorithms and, with the extensions in this doucment, truncations. In
- particular note the following:
-
- Such policies MAY require the rejection of TSIGs even though they
- use an algorithm for which implementation is mandatory.
-
- When a policy calls for the acceptance of a TSIG with a particular
- algorithm and a particular non-zero amount of trunction it SHOULD
- also permit the use of that algorithm with lesser truncation (a
- longer MAC) up to the full HMAC output.
-
- Regardless of a lower acceptable truncated MAC length specified by
- policy, a reply SHOULD be sent with a MAC at least as long as that in
- the corresponding request unless the request specified a MAC length
- longer than the HMAC output.
-
- Implementations permitting policies with multiple acceptable
- algorithms and/or truncations SHOULD permit this list to be ordered
- by presumed strength and SHOULD allow different truncations for the
- same algorithm to be treatred as spearate entities in this list. When
- so implemented, policies SHOULD accept a presumed stronger algorithm
- and truncation than the minimum strength required by the policy.
-
- If a TSIG is received with truncation which is permitted under
- Section 3 above but the MAC is too short for the policy in force, an
- RCODE of TBA [22 suggested](BADTRUNC) MUST be returned.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 7]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-5. IANA Considerations
-
- This document, on approval for publication as a standards track RFC,
- (1) registers the new TSIG algorithm identifiers listed in Section 2
- with IANA and (2) Section 4 allocates the BADTRUNC RCODE TBA [22
- suggested].
-
-
-
-
-6. Security Considerations
-
- For all of the message authentication code algorithms listed herein,
- those producing longer values are believed to be stronger; however,
- while there have been some arguments that mild truncation can
- strengthen a MAC by reducing the information available to an
- attacker, excessive truncation clearly weakens authentication by
- reducing the number of bits an attacker has to try to brute force
- [RFC 2104].
-
- Significant progress has been made recently in cryptanalysis of hash
- function of the type used herein, all of which ultimately derive from
- the design of MD4. While the results so far should not effect HMAC,
- the stronger SHA-1 and SHA-256 algorithms are being made mandatory
- due to caution.
-
- See the Security Considerations section of [RFC 2845]. See also the
- Security Considerations section of [RFC 2104] from which the limits
- on truncation in this RFC were taken.
-
-
-
-6. Copyright and Disclaimer
-
- Copyright (C) The Internet Society (2005). This document is subject to
- the rights, licenses and restrictions contained in BCP 78, and except
- as set forth therein, the authors retain all their rights.
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-D. Eastlake 3rd [Page 8]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-7. Normative References
-
- [FIPS 180-2] - "Secure Hash Standard", (SHA-1/224/256/384/512) US
- Federal Information Processing Standard, with Change Notice 1,
- February 2004.
-
- [RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
- 1321, April 1992.
-
- [RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
- Hashing for Message Authentication", RFC 2104, February 1997.
-
- [RFC 2119] - Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
- Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
- RFC 2845, May 2000.
-
-
-
-8. Informative References.
-
- [RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
- Signatures ( SIG(0)s )", RFC 2931, September 2000.
-
- [RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
- 1 (SHA1)", RFC 3174, September 2001.
-
- [RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
- J., and R. Hall, "Generic Security Service Algorithm for Secret Key
- Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
- 2003.
-
- [RFC 3874] - R. Housely, "A 224-bit One-way Hash Function: SHA-224",
- September 2004,
-
- [SHA2draft] - Eastlake, D., T. Hansen, "US Secure Hash Algorithms
- (SHA)", work in progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 9]
-
-
-INTERNET-DRAFT HMAC-SHA TSIG Identifiers
-
-
-Author's Address
-
- Donald E. Eastlake 3rd
- Motorola Laboratories
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Telephone: +1-508-786-7554 (w)
-
- EMail: Donald.Eastlake@motorola.com
-
-
-
-Expiration and File Name
-
- This draft expires in December 2005.
-
- Its file name is draft-ietf-dnsext-tsig-sha-04.txt
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd [Page 10]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
deleted file mode 100644
index d65fa7104251..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
+++ /dev/null
@@ -1,1010 +0,0 @@
-
-
-
-
-
-
-dnsext Working Group B. Halley
-Internet Draft Nominum
-Expiration Date: March 2004
- E. Lewis
- ARIN
-
- September 2003
-
-
- Clarifying the Role of Wild Card Domains
- in the Domain Name System
-
-
- draft-ietf-dnsext-wcard-clarify-02.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- To view the list Internet-Draft Shadow Directories, see
- http://www.ietf.org/shadow.html.
-
-Abstract
-
- The definition of wild cards is recast from the original in RFC 1034,
- in words that are more specific and in line with RFC 2119. This
- document is meant to supplement the definition in RFC 1034 and to
- alter neither the spirit nor intent of that definition.
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 1]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-Table of Contents
-
- Abstract ................................................ 1
- 1 Introduction ............................................ 2
- 1.1 Document Limits ......................................... 3
- 1.2 Existence ............................................... 4
- 1.3 An Example .............................................. 4
- 1.4 Empty Non-terminals ..................................... 5
- 1.5 Terminology ............................................. 6
- 2 Defining the Wild Card Domain Name ...................... 7
- 3 Defining Existence ...................................... 8
- 4 Impact of a Wild Card In a Query or in RDATA ............ 8
- 5 Impact of a Wild Card Domain On a Response .............. 9
- 6 Considerations with Special Types ....................... 12
- 6.1 SOA RR's at a Wild Card Domain Name ..................... 12
- 6.2 NS RR's at a Wild Card Domain Name ...................... 12
- 6.3 CNAME RR's at a Wild Card Domain Name ................... 13
- 6.4 DNAME RR's at a Wild Card Domain Name ................... 13
- 7 Security Considerations ................................. 14
- 8 References .............................................. 14
- 9 Others Contributing to This Document .................... 14
- 10 Editors ................................................. 15
- Appendix A: Subdomains of Wild Card Domain Names ........ 16
- Full Copyright Statement ................................ 18
- Acknowledgement ......................................... 18
-
-
-
-
-1. Introduction
-
- The first section of this document will give a crisp overview of what
- is begin defined, as well as the motivation rewording of an original
- document and making a change to bring the specification in line with
- implementations. Examples are included to help orient the reader.
-
- Wild card domain names are defined in Section 4.3.3. of RFC 1034 as
- "instructions for synthesizing RRs." [RFC1034]. The meaning of this
- is that a specific, special domain name is used to construct
- responses in instances in which the query name is not otherwise
- represented in a zone.
-
- A wild card domain name has a specific range of influence on query
- names (QNAMEs) within a given class, which is rooted at the domain
- name containing the wild card label, and is limited by explicit
- entries, zone cuts and empty non-terminal domains (see section 1.3 of
- this document).
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 2]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- Note that a wild card domain name has no special impact on the search
- for a query type (QTYPE). If a domain name is found that matches the
- QNAME (exact or a wild card) but the QTYPE is not found at that
- point, the proper response is that there is no data available. The
- search does not continue on to seek other wild cards that might match
- the QTYPE. To illustrate, a wild card owning an MX RR does not
- 'cover' other names in the zone that own an A RR. There are certain
- special case RR types that will be singled out for discussion, the
- SOA RR, NS RR, CNAME RR, and DNAME RR.
-
- Why is this document needed? Empirical evidence suggests that the
- words in RFC 1034 are not clear enough. There exist a number of
- implementations that have strayed (each differently) from that
- definition. There also exists a misconception of operators that the
- wild card can be used to add a specific RR type to all names, such as
- the MX RR example cited above. This document is also needed as input
- to efforts to extend DNS, such as the DNS Security Extensions [RFC
- 2535]. Lack of a clear base specification has proven to result in
- extension documents that have unpredictable consequences. (This is
- true in general, not just for DNS.)
-
- Another reason this clarification is needed is to answer questions
- regarding authenticated denial of existence, a service introduced in
- the DNS Security Extensions [RFC 2535]. Prior to the work leading up
- to this document, it had been feared that a large number of proof
- records (NXTs) might be needed in each reply because of the unknown
- number of potential wild card domains that were thought to be
- applicable. One outcome of this fear is a now discontinued document
- solving a problem that is now known not to exist. I.e., this
- clarification has the impact of defending against unwarranted
- protocol surgery. It is not "yet another" effort to just rewrite the
- early specifications for the sake of purity.
-
- Although the effort to define the DNS Security Extensions has
- prompted this document, the clarifications herein relate to basic DNS
- only. No DNS Security Extensions considerations are mentioned in the
- document.
-
-1.1. Document Limits
-
- This document limits itself to reinforcing the concepts in RFC 1034.
- In the effort to do this, a few issues have been discussed that
- change parts of what is in RFC 1034. The discussions have been held
- within the DNS Extensions Working Group.
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 3]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- Briefly, the issues raised include:
- - The lack of clarity in the definition of domain name existence
- - Implications of a wild card domain name owning any of the
- following resource record sets: DNAME [RFC 2672], CNAME, NS, and
- SOA
- - Whether RFC 1034 meant to allow special processing of CNAME RR's
- owned by wild card domain names
-
-1.2. Existence
-
- The notion that a domain name 'exists' will arise numerous times in
- this discussion. RFC 1034 raises the issue of existence in a number
- of places, usually in reference to non-existence and often in
- reference to processing involving wild card domain names. RFC 1034
- contains algorithms that describe how domain names impact the
- preparation of an answer and does define wild cards as a means of
- synthesizing answers. Because of this a discussion on wild card
- domain names has to start with the issue of existence.
-
- To help clarify the topic of wild cards, a positive definition of
- existence is needed. Complicating matters, though, is the
- realization that existence is relative. To an authoritative server,
- a domain name exists if the domain name plays a role following the
- algorithms of preparing a response. To a resolver, a domain name
- exists if there is any data available corresponding to the name. The
- difference between the two is the synthesis of records according to a
- wild card.
-
- For the purposes of this document, the point of view of an
- authoritative server is adopted. A domain name is said to exist if
- it plays a role in the execution of the algorithms in RFC 1034.
-
-1.3. An Example
-
- For example, consider this wild card domain name: *.example. Any
- query name under example. is a candidate to be matched (answered) by
- this wild card, i.e., to have an response returned that is
- synthesized from the wild card's RR sets. Although any name is a
- candidate, not all queries will match.
-
-
-
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 4]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- To further illustrate this, consider this zone:
-
- $ORIGIN example.
- @ IN SOA
- NS
- NS
- * TXT "this is a wild card"
- MX 10 mailhost.example.
- host1 A 10.0.0.1
- _ssh._tcp.host1 SRV
- _ssh._tcp.host2 SRV
- subdel NS
-
-
- The following queries would be synthesized from the wild card:
-
- QNAME=host3.example. QTYPE=MX, QCLASS=IN
- the answer will be a "host3.example. IN MX ..."
- QNAME=host3.example. QTYPE=A, QCLASS=IN
- the answer will reflect "no error, but no data"
- because there is no A RR set at '*'
-
- The following queries would not be synthesized from the wild card:
-
- QNAME=host1.example., QTYPE=MX, QCLASS=IN
- because host1.example. exists
- QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
- because _tcp.host1.example. exists (without data)
- QNAME=_telnet._tcp.host2.example., QTYPE=SRV, QCLASS=IN
- because host2.example. exists (without data)
- QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
- because subdel.example. exists and is a zone cut
-
- To the server, the following domains are considered to exist in the
- zone: *, host1, _tcp.host1, _ssh._tcp.host1, host2, _tcp.host2,
- _ssh._tcp.host2, and subdel. To a resolver, many more domains appear
- to exist via the synthesis of the wild card.
-
-1.4. Empty Non-terminals
-
- Empty non-terminals are domain names that own no data but have
- subdomains. This is defined in section 3.1 of RFC 1034:
-
-# The domain name space is a tree structure. Each node and leaf on the
-# tree corresponds to a resource set (which may be empty). The domain
-# system makes no distinctions between the uses of the interior nodes and
-# leaves, and this memo uses the term "node" to refer to both.
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 5]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- The parenthesized "which may be empty" specifies that empty non-
- terminals are explicitly recognized. According to the definition of
- existence in this document, empty non-terminals do exist at the
- server.
-
- Carefully reading the above paragraph can lead to an interpretation
- that all possible domains exist - up to the suggested limit of 255
- octets for a domain name [RFC 1035]. For example, www.example. may
- have an A RR, and as far as is practically concerned, is a leaf of
- the domain tree. But the definition can be taken to mean that
- sub.www.example. also exists, albeit with no data. By extension, all
- possible domains exist, from the root on down. As RFC 1034 also
- defines "an authoritative name error indicating that the name does
- not exist" in section 4.3.1, this is not the intent of the original
- document.
-
- RFC1034's wording is to be clarified by adding the following
- paragraph:
-
- A node is considered to have an impact on the algorithms of
- 4.3.2 if it is a leaf node with any resource sets or an interior
- node, with or without a resource set, that has a subdomain that
- is a leaf node with a resource set. A QNAME and QCLASS matching
- an existing node never results in a response return code of
- authoritative name error.
-
- The terminology in the above paragraph is chosen to remain as close
- to that in the original document. The term "with" is a alternate
- form for "owning" in this case, hence "a leaf node owning resources
- sets, or an interior node, owning or not owning any resource set,
- that has a leaf node owning a resource set as a subdomain," is the
- proper interpretation of the middle sentence.
-
- As an aside, an "authoritative name error" has been called NXDOMAIN
- in some RFCs, such as RFC 2136 [RFC 2136]. NXDOMAIN is the mnemonic
- assigned to such an error by at least one implementation of DNS. As
- this mnemonic is specific to implementations, it is avoided in the
- remainder of this document.
-
-1.5. Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in the document entitled
- "Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]
-
- Requirements are denoted by paragraphs that begin with with the
- following convention: 'R'<sect>.<count>.
-
-
-
-Halley & Lewis [Expires March 2004] [Page 6]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- Quotations of RFC 1034 (as has already been done once above) are
- denoted by a '#' in the leftmost column.
-
-2. Defining the Wild Card Domain Name
-
- A wild card domain name is defined by having the initial label be:
-
- 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
-
- This defines domain names that may play a role in being a wild card,
- that is, being a source for synthesized answers. Domain names
- conforming to this definition that appear in queries and RDATA
- sections do not have any special role. These cases will be described
- in more detail in following sections.
-
- R2.1 A domain name that is to be interpreted as a wild card MUST
- begin with a label of '0000 0001 0010 1010' in binary.
-
- The first octet is the normal label type and length for a 1 octet
- long label, the second octet is the ASCII representation [RFC 20] for
- the '*' character. In RFC 1034, ASCII encoding is assumed to be the
- character encoding.
-
- In the master file formats used in RFCs, a "*" is a legal
- representation for the wild card label. Even if the "*" is escaped,
- it is still interpreted as the wild card when it is the only
- character in the label.
-
- R2.2 A server MUST treat a wild card domain name as the basis of
- synthesized answers regardless of any "escape" sequences in the
- input format.
-
- RFC 1034 and RFC 1035 ignore the case in which a domain name might be
- "the*.example.com." The interpretation is that this domain name in a
- zone would only match queries for "the*.example.com" and not have any
- other role.
-
- Note: By virtue of this definition, a wild card domain name may have
- a subdomain. The subdomain (or sub-subdomain) itself may also be a
- wild card. E.g., *.*.example. is a wild card, so is *.sub.*.example.
- More discussion on this is given in Appendix A.
-
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 7]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-3. Defining Existence
-
- As described in the Introduction, a precise definition of existence
- is needed.
-
- R3.1 An authoritative server MUST treat a domain name as existing
- during the execution of the algorithms in RFC 1034 when the
- domain name conforms to the following definition. A domain name
- is defined to exist if the domain name owns data and/or has a
- subdomain that exists.
-
- Note that at a zone boundary, the domain name owns data, including
- the NS RR set. At the delegating server, the NS RR set is not
- authoritative, but that is of no consequence here. The domain name
- owns data, therefore, it exists.
-
- R3.2 An authoritative server MUST treat a domain name that has
- neither a resource record set nor an existing subdomain as non-
- existent when executing the algorithm in section 4.3.2. of RFC
- 1034.
-
- A note on terminology. A domain transcends zones, i.e., all DNS data
- is in the root domain but segmented into zones of control. In this
- document, there are references to a "domain name" in the context of
- existing "in a zone." In this usage, a domain name is the root of a
- domain, not the entire domain. The domain's root point is said to
- "exist in a zone" if the zone is authoritative for the name. RR sets
- existing in a domain need not be owned by the domain's root domain
- name, but are owned by other domain names in the domain.
-
-4. Impact of a Wild Card In a Query or in RDATA
-
- When a wild card domain name appears in a question, e.g., the query
- name is "*.example.", the response in no way differs from any other
- query. In other words, the wild card label in a QNAME has no special
- meaning, and query processing will proceed using '*' as a literal
- query name.
-
- R4.1 A wild card domain name acting as a QNAME MUST be treated as any
- other QNAME, there MUST be no special processing accorded it.
-
- If a wild card domain name appears in the RDATA of a CNAME RR or any
- other RR that has a domain name in it, the same rule applies. In the
- instance of a CNAME RR, the wild card domain name is used in the same
- manner of as being the original QNAME. For other RR's, rules vary
- regarding what is done with the domain name(s) appearing in them, in
- no case does the wild card hold special meaning.
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 8]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- R4.2 A wild card domain name appearing in any RR's RDATA MUST be
- treated as any other domain name in that situation, there MUST
- be no special processing accorded it.
-
-5. Impact of a Wild Card Domain On a Response
-
- The description of how wild cards impact response generation is in
- RFC 1034, section 4.3.2. That passage contains the algorithm
- followed by a server in constructing a response. Within that
- algorithm, step 3, part 'c' defines the behavior of the wild card.
- The algorithm is directly quoted in lines that begin with a '#' sign.
- Commentary is interleaved.
-
- There is a documentation issue deserving some explanation. The
- algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
- code, i.e., it's steps are not intended to be followed in strict
- order. The "algorithm" is a suggestion. As such, in step 3, parts
- a, b, and c, do not have to be implemented in that order.
-
- Another issue needing explanation is that RFC 1034 is a full
- standard. There is another RFC, RFC 2672, which makes, or proposes
- an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME
- RR. RFC 2672 is a proposed standard. The dilemma in writing these
- clarifications is knowing which document is the one being clarified.
- Fortunately, the difference between RFC 1034 and RFC 2672 is not
- significant with respect to wild card synthesis, so this document
- will continue to state that it is clarifying RFC 1034. If RFC 2672
- progresses along the standards track, it will need to refer to
- modifying RFC 1034's algorithm as amended here.
-
- The context of part 'c' is that the search is progressing label by
- label through the QNAME. (Note that the data being searched is the
- authoritative data in the server, the cache is searched in step 4.)
- Step 3's part 'a' covers the case that the QNAME has been matched in
- full, regardless of the presence of a CNAME RR. Step 'b' covers
- crossing a cut point, resulting in a referral. All that is left is
- to look for the wild card.
-
- Step 3 of the algorithm also assumes that the search is looking in
- the zone closest to the answer, i.e., in the same class as QCLASS and
- as close to the authority as possible on this server. If the zone is
- not the authority, then a referral is given, possibly one indicating
- lameness.
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 9]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-# c. If at some label, a match is impossible (i.e., the
-# corresponding label does not exist), look to see if a
-# the "*" label exists.
-
- The above paragraph refers to finding the domain name that exists in
- the zone and that most encloses the QNAME. Such a domain name will
- mark the boundary of candidate wild card domain names that might be
- used to synthesize an answer. (Remember that at this point, if the
- most enclosing name is the same as the QNAME, part 'a' would have
- recorded an exact match.) The existence of the enclosing name means
- that no wild card name higher in the tree is a candidate to answer
- the query.
-
- Once the closest enclosing node is identified, there's the matter of
- what exists below it. It may have subdomains, but none will be
- closer to the QNAME. One of the subdomains just might be a wild
- card. If it exists, this is the only wild card eligible to be used
- to synthesize an answer for the query. Even if the closest enclosing
- node conforms to the syntax rule in section 2 for being a wild card
- domain name, the closest enclosing node is not eligible to be a
- source of a synthesized answer.
-
- The only wild card domain name that is a candidate to synthesize an
- answer will be the "*" subdomain of the closest enclosing domain
- name. Three possibilities can happen. The "*" subdomain does not
- exist, the "*" subdomain does but does not have an RR set of the same
- type as the QTYPE, or it exists and has the desired RR set.
-
- For the sake of brevity, the closest enclosing node can be referred
- to as the "closest encloser." The closest encloser is the most
- important concept in this clarification. Describing the closest
- encloser is a bit tricky, but it is an easy concept.
-
- To find the closest encloser, you have to first locate the zone that
- is the authority for the query name. This eliminates the need to be
- concerned that the closest encloser is a cut point. In addition, we
- can assume too that the query name does not exist, hence the closest
- encloser is not equal to the query name. We can assume away these
- two cases because they are handled in steps 2, 3a and 3b of section
- 4.3.2.'s algorithm.
-
- What is left is to identify the existing domain name that would have
- been up the tree (closer to the root) from the query name. Knowing
- that an exact match is impossible, if there is a "*" label descending
- from the unique closest encloser, this is the one and only wild card
- from which an answer can be synthesized for the query.
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 10]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- To illustrate, using the example in section 1.2 of this document, the
- following chart shows QNAMEs and the closest enclosers. In
- Appendix A there is another chart showing unusual cases.
-
- QNAME Closest Encloser Wild Card Source
- host3.example. example. *.example.
- _telnet._tcp.host1.example. _tcp.host1.example. no wild card
- _telnet._tcp.host2.example. host2.example. no wild card
- _telnet._tcp.host3.example. example. *.example.
- _chat._udp.host3.example. example. *.example.
-
- Note that host1.subdel.example. is in a subzone, so the search for it
- ends in a referral in part 'b', thus does not enter into finding a
- closest encloser.
-
- The fact that a closest encloser will be the only superdomain that
- can have a candidate wild card will have an impact when it comes to
- designing authenticated denial of existence proofs.
-
-# If the "*" label does not exist, check whether the name
-# we are looking for is the original QNAME in the query
-# or a name we have followed due to a CNAME. If the name
-# is original, set an authoritative name error in the
-# response and exit. Otherwise just exit.
-
- The above passage says that if there is not even a wild card domain
- name to match at this point (failing to find an explicit answer
- elsewhere), we are to return an authoritative name error at this
- point. If we were following a CNAME, the specification is unclear,
- but seems to imply that a no error return code is appropriate, with
- just the CNAME RR (or sequence of CNAME RRs) in the answer section.
-
-# If the "*" label does exist, match RRs at that node
-# against QTYPE. If any match, copy them into the answer
-# section, but set the owner of the RR to be QNAME, and
-# not the node with the "*" label. Go to step 6.
-
- This final paragraph covers the role of the QTYPE in the process.
- Note that if no resource record set matches the QTYPE the result is
- that no data is copied, but the search still ceases ("Go to step
- 6."). In the following section, a suggested change is made to this,
- under the heading "CNAME RRs at a Wild Card Domain Name."
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 11]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-6. Considerations with Special Types
-
- For the purposes of this section, "special" means that a record
- induces processing at the server beyond simple lookup. The special
- types in this section are SOA, NS, CNAME, and DNAME. SOA is special
- because it is used as a zone marker and has an impact on step 2 of
- the algorithm in 4.3.2. NS denotes a cut point and has an impact on
- step 3b. CNAME redirects the query and is mentioned in steps 3a and
- 3b. DNAME is a "CNAME generator."
-
-6.1. SOA RR's at a Wild Card Domain Name
-
- If the owner of an SOA record conforms to the basic rules of owning
- an SOA RR (meaning it is the apex of a zone) the impact on the search
- algorithm is not in section 3c (where records are synthesized) as
- would be expected. The impact is really in step 2 of the algorithm,
- the choice of zone.
-
- We are no longer talking about whether or not an SOA RR can be
- synthesized in a response because we are shifting attention to step
- 2. We are now talking about what it means for a name server to
- synthesize a zone for a response. To date, no implementation has
- done this. Thinking ahead though, anyone choosing to pursue this
- would have to be aware that a server would have to be able to
- distinguish between queries for data it will have to synthesize and
- queries that ought to be treated as if they were prompted by a lame
- delegation.
-
- It is not a protocol error to have an SOA RR owned by a wild card
- domain name, just as it is not an error to have zone name be
- syntactically equivalent to a domain name. However, this situation
- requires careful consideration of how a server chooses the
- appropriate zone for an answer. And an SOA RR is not able to be
- synthesized as in step 3c.
-
-6.2. NS RR's at a Wild Card Domain Name
-
- Complimentary to the issue of an SOA RR owned by a wild card domain
- name is the issue of NS RR's owned by a wild card domain name. In
- this instance, each machine being referred to in the RDATA of the NS
- RR has to be able to understand the impact of this on step 2, the
- choosing of the authoritative zone.
-
- Referring to the same machine in such a NS RR will probably not work
- well. This is because the server may become confused as to whether
- the query name ought to be answered by the zone owning the NS RR in
- question or a synthesized zone. (It isn't known in advance that the
- query name will invoke the wild card synthesis.)
-
-
-
-Halley & Lewis [Expires March 2004] [Page 12]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- The status of other RR's owned by a wild card domain name is the same
- as if the owner name was not a wild card domain name. I.e., when
- there is a NS RR at a wild card domain name, other records are
- treated as being below the zone cut.
-
- Is it not a protocol error to have a NS RR owned by a wild card
- domian name, complimentary to the case of a SOA RR. However, for
- this to work, an implementation has to know how to synthesize a zone.
-
-6.3. CNAME RR's at a Wild Card Domain Name
-
- The issue of CNAME RR's owned by wild card domain names has prompted
- a suggested change to the last paragraph of step 3c of the algorithm
- in 4.3.2. The changed text is this:
-
- If the "*" label does exist and if the data at the node is a
- CNAME and QTYPE doesn't match CNAME, copy the CNAME RR into the
- answer section of the response, set the owner of the CNAME RR to
- be QNAME, and then change QNAME to the canonical name in the
- CNAME RR, and go back to step 1.
-
- If the "*" label does exist and either QTYPE is CNAME or the
- data at the node is not a CNAME, then match RRs at that node
- against QTYPE. If any match, copy them into the answer section,
- but set the owner of the RR to be QNAME, and not the node with
- the "*" label. Go to step 6.
-
- Apologies if the above isn't clear, but an attempt was made to stitch
- together the passage using just the phrases in section 3a and 3c of
- the algorithm so as to preserve the original flavor.
-
- In case the passage as suggested isn't clear enough, the intent is to
- make "landing" at a wild card name and finding a CNAME the same as if
- this happened as a result of a direct match. I.e., Finding a CNAME
- at the name matched in step 3c is supposed to have the same impact as
- finding the CNAME in step 3a.
-
-6.4. DNAME RR's at a Wild Card Domain Name
-
- The specification of the DNAME RR, which is at the proposed level of
- standardization, is not as mature as the full standard in RFC 1034.
- Because of this, or the reason for this is, there appears to be a
- host of issues with that definition and it's rewrite of the algorithm
- in 4.3.2. For the time being, when it comes to wild card processing
- issues, a DNAME can be considered to be a CNAME synthesizer. A DNAME
- at a wild card domain name is effectively the same as a CNAME at a
- wild card domain name.
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 13]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-7. Security Considerations
-
- This document is refining the specifications to make it more likely
- that security can be added to DNS. No functional additions are being
- made, just refining what is considered proper to allow the DNS,
- security of the DNS, and extending the DNS to be more predictable.
-
-8. References
-
- Normative References
-
- [RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969
-
- [RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris,
- Nov-01-1987
-
- [RFC 1035] Domain Names - Implementation and Specification, P.V
- Mockapetris, Nov-01-1987
-
- [RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S
- Bradner, March 1997
-
- Informative References
-
- [RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P. Vixie,
- Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997
-
- [RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999
-
- [RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999
-
-9. Others Contributing to This Document
-
- Others who have directly caused text to appear in the document: Paul
- Vixie and Olaf Kolkman. Many others have indirect influences on the
- content.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 14]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-10. Editors
-
- Name: Bob Halley
- Affiliation: Nominum, Inc.
- Address: 2385 Bay Road, Redwood City, CA 94063 USA
- Phone: +1-650-381-6016
- EMail: Bob.Halley@nominum.com
-
- Name: Edward Lewis
- Affiliation: ARIN
- Address: 3635 Concorde Pkwy, Suite 200, Chantilly, VA 20151 USA
- Phone: +1-703-227-9854
- Email: edlewis@arin.net
-
- Comments on this document can be sent to the editors or the mailing
- list for the DNSEXT WG, namedroppers@ops.ietf.org.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 15]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-Appendix A: Subdomains of Wild Card Domain Names
-
- In reading the definition of section 2 carefully, it is possible to
- rationalize unusual names as legal. In the example given,
- *.example. could have subdomains of *.sub.*.example. and even the
- more direct *.*.example. (The implication here is that these domain
- names own explicit resource records sets.) Although defining these
- names is not easy to justify, it is important that implementions
- account for the possibility. This section will give some further
- guidence on handling these names.
-
- The first thing to realize is that by all definitions, subdomains of
- wild card domain names are legal. In analyzing them, one realizes
- that they cause no harm by their existence. Because of this, they
- are allowed to exist, i.e., there are no special case rules made to
- disallow them. The reason for not preventing these names is that the
- prevention would just introduce more code paths to put into
- implementations.
-
- The concept of "closest enclosing" existing names is important to
- keep in mind. It is also important to realize that a wild card
- domain name can be a closest encloser of a query name. For example,
- if *.*.example. is defined in a zone, and the query name is
- a.*.example., then the closest enclosing domain name is *.example.
- Keep in mind that the closest encloser is not eligible to be a source
- of synthesized answers, just the subdomain of it that has the first
- label "*".
-
- To illustrate this, the following chart shows some matches. Assume
- that the names *.example., *.*.example., and *.sub.*.example. are
- defined in the zone.
-
- QNAME Closest Encloser Wild Card Source
- a.example. example. *.example.
- b.a.example. example. *.example.
- a.*.example. *.example. *.*.example.
- b.a.*.example. *.example. *.*.example.
- b.a.*.*.example. *.*.example. no wild card
- a.sub.*.example. sub.*.example. *.sub.*.example.
- b.a.sub.*.example. sub.*.example. *.sub.*.example.
- a.*.sub.*.example. *.sub.*.example. no wild card
- *.a.example. example. *.example.
- a.sub.b.example. example. *.example.
-
- Recall that the closest encloser itself cannot be the wild card.
- Therefore the match for b.a.*.*.example. has no applicable wild card.
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 16]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
- Finally, if a query name is sub.*.example., any answer available will
- come from an exact name match for sub.*.example. No wild card
- synthesis is performed in this case.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 17]
-
-Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society 2003. All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Halley & Lewis [Expires March 2004] [Page 18]
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-08.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-08.txt
deleted file mode 100644
index fad88aedaba9..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-08.txt
+++ /dev/null
@@ -1,956 +0,0 @@
-DNSEXT Working Group E. Lewis
-INTERNET DRAFT NeuStar
-Expiration Date: January 6, 2006 July 6, 2005
-Updates RFC 1034, RFC 2672
-
- The Role of Wildcards
- in the Domain Name System
- draft-ietf-dnsext-wcard-clarify-08.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that
- any applicable patent or other IPR claims of which he or she is
- aware have been or will be disclosed, and any of which he or she
- becomes aware will be disclosed, in accordance with Section 6 of
- BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
- This Internet-Draft will expire on January 6, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This is an update to the wildcard definition of RFC 1034. The
- interaction with wildcards and CNAME is changed, an error
- condition removed, and the words defining some concepts central
- to wildcards are changed. The overall goal is not to change
- wildcards, but to refine the definition of RFC 1034.
-
-Table of Contents
-
-1. Introduction
-1.1 Motivation
-1.2 The Original Definition
-1.3 Roadmap to This Document
-1.3.1 New Terms
-1.3.2 Changed Text
-1.3.3 Considerations with Special Types
-1.4 Standards Terminology
-2. Wildcard Syntax
-2.1 Identifying a Wildcard
-2.1.1 Wild Card Domain Name and Asterisk Label
-2.1.2 Asterisks and Other Characters
-2.1.3 Non-terminal Wild Card Domain Names
-2.2 Existence Rules
-2.2.1 An Example
-2.2.2 Empty Non-terminals
-2.2.3 Yet Another Definition of Existence
-2.3 When is a Wild Card Domain Name Not Special
-3. Impact of a Wild Card Domain Name On a Response
-3.1 Step 2
-3.2 Step 3
-3.3 Part 'c'
-3.3.1 Closest Encloser and the Source of Synthesis
-3.3.2 Closest Encloser and Source of Synthesis Examples
-3.3.3 Type Matching
-4. Considerations with Special Types
-4.1 SOA RRSet at a Wild Card Domain Name
-4.2 NS RRSet at a Wild Card Domain Name
-4.2.1 Discarded Notions
-4.3 CNAME RRSet at a Wild Card Domain Name
-4.4 DNAME RRSet at a Wild Card Domain Name
-4.5 SRV RRSet at a Wild Card Domain Name
-4.6 DS RRSet at a Wild Card Domain Name
-4.7 NSEC RRSet at a Wild Card Domain Name
-4.8 RRSIG at a Wild Card Domain Name
-4.9 Empty Non-terminal Wild Card Domain Name
-5. Security Considerations
-6. IANA Considerations
-7. References
-8. Editor
-9. Others Contributing to the Document
-10. Trailing Boilerplate
-
-1. Introduction
-
- In RFC 1034 [RFC1034], sections 4.3.2 and 4.3.3 describe the
- synthesis of answers from special resource records called
- wildcards. The definition in RFC 1034 is incomplete and has
- proven to be confusing. This document describes the wildcard
- synthesis by adding to the discussion and making limited
- modifications. Modifications are made to close inconsistencies
- that have led to interoperability issues. This description
- does not expand the service intended by the original definition.
-
- Staying within the spirit and style of the original documents,
- this document avoids specifying rules for DNS implementations
- regarding wildcards. The intention is to only describe what is
- needed for interoperability, not restrict implementation choices.
- In addition, consideration is given to minimize any backwards
- compatibility issues with implementations that comply with RFC
- 1034's definition.
-
- This document is focused on the concept of wildcards as defined
- in RFC 1034. Nothing is implied regarding alternative means of
- synthesizing resource record sets, nor are alternatives discussed.
-
-1.1 Motivation
-
- Many DNS implementations diverge, in different ways, from the
- original definition of wildcards. Although there is clearly a
- need to clarify the original documents in light of this alone,
- the impetus for this document lay in the engineering of the DNS
- security extensions [RFC4033]. With an unclear definition of
- wildcards the design of authenticated denial became entangled.
-
- This document is intended to limit its changes, documenting only
- those based on implementation experience, and to remain as close
- to the original document as possible. To reinforce that this
- document is meant to clarify and adjust and not redefine wildcards,
- relevant sections of RFC 1034 are repeated verbatim to facilitate
- comparison of the old and new text.
-
-1.2 The Original Definition
-
- The defintion of the wildcard concept is comprised by the
- documentation of the algorithm by which a name server prepares
- a response (in RFC 1034's section 4.3.2) and the way in which
- a resource record (set) is identified as being a source of
- synthetic data (section 4.3.3).
-
- This is the definition of the term "wildcard" as it appears in
- RFC 1034, section 4.3.3.
-
-# In the previous algorithm, special treatment was given to RRs with
-# owner names starting with the label "*". Such RRs are called
-# wildcards. Wildcard RRs can be thought of as instructions for
-# synthesizing RRs. When the appropriate conditions are met, the name
-# server creates RRs with an owner name equal to the query name and
-# contents taken from the wildcard RRs.
-
- This passage follows the algorithm in which the term wildcard
- is first used. In this definition, wildcard refers to resource
- records. In other usage, wildcard has referred to domain names,
- and it has been used to describe the operational practice of
- relying on wildcards to generate answers. It is clear from this
- that there is a need to define clear and unambiguous terminology
- in the process of discussing wildcards.
-
- The mention of the use of wildcards in the preparation of a
- response is contained in step 3c of RFC 1034's section 4.3.2
- entitled "Algorithm." Note that "wildcard" does not appear in
- the algorithm, instead references are made to the "*" label.
- The portion of the algorithm relating to wildcards is
- deconstructed in detail in section 3 of this document, this is
- the beginning of the relevant portion of the "Algorithm."
-
-# c. If at some label, a match is impossible (i.e., the
-# corresponding label does not exist), look to see if [...]
-# the "*" label exists.
-
- The scope of this document is the RFC 1034 definition of
- wildcards and the implications of updates to those documents,
- such as DNSSEC. Alternate schemes for synthesizing answers are
- not considered. (Note that there is no reference listed. No
- document is known to describe any alternate schemes, although
- there has been some mention of them in mailing lists.)
-
-1.3 Roadmap to This Document
-
- This document accomplishes these three items.
- o Defines new terms
- o Makes minor changes to avoid conflicting concepts
- o Describes the actions of certain resource records as wildcards
-
-1.3.1 New Terms
-
- To help in discussing what resource records are wildcards, two
- terms will be defined - "asterisk label" and "wild card domain
- name". These are defined in section 2.1.1.
-
- To assist in clarifying the role of wildcards in the name server
- algorithm in RFC 1034, 4.3.2, "source of synthesis" and "closest
- encloser" are defined. These definitions are in section 3.3.2.
- "Label match" is defined in section 3.2.
-
- The new terms are used to make discussions of wildcards clearer.
- Terminology doesn't directly have an impact on implementations.
-
-1.3.2 Changed Text
-
- The definition of "existence" is changed superficially. This
- change will not be apparent to implementations; it is needed to
- make descriptions more precise. The change appears in section
- 2.2.3.
-
- RFC 1034, section 4.3.3., seems to prohibit having two asterisk
- labels in a wildcard owner name. With this document the
- restriction is removed entirely. This change and its implications
- are in section 2.1.3.
-
- The actions when a source of synthesis owns a CNAME RR are
- changed to mirror the actions if an exact match name owns a
- CNAME RR. This is an addition to the words in RFC 1034,
- section 4.3.2, step 3, part c. The discussion of this is in
- section 3.3.3.
-
- Only the latter change represents an impact to implementations.
- The definition of existence is not a protocol impact. The change
- to the restriction on names is unlikely to have an impact, as
- RFC 1034 contained no specification on when and how to enforce the
- restriction.
-
-1.3.3 Considerations with Special Types
-
- This document describes semantics of wildcard RRSets for
- "interesting" types as well as empty non-terminal wildcards.
- Understanding these situations in the context of wildcards has
- been clouded because these types incur special processing if
- they are the result of an exact match. This discussion is in
- section 4.
-
- These discussions do not have an implementation impact, they cover
- existing knowledge of the types, but to a greater level of detail.
-
-1.4 Standards Terminology
-
- This document does not use terms as defined in "Key words for use
- in RFCs to Indicate Requirement Levels." [RFC2119]
-
- Quotations of RFC 1034 are denoted by a '#' in the leftmost
- column. References to section "4.3.2" are assumed to refer
- to RFC 1034's section 4.3.2, simply titled "Algorithm."
-
-2. Wildcard Syntax
-
- The syntax of a wildcard is the same as any other DNS resource
- record, across all classes and types. The only significant
- feature is the owner name.
-
- Because wildcards are encoded as resource records with special
- names, they are included in zone transfers and incremental zone
- transfers[RFC1995] just as non-wildcard resource records are.
- This feature has been underappreciated until discussions on
- alternative approaches to wildcards appeared on mailing lists.
-
-2.1 Identifying a Wildcard
-
- To provide a more accurate description of wildcards, the
- definition has to start with a discussion of the domain names
- that appear as owners. Two new terms are needed, "Asterisk
- Label" and "Wild Card Domain Name."
-
-2.1.1 Wild Card Domain Name and Asterisk Label
-
- A "wild card domain name" is defined by having its initial
- (i.e., left-most or least significant) label be, in binary format:
-
- 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
-
- The first octet is the normal label type and length for a 1 octet
- long label, the second octet is the ASCII representation [RFC20]
- for the '*' character.
-
- A descriptive name of a label equaling that value is an "asterisk
- label."
-
- RFC 1034's definition of wildcard would be "a resource record
- owned by a wild card domain name."
-
-2.1.2 Asterisks and Other Characters
-
- No label values other than that in section 2.1.1 are asterisk
- labels, hence names beginning with other labels are never wild
- card domain names. Labels such as 'the*' and '**' are not
- asterisk labels so these labels do not start wild card domain
- names.
-
-2.1.3 Non-terminal Wild Card Domain Names
-
- In section 4.3.3, the following is stated:
-
-# .......................... The owner name of the wildcard RRs is of
-# the form "*.<anydomain>", where <anydomain> is any domain name.
-# <anydomain> should not contain other * labels......................
-
- The restriction is now removed. The original documentation of it
- is incomplete and the restriction does not serve any purpose given
- years of operational experience.
-
- There are three possible reasons for putting the restriction in
- place, but none of the three has held up over time. One is
- that the restriction meant that there would never be subdomains
- of wild card domain names, but the restriciton as stated still
- permits "example.*.example." for instance. Another is that
- wild card domain names are not intended to be empty non-terminals,
- but this situation does not disrupt the algorithm in 4.3.2.
- Finally, "nested" wild card domain names are not ambiguous once
- the concept of the closest encloser had been documented.
-
- A wild card domain name can have subdomains. There is no need
- to inspect the subdomains to see if there is another asterisk
- label in any subdomain.
-
- A wild card domain name can be an empty non-terminal. (See the
- upcoming sections on empty non-terminals.) In this case, any
- lookup encountering it will terminate as would any empty
- non-terminal match.
-
-2.2 Existence Rules
-
- The notion that a domain name 'exists' is mentioned in the
- definition of wildcards. In section 4.3.3 of RFC 1034:
-
-# Wildcard RRs do not apply:
-#
-...
-# - When the query name or a name between the wildcard domain and
-# the query name is know[n] to exist. For example, if a wildcard
-
- "Existence" is therefore an important concept in the understanding
- of wildcards. Unfortunately, the definition of what exists, in RFC
- 1034, is unlcear. So, in sections 2.2.2. and 2.2.3, another look is
- taken at the definition of existence.
-
-2.2.1 An Example
-
- To illustrate what is meant by existence consider this complete
- zone:
-
- $ORIGIN example.
- example. 3600 IN SOA <SOA RDATA>
- example. 3600 NS ns.example.com.
- example. 3600 NS ns.example.net.
- *.example. 3600 TXT "this is a wild card"
- *.example. 3600 MX 10 host1.example.
- sub.*.example. 3600 TXT "this is not a wild card"
- host1.example. 3600 A 192.0.4.1
- _ssh._tcp.host1.example. 3600 SRV <SRV RDATA>
- _ssh._tcp.host2.example. 3600 SRV <SRV RDATA>
- subdel.example. 3600 NS ns.example.com.
- subdel.example. 3600 NS ns.example.net.
-
- A look at the domain names in a tree structure is helpful:
-
- |
- -------------example------------
- / / \ \
- / / \ \
- / / \ \
- * host1 host2 subdel
- | | |
- | | |
- sub _tcp _tcp
- | |
- | |
- _ssh _ssh
-
- The following responses would be synthesized from one of the
- wildcards in the zone:
-
- QNAME=host3.example. QTYPE=MX, QCLASS=IN
- the answer will be a "host3.example. IN MX ..."
-
- QNAME=host3.example. QTYPE=A, QCLASS=IN
- the answer will reflect "no error, but no data"
- because there is no A RR set at '*.example.'
-
- QNAME=foo.bar.example. QTYPE=TXT, QCLASS=IN
- the answer will be "foo.bar.example. IN TXT ..."
- because bar.example. does not exist, but the wildcard
- does.
-
- The following responses would not be synthesized from any of the
- wildcards in the zone:
-
- QNAME=host1.example., QTYPE=MX, QCLASS=IN
- because host1.example. exists
-
- QNAME=sub.*.example., QTYPE=MX, QCLASS=IN
- because sub.*.example. exists
-
- QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
- because _tcp.host1.example. exists (without data)
-
- QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
- because subdel.example. exists (and is a zone cut)
-
- QNAME=ghost.*.example., QTYPE=MX, QCLASS=IN
- because *.example. exists
-
- The final example highlights one common misconception about
- wildcards. A wildcard "blocks itself" in the sense that a
- wildcard does not match its own subdomains. I.e. "*.example."
- does not match all names in the "example." zone, it fails to
- match the names below "*.example." To cover names under
- "*.example.", another wild card domain name is needed -
- "*.*.example." - which covers all but it's own subdomains.
-
-2.2.2 Empty Non-terminals
-
- Empty non-terminals [RFC2136, Section 7.16] are domain names
- that own no resource records but have subdomains that do. In
- section 2.2.1, "_tcp.host1.example." is an example of a empty
- non-terminal name. Empty non-terminals are introduced by this
- text in section 3.1 of RFC 1034:
-
-# The domain name space is a tree structure. Each node and leaf on
-# the tree corresponds to a resource set (which may be empty). The
-# domain system makes no distinctions between the uses of the
-# interior nodes and leaves, and this memo uses the term "node" to
-# refer to both.
-
- The parenthesized "which may be empty" specifies that empty non-
- terminals are explicitly recognized, and that empty non-terminals
- "exist."
-
- Pedantically reading the above paragraph can lead to an
- interpretation that all possible domains exist - up to the
- suggested limit of 255 octets for a domain name [RFC1035].
- For example, www.example. may have an A RR, and as far as is
- practically concerned, is a leaf of the domain tree. But the
- definition can be taken to mean that sub.www.example. also
- exists, albeit with no data. By extension, all possible domains
- exist, from the root on down.
-
- As RFC 1034 also defines "an authoritative name error indicating
- that the name does not exist" in section 4.3.1, so this apparently
- is not the intent of the original definition, justifying the
- need for an updated definition in the next section.
-
-2.2.3 Yet Another Definition of Existence
-
- RFC1034's wording is fixed by the following paragraph:
-
- The domain name space is a tree structure. Nodes in the tree
- either own at least one RRSet and/or have descendants that
- collectively own at least one RRSet. A node may exist with no
- RRSets only if it has descendents that do, this node is an empty
- non-terminal.
-
- A node with no descendants is a leaf node. Empty leaf nodes do
- not exist.
-
- Note that at a zone boundary, the domain name owns data,
- including the NS RR set. In the delegating zone, the NS RR
- set is not authoritative, but that is of no consequence here.
- The domain name owns data, therefore, it exists.
-
-2.3 When is a Wild Card Domain Name Not Special
-
- When a wild card domain name appears in a message's query section,
- no special processing occurs. An asterisk label in a query name
- only matches a single, corresponding asterisk label in the
- existing zone tree when the 4.3.2 algorithm is being followed.
-
- When a wild card domain name appears in the resource data of a
- record, no special processing occurs. An asterisk label in that
- context literally means just an asterisk.
-
-3. Impact of a Wild Card Domain Name On a Response
-
- RFC 1034's description of how wildcards impact response
- generation is in its section 4.3.2. That passage contains the
- algorithm followed by a server in constructing a response.
- Within that algorithm, step 3, part 'c' defines the behavior of
- the wildcard.
-
- The algorithm in section 4.3.2. is not intended to be pseudo-code,
- i.e., its steps are not intended to be followed in strict order.
- The "algorithm" is a suggested means of implementing the
- requirements. As such, in step 3, parts a, b, and c, do not have
- to be implemented in that order, provided that the result of the
- implemented code is compliant with the protocol's specification.
-
-3.1 Step 2
-
- Step 2 of the section 4.3.2 reads:
-
-# 2. Search the available zones for the zone which is the nearest
-# ancestor to QNAME. If such a zone is found, go to step 3,
-# otherwise step 4.
-
- In this step, the most appropriate zone for the response is
- chosen. The significance of this step is that it means all of
- step 3 is being performed within one zone. This has significance
- when considering whether or not an SOA RR can be ever be used for
- synthesis.
-
-3.2 Step 3
-
- Step 3 is dominated by three parts, labelled 'a', 'b', and 'c'.
- But the beginning of the step is important and needs explanation.
-
-# 3. Start matching down, label by label, in the zone. The
-# matching process can terminate several ways:
-
- The word 'matching' refers to label matching. The concept
- is based in the view of the zone as the tree of existing names.
- The query name is considered to be an ordered sequence of
- labels - as if the name were a path from the root to the owner
- of the desired data. (Which it is - 3rd paragraph of RFC 1034,
- section 3.1.)
-
- The process of label matching a query name ends in exactly one of
- three choices, the parts 'a', 'b', and 'c'. Either the name is
- found, the name is below a cut point, or the name is not found.
-
- Once one of the parts is chosen, the other parts are not
- considered. (E.g., do not execute part 'c' and then change
- the execution path to finish in part 'b'.) The process of label
- matching is also done independent of the query type (QTYPE).
-
- Parts 'a' and 'b' are not an issue for this clarification as they
- do not relate to record synthesis. Part 'a' is an exact match
- that results in an answer, part 'b' is a referral.
-
-3.3 Part 'c'
-
- The context of part 'c' is that the process of label matching the
- labels of the query name has resulted in a situation in which
- there is no corresponding label in the tree. It is as if the
- lookup has "fallen off the tree."
-
-# c. If at some label, a match is impossible (i.e., the
-# corresponding label does not exist), look to see if [...]
-# the "*" label exists.
-
- To help describe the process of looking 'to see if [...] the "*"
- label exists' a term has been coined to describe the last domain
- (node) matched. The term is "closest encloser."
-
-3.3.1 Closest Encloser and the Source of Synthesis
-
- The closest encloser is the node in the zone's tree of existing
- domain names that has the most labels matching the query name
- (consecutively, counting from the root label downward). Each match
- is a "label match" and the order of the labels is the same.
-
- The closest encloser is, by definition, an existing name in the
- zone. The closest encloser might be an empty non-terminal or even
- be a wild card domain name itself. In no circumstances is the
- closest encloser to be used to synthesize records for the current
- query.
-
- The source of synthesis is defined in the context of a query
- process as that wild card domain name immediately descending
- from the closest encloser, provided that this wild card domain
- name exists. "Immediately descending" means that the source
- of synthesis has a name of the form:
- <asterisk label>.<closest encloser>.
- A source of synthesis does not guarantee having a RRSet to use
- for synthesis. The source of synthesis could be an empty
- non-terminal.
-
- If the source of synthesis does not exist (not on the domain
- tree), there will be no wildcard synthesis. There is no search
- for an alternate.
-
- The important concept is that for any given lookup process, there
- is at most one place at which wildcard synthetic records can be
- obtained. If the source of synthesis does not exist, the lookup
- terminates, the lookup does not look for other wildcard records.
-
-3.3.2 Closest Encloser and Source of Synthesis Examples
-
- To illustrate, using the example zone in section 2.2.1 of this
- document, the following chart shows QNAMEs and the closest
- enclosers.
-
- QNAME Closest Encloser Source of Synthesis
- host3.example. example. *.example.
- _telnet._tcp.host1.example. _tcp.host1.example. no source
- _telnet._tcp.host2.example. host2.example. no source
- _telnet._tcp.host3.example. example. *.example.
- _chat._udp.host3.example. example. *.example.
- foobar.*.example. *.example. no source
-
-3.3.3 Type Matching
-
- RFC 1034 concludes part 'c' with this:
-
-# If the "*" label does not exist, check whether the name
-# we are looking for is the original QNAME in the query
-# or a name we have followed due to a CNAME. If the name
-# is original, set an authoritative name error in the
-# response and exit. Otherwise just exit.
-#
-# If the "*" label does exist, match RRs at that node
-# against QTYPE. If any match, copy them into the answer
-# section, but set the owner of the RR to be QNAME, and
-# not the node with the "*" label. Go to step 6.
-
- The final paragraph covers the role of the QTYPE in the lookup
- process.
-
- Based on implementation feedback and similarities between step
- 'a' and step 'c' a change to this passage has been made.
-
- The change is to add the following text to step 'c' prior to the
- instructions to "go to step 6":
-
- If the data at the source of synthesis is a CNAME, and
- QTYPE doesn't match CNAME, copy the CNAME RR into the
- answer section of the response changing the owner name
- to the QNAME, change QNAME to the canonical name in the
- CNAME RR, and go back to step 1.
-
- This is essentially the same text in step a covering the
- processing of CNAME RRSets.
-
-4. Considerations with Special Types
-
- Sections 2 and 3 of this document discuss wildcard synthesis
- with respect to names in the domain tree and ignore the impact
- of types. In this section, the implication of wildcards of
- specific types are discussed. The types covered are those
- that have proven to be the most difficult to understand. The
- types are SOA, NS, CNAME, DNAME, SRV, DS, NSEC, RRSIG and
- "none," i.e., empty non-terminal wild card domain names.
-
-4.1 SOA RRSet at a Wild Card Domain Name
-
- A wild card domain name owning an SOA RRSet means that the
- domain is at the root of the zone (apex). The domain can not
- be a source of synthesis because that is, by definition, a
- descendent node (of the closest encloser) and a zone apex is
- at the top of the zone.
-
- Although a wild card domain name owning an SOA RRSet can never
- be a source of synthesis, there is no reason to forbid the
- ownership of an SOA RRSet.
-
- E.g., given this zone:
- $ORIGIN *.example.
- @ 3600 IN SOA <SOA RDATA>
- 3600 NS ns1.example.com.
- 3600 NS ns1.example.net.
- www 3600 TXT "the www txt record"
-
- A query for www.*.example.'s TXT record would still find the
- "the www txt record" answer. The reason is that the asterisk
- label only becomes significant when section's 4.3.2, step 3
- part 'c' in in effect.
-
- Of course, there would need to be a delegation in the parent
- zone, "example." for this to work too. This is covered in the
- next section.
-
-4.2 NS RRSet at a Wild Card Domain Name
-
- With the definition of DNSSEC [RFC4033, RFC4034, RFC4035] now
- in place, the semantics of a wild card domain name owning an
- NS RRSet has come to be poorly defined. The dilemma relates to
- a conflict between the rules for synthesis in part 'c' and the
- fact that the resulting synthesis generates a record for which
- the zone is not authoritative. In a DNSSEC signed zone, the
- mechanics of signature management (generation and inclusion
- in a message) become unclear.
-
- After some lengthy discussions, there has been no clear "best
- answer" on how to document the semantics of such a situation.
- Barring such records from the DNS would require definition of
- rules for that, as well as introducing a restriction on records
- that were once legal. Allowing such records and amending the
- process of signature management would entail complicating the
- DNSSEC definition.
-
- There is one more ingredient to the discussion, that being the
- utility of a wild card domain name owned NS RRSet. Although
- there are cases of this use, it is an operational rarity.
- Expending effort to close this topic has proven to be an
- exercise in diminishing returns.
-
- In summary, there is no definition given for wild card domain
- names owning an NS RRSet. The semantics are left undefined until
- there is a clear need to have a set defined, and until there is
- a clear direction to proceed. Operationally, inclusion of wild
- card NS RRSets in a zone is discouraged, but not barred.
-
-4.2.1 Discarded Notions
-
- Prior to DNSSEC, a wild card domain name owning a NS RRSet
- appeared to be workable, and there are some instances in which
- it is found in deployments using implementations that support
- this. Continuing to allow this in the specificaion is not
- tenable with DNSSEC. The reason is that the synthesis of the
- NS RRSet is being done in a zone that has delegated away the
- responsibility for the name. This "unauthorized" synthesis is
- not a problem for the base DNS protocol, but DNSSEC, in affirming
- the authorization model for DNS exposes the problem.
-
- Outright banning of wildcards of type NS is also untenable as
- the DNS protocol does not define how to handle "illegal" data.
- Implementations may choose not to load a zone, but there is no
- protocol definition. The lack of the definition is complicated
- by having to cover dynamic update [RFC 2136], zone transfers,
- as well as loading at the master server. The case of a client
- (resolver, cacheing server) getting a wildcard of type NS in
- a reply would also have to be considered.
-
- Given the daunting challenge of a complete definition of how to
- ban such records, dealing with existing implementations that
- permit the records today is a further complication. There are
- uses of wild card domain name owning NS RRSets.
-
- One compromise proposed would have redefined wildcards of type
- NS to not be used in synthesis, this compromise fell apart
- because it would have required significant edits to the DNSSEC
- signing and validation work. (Again, DNSSEC catches
- unauthorized data.)
-
- With no clear consensus forming on the solution to this dilemma,
- and the realization that wildcards of type NS are a rarity in
- operations, the best course of action is to leave this open-ended
- until "it matters."
-
-4.3 CNAME RRSet at a Wild Card Domain Name
-
- The issue of a CNAME RRSet owned by a wild card domain name has
- prompted a suggested change to the last paragraph of step 3c of
- the algorithm in 4.3.2. The changed text appears in section
- 3.3.3 of this document.
-
-4.4 DNAME RRSet at a Wild Card Domain Name
-
- Ownership of a DNAME [RFC2672] RRSet by a wild card domain name
- represents a threat to the coherency of the DNS and is to be
- avoided or outright rejected. Such a DNAME RRSet represents
- non-deterministic synthesis of rules fed to different caches.
- As caches are fed the different rules (in an unpredictable
- manner) the caches will cease to be coherent. ("As caches
- are fed" refers to the storage in a cache of records obtained
- in responses by recursive or iterative servers.)
-
- For example, assume one cache, responding to a recursive
- request, obtains the record:
- "a.b.example. DNAME foo.bar.example.net."
- and another cache obtains:
- "b.example. DNAME foo.bar.example.net."
- both generated from the record:
- "*.example. DNAME foo.bar.example.net."
- by an authoritative server.
-
- The DNAME specification is not clear on whether DNAME records
- in a cache are used to rewrite queries. In some interpretations,
- the rewrite occurs, in some, it is not. Allowing for the
- occurrence of rewriting, queries for "sub.a.b.example. A" may
- be rewritten as "sub.foo.bar.tld. A" by the former caching
- server and may be rewritten as "sub.a.foo.bar.tld. A" by the
- latter. Coherency is lost, an operational nightmare ensues.
-
- Another justification for banning or avoiding wildcard DNAME
- records is the observation that such a record could synthesize
- a DNAME owned by "sub.foo.bar.example." and "foo.bar.example."
- There is a restriction in the DNAME definition that no domain
- exist below a DNAME-owning domain, hence, the wildcard DNAME
- is not to be permitted.
-
-4.5 SRV RRSet at a Wild Card Domain Name
-
- The definition of the SRV RRset is RFC 2782 [RFC2782]. In the
- definition of the record, there is some confusion over the term
- "Name." The definition reads as follows:
-
-# The format of the SRV RR
-...
-# _Service._Proto.Name TTL Class SRV Priority Weight Port Target
-...
-# Name
-# The domain this RR refers to. The SRV RR is unique in that the
-# name one searches for is not this name; the example near the end
-# shows this clearly.
-
- Do not confuse the definition "Name" with the owner name. I.e.,
- once removing the _Service and _Proto labels from the owner name
- of the SRV RRSet, what remains could be a wild card domain name
- but this is immaterial to the SRV RRSet.
-
- E.g., If an SRV record is:
- _foo._udp.*.example. 10800 IN SRV 0 1 9 old-slow-box.example.
-
- *.example is a wild card domain name and although it it the Name
- of the SRV RR, it is not the owner (domain name). The owner
- domain name is "_foo._udp.*.example." which is not a wild card
- domain name.
-
- The confusion is likely based on the mixture of the specification
- of the SRV RR and the description of a "use case."
-
-4.6 DS RRSet at a Wild Card Domain Name
-
- A DS RRSet owned by a wild card domain name is meaningless and
- harmless. This statement is made in the context that an NS RRSet
- at a wild card domain name is undefined. At a non-delegation
- point, a DS RRSet has no value (no corresponding DNSKEY RRSet
- will be used in DNSSEC validation). If there is a synthesized
- DS RRSet, it alone will not be very useful as it exists in the
- context of a delegation point.
-
-4.7 NSEC RRSet at a Wild Card Domain Name
-
- Wild card domain names in DNSSEC signed zones will have an NSEC
- RRSet. Synthesis of these records will only occur when the
- query exactly matches the record. Synthesized NSEC RR's will not
- be harmful as they will never be used in negative caching or to
- generate a negative response.
-
-4.8 RRSIG at a Wild Card Domain Name
-
- RRSIG records will be present at a wild card domain name in a
- signed zone, and will be synthesized along with data sought in a
- query. The fact that the owner name is synthesized is not a
- problem as the label count in the RRSIG will instruct the
- verifying code to ignore it.
-
-4.9 Empty Non-terminal Wild Card Domain Name
-
- If a source of synthesis is an empty non-terminal, then the
- response will be one of no error in the return code and no RRSet
- in the answer section.
-
-5. Security Considerations
-
- This document is refining the specifications to make it more
- likely that security can be added to DNS. No functional
- additions are being made, just refining what is considered
- proper to allow the DNS, security of the DNS, and extending
- the DNS to be more predictable.
-
-6. IANA Considerations
-
- None.
-
-7. References
-
- Normative References
-
- [RFC20] ASCII Format for Network Interchange, V.G. Cerf,
- Oct-16-1969
-
- [RFC1034] Domain Names - Concepts and Facilities,
- P.V. Mockapetris, Nov-01-1987
-
- [RFC1035] Domain Names - Implementation and Specification, P.V
- Mockapetris, Nov-01-1987
-
- [RFC1995] Incremental Zone Transfer in DNS, M. Ohta, August 1996
-
- [RFC2119] Key Words for Use in RFCs to Indicate Requirement
- Levels, S Bradner, March 1997
-
- [RFC2181] Clarifications to the DNS Specification, R. Elz and
- R. Bush, July 1997
-
- [RFC2308] Negative Caching of DNS Queries (DNS NCACHE),
- M. Andrews, March 1998
-
- [RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
- August 1999.
-
- [RFC2782] A DNS RR for specifying the location of services (DNS
- SRV), A. Gulbrandsen, et.al., February 2000
-
- [RFC4033] DNS Security Introduction and Requirements, R. Arends,
- et.al., March 2005
-
- [RFC4034] Resource Records for the DNS Security Extensions,
- R. Arends, et.al., March 2005
-
- [RFC4035] Protocol Modifications for the DNS Security Extensions,
- R. Arends, et.al., March 2005
-
- [RFC2672] Non-Terminal DNS Name Redirection, M. Crawford,
- August 1999
-
- Informative References
-
- [RFC2136] Dynamic Updates in the Domain Name System (DNS UPDATE),
- P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
- April 1997
-
-8. Editor
-
- Name: Edward Lewis
- Affiliation: NeuStar
- Address: 46000 Center Oak Plaza, Sterling, VA, 20166, US
- Phone: +1-571-434-5468
- Email: ed.lewis@neustar.biz
-
- Comments on this document can be sent to the editor or the mailing
- list for the DNSEXT WG, namedroppers@ops.ietf.org.
-
-9. Others Contributing to the Document
-
- This document represents the work of a large working group. The
- editor merely recorded the collective wisdom of the working group.
-
-10. Trailing Boilerplate
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided
- on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION
- HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET
- SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
- WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
- ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
- INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of
- any Intellectual Property Rights or other rights that might
- be claimed to pertain to the implementation or use of the
- technology described in this document or the extent to which
- any license under such rights might or might not be available;
- nor does it represent that it has made any independent effort
- to identify any such rights. Information on the procedures
- with respect to rights in RFC documents can be found in BCP 78
- and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the
- use of such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR
- repository at http://www.ietf.org/ipr. The IETF invites any
- interested party to bring to its attention any copyrights,
- patents or patent applications, or other proprietary rights
- that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-Expiration
-
- This document expires on or about January 6, 2006.
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt
deleted file mode 100644
index e9943015e4e9..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt
+++ /dev/null
@@ -1,1120 +0,0 @@
-
-
-DNS Operations M. Larson
-Internet-Draft P. Barber
-Expires: August 16, 2004 VeriSign
- February 16, 2004
-
-
- Observed DNS Resolution Misbehavior
- draft-ietf-dnsop-bad-dns-res-02
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 16, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This Internet-Draft describes DNS name server and resolver behavior
- that results in a significant query volume sent to the root and
- top-level domain (TLD) name servers. In some cases we recommend
- minor additions to the DNS protocol specification and corresponding
- changes in name server implementations to alleviate these unnecessary
- queries. The recommendations made in this document are a direct
- byproduct of observation and analysis of abnormal query traffic
- patterns seen at two of the thirteen root name servers and all
- thirteen com/net TLD name servers.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 1]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- document are to be interpreted as described in RFC 2119 [1].
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Observed name server misbehavior . . . . . . . . . . . . . 4
- 2.1 Aggressive requerying for delegation information . . . . . 4
- 2.1.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 5
- 2.2 Repeated queries to lame servers . . . . . . . . . . . . . 5
- 2.2.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 6
- 2.3 Inability to follow multiple levels of out-of-zone glue . 6
- 2.3.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 7
- 2.4 Aggressive retransmission when fetching glue . . . . . . . 7
- 2.4.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 8
- 2.5 Aggressive retransmission behind firewalls . . . . . . . . 8
- 2.5.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 8
- 2.6 Misconfigured NS records . . . . . . . . . . . . . . . . . 9
- 2.6.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 10
- 2.7 Name server records with zero TTL . . . . . . . . . . . . 10
- 2.7.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 11
- 2.8 Unnecessary dynamic update messages . . . . . . . . . . . 11
- 2.8.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 11
- 2.9 Queries for domain names resembling IP addresses . . . . . 12
- 2.9.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 12
- 2.10 Misdirected recursive queries . . . . . . . . . . . . . . 12
- 2.10.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 13
- 2.11 Suboptimal name server selection algorithm . . . . . . . . 13
- 2.11.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 13
- 3. IANA considerations . . . . . . . . . . . . . . . . . . . 15
- 4. Security considerations . . . . . . . . . . . . . . . . . 16
- 5. Internationalization considerations . . . . . . . . . . . 17
- Normative References . . . . . . . . . . . . . . . . . . . 18
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . 18
- Intellectual Property and Copyright Statements . . . . . . 19
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 2]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-1. Introduction
-
- Observation of query traffic received by two root name servers and
- the thirteen com/net TLD name servers has revealed that a large
- proportion of the total traffic often consists of "requeries". A
- requery is the same question (<qname, qtype, qclass>) asked
- repeatedly at an unexpectedly high rate. We have observed requeries
- from both a single IP address and multiple IP addresses.
-
- By analyzing requery events we have found that the cause of the
- duplicate traffic is almost always a deficient name server, stub
- resolver and/or application implementation combined with an
- operational anomaly. The implementation deficiencies we have
- identified to date include well-intentioned recovery attempts gone
- awry, insufficient caching of failures, early abort when multiple
- levels of glue records must be followed, and aggressive retry by stub
- resolvers and/or applications. Anomalies that we have seen trigger
- requery events include lame delegations, unusual glue records, and
- anything that makes all authoritative name servers for a zone
- unreachable (DoS attacks, crashes, maintenance, routing failures,
- congestion, etc.).
-
- In the following sections, we provide a detailed explanation of the
- observed behavior and recommend changes that will reduce the requery
- rate. Some of the changes recommended affect the core DNS protocol
- specification, described principally in RFC 1034 [2], RFC 1035 [3]
- and RFC 2181 [4].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 3]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-2. Observed name server misbehavior
-
-2.1 Aggressive requerying for delegation information
-
- There can be times when every name server in a zone's NS RRset is
- unreachable (e.g., during a network outage), unavailable (e.g., the
- name server process is not running on the server host) or
- misconfigured (e.g., the name server is not authoritative for the
- given zone, also known as "lame"). Consider a recursive name server
- that attempts to resolve a query for a domain name in such a zone and
- discovers that none of the zone's name servers can provide an answer.
- We have observed a recursive name server implementation that then
- verifies the zone's NS RRset in its cache by querying for the zone's
- delegation information: it sends a query for the zone's NS RRset to
- one of the parent zone's name servers.
-
- For example, suppose that "example.com" has the following NS RRset:
-
- example.com. IN NS ns1.example.com.
- example.com. IN NS ns2.example.com.
-
- Upon receipt of a query for "www.example.com" and assuming that
- neither "ns1.example.com" nor "ns2.example.com" can provide an
- answer, this recursive name server implementation immediately queries
- a "com" zone name server for the "example.com" NS RRset to verify it
- has the proper delegation information. This name server
- implementation performs this query to a zone's parent zone for each
- recursive query it receives that fails because of a completely
- unresponsive set of name servers for the target zone. Consider the
- effect when a popular zone experiences a catastrophic failure of all
- its name servers: now every recursive query for domain names in that
- zone sent to this name server implementation results in a query to
- the failed zone's parent name servers. On one occasion when several
- dozen popular zones became unreachable, the query load on the com/net
- name servers increased by 50%.
-
- We believe this verification query is not reasonable. Consider the
- circumstances: When a recursive name server is resolving a query for
- a domain name in a zone it has not previously searched, it uses the
- list of name servers in the referral from the target zone's parent.
- If on its first attempt to search the target zone, none of the name
- servers in the referral is reachable, a verification query to the
- parent is pointless: this query to the parent would come so quickly
- on the heels of the referral that it would be almost certain to
- contain the same list of name servers. The chance of discovering any
- new information is slim.
-
- The other possibility is that the recursive name server successfully
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 4]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- contacts one of the target zone's name servers and then caches the NS
- RRset from the authority section of a response, the proper behavior
- according to section 5.4.1 of RFC 2181 [4], because the NS RRset from
- the target zone is more trustworthy than delegation information from
- the parent zone. If, while processing a subsequent recursive query,
- the recursing name server discovers that none of the name servers
- specified in the cached NS RRset is available or authoritative,
- querying the parent would be wrong. An NS RRset from the parent zone
- would now be less trustworthy than data already in the cache.
-
- For this query of the parent zone to be useful, the target zone's
- entire set of name servers would have to change AND the former set of
- name servers would have to be deconfigured and/or decommissioned AND
- the delegation information in the parent zone would have to be
- updated with the new set of name servers, all within the TTL of the
- target zone's NS RRset. We believe this scenario is uncommon:
- administrative best practices dictate that changes to a zone's set of
- name servers happen gradually, with servers that are removed from the
- NS RRset left authoritative for the zone as long as possible. The
- scenarios that we can envision that would benefit from the parent
- requery behavior do not outweigh its damaging effects.
-
-2.1.1 Recommendation
-
- Name servers offering recursion MUST NOT send a query for the NS
- RRset of a non-responsive zone to any of the name servers for that
- zone's parent zone. For the purposes of this injunction, a
- non-responsive zone is defined as a zone for which every name server
- listed in the zone's NS RRset:
-
- 1. is not authoritative for the zone (i.e., lame), or,
-
- 2. returns a server failure response (RCODE=2), or,
-
- 3. is dead or unreachable according to section 7.2 of RFC 2308 [5].
-
-
-2.2 Repeated queries to lame servers
-
- Section 2.1 describes a catastrophic failure: when every name server
- for a zone is unable to provide an answer for one reason or another.
- A more common occurrence is a subset of a zone's name servers being
- unavailable or misconfigured. Different failure modes have different
- expected durations. Some symptoms indicate problems that are
- potentially transient: various types of ICMP unreachable messages
- because a name server process is not running or a host or network is
- unreachable, or a complete lack of a response to a query. Such
- responses could be the result of a host rebooting or temporary
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 5]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- outages; these events don't necessarily require any human
- intervention and can be reasonably expected to be temporary.
-
- Other symptoms clearly indicate a condition requiring human
- intervention, such as lame server: if a name server is misconfigured
- and not authoritative for a zone delegated to it, it is reasonable to
- assume that this condition has potential to last longer than
- unreachability or unresponsiveness. Consequently, repeated queries
- to known lame servers are not useful. In this case of a condition
- with potential to persist for a long time, a better practice would be
- to maintain a list of known lame servers and avoid querying them
- repeatedly in a short interval.
-
-2.2.1 Recommendation
-
- Recursive name servers SHOULD cache name servers that they discover
- are not authoritative for zones delegated to them (i.e. lame
- servers). Lame servers MUST be cached against the specific query
- tuple <zone name, class, server IP address>. Zone name can be
- derived from the owner name of the NS record that was referenced to
- query the name server that was discovered to be lame.
- Implementations that perform lame server caching MUST refrain from
- sending queries to known lame servers based on a time interval from
- when the server is discovered to be lame. A minimum interval of
- thirty minutes is RECOMMENDED.
-
-2.3 Inability to follow multiple levels of out-of-zone glue
-
- Some recursive name server implementations are unable to follow more
- than one level of out-of-zone glue. For example, consider the
- following delegations:
-
- foo.example. IN NS ns1.example.com.
- foo.example. IN NS ns2.example.com.
-
- example.com. IN NS ns1.test.example.net.
- example.com. IN NS ns2.test.example.net.
-
- test.example.net. IN NS ns1.test.example.net.
- test.example.net. IN NS ns2.test.example.net.
-
- A name server processing a recursive query for "www.foo.example" must
- follow two levels of indirection, first obtaining address records for
- "ns1.test.example.net" and/or "ns2.test.example.net" in order to
- obtain address records for "ns1.example.com" and/or "ns2.example.com"
- in order to query those name servers for the address records of
- "www.foo.example". While this situation may appear contrived, we
- have seen multiple similar occurrences and expect more as new generic
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 6]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- top-level domains (gTLDs) become active. We anticipate many zones in
- the new gTLDs will use name servers in other gTLDs, increasing the
- amount of inter-zone glue.
-
-2.3.1 Recommendation
-
- Clearly constructing a delegation that relies on multiple levels of
- out-of-zone glue is not a good administrative practice. This issue
- could be mitigated with an operational injunction in an RFC to
- refrain from construction of such delegations. In our opinion the
- practice is widespread enough to merit clarifications to the DNS
- protocol specification to permit it on a limited basis.
-
- Name servers offering recursion SHOULD be able to handle at least
- three levels of indirection resulting from out-of-zone glue.
-
-2.4 Aggressive retransmission when fetching glue
-
- When an authoritative name server responds with a referral, it
- includes NS records in the authority section of the response.
- According to the algorithm in section 4.3.2 of RFC 1034 [2], the name
- server should also "put whatever addresses are available into the
- additional section, using glue RRs if the addresses are not available
- from authoritative data or the cache." Some name server
- implementations take this address inclusion a step further with a
- feature called "glue fetching". A name server that implements glue
- fetching attempts to include A records for every NS record in the
- authority section. If necessary, the name server issues multiple
- queries of its own to obtain any missing A records.
-
- Problems with glue fetching can arise in the context of
- "authoritative-only" name servers, which only serve authoritative
- data and ignore requests for recursion. Such a server will not
- generate any queries of its own. Instead it answers non-recursive
- queries from resolvers looking for information in zones it serves.
- With glue fetching enabled, however, an authoritative server will
- generate queries whenever it needs to look up an unknown address
- record to complete the additional section of a response.
-
- We have observed situations where a glue-fetching name server can
- send queries that reach other name servers, but apparently is
- prevented from receiving the responses. For example, perhaps the
- name server is authoritative-only and therefore its administrators
- expect it to receive only queries. Perhaps unaware of glue fetching
- and presuming that the name server will generate no queries, its
- administrators place the name server behind a network device that
- prevents it from receiving responses. If this is the case, all
- glue-fetching queries will go answered.
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 7]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- We have observed name server implementations that retry excessively
- when glue-fetching queries are unanswered. A single com/net name
- server has received hundreds of queries per second from a single name
- server. Judging from the specific queries received and based on
- additional analysis, we believe these queries result from overly
- aggressive glue fetching.
-
-2.4.1 Recommendation
-
- Implementers whose name servers support glue fetching should take
- care to avoid sending queries at excessive rates. Implementations
- should support throttling logic to detect when queries are sent but
- no responses are received.
-
-2.5 Aggressive retransmission behind firewalls
-
- A common occurrence and one of the largest sources of repeated
- queries at the com/net and root name servers appears to result from
- resolvers behind misconfigured firewalls. In this situation, a
- recursive name server is apparently allowed to send queries through a
- firewall to other name servers, but not receive the responses. The
- result is more queries than necessary because of retransmission, all
- of which are useless because the responses are never received. Just
- as with the glue-fetching scenario described in Section 2.4, the
- queries are sometimes sent at excessive rates. To make matters
- worse, sometimes the responses, sent in reply to legitimate queries,
- trigger an alarm on the originator's intrusion detection system. We
- are frequently contacted by administrators responding to such alarms
- who believe our name servers are attacking their systems.
-
- Not only do some resolvers in this situation retransmit queries at an
- excessive rate, but they continue to do so for days or even weeks.
- This scenario could result from an organization with multiple
- recursive name servers, only a subset of whose traffic is improperly
- filtered in this manner. Stub resolvers in the organization could be
- configured to query multiple name servers. Consider the case where a
- stub resolver queries a filtered name server first. This name server
- sends one or more queries whose replies are filtered, so it can't
- respond to the stub resolver, which times out. The resolver
- retransmits to a name server that is able to provide an answer.
- Since resolution ultimately succeeds the underlying problem might not
- be recognized or corrected. A popular stub resolver has a very
- aggressive retransmission schedule, including simultaneous queries to
- multiple name servers, which could explain how such a situation could
- persist without being detected.
-
-2.5.1 Recommendation
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 8]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- The most obvious recommendation is that administrators should take
- care not to place recursive name servers behind a firewall that
- prohibits queries to pass through but not the resulting replies.
-
- Name servers should take care to avoid sending queries at excessive
- rates. Implementations should support throttling logic to detect
- when queries are sent but no responses are received.
-
-2.6 Misconfigured NS records
-
- Sometimes a zone administrator forgets to add the trailing dot on the
- domain names in the RDATA of a zone's NS records. Consider this
- fragment of the zone file for "example.com":
-
- $ORIGIN example.com.
- example.com. 3600 IN NS ns1.example.com ; Note missing
- example.com. 3600 IN NS ns2.example.com ; trailing dots
-
- The zone's authoritative servers will parse the NS RDATA as
- "ns1.example.com.example.com" and "ns2.example.com.example.com" and
- return NS records with this incorrect RDATA in responses, including
- typically the authority section of every response containing records
- from the "example.com" zone.
-
- Now consider a typical sequence of queries. A recursive name server
- attempting to resolve A records for "www.example.com" with no cached
- information for this zone will query a "com" authoritative server.
- The "com" server responds with a referral to the "example.com" zone,
- consisting of NS records with valid RDATA and associated glue
- records. (This example assumes that the "example.com" zone
- information is correct in the "com" zone.) The recursive name server
- caches the NS RRset from the "com" server and follows the referral by
- querying one of the "example.com" authoritative servers. This server
- responds with the "www.example.com" A record in the answer section
- and, typically, the "example.com" NS records in the authority section
- and, if space in the message remains, glue A records in the
- additional section. According to Section 5.4 of RFC 2181 [4], NS
- records in the authority section of an authoritative answer are more
- trustworthy than NS records from the authority section of a
- non-authoritative answer. Thus the "example.com" NS RRset just
- received from the "example.com" authoritative server displaces the
- "example.com" NS RRset received moments ago from the "com"
- authoritative server.
-
- But the "example.com" zone contains the erroneous NS RRset as shown
- in the example above. Subsequent queries for names in "example.com"
- will cause the server to attempt to use the incorrect NS records and
- so the server will try to resolve the nonexistent names
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 9]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- "ns1.example.com.example.com" and "ns2.example.com.example.com". In
- this example, since all of the zone's name servers are named in the
- zone itself (i.e., "ns1.example.com.example.com" and
- "ns2.example.com.example.com" both end in "example.com") and all are
- bogus, the recursive server cannot reach any "example.com" name
- servers. Therefore attempts to resolve these names result in A
- record queries to the "com' authoritative servers. Queries for such
- obviously bogus glue A records occur frequently at the com/net name
- servers.
-
-2.6.1 Recommendation
-
- An authoritative server can detect this situation. A trailing dot
- missing from an NS record's RDATA always results by definition in a
- name server name that is in the zone. But any in-zone name server
- should have a corresponding glue A record also in the zone. An
- authoritative name server should report an error when a zone's NS
- record references an in-zone name server without a corresponding glue
- A record.
-
-2.7 Name server records with zero TTL
-
- Sometimes a popular com/net subdomain's zone is configured with a TTL
- of zero on the zone's NS records, which prohibits these records from
- being cached and will result in a higher query volume to the zone's
- authoritative servers. The zone's administrator should understand
- the consequences of such a configuration and provision resources
- accordingly. A zero TTL on the zone's NS RRset, however, carries
- additional consequences beyond the zone itself: if a recursive name
- server cannot cache a zone's NS records because of a zero TTL, it
- will be forced to query that zone's parent's name servers each time
- it resolves a name in the zone. The com/net authoritative servers do
- see an increased query load when a popular com/net subdomain's zone
- is configured with a TTL of zero on the zone's NS records.
-
- A zero TTL on an RRset expected to change frequently is extreme but
- permissible. A zone's NS RRset is a special case, however, because
- changes to it must be coordinated with the zone's parent. In most
- zone parent/child relationships we are aware of, there is typically
- some delay involved in effecting changes. Further, changes to the
- set of a zone's authoritative name servers (and therefore to the
- zone's NS RRset) are typically relatively rare: providing reliable
- authoritative service requires a reasonably stable set of servers.
- Therefore an extremely low or zero TTL on a zone's NS RRset rarely
- makes sense, except in anticipation of an upcoming change. In this
- case, when the zone's administrator has planned a change and does not
- want recursive name servers throughout the Internet to cache the NS
- RRset for a long period of time, a low TTL is reasonable.
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 10]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-2.7.1 Recommendation
-
- Because of the additional load placed on a zone's parent's
- authoritative servers imposed by a zero TTL on a zone's NS RRset,
- under such circumstances authoritative name servers should issue a
- warning when loading a zone or refuse to load the zone altogether.
-
-2.8 Unnecessary dynamic update messages
-
- The UPDATE message specified in RFC 2136 [6] allows an authorized
- agent to update a zone's data on an authoritative name server using a
- DNS message sent over the network. Consider the case of an agent
- desiring to add a particular resource record. Because of zone cuts,
- the agent does not necessarily know the proper zone to which the
- record should be added. The dynamic update process requires that the
- agent determine the appropriate zone so the UPDATE message can be
- sent to one of the zone's authoritative servers (typically the
- primary master as specified in the zone's SOA MNAME field).
-
- The appropriate zone to update is the closest enclosing zone, which
- is the lowest zone in the name space. The closest enclosing zone
- cannot be determined only by inspecting the domain name of the record
- to be updated, since zone cuts can occur anywhere. One way to
- determine the closest enclosing zone involves working up the name
- space tree and sending repeated UPDATE messages until success. For
- example, consider an agent attempting to add an A record with the
- name "foo.bar.example.com". The agent could first attempt to update
- the "foo.bar.example.com" zone. If the attempt failed, the update
- could be directed to the "bar.example.com" zone, then the
- "example.com" zone, then the "com" zone, and finally the root zone.
-
- A popular dynamic agent follows this algorithm. The result is many
- UPDATE messages received by the root name servers, the com/net
- authoritative servers, and presumably other TLD authoritative
- servers. A reasonable question is why the algorithm proceeds with
- sending updates all the way to TLD and root name servers. In
- enterprise DNS architectures with an "internal root" design, there
- could conceivably be private, non-public TLD or root zones that would
- be the appropriate target for a dynamic update. However, we question
- if designing an algorithm to accommodate these limited cases is worth
- the load it places on the public DNS in the form of unnecessary
- UPDATE messages.
-
-2.8.1 Recommendation
-
- Dynamic update agents should not attempt to send UPDATE messages to
- authoritative servers for TLD zones or the root zone by default. If
- this functionality is supported, it should be require specific action
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 11]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- by a user to be enabled.
-
-2.9 Queries for domain names resembling IP addresses
-
- The root name servers receive a significant number of A record
- queries where the qname is an IP address. The source of these
- queries is unknown. It could be attributed to situations where a
- user believes an application will accept either a domain name or an
- IP address in a given configuration option. The user enters an IP
- address, but the application assumes any input is a domain name and
- attempts to resolve it, resulting in an A record lookup. There could
- also be applications that produce such queries in a misguided attempt
- to reverse map IP addresses.
-
- These queries result in Name Error (RCODE=3) responses. A recursive
- name server can negatively cache such responses, but each response
- requires a separate cache entry, i.e., a negative cache entry for the
- domain name "192.0.2.1" does not prevent a subsequent query for the
- domain name "192.0.2.2".
-
-2.9.1 Recommendation
-
- It would be desirable for the root name servers not to have to answer
- these queries: they unnecessarily consume CPU resources and network
- bandwidth. One possibility is for recursive name server
- implementations to produce the Name Error response directly. We
- suggest that implementors consider the option of synthesizing Name
- Error responses at the recursive name server. The server could claim
- authority for synthesized TLD zones corresponding to the first octet
- of every possible IP address, e.g. 1., 2., through 255. This
- behavior could be configurable in the (probably unlikely) event that
- numeric TLDs are ever put into use.
-
- Another option is to delegate these numeric TLDs from the root zone
- to a separate set of servers to absorb the traffic. The "blackhole
- servers" used by the the AS 112 Project [8], which are currently
- delegated the in-addr.arpa zones corresponding to RFC 1918 [7]
- private use address space, would be a possible choice to receive
- these delegations.
-
-2.10 Misdirected recursive queries
-
- The root name servers receive a significant number of recursive
- queries (i.e., queries with the RD bit set in the header). Since
- none of the root servers offer recursion, the servers' response in
- such a situation ignores the request for recursion and the response
- probably does not contain the data the querier anticipated. Some of
- these queries result from users configuring stub resolvers to query a
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 12]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- root server. (This situation is not hypothetical: we have received
- complaints from users when this configuration does not work as
- hoped.) Of course, users should not direct stub resolvers to use name
- servers that do not offer recursion, but we are not aware of any stub
- resolver implementation that offers any feedback to the user when so
- configured, aside from simply "not working".
-
-2.10.1 Recommendation
-
- When the IP address of a (supposedly) recursive name server is
- configured in a stub resolver using an interactive user interface,
- the resolver could send a test query to verify that the server
- supports recursion (i.e., the response has the RA bit set in the
- header). The user could be immediately notified if the server is
- non-recursive.
-
- The stub resolver could also report an error, either through a user
- interface or in a log file, if the queried server does not support
- recursion. Error reporting should be throttled to avoid a
- notification or log message for every response from a non-recursive
- server.
-
-2.11 Suboptimal name server selection algorithm
-
- An entire document could be devoted to the topic of problems with
- different implementations of the recursive resolution algorithm. The
- entire process of recursion is woefully underspecified, requiring
- each implementor to design an algorithm. Sometimes implementors make
- poor design choices that could be avoided if a suggested algorithm
- and best practices were documented, but that is a topic for another
- document.
-
- Some deficiencies cause significant operational impact and are
- therefore worth mentioning here. One of these is name server
- selection by a recursive name server. When a recursive name server
- wants to contact one of a zone's authoritative name servers, how does
- it choose from the NS records listed in the zone's NS RRset? If the
- selection mechanism is suboptimal, queries are not spread evenly
- among a zone's authoritative servers. The details of the selection
- mechanism are up to the implementor, but we offer some suggestions.
-
-2.11.1 Recommendation
-
- This list is not conclusive, but reflects the changes that would
- produce the most impact in terms of reducing disproportionate query
- load among a zone's authoritative servers. I.e., these changes would
- help spread the query load evenly.
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 13]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- o Do not make assumptions based on NS RRset order: all NS RRs should
- be treated equally. (In the case of the "com" zone, for example,
- most of the root servers return the NS record for
- "a.gtld-servers.net" first in the authority section of referrals.
- As a result, this server receives disproportionately more traffic
- than the other 12 authoritative servers for "com".)
-
- o Use all NS records in an RRset. (For example, we are aware of
- implementations that hard-coded information for a subset of the
- root servers.)
-
- o Maintain state and favor the best-performing of a zone's
- authoritative servers. A good definition of performance is
- response time. Non-responsive servers can be penalized with an
- extremely high response time.
-
- o Do not lock onto the best-performing of a zone's name servers. A
- recursive name server should periodically check the performance of
- all of a zone's name servers to adjust its determination of the
- best-performing one.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 14]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-3. IANA considerations
-
- There are no new IANA considerations introduced by this
- Internet-Draft.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 15]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-4. Security considerations
-
- Name server and resolver misbehaviors identical or similar to those
- discussed in this document expose the root and TLD name servers to
- increased risk of both intentional and unintentional denial of
- service.
-
- We believe that implementation of the recommendations offered in this
- document will reduce the amount of unnecessary traffic seen at root
- and TLD name servers, thus reducing the opportunity for an attacker
- to use such queries to his or her advantage.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 16]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-5. Internationalization considerations
-
- We do not believe this document introduces any new
- internationalization considerations to the DNS protocol
- specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 17]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-Normative References
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [2] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [3] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [4] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
- RFC 2181, July 1997.
-
- [5] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
- 2308, March 1998.
-
- [6] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April
- 1997.
-
- [7] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G. and E.
- Lear, "Address Allocation for Private Internets", BCP 5, RFC
- 1918, February 1996.
-
- [8] <http://www.as112.net>
-
-
-Authors' Addresses
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: mlarson@verisign.com
-
-
- Piet Barber
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: pbarber@verisign.com
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 18]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 19]
-
-Internet-Draft Observed DNS Resolution Misbehavior February 2004
-
-
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires August 16, 2004 [Page 20]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-04.txt
deleted file mode 100644
index a56969e57f66..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-04.txt
+++ /dev/null
@@ -1,1176 +0,0 @@
-
-
-
-DNS Operations M. Larson
-Internet-Draft P. Barber
-Expires: January 18, 2006 VeriSign
- July 17, 2005
-
-
- Observed DNS Resolution Misbehavior
- draft-ietf-dnsop-bad-dns-res-04
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 18, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This memo describes DNS iterative resolver behavior that results in a
- significant query volume sent to the root and top-level domain (TLD)
- name servers. We offer implementation advice to iterative resolver
- developers to alleviate these unnecessary queries. The
- recommendations made in this document are a direct byproduct of
- observation and analysis of abnormal query traffic patterns seen at
- two of the thirteen root name servers and all thirteen com/net TLD
- name servers.
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 1]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [1].
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 A note about terminology in this memo . . . . . . . . . . 3
- 2. Observed iterative resolver misbehavior . . . . . . . . . . 5
- 2.1 Aggressive requerying for delegation information . . . . . 5
- 2.1.1 Recommendation . . . . . . . . . . . . . . . . . . . . 6
- 2.2 Repeated queries to lame servers . . . . . . . . . . . . . 7
- 2.2.1 Recommendation . . . . . . . . . . . . . . . . . . . . 7
- 2.3 Inability to follow multiple levels of indirection . . . . 8
- 2.3.1 Recommendation . . . . . . . . . . . . . . . . . . . . 9
- 2.4 Aggressive retransmission when fetching glue . . . . . . . 9
- 2.4.1 Recommendation . . . . . . . . . . . . . . . . . . . . 10
- 2.5 Aggressive retransmission behind firewalls . . . . . . . . 10
- 2.5.1 Recommendation . . . . . . . . . . . . . . . . . . . . 11
- 2.6 Misconfigured NS records . . . . . . . . . . . . . . . . . 11
- 2.6.1 Recommendation . . . . . . . . . . . . . . . . . . . . 12
- 2.7 Name server records with zero TTL . . . . . . . . . . . . 12
- 2.7.1 Recommendation . . . . . . . . . . . . . . . . . . . . 13
- 2.8 Unnecessary dynamic update messages . . . . . . . . . . . 13
- 2.8.1 Recommendation . . . . . . . . . . . . . . . . . . . . 14
- 2.9 Queries for domain names resembling IPv4 addresses . . . . 14
- 2.9.1 Recommendation . . . . . . . . . . . . . . . . . . . . 14
- 2.10 Misdirected recursive queries . . . . . . . . . . . . . 15
- 2.10.1 Recommendation . . . . . . . . . . . . . . . . . . . 15
- 2.11 Suboptimal name server selection algorithm . . . . . . . 15
- 2.11.1 Recommendation . . . . . . . . . . . . . . . . . . . 16
- 3. IANA considerations . . . . . . . . . . . . . . . . . . . . 17
- 4. Security considerations . . . . . . . . . . . . . . . . . . 18
- 5. Internationalization considerations . . . . . . . . . . . . 19
- 6. Informative References . . . . . . . . . . . . . . . . . . . 19
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 19
- Intellectual Property and Copyright Statements . . . . . . . 21
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 2]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
-1. Introduction
-
- Observation of query traffic received by two root name servers and
- the thirteen com/net TLD name servers has revealed that a large
- proportion of the total traffic often consists of "requeries". A
- requery is the same question (<QNAME, QTYPE, QCLASS>) asked
- repeatedly at an unexpectedly high rate. We have observed requeries
- from both a single IP address and multiple IP addresses (i.e., the
- same query received simultaneously from multiple IP addresses).
-
- By analyzing requery events we have found that the cause of the
- duplicate traffic is almost always a deficient iterative resolver,
- stub resolver or application implementation combined with an
- operational anomaly. The implementation deficiencies we have
- identified to date include well-intentioned recovery attempts gone
- awry, insufficient caching of failures, early abort when multiple
- levels of indirection must be followed, and aggressive retry by stub
- resolvers or applications. Anomalies that we have seen trigger
- requery events include lame delegations, unusual glue records, and
- anything that makes all authoritative name servers for a zone
- unreachable (DoS attacks, crashes, maintenance, routing failures,
- congestion, etc.).
-
- In the following sections, we provide a detailed explanation of the
- observed behavior and recommend changes that will reduce the requery
- rate. None of the changes recommended affects the core DNS protocol
- specification; instead, this document consists of guidelines to
- implementors of iterative resolvers.
-
-1.1 A note about terminology in this memo
-
- To recast an old saying about standards, the nice thing about DNS
- terms is that there are so many of them to choose from. Writing or
- talking about DNS can be difficult and cause confusion resulting from
- a lack of agreed-upon terms for its various components. Further
- complicating matters are implementations that combine multiple roles
- into one piece of software, which makes naming the result
- problematic. An example is the entity that accepts recursive
- queries, issues iterative queries as necessary to resolve the initial
- recursive query, caches responses it receives, and which is also able
- to answer questions about certain zones authoritatively. This entity
- is an iterative resolver combined with an authoritative name server
- and is often called a "recursive name server" or a "caching name
- server".
-
- This memo is concerned principally with the behavior of iterative
- resolvers, which are typically found as part of a recursive name
- server. This memo uses the more precise term "iterative resolver",
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 3]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- because the focus is usually on that component. In instances where
- the name server role of this entity requires mentioning, this memo
- uses the term "recursive name server". As an example of the
- difference, the name server component of a recursive name server
- receives DNS queries and the iterative resolver component sends
- queries.
-
- The advent of IPv6 requires mentioning AAAA records as well as A
- records when discussing glue. To avoid continuous repetition and
- qualification, this memo uses the general term "address record" to
- encompass both A and AAAA records when a particular situation is
- relevant to both types.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 4]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
-2. Observed iterative resolver misbehavior
-
-2.1 Aggressive requerying for delegation information
-
- There can be times when every name server in a zone's NS RRset is
- unreachable (e.g., during a network outage), unavailable (e.g., the
- name server process is not running on the server host) or
- misconfigured (e.g., the name server is not authoritative for the
- given zone, also known as "lame"). Consider an iterative resolver
- that attempts to resolve a query for a domain name in such a zone and
- discovers that none of the zone's name servers can provide an answer.
- We have observed a recursive name server implementation whose
- iterative resolver then verifies the zone's NS RRset in its cache by
- querying for the zone's delegation information: it sends a query for
- the zone's NS RRset to one of the parent zone's name servers. (Note
- that queries with QTYPE=NS are not required by the standard
- resolution algorithm described in section 4.3.2 of RFC 1034 [2].
- These NS queries represent this implementation's addition to that
- algorithm.)
-
- For example, suppose that "example.com" has the following NS RRset:
-
- example.com. IN NS ns1.example.com.
- example.com. IN NS ns2.example.com.
-
- Upon receipt of a query for "www.example.com" and assuming that
- neither "ns1.example.com" nor "ns2.example.com" can provide an
- answer, this iterative resolver implementation immediately queries a
- "com" zone name server for the "example.com" NS RRset to verify it
- has the proper delegation information. This implementation performs
- this query to a zone's parent zone for each recursive query it
- receives that fails because of a completely unresponsive set of name
- servers for the target zone. Consider the effect when a popular zone
- experiences a catastrophic failure of all its name servers: now every
- recursive query for domain names in that zone sent to this recursive
- name server implementation results in a query to the failed zone's
- parent name servers. On one occasion when several dozen popular
- zones became unreachable, the query load on the com/net name servers
- increased by 50%.
-
- We believe this verification query is not reasonable. Consider the
- circumstances: When an iterative resolver is resolving a query for a
- domain name in a zone it has not previously searched, it uses the
- list of name servers in the referral from the target zone's parent.
- If on its first attempt to search the target zone, none of the name
- servers in the referral is reachable, a verification query to the
- parent would be pointless: this query to the parent would come so
- quickly on the heels of the referral that it would be almost certain
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 5]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- to contain the same list of name servers. The chance of discovering
- any new information is slim.
-
- The other possibility is that the iterative resolver successfully
- contacts one of the target zone's name servers and then caches the NS
- RRset from the authority section of a response, the proper behavior
- according to section 5.4.1 of RFC 2181 [3], because the NS RRset from
- the target zone is more trustworthy than delegation information from
- the parent zone. If, while processing a subsequent recursive query,
- the iterative resolver discovers that none of the name servers
- specified in the cached NS RRset is available or authoritative,
- querying the parent would be wrong. An NS RRset from the parent zone
- would now be less trustworthy than data already in the cache.
-
- For this query of the parent zone to be useful, the target zone's
- entire set of name servers would have to change AND the former set of
- name servers would have to be deconfigured or decommissioned AND the
- delegation information in the parent zone would have to be updated
- with the new set of name servers, all within the TTL of the target
- zone's NS RRset. We believe this scenario is uncommon:
- administrative best practices dictate that changes to a zone's set of
- name servers happen gradually when at all possible, with servers
- removed from the NS RRset left authoritative for the zone as long as
- possible. The scenarios that we can envision that would benefit from
- the parent requery behavior do not outweigh its damaging effects.
-
- This section should not be understood to claim that all queries to a
- zone's parent are bad. In some cases, such queries are not only
- reasonable but required. Consider the situation when required
- information, such as the address of a name server (i.e., the address
- record corresponding to the RDATA of an NS record), has timed out of
- an iterative resolver's cache before the corresponding NS record. If
- the name of the name server is below the apex of the zone, then the
- name server's address record is only available as glue in the parent
- zone. For example, consider this NS record:
-
- example.com. IN NS ns.example.com.
-
- If a cache has this NS record but not the address record for
- "ns.example.com", it is unable to contact the "example.com" zone
- directly and must query the "com" zone to obtain the address record.
- Note, however, that such a query would not have QTYPE=NS according to
- the standard resolution algorithm.
-
-2.1.1 Recommendation
-
- An iterative resolver MUST NOT send a query for the NS RRset of a
- non-responsive zone to any of the name servers for that zone's parent
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 6]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- zone. For the purposes of this injunction, a non-responsive zone is
- defined as a zone for which every name server listed in the zone's NS
- RRset:
-
- 1. is not authoritative for the zone (i.e., lame), or,
-
- 2. returns a server failure response (RCODE=2), or,
-
- 3. is dead or unreachable according to section 7.2 of RFC 2308 [4].
-
-
-2.2 Repeated queries to lame servers
-
- Section 2.1 describes a catastrophic failure: when every name server
- for a zone is unable to provide an answer for one reason or another.
- A more common occurrence is when a subset of a zone's name servers
- are unavailable or misconfigured. Different failure modes have
- different expected durations. Some symptoms indicate problems that
- are potentially transient; for example, various types of ICMP
- unreachable messages because a name server process is not running or
- a host or network is unreachable, or a complete lack of a response to
- a query. Such responses could be the result of a host rebooting or
- temporary outages; these events don't necessarily require any human
- intervention and can be reasonably expected to be temporary.
-
- Other symptoms clearly indicate a condition requiring human
- intervention, such as lame server: if a name server is misconfigured
- and not authoritative for a zone delegated to it, it is reasonable to
- assume that this condition has potential to last longer than
- unreachability or unresponsiveness. Consequently, repeated queries
- to known lame servers are not useful. In this case of a condition
- with potential to persist for a long time, a better practice would be
- to maintain a list of known lame servers and avoid querying them
- repeatedly in a short interval.
-
- It should also be noted, however, that some authoritative name server
- implementations appear to be lame only for queries of certain types
- as described in RFC 4074 [5]. In this case, it makes sense to retry
- the "lame" servers for other types of queries, particularly when all
- known authoritative name servers appear to be "lame".
-
-2.2.1 Recommendation
-
- Iterative resolvers SHOULD cache name servers that they discover are
- not authoritative for zones delegated to them (i.e. lame servers).
- If this caching is performed, lame servers MUST be cached against the
- specific query tuple <zone name, class, server IP address>. Zone
- name can be derived from the owner name of the NS record that was
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 7]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- referenced to query the name server that was discovered to be lame.
- Implementations that perform lame server caching MUST refrain from
- sending queries to known lame servers based on a time interval from
- when the server is discovered to be lame. A minimum interval of
- thirty minutes is RECOMMENDED.
-
- An exception to this recommendation occurs if all name servers for a
- zone are marked lame. In that case, the iterative resolver SHOULD
- temporarily ignore the servers' lameness status and query one or more
- servers. This behavior is a workaround for the type-specific
- lameness issue described in the previous section.
-
- Implementors should take care not to make lame server avoidance logic
- overly broad: note that a name server could be lame for a parent zone
- but not a child zone, e.g., lame for "example.com" but properly
- authoritative for "sub.example.com". Therefore a name server should
- not be automatically considered lame for subzones. In the case
- above, even if a name server is known to be lame for "example.com",
- it should be queried for QNAMEs at or below "sub.example.com" if an
- NS record indicates it should be authoritative for that zone.
-
-2.3 Inability to follow multiple levels of indirection
-
- Some iterative resolver implementations are unable to follow
- sufficient levels of indirection. For example, consider the
- following delegations:
-
- foo.example. IN NS ns1.example.com.
- foo.example. IN NS ns2.example.com.
-
- example.com. IN NS ns1.test.example.net.
- example.com. IN NS ns2.test.example.net.
-
- test.example.net. IN NS ns1.test.example.net.
- test.example.net. IN NS ns2.test.example.net.
-
- An iterative resolver resolving the name "www.foo.example" must
- follow two levels of indirection, first obtaining address records for
- "ns1.test.example.net" or "ns2.test.example.net" in order to obtain
- address records for "ns1.example.com" or "ns2.example.com" in order
- to query those name servers for the address records of
- "www.foo.example". While this situation may appear contrived, we
- have seen multiple similar occurrences and expect more as new generic
- top-level domains (gTLDs) become active. We anticipate many zones in
- new gTLDs will use name servers in existing gTLDs, increasing the
- number of delegations using out-of-zone name servers.
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 8]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
-2.3.1 Recommendation
-
- Clearly constructing a delegation that relies on multiple levels of
- indirection is not a good administrative practice. However, the
- practice is widespread enough to require that iterative resolvers be
- able to cope with it. Iterative resolvers SHOULD be able to handle
- arbitrary levels of indirection resulting from out-of-zone name
- servers. Iterative resolvers SHOULD implement a level-of-effort
- counter to avoid loops or otherwise performing too much work in
- resolving pathological cases.
-
- A best practice that avoids this entire issue of indirection is to
- name one or more of a zone's name servers in the zone itself. For
- example, if the zone is named "example.com", consider naming some of
- the name servers "ns{1,2,...}.example.com" (or similar).
-
-2.4 Aggressive retransmission when fetching glue
-
- When an authoritative name server responds with a referral, it
- includes NS records in the authority section of the response.
- According to the algorithm in section 4.3.2 of RFC 1034 [2], the name
- server should also "put whatever addresses are available into the
- additional section, using glue RRs if the addresses are not available
- from authoritative data or the cache." Some name server
- implementations take this address inclusion a step further with a
- feature called "glue fetching". A name server that implements glue
- fetching attempts to include address records for every NS record in
- the authority section. If necessary, the name server issues multiple
- queries of its own to obtain any missing address records.
-
- Problems with glue fetching can arise in the context of
- "authoritative-only" name servers, which only serve authoritative
- data and ignore requests for recursion. Such an entity will not
- normally generate any queries of its own. Instead it answers non-
- recursive queries from iterative resolvers looking for information in
- zones it serves. With glue fetching enabled, however, an
- authoritative server invokes an iterative resolver to look up an
- unknown address record to complete the additional section of a
- response.
-
- We have observed situations where the iterative resolver of a glue-
- fetching name server can send queries that reach other name servers,
- but is apparently prevented from receiving the responses. For
- example, perhaps the name server is authoritative-only and therefore
- its administrators expect it to receive only queries and not
- responses. Perhaps unaware of glue fetching and presuming that the
- name server's iterative resolver will generate no queries, its
- administrators place the name server behind a network device that
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 9]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- prevents it from receiving responses. If this is the case, all glue-
- fetching queries will go answered.
-
- We have observed name server implementations whose iterative
- resolvers retry excessively when glue-fetching queries are
- unanswered. A single com/net name server has received hundreds of
- queries per second from a single such source. Judging from the
- specific queries received and based on additional analysis, we
- believe these queries result from overly aggressive glue fetching.
-
-2.4.1 Recommendation
-
- Implementers whose name servers support glue fetching SHOULD take
- care to avoid sending queries at excessive rates. Implementations
- SHOULD support throttling logic to detect when queries are sent but
- no responses are received.
-
-2.5 Aggressive retransmission behind firewalls
-
- A common occurrence and one of the largest sources of repeated
- queries at the com/net and root name servers appears to result from
- resolvers behind misconfigured firewalls. In this situation, an
- iterative resolver is apparently allowed to send queries through a
- firewall to other name servers, but not receive the responses. The
- result is more queries than necessary because of retransmission, all
- of which are useless because the responses are never received. Just
- as with the glue-fetching scenario described in Section 2.4, the
- queries are sometimes sent at excessive rates. To make matters
- worse, sometimes the responses, sent in reply to legitimate queries,
- trigger an alarm on the originator's intrusion detection system. We
- are frequently contacted by administrators responding to such alarms
- who believe our name servers are attacking their systems.
-
- Not only do some resolvers in this situation retransmit queries at an
- excessive rate, but they continue to do so for days or even weeks.
- This scenario could result from an organization with multiple
- recursive name servers, only a subset of whose iterative resolvers'
- traffic is improperly filtered in this manner. Stub resolvers in the
- organization could be configured to query multiple recursive name
- servers. Consider the case where a stub resolver queries a filtered
- recursive name server first. The iterative resolver of this
- recursive name server sends one or more queries whose replies are
- filtered, so it can't respond to the stub resolver, which times out.
- Then the stub resolver retransmits to a recursive name server that is
- able to provide an answer. Since resolution ultimately succeeds the
- underlying problem might not be recognized or corrected. A popular
- stub resolver implementation has a very aggressive retransmission
- schedule, including simultaneous queries to multiple recursive name
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 10]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- servers, which could explain how such a situation could persist
- without being detected.
-
-2.5.1 Recommendation
-
- The most obvious recommendation is that administrators SHOULD take
- care not to place iterative resolvers behind a firewall that allows
- queries to pass through but not the resulting replies.
-
- Iterative resolvers SHOULD take care to avoid sending queries at
- excessive rates. Implementations SHOULD support throttling logic to
- detect when queries are sent but no responses are received.
-
-2.6 Misconfigured NS records
-
- Sometimes a zone administrator forgets to add the trailing dot on the
- domain names in the RDATA of a zone's NS records. Consider this
- fragment of the zone file for "example.com":
-
- $ORIGIN example.com.
- example.com. 3600 IN NS ns1.example.com ; Note missing
- example.com. 3600 IN NS ns2.example.com ; trailing dots
-
- The zone's authoritative servers will parse the NS RDATA as
- "ns1.example.com.example.com" and "ns2.example.com.example.com" and
- return NS records with this incorrect RDATA in responses, including
- typically the authority section of every response containing records
- from the "example.com" zone.
-
- Now consider a typical sequence of queries. An iterative resolver
- attempting to resolve address records for "www.example.com" with no
- cached information for this zone will query a "com" authoritative
- server. The "com" server responds with a referral to the
- "example.com" zone, consisting of NS records with valid RDATA and
- associated glue records. (This example assumes that the
- "example.com" zone delegation information is correct in the "com"
- zone.) The iterative resolver caches the NS RRset from the "com"
- server and follows the referral by querying one of the "example.com"
- authoritative servers. This server responds with the
- "www.example.com" address record in the answer section and,
- typically, the "example.com" NS records in the authority section and,
- if space in the message remains, glue address records in the
- additional section. According to Section 5.4 of RFC 2181 [3], NS
- records in the authority section of an authoritative answer are more
- trustworthy than NS records from the authority section of a non-
- authoritative answer. Thus the "example.com" NS RRset just received
- from the "example.com" authoritative server overrides the
- "example.com" NS RRset received moments ago from the "com"
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 11]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- authoritative server.
-
- But the "example.com" zone contains the erroneous NS RRset as shown
- in the example above. Subsequent queries for names in "example.com"
- will cause the iterative resolver to attempt to use the incorrect NS
- records and so it will try to resolve the nonexistent names
- "ns1.example.com.example.com" and "ns2.example.com.example.com". In
- this example, since all of the zone's name servers are named in the
- zone itself (i.e., "ns1.example.com.example.com" and
- "ns2.example.com.example.com" both end in "example.com") and all are
- bogus, the iterative resolver cannot reach any "example.com" name
- servers. Therefore attempts to resolve these names result in address
- record queries to the "com" authoritative servers. Queries for such
- obviously bogus glue address records occur frequently at the com/net
- name servers.
-
-2.6.1 Recommendation
-
- An authoritative server can detect this situation. A trailing dot
- missing from an NS record's RDATA always results by definition in a
- name server name that exists somewhere under the apex of the zone the
- NS record appears in. Note that further levels of delegation are
- possible, so a missing trailing dot could inadvertently create a name
- server name that actually exists in a subzone.
-
- An authoritative name server SHOULD issue a warning when one of a
- zone's NS records references a name server below the zone's apex when
- a corresponding address record does not exist in the zone AND there
- are no delegated subzones where the address record could exist.
-
-2.7 Name server records with zero TTL
-
- Sometimes a popular com/net subdomain's zone is configured with a TTL
- of zero on the zone's NS records, which prohibits these records from
- being cached and will result in a higher query volume to the zone's
- authoritative servers. The zone's administrator should understand
- the consequences of such a configuration and provision resources
- accordingly. A zero TTL on the zone's NS RRset, however, carries
- additional consequences beyond the zone itself: if an iterative
- resolver cannot cache a zone's NS records because of a zero TTL, it
- will be forced to query that zone's parent's name servers each time
- it resolves a name in the zone. The com/net authoritative servers do
- see an increased query load when a popular com/net subdomain's zone
- is configured with a TTL of zero on the zone's NS records.
-
- A zero TTL on an RRset expected to change frequently is extreme but
- permissible. A zone's NS RRset is a special case, however, because
- changes to it must be coordinated with the zone's parent. In most
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 12]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- zone parent/child relationships we are aware of, there is typically
- some delay involved in effecting changes. Further, changes to the
- set of a zone's authoritative name servers (and therefore to the
- zone's NS RRset) are typically relatively rare: providing reliable
- authoritative service requires a reasonably stable set of servers.
- Therefore an extremely low or zero TTL on a zone's NS RRset rarely
- makes sense, except in anticipation of an upcoming change. In this
- case, when the zone's administrator has planned a change and does not
- want iterative resolvers throughout the Internet to cache the NS
- RRset for a long period of time, a low TTL is reasonable.
-
-2.7.1 Recommendation
-
- Because of the additional load placed on a zone's parent's
- authoritative servers resulting from a zero TTL on a zone's NS RRset,
- under such circumstances authoritative name servers SHOULD issue a
- warning when loading a zone.
-
-2.8 Unnecessary dynamic update messages
-
- The UPDATE message specified in RFC 2136 [6] allows an authorized
- agent to update a zone's data on an authoritative name server using a
- DNS message sent over the network. Consider the case of an agent
- desiring to add a particular resource record. Because of zone cuts,
- the agent does not necessarily know the proper zone to which the
- record should be added. The dynamic update process requires that the
- agent determine the appropriate zone so the UPDATE message can be
- sent to one of the zone's authoritative servers (typically the
- primary master as specified in the zone's SOA MNAME field).
-
- The appropriate zone to update is the closest enclosing zone, which
- cannot be determined only by inspecting the domain name of the record
- to be updated, since zone cuts can occur anywhere. One way to
- determine the closest enclosing zone entails walking up the name
- space tree by sending repeated UPDATE messages until success. For
- example, consider an agent attempting to add an address record with
- the name "foo.bar.example.com". The agent could first attempt to
- update the "foo.bar.example.com" zone. If the attempt failed, the
- update could be directed to the "bar.example.com" zone, then the
- "example.com" zone, then the "com" zone, and finally the root zone.
-
- A popular dynamic agent follows this algorithm. The result is many
- UPDATE messages received by the root name servers, the com/net
- authoritative servers, and presumably other TLD authoritative
- servers. A valid question is why the algorithm proceeds to send
- updates all the way to TLD and root name servers. This behavior is
- not entirely unreasonable: in enterprise DNS architectures with an
- "internal root" design, there could conceivably be private, non-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 13]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- public TLD or root zones that would be the appropriate targets for a
- dynamic update.
-
- A significant deficiency with this algorithm is that knowledge of a
- given UPDATE message's failure is not helpful in directing future
- UPDATE messages to the appropriate servers. A better algorithm would
- be to find the closest enclosing zone by walking up the name space
- with queries for SOA or NS rather than "probing" with UPDATE
- messages. Once the appropriate zone is found, an UPDATE message can
- be sent. In addition, the results of these queries can be cached to
- aid in determining closest enclosing zones for future updates. Once
- the closest enclosing zone is determined with this method, the update
- will either succeed or fail and there is no need to send further
- updates to higher-level zones. The important point is that walking
- up the tree with queries yields cacheable information, whereas
- walking up the tree by sending UPDATE messages does not.
-
-2.8.1 Recommendation
-
- Dynamic update agents SHOULD send SOA or NS queries to progressively
- higher-level names to find the closest enclosing zone for a given
- name to update. Only after the appropriate zone is found should the
- client send an UPDATE message to one of the zone's authoritative
- servers. Update clients SHOULD NOT "probe" using UPDATE messages by
- walking up the tree to progressively higher-level zones.
-
-2.9 Queries for domain names resembling IPv4 addresses
-
- The root name servers receive a significant number of A record
- queries where the QNAME looks like an IPv4 address. The source of
- these queries is unknown. It could be attributed to situations where
- a user believes an application will accept either a domain name or an
- IP address in a given configuration option. The user enters an IP
- address, but the application assumes any input is a domain name and
- attempts to resolve it, resulting in an A record lookup. There could
- also be applications that produce such queries in a misguided attempt
- to reverse map IP addresses.
-
- These queries result in Name Error (RCODE=3) responses. An iterative
- resolver can negatively cache such responses, but each response
- requires a separate cache entry, i.e., a negative cache entry for the
- domain name "192.0.2.1" does not prevent a subsequent query for the
- domain name "192.0.2.2".
-
-2.9.1 Recommendation
-
- It would be desirable for the root name servers not to have to answer
- these queries: they unnecessarily consume CPU resources and network
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 14]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- bandwidth. A possible solution is to delegate these numeric TLDs
- from the root zone to a separate set of servers to absorb the
- traffic. The "black hole servers" used by the AS 112 Project [8],
- which are currently delegated the in-addr.arpa zones corresponding to
- RFC 1918 [7] private use address space, would be a possible choice to
- receive these delegations. Of course, the proper and usual root zone
- change procedures would have to be followed to make such a change to
- the root zone.
-
-2.10 Misdirected recursive queries
-
- The root name servers receive a significant number of recursive
- queries (i.e., queries with the RD bit set in the header). Since
- none of the root servers offers recursion, the servers' response in
- such a situation ignores the request for recursion and the response
- probably does not contain the data the querier anticipated. Some of
- these queries result from users configuring stub resolvers to query a
- root server. (This situation is not hypothetical: we have received
- complaints from users when this configuration does not work as
- hoped.) Of course, users should not direct stub resolvers to use
- name servers that do not offer recursion, but we are not aware of any
- stub resolver implementation that offers any feedback to the user
- when so configured, aside from simply "not working".
-
-2.10.1 Recommendation
-
- When the IP address of a name server that supposedly offers recursion
- is configured in a stub resolver using an interactive user interface,
- the resolver could send a test query to verify that the server indeed
- supports recursion (i.e., verify that the response has the RA bit set
- in the header). The user could be immediately notified if the server
- is non-recursive.
-
- The stub resolver could also report an error, either through a user
- interface or in a log file, if the queried server does not support
- recursion. Error reporting SHOULD be throttled to avoid a
- notification or log message for every response from a non-recursive
- server.
-
-2.11 Suboptimal name server selection algorithm
-
- An entire document could be devoted to the topic of problems with
- different implementations of the recursive resolution algorithm. The
- entire process of recursion is woefully under specified, requiring
- each implementor to design an algorithm. Sometimes implementors make
- poor design choices that could be avoided if a suggested algorithm
- and best practices were documented, but that is a topic for another
- document.
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 15]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- Some deficiencies cause significant operational impact and are
- therefore worth mentioning here. One of these is name server
- selection by an iterative resolver. When an iterative resolver wants
- to contact one of a zone's authoritative name servers, how does it
- choose from the NS records listed in the zone's NS RRset? If the
- selection mechanism is suboptimal, queries are not spread evenly
- among a zone's authoritative servers. The details of the selection
- mechanism are up to the implementor, but we offer some suggestions.
-
-2.11.1 Recommendation
-
- This list is not conclusive, but reflects the changes that would
- produce the most impact in terms of reducing disproportionate query
- load among a zone's authoritative servers. I.e., these changes would
- help spread the query load evenly.
-
- o Do not make assumptions based on NS RRset order: all NS RRs SHOULD
- be treated equally. (In the case of the "com" zone, for example,
- most of the root servers return the NS record for "a.gtld-
- servers.net" first in the authority section of referrals.
- Apparently as a result, this server receives disproportionately
- more traffic than the other 12 authoritative servers for "com".)
-
- o Use all NS records in an RRset. (For example, we are aware of
- implementations that hard-coded information for a subset of the
- root servers.)
-
- o Maintain state and favor the best-performing of a zone's
- authoritative servers. A good definition of performance is
- response time. Non-responsive servers can be penalized with an
- extremely high response time.
-
- o Do not lock onto the best-performing of a zone's name servers. An
- iterative resolver SHOULD periodically check the performance of
- all of a zone's name servers to adjust its determination of the
- best-performing one.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 16]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
-3. IANA considerations
-
- There are no new IANA considerations introduced by this memo.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 17]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
-4. Security considerations
-
- The iterative resolver misbehavior discussed in this document exposes
- the root and TLD name servers to increased risk of both intentional
- and unintentional denial of service attacks.
-
- We believe that implementation of the recommendations offered in this
- document will reduce the amount of unnecessary traffic seen at root
- and TLD name servers, thus reducing the opportunity for an attacker
- to use such queries to his or her advantage.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 18]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
-5. Internationalization considerations
-
- There are no new internationalization considerations introduced by
- this memo.
-
-6. Informative References
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [2] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [3] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
- RFC 2181, July 1997.
-
- [4] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
- [5] Morishita, Y. and T. Jinmei, "Common Misbehavior Against DNS
- Queries for IPv6 Addresses", RFC 4074, May 2005.
-
- [6] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [7] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E.
- Lear, "Address Allocation for Private Internets", BCP 5,
- RFC 1918, February 1996.
-
- [8] <http://www.as112.net>
-
-
-Authors' Addresses
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- Email: mlarson@verisign.com
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 19]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
- Piet Barber
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- Email: pbarber@verisign.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 20]
-
-Internet-Draft Observed DNS Resolution Misbehavior July 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Larson & Barber Expires January 18, 2006 [Page 21]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt
deleted file mode 100644
index 04815175fdba..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt
+++ /dev/null
@@ -1,1344 +0,0 @@
-
-DNSOP O. Kolkman
-Internet-Draft RIPE NCC
-Expires: August 30, 2004 R. Gieben
- NLnet Labs
- March 2004
-
-
- DNSSEC Operational Practices
- draft-ietf-dnsop-dnssec-operational-practices-01.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 30, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This document describes a set of practices for operating a DNSSEC
- aware environment. The target audience is zone administrators
- deploying DNSSEC that need a guide to help them chose appropriate
- values for DNSSEC parameters. It also discusses operational matters
- such as key rollovers, KSK and ZSK considerations and related
- matters.
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 1]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 The Use of the Term 'key' . . . . . . . . . . . . . . . . 3
- 1.2 Keeping the Chain of Trust Intact . . . . . . . . . . . . 3
- 2. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2.1 Time Definitions . . . . . . . . . . . . . . . . . . . . . 4
- 2.2 Time Considerations . . . . . . . . . . . . . . . . . . . 5
- 3. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3.1 Motivations for the KSK and ZSK Functions . . . . . . . . 7
- 3.2 Key Security Considerations . . . . . . . . . . . . . . . 8
- 3.2.1 Key Validity Period . . . . . . . . . . . . . . . . . 8
- 3.2.2 Key Algorithm . . . . . . . . . . . . . . . . . . . . 8
- 3.2.3 Key Sizes . . . . . . . . . . . . . . . . . . . . . . 8
- 3.3 Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 9
- 3.3.1 Zone-signing Key Rollovers . . . . . . . . . . . . . . 10
- 3.3.2 Key-signing Key Rollovers . . . . . . . . . . . . . . 13
- 4. Planning for Emergency Key Rollover . . . . . . . . . . . . . 14
- 4.1 KSK Compromise . . . . . . . . . . . . . . . . . . . . . . 15
- 4.2 ZSK Compromise . . . . . . . . . . . . . . . . . . . . . . 15
- 4.3 Compromises of Keys Anchored in Resolvers . . . . . . . . 16
- 5. Parental Policies . . . . . . . . . . . . . . . . . . . . . . 16
- 5.1 Initial Key Exchanges and Parental Policies
- Considerations . . . . . . . . . . . . . . . . . . . . . . 16
- 5.2 Storing Keys So Hashes Can Be Regenerated . . . . . . . . 16
- 5.3 Security Lameness Checks . . . . . . . . . . . . . . . . . 17
- 5.4 DS Signature Validity Period . . . . . . . . . . . . . . . 17
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
- 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
- 8.1 Normative References . . . . . . . . . . . . . . . . . . . . 18
- 8.2 Informative References . . . . . . . . . . . . . . . . . . . 18
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19
- A. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 19
- B. Zone-signing Key Rollover Howto . . . . . . . . . . . . . . . 20
- C. Typographic Conventions . . . . . . . . . . . . . . . . . . . 20
- D. Document Details and Changes . . . . . . . . . . . . . . . . . 22
- D.1 draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 22
- D.2 draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 22
- Intellectual Property and Copyright Statements . . . . . . . . 23
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 2]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
-1. Introduction
-
- During workshops and early operational deployment tests, operators
- and system administrators gained experience about operating DNSSEC
- aware DNS services. This document translates these experiences into
- a set of practices for zone administrators. At the time of writing,
- there exists very little experience with DNSSEC in production
- environments, this document should therefore explicitly not be seen
- as represented 'Best Current Practices'.
-
- The procedures herein are focused on the maintenance of signed zones
- (i.e. signing and publishing zones on authoritative servers). It is
- intended that maintenance of zones such as resigning or key rollovers
- be transparent to any verifying clients on the Internet.
-
- The structure of this document is as follows: It begins with
- discussing some of the considerations with respect to timing
- parameters of DNS in relation to DNSSEC (Section 2). Aspects of key
- management such as key rollover schemes are described in Section 3.
- Emergency rollover considerations are addressed in Section 4. The
- typographic conventions used in this document are explained in
- Appendix C.
-
- Since this is a document with operational suggestions and there are
- no protocol specifications, the RFC2119 [5] language does not apply.
-
-1.1 The Use of the Term 'key'
-
- It is assumed that the reader is familiar with the concept of
- asymmetric keys on which DNSSEC is based (Public Key Cryptography
- [Ref to Schneider?]). Therefore, this document will use the term
- 'key' rather loosely. Where it is written that 'a key is used to sign
- data' it is assumed that the reader understands that it is the
- private part of the key-pair that is used for signing. It is also
- assumed that the reader understands that the public part of the
- key-pair is published in the DNSKEY resource record and that it is
- used in key-exchanges.
-
-1.2 Keeping the Chain of Trust Intact
-
- Maintaining a valid chain of trust is important because broken chains
- of trust will result in data being marked as bogus, which may cause
- entire (sub)domains to become invisible to verifying clients. The
- administrators of secured zones have to realise that their zone is,
- to their clients, part of a chain of trust.
-
- As mentioned in the introduction, the procedures herein are intended
- to ensure maintenance of zones, such as resigning or key rollovers,
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 3]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- be transparent to the verifying clients on the Internet.
- Administrators of secured zones will have to keep in mind that data
- published on an authoritative primary server will not be immediately
- seen by verifying clients; it may take some time for the data to be
- transfered to other secondary authoritative nameservers, during which
- period clients may be fetching data from caching non-authoritative
- servers. For the verifying clients it is important that data from
- secured zones can be used to build chains of trust regardless of
- whether the data came directly from an authoritative server, a
- caching nameserver or some middle box. Only by carefully using the
- available timing parameters can a zone administrator assure that the
- data necessary for verification can be obtained.
-
- The responsibility for maintaining the chain of trust is shared by
- administrators of secured zones in the chain of trust. This is most
- obvious in the case of a 'key compromise' when a trade off between
- maintaining a valid chain of trust and the fact that the key has been
- stolen, must be made.
-
- The zone administrator will have to make a tradeoff between keeping
- the chain of trust intact -thereby allowing for attacks with the
- compromised key- or to deliberately break the chain of trust thereby
- making secured subdomains invisible to security aware resolvers. Also
- see Section 4.
-
-2. Time in DNSSEC
-
- Without DNSSEC all times in DNS are relative. The SOA's refresh,
- retry and expiration timers are counters that are used to determine
- the time elapsed after a slave server syncronised (or tried to
- syncronise) with a master server. The Time to Live (TTL) value and
- the SOA minimum TTL parameter [6] are used to determine how long a
- forwarder should cache data after it has been fetched from an
- authoritative server. DNSSEC introduces the notion of an absolute
- time in the DNS. Signatures in DNSSEC have an expiration date after
- which the signature is marked as invalid and the signed data is to be
- considered bogus.
-
-2.1 Time Definitions
-
- In this document we will be using a number of time related terms.
- Within the context of this document the following definitions apply:
- o "Signature validity period"
- The period that a signature is valid. It starts at the time
- specified in the signature inception field of the RRSIG RR and
- ends at the time specified in the expiration field of the RRSIG
- RR.
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 4]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- o "Signature publication period"
- Time after which a signature (made with a specific key) is
- replaced with a new signature (made with the same key). This
- replacement takes place by publishing the relevant RRSIG in the
- master zone file. If a signature is published at time T0 and a
- new signature is published at time T1, the signature
- publication period is T1 - T0.
- If all signatures are refreshed at zone (re)signing then the
- signature publication period is equal signature validity
- period.
- o "Maximum/Minimum Zone TTL"
- The maximum or minimum value of all the TTLs in a zone.
-
-2.2 Time Considerations
-
- Because of the expiration of signatures, one should consider the
- following.
- o The Maximum Zone TTL of your zone data should be a fraction of
- your signature validity period.
- If the TTL would be of similar order as the signature validity
- period, then all RRsets fetched during the validity period
- would be cached until the signature expiration time. As a
- result query load on authoritative servers would peak at
- signature expiration time.
- To avoid query load peaks we suggest the TTL on all the RRs in
- your zone to be at least a few times smaller than your
- signature validity period.
- o The signature publication period should be at least one maximum
- TTL smaller than the signature validity period.
- Resigning a zone shortly before the end of the signature
- validity period may cause simultaneous expiration of data from
- caches. This in turn may lead to peaks in the load on
- authoritative servers.
- o The Minimum zone TTL should be long enough to both fetch and
- verify all the RRs in the authentication chain.
- 1. During validation, some data may expire before the
- validation is complete. The validator should be able to keep
- all data, until is completed. This applies to all RRs needed
- to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and
- the final answers i.e. the RR that is returned for the
- initial query.
- 2. Frequent verification causes load on recursive
- nameservers. Data at delegation points, DSs, DNSKEYs and
- RRSIGs benefit from caching. The TTL on those should be
- relatively long.
-
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 5]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- We have seen events where data needed for verification of an
- authentication chain had expired from caches.
- We suggest the TTL on DNSKEY and DSs to be between ten minutes
- and one hour. We recommend zone administrators to chose TTLs
- longer than half a minute.
- [Editor's Note: this observation could be implementation
- specific. We are not sure if we should leave this item]
- o Slave servers will need to be able to fetch newly signed zones
- well before the data expires from your zone.
- 'Better no answers than bad answers.'
- If a properly implemented slave server is not able to contact a
- master server for an extended period the data will at some
- point expire and the slave server will not hand out any data.
- If the server serves a DNSSEC zone than it may well happen that
- the signatures expire well before the SOA expiration timer
- counts down to zero. It is not possible to completely prevent
- this from happening by tweaking the SOA parameters. However,
- the effects can be minimized where the SOA expiration time is
- equal or smaller than the signature validity period.
- The consequence of an authoritative server not being able to
- update a zone, whilst that zone includes expired signaturs, is
- that non-secure resolvers will continue to be able to resolve
- data served by the particular slave servers. Security aware
- resolvers will experience problems.
- We suggest the SOA expiration timer being approximately one
- third or one fourth of the signature validity period. It will
- allow problems with transfers from the master server to be
- noticed before the actual signature time out.
- We suggest that operators of nameservers with slave zones
- develop 'watch dogs' to spot upcoming signature expirations in
- slave zones, and take appropriate action.
- When determining the value for the expiration parameter one has
- to take the following into account: What are the chances that
- all my secondary zones expire; How quickly can I reach an
- administrator and load a valid zone? All these arguments are
- not DNSSEC specific.
-
-3. Keys
-
- In the DNSSEC protocol there is only one type of key, the zone key.
- With this key, the data in a zone is signed.
-
- To make zone re-signing and key rollovers procedures easier to
- implement, it is possible to use one or more keys as Key Signing Keys
- (KSK) these keys will only sign the apex DNSKEY RRs in a zone. Other
- keys can be used to sign all the RRsets in a zone and are referred to
- as Zone Signing Keys (ZSK). In this document we assume that KSKs are
- the subset of keys that are used for key exchanges with the parents
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 6]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- and potentially for configuration as trusted anchors - the so called
- Secure Entry Point keys (SEP). In this document we assume a
- one-to-one mapping between KSK and SEP keys and we assume the SEP
- flag [4] to be set on KSKs.
-
-3.1 Motivations for the KSK and ZSK Functions
-
- Differentiating between the KSK to ZSK functions has several
- advantages:
-
- o Making the KSK stronger (i.e. using more bits in the key material)
- has little operational impact since it is only used to sign a
- small fraction of the zone data.
- o As the KSK is only used to sign a keyset, which is most probably
- updated less frequently than other data in the zone, it can be
- stored separately from (and thus in a safer location than) the
- ZSK.
- o A KSK can be used for longer periods.
- o No parent/child interaction is required when ZSKs are updated.
-
- The KSK is used less than ZSK, once a keyset is signed with the KSK
- all the keys in the keyset can be used as ZSK. If a ZSK is
- compromised, it can be simply dropped from the keyset. The new keyset
- is then resigned with the KSK.
-
- Given the assumption that for KSKs the SEP flag is set, the KSK can
- be distinguished from a ZSK by examining the flag field in the DNSKEY
- RR. If the flag field is an odd number it is a KSK if it is an even
- number it is a ZSK e.g. a value of 256 and a key signing key has 257.
-
- The zone-signing key can be used to sign all the data in a zone on a
- regular basis. When a zone-signing key is to be rolled, no
- interaction with the parent is needed. This allows for relatively
- short "Signature Validity Periods". That is, Signature Validity
- Periods of the order of days.
-
- The key-signing key is only to be used to sign the Key RR set from
- the zone apex. If a key-signing key is to be rolled over, there will
- be interactions with parties other than the zone administrator such
- as the registry of the parent zone or administrators of verifying
- resolvers that have the particular key configured as trusted entry
- points. Hence, the "Key Usage Time" of these keys can and should be
- made much longer. Although, given a long enough key, the "Key Usage
- Time" can be on the order of years we suggest to plan for a "Key
- Usage Time" of the order of a few months so that a key rollover
- remains an operational routine.
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 7]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
-3.2 Key Security Considerations
-
- Keys in DNSSEC have a number of parameters which should all be chosen
- with care, the most important once are: size, algorithm and the key
- validity period (its lifetime).
-
-3.2.1 Key Validity Period
-
- RFC2541 [2] describes a number of considerations with respect to the
- security of keys. The document deals with the generation, lifetime,
- size and storage of private keys.
-
- In Section 3 of RFC2541 [2] there are some suggestions for a key
- validity period: 13 months for long-lived keys and 36 days for
- transaction keys but suggestions for key sizes are not made.
-
- If we say long-lived keys are key-signing keys and transactions keys
- are zone-signing keys, these recommendations will lead to rollovers
- occurring frequently enough to become part of 'operational habits';
- the procedure does not have to be reinvented every time a key is
- replaced.
-
-3.2.2 Key Algorithm
-
- We recommend you choose RSA/SHA-1 as the preferred algorithm for the
- key. RSA has been developed in an open and transparent manner. As the
- patent on RSA expired in 2001, its use is now also free. The current
- known attacks on RSA can be defeated by making your key longer. As
- the MD5 hashing algorithm is showing (theoretical) cracks, we
- recommend the usage of SHA1.
-
-3.2.3 Key Sizes
-
- When choosing key sizes, zone administrators will need to take into
- account how long a key will be used and how much data will be signed
- during the key publication period. It is hard to give precise
- recommendations but Lenstra and Verheul [9] supplied the following
- table with lower bound estimates for cryptographic key sizes. Their
- recommendations are based on a set of explicitly formulated parameter
- settings, combined with existing data points about cryptosystems. For
- details we refer to the original paper.
-
- [Editor's Note: DSA???]
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 8]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- Year RSA Key Sizes Elliptic Curve Key Size
- 2000 952 132
- 2001 990 135
- 2002 1028 139
- 2003 1068 140
- 2004 1108 143
-
- 2005 1149 147
- 2006 1191 148
- 2007 1235 152
- 2008 1279 155
- 2009 1323 157
-
-
- 2010 1369 160
- 2011 1416 163
- 2012 1464 165
- 2013 1513 168
- 2014 1562 172
-
- 2015 1613 173
- 2016 1664 177
- 2017 1717 180
- 2018 1771 181
- 2019 1825 185
-
-
- 2020 1881 188
- 2021 1937 190
- 2022 1995 193
- 2023 2054 197
- 2024 2113 198
-
- 2025 2174 202
- 2026 2236 205
- 2027 2299 207
- 2028 2362 210
- 2029 2427 213
-
- For example, should you wish your key to last three years from 2003,
- check the RSA keysize values for 2006 in this table. In this case
- 1191.
-
-3.3 Key Rollovers
-
- Key rollovers are a fact of life when using DNSSEC. A DNSSEC key
- cannot be used forever (see RFC2541 [2] and Section 3.2 ). Zone
- administrators who are in the process of rolling their keys have to
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 9]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- take into account that data published in previous versions of their
- zone still lives in caches. When deploying DNSSEC, this becomes an
- important consideration; ignoring data that may be in caches may lead
- to loss of service for clients.
-
- The most pressing example of this is when zone material signed with
- an old key is being validated by a resolver which does not have the
- old zone key cached. If the old key is no longer present in the
- current zone, this validation fails, marking the data bogus.
- Alternatively, an attempt could be made to validate data which is
- signed with a new key against an old key that lives in a local cache,
- also resulting in data being marked bogus.
-
- To appreciate the situation one could think of a number of
- authoritative servers that may not be instantaneously running the
- same version of a zone and a security aware non-recursive resolver
- that sits behind security aware caching forwarders.
-
- Note that KSK rollovers and ZSK rollovers are different. A zone-key
- rollover can be handled in two different ways: pre-publish (Section
- Section 3.3.1.1) and double signature (Section Section 3.3.1.2). The
- pre-publish technique works because the key-signing key stays the
- same during this ZSK rollover. With this KSK a cache is able to
- validate the new keyset of a zone. With a KSK rollover a cache can
- not validate the new keyset, because it does not trust the new KSK.
-
- [Editors note: This needs more verbose explanation, nobody will
- appreciate the situation just yet. Help with text and examples is
- appreciated]
-
-3.3.1 Zone-signing Key Rollovers
-
- For zone-signing key rollovers there are two ways to make sure that
- during the rollover data still cached can be verified with the new
- keysets or newly generated signatures can be verified with the keys
- still in caches. One schema uses double signatures, it is described
- in Section 3.3.1.2, the other uses key pre-publication (Section
- 3.3.1.1). The pros, cons and recommendations are described in Section
- 3.3.1.3.
-
-3.3.1.1 Pre-publish Keyset Rollover
-
- This section shows how to perform a ZSK rollover without the need to
- sign all the data in a zone twice - the so called "prepublish
- rollover". We recommend this method because it has advantages in the
- case of key compromise. If the old key is compromised, the new key
- has already been distributed in the DNS. The zone administrator is
- then able to quickly switch to the new key and remove the compromised
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 10]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- key from the zone. Another major advantage is that the zone size does
- not double, as is the case with the double signature ZSK rollover. A
- small "HOWTO" for this kind of rollover can be found in Appendix B.
-
- normal pre-roll roll after
-
- SOA0 SOA1 SOA2 SOA3
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
-
- DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-
-
- normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
- DNSKEY 10 is used to sign all the data of the zone, the
- zone-signing key.
- pre-roll: DNSKEY 11 is introduced into the keyset. Note that no
- signatures are generated with this key yet, but this does not
- secure against brute force attacks on the public key. The minimum
- duration of this pre-roll phase is the time it takes for the data
- to propagate to the authoritative servers plus TTL value of the
- keyset. This equates to two times the Maximum Zone TTL.
- roll: At the rollover stage (SOA serial 1) DNSKEY 11 is used to sign
- the data in the zone exclusively (i.e. all the signatures from
- DNSKEY 10 are removed from the zone). DNSKEY 10 remains published
- in the keyset. This way data that was loaded into caches from
- version 1 of the zone can still be verified with key sets fetched
- from version 2 of the zone.
- The minimum time that the keyset including DNSKEY 10 is to be
- published is the time that it takes for zone data from the
- previous version of the zone to expire from old caches i.e. the
- time it takes for this zone to propagate to all authoritative
- servers plus the Maximum Zone TTL value of any of the data in the
- previous version of the zone.
- after: DNSKEY 10 is removed from the zone. The keyset, now only
- containing DNSKEY 11 is resigned with the DNSKEY 1.
-
- The above scheme can be simplified by always publishing the "future"
- key immediately after the rollover. The scheme would look as follows
- (we show two rollovers); the future key is introduced in "after" as
- DNSKEY 12 and again a newer one, numbered 13, in "2nd after":
-
-
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 11]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- normal roll after 2nd roll 2nd after
-
- SOA0 SOA2 SOA3 SOA4 SOA5
- RRSIG10(SOA0) RRSIG11(SOA2) RRSIG11(SOA3) RRSIG12(SOA4) RRSIG12(SOA5)
-
- DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 DNSKEY12
- DNSKEY11 DNSKEY11 DNSKEY12 DNSKEY12 DNSKEY13
- RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) RRSIG12(DNSKEY) RRSIG12(DNSKEY)
-
-
- Note that the key introduced after the rollover is not used for
- production yet; the private key can thus be stored in a physically
- secure manner and does not need to be 'fetched' every time a zone
- needs to be signed.
-
- This scheme has the benefit that the key that is intended for future
- use: immediately during an emergency rollover assuming that the
- private key was stored in a physically secure manner.
-
-3.3.1.2 Double Signature Zone-signing Key Rollover
-
- This section shows how to perform a ZSK key rollover using the double
- zone data signature scheme, aptly named "double sig rollover".
-
- During the rollover stage the new version of the zone file will need
- to propagate to all authoritative servers and the data that exists in
- (distant) caches will need to expire, this will take at least the
- maximum Zone TTL .
-
- normal roll after
-
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
- RRSIG11(SOA1)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11
- RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
- RRSIG11(DNSKEY)
-
- normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
- DNSKEY 10 is used to sign all the data of the zone, the
- zone-signing key.
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 12]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced
- into the keyset and all the data in the zone is signed with DNSKEY
- 10 and DNSKEY 11. The rollover period will need to exist until all
- data from version 0 of the zone has expired from remote caches.
- This will take at least the maximum Zone TTL of version 0 of the
- zone.
- after: DNSKEY 10 is removed from the zone. All the signatures from
- DNSKEY 10 are removed from the zone. The keyset, now only
- containing DNSKEY 11, is resigned with DNSKEY 1.
-
- At every instance the data from the previous version of the zone can
- be verified with the key from the current version and vice verse. The
- data from the current version can be verified with the data from the
- previous version of the zone. The duration of the rollover phase and
- the period between rollovers should be at least the "Maximum Zone
- TTL".
-
- Making sure that the rollover phase lasts until the signature
- expiration time of the data in version 0 of the zone is recommended.
- However, this date could be considerably longer than the Maximum Zone
- TTL, making the rollover a lengthy procedure.
-
- Note that in this example we assumed that the zone was not modified
- during the rollover. New data can be introduced in the zone as long
- as it is signed with both keys.
-
-3.3.1.3 Pros and Cons of the Schemes
-
- Prepublish-keyset rollover: This rollover does not involve signing
- the zone data twice. Instead, just before the actual rollover, the
- new key is published in the keyset and thus available for
- cryptanalysis attacks. A small disavantage is that this process
- requires four steps. Also the prepublish scheme will not work for
- KSKs as explained in Section 3.3.
- Double signature rollover: The drawback of this signing scheme is
- that during the rollover the number of signatures in your zone
- doubles, this may be prohibitive if you have very big zones. An
- advantage is that it only requires three steps.
-
-3.3.2 Key-signing Key Rollovers
-
- For the rollover of a key-signing key the same considerations as for
- the rollover of a zone-signing key apply. However we can use a double
- signature scheme to guarantee that old data (only the apex keyset) in
- caches can be verified with a new keyset and vice versa.
-
- Since only the keyset is signed with a KSK, zone size considerations
- do not apply.
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 13]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- normal roll after
-
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG10(SOA2)
-
- DNSKEY1 DNSKEY1 DNSKEY2
- DNSKEY2
- DNSKEY10 DNSKEY10 DNSKEY10
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY)
- RRSIG2 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
- normal: Version 0 of the zone. The parental DS points to DNSKEY1.
- Before the rollover starts the child will have to verify what the
- TTL is of the DS RR that points to DNSKEY1 - it is needed during
- the rollover and we refer to the value as TTL_DS.
- roll: During the rollover phase the zone administrator generates a
- second KSK, DNSKEY2. The key is provided to the parent and the
- child will have to wait until a new DS RR has been generated that
- points to DNSKEY2. After that DS RR has been published on _all_
- servers authoritative for the parents zone, the zone administrator
- has to wait at least TTL_DS to make sure that the old DS RR has
- expired from distant caches.
- after: DNSKEY1 has been removed.
-
- The scenario above puts the responsibility for maintaining a valid
- chain of trust with the child. It also is based on the premises that
- the parent only has one DS RR (per algorithm) per zone. St John [The
- draft has expired] proposed a mechanism where using an established
- trust relation, the interaction can be performed in-band. In this
- mechanism there are periods where there are two DS RRs at the parent.
-
- [Editors note: We probably need to mention more]
-
-4. Planning for Emergency Key Rollover
-
- This section deals with preparation for a possible key compromise.
- Our advice is to have a documented procedure ready for when a key
- compromise is suspected or confirmed.
-
- [Editors note: We are much in favor of a rollover tactic that keeps
- the authentication chain intact as long as possible. This means that
- one has to take all the regular rollover properties into account.]
-
- When the private material of one of your keys is compromised it can
- be used for as long as a valid authentication chain exists. An
- authentication chain remains intact for:
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 14]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- o as long as a signature over the compromised key in the
- authentication chain is valid,
- o as long as a parental DS RR (and signature) points to the
- compromised key,
- o as long as the key is anchored in a resolver and is used as a
- starting point for validation. (This is the hardest to update.)
- While an authentication chain to your compromised key exists, your
- name-space is vulnerable to abuse by the malicious key holder (i.e.
- the owner of the compromised key). Zone operators have to make a
- trade off if the abuse of the compromised key is worse than having
- data in caches that cannot be validated. If the zone operator chooses
- to break the authentication chain to the compromised key, data in
- caches signed with this key cannot be validated. However, if the zone
- administrator chooses to take the path of a regular roll-over, the
- malicious key holder can spoof data so that it appears to be valid,
- note that this kind of attack will usually be localised in the
- Internet topology.
-
-
-4.1 KSK Compromise
-
- When the KSK has been compromised the parent must be notified as soon
- as possible using secure means. The keyset of the zone should be
- resigned as soon as possible. Care must be taken to not break the
- authentication chain. The local zone can only be resigned with the
- new KSK after the parent's zone has been updated with the new KSK.
- Before this update takes place it would be best to drop the security
- status of a zone all together: the parent removes the DS of the child
- at the next zone update. After that the child can be made secure
- again.
-
- An additional danger of a key compromise is that the compromised key
- can be used to facilitate a legitimate DNSKEY/DS and/or nameserver
- rollover at the parent. When that happens the domain can be in
- dispute. An out of band and secure notify mechanism to contact a
- parent is needed in this case.
-
-4.2 ZSK Compromise
-
- Primarily because there is no parental interaction required when a
- ZSK is compromised, the situation is less severe than with with a KSK
- compromise. The zone must still be resigned with a new ZSK as soon
- as possible. As this is a local operation and requires no
- communication between the parent and child this can be achieved
- fairly quickly. However, one has to take into account that just as
- with a normal rollover the immediate disappearance from the old
- compromised key may lead to verification problems. The
- pre-publication scheme as discussed above minimises such problems.
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 15]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
-4.3 Compromises of Keys Anchored in Resolvers
-
- A key can also be pre-configured in resolvers. If DNSSEC is rolled
- out as planned the root key should be pre-configured in every secure
- aware resolver on the planet. [Editors Note: add more about
- authentication of a newly received resolver key]
-
- If trust-anchor keys are compromised, the resolvers using these keys
- should be notified of this fact. Zone administrators may consider
- setting up a mailing list to communicate the fact that a SEP key is
- about to be rolled over. This communication will of course need to be
- authenticated e.g. by using digital signatures.
-
-5. Parental Policies
-
-5.1 Initial Key Exchanges and Parental Policies Considerations
-
- The initial key exchange is always subject to the policies set by the
- parent (or its registry). When designing a key exchange policy one
- should take into account that the authentication and authorisation
- mechanisms used during a key exchange should be as strong as the
- authentication and authorisation mechanisms used for the exchange of
- delegation information between parent and child.
-
- Using the DNS itself as the source for the actual DNSKEY material,
- with an off-band check on the validity of the DNSKEY, has the benefit
- that it reduces the chances of user error. A parental DNSKEY download
- tool can make use of the SEP bit [4] to select the proper key from a
- DNSSEC keyset; thereby reducing the chance that the wrong DNSKEY is
- sent. It can validate the self-signature over a key; thereby
- verifying the ownership of the private key material. Fetching the
- DNSKEY from the DNS ensures that the child will not become bogus once
- the parent publishes the DS RR indicating the child is secure.
-
- Note: the off-band verification is still needed when the key-material
- is fetched by a tool. The parent can not be sure whether the DNSKEY
- RRs have been spoofed.
-
-5.2 Storing Keys So Hashes Can Be Regenerated
-
- When designing a registry system one should consider if the DNSKEYs
- and/or the corresponding DSs are stored. Storing DNSKEYs will help
- during troubleshooting while the overhead of calculating DS records
- from them is minimal.
-
- Having an out-of-band mechanism, such as a Whois database, to find
- out which keys are used to generate DS Resource Records for specific
- owners may also help with troubleshooting.
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 16]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
-5.3 Security Lameness Checks
-
- Security Lameness is defined as what happens when a parent has a DS
- Resource Record pointing to a non-existing DNSKEY RR. During key
- exchange a parent should make sure that the child's key is actually
- configured in the DNS before publishing a DS RR in its zone. Failure
- to do so would render the child's zone being marked as bogus.
-
- Child zones should be very careful removing DNSKEY material,
- specifically SEP keys, for which a DS RR exists.
-
- Once a zone is "security lame" a fix (e.g. by removing a DS RR) will
- take time to propagate through the DNS.
-
-5.4 DS Signature Validity Period
-
- Since the DS can be replayed as long as it has a valid signature a
- short signature validity period over the DS minimises the time a
- child is vulnerable in the case of a compromise of the child's
- KSK(s). A signature validity period that is too short introduces the
- possibility that a zone is marked bogus in case of a configuration
- error in the signer; there may not be enough time to fix the problems
- before signatures expire. Something as mundane as operator
- unavailability during weekends shows the need for DS signature
- lifetimes longer than 2 days. We recommend the minimum for a DS
- signature validity period to be a few days.
-
- The maximum signature lifetime of the DS record depends on how long
- child zones are willing to be vulnerable after a key compromise. We
- consider a signature validity period of around one week to be a good
- compromise between the operational constraints of the parent and
- minimising damage for the child.
-
-6. Security Considerations
-
- DNSSEC adds data integrity to the DNS. This document tries to assess
- considerations to operate a stable and secure DNSSEC service. Not
- taking into account the 'data propagation' properties in the DNS will
- cause validation failures and may make secured zones unavailable to
- security aware resolvers.
-
-7. Acknowledgments
-
- We, the folk mentioned as authors, only acted as editors. Most of the
- ideas in this draft were the result of collective efforts during
- workshops, discussions and try outs.
-
- At the risk of forgetting individuals who where the original
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 17]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- contributors of the ideas we would like to acknowledge people who
- where actively involved in the compilation of this document. In
- random order: Olafur Gudmundsson, Wesley Griffin, Michael Richardson,
- Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette and Olivier
- Courtay, Sam Weiler.
-
- Emma Bretherick and Adrian Bedford corrected many of the spelling and
- style issues.
-
- Kolkman and Gieben take the blame for introducing all miscakes(SIC).
-
-8. References
-
-8.1 Normative References
-
- [1] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [2] Eastlake, D., "DNS Security Operational Considerations", RFC
- 2541, March 1999.
-
- [3] Lewis, E., "DNS Security Extension Clarification on Zone
- Status", RFC 3090, March 2001.
-
- [4] Lewis, E., Kolkman, O. and J. Schlyter, "KEY RR Key-Signing Key
- (KSK) Flag", draft-ietf-dnsext-keyrr-key-signing-flag-06 (work
- in progress), February 2003.
-
-8.2 Informative References
-
- [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [6] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
- 2308, March 1998.
-
- [7] Gudmundsson, O., "Delegation Signer Resource Record",
- draft-ietf-dnsext-delegation-signer-13 (work in progress), March
- 2003.
-
- [8] Arends, R., "Protocol Modifications for the DNS Security
- Extensions", draft-ietf-dnsext-dnssec-protocol-01 (work in
- progress), March 2003.
-
- [9] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key Sizes",
- The Journal of Cryptology 14 (255-293), 2001.
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 18]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
-Authors' Addresses
-
- Olaf M. Kolkman
- RIPE NCC
- Singel 256
- Amsterdam 1016 AB
- The Netherlands
-
- Phone: +31 20 535 4444
- EMail: olaf@ripe.net
- URI: http://www.ripe.net/
-
-
- Miek Gieben
- NLnet Labs
- Kruislaan 419
- Amsterdam 1098 VA
- The Netherlands
-
- EMail: miek@nlnetlabs.nl
- URI: http://www.nlnetlabs.nl
-
-Appendix A. Terminology
-
- In this document there is some jargon used that is defined in other
- documents. In most cases we have not copied the text from the
- documents defining the terms but given a more elaborate explanation
- of the meaning. Note that these explanations should not be seen as
- authoritative.
-
- Private and Public Keys: DNSSEC secures the DNS through the use of
- public key cryptography. Public key cryptography is based on the
- existence of two keys, a public key and a private key. The public
- keys are published in the DNS by use of the DNSKEY Resource Record
- (DNSKEY RR). Private keys should remain private i.e. should not be
- exposed to parties not-authorised to do the actual signing.
- Signer: The system that has access to the private key material and
- signs the Resource Record sets in a zone. A signer may be
- configured to sign only parts of the zone e.g. only those RRsets
- for which existing signatures are about to expire.
- KSK: A Key-Signing Key (KSK) is a key that is used exclusively for
- signing the apex keyset. The fact that a key is a KSK is only
- relevant to the signing tool.
- ZSK: A Zone Signing Key (ZSK) is a key that is used for signing all
- data in a zone. The fact that a key is a ZSK is only relevant to
- the signing tool.
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 19]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- SEP Key: A KSK that has a parental DS record pointing to it. Note:
- this is not enforced in the protocol. A SEP Key with no parental
- DS is security lame.
- Anchored Key: A DNSKEY configured in resolvers around the globe. This
- Key is hard to update, hence the term anchored.
- Bogus: [Editors Note: a reference here] An RRset in DNSSEC is marked
- "Bogus" when a signature of a RRset does not validate against the
- DNSKEY. Even if the key itself was not marked Bogus. A cache may
- choose to cache Bogus data for various reasons.
- Singing the Zone File: The term used for the event where an
- administrator joyfully signs its zone file while producing melodic
- sound patterns.
- Zone Administrator: The 'role' that is responsible for signing a zone
- and publishing it on the primary authoritative server.
-
-Appendix B. Zone-signing Key Rollover Howto
-
- Using the pre-published signature scheme and the most conservative
- method to assure oneself that data does not live in distant caches
- here follows the "HOWTO". [WES: has some comments about this]
- Key notation:
- Step 0: The preparation: Create two keys and publish both in your
- keyset. Mark one of the keys as "active" and the other as
- "published". Use the "active" key for signing your zone data.
- Store the private part of the "published" key, preferably
- off-line.
- Step 1: Determine expiration: At the beginning of the rollover make a
- note of the highest expiration time of signatures in your zone
- file created with the current key marked as "active".
- Wait until the expiration time marked in Step 1 has passed
- Step 2: Then start using the key that was marked as "published" to
- sign your data i.e. mark it as "active". Stop using the key that
- was marked as "active", mark it as "rolled".
- Step 3: It is safe to engage in a new rollover (Step 1) after at
- least one "signature validity period".
-
-Appendix C. Typographic Conventions
-
- The following typographic conventions are used in this document:
- Key notation: A key is denoted by KEYx, where x is a number, x could
- be thought of as the key id.
- RRset notations: RRs are only denoted by the type. All other
- information - owner, class, rdata and TTL - is left out. Thus:
- example.com 3600 IN A 192.168.1.1 is reduced to: A. RRsets are a
- list of RRs. A example of this would be: A1,A2, specifying the
- RRset containing two A records. This could again be abbreviated to
- just: A.
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 20]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- Signature notation: Signatures are denoted as RRSIGx(RRset), which
- means that RRset is signed with DNSKEYx.
- Zone representation: Using the above notation we have simplified the
- representation of a signed zone by leaving out all unnecessary
- details such as the names and by representing all data by "SOAx"
- SOA representation: SOA's are represented as SOAx, where x is the
- serial number.
- Using this notation the following zone :
-
-
- example.net. 600 IN SOA ns.example.net. ernie.example.net. (
- 10 ; serial
- 450 ; refresh (7 minutes 30 seconds)
- 600 ; retry (10 minutes)
- 345600 ; expire (4 days)
- 300 ; minimum (5 minutes)
- )
- 600 RRSIG SOA 5 2 600 20130522213204 (
- 20130422213204 14 example.net.
- cmL62SI6iAX46xGNQAdQ... )
- 600 NS a.iana-servers.net.
- 600 NS b.iana-servers.net.
- 600 RRSIG NS 5 2 600 20130507213204 (
- 20130407213204 14 example.net.
- SO5epiJei19AjXoUpFnQ ... )
- 3600 DNSKEY 256 3 5 (
- EtRB9MP5/AvOuVO0I8XDxy0...
- ) ; key id = 14
- 3600 DNSKEY 256 3 5 (
- gsPW/Yy19GzYIY+Gnr8HABU...
- ) ; key id = 15
- 3600 RRSIG DNSKEY 5 2 3600 20130522213204 (
- 20130422213204 14 example.net.
- J4zCe8QX4tXVGjV4e1r9... )
- 3600 RRSIG DNSKEY 5 2 3600 20130522213204 (
- 20130422213204 15 example.net.
- keVDCOpsSeDReyV6O... )
- 600 NSEC a.example.net. NS SOA TXT RRSIG DNSKEY NSEC
- 600 RRSIG NSEC 5 2 600 20130507213204 (
- 20130407213204 14 example.net.
- obj3HEp1GjnmhRjX... )
- a.example.net. 600 IN TXT "A label"
- 600 RRSIG TXT 5 3 600 20130507213204 (
- 20130407213204 14 example.net.
- IkDMlRdYLmXH7QJnuF3v... )
- 600 NSEC b.example.com. TXT RRSIG NSEC
- 600 RRSIG NSEC 5 3 600 20130507213204 (
- 20130407213204 14 example.net.
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 21]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- bZMjoZ3bHjnEz0nIsPMM... )
-
- ...
-
-
- is reduced to the following represenation:
-
- SOA10
- RRSIG14(SOA10)
-
- DNSKEY14
- DNSKEY15
-
- RRSIG14(KEY)
- RRSIG15(KEY)
-
- The rest of the zone data has the same signature as the SOA record,
- i.e a RRSIG created with DNSKEY 14.
-
-Appendix D. Document Details and Changes
-
- This section is to be removed by the RFC editor if and when the
- document is published.
-
- $Header: /var/cvs/dnssec-key/
- draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.22 2004/05/12
- 08:29:11 dnssec Exp $
-
-D.1 draft-ietf-dnsop-dnssec-operational-practices-00
-
- Submission as working group document. This document is a modified and
- updated version of draft-kolkman-dnssec-operational-practices-00.
-
-D.2 draft-ietf-dnsop-dnssec-operational-practices-01
-
- changed the definition of "Bogus" to reflect the one in the protocol
- draft.
-
- Bad to Bogus
-
- Style and spelling corrections
-
- KSK - SEP mapping made explicit.
-
- Updates from Sam Weiler added
-
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 22]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 23]
-
-Internet-Draft DNSSEC Operational Practices March 2004
-
-
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires August 30, 2004 [Page 24]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt
deleted file mode 100644
index a5d0d6079a70..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-04.txt
+++ /dev/null
@@ -1,1736 +0,0 @@
-
-
-
-DNSOP O. Kolkman
-Internet-Draft RIPE NCC
-Expires: September 2, 2005 R. Gieben
- NLnet Labs
- March 2005
-
-
- DNSSEC Operational Practices
- draft-ietf-dnsop-dnssec-operational-practices-04.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on September 2, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document describes a set of practices for operating the DNS with
- security extensions (DNSSEC). The target audience is zone
- administrators deploying DNSSEC.
-
- The document discusses operational aspects of using keys and
- signatures in the DNS. It discusses issues as key generation, key
- storage, signature generation, key rollover and related policies.
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 1]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1 The Use of the Term 'key' . . . . . . . . . . . . . . . . 4
- 1.2 Time Definitions . . . . . . . . . . . . . . . . . . . . . 5
- 2. Keeping the Chain of Trust Intact . . . . . . . . . . . . . . 5
- 3. Keys Generation and Storage . . . . . . . . . . . . . . . . . 6
- 3.1 Zone and Key Signing Keys . . . . . . . . . . . . . . . . 6
- 3.1.1 Motivations for the KSK and ZSK Separation . . . . . . 6
- 3.1.2 KSKs for high level zones . . . . . . . . . . . . . . 7
- 3.2 Randomness . . . . . . . . . . . . . . . . . . . . . . . . 8
- 3.3 Key Effectivity Period . . . . . . . . . . . . . . . . . . 8
- 3.4 Key Algorithm . . . . . . . . . . . . . . . . . . . . . . 9
- 3.5 Key Sizes . . . . . . . . . . . . . . . . . . . . . . . . 9
- 3.6 Private Key Storage . . . . . . . . . . . . . . . . . . . 10
- 4. Signature generation, Key Rollover and Related Policies . . . 11
- 4.1 Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . 11
- 4.1.1 Time Considerations . . . . . . . . . . . . . . . . . 11
- 4.2 Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 13
- 4.2.1 Zone-signing Key Rollovers . . . . . . . . . . . . . . 13
- 4.2.2 Key-signing Key Rollovers . . . . . . . . . . . . . . 17
- 4.2.3 Difference Between ZSK and KSK Rollovers . . . . . . . 18
- 4.2.4 Automated Key Rollovers . . . . . . . . . . . . . . . 19
- 4.3 Planning for Emergency Key Rollover . . . . . . . . . . . 19
- 4.3.1 KSK Compromise . . . . . . . . . . . . . . . . . . . . 20
- 4.3.2 ZSK Compromise . . . . . . . . . . . . . . . . . . . . 20
- 4.3.3 Compromises of Keys Anchored in Resolvers . . . . . . 20
- 4.4 Parental Policies . . . . . . . . . . . . . . . . . . . . 21
- 4.4.1 Initial Key Exchanges and Parental Policies
- Considerations . . . . . . . . . . . . . . . . . . . . 21
- 4.4.2 Storing Keys or Hashes? . . . . . . . . . . . . . . . 21
- 4.4.3 Security Lameness . . . . . . . . . . . . . . . . . . 22
- 4.4.4 DS Signature Validity Period . . . . . . . . . . . . . 22
- 5. Security Considerations . . . . . . . . . . . . . . . . . . . 23
- 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23
- 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
- 7.1 Normative References . . . . . . . . . . . . . . . . . . . 24
- 7.2 Informative References . . . . . . . . . . . . . . . . . . 24
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
- A. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 25
- B. Zone-signing Key Rollover Howto . . . . . . . . . . . . . . . 26
- C. Typographic Conventions . . . . . . . . . . . . . . . . . . . 26
- D. Document Details and Changes . . . . . . . . . . . . . . . . . 29
- D.1 draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 29
- D.2 draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 29
- D.3 draft-ietf-dnsop-dnssec-operational-practices-02 . . . . . 29
- D.4 draft-ietf-dnsop-dnssec-operational-practices-03 . . . . . 29
- D.5 draft-ietf-dnsop-dnssec-operational-practices-04 . . . . . 30
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 2]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- Intellectual Property and Copyright Statements . . . . . . . . 31
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 3]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
-1. Introduction
-
- During workshops and early operational deployment tests, operators
- and system administrators gained experience about operating the DNS
- with security extensions (DNSSEC). This document translates these
- experiences into a set of practices for zone administrators. At the
- time of writing, there exists very little experience with DNSSEC in
- production environments; this document should therefore explicitly
- not be seen as representing 'Best Current Practices'.
-
- The procedures herein are focused on the maintenance of signed zones
- (i.e. signing and publishing zones on authoritative servers). It is
- intended that maintenance of zones such as resigning or key rollovers
- be transparent to any verifying clients on the Internet.
-
- The structure of this document is as follows. In Section 2 we
- discuss the importance of keeping the "chain of trust" intact.
- Aspects of key generation and storage of private keys are discussed
- in Section 3; the focus in this section is mainly on the private part
- of the key(s). Section 4 describes considerations concerning the
- public part of the keys. Since these public keys appear in the DNS
- one has to take into account all kinds of timing issues, which are
- discussed in Section 4.1. Section 4.2 and Section 4.3 deal with the
- rollover, or which, of keys. Finally Section 4.4 discusses
- considerations on how parents deal with their children's public keys
- in order to maintain chains of trust.
-
- The typographic conventions used in this document are explained in
- Appendix C.
-
- Since this is a document with operational suggestions and there are
- no protocol specifications, the RFC2119 [4] language does not apply.
-
- This document obsoletes RFC2541 [7]
-
-1.1 The Use of the Term 'key'
-
- It is assumed that the reader is familiar with the concept of
- asymmetric keys on which DNSSEC is based (Public Key Cryptography
- [11]). Therefore, this document will use the term 'key' rather
- loosely. Where it is written that 'a key is used to sign data' it is
- assumed that the reader understands that it is the private part of
- the key-pair that is used for signing. It is also assumed that the
- reader understands that the public part of the key-pair is published
- in the DNSKEY resource record and that it is the public part that is
- used in key-exchanges.
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 4]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
-1.2 Time Definitions
-
- In this document we will be using a number of time related terms.
- The following definitions apply:
- o "Signature validity period"
- The period that a signature is valid. It starts at the time
- specified in the signature inception field of the RRSIG RR and
- ends at the time specified in the expiration field of the RRSIG
- RR.
- o "Signature publication period"
- Time after which a signature (made with a specific key) is
- replaced with a new signature (made with the same key). This
- replacement takes place by publishing the relevant RRSIG in the
- master zone file.
- After one stopped publishing an RRSIG in a zone it may take a
- while before the RRSIG has expired from caches and has actually
- been removed from the DNS.
- o "Key effectivity period"
- The period which a key pair is expected to be effective. This
- period is defined as the time between the first inception time
- stamp and the last expiration date of any signature made with
- this key.
- The key effectivity period can span multiple signature validity
- periods.
- o "Maximum/Minimum Zone TTL"
- The maximum or minimum value of the TTLs from the complete set
- of RRs in a zone.
-
-2. Keeping the Chain of Trust Intact
-
- Maintaining a valid chain of trust is important because broken chains
- of trust will result in data being marked as Bogus (as defined in [2]
- section 5), which may cause entire (sub)domains to become invisible
- to verifying clients. The administrators of secured zones have to
- realize that their zone is, to their clients, part of a chain of
- trust.
-
- As mentioned in the introduction, the procedures herein are intended
- to ensure maintenance of zones, such as resigning or key rollovers,
- will be transparent to the verifying clients on the Internet.
-
- Administrators of secured zones will have to keep in mind that data
- published on an authoritative primary server will not be immediately
- seen by verifying clients; it may take some time for the data to be
- transfered to other secondary authoritative nameservers and clients
- may be fetching data from caching non-authoritative servers.
-
- For the verifying clients it is important that data from secured
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 5]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- zones can be used to build chains of trust regardless of whether the
- data came directly from an authoritative server, a caching nameserver
- or some middle box. Only by carefully using the available timing
- parameters can a zone administrator assure that the data necessary
- for verification can be obtained.
-
- The responsibility for maintaining the chain of trust is shared by
- administrators of secured zones in the chain of trust. This is most
- obvious in the case of a 'key compromise' when a trade off between
- maintaining a valid chain of trust and replacing the compromised keys
- as soon as possible must be made. Then zone administrators will have
- to make a trade off, between keeping the chain of trust intact -
- thereby allowing for attacks with the compromised key - or to
- deliberately break the chain of trust and making secured sub domains
- invisible to security aware resolvers. Also see Section 4.3.
-
-3. Keys Generation and Storage
-
- This section describes a number of considerations with respect to the
- security of keys. It deals with the generation, effectivity period,
- size and storage of private keys.
-
-3.1 Zone and Key Signing Keys
-
- The DNSSEC validation protocol does not distinguish between DNSKEYs.
- All DNSKEYs can be used during the validation. In practice operators
- use Key Signing and Zone Signing Keys and use the so-called (Secure
- Entry Point) SEP flag to distinguish between them during operations.
- The dynamics and considerations are discussed below.
-
- To make zone resigning and key rollover procedures easier to
- implement, it is possible to use one or more keys as Key Signing Keys
- (KSK). These keys will only sign the apex DNSKEY RR set in a zone.
- Other keys can be used to sign all the RRsets in a zone and are
- referred to as Zone Signing Keys (ZSK). In this document we assume
- that KSKs are the subset of keys that are used for key exchanges with
- the parent and potentially for configuration as trusted anchors - the
- SEP keys. In this document we assume a one-to-one mapping between
- KSK and SEP keys and we assume the SEP flag [1] to be set on all
- KSKs.
-
-3.1.1 Motivations for the KSK and ZSK Separation
-
- Differentiating between the KSK and ZSK functions has several
- advantages:
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 6]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- o No parent/child interaction is required when ZSKs are updated.
- o The KSK can be made stronger (i.e. using more bits in the key
- material). This has little operational impact since it is only
- used to sign a small fraction of the zone data. Also when
- verifying the KSK is only used to verify the zone's keyset.
- o As the KSK is only used to sign a key set, which is most probably
- updated less frequently than other data in the zone, it can be
- stored separately from and in a safer location than the ZSK.
- o A KSK can have a longer key effectivity period.
-
- For almost any method of key management and zone signing the KSK is
- used less frequently than the ZSK. Once a key set is signed with the
- KSK all the keys in the key set can be used as ZSK. If a ZSK is
- compromised, it can be simply dropped from the key set. The new key
- set is then resigned with the KSK.
-
- Given the assumption that for KSKs the SEP flag is set, the KSK can
- be distinguished from a ZSK by examining the flag field in the DNSKEY
- RR. If the flag field is an odd number it is a KSK. If it is an
- even number it is a ZSK.
-
- The zone-signing key can be used to sign all the data in a zone on a
- regular basis. When a zone-signing key is to be rolled, no
- interaction with the parent is needed. This allows for "Signature
- Validity Periods" on the order of days.
-
- The key-signing key is only to be used to sign the DNSKEY RRs in a
- zone. If a key-signing key is to be rolled over, there will be
- interactions with parties other than the zone administrator. These
- can include the registry of the parent zone or administrators of
- verifying resolvers that have the particular key configured as
- trusted entry points. Hence, the key effectivity period of these
- keys can and should be made much longer. Although, given a long
- enough key, the Key Usage Time can be on the order of years we
- suggest planning for a key effectivity of the order of a few months
- so that a key rollover remains an operational routine.
-
-3.1.2 KSKs for high level zones
-
- Higher level zones are generally more sensitive than lower level
- zones. Anyone controlling or breaking the security of a zone thereby
- obtains authority over all of its sub domains (except in the case of
- resolvers that have locally configured the public key of a sub
- domain). Therefore, extra care should be taken with high level zones
- and strong keys used.
-
- The root zone is the most critical of all zones. Someone controlling
- or compromising the security of the root zone would control the
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 7]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- entire DNS name space of all resolvers using that root zone (except
- in the case of resolvers that have locally configured the public key
- of a sub domain). Therefore, the utmost care must be taken in the
- securing of the root zone. The strongest and most carefully handled
- keys should be used. The root zone private key should always be kept
- off line.
-
- Many resolvers will start at a root server for their access to and
- authentication of DNS data. Securely updating the trust anchors in
- an enormous population of resolvers around the world will be
- extremely difficult.
-
-3.2 Randomness
-
- Careful generation of all keys is a sometimes overlooked but
- absolutely essential element in any cryptographically secure system.
- The strongest algorithms used with the longest keys are still of no
- use if an adversary can guess enough to lower the size of the likely
- key space so that it can be exhaustively searched. Technical
- suggestions for the generation of random keys will be found in
- RFC1750 [3]. One should carefully assess if the random number
- generator used during key generation adheres to these suggestions.
-
- Keys with a long effectivity period are particularly sensitive as
- they will represent a more valuable target and be subject to attack
- for a longer time than short period keys. It is strongly recommended
- that long term key generation occur off-line in a manner isolated
- from the network via an air gap or, at a minimum, high level secure
- hardware.
-
-3.3 Key Effectivity Period
-
- For various reasons keys in DNSSEC need to be changed once in a
- while. The longer a key is in use, the greater the probability that
- it will have been compromised through carelessness, accident,
- espionage, or cryptanalysis. Furthermore when key rollovers are too
- rare an event, they will not become part of the operational habit and
- there is risk that nobody on-site will remember the procedure for
- rollover when the need is there.
-
- For Key Signing Keys a reasonable key effectivity period is 13
- months, with the intent to replace them after 12 months. An intended
- key effectivity period of a month is reasonable for Zone Signing
- Keys.
-
- Using these recommendations will lead to rollovers occurring
- frequently enough to become part of 'operational habits'; the
- procedure does not have to be reinvented every time a key is
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 8]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- replaced.
-
- Key effectivity periods can be made very short, as in the order of a
- few minutes. But when replacing keys one has to take the
- considerations from Section 4.1 and Section 4.2 into account.
-
-3.4 Key Algorithm
-
- There are currently three different types of algorithms that can be
- used in DNSSEC: RSA, DSA and elliptic curve cryptography. The latter
- is fairly new and still needs to be standardized for usage in DNSSEC.
-
- RSA has been developed in an open and transparent manner. As the
- patent on RSA expired in 2000, its use is now also free.
-
- DSA has been developed by NIST. The creation of signatures is
- roughly done at the same speed as with RSA, but is 10 to 40 times as
- slow for verification [11].
-
- We suggest the use of RSA/SHA-1 as the preferred algorithm for the
- key. The current known attacks on RSA can be defeated by making your
- key longer. As the MD5 hashing algorithm is showing (theoretical)
- cracks, we recommend the usage of SHA1.
-
- In 2005 some discoveries were made that SHA-1 also has some
- weaknesses. Currently SHA-1 is strong enough for DNSSEC. It is
- expected that a new hashing algorithm is rolled out, before any
- attack becomes practical.
-
-3.5 Key Sizes
-
- When choosing key sizes, zone administrators will need to take into
- account how long a key will be used and how much data will be signed
- during the key publication period. It is hard to give precise
- recommendations but Lenstra and Verheul [10] supplied the following
- table with lower bound estimates for cryptographic key sizes. Their
- recommendations are based on a set of explicitly formulated parameter
- settings, combined with existing data points about cryptographic
- systems. For details we refer to the original paper.
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 9]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- Year RSA Key Sizes Year RSA Key Sizes
-
- 2000 952 2015 1613
- 2001 990 2016 1664
- 2002 1028 2017 1717
- 2003 1068 2018 1771
- 2004 1108 2019 1825
-
-
- 2005 1149 2020 1881
- 2006 1191 2021 1937
- 2007 1235 2022 1995
- 2008 1279 2023 2054
- 2009 1323 2024 2113
-
-
- 2026 2236 2025 2174
- 2010 1369 2027 2299
- 2011 1416 2028 2362
- 2012 1464 2029 2427
- 2013 1513
- 2014 1562
-
- For example, should you wish your key to last three years from 2003,
- check the RSA key size values for 2006 in this table. In this case
- it should be at least 1191 bits.
-
- Please keep in mind that nobody can see into the future, and that
- these key lengths are only provided here as a guide.
-
- When determining a key size one should take into account that a large
- key will be slower during generation and verification. For RSA,
- verification, the most common operation, will vary roughly with the
- square of the key size; signing will vary with the cube of the key
- size length; and key generation will vary with the fourth power of
- the modulus length. Besides larger keys will increase the sizes of
- the RRSIG and DNSKEY records and will therefore increase the chance
- of DNS UDP packet overflow. Also see Section 3.1.1 for a discussion
- of how keys serving different roles (ZSK v. KSK) may need different
- key strengths.
-
-3.6 Private Key Storage
-
- It is recommended that, where possible, zone private keys and the
- zone file master copy be kept and used in off-line, non-network
- connected, physically secure machines only. Periodically an
- application can be run to add authentication to a zone by adding
- RRSIG and NSEC RRs. Then the augmented file can be transferred,
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 10]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- perhaps by sneaker-net, to the networked zone primary server machine.
-
- The ideal situation is to have a one way information flow to the
- network to avoid the possibility of tampering from the network.
- Keeping the zone master file on-line on the network and simply
- cycling it through an off-line signer does not do this. The on-line
- version could still be tampered with if the host it resides on is
- compromised. For maximum security, the master copy of the zone file
- should be off net and should not be updated based on an unsecured
- network mediated communication.
-
- In general keeping a zone-file off-line will not be practical and the
- machines on which zone files are maintained will be connected to a
- network. Operators are advised to take security measures to shield
- unauthorized access to the master copy.
-
- For dynamically updated secured zones [5] both the master copy and
- the private key that is used to update signatures on updated RRs will
- need to be on line.
-
-4. Signature generation, Key Rollover and Related Policies
-
-4.1 Time in DNSSEC
-
- Without DNSSEC all times in DNS are relative. The SOA RR's refresh,
- retry and expiration timers are counters that are used to determine
- the time elapsed after a slave server synchronized (or tried to
- synchronize) with a master server. The Time to Live (TTL) value and
- the SOA RR minimum TTL parameter [6] are used to determine how long a
- forwarder should cache data after it has been fetched from an
- authoritative server. By using a signature validity period, DNSSEC
- introduces the notion of an absolute time in the DNS. Signatures in
- DNSSEC have an expiration date after which the signature is marked as
- invalid and the signed data is to be considered Bogus.
-
-4.1.1 Time Considerations
-
- Because of the expiration of signatures, one should consider the
- following:
- o We suggest the Maximum Zone TTL of your zone data to be a fraction
- of your signature validity period.
- If the TTL would be of similar order as the signature validity
- period, then all RRsets fetched during the validity period
- would be cached until the signature expiration time. Section
- 7.1 of [2] suggests that "the resolver may use the time
- remaining before expiration of the signature validity period of
- a signed RRset as an upper bound for the TTL". As a result
- query load on authoritative servers would peak at signature
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 11]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- expiration time, as this is also the time at which records
- simultaneously expire from caches.
- To avoid query load peaks we suggest the TTL on all the RRs in
- your zone to be at least a few times smaller than your
- signature validity period.
- o We suggest the signature publication period to be at least one
- maximum TTL smaller than the signature validity period.
- Resigning a zone shortly before the end of the signature
- validity period may cause simultaneous expiration of data from
- caches. This in turn may lead to peaks in the load on
- authoritative servers.
- o We suggest the minimum zone TTL to be long enough to both fetch
- and verify all the RRs in the authentication chain. A low TTL
- could cause two problems:
- 1. During validation, some data may expire before the
- validation is complete. The validator should be able to keep
- all data, until is completed. This applies to all RRs needed
- to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and the
- final answers i.e. the RR set that is returned for the initial
- query.
- 2. Frequent verification causes load on recursive nameservers.
- Data at delegation points, DSs, DNSKEYs and RRSIGs benefit from
- caching. The TTL on those should be relatively long.
- o Slave servers will need to be able to fetch newly signed zones
- well before the RRSIGs in the zone served by the slave server pass
- their signature expiration time.
- When a slave server is out of sync with its master and data in
- a zone is signed by expired signatures it may be better for the
- slave server not to give out any answer.
- Normally a slave server that is not able to contact a master
- server for an extended period will expire a zone. When that
- happens the zone will not respond on queries. The time of
- expiration is set in the SOA record and is relative to the last
- successful refresh between the master and the slave server.
- There exists no coupling between the signature expiration of
- RRSIGs in the zone and the expire parameter in the SOA.
- If the server serves a DNSSEC zone than it may well happen that
- the signatures expire well before the SOA expiration timer
- counts down to zero. It is not possible to completely prevent
- this from happening by tweaking the SOA parameters.
- However, the effects can be minimized where the SOA expiration
- time is equal or smaller than the signature validity period.
- The consequence of an authoritative server not being able to
- update a zone, whilst that zone includes expired signatures, is
- that non-secure resolvers will continue to be able to resolve
- data served by the particular slave servers while security
- aware resolvers will experience problems because of answers
- being marked as Bogus.
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 12]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- We suggest the SOA expiration timer being approximately one
- third or one fourth of the signature validity period. It will
- allow problems with transfers from the master server to be
- noticed before the actual signature time out.
- We also suggest that operators of nameservers that supply
- secondary services develop 'watch dogs' to spot upcoming
- signature expirations in zones they slave, and take appropriate
- action.
- When determining the value for the expiration parameter one has
- to take the following into account: What are the chances that
- all my secondary zones expire; How quickly can I reach an
- administrator of secondary servers to load a valid zone? All
- these arguments are not DNSSEC specific but may influence the
- choice of your signature validity intervals.
-
-4.2 Key Rollovers
-
- A DNSSEC key cannot be used forever (see Section 3.3). So key
- rollovers -- or supercessions, as they are sometimes called -- are a
- fact of life when using DNSSEC. Zone administrators who are in the
- process of rolling their keys have to take into account that data
- published in previous versions of their zone still lives in caches.
- When deploying DNSSEC, this becomes an important consideration;
- ignoring data that may be in caches may lead to loss of service for
- clients.
-
- The most pressing example of this is when zone material signed with
- an old key is being validated by a resolver which does not have the
- old zone key cached. If the old key is no longer present in the
- current zone, this validation fails, marking the data Bogus.
- Alternatively, an attempt could be made to validate data which is
- signed with a new key against an old key that lives in a local cache,
- also resulting in data being marked Bogus.
-
-4.2.1 Zone-signing Key Rollovers
-
- For zone-signing key rollovers there are two ways to make sure that
- during the rollover data still cached can be verified with the new
- key sets or newly generated signatures can be verified with the keys
- still in caches. One schema, described in Section 4.2.1.2, uses
- double signatures; the other uses key pre-publication
- (Section 4.2.1.1). The pros, cons and recommendations are described
- in Section 4.2.1.3.
-
-4.2.1.1 Pre-publish key set Rollover
-
- This section shows how to perform a ZSK rollover without the need to
- sign all the data in a zone twice - the so-called "pre-publish
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 13]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- rollover".This method has advantages in the case of a key compromise.
- If the old key is compromised, the new key has already been
- distributed in the DNS. The zone administrator is then able to
- quickly switch to the new key and remove the compromised key from the
- zone. Another major advantage is that the zone size does not double,
- as is the case with the double signature ZSK rollover. A small
- "HOWTO" for this kind of rollover can be found in Appendix B.
-
- normal pre-roll roll after
-
- SOA0 SOA1 SOA2 SOA3
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
-
- DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-
-
- normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
- DNSKEY 10 is used to sign all the data of the zone, the zone-
- signing key.
- pre-roll: DNSKEY 11 is introduced into the key set. Note that no
- signatures are generated with this key yet, but this does not
- secure against brute force attacks on the public key. The minimum
- duration of this pre-roll phase is the time it takes for the data
- to propagate to the authoritative servers plus TTL value of the
- key set. This equates to two times the Maximum Zone TTL.
- roll: At the rollover stage (SOA serial 2) DNSKEY 11 is used to sign
- the data in the zone exclusively (i.e. all the signatures from
- DNSKEY 10 are removed from the zone). DNSKEY 10 remains published
- in the key set. This way data that was loaded into caches from
- version 1 of the zone can still be verified with key sets fetched
- from version 2 of the zone.
- The minimum time that the key set including DNSKEY 10 is to be
- published is the time that it takes for zone data from the
- previous version of the zone to expire from old caches i.e. the
- time it takes for this zone to propagate to all authoritative
- servers plus the Maximum Zone TTL value of any of the data in the
- previous version of the zone.
- after: DNSKEY 10 is removed from the zone. The key set, now only
- containing DNSKEY 1 and DNSKEY 11 is resigned with the DNSKEY 1.
-
- The above scheme can be simplified by always publishing the "future"
- key immediately after the rollover. The scheme would look as follows
- (we show two rollovers); the future key is introduced in "after" as
- DNSKEY 12 and again a newer one, numbered 13, in "2nd after":
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 14]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- normal roll after
-
- SOA0 SOA2 SOA3
- RRSIG10(SOA0) RRSIG11(SOA2) RRSIG11(SOA3)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11 DNSKEY11 DNSKEY12
- RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
-
-
- 2nd roll 2nd after
-
- SOA4 SOA5
- RRSIG12(SOA4) RRSIG12(SOA5)
-
- DNSKEY1 DNSKEY1
- DNSKEY11 DNSKEY12
- DNSKEY12 DNSKEY13
- RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG12(DNSKEY) RRSIG12(DNSKEY)
-
-
- Note that the key introduced after the rollover is not used for
- production yet; the private key can thus be stored in a physically
- secure manner and does not need to be 'fetched' every time a zone
- needs to be signed.
-
-4.2.1.2 Double Signature Zone-signing Key Rollover
-
- This section shows how to perform a ZSK key rollover using the double
- zone data signature scheme, aptly named "double sig rollover".
-
- During the rollover stage the new version of the zone file will need
- to propagate to all authoritative servers and the data that exists in
- (distant) caches will need to expire, requiring at least the maximum
- Zone TTL.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 15]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- normal roll after
-
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
- RRSIG11(SOA1)
-
- DNSKEY1 DNSKEY1 DNSKEY1
- DNSKEY10 DNSKEY10 DNSKEY11
- DNSKEY11
- RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
- RRSIG11(DNSKEY)
-
- normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
- DNSKEY 10 is used to sign all the data of the zone, the zone-
- signing key.
- roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced
- into the key set and all the data in the zone is signed with
- DNSKEY 10 and DNSKEY 11. The rollover period will need to exist
- until all data from version 0 of the zone has expired from remote
- caches. This will take at least the maximum Zone TTL of version 0
- of the zone.
- after: DNSKEY 10 is removed from the zone. All the signatures from
- DNSKEY 10 are removed from the zone. The key set, now only
- containing DNSKEY 11, is resigned with DNSKEY 1.
-
- At every instance, RRSIGs from the previous version of the zone can
- be verified with the DNSKEY RRset from the current version and the
- other way around. The data from the current version can be verified
- with the data from the previous version of the zone. The duration of
- the rollover phase and the period between rollovers should be at
- least the "Maximum Zone TTL".
-
- Making sure that the rollover phase lasts until the signature
- expiration time of the data in version 0 of the zone is recommended.
- This way all caches are cleared of the old signatures. However, this
- date could be considerably longer than the Maximum Zone TTL, making
- the rollover a lengthy procedure.
-
- Note that in this example we assumed that the zone was not modified
- during the rollover. New data can be introduced in the zone as long
- as it is signed with both keys.
-
-4.2.1.3 Pros and Cons of the Schemes
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 16]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- Pre-publish-key set rollover: This rollover does not involve signing
- the zone data twice. Instead, before the actual rollover, the new
- key is published in the key set and thus available for
- cryptanalysis attacks. A small disadvantage is that this process
- requires four steps. Also the pre-publish scheme involves more
- parental work when used for KSK rollovers as explained in
- Section 4.2.
- Double signature rollover: The drawback of this signing scheme is
- that during the rollover the number of signatures in your zone
- doubles, this may be prohibitive if you have very big zones. An
- advantage is that it only requires three steps.
-
-4.2.2 Key-signing Key Rollovers
-
- For the rollover of a key-signing key the same considerations as for
- the rollover of a zone-signing key apply. However we can use a
- double signature scheme to guarantee that old data (only the apex key
- set) in caches can be verified with a new key set and vice versa.
-
- Since only the key set is signed with a KSK, zone size considerations
- do not apply.
-
-
- normal roll after
-
- SOA0 SOA1 SOA2
- RRSIG10(SOA0) RRSIG10(SOA1) RRSIG10(SOA2)
-
- DNSKEY1 DNSKEY1 DNSKEY2
- DNSKEY2
- DNSKEY10 DNSKEY10 DNSKEY10
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY)
- RRSIG2 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
- normal: Version 0 of the zone. The parental DS points to DNSKEY1.
- Before the rollover starts the child will have to verify what the
- TTL is of the DS RR that points to DNSKEY1 - it is needed during
- the rollover and we refer to the value as TTL_DS.
- roll: During the rollover phase the zone administrator generates a
- second KSK, DNSKEY2. The key is provided to the parent and the
- child will have to wait until a new DS RR has been generated that
- points to DNSKEY2. After that DS RR has been published on all
- servers authoritative for the parent's zone, the zone
- administrator has to wait at least TTL_DS to make sure that the
- old DS RR has expired from caches.
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 17]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- after: DNSKEY1 has been removed.
-
- The scenario above puts the responsibility for maintaining a valid
- chain of trust with the child. It also is based on the premises that
- the parent only has one DS RR (per algorithm) per zone. An
- alternative mechanism has been considered. Using an established
- trust relation, the interaction can be performed in-band, and the
- removal of the keys by the child can possibly be signaled by the
- parent. In this mechanism there are periods where there are two DS
- RRs at the parent. Since at the moment of writing the protocol for
- this interaction has not been developed further discussion is out of
- scope for this document.
-
-4.2.3 Difference Between ZSK and KSK Rollovers
-
- Note that KSK rollovers and ZSK rollovers are different. A zone-key
- rollover can be handled in two different ways: pre-publish (Section
- Section 4.2.1.1) and double signature (Section Section 4.2.1.2).
-
- As the KSK is used to validate the key set and because the KSK is not
- changed during a ZSK rollover, a cache is able to validate the new
- key set of the zone. The pre-publish method would work for a KSK
- rollover. The record that are to be pre-published are the parental
- DS RRs.
-
- The pre-publish method has some drawbacks. We first describe the
- rollover scheme and then indicate these drawbacks.
-
- normal pre-roll roll after
- Parent:
- SOA0 SOA1 SOA2 SOA3
- RRSIGpar(SOA0) RRSIGpar(SOA1) RRSIGpar(SOA2) RRSIGpar(SOA3)
- DS1 DS1 DS1 DS2
- DS2 DS2
- RRSIGpar(DS) RRSIGpar(DS) RRSIGpar(DS) RRSIGpar(DS)
-
-
-
- Child:
- SOA0 SOA0 SOA1 SOA1
- RRSIG10(SOA0) RRSIG10(SOA0) RRSIG10(SOA1) RRSIG10(SOA1)
-
- DNSKEY1 DNSKEY1 DNSKEY2 DNSKEY2
-
- DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY10
- RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY) RRSIG2 (DNSKEY)
- RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 18]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- When the child zone wants to roll it notifies the parent during the
- pre-roll phase and submits the new key to the parent. The parent
- publishes DS1 and DS2, pointing to DNSKEY1 and DNSKEY2 respectively.
- During the rollover, which can take place as soon as the new DS set
- propagated through the DNS, the child replaces DNSKEY1 with DNSKEY2.
- Immediately after that it can notify the parent that the old DS
- record can be deleted.
-
- The drawbacks of these scheme are that during the pre-roll phase the
- parent cannot verify the match between the DS RR and DNSKEY2 using
- the DNS. Besides, we introduce a "security lame" DS record
- Section 4.4.3. Finally the child-parent interaction consists of two
- steps. The "double signature" method only needs one interaction.
-
-4.2.4 Automated Key Rollovers
-
- As keys must be renewed periodically, there is some motivation to
- automate the rollover process. Consider that:
-
- o ZSK rollovers are easy to automate as only the local zone is
- involved.
- o A KSK rollover needs interaction between the parent and child.
- Data exchange is needed to provide the new keys to the parent,
- consequently, this data must be authenticated and integrity must
- be guaranteed in order to avoid attacks on the rollover.
- o All time and TTL considerations presented in Section 4.2 apply to
- an automated rollover.
-
-4.3 Planning for Emergency Key Rollover
-
- This section deals with preparation for a possible key compromise.
- Our advice is to have a documented procedure ready for when a key
- compromise is suspected or confirmed.
-
- When the private material of one of your keys is compromised it can
- be used for as long as a valid authentication chain exists. An
- authentication chain remains intact for:
- o as long as a signature over the compromised key in the
- authentication chain is valid,
- o as long as a parental DS RR (and signature) points to the
- compromised key,
- o as long as the key is anchored in a resolver and is used as a
- starting point for validation. (This is generally the hardest to
- update.)
-
- While an authentication chain to your compromised key exists, your
- name-space is vulnerable to abuse by anyone who has obtained
- illegitimate possession of the key.Zone operators have to make a
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 19]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- trade off if the abuse of the compromised key is worse than having
- data in caches that cannot be validated. If the zone operator
- chooses to break the authentication chain to the compromised key,
- data in caches signed with this key cannot be validated. However, if
- the zone administrator chooses to take the path of a regular roll-
- over, the malicious key holder can spoof data so that it appears to
- be valid. Note that this kind of attack is more likely to occur in a
- localized part of the network topology i.e. downstream from where the
- spoof takes place.
-
-
-4.3.1 KSK Compromise
-
- When the KSK has been compromised the parent must be notified as soon
- as possible using secure means. The key set of the zone should be
- resigned as soon as possible. Care must be taken to not break the
- authentication chain. The local zone can only be resigned with the
- new KSK after the parent's zone has created and reloaded its zone
- with the DS created from the new KSK. Before this update takes place
- it would be best to drop the security status of a zone all together:
- the parent removes the DS of the child at the next zone update.
- After that the child can be made secure again.
-
- An additional danger of a key compromise is that the compromised key
- can be used to facilitate a legitimate DNSKEY/DS and/or nameserver
- rollover at the parent. When that happens the domain can be in
- dispute. An authenticated out of band and secure notify mechanism to
- contact a parent is needed in this case.
-
-4.3.2 ZSK Compromise
-
- Primarily because there is no parental interaction required when a
- ZSK is compromised, the situation is less severe than with with a KSK
- compromise. The zone must still be resigned with a new ZSK as soon
- as possible. As this is a local operation and requires no
- communication between the parent and child this can be achieved
- fairly quickly. However, one has to take into account that just as
- with a normal rollover the immediate disappearance from the old
- compromised key may lead to verification problems. The pre-
- publication scheme as discussed above minimizes such problems.
-
-4.3.3 Compromises of Keys Anchored in Resolvers
-
- A key can also be pre-configured in resolvers. For instance, if
- DNSSEC is successfully deployed the root key may be pre-configured in
- most security aware resolvers.
-
- If trust-anchor keys are compromised, the resolvers using these keys
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 20]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- should be notified of this fact. Zone administrators may consider
- setting up a mailing list to communicate the fact that a SEP key is
- about to be rolled over. This communication will of course need to
- be authenticated e.g. by using digital signatures.
-
- End-users faced with the task of updating an anchored key should
- always validate the new key. New keys should be authenticated out of
- the DNS, for example, looking them up on an SSL secured announcement
- website.
-
-4.4 Parental Policies
-
-4.4.1 Initial Key Exchanges and Parental Policies Considerations
-
- The initial key exchange is always subject to the policies set by the
- parent (or its registry). When designing a key exchange policy one
- should take into account that the authentication and authorization
- mechanisms used during a key exchange should be as strong as the
- authentication and authorization mechanisms used for the exchange of
- delegation information between parent and child. I.e. there is no
- implicit need in DNSSEC to make the authentication process stronger
- than it was in DNS.
-
- Using the DNS itself as the source for the actual DNSKEY material,
- with an off-band check on the validity of the DNSKEY, has the benefit
- that it reduces the chances of user error. A parental DNSKEY
- download tool can make use of the SEP bit [1] to select the proper
- key from a DNSSEC key set; thereby reducing the chance that the wrong
- DNSKEY is sent. It can validate the self-signature over a key;
- thereby verifying the ownership of the private key material.
- Fetching the DNSKEY from the DNS ensures that the chain of trust
- remains intact once the parent publishes the DS RR indicating the
- child is secure.
-
- Note: the off-band verification is still needed when the key-material
- is fetched via the DNS. The parent can never be sure whether the
- DNSKEY RRs have been spoofed or not.
-
-4.4.2 Storing Keys or Hashes?
-
- When designing a registry system one should consider which of the
- DNSKEYs and/or the corresponding DSs to store. Since a child zone
- might wish to have a DS published using a message digest algorithm
- not yet understood by the registry, the registry can't count on being
- able to generate the DS record from a raw DNSKEY. Thus, we recommend
- that registry system at least support storing DS records.
-
- It may also be useful to store DNSKEYs, since having them may help
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 21]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- during troubleshooting and, so long as the child's chosen message
- digest is supported, the overhead of generating DS records from them
- is minimal. Having an out-of-band mechanism, such as a Whois
- database, to find out which keys are used to generate DS Resource
- Records for specific owners and/or zones may also help with
- troubleshooting.
-
- The storage considerations also relate the design of the customer
- interface and the method by which data is transfered between
- registrant and registry; Will the child zone owner be able to upload
- DS RRs with unknown hash algorithms or does the interface only allows
- DNSKEYs? In the registry-registrar model one can use the DNSSEC EPP
- protocol extensions [9] which allows transfer of DS RRs and
- optionally DNSKEY RRs.
-
-4.4.3 Security Lameness
-
- Security Lameness is defined as what happens when a parent has a DS
- RR pointing to a non-existing DNSKEY RR. During key exchange a
- parent should make sure that the child's key is actually configured
- in the DNS before publishing a DS RR in its zone. Failure to do so
- could cause the child's zone being marked as Bogus.
-
- Child zones should be very careful removing DNSKEY material,
- specifically SEP keys, for which a DS RR exists.
-
- Once a zone is "security lame", a fix (e.g. removing a DS RR) will
- take time to propagate through the DNS.
-
-4.4.4 DS Signature Validity Period
-
- Since the DS can be replayed as long as it has a valid signature, a
- short signature validity period over the DS minimizes the time a
- child is vulnerable in the case of a compromise of the child's
- KSK(s). A signature validity period that is too short introduces the
- possibility that a zone is marked Bogus in case of a configuration
- error in the signer. There may not be enough time to fix the
- problems before signatures expire. Something as mundane as operator
- unavailability during weekends shows the need for DS signature
- validity periods longer than 2 days. We recommend the minimum for a
- DS signature validity period of a few days.
-
- The maximum signature validity period of the DS record depends on how
- long child zones are willing to be vulnerable after a key compromise.
- Other considerations, such as how often the zone is (re)signed can
- also be taken into account.
-
- We consider a signature validity period of around one week to be a
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 22]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- good compromise between the operational constraints of the parent and
- minimizing damage for the child.
-
- In addition to the signature validity period, which sets a lower
- bound on the amount of times the zone owner will need to sign the
- zone data and which sets an upper bound to the time a child is
- vulnerable after key compromise, there is the TTL value on the DS
- RRs. By lowering the TTL, the authoritative servers will see more
- queries, on the other hand a low TTL increases the speed with which
- new DS RRs propagate through the DNS. As argued in Section 4.1.1,
- the TTL should be a fraction of the signature validity period.
-
-5. Security Considerations
-
- DNSSEC adds data integrity to the DNS. This document tries to assess
- the operational considerations to maintain a stable and secure DNSSEC
- service. Not taking into account the 'data propagation' properties
- in the DNS will cause validation failures and may make secured zones
- unavailable to security aware resolvers.
-
-6. Acknowledgments
-
- Most of the ideas in this draft were the result of collective efforts
- during workshops, discussions and try outs.
-
- At the risk of forgetting individuals who were the original
- contributors of the ideas we would like to acknowledge people who
- were actively involved in the compilation of this document. In
- random order: Rip Loomis, Olafur Gudmundsson, Wesley Griffin, Michael
- Richardson, Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette
- Olivier Courtay, Sam Weiler, Jelte Jansen and Niall O'Reilly.
-
- Some material in this document has been shamelessly copied from
- RFC2541 [7] by Donald Eastlake.
-
- Mike StJohns designed the key exchange between parent and child
- mentioned in the last paragraph of Section 4.2.2
-
- Section 4.2.4 was supplied by G. Guette and O. Courtay.
-
- Emma Bretherick, Adrian Bedford and Lindy Foster corrected many of
- the spelling and style issues.
-
- Kolkman and Gieben take the blame for introducing all miscakes(SIC).
-
-7. References
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 23]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
-7.1 Normative References
-
- [1] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name System KEY
- (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
- RFC 3757, May 2004.
-
- [2] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose,
- "DNS Security Introduction and Requirements", RFC 4033,
- March 2005.
-
-7.2 Informative References
-
- [3] Eastlake, D., Crocker, S., and J. Schiller, "Randomness
- Recommendations for Security", RFC 1750, December 1994.
-
- [4] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [5] Eastlake, D., "Secure Domain Name System Dynamic Update",
- RFC 2137, April 1997.
-
- [6] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
- RFC 2308, March 1998.
-
- [7] Eastlake, D., "DNS Security Operational Considerations",
- RFC 2541, March 1999.
-
- [8] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
- RFC 3658, December 2003.
-
- [9] Hollenbeck, S., "Domain Name System (DNS) Security Extensions
- Mapping for the Extensible Provisioning Protocol (EPP)",
- draft-hollenbeck-epp-secdns-07 (work in progress), March 2005.
-
- [10] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key
- Sizes", The Journal of Cryptology 14 (255-293), 2001.
-
- [11] Schneier, B., "Applied Cryptography: Protocols, Algorithms, and
- Source Code in C", 1996.
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 24]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
-Authors' Addresses
-
- Olaf M. Kolkman
- RIPE NCC
- Singel 256
- Amsterdam 1016 AB
- The Netherlands
-
- Phone: +31 20 535 4444
- Email: olaf@ripe.net
- URI: http://www.ripe.net/
-
-
- Miek Gieben
- NLnet Labs
- Kruislaan 419
- Amsterdam 1098 VA
- The Netherlands
-
- Email: miek@nlnetlabs.nl
- URI: http://www.nlnetlabs.nl
-
-Appendix A. Terminology
-
- In this document there is some jargon used that is defined in other
- documents. In most cases we have not copied the text from the
- documents defining the terms but given a more elaborate explanation
- of the meaning. Note that these explanations should not be seen as
- authoritative.
-
- Anchored Key: A DNSKEY configured in resolvers around the globe.
- This key is hard to update, hence the term anchored.
- Bogus: Also see Section 5 of [2]. An RRset in DNSSEC is marked
- "Bogus" when a signature of a RRset does not validate against a
- DNSKEY.
- Key-Signing Key or KSK: A Key-Signing Key (KSK) is a key that is used
- exclusively for signing the apex key set. The fact that a key is
- a KSK is only relevant to the signing tool.
- Private and Public Keys: DNSSEC secures the DNS through the use of
- public key cryptography. Public key cryptography is based on the
- existence of two keys, a public key and a private key. The public
- keys are published in the DNS by use of the DNSKEY Resource Record
- (DNSKEY RR). Private keys should remain private.
- Key Rollover: A key rollover (also called key supercession in some
- environments) is the act of replacing one key pair by another at
- the end of a key effectivity period.
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 25]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- Secure Entry Point key or SEP Key: A KSK that has a parental DS
- record pointing to it. Note: this is not enforced in the
- protocol. A SEP Key with no parental DS is security lame.
- Singing the Zone File: The term used for the event where an
- administrator joyfully signs its zone file while producing melodic
- sound patterns.
- Signer: The system that has access to the private key material and
- signs the Resource Record sets in a zone. A signer may be
- configured to sign only parts of the zone e.g. only those RRsets
- for which existing signatures are about to expire.
- Zone-Signing Key or ZSK: A Zone Signing Key (ZSK) is a key that is
- used for signing all data in a zone. The fact that a key is a ZSK
- is only relevant to the signing tool.
- Zone Administrator: The 'role' that is responsible for signing a zone
- and publishing it on the primary authoritative server.
-
-Appendix B. Zone-signing Key Rollover Howto
-
- Using the pre-published signature scheme and the most conservative
- method to assure oneself that data does not live in caches here
- follows the "HOWTO".
- Step 0: The preparation: Create two keys and publish both in your key
- set. Mark one of the keys as "active" and the other as
- "published". Use the "active" key for signing your zone data.
- Store the private part of the "published" key, preferably off-
- line.
- The protocol does not provide for attributes to mark a key as
- active or published. This is something you have to do on your
- own, through the use of a notebook or key management tool.
- Step 1: Determine expiration: At the beginning of the rollover make a
- note of the highest expiration time of signatures in your zone
- file created with the current key marked as "active".
- Wait until the expiration time marked in Step 1 has passed
- Step 2: Then start using the key that was marked as "published" to
- sign your data i.e. mark it as "active". Stop using the key that
- was marked as "active", mark it as "rolled".
- Step 3: It is safe to engage in a new rollover (Step 1) after at
- least one "signature validity period".
-
-Appendix C. Typographic Conventions
-
- The following typographic conventions are used in this document:
- Key notation: A key is denoted by KEYx, where x is a number, x could
- be thought of as the key id.
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 26]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- RRset notations: RRs are only denoted by the type. All other
- information - owner, class, rdata and TTL - is left out. Thus:
- "example.com 3600 IN A 192.168.1.1" is reduced to "A". RRsets are
- a list of RRs. A example of this would be: "A1,A2", specifying
- the RRset containing two "A" records. This could again be
- abbreviated to just "A".
- Signature notation: Signatures are denoted as RRSIGx(RRset), which
- means that RRset is signed with DNSKEYx.
- Zone representation: Using the above notation we have simplified the
- representation of a signed zone by leaving out all unnecessary
- details such as the names and by representing all data by "SOAx"
- SOA representation: SOA's are represented as SOAx, where x is the
- serial number.
- Using this notation the following zone:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 27]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- example.net. 600 IN SOA ns.example.net. bert.example.net. (
- 10 ; serial
- 450 ; refresh (7 minutes 30 seconds)
- 600 ; retry (10 minutes)
- 345600 ; expire (4 days)
- 300 ; minimum (5 minutes)
- )
- 600 RRSIG SOA 5 2 600 20130522213204 (
- 20130422213204 14 example.net.
- cmL62SI6iAX46xGNQAdQ... )
- 600 NS a.iana-servers.net.
- 600 NS b.iana-servers.net.
- 600 RRSIG NS 5 2 600 20130507213204 (
- 20130407213204 14 example.net.
- SO5epiJei19AjXoUpFnQ ... )
- 3600 DNSKEY 256 3 5 (
- EtRB9MP5/AvOuVO0I8XDxy0...
- ) ; key id = 14
- 3600 DNSKEY 256 3 5 (
- gsPW/Yy19GzYIY+Gnr8HABU...
- ) ; key id = 15
- 3600 RRSIG DNSKEY 5 2 3600 20130522213204 (
- 20130422213204 14 example.net.
- J4zCe8QX4tXVGjV4e1r9... )
- 3600 RRSIG DNSKEY 5 2 3600 20130522213204 (
- 20130422213204 15 example.net.
- keVDCOpsSeDReyV6O... )
- 600 RRSIG NSEC 5 2 600 20130507213204 (
- 20130407213204 14 example.net.
- obj3HEp1GjnmhRjX... )
- a.example.net. 600 IN TXT "A label"
- 600 RRSIG TXT 5 3 600 20130507213204 (
- 20130407213204 14 example.net.
- IkDMlRdYLmXH7QJnuF3v... )
- 600 NSEC b.example.com. TXT RRSIG NSEC
- 600 RRSIG NSEC 5 3 600 20130507213204 (
- 20130407213204 14 example.net.
- bZMjoZ3bHjnEz0nIsPMM... )
-
- ...
-
-
- is reduced to the following representation:
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 28]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- SOA10
- RRSIG14(SOA10)
-
- DNSKEY14
- DNSKEY15
-
- RRSIG14(KEY)
- RRSIG15(KEY)
-
- The rest of the zone data has the same signature as the SOA record,
- i.e a RRSIG created with DNSKEY 14.
-
-Appendix D. Document Details and Changes
-
- This section is to be removed by the RFC editor if and when the
- document is published.
-
- $Id: draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.31.2.14
- 2005/03/21 15:51:41 dnssec Exp $
-
-D.1 draft-ietf-dnsop-dnssec-operational-practices-00
-
- Submission as working group document. This document is a modified
- and updated version of draft-kolkman-dnssec-operational-practices-00.
-
-D.2 draft-ietf-dnsop-dnssec-operational-practices-01
-
- changed the definition of "Bogus" to reflect the one in the protocol
- draft.
-
- Bad to Bogus
-
- Style and spelling corrections
-
- KSK - SEP mapping made explicit.
-
- Updates from Sam Weiler added
-
-D.3 draft-ietf-dnsop-dnssec-operational-practices-02
-
- Style and errors corrected.
-
- Added Automatic rollover requirements from I-D.ietf-dnsop-key-
- rollover-requirements.
-
-D.4 draft-ietf-dnsop-dnssec-operational-practices-03
-
- Added the definition of Key effectivity period and used that term
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 29]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
- instead of Key validity period.
-
- Modified the order of the sections, based on a suggestion by Rip
- Loomis.
-
- Included parts from RFC2541 [7]. Most of its ground was already
- covered. This document obsoletes RFC2541 [7]. Section 3.1.2
- deserves some review as it in contrast to RFC2541 does _not_ give
- recomendations about root-zone keys.
-
- added a paragraph to Section 4.4.4
-
-D.5 draft-ietf-dnsop-dnssec-operational-practices-04
-
- Somewhat more details added about the pre-publish KSK rollover. Also
- moved that subsection down a bit.
-
- Editorial and content nits that came in during wg last call were
- fixed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 30]
-
-Internet-Draft DNSSEC Operational Practices March 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Kolkman & Gieben Expires September 2, 2005 [Page 31]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-inaddr-required-07.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-inaddr-required-07.txt
deleted file mode 100644
index bcd0d14e4b54..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-inaddr-required-07.txt
+++ /dev/null
@@ -1,396 +0,0 @@
-
-
-
-
-
-
-INTERNET-DRAFT D. Senie
-Category: BCP Amaranth Networks Inc.
-Expires in six months July 2005
-
- Encouraging the use of DNS IN-ADDR Mapping
- draft-ietf-dnsop-inaddr-required-07.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-Abstract
-
- Mapping of addresses to names has been a feature of DNS. Many sites,
- implement it, many others don't. Some applications attempt to use it
- as a part of a security strategy. The goal of this document is to
- encourage proper deployment of address to name mappings, and provide
- guidance for their use.
-
-Copyright Notice
-
- Copyright (C) The Internet Society. (2005)
-
-1. Introduction
-
- The Domain Name Service has provision for providing mapping of IP
- addresses to host names. It is common practice to ensure both name to
- address, and address to name mappings are provided for networks. This
- practice, while documented, has never been required, though it is
- generally encouraged. This document both encourages the presence of
-
-
-
-Senie [Page 1]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping July 2005
-
-
- these mappings and discourages reliance on such mappings for security
- checks.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
-
-2. Discussion
-
-
- From the early days of the Domain Name Service [RFC883] a special
- domain has been set aside for resolving mappings of IP addresses to
- domain names. This was refined in [RFC1035], describing the .IN-
- ADDR.ARPA in use today. For the in the IPv6 address space, .IP6.ARPA
- was added [RFC3152]. This document uses IPv4 CIDR block sizes and
- allocation strategy where there are differences and uses IPv4
- terminology. Aside from these differences, this document can and
- should be applied to both address spaces.
-
- The assignment of blocks of IP address space was delegated to three
- regional registries. Guidelines for the registries are specified in
- [RFC2050], which requires regional registries to maintain IN-ADDR
- records on the large blocks of space issued to ISPs and others.
-
- ARIN's policy requires ISPs to maintain IN-ADDR for /16 or larger
- allocations. For smaller allocations, ARIN can provide IN-ADDR for
- /24 and shorter prefixes. [ARIN]. APNIC provides methods for ISPs to
- update IN-ADDR, however the present version of its policy document
- for IPv4 [APNIC] dropped the IN-ADDR requirements that were in draft
- copies of this document. As of this writing, it appears APNIC has no
- actual policy on IN-ADDR. RIPE appears to have the strongest policy
- in this area [RIPE302] indicating Local Internet Registries should
- provide IN-ADDR services, and delegate those as appropriate when
- address blocks are delegated.
-
- As we can see, the regional registries have their own policies for
- recommendations and/or requirements for IN-ADDR maintenance. It
- should be noted, however, that many address blocks were allocated
- before the creation of the regional registries, and thus it is
- unclear whether any of the policies of the registries are binding on
- those who hold blocks from that era.
-
- Registries allocate address blocks on CIDR [RFC1519] boundaries.
- Unfortunately the IN-ADDR zones are based on classful allocations.
- Guidelines [RFC2317] for delegating on non-octet-aligned boundaries
- exist, but are not always implemented.
-
-3. Examples of impact of missing IN-ADDR
-
-
-
-Senie [Page 2]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping July 2005
-
-
- These are some examples of problems that may be introduced by
- reliance on IN-ADDR.
-
- Some applications use DNS lookups for security checks. To ensure
- validity of claimed names, some applications will look up IN-ADDR
- records to get names, and then look up the resultant name to see if
- it maps back to the address originally known. Failure to resolve
- matching names is seen as a potential security concern.
-
- Some FTP sites will flat-out reject users, even for anonymous FTP, if
- the IN-ADDR lookup fails or if the result of the IN-ADDR lookup when
- itself resolved, does not match. Some Telnet servers also implement
- this check.
-
- Web sites are in some cases using IN-ADDR checks to verify whether
- the client is located within a certain geopolitical entity. This
- approach has been employed for downloads of crypto software, for
- example, where export of that software is prohibited to some locales.
- Credit card anti-fraud systems also use these methods for geographic
- placement purposes.
-
- The popular TCP Wrappers program found on most Unix and Linux systems
- has options to enforce IN-ADDR checks and to reject any client that
- does not resolve. This program also has a way to check to see that
- the name given by a PTR record then resolves back to the same IP
- address. This method provdes more comfort but no appreciable
- additional security.
-
- Some anti-spam (anti junk email) systems use IN-ADDR to verify the
- presence of a PTR record, or validate the PTR value points back to
- the same address.
-
- Many web servers look up the IN-ADDR of visitors to be used in log
- analysis. This adds to the server load, but in the case of IN-ADDR
- unavailability, it can lead to delayed responses for users.
-
- Traceroutes with descriptive IN-ADDR naming proves useful when
- debugging problems spanning large areas. When this information is
- missing, the traceroutes take longer, and it takes additional steps
- to determine that network is the cause of problems.
-
- Wider-scale implementation of IN-ADDR on dialup, wireless access and
- other such client-oriented portions of the Internet would result in
- lower latency for queries (due to lack of negative caching), and
- lower name server load and DNS traffic.
-
-4. Recommendations
-
-
-
-
-Senie [Page 3]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping July 2005
-
-
- 4.1 Delegation Recommendations
-
-
- Regional Registries and any Local Registries to whom they delegate
- should establish and convey a policy to those to whom they delegate
- blocks that IN-ADDR mappings are recommended. Policies should
- recommend those receiving delegations to provide IN-ADDR service
- and/or delegate to downstream customers.
-
- Network operators should define and implement policies and procedures
- which delegate IN-ADDR to their clients who wish to run their own IN-
- ADDR DNS services, and provide IN-ADDR services for those who do not
- have the resources to do it themselves. Delegation mechanisms should
- permit the downstream customer to implement and comply with IETF
- recommendations application of IN-ADDR to CIDR [RFC2317].
-
- All IP address space assigned and in use should be resolved by IN-
- ADDR records. All PTR records must use canonical names.
-
- All IP addresses in use within a block should have an IN-ADDR
- mapping. Those addresses not in use, and those that are not valid for
- use (zeros or ones broadcast addresses within a CIDR block) need not
- have mappings.
-
- It should be noted that due to CIDR, many addresses that appear to be
- otherwise valid host addresses may actually be zeroes or ones
- broadcast addresses. As such, attempting to audit a site's degree of
- compliance may only be done with knowledge of the internal subnet
- architecture of the site. It can be assumed, however, any host that
- originates an IP packet necessarily will have a valid host address,
- and must therefore have an IN-ADDR mapping.
-
-4.2 Application Recommendations
-
-
- Applications SHOULD NOT rely on IN-ADDR for proper operation. The use
- of IN-ADDR, sometimes in conjunction with a lookup of the name
- resulting from the PTR record provides no real security, can lead to
- erroneous results and generally just increases load on DNS servers.
- Further, in cases where address block holders fail to properly
- configure IN-ADDR, users of those blocks are penalized.
-
-5. Security Considerations
-
- This document has no negative impact on security. While it could be
- argued that lack of PTR record capabilities provides a degree of
- anonymity, this is really not valid. Trace routes, whois lookups and
- other sources will still provide methods for discovering identity.
-
-
-
-Senie [Page 4]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping July 2005
-
-
- By recommending applications avoid using IN-ADDR as a security
- mechanism this document points out that this practice, despite its
- use by many applications, is an ineffective form of security.
- Applications should use better mechanisms of authentication.
-
-6. IANA Considerations
-
- There are no IANA considerations for this document.
-
-7. References
-
-7.1 Normative References
-
- [RFC883] P.V. Mockapetris, "Domain names: Implementation
- specification," RFC883, November 1983.
-
- [RFC1035] P.V. Mockapetris, "Domain Names: Implementation
- Specification," RFC 1035, November 1987.
-
- [RFC1519] V. Fuller, et. al., "Classless Inter-Domain Routing (CIDR):
- an Address Assignment and Aggregation Strategy," RFC 1519, September
- 1993.
-
- [RFC2026] S. Bradner, "The Internet Standards Process -- Revision 3",
- RFC 2026, BCP 9, October 1996.
-
- [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate
- Requirement Levels", RFC 2119, BCP 14, March 1997.
-
- [RFC2050] K. Hubbard, et. al., "Internet Registry IP Allocation
- Guidelines", RFC2050, BCP 12, Novebmer 1996.
-
- [RFC2317] H. Eidnes, et. al., "Classless IN-ADDR.ARPA delegation,"
- RFC 2317, March 1998.
-
- [RFC3152] R. Bush, "Delegation of IP6.ARPA," RFC 3152, BCP 49, August
- 2001.
-
-7.2 Informative References
-
- [ARIN] "ISP Guidelines for Requesting Initial IP Address Space," date
- unknown, http://www.arin.net/regserv/initial-isp.html
-
- [APNIC] "Policies For IPv4 Address Space Management in the Asia
- Pacific Region," APNIC-086, 13 January 2003.
-
- [RIPE302] "Policy for Reverse Address Delegation of IPv4 and IPv6
- Address Space in the RIPE NCC Service Region", RIPE-302, April 26,
-
-
-
-Senie [Page 5]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping July 2005
-
-
- 2004. http://www.ripe.net//ripe/docs/rev-del.html
-
-
-
-8. Acknowledgements
-
- Thanks to Peter Koch and Gary Miller for their input, and to many
- people who encouraged me to write this document.
-
-9. Author's Address
-
- Daniel Senie
- Amaranth Networks Inc.
- 324 Still River Road
- Bolton, MA 01740
-
- Phone: (978) 779-5100
-
- EMail: dts@senie.com
-
-10. Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided
- on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
- THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
- ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
- PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed
- to pertain to the implementation or use of the technology
- described in this document or the extent to which any license
- under such rights might or might not be available; nor does it
- represent that it has made any independent effort to identify any
- such rights. Information on the procedures with respect to
- rights in RFC documents can be found in BCP 78 and BCP 79.
-
-
-
-
-Senie [Page 6]
-
-Internet-Draft Encouraging the use of DNS IN-ADDR Mapping July 2005
-
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use
- of such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository
- at http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention
- any copyrights, patents or patent applications, or other
- proprietary rights that may cover technology that may be required
- to implement this standard. Please address the information to the
- IETF at ietf-ipr@ietf.org.
-
- Internet-Drafts are working documents of the
- Internet Engineering Task Force (IETF), its areas, and its
- working groups. Note that other groups may also distribute
- working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of
- six months and may be updated, replaced, or obsoleted by
- other documents at any time. It is inappropriate to use
- Internet-Drafts as reference material or to cite them other
- than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be
- accessed at http://www.ietf.org/shadow.html
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Senie [Page 7]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt
deleted file mode 100644
index 42c3c0b7c7e3..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt
+++ /dev/null
@@ -1,1321 +0,0 @@
-
-DNS Operations WG
-Internet-Draft J. Jeong (ed.)
- ETRI
-
-Expires: January 2005 18 July 2004
-
-
- IPv6 Host Configuration of DNS Server Information Approaches
- draft-ietf-dnsop-ipv6-dns-configuration-02.txt
-
-
-Status of this Memo
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which we become aware will be disclosed, in accordance
- with RFC3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 17, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This document describes three approaches for IPv6 recursive DNS
- server address configuration. It details the operational
- attributes of three solutions: RA option, DHCPv6 option, and Well-
- known anycast addresses for recursive DNS servers. Additionally,
- it suggests four deployment scenarios considering multi-solution
- resolution. Therefore, this document will give the audience a
-
-
-
-Jeong, et al. Expires - January 2005 [Page 1]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- guideline of IPv6 DNS configuration to select approaches suitable
- for their host DNS configuration.
-
-Table of Contents
-
- 1. Introduction...................................................3
- 2. Terminology....................................................3
- 3. IPv6 DNS Configuration Approaches..............................3
- 3.1 RA Option..................................................3
- 3.1.1 Advantages...........................................4
- 3.1.2 Disadvantages........................................5
- 3.1.3 Observations.........................................5
- 3.2 DHCPv6 Option..............................................6
- 3.2.1 Advantages...........................................7
- 3.2.2 Disadvantages........................................8
- 3.2.3 Observations.........................................9
- 3.3 Well-known Anycast Addresses...............................9
- 3.3.1 Advantages...........................................9
- 3.3.2 Disadvantages.......................................10
- 3.3.3 Observations........................................10
- 4. Interworking among IPv6 DNS Configuration Approaches..........11
- 5. Deployment Scenarios..........................................12
- 5.1 ISP Network...............................................12
- 5.1.1 RA Option Approach..................................12
- 5.1.2 DHCPv6 Option Approach..............................13
- 5.1.3 Well-known Addresses Approach.......................13
- 5.2 Enterprise Network........................................14
- 5.3 3GPP Network..............................................14
- 5.3.1 Currently Available Mechanisms and Recommendations..15
- 5.3.2 RA Extension........................................16
- 5.3.3 Stateless DHCPv6....................................16
- 5.3.4 Well-known Addresses................................17
- 5.3.5 Recommendations.....................................17
- 5.4 Unmanaged Network.........................................18
- 5.4.1 Case A: Gateway does not provide IPv6 at all........18
- 5.4.2 Case B: A dual-stack gateway connected to a dual-stack
- ISP.........................................18
- 5.4.3 Case C: A dual-stack gateway connected to an IPv4-only
- ISP.........................................19
- 5.4.4 Case D: A gateway connected to an IPv6-only ISP.....19
- 6. Security Considerations.......................................19
- 7. Acknowledgements..............................................19
- 8. Normative References..........................................20
- 9. Informative References........................................20
- 10. Authors' Addresses...........................................21
- Intellectual Property Statement..................................23
- Full Copyright Statement.........................................23
- Acknowledgement..................................................24
-
-
-Jeong, et al. Expires - January 2005 [Page 2]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
-
-1. Introduction
-
- Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address
- Autoconfiguration provide ways to configure either fixed or mobile
- nodes with one or more IPv6 addresses, default routes and some
- other parameters [3][4]. To support access to additional services
- in the Internet that are identified by a DNS name, such as a web
- server, the configuration of at least one recursive DNS server is
- also needed for DNS name resolution.
-
- This document describes three approaches of recursive DNS server
- address configuration for IPv6 host: (a) RA option [8], (b) DHCPv6
- option [5]-[7], and (c) Well-known anycast addresses for recursive
- DNS servers [9]. Also, it suggests applicable scenarios for four
- kinds of networks: (a) ISP network, (b) Enterprise network, (c)
- 3GPP network, and (d) Unmanaged network.
-
- This document is just an analysis of each possible approach, and
- does not make any recommendation on particular one or on a
- combination of particular ones. Some approaches may even not be
- adopted at all as a result of further discussion.
-
- Therefore, the objective of this document is to help the audience
- select approaches suitable for IPv6 host configuration of recursive
- DNS server.
-
-2. Terminology
-
- This document uses the terminology described in [3]-[9]. In
- addition, a new term is defined below:
-
- Recursive DNS Server (RDNSS) A Recursive DNS Server is a name
- server that offers the recursive
- service of DNS name resolution.
-
-3. IPv6 DNS Configuration Approaches
-
- In this section, the operational attributes of three solutions are
- described in detail.
-
-3.1 RA Option
-
- RA approach is to define a new ND option called RDNSS option that
- contains a recursive DNS server address. Existing ND transport
- mechanisms (i.e., advertisements and solicitations) are used. This
- works in the same way that nodes learn about routers and prefixes,
- etc. An IPv6 host can configure the IPv6 addresses of one or more
-
-
-Jeong, et al. Expires - January 2005 [Page 3]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- RDNSSes via RA message periodically sent by router or solicited by
- a Router Solicitation (RS) [8]. This approach needs RDNSS
- information to be configured in the routers doing the
- advertisements. The configuration of RDNSS address can be
- performed manually by operator or other ways, such as automatic
- configuration through DHCPv6 client running on the router. When
- advertising more than one RDNSS options, an RA message includes as
- many RDNSS options as RDNSSes. Through ND protocol and RDNSS
- option along with prefix information option, an IPv6 host can
- perform its network configuration of its IPv6 address and RDNSS
- simultaneously [3][4]. The RA option for RDNSS can be used on any
- network that supports the use of ND. However, RA approach performs
- poorly in some wireless environments where RA message is used for
- IPv6 address autoconfiguration, such as WLAN networks.
-
- The RA approach is useful in some non-WLAN mobile environments
- where the addresses of the RDNSSes are changing because the RA
- option includes a lifetime field. This can be configured to a
- value that will require the client to time out the entry and switch
- over to another RDNSS address [8]. However, from the viewpoint of
- implementation, lifetime would seem to make matters a bit more
- complex. Instead of just writing DNS configuration file, such as
- resolv.conf for the list of RDNSS addresses, we have to have a
- daemon around (or a program that is called at the defined
- intervals) that keeps monitoring the lifetime of RDNSSes all the
- time.
-
- The preference value of RDNSS, included in RDNSS option, allows
- IPv6 hosts to select primary RDNSS among several RDNSSes; this can
- be used for load balancing of RDNSSes [8].
-
-3.1.1 Advantages
-
- The RA option for RDNSS has a number of advantages. These include:
-
- 1) The RA option is an extension of existing ND/Autoconfig
- mechanisms [3][4], and does not require a change in the base ND
- protocol.
-
- 2) This approach, like ND, works well on a variety of link types
- including point-to-point links, point-to-multipoint, and multi-
- point (i.e., Ethernet LANs), etc. RFC2461 [3] states, however,
- that there may be some link type on which ND is not possible; on
- such a link, some other mechanism will be needed for DNS
- configuration.
-
- 3) All of the information a host needs to run basic Internet
- applications such as email, the web, ftp, etc., can be performed
-
-
-Jeong, et al. Expires - January 2005 [Page 4]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- with the addition of this option to ND and address auto-
- configuration. The use of a single mechanism is more reliable and
- easier to provide than when the RDNSS information is learned via
- another protocol mechanism. Debugging problems when multiple
- protocol mechanisms are being used is harder and much more complex.
-
- 4) This mechanism works over a broad range of scenarios and
- leverages IPv6 ND. This works well on links that support broadcast
- reliably (e.g., Ethernet LANs) but not necessarily on other links
- (e.g., Wireless LANs). Also, this works well on links that are
- high performance (e.g., Ethernet LANs) and low performance (e.g.,
- Cellular networks). In the latter case, combining the RDNSS
- information with the other information in the RA, the host can
- learn all of the information needed to use most Internet
- applications such as the web in a single packet. This not only
- saves bandwidth where this is an issue, but also minimizes the
- delay to learn the RDNSS information.
-
- 5) The RA approach could be used as a model for other similar types
- of configuration information. New RA options for other server
- addresses that are common to all clients on a subnet would be easy
- to define. This includes things like NTP servers, SIP servers, etc.
-
-3.1.2 Disadvantages
-
- 1) ND is mostly implemented in kernel part of operating system.
- Therefore, if ND supports the configuration of some additional
- services, such as DNS, NTP and SIP servers, ND should be extended
- in kernel part. DHCPv6, however, has more flexibility for
- extension of service discovery because it is an application layer
- protocol.
-
- 2) The current ND framework should be modified due to the
- synchronization between another ND cache for RDNSSes in kernel
- space and DNS configuration file in user space. Because it is
- unacceptable to write and rewrite the DNS configuration file (e.g.,
- resolv.conf) from the kernel, another approach is needed. One
- simple approach to solve this is to have a daemon listening to what
- the kernel conveys, and to have the daemon do these steps, but such
- a daemon is not necessary with the current ND framework.
-
- 3) It is necessary to configure RDNSS addresses at least at one
- router on every link where this information needs to be configured
- by RA option.
-
-3.1.3 Observations
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 5]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- The proposed RDNSS RA option along with IPv6 ND and Auto-
- configuration allows a host to obtain all of the information it
- needs to access basic Internet services like the web, email, ftp,
- etc. This is preferable in environments where hosts use RAs to
- autoconfigure their addresses and all hosts on the subnet share the
- same router and server addresses. If the configuration information
- can be obtained from a single mechanism, it is preferable because
- it does not add additional delay, and it uses a minimum of
- bandwidth. Environments like this include homes, public cellular
- networks, and enterprise environments where no per host
- configuration is needed, but exclude public WLAN hot spots.
-
- DHCPv6 is preferable where it is being used for address
- configuration and if there is a need for host specific
- configuration [5]-[7]. Environments like this are most likely
- enterprise environments where the local administration chooses to
- have per host configuration control.
-
- Note: the observation section is based on what the proponents of
- each approach think makes a good overall solution.
-
-3.2 DHCPv6 Option
-
- DHCPv6 [5] includes the "DNS Recursive Name Server" option, through
- which a host can obtain a list of IP addresses of recursive DNS
- servers [7]. The DNS Recursive Name Server option carries a list
- of IPv6 addresses of RDNSSes to which the host may send DNS queries.
- The DNS servers are listed in the order of preference for use by
- the DNS resolver on the host.
-
- The DNS Recursive Name Server option can be carried in any DHCPv6
- Reply message, in response to either a Request or an Information-
- request message. Thus, the DNS Recursive Name Server option can be
- used either when DHCPv6 is used for address assignment, or when
- DHCPv6 is used only for other configuration information as
- stateless DHCPv6 [6].
-
- Stateless DHCPv6 can be deployed either using DHCPv6 servers
- running on general-purpose computers, or on router hardware.
- Several router vendors currently implement stateless DHCPv6 servers.
- Deploying stateless DHCPv6 in routers has the advantage that no
- special hardware is required, and should work well for networks
- where DHCPv6 is needed for very straightforward configuration of
- network devices.
-
- However, routers can also act as DHCPv6 relay agents. In this case,
- the DHCPv6 server need not be on the router - it can be on a
- general purpose computer. This has the potential to give the
-
-
-Jeong, et al. Expires - January 2005 [Page 6]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- operator of the DHCPv6 server more flexibility in how the DHCPv6
- server responds to individual clients - clients can easily be given
- different configuration information based on their identity, or for
- any other reason. Nothing precludes adding this flexibility to a
- router, but generally in current practice, DHCP servers running on
- general-purpose hosts tend to have more configuration options than
- those that are embedded in routers.
-
- DHCPv6 currently provides a mechanism for reconfiguring DHCPv6
- clients that use stateful configuration assignment. To do this,
- the DHCPv6 server sends a Reconfigure message to the client. The
- client validates the Reconfigure message, and then contacts the
- DHCPv6 server to obtain updated configuration information. Using
- this mechanism, it is currently possible to propagate new
- configuration information to DHCPv6 clients as this information
- changes.
-
- The DHC Working Group is currently studying an additional mechanism
- through which configuration information, including the list of
- RDNSSes, can be updated. The Lifetime Option for DHCPv6 [10],
- assigns a lifetime to configuration information obtained through
- DHCPv6. At the expiration of the lifetime, the host contacts the
- DHCPv6 server to obtain updated configuration information,
- including the list of RDNSSes. This lifetime gives the network
- administrator another mechanism to configure hosts with new RDNSSes
- by controlling the time at which the host refreshes the list.
-
- The DHC Working Group has also discussed the possibility of
- defining an extension to DHCPv6 that would allow the use of
- multicast to provide configuration information to multiple hosts
- with a single DHCPv6 message. Because of the lack of deployment
- experience, the WG has deferred consideration of multicast DHCPv6
- configuration at this time. Experience with DHCPv4 has not
- identified a requirement for multicast message delivery, even in
- large service provider networks with tens of thousands of hosts
- that may initiate a DHCPv4 message exchange simultaneously.
-
-3.2.1 Advantages
-
- The DHCPv6 option for RDNSS has a number of advantages. These
- include:
-
- 1) DHCPv6 currently provides a general mechanism for conveying
- network configuration information to clients. So configuring
- DHCPv6 servers allows the network administrator to configure
- RDNSSes along with the addresses of other network services, as well
- as location-specific information like time zones.
-
-
-
-Jeong, et al. Expires - January 2005 [Page 7]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- 2) As a consequence, when the network administrator goes to
- configure DHCPv6, all the configuration information can be managed
- through a single service, typically with a single user interface
- and a single configuration database.
-
- 3) DHCPv6 allows for the configuration of a host with information
- specific to that host, so that hosts on the same link can be
- configured with different RDNSSes as well as other configuration
- information. This capability is important in some network
- deployments such as service provider networks or WiFi hot spots.
-
- 4) A mechanism exists for extending DHCPv6 to support the
- transmission of additional configuration that has not yet been
- anticipated.
-
- 5) Hosts that require other configuration information such as the
- addresses of SIP servers and NTP servers are likely to need DHCPv6
- for other configuration information.
-
- 6) The specification for configuration of RDNSSes through DHCPv6 is
- available as an RFC. No new protocol extensions such as new
- options are necessary.
-
- 7) Interoperability among independent implementations has been
- demonstrated.
-
-3.2.2 Disadvantages
-
- The DHCPv6 option for RDNSS has a few disadvantages. These
- include:
-
- 1) Update currently requires message from server (however, see
- [10]).
-
- 2) Because DNS information is not contained in RA message, the host
- must receive two messages from the router, and must transmit at
- least one message to the router. On networks where bandwidth is at
- a premium, this is a disadvantage, although on most networks it is
- not a practical concern.
-
- 3) Increased latency for initial configuration - in addition to
- waiting for an RA message, the client must now exchange packets
- with a DHCPv6 server; even if it is locally installed on a router,
- this will slightly extend the time required to configure the client.
- For clients that are moving rapidly from one network to another,
- this will be a disadvantage.
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 8]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
-3.2.3 Observations
-
- In the general case, on general-purpose networks, stateless DHCPv6
- provides significant advantages and no significant disadvantages.
- Even in the case where bandwidth is at a premium and low latency is
- desired, if hosts require other configuration information in
- addition to a list of RDNSSes or if hosts must be configured
- selectively, those hosts will use DHCPv6 and the use of the DHCPv6
- DNS recursive name server option will be advantageous.
-
- However, we are aware of some applications where it would be
- preferable to put the RDNSS information into an RA packet; for
- example, on a cell phone network, where bandwidth is at a premium
- and extremely low latency is desired. The final DNS configuration
- draft should be written so as to allow these special applications
- to be handled using DNS information in the RA packet.
-
-3.3 Well-known Anycast Addresses
-
- First of all, the well-known anycast addresses approach is much
- different from that discussed in IPv6 Working Group in the past.
-
- The approach with well-known anycast addresses is to set well-known
- anycast addresses in clients' resolver configuration files from the
- beginning, say, as factory default. Thus, there is no transport
- mechanism and no packet format [9].
-
- An anycast address is an address shared by multiple servers (in
- this case, the servers are RDNSSes). Request from a client to the
- anycast address is routed to a server selected by the routing
- system. However, it is a bad idea to mandate "site" boundary on
- anycast addresses, because most users just do not have their own
- servers and want to access their ISPs' across their site boundaries.
- Larger sites may also depend on their ISPs or may have their own
- RDNSSes within "site" boundaries.
-
- It should be noted that "anycast" in this memo is simpler than that
- of RFC1546 [11] and RFC3513 [12] where it is assumed to be
- prohibited to have multiple servers on a single link sharing an
- anycast address. That is, on a link, anycast address is assumed to
- be unique. DNS clients today already have redundancy by having
- multiple well-known anycast addresses configured as RDNSS addresses.
- There is no point to have multiple RDNSSes sharing an anycast
- address on a single link.
-
-3.3.1 Advantages
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 9]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- The basic advantage of the well-known addresses approach is that it
- uses no transport mechanism. Thus,
- 1) There is no delay to get response and no further delay by packet
- losses.
-
- 2) The approach can be combined with any other configuration
- mechanisms including but not limited to factory default
- configuration, RA-based approach and DHCP based approach.
-
- 3) The approach works over any environment where DNS works.
-
- Another advantage is that the approach needs to configure DNS
- servers as a router, but nothing else. Considering that DNS
- servers do need configuration, the amount of overall configuration
- effort is proportional to the number of the DNS servers and scales
- linearly. It should be noted that, in the simplest case where a
- subscriber to an ISP does not have any DNS server, the subscriber
- naturally access DNS servers of the ISP even though the subscriber
- and the ISP do nothing and there is no protocol to exchange DNS
- server information between the subscriber and the ISP.
-
-3.3.2 Disadvantages
-
- Well-known anycast addresses approach requires that DNS servers (or
- routers near it as a proxy) act as routers to advertise their
- anycast addresses to the routing system, which requires some
- configuration (see the last paragraph of the previous section on
- the scalability of the effort).
-
-3.3.3 Observations
-
- If other approaches are used in addition, the well-known anycast
- addresses should also be set in RA or DHCP configuration files to
- reduce configuration effort of users.
-
- Redundancy by multiple RDNSSes is better provided by multiple
- servers having different anycast addresses than multiple servers
- sharing same anycast address because the former approach allows
- stale servers to still generate routes to their anycast addresses.
- Thus, in a routing domain (or domains sharing DNS servers), there
- will be only one server having an anycast address unless the domain
- is so large that load distribution is necessary.
-
- Small ISPs will operate one RDNSS at each anycast address which is
- shared by all the subscribers. Large ISPs may operate multiple
- RDNSSes at each anycast address to distribute and reduce load,
- where boundary between RDNSSes may be fixed (redundancy is still
- provided by multiple addresses) or change dynamically. DNS packets
-
-
-Jeong, et al. Expires - January 2005 [Page 10]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- with the well-known anycast addresses are not expected (though not
- prohibited) to cross ISP boundaries, as ISPs are expected to be
- able to take care of themselves.
-
- Because "anycast" in this memo is simpler than that of RFC1546 [11]
- and RFC3513 [12] where it is assumed to be administratively
- prohibited to have multiple servers on a single link sharing an
- anycast address, anycast in this memo should be implemented as
- UNICAST of RFC2461 [3] and RFC3513 [12]. As a result, ND-related
- instability disappears. Thus, anycast in well-known anycast
- addresses approach can and should use the anycast address as a
- source unicast (according to RFC3513 [12]) address of packets of
- UDP and TCP responses. With TCP, if route flips and packets to an
- anycast address are routed to a new server, it is expected that the
- flip is detected by ICMP or sequence number inconsistency and the
- TCP connection is reset and retried.
-
-4. Interworking among IPv6 DNS Configuration Approaches
-
- Three approaches can work together for IPv6 host configuration of
- RDNSS. This section shows a consideration on how these approaches
- can interwork each other.
-
- For ordering between RA and DHCP approaches, O (Other stateful
- configuration) flag in RA message can be used [8]. If no RDNSS
- option is included, an IPv6 Host may perform DNS configuration
- through DHCPv6 [5]-[7] regardless of whether the O flag is set or
- not.
-
- The well-known anycast addresses approach fully interworks with the
- other approaches. That is, the other approaches can remove
- configuration effort on servers by using the well-known addresses
- as the default configuration. Moreover, clients preconfigured with
- well-known anycast addresses can be further configured to use other
- approaches to override the well-known addresses, if configuration
- information from other approaches are available. That is, all the
- clients should have the well-known anycast addresses preconfigured,
- in the case where there are no other mechanisms available. In
- order to fly anycast approach with the other solutions, there are
- three options.
-
- The first option is that well-known addresses are used as last
- resort, when an IPv6 host can not get RDNSS information through RA
- and DHCP. The well-known anycast addresses have to be pre-
- configured in IPv6 hosts' resolver configuration files.
-
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 11]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- The second is that an IPv6 host can configure well-known addresses
- as the most preferable in its configuration file even though either
- RA option or DHCP option is available.
-
- The last is that the well-known anycast addresses can be set in RA
- or DHCP configuration to reduce configuration effort of users.
- According to either RA or DHCP mechanism, the well-known addresses
- can be obtained by IPv6 host. Because this approach is the most
- convenient for users, the last option is recommended.
-
- Note: this section does not necessarily mean this document suggests
- adopting all these three approaches and making them interwork in
- the way described here. In fact, some approaches may even not be
- adopted at all as a result of further discussion.
-
-5. Deployment Scenarios
-
- Regarding DNS configuration on the IPv6 host, several mechanisms
- have being considered at the DNSOP Working Group such as RA option,
- DHCPv6 option and well-known preconfigured anycast addresses as of
- today, and this document is a final result from the long thread.
- In this section, we suggest four applicable scenarios of three
- approaches for IPv6 DNS configuration.
-
- Note: in the applicable scenarios, authors do not implicitly push
- any specific approaches into the restricted environments. No
- enforcement is in each scenario and all mentioned scenarios are
- probable. The main objective of this work is to provide a useful
- guideline of IPv6 DNS configuration.
-
-5.1 ISP Network
-
- A characteristic of ISP network is that multiple Customer Premises
- Equipment (CPE) devices are connected to IPv6 PE (Provider Edge)
- routers and each PE connects multiple CPE devices to the backbone
- network infrastructure [13]. The CPEs may be hosts or routers.
-
- In the case where the CPE is a router, there is a customer network
- that is connected to the ISP backbone through the CPE. Typically,
- each customer network gets a different IPv6 prefix from an IPv6 PE
- router, but the same RDNSS configuration will be distributed.
-
- This section discusses how the different approaches to distributing
- DNS information are compared in an ISP network.
-
-5.1.1 RA Option Approach
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 12]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- When the CPE is a host, the RA option for RDNSS can be used to
- allow the CPE to get RDNSS information as well as /64 prefix
- information for stateless address autoconfiguration at the same
- time when the host is attached to a new subnet [8]. Because an
- IPv6 host must receive at least one RA message for stateless
- address autoconfiguration and router configuration, the host could
- receive RDNSS configuration information in that RA without the
- overhead of an additional message exchange.
-
- When the CPE is a router, the CPE may accept the RDNSS information
- from the RA on the interface connected to the ISP, and copy that
- information into the RAs advertised in the customer network.
-
- This approach is more valuable in the mobile host scenario, in
- which the host must receive at least an RA message for detecting a
- new network, than in other scenarios generally although
- administrator should configure RDNSS information on the routers.
- Secure ND [14] can provide extended security when using RA message.
-
-5.1.2 DHCPv6 Option Approach
-
- DHCPv6 can be used for RDNSS configuration through the use of the
- DNS option, and can provide other configuration information in the
- same message with RDNSS configuration [5]-[7]. DHCPv6 DNS option
- is already in place for DHCPv6 as RFC 3646 [7] and moreover DHCPv6-
- lite or stateless DHCP [6] is nowhere as complex as a full DHCPv6
- implementation. DHCP is a client-server model protocol, so ISP can
- handle user identification on its network intentionally, and also
- authenticated DHCP [15] can be used for secure message exchange.
-
- The expected model for deployment of IPv6 service by ISPs is to
- assign a prefix to each customer, which will be used by the
- customer gateway to assign a /64 prefix to each network in the
- customer's network. Prefix delegation with DHCP (DHCPv6 PD) has
- already been adopted by ISPs for automating the assignment of the
- customer prefix to the customer gateway [17]. DNS configuration
- can be carried in the same DHCPv6 message exchange used for DHCPv6
- to efficiently provide that information, along with any other
- configuration information needed by the customer gateway or
- customer network. This service model can be useful to Home or SOHO
- subscribers. The Home or SOHO gateway, which is a customer gateway
- for ISP, can then pass that RDNSS configuration information to the
- hosts in the customer network through DHCP.
-
-5.1.3 Well-known Addresses Approach
-
- Well-known anycast addresses approach is also a feasible and simple
- mechanism for ISP [9]. The use of well-known anycast addresses
-
-
-Jeong, et al. Expires - January 2005 [Page 13]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- avoids some of the security risks in rogue messages sent through an
- external protocol like RA or DHCPv6. The configuration of hosts
- for the use of well-known anycast addresses requires no protocol or
- manual configuration, but the configuration of routing for the
- anycast addresses requires intervention on the part of the network
- administrator. Also, the number of special addresses would be
- equal to the number of RDNSSes that could be made available to
- subscribers.
-
-5.2 Enterprise Network
-
- Enterprise network is defined as a network that has multiple
- internal links, one or more router connections, to one or more
- Providers and is actively managed by a network operations entity
- [16]. An enterprise network can get network prefixes from ISP by
- either manual configuration or prefix delegation [17]. In most
- cases, because an enterprise network manages its own DNS domains,
- it operates its own DNS servers for the domains. These DNS servers
- within enterprise network process recursive DNS name resolution
- requests of IPv6 hosts as RDNSS. RDNSS configuration in enterprise
- network can be performed like in Section 4, in which three
- approaches can be used together.
-
- IPv6 host can decide which approach is or may be used in its subnet
- with O flag in RA message [8]. As the first option in Section 4,
- well-known anycast addresses can be used as a last resort when
- RDNSS information can not be obtained through either RA option or
- DHCP option. This case needs IPv6 hosts to preconfigure the well-
- known anycast addresses in their DNS configuration files.
-
- When the enterprise prefers well-known anycast approach to the
- others, IPv6 hosts should preconfigure the well-known anycast
- addresses like in the first option.
-
- The last option, a more convenient and transparent way, does not
- need IPv6 hosts to preconfigure the well-known anycast addresses
- because the addresses are delivered to IPv6 hosts through either RA
- option or DHCPv6 option as if they were unicast addresses. This
- way is most recommended for the sake of user's convenience.
-
-5.3 3GPP Network
-
- IPv6 DNS configuration is a missing part of IPv6 autoconfiguration
- and an important part of the basic IPv6 functionality in the 3GPP
- User Equipment (UE). Higher level description of the 3GPP
- architecture can be found in [18], and transition to IPv6 in 3GPP
- networks is analyzed in [19] and [20].
-
-
-
-Jeong, et al. Expires - January 2005 [Page 14]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- In 3GPP architecture, there is a dedicated link between the UE and
- the GGSN called the Packet Data Protocol (PDP) Context. This link
- is created through the PDP Context activation procedure [21].
- There is a separate PDP context type for IPv4 and IPv6 traffic. If
- a 3GPP UE user is communicating using IPv6 (having an active IPv6
- PDP context), it can not be assumed that (s)he has simultaneously
- active IPv4 PDP context, and DNS queries could be done using IPv4.
- A 3GPP UE can thus be an IPv6 node, and it needs to somehow
- discover the address of the RDNSS. Before IP-based services (e.g.,
- web browsing or e-mail) can be used, the IPv6 (and IPv4) RDNSS
- addresses need to be discovered in the 3GPP UE.
-
- Section 5.3.1 briefly summarizes currently available mechanisms in
- 3GPP networks and recommendations. 5.3.2 analyzes the Router
- Advertisement based solution, 5.3.3 analyzes the Stateless DHCPv6
- mechanism, and 5.3.4 analyzes the Well-known addresses approach.
- Section 5.3.5 finally summarizes the recommendations.
-
-5.3.1 Currently Available Mechanisms and Recommendations
-
- 3GPP has defined a mechanism, in which RDNSS addresses can be
- received in the PDP context activation (a control plane mechanism).
- That is called the Protocol Configuration Options Information
- Element (PCO-IE) mechanism [22]. The RDNSS addresses can also be
- received over the air (using text messages), or typed in manually
- in the UE. Note that the two last mechanisms are not very well
- scalable. The UE user most probably does not want to type IPv6
- RDNSS addresses manually in his/her UE. The use of well-known
- addresses is briefly discussed in section 5.3.4.
-
- It is seen that the mechanisms above most probably are not
- sufficient for the 3GPP environment. IPv6 is intended to operate
- in a zero-configuration manner, no matter what the underlying
- network infrastructure is. Typically, the RDNSS address is needed
- to make an IPv6 node operational - and the DNS configuration should
- be as simple as the address autoconfiguration mechanism. It must
- also be noted that there will be additional IP interfaces in some
- near future 3GPP UEs, e.g., Wireless LAN (WLAN), and 3GPP-specific
- DNS configuration mechanisms (such as PCO-IE [22]) do not work for
- those IP interfaces. In other words, a good IPv6 DNS configuration
- mechanism should also work in a multi-access network environment.
-
- From 3GPP point of view, the best IPv6 DNS configuration solution
- is feasible for a very large number of IPv6-capable UEs (can be
- even hundreds of millions in one operator's network), is automatic
- and thus requires no user action. It is suggested to standardize a
- lightweight, stateless mechanism that works in all network
- environments. The solution could then be used for 3GPP, 3GPP2,
-
-
-Jeong, et al. Expires - January 2005 [Page 15]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- WLAN and other access network technologies. A light, stateless
- IPv6 DNS configuration mechanism is thus not only needed in 3GPP
- networks, but also 3GPP networks and UEs would certainly benefit
- from the new mechanism.
-
-5.3.2 RA Extension
-
- Router Advertisement extension [8] is a lightweight IPv6 DNS
- configuration mechanism that requires minor changes in 3GPP UE IPv6
- stack and Gateway GPRS Support Node (GGSN, the default router in
- the 3GPP architecture) IPv6 stack. This solution can be specified
- in the IETF (no action needed in the 3GPP) and taken in use in 3GPP
- UEs and GGSNs.
-
- In this solution, an IPv6-capable UE configures DNS information
- via RA message sent by its default router (GGSN), i.e., RDNSS
- option for recursive DNS server is included in the RA message.
- This solution is easily scalable for a very large number of UEs.
- The operator can configure the RDNSS addresses in the GGSN as a
- part of normal GGSN configuration. The IPv6 RDNSS address is
- received in the Router Advertisement, and an extra Round Trip Time
- (RTT) for asking RDNSS addresses can be avoided.
-
- If thinking about cons, this mechanism still requires
- standardization effort in the IETF, and the end nodes and routers
- need to support this mechanism. The equipment software update
- should, however, be pretty straightforward, and new IPv6 equipment
- could support RA extension already from the beginning.
-
-5.3.3 Stateless DHCPv6
-
- DHCPv6-based solution needs the implementation of Stateless DHCP
- [6] and DHCPv6 DNS options [7] in the UE, and a DHCPv6 server in
- the operator's network. A possible configuration is such that the
- GGSN works as a DHCP relay.
-
- Pros for Stateless DHCPv6-based solution are
- 1) Stateless DHCPv6 is a standardized mechanism.
-
- 2) DHCPv6 can be used for receiving other configuration information
- than RDNSS addresses, e.g., SIP server addresses.
-
- 3) DHCPv6 works in different network environments.
-
- 4) When DHCPv6 service is deployed through a single, centralized
- server, the RDNSS configuration information can be updated by the
- network administrator at a single source.
-
-
-
-Jeong, et al. Expires - January 2005 [Page 16]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- Some issues with DHCPv6 in 3GPP networks are listed below:
- 1) DHCPv6 requires an additional server in the network unless the
- (Stateless) DHCPv6 functionality is integrated into an existing
- router already, and it is one box more to be maintained.
-
- 2) DHCPv6 is not necessarily needed for 3GPP UE IPv6 addressing
- (3GPP Stateless Address Autoconfiguration is typically used), and
- not automatically implemented in 3GPP IPv6 UEs.
-
- 3) Scalability and reliability of DHCPv6 in very large 3GPP
- networks (with tens or hundreds of millions of UEs) may be an issue,
- at least the redundancy needs to be taken care of. However, if the
- DHCPv6 service is integrated into the network elements, such as
- router operating system, scalability and reliability is comparable
- with other DNS configuration approaches.
-
- 4) It is sub-optimal to utilize the radio resources in 3GPP
- networks for DHCPv6 messages if there is a simpler alternative
- available.
-
- a) Use of Stateless DHCPv6 adds one round trip delay to the case
- in which the UE can start transmitting data right after the
- Router Advertisement.
-
- 5) If the DNS information (suddenly) changes, Stateless DHCPv6 can
- not automatically update the UE, see [23].
-
-5.3.4 Well-known Addresses
-
- Using well-known addresses is also a feasible and a light mechanism
- for 3GPP UEs. Those well-known addresses can be preconfigured in
- the UE software and the operator makes the corresponding
- configuration on the network side. So this is a very easy
- mechanism for the UE, but requires some configuration work in the
- network. When using well-known addresses, UE forwards queries to
- any of the preconfigured addresses. In the current proposal [9],
- IPv6 anycast addresses are suggested.
-
- Note: IPv6 DNS configuration proposal based on the use of well-
- known site-local addresses developed at the IPv6 Working Group was
- seen as a feasible mechanism for 3GPP UEs, but opposition by some
- people in the IETF and finally deprecating IPv6 site-local
- addresses made it impossible to standardize it. Note that this
- mechanism is implemented in some existing operating systems today
- (also in some 3GPP UEs) as a last resort of IPv6 DNS configuration.
-
-5.3.5 Recommendations
-
-
-
-Jeong, et al. Expires - January 2005 [Page 17]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- It is suggested that a lightweight, stateless DNS configuration
- mechanism is specified as soon as possible. From 3GPP UE's and
- networks' point of view, Router Advertisement based mechanism looks
- most promising. The sooner a light, stateless mechanism is
- specified, the sooner we can get rid of using well-known site-local
- addresses for IPv6 DNS configuration.
-
-5.4 Unmanaged Network
-
- There are 4 deployment scenarios of interest in unmanaged networks
- [24]:
-
- 1) A gateway which does not provide IPv6 at all;
-
- 2) A dual-stack gateway connected to a dual-stack ISP;
-
- 3) A dual-stack gateway connected to an IPv4-only ISP; and
-
- 4) A gateway connected to an IPv6-only ISP.
-
-5.4.1 Case A: Gateway does not provide IPv6 at all
-
- In this case, the gateway does not provide IPv6; the ISP may or may
- not provide IPv6. Automatic or Configured tunnels are the
- recommended transition mechanisms for this scenario.
-
- The case where dual-stack hosts behind an NAT, that need access to
- an IPv6 RDNSS, can not be entirely ruled out. The DNS
- configuration mechanism has to work over the tunnel, and the
- underlying tunneling mechanism could be implementing NAT traversal.
- The tunnel server assumes the role of a relay (both for DHCP and
- Well-known anycast addresses approaches).
-
- RA-based mechanism is relatively straightforward in its operation,
- assuming the tunnel server is also the IPv6 router emitting RAs.
- Well-known anycast addresses approach seems also simple in
- operation across the tunnel, but the deployment model using Well-
- known anycast addresses in a tunneled environment is unclear or not
- well understood.
-
-5.4.2 Case B: A dual-stack gateway connected to a dual-stack ISP
-
- This is similar to a typical IPv4 home user scenario, where DNS
- configuration parameters are obtained using DHCP. Except that
- Stateless DHCPv6 is used, as opposed to the IPv4 scenario where the
- DHCP server is stateful (maintains the state for clients).
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 18]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
-5.4.3 Case C: A dual-stack gateway connected to an IPv4-only ISP
-
- This is similar to Case B. If a gateway provides IPv6 connectivity
- by managing tunnels, then it is also supposed to provide access to
- an RDNSS. Like this, the tunnel for IPv6 connectivity originates
- from the dual-stack gateway instead of the host.
-
-5.4.4 Case D: A gateway connected to an IPv6-only ISP
-
- This is similar to Case B.
-
-6. Security Considerations
-
- As security requirements depend solely on applications and are
- different application by application, there can be no generic
- requirement defined at higher IP or lower application layer of DNS.
-
- However, it should be noted that cryptographic security requires
- configured secret information that full autoconfiguration and
- cryptographic security are mutually exclusive. People insisting on
- secure full autoconfiguration will get false security, false
- autoconfiguration or both.
-
- In some deployment scenario [19], where cryptographic security is
- required for applications, secret information for the cryptographic
- security is preconfigured through which application specific
- configuration data, including those for DNS, can be securely
- configured. It should be noted that if applications requiring
- cryptographic security depend on DNS, the applications also require
- cryptographic security to DNS. Therefore, the full auto-
- configuration of DNS is not acceptable.
-
- However, with full autoconfiguration, weaker but still reasonable
- security is being widely accepted and will continue to be
- acceptable. That is, with full autoconfiguration, which means
- there is no cryptographic security for the autoconfiguration, it is
- already assumed that local environment is secure enough that
- information from local autoconfiguration server has acceptable
- security even without cryptographic security. Thus, communication
- between a local DNS client and a local DNS server has the
- acceptable security.
-
- For security considerations of each approach, refer to the
- corresponding drafts [5]-[9].
-
-7. Acknowledgements
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 19]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- This draft has greatly benefited from inputs by David Meyer, Rob
- Austein, Tatuya Jinmei, Pekka Savola, Tim Chown, Luc Beloeil,
- Christian Huitema, and Thomas Narten. The authors appreciate their
- contribution.
-
-8. Normative References
-
- [1] S. Bradner, "Intellectual Property Rights in IETF Technology",
- RFC 3668, February 2004.
-
- [2] S. Bradner, "IETF Rights in Contributions", RFC 3667, February
- 2004.
-
- [3] T. Narten, E. Nordmark and W. Simpson, "Neighbor Discovery for
- IP Version 6 (IPv6)", RFC 2461, December 1998.
-
- [4] S. Thomson and T. Narten, "IPv6 Stateless Address
- Autoconfiguration", RFC 2462, December 1998.
-
- [5] R. Droms et al., "Dynamic Host Configuration Protocol for IPv6
- (DHCPv6)", RFC 3315, July 2003.
-
- [6] R. Droms, "Stateless Dynamic Host Configuration Protocol
- (DHCP) Service for IPv6", RFC 3736, April 2004.
-
- [7] R. Droms et al., "DNS Configuration options for Dynamic Host
- Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December
- 2003.
-
-9. Informative References
-
- [8] J. Jeong, S. Park, L. Beloeil and S. Madanapalli, "IPv6 DNS
- Discovery based on Router Advertisement", draft-jeong-dnsop-
- ipv6-dns-discovery-02.txt, July 2004.
-
- [9] M. Ohta, "Preconfigured DNS Server Addresses", draft-ohta-
- preconfigured-dns-01.txt, February 2004.
-
- [10] S. Venaas and T. Chown, "Lifetime Option for DHCPv6", draft-
- ietf-dhc-lifetime-00.txt, March 2004.
-
- [11] C. Partridge, T. Mendez and W. Milliken, "Host Anycasting
- Service", RFC 1546, November 1993.
-
- [12] R. Hinden and S. Deering, "Internet Protocol Version 6 (IPv6)
- Addressing Architecture", RFC 3513, April 2003.
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 20]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- [13] M. Lind et al., "Scenarios and Analysis for Introduction IPv6
- into ISP Networks", draft-ietf-v6ops-isp-scenarios-analysis-
- 02.txt, April 2004.
-
- [14] J. Arkko et al., "SEcure Neighbor Discovery (SEND)", draft-
- ietf-send-ndopt-05.txt, April 2004.
-
- [15] R. Droms and W. Arbaugh, "Authentication for DHCP Messages",
- RFC 3118, June 2001.
-
- [16] J. Bound et al., "IPv6 Enterprise Network Scenarios", draft-
- ietf-v6ops-ent-scenarios-01.txt, February 2004.
-
- [17] O. Troan and R. Droms, "IPv6 Prefix Options for Dynamic Host
- Configuration Protocol (DHCP) version 6", RFC 3633, December
- 2003.
-
- [18] M. Wasserman, Ed., "Recommendations for IPv6 in 3GPP
- Standards", RFC 3314, September 2002.
-
- [19] J. Soininen, Ed., "Transition Scenarios for 3GPP Networks",
- RFC 3574, August 2003.
-
- [20] J. Wiljakka, Ed., "Analysis on IPv6 Transition in 3GPP
- Networks", draft-ietf-v6ops-3gpp-analysis-09.txt, March 2004.
-
- [21] 3GPP TS 23.060 V5.4.0, "General Packet Radio Service (GPRS);
- Service description; Stage 2 (Release 5)", December 2002.
-
- [22] 3GPP TS 24.008 V5.8.0, "Mobile radio interface Layer 3
- specification; Core network protocols; Stage 3 (Release 5)",
- June 2003.
-
- [23] T. Chown, S. Venaas and A. Vijayabhaskar, "Renumbering
- Requirements for Stateless DHCPv6", draft-ietf-dhc-stateless-
- dhcpv6-renumbering-00.txt, March 2004.
-
- [24] C. Huitema et al., "Unmanaged Networks IPv6 Transition
- Scenarios", RFC 3750, April 2004.
-
-10. Authors' Addresses
-
- Jaehoon Paul Jeong, Editor
- ETRI / PEC
- 161 Gajeong-dong, Yuseong-gu
- Daejeon 305-350
- Korea
-
-
-
-Jeong, et al. Expires - January 2005 [Page 21]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- Phone: +82 42 860 1664
- Fax: +82 42 861 5404
- EMail: paul@etri.re.kr
-
- Ralph Droms
- Cisco Systems
- 1414 Massachusetts Ave.
- Boxboro, MA 01719
- USA
-
- Phone: +1 978 936 1674
- EMail: rdroms@cisco.com
-
- Robert M. Hinden
- Nokia
- 313 Fairchild Drive
- Mountain View, CA 94043
- USA
-
- Phone: +1 650 625 2004
- EMail: bob.hinden@nokia.com
-
- Ted Lemon
- Nominum, Inc.
- 950 Charter Street
- Redwood City, CA 94043
- USA
-
- EMail: Ted.Lemon@nominum.com
-
- Masataka Ohta
- Graduate School of Information Science and Engineering
- Tokyo Institute of Technology
- 2-12-1, O-okayama, Meguro-ku
- Tokyo 152-8552
- Japan
-
- Phone: +81 3 5734 3299
- Fax: +81 3 5734 3299
- EMail: mohta@necom830.hpcl.titech.ac.jp
-
- Soohong Daniel Park
- Mobile Platform Laboratory, SAMSUNG Electronics
- 416, Maetan-3dong, Paldal-gu, Suwon
- Gyeonggi-Do
- Korea
-
- Phone: +82 31 200 4508
-
-
-Jeong, et al. Expires - January 2005 [Page 22]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- EMail: soohong.park@samsung.com
-
- Suresh Satapati
- Cisco Systems, Inc.
- San Jose, CA 95134
- USA
-
- EMail: satapati@cisco.com
-
- Juha Wiljakka
- Nokia
- Visiokatu 3
- FIN-33720 TAMPERE
- Finland
-
- Phone: +358 7180 48372
- EMail: juha.wiljakka@nokia.com
-
-Intellectual Property Statement
-
- The following intellectual property notice is copied from RFC3668,
- Section 5.
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed
- to pertain to the implementation or use of the technology described
- in this document or the extent to which any license under such
- rights might or might not be available; nor does it represent that
- it has made any independent effort to identify any such rights.
- Information on the procedures with respect to rights in RFC
- documents can be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use
- of such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository
- at http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Full Copyright Statement
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 23]
-
-Internet-Draft IPv6 Host Configuration of DNS Server July 2004
-
-
- The following copyright notice is copied from RFC3667, Section 5.4.
- It describes the applicable copyright for this document.
-
- Copyright (C) The Internet Society (2004). This document is
- subject to the rights, licenses and restrictions contained in BCP
- 78, and except as set forth therein, the authors retain all their
- rights.
-
- This document and the information contained herein are provided on
- an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
- EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
- THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
- ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
- PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong, et al. Expires - January 2005 [Page 24]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-06.txt
deleted file mode 100644
index bf2afcdfb3ac..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-06.txt
+++ /dev/null
@@ -1,1848 +0,0 @@
-
-
-
-DNS Operations WG J. Jeong, Ed.
-Internet-Draft ETRI/University of Minnesota
-Expires: November 6, 2005 May 5, 2005
-
-
- IPv6 Host Configuration of DNS Server Information Approaches
- draft-ietf-dnsop-ipv6-dns-configuration-06.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on November 6, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document describes three approaches for IPv6 recursive DNS
- server address configuration. It details the operational attributes
- of three solutions: RA option, DHCPv6 option, and Well-known anycast
- addresses for recursive DNS servers. Additionally, it suggests the
- deployment scenarios in four kinds of networks, such as ISP,
- Enterprise, 3GPP, and Unmanaged networks, considering multi-solution
- resolution. Therefore, this document will give the audience a
-
-
-
-Jeong Expires November 6, 2005 [Page 1]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- guideline for IPv6 host DNS configuration.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 2]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 3. IPv6 DNS Configuration Approaches . . . . . . . . . . . . . . 7
- 3.1 RA Option . . . . . . . . . . . . . . . . . . . . . . . . 7
- 3.1.1 Advantages . . . . . . . . . . . . . . . . . . . . . . 8
- 3.1.2 Disadvantages . . . . . . . . . . . . . . . . . . . . 8
- 3.1.3 Observations . . . . . . . . . . . . . . . . . . . . . 9
- 3.2 DHCPv6 Option . . . . . . . . . . . . . . . . . . . . . . 9
- 3.2.1 Advantages . . . . . . . . . . . . . . . . . . . . . . 11
- 3.2.2 Disadvantages . . . . . . . . . . . . . . . . . . . . 12
- 3.2.3 Observations . . . . . . . . . . . . . . . . . . . . . 12
- 3.3 Well-known Anycast Addresses . . . . . . . . . . . . . . . 12
- 3.3.1 Advantages . . . . . . . . . . . . . . . . . . . . . . 13
- 3.3.2 Disadvantages . . . . . . . . . . . . . . . . . . . . 14
- 3.3.3 Observations . . . . . . . . . . . . . . . . . . . . . 14
- 4. Interworking among IPv6 DNS Configuration Approaches . . . . . 15
- 5. Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . 16
- 5.1 ISP Network . . . . . . . . . . . . . . . . . . . . . . . 16
- 5.1.1 RA Option Approach . . . . . . . . . . . . . . . . . . 16
- 5.1.2 DHCPv6 Option Approach . . . . . . . . . . . . . . . . 17
- 5.1.3 Well-known Anycast Addresses Approach . . . . . . . . 17
- 5.2 Enterprise Network . . . . . . . . . . . . . . . . . . . . 17
- 5.3 3GPP Network . . . . . . . . . . . . . . . . . . . . . . . 18
- 5.3.1 Currently Available Mechanisms and Recommendations . . 19
- 5.3.2 RA Extension . . . . . . . . . . . . . . . . . . . . . 19
- 5.3.3 Stateless DHCPv6 . . . . . . . . . . . . . . . . . . . 20
- 5.3.4 Well-known Addresses . . . . . . . . . . . . . . . . . 21
- 5.3.5 Recommendations . . . . . . . . . . . . . . . . . . . 21
- 5.4 Unmanaged Network . . . . . . . . . . . . . . . . . . . . 22
- 5.4.1 Case A: Gateway does not provide IPv6 at all . . . . . 22
- 5.4.2 Case B: A dual-stack gateway connected to a
- dual-stack ISP . . . . . . . . . . . . . . . . . . . . 22
- 5.4.3 Case C: A dual-stack gateway connected to an
- IPv4-only ISP . . . . . . . . . . . . . . . . . . . . 22
- 5.4.4 Case D: A gateway connected to an IPv6-only ISP . . . 23
- 6. Security Considerations . . . . . . . . . . . . . . . . . . . 24
- 6.1 RA Option . . . . . . . . . . . . . . . . . . . . . . . . 25
- 6.2 DHCPv6 Option . . . . . . . . . . . . . . . . . . . . . . 25
- 6.3 Well-known Anycast Addresses . . . . . . . . . . . . . . . 25
- 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 26
- 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 28
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 29
- 9.1 Normative References . . . . . . . . . . . . . . . . . . . 29
- 9.2 Informative References . . . . . . . . . . . . . . . . . . 29
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . 31
- A. Link-layer Multicast Acknowledgements for RA Option . . . . . 32
-
-
-
-Jeong Expires November 6, 2005 [Page 3]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- Intellectual Property and Copyright Statements . . . . . . . . 33
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 4]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-1. Introduction
-
- Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address
- Autoconfiguration provide the ways to configure either fixed or
- mobile nodes with one or more IPv6 addresses, default routes and some
- other parameters [3][4]. To support the access to additional
- services in the Internet that are identified by a DNS name, such as a
- web server, the configuration of at least one recursive DNS server is
- also needed for DNS name resolution.
-
- This document describes three approaches of recursive DNS server
- address configuration for IPv6 host: (a) RA option [8], (b) DHCPv6
- option [5]-[7], and (c) Well-known anycast addresses for recursive
- DNS servers [9]. Also, it suggests the applicable scenarios for four
- kinds of networks: (a) ISP network, (b) Enterprise network, (c) 3GPP
- network, and (d) Unmanaged network.
-
- This document is just an analysis of each possible approach, and does
- not make any recommendation on a particular one or on a combination
- of particular ones. Some approaches may even not be adopted at all
- as a result of further discussion.
-
- Therefore, the objective of this document is to help the audience
- select the approaches suitable for IPv6 host configuration of
- recursive DNS servers.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 5]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-2. Terminology
-
- This document uses the terminology described in [3]-[9]. In
- addition, a new term is defined below:
-
- o Recursive DNS Server (RDNSS): A Recursive DNS Server is a name
- server that offers the recursive service of DNS name resolution.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 6]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-3. IPv6 DNS Configuration Approaches
-
- In this section, the operational attributes of the three solutions
- are described in detail.
-
-3.1 RA Option
-
- The RA approach is to define a new ND option called the RDNSS option
- that contains a recursive DNS server address. Existing ND transport
- mechanisms (i.e., advertisements and solicitations) are used. This
- works in the same way that nodes learn about routers and prefixes.
- An IPv6 host can configure the IPv6 addresses of one or more RDNSSes
- via RA message periodically sent by a router or solicited by a Router
- Solicitation (RS) [8].
-
- This approach needs RDNSS information to be configured in the routers
- doing the advertisements. The configuration of RDNSS addresses can
- be performed manually by an operator or other ways, such as automatic
- configuration through a DHCPv6 client running on the router. When
- advertising more than one RDNSS option, an RA message includes as
- many RDNSS options as RDNSSes.
-
- Through the ND protocol and RDNSS option along with a prefix
- information option, an IPv6 host can perform its network
- configuration of its IPv6 address and RDNSS simultaneously [3][4].
- The RA option for RDNSS can be used on any network that supports the
- use of ND.
-
- However, it is worth noting that some link layers, such as Wireless
- LANs (e.g., IEEE 802.11 a/b/g), do not support reliable multicast,
- which means that they cannot guarantee the timely delivery of RA
- messages [25]-[28]. This is discussed in Appendix A.
-
- The RA approach is useful in some mobile environments where the
- addresses of the RDNSSes are changing because the RA option includes
- a lifetime field that allows client to use RDNSSes nearer to the
- client. This can be configured to a value that will require the
- client to time out the entry and switch over to another RDNSS address
- [8]. However, from the viewpoint of implementation, the lifetime
- field would seem to make matters a bit more complex. Instead of just
- writing to a DNS configuration file, such as resolv.conf for the list
- of RDNSS addresses, we have to have a daemon around (or a program
- that is called at the defined intervals) that keeps monitoring the
- lifetime of RDNSSes all the time.
-
- The preference value of RDNSS, included in the RDNSS option, allows
- IPv6 hosts to select primary RDNSS among several RDNSSes; this can be
- used for the load balancing of RDNSSes [8].
-
-
-
-Jeong Expires November 6, 2005 [Page 7]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-3.1.1 Advantages
-
- The RA option for RDNSS has a number of advantages. These include:
-
- 1. The RA option is an extension of existing ND/Autoconfig
- mechanisms [3][4], and does not require a change in the base ND
- protocol.
-
- 2. This approach, like ND, works well on a variety of link types
- including point-to-point links, point-to-multipoint, and
- multipoint-to-multipoint (i.e., Ethernet LANs), etc. RFC 2461
- [3] states, however, that there may be some link types on which
- ND is not feasible; on such links, some other mechanisms will be
- needed for DNS configuration.
-
- 3. All of the information a host needs to run the basic Internet
- applications such as the email, web, ftp, etc., can be obtained
- with the addition of this option to ND and address
- autoconfiguration. The use of a single mechanism is more
- reliable and easier to provide than when the RDNSS information is
- learned via another protocol mechanism. Debugging problems when
- multiple protocol mechanisms are being used is harder and much
- more complex.
-
- 4. This mechanism works over a broad range of scenarios and
- leverages IPv6 ND. This works well on links that support
- broadcast reliably (e.g., Ethernet LANs) but not necessarily on
- other links (e.g., Wireless LANs): Refer to Appendix A. Also,
- this works well on links that are high performance (e.g.,
- Ethernet LANs) and low performance (e.g., Cellular networks). In
- the latter case, by combining the RDNSS information with the
- other information in the RA, the host can learn all of the
- information needed to use most Internet applications, such as the
- web in a single packet. This not only saves bandwidth where this
- is an issue, but also minimizes the delay needed to learn the
- RDNSS information.
-
- 5. The RA approach could be used as a model for other similar types
- of configuration information. New RA options for other server
- addresses, such as NTP server address, that are common to all
- clients on a subnet would be easy to define.
-
-
-3.1.2 Disadvantages
-
- 1. ND is mostly implemented in the kernel of operating system.
- Therefore, if ND supports the configuration of some additional
- services, such as DNS servers, ND should be extended in the
-
-
-
-Jeong Expires November 6, 2005 [Page 8]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- kernel, and complemented by a user-land process. DHCPv6,
- however, has more flexibility for the extension of service
- discovery because it is an application layer protocol.
-
- 2. The current ND framework should be modified to facilitate the
- synchronization between another ND cache for RDNSSes in the
- kernel space and the DNS configuration file in the user space.
- Because it is unacceptable to write and rewrite to the DNS
- configuration file (e.g., resolv.conf) from the kernel, another
- approach is needed. One simple approach to solve this is to have
- a daemon listening to what the kernel conveys, and to have the
- daemon do these steps, but such a daemon is not needed with the
- current ND framework.
-
- 3. It is necessary to configure RDNSS addresses at least at one
- router on every link where this information needs to be
- configured via the RA option.
-
-
-3.1.3 Observations
-
- The proposed RDNSS RA option along with the IPv6 ND and
- Autoconfiguration allows a host to obtain all of the information it
- needs to access the basic Internet services like the web, email, ftp,
- etc. This is preferable in the environments where hosts use RAs to
- autoconfigure their addresses and all the hosts on the subnet share
- the same router and server addresses. If the configuration
- information can be obtained from a single mechanism, it is preferable
- because it does not add additional delay, and it uses a minimum of
- bandwidth. The environments like this include the homes, public
- cellular networks, and enterprise environments where no per host
- configuration is needed, but exclude public WLAN hot spots.
-
- DHCPv6 is preferable where it is being used for address configuration
- and if there is a need for host specific configuration [5]-[7]. The
- environments like this are most likely to be the enterprise
- environments where the local administration chooses to have per host
- configuration control.
-
-Note
-
- The observation section is based on what the proponents of each
- approach think makes a good overall solution.
-
-3.2 DHCPv6 Option
-
- DHCPv6 [5] includes the "DNS Recursive Name Server" option, through
- which a host can obtain a list of IP addresses of recursive DNS
-
-
-
-Jeong Expires November 6, 2005 [Page 9]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- servers [7]. The DNS Recursive Name Server option carries a list of
- IPv6 addresses of RDNSSes to which the host may send DNS queries.
- The DNS servers are listed in the order of preference for use by the
- DNS resolver on the host.
-
- The DNS Recursive Name Server option can be carried in any DHCPv6
- Reply message, in response to either a Request or an Information
- request message. Thus, the DNS Recursive Name Server option can be
- used either when DHCPv6 is used for address assignment, or when
- DHCPv6 is used only for other configuration information as stateless
- DHCPv6 [6].
-
- Stateless DHCPv6 can be deployed either using DHCPv6 servers running
- on general-purpose computers, or on router hardware. Several router
- vendors currently implement stateless DHCPv6 servers. Deploying
- stateless DHCPv6 in routers has the advantage that no special
- hardware is required, and should work well for networks where DHCPv6
- is needed for very straightforward configuration of network devices.
-
- However, routers can also act as DHCPv6 relay agents. In this case,
- the DHCPv6 server need not be on the router - it can be on a general
- purpose computer. This has the potential to give the operator of the
- DHCPv6 server more flexibility in how the DHCPv6 server responds to
- individual clients - clients can easily be given different
- configuration information based on their identity, or for any other
- reason. Nothing precludes adding this flexibility to a router, but
- generally in current practice, DHCP servers running on general-
- purpose hosts tend to have more configuration options than those that
- are embedded in routers.
-
- DHCPv6 currently provides a mechanism for reconfiguring DHCPv6
- clients that use a stateful configuration assignment. To do this,
- the DHCPv6 server sends a Reconfigure message to the client. The
- client validates the Reconfigure message, and then contacts the
- DHCPv6 server to obtain updated configuration information. Using
- this mechanism, it is currently possible to propagate new
- configuration information to DHCPv6 clients as this information
- changes.
-
- The DHC Working Group is currently studying an additional mechanism
- through which configuration information, including the list of
- RDNSSes, can be updated. The lifetime option for DHCPv6 [10] assigns
- a lifetime to configuration information obtained through DHCPv6. At
- the expiration of the lifetime, the host contacts the DHCPv6 server
- to obtain updated configuration information, including the list of
- RDNSSes. This lifetime gives the network administrator another
- mechanism to configure hosts with new RDNSSes by controlling the time
- at which the host refreshes the list.
-
-
-
-Jeong Expires November 6, 2005 [Page 10]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- The DHC Working Group has also discussed the possibility of defining
- an extension to DHCPv6 that would allow the use of multicast to
- provide configuration information to multiple hosts with a single
- DHCPv6 message. Because of the lack of deployment experience, the WG
- has deferred consideration of multicast DHCPv6 configuration at this
- time. Experience with DHCPv4 has not identified a requirement for
- multicast message delivery, even in large service provider networks
- with tens of thousands of hosts that may initiate a DHCPv4 message
- exchange simultaneously.
-
-3.2.1 Advantages
-
- The DHCPv6 option for RDNSS has a number of advantages. These
- include:
-
- 1. DHCPv6 currently provides a general mechanism for conveying
- network configuration information to clients. So configuring
- DHCPv6 servers allows the network administrator to configure
- RDNSSes along with the addresses of other network services, as
- well as location-specific information like time zones.
-
- 2. As a consequence, when the network administrator goes to
- configure DHCPv6, all the configuration information can be
- managed through a single service, typically with a single user
- interface and a single configuration database.
-
- 3. DHCPv6 allows for the configuration of a host with information
- specific to that host, so that hosts on the same link can be
- configured with different RDNSSes as well as with other
- configuration information. This capability is important in some
- network deployments such as service provider networks or WiFi hot
- spots.
-
- 4. A mechanism exists for extending DHCPv6 to support the
- transmission of additional configuration that has not yet been
- anticipated.
-
- 5. Hosts that require other configuration information such as the
- addresses of SIP servers and NTP servers are likely to need
- DHCPv6 for other configuration information.
-
- 6. The specification for configuration of RDNSSes through DHCPv6 is
- available as an RFC. No new protocol extensions such as new
- options are necessary.
-
- 7. Interoperability among independent implementations has been
- demonstrated.
-
-
-
-
-Jeong Expires November 6, 2005 [Page 11]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-3.2.2 Disadvantages
-
- The DHCPv6 option for RDNSS has a few disadvantages. These include:
-
- 1. Update currently requires message from server (however, see
- [10]).
-
- 2. Because DNS information is not contained in RA messages, the host
- must receive two messages from the router, and must transmit at
- least one message to the router. On networks where bandwidth is
- at a premium, this is a disadvantage, although on most networks
- it is not a practical concern.
-
- 3. Increased latency for initial configuration - in addition to
- waiting for an RA message, the client must now exchange packets
- with a DHCPv6 server; even if it is locally installed on a
- router, this will slightly extend the time required to configure
- the client. For clients that are moving rapidly from one network
- to another, this will be a disadvantage.
-
-
-3.2.3 Observations
-
- In the general case, on general-purpose networks, stateless DHCPv6
- provides significant advantages and no significant disadvantages.
- Even in the case where bandwidth is at a premium and low latency is
- desired, if hosts require other configuration information in addition
- to a list of RDNSSes or if hosts must be configured selectively,
- those hosts will use DHCPv6 and the use of the DHCPv6 DNS recursive
- name server option will be advantageous.
-
- However, we are aware of some applications where it would be
- preferable to put the RDNSS information into an RA packet; for
- example, on a cell phone network, where bandwidth is at a premium and
- extremely low latency is desired. The final DNS configuration draft
- should be written so as to allow these special applications to be
- handled using DNS information in the RA packet.
-
-3.3 Well-known Anycast Addresses
-
- Anycast uses the same routing system as unicast [11]. However,
- administrative entities are local ones. The local entities may
- accept unicast routes (including default routes) to anycast servers
- from adjacent entities. The administrative entities should not
- advertise their peers routes to their internal anycast servers, if
- they want to prohibit external access from some peers to the servers.
- If some advertisement is inevitable (such as the case with default
- routes), the packets to the servers should be blocked at the boundary
-
-
-
-Jeong Expires November 6, 2005 [Page 12]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- of the entities. Thus, for this anycast, not only unicast routing
- but also unicast ND protocols can be used as is.
-
- First of all, the well-known anycast addresses approach is much
- different from that discussed at IPv6 Working Group in the past [9].
- It should be noted that "anycast" in this memo is simpler than that
- of RFC 1546 [11] and RFC 3513 [12] where it is assumed to be
- prohibited to have multiple servers on a single link sharing an
- anycast address. That is, on a link, an anycast address is assumed
- to be unique. DNS clients today already have redundancy by having
- multiple well-known anycast addresses configured as RDNSS addresses.
- There is no point in having multiple RDNSSes sharing an anycast
- address on a single link.
-
- The approach with well-known anycast addresses is to set multiple
- well-known anycast addresses in clients' resolver configuration files
- from the beginning, say, as factory default. Thus, there is no
- transport mechanism and no packet format [9].
-
- An anycast address is an address shared by multiple servers (in this
- case, the servers are RDNSSes). A request from a client to the
- anycast address is routed to a server selected by the routing system.
- However, it is a bad idea to mandate "site" boundary on anycast
- addresses, because most users just do not have their own servers and
- want to access their ISPs' across their site boundaries. Larger
- sites may also depend on their ISPs or may have their own RDNSSes
- within "site" boundaries.
-
-3.3.1 Advantages
-
- The basic advantage of the well-known addresses approach is that it
- uses no transport mechanism. Thus,
-
- 1. There is no delay to get the response and no further delay by
- packet losses.
-
- 2. The approach can be combined with any other configuration
- mechanisms, such as the RA-based approach and DHCP based
- approach, as well as the factory default configuration.
-
- 3. The approach works over any environment where DNS works.
-
- Another advantage is that the approach needs to configure DNS servers
- as a router, but nothing else. Considering that DNS servers do need
- configuration, the amount of overall configuration effort is
- proportional to the number of the DNS servers and scales linearly.
- It should be noted that, in the simplest case where a subscriber to
- an ISP does not have any DNS server, the subscriber naturally
-
-
-
-Jeong Expires November 6, 2005 [Page 13]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- accesses DNS servers of the ISP even though the subscriber and the
- ISP do nothing and there is no protocol to exchange DNS server
- information between the subscriber and the ISP.
-
-3.3.2 Disadvantages
-
- Well-known anycast addresses approach requires that DNS servers (or
- routers near it as a proxy) act as routers to advertise their anycast
- addresses to the routing system, which requires some configuration
- (see the last paragraph of the previous section on the scalability of
- the effort).
-
-3.3.3 Observations
-
- If other approaches are used in addition, the well-known anycast
- addresses should also be set in RA or DHCP configuration files to
- reduce the configuration effort of users.
-
- The redundancy by multiple RDNSSes is better provided by multiple
- servers having different anycast addresses than multiple servers
- sharing the same anycast address because the former approach allows
- stale servers to still generate routes to their anycast addresses.
- Thus, in a routing domain (or domains sharing DNS servers), there
- will be only one server having an anycast address unless the domain
- is so large that load distribution is necessary.
-
- Small ISPs will operate one RDNSS at each anycast address which is
- shared by all the subscribers. Large ISPs may operate multiple
- RDNSSes at each anycast address to distribute and reduce load, where
- the boundary between RDNSSes may be fixed (redundancy is still
- provided by multiple addresses) or change dynamically. DNS packets
- with the well-known anycast addresses are not expected (though not
- prohibited) to cross ISP boundaries, as ISPs are expected to be able
- to take care of themselves.
-
- Because "anycast" in this memo is simpler than that of RFC 1546 [11]
- and RFC 3513 [12] where it is assumed to be administratively
- prohibited to have multiple servers on a single link sharing an
- anycast address, anycast in this memo should be implemented as
- UNICAST of RFC 2461 [3] and RFC 3513 [12]. As a result, ND-related
- instability disappears. Thus, anycast in well-known anycast
- addresses approach can and should use the anycast address as a source
- unicast (according to RFC 3513 [12]) address of packets of UDP and
- TCP responses. With TCP, if a route flips and packets to an anycast
- address are routed to a new server, it is expected that the flip is
- detected by ICMP or sequence number inconsistency and the TCP
- connection is reset and retried.
-
-
-
-
-Jeong Expires November 6, 2005 [Page 14]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-4. Interworking among IPv6 DNS Configuration Approaches
-
- Three approaches can work together for IPv6 host configuration of
- RDNSS. This section shows a consideration on how these approaches
- can interwork each other.
-
- For ordering between RA and DHCP approaches, the O (Other stateful
- configuration) flag in RA message can be used [8][32]. If no RDNSS
- option is included, an IPv6 host may perform DNS configuration
- through DHCPv6 [5]-[7] regardless of whether the O flag is set or
- not.
-
- The well-known anycast addresses approach fully interworks with the
- other approaches. That is, the other approaches can remove the
- configuration effort on servers by using the well-known addresses as
- the default configuration. Moreover, the clients preconfigured with
- the well-known anycast addresses can be further configured to use
- other approaches to override the well-known addresses, if the
- configuration information from other approaches is available.
- Otherwise, all the clients need to have the well-known anycast
- addresses preconfigured. In order to use the anycast approach along
- with two other approaches, there are three choices as follows:
-
- 1. The first choice is that well-known addresses are used as last
- resort, when an IPv6 host cannot get RDNSS information through RA
- and DHCP. The well-known anycast addresses have to be
- preconfigured in all of IPv6 hosts' resolver configuration files.
-
- 2. The second is that an IPv6 host can configure well-known
- addresses as the most preferable in its configuration file even
- though either an RA option or DHCP option is available.
-
- 3. The last is that the well-known anycast addresses can be set in
- RA or DHCP configuration to reduce the configuration effort of
- users. According to either the RA or DHCP mechanism, the well-
- known addresses can be obtained by an IPv6 host. Because this
- approach is the most convenient for users, the last option is
- recommended.
-
-
-Note
-
- This section does not necessarily mean this document suggests
- adopting all these three approaches and making them interwork in the
- way described here. In fact, some approaches may even not be adopted
- at all as a result of further discussion.
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 15]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-5. Deployment Scenarios
-
- Regarding the DNS configuration on the IPv6 host, several mechanisms
- are being considered at the DNSOP Working Group such as RA option,
- DHCPv6 option and well-known preconfigured anycast addresses as of
- today, and this document is a final result from the long thread. In
- this section, we suggest four applicable scenarios of three
- approaches for IPv6 DNS configuration.
-
-Note
-
- In the applicable scenarios, authors do not implicitly push any
- specific approaches into the restricted environments. No enforcement
- is in each scenario and all mentioned scenarios are probable. The
- main objective of this work is to provide a useful guideline for IPv6
- DNS configuration.
-
-5.1 ISP Network
-
- A characteristic of ISP network is that multiple Customer Premises
- Equipment (CPE) devices are connected to IPv6 PE (Provider Edge)
- routers and each PE connects multiple CPE devices to the backbone
- network infrastructure [13]. The CPEs may be hosts or routers.
-
- In the case where the CPE is a router, there is a customer network
- that is connected to the ISP backbone through the CPE. Typically,
- each customer network gets a different IPv6 prefix from an IPv6 PE
- router, but the same RDNSS configuration will be distributed.
-
- This section discusses how the different approaches to distributing
- DNS information are compared in an ISP network.
-
-5.1.1 RA Option Approach
-
- When the CPE is a host, the RA option for RDNSS can be used to allow
- the CPE to get RDNSS information as well as /64 prefix information
- for stateless address autoconfiguration at the same time when the
- host is attached to a new subnet [8]. Because an IPv6 host must
- receive at least one RA message for stateless address
- autoconfiguration and router configuration, the host could receive
- RDNSS configuration information in that RA without the overhead of an
- additional message exchange.
-
- When the CPE is a router, the CPE may accept the RDNSS information
- from the RA on the interface connected to the ISP, and copy that
- information into the RAs advertised in the customer network.
-
- This approach is more valuable in the mobile host scenario, in which
-
-
-
-Jeong Expires November 6, 2005 [Page 16]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- the host must receive at least an RA message for detecting a new
- network, than in other scenarios generally although administrator
- should configure RDNSS information on the routers. Secure ND [14]
- can provide extended security when using RA messages.
-
-5.1.2 DHCPv6 Option Approach
-
- DHCPv6 can be used for RDNSS configuration through the use of the DNS
- option, and can provide other configuration information in the same
- message with RDNSS configuration [5]-[7]. The DHCPv6 DNS option is
- already in place for DHCPv6 as RFC 3646 [7] and DHCPv6-lite or
- stateless DHCP [6] is nowhere as complex as a full DHCPv6
- implementation. DHCP is a client-server model protocol, so ISPs can
- handle user identification on its network intentionally, and also
- authenticated DHCP [15] can be used for secure message exchange.
-
- The expected model for deployment of IPv6 service by ISPs is to
- assign a prefix to each customer, which will be used by the customer
- gateway to assign a /64 prefix to each network in the customer's
- network. Prefix delegation with DHCP (DHCPv6 PD) has already been
- adopted by ISPs for automating the assignment of the customer prefix
- to the customer gateway [17]. DNS configuration can be carried in
- the same DHCPv6 message exchange used for DHCPv6 to efficiently
- provide that information, along with any other configuration
- information needed by the customer gateway or customer network. This
- service model can be useful to Home or SOHO subscribers. The Home or
- SOHO gateway, which is a customer gateway for ISP, can then pass that
- RDNSS configuration information to the hosts in the customer network
- through DHCP.
-
-5.1.3 Well-known Anycast Addresses Approach
-
- The well-known anycast addresses approach is also a feasible and
- simple mechanism for ISP [9]. The use of well-known anycast
- addresses avoids some of the security risks in rogue messages sent
- through an external protocol like RA or DHCPv6. The configuration of
- hosts for the use of well-known anycast addresses requires no
- protocol or manual configuration, but the configuration of routing
- for the anycast addresses requires intervention on the part of the
- network administrator. Also, the number of special addresses would
- be equal to the number of RDNSSes that could be made available to
- subscribers.
-
-5.2 Enterprise Network
-
- Enterprise network is defined as a network that has multiple internal
- links, one or more router connections, to one or more Providers and
- is actively managed by a network operations entity [16]. An
-
-
-
-Jeong Expires November 6, 2005 [Page 17]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- enterprise network can get network prefixes from an ISP by either
- manual configuration or prefix delegation [17]. In most cases,
- because an enterprise network manages its own DNS domains, it
- operates its own DNS servers for the domains. These DNS servers
- within enterprise network process recursive DNS name resolution
- requests from IPv6 hosts as RDNSSes. The RDNSS configuration in the
- enterprise network can be performed like in Section 4, in which three
- approaches can be used together as follows:
-
- 1. An IPv6 host can decide which approach is or may be used in its
- subnet with the O flag in RA message [8][32]. As the first
- choice in Section 4, well-known anycast addresses can be used as
- a last resort when RDNSS information cannot be obtained through
- either an RA option or DHCP option. This case needs IPv6 hosts
- to preconfigure the well-known anycast addresses in their DNS
- configuration files.
-
- 2. When the enterprise prefers the well-known anycast approach to
- others, IPv6 hosts should preconfigure the well-known anycast
- addresses like in the first choice.
-
- 3. The last choice, a more convenient and transparent way, does not
- need IPv6 hosts to preconfigure the well-known anycast addresses
- because the addresses are delivered to IPv6 hosts via either the
- RA option or DHCPv6 option as if they were unicast addresses.
- This way is most recommended for the sake of user's convenience.
-
-
-5.3 3GPP Network
-
- The IPv6 DNS configuration is a missing part of IPv6
- autoconfiguration and an important part of the basic IPv6
- functionality in the 3GPP User Equipment (UE). The higher level
- description of the 3GPP architecture can be found in [18], and
- transition to IPv6 in 3GPP networks is analyzed in [19] and [20].
-
- In the 3GPP architecture, there is a dedicated link between the UE
- and the GGSN called the Packet Data Protocol (PDP) Context. This
- link is created through the PDP Context activation procedure [21].
- There is a separate PDP context type for IPv4 and IPv6 traffic. If a
- 3GPP UE user is communicating using IPv6 (having an active IPv6 PDP
- context), it cannot be assumed that (s)he has simultaneously an
- active IPv4 PDP context, and DNS queries could be done using IPv4. A
- 3GPP UE can thus be an IPv6 node, and it needs to somehow discover
- the address of the RDNSS. Before IP-based services (e.g., web
- browsing or e-mail) can be used, the IPv6 (and IPv4) RDNSS addresses
- need to be discovered in the 3GPP UE.
-
-
-
-
-Jeong Expires November 6, 2005 [Page 18]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- Section 5.3.1 briefly summarizes currently available mechanisms in
- 3GPP networks and recommendations. 5.3.2 analyzes the Router
- Advertisement based solution, 5.3.3 analyzes the Stateless DHCPv6
- mechanism, and 5.3.4 analyzes the Well-known addresses approach.
- Section 5.3.5 finally summarizes the recommendations.
-
-5.3.1 Currently Available Mechanisms and Recommendations
-
- 3GPP has defined a mechanism, in which RDNSS addresses can be
- received in the PDP context activation (a control plane mechanism).
- That is called the Protocol Configuration Options Information Element
- (PCO-IE) mechanism [22]. The RDNSS addresses can also be received
- over the air (using text messages), or typed in manually in the UE.
- Note that the two last mechanisms are not very well scalable. The UE
- user most probably does not want to type IPv6 RDNSS addresses
- manually in his/her UE. The use of well-known addresses is briefly
- discussed in section 5.3.4.
-
- It is seen that the mechanisms above most probably are not sufficient
- for the 3GPP environment. IPv6 is intended to operate in a zero-
- configuration manner, no matter what the underlying network
- infrastructure is. Typically, the RDNSS address is needed to make an
- IPv6 node operational - and the DNS configuration should be as simple
- as the address autoconfiguration mechanism. It must also be noted
- that there will be additional IP interfaces in some near future 3GPP
- UEs, e.g., WLAN, and 3GPP-specific DNS configuration mechanisms (such
- as PCO-IE [22]) do not work for those IP interfaces. In other words,
- a good IPv6 DNS configuration mechanism should also work in a multi-
- access network environment.
-
- From a 3GPP point of view, the best IPv6 DNS configuration solution
- is feasible for a very large number of IPv6-capable UEs (can be even
- hundreds of millions in one operator's network), is automatic and
- thus requires no user action. It is suggested to standardize a
- lightweight, stateless mechanism that works in all network
- environments. The solution could then be used for 3GPP, 3GPP2, WLAN
- and other access network technologies. A light, stateless IPv6 DNS
- configuration mechanism is thus not only needed in 3GPP networks, but
- also 3GPP networks and UEs would certainly benefit from the new
- mechanism.
-
-5.3.2 RA Extension
-
- Router Advertisement extension [8] is a lightweight IPv6 DNS
- configuration mechanism that requires minor changes in the 3GPP UE
- IPv6 stack and Gateway GPRS Support Node (GGSN, the default router in
- the 3GPP architecture) IPv6 stack. This solution can be specified in
- the IETF (no action needed in the 3GPP) and taken in use in 3GPP UEs
-
-
-
-Jeong Expires November 6, 2005 [Page 19]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- and GGSNs
-
- In this solution, an IPv6-capable UE configures DNS information via
- RA message sent by its default router (GGSN), i.e., RDNSS option for
- recursive DNS server is included in the RA message. This solution is
- easily scalable for a very large number of UEs. The operator can
- configure the RDNSS addresses in the GGSN as a part of normal GGSN
- configuration. The IPv6 RDNSS address is received in the Router
- Advertisement, and an extra Round Trip Time (RTT) for asking RDNSS
- addresses can be avoided.
-
- If thinking about the cons, this mechanism still requires
- standardization effort in the IETF, and the end nodes and routers
- need to support this mechanism. The equipment software update
- should, however, be pretty straightforward, and new IPv6 equipment
- could support RA extension already from the beginning.
-
-5.3.3 Stateless DHCPv6
-
- DHCPv6-based solution needs the implementation of Stateless DHCP [6]
- and DHCPv6 DNS options [7] in the UE, and a DHCPv6 server in the
- operator's network. A possible configuration is such that the GGSN
- works as a DHCP relay.
-
- Pros for Stateless DHCPv6-based solution are
-
- 1. Stateless DHCPv6 is a standardized mechanism.
-
- 2. DHCPv6 can be used for receiving other configuration information
- than RDNSS addresses, e.g., SIP server addresses.
-
- 3. DHCPv6 works in different network environments.
-
- 4. When DHCPv6 service is deployed through a single, centralized
- server, the RDNSS configuration information can be updated by the
- network administrator at a single source.
-
- Some issues with DHCPv6 in 3GPP networks are listed below:
-
- 1. DHCPv6 requires an additional server in the network unless the
- (Stateless) DHCPv6 functionality is integrated into a router
- already existing, and that means one box more to be maintained.
-
- 2. DHCPv6 is not necessarily needed for 3GPP UE IPv6 addressing
- (3GPP Stateless Address Autoconfiguration is typically used), and
- not automatically implemented in 3GPP IPv6 UEs.
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 20]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- 3. Scalability and reliability of DHCPv6 in very large 3GPP networks
- (with tens or hundreds of millions of UEs) may be an issue, at
- least the redundancy needs to be taken care of. However, if the
- DHCPv6 service is integrated into the network elements, such as a
- router operating system, scalability and reliability is
- comparable with other DNS configuration approaches.
-
- 4. It is sub-optimal to utilize the radio resources in 3GPP networks
- for DHCPv6 messages if there is a simpler alternative available.
-
- * The use of Stateless DHCPv6 adds one round trip delay to the
- case in which the UE can start transmitting data right after
- the Router Advertisement.
-
- 5. If the DNS information (suddenly) changes, Stateless DHCPv6 can
- not automatically update the UE, see [23].
-
-
-5.3.4 Well-known Addresses
-
- Using well-known addresses is also a feasible and a light mechanism
- for 3GPP UEs. Those well-known addresses can be preconfigured in the
- UE software and the operator makes the corresponding configuration on
- the network side. So this is a very easy mechanism for the UE, but
- requires some configuration work in the network. When using well-
- known addresses, UE forwards queries to any of the preconfigured
- addresses. In the current proposal [9], IPv6 anycast addresses are
- suggested.
-
-Note
-
- The IPv6 DNS configuration proposal based on the use of well-known
- site-local addresses developed at the IPv6 Working Group was seen as
- a feasible mechanism for 3GPP UEs, but opposition by some people in
- the IETF and finally deprecating IPv6 site-local addresses made it
- impossible to standardize it. Note that this mechanism is
- implemented in some existing operating systems today (also in some
- 3GPP UEs) as a last resort of IPv6 DNS configuration.
-
-5.3.5 Recommendations
-
- It is suggested that a lightweight, stateless DNS configuration
- mechanism is specified as soon as possible. From a 3GPP UE and
- network point of view, the Router Advertisement based mechanism looks
- most promising. The sooner a light, stateless mechanism is
- specified, the sooner we can get rid of using well-known site-local
- addresses for IPv6 DNS configuration.
-
-
-
-
-Jeong Expires November 6, 2005 [Page 21]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-5.4 Unmanaged Network
-
- There are 4 deployment scenarios of interest in unmanaged networks
- [24]:
-
- 1. A gateway which does not provide IPv6 at all;
-
- 2. A dual-stack gateway connected to a dual-stack ISP;
-
- 3. A dual-stack gateway connected to an IPv4-only ISP; and
-
- 4. A gateway connected to an IPv6-only ISP.
-
-
-5.4.1 Case A: Gateway does not provide IPv6 at all
-
- In this case, the gateway does not provide IPv6; the ISP may or may
- not provide IPv6. Automatic or Configured tunnels are the
- recommended transition mechanisms for this scenario.
-
- The case where dual-stack hosts behind an NAT, that need access to an
- IPv6 RDNSS, cannot be entirely ruled out. The DNS configuration
- mechanism has to work over the tunnel, and the underlying tunneling
- mechanism could be implementing NAT traversal. The tunnel server
- assumes the role of a relay (both for DHCP and Well-known anycast
- addresses approaches).
-
- RA-based mechanism is relatively straightforward in its operation,
- assuming the tunnel server is also the IPv6 router emitting RAs.
- Well-known anycast addresses approach seems also simple in operation
- across the tunnel, but the deployment model using Well-known anycast
- addresses in a tunneled environment is unclear or not well
- understood.
-
-5.4.2 Case B: A dual-stack gateway connected to a dual-stack ISP
-
- This is similar to a typical IPv4 home user scenario, where DNS
- configuration parameters are obtained using DHCP. Except that
- Stateless DHCPv6 is used, as opposed to the IPv4 scenario where the
- DHCP server is stateful (maintains the state for clients).
-
-5.4.3 Case C: A dual-stack gateway connected to an IPv4-only ISP
-
- This is similar to Case B. If a gateway provides IPv6 connectivity by
- managing tunnels, then it is also supposed to provide access to an
- RDNSS. Like this, the tunnel for IPv6 connectivity originates from
- the dual-stack gateway instead of the host.
-
-
-
-
-Jeong Expires November 6, 2005 [Page 22]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-5.4.4 Case D: A gateway connected to an IPv6-only ISP
-
- This is similar to Case B.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 23]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-6. Security Considerations
-
- As security requirements depend solely on applications and are
- different application by application, there can be no generic
- requirement defined at IP or application layer for DNS.
-
- However, it should be noted that cryptographic security requires
- configured secret information that full autoconfiguration and
- cryptographic security are mutually exclusive. People insisting on
- secure full autoconfiguration will get false security, false
- autoconfiguration or both.
-
- In some deployment scenarios [19], where cryptographic security is
- required for applications, the secret information for the
- cryptographic security is preconfigured through which application
- specific configuration data, including those for DNS, can be securely
- configured. It should be noted that if applications requiring
- cryptographic security depend on DNS, the applications also require
- cryptographic security to DNS. Therefore, the full autoconfiguration
- of DNS is not acceptable.
-
- However, with full autoconfiguration, weaker but still reasonable
- security is being widely accepted and will continue to be acceptable.
- That is, with full autoconfiguration, which means there is no
- cryptographic security for the autoconfiguration, it is already
- assumed that the local environment is secure enough that the
- information from the local autoconfiguration server has acceptable
- security even without cryptographic security. Thus, the
- communication between the local DNS client and local DNS server has
- acceptable security.
-
- In autoconfiguring recursive servers, DNSSEC may be overkill, because
- DNSSEC [29] needs the configuration and reconfiguration of clients at
- root key roll-over [30][31]. Even if additional keys for secure key
- roll-over are added at the initial configuration, they are as
- vulnerable as the original keys to some forms of attacks, such as
- social hacking. Another problem of using DNSSEC and
- autoconfiguration together is that DNSSEC requires secure time, which
- means secure communication with autoconfigured time servers, which
- requires configured secret information. Therefore, in order that the
- autoconfiguration may be secure, it requires configured secret
- information.
-
- If DNSSEC [29] is used and the signatures are verified on the client
- host, the misconfiguration of a DNS server may be simply denial of
- service. Also, if local routing environment is not reliable, clients
- may be directed to a false resolver with the same IP address as the
- true one.
-
-
-
-Jeong Expires November 6, 2005 [Page 24]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-6.1 RA Option
-
- The security of RA option for RDNSS is the same as the ND protocol
- security [3][8]. The RA option does not add any new vulnerability.
-
- It should be noted that the vulnerability of ND is not worse and is a
- subset of the attacks that any node attached to a LAN can do
- independently of ND. A malicious node on a LAN can promiscuously
- receive packets for any router's MAC address and send packets with
- the router's MAC address as the source MAC address in the L2 header.
- As a result, the L2 switches send packets addressed to the router to
- the malicious node. Also, this attack can send redirects that tell
- the hosts to send their traffic somewhere else. The malicious node
- can send unsolicited RA or NA replies, answer RS or NS requests, etc.
- All of this can be done independently of implementing ND. Therefore,
- the RA option for RDNSS does not add to the vulnerability.
-
- Security issues regarding the ND protocol were discussed at IETF SEND
- (Securing Neighbor Discovery) Working Group and RFC 3971 for the ND
- security has been published [14].
-
-6.2 DHCPv6 Option
-
- The DNS Recursive Name Server option may be used by an intruder DHCP
- server to cause DHCP clients to send DNS queries to an intruder DNS
- recursive name server [7]. The results of these misdirected DNS
- queries may be used to spoof DNS names.
-
- To avoid attacks through the DNS Recursive Name Server option, the
- DHCP client SHOULD require DHCP authentication (see section
- "Authentication of DHCP messages" in RFC 3315 [5]) before installing
- a list of DNS recursive name servers obtained through authenticated
- DHCP.
-
-6.3 Well-known Anycast Addresses
-
- Well-known anycast addresses does not require configuration security
- since there is no protocol [9].
-
- The DNS server with the preconfigured addresses are still reasonably
- reliable, if local environment is reasonably secure, that is, there
- is no active attackers receiving queries to the anycast addresses of
- the servers and reply to them.
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 25]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-7. Contributors
-
- Ralph Droms
- Cisco Systems, Inc.
- 1414 Massachusetts Ave.
- Boxboro, MA 01719
- US
-
- Phone: +1 978 936 1674
- Email: rdroms@cisco.com
-
-
- Robert M. Hinden
- Nokia
- 313 Fairchild Drive
- Mountain View, CA 94043
- US
-
- Phone: +1 650 625 2004
- Email: bob.hinden@nokia.com
-
-
- Ted Lemon
- Nominum, Inc.
- 950 Charter Street
- Redwood City, CA 94043
- US
-
- Email: Ted.Lemon@nominum.com
-
-
- Masataka Ohta
- Tokyo Institute of Technology
- 2-12-1, O-okayama, Meguro-ku
- Tokyo 152-8552
- Japan
-
- Phone: +81 3 5734 3299
- Fax: +81 3 5734 3299
- Email: mohta@necom830.hpcl.titech.ac.jp
-
-
- Soohong Daniel Park
- Mobile Platform Laboratory, SAMSUNG Electronics
- 416 Maetan-3dong, Yeongtong-Gu
- Suwon, Gyeonggi-Do 443-742
- Korea
-
-
-
-
-Jeong Expires November 6, 2005 [Page 26]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- Phone: +82 31 200 4508
- Email: soohong.park@samsung.com
-
-
- Suresh Satapati
- Cisco Systems, Inc.
- San Jose, CA 95134
- US
-
- Email: satapati@cisco.com
-
-
- Juha Wiljakka
- Nokia
- Visiokatu 3
- FIN-33720, TAMPERE
- Finland
-
- Phone: +358 7180 48372
- Email: juha.wiljakka@nokia.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 27]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-8. Acknowledgements
-
- This draft has greatly benefited from inputs by David Meyer, Rob
- Austein, Tatuya Jinmei, Pekka Savola, Tim Chown, Luc Beloeil,
- Christian Huitema, Thomas Narten, Pascal Thubert, and Greg Daley.
- Also, Tony Bonanno proofread this draft. The authors appreciate
- their contribution.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 28]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-9. References
-
-9.1 Normative References
-
- [1] Bradner, S., "IETF Rights in Contributions", RFC 3667,
- February 2004.
-
- [2] Bradner, S., "Intellectual Property Rights in IETF Technology",
- RFC 3668, February 2004.
-
- [3] Narten, T., Nordmark, E., and W. Simpson, "Neighbor Discovery
- for IP Version 6 (IPv6)", RFC 2461, December 1998.
-
- [4] Thomson, S. and T. Narten, "IPv6 Stateless Address
- Autoconfiguration", RFC 2462, December 1998.
-
- [5] Droms, R., Ed., "Dynamic Host Configuration Protocol for IPv6
- (DHCPv6)", RFC 3315, July 2003.
-
- [6] Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP)
- Service for IPv6", RFC 3736, April 2004.
-
- [7] Droms, R., Ed., "DNS Configuration options for Dynamic Host
- Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
- December 2003.
-
-9.2 Informative References
-
- [8] Jeong, J., Park, S., Beloeil, L., and S. Madanapalli, "IPv6 DNS
- Discovery based on Router Advertisement",
- draft-jeong-dnsop-ipv6-dns-discovery-04.txt (Work in Progress),
- February 2005.
-
- [9] Ohta, M., "Preconfigured DNS Server Addresses",
- draft-ohta-preconfigured-dns-01.txt (Work in Progress),
- February 2004.
-
- [10] Venaas, S., Chown, T., and B. Volz, "Information Refresh Time
- Option for DHCPv6", draft-ietf-dhc-lifetime-03.txt (Work in
- Progress), January 2005.
-
- [11] Partridge, C., Mendez, T., and W. Milliken, "Host Anycasting
- Service", RFC 1546, November 1993.
-
- [12] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
- Addressing Architecture", RFC 3513, April 2003.
-
- [13] Lind, M., Ed., "Scenarios and Analysis for Introduction IPv6
-
-
-
-Jeong Expires November 6, 2005 [Page 29]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- into ISP Networks", RFC 4029, March 2005.
-
- [14] Arkko, J., Ed., "SEcure Neighbor Discovery (SEND)", RFC 3971,
- March 2005.
-
- [15] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages",
- RFC 3118, June 2001.
-
- [16] Bound, J., Ed., "IPv6 Enterprise Network Scenarios",
- draft-ietf-v6ops-ent-scenarios-05.txt (Work in Progress),
- July 2004.
-
- [17] Troan, O. and R. Droms, "IPv6 Prefix Options for Dynamic Host
- Configuration Protocol (DHCP) version 6", RFC 3633,
- December 2003.
-
- [18] Wasserman, M., Ed., "Recommendations for IPv6 in 3GPP
- Standards", RFC 3314, September 2002.
-
- [19] Soininen, J., Ed., "Transition Scenarios for 3GPP Networks",
- RFC 3574, August 2003.
-
- [20] Wiljakka, J., Ed., "Analysis on IPv6 Transition in 3GPP
- Networks", draft-ietf-v6ops-3gpp-analysis-11.txt (Work in
- Progress), October 2004.
-
- [21] 3GPP TS 23.060 V5.4.0, "General Packet Radio Service (GPRS);
- Service description; Stage 2 (Release 5)", December 2002.
-
- [22] 3GPP TS 24.008 V5.8.0, "Mobile radio interface Layer 3
- specification; Core network protocols; Stage 3 (Release 5)",
- June 2003.
-
- [23] Chown, T., Venaas, S., and A. Vijayabhaskar, "Renumbering
- Requirements for Stateless DHCPv6",
- draft-ietf-dhc-stateless-dhcpv6-renumbering-02.txt (Work in
- Progress), October 2004.
-
- [24] Huitema, C., Ed., "Unmanaged Networks IPv6 Transition
- Scenarios", RFC 3750, April 2004.
-
- [25] ANSI/IEEE Std 802.11, "Part 11: Wireless LAN Medium Access
- Control (MAC) and Physical Layer (PHY) Specifications",
- March 1999.
-
- [26] IEEE Std 802.11a, "Part 11: Wireless LAN Medium Access Control
- (MAC) and Physical Layer (PHY) specifications: High-speed
- Physical Layer in the 5 GHZ Band", September 1999.
-
-
-
-Jeong Expires November 6, 2005 [Page 30]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
- [27] IEEE Std 802.11b, "Part 11: Wireless LAN Medium Access Control
- (MAC) and Physical Layer (PHY) specifications: Higher-Speed
- Physical Layer Extension in the 2.4 GHz Band", September 1999.
-
- [28] IEEE P802.11g/D8.2, "Part 11: Wireless LAN Medium Access
- Control (MAC) and Physical Layer (PHY) specifications: Further
- Higher Data Rate Extension in the 2.4 GHz Band", April 2003.
-
- [29] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [30] Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
- draft-ietf-dnsop-dnssec-operational-practices-03.txt (Work in
- Progress), December 2004.
-
- [31] Guette, G. and O. Courtay, "Requirements for Automated Key
- Rollover in DNSSEC",
- draft-ietf-dnsop-key-rollover-requirements-02.txt (Work in
- Progress), January 2005.
-
- [32] Park, S., Madanapalli, S., and T. Jinmei, "Considerations on M
- and O Flags of IPv6 Router Advertisement",
- draft-ietf-ipv6-ra-mo-flags-01.txt (Work in Progress),
- March 2005.
-
-
-Author's Address
-
- Jaehoon Paul Jeong (editor)
- ETRI/Department of Computer Science and Engineering
- University of Minnesota
- 117 Pleasant Street SE
- Minneapolis, MN 55455
- US
-
- Phone: +1 651 587 7774
- Fax: +1 612 625 2002
- Email: jjeong@cs.umn.edu
- URI: http://www.cs.umn.edu/~jjeong/
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 31]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-Appendix A. Link-layer Multicast Acknowledgements for RA Option
-
- One benefit of an RA option [8] is to be able to multicast the
- advertisements, reducing the need for duplicated unicast
- communications.
-
- However, some link-layers may not support this as well as others.
- Consider, for example, WLAN networks where multicast is unreliable.
- The unreliability problem is caused by lack of ACK for multicast,
- especially on the path from the Access Point (AP) to the Station
- (STA), which is specific to CSMA/CA of WLAN, such as IEEE 802.11
- a/b/g [25]-[28]. That is, a multicast packet is unacknowledged on
- the path from the AP to the STA, but acknowledged in the reverse
- direction from the STA to the AP [25]. For example, when a router is
- placed at wired network connected to an AP, a host may sometimes not
- receive RA message advertised through the AP. Therefore, the RA
- option solution might not work well on a congested medium that uses
- unreliable multicast for RA.
-
- The fact that this problem has not been addressed in Neighbor
- Discovery [3] indicates that the extra link-layer acknowledgements
- have not been considered a serious problem till now.
-
- A possible mitigation technique could be to map all-nodes link- local
- multicast address to the link-layer broadcast address, and to rely on
- the ND retransmissions for message delivery in order to achieve more
- reliability.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Jeong Expires November 6, 2005 [Page 32]
-
-Internet-Draft IPv6 Host Configuration of DNS Server May 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Jeong Expires November 6, 2005 [Page 33]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt
deleted file mode 100644
index b14f711d5314..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt
+++ /dev/null
@@ -1,1969 +0,0 @@
-
-
-DNS Operations WG A. Durand
-Internet-Draft SUN Microsystems, Inc.
-Expires: February 7, 2005 J. Ihren
- Autonomica
- P. Savola
- CSC/FUNET
- August 9, 2004
-
-
-
- Operational Considerations and Issues with IPv6 DNS
- draft-ietf-dnsop-ipv6-dns-issues-09.txt
-
-
-Status of this Memo
-
-
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
- This Internet-Draft will expire on February 7, 2005.
-
-
-Copyright Notice
-
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-
-Abstract
-
-
- This memo presents operational considerations and issues with IPv6
- Domain Name System (DNS), including a summary of special IPv6
- addresses, documentation of known DNS implementation misbehaviour,
- recommendations and considerations on how to perform DNS naming for
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 1]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- service provisioning and for DNS resolver IPv6 support,
- considerations for DNS updates for both the forward and reverse
- trees, and miscellaneous issues. This memo is aimed to include a
- summary of information about IPv6 DNS considerations for those who
- have experience with IPv4 DNS.
-
-
-Table of Contents
-
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1 Representing IPv6 Addresses in DNS Records . . . . . . . . 4
- 1.2 Independence of DNS Transport and DNS Records . . . . . . 4
- 1.3 Avoiding IPv4/IPv6 Name Space Fragmentation . . . . . . . 5
- 1.4 Query Type '*' and A/AAAA Records . . . . . . . . . . . . 5
- 2. DNS Considerations about Special IPv6 Addresses . . . . . . . 5
- 2.1 Limited-scope Addresses . . . . . . . . . . . . . . . . . 6
- 2.2 Temporary Addresses . . . . . . . . . . . . . . . . . . . 6
- 2.3 6to4 Addresses . . . . . . . . . . . . . . . . . . . . . . 6
- 2.4 Other Transition Mechanisms . . . . . . . . . . . . . . . 6
- 3. Observed DNS Implementation Misbehaviour . . . . . . . . . . . 7
- 3.1 Misbehaviour of DNS Servers and Load-balancers . . . . . . 7
- 3.2 Misbehaviour of DNS Resolvers . . . . . . . . . . . . . . 7
- 4. Recommendations for Service Provisioning using DNS . . . . . . 8
- 4.1 Use of Service Names instead of Node Names . . . . . . . . 8
- 4.2 Separate vs the Same Service Names for IPv4 and IPv6 . . . 8
- 4.3 Adding the Records Only when Fully IPv6-enabled . . . . . 9
- 4.4 Behaviour of Additional Data in IPv4/IPv6 Environments . . 10
- 4.4.1 Description of Additional Data Scenarios . . . . . . . 10
- 4.4.2 Discussion of the Problems . . . . . . . . . . . . . . 11
- 4.5 The Use of TTL for IPv4 and IPv6 RRs . . . . . . . . . . . 12
- 4.6 IPv6 Transport Guidelines for DNS Servers . . . . . . . . 13
- 5. Recommendations for DNS Resolver IPv6 Support . . . . . . . . 13
- 5.1 DNS Lookups May Query IPv6 Records Prematurely . . . . . . 14
- 5.2 Obtaining a List of DNS Recursive Resolvers . . . . . . . 15
- 5.3 IPv6 Transport Guidelines for Resolvers . . . . . . . . . 16
- 6. Considerations about Forward DNS Updating . . . . . . . . . . 16
- 6.1 Manual or Custom DNS Updates . . . . . . . . . . . . . . . 16
- 6.2 Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . 17
- 7. Considerations about Reverse DNS Updating . . . . . . . . . . 18
- 7.1 Applicability of Reverse DNS . . . . . . . . . . . . . . . 18
- 7.2 Manual or Custom DNS Updates . . . . . . . . . . . . . . . 19
- 7.3 DDNS with Stateless Address Autoconfiguration . . . . . . 19
- 7.4 DDNS with DHCP . . . . . . . . . . . . . . . . . . . . . . 20
- 7.5 DDNS with Dynamic Prefix Delegation . . . . . . . . . . . 21
- 8. Miscellaneous DNS Considerations . . . . . . . . . . . . . . . 22
- 8.1 NAT-PT with DNS-ALG . . . . . . . . . . . . . . . . . . . 22
- 8.2 Renumbering Procedures and Applications' Use of DNS . . . 22
- 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
- 10. Security Considerations . . . . . . . . . . . . . . . . . . 22
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 2]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
- 11.1 Normative References . . . . . . . . . . . . . . . . . . . . 23
- 11.2 Informative References . . . . . . . . . . . . . . . . . . . 25
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 27
- A. Site-local Addressing Considerations for DNS . . . . . . . . . 28
- B. Issues about Additional Data or TTL . . . . . . . . . . . . . 28
- Intellectual Property and Copyright Statements . . . . . . . . 30
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 3]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
-1. Introduction
-
-
- This memo presents operational considerations and issues with IPv6
- DNS; it is meant to be an extensive summary and a list of pointers
- for more information about IPv6 DNS considerations for those with
- experience with IPv4 DNS.
-
-
- The purpose of this document is to give information about various
- issues and considerations related to DNS operations with IPv6; it is
- not meant to be a normative specification or standard for IPv6 DNS.
-
-
- The first section gives a brief overview of how IPv6 addresses and
- names are represented in the DNS, how transport protocols and
- resource records (don't) relate, and what IPv4/IPv6 name space
- fragmentation means and how to avoid it; all of these are described
- at more length in other documents.
-
-
- The second section summarizes the special IPv6 address types and how
- they relate to DNS. The third section describes observed DNS
- implementation misbehaviours which have a varying effect on the use
- of IPv6 records with DNS. The fourth section lists recommendations
- and considerations for provisioning services with DNS. The fifth
- section in turn looks at recommendations and considerations about
- providing IPv6 support in the resolvers. The sixth and seventh
- sections describe considerations with forward and reverse DNS
- updates, respectively. The eighth section introduces several
- miscellaneous IPv6 issues relating to DNS for which no better place
- has been found in this memo. Appendix A looks briefly at the
- requirements for site-local addressing.
-
-
-1.1 Representing IPv6 Addresses in DNS Records
-
-
- In the forward zones, IPv6 addresses are represented using AAAA
- records. In the reverse zones, IPv6 address are represented using
- PTR records in the nibble format under the ip6.arpa. tree. See
- [RFC3596] for more about IPv6 DNS usage, and [RFC3363] or [RFC3152]
- for background information.
-
-
- In particular one should note that the use of A6 records in the
- forward tree or Bitlabels in the reverse tree is not recommended
- [RFC3363]. Using DNAME records is not recommended in the reverse
- tree in conjunction with A6 records; the document did not mean to
- take a stance on any other use of DNAME records [RFC3364].
-
-
-1.2 Independence of DNS Transport and DNS Records
-
-
- DNS has been designed to present a single, globally unique name space
- [RFC2826]. This property should be maintained, as described here and
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 4]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- in Section 1.3.
-
-
- The IP version used to transport the DNS queries and responses is
- independent of the records being queried: AAAA records can be queried
- over IPv4, and A records over IPv6. The DNS servers must not make
- any assumptions about what data to return for Answer and Authority
- sections based on the underlying transport used in a query.
-
-
- However, there is some debate whether the addresses in Additional
- section could be selected or filtered using hints obtained from which
- transport was being used; this has some obvious problems because in
- many cases the transport protocol does not correlate with the
- requests, and because a "bad" answer is in a way worse than no answer
- at all (consider the case where the client is led to believe that a
- name received in the additional record does not have any AAAA records
- at all).
-
-
- As stated in [RFC3596]:
-
-
- The IP protocol version used for querying resource records is
- independent of the protocol version of the resource records; e.g.,
- IPv4 transport can be used to query IPv6 records and vice versa.
-
-
-
-1.3 Avoiding IPv4/IPv6 Name Space Fragmentation
-
-
- To avoid the DNS name space from fragmenting into parts where some
- parts of DNS are only visible using IPv4 (or IPv6) transport, the
- recommendation is to always keep at least one authoritative server
- IPv4-enabled, and to ensure that recursive DNS servers support IPv4.
- See DNS IPv6 transport guidelines
- [I-D.ietf-dnsop-ipv6-transport-guidelines] for more information.
-
-
-1.4 Query Type '*' and A/AAAA Records
-
-
- QTYPE=* is typically only used for debugging or management purposes;
- it is worth keeping in mind that QTYPE=* ("ANY" queries) only return
- any available RRsets, not *all* the RRsets, because the caches do not
- necessarily have all the RRsets and have no way of guaranteeing that
- they have all the RRsets. Therefore, to get both A and AAAA records
- reliably, two separate queries must be made.
-
-
-2. DNS Considerations about Special IPv6 Addresses
-
-
- There are a couple of IPv6 address types which are somewhat special;
- these are considered here.
-
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 5]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
-2.1 Limited-scope Addresses
-
-
- The IPv6 addressing architecture [RFC3513] includes two kinds of
- local-use addresses: link-local (fe80::/10) and site-local (fec0::/
- 10). The site-local addresses have been deprecated
- [I-D.ietf-ipv6-deprecate-site-local], and are only discussed in
- Appendix A.
-
-
- Link-local addresses should never be published in DNS (whether in
- forward or reverse tree), because they have only local (to the
- connected link) significance
- [I-D.ietf-dnsop-dontpublish-unreachable].
-
-
-2.2 Temporary Addresses
-
-
- Temporary addresses defined in RFC3041 [RFC3041] (sometimes called
- "privacy addresses") use a random number as the interface identifier.
- Publishing (useful) DNS records relating to such addresses would
- defeat the purpose of the mechanism and is not recommended. However,
- it would still be possible to return a non-identifiable name (e.g.,
- the IPv6 address in hexadecimal format), as described in [RFC3041].
-
-
-2.3 6to4 Addresses
-
-
- 6to4 [RFC3056] specifies an automatic tunneling mechanism which maps
- a public IPv4 address V4ADDR to an IPv6 prefix 2002:V4ADDR::/48.
-
-
- If the reverse DNS population would be desirable (see Section 7.1 for
- applicability), there are a number of possible ways to do so
- [I-D.moore-6to4-dns], some more applicable than the others.
-
-
- The main proposal [I-D.huston-6to4-reverse-dns] aims to design an
- autonomous reverse-delegation system that anyone being capable of
- communicating using a specific 6to4 address would be able to set up a
- reverse delegation to the corresponding 6to4 prefix. This could be
- deployed by e.g., Regional Internet Registries (RIRs). This is a
- practical solution, but may have some scalability concerns.
-
-
-2.4 Other Transition Mechanisms
-
-
- 6to4, above, is mentioned as a case of an IPv6 transition mechanism
- requiring special considerations. In general, mechanisms which
- include a special prefix may need a custom solution; otherwise, for
- example when IPv4 address is embedded as the suffix or not embedded
- at all, special solutions are likely not needed. This is why only
- 6to4 and Teredo [I-D.huitema-v6ops-teredo] are described.
-
-
- Note that it does not seem feasible to provide reverse DNS with
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 6]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- another automatic tunneling mechanism, Teredo; this is because the
- IPv6 address is based on the IPv4 address and UDP port of the current
- NAT mapping which is likely to be relatively short-lived.
-
-
-3. Observed DNS Implementation Misbehaviour
-
-
- Several classes of misbehaviour in DNS servers, load-balancers and
- resolvers have been observed. Most of these are rather generic, not
- only applicable to IPv6 -- but in some cases, the consequences of
- this misbehaviour are extremely severe in IPv6 environments and
- deserve to be mentioned.
-
-
-3.1 Misbehaviour of DNS Servers and Load-balancers
-
-
- There are several classes of misbehaviour in certain DNS servers and
- load-balancers which have been noticed and documented
- [I-D.ietf-dnsop-misbehavior-against-aaaa]: some implementations
- silently drop queries for unimplemented DNS records types, or provide
- wrong answers to such queries (instead of a proper negative reply).
- While typically these issues are not limited to AAAA records, the
- problems are aggravated by the fact that AAAA records are being
- queried instead of (mainly) A records.
-
-
- The problems are serious because when looking up a DNS name, typical
- getaddrinfo() implementations, with AF_UNSPEC hint given, first try
- to query the AAAA records of the name, and after receiving a
- response, query the A records. This is done in a serial fashion --
- if the first query is never responded to (instead of properly
- returning a negative answer), significant timeouts will occur.
-
-
- In consequence, this is an enormous problem for IPv6 deployments, and
- in some cases, IPv6 support in the software has even been disabled
- due to these problems.
-
-
- The solution is to fix or retire those misbehaving implementations,
- but that is likely not going to be effective. There are some
- possible ways to mitigate the problem, e.g., by performing the
- lookups somewhat in parallel and reducing the timeout as long as at
- least one answer has been received; but such methods remain to be
- investigated; slightly more on this is included in Section 5.
-
-
-3.2 Misbehaviour of DNS Resolvers
-
-
- Several classes of misbehaviour have also been noticed in DNS
- resolvers [I-D.ietf-dnsop-bad-dns-res]. However, these do not seem
- to directly impair IPv6 use, and are only referred to for
- completeness.
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 7]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
-4. Recommendations for Service Provisioning using DNS
-
-
- When names are added in the DNS to facilitate a service, there are
- several general guidelines to consider to be able to do it as
- smoothly as possible.
-
-
-4.1 Use of Service Names instead of Node Names
-
-
- When a node provides multiple services which should not be
- fate-sharing, or might support different IP versions, one should keep
- them logically separate in the DNS. Using SRV records [RFC2782]
- would avoid these problems. Unfortunately, those are not
- sufficiently widely used to be applicable in most cases. Hence an
- operation technique is to use service names instead of node names
- (or, "hostnames"). This operational technique is not specific to
- IPv6, but required to understand the considerations described in
- Section 4.2 and Section 4.3.
-
-
- For example, assume a node named "pobox.example.com" provides both
- SMTP and IMAP service. Instead of configuring the MX records to
- point at "pobox.example.com", and configuring the mail clients to
- look up the mail via IMAP from "pobox.example.com", one should use
- e.g., "smtp.example.com" for SMTP (for both message submission and
- mail relaying between SMTP servers) and "imap.example.com" for IMAP.
- Note that in the specific case of SMTP relaying, the server itself
- must typically also be configured to know all its names to ensure
- loops do not occur. DNS can provide a layer of indirection between
- service names and where the service actually is, and using which
- addresses. (Obviously, when wanting to reach a specific node, one
- should use the hostname rather than a service name.)
-
-
- This is a good practice with IPv4 as well, because it provides more
- flexibility and enables easier migration of services from one host to
- another. A specific reason why this is relevant for IPv6 is that the
- different services may have a different level of IPv6 support -- that
- is, one node providing multiple services might want to enable just
- one service to be IPv6-visible while keeping some others as
- IPv4-only, improving flexibility.
-
-
-4.2 Separate vs the Same Service Names for IPv4 and IPv6
-
-
- The service naming can be achieved in basically two ways: when a
- service is named "service.example.com" for IPv4, the IPv6-enabled
- service could be either added to "service.example.com", or added
- separately under a different name, e.g., in a sub-domain, like,
- "service.ipv6.example.com".
-
-
- These two methods have different characteristics. Using a different
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 8]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- name allows for easier service piloting, minimizing the disturbance
- to the "regular" users of IPv4 service; however, the service would
- not be used transparently, without the user/application explicitly
- finding it and asking for it -- which would be a disadvantage in most
- cases. When the different name is under a sub-domain, if the
- services are deployed within a restricted network (e.g., inside an
- enterprise), it's possible to prefer them transparently, at least to
- a degree, by modifying the DNS search path; however, this is a
- suboptimal solution. Using the same service name is the "long-term"
- solution, but may degrade performance for those clients whose IPv6
- performance is lower than IPv4, or does not work as well (see Section
- 4.3 for more).
-
-
- In most cases, it makes sense to pilot or test a service using
- separate service names, and move to the use of the same name when
- confident enough that the service level will not degrade for the
- users unaware of IPv6.
-
-
-4.3 Adding the Records Only when Fully IPv6-enabled
-
-
- The recommendation is that AAAA records for a service should not be
- added to the DNS until all of following are true:
-
-
- 1. The address is assigned to the interface on the node.
-
-
- 2. The address is configured on the interface.
-
-
- 3. The interface is on a link which is connected to the IPv6
- infrastructure.
-
-
- In addition, if the AAAA record is added for the node, instead of
- service as recommended, all the services of the node should be
- IPv6-enabled prior to adding the resource record.
-
-
- For example, if an IPv6 node is isolated from an IPv6 perspective
- (e.g., it is not connected to IPv6 Internet) constraint #3 would mean
- that it should not have an address in the DNS.
-
-
- Consider the case of two dual-stack nodes, which both have IPv6
- enabled, but the server does not have (global) IPv6 connectivity. As
- the client looks up the server's name, only A records are returned
- (if the recommendations above are followed), and no IPv6
- communication, which would have been unsuccessful, is even attempted.
-
-
- The issues are not always so black-and-white. Usually it's important
- if the service offered using both protocols is of roughly equal
- quality, using the appropriate metrics for the service (e.g.,
- latency, throughput, low packet loss, general reliability, etc.) --
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 9]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- this is typically very important especially for interactive or
- real-time services. In many cases, the quality of IPv6 connectivity
- may not yet be equal to that of IPv4, at least globally -- this has
- to be taken into consideration when enabling services
- [I-D.savola-v6ops-6bone-mess].
-
-
-4.4 Behaviour of Additional Data in IPv4/IPv6 Environments
-
-
-4.4.1 Description of Additional Data Scenarios
-
-
- Consider the case where the query name is so long, the number of the
- additional records is so high, or for other reasons that the entire
- response would not fit in a single UDP packet. In some cases, the
- responder truncates the response with the TC bit being set (leading
- to a retry with TCP), in order for the querier to get the entire
- response later.
-
-
- There are two kinds of additional data:
-
-
- 1. glue, i.e., "critical" additional data; this must be included in
- all scenarios, with all the RRsets as possible, and
-
-
- 2. "courtesy" additional data; this could be sent in full, with only
- a few RRsets, or with no RRsets, and can be fetched separately as
- well, but at the cost of additional queries. This data must
- never cause setting of the TC bit.
-
-
- The responding server can algorithmically determine which type the
- additional data is by checking whether it's at or below a zone cut.
-
-
- Meanwhile, resource record sets (RRsets) are never "broken up", so if
- a name has 4 A records and 5 AAAA records, you can either return all
- 9, all 4 A records, all 5 AAAA records or nothing. In particular,
- notice that for the "critical" additional data getting all the RRsets
- can be critical.
-
-
- An example of the "courtesy" additional data is A/AAAA records in
- conjunction of MX records as shown in Section 4.5; an example of the
- "critical" additional data is shown below (where getting both the A
- and AAAA RRsets is critical):
-
-
- child.example.com. IN NS ns.child.example.com.
- ns.child.example.com. IN A 192.0.2.1
- ns.child.example.com. IN AAAA 2001:db8::1
-
-
- When there is too much courtesy additional data, some or all of it
- need to be removed [RFC2181]; if some is left in the response, the
- issue is which data should be retained. When there is too much
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 10]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- critical additional data, TC bit will have to be set, and some or all
- of it need to be removed; if some is left in the response, the issue
- is which data should be retained.
-
-
- If the implementation decides to keep as much data as possible, it
- might be tempting to use the transport of the DNS query as a hint in
- either of these cases: return the AAAA records if the query was done
- over IPv6, or return the A records if the query was done over IPv4.
- However, this breaks the model of independence of DNS transport and
- resource records, as noted in Section 1.2.
-
-
- It is worth remembering that often the host using the records is
- different from the node requesting them from the authoritative DNS
- server (or even a caching resolver). So, whichever version the
- requestor (e.g., a recursive server in the middle) uses makes no
- difference to the ultimate user of the records, whose transport
- capabilities might differ from those of the requestor. This might
- result in e.g., inappropriately returning A records to an IPv6-only
- node, going through a translation, or opening up another IP-level
- session (e.g., a PDP context [I-D.ietf-v6ops-3gpp-analysis]).
- Therefore, at least in many scenarios, it would be very useful if the
- information returned would be consistent and complete -- or if that
- is not feasible, return no misleading information but rather leave it
- to the client to query again.
-
-
-4.4.2 Discussion of the Problems
-
-
- As noted above, the temptation for omitting only some of the
- additional data based on the transport of the query could be
- problematic. In particular, there appears to be little justification
- for doing so in the case of "courtesy" data.
-
-
- However, with critical additional data, the alternatives are either
- returning nothing (and requiring a retry with TCP) or returning
- something (possibly obviating the need for a retry with TCP). If the
- process for selecting "something" from the critical data would
- otherwise be practically "flipping the coin" between A and AAAA
- records, it could be argued that if one looked at the transport of
- the query, it would have a larger possibility of being right than
- just 50/50. In other words, if the returned critical additional data
- would have to be selected somehow, using something more sophisticated
- than a random process would seem justifiable.
-
-
- The problem of too much additional data seems to be an operational
- one: the zone administrator entering too many records which will be
- returned either truncated or missing some RRsets to the users. A
- protocol fix for this is using EDNS0 [RFC2671] to signal the capacity
- for larger UDP packet sizes, pushing up the relevant threshold.
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 11]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- Further, DNS server implementations should rather omit courtesy
- additional data completely rather than including only some RRsets
- [RFC2181]. An operational fix for this is having the DNS server
- implementations return a warning when the administrators create zones
- which would result in too much additional data being returned.
- Further, DNS server implementations should warn of or disallow such
- zone configurations which are recursive or otherwise difficult to
- manage by the protocol.
-
-
- Additionally, to avoid the case where an application would not get an
- address at all due to some of "courtesy" additional data being
- omitted, the resolvers should be able to query the specific records
- of the desired protocol, not just rely on getting all the required
- RRsets in the additional section.
-
-
-4.5 The Use of TTL for IPv4 and IPv6 RRs
-
-
- In the previous section, we discussed a danger with queries,
- potentially leading to omitting RRsets from the additional section;
- this could happen to both critical and "courtesy" additional data.
- This section discusses another problem with the latter, leading to
- omitting RRsets in cached data, highlighted in the IPv4/IPv6
- environment.
-
-
- The behaviour of DNS caching when different TTL values are used for
- different RRsets of the same name requires explicit discussion. For
- example, let's consider a part of a zone:
-
-
- example.com. 300 IN MX foo.example.com.
- foo.example.com. 300 IN A 192.0.2.1
- foo.example.com. 100 IN AAAA 2001:db8::1
-
-
- When a caching resolver asks for the MX record of example.com, it
- gets back "foo.example.com". It may also get back either one or both
- of the A and AAAA records in the additional section. So, there are
- three cases about returning records for the MX in the additional
- section:
-
-
- 1. We get back no A or AAAA RRsets: this is the simplest case,
- because then we have to query which information is required
- explicitly, guaranteeing that we get all the information we're
- interested in.
-
-
- 2. We get back all the RRsets: this is an optimization as there is
- no need to perform more queries, causing lower latency. However,
- it is impossible to guarantee that in fact we would always get
- back all the records (the only way to ensure that is to send a
- AAAA query for the name after getting the cached reply with A
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 12]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- records or vice versa).
-
-
- 3. We only get back A or AAAA RRsets even if both existed: this is
- indistinguishable from the previous case, and may have problems
- at least in certain environments as described in the previous
- section.
-
-
- As the third case was considered in the previous section, we assume
- we get back both A and AAAA records of foo.example.com, or the stub
- resolver explicitly asks, in two separate queries, both A and AAAA
- records.
-
-
- After 100 seconds, the AAAA record is removed from the cache(s)
- because its TTL expired. It could be argued to be useful for the
- caching resolvers to discard the A record when the shorter TTL (in
- this case, for the AAAA record) expires; this would avoid the
- situation where there would be a window of 200 seconds when
- incomplete information is returned from the cache. The behaviour in
- this scenario is unspecified.
-
-
- To simplify the situation, it might help to use the same TTL for all
- the resource record sets referring to the same name, unless there is
- a particular reason for not doing so. However, there are some
- scenarios (e.g., when renumbering IPv6 but keeping IPv4 intact) where
- a different strategy is preferable.
-
-
- Thus, applications that use the response should not rely on a
- particular TTL configuration. For example, even if an application
- gets a response that only has the A record in the example described
- above, it should be still aware that there could be a AAAA record for
- "foo.example.com". That is, the application should try to fetch the
- missing records itself if it needs the record.
-
-
-4.6 IPv6 Transport Guidelines for DNS Servers
-
-
- As described in Section 1.3 and
- [I-D.ietf-dnsop-ipv6-transport-guidelines], there should continue to
- be at least one authoritative IPv4 DNS server for every zone, even if
- the zone has only IPv6 records. (Note that obviously, having more
- servers with robust connectivity would be preferable, but this is the
- minimum recommendation; also see [RFC2182].)
-
-
-5. Recommendations for DNS Resolver IPv6 Support
-
-
- When IPv6 is enabled on a node, there are several things to consider
- to ensure that the process is as smooth as possible.
-
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 13]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
-5.1 DNS Lookups May Query IPv6 Records Prematurely
-
-
- The system library that implements the getaddrinfo() function for
- looking up names is a critical piece when considering the robustness
- of enabling IPv6; it may come in basically three flavours:
-
-
- 1. The system library does not know whether IPv6 has been enabled in
- the kernel of the operating system: it may start looking up AAAA
- records with getaddrinfo() and AF_UNSPEC hint when the system is
- upgraded to a system library version which supports IPv6.
-
-
- 2. The system library might start to perform IPv6 queries with
- getaddrinfo() only when IPv6 has been enabled in the kernel.
- However, this does not guarantee that there exists any useful
- IPv6 connectivity (e.g., the node could be isolated from the
- other IPv6 networks, only having link-local addresses).
-
-
- 3. The system library might implement a toggle which would apply
- some heuristics to the "IPv6-readiness" of the node before
- starting to perform queries; for example, it could check whether
- only link-local IPv6 address(es) exists, or if at least one
- global IPv6 address exists.
-
-
- First, let us consider generic implications of unnecessary queries
- for AAAA records: when looking up all the records in the DNS, AAAA
- records are typically tried first, and then A records. These are
- done in serial, and the A query is not performed until a response is
- received to the AAAA query. Considering the misbehaviour of DNS
- servers and load-balancers, as described in Section 3.1, the look-up
- delay for AAAA may incur additional unnecessary latency, and
- introduce a component of unreliability.
-
-
- One option here could be to do the queries partially in parallel; for
- example, if the final response to the AAAA query is not received in
- 0.5 seconds, start performing the A query while waiting for the
- result (immediate parallelism might be unoptimal, at least without
- information sharing between the look-up threads, as that would
- probably lead to duplicate non-cached delegation chain lookups).
-
-
- An additional concern is the address selection, which may, in some
- circumstances, prefer AAAA records over A records even when the node
- does not have any IPv6 connectivity [I-D.ietf-v6ops-v6onbydefault].
- In some cases, the implementation may attempt to connect or send a
- datagram on a physical link [I-D.ietf-v6ops-onlinkassumption],
- incurring very long protocol timeouts, instead of quickly failing
- back to IPv4.
-
-
- Now, we can consider the issues specific to each of the three
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 14]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- possibilities:
-
-
- In the first case, the node performs a number of completely useless
- DNS lookups as it will not be able to use the returned AAAA records
- anyway. (The only exception is where the application desires to know
- what's in the DNS, but not use the result for communication.) One
- should be able to disable these unnecessary queries, for both latency
- and reliability reasons. However, as IPv6 has not been enabled, the
- connections to IPv6 addresses fail immediately, and if the
- application is programmed properly, the application can fall
- gracefully back to IPv4 [I-D.ietf-v6ops-application-transition].
-
-
- The second case is similar to the first, except it happens to a
- smaller set of nodes when IPv6 has been enabled but connectivity has
- not been provided yet; similar considerations apply, with the
- exception that IPv6 records, when returned, will be actually tried
- first which may typically lead to long timeouts.
-
-
- The third case is a bit more complex: optimizing away the DNS lookups
- with only link-locals is probably safe (but may be desirable with
- different lookup services which getaddrinfo() may support), as the
- link-locals are typically automatically generated when IPv6 is
- enabled, and do not indicate any form of IPv6 connectivity. That is,
- performing DNS lookups only when a non-link-local address has been
- configured on any interface could be beneficial -- this would be an
- indication that either the address has been configured either from a
- router advertisement, DHCPv6 [RFC3315], or manually. Each would
- indicate at least some form of IPv6 connectivity, even though there
- would not be guarantees of it.
-
-
- These issues should be analyzed at more depth, and the fixes found
- consensus on, perhaps in a separate document.
-
-
-5.2 Obtaining a List of DNS Recursive Resolvers
-
-
- In scenarios where DHCPv6 is available, a host can discover a list of
- DNS recursive resolvers through DHCPv6 "DNS Recursive Name Server"
- option [RFC3646]. This option can be passed to a host through a
- subset of DHCPv6 [RFC3736].
-
-
- The IETF is considering the development of alternative mechanisms for
- obtaining the list of DNS recursive name servers when DHCPv6 is
- unavailable or inappropriate. No decision about taking on this
- development work has been reached as of this writing (Aug 2004)
- [I-D.ietf-dnsop-ipv6-dns-configuration].
-
-
- In scenarios where DHCPv6 is unavailable or inappropriate, mechanisms
- under consideration for development include the use of well-known
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 15]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- addresses [I-D.ohta-preconfigured-dns] and the use of Router
- Advertisements to convey the information
- [I-D.jeong-dnsop-ipv6-dns-discovery].
-
-
- Note that even though IPv6 DNS resolver discovery is a recommended
- procedure, it is not required for dual-stack nodes in dual-stack
- networks as IPv6 DNS records can be queried over IPv4 as well as
- IPv6. Obviously, nodes which are meant to function without manual
- configuration in IPv6-only networks must implement the DNS resolver
- discovery function.
-
-
-5.3 IPv6 Transport Guidelines for Resolvers
-
-
- As described in Section 1.3 and
- [I-D.ietf-dnsop-ipv6-transport-guidelines], the recursive resolvers
- should be IPv4-only or dual-stack to be able to reach any IPv4-only
- DNS server. Note that this requirement is also fulfilled by an
- IPv6-only stub resolver pointing to a dual-stack recursive DNS
- resolver.
-
-
-6. Considerations about Forward DNS Updating
-
-
- While the topic how to enable updating the forward DNS, i.e., the
- mapping from names to the correct new addresses, is not specific to
- IPv6, it should be considered especially due to the advent of
- Stateless Address Autoconfiguration [RFC2462].
-
-
- Typically forward DNS updates are more manageable than doing them in
- the reverse DNS, because the updater can often be assumed to "own" a
- certain DNS name -- and we can create a form of security relationship
- with the DNS name and the node which is allowed to update it to point
- to a new address.
-
-
- A more complex form of DNS updates -- adding a whole new name into a
- DNS zone, instead of updating an existing name -- is considered out
- of scope for this memo as it could require zone-wide authentication.
- Adding a new name in the forward zone is a problem which is still
- being explored with IPv4, and IPv6 does not seem to add much new in
- that area.
-
-
-6.1 Manual or Custom DNS Updates
-
-
- The DNS mappings can also be maintained by hand, in a semi-automatic
- fashion or by running non-standardized protocols. These are not
- considered at more length in this memo.
-
-
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 16]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
-6.2 Dynamic DNS
-
-
- Dynamic DNS updates (DDNS) [RFC2136][RFC3007] is a standardized
- mechanism for dynamically updating the DNS. It works equally well
- with stateless address autoconfiguration (SLAAC), DHCPv6 or manual
- address configuration. It is important to consider how each of these
- behave if IP address-based authentication, instead of stronger
- mechanisms [RFC3007], was used in the updates.
-
-
- 1. manual addresses are static and can be configured
-
-
- 2. DHCPv6 addresses could be reasonably static or dynamic, depending
- on the deployment, and could or could not be configured on the
- DNS server for the long term
-
-
- 3. SLAAC addresses are typically stable for a long time, but could
- require work to be configured and maintained.
-
-
- As relying on IP addresses for Dynamic DNS is rather insecure at
- best, stronger authentication should always be used; however, this
- requires that the authorization keying will be explicitly configured
- using unspecified operational methods.
-
-
- Note that with DHCP it is also possible that the DHCP server updates
- the DNS, not the host. The host might only indicate in the DHCP
- exchange which hostname it would prefer, and the DHCP server would
- make the appropriate updates. Nonetheless, while this makes setting
- up a secure channel between the updater and the DNS server easier, it
- does not help much with "content" security, i.e., whether the
- hostname was acceptable -- if the DNS server does not include
- policies, they must be included in the DHCP server (e.g., a regular
- host should not be able to state that its name is "www.example.com").
- DHCP-initiated DDNS updates have been extensively described in
- [I-D.ietf-dhc-ddns-resolution], [I-D.ietf-dhc-fqdn-option] and
- [I-D.ietf-dnsext-dhcid-rr].
-
-
- The nodes must somehow be configured with the information about the
- servers where they will attempt to update their addresses, sufficient
- security material for authenticating themselves to the server, and
- the hostname they will be updating. Unless otherwise configured, the
- first could be obtained by looking up the authoritative name servers
- for the hostname; the second must be configured explicitly unless one
- chooses to trust the IP address-based authentication (not a good
- idea); and lastly, the nodename is typically pre-configured somehow
- on the node, e.g., at install time.
-
-
- Care should be observed when updating the addresses not to use longer
- TTLs for addresses than are preferred lifetimes for the addresses, so
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 17]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- that if the node is renumbered in a managed fashion, the amount of
- stale DNS information is kept to the minimum. That is, if the
- preferred lifetime of an address expires, the TTL of the record needs
- be modified unless it was already done before the expiration. For
- better flexibility, the DNS TTL should be much shorter (e.g., a half
- or a third) than the lifetime of an address; that way, the node can
- start lowering the DNS TTL if it seems like the address has not been
- renewed/refreshed in a while. Some discussion on how an
- administrator could manage the DNS TTL is included in
- [I-D.ietf-v6ops-renumbering-procedure]; this could be applied to
- (smart) hosts as well.
-
-
-7. Considerations about Reverse DNS Updating
-
-
- Updating the reverse DNS zone may be difficult because of the split
- authority over an address. However, first we have to consider the
- applicability of reverse DNS in the first place.
-
-
-7.1 Applicability of Reverse DNS
-
-
- Today, some applications use reverse DNS to either look up some hints
- about the topological information associated with an address (e.g.
- resolving web server access logs), or as a weak form of a security
- check, to get a feel whether the user's network administrator has
- "authorized" the use of the address (on the premises that adding a
- reverse record for an address would signal some form of
- authorization).
-
-
- One additional, maybe slightly more useful usage is ensuring that the
- reverse and forward DNS contents match (by looking up the pointer to
- the name by the IP address from the reverse tree, and ensuring that a
- record under the name in the forward tree points to the IP address)
- and correspond to a configured name or domain. As a security check,
- it is typically accompanied by other mechanisms, such as a user/
- password login; the main purpose of the reverse+forward DNS check is
- to weed out the majority of unauthorized users, and if someone
- managed to bypass the checks, he would still need to authenticate
- "properly".
-
-
- It may also be desirable to store IPsec keying material corresponding
- to an IP address to the reverse DNS, as justified and described in
- [I-D.ietf-ipseckey-rr].
-
-
- It is not clear whether it makes sense to require or recommend that
- reverse DNS records be updated. In many cases, it would just make
- more sense to use proper mechanisms for security (or topological
- information lookup) in the first place. At minimum, the applications
- which use it as a generic authorization (in the sense that a record
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 18]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- exists at all) should be modified as soon as possible to avoid such
- lookups completely.
-
-
- The applicability is discussed at more length in
- [I-D.ietf-dnsop-inaddr-required].
-
-
-7.2 Manual or Custom DNS Updates
-
-
- Reverse DNS can of course be updated using manual or custom methods.
- These are not further described here, except for one special case.
-
-
- One way to deploy reverse DNS would be to use wildcard records, for
- example, by configuring one name for a subnet (/64) or a site (/48).
- As a concrete example, a site (or the site's ISP) could configure the
- reverses of the prefix 2001:db8:f00::/48 to point to one name using a
- wildcard record like "*.0.0.f.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR
- site.example.com." Naturally, such a name could not be verified from
- the forward DNS, but would at least provide some form of "topological
- information" or "weak authorization" if that is really considered to
- be useful. Note that this is not actually updating the DNS as such,
- as the whole point is to avoid DNS updates completely by manually
- configuring a generic name.
-
-
-7.3 DDNS with Stateless Address Autoconfiguration
-
-
- Dynamic reverse DNS with SLAAC is simpler than forward DNS updates in
- some regard, while being more difficult in another, as described
- below.
-
-
- The address space administrator decides whether the hosts are trusted
- to update their reverse DNS records or not. If they are, a simple
- address-based authorization is typically sufficient (i.e., check that
- the DNS update is done from the same IP address as the record being
- updated); stronger security can also be used [RFC3007]. If they
- aren't allowed to update the reverses, no update can occur. (Such
- address-based update authorization operationally requires that
- ingress filtering [RFC3704] has been set up at the border of the site
- where the updates occur, and as close to the updater as possible.)
-
-
- Address-based authorization is simpler with reverse DNS (as there is
- a connection between the record and the address) than with forward
- DNS. However, when a stronger form of security is used, forward DNS
- updates are simpler to manage because the host can be assumed to have
- an association with the domain. Note that the user may roam to
- different networks, and does not necessarily have any association
- with the owner of that address space -- so, assuming stronger form of
- authorization for reverse DNS updates than an address association is
- generally unfeasible.
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 19]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- Moreover, the reverse zones must be cleaned up by an unspecified
- janitorial process: the node does not typically know a priori that it
- will be disconnected, and cannot send a DNS update using the correct
- source address to remove a record.
-
-
- A problem with defining the clean-up process is that it is difficult
- to ensure that a specific IP address and the corresponding record are
- no longer being used. Considering the huge address space, and the
- unlikelihood of collision within 64 bits of the interface
- identifiers, a process which would remove the record after no traffic
- has been seen from a node in a long period of time (e.g., a month or
- year) might be one possible approach.
-
-
- To insert or update the record, the node must discover the DNS server
- to send the update to somehow, similar to as discussed in Section
- 6.2. One way to automate this is looking up the DNS server
- authoritative (e.g., through SOA record) for the IP address being
- updated, but the security material (unless the IP address-based
- authorization is trusted) must also be established by some other
- means.
-
-
- One should note that Cryptographically Generated Addresses
- [I-D.ietf-send-cga] (CGAs) may require a slightly different kind of
- treatment. CGAs are addresses where the interface identifier is
- calculated from a public key, a modifier (used as a nonce), the
- subnet prefix, and other data. Depending on the usage profile, CGAs
- might or might not be changed periodically due to e.g., privacy
- reasons. As the CGA address is not predicatable, a reverse record
- can only reasonably be inserted in the DNS by the node which
- generates the address.
-
-
-7.4 DDNS with DHCP
-
-
- With DHCPv4, the reverse DNS name is typically already inserted to
- the DNS that reflects to the name (e.g., "dhcp-67.example.com"). One
- can assume similar practice may become commonplace with DHCPv6 as
- well; all such mappings would be pre-configured, and would require no
- updating.
-
-
- If a more explicit control is required, similar considerations as
- with SLAAC apply, except for the fact that typically one must update
- a reverse DNS record instead of inserting one (if an address
- assignment policy that reassigns disused addresses is adopted) and
- updating a record seems like a slightly more difficult thing to
- secure. However, it is yet uncertain how DHCPv6 is going to be used
- for address assignment.
-
-
- Note that when using DHCP, either the host or the DHCP server could
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 20]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- perform the DNS updates; see the implications in Section 6.2.
-
-
- If disused addresses were to be reassigned, host-based DDNS reverse
- updates would need policy considerations for DNS record modification,
- as noted above. On the other hand, if disused address were not to be
- assigned, host-based DNS reverse updates would have similar
- considerations as SLAAC in Section 7.3. Server-based updates have
- similar properties except that the janitorial process could be
- integrated with DHCP address assignment.
-
-
-7.5 DDNS with Dynamic Prefix Delegation
-
-
- In cases where a prefix, instead of an address, is being used and
- updated, one should consider what is the location of the server where
- DDNS updates are made. That is, where the DNS server is located:
-
-
- 1. At the same organization as the prefix delegator.
-
-
- 2. At the site where the prefixes are delegated to. In this case,
- the authority of the DNS reverse zone corresponding to the
- delegated prefix is also delegated to the site.
-
-
- 3. Elsewhere; this implies a relationship between the site and where
- DNS server is located, and such a relationship should be rather
- straightforward to secure as well. Like in the previous case,
- the authority of the DNS reverse zone is also delegated.
-
-
- In the first case, managing the reverse DNS (delegation) is simpler
- as the DNS server and the prefix delegator are in the same
- administrative domain (as there is no need to delegate anything at
- all); alternatively, the prefix delegator might forgo DDNS reverse
- capability altogether, and use e.g., wildcard records (as described
- in Section 7.2). In the other cases, it can be slighly more
- difficult, particularly as the site will have to configure the DNS
- server to be authoritative for the delegated reverse zone, implying
- automatic configuration of the DNS server -- as the prefix may be
- dynamic.
-
-
- Managing the DDNS reverse updates is typically simple in the second
- case, as the updated server is located at the local site, and
- arguably IP address-based authentication could be sufficient (or if
- not, setting up security relationships would be simpler). As there
- is an explicit (security) relationship between the parties in the
- third case, setting up the security relationships to allow reverse
- DDNS updates should be rather straightforward as well (but IP
- address-based authentication might not be acceptable). In the first
- case, however, setting up and managing such relationships might be a
- lot more difficult.
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 21]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
-8. Miscellaneous DNS Considerations
-
-
- This section describes miscellaneous considerations about DNS which
- seem related to IPv6, for which no better place has been found in
- this document.
-
-
-8.1 NAT-PT with DNS-ALG
-
-
- The DNS-ALG component of NAT-PT mangles A records to look like AAAA
- records to the IPv6-only nodes. Numerous problems have been
- identified with DNS-ALG [I-D.durand-v6ops-natpt-dns-alg-issues].
- This is a strong reason not to use NAT-PT in the first place.
-
-
-8.2 Renumbering Procedures and Applications' Use of DNS
-
-
- One of the most difficult problems of systematic IP address
- renumbering procedures [I-D.ietf-v6ops-renumbering-procedure] is that
- an application which looks up a DNS name disregards information such
- as TTL, and uses the result obtained from DNS as long as it happens
- to be stored in the memory of the application. For applications
- which run for a long time, this could be days, weeks or even months;
- some applications may be clever enough to organize the data
- structures and functions in such a manner that look-ups get refreshed
- now and then.
-
-
- While the issue appears to have a clear solution, "fix the
- applications", practically this is not reasonable immediate advice;
- the TTL information is not typically available in the APIs and
- libraries (so, the advice becomes "fix the applications, APIs and
- libraries"), and a lot more analysis is needed on how to practically
- go about to achieve the ultimate goal of avoiding using the names
- longer than expected.
-
-
-9. Acknowledgements
-
-
- Some recommendations (Section 4.3, Section 5.1) about IPv6 service
- provisioning were moved here from [I-D.ietf-v6ops-mech-v2] by Erik
- Nordmark and Bob Gilligan. Havard Eidnes and Michael Patton provided
- useful feedback and improvements. Scott Rose, Rob Austein, Masataka
- Ohta, and Mark Andrews helped in clarifying the issues regarding
- additional data and the use of TTL. Jefsey Morfin, Ralph Droms,
- Peter Koch, Jinmei Tatuya, Iljitsch van Beijnum, Edward Lewis, and
- Rob Austein provided useful feedback during the WG last call. Thomas
- Narten provided extensive feedback during the IESG evaluation.
-
-
-10. Security Considerations
-
-
- This document reviews the operational procedures for IPv6 DNS
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 22]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- operations and does not have security considerations in itself.
-
-
- However, it is worth noting that in particular with Dynamic DNS
- Updates, security models based on the source address validation are
- very weak and cannot be recommended -- they could only be considered
- in the environments where ingress filtering [RFC3704] has been
- deployed. On the other hand, it should be noted that setting up an
- authorization mechanism (e.g., a shared secret, or public-private
- keys) between a node and the DNS server has to be done manually, and
- may require quite a bit of time and expertise.
-
-
- To re-emphasize which was already stated, the reverse+forward DNS
- check provides very weak security at best, and the only
- (questionable) security-related use for them may be in conjunction
- with other mechanisms when authenticating a user.
-
-
-11. References
-
-
-11.1 Normative References
-
-
- [I-D.ietf-dnsop-ipv6-dns-configuration]
- Jeong, J., "IPv6 Host Configuration of DNS Server
- Information Approaches",
- draft-ietf-dnsop-ipv6-dns-configuration-02 (work in
- progress), July 2004.
-
-
- [I-D.ietf-dnsop-ipv6-transport-guidelines]
- Durand, A. and J. Ihren, "DNS IPv6 transport operational
- guidelines", draft-ietf-dnsop-ipv6-transport-guidelines-02
- (work in progress), March 2004.
-
-
- [I-D.ietf-dnsop-misbehavior-against-aaaa]
- Morishita, Y. and T. Jinmei, "Common Misbehavior against
- DNS Queries for IPv6 Addresses",
- draft-ietf-dnsop-misbehavior-against-aaaa-01 (work in
- progress), April 2004.
-
-
- [I-D.ietf-ipv6-deprecate-site-local]
- Huitema, C. and B. Carpenter, "Deprecating Site Local
- Addresses", draft-ietf-ipv6-deprecate-site-local-03 (work
- in progress), March 2004.
-
-
- [I-D.ietf-v6ops-application-transition]
- Shin, M., "Application Aspects of IPv6 Transition",
- draft-ietf-v6ops-application-transition-03 (work in
- progress), June 2004.
-
-
- [I-D.ietf-v6ops-renumbering-procedure]
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 23]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- Baker, F., Lear, E. and R. Droms, "Procedures for
- Renumbering an IPv6 Network without a Flag Day",
- draft-ietf-v6ops-renumbering-procedure-01 (work in
- progress), July 2004.
-
-
- [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
-
- [RFC2182] Elz, R., Bush, R., Bradner, S. and M. Patton, "Selection
- and Operation of Secondary DNS Servers", BCP 16, RFC 2182,
- July 1997.
-
-
- [RFC2462] Thomson, S. and T. Narten, "IPv6 Stateless Address
- Autoconfiguration", RFC 2462, December 1998.
-
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
-
- [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
-
- [RFC3041] Narten, T. and R. Draves, "Privacy Extensions for
- Stateless Address Autoconfiguration in IPv6", RFC 3041,
- January 2001.
-
-
- [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
- via IPv4 Clouds", RFC 3056, February 2001.
-
-
- [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
- August 2001.
-
-
- [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and
- M. Carney, "Dynamic Host Configuration Protocol for IPv6
- (DHCPv6)", RFC 3315, July 2003.
-
-
- [RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O. and T.
- Hain, "Representing Internet Protocol version 6 (IPv6)
- Addresses in the Domain Name System (DNS)", RFC 3363,
- August 2002.
-
-
- [RFC3364] Austein, R., "Tradeoffs in Domain Name System (DNS)
- Support for Internet Protocol version 6 (IPv6)", RFC 3364,
- August 2002.
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 24]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6
- (IPv6) Addressing Architecture", RFC 3513, April 2003.
-
-
- [RFC3596] Thomson, S., Huitema, C., Ksinant, V. and M. Souissi, "DNS
- Extensions to Support IP Version 6", RFC 3596, October
- 2003.
-
-
- [RFC3646] Droms, R., "DNS Configuration options for Dynamic Host
- Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
- December 2003.
-
-
- [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
- (DHCP) Service for IPv6", RFC 3736, April 2004.
-
-
-11.2 Informative References
-
-
- [I-D.durand-v6ops-natpt-dns-alg-issues]
- Durand, A., "Issues with NAT-PT DNS ALG in RFC2766",
- draft-durand-v6ops-natpt-dns-alg-issues-00 (work in
- progress), February 2003.
-
-
- [I-D.huitema-v6ops-teredo]
- Huitema, C., "Teredo: Tunneling IPv6 over UDP through
- NATs", draft-huitema-v6ops-teredo-02 (work in progress),
- June 2004.
-
-
- [I-D.huston-6to4-reverse-dns]
- Huston, G., "6to4 Reverse DNS",
- draft-huston-6to4-reverse-dns-02 (work in progress), April
- 2004.
-
-
- [I-D.ietf-dhc-ddns-resolution]
- Stapp, M., "Resolution of DNS Name Conflicts Among DHCP
- Clients", draft-ietf-dhc-ddns-resolution-07 (work in
- progress), July 2004.
-
-
- [I-D.ietf-dhc-fqdn-option]
- Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option",
- draft-ietf-dhc-fqdn-option-07 (work in progress), July
- 2004.
-
-
- [I-D.ietf-dnsext-dhcid-rr]
- Stapp, M., Lemon, T. and A. Gustafsson, "A DNS RR for
- encoding DHCP information (DHCID RR)",
- draft-ietf-dnsext-dhcid-rr-08 (work in progress), July
- 2004.
-
-
- [I-D.ietf-dnsop-bad-dns-res]
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 25]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- Larson, M. and P. Barber, "Observed DNS Resolution
- Misbehavior", draft-ietf-dnsop-bad-dns-res-02 (work in
- progress), July 2004.
-
-
- [I-D.ietf-dnsop-dontpublish-unreachable]
- Hazel, P., "IP Addresses that should never appear in the
- public DNS", draft-ietf-dnsop-dontpublish-unreachable-03
- (work in progress), February 2002.
-
-
- [I-D.ietf-dnsop-inaddr-required]
- Senie, D., "Requiring DNS IN-ADDR Mapping",
- draft-ietf-dnsop-inaddr-required-05 (work in progress),
- April 2004.
-
-
- [I-D.ietf-ipseckey-rr]
- Richardson, M., "A method for storing IPsec keying
- material in DNS", draft-ietf-ipseckey-rr-11 (work in
- progress), July 2004.
-
-
- [I-D.ietf-ipv6-unique-local-addr]
- Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
- Addresses", draft-ietf-ipv6-unique-local-addr-05 (work in
- progress), June 2004.
-
-
- [I-D.ietf-send-cga]
- Aura, T., "Cryptographically Generated Addresses (CGA)",
- draft-ietf-send-cga-06 (work in progress), April 2004.
-
-
- [I-D.ietf-v6ops-3gpp-analysis]
- Wiljakka, J., "Analysis on IPv6 Transition in 3GPP
- Networks", draft-ietf-v6ops-3gpp-analysis-10 (work in
- progress), May 2004.
-
-
- [I-D.ietf-v6ops-mech-v2]
- Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
- for IPv6 Hosts and Routers", draft-ietf-v6ops-mech-v2-04
- (work in progress), July 2004.
-
-
- [I-D.ietf-v6ops-onlinkassumption]
- Roy, S., Durand, A. and J. Paugh, "IPv6 Neighbor Discovery
- On-Link Assumption Considered Harmful",
- draft-ietf-v6ops-onlinkassumption-02 (work in progress),
- May 2004.
-
-
- [I-D.ietf-v6ops-v6onbydefault]
- Roy, S., Durand, A. and J. Paugh, "Issues with Dual Stack
- IPv6 on by Default", draft-ietf-v6ops-v6onbydefault-03
- (work in progress), July 2004.
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 26]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- [I-D.jeong-dnsop-ipv6-dns-discovery]
- Jeong, J., "IPv6 DNS Discovery based on Router
- Advertisement", draft-jeong-dnsop-ipv6-dns-discovery-02
- (work in progress), July 2004.
-
-
- [I-D.moore-6to4-dns]
- Moore, K., "6to4 and DNS", draft-moore-6to4-dns-03 (work
- in progress), October 2002.
-
-
- [I-D.ohta-preconfigured-dns]
- Ohta, M., "Preconfigured DNS Server Addresses",
- draft-ohta-preconfigured-dns-01 (work in progress),
- February 2004.
-
-
- [I-D.savola-v6ops-6bone-mess]
- Savola, P., "Moving from 6bone to IPv6 Internet",
- draft-savola-v6ops-6bone-mess-01 (work in progress),
- November 2002.
-
-
- [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address
- Translation - Protocol Translation (NAT-PT)", RFC 2766,
- February 2000.
-
-
- [RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
- specifying the location of services (DNS SRV)", RFC 2782,
- February 2000.
-
-
- [RFC2826] Internet Architecture Board, "IAB Technical Comment on the
- Unique DNS Root", RFC 2826, May 2000.
-
-
- [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
- Networks", BCP 84, RFC 3704, March 2004.
-
-
-
-Authors' Addresses
-
-
- Alain Durand
- SUN Microsystems, Inc.
- 17 Network circle UMPL17-202
- Menlo Park, CA 94025
- USA
-
-
- EMail: Alain.Durand@sun.com
-
-
-
-
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 27]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- Johan Ihren
- Autonomica
- Bellmansgatan 30
- SE-118 47 Stockholm
- Sweden
-
-
- EMail: johani@autonomica.se
-
-
-
- Pekka Savola
- CSC/FUNET
- Espoo
- Finland
-
-
- EMail: psavola@funet.fi
-
-
-Appendix A. Site-local Addressing Considerations for DNS
-
-
- As site-local addressing has been deprecated, the considerations for
- site-local addressing are discussed briefly here. Unique local
- addressing format [I-D.ietf-ipv6-unique-local-addr] has been proposed
- as a replacement, but being work-in-progress, it is not considered
- further.
-
-
- The interactions with DNS come in two flavors: forward and reverse
- DNS.
-
-
- To actually use site-local addresses within a site, this implies the
- deployment of a "split-faced" or a fragmented DNS name space, for the
- zones internal to the site, and the outsiders' view to it. The
- procedures to achieve this are not elaborated here. The implication
- is that site-local addresses must not be published in the public DNS.
-
-
- To faciliate reverse DNS (if desired) with site-local addresses, the
- stub resolvers must look for DNS information from the local DNS
- servers, not e.g. starting from the root servers, so that the
- site-local information may be provided locally. Note that the
- experience of private addresses in IPv4 has shown that the root
- servers get loaded for requests for private address lookups in any
- case.
-
-
-Appendix B. Issues about Additional Data or TTL
-
-
- [[ note to the RFC-editor: remove this section upon publication. ]]
-
-
- This appendix tries to describe the apparent rought consensus about
- additional data and TTL issues (sections 4.4 and 4.5), and present
- questions when there appears to be no consensus. The point of
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 28]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
- recording them here is to focus the discussion and get feedback.
-
-
- Resolved:
-
-
- a. If some critical additional data RRsets wouldn't fit, you set the
- TC bit even if some RRsets did fit.
-
-
- b. If some courtesy additional data RRsets wouldn't fit, you never
- set the TC bit, but rather remove (at least some of) the courtesy
- RRsets.
-
-
- c. DNS servers should implement sanity checks on the resulting glue,
- e.g., to disable circular dependencies. Then the responding
- servers can use at-or-below-a-zone-cut criterion to determine
- whether the additional data is critical or not.
-
-
- Open issues (at least):
-
-
- 1. if some critical additional data RRsets would fit, but some
- wouldn't, and TC has to be set (see above), should one rather
- remove the additional data that did fit, keep it, or leave
- unspecified?
-
-
- 2. if some courtesy additional data RRsets would fit, but some
- wouldn't, and some will have to be removed from the response (no
- TC is set, see above), what to do -- remove all courtesy RRsets,
- keep all that fit, or leave unspecified?
-
-
- 3. is it acceptable to use the transport used in the DNS query as a
- hint which records to keep if not removing all the RRsets, if: a)
- having to decide which critical additional data to keep, or b)
- having to decide which courtesy additional data to keep?
-
-
- 4. (this issue was discussed in section 4.5) if one RRset has TTL of
- 100 seconds, and another the TTL of 300 seconds, what should the
- caching server do after 100 seconds? Keep returning just one
- RRset when returning additional data, or discard the other RRset
- from the cache?
-
-
- 5. how do we move forward from here? If we manage to get to some
- form of consensus, how do we record it: a) just in
- draft-ietf-dnsop-ipv6-dns-issues (note that it's Informational
- category only!), b) a separate BCP or similar by DNSEXT WG(?),
- clarifying and giving recommendations, c) something else, what?
-
-
-
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 29]
-Internet-Draft Considerations and Issues with IPv6 DNS August 2004
-
-
-
-Intellectual Property Statement
-
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-
-Disclaimer of Validity
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-Copyright Statement
-
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-
-Acknowledgment
-
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-Durand, et al. Expires February 7, 2005 [Page 30]
\ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-11.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-11.txt
deleted file mode 100644
index 1276f9f91d62..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-11.txt
+++ /dev/null
@@ -1,1682 +0,0 @@
-
-
-
-
-DNS Operations WG A. Durand
-Internet-Draft SUN Microsystems, Inc.
-Expires: January 17, 2006 J. Ihren
- Autonomica
- P. Savola
- CSC/FUNET
- July 16, 2005
-
-
- Operational Considerations and Issues with IPv6 DNS
- draft-ietf-dnsop-ipv6-dns-issues-11.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 17, 2006.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This memo presents operational considerations and issues with IPv6
- Domain Name System (DNS), including a summary of special IPv6
- addresses, documentation of known DNS implementation misbehaviour,
- recommendations and considerations on how to perform DNS naming for
- service provisioning and for DNS resolver IPv6 support,
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 1]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- considerations for DNS updates for both the forward and reverse
- trees, and miscellaneous issues. This memo is aimed to include a
- summary of information about IPv6 DNS considerations for those who
- have experience with IPv4 DNS.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 1.1 Representing IPv6 Addresses in DNS Records . . . . . . . . 4
- 1.2 Independence of DNS Transport and DNS Records . . . . . . 4
- 1.3 Avoiding IPv4/IPv6 Name Space Fragmentation . . . . . . . 5
- 1.4 Query Type '*' and A/AAAA Records . . . . . . . . . . . . 5
- 2. DNS Considerations about Special IPv6 Addresses . . . . . . . 5
- 2.1 Limited-scope Addresses . . . . . . . . . . . . . . . . . 6
- 2.2 Temporary Addresses . . . . . . . . . . . . . . . . . . . 6
- 2.3 6to4 Addresses . . . . . . . . . . . . . . . . . . . . . . 6
- 2.4 Other Transition Mechanisms . . . . . . . . . . . . . . . 6
- 3. Observed DNS Implementation Misbehaviour . . . . . . . . . . . 7
- 3.1 Misbehaviour of DNS Servers and Load-balancers . . . . . . 7
- 3.2 Misbehaviour of DNS Resolvers . . . . . . . . . . . . . . 7
- 4. Recommendations for Service Provisioning using DNS . . . . . . 7
- 4.1 Use of Service Names instead of Node Names . . . . . . . . 8
- 4.2 Separate vs the Same Service Names for IPv4 and IPv6 . . . 8
- 4.3 Adding the Records Only when Fully IPv6-enabled . . . . . 9
- 4.4 The Use of TTL for IPv4 and IPv6 RRs . . . . . . . . . . . 10
- 4.4.1 TTL With Courtesy Additional Data . . . . . . . . . . 10
- 4.4.2 TTL With Critical Additional Data . . . . . . . . . . 10
- 4.5 IPv6 Transport Guidelines for DNS Servers . . . . . . . . 11
- 5. Recommendations for DNS Resolver IPv6 Support . . . . . . . . 11
- 5.1 DNS Lookups May Query IPv6 Records Prematurely . . . . . . 11
- 5.2 Obtaining a List of DNS Recursive Resolvers . . . . . . . 13
- 5.3 IPv6 Transport Guidelines for Resolvers . . . . . . . . . 13
- 6. Considerations about Forward DNS Updating . . . . . . . . . . 13
- 6.1 Manual or Custom DNS Updates . . . . . . . . . . . . . . . 14
- 6.2 Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . 14
- 7. Considerations about Reverse DNS Updating . . . . . . . . . . 15
- 7.1 Applicability of Reverse DNS . . . . . . . . . . . . . . . 15
- 7.2 Manual or Custom DNS Updates . . . . . . . . . . . . . . . 16
- 7.3 DDNS with Stateless Address Autoconfiguration . . . . . . 16
- 7.4 DDNS with DHCP . . . . . . . . . . . . . . . . . . . . . . 18
- 7.5 DDNS with Dynamic Prefix Delegation . . . . . . . . . . . 18
- 8. Miscellaneous DNS Considerations . . . . . . . . . . . . . . . 19
- 8.1 NAT-PT with DNS-ALG . . . . . . . . . . . . . . . . . . . 19
- 8.2 Renumbering Procedures and Applications' Use of DNS . . . 19
- 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 20
- 10. Security Considerations . . . . . . . . . . . . . . . . . . 20
- 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20
- 11.1 Normative References . . . . . . . . . . . . . . . . . . . 20
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 2]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- 11.2 Informative References . . . . . . . . . . . . . . . . . . 22
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 24
- A. Unique Local Addressing Considerations for DNS . . . . . . . . 25
- B. Behaviour of Additional Data in IPv4/IPv6 Environments . . . . 25
- B.1 Description of Additional Data Scenarios . . . . . . . . . 26
- B.2 Which Additional Data to Keep, If Any? . . . . . . . . . . 27
- B.3 Discussion of the Potential Problems . . . . . . . . . . . 28
- Intellectual Property and Copyright Statements . . . . . . . . 30
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 3]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
-1. Introduction
-
- This memo presents operational considerations and issues with IPv6
- DNS; it is meant to be an extensive summary and a list of pointers
- for more information about IPv6 DNS considerations for those with
- experience with IPv4 DNS.
-
- The purpose of this document is to give information about various
- issues and considerations related to DNS operations with IPv6; it is
- not meant to be a normative specification or standard for IPv6 DNS.
-
- The first section gives a brief overview of how IPv6 addresses and
- names are represented in the DNS, how transport protocols and
- resource records (don't) relate, and what IPv4/IPv6 name space
- fragmentation means and how to avoid it; all of these are described
- at more length in other documents.
-
- The second section summarizes the special IPv6 address types and how
- they relate to DNS. The third section describes observed DNS
- implementation misbehaviours which have a varying effect on the use
- of IPv6 records with DNS. The fourth section lists recommendations
- and considerations for provisioning services with DNS. The fifth
- section in turn looks at recommendations and considerations about
- providing IPv6 support in the resolvers. The sixth and seventh
- sections describe considerations with forward and reverse DNS
- updates, respectively. The eighth section introduces several
- miscellaneous IPv6 issues relating to DNS for which no better place
- has been found in this memo. Appendix A looks briefly at the
- requirements for unique local addressing.
-
-1.1 Representing IPv6 Addresses in DNS Records
-
- In the forward zones, IPv6 addresses are represented using AAAA
- records. In the reverse zones, IPv6 address are represented using
- PTR records in the nibble format under the ip6.arpa. tree. See
- [RFC3596] for more about IPv6 DNS usage, and [RFC3363] or [RFC3152]
- for background information.
-
- In particular one should note that the use of A6 records in the
- forward tree or Bitlabels in the reverse tree is not recommended
- [RFC3363]. Using DNAME records is not recommended in the reverse
- tree in conjunction with A6 records; the document did not mean to
- take a stance on any other use of DNAME records [RFC3364].
-
-1.2 Independence of DNS Transport and DNS Records
-
- DNS has been designed to present a single, globally unique name space
- [RFC2826]. This property should be maintained, as described here and
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 4]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- in Section 1.3.
-
- The IP version used to transport the DNS queries and responses is
- independent of the records being queried: AAAA records can be queried
- over IPv4, and A records over IPv6. The DNS servers must not make
- any assumptions about what data to return for Answer and Authority
- sections based on the underlying transport used in a query.
-
- However, there is some debate whether the addresses in Additional
- section could be selected or filtered using hints obtained from which
- transport was being used; this has some obvious problems because in
- many cases the transport protocol does not correlate with the
- requests, and because a "bad" answer is in a way worse than no answer
- at all (consider the case where the client is led to believe that a
- name received in the additional record does not have any AAAA records
- at all).
-
- As stated in [RFC3596]:
-
- The IP protocol version used for querying resource records is
- independent of the protocol version of the resource records; e.g.,
- IPv4 transport can be used to query IPv6 records and vice versa.
-
-
-1.3 Avoiding IPv4/IPv6 Name Space Fragmentation
-
- To avoid the DNS name space from fragmenting into parts where some
- parts of DNS are only visible using IPv4 (or IPv6) transport, the
- recommendation is to always keep at least one authoritative server
- IPv4-enabled, and to ensure that recursive DNS servers support IPv4.
- See DNS IPv6 transport guidelines [RFC3901] for more information.
-
-1.4 Query Type '*' and A/AAAA Records
-
- QTYPE=* is typically only used for debugging or management purposes;
- it is worth keeping in mind that QTYPE=* ("ANY" queries) only return
- any available RRsets, not *all* the RRsets, because the caches do not
- necessarily have all the RRsets and have no way of guaranteeing that
- they have all the RRsets. Therefore, to get both A and AAAA records
- reliably, two separate queries must be made.
-
-2. DNS Considerations about Special IPv6 Addresses
-
- There are a couple of IPv6 address types which are somewhat special;
- these are considered here.
-
-
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 5]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
-2.1 Limited-scope Addresses
-
- The IPv6 addressing architecture [RFC3513] includes two kinds of
- local-use addresses: link-local (fe80::/10) and site-local
- (fec0::/10). The site-local addresses have been deprecated [RFC3879]
- but are discussed with unique local addresses in Appendix A.
-
- Link-local addresses should never be published in DNS (whether in
- forward or reverse tree), because they have only local (to the
- connected link) significance [I-D.durand-dnsop-dont-publish].
-
-2.2 Temporary Addresses
-
- Temporary addresses defined in RFC3041 [RFC3041] (sometimes called
- "privacy addresses") use a random number as the interface identifier.
- Having DNS AAAA records that are updated to always contain the
- current value of a node's temporary address would defeat the purpose
- of the mechanism and is not recommended. However, it would still be
- possible to return a non-identifiable name (e.g., the IPv6 address in
- hexadecimal format), as described in [RFC3041].
-
-2.3 6to4 Addresses
-
- 6to4 [RFC3056] specifies an automatic tunneling mechanism which maps
- a public IPv4 address V4ADDR to an IPv6 prefix 2002:V4ADDR::/48.
-
- If the reverse DNS population would be desirable (see Section 7.1 for
- applicability), there are a number of possible ways to do so.
-
- The main proposal [I-D.huston-6to4-reverse-dns] aims to design an
- autonomous reverse-delegation system that anyone being capable of
- communicating using a specific 6to4 address would be able to set up a
- reverse delegation to the corresponding 6to4 prefix. This could be
- deployed by e.g., Regional Internet Registries (RIRs). This is a
- practical solution, but may have some scalability concerns.
-
-2.4 Other Transition Mechanisms
-
- 6to4 is mentioned as a case of an IPv6 transition mechanism requiring
- special considerations. In general, mechanisms which include a
- special prefix may need a custom solution; otherwise, for example
- when IPv4 address is embedded as the suffix or not embedded at all,
- special solutions are likely not needed.
-
- Note that it does not seem feasible to provide reverse DNS with
- another automatic tunneling mechanism, Teredo [I-D.huitema-v6ops-
- teredo]; this is because the IPv6 address is based on the IPv4
- address and UDP port of the current NAT mapping which is likely to be
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 6]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- relatively short-lived.
-
-3. Observed DNS Implementation Misbehaviour
-
- Several classes of misbehaviour in DNS servers, load-balancers and
- resolvers have been observed. Most of these are rather generic, not
- only applicable to IPv6 -- but in some cases, the consequences of
- this misbehaviour are extremely severe in IPv6 environments and
- deserve to be mentioned.
-
-3.1 Misbehaviour of DNS Servers and Load-balancers
-
- There are several classes of misbehaviour in certain DNS servers and
- load-balancers which have been noticed and documented [RFC4074]: some
- implementations silently drop queries for unimplemented DNS records
- types, or provide wrong answers to such queries (instead of a proper
- negative reply). While typically these issues are not limited to
- AAAA records, the problems are aggravated by the fact that AAAA
- records are being queried instead of (mainly) A records.
-
- The problems are serious because when looking up a DNS name, typical
- getaddrinfo() implementations, with AF_UNSPEC hint given, first try
- to query the AAAA records of the name, and after receiving a
- response, query the A records. This is done in a serial fashion --
- if the first query is never responded to (instead of properly
- returning a negative answer), significant timeouts will occur.
-
- In consequence, this is an enormous problem for IPv6 deployments, and
- in some cases, IPv6 support in the software has even been disabled
- due to these problems.
-
- The solution is to fix or retire those misbehaving implementations,
- but that is likely not going to be effective. There are some
- possible ways to mitigate the problem, e.g., by performing the
- lookups somewhat in parallel and reducing the timeout as long as at
- least one answer has been received; but such methods remain to be
- investigated; slightly more on this is included in Section 5.
-
-3.2 Misbehaviour of DNS Resolvers
-
- Several classes of misbehaviour have also been noticed in DNS
- resolvers [I-D.ietf-dnsop-bad-dns-res]. However, these do not seem
- to directly impair IPv6 use, and are only referred to for
- completeness.
-
-4. Recommendations for Service Provisioning using DNS
-
- When names are added in the DNS to facilitate a service, there are
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 7]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- several general guidelines to consider to be able to do it as
- smoothly as possible.
-
-4.1 Use of Service Names instead of Node Names
-
- It makes sense to keep information about separate services logically
- separate in the DNS by using a different DNS hostname for each
- service. There are several reasons for doing this, for example:
-
- o It allows more flexibility and ease for migration of (only a part
- of) services from one node to another,
-
- o It allows configuring different properties (e.g., TTL) for each
- service, and
-
- o It allows deciding separately for each service whether to publish
- the IPv6 addresses or not (in cases where some services are more
- IPv6-ready than others).
-
- Using SRV records [RFC2782] would avoid these problems.
- Unfortunately, those are not sufficiently widely used to be
- applicable in most cases. Hence an operation technique is to use
- service names instead of node names (or, "hostnames"). This
- operational technique is not specific to IPv6, but required to
- understand the considerations described in Section 4.2 and
- Section 4.3.
-
- For example, assume a node named "pobox.example.com" provides both
- SMTP and IMAP service. Instead of configuring the MX records to
- point at "pobox.example.com", and configuring the mail clients to
- look up the mail via IMAP from "pobox.example.com", one could use
- e.g., "smtp.example.com" for SMTP (for both message submission and
- mail relaying between SMTP servers) and "imap.example.com" for IMAP.
- Note that in the specific case of SMTP relaying, the server itself
- must typically also be configured to know all its names to ensure
- loops do not occur. DNS can provide a layer of indirection between
- service names and where the service actually is, and using which
- addresses. (Obviously, when wanting to reach a specific node, one
- should use the hostname rather than a service name.)
-
-4.2 Separate vs the Same Service Names for IPv4 and IPv6
-
- The service naming can be achieved in basically two ways: when a
- service is named "service.example.com" for IPv4, the IPv6-enabled
- service could either be added to "service.example.com", or added
- separately under a different name, e.g., in a sub-domain, like,
- "service.ipv6.example.com".
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 8]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- These two methods have different characteristics. Using a different
- name allows for easier service piloting, minimizing the disturbance
- to the "regular" users of IPv4 service; however, the service would
- not be used transparently, without the user/application explicitly
- finding it and asking for it -- which would be a disadvantage in most
- cases. When the different name is under a sub-domain, if the
- services are deployed within a restricted network (e.g., inside an
- enterprise), it's possible to prefer them transparently, at least to
- a degree, by modifying the DNS search path; however, this is a
- suboptimal solution. Using the same service name is the "long-term"
- solution, but may degrade performance for those clients whose IPv6
- performance is lower than IPv4, or does not work as well (see
- Section 4.3 for more).
-
- In most cases, it makes sense to pilot or test a service using
- separate service names, and move to the use of the same name when
- confident enough that the service level will not degrade for the
- users unaware of IPv6.
-
-4.3 Adding the Records Only when Fully IPv6-enabled
-
- The recommendation is that AAAA records for a service should not be
- added to the DNS until all of following are true:
-
- 1. The address is assigned to the interface on the node.
-
- 2. The address is configured on the interface.
-
- 3. The interface is on a link which is connected to the IPv6
- infrastructure.
-
- In addition, if the AAAA record is added for the node, instead of
- service as recommended, all the services of the node should be IPv6-
- enabled prior to adding the resource record.
-
- For example, if an IPv6 node is isolated from an IPv6 perspective
- (e.g., it is not connected to IPv6 Internet) constraint #3 would mean
- that it should not have an address in the DNS.
-
- Consider the case of two dual-stack nodes, which both have IPv6
- enabled, but the server does not have (global) IPv6 connectivity. As
- the client looks up the server's name, only A records are returned
- (if the recommendations above are followed), and no IPv6
- communication, which would have been unsuccessful, is even attempted.
-
- The issues are not always so black-and-white. Usually it's important
- that the service offered using both protocols is of roughly equal
- quality, using the appropriate metrics for the service (e.g.,
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 9]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- latency, throughput, low packet loss, general reliability, etc.) --
- this is typically very important especially for interactive or real-
- time services. In many cases, the quality of IPv6 connectivity may
- not yet be equal to that of IPv4, at least globally -- this has to be
- taken into consideration when enabling services.
-
-4.4 The Use of TTL for IPv4 and IPv6 RRs
-
- The behaviour of DNS caching when different TTL values are used for
- different RRsets of the same name calls for explicit discussion. For
- example, let's consider two unrelated zone fragments:
-
- example.com. 300 IN MX foo.example.com.
- foo.example.com. 300 IN A 192.0.2.1
- foo.example.com. 100 IN AAAA 2001:db8::1
-
- ...
-
- child.example.com. 300 IN NS ns.child.example.com.
- ns.child.example.com. 300 IN A 192.0.2.1
- ns.child.example.com. 100 IN AAAA 2001:db8::1
-
- In the former case, we have "courtesy" additional data; in the
- latter, we have "critical" additional data. See more extensive
- background discussion of additional data handling in Appendix B.
-
-4.4.1 TTL With Courtesy Additional Data
-
- When a caching resolver asks for the MX record of example.com, it
- gets back "foo.example.com". It may also get back either one or both
- of the A and AAAA records in the additional section. The resolver
- must explicitly query for both A and AAAA records [RFC2821].
-
- After 100 seconds, the AAAA record is removed from the cache(s)
- because its TTL expired. It could be argued to be useful for the
- caching resolvers to discard the A record when the shorter TTL (in
- this case, for the AAAA record) expires; this would avoid the
- situation where there would be a window of 200 seconds when
- incomplete information is returned from the cache. Further argument
- for discarding is that in the normal operation, the TTL values are so
- high that very likely the incurred additional queries would not be
- noticeable, compared to the obtained performance optimization. The
- behaviour in this scenario is unspecified.
-
-4.4.2 TTL With Critical Additional Data
-
- The difference to courtesy additional data is that the A/AAAA records
- served by the parent zone cannot be queried explicitly. Therefore
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 10]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- after 100 seconds the AAAA record is removed from the cache(s), but
- the A record remains. Queries for the remaining 200 seconds
- (provided that there are no further queries from the parent which
- could refresh the caches) only return the A record, leading to a
- potential opererational situation with unreachable servers.
-
- Similar cache flushing strategies apply in this scenario; the record.
-
-4.5 IPv6 Transport Guidelines for DNS Servers
-
- As described in Section 1.3 and [RFC3901], there should continue to
- be at least one authoritative IPv4 DNS server for every zone, even if
- the zone has only IPv6 records. (Note that obviously, having more
- servers with robust connectivity would be preferable, but this is the
- minimum recommendation; also see [RFC2182].)
-
-5. Recommendations for DNS Resolver IPv6 Support
-
- When IPv6 is enabled on a node, there are several things to consider
- to ensure that the process is as smooth as possible.
-
-5.1 DNS Lookups May Query IPv6 Records Prematurely
-
- The system library that implements the getaddrinfo() function for
- looking up names is a critical piece when considering the robustness
- of enabling IPv6; it may come in basically three flavours:
-
- 1. The system library does not know whether IPv6 has been enabled in
- the kernel of the operating system: it may start looking up AAAA
- records with getaddrinfo() and AF_UNSPEC hint when the system is
- upgraded to a system library version which supports IPv6.
-
- 2. The system library might start to perform IPv6 queries with
- getaddrinfo() only when IPv6 has been enabled in the kernel.
- However, this does not guarantee that there exists any useful
- IPv6 connectivity (e.g., the node could be isolated from the
- other IPv6 networks, only having link-local addresses).
-
- 3. The system library might implement a toggle which would apply
- some heuristics to the "IPv6-readiness" of the node before
- starting to perform queries; for example, it could check whether
- only link-local IPv6 address(es) exists, or if at least one
- global IPv6 address exists.
-
- First, let us consider generic implications of unnecessary queries
- for AAAA records: when looking up all the records in the DNS, AAAA
- records are typically tried first, and then A records. These are
- done in serial, and the A query is not performed until a response is
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 11]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- received to the AAAA query. Considering the misbehaviour of DNS
- servers and load-balancers, as described in Section 3.1, the look-up
- delay for AAAA may incur additional unnecessary latency, and
- introduce a component of unreliability.
-
- One option here could be to do the queries partially in parallel; for
- example, if the final response to the AAAA query is not received in
- 0.5 seconds, start performing the A query while waiting for the
- result (immediate parallelism might be unoptimal, at least without
- information sharing between the look-up threads, as that would
- probably lead to duplicate non-cached delegation chain lookups).
-
- An additional concern is the address selection, which may, in some
- circumstances, prefer AAAA records over A records even when the node
- does not have any IPv6 connectivity [I-D.ietf-v6ops-v6onbydefault].
- In some cases, the implementation may attempt to connect or send a
- datagram on a physical link [I-D.ietf-v6ops-onlinkassumption],
- incurring very long protocol timeouts, instead of quickly failing
- back to IPv4.
-
- Now, we can consider the issues specific to each of the three
- possibilities:
-
- In the first case, the node performs a number of completely useless
- DNS lookups as it will not be able to use the returned AAAA records
- anyway. (The only exception is where the application desires to know
- what's in the DNS, but not use the result for communication.) One
- should be able to disable these unnecessary queries, for both latency
- and reliability reasons. However, as IPv6 has not been enabled, the
- connections to IPv6 addresses fail immediately, and if the
- application is programmed properly, the application can fall
- gracefully back to IPv4 [RFC4038].
-
- The second case is similar to the first, except it happens to a
- smaller set of nodes when IPv6 has been enabled but connectivity has
- not been provided yet; similar considerations apply, with the
- exception that IPv6 records, when returned, will be actually tried
- first which may typically lead to long timeouts.
-
- The third case is a bit more complex: optimizing away the DNS lookups
- with only link-locals is probably safe (but may be desirable with
- different lookup services which getaddrinfo() may support), as the
- link-locals are typically automatically generated when IPv6 is
- enabled, and do not indicate any form of IPv6 connectivity. That is,
- performing DNS lookups only when a non-link-local address has been
- configured on any interface could be beneficial -- this would be an
- indication that either the address has been configured either from a
- router advertisement, DHCPv6 [RFC3315], or manually. Each would
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 12]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- indicate at least some form of IPv6 connectivity, even though there
- would not be guarantees of it.
-
- These issues should be analyzed at more depth, and the fixes found
- consensus on, perhaps in a separate document.
-
-5.2 Obtaining a List of DNS Recursive Resolvers
-
- In scenarios where DHCPv6 is available, a host can discover a list of
- DNS recursive resolvers through DHCPv6 "DNS Recursive Name Server"
- option [RFC3646]. This option can be passed to a host through a
- subset of DHCPv6 [RFC3736].
-
- The IETF is considering the development of alternative mechanisms for
- obtaining the list of DNS recursive name servers when DHCPv6 is
- unavailable or inappropriate. No decision about taking on this
- development work has been reached as of this writing (Aug 2004)
- [I-D.ietf-dnsop-ipv6-dns-configuration].
-
- In scenarios where DHCPv6 is unavailable or inappropriate, mechanisms
- under consideration for development include the use of well-known
- addresses [I-D.ohta-preconfigured-dns] and the use of Router
- Advertisements to convey the information [I-D.jeong-dnsop-ipv6-dns-
- discovery].
-
- Note that even though IPv6 DNS resolver discovery is a recommended
- procedure, it is not required for dual-stack nodes in dual-stack
- networks as IPv6 DNS records can be queried over IPv4 as well as
- IPv6. Obviously, nodes which are meant to function without manual
- configuration in IPv6-only networks must implement the DNS resolver
- discovery function.
-
-5.3 IPv6 Transport Guidelines for Resolvers
-
- As described in Section 1.3 and [RFC3901], the recursive resolvers
- should be IPv4-only or dual-stack to be able to reach any IPv4-only
- DNS server. Note that this requirement is also fulfilled by an IPv6-
- only stub resolver pointing to a dual-stack recursive DNS resolver.
-
-6. Considerations about Forward DNS Updating
-
- While the topic of how to enable updating the forward DNS, i.e., the
- mapping from names to the correct new addresses, is not specific to
- IPv6, it should be considered especially due to the advent of
- Stateless Address Autoconfiguration [RFC2462].
-
- Typically forward DNS updates are more manageable than doing them in
- the reverse DNS, because the updater can often be assumed to "own" a
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 13]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- certain DNS name -- and we can create a form of security relationship
- with the DNS name and the node which is allowed to update it to point
- to a new address.
-
- A more complex form of DNS updates -- adding a whole new name into a
- DNS zone, instead of updating an existing name -- is considered out
- of scope for this memo as it could require zone-wide authentication.
- Adding a new name in the forward zone is a problem which is still
- being explored with IPv4, and IPv6 does not seem to add much new in
- that area.
-
-6.1 Manual or Custom DNS Updates
-
- The DNS mappings can also be maintained by hand, in a semi-automatic
- fashion or by running non-standardized protocols. These are not
- considered at more length in this memo.
-
-6.2 Dynamic DNS
-
- Dynamic DNS updates (DDNS) [RFC2136] [RFC3007] is a standardized
- mechanism for dynamically updating the DNS. It works equally well
- with stateless address autoconfiguration (SLAAC), DHCPv6 or manual
- address configuration. It is important to consider how each of these
- behave if IP address-based authentication, instead of stronger
- mechanisms [RFC3007], was used in the updates.
-
- 1. manual addresses are static and can be configured
-
- 2. DHCPv6 addresses could be reasonably static or dynamic, depending
- on the deployment, and could or could not be configured on the
- DNS server for the long term
-
- 3. SLAAC addresses are typically stable for a long time, but could
- require work to be configured and maintained.
-
- As relying on IP addresses for Dynamic DNS is rather insecure at
- best, stronger authentication should always be used; however, this
- requires that the authorization keying will be explicitly configured
- using unspecified operational methods.
-
- Note that with DHCP it is also possible that the DHCP server updates
- the DNS, not the host. The host might only indicate in the DHCP
- exchange which hostname it would prefer, and the DHCP server would
- make the appropriate updates. Nonetheless, while this makes setting
- up a secure channel between the updater and the DNS server easier, it
- does not help much with "content" security, i.e., whether the
- hostname was acceptable -- if the DNS server does not include
- policies, they must be included in the DHCP server (e.g., a regular
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 14]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- host should not be able to state that its name is "www.example.com").
- DHCP-initiated DDNS updates have been extensively described in
- [I-D.ietf-dhc-ddns-resolution], [I-D.ietf-dhc-fqdn-option] and
- [I-D.ietf-dnsext-dhcid-rr].
-
- The nodes must somehow be configured with the information about the
- servers where they will attempt to update their addresses, sufficient
- security material for authenticating themselves to the server, and
- the hostname they will be updating. Unless otherwise configured, the
- first could be obtained by looking up the authoritative name servers
- for the hostname; the second must be configured explicitly unless one
- chooses to trust the IP address-based authentication (not a good
- idea); and lastly, the nodename is typically pre-configured somehow
- on the node, e.g., at install time.
-
- Care should be observed when updating the addresses not to use longer
- TTLs for addresses than are preferred lifetimes for the addresses, so
- that if the node is renumbered in a managed fashion, the amount of
- stale DNS information is kept to the minimum. That is, if the
- preferred lifetime of an address expires, the TTL of the record needs
- be modified unless it was already done before the expiration. For
- better flexibility, the DNS TTL should be much shorter (e.g., a half
- or a third) than the lifetime of an address; that way, the node can
- start lowering the DNS TTL if it seems like the address has not been
- renewed/refreshed in a while. Some discussion on how an
- administrator could manage the DNS TTL is included in [I-D.ietf-
- v6ops-renumbering-procedure]; this could be applied to (smart) hosts
- as well.
-
-7. Considerations about Reverse DNS Updating
-
- Updating the reverse DNS zone may be difficult because of the split
- authority over an address. However, first we have to consider the
- applicability of reverse DNS in the first place.
-
-7.1 Applicability of Reverse DNS
-
- Today, some applications use reverse DNS to either look up some hints
- about the topological information associated with an address (e.g.
- resolving web server access logs), or as a weak form of a security
- check, to get a feel whether the user's network administrator has
- "authorized" the use of the address (on the premises that adding a
- reverse record for an address would signal some form of
- authorization).
-
- One additional, maybe slightly more useful usage is ensuring that the
- reverse and forward DNS contents match (by looking up the pointer to
- the name by the IP address from the reverse tree, and ensuring that a
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 15]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- record under the name in the forward tree points to the IP address)
- and correspond to a configured name or domain. As a security check,
- it is typically accompanied by other mechanisms, such as a user/
- password login; the main purpose of the reverse+forward DNS check is
- to weed out the majority of unauthorized users, and if someone
- managed to bypass the checks, he would still need to authenticate
- "properly".
-
- It may also be desirable to store IPsec keying material corresponding
- to an IP address in the reverse DNS, as justified and described in
- [RFC4025].
-
- It is not clear whether it makes sense to require or recommend that
- reverse DNS records be updated. In many cases, it would just make
- more sense to use proper mechanisms for security (or topological
- information lookup) in the first place. At minimum, the applications
- which use it as a generic authorization (in the sense that a record
- exists at all) should be modified as soon as possible to avoid such
- lookups completely.
-
- The applicability is discussed at more length in [I-D.ietf-dnsop-
- inaddr-required].
-
-7.2 Manual or Custom DNS Updates
-
- Reverse DNS can of course be updated using manual or custom methods.
- These are not further described here, except for one special case.
-
- One way to deploy reverse DNS would be to use wildcard records, for
- example, by configuring one name for a subnet (/64) or a site (/48).
- As a concrete example, a site (or the site's ISP) could configure the
- reverses of the prefix 2001:db8:f00::/48 to point to one name using a
- wildcard record like "*.0.0.f.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR
- site.example.com." Naturally, such a name could not be verified from
- the forward DNS, but would at least provide some form of "topological
- information" or "weak authorization" if that is really considered to
- be useful. Note that this is not actually updating the DNS as such,
- as the whole point is to avoid DNS updates completely by manually
- configuring a generic name.
-
-7.3 DDNS with Stateless Address Autoconfiguration
-
- Dynamic reverse DNS with SLAAC is simpler than forward DNS updates in
- some regard, while being more difficult in another, as described
- below.
-
- The address space administrator decides whether the hosts are trusted
- to update their reverse DNS records or not. If they are trusted and
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 16]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- deployed at the same site (e.g., not across the Internet), a simple
- address-based authorization is typically sufficient (i.e., check that
- the DNS update is done from the same IP address as the record being
- updated); stronger security can also be used [RFC3007]. If they
- aren't allowed to update the reverses, no update can occur. However,
- such address-based update authorization operationally requires that
- ingress filtering [RFC3704] has been set up at the border of the site
- where the updates occur, and as close to the updater as possible.
-
- Address-based authorization is simpler with reverse DNS (as there is
- a connection between the record and the address) than with forward
- DNS. However, when a stronger form of security is used, forward DNS
- updates are simpler to manage because the host can be assumed to have
- an association with the domain. Note that the user may roam to
- different networks, and does not necessarily have any association
- with the owner of that address space -- so, assuming stronger form of
- authorization for reverse DNS updates than an address association is
- generally infeasible.
-
- Moreover, the reverse zones must be cleaned up by an unspecified
- janitorial process: the node does not typically know a priori that it
- will be disconnected, and cannot send a DNS update using the correct
- source address to remove a record.
-
- A problem with defining the clean-up process is that it is difficult
- to ensure that a specific IP address and the corresponding record are
- no longer being used. Considering the huge address space, and the
- unlikelihood of collision within 64 bits of the interface
- identifiers, a process which would remove the record after no traffic
- has been seen from a node in a long period of time (e.g., a month or
- year) might be one possible approach.
-
- To insert or update the record, the node must discover the DNS server
- to send the update to somehow, similar to as discussed in
- Section 6.2. One way to automate this is looking up the DNS server
- authoritative (e.g., through SOA record) for the IP address being
- updated, but the security material (unless the IP address-based
- authorization is trusted) must also be established by some other
- means.
-
- One should note that Cryptographically Generated Addresses [RFC3972]
- (CGAs) may require a slightly different kind of treatment. CGAs are
- addresses where the interface identifier is calculated from a public
- key, a modifier (used as a nonce), the subnet prefix, and other data.
- Depending on the usage profile, CGAs might or might not be changed
- periodically due to e.g., privacy reasons. As the CGA address is not
- predicatable, a reverse record can only reasonably be inserted in the
- DNS by the node which generates the address.
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 17]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
-7.4 DDNS with DHCP
-
- With DHCPv4, the reverse DNS name is typically already inserted to
- the DNS that reflects to the name (e.g., "dhcp-67.example.com"). One
- can assume similar practice may become commonplace with DHCPv6 as
- well; all such mappings would be pre-configured, and would require no
- updating.
-
- If a more explicit control is required, similar considerations as
- with SLAAC apply, except for the fact that typically one must update
- a reverse DNS record instead of inserting one (if an address
- assignment policy that reassigns disused addresses is adopted) and
- updating a record seems like a slightly more difficult thing to
- secure. However, it is yet uncertain how DHCPv6 is going to be used
- for address assignment.
-
- Note that when using DHCP, either the host or the DHCP server could
- perform the DNS updates; see the implications in Section 6.2.
-
- If disused addresses were to be reassigned, host-based DDNS reverse
- updates would need policy considerations for DNS record modification,
- as noted above. On the other hand, if disused address were not to be
- assigned, host-based DNS reverse updates would have similar
- considerations as SLAAC in Section 7.3. Server-based updates have
- similar properties except that the janitorial process could be
- integrated with DHCP address assignment.
-
-7.5 DDNS with Dynamic Prefix Delegation
-
- In cases where a prefix, instead of an address, is being used and
- updated, one should consider what is the location of the server where
- DDNS updates are made. That is, where the DNS server is located:
-
- 1. At the same organization as the prefix delegator.
-
- 2. At the site where the prefixes are delegated to. In this case,
- the authority of the DNS reverse zone corresponding to the
- delegated prefix is also delegated to the site.
-
- 3. Elsewhere; this implies a relationship between the site and where
- DNS server is located, and such a relationship should be rather
- straightforward to secure as well. Like in the previous case,
- the authority of the DNS reverse zone is also delegated.
-
- In the first case, managing the reverse DNS (delegation) is simpler
- as the DNS server and the prefix delegator are in the same
- administrative domain (as there is no need to delegate anything at
- all); alternatively, the prefix delegator might forgo DDNS reverse
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 18]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- capability altogether, and use e.g., wildcard records (as described
- in Section 7.2). In the other cases, it can be slighly more
- difficult, particularly as the site will have to configure the DNS
- server to be authoritative for the delegated reverse zone, implying
- automatic configuration of the DNS server -- as the prefix may be
- dynamic.
-
- Managing the DDNS reverse updates is typically simple in the second
- case, as the updated server is located at the local site, and
- arguably IP address-based authentication could be sufficient (or if
- not, setting up security relationships would be simpler). As there
- is an explicit (security) relationship between the parties in the
- third case, setting up the security relationships to allow reverse
- DDNS updates should be rather straightforward as well (but IP
- address-based authentication might not be acceptable). In the first
- case, however, setting up and managing such relationships might be a
- lot more difficult.
-
-8. Miscellaneous DNS Considerations
-
- This section describes miscellaneous considerations about DNS which
- seem related to IPv6, for which no better place has been found in
- this document.
-
-8.1 NAT-PT with DNS-ALG
-
- The DNS-ALG component of NAT-PT mangles A records to look like AAAA
- records to the IPv6-only nodes. Numerous problems have been
- identified with DNS-ALG [I-D.ietf-v6ops-natpt-to-exprmntl]. This is
- a strong reason not to use NAT-PT in the first place.
-
-8.2 Renumbering Procedures and Applications' Use of DNS
-
- One of the most difficult problems of systematic IP address
- renumbering procedures [I-D.ietf-v6ops-renumbering-procedure] is that
- an application which looks up a DNS name disregards information such
- as TTL, and uses the result obtained from DNS as long as it happens
- to be stored in the memory of the application. For applications
- which run for a long time, this could be days, weeks or even months;
- some applications may be clever enough to organize the data
- structures and functions in such a manner that look-ups get refreshed
- now and then.
-
- While the issue appears to have a clear solution, "fix the
- applications", practically this is not reasonable immediate advice;
- the TTL information is not typically available in the APIs and
- libraries (so, the advice becomes "fix the applications, APIs and
- libraries"), and a lot more analysis is needed on how to practically
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 19]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- go about to achieve the ultimate goal of avoiding using the names
- longer than expected.
-
-9. Acknowledgements
-
- Some recommendations (Section 4.3, Section 5.1) about IPv6 service
- provisioning were moved here from [I-D.ietf-v6ops-mech-v2] by Erik
- Nordmark and Bob Gilligan. Havard Eidnes and Michael Patton provided
- useful feedback and improvements. Scott Rose, Rob Austein, Masataka
- Ohta, and Mark Andrews helped in clarifying the issues regarding
- additional data and the use of TTL. Jefsey Morfin, Ralph Droms,
- Peter Koch, Jinmei Tatuya, Iljitsch van Beijnum, Edward Lewis, and
- Rob Austein provided useful feedback during the WG last call. Thomas
- Narten provided extensive feedback during the IESG evaluation.
-
-10. Security Considerations
-
- This document reviews the operational procedures for IPv6 DNS
- operations and does not have security considerations in itself.
-
- However, it is worth noting that in particular with Dynamic DNS
- Updates, security models based on the source address validation are
- very weak and cannot be recommended -- they could only be considered
- in the environments where ingress filtering [RFC3704] has been
- deployed. On the other hand, it should be noted that setting up an
- authorization mechanism (e.g., a shared secret, or public-private
- keys) between a node and the DNS server has to be done manually, and
- may require quite a bit of time and expertise.
-
- To re-emphasize what was already stated, the reverse+forward DNS
- check provides very weak security at best, and the only
- (questionable) security-related use for them may be in conjunction
- with other mechanisms when authenticating a user.
-
-11. References
-
-11.1 Normative References
-
- [I-D.ietf-dnsop-ipv6-dns-configuration]
- Jeong, J., "IPv6 Host Configuration of DNS Server
- Information Approaches",
- draft-ietf-dnsop-ipv6-dns-configuration-06 (work in
- progress), May 2005.
-
- [I-D.ietf-ipv6-unique-local-addr]
- Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
- Addresses", draft-ietf-ipv6-unique-local-addr-09 (work in
- progress), January 2005.
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 20]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- [I-D.ietf-v6ops-renumbering-procedure]
- Baker, F., "Procedures for Renumbering an IPv6 Network
- without a Flag Day",
- draft-ietf-v6ops-renumbering-procedure-05 (work in
- progress), March 2005.
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)",
- RFC 2136, April 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2182] Elz, R., Bush, R., Bradner, S., and M. Patton, "Selection
- and Operation of Secondary DNS Servers", BCP 16, RFC 2182,
- July 1997.
-
- [RFC2462] Thomson, S. and T. Narten, "IPv6 Stateless Address
- Autoconfiguration", RFC 2462, December 1998.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
- RFC 2671, August 1999.
-
- [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
- April 2001.
-
- [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
- [RFC3041] Narten, T. and R. Draves, "Privacy Extensions for
- Stateless Address Autoconfiguration in IPv6", RFC 3041,
- January 2001.
-
- [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
- via IPv4 Clouds", RFC 3056, February 2001.
-
- [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
- August 2001.
-
- [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
- and M. Carney, "Dynamic Host Configuration Protocol for
- IPv6 (DHCPv6)", RFC 3315, July 2003.
-
- [RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O., and T.
- Hain, "Representing Internet Protocol version 6 (IPv6)
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 21]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- Addresses in the Domain Name System (DNS)", RFC 3363,
- August 2002.
-
- [RFC3364] Austein, R., "Tradeoffs in Domain Name System (DNS)
- Support for Internet Protocol version 6 (IPv6)", RFC 3364,
- August 2002.
-
- [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6
- (IPv6) Addressing Architecture", RFC 3513, April 2003.
-
- [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi,
- "DNS Extensions to Support IP Version 6", RFC 3596,
- October 2003.
-
- [RFC3646] Droms, R., "DNS Configuration options for Dynamic Host
- Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
- December 2003.
-
- [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
- (DHCP) Service for IPv6", RFC 3736, April 2004.
-
- [RFC3879] Huitema, C. and B. Carpenter, "Deprecating Site Local
- Addresses", RFC 3879, September 2004.
-
- [RFC3901] Durand, A. and J. Ihren, "DNS IPv6 Transport Operational
- Guidelines", BCP 91, RFC 3901, September 2004.
-
- [RFC4038] Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and E.
- Castro, "Application Aspects of IPv6 Transition",
- RFC 4038, March 2005.
-
- [RFC4074] Morishita, Y. and T. Jinmei, "Common Misbehavior Against
- DNS Queries for IPv6 Addresses", RFC 4074, May 2005.
-
-11.2 Informative References
-
- [I-D.durand-dnsop-dont-publish]
- Durand, A. and T. Chown, "To publish, or not to publish,
- that is the question.", draft-durand-dnsop-dont-publish-00
- (work in progress), February 2005.
-
- [I-D.huitema-v6ops-teredo]
- Huitema, C., "Teredo: Tunneling IPv6 over UDP through
- NATs", draft-huitema-v6ops-teredo-05 (work in progress),
- April 2005.
-
- [I-D.huston-6to4-reverse-dns]
- Huston, G., "6to4 Reverse DNS Delegation",
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 22]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- draft-huston-6to4-reverse-dns-03 (work in progress),
- October 2004.
-
- [I-D.ietf-dhc-ddns-resolution]
- Stapp, M. and B. Volz, "Resolution of FQDN Conflicts among
- DHCP Clients", draft-ietf-dhc-ddns-resolution-09 (work in
- progress), June 2005.
-
- [I-D.ietf-dhc-fqdn-option]
- Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option",
- draft-ietf-dhc-fqdn-option-10 (work in progress),
- February 2005.
-
- [I-D.ietf-dnsext-dhcid-rr]
- Stapp, M., Lemon, T., and A. Gustafsson, "A DNS RR for
- encoding DHCP information (DHCID RR)",
- draft-ietf-dnsext-dhcid-rr-09 (work in progress),
- February 2005.
-
- [I-D.ietf-dnsop-bad-dns-res]
- Larson, M. and P. Barber, "Observed DNS Resolution
- Misbehavior", draft-ietf-dnsop-bad-dns-res-03 (work in
- progress), October 2004.
-
- [I-D.ietf-dnsop-inaddr-required]
- Senie, D., "Encouraging the use of DNS IN-ADDR Mapping",
- draft-ietf-dnsop-inaddr-required-06 (work in progress),
- February 2005.
-
- [I-D.ietf-v6ops-3gpp-analysis]
- Wiljakka, J., "Analysis on IPv6 Transition in 3GPP
- Networks", draft-ietf-v6ops-3gpp-analysis-11 (work in
- progress), October 2004.
-
- [I-D.ietf-v6ops-mech-v2]
- Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
- for IPv6 Hosts and Routers", draft-ietf-v6ops-mech-v2-07
- (work in progress), March 2005.
-
- [I-D.ietf-v6ops-natpt-to-exprmntl]
- Aoun, C. and E. Davies, "Reasons to Move NAT-PT to
- Experimental", draft-ietf-v6ops-natpt-to-exprmntl-01 (work
- in progress), July 2005.
-
- [I-D.ietf-v6ops-onlinkassumption]
- Roy, S., "IPv6 Neighbor Discovery On-Link Assumption
- Considered Harmful", draft-ietf-v6ops-onlinkassumption-03
- (work in progress), May 2005.
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 23]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- [I-D.ietf-v6ops-v6onbydefault]
- Roy, S., Durand, A., and J. Paugh, "Issues with Dual Stack
- IPv6 on by Default", draft-ietf-v6ops-v6onbydefault-03
- (work in progress), July 2004.
-
- [I-D.jeong-dnsop-ipv6-dns-discovery]
- Jeong, J., "IPv6 DNS Configuration based on Router
- Advertisement", draft-jeong-dnsop-ipv6-dns-discovery-04
- (work in progress), February 2005.
-
- [I-D.ohta-preconfigured-dns]
- Ohta, M., "Preconfigured DNS Server Addresses",
- draft-ohta-preconfigured-dns-01 (work in progress),
- February 2004.
-
- [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address
- Translation - Protocol Translation (NAT-PT)", RFC 2766,
- February 2000.
-
- [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
- specifying the location of services (DNS SRV)", RFC 2782,
- February 2000.
-
- [RFC2826] Internet Architecture Board, "IAB Technical Comment on the
- Unique DNS Root", RFC 2826, May 2000.
-
- [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
- Networks", BCP 84, RFC 3704, March 2004.
-
- [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)",
- RFC 3972, March 2005.
-
- [RFC4025] Richardson, M., "A Method for Storing IPsec Keying
- Material in DNS", RFC 4025, March 2005.
-
-
-Authors' Addresses
-
- Alain Durand
- SUN Microsystems, Inc.
- 17 Network circle UMPL17-202
- Menlo Park, CA 94025
- USA
-
- Email: Alain.Durand@sun.com
-
-
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 24]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- Johan Ihren
- Autonomica
- Bellmansgatan 30
- SE-118 47 Stockholm
- Sweden
-
- Email: johani@autonomica.se
-
-
- Pekka Savola
- CSC/FUNET
- Espoo
- Finland
-
- Email: psavola@funet.fi
-
-Appendix A. Unique Local Addressing Considerations for DNS
-
- Unique local addresses [I-D.ietf-ipv6-unique-local-addr] have
- replaced the now-deprecated site-local addresses [RFC3879]. From the
- perspective of the DNS, the locally generated unique local addresses
- (LUL) and site-local addresses have similar properties.
-
- The interactions with DNS come in two flavors: forward and reverse
- DNS.
-
- To actually use local addresses within a site, this implies the
- deployment of a "split-faced" or a fragmented DNS name space, for the
- zones internal to the site, and the outsiders' view to it. The
- procedures to achieve this are not elaborated here. The implication
- is that local addresses must not be published in the public DNS.
-
- To faciliate reverse DNS (if desired) with local addresses, the stub
- resolvers must look for DNS information from the local DNS servers,
- not e.g. starting from the root servers, so that the local
- information may be provided locally. Note that the experience of
- private addresses in IPv4 has shown that the root servers get loaded
- for requests for private address lookups in any case. This
- requirement is discussed in [I-D.ietf-ipv6-unique-local-addr].
-
-Appendix B. Behaviour of Additional Data in IPv4/IPv6 Environments
-
- DNS responses do not always fit in a single UDP packet. We'll
- examine the cases which happen when this is due to too much data in
- the Additional Section.
-
-
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 25]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
-B.1 Description of Additional Data Scenarios
-
- There are two kinds of additional data:
-
- 1. "critical" additional data; this must be included in all
- scenarios, with all the RRsets, and
-
- 2. "courtesy" additional data; this could be sent in full, with only
- a few RRsets, or with no RRsets, and can be fetched separately as
- well, but at the cost of additional queries.
-
- The responding server can algorithmically determine which type the
- additional data is by checking whether it's at or below a zone cut.
-
- Only those additional data records (even if sometimes carelessly
- termed "glue") are considered "critical" or real "glue" if and only
- if they meet the abovementioned condition, as specified in Section
- 4.2.1 of [RFC1034].
-
- Remember that resource record sets (RRsets) are never "broken up", so
- if a name has 4 A records and 5 AAAA records, you can either return
- all 9, all 4 A records, all 5 AAAA records or nothing. In
- particular, notice that for the "critical" additional data getting
- all the RRsets can be critical.
-
- In particular, [RFC2181] specifies (in Section 9) that:
-
- a. if all the "critical" RRsets do not fit, the sender should set
- the TC bit, and the recipient should discard the whole response
- and retry using mechanism allowing larger responses such as TCP.
-
- b. "courtesy" additional data should not cause the setting of TC
- bit, but instead all the non-fitting additional data RRsets
- should be removed.
-
- An example of the "courtesy" additional data is A/AAAA records in
- conjunction with MX records as shown in Section 4.4; an example of
- the "critical" additional data is shown below (where getting both the
- A and AAAA RRsets is critical w.r.t. to the NS RR):
-
- child.example.com. IN NS ns.child.example.com.
- ns.child.example.com. IN A 192.0.2.1
- ns.child.example.com. IN AAAA 2001:db8::1
-
- When there is too much "courtesy" additional data, at least the non-
- fitting RRsets should be removed [RFC2181]; however, as the
- additional data is not critical, even all of it could be safely
- removed.
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 26]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- When there is too much "critical" additional data, TC bit will have
- to be set, and the recipient should ignore the response and retry
- using TCP; if some data were to be left in the UDP response, the
- issue is which data could be retained.
-
- Failing to discard the response with TC bit or omitting critical
- information but not setting TC bit lead to an unrecoverable problem.
- Omitting only some of the RRsets if all would not fit (but not
- setting TC bit) leads to a performance problem. These are discussed
- in the next two subsections.
-
-B.2 Which Additional Data to Keep, If Any?
-
- If the implementation decides to keep as much data (whether
- "critical" or "courtesy") as possible in the UDP responses, it might
- be tempting to use the transport of the DNS query as a hint in either
- of these cases: return the AAAA records if the query was done over
- IPv6, or return the A records if the query was done over IPv4.
- However, this breaks the model of independence of DNS transport and
- resource records, as noted in Section 1.2.
-
- With courtesy additional data, as long as enough RRsets will be
- removed so that TC will not be set, it is allowed to send as many
- complete RRsets as the implementations prefers. However, the
- implementations are also free to omit all such RRsets, even if
- complete. Omitting all the RRsets (when removing only some would
- suffice) may create a performance penalty, whereby the client may
- need to issue one or more additional queries to obtain necessary
- and/or consistent information.
-
- With critical additional data, the alternatives are either returning
- nothing (and absolutely requiring a retry with TCP) or returning
- something (working also in the case if the recipient does not discard
- the response and retry using TCP) in addition to setting the TC bit.
- If the process for selecting "something" from the critical data would
- otherwise be practically "flipping the coin" between A and AAAA
- records, it could be argued that if one looked at the transport of
- the query, it would have a larger possibility of being right than
- just 50/50. In other words, if the returned critical additional data
- would have to be selected somehow, using something more sophisticated
- than a random process would seem justifiable.
-
- That is, leaving in some intelligently selected critical additional
- data is a tradeoff between creating an optimization for those
- resolvers which ignore the "should discard" recommendation, and
- causing a protocol problem by propagating inconsistent information
- about "critical" records in the caches.
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 27]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- Similarly, leaving in the complete courtesy additional data RRsets
- instead of removing all the RRsets is a performance tradeoff as
- described in the next section.
-
-B.3 Discussion of the Potential Problems
-
- As noted above, the temptation for omitting only some of the
- additional data could be problematic. This is discussed more below.
-
- For courtesy additional data, this causes a potential performance
- problem as this requires that the clients issue re-queries for the
- potentially omitted RRsets. For critical additional data, this
- causes a potential unrecoverable problem if the response is not
- discarded and the query not re-tried with TCP, as the nameservers
- might be reachable only through the omitted RRsets.
-
- If an implementation would look at the transport used for the query,
- it is worth remembering that often the host using the records is
- different from the node requesting them from the authoritative DNS
- server (or even a caching resolver). So, whichever version the
- requestor (e.g., a recursive server in the middle) uses makes no
- difference to the ultimate user of the records, whose transport
- capabilities might differ from those of the requestor. This might
- result in e.g., inappropriately returning A records to an IPv6-only
- node, going through a translation, or opening up another IP-level
- session (e.g., a PDP context [I-D.ietf-v6ops-3gpp-analysis]).
- Therefore, at least in many scenarios, it would be very useful if the
- information returned would be consistent and complete -- or if that
- is not feasible, return no misleading information but rather leave it
- to the client to query again.
-
- The problem of too much additional data seems to be an operational
- one: the zone administrator entering too many records which will be
- returned either truncated (or missing some RRsets, depending on
- implementations) to the users. A protocol fix for this is using
- EDNS0 [RFC2671] to signal the capacity for larger UDP packet sizes,
- pushing up the relevant threshold. Further, DNS server
- implementations should rather omit courtesy additional data
- completely rather than including only some RRsets [RFC2181]. An
- operational fix for this is having the DNS server implementations
- return a warning when the administrators create zones which would
- result in too much additional data being returned. Further, DNS
- server implementations should warn of or disallow such zone
- configurations which are recursive or otherwise difficult to manage
- by the protocol.
-
- Additionally, to avoid the case where an application would not get an
- address at all due to some of courtesy additional data being omitted,
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 28]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
- the resolvers should be able to query the specific records of the
- desired protocol, not just rely on getting all the required RRsets in
- the additional section.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 29]
-
-Internet-Draft Considerations with IPv6 DNS July 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Durand, et al. Expires January 17, 2006 [Page 30]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt
deleted file mode 100644
index b2e2341be9f1..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt
+++ /dev/null
@@ -1,300 +0,0 @@
-Internet Engineering Task Force A.Durand
-INTERNET-DRAFT SUN Microsystems,inc.
-November, 24, 2003 J. Ihren
-Expires May 25, 2004 Autonomica
-
-
- DNS IPv6 transport operational guidelines
- <draft-ietf-dnsop-ipv6-transport-guidelines-01.txt>
-
-
-
-Status of this Memo
-
- This memo provides information to the Internet community. It does not
- specify an Internet standard of any kind. This memo is in full
- conformance with all provisions of Section 10 of RFC2026
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet- Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/1id-abstracts.html
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html
-
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-
-Abstract
-
- This memo provides guidelines and Best Current Practice to operate
- DNS in a world where queries and responses are carried in a mixed
- environment of IPv4 and IPv6 networks.
-
-
-Acknowledgment
-
- This document is the result of many conversations that happened in
- the DNS community at IETF and elsewhere since 2001. During that
- period of time, a number of Internet drafts have been published to
- clarify various aspects of the issues at stake. This document focuses
- on the conclusion of those discussions.
-
- The authors would like to acknowledge the role of Pekka Savola in his
- thorough review of the document.
-
-
-1. Terminology
-
- The phrase "IPv4 name server" indicates a name server available over
- IPv4 transport. It does not imply anything about what DNS data is
- served. Likewise, "IPv6 name server" indicates a name server
- available over IPv6 transport. The phrase "dual-stack DNS server"
- indicates a DNS server that is actually configured to run both
- protocols, IPv4 and IPv6, and not merely a server running on a system
- capable of running both but actually configured to run only one.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [2119].
-
-
-2. Introduction to the Problem of Name Space Fragmentation:
- following the referral chain
-
- The caching resolver that tries to look up a name starts out at the
- root, and follows referrals until it is referred to a nameserver that
- is authoritative for the name. If somewhere down the chain of
- referrals it is referred to a nameserver that is only accessible over
- an unavailable type of transport, a traditional nameserver is unable
- to finish the task.
-
- When the Internet moves from IPv4 to a mixture of IPv4 and IPv6 it is
- only a matter of time until this starts to happen. The complete DNS
- hierarchy then starts to fragment into a graph where authoritative
- nameservers for certain nodes are only accessible over a certain
- transport. What is feared is that a node using only a particular
- version of IP, querying information about another node using the same
- version of IP can not do it because, somewhere in the chain of
- servers accessed during the resolution process, one or more of them
- will only be accessible with the other version of IP.
-
- With all DNS data only available over IPv4 transport everything is
- simple. IPv4 resolvers can use the intended mechanism of following
- referrals from the root and down while IPv6 resolvers have to work
- through a "translator", i.e. they have to use a second name server on
- a so-called "dual stack" host as a "forwarder" since they cannot
- access the DNS data directly.
-
- With all DNS data only available over IPv6 transport everything would
- be equally simple, with the exception of old legacy IPv4 name servers
- having to switch to a forwarding configuration.
-
- However, the second situation will not arise in a foreseeable time.
- Instead, it is expected that the transition will be from IPv4 only to
- a mixture of IPv4 and IPv6, with DNS data of theoretically three
- categories depending on whether it is available only over IPv4
- transport, only over IPv6 or both.
-
- Having DNS data available on both transports is the best situation.
- The major question is how to ensure that it as quickly as possible
- becomes the norm. However, while it is obvious that some DNS data
- will only be available over v4 transport for a long time it is also
- obvious that it is important to avoid fragmenting the name space
- available to IPv4 only hosts. I.e. during transition it is not
- acceptable to break the name space that we presently have available
- for IPv4-only hosts.
-
-
-3. Policy Based Avoidance of Name Space Fragmentation
-
- Today there are only a few DNS "zones" on the public Internet that
- are available over IPv6 transport, and most of them can be regarded
- as "experimental". However, as soon as the root and top level domains
- are available over IPv6 transport, it is reasonable to expect that it
- will become more common to have zones served by IPv6 servers.
-
- Having those zones served only by IPv6-only name server would not be
- a good development, since this will fragment the previously
- unfragmented IPv4 name space and there are strong reasons to find a
- mechanism to avoid it.
-
- The RECOMMENDED approach to maintain name space continuity is to use
- administrative policies, as described in the next section.
-
-
-4. DNS IPv6 Transport RECOMMENDED Guidelines
-
- In order to preserve name space continuity, the following administrative
- policies are RECOMMENDED:
- - every recursive DNS server SHOULD be either IPv4-only or dual
- stack,
- - every single DNS zone SHOULD be served by at least one IPv4
- reachable DNS server.
-
- This rules out IPv6-only DNS servers performing full recursion and
- DNS zones served only by IPv6-only DNS servers. However, one could
- very well design a configuration where a chain of IPv6 only DNS
- servers forward queries to a set of dual stack DNS servers actually
- performing those recursive queries. This approach could be revisited
- if/when translation techniques between IPv4 and IPv6 were to be
- widely deployed.
-
- In order to help enforcing the second point, the optional operational
- zone validation processes SHOULD ensure that there is at least one
- IPv4 address record available for the name servers of any child
- delegations within the zone.
-
-
-5. Security Considerations
-
- Being a critical piece of the Internet infrastructure, the DNS is a
- potential value target and thus should be protected. Great care
- should be taken not to weaken the security of DNS while introducing
- IPv6 operation.
-
- Keeping the DNS name space from fragmenting is a critical thing for
- the availability and the operation of the Internet; this memo
- addresses this issue by clear and simple operational guidelines.
-
- The RECOMMENDED guidelines are compatible with the operation of
- DNSSEC and do not introduce any new security issues.
-
-
-6. Author Addresses
-
- Alain Durand
- SUN Microsystems, Inc
- 17 Network circle UMPK17-202
- Menlo Park, CA, 94025
- USA
- Mail: Alain.Durand@sun.com
-
- Johan Ihren
- Autonomica
- Bellmansgatan 30
- SE-118 47 Stockholm, Sweden
- Mail: johani@autonomica.se
-
-
-7. Normative References
-
- [2119] Bradner, S., "Key Words for Use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
-8. Full Copyright Statement
-
- "Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt
deleted file mode 100644
index 2311ee6c18a0..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt
+++ /dev/null
@@ -1,391 +0,0 @@
-
-DNSOP G. Guette
-Internet-Draft IRISA / INRIA
-Expires: February 5, 2005 O. Courtay
- Thomson R&D
- August 7, 2004
-
-
- Requirements for Automated Key Rollover in DNSSEC
- draft-ietf-dnsop-key-rollover-requirements-01.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on February 5, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- This document describes problems that appear during an automated
- rollover and gives the requirements for the design of communication
- between parent zone and child zone in an automated rollover process.
- This document is essentially about key rollover, the rollover of
- another Resource Record present at delegation point (NS RR) is also
- discussed.
-
-
-
-
-
-Guette & Courtay Expires February 5, 2005 [Page 1]
-
-Internet-Draft Automated Rollover Requirements August 2004
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. The Key Rollover Process . . . . . . . . . . . . . . . . . . . 3
- 3. Basic Requirements . . . . . . . . . . . . . . . . . . . . . . 4
- 4. Messages authentication and information exchanged . . . . . . 4
- 5. Emergency Rollover . . . . . . . . . . . . . . . . . . . . . . 5
- 6. Other Resource Record concerned by automatic rollover . . . . 5
- 7. Security consideration . . . . . . . . . . . . . . . . . . . . 5
- 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5
- 9. Normative References . . . . . . . . . . . . . . . . . . . . . 5
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 6
- Intellectual Property and Copyright Statements . . . . . . . . 7
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Guette & Courtay Expires February 5, 2005 [Page 2]
-
-Internet-Draft Automated Rollover Requirements August 2004
-
-
-1. Introduction
-
- The DNS security extensions (DNSSEC) [4][8][7][9] uses public-key
- cryptography and digital signatures. It stores the public part of
- keys in DNSKEY Resource Records (RRs). Because old keys and
- frequently used keys are vulnerable, they must be renewed
- periodically. In DNSSEC, this is the case for Zone Signing Keys
- (ZSKs) and Key Signing Keys (KSKs) [1][2]. Automation of key
- rollover process is necessary for large zones because there are too
- many changes to handle a manual administration.
-
- Let us consider for example a zone with 100000 secure delegations.
- If the child zones change their keys once a year on average, that
- implies 300 changes per day for the parent zone. This amount of
- changes are hard to manage manually.
-
- Automated rollover is optional and resulting from an agreement
- between the administrator of the parent zone and the administrator of
- the child zone. Of course, key rollover can also be done manually by
- administrators.
-
- This document describes the requirements for the design of messages
- of automated key rollover process and focusses on interaction between
- parent and child zone.
-
-2. The Key Rollover Process
-
- Key rollover consists in renewing the DNSSEC keys used to sign
- resource records in a given DNS zone file. There are two types of
- rollover, ZSK rollovers and KSK rollovers.
-
- In a ZSK rollover, all changes are local to the zone that renews its
- key: there is no need to contact other zones (e.g., parent zone) to
- propagate the performed changes because a ZSK has no associated DS
- record in the parent zone.
-
- In a KSK rollover, new DS RR(s) must be created and stored in the
- parent zone. In consequence, the child zone must contact its parent
- zone and must notify it about the KSK change(s).
-
- Manual key rollover exists and works [3]. The key rollover is built
- from two parts of different nature:
- o An algorithm that generates new keys and signs the zone file. It
- could be local to the zone
- o The interaction between parent and child zones
-
- One example of manual key rollover is:
-
-
-
-
-Guette & Courtay Expires February 5, 2005 [Page 3]
-
-Internet-Draft Automated Rollover Requirements August 2004
-
-
- o The child zone creates a new KSK
- o The child zone waits for the creation of the DS RR in its parent
- zone
- o The child zone deletes the old key.
-
- In manual rollover, communications are managed by the zone
- administrators and the security of these communications is out of
- scope of DNSSEC.
-
- Automated key rollover should use a secure communication between
- parent and child zones. This document concentrates on defining
- interactions between entities present in key rollover process.
-
-3. Basic Requirements
-
- The main constraint to respect during a key rollover is that the
- chain of trust MUST be preserved, even if a resolver retrieves some
- RRs from recursive cache server. Every RR MUST be verifiable at any
- time, every RRs exchanged during the rollover should be authenticated
- and their integrity should be guaranteed.
-
- Two entities act during a KSK rollover: the child zone and its parent
- zone. These zones are generally managed by different administrators.
- These administrators should agree on some parameters like
- availability of automated rollover, the maximum delay between
- notification of changes in the child zone and the resigning of the
- parent zone. The child zone needs to know this delay to schedule its
- changes.
-
-4. Messages authentication and information exchanged
-
- Every exchanged message MUST be authenticated and the authentication
- tool MUST be a DNSSEC tool such as TSIG [6], SIG(0) [5] or DNSSEC
- request with verifiable SIG records.
-
- Once the changes related to a KSK are made in a child zone, this zone
- MUST notify its parent zone in order to create the new DS RR and
- store this DS RR in parent zone file.
-
- The parent zone MUST receive all the child keys that needs the
- creation of associated DS RRs in the parent zone.
-
- Some errors could occur during transmission between child zone and
- parent zone. Key rollover solution MUST be fault tolerant, i.e. at
- any time the rollover MUST be in a consistent state and all RRs MUST
- be verifiable, even if an error occurs. That is to say that it MUST
- remain a valid chain of trust.
-
-
-
-
-Guette & Courtay Expires February 5, 2005 [Page 4]
-
-Internet-Draft Automated Rollover Requirements August 2004
-
-
-5. Emergency Rollover
-
- A key of a zone might be compromised and this key MUST be changed as
- soon as possible. Fast changes could break the chain of trust. The
- part of DNS tree having this zone as apex can become unverifiable,
- but the break of the chain of trust is necessary if we want to no one
- can use the compromised key to spoof DNS data.
-
- In case of emergency rollover, the administrators of parent and child
- zones should create new key(s) and DS RR(s) as fast as possible in
- order to reduce the time the chain of trust is broken.
-
-6. Other Resource Record concerned by automatic rollover
-
- NS records are also present at delegation point, so when the child
- zone renews some NS RR, the corresponding records at delegation point
- in parent zone (glue) MUST be updated. NS records are concerned by
- rollover and this rollover could be automated too. In this case,
- when the child zone notifies its parent zone that some NS records
- have been changed, the parent zone MUST verify that these NS records
- are present in child zone before doing any changes in its own zone
- file. This allows to avoid inconsistency between NS records at
- delegation point and NS records present in the child zone.
-
-7. Security consideration
-
- This document describes requirements to design an automated key
- rollover in DNSSEC based on DNSSEC security. In the same way, as
- plain DNSSEC, the automatic key rollover contains no mechanism
- protecting against denial of service (DoS). The security level
- obtain after an automatic key rollover, is the security level
- provided by DNSSEC.
-
-8. Acknowledgments
-
- The authors want to acknowledge Francis Dupont, Mohsen Souissi,
- Bernard Cousin, Bertrand L‰onard and members of IDsA project for
- their contribution to this document.
-
-9 Normative References
-
- [1] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
- RFC 3658, December 2003.
-
- [2] Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
- (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
- RFC 3757, May 2004.
-
-
-
-
-Guette & Courtay Expires February 5, 2005 [Page 5]
-
-Internet-Draft Automated Rollover Requirements August 2004
-
-
- [3] Kolkman, O., "DNSSEC Operational Practices",
- draft-ietf-dnsop-dnssec-operational-practice-01 (work in
- progress), May 2004.
-
- [4] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [5] Eastlake, D., "DNS Request and Transaction Signatures (
- SIG(0)s)", RFC 2931, September 2000.
-
- [6] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC
- 2845, May 2000.
-
- [7] Arends, R., "Resource Records for the DNS Security Extensions",
- draft-ietf-dnsext-dnssec-records-09 (work in progress), July
- 2004.
-
- [8] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
- "DNS Security Introduction and Requirements",
- draft-ietf-dnsext-dnssec-intro-11 (work in progress), July 2004.
-
- [9] Arends, R., "Protocol Modifications for the DNS Security
- Extensions", draft-ietf-dnsext-dnssec-protocol-07 (work in
- progress), July 2004.
-
-
-Authors' Addresses
-
- Gilles Guette
- IRISA / INRIA
- Campus de Beaulieu
- 35042 Rennes CEDEX
- FR
-
- EMail: gilles.guette@irisa.fr
- URI: http://www.irisa.fr
-
-
- Olivier Courtay
- Thomson R&D
- 1, avenue Belle Fontaine
- 35510 Cesson S‰vign‰ CEDEX
- FR
-
- EMail: olivier.courtay@thomson.net
-
-
-
-
-
-Guette & Courtay Expires February 5, 2005 [Page 6]
-
-Internet-Draft Automated Rollover Requirements August 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Guette & Courtay Expires February 5, 2005 [Page 7]
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-02.txt
deleted file mode 100644
index 6bece56182cf..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-02.txt
+++ /dev/null
@@ -1,389 +0,0 @@
-
-DNSOP G. Guette
-Internet-Draft IRISA / INRIA
-Expires: July 19, 2005 O. Courtay
- Thomson R&D
- January 18, 2005
-
- Requirements for Automated Key Rollover in DNSSEC
- draft-ietf-dnsop-key-rollover-requirements-02.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, I certify that any applicable
- patent or other IPR claims of which I am aware have been disclosed,
- and any of which I become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on July 19, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005). All Rights Reserved.
-
-Abstract
-
- This document describes problems that appear during an automated
- rollover and gives the requirements for the design of communication
- between parent zone and child zone during an automated rollover
- process. This document is essentially about in-band key rollover.
-
-
-
-
-Guette & Courtay Expires July 19, 2005 [Page 1]
-Internet-Draft Automated Rollover Requirements January 2005
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. The Key Rollover Process . . . . . . . . . . . . . . . . . . . 3
- 3. Basic Requirements . . . . . . . . . . . . . . . . . . . . . . 4
- 4. Messages authentication and information exchanged . . . . . . 5
- 5. Emergency Rollover . . . . . . . . . . . . . . . . . . . . . . 5
- 6. Security consideration . . . . . . . . . . . . . . . . . . . . 6
- 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6
- 8. Normative References . . . . . . . . . . . . . . . . . . . . . 6
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 7
- A. Documents details and changes . . . . . . . . . . . . . . . . 7
- Intellectual Property and Copyright Statements . . . . . . . . 8
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Guette & Courtay Expires July 19, 2005 [Page 2]
-Internet-Draft Automated Rollover Requirements January 2005
-
-1. Introduction
-
- The DNS security extensions (DNSSEC) [4][6][5][7] uses public-key
- cryptography and digital signatures. It stores the public part of
- keys in DNSKEY Resource Records (RRs). Because old keys and
- frequently used keys are vulnerable, they must be renewed
- periodically. In DNSSEC, this is the case for Zone Signing Keys
- (ZSKs) and Key Signing Keys (KSKs) [1][2]. Automation of key
- exchanges between parents and children is necessary for large zones
- because there are too many changes to handle.
-
- Let us consider for example a zone with 100000 secure delegations.
- If the child zones change their keys once a year on average, that
- implies 300 changes per day for the parent zone. This amount of
- changes is hard to manage manually.
-
- Automated rollover is optional and resulting from an agreement
- between the administrator of the parent zone and the administrator of
- the child zone. Of course, key rollover can also be done manually by
- administrators.
-
- This document describes the requirements for a protocol to perform
- the automated key rollover process and focusses on interaction
- between parent and child zone.
-
-2. The Key Rollover Process
-
- Key rollover consists of renewing the DNSSEC keys used to sign
- resource records in a given DNS zone file. There are two types of
- rollover, ZSK rollovers and KSK rollovers.
-
- During a ZSK rollover, all changes are local to the zone that renews
- its key: there is no need to contact other zones administrators to
- propagate the performed changes because a ZSK has no associated DS
- record in the parent zone.
-
- During a KSK rollover, new DS RR(s) must be created and stored in the
- parent zone. In consequence, data must be exchanged between child
- and parent zones.
-
- The key rollover is built from two parts of different nature:
- o An algorithm that generates new keys and signs the zone file. It
- can be local to the zone,
- o the interaction between parent and child zones.
-
- One example of manual key rollover [3] is:
- o The child zone creates a new KSK,
-
-
-Guette & Courtay Expires July 19, 2005 [Page 3]
-Internet-Draft Automated Rollover Requirements January 2005
-
- o the child zone waits for the creation of the DS RR in its parent
- zone,
- o the child zone deletes the old key,
- o the parent zone deletes the old DS RR.
-
- This document concentrates on defining interactions between entities
- present in key rollover process.
-
-3. Basic Requirements
-
- This section provides the requirements for automated key rollover in
- case of normal use. Exceptional case like emergency rollover is
- specifically described later in this document.
-
- The main condition during a key rollover is that the chain of trust
- must be preserved to every validating DNS client. No matter if this
- client retrieves some of the RRs from recursive caching name server
- or from the authoritative servers for the zone involved in the
- rollover.
-
- Automated key rollover solution may be interrupted by a manual
- intervention. This manual intervention should not compromise the
- security state of the chain of trust. If the chain is safe before
- the manual intervention, the chain of trust must remain safe during
- and after the manual intervention
-
- Two entities act during a KSK rollover: the child zone and its parent
- zone. These zones are generally managed by different administrators.
- These administrators should agree on some parameters like
- availability of automated rollover, the maximum delay between
- notification of changes in the child zone and the resigning of the
- parent zone. The child zone needs to know this delay to schedule its
- changes and/or to verify that the changes had been taken into account
- in the parent zone. Hence, the child zone can also avoid some
- critical cases where all child key are changed prior to the DS RR
- creation.
-
- By keeping some resource records during a given time, the recursive
- cache servers can act on the automated rollover. The existence of
- recursive cache servers must be taken into account by automated
- rollover solution.
-
- Indeed, during an automated key rollover a name server could have to
- retrieve some DNSSEC data. An automated key rollover solution must
- ensure that these data are not old DNSSEC material retrieved from a
- recursive name server.
-
-
-
-Guette & Courtay Expires July 19, 2005 [Page 4]
-Internet-Draft Automated Rollover Requirements January 2005
-
-4. Messages authentication and information exchanged
-
- This section addresses in-band rollover, security of out-of-band
- mechanisms is out of scope of this document.
-
- The security provided by DNSSEC must not be compromised by the key
- rollover, thus every exchanged message must be authenticated to avoid
- fake rollover messages from malicious parties.
-
- Once the changes related to a KSK are made in a child zone, there are
- two ways for the parent zone to take this changes into account:
- o the child zone notify directly or not directly its parent zone in
- order to create the new DS RR and store this DS RR in parent zone
- file,
- o or the parent zone poll the child zone.
-
- In both cases, the parent zone must receive all the child keys that
- need the creation of associated DS RRs in the parent zone.
-
- Because errors could occur during the transmission of keys between
- child and parent, the key exchange protocol must be fault tolerant.
- Should an error occured during the automated key rollover, an
- automated key rollover solution must be able to keep the zone files
- in a consistent state.
-
-5. Emergency Rollover
-
- Emergency key rollover is a special case of rollover decided by the
- zone administrator generally for security reasons. In consequence,
- emergency key rollover can break some of the requirement described
- above.
-
- A zone key might be compromised and an attacker can use the
- compromised key to create and sign fake records. To avoid this, the
- zone administrator may change the compromised key or all its keys as
- soon as possible, without waiting for the creation of new DS RRs in
- its parent zone.
-
- Fast changes may break the chain of trust. The part of DNS tree
- having this zone as apex can become unverifiable, but the break of
- the chain of trust is necessary if the administrator wants to prevent
- the compromised key from being used (to spoof DNS data).
-
- Parent and child zones sharing an automated rollover mechanism,
- should have an out-of-band way to re-establish a consistent state at
- the delegation point (DS and DNSKEY RRs). This allows to avoid that
- a malicious party uses the compromised key to roll the zone keys.
-
-
-Guette & Courtay Expires July 19, 2005 [Page 5]
-Internet-Draft Automated Rollover Requirements January 2005
-
-6. Security consideration
-
- The automated key rollover process in DNSSEC allows automated renewal
- of any kind of DNS key (ZSK or KSK). It is essential that parent
- side and child side can do mutual authentication. Moreover,
- integrity of the material exchanged between the parent and child zone
- must be provided to ensure the right DS are created.
-
- As in any application using public key cryptography, in DNSSEC a key
- may be compromised. What to do in such a case can be describe in the
- zone local policy and can violate some requirements described in this
- draft. The emergency rollover can break the chain of trust in order
- to protect the zone against the use of the compromised key.
-
-7. Acknowledgments
-
- The authors want to thank members of IDsA project for their
- contribution to this document.
-
-8 Normative References
-
- [1] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
- RFC 3658, December 2003.
-
- [2] Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
- (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
- RFC 3757, May 2004.
-
- [3] Kolkman, O., "DNSSEC Operational Practices",
- draft-ietf-dnsop-dnssec-operational-practice-01 (work in
- progress), May 2004.
-
- [4] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [5] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
- "Resource Records for the DNS Security Extensions",
- draft-ietf-dnsext-dnssec-records-11 (work in progress), October
- 2004.
-
- [6] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
- "DNS Security Introduction and Requirements",
- draft-ietf-dnsext-dnssec-intro-13 (work in progress), October
- 2004.
-
- [7] Arends, R., Austein, R., Larson, M., Massey, D. and S. Rose,
- "Protocol Modifications for the DNS Security Extensions",
- draft-ietf-dnsext-dnssec-protocol-09 (work in progress), October
-
-
-Guette & Courtay Expires July 19, 2005 [Page 6]
-Internet-Draft Automated Rollover Requirements January 2005
-
- 2004.
-
-Authors' Addresses
-
- Gilles Guette
- IRISA / INRIA
- Campus de Beaulieu
- 35042 Rennes CEDEX
- FR
-
- EMail: gilles.guette@irisa.fr
- URI: http://www.irisa.fr
-
- Olivier Courtay
- Thomson R&D
- 1, avenue Belle Fontaine
- 35510 Cesson S?vign? CEDEX
- FR
-
- EMail: olivier.courtay@thomson.net
-
-Appendix A. Documents details and changes
-
- This section is to be removed by the RFC editor if and when the
- document is published.
-
- Section about NS RR rollover has been removed
-
- Remarks from Samuel Weiler and Rip Loomis added
-
- Clarification about in-band rollover and in emergency section
-
- Section 3, details about recursive cache servers added
-
-
-
-
-
-
-
-
-Guette & Courtay Expires July 19, 2005 [Page 7]
-Internet-Draft Automated Rollover Requirements January 2005
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described
- in this document or the extent to which any license under such
- rights might or might not be available; neither does it represent
- that it has made any effort to identify any such rights.
- Information on the IETF's procedures with respect to rights in
- IETF Documents can be found in BCP 78 and 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use
- of such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository
- at http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention
- any copyrights, patents or patent applications, or other
- proprietary rights which may cover technology that may be required
- to implement this standard. Please address the information to the
- IETF at ietf-ipr.org.
-
-
- Full Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
- Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-Guette & Courtay Expires July 19, 2005 [Page 8]
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
deleted file mode 100644
index 1094275d3e40..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
+++ /dev/null
@@ -1,505 +0,0 @@
-
-
-IETF DNSOP Working Group Y. Morishita
-Internet-Draft JPRS
-Expires: July 11, 2004 T. Jinmei
- Toshiba
- January 11, 2004
-
-
- Common Misbehavior against DNS Queries for IPv6 Addresses
- draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on July 11, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- There is some known misbehavior of DNS authoritative servers when
- they are queried for AAAA resource records. Such behavior can block
- IPv4 communication which should actually be available, cause a
- significant delay in name resolution, or even make a denial of
- service attack. This memo describes details of the known cases and
- discusses the effect of the cases.
-
-1. Introduction
-
- Many DNS clients (resolvers) that support IPv6 first search for AAAA
- Resource Records (RRs) of a target host name, and then for A RRs of
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 1]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
- the same name. This fallback mechanism is based on the DNS
- specifications, which if not obeyed by authoritative servers can
- produce unpleasant results. In some cases, for example, a web browser
- fails to connect to a web server it could otherwise. In the following
- sections, this memo describes some typical cases of the misbehavior
- and its (bad) effects.
-
- Note that the misbehavior is not specific to AAAA RRs. In fact, all
- known examples also apply to the cases of queries for MX, NS, and SOA
- RRs. The authors even believe this can be generalized for all types
- of queries other than those for A RRs. In this memo, however, we
- concentrate on the case for AAAA queries, since the problem is
- particularly severe for resolvers that support IPv6, which thus
- affects many end users. Resolvers at end users normally send A and/or
- AAAA queries only, and so the problem for the other cases is
- relatively minor.
-
-2. Network Model
-
- In this memo, we assume a typical network model of name resolution
- environment using DNS. It consists of three components; stub
- resolvers, caching servers, and authoritative servers. A stub
- resolver issues a recursive query to a caching server, which then
- handles the entire name resolution procedure recursively. The caching
- server caches the result of the query as well as sends the result to
- the stub resolver. The authoritative servers respond to queries for
- names for which they have the authority, normally in a non-recursive
- manner.
-
-3. Expected Behavior
-
- Suppose that an authoritative server has an A RR but not a AAAA RR
- for a host name. Then the server should return a response to a query
- for a AAAA RR of the name with the RCODE being 0 (indicating no
- error) and with an empty answer section [1]. Such a response
- indicates that there is at least one RR of a different type than AAAA
- for the queried name, and the stub resolver can then look for A RRs.
-
- This way, the caching server can cache the fact that the queried name
- does not have a AAAA RR (but may have other types of RRs), and thus
- can improve the response time to further queries for a AAAA RR of the
- name.
-
-4. Problematic Behaviors
-
- There are some known cases at authoritative servers that do not
- conform to the expected behavior. This section describes those
- problematic cases.
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 2]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
-4.1 Return NXDOMAIN
-
- This type of server returns a response with the RCODE being 3
- (NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
- RRs of any type for the queried name.
-
- With this response, the stub resolver may immediately give up and
- never fall back. Even if the resolver retries with a query for an A
- RR, the negative response for the name has been cached in the caching
- server, and the caching server will simply return the negative
- response. As a result, the stub resolver considers this as a fatal
- error in name resolution.
-
- There have been several known examples of this behavior, but all the
- examples that the authors know have changed their behavior as of this
- writing.
-
-4.2 Return NOTIMP
-
- Other authoritative servers return a response with the RCODE being 4
- (NOTIMP), indicating the servers do not support the requested type of
- query.
-
- This case is less harmful than the previous one; if the stub resolver
- falls back to querying for an A RR, the caching server will process
- the query correctly and return an appropriate response.
-
- In this case, the caching server does not cache the fact that the
- queried name has no AAAA RR, resulting in redundant queries for AAAA
- RRs in the future. The behavior will waste network bandwidth and
- increase the load of the authoritative server.
-
- Using SERVFAIL or FORMERR would cause the same effect, though the
- authors have not seen such implementations yet.
-
-4.3 Return a Broken Response
-
- Another different type of authoritative servers returns broken
- responses to AAAA queries. A known behavior of this category is to
- return a response whose RR type is AAAA, but the length of the RDATA
- is 4 bytes. The 4-byte data looks like the IPv4 address of the
- queried host name. That is, the RR in the answer section would be
- described like this:
-
- www.bad.example. 600 IN AAAA 192.0.2.1
-
- which is, of course, bogus (or at least meaningless).
-
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 3]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
- A widely deployed caching server implementation transparently returns
- the broken response (as well as caches it) to the stub resolver.
- Another known server implementation parses the response by
- themselves, and sends a separate response with the RCODE being 2
- (SERVFAIL).
-
- In either case, the broken response does not affect queries for an A
- RR of the same name. If the stub resolver falls back to A queries, it
- will get an appropriate response.
-
- The latter case, however, causes the same bad effect as that
- described in the previous section: redundant queries for AAAA RRs.
-
-4.4 Make Lame Delegation
-
- Some authoritative servers respond to AAAA queries in a way causing
- lame delegation. In this case the parent zone specifies that the
- authoritative server should have the authority of a zone, but the
- server does not return an authoritative response for AAAA queries
- within the zone (i.e., the AA bit in the response is not set). On the
- other hand, the authoritative server returns an authoritative
- response for A queries.
-
- When a caching server asks the server for AAAA RRs in the zone, it
- recognizes the delegation is lame, and return a response with the
- RCODE being 2 (SERVFAIL) to the stub resolver.
-
- Furthermore, some caching servers record the authoritative server as
- lame for the zone and will not use it for a certain period of time.
- With this type of caching server, even if the stub resolver falls
- back to querying for an A RR, the caching server will simply return a
- response with the RCODE being SERVFAIL, since all the servers are
- known to be "lame."
-
- There is also an implementation that relaxes the behavior a little
- bit. It basically tries to avoid using the lame server, but still
- continues to try it as a last resort. With this type of caching
- server, the stub resolver will get a correct response if it falls
- back after SERVFAIL. However, this still causes redundant AAAA
- queries as explained in the previous sections.
-
-4.5 Ignore Queries for AAAA
-
- Some authoritative severs seem to ignore queries for a AAAA RR,
- causing a delay at the stub resolver to fall back to a query for an A
- RR. This behavior may even cause a fatal timeout at the resolver.
-
-
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 4]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
-5. Security Considerations
-
- The CERT/CC pointed out that the response with NXDOMAIN described in
- Section 4.1 can be used for a denial of service attack [2]. The same
- argument applies to the case of "lame delegation" described in
- Section 4.4 with a certain type of caching server.
-
-6. Acknowledgements
-
- Erik Nordmark encouraged the authors to publish this document as an
- Internet Draft. Akira Kato and Paul Vixie reviewed a preliminary
- version of this document. Pekka Savola carefully reviewed a previous
- version and provided detailed comments.
-
-Informative References
-
- [1] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
- 1034, November 1987.
-
- [2] The CERT Coordination Center, "Incorrect NXDOMAIN responses from
- AAAA queries could cause denial-of-service conditions", March
- 2003, <http://www.kb.cert.org/vuls/id/714121>.
-
-
-Authors' Addresses
-
- MORISHITA Orange Yasuhiro
- Research and Development Department, Japan Registry Service Co.,Ltd.
- Fuundo Bldg 3F, 1-2 Kanda-Ogawamachi
- Chiyoda-ku, Tokyo 101-0052
- Japan
-
- EMail: yasuhiro@jprs.co.jp
-
-
- JINMEI Tatuya
- Corporate Research & Development Center, Toshiba Corporation
- 1 Komukai Toshiba-cho, Saiwai-ku
- Kawasaki-shi, Kanagawa 212-8582
- Japan
-
- EMail: jinmei@isl.rdc.toshiba.co.jp
-
-Appendix A. Live Examples
-
- In this appendix, we show concrete implementations and domain names
- that may cause problematic cases so that the behavior can be
- reproduced in a practical environment. The examples are for
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 5]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
- informational purposes only, and the authors do not intend to accuse
- any implementations or zone administrators.
-
- The behavior described in Section 4.2 (return NOTIMP) can be found by
- looking for a AAAA RR of www.css.vtext.com at 66.174.3.4.
-
- The behavior described in Section 4.3 (broken responses) can be seen
- by querying for a AAAA RR of "www.gslb.mainichi.co.jp," which is an
- alias of "www.mainichi.co.jp," at 210.173.172.2. The same behavior
- can be found with the name "vip.alt.ihp.sony.co.jp," an alias of
- "www.sony.co.jp," at 210.139.255.204.
-
- The behavior described in Section 4.4 (lame delegation) can be found
- by querying for a AAAA RR of "www.ual.com" at 209.87.113.4.
-
- The behavior described in Section 4.5 (ignore queries) can be seen by
- trying to ask for a AAAA RR of "ad.3jp.doubleclick.net," which is an
- alias of "ad.jp.doubleclick.net," at 210.153.90.9.
-
- Many authoritative server implementations show the expected behavior
- described in Section 3. Some DNS load balancers reportedly have a
- problematic behavior shown in Section 4, but the authors do not have
- a concrete example. The CERT/CC provides a list of implementations
- that behave as described in Section 4.1 [2].
-
- The BIND9 caching server implementation is an example of the latter
- cases described in Section 4.3 and Section 4.4, respectively. The
- BIND8 caching server implementation is an example of the former case
- described in Section 4.3. As for the issue shown in Section 4.4,
- BIND8 caching servers prior to 8.3.5 show the behavior described as
- the former case in this section. The versions 8.3.5 and later of
- BIND8 caching server behave like the BIND9 caching server
- implementation with this matter.
-
- Regarding resolver implementations, the authors are only familiar
- with the ones derived from the BIND implementation. These
- implementations always fall back regardless of the RCODE; NXDOMAIN,
- NOTIMP, or SERVFAIL. It even falls back when getting a broken
- response. However, the behavior does not help the situation in the
- NXDOMAIN case (see Section 4.1). Lame delegation (Section 4.4) also
- causes a fatal error at the resolver side if the resolver is using
- some older versions of BIND8 caching server.
-
- The authors hear that a stub resolver routine implemented in some web
- browsers interprets the broken response described in Section 4.3 as a
- fatal error and does not fall back to A queries. However, we have not
- confirmed this information.
-
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 6]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
-Appendix B. Change History
-
- Changes since draft-morishita-dnsop-misbehavior-against-aaaa-00 are:
-
- o Made a separate appendix and moved live examples to appendix so
- that we can remove them when this document is (ever) officially
- published.
-
- o Revised some live examples based on the recent status.
-
- o Noted in introduction that the misbehavior is not specific to AAAA
- and that this document still concentrates on the AAAA case.
-
- o Changed the section title of "delegation loop" to "lame
- delegation" in order to reflect the essential point of the issue.
- Wording on this matter was updated accordingly.
-
- o Updated the Acknowledgements list.
-
- o Changed the reference category from normative to informative (this
- is an informational document after all).
-
- o Changed the draft name to an IETF dnsop working group document (as
- agreed).
-
- o Applied several editorial fixes.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 7]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 8]
-
-Internet-Draft Common Misbehavior against AAAA Queries January 2004
-
-
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Morishita & Jinmei Expires July 11, 2004 [Page 9]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt
deleted file mode 100644
index f6ece8821034..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt
+++ /dev/null
@@ -1,485 +0,0 @@
- DNSOP Working Group Paul Vixie, ISC (Ed.)
- INTERNET-DRAFT Akira Kato, WIDE
- <draft-ietf-dnsop-respsize-01.txt> July, 2004
-
-
- DNS Response Size Issues
-
-
- Status of this Memo
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which we are aware have been or will be disclosed, and any of which
- we become aware will be disclosed, in accordance with RFC 3668.
-
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
- Copyright Notice
-
-
- Copyright (C) The Internet Society (2003-2004). All Rights Reserved.
-
-
-
-
-
- Abstract
-
-
- With a mandated default minimum maximum message size of 512 octets,
- the DNS protocol presents some special problems for zones wishing to
- expose a moderate or high number of authority servers (NS RRs). This
- document explains the operational issues caused by, or related to
- this response size limit.
-
-
-
-
-
-
- Expires December 2004 [Page 1]
- INTERNET-DRAFT June 2003 RESPSIZE
-
-
-
- 1 - Introduction and Overview
-
-
- 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512
- octets. Even though this limitation was due to the required minimum UDP
- reassembly limit for IPv4, it is a hard DNS protocol limit and is not
- implicitly relaxed by changes in transport, for example to IPv6.
-
-
- 1.2. The EDNS0 standard (see [RFC2671 2.3, 4.5]) permits larger
- responses by mutual agreement of the requestor and responder. However,
- deployment of EDNS0 cannot be expected to reach every Internet resolver
- in the short or medium term. The 512 octet message size limit remains
- in practical effect at this time.
-
-
- 1.3. Since DNS responses include a copy of the request, the space
- available for response data is somewhat less than the full 512 octets.
- For negative responses, there is rarely a space constraint. For
- positive and delegation responses, though, every octet must be carefully
- and sparingly allocated. This document specifically addresses
- delegation response sizes.
-
-
- 2 - Delegation Details
-
-
- 2.1. A delegation response will include the following elements:
-
-
- Header Section: fixed length (12 octets)
- Question Section: original query (name, class, type)
- Answer Section: (empty)
- Authority Section: NS RRset (nameserver names)
- Additional Section: A and AAAA RRsets (nameserver addresses)
-
-
- 2.2. If the total response size would exceed 512 octets, and if the data
- that would not fit was in the question, answer, or authority section,
- then the TC bit will be set (indicating truncation) which may cause the
- requestor to retry using TCP, depending on what information was present
- and what was omitted. If a retry using TCP is needed, the total cost of
- the transaction is much higher.
-
-
- 2.3. RRsets are never sent partially, so if truncation occurs, entire
- RRsets are omitted. Note that the authority section consists of a
- single RRset. It is absolutely essential that truncation not occur in
- the authority section.
-
-
-
-
-
-
-
-
- Expires December 2004 [Page 2]
- INTERNET-DRAFT June 2003 RESPSIZE
-
-
-
- 2.4. DNS label compression allows a domain name to be instantiated only
- once per DNS message, and then referenced with a two-octet "pointer"
- from other locations in that same DNS message. If all nameserver names
- in a message are similar (for example, all ending in ".ROOT-
- SERVERS.NET"), then more space will be available for uncompressable data
- (such as nameserver addresses).
-
-
- 2.5. The query name can be as long as 255 characters of presentation
- data, which can be up to 256 octets of network data. In this worst case
- scenario, the question section will be 260 octets in size, which would
- leave only 240 octets for the authority and additional sections (after
- deducting 12 octets for the fixed length header.)
-
-
- 2.6. Average and maximum question section sizes can be predicted by the
- zone owner, since they will know what names actually exist, and can
- measure which ones are queried for most often. For cost and performance
- reasons, the majority of requests should be satisfied without truncation
- or TCP retry.
-
-
- 2.7. Requestors who deliberately send large queries to force truncation
- are only increasing their own costs, and cannot effectively attack the
- resources of an authority server since the requestor would have to retry
- using TCP to complete the attack. An attack that always used TCP would
- have a lower cost.
-
-
- 2.8. The minimum useful number of address records is two, since with
- only one address, the probability that it would refer to an unreachable
- server is too high. Truncation which occurs after two address records
- have been added to the additional data section is therefore less
- operationally significant than truncation which occurs earlier.
-
-
- 2.9. The best case is no truncation. (This is because many requestors
- will retry using TCP by reflex, without considering whether the omitted
- data was actually necessary.)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Expires December 2004 [Page 3]
- INTERNET-DRAFT June 2003 RESPSIZE
-
-
-
- 3 - Analysis
-
-
- 3.1. An instrumented protocol trace of a best case delegation response
- follows. Note that 13 servers are named, and 13 addresses are given.
- This query was artificially designed to exactly reach the 512 octet
- limit.
-
-
- ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13
- ;; QUERY SECTION:
- ;; [23456789.123456789.123456789.\
- 123456789.123456789.123456789.com A IN] ;; @80
-
-
- ;; AUTHORITY SECTION:
- com. 86400 NS E.GTLD-SERVERS.NET. ;; @112
- com. 86400 NS F.GTLD-SERVERS.NET. ;; @128
- com. 86400 NS G.GTLD-SERVERS.NET. ;; @144
- com. 86400 NS H.GTLD-SERVERS.NET. ;; @160
- com. 86400 NS I.GTLD-SERVERS.NET. ;; @176
- com. 86400 NS J.GTLD-SERVERS.NET. ;; @192
- com. 86400 NS K.GTLD-SERVERS.NET. ;; @208
- com. 86400 NS L.GTLD-SERVERS.NET. ;; @224
- com. 86400 NS M.GTLD-SERVERS.NET. ;; @240
- com. 86400 NS A.GTLD-SERVERS.NET. ;; @256
- com. 86400 NS B.GTLD-SERVERS.NET. ;; @272
- com. 86400 NS C.GTLD-SERVERS.NET. ;; @288
- com. 86400 NS D.GTLD-SERVERS.NET. ;; @304
-
-
- ;; ADDITIONAL SECTION:
- A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320
- B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336
- C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352
- D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368
- E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384
- F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400
- G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416
- H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432
- I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448
- J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464
- K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480
- L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496
- M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512
-
-
- ;; MSG SIZE sent: 80 rcvd: 512
-
-
-
-
-
-
- Expires December 2004 [Page 4]
- INTERNET-DRAFT June 2003 RESPSIZE
-
-
-
- 3.2. For longer query names, the number of address records supplied will
- be lower. Furthermore, it is only by using a common parent name (which
- is GTLD-SERVERS.NET in this example) that all 13 addresses are able to
- fit. The following output from a response simulator demonstrates these
- properties:
-
-
- % perl respsize.pl 13 13 0
- common name, average case: msg:303 nsaddr#13 (green)
- common name, worst case: msg:495 nsaddr# 1 (red)
- uncommon name, average case: msg:457 nsaddr# 3 (orange)
- uncommon name, worst case: msg:649(*) nsaddr# 0 (red)
- % perl respsize.pl 13 13 2
- common name, average case: msg:303 nsaddr#11 (orange)
- common name, worst case: msg:495 nsaddr# 1 (red)
- uncommon name, average case: msg:457 nsaddr# 2 (orange)
- uncommon name, worst case: msg:649(*) nsaddr# 0 (red)
-
-
- (Note: The response simulator program is shown in Section 5.)
-
-
- Here we use the term "green" if all address records could fit, or
- "orange" if two or more could fit, or "red" if fewer than two could fit.
- It's clear that without a common parent for nameserver names, much space
- would be lost.
-
-
- We're assuming an average query name size of 64 since that is the
- typical average maximum size seen in trace data at the time of this
- writing. If Internationalized Domain Name (IDN) or any other technology
- which results in larger query names be deployed significantly in advance
- of EDNS, then more new measurements and new estimates will have to be
- made.
-
-
- 4 - Conclusions
-
-
- 4.1. The current practice of giving all nameserver names a common parent
- (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS
- responses and allows for more nameservers to be enumerated than would
- otherwise be possible. (Note that in this case it is wise to serve the
- common parent domain's zone from the same servers that are named within
- it, in order to limit external dependencies when all your eggs are in a
- single basket.)
-
-
- 4.2. Thirteen (13) seems to be the effective maximum number of
- nameserver names usable traditional (non-extended) DNS, assuming a
- common parent domain name, and assuming that additional-data truncation
- is undesirable in the average case.
-
-
-
-
- Expires December 2004 [Page 5]
- INTERNET-DRAFT June 2003 RESPSIZE
-
-
-
- 4.3. Adding two to five IPv6 nameserver address records (AAAA RRs) to a
- prototypical delegation that currently contains thirteen (13) IPv4
- nameserver addresses (A RRs) for thirteen (13) nameserver names under a
- common parent, would not have a significant negative operational impact
- on the domain name system.
-
-
- 5 - Source Code
-
-
- #!/usr/bin/perl -w
-
-
- $asize = 2+2+2+4+2+4;
- $aaaasize = 2+2+2+4+2+16;
- ($nns, $na, $naaaa) = @ARGV;
- test("common", "average", common_name_average($nns),
- $na, $naaaa);
- test("common", "worst", common_name_worst($nns),
- $na, $naaaa);
- test("uncommon", "average", uncommon_name_average($nns),
- $na, $naaaa);
- test("uncommon", "worst", uncommon_name_worst($nns),
- $na, $naaaa);
- exit 0;
-
-
- sub test { my ($namekind, $casekind, $msg, $na, $naaaa) = @_;
- my $nglue = numglue($msg, $na, $naaaa);
- printf "%8s name, %7s case: msg:%3d%s nsaddr#%2d (%s)\n",
- $namekind, $casekind,
- $msg, ($msg > 512) ? "(*)" : " ",
- $nglue, ($nglue == $na + $naaaa) ? "green"
- : ($nglue >= 2) ? "orange"
- : "red";
- }
-
-
- sub pnum { my ($num, $tot) = @_;
- return sprintf "%3d%s",
- }
-
-
- sub numglue { my ($msg, $na, $naaaa) = @_;
- my $space = ($msg > 512) ? 0 : (512 - $msg);
- my $num = 0;
-
-
- while ($space && ($na || $naaaa )) {
- if ($na) {
- if ($space >= $asize) {
- $space -= $asize;
-
-
-
-
- Expires December 2004 [Page 6]
- INTERNET-DRAFT June 2003 RESPSIZE
-
-
-
- $num++;
- }
- $na--;
- }
- if ($naaaa) {
- if ($space >= $aaaasize) {
- $space -= $aaaasize;
- $num++;
- }
- $naaaa--;
- }
- }
- return $num;
- }
-
-
- sub msgsize { my ($qname, $nns, $nsns) = @_;
- return 12 + # header
- $qname+2+2 + # query
- 0 + # answer
- $nns * (4+2+2+4+2+$nsns); # authority
- }
-
-
- sub average_case { my ($nns, $nsns) = @_;
- return msgsize(64, $nns, $nsns);
- }
-
-
- sub worst_case { my ($nns, $nsns) = @_;
- return msgsize(256, $nns, $nsns);
- }
-
-
- sub common_name_average { my ($nns) = @_;
- return 15 + average_case($nns, 2);
- }
-
-
- sub common_name_worst { my ($nns) = @_;
- return 15 + worst_case($nns, 2);
- }
-
-
- sub uncommon_name_average { my ($nns) = @_;
- return average_case($nns, 15);
- }
-
-
- sub uncommon_name_worst { my ($nns) = @_;
- return worst_case($nns, 15);
- }
-
-
-
-
- Expires December 2004 [Page 7]
- INTERNET-DRAFT June 2003 RESPSIZE
-
-
-
- Security Considerations
-
-
- The recommendations contained in this document have no known security
- implications.
-
-
- IANA Considerations
-
-
- This document does not call for changes or additions to any IANA
- registry.
-
-
- IPR Statement
-
-
- Copyright (C) The Internet Society (2003-2004). This document is
- subject to the rights, licenses and restrictions contained in BCP 78,
- and except as set forth therein, the authors retain all their rights.
-
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
- IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
- Authors' Addresses
-
-
- Paul Vixie
- 950 Charter Street
- Redwood City, CA 94063
- +1 650 423 1301
- vixie@isc.org
-
-
- Akira Kato
- University of Tokyo, Information Technology Center
- 2-11-16 Yayoi Bunkyo
- Tokyo 113-8658, JAPAN
- +81 3 5841 2750
- kato@wide.ad.jp
-
-
-
-
-
-
-
-
-
-
- Expires December 2004 [Page 8]
\ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-02.txt
deleted file mode 100644
index 63fe2de521ae..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-02.txt
+++ /dev/null
@@ -1,480 +0,0 @@
-
-
-
-
-
-
- DNSOP Working Group Paul Vixie, ISC
- INTERNET-DRAFT Akira Kato, WIDE
- <draft-ietf-dnsop-respsize-02.txt> July 2005
-
- DNS Response Size Issues
-
- Status of this Memo
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- Copyright Notice
-
- Copyright (C) The Internet Society (2005). All Rights Reserved.
-
-
-
-
- Abstract
-
- With a mandated default minimum maximum message size of 512 octets,
- the DNS protocol presents some special problems for zones wishing to
- expose a moderate or high number of authority servers (NS RRs). This
- document explains the operational issues caused by, or related to
- this response size limit.
-
-
-
-
-
-
- Expires December 2005 [Page 1]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- 1 - Introduction and Overview
-
- 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512
- octets. Even though this limitation was due to the required minimum UDP
- reassembly limit for IPv4, it is a hard DNS protocol limit and is not
- implicitly relaxed by changes in transport, for example to IPv6.
-
- 1.2. The EDNS0 standard (see [RFC2671 2.3, 4.5]) permits larger
- responses by mutual agreement of the requestor and responder. However,
- deployment of EDNS0 cannot be expected to reach every Internet resolver
- in the short or medium term. The 512 octet message size limit remains
- in practical effect at this time.
-
- 1.3. Since DNS responses include a copy of the request, the space
- available for response data is somewhat less than the full 512 octets.
- For negative responses, there is rarely a space constraint. For
- positive and delegation responses, though, every octet must be carefully
- and sparingly allocated. This document specifically addresses
- delegation response sizes.
-
- 2 - Delegation Details
-
- 2.1. A delegation response will include the following elements:
-
- Header Section: fixed length (12 octets)
- Question Section: original query (name, class, type)
- Answer Section: (empty)
- Authority Section: NS RRset (nameserver names)
- Additional Section: A and AAAA RRsets (nameserver addresses)
-
- 2.2. If the total response size would exceed 512 octets, and if the data
- that would not fit belonged in the question, answer, or authority
- section, then the TC bit will be set (indicating truncation) which may
- cause the requestor to retry using TCP, depending on what information
- was desired and what information was omitted. If a retry using TCP is
- needed, the total cost of the transaction is much higher. (See [RFC1123
- 6.1.3.2] for details on the protocol requirement that UDP be attempted
- before falling back to TCP.)
-
- 2.3. RRsets are never sent partially unless truncation occurs, in which
- case the final apparent RRset in the final nonempty section must be
- considered "possibly damaged". With or without truncation, the glue
- present in the additional data section should be considered "possibly
- incomplete", and requestors should be prepared to re-query for any
- damaged or missing RRsets. For multi-transport name or mail services,
-
-
-
- Expires December 2005 [Page 2]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- this can mean querying for an IPv6 (AAAA) RRset even when an IPv4 (A)
- RRset is present.
-
- 2.4. DNS label compression allows a domain name to be instantiated only
- once per DNS message, and then referenced with a two-octet "pointer"
- from other locations in that same DNS message. If all nameserver names
- in a message are similar (for example, all ending in ".ROOT-
- SERVERS.NET"), then more space will be available for uncompressable data
- (such as nameserver addresses).
-
- 2.5. The query name can be as long as 255 characters of presentation
- data, which can be up to 256 octets of network data. In this worst case
- scenario, the question section will be 260 octets in size, which would
- leave only 240 octets for the authority and additional sections (after
- deducting 12 octets for the fixed length header.)
-
- 2.6. Average and maximum question section sizes can be predicted by the
- zone owner, since they will know what names actually exist, and can
- measure which ones are queried for most often. For cost and performance
- reasons, the majority of requests should be satisfied without truncation
- or TCP retry.
-
- 2.7. Requestors who deliberately send large queries to force truncation
- are only increasing their own costs, and cannot effectively attack the
- resources of an authority server since the requestor would have to retry
- using TCP to complete the attack. An attack that always used TCP would
- have a lower cost.
-
- 2.8. The minimum useful number of address records is two, since with
- only one address, the probability that it would refer to an unreachable
- server is too high. Truncation which occurs after two address records
- have been added to the additional data section is therefore less
- operationally significant than truncation which occurs earlier.
-
- 2.9. The best case is no truncation. This is because many requestors
- will retry using TCP by reflex, or will automatically re-query for
- RRsets that are "possibly truncated", without considering whether the
- omitted data was actually necessary.
-
- 2.10. Each added NS RR for a zone will add a minimum of between 16 and
- 44 octets to every untruncated referral or negative response from the
- zone's authority servers (16 octets for an NS RR, 16 octets for an A RR,
- and 28 octets for an AAAA RR), in addition to whatever space is taken by
- the nameserver name (NS NSDNAME and A/AAAA owner name).
-
-
-
-
- Expires December 2005 [Page 3]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- 3 - Analysis
-
- 3.1. An instrumented protocol trace of a best case delegation response
- follows. Note that 13 servers are named, and 13 addresses are given.
- This query was artificially designed to exactly reach the 512 octet
- limit.
-
- ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13
- ;; QUERY SECTION:
- ;; [23456789.123456789.123456789.\
- 123456789.123456789.123456789.com A IN] ;; @80
-
- ;; AUTHORITY SECTION:
- com. 86400 NS E.GTLD-SERVERS.NET. ;; @112
- com. 86400 NS F.GTLD-SERVERS.NET. ;; @128
- com. 86400 NS G.GTLD-SERVERS.NET. ;; @144
- com. 86400 NS H.GTLD-SERVERS.NET. ;; @160
- com. 86400 NS I.GTLD-SERVERS.NET. ;; @176
- com. 86400 NS J.GTLD-SERVERS.NET. ;; @192
- com. 86400 NS K.GTLD-SERVERS.NET. ;; @208
- com. 86400 NS L.GTLD-SERVERS.NET. ;; @224
- com. 86400 NS M.GTLD-SERVERS.NET. ;; @240
- com. 86400 NS A.GTLD-SERVERS.NET. ;; @256
- com. 86400 NS B.GTLD-SERVERS.NET. ;; @272
- com. 86400 NS C.GTLD-SERVERS.NET. ;; @288
- com. 86400 NS D.GTLD-SERVERS.NET. ;; @304
-
- ;; ADDITIONAL SECTION:
- A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320
- B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336
- C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352
- D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368
- E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384
- F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400
- G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416
- H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432
- I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448
- J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464
- K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480
- L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496
- M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512
-
- ;; MSG SIZE sent: 80 rcvd: 512
-
-
-
-
-
- Expires December 2005 [Page 4]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- 3.2. For longer query names, the number of address records supplied will
- be lower. Furthermore, it is only by using a common parent name (which
- is GTLD-SERVERS.NET in this example) that all 13 addresses are able to
- fit. The following output from a response simulator demonstrates these
- properties:
-
- % perl respsize.pl a.dns.br b.dns.br c.dns.br d.dns.br
- a.dns.br requires 10 bytes
- b.dns.br requires 4 bytes
- c.dns.br requires 4 bytes
- d.dns.br requires 4 bytes
- # of NS: 4
- For maximum size query (255 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 3 (yellow)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 3 (yellow)
- For average size query (64 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 4 (green)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green)
-
- % perl respsize.pl ns-ext.isc.org ns.psg.com ns.ripe.net ns.eu.int
- ns-ext.isc.org requires 16 bytes
- ns.psg.com requires 12 bytes
- ns.ripe.net requires 13 bytes
- ns.eu.int requires 11 bytes
- # of NS: 4
- For maximum size query (255 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 3 (yellow)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 2 (yellow)
- For average size query (64 byte):
- if only A is considered: # of A is 4 (green)
- if A and AAAA are condered: # of A+AAAA is 4 (green)
- if prefer_glue A is assumed: # of A is 4, # of AAAA is 4 (green)
-
- (Note: The response simulator program is shown in Section 5.)
-
- Here we use the term "green" if all address records could fit, or
- "orange" if two or more could fit, or "red" if fewer than two could fit.
- It's clear that without a common parent for nameserver names, much space
- would be lost. For these examples we use an average/common name size of
- 15 octets, befitting our assumption of GTLD-SERVERS.NET as our common
- parent name.
-
-
-
-
- Expires December 2005 [Page 5]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- We're assuming an average query name size of 64 since that is the
- typical average maximum size seen in trace data at the time of this
- writing. If Internationalized Domain Name (IDN) or any other technology
- which results in larger query names be deployed significantly in advance
- of EDNS, then new measurements and new estimates will have to be made.
-
- 4 - Conclusions
-
- 4.1. The current practice of giving all nameserver names a common parent
- (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS
- responses and allows for more nameservers to be enumerated than would
- otherwise be possible. (Note that in this case it is wise to serve the
- common parent domain's zone from the same servers that are named within
- it, in order to limit external dependencies when all your eggs are in a
- single basket.)
-
- 4.2. Thirteen (13) seems to be the effective maximum number of
- nameserver names usable traditional (non-extended) DNS, assuming a
- common parent domain name, and given that response truncation is
- undesirable as an average case, and assuming mostly IPv4-only
- reachability (only A RRs exist, not AAAA RRs).
-
- 4.3. Adding two to five IPv6 nameserver address records (AAAA RRs) to a
- prototypical delegation that currently contains thirteen (13) IPv4
- nameserver addresses (A RRs) for thirteen (13) nameserver names under a
- common parent, would not have a significant negative operational impact
- on the domain name system.
-
- 5 - Source Code
-
- #!/usr/bin/perl
- #
- # SYNOPSIS
- # repsize.pl [ -z zone ] fqdn_ns1 fqdn_ns2 ...
- # if all queries are assumed to have zone suffux, such as "jp" in
- # JP TLD servers, specify it in -z option
- #
- use strict;
- use Getopt::Std;
- my ($sz_msg) = (512);
- my ($sz_header, $sz_ptr, $sz_rr_a, $sz_rr_aaaa) = (12, 2, 16, 28);
- my ($sz_type, $sz_class, $sz_ttl, $sz_rdlen) = (2, 2, 4, 2);
- my (%namedb, $name, $nssect, %opts, $optz);
- my $n_ns = 0;
-
-
-
-
- Expires December 2005 [Page 6]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- getopt('z', opts);
- if (defined($opts{'z'})) {
- server_name_len($opts{'z'}); # just register it
- }
-
- foreach $name (@ARGV) {
- my $len;
- $n_ns++;
- $len = server_name_len($name);
- print "$name requires $len bytes\n";
- $nssect += $sz_ptr + $sz_type + $sz_class + $sz_ttl + $sz_rdlen + $len;
- }
- print "# of NS: $n_ns\n";
- arsect(255, $nssect, $n_ns, "maximum");
- arsect(64, $nssect, $n_ns, "average");
-
- sub server_name_len {
- my ($name) = @_;
- my (@labels, $len, $n, $suffix);
-
- $name =~ tr/A-Z/a-z/;
- @labels = split(/./, $name);
- $len = length(join('.', @labels)) + 2;
- for ($n = 0; $#labels >= 0; $n++, shift @labels) {
- $suffix = join('.', @labels);
- return length($name) - length($suffix) + $sz_ptr
- if (defined($namedb{$suffix}));
- $namedb{$suffix} = 1;
- }
- return $len;
- }
-
- sub arsect {
- my ($sz_query, $nssect, $n_ns, $cond) = @_;
- my ($space, $n_a, $n_a_aaaa, $n_p_aaaa, $ansect);
- $ansect = $sz_query + 1 + $sz_type + $sz_class;
- $space = $sz_msg - $sz_header - $ansect - $nssect;
- $n_a = atmost(int($space / $sz_rr_a), $n_ns);
- $n_a_aaaa = atmost(int($space / ($sz_rr_a + $sz_rr_aaaa)), $n_ns);
- $n_p_aaaa = atmost(int(($space - $sz_rr_a * $n_ns) / $sz_rr_aaaa), $n_ns);
- printf "For %s size query (%d byte):\n", $cond, $sz_query;
- printf "if only A is considered: ";
- printf "# of A is %d (%s)\n", $n_a, &judge($n_a, $n_ns);
- printf "if A and AAAA are condered: ";
- printf "# of A+AAAA is %d (%s)\n", $n_a_aaaa, &judge($n_a_aaaa, $n_ns);
-
-
-
- Expires December 2005 [Page 7]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- printf "if prefer_glue A is assumed: ";
- printf "# of A is %d, # of AAAA is %d (%s)\n",
- $n_a, $n_p_aaaa, &judge($n_p_aaaa, $n_ns);
- }
-
- sub judge {
- my ($n, $n_ns) = @_;
- return "green" if ($n >= $n_ns);
- return "yellow" if ($n >= 2);
- return "orange" if ($n == 1);
- return "red";
- }
-
- sub atmost {
- my ($a, $b) = @_;
- return 0 if ($a < 0);
- return $b if ($a > $b);
- return $a;
- }
-
- Security Considerations
-
- The recommendations contained in this document have no known security
- implications.
-
- IANA Considerations
-
- This document does not call for changes or additions to any IANA
- registry.
-
- IPR Statement
-
- Copyright (C) The Internet Society (2005). This document is subject to
- the rights, licenses and restrictions contained in BCP 78, and except as
- set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
- IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
- Expires December 2005 [Page 8]
-
- INTERNET-DRAFT July 2005 RESPSIZE
-
-
- Authors' Addresses
-
- Paul Vixie
- 950 Charter Street
- Redwood City, CA 94063
- +1 650 423 1301
- vixie@isc.org
-
- Akira Kato
- University of Tokyo, Information Technology Center
- 2-11-16 Yayoi Bunkyo
- Tokyo 113-8658, JAPAN
- +81 3 5841 2750
- kato@wide.ad.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Expires December 2005 [Page 9]
- \ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt
deleted file mode 100644
index b593c57179e3..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt
+++ /dev/null
@@ -1,617 +0,0 @@
-
-
-Network Working Group S. Woolf
-Internet-Draft Internet Systems Consortium, Inc.
-Expires: January 16, 2005 D. Conrad
- Nominum, Inc.
- July 18, 2004
-
-
- Identifying an Authoritative Name `Server
- draft-ietf-dnsop-serverid-02
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on January 16, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- With the increased use of DNS anycast, load balancing, and other
- mechanisms allowing more than one DNS name server to share a single
- IP address, it is sometimes difficult to tell which of a pool of name
- servers has answered a particular query. A standardized mechanism to
- determine the identity of a name server responding to a particular
- query would be useful, particularly as a diagnostic aid. Existing ad
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 1]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
- hoc mechanisms for addressing this concern are not adequate. This
- document attempts to describe the common ad hoc solution to this
- problem, including its advantages and disadvantasges, and to
- characterize an improved mechanism.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 2]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-1. Introduction
-
- With the increased use of DNS anycast, load balancing, and other
- mechanisms allowing more than one DNS name server to share a single
- IP address, it is sometimes difficult to tell which of a pool of name
- servers has answered a particular query. A standardized mechanism to
- determine the identity of a name server responding to a particular
- query would be useful, particularly as a diagnostic aid.
-
- Unfortunately, existing ad-hoc mechanisms for providing such
- identification have some shortcomings, not the least of which is the
- lack of prior analysis of exactly how such a mechanism should be
- designed and deployed. This document describes the existing
- convention used in one widely deployed implementation of the DNS
- protocol and discusses requirements for an improved solution to the
- problem.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 3]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-2. Rationale
-
- Identifying which name server is responding to queries is often
- useful, particularly in attempting to diagnose name server
- difficulties. However, relying on the IP address of the name server
- has become more problematic due the deployment of various load
- balancing solutions, including the use of shared unicast addresses as
- documented in [RFC3258].
-
- An unfortunate side effect of these load balancing solutions is that
- traditional methods of determining which server is responding can be
- unreliable. Specifically, non-DNS methods such as ICMP ping, TCP
- connections, or non-DNS UDP packets (e.g., as generated by tools such
- as "traceroute"), etc., can end up going to a different server than
- that which receives the DNS queries.
-
- The widespread use of the existing convention suggests a need for a
- documented, interoperable means of querying the identity of a
- nameserver that may be part of an anycast or load-balancing cluster.
- At the same time, however, it also has some drawbacks that argue
- against standardizing it as it's been practiced so far.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 4]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-3. Existing Conventions
-
- Recent versions of the commonly deployed Berkeley Internet Name
- Domain implementation of the DNS protocol suite from the Internet
- Software Consortium [BIND] support a way of identifying a particular
- server via the use of a standard, if somewhat unusual, DNS query.
- Specifically, a query to a late model BIND server for a TXT resource
- record in class 3 (CHAOS) for the domain name "HOSTNAME.BIND." will
- return a string that can be configured by the name server
- administrator to provide a unique identifier for the responding
- server (defaulting to the value of a gethostname() call). This
- mechanism, which is an extension of the BIND convention of using
- CHAOS class TXT RR queries to sub-domains of the "BIND." domain for
- version information, has been copied by several name server vendors.
-
- For reference, the other well-known name used by recent versions of
- BIND within the CHAOS class "BIND." domain is "VERSION.BIND." A
- query for a TXT RR for this name will return an administratively re-
- definable string which defaults to the version of the server
- responding.
-
-3.1 Advantages
-
- There are several valuable attributes to this mechanism, which
- account for its usefulness.
- 1. This mechanism is within the DNS protocol itself. An
- identification mechanism that relies on the DNS protocol is more
- likely to be successful (although not guaranteed) in going to the
- same machine as a "normal" DNS query.
- 2. It is simple to configure. An administrator can easily turn on
- this feature and control the results of the relevant query.
- 3. It allows the administrator complete control of what information
- is given out in the response, minimizing passive leakage of
- implementation or configuration details. Such details are often
- considered sensitive by infrastructure operators.
-
-3.2 Disadvantages
-
- At the same time, there are some forbidding drawbacks to the
- VERSION.BIND mechanism that argue against standardizing it as it
- currently operates.
- 1. It requires an additional query to correlate between the answer
- to a DNS query under normal conditions and the supposed identity
- of the server receiving the query. There are a number of
- situations in which this simply isn't reliable.
- 2. It reserves an entire class in the DNS (CHAOS) for what amounts
- to one zone. While CHAOS class is defined in [RFC1034] and
- [RFC1035], it's not clear that supporting it solely for this
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 5]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
- purpose is a good use of the namespace or of implementation
- effort.
- 3. It is implementation specific. BIND is one DNS implementation.
- At the time of this writing, it is probably the most prevalent,
- for authoritative servers anyway. This does not justify
- standardizing on its ad hoc solution to a problem shared across
- many operators and implementors.
-
- The first of the listed disadvantages is technically the most
- serious. It argues for an attempt to design a good answer to the
- problem that "I need to know what nameserver is answering my
- queries", not simply a convenient one.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 6]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-4. Characteristics of an Implementation Neutral Convention
-
- The discussion above of advantages and disadvantages to the
- HOSTNAME.BIND mechanism suggest some requirements for a better
- solution to the server identification problem. These are summarized
- here as guidelines for any effort to provide appropriate protocol
- extensions:
- 1. The mechanism adopted MUST be in-band for the DNS protocol. That
- is, it needs to allow the query for the server's identifying
- information to be part of a normal, operational query. It SHOULD
- also permit a separate, dedicated query for the server's
- identifying information.
- 2. The new mechanism should not require dedicated namespaces or
- other reserved values outside of the existing protocol mechanisms
- for these, i.e. the OPT pseudo-RR.
- 3. Support for the identification functionality SHOULD be easy to
- implement and easy to enable. It MUST be easy to disable and
- SHOULD lend itself to access controls on who can query for it.
- 4. It should be possible to return a unique identifier for a server
- without requiring the exposure of information that may be
- non-public and considered sensitive by the operator, such as a
- hostname or unicast IP address maintained for administrative
- purposes.
- 5. The identification mechanism SHOULD NOT be
- implementation-specific.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 7]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-5. IANA Considerations
-
- This document proposes no specific IANA action. Protocol extensions,
- if any, to meet the requirements described are out of scope for this
- document. Should such extensions be specified and adopted by normal
- IETF process, the specification will include appropriate guidance to
- IANA.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 8]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-6. Security Considerations
-
- Providing identifying information as to which server is responding
- can be seen as information leakage and thus a security risk. This
- motivates the suggestion above that a new mechanism for server
- identification allow the administrator to disable the functionality
- altogether or partially restrict availability of the data. It also
- suggests that the serverid data should not be readily correlated with
- a hostname or unicast IP address that may be considered private to
- the nameserver operator's management infrastructure.
-
- Propagation of protocol or service meta-data can sometimes expose the
- application to denial of service or other attack. As DNS is a
- critically important infrastructure service for the production
- Internet, extra care needs to be taken against this risk for
- designers, implementors, and operators of a new mechanism for server
- identification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 9]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-7. Acknowledgements
-
- The technique for host identification documented here was initially
- implemented by Paul Vixie of the Internet Software Consortium in the
- Berkeley Internet Name Daemon package. Comments and questions on
- earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
- Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
- ICANN Root Server System Advisory Committee. The newest draft takes
- a significantly different direction from previous versions, owing to
- discussion among contributors to the DNSOP working group and others,
- particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam Weiler,
- and Rob Austein.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 10]
-
-Internet-Draft Identifying an Authoritative Name `Server July 2004
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Woolf & Conrad Expires January 16, 2005 [Page 11]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-04.txt
deleted file mode 100644
index 242aa9ea6296..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-04.txt
+++ /dev/null
@@ -1,616 +0,0 @@
-
-
-Network Working Group S. Woolf
-Internet-Draft Internet Systems Consortium, Inc.
-Expires: September 14, 2005 D. Conrad
- Nominum, Inc.
- March 13, 2005
-
-
- Identifying an Authoritative Name Server
- draft-ietf-dnsop-serverid-04
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of Section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on September 14, 2005.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- With the increased use of DNS anycast, load balancing, and other
- mechanisms allowing more than one DNS name server to share a single
- IP address, it is sometimes difficult to tell which of a pool of name
- servers has answered a particular query. A standardized mechanism to
- determine the identity of a name server responding to a particular
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 1]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
- query would be useful, particularly as a diagnostic aid. Existing ad
- hoc mechanisms for addressing this concern are not adequate. This
- document attempts to describe the common ad hoc solution to this
- problem, including its advantages and disadvantages, and to
- characterize an improved mechanism.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 2]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-1. Introduction
-
- With the increased use of DNS anycast, load balancing, and other
- mechanisms allowing more than one DNS name server to share a single
- IP address, it is sometimes difficult to tell which of a pool of name
- servers has answered a particular query. A standardized mechanism to
- determine the identity of a name server responding to a particular
- query would be useful, particularly as a diagnostic aid.
-
- Unfortunately, existing ad-hoc mechanisms for providing such
- identification have some shortcomings, not the least of which is the
- lack of prior analysis of exactly how such a mechanism should be
- designed and deployed. This document describes the existing
- convention used in one widely deployed implementation of the DNS
- protocol and discusses requirements for an improved solution to the
- problem.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 3]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-2. Rationale
-
- Identifying which name server is responding to queries is often
- useful, particularly in attempting to diagnose name server
- difficulties. However, relying on the IP address of the name server
- has become more problematic due the deployment of various load
- balancing solutions, including the use of shared unicast addresses as
- documented in [RFC3258].
-
- An unfortunate side effect of these load balancing solutions, and
- some changes in management practices as the public Internet has
- evolved, is that traditional methods of determining which server is
- responding can be unreliable. Specifically, non-DNS methods such as
- ICMP ping, TCP connections, or non-DNS UDP packets (such as those
- generated by tools such as "traceroute"), etc., can end up going to a
- different server than that which receives the DNS queries.
-
- There is a well-known and frequently-used technique for determining
- an identity for a nameserver more specific than the
- possibly-non-unique "server that answered my query". The widespread
- use of the existing convention suggests a need for a documented,
- interoperable means of querying the identity of a nameserver that may
- be part of an anycast or load-balancing cluster. At the same time,
- however, it also has some drawbacks that argue against standardizing
- it as it's been practiced so far.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 4]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-3. Existing Conventions
-
- Recent versions of the commonly deployed Berkeley Internet Name
- Domain implementation of the DNS protocol suite from the Internet
- Software Consortium [BIND] support a way of identifying a particular
- server via the use of a standard, if somewhat unusual, DNS query.
- Specifically, a query to a late model BIND server for a TXT resource
- record in class 3 (CHAOS) for the domain name "HOSTNAME.BIND." will
- return a string that can be configured by the name server
- administrator to provide a unique identifier for the responding
- server (defaulting to the value of a gethostname() call). This
- mechanism, which is an extension of the BIND convention of using
- CHAOS class TXT RR queries to sub-domains of the "BIND." domain for
- version information, has been copied by several name server vendors.
-
- For reference, the other well-known name used by recent versions of
- BIND within the CHAOS class "BIND." domain is "VERSION.BIND." A
- query for a TXT RR for this name will return an administratively
- defined string which defaults to the version of the server
- responding. This is, however, not generally implemented by other
- vendors.
-
-3.1 Advantages
-
- There are several valuable attributes to this mechanism, which
- account for its usefulness.
- 1. The "hostname.bind" query response mechanism is within the DNS
- protocol itself. An identification mechanism that relies on the
- DNS protocol is more likely to be successful (although not
- guaranteed) in going to the same machine as a "normal" DNS query.
- 2. Since the identity information is requested and returned within
- the DNS protocol, it doesn't require allowing any other query
- mechanism to the server, such as holes in firewalls for
- otherwise-unallowed ICMP Echo requests. Thus it does not require
- any special exceptions to site security policy.
- 3. It is simple to configure. An administrator can easily turn on
- this feature and control the results of the relevant query.
- 4. It allows the administrator complete control of what information
- is given out in the response, minimizing passive leakage of
- implementation or configuration details. Such details are often
- considered sensitive by infrastructure operators.
-
-3.2 Disadvantages
-
- At the same time, there are some forbidding drawbacks to the
- VERSION.BIND mechanism that argue against standardizing it as it
- currently operates.
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 5]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
- 1. It requires an additional query to correlate between the answer
- to a DNS query under normal conditions and the supposed identity
- of the server receiving the query. There are a number of
- situations in which this simply isn't reliable.
- 2. It reserves an entire class in the DNS (CHAOS) for what amounts
- to one zone. While CHAOS class is defined in [RFC1034] and
- [RFC1035], it's not clear that supporting it solely for this
- purpose is a good use of the namespace or of implementation
- effort.
- 3. It is implementation specific. BIND is one DNS implementation.
- At the time of this writing, it is probably the most prevalent
- for authoritative servers. This does not justify standardizing
- on its ad hoc solution to a problem shared across many operators
- and implementors.
-
- The first of the listed disadvantages is technically the most
- serious. It argues for an attempt to design a good answer to the
- problem that "I need to know what nameserver is answering my
- queries", not simply a convenient one.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 6]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-4. Characteristics of an Implementation Neutral Convention
-
- The discussion above of advantages and disadvantages to the
- HOSTNAME.BIND mechanism suggest some requirements for a better
- solution to the server identification problem. These are summarized
- here as guidelines for any effort to provide appropriate protocol
- extensions:
- 1. The mechanism adopted MUST be in-band for the DNS protocol. That
- is, it needs to allow the query for the server's identifying
- information to be part of a normal, operational query. It SHOULD
- also permit a separate, dedicated query for the server's
- identifying information.
- 2. The new mechanism SHOULD not require dedicated namespaces or
- other reserved values outside of the existing protocol mechanisms
- for these, i.e. the OPT pseudo-RR. In particular, it should not
- propagate the existing drawback of requiring support for a CLASS
- and top level domain in the authoritative server (or the querying
- tool) to be useful.
- 3. Support for the identification functionality SHOULD be easy to
- implement and easy to enable. It MUST be easy to disable and
- SHOULD lend itself to access controls on who can query for it.
- 4. It should be possible to return a unique identifier for a server
- without requiring the exposure of information that may be
- non-public and considered sensitive by the operator, such as a
- hostname or unicast IP address maintained for administrative
- purposes.
- 5. The identification mechanism SHOULD NOT be
- implementation-specific.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 7]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-5. IANA Considerations
-
- This document proposes no specific IANA action. Protocol extensions,
- if any, to meet the requirements described are out of scope for this
- document. Should such extensions be specified and adopted by normal
- IETF process, the specification will include appropriate guidance to
- IANA.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 8]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-6. Security Considerations
-
- Providing identifying information as to which server is responding to
- a particular query from a particular location in the Internet can be
- seen as information leakage and thus a security risk. This motivates
- the suggestion above that a new mechanism for server identification
- allow the administrator to disable the functionality altogether or
- partially restrict availability of the data. It also suggests that
- the serverid data should not be readily correlated with a hostname or
- unicast IP address that may be considered private to the nameserver
- operator's management infrastructure.
-
- Propagation of protocol or service meta-data can sometimes expose the
- application to denial of service or other attack. As DNS is a
- critically important infrastructure service for the production
- Internet, extra care needs to be taken against this risk for
- designers, implementors, and operators of a new mechanism for server
- identification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 9]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-7. Acknowledgements
-
- The technique for host identification documented here was initially
- implemented by Paul Vixie of the Internet Software Consortium in the
- Berkeley Internet Name Daemon package. Comments and questions on
- earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
- Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
- ICANN Root Server System Advisory Committee. The newest version
- takes a significantly different direction from previous versions,
- owing to discussion among contributors to the DNSOP working group and
- others, particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam
- Weiler, and Rob Austein.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 10]
-
-Internet-Draft Identifying an Authoritative Name Server March 2005
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2005). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-Woolf & Conrad Expires September 14, 2005 [Page 11]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt b/contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt
deleted file mode 100644
index 3353b3bb423f..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt
+++ /dev/null
@@ -1,1588 +0,0 @@
-
- Mark Foster
-Internet Draft Tom McGarry
-Document: <draft-ietf-enum-e164-gstn-np-05.txt> James Yu
- NeuStar, Inc.
-Category: Informational June 24, 2002
-
-
- Number Portability in the GSTN: An Overview
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026 [RFC].
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts. Internet-Drafts are draft documents valid for a maximum of
- six months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet- Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
- Copyright Notice
-
- Copyright (C) The Internet Society (2002). All rights reserved.
-
-
- Abstract
-
- This document provides an overview of E.164 telephone number
- portability (NP) in the Global Switched Telephone Network (GSTN).
- NP is a regulatory imperative seeking to liberalize local telephony
- service competition, by enabling end-users to retain telephone
- numbers while changing service providers. NP changes the
- fundamental nature of a dialed E.164 number from a hierarchical
- physical routing address to a virtual address, thereby requiring the
- transparent translation of the later to the former. In addition,
- there are various regulatory constraints that establish relevant
- parameters for NP implementation, most of which are not network
- technology specific. Consequently, the implementation of NP
- behavior consistent with applicable regulatory constraints, as well
- as the need for interoperation with the existing GSTN NP
- implementations, are relevant topics for numerous areas of IP
- telephony work-in-progress at IETF.
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 1]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
-
- Table of Contents
-
- 1. Introduction ............................................... 2
- 2. Abbreviations and Acronyms ................................. 4
- 3. Types of Number Portability ................................ 5
- 4. Service Provider Number Portability Schemes ................ 7
- 4.1 All Call Query (ACQ) .................................. 7
- 4.2 Query on Release (QoR) ................................ 8
- 4.3 Call Dropback ......................................... 9
- 4.4 Onward Routing (OR) ................................... 9
- 4.5 Comparisons of the Four Schemes ....................... 10
- 5. Database Queries in the NP Environment ..................... 11
- 5.1 U.S. and Canada ....................................... 12
- 5.2 Europe ................................................ 13
- 6. Call Routing in the NP Environment ......................... 14
- 6.1 U.S. and Canada ....................................... 14
- 6.2 Europe ................................................ 15
- 7. NP Implementations for Geographic E.164 Numbers ............ 17
- 8. Number Conservation Method Enabled By NP ................... 20
- 8.1 Block Pooling ......................................... 20
- 8.2 ITN Pooling ........................................... 21
- 9. Potential Implications ..................................... 21
- 10. Security Considerations .................................... 24
- 11. IANA Considerations ........................................ 24
- 12. Normative References ....................................... 24
- 13. Informative References ..................................... 25
- 14. Acknowledgement ............................................ 25
- 15. AuthorsË Addresses ......................................... 25
-
-
-
-1. Introduction
-
- This document provides an overview of E.164 telephone number
- portability in the Global Switched Telephone Network (GSTN). There
- are considered to be three types of number portability (NP): service
- provider portability (SPNP), location portability (not to be
- confused with terminal mobility), and service portability.
-
- Service provider portability (SPNP), the focus of the present draft,
- is a regulatory imperative in many countries seeking to liberalize
- telephony service competition, especially local service.
- Historically, local telephony service (as compared to long distance
- or international service) has been regulated as a utility-like form
- of service. While a number of countries had begun liberalization
- (e.g. privatization, de-regulation, or re-regulation) some years
- ago, the advent of NP is relatively recent (since ~1995).
-
- E.164 numbers can be non-geographic and geographic numbers. Non-
- geographic numbers do not reveal the locations information of those
- numbers. Geographic E.164 numbers were intentionally designed as
- hierarchical routing addresses which could systematically be digit-
- analyzed to ascertain the country, serving network provider, serving
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 2]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- end-office switch, and specific line of the called party. As such,
- without NP a subscriber wishing to change service providers would
- incur a number change as a consequence of being served off of a
- different end-office switch operated by the new service provider.
- The cost and convenience impact to the subscriber of changing
- numbers is seen as barrier to competition. Hence NP has become
- associated with GSTN infrastructure enhancements associated with a
- competitive environment driven by regulatory directives.
-
- Forms of SPNP have been deployed or are being deployed widely in the
- GSTN in various parts of the world, including the U.S., Canada,
- Western Europe, Australia, and the Pacific Rim (e.g. Hong Kong).
- Other regions, such as South America (e.g. Brazil) are actively
- considering it.
-
- Implementation of NP within a national telephony infrastructure
- entails potentially significant changes to numbering administration,
- network element signaling, call routing and processing, billing,
- service management, and other functions.
-
- NP changes the fundamental nature of a dialed E.164 number from a
- hierarchical physical routing address to a virtual address. NP
- implementations attempt to encapsulate the impacts to the GSTN and
- make NP transparent to subscribers by incorporating a translation
- function to map a dialed, potentially ported E.164 address, into a
- network routing address (either a number prefix or another E.164
- address) which can be hierarchically routed.
-
- This is roughly analogous to the use of network address translation
- on IP addresses to enable IP address portability by containing the
- impact of the address change to the edge of the network and retain
- the use of CIDR blocks in the core which can be route aggregated by
- the network service provider to the rest of the internet.
-
- NP bifurcates the historical role of a subscriberËs E.164 address
- into two or more data elements (a dialed or virtual address, and a
- network routing address) that must be made available to network
- elements through an NP translations database, carried by forward
- call signaling, and recorded on call detail records. Not only is
- call processing and routing affected, but also so is SS7/C7
- messaging. A number of TCAP-based SS7 messaging sets utilize an
- E.164 address as an application-level network element address in the
- global title address (GTA) field of the SCCP message header.
- Consequently, SS7/C7 signaling transfer points (STPs) and gateways
- need to be able to perform n-digit global title translation (GTT) to
- translate a dialed E.164 address into its network address
- counterpart via the NP database.
-
- In addition, there are various national regulatory constraints that
- establish relevant parameters for NP implementation, most of which
- are not network technology specific. Consequently, implementations
- of NP behavior in IP telephony consistent with applicable regulatory
- constraints, as well as the need for interoperation with the
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 3]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- existing GSTN NP implementations, are relevant topics for numerous
- areas of IP telephony work-in-progress at IETF.
-
- This document describes three types of number portability and the
- four schemes that have been standardized to support SPNP for
- geographic E.164 numbersspecifically. Following that, specific
- information regarding the call routing and database query
- implementations are described for several regions (North American
- and Europe) and industries (wireless vs. wireline). The Number
- Portability Database (NPDB) interfaces and the call routing schemes
- that are used in the North America and Europe are described to show
- the variety of standards that may be implemented worldwide. A
- glance of the NP implementations worldwide is provided. Number
- pooling is briefly discussed to show how NP is being enhanced in the
- U.S. to conserve North American area codes. The conclusion briefly
- touches the potential impacts of NP on IP & Telecommunications
- Interoperability. Appendix A provides some specific technical and
- regulatory information on NP in North America. Appendix B describes
- the number portability administration process that manages the
- number portability database in North America.
-
-
-2. Abbreviations and Acronyms
-
- ACQ All Call Query
- AIN Advanced Intelligent Network
- AMPS Advanced Mobile Phone System
- ANSI American National Standards Institute
- CDMA Code Division Multiple Access
- CdPA Called Party Address
- CdPN Called Party Number
- CH Code Holder
- CMIP Common Management Information Protocol
- CS1 Capability Set 1
- CS2 Capability Set 2
- DN Directory Number
- DNS Domain Name System
- ETSI European Technical Standards Institute
- FCI Forward Call Indicator
- GAP Generic Address Parameter
- GMSC Gateway Mobile Services Switching Center or Gateway Mobile
- Switching Center
- GSM Global System for Mobile Communications
- GSTN Global Switched Telephone Network
- GW Gateways
- HLR Home Location Register
- IAM Initial Address Message
- IETF Internet Engineering Task Force
- ILNP Interim LNP
- IN Intelligent Network
- INAP Intelligent Network Application Part
- INP Interim NP
- IP Internet Protocol
- IS-41 Interim Standards Number 41
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 4]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- ISDN Integrated Services Digital Network
- ISUP ISDN User Part
- ITN Individual Telephony Number
- ITU International Telecommunication Union
- ITU-TS ITU-Telecommunication Sector
- LDAP Lightweight Directory Access Protocol
- LEC Local Exchange Carrier
- LERG Local Exchange Routing Guide
- LNP Local Number Portability
- LRN Location Routing Number
- MAP Mobile Application Part
- MNP Mobile Number Portability
- MSRN Mobile Station Roaming Number
- MTP Message Transfer Part
- NANP North American Numbering Plan
- NP Number Portability
- NPDB Number Portability Database
- NRN Network Routing Number
- OR Onward Routing
- OSS Operation Support System
- PCS Personal Communication Services
- PNTI Ported Number Translation Indicator
- PODP Public Office Dialing Plan
- PUC Public Utility Commission
- QoR Query on Release
- RN Routing Number
- RTP Return to Pivot
- SCCP Signaling Connection Control Part
- SCP Service Control Point
- SIP Session Initiation Protocol
- SMR Special Mobile Radio
- SMS Service Management System
- SPNP Service Provider Number Portability
- SRF Signaling Relaying Function
- SRI Send Routing Information
- SS7 Signaling System Number 7
- STP Signaling Transfer Point
- TCAP Transaction Capabilities Application Part
- TDMA Time Division Multiple Access
- TN Telephone Number
- TRIP Telephony Routing Information Protocol
- URL Universal Resource Locator
- U.S. United States
-
-
-3. Types of Number Portability
-
- As there are several types of E.164 numbers (telephone numbers, or
- just TN) in the GSTN, there are correspondingly several types of
- E.164 NP in the GSTN. First there are so-call non-geographic E.164
- numbers, commonly used for service-specific applications such as
- freephone (800 or 0800). Portability of these numbers is called
- non-geographic number portability (NGNP). NGNP, for example, was
- deployed in the U.S. in 1986-92.
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 5]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
-
- Geographic number portability, which includes traditional fixed or
- wireline numbers as well as mobile numbers which are allocated out
- of geographic number range prefixes, is called NP or GNP or in the
- U.S. local number portability (LNP).
-
- Number portability allows the telephony subscribers in the Global
- Switched Telephone Network (GSTN) to keep their phone numbers when
- they change their service providers or subscribed services, or when
- they move to a new location.
-
- The ability to change the service provider while keeping the same
- phone number is called service provider portability (SPNP) also
- known as "operator portability."
-
- The ability to change the subscriberËs fixed service location while
- keeping the same phone number is called location portability.
-
- The ability to change the subscribed services (e.g., from the plain
- old telephone service to Integrated Services Digital Network (ISDN)
- services) while keeping the same phone number is called service
- portability. Another aspect of service portability is to allow the
- subscribers to enjoy the subscribed services in the same way when
- they roam outside their home networks as is supported by the
- cellular/wireless networks.
-
- In addition, mobile number portability (MNP) refers to specific NP
- implementation in mobile networks either as part of a broader NP
- implementation in the GSTN or on a stand-alone basis. Where
- interoperation of LNP and MNP is supported, service portability
- between fixed and mobile service types is possible.
-
- At present, SPNP has been the primary form of NP deployed due to its
- relevance in enabling local service competition.
-
- Also in use in the GSTN are the terms interim NP (INP) or Interim
- LNP (ILNP) and true NP. Interim NP usually refers to the use of
- remote call forwarding-like measures to forward calls to ported
- numbers through the donor network to the new service network. These
- are considered interim relative to true NP, which seeks to remove
- the donor network or old service provider from the call or signaling
- path altogether. Often the distinction between interim and true NP
- is a national regulatory matter relative to the
- technical/operational requirements imposed on NP in that country.
-
- Implementations of true NP in certain countries (e.g. U.S., Canada,
- Spain, Belgium, Denmark) may pose specific requirements for IP
- telephony implementations as a result of regulatory and industry
- requirements for providing call routing and signaling independent of
- the donor network or last previous serving network.
-
-
-
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 6]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
-
-4. Service Provider Number Portability Schemes
-
- Four schemes can be used to support service provider portability and
- are briefly described below. But first, some further terms are
- introduced.
-
- The donor network is the network that first assigned a telephone
- number (e.g., TN +1-202-533-1234) to a subscriber, out of a number
- range administratively (e.g., +1 202-533) assigned to it. The
- current service provider (new SP) or new serving network is the
- network that currently serves the ported number. The old serving
- network (or old SP) is the network that previously served the ported
- number before the number was ported to the new serving network.
- Since a TN can port a number of times, the old SP is not necessarily
- the same as the donor network, except for the first time the TN
- ports away, or if the TN ports back into the donor network and away
- again. While the new SP and old SP roles are transitory as a TN
- ports around, the donor network is always the same for any
- particular TN based on the service provider to whom the subtending
- number range was administratively assigned. See the discussion
- below on number pooling, as this enhancement to NP further
- bifurcates the role of donor network into two (the number range or
- code holder network, and the block holder network).
-
- To simplify the illustration, all the transit networks are ignored,
- the originating or donor network is the one that performs the
- database queries or call redirection, and the dialed directory
- number (TN) has been ported out of the donor network before.
-
- It is assumed that the old serving network, the new serving network
- and the donor network are different networks so as to show which
- networks are involved in call handling and routing and database
- queries in each of four schemes. Please note that the port of the
- number (process of moving it from one network to another) happened
- prior to the call setup and is not included in the call steps.
- Information carried in the signaling messages to support each of the
- four schemes is not discussed to simplify the explanation.
-
-
-4.1 All Call Query (ACQ)
-
- Figure 1 shows the call steps for the ACQ scheme. Those call steps
- are as follows:
-
- (1) The Originating Network receives a call from the caller and
- sends a query to a centrally administered Number Portability
- Database (NPDB), a copy of which is usually resident on a
- network element within its network or through a third party
- provider.
- (2) The NPDB returns the routing number associated with the dialed
- directory number. The routing number is discussed later in
- Section 6.
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 7]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- (3) The Originating Network uses the routing number to route the
- call to the new serving network.
-
-
- +-------------+ +-----------+ Number +-----------+
- | Centralized | | New Serv. | ported | Old Serv. |
- | NPDB | +-------->| Network |<------------| Network |
- +-------------+ | +-----------+ +-----------+
- ^ | |
- | | |
- 1| | 3.|
- | | 2. |
- | | |
- | v |
- +----------+ | +----------+ +----------+
- | Orig. |------+ | Donor | | Internal |
- | Network | | Network | | NPDB |
- +----------+ +----------+ +----------+
-
-
- Figure 1 - All Call Query (ACQ) Scheme.
-
-
-4.2 Query on Release (QoR)
-
- Figure 2 shows the call steps for the QoR scheme. Those call steps
- are as follows:
-
-
- +-------------+ +-----------+ Number +-----------+
- | Centralized | | New Serv. | ported | Old Serv. |
- | NPDB | | Network |<------------| Network |
- +-------------+ +-----------+ +-----------+
- ^ | ^
- | | 4. |
- 3.| | 5. |
- | | +----------------------+
- | | |
- | v |
- +----------+ 2. +----------+ +----------+
- | Orig. |<---------------| Donor | | Internal |
- | Network |--------------->| Network | | NPDB |
- +----------+ 1. +----------+ +----------+
-
-
- Figure 2 - Query on Release (QoR) Scheme.
-
- (1) The Originating Network receives a call from the caller and
- routes the call to the donor network.
- (2) The donor network releases the call and indicates that the
- dialed directory number has been ported out of that switch.
- (3) The Originating Network sends a query to its copy of the
- centrally administered NPDB.
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 8]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- (4) The NPDB returns the routing number associated with the dialed
- directory number.
- (5) The Originating Network uses the routing number to route the
- call to the new serving network.
-
-
-4.3 Call Dropback
-
- Figure 3 shows the call steps for the Dropback scheme. This scheme
- is also known as "Return to Pivot (RTP)." Those call steps are as
- follows:
-
- (1) The Originating Network receives a call from the caller and
- routes the call to the donor network.
- (2) The donor network detects that the dialed directory number has
- been ported out of the donor switch and checks with an internal
- network-specific NPDB.
- (3) The internal NPDB returns the routing number associated with the
- dialed directory number.
- (4) The donor network releases the call by providing the routing
- number.
- (5) The Originating Network uses the routing number to route the
- call to the new serving network.
-
- +-------------+ +-----------+ Number +-----------+
- | Centralized | | New Serv. | porting | Old Serv. |
- | NPDB | | Network |<------------| Network |
- +-------------+ +-----------+ +-----------+
- /\
- |
- 5. |
- +------------------------+
- |
- |
- +----------+ 4. +----------+ 3. +----------+
- | Orig. |<---------------| Donor |<----------| Internal |
- | Network |--------------->| Network |---------->| NPDB |
- +----------+ 1. +----------+ 2. +----------+
-
-
- Figure 3 - Dropback Scheme.
-
-
-4.4 Onward Routing (OR)
-
- Figure 4 shows the call steps for the OR scheme. Those call steps
- are as follows:
-
- (1) The Originating Network receives a call from the caller and
- routes the call to the donor network.
- (2) The donor network detects that the dialed directory number has
- been ported out of the donor switch and checks with an internal
- network-specific NPDB.
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 9]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- (3) The internal NPDB returns the routing number associated with the
- dialed directory number.
- (4) The donor network uses the routing number to route the call to
- the new serving network.
-
-
- +-------------+ +-----------+ Number +-----------+
- | Centralized | | New Serv. | porting | Old Serv. |
- | NPDB | | Network |<------------| Network |
- +-------------+ +-----------+ +-----------+
- /\
- |
- 4.|
- |
- +----------+ +----------+ 3. +----------+
- | Orig. | | Donor |<----------| Internal |
- | Network |--------------->| Network |---------->| NPDB |
- +----------+ 1. +----------+ 2. +----------+
-
-
- Figure 4 - Onward Routing (OR) Scheme.
-
-4.5 Comparisons of the Four Schemes
-
- Only the ACQ scheme does not involve the donor network when routing
- the call to the new serving network of the dialed ported number.
- The other three schemes involve call setup to or signaling with the
- donor network.
-
- Only the OR scheme requires the setup of two physical call segments,
- one from the Originating Network to the donor network and the other
- from the donor network to the new serving network. The OR scheme is
- the least efficient in terms of using the network transmission
- facilities. The QoR and Dropback schemes set up calls to the donor
- network first but release the call back to the Originating Network
- that then initiates a new call to the Current Serving Network. For
- the QoR and Dropback schemes, circuits are still reserved one by one
- between the Originating Network and the donor network when the
- Originating Network sets up the call towards the donor network.
- Those circuits are released one by one when the call is released
- from the donor network back to the Originating Network. The ACQ
- scheme is the most efficient in terms of using the switching and
- transmission facilities for the call.
-
- Both the ACQ and QoR schemes involve Centralized NPDBs for the
- Originating Network to retrieve the routing information.
- Centralized NPDB means that the NPDB contains ported number
- information from multiple networks. This is in contrast to the
- internal network-specific NPDB that is used for the Dropback and OR
- schemes. The internal NPDB only contains information about the
- numbers that were ported out of the donor network. The internal
- NPDB can be a stand-alone database that contains information about
- all or some ported-out numbers from the donor network. It can also
- reside on the donor switch and only contains information about those
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 10]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- numbers ported out of the donor switch. In that case, no query to a
- stand-alone internal NPDB is required. The donor switch for a
- particular phone number is the switch to which the number range is
- assigned from which that phone number was originally assigned.
-
- For example, number ranges in the North American Numbering Plan
- (NANP) are usually assigned in the form of central office codes (CO
- codes) comprising a six-digit prefix formatted as a NPA+NXX. Thus a
- switch serving +1-202-533 would typically serve +1-202-533-0000
- through +1-202-533-9999. In major cities, switches usually host
- several CO codes. NPA stands for Numbering Plan Area that is also
- known as the area code. It is three-digit long and has the format
- of NXX where N is any digit from 2 to 9 and X is any digit from 0 to
- 9. NXX in the NPA+NXX format is known as the office code that has
- the same format as the NPA. When a NPA+NXX code is set as
- Ÿportable÷ in the Local Exchange Routing Guide (LERG), it becomes a
- "portable NPA+NXX" code.
-
- Similarly, in other national E.164 numbering plans, number ranges
- cover a contiguous range of numbers within that range. Once a
- number within that range has ported away from the donor network, all
- numbers in that range are considered potentially ported and should
- be queried in the NPDB.
-
- The ACQ scheme has two versions. One version is for the Originating
- Network to always query the NPDB when a call is received from the
- caller regardless whether the dialed directory number belongs to any
- number range that is portable or has at least one number ported out.
- The other version is to check whether the dialed directory number
- belongs to any number range that is portable or has at least one
- number ported out. If yes, an NPDB query is sent. If not, no NPDB
- query is sent. The former performs better when there are many
- portable number ranges. The latter performs better when there are
- not too many portable number ranges at the expense of checking every
- call to see whether NPDB query is needed. The latter ACQ scheme is
- similar to the QoR scheme except that the QoR scheme uses call setup
- and relies on the donor network to indicate "number ported out"
- before launching the NPDB query.
-
-
-5. Database Queries in the NP Environment
-
- As indicated earlier, the ACQ and QoR schemes require that a switch
- query the NPDB for routing information. Various standards have been
- defined for the switch-to-NPDB interface. Those interfaces with
- their protocol stacks are briefly described below. The term "NPDB"
- is used for a stand-alone database that may support just one or some
- or all of the interfaces mentioned below. The NPDB query contains
- the dialed directory number and the NPDB response contains the
- routing number. There are certainly other information that is sent
- in the query and response. The primary interest is to get the
- routing number from the NPDB to the switch for call routing.
-
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 11]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
-5.1 U.S. and Canada
-
- One of the following five NPDB interfaces can be used to query an
- NPDB:
-
- (a) Advanced Intelligent Network (AIN) using the American National
- Standards Institute (ANSI) version of the Intelligent Network
- Application Part (INAP) [ANSI SS] [ANSI DB]. The INAP is
- carried on top of the protocol stack that includes the (ANSI)
- Message Transfer Part (MTP) Levels 1 through 3, ANSI Signaling
- Connection Control Part (SCCP), and ANSI Transaction
- Capabilities Application Part (TCAP). This interface can be
- used by the wireline or wireless switches, is specific to the NP
- implementation in North America, and is modeled on the Public
- Office Dialing Plan (PODP) trigger defined in the Advanced
- Intelligent Network (AIN) 0.1 call model.
-
- (b) Intelligent Network (IN), which is similar to the one used for
- querying the 800 databases. The IN protocol is carried on top
- of the protocol stack that includes the ANSI MTP Levels 1
- through 3, ANSI SCCP, and ANSI TCAP. This interface can be used
- by the wireline or wireless switches.
-
- (c) ANSI IS-41 [IS41] [ISNP], which is carried on top of the
- protocol stack that includes the ANSI MTP Levels 1 through 3,
- ANSI SCCP, and ANSI TCAP. This interface can be used by the IS-
- 41 based cellular/Personal Communication Services (PCS) wireless
- switches (e.g., AMPS, TDMA and CDMA). Cellular systems use
- spectrum at 800 MHz range and PCS systems use spectrum at 1900
- MHz range.
-
- (d) Global System for Mobile Communication Mobile Application Part
- (GSM MAP) [GSM], which is carried on top of the protocol stack
- that includes the ANSI MTP Levels 1 through 3, ANSI SCCP, and
- International Telecommunication Union - Telecommunication Sector
- (ITU-TS) TCAP. It can be used by the PCS1900 wireless switches
- that are based on the GSM technologies. GSM is a series of
- wireless standards defined by the European Telecommunications
- Standards Institute (ETSI).
-
- (e) ISUP triggerless translation. NP translations are performed
- transparently to the switching network by the signaling network
- (e.g. Signaling Transfer Points (STPs) or signaling gateways).
- ISUP IAM messages are examined to determine if the CdPN field
- has already been translated, and if not, an NPDB query is
- performed, and the appropriate parameters in the IAM message
- modified to reflect the results of the translation. The
- modified IAM message is forwarded by the signaling node on to
- the designated DPC in a transparent manner to continue call
- setup. The NPDB can be integrated with the signaling node or be
- accessed via an API locally or by a query to a remote NPDB using
- a proprietary protocol or the schemes described above.
-
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 12]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- Wireline switches have the choice of using either (a), (b), or (e).
- IS-41 based wireless switches have the choice of using (a), (b),
- (c), or (e). PCS1900 wireless switches have the choice of using
- (a), (b), (d), or (e). In the United States, service provider
- portability will be supported by both the wireline and wireless
- systems, not only within the wireline or wireless domain but also
- across the wireline/wireless boundary. However, this is not true in
- Europe where service provider portability is usually supported only
- within the wireline or wireless domain, not across the
- wireline/wireless boundary due to explicit use of service-specific
- number range prefixes. The reason is to avoid caller confusion
- about the call charge. GSM systems in Europe are assigned
- distinctive destination network codes, and the caller pays a higher
- charge when calling a GSM directory number.
-
-
-5.2 Europe
-
- One of the following two interfaces can be used to query an NPDB:
-
- (a) Capability Set 1 (CS1) of the ITU-TS INAP [CS1], which is
- carried on top of the protocol stack that includes the ITU-TS
- MTP Levels 1 through 3, ITU-TS SCCP, and ITU-TS TCAP.
-
- (b) Capability Set 2 (CS2) of the ITU-TS INAP [CS2], which is
- carried on top of the protocol stack that includes the ITU-TS
- MTP Levels 1 through ITU-TS MTP Levels 1 through 3, ITU-TS SCCP,
- and ITU-TS TCAP.
-
- Wireline switches have the choice of using either (a) or (b);
- however, all the implementations in Europe so far are based on CS1.
- As indicated earlier that number portability in Europe does not go
- across the wireline/wireless boundary. The wireless switches can
- also use (a) or (b) to query the NPDBs if those NPDBs contains
- ported wireless directory numbers. The term "Mobile Number
- Portability (MNP)" is used for the support of service provider
- portability by the GSM networks in Europe.
-
- In most, if not all, cases in Europe, the calls to the wireless
- directory numbers are routed to the wireless donor network first.
- Over there, an internal NPDB is queried to determine whether the
- dialed wireless directory number has been ported out or not. In
- this case, the interface to the internal NPDB is not subject to
- standardization.
-
- MNP in Europe can also be supported via MNP Signaling Relay Function
- (MNP-SRF). Again, an internal NPDB or a database integrated at the
- MNP-SRF is used to modify the SCCP Called Party Address parameter in
- the GSM MAP messages so that they can be re-directed to the wireless
- serving network. Call routing involving MNP will be explained in
- Section 6.2.
-
-
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 13]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
-6. Call Routing in the NP Environment
-
- This section discusses the call routing after the routing
- information has been retrieved either through an NPDB query or an
- internal database lookup at the donor switch, or from the Integrated
- Services Digital Network User Part (ISUP) signaling message (e.g.,
- for the Dropback scheme). For the ACQ, QoR and Dropback schemes, it
- is the Originating Network that has the routing information and is
- ready to route the call. For the OR scheme, it is the donor network
- that has the routing information and is ready to route the call.
-
- A number of triggering schemes may be employed that determine where
- in the call path the NPDB query is performed. In the U.S. an ŸN-1÷
- policy is used, which essentially says that for domestic calls, the
- originating local carriers performs the query, otherwise, the long
- distance carrier is expected to. To ensure independence of the
- actual trigger policy employed in any one carrier, forward call
- signaling is used to flag that an NPDB query has already been
- performed and to therefore suppress any subsequent NP triggers that
- may be encountered in downstream switches, in downstream networks.
- This allows the earliest able network in the call path to perform
- the query without introducing additional costs and call setup delays
- were redundant queries performed downstream.
-
-
-6.1 U.S. and Canada
-
- In the U.S. and Canada, a ten-digit North American Numbering Plan
- (NANP) number called Location Routing Number (LRN) is assigned to
- every switch involved in NP. In the NANP, a switch is not reachable
- unless it has a unique number range (CO code) assigned to it.
- Consequently, the LRN for a switch is always assigned out of a CO
- code that is assigned to that switch.
-
- The LRN assigned to a switch currently serving a particular ported
- telephone number is returned as the network routing address in the
- NPDB response. The service portability scheme that was adopted in
- the North America is very often referred to as the LRN scheme or
- method.
-
- LRN serves as a network address for terminating calls served off
- that switch using ported numbers. The LRN is assigned by the switch
- operator using any of the unique CO codes (NPA+NXX) assigned to that
- switch. The LRN is considered a non-dialable address, as the same
- 10-digit number value may be assigned to a line on that switch. A
- switch may have more than one LRN.
-
- During call routing/processing, a switch performs an NPDB query to
- obtain the LRN associated with the dialed directory number. NPDB
- queries are performed for all the dialed directory numbers whose
- NPA+NXX codes are marked as portable NPA+NXX at that switch. When
- formulating the ISUP Initial Address Message (IAM) to be sent to the
- next switch, the switch puts the ten-digit LRN in the ISUP Called
- Party Number (CdPN) parameter and the originally dialed directory
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 14]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- number in the ISUP Generic Address parameter (GAP). A new code in
- the GAP was defined to indicate that the address information in the
- GAP is the dialed directory number. A new bit in the ISUP Forward
- Call Indicator (FCI) parameter, the Ported Number Translation
- Indicator (PNTI) bit, is set to imply that NPDB query has already
- been performed. All the switches in the downstream will not perform
- the NPDB query if the PNTI bit is set.
-
- When the terminating switch receives the IAM and sees the PNTI bit
- in the FCI parameter set and its own LRN in the CdPN parameter, it
- retrieves the originally dialed directory number from the GAP and
- uses the dialed directory number to terminate the call.
-
- A dialed directory number with a portable NPA+NXX does not imply
- that directory number has been ported. The NPDBs currently do not
- store records for non-ported directory numbers. In that case, the
- NPDB will return the same dialed directory number instead of the
- LRN. The switch will then set the PNTI bit but keep the dialed
- directory number in the CdPN parameter.
-
- In the real world environment, the Originating Network is not always
- the one that performs the NPDB query. For example, it is usually
- the long distance carriers that query the NPDBs for long distance
- calls. In that case, the Originating Network operated by the local
- exchange carrier (LEC) simply routes the call to the long distance
- carrier that is to handle that call. A wireless network acting as
- the Originating Network can also route the call to the
- interconnected local exchange carrier network if it does not want to
- support the NPDB interface at its mobile switches.
-
-
-6.2 Europe
-
- In some European countries, a routing number is prefixed to the
- dialed directory number. The ISUP CdPN parameter in the IAM will
- contain the routing prefix and the dialed directory number. For
- example, United Kingdom uses routing prefixes with the format of
- 5XXXXX and Italy uses C600XXXXX as the routing prefix. The networks
- use the information in the ISUP CdPN parameter to route the call to
- the New/Current Serving Network.
-
- The routing prefix can identify the Current Serving Network or the
- Current Serving Switch of a ported number. For the former case,
- another query to the "internal" NPDB at the Current Serving Network
- is required to identify the Current Serving Switch before routing
- the call to that switch. This shields the Current Serving Switch
- information for a ported number from the other networks at the
- expense of an additional NPDB query. Another routing number, may be
- meaningful within the Current Serving Network, will replace the
- previously prefixed routing number in the ISUP CdPN parameter. For
- the latter case, the call is routed to the Current Serving Switch
- without an additional NPDB query.
-
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 15]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- When the terminating switch receives the IAM and sees its own
- routing prefix in the CdPN parameter, it retrieves the originally
- dialed directory number after the routing prefix, and uses the
- dialed directory number to terminate the call.
-
- The call routing example described above shows one of the three
- methods that can be used to transport the Directory Number (DN) and
- the Routing Number (RN) in the ISUP IAM message. In addition, some
- other information may be added/modified as is listed in the ETSI 302
- 097 document [ETSIISUP], which is based on the ITU-T Recommendation
- Q.769.1 [ITUISUP]. The three methods and the enhancements in the
- ISUP to support number portability are briefly described below
-
- (a) Two separate parameters with the CdPN parameter containing the
- RN and a new Called Directory Number (CdDN) parameter containing
- the DN. A new value for the Nature of Address (NOA) indicator in
- the CdPN parameter is defined to indicate that the RN is in the
- CdPN parameter. The switches use the CdPN parameter to route the
- call as is done today.
-
- (b) Two separate parameters with the CdPN parameter containing the
- DN and a new Network Routing Number (NRN) parameter containing
- the RN. This method requires that the switches use the NRN
- parameter to route the call.
-
- (c) Concatenated parameter with the CdPN parameter containing the RN
- plus the DN. A new Nature of Address (NOA) indicator in the CdPN
- parameter is defined to indicate that the RN is concatenated with
- the DN in the CdPN parameter. Some countries may not use new NOA
- value because the routing prefix does not overlap with the dialed
- directory numbers. But if the routing prefix overlaps with the
- dialed directory numbers, a new NOA value must be assigned. For
- example, Spain uses "XXXXXX" as the routing prefix to identify
- the new serving network and uses a new NOA value of 126.
-
- There is also a network option to add a new ISUP parameter called
- Number Portability Forwarding Information parameter. This parameter
- has a four-bit Number Portability Status Indicator field that can
- provide an indication whether number portability query is done for
- the called directory number and whether the called directory number
- is ported or not if the number portability query is done.
-
- Please note that all those NP enhancements for a ported number can
- only be used in the country that defined them. This is because
- number portability is supported within a nation. Within each
- nation, the telecommunications industry or the regulatory bodies can
- decide which method or methods to use. Number portability related
- parameters and coding are usually not passed across the national
- boundaries unless the interconnection agreements allow that. For
- example, a UK routing prefix can only be used in UK, and would cause
- routing problem if it appears outside UK.
-
-
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 16]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- As indicated earlier, an originating wireless network can query the
- NPDB and concatenate the RN with DN in the CdPN parameter and route
- the call directly to the Current Serving Network.
-
- If NPDBs do not contain information about the wireless directory
- numbers, the call, originated from either a wireline or a wireless
- network, will be routed to the Wireless donor network. Over there,
- an internal NPDB is queried to retrieve the RN that then is
- concatenated with the DN in the CdPN parameter.
-
- There are several ways of realizing MNP. When MNP-SRF is supported,
- the Gateway Mobile Services Switching Center (GMSC) at the wireless
- donor network, when receiving a call from the wireline network, can
- send the GSM MAP Send Routing Information (SRI) message to the MNP-
- SRF. The MNP-SRF interrogates an internal or integrated NPDB for
- the RN of the MNP-SRF of the wireless Current Serving Network and
- prefixes the RN to the dialed wireless directory number in the
- global title address information in the SCCP Called Party Address
- (CdPA) parameter. This SRI message will be routed to the MNP-SRF of
- the wireless Current Serving Network, which then responds with an
- acknowledgement by providing the RN plus the dialed wireless
- directory number as the Mobile Station Roaming Number (MSRN). The
- GMSC of the wireless donor network formulates the ISUP IAM with the
- RN plus the dialed wireless directory number in the CdPN parameter
- and routes the call to the wireless Current Serving Network. A GMSC
- of the wireless Current Serving Network receives the call and sends
- an SRI message to the associated MNP-SRF where the global title
- address information of the SCCP CdPA parameter contains only the
- dialed wireless directory number. The MNP-SRF then replaces the
- global title address information in the SCCP CdPA parameter with the
- address information associated with a Home Location Register (HLR)
- that hosts the dialed wireless directory number and forwards the
- message to that HLR after verifying that the dialed wireless
- directory number is a ported-in number. The HLR then returns an
- acknowledgement by providing an MSRN for the GMSC to route the call
- to the MSC that currently serves the mobile station that is
- associated with the dialed wireless directory number. Please see
- [MNP] for details and additional scenarios.
-
-
-7. NP Implementations for Geographic E.164 Numbers
-
- This section shows the known SPNP implementations worldwide.
-
- +-------------+----------------------------------------------------+
- + Country + SPNP Implementation +
- +-------------+----------------------------------------------------+
- + Argentina + Analyzing operative viability now. Will determine +
- + + whether portability should be made obligatory +
- + + after a technical solution has been determined. +
- +-------------+----------------------------------------------------+
- + Australia + NP supported by wireline operators since 11/30/99. +
- + + NP among wireless operators in March/April 2000, +
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 17]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- + + but may be delayed to 1Q01. The access provider +
- + + or long distance provider has the obligation to +
- + + route the call to the correct destination. The +
- + + donor network is obligated to maintain and make +
- + + available a register of numbers ported away from +
- + + its network. Telstra uses onward routing via an +
- + + on-switch solution. +
- +-------------+----------------------------------------------------+
- + Austria + Uses onward routing at the donor network. Routing +
- + + prefix is "86xx" where "xx" identifies the +
- + + recipient network. +
- +-------------+----------------------------------------------------+
- + Belgium + ACQ selected by the industry. Routing prefix is +
- + + "Cxxxx" where "xxxx" identifies the recipient +
- + + switch. Another routing prefix is "C00xx" with "xx"+
- + + identifying the recipient network. Plan to use NOA+
- + + to identify concatenated numbers and abandon the +
- + + hexadecimal routing prefix. +
- +-------------+----------------------------------------------------+
- + Brazil + Considering NP for wireless users. +
- +-------------+----------------------------------------------------+
- + Chile + There has been discussions lately on NP. +
- +-------------+----------------------------------------------------+
- + Colombia + There was an Article 3.1 on NP to support NP prior +
- + + to December 31, 1999 when NP became technically +
- + + possible. Regulator has not yet issued regulations +
- + + concerning this matter. +
- +-------------+----------------------------------------------------+
- + Denmark + Uses ACQ. Routing number not passed between +
- + + operators; however, NOA is set to "112" to +
- + + indicate "ported number." QoR can be used based +
- + + on bilateral agreements. +
- +-------------+----------------------------------------------------+
- + Finland + Uses ACQ. Routing prefix is "1Dxxy" where "xxy" +
- + + identifies the recipient network and service type. +
- +-------------+----------------------------------------------------+
- + France + Uses onward routing. Routing prefix is "Z0xxx" +
- + + where "xxx" identifies the recipient switch. +
- +-------------+----------------------------------------------------+
- + Germany + The originating network needs to do necessary +
- + + rerouting. Operators decide their own solution(s).+
- + + Deutsche Telekom uses ACQ. Routing prefix is +
- + + "Dxxx" where "xxx" identifies the recipient +
- + + network. +
- +-------------+----------------------------------------------------+
- + Hong Kong + Recipient network informs other networks about +
- + + ported-in numbers. Routing prefix is "14x" where +
- + + "14x" identifies the recipient network, or a +
- + + routing number of "4x" plus 7 or 8 digits is used +
- + + where "4x" identifies the recipient network and +
- + + the rest of digits identify the called party. +
- +-------------+----------------------------------------------------+
- + Ireland + Operators choose their own solution but use onward +
- + + routing now. Routing prefix is "1750" as the intra-+
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 18]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- + + network routing code (network-specific) and +
- + + "1752xxx" to "1759xxx" for GNP where "xxx" +
- + + identifies the recipient switch. +
- +-------------+----------------------------------------------------+
- + Italy + Uses onward routing. Routing prefix is "C600xxxxx" +
- + + where "xxxxx" identifies the recipient switch. +
- + + Telecom Italia uses IN solution and other operators+
- + + use on-switch solution. +
- +-------------+----------------------------------------------------+
- + Japan + Uses onward routing. Donor switch uses IN to get +
- + + routing number. +
- +-------------+----------------------------------------------------+
- + Mexico + NP is considered in the Telecom law; however, the +
- + + regulator (Cofetel) or the new local entrants have +
- + + started no initiatives on this process. +
- +-------------+----------------------------------------------------+
- + Netherlands + Operators decide NP scheme to use. Operators have +
- + + chosen ACQ or QoR. KPN implemented IN solution +
- + + similar to U.S. solution. Routing prefix is not +
- + + passed between operators. +
- +-------------+----------------------------------------------------+
- + Norway + OR for short-term and ACQ for long-term. QoR is +
- + + optional. Routing prefix can be "xxx" with NOA=8, +
- + + or "142xx" with NOA=3 where "xxx" or "xx" +
- + + identifies the recipient network. +
- +------------ +----------------------------------------------------+
- + Peru + Wireline NP may be supported in 2001. +
- +-------------+----------------------------------------------------+
- + Portugal + No NP today. +
- +-------------+----------------------------------------------------+
- + Spain + Uses ACQ. Telefonica uses QoR within its network. +
- + + Routing prefix is "xxyyzz" where "xxyyzz" +
- + + identifies the recipient network. NOA is set to +
- + + 126. +
- +-------------+----------------------------------------------------+
- + Sweden + Standardized the ACQ but OR for operators without +
- + + IN. Routing prefix is "xxx" with NOA=8 or "394xxx" +
- + + with NOA=3 where "xxx" identifies the recipient +
- + + network. But operators decide NP scheme to use. +
- + + Telia uses onward routing between operators. +
- +-------------+----------------------------------------------------+
- + Switzerland + Uses OR now and QoR in 2001. Routing prefix is +
- + + "980xxx" where "xxx" identifies the recipient +
- + + network. +
- +-------------+----------------------------------------------------+
- + UK + Uses onward routing. Routing prefix is "5xxxxx" +
- + + where "xxxxx" identifies the recipient switch. NOA +
- + + is 126. BT uses the dropback scheme in some parts +
- + + of its network. +
- +-------------+----------------------------------------------------+
- + US + Uses ACQ. "Location Routing Number (LRN)" is used +
- + + in the Called Party Number parameter. Called party+
- + + number is carried in the Generic Address Parameter +
- + + Use a PNTI indicator in the Forward Call Indicator +
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 19]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- + + parameter to indicate that NPDB dip has been +
- + + performed. +
- +-------------+----------------------------------------------------+
-
-
-8. Number Conservation Methods Enabled by NP
-
- In addition to porting numbers NP provides the ability for number
- administrators to assign numbering resources to operators in smaller
- increments. Today it is common for numbering resources to be
- assigned to telephone operators in a large block of consecutive
- telephone numbers (TNs). For example, in North America each of
- these blocks contains 10,000 TNs and is of the format NXX+0000 to
- NXX+9999. Operators are assigned a specific NXX, or block. That
- operator is referred to as the block holder. In that block there
- are 10,000 TNs with line numbers ranging from 0000 to 9999.
-
- Instead of assigning an entire block to the operator NP allows the
- administrator to assign a sub-block or even an individual telephone
- number. This is referred to as block pooling and individual
- telephone number (ITN) pooling, respectively.
-
-
-8.1 Block Pooling
-
- Block Pooling refers to the process whereby the number administrator
- assigns a range of numbers defined by a logical sub-block of the
- existing block. Using North America as an example, block pooling
- would allow the administrator to assign sub-blocks of 1,000 TNs to
- multiple operators. That is, NXX+0000 to NXX+0999 can be assigned
- to operator A, NXX+1000 to NXX+1999 can be assigned to operator B,
- NXX-2000 to 2999 can be assigned to operator C, etc. In this
- example block pooling divides one block of 10,000 TNs into ten
- blocks of 1,000 TNs.
-
- Porting the sub-blocks from the block holder enables block pooling.
- Using the example above operator A is the block holder, as well as,
- the holder of the first sub-block, NXX+0000 to NXX+0999. The second
- sub-block, NXX+1000 to NXX+1999, is ported from operator A to
- operator B. The third sub-block, NXX+2000 to NXX+2999, is ported
- from operator A to operator C, and so on. NP administrative
- processes and call processing will enable proper and efficient
- routing.
-
- From a number administration and NP administration perspective block
- pooling introduces a new concept, that of the sub-block holder.
- Block pooling requires coordination between the number
- administrator, the NP administrator, the block holder, and the sub-
- block holder. Block pooling must be implemented in a manner that
- allows for NP within the sub-blocks. Each TN can have a different
- serving operator, sub-block holder, and block holder.
-
-
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 20]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
-8.2 ITN Pooling
-
- ITN pooling refers to the process whereby the number administrator
- assigns individual telephone numbers to operators. Using the North
- American example, one block of 10,000 TNs can be divided into 10,000
- ITNs. ITN is more commonly deployed in freephone services.
-
- In ITN the block is not assigned to an operator but to a central
- administrator. The administrator then assigns ITNs to operators.
- NP administrative processes and call processing will enable proper
- and efficient routing.
-
-
-9. Potential Implications
-
- There are three general areas of impact to IP telephony work-in-
- progress at IETF:
-
- - Interoperation between NP in GSTN and IP telephony
- - NP implementation or emulation in IP telephony
- - Interconnection to NP administrative environment
-
- A good understanding of how number portability is supported in the
- GSTN is important when addressing the interworking issues between
- IP-based networks and the GSTN. This is especially important when
- the IP-based network needs to route the calls to the GSTN. As shown
- in Section 5, there are a variety of standards with various protocol
- stacks for the switch-to-NPDB interface. Not only that, the
- national variations of the protocol standards make it very
- complicated to deal with in a global environment. If an entity in
- the IP-based network needs to query those existing NPDBs for routing
- number information to terminate the calls to the destination GSTN,
- it would be impractical, if not an impossible, job for that entity
- to support all those interface standards to access the NPDBs in many
- countries.
-
- Several alternatives may address this particular problem. One
- alternative is to use certain entities in the IP-based networks for
- dealing with NP query, similar to the International Switches that
- are used in the GSTN to interwork different national ISUP
- variations. This will force signaling information associated with
- the calls to certain NP-capable networks in the terminating GSTN to
- be routed to those IP entities that support the NP functions. Those
- IP entities then query the NPDBs in the terminating country. This
- will limit the number of NPDB interfaces that certain IP entities
- need to support. Another alternative can be to define a "common"
- interface to be supported by all the NPDBs so that all the IP
- entities use that standardized protocol to query them. The
- existing NPDBs can support this additional interface, or new NPDBs
- can be deployed that contain the same information but support the
- common IP interface. The candidates for such a common interface
- include Lightweight Directory Access Protocol (LDAP) and SIP
- [SIP](e.g., using the SIP redirection capability). Certainly
-
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 21]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- another possibility is to use interworking function to convert from
- one protocol to another.
-
- IP-based networks can handle the domestic calls between two GSTNs.
- If the originating GSTN has performed NPDB query, SIP will need to
- transport and make use of some of the ISUP signaling information
- even if ISUP signaling may be encapsulated in SIP. Also, IP-based
- networks may perform the NPDB queries, as the N-1 carrier. In that
- case, SIP also needs to transport the NP related information while
- the call is being routed to the destination GSTN. There are three
- pieces of NP related information that SIP needs to transport. They
- are 1) the called directory number, 2) a routing number, and 3) a
- NPDB dip indicator. The NPDB dip indicator is needed so that the
- terminating GSTN will not perform another NPDB dip. The routing
- number is needed so that it is used to route the call to the
- destination network or switch in the destination GSTN. The called
- directory number is needed so that the terminating GSTN switch can
- terminate the call. When the routing number is present, the NPDB
- dip indicator may not be present because there are cases where
- routing number is added for routing the call even if NP is not
- involved. One issue is how to transport the NP related information
- via SIP. The SIP Universal Resource Locator (URL) is one mechanism.
- Another better choice may be to add an extension to the "tel" URL
- [TEL] that is also supported by SIP. Please see [TELNP] for the
- proposed extensions to the "tel" URL to support NP and freephone
- service. Those extensions to the "tel" URL will be automatically
- supported by SIP because they can be carried as the optional
- parameters in the user portion of the "sip" URL.
-
- For a called directory number that belongs to a country that
- supports NP, and if the IP-based network is to perform the NPDB
- query, the logical step is to perform the NPDB dip first to retrieve
- the routing number and use that routing number to select the correct
- IP telephony gateways that can reach the serving switch that serves
- the called directory number. Therefore, if the "rn" parameter is
- present in the "tel" URL or sip URL in the SIP INVITE message, it
- instead of the called directory number should be used for making
- routing decisions assuming that no other higher priority routing-
- related parameters such as the Ÿcic÷ are present. If "rn" is not
- present, then the dialed directory number can be used as the routing
- number for making routing decisions.
-
- Telephony Routing Information Protocol (TRIP) [TRIP] is a policy
- driven inter-administrative domain protocol for advertising the
- reachability of telephony destinations between location servers, and
- for advertising attributes of the routes to those destinations.
- With the NP in mind, it is very important to know that it is the
- routing number, if present, not the called directory number that
- should be used to check against the TRIP tables for making the
- routing decisions.
-
- Overlap signaling exists in the GSTN today. For a call routing from
- the originating GSTN to the IP-based network that involves overlap
- signaling, NP will impact the call processing within the IP-based
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 22]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- networks if they must deal with the overlap signaling. The entities
- in the IP-based networks that are to retrieve the NP information
- (e.g., the routing number) must collect a complete called directory
- number information before retrieving the NP information for a ported
- number. Otherwise, the information retrieval won't be successful.
- This is an issue for the IP-based networks if the originating GSTN
- does not handle the overlap signaling by collecting the complete
- called directory number.
-
- The IETF enum working group is defining the use of Domain Name
- System (DNS) for identifying available services associated with a
- particular E.164 number [ENUM]. [ENUMPO] outlines the principles
- for the operation of a telephone number service that resolves
- telephone numbers into Internet domain name addresses and service-
- specific directory discovery. [ENUMPO] implements a three-level
- approach where the first level is the mapping of the telephone
- number delegation tree to the authority to which the number has been
- delegated, the second level is the provision of the requested DNS
- resource records from a service registrar, and the third level is
- the provision of service specific data from the service provider
- itself. NP certainly must be considered at the first level because
- the telephony service providers do not "own" or control the
- telephone numbers under the NP environment; therefore, they may not
- be the proper entities to have the authority for a given E.164
- number. Not only that, there is a regulatory requirement on NP in
- some countries that the donor network should not be relied on to
- reach the delegated authority during the DNS process . The
- delegated authority for a given E.164 number is likely to be an
- entity designated by the end user that owns/controls a specific
- telephone number or one that is designated by the service registrar.
-
- Since the telephony service providers may have the need to use ENUM
- for their network-related services (e.g., map an E.164 number to a
- HLR Identifier in the wireless networks), their ENUM records must be
- collocated with those of the telephony subscribers. If that is the
- case, NP will impact ENUM when a telephony subscriber who has ENUM
- service changes the telephony service provider. This is because
- that the ENUM records from the new telephony service provider must
- replace those from the old telephony service provider. To avoid the
- NP impact on ENUM, it is recommended that the telephony service
- providers use a different domain tree for their network-related
- service. For example, if e164.arpa is chosen for Ÿend user÷ ENUM, a
- domain tree different from e164.arpa should be used for Ÿcarrier÷
- ENUM.
-
- The IP-based networks also may need to support some forms of number
- portability in the future if E.164 numbers [E164] are assigned to
- the IP-based end users. One method is to assign a GSTN routing
- number for each IP-based network domain or entity in a NP-capable
- country. This may increase the number of digits in the routing
- number to incorporate the IP entities and impact the existing
- routing in the GSTN. Another method is to associate each IP entity
- with a particular GSTN gateway. At that particular GSTN gateway,
- the called directory number then is used to locate the IP-entity
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 23]
-
-Number Portability in the GSTN: An Overview June 24, 2002
-
- that serves that dialed directory number. Yet, another method can
- be to assign a special routing number so that the call to an end
- user currently served by an IP entity is routed to the nearest GSTN
- gateway. The called directory number then is used to locate the IP-
- entity that serves that dialed directory number. A mechanism can be
- developed or used for the IP-based network to locate the IP entity
- that serves a particular dialed directory number. Many other types
- of networks use E.164 numbers to identify the end users or terminals
- in those networks. Number portability among GSTN, IP-based network
- and those various types of networks may also need to be supported in
- the future.
-
-
-10. Security Considerations
-
- This document does not raise any security issues.
-
-
-11. IANA Considerations
-
- This document introduces no new values for IANA registration.
-
-
-12. Normative References
-
- [ANSI OSS] ANSI Technical Requirements No. 1, "Number Portability -
- Operator Services Switching Systems," April 1999.
-
- [ANSI SS] ANSI Technical Requirements No. 2, "Number Portability -
- Switching Systems," April 1999.
-
- [ANSI DB] ANSI Technical Requirements No. 3, "Number Portability
- Database and Global Title Translation," April 1999.
-
- [CS1] ITU-T Q-series Recommendations - Supplement 4, "Number
- portability Capability set 1 requirements for service provider
- portability (All call query and onward routing)," May 1998.
-
- [CS2] ITU-T Q-series Recommendations - Supplement 5, "Number
- portability -Capability set 2 requirements for service provider
- portability (Query on release and Dropback)," March 1999.
-
- [E164] ITU-T Recommendation E.164, "The International Public
- Telecommunications Numbering Plan," 1997.
-
- [ENUM] P. Falstrom, "E.164 number and DNS," RFC 2916.
-
- [ETSIISUP] ETSI EN 302 097 V.1.2.2, ŸIntegrated Services Digital
- Network (ISDN); Signalling System No.7 (SS7); ISDN User Part
- (ISUP); Enhancement for support of Number Portability (NP)
- [ITU-T Recommendation Q.769.1 (2000), modified]
-
- [GSM] GSM 09.02: "Digital cellular telecommunications system (Phase
- 2+); Mobile Application Part (MAP) specification".
-
-Foster,McGarry,Yu Expired on December 23, 2002 [Page 24]
-
-Number Portability in the GSTN: An Overview March 1, 2002
-
-
-
- [IS41] TIA/EIA IS-756 Rev. A, "TIA/EIA-41-D Enhancements for
- Wireless Number Portability Phase II (December 1998)"Number
- Portability Network Support," April 1998.
-
- [ITUISUP] ITU-T Recommendation Q.769.1, "Signaling System No. 7 -
- ISDN User Part Enhancements for the Support of Number
- Portability," December 1999.
-
- [MNP] ETSI EN 301 716 (2000-10) European Standard
- (Telecommunications series) Digital cellular telecommunications
- system (Phase 2+); Support of Mobile Number Portability (MNP);
- Technical Realisation; Stage 2; (GSM 03.66 Version 7.2.0
- Release 1998).
-
- [RFC] Scott Bradner, RFC2026, "The Internet Standards Process --
- Revision 3," October 1996.
-
-
-13. Informative References
-
- [ENUMPO] A. Brown and G. Vaudreuil, "ENUM Service Specific
- Provisioning: Principles of Operations," draft-ietf-enum-
- operation-02.txt, February 23, 2001.
-
- [SIP] J. Rosenberg, et al., draft-ietf-sip-rfc2543bis-09.txt, "SIP:
- Session Initiation Protocol," February 27, 2002.
-
- [TEL] H. Schulzrinne and A. Vaha-Sipila, draft-antti-rfc2806bis-
- 04.txt, "URIs for Telephone Calls," May 24, 2002.
-
- [TELNP] J. Yu, draft-yu-tel-url-05.txt, "Extensions to the "tel" URL
- to support Number Portability and Freephone Service," June 14,
- 2002.
-
- [TRIP] J. Rosenberg, H. Salama and M. Squire, RFC 3219, "Telephony
- Routing Information Protocol (TRIP)," January 2002.
-
-
-14. Acknowledgment
-
- The authors would like to thank Monika Muench for providing
- information on ISUP and MNP.
-
-
-15. Authors' Addresses
-
- Mark D. Foster
- NeuStar, Inc.
- 1120 Vermont Avenue, NW,
- Suite 400
- Washington, D.C. 20005
- United States
-
-Foster,McGarry,Yu Expired on August 31, 2002 [Page 25]
-
-Number Portability in the GSTN: An Overview March 1, 2002
-
-
-
- Phone: +1-202-533-2800
- Fax: +1-202-533-2987
- Email: mark.foster@neustar.biz
-
- Tom McGarry
- NeuStar, Inc.
- 1120 Vermont Avenue, NW,
- Suite 400
- Washington, D.C. 20005
- United States
-
- Phone: +1-202-533-2810
- Fax: +1-202-533-2987
- Email: tom.mcgarry@neustar.biz
-
- James Yu
- NeuStar, Inc.
- 1120 Vermont Avenue, NW,
- Suite 400
- Washington, D.C. 20005
- United States
-
- Phone: +1-202-533-2814
- Fax: +1-202-533-2987
- Email: james.yu@neustar.biz
-
-
-
-Full Copyright Statement
-
- "Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph
- are included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
-
-
-Foster,McGarry,Yu Expired on August 31, 2002 [Page 26]
-
-Number Portability in the GSTN: An Overview March 1, 2002
-
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Foster,McGarry,Yu Expired on August 31, 2002 [Page 27]
- \ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt b/contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt
deleted file mode 100644
index 423a119f39f8..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt
+++ /dev/null
@@ -1,951 +0,0 @@
-
-
-IPSECKEY WG M. Richardson
-Internet-Draft SSW
-|Expires: August 1, 2004 February 2004
-
-
- A Method for Storing IPsec Keying Material in DNS
-| draft-ietf-ipseckey-rr-09.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-| This Internet-Draft will expire on August 1, 2004.
-
-Copyright Notice
-
-| Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
-| This document describes a new resource record for Domain Name System
-| (DNS). This record may be used to store public keys for use in IP
-| security (IPsec) systems. The record also includes provisions for
-| indicating what system should be contacted when establishing an IPsec
-| tunnel with the entity in question.
-
- This record replaces the functionality of the sub-type #1 of the KEY
- Resource Record, which has been obsoleted by RFC3445.
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 1]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
-| 1.2 Use of reverse (in-addr.arpa) map . . . . . . . . . . . . . . 3
-| 1.3 Usage Criteria . . . . . . . . . . . . . . . . . . . . . . . . 3
-| 2. Storage formats . . . . . . . . . . . . . . . . . . . . . . . 5
-| 2.1 IPSECKEY RDATA format . . . . . . . . . . . . . . . . . . . . 5
-| 2.2 RDATA format - precedence . . . . . . . . . . . . . . . . . . 5
-| 2.3 RDATA format - gateway type . . . . . . . . . . . . . . . . . 5
-| 2.4 RDATA format - algorithm type . . . . . . . . . . . . . . . . 6
-| 2.5 RDATA format - gateway . . . . . . . . . . . . . . . . . . . . 6
-| 2.6 RDATA format - public keys . . . . . . . . . . . . . . . . . . 6
-| 3. Presentation formats . . . . . . . . . . . . . . . . . . . . . 8
-| 3.1 Representation of IPSECKEY RRs . . . . . . . . . . . . . . . . 8
-| 3.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
-| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10
-| 4.1 Active attacks against unsecured IPSECKEY resource records . . 10
-| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
-| 6. Intellectual Property Claims . . . . . . . . . . . . . . . . . 13
-| 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
-| Normative references . . . . . . . . . . . . . . . . . . . . . 15
-| Non-normative references . . . . . . . . . . . . . . . . . . . 16
-| Author's Address . . . . . . . . . . . . . . . . . . . . . . . 16
-| Full Copyright Statement . . . . . . . . . . . . . . . . . . . 17
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 2]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-1. Introduction
-
- It postulated that there is an end system desiring to establish an
- IPsec tunnel with some remote entity on the network. This system,
- having only a DNS name of some kind (forward, reverse or even
- user@FQDN) needs a public key to authenticate the remote entity. It
- also desires some guidance about whether to contact the entity
- directly, or whether to contact another entity, as the gateway to
- that desired entity.
-
- The IPSECKEY RR provides a storage mechanism for such items as the
- public key, and the gateway information.
-
- The type number for the IPSECKEY RR is TBD.
-
-1.1 Overview
-
- The IPSECKEY resource record (RR) is used to publish a public key
- that is to be associated with a Domain Name System (DNS) name for use
- with the IPsec protocol suite. This can be the public key of a
- host, network, or application (in the case of per-port keying).
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC2119 [7].
-
-|1.2 Use of reverse (in-addr.arpa) map
-
-| Often a security gateway will only have access to the IP address to
-| which communication is desired. It will not know the forward name.
-| As such, it will frequently be the case that the IP address will be
-| used an index into the reverse map.
-
-| The lookup is done in the usual fashion as for PTR records. The IP
-| address' octets (IPv4) or nibbles (IPv6) are reversed and looked up
-| under the .arpa. zone. Any CNAMEs or DNAMEs found SHOULD be
-| followed.
-
-| Note: even when the IPsec function is the end-host, often only the
-| application will know the forward name used. While the case where
-| the application knows the forward name is common, the user could
-| easily have typed in a literal IP address. This storage mechanism
-| does not preclude using the forward name when it is available, but
-| does not require it.
-
-|1.3 Usage Criteria
-
- An IPSECKEY resource record SHOULD be used in combination with DNSSEC
-
-
-
-|Richardson Expires August 1, 2004 [Page 3]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
- unless some other means of authenticating the IPSECKEY resource
- record is available.
-
- It is expected that there will often be multiple IPSECKEY resource
- records at the same name. This will be due to the presence of
- multiple gateways and the need to rollover keys.
-
- This resource record is class independent.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 4]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-2. Storage formats
-
-2.1 IPSECKEY RDATA format
-
- The RDATA for an IPSECKEY RR consists of a precedence value, a
- gateway type, a public key, algorithm type, and an optional gateway
- address.
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | precedence | gateway type | algorithm | gateway |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
- ~ gateway ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | /
- / public key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
-
-2.2 RDATA format - precedence
-
- This is an 8-bit precedence for this record. This is interpreted in
- the same way as the PREFERENCE field described in section 3.3.9 of
- RFC1035 [2].
-
- Gateways listed in IPSECKEY records with lower precedence are to be
- attempted first. Where there is a tie in precedence, the order
- should be non-deterministic.
-
-2.3 RDATA format - gateway type
-
- The gateway type field indicates the format of the information that
- is stored in the gateway field.
-
- The following values are defined:
-
- 0 No gateway is present
-
- 1 A 4-byte IPv4 address is present
-
- 2 A 16-byte IPv6 address is present
-
- 3 A wire-encoded domain name is present. The wire-encoded format is
- self-describing, so the length is implicit. The domain name MUST
- NOT be compressed. (see section 3.3 of RFC1035 [2]).
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 5]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-2.4 RDATA format - algorithm type
-
- The algorithm type field identifies the public key's cryptographic
- algorithm and determines the format of the public key field.
-
- A value of 0 indicates that no key is present.
-
- The following values are defined:
-
- 1 A DSA key is present, in the format defined in RFC2536 [10]
-
- 2 A RSA key is present, in the format defined in RFC3110 [11]
-
-
-2.5 RDATA format - gateway
-
- The gateway field indicates a gateway to which an IPsec tunnel may be
- created in order to reach the entity named by this resource record.
-
- There are three formats:
-
- A 32-bit IPv4 address is present in the gateway field. The data
- portion is an IPv4 address as described in section 3.4.1 of RFC1035
- [2]. This is a 32-bit number in network byte order.
-
- A 128-bit IPv6 address is present in the gateway field. The data
- portion is an IPv6 address as described in section 2.2 of RFC3596
- [13]. This is a 128-bit number in network byte order.
-
- The gateway field is a normal wire-encoded domain name, as described
- in section 3.3 of RFC1035 [2]. Compression MUST NOT be used.
-
-2.6 RDATA format - public keys
-
- Both of the public key types defined in this document (RSA and DSA)
- inherit their public key formats from the corresponding KEY RR
- formats. Specifically, the public key field contains the algorithm-
- specific portion of the KEY RR RDATA, which is all of the KEY RR DATA
- after the first four octets. This is the same portion of the KEY RR
- that must be specified by documents that define a DNSSEC algorithm.
- Those documents also specify a message digest to be used for
- generation of SIG RRs; that specification is not relevant for
- IPSECKEY RR.
-
- Future algorithms, if they are to be used by both DNSSEC (in the KEY
- RR) and IPSECKEY, are likely to use the same public key encodings in
- both records. Unless otherwise specified, the IPSECKEY public key
- field will contain the algorithm-specific portion of the KEY RR RDATA
-
-
-
-|Richardson Expires August 1, 2004 [Page 6]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
- for the corresponding algorithm. The algorithm must still be
- designated for use by IPSECKEY, and an IPSECKEY algorithm type number
- (which might be different than the DNSSEC algorithm number) must be
- assigned to it.
-
- The DSA key format is defined in RFC2536 [10]
-
- The RSA key format is defined in RFC3110 [11], with the following
- changes:
-
- The earlier definition of RSA/MD5 in RFC2065 limited the exponent and
- modulus to 2552 bits in length. RFC3110 extended that limit to 4096
- bits for RSA/SHA1 keys. The IPSECKEY RR imposes no length limit on
- RSA public keys, other than the 65535 octet limit imposed by the two-
- octet length encoding. This length extension is applicable only to
- IPSECKEY and not to KEY RRs.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 7]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-3. Presentation formats
-
-3.1 Representation of IPSECKEY RRs
-
- IPSECKEY RRs may appear in a zone data master file. The precedence,
- gateway type and algorithm and gateway fields are REQUIRED. The
- base64 encoded public key block is OPTIONAL; if not present, then the
- public key field of the resource record MUST be construed as being
- zero octets in length.
-
- The algorithm field is an unsigned integer. No mnemonics are
- defined.
-
- If no gateway is to be indicated, then the gateway type field MUST be
- zero, and the gateway field MUST be "."
-
- The Public Key field is represented as a Base64 encoding of the
- Public Key. Whitespace is allowed within the Base64 text. For a
- definition of Base64 encoding, see RFC3548 [6] Section 5.2.
-
- The general presentation for the record as as follows:
-
- IN IPSECKEY ( precedence gateway-type algorithm
- gateway base64-encoded-public-key )
-
-
-3.2 Examples
-
- An example of a node 192.0.2.38 that will accept IPsec tunnels on its
- own behalf.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
- 192.0.2.38
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 192.0.2.38 that has published its key only.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 0 2
- .
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 192.0.2.38 that has delegated authority to the
- node 192.0.2.3.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
- 192.0.2.3
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 8]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
- An example of a node, 192.0.1.38 that has delegated authority to the
- node with the identity "mygateway.example.com".
-
- 38.1.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 3 2
- mygateway.example.com.
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0 that has
- delegated authority to the node 2001:0DB8:c000:0200:2::1
-
- $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.arpa.
- 0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN IPSECKEY ( 10 2 2
- 2001:0DB8:0:8002::2000:1
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 9]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-4. Security Considerations
-
- This entire memo pertains to the provision of public keying material
- for use by key management protocols such as ISAKMP/IKE (RFC2407) [8].
-
- The IPSECKEY resource record contains information that SHOULD be
- communicated to the end client in an integral fashion - i.e. free
- from modification. The form of this channel is up to the consumer of
- the data - there must be a trust relationship between the end
- consumer of this resource record and the server. This relationship
- may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to
- another secure source, a secure local channel on the host, or some
- combination of the above.
-
- The keying material provided by the IPSECKEY resource record is not
- sensitive to passive attacks. The keying material may be freely
- disclosed to any party without any impact on the security properties
- of the resulting IPsec session: IPsec and IKE provide for defense
- against both active and passive attacks.
-
- Any derivative standard that makes use of this resource record MUST
- carefully document their trust model, and why the trust model of
- DNSSEC is appropriate, if that is the secure channel used.
-
-4.1 Active attacks against unsecured IPSECKEY resource records
-
- This section deals with active attacks against the DNS. These
- attacks require that DNS requests and responses be intercepted and
- changed. DNSSEC is designed to defend against attacks of this kind.
-
- The first kind of active attack is when the attacker replaces the
- keying material with either a key under its control or with garbage.
-
- If the attacker is not able to mount a subsequent man-in-the-middle
- attack on the IKE negotiation after replacing the public key, then
- this will result in a denial of service, as the authenticator used by
- IKE would fail.
-
- If the attacker is able to both to mount active attacks against DNS
- and is also in a position to perform a man-in-the-middle attack on
- IKE and IPsec negotiations, then the attacker will be in a position
- to compromise the resulting IPsec channel. Note that an attacker
- must be able to perform active DNS attacks on both sides of the IKE
- negotiation in order for this to succeed.
-
- The second kind of active attack is one in which the attacker
- replaces the the gateway address to point to a node under the
- attacker's control. The attacker can then either replace the public
-
-
-
-|Richardson Expires August 1, 2004 [Page 10]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
- key or remove it, thus providing an IPSECKEY record of its own to
- match the gateway address.
-
- This later form creates a simple man-in-the-middle since the attacker
- can then create a second tunnel to the real destination. Note that,
- as before, this requires that the attacker also mount an active
- attack against the responder.
-
- Note that the man-in-the-middle can not just forward cleartext
- packets to the original destination. While the destination may be
- willing to speak in the clear, replying to the original sender, the
- sender will have already created a policy expecting ciphertext.
- Thus, the attacker will need to intercept traffic from both sides.
- In some cases, the attacker may be able to accomplish the full
- intercept by use of Network Addresss/Port Translation (NAT/NAPT)
- technology.
-
-| Note that risk of a man-in-the-middle attack mediated by the IPSECKEY
-| RR only applies to cases where the gateway field of the IPSECKEY RR
-| indicates a different entity than the owner name of the IPSECKEY RR.
-
-| An active attack on the DNS that caused the wrong IP address to be
-| retrieved (via forged A RR), and therefore the wrong QNAME to be
-| queried would also result in a man-in-the-middle attack. This
-| situation exists independantly of whether or not the IPSECKEY RR is
-| used.
-
-| In cases where the end-to-end integrity of the IPSECKEY RR is
-| suspect, the end client MUST restrict its use of the IPSECKEY RR to
-| cases where the RR owner name matches the content of the gateway
-| field.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 11]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-5. IANA Considerations
-
- This document updates the IANA Registry for DNS Resource Record Types
- by assigning type X to the IPSECKEY record.
-
- This document creates two new IANA registries, both specific to the
- IPSECKEY Resource Record:
-
- This document creates an IANA registry for the algorithm type field.
-
- Values 0, 1 and 2 are defined in Section 2.4. Algorithm numbers 3
- through 255 can be assigned by IETF Consensus (see RFC2434 [5]).
-
- This document creates an IANA registry for the gateway type field.
-
- Values 0, 1, 2 and 3 are defined in Section 2.3. Gateway type
- numbers 4 through 255 can be assigned by Standards Action (see
- RFC2434 [5]).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 12]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-6. Intellectual Property Claims
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 13]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-7. Acknowledgments
-
- My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
- Austein, and Olafur Gurmundsson who reviewed this document carefully.
- Additional thanks to Olafur Gurmundsson for a reference
- implementation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 14]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-Normative references
-
- [1] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
- 9, RFC 2026, October 1996.
-
- [4] Eastlake, D. and C. Kaufman, "Domain Name System Security
- Extensions", RFC 2065, January 1997.
-
- [5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
- [6] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
- RFC 3548, July 2003.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 15]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-Non-normative references
-
- [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [8] Piper, D., "The Internet IP Security Domain of Interpretation
- for ISAKMP", RFC 2407, November 1998.
-
- [9] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [10] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
- (DNS)", RFC 2536, March 1999.
-
- [11] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
- System (DNS)", RFC 3110, May 2001.
-
- [12] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
- Record (RR)", RFC 3445, December 2002.
-
- [13] Thomson, S., Huitema, C., Ksinant, V. and M. Souissi, "DNS
- Extensions to Support IP Version 6", RFC 3596, October 2003.
-
-
-Author's Address
-
- Michael C. Richardson
- Sandelman Software Works
- 470 Dawson Avenue
- Ottawa, ON K1Z 5V7
- CA
-
- EMail: mcr@sandelman.ottawa.on.ca
- URI: http://www.sandelman.ottawa.on.ca/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 16]
-
-|Internet-Draft Storing IPsec keying material in DNS February 2004
-
-
-Full Copyright Statement
-
-| Copyright (C) The Internet Society (2004). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-|Richardson Expires August 1, 2004 [Page 17]
diff --git a/contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt b/contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt
deleted file mode 100644
index 2d5c87eb3caa..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt
+++ /dev/null
@@ -1,1200 +0,0 @@
-
-
-
-
-
-
-IPv6 Working Group John Loughney (ed)
-Internet-Draft Nokia
- January 14, 2004
-
-Expires: July 14, 2004
-
-
-
- IPv6 Node Requirements
- draft-ietf-ipv6-node-requirements-08.txt
-
-
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document defines requirements for IPv6 nodes. It is expected
- that IPv6 will be deployed in a wide range of devices and situations.
- Specifying the requirements for IPv6 nodes allows IPv6 to function
- well and interoperate in a large number of situations and
- deployments.
-
-
-
-
-
-Loughney (editor) February 16, 2004 [Page 1]
-
-
-
-
-
-Internet-Draft
-
-
-Table of Contents
-
- 1. Introduction
- 1.1 Requirement Language
- 1.2 Scope of this Document
- 1.3 Description of IPv6 Nodes
- 2. Abbreviations Used in This Document
- 3. Sub-IP Layer
- 3.1 Transmission of IPv6 Packets over Ethernet Networks - RFC2464
- 3.2 IP version 6 over PPP - RFC2472
- 3.3 IPv6 over ATM Networks - RFC2492
- 4. IP Layer
- 4.1 Internet Protocol Version 6 - RFC2460
- 4.2 Neighbor Discovery for IPv6 - RFC2461
- 4.3 Path MTU Discovery & Packet Size
- 4.4 ICMP for the Internet Protocol Version 6 (IPv6) - RFC2463
- 4.5 Addressing
- 4.6 Multicast Listener Discovery (MLD) for IPv6 - RFC2710
- 5. Transport and DNS
- 5.1 Transport Layer
- 5.2 DNS
- 5.3 Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
- 6. IPv4 Support and Transition
- 6.1 Transition Mechanisms
- 7. Mobility
- 8. Security
- 8.1 Basic Architecture
- 8.2 Security Protocols
- 8.3 Transforms and Algorithms
- 8.4 Key Management Methods
- 9. Router Functionality
- 9.1 General
- 10. Network Management
- 10.1 MIBs
- 11. Security Considerations
- 12. References
- 12.1 Normative
- 12.2 Non-Normative
- 13. Authors and Acknowledgements
- 14. Editor's Address
- Notices
-
-
-
-
-
-
-
-
-
-
-Loughney (editor) February 16, 2004 [Page 2]
-
-
-
-
-
-Internet-Draft
-
-
-1. Introduction
-
- The goal of this document is to define the common functionality
- required from both IPv6 hosts and routers. Many IPv6 nodes will
- implement optional or additional features, but all IPv6 nodes can be
- expected to implement the mandatory requirements listed in this
- document.
-
- This document tries to avoid discussion of protocol details, and
- references RFCs for this purpose. In case of any conflicting text,
- this document takes less precedence than the normative RFCs, unless
- additional clarifying text is included in this document.
-
- Although the document points to different specifications, it should
- be noted that in most cases, the granularity of requirements are
- smaller than a single specification, as many specifications define
- multiple, independent pieces, some of which may not be mandatory.
-
- As it is not always possible for an implementer to know the exact
- usage of IPv6 in a node, an overriding requirement for IPv6 nodes is
- that they should adhere to Jon Postel's Robustness Principle:
-
- Be conservative in what you do, be liberal in what you accept from
- others [RFC-793].
-
-1.1 Requirement Language
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC-2119].
-
-1.2 Scope of this Document
-
- IPv6 covers many specifications. It is intended that IPv6 will be
- deployed in many different situations and environments. Therefore,
- it is important to develop the requirements for IPv6 nodes, in order
- to ensure interoperability.
-
- This document assumes that all IPv6 nodes meet the minimum
- requirements specified here.
-
-1.3 Description of IPv6 Nodes
-
- From Internet Protocol, Version 6 (IPv6) Specification [RFC-2460] we
- have the following definitions:
-
- Description of an IPv6 Node
-
-
-
-
-Loughney (editor) February 16, 2004 [Page 3]
-
-
-
-
-
-Internet-Draft
-
-
- - a device that implements IPv6
-
- Description of an IPv6 router
-
- - a node that forwards IPv6 packets not explicitly addressed to
- itself.
-
- Description of an IPv6 Host
-
- - any node that is not a router.
-
-2. Abbreviations Used in This Document
-
- ATM Asynchronous Transfer Mode
-
- AH Authentication Header
-
- DAD Duplicate Address Detection
-
- ESP Encapsulating Security Payload
-
- ICMP Internet Control Message Protocol
-
- IKE Internet Key Exchange
-
- MIB Management Information Base
-
- MLD Multicast Listener Discovery
-
- MTU Maximum Transfer Unit
-
- NA Neighbor Advertisement
-
- NBMA Non-Broadcast Multiple Access
-
- ND Neighbor Discovery
-
- NS Neighbor Solicitation
-
- NUD Neighbor Unreachability Detection
-
- PPP Point-to-Point Protocol
-
- PVC Permanent Virtual Circuit
-
- SVC Switched Virtual Circuit
-
-3. Sub-IP Layer
-
-
-
-Loughney (editor) February 16, 2004 [Page 4]
-
-
-
-
-
-Internet-Draft
-
-
- An IPv6 node must include support for one or more IPv6 link-layer
- specifications. Which link-layer specifications are included will
- depend upon what link-layers are supported by the hardware available
- on the system. It is possible for a conformant IPv6 node to support
- IPv6 on some of its interfaces and not on others.
-
- As IPv6 is run over new layer 2 technologies, it is expected that new
- specifications will be issued. This section highlights some major
- layer 2 technologies and is not intended to be complete.
-
-3.1 Transmission of IPv6 Packets over Ethernet Networks - RFC2464
-
- Nodes supporting IPv6 over Ethernet interfaces MUST implement
- Transmission of IPv6 Packets over Ethernet Networks [RFC-2464].
-
-3.2 IP version 6 over PPP - RFC2472
-
- Nodes supporting IPv6 over PPP MUST implement IPv6 over PPP [RFC-
- 2472].
-
-3.3 IPv6 over ATM Networks - RFC2492
-
- Nodes supporting IPv6 over ATM Networks MUST implement IPv6 over ATM
- Networks [RFC-2492]. Additionally, RFC 2492 states:
-
- A minimally conforming IPv6/ATM driver SHALL support the PVC mode
- of operation. An IPv6/ATM driver that supports the full SVC mode
- SHALL also support PVC mode of operation.
-
-4. IP Layer
-
-4.1 Internet Protocol Version 6 - RFC2460
-
- The Internet Protocol Version 6 is specified in [RFC-2460]. This
- specification MUST be supported.
-
- Unrecognized options in Hop-by-Hop Options or Destination Options
- extensions MUST be processed as described in RFC 2460.
-
- The node MUST follow the packet transmission rules in RFC 2460.
-
- Nodes MUST always be able to send, receive and process fragment
- headers. All conformant IPv6 implementations MUST be capable of
- sending and receving IPv6 packets; forwarding functionality MAY be
- supported
-
- RFC 2460 specifies extension headers and the processing for these
- headers.
-
-
-
-Loughney (editor) February 16, 2004 [Page 5]
-
-
-
-
-
-Internet-Draft
-
-
- A full implementation of IPv6 includes implementation of the
- following extension headers: Hop-by-Hop Options, Routing (Type 0),
- Fragment, Destination Options, Authentication and Encapsulating
- Security Payload. [RFC-2460]
-
- An IPv6 node MUST be able to process these headers. It should be
- noted that there is some discussion about the use of Routing Headers
- and possible security threats [IPv6-RH] caused by them.
-
-4.2 Neighbor Discovery for IPv6 - RFC2461
-
- Neighbor Discovery SHOULD be supported. RFC 2461 states:
-
- "Unless specified otherwise (in a document that covers operating
- IP over a particular link type) this document applies to all link
- types. However, because ND uses link-layer multicast for some of
- its services, it is possible that on some link types (e.g., NBMA
- links) alternative protocols or mechanisms to implement those
- services will be specified (in the appropriate document covering
- the operation of IP over a particular link type). The services
- described in this document that are not directly dependent on
- multicast, such as Redirects, Next-hop determination, Neighbor
- Unreachability Detection, etc., are expected to be provided as
- specified in this document. The details of how one uses ND on
- NBMA links is an area for further study."
-
- Some detailed analysis of Neighbor Discovery follows:
-
- Router Discovery is how hosts locate routers that reside on an
- attached link. Router Discovery MUST be supported for
- implementations.
-
- Prefix Discovery is how hosts discover the set of address prefixes
- that define which destinations are on-link for an attached link.
- Prefix discovery MUST be supported for implementations. Neighbor
- Unreachability Detection (NUD) MUST be supported for all paths
- between hosts and neighboring nodes. It is not required for paths
- between routers. However, when a node receives a unicast Neighbor
- Solicitation (NS) message (that may be a NUD's NS), the node MUST
- respond to it (i.e. send a unicast Neighbor Advertisement).
-
- Duplicate Address Detection MUST be supported on all links supporting
- link-layer multicast (RFC2462 section 5.4 specifies DAD MUST take
- place on all unicast addresses).
-
- A host implementation MUST support sending Router Solicitations.
-
- Receiving and processing Router Advertisements MUST be supported for
-
-
-
-Loughney (editor) February 16, 2004 [Page 6]
-
-
-
-
-
-Internet-Draft
-
-
- host implementations. The ability to understand specific Router
- Advertisement options is dependent on supporting the specification
- where the RA is specified.
-
- Sending and Receiving Neighbor Solicitation (NS) and Neighbor
- Advertisement (NA) MUST be supported. NS and NA messages are required
- for Duplicate Address Detection (DAD).
-
- Redirect functionality SHOULD be supported. If the node is a router,
- Redirect functionality MUST be supported.
-
-4.3 Path MTU Discovery & Packet Size
-
-4.3.1 Path MTU Discovery - RFC1981
-
- Path MTU Discovery [RFC-1981] SHOULD be supported, though minimal
- implementations MAY choose to not support it and avoid large packets.
- The rules in RFC 2460 MUST be followed for packet fragmentation and
- reassembly.
-
-4.3.2 IPv6 Jumbograms - RFC2675
-
- IPv6 Jumbograms [RFC-2675] MAY be supported.
-
-4.4 ICMP for the Internet Protocol Version 6 (IPv6) - RFC2463
-
- ICMPv6 [RFC-2463] MUST be supported.
-
-4.5 Addressing
-
-4.5.1 IP Version 6 Addressing Architecture - RFC3513
-
- The IPv6 Addressing Architecture [RFC-3513] MUST be supported.
-
-4.5.2 IPv6 Stateless Address Autoconfiguration - RFC2462
-
- IPv6 Stateless Address Autoconfiguration is defined in [RFC-2462].
- This specification MUST be supported for nodes that are hosts.
-
- Nodes that are routers MUST be able to generate link local addresses
- as described in RFC 2462 [RFC-2462].
-
- From 2462:
-
- The autoconfiguration process specified in this document applies
- only to hosts and not routers. Since host autoconfiguration uses
- information advertised by routers, routers will need to be
- configured by some other means. However, it is expected that
-
-
-
-Loughney (editor) February 16, 2004 [Page 7]
-
-
-
-
-
-Internet-Draft
-
-
- routers will generate link-local addresses using the mechanism
- described in this document. In addition, routers are expected to
- successfully pass the Duplicate Address Detection procedure
- described in this document on all addresses prior to assigning
- them to an interface.
-
- Duplicate Address Detection (DAD) MUST be supported.
-
-4.5.3 Privacy Extensions for Address Configuration in IPv6 - RFC3041
-
- Privacy Extensions for Stateless Address Autoconfiguration [RFC-3041]
- SHOULD be supported. It is recommended that this behavior be
- configurable on a connection basis within each application when
- available. It is noted that a number of applications do not work
- with addresses generated with this method, while other applications
- work quite well with them.
-
-4.5.4 Default Address Selection for IPv6 - RFC3484
-
- The rules specified in the Default Address Selection for IPv6 [RFC-
- 3484] document MUST be implemented. It is expected that IPv6 nodes
- will need to deal with multiple addresses.
-
-4.5.5 Stateful Address Autoconfiguration
-
- Stateful Address Autoconfiguration MAY be supported. DHCPv6 [RFC-
- 3315] is the standard stateful address configuration protocol; see
- section 5.3 for DHCPv6 support.
-
- Nodes which do not support Stateful Address Autoconfiguration may be
- unable to obtain any IPv6 addresses aside from link-local addresses
- when it receives a router advertisement with the 'M' flag (Managed
- address configuration) set and which contains no prefixes advertised
- for Stateless Address Autoconfiguration (see section 4.5.2).
- Additionally, such nodes will be unable to obtain other configuration
- information such as the addresses of DNS servers when it is connected
- to a link over which the node receives a router advertisement in
- which the 'O' flag ("Other stateful configuration") is set.
-
-4.6 Multicast Listener Discovery (MLD) for IPv6 - RFC2710
-
- Nodes that need to join multicast groups SHOULD implement MLDv2
- [MLDv2]. However, if the node has applications, which only need
- support for Any- Source Multicast [RFC3569], the node MAY implement
- MLDv1 [MLDv1] instead. If the node has applications, which need
- support for Source- Specific Multicast [RFC3569, SSMARCH], the node
- MUST support MLDv2 [MLDv2].
-
-
-
-
-Loughney (editor) February 16, 2004 [Page 8]
-
-
-
-
-
-Internet-Draft
-
-
- When MLD is used, the rules in "Source Address Selection for the
- Multicast Listener Discovery (MLD) Protocol" [RFC-3590] MUST be
- followed.
-
-5. Transport Layer and DNS
-
-5.1 Transport Layer
-
-5.1.1 TCP and UDP over IPv6 Jumbograms - RFC2147
-
- This specification MUST be supported if jumbograms are implemented
- [RFC- 2675].
-
-5.2 DNS
-
- DNS, as described in [RFC-1034], [RFC-1035], [RFC-3152], [RFC-3363]
- and [RFC-3596] MAY be supported. Not all nodes will need to resolve
- names. All nodes that need to resolve names SHOULD implement stub-
- resolver [RFC-1034] functionality, in RFC 1034 section 5.3.1 with
- support for:
-
- - AAAA type Resource Records [RFC-3596];
- - reverse addressing in ip6.arpa using PTR records [RFC-3152];
- - EDNS0 [RFC-2671] to allow for DNS packet sizes larger than 512
- octets.
-
- Those nodes are RECOMMENDED to support DNS security extentions
- [DNSSEC- INTRO], [DNSSEC-REC] and [DNSSEC-PROT].
-
- Those nodes are NOT RECOMMENDED to support the experimental A6 and
- DNAME Resource Records [RFC-3363].
-
-5.2.2 Format for Literal IPv6 Addresses in URL's - RFC2732
-
- RFC 2732 MUST be supported if applications on the node use URL's.
-
-5.3 Dynamic Host Configuration Protocol for IPv6 (DHCPv6) - RFC3315
-
-5.3.1 Managed Address Configuration
-
- Those IPv6 Nodes that use DHCP for address assignment initiate DHCP
- to obtain IPv6 addresses and other configuration information upon
- receipt of a Router Advertisement with the 'M' flag set, as described
- in section 5.5.3 of RFC 2462. In addition, in the absence of a
- router, those IPv6 Nodes that use DHCP for address assignment MUST
- initiate DHCP to obtain IPv6 addresses and other configuration
- information, as described in section 5.5.2 of RFC 2462. Those IPv6
- nodes that do not use DHCP for address assignment can ignore the 'M'
-
-
-
-Loughney (editor) February 16, 2004 [Page 9]
-
-
-
-
-
-Internet-Draft
-
-
- flag in Router Advertisements.
-
-5.3.2 Other Configuration Information
-
- Those IPv6 Nodes that use DHCP to obtain other configuration
- information initiate DHCP for other configuration information upon
- receipt of a Router Advertisement with the 'O' flag set, as described
- in section 5.5.3 of RFC 2462. Those IPv6 nodes that do not use DHCP
- for other configuration information can ignore the 'O' flag in Router
- Advertisements.
-
- An IPv6 Node can use the subset of DHCP described in [DHCPv6-SL] to
- obtain other configuration information.
-
-6. IPv4 Support and Transition
-
- IPv6 nodes MAY support IPv4.
-
-6.1 Transition Mechanisms
-
-6.1.1 Transition Mechanisms for IPv6 Hosts and Routers - RFC2893
-
- If an IPv6 node implements dual stack and tunneling, then RFC2893
- MUST be supported.
-
- RFC 2893 is currently being updated.
-
-7. Mobile IP
-
- The Mobile IPv6 [MIPv6] specification defines requirements for the
- following types of nodes:
-
- - mobile nodes
- - correspondent nodes with support for route optimization
- - home agents
- - all IPv6 routers
-
- Hosts MAY support mobile node functionality described in Section 8.5
- of [MIPv6], including support of generic packet tunneling [RFC-2473]
- and secure home agent communications [MIPv6-HASEC].
-
- Hosts SHOULD support route optimization requirements for
- correspondent nodes described in Section 8.2 of [MIPv6].
-
- Routers SHOULD support the generic mobility-related requirements for
- all IPv6 routers described in Section 8.3 of [MIPv6]. Routers MAY
- support the home agent functionality described in Section 8.4 of
- [MIPv6], including support of [RFC-2473] and [MIPv6-HASEC].
-
-
-
-Loughney (editor) February 16, 2004 [Page 10]
-
-
-
-
-
-Internet-Draft
-
-
-8. Security
-
- This section describes the specification of IPsec for the IPv6 node.
-
-8.1 Basic Architecture
-
- Security Architecture for the Internet Protocol [RFC-2401] MUST be
- supported. RFC-2401 is being updated by the IPsec Working Group.
-
-8.2 Security Protocols
-
- ESP [RFC-2406] MUST be supported. AH [RFC-2402] MUST be supported.
- RFC- 2406 and RFC 2402 are being updated by the IPsec Working Group.
-
-
-8.3 Transforms and Algorithms
-
- Current IPsec RFCs specify the support of certain transforms and
- algorithms, NULL encryption, DES-CBC, HMAC-SHA-1-96, and HMAC-MD5-96.
- The requirements for these are discussed first, and then additional
- algorithms 3DES-CBC, AES-128-CBC and HMAC-SHA-256-96 are discussed.
-
- NULL encryption algorithm [RFC-2410] MUST be supported for providing
- integrity service and also for debugging use.
-
- The "ESP DES-CBC Cipher Algorithm With Explicit IV" [RFC-2405] SHOULD
- NOT be supported. Security issues related to the use of DES are
- discussed in [DESDIFF], [DESINT], [DESCRACK]. It is still listed as
- required by the existing IPsec RFCs, but as it is currently viewed as
- an inherently weak algorithm, and no longer fulfills its intended
- role.
-
- The NULL authentication algorithm [RFC-2406] MUST be supported within
- ESP. The use of HMAC-SHA-1-96 within AH and ESP, described in [RFC-
- 2404] MUST be supported. The use of HMAC-MD5-96 within AH and ESP,
- described in [RFC-2403] MUST be supported. An implementer MUST refer
- to Keyed- Hashing for Message Authentication [RFC-2104].
-
- 3DES-CBC does not suffer from the issues related to DES-CBC. 3DES-CBC
- and ESP CBC-Mode Cipher Algorithms [RFC-2451] MAY be supported. AES-
- CBC Cipher Algorithm [RFC-3602] MUST be supported, as it is expected
- to be a widely available, secure algorithm that is required for
- interoperability. It is not required by the current IPsec RFCs, but
- is expected to become required in the future.
-
- In addition to the above requirements, "Cryptographic Algorithm
- Implementation Requirements For ESP And AH" [CRYPTREQ] contains the
- current set of mandatory to implement algorithms for ESP and AH as
-
-
-
-Loughney (editor) February 16, 2004 [Page 11]
-
-
-
-
-
-Internet-Draft
-
-
- well as specifying algorithms that should be implemented because they
- may be promoted to mandatory at some future time. It is RECOMMENDED
- that IPv6 nodes conform to the requirements in this document.
-
-8.4 Key Management Methods
-
- Manual keying MUST be supported.
-
- IKE [RFC-2407] [RFC-2408] [RFC-2409] MAY be supported for unicast
- traffic. Where key refresh, anti-replay features of AH and ESP, or
- on- demand creation of Security Associations (SAs) is required,
- automated keying MUST be supported. Note that the IPsec WG is working
- on the successor to IKE [IKE2]. Key management methods for multicast
- traffic are also being worked on by the MSEC WG.
-
- "Cryptographic Algorithms for use in the Internet Key Exchange
- Version 2" [IKEv2ALGO] defines the current set of mandatory to
- implement algorithms for use of IKEv2 as well as specifying
- algorithms that should be implemented because they made be promoted
- to mandatory at some future time. It is RECOMMENDED that IPv6 nodes
- implementing IKEv2 conform to the requirements in this
- document.
-
-9. Router-Specific Functionality
-
- This section defines general host considerations for IPv6 nodes that
- act as routers. Currently, this section does not discuss routing-
- specific requirements.
-
-9.1 General
-
-9.1.1 IPv6 Router Alert Option - RFC2711
-
-
- The IPv6 Router Alert Option [RFC-2711] is an optional IPv6 Hop-by-
- Hop Header that is used in conjunction with some protocols (e.g.,
- RSVP [RFC- 2205], or MLD [RFC-2710]). The Router Alert option will
- need to be implemented whenever protocols that mandate its usage are
- implemented. See Section 4.6.
-
-9.1.2 Neighbor Discovery for IPv6 - RFC2461
-
- Sending Router Advertisements and processing Router Solicitation MUST
- be supported.
-
-10. Network Management
-
- Network Management MAY be supported by IPv6 nodes. However, for IPv6
-
-
-
-Loughney (editor) February 16, 2004 [Page 12]
-
-
-
-
-
-Internet-Draft
-
-
- nodes that are embedded devices, network management may be the only
- possibility to control these nodes.
-
-10.1 Management Information Base Modules (MIBs)
-
- The following two MIBs SHOULD be supported by nodes that support an
- SNMP agent.
-
-10.1.1 IP Forwarding Table MIB
-
- IP Forwarding Table MIB [RFC-2096BIS] SHOULD be supported by nodes
- that support an SNMP agent.
-
-10.1.2 Management Information Base for the Internet Protocol (IP)
-
- IP MIB [RFC-2011BIS] SHOULD be supported by nodes that support an
- SNMP agent.
-
-11. Security Considerations
-
- This draft does not affect the security of the Internet, but
- implementations of IPv6 are expected to support a minimum set of
- security features to ensure security on the Internet. "IP Security
- Document Roadmap" [RFC-2411] is important for everyone to read.
-
- The security considerations in RFC2460 describe the following:
-
- The security features of IPv6 are described in the Security
- Architecture for the Internet Protocol [RFC-2401].
-
-12. References
-
-12.1 Normative
-
- [CRYPTREQ] D. Eastlake 3rd, "Cryptographic Algorithm Implementa-
- tion Requirements For ESP And AH", draft-ietf-ipsec-
- esp-ah-algorithms-01.txt, January 2004.
-
- [IKEv2ALGO] J. Schiller, "Cryptographic Algorithms for use in the
- Internet Key Exchange Version 2", draft-ietf-ipsec-
- ikev2-algorithms-04.txt, Work in Progress.
-
- [DHCPv6-SL] R. Droms, "A Guide to Implementing Stateless DHCPv6
- Service", draft- ietf-dhc-dhcpv6-stateless-00.txt,
- Work in Progress.
-
- [MIPv6] J. Arkko, D. Johnson and C. Perkins, "Mobility Support
- in IPv6", draft- ietf-mobileip-ipv6-24.txt, Work in
-
-
-
-Loughney (editor) February 16, 2004 [Page 13]
-
-
-
-
-
-Internet-Draft
-
-
- progress.
-
- [MIPv6-HASEC] J. Arkko, V. Devarapalli and F. Dupont, "Using IPsec
- to Protect Mobile IPv6 Signaling between Mobile Nodes
- and Home Agents", draft-ietf- mobileip-mipv6-ha-
- ipsec-06.txt, Work in Progress.
-
- [MLDv2] Vida, R. et al., "Multicast Listener Discovery Version
- 2 (MLDv2) for IPv6", draft-vida-mld-v2-07.txt, Work in
- Progress.
-
- [RFC-1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC-1981] McCann, J., Mogul, J. and Deering, S., "Path MTU
- Discovery for IP version 6", RFC 1981, August 1996.
-
- [RFC-2096BIS] Haberman, B. and Wasserman, M., "IP Forwarding Table
- MIB", draft-ietf- ipv6-rfc2096-update-07.txt, Work in
- Progress.
-
- [RFC-2011BIS] Routhier, S (ed), "Management Information Base for the
- Internet Protocol (IP)", draft-ietf-ipv6-rfc2011-
- update-07.txt, Work in progress.
-
- [RFC-2104] Krawczyk, K., Bellare, M., and Canetti, R., "HMAC:
- Keyed-Hashing for Message Authentication", RFC 2104,
- February 1997.
-
- [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC-2401] Kent, S. and Atkinson, R., "Security Architecture for
- the Internet Protocol", RFC 2401, November 1998.
-
- [RFC-2402] Kent, S. and Atkinson, R., "IP Authentication
- Header", RFC 2402, November 1998.
-
- [RFC-2403] Madson, C., and Glenn, R., "The Use of HMAC-MD5 within
- ESP and AH", RFC 2403, November 1998.
-
- [RFC-2404] Madson, C., and Glenn, R., "The Use of HMAC-SHA-1
- within ESP and AH", RFC 2404, November 1998.
-
- [RFC-2405] Madson, C. and Doraswamy, N., "The ESP DES-CBC Cipher
- Algorithm With Explicit IV", RFC 2405, November 1998.
-
- [RFC-2406] Kent, S. and Atkinson, R., "IP Encapsulating Security
-
-
-
-Loughney (editor) February 16, 2004 [Page 14]
-
-
-
-
-
-Internet-Draft
-
-
- Protocol (ESP)", RFC 2406, November 1998.
-
- [RFC-2407] Piper, D., "The Internet IP Security Domain of
- Interpretation for ISAKMP", RFC 2407, November 1998.
-
- [RFC-2408] Maughan, D., Schertler, M., Schneider, M., and Turner,
- J., "Internet Security Association and Key Management
- Protocol (ISAKMP)", RFC 2408, November 1998.
-
- [RFC-2409] Harkins, D., and Carrel, D., "The Internet Key
- Exchange (IKE)", RFC 2409, November 1998.
-
- [RFC-2410] Glenn, R. and Kent, S., "The NULL Encryption Algorithm
- and Its Use With IPsec", RFC 2410, November 1998.
-
- [RFC-2451] Pereira, R. and Adams, R., "The ESP CBC-Mode Cipher
- Algorithms", RFC 2451, November 1998.
-
- [RFC-2460] Deering, S. and Hinden, R., "Internet Protocol, Ver-
- sion 6 (IPv6) Specification", RFC 2460, December 1998.
-
- [RFC-2461] Narten, T., Nordmark, E. and Simpson, W., "Neighbor
- Discovery for IP Version 6 (IPv6)", RFC 2461, December
- 1998.
-
- [RFC-2462] Thomson, S. and Narten, T., "IPv6 Stateless Address
- Autoconfiguration", RFC 2462.
-
- [RFC-2463] Conta, A. and Deering, S., "ICMP for the Internet Pro-
- tocol Version 6 (IPv6)", RFC 2463, December 1998.
-
- [RFC-2472] Haskin, D. and Allen, E., "IP version 6 over PPP", RFC
- 2472, December 1998.
-
- [RFC-2473] Conta, A. and Deering, S., "Generic Packet Tunneling
- in IPv6 Specification", RFC 2473, December 1998. Xxx
- add
-
- [RFC-2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC-2710] Deering, S., Fenner, W. and Haberman, B., "Multicast
- Listener Discovery (MLD) for IPv6", RFC 2710, October
- 1999.
-
- [RFC-2711] Partridge, C. and Jackson, A., "IPv6 Router Alert
- Option", RFC 2711, October 1999.
-
-
-
-
-Loughney (editor) February 16, 2004 [Page 15]
-
-
-
-
-
-Internet-Draft
-
-
- [RFC-3041] Narten, T. and Draves, R., "Privacy Extensions for
- Stateless Address Autoconfiguration in IPv6", RFC
- 3041, January 2001.
-
- [RFC-3152] Bush, R., "Delegation of IP6.ARPA", RFC 3152, August
- 2001.
-
- [RFC-3315] Bound, J. et al., "Dynamic Host Configuration Protocol
- for IPv6 (DHCPv6)", RFC 3315, July 2003.
-
- [RFC-3363] Bush, R., et al., "Representing Internet Protocol ver-
- sion 6 (IPv6) Addresses in the Domain Name System
- (DNS)", RFC 3363, August 2002.
-
- [RFC-3484] Draves, R., "Default Address Selection for IPv6", RFC
- 3484, February 2003.
-
- [RFC-3513] Hinden, R. and Deering, S. "IP Version 6 Addressing
- Architecture", RFC 3513, April 2003.
-
- [RFC-3590] Haberman, B., "Source Address Selection for the Multi-
- cast Listener Discovery (MLD) Protocol", RFC 3590,
- September 2003.
-
- [RFC-3596] Thomson, S., et al., "DNS Extensions to support IP
- version 6", RFC 3596, October 2003.
-
- [RFC-3602] S. Frankel, "The AES-CBC Cipher Algorithm and Its Use
- with IPsec", RFC 3602, September 2003.
-
-12.2 Non-Normative
-
- [ANYCAST] Hagino, J and Ettikan K., "An Analysis of IPv6 Anycast",
- draft-ietf- ipngwg-ipv6-anycast-analysis-02.txt, Work in
- Progress.
-
- [DESDIFF] Biham, E., Shamir, A., "Differential Cryptanalysis of
- DES-like cryptosystems", Journal of Cryptology Vol 4, Jan
- 1991.
-
- [DESCRACK] Cracking DES, O'Reilly & Associates, Sebastapol, CA 2000.
-
- [DESINT] Bellovin, S., "An Issue With DES-CBC When Used Without
- Strong Integrity", Proceedings of the 32nd IETF, Danvers,
- MA, April 1995.
-
- [DHCPv6-SL] Droms, R., "A Guide to Implementing Stateless DHCPv6 Ser-
- vice", draft- ietf-dhc-dhcpv6-stateless-02.txt, Work in
-
-
-
-Loughney (editor) February 16, 2004 [Page 16]
-
-
-
-
-
-Internet-Draft
-
-
- Progress.
-
- [DNSSEC-INTRO] Arends, R., Austein, R., Larson, M., Massey, D. and Rose,
- S., "DNS Security Introduction and Requirements" draft-
- ietf-dnsext-dnssec-intro- 06.txt, Work in Progress.
-
- [DNSSEC-REC] Arends, R., Austein, R., Larson, M., Massey, D. and Rose,
- S., "Resource Records for the DNS Security Extensions",
- draft-ietf-dnsext-dnssec- records-04.txt, Work in Pro-
- gress.
-
- [DNSSEC-PROT] Arends, R., Austein, R., Larson, M., Massey, D. and Rose,
- S., "Protocol Modifications for the DNS Security Exten-
- sions", draft-ietf-dnsext- dnssec-protocol-02.txt, Work
- in Progress.
-
- [IKE2] Kaufman, C. (ed), "Internet Key Exchange (IKEv2) Proto-
- col", draft-ietf- ipsec-ikev2-10.txt, Work in Progress.
-
- [IPv6-RH] P. Savola, "Security of IPv6 Routing Header and Home
- Address Options", draft-savola-ipv6-rh-ha-security-
- 03.txt, Work in Progress, March 2002.
-
- [MC-THREAT] Ballardie A. and Crowcroft, J.; Multicast-Specific Secu-
- rity Threats and Counter-Measures; In Proceedings "Sympo-
- sium on Network and Distributed System Security", Febru-
- ary 1995, pp.2-16.
-
- [RFC-793] Postel, J., "Transmission Control Protocol", RFC 793,
- August 1980.
-
- [RFC-1034] Mockapetris, P., "Domain names - concepts and facili-
- ties", RFC 1034, November 1987.
-
- [RFC-2147] Borman, D., "TCP and UDP over IPv6 Jumbograms", RFC 2147,
- May 1997.
-
- [RFC-2205] Braden, B. (ed.), Zhang, L., Berson, S., Herzog, S. and
- S. Jamin, "Resource ReSerVation Protocol (RSVP)", RFC
- 2205, September 1997.
-
- [RFC-2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet
- Networks", RFC 2462, December 1998.
-
- [RFC-2492] G. Armitage, M. Jork, P. Schulter, G. Harter, IPv6 over
- ATM Networks", RFC 2492, January 1999.
-
- [RFC-2675] Borman, D., Deering, S. and Hinden, B., "IPv6
-
-
-
-Loughney (editor) February 16, 2004 [Page 17]
-
-
-
-
-
-Internet-Draft
-
-
- Jumbograms", RFC 2675, August 1999.
-
- [RFC-2732] R. Hinden, B. Carpenter, L. Masinter, "Format for Literal
- IPv6 Addresses in URL's", RFC 2732, December 1999.
-
- [RFC-2851] M. Daniele, B. Haberman, S. Routhier, J. Schoenwaelder,
- "Textual Conventions for Internet Network Addresses", RFC
- 2851, June 2000.
-
- [RFC-2893] Gilligan, R. and Nordmark, E., "Transition Mechanisms for
- IPv6 Hosts and Routers", RFC 2893, August 2000.
-
- [RFC-3569] S. Bhattacharyya, Ed., "An Overview of Source-Specific
- Multicast (SSM)", RFC 3569, July 2003.
-
- [SSM-ARCH] H. Holbrook, B. Cain, "Source-Specific Multicast for IP",
- draft-ietf- ssm-arch-03.txt, Work in Progress.
-
-13. Authors and Acknowledgements
-
- This document was written by the IPv6 Node Requirements design team:
-
- Jari Arkko
- [jari.arkko@ericsson.com]
-
- Marc Blanchet
- [marc.blanchet@viagenie.qc.ca]
-
- Samita Chakrabarti
- [samita.chakrabarti@eng.sun.com]
-
- Alain Durand
- [alain.durand@sun.com]
-
- Gerard Gastaud
- [gerard.gastaud@alcatel.fr]
-
- Jun-ichiro itojun Hagino
- [itojun@iijlab.net]
-
- Atsushi Inoue
- [inoue@isl.rdc.toshiba.co.jp]
-
- Masahiro Ishiyama
- [masahiro@isl.rdc.toshiba.co.jp]
-
- John Loughney
- [john.loughney@nokia.com]
-
-
-
-Loughney (editor) February 16, 2004 [Page 18]
-
-
-
-
-
-Internet-Draft
-
-
- Rajiv Raghunarayan
- [raraghun@cisco.com]
-
- Shoichi Sakane
- [shouichi.sakane@jp.yokogawa.com]
-
- Dave Thaler
- [dthaler@windows.microsoft.com]
-
- Juha Wiljakka
- [juha.wiljakka@Nokia.com]
-
- The authors would like to thank Ran Atkinson, Jim Bound, Brian Car-
- penter, Ralph Droms, Christian Huitema, Adam Machalek, Thomas Narten,
- Juha Ollila and Pekka Savola for their comments.
-
-14. Editor's Contact Information
-
- Comments or questions regarding this document should be sent to the
- IPv6 Working Group mailing list (ipv6@ietf.org) or to:
-
- John Loughney
- Nokia Research Center
- Itamerenkatu 11-13
- 00180 Helsinki
- Finland
-
- Phone: +358 50 483 6242
- Email: John.Loughney@Nokia.com
-
-Notices
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to per-
- tain to the implementation or use of the technology described in this
- document or the extent to which any license under such rights might
- or might not be available; neither does it represent that it has made
- any effort to identify any such rights. Information on the IETF's
- procedures with respect to rights in standards-track and standards-
- related documentation can be found in BCP-11. Copies of claims of
- rights made available for publication and any assurances of licenses
- to be made available, or the result of an attempt made to obtain a
- general license or permission for the use of such proprietary rights
- by implementors or users of this specification can be obtained from
- the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
-
-
-
-Loughney (editor) February 16, 2004 [Page 19]
-
-
-
-
-
-Internet-Draft
-
-
- rights, which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Loughney (editor) February 16, 2004 [Page 20]
-
-
diff --git a/contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt b/contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt
deleted file mode 100644
index a272d81b0a60..000000000000
--- a/contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt
+++ /dev/null
@@ -1,614 +0,0 @@
-Secure Shell Working Group J. Schlyter
-Internet-Draft OpenSSH
-Expires: March 5, 2004 W. Griffin
- SPARTA
- September 5, 2003
-
-
- Using DNS to Securely Publish SSH Key Fingerprints
- draft-ietf-secsh-dns-05.txt
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that other
- groups may also distribute working documents as Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at http://
- www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on March 5, 2004.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document describes a method to verify SSH host keys using
- DNSSEC. The document defines a new DNS resource record that contains
- a standard SSH key fingerprint.
-
-
-
-
-
-
-
-
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 1]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. SSH Host Key Verification . . . . . . . . . . . . . . . . . 3
- 2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2.2 Implementation Notes . . . . . . . . . . . . . . . . . . . . 3
- 2.3 Fingerprint Matching . . . . . . . . . . . . . . . . . . . . 4
- 2.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . 4
- 3. The SSHFP Resource Record . . . . . . . . . . . . . . . . . 4
- 3.1 The SSHFP RDATA Format . . . . . . . . . . . . . . . . . . . 5
- 3.1.1 Algorithm Number Specification . . . . . . . . . . . . . . . 5
- 3.1.2 Fingerprint Type Specification . . . . . . . . . . . . . . . 5
- 3.1.3 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 5
- 3.2 Presentation Format of the SSHFP RR . . . . . . . . . . . . 6
- 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
- Normative References . . . . . . . . . . . . . . . . . . . . 8
- Informational References . . . . . . . . . . . . . . . . . . 8
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 9
- A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
- Intellectual Property and Copyright Statements . . . . . . . 10
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 2]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
-1. Introduction
-
- The SSH [6] protocol provides secure remote login and other secure
- network services over an insecure network. The security of the
- connection relies on the server authenticating itself to the client
- as well as the user authenticating itself to the server.
-
- If a connection is established to a server whose public key is not
- already known to the client, a fingerprint of the key is presented to
- the user for verification. If the user decides that the fingerprint
- is correct and accepts the key, the key is saved locally and used for
- verification for all following connections. While some
- security-conscious users verify the fingerprint out-of-band before
- accepting the key, many users blindly accept the presented key.
-
- The method described here can provide out-of-band verification by
- looking up a fingerprint of the server public key in the DNS [1][2]
- and using DNSSEC [5] to verify the lookup.
-
- In order to distribute the fingerprint using DNS, this document
- defines a new DNS resource record, "SSHFP", to carry the fingerprint.
-
- Basic understanding of the DNS system [1][2] and the DNS security
- extensions [5] is assumed by this document.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [3].
-
-2. SSH Host Key Verification
-
-2.1 Method
-
- Upon connection to a SSH server, the SSH client MAY look up the SSHFP
- resource record(s) for the host it is connecting to. If the
- algorithm and fingerprint of the key received from the SSH server
- match the algorithm and fingerprint of one of the SSHFP resource
- record(s) returned from DNS, the client MAY accept the identity of
- the server.
-
-2.2 Implementation Notes
-
- Client implementors SHOULD provide a configurable policy used to
- select the order of methods used to verify a host key. This document
- defines one method: Fingerprint storage in DNS. Another method
- defined in the SSH Architecture [6] uses local files to store keys
- for comparison. Other methods that could be defined in the future
- might include storing fingerprints in LDAP or other databases. A
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 3]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
- configurable policy will allow administrators to determine which
- methods they want to use and in what order the methods should be
- prioritized. This will allow administrators to determine how much
- trust they want to place in the different methods.
-
- One specific scenario for having a configurable policy is where
- clients do not use fully qualified host names to connect to servers.
- In this scenario, the implementation SHOULD verify the host key
- against a local database before verifying the key via the fingerprint
- returned from DNS. This would help prevent an attacker from injecting
- a DNS search path into the local resolver and forcing the client to
- connect to a different host.
-
-2.3 Fingerprint Matching
-
- The public key and the SSHFP resource record are matched together by
- comparing algorithm number and fingerprint.
-
- The public key algorithm and the SSHFP algorithm number MUST
- match.
-
- A message digest of the public key, using the message digest
- algorithm specified in the SSHFP fingerprint type, MUST match the
- SSHFP fingerprint.
-
-
-2.4 Authentication
-
- A public key verified using this method MUST NOT be trusted if the
- SSHFP resource record (RR) used for verification was not
- authenticated by a trusted SIG RR.
-
- Clients that do validate the DNSSEC signatures themselves SHOULD use
- standard DNSSEC validation procedures.
-
- Clients that do not validate the DNSSEC signatures themselves MUST
- use a secure transport, e.g. TSIG [9], SIG(0) [10] or IPsec [8],
- between themselves and the entity performing the signature
- validation.
-
-3. The SSHFP Resource Record
-
- The SSHFP resource record (RR) is used to store a fingerprint of a
- SSH public host key that is associated with a Domain Name System
- (DNS) name.
-
- The RR type code for the SSHFP RR is TBA.
-
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 4]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
-3.1 The SSHFP RDATA Format
-
- The RDATA for a SSHFP RR consists of an algorithm number, fingerprint
- type and the fingerprint of the public host key.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | algorithm | fp type | /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
- / /
- / fingerprint /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
-3.1.1 Algorithm Number Specification
-
- This algorithm number octet describes the algorithm of the public
- key. The following values are assigned:
-
- Value Algorithm name
- ----- --------------
- 0 reserved
- 1 RSA
- 2 DSS
-
- Reserving other types requires IETF consensus [4].
-
-3.1.2 Fingerprint Type Specification
-
- The fingerprint type octet describes the message-digest algorithm
- used to calculate the fingerprint of the public key. The following
- values are assigned:
-
- Value Fingerprint type
- ----- ----------------
- 0 reserved
- 1 SHA-1
-
- Reserving other types requires IETF consensus [4].
-
- For interoperability reasons, as few fingerprint types as possible
- should be reserved. The only reason to reserve additional types is
- to increase security.
-
-3.1.3 Fingerprint
-
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 5]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
- The fingerprint is calculated over the public key blob as described
- in [7].
-
- The message-digest algorithm is presumed to produce an opaque octet
- string output which is placed as-is in the RDATA fingerprint field.
-
-3.2 Presentation Format of the SSHFP RR
-
- The RDATA of the presentation format of the SSHFP resource record
- consists of two numbers (algorithm and fingerprint type) followed by
- the fingerprint itself presented in hex, e.g:
-
- host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
-
- The use of mnemonics instead of numbers is not allowed.
-
-4. Security Considerations
-
- Currently, the amount of trust a user can realistically place in a
- server key is proportional to the amount of attention paid to
- verifying that the public key presented actually corresponds to the
- private key of the server. If a user accepts a key without verifying
- the fingerprint with something learned through a secured channel, the
- connection is vulnerable to a man-in-the-middle attack.
-
- The overall security of using SSHFP for SSH host key verification is
- dependent on the security policies of the SSH host administrator and
- DNS zone administrator (in transferring the fingerprint), detailed
- aspects of how verification is done in the SSH implementation, and in
- the client's diligence in accessing the DNS in a secure manner.
-
- One such aspect is in which order fingerprints are looked up (e.g.
- first checking local file and then SSHFP). We note that in addition
- to protecting the first-time transfer of host keys, SSHFP can
- optionally be used for stronger host key protection.
-
- If SSHFP is checked first, new SSH host keys may be distributed by
- replacing the corresponding SSHFP in DNS.
-
- If SSH host key verification can be configured to require SSHFP,
- SSH host key revocation can be implemented by removing the
- corresponding SSHFP from DNS.
-
- As stated in Section 2.2, we recommend that SSH implementors provide
- a policy mechanism to control the order of methods used for host key
- verification. One specific scenario for having a configurable policy
- is where clients use unqualified host names to connect to servers. In
- this case, we recommend that SSH implementations check the host key
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 6]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
- against a local database before verifying the key via the fingerprint
- returned from DNS. This would help prevent an attacker from injecting
- a DNS search path into the local resolver and forcing the client to
- connect to a different host.
-
- A different approach to solve the DNS search path issue would be for
- clients to use a trusted DNS search path, i.e., one not acquired
- through DHCP or other autoconfiguration mechanisms. Since there is no
- way with current DNS lookup APIs to tell whether a search path is
- from a trusted source, the entire client system would need to be
- configured with this trusted DNS search path.
-
- Another dependency is on the implementation of DNSSEC itself. As
- stated in Section 2.4, we mandate the use of secure methods for
- lookup and that SSHFP RRs are authenticated by trusted SIG RRs. This
- is especially important if SSHFP is to be used as a basis for host
- key rollover and/or revocation, as described above.
-
- Since DNSSEC only protects the integrity of the host key fingerprint
- after it is signed by the DNS zone administrator, the fingerprint
- must be transferred securely from the SSH host administrator to the
- DNS zone administrator. This could be done manually between the
- administrators or automatically using secure DNS dynamic update [11]
- between the SSH server and the nameserver. We note that this is no
- different from other key enrollment situations, e.g. a client sending
- a certificate request to a certificate authority for signing.
-
-5. IANA Considerations
-
- IANA needs to allocate a RR type code for SSHFP from the standard RR
- type space (type 44 requested).
-
- IANA needs to open a new registry for the SSHFP RR type for public
- key algorithms. Defined types are:
-
- 0 is reserved
- 1 is RSA
- 2 is DSA
-
- Adding new reservations requires IETF consensus [4].
-
- IANA needs to open a new registry for the SSHFP RR type for
- fingerprint types. Defined types are:
-
- 0 is reserved
- 1 is SHA-1
-
- Adding new reservations requires IETF consensus [4].
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 7]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
-Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [4] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
- [5] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [6] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
- Lehtinen, "SSH Protocol Architecture",
- draft-ietf-secsh-architecture-14 (work in progress), July 2003.
-
- [7] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
- Lehtinen, "SSH Transport Layer Protocol",
- draft-ietf-secsh-transport-16 (work in progress), July 2003.
-
-Informational References
-
- [8] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security Document
- Roadmap", RFC 2411, November 1998.
-
- [9] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC
- 2845, May 2000.
-
- [10] Eastlake, D., "DNS Request and Transaction Signatures (
- SIG(0)s)", RFC 2931, September 2000.
-
- [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 8]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
-Authors' Addresses
-
- Jakob Schlyter
- OpenSSH
- 812 23rd Avenue SE
- Calgary, Alberta T2G 1N8
- Canada
-
- EMail: jakob@openssh.com
- URI: http://www.openssh.com/
-
-
- Wesley Griffin
- SPARTA
- 7075 Samuel Morse Drive
- Columbia, MD 21046
- USA
-
- EMail: wgriffin@sparta.com
- URI: http://www.sparta.com/
-
-Appendix A. Acknowledgements
-
- The authors gratefully acknowledge, in no particular order, the
- contributions of the following persons:
-
- Martin Fredriksson
-
- Olafur Gudmundsson
-
- Edward Lewis
-
- Bill Sommerfeld
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 9]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
-Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 10]
-
-Internet-Draft DNS and SSH Fingerprints September 2003
-
-
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Schlyter & Griffin Expires March 5, 2004 [Page 11]
-
diff --git a/contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt b/contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt
deleted file mode 100644
index 3578d2a15eb8..000000000000
--- a/contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt
+++ /dev/null
@@ -1,519 +0,0 @@
-
-Internet Draft Johan Ihren
-draft-ihren-dnsext-threshold-validation-00.txt Autonomica
-February 2003
-Expires in six months
-
-
- Threshold Validation:
-
- A Mechanism for Improved Trust and Redundancy for DNSSEC Keys
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-Abstract
-
- This memo documents a proposal for a different method of validation
- for DNSSEC aware resolvers. The key change is that by changing from
- a model of one Key Signing Key, KSK, at a time to multiple KSKs it
- will be possible to increase the aggregated trust in the signed
- keys by leveraging from the trust associated with the different
- signees.
-
- By having multiple keys to chose from validating resolvers get the
- opportunity to use local policy to reflect actual trust in
- different keys. For instance, it is possible to trust a single,
- particular key ultimately, while requiring multiple valid
- signatures by less trusted keys for validation to succeed.
- Furthermore, with multiple KSKs there are additional redundancy
- benefits available since it is possible to roll over different KSKs
- at different times which may make rollover scenarios easier to
- manage.
-
-Contents
-
- 1. Terminology
- 2. Introduction and Background
-
- 3. Trust in DNSSEC Keys
- 3.1. Key Management, Split Keys and Trust Models
- 3.2. Trust Expansion: Authentication versus Authorization
-
- 4. Proposed Semantics for Signing the KEY Resource Record
- Set
- 4.1. Packet Size Considerations
-
- 5. Proposed Use of Multiple "Trusted Keys" in a Validating
- Resolver
- 5.1. Not All Possible KSKs Need to Be Trusted
- 5.2. Possible to do Threshold Validation
- 5.3. Not All Trusted Keys Will Be Available
-
- 6. Additional Benefits from Having Multiple KSKs
- 6.1. More Robust Key Rollovers
- 6.2. Evaluation of Multiple Key Distribution Mechanisms
-
- 7. Security Considerations
- 8. IANA Considerations.
- 9. References
- 9.1. Normative.
- 9.2. Informative.
- 10. Acknowledgments.
- 11. Authors' Address
-
-
-1. Terminology
-
- The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
- and "MAY" in this document are to be interpreted as described in
- RFC 2119.
-
- The term "zone" refers to the unit of administrative control in the
- Domain Name System. "Name server" denotes a DNS name server that is
- authoritative (i.e. knows all there is to know) for a DNS zone,
- typically the root zone. A "resolver", is a DNS "client", i.e. an
- entity that sends DNS queries to authoritative nameservers and
- interpret the results. A "validating resolver" is a resolver that
- attempts to perform DNSSEC validation on data it retrieves by doing
- DNS lookups.
-
-
-2. Introduction and Background
-
- From a protocol perspective there is no real difference between
- different keys in DNSSEC. They are all just keys. However, in
- actual use there is lots of difference. First and foremost, most
- DNSSEC keys have in-band verification. I.e. the keys are signed by
- some other key, and this other key is in its turn also signed by
- yet another key. This way a "chain of trust" is created. Such
- chains have to end in what is referred to as a "trusted key" for
- validation of DNS lookups to be possible.
-
- A "trusted key" is a the public part of a key that the resolver
- acquired by some other means than by looking it up in DNS. The
- trusted key has to be explicitly configured.
-
- A node in the DNS hierarchy that issues such out-of-band "trusted
- keys" is called a "security apex" and the trusted key for that apex
- is the ultimate source of trust for all DNS lookups within that
- entire subtree.
-
- DNSSEC is designed to be able to work with more than on security
- apex. These apexes will all share the problem of how to distribute
- their "trusted keys" in a way that provides validating resolvers
- confidence in the distributed keys.
-
- Maximizing that confidence is crucial to the usefulness of DNSSEC
- and this document tries to address this issue.
-
-
-3. Trust in DNSSEC Keys
-
- In the end the trust that a validating resolver will be able to put
- in a key that it cannot validate within DNSSEC will have to be a
- function of
-
- * trust in the key issuer, aka the KSK holder
-
- * trust in the distribution method
-
- * trust in extra, out-of-band verification
-
- The KSK holder needs to be trusted not to accidentally lose private
- keys in public places. Furthermore it needs to be trusted to
- perform correct identification of the ZSK holders in case they are
- separate from the KSK holder itself.
-
- The distribution mechanism can be more or less tamper-proof. If the
- key holder publishes the public key, or perhaps just a secure
- fingerprint of the key in a major newspaper it may be rather
- difficult to tamper with. A key acquired that way may be easier to
- trust than if it had just been downloaded from a web page.
-
- Out-of-band verification can for instance be the key being signed
- by a certificate issued by a known Certificate Authority that the
- resolver has reason to trust.
-
-3.1. Simplicity vs Trust
-
- The fewer keys that are in use the simpler the key management
- becomes. Therefore increasing the number of keys should only be
- considered when the complexity is not the major concern. A perfect
- example of this is the distinction between so called Key Signing
- Keys, KSK, and Zone Signing Keys, ZSK. This distinction adds
- overall complexity but simplifies real life operations and was an
- overall gain since operational simplification was considered to be
- a more crucial issue than the added complexity.
-
- In the case of a security apex there are additional issues to
- consider, among them
-
- * maximizing trust in the KSK received out-of-band
-
- * authenticating the legitimacy of the ZSKs used
-
- In some cases this will be easy, since the same entity will manage
- both ZSKs and KSKs (i.e. it will authenticate itself, somewhat
- similar to a self-signed certificate). In some environments it will
- be possible to get the trusted key installed in the resolver end by
- decree (this would seem to be a likely method within corporate and
- government environments).
-
- In other cases, however, this will possibly not be sufficient. In
- the case of the root zone this is obvious, but there may well be
- other cases.
-
-3.2. Expanding the "Trust Base"
-
- For a security apex where the ZSKs and KSK are not held by the same
- entity the KSK will effectively authenticate the identity of
- whoever does real operational zone signing. The amount of trust
- that the data signed by a ZSK will get is directly dependent on
- whether the end resolver trusts the KSK or not, since the resolver
- has no OOB access to the public part of the ZSKs (for practical
- reasons).
-
- Since the KSK holder is distinct from the ZSK holder the obvious
- question is whether it would then be possible to further improve
- the situation by using multiple KSK holders and thereby expanding
- the trust base to the union of that available to each individual
- KSK holder. "Trust base" is an invented term intended to signify
- the aggregate of Internet resolvers that will eventually choose to
- trust a key issued by a particular KSK holder.
-
- A crucial issue when considering trust expansion through addition
- of multiple KSK holders is that the KSK holders are only used to
- authenticate the ZSKs used for signing the zone. I.e. the function
- performed by the KSK is basically:
-
- "This is indeed the official ZSK holder for this zone,
- I've verified this fact to the best of my abilitites."
-
- Which can be thought of as similar to the service of a public
- notary. I.e. the point with adding more KSK holders is to improve
- the public trust in data signed by the ZSK holders by improving the
- strength of available authentication.
-
- Therefore adding more KSK holders, each with their own trust base,
- is by definition a good thing. More authentication is not
- controversial. On the contrary, when it comes to authentication,
- the more the merrier.
-
-
-4. Proposed Semantics for Signing the KEY Resource Record Set
-
- In DNSSEC according to RFC2535 all KEY Resource Records are used to
- sign all authoritative data in the zone, including the KEY RRset
- itself, since RFC2535 makes no distinction between Key Signing
- Keys, KSK, and Zone Signing Keys, ZSK. With Delegation Signer [DS]
- it is possible to change this to the KEY RRset being signed with
- all KSKs and ZSKs but the rest of the zone only being signed by the
- ZSKs.
-
- This proposal changes this one step further, by recommending that
- the KEY RRset is only signed by the Key Signing Keys, KSK, and
- explicitly not by the Zone Signing Keys, ZSK. The reason for this
- is to maximize the amount of space in the DNS response packet that
- is available for additional KSKs and signatures thereof. The rest
- of the authoritative zone contents are as previously signed by only
- the ZSKs.
-
-4.1. Packet Size Considerations
-
- The reason for the change is to keep down the size of the aggregate
- of KEY RRset plus SIG(KEY) that resolvers will need to acquire to
- perform validation of data below a security apex. For DNSSEC data
- to be returned the DNSSEC OK bit in the EDNS0 OPT Record has to be
- set, and therefore the allowed packet size can be assumed to be at
- least the EDNS0 minimum of 4000 bytes.
-
- When querying for KEY + SIG(KEY) for "." (the case that is assumed
- to be most crucial) the size of the response packet after the
- change to only sign the KEY RR with the KSKs break down into a
- rather large space of possibilities. Here are a few examples for
- the possible alternatives for different numbers of KSKs and ZSKs
- for some different key lengths (all RSA keys, with a public
- exponent that is < 254). This is all based upon the size of the
- response for the particular example of querying for
-
- ". KEY IN"
-
- with a response of entire KEY + SIG(KEY) with the authority and
- additional sections empty:
-
- ZSK/768 and KSK/1024 (real small)
- Max 12 KSK + 3 ZSK at 3975
- 10 KSK + 8 ZSK at 3934
- 8 KSK + 13 ZSK at 3893
-
- ZSK/768 + KSK/1280
- MAX 10 KSK + 2 ZSK at 3913
- 8 KSK + 9 ZSK at 3970
- 6 KSK + 15 ZSK at 3914
-
- ZSK/768 + KSK/1536
- MAX 8 KSK + 4 ZSK at 3917
- 7 KSK + 8 ZSK at 3938
- 6 KSK + 12 ZSK at 3959
-
- ZSK/768 + KSK/2048
- MAX 6 KSK + 5 ZSK at 3936
- 5 KSK + 10 ZSK at 3942
-
- ZSK/1024 + KSK/1024
- MAX 12 KSK + 2 ZSK at 3943
- 11 KSK + 4 ZSK at 3930
- 10 KSK + 6 ZSK at 3917
- 8 KSK + 10 ZSK at 3891
-
- ZSK/1024 + KSK/1536
- MAX 8 KSK + 3 ZSK at 3900
- 7 KSK + 6 ZSK at 3904
- 6 KSK + 9 ZSK at 3908
-
- ZSK/1024 + KSK/2048
- MAX 6 KSK + 4 ZSK at 3951
- 5 KSK + 8 ZSK at 3972
- 4 KSK + 12 ZSK at 3993
-
- Note that these are just examples and this document is not making
- any recommendations on suitable choices of either key lengths nor
- number of different keys employed at a security apex.
-
- This document does however, based upon the above figures, make the
- recommendation that at a security apex that expects to distribute
- "trusted keys" the KEY RRset should only be signed with the KSKs
- and not with the ZSKs to keep the size of the response packets
- down.
-
-
-5. Proposed Use of Multiple "Trusted Keys" in a Validating Resolver
-
- In DNSSEC according to RFC2535[RFC2535] validation is the process
- of tracing a chain of signatures (and keys) upwards through the DNS
- hierarchy until a "trusted key" is reached. If there is a known
- trusted key present at a security apex above the starting point
- validation becomes an exercise with a binary outcome: either the
- validation succeeds or it fails. No intermediate states are
- possible.
-
- With multiple "trusted keys" (i.e. the KEY RRset for the security
- apex signed by multiple KSKs) this changes into a more complicated
- space of alternatives. From the perspective of complexity that may
- be regarded as a change for the worse. However, from a perspective
- of maximizing available trust the multiple KSKs add value to the
- system.
-
-5.1. Possible to do Threshold Validation
-
- With multiple KSKs a new option that opens for the security
- concious resolver is to not trust a key individually. Instead the
- resolver may decide to require the validated signatures to exceed a
- threshold. For instance, given M trusted keys it is possible for
- the resolver to require N-of-M signatures to treat the data as
- validated.
-
- I.e. with the following pseudo-configuration in a validating
- resolver
-
- security-apex "." IN {
- keys { ksk-1 .... ;
- ksk-2 .... ;
- ksk-3 .... ;
- ksk-4 .... ;
- ksk-5 .... ;
- };
- validation {
- # Note that ksk-4 is not present below
- keys { ksk-1; ksk-2; ksk-3; ksk-5; };
- # 3 signatures needed with 4 possible keys, aka 75%
- needed-signatures 3;
- };
- };
-
- we configure five trusted keys for the root zone, but require two
- valid signatures for the top-most KEY for validation to
- succeed. I.e. threshold validation does not force multiple
- signatures on the entire signature chain, only on the top-most
- signature, closest to the security apex for which the resolver has
- trusted keys.
-
-5.2. Not All Trusted Keys Will Be Available
-
- With multiple KSKs held and managed by separate entities the end
- resolvers will not always manage to get access to all possible
- trusted keys. In the case of just a single KSK this would be fatal
- to validation and necessary to avoid at whatever cost. But with
- several fully trusted keys available the resolver can decide to
- trust several of them individually. An example based upon more
- pseudo-configuration:
-
- security-apex "." IN {
- keys { ksk-1 .... ;
- ksk-2 .... ;
- ksk-3 .... ;
- ksk-4 .... ;
- ksk-5 .... ;
- };
- validation {
- # Only these two keys are trusted independently
- keys { ksk-1; ksk-4; };
- # With these keys a single signature is sufficient
- needed-signatures 1;
- };
- };
-
- Here we have the same five keys and instruct the validating
- resolver to fully trust data that ends up with just one signature
- from by a fully trusted key.
-
- The typical case where this will be useful is for the case where
- there is a risk of the resolver not catching a rollover event by
- one of the KSKs. By doing rollovers of different KSKs with
- different schedules it is possible for a resolver to "survive"
- missing a rollover without validation breaking. This improves
- overall robustness from a management point of view.
-
-5.3. Not All Possible KSKs Need to Be Trusted
-
- With just one key available it simply has to be trusted, since that
- is the only option available. With multiple KSKs the validating
- resolver immediately get the option of implementing a local policy
- of only trusting some of the possible keys.
-
- This local policy can be implemented either by simply not
- configuring keys that are not trusted or, possibly, configure them
- but specify to the resolver that certain keys are not to be
- ultimately trusted alone.
-
-
-6. Additional Benefits from Having Multiple KSKs
-
-6.1. More Robust Key Rollovers
-
- With only one KSK the rollover operation will be a delicate
- operation since the new trusted key needs to reach every validating
- resolver before the old key is retired. For this reason it is
- expected that long periods of overlap will be needed.
-
- With multiple KSKs this changes into a system where different
- "series" of KSKs can have different rollover schedules, thereby
- changing from one "big" rollover to several "smaller" rollovers.
-
- If the resolver trusts several of the available keys individually
- then even a failure to track a certain rollover operation within
- the overlap period will not be fatal to validation since the other
- available trusted keys will be sufficient.
-
-6.2. Evaluation of Multiple Key Distribution Mechanisms
-
- Distribution of the trusted keys for the DNS root zone is
- recognized to be a difficult problem that ...
-
- With only one trusted key, from one single "source" to distribute
- it will be difficult to evaluate what distribution mechanism works
- best. With multiple KSKs, held by separate entitites it will be
- possible to measure how large fraction of the resolver population
- that is trusting what subsets of KSKs.
-
-
-7. Security Considerations
-
- From a systems perspective the simplest design is arguably the
- best, i.e. one single holder of both KSK and ZSKs. However, if that
- is not possible in all cases a more complex scheme is needed where
- additional trust is injected by using multiple KSK holders, each
- contributing trust, then there are only two alternatives
- available. The first is so called "split keys", where a single key
- is split up among KSK holders, each contributing trust. The second
- is the multiple KSK design outlined in this proposal.
-
- Both these alternatives provide for threshold mechanisms. However
- split keys makes the threshold integral to the key generating
- mechanism (i.e. it will be a property of the keys how many
- signatures are needed). In the case of multiple KSKs the threshold
- validation is not a property of the keys but rather local policy in
- the validating resolver. A benefit from this is that it is possible
- for different resolvers to use different trust policies. Some may
- configure threshold validation requiring multiple signatures and
- specific keys (optimizing for security) while others may choose to
- accept a single signature from a larger set of keys (optimizing for
- redundancy). Since the security requirements are different it would
- seem to be a good idea to make this choice local policy rather than
- global policy.
-
- Furthermore, a clear issue for validating resolvers will be how to
- ensure that they track all rollover events for keys they
- trust. Even with operlap during the rollover (which is clearly
- needed) there is still a need to be exceedingly careful not to miss
- any rollovers (or fail to acquire a new key) since without this
- single key validation will fail. With multiple KSKs this operation
- becomes more robust, since different KSKs may roll at different
- times according to different rollover schedules and losing one key,
- for whatever reason, will not be crucial unless the resolver
- intentionally chooses to be completely dependent on that exact key.
-
-8. IANA Considerations.
-
- NONE.
-
-
-9. References
-
-9.1. Normative.
-
- [RFC2535] Domain Name System Security Extensions. D. Eastlake.
- March 1999.
-
- [RFC3090] DNS Security Extension Clarification on Zone Status.
- E. Lewis. March 2001.
-
-
-9.2. Informative.
-
- [RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
- (DNS). D. Eastlake 3rd. May 2001.
-
- [RFC3225] Indicating Resolver Support of DNSSEC. D. Conrad.
- December 2001.
-
- [DS] Delegation Signer Resource Record.
- O. Gudmundsson. October 2002. Work In Progress.
-
-10. Acknowledgments.
-
- Bill Manning came up with the original idea of moving complexity
- from the signing side down to the resolver in the form of threshold
- validation. I've also had much appreciated help from (in no
- particular order) Jakob Schlyter, Paul Vixie, Olafur Gudmundson and
- Olaf Kolkman.
-
-
-11. Authors' Address
-Johan Ihren
-Autonomica AB
-Bellmansgatan 30
-SE-118 47 Stockholm, Sweden
-johani@autonomica.se
diff --git a/contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt b/contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt
deleted file mode 100644
index d857cd95806b..000000000000
--- a/contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt
+++ /dev/null
@@ -1,295 +0,0 @@
-
-
-
-Internet Engineering Task Force Akira Kato, WIDE
-INTERNET-DRAFT Paul Vixie, ISC
-Expires: August 24, 2003 February 24, 2003
-
-
- Operational Guidelines for "local" zones in the DNS
- draft-kato-dnsop-local-zones-00.txt
-
-Status of this Memo
-
-
-This document is an Internet-Draft and is in full conformance with all
-provisions of Section 10 of RFC2026.
-
-Internet-Drafts are working documents of the Internet Engineering Task
-Force (IETF), its areas, and its working groups. Note that other groups
-may also distribute working documents as Internet-Drafts.
-
-Internet-Drafts are draft documents valid for a maximum of six months
-and may be updated, replaced, or obsoleted by other documents at any
-time. It is inappropriate to use Internet-Drafts as reference material
-or to cite them other than as ``work in progress.''
-
-To view the list Internet-Draft Shadow Directories, see
-http://www.ietf.org/shadow.html.
-
-Distribution of this memo is unlimited.
-
-The internet-draft will expire in 6 months. The date of expiration will
-be August 24, 2003.
-
-
-Abstract
-
-A large number of DNS queries regarding to the "local" zones are sent
-over the Internet in every second. This memo describes operational
-guidelines to reduce the unnecessary DNS traffic as well as the load of
-the Root DNS Servers.
-
-1. Introduction
-
-While it has yet been described in a RFC, .local is used to provide a
-local subspace of the DNS tree. Formal delegation process has not been
-completed for this TLD. In spite of this informal status, .local has
-been used in many installations regardless of the awareness of the
-users. Usually, the local DNS servers are not authoritative to the
-.local domain, they end up to send queries to the Root DNS Servers.
-
-There are several other DNS zones which describe the "local"
-information. .localhost has been used to describe the localhost for
-more than a couple of decades and virtually all of the DNS servers are
-configured authoritative for .localhost and its reverse zone .127.in-
-
-
-KATO Expires: August 24, 2003 [Page 1]
-
-
-DRAFT DNS local zones February 2003
-
-addr.arpa. However, there are other "local" zones currently used in the
-Internet or Intranets connected to the Internet through NATs or similar
-devices.
-
-At a DNS server of an university in Japan, half of the DNS queries sent
-to one of the 13 Root DNS Servers were regarding to the .local. At
-another DNS Server running in one of the Major ISPs in Japan, the 1/4
-were .local. If those "local" queries are able to direct other DNS
-servers than Root, or they can be resolved locally, it contributes the
-reduction of the Root DNS Servers.
-
-2. Rationale
-
-Any DNS queries regarding to "local" names should not be sent to the DNS
-servers on the Internet.
-
-3. Operational Guidelines
-
-Those queries should be processed at the DNS servers internal to each
-site so that the severs respond with NXDOMAIN rather than sending
-queries to the DNS servers outside.
-
-The "local" names have common DNS suffixes which are listed below:
-
-3.1. Local host related zones:
-
-Following two zones are described in [Barr, 1996] and .localhost is also
-defined in [Eastlake, 1999] .
-
- o .localhost
- o .127.in-addr.arpa
-
-
-Following two zones are for the loopback address in IPv6 [Hinden, 1998]
-. While the TLD for IPv6 reverse lookup is .arpa as defined in [Bush,
-2001] , the old TLD .int has been used for this purpose for years
-[Thomson, 1995] and many implementations still use .int. So it is
-suggested that both zones should be provided for each IPv6 reverse
-lookup zone for a while.
-
- o 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int
- o 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
-
-
-3.2. Locally created name space
-
-While the use of .local has been proposed in several Internet-Drafts, it
-has not been described in any Internet documents with formal status.
-However, the amount of the queries for .local is much larger than
-others, it is suggested to resolve the following zone locally:
-
-
-
-
-KATO Expires: August 24, 2003 [Page 2]
-
-
-DRAFT DNS local zones February 2003
-
- o .local
-
-
-
-3.3. Private or site-local addresses
-
-The following IPv4 "private" addresses [Rekhter, 1996] and IPv6 site-
-local addresses [Hinden, 1998] should be resolved locally:
-
- o 10.in-addr.arpa
- o 16.172.in-addr.arpa
- o 17.172.in-addr.arpa
- o 18.172.in-addr.arpa
- o 19.172.in-addr.arpa
- o 20.172.in-addr.arpa
- o 21.172.in-addr.arpa
- o 22.172.in-addr.arpa
- o 23.172.in-addr.arpa
- o 24.172.in-addr.arpa
- o 25.172.in-addr.arpa
- o 26.172.in-addr.arpa
- o 27.172.in-addr.arpa
- o 28.172.in-addr.arpa
- o 29.172.in-addr.arpa
- o 30.172.in-addr.arpa
- o 31.172.in-addr.arpa
- o 168.192.in-addr.arpa
- o c.e.f.ip6.int
- o d.e.f.ip6.int
- o e.e.f.ip6.int
- o f.e.f.ip6.int
- o c.e.f.ip6.arpa
- o d.e.f.ip6.arpa
- o e.e.f.ip6.arpa
- o f.e.f.ip6.arpa
-
-
-3.4. Link-local addresses
-
-The link-local address blocks for IPv4 [IANA, 2002] and IPv6 [Hinden,
-1998] should be resolved locally:
-
- o 254.169.in-addr.arpa
- o 8.e.f.ip6.int
- o 9.e.f.ip6.int
- o a.e.f.ip6.int
- o b.e.f.ip6.int
- o 8.e.f.ip6.arpa
- o 9.e.f.ip6.arpa
- o a.e.f.ip6.arpa
- o b.e.f.ip6.arpa
-
-
-
-KATO Expires: August 24, 2003 [Page 3]
-
-
-DRAFT DNS local zones February 2003
-
-4. Suggestions to developers
-
-4.1. Suggestions to DNS software implementors
-
-In order to avoid unnecessary traffic, it is suggested that DNS software
-implementors provide configuration templates or default configurations
-so that the names described in the previous section are resolved locally
-rather than sent to other DNS servers in the Internet.
-
-4.2. Suggestions to developers of NATs or similar devices
-
-There are many NAT or similar devices available in the market.
-Regardless of the availability of DNS Servers in those devices, it is
-suggested that those devices are able to filter the DNS traffic or
-respond to the DNS traffic related to "local" zones by configuration
-regardless of its ability of DNS service. It is suggested that this
-functionality is activated by default.
-
-5. IANA Consideration
-
-While .local TLD has yet defined officially, there are substantial
-queries to the Root DNS Servers as of writing. About 1/4 to 1/2% of the
-traffic sent to the Root DNS Servers are related to the .local zone.
-Therefore, while it is not formally defined, it is suggested that IANA
-delegates .local TLD to an organization.
-
-The AS112 Project [Vixie, ] serves authoritative DNS service for RFC1918
-address and the link-local address. It has several DNS server instances
-around the world by using BGP Anycast [Hardie, 2002] . So the AS112
-Project is one of the candidates to host the .local TLD.
-
-Authors' addresses
-
- Akira Kato
- The University of Tokyo, Information Technology Center
- 2-11-16 Yayoi Bunkyo
- Tokyo 113-8658, JAPAN
- Tel: +81 3-5841-2750
- Email: kato@wide.ad.jp
-
-
- Paul Vixie
- Internet Software Consortium
- 950 Charter Street
- Redwood City, CA 94063, USA
- Tel: +1 650-779-7001
- Email: vixie@isc.org
-
-
-
-
-
-
-
-KATO Expires: August 24, 2003 [Page 4]
-
-
-DRAFT DNS local zones February 2003
-
-References
-
-To be filled
-
-References
-
-Barr, 1996.
-D. Barr, "Common DNS Operational and Configuration Errors" in RFC1912
-(February 1996).
-
-Eastlake, 1999.
-D. Eastlake, "Reserved Top Level DNS Names" in RFC2606 (June 1999).
-
-Hinden, 1998.
-R. Hinden and S. Deering, "IP Version 6 Addressing Architecture" in
-RFC2373 (July 1998).
-
-Bush, 2001.
-R. Bush, "Delegation of IP6.ARPA" in RFC3152 (August 2001).
-
-Thomson, 1995.
-S. Thomson and C. Huitema, "DNS Extensions to support IP version 6" in
-RFC1886 (December 1995).
-
-Rekhter, 1996.
-Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear,
-"Address Allocation for Private Internets" in RFC1918 (February 1996).
-
-IANA, 2002.
-IANA, "Special-Use IPv4 Addresses" in RFC3330 (September 2002).
-
-Vixie, .
-P. Vixie, "AS112 Project" in AS112. http://www.as112.net/.
-
-Hardie, 2002.
-T. Hardie, "Distributing Authoritative Name Servers via Shared Unicast
-Addresses" in RFC3258 (April 2002).
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-KATO Expires: August 24, 2003 [Page 5]
-
diff --git a/contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt b/contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt
deleted file mode 100644
index f9eaf268194f..000000000000
--- a/contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt
+++ /dev/null
@@ -1,1830 +0,0 @@
-
-
-
- INTERNET-DRAFT S. Daniel Park
- Expires: October 2003 Syam Madanapalli
- File: SAMSUNG Electronics
- draft-park-ipv6-extensions-dns-pnp-00.txt April 2003
-
-
-
-
- IPv6 Extensions for DNS Plug and Play
-
-
-
- Status of This Memo
-
- This document is an Internet-Draft and is in full conformance with
- all provisions of Section 10 of RFC2026.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as
- Internet-Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other
- documents at any time. It is inappropriate to use Internet-Drafts
- as reference material or to cite them other than as "work in
- progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-
-
- Abstract
-
- This document proposes automatic configuration of domain name (FQDN)
- for IPv6 nodes using Domain Name Auto-Configuration (called 6DNAC) as
- a part of IPv6 plug and play feature. 6DNAC allows the automatic
- registration of domain name and corresponding IPv6 Addresses with
- the DNS server. In order to provide 6DNAC function, Neighbor Discovery
- Protocol [2461] will be used. Moreover, 6DNAC does not require any
- changes to the existing DNS system.
-
-
- Table of Contents
-
- 1. Introduction ............................................. 3
- 2. Terminology .............................................. 3
- 3. 6DNAC Design Principles .................................. 4
- 4. 6DNAC Overview ........................................... 4
- 5. 6DNAC Requirements ....................................... 5
- 5.1. 6DANR Client Requirements ................................ 5
- 5.2. 6DNAC Server Requirements ................................ 6
-
-Park & Madanapalli Expires October 2003 [Page 1]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- 6. 6DNAC Messages and Option Formats ........................ 6
- 6.1. Router Advertisement (RA) Message Format ................. 6
- 6.2. Neighbor Solicitation (NS) Message Format ................ 7
- 6.3. Neighbor Advertisement (NA) Message Format ............... 8
- 6.4. Option Formats ........................................... 8
- 6.4.1. DNS Zone Suffix Information Option Format ................ 8
- 6.4.2. Domain Name (FQDN) Option Format ......................... 9
- 6.4.3. Router Alert Option for 6DNAC ............................ 10
- 7. 6DNAC Operation .......................................... 10
- 7.1. 6DNAC Network Topology ................................... 11
- 7.2. 6DNAC Operational Scenarios .............................. 12
- 7.2.1. Domain Name Registration-Success Case .................... 12
- 7.2.2. Domain Name Registration-with DupAddrDetectTransmits=2.... 14
- 7.2.3. Domain Name Registration-Defend Case ..................... 16
- 7.2.4. Domain Name Registration in Retry Mode ................... 19
- 7.2.5. Domain Name Registration when DAD Fails .................. 20
- 7.3. DNS Zone Suffix Discovery and FQDN Construction .......... 22
- 7.3.1. Sending Router Advertisement Messages .................... 22
- 7.3.2. Processing Router Advertisement Messages ................. 22
- 7.3.3. FQDN Lifetime expiry ..................................... 23
- 7.3.4. Host Naming Algorithm .................................... 23
- 7.4. Duplicate Domain Name Detection .......................... 23
- 7.4.1. DAD with All Nodes Multicast Address ..................... 24
- 7.4.1.1. Sending Neighbor Solicitation Messages ................... 24
- 7.4.1.2. Processing Neighbor Solicitation Messages ................ 24
- 7.4.1.3. Sending Neighbor Advertisement Messages .................. 25
- 7.4.1.4. Processing Neighbor Advertisement Messages ............... 25
- 7.4.1.5. Pros and Cons ............................................ 25
- 7.4.2. DAD with Router Alert Option for 6DNAC ................... 25
- 7.4.2.1. Sending Neighbor Solicitation Messages ................... 25
- 7.4.2.2. Processing Neighbor Solicitation Messages ................ 26
- 7.4.2.3. Sending Neighbor Advertisement Messages .................. 26
- 7.4.2.4. Processing Neighbor Advertisement Messages ............... 26
- 7.4.2.5. Pros and Cons ............................................ 26
- 7.4.3. Explicit Detection of Duplicate Domain Name .............. 26
- 7.4.3.1. Sending Neighbor Solicitation Messages ................... 26
- 7.4.3.2. Processing Neighbor Solicitation Messages ................ 26
- 7.4.3.3. Sending Neighbor Advertisement Messages .................. 27
- 7.4.3.4. Processing Neighbor Advertisement Messages ............... 27
- 7.4.3.5. Pros and Cons ............................................ 27
- 7.4.4. Retry Mode for Re-registering Domain Name ................ 27
- 7.5. Domain Name Registration ................................. 27
- 8. Security Consideration ................................... 27
- 9. IANA Consideration ....................................... 28
- 10. Acknowledgement .......................................... 28
- 11. Intellectual Property .................................... 28
- 12. Copyright ................................................ 28
- 13. References ............................................... 29
- 14. Author's Addresses ....................................... 30
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 2]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- 1. Introduction
-
- Today, most networks use DNS[1034][1035] for convenience. In case of
- IPv6, DNS is more important element because of IPv6 long addresses
- which are difficult to remember. In addition, small networks like home
- networks using IPv6, should be able to make network easily without
- manual configuration. Also, these small networks may not have DHCP
- Server, DNS Server etc. that are used to configure the network. This
- document discusses IPv6 Domain Name Auto-Configuration(6DNAC) procedure
- for generating and registering the Domain Name and IPv6 addresses with
- the DNS Server automatically. In order to use 6DNAC, IPv6 nodes are
- required to implement lightweight functions specified in this document.
- 6DNAC can be applied to all defined IPv6 unicast addresses except Link
- local IPv6 addresses, viz: Site-local and Global addresses.
-
- 6DNAC uses Neighbor Discovery Protocol [2461] with new additions
- (defined in section 6) and DAD procedures for generating and
- registering the Domain Name with the DNS server automatically.
-
-
- 2. Terminology
-
- 6DNAC - IPv6 Domain Name Auto Configuration. It can provide
- IPv6 hosts with Domain Name Generation and
- Registration automatically.
-
- 6DNAC Client - An IPv6 node that can generate its own unique Domain
- Name. Section 3 identifies the new requirements that
- 6DNAC places on an IPv6 node to be a 6DNAC node.
-
- 6DNAC Server - An IPv6 node that can collect and registrate Domain
- Name and IPv6 addresses automatically. 6DNAC server
- uses the information from the DAD operation messages
- with newly defined options for the registration of the
- Domain Name and IPv6 Addresses. Section 3 identifies
- the new requirements that 6DNAC places on an IPv6
- node to be a 6DNAC server. Also 6DNAC server can have
- various other functions depending on network
- environment and the network operator. For instance
- 6DNAC Server can acts as a Gateway as well Home Server
- in Home Networks.
-
- DAD - Duplicate Address Detection (is defined [2461])
-
- DFQDND - Duplicate Domain Name Detection
-
- FQDN - Fully Qualified Domain Name - FQDN and Domain Name are
- used interchangeably in this document.
-
- NA - Neighbor Advertisement message (is defined [2461])
-
- NS - Neighbor Solicitation message (is defined [2461])
-
- RA - Router Advertisement message (is defined [2461])
-
- SLAAC - Stateless Address Autoconfiguration [2462].
-
-Park & Madanapalli Expires October 2003 [Page 3]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- 3. 6DNAC Design Principles
-
- This section discusses the design principles of 6DNAC mechanism.
-
- 1. The new procedures for plug and play DNS should not cause changes
- to existing DNS system. 6DNAC requires lightweight functions to be
- implemented only at the client side of the DNS system, and uses the
- existing DDNS UPDATE [2136] to communicate with DNS Servers.
-
- 2. Introducing a new protocol will always introduce new problems.
- 6DNAC uses the existing protocols NDP [2461] with minor extensions
- for generating and registering the domain name automatically
- without defining a new protocol
-
- 3. Reusing proven and well understood design principles/patterns
- will always yield a robust system. 6DNAC is based on IPv6 Address
- Auotoconfiguration principle, where routers advertise the prefix
- and host adds the interface ID to the prefix and forms the IPv6
- address. Domain Name (FQDN) also contains two parts: host name
- and DNS zone suffix. Routers can advertise the DNS zone suffix
- on a particular link in Router Advertisements (RA Messages) and
- hosts can prefix their preferred host name to the DNS zone suffix
- and form the fully qualified domain name. Also the detection of
- duplicate domain name is similar to Duplicate Address Detection
- (DAD) and can be part of DAD operation itself.
-
-
- 4. 6DNAC Overview
-
- 6DNAC proposes minor extensions to NDP [2461] for automatic generation
- and registration of domain name with the DNS server. It introduces two
- new options: DNS Zone Suffix and Fully Qualified Domain Name. DNS Zone
- Suffix option is carried in Router Advertisement (RA) messages for
- notifying IPv6 nodes about the valid DNS Zone Suffix on the link and
- FQDN option in Neighbor Solicitation (NS) and Neighbor Advertisement
- (NA) messages to detect duplicate domain name. 6DNAC consists of two
- components: 6DNAC Client and 6DNAC Server. 6DNAC Clients generate the
- domain name based on DNS Zone Suffix using Host Naming Algorithm (see
- section 7.3.1) and 6DNAC Server collects and registers the DNS
- information with the DNS Server on behalf of 6DNAC Clients.
-
- The automatic configuration of domain name using 6DNAC consists of
- three parts.
-
- - DNS Zone Suffix Discovery and FQDN Construction:
-
- IPv6 Nodes collect DNS Zone Suffix information from Router
- Advertisements and constructs FQDN by prefixing host name to the
- DNS Zone Suffix. The IPv6 Nodes are required to implement Host
- Naming Algorithm for generating host part of the FQDN in the
- absence of administrator.
-
- Generation of node's FQDN within the node itself has advantages. Nodes
- can provide forward and reverse name lookups independent of the DNS
- System by sending queries directly to IPv6 nodes [NIQ]. Moreover Domain
- Name is some thing that is owned by the node.
-
-Park & Madanapalli Expires October 2003 [Page 4]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- - Duplicate Domain Name Detection
-
- All nodes are expected to go for DAD for all new IPv6 unicast
- addresses, regardless of whether they are obtained through
- stateful, stateless or manual configuration. 6DNAC uses the DAD
- messages with new option for carrying the Domain Name along with
- the new IPv6 Address. 6DNAC Server captures this information and
- updates DNS Server provided that the IPv6 Address and its domain
- name are not duplicate. If the domain name is already in use,
- the 6DNAC server replies to the sender with FQDN Option in NA
- message indicating that the domain name is duplicate. Then the
- node is expected to generate another domain name using host
- naming algorithm and go for DAD. This time the DAD is only for
- duplicate domain name detection (DFQDND). In order to avoid
- confusion with the normal NDP processing, the target address
- field of the NS message must carry the unspecified address
- in retry mode. This can be repeated depending on number of
- retries defined by the administrator in the host naming algorithm.
-
-
- - Domain Name Registration
-
- 6DNAC Server detects the DNS information (IPv6 Address and
- corresponding FQDN) from DAD/DFQDND messages and updates DNS
- Server using existing protocol DDNS UPDATE [2136] provided that
- the IPv6 Address and its domain name are not duplicate.
-
- If an IPv6 Address is duplicate, the IPv6 node cannot perform
- stateless address autoconfiguration repeatedly. Unlike IPv6 stateless
- address autoconfiguration, 6DNAC allows the automatic configuration of
- domain name repeatedly if the domain name is duplicate depending on
- number of retries defined by the administrator in the host naming
- algorithm.
-
-
- 5. 6DNAC Requirements
-
- Depending on the 6DNAC functionality, the IPv6 nodes implement, they
- are called either 6DNAC Clients or 6DNAC Servers. The following
- sections lists the requirements that the 6DNAC Client and 6DNAC server
- must support.
-
-
- 5.1. 6DANC Client Requirements
-
- - 6DNAC Client must recognize and process the following NDP
- extensions
-
- - DNS Zone Suffix option in RA messages for generating its
- domain name (FQDN).
-
- - Domain Name option in NS and NA messages for detecting
- the duplicate domain name
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 5]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- - It must generate its domain name (FQDN) based on the DNS
- suffix that it got from the router advertisement. And it must
- have a host naming algorithm for generating the host part of
- the FQDN.
-
- - If NA message is received with unspecified target address and
- FQDN option, then the node must treat that the domain is
- duplicate.
-
-
- 5.2. 6DNAC Server Requirements
-
- - 6DNAC Server must recognize and process the following NDP
- extensions
-
- - If the 6DNAC Server is a router on the link, then it
- must advertise DNS Zone Suffix option in RA messages
- for hosts to generate their domain name (FQDN).
-
- - FQDN option in NS messages for detecting new DNS
- information for of nodes on the link for which it
- must update the AAAA RR and PTR RR in DNS Server.
-
- - FQDN option in NA messages for notifying duplicate
- domain name with unspecified target address.
-
- - 6DNAC server must update the DNS Server (both AAAA RR and
- PTR RR) dynamically using DDNS UPDATE [2136].
-
- - 6DNAC server must cache this (newly detected) FQDN, Link
- Layer Address, and IPv6 Address information, so that it can
- decide whether it really needs to update DNS Server or not,
- to avoid redundant updates. This information will also be
- used for notifying the duplicate domain name.
-
-
- 6. 6DNAC Messages and Option Formats
-
- In order to achieve the plug and play DNS, 6DNAC proposes new
- extensions to the NDP [2461]. This section specifies the new
- additions to NDP messages and formats of new options.
-
-
- 6.1. Router Advertisement (RA) Message Format
-
- Routers send out Router Advertisement (RA) message periodically, or
- in response to a Router Solicitation. 6DNAC does not modify the format
- of the RA message, but proposes new option (DNS Zone Suffix Information)
- to be carried in RA messages.
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 6]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Type | Code | Checksum |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Cur Hop Limit |M|O| Reserved | Router Lifetime |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Reachable Time |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Retrans Timer |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Options ... |
- / /
- | DNS Zone Suffix Information |
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
- <Figure: 1 RA message>
-
-
-
- 6.2. Neighbor Solicitation (NS) Message Format
-
- 6DNAC does not modify the format of the Neighbor Solicitation (NS)
- message, but proposes new option (FQDN Option) to be carried in NS
- messages. When a node is going for DAD, the node must include FQDN
- option in NS message to participate in plug and play DNS. If the
- node is going for Explicit Detection of Duplicate Domain Name, the
- node must use FQDN option in NS message and unspecified address in
- the target address field.
-
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Type | Code | Checksum |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- | |
- + Target Address +
- | |
- + +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Options ... |
- / /
- | Domain Name |
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
- <Figure: 2 NS message>
-
-Park & Madanapalli Expires October 2003 [Page 7]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- 6.3. Neighbor Advertisement (NA) Message Format
-
- 6DNAC does not modify the format of the Neighbor Advertisement (NA)
- message, but proposes new option (FQDN Option) to be carried in NA
- messages. 6DNAC Server sends NA message with FQDN option to 6DNAC
- Client that is performing duplicate domain name detection in case
- the domain name found to be duplicate.
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Type | Code | Checksum |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |R|S|O| Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- | |
- + Target Address +
- | |
- + +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Options ... |
- / /
- | FQDN Option |
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
- <Figure: 3 NA message>
-
-
- 6.4 Option Formats
-
- 6.4.1. DNS Zone Suffix Information Option Format
-
- IPv6 nodes require DNS Zone Suffix for constructing their FQDN.
- 6DNAC introduces new option for routers to advertise the DNS Zone
- Suffix Information for IPv6 nodes on the link. The suffix information
- should be configured into routers manually.
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Type | Length | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Valid Lifetime |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- / DNS Zone Suffix /
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
- <Figure: 4 DNS Zone Suffix Information>
-
-Park & Madanapalli Expires October 2003 [Page 8]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- Type [TBD]
-
- Length 8-bit unsigned integer. The length of the option
- (including the type and length fields) in units of
- 8 octets.
-
- Reserved This field is unused. It must be initialized to zero
- by the sender and must be ignored by the receiver.
-
- Valid Life Time 32-bit signed integer. The maximum time, in
- seconds, over which this suffix is valid. Nodes
- should treat this as the life time for their domain
- name. Nodes should contact the source of this
- information before expiry of this time interval.
- A value of all one bits (0xFFFFFFFF) represents
- infinity.
-
- DNS Zone Suffix The suffix part of the FQDN. The data in the DNS
- Zone Suffix field should be encoded according to
- DNS encoding rules specified in [1035].
-
-
-
- 6.4.2. Domain Name (FQDN) Option Format
-
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Type | Length | Reserved |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Valid Lifetime |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- + +
- | |
- + FQDN Target Address +
- | |
- + +
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- / Domain Name /
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-
- <Figure: 5 FQDN Information>
-
- Type [TBD]
-
- Length 8-bit unsigned integer. The length of the option
- (including the type and length fields) in units
- of 8 octets. It must be greater than 3.
-
-
-
-Park & Madanapalli Expires October 2003 [Page 9]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- Reserved This field is unused. It must be initialized to
- zero by the sender and must be ignored by the
- receiver.
-
- Valid Life Time 32-bit signed integer. The maximum time, in
- seconds, over which this domain name is valid
- 6DNAC should deregister this domain name at
- the expiry of this interval. 6DNAC clients
- should send updates by the expiry of this
- interval. A value of all one bits (0xFFFFFFFF)
- represents infinity.
-
- FQDN Target Address The Address for which the FQDN maps to. It
- should be same as Target Address field of the
- NS message in case of DAD & duplicate FQDN are
- running in parallel.
-
- Domain Name The domain name (FQDN) of the node. The data in
- the domain name should be encoded according to
- DNS encoding rules specified in [1035].
-
-
- 6.4.3. Router Alert Option for 6DNAC
-
- Router Alert Option for 6DNAC is new option within the IPv6 Hop-by-Hop
- Header for using in NDP messages. The presence of this option in NS
- message informs the router that this NS message is carrying Domain
- Name information and must be processed by the 6DNAC Server on the router.
- 6DNAC Clients can use this option for sending DAD packets instead
- of addressing the DAD packets to the all-nodes multicast address
- when 6DNAC Server is implemented on router.
-
- The Router Alert option has the following format:
-
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |0 0 0|0 0 1 0 1|0 0 0 0 0 0 1 0| Value (2 octets) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Length = 2
-
- Values are registered and maintained by the IANA. For 6DNAC, the
- value has to be assigned by IANA.
-
- Further information about this option can be obtained from
- IPv6 Router Alert Option [2711].
-
-
- 7. 6DNAC Operation
-
- 6DNAC provides mechanisms for automatic generation of domain name
- and registering it with the DNS Server for IPv6 nodes. 6DNAC consists
- of two components: 6DNAC Client and 6DNAC Server. All nodes that want
- to participate in plug and play DNS are required to implement 6DNAC
- Client functionality, and one of the IPv6 nodes is required to
- implement 6DNAC Server functionality. The IPv6 node that implements
- the 6DNAC Server functionality must know the location of the DNS
- Server and must be a trusted node to send DDNS UPDATE [2136] messages.
-
-Park & Madanapalli Expires October 2003 [Page 10]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- 7.1. 6DNAC Network Topology
-
- This section identifies the possible locations for the 6DNAC Server.
- Note that, all nodes are required to implement 6DNAC Client
- functionality for constructing the domain name from the DNS Zone
- Suffix Information advertised by the router. Figure 6 illustrates
- IPv6 host (H4) implementing 6DNAC Server functionality. In this case
- H4 can serve only one link (that it belongs to) for automatic
- registration of domain name. H4 must observe the DAD packets on the
- link to detect the DNS information, this requires all nodes on the
- link must belong to same solicited node multicast address. In general,
- this may not be the case. So the node that is going for DAD must use
- all nodes multicast address for DAD packets, so that the 6DNAC Server
- (H4) can observe the DAD packets, detects IPv6 address and
- corresponding domain name, checks if this domain name is duplicate
- and finally registers the domain name with the DNS Server.
-
-
- 6DNAC Server
- +---+ +---+ +----------+
- | H1| | H4|<--- DDNS UPDATE --->|DNS Server|
- +-+-+ +-+-+ +----+-----+
- | | +----+ +---/
- | | | | /
- ---+-----+-----------+-----+-----------+ R1 +-----+
- | | | |
- | | +----+
- +-+-+ +-+-+
- | H2| | H3|
- +---+ +---+
-
-
- H1, H2, H3 - 6DNAC Clients
- H4 - 6DNAC Server
- R1 - Router
-
-
- <Figure: 6 Example of 6DNAC Topology>
-
-
- Figure 7 shows the 6DNAC Server implemented on a router R1. In this
- case a single 6DNAC server can serve multiple links for automatic
- configuration of the domain name. This topology also has flexibility
- of using DAD packets with Router Alert option instead of sending DAD
- packets to all nodes multicast address. The routers are required to
- process all the packets with Router Alert option as per [2711].
-
- In case of Home Networks, R1 is will acts as a Home Gateway (CPE)
- connected to ISP. R1 delegates the prefix from the ISP edge router.
- After delegating the prefix the CPE can advertise the DNS Zone suffix
- along with the prefix information to the nodes on the links to which
- the router is connected to. Note that the R1 must be configured with
- the DNS Zone suffix Information manually.
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 11]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- +---+ +---+
- | H3+ | H4|
- +-+-+ +-+-+
- | |
- | LINK2 |
- +---+ ---+--------+--+-- +----------+
- | H1| | |DNS Server|
- +-+-+ | +----+-----+
- | +--+-+ -------/
- | LINK 1 | | /
- ---+-----+------------------+ R1 +---------+
- | | | DDNS UPDATE
- | +----+
- +-+-+ 6DNAC Server
- | H2|
- +---+
-
-
- H1, H2 - 6DNAC Clients on Link1
- H3, H4 - 6DNAC Clients on Link2
- R1 - Router with 6DNAC Server, serving both Link1 and Link2
-
-
- <Figure: 7 Example of 6DNAC Server serving multiple links>
-
-
- 7.2. 6DNAC Operational Scenarios
-
- This section provides message sequence charts for various 6DNAC
- operational scenarios assuming that the 6DNAC Server is implemented
- on a router. All the scenarios assume that the normal boot up time
- stateless address autoconfiguration of Link Local address derived
- from the Interface Identifier has been completed successfully. And
- it is also assumed that the router is already configured with the
- DNS Zone Suffix Information.
-
-
- Legend:
-
- 6DNAC-A, B, C : 6DNAC Clients
- 6DNAC-S : 6DNAC Server/Router
- DAD : Duplicate Address Detection
- DFQDND : Duplicate Domain Name Detection
- DNS-S : DNS Server
-
-
- 7.2.1. Domain Name Registration-Successful Case
-
- This scenario starts when a 6DNAC Client receives RA message with
- DNS Zone Suffix and other parameters including address prefix as
- specified in NDP [2461] and wants configure its IPv6 address (Global
- or Site Local) and domain name. It is Assumed that the
- DupAddrDetectTransmits is set to 1.
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 12]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- +---------+ +---------+ +---------+
- | 6DNAC-C | | 6DNAC-S | | DNS-S |
- +----+----+ +----+----+ +----+----+
- | | |
- | RA with | |
- | DNS Suffix Opt | |
- |<---------------| |
- | #1 | |
- |---+ | |
- Construct |#2 | |
- FQDN | | |
- |<--+ | |
-DAD/DFQDND Starts | |
- | | |
- | | |
- | NS With | |
- | FQDN Opt | |
- |--------------->| |
- | #3 | |
- | | |
- | |------+ |
- | Create FQDN | #4 |
- | <FQDN,C> | |
- | |<-----+ |
- | | |
- | | Register FQDN |
- | |--------------->|
- | | #5 |
- | #6 | |
- |--------+ | |
- No Response | | |
- DFQDND-Success | | |
- |<-------+ | |
- | | |
- | | |
- v V v
-
-
- <Figure: 8 Domain Name Generation and Registration>
-
-
- #1. 6DNAC Server (Router) sends out router advertisement with DNS
- Suffix information along with other parameters as specified in
- NDP [2461].
-
- #2. 6DNAC Client processes the router advertisement and constructs
- the FQDN by prefixing hostname to the DNS Zone Suffix. It also
- constructs IPv6 address from the autoconfiguration prefix
- information option.
-
- #3. 6DNAC Client starts duplicate address & FQDN detection for the
- IPv6 address & FQDN constructed and sends out a Neighbor
- Solicitation message with FQDN option.
-
- Note that the DAD packets must be addressed to all nodes multicast
- address if Router Alert option is not used.
-
-Park & Madanapalli Expires October 2003 [Page 13]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- #4. 6DNAC Server processes the Neighbor Solicitation message sent by
- 6DNAC Client as part of duplicate FQDN detection procedure and
- creates a FQDN entry in its FQDN Cache (assuming that there is no
- entry <FQDN,C>), where C is Link Layer Address of the 6DNAC Client.
-
- #5. 6DNAC Server then registers FQDN and corresponding IPv6 address
- through the existing protocol DDNS UPDATE.
-
- #6. 6DNAC Client times out and observes that there is no response to
- defend its duplicate FQDN detection procedure and the node is
- successful in configuring its domain name.
-
- Note that, Stateless Address Autoconfiguration DAD procedure is not
- depicted in the following message sequence chart, which simultaneously
- happens along with duplicate FQDN detection.
-
-
- 7.2.2. Domain Name Registration-with DupAddrDetectTransmits=2
-
- This scenario starts when a 6DNAC Client receives RA message with
- DNS Zone Suffix and other parameters including address prefix as
- specified in NDP [2461] and wants configure its IPv6 address (Global
- or Site Local) and domain name. The node is configured with
- DupAddrDetectTransmits = 2 for reliability in delivering DAD messages.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 14]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- +---------+ +---------+ +---------+
- | 6DNAC-C | | 6DNAC-S | | DNS-S |
- +----+----+ +----+----+ +----+----+
- | | |
- | RA with | |
- | DNS Suffix Opt | |
- |<---------------| |
- | #1 | |
- |---+ | |
- Construct |#2 | |
- FQDN | | |
- |<--+ | |
-DAD/DFQDND Starts | |
- | | |
- | | |
- | NS With | |
- | FQDN Opt | |
- |--------------->| |
- | #3 | |
- | | |
- | |------+ |
- | Create FQDN | #4 |
- | <FQDN,C> | |
- | |<-----+ |
- | | |
- | | Register FQDN |
- | |--------------->|
- | | #5 |
- | NS With | |
- | FQDN Opt | |
- |--------------->| |
- | #6 | |
- | | |
- | Lookup FQDN |
- | Entry exists |
- | |------+ |
- | Ignore | #7 |
- | |<-----+ |
- | #8 | |
- |--------+ | |
- No Response | | |
- DFQDND-Success | | |
- |<-------+ | |
- | | |
- | | |
- v V v
-
-
-
- <Figure: 9 Verification of duplicated Domain Name>
-
-
- Steps from #1 to #5 are same as that of scenario.7.2.1.
-
- #6. 6DNAC Client sends out second Neighbor Solicitation message with
- FQDN option as part of duplicate FQDN detection.
-
-Park & Madanapalli Expires October 2003 [Page 15]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- #7. 6DNAC Server receives and observes that the FQDN Cache exactly
- matches with that of the NS information and ignores the NS message.
-
- #8. 6DNAC Client times out and observes that there is no response to
- defend its duplicate FQDN detection procedure and the node is
- successful in configuring its domain name..
-
-
- 7.2.3. Domain Name Registration-Defend Case
-
- This scenario starts when two 6DNAC Client receive RA message with
- DNS Zone Suffix and other parameters including address prefix as
- specified in NDP [2461] and both the nodes want configure their IPv6
- address (Global or Site Local) and domain name. In this scenario both
- the nodes want to have same domain name.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 16]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
-
- +---------+ +---------+ +---------+ +---------+
- | 6DNAC-A | | 6DNAC-S | | 6DNAC-B | | DNS-S |
- +----+----+ +----+----+ +----+----+ +----+----+
- | | | |
- | RA with | RA with | |
- | DNS Suffix Opt | DNS Suffix Opt | |
- |<---------------|--------------->| |
- | #1 | #1 | |
- |---+ | |---+ |
- Construct | #2 | Construct | #2 |
- FQDN | | FQDN | |
- |<--+ | |<--+ |
- DAD/DFQDND Starts | DAD/DFQDND Starts |
- | | <DELAYED> |
- | | | |
- | NS with | | |
- | FQDN Opt | | |
- |--------------->| | |
- | #3 | | |
- | No Entry | |
- | |------+ | |
- | Create FQDN | #4 | |
- | <FQDN,A> | | |
- | |<-----+ | |
- | | | |
- | | Register FQDN #5 |
- | |-------------------------------->|
- | | | |
- | | NS with | |
- | | FQDN Opt | |
- | |<---------------| |
- | | #6 | |
- | |------+ | |
- | FQDN is in use| | |
- | Defend DFQDND| #7 | |
- | |<-----+ | |
- | | | |
- | | NA with | |
- | | D-flag Set | |
- | |--------------->| |
- | | #8 | |
- |------+ | |---+ |
- No Response | #9 | Enter | #10 |
- DFQDND Success| | Retry Mode| |
- |<-----+ | |<--+ |
- | | | |
- v v v v
-
-
- <Figure: 10 Multiple Hosts Requesting Same Domain Name>
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 17]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- #1. 6DNAC Server (Router) sends out router advertisement with DNS
- Suffix information.
-
- #2. 6DNAC Clients A&B process the router advertisement and construct
- their FQDN by prefixing hostname to the DNS Zone Suffix. They
- also construct IPv6 address from the autoconfiguration prefix
- information option.
-
- When each host is trying to go for DAD, all hosts must have
- random delay to avoid the traffic congestion according to [2461].
- So here it is assumed that 6DNAC Client-A starts DAD first and
- 6DNAC Client-B starts DAD later.
-
- #3. 6DNAC Client-A starts duplicate address & FQDN detection for the
- IPv6 address & FQDN constructed and sends out a Neighbor
- Solicitation message with FQDN option.
-
- #4. 6DNAC Server processes the Neighbor Solicitation message sent by
- 6DNAC Client-A as part of duplicate FQDN detection procedure and
- creates a FQDN entry in its FQDN Cache (assuming that there is no
- entry <FQDN,A>), where A is Link Layer Address of the 6DNAC Client-A.
-
- #5. 6DNAC Server then registers FQDN and corresponding IPv6 address
- through the existing protocol DDNS UPDATE.
-
- #6. 6DNAC Client-B starts duplicate address & FQDN detection for the
- IPv6 address & FQDN constructed and sends out a Neighbor Solicitation
- message with FQDN option.
-
- #7. 6DNAC Server processes the Neighbor Solicitation message sent by
- 6DNAC Client-B as part of duplicate FQDN detection procedure and
- finds that the domain name is already in use by the 6DNAC Client-A.
- Hence, concludes to defend the duplicate FQDN detection of 6DNAC
- Client-B.
-
- #8. 6DNAC Server sends out Neighbor Advertisement message with FQDN
- option to 6DNAC Client-B to defend its duplicate FQDN detection.
-
- #9. 6DNAC Client-A times out and observes that there is no response to
- defend its duplicate FQDN detection procedure and the node is
- successful in configuring its domain name.
-
- #10. 6DNAC Client-B observes that there is a NA with FQDN option
- indicating that the domain name is duplicate and enters Retry
- Mode. In retry mode, 6DNAC Client constructs another FQDN based
- on Host Naming Algorithm. The number of retries is defined by the
- administrator and must be a configurable value.
-
-
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 18]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- 7.2.4. Domain Name Registration in Retry Mode
-
- Pre-Conditions:
-
- 1. Duplicate Address Detection has succeeded
- 2. Duplicate FQDN Detection FAILED
- 3. FQDN is the first FQDN one constructed and FAILED
- 4. FQDN2 is the second FQDN to be constructed
- 5. The Neighbor Solicitation in the 'Retry Mode'
- carries unspecified address in its target field (NS*).
-
- +---------+ +---------+ +---------+
- | 6DNAC-C | | 6DNAC-S | | DNS-S |
- +----+----+ +----+----+ +----+----+
- | | |
- |--------+ | |
- Construct | #1 | |
- new FQDN2 | | |
- |<-------+ | |
- | | |
- DFQDND Restarts | |
- | | |
- | | |
- | NS* With | |
- | FQDN Opt | |
- |--------------->| |
- | #2 | |
- | | |
- | No Entry |
- | |------+ |
- | Create FQDN | #3 |
- | <FQDN2,C> | |
- | |<-----+ |
- | | |
- | | Register FQDN2 |
- | |--------------->|
- | | #4 |
- | | |
- |--------+ | |
- No Response | #5 | |
- DFQDND-Success | | |
- |<-------+ | |
- | | |
- v V v
-
-
- <Figure: 11 Regeneration of Domain Name>
-
-
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 19]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- #1. 6DNAC Client constructs the FQDN again as per Host Naming Algorithm,
- the DNS Zone Suffix, and it is FQDN2.
- #2. It then starts Duplicate Detection only for Domain Name. 6DNAC
- Client sends out NS with FQDN option and unspecified target
- address.
-
- #3. 6DNAC Server processes the Retry Mode NS message and finds that
- the FQDN2 is not in use and creates Cache entry as <FQDN2, C>.
-
- #4. It then starts registration procedures with the DNS Server.
-
- #5. Meanwhile, 6DNAC Client timesout and observes that there is no
- defending NA for its DFQDND NS sent out and successfully
- configures its domain name.
-
-
- 7.2.5. Domain Name Registration when DAD Fails
-
- Duplicate domain name detection and subsequent registration starts
- if and only if the DAD for IPv6 address succeeds. If the DAD for
- IPv6 address fails then no actions are taken for domain name. When
- DAD fails for stateless address autoconfiguration, then the domain
- configuration starts only when the address has been configured using
- Stateful Address Configuration methods and the node is going on DAD
- for this address.
-
- This scenario starts when a 6DNAC Client receives RA message with
- DNS Zone Suffix and other parameters including address prefix as
- specified in NDP [2461] and wants configure its IPv6 address (Global
- or Site Local) and domain name.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 20]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- +---------+ +---------+ +---------+ +---------+
- | 6DNAC-A | | 6DNAC-S | | 6DNAC-B | | DNS-S |
- +----+----+ +----+----+ +----+----+ +----+----+
- | | | |
- | | | |
- | RA with | | |
- | DNS Suffix Opt | | |
- |<---------------| | |
- | #1 | | |
- |-----+ | | |
- Construct | | | |
- FQDN& | #2 | | |
- IPv6 Addr | | | |
- |<----+ | | |
- DAD/DFQDND Starts | | |
- | | | |
- | | | |
- | NS with | | |
- | FQDN Opt | | |
- |--------------->+--------------->| |
- | #3 | #3 | |
- | No Entry | |
- | |------+ | |
- | Create FQDN | | |
- | <FQDN,A> | #4 | |
- | |<-----+ | |
- | | | |
- | | |------+ |
- | | My IPv6 Addr| #5 |
- | | |<-----+ |
- | | Defend DAD | |
- | | with NA | |
- |<---------------+<---------------| |
- | #6 | #6 | |
- | Entry | |
- | |------+ | |
- | Delete FQDN | #7 | |
- | |<-----+ | |
- | | | |
- |----+ | | |
- DAD Failed | #8 | | |
- Stop DFQDND | | | |
- |<---+ | | |
- | | | |
- v v v v
-
- <Figure: 12 DAD failure>
-
- #1. 6DNAC Server sends out Router Advertisement to 6DNAC Client-A.
-
- #2. 6DNAC Client-A constructs IPv6 Address based on the prefix and
- FQDN as per Host Naming Algorithm.
-
- #3. It then starts Duplicate address & FQDN Detection, for the newly
- constructed IPv6 address and FQDN, and sends out DAD/DFQDND NS
- with FQDN option.
-
-Park & Madanapalli Expires October 2003 [Page 21]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
- #4. 6DNAC Server processes the DAD/DFQDND NS message and finds
- that there is no entry for the FQDN in its cache. And,
- creates Cache entry as <FQDN, A> and starts a Registration
- timer with RegistrationWaitTime seconds.
-
- #5. 6DNAC Client-B finds that the DAD/DFQDND-NS target address is
- in its unicast address list.
-
- #6. It then starts defending DAD by sending NA to all-nodes multicast.
-
- #7. 6DNAC Server finds that the DAD has failed for 6DNAC Client-A.
- And, deletes its FQDN Cache entry <FQDN,A>.
-
- #8. 6DNAC Client gets defending DAD-NA and desists from DAD.
- And also, stops Duplicate FQDN Detection as well.
- At this point the address must be configured using stateful
- methods and the domain name registration starts with the DAD
- for the newly constructed IPv6 address.
-
- 7.3. DNS Zone Suffix Discovery and FQDN Construction
-
- 7.3.1. Sending Router Advertisement Messages
-
- Routers send out Router Advertisement message periodically,
- or in response to a Router Solicitation. Router should include
- the DNS Zone Suffix Option in their advertisements. If the DNS
- Zone Suffix changes (similar to Site Renumbering), then it should
- advertise the Old Zone Suffix with zero Valid Lifetime and New
- Zone Suffix with proper non-zero Valid Lifetime. In any other
- case, a router should not send this option twice in a single
- router advertisement.
-
- 7.3.2. Processing Router Advertisement Messages
-
- For each DNS Zone Suffix Option in Router Advertisement,
-
- a. 6DNAC node stores the Zone Suffix information in its local
- database. Also, constructs FQDN as per Host Naming Algorithm.
-
- b. If the node has not configured FQDN yet,
-
- 1. If the node is going to perform DAD for either Site local or
- Global Address, then it should include FQDN option to perform
- Duplicate FQDN Detection in parallel with DAD.
-
- 2. If the node has already got either Site local or Global
- address, then it should send out NS with FQDN option and
- unspecified target address to perform Duplicate FQDN
- Detection.
-
- c. If the node has already configured FQDN, and if the
- advertisement carries two DNS Zone Suffix Options,
- First DNS Zone Suffix should match with the configured FQDN
- Suffix and its Valid Lifetime must be zero. Second DNS Zone
-
-
-
-Park & Madanapalli Expires October 2003 [Page 22]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- Suffix should have non-zero Valid Lifetime. In this case, the
- node constructs new FQDN based on the new DNS Zone Suffix (from
- second DNS Zone Suffix option), and perform Duplicate FQDN
- Detection with unspecified target address. Also, it should
- overwrite the old FQDN with the newly constructed FQDN.
-
-
- 7.3.3. FQDN Lifetime expiry
-
- 6DNAC Server:
- It should delete the FQDN cache entry and should de-register from
- the DNS Server.
-
- 6DNAC Client:
- It should send update to 6DNAC Server by restarting the Duplicate
- FQDN Detection.
-
- 7.3.4. Host Naming Algorithm
-
- A node constructs FQDN by combining DNS Zone Suffix and the hostname
- as depicted in the following diagram.
-
- +------------------+----------------------------------+
- | Host Name | Advertised Suffix |
- +------------------+----------------------------------+
-
- <Figure 13: Fully Qualified Domain Name format>
-
- A node can choose Host Name using any of the following methods:
-
- a. String form of random number generated from the Interface
- Identifier.
-
- b. List of configured Host Names provided by the administrator.
-
-
- The number of retries must be specified in this algorithm in
- case of domain name duplication.
-
-
- 7.4. Duplicate Domain Name Detection
-
- The procedure for detecting duplicated FQDNs uses Neighbor
- Solicitation and Advertisement messages as described below.
-
- If a duplicate FQDN is detected during the procedure, the
- FQDN cannot be assigned to the node.
-
- An FQDN on which the DFQDND Procedure is applied is said
- to be tentative until the procedure has completed successfully.
- A tentative FQDN is not considered "assigned to the node" in the
- traditional sense. That is, the node must accept Neighbor
- Advertisement message containing the tentative FQDN in the FQDN
- Option.
-
-
-Park & Madanapalli Expires October 2003 [Page 23]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- It should also be noted that DFQDN must be performed prior to
- registering with DNS Server to prevent multiple nodes from using
- the same FQDN simultaneously. All the Duplicate Address Detection
- Neighbor Solicitation messages must carry Source Link Layer Address
- Option as specified in NDP [2461].
-
- The detection of duplicate FQDN can be achieved through one of the
- following three types of procedures.
-
- 1. DAD with All Nodes Multicast Address
- 2. DAD with Router Alert Option for 6DNAC.
- 3. Explicit Detection of Duplicate Domain Name
-
- Even though three solutions are listed, authors prefer only one
- procedure to be followed in future based on further analysis and
- comments received from others.
-
- 7.4.1. DAD with All Nodes Multicast Address
-
- 7.4.1.1. Sending Neighbor Solicitation Messages
-
- 6DNAC Client sends Neighbor Solicitation Messages as part
- of Duplicate Address Detection SLAAC [2462] with the following
- extra information and modifications:
-
- a. Include FQDN Option in the DAD Neighbor Solicitation Message
- b. Destination Address is set to All Nodes Multicast Address
-
- There may be a case where DAD has succeeded but DFQDND is in Retry
- Mode. In such case, the Neighbor Solicitation must carry unspecified
- address in the ICMP target address field and new domain name in FQDN
- option to re-try the registration of the domain name.
-
- 7.4.1.2. Processing Neighbor Solicitation Messages
-
- 6DNAC Clients must ignore the FQDN option found in any of the
- neighbor solicitation messages.
-
- 6DNAC Server processes FQDN Option found in the Duplicate Address
- Detection Neighbor Solicitation Messages as described below:
-
- Lookup FQDN Cache for the domain name in FQDN Option.
-
- If the entry exists and
- i. Link Layer Address matches with SLLA option, this is the case,
- where node has changed its IPv6 address or updating the valid
- life time. 6DNAC Server updates its cache and also updates DNS
- Server using DDNS-UPDATE. If there is no change in IPv6 address
- or life time then no updates are sent to the DNS server.
-
- ii. Link Layer Address differs with SLLA option, defend the duplicate
- FQDN Detection by sending Neighbor Advertisement Message as
- described in $7.4.1.3$.
-
-
-
-Park & Madanapalli Expires October 2003 [Page 24]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- else,
- Lookup FQDN Cache for the Link Layer Address in SLLA Option.
-
- If the entry exists, update the FQDN Cache and update DNS Server
- using DDNS-UPDATE. This is the case, where node has changed its
- domain name (similar to Site Re-numbering).
-
- If then entry does not exists, then it means that this is the new
- registration. It must create a cache entry and start Registration
-
- timer with RegistrationWaitTime. At the expiry of the Registration
- timer, it should update DNS Server with DDNS-UPDATE.
-
- 7.4.1.3. Sending Neighbor Advertisement Messages
-
- 6DNAC Server sends Neighbor Advertisement Messages as part
- of Duplicate Address Detection SLAAC [2462] with the FQDN Option
- in Neighbor Advertisement message to defend duplicate FQDN
- detection.
-
- There may be the case where defending of duplicate address detection
- is not required but defending of FQDN is required. In such instance,
- the defending Neighbor Advertisement must carry FQDN and unspecified
- address in the ICMP target address field.
-
- 7.4.1.4. Processing Neighbor Advertisement Messages
-
- 6DNAC Server must ignore the any FQDN option found any of
- the neighbor advertisement messages. If the Neighbor Advertisement
- is a DAD defending, then it must delete its FQDN Cache entry created
- on the reception of DAD Neighbor Solicitation message.
-
- When 6DNAC Clients gets the duplicate address detection neighbor
- advertisement messages with FQDN option set it means that its
- duplicate FQDN detection failed and enters Retry Mode.
-
- 7.4.1.5. Pros and Cons
-
- The advantage of this procedure is that it does not need any
- extension header options to be included. The disadvantage of this
- procedure is that, it needs change in the existing DAD procedure.
- The change is only that the DAD neighbor solicitations are to be
- addressed to all nodes multicast address instead of solicited
- node multicast address. The another disadvantage is that, it needs
- the existence of Duplicate Address Detection Procedure to
- perform duplicate FQDN detection.
-
- 7.4.2. DAD with Router Alert Option for 6DNAC
-
- 7.4.2.1. Sending Neighbor Solicitation Messages
-
- 6DNAC Client sends Neighbor Solicitation Messages as part
- of Duplicate Address Detection SLAAC [2462] with the following
- extra information:
-
-
-Park & Madanapalli Expires October 2003 [Page 25]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- a. Include Hop-by-Hop extension Header with Router Alert Option
- for 6DNAC as described in IPv6 Router Alert Option[2711].
-
- b. Include FQDN Option in the DAD Neighbor Solicitation Message
-
- 7.4.2.2. Processing Neighbor Solicitation Messages
-
- This is same as described in $7.4.1.2$.
-
- 7.4.2.3. Sending Neighbor Advertisement Messages
-
- This is same as described in $7.4.1.3$.
-
- 7.4.2.4. Processing Neighbor Advertisement Messages
-
- This is same as described in $7.4.1.4$.
-
- 7.4.2.5. Pros and Cons
-
- The advantage of this procedure is that it does not disturb
- the existing implementation and their way of processing the
- packets. The disadvantage is that, it needs the existence
- of Duplicate Address Detection Procedure to perform duplicate
- FQDN detection. Another disadvantage is that this procedure
- requires 6DNAC Server functionality to be implemented on Router.
- However, in this case 6DNAC Server can serve multiple links.
-
- 7.4.3. Explicit Detection of Duplicate Domain Name
-
- In this procedure Duplicate FQDN Detection starts after completion
- of successful Site local or Global Address configuration.
-
- 7.4.3.1. Sending Neighbor Solicitation Messages
-
- 6DNAC Client sends Neighbor Solicitation Messages as part
- of Duplicate FQDN Detection with the following information:
-
- a. Include FQDN Option in the Neighbor Solicitation Message
-
- b. Destination Address is set to All Nodes Multicast Address
- or uses Router Alert Option for 6DNAC, when 6DNAC Server is
- implemented on router.
-
- c. Target Address is set to Unspecified Address
-
- d. Other fields are set as per DAD SLAAC [2462].
-
- 7.4.3.2. Processing Neighbor Solicitation Messages
-
- This is same as described in $7.4.1.2$.
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 26]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- 7.4.3.3. Sending Neighbor Advertisement Messages
-
- This is same as described in $7.4.1.3$.
-
- 7.4.3.4. Processing Neighbor Advertisement Messages
-
- This is same as described in $7.4.1.4$.
-
- 7.4.3.5. Pros and Cons
-
- The advantage of this procedure is that it does not need the
- existing duplicate address detection procedure. This is introduced
- as the DAD procedure is found to be redundant in when IPv6 addresses
- are constructed from the interface ID [DIID].
-
- Note that, if 6DNAC Clients know the address of 6DNAC Server then
- they can directly send DFQDND-NS to 6DNAC Server.
-
- 7.4.4. Retry Mode for Re-registering Domain Name
-
- In retry mode, nodes construct new FQDN as per Host Naming Algorithm.
- Then they restart Duplicate FQDN Detection as described in $7.4.3$.
-
-
- 7.5. Domain Name Registration
-
- 6DNAC Server must be an authenticated to update the DNS Server.
- 6DNAC Server must also be configured with the DNS Server
- information.
-
- 6DNAC Server detects the DNS information (IPv6 Address and
- corresponding FQDN) from DAD/DFQDND messages and caches the
- information. It also have an associated Registration Timer with
- RegistrationWaitTime to wait for the successful completion of
- DFQDND and update DNS Server using existing protocol DDNS UPDATE
- [2136].
-
-
- 8. Security Consideration
-
- If someone wants to hijack correct Domain Name registration, they
- could send a NS message with incorrect or same Domain Name to the
- 6DNAC server repeatedly and server would start the Domain Name
- registration through above mechanism, which is a security hole.
- As described in [2461], a host can check validity of NDP messages.
- If the NDP message include an IP Authentication Header, the message
- authenticates correctly. For DNS UPDATE processing, secure DNS
- Dynamic Update is described in [3007].
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 27]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- 9. IANA Consideration
-
- Values in the Router Alert Option are registered and maintained by
- IANA. For 6DNAC, the value has to be assigned by IANA. Also IANA is
- required to assign the Type values for DNS Zone Suffix Information
- option and FADN option.
-
-
- 10. Acknowledgement
-
- Special thanks are due to Badrinarayana N.S. and Christian Huitema for
- many helpful suggestions and revisions.
-
-
- 11. Intellectual Property
-
- The following notice is copied from RFC 2026 [Bradner, 1996],
- Section 10.4, and describes the position of the IETF concerning
- intellectual property claims made against this document.
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use other technology described in
-
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
-
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances
- of licenses to be made available, or the result of an attempt made
- to obtain a general license or permission for the use of such
- proprietary rights by implementers or users of this specification
- can be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
- 12. Copyright
-
- The following copyright notice is copied from RFC 2026 [Bradner,
- 1996], Section 10.4, and describes the applicable copyright for this
- document.
-
- Copyright (C) The Internet Society July 12, 2001. All Rights
- Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
-
-Park & Madanapalli Expires October 2003 [Page 28]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph
- are included on all such copies and derivative works. However, this
-
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
- 13. References
-
- [2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
- [2460] Deering, S. abd R. Hinden, "Internet Protocol,
- Version 6 (IPv6) Specification", RFC 2460,
- December 1998.
-
- [2461] Narten, T., Nordmark, E. and W. Simpson, "Neighbor
- Discovery for IP version 6(IPv6)", RFC 2461, December
- 1998.
-
- [2462] S. Thomson and Narten T, "IPv6 Stateless Address Auto-
- Configuration", RFC 2462, December 1998.
-
- [2711] C. Patridge and A.Jackson, "IPv6 Router Alert Option",
- RFC 2711, October 1999.
-
- [1034] P. Mockapetris, "DOMAIN NAMES - CONCEPTS AND
- FACILITIES", RFC 1034, November 1987.
-
- [1035] P. Mockapetris, "Domain Names - Implementation and
- Specification" RFC 1035, November 1987.
-
- [2136] P. Vixie et al., "Dynamic Updates in the Domain Name
- System (DNS UPDATE)", RFC2136, April 1997.
-
- [3007] B. Wellington, "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
-
-
-Park & Madanapalli Expires October 2003 [Page 29]
-
-INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
-
-
- [DIID] yokohama-dad-vs-diid.pdf
- at http://playground.sun.com/ipng/presentations/July2002/
-
- [DNSISSUES] Durand, A., "IPv6 DNS transition issues", draft-ietf-
- dnsop-ipv6-dns-issues-00.txt, work in progress.
-
- [PREFIX] S. Miyakawa, R. Droms, "Requirements for IPv6 prefix
- delegation", draft-ietf-ipv6-prefix-delegation-
- requirement-01.txt, work in progress.
-
- [Autoreg] H. Kitamura, "Domain Name Auto-Registration for
- Plugged-in IPv6 Nodes", draft-ietf-dnsext-ipv6-name-
- auto-reg-00.txt, work in progress.
-
- [NIQ] Matt Crawford, "IPv6 Node Information Queries", <draft-
- ietf-ipngwg-icmp-name-lookups-09.txt>, work in progress.
-
-
- 14. Author's Addresses
-
- Soohong Daniel Park
- Mobile Platform Laboratory, SAMSUNG Electronics, KOREA
- Phone: +82-31-200-3728
- Email:soohong.park@samsung.com
-
- Syam Madanapalli
- Network Systems Division, SAMSUNG India Software Operations, INDIA
- Phone: +91-80-5550555
- Email:syam@samsung.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Park & Madanapalli Expires October 2003 [Page 30]
diff --git a/contrib/bind9/doc/draft/update b/contrib/bind9/doc/draft/update
deleted file mode 100644
index 6ac20904ab20..000000000000
--- a/contrib/bind9/doc/draft/update
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/sh
-commit=
-for i
-do
- z=`expr "$i" : 'http://www.ietf.org/internet-drafts/\(.*\)'`
- if test -n "$z"
- then
- i="$z"
- fi
- if test -f "$i"
- then
- continue
- fi
- pat=`echo "$i" | sed 's/...txt/??.txt/'`
- old=`echo $pat 2> /dev/null`
- if test "X$old" != "X$pat"
- then
- newer=0
- for j in $old
- do
- if test $j ">" $i
- then
- newer=1
- fi
- done
- if test $newer = 1
- then
- continue;
- fi
- fi
- if fetch "http://www.ietf.org/internet-drafts/$i"
- then
- cvs add "$i"
- if test "X$old" != "X$pat"
- then
- rm $old
- cvs delete $old
- commit="$commit $old"
- fi
- commit="$commit $i"
- fi
-done
-if test -n "$commit"
-then
- cvs commit -m "new draft" $commit
-fi
diff --git a/contrib/bind9/doc/misc/Makefile.in b/contrib/bind9/doc/misc/Makefile.in
deleted file mode 100644
index 81f13beee5ce..000000000000
--- a/contrib/bind9/doc/misc/Makefile.in
+++ /dev/null
@@ -1,36 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.12.3 2004/03/08 09:04:25 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_MAKE_RULES@
-
-PERL = @PERL@
-
-MANOBJS = options
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f options
-
-options: ../../bin/tests/cfg_test
- ../../bin/tests/cfg_test --named --grammar | \
- ${PERL} ${srcdir}/format-options.pl >options || \
- rm -f options
diff --git a/contrib/bind9/doc/misc/dnssec b/contrib/bind9/doc/misc/dnssec
deleted file mode 100644
index 79d91cf971a9..000000000000
--- a/contrib/bind9/doc/misc/dnssec
+++ /dev/null
@@ -1,84 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000-2002 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-DNSSEC Release Notes
-
-This document summarizes the state of the DNSSEC implementation in
-this release of BIND9.
-
-
-OpenSSL Library Required
-
-To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
-the OpenSSL library. As of BIND 9.2, the library is no longer
-included in the distribution - it must be provided by the operating
-system or installed separately.
-
-To build BIND 9 with OpenSSL, use "configure --with-openssl". If
-the OpenSSL library is installed in a nonstandard location, you can
-specify a path as in "configure --with-openssl=/var".
-
-
-Key Generation and Signing
-
-The tools for generating DNSSEC keys and signatures are now in the
-bin/dnssec directory. Documentation for these programs can be found
-in doc/arm/Bv9ARM.4.html and the man pages.
-
-The random data used in generating DNSSEC keys and signatures comes
-from either /dev/random (if the OS supports it) or keyboard input.
-Alternatively, a device or file containing entropy/random data can be
-specified.
-
-
-Serving Secure Zones
-
-When acting as an authoritative name server, BIND9 includes KEY, SIG
-and NXT records in responses as specified in RFC2535 when the request
-has the DO flag set in the query.
-
-
-Secure Resolution
-
-Basic support for validation of DNSSEC signatures in responses has
-been implemented but should still be considered experimental.
-
-When acting as a caching name server, BIND9 is capable of performing
-basic DNSSEC validation of positive as well as nonexistence responses.
-This functionality is enabled by including a "trusted-keys" clause
-in the configuration file, containing the top-level zone key of the
-the DNSSEC tree.
-
-Validation of wildcard responses is not currently supported. In
-particular, a "name does not exist" response will validate
-successfully even if it does not contain the NXT records to prove the
-nonexistence of a matching wildcard.
-
-Proof of insecure status for insecure zones delegated from secure
-zones works when the zones are completely insecure. Privately
-secured zones delegated from secure zones will not work in all cases,
-such as when the privately secured zone is served by the same server
-as an ancestor (but not parent) zone.
-
-Handling of the CD bit in queries is now fully implemented. Validation
-is not attempted for recursive queries if CD is set.
-
-
-Secure Dynamic Update
-
-Dynamic update of secure zones has been implemented, but may not be
-complete. Affected NXT and SIG records are updated by the server when
-an update occurs. Advanced access control is possible using the
-"update-policy" statement in the zone definition.
-
-
-Secure Zone Transfers
-
-BIND 9 does not implement the zone transfer security mechanisms of
-RFC2535 section 5.6, and we have no plans to implement them in the
-future as we consider them inferior to the use of TSIG or SIG(0) to
-ensure the integrity of zone transfers.
-
-
-$Id: dnssec,v 1.14.2.6.4.4 2004/03/08 09:04:25 marka Exp $
diff --git a/contrib/bind9/doc/misc/format-options.pl b/contrib/bind9/doc/misc/format-options.pl
deleted file mode 100644
index 5f0975ade820..000000000000
--- a/contrib/bind9/doc/misc/format-options.pl
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/perl
-#
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: format-options.pl,v 1.1.206.1 2004/03/06 13:16:19 marka Exp $
-
-print <<END;
-
-This is a summary of the named.conf options supported by
-this version of BIND 9.
-
-END
-
-# Break long lines
-while (<>) {
- s/\t/ /g;
- if (length >= 79) {
- m!^( *)!;
- my $indent = $1;
- s!^(.{0,75}) (.*)$!\1\n$indent \2!;
- }
- print;
-}
diff --git a/contrib/bind9/doc/misc/ipv6 b/contrib/bind9/doc/misc/ipv6
deleted file mode 100644
index dd96cd27a337..000000000000
--- a/contrib/bind9/doc/misc/ipv6
+++ /dev/null
@@ -1,113 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-Currently, there are multiple interesting problems with ipv6
-implementations on various platforms. These problems range from not
-being able to use ipv6 with bind9 (or in particular the ISC socket
-library, contained in libisc) to listen-on lists not being respected,
-to strange warnings but seemingly correct behavior of named.
-
-COMPILE-TIME ISSUES
--------------------
-
-The socket library requires a certain level of support from the
-operating system. In particular, it must follow the advanced ipv6
-socket API to be usable. The systems which do not follow this will
-currently not get any warnings or errors, but ipv6 will simply not
-function on them.
-
-These systems currently include, but are not limited to:
-
- AIX 3.4 (with ipv6 patches)
-
-
-RUN-TIME ISSUES
----------------
-
-In the original drafts of the ipv6 RFC documents, binding an ipv6
-socket to the ipv6 wildcard address would also cause the socket to
-accept ipv4 connections and datagrams. When an ipv4 packet is
-received on these systems, it is mapped into an ipv6 address. For
-example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4. The intent of
-this mapping was to make transition from an ipv4-only application into
-ipv6 easier, by only requiring one socket to be open on a given port.
-
-Later, it was discovered that this was generally a bad idea. For one,
-many firewalls will block connection to 1.2.3.4, but will let through
-::ffff:1.2.3.4. This, of course, is bad. Also, access control lists
-written to accept only ipv4 addresses were suddenly ignored unless
-they were rewritten to handle the ipv6 mapped addresses as well.
-
-Partly because of these problems, the latest IPv6 API introduces an
-explicit knob (the "IPV6_V6ONLY" socket option ) to turn off the ipv6
-mapped address usage.
-
-In bind9, we first check if both the advanced API and the IPV6_V6ONLY
-socket option are available. If both of them are available, bind9
-named will bind to the ipv6 wildcard port for both TCP and UDP.
-Otherwise named will make a warning and try to bind to all available
-ipv6 addresses separately.
-
-In any case, bind9 named binds to specific addresses for ipv4 sockets.
-
-The followings are historical notes when we always bound to the ipv6
-wildcard port regardless of the availability of the API support.
-These problems should not happen with the closer checks above.
-
-
-IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
----------------------------------------------------------------
-
-The only OS which seems to do this is (some kernel versions of) linux.
-If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific
-ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding
-will fail.
-
-What this means to bind9 is that the application will log warnings
-about being unable to bind to a socket because the address is already
-in use. Since the ipv6 socket will accept ipv4 packets and map them,
-however, the ipv4 addresses continue to function.
-
-The effect is that the config file listen-on directive will not be
-respected on these systems.
-
-
-IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed
-----------------------------------------------------------------
-
-In this case, the system allows opening an ipv6 wildcard address
-socket and then binding to a more specific ipv4 address later. An
-example of this type of system is Digital Unix with ipv6 patches
-applied.
-
-What this means to bind9 is that the application will respect
-listen-on in regards to ipv4 sockets, but it will use mapped ipv6
-addresses for any that do not match the listen-on list. This, in
-effect, makes listen-on useless for these machines as well.
-
-
-IPV6 Sockets Do Not Accept IPV4
--------------------------------
-
-On these systems, opening an IPV6 socket does not implicitly open any
-ipv4 sockets. An example of these systems are NetBSD-current with the
-latest KAME patch, and other systems which use the latest KAME patches
-as their ipv6 implementation.
-
-On these systems, listen-on is fully functional, as the ipv6 socket
-only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4
-packets.
-
-
-RELEVANT RFCs
--------------
-
-3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
-
-3493: Basic Socket Interface Extensions for IPv6
-
-3542: Advanced Sockets Application Program Interface (API) for IPv6
-
-
-$Id: ipv6,v 1.5.206.4 2004/08/10 04:28:15 jinmei Exp $
diff --git a/contrib/bind9/doc/misc/migration b/contrib/bind9/doc/misc/migration
deleted file mode 100644
index af9fccb221e3..000000000000
--- a/contrib/bind9/doc/misc/migration
+++ /dev/null
@@ -1,255 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
- BIND 8 to BIND 9 Migration Notes
-
-BIND 9 is designed to be mostly upwards compatible with BIND 8, but
-there is still a number of caveats you should be aware of when
-upgrading an existing BIND 8 installation to use BIND 9.
-
-
-1. Configuration File Compatibility
-
-1.1. Unimplemented Options and Changed Defaults
-
-BIND 9 supports most, but not all of the named.conf options of BIND 8.
-For a complete list of implemented options, see doc/misc/options.
-
-If your named.conf file uses an unimplemented option, named will log a
-warning message. A message is also logged about each option whose
-default has changed unless the option is set explicitly in named.conf.
-
-The default of the "transfer-format" option has changed from
-"one-answer" to "many-answers". If you have slave servers that do not
-understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
-older) you need to explicitly specify "transfer-format one-answer;" in
-either the options block or a server statement.
-
-1.2. Handling of Configuration File Errors
-
-In BIND 9, named refuses to start if it detects an error in
-named.conf. Earlier versions would start despite errors, causing the
-server to run with a partial configuration. Errors detected during
-subsequent reloads do not cause the server to exit.
-
-Errors in master files do not cause the server to exit, but they
-do cause the zone not to load.
-
-1.3. Logging
-
-The set of logging categories in BIND 9 is different from that
-in BIND 8. If you have customised your logging on a per-category
-basis, you need to modify your logging statement to use the
-new categories.
-
-Another difference is that the "logging" statement only takes effect
-after the entire named.conf file has been read. This means that when
-the server starts up, any messages about errors in the configuration
-file are always logged to the default destination (syslog) when the
-server first starts up, regardless of the contents of the "logging"
-statement. In BIND 8, the new logging configuration took effect
-immediately after the "logging" statement was read.
-
-1.4. Notify messages and Refresh queries
-
-The source address and port for these is now controlled by
-"notify-source" and "transfer-source", respectively, rather that
-query-source as in BIND 8.
-
-1.5. Multiple Classes.
-
-Multiple classes have to be put into explicit views for each class.
-
-
-2. Zone File Compatibility
-
-2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
-
-BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
-omitted TTLs in zone files. Omitted TTLs are replaced by the value
-specified with the $TTL directive, or by the previous explicit TTL if
-there is no $TTL directive.
-
-If there is no $TTL directive and the first RR in the file does not
-have an explicit TTL field, the zone file is illegal according to
-RFC1035 since the TTL of the first RR is undefined. Unfortunately,
-BIND 4 and many versions of BIND 8 accept such files without warning
-and use the value of the SOA MINTTL field as a default for missing TTL
-values.
-
-BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2
-emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
-files anyway (provided the SOA is the first record in the file), but
-will issue the warning message "no TTL specified; using SOA MINTTL
-instead".
-
-To avoid problems, we recommend that you use a $TTL directive in each
-zone file.
-
-2.2. Periods in SOA Serial Numbers Deprecated
-
-Some versions of BIND allow SOA serial numbers with an embedded
-period, like "3.002", and convert them into integers in a rather
-unintuitive way. This feature is not supported by BIND 9; serial
-numbers must be integers.
-
-2.3. Handling of Unbalanced Quotes
-
-TXT records with unbalanced quotes, like 'host TXT "foo', were not
-treated as errors in some versions of BIND. If your zone files
-contain such records, you will get potentially confusing error
-messages like "unexpected end of file" because BIND 9 will interpret
-everything up to the next quote character as a literal string.
-
-2.4. Handling of Line Breaks
-
-Some versions of BIND accept RRs containing line breaks that are not
-properly quoted with parentheses, like the following SOA:
-
- @ IN SOA ns.example. hostmaster.example.
- ( 1 3600 1800 1814400 3600 )
-
-This is not legal master file syntax and will be treated as an error
-by BIND 9. The fix is to move the opening parenthesis to the first
-line.
-
-2.5. Unimplemented BIND 8 Extensions
-
-$GENERATE: The "$$" construct for getting a literal $ into a domain
-name is deprecated. Use \$ instead.
-
-2.6. TXT records are no longer automatically split.
-
-Some versions of BIND accepted strings in TXT RDATA consisting of more
-than 255 characters and silently split them to be able to encode the
-strings in a protocol conformant way. You may now see errors like this
- dns_rdata_fromtext: local.db:119: ran out of space
-if you have TXT RRs with too longs strings. Make sure to split the
-string in the zone data file at or before a single one reaches 255
-characters.
-
-3. Interoperability Impact of New Protocol Features
-
-3.1. EDNS0
-
-BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
-also sets an EDNS flag bit in queries to indicate that it wishes to
-receive DNSSEC responses; this flag bit usage is not yet standardised,
-but we hope it will be.
-
-Most older servers that do not support EDNS0, including prior versions
-of BIND, will send a FORMERR or NOTIMP response to these queries.
-When this happens, BIND 9 will automatically retry the query without
-EDNS0.
-
-Unfortunately, there exists at least one non-BIND name server
-implementation that silently ignores these queries instead of sending
-an error response. Resolving names in zones where all or most
-authoritative servers use this server will be very slow or fail
-completely. We have contacted the manufacturer of the name server in
-case, and they are working on a solution.
-
-When BIND 9 communicates with a server that does support EDNS0, such as
-another BIND 9 server, responses of up to 4096 bytes may be
-transmitted as a single UDP datagram which is subject to fragmentation
-at the IP level. If a firewall incorrectly drops IP fragments, it can
-cause resolution to slow down dramatically or fail.
-
-3.2. Zone Transfers
-
-Outgoing zone transfers now use the "many-answers" format by default.
-This format is not understood by certain old versions of BIND 4.
-You can work around this problem using the option "transfer-format
-one-answer;", but since these old versions all have known security
-problems, the correct fix is to upgrade the slave servers.
-
-Zone transfers to Windows 2000 DNS servers sometimes fail due to a
-bug in the Windows 2000 DNS server where DNS messages larger than
-16K are not handled properly. Obtain the latest service pack for
-Windows 2000 from Microsoft to address this issue. In the meantime,
-the problem can be worked around by setting "transfer-format one-answer;".
-http://support.microsoft.com/default.aspx?scid=kb;en-us;297936
-
-4. Unrestricted Character Set
-
-BIND 9 does not restrict the character set of domain names - it is
-fully 8-bit clean in accordance with RFC2181 section 11.
-
-It is strongly recommended that hostnames published in the DNS follow
-the RFC952 rules, but BIND 9 will not enforce this restriction.
-
-Historically, some applications have suffered from security flaws
-where data originating from the network, such as names returned by
-gethostbyaddr(), are used with insufficient checking and may cause a
-breach of security when containing unexpected characters; see
-<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
-for details. Some earlier versions of BIND attempt to protect these
-flawed applications from attack by discarding data containing
-characters deemed inappropriate in host names or mail addresses, under
-the control of the "check-names" option in named.conf and/or "options
-no-check-names" in resolv.conf. BIND 9 provides no such protection;
-if applications with these flaws are still being used, they should
-be upgraded.
-
-
-5. Server Administration Tools
-
-5.1 Ndc Replaced by Rndc
-
-The "ndc" program has been replaced by "rndc", which is capable of
-remote operation. Unlike ndc, rndc requires a configuration file.
-The easiest way to generate a configuration file is to run
-"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
-and rndc.conf(5) for details.
-
-5.2. Nsupdate Differences
-
-The BIND 8 implementation of nsupdate had an undocumented feature
-where an update request would be broken down into multiple requests
-based upon the discovered zones that contained the records. This
-behaviour has not been implemented in BIND 9. Each update request
-must pertain to a single zone, but it is still possible to do multiple
-updates in a single invocation of nsupdate by terminating each update
-with an empty line or a "send" command.
-
-
-6. No Information Leakage between Zones
-
-BIND 9 stores the authoritative data for each zone in a separate data
-structure, as recommended in RFC1035 and as required by DNSSEC and
-IXFR. When a BIND 9 server is authoritative for both a child zone and
-its parent, it will have two distinct sets of NS records at the
-delegation point: the authoritative NS records at the child's apex,
-and a set of glue NS records in the parent.
-
-BIND 8 was unable to properly distinguish between these two sets of NS
-records and would "leak" the child's NS records into the parent,
-effectively causing the parent zone to be silently modified: responses
-and zone transfers from the parent contained the child's NS records
-rather than the glue configured into the parent (if any). In the case
-of children of type "stub", this behaviour was documented as a feature,
-allowing the glue NS records to be omitted from the parent
-configuration.
-
-Sites that were relying on this BIND 8 behaviour need to add any
-omitted glue NS records, and any necessary glue A records, to the
-parent zone.
-
-Although stub zones can no longer be used as a mechanism for injecting
-NS records into their parent zones, they are still useful as a way of
-directing queries for a given domain to a particular set of name
-servers.
-
-
-7. Umask not Modified
-
-The BIND 8 named unconditionally sets the umask to 022. BIND 9 does
-not; the umask inherited from the parent process remains in effect.
-This may cause files created by named, such as journal files, to be
-created with different file permissions than they did in BIND 8. If
-necessary, the umask should be set explicitly in the script used to
-start the named process.
-
-
-$Id: migration,v 1.37.2.3.2.3 2004/11/22 22:33:09 marka Exp $
diff --git a/contrib/bind9/doc/misc/migration-4to9 b/contrib/bind9/doc/misc/migration-4to9
deleted file mode 100644
index fa75bacb7013..000000000000
--- a/contrib/bind9/doc/misc/migration-4to9
+++ /dev/null
@@ -1,57 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: migration-4to9,v 1.3.206.1 2004/03/06 13:16:19 marka Exp $
-
- BIND 4 to BIND 9 Migration Notes
-
-To transition from BIND 4 to BIND 9 you first need to convert your
-configuration file to the new format. There is a conversion tool in
-contrib/named-bootconf that allows you to do this.
-
- named-bootconf.sh < /etc/named.boot > /etc/named.conf
-
-BIND 9 uses a system assigned port for the UDP queries it makes rather
-than port 53 that BIND 4 uses. This may conflict with some firewalls.
-The following directives in /etc/named.conf allows you to specify
-a port to use.
-
- query-source address * port 53;
- transfer-source * port 53;
- notify-source * port 53;
-
-BIND 9 no longer uses the minimum field to specify the TTL of records
-without a explicit TTL. Use the $TTL directive to specify a default TTL
-before the first record without a explicit TTL.
-
- $TTL 3600
- @ IN SOA ns1.example.com. hostmaster.example.com. (
- 2001021100
- 7200
- 1200
- 3600000
- 7200 )
-
-BIND 9 does not support multiple CNAMEs with the same owner name.
-
- Illegal:
- www.example.com. CNAME host1.example.com.
- www.example.com. CNAME host2.example.com.
-
-BIND 9 does not support "CNAMEs with other data" with the same owner name,
-ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support.
-
- Illegal:
- www.example.com. CNAME host1.example.com.
- www.example.com. MX 10 host2.example.com.
-
-BIND 9 is less tolerant of errors in master files, so check your logs and
-fix any errors reported. The named-checkzone program can also be to check
-master files.
-
-Outgoing zone transfers now use the "many-answers" format by default.
-This format is not understood by certain old versions of BIND 4.
-You can work around this problem using the option "transfer-format
-one-answer;", but since these old versions all have known security
-problems, the correct fix is to upgrade the slave servers.
diff --git a/contrib/bind9/doc/misc/options b/contrib/bind9/doc/misc/options
deleted file mode 100644
index 01546b72644c..000000000000
--- a/contrib/bind9/doc/misc/options
+++ /dev/null
@@ -1,386 +0,0 @@
-
-This is a summary of the named.conf options supported by
-this version of BIND 9.
-
-options {
- avoid-v4-udp-ports { <port>; ... };
- avoid-v6-udp-ports { <port>; ... };
- blackhole { <address_match_element>; ... };
- coresize <size>;
- datasize <size>;
- deallocate-on-exit <boolean>; // obsolete
- directory <quoted_string>;
- dump-file <quoted_string>;
- fake-iquery <boolean>; // obsolete
- files <size>;
- has-old-clients <boolean>; // obsolete
- heartbeat-interval <integer>;
- host-statistics <boolean>; // not implemented
- host-statistics-max <integer>; // not implemented
- hostname ( <quoted_string> | none );
- interface-interval <integer>;
- listen-on [ port <integer> ] { <address_match_element>; ... };
- listen-on-v6 [ port <integer> ] { <address_match_element>; ... };
- match-mapped-addresses <boolean>;
- memstatistics-file <quoted_string>;
- multiple-cnames <boolean>; // obsolete
- named-xfer <quoted_string>; // obsolete
- pid-file ( <quoted_string> | none );
- port <integer>;
- querylog <boolean>;
- recursing-file <quoted_string>;
- random-device <quoted_string>;
- recursive-clients <integer>;
- serial-queries <integer>; // obsolete
- serial-query-rate <integer>;
- server-id ( <quoted_string> | none |;
- stacksize <size>;
- statistics-file <quoted_string>;
- statistics-interval <integer>; // not yet implemented
- tcp-clients <integer>;
- tcp-listen-queue <integer>;
- tkey-dhkey <quoted_string> <integer>;
- tkey-gssapi-credential <quoted_string>;
- tkey-domain <quoted_string>;
- transfers-per-ns <integer>;
- transfers-in <integer>;
- transfers-out <integer>;
- treat-cr-as-space <boolean>; // obsolete
- use-id-pool <boolean>; // obsolete
- use-ixfr <boolean>;
- version ( <quoted_string> | none );
- flush-zones-on-shutdown <boolean>;
- allow-recursion { <address_match_element>; ... };
- allow-v6-synthesis { <address_match_element>; ... }; // obsolete
- sortlist { <address_match_element>; ... };
- topology { <address_match_element>; ... }; // not implemented
- auth-nxdomain <boolean>; // default changed
- minimal-responses <boolean>;
- recursion <boolean>;
- rrset-order { [ class <string> ] [ type <string> ] [ name
- <quoted_string> ] <string> <string>; ... };
- provide-ixfr <boolean>;
- request-ixfr <boolean>;
- fetch-glue <boolean>; // obsolete
- rfc2308-type1 <boolean>; // not yet implemented
- additional-from-auth <boolean>;
- additional-from-cache <boolean>;
- query-source <querysource4>;
- query-source-v6 <querysource6>;
- cleaning-interval <integer>;
- min-roots <integer>; // not implemented
- lame-ttl <integer>;
- max-ncache-ttl <integer>;
- max-cache-ttl <integer>;
- transfer-format ( many-answers | one-answer );
- max-cache-size <size_no_default>;
- check-names ( master | slave | response ) ( fail | warn | ignore );
- cache-file <quoted_string>;
- suppress-initial-notify <boolean>; // not yet implemented
- preferred-glue <string>;
- dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
- <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
- edns-udp-size <integer>;
- root-delegation-only [ exclude { <quoted_string>; ... } ];
- disable-algorithms <string> { <string>; ... };
- dnssec-enable <boolean>;
- dnssec-lookaside <string> trust-anchor <string>;
- dnssec-must-be-secure <string> <boolean>;
- allow-query { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- allow-notify { <address_match_element>; ... };
- notify <notifytype>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
- also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
- ) [ port <integer> ]; ... };
- dialup <dialuptype>;
- forward ( first | only );
- forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
- [ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
- maintain-ixfr-base <boolean>; // obsolete
- max-ixfr-log-size <size>; // obsolete
- max-journal-size <size_no_default>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-retry-time <integer>;
- min-retry-time <integer>;
- max-refresh-time <integer>;
- min-refresh-time <integer>;
- multi-master <boolean>;
- sig-validity-interval <integer>;
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
- alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
- ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
- * ) ];
- use-alt-transfer-source <boolean>;
- zone-statistics <boolean>;
- key-directory <quoted_string>;
-};
-
-controls {
- inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
- ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ];
- unix <unsupported>; // not implemented
-};
-
-acl <string> { <address_match_element>; ... };
-
-masters <string> [ port <integer> ] { ( <masters> | <ipv4_address> [port
- <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
-
-logging {
- channel <string> {
- file <log_file>;
- syslog <optional_facility>;
- null;
- stderr;
- severity <log_severity>;
- print-time <boolean>;
- print-severity <boolean>;
- print-category <boolean>;
- };
- category <string> { <string>; ... };
-};
-
-view <string> <optional_class> {
- match-clients { <address_match_element>; ... };
- match-destinations { <address_match_element>; ... };
- match-recursive-only <boolean>;
- key <string> {
- algorithm <string>;
- secret <string>;
- };
- zone <string> <optional_class> {
- type ( master | slave | stub | hint | forward |
- delegation-only );
- allow-update { <address_match_element>; ... };
- file <quoted_string>;
- ixfr-base <quoted_string>; // obsolete
- ixfr-tmp-file <quoted_string>; // obsolete
- masters [ port <integer> ] { ( <masters> | <ipv4_address>
- [port <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
- pubkey <integer> <integer> <integer> <quoted_string>; //
- obsolete
- update-policy { ( grant | deny ) <string> ( name |
- subdomain | wildcard | self ) <string> <rrtypelist>; ... };
- database <string>;
- delegation-only <boolean>;
- check-names ( fail | warn | ignore );
- allow-query { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- allow-notify { <address_match_element>; ... };
- notify <notifytype>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
- ) ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
- | * ) ];
- also-notify [ port <integer> ] { ( <ipv4_address> |
- <ipv6_address> ) [ port <integer> ]; ... };
- dialup <dialuptype>;
- forward ( first | only );
- forwarders [ port <integer> ] { ( <ipv4_address> |
- <ipv6_address> ) [ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
- maintain-ixfr-base <boolean>; // obsolete
- max-ixfr-log-size <size>; // obsolete
- max-journal-size <size_no_default>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-retry-time <integer>;
- min-retry-time <integer>;
- max-refresh-time <integer>;
- min-refresh-time <integer>;
- multi-master <boolean>;
- sig-validity-interval <integer>;
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
- * ) ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port (
- <integer> | * ) ];
- alt-transfer-source ( <ipv4_address> | * ) [ port (
- <integer> | * ) ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
- <integer> | * ) ];
- use-alt-transfer-source <boolean>;
- zone-statistics <boolean>;
- key-directory <quoted_string>;
- };
- server <netaddr> {
- bogus <boolean>;
- provide-ixfr <boolean>;
- request-ixfr <boolean>;
- support-ixfr <boolean>; // obsolete
- transfers <integer>;
- transfer-format ( many-answers | one-answer );
- keys <server_key>;
- edns <boolean>;
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
- * ) ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port (
- <integer> | * ) ];
- };
- trusted-keys { <string> <integer> <integer> <integer>
- <quoted_string>; ... };
- allow-recursion { <address_match_element>; ... };
- allow-v6-synthesis { <address_match_element>; ... }; // obsolete
- sortlist { <address_match_element>; ... };
- topology { <address_match_element>; ... }; // not implemented
- auth-nxdomain <boolean>; // default changed
- minimal-responses <boolean>;
- recursion <boolean>;
- rrset-order { [ class <string> ] [ type <string> ] [ name
- <quoted_string> ] <string> <string>; ... };
- provide-ixfr <boolean>;
- request-ixfr <boolean>;
- fetch-glue <boolean>; // obsolete
- rfc2308-type1 <boolean>; // not yet implemented
- additional-from-auth <boolean>;
- additional-from-cache <boolean>;
- query-source <querysource4>;
- query-source-v6 <querysource6>;
- cleaning-interval <integer>;
- min-roots <integer>; // not implemented
- lame-ttl <integer>;
- max-ncache-ttl <integer>;
- max-cache-ttl <integer>;
- transfer-format ( many-answers | one-answer );
- max-cache-size <size_no_default>;
- check-names ( master | slave | response ) ( fail | warn | ignore );
- cache-file <quoted_string>;
- suppress-initial-notify <boolean>; // not yet implemented
- preferred-glue <string>;
- dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
- <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
- edns-udp-size <integer>;
- root-delegation-only [ exclude { <quoted_string>; ... } ];
- disable-algorithms <string> { <string>; ... };
- dnssec-enable <boolean>;
- dnssec-lookaside <string> trust-anchor <string>;
- dnssec-must-be-secure <string> <boolean>;
- allow-query { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- allow-notify { <address_match_element>; ... };
- notify <notifytype>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
- also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
- ) [ port <integer> ]; ... };
- dialup <dialuptype>;
- forward ( first | only );
- forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
- [ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
- maintain-ixfr-base <boolean>; // obsolete
- max-ixfr-log-size <size>; // obsolete
- max-journal-size <size_no_default>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-retry-time <integer>;
- min-retry-time <integer>;
- max-refresh-time <integer>;
- min-refresh-time <integer>;
- multi-master <boolean>;
- sig-validity-interval <integer>;
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
- alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
- ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
- * ) ];
- use-alt-transfer-source <boolean>;
- zone-statistics <boolean>;
- key-directory <quoted_string>;
-};
-
-lwres {
- listen-on [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
- [ port <integer> ]; ... };
- view <string> <optional_class>;
- search { <string>; ... };
- ndots <integer>;
-};
-
-key <string> {
- algorithm <string>;
- secret <string>;
-};
-
-zone <string> <optional_class> {
- type ( master | slave | stub | hint | forward | delegation-only );
- allow-update { <address_match_element>; ... };
- file <quoted_string>;
- ixfr-base <quoted_string>; // obsolete
- ixfr-tmp-file <quoted_string>; // obsolete
- masters [ port <integer> ] { ( <masters> | <ipv4_address> [port
- <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
- pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
- update-policy { ( grant | deny ) <string> ( name | subdomain |
- wildcard | self ) <string> <rrtypelist>; ... };
- database <string>;
- delegation-only <boolean>;
- check-names ( fail | warn | ignore );
- allow-query { <address_match_element>; ... };
- allow-transfer { <address_match_element>; ... };
- allow-update-forwarding { <address_match_element>; ... };
- allow-notify { <address_match_element>; ... };
- notify <notifytype>;
- notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
- notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
- also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
- ) [ port <integer> ]; ... };
- dialup <dialuptype>;
- forward ( first | only );
- forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
- [ port <integer> ]; ... };
- ixfr-from-differences <boolean>;
- maintain-ixfr-base <boolean>; // obsolete
- max-ixfr-log-size <size>; // obsolete
- max-journal-size <size_no_default>;
- max-transfer-time-in <integer>;
- max-transfer-time-out <integer>;
- max-transfer-idle-in <integer>;
- max-transfer-idle-out <integer>;
- max-retry-time <integer>;
- min-retry-time <integer>;
- max-refresh-time <integer>;
- min-refresh-time <integer>;
- multi-master <boolean>;
- sig-validity-interval <integer>;
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
- alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
- ];
- alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
- * ) ];
- use-alt-transfer-source <boolean>;
- zone-statistics <boolean>;
- key-directory <quoted_string>;
-};
-
-server <netaddr> {
- bogus <boolean>;
- provide-ixfr <boolean>;
- request-ixfr <boolean>;
- support-ixfr <boolean>; // obsolete
- transfers <integer>;
- transfer-format ( many-answers | one-answer );
- keys <server_key>;
- edns <boolean>;
- transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
- transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
-};
-
-trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
-
diff --git a/contrib/bind9/doc/misc/rfc-compliance b/contrib/bind9/doc/misc/rfc-compliance
deleted file mode 100644
index 6a3fac12f96e..000000000000
--- a/contrib/bind9/doc/misc/rfc-compliance
+++ /dev/null
@@ -1,62 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: rfc-compliance,v 1.3.206.1 2004/03/06 13:16:20 marka Exp $
-
-BIND 9 is striving for strict compliance with IETF standards. We
-believe this release of BIND 9 complies with the following RFCs, with
-the caveats and exceptions listed in the numbered notes below. Note
-that a number of these RFCs do not have the status of Internet
-standards but are proposed or draft standards, experimental RFCs,
-or Best Current Practice (BCP) documents.
-
- RFC1034
- RFC1035 [1] [2]
- RFC1123
- RFC1183
- RFC1535
- RFC1536
- RFC1706
- RFC1712
- RFC1750
- RFC1876
- RFC1982
- RFC1995
- RFC1996
- RFC2136
- RFC2163
- RFC2181
- RFC2230
- RFC2308
- RFC2535 [3] [4]
- RFC2536
- RFC2537
- RFC2538
- RFC2539
- RFC2671
- RFC2672
- RFC2673
- RFC2782
- RFC2915
- RFC2930
- RFC2931 [5]
- RFC3007
-
-
-[1] Queries to zones that have failed to load return SERVFAIL rather
-than a non-authoritative response. This is considered a feature.
-
-[2] CLASS ANY queries are not supported. This is considered a feature.
-
-[3] Wildcard records are not supported in DNSSEC secure zones.
-
-[4] Servers authoritative for secure zones being resolved by BIND 9
-must support EDNS0 (RFC2671), and must return all relevant SIGs and
-NXTs in responses rather than relying on the resolving server to
-perform separate queries for missing SIGs and NXTs.
-
-[5] When receiving a query signed with a SIG(0), the server will only
-be able to verify the signature if it has the key in its local
-authoritative data; it will not do recursion or validation to
-retrieve unknown keys.
diff --git a/contrib/bind9/doc/misc/roadmap b/contrib/bind9/doc/misc/roadmap
deleted file mode 100644
index 72021b82f662..000000000000
--- a/contrib/bind9/doc/misc/roadmap
+++ /dev/null
@@ -1,47 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: roadmap,v 1.1.206.1 2004/03/06 13:16:20 marka Exp $
-
-Road Map to the BIND 9 Source Tree
-
-bin/named The name server. This relies heavily on the
- libraries in lib/isc and lib/dns.
- client.c Handling of incoming client requests
- query.c Query processing
-bin/rndc The remote name daemon control program
-bin/dig The "dig" program
-bin/dnssec The DNSSEC signer and other DNSSEC tools
-bin/nsupdate The "nsupdate" program
-bin/tests Test suites and miscellaneous test programs
-bin/tests/system System tests; see bin/tests/system/README
-lib/dns The DNS library
- resolver.c The "full resolver" (performs recursive lookups)
- validator.c The DNSSEC validator
- db.c The database interface
- sdb.c The simple database interface
- rbtdb.c The red-black tree database
-lib/dns/rdata Routines for handling the various RR types
-lib/dns/sec Cryptographic libraries for DNSSEC
-lib/isc The ISC library
- task.c Task library
- unix/socket.c Unix implementation of socket library
-lib/isccfg Routines for reading and writing ISC-style
- configuration files like named.conf and rndc.conf
-lib/isccc The command channel library, used by rndc.
-lib/tests Support code for the test suites.
-lib/lwres The lightweight resolver library.
-doc/draft Current internet-drafts pertaining to the DNS
-doc/rfc RFCs pertaining to the DNS
-doc/misc Miscellaneous documentation
-doc/arm The BIND 9 Administrator Reference Manual
-doc/man Man pages
-contrib Contributed and other auxiliary code
-contrib/idn/mdnkit The multilingual domain name evaluation kit
-contrib/sdb Sample drivers for the simple database interface
-make Makefile fragments, used by configure
-
-The library interfaces are mainly documented in the form of comments
-in the header files. For example, the task subsystem is documented in
-lib/isc/include/isc/task.h
diff --git a/contrib/bind9/doc/misc/sdb b/contrib/bind9/doc/misc/sdb
deleted file mode 100644
index 0de0ab8943c6..000000000000
--- a/contrib/bind9/doc/misc/sdb
+++ /dev/null
@@ -1,169 +0,0 @@
-Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 2000, 2001 Internet Software Consortium.
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-Using the BIND 9 Simplified Database Interface
-
-This document describes the care and feeding of the BIND 9 Simplified
-Database Interface, which allows you to extend BIND 9 with new ways
-of obtaining the data that is published as DNS zones.
-
-
-The Original BIND 9 Database Interface
-
-BIND 9 has a well-defined "back-end database interface" that makes it
-possible to replace the component of the name server responsible for
-the storage and retrieval of zone data, called the "database", on a
-per-zone basis. The default database is an in-memory, red-black-tree
-data structure commonly referred to as "rbtdb", but it is possible to
-write drivers to support any number of alternative database
-technologies such as in-memory hash tables, application specific
-persistent on-disk databases, object databases, or relational
-databases.
-
-The original BIND 9 database interface defined in <dns/db.h> is
-designed to efficiently support the full set of database functionality
-needed by a name server that implements the complete DNS protocols,
-including features such as zone transfers, dynamic update, and DNSSEC.
-Each of these aspects of name server operations places its own set of
-demands on the data store, with the result that the database API is
-quite complex and contains operations that are highly specific to the
-DNS. For example, data are stored in a binary format, the name space
-is tree structured, and sets of data records are conceptually
-associated with DNSSEC signature sets. For these reasons, writing a
-driver using this interface is a highly nontrivial undertaking.
-
-
-The Simplified Database Interface
-
-Many BIND users wish to provide access to various data sources through
-the DNS, but are not necessarily interested in completely replacing
-the in-memory "rbt" database or in supporting features like dynamic
-update, DNSSEC, or even zone transfers.
-
-Often, all you want is limited, read-only DNS access to an existing
-system. For example, you may have an existing relational database
-containing hostname/address mappings and wish to provide forvard and
-reverse DNS lookups based on this information. Or perhaps you want to
-set up a simple DNS-based load balancing system where the name server
-answers queries about a single DNS name with a dynamically changing
-set of A records.
-
-BIND 9.1 introduced a new, simplified database interface, or "sdb",
-which greatly simplifies the writing of drivers for these kinds of
-applications.
-
-
-The sdb Driver
-
-An sdb driver is an object module, typically written in C, which is
-linked into the name server and registers itself with the sdb
-subsystem. It provides a set of callback functions, which also serve
-to advertise its capabilities. When the name server receives DNS
-queries, invokes the callback functions to obtain the data to respond
-with.
-
-Unlike the full database interface, the sdb interface represents all
-domain names and resource records as ASCII text.
-
-
-Writing an sdb Driver
-
-When a driver is registered, it specifies its name, a list of callback
-functions, and flags.
-
-The flags specify whether the driver wants to use relative domain
-names where possible.
-
-The callback functions are as follows. The only one that must be
-defined is lookup().
-
- - create(zone, argc, argv, driverdata, dbdata)
- Create a database object for "zone".
-
- - destroy(zone, driverdata, dbdata)
- Destroy the database object for "zone".
-
- - lookup(zone, name, dbdata, lookup)
- Return all the records at the domain name "name".
-
- - authority(zone, dbdata, lookup)
- Return the SOA and NS records at the zone apex.
-
- - allnodes(zone, dbdata, allnodes)
- Return all data in the zone, for zone transfers.
-
-For more detail about these functions and their parameters, see
-bind9/lib/dns/include/dns/sdb.h. For example drivers, see
-bind9/contrib/sdb.
-
-
-Rebuilding the Server
-
-The driver module and header file must be copied to (or linked into)
-the bind9/bin/named and bind9/bin/named/include directories
-respectively, and must be added to the DBDRIVER_OBJS and DBDRIVER_SRCS
-lines in bin/named/Makefile.in (e.g. for the timedb sample sdb driver,
-add timedb.c to DBDRIVER_SRCS and timedb.@O@ to DBDRIVER_OBJS). If
-the driver needs additional header files or libraries in nonstandard
-places, the DBDRIVER_INCLUDES and DBDRIVER_LIBS lines should also be
-updated.
-
-Calls to dns_sdb_register() and dns_sdb_unregister() (or wrappers,
-e.g. timedb_init() and timedb_clear() for the timedb sample sdb
-driver) must be inserted into the server, in bind9/bin/named/main.c.
-Registration should be in setup(), before the call to
-ns_server_create(). Unregistration should be in cleanup(),
-after the call to ns_server_destroy(). A #include should be added
-corresponding to the driver header file.
-
-You should try doing this with one or more of the sample drivers
-before attempting to write a driver of your own.
-
-
-Configuring the Server
-
-To make a zone use a new database driver, specify a "database" option
-in its "zone" statement in named.conf. For example, if the driver
-registers itself under the name "acmedb", you might say
-
- zone "foo.com" {
- database "acmedb";
- };
-
-You can pass arbitrary arguments to the create() function of the
-driver by adding any number of whitespace-separated words after the
-driver name:
-
- zone "foo.com" {
- database "acmedb -mode sql -connect 10.0.0.1";
- };
-
-
-Hints for Driver Writers
-
- - If a driver is generating data on the fly, it probably should
- not implement the allnodes() function, since a zone transfer
- will not be meaningful. The allnodes() function is more relevant
- with data from a database.
-
- - The authority() function is necessary if and only if the lookup()
- function will not add SOA and NS records at the zone apex. If
- SOA and NS records are provided by the lookup() function,
- the authority() function should be NULL.
-
- - When a driver is registered, an opaque object can be provided. This
- object is passed into the database create() and destroy() functions.
-
- - When a database is created, an opaque object can be created that
- is associated with that database. This object is passed into the
- lookup(), authority(), and allnodes() functions, and is
- destroyed by the destroy() function.
-
-
-Future Directions
-
-A future release may support dynamic loading of sdb drivers.
-
-
-$Id: sdb,v 1.5.206.1 2004/03/06 13:16:20 marka Exp $
diff --git a/contrib/bind9/doc/rfc/index b/contrib/bind9/doc/rfc/index
deleted file mode 100644
index 5c588db93016..000000000000
--- a/contrib/bind9/doc/rfc/index
+++ /dev/null
@@ -1,103 +0,0 @@
- 952: DOD INTERNET HOST TABLE SPECIFICATION
-1032: DOMAIN ADMINISTRATORS GUIDE
-1033: DOMAIN ADMINISTRATORS OPERATIONS GUIDE
-1034: DOMAIN NAMES - CONCEPTS AND FACILITIES
-1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
-1101: DNS Encoding of Network Names and Other Types
-1122: Requirements for Internet Hosts -- Communication Layers
-1123: Requirements for Internet Hosts -- Application and Support
-1183: New DNS RR Definitions (AFSDB, RP, X25, ISDN and RT)
-1348: DNS NSAP RRs
-1535: A Security Problem and Proposed Correction
- With Widely Deployed DNS Software
-1536: Common DNS Implementation Errors and Suggested Fixes
-1537: Common DNS Data File Configuration Errors
-1591: Domain Name System Structure and Delegation
-1611: DNS Server MIB Extensions
-1612: DNS Resolver MIB Extensions
-1706: DNS NSAP Resource Records
-1712: DNS Encoding of Geographical Location
-1750: Randomness Recommendations for Security
-1876: A Means for Expressing Location Information in the Domain Name System
-1886: DNS Extensions to support IP version 6
-1982: Serial Number Arithmetic
-1995: Incremental Zone Transfer in DNS
-1996: A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
-2052: A DNS RR for specifying the location of services (DNS SRV)
-2104: HMAC: Keyed-Hashing for Message Authentication
-2119: Key words for use in RFCs to Indicate Requirement Levels
-2133: Basic Socket Interface Extensions for IPv6
-2136: Dynamic Updates in the Domain Name System (DNS UPDATE)
-2137: Secure Domain Name System Dynamic Update
-2163: Using the Internet DNS to Distribute MIXER
- Conformant Global Address Mapping (MCGAM)
-2168: Resolution of Uniform Resource Identifiers using the Domain Name System
-2181: Clarifications to the DNS Specification
-2230: Key Exchange Delegation Record for the DNS
-2308: Negative Caching of DNS Queries (DNS NCACHE)
-2317: Classless IN-ADDR.ARPA delegation
-2373: IP Version 6 Addressing Architecture
-2374: An IPv6 Aggregatable Global Unicast Address Format
-2375: IPv6 Multicast Address Assignments
-2418: IETF Working Group Guidelines and Procedures
-2535: Domain Name System Security Extensions
-2536: DSA KEYs and SIGs in the Domain Name System (DNS)
-2537: RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
-2538: Storing Certificates in the Domain Name System (DNS)
-2539: Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
-2540: Detached Domain Name System (DNS) Information
-2541: DNS Security Operational Considerations
-2553: Basic Socket Interface Extensions for IPv6
-2671: Extension Mechanisms for DNS (EDNS0)
-2672: Non-Terminal DNS Name Redirection
-2673: Binary Labels in the Domain Name System
-2782: A DNS RR for specifying the location of services (DNS SRV)
-2825: A Tangled Web: Issues of I18N, Domain Names, and the
- Other Internet protocols
-2826: IAB Technical Comment on the Unique DNS Root
-2845: Secret Key Transaction Authentication for DNS (TSIG)
-2874: DNS Extensions to Support IPv6 Address Aggregation and Renumbering
-2915: The Naming Authority Pointer (NAPTR) DNS Resource Record
-2929: Domain Name System (DNS) IANA Considerations
-2930: Secret Key Establishment for DNS (TKEY RR)
-2931: DNS Request and Transaction Signatures ( SIG(0)s )
-3007: Secure Domain Name System (DNS) Dynamic Update
-3008: Domain Name System Security (DNSSEC) Signing Authority
-3071: Reflections on the DNS, RFC 1591, and Categories of Domains
-3090: DNS Security Extension Clarification on Zone Status
-3110: RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
-3123: A DNS RR Type for Lists of Address Prefixes (APL RR)
-3152: Delegation of IP6.ARPA
-3197: Applicability Statement for DNS MIB Extensions
-3225: Indicating Resolver Support of DNSSEC
-3226: DNSSEC and IPv6 A6 aware server/resolver message size requirements
-3258: Distributing Authoritative Name Servers via Shared Unicast Addresses
-3363: Representing Internet Protocol version 6 (IPv6)
- Addresses in the Domain Name System (DNS)
-3364: Tradeoffs in Domain Name System (DNS) Support
- for Internet Protocol version 6 (IPv6)
-3425: Obsoleting IQUERY
-3445: Limiting the Scope of the KEY Resource Record (RR)
-3490: Internationalizing Domain Names In Applications (IDNA)
-3491: Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
-3492: Punycode:A Bootstring encoding of Unicode for
- Internationalized Domain Names in Applications (IDNA)
-3493: Basic Socket Interface Extensions for IPv6
-3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
-3596: DNS Extensions to Support IP Version 6
-3597: Handling of Unknown DNS Resource Record (RR) Types
-3645: Generic Security Service Algorithm for
- Secret Key Transaction Authentication for DNS (GSS-TSIG)
-3655: Redefinition of DNS Authenticated Data (AD) bit
-3658: Delegation Signer (DS) Resource Record (RR)
-3757: Domain Name System KEY (DNSKEY) Resource Record (RR)
- Secure Entry Point (SEP) Flag
-3833: Threat Analysis of the Domain Name System (DNS)
-3845: DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
-3901: DNS IPv6 Transport Operational Guidelines
-4025: A Method for Storing IPsec Keying Material in DNS
-4033: DNS Security Introduction and Requirements
-4034: Resource Records for the DNS Security Extensions
-4035: Protocol Modifications for the DNS Security Extensions
-4074: Common Misbehavior Against DNS Queries for IPv6 Addresses
-4159: Deprecation of "ip6.int"
diff --git a/contrib/bind9/doc/rfc/rfc1032.txt b/contrib/bind9/doc/rfc/rfc1032.txt
deleted file mode 100644
index 0e82721cee71..000000000000
--- a/contrib/bind9/doc/rfc/rfc1032.txt
+++ /dev/null
@@ -1,781 +0,0 @@
-Network Working Group M. Stahl
-Request for Comments: 1032 SRI International
- November 1987
-
-
- DOMAIN ADMINISTRATORS GUIDE
-
-
-STATUS OF THIS MEMO
-
- This memo describes procedures for registering a domain with the
- Network Information Center (NIC) of Defense Data Network (DDN), and
- offers guidelines on the establishment and administration of a domain
- in accordance with the requirements specified in RFC-920. It is
- intended for use by domain administrators. This memo should be used
- in conjunction with RFC-920, which is an official policy statement of
- the Internet Activities Board (IAB) and the Defense Advanced Research
- Projects Agency (DARPA). Distribution of this memo is unlimited.
-
-BACKGROUND
-
- Domains are administrative entities that provide decentralized
- management of host naming and addressing. The domain-naming system
- is distributed and hierarchical.
-
- The NIC is designated by the Defense Communications Agency (DCA) to
- provide registry services for the domain-naming system on the DDN and
- DARPA portions of the Internet.
-
- As registrar of top-level and second-level domains, as well as
- administrator of the root domain name servers on behalf of DARPA and
- DDN, the NIC is responsible for maintaining the root server zone
- files and their binary equivalents. In addition, the NIC is
- responsible for administering the top-level domains of "ARPA," "COM,"
- "EDU," "ORG," "GOV," and "MIL" on behalf of DCA and DARPA until it
- becomes feasible for other appropriate organizations to assume those
- responsibilities.
-
- It is recommended that the guidelines described in this document be
- used by domain administrators in the establishment and control of
- second-level domains.
-
-THE DOMAIN ADMINISTRATOR
-
- The role of the domain administrator (DA) is that of coordinator,
- manager, and technician. If his domain is established at the second
- level or lower in the tree, the DA must register by interacting with
- the management of the domain directly above his, making certain that
-
-
-
-Stahl [Page 1]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- his domain satisfies all the requirements of the administration under
- which his domain would be situated. To find out who has authority
- over the name space he wishes to join, the DA can ask the NIC
- Hostmaster. Information on contacts for the top-level and second-
- level domains can also be found on line in the file NETINFO:DOMAIN-
- CONTACTS.TXT, which is available from the NIC via anonymous FTP.
-
- The DA should be technically competent; he should understand the
- concepts and procedures for operating a domain server, as described
- in RFC-1034, and make sure that the service provided is reliable and
- uninterrupted. It is his responsibility or that of his delegate to
- ensure that the data will be current at all times. As a manager, the
- DA must be able to handle complaints about service provided by his
- domain name server. He must be aware of the behavior of the hosts in
- his domain, and take prompt action on reports of problems, such as
- protocol violations or other serious misbehavior. The administrator
- of a domain must be a responsible person who has the authority to
- either enforce these actions himself or delegate them to someone
- else.
-
- Name assignments within a domain are controlled by the DA, who should
- verify that names are unique within his domain and that they conform
- to standard naming conventions. He furnishes access to names and
- name-related information to users both inside and outside his domain.
- He should work closely with the personnel he has designated as the
- "technical and zone" contacts for his domain, for many administrative
- decisions will be made on the basis of input from these people.
-
-THE DOMAIN TECHNICAL AND ZONE CONTACT
-
- A zone consists of those contiguous parts of the domain tree for
- which a domain server has complete information and over which it has
- authority. A domain server may be authoritative for more than one
- zone. The domain technical/zone contact is the person who tends to
- the technical aspects of maintaining the domain's name server and
- resolver software, and database files. He keeps the name server
- running, and interacts with technical people in other domains and
- zones to solve problems that affect his zone.
-
-POLICIES
-
- Domain or host name choices and the allocation of domain name space
- are considered to be local matters. In the event of conflicts, it is
- the policy of the NIC not to get involved in local disputes or in the
- local decision-making process. The NIC will not act as referee in
- disputes over such matters as who has the "right" to register a
- particular top-level or second-level domain for an organization. The
- NIC considers this a private local matter that must be settled among
-
-
-
-Stahl [Page 2]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- the parties involved prior to their commencing the registration
- process with the NIC. Therefore, it is assumed that the responsible
- person for a domain will have resolved any local conflicts among the
- members of his domain before registering that domain with the NIC.
- The NIC will give guidance, if requested, by answering specific
- technical questions, but will not provide arbitration in disputes at
- the local level. This policy is also in keeping with the distributed
- hierarchical nature of the domain-naming system in that it helps to
- distribute the tasks of solving problems and handling questions.
-
- Naming conventions for hosts should follow the rules specified in
- RFC-952. From a technical standpoint, domain names can be very long.
- Each segment of a domain name may contain up to 64 characters, but
- the NIC strongly advises DAs to choose names that are 12 characters
- or fewer, because behind every domain system there is a human being
- who must keep track of the names, addresses, contacts, and other data
- in a database. The longer the name, the more likely the data
- maintainer is to make a mistake. Users also will appreciate shorter
- names. Most people agree that short names are easier to remember and
- type; most domain names registered so far are 12 characters or fewer.
-
- Domain name assignments are made on a first-come-first-served basis.
- The NIC has chosen not to register individual hosts directly under
- the top-level domains it administers. One advantage of the domain
- naming system is that administration and data maintenance can be
- delegated down a hierarchical tree. Registration of hosts at the
- same level in the tree as a second-level domain would dilute the
- usefulness of this feature. In addition, the administrator of a
- domain is responsible for the actions of hosts within his domain. We
- would not want to find ourselves in the awkward position of policing
- the actions of individual hosts. Rather, the subdomains registered
- under these top-level domains retain the responsibility for this
- function.
-
- Countries that wish to be registered as top-level domains are
- required to name themselves after the two-letter country code listed
- in the international standard ISO-3166. In some cases, however, the
- two-letter ISO country code is identical to a state code used by the
- U.S. Postal Service. Requests made by countries to use the three-
- letter form of country code specified in the ISO-3166 standard will
- be considered in such cases so as to prevent possible conflicts and
- confusion.
-
-
-
-
-
-
-
-
-
-Stahl [Page 3]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
-HOW TO REGISTER
-
- Obtain a domain questionnaire from the NIC hostmaster, or FTP the
- file NETINFO:DOMAIN-TEMPLATE.TXT from host SRI-NIC.ARPA.
-
- Fill out the questionnaire completely. Return it via electronic mail
- to HOSTMASTER@SRI-NIC.ARPA.
-
- The APPENDIX to this memo contains the application form for
- registering a top-level or second-level domain with the NIC. It
- supersedes the version of the questionnaire found in RFC-920. The
- application should be submitted by the person administratively
- responsible for the domain, and must be filled out completely before
- the NIC will authorize establishment of a top-level or second-level
- domain. The DA is responsible for keeping his domain's data current
- with the NIC or with the registration agent with which his domain is
- registered. For example, the CSNET and UUCP managements act as
- domain filters, processing domain applications for their own
- organizations. They pass pertinent information along periodically to
- the NIC for incorporation into the domain database and root server
- files. The online file NETINFO:ALTERNATE-DOMAIN-PROCEDURE.TXT
- outlines this procedure. It is highly recommended that the DA review
- this information periodically and provide any corrections or
- additions. Corrections should be submitted via electronic mail.
-
-WHICH DOMAIN NAME?
-
- The designers of the domain-naming system initiated several general
- categories of names as top-level domain names, so that each could
- accommodate a variety of organizations. The current top-level
- domains registered with the DDN Network Information Center are ARPA,
- COM, EDU, GOV, MIL, NET, and ORG, plus a number of top-level country
- domains. To join one of these, a DA needs to be aware of the purpose
- for which it was intended.
-
- "ARPA" is a temporary domain. It is by default appended to the
- names of hosts that have not yet joined a domain. When the system
- was begun in 1984, the names of all hosts in the Official DoD
- Internet Host Table maintained by the NIC were changed by adding
- of the label ".ARPA" in order to accelerate a transition to the
- domain-naming system. Another reason for the blanket name changes
- was to force hosts to become accustomed to using the new style
- names and to modify their network software, if necessary. This
- was done on a network-wide basis and was directed by DCA in DDN
- Management Bulletin No. 22. Hosts that fall into this domain will
- eventually move to other branches of the domain tree.
-
-
-
-
-
-Stahl [Page 4]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- "COM" is meant to incorporate subdomains of companies and
- businesses.
-
- "EDU" was initiated to accommodate subdomains set up by
- universities and other educational institutions.
-
- "GOV" exists to act as parent domain for subdomains set up by
- government agencies.
-
- "MIL" was initiated to act as parent to subdomains that are
- developed by military organizations.
-
- "NET" was introduced as a parent domain for various network-type
- organizations. Organizations that belong within this top-level
- domain are generic or network-specific, such as network service
- centers and consortia. "NET" also encompasses network
- management-related organizations, such as information centers and
- operations centers.
-
- "ORG" exists as a parent to subdomains that do not clearly fall
- within the other top-level domains. This may include technical-
- support groups, professional societies, or similar organizations.
-
- One of the guidelines in effect in the domain-naming system is that a
- host should have only one name regardless of what networks it is
- connected to. This implies, that, in general, domain names should
- not include routing information or addresses. For example, a host
- that has one network connection to the Internet and another to BITNET
- should use the same name when talking to either network. For a
- description of the syntax of domain names, please refer to Section 3
- of RFC-1034.
-
-VERIFICATION OF DATA
-
- The verification process can be accomplished in several ways. One of
- these is through the NIC WHOIS server. If he has access to WHOIS,
- the DA can type the command "whois domain <domain name><return>".
- The reply from WHOIS will supply the following: the name and address
- of the organization "owning" the domain; the name of the domain; its
- administrative, technical, and zone contacts; the host names and
- network addresses of sites providing name service for the domain.
-
-
-
-
-
-
-
-
-
-
-Stahl [Page 5]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- Example:
-
- @whois domain rice.edu<Return>
-
- Rice University (RICE-DOM)
- Advanced Studies and Research
- Houston, TX 77001
-
- Domain Name: RICE.EDU
-
- Administrative Contact:
- Kennedy, Ken (KK28) Kennedy@LLL-CRG.ARPA (713) 527-4834
- Technical Contact, Zone Contact:
- Riffle, Vicky R. (VRR) rif@RICE.EDU
- (713) 527-8101 ext 3844
-
- Domain servers:
-
- RICE.EDU 128.42.5.1
- PENDRAGON.CS.PURDUE.EDU 128.10.2.5
-
-
- Alternatively, the DA can send an electronic mail message to
- SERVICE@SRI-NIC.ARPA. In the subject line of the message header, the
- DA should type "whois domain <domain name>". The requested
- information will be returned via electronic mail. This method is
- convenient for sites that do not have access to the NIC WHOIS
- service.
-
- The initial application for domain authorization should be submitted
- via electronic mail, if possible, to HOSTMASTER@SRI-NIC.ARPA. The
- questionnaire described in the appendix may be used or a separate
- application can be FTPed from host SRI-NIC.ARPA. The information
- provided by the administrator will be reviewed by hostmaster
- personnel for completeness. There will most likely be a few
- exchanges of correspondence via electronic mail, the preferred method
- of communication, prior to authorization of the domain.
-
-HOW TO GET MORE INFORMATION
-
- An informational table of the top-level domains and their root
- servers is contained in the file NETINFO:DOMAINS.TXT online at SRI-
- NIC.ARPA. This table can be obtained by FTPing the file.
- Alternatively, the information can be acquired by opening a TCP or
- UDP connection to the NIC Host Name Server, port 101 on SRI-NIC.ARPA,
- and invoking the command "ALL-DOM".
-
-
-
-
-
-Stahl [Page 6]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- The following online files, all available by FTP from SRI-NIC.ARPA,
- contain pertinent domain information:
-
- - NETINFO:DOMAINS.TXT, a table of all top-level domains and the
- network addresses of the machines providing domain name
- service for them. It is updated each time a new top-level
- domain is approved.
-
- - NETINFO:DOMAIN-INFO.TXT contains a concise list of all
- top-level and second-level domain names registered with the
- NIC and is updated monthly.
-
- - NETINFO:DOMAIN-CONTACTS.TXT also contains a list of all the
- top level and second-level domains, but includes the
- administrative, technical and zone contacts for each as well.
-
- - NETINFO:DOMAIN-TEMPLATE.TXT contains the questionnaire to be
- completed before registering a top-level or second-level
- domain.
-
- For either general or specific information on the domain system, do
- one or more of the following:
-
- 1. Send electronic mail to HOSTMASTER@SRI-NIC.ARPA
-
- 2. Call the toll-free NIC hotline at (800) 235-3155
-
- 3. Use FTP to get background RFCs and other files maintained
- online at the NIC. Some pertinent RFCs are listed below in
- the REFERENCES section of this memo.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stahl [Page 7]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
-REFERENCES
-
- The references listed here provide important background information
- on the domain-naming system. Path names of the online files
- available via anonymous FTP from the SRI-NIC.ARPA host are noted in
- brackets.
-
- 1. Defense Communications Agency DDN Defense Communications
- System, DDN Management Bulletin No. 22, Domain Names
- Transition, March 1984.
- [ DDN-NEWS:DDN-MGT-BULLETIN-22.TXT ]
-
- 2. Defense Communications Agency DDN Defense Communications
- System, DDN Management Bulletin No. 32, Phase I of the Domain
- Name Implementation, January 1987.
- [ DDN-NEWS:DDN-MGT-BULLETIN-32.TXT ]
-
- 3. Harrenstien, K., M. Stahl, and E. Feinler, "Hostname
- Server", RFC-953, DDN Network Information Center, SRI
- International, October 1985. [ RFC:RFC953.TXT ]
-
- 4. Harrenstien, K., M. Stahl, and E. Feinler, "Official DoD
- Internet Host Table Specification", RFC-952, DDN Network
- Information Center, SRI International, October 1985.
- [ RFC:RFC952.TXT ]
-
- 5. ISO, "Codes for the Representation of Names of Countries",
- ISO-3166, International Standards Organization, May 1981.
- [ Not online ]
-
- 6. Lazear, W.D., "MILNET Name Domain Transition", RFC-1031,
- Mitre Corporation, October 1987. [ RFC:RFC1031.TXT ]
-
- 7. Lottor, M.K., "Domain Administrators Operations Guide",
- RFC-1033, DDN Network Information Center, SRI International,
- July 1987. [ RFC:RFC1033.TXT ]
-
- 8. Mockapetris, P., "Domain Names - Concepts and Facilities",
- RFC-1034, USC Information Sciences Institute, October 1987.
- [ RFC:RFC1034.TXT ]
-
- 9. Mockapetris, P., "Domain Names - Implementation and
- Specification", RFC-1035, USC Information Sciences Institute,
- October 1987. [ RFC:RFC1035.TXT ]
-
- 10. Mockapetris, P., "The Domain Name System", Proceedings of the
- IFIP 6.5 Working Conference on Computer Message Services,
- Nottingham, England, May 1984. Also as ISI/RS-84-133, June
-
-
-
-Stahl [Page 8]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- 1984. [ Not online ]
-
- 11. Mockapetris, P., J. Postel, and P. Kirton, "Name Server
- Design for Distributed Systems", Proceedings of the Seventh
- International Conference on Computer Communication, October
- 30 to November 3 1984, Sidney, Australia. Also as
- ISI/RS-84-132, June 1984. [ Not online ]
-
- 12. Partridge, C., "Mail Routing and the Domain System", RFC-974,
- CSNET-CIC, BBN Laboratories, January 1986.
- [ RFC:RFC974.TXT ]
-
- 13. Postel, J., "The Domain Names Plan and Schedule", RFC-881,
- USC Information Sciences Institute, November 1983.
- [ RFC:RFC881.TXT ]
-
- 14. Reynolds, J., and Postel, J., "Assigned Numbers", RFC-1010
- USC Information Sciences Institute, May 1986.
- [ RFC:RFC1010.TXT ]
-
- 15. Romano, S., and Stahl, M., "Internet Numbers", RFC-1020,
- SRI, November 1987.
- [ RFC:RFC1020.TXT ]
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stahl [Page 9]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
-APPENDIX
-
- The following questionnaire may be FTPed from SRI-NIC.ARPA as
- NETINFO:DOMAIN-TEMPLATE.TXT.
-
- ---------------------------------------------------------------------
-
- To establish a domain, the following information must be sent to the
- NIC Domain Registrar (HOSTMASTER@SRI-NIC.ARPA):
-
- NOTE: The key people must have electronic mailboxes and NIC
- "handles," unique NIC database identifiers. If you have access to
- "WHOIS", please check to see if you are registered and if so, make
- sure the information is current. Include only your handle and any
- changes (if any) that need to be made in your entry. If you do not
- have access to "WHOIS", please provide all the information indicated
- and a NIC handle will be assigned.
-
- (1) The name of the top-level domain to join.
-
- For example: COM
-
- (2) The NIC handle of the administrative head of the organization.
- Alternately, the person's name, title, mailing address, phone number,
- organization, and network mailbox. This is the contact point for
- administrative and policy questions about the domain. In the case of
- a research project, this should be the principal investigator.
-
- For example:
-
- Administrator
-
- Organization The NetWorthy Corporation
- Name Penelope Q. Sassafrass
- Title President
- Mail Address The NetWorthy Corporation
- 4676 Andrews Way, Suite 100
- Santa Clara, CA 94302-1212
- Phone Number (415) 123-4567
- Net Mailbox Sassafrass@ECHO.TNC.COM
- NIC Handle PQS
-
- (3) The NIC handle of the technical contact for the domain.
- Alternately, the person's name, title, mailing address, phone number,
- organization, and network mailbox. This is the contact point for
- problems concerning the domain or zone, as well as for updating
- information about the domain or zone.
-
-
-
-
-Stahl [Page 10]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- For example:
-
- Technical and Zone Contact
-
- Organization The NetWorthy Corporation
- Name Ansel A. Aardvark
- Title Executive Director
- Mail Address The NetWorthy Corporation
- 4676 Andrews Way, Suite 100
- Santa Clara, CA. 94302-1212
- Phone Number (415) 123-6789
- Net Mailbox Aardvark@ECHO.TNC.COM
- NIC Handle AAA2
-
- (4) The name of the domain (up to 12 characters). This is the name
- that will be used in tables and lists associating the domain with the
- domain server addresses. [While, from a technical standpoint, domain
- names can be quite long (programmers beware), shorter names are
- easier for people to cope with.]
-
- For example: TNC
-
- (5) A description of the servers that provide the domain service for
- translating names to addresses for hosts in this domain, and the date
- they will be operational.
-
- A good way to answer this question is to say "Our server is
- supplied by person or company X and does whatever their standard
- issue server does."
-
- For example: Our server is a copy of the one operated by
- the NIC; it will be installed and made operational on
- 1 November 1987.
-
- (6) Domains must provide at least two independent servers for the
- domain. Establishing the servers in physically separate locations
- and on different PSNs is strongly recommended. A description of the
- server machine and its backup, including
-
-
-
-
-
-
-
-
-
-
-
-
-
-Stahl [Page 11]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- (a) Hardware and software (using keywords from the Assigned
- Numbers RFC).
-
- (b) Host domain name and network addresses (which host on which
- network for each connected network).
-
- (c) Any domain-style nicknames (please limit your domain-style
- nickname request to one)
-
- For example:
-
- - Hardware and software
-
- VAX-11/750 and UNIX, or
- IBM-PC and MS-DOS, or
- DEC-1090 and TOPS-20
-
- - Host domain names and network addresses
-
- BAR.FOO.COM 10.9.0.193 on ARPANET
-
- - Domain-style nickname
-
- BR.FOO.COM (same as BAR.FOO.COM 10.9.0.13 on ARPANET)
-
- (7) Planned mapping of names of any other network hosts, other than
- the server machines, into the new domain's naming space.
-
- For example:
-
- BAR-FOO2.ARPA (10.8.0.193) -> FOO2.BAR.COM
- BAR-FOO3.ARPA (10.7.0.193) -> FOO3.BAR.COM
- BAR-FOO4.ARPA (10.6.0.193) -> FOO4.BAR.COM
-
-
- (8) An estimate of the number of hosts that will be in the domain.
-
- (a) Initially
- (b) Within one year
- (c) Two years
- (d) Five years.
-
- For example:
-
- (a) Initially = 50
- (b) One year = 100
- (c) Two years = 200
- (d) Five years = 500
-
-
-
-Stahl [Page 12]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- (9) The date you expect the fully qualified domain name to become
- the official host name in HOSTS.TXT.
-
- Please note: If changing to a fully qualified domain name (e.g.,
- FOO.BAR.COM) causes a change in the official host name of an
- ARPANET or MILNET host, DCA approval must be obtained beforehand.
- Allow 10 working days for your requested changes to be processed.
-
- ARPANET sites should contact ARPANETMGR@DDN1.ARPA. MILNET sites
- should contact HOSTMASTER@SRI-NIC.ARPA, 800-235-3155, for
- further instructions.
-
- (10) Please describe your organization briefly.
-
- For example: The NetWorthy Corporation is a consulting
- organization of people working with UNIX and the C language in an
- electronic networking environment. It sponsors two technical
- conferences annually and distributes a bimonthly newsletter.
-
- ---------------------------------------------------------------------
-
- This example of a completed application corresponds to the examples
- found in the companion document RFC-1033, "Domain Administrators
- Operations Guide."
-
- (1) The name of the top-level domain to join.
-
- COM
-
- (2) The NIC handle of the administrative contact person.
-
- NIC Handle JAKE
-
- (3) The NIC handle of the domain's technical and zone
- contact person.
-
- NIC Handle DLE6
-
- (4) The name of the domain.
-
- SRI
-
- (5) A description of the servers.
-
- Our server is the TOPS20 server JEEVES supplied by ISI; it
- will be installed and made operational on 1 July 1987.
-
-
-
-
-
-Stahl [Page 13]
-
-RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
-
-
- (6) A description of the server machine and its backup:
-
- (a) Hardware and software
-
- DEC-1090T and TOPS20
- DEC-2065 and TOPS20
-
- (b) Host domain name and network address
-
- KL.SRI.COM 10.1.0.2 on ARPANET, 128.18.10.6 on SRINET
- STRIPE.SRI.COM 10.4.0.2 on ARPANET, 128.18.10.4 on SRINET
-
- (c) Domain-style nickname
-
- None
-
- (7) Planned mapping of names of any other network hosts, other than
- the server machines, into the new domain's naming space.
-
- SRI-Blackjack.ARPA (128.18.2.1) -> Blackjack.SRI.COM
- SRI-CSL.ARPA (192.12.33.2) -> CSL.SRI.COM
-
- (8) An estimate of the number of hosts that will be directly within
- this domain.
-
- (a) Initially = 50
- (b) One year = 100
- (c) Two years = 200
- (d) Five years = 500
-
- (9) A date when you expect the fully qualified domain name to become
- the official host name in HOSTS.TXT.
-
- 31 September 1987
-
- (10) Brief description of organization.
-
- SRI International is an independent, nonprofit, scientific
- research organization. It performs basic and applied research
- for government and commercial clients, and contributes to
- worldwide economic, scientific, industrial, and social progress
- through research and related services.
-
-
-
-
-
-
-
-
-
-Stahl [Page 14]
-
diff --git a/contrib/bind9/doc/rfc/rfc1033.txt b/contrib/bind9/doc/rfc/rfc1033.txt
deleted file mode 100644
index 37029fd9ae01..000000000000
--- a/contrib/bind9/doc/rfc/rfc1033.txt
+++ /dev/null
@@ -1,1229 +0,0 @@
-Network Working Group M. Lottor
-Request For Comments: 1033 SRI International
- November 1987
-
-
- DOMAIN ADMINISTRATORS OPERATIONS GUIDE
-
-
-
-STATUS OF THIS MEMO
-
- This RFC provides guidelines for domain administrators in operating a
- domain server and maintaining their portion of the hierarchical
- database. Familiarity with the domain system is assumed.
- Distribution of this memo is unlimited.
-
-ACKNOWLEDGMENTS
-
- This memo is a formatted collection of notes and excerpts from the
- references listed at the end of this document. Of particular mention
- are Paul Mockapetris and Kevin Dunlap.
-
-INTRODUCTION
-
- A domain server requires a few files to get started. It will
- normally have some number of boot/startup files (also known as the
- "safety belt" files). One section will contain a list of possible
- root servers that the server will use to find the up-to-date list of
- root servers. Another section will list the zone files to be loaded
- into the server for your local domain information. A zone file
- typically contains all the data for a particular domain. This guide
- describes the data formats that can be used in zone files and
- suggested parameters to use for certain fields. If you are
- attempting to do anything advanced or tricky, consult the appropriate
- domain RFC's for more details.
-
- Note: Each implementation of domain software may require different
- files. Zone files are standardized but some servers may require
- other startup files. See the appropriate documentation that comes
- with your software. See the appendix for some specific examples.
-
-ZONES
-
- A zone defines the contents of a contiguous section of the domain
- space, usually bounded by administrative boundaries. There will
- typically be a separate data file for each zone. The data contained
- in a zone file is composed of entries called Resource Records (RRs).
-
-
-
-
-Lottor [Page 1]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- You may only put data in your domain server that you are
- authoritative for. You must not add entries for domains other than
- your own (except for the special case of "glue records").
-
- A domain server will probably read a file on start-up that lists the
- zones it should load into its database. The format of this file is
- not standardized and is different for most domain server
- implementations. For each zone it will normally contain the domain
- name of the zone and the file name that contains the data to load for
- the zone.
-
-ROOT SERVERS
-
- A resolver will need to find the root servers when it first starts.
- When the resolver boots, it will typically read a list of possible
- root servers from a file.
-
- The resolver will cycle through the list trying to contact each one.
- When it finds a root server, it will ask it for the current list of
- root servers. It will then discard the list of root servers it read
- from the data file and replace it with the current list it received.
-
- Root servers will not change very often. You can get the names of
- current root servers from the NIC.
-
- FTP the file NETINFO:ROOT-SERVERS.TXT or send a mail request to
- NIC@SRI-NIC.ARPA.
-
- As of this date (June 1987) they are:
-
- SRI-NIC.ARPA 10.0.0.51 26.0.0.73
- C.ISI.EDU 10.0.0.52
- BRL-AOS.ARPA 192.5.25.82 192.5.22.82 128.20.1.2
- A.ISI.EDU 26.3.0.103
-
-RESOURCE RECORDS
-
- Records in the zone data files are called resource records (RRs).
- They are specified in RFC-883 and RFC-973. An RR has a standard
- format as shown:
-
- <name> [<ttl>] [<class>] <type> <data>
-
- The record is divided into fields which are separated by white space.
-
- <name>
-
- The name field defines what domain name applies to the given
-
-
-
-Lottor [Page 2]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- RR. In some cases the name field can be left blank and it will
- default to the name field of the previous RR.
-
- <ttl>
-
- TTL stands for Time To Live. It specifies how long a domain
- resolver should cache the RR before it throws it out and asks a
- domain server again. See the section on TTL's. If you leave
- the TTL field blank it will default to the minimum time
- specified in the SOA record (described later).
-
- <class>
-
- The class field specifies the protocol group. If left blank it
- will default to the last class specified.
-
- <type>
-
- The type field specifies what type of data is in the RR. See
- the section on types.
-
- <data>
-
- The data field is defined differently for each type and class
- of data. Popular RR data formats are described later.
-
- The domain system does not guarantee to preserve the order of
- resource records. Listing RRs (such as multiple address records) in
- a certain order does not guarantee they will be used in that order.
-
- Case is preserved in names and data fields when loaded into the name
- server. All comparisons and lookups in the name server are case
- insensitive.
-
- Parenthesis ("(",")") are used to group data that crosses a line
- boundary.
-
- A semicolon (";") starts a comment; the remainder of the line is
- ignored.
-
- The asterisk ("*") is used for wildcarding.
-
- The at-sign ("@") denotes the current default domain name.
-
-
-
-
-
-
-
-
-Lottor [Page 3]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-NAMES
-
- A domain name is a sequence of labels separated by dots.
-
- Domain names in the zone files can be one of two types, either
- absolute or relative. An absolute name is the fully qualified domain
- name and is terminated with a period. A relative name does not
- terminate with a period, and the current default domain is appended
- to it. The default domain is usually the name of the domain that was
- specified in the boot file that loads each zone.
-
- The domain system allows a label to contain any 8-bit character.
- Although the domain system has no restrictions, other protocols such
- as SMTP do have name restrictions. Because of other protocol
- restrictions, only the following characters are recommended for use
- in a host name (besides the dot separator):
-
- "A-Z", "a-z", "0-9", dash and underscore
-
-TTL's (Time To Live)
-
- It is important that TTLs are set to appropriate values. The TTL is
- the time (in seconds) that a resolver will use the data it got from
- your server before it asks your server again. If you set the value
- too low, your server will get loaded down with lots of repeat
- requests. If you set it too high, then information you change will
- not get distributed in a reasonable amount of time. If you leave the
- TTL field blank, it will default to what is specified in the SOA
- record for the zone.
-
- Most host information does not change much over long time periods. A
- good way to set up your TTLs would be to set them at a high value,
- and then lower the value if you know a change will be coming soon.
- You might set most TTLs to anywhere between a day (86400) and a week
- (604800). Then, if you know some data will be changing in the near
- future, set the TTL for that RR down to a lower value (an hour to a
- day) until the change takes place, and then put it back up to its
- previous value.
-
- Also, all RRs with the same name, class, and type should have the
- same TTL value.
-
-CLASSES
-
- The domain system was designed to be protocol independent. The class
- field is used to identify the protocol group that each RR is in.
-
- The class of interest to people using TCP/IP software is the class
-
-
-
-Lottor [Page 4]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- "Internet". Its standard designation is "IN".
-
- A zone file should only contain RRs of the same class.
-
-TYPES
-
- There are many defined RR types. For a complete list, see the domain
- specification RFCs. Here is a list of current commonly used types.
- The data for each type is described in the data section.
-
- Designation Description
- ==========================================
- SOA Start Of Authority
- NS Name Server
-
- A Internet Address
- CNAME Canonical Name (nickname pointer)
- HINFO Host Information
- WKS Well Known Services
-
- MX Mail Exchanger
-
- PTR Pointer
-
-SOA (Start Of Authority)
-
- <name> [<ttl>] [<class>] SOA <origin> <person> (
- <serial>
- <refresh>
- <retry>
- <expire>
- <minimum> )
-
- The Start Of Authority record designates the start of a zone. The
- zone ends at the next SOA record.
-
- <name> is the name of the zone.
-
- <origin> is the name of the host on which the master zone file
- resides.
-
- <person> is a mailbox for the person responsible for the zone. It is
- formatted like a mailing address but the at-sign that normally
- separates the user from the host name is replaced with a dot.
-
- <serial> is the version number of the zone file. It should be
- incremented anytime a change is made to data in the zone.
-
-
-
-
-Lottor [Page 5]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- <refresh> is how long, in seconds, a secondary name server is to
- check with the primary name server to see if an update is needed. A
- good value here would be one hour (3600).
-
- <retry> is how long, in seconds, a secondary name server is to retry
- after a failure to check for a refresh. A good value here would be
- 10 minutes (600).
-
- <expire> is the upper limit, in seconds, that a secondary name server
- is to use the data before it expires for lack of getting a refresh.
- You want this to be rather large, and a nice value is 3600000, about
- 42 days.
-
- <minimum> is the minimum number of seconds to be used for TTL values
- in RRs. A minimum of at least a day is a good value here (86400).
-
- There should only be one SOA record per zone. A sample SOA record
- would look something like:
-
- @ IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
- 45 ;serial
- 3600 ;refresh
- 600 ;retry
- 3600000 ;expire
- 86400 ) ;minimum
-
-
-NS (Name Server)
-
- <domain> [<ttl>] [<class>] NS <server>
-
- The NS record lists the name of a machine that provides domain
- service for a particular domain. The name associated with the RR is
- the domain name and the data portion is the name of a host that
- provides the service. If machines SRI-NIC.ARPA and C.ISI.EDU provide
- name lookup service for the domain COM then the following entries
- would be used:
-
- COM. NS SRI-NIC.ARPA.
- NS C.ISI.EDU.
-
- Note that the machines providing name service do not have to live in
- the named domain. There should be one NS record for each server for
- a domain. Also note that the name "COM" defaults for the second NS
- record.
-
- NS records for a domain exist in both the zone that delegates the
- domain, and in the domain itself.
-
-
-
-Lottor [Page 6]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-GLUE RECORDS
-
- If the name server host for a particular domain is itself inside the
- domain, then a 'glue' record will be needed. A glue record is an A
- (address) RR that specifies the address of the server. Glue records
- are only needed in the server delegating the domain, not in the
- domain itself. If for example the name server for domain SRI.COM was
- KL.SRI.COM, then the NS record would look like this, but you will
- also need to have the following A record.
-
- SRI.COM. NS KL.SRI.COM.
- KL.SRI.COM. A 10.1.0.2
-
-
-A (Address)
-
- <host> [<ttl>] [<class>] A <address>
-
- The data for an A record is an internet address in dotted decimal
- form. A sample A record might look like:
-
- SRI-NIC.ARPA. A 10.0.0.51
-
- There should be one A record for each address of a host.
-
-CNAME ( Canonical Name)
-
- <nickname> [<ttl>] [<class>] CNAME <host>
-
- The CNAME record is used for nicknames. The name associated with the
- RR is the nickname. The data portion is the official name. For
- example, a machine named SRI-NIC.ARPA may want to have the nickname
- NIC.ARPA. In that case, the following RR would be used:
-
- NIC.ARPA. CNAME SRI-NIC.ARPA.
-
- There must not be any other RRs associated with a nickname of the
- same class.
-
- Nicknames are also useful when a host changes it's name. In that
- case, it is usually a good idea to have a CNAME pointer so that
- people still using the old name will get to the right place.
-
-
-
-
-
-
-
-
-
-Lottor [Page 7]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-HINFO (Host Info)
-
- <host> [<ttl>] [<class>] HINFO <hardware> <software>
-
- The HINFO record gives information about a particular host. The data
- is two strings separated by whitespace. The first string is a
- hardware description and the second is software. The hardware is
- usually a manufacturer name followed by a dash and model designation.
- The software string is usually the name of the operating system.
-
- Official HINFO types can be found in the latest Assigned Numbers RFC,
- the latest of which is RFC-1010. The Hardware type is called the
- Machine name and the Software type is called the System name.
-
- Some sample HINFO records:
-
- SRI-NIC.ARPA. HINFO DEC-2060 TOPS20
- UCBARPA.Berkeley.EDU. HINFO VAX-11/780 UNIX
-
-
-WKS (Well Known Services)
-
- <host> [<ttl>] [<class>] WKS <address> <protocol> <services>
-
- The WKS record is used to list Well Known Services a host provides.
- WKS's are defined to be services on port numbers below 256. The WKS
- record lists what services are available at a certain address using a
- certain protocol. The common protocols are TCP or UDP. A sample WKS
- record for a host offering the same services on all address would
- look like:
-
- Official protocol names can be found in the latest Assigned Numbers
- RFC, the latest of which is RFC-1010.
-
- SRI-NIC.ARPA. WKS 10.0.0.51 TCP TELNET FTP SMTP
- WKS 10.0.0.51 UDP TIME
- WKS 26.0.0.73 TCP TELNET FTP SMTP
- WKS 26.0.0.73 UDP TIME
-
-MX (Mail Exchanger) (See RFC-974 for more details.)
-
- <name> [<ttl>] [<class>] MX <preference> <host>
-
- MX records specify where mail for a domain name should be delivered.
- There may be multiple MX records for a particular name. The
- preference value specifies the order a mailer should try multiple MX
- records when delivering mail. Zero is the highest preference.
- Multiple records for the same name may have the same preference.
-
-
-
-Lottor [Page 8]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- A host BAR.FOO.COM may want its mail to be delivered to the host
- PO.FOO.COM and would then use the MX record:
-
- BAR.FOO.COM. MX 10 PO.FOO.COM.
-
- A host BAZ.FOO.COM may want its mail to be delivered to one of three
- different machines, in the following order:
-
- BAZ.FOO.COM. MX 10 PO1.FOO.COM.
- MX 20 PO2.FOO.COM.
- MX 30 PO3.FOO.COM.
-
- An entire domain of hosts not connected to the Internet may want
- their mail to go through a mail gateway that knows how to deliver
- mail to them. If they would like mail addressed to any host in the
- domain FOO.COM to go through the mail gateway they might use:
-
- FOO.COM. MX 10 RELAY.CS.NET.
- *.FOO.COM. MX 20 RELAY.CS.NET.
-
- Note that you can specify a wildcard in the MX record to match on
- anything in FOO.COM, but that it won't match a plain FOO.COM.
-
-IN-ADDR.ARPA
-
- The structure of names in the domain system is set up in a
- hierarchical way such that the address of a name can be found by
- tracing down the domain tree contacting a server for each label of
- the name. Because of this 'indexing' based on name, there is no easy
- way to translate a host address back into its host name.
-
- In order to do the reverse translation easily, a domain was created
- that uses hosts' addresses as part of a name that then points to the
- data for that host. In this way, there is now an 'index' to hosts'
- RRs based on their address. This address mapping domain is called
- IN-ADDR.ARPA. Within that domain are subdomains for each network,
- based on network number. Also, for consistency and natural
- groupings, the 4 octets of a host number are reversed.
-
- For example, the ARPANET is net 10. That means there is a domain
- called 10.IN-ADDR.ARPA. Within this domain there is a PTR RR at
- 51.0.0.10.IN-ADDR that points to the RRs for the host SRI-NIC.ARPA
- (who's address is 10.0.0.51). Since the NIC is also on the MILNET
- (Net 26, address 26.0.0.73), there is also a PTR RR at 73.0.0.26.IN-
- ADDR.ARPA that points to the same RR's for SRI-NIC.ARPA. The format
- of these special pointers is defined below along with the examples
- for the NIC.
-
-
-
-
-Lottor [Page 9]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-PTR
-
- <special-name> [<ttl>] [<class>] PTR <name>
-
- The PTR record is used to let special names point to some other
- location in the domain tree. They are mainly used in the IN-
- ADDR.ARPA records for translation of addresses to names. PTR's
- should use official names and not aliases.
-
- For example, host SRI-NIC.ARPA with addresses 10.0.0.51 and 26.0.0.73
- would have the following records in the respective zone files for net
- 10 and net 26:
-
- 51.0.0.10.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
- 73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
-
-GATEWAY PTR's
-
- The IN-ADDR tree is also used to locate gateways on a particular
- network. Gateways have the same kind of PTR RRs as hosts (as above)
- but in addition they have other PTRs used to locate them by network
- number alone. These records have only 1, 2, or 3 octets as part of
- the name depending on whether they are class A, B, or C networks,
- respectively.
-
- Lets take the SRI-CSL gateway for example. It connects 3 different
- networks, one class A, one class B and one class C. It will have the
- standard RR's for a host in the CSL.SRI.COM zone:
-
- GW.CSL.SRI.COM. A 10.2.0.2
- A 128.18.1.1
- A 192.12.33.2
-
- Also, in 3 different zones (one for each network), it will have one
- of the following number to name translation pointers:
-
- 2.0.2.10.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
- 1.1.18.128.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
- 1.33.12.192.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
-
- In addition, in each of the same 3 zones will be one of the following
- gateway location pointers:
-
- 10.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
- 18.128.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
- 33.12.192.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
-
-
-
-
-
-Lottor [Page 10]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-INSTRUCTIONS
-
- Adding a subdomain.
-
- To add a new subdomain to your domain:
-
- Setup the other domain server and/or the new zone file.
-
- Add an NS record for each server of the new domain to the zone
- file of the parent domain.
-
- Add any necessary glue RRs.
-
- Adding a host.
-
- To add a new host to your zone files:
-
- Edit the appropriate zone file for the domain the host is in.
-
- Add an entry for each address of the host.
-
- Optionally add CNAME, HINFO, WKS, and MX records.
-
- Add the reverse IN-ADDR entry for each host address in the
- appropriate zone files for each network the host in on.
-
- Deleting a host.
-
- To delete a host from the zone files:
-
- Remove all the hosts' resource records from the zone file of
- the domain the host is in.
-
- Remove all the hosts' PTR records from the IN-ADDR zone files
- for each network the host was on.
-
- Adding gateways.
-
- Follow instructions for adding a host.
-
- Add the gateway location PTR records for each network the
- gateway is on.
-
- Deleting gateways.
-
- Follow instructions for deleting a host.
-
- Also delete the gateway location PTR records for each network
-
-
-
-Lottor [Page 11]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- the gateway was on.
-
-COMPLAINTS
-
- These are the suggested steps you should take if you are having
- problems that you believe are caused by someone else's name server:
-
-
- 1. Complain privately to the responsible person for the domain. You
- can find their mailing address in the SOA record for the domain.
-
- 2. Complain publicly to the responsible person for the domain.
-
- 3. Ask the NIC for the administrative person responsible for the
- domain. Complain. You can also find domain contacts on the NIC in
- the file NETINFO:DOMAIN-CONTACTS.TXT
-
- 4. Complain to the parent domain authorities.
-
- 5. Ask the parent authorities to excommunicate the domain.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 12]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-EXAMPLE DOMAIN SERVER DATABASE FILES
-
- The following examples show how zone files are set up for a typical
- organization. SRI will be used as the example organization. SRI has
- decided to divided their domain SRI.COM into a few subdomains, one
- for each group that wants one. The subdomains are CSL and ISTC.
-
- Note the following interesting items:
-
- There are both hosts and domains under SRI.COM.
-
- CSL.SRI.COM is both a domain name and a host name.
-
- All the domains are serviced by the same pair of domain servers.
-
- All hosts at SRI are on net 128.18 except hosts in the CSL domain
- which are on net 192.12.33. Note that a domain does not have to
- correspond to a physical network.
-
- The examples do not necessarily correspond to actual data in use
- by the SRI domain.
-
- SRI Domain Organization
-
- +-------+
- | COM |
- +-------+
- |
- +-------+
- | SRI |
- +-------+
- |
- +----------++-----------+
- | | |
- +-------+ +------+ +-------+
- | CSL | | ISTC | | Hosts |
- +-------+ +------+ +-------+
- | |
- +-------+ +-------+
- | Hosts | | Hosts |
- +-------+ +-------+
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 13]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- [File "CONFIG.CMD". Since bootstrap files are not standardized, this
- file is presented using a pseudo configuration file syntax.]
-
- load root server list from file ROOT.SERVERS
- load zone SRI.COM. from file SRI.ZONE
- load zone CSL.SRI.COM. from file CSL.ZONE
- load zone ISTC.SRI.COM. from file ISTC.ZONE
- load zone 18.128.IN-ADDR.ARPA. from file SRINET.ZONE
- load zone 33.12.192.IN-ADDR.ARPA. from file SRI-CSL-NET.ZONE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 14]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- [File "ROOT.SERVERS". Again, the format of this file is not
- standardized.]
-
- ;list of possible root servers
- SRI-NIC.ARPA 10.0.0.51 26.0.0.73
- C.ISI.EDU 10.0.0.52
- BRL-AOS.ARPA 192.5.25.82 192.5.22.82 128.20.1.2
- A.ISI.EDU 26.3.0.103
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 15]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- [File "SRI.ZONE"]
-
- SRI.COM. IN SOA KL.SRI.COM. DLE.STRIPE.SRI.COM. (
- 870407 ;serial
- 1800 ;refresh every 30 minutes
- 600 ;retry every 10 minutes
- 604800 ;expire after a week
- 86400 ;default of an hour
- )
-
- SRI.COM. NS KL.SRI.COM.
- NS STRIPE.SRI.COM.
- MX 10 KL.SRI.COM.
-
- ;SRI.COM hosts
-
- KL A 10.1.0.2
- A 128.18.10.6
- MX 10 KL.SRI.COM.
-
- STRIPE A 10.4.0.2
- STRIPE A 128.18.10.4
- MX 10 STRIPE.SRI.COM.
-
- NIC CNAME SRI-NIC.ARPA.
-
- Blackjack A 128.18.2.1
- HINFO VAX-11/780 UNIX
- WKS 128.18.2.1 TCP TELNET FTP
-
- CSL A 192.12.33.2
- HINFO FOONLY-F4 TOPS20
- WKS 192.12.33.2 TCP TELNET FTP SMTP FINGER
- MX 10 CSL.SRI.COM.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 16]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- [File "CSL.ZONE"]
-
- CSL.SRI.COM. IN SOA KL.SRI.COM. DLE.STRIPE.SRI.COM. (
- 870330 ;serial
- 1800 ;refresh every 30 minutes
- 600 ;retry every 10 minutes
- 604800 ;expire after a week
- 86400 ;default of a day
- )
-
- CSL.SRI.COM. NS KL.SRI.COM.
- NS STRIPE.SRI.COM.
- A 192.12.33.2
-
- ;CSL.SRI.COM hosts
-
- A CNAME CSL.SRI.COM.
- B A 192.12.33.3
- HINFO FOONLY-F4 TOPS20
- WKS 192.12.33.3 TCP TELNET FTP SMTP
- GW A 10.2.0.2
- A 192.12.33.1
- A 128.18.1.1
- HINFO PDP-11/23 MOS
- SMELLY A 192.12.33.4
- HINFO IMAGEN IMAGEN
- SQUIRREL A 192.12.33.5
- HINFO XEROX-1100 INTERLISP
- VENUS A 192.12.33.7
- HINFO SYMBOLICS-3600 LISPM
- HELIUM A 192.12.33.30
- HINFO SUN-3/160 UNIX
- ARGON A 192.12.33.31
- HINFO SUN-3/75 UNIX
- RADON A 192.12.33.32
- HINFO SUN-3/75 UNIX
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 17]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- [File "ISTC.ZONE"]
-
- ISTC.SRI.COM. IN SOA KL.SRI.COM. roemers.JOYCE.ISTC.SRI.COM. (
- 870406 ;serial
- 1800 ;refresh every 30 minutes
- 600 ;retry every 10 minutes
- 604800 ;expire after a week
- 86400 ;default of a day
- )
-
- ISTC.SRI.COM. NS KL.SRI.COM.
- NS STRIPE.SRI.COM.
- MX 10 SPAM.ISTC.SRI.COM.
-
- ; ISTC hosts
-
- joyce A 128.18.4.2
- HINFO VAX-11/750 UNIX
- bozo A 128.18.0.6
- HINFO SUN UNIX
- sundae A 128.18.0.11
- HINFO SUN UNIX
- tsca A 128.18.0.201
- A 10.3.0.2
- HINFO VAX-11/750 UNIX
- MX 10 TSCA.ISTC.SRI.COM.
- tsc CNAME tsca
- prmh A 128.18.0.203
- A 10.2.0.51
- HINFO PDP-11/44 UNIX
- spam A 128.18.4.3
- A 10.2.0.107
- HINFO VAX-11/780 UNIX
- MX 10 SPAM.ISTC.SRI.COM.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 18]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- [File "SRINET.ZONE"]
-
- 18.128.IN-ADDR.ARPA. IN SOA KL.SRI.COM DLE.STRIPE.SRI.COM. (
- 870406 ;serial
- 1800 ;refresh every 30 minutes
- 600 ;retry every 10 minutes
- 604800 ;expire after a week
- 86400 ;default of a day
- )
-
- 18.128.IN-ADDR.ARPA. NS KL.SRI.COM.
- NS STRIPE.SRI.COM.
- PTR GW.CSL.SRI.COM.
-
- ; SRINET [128.18.0.0] Address Translations
-
- ; SRI.COM Hosts
- 1.2.18.128.IN-ADDR.ARPA. PTR Blackjack.SRI.COM.
-
- ; ISTC.SRI.COM Hosts
- 2.4.18.128.IN-ADDR.ARPA. PTR joyce.ISTC.SRI.COM.
- 6.0.18.128.IN-ADDR.ARPA. PTR bozo.ISTC.SRI.COM.
- 11.0.18.128.IN-ADDR.ARPA. PTR sundae.ISTC.SRI.COM.
- 201.0.18.128.IN-ADDR.ARPA. PTR tsca.ISTC.SRI.COM.
- 203.0.18.128.IN-ADDR.ARPA. PTR prmh.ISTC.SRI.COM.
- 3.4.18.128.IN-ADDR.ARPA. PTR spam.ISTC.SRI.COM.
-
- ; CSL.SRI.COM Hosts
- 1.1.18.128.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 19]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
- [File "SRI-CSL-NET.ZONE"]
-
- 33.12.192.IN-ADDR.ARPA. IN SOA KL.SRI.COM DLE.STRIPE.SRI.COM. (
- 870404 ;serial
- 1800 ;refresh every 30 minutes
- 600 ;retry every 10 minutes
- 604800 ;expire after a week
- 86400 ;default of a day
- )
-
- 33.12.192.IN-ADDR.ARPA. NS KL.SRI.COM.
- NS STRIPE.SRI.COM.
- PTR GW.CSL.SRI.COM.
-
- ; SRI-CSL-NET [192.12.33.0] Address Translations
-
- ; SRI.COM Hosts
- 2.33.12.192.IN-ADDR.ARPA. PTR CSL.SRI.COM.
-
- ; CSL.SRI.COM Hosts
- 1.33.12.192.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
- 3.33.12.192.IN-ADDR.ARPA. PTR B.CSL.SRI.COM.
- 4.33.12.192.IN-ADDR.ARPA. PTR SMELLY.CSL.SRI.COM.
- 5.33.12.192.IN-ADDR.ARPA. PTR SQUIRREL.CSL.SRI.COM.
- 7.33.12.192.IN-ADDR.ARPA. PTR VENUS.CSL.SRI.COM.
- 30.33.12.192.IN-ADDR.ARPA. PTR HELIUM.CSL.SRI.COM.
- 31.33.12.192.IN-ADDR.ARPA. PTR ARGON.CSL.SRI.COM.
- 32.33.12.192.IN-ADDR.ARPA. PTR RADON.CSL.SRI.COM.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 20]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-APPENDIX
-
- BIND (Berkeley Internet Name Domain server) distributed with 4.3 BSD
- UNIX
-
- This section describes two BIND implementation specific files; the
- boot file and the cache file. BIND has other options, files, and
- specifications that are not described here. See the Name Server
- Operations Guide for BIND for details.
-
- The boot file for BIND is usually called "named.boot". This
- corresponds to file "CONFIG.CMD" in the example section.
-
- --------------------------------------------------------
- cache . named.ca
- primary SRI.COM SRI.ZONE
- primary CSL.SRI.COM CSL.ZONE
- primary ISTC.SRI.COM ISTC.ZONE
- primary 18.128.IN-ADDR.ARPA SRINET.ZONE
- primary 33.12.192.IN-ADDR.ARPA SRI-CSL-NET.ZONE
- --------------------------------------------------------
-
- The cache file for BIND is usually called "named.ca". This
- corresponds to file "ROOT.SERVERS" in the example section.
-
- -------------------------------------------------
- ;list of possible root servers
- . 1 IN NS SRI-NIC.ARPA.
- NS C.ISI.EDU.
- NS BRL-AOS.ARPA.
- NS C.ISI.EDU.
- ;and their addresses
- SRI-NIC.ARPA. A 10.0.0.51
- A 26.0.0.73
- C.ISI.EDU. A 10.0.0.52
- BRL-AOS.ARPA. A 192.5.25.82
- A 192.5.22.82
- A 128.20.1.2
- A.ISI.EDU. A 26.3.0.103
- -------------------------------------------------
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 21]
-
-RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
-
-
-REFERENCES
-
- [1] Dunlap, K., "Name Server Operations Guide for BIND", CSRG,
- Department of Electrical Engineering and Computer Sciences,
- University of California, Berkeley, California.
-
- [2] Partridge, C., "Mail Routing and the Domain System", RFC-974,
- CSNET CIC BBN Laboratories, January 1986.
-
- [3] Mockapetris, P., "Domains Names - Concepts and Facilities",
- RFC-1034, USC/Information Sciences Institute, November 1987.
-
- [4] Mockapetris, P., "Domain Names - Implementations Specification",
- RFC-1035, USC/Information Sciences Institute, November 1987.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lottor [Page 22]
-
diff --git a/contrib/bind9/doc/rfc/rfc1034.txt b/contrib/bind9/doc/rfc/rfc1034.txt
deleted file mode 100644
index 55cdb21fe652..000000000000
--- a/contrib/bind9/doc/rfc/rfc1034.txt
+++ /dev/null
@@ -1,3077 +0,0 @@
-Network Working Group P. Mockapetris
-Request for Comments: 1034 ISI
-Obsoletes: RFCs 882, 883, 973 November 1987
-
-
- DOMAIN NAMES - CONCEPTS AND FACILITIES
-
-
-
-1. STATUS OF THIS MEMO
-
-This RFC is an introduction to the Domain Name System (DNS), and omits
-many details which can be found in a companion RFC, "Domain Names -
-Implementation and Specification" [RFC-1035]. That RFC assumes that the
-reader is familiar with the concepts discussed in this memo.
-
-A subset of DNS functions and data types constitute an official
-protocol. The official protocol includes standard queries and their
-responses and most of the Internet class data formats (e.g., host
-addresses).
-
-However, the domain system is intentionally extensible. Researchers are
-continuously proposing, implementing and experimenting with new data
-types, query types, classes, functions, etc. Thus while the components
-of the official protocol are expected to stay essentially unchanged and
-operate as a production service, experimental behavior should always be
-expected in extensions beyond the official protocol. Experimental or
-obsolete features are clearly marked in these RFCs, and such information
-should be used with caution.
-
-The reader is especially cautioned not to depend on the values which
-appear in examples to be current or complete, since their purpose is
-primarily pedagogical. Distribution of this memo is unlimited.
-
-2. INTRODUCTION
-
-This RFC introduces domain style names, their use for Internet mail and
-host address support, and the protocols and servers used to implement
-domain name facilities.
-
-2.1. The history of domain names
-
-The impetus for the development of the domain system was growth in the
-Internet:
-
- - Host name to address mappings were maintained by the Network
- Information Center (NIC) in a single file (HOSTS.TXT) which
- was FTPed by all hosts [RFC-952, RFC-953]. The total network
-
-
-
-Mockapetris [Page 1]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- bandwidth consumed in distributing a new version by this
- scheme is proportional to the square of the number of hosts in
- the network, and even when multiple levels of FTP are used,
- the outgoing FTP load on the NIC host is considerable.
- Explosive growth in the number of hosts didn't bode well for
- the future.
-
- - The network population was also changing in character. The
- timeshared hosts that made up the original ARPANET were being
- replaced with local networks of workstations. Local
- organizations were administering their own names and
- addresses, but had to wait for the NIC to change HOSTS.TXT to
- make changes visible to the Internet at large. Organizations
- also wanted some local structure on the name space.
-
- - The applications on the Internet were getting more
- sophisticated and creating a need for general purpose name
- service.
-
-
-The result was several ideas about name spaces and their management
-[IEN-116, RFC-799, RFC-819, RFC-830]. The proposals varied, but a
-common thread was the idea of a hierarchical name space, with the
-hierarchy roughly corresponding to organizational structure, and names
-using "." as the character to mark the boundary between hierarchy
-levels. A design using a distributed database and generalized resources
-was described in [RFC-882, RFC-883]. Based on experience with several
-implementations, the system evolved into the scheme described in this
-memo.
-
-The terms "domain" or "domain name" are used in many contexts beyond the
-DNS described here. Very often, the term domain name is used to refer
-to a name with structure indicated by dots, but no relation to the DNS.
-This is particularly true in mail addressing [Quarterman 86].
-
-2.2. DNS design goals
-
-The design goals of the DNS influence its structure. They are:
-
- - The primary goal is a consistent name space which will be used
- for referring to resources. In order to avoid the problems
- caused by ad hoc encodings, names should not be required to
- contain network identifiers, addresses, routes, or similar
- information as part of the name.
-
- - The sheer size of the database and frequency of updates
- suggest that it must be maintained in a distributed manner,
- with local caching to improve performance. Approaches that
-
-
-
-Mockapetris [Page 2]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- attempt to collect a consistent copy of the entire database
- will become more and more expensive and difficult, and hence
- should be avoided. The same principle holds for the structure
- of the name space, and in particular mechanisms for creating
- and deleting names; these should also be distributed.
-
- - Where there tradeoffs between the cost of acquiring data, the
- speed of updates, and the accuracy of caches, the source of
- the data should control the tradeoff.
-
- - The costs of implementing such a facility dictate that it be
- generally useful, and not restricted to a single application.
- We should be able to use names to retrieve host addresses,
- mailbox data, and other as yet undetermined information. All
- data associated with a name is tagged with a type, and queries
- can be limited to a single type.
-
- - Because we want the name space to be useful in dissimilar
- networks and applications, we provide the ability to use the
- same name space with different protocol families or
- management. For example, host address formats differ between
- protocols, though all protocols have the notion of address.
- The DNS tags all data with a class as well as the type, so
- that we can allow parallel use of different formats for data
- of type address.
-
- - We want name server transactions to be independent of the
- communications system that carries them. Some systems may
- wish to use datagrams for queries and responses, and only
- establish virtual circuits for transactions that need the
- reliability (e.g., database updates, long transactions); other
- systems will use virtual circuits exclusively.
-
- - The system should be useful across a wide spectrum of host
- capabilities. Both personal computers and large timeshared
- hosts should be able to use the system, though perhaps in
- different ways.
-
-2.3. Assumptions about usage
-
-The organization of the domain system derives from some assumptions
-about the needs and usage patterns of its user community and is designed
-to avoid many of the the complicated problems found in general purpose
-database systems.
-
-The assumptions are:
-
- - The size of the total database will initially be proportional
-
-
-
-Mockapetris [Page 3]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- to the number of hosts using the system, but will eventually
- grow to be proportional to the number of users on those hosts
- as mailboxes and other information are added to the domain
- system.
-
- - Most of the data in the system will change very slowly (e.g.,
- mailbox bindings, host addresses), but that the system should
- be able to deal with subsets that change more rapidly (on the
- order of seconds or minutes).
-
- - The administrative boundaries used to distribute
- responsibility for the database will usually correspond to
- organizations that have one or more hosts. Each organization
- that has responsibility for a particular set of domains will
- provide redundant name servers, either on the organization's
- own hosts or other hosts that the organization arranges to
- use.
-
- - Clients of the domain system should be able to identify
- trusted name servers they prefer to use before accepting
- referrals to name servers outside of this "trusted" set.
-
- - Access to information is more critical than instantaneous
- updates or guarantees of consistency. Hence the update
- process allows updates to percolate out through the users of
- the domain system rather than guaranteeing that all copies are
- simultaneously updated. When updates are unavailable due to
- network or host failure, the usual course is to believe old
- information while continuing efforts to update it. The
- general model is that copies are distributed with timeouts for
- refreshing. The distributor sets the timeout value and the
- recipient of the distribution is responsible for performing
- the refresh. In special situations, very short intervals can
- be specified, or the owner can prohibit copies.
-
- - In any system that has a distributed database, a particular
- name server may be presented with a query that can only be
- answered by some other server. The two general approaches to
- dealing with this problem are "recursive", in which the first
- server pursues the query for the client at another server, and
- "iterative", in which the server refers the client to another
- server and lets the client pursue the query. Both approaches
- have advantages and disadvantages, but the iterative approach
- is preferred for the datagram style of access. The domain
- system requires implementation of the iterative approach, but
- allows the recursive approach as an option.
-
-
-
-
-
-Mockapetris [Page 4]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-The domain system assumes that all data originates in master files
-scattered through the hosts that use the domain system. These master
-files are updated by local system administrators. Master files are text
-files that are read by a local name server, and hence become available
-through the name servers to users of the domain system. The user
-programs access name servers through standard programs called resolvers.
-
-The standard format of master files allows them to be exchanged between
-hosts (via FTP, mail, or some other mechanism); this facility is useful
-when an organization wants a domain, but doesn't want to support a name
-server. The organization can maintain the master files locally using a
-text editor, transfer them to a foreign host which runs a name server,
-and then arrange with the system administrator of the name server to get
-the files loaded.
-
-Each host's name servers and resolvers are configured by a local system
-administrator [RFC-1033]. For a name server, this configuration data
-includes the identity of local master files and instructions on which
-non-local master files are to be loaded from foreign servers. The name
-server uses the master files or copies to load its zones. For
-resolvers, the configuration data identifies the name servers which
-should be the primary sources of information.
-
-The domain system defines procedures for accessing the data and for
-referrals to other name servers. The domain system also defines
-procedures for caching retrieved data and for periodic refreshing of
-data defined by the system administrator.
-
-The system administrators provide:
-
- - The definition of zone boundaries.
-
- - Master files of data.
-
- - Updates to master files.
-
- - Statements of the refresh policies desired.
-
-The domain system provides:
-
- - Standard formats for resource data.
-
- - Standard methods for querying the database.
-
- - Standard methods for name servers to refresh local data from
- foreign name servers.
-
-
-
-
-
-Mockapetris [Page 5]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-2.4. Elements of the DNS
-
-The DNS has three major components:
-
- - The DOMAIN NAME SPACE and RESOURCE RECORDS, which are
- specifications for a tree structured name space and data
- associated with the names. Conceptually, each node and leaf
- of the domain name space tree names a set of information, and
- query operations are attempts to extract specific types of
- information from a particular set. A query names the domain
- name of interest and describes the type of resource
- information that is desired. For example, the Internet
- uses some of its domain names to identify hosts; queries for
- address resources return Internet host addresses.
-
- - NAME SERVERS are server programs which hold information about
- the domain tree's structure and set information. A name
- server may cache structure or set information about any part
- of the domain tree, but in general a particular name server
- has complete information about a subset of the domain space,
- and pointers to other name servers that can be used to lead to
- information from any part of the domain tree. Name servers
- know the parts of the domain tree for which they have complete
- information; a name server is said to be an AUTHORITY for
- these parts of the name space. Authoritative information is
- organized into units called ZONEs, and these zones can be
- automatically distributed to the name servers which provide
- redundant service for the data in a zone.
-
- - RESOLVERS are programs that extract information from name
- servers in response to client requests. Resolvers must be
- able to access at least one name server and use that name
- server's information to answer a query directly, or pursue the
- query using referrals to other name servers. A resolver will
- typically be a system routine that is directly accessible to
- user programs; hence no protocol is necessary between the
- resolver and the user program.
-
-These three components roughly correspond to the three layers or views
-of the domain system:
-
- - From the user's point of view, the domain system is accessed
- through a simple procedure or OS call to a local resolver.
- The domain space consists of a single tree and the user can
- request information from any section of the tree.
-
- - From the resolver's point of view, the domain system is
- composed of an unknown number of name servers. Each name
-
-
-
-Mockapetris [Page 6]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- server has one or more pieces of the whole domain tree's data,
- but the resolver views each of these databases as essentially
- static.
-
- - From a name server's point of view, the domain system consists
- of separate sets of local information called zones. The name
- server has local copies of some of the zones. The name server
- must periodically refresh its zones from master copies in
- local files or foreign name servers. The name server must
- concurrently process queries that arrive from resolvers.
-
-In the interests of performance, implementations may couple these
-functions. For example, a resolver on the same machine as a name server
-might share a database consisting of the the zones managed by the name
-server and the cache managed by the resolver.
-
-3. DOMAIN NAME SPACE and RESOURCE RECORDS
-
-3.1. Name space specifications and terminology
-
-The domain name space is a tree structure. Each node and leaf on the
-tree corresponds to a resource set (which may be empty). The domain
-system makes no distinctions between the uses of the interior nodes and
-leaves, and this memo uses the term "node" to refer to both.
-
-Each node has a label, which is zero to 63 octets in length. Brother
-nodes may not have the same label, although the same label can be used
-for nodes which are not brothers. One label is reserved, and that is
-the null (i.e., zero length) label used for the root.
-
-The domain name of a node is the list of the labels on the path from the
-node to the root of the tree. By convention, the labels that compose a
-domain name are printed or read left to right, from the most specific
-(lowest, farthest from the root) to the least specific (highest, closest
-to the root).
-
-Internally, programs that manipulate domain names should represent them
-as sequences of labels, where each label is a length octet followed by
-an octet string. Because all domain names end at the root, which has a
-null string for a label, these internal representations can use a length
-byte of zero to terminate a domain name.
-
-By convention, domain names can be stored with arbitrary case, but
-domain name comparisons for all present domain functions are done in a
-case-insensitive manner, assuming an ASCII character set, and a high
-order zero bit. This means that you are free to create a node with
-label "A" or a node with label "a", but not both as brothers; you could
-refer to either using "a" or "A". When you receive a domain name or
-
-
-
-Mockapetris [Page 7]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-label, you should preserve its case. The rationale for this choice is
-that we may someday need to add full binary domain names for new
-services; existing services would not be changed.
-
-When a user needs to type a domain name, the length of each label is
-omitted and the labels are separated by dots ("."). Since a complete
-domain name ends with the root label, this leads to a printed form which
-ends in a dot. We use this property to distinguish between:
-
- - a character string which represents a complete domain name
- (often called "absolute"). For example, "poneria.ISI.EDU."
-
- - a character string that represents the starting labels of a
- domain name which is incomplete, and should be completed by
- local software using knowledge of the local domain (often
- called "relative"). For example, "poneria" used in the
- ISI.EDU domain.
-
-Relative names are either taken relative to a well known origin, or to a
-list of domains used as a search list. Relative names appear mostly at
-the user interface, where their interpretation varies from
-implementation to implementation, and in master files, where they are
-relative to a single origin domain name. The most common interpretation
-uses the root "." as either the single origin or as one of the members
-of the search list, so a multi-label relative name is often one where
-the trailing dot has been omitted to save typing.
-
-To simplify implementations, the total number of octets that represent a
-domain name (i.e., the sum of all label octets and label lengths) is
-limited to 255.
-
-A domain is identified by a domain name, and consists of that part of
-the domain name space that is at or below the domain name which
-specifies the domain. A domain is a subdomain of another domain if it
-is contained within that domain. This relationship can be tested by
-seeing if the subdomain's name ends with the containing domain's name.
-For example, A.B.C.D is a subdomain of B.C.D, C.D, D, and " ".
-
-3.2. Administrative guidelines on use
-
-As a matter of policy, the DNS technical specifications do not mandate a
-particular tree structure or rules for selecting labels; its goal is to
-be as general as possible, so that it can be used to build arbitrary
-applications. In particular, the system was designed so that the name
-space did not have to be organized along the lines of network
-boundaries, name servers, etc. The rationale for this is not that the
-name space should have no implied semantics, but rather that the choice
-of implied semantics should be left open to be used for the problem at
-
-
-
-Mockapetris [Page 8]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-hand, and that different parts of the tree can have different implied
-semantics. For example, the IN-ADDR.ARPA domain is organized and
-distributed by network and host address because its role is to translate
-from network or host numbers to names; NetBIOS domains [RFC-1001, RFC-
-1002] are flat because that is appropriate for that application.
-
-However, there are some guidelines that apply to the "normal" parts of
-the name space used for hosts, mailboxes, etc., that will make the name
-space more uniform, provide for growth, and minimize problems as
-software is converted from the older host table. The political
-decisions about the top levels of the tree originated in RFC-920.
-Current policy for the top levels is discussed in [RFC-1032]. MILNET
-conversion issues are covered in [RFC-1031].
-
-Lower domains which will eventually be broken into multiple zones should
-provide branching at the top of the domain so that the eventual
-decomposition can be done without renaming. Node labels which use
-special characters, leading digits, etc., are likely to break older
-software which depends on more restrictive choices.
-
-3.3. Technical guidelines on use
-
-Before the DNS can be used to hold naming information for some kind of
-object, two needs must be met:
-
- - A convention for mapping between object names and domain
- names. This describes how information about an object is
- accessed.
-
- - RR types and data formats for describing the object.
-
-These rules can be quite simple or fairly complex. Very often, the
-designer must take into account existing formats and plan for upward
-compatibility for existing usage. Multiple mappings or levels of
-mapping may be required.
-
-For hosts, the mapping depends on the existing syntax for host names
-which is a subset of the usual text representation for domain names,
-together with RR formats for describing host addresses, etc. Because we
-need a reliable inverse mapping from address to host name, a special
-mapping for addresses into the IN-ADDR.ARPA domain is also defined.
-
-For mailboxes, the mapping is slightly more complex. The usual mail
-address <local-part>@<mail-domain> is mapped into a domain name by
-converting <local-part> into a single label (regardles of dots it
-contains), converting <mail-domain> into a domain name using the usual
-text format for domain names (dots denote label breaks), and
-concatenating the two to form a single domain name. Thus the mailbox
-
-
-
-Mockapetris [Page 9]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-HOSTMASTER@SRI-NIC.ARPA is represented as a domain name by
-HOSTMASTER.SRI-NIC.ARPA. An appreciation for the reasons behind this
-design also must take into account the scheme for mail exchanges [RFC-
-974].
-
-The typical user is not concerned with defining these rules, but should
-understand that they usually are the result of numerous compromises
-between desires for upward compatibility with old usage, interactions
-between different object definitions, and the inevitable urge to add new
-features when defining the rules. The way the DNS is used to support
-some object is often more crucial than the restrictions inherent in the
-DNS.
-
-3.4. Example name space
-
-The following figure shows a part of the current domain name space, and
-is used in many examples in this RFC. Note that the tree is a very
-small subset of the actual name space.
-
- |
- |
- +---------------------+------------------+
- | | |
- MIL EDU ARPA
- | | |
- | | |
- +-----+-----+ | +------+-----+-----+
- | | | | | | |
- BRL NOSC DARPA | IN-ADDR SRI-NIC ACC
- |
- +--------+------------------+---------------+--------+
- | | | | |
- UCI MIT | UDEL YALE
- | ISI
- | |
- +---+---+ |
- | | |
- LCS ACHILLES +--+-----+-----+--------+
- | | | | | |
- XX A C VAXA VENERA Mockapetris
-
-In this example, the root domain has three immediate subdomains: MIL,
-EDU, and ARPA. The LCS.MIT.EDU domain has one immediate subdomain named
-XX.LCS.MIT.EDU. All of the leaves are also domains.
-
-3.5. Preferred name syntax
-
-The DNS specifications attempt to be as general as possible in the rules
-
-
-
-Mockapetris [Page 10]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-for constructing domain names. The idea is that the name of any
-existing object can be expressed as a domain name with minimal changes.
-However, when assigning a domain name for an object, the prudent user
-will select a name which satisfies both the rules of the domain system
-and any existing rules for the object, whether these rules are published
-or implied by existing programs.
-
-For example, when naming a mail domain, the user should satisfy both the
-rules of this memo and those in RFC-822. When creating a new host name,
-the old rules for HOSTS.TXT should be followed. This avoids problems
-when old software is converted to use domain names.
-
-The following syntax will result in fewer problems with many
-applications that use domain names (e.g., mail, TELNET).
-
-<domain> ::= <subdomain> | " "
-
-<subdomain> ::= <label> | <subdomain> "." <label>
-
-<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
-
-<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
-
-<let-dig-hyp> ::= <let-dig> | "-"
-
-<let-dig> ::= <letter> | <digit>
-
-<letter> ::= any one of the 52 alphabetic characters A through Z in
-upper case and a through z in lower case
-
-<digit> ::= any one of the ten digits 0 through 9
-
-Note that while upper and lower case letters are allowed in domain
-names, no significance is attached to the case. That is, two names with
-the same spelling but different case are to be treated as if identical.
-
-The labels must follow the rules for ARPANET host names. They must
-start with a letter, end with a letter or digit, and have as interior
-characters only letters, digits, and hyphen. There are also some
-restrictions on the length. Labels must be 63 characters or less.
-
-For example, the following strings identify hosts in the Internet:
-
-A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
-
-3.6. Resource Records
-
-A domain name identifies a node. Each node has a set of resource
-
-
-
-Mockapetris [Page 11]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-information, which may be empty. The set of resource information
-associated with a particular name is composed of separate resource
-records (RRs). The order of RRs in a set is not significant, and need
-not be preserved by name servers, resolvers, or other parts of the DNS.
-
-When we talk about a specific RR, we assume it has the following:
-
-owner which is the domain name where the RR is found.
-
-type which is an encoded 16 bit value that specifies the type
- of the resource in this resource record. Types refer to
- abstract resources.
-
- This memo uses the following types:
-
- A a host address
-
- CNAME identifies the canonical name of an
- alias
-
- HINFO identifies the CPU and OS used by a host
-
- MX identifies a mail exchange for the
- domain. See [RFC-974 for details.
-
- NS
- the authoritative name server for the domain
-
- PTR
- a pointer to another part of the domain name space
-
- SOA
- identifies the start of a zone of authority]
-
-class which is an encoded 16 bit value which identifies a
- protocol family or instance of a protocol.
-
- This memo uses the following classes:
-
- IN the Internet system
-
- CH the Chaos system
-
-TTL which is the time to live of the RR. This field is a 32
- bit integer in units of seconds, an is primarily used by
- resolvers when they cache RRs. The TTL describes how
- long a RR can be cached before it should be discarded.
-
-
-
-
-Mockapetris [Page 12]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-RDATA which is the type and sometimes class dependent data
- which describes the resource:
-
- A For the IN class, a 32 bit IP address
-
- For the CH class, a domain name followed
- by a 16 bit octal Chaos address.
-
- CNAME a domain name.
-
- MX a 16 bit preference value (lower is
- better) followed by a host name willing
- to act as a mail exchange for the owner
- domain.
-
- NS a host name.
-
- PTR a domain name.
-
- SOA several fields.
-
-The owner name is often implicit, rather than forming an integral part
-of the RR. For example, many name servers internally form tree or hash
-structures for the name space, and chain RRs off nodes. The remaining
-RR parts are the fixed header (type, class, TTL) which is consistent for
-all RRs, and a variable part (RDATA) that fits the needs of the resource
-being described.
-
-The meaning of the TTL field is a time limit on how long an RR can be
-kept in a cache. This limit does not apply to authoritative data in
-zones; it is also timed out, but by the refreshing policies for the
-zone. The TTL is assigned by the administrator for the zone where the
-data originates. While short TTLs can be used to minimize caching, and
-a zero TTL prohibits caching, the realities of Internet performance
-suggest that these times should be on the order of days for the typical
-host. If a change can be anticipated, the TTL can be reduced prior to
-the change to minimize inconsistency during the change, and then
-increased back to its former value following the change.
-
-The data in the RDATA section of RRs is carried as a combination of
-binary strings and domain names. The domain names are frequently used
-as "pointers" to other data in the DNS.
-
-3.6.1. Textual expression of RRs
-
-RRs are represented in binary form in the packets of the DNS protocol,
-and are usually represented in highly encoded form when stored in a name
-server or resolver. In this memo, we adopt a style similar to that used
-
-
-
-Mockapetris [Page 13]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-in master files in order to show the contents of RRs. In this format,
-most RRs are shown on a single line, although continuation lines are
-possible using parentheses.
-
-The start of the line gives the owner of the RR. If a line begins with
-a blank, then the owner is assumed to be the same as that of the
-previous RR. Blank lines are often included for readability.
-
-Following the owner, we list the TTL, type, and class of the RR. Class
-and type use the mnemonics defined above, and TTL is an integer before
-the type field. In order to avoid ambiguity in parsing, type and class
-mnemonics are disjoint, TTLs are integers, and the type mnemonic is
-always last. The IN class and TTL values are often omitted from examples
-in the interests of clarity.
-
-The resource data or RDATA section of the RR are given using knowledge
-of the typical representation for the data.
-
-For example, we might show the RRs carried in a message as:
-
- ISI.EDU. MX 10 VENERA.ISI.EDU.
- MX 10 VAXA.ISI.EDU.
- VENERA.ISI.EDU. A 128.9.0.32
- A 10.1.0.52
- VAXA.ISI.EDU. A 10.2.0.27
- A 128.9.0.33
-
-The MX RRs have an RDATA section which consists of a 16 bit number
-followed by a domain name. The address RRs use a standard IP address
-format to contain a 32 bit internet address.
-
-This example shows six RRs, with two RRs at each of three domain names.
-
-Similarly we might see:
-
- XX.LCS.MIT.EDU. IN A 10.0.0.44
- CH A MIT.EDU. 2420
-
-This example shows two addresses for XX.LCS.MIT.EDU, each of a different
-class.
-
-3.6.2. Aliases and canonical names
-
-In existing systems, hosts and other resources often have several names
-that identify the same resource. For example, the names C.ISI.EDU and
-USC-ISIC.ARPA both identify the same host. Similarly, in the case of
-mailboxes, many organizations provide many names that actually go to the
-same mailbox; for example Mockapetris@C.ISI.EDU, Mockapetris@B.ISI.EDU,
-
-
-
-Mockapetris [Page 14]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-and PVM@ISI.EDU all go to the same mailbox (although the mechanism
-behind this is somewhat complicated).
-
-Most of these systems have a notion that one of the equivalent set of
-names is the canonical or primary name and all others are aliases.
-
-The domain system provides such a feature using the canonical name
-(CNAME) RR. A CNAME RR identifies its owner name as an alias, and
-specifies the corresponding canonical name in the RDATA section of the
-RR. If a CNAME RR is present at a node, no other data should be
-present; this ensures that the data for a canonical name and its aliases
-cannot be different. This rule also insures that a cached CNAME can be
-used without checking with an authoritative server for other RR types.
-
-CNAME RRs cause special action in DNS software. When a name server
-fails to find a desired RR in the resource set associated with the
-domain name, it checks to see if the resource set consists of a CNAME
-record with a matching class. If so, the name server includes the CNAME
-record in the response and restarts the query at the domain name
-specified in the data field of the CNAME record. The one exception to
-this rule is that queries which match the CNAME type are not restarted.
-
-For example, suppose a name server was processing a query with for USC-
-ISIC.ARPA, asking for type A information, and had the following resource
-records:
-
- USC-ISIC.ARPA IN CNAME C.ISI.EDU
-
- C.ISI.EDU IN A 10.0.0.52
-
-Both of these RRs would be returned in the response to the type A query,
-while a type CNAME or * query should return just the CNAME.
-
-Domain names in RRs which point at another name should always point at
-the primary name and not the alias. This avoids extra indirections in
-accessing information. For example, the address to name RR for the
-above host should be:
-
- 52.0.0.10.IN-ADDR.ARPA IN PTR C.ISI.EDU
-
-rather than pointing at USC-ISIC.ARPA. Of course, by the robustness
-principle, domain software should not fail when presented with CNAME
-chains or loops; CNAME chains should be followed and CNAME loops
-signalled as an error.
-
-3.7. Queries
-
-Queries are messages which may be sent to a name server to provoke a
-
-
-
-Mockapetris [Page 15]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-response. In the Internet, queries are carried in UDP datagrams or over
-TCP connections. The response by the name server either answers the
-question posed in the query, refers the requester to another set of name
-servers, or signals some error condition.
-
-In general, the user does not generate queries directly, but instead
-makes a request to a resolver which in turn sends one or more queries to
-name servers and deals with the error conditions and referrals that may
-result. Of course, the possible questions which can be asked in a query
-does shape the kind of service a resolver can provide.
-
-DNS queries and responses are carried in a standard message format. The
-message format has a header containing a number of fixed fields which
-are always present, and four sections which carry query parameters and
-RRs.
-
-The most important field in the header is a four bit field called an
-opcode which separates different queries. Of the possible 16 values,
-one (standard query) is part of the official protocol, two (inverse
-query and status query) are options, one (completion) is obsolete, and
-the rest are unassigned.
-
-The four sections are:
-
-Question Carries the query name and other query parameters.
-
-Answer Carries RRs which directly answer the query.
-
-Authority Carries RRs which describe other authoritative servers.
- May optionally carry the SOA RR for the authoritative
- data in the answer section.
-
-Additional Carries RRs which may be helpful in using the RRs in the
- other sections.
-
-Note that the content, but not the format, of these sections varies with
-header opcode.
-
-3.7.1. Standard queries
-
-A standard query specifies a target domain name (QNAME), query type
-(QTYPE), and query class (QCLASS) and asks for RRs which match. This
-type of query makes up such a vast majority of DNS queries that we use
-the term "query" to mean standard query unless otherwise specified. The
-QTYPE and QCLASS fields are each 16 bits long, and are a superset of
-defined types and classes.
-
-
-
-
-
-Mockapetris [Page 16]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-The QTYPE field may contain:
-
-<any type> matches just that type. (e.g., A, PTR).
-
-AXFR special zone transfer QTYPE.
-
-MAILB matches all mail box related RRs (e.g. MB and MG).
-
-* matches all RR types.
-
-The QCLASS field may contain:
-
-<any class> matches just that class (e.g., IN, CH).
-
-* matches aLL RR classes.
-
-Using the query domain name, QTYPE, and QCLASS, the name server looks
-for matching RRs. In addition to relevant records, the name server may
-return RRs that point toward a name server that has the desired
-information or RRs that are expected to be useful in interpreting the
-relevant RRs. For example, a name server that doesn't have the
-requested information may know a name server that does; a name server
-that returns a domain name in a relevant RR may also return the RR that
-binds that domain name to an address.
-
-For example, a mailer tying to send mail to Mockapetris@ISI.EDU might
-ask the resolver for mail information about ISI.EDU, resulting in a
-query for QNAME=ISI.EDU, QTYPE=MX, QCLASS=IN. The response's answer
-section would be:
-
- ISI.EDU. MX 10 VENERA.ISI.EDU.
- MX 10 VAXA.ISI.EDU.
-
-while the additional section might be:
-
- VAXA.ISI.EDU. A 10.2.0.27
- A 128.9.0.33
- VENERA.ISI.EDU. A 10.1.0.52
- A 128.9.0.32
-
-Because the server assumes that if the requester wants mail exchange
-information, it will probably want the addresses of the mail exchanges
-soon afterward.
-
-Note that the QCLASS=* construct requires special interpretation
-regarding authority. Since a particular name server may not know all of
-the classes available in the domain system, it can never know if it is
-authoritative for all classes. Hence responses to QCLASS=* queries can
-
-
-
-Mockapetris [Page 17]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-never be authoritative.
-
-3.7.2. Inverse queries (Optional)
-
-Name servers may also support inverse queries that map a particular
-resource to a domain name or domain names that have that resource. For
-example, while a standard query might map a domain name to a SOA RR, the
-corresponding inverse query might map the SOA RR back to the domain
-name.
-
-Implementation of this service is optional in a name server, but all
-name servers must at least be able to understand an inverse query
-message and return a not-implemented error response.
-
-The domain system cannot guarantee the completeness or uniqueness of
-inverse queries because the domain system is organized by domain name
-rather than by host address or any other resource type. Inverse queries
-are primarily useful for debugging and database maintenance activities.
-
-Inverse queries may not return the proper TTL, and do not indicate cases
-where the identified RR is one of a set (for example, one address for a
-host having multiple addresses). Therefore, the RRs returned in inverse
-queries should never be cached.
-
-Inverse queries are NOT an acceptable method for mapping host addresses
-to host names; use the IN-ADDR.ARPA domain instead.
-
-A detailed discussion of inverse queries is contained in [RFC-1035].
-
-3.8. Status queries (Experimental)
-
-To be defined.
-
-3.9. Completion queries (Obsolete)
-
-The optional completion services described in RFCs 882 and 883 have been
-deleted. Redesigned services may become available in the future, or the
-opcodes may be reclaimed for other use.
-
-4. NAME SERVERS
-
-4.1. Introduction
-
-Name servers are the repositories of information that make up the domain
-database. The database is divided up into sections called zones, which
-are distributed among the name servers. While name servers can have
-several optional functions and sources of data, the essential task of a
-name server is to answer queries using data in its zones. By design,
-
-
-
-Mockapetris [Page 18]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-name servers can answer queries in a simple manner; the response can
-always be generated using only local data, and either contains the
-answer to the question or a referral to other name servers "closer" to
-the desired information.
-
-A given zone will be available from several name servers to insure its
-availability in spite of host or communication link failure. By
-administrative fiat, we require every zone to be available on at least
-two servers, and many zones have more redundancy than that.
-
-A given name server will typically support one or more zones, but this
-gives it authoritative information about only a small section of the
-domain tree. It may also have some cached non-authoritative data about
-other parts of the tree. The name server marks its responses to queries
-so that the requester can tell whether the response comes from
-authoritative data or not.
-
-4.2. How the database is divided into zones
-
-The domain database is partitioned in two ways: by class, and by "cuts"
-made in the name space between nodes.
-
-The class partition is simple. The database for any class is organized,
-delegated, and maintained separately from all other classes. Since, by
-convention, the name spaces are the same for all classes, the separate
-classes can be thought of as an array of parallel namespace trees. Note
-that the data attached to nodes will be different for these different
-parallel classes. The most common reasons for creating a new class are
-the necessity for a new data format for existing types or a desire for a
-separately managed version of the existing name space.
-
-Within a class, "cuts" in the name space can be made between any two
-adjacent nodes. After all cuts are made, each group of connected name
-space is a separate zone. The zone is said to be authoritative for all
-names in the connected region. Note that the "cuts" in the name space
-may be in different places for different classes, the name servers may
-be different, etc.
-
-These rules mean that every zone has at least one node, and hence domain
-name, for which it is authoritative, and all of the nodes in a
-particular zone are connected. Given, the tree structure, every zone
-has a highest node which is closer to the root than any other node in
-the zone. The name of this node is often used to identify the zone.
-
-It would be possible, though not particularly useful, to partition the
-name space so that each domain name was in a separate zone or so that
-all nodes were in a single zone. Instead, the database is partitioned
-at points where a particular organization wants to take over control of
-
-
-
-Mockapetris [Page 19]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-a subtree. Once an organization controls its own zone it can
-unilaterally change the data in the zone, grow new tree sections
-connected to the zone, delete existing nodes, or delegate new subzones
-under its zone.
-
-If the organization has substructure, it may want to make further
-internal partitions to achieve nested delegations of name space control.
-In some cases, such divisions are made purely to make database
-maintenance more convenient.
-
-4.2.1. Technical considerations
-
-The data that describes a zone has four major parts:
-
- - Authoritative data for all nodes within the zone.
-
- - Data that defines the top node of the zone (can be thought of
- as part of the authoritative data).
-
- - Data that describes delegated subzones, i.e., cuts around the
- bottom of the zone.
-
- - Data that allows access to name servers for subzones
- (sometimes called "glue" data).
-
-All of this data is expressed in the form of RRs, so a zone can be
-completely described in terms of a set of RRs. Whole zones can be
-transferred between name servers by transferring the RRs, either carried
-in a series of messages or by FTPing a master file which is a textual
-representation.
-
-The authoritative data for a zone is simply all of the RRs attached to
-all of the nodes from the top node of the zone down to leaf nodes or
-nodes above cuts around the bottom edge of the zone.
-
-Though logically part of the authoritative data, the RRs that describe
-the top node of the zone are especially important to the zone's
-management. These RRs are of two types: name server RRs that list, one
-per RR, all of the servers for the zone, and a single SOA RR that
-describes zone management parameters.
-
-The RRs that describe cuts around the bottom of the zone are NS RRs that
-name the servers for the subzones. Since the cuts are between nodes,
-these RRs are NOT part of the authoritative data of the zone, and should
-be exactly the same as the corresponding RRs in the top node of the
-subzone. Since name servers are always associated with zone boundaries,
-NS RRs are only found at nodes which are the top node of some zone. In
-the data that makes up a zone, NS RRs are found at the top node of the
-
-
-
-Mockapetris [Page 20]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-zone (and are authoritative) and at cuts around the bottom of the zone
-(where they are not authoritative), but never in between.
-
-One of the goals of the zone structure is that any zone have all the
-data required to set up communications with the name servers for any
-subzones. That is, parent zones have all the information needed to
-access servers for their children zones. The NS RRs that name the
-servers for subzones are often not enough for this task since they name
-the servers, but do not give their addresses. In particular, if the
-name of the name server is itself in the subzone, we could be faced with
-the situation where the NS RRs tell us that in order to learn a name
-server's address, we should contact the server using the address we wish
-to learn. To fix this problem, a zone contains "glue" RRs which are not
-part of the authoritative data, and are address RRs for the servers.
-These RRs are only necessary if the name server's name is "below" the
-cut, and are only used as part of a referral response.
-
-4.2.2. Administrative considerations
-
-When some organization wants to control its own domain, the first step
-is to identify the proper parent zone, and get the parent zone's owners
-to agree to the delegation of control. While there are no particular
-technical constraints dealing with where in the tree this can be done,
-there are some administrative groupings discussed in [RFC-1032] which
-deal with top level organization, and middle level zones are free to
-create their own rules. For example, one university might choose to use
-a single zone, while another might choose to organize by subzones
-dedicated to individual departments or schools. [RFC-1033] catalogs
-available DNS software an discusses administration procedures.
-
-Once the proper name for the new subzone is selected, the new owners
-should be required to demonstrate redundant name server support. Note
-that there is no requirement that the servers for a zone reside in a
-host which has a name in that domain. In many cases, a zone will be
-more accessible to the internet at large if its servers are widely
-distributed rather than being within the physical facilities controlled
-by the same organization that manages the zone. For example, in the
-current DNS, one of the name servers for the United Kingdom, or UK
-domain, is found in the US. This allows US hosts to get UK data without
-using limited transatlantic bandwidth.
-
-As the last installation step, the delegation NS RRs and glue RRs
-necessary to make the delegation effective should be added to the parent
-zone. The administrators of both zones should insure that the NS and
-glue RRs which mark both sides of the cut are consistent and remain so.
-
-4.3. Name server internals
-
-
-
-
-Mockapetris [Page 21]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-4.3.1. Queries and responses
-
-The principal activity of name servers is to answer standard queries.
-Both the query and its response are carried in a standard message format
-which is described in [RFC-1035]. The query contains a QTYPE, QCLASS,
-and QNAME, which describe the types and classes of desired information
-and the name of interest.
-
-The way that the name server answers the query depends upon whether it
-is operating in recursive mode or not:
-
- - The simplest mode for the server is non-recursive, since it
- can answer queries using only local information: the response
- contains an error, the answer, or a referral to some other
- server "closer" to the answer. All name servers must
- implement non-recursive queries.
-
- - The simplest mode for the client is recursive, since in this
- mode the name server acts in the role of a resolver and
- returns either an error or the answer, but never referrals.
- This service is optional in a name server, and the name server
- may also choose to restrict the clients which can use
- recursive mode.
-
-Recursive service is helpful in several situations:
-
- - a relatively simple requester that lacks the ability to use
- anything other than a direct answer to the question.
-
- - a request that needs to cross protocol or other boundaries and
- can be sent to a server which can act as intermediary.
-
- - a network where we want to concentrate the cache rather than
- having a separate cache for each client.
-
-Non-recursive service is appropriate if the requester is capable of
-pursuing referrals and interested in information which will aid future
-requests.
-
-The use of recursive mode is limited to cases where both the client and
-the name server agree to its use. The agreement is negotiated through
-the use of two bits in query and response messages:
-
- - The recursion available, or RA bit, is set or cleared by a
- name server in all responses. The bit is true if the name
- server is willing to provide recursive service for the client,
- regardless of whether the client requested recursive service.
- That is, RA signals availability rather than use.
-
-
-
-Mockapetris [Page 22]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- - Queries contain a bit called recursion desired or RD. This
- bit specifies specifies whether the requester wants recursive
- service for this query. Clients may request recursive service
- from any name server, though they should depend upon receiving
- it only from servers which have previously sent an RA, or
- servers which have agreed to provide service through private
- agreement or some other means outside of the DNS protocol.
-
-The recursive mode occurs when a query with RD set arrives at a server
-which is willing to provide recursive service; the client can verify
-that recursive mode was used by checking that both RA and RD are set in
-the reply. Note that the name server should never perform recursive
-service unless asked via RD, since this interferes with trouble shooting
-of name servers and their databases.
-
-If recursive service is requested and available, the recursive response
-to a query will be one of the following:
-
- - The answer to the query, possibly preface by one or more CNAME
- RRs that specify aliases encountered on the way to an answer.
-
- - A name error indicating that the name does not exist. This
- may include CNAME RRs that indicate that the original query
- name was an alias for a name which does not exist.
-
- - A temporary error indication.
-
-If recursive service is not requested or is not available, the non-
-recursive response will be one of the following:
-
- - An authoritative name error indicating that the name does not
- exist.
-
- - A temporary error indication.
-
- - Some combination of:
-
- RRs that answer the question, together with an indication
- whether the data comes from a zone or is cached.
-
- A referral to name servers which have zones which are closer
- ancestors to the name than the server sending the reply.
-
- - RRs that the name server thinks will prove useful to the
- requester.
-
-
-
-
-
-
-Mockapetris [Page 23]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-4.3.2. Algorithm
-
-The actual algorithm used by the name server will depend on the local OS
-and data structures used to store RRs. The following algorithm assumes
-that the RRs are organized in several tree structures, one for each
-zone, and another for the cache:
-
- 1. Set or clear the value of recursion available in the response
- depending on whether the name server is willing to provide
- recursive service. If recursive service is available and
- requested via the RD bit in the query, go to step 5,
- otherwise step 2.
-
- 2. Search the available zones for the zone which is the nearest
- ancestor to QNAME. If such a zone is found, go to step 3,
- otherwise step 4.
-
- 3. Start matching down, label by label, in the zone. The
- matching process can terminate several ways:
-
- a. If the whole of QNAME is matched, we have found the
- node.
-
- If the data at the node is a CNAME, and QTYPE doesn't
- match CNAME, copy the CNAME RR into the answer section
- of the response, change QNAME to the canonical name in
- the CNAME RR, and go back to step 1.
-
- Otherwise, copy all RRs which match QTYPE into the
- answer section and go to step 6.
-
- b. If a match would take us out of the authoritative data,
- we have a referral. This happens when we encounter a
- node with NS RRs marking cuts along the bottom of a
- zone.
-
- Copy the NS RRs for the subzone into the authority
- section of the reply. Put whatever addresses are
- available into the additional section, using glue RRs
- if the addresses are not available from authoritative
- data or the cache. Go to step 4.
-
- c. If at some label, a match is impossible (i.e., the
- corresponding label does not exist), look to see if a
- the "*" label exists.
-
- If the "*" label does not exist, check whether the name
- we are looking for is the original QNAME in the query
-
-
-
-Mockapetris [Page 24]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- or a name we have followed due to a CNAME. If the name
- is original, set an authoritative name error in the
- response and exit. Otherwise just exit.
-
- If the "*" label does exist, match RRs at that node
- against QTYPE. If any match, copy them into the answer
- section, but set the owner of the RR to be QNAME, and
- not the node with the "*" label. Go to step 6.
-
- 4. Start matching down in the cache. If QNAME is found in the
- cache, copy all RRs attached to it that match QTYPE into the
- answer section. If there was no delegation from
- authoritative data, look for the best one from the cache, and
- put it in the authority section. Go to step 6.
-
- 5. Using the local resolver or a copy of its algorithm (see
- resolver section of this memo) to answer the query. Store
- the results, including any intermediate CNAMEs, in the answer
- section of the response.
-
- 6. Using local data only, attempt to add other RRs which may be
- useful to the additional section of the query. Exit.
-
-4.3.3. Wildcards
-
-In the previous algorithm, special treatment was given to RRs with owner
-names starting with the label "*". Such RRs are called wildcards.
-Wildcard RRs can be thought of as instructions for synthesizing RRs.
-When the appropriate conditions are met, the name server creates RRs
-with an owner name equal to the query name and contents taken from the
-wildcard RRs.
-
-This facility is most often used to create a zone which will be used to
-forward mail from the Internet to some other mail system. The general
-idea is that any name in that zone which is presented to server in a
-query will be assumed to exist, with certain properties, unless explicit
-evidence exists to the contrary. Note that the use of the term zone
-here, instead of domain, is intentional; such defaults do not propagate
-across zone boundaries, although a subzone may choose to achieve that
-appearance by setting up similar defaults.
-
-The contents of the wildcard RRs follows the usual rules and formats for
-RRs. The wildcards in the zone have an owner name that controls the
-query names they will match. The owner name of the wildcard RRs is of
-the form "*.<anydomain>", where <anydomain> is any domain name.
-<anydomain> should not contain other * labels, and should be in the
-authoritative data of the zone. The wildcards potentially apply to
-descendants of <anydomain>, but not to <anydomain> itself. Another way
-
-
-
-Mockapetris [Page 25]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-to look at this is that the "*" label always matches at least one whole
-label and sometimes more, but always whole labels.
-
-Wildcard RRs do not apply:
-
- - When the query is in another zone. That is, delegation cancels
- the wildcard defaults.
-
- - When the query name or a name between the wildcard domain and
- the query name is know to exist. For example, if a wildcard
- RR has an owner name of "*.X", and the zone also contains RRs
- attached to B.X, the wildcards would apply to queries for name
- Z.X (presuming there is no explicit information for Z.X), but
- not to B.X, A.B.X, or X.
-
-A * label appearing in a query name has no special effect, but can be
-used to test for wildcards in an authoritative zone; such a query is the
-only way to get a response containing RRs with an owner name with * in
-it. The result of such a query should not be cached.
-
-Note that the contents of the wildcard RRs are not modified when used to
-synthesize RRs.
-
-To illustrate the use of wildcard RRs, suppose a large company with a
-large, non-IP/TCP, network wanted to create a mail gateway. If the
-company was called X.COM, and IP/TCP capable gateway machine was called
-A.X.COM, the following RRs might be entered into the COM zone:
-
- X.COM MX 10 A.X.COM
-
- *.X.COM MX 10 A.X.COM
-
- A.X.COM A 1.2.3.4
- A.X.COM MX 10 A.X.COM
-
- *.A.X.COM MX 10 A.X.COM
-
-This would cause any MX query for any domain name ending in X.COM to
-return an MX RR pointing at A.X.COM. Two wildcard RRs are required
-since the effect of the wildcard at *.X.COM is inhibited in the A.X.COM
-subtree by the explicit data for A.X.COM. Note also that the explicit
-MX data at X.COM and A.X.COM is required, and that none of the RRs above
-would match a query name of XX.COM.
-
-4.3.4. Negative response caching (Optional)
-
-The DNS provides an optional service which allows name servers to
-distribute, and resolvers to cache, negative results with TTLs. For
-
-
-
-Mockapetris [Page 26]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-example, a name server can distribute a TTL along with a name error
-indication, and a resolver receiving such information is allowed to
-assume that the name does not exist during the TTL period without
-consulting authoritative data. Similarly, a resolver can make a query
-with a QTYPE which matches multiple types, and cache the fact that some
-of the types are not present.
-
-This feature can be particularly important in a system which implements
-naming shorthands that use search lists beacuse a popular shorthand,
-which happens to require a suffix toward the end of the search list,
-will generate multiple name errors whenever it is used.
-
-The method is that a name server may add an SOA RR to the additional
-section of a response when that response is authoritative. The SOA must
-be that of the zone which was the source of the authoritative data in
-the answer section, or name error if applicable. The MINIMUM field of
-the SOA controls the length of time that the negative result may be
-cached.
-
-Note that in some circumstances, the answer section may contain multiple
-owner names. In this case, the SOA mechanism should only be used for
-the data which matches QNAME, which is the only authoritative data in
-this section.
-
-Name servers and resolvers should never attempt to add SOAs to the
-additional section of a non-authoritative response, or attempt to infer
-results which are not directly stated in an authoritative response.
-There are several reasons for this, including: cached information isn't
-usually enough to match up RRs and their zone names, SOA RRs may be
-cached due to direct SOA queries, and name servers are not required to
-output the SOAs in the authority section.
-
-This feature is optional, although a refined version is expected to
-become part of the standard protocol in the future. Name servers are
-not required to add the SOA RRs in all authoritative responses, nor are
-resolvers required to cache negative results. Both are recommended.
-All resolvers and recursive name servers are required to at least be
-able to ignore the SOA RR when it is present in a response.
-
-Some experiments have also been proposed which will use this feature.
-The idea is that if cached data is known to come from a particular zone,
-and if an authoritative copy of the zone's SOA is obtained, and if the
-zone's SERIAL has not changed since the data was cached, then the TTL of
-the cached data can be reset to the zone MINIMUM value if it is smaller.
-This usage is mentioned for planning purposes only, and is not
-recommended as yet.
-
-
-
-
-
-Mockapetris [Page 27]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-4.3.5. Zone maintenance and transfers
-
-Part of the job of a zone administrator is to maintain the zones at all
-of the name servers which are authoritative for the zone. When the
-inevitable changes are made, they must be distributed to all of the name
-servers. While this distribution can be accomplished using FTP or some
-other ad hoc procedure, the preferred method is the zone transfer part
-of the DNS protocol.
-
-The general model of automatic zone transfer or refreshing is that one
-of the name servers is the master or primary for the zone. Changes are
-coordinated at the primary, typically by editing a master file for the
-zone. After editing, the administrator signals the master server to
-load the new zone. The other non-master or secondary servers for the
-zone periodically check for changes (at a selectable interval) and
-obtain new zone copies when changes have been made.
-
-To detect changes, secondaries just check the SERIAL field of the SOA
-for the zone. In addition to whatever other changes are made, the
-SERIAL field in the SOA of the zone is always advanced whenever any
-change is made to the zone. The advancing can be a simple increment, or
-could be based on the write date and time of the master file, etc. The
-purpose is to make it possible to determine which of two copies of a
-zone is more recent by comparing serial numbers. Serial number advances
-and comparisons use sequence space arithmetic, so there is a theoretic
-limit on how fast a zone can be updated, basically that old copies must
-die out before the serial number covers half of its 32 bit range. In
-practice, the only concern is that the compare operation deals properly
-with comparisons around the boundary between the most positive and most
-negative 32 bit numbers.
-
-The periodic polling of the secondary servers is controlled by
-parameters in the SOA RR for the zone, which set the minimum acceptable
-polling intervals. The parameters are called REFRESH, RETRY, and
-EXPIRE. Whenever a new zone is loaded in a secondary, the secondary
-waits REFRESH seconds before checking with the primary for a new serial.
-If this check cannot be completed, new checks are started every RETRY
-seconds. The check is a simple query to the primary for the SOA RR of
-the zone. If the serial field in the secondary's zone copy is equal to
-the serial returned by the primary, then no changes have occurred, and
-the REFRESH interval wait is restarted. If the secondary finds it
-impossible to perform a serial check for the EXPIRE interval, it must
-assume that its copy of the zone is obsolete an discard it.
-
-When the poll shows that the zone has changed, then the secondary server
-must request a zone transfer via an AXFR request for the zone. The AXFR
-may cause an error, such as refused, but normally is answered by a
-sequence of response messages. The first and last messages must contain
-
-
-
-Mockapetris [Page 28]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-the data for the top authoritative node of the zone. Intermediate
-messages carry all of the other RRs from the zone, including both
-authoritative and non-authoritative RRs. The stream of messages allows
-the secondary to construct a copy of the zone. Because accuracy is
-essential, TCP or some other reliable protocol must be used for AXFR
-requests.
-
-Each secondary server is required to perform the following operations
-against the master, but may also optionally perform these operations
-against other secondary servers. This strategy can improve the transfer
-process when the primary is unavailable due to host downtime or network
-problems, or when a secondary server has better network access to an
-"intermediate" secondary than to the primary.
-
-5. RESOLVERS
-
-5.1. Introduction
-
-Resolvers are programs that interface user programs to domain name
-servers. In the simplest case, a resolver receives a request from a
-user program (e.g., mail programs, TELNET, FTP) in the form of a
-subroutine call, system call etc., and returns the desired information
-in a form compatible with the local host's data formats.
-
-The resolver is located on the same machine as the program that requests
-the resolver's services, but it may need to consult name servers on
-other hosts. Because a resolver may need to consult several name
-servers, or may have the requested information in a local cache, the
-amount of time that a resolver will take to complete can vary quite a
-bit, from milliseconds to several seconds.
-
-A very important goal of the resolver is to eliminate network delay and
-name server load from most requests by answering them from its cache of
-prior results. It follows that caches which are shared by multiple
-processes, users, machines, etc., are more efficient than non-shared
-caches.
-
-5.2. Client-resolver interface
-
-5.2.1. Typical functions
-
-The client interface to the resolver is influenced by the local host's
-conventions, but the typical resolver-client interface has three
-functions:
-
- 1. Host name to host address translation.
-
- This function is often defined to mimic a previous HOSTS.TXT
-
-
-
-Mockapetris [Page 29]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- based function. Given a character string, the caller wants
- one or more 32 bit IP addresses. Under the DNS, it
- translates into a request for type A RRs. Since the DNS does
- not preserve the order of RRs, this function may choose to
- sort the returned addresses or select the "best" address if
- the service returns only one choice to the client. Note that
- a multiple address return is recommended, but a single
- address may be the only way to emulate prior HOSTS.TXT
- services.
-
- 2. Host address to host name translation
-
- This function will often follow the form of previous
- functions. Given a 32 bit IP address, the caller wants a
- character string. The octets of the IP address are reversed,
- used as name components, and suffixed with "IN-ADDR.ARPA". A
- type PTR query is used to get the RR with the primary name of
- the host. For example, a request for the host name
- corresponding to IP address 1.2.3.4 looks for PTR RRs for
- domain name "4.3.2.1.IN-ADDR.ARPA".
-
- 3. General lookup function
-
- This function retrieves arbitrary information from the DNS,
- and has no counterpart in previous systems. The caller
- supplies a QNAME, QTYPE, and QCLASS, and wants all of the
- matching RRs. This function will often use the DNS format
- for all RR data instead of the local host's, and returns all
- RR content (e.g., TTL) instead of a processed form with local
- quoting conventions.
-
-When the resolver performs the indicated function, it usually has one of
-the following results to pass back to the client:
-
- - One or more RRs giving the requested data.
-
- In this case the resolver returns the answer in the
- appropriate format.
-
- - A name error (NE).
-
- This happens when the referenced name does not exist. For
- example, a user may have mistyped a host name.
-
- - A data not found error.
-
- This happens when the referenced name exists, but data of the
- appropriate type does not. For example, a host address
-
-
-
-Mockapetris [Page 30]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- function applied to a mailbox name would return this error
- since the name exists, but no address RR is present.
-
-It is important to note that the functions for translating between host
-names and addresses may combine the "name error" and "data not found"
-error conditions into a single type of error return, but the general
-function should not. One reason for this is that applications may ask
-first for one type of information about a name followed by a second
-request to the same name for some other type of information; if the two
-errors are combined, then useless queries may slow the application.
-
-5.2.2. Aliases
-
-While attempting to resolve a particular request, the resolver may find
-that the name in question is an alias. For example, the resolver might
-find that the name given for host name to address translation is an
-alias when it finds the CNAME RR. If possible, the alias condition
-should be signalled back from the resolver to the client.
-
-In most cases a resolver simply restarts the query at the new name when
-it encounters a CNAME. However, when performing the general function,
-the resolver should not pursue aliases when the CNAME RR matches the
-query type. This allows queries which ask whether an alias is present.
-For example, if the query type is CNAME, the user is interested in the
-CNAME RR itself, and not the RRs at the name it points to.
-
-Several special conditions can occur with aliases. Multiple levels of
-aliases should be avoided due to their lack of efficiency, but should
-not be signalled as an error. Alias loops and aliases which point to
-non-existent names should be caught and an error condition passed back
-to the client.
-
-5.2.3. Temporary failures
-
-In a less than perfect world, all resolvers will occasionally be unable
-to resolve a particular request. This condition can be caused by a
-resolver which becomes separated from the rest of the network due to a
-link failure or gateway problem, or less often by coincident failure or
-unavailability of all servers for a particular domain.
-
-It is essential that this sort of condition should not be signalled as a
-name or data not present error to applications. This sort of behavior
-is annoying to humans, and can wreak havoc when mail systems use the
-DNS.
-
-While in some cases it is possible to deal with such a temporary problem
-by blocking the request indefinitely, this is usually not a good choice,
-particularly when the client is a server process that could move on to
-
-
-
-Mockapetris [Page 31]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-other tasks. The recommended solution is to always have temporary
-failure as one of the possible results of a resolver function, even
-though this may make emulation of existing HOSTS.TXT functions more
-difficult.
-
-5.3. Resolver internals
-
-Every resolver implementation uses slightly different algorithms, and
-typically spends much more logic dealing with errors of various sorts
-than typical occurances. This section outlines a recommended basic
-strategy for resolver operation, but leaves details to [RFC-1035].
-
-5.3.1. Stub resolvers
-
-One option for implementing a resolver is to move the resolution
-function out of the local machine and into a name server which supports
-recursive queries. This can provide an easy method of providing domain
-service in a PC which lacks the resources to perform the resolver
-function, or can centralize the cache for a whole local network or
-organization.
-
-All that the remaining stub needs is a list of name server addresses
-that will perform the recursive requests. This type of resolver
-presumably needs the information in a configuration file, since it
-probably lacks the sophistication to locate it in the domain database.
-The user also needs to verify that the listed servers will perform the
-recursive service; a name server is free to refuse to perform recursive
-services for any or all clients. The user should consult the local
-system administrator to find name servers willing to perform the
-service.
-
-This type of service suffers from some drawbacks. Since the recursive
-requests may take an arbitrary amount of time to perform, the stub may
-have difficulty optimizing retransmission intervals to deal with both
-lost UDP packets and dead servers; the name server can be easily
-overloaded by too zealous a stub if it interprets retransmissions as new
-requests. Use of TCP may be an answer, but TCP may well place burdens
-on the host's capabilities which are similar to those of a real
-resolver.
-
-5.3.2. Resources
-
-In addition to its own resources, the resolver may also have shared
-access to zones maintained by a local name server. This gives the
-resolver the advantage of more rapid access, but the resolver must be
-careful to never let cached information override zone data. In this
-discussion the term "local information" is meant to mean the union of
-the cache and such shared zones, with the understanding that
-
-
-
-Mockapetris [Page 32]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-authoritative data is always used in preference to cached data when both
-are present.
-
-The following resolver algorithm assumes that all functions have been
-converted to a general lookup function, and uses the following data
-structures to represent the state of a request in progress in the
-resolver:
-
-SNAME the domain name we are searching for.
-
-STYPE the QTYPE of the search request.
-
-SCLASS the QCLASS of the search request.
-
-SLIST a structure which describes the name servers and the
- zone which the resolver is currently trying to query.
- This structure keeps track of the resolver's current
- best guess about which name servers hold the desired
- information; it is updated when arriving information
- changes the guess. This structure includes the
- equivalent of a zone name, the known name servers for
- the zone, the known addresses for the name servers, and
- history information which can be used to suggest which
- server is likely to be the best one to try next. The
- zone name equivalent is a match count of the number of
- labels from the root down which SNAME has in common with
- the zone being queried; this is used as a measure of how
- "close" the resolver is to SNAME.
-
-SBELT a "safety belt" structure of the same form as SLIST,
- which is initialized from a configuration file, and
- lists servers which should be used when the resolver
- doesn't have any local information to guide name server
- selection. The match count will be -1 to indicate that
- no labels are known to match.
-
-CACHE A structure which stores the results from previous
- responses. Since resolvers are responsible for
- discarding old RRs whose TTL has expired, most
- implementations convert the interval specified in
- arriving RRs to some sort of absolute time when the RR
- is stored in the cache. Instead of counting the TTLs
- down individually, the resolver just ignores or discards
- old RRs when it runs across them in the course of a
- search, or discards them during periodic sweeps to
- reclaim the memory consumed by old RRs.
-
-
-
-
-
-Mockapetris [Page 33]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-5.3.3. Algorithm
-
-The top level algorithm has four steps:
-
- 1. See if the answer is in local information, and if so return
- it to the client.
-
- 2. Find the best servers to ask.
-
- 3. Send them queries until one returns a response.
-
- 4. Analyze the response, either:
-
- a. if the response answers the question or contains a name
- error, cache the data as well as returning it back to
- the client.
-
- b. if the response contains a better delegation to other
- servers, cache the delegation information, and go to
- step 2.
-
- c. if the response shows a CNAME and that is not the
- answer itself, cache the CNAME, change the SNAME to the
- canonical name in the CNAME RR and go to step 1.
-
- d. if the response shows a servers failure or other
- bizarre contents, delete the server from the SLIST and
- go back to step 3.
-
-Step 1 searches the cache for the desired data. If the data is in the
-cache, it is assumed to be good enough for normal use. Some resolvers
-have an option at the user interface which will force the resolver to
-ignore the cached data and consult with an authoritative server. This
-is not recommended as the default. If the resolver has direct access to
-a name server's zones, it should check to see if the desired data is
-present in authoritative form, and if so, use the authoritative data in
-preference to cached data.
-
-Step 2 looks for a name server to ask for the required data. The
-general strategy is to look for locally-available name server RRs,
-starting at SNAME, then the parent domain name of SNAME, the
-grandparent, and so on toward the root. Thus if SNAME were
-Mockapetris.ISI.EDU, this step would look for NS RRs for
-Mockapetris.ISI.EDU, then ISI.EDU, then EDU, and then . (the root).
-These NS RRs list the names of hosts for a zone at or above SNAME. Copy
-the names into SLIST. Set up their addresses using local data. It may
-be the case that the addresses are not available. The resolver has many
-choices here; the best is to start parallel resolver processes looking
-
-
-
-Mockapetris [Page 34]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-for the addresses while continuing onward with the addresses which are
-available. Obviously, the design choices and options are complicated
-and a function of the local host's capabilities. The recommended
-priorities for the resolver designer are:
-
- 1. Bound the amount of work (packets sent, parallel processes
- started) so that a request can't get into an infinite loop or
- start off a chain reaction of requests or queries with other
- implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
- SOME DATA.
-
- 2. Get back an answer if at all possible.
-
- 3. Avoid unnecessary transmissions.
-
- 4. Get the answer as quickly as possible.
-
-If the search for NS RRs fails, then the resolver initializes SLIST from
-the safety belt SBELT. The basic idea is that when the resolver has no
-idea what servers to ask, it should use information from a configuration
-file that lists several servers which are expected to be helpful.
-Although there are special situations, the usual choice is two of the
-root servers and two of the servers for the host's domain. The reason
-for two of each is for redundancy. The root servers will provide
-eventual access to all of the domain space. The two local servers will
-allow the resolver to continue to resolve local names if the local
-network becomes isolated from the internet due to gateway or link
-failure.
-
-In addition to the names and addresses of the servers, the SLIST data
-structure can be sorted to use the best servers first, and to insure
-that all addresses of all servers are used in a round-robin manner. The
-sorting can be a simple function of preferring addresses on the local
-network over others, or may involve statistics from past events, such as
-previous response times and batting averages.
-
-Step 3 sends out queries until a response is received. The strategy is
-to cycle around all of the addresses for all of the servers with a
-timeout between each transmission. In practice it is important to use
-all addresses of a multihomed host, and too aggressive a retransmission
-policy actually slows response when used by multiple resolvers
-contending for the same name server and even occasionally for a single
-resolver. SLIST typically contains data values to control the timeouts
-and keep track of previous transmissions.
-
-Step 4 involves analyzing responses. The resolver should be highly
-paranoid in its parsing of responses. It should also check that the
-response matches the query it sent using the ID field in the response.
-
-
-
-Mockapetris [Page 35]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-The ideal answer is one from a server authoritative for the query which
-either gives the required data or a name error. The data is passed back
-to the user and entered in the cache for future use if its TTL is
-greater than zero.
-
-If the response shows a delegation, the resolver should check to see
-that the delegation is "closer" to the answer than the servers in SLIST
-are. This can be done by comparing the match count in SLIST with that
-computed from SNAME and the NS RRs in the delegation. If not, the reply
-is bogus and should be ignored. If the delegation is valid the NS
-delegation RRs and any address RRs for the servers should be cached.
-The name servers are entered in the SLIST, and the search is restarted.
-
-If the response contains a CNAME, the search is restarted at the CNAME
-unless the response has the data for the canonical name or if the CNAME
-is the answer itself.
-
-Details and implementation hints can be found in [RFC-1035].
-
-6. A SCENARIO
-
-In our sample domain space, suppose we wanted separate administrative
-control for the root, MIL, EDU, MIT.EDU and ISI.EDU zones. We might
-allocate name servers as follows:
-
-
- |(C.ISI.EDU,SRI-NIC.ARPA
- | A.ISI.EDU)
- +---------------------+------------------+
- | | |
- MIL EDU ARPA
- |(SRI-NIC.ARPA, |(SRI-NIC.ARPA, |
- | A.ISI.EDU | C.ISI.EDU) |
- +-----+-----+ | +------+-----+-----+
- | | | | | | |
- BRL NOSC DARPA | IN-ADDR SRI-NIC ACC
- |
- +--------+------------------+---------------+--------+
- | | | | |
- UCI MIT | UDEL YALE
- |(XX.LCS.MIT.EDU, ISI
- |ACHILLES.MIT.EDU) |(VAXA.ISI.EDU,VENERA.ISI.EDU,
- +---+---+ | A.ISI.EDU)
- | | |
- LCS ACHILLES +--+-----+-----+--------+
- | | | | | |
- XX A C VAXA VENERA Mockapetris
-
-
-
-
-Mockapetris [Page 36]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-In this example, the authoritative name server is shown in parentheses
-at the point in the domain tree at which is assumes control.
-
-Thus the root name servers are on C.ISI.EDU, SRI-NIC.ARPA, and
-A.ISI.EDU. The MIL domain is served by SRI-NIC.ARPA and A.ISI.EDU. The
-EDU domain is served by SRI-NIC.ARPA. and C.ISI.EDU. Note that servers
-may have zones which are contiguous or disjoint. In this scenario,
-C.ISI.EDU has contiguous zones at the root and EDU domains. A.ISI.EDU
-has contiguous zones at the root and MIL domains, but also has a non-
-contiguous zone at ISI.EDU.
-
-6.1. C.ISI.EDU name server
-
-C.ISI.EDU is a name server for the root, MIL, and EDU domains of the IN
-class, and would have zones for these domains. The zone data for the
-root domain might be:
-
- . IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
- 870611 ;serial
- 1800 ;refresh every 30 min
- 300 ;retry every 5 min
- 604800 ;expire after a week
- 86400) ;minimum of a day
- NS A.ISI.EDU.
- NS C.ISI.EDU.
- NS SRI-NIC.ARPA.
-
- MIL. 86400 NS SRI-NIC.ARPA.
- 86400 NS A.ISI.EDU.
-
- EDU. 86400 NS SRI-NIC.ARPA.
- 86400 NS C.ISI.EDU.
-
- SRI-NIC.ARPA. A 26.0.0.73
- A 10.0.0.51
- MX 0 SRI-NIC.ARPA.
- HINFO DEC-2060 TOPS20
-
- ACC.ARPA. A 26.6.0.65
- HINFO PDP-11/70 UNIX
- MX 10 ACC.ARPA.
-
- USC-ISIC.ARPA. CNAME C.ISI.EDU.
-
- 73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
- 65.0.6.26.IN-ADDR.ARPA. PTR ACC.ARPA.
- 51.0.0.10.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
- 52.0.0.10.IN-ADDR.ARPA. PTR C.ISI.EDU.
-
-
-
-Mockapetris [Page 37]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- 103.0.3.26.IN-ADDR.ARPA. PTR A.ISI.EDU.
-
- A.ISI.EDU. 86400 A 26.3.0.103
- C.ISI.EDU. 86400 A 10.0.0.52
-
-This data is represented as it would be in a master file. Most RRs are
-single line entries; the sole exception here is the SOA RR, which uses
-"(" to start a multi-line RR and ")" to show the end of a multi-line RR.
-Since the class of all RRs in a zone must be the same, only the first RR
-in a zone need specify the class. When a name server loads a zone, it
-forces the TTL of all authoritative RRs to be at least the MINIMUM field
-of the SOA, here 86400 seconds, or one day. The NS RRs marking
-delegation of the MIL and EDU domains, together with the glue RRs for
-the servers host addresses, are not part of the authoritative data in
-the zone, and hence have explicit TTLs.
-
-Four RRs are attached to the root node: the SOA which describes the root
-zone and the 3 NS RRs which list the name servers for the root. The
-data in the SOA RR describes the management of the zone. The zone data
-is maintained on host SRI-NIC.ARPA, and the responsible party for the
-zone is HOSTMASTER@SRI-NIC.ARPA. A key item in the SOA is the 86400
-second minimum TTL, which means that all authoritative data in the zone
-has at least that TTL, although higher values may be explicitly
-specified.
-
-The NS RRs for the MIL and EDU domains mark the boundary between the
-root zone and the MIL and EDU zones. Note that in this example, the
-lower zones happen to be supported by name servers which also support
-the root zone.
-
-The master file for the EDU zone might be stated relative to the origin
-EDU. The zone data for the EDU domain might be:
-
- EDU. IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
- 870729 ;serial
- 1800 ;refresh every 30 minutes
- 300 ;retry every 5 minutes
- 604800 ;expire after a week
- 86400 ;minimum of a day
- )
- NS SRI-NIC.ARPA.
- NS C.ISI.EDU.
-
- UCI 172800 NS ICS.UCI
- 172800 NS ROME.UCI
- ICS.UCI 172800 A 192.5.19.1
- ROME.UCI 172800 A 192.5.19.31
-
-
-
-
-Mockapetris [Page 38]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- ISI 172800 NS VAXA.ISI
- 172800 NS A.ISI
- 172800 NS VENERA.ISI.EDU.
- VAXA.ISI 172800 A 10.2.0.27
- 172800 A 128.9.0.33
- VENERA.ISI.EDU. 172800 A 10.1.0.52
- 172800 A 128.9.0.32
- A.ISI 172800 A 26.3.0.103
-
- UDEL.EDU. 172800 NS LOUIE.UDEL.EDU.
- 172800 NS UMN-REI-UC.ARPA.
- LOUIE.UDEL.EDU. 172800 A 10.0.0.96
- 172800 A 192.5.39.3
-
- YALE.EDU. 172800 NS YALE.ARPA.
- YALE.EDU. 172800 NS YALE-BULLDOG.ARPA.
-
- MIT.EDU. 43200 NS XX.LCS.MIT.EDU.
- 43200 NS ACHILLES.MIT.EDU.
- XX.LCS.MIT.EDU. 43200 A 10.0.0.44
- ACHILLES.MIT.EDU. 43200 A 18.72.0.8
-
-Note the use of relative names here. The owner name for the ISI.EDU. is
-stated using a relative name, as are two of the name server RR contents.
-Relative and absolute domain names may be freely intermixed in a master
-
-6.2. Example standard queries
-
-The following queries and responses illustrate name server behavior.
-Unless otherwise noted, the queries do not have recursion desired (RD)
-in the header. Note that the answers to non-recursive queries do depend
-on the server being asked, but do not depend on the identity of the
-requester.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 39]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-6.2.1. QNAME=SRI-NIC.ARPA, QTYPE=A
-
-The query would look like:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | <empty> |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-The response from C.ISI.EDU would be:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | SRI-NIC.ARPA. 86400 IN A 26.0.0.73 |
- | 86400 IN A 10.0.0.51 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-The header of the response looks like the header of the query, except
-that the RESPONSE bit is set, indicating that this message is a
-response, not a query, and the Authoritative Answer (AA) bit is set
-indicating that the address RRs in the answer section are from
-authoritative data. The question section of the response matches the
-question section of the query.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 40]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-If the same query was sent to some other server which was not
-authoritative for SRI-NIC.ARPA, the response might be:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY,RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | SRI-NIC.ARPA. 1777 IN A 10.0.0.51 |
- | 1777 IN A 26.0.0.73 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-This response is different from the previous one in two ways: the header
-does not have AA set, and the TTLs are different. The inference is that
-the data did not come from a zone, but from a cache. The difference
-between the authoritative TTL and the TTL here is due to aging of the
-data in a cache. The difference in ordering of the RRs in the answer
-section is not significant.
-
-6.2.2. QNAME=SRI-NIC.ARPA, QTYPE=*
-
-A query similar to the previous one, but using a QTYPE of *, would
-receive the following response from C.ISI.EDU:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=* |
- +---------------------------------------------------+
- Answer | SRI-NIC.ARPA. 86400 IN A 26.0.0.73 |
- | A 10.0.0.51 |
- | MX 0 SRI-NIC.ARPA. |
- | HINFO DEC-2060 TOPS20 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 41]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-If a similar query was directed to two name servers which are not
-authoritative for SRI-NIC.ARPA, the responses might be:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=* |
- +---------------------------------------------------+
- Answer | SRI-NIC.ARPA. 12345 IN A 26.0.0.73 |
- | A 10.0.0.51 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-and
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=* |
- +---------------------------------------------------+
- Answer | SRI-NIC.ARPA. 1290 IN HINFO DEC-2060 TOPS20 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-Neither of these answers have AA set, so neither response comes from
-authoritative data. The different contents and different TTLs suggest
-that the two servers cached data at different times, and that the first
-server cached the response to a QTYPE=A query and the second cached the
-response to a HINFO query.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 42]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-6.2.3. QNAME=SRI-NIC.ARPA, QTYPE=MX
-
-This type of query might be result from a mailer trying to look up
-routing information for the mail destination HOSTMASTER@SRI-NIC.ARPA.
-The response from C.ISI.EDU would be:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=MX |
- +---------------------------------------------------+
- Answer | SRI-NIC.ARPA. 86400 IN MX 0 SRI-NIC.ARPA.|
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | SRI-NIC.ARPA. 86400 IN A 26.0.0.73 |
- | A 10.0.0.51 |
- +---------------------------------------------------+
-
-This response contains the MX RR in the answer section of the response.
-The additional section contains the address RRs because the name server
-at C.ISI.EDU guesses that the requester will need the addresses in order
-to properly use the information carried by the MX.
-
-6.2.4. QNAME=SRI-NIC.ARPA, QTYPE=NS
-
-C.ISI.EDU would reply to this query with:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=NS |
- +---------------------------------------------------+
- Answer | <empty> |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-The only difference between the response and the query is the AA and
-RESPONSE bits in the header. The interpretation of this response is
-that the server is authoritative for the name, and the name exists, but
-no RRs of type NS are present there.
-
-6.2.5. QNAME=SIR-NIC.ARPA, QTYPE=A
-
-If a user mistyped a host name, we might see this type of query.
-
-
-
-Mockapetris [Page 43]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-C.ISI.EDU would answer it with:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA, RCODE=NE |
- +---------------------------------------------------+
- Question | QNAME=SIR-NIC.ARPA., QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | <empty> |
- +---------------------------------------------------+
- Authority | . SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. |
- | 870611 1800 300 604800 86400 |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-This response states that the name does not exist. This condition is
-signalled in the response code (RCODE) section of the header.
-
-The SOA RR in the authority section is the optional negative caching
-information which allows the resolver using this response to assume that
-the name will not exist for the SOA MINIMUM (86400) seconds.
-
-6.2.6. QNAME=BRL.MIL, QTYPE=A
-
-If this query is sent to C.ISI.EDU, the reply would be:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=BRL.MIL, QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | <empty> |
- +---------------------------------------------------+
- Authority | MIL. 86400 IN NS SRI-NIC.ARPA. |
- | 86400 NS A.ISI.EDU. |
- +---------------------------------------------------+
- Additional | A.ISI.EDU. A 26.3.0.103 |
- | SRI-NIC.ARPA. A 26.0.0.73 |
- | A 10.0.0.51 |
- +---------------------------------------------------+
-
-This response has an empty answer section, but is not authoritative, so
-it is a referral. The name server on C.ISI.EDU, realizing that it is
-not authoritative for the MIL domain, has referred the requester to
-servers on A.ISI.EDU and SRI-NIC.ARPA, which it knows are authoritative
-for the MIL domain.
-
-
-
-
-
-Mockapetris [Page 44]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-6.2.7. QNAME=USC-ISIC.ARPA, QTYPE=A
-
-The response to this query from A.ISI.EDU would be:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=USC-ISIC.ARPA., QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | USC-ISIC.ARPA. 86400 IN CNAME C.ISI.EDU. |
- | C.ISI.EDU. 86400 IN A 10.0.0.52 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-Note that the AA bit in the header guarantees that the data matching
-QNAME is authoritative, but does not say anything about whether the data
-for C.ISI.EDU is authoritative. This complete reply is possible because
-A.ISI.EDU happens to be authoritative for both the ARPA domain where
-USC-ISIC.ARPA is found and the ISI.EDU domain where C.ISI.EDU data is
-found.
-
-If the same query was sent to C.ISI.EDU, its response might be the same
-as shown above if it had its own address in its cache, but might also
-be:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 45]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=USC-ISIC.ARPA., QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | USC-ISIC.ARPA. 86400 IN CNAME C.ISI.EDU. |
- +---------------------------------------------------+
- Authority | ISI.EDU. 172800 IN NS VAXA.ISI.EDU. |
- | NS A.ISI.EDU. |
- | NS VENERA.ISI.EDU. |
- +---------------------------------------------------+
- Additional | VAXA.ISI.EDU. 172800 A 10.2.0.27 |
- | 172800 A 128.9.0.33 |
- | VENERA.ISI.EDU. 172800 A 10.1.0.52 |
- | 172800 A 128.9.0.32 |
- | A.ISI.EDU. 172800 A 26.3.0.103 |
- +---------------------------------------------------+
-
-This reply contains an authoritative reply for the alias USC-ISIC.ARPA,
-plus a referral to the name servers for ISI.EDU. This sort of reply
-isn't very likely given that the query is for the host name of the name
-server being asked, but would be common for other aliases.
-
-6.2.8. QNAME=USC-ISIC.ARPA, QTYPE=CNAME
-
-If this query is sent to either A.ISI.EDU or C.ISI.EDU, the reply would
-be:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=USC-ISIC.ARPA., QCLASS=IN, QTYPE=A |
- +---------------------------------------------------+
- Answer | USC-ISIC.ARPA. 86400 IN CNAME C.ISI.EDU. |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-Because QTYPE=CNAME, the CNAME RR itself answers the query, and the name
-server doesn't attempt to look up anything for C.ISI.EDU. (Except
-possibly for the additional section.)
-
-6.3. Example resolution
-
-The following examples illustrate the operations a resolver must perform
-for its client. We assume that the resolver is starting without a
-
-
-
-Mockapetris [Page 46]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-cache, as might be the case after system boot. We further assume that
-the system is not one of the hosts in the data and that the host is
-located somewhere on net 26, and that its safety belt (SBELT) data
-structure has the following information:
-
- Match count = -1
- SRI-NIC.ARPA. 26.0.0.73 10.0.0.51
- A.ISI.EDU. 26.3.0.103
-
-This information specifies servers to try, their addresses, and a match
-count of -1, which says that the servers aren't very close to the
-target. Note that the -1 isn't supposed to be an accurate closeness
-measure, just a value so that later stages of the algorithm will work.
-
-The following examples illustrate the use of a cache, so each example
-assumes that previous requests have completed.
-
-6.3.1. Resolve MX for ISI.EDU.
-
-Suppose the first request to the resolver comes from the local mailer,
-which has mail for PVM@ISI.EDU. The mailer might then ask for type MX
-RRs for the domain name ISI.EDU.
-
-The resolver would look in its cache for MX RRs at ISI.EDU, but the
-empty cache wouldn't be helpful. The resolver would recognize that it
-needed to query foreign servers and try to determine the best servers to
-query. This search would look for NS RRs for the domains ISI.EDU, EDU,
-and the root. These searches of the cache would also fail. As a last
-resort, the resolver would use the information from the SBELT, copying
-it into its SLIST structure.
-
-At this point the resolver would need to pick one of the three available
-addresses to try. Given that the resolver is on net 26, it should
-choose either 26.0.0.73 or 26.3.0.103 as its first choice. It would
-then send off a query of the form:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 47]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY |
- +---------------------------------------------------+
- Question | QNAME=ISI.EDU., QCLASS=IN, QTYPE=MX |
- +---------------------------------------------------+
- Answer | <empty> |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-The resolver would then wait for a response to its query or a timeout.
-If the timeout occurs, it would try different servers, then different
-addresses of the same servers, lastly retrying addresses already tried.
-It might eventually receive a reply from SRI-NIC.ARPA:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=ISI.EDU., QCLASS=IN, QTYPE=MX |
- +---------------------------------------------------+
- Answer | <empty> |
- +---------------------------------------------------+
- Authority | ISI.EDU. 172800 IN NS VAXA.ISI.EDU. |
- | NS A.ISI.EDU. |
- | NS VENERA.ISI.EDU.|
- +---------------------------------------------------+
- Additional | VAXA.ISI.EDU. 172800 A 10.2.0.27 |
- | 172800 A 128.9.0.33 |
- | VENERA.ISI.EDU. 172800 A 10.1.0.52 |
- | 172800 A 128.9.0.32 |
- | A.ISI.EDU. 172800 A 26.3.0.103 |
- +---------------------------------------------------+
-
-The resolver would notice that the information in the response gave a
-closer delegation to ISI.EDU than its existing SLIST (since it matches
-three labels). The resolver would then cache the information in this
-response and use it to set up a new SLIST:
-
- Match count = 3
- A.ISI.EDU. 26.3.0.103
- VAXA.ISI.EDU. 10.2.0.27 128.9.0.33
- VENERA.ISI.EDU. 10.1.0.52 128.9.0.32
-
-A.ISI.EDU appears on this list as well as the previous one, but that is
-purely coincidental. The resolver would again start transmitting and
-waiting for responses. Eventually it would get an answer:
-
-
-
-Mockapetris [Page 48]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=ISI.EDU., QCLASS=IN, QTYPE=MX |
- +---------------------------------------------------+
- Answer | ISI.EDU. MX 10 VENERA.ISI.EDU. |
- | MX 20 VAXA.ISI.EDU. |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | VAXA.ISI.EDU. 172800 A 10.2.0.27 |
- | 172800 A 128.9.0.33 |
- | VENERA.ISI.EDU. 172800 A 10.1.0.52 |
- | 172800 A 128.9.0.32 |
- +---------------------------------------------------+
-
-The resolver would add this information to its cache, and return the MX
-RRs to its client.
-
-6.3.2. Get the host name for address 26.6.0.65
-
-The resolver would translate this into a request for PTR RRs for
-65.0.6.26.IN-ADDR.ARPA. This information is not in the cache, so the
-resolver would look for foreign servers to ask. No servers would match,
-so it would use SBELT again. (Note that the servers for the ISI.EDU
-domain are in the cache, but ISI.EDU is not an ancestor of
-65.0.6.26.IN-ADDR.ARPA, so the SBELT is used.)
-
-Since this request is within the authoritative data of both servers in
-SBELT, eventually one would return:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 49]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE, AA |
- +---------------------------------------------------+
- Question | QNAME=65.0.6.26.IN-ADDR.ARPA.,QCLASS=IN,QTYPE=PTR |
- +---------------------------------------------------+
- Answer | 65.0.6.26.IN-ADDR.ARPA. PTR ACC.ARPA. |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-6.3.3. Get the host address of poneria.ISI.EDU
-
-This request would translate into a type A request for poneria.ISI.EDU.
-The resolver would not find any cached data for this name, but would
-find the NS RRs in the cache for ISI.EDU when it looks for foreign
-servers to ask. Using this data, it would construct a SLIST of the
-form:
-
- Match count = 3
-
- A.ISI.EDU. 26.3.0.103
- VAXA.ISI.EDU. 10.2.0.27 128.9.0.33
- VENERA.ISI.EDU. 10.1.0.52
-
-A.ISI.EDU is listed first on the assumption that the resolver orders its
-choices by preference, and A.ISI.EDU is on the same network.
-
-One of these servers would answer the query.
-
-7. REFERENCES and BIBLIOGRAPHY
-
-[Dyer 87] Dyer, S., and F. Hsu, "Hesiod", Project Athena
- Technical Plan - Name Service, April 1987, version 1.9.
-
- Describes the fundamentals of the Hesiod name service.
-
-[IEN-116] J. Postel, "Internet Name Server", IEN-116,
- USC/Information Sciences Institute, August 1979.
-
- A name service obsoleted by the Domain Name System, but
- still in use.
-
-
-
-
-
-
-
-
-Mockapetris [Page 50]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-[Quarterman 86] Quarterman, J., and J. Hoskins, "Notable Computer
- Networks",Communications of the ACM, October 1986,
- volume 29, number 10.
-
-[RFC-742] K. Harrenstien, "NAME/FINGER", RFC-742, Network
- Information Center, SRI International, December 1977.
-
-[RFC-768] J. Postel, "User Datagram Protocol", RFC-768,
- USC/Information Sciences Institute, August 1980.
-
-[RFC-793] J. Postel, "Transmission Control Protocol", RFC-793,
- USC/Information Sciences Institute, September 1981.
-
-[RFC-799] D. Mills, "Internet Name Domains", RFC-799, COMSAT,
- September 1981.
-
- Suggests introduction of a hierarchy in place of a flat
- name space for the Internet.
-
-[RFC-805] J. Postel, "Computer Mail Meeting Notes", RFC-805,
- USC/Information Sciences Institute, February 1982.
-
-[RFC-810] E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
- Internet Host Table Specification", RFC-810, Network
- Information Center, SRI International, March 1982.
-
- Obsolete. See RFC-952.
-
-[RFC-811] K. Harrenstien, V. White, and E. Feinler, "Hostnames
- Server", RFC-811, Network Information Center, SRI
- International, March 1982.
-
- Obsolete. See RFC-953.
-
-[RFC-812] K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
- Network Information Center, SRI International, March
- 1982.
-
-[RFC-819] Z. Su, and J. Postel, "The Domain Naming Convention for
- Internet User Applications", RFC-819, Network
- Information Center, SRI International, August 1982.
-
- Early thoughts on the design of the domain system.
- Current implementation is completely different.
-
-[RFC-821] J. Postel, "Simple Mail Transfer Protocol", RFC-821,
- USC/Information Sciences Institute, August 1980.
-
-
-
-
-Mockapetris [Page 51]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-[RFC-830] Z. Su, "A Distributed System for Internet Name Service",
- RFC-830, Network Information Center, SRI International,
- October 1982.
-
- Early thoughts on the design of the domain system.
- Current implementation is completely different.
-
-[RFC-882] P. Mockapetris, "Domain names - Concepts and
- Facilities," RFC-882, USC/Information Sciences
- Institute, November 1983.
-
- Superceeded by this memo.
-
-[RFC-883] P. Mockapetris, "Domain names - Implementation and
- Specification," RFC-883, USC/Information Sciences
- Institute, November 1983.
-
- Superceeded by this memo.
-
-[RFC-920] J. Postel and J. Reynolds, "Domain Requirements",
- RFC-920, USC/Information Sciences Institute
- October 1984.
-
- Explains the naming scheme for top level domains.
-
-[RFC-952] K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
- Table Specification", RFC-952, SRI, October 1985.
-
- Specifies the format of HOSTS.TXT, the host/address
- table replaced by the DNS.
-
-[RFC-953] K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
- RFC-953, SRI, October 1985.
-
- This RFC contains the official specification of the
- hostname server protocol, which is obsoleted by the DNS.
- This TCP based protocol accesses information stored in
- the RFC-952 format, and is used to obtain copies of the
- host table.
-
-[RFC-973] P. Mockapetris, "Domain System Changes and
- Observations", RFC-973, USC/Information Sciences
- Institute, January 1986.
-
- Describes changes to RFC-882 and RFC-883 and reasons for
- them. Now obsolete.
-
-
-
-
-
-Mockapetris [Page 52]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-[RFC-974] C. Partridge, "Mail routing and the domain system",
- RFC-974, CSNET CIC BBN Labs, January 1986.
-
- Describes the transition from HOSTS.TXT based mail
- addressing to the more powerful MX system used with the
- domain system.
-
-[RFC-1001] NetBIOS Working Group, "Protocol standard for a NetBIOS
- service on a TCP/UDP transport: Concepts and Methods",
- RFC-1001, March 1987.
-
- This RFC and RFC-1002 are a preliminary design for
- NETBIOS on top of TCP/IP which proposes to base NetBIOS
- name service on top of the DNS.
-
-[RFC-1002] NetBIOS Working Group, "Protocol standard for a NetBIOS
- service on a TCP/UDP transport: Detailed
- Specifications", RFC-1002, March 1987.
-
-[RFC-1010] J. Reynolds and J. Postel, "Assigned Numbers", RFC-1010,
- USC/Information Sciences Institute, May 1987
-
- Contains socket numbers and mnemonics for host names,
- operating systems, etc.
-
-[RFC-1031] W. Lazear, "MILNET Name Domain Transition", RFC-1031,
- November 1987.
-
- Describes a plan for converting the MILNET to the DNS.
-
-[RFC-1032] M. K. Stahl, "Establishing a Domain - Guidelines for
- Administrators", RFC-1032, November 1987.
-
- Describes the registration policies used by the NIC to
- administer the top level domains and delegate subzones.
-
-[RFC-1033] M. K. Lottor, "Domain Administrators Operations Guide",
- RFC-1033, November 1987.
-
- A cookbook for domain administrators.
-
-[Solomon 82] M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
- Name Server", Computer Networks, vol 6, nr 3, July 1982.
-
- Describes a name service for CSNET which is independent
- from the DNS and DNS use in the CSNET.
-
-
-
-
-
-Mockapetris [Page 53]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
-Index
-
- A 12
- Absolute names 8
- Aliases 14, 31
- Authority 6
- AXFR 17
-
- Case of characters 7
- CH 12
- CNAME 12, 13, 31
- Completion queries 18
-
- Domain name 6, 7
-
- Glue RRs 20
-
- HINFO 12
-
- IN 12
- Inverse queries 16
- Iterative 4
-
- Label 7
-
- Mailbox names 9
- MX 12
-
- Name error 27, 36
- Name servers 5, 17
- NE 30
- Negative caching 44
- NS 12
-
- Opcode 16
-
- PTR 12
-
- QCLASS 16
- QTYPE 16
-
- RDATA 13
- Recursive 4
- Recursive service 22
- Relative names 7
- Resolvers 6
- RR 12
-
-
-
-
-Mockapetris [Page 54]
-
-RFC 1034 Domain Concepts and Facilities November 1987
-
-
- Safety belt 33
- Sections 16
- SOA 12
- Standard queries 22
-
- Status queries 18
- Stub resolvers 32
-
- TTL 12, 13
-
- Wildcards 25
-
- Zone transfers 28
- Zones 19
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 55]
-
diff --git a/contrib/bind9/doc/rfc/rfc1035.txt b/contrib/bind9/doc/rfc/rfc1035.txt
deleted file mode 100644
index b1a9bf5a94b6..000000000000
--- a/contrib/bind9/doc/rfc/rfc1035.txt
+++ /dev/null
@@ -1,3077 +0,0 @@
-Network Working Group P. Mockapetris
-Request for Comments: 1035 ISI
- November 1987
-Obsoletes: RFCs 882, 883, 973
-
- DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
-
-
-1. STATUS OF THIS MEMO
-
-This RFC describes the details of the domain system and protocol, and
-assumes that the reader is familiar with the concepts discussed in a
-companion RFC, "Domain Names - Concepts and Facilities" [RFC-1034].
-
-The domain system is a mixture of functions and data types which are an
-official protocol and functions and data types which are still
-experimental. Since the domain system is intentionally extensible, new
-data types and experimental behavior should always be expected in parts
-of the system beyond the official protocol. The official protocol parts
-include standard queries, responses and the Internet class RR data
-formats (e.g., host addresses). Since the previous RFC set, several
-definitions have changed, so some previous definitions are obsolete.
-
-Experimental or obsolete features are clearly marked in these RFCs, and
-such information should be used with caution.
-
-The reader is especially cautioned not to depend on the values which
-appear in examples to be current or complete, since their purpose is
-primarily pedagogical. Distribution of this memo is unlimited.
-
- Table of Contents
-
- 1. STATUS OF THIS MEMO 1
- 2. INTRODUCTION 3
- 2.1. Overview 3
- 2.2. Common configurations 4
- 2.3. Conventions 7
- 2.3.1. Preferred name syntax 7
- 2.3.2. Data Transmission Order 8
- 2.3.3. Character Case 9
- 2.3.4. Size limits 10
- 3. DOMAIN NAME SPACE AND RR DEFINITIONS 10
- 3.1. Name space definitions 10
- 3.2. RR definitions 11
- 3.2.1. Format 11
- 3.2.2. TYPE values 12
- 3.2.3. QTYPE values 12
- 3.2.4. CLASS values 13
-
-
-
-Mockapetris [Page 1]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- 3.2.5. QCLASS values 13
- 3.3. Standard RRs 13
- 3.3.1. CNAME RDATA format 14
- 3.3.2. HINFO RDATA format 14
- 3.3.3. MB RDATA format (EXPERIMENTAL) 14
- 3.3.4. MD RDATA format (Obsolete) 15
- 3.3.5. MF RDATA format (Obsolete) 15
- 3.3.6. MG RDATA format (EXPERIMENTAL) 16
- 3.3.7. MINFO RDATA format (EXPERIMENTAL) 16
- 3.3.8. MR RDATA format (EXPERIMENTAL) 17
- 3.3.9. MX RDATA format 17
- 3.3.10. NULL RDATA format (EXPERIMENTAL) 17
- 3.3.11. NS RDATA format 18
- 3.3.12. PTR RDATA format 18
- 3.3.13. SOA RDATA format 19
- 3.3.14. TXT RDATA format 20
- 3.4. ARPA Internet specific RRs 20
- 3.4.1. A RDATA format 20
- 3.4.2. WKS RDATA format 21
- 3.5. IN-ADDR.ARPA domain 22
- 3.6. Defining new types, classes, and special namespaces 24
- 4. MESSAGES 25
- 4.1. Format 25
- 4.1.1. Header section format 26
- 4.1.2. Question section format 28
- 4.1.3. Resource record format 29
- 4.1.4. Message compression 30
- 4.2. Transport 32
- 4.2.1. UDP usage 32
- 4.2.2. TCP usage 32
- 5. MASTER FILES 33
- 5.1. Format 33
- 5.2. Use of master files to define zones 35
- 5.3. Master file example 36
- 6. NAME SERVER IMPLEMENTATION 37
- 6.1. Architecture 37
- 6.1.1. Control 37
- 6.1.2. Database 37
- 6.1.3. Time 39
- 6.2. Standard query processing 39
- 6.3. Zone refresh and reload processing 39
- 6.4. Inverse queries (Optional) 40
- 6.4.1. The contents of inverse queries and responses 40
- 6.4.2. Inverse query and response example 41
- 6.4.3. Inverse query processing 42
-
-
-
-
-
-
-Mockapetris [Page 2]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- 6.5. Completion queries and responses 42
- 7. RESOLVER IMPLEMENTATION 43
- 7.1. Transforming a user request into a query 43
- 7.2. Sending the queries 44
- 7.3. Processing responses 46
- 7.4. Using the cache 47
- 8. MAIL SUPPORT 47
- 8.1. Mail exchange binding 48
- 8.2. Mailbox binding (Experimental) 48
- 9. REFERENCES and BIBLIOGRAPHY 50
- Index 54
-
-2. INTRODUCTION
-
-2.1. Overview
-
-The goal of domain names is to provide a mechanism for naming resources
-in such a way that the names are usable in different hosts, networks,
-protocol families, internets, and administrative organizations.
-
-From the user's point of view, domain names are useful as arguments to a
-local agent, called a resolver, which retrieves information associated
-with the domain name. Thus a user might ask for the host address or
-mail information associated with a particular domain name. To enable
-the user to request a particular type of information, an appropriate
-query type is passed to the resolver with the domain name. To the user,
-the domain tree is a single information space; the resolver is
-responsible for hiding the distribution of data among name servers from
-the user.
-
-From the resolver's point of view, the database that makes up the domain
-space is distributed among various name servers. Different parts of the
-domain space are stored in different name servers, although a particular
-data item will be stored redundantly in two or more name servers. The
-resolver starts with knowledge of at least one name server. When the
-resolver processes a user query it asks a known name server for the
-information; in return, the resolver either receives the desired
-information or a referral to another name server. Using these
-referrals, resolvers learn the identities and contents of other name
-servers. Resolvers are responsible for dealing with the distribution of
-the domain space and dealing with the effects of name server failure by
-consulting redundant databases in other servers.
-
-Name servers manage two kinds of data. The first kind of data held in
-sets called zones; each zone is the complete database for a particular
-"pruned" subtree of the domain space. This data is called
-authoritative. A name server periodically checks to make sure that its
-zones are up to date, and if not, obtains a new copy of updated zones
-
-
-
-Mockapetris [Page 3]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-from master files stored locally or in another name server. The second
-kind of data is cached data which was acquired by a local resolver.
-This data may be incomplete, but improves the performance of the
-retrieval process when non-local data is repeatedly accessed. Cached
-data is eventually discarded by a timeout mechanism.
-
-This functional structure isolates the problems of user interface,
-failure recovery, and distribution in the resolvers and isolates the
-database update and refresh problems in the name servers.
-
-2.2. Common configurations
-
-A host can participate in the domain name system in a number of ways,
-depending on whether the host runs programs that retrieve information
-from the domain system, name servers that answer queries from other
-hosts, or various combinations of both functions. The simplest, and
-perhaps most typical, configuration is shown below:
-
- Local Host | Foreign
- |
- +---------+ +----------+ | +--------+
- | | user queries | |queries | | |
- | User |-------------->| |---------|->|Foreign |
- | Program | | Resolver | | | Name |
- | |<--------------| |<--------|--| Server |
- | | user responses| |responses| | |
- +---------+ +----------+ | +--------+
- | A |
- cache additions | | references |
- V | |
- +----------+ |
- | cache | |
- +----------+ |
-
-User programs interact with the domain name space through resolvers; the
-format of user queries and user responses is specific to the host and
-its operating system. User queries will typically be operating system
-calls, and the resolver and its cache will be part of the host operating
-system. Less capable hosts may choose to implement the resolver as a
-subroutine to be linked in with every program that needs its services.
-Resolvers answer user queries with information they acquire via queries
-to foreign name servers and the local cache.
-
-Note that the resolver may have to make several queries to several
-different foreign name servers to answer a particular user query, and
-hence the resolution of a user query may involve several network
-accesses and an arbitrary amount of time. The queries to foreign name
-servers and the corresponding responses have a standard format described
-
-
-
-Mockapetris [Page 4]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-in this memo, and may be datagrams.
-
-Depending on its capabilities, a name server could be a stand alone
-program on a dedicated machine or a process or processes on a large
-timeshared host. A simple configuration might be:
-
- Local Host | Foreign
- |
- +---------+ |
- / /| |
- +---------+ | +----------+ | +--------+
- | | | | |responses| | |
- | | | | Name |---------|->|Foreign |
- | Master |-------------->| Server | | |Resolver|
- | files | | | |<--------|--| |
- | |/ | | queries | +--------+
- +---------+ +----------+ |
-
-Here a primary name server acquires information about one or more zones
-by reading master files from its local file system, and answers queries
-about those zones that arrive from foreign resolvers.
-
-The DNS requires that all zones be redundantly supported by more than
-one name server. Designated secondary servers can acquire zones and
-check for updates from the primary server using the zone transfer
-protocol of the DNS. This configuration is shown below:
-
- Local Host | Foreign
- |
- +---------+ |
- / /| |
- +---------+ | +----------+ | +--------+
- | | | | |responses| | |
- | | | | Name |---------|->|Foreign |
- | Master |-------------->| Server | | |Resolver|
- | files | | | |<--------|--| |
- | |/ | | queries | +--------+
- +---------+ +----------+ |
- A |maintenance | +--------+
- | +------------|->| |
- | queries | |Foreign |
- | | | Name |
- +------------------|--| Server |
- maintenance responses | +--------+
-
-In this configuration, the name server periodically establishes a
-virtual circuit to a foreign name server to acquire a copy of a zone or
-to check that an existing copy has not changed. The messages sent for
-
-
-
-Mockapetris [Page 5]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-these maintenance activities follow the same form as queries and
-responses, but the message sequences are somewhat different.
-
-The information flow in a host that supports all aspects of the domain
-name system is shown below:
-
- Local Host | Foreign
- |
- +---------+ +----------+ | +--------+
- | | user queries | |queries | | |
- | User |-------------->| |---------|->|Foreign |
- | Program | | Resolver | | | Name |
- | |<--------------| |<--------|--| Server |
- | | user responses| |responses| | |
- +---------+ +----------+ | +--------+
- | A |
- cache additions | | references |
- V | |
- +----------+ |
- | Shared | |
- | database | |
- +----------+ |
- A | |
- +---------+ refreshes | | references |
- / /| | V |
- +---------+ | +----------+ | +--------+
- | | | | |responses| | |
- | | | | Name |---------|->|Foreign |
- | Master |-------------->| Server | | |Resolver|
- | files | | | |<--------|--| |
- | |/ | | queries | +--------+
- +---------+ +----------+ |
- A |maintenance | +--------+
- | +------------|->| |
- | queries | |Foreign |
- | | | Name |
- +------------------|--| Server |
- maintenance responses | +--------+
-
-The shared database holds domain space data for the local name server
-and resolver. The contents of the shared database will typically be a
-mixture of authoritative data maintained by the periodic refresh
-operations of the name server and cached data from previous resolver
-requests. The structure of the domain data and the necessity for
-synchronization between name servers and resolvers imply the general
-characteristics of this database, but the actual format is up to the
-local implementor.
-
-
-
-
-Mockapetris [Page 6]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-Information flow can also be tailored so that a group of hosts act
-together to optimize activities. Sometimes this is done to offload less
-capable hosts so that they do not have to implement a full resolver.
-This can be appropriate for PCs or hosts which want to minimize the
-amount of new network code which is required. This scheme can also
-allow a group of hosts can share a small number of caches rather than
-maintaining a large number of separate caches, on the premise that the
-centralized caches will have a higher hit ratio. In either case,
-resolvers are replaced with stub resolvers which act as front ends to
-resolvers located in a recursive server in one or more name servers
-known to perform that service:
-
- Local Hosts | Foreign
- |
- +---------+ |
- | | responses |
- | Stub |<--------------------+ |
- | Resolver| | |
- | |----------------+ | |
- +---------+ recursive | | |
- queries | | |
- V | |
- +---------+ recursive +----------+ | +--------+
- | | queries | |queries | | |
- | Stub |-------------->| Recursive|---------|->|Foreign |
- | Resolver| | Server | | | Name |
- | |<--------------| |<--------|--| Server |
- +---------+ responses | |responses| | |
- +----------+ | +--------+
- | Central | |
- | cache | |
- +----------+ |
-
-In any case, note that domain components are always replicated for
-reliability whenever possible.
-
-2.3. Conventions
-
-The domain system has several conventions dealing with low-level, but
-fundamental, issues. While the implementor is free to violate these
-conventions WITHIN HIS OWN SYSTEM, he must observe these conventions in
-ALL behavior observed from other hosts.
-
-2.3.1. Preferred name syntax
-
-The DNS specifications attempt to be as general as possible in the rules
-for constructing domain names. The idea is that the name of any
-existing object can be expressed as a domain name with minimal changes.
-
-
-
-Mockapetris [Page 7]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-However, when assigning a domain name for an object, the prudent user
-will select a name which satisfies both the rules of the domain system
-and any existing rules for the object, whether these rules are published
-or implied by existing programs.
-
-For example, when naming a mail domain, the user should satisfy both the
-rules of this memo and those in RFC-822. When creating a new host name,
-the old rules for HOSTS.TXT should be followed. This avoids problems
-when old software is converted to use domain names.
-
-The following syntax will result in fewer problems with many
-
-applications that use domain names (e.g., mail, TELNET).
-
-<domain> ::= <subdomain> | " "
-
-<subdomain> ::= <label> | <subdomain> "." <label>
-
-<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
-
-<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
-
-<let-dig-hyp> ::= <let-dig> | "-"
-
-<let-dig> ::= <letter> | <digit>
-
-<letter> ::= any one of the 52 alphabetic characters A through Z in
-upper case and a through z in lower case
-
-<digit> ::= any one of the ten digits 0 through 9
-
-Note that while upper and lower case letters are allowed in domain
-names, no significance is attached to the case. That is, two names with
-the same spelling but different case are to be treated as if identical.
-
-The labels must follow the rules for ARPANET host names. They must
-start with a letter, end with a letter or digit, and have as interior
-characters only letters, digits, and hyphen. There are also some
-restrictions on the length. Labels must be 63 characters or less.
-
-For example, the following strings identify hosts in the Internet:
-
-A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
-
-2.3.2. Data Transmission Order
-
-The order of transmission of the header and data described in this
-document is resolved to the octet level. Whenever a diagram shows a
-
-
-
-Mockapetris [Page 8]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-group of octets, the order of transmission of those octets is the normal
-order in which they are read in English. For example, in the following
-diagram, the octets are transmitted in the order they are numbered.
-
- 0 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | 1 | 2 |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | 3 | 4 |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | 5 | 6 |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-Whenever an octet represents a numeric quantity, the left most bit in
-the diagram is the high order or most significant bit. That is, the bit
-labeled 0 is the most significant bit. For example, the following
-diagram represents the value 170 (decimal).
-
- 0 1 2 3 4 5 6 7
- +-+-+-+-+-+-+-+-+
- |1 0 1 0 1 0 1 0|
- +-+-+-+-+-+-+-+-+
-
-Similarly, whenever a multi-octet field represents a numeric quantity
-the left most bit of the whole field is the most significant bit. When
-a multi-octet quantity is transmitted the most significant octet is
-transmitted first.
-
-2.3.3. Character Case
-
-For all parts of the DNS that are part of the official protocol, all
-comparisons between character strings (e.g., labels, domain names, etc.)
-are done in a case-insensitive manner. At present, this rule is in
-force throughout the domain system without exception. However, future
-additions beyond current usage may need to use the full binary octet
-capabilities in names, so attempts to store domain names in 7-bit ASCII
-or use of special bytes to terminate labels, etc., should be avoided.
-
-When data enters the domain system, its original case should be
-preserved whenever possible. In certain circumstances this cannot be
-done. For example, if two RRs are stored in a database, one at x.y and
-one at X.Y, they are actually stored at the same place in the database,
-and hence only one casing would be preserved. The basic rule is that
-case can be discarded only when data is used to define structure in a
-database, and two names are identical when compared in a case
-insensitive manner.
-
-
-
-
-Mockapetris [Page 9]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-Loss of case sensitive data must be minimized. Thus while data for x.y
-and X.Y may both be stored under a single location x.y or X.Y, data for
-a.x and B.X would never be stored under A.x, A.X, b.x, or b.X. In
-general, this preserves the case of the first label of a domain name,
-but forces standardization of interior node labels.
-
-Systems administrators who enter data into the domain database should
-take care to represent the data they supply to the domain system in a
-case-consistent manner if their system is case-sensitive. The data
-distribution system in the domain system will ensure that consistent
-representations are preserved.
-
-2.3.4. Size limits
-
-Various objects and parameters in the DNS have size limits. They are
-listed below. Some could be easily changed, others are more
-fundamental.
-
-labels 63 octets or less
-
-names 255 octets or less
-
-TTL positive values of a signed 32 bit number.
-
-UDP messages 512 octets or less
-
-3. DOMAIN NAME SPACE AND RR DEFINITIONS
-
-3.1. Name space definitions
-
-Domain names in messages are expressed in terms of a sequence of labels.
-Each label is represented as a one octet length field followed by that
-number of octets. Since every domain name ends with the null label of
-the root, a domain name is terminated by a length byte of zero. The
-high order two bits of every length octet must be zero, and the
-remaining six bits of the length field limit the label to 63 octets or
-less.
-
-To simplify implementations, the total length of a domain name (i.e.,
-label octets and label length octets) is restricted to 255 octets or
-less.
-
-Although labels can contain any 8 bit values in octets that make up a
-label, it is strongly recommended that labels follow the preferred
-syntax described elsewhere in this memo, which is compatible with
-existing host naming conventions. Name servers and resolvers must
-compare labels in a case-insensitive manner (i.e., A=a), assuming ASCII
-with zero parity. Non-alphabetic codes must match exactly.
-
-
-
-Mockapetris [Page 10]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-3.2. RR definitions
-
-3.2.1. Format
-
-All RRs have the same top level format shown below:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | |
- / /
- / NAME /
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TYPE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | CLASS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TTL |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | RDLENGTH |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
- / RDATA /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-
-where:
-
-NAME an owner name, i.e., the name of the node to which this
- resource record pertains.
-
-TYPE two octets containing one of the RR TYPE codes.
-
-CLASS two octets containing one of the RR CLASS codes.
-
-TTL a 32 bit signed integer that specifies the time interval
- that the resource record may be cached before the source
- of the information should again be consulted. Zero
- values are interpreted to mean that the RR can only be
- used for the transaction in progress, and should not be
- cached. For example, SOA records are always distributed
- with a zero TTL to prohibit caching. Zero values can
- also be used for extremely volatile data.
-
-RDLENGTH an unsigned 16 bit integer that specifies the length in
- octets of the RDATA field.
-
-
-
-Mockapetris [Page 11]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-RDATA a variable length string of octets that describes the
- resource. The format of this information varies
- according to the TYPE and CLASS of the resource record.
-
-3.2.2. TYPE values
-
-TYPE fields are used in resource records. Note that these types are a
-subset of QTYPEs.
-
-TYPE value and meaning
-
-A 1 a host address
-
-NS 2 an authoritative name server
-
-MD 3 a mail destination (Obsolete - use MX)
-
-MF 4 a mail forwarder (Obsolete - use MX)
-
-CNAME 5 the canonical name for an alias
-
-SOA 6 marks the start of a zone of authority
-
-MB 7 a mailbox domain name (EXPERIMENTAL)
-
-MG 8 a mail group member (EXPERIMENTAL)
-
-MR 9 a mail rename domain name (EXPERIMENTAL)
-
-NULL 10 a null RR (EXPERIMENTAL)
-
-WKS 11 a well known service description
-
-PTR 12 a domain name pointer
-
-HINFO 13 host information
-
-MINFO 14 mailbox or mail list information
-
-MX 15 mail exchange
-
-TXT 16 text strings
-
-3.2.3. QTYPE values
-
-QTYPE fields appear in the question part of a query. QTYPES are a
-superset of TYPEs, hence all TYPEs are valid QTYPEs. In addition, the
-following QTYPEs are defined:
-
-
-
-Mockapetris [Page 12]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-AXFR 252 A request for a transfer of an entire zone
-
-MAILB 253 A request for mailbox-related records (MB, MG or MR)
-
-MAILA 254 A request for mail agent RRs (Obsolete - see MX)
-
-* 255 A request for all records
-
-3.2.4. CLASS values
-
-CLASS fields appear in resource records. The following CLASS mnemonics
-and values are defined:
-
-IN 1 the Internet
-
-CS 2 the CSNET class (Obsolete - used only for examples in
- some obsolete RFCs)
-
-CH 3 the CHAOS class
-
-HS 4 Hesiod [Dyer 87]
-
-3.2.5. QCLASS values
-
-QCLASS fields appear in the question section of a query. QCLASS values
-are a superset of CLASS values; every CLASS is a valid QCLASS. In
-addition to CLASS values, the following QCLASSes are defined:
-
-* 255 any class
-
-3.3. Standard RRs
-
-The following RR definitions are expected to occur, at least
-potentially, in all classes. In particular, NS, SOA, CNAME, and PTR
-will be used in all classes, and have the same format in all classes.
-Because their RDATA format is known, all domain names in the RDATA
-section of these RRs may be compressed.
-
-<domain-name> is a domain name represented as a series of labels, and
-terminated by a label with zero length. <character-string> is a single
-length octet followed by that number of characters. <character-string>
-is treated as binary information, and can be up to 256 characters in
-length (including the length octet).
-
-
-
-
-
-
-
-
-Mockapetris [Page 13]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-3.3.1. CNAME RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / CNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-CNAME A <domain-name> which specifies the canonical or primary
- name for the owner. The owner name is an alias.
-
-CNAME RRs cause no additional section processing, but name servers may
-choose to restart the query at the canonical name in certain cases. See
-the description of name server logic in [RFC-1034] for details.
-
-3.3.2. HINFO RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / CPU /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / OS /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-CPU A <character-string> which specifies the CPU type.
-
-OS A <character-string> which specifies the operating
- system type.
-
-Standard values for CPU and OS can be found in [RFC-1010].
-
-HINFO records are used to acquire general information about a host. The
-main use is for protocols such as FTP that can use special procedures
-when talking between machines or operating systems of the same type.
-
-3.3.3. MB RDATA format (EXPERIMENTAL)
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / MADNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-MADNAME A <domain-name> which specifies a host which has the
- specified mailbox.
-
-
-
-Mockapetris [Page 14]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-MB records cause additional section processing which looks up an A type
-RRs corresponding to MADNAME.
-
-3.3.4. MD RDATA format (Obsolete)
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / MADNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-MADNAME A <domain-name> which specifies a host which has a mail
- agent for the domain which should be able to deliver
- mail for the domain.
-
-MD records cause additional section processing which looks up an A type
-record corresponding to MADNAME.
-
-MD is obsolete. See the definition of MX and [RFC-974] for details of
-the new scheme. The recommended policy for dealing with MD RRs found in
-a master file is to reject them, or to convert them to MX RRs with a
-preference of 0.
-
-3.3.5. MF RDATA format (Obsolete)
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / MADNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-MADNAME A <domain-name> which specifies a host which has a mail
- agent for the domain which will accept mail for
- forwarding to the domain.
-
-MF records cause additional section processing which looks up an A type
-record corresponding to MADNAME.
-
-MF is obsolete. See the definition of MX and [RFC-974] for details ofw
-the new scheme. The recommended policy for dealing with MD RRs found in
-a master file is to reject them, or to convert them to MX RRs with a
-preference of 10.
-
-
-
-
-
-
-
-Mockapetris [Page 15]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-3.3.6. MG RDATA format (EXPERIMENTAL)
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / MGMNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-MGMNAME A <domain-name> which specifies a mailbox which is a
- member of the mail group specified by the domain name.
-
-MG records cause no additional section processing.
-
-3.3.7. MINFO RDATA format (EXPERIMENTAL)
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / RMAILBX /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / EMAILBX /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-RMAILBX A <domain-name> which specifies a mailbox which is
- responsible for the mailing list or mailbox. If this
- domain name names the root, the owner of the MINFO RR is
- responsible for itself. Note that many existing mailing
- lists use a mailbox X-request for the RMAILBX field of
- mailing list X, e.g., Msgroup-request for Msgroup. This
- field provides a more general mechanism.
-
-
-EMAILBX A <domain-name> which specifies a mailbox which is to
- receive error messages related to the mailing list or
- mailbox specified by the owner of the MINFO RR (similar
- to the ERRORS-TO: field which has been proposed). If
- this domain name names the root, errors should be
- returned to the sender of the message.
-
-MINFO records cause no additional section processing. Although these
-records can be associated with a simple mailbox, they are usually used
-with a mailing list.
-
-
-
-
-
-
-
-
-Mockapetris [Page 16]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-3.3.8. MR RDATA format (EXPERIMENTAL)
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / NEWNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-NEWNAME A <domain-name> which specifies a mailbox which is the
- proper rename of the specified mailbox.
-
-MR records cause no additional section processing. The main use for MR
-is as a forwarding entry for a user who has moved to a different
-mailbox.
-
-3.3.9. MX RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | PREFERENCE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / EXCHANGE /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-PREFERENCE A 16 bit integer which specifies the preference given to
- this RR among others at the same owner. Lower values
- are preferred.
-
-EXCHANGE A <domain-name> which specifies a host willing to act as
- a mail exchange for the owner name.
-
-MX records cause type A additional section processing for the host
-specified by EXCHANGE. The use of MX RRs is explained in detail in
-[RFC-974].
-
-3.3.10. NULL RDATA format (EXPERIMENTAL)
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / <anything> /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-Anything at all may be in the RDATA field so long as it is 65535 octets
-or less.
-
-
-
-
-Mockapetris [Page 17]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-NULL records cause no additional section processing. NULL RRs are not
-allowed in master files. NULLs are used as placeholders in some
-experimental extensions of the DNS.
-
-3.3.11. NS RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / NSDNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-NSDNAME A <domain-name> which specifies a host which should be
- authoritative for the specified class and domain.
-
-NS records cause both the usual additional section processing to locate
-a type A record, and, when used in a referral, a special search of the
-zone in which they reside for glue information.
-
-The NS RR states that the named host should be expected to have a zone
-starting at owner name of the specified class. Note that the class may
-not indicate the protocol family which should be used to communicate
-with the host, although it is typically a strong hint. For example,
-hosts which are name servers for either Internet (IN) or Hesiod (HS)
-class information are normally queried using IN class protocols.
-
-3.3.12. PTR RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / PTRDNAME /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-PTRDNAME A <domain-name> which points to some location in the
- domain name space.
-
-PTR records cause no additional section processing. These RRs are used
-in special domains to point to some other location in the domain space.
-These records are simple data, and don't imply any special processing
-similar to that performed by CNAME, which identifies aliases. See the
-description of the IN-ADDR.ARPA domain for an example.
-
-
-
-
-
-
-
-
-Mockapetris [Page 18]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-3.3.13. SOA RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / MNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / RNAME /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | SERIAL |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | REFRESH |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | RETRY |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | EXPIRE |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | MINIMUM |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-MNAME The <domain-name> of the name server that was the
- original or primary source of data for this zone.
-
-RNAME A <domain-name> which specifies the mailbox of the
- person responsible for this zone.
-
-SERIAL The unsigned 32 bit version number of the original copy
- of the zone. Zone transfers preserve this value. This
- value wraps and should be compared using sequence space
- arithmetic.
-
-REFRESH A 32 bit time interval before the zone should be
- refreshed.
-
-RETRY A 32 bit time interval that should elapse before a
- failed refresh should be retried.
-
-EXPIRE A 32 bit time value that specifies the upper limit on
- the time interval that can elapse before the zone is no
- longer authoritative.
-
-
-
-
-
-Mockapetris [Page 19]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-MINIMUM The unsigned 32 bit minimum TTL field that should be
- exported with any RR from this zone.
-
-SOA records cause no additional section processing.
-
-All times are in units of seconds.
-
-Most of these fields are pertinent only for name server maintenance
-operations. However, MINIMUM is used in all query operations that
-retrieve RRs from a zone. Whenever a RR is sent in a response to a
-query, the TTL field is set to the maximum of the TTL field from the RR
-and the MINIMUM field in the appropriate SOA. Thus MINIMUM is a lower
-bound on the TTL field for all RRs in a zone. Note that this use of
-MINIMUM should occur when the RRs are copied into the response and not
-when the zone is loaded from a master file or via a zone transfer. The
-reason for this provison is to allow future dynamic update facilities to
-change the SOA RR with known semantics.
-
-
-3.3.14. TXT RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / TXT-DATA /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-TXT-DATA One or more <character-string>s.
-
-TXT RRs are used to hold descriptive text. The semantics of the text
-depends on the domain where it is found.
-
-3.4. Internet specific RRs
-
-3.4.1. A RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ADDRESS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-ADDRESS A 32 bit Internet address.
-
-Hosts that have multiple Internet addresses will have multiple A
-records.
-
-
-
-
-
-Mockapetris [Page 20]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-A records cause no additional section processing. The RDATA section of
-an A line in a master file is an Internet address expressed as four
-decimal numbers separated by dots without any imbedded spaces (e.g.,
-"10.2.0.52" or "192.0.5.6").
-
-3.4.2. WKS RDATA format
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ADDRESS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | PROTOCOL | |
- +--+--+--+--+--+--+--+--+ |
- | |
- / <BIT MAP> /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-ADDRESS An 32 bit Internet address
-
-PROTOCOL An 8 bit IP protocol number
-
-<BIT MAP> A variable length bit map. The bit map must be a
- multiple of 8 bits long.
-
-The WKS record is used to describe the well known services supported by
-a particular protocol on a particular internet address. The PROTOCOL
-field specifies an IP protocol number, and the bit map has one bit per
-port of the specified protocol. The first bit corresponds to port 0,
-the second to port 1, etc. If the bit map does not include a bit for a
-protocol of interest, that bit is assumed zero. The appropriate values
-and mnemonics for ports and protocols are specified in [RFC-1010].
-
-For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
-25 (SMTP). If this bit is set, a SMTP server should be listening on TCP
-port 25; if zero, SMTP service is not supported on the specified
-address.
-
-The purpose of WKS RRs is to provide availability information for
-servers for TCP and UDP. If a server supports both TCP and UDP, or has
-multiple Internet addresses, then multiple WKS RRs are used.
-
-WKS RRs cause no additional section processing.
-
-In master files, both ports and protocols are expressed using mnemonics
-or decimal numbers.
-
-
-
-
-Mockapetris [Page 21]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-3.5. IN-ADDR.ARPA domain
-
-The Internet uses a special domain to support gateway location and
-Internet address to host mapping. Other classes may employ a similar
-strategy in other domains. The intent of this domain is to provide a
-guaranteed method to perform host address to host name mapping, and to
-facilitate queries to locate all gateways on a particular network in the
-Internet.
-
-Note that both of these services are similar to functions that could be
-performed by inverse queries; the difference is that this part of the
-domain name space is structured according to address, and hence can
-guarantee that the appropriate data can be located without an exhaustive
-search of the domain space.
-
-The domain begins at IN-ADDR.ARPA and has a substructure which follows
-the Internet addressing structure.
-
-Domain names in the IN-ADDR.ARPA domain are defined to have up to four
-labels in addition to the IN-ADDR.ARPA suffix. Each label represents
-one octet of an Internet address, and is expressed as a character string
-for a decimal value in the range 0-255 (with leading zeros omitted
-except in the case of a zero octet which is represented by a single
-zero).
-
-Host addresses are represented by domain names that have all four labels
-specified. Thus data for Internet address 10.2.0.52 is located at
-domain name 52.0.2.10.IN-ADDR.ARPA. The reversal, though awkward to
-read, allows zones to be delegated which are exactly one network of
-address space. For example, 10.IN-ADDR.ARPA can be a zone containing
-data for the ARPANET, while 26.IN-ADDR.ARPA can be a separate zone for
-MILNET. Address nodes are used to hold pointers to primary host names
-in the normal domain space.
-
-Network numbers correspond to some non-terminal nodes at various depths
-in the IN-ADDR.ARPA domain, since Internet network numbers are either 1,
-2, or 3 octets. Network nodes are used to hold pointers to the primary
-host names of gateways attached to that network. Since a gateway is, by
-definition, on more than one network, it will typically have two or more
-network nodes which point at it. Gateways will also have host level
-pointers at their fully qualified addresses.
-
-Both the gateway pointers at network nodes and the normal host pointers
-at full address nodes use the PTR RR to point back to the primary domain
-names of the corresponding hosts.
-
-For example, the IN-ADDR.ARPA domain will contain information about the
-ISI gateway between net 10 and 26, an MIT gateway from net 10 to MIT's
-
-
-
-Mockapetris [Page 22]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-net 18, and hosts A.ISI.EDU and MULTICS.MIT.EDU. Assuming that ISI
-gateway has addresses 10.2.0.22 and 26.0.0.103, and a name MILNET-
-GW.ISI.EDU, and the MIT gateway has addresses 10.0.0.77 and 18.10.0.4
-and a name GW.LCS.MIT.EDU, the domain database would contain:
-
- 10.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
- 10.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
- 18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
- 26.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
- 22.0.2.10.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
- 103.0.0.26.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
- 77.0.0.10.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
- 4.0.10.18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
- 103.0.3.26.IN-ADDR.ARPA. PTR A.ISI.EDU.
- 6.0.0.10.IN-ADDR.ARPA. PTR MULTICS.MIT.EDU.
-
-Thus a program which wanted to locate gateways on net 10 would originate
-a query of the form QTYPE=PTR, QCLASS=IN, QNAME=10.IN-ADDR.ARPA. It
-would receive two RRs in response:
-
- 10.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
- 10.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
-
-The program could then originate QTYPE=A, QCLASS=IN queries for MILNET-
-GW.ISI.EDU. and GW.LCS.MIT.EDU. to discover the Internet addresses of
-these gateways.
-
-A resolver which wanted to find the host name corresponding to Internet
-host address 10.0.0.6 would pursue a query of the form QTYPE=PTR,
-QCLASS=IN, QNAME=6.0.0.10.IN-ADDR.ARPA, and would receive:
-
- 6.0.0.10.IN-ADDR.ARPA. PTR MULTICS.MIT.EDU.
-
-Several cautions apply to the use of these services:
- - Since the IN-ADDR.ARPA special domain and the normal domain
- for a particular host or gateway will be in different zones,
- the possibility exists that that the data may be inconsistent.
-
- - Gateways will often have two names in separate domains, only
- one of which can be primary.
-
- - Systems that use the domain database to initialize their
- routing tables must start with enough gateway information to
- guarantee that they can access the appropriate name server.
-
- - The gateway data only reflects the existence of a gateway in a
- manner equivalent to the current HOSTS.TXT file. It doesn't
- replace the dynamic availability information from GGP or EGP.
-
-
-
-Mockapetris [Page 23]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-3.6. Defining new types, classes, and special namespaces
-
-The previously defined types and classes are the ones in use as of the
-date of this memo. New definitions should be expected. This section
-makes some recommendations to designers considering additions to the
-existing facilities. The mailing list NAMEDROPPERS@SRI-NIC.ARPA is the
-forum where general discussion of design issues takes place.
-
-In general, a new type is appropriate when new information is to be
-added to the database about an existing object, or we need new data
-formats for some totally new object. Designers should attempt to define
-types and their RDATA formats that are generally applicable to all
-classes, and which avoid duplication of information. New classes are
-appropriate when the DNS is to be used for a new protocol, etc which
-requires new class-specific data formats, or when a copy of the existing
-name space is desired, but a separate management domain is necessary.
-
-New types and classes need mnemonics for master files; the format of the
-master files requires that the mnemonics for type and class be disjoint.
-
-TYPE and CLASS values must be a proper subset of QTYPEs and QCLASSes
-respectively.
-
-The present system uses multiple RRs to represent multiple values of a
-type rather than storing multiple values in the RDATA section of a
-single RR. This is less efficient for most applications, but does keep
-RRs shorter. The multiple RRs assumption is incorporated in some
-experimental work on dynamic update methods.
-
-The present system attempts to minimize the duplication of data in the
-database in order to insure consistency. Thus, in order to find the
-address of the host for a mail exchange, you map the mail domain name to
-a host name, then the host name to addresses, rather than a direct
-mapping to host address. This approach is preferred because it avoids
-the opportunity for inconsistency.
-
-In defining a new type of data, multiple RR types should not be used to
-create an ordering between entries or express different formats for
-equivalent bindings, instead this information should be carried in the
-body of the RR and a single type used. This policy avoids problems with
-caching multiple types and defining QTYPEs to match multiple types.
-
-For example, the original form of mail exchange binding used two RR
-types one to represent a "closer" exchange (MD) and one to represent a
-"less close" exchange (MF). The difficulty is that the presence of one
-RR type in a cache doesn't convey any information about the other
-because the query which acquired the cached information might have used
-a QTYPE of MF, MD, or MAILA (which matched both). The redesigned
-
-
-
-Mockapetris [Page 24]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-service used a single type (MX) with a "preference" value in the RDATA
-section which can order different RRs. However, if any MX RRs are found
-in the cache, then all should be there.
-
-4. MESSAGES
-
-4.1. Format
-
-All communications inside of the domain protocol are carried in a single
-format called a message. The top level format of message is divided
-into 5 sections (some of which are empty in certain cases) shown below:
-
- +---------------------+
- | Header |
- +---------------------+
- | Question | the question for the name server
- +---------------------+
- | Answer | RRs answering the question
- +---------------------+
- | Authority | RRs pointing toward an authority
- +---------------------+
- | Additional | RRs holding additional information
- +---------------------+
-
-The header section is always present. The header includes fields that
-specify which of the remaining sections are present, and also specify
-whether the message is a query or a response, a standard query or some
-other opcode, etc.
-
-The names of the sections after the header are derived from their use in
-standard queries. The question section contains fields that describe a
-question to a name server. These fields are a query type (QTYPE), a
-query class (QCLASS), and a query domain name (QNAME). The last three
-sections have the same format: a possibly empty list of concatenated
-resource records (RRs). The answer section contains RRs that answer the
-question; the authority section contains RRs that point toward an
-authoritative name server; the additional records section contains RRs
-which relate to the query, but are not strictly answers for the
-question.
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 25]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-4.1.1. Header section format
-
-The header contains the following fields:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ID |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- |QR| Opcode |AA|TC|RD|RA| Z | RCODE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QDCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ANCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | NSCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ARCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-ID A 16 bit identifier assigned by the program that
- generates any kind of query. This identifier is copied
- the corresponding reply and can be used by the requester
- to match up replies to outstanding queries.
-
-QR A one bit field that specifies whether this message is a
- query (0), or a response (1).
-
-OPCODE A four bit field that specifies kind of query in this
- message. This value is set by the originator of a query
- and copied into the response. The values are:
-
- 0 a standard query (QUERY)
-
- 1 an inverse query (IQUERY)
-
- 2 a server status request (STATUS)
-
- 3-15 reserved for future use
-
-AA Authoritative Answer - this bit is valid in responses,
- and specifies that the responding name server is an
- authority for the domain name in question section.
-
- Note that the contents of the answer section may have
- multiple owner names because of aliases. The AA bit
-
-
-
-Mockapetris [Page 26]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- corresponds to the name which matches the query name, or
- the first owner name in the answer section.
-
-TC TrunCation - specifies that this message was truncated
- due to length greater than that permitted on the
- transmission channel.
-
-RD Recursion Desired - this bit may be set in a query and
- is copied into the response. If RD is set, it directs
- the name server to pursue the query recursively.
- Recursive query support is optional.
-
-RA Recursion Available - this be is set or cleared in a
- response, and denotes whether recursive query support is
- available in the name server.
-
-Z Reserved for future use. Must be zero in all queries
- and responses.
-
-RCODE Response code - this 4 bit field is set as part of
- responses. The values have the following
- interpretation:
-
- 0 No error condition
-
- 1 Format error - The name server was
- unable to interpret the query.
-
- 2 Server failure - The name server was
- unable to process this query due to a
- problem with the name server.
-
- 3 Name Error - Meaningful only for
- responses from an authoritative name
- server, this code signifies that the
- domain name referenced in the query does
- not exist.
-
- 4 Not Implemented - The name server does
- not support the requested kind of query.
-
- 5 Refused - The name server refuses to
- perform the specified operation for
- policy reasons. For example, a name
- server may not wish to provide the
- information to the particular requester,
- or a name server may not wish to perform
- a particular operation (e.g., zone
-
-
-
-Mockapetris [Page 27]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- transfer) for particular data.
-
- 6-15 Reserved for future use.
-
-QDCOUNT an unsigned 16 bit integer specifying the number of
- entries in the question section.
-
-ANCOUNT an unsigned 16 bit integer specifying the number of
- resource records in the answer section.
-
-NSCOUNT an unsigned 16 bit integer specifying the number of name
- server resource records in the authority records
- section.
-
-ARCOUNT an unsigned 16 bit integer specifying the number of
- resource records in the additional records section.
-
-4.1.2. Question section format
-
-The question section is used to carry the "question" in most queries,
-i.e., the parameters that define what is being asked. The section
-contains QDCOUNT (usually 1) entries, each of the following format:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | |
- / QNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QTYPE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QCLASS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-QNAME a domain name represented as a sequence of labels, where
- each label consists of a length octet followed by that
- number of octets. The domain name terminates with the
- zero length octet for the null label of the root. Note
- that this field may be an odd number of octets; no
- padding is used.
-
-QTYPE a two octet code which specifies the type of the query.
- The values for this field include all codes valid for a
- TYPE field, together with some more general codes which
- can match more than one type of RR.
-
-
-
-Mockapetris [Page 28]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-QCLASS a two octet code that specifies the class of the query.
- For example, the QCLASS field is IN for the Internet.
-
-4.1.3. Resource record format
-
-The answer, authority, and additional sections all share the same
-format: a variable number of resource records, where the number of
-records is specified in the corresponding count field in the header.
-Each resource record has the following format:
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | |
- / /
- / NAME /
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TYPE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | CLASS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TTL |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | RDLENGTH |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
- / RDATA /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-where:
-
-NAME a domain name to which this resource record pertains.
-
-TYPE two octets containing one of the RR type codes. This
- field specifies the meaning of the data in the RDATA
- field.
-
-CLASS two octets which specify the class of the data in the
- RDATA field.
-
-TTL a 32 bit unsigned integer that specifies the time
- interval (in seconds) that the resource record may be
- cached before it should be discarded. Zero values are
- interpreted to mean that the RR can only be used for the
- transaction in progress, and should not be cached.
-
-
-
-
-
-Mockapetris [Page 29]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-RDLENGTH an unsigned 16 bit integer that specifies the length in
- octets of the RDATA field.
-
-RDATA a variable length string of octets that describes the
- resource. The format of this information varies
- according to the TYPE and CLASS of the resource record.
- For example, the if the TYPE is A and the CLASS is IN,
- the RDATA field is a 4 octet ARPA Internet address.
-
-4.1.4. Message compression
-
-In order to reduce the size of messages, the domain system utilizes a
-compression scheme which eliminates the repetition of domain names in a
-message. In this scheme, an entire domain name or a list of labels at
-the end of a domain name is replaced with a pointer to a prior occurance
-of the same name.
-
-The pointer takes the form of a two octet sequence:
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | 1 1| OFFSET |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-The first two bits are ones. This allows a pointer to be distinguished
-from a label, since the label must begin with two zero bits because
-labels are restricted to 63 octets or less. (The 10 and 01 combinations
-are reserved for future use.) The OFFSET field specifies an offset from
-the start of the message (i.e., the first octet of the ID field in the
-domain header). A zero offset specifies the first byte of the ID field,
-etc.
-
-The compression scheme allows a domain name in a message to be
-represented as either:
-
- - a sequence of labels ending in a zero octet
-
- - a pointer
-
- - a sequence of labels ending with a pointer
-
-Pointers can only be used for occurances of a domain name where the
-format is not class specific. If this were not the case, a name server
-or resolver would be required to know the format of all RRs it handled.
-As yet, there are no such cases, but they may occur in future RDATA
-formats.
-
-If a domain name is contained in a part of the message subject to a
-length field (such as the RDATA section of an RR), and compression is
-
-
-
-Mockapetris [Page 30]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-used, the length of the compressed name is used in the length
-calculation, rather than the length of the expanded name.
-
-Programs are free to avoid using pointers in messages they generate,
-although this will reduce datagram capacity, and may cause truncation.
-However all programs are required to understand arriving messages that
-contain pointers.
-
-For example, a datagram might need to use the domain names F.ISI.ARPA,
-FOO.F.ISI.ARPA, ARPA, and the root. Ignoring the other fields of the
-message, these domain names might be represented as:
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 20 | 1 | F |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 22 | 3 | I |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 24 | S | I |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 26 | 4 | A |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 28 | R | P |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 30 | A | 0 |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 40 | 3 | F |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 42 | O | O |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 44 | 1 1| 20 |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 64 | 1 1| 26 |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 92 | 0 | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-The domain name for F.ISI.ARPA is shown at offset 20. The domain name
-FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to
-concatenate a label for FOO to the previously defined F.ISI.ARPA. The
-domain name ARPA is defined at offset 64 using a pointer to the ARPA
-component of the name F.ISI.ARPA at 20; note that this pointer relies on
-ARPA being the last label in the string at 20. The root domain name is
-
-
-
-Mockapetris [Page 31]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-defined by a single octet of zeros at 92; the root domain name has no
-labels.
-
-4.2. Transport
-
-The DNS assumes that messages will be transmitted as datagrams or in a
-byte stream carried by a virtual circuit. While virtual circuits can be
-used for any DNS activity, datagrams are preferred for queries due to
-their lower overhead and better performance. Zone refresh activities
-must use virtual circuits because of the need for reliable transfer.
-
-The Internet supports name server access using TCP [RFC-793] on server
-port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
-port 53 (decimal).
-
-4.2.1. UDP usage
-
-Messages sent using UDP user server port 53 (decimal).
-
-Messages carried by UDP are restricted to 512 bytes (not counting the IP
-or UDP headers). Longer messages are truncated and the TC bit is set in
-the header.
-
-UDP is not acceptable for zone transfers, but is the recommended method
-for standard queries in the Internet. Queries sent using UDP may be
-lost, and hence a retransmission strategy is required. Queries or their
-responses may be reordered by the network, or by processing in name
-servers, so resolvers should not depend on them being returned in order.
-
-The optimal UDP retransmission policy will vary with performance of the
-Internet and the needs of the client, but the following are recommended:
-
- - The client should try other servers and server addresses
- before repeating a query to a specific address of a server.
-
- - The retransmission interval should be based on prior
- statistics if possible. Too aggressive retransmission can
- easily slow responses for the community at large. Depending
- on how well connected the client is to its expected servers,
- the minimum retransmission interval should be 2-5 seconds.
-
-More suggestions on server selection and retransmission policy can be
-found in the resolver section of this memo.
-
-4.2.2. TCP usage
-
-Messages sent over TCP connections use server port 53 (decimal). The
-message is prefixed with a two byte length field which gives the message
-
-
-
-Mockapetris [Page 32]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-length, excluding the two byte length field. This length field allows
-the low-level processing to assemble a complete message before beginning
-to parse it.
-
-Several connection management policies are recommended:
-
- - The server should not block other activities waiting for TCP
- data.
-
- - The server should support multiple connections.
-
- - The server should assume that the client will initiate
- connection closing, and should delay closing its end of the
- connection until all outstanding client requests have been
- satisfied.
-
- - If the server needs to close a dormant connection to reclaim
- resources, it should wait until the connection has been idle
- for a period on the order of two minutes. In particular, the
- server should allow the SOA and AXFR request sequence (which
- begins a refresh operation) to be made on a single connection.
- Since the server would be unable to answer queries anyway, a
- unilateral close or reset may be used instead of a graceful
- close.
-
-5. MASTER FILES
-
-Master files are text files that contain RRs in text form. Since the
-contents of a zone can be expressed in the form of a list of RRs a
-master file is most often used to define a zone, though it can be used
-to list a cache's contents. Hence, this section first discusses the
-format of RRs in a master file, and then the special considerations when
-a master file is used to create a zone in some name server.
-
-5.1. Format
-
-The format of these files is a sequence of entries. Entries are
-predominantly line-oriented, though parentheses can be used to continue
-a list of items across a line boundary, and text literals can contain
-CRLF within the text. Any combination of tabs and spaces act as a
-delimiter between the separate items that make up an entry. The end of
-any line in the master file can end with a comment. The comment starts
-with a ";" (semicolon).
-
-The following entries are defined:
-
- <blank>[<comment>]
-
-
-
-
-Mockapetris [Page 33]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- $ORIGIN <domain-name> [<comment>]
-
- $INCLUDE <file-name> [<domain-name>] [<comment>]
-
- <domain-name><rr> [<comment>]
-
- <blank><rr> [<comment>]
-
-Blank lines, with or without comments, are allowed anywhere in the file.
-
-Two control entries are defined: $ORIGIN and $INCLUDE. $ORIGIN is
-followed by a domain name, and resets the current origin for relative
-domain names to the stated name. $INCLUDE inserts the named file into
-the current file, and may optionally specify a domain name that sets the
-relative domain name origin for the included file. $INCLUDE may also
-have a comment. Note that a $INCLUDE entry never changes the relative
-origin of the parent file, regardless of changes to the relative origin
-made within the included file.
-
-The last two forms represent RRs. If an entry for an RR begins with a
-blank, then the RR is assumed to be owned by the last stated owner. If
-an RR entry begins with a <domain-name>, then the owner name is reset.
-
-<rr> contents take one of the following forms:
-
- [<TTL>] [<class>] <type> <RDATA>
-
- [<class>] [<TTL>] <type> <RDATA>
-
-The RR begins with optional TTL and class fields, followed by a type and
-RDATA field appropriate to the type and class. Class and type use the
-standard mnemonics, TTL is a decimal integer. Omitted class and TTL
-values are default to the last explicitly stated values. Since type and
-class mnemonics are disjoint, the parse is unique. (Note that this
-order is different from the order used in examples and the order used in
-the actual RRs; the given order allows easier parsing and defaulting.)
-
-<domain-name>s make up a large share of the data in the master file.
-The labels in the domain name are expressed as character strings and
-separated by dots. Quoting conventions allow arbitrary characters to be
-stored in domain names. Domain names that end in a dot are called
-absolute, and are taken as complete. Domain names which do not end in a
-dot are called relative; the actual domain name is the concatenation of
-the relative part with an origin specified in a $ORIGIN, $INCLUDE, or as
-an argument to the master file loading routine. A relative name is an
-error when no origin is available.
-
-
-
-
-
-Mockapetris [Page 34]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-<character-string> is expressed in one or two ways: as a contiguous set
-of characters without interior spaces, or as a string beginning with a "
-and ending with a ". Inside a " delimited string any character can
-occur, except for a " itself, which must be quoted using \ (back slash).
-
-Because these files are text files several special encodings are
-necessary to allow arbitrary data to be loaded. In particular:
-
- of the root.
-
-@ A free standing @ is used to denote the current origin.
-
-\X where X is any character other than a digit (0-9), is
- used to quote that character so that its special meaning
- does not apply. For example, "\." can be used to place
- a dot character in a label.
-
-\DDD where each D is a digit is the octet corresponding to
- the decimal number described by DDD. The resulting
- octet is assumed to be text and is not checked for
- special meaning.
-
-( ) Parentheses are used to group data that crosses a line
- boundary. In effect, line terminations are not
- recognized within parentheses.
-
-; Semicolon is used to start a comment; the remainder of
- the line is ignored.
-
-5.2. Use of master files to define zones
-
-When a master file is used to load a zone, the operation should be
-suppressed if any errors are encountered in the master file. The
-rationale for this is that a single error can have widespread
-consequences. For example, suppose that the RRs defining a delegation
-have syntax errors; then the server will return authoritative name
-errors for all names in the subzone (except in the case where the
-subzone is also present on the server).
-
-Several other validity checks that should be performed in addition to
-insuring that the file is syntactically correct:
-
- 1. All RRs in the file should have the same class.
-
- 2. Exactly one SOA RR should be present at the top of the zone.
-
- 3. If delegations are present and glue information is required,
- it should be present.
-
-
-
-Mockapetris [Page 35]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- 4. Information present outside of the authoritative nodes in the
- zone should be glue information, rather than the result of an
- origin or similar error.
-
-5.3. Master file example
-
-The following is an example file which might be used to define the
-ISI.EDU zone.and is loaded with an origin of ISI.EDU:
-
-@ IN SOA VENERA Action\.domains (
- 20 ; SERIAL
- 7200 ; REFRESH
- 600 ; RETRY
- 3600000; EXPIRE
- 60) ; MINIMUM
-
- NS A.ISI.EDU.
- NS VENERA
- NS VAXA
- MX 10 VENERA
- MX 20 VAXA
-
-A A 26.3.0.103
-
-VENERA A 10.1.0.52
- A 128.9.0.32
-
-VAXA A 10.2.0.27
- A 128.9.0.33
-
-
-$INCLUDE <SUBSYS>ISI-MAILBOXES.TXT
-
-Where the file <SUBSYS>ISI-MAILBOXES.TXT is:
-
- MOE MB A.ISI.EDU.
- LARRY MB A.ISI.EDU.
- CURLEY MB A.ISI.EDU.
- STOOGES MG MOE
- MG LARRY
- MG CURLEY
-
-Note the use of the \ character in the SOA RR to specify the responsible
-person mailbox "Action.domains@E.ISI.EDU".
-
-
-
-
-
-
-
-Mockapetris [Page 36]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-6. NAME SERVER IMPLEMENTATION
-
-6.1. Architecture
-
-The optimal structure for the name server will depend on the host
-operating system and whether the name server is integrated with resolver
-operations, either by supporting recursive service, or by sharing its
-database with a resolver. This section discusses implementation
-considerations for a name server which shares a database with a
-resolver, but most of these concerns are present in any name server.
-
-6.1.1. Control
-
-A name server must employ multiple concurrent activities, whether they
-are implemented as separate tasks in the host's OS or multiplexing
-inside a single name server program. It is simply not acceptable for a
-name server to block the service of UDP requests while it waits for TCP
-data for refreshing or query activities. Similarly, a name server
-should not attempt to provide recursive service without processing such
-requests in parallel, though it may choose to serialize requests from a
-single client, or to regard identical requests from the same client as
-duplicates. A name server should not substantially delay requests while
-it reloads a zone from master files or while it incorporates a newly
-refreshed zone into its database.
-
-6.1.2. Database
-
-While name server implementations are free to use any internal data
-structures they choose, the suggested structure consists of three major
-parts:
-
- - A "catalog" data structure which lists the zones available to
- this server, and a "pointer" to the zone data structure. The
- main purpose of this structure is to find the nearest ancestor
- zone, if any, for arriving standard queries.
-
- - Separate data structures for each of the zones held by the
- name server.
-
- - A data structure for cached data. (or perhaps separate caches
- for different classes)
-
-All of these data structures can be implemented an identical tree
-structure format, with different data chained off the nodes in different
-parts: in the catalog the data is pointers to zones, while in the zone
-and cache data structures, the data will be RRs. In designing the tree
-framework the designer should recognize that query processing will need
-to traverse the tree using case-insensitive label comparisons; and that
-
-
-
-Mockapetris [Page 37]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-in real data, a few nodes have a very high branching factor (100-1000 or
-more), but the vast majority have a very low branching factor (0-1).
-
-One way to solve the case problem is to store the labels for each node
-in two pieces: a standardized-case representation of the label where all
-ASCII characters are in a single case, together with a bit mask that
-denotes which characters are actually of a different case. The
-branching factor diversity can be handled using a simple linked list for
-a node until the branching factor exceeds some threshold, and
-transitioning to a hash structure after the threshold is exceeded. In
-any case, hash structures used to store tree sections must insure that
-hash functions and procedures preserve the casing conventions of the
-DNS.
-
-The use of separate structures for the different parts of the database
-is motivated by several factors:
-
- - The catalog structure can be an almost static structure that
- need change only when the system administrator changes the
- zones supported by the server. This structure can also be
- used to store parameters used to control refreshing
- activities.
-
- - The individual data structures for zones allow a zone to be
- replaced simply by changing a pointer in the catalog. Zone
- refresh operations can build a new structure and, when
- complete, splice it into the database via a simple pointer
- replacement. It is very important that when a zone is
- refreshed, queries should not use old and new data
- simultaneously.
-
- - With the proper search procedures, authoritative data in zones
- will always "hide", and hence take precedence over, cached
- data.
-
- - Errors in zone definitions that cause overlapping zones, etc.,
- may cause erroneous responses to queries, but problem
- determination is simplified, and the contents of one "bad"
- zone can't corrupt another.
-
- - Since the cache is most frequently updated, it is most
- vulnerable to corruption during system restarts. It can also
- become full of expired RR data. In either case, it can easily
- be discarded without disturbing zone data.
-
-A major aspect of database design is selecting a structure which allows
-the name server to deal with crashes of the name server's host. State
-information which a name server should save across system crashes
-
-
-
-Mockapetris [Page 38]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-includes the catalog structure (including the state of refreshing for
-each zone) and the zone data itself.
-
-6.1.3. Time
-
-Both the TTL data for RRs and the timing data for refreshing activities
-depends on 32 bit timers in units of seconds. Inside the database,
-refresh timers and TTLs for cached data conceptually "count down", while
-data in the zone stays with constant TTLs.
-
-A recommended implementation strategy is to store time in two ways: as
-a relative increment and as an absolute time. One way to do this is to
-use positive 32 bit numbers for one type and negative numbers for the
-other. The RRs in zones use relative times; the refresh timers and
-cache data use absolute times. Absolute numbers are taken with respect
-to some known origin and converted to relative values when placed in the
-response to a query. When an absolute TTL is negative after conversion
-to relative, then the data is expired and should be ignored.
-
-6.2. Standard query processing
-
-The major algorithm for standard query processing is presented in
-[RFC-1034].
-
-When processing queries with QCLASS=*, or some other QCLASS which
-matches multiple classes, the response should never be authoritative
-unless the server can guarantee that the response covers all classes.
-
-When composing a response, RRs which are to be inserted in the
-additional section, but duplicate RRs in the answer or authority
-sections, may be omitted from the additional section.
-
-When a response is so long that truncation is required, the truncation
-should start at the end of the response and work forward in the
-datagram. Thus if there is any data for the authority section, the
-answer section is guaranteed to be unique.
-
-The MINIMUM value in the SOA should be used to set a floor on the TTL of
-data distributed from a zone. This floor function should be done when
-the data is copied into a response. This will allow future dynamic
-update protocols to change the SOA MINIMUM field without ambiguous
-semantics.
-
-6.3. Zone refresh and reload processing
-
-In spite of a server's best efforts, it may be unable to load zone data
-from a master file due to syntax errors, etc., or be unable to refresh a
-zone within the its expiration parameter. In this case, the name server
-
-
-
-Mockapetris [Page 39]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-should answer queries as if it were not supposed to possess the zone.
-
-If a master is sending a zone out via AXFR, and a new version is created
-during the transfer, the master should continue to send the old version
-if possible. In any case, it should never send part of one version and
-part of another. If completion is not possible, the master should reset
-the connection on which the zone transfer is taking place.
-
-6.4. Inverse queries (Optional)
-
-Inverse queries are an optional part of the DNS. Name servers are not
-required to support any form of inverse queries. If a name server
-receives an inverse query that it does not support, it returns an error
-response with the "Not Implemented" error set in the header. While
-inverse query support is optional, all name servers must be at least
-able to return the error response.
-
-6.4.1. The contents of inverse queries and responses Inverse
-queries reverse the mappings performed by standard query operations;
-while a standard query maps a domain name to a resource, an inverse
-query maps a resource to a domain name. For example, a standard query
-might bind a domain name to a host address; the corresponding inverse
-query binds the host address to a domain name.
-
-Inverse queries take the form of a single RR in the answer section of
-the message, with an empty question section. The owner name of the
-query RR and its TTL are not significant. The response carries
-questions in the question section which identify all names possessing
-the query RR WHICH THE NAME SERVER KNOWS. Since no name server knows
-about all of the domain name space, the response can never be assumed to
-be complete. Thus inverse queries are primarily useful for database
-management and debugging activities. Inverse queries are NOT an
-acceptable method of mapping host addresses to host names; use the IN-
-ADDR.ARPA domain instead.
-
-Where possible, name servers should provide case-insensitive comparisons
-for inverse queries. Thus an inverse query asking for an MX RR of
-"Venera.isi.edu" should get the same response as a query for
-"VENERA.ISI.EDU"; an inverse query for HINFO RR "IBM-PC UNIX" should
-produce the same result as an inverse query for "IBM-pc unix". However,
-this cannot be guaranteed because name servers may possess RRs that
-contain character strings but the name server does not know that the
-data is character.
-
-When a name server processes an inverse query, it either returns:
-
- 1. zero, one, or multiple domain names for the specified
- resource as QNAMEs in the question section
-
-
-
-Mockapetris [Page 40]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- 2. an error code indicating that the name server doesn't support
- inverse mapping of the specified resource type.
-
-When the response to an inverse query contains one or more QNAMEs, the
-owner name and TTL of the RR in the answer section which defines the
-inverse query is modified to exactly match an RR found at the first
-QNAME.
-
-RRs returned in the inverse queries cannot be cached using the same
-mechanism as is used for the replies to standard queries. One reason
-for this is that a name might have multiple RRs of the same type, and
-only one would appear. For example, an inverse query for a single
-address of a multiply homed host might create the impression that only
-one address existed.
-
-6.4.2. Inverse query and response example The overall structure
-of an inverse query for retrieving the domain name that corresponds to
-Internet address 10.1.0.52 is shown below:
-
- +-----------------------------------------+
- Header | OPCODE=IQUERY, ID=997 |
- +-----------------------------------------+
- Question | <empty> |
- +-----------------------------------------+
- Answer | <anyname> A IN 10.1.0.52 |
- +-----------------------------------------+
- Authority | <empty> |
- +-----------------------------------------+
- Additional | <empty> |
- +-----------------------------------------+
-
-This query asks for a question whose answer is the Internet style
-address 10.1.0.52. Since the owner name is not known, any domain name
-can be used as a placeholder (and is ignored). A single octet of zero,
-signifying the root, is usually used because it minimizes the length of
-the message. The TTL of the RR is not significant. The response to
-this query might be:
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 41]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- +-----------------------------------------+
- Header | OPCODE=RESPONSE, ID=997 |
- +-----------------------------------------+
- Question |QTYPE=A, QCLASS=IN, QNAME=VENERA.ISI.EDU |
- +-----------------------------------------+
- Answer | VENERA.ISI.EDU A IN 10.1.0.52 |
- +-----------------------------------------+
- Authority | <empty> |
- +-----------------------------------------+
- Additional | <empty> |
- +-----------------------------------------+
-
-Note that the QTYPE in a response to an inverse query is the same as the
-TYPE field in the answer section of the inverse query. Responses to
-inverse queries may contain multiple questions when the inverse is not
-unique. If the question section in the response is not empty, then the
-RR in the answer section is modified to correspond to be an exact copy
-of an RR at the first QNAME.
-
-6.4.3. Inverse query processing
-
-Name servers that support inverse queries can support these operations
-through exhaustive searches of their databases, but this becomes
-impractical as the size of the database increases. An alternative
-approach is to invert the database according to the search key.
-
-For name servers that support multiple zones and a large amount of data,
-the recommended approach is separate inversions for each zone. When a
-particular zone is changed during a refresh, only its inversions need to
-be redone.
-
-Support for transfer of this type of inversion may be included in future
-versions of the domain system, but is not supported in this version.
-
-6.5. Completion queries and responses
-
-The optional completion services described in RFC-882 and RFC-883 have
-been deleted. Redesigned services may become available in the future.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 42]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-7. RESOLVER IMPLEMENTATION
-
-The top levels of the recommended resolver algorithm are discussed in
-[RFC-1034]. This section discusses implementation details assuming the
-database structure suggested in the name server implementation section
-of this memo.
-
-7.1. Transforming a user request into a query
-
-The first step a resolver takes is to transform the client's request,
-stated in a format suitable to the local OS, into a search specification
-for RRs at a specific name which match a specific QTYPE and QCLASS.
-Where possible, the QTYPE and QCLASS should correspond to a single type
-and a single class, because this makes the use of cached data much
-simpler. The reason for this is that the presence of data of one type
-in a cache doesn't confirm the existence or non-existence of data of
-other types, hence the only way to be sure is to consult an
-authoritative source. If QCLASS=* is used, then authoritative answers
-won't be available.
-
-Since a resolver must be able to multiplex multiple requests if it is to
-perform its function efficiently, each pending request is usually
-represented in some block of state information. This state block will
-typically contain:
-
- - A timestamp indicating the time the request began.
- The timestamp is used to decide whether RRs in the database
- can be used or are out of date. This timestamp uses the
- absolute time format previously discussed for RR storage in
- zones and caches. Note that when an RRs TTL indicates a
- relative time, the RR must be timely, since it is part of a
- zone. When the RR has an absolute time, it is part of a
- cache, and the TTL of the RR is compared against the timestamp
- for the start of the request.
-
- Note that using the timestamp is superior to using a current
- time, since it allows RRs with TTLs of zero to be entered in
- the cache in the usual manner, but still used by the current
- request, even after intervals of many seconds due to system
- load, query retransmission timeouts, etc.
-
- - Some sort of parameters to limit the amount of work which will
- be performed for this request.
-
- The amount of work which a resolver will do in response to a
- client request must be limited to guard against errors in the
- database, such as circular CNAME references, and operational
- problems, such as network partition which prevents the
-
-
-
-Mockapetris [Page 43]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- resolver from accessing the name servers it needs. While
- local limits on the number of times a resolver will retransmit
- a particular query to a particular name server address are
- essential, the resolver should have a global per-request
- counter to limit work on a single request. The counter should
- be set to some initial value and decremented whenever the
- resolver performs any action (retransmission timeout,
- retransmission, etc.) If the counter passes zero, the request
- is terminated with a temporary error.
-
- Note that if the resolver structure allows one request to
- start others in parallel, such as when the need to access a
- name server for one request causes a parallel resolve for the
- name server's addresses, the spawned request should be started
- with a lower counter. This prevents circular references in
- the database from starting a chain reaction of resolver
- activity.
-
- - The SLIST data structure discussed in [RFC-1034].
-
- This structure keeps track of the state of a request if it
- must wait for answers from foreign name servers.
-
-7.2. Sending the queries
-
-As described in [RFC-1034], the basic task of the resolver is to
-formulate a query which will answer the client's request and direct that
-query to name servers which can provide the information. The resolver
-will usually only have very strong hints about which servers to ask, in
-the form of NS RRs, and may have to revise the query, in response to
-CNAMEs, or revise the set of name servers the resolver is asking, in
-response to delegation responses which point the resolver to name
-servers closer to the desired information. In addition to the
-information requested by the client, the resolver may have to call upon
-its own services to determine the address of name servers it wishes to
-contact.
-
-In any case, the model used in this memo assumes that the resolver is
-multiplexing attention between multiple requests, some from the client,
-and some internally generated. Each request is represented by some
-state information, and the desired behavior is that the resolver
-transmit queries to name servers in a way that maximizes the probability
-that the request is answered, minimizes the time that the request takes,
-and avoids excessive transmissions. The key algorithm uses the state
-information of the request to select the next name server address to
-query, and also computes a timeout which will cause the next action
-should a response not arrive. The next action will usually be a
-transmission to some other server, but may be a temporary error to the
-
-
-
-Mockapetris [Page 44]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-client.
-
-The resolver always starts with a list of server names to query (SLIST).
-This list will be all NS RRs which correspond to the nearest ancestor
-zone that the resolver knows about. To avoid startup problems, the
-resolver should have a set of default servers which it will ask should
-it have no current NS RRs which are appropriate. The resolver then adds
-to SLIST all of the known addresses for the name servers, and may start
-parallel requests to acquire the addresses of the servers when the
-resolver has the name, but no addresses, for the name servers.
-
-To complete initialization of SLIST, the resolver attaches whatever
-history information it has to the each address in SLIST. This will
-usually consist of some sort of weighted averages for the response time
-of the address, and the batting average of the address (i.e., how often
-the address responded at all to the request). Note that this
-information should be kept on a per address basis, rather than on a per
-name server basis, because the response time and batting average of a
-particular server may vary considerably from address to address. Note
-also that this information is actually specific to a resolver address /
-server address pair, so a resolver with multiple addresses may wish to
-keep separate histories for each of its addresses. Part of this step
-must deal with addresses which have no such history; in this case an
-expected round trip time of 5-10 seconds should be the worst case, with
-lower estimates for the same local network, etc.
-
-Note that whenever a delegation is followed, the resolver algorithm
-reinitializes SLIST.
-
-The information establishes a partial ranking of the available name
-server addresses. Each time an address is chosen and the state should
-be altered to prevent its selection again until all other addresses have
-been tried. The timeout for each transmission should be 50-100% greater
-than the average predicted value to allow for variance in response.
-
-Some fine points:
-
- - The resolver may encounter a situation where no addresses are
- available for any of the name servers named in SLIST, and
- where the servers in the list are precisely those which would
- normally be used to look up their own addresses. This
- situation typically occurs when the glue address RRs have a
- smaller TTL than the NS RRs marking delegation, or when the
- resolver caches the result of a NS search. The resolver
- should detect this condition and restart the search at the
- next ancestor zone, or alternatively at the root.
-
-
-
-
-
-Mockapetris [Page 45]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- - If a resolver gets a server error or other bizarre response
- from a name server, it should remove it from SLIST, and may
- wish to schedule an immediate transmission to the next
- candidate server address.
-
-7.3. Processing responses
-
-The first step in processing arriving response datagrams is to parse the
-response. This procedure should include:
-
- - Check the header for reasonableness. Discard datagrams which
- are queries when responses are expected.
-
- - Parse the sections of the message, and insure that all RRs are
- correctly formatted.
-
- - As an optional step, check the TTLs of arriving data looking
- for RRs with excessively long TTLs. If a RR has an
- excessively long TTL, say greater than 1 week, either discard
- the whole response, or limit all TTLs in the response to 1
- week.
-
-The next step is to match the response to a current resolver request.
-The recommended strategy is to do a preliminary matching using the ID
-field in the domain header, and then to verify that the question section
-corresponds to the information currently desired. This requires that
-the transmission algorithm devote several bits of the domain ID field to
-a request identifier of some sort. This step has several fine points:
-
- - Some name servers send their responses from different
- addresses than the one used to receive the query. That is, a
- resolver cannot rely that a response will come from the same
- address which it sent the corresponding query to. This name
- server bug is typically encountered in UNIX systems.
-
- - If the resolver retransmits a particular request to a name
- server it should be able to use a response from any of the
- transmissions. However, if it is using the response to sample
- the round trip time to access the name server, it must be able
- to determine which transmission matches the response (and keep
- transmission times for each outgoing message), or only
- calculate round trip times based on initial transmissions.
-
- - A name server will occasionally not have a current copy of a
- zone which it should have according to some NS RRs. The
- resolver should simply remove the name server from the current
- SLIST, and continue.
-
-
-
-
-Mockapetris [Page 46]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-7.4. Using the cache
-
-In general, we expect a resolver to cache all data which it receives in
-responses since it may be useful in answering future client requests.
-However, there are several types of data which should not be cached:
-
- - When several RRs of the same type are available for a
- particular owner name, the resolver should either cache them
- all or none at all. When a response is truncated, and a
- resolver doesn't know whether it has a complete set, it should
- not cache a possibly partial set of RRs.
-
- - Cached data should never be used in preference to
- authoritative data, so if caching would cause this to happen
- the data should not be cached.
-
- - The results of an inverse query should not be cached.
-
- - The results of standard queries where the QNAME contains "*"
- labels if the data might be used to construct wildcards. The
- reason is that the cache does not necessarily contain existing
- RRs or zone boundary information which is necessary to
- restrict the application of the wildcard RRs.
-
- - RR data in responses of dubious reliability. When a resolver
- receives unsolicited responses or RR data other than that
- requested, it should discard it without caching it. The basic
- implication is that all sanity checks on a packet should be
- performed before any of it is cached.
-
-In a similar vein, when a resolver has a set of RRs for some name in a
-response, and wants to cache the RRs, it should check its cache for
-already existing RRs. Depending on the circumstances, either the data
-in the response or the cache is preferred, but the two should never be
-combined. If the data in the response is from authoritative data in the
-answer section, it is always preferred.
-
-8. MAIL SUPPORT
-
-The domain system defines a standard for mapping mailboxes into domain
-names, and two methods for using the mailbox information to derive mail
-routing information. The first method is called mail exchange binding
-and the other method is mailbox binding. The mailbox encoding standard
-and mail exchange binding are part of the DNS official protocol, and are
-the recommended method for mail routing in the Internet. Mailbox
-binding is an experimental feature which is still under development and
-subject to change.
-
-
-
-
-Mockapetris [Page 47]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-The mailbox encoding standard assumes a mailbox name of the form
-"<local-part>@<mail-domain>". While the syntax allowed in each of these
-sections varies substantially between the various mail internets, the
-preferred syntax for the ARPA Internet is given in [RFC-822].
-
-The DNS encodes the <local-part> as a single label, and encodes the
-<mail-domain> as a domain name. The single label from the <local-part>
-is prefaced to the domain name from <mail-domain> to form the domain
-name corresponding to the mailbox. Thus the mailbox HOSTMASTER@SRI-
-NIC.ARPA is mapped into the domain name HOSTMASTER.SRI-NIC.ARPA. If the
-<local-part> contains dots or other special characters, its
-representation in a master file will require the use of backslash
-quoting to ensure that the domain name is properly encoded. For
-example, the mailbox Action.domains@ISI.EDU would be represented as
-Action\.domains.ISI.EDU.
-
-8.1. Mail exchange binding
-
-Mail exchange binding uses the <mail-domain> part of a mailbox
-specification to determine where mail should be sent. The <local-part>
-is not even consulted. [RFC-974] specifies this method in detail, and
-should be consulted before attempting to use mail exchange support.
-
-One of the advantages of this method is that it decouples mail
-destination naming from the hosts used to support mail service, at the
-cost of another layer of indirection in the lookup function. However,
-the addition layer should eliminate the need for complicated "%", "!",
-etc encodings in <local-part>.
-
-The essence of the method is that the <mail-domain> is used as a domain
-name to locate type MX RRs which list hosts willing to accept mail for
-<mail-domain>, together with preference values which rank the hosts
-according to an order specified by the administrators for <mail-domain>.
-
-In this memo, the <mail-domain> ISI.EDU is used in examples, together
-with the hosts VENERA.ISI.EDU and VAXA.ISI.EDU as mail exchanges for
-ISI.EDU. If a mailer had a message for Mockapetris@ISI.EDU, it would
-route it by looking up MX RRs for ISI.EDU. The MX RRs at ISI.EDU name
-VENERA.ISI.EDU and VAXA.ISI.EDU, and type A queries can find the host
-addresses.
-
-8.2. Mailbox binding (Experimental)
-
-In mailbox binding, the mailer uses the entire mail destination
-specification to construct a domain name. The encoded domain name for
-the mailbox is used as the QNAME field in a QTYPE=MAILB query.
-
-Several outcomes are possible for this query:
-
-
-
-Mockapetris [Page 48]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- 1. The query can return a name error indicating that the mailbox
- does not exist as a domain name.
-
- In the long term, this would indicate that the specified
- mailbox doesn't exist. However, until the use of mailbox
- binding is universal, this error condition should be
- interpreted to mean that the organization identified by the
- global part does not support mailbox binding. The
- appropriate procedure is to revert to exchange binding at
- this point.
-
- 2. The query can return a Mail Rename (MR) RR.
-
- The MR RR carries new mailbox specification in its RDATA
- field. The mailer should replace the old mailbox with the
- new one and retry the operation.
-
- 3. The query can return a MB RR.
-
- The MB RR carries a domain name for a host in its RDATA
- field. The mailer should deliver the message to that host
- via whatever protocol is applicable, e.g., b,SMTP.
-
- 4. The query can return one or more Mail Group (MG) RRs.
-
- This condition means that the mailbox was actually a mailing
- list or mail group, rather than a single mailbox. Each MG RR
- has a RDATA field that identifies a mailbox that is a member
- of the group. The mailer should deliver a copy of the
- message to each member.
-
- 5. The query can return a MB RR as well as one or more MG RRs.
-
- This condition means the the mailbox was actually a mailing
- list. The mailer can either deliver the message to the host
- specified by the MB RR, which will in turn do the delivery to
- all members, or the mailer can use the MG RRs to do the
- expansion itself.
-
-In any of these cases, the response may include a Mail Information
-(MINFO) RR. This RR is usually associated with a mail group, but is
-legal with a MB. The MINFO RR identifies two mailboxes. One of these
-identifies a responsible person for the original mailbox name. This
-mailbox should be used for requests to be added to a mail group, etc.
-The second mailbox name in the MINFO RR identifies a mailbox that should
-receive error messages for mail failures. This is particularly
-appropriate for mailing lists when errors in member names should be
-reported to a person other than the one who sends a message to the list.
-
-
-
-Mockapetris [Page 49]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-New fields may be added to this RR in the future.
-
-
-9. REFERENCES and BIBLIOGRAPHY
-
-[Dyer 87] S. Dyer, F. Hsu, "Hesiod", Project Athena
- Technical Plan - Name Service, April 1987, version 1.9.
-
- Describes the fundamentals of the Hesiod name service.
-
-[IEN-116] J. Postel, "Internet Name Server", IEN-116,
- USC/Information Sciences Institute, August 1979.
-
- A name service obsoleted by the Domain Name System, but
- still in use.
-
-[Quarterman 86] J. Quarterman, and J. Hoskins, "Notable Computer Networks",
- Communications of the ACM, October 1986, volume 29, number
- 10.
-
-[RFC-742] K. Harrenstien, "NAME/FINGER", RFC-742, Network
- Information Center, SRI International, December 1977.
-
-[RFC-768] J. Postel, "User Datagram Protocol", RFC-768,
- USC/Information Sciences Institute, August 1980.
-
-[RFC-793] J. Postel, "Transmission Control Protocol", RFC-793,
- USC/Information Sciences Institute, September 1981.
-
-[RFC-799] D. Mills, "Internet Name Domains", RFC-799, COMSAT,
- September 1981.
-
- Suggests introduction of a hierarchy in place of a flat
- name space for the Internet.
-
-[RFC-805] J. Postel, "Computer Mail Meeting Notes", RFC-805,
- USC/Information Sciences Institute, February 1982.
-
-[RFC-810] E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
- Internet Host Table Specification", RFC-810, Network
- Information Center, SRI International, March 1982.
-
- Obsolete. See RFC-952.
-
-[RFC-811] K. Harrenstien, V. White, and E. Feinler, "Hostnames
- Server", RFC-811, Network Information Center, SRI
- International, March 1982.
-
-
-
-
-Mockapetris [Page 50]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- Obsolete. See RFC-953.
-
-[RFC-812] K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
- Network Information Center, SRI International, March
- 1982.
-
-[RFC-819] Z. Su, and J. Postel, "The Domain Naming Convention for
- Internet User Applications", RFC-819, Network
- Information Center, SRI International, August 1982.
-
- Early thoughts on the design of the domain system.
- Current implementation is completely different.
-
-[RFC-821] J. Postel, "Simple Mail Transfer Protocol", RFC-821,
- USC/Information Sciences Institute, August 1980.
-
-[RFC-830] Z. Su, "A Distributed System for Internet Name Service",
- RFC-830, Network Information Center, SRI International,
- October 1982.
-
- Early thoughts on the design of the domain system.
- Current implementation is completely different.
-
-[RFC-882] P. Mockapetris, "Domain names - Concepts and
- Facilities," RFC-882, USC/Information Sciences
- Institute, November 1983.
-
- Superceeded by this memo.
-
-[RFC-883] P. Mockapetris, "Domain names - Implementation and
- Specification," RFC-883, USC/Information Sciences
- Institute, November 1983.
-
- Superceeded by this memo.
-
-[RFC-920] J. Postel and J. Reynolds, "Domain Requirements",
- RFC-920, USC/Information Sciences Institute,
- October 1984.
-
- Explains the naming scheme for top level domains.
-
-[RFC-952] K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
- Table Specification", RFC-952, SRI, October 1985.
-
- Specifies the format of HOSTS.TXT, the host/address
- table replaced by the DNS.
-
-
-
-
-
-Mockapetris [Page 51]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-[RFC-953] K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
- RFC-953, SRI, October 1985.
-
- This RFC contains the official specification of the
- hostname server protocol, which is obsoleted by the DNS.
- This TCP based protocol accesses information stored in
- the RFC-952 format, and is used to obtain copies of the
- host table.
-
-[RFC-973] P. Mockapetris, "Domain System Changes and
- Observations", RFC-973, USC/Information Sciences
- Institute, January 1986.
-
- Describes changes to RFC-882 and RFC-883 and reasons for
- them.
-
-[RFC-974] C. Partridge, "Mail routing and the domain system",
- RFC-974, CSNET CIC BBN Labs, January 1986.
-
- Describes the transition from HOSTS.TXT based mail
- addressing to the more powerful MX system used with the
- domain system.
-
-[RFC-1001] NetBIOS Working Group, "Protocol standard for a NetBIOS
- service on a TCP/UDP transport: Concepts and Methods",
- RFC-1001, March 1987.
-
- This RFC and RFC-1002 are a preliminary design for
- NETBIOS on top of TCP/IP which proposes to base NetBIOS
- name service on top of the DNS.
-
-[RFC-1002] NetBIOS Working Group, "Protocol standard for a NetBIOS
- service on a TCP/UDP transport: Detailed
- Specifications", RFC-1002, March 1987.
-
-[RFC-1010] J. Reynolds, and J. Postel, "Assigned Numbers", RFC-1010,
- USC/Information Sciences Institute, May 1987.
-
- Contains socket numbers and mnemonics for host names,
- operating systems, etc.
-
-[RFC-1031] W. Lazear, "MILNET Name Domain Transition", RFC-1031,
- November 1987.
-
- Describes a plan for converting the MILNET to the DNS.
-
-[RFC-1032] M. Stahl, "Establishing a Domain - Guidelines for
- Administrators", RFC-1032, November 1987.
-
-
-
-Mockapetris [Page 52]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- Describes the registration policies used by the NIC to
- administer the top level domains and delegate subzones.
-
-[RFC-1033] M. Lottor, "Domain Administrators Operations Guide",
- RFC-1033, November 1987.
-
- A cookbook for domain administrators.
-
-[Solomon 82] M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
- Name Server", Computer Networks, vol 6, nr 3, July 1982.
-
- Describes a name service for CSNET which is independent
- from the DNS and DNS use in the CSNET.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 53]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
-Index
-
- * 13
-
- ; 33, 35
-
- <character-string> 35
- <domain-name> 34
-
- @ 35
-
- \ 35
-
- A 12
-
- Byte order 8
-
- CH 13
- Character case 9
- CLASS 11
- CNAME 12
- Completion 42
- CS 13
-
- Hesiod 13
- HINFO 12
- HS 13
-
- IN 13
- IN-ADDR.ARPA domain 22
- Inverse queries 40
-
- Mailbox names 47
- MB 12
- MD 12
- MF 12
- MG 12
- MINFO 12
- MINIMUM 20
- MR 12
- MX 12
-
- NS 12
- NULL 12
-
- Port numbers 32
- Primary server 5
- PTR 12, 18
-
-
-
-Mockapetris [Page 54]
-
-RFC 1035 Domain Implementation and Specification November 1987
-
-
- QCLASS 13
- QTYPE 12
-
- RDATA 12
- RDLENGTH 11
-
- Secondary server 5
- SOA 12
- Stub resolvers 7
-
- TCP 32
- TXT 12
- TYPE 11
-
- UDP 32
-
- WKS 12
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 55]
-
diff --git a/contrib/bind9/doc/rfc/rfc1101.txt b/contrib/bind9/doc/rfc/rfc1101.txt
deleted file mode 100644
index 66c9d8b813b3..000000000000
--- a/contrib/bind9/doc/rfc/rfc1101.txt
+++ /dev/null
@@ -1,787 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Mockapetris
-Request for Comments: 1101 ISI
-Updates: RFCs 1034, 1035 April 1989
-
-
- DNS Encoding of Network Names and Other Types
-
-
-1. STATUS OF THIS MEMO
-
- This RFC proposes two extensions to the Domain Name System:
-
- - A specific method for entering and retrieving RRs which map
- between network names and numbers.
-
- - Ideas for a general method for describing mappings between
- arbitrary identifiers and numbers.
-
- The method for mapping between network names and addresses is a
- proposed standard, the ideas for a general method are experimental.
-
- This RFC assumes that the reader is familiar with the DNS [RFC 1034,
- RFC 1035] and its use. The data shown is for pedagogical use and
- does not necessarily reflect the real Internet.
-
- Distribution of this memo is unlimited.
-
-2. INTRODUCTION
-
- The DNS is extensible and can be used for a virtually unlimited
- number of data types, name spaces, etc. New type definitions are
- occasionally necessary as are revisions or deletions of old types
- (e.g., MX replacement of MD and MF [RFC 974]), and changes described
- in [RFC 973]. This RFC describes changes due to the general need to
- map between identifiers and values, and a specific need for network
- name support.
-
- Users wish to be able to use the DNS to map between network names and
- numbers. This need is the only capability found in HOSTS.TXT which
- is not available from the DNS. In designing a method to do this,
- there were two major areas of concern:
-
- - Several tradeoffs involving control of network names, the
- syntax of network names, backward compatibility, etc.
-
- - A desire to create a method which would be sufficiently
- general to set a good precedent for future mappings,
- for example, between TCP-port names and numbers,
-
-
-
-Mockapetris [Page 1]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- autonomous system names and numbers, X.500 Relative
- Distinguished Names (RDNs) and their servers, or whatever.
-
- It was impossible to reconcile these two areas of concern for network
- names because of the desire to unify network number support within
- existing IP address to host name support. The existing support is
- the IN-ADDR.ARPA section of the DNS name space. As a result this RFC
- describes one structure for network names which builds on the
- existing support for host names, and another family of structures for
- future yellow pages (YP) functions such as conversions between TCP-
- port numbers and mnemonics.
-
- Both structures are described in following sections. Each structure
- has a discussion of design issues and specific structure
- recommendations.
-
- We wish to avoid defining structures and methods which can work but
- do not because of indifference or errors on the part of system
- administrators when maintaining the database. The WKS RR is an
- example. Thus, while we favor distribution as a general method, we
- also recognize that centrally maintained tables (such as HOSTS.TXT)
- are usually more consistent though less maintainable and timely.
- Hence we recommend both specific methods for mapping network names,
- addresses, and subnets, as well as an instance of the general method
- for mapping between allocated network numbers and network names.
- (Allocation is centrally performed by the SRI Network Information
- Center, aka the NIC).
-
-3. NETWORK NAME ISSUES AND DISCUSSION
-
- The issues involved in the design were the definition of network name
- syntax, the mappings to be provided, and possible support for similar
- functions at the subnet level.
-
-3.1. Network name syntax
-
- The current syntax for network names, as defined by [RFC 952] is an
- alphanumeric string of up to 24 characters, which begins with an
- alpha, and may include "." and "-" except as first and last
- characters. This is the format which was also used for host names
- before the DNS. Upward compatibility with existing names might be a
- goal of any new scheme.
-
- However, the present syntax has been used to define a flat name
- space, and hence would prohibit the same distributed name allocation
- method used for host names. There is some sentiment for allowing the
- NIC to continue to allocate and regulate network names, much as it
- allocates numbers, but the majority opinion favors local control of
-
-
-
-Mockapetris [Page 2]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- network names. Although it would be possible to provide a flat space
- or a name space in which, for example, the last label of a domain
- name captured the old-style network name, any such approach would add
- complexity to the method and create different rules for network names
- and host names.
-
- For these reasons, we assume that the syntax of network names will be
- the same as the expanded syntax for host names permitted in [HR].
- The new syntax expands the set of names to allow leading digits, so
- long as the resulting representations do not conflict with IP
- addresses in decimal octet form. For example, 3Com.COM and 3M.COM
- are now legal, although 26.0.0.73.COM is not. See [HR] for details.
-
- The price is that network names will get as complicated as host
- names. An administrator will be able to create network names in any
- domain under his control, and also create network number to name
- entries in IN-ADDR.ARPA domains under his control. Thus, the name
- for the ARPANET might become NET.ARPA, ARPANET.ARPA or Arpa-
- network.MIL., depending on the preferences of the owner.
-
-3.2. Mappings
-
- The desired mappings, ranked by priority with most important first,
- are:
-
- - Mapping a IP address or network number to a network name.
-
- This mapping is for use in debugging tools and status displays
- of various sorts. The conversion from IP address to network
- number is well known for class A, B, and C IP addresses, and
- involves a simple mask operation. The needs of other classes
- are not yet defined and are ignored for the rest of this RFC.
-
- - Mapping a network name to a network address.
-
- This facility is of less obvious application, but a
- symmetrical mapping seems desirable.
-
- - Mapping an organization to its network names and numbers.
-
- This facility is useful because it may not always be possible
- to guess the local choice for network names, but the
- organization name is often well known.
-
- - Similar mappings for subnets, even when nested.
-
- The primary application is to be able to identify all of the
- subnets involved in a particular IP address. A secondary
-
-
-
-Mockapetris [Page 3]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- requirement is to retrieve address mask information.
-
-3.3. Network address section of the name space
-
- The network name syntax discussed above can provide domain names
- which will contain mappings from network names to various quantities,
- but we also need a section of the name space, organized by network
- and subnet number to hold the inverse mappings.
-
- The choices include:
-
- - The same network number slots already assigned and delegated
- in the IN-ADDR.ARPA section of the name space.
-
- For example, 10.IN-ADDR.ARPA for class A net 10,
- 2.128.IN-ADDR.ARPA for class B net 128.2, etc.
-
- - Host-zero addresses in the IN-ADDR.ARPA tree. (A host field
- of all zero in an IP address is prohibited because of
- confusion related to broadcast addresses, et al.)
-
- For example, 0.0.0.10.IN-ADDR.ARPA for class A net 10,
- 0.0.2.128.IN-ADDR.arpa for class B net 128.2, etc. Like the
- first scheme, it uses in-place name space delegations to
- distribute control.
-
- The main advantage of this scheme over the first is that it
- allows convenient names for subnets as well as networks. A
- secondary advantage is that it uses names which are not in use
- already, and hence it is possible to test whether an
- organization has entered this information in its domain
- database.
-
- - Some new section of the name space.
-
- While this option provides the most opportunities, it creates
- a need to delegate a whole new name space. Since the IP
- address space is so closely related to the network number
- space, most believe that the overhead of creating such a new
- space is overwhelming and would lead to the WKS syndrome. (As
- of February, 1989, approximately 400 sections of the
- IN-ADDR.ARPA tree are already delegated, usually at network
- boundaries.)
-
-
-
-
-
-
-
-
-Mockapetris [Page 4]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
-4. SPECIFICS FOR NETWORK NAME MAPPINGS
-
- The proposed solution uses information stored at:
-
- - Names in the IN-ADDR.ARPA tree that correspond to host-zero IP
- addresses. The same method is used for subnets in a nested
- fashion. For example, 0.0.0.10.IN-ADDR.ARPA. for net 10.
-
- Two types of information are stored here: PTR RRs which point
- to the network name in their data sections, and A RRs, which
- are present if the network (or subnet) is subnetted further.
- If a type A RR is present, then it has the address mask as its
- data. The general form is:
-
- <reversed-host-zero-number>.IN-ADDR.ARPA. PTR <network-name>
- <reversed-host-zero-number>.IN-ADDR.ARPA. A <subnet-mask>
-
- For example:
-
- 0.0.0.10.IN-ADDR.ARPA. PTR ARPANET.ARPA.
-
- or
-
- 0.0.2.128.IN-ADDR.ARPA. PTR cmu-net.cmu.edu.
- A 255.255.255.0
-
- In general, this information will be added to an existing
- master file for some IN-ADDR.ARPA domain for each network
- involved. Similar RRs can be used at host-zero subnet
- entries.
-
- - Names which are network names.
-
- The data stored here is PTR RRs pointing at the host-zero
- entries. The general form is:
-
- <network-name> ptr <reversed-host-zero-number>.IN-ADDR.ARPA
-
- For example:
-
- ARPANET.ARPA. PTR 0.0.0.10.IN-ADDR.ARPA.
-
- or
-
- isi-net.isi.edu. PTR 0.0.9.128.IN-ADDR.ARPA.
-
- In general, this information will be inserted in the master
- file for the domain name of the organization; this is a
-
-
-
-Mockapetris [Page 5]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- different file from that which holds the information below
- IN-ADDR.ARPA. Similar PTR RRs can be used at subnet names.
-
- - Names corresponding to organizations.
-
- The data here is one or more PTR RRs pointing at the
- IN-ADDR.ARPA names corresponding to host-zero entries for
- networks.
-
- For example:
-
- ISI.EDU. PTR 0.0.9.128.IN-ADDR.ARPA.
-
- MCC.COM. PTR 0.167.5.192.IN-ADDR.ARPA.
- PTR 0.168.5.192.IN-ADDR.ARPA.
- PTR 0.169.5.192.IN-ADDR.ARPA.
- PTR 0.0.62.128.IN-ADDR.ARPA.
-
-4.1. A simple example
-
- The ARPANET is a Class A network without subnets. The RRs which
- would be added, assuming the ARPANET.ARPA was selected as a network
- name, would be:
-
- ARPA. PTR 0.0.0.10.IN-ADDR.ARPA.
-
- ARPANET.ARPA. PTR 0.0.0.10.IN-ADDR.ARPA.
-
- 0.0.0.10.IN-ADDR.ARPA. PTR ARPANET.ARPA.
-
- The first RR states that the organization named ARPA owns net 10 (It
- might also own more network numbers, and these would be represented
- with an additional RR per net.) The second states that the network
- name ARPANET.ARPA. maps to net 10. The last states that net 10 is
- named ARPANET.ARPA.
-
- Note that all of the usual host and corresponding IN-ADDR.ARPA
- entries would still be required.
-
-4.2. A complicated, subnetted example
-
- The ISI network is 128.9, a class B number. Suppose the ISI network
- was organized into two levels of subnet, with the first level using
- an additional 8 bits of address, and the second level using 4 bits,
- for address masks of x'FFFFFF00' and X'FFFFFFF0'.
-
- Then the following RRs would be entered in ISI's master file for the
- ISI.EDU zone:
-
-
-
-Mockapetris [Page 6]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- ; Define network entry
- isi-net.isi.edu. PTR 0.0.9.128.IN-ADDR.ARPA.
-
- ; Define first level subnets
- div1-subnet.isi.edu. PTR 0.1.9.128.IN-ADDR.ARPA.
- div2-subnet.isi.edu. PTR 0.2.9.128.IN-ADDR.ARPA.
-
- ; Define second level subnets
- inc-subsubnet.isi.edu. PTR 16.2.9.128.IN-ADDR.ARPA.
-
- in the 9.128.IN-ADDR.ARPA zone:
-
- ; Define network number and address mask
- 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu.
- A 255.255.255.0 ;aka X'FFFFFF00'
-
- ; Define one of the first level subnet numbers and masks
- 0.1.9.128.IN-ADDR.ARPA. PTR div1-subnet.isi.edu.
- A 255.255.255.240 ;aka X'FFFFFFF0'
-
- ; Define another first level subnet number and mask
- 0.2.9.128.IN-ADDR.ARPA. PTR div2-subnet.isi.edu.
- A 255.255.255.240 ;aka X'FFFFFFF0'
-
- ; Define second level subnet number
- 16.2.9.128.IN-ADDR.ARPA. PTR inc-subsubnet.isi.edu.
-
- This assumes that the ISI network is named isi-net.isi.edu., first
- level subnets are named div1-subnet.isi.edu. and div2-
- subnet.isi.edu., and a second level subnet is called inc-
- subsubnet.isi.edu. (In a real system as complicated as this there
- would be more first and second level subnets defined, but we have
- shown enough to illustrate the ideas.)
-
-4.3. Procedure for using an IP address to get network name
-
- Depending on whether the IP address is class A, B, or C, mask off the
- high one, two, or three bytes, respectively. Reverse the octets,
- suffix IN-ADDR.ARPA, and do a PTR query.
-
- For example, suppose the IP address is 10.0.0.51.
-
- 1. Since this is a class A address, use a mask x'FF000000' and
- get 10.0.0.0.
-
- 2. Construct the name 0.0.0.10.IN-ADDR.ARPA.
-
- 3. Do a PTR query. Get back
-
-
-
-Mockapetris [Page 7]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- 0.0.0.10.IN-ADDR.ARPA. PTR ARPANET.ARPA.
-
- 4. Conclude that the network name is "ARPANET.ARPA."
-
- Suppose that the IP address is 128.9.2.17.
-
- 1. Since this is a class B address, use a mask of x'FFFF0000'
- and get 128.9.0.0.
-
- 2. Construct the name 0.0.9.128.IN-ADDR.ARPA.
-
- 3. Do a PTR query. Get back
-
- 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu
-
- 4. Conclude that the network name is "isi-net.isi.edu."
-
-4.4. Procedure for finding all subnets involved with an IP address
-
- This is a simple extension of the IP address to network name method.
- When the network entry is located, do a lookup for a possible A RR.
- If the A RR is found, look up the next level of subnet using the
- original IP address and the mask in the A RR. Repeat this procedure
- until no A RR is found.
-
- For example, repeating the use of 128.9.2.17.
-
- 1. As before construct a query for 0.0.9.128.IN-ADDR.ARPA.
- Retrieve:
-
- 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu.
- A 255.255.255.0
-
- 2. Since an A RR was found, repeat using mask from RR
- (255.255.255.0), constructing a query for
- 0.2.9.128.IN-ADDR.ARPA. Retrieve:
-
- 0.2.9.128.IN-ADDR.ARPA. PTR div2-subnet.isi.edu.
- A 255.255.255.240
-
- 3. Since another A RR was found, repeat using mask
- 255.255.255.240 (x'FFFFFFF0'). constructing a query for
- 16.2.9.128.IN-ADDR.ARPA. Retrieve:
-
- 16.2.9.128.IN-ADDR.ARPA. PTR inc-subsubnet.isi.edu.
-
- 4. Since no A RR is present at 16.2.9.128.IN-ADDR.ARPA., there
- are no more subnet levels.
-
-
-
-Mockapetris [Page 8]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
-5. YP ISSUES AND DISCUSSION
-
- The term "Yellow Pages" is used in almost as many ways as the term
- "domain", so it is useful to define what is meant herein by YP. The
- general problem to be solved is to create a method for creating
- mappings from one kind of identifier to another, often with an
- inverse capability. The traditional methods are to search or use a
- precomputed index of some kind.
-
- Searching is impractical when the search is too large, and
- precomputed indexes are possible only when it is possible to specify
- search criteria in advance, and pay for the resources necessary to
- build the index. For example, it is impractical to search the entire
- domain tree to find a particular address RR, so we build the IN-
- ADDR.ARPA YP. Similarly, we could never build an Internet-wide index
- of "hosts with a load average of less than 2" in less time than it
- would take for the data to change, so indexes are a useless approach
- for that problem.
-
- Such a precomputed index is what we mean by YP, and we regard the
- IN-ADDR.ARPA domain as the first instance of a YP in the DNS.
- Although a single, centrally-managed YP for well-known values such as
- TCP-port is desirable, we regard organization-specific YPs for, say,
- locally defined TCP ports as a natural extension, as are combinations
- of YPs using search lists to merge the two.
-
- In examining Internet Numbers [RFC 997] and Assigned Numbers [RFC
- 1010], it is clear that there are several mappings which might be of
- value. For example:
-
- <assigned-network-name> <==> <IP-address>
- <autonomous-system-id> <==> <number>
- <protocol-id> <==> <number>
- <port-id> <==> <number>
- <ethernet-type> <==> <number>
- <public-data-net> <==> <IP-address>
-
- Following the IN-ADDR example, the YP takes the form of a domain tree
- organized to optimize retrieval by search key and distribution via
- normal DNS rules. The name used as a key must include:
-
- 1. A well known origin. For example, IN-ADDR.ARPA is the
- current IP-address to host name YP.
-
- 2. A "from" data type. This identifies the input type of the
- mapping. This is necessary because we may be mapping
- something as anonymous as a number to any number of
- mnemonics, etc.
-
-
-
-Mockapetris [Page 9]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- 3. A "to" data type. Since we assume several symmetrical
- mnemonic <==> number mappings, this is also necessary.
-
- This ordering reflects the natural scoping of control, and hence the
- order of the components in a domain name. Thus domain names would be
- of the form:
-
- <from-value>.<to-data-type>.<from-data-type>.<YP-origin>
-
- To make this work, we need to define well-know strings for each of
- these metavariables, as well as encoding rules for converting a
- <from-value> into a domain name. We might define:
-
- <YP-origin> :=YP
- <from-data-type>:=TCP-port | IN-ADDR | Number |
- Assigned-network-number | Name
- <to-data-type> :=<from-data-type>
-
- Note that "YP" is NOT a valid country code under [ISO 3166] (although
- we may want to worry about the future), and the existence of a
- syntactically valid <to-data-type>.<from-data-type> pair does not
- imply that a meaningful mapping exists, or is even possible.
-
- The encoding rules might be:
-
- TCP-port Six character alphanumeric
-
- IN-ADDR Reversed 4-octet decimal string
-
- Number decimal integer
-
- Assigned-network-number
- Reversed 4-octet decimal string
-
- Name Domain name
-
-6. SPECIFICS FOR YP MAPPINGS
-
-6.1. TCP-PORT
-
- $origin Number.TCP-port.YP.
-
- 23 PTR TELNET.TCP-port.Number.YP.
- 25 PTR SMTP.TCP-port.Number.YP.
-
- $origin TCP-port.Number.YP.
-
- TELNET PTR 23.Number.TCP-port.YP.
-
-
-
-Mockapetris [Page 10]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- SMTP PTR 25.Number.TCP-port.YP.
-
- Thus the mapping between 23 and TELNET is represented by a pair of
- PTR RRs, one for each direction of the mapping.
-
-6.2. Assigned networks
-
- Network numbers are assigned by the NIC and reported in "Internet
- Numbers" RFCs. To create a YP, the NIC would set up two domains:
-
- Name.Assigned-network-number.YP and Assigned-network-number.YP
-
- The first would contain entries of the form:
-
- $origin Name.Assigned-network-number.YP.
-
- 0.0.0.4 PTR SATNET.Assigned-network-number.Name.YP.
- 0.0.0.10 PTR ARPANET.Assigned-network-number.Name.YP.
-
- The second would contain entries of the form:
-
- $origin Assigned-network-number.Name.YP.
-
- SATNET. PTR 0.0.0.4.Name.Assigned-network-number.YP.
- ARPANET. PTR 0.0.0.10.Name.Assigned-network-number.YP.
-
- These YPs are not in conflict with the network name support described
- in the first half of this RFC since they map between ASSIGNED network
- names and numbers, not those allocated by the organizations
- themselves. That is, they document the NIC's decisions about
- allocating network numbers but do not automatically track any
- renaming performed by the new owners.
-
- As a practical matter, we might want to create both of these domains
- to enable users on the Internet to experiment with centrally
- maintained support as well as the distributed version, or might want
- to implement only the allocated number to name mapping and request
- organizations to convert their allocated network names to the network
- names described in the distributed model.
-
-6.3. Operational improvements
-
- We could imagine that all conversion routines using these YPs might
- be instructed to use "YP.<local-domain>" followed by "YP." as a
- search list. Thus, if the organization ISI.EDU wished to define
- locally meaningful TCP-PORT, it would define the domains:
-
- <TCP-port.Number.YP.ISI.EDU> and <Number.TCP-port.YP.ISI.EDU>.
-
-
-
-Mockapetris [Page 11]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- We could add another level of indirection in the YP lookup, defining
- the <to-data-type>.<from-data-type>.<YP-origin> nodes to point to the
- YP tree, rather than being the YP tree directly. This would enable
- entries of the form:
-
- IN-ADDR.Netname.YP. PTR IN-ADDR.ARPA.
-
- to splice in YPs from other origins or existing spaces.
-
- Another possibility would be to shorten the RDATA section of the RRs
- which map back and forth by deleting the origin. This could be done
- either by allowing the domain name in the RDATA portion to not
- identify a real domain name, or by defining a new RR which used a
- simple text string rather than a domain name.
-
- Thus, we might replace
-
- $origin Assigned-network-number.Name.YP.
-
- SATNET. PTR 0.0.0.4.Name.Assigned-network-number.YP.
- ARPANET. PTR 0.0.0.10.Name.Assigned-network-number.YP.
-
- with
-
- $origin Assigned-network-number.Name.YP.
-
- SATNET. PTR 0.0.0.4.
- ARPANET. PTR 0.0.0.10.
-
- or
-
- $origin Assigned-network-number.Name.YP.
-
- SATNET. PTT "0.0.0.4"
- ARPANET. PTT "0.0.0.10"
-
- where PTT is a new type whose RDATA section is a text string.
-
-7. ACKNOWLEDGMENTS
-
- Drew Perkins, Mark Lottor, and Rob Austein contributed several of the
- ideas in this RFC. Numerous contributions, criticisms, and
- compromises were produced in the IETF Domain working group and the
- NAMEDROPPERS mailing list.
-
-
-
-
-
-
-
-Mockapetris [Page 12]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
-8. REFERENCES
-
- [HR] Braden, B., editor, "Requirements for Internet Hosts",
- RFC in preparation.
-
- [ISO 3166] ISO, "Codes for the Representation of Names of
- Countries", 1981.
-
- [RFC 882] Mockapetris, P., "Domain names - Concepts and
- Facilities", RFC 882, USC/Information Sciences Institute,
- November 1983.
-
- Superseded by RFC 1034.
-
- [RFC 883] Mockapetris, P.,"Domain names - Implementation and
- Specification", RFC 883, USC/Information Sciences
- Institute, November 1983.
-
- Superceeded by RFC 1035.
-
- [RFC 920] Postel, J. and J. Reynolds, "Domain Requirements", RFC
- 920, October 1984.
-
- Explains the naming scheme for top level domains.
-
- [RFC 952] Harrenstien, K., M. Stahl, and E. Feinler, "DoD Internet
- Host Table Specification", RFC 952, SRI, October 1985.
-
- Specifies the format of HOSTS.TXT, the host/address table
- replaced by the DNS
-
- [RFC 973] Mockapetris, P., "Domain System Changes and
- Observations", RFC 973, USC/Information Sciences
- Institute, January 1986.
-
- Describes changes to RFCs 882 and 883 and reasons for
- them.
-
- [RFC 974] Partridge, C., "Mail routing and the domain system", RFC
- 974, CSNET CIC BBN Labs, January 1986.
-
- Describes the transition from HOSTS.TXT based mail
- addressing to the more powerful MX system used with the
- domain system.
-
-
-
-
-
-
-
-Mockapetris [Page 13]
-
-RFC 1101 DNS Encoding of Network Names and Other Types April 1989
-
-
- [RFC 997] Reynolds, J., and J. Postel, "Internet Numbers", RFC 997,
- USC/Information Sciences Institute, March 1987
-
- Contains network numbers, autonomous system numbers, etc.
-
- [RFC 1010] Reynolds, J., and J. Postel, "Assigned Numbers", RFC
- 1010, USC/Information Sciences Institute, May 1987
-
- Contains socket numbers and mnemonics for host names,
- operating systems, etc.
-
-
- [RFC 1034] Mockapetris, P., "Domain names - Concepts and
- Facilities", RFC 1034, USC/Information Sciences
- Institute, November 1987.
-
- Introduction/overview of the DNS.
-
- [RFC 1035] Mockapetris, P., "Domain names - Implementation and
- Specification", RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
- DNS implementation instructions.
-
-Author's Address:
-
- Paul Mockapetris
- USC/Information Sciences Institute
- 4676 Admiralty Way
- Marina del Rey, CA 90292
-
- Phone: (213) 822-1511
-
- Email: PVM@ISI.EDU
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mockapetris [Page 14]
- \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1122.txt b/contrib/bind9/doc/rfc/rfc1122.txt
deleted file mode 100644
index c14f2e50a319..000000000000
--- a/contrib/bind9/doc/rfc/rfc1122.txt
+++ /dev/null
@@ -1,6844 +0,0 @@
-
-
-
-
-
-
-Network Working Group Internet Engineering Task Force
-Request for Comments: 1122 R. Braden, Editor
- October 1989
-
-
- Requirements for Internet Hosts -- Communication Layers
-
-
-Status of This Memo
-
- This RFC is an official specification for the Internet community. It
- incorporates by reference, amends, corrects, and supplements the
- primary protocol standards documents relating to hosts. Distribution
- of this document is unlimited.
-
-Summary
-
- This is one RFC of a pair that defines and discusses the requirements
- for Internet host software. This RFC covers the communications
- protocol layers: link layer, IP layer, and transport layer; its
- companion RFC-1123 covers the application and support protocols.
-
-
-
- Table of Contents
-
-
-
-
- 1. INTRODUCTION ............................................... 5
- 1.1 The Internet Architecture .............................. 6
- 1.1.1 Internet Hosts .................................... 6
- 1.1.2 Architectural Assumptions ......................... 7
- 1.1.3 Internet Protocol Suite ........................... 8
- 1.1.4 Embedded Gateway Code ............................. 10
- 1.2 General Considerations ................................. 12
- 1.2.1 Continuing Internet Evolution ..................... 12
- 1.2.2 Robustness Principle .............................. 12
- 1.2.3 Error Logging ..................................... 13
- 1.2.4 Configuration ..................................... 14
- 1.3 Reading this Document .................................. 15
- 1.3.1 Organization ...................................... 15
- 1.3.2 Requirements ...................................... 16
- 1.3.3 Terminology ....................................... 17
- 1.4 Acknowledgments ........................................ 20
-
- 2. LINK LAYER .................................................. 21
- 2.1 INTRODUCTION ........................................... 21
-
-
-
-Internet Engineering Task Force [Page 1]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- 2.2 PROTOCOL WALK-THROUGH .................................. 21
- 2.3 SPECIFIC ISSUES ........................................ 21
- 2.3.1 Trailer Protocol Negotiation ...................... 21
- 2.3.2 Address Resolution Protocol -- ARP ................ 22
- 2.3.2.1 ARP Cache Validation ......................... 22
- 2.3.2.2 ARP Packet Queue ............................. 24
- 2.3.3 Ethernet and IEEE 802 Encapsulation ............... 24
- 2.4 LINK/INTERNET LAYER INTERFACE .......................... 25
- 2.5 LINK LAYER REQUIREMENTS SUMMARY ........................ 26
-
- 3. INTERNET LAYER PROTOCOLS .................................... 27
- 3.1 INTRODUCTION ............................................ 27
- 3.2 PROTOCOL WALK-THROUGH .................................. 29
- 3.2.1 Internet Protocol -- IP ............................ 29
- 3.2.1.1 Version Number ............................... 29
- 3.2.1.2 Checksum ..................................... 29
- 3.2.1.3 Addressing ................................... 29
- 3.2.1.4 Fragmentation and Reassembly ................. 32
- 3.2.1.5 Identification ............................... 32
- 3.2.1.6 Type-of-Service .............................. 33
- 3.2.1.7 Time-to-Live ................................. 34
- 3.2.1.8 Options ...................................... 35
- 3.2.2 Internet Control Message Protocol -- ICMP .......... 38
- 3.2.2.1 Destination Unreachable ...................... 39
- 3.2.2.2 Redirect ..................................... 40
- 3.2.2.3 Source Quench ................................ 41
- 3.2.2.4 Time Exceeded ................................ 41
- 3.2.2.5 Parameter Problem ............................ 42
- 3.2.2.6 Echo Request/Reply ........................... 42
- 3.2.2.7 Information Request/Reply .................... 43
- 3.2.2.8 Timestamp and Timestamp Reply ................ 43
- 3.2.2.9 Address Mask Request/Reply ................... 45
- 3.2.3 Internet Group Management Protocol IGMP ........... 47
- 3.3 SPECIFIC ISSUES ........................................ 47
- 3.3.1 Routing Outbound Datagrams ........................ 47
- 3.3.1.1 Local/Remote Decision ........................ 47
- 3.3.1.2 Gateway Selection ............................ 48
- 3.3.1.3 Route Cache .................................. 49
- 3.3.1.4 Dead Gateway Detection ....................... 51
- 3.3.1.5 New Gateway Selection ........................ 55
- 3.3.1.6 Initialization ............................... 56
- 3.3.2 Reassembly ........................................ 56
- 3.3.3 Fragmentation ..................................... 58
- 3.3.4 Local Multihoming ................................. 60
- 3.3.4.1 Introduction ................................. 60
- 3.3.4.2 Multihoming Requirements ..................... 61
- 3.3.4.3 Choosing a Source Address .................... 64
- 3.3.5 Source Route Forwarding ........................... 65
-
-
-
-Internet Engineering Task Force [Page 2]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- 3.3.6 Broadcasts ........................................ 66
- 3.3.7 IP Multicasting ................................... 67
- 3.3.8 Error Reporting ................................... 69
- 3.4 INTERNET/TRANSPORT LAYER INTERFACE ..................... 69
- 3.5 INTERNET LAYER REQUIREMENTS SUMMARY .................... 72
-
- 4. TRANSPORT PROTOCOLS ......................................... 77
- 4.1 USER DATAGRAM PROTOCOL -- UDP .......................... 77
- 4.1.1 INTRODUCTION ...................................... 77
- 4.1.2 PROTOCOL WALK-THROUGH ............................. 77
- 4.1.3 SPECIFIC ISSUES ................................... 77
- 4.1.3.1 Ports ........................................ 77
- 4.1.3.2 IP Options ................................... 77
- 4.1.3.3 ICMP Messages ................................ 78
- 4.1.3.4 UDP Checksums ................................ 78
- 4.1.3.5 UDP Multihoming .............................. 79
- 4.1.3.6 Invalid Addresses ............................ 79
- 4.1.4 UDP/APPLICATION LAYER INTERFACE ................... 79
- 4.1.5 UDP REQUIREMENTS SUMMARY .......................... 80
- 4.2 TRANSMISSION CONTROL PROTOCOL -- TCP ................... 82
- 4.2.1 INTRODUCTION ...................................... 82
- 4.2.2 PROTOCOL WALK-THROUGH ............................. 82
- 4.2.2.1 Well-Known Ports ............................. 82
- 4.2.2.2 Use of Push .................................. 82
- 4.2.2.3 Window Size .................................. 83
- 4.2.2.4 Urgent Pointer ............................... 84
- 4.2.2.5 TCP Options .................................. 85
- 4.2.2.6 Maximum Segment Size Option .................. 85
- 4.2.2.7 TCP Checksum ................................. 86
- 4.2.2.8 TCP Connection State Diagram ................. 86
- 4.2.2.9 Initial Sequence Number Selection ............ 87
- 4.2.2.10 Simultaneous Open Attempts .................. 87
- 4.2.2.11 Recovery from Old Duplicate SYN ............. 87
- 4.2.2.12 RST Segment ................................. 87
- 4.2.2.13 Closing a Connection ........................ 87
- 4.2.2.14 Data Communication .......................... 89
- 4.2.2.15 Retransmission Timeout ...................... 90
- 4.2.2.16 Managing the Window ......................... 91
- 4.2.2.17 Probing Zero Windows ........................ 92
- 4.2.2.18 Passive OPEN Calls .......................... 92
- 4.2.2.19 Time to Live ................................ 93
- 4.2.2.20 Event Processing ............................ 93
- 4.2.2.21 Acknowledging Queued Segments ............... 94
- 4.2.3 SPECIFIC ISSUES ................................... 95
- 4.2.3.1 Retransmission Timeout Calculation ........... 95
- 4.2.3.2 When to Send an ACK Segment .................. 96
- 4.2.3.3 When to Send a Window Update ................. 97
- 4.2.3.4 When to Send Data ............................ 98
-
-
-
-Internet Engineering Task Force [Page 3]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- 4.2.3.5 TCP Connection Failures ...................... 100
- 4.2.3.6 TCP Keep-Alives .............................. 101
- 4.2.3.7 TCP Multihoming .............................. 103
- 4.2.3.8 IP Options ................................... 103
- 4.2.3.9 ICMP Messages ................................ 103
- 4.2.3.10 Remote Address Validation ................... 104
- 4.2.3.11 TCP Traffic Patterns ........................ 104
- 4.2.3.12 Efficiency .................................. 105
- 4.2.4 TCP/APPLICATION LAYER INTERFACE ................... 106
- 4.2.4.1 Asynchronous Reports ......................... 106
- 4.2.4.2 Type-of-Service .............................. 107
- 4.2.4.3 Flush Call ................................... 107
- 4.2.4.4 Multihoming .................................. 108
- 4.2.5 TCP REQUIREMENT SUMMARY ........................... 108
-
- 5. REFERENCES ................................................. 112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 4]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
-1. INTRODUCTION
-
- This document is one of a pair that defines and discusses the
- requirements for host system implementations of the Internet protocol
- suite. This RFC covers the communication protocol layers: link
- layer, IP layer, and transport layer. Its companion RFC,
- "Requirements for Internet Hosts -- Application and Support"
- [INTRO:1], covers the application layer protocols. This document
- should also be read in conjunction with "Requirements for Internet
- Gateways" [INTRO:2].
-
- These documents are intended to provide guidance for vendors,
- implementors, and users of Internet communication software. They
- represent the consensus of a large body of technical experience and
- wisdom, contributed by the members of the Internet research and
- vendor communities.
-
- This RFC enumerates standard protocols that a host connected to the
- Internet must use, and it incorporates by reference the RFCs and
- other documents describing the current specifications for these
- protocols. It corrects errors in the referenced documents and adds
- additional discussion and guidance for an implementor.
-
- For each protocol, this document also contains an explicit set of
- requirements, recommendations, and options. The reader must
- understand that the list of requirements in this document is
- incomplete by itself; the complete set of requirements for an
- Internet host is primarily defined in the standard protocol
- specification documents, with the corrections, amendments, and
- supplements contained in this RFC.
-
- A good-faith implementation of the protocols that was produced after
- careful reading of the RFC's and with some interaction with the
- Internet technical community, and that followed good communications
- software engineering practices, should differ from the requirements
- of this document in only minor ways. Thus, in many cases, the
- "requirements" in this RFC are already stated or implied in the
- standard protocol documents, so that their inclusion here is, in a
- sense, redundant. However, they were included because some past
- implementation has made the wrong choice, causing problems of
- interoperability, performance, and/or robustness.
-
- This document includes discussion and explanation of many of the
- requirements and recommendations. A simple list of requirements
- would be dangerous, because:
-
- o Some required features are more important than others, and some
- features are optional.
-
-
-
-Internet Engineering Task Force [Page 5]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- o There may be valid reasons why particular vendor products that
- are designed for restricted contexts might choose to use
- different specifications.
-
- However, the specifications of this document must be followed to meet
- the general goal of arbitrary host interoperation across the
- diversity and complexity of the Internet system. Although most
- current implementations fail to meet these requirements in various
- ways, some minor and some major, this specification is the ideal
- towards which we need to move.
-
- These requirements are based on the current level of Internet
- architecture. This document will be updated as required to provide
- additional clarifications or to include additional information in
- those areas in which specifications are still evolving.
-
- This introductory section begins with a brief overview of the
- Internet architecture as it relates to hosts, and then gives some
- general advice to host software vendors. Finally, there is some
- guidance on reading the rest of the document and some terminology.
-
- 1.1 The Internet Architecture
-
- General background and discussion on the Internet architecture and
- supporting protocol suite can be found in the DDN Protocol
- Handbook [INTRO:3]; for background see for example [INTRO:9],
- [INTRO:10], and [INTRO:11]. Reference [INTRO:5] describes the
- procedure for obtaining Internet protocol documents, while
- [INTRO:6] contains a list of the numbers assigned within Internet
- protocols.
-
- 1.1.1 Internet Hosts
-
- A host computer, or simply "host," is the ultimate consumer of
- communication services. A host generally executes application
- programs on behalf of user(s), employing network and/or
- Internet communication services in support of this function.
- An Internet host corresponds to the concept of an "End-System"
- used in the OSI protocol suite [INTRO:13].
-
- An Internet communication system consists of interconnected
- packet networks supporting communication among host computers
- using the Internet protocols. The networks are interconnected
- using packet-switching computers called "gateways" or "IP
- routers" by the Internet community, and "Intermediate Systems"
- by the OSI world [INTRO:13]. The RFC "Requirements for
- Internet Gateways" [INTRO:2] contains the official
- specifications for Internet gateways. That RFC together with
-
-
-
-Internet Engineering Task Force [Page 6]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- the present document and its companion [INTRO:1] define the
- rules for the current realization of the Internet architecture.
-
- Internet hosts span a wide range of size, speed, and function.
- They range in size from small microprocessors through
- workstations to mainframes and supercomputers. In function,
- they range from single-purpose hosts (such as terminal servers)
- to full-service hosts that support a variety of online network
- services, typically including remote login, file transfer, and
- electronic mail.
-
- A host is generally said to be multihomed if it has more than
- one interface to the same or to different networks. See
- Section 1.1.3 on "Terminology".
-
- 1.1.2 Architectural Assumptions
-
- The current Internet architecture is based on a set of
- assumptions about the communication system. The assumptions
- most relevant to hosts are as follows:
-
- (a) The Internet is a network of networks.
-
- Each host is directly connected to some particular
- network(s); its connection to the Internet is only
- conceptual. Two hosts on the same network communicate
- with each other using the same set of protocols that they
- would use to communicate with hosts on distant networks.
-
- (b) Gateways don't keep connection state information.
-
- To improve robustness of the communication system,
- gateways are designed to be stateless, forwarding each IP
- datagram independently of other datagrams. As a result,
- redundant paths can be exploited to provide robust service
- in spite of failures of intervening gateways and networks.
-
- All state information required for end-to-end flow control
- and reliability is implemented in the hosts, in the
- transport layer or in application programs. All
- connection control information is thus co-located with the
- end points of the communication, so it will be lost only
- if an end point fails.
-
- (c) Routing complexity should be in the gateways.
-
- Routing is a complex and difficult problem, and ought to
- be performed by the gateways, not the hosts. An important
-
-
-
-Internet Engineering Task Force [Page 7]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- objective is to insulate host software from changes caused
- by the inevitable evolution of the Internet routing
- architecture.
-
- (d) The System must tolerate wide network variation.
-
- A basic objective of the Internet design is to tolerate a
- wide range of network characteristics -- e.g., bandwidth,
- delay, packet loss, packet reordering, and maximum packet
- size. Another objective is robustness against failure of
- individual networks, gateways, and hosts, using whatever
- bandwidth is still available. Finally, the goal is full
- "open system interconnection": an Internet host must be
- able to interoperate robustly and effectively with any
- other Internet host, across diverse Internet paths.
-
- Sometimes host implementors have designed for less
- ambitious goals. For example, the LAN environment is
- typically much more benign than the Internet as a whole;
- LANs have low packet loss and delay and do not reorder
- packets. Some vendors have fielded host implementations
- that are adequate for a simple LAN environment, but work
- badly for general interoperation. The vendor justifies
- such a product as being economical within the restricted
- LAN market. However, isolated LANs seldom stay isolated
- for long; they are soon gatewayed to each other, to
- organization-wide internets, and eventually to the global
- Internet system. In the end, neither the customer nor the
- vendor is served by incomplete or substandard Internet
- host software.
-
- The requirements spelled out in this document are designed
- for a full-function Internet host, capable of full
- interoperation over an arbitrary Internet path.
-
-
- 1.1.3 Internet Protocol Suite
-
- To communicate using the Internet system, a host must implement
- the layered set of protocols comprising the Internet protocol
- suite. A host typically must implement at least one protocol
- from each layer.
-
- The protocol layers used in the Internet architecture are as
- follows [INTRO:4]:
-
-
- o Application Layer
-
-
-
-Internet Engineering Task Force [Page 8]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- The application layer is the top layer of the Internet
- protocol suite. The Internet suite does not further
- subdivide the application layer, although some of the
- Internet application layer protocols do contain some
- internal sub-layering. The application layer of the
- Internet suite essentially combines the functions of the
- top two layers -- Presentation and Application -- of the
- OSI reference model.
-
- We distinguish two categories of application layer
- protocols: user protocols that provide service directly
- to users, and support protocols that provide common system
- functions. Requirements for user and support protocols
- will be found in the companion RFC [INTRO:1].
-
- The most common Internet user protocols are:
-
- o Telnet (remote login)
- o FTP (file transfer)
- o SMTP (electronic mail delivery)
-
- There are a number of other standardized user protocols
- [INTRO:4] and many private user protocols.
-
- Support protocols, used for host name mapping, booting,
- and management, include SNMP, BOOTP, RARP, and the Domain
- Name System (DNS) protocols.
-
-
- o Transport Layer
-
- The transport layer provides end-to-end communication
- services for applications. There are two primary
- transport layer protocols at present:
-
- o Transmission Control Protocol (TCP)
- o User Datagram Protocol (UDP)
-
- TCP is a reliable connection-oriented transport service
- that provides end-to-end reliability, resequencing, and
- flow control. UDP is a connectionless ("datagram")
- transport service.
-
- Other transport protocols have been developed by the
- research community, and the set of official Internet
- transport protocols may be expanded in the future.
-
- Transport layer protocols are discussed in Chapter 4.
-
-
-
-Internet Engineering Task Force [Page 9]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- o Internet Layer
-
- All Internet transport protocols use the Internet Protocol
- (IP) to carry data from source host to destination host.
- IP is a connectionless or datagram internetwork service,
- providing no end-to-end delivery guarantees. Thus, IP
- datagrams may arrive at the destination host damaged,
- duplicated, out of order, or not at all. The layers above
- IP are responsible for reliable delivery service when it
- is required. The IP protocol includes provision for
- addressing, type-of-service specification, fragmentation
- and reassembly, and security information.
-
- The datagram or connectionless nature of the IP protocol
- is a fundamental and characteristic feature of the
- Internet architecture. Internet IP was the model for the
- OSI Connectionless Network Protocol [INTRO:12].
-
- ICMP is a control protocol that is considered to be an
- integral part of IP, although it is architecturally
- layered upon IP, i.e., it uses IP to carry its data end-
- to-end just as a transport protocol like TCP or UDP does.
- ICMP provides error reporting, congestion reporting, and
- first-hop gateway redirection.
-
- IGMP is an Internet layer protocol used for establishing
- dynamic host groups for IP multicasting.
-
- The Internet layer protocols IP, ICMP, and IGMP are
- discussed in Chapter 3.
-
-
- o Link Layer
-
- To communicate on its directly-connected network, a host
- must implement the communication protocol used to
- interface to that network. We call this a link layer or
- media-access layer protocol.
-
- There is a wide variety of link layer protocols,
- corresponding to the many different types of networks.
- See Chapter 2.
-
-
- 1.1.4 Embedded Gateway Code
-
- Some Internet host software includes embedded gateway
- functionality, so that these hosts can forward packets as a
-
-
-
-Internet Engineering Task Force [Page 10]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- gateway would, while still performing the application layer
- functions of a host.
-
- Such dual-purpose systems must follow the Gateway Requirements
- RFC [INTRO:2] with respect to their gateway functions, and
- must follow the present document with respect to their host
- functions. In all overlapping cases, the two specifications
- should be in agreement.
-
- There are varying opinions in the Internet community about
- embedded gateway functionality. The main arguments are as
- follows:
-
- o Pro: in a local network environment where networking is
- informal, or in isolated internets, it may be convenient
- and economical to use existing host systems as gateways.
-
- There is also an architectural argument for embedded
- gateway functionality: multihoming is much more common
- than originally foreseen, and multihoming forces a host to
- make routing decisions as if it were a gateway. If the
- multihomed host contains an embedded gateway, it will
- have full routing knowledge and as a result will be able
- to make more optimal routing decisions.
-
- o Con: Gateway algorithms and protocols are still changing,
- and they will continue to change as the Internet system
- grows larger. Attempting to include a general gateway
- function within the host IP layer will force host system
- maintainers to track these (more frequent) changes. Also,
- a larger pool of gateway implementations will make
- coordinating the changes more difficult. Finally, the
- complexity of a gateway IP layer is somewhat greater than
- that of a host, making the implementation and operation
- tasks more complex.
-
- In addition, the style of operation of some hosts is not
- appropriate for providing stable and robust gateway
- service.
-
- There is considerable merit in both of these viewpoints. One
- conclusion can be drawn: an host administrator must have
- conscious control over whether or not a given host acts as a
- gateway. See Section 3.1 for the detailed requirements.
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 11]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- 1.2 General Considerations
-
- There are two important lessons that vendors of Internet host
- software have learned and which a new vendor should consider
- seriously.
-
- 1.2.1 Continuing Internet Evolution
-
- The enormous growth of the Internet has revealed problems of
- management and scaling in a large datagram-based packet
- communication system. These problems are being addressed, and
- as a result there will be continuing evolution of the
- specifications described in this document. These changes will
- be carefully planned and controlled, since there is extensive
- participation in this planning by the vendors and by the
- organizations responsible for operations of the networks.
-
- Development, evolution, and revision are characteristic of
- computer network protocols today, and this situation will
- persist for some years. A vendor who develops computer
- communication software for the Internet protocol suite (or any
- other protocol suite!) and then fails to maintain and update
- that software for changing specifications is going to leave a
- trail of unhappy customers. The Internet is a large
- communication network, and the users are in constant contact
- through it. Experience has shown that knowledge of
- deficiencies in vendor software propagates quickly through the
- Internet technical community.
-
- 1.2.2 Robustness Principle
-
- At every layer of the protocols, there is a general rule whose
- application can lead to enormous benefits in robustness and
- interoperability [IP:1]:
-
- "Be liberal in what you accept, and
- conservative in what you send"
-
- Software should be written to deal with every conceivable
- error, no matter how unlikely; sooner or later a packet will
- come in with that particular combination of errors and
- attributes, and unless the software is prepared, chaos can
- ensue. In general, it is best to assume that the network is
- filled with malevolent entities that will send in packets
- designed to have the worst possible effect. This assumption
- will lead to suitable protective design, although the most
- serious problems in the Internet have been caused by
- unenvisaged mechanisms triggered by low-probability events;
-
-
-
-Internet Engineering Task Force [Page 12]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- mere human malice would never have taken so devious a course!
-
- Adaptability to change must be designed into all levels of
- Internet host software. As a simple example, consider a
- protocol specification that contains an enumeration of values
- for a particular header field -- e.g., a type field, a port
- number, or an error code; this enumeration must be assumed to
- be incomplete. Thus, if a protocol specification defines four
- possible error codes, the software must not break when a fifth
- code shows up. An undefined code might be logged (see below),
- but it must not cause a failure.
-
- The second part of the principle is almost as important:
- software on other hosts may contain deficiencies that make it
- unwise to exploit legal but obscure protocol features. It is
- unwise to stray far from the obvious and simple, lest untoward
- effects result elsewhere. A corollary of this is "watch out
- for misbehaving hosts"; host software should be prepared, not
- just to survive other misbehaving hosts, but also to cooperate
- to limit the amount of disruption such hosts can cause to the
- shared communication facility.
-
- 1.2.3 Error Logging
-
- The Internet includes a great variety of host and gateway
- systems, each implementing many protocols and protocol layers,
- and some of these contain bugs and mis-features in their
- Internet protocol software. As a result of complexity,
- diversity, and distribution of function, the diagnosis of
- Internet problems is often very difficult.
-
- Problem diagnosis will be aided if host implementations include
- a carefully designed facility for logging erroneous or
- "strange" protocol events. It is important to include as much
- diagnostic information as possible when an error is logged. In
- particular, it is often useful to record the header(s) of a
- packet that caused an error. However, care must be taken to
- ensure that error logging does not consume prohibitive amounts
- of resources or otherwise interfere with the operation of the
- host.
-
- There is a tendency for abnormal but harmless protocol events
- to overflow error logging files; this can be avoided by using a
- "circular" log, or by enabling logging only while diagnosing a
- known failure. It may be useful to filter and count duplicate
- successive messages. One strategy that seems to work well is:
- (1) always count abnormalities and make such counts accessible
- through the management protocol (see [INTRO:1]); and (2) allow
-
-
-
-Internet Engineering Task Force [Page 13]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- the logging of a great variety of events to be selectively
- enabled. For example, it might useful to be able to "log
- everything" or to "log everything for host X".
-
- Note that different managements may have differing policies
- about the amount of error logging that they want normally
- enabled in a host. Some will say, "if it doesn't hurt me, I
- don't want to know about it", while others will want to take a
- more watchful and aggressive attitude about detecting and
- removing protocol abnormalities.
-
- 1.2.4 Configuration
-
- It would be ideal if a host implementation of the Internet
- protocol suite could be entirely self-configuring. This would
- allow the whole suite to be implemented in ROM or cast into
- silicon, it would simplify diskless workstations, and it would
- be an immense boon to harried LAN administrators as well as
- system vendors. We have not reached this ideal; in fact, we
- are not even close.
-
- At many points in this document, you will find a requirement
- that a parameter be a configurable option. There are several
- different reasons behind such requirements. In a few cases,
- there is current uncertainty or disagreement about the best
- value, and it may be necessary to update the recommended value
- in the future. In other cases, the value really depends on
- external factors -- e.g., the size of the host and the
- distribution of its communication load, or the speeds and
- topology of nearby networks -- and self-tuning algorithms are
- unavailable and may be insufficient. In some cases,
- configurability is needed because of administrative
- requirements.
-
- Finally, some configuration options are required to communicate
- with obsolete or incorrect implementations of the protocols,
- distributed without sources, that unfortunately persist in many
- parts of the Internet. To make correct systems coexist with
- these faulty systems, administrators often have to "mis-
- configure" the correct systems. This problem will correct
- itself gradually as the faulty systems are retired, but it
- cannot be ignored by vendors.
-
- When we say that a parameter must be configurable, we do not
- intend to require that its value be explicitly read from a
- configuration file at every boot time. We recommend that
- implementors set up a default for each parameter, so a
- configuration file is only necessary to override those defaults
-
-
-
-Internet Engineering Task Force [Page 14]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- that are inappropriate in a particular installation. Thus, the
- configurability requirement is an assurance that it will be
- POSSIBLE to override the default when necessary, even in a
- binary-only or ROM-based product.
-
- This document requires a particular value for such defaults in
- some cases. The choice of default is a sensitive issue when
- the configuration item controls the accommodation to existing
- faulty systems. If the Internet is to converge successfully to
- complete interoperability, the default values built into
- implementations must implement the official protocol, not
- "mis-configurations" to accommodate faulty implementations.
- Although marketing considerations have led some vendors to
- choose mis-configuration defaults, we urge vendors to choose
- defaults that will conform to the standard.
-
- Finally, we note that a vendor needs to provide adequate
- documentation on all configuration parameters, their limits and
- effects.
-
-
- 1.3 Reading this Document
-
- 1.3.1 Organization
-
- Protocol layering, which is generally used as an organizing
- principle in implementing network software, has also been used
- to organize this document. In describing the rules, we assume
- that an implementation does strictly mirror the layering of the
- protocols. Thus, the following three major sections specify
- the requirements for the link layer, the internet layer, and
- the transport layer, respectively. A companion RFC [INTRO:1]
- covers application level software. This layerist organization
- was chosen for simplicity and clarity.
-
- However, strict layering is an imperfect model, both for the
- protocol suite and for recommended implementation approaches.
- Protocols in different layers interact in complex and sometimes
- subtle ways, and particular functions often involve multiple
- layers. There are many design choices in an implementation,
- many of which involve creative "breaking" of strict layering.
- Every implementor is urged to read references [INTRO:7] and
- [INTRO:8].
-
- This document describes the conceptual service interface
- between layers using a functional ("procedure call") notation,
- like that used in the TCP specification [TCP:1]. A host
- implementation must support the logical information flow
-
-
-
-Internet Engineering Task Force [Page 15]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- implied by these calls, but need not literally implement the
- calls themselves. For example, many implementations reflect
- the coupling between the transport layer and the IP layer by
- giving them shared access to common data structures. These
- data structures, rather than explicit procedure calls, are then
- the agency for passing much of the information that is
- required.
-
- In general, each major section of this document is organized
- into the following subsections:
-
- (1) Introduction
-
- (2) Protocol Walk-Through -- considers the protocol
- specification documents section-by-section, correcting
- errors, stating requirements that may be ambiguous or
- ill-defined, and providing further clarification or
- explanation.
-
- (3) Specific Issues -- discusses protocol design and
- implementation issues that were not included in the walk-
- through.
-
- (4) Interfaces -- discusses the service interface to the next
- higher layer.
-
- (5) Summary -- contains a summary of the requirements of the
- section.
-
-
- Under many of the individual topics in this document, there is
- parenthetical material labeled "DISCUSSION" or
- "IMPLEMENTATION". This material is intended to give
- clarification and explanation of the preceding requirements
- text. It also includes some suggestions on possible future
- directions or developments. The implementation material
- contains suggested approaches that an implementor may want to
- consider.
-
- The summary sections are intended to be guides and indexes to
- the text, but are necessarily cryptic and incomplete. The
- summaries should never be used or referenced separately from
- the complete RFC.
-
- 1.3.2 Requirements
-
- In this document, the words that are used to define the
- significance of each particular requirement are capitalized.
-
-
-
-Internet Engineering Task Force [Page 16]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- These words are:
-
- * "MUST"
-
- This word or the adjective "REQUIRED" means that the item
- is an absolute requirement of the specification.
-
- * "SHOULD"
-
- This word or the adjective "RECOMMENDED" means that there
- may exist valid reasons in particular circumstances to
- ignore this item, but the full implications should be
- understood and the case carefully weighed before choosing
- a different course.
-
- * "MAY"
-
- This word or the adjective "OPTIONAL" means that this item
- is truly optional. One vendor may choose to include the
- item because a particular marketplace requires it or
- because it enhances the product, for example; another
- vendor may omit the same item.
-
-
- An implementation is not compliant if it fails to satisfy one
- or more of the MUST requirements for the protocols it
- implements. An implementation that satisfies all the MUST and
- all the SHOULD requirements for its protocols is said to be
- "unconditionally compliant"; one that satisfies all the MUST
- requirements but not all the SHOULD requirements for its
- protocols is said to be "conditionally compliant".
-
- 1.3.3 Terminology
-
- This document uses the following technical terms:
-
- Segment
- A segment is the unit of end-to-end transmission in the
- TCP protocol. A segment consists of a TCP header followed
- by application data. A segment is transmitted by
- encapsulation inside an IP datagram.
-
- Message
- In this description of the lower-layer protocols, a
- message is the unit of transmission in a transport layer
- protocol. In particular, a TCP segment is a message. A
- message consists of a transport protocol header followed
- by application protocol data. To be transmitted end-to-
-
-
-
-Internet Engineering Task Force [Page 17]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- end through the Internet, a message must be encapsulated
- inside a datagram.
-
- IP Datagram
- An IP datagram is the unit of end-to-end transmission in
- the IP protocol. An IP datagram consists of an IP header
- followed by transport layer data, i.e., of an IP header
- followed by a message.
-
- In the description of the internet layer (Section 3), the
- unqualified term "datagram" should be understood to refer
- to an IP datagram.
-
- Packet
- A packet is the unit of data passed across the interface
- between the internet layer and the link layer. It
- includes an IP header and data. A packet may be a
- complete IP datagram or a fragment of an IP datagram.
-
- Frame
- A frame is the unit of transmission in a link layer
- protocol, and consists of a link-layer header followed by
- a packet.
-
- Connected Network
- A network to which a host is interfaced is often known as
- the "local network" or the "subnetwork" relative to that
- host. However, these terms can cause confusion, and
- therefore we use the term "connected network" in this
- document.
-
- Multihomed
- A host is said to be multihomed if it has multiple IP
- addresses. For a discussion of multihoming, see Section
- 3.3.4 below.
-
- Physical network interface
- This is a physical interface to a connected network and
- has a (possibly unique) link-layer address. Multiple
- physical network interfaces on a single host may share the
- same link-layer address, but the address must be unique
- for different hosts on the same physical network.
-
- Logical [network] interface
- We define a logical [network] interface to be a logical
- path, distinguished by a unique IP address, to a connected
- network. See Section 3.3.4.
-
-
-
-
-Internet Engineering Task Force [Page 18]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- Specific-destination address
- This is the effective destination address of a datagram,
- even if it is broadcast or multicast; see Section 3.2.1.3.
-
- Path
- At a given moment, all the IP datagrams from a particular
- source host to a particular destination host will
- typically traverse the same sequence of gateways. We use
- the term "path" for this sequence. Note that a path is
- uni-directional; it is not unusual to have different paths
- in the two directions between a given host pair.
-
- MTU
- The maximum transmission unit, i.e., the size of the
- largest packet that can be transmitted.
-
-
- The terms frame, packet, datagram, message, and segment are
- illustrated by the following schematic diagrams:
-
- A. Transmission on connected network:
- _______________________________________________
- | LL hdr | IP hdr | (data) |
- |________|________|_____________________________|
-
- <---------- Frame ----------------------------->
- <----------Packet -------------------->
-
-
- B. Before IP fragmentation or after IP reassembly:
- ______________________________________
- | IP hdr | transport| Application Data |
- |________|____hdr___|__________________|
-
- <-------- Datagram ------------------>
- <-------- Message ----------->
- or, for TCP:
- ______________________________________
- | IP hdr | TCP hdr | Application Data |
- |________|__________|__________________|
-
- <-------- Datagram ------------------>
- <-------- Segment ----------->
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 19]
-
-
-
-
-RFC1122 INTRODUCTION October 1989
-
-
- 1.4 Acknowledgments
-
- This document incorporates contributions and comments from a large
- group of Internet protocol experts, including representatives of
- university and research labs, vendors, and government agencies.
- It was assembled primarily by the Host Requirements Working Group
- of the Internet Engineering Task Force (IETF).
-
- The Editor would especially like to acknowledge the tireless
- dedication of the following people, who attended many long
- meetings and generated 3 million bytes of electronic mail over the
- past 18 months in pursuit of this document: Philip Almquist, Dave
- Borman (Cray Research), Noel Chiappa, Dave Crocker (DEC), Steve
- Deering (Stanford), Mike Karels (Berkeley), Phil Karn (Bellcore),
- John Lekashman (NASA), Charles Lynn (BBN), Keith McCloghrie (TWG),
- Paul Mockapetris (ISI), Thomas Narten (Purdue), Craig Partridge
- (BBN), Drew Perkins (CMU), and James Van Bokkelen (FTP Software).
-
- In addition, the following people made major contributions to the
- effort: Bill Barns (Mitre), Steve Bellovin (AT&T), Mike Brescia
- (BBN), Ed Cain (DCA), Annette DeSchon (ISI), Martin Gross (DCA),
- Phill Gross (NRI), Charles Hedrick (Rutgers), Van Jacobson (LBL),
- John Klensin (MIT), Mark Lottor (SRI), Milo Medin (NASA), Bill
- Melohn (Sun Microsystems), Greg Minshall (Kinetics), Jeff Mogul
- (DEC), John Mullen (CMC), Jon Postel (ISI), John Romkey (Epilogue
- Technology), and Mike StJohns (DCA). The following also made
- significant contributions to particular areas: Eric Allman
- (Berkeley), Rob Austein (MIT), Art Berggreen (ACC), Keith Bostic
- (Berkeley), Vint Cerf (NRI), Wayne Hathaway (NASA), Matt Korn
- (IBM), Erik Naggum (Naggum Software, Norway), Robert Ullmann
- (Prime Computer), David Waitzman (BBN), Frank Wancho (USA), Arun
- Welch (Ohio State), Bill Westfield (Cisco), and Rayan Zachariassen
- (Toronto).
-
- We are grateful to all, including any contributors who may have
- been inadvertently omitted from this list.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 20]
-
-
-
-
-RFC1122 LINK LAYER October 1989
-
-
-2. LINK LAYER
-
- 2.1 INTRODUCTION
-
- All Internet systems, both hosts and gateways, have the same
- requirements for link layer protocols. These requirements are
- given in Chapter 3 of "Requirements for Internet Gateways"
- [INTRO:2], augmented with the material in this section.
-
- 2.2 PROTOCOL WALK-THROUGH
-
- None.
-
- 2.3 SPECIFIC ISSUES
-
- 2.3.1 Trailer Protocol Negotiation
-
- The trailer protocol [LINK:1] for link-layer encapsulation MAY
- be used, but only when it has been verified that both systems
- (host or gateway) involved in the link-layer communication
- implement trailers. If the system does not dynamically
- negotiate use of the trailer protocol on a per-destination
- basis, the default configuration MUST disable the protocol.
-
- DISCUSSION:
- The trailer protocol is a link-layer encapsulation
- technique that rearranges the data contents of packets
- sent on the physical network. In some cases, trailers
- improve the throughput of higher layer protocols by
- reducing the amount of data copying within the operating
- system. Higher layer protocols are unaware of trailer
- use, but both the sending and receiving host MUST
- understand the protocol if it is used.
-
- Improper use of trailers can result in very confusing
- symptoms. Only packets with specific size attributes are
- encapsulated using trailers, and typically only a small
- fraction of the packets being exchanged have these
- attributes. Thus, if a system using trailers exchanges
- packets with a system that does not, some packets
- disappear into a black hole while others are delivered
- successfully.
-
- IMPLEMENTATION:
- On an Ethernet, packets encapsulated with trailers use a
- distinct Ethernet type [LINK:1], and trailer negotiation
- is performed at the time that ARP is used to discover the
- link-layer address of a destination system.
-
-
-
-Internet Engineering Task Force [Page 21]
-
-
-
-
-RFC1122 LINK LAYER October 1989
-
-
- Specifically, the ARP exchange is completed in the usual
- manner using the normal IP protocol type, but a host that
- wants to speak trailers will send an additional "trailer
- ARP reply" packet, i.e., an ARP reply that specifies the
- trailer encapsulation protocol type but otherwise has the
- format of a normal ARP reply. If a host configured to use
- trailers receives a trailer ARP reply message from a
- remote machine, it can add that machine to the list of
- machines that understand trailers, e.g., by marking the
- corresponding entry in the ARP cache.
-
- Hosts wishing to receive trailer encapsulations send
- trailer ARP replies whenever they complete exchanges of
- normal ARP messages for IP. Thus, a host that received an
- ARP request for its IP protocol address would send a
- trailer ARP reply in addition to the normal IP ARP reply;
- a host that sent the IP ARP request would send a trailer
- ARP reply when it received the corresponding IP ARP reply.
- In this way, either the requesting or responding host in
- an IP ARP exchange may request that it receive trailer
- encapsulations.
-
- This scheme, using extra trailer ARP reply packets rather
- than sending an ARP request for the trailer protocol type,
- was designed to avoid a continuous exchange of ARP packets
- with a misbehaving host that, contrary to any
- specification or common sense, responded to an ARP reply
- for trailers with another ARP reply for IP. This problem
- is avoided by sending a trailer ARP reply in response to
- an IP ARP reply only when the IP ARP reply answers an
- outstanding request; this is true when the hardware
- address for the host is still unknown when the IP ARP
- reply is received. A trailer ARP reply may always be sent
- along with an IP ARP reply responding to an IP ARP
- request.
-
- 2.3.2 Address Resolution Protocol -- ARP
-
- 2.3.2.1 ARP Cache Validation
-
- An implementation of the Address Resolution Protocol (ARP)
- [LINK:2] MUST provide a mechanism to flush out-of-date cache
- entries. If this mechanism involves a timeout, it SHOULD be
- possible to configure the timeout value.
-
- A mechanism to prevent ARP flooding (repeatedly sending an
- ARP Request for the same IP address, at a high rate) MUST be
- included. The recommended maximum rate is 1 per second per
-
-
-
-Internet Engineering Task Force [Page 22]
-
-
-
-
-RFC1122 LINK LAYER October 1989
-
-
- destination.
-
- DISCUSSION:
- The ARP specification [LINK:2] suggests but does not
- require a timeout mechanism to invalidate cache entries
- when hosts change their Ethernet addresses. The
- prevalence of proxy ARP (see Section 2.4 of [INTRO:2])
- has significantly increased the likelihood that cache
- entries in hosts will become invalid, and therefore
- some ARP-cache invalidation mechanism is now required
- for hosts. Even in the absence of proxy ARP, a long-
- period cache timeout is useful in order to
- automatically correct any bad ARP data that might have
- been cached.
-
- IMPLEMENTATION:
- Four mechanisms have been used, sometimes in
- combination, to flush out-of-date cache entries.
-
- (1) Timeout -- Periodically time out cache entries,
- even if they are in use. Note that this timeout
- should be restarted when the cache entry is
- "refreshed" (by observing the source fields,
- regardless of target address, of an ARP broadcast
- from the system in question). For proxy ARP
- situations, the timeout needs to be on the order
- of a minute.
-
- (2) Unicast Poll -- Actively poll the remote host by
- periodically sending a point-to-point ARP Request
- to it, and delete the entry if no ARP Reply is
- received from N successive polls. Again, the
- timeout should be on the order of a minute, and
- typically N is 2.
-
- (3) Link-Layer Advice -- If the link-layer driver
- detects a delivery problem, flush the
- corresponding ARP cache entry.
-
- (4) Higher-layer Advice -- Provide a call from the
- Internet layer to the link layer to indicate a
- delivery problem. The effect of this call would
- be to invalidate the corresponding cache entry.
- This call would be analogous to the
- "ADVISE_DELIVPROB()" call from the transport layer
- to the Internet layer (see Section 3.4), and in
- fact the ADVISE_DELIVPROB routine might in turn
- call the link-layer advice routine to invalidate
-
-
-
-Internet Engineering Task Force [Page 23]
-
-
-
-
-RFC1122 LINK LAYER October 1989
-
-
- the ARP cache entry.
-
- Approaches (1) and (2) involve ARP cache timeouts on
- the order of a minute or less. In the absence of proxy
- ARP, a timeout this short could create noticeable
- overhead traffic on a very large Ethernet. Therefore,
- it may be necessary to configure a host to lengthen the
- ARP cache timeout.
-
- 2.3.2.2 ARP Packet Queue
-
- The link layer SHOULD save (rather than discard) at least
- one (the latest) packet of each set of packets destined to
- the same unresolved IP address, and transmit the saved
- packet when the address has been resolved.
-
- DISCUSSION:
- Failure to follow this recommendation causes the first
- packet of every exchange to be lost. Although higher-
- layer protocols can generally cope with packet loss by
- retransmission, packet loss does impact performance.
- For example, loss of a TCP open request causes the
- initial round-trip time estimate to be inflated. UDP-
- based applications such as the Domain Name System are
- more seriously affected.
-
- 2.3.3 Ethernet and IEEE 802 Encapsulation
-
- The IP encapsulation for Ethernets is described in RFC-894
- [LINK:3], while RFC-1042 [LINK:4] describes the IP
- encapsulation for IEEE 802 networks. RFC-1042 elaborates and
- replaces the discussion in Section 3.4 of [INTRO:2].
-
- Every Internet host connected to a 10Mbps Ethernet cable:
-
- o MUST be able to send and receive packets using RFC-894
- encapsulation;
-
- o SHOULD be able to receive RFC-1042 packets, intermixed
- with RFC-894 packets; and
-
- o MAY be able to send packets using RFC-1042 encapsulation.
-
-
- An Internet host that implements sending both the RFC-894 and
- the RFC-1042 encapsulations MUST provide a configuration switch
- to select which is sent, and this switch MUST default to RFC-
- 894.
-
-
-
-Internet Engineering Task Force [Page 24]
-
-
-
-
-RFC1122 LINK LAYER October 1989
-
-
- Note that the standard IP encapsulation in RFC-1042 does not
- use the protocol id value (K1=6) that IEEE reserved for IP;
- instead, it uses a value (K1=170) that implies an extension
- (the "SNAP") which can be used to hold the Ether-Type field.
- An Internet system MUST NOT send 802 packets using K1=6.
-
- Address translation from Internet addresses to link-layer
- addresses on Ethernet and IEEE 802 networks MUST be managed by
- the Address Resolution Protocol (ARP).
-
- The MTU for an Ethernet is 1500 and for 802.3 is 1492.
-
- DISCUSSION:
- The IEEE 802.3 specification provides for operation over a
- 10Mbps Ethernet cable, in which case Ethernet and IEEE
- 802.3 frames can be physically intermixed. A receiver can
- distinguish Ethernet and 802.3 frames by the value of the
- 802.3 Length field; this two-octet field coincides in the
- header with the Ether-Type field of an Ethernet frame. In
- particular, the 802.3 Length field must be less than or
- equal to 1500, while all valid Ether-Type values are
- greater than 1500.
-
- Another compatibility problem arises with link-layer
- broadcasts. A broadcast sent with one framing will not be
- seen by hosts that can receive only the other framing.
-
- The provisions of this section were designed to provide
- direct interoperation between 894-capable and 1042-capable
- systems on the same cable, to the maximum extent possible.
- It is intended to support the present situation where
- 894-only systems predominate, while providing an easy
- transition to a possible future in which 1042-capable
- systems become common.
-
- Note that 894-only systems cannot interoperate directly
- with 1042-only systems. If the two system types are set
- up as two different logical networks on the same cable,
- they can communicate only through an IP gateway.
- Furthermore, it is not useful or even possible for a
- dual-format host to discover automatically which format to
- send, because of the problem of link-layer broadcasts.
-
- 2.4 LINK/INTERNET LAYER INTERFACE
-
- The packet receive interface between the IP layer and the link
- layer MUST include a flag to indicate whether the incoming packet
- was addressed to a link-layer broadcast address.
-
-
-
-Internet Engineering Task Force [Page 25]
-
-
-
-
-RFC1122 LINK LAYER October 1989
-
-
- DISCUSSION
- Although the IP layer does not generally know link layer
- addresses (since every different network medium typically has
- a different address format), the broadcast address on a
- broadcast-capable medium is an important special case. See
- Section 3.2.2, especially the DISCUSSION concerning broadcast
- storms.
-
- The packet send interface between the IP and link layers MUST
- include the 5-bit TOS field (see Section 3.2.1.6).
-
- The link layer MUST NOT report a Destination Unreachable error to
- IP solely because there is no ARP cache entry for a destination.
-
- 2.5 LINK LAYER REQUIREMENTS SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION| | | |T|T|e
---------------------------------------------------|-------|-|-|-|-|-|--
- | | | | | | |
-Trailer encapsulation |2.3.1 | | |x| | |
-Send Trailers by default without negotiation |2.3.1 | | | | |x|
-ARP |2.3.2 | | | | | |
- Flush out-of-date ARP cache entries |2.3.2.1|x| | | | |
- Prevent ARP floods |2.3.2.1|x| | | | |
- Cache timeout configurable |2.3.2.1| |x| | | |
- Save at least one (latest) unresolved pkt |2.3.2.2| |x| | | |
-Ethernet and IEEE 802 Encapsulation |2.3.3 | | | | | |
- Host able to: |2.3.3 | | | | | |
- Send & receive RFC-894 encapsulation |2.3.3 |x| | | | |
- Receive RFC-1042 encapsulation |2.3.3 | |x| | | |
- Send RFC-1042 encapsulation |2.3.3 | | |x| | |
- Then config. sw. to select, RFC-894 dflt |2.3.3 |x| | | | |
- Send K1=6 encapsulation |2.3.3 | | | | |x|
- Use ARP on Ethernet and IEEE 802 nets |2.3.3 |x| | | | |
-Link layer report b'casts to IP layer |2.4 |x| | | | |
-IP layer pass TOS to link layer |2.4 |x| | | | |
-No ARP cache entry treated as Dest. Unreach. |2.4 | | | | |x|
-
-
-
-
-
-Internet Engineering Task Force [Page 26]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
-3. INTERNET LAYER PROTOCOLS
-
- 3.1 INTRODUCTION
-
- The Robustness Principle: "Be liberal in what you accept, and
- conservative in what you send" is particularly important in the
- Internet layer, where one misbehaving host can deny Internet
- service to many other hosts.
-
- The protocol standards used in the Internet layer are:
-
- o RFC-791 [IP:1] defines the IP protocol and gives an
- introduction to the architecture of the Internet.
-
- o RFC-792 [IP:2] defines ICMP, which provides routing,
- diagnostic and error functionality for IP. Although ICMP
- messages are encapsulated within IP datagrams, ICMP
- processing is considered to be (and is typically implemented
- as) part of the IP layer. See Section 3.2.2.
-
- o RFC-950 [IP:3] defines the mandatory subnet extension to the
- addressing architecture.
-
- o RFC-1112 [IP:4] defines the Internet Group Management
- Protocol IGMP, as part of a recommended extension to hosts
- and to the host-gateway interface to support Internet-wide
- multicasting at the IP level. See Section 3.2.3.
-
- The target of an IP multicast may be an arbitrary group of
- Internet hosts. IP multicasting is designed as a natural
- extension of the link-layer multicasting facilities of some
- networks, and it provides a standard means for local access
- to such link-layer multicasting facilities.
-
- Other important references are listed in Section 5 of this
- document.
-
- The Internet layer of host software MUST implement both IP and
- ICMP. See Section 3.3.7 for the requirements on support of IGMP.
-
- The host IP layer has two basic functions: (1) choose the "next
- hop" gateway or host for outgoing IP datagrams and (2) reassemble
- incoming IP datagrams. The IP layer may also (3) implement
- intentional fragmentation of outgoing datagrams. Finally, the IP
- layer must (4) provide diagnostic and error functionality. We
- expect that IP layer functions may increase somewhat in the
- future, as further Internet control and management facilities are
- developed.
-
-
-
-Internet Engineering Task Force [Page 27]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- For normal datagrams, the processing is straightforward. For
- incoming datagrams, the IP layer:
-
- (1) verifies that the datagram is correctly formatted;
-
- (2) verifies that it is destined to the local host;
-
- (3) processes options;
-
- (4) reassembles the datagram if necessary; and
-
- (5) passes the encapsulated message to the appropriate
- transport-layer protocol module.
-
- For outgoing datagrams, the IP layer:
-
- (1) sets any fields not set by the transport layer;
-
- (2) selects the correct first hop on the connected network (a
- process called "routing");
-
- (3) fragments the datagram if necessary and if intentional
- fragmentation is implemented (see Section 3.3.3); and
-
- (4) passes the packet(s) to the appropriate link-layer driver.
-
-
- A host is said to be multihomed if it has multiple IP addresses.
- Multihoming introduces considerable confusion and complexity into
- the protocol suite, and it is an area in which the Internet
- architecture falls seriously short of solving all problems. There
- are two distinct problem areas in multihoming:
-
- (1) Local multihoming -- the host itself is multihomed; or
-
- (2) Remote multihoming -- the local host needs to communicate
- with a remote multihomed host.
-
- At present, remote multihoming MUST be handled at the application
- layer, as discussed in the companion RFC [INTRO:1]. A host MAY
- support local multihoming, which is discussed in this document,
- and in particular in Section 3.3.4.
-
- Any host that forwards datagrams generated by another host is
- acting as a gateway and MUST also meet the specifications laid out
- in the gateway requirements RFC [INTRO:2]. An Internet host that
- includes embedded gateway code MUST have a configuration switch to
- disable the gateway function, and this switch MUST default to the
-
-
-
-Internet Engineering Task Force [Page 28]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- non-gateway mode. In this mode, a datagram arriving through one
- interface will not be forwarded to another host or gateway (unless
- it is source-routed), regardless of whether the host is single-
- homed or multihomed. The host software MUST NOT automatically
- move into gateway mode if the host has more than one interface, as
- the operator of the machine may neither want to provide that
- service nor be competent to do so.
-
- In the following, the action specified in certain cases is to
- "silently discard" a received datagram. This means that the
- datagram will be discarded without further processing and that the
- host will not send any ICMP error message (see Section 3.2.2) as a
- result. However, for diagnosis of problems a host SHOULD provide
- the capability of logging the error (see Section 1.2.3), including
- the contents of the silently-discarded datagram, and SHOULD record
- the event in a statistics counter.
-
- DISCUSSION:
- Silent discard of erroneous datagrams is generally intended
- to prevent "broadcast storms".
-
- 3.2 PROTOCOL WALK-THROUGH
-
- 3.2.1 Internet Protocol -- IP
-
- 3.2.1.1 Version Number: RFC-791 Section 3.1
-
- A datagram whose version number is not 4 MUST be silently
- discarded.
-
- 3.2.1.2 Checksum: RFC-791 Section 3.1
-
- A host MUST verify the IP header checksum on every received
- datagram and silently discard every datagram that has a bad
- checksum.
-
- 3.2.1.3 Addressing: RFC-791 Section 3.2
-
- There are now five classes of IP addresses: Class A through
- Class E. Class D addresses are used for IP multicasting
- [IP:4], while Class E addresses are reserved for
- experimental use.
-
- A multicast (Class D) address is a 28-bit logical address
- that stands for a group of hosts, and may be either
- permanent or transient. Permanent multicast addresses are
- allocated by the Internet Assigned Number Authority
- [INTRO:6], while transient addresses may be allocated
-
-
-
-Internet Engineering Task Force [Page 29]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- dynamically to transient groups. Group membership is
- determined dynamically using IGMP [IP:4].
-
- We now summarize the important special cases for Class A, B,
- and C IP addresses, using the following notation for an IP
- address:
-
- { <Network-number>, <Host-number> }
-
- or
- { <Network-number>, <Subnet-number>, <Host-number> }
-
- and the notation "-1" for a field that contains all 1 bits.
- This notation is not intended to imply that the 1-bits in an
- address mask need be contiguous.
-
- (a) { 0, 0 }
-
- This host on this network. MUST NOT be sent, except as
- a source address as part of an initialization procedure
- by which the host learns its own IP address.
-
- See also Section 3.3.6 for a non-standard use of {0,0}.
-
- (b) { 0, <Host-number> }
-
- Specified host on this network. It MUST NOT be sent,
- except as a source address as part of an initialization
- procedure by which the host learns its full IP address.
-
- (c) { -1, -1 }
-
- Limited broadcast. It MUST NOT be used as a source
- address.
-
- A datagram with this destination address will be
- received by every host on the connected physical
- network but will not be forwarded outside that network.
-
- (d) { <Network-number>, -1 }
-
- Directed broadcast to the specified network. It MUST
- NOT be used as a source address.
-
- (e) { <Network-number>, <Subnet-number>, -1 }
-
- Directed broadcast to the specified subnet. It MUST
- NOT be used as a source address.
-
-
-
-Internet Engineering Task Force [Page 30]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- (f) { <Network-number>, -1, -1 }
-
- Directed broadcast to all subnets of the specified
- subnetted network. It MUST NOT be used as a source
- address.
-
- (g) { 127, <any> }
-
- Internal host loopback address. Addresses of this form
- MUST NOT appear outside a host.
-
- The <Network-number> is administratively assigned so that
- its value will be unique in the entire world.
-
- IP addresses are not permitted to have the value 0 or -1 for
- any of the <Host-number>, <Network-number>, or <Subnet-
- number> fields (except in the special cases listed above).
- This implies that each of these fields will be at least two
- bits long.
-
- For further discussion of broadcast addresses, see Section
- 3.3.6.
-
- A host MUST support the subnet extensions to IP [IP:3]. As
- a result, there will be an address mask of the form:
- {-1, -1, 0} associated with each of the host's local IP
- addresses; see Sections 3.2.2.9 and 3.3.1.1.
-
- When a host sends any datagram, the IP source address MUST
- be one of its own IP addresses (but not a broadcast or
- multicast address).
-
- A host MUST silently discard an incoming datagram that is
- not destined for the host. An incoming datagram is destined
- for the host if the datagram's destination address field is:
-
- (1) (one of) the host's IP address(es); or
-
- (2) an IP broadcast address valid for the connected
- network; or
-
- (3) the address for a multicast group of which the host is
- a member on the incoming physical interface.
-
- For most purposes, a datagram addressed to a broadcast or
- multicast destination is processed as if it had been
- addressed to one of the host's IP addresses; we use the term
- "specific-destination address" for the equivalent local IP
-
-
-
-Internet Engineering Task Force [Page 31]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- address of the host. The specific-destination address is
- defined to be the destination address in the IP header
- unless the header contains a broadcast or multicast address,
- in which case the specific-destination is an IP address
- assigned to the physical interface on which the datagram
- arrived.
-
- A host MUST silently discard an incoming datagram containing
- an IP source address that is invalid by the rules of this
- section. This validation could be done in either the IP
- layer or by each protocol in the transport layer.
-
- DISCUSSION:
- A mis-addressed datagram might be caused by a link-
- layer broadcast of a unicast datagram or by a gateway
- or host that is confused or mis-configured.
-
- An architectural goal for Internet hosts was to allow
- IP addresses to be featureless 32-bit numbers, avoiding
- algorithms that required a knowledge of the IP address
- format. Otherwise, any future change in the format or
- interpretation of IP addresses will require host
- software changes. However, validation of broadcast and
- multicast addresses violates this goal; a few other
- violations are described elsewhere in this document.
-
- Implementers should be aware that applications
- depending upon the all-subnets directed broadcast
- address (f) may be unusable on some networks. All-
- subnets broadcast is not widely implemented in vendor
- gateways at present, and even when it is implemented, a
- particular network administration may disable it in the
- gateway configuration.
-
- 3.2.1.4 Fragmentation and Reassembly: RFC-791 Section 3.2
-
- The Internet model requires that every host support
- reassembly. See Sections 3.3.2 and 3.3.3 for the
- requirements on fragmentation and reassembly.
-
- 3.2.1.5 Identification: RFC-791 Section 3.2
-
- When sending an identical copy of an earlier datagram, a
- host MAY optionally retain the same Identification field in
- the copy.
-
-
-
-
-
-
-Internet Engineering Task Force [Page 32]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- DISCUSSION:
- Some Internet protocol experts have maintained that
- when a host sends an identical copy of an earlier
- datagram, the new copy should contain the same
- Identification value as the original. There are two
- suggested advantages: (1) if the datagrams are
- fragmented and some of the fragments are lost, the
- receiver may be able to reconstruct a complete datagram
- from fragments of the original and the copies; (2) a
- congested gateway might use the IP Identification field
- (and Fragment Offset) to discard duplicate datagrams
- from the queue.
-
- However, the observed patterns of datagram loss in the
- Internet do not favor the probability of retransmitted
- fragments filling reassembly gaps, while other
- mechanisms (e.g., TCP repacketizing upon
- retransmission) tend to prevent retransmission of an
- identical datagram [IP:9]. Therefore, we believe that
- retransmitting the same Identification field is not
- useful. Also, a connectionless transport protocol like
- UDP would require the cooperation of the application
- programs to retain the same Identification value in
- identical datagrams.
-
- 3.2.1.6 Type-of-Service: RFC-791 Section 3.2
-
- The "Type-of-Service" byte in the IP header is divided into
- two sections: the Precedence field (high-order 3 bits), and
- a field that is customarily called "Type-of-Service" or
- "TOS" (low-order 5 bits). In this document, all references
- to "TOS" or the "TOS field" refer to the low-order 5 bits
- only.
-
- The Precedence field is intended for Department of Defense
- applications of the Internet protocols. The use of non-zero
- values in this field is outside the scope of this document
- and the IP standard specification. Vendors should consult
- the Defense Communication Agency (DCA) for guidance on the
- IP Precedence field and its implications for other protocol
- layers. However, vendors should note that the use of
- precedence will most likely require that its value be passed
- between protocol layers in just the same way as the TOS
- field is passed.
-
- The IP layer MUST provide a means for the transport layer to
- set the TOS field of every datagram that is sent; the
- default is all zero bits. The IP layer SHOULD pass received
-
-
-
-Internet Engineering Task Force [Page 33]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- TOS values up to the transport layer.
-
- The particular link-layer mappings of TOS contained in RFC-
- 795 SHOULD NOT be implemented.
-
- DISCUSSION:
- While the TOS field has been little used in the past,
- it is expected to play an increasing role in the near
- future. The TOS field is expected to be used to
- control two aspects of gateway operations: routing and
- queueing algorithms. See Section 2 of [INTRO:1] for
- the requirements on application programs to specify TOS
- values.
-
- The TOS field may also be mapped into link-layer
- service selectors. This has been applied to provide
- effective sharing of serial lines by different classes
- of TCP traffic, for example. However, the mappings
- suggested in RFC-795 for networks that were included in
- the Internet as of 1981 are now obsolete.
-
- 3.2.1.7 Time-to-Live: RFC-791 Section 3.2
-
- A host MUST NOT send a datagram with a Time-to-Live (TTL)
- value of zero.
-
- A host MUST NOT discard a datagram just because it was
- received with TTL less than 2.
-
- The IP layer MUST provide a means for the transport layer to
- set the TTL field of every datagram that is sent. When a
- fixed TTL value is used, it MUST be configurable. The
- current suggested value will be published in the "Assigned
- Numbers" RFC.
-
- DISCUSSION:
- The TTL field has two functions: limit the lifetime of
- TCP segments (see RFC-793 [TCP:1], p. 28), and
- terminate Internet routing loops. Although TTL is a
- time in seconds, it also has some attributes of a hop-
- count, since each gateway is required to reduce the TTL
- field by at least one.
-
- The intent is that TTL expiration will cause a datagram
- to be discarded by a gateway but not by the destination
- host; however, hosts that act as gateways by forwarding
- datagrams must follow the gateway rules for TTL.
-
-
-
-
-Internet Engineering Task Force [Page 34]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- A higher-layer protocol may want to set the TTL in
- order to implement an "expanding scope" search for some
- Internet resource. This is used by some diagnostic
- tools, and is expected to be useful for locating the
- "nearest" server of a given class using IP
- multicasting, for example. A particular transport
- protocol may also want to specify its own TTL bound on
- maximum datagram lifetime.
-
- A fixed value must be at least big enough for the
- Internet "diameter," i.e., the longest possible path.
- A reasonable value is about twice the diameter, to
- allow for continued Internet growth.
-
- 3.2.1.8 Options: RFC-791 Section 3.2
-
- There MUST be a means for the transport layer to specify IP
- options to be included in transmitted IP datagrams (see
- Section 3.4).
-
- All IP options (except NOP or END-OF-LIST) received in
- datagrams MUST be passed to the transport layer (or to ICMP
- processing when the datagram is an ICMP message). The IP
- and transport layer MUST each interpret those IP options
- that they understand and silently ignore the others.
-
- Later sections of this document discuss specific IP option
- support required by each of ICMP, TCP, and UDP.
-
- DISCUSSION:
- Passing all received IP options to the transport layer
- is a deliberate "violation of strict layering" that is
- designed to ease the introduction of new transport-
- relevant IP options in the future. Each layer must
- pick out any options that are relevant to its own
- processing and ignore the rest. For this purpose,
- every IP option except NOP and END-OF-LIST will include
- a specification of its own length.
-
- This document does not define the order in which a
- receiver must process multiple options in the same IP
- header. Hosts sending multiple options must be aware
- that this introduces an ambiguity in the meaning of
- certain options when combined with a source-route
- option.
-
- IMPLEMENTATION:
- The IP layer must not crash as the result of an option
-
-
-
-Internet Engineering Task Force [Page 35]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- length that is outside the possible range. For
- example, erroneous option lengths have been observed to
- put some IP implementations into infinite loops.
-
- Here are the requirements for specific IP options:
-
-
- (a) Security Option
-
- Some environments require the Security option in every
- datagram; such a requirement is outside the scope of
- this document and the IP standard specification. Note,
- however, that the security options described in RFC-791
- and RFC-1038 are obsolete. For DoD applications,
- vendors should consult [IP:8] for guidance.
-
-
- (b) Stream Identifier Option
-
- This option is obsolete; it SHOULD NOT be sent, and it
- MUST be silently ignored if received.
-
-
- (c) Source Route Options
-
- A host MUST support originating a source route and MUST
- be able to act as the final destination of a source
- route.
-
- If host receives a datagram containing a completed
- source route (i.e., the pointer points beyond the last
- field), the datagram has reached its final destination;
- the option as received (the recorded route) MUST be
- passed up to the transport layer (or to ICMP message
- processing). This recorded route will be reversed and
- used to form a return source route for reply datagrams
- (see discussion of IP Options in Section 4). When a
- return source route is built, it MUST be correctly
- formed even if the recorded route included the source
- host (see case (B) in the discussion below).
-
- An IP header containing more than one Source Route
- option MUST NOT be sent; the effect on routing of
- multiple Source Route options is implementation-
- specific.
-
- Section 3.3.5 presents the rules for a host acting as
- an intermediate hop in a source route, i.e., forwarding
-
-
-
-Internet Engineering Task Force [Page 36]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- a source-routed datagram.
-
- DISCUSSION:
- If a source-routed datagram is fragmented, each
- fragment will contain a copy of the source route.
- Since the processing of IP options (including a
- source route) must precede reassembly, the
- original datagram will not be reassembled until
- the final destination is reached.
-
- Suppose a source routed datagram is to be routed
- from host S to host D via gateways G1, G2, ... Gn.
- There was an ambiguity in the specification over
- whether the source route option in a datagram sent
- out by S should be (A) or (B):
-
- (A): {>>G2, G3, ... Gn, D} <--- CORRECT
-
- (B): {S, >>G2, G3, ... Gn, D} <---- WRONG
-
- (where >> represents the pointer). If (A) is
- sent, the datagram received at D will contain the
- option: {G1, G2, ... Gn >>}, with S and D as the
- IP source and destination addresses. If (B) were
- sent, the datagram received at D would again
- contain S and D as the same IP source and
- destination addresses, but the option would be:
- {S, G1, ...Gn >>}; i.e., the originating host
- would be the first hop in the route.
-
-
- (d) Record Route Option
-
- Implementation of originating and processing the Record
- Route option is OPTIONAL.
-
-
- (e) Timestamp Option
-
- Implementation of originating and processing the
- Timestamp option is OPTIONAL. If it is implemented,
- the following rules apply:
-
- o The originating host MUST record a timestamp in a
- Timestamp option whose Internet address fields are
- not pre-specified or whose first pre-specified
- address is the host's interface address.
-
-
-
-
-Internet Engineering Task Force [Page 37]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- o The destination host MUST (if possible) add the
- current timestamp to a Timestamp option before
- passing the option to the transport layer or to
- ICMP for processing.
-
- o A timestamp value MUST follow the rules given in
- Section 3.2.2.8 for the ICMP Timestamp message.
-
-
- 3.2.2 Internet Control Message Protocol -- ICMP
-
- ICMP messages are grouped into two classes.
-
- *
- ICMP error messages:
-
- Destination Unreachable (see Section 3.2.2.1)
- Redirect (see Section 3.2.2.2)
- Source Quench (see Section 3.2.2.3)
- Time Exceeded (see Section 3.2.2.4)
- Parameter Problem (see Section 3.2.2.5)
-
-
- *
- ICMP query messages:
-
- Echo (see Section 3.2.2.6)
- Information (see Section 3.2.2.7)
- Timestamp (see Section 3.2.2.8)
- Address Mask (see Section 3.2.2.9)
-
-
- If an ICMP message of unknown type is received, it MUST be
- silently discarded.
-
- Every ICMP error message includes the Internet header and at
- least the first 8 data octets of the datagram that triggered
- the error; more than 8 octets MAY be sent; this header and data
- MUST be unchanged from the received datagram.
-
- In those cases where the Internet layer is required to pass an
- ICMP error message to the transport layer, the IP protocol
- number MUST be extracted from the original header and used to
- select the appropriate transport protocol entity to handle the
- error.
-
- An ICMP error message SHOULD be sent with normal (i.e., zero)
- TOS bits.
-
-
-
-Internet Engineering Task Force [Page 38]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- An ICMP error message MUST NOT be sent as the result of
- receiving:
-
- * an ICMP error message, or
-
- * a datagram destined to an IP broadcast or IP multicast
- address, or
-
- * a datagram sent as a link-layer broadcast, or
-
- * a non-initial fragment, or
-
- * a datagram whose source address does not define a single
- host -- e.g., a zero address, a loopback address, a
- broadcast address, a multicast address, or a Class E
- address.
-
- NOTE: THESE RESTRICTIONS TAKE PRECEDENCE OVER ANY REQUIREMENT
- ELSEWHERE IN THIS DOCUMENT FOR SENDING ICMP ERROR MESSAGES.
-
- DISCUSSION:
- These rules will prevent the "broadcast storms" that have
- resulted from hosts returning ICMP error messages in
- response to broadcast datagrams. For example, a broadcast
- UDP segment to a non-existent port could trigger a flood
- of ICMP Destination Unreachable datagrams from all
- machines that do not have a client for that destination
- port. On a large Ethernet, the resulting collisions can
- render the network useless for a second or more.
-
- Every datagram that is broadcast on the connected network
- should have a valid IP broadcast address as its IP
- destination (see Section 3.3.6). However, some hosts
- violate this rule. To be certain to detect broadcast
- datagrams, therefore, hosts are required to check for a
- link-layer broadcast as well as an IP-layer broadcast
- address.
-
- IMPLEMENTATION:
- This requires that the link layer inform the IP layer when
- a link-layer broadcast datagram has been received; see
- Section 2.4.
-
- 3.2.2.1 Destination Unreachable: RFC-792
-
- The following additional codes are hereby defined:
-
- 6 = destination network unknown
-
-
-
-Internet Engineering Task Force [Page 39]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- 7 = destination host unknown
-
- 8 = source host isolated
-
- 9 = communication with destination network
- administratively prohibited
-
- 10 = communication with destination host
- administratively prohibited
-
- 11 = network unreachable for type of service
-
- 12 = host unreachable for type of service
-
- A host SHOULD generate Destination Unreachable messages with
- code:
-
- 2 (Protocol Unreachable), when the designated transport
- protocol is not supported; or
-
- 3 (Port Unreachable), when the designated transport
- protocol (e.g., UDP) is unable to demultiplex the
- datagram but has no protocol mechanism to inform the
- sender.
-
- A Destination Unreachable message that is received MUST be
- reported to the transport layer. The transport layer SHOULD
- use the information appropriately; for example, see Sections
- 4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
- that has its own mechanism for notifying the sender that a
- port is unreachable (e.g., TCP, which sends RST segments)
- MUST nevertheless accept an ICMP Port Unreachable for the
- same purpose.
-
- A Destination Unreachable message that is received with code
- 0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
- routing transient and MUST therefore be interpreted as only
- a hint, not proof, that the specified destination is
- unreachable [IP:11]. For example, it MUST NOT be used as
- proof of a dead gateway (see Section 3.3.1).
-
- 3.2.2.2 Redirect: RFC-792
-
- A host SHOULD NOT send an ICMP Redirect message; Redirects
- are to be sent only by gateways.
-
- A host receiving a Redirect message MUST update its routing
- information accordingly. Every host MUST be prepared to
-
-
-
-Internet Engineering Task Force [Page 40]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- accept both Host and Network Redirects and to process them
- as described in Section 3.3.1.2 below.
-
- A Redirect message SHOULD be silently discarded if the new
- gateway address it specifies is not on the same connected
- (sub-) net through which the Redirect arrived [INTRO:2,
- Appendix A], or if the source of the Redirect is not the
- current first-hop gateway for the specified destination (see
- Section 3.3.1).
-
- 3.2.2.3 Source Quench: RFC-792
-
- A host MAY send a Source Quench message if it is
- approaching, or has reached, the point at which it is forced
- to discard incoming datagrams due to a shortage of
- reassembly buffers or other resources. See Section 2.2.3 of
- [INTRO:2] for suggestions on when to send Source Quench.
-
- If a Source Quench message is received, the IP layer MUST
- report it to the transport layer (or ICMP processing). In
- general, the transport or application layer SHOULD implement
- a mechanism to respond to Source Quench for any protocol
- that can send a sequence of datagrams to the same
- destination and which can reasonably be expected to maintain
- enough state information to make this feasible. See Section
- 4 for the handling of Source Quench by TCP and UDP.
-
- DISCUSSION:
- A Source Quench may be generated by the target host or
- by some gateway in the path of a datagram. The host
- receiving a Source Quench should throttle itself back
- for a period of time, then gradually increase the
- transmission rate again. The mechanism to respond to
- Source Quench may be in the transport layer (for
- connection-oriented protocols like TCP) or in the
- application layer (for protocols that are built on top
- of UDP).
-
- A mechanism has been proposed [IP:14] to make the IP
- layer respond directly to Source Quench by controlling
- the rate at which datagrams are sent, however, this
- proposal is currently experimental and not currently
- recommended.
-
- 3.2.2.4 Time Exceeded: RFC-792
-
- An incoming Time Exceeded message MUST be passed to the
- transport layer.
-
-
-
-Internet Engineering Task Force [Page 41]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- DISCUSSION:
- A gateway will send a Time Exceeded Code 0 (In Transit)
- message when it discards a datagram due to an expired
- TTL field. This indicates either a gateway routing
- loop or too small an initial TTL value.
-
- A host may receive a Time Exceeded Code 1 (Reassembly
- Timeout) message from a destination host that has timed
- out and discarded an incomplete datagram; see Section
- 3.3.2 below. In the future, receipt of this message
- might be part of some "MTU discovery" procedure, to
- discover the maximum datagram size that can be sent on
- the path without fragmentation.
-
- 3.2.2.5 Parameter Problem: RFC-792
-
- A host SHOULD generate Parameter Problem messages. An
- incoming Parameter Problem message MUST be passed to the
- transport layer, and it MAY be reported to the user.
-
- DISCUSSION:
- The ICMP Parameter Problem message is sent to the
- source host for any problem not specifically covered by
- another ICMP message. Receipt of a Parameter Problem
- message generally indicates some local or remote
- implementation error.
-
- A new variant on the Parameter Problem message is hereby
- defined:
- Code 1 = required option is missing.
-
- DISCUSSION:
- This variant is currently in use in the military
- community for a missing security option.
-
- 3.2.2.6 Echo Request/Reply: RFC-792
-
- Every host MUST implement an ICMP Echo server function that
- receives Echo Requests and sends corresponding Echo Replies.
- A host SHOULD also implement an application-layer interface
- for sending an Echo Request and receiving an Echo Reply, for
- diagnostic purposes.
-
- An ICMP Echo Request destined to an IP broadcast or IP
- multicast address MAY be silently discarded.
-
-
-
-
-
-
-Internet Engineering Task Force [Page 42]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- DISCUSSION:
- This neutral provision results from a passionate debate
- between those who feel that ICMP Echo to a broadcast
- address provides a valuable diagnostic capability and
- those who feel that misuse of this feature can too
- easily create packet storms.
-
- The IP source address in an ICMP Echo Reply MUST be the same
- as the specific-destination address (defined in Section
- 3.2.1.3) of the corresponding ICMP Echo Request message.
-
- Data received in an ICMP Echo Request MUST be entirely
- included in the resulting Echo Reply. However, if sending
- the Echo Reply requires intentional fragmentation that is
- not implemented, the datagram MUST be truncated to maximum
- transmission size (see Section 3.3.3) and sent.
-
- Echo Reply messages MUST be passed to the ICMP user
- interface, unless the corresponding Echo Request originated
- in the IP layer.
-
- If a Record Route and/or Time Stamp option is received in an
- ICMP Echo Request, this option (these options) SHOULD be
- updated to include the current host and included in the IP
- header of the Echo Reply message, without "truncation".
- Thus, the recorded route will be for the entire round trip.
-
- If a Source Route option is received in an ICMP Echo
- Request, the return route MUST be reversed and used as a
- Source Route option for the Echo Reply message.
-
- 3.2.2.7 Information Request/Reply: RFC-792
-
- A host SHOULD NOT implement these messages.
-
- DISCUSSION:
- The Information Request/Reply pair was intended to
- support self-configuring systems such as diskless
- workstations, to allow them to discover their IP
- network numbers at boot time. However, the RARP and
- BOOTP protocols provide better mechanisms for a host to
- discover its own IP address.
-
- 3.2.2.8 Timestamp and Timestamp Reply: RFC-792
-
- A host MAY implement Timestamp and Timestamp Reply. If they
- are implemented, the following rules MUST be followed.
-
-
-
-
-Internet Engineering Task Force [Page 43]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- o The ICMP Timestamp server function returns a Timestamp
- Reply to every Timestamp message that is received. If
- this function is implemented, it SHOULD be designed for
- minimum variability in delay (e.g., implemented in the
- kernel to avoid delay in scheduling a user process).
-
- The following cases for Timestamp are to be handled
- according to the corresponding rules for ICMP Echo:
-
- o An ICMP Timestamp Request message to an IP broadcast or
- IP multicast address MAY be silently discarded.
-
- o The IP source address in an ICMP Timestamp Reply MUST
- be the same as the specific-destination address of the
- corresponding Timestamp Request message.
-
- o If a Source-route option is received in an ICMP Echo
- Request, the return route MUST be reversed and used as
- a Source Route option for the Timestamp Reply message.
-
- o If a Record Route and/or Timestamp option is received
- in a Timestamp Request, this (these) option(s) SHOULD
- be updated to include the current host and included in
- the IP header of the Timestamp Reply message.
-
- o Incoming Timestamp Reply messages MUST be passed up to
- the ICMP user interface.
-
- The preferred form for a timestamp value (the "standard
- value") is in units of milliseconds since midnight Universal
- Time. However, it may be difficult to provide this value
- with millisecond resolution. For example, many systems use
- clocks that update only at line frequency, 50 or 60 times
- per second. Therefore, some latitude is allowed in a
- "standard value":
-
- (a) A "standard value" MUST be updated at least 15 times
- per second (i.e., at most the six low-order bits of the
- value may be undefined).
-
- (b) The accuracy of a "standard value" MUST approximate
- that of operator-set CPU clocks, i.e., correct within a
- few minutes.
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 44]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- 3.2.2.9 Address Mask Request/Reply: RFC-950
-
- A host MUST support the first, and MAY implement all three,
- of the following methods for determining the address mask(s)
- corresponding to its IP address(es):
-
- (1) static configuration information;
-
- (2) obtaining the address mask(s) dynamically as a side-
- effect of the system initialization process (see
- [INTRO:1]); and
-
- (3) sending ICMP Address Mask Request(s) and receiving ICMP
- Address Mask Reply(s).
-
- The choice of method to be used in a particular host MUST be
- configurable.
-
- When method (3), the use of Address Mask messages, is
- enabled, then:
-
- (a) When it initializes, the host MUST broadcast an Address
- Mask Request message on the connected network
- corresponding to the IP address. It MUST retransmit
- this message a small number of times if it does not
- receive an immediate Address Mask Reply.
-
- (b) Until it has received an Address Mask Reply, the host
- SHOULD assume a mask appropriate for the address class
- of the IP address, i.e., assume that the connected
- network is not subnetted.
-
- (c) The first Address Mask Reply message received MUST be
- used to set the address mask corresponding to the
- particular local IP address. This is true even if the
- first Address Mask Reply message is "unsolicited", in
- which case it will have been broadcast and may arrive
- after the host has ceased to retransmit Address Mask
- Requests. Once the mask has been set by an Address
- Mask Reply, later Address Mask Reply messages MUST be
- (silently) ignored.
-
- Conversely, if Address Mask messages are disabled, then no
- ICMP Address Mask Requests will be sent, and any ICMP
- Address Mask Replies received for that local IP address MUST
- be (silently) ignored.
-
- A host SHOULD make some reasonableness check on any address
-
-
-
-Internet Engineering Task Force [Page 45]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- mask it installs; see IMPLEMENTATION section below.
-
- A system MUST NOT send an Address Mask Reply unless it is an
- authoritative agent for address masks. An authoritative
- agent may be a host or a gateway, but it MUST be explicitly
- configured as a address mask agent. Receiving an address
- mask via an Address Mask Reply does not give the receiver
- authority and MUST NOT be used as the basis for issuing
- Address Mask Replies.
-
- With a statically configured address mask, there SHOULD be
- an additional configuration flag that determines whether the
- host is to act as an authoritative agent for this mask,
- i.e., whether it will answer Address Mask Request messages
- using this mask.
-
- If it is configured as an agent, the host MUST broadcast an
- Address Mask Reply for the mask on the appropriate interface
- when it initializes.
-
- See "System Initialization" in [INTRO:1] for more
- information about the use of Address Mask Request/Reply
- messages.
-
- DISCUSSION
- Hosts that casually send Address Mask Replies with
- invalid address masks have often been a serious
- nuisance. To prevent this, Address Mask Replies ought
- to be sent only by authoritative agents that have been
- selected by explicit administrative action.
-
- When an authoritative agent receives an Address Mask
- Request message, it will send a unicast Address Mask
- Reply to the source IP address. If the network part of
- this address is zero (see (a) and (b) in 3.2.1.3), the
- Reply will be broadcast.
-
- Getting no reply to its Address Mask Request messages,
- a host will assume there is no agent and use an
- unsubnetted mask, but the agent may be only temporarily
- unreachable. An agent will broadcast an unsolicited
- Address Mask Reply whenever it initializes, in order to
- update the masks of all hosts that have initialized in
- the meantime.
-
- IMPLEMENTATION:
- The following reasonableness check on an address mask
- is suggested: the mask is not all 1 bits, and it is
-
-
-
-Internet Engineering Task Force [Page 46]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- either zero or else the 8 highest-order bits are on.
-
- 3.2.3 Internet Group Management Protocol IGMP
-
- IGMP [IP:4] is a protocol used between hosts and gateways on a
- single network to establish hosts' membership in particular
- multicast groups. The gateways use this information, in
- conjunction with a multicast routing protocol, to support IP
- multicasting across the Internet.
-
- At this time, implementation of IGMP is OPTIONAL; see Section
- 3.3.7 for more information. Without IGMP, a host can still
- participate in multicasting local to its connected networks.
-
- 3.3 SPECIFIC ISSUES
-
- 3.3.1 Routing Outbound Datagrams
-
- The IP layer chooses the correct next hop for each datagram it
- sends. If the destination is on a connected network, the
- datagram is sent directly to the destination host; otherwise,
- it has to be routed to a gateway on a connected network.
-
- 3.3.1.1 Local/Remote Decision
-
- To decide if the destination is on a connected network, the
- following algorithm MUST be used [see IP:3]:
-
- (a) The address mask (particular to a local IP address for
- a multihomed host) is a 32-bit mask that selects the
- network number and subnet number fields of the
- corresponding IP address.
-
- (b) If the IP destination address bits extracted by the
- address mask match the IP source address bits extracted
- by the same mask, then the destination is on the
- corresponding connected network, and the datagram is to
- be transmitted directly to the destination host.
-
- (c) If not, then the destination is accessible only through
- a gateway. Selection of a gateway is described below
- (3.3.1.2).
-
- A special-case destination address is handled as follows:
-
- * For a limited broadcast or a multicast address, simply
- pass the datagram to the link layer for the appropriate
- interface.
-
-
-
-Internet Engineering Task Force [Page 47]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- * For a (network or subnet) directed broadcast, the
- datagram can use the standard routing algorithms.
-
- The host IP layer MUST operate correctly in a minimal
- network environment, and in particular, when there are no
- gateways. For example, if the IP layer of a host insists on
- finding at least one gateway to initialize, the host will be
- unable to operate on a single isolated broadcast net.
-
- 3.3.1.2 Gateway Selection
-
- To efficiently route a series of datagrams to the same
- destination, the source host MUST keep a "route cache" of
- mappings to next-hop gateways. A host uses the following
- basic algorithm on this cache to route a datagram; this
- algorithm is designed to put the primary routing burden on
- the gateways [IP:11].
-
- (a) If the route cache contains no information for a
- particular destination, the host chooses a "default"
- gateway and sends the datagram to it. It also builds a
- corresponding Route Cache entry.
-
- (b) If that gateway is not the best next hop to the
- destination, the gateway will forward the datagram to
- the best next-hop gateway and return an ICMP Redirect
- message to the source host.
-
- (c) When it receives a Redirect, the host updates the
- next-hop gateway in the appropriate route cache entry,
- so later datagrams to the same destination will go
- directly to the best gateway.
-
- Since the subnet mask appropriate to the destination address
- is generally not known, a Network Redirect message SHOULD be
- treated identically to a Host Redirect message; i.e., the
- cache entry for the destination host (only) would be updated
- (or created, if an entry for that host did not exist) for
- the new gateway.
-
- DISCUSSION:
- This recommendation is to protect against gateways that
- erroneously send Network Redirects for a subnetted
- network, in violation of the gateway requirements
- [INTRO:2].
-
- When there is no route cache entry for the destination host
- address (and the destination is not on the connected
-
-
-
-Internet Engineering Task Force [Page 48]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- network), the IP layer MUST pick a gateway from its list of
- "default" gateways. The IP layer MUST support multiple
- default gateways.
-
- As an extra feature, a host IP layer MAY implement a table
- of "static routes". Each such static route MAY include a
- flag specifying whether it may be overridden by ICMP
- Redirects.
-
- DISCUSSION:
- A host generally needs to know at least one default
- gateway to get started. This information can be
- obtained from a configuration file or else from the
- host startup sequence, e.g., the BOOTP protocol (see
- [INTRO:1]).
-
- It has been suggested that a host can augment its list
- of default gateways by recording any new gateways it
- learns about. For example, it can record every gateway
- to which it is ever redirected. Such a feature, while
- possibly useful in some circumstances, may cause
- problems in other cases (e.g., gateways are not all
- equal), and it is not recommended.
-
- A static route is typically a particular preset mapping
- from destination host or network into a particular
- next-hop gateway; it might also depend on the Type-of-
- Service (see next section). Static routes would be set
- up by system administrators to override the normal
- automatic routing mechanism, to handle exceptional
- situations. However, any static routing information is
- a potential source of failure as configurations change
- or equipment fails.
-
- 3.3.1.3 Route Cache
-
- Each route cache entry needs to include the following
- fields:
-
- (1) Local IP address (for a multihomed host)
-
- (2) Destination IP address
-
- (3) Type(s)-of-Service
-
- (4) Next-hop gateway IP address
-
- Field (2) MAY be the full IP address of the destination
-
-
-
-Internet Engineering Task Force [Page 49]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- host, or only the destination network number. Field (3),
- the TOS, SHOULD be included.
-
- See Section 3.3.4.2 for a discussion of the implications of
- multihoming for the lookup procedure in this cache.
-
- DISCUSSION:
- Including the Type-of-Service field in the route cache
- and considering it in the host route algorithm will
- provide the necessary mechanism for the future when
- Type-of-Service routing is commonly used in the
- Internet. See Section 3.2.1.6.
-
- Each route cache entry defines the endpoints of an
- Internet path. Although the connecting path may change
- dynamically in an arbitrary way, the transmission
- characteristics of the path tend to remain
- approximately constant over a time period longer than a
- single typical host-host transport connection.
- Therefore, a route cache entry is a natural place to
- cache data on the properties of the path. Examples of
- such properties might be the maximum unfragmented
- datagram size (see Section 3.3.3), or the average
- round-trip delay measured by a transport protocol.
- This data will generally be both gathered and used by a
- higher layer protocol, e.g., by TCP, or by an
- application using UDP. Experiments are currently in
- progress on caching path properties in this manner.
-
- There is no consensus on whether the route cache should
- be keyed on destination host addresses alone, or allow
- both host and network addresses. Those who favor the
- use of only host addresses argue that:
-
- (1) As required in Section 3.3.1.2, Redirect messages
- will generally result in entries keyed on
- destination host addresses; the simplest and most
- general scheme would be to use host addresses
- always.
-
- (2) The IP layer may not always know the address mask
- for a network address in a complex subnetted
- environment.
-
- (3) The use of only host addresses allows the
- destination address to be used as a pure 32-bit
- number, which may allow the Internet architecture
- to be more easily extended in the future without
-
-
-
-Internet Engineering Task Force [Page 50]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- any change to the hosts.
-
- The opposing view is that allowing a mixture of
- destination hosts and networks in the route cache:
-
- (1) Saves memory space.
-
- (2) Leads to a simpler data structure, easily
- combining the cache with the tables of default and
- static routes (see below).
-
- (3) Provides a more useful place to cache path
- properties, as discussed earlier.
-
-
- IMPLEMENTATION:
- The cache needs to be large enough to include entries
- for the maximum number of destination hosts that may be
- in use at one time.
-
- A route cache entry may also include control
- information used to choose an entry for replacement.
- This might take the form of a "recently used" bit, a
- use count, or a last-used timestamp, for example. It
- is recommended that it include the time of last
- modification of the entry, for diagnostic purposes.
-
- An implementation may wish to reduce the overhead of
- scanning the route cache for every datagram to be
- transmitted. This may be accomplished with a hash
- table to speed the lookup, or by giving a connection-
- oriented transport protocol a "hint" or temporary
- handle on the appropriate cache entry, to be passed to
- the IP layer with each subsequent datagram.
-
- Although we have described the route cache, the lists
- of default gateways, and a table of static routes as
- conceptually distinct, in practice they may be combined
- into a single "routing table" data structure.
-
- 3.3.1.4 Dead Gateway Detection
-
- The IP layer MUST be able to detect the failure of a "next-
- hop" gateway that is listed in its route cache and to choose
- an alternate gateway (see Section 3.3.1.5).
-
- Dead gateway detection is covered in some detail in RFC-816
- [IP:11]. Experience to date has not produced a complete
-
-
-
-Internet Engineering Task Force [Page 51]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- algorithm which is totally satisfactory, though it has
- identified several forbidden paths and promising techniques.
-
- * A particular gateway SHOULD NOT be used indefinitely in
- the absence of positive indications that it is
- functioning.
-
- * Active probes such as "pinging" (i.e., using an ICMP
- Echo Request/Reply exchange) are expensive and scale
- poorly. In particular, hosts MUST NOT actively check
- the status of a first-hop gateway by simply pinging the
- gateway continuously.
-
- * Even when it is the only effective way to verify a
- gateway's status, pinging MUST be used only when
- traffic is being sent to the gateway and when there is
- no other positive indication to suggest that the
- gateway is functioning.
-
- * To avoid pinging, the layers above and/or below the
- Internet layer SHOULD be able to give "advice" on the
- status of route cache entries when either positive
- (gateway OK) or negative (gateway dead) information is
- available.
-
-
- DISCUSSION:
- If an implementation does not include an adequate
- mechanism for detecting a dead gateway and re-routing,
- a gateway failure may cause datagrams to apparently
- vanish into a "black hole". This failure can be
- extremely confusing for users and difficult for network
- personnel to debug.
-
- The dead-gateway detection mechanism must not cause
- unacceptable load on the host, on connected networks,
- or on first-hop gateway(s). The exact constraints on
- the timeliness of dead gateway detection and on
- acceptable load may vary somewhat depending on the
- nature of the host's mission, but a host generally
- needs to detect a failed first-hop gateway quickly
- enough that transport-layer connections will not break
- before an alternate gateway can be selected.
-
- Passing advice from other layers of the protocol stack
- complicates the interfaces between the layers, but it
- is the preferred approach to dead gateway detection.
- Advice can come from almost any part of the IP/TCP
-
-
-
-Internet Engineering Task Force [Page 52]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- architecture, but it is expected to come primarily from
- the transport and link layers. Here are some possible
- sources for gateway advice:
-
- o TCP or any connection-oriented transport protocol
- should be able to give negative advice, e.g.,
- triggered by excessive retransmissions.
-
- o TCP may give positive advice when (new) data is
- acknowledged. Even though the route may be
- asymmetric, an ACK for new data proves that the
- acknowleged data must have been transmitted
- successfully.
-
- o An ICMP Redirect message from a particular gateway
- should be used as positive advice about that
- gateway.
-
- o Link-layer information that reliably detects and
- reports host failures (e.g., ARPANET Destination
- Dead messages) should be used as negative advice.
-
- o Failure to ARP or to re-validate ARP mappings may
- be used as negative advice for the corresponding
- IP address.
-
- o Packets arriving from a particular link-layer
- address are evidence that the system at this
- address is alive. However, turning this
- information into advice about gateways requires
- mapping the link-layer address into an IP address,
- and then checking that IP address against the
- gateways pointed to by the route cache. This is
- probably prohibitively inefficient.
-
- Note that positive advice that is given for every
- datagram received may cause unacceptable overhead in
- the implementation.
-
- While advice might be passed using required arguments
- in all interfaces to the IP layer, some transport and
- application layer protocols cannot deduce the correct
- advice. These interfaces must therefore allow a
- neutral value for advice, since either always-positive
- or always-negative advice leads to incorrect behavior.
-
- There is another technique for dead gateway detection
- that has been commonly used but is not recommended.
-
-
-
-Internet Engineering Task Force [Page 53]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- This technique depends upon the host passively
- receiving ("wiretapping") the Interior Gateway Protocol
- (IGP) datagrams that the gateways are broadcasting to
- each other. This approach has the drawback that a host
- needs to recognize all the interior gateway protocols
- that gateways may use (see [INTRO:2]). In addition, it
- only works on a broadcast network.
-
- At present, pinging (i.e., using ICMP Echo messages) is
- the mechanism for gateway probing when absolutely
- required. A successful ping guarantees that the
- addressed interface and its associated machine are up,
- but it does not guarantee that the machine is a gateway
- as opposed to a host. The normal inference is that if
- a Redirect or other evidence indicates that a machine
- was a gateway, successful pings will indicate that the
- machine is still up and hence still a gateway.
- However, since a host silently discards packets that a
- gateway would forward or redirect, this assumption
- could sometimes fail. To avoid this problem, a new
- ICMP message under development will ask "are you a
- gateway?"
-
- IMPLEMENTATION:
- The following specific algorithm has been suggested:
-
- o Associate a "reroute timer" with each gateway
- pointed to by the route cache. Initialize the
- timer to a value Tr, which must be small enough to
- allow detection of a dead gateway before transport
- connections time out.
-
- o Positive advice would reset the reroute timer to
- Tr. Negative advice would reduce or zero the
- reroute timer.
-
- o Whenever the IP layer used a particular gateway to
- route a datagram, it would check the corresponding
- reroute timer. If the timer had expired (reached
- zero), the IP layer would send a ping to the
- gateway, followed immediately by the datagram.
-
- o The ping (ICMP Echo) would be sent again if
- necessary, up to N times. If no ping reply was
- received in N tries, the gateway would be assumed
- to have failed, and a new first-hop gateway would
- be chosen for all cache entries pointing to the
- failed gateway.
-
-
-
-Internet Engineering Task Force [Page 54]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- Note that the size of Tr is inversely related to the
- amount of advice available. Tr should be large enough
- to insure that:
-
- * Any pinging will be at a low level (e.g., <10%) of
- all packets sent to a gateway from the host, AND
-
- * pinging is infrequent (e.g., every 3 minutes)
-
- Since the recommended algorithm is concerned with the
- gateways pointed to by route cache entries, rather than
- the cache entries themselves, a two level data
- structure (perhaps coordinated with ARP or similar
- caches) may be desirable for implementing a route
- cache.
-
- 3.3.1.5 New Gateway Selection
-
- If the failed gateway is not the current default, the IP
- layer can immediately switch to a default gateway. If it is
- the current default that failed, the IP layer MUST select a
- different default gateway (assuming more than one default is
- known) for the failed route and for establishing new routes.
-
- DISCUSSION:
- When a gateway does fail, the other gateways on the
- connected network will learn of the failure through
- some inter-gateway routing protocol. However, this
- will not happen instantaneously, since gateway routing
- protocols typically have a settling time of 30-60
- seconds. If the host switches to an alternative
- gateway before the gateways have agreed on the failure,
- the new target gateway will probably forward the
- datagram to the failed gateway and send a Redirect back
- to the host pointing to the failed gateway (!). The
- result is likely to be a rapid oscillation in the
- contents of the host's route cache during the gateway
- settling period. It has been proposed that the dead-
- gateway logic should include some hysteresis mechanism
- to prevent such oscillations. However, experience has
- not shown any harm from such oscillations, since
- service cannot be restored to the host until the
- gateways' routing information does settle down.
-
- IMPLEMENTATION:
- One implementation technique for choosing a new default
- gateway is to simply round-robin among the default
- gateways in the host's list. Another is to rank the
-
-
-
-Internet Engineering Task Force [Page 55]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- gateways in priority order, and when the current
- default gateway is not the highest priority one, to
- "ping" the higher-priority gateways slowly to detect
- when they return to service. This pinging can be at a
- very low rate, e.g., 0.005 per second.
-
- 3.3.1.6 Initialization
-
- The following information MUST be configurable:
-
- (1) IP address(es).
-
- (2) Address mask(s).
-
- (3) A list of default gateways, with a preference level.
-
- A manual method of entering this configuration data MUST be
- provided. In addition, a variety of methods can be used to
- determine this information dynamically; see the section on
- "Host Initialization" in [INTRO:1].
-
- DISCUSSION:
- Some host implementations use "wiretapping" of gateway
- protocols on a broadcast network to learn what gateways
- exist. A standard method for default gateway discovery
- is under development.
-
- 3.3.2 Reassembly
-
- The IP layer MUST implement reassembly of IP datagrams.
-
- We designate the largest datagram size that can be reassembled
- by EMTU_R ("Effective MTU to receive"); this is sometimes
- called the "reassembly buffer size". EMTU_R MUST be greater
- than or equal to 576, SHOULD be either configurable or
- indefinite, and SHOULD be greater than or equal to the MTU of
- the connected network(s).
-
- DISCUSSION:
- A fixed EMTU_R limit should not be built into the code
- because some application layer protocols require EMTU_R
- values larger than 576.
-
- IMPLEMENTATION:
- An implementation may use a contiguous reassembly buffer
- for each datagram, or it may use a more complex data
- structure that places no definite limit on the reassembled
- datagram size; in the latter case, EMTU_R is said to be
-
-
-
-Internet Engineering Task Force [Page 56]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- "indefinite".
-
- Logically, reassembly is performed by simply copying each
- fragment into the packet buffer at the proper offset.
- Note that fragments may overlap if successive
- retransmissions use different packetizing but the same
- reassembly Id.
-
- The tricky part of reassembly is the bookkeeping to
- determine when all bytes of the datagram have been
- reassembled. We recommend Clark's algorithm [IP:10] that
- requires no additional data space for the bookkeeping.
- However, note that, contrary to [IP:10], the first
- fragment header needs to be saved for inclusion in a
- possible ICMP Time Exceeded (Reassembly Timeout) message.
-
- There MUST be a mechanism by which the transport layer can
- learn MMS_R, the maximum message size that can be received and
- reassembled in an IP datagram (see GET_MAXSIZES calls in
- Section 3.4). If EMTU_R is not indefinite, then the value of
- MMS_R is given by:
-
- MMS_R = EMTU_R - 20
-
- since 20 is the minimum size of an IP header.
-
- There MUST be a reassembly timeout. The reassembly timeout
- value SHOULD be a fixed value, not set from the remaining TTL.
- It is recommended that the value lie between 60 seconds and 120
- seconds. If this timeout expires, the partially-reassembled
- datagram MUST be discarded and an ICMP Time Exceeded message
- sent to the source host (if fragment zero has been received).
-
- DISCUSSION:
- The IP specification says that the reassembly timeout
- should be the remaining TTL from the IP header, but this
- does not work well because gateways generally treat TTL as
- a simple hop count rather than an elapsed time. If the
- reassembly timeout is too small, datagrams will be
- discarded unnecessarily, and communication may fail. The
- timeout needs to be at least as large as the typical
- maximum delay across the Internet. A realistic minimum
- reassembly timeout would be 60 seconds.
-
- It has been suggested that a cache might be kept of
- round-trip times measured by transport protocols for
- various destinations, and that these values might be used
- to dynamically determine a reasonable reassembly timeout
-
-
-
-Internet Engineering Task Force [Page 57]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- value. Further investigation of this approach is
- required.
-
- If the reassembly timeout is set too high, buffer
- resources in the receiving host will be tied up too long,
- and the MSL (Maximum Segment Lifetime) [TCP:1] will be
- larger than necessary. The MSL controls the maximum rate
- at which fragmented datagrams can be sent using distinct
- values of the 16-bit Ident field; a larger MSL lowers the
- maximum rate. The TCP specification [TCP:1] arbitrarily
- assumes a value of 2 minutes for MSL. This sets an upper
- limit on a reasonable reassembly timeout value.
-
- 3.3.3 Fragmentation
-
- Optionally, the IP layer MAY implement a mechanism to fragment
- outgoing datagrams intentionally.
-
- We designate by EMTU_S ("Effective MTU for sending") the
- maximum IP datagram size that may be sent, for a particular
- combination of IP source and destination addresses and perhaps
- TOS.
-
- A host MUST implement a mechanism to allow the transport layer
- to learn MMS_S, the maximum transport-layer message size that
- may be sent for a given {source, destination, TOS} triplet (see
- GET_MAXSIZES call in Section 3.4). If no local fragmentation
- is performed, the value of MMS_S will be:
-
- MMS_S = EMTU_S - <IP header size>
-
- and EMTU_S must be less than or equal to the MTU of the network
- interface corresponding to the source address of the datagram.
- Note that <IP header size> in this equation will be 20, unless
- the IP reserves space to insert IP options for its own purposes
- in addition to any options inserted by the transport layer.
-
- A host that does not implement local fragmentation MUST ensure
- that the transport layer (for TCP) or the application layer
- (for UDP) obtains MMS_S from the IP layer and does not send a
- datagram exceeding MMS_S in size.
-
- It is generally desirable to avoid local fragmentation and to
- choose EMTU_S low enough to avoid fragmentation in any gateway
- along the path. In the absence of actual knowledge of the
- minimum MTU along the path, the IP layer SHOULD use
- EMTU_S <= 576 whenever the destination address is not on a
- connected network, and otherwise use the connected network's
-
-
-
-Internet Engineering Task Force [Page 58]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- MTU.
-
- The MTU of each physical interface MUST be configurable.
-
- A host IP layer implementation MAY have a configuration flag
- "All-Subnets-MTU", indicating that the MTU of the connected
- network is to be used for destinations on different subnets
- within the same network, but not for other networks. Thus,
- this flag causes the network class mask, rather than the subnet
- address mask, to be used to choose an EMTU_S. For a multihomed
- host, an "All-Subnets-MTU" flag is needed for each network
- interface.
-
- DISCUSSION:
- Picking the correct datagram size to use when sending data
- is a complex topic [IP:9].
-
- (a) In general, no host is required to accept an IP
- datagram larger than 576 bytes (including header and
- data), so a host must not send a larger datagram
- without explicit knowledge or prior arrangement with
- the destination host. Thus, MMS_S is only an upper
- bound on the datagram size that a transport protocol
- may send; even when MMS_S exceeds 556, the transport
- layer must limit its messages to 556 bytes in the
- absence of other knowledge about the destination
- host.
-
- (b) Some transport protocols (e.g., TCP) provide a way to
- explicitly inform the sender about the largest
- datagram the other end can receive and reassemble
- [IP:7]. There is no corresponding mechanism in the
- IP layer.
-
- A transport protocol that assumes an EMTU_R larger
- than 576 (see Section 3.3.2), can send a datagram of
- this larger size to another host that implements the
- same protocol.
-
- (c) Hosts should ideally limit their EMTU_S for a given
- destination to the minimum MTU of all the networks
- along the path, to avoid any fragmentation. IP
- fragmentation, while formally correct, can create a
- serious transport protocol performance problem,
- because loss of a single fragment means all the
- fragments in the segment must be retransmitted
- [IP:9].
-
-
-
-
-Internet Engineering Task Force [Page 59]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- Since nearly all networks in the Internet currently
- support an MTU of 576 or greater, we strongly recommend
- the use of 576 for datagrams sent to non-local networks.
-
- It has been suggested that a host could determine the MTU
- over a given path by sending a zero-offset datagram
- fragment and waiting for the receiver to time out the
- reassembly (which cannot complete!) and return an ICMP
- Time Exceeded message. This message would include the
- largest remaining fragment header in its body. More
- direct mechanisms are being experimented with, but have
- not yet been adopted (see e.g., RFC-1063).
-
- 3.3.4 Local Multihoming
-
- 3.3.4.1 Introduction
-
- A multihomed host has multiple IP addresses, which we may
- think of as "logical interfaces". These logical interfaces
- may be associated with one or more physical interfaces, and
- these physical interfaces may be connected to the same or
- different networks.
-
- Here are some important cases of multihoming:
-
- (a) Multiple Logical Networks
-
- The Internet architects envisioned that each physical
- network would have a single unique IP network (or
- subnet) number. However, LAN administrators have
- sometimes found it useful to violate this assumption,
- operating a LAN with multiple logical networks per
- physical connected network.
-
- If a host connected to such a physical network is
- configured to handle traffic for each of N different
- logical networks, then the host will have N logical
- interfaces. These could share a single physical
- interface, or might use N physical interfaces to the
- same network.
-
- (b) Multiple Logical Hosts
-
- When a host has multiple IP addresses that all have the
- same <Network-number> part (and the same <Subnet-
- number> part, if any), the logical interfaces are known
- as "logical hosts". These logical interfaces might
- share a single physical interface or might use separate
-
-
-
-Internet Engineering Task Force [Page 60]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- physical interfaces to the same physical network.
-
- (c) Simple Multihoming
-
- In this case, each logical interface is mapped into a
- separate physical interface and each physical interface
- is connected to a different physical network. The term
- "multihoming" was originally applied only to this case,
- but it is now applied more generally.
-
- A host with embedded gateway functionality will
- typically fall into the simple multihoming case. Note,
- however, that a host may be simply multihomed without
- containing an embedded gateway, i.e., without
- forwarding datagrams from one connected network to
- another.
-
- This case presents the most difficult routing problems.
- The choice of interface (i.e., the choice of first-hop
- network) may significantly affect performance or even
- reachability of remote parts of the Internet.
-
-
- Finally, we note another possibility that is NOT
- multihoming: one logical interface may be bound to multiple
- physical interfaces, in order to increase the reliability or
- throughput between directly connected machines by providing
- alternative physical paths between them. For instance, two
- systems might be connected by multiple point-to-point links.
- We call this "link-layer multiplexing". With link-layer
- multiplexing, the protocols above the link layer are unaware
- that multiple physical interfaces are present; the link-
- layer device driver is responsible for multiplexing and
- routing packets across the physical interfaces.
-
- In the Internet protocol architecture, a transport protocol
- instance ("entity") has no address of its own, but instead
- uses a single Internet Protocol (IP) address. This has
- implications for the IP, transport, and application layers,
- and for the interfaces between them. In particular, the
- application software may have to be aware of the multiple IP
- addresses of a multihomed host; in other cases, the choice
- can be made within the network software.
-
- 3.3.4.2 Multihoming Requirements
-
- The following general rules apply to the selection of an IP
- source address for sending a datagram from a multihomed
-
-
-
-Internet Engineering Task Force [Page 61]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- host.
-
- (1) If the datagram is sent in response to a received
- datagram, the source address for the response SHOULD be
- the specific-destination address of the request. See
- Sections 4.1.3.5 and 4.2.3.7 and the "General Issues"
- section of [INTRO:1] for more specific requirements on
- higher layers.
-
- Otherwise, a source address must be selected.
-
- (2) An application MUST be able to explicitly specify the
- source address for initiating a connection or a
- request.
-
- (3) In the absence of such a specification, the networking
- software MUST choose a source address. Rules for this
- choice are described below.
-
-
- There are two key requirement issues related to multihoming:
-
- (A) A host MAY silently discard an incoming datagram whose
- destination address does not correspond to the physical
- interface through which it is received.
-
- (B) A host MAY restrict itself to sending (non-source-
- routed) IP datagrams only through the physical
- interface that corresponds to the IP source address of
- the datagrams.
-
-
- DISCUSSION:
- Internet host implementors have used two different
- conceptual models for multihoming, briefly summarized
- in the following discussion. This document takes no
- stand on which model is preferred; each seems to have a
- place. This ambivalence is reflected in the issues (A)
- and (B) being optional.
-
- o Strong ES Model
-
- The Strong ES (End System, i.e., host) model
- emphasizes the host/gateway (ES/IS) distinction,
- and would therefore substitute MUST for MAY in
- issues (A) and (B) above. It tends to model a
- multihomed host as a set of logical hosts within
- the same physical host.
-
-
-
-Internet Engineering Task Force [Page 62]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- With respect to (A), proponents of the Strong ES
- model note that automatic Internet routing
- mechanisms could not route a datagram to a
- physical interface that did not correspond to the
- destination address.
-
- Under the Strong ES model, the route computation
- for an outgoing datagram is the mapping:
-
- route(src IP addr, dest IP addr, TOS)
- -> gateway
-
- Here the source address is included as a parameter
- in order to select a gateway that is directly
- reachable on the corresponding physical interface.
- Note that this model logically requires that in
- general there be at least one default gateway, and
- preferably multiple defaults, for each IP source
- address.
-
- o Weak ES Model
-
- This view de-emphasizes the ES/IS distinction, and
- would therefore substitute MUST NOT for MAY in
- issues (A) and (B). This model may be the more
- natural one for hosts that wiretap gateway routing
- protocols, and is necessary for hosts that have
- embedded gateway functionality.
-
- The Weak ES Model may cause the Redirect mechanism
- to fail. If a datagram is sent out a physical
- interface that does not correspond to the
- destination address, the first-hop gateway will
- not realize when it needs to send a Redirect. On
- the other hand, if the host has embedded gateway
- functionality, then it has routing information
- without listening to Redirects.
-
- In the Weak ES model, the route computation for an
- outgoing datagram is the mapping:
-
- route(dest IP addr, TOS) -> gateway, interface
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 63]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- 3.3.4.3 Choosing a Source Address
-
- DISCUSSION:
- When it sends an initial connection request (e.g., a
- TCP "SYN" segment) or a datagram service request (e.g.,
- a UDP-based query), the transport layer on a multihomed
- host needs to know which source address to use. If the
- application does not specify it, the transport layer
- must ask the IP layer to perform the conceptual
- mapping:
-
- GET_SRCADDR(remote IP addr, TOS)
- -> local IP address
-
- Here TOS is the Type-of-Service value (see Section
- 3.2.1.6), and the result is the desired source address.
- The following rules are suggested for implementing this
- mapping:
-
- (a) If the remote Internet address lies on one of the
- (sub-) nets to which the host is directly
- connected, a corresponding source address may be
- chosen, unless the corresponding interface is
- known to be down.
-
- (b) The route cache may be consulted, to see if there
- is an active route to the specified destination
- network through any network interface; if so, a
- local IP address corresponding to that interface
- may be chosen.
-
- (c) The table of static routes, if any (see Section
- 3.3.1.2) may be similarly consulted.
-
- (d) The default gateways may be consulted. If these
- gateways are assigned to different interfaces, the
- interface corresponding to the gateway with the
- highest preference may be chosen.
-
- In the future, there may be a defined way for a
- multihomed host to ask the gateways on all connected
- networks for advice about the best network to use for a
- given destination.
-
- IMPLEMENTATION:
- It will be noted that this process is essentially the
- same as datagram routing (see Section 3.3.1), and
- therefore hosts may be able to combine the
-
-
-
-Internet Engineering Task Force [Page 64]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- implementation of the two functions.
-
- 3.3.5 Source Route Forwarding
-
- Subject to restrictions given below, a host MAY be able to act
- as an intermediate hop in a source route, forwarding a source-
- routed datagram to the next specified hop.
-
- However, in performing this gateway-like function, the host
- MUST obey all the relevant rules for a gateway forwarding
- source-routed datagrams [INTRO:2]. This includes the following
- specific provisions, which override the corresponding host
- provisions given earlier in this document:
-
- (A) TTL (ref. Section 3.2.1.7)
-
- The TTL field MUST be decremented and the datagram perhaps
- discarded as specified for a gateway in [INTRO:2].
-
- (B) ICMP Destination Unreachable (ref. Section 3.2.2.1)
-
- A host MUST be able to generate Destination Unreachable
- messages with the following codes:
-
- 4 (Fragmentation Required but DF Set) when a source-
- routed datagram cannot be fragmented to fit into the
- target network;
-
- 5 (Source Route Failed) when a source-routed datagram
- cannot be forwarded, e.g., because of a routing
- problem or because the next hop of a strict source
- route is not on a connected network.
-
- (C) IP Source Address (ref. Section 3.2.1.3)
-
- A source-routed datagram being forwarded MAY (and normally
- will) have a source address that is not one of the IP
- addresses of the forwarding host.
-
- (D) Record Route Option (ref. Section 3.2.1.8d)
-
- A host that is forwarding a source-routed datagram
- containing a Record Route option MUST update that option,
- if it has room.
-
- (E) Timestamp Option (ref. Section 3.2.1.8e)
-
- A host that is forwarding a source-routed datagram
-
-
-
-Internet Engineering Task Force [Page 65]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- containing a Timestamp Option MUST add the current
- timestamp to that option, according to the rules for this
- option.
-
- To define the rules restricting host forwarding of source-
- routed datagrams, we use the term "local source-routing" if the
- next hop will be through the same physical interface through
- which the datagram arrived; otherwise, it is "non-local
- source-routing".
-
- o A host is permitted to perform local source-routing
- without restriction.
-
- o A host that supports non-local source-routing MUST have a
- configurable switch to disable forwarding, and this switch
- MUST default to disabled.
-
- o The host MUST satisfy all gateway requirements for
- configurable policy filters [INTRO:2] restricting non-
- local forwarding.
-
- If a host receives a datagram with an incomplete source route
- but does not forward it for some reason, the host SHOULD return
- an ICMP Destination Unreachable (code 5, Source Route Failed)
- message, unless the datagram was itself an ICMP error message.
-
- 3.3.6 Broadcasts
-
- Section 3.2.1.3 defined the four standard IP broadcast address
- forms:
-
- Limited Broadcast: {-1, -1}
-
- Directed Broadcast: {<Network-number>,-1}
-
- Subnet Directed Broadcast:
- {<Network-number>,<Subnet-number>,-1}
-
- All-Subnets Directed Broadcast: {<Network-number>,-1,-1}
-
- A host MUST recognize any of these forms in the destination
- address of an incoming datagram.
-
- There is a class of hosts* that use non-standard broadcast
- address forms, substituting 0 for -1. All hosts SHOULD
-_________________________
-*4.2BSD Unix and its derivatives, but not 4.3BSD.
-
-
-
-
-Internet Engineering Task Force [Page 66]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- recognize and accept any of these non-standard broadcast
- addresses as the destination address of an incoming datagram.
- A host MAY optionally have a configuration option to choose the
- 0 or the -1 form of broadcast address, for each physical
- interface, but this option SHOULD default to the standard (-1)
- form.
-
- When a host sends a datagram to a link-layer broadcast address,
- the IP destination address MUST be a legal IP broadcast or IP
- multicast address.
-
- A host SHOULD silently discard a datagram that is received via
- a link-layer broadcast (see Section 2.4) but does not specify
- an IP multicast or broadcast destination address.
-
- Hosts SHOULD use the Limited Broadcast address to broadcast to
- a connected network.
-
-
- DISCUSSION:
- Using the Limited Broadcast address instead of a Directed
- Broadcast address may improve system robustness. Problems
- are often caused by machines that do not understand the
- plethora of broadcast addresses (see Section 3.2.1.3), or
- that may have different ideas about which broadcast
- addresses are in use. The prime example of the latter is
- machines that do not understand subnetting but are
- attached to a subnetted net. Sending a Subnet Broadcast
- for the connected network will confuse those machines,
- which will see it as a message to some other host.
-
- There has been discussion on whether a datagram addressed
- to the Limited Broadcast address ought to be sent from all
- the interfaces of a multihomed host. This specification
- takes no stand on the issue.
-
- 3.3.7 IP Multicasting
-
- A host SHOULD support local IP multicasting on all connected
- networks for which a mapping from Class D IP addresses to
- link-layer addresses has been specified (see below). Support
- for local IP multicasting includes sending multicast datagrams,
- joining multicast groups and receiving multicast datagrams, and
- leaving multicast groups. This implies support for all of
- [IP:4] except the IGMP protocol itself, which is OPTIONAL.
-
-
-
-
-
-
-Internet Engineering Task Force [Page 67]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- DISCUSSION:
- IGMP provides gateways that are capable of multicast
- routing with the information required to support IP
- multicasting across multiple networks. At this time,
- multicast-routing gateways are in the experimental stage
- and are not widely available. For hosts that are not
- connected to networks with multicast-routing gateways or
- that do not need to receive multicast datagrams
- originating on other networks, IGMP serves no purpose and
- is therefore optional for now. However, the rest of
- [IP:4] is currently recommended for the purpose of
- providing IP-layer access to local network multicast
- addressing, as a preferable alternative to local broadcast
- addressing. It is expected that IGMP will become
- recommended at some future date, when multicast-routing
- gateways have become more widely available.
-
- If IGMP is not implemented, a host SHOULD still join the "all-
- hosts" group (224.0.0.1) when the IP layer is initialized and
- remain a member for as long as the IP layer is active.
-
- DISCUSSION:
- Joining the "all-hosts" group will support strictly local
- uses of multicasting, e.g., a gateway discovery protocol,
- even if IGMP is not implemented.
-
- The mapping of IP Class D addresses to local addresses is
- currently specified for the following types of networks:
-
- o Ethernet/IEEE 802.3, as defined in [IP:4].
-
- o Any network that supports broadcast but not multicast,
- addressing: all IP Class D addresses map to the local
- broadcast address.
-
- o Any type of point-to-point link (e.g., SLIP or HDLC
- links): no mapping required. All IP multicast datagrams
- are sent as-is, inside the local framing.
-
- Mappings for other types of networks will be specified in the
- future.
-
- A host SHOULD provide a way for higher-layer protocols or
- applications to determine which of the host's connected
- network(s) support IP multicast addressing.
-
-
-
-
-
-
-Internet Engineering Task Force [Page 68]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- 3.3.8 Error Reporting
-
- Wherever practical, hosts MUST return ICMP error datagrams on
- detection of an error, except in those cases where returning an
- ICMP error message is specifically prohibited.
-
- DISCUSSION:
- A common phenomenon in datagram networks is the "black
- hole disease": datagrams are sent out, but nothing comes
- back. Without any error datagrams, it is difficult for
- the user to figure out what the problem is.
-
- 3.4 INTERNET/TRANSPORT LAYER INTERFACE
-
- The interface between the IP layer and the transport layer MUST
- provide full access to all the mechanisms of the IP layer,
- including options, Type-of-Service, and Time-to-Live. The
- transport layer MUST either have mechanisms to set these interface
- parameters, or provide a path to pass them through from an
- application, or both.
-
- DISCUSSION:
- Applications are urged to make use of these mechanisms where
- applicable, even when the mechanisms are not currently
- effective in the Internet (e.g., TOS). This will allow these
- mechanisms to be immediately useful when they do become
- effective, without a large amount of retrofitting of host
- software.
-
- We now describe a conceptual interface between the transport layer
- and the IP layer, as a set of procedure calls. This is an
- extension of the information in Section 3.3 of RFC-791 [IP:1].
-
-
- * Send Datagram
-
- SEND(src, dst, prot, TOS, TTL, BufPTR, len, Id, DF, opt
- => result )
-
- where the parameters are defined in RFC-791. Passing an Id
- parameter is optional; see Section 3.2.1.5.
-
-
- * Receive Datagram
-
- RECV(BufPTR, prot
- => result, src, dst, SpecDest, TOS, len, opt)
-
-
-
-
-Internet Engineering Task Force [Page 69]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- All the parameters are defined in RFC-791, except for:
-
- SpecDest = specific-destination address of datagram
- (defined in Section 3.2.1.3)
-
- The result parameter dst contains the datagram's destination
- address. Since this may be a broadcast or multicast address,
- the SpecDest parameter (not shown in RFC-791) MUST be passed.
- The parameter opt contains all the IP options received in the
- datagram; these MUST also be passed to the transport layer.
-
-
- * Select Source Address
-
- GET_SRCADDR(remote, TOS) -> local
-
- remote = remote IP address
- TOS = Type-of-Service
- local = local IP address
-
- See Section 3.3.4.3.
-
-
- * Find Maximum Datagram Sizes
-
- GET_MAXSIZES(local, remote, TOS) -> MMS_R, MMS_S
-
- MMS_R = maximum receive transport-message size.
- MMS_S = maximum send transport-message size.
- (local, remote, TOS defined above)
-
- See Sections 3.3.2 and 3.3.3.
-
-
- * Advice on Delivery Success
-
- ADVISE_DELIVPROB(sense, local, remote, TOS)
-
- Here the parameter sense is a 1-bit flag indicating whether
- positive or negative advice is being given; see the
- discussion in Section 3.3.1.4. The other parameters were
- defined earlier.
-
-
- * Send ICMP Message
-
- SEND_ICMP(src, dst, TOS, TTL, BufPTR, len, Id, DF, opt)
- -> result
-
-
-
-Internet Engineering Task Force [Page 70]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- (Parameters defined in RFC-791).
-
- Passing an Id parameter is optional; see Section 3.2.1.5.
- The transport layer MUST be able to send certain ICMP
- messages: Port Unreachable or any of the query-type
- messages. This function could be considered to be a special
- case of the SEND() call, of course; we describe it separately
- for clarity.
-
-
- * Receive ICMP Message
-
- RECV_ICMP(BufPTR ) -> result, src, dst, len, opt
-
- (Parameters defined in RFC-791).
-
- The IP layer MUST pass certain ICMP messages up to the
- appropriate transport-layer routine. This function could be
- considered to be a special case of the RECV() call, of
- course; we describe it separately for clarity.
-
- For an ICMP error message, the data that is passed up MUST
- include the original Internet header plus all the octets of
- the original message that are included in the ICMP message.
- This data will be used by the transport layer to locate the
- connection state information, if any.
-
- In particular, the following ICMP messages are to be passed
- up:
-
- o Destination Unreachable
-
- o Source Quench
-
- o Echo Reply (to ICMP user interface, unless the Echo
- Request originated in the IP layer)
-
- o Timestamp Reply (to ICMP user interface)
-
- o Time Exceeded
-
-
- DISCUSSION:
- In the future, there may be additions to this interface to
- pass path data (see Section 3.3.1.3) between the IP and
- transport layers.
-
-
-
-
-
-Internet Engineering Task Force [Page 71]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- 3.5 INTERNET LAYER REQUIREMENTS SUMMARY
-
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
--------------------------------------------------|--------|-|-|-|-|-|--
- | | | | | | |
-Implement IP and ICMP |3.1 |x| | | | |
-Handle remote multihoming in application layer |3.1 |x| | | | |
-Support local multihoming |3.1 | | |x| | |
-Meet gateway specs if forward datagrams |3.1 |x| | | | |
-Configuration switch for embedded gateway |3.1 |x| | | | |1
- Config switch default to non-gateway |3.1 |x| | | | |1
- Auto-config based on number of interfaces |3.1 | | | | |x|1
-Able to log discarded datagrams |3.1 | |x| | | |
- Record in counter |3.1 | |x| | | |
- | | | | | | |
-Silently discard Version != 4 |3.2.1.1 |x| | | | |
-Verify IP checksum, silently discard bad dgram |3.2.1.2 |x| | | | |
-Addressing: | | | | | | |
- Subnet addressing (RFC-950) |3.2.1.3 |x| | | | |
- Src address must be host's own IP address |3.2.1.3 |x| | | | |
- Silently discard datagram with bad dest addr |3.2.1.3 |x| | | | |
- Silently discard datagram with bad src addr |3.2.1.3 |x| | | | |
-Support reassembly |3.2.1.4 |x| | | | |
-Retain same Id field in identical datagram |3.2.1.5 | | |x| | |
- | | | | | | |
-TOS: | | | | | | |
- Allow transport layer to set TOS |3.2.1.6 |x| | | | |
- Pass received TOS up to transport layer |3.2.1.6 | |x| | | |
- Use RFC-795 link-layer mappings for TOS |3.2.1.6 | | | |x| |
-TTL: | | | | | | |
- Send packet with TTL of 0 |3.2.1.7 | | | | |x|
- Discard received packets with TTL < 2 |3.2.1.7 | | | | |x|
- Allow transport layer to set TTL |3.2.1.7 |x| | | | |
- Fixed TTL is configurable |3.2.1.7 |x| | | | |
- | | | | | | |
-IP Options: | | | | | | |
- Allow transport layer to send IP options |3.2.1.8 |x| | | | |
- Pass all IP options rcvd to higher layer |3.2.1.8 |x| | | | |
-
-
-
-Internet Engineering Task Force [Page 72]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- IP layer silently ignore unknown options |3.2.1.8 |x| | | | |
- Security option |3.2.1.8a| | |x| | |
- Send Stream Identifier option |3.2.1.8b| | | |x| |
- Silently ignore Stream Identifer option |3.2.1.8b|x| | | | |
- Record Route option |3.2.1.8d| | |x| | |
- Timestamp option |3.2.1.8e| | |x| | |
-Source Route Option: | | | | | | |
- Originate & terminate Source Route options |3.2.1.8c|x| | | | |
- Datagram with completed SR passed up to TL |3.2.1.8c|x| | | | |
- Build correct (non-redundant) return route |3.2.1.8c|x| | | | |
- Send multiple SR options in one header |3.2.1.8c| | | | |x|
- | | | | | | |
-ICMP: | | | | | | |
- Silently discard ICMP msg with unknown type |3.2.2 |x| | | | |
- Include more than 8 octets of orig datagram |3.2.2 | | |x| | |
- Included octets same as received |3.2.2 |x| | | | |
- Demux ICMP Error to transport protocol |3.2.2 |x| | | | |
- Send ICMP error message with TOS=0 |3.2.2 | |x| | | |
- Send ICMP error message for: | | | | | | |
- - ICMP error msg |3.2.2 | | | | |x|
- - IP b'cast or IP m'cast |3.2.2 | | | | |x|
- - Link-layer b'cast |3.2.2 | | | | |x|
- - Non-initial fragment |3.2.2 | | | | |x|
- - Datagram with non-unique src address |3.2.2 | | | | |x|
- Return ICMP error msgs (when not prohibited) |3.3.8 |x| | | | |
- | | | | | | |
- Dest Unreachable: | | | | | | |
- Generate Dest Unreachable (code 2/3) |3.2.2.1 | |x| | | |
- Pass ICMP Dest Unreachable to higher layer |3.2.2.1 |x| | | | |
- Higher layer act on Dest Unreach |3.2.2.1 | |x| | | |
- Interpret Dest Unreach as only hint |3.2.2.1 |x| | | | |
- Redirect: | | | | | | |
- Host send Redirect |3.2.2.2 | | | |x| |
- Update route cache when recv Redirect |3.2.2.2 |x| | | | |
- Handle both Host and Net Redirects |3.2.2.2 |x| | | | |
- Discard illegal Redirect |3.2.2.2 | |x| | | |
- Source Quench: | | | | | | |
- Send Source Quench if buffering exceeded |3.2.2.3 | | |x| | |
- Pass Source Quench to higher layer |3.2.2.3 |x| | | | |
- Higher layer act on Source Quench |3.2.2.3 | |x| | | |
- Time Exceeded: pass to higher layer |3.2.2.4 |x| | | | |
- Parameter Problem: | | | | | | |
- Send Parameter Problem messages |3.2.2.5 | |x| | | |
- Pass Parameter Problem to higher layer |3.2.2.5 |x| | | | |
- Report Parameter Problem to user |3.2.2.5 | | |x| | |
- | | | | | | |
- ICMP Echo Request or Reply: | | | | | | |
- Echo server and Echo client |3.2.2.6 |x| | | | |
-
-
-
-Internet Engineering Task Force [Page 73]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- Echo client |3.2.2.6 | |x| | | |
- Discard Echo Request to broadcast address |3.2.2.6 | | |x| | |
- Discard Echo Request to multicast address |3.2.2.6 | | |x| | |
- Use specific-dest addr as Echo Reply src |3.2.2.6 |x| | | | |
- Send same data in Echo Reply |3.2.2.6 |x| | | | |
- Pass Echo Reply to higher layer |3.2.2.6 |x| | | | |
- Reflect Record Route, Time Stamp options |3.2.2.6 | |x| | | |
- Reverse and reflect Source Route option |3.2.2.6 |x| | | | |
- | | | | | | |
- ICMP Information Request or Reply: |3.2.2.7 | | | |x| |
- ICMP Timestamp and Timestamp Reply: |3.2.2.8 | | |x| | |
- Minimize delay variability |3.2.2.8 | |x| | | |1
- Silently discard b'cast Timestamp |3.2.2.8 | | |x| | |1
- Silently discard m'cast Timestamp |3.2.2.8 | | |x| | |1
- Use specific-dest addr as TS Reply src |3.2.2.8 |x| | | | |1
- Reflect Record Route, Time Stamp options |3.2.2.6 | |x| | | |1
- Reverse and reflect Source Route option |3.2.2.8 |x| | | | |1
- Pass Timestamp Reply to higher layer |3.2.2.8 |x| | | | |1
- Obey rules for "standard value" |3.2.2.8 |x| | | | |1
- | | | | | | |
- ICMP Address Mask Request and Reply: | | | | | | |
- Addr Mask source configurable |3.2.2.9 |x| | | | |
- Support static configuration of addr mask |3.2.2.9 |x| | | | |
- Get addr mask dynamically during booting |3.2.2.9 | | |x| | |
- Get addr via ICMP Addr Mask Request/Reply |3.2.2.9 | | |x| | |
- Retransmit Addr Mask Req if no Reply |3.2.2.9 |x| | | | |3
- Assume default mask if no Reply |3.2.2.9 | |x| | | |3
- Update address mask from first Reply only |3.2.2.9 |x| | | | |3
- Reasonableness check on Addr Mask |3.2.2.9 | |x| | | |
- Send unauthorized Addr Mask Reply msgs |3.2.2.9 | | | | |x|
- Explicitly configured to be agent |3.2.2.9 |x| | | | |
- Static config=> Addr-Mask-Authoritative flag |3.2.2.9 | |x| | | |
- Broadcast Addr Mask Reply when init. |3.2.2.9 |x| | | | |3
- | | | | | | |
-ROUTING OUTBOUND DATAGRAMS: | | | | | | |
- Use address mask in local/remote decision |3.3.1.1 |x| | | | |
- Operate with no gateways on conn network |3.3.1.1 |x| | | | |
- Maintain "route cache" of next-hop gateways |3.3.1.2 |x| | | | |
- Treat Host and Net Redirect the same |3.3.1.2 | |x| | | |
- If no cache entry, use default gateway |3.3.1.2 |x| | | | |
- Support multiple default gateways |3.3.1.2 |x| | | | |
- Provide table of static routes |3.3.1.2 | | |x| | |
- Flag: route overridable by Redirects |3.3.1.2 | | |x| | |
- Key route cache on host, not net address |3.3.1.3 | | |x| | |
- Include TOS in route cache |3.3.1.3 | |x| | | |
- | | | | | | |
- Able to detect failure of next-hop gateway |3.3.1.4 |x| | | | |
- Assume route is good forever |3.3.1.4 | | | |x| |
-
-
-
-Internet Engineering Task Force [Page 74]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- Ping gateways continuously |3.3.1.4 | | | | |x|
- Ping only when traffic being sent |3.3.1.4 |x| | | | |
- Ping only when no positive indication |3.3.1.4 |x| | | | |
- Higher and lower layers give advice |3.3.1.4 | |x| | | |
- Switch from failed default g'way to another |3.3.1.5 |x| | | | |
- Manual method of entering config info |3.3.1.6 |x| | | | |
- | | | | | | |
-REASSEMBLY and FRAGMENTATION: | | | | | | |
- Able to reassemble incoming datagrams |3.3.2 |x| | | | |
- At least 576 byte datagrams |3.3.2 |x| | | | |
- EMTU_R configurable or indefinite |3.3.2 | |x| | | |
- Transport layer able to learn MMS_R |3.3.2 |x| | | | |
- Send ICMP Time Exceeded on reassembly timeout |3.3.2 |x| | | | |
- Fixed reassembly timeout value |3.3.2 | |x| | | |
- | | | | | | |
- Pass MMS_S to higher layers |3.3.3 |x| | | | |
- Local fragmentation of outgoing packets |3.3.3 | | |x| | |
- Else don't send bigger than MMS_S |3.3.3 |x| | | | |
- Send max 576 to off-net destination |3.3.3 | |x| | | |
- All-Subnets-MTU configuration flag |3.3.3 | | |x| | |
- | | | | | | |
-MULTIHOMING: | | | | | | |
- Reply with same addr as spec-dest addr |3.3.4.2 | |x| | | |
- Allow application to choose local IP addr |3.3.4.2 |x| | | | |
- Silently discard d'gram in "wrong" interface |3.3.4.2 | | |x| | |
- Only send d'gram through "right" interface |3.3.4.2 | | |x| | |4
- | | | | | | |
-SOURCE-ROUTE FORWARDING: | | | | | | |
- Forward datagram with Source Route option |3.3.5 | | |x| | |1
- Obey corresponding gateway rules |3.3.5 |x| | | | |1
- Update TTL by gateway rules |3.3.5 |x| | | | |1
- Able to generate ICMP err code 4, 5 |3.3.5 |x| | | | |1
- IP src addr not local host |3.3.5 | | |x| | |1
- Update Timestamp, Record Route options |3.3.5 |x| | | | |1
- Configurable switch for non-local SRing |3.3.5 |x| | | | |1
- Defaults to OFF |3.3.5 |x| | | | |1
- Satisfy gwy access rules for non-local SRing |3.3.5 |x| | | | |1
- If not forward, send Dest Unreach (cd 5) |3.3.5 | |x| | | |2
- | | | | | | |
-BROADCAST: | | | | | | |
- Broadcast addr as IP source addr |3.2.1.3 | | | | |x|
- Receive 0 or -1 broadcast formats OK |3.3.6 | |x| | | |
- Config'ble option to send 0 or -1 b'cast |3.3.6 | | |x| | |
- Default to -1 broadcast |3.3.6 | |x| | | |
- Recognize all broadcast address formats |3.3.6 |x| | | | |
- Use IP b'cast/m'cast addr in link-layer b'cast |3.3.6 |x| | | | |
- Silently discard link-layer-only b'cast dg's |3.3.6 | |x| | | |
- Use Limited Broadcast addr for connected net |3.3.6 | |x| | | |
-
-
-
-Internet Engineering Task Force [Page 75]
-
-
-
-
-RFC1122 INTERNET LAYER October 1989
-
-
- | | | | | | |
-MULTICAST: | | | | | | |
- Support local IP multicasting (RFC-1112) |3.3.7 | |x| | | |
- Support IGMP (RFC-1112) |3.3.7 | | |x| | |
- Join all-hosts group at startup |3.3.7 | |x| | | |
- Higher layers learn i'face m'cast capability |3.3.7 | |x| | | |
- | | | | | | |
-INTERFACE: | | | | | | |
- Allow transport layer to use all IP mechanisms |3.4 |x| | | | |
- Pass interface ident up to transport layer |3.4 |x| | | | |
- Pass all IP options up to transport layer |3.4 |x| | | | |
- Transport layer can send certain ICMP messages |3.4 |x| | | | |
- Pass spec'd ICMP messages up to transp. layer |3.4 |x| | | | |
- Include IP hdr+8 octets or more from orig. |3.4 |x| | | | |
- Able to leap tall buildings at a single bound |3.5 | |x| | | |
-
-Footnotes:
-
-(1) Only if feature is implemented.
-
-(2) This requirement is overruled if datagram is an ICMP error message.
-
-(3) Only if feature is implemented and is configured "on".
-
-(4) Unless has embedded gateway functionality or is source routed.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 76]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- UDP October 1989
-
-
-4. TRANSPORT PROTOCOLS
-
- 4.1 USER DATAGRAM PROTOCOL -- UDP
-
- 4.1.1 INTRODUCTION
-
- The User Datagram Protocol UDP [UDP:1] offers only a minimal
- transport service -- non-guaranteed datagram delivery -- and
- gives applications direct access to the datagram service of the
- IP layer. UDP is used by applications that do not require the
- level of service of TCP or that wish to use communications
- services (e.g., multicast or broadcast delivery) not available
- from TCP.
-
- UDP is almost a null protocol; the only services it provides
- over IP are checksumming of data and multiplexing by port
- number. Therefore, an application program running over UDP
- must deal directly with end-to-end communication problems that
- a connection-oriented protocol would have handled -- e.g.,
- retransmission for reliable delivery, packetization and
- reassembly, flow control, congestion avoidance, etc., when
- these are required. The fairly complex coupling between IP and
- TCP will be mirrored in the coupling between UDP and many
- applications using UDP.
-
- 4.1.2 PROTOCOL WALK-THROUGH
-
- There are no known errors in the specification of UDP.
-
- 4.1.3 SPECIFIC ISSUES
-
- 4.1.3.1 Ports
-
- UDP well-known ports follow the same rules as TCP well-known
- ports; see Section 4.2.2.1 below.
-
- If a datagram arrives addressed to a UDP port for which
- there is no pending LISTEN call, UDP SHOULD send an ICMP
- Port Unreachable message.
-
- 4.1.3.2 IP Options
-
- UDP MUST pass any IP option that it receives from the IP
- layer transparently to the application layer.
-
- An application MUST be able to specify IP options to be sent
- in its UDP datagrams, and UDP MUST pass these options to the
- IP layer.
-
-
-
-Internet Engineering Task Force [Page 77]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- UDP October 1989
-
-
- DISCUSSION:
- At present, the only options that need be passed
- through UDP are Source Route, Record Route, and Time
- Stamp. However, new options may be defined in the
- future, and UDP need not and should not make any
- assumptions about the format or content of options it
- passes to or from the application; an exception to this
- might be an IP-layer security option.
-
- An application based on UDP will need to obtain a
- source route from a request datagram and supply a
- reversed route for sending the corresponding reply.
-
- 4.1.3.3 ICMP Messages
-
- UDP MUST pass to the application layer all ICMP error
- messages that it receives from the IP layer. Conceptually
- at least, this may be accomplished with an upcall to the
- ERROR_REPORT routine (see Section 4.2.4.1).
-
- DISCUSSION:
- Note that ICMP error messages resulting from sending a
- UDP datagram are received asynchronously. A UDP-based
- application that wants to receive ICMP error messages
- is responsible for maintaining the state necessary to
- demultiplex these messages when they arrive; for
- example, the application may keep a pending receive
- operation for this purpose. The application is also
- responsible to avoid confusion from a delayed ICMP
- error message resulting from an earlier use of the same
- port(s).
-
- 4.1.3.4 UDP Checksums
-
- A host MUST implement the facility to generate and validate
- UDP checksums. An application MAY optionally be able to
- control whether a UDP checksum will be generated, but it
- MUST default to checksumming on.
-
- If a UDP datagram is received with a checksum that is non-
- zero and invalid, UDP MUST silently discard the datagram.
- An application MAY optionally be able to control whether UDP
- datagrams without checksums should be discarded or passed to
- the application.
-
- DISCUSSION:
- Some applications that normally run only across local
- area networks have chosen to turn off UDP checksums for
-
-
-
-Internet Engineering Task Force [Page 78]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- UDP October 1989
-
-
- efficiency. As a result, numerous cases of undetected
- errors have been reported. The advisability of ever
- turning off UDP checksumming is very controversial.
-
- IMPLEMENTATION:
- There is a common implementation error in UDP
- checksums. Unlike the TCP checksum, the UDP checksum
- is optional; the value zero is transmitted in the
- checksum field of a UDP header to indicate the absence
- of a checksum. If the transmitter really calculates a
- UDP checksum of zero, it must transmit the checksum as
- all 1's (65535). No special action is required at the
- receiver, since zero and 65535 are equivalent in 1's
- complement arithmetic.
-
- 4.1.3.5 UDP Multihoming
-
- When a UDP datagram is received, its specific-destination
- address MUST be passed up to the application layer.
-
- An application program MUST be able to specify the IP source
- address to be used for sending a UDP datagram or to leave it
- unspecified (in which case the networking software will
- choose an appropriate source address). There SHOULD be a
- way to communicate the chosen source address up to the
- application layer (e.g, so that the application can later
- receive a reply datagram only from the corresponding
- interface).
-
- DISCUSSION:
- A request/response application that uses UDP should use
- a source address for the response that is the same as
- the specific destination address of the request. See
- the "General Issues" section of [INTRO:1].
-
- 4.1.3.6 Invalid Addresses
-
- A UDP datagram received with an invalid IP source address
- (e.g., a broadcast or multicast address) must be discarded
- by UDP or by the IP layer (see Section 3.2.1.3).
-
- When a host sends a UDP datagram, the source address MUST be
- (one of) the IP address(es) of the host.
-
- 4.1.4 UDP/APPLICATION LAYER INTERFACE
-
- The application interface to UDP MUST provide the full services
- of the IP/transport interface described in Section 3.4 of this
-
-
-
-Internet Engineering Task Force [Page 79]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- UDP October 1989
-
-
- document. Thus, an application using UDP needs the functions
- of the GET_SRCADDR(), GET_MAXSIZES(), ADVISE_DELIVPROB(), and
- RECV_ICMP() calls described in Section 3.4. For example,
- GET_MAXSIZES() can be used to learn the effective maximum UDP
- maximum datagram size for a particular {interface,remote
- host,TOS} triplet.
-
- An application-layer program MUST be able to set the TTL and
- TOS values as well as IP options for sending a UDP datagram,
- and these values must be passed transparently to the IP layer.
- UDP MAY pass the received TOS up to the application layer.
-
- 4.1.5 UDP REQUIREMENTS SUMMARY
-
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
--------------------------------------------------|--------|-|-|-|-|-|--
- | | | | | | |
- UDP | | | | | | |
--------------------------------------------------|--------|-|-|-|-|-|--
- | | | | | | |
-UDP send Port Unreachable |4.1.3.1 | |x| | | |
- | | | | | | |
-IP Options in UDP | | | | | | |
- - Pass rcv'd IP options to applic layer |4.1.3.2 |x| | | | |
- - Applic layer can specify IP options in Send |4.1.3.2 |x| | | | |
- - UDP passes IP options down to IP layer |4.1.3.2 |x| | | | |
- | | | | | | |
-Pass ICMP msgs up to applic layer |4.1.3.3 |x| | | | |
- | | | | | | |
-UDP checksums: | | | | | | |
- - Able to generate/check checksum |4.1.3.4 |x| | | | |
- - Silently discard bad checksum |4.1.3.4 |x| | | | |
- - Sender Option to not generate checksum |4.1.3.4 | | |x| | |
- - Default is to checksum |4.1.3.4 |x| | | | |
- - Receiver Option to require checksum |4.1.3.4 | | |x| | |
- | | | | | | |
-UDP Multihoming | | | | | | |
- - Pass spec-dest addr to application |4.1.3.5 |x| | | | |
-
-
-
-Internet Engineering Task Force [Page 80]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- UDP October 1989
-
-
- - Applic layer can specify Local IP addr |4.1.3.5 |x| | | | |
- - Applic layer specify wild Local IP addr |4.1.3.5 |x| | | | |
- - Applic layer notified of Local IP addr used |4.1.3.5 | |x| | | |
- | | | | | | |
-Bad IP src addr silently discarded by UDP/IP |4.1.3.6 |x| | | | |
-Only send valid IP source address |4.1.3.6 |x| | | | |
-UDP Application Interface Services | | | | | | |
-Full IP interface of 3.4 for application |4.1.4 |x| | | | |
- - Able to spec TTL, TOS, IP opts when send dg |4.1.4 |x| | | | |
- - Pass received TOS up to applic layer |4.1.4 | | |x| | |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 81]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- 4.2 TRANSMISSION CONTROL PROTOCOL -- TCP
-
- 4.2.1 INTRODUCTION
-
- The Transmission Control Protocol TCP [TCP:1] is the primary
- virtual-circuit transport protocol for the Internet suite. TCP
- provides reliable, in-sequence delivery of a full-duplex stream
- of octets (8-bit bytes). TCP is used by those applications
- needing reliable, connection-oriented transport service, e.g.,
- mail (SMTP), file transfer (FTP), and virtual terminal service
- (Telnet); requirements for these application-layer protocols
- are described in [INTRO:1].
-
- 4.2.2 PROTOCOL WALK-THROUGH
-
- 4.2.2.1 Well-Known Ports: RFC-793 Section 2.7
-
- DISCUSSION:
- TCP reserves port numbers in the range 0-255 for
- "well-known" ports, used to access services that are
- standardized across the Internet. The remainder of the
- port space can be freely allocated to application
- processes. Current well-known port definitions are
- listed in the RFC entitled "Assigned Numbers"
- [INTRO:6]. A prerequisite for defining a new well-
- known port is an RFC documenting the proposed service
- in enough detail to allow new implementations.
-
- Some systems extend this notion by adding a third
- subdivision of the TCP port space: reserved ports,
- which are generally used for operating-system-specific
- services. For example, reserved ports might fall
- between 256 and some system-dependent upper limit.
- Some systems further choose to protect well-known and
- reserved ports by permitting only privileged users to
- open TCP connections with those port values. This is
- perfectly reasonable as long as the host does not
- assume that all hosts protect their low-numbered ports
- in this manner.
-
- 4.2.2.2 Use of Push: RFC-793 Section 2.8
-
- When an application issues a series of SEND calls without
- setting the PUSH flag, the TCP MAY aggregate the data
- internally without sending it. Similarly, when a series of
- segments is received without the PSH bit, a TCP MAY queue
- the data internally without passing it to the receiving
- application.
-
-
-
-Internet Engineering Task Force [Page 82]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- The PSH bit is not a record marker and is independent of
- segment boundaries. The transmitter SHOULD collapse
- successive PSH bits when it packetizes data, to send the
- largest possible segment.
-
- A TCP MAY implement PUSH flags on SEND calls. If PUSH flags
- are not implemented, then the sending TCP: (1) must not
- buffer data indefinitely, and (2) MUST set the PSH bit in
- the last buffered segment (i.e., when there is no more
- queued data to be sent).
-
- The discussion in RFC-793 on pages 48, 50, and 74
- erroneously implies that a received PSH flag must be passed
- to the application layer. Passing a received PSH flag to
- the application layer is now OPTIONAL.
-
- An application program is logically required to set the PUSH
- flag in a SEND call whenever it needs to force delivery of
- the data to avoid a communication deadlock. However, a TCP
- SHOULD send a maximum-sized segment whenever possible, to
- improve performance (see Section 4.2.3.4).
-
- DISCUSSION:
- When the PUSH flag is not implemented on SEND calls,
- i.e., when the application/TCP interface uses a pure
- streaming model, responsibility for aggregating any
- tiny data fragments to form reasonable sized segments
- is partially borne by the application layer.
-
- Generally, an interactive application protocol must set
- the PUSH flag at least in the last SEND call in each
- command or response sequence. A bulk transfer protocol
- like FTP should set the PUSH flag on the last segment
- of a file or when necessary to prevent buffer deadlock.
-
- At the receiver, the PSH bit forces buffered data to be
- delivered to the application (even if less than a full
- buffer has been received). Conversely, the lack of a
- PSH bit can be used to avoid unnecessary wakeup calls
- to the application process; this can be an important
- performance optimization for large timesharing hosts.
- Passing the PSH bit to the receiving application allows
- an analogous optimization within the application.
-
- 4.2.2.3 Window Size: RFC-793 Section 3.1
-
- The window size MUST be treated as an unsigned number, or
- else large window sizes will appear like negative windows
-
-
-
-Internet Engineering Task Force [Page 83]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- and TCP will not work. It is RECOMMENDED that
- implementations reserve 32-bit fields for the send and
- receive window sizes in the connection record and do all
- window computations with 32 bits.
-
- DISCUSSION:
- It is known that the window field in the TCP header is
- too small for high-speed, long-delay paths.
- Experimental TCP options have been defined to extend
- the window size; see for example [TCP:11]. In
- anticipation of the adoption of such an extension, TCP
- implementors should treat windows as 32 bits.
-
- 4.2.2.4 Urgent Pointer: RFC-793 Section 3.1
-
- The second sentence is in error: the urgent pointer points
- to the sequence number of the LAST octet (not LAST+1) in a
- sequence of urgent data. The description on page 56 (last
- sentence) is correct.
-
- A TCP MUST support a sequence of urgent data of any length.
-
- A TCP MUST inform the application layer asynchronously
- whenever it receives an Urgent pointer and there was
- previously no pending urgent data, or whenever the Urgent
- pointer advances in the data stream. There MUST be a way
- for the application to learn how much urgent data remains to
- be read from the connection, or at least to determine
- whether or not more urgent data remains to be read.
-
- DISCUSSION:
- Although the Urgent mechanism may be used for any
- application, it is normally used to send "interrupt"-
- type commands to a Telnet program (see "Using Telnet
- Synch Sequence" section in [INTRO:1]).
-
- The asynchronous or "out-of-band" notification will
- allow the application to go into "urgent mode", reading
- data from the TCP connection. This allows control
- commands to be sent to an application whose normal
- input buffers are full of unprocessed data.
-
- IMPLEMENTATION:
- The generic ERROR-REPORT() upcall described in Section
- 4.2.4.1 is a possible mechanism for informing the
- application of the arrival of urgent data.
-
-
-
-
-
-Internet Engineering Task Force [Page 84]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- 4.2.2.5 TCP Options: RFC-793 Section 3.1
-
- A TCP MUST be able to receive a TCP option in any segment.
- A TCP MUST ignore without error any TCP option it does not
- implement, assuming that the option has a length field (all
- TCP options defined in the future will have length fields).
- TCP MUST be prepared to handle an illegal option length
- (e.g., zero) without crashing; a suggested procedure is to
- reset the connection and log the reason.
-
- 4.2.2.6 Maximum Segment Size Option: RFC-793 Section 3.1
-
- TCP MUST implement both sending and receiving the Maximum
- Segment Size option [TCP:4].
-
- TCP SHOULD send an MSS (Maximum Segment Size) option in
- every SYN segment when its receive MSS differs from the
- default 536, and MAY send it always.
-
- If an MSS option is not received at connection setup, TCP
- MUST assume a default send MSS of 536 (576-40) [TCP:4].
-
- The maximum size of a segment that TCP really sends, the
- "effective send MSS," MUST be the smaller of the send MSS
- (which reflects the available reassembly buffer size at the
- remote host) and the largest size permitted by the IP layer:
-
- Eff.snd.MSS =
-
- min(SendMSS+20, MMS_S) - TCPhdrsize - IPoptionsize
-
- where:
-
- * SendMSS is the MSS value received from the remote host,
- or the default 536 if no MSS option is received.
-
- * MMS_S is the maximum size for a transport-layer message
- that TCP may send.
-
- * TCPhdrsize is the size of the TCP header; this is
- normally 20, but may be larger if TCP options are to be
- sent.
-
- * IPoptionsize is the size of any IP options that TCP
- will pass to the IP layer with the current message.
-
-
- The MSS value to be sent in an MSS option must be less than
-
-
-
-Internet Engineering Task Force [Page 85]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- or equal to:
-
- MMS_R - 20
-
- where MMS_R is the maximum size for a transport-layer
- message that can be received (and reassembled). TCP obtains
- MMS_R and MMS_S from the IP layer; see the generic call
- GET_MAXSIZES in Section 3.4.
-
- DISCUSSION:
- The choice of TCP segment size has a strong effect on
- performance. Larger segments increase throughput by
- amortizing header size and per-datagram processing
- overhead over more data bytes; however, if the packet
- is so large that it causes IP fragmentation, efficiency
- drops sharply if any fragments are lost [IP:9].
-
- Some TCP implementations send an MSS option only if the
- destination host is on a non-connected network.
- However, in general the TCP layer may not have the
- appropriate information to make this decision, so it is
- preferable to leave to the IP layer the task of
- determining a suitable MTU for the Internet path. We
- therefore recommend that TCP always send the option (if
- not 536) and that the IP layer determine MMS_R as
- specified in 3.3.3 and 3.4. A proposed IP-layer
- mechanism to measure the MTU would then modify the IP
- layer without changing TCP.
-
- 4.2.2.7 TCP Checksum: RFC-793 Section 3.1
-
- Unlike the UDP checksum (see Section 4.1.3.4), the TCP
- checksum is never optional. The sender MUST generate it and
- the receiver MUST check it.
-
- 4.2.2.8 TCP Connection State Diagram: RFC-793 Section 3.2,
- page 23
-
- There are several problems with this diagram:
-
- (a) The arrow from SYN-SENT to SYN-RCVD should be labeled
- with "snd SYN,ACK", to agree with the text on page 68
- and with Figure 8.
-
- (b) There could be an arrow from SYN-RCVD state to LISTEN
- state, conditioned on receiving a RST after a passive
- open (see text page 70).
-
-
-
-
-Internet Engineering Task Force [Page 86]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- (c) It is possible to go directly from FIN-WAIT-1 to the
- TIME-WAIT state (see page 75 of the spec).
-
-
- 4.2.2.9 Initial Sequence Number Selection: RFC-793 Section
- 3.3, page 27
-
- A TCP MUST use the specified clock-driven selection of
- initial sequence numbers.
-
- 4.2.2.10 Simultaneous Open Attempts: RFC-793 Section 3.4, page
- 32
-
- There is an error in Figure 8: the packet on line 7 should
- be identical to the packet on line 5.
-
- A TCP MUST support simultaneous open attempts.
-
- DISCUSSION:
- It sometimes surprises implementors that if two
- applications attempt to simultaneously connect to each
- other, only one connection is generated instead of two.
- This was an intentional design decision; don't try to
- "fix" it.
-
- 4.2.2.11 Recovery from Old Duplicate SYN: RFC-793 Section 3.4,
- page 33
-
- Note that a TCP implementation MUST keep track of whether a
- connection has reached SYN_RCVD state as the result of a
- passive OPEN or an active OPEN.
-
- 4.2.2.12 RST Segment: RFC-793 Section 3.4
-
- A TCP SHOULD allow a received RST segment to include data.
-
- DISCUSSION
- It has been suggested that a RST segment could contain
- ASCII text that encoded and explained the cause of the
- RST. No standard has yet been established for such
- data.
-
- 4.2.2.13 Closing a Connection: RFC-793 Section 3.5
-
- A TCP connection may terminate in two ways: (1) the normal
- TCP close sequence using a FIN handshake, and (2) an "abort"
- in which one or more RST segments are sent and the
- connection state is immediately discarded. If a TCP
-
-
-
-Internet Engineering Task Force [Page 87]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- connection is closed by the remote site, the local
- application MUST be informed whether it closed normally or
- was aborted.
-
- The normal TCP close sequence delivers buffered data
- reliably in both directions. Since the two directions of a
- TCP connection are closed independently, it is possible for
- a connection to be "half closed," i.e., closed in only one
- direction, and a host is permitted to continue sending data
- in the open direction on a half-closed connection.
-
- A host MAY implement a "half-duplex" TCP close sequence, so
- that an application that has called CLOSE cannot continue to
- read data from the connection. If such a host issues a
- CLOSE call while received data is still pending in TCP, or
- if new data is received after CLOSE is called, its TCP
- SHOULD send a RST to show that data was lost.
-
- When a connection is closed actively, it MUST linger in
- TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
- However, it MAY accept a new SYN from the remote TCP to
- reopen the connection directly from TIME-WAIT state, if it:
-
- (1) assigns its initial sequence number for the new
- connection to be larger than the largest sequence
- number it used on the previous connection incarnation,
- and
-
- (2) returns to TIME-WAIT state if the SYN turns out to be
- an old duplicate.
-
-
- DISCUSSION:
- TCP's full-duplex data-preserving close is a feature
- that is not included in the analogous ISO transport
- protocol TP4.
-
- Some systems have not implemented half-closed
- connections, presumably because they do not fit into
- the I/O model of their particular operating system. On
- these systems, once an application has called CLOSE, it
- can no longer read input data from the connection; this
- is referred to as a "half-duplex" TCP close sequence.
-
- The graceful close algorithm of TCP requires that the
- connection state remain defined on (at least) one end
- of the connection, for a timeout period of 2xMSL, i.e.,
- 4 minutes. During this period, the (remote socket,
-
-
-
-Internet Engineering Task Force [Page 88]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- local socket) pair that defines the connection is busy
- and cannot be reused. To shorten the time that a given
- port pair is tied up, some TCPs allow a new SYN to be
- accepted in TIME-WAIT state.
-
- 4.2.2.14 Data Communication: RFC-793 Section 3.7, page 40
-
- Since RFC-793 was written, there has been extensive work on
- TCP algorithms to achieve efficient data communication.
- Later sections of the present document describe required and
- recommended TCP algorithms to determine when to send data
- (Section 4.2.3.4), when to send an acknowledgment (Section
- 4.2.3.2), and when to update the window (Section 4.2.3.3).
-
- DISCUSSION:
- One important performance issue is "Silly Window
- Syndrome" or "SWS" [TCP:5], a stable pattern of small
- incremental window movements resulting in extremely
- poor TCP performance. Algorithms to avoid SWS are
- described below for both the sending side (Section
- 4.2.3.4) and the receiving side (Section 4.2.3.3).
-
- In brief, SWS is caused by the receiver advancing the
- right window edge whenever it has any new buffer space
- available to receive data and by the sender using any
- incremental window, no matter how small, to send more
- data [TCP:5]. The result can be a stable pattern of
- sending tiny data segments, even though both sender and
- receiver have a large total buffer space for the
- connection. SWS can only occur during the transmission
- of a large amount of data; if the connection goes
- quiescent, the problem will disappear. It is caused by
- typical straightforward implementation of window
- management, but the sender and receiver algorithms
- given below will avoid it.
-
- Another important TCP performance issue is that some
- applications, especially remote login to character-at-
- a-time hosts, tend to send streams of one-octet data
- segments. To avoid deadlocks, every TCP SEND call from
- such applications must be "pushed", either explicitly
- by the application or else implicitly by TCP. The
- result may be a stream of TCP segments that contain one
- data octet each, which makes very inefficient use of
- the Internet and contributes to Internet congestion.
- The Nagle Algorithm described in Section 4.2.3.4
- provides a simple and effective solution to this
- problem. It does have the effect of clumping
-
-
-
-Internet Engineering Task Force [Page 89]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- characters over Telnet connections; this may initially
- surprise users accustomed to single-character echo, but
- user acceptance has not been a problem.
-
- Note that the Nagle algorithm and the send SWS
- avoidance algorithm play complementary roles in
- improving performance. The Nagle algorithm discourages
- sending tiny segments when the data to be sent
- increases in small increments, while the SWS avoidance
- algorithm discourages small segments resulting from the
- right window edge advancing in small increments.
-
- A careless implementation can send two or more
- acknowledgment segments per data segment received. For
- example, suppose the receiver acknowledges every data
- segment immediately. When the application program
- subsequently consumes the data and increases the
- available receive buffer space again, the receiver may
- send a second acknowledgment segment to update the
- window at the sender. The extreme case occurs with
- single-character segments on TCP connections using the
- Telnet protocol for remote login service. Some
- implementations have been observed in which each
- incoming 1-character segment generates three return
- segments: (1) the acknowledgment, (2) a one byte
- increase in the window, and (3) the echoed character,
- respectively.
-
- 4.2.2.15 Retransmission Timeout: RFC-793 Section 3.7, page 41
-
- The algorithm suggested in RFC-793 for calculating the
- retransmission timeout is now known to be inadequate; see
- Section 4.2.3.1 below.
-
- Recent work by Jacobson [TCP:7] on Internet congestion and
- TCP retransmission stability has produced a transmission
- algorithm combining "slow start" with "congestion
- avoidance". A TCP MUST implement this algorithm.
-
- If a retransmitted packet is identical to the original
- packet (which implies not only that the data boundaries have
- not changed, but also that the window and acknowledgment
- fields of the header have not changed), then the same IP
- Identification field MAY be used (see Section 3.2.1.5).
-
- IMPLEMENTATION:
- Some TCP implementors have chosen to "packetize" the
- data stream, i.e., to pick segment boundaries when
-
-
-
-Internet Engineering Task Force [Page 90]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- segments are originally sent and to queue these
- segments in a "retransmission queue" until they are
- acknowledged. Another design (which may be simpler) is
- to defer packetizing until each time data is
- transmitted or retransmitted, so there will be no
- segment retransmission queue.
-
- In an implementation with a segment retransmission
- queue, TCP performance may be enhanced by repacketizing
- the segments awaiting acknowledgment when the first
- retransmission timeout occurs. That is, the
- outstanding segments that fitted would be combined into
- one maximum-sized segment, with a new IP Identification
- value. The TCP would then retain this combined segment
- in the retransmit queue until it was acknowledged.
- However, if the first two segments in the
- retransmission queue totalled more than one maximum-
- sized segment, the TCP would retransmit only the first
- segment using the original IP Identification field.
-
- 4.2.2.16 Managing the Window: RFC-793 Section 3.7, page 41
-
- A TCP receiver SHOULD NOT shrink the window, i.e., move the
- right window edge to the left. However, a sending TCP MUST
- be robust against window shrinking, which may cause the
- "useable window" (see Section 4.2.3.4) to become negative.
-
- If this happens, the sender SHOULD NOT send new data, but
- SHOULD retransmit normally the old unacknowledged data
- between SND.UNA and SND.UNA+SND.WND. The sender MAY also
- retransmit old data beyond SND.UNA+SND.WND, but SHOULD NOT
- time out the connection if data beyond the right window edge
- is not acknowledged. If the window shrinks to zero, the TCP
- MUST probe it in the standard way (see next Section).
-
- DISCUSSION:
- Many TCP implementations become confused if the window
- shrinks from the right after data has been sent into a
- larger window. Note that TCP has a heuristic to select
- the latest window update despite possible datagram
- reordering; as a result, it may ignore a window update
- with a smaller window than previously offered if
- neither the sequence number nor the acknowledgment
- number is increased.
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 91]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- 4.2.2.17 Probing Zero Windows: RFC-793 Section 3.7, page 42
-
- Probing of zero (offered) windows MUST be supported.
-
- A TCP MAY keep its offered receive window closed
- indefinitely. As long as the receiving TCP continues to
- send acknowledgments in response to the probe segments, the
- sending TCP MUST allow the connection to stay open.
-
- DISCUSSION:
- It is extremely important to remember that ACK
- (acknowledgment) segments that contain no data are not
- reliably transmitted by TCP. If zero window probing is
- not supported, a connection may hang forever when an
- ACK segment that re-opens the window is lost.
-
- The delay in opening a zero window generally occurs
- when the receiving application stops taking data from
- its TCP. For example, consider a printer daemon
- application, stopped because the printer ran out of
- paper.
-
- The transmitting host SHOULD send the first zero-window
- probe when a zero window has existed for the retransmission
- timeout period (see Section 4.2.2.15), and SHOULD increase
- exponentially the interval between successive probes.
-
- DISCUSSION:
- This procedure minimizes delay if the zero-window
- condition is due to a lost ACK segment containing a
- window-opening update. Exponential backoff is
- recommended, possibly with some maximum interval not
- specified here. This procedure is similar to that of
- the retransmission algorithm, and it may be possible to
- combine the two procedures in the implementation.
-
- 4.2.2.18 Passive OPEN Calls: RFC-793 Section 3.8
-
- Every passive OPEN call either creates a new connection
- record in LISTEN state, or it returns an error; it MUST NOT
- affect any previously created connection record.
-
- A TCP that supports multiple concurrent users MUST provide
- an OPEN call that will functionally allow an application to
- LISTEN on a port while a connection block with the same
- local port is in SYN-SENT or SYN-RECEIVED state.
-
- DISCUSSION:
-
-
-
-Internet Engineering Task Force [Page 92]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- Some applications (e.g., SMTP servers) may need to
- handle multiple connection attempts at about the same
- time. The probability of a connection attempt failing
- is reduced by giving the application some means of
- listening for a new connection at the same time that an
- earlier connection attempt is going through the three-
- way handshake.
-
- IMPLEMENTATION:
- Acceptable implementations of concurrent opens may
- permit multiple passive OPEN calls, or they may allow
- "cloning" of LISTEN-state connections from a single
- passive OPEN call.
-
- 4.2.2.19 Time to Live: RFC-793 Section 3.9, page 52
-
- RFC-793 specified that TCP was to request the IP layer to
- send TCP segments with TTL = 60. This is obsolete; the TTL
- value used to send TCP segments MUST be configurable. See
- Section 3.2.1.7 for discussion.
-
- 4.2.2.20 Event Processing: RFC-793 Section 3.9
-
- While it is not strictly required, a TCP SHOULD be capable
- of queueing out-of-order TCP segments. Change the "may" in
- the last sentence of the first paragraph on page 70 to
- "should".
-
- DISCUSSION:
- Some small-host implementations have omitted segment
- queueing because of limited buffer space. This
- omission may be expected to adversely affect TCP
- throughput, since loss of a single segment causes all
- later segments to appear to be "out of sequence".
-
- In general, the processing of received segments MUST be
- implemented to aggregate ACK segments whenever possible.
- For example, if the TCP is processing a series of queued
- segments, it MUST process them all before sending any ACK
- segments.
-
- Here are some detailed error corrections and notes on the
- Event Processing section of RFC-793.
-
- (a) CLOSE Call, CLOSE-WAIT state, p. 61: enter LAST-ACK
- state, not CLOSING.
-
- (b) LISTEN state, check for SYN (pp. 65, 66): With a SYN
-
-
-
-Internet Engineering Task Force [Page 93]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- bit, if the security/compartment or the precedence is
- wrong for the segment, a reset is sent. The wrong form
- of reset is shown in the text; it should be:
-
- <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
-
-
- (c) SYN-SENT state, Check for SYN, p. 68: When the
- connection enters ESTABLISHED state, the following
- variables must be set:
- SND.WND <- SEG.WND
- SND.WL1 <- SEG.SEQ
- SND.WL2 <- SEG.ACK
-
-
- (d) Check security and precedence, p. 71: The first heading
- "ESTABLISHED STATE" should really be a list of all
- states other than SYN-RECEIVED: ESTABLISHED, FIN-WAIT-
- 1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, and
- TIME-WAIT.
-
- (e) Check SYN bit, p. 71: "In SYN-RECEIVED state and if
- the connection was initiated with a passive OPEN, then
- return this connection to the LISTEN state and return.
- Otherwise...".
-
- (f) Check ACK field, SYN-RECEIVED state, p. 72: When the
- connection enters ESTABLISHED state, the variables
- listed in (c) must be set.
-
- (g) Check ACK field, ESTABLISHED state, p. 72: The ACK is a
- duplicate if SEG.ACK =< SND.UNA (the = was omitted).
- Similarly, the window should be updated if: SND.UNA =<
- SEG.ACK =< SND.NXT.
-
- (h) USER TIMEOUT, p. 77:
-
- It would be better to notify the application of the
- timeout rather than letting TCP force the connection
- closed. However, see also Section 4.2.3.5.
-
-
- 4.2.2.21 Acknowledging Queued Segments: RFC-793 Section 3.9
-
- A TCP MAY send an ACK segment acknowledging RCV.NXT when a
- valid segment arrives that is in the window but not at the
- left window edge.
-
-
-
-
-Internet Engineering Task Force [Page 94]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- DISCUSSION:
- RFC-793 (see page 74) was ambiguous about whether or
- not an ACK segment should be sent when an out-of-order
- segment was received, i.e., when SEG.SEQ was unequal to
- RCV.NXT.
-
- One reason for ACKing out-of-order segments might be to
- support an experimental algorithm known as "fast
- retransmit". With this algorithm, the sender uses the
- "redundant" ACK's to deduce that a segment has been
- lost before the retransmission timer has expired. It
- counts the number of times an ACK has been received
- with the same value of SEG.ACK and with the same right
- window edge. If more than a threshold number of such
- ACK's is received, then the segment containing the
- octets starting at SEG.ACK is assumed to have been lost
- and is retransmitted, without awaiting a timeout. The
- threshold is chosen to compensate for the maximum
- likely segment reordering in the Internet. There is
- not yet enough experience with the fast retransmit
- algorithm to determine how useful it is.
-
- 4.2.3 SPECIFIC ISSUES
-
- 4.2.3.1 Retransmission Timeout Calculation
-
- A host TCP MUST implement Karn's algorithm and Jacobson's
- algorithm for computing the retransmission timeout ("RTO").
-
- o Jacobson's algorithm for computing the smoothed round-
- trip ("RTT") time incorporates a simple measure of the
- variance [TCP:7].
-
- o Karn's algorithm for selecting RTT measurements ensures
- that ambiguous round-trip times will not corrupt the
- calculation of the smoothed round-trip time [TCP:6].
-
- This implementation also MUST include "exponential backoff"
- for successive RTO values for the same segment.
- Retransmission of SYN segments SHOULD use the same algorithm
- as data segments.
-
- DISCUSSION:
- There were two known problems with the RTO calculations
- specified in RFC-793. First, the accurate measurement
- of RTTs is difficult when there are retransmissions.
- Second, the algorithm to compute the smoothed round-
- trip time is inadequate [TCP:7], because it incorrectly
-
-
-
-Internet Engineering Task Force [Page 95]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- assumed that the variance in RTT values would be small
- and constant. These problems were solved by Karn's and
- Jacobson's algorithm, respectively.
-
- The performance increase resulting from the use of
- these improvements varies from noticeable to dramatic.
- Jacobson's algorithm for incorporating the measured RTT
- variance is especially important on a low-speed link,
- where the natural variation of packet sizes causes a
- large variation in RTT. One vendor found link
- utilization on a 9.6kb line went from 10% to 90% as a
- result of implementing Jacobson's variance algorithm in
- TCP.
-
- The following values SHOULD be used to initialize the
- estimation parameters for a new connection:
-
- (a) RTT = 0 seconds.
-
- (b) RTO = 3 seconds. (The smoothed variance is to be
- initialized to the value that will result in this RTO).
-
- The recommended upper and lower bounds on the RTO are known
- to be inadequate on large internets. The lower bound SHOULD
- be measured in fractions of a second (to accommodate high
- speed LANs) and the upper bound should be 2*MSL, i.e., 240
- seconds.
-
- DISCUSSION:
- Experience has shown that these initialization values
- are reasonable, and that in any case the Karn and
- Jacobson algorithms make TCP behavior reasonably
- insensitive to the initial parameter choices.
-
- 4.2.3.2 When to Send an ACK Segment
-
- A host that is receiving a stream of TCP data segments can
- increase efficiency in both the Internet and the hosts by
- sending fewer than one ACK (acknowledgment) segment per data
- segment received; this is known as a "delayed ACK" [TCP:5].
-
- A TCP SHOULD implement a delayed ACK, but an ACK should not
- be excessively delayed; in particular, the delay MUST be
- less than 0.5 seconds, and in a stream of full-sized
- segments there SHOULD be an ACK for at least every second
- segment.
-
- DISCUSSION:
-
-
-
-Internet Engineering Task Force [Page 96]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- A delayed ACK gives the application an opportunity to
- update the window and perhaps to send an immediate
- response. In particular, in the case of character-mode
- remote login, a delayed ACK can reduce the number of
- segments sent by the server by a factor of 3 (ACK,
- window update, and echo character all combined in one
- segment).
-
- In addition, on some large multi-user hosts, a delayed
- ACK can substantially reduce protocol processing
- overhead by reducing the total number of packets to be
- processed [TCP:5]. However, excessive delays on ACK's
- can disturb the round-trip timing and packet "clocking"
- algorithms [TCP:7].
-
- 4.2.3.3 When to Send a Window Update
-
- A TCP MUST include a SWS avoidance algorithm in the receiver
- [TCP:5].
-
- IMPLEMENTATION:
- The receiver's SWS avoidance algorithm determines when
- the right window edge may be advanced; this is
- customarily known as "updating the window". This
- algorithm combines with the delayed ACK algorithm (see
- Section 4.2.3.2) to determine when an ACK segment
- containing the current window will really be sent to
- the receiver. We use the notation of RFC-793; see
- Figures 4 and 5 in that document.
-
- The solution to receiver SWS is to avoid advancing the
- right window edge RCV.NXT+RCV.WND in small increments,
- even if data is received from the network in small
- segments.
-
- Suppose the total receive buffer space is RCV.BUFF. At
- any given moment, RCV.USER octets of this total may be
- tied up with data that has been received and
- acknowledged but which the user process has not yet
- consumed. When the connection is quiescent, RCV.WND =
- RCV.BUFF and RCV.USER = 0.
-
- Keeping the right window edge fixed as data arrives and
- is acknowledged requires that the receiver offer less
- than its full buffer space, i.e., the receiver must
- specify a RCV.WND that keeps RCV.NXT+RCV.WND constant
- as RCV.NXT increases. Thus, the total buffer space
- RCV.BUFF is generally divided into three parts:
-
-
-
-Internet Engineering Task Force [Page 97]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
-
- |<------- RCV.BUFF ---------------->|
- 1 2 3
- ----|---------|------------------|------|----
- RCV.NXT ^
- (Fixed)
-
- 1 - RCV.USER = data received but not yet consumed;
- 2 - RCV.WND = space advertised to sender;
- 3 - Reduction = space available but not yet
- advertised.
-
-
- The suggested SWS avoidance algorithm for the receiver
- is to keep RCV.NXT+RCV.WND fixed until the reduction
- satisfies:
-
- RCV.BUFF - RCV.USER - RCV.WND >=
-
- min( Fr * RCV.BUFF, Eff.snd.MSS )
-
- where Fr is a fraction whose recommended value is 1/2,
- and Eff.snd.MSS is the effective send MSS for the
- connection (see Section 4.2.2.6). When the inequality
- is satisfied, RCV.WND is set to RCV.BUFF-RCV.USER.
-
- Note that the general effect of this algorithm is to
- advance RCV.WND in increments of Eff.snd.MSS (for
- realistic receive buffers: Eff.snd.MSS < RCV.BUFF/2).
- Note also that the receiver must use its own
- Eff.snd.MSS, assuming it is the same as the sender's.
-
- 4.2.3.4 When to Send Data
-
- A TCP MUST include a SWS avoidance algorithm in the sender.
-
- A TCP SHOULD implement the Nagle Algorithm [TCP:9] to
- coalesce short segments. However, there MUST be a way for
- an application to disable the Nagle algorithm on an
- individual connection. In all cases, sending data is also
- subject to the limitation imposed by the Slow Start
- algorithm (Section 4.2.2.15).
-
- DISCUSSION:
- The Nagle algorithm is generally as follows:
-
- If there is unacknowledged data (i.e., SND.NXT >
- SND.UNA), then the sending TCP buffers all user
-
-
-
-Internet Engineering Task Force [Page 98]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- data (regardless of the PSH bit), until the
- outstanding data has been acknowledged or until
- the TCP can send a full-sized segment (Eff.snd.MSS
- bytes; see Section 4.2.2.6).
-
- Some applications (e.g., real-time display window
- updates) require that the Nagle algorithm be turned
- off, so small data segments can be streamed out at the
- maximum rate.
-
- IMPLEMENTATION:
- The sender's SWS avoidance algorithm is more difficult
- than the receivers's, because the sender does not know
- (directly) the receiver's total buffer space RCV.BUFF.
- An approach which has been found to work well is for
- the sender to calculate Max(SND.WND), the maximum send
- window it has seen so far on the connection, and to use
- this value as an estimate of RCV.BUFF. Unfortunately,
- this can only be an estimate; the receiver may at any
- time reduce the size of RCV.BUFF. To avoid a resulting
- deadlock, it is necessary to have a timeout to force
- transmission of data, overriding the SWS avoidance
- algorithm. In practice, this timeout should seldom
- occur.
-
- The "useable window" [TCP:5] is:
-
- U = SND.UNA + SND.WND - SND.NXT
-
- i.e., the offered window less the amount of data sent
- but not acknowledged. If D is the amount of data
- queued in the sending TCP but not yet sent, then the
- following set of rules is recommended.
-
- Send data:
-
- (1) if a maximum-sized segment can be sent, i.e, if:
-
- min(D,U) >= Eff.snd.MSS;
-
-
- (2) or if the data is pushed and all queued data can
- be sent now, i.e., if:
-
- [SND.NXT = SND.UNA and] PUSHED and D <= U
-
- (the bracketed condition is imposed by the Nagle
- algorithm);
-
-
-
-Internet Engineering Task Force [Page 99]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- (3) or if at least a fraction Fs of the maximum window
- can be sent, i.e., if:
-
- [SND.NXT = SND.UNA and]
-
- min(D.U) >= Fs * Max(SND.WND);
-
-
- (4) or if data is PUSHed and the override timeout
- occurs.
-
- Here Fs is a fraction whose recommended value is 1/2.
- The override timeout should be in the range 0.1 - 1.0
- seconds. It may be convenient to combine this timer
- with the timer used to probe zero windows (Section
- 4.2.2.17).
-
- Finally, note that the SWS avoidance algorithm just
- specified is to be used instead of the sender-side
- algorithm contained in [TCP:5].
-
- 4.2.3.5 TCP Connection Failures
-
- Excessive retransmission of the same segment by TCP
- indicates some failure of the remote host or the Internet
- path. This failure may be of short or long duration. The
- following procedure MUST be used to handle excessive
- retransmissions of data segments [IP:11]:
-
- (a) There are two thresholds R1 and R2 measuring the amount
- of retransmission that has occurred for the same
- segment. R1 and R2 might be measured in time units or
- as a count of retransmissions.
-
- (b) When the number of transmissions of the same segment
- reaches or exceeds threshold R1, pass negative advice
- (see Section 3.3.1.4) to the IP layer, to trigger
- dead-gateway diagnosis.
-
- (c) When the number of transmissions of the same segment
- reaches a threshold R2 greater than R1, close the
- connection.
-
- (d) An application MUST be able to set the value for R2 for
- a particular connection. For example, an interactive
- application might set R2 to "infinity," giving the user
- control over when to disconnect.
-
-
-
-
-Internet Engineering Task Force [Page 100]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- (d) TCP SHOULD inform the application of the delivery
- problem (unless such information has been disabled by
- the application; see Section 4.2.4.1), when R1 is
- reached and before R2. This will allow a remote login
- (User Telnet) application program to inform the user,
- for example.
-
- The value of R1 SHOULD correspond to at least 3
- retransmissions, at the current RTO. The value of R2 SHOULD
- correspond to at least 100 seconds.
-
- An attempt to open a TCP connection could fail with
- excessive retransmissions of the SYN segment or by receipt
- of a RST segment or an ICMP Port Unreachable. SYN
- retransmissions MUST be handled in the general way just
- described for data retransmissions, including notification
- of the application layer.
-
- However, the values of R1 and R2 may be different for SYN
- and data segments. In particular, R2 for a SYN segment MUST
- be set large enough to provide retransmission of the segment
- for at least 3 minutes. The application can close the
- connection (i.e., give up on the open attempt) sooner, of
- course.
-
- DISCUSSION:
- Some Internet paths have significant setup times, and
- the number of such paths is likely to increase in the
- future.
-
- 4.2.3.6 TCP Keep-Alives
-
- Implementors MAY include "keep-alives" in their TCP
- implementations, although this practice is not universally
- accepted. If keep-alives are included, the application MUST
- be able to turn them on or off for each TCP connection, and
- they MUST default to off.
-
- Keep-alive packets MUST only be sent when no data or
- acknowledgement packets have been received for the
- connection within an interval. This interval MUST be
- configurable and MUST default to no less than two hours.
-
- It is extremely important to remember that ACK segments that
- contain no data are not reliably transmitted by TCP.
- Consequently, if a keep-alive mechanism is implemented it
- MUST NOT interpret failure to respond to any specific probe
- as a dead connection.
-
-
-
-Internet Engineering Task Force [Page 101]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- An implementation SHOULD send a keep-alive segment with no
- data; however, it MAY be configurable to send a keep-alive
- segment containing one garbage octet, for compatibility with
- erroneous TCP implementations.
-
- DISCUSSION:
- A "keep-alive" mechanism periodically probes the other
- end of a connection when the connection is otherwise
- idle, even when there is no data to be sent. The TCP
- specification does not include a keep-alive mechanism
- because it could: (1) cause perfectly good connections
- to break during transient Internet failures; (2)
- consume unnecessary bandwidth ("if no one is using the
- connection, who cares if it is still good?"); and (3)
- cost money for an Internet path that charges for
- packets.
-
- Some TCP implementations, however, have included a
- keep-alive mechanism. To confirm that an idle
- connection is still active, these implementations send
- a probe segment designed to elicit a response from the
- peer TCP. Such a segment generally contains SEG.SEQ =
- SND.NXT-1 and may or may not contain one garbage octet
- of data. Note that on a quiet connection SND.NXT =
- RCV.NXT, so that this SEG.SEQ will be outside the
- window. Therefore, the probe causes the receiver to
- return an acknowledgment segment, confirming that the
- connection is still live. If the peer has dropped the
- connection due to a network partition or a crash, it
- will respond with a RST instead of an acknowledgment
- segment.
-
- Unfortunately, some misbehaved TCP implementations fail
- to respond to a segment with SEG.SEQ = SND.NXT-1 unless
- the segment contains data. Alternatively, an
- implementation could determine whether a peer responded
- correctly to keep-alive packets with no garbage data
- octet.
-
- A TCP keep-alive mechanism should only be invoked in
- server applications that might otherwise hang
- indefinitely and consume resources unnecessarily if a
- client crashes or aborts a connection during a network
- failure.
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 102]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- 4.2.3.7 TCP Multihoming
-
- If an application on a multihomed host does not specify the
- local IP address when actively opening a TCP connection,
- then the TCP MUST ask the IP layer to select a local IP
- address before sending the (first) SYN. See the function
- GET_SRCADDR() in Section 3.4.
-
- At all other times, a previous segment has either been sent
- or received on this connection, and TCP MUST use the same
- local address is used that was used in those previous
- segments.
-
- 4.2.3.8 IP Options
-
- When received options are passed up to TCP from the IP
- layer, TCP MUST ignore options that it does not understand.
-
- A TCP MAY support the Time Stamp and Record Route options.
-
- An application MUST be able to specify a source route when
- it actively opens a TCP connection, and this MUST take
- precedence over a source route received in a datagram.
-
- When a TCP connection is OPENed passively and a packet
- arrives with a completed IP Source Route option (containing
- a return route), TCP MUST save the return route and use it
- for all segments sent on this connection. If a different
- source route arrives in a later segment, the later
- definition SHOULD override the earlier one.
-
- 4.2.3.9 ICMP Messages
-
- TCP MUST act on an ICMP error message passed up from the IP
- layer, directing it to the connection that created the
- error. The necessary demultiplexing information can be
- found in the IP header contained within the ICMP message.
-
- o Source Quench
-
- TCP MUST react to a Source Quench by slowing
- transmission on the connection. The RECOMMENDED
- procedure is for a Source Quench to trigger a "slow
- start," as if a retransmission timeout had occurred.
-
- o Destination Unreachable -- codes 0, 1, 5
-
- Since these Unreachable messages indicate soft error
-
-
-
-Internet Engineering Task Force [Page 103]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- conditions, TCP MUST NOT abort the connection, and it
- SHOULD make the information available to the
- application.
-
- DISCUSSION:
- TCP could report the soft error condition directly
- to the application layer with an upcall to the
- ERROR_REPORT routine, or it could merely note the
- message and report it to the application only when
- and if the TCP connection times out.
-
- o Destination Unreachable -- codes 2-4
-
- These are hard error conditions, so TCP SHOULD abort
- the connection.
-
- o Time Exceeded -- codes 0, 1
-
- This should be handled the same way as Destination
- Unreachable codes 0, 1, 5 (see above).
-
- o Parameter Problem
-
- This should be handled the same way as Destination
- Unreachable codes 0, 1, 5 (see above).
-
-
- 4.2.3.10 Remote Address Validation
-
- A TCP implementation MUST reject as an error a local OPEN
- call for an invalid remote IP address (e.g., a broadcast or
- multicast address).
-
- An incoming SYN with an invalid source address must be
- ignored either by TCP or by the IP layer (see Section
- 3.2.1.3).
-
- A TCP implementation MUST silently discard an incoming SYN
- segment that is addressed to a broadcast or multicast
- address.
-
- 4.2.3.11 TCP Traffic Patterns
-
- IMPLEMENTATION:
- The TCP protocol specification [TCP:1] gives the
- implementor much freedom in designing the algorithms
- that control the message flow over the connection --
- packetizing, managing the window, sending
-
-
-
-Internet Engineering Task Force [Page 104]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- acknowledgments, etc. These design decisions are
- difficult because a TCP must adapt to a wide range of
- traffic patterns. Experience has shown that a TCP
- implementor needs to verify the design on two extreme
- traffic patterns:
-
- o Single-character Segments
-
- Even if the sender is using the Nagle Algorithm,
- when a TCP connection carries remote login traffic
- across a low-delay LAN the receiver will generally
- get a stream of single-character segments. If
- remote terminal echo mode is in effect, the
- receiver's system will generally echo each
- character as it is received.
-
- o Bulk Transfer
-
- When TCP is used for bulk transfer, the data
- stream should be made up (almost) entirely of
- segments of the size of the effective MSS.
- Although TCP uses a sequence number space with
- byte (octet) granularity, in bulk-transfer mode
- its operation should be as if TCP used a sequence
- space that counted only segments.
-
- Experience has furthermore shown that a single TCP can
- effectively and efficiently handle these two extremes.
-
- The most important tool for verifying a new TCP
- implementation is a packet trace program. There is a
- large volume of experience showing the importance of
- tracing a variety of traffic patterns with other TCP
- implementations and studying the results carefully.
-
-
- 4.2.3.12 Efficiency
-
- IMPLEMENTATION:
- Extensive experience has led to the following
- suggestions for efficient implementation of TCP:
-
- (a) Don't Copy Data
-
- In bulk data transfer, the primary CPU-intensive
- tasks are copying data from one place to another
- and checksumming the data. It is vital to
- minimize the number of copies of TCP data. Since
-
-
-
-Internet Engineering Task Force [Page 105]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- the ultimate speed limitation may be fetching data
- across the memory bus, it may be useful to combine
- the copy with checksumming, doing both with a
- single memory fetch.
-
- (b) Hand-Craft the Checksum Routine
-
- A good TCP checksumming routine is typically two
- to five times faster than a simple and direct
- implementation of the definition. Great care and
- clever coding are often required and advisable to
- make the checksumming code "blazing fast". See
- [TCP:10].
-
- (c) Code for the Common Case
-
- TCP protocol processing can be complicated, but
- for most segments there are only a few simple
- decisions to be made. Per-segment processing will
- be greatly speeded up by coding the main line to
- minimize the number of decisions in the most
- common case.
-
-
- 4.2.4 TCP/APPLICATION LAYER INTERFACE
-
- 4.2.4.1 Asynchronous Reports
-
- There MUST be a mechanism for reporting soft TCP error
- conditions to the application. Generically, we assume this
- takes the form of an application-supplied ERROR_REPORT
- routine that may be upcalled [INTRO:7] asynchronously from
- the transport layer:
-
- ERROR_REPORT(local connection name, reason, subreason)
-
- The precise encoding of the reason and subreason parameters
- is not specified here. However, the conditions that are
- reported asynchronously to the application MUST include:
-
- * ICMP error message arrived (see 4.2.3.9)
-
- * Excessive retransmissions (see 4.2.3.5)
-
- * Urgent pointer advance (see 4.2.2.4).
-
- However, an application program that does not want to
- receive such ERROR_REPORT calls SHOULD be able to
-
-
-
-Internet Engineering Task Force [Page 106]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- effectively disable these calls.
-
- DISCUSSION:
- These error reports generally reflect soft errors that
- can be ignored without harm by many applications. It
- has been suggested that these error report calls should
- default to "disabled," but this is not required.
-
- 4.2.4.2 Type-of-Service
-
- The application layer MUST be able to specify the Type-of-
- Service (TOS) for segments that are sent on a connection.
- It not required, but the application SHOULD be able to
- change the TOS during the connection lifetime. TCP SHOULD
- pass the current TOS value without change to the IP layer,
- when it sends segments on the connection.
-
- The TOS will be specified independently in each direction on
- the connection, so that the receiver application will
- specify the TOS used for ACK segments.
-
- TCP MAY pass the most recently received TOS up to the
- application.
-
- DISCUSSION
- Some applications (e.g., SMTP) change the nature of
- their communication during the lifetime of a
- connection, and therefore would like to change the TOS
- specification.
-
- Note also that the OPEN call specified in RFC-793
- includes a parameter ("options") in which the caller
- can specify IP options such as source route, record
- route, or timestamp.
-
- 4.2.4.3 Flush Call
-
- Some TCP implementations have included a FLUSH call, which
- will empty the TCP send queue of any data for which the user
- has issued SEND calls but which is still to the right of the
- current send window. That is, it flushes as much queued
- send data as possible without losing sequence number
- synchronization. This is useful for implementing the "abort
- output" function of Telnet.
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 107]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- 4.2.4.4 Multihoming
-
- The user interface outlined in sections 2.7 and 3.8 of RFC-
- 793 needs to be extended for multihoming. The OPEN call
- MUST have an optional parameter:
-
- OPEN( ... [local IP address,] ... )
-
- to allow the specification of the local IP address.
-
- DISCUSSION:
- Some TCP-based applications need to specify the local
- IP address to be used to open a particular connection;
- FTP is an example.
-
- IMPLEMENTATION:
- A passive OPEN call with a specified "local IP address"
- parameter will await an incoming connection request to
- that address. If the parameter is unspecified, a
- passive OPEN will await an incoming connection request
- to any local IP address, and then bind the local IP
- address of the connection to the particular address
- that is used.
-
- For an active OPEN call, a specified "local IP address"
- parameter will be used for opening the connection. If
- the parameter is unspecified, the networking software
- will choose an appropriate local IP address (see
- Section 3.3.4.2) for the connection
-
- 4.2.5 TCP REQUIREMENT SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
--------------------------------------------------|--------|-|-|-|-|-|--
- | | | | | | |
-Push flag | | | | | | |
- Aggregate or queue un-pushed data |4.2.2.2 | | |x| | |
- Sender collapse successive PSH flags |4.2.2.2 | |x| | | |
- SEND call can specify PUSH |4.2.2.2 | | |x| | |
-
-
-
-Internet Engineering Task Force [Page 108]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- If cannot: sender buffer indefinitely |4.2.2.2 | | | | |x|
- If cannot: PSH last segment |4.2.2.2 |x| | | | |
- Notify receiving ALP of PSH |4.2.2.2 | | |x| | |1
- Send max size segment when possible |4.2.2.2 | |x| | | |
- | | | | | | |
-Window | | | | | | |
- Treat as unsigned number |4.2.2.3 |x| | | | |
- Handle as 32-bit number |4.2.2.3 | |x| | | |
- Shrink window from right |4.2.2.16| | | |x| |
- Robust against shrinking window |4.2.2.16|x| | | | |
- Receiver's window closed indefinitely |4.2.2.17| | |x| | |
- Sender probe zero window |4.2.2.17|x| | | | |
- First probe after RTO |4.2.2.17| |x| | | |
- Exponential backoff |4.2.2.17| |x| | | |
- Allow window stay zero indefinitely |4.2.2.17|x| | | | |
- Sender timeout OK conn with zero wind |4.2.2.17| | | | |x|
- | | | | | | |
-Urgent Data | | | | | | |
- Pointer points to last octet |4.2.2.4 |x| | | | |
- Arbitrary length urgent data sequence |4.2.2.4 |x| | | | |
- Inform ALP asynchronously of urgent data |4.2.2.4 |x| | | | |1
- ALP can learn if/how much urgent data Q'd |4.2.2.4 |x| | | | |1
- | | | | | | |
-TCP Options | | | | | | |
- Receive TCP option in any segment |4.2.2.5 |x| | | | |
- Ignore unsupported options |4.2.2.5 |x| | | | |
- Cope with illegal option length |4.2.2.5 |x| | | | |
- Implement sending & receiving MSS option |4.2.2.6 |x| | | | |
- Send MSS option unless 536 |4.2.2.6 | |x| | | |
- Send MSS option always |4.2.2.6 | | |x| | |
- Send-MSS default is 536 |4.2.2.6 |x| | | | |
- Calculate effective send seg size |4.2.2.6 |x| | | | |
- | | | | | | |
-TCP Checksums | | | | | | |
- Sender compute checksum |4.2.2.7 |x| | | | |
- Receiver check checksum |4.2.2.7 |x| | | | |
- | | | | | | |
-Use clock-driven ISN selection |4.2.2.9 |x| | | | |
- | | | | | | |
-Opening Connections | | | | | | |
- Support simultaneous open attempts |4.2.2.10|x| | | | |
- SYN-RCVD remembers last state |4.2.2.11|x| | | | |
- Passive Open call interfere with others |4.2.2.18| | | | |x|
- Function: simultan. LISTENs for same port |4.2.2.18|x| | | | |
- Ask IP for src address for SYN if necc. |4.2.3.7 |x| | | | |
- Otherwise, use local addr of conn. |4.2.3.7 |x| | | | |
- OPEN to broadcast/multicast IP Address |4.2.3.14| | | | |x|
- Silently discard seg to bcast/mcast addr |4.2.3.14|x| | | | |
-
-
-
-Internet Engineering Task Force [Page 109]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- | | | | | | |
-Closing Connections | | | | | | |
- RST can contain data |4.2.2.12| |x| | | |
- Inform application of aborted conn |4.2.2.13|x| | | | |
- Half-duplex close connections |4.2.2.13| | |x| | |
- Send RST to indicate data lost |4.2.2.13| |x| | | |
- In TIME-WAIT state for 2xMSL seconds |4.2.2.13|x| | | | |
- Accept SYN from TIME-WAIT state |4.2.2.13| | |x| | |
- | | | | | | |
-Retransmissions | | | | | | |
- Jacobson Slow Start algorithm |4.2.2.15|x| | | | |
- Jacobson Congestion-Avoidance algorithm |4.2.2.15|x| | | | |
- Retransmit with same IP ident |4.2.2.15| | |x| | |
- Karn's algorithm |4.2.3.1 |x| | | | |
- Jacobson's RTO estimation alg. |4.2.3.1 |x| | | | |
- Exponential backoff |4.2.3.1 |x| | | | |
- SYN RTO calc same as data |4.2.3.1 | |x| | | |
- Recommended initial values and bounds |4.2.3.1 | |x| | | |
- | | | | | | |
-Generating ACK's: | | | | | | |
- Queue out-of-order segments |4.2.2.20| |x| | | |
- Process all Q'd before send ACK |4.2.2.20|x| | | | |
- Send ACK for out-of-order segment |4.2.2.21| | |x| | |
- Delayed ACK's |4.2.3.2 | |x| | | |
- Delay < 0.5 seconds |4.2.3.2 |x| | | | |
- Every 2nd full-sized segment ACK'd |4.2.3.2 |x| | | | |
- Receiver SWS-Avoidance Algorithm |4.2.3.3 |x| | | | |
- | | | | | | |
-Sending data | | | | | | |
- Configurable TTL |4.2.2.19|x| | | | |
- Sender SWS-Avoidance Algorithm |4.2.3.4 |x| | | | |
- Nagle algorithm |4.2.3.4 | |x| | | |
- Application can disable Nagle algorithm |4.2.3.4 |x| | | | |
- | | | | | | |
-Connection Failures: | | | | | | |
- Negative advice to IP on R1 retxs |4.2.3.5 |x| | | | |
- Close connection on R2 retxs |4.2.3.5 |x| | | | |
- ALP can set R2 |4.2.3.5 |x| | | | |1
- Inform ALP of R1<=retxs<R2 |4.2.3.5 | |x| | | |1
- Recommended values for R1, R2 |4.2.3.5 | |x| | | |
- Same mechanism for SYNs |4.2.3.5 |x| | | | |
- R2 at least 3 minutes for SYN |4.2.3.5 |x| | | | |
- | | | | | | |
-Send Keep-alive Packets: |4.2.3.6 | | |x| | |
- - Application can request |4.2.3.6 |x| | | | |
- - Default is "off" |4.2.3.6 |x| | | | |
- - Only send if idle for interval |4.2.3.6 |x| | | | |
- - Interval configurable |4.2.3.6 |x| | | | |
-
-
-
-Internet Engineering Task Force [Page 110]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- - Default at least 2 hrs. |4.2.3.6 |x| | | | |
- - Tolerant of lost ACK's |4.2.3.6 |x| | | | |
- | | | | | | |
-IP Options | | | | | | |
- Ignore options TCP doesn't understand |4.2.3.8 |x| | | | |
- Time Stamp support |4.2.3.8 | | |x| | |
- Record Route support |4.2.3.8 | | |x| | |
- Source Route: | | | | | | |
- ALP can specify |4.2.3.8 |x| | | | |1
- Overrides src rt in datagram |4.2.3.8 |x| | | | |
- Build return route from src rt |4.2.3.8 |x| | | | |
- Later src route overrides |4.2.3.8 | |x| | | |
- | | | | | | |
-Receiving ICMP Messages from IP |4.2.3.9 |x| | | | |
- Dest. Unreach (0,1,5) => inform ALP |4.2.3.9 | |x| | | |
- Dest. Unreach (0,1,5) => abort conn |4.2.3.9 | | | | |x|
- Dest. Unreach (2-4) => abort conn |4.2.3.9 | |x| | | |
- Source Quench => slow start |4.2.3.9 | |x| | | |
- Time Exceeded => tell ALP, don't abort |4.2.3.9 | |x| | | |
- Param Problem => tell ALP, don't abort |4.2.3.9 | |x| | | |
- | | | | | | |
-Address Validation | | | | | | |
- Reject OPEN call to invalid IP address |4.2.3.10|x| | | | |
- Reject SYN from invalid IP address |4.2.3.10|x| | | | |
- Silently discard SYN to bcast/mcast addr |4.2.3.10|x| | | | |
- | | | | | | |
-TCP/ALP Interface Services | | | | | | |
- Error Report mechanism |4.2.4.1 |x| | | | |
- ALP can disable Error Report Routine |4.2.4.1 | |x| | | |
- ALP can specify TOS for sending |4.2.4.2 |x| | | | |
- Passed unchanged to IP |4.2.4.2 | |x| | | |
- ALP can change TOS during connection |4.2.4.2 | |x| | | |
- Pass received TOS up to ALP |4.2.4.2 | | |x| | |
- FLUSH call |4.2.4.3 | | |x| | |
- Optional local IP addr parm. in OPEN |4.2.4.4 |x| | | | |
--------------------------------------------------|--------|-|-|-|-|-|--
--------------------------------------------------|--------|-|-|-|-|-|--
-
-FOOTNOTES:
-
-(1) "ALP" means Application-Layer program.
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 111]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
-5. REFERENCES
-
-INTRODUCTORY REFERENCES
-
-
-[INTRO:1] "Requirements for Internet Hosts -- Application and Support,"
- IETF Host Requirements Working Group, R. Braden, Ed., RFC-1123,
- October 1989.
-
-[INTRO:2] "Requirements for Internet Gateways," R. Braden and J.
- Postel, RFC-1009, June 1987.
-
-[INTRO:3] "DDN Protocol Handbook," NIC-50004, NIC-50005, NIC-50006,
- (three volumes), SRI International, December 1985.
-
-[INTRO:4] "Official Internet Protocols," J. Reynolds and J. Postel,
- RFC-1011, May 1987.
-
- This document is republished periodically with new RFC numbers; the
- latest version must be used.
-
-[INTRO:5] "Protocol Document Order Information," O. Jacobsen and J.
- Postel, RFC-980, March 1986.
-
-[INTRO:6] "Assigned Numbers," J. Reynolds and J. Postel, RFC-1010, May
- 1987.
-
- This document is republished periodically with new RFC numbers; the
- latest version must be used.
-
-[INTRO:7] "Modularity and Efficiency in Protocol Implementations," D.
- Clark, RFC-817, July 1982.
-
-[INTRO:8] "The Structuring of Systems Using Upcalls," D. Clark, 10th ACM
- SOSP, Orcas Island, Washington, December 1985.
-
-
-Secondary References:
-
-
-[INTRO:9] "A Protocol for Packet Network Intercommunication," V. Cerf
- and R. Kahn, IEEE Transactions on Communication, May 1974.
-
-[INTRO:10] "The ARPA Internet Protocol," J. Postel, C. Sunshine, and D.
- Cohen, Computer Networks, Vol. 5, No. 4, July 1981.
-
-[INTRO:11] "The DARPA Internet Protocol Suite," B. Leiner, J. Postel,
- R. Cole and D. Mills, Proceedings INFOCOM 85, IEEE, Washington DC,
-
-
-
-Internet Engineering Task Force [Page 112]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- March 1985. Also in: IEEE Communications Magazine, March 1985.
- Also available as ISI-RS-85-153.
-
-[INTRO:12] "Final Text of DIS8473, Protocol for Providing the
- Connectionless Mode Network Service," ANSI, published as RFC-994,
- March 1986.
-
-[INTRO:13] "End System to Intermediate System Routing Exchange
- Protocol," ANSI X3S3.3, published as RFC-995, April 1986.
-
-
-LINK LAYER REFERENCES
-
-
-[LINK:1] "Trailer Encapsulations," S. Leffler and M. Karels, RFC-893,
- April 1984.
-
-[LINK:2] "An Ethernet Address Resolution Protocol," D. Plummer, RFC-826,
- November 1982.
-
-[LINK:3] "A Standard for the Transmission of IP Datagrams over Ethernet
- Networks," C. Hornig, RFC-894, April 1984.
-
-[LINK:4] "A Standard for the Transmission of IP Datagrams over IEEE 802
- "Networks," J. Postel and J. Reynolds, RFC-1042, February 1988.
-
- This RFC contains a great deal of information of importance to
- Internet implementers planning to use IEEE 802 networks.
-
-
-IP LAYER REFERENCES
-
-
-[IP:1] "Internet Protocol (IP)," J. Postel, RFC-791, September 1981.
-
-[IP:2] "Internet Control Message Protocol (ICMP)," J. Postel, RFC-792,
- September 1981.
-
-[IP:3] "Internet Standard Subnetting Procedure," J. Mogul and J. Postel,
- RFC-950, August 1985.
-
-[IP:4] "Host Extensions for IP Multicasting," S. Deering, RFC-1112,
- August 1989.
-
-[IP:5] "Military Standard Internet Protocol," MIL-STD-1777, Department
- of Defense, August 1983.
-
- This specification, as amended by RFC-963, is intended to describe
-
-
-
-Internet Engineering Task Force [Page 113]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
- the Internet Protocol but has some serious omissions (e.g., the
- mandatory subnet extension [IP:3] and the optional multicasting
- extension [IP:4]). It is also out of date. If there is a
- conflict, RFC-791, RFC-792, and RFC-950 must be taken as
- authoritative, while the present document is authoritative over
- all.
-
-[IP:6] "Some Problems with the Specification of the Military Standard
- Internet Protocol," D. Sidhu, RFC-963, November 1985.
-
-[IP:7] "The TCP Maximum Segment Size and Related Topics," J. Postel,
- RFC-879, November 1983.
-
- Discusses and clarifies the relationship between the TCP Maximum
- Segment Size option and the IP datagram size.
-
-[IP:8] "Internet Protocol Security Options," B. Schofield, RFC-1108,
- October 1989.
-
-[IP:9] "Fragmentation Considered Harmful," C. Kent and J. Mogul, ACM
- SIGCOMM-87, August 1987. Published as ACM Comp Comm Review, Vol.
- 17, no. 5.
-
- This useful paper discusses the problems created by Internet
- fragmentation and presents alternative solutions.
-
-[IP:10] "IP Datagram Reassembly Algorithms," D. Clark, RFC-815, July
- 1982.
-
- This and the following paper should be read by every implementor.
-
-[IP:11] "Fault Isolation and Recovery," D. Clark, RFC-816, July 1982.
-
-SECONDARY IP REFERENCES:
-
-
-[IP:12] "Broadcasting Internet Datagrams in the Presence of Subnets," J.
- Mogul, RFC-922, October 1984.
-
-[IP:13] "Name, Addresses, Ports, and Routes," D. Clark, RFC-814, July
- 1982.
-
-[IP:14] "Something a Host Could Do with Source Quench: The Source Quench
- Introduced Delay (SQUID)," W. Prue and J. Postel, RFC-1016, July
- 1987.
-
- This RFC first described directed broadcast addresses. However,
- the bulk of the RFC is concerned with gateways, not hosts.
-
-
-
-Internet Engineering Task Force [Page 114]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
-UDP REFERENCES:
-
-
-[UDP:1] "User Datagram Protocol," J. Postel, RFC-768, August 1980.
-
-
-TCP REFERENCES:
-
-
-[TCP:1] "Transmission Control Protocol," J. Postel, RFC-793, September
- 1981.
-
-
-[TCP:2] "Transmission Control Protocol," MIL-STD-1778, US Department of
- Defense, August 1984.
-
- This specification as amended by RFC-964 is intended to describe
- the same protocol as RFC-793 [TCP:1]. If there is a conflict,
- RFC-793 takes precedence, and the present document is authoritative
- over both.
-
-
-[TCP:3] "Some Problems with the Specification of the Military Standard
- Transmission Control Protocol," D. Sidhu and T. Blumer, RFC-964,
- November 1985.
-
-
-[TCP:4] "The TCP Maximum Segment Size and Related Topics," J. Postel,
- RFC-879, November 1983.
-
-
-[TCP:5] "Window and Acknowledgment Strategy in TCP," D. Clark, RFC-813,
- July 1982.
-
-
-[TCP:6] "Round Trip Time Estimation," P. Karn & C. Partridge, ACM
- SIGCOMM-87, August 1987.
-
-
-[TCP:7] "Congestion Avoidance and Control," V. Jacobson, ACM SIGCOMM-88,
- August 1988.
-
-
-SECONDARY TCP REFERENCES:
-
-
-[TCP:8] "Modularity and Efficiency in Protocol Implementation," D.
- Clark, RFC-817, July 1982.
-
-
-
-Internet Engineering Task Force [Page 115]
-
-
-
-
-RFC1122 TRANSPORT LAYER -- TCP October 1989
-
-
-[TCP:9] "Congestion Control in IP/TCP," J. Nagle, RFC-896, January 1984.
-
-
-[TCP:10] "Computing the Internet Checksum," R. Braden, D. Borman, and C.
- Partridge, RFC-1071, September 1988.
-
-
-[TCP:11] "TCP Extensions for Long-Delay Paths," V. Jacobson & R. Braden,
- RFC-1072, October 1988.
-
-
-Security Considerations
-
- There are many security issues in the communication layers of host
- software, but a full discussion is beyond the scope of this RFC.
-
- The Internet architecture generally provides little protection
- against spoofing of IP source addresses, so any security mechanism
- that is based upon verifying the IP source address of a datagram
- should be treated with suspicion. However, in restricted
- environments some source-address checking may be possible. For
- example, there might be a secure LAN whose gateway to the rest of the
- Internet discarded any incoming datagram with a source address that
- spoofed the LAN address. In this case, a host on the LAN could use
- the source address to test for local vs. remote source. This problem
- is complicated by source routing, and some have suggested that
- source-routed datagram forwarding by hosts (see Section 3.3.5) should
- be outlawed for security reasons.
-
- Security-related issues are mentioned in sections concerning the IP
- Security option (Section 3.2.1.8), the ICMP Parameter Problem message
- (Section 3.2.2.5), IP options in UDP datagrams (Section 4.1.3.2), and
- reserved TCP ports (Section 4.2.2.1).
-
-Author's Address
-
- Robert Braden
- USC/Information Sciences Institute
- 4676 Admiralty Way
- Marina del Rey, CA 90292-6695
-
- Phone: (213) 822 1511
-
- EMail: Braden@ISI.EDU
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 116]
-
diff --git a/contrib/bind9/doc/rfc/rfc1123.txt b/contrib/bind9/doc/rfc/rfc1123.txt
deleted file mode 100644
index 51cdf83c9844..000000000000
--- a/contrib/bind9/doc/rfc/rfc1123.txt
+++ /dev/null
@@ -1,5782 +0,0 @@
-
-
-
-
-
-
-Network Working Group Internet Engineering Task Force
-Request for Comments: 1123 R. Braden, Editor
- October 1989
-
-
- Requirements for Internet Hosts -- Application and Support
-
-Status of This Memo
-
- This RFC is an official specification for the Internet community. It
- incorporates by reference, amends, corrects, and supplements the
- primary protocol standards documents relating to hosts. Distribution
- of this document is unlimited.
-
-Summary
-
- This RFC is one of a pair that defines and discusses the requirements
- for Internet host software. This RFC covers the application and
- support protocols; its companion RFC-1122 covers the communication
- protocol layers: link layer, IP layer, and transport layer.
-
-
-
- Table of Contents
-
-
-
-
- 1. INTRODUCTION ............................................... 5
- 1.1 The Internet Architecture .............................. 6
- 1.2 General Considerations ................................. 6
- 1.2.1 Continuing Internet Evolution ..................... 6
- 1.2.2 Robustness Principle .............................. 7
- 1.2.3 Error Logging ..................................... 8
- 1.2.4 Configuration ..................................... 8
- 1.3 Reading this Document .................................. 10
- 1.3.1 Organization ...................................... 10
- 1.3.2 Requirements ...................................... 10
- 1.3.3 Terminology ....................................... 11
- 1.4 Acknowledgments ........................................ 12
-
- 2. GENERAL ISSUES ............................................. 13
- 2.1 Host Names and Numbers ................................. 13
- 2.2 Using Domain Name Service .............................. 13
- 2.3 Applications on Multihomed hosts ....................... 14
- 2.4 Type-of-Service ........................................ 14
- 2.5 GENERAL APPLICATION REQUIREMENTS SUMMARY ............... 15
-
-
-
-
-Internet Engineering Task Force [Page 1]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- 3. REMOTE LOGIN -- TELNET PROTOCOL ............................ 16
- 3.1 INTRODUCTION ........................................... 16
- 3.2 PROTOCOL WALK-THROUGH .................................. 16
- 3.2.1 Option Negotiation ................................ 16
- 3.2.2 Telnet Go-Ahead Function .......................... 16
- 3.2.3 Control Functions ................................. 17
- 3.2.4 Telnet "Synch" Signal ............................. 18
- 3.2.5 NVT Printer and Keyboard .......................... 19
- 3.2.6 Telnet Command Structure .......................... 20
- 3.2.7 Telnet Binary Option .............................. 20
- 3.2.8 Telnet Terminal-Type Option ....................... 20
- 3.3 SPECIFIC ISSUES ........................................ 21
- 3.3.1 Telnet End-of-Line Convention ..................... 21
- 3.3.2 Data Entry Terminals .............................. 23
- 3.3.3 Option Requirements ............................... 24
- 3.3.4 Option Initiation ................................. 24
- 3.3.5 Telnet Linemode Option ............................ 25
- 3.4 TELNET/USER INTERFACE .................................. 25
- 3.4.1 Character Set Transparency ........................ 25
- 3.4.2 Telnet Commands ................................... 26
- 3.4.3 TCP Connection Errors ............................. 26
- 3.4.4 Non-Default Telnet Contact Port ................... 26
- 3.4.5 Flushing Output ................................... 26
- 3.5. TELNET REQUIREMENTS SUMMARY ........................... 27
-
- 4. FILE TRANSFER .............................................. 29
- 4.1 FILE TRANSFER PROTOCOL -- FTP .......................... 29
- 4.1.1 INTRODUCTION ...................................... 29
- 4.1.2. PROTOCOL WALK-THROUGH ............................ 29
- 4.1.2.1 LOCAL Type ................................... 29
- 4.1.2.2 Telnet Format Control ........................ 30
- 4.1.2.3 Page Structure ............................... 30
- 4.1.2.4 Data Structure Transformations ............... 30
- 4.1.2.5 Data Connection Management ................... 31
- 4.1.2.6 PASV Command ................................. 31
- 4.1.2.7 LIST and NLST Commands ....................... 31
- 4.1.2.8 SITE Command ................................. 32
- 4.1.2.9 STOU Command ................................. 32
- 4.1.2.10 Telnet End-of-line Code ..................... 32
- 4.1.2.11 FTP Replies ................................. 33
- 4.1.2.12 Connections ................................. 34
- 4.1.2.13 Minimum Implementation; RFC-959 Section ..... 34
- 4.1.3 SPECIFIC ISSUES ................................... 35
- 4.1.3.1 Non-standard Command Verbs ................... 35
- 4.1.3.2 Idle Timeout ................................. 36
- 4.1.3.3 Concurrency of Data and Control .............. 36
- 4.1.3.4 FTP Restart Mechanism ........................ 36
- 4.1.4 FTP/USER INTERFACE ................................ 39
-
-
-
-Internet Engineering Task Force [Page 2]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- 4.1.4.1 Pathname Specification ....................... 39
- 4.1.4.2 "QUOTE" Command .............................. 40
- 4.1.4.3 Displaying Replies to User ................... 40
- 4.1.4.4 Maintaining Synchronization .................. 40
- 4.1.5 FTP REQUIREMENTS SUMMARY ......................... 41
- 4.2 TRIVIAL FILE TRANSFER PROTOCOL -- TFTP ................. 44
- 4.2.1 INTRODUCTION ...................................... 44
- 4.2.2 PROTOCOL WALK-THROUGH ............................. 44
- 4.2.2.1 Transfer Modes ............................... 44
- 4.2.2.2 UDP Header ................................... 44
- 4.2.3 SPECIFIC ISSUES ................................... 44
- 4.2.3.1 Sorcerer's Apprentice Syndrome ............... 44
- 4.2.3.2 Timeout Algorithms ........................... 46
- 4.2.3.3 Extensions ................................... 46
- 4.2.3.4 Access Control ............................... 46
- 4.2.3.5 Broadcast Request ............................ 46
- 4.2.4 TFTP REQUIREMENTS SUMMARY ......................... 47
-
- 5. ELECTRONIC MAIL -- SMTP and RFC-822 ........................ 48
- 5.1 INTRODUCTION ........................................... 48
- 5.2 PROTOCOL WALK-THROUGH .................................. 48
- 5.2.1 The SMTP Model .................................... 48
- 5.2.2 Canonicalization .................................. 49
- 5.2.3 VRFY and EXPN Commands ............................ 50
- 5.2.4 SEND, SOML, and SAML Commands ..................... 50
- 5.2.5 HELO Command ...................................... 50
- 5.2.6 Mail Relay ........................................ 51
- 5.2.7 RCPT Command ...................................... 52
- 5.2.8 DATA Command ...................................... 53
- 5.2.9 Command Syntax .................................... 54
- 5.2.10 SMTP Replies ..................................... 54
- 5.2.11 Transparency ..................................... 55
- 5.2.12 WKS Use in MX Processing ......................... 55
- 5.2.13 RFC-822 Message Specification .................... 55
- 5.2.14 RFC-822 Date and Time Specification .............. 55
- 5.2.15 RFC-822 Syntax Change ............................ 56
- 5.2.16 RFC-822 Local-part .............................. 56
- 5.2.17 Domain Literals .................................. 57
- 5.2.18 Common Address Formatting Errors ................. 58
- 5.2.19 Explicit Source Routes ........................... 58
- 5.3 SPECIFIC ISSUES ........................................ 59
- 5.3.1 SMTP Queueing Strategies .......................... 59
- 5.3.1.1 Sending Strategy .............................. 59
- 5.3.1.2 Receiving strategy ........................... 61
- 5.3.2 Timeouts in SMTP .................................. 61
- 5.3.3 Reliable Mail Receipt ............................. 63
- 5.3.4 Reliable Mail Transmission ........................ 63
- 5.3.5 Domain Name Support ............................... 65
-
-
-
-Internet Engineering Task Force [Page 3]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- 5.3.6 Mailing Lists and Aliases ......................... 65
- 5.3.7 Mail Gatewaying ................................... 66
- 5.3.8 Maximum Message Size .............................. 68
- 5.4 SMTP REQUIREMENTS SUMMARY .............................. 69
-
- 6. SUPPORT SERVICES ............................................ 72
- 6.1 DOMAIN NAME TRANSLATION ................................. 72
- 6.1.1 INTRODUCTION ....................................... 72
- 6.1.2 PROTOCOL WALK-THROUGH ............................. 72
- 6.1.2.1 Resource Records with Zero TTL ............... 73
- 6.1.2.2 QCLASS Values ................................ 73
- 6.1.2.3 Unused Fields ................................ 73
- 6.1.2.4 Compression .................................. 73
- 6.1.2.5 Misusing Configuration Info .................. 73
- 6.1.3 SPECIFIC ISSUES ................................... 74
- 6.1.3.1 Resolver Implementation ...................... 74
- 6.1.3.2 Transport Protocols .......................... 75
- 6.1.3.3 Efficient Resource Usage ..................... 77
- 6.1.3.4 Multihomed Hosts ............................. 78
- 6.1.3.5 Extensibility ................................ 79
- 6.1.3.6 Status of RR Types ........................... 79
- 6.1.3.7 Robustness ................................... 80
- 6.1.3.8 Local Host Table ............................. 80
- 6.1.4 DNS USER INTERFACE ................................ 81
- 6.1.4.1 DNS Administration ........................... 81
- 6.1.4.2 DNS User Interface ........................... 81
- 6.1.4.3 Interface Abbreviation Facilities ............. 82
- 6.1.5 DOMAIN NAME SYSTEM REQUIREMENTS SUMMARY ........... 84
- 6.2 HOST INITIALIZATION .................................... 87
- 6.2.1 INTRODUCTION ...................................... 87
- 6.2.2 REQUIREMENTS ...................................... 87
- 6.2.2.1 Dynamic Configuration ........................ 87
- 6.2.2.2 Loading Phase ................................ 89
- 6.3 REMOTE MANAGEMENT ...................................... 90
- 6.3.1 INTRODUCTION ...................................... 90
- 6.3.2 PROTOCOL WALK-THROUGH ............................. 90
- 6.3.3 MANAGEMENT REQUIREMENTS SUMMARY ................... 92
-
- 7. REFERENCES ................................................. 93
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 4]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
-1. INTRODUCTION
-
- This document is one of a pair that defines and discusses the
- requirements for host system implementations of the Internet protocol
- suite. This RFC covers the applications layer and support protocols.
- Its companion RFC, "Requirements for Internet Hosts -- Communications
- Layers" [INTRO:1] covers the lower layer protocols: transport layer,
- IP layer, and link layer.
-
- These documents are intended to provide guidance for vendors,
- implementors, and users of Internet communication software. They
- represent the consensus of a large body of technical experience and
- wisdom, contributed by members of the Internet research and vendor
- communities.
-
- This RFC enumerates standard protocols that a host connected to the
- Internet must use, and it incorporates by reference the RFCs and
- other documents describing the current specifications for these
- protocols. It corrects errors in the referenced documents and adds
- additional discussion and guidance for an implementor.
-
- For each protocol, this document also contains an explicit set of
- requirements, recommendations, and options. The reader must
- understand that the list of requirements in this document is
- incomplete by itself; the complete set of requirements for an
- Internet host is primarily defined in the standard protocol
- specification documents, with the corrections, amendments, and
- supplements contained in this RFC.
-
- A good-faith implementation of the protocols that was produced after
- careful reading of the RFC's and with some interaction with the
- Internet technical community, and that followed good communications
- software engineering practices, should differ from the requirements
- of this document in only minor ways. Thus, in many cases, the
- "requirements" in this RFC are already stated or implied in the
- standard protocol documents, so that their inclusion here is, in a
- sense, redundant. However, they were included because some past
- implementation has made the wrong choice, causing problems of
- interoperability, performance, and/or robustness.
-
- This document includes discussion and explanation of many of the
- requirements and recommendations. A simple list of requirements
- would be dangerous, because:
-
- o Some required features are more important than others, and some
- features are optional.
-
- o There may be valid reasons why particular vendor products that
-
-
-
-Internet Engineering Task Force [Page 5]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- are designed for restricted contexts might choose to use
- different specifications.
-
- However, the specifications of this document must be followed to meet
- the general goal of arbitrary host interoperation across the
- diversity and complexity of the Internet system. Although most
- current implementations fail to meet these requirements in various
- ways, some minor and some major, this specification is the ideal
- towards which we need to move.
-
- These requirements are based on the current level of Internet
- architecture. This document will be updated as required to provide
- additional clarifications or to include additional information in
- those areas in which specifications are still evolving.
-
- This introductory section begins with general advice to host software
- vendors, and then gives some guidance on reading the rest of the
- document. Section 2 contains general requirements that may be
- applicable to all application and support protocols. Sections 3, 4,
- and 5 contain the requirements on protocols for the three major
- applications: Telnet, file transfer, and electronic mail,
- respectively. Section 6 covers the support applications: the domain
- name system, system initialization, and management. Finally, all
- references will be found in Section 7.
-
- 1.1 The Internet Architecture
-
- For a brief introduction to the Internet architecture from a host
- viewpoint, see Section 1.1 of [INTRO:1]. That section also
- contains recommended references for general background on the
- Internet architecture.
-
- 1.2 General Considerations
-
- There are two important lessons that vendors of Internet host
- software have learned and which a new vendor should consider
- seriously.
-
- 1.2.1 Continuing Internet Evolution
-
- The enormous growth of the Internet has revealed problems of
- management and scaling in a large datagram-based packet
- communication system. These problems are being addressed, and
- as a result there will be continuing evolution of the
- specifications described in this document. These changes will
- be carefully planned and controlled, since there is extensive
- participation in this planning by the vendors and by the
- organizations responsible for operations of the networks.
-
-
-
-Internet Engineering Task Force [Page 6]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- Development, evolution, and revision are characteristic of
- computer network protocols today, and this situation will
- persist for some years. A vendor who develops computer
- communication software for the Internet protocol suite (or any
- other protocol suite!) and then fails to maintain and update
- that software for changing specifications is going to leave a
- trail of unhappy customers. The Internet is a large
- communication network, and the users are in constant contact
- through it. Experience has shown that knowledge of
- deficiencies in vendor software propagates quickly through the
- Internet technical community.
-
- 1.2.2 Robustness Principle
-
- At every layer of the protocols, there is a general rule whose
- application can lead to enormous benefits in robustness and
- interoperability:
-
- "Be liberal in what you accept, and
- conservative in what you send"
-
- Software should be written to deal with every conceivable
- error, no matter how unlikely; sooner or later a packet will
- come in with that particular combination of errors and
- attributes, and unless the software is prepared, chaos can
- ensue. In general, it is best to assume that the network is
- filled with malevolent entities that will send in packets
- designed to have the worst possible effect. This assumption
- will lead to suitable protective design, although the most
- serious problems in the Internet have been caused by
- unenvisaged mechanisms triggered by low-probability events;
- mere human malice would never have taken so devious a course!
-
- Adaptability to change must be designed into all levels of
- Internet host software. As a simple example, consider a
- protocol specification that contains an enumeration of values
- for a particular header field -- e.g., a type field, a port
- number, or an error code; this enumeration must be assumed to
- be incomplete. Thus, if a protocol specification defines four
- possible error codes, the software must not break when a fifth
- code shows up. An undefined code might be logged (see below),
- but it must not cause a failure.
-
- The second part of the principle is almost as important:
- software on other hosts may contain deficiencies that make it
- unwise to exploit legal but obscure protocol features. It is
- unwise to stray far from the obvious and simple, lest untoward
- effects result elsewhere. A corollary of this is "watch out
-
-
-
-Internet Engineering Task Force [Page 7]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- for misbehaving hosts"; host software should be prepared, not
- just to survive other misbehaving hosts, but also to cooperate
- to limit the amount of disruption such hosts can cause to the
- shared communication facility.
-
- 1.2.3 Error Logging
-
- The Internet includes a great variety of host and gateway
- systems, each implementing many protocols and protocol layers,
- and some of these contain bugs and mis-features in their
- Internet protocol software. As a result of complexity,
- diversity, and distribution of function, the diagnosis of user
- problems is often very difficult.
-
- Problem diagnosis will be aided if host implementations include
- a carefully designed facility for logging erroneous or
- "strange" protocol events. It is important to include as much
- diagnostic information as possible when an error is logged. In
- particular, it is often useful to record the header(s) of a
- packet that caused an error. However, care must be taken to
- ensure that error logging does not consume prohibitive amounts
- of resources or otherwise interfere with the operation of the
- host.
-
- There is a tendency for abnormal but harmless protocol events
- to overflow error logging files; this can be avoided by using a
- "circular" log, or by enabling logging only while diagnosing a
- known failure. It may be useful to filter and count duplicate
- successive messages. One strategy that seems to work well is:
- (1) always count abnormalities and make such counts accessible
- through the management protocol (see Section 6.3); and (2)
- allow the logging of a great variety of events to be
- selectively enabled. For example, it might useful to be able
- to "log everything" or to "log everything for host X".
-
- Note that different managements may have differing policies
- about the amount of error logging that they want normally
- enabled in a host. Some will say, "if it doesn't hurt me, I
- don't want to know about it", while others will want to take a
- more watchful and aggressive attitude about detecting and
- removing protocol abnormalities.
-
- 1.2.4 Configuration
-
- It would be ideal if a host implementation of the Internet
- protocol suite could be entirely self-configuring. This would
- allow the whole suite to be implemented in ROM or cast into
- silicon, it would simplify diskless workstations, and it would
-
-
-
-Internet Engineering Task Force [Page 8]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- be an immense boon to harried LAN administrators as well as
- system vendors. We have not reached this ideal; in fact, we
- are not even close.
-
- At many points in this document, you will find a requirement
- that a parameter be a configurable option. There are several
- different reasons behind such requirements. In a few cases,
- there is current uncertainty or disagreement about the best
- value, and it may be necessary to update the recommended value
- in the future. In other cases, the value really depends on
- external factors -- e.g., the size of the host and the
- distribution of its communication load, or the speeds and
- topology of nearby networks -- and self-tuning algorithms are
- unavailable and may be insufficient. In some cases,
- configurability is needed because of administrative
- requirements.
-
- Finally, some configuration options are required to communicate
- with obsolete or incorrect implementations of the protocols,
- distributed without sources, that unfortunately persist in many
- parts of the Internet. To make correct systems coexist with
- these faulty systems, administrators often have to "mis-
- configure" the correct systems. This problem will correct
- itself gradually as the faulty systems are retired, but it
- cannot be ignored by vendors.
-
- When we say that a parameter must be configurable, we do not
- intend to require that its value be explicitly read from a
- configuration file at every boot time. We recommend that
- implementors set up a default for each parameter, so a
- configuration file is only necessary to override those defaults
- that are inappropriate in a particular installation. Thus, the
- configurability requirement is an assurance that it will be
- POSSIBLE to override the default when necessary, even in a
- binary-only or ROM-based product.
-
- This document requires a particular value for such defaults in
- some cases. The choice of default is a sensitive issue when
- the configuration item controls the accommodation to existing
- faulty systems. If the Internet is to converge successfully to
- complete interoperability, the default values built into
- implementations must implement the official protocol, not
- "mis-configurations" to accommodate faulty implementations.
- Although marketing considerations have led some vendors to
- choose mis-configuration defaults, we urge vendors to choose
- defaults that will conform to the standard.
-
- Finally, we note that a vendor needs to provide adequate
-
-
-
-Internet Engineering Task Force [Page 9]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- documentation on all configuration parameters, their limits and
- effects.
-
-
- 1.3 Reading this Document
-
- 1.3.1 Organization
-
- In general, each major section is organized into the following
- subsections:
-
- (1) Introduction
-
- (2) Protocol Walk-Through -- considers the protocol
- specification documents section-by-section, correcting
- errors, stating requirements that may be ambiguous or
- ill-defined, and providing further clarification or
- explanation.
-
- (3) Specific Issues -- discusses protocol design and
- implementation issues that were not included in the walk-
- through.
-
- (4) Interfaces -- discusses the service interface to the next
- higher layer.
-
- (5) Summary -- contains a summary of the requirements of the
- section.
-
- Under many of the individual topics in this document, there is
- parenthetical material labeled "DISCUSSION" or
- "IMPLEMENTATION". This material is intended to give
- clarification and explanation of the preceding requirements
- text. It also includes some suggestions on possible future
- directions or developments. The implementation material
- contains suggested approaches that an implementor may want to
- consider.
-
- The summary sections are intended to be guides and indexes to
- the text, but are necessarily cryptic and incomplete. The
- summaries should never be used or referenced separately from
- the complete RFC.
-
- 1.3.2 Requirements
-
- In this document, the words that are used to define the
- significance of each particular requirement are capitalized.
- These words are:
-
-
-
-Internet Engineering Task Force [Page 10]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- * "MUST"
-
- This word or the adjective "REQUIRED" means that the item
- is an absolute requirement of the specification.
-
- * "SHOULD"
-
- This word or the adjective "RECOMMENDED" means that there
- may exist valid reasons in particular circumstances to
- ignore this item, but the full implications should be
- understood and the case carefully weighed before choosing
- a different course.
-
- * "MAY"
-
- This word or the adjective "OPTIONAL" means that this item
- is truly optional. One vendor may choose to include the
- item because a particular marketplace requires it or
- because it enhances the product, for example; another
- vendor may omit the same item.
-
-
- An implementation is not compliant if it fails to satisfy one
- or more of the MUST requirements for the protocols it
- implements. An implementation that satisfies all the MUST and
- all the SHOULD requirements for its protocols is said to be
- "unconditionally compliant"; one that satisfies all the MUST
- requirements but not all the SHOULD requirements for its
- protocols is said to be "conditionally compliant".
-
- 1.3.3 Terminology
-
- This document uses the following technical terms:
-
- Segment
- A segment is the unit of end-to-end transmission in the
- TCP protocol. A segment consists of a TCP header followed
- by application data. A segment is transmitted by
- encapsulation in an IP datagram.
-
- Message
- This term is used by some application layer protocols
- (particularly SMTP) for an application data unit.
-
- Datagram
- A [UDP] datagram is the unit of end-to-end transmission in
- the UDP protocol.
-
-
-
-
-Internet Engineering Task Force [Page 11]
-
-
-
-
-RFC1123 INTRODUCTION October 1989
-
-
- Multihomed
- A host is said to be multihomed if it has multiple IP
- addresses to connected networks.
-
-
-
- 1.4 Acknowledgments
-
- This document incorporates contributions and comments from a large
- group of Internet protocol experts, including representatives of
- university and research labs, vendors, and government agencies.
- It was assembled primarily by the Host Requirements Working Group
- of the Internet Engineering Task Force (IETF).
-
- The Editor would especially like to acknowledge the tireless
- dedication of the following people, who attended many long
- meetings and generated 3 million bytes of electronic mail over the
- past 18 months in pursuit of this document: Philip Almquist, Dave
- Borman (Cray Research), Noel Chiappa, Dave Crocker (DEC), Steve
- Deering (Stanford), Mike Karels (Berkeley), Phil Karn (Bellcore),
- John Lekashman (NASA), Charles Lynn (BBN), Keith McCloghrie (TWG),
- Paul Mockapetris (ISI), Thomas Narten (Purdue), Craig Partridge
- (BBN), Drew Perkins (CMU), and James Van Bokkelen (FTP Software).
-
- In addition, the following people made major contributions to the
- effort: Bill Barns (Mitre), Steve Bellovin (AT&T), Mike Brescia
- (BBN), Ed Cain (DCA), Annette DeSchon (ISI), Martin Gross (DCA),
- Phill Gross (NRI), Charles Hedrick (Rutgers), Van Jacobson (LBL),
- John Klensin (MIT), Mark Lottor (SRI), Milo Medin (NASA), Bill
- Melohn (Sun Microsystems), Greg Minshall (Kinetics), Jeff Mogul
- (DEC), John Mullen (CMC), Jon Postel (ISI), John Romkey (Epilogue
- Technology), and Mike StJohns (DCA). The following also made
- significant contributions to particular areas: Eric Allman
- (Berkeley), Rob Austein (MIT), Art Berggreen (ACC), Keith Bostic
- (Berkeley), Vint Cerf (NRI), Wayne Hathaway (NASA), Matt Korn
- (IBM), Erik Naggum (Naggum Software, Norway), Robert Ullmann
- (Prime Computer), David Waitzman (BBN), Frank Wancho (USA), Arun
- Welch (Ohio State), Bill Westfield (Cisco), and Rayan Zachariassen
- (Toronto).
-
- We are grateful to all, including any contributors who may have
- been inadvertently omitted from this list.
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 12]
-
-
-
-
-RFC1123 APPLICATIONS LAYER -- GENERAL October 1989
-
-
-2. GENERAL ISSUES
-
- This section contains general requirements that may be applicable to
- all application-layer protocols.
-
- 2.1 Host Names and Numbers
-
- The syntax of a legal Internet host name was specified in RFC-952
- [DNS:4]. One aspect of host name syntax is hereby changed: the
- restriction on the first character is relaxed to allow either a
- letter or a digit. Host software MUST support this more liberal
- syntax.
-
- Host software MUST handle host names of up to 63 characters and
- SHOULD handle host names of up to 255 characters.
-
- Whenever a user inputs the identity of an Internet host, it SHOULD
- be possible to enter either (1) a host domain name or (2) an IP
- address in dotted-decimal ("#.#.#.#") form. The host SHOULD check
- the string syntactically for a dotted-decimal number before
- looking it up in the Domain Name System.
-
- DISCUSSION:
- This last requirement is not intended to specify the complete
- syntactic form for entering a dotted-decimal host number;
- that is considered to be a user-interface issue. For
- example, a dotted-decimal number must be enclosed within
- "[ ]" brackets for SMTP mail (see Section 5.2.17). This
- notation could be made universal within a host system,
- simplifying the syntactic checking for a dotted-decimal
- number.
-
- If a dotted-decimal number can be entered without such
- identifying delimiters, then a full syntactic check must be
- made, because a segment of a host domain name is now allowed
- to begin with a digit and could legally be entirely numeric
- (see Section 6.1.2.4). However, a valid host name can never
- have the dotted-decimal form #.#.#.#, since at least the
- highest-level component label will be alphabetic.
-
- 2.2 Using Domain Name Service
-
- Host domain names MUST be translated to IP addresses as described
- in Section 6.1.
-
- Applications using domain name services MUST be able to cope with
- soft error conditions. Applications MUST wait a reasonable
- interval between successive retries due to a soft error, and MUST
-
-
-
-Internet Engineering Task Force [Page 13]
-
-
-
-
-RFC1123 APPLICATIONS LAYER -- GENERAL October 1989
-
-
- allow for the possibility that network problems may deny service
- for hours or even days.
-
- An application SHOULD NOT rely on the ability to locate a WKS
- record containing an accurate listing of all services at a
- particular host address, since the WKS RR type is not often used
- by Internet sites. To confirm that a service is present, simply
- attempt to use it.
-
- 2.3 Applications on Multihomed hosts
-
- When the remote host is multihomed, the name-to-address
- translation will return a list of alternative IP addresses. As
- specified in Section 6.1.3.4, this list should be in order of
- decreasing preference. Application protocol implementations
- SHOULD be prepared to try multiple addresses from the list until
- success is obtained. More specific requirements for SMTP are
- given in Section 5.3.4.
-
- When the local host is multihomed, a UDP-based request/response
- application SHOULD send the response with an IP source address
- that is the same as the specific destination address of the UDP
- request datagram. The "specific destination address" is defined
- in the "IP Addressing" section of the companion RFC [INTRO:1].
-
- Similarly, a server application that opens multiple TCP
- connections to the same client SHOULD use the same local IP
- address for all.
-
- 2.4 Type-of-Service
-
- Applications MUST select appropriate TOS values when they invoke
- transport layer services, and these values MUST be configurable.
- Note that a TOS value contains 5 bits, of which only the most-
- significant 3 bits are currently defined; the other two bits MUST
- be zero.
-
- DISCUSSION:
- As gateway algorithms are developed to implement Type-of-
- Service, the recommended values for various application
- protocols may change. In addition, it is likely that
- particular combinations of users and Internet paths will want
- non-standard TOS values. For these reasons, the TOS values
- must be configurable.
-
- See the latest version of the "Assigned Numbers" RFC
- [INTRO:5] for the recommended TOS values for the major
- application protocols.
-
-
-
-Internet Engineering Task Force [Page 14]
-
-
-
-
-RFC1123 APPLICATIONS LAYER -- GENERAL October 1989
-
-
- 2.5 GENERAL APPLICATION REQUIREMENTS SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
------------------------------------------------|----------|-|-|-|-|-|--
- | | | | | | |
-User interfaces: | | | | | | |
- Allow host name to begin with digit |2.1 |x| | | | |
- Host names of up to 635 characters |2.1 |x| | | | |
- Host names of up to 255 characters |2.1 | |x| | | |
- Support dotted-decimal host numbers |2.1 | |x| | | |
- Check syntactically for dotted-dec first |2.1 | |x| | | |
- | | | | | | |
-Map domain names per Section 6.1 |2.2 |x| | | | |
-Cope with soft DNS errors |2.2 |x| | | | |
- Reasonable interval between retries |2.2 |x| | | | |
- Allow for long outages |2.2 |x| | | | |
-Expect WKS records to be available |2.2 | | | |x| |
- | | | | | | |
-Try multiple addr's for remote multihomed host |2.3 | |x| | | |
-UDP reply src addr is specific dest of request |2.3 | |x| | | |
-Use same IP addr for related TCP connections |2.3 | |x| | | |
-Specify appropriate TOS values |2.4 |x| | | | |
- TOS values configurable |2.4 |x| | | | |
- Unused TOS bits zero |2.4 |x| | | | |
- | | | | | | |
- | | | | | | |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 15]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
-3. REMOTE LOGIN -- TELNET PROTOCOL
-
- 3.1 INTRODUCTION
-
- Telnet is the standard Internet application protocol for remote
- login. It provides the encoding rules to link a user's
- keyboard/display on a client ("user") system with a command
- interpreter on a remote server system. A subset of the Telnet
- protocol is also incorporated within other application protocols,
- e.g., FTP and SMTP.
-
- Telnet uses a single TCP connection, and its normal data stream
- ("Network Virtual Terminal" or "NVT" mode) is 7-bit ASCII with
- escape sequences to embed control functions. Telnet also allows
- the negotiation of many optional modes and functions.
-
- The primary Telnet specification is to be found in RFC-854
- [TELNET:1], while the options are defined in many other RFCs; see
- Section 7 for references.
-
- 3.2 PROTOCOL WALK-THROUGH
-
- 3.2.1 Option Negotiation: RFC-854, pp. 2-3
-
- Every Telnet implementation MUST include option negotiation and
- subnegotiation machinery [TELNET:2].
-
- A host MUST carefully follow the rules of RFC-854 to avoid
- option-negotiation loops. A host MUST refuse (i.e, reply
- WONT/DONT to a DO/WILL) an unsupported option. Option
- negotiation SHOULD continue to function (even if all requests
- are refused) throughout the lifetime of a Telnet connection.
-
- If all option negotiations fail, a Telnet implementation MUST
- default to, and support, an NVT.
-
- DISCUSSION:
- Even though more sophisticated "terminals" and supporting
- option negotiations are becoming the norm, all
- implementations must be prepared to support an NVT for any
- user-server communication.
-
- 3.2.2 Telnet Go-Ahead Function: RFC-854, p. 5, and RFC-858
-
- On a host that never sends the Telnet command Go Ahead (GA),
- the Telnet Server MUST attempt to negotiate the Suppress Go
- Ahead option (i.e., send "WILL Suppress Go Ahead"). A User or
- Server Telnet MUST always accept negotiation of the Suppress Go
-
-
-
-Internet Engineering Task Force [Page 16]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- Ahead option.
-
- When it is driving a full-duplex terminal for which GA has no
- meaning, a User Telnet implementation MAY ignore GA commands.
-
- DISCUSSION:
- Half-duplex ("locked-keyboard") line-at-a-time terminals
- for which the Go-Ahead mechanism was designed have largely
- disappeared from the scene. It turned out to be difficult
- to implement sending the Go-Ahead signal in many operating
- systems, even some systems that support native half-duplex
- terminals. The difficulty is typically that the Telnet
- server code does not have access to information about
- whether the user process is blocked awaiting input from
- the Telnet connection, i.e., it cannot reliably determine
- when to send a GA command. Therefore, most Telnet Server
- hosts do not send GA commands.
-
- The effect of the rules in this section is to allow either
- end of a Telnet connection to veto the use of GA commands.
-
- There is a class of half-duplex terminals that is still
- commercially important: "data entry terminals," which
- interact in a full-screen manner. However, supporting
- data entry terminals using the Telnet protocol does not
- require the Go Ahead signal; see Section 3.3.2.
-
- 3.2.3 Control Functions: RFC-854, pp. 7-8
-
- The list of Telnet commands has been extended to include EOR
- (End-of-Record), with code 239 [TELNET:9].
-
- Both User and Server Telnets MAY support the control functions
- EOR, EC, EL, and Break, and MUST support AO, AYT, DM, IP, NOP,
- SB, and SE.
-
- A host MUST be able to receive and ignore any Telnet control
- functions that it does not support.
-
- DISCUSSION:
- Note that a Server Telnet is required to support the
- Telnet IP (Interrupt Process) function, even if the server
- host has an equivalent in-stream function (e.g., Control-C
- in many systems). The Telnet IP function may be stronger
- than an in-stream interrupt command, because of the out-
- of-band effect of TCP urgent data.
-
- The EOR control function may be used to delimit the
-
-
-
-Internet Engineering Task Force [Page 17]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- stream. An important application is data entry terminal
- support (see Section 3.3.2). There was concern that since
- EOR had not been defined in RFC-854, a host that was not
- prepared to correctly ignore unknown Telnet commands might
- crash if it received an EOR. To protect such hosts, the
- End-of-Record option [TELNET:9] was introduced; however, a
- properly implemented Telnet program will not require this
- protection.
-
- 3.2.4 Telnet "Synch" Signal: RFC-854, pp. 8-10
-
- When it receives "urgent" TCP data, a User or Server Telnet
- MUST discard all data except Telnet commands until the DM (and
- end of urgent) is reached.
-
- When it sends Telnet IP (Interrupt Process), a User Telnet
- SHOULD follow it by the Telnet "Synch" sequence, i.e., send as
- TCP urgent data the sequence "IAC IP IAC DM". The TCP urgent
- pointer points to the DM octet.
-
- When it receives a Telnet IP command, a Server Telnet MAY send
- a Telnet "Synch" sequence back to the user, to flush the output
- stream. The choice ought to be consistent with the way the
- server operating system behaves when a local user interrupts a
- process.
-
- When it receives a Telnet AO command, a Server Telnet MUST send
- a Telnet "Synch" sequence back to the user, to flush the output
- stream.
-
- A User Telnet SHOULD have the capability of flushing output
- when it sends a Telnet IP; see also Section 3.4.5.
-
- DISCUSSION:
- There are three possible ways for a User Telnet to flush
- the stream of server output data:
-
- (1) Send AO after IP.
-
- This will cause the server host to send a "flush-
- buffered-output" signal to its operating system.
- However, the AO may not take effect locally, i.e.,
- stop terminal output at the User Telnet end, until
- the Server Telnet has received and processed the AO
- and has sent back a "Synch".
-
- (2) Send DO TIMING-MARK [TELNET:7] after IP, and discard
- all output locally until a WILL/WONT TIMING-MARK is
-
-
-
-Internet Engineering Task Force [Page 18]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- received from the Server Telnet.
-
- Since the DO TIMING-MARK will be processed after the
- IP at the server, the reply to it should be in the
- right place in the output data stream. However, the
- TIMING-MARK will not send a "flush buffered output"
- signal to the server operating system. Whether or
- not this is needed is dependent upon the server
- system.
-
- (3) Do both.
-
- The best method is not entirely clear, since it must
- accommodate a number of existing server hosts that do not
- follow the Telnet standards in various ways. The safest
- approach is probably to provide a user-controllable option
- to select (1), (2), or (3).
-
- 3.2.5 NVT Printer and Keyboard: RFC-854, p. 11
-
- In NVT mode, a Telnet SHOULD NOT send characters with the
- high-order bit 1, and MUST NOT send it as a parity bit.
- Implementations that pass the high-order bit to applications
- SHOULD negotiate binary mode (see Section 3.2.6).
-
-
- DISCUSSION:
- Implementors should be aware that a strict reading of
- RFC-854 allows a client or server expecting NVT ASCII to
- ignore characters with the high-order bit set. In
- general, binary mode is expected to be used for
- transmission of an extended (beyond 7-bit) character set
- with Telnet.
-
- However, there exist applications that really need an 8-
- bit NVT mode, which is currently not defined, and these
- existing applications do set the high-order bit during
- part or all of the life of a Telnet connection. Note that
- binary mode is not the same as 8-bit NVT mode, since
- binary mode turns off end-of-line processing. For this
- reason, the requirements on the high-order bit are stated
- as SHOULD, not MUST.
-
- RFC-854 defines a minimal set of properties of a "network
- virtual terminal" or NVT; this is not meant to preclude
- additional features in a real terminal. A Telnet
- connection is fully transparent to all 7-bit ASCII
- characters, including arbitrary ASCII control characters.
-
-
-
-Internet Engineering Task Force [Page 19]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- For example, a terminal might support full-screen commands
- coded as ASCII escape sequences; a Telnet implementation
- would pass these sequences as uninterpreted data. Thus,
- an NVT should not be conceived as a terminal type of a
- highly-restricted device.
-
- 3.2.6 Telnet Command Structure: RFC-854, p. 13
-
- Since options may appear at any point in the data stream, a
- Telnet escape character (known as IAC, with the value 255) to
- be sent as data MUST be doubled.
-
- 3.2.7 Telnet Binary Option: RFC-856
-
- When the Binary option has been successfully negotiated,
- arbitrary 8-bit characters are allowed. However, the data
- stream MUST still be scanned for IAC characters, any embedded
- Telnet commands MUST be obeyed, and data bytes equal to IAC
- MUST be doubled. Other character processing (e.g., replacing
- CR by CR NUL or by CR LF) MUST NOT be done. In particular,
- there is no end-of-line convention (see Section 3.3.1) in
- binary mode.
-
- DISCUSSION:
- The Binary option is normally negotiated in both
- directions, to change the Telnet connection from NVT mode
- to "binary mode".
-
- The sequence IAC EOR can be used to delimit blocks of data
- within a binary-mode Telnet stream.
-
- 3.2.8 Telnet Terminal-Type Option: RFC-1091
-
- The Terminal-Type option MUST use the terminal type names
- officially defined in the Assigned Numbers RFC [INTRO:5], when
- they are available for the particular terminal. However, the
- receiver of a Terminal-Type option MUST accept any name.
-
- DISCUSSION:
- RFC-1091 [TELNET:10] updates an earlier version of the
- Terminal-Type option defined in RFC-930. The earlier
- version allowed a server host capable of supporting
- multiple terminal types to learn the type of a particular
- client's terminal, assuming that each physical terminal
- had an intrinsic type. However, today a "terminal" is
- often really a terminal emulator program running in a PC,
- perhaps capable of emulating a range of terminal types.
- Therefore, RFC-1091 extends the specification to allow a
-
-
-
-Internet Engineering Task Force [Page 20]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- more general terminal-type negotiation between User and
- Server Telnets.
-
- 3.3 SPECIFIC ISSUES
-
- 3.3.1 Telnet End-of-Line Convention
-
- The Telnet protocol defines the sequence CR LF to mean "end-
- of-line". For terminal input, this corresponds to a command-
- completion or "end-of-line" key being pressed on a user
- terminal; on an ASCII terminal, this is the CR key, but it may
- also be labelled "Return" or "Enter".
-
- When a Server Telnet receives the Telnet end-of-line sequence
- CR LF as input from a remote terminal, the effect MUST be the
- same as if the user had pressed the "end-of-line" key on a
- local terminal. On server hosts that use ASCII, in particular,
- receipt of the Telnet sequence CR LF must cause the same effect
- as a local user pressing the CR key on a local terminal. Thus,
- CR LF and CR NUL MUST have the same effect on an ASCII server
- host when received as input over a Telnet connection.
-
- A User Telnet MUST be able to send any of the forms: CR LF, CR
- NUL, and LF. A User Telnet on an ASCII host SHOULD have a
- user-controllable mode to send either CR LF or CR NUL when the
- user presses the "end-of-line" key, and CR LF SHOULD be the
- default.
-
- The Telnet end-of-line sequence CR LF MUST be used to send
- Telnet data that is not terminal-to-computer (e.g., for Server
- Telnet sending output, or the Telnet protocol incorporated
- another application protocol).
-
- DISCUSSION:
- To allow interoperability between arbitrary Telnet clients
- and servers, the Telnet protocol defined a standard
- representation for a line terminator. Since the ASCII
- character set includes no explicit end-of-line character,
- systems have chosen various representations, e.g., CR, LF,
- and the sequence CR LF. The Telnet protocol chose the CR
- LF sequence as the standard for network transmission.
-
- Unfortunately, the Telnet protocol specification in RFC-
- 854 [TELNET:1] has turned out to be somewhat ambiguous on
- what character(s) should be sent from client to server for
- the "end-of-line" key. The result has been a massive and
- continuing interoperability headache, made worse by
- various faulty implementations of both User and Server
-
-
-
-Internet Engineering Task Force [Page 21]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- Telnets.
-
- Although the Telnet protocol is based on a perfectly
- symmetric model, in a remote login session the role of the
- user at a terminal differs from the role of the server
- host. For example, RFC-854 defines the meaning of CR, LF,
- and CR LF as output from the server, but does not specify
- what the User Telnet should send when the user presses the
- "end-of-line" key on the terminal; this turns out to be
- the point at issue.
-
- When a user presses the "end-of-line" key, some User
- Telnet implementations send CR LF, while others send CR
- NUL (based on a different interpretation of the same
- sentence in RFC-854). These will be equivalent for a
- correctly-implemented ASCII server host, as discussed
- above. For other servers, a mode in the User Telnet is
- needed.
-
- The existence of User Telnets that send only CR NUL when
- CR is pressed creates a dilemma for non-ASCII hosts: they
- can either treat CR NUL as equivalent to CR LF in input,
- thus precluding the possibility of entering a "bare" CR,
- or else lose complete interworking.
-
- Suppose a user on host A uses Telnet to log into a server
- host B, and then execute B's User Telnet program to log
- into server host C. It is desirable for the Server/User
- Telnet combination on B to be as transparent as possible,
- i.e., to appear as if A were connected directly to C. In
- particular, correct implementation will make B transparent
- to Telnet end-of-line sequences, except that CR LF may be
- translated to CR NUL or vice versa.
-
- IMPLEMENTATION:
- To understand Telnet end-of-line issues, one must have at
- least a general model of the relationship of Telnet to the
- local operating system. The Server Telnet process is
- typically coupled into the terminal driver software of the
- operating system as a pseudo-terminal. A Telnet end-of-
- line sequence received by the Server Telnet must have the
- same effect as pressing the end-of-line key on a real
- locally-connected terminal.
-
- Operating systems that support interactive character-at-
- a-time applications (e.g., editors) typically have two
- internal modes for their terminal I/O: a formatted mode,
- in which local conventions for end-of-line and other
-
-
-
-Internet Engineering Task Force [Page 22]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- formatting rules have been applied to the data stream, and
- a "raw" mode, in which the application has direct access
- to every character as it was entered. A Server Telnet
- must be implemented in such a way that these modes have
- the same effect for remote as for local terminals. For
- example, suppose a CR LF or CR NUL is received by the
- Server Telnet on an ASCII host. In raw mode, a CR
- character is passed to the application; in formatted mode,
- the local system's end-of-line convention is used.
-
- 3.3.2 Data Entry Terminals
-
- DISCUSSION:
- In addition to the line-oriented and character-oriented
- ASCII terminals for which Telnet was designed, there are
- several families of video display terminals that are
- sometimes known as "data entry terminals" or DETs. The
- IBM 3270 family is a well-known example.
-
- Two Internet protocols have been designed to support
- generic DETs: SUPDUP [TELNET:16, TELNET:17], and the DET
- option [TELNET:18, TELNET:19]. The DET option drives a
- data entry terminal over a Telnet connection using (sub-)
- negotiation. SUPDUP is a completely separate terminal
- protocol, which can be entered from Telnet by negotiation.
- Although both SUPDUP and the DET option have been used
- successfully in particular environments, neither has
- gained general acceptance or wide implementation.
-
- A different approach to DET interaction has been developed
- for supporting the IBM 3270 family through Telnet,
- although the same approach would be applicable to any DET.
- The idea is to enter a "native DET" mode, in which the
- native DET input/output stream is sent as binary data.
- The Telnet EOR command is used to delimit logical records
- (e.g., "screens") within this binary stream.
-
- IMPLEMENTATION:
- The rules for entering and leaving native DET mode are as
- follows:
-
- o The Server uses the Terminal-Type option [TELNET:10]
- to learn that the client is a DET.
-
- o It is conventional, but not required, that both ends
- negotiate the EOR option [TELNET:9].
-
- o Both ends negotiate the Binary option [TELNET:3] to
-
-
-
-Internet Engineering Task Force [Page 23]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- enter native DET mode.
-
- o When either end negotiates out of binary mode, the
- other end does too, and the mode then reverts to
- normal NVT.
-
-
- 3.3.3 Option Requirements
-
- Every Telnet implementation MUST support the Binary option
- [TELNET:3] and the Suppress Go Ahead option [TELNET:5], and
- SHOULD support the Echo [TELNET:4], Status [TELNET:6], End-of-
- Record [TELNET:9], and Extended Options List [TELNET:8]
- options.
-
- A User or Server Telnet SHOULD support the Window Size Option
- [TELNET:12] if the local operating system provides the
- corresponding capability.
-
- DISCUSSION:
- Note that the End-of-Record option only signifies that a
- Telnet can receive a Telnet EOR without crashing;
- therefore, every Telnet ought to be willing to accept
- negotiation of the End-of-Record option. See also the
- discussion in Section 3.2.3.
-
- 3.3.4 Option Initiation
-
- When the Telnet protocol is used in a client/server situation,
- the server SHOULD initiate negotiation of the terminal
- interaction mode it expects.
-
- DISCUSSION:
- The Telnet protocol was defined to be perfectly
- symmetrical, but its application is generally asymmetric.
- Remote login has been known to fail because NEITHER side
- initiated negotiation of the required non-default terminal
- modes. It is generally the server that determines the
- preferred mode, so the server needs to initiate the
- negotiation; since the negotiation is symmetric, the user
- can also initiate it.
-
- A client (User Telnet) SHOULD provide a means for users to
- enable and disable the initiation of option negotiation.
-
- DISCUSSION:
- A user sometimes needs to connect to an application
- service (e.g., FTP or SMTP) that uses Telnet for its
-
-
-
-Internet Engineering Task Force [Page 24]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- control stream but does not support Telnet options. User
- Telnet may be used for this purpose if initiation of
- option negotiation is disabled.
-
- 3.3.5 Telnet Linemode Option
-
- DISCUSSION:
- An important new Telnet option, LINEMODE [TELNET:12], has
- been proposed. The LINEMODE option provides a standard
- way for a User Telnet and a Server Telnet to agree that
- the client rather than the server will perform terminal
- character processing. When the client has prepared a
- complete line of text, it will send it to the server in
- (usually) one TCP packet. This option will greatly
- decrease the packet cost of Telnet sessions and will also
- give much better user response over congested or long-
- delay networks.
-
- The LINEMODE option allows dynamic switching between local
- and remote character processing. For example, the Telnet
- connection will automatically negotiate into single-
- character mode while a full screen editor is running, and
- then return to linemode when the editor is finished.
-
- We expect that when this RFC is released, hosts should
- implement the client side of this option, and may
- implement the server side of this option. To properly
- implement the server side, the server needs to be able to
- tell the local system not to do any input character
- processing, but to remember its current terminal state and
- notify the Server Telnet process whenever the state
- changes. This will allow password echoing and full screen
- editors to be handled properly, for example.
-
- 3.4 TELNET/USER INTERFACE
-
- 3.4.1 Character Set Transparency
-
- User Telnet implementations SHOULD be able to send or receive
- any 7-bit ASCII character. Where possible, any special
- character interpretations by the user host's operating system
- SHOULD be bypassed so that these characters can conveniently be
- sent and received on the connection.
-
- Some character value MUST be reserved as "escape to command
- mode"; conventionally, doubling this character allows it to be
- entered as data. The specific character used SHOULD be user
- selectable.
-
-
-
-Internet Engineering Task Force [Page 25]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- On binary-mode connections, a User Telnet program MAY provide
- an escape mechanism for entering arbitrary 8-bit values, if the
- host operating system doesn't allow them to be entered directly
- from the keyboard.
-
- IMPLEMENTATION:
- The transparency issues are less pressing on servers, but
- implementors should take care in dealing with issues like:
- masking off parity bits (sent by an older, non-conforming
- client) before they reach programs that expect only NVT
- ASCII, and properly handling programs that request 8-bit
- data streams.
-
- 3.4.2 Telnet Commands
-
- A User Telnet program MUST provide a user the capability of
- entering any of the Telnet control functions IP, AO, or AYT,
- and SHOULD provide the capability of entering EC, EL, and
- Break.
-
- 3.4.3 TCP Connection Errors
-
- A User Telnet program SHOULD report to the user any TCP errors
- that are reported by the transport layer (see "TCP/Application
- Layer Interface" section in [INTRO:1]).
-
- 3.4.4 Non-Default Telnet Contact Port
-
- A User Telnet program SHOULD allow the user to optionally
- specify a non-standard contact port number at the Server Telnet
- host.
-
- 3.4.5 Flushing Output
-
- A User Telnet program SHOULD provide the user the ability to
- specify whether or not output should be flushed when an IP is
- sent; see Section 3.2.4.
-
- For any output flushing scheme that causes the User Telnet to
- flush output locally until a Telnet signal is received from the
- Server, there SHOULD be a way for the user to manually restore
- normal output, in case the Server fails to send the expected
- signal.
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 26]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- 3.5. TELNET REQUIREMENTS SUMMARY
-
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
--------------------------------------------------|--------|-|-|-|-|-|--
- | | | | | | |
-Option Negotiation |3.2.1 |x| | | | |
- Avoid negotiation loops |3.2.1 |x| | | | |
- Refuse unsupported options |3.2.1 |x| | | | |
- Negotiation OK anytime on connection |3.2.1 | |x| | | |
- Default to NVT |3.2.1 |x| | | | |
- Send official name in Term-Type option |3.2.8 |x| | | | |
- Accept any name in Term-Type option |3.2.8 |x| | | | |
- Implement Binary, Suppress-GA options |3.3.3 |x| | | | |
- Echo, Status, EOL, Ext-Opt-List options |3.3.3 | |x| | | |
- Implement Window-Size option if appropriate |3.3.3 | |x| | | |
- Server initiate mode negotiations |3.3.4 | |x| | | |
- User can enable/disable init negotiations |3.3.4 | |x| | | |
- | | | | | | |
-Go-Aheads | | | | | | |
- Non-GA server negotiate SUPPRESS-GA option |3.2.2 |x| | | | |
- User or Server accept SUPPRESS-GA option |3.2.2 |x| | | | |
- User Telnet ignore GA's |3.2.2 | | |x| | |
- | | | | | | |
-Control Functions | | | | | | |
- Support SE NOP DM IP AO AYT SB |3.2.3 |x| | | | |
- Support EOR EC EL Break |3.2.3 | | |x| | |
- Ignore unsupported control functions |3.2.3 |x| | | | |
- User, Server discard urgent data up to DM |3.2.4 |x| | | | |
- User Telnet send "Synch" after IP, AO, AYT |3.2.4 | |x| | | |
- Server Telnet reply Synch to IP |3.2.4 | | |x| | |
- Server Telnet reply Synch to AO |3.2.4 |x| | | | |
- User Telnet can flush output when send IP |3.2.4 | |x| | | |
- | | | | | | |
-Encoding | | | | | | |
- Send high-order bit in NVT mode |3.2.5 | | | |x| |
- Send high-order bit as parity bit |3.2.5 | | | | |x|
- Negot. BINARY if pass high-ord. bit to applic |3.2.5 | |x| | | |
- Always double IAC data byte |3.2.6 |x| | | | |
-
-
-
-Internet Engineering Task Force [Page 27]
-
-
-
-
-RFC1123 REMOTE LOGIN -- TELNET October 1989
-
-
- Double IAC data byte in binary mode |3.2.7 |x| | | | |
- Obey Telnet cmds in binary mode |3.2.7 |x| | | | |
- End-of-line, CR NUL in binary mode |3.2.7 | | | | |x|
- | | | | | | |
-End-of-Line | | | | | | |
- EOL at Server same as local end-of-line |3.3.1 |x| | | | |
- ASCII Server accept CR LF or CR NUL for EOL |3.3.1 |x| | | | |
- User Telnet able to send CR LF, CR NUL, or LF |3.3.1 |x| | | | |
- ASCII user able to select CR LF/CR NUL |3.3.1 | |x| | | |
- User Telnet default mode is CR LF |3.3.1 | |x| | | |
- Non-interactive uses CR LF for EOL |3.3.1 |x| | | | |
- | | | | | | |
-User Telnet interface | | | | | | |
- Input & output all 7-bit characters |3.4.1 | |x| | | |
- Bypass local op sys interpretation |3.4.1 | |x| | | |
- Escape character |3.4.1 |x| | | | |
- User-settable escape character |3.4.1 | |x| | | |
- Escape to enter 8-bit values |3.4.1 | | |x| | |
- Can input IP, AO, AYT |3.4.2 |x| | | | |
- Can input EC, EL, Break |3.4.2 | |x| | | |
- Report TCP connection errors to user |3.4.3 | |x| | | |
- Optional non-default contact port |3.4.4 | |x| | | |
- Can spec: output flushed when IP sent |3.4.5 | |x| | | |
- Can manually restore output mode |3.4.5 | |x| | | |
- | | | | | | |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 28]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
-4. FILE TRANSFER
-
- 4.1 FILE TRANSFER PROTOCOL -- FTP
-
- 4.1.1 INTRODUCTION
-
- The File Transfer Protocol FTP is the primary Internet standard
- for file transfer. The current specification is contained in
- RFC-959 [FTP:1].
-
- FTP uses separate simultaneous TCP connections for control and
- for data transfer. The FTP protocol includes many features,
- some of which are not commonly implemented. However, for every
- feature in FTP, there exists at least one implementation. The
- minimum implementation defined in RFC-959 was too small, so a
- somewhat larger minimum implementation is defined here.
-
- Internet users have been unnecessarily burdened for years by
- deficient FTP implementations. Protocol implementors have
- suffered from the erroneous opinion that implementing FTP ought
- to be a small and trivial task. This is wrong, because FTP has
- a user interface, because it has to deal (correctly) with the
- whole variety of communication and operating system errors that
- may occur, and because it has to handle the great diversity of
- real file systems in the world.
-
- 4.1.2. PROTOCOL WALK-THROUGH
-
- 4.1.2.1 LOCAL Type: RFC-959 Section 3.1.1.4
-
- An FTP program MUST support TYPE I ("IMAGE" or binary type)
- as well as TYPE L 8 ("LOCAL" type with logical byte size 8).
- A machine whose memory is organized into m-bit words, where
- m is not a multiple of 8, MAY also support TYPE L m.
-
- DISCUSSION:
- The command "TYPE L 8" is often required to transfer
- binary data between a machine whose memory is organized
- into (e.g.) 36-bit words and a machine with an 8-bit
- byte organization. For an 8-bit byte machine, TYPE L 8
- is equivalent to IMAGE.
-
- "TYPE L m" is sometimes specified to the FTP programs
- on two m-bit word machines to ensure the correct
- transfer of a native-mode binary file from one machine
- to the other. However, this command should have the
- same effect on these machines as "TYPE I".
-
-
-
-
-Internet Engineering Task Force [Page 29]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- 4.1.2.2 Telnet Format Control: RFC-959 Section 3.1.1.5.2
-
- A host that makes no distinction between TYPE N and TYPE T
- SHOULD implement TYPE T to be identical to TYPE N.
-
- DISCUSSION:
- This provision should ease interoperation with hosts
- that do make this distinction.
-
- Many hosts represent text files internally as strings
- of ASCII characters, using the embedded ASCII format
- effector characters (LF, BS, FF, ...) to control the
- format when a file is printed. For such hosts, there
- is no distinction between "print" files and other
- files. However, systems that use record structured
- files typically need a special format for printable
- files (e.g., ASA carriage control). For the latter
- hosts, FTP allows a choice of TYPE N or TYPE T.
-
- 4.1.2.3 Page Structure: RFC-959 Section 3.1.2.3 and Appendix I
-
- Implementation of page structure is NOT RECOMMENDED in
- general. However, if a host system does need to implement
- FTP for "random access" or "holey" files, it MUST use the
- defined page structure format rather than define a new
- private FTP format.
-
- 4.1.2.4 Data Structure Transformations: RFC-959 Section 3.1.2
-
- An FTP transformation between record-structure and file-
- structure SHOULD be invertible, to the extent possible while
- making the result useful on the target host.
-
- DISCUSSION:
- RFC-959 required strict invertibility between record-
- structure and file-structure, but in practice,
- efficiency and convenience often preclude it.
- Therefore, the requirement is being relaxed. There are
- two different objectives for transferring a file:
- processing it on the target host, or just storage. For
- storage, strict invertibility is important. For
- processing, the file created on the target host needs
- to be in the format expected by application programs on
- that host.
-
- As an example of the conflict, imagine a record-
- oriented operating system that requires some data files
- to have exactly 80 bytes in each record. While STORing
-
-
-
-Internet Engineering Task Force [Page 30]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- a file on such a host, an FTP Server must be able to
- pad each line or record to 80 bytes; a later retrieval
- of such a file cannot be strictly invertible.
-
- 4.1.2.5 Data Connection Management: RFC-959 Section 3.3
-
- A User-FTP that uses STREAM mode SHOULD send a PORT command
- to assign a non-default data port before each transfer
- command is issued.
-
- DISCUSSION:
- This is required because of the long delay after a TCP
- connection is closed until its socket pair can be
- reused, to allow multiple transfers during a single FTP
- session. Sending a port command can avoided if a
- transfer mode other than stream is used, by leaving the
- data transfer connection open between transfers.
-
- 4.1.2.6 PASV Command: RFC-959 Section 4.1.2
-
- A server-FTP MUST implement the PASV command.
-
- If multiple third-party transfers are to be executed during
- the same session, a new PASV command MUST be issued before
- each transfer command, to obtain a unique port pair.
-
- IMPLEMENTATION:
- The format of the 227 reply to a PASV command is not
- well standardized. In particular, an FTP client cannot
- assume that the parentheses shown on page 40 of RFC-959
- will be present (and in fact, Figure 3 on page 43 omits
- them). Therefore, a User-FTP program that interprets
- the PASV reply must scan the reply for the first digit
- of the host and port numbers.
-
- Note that the host number h1,h2,h3,h4 is the IP address
- of the server host that is sending the reply, and that
- p1,p2 is a non-default data transfer port that PASV has
- assigned.
-
- 4.1.2.7 LIST and NLST Commands: RFC-959 Section 4.1.3
-
- The data returned by an NLST command MUST contain only a
- simple list of legal pathnames, such that the server can use
- them directly as the arguments of subsequent data transfer
- commands for the individual files.
-
- The data returned by a LIST or NLST command SHOULD use an
-
-
-
-Internet Engineering Task Force [Page 31]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- implied TYPE AN, unless the current type is EBCDIC, in which
- case an implied TYPE EN SHOULD be used.
-
- DISCUSSION:
- Many FTP clients support macro-commands that will get
- or put files matching a wildcard specification, using
- NLST to obtain a list of pathnames. The expansion of
- "multiple-put" is local to the client, but "multiple-
- get" requires cooperation by the server.
-
- The implied type for LIST and NLST is designed to
- provide compatibility with existing User-FTPs, and in
- particular with multiple-get commands.
-
- 4.1.2.8 SITE Command: RFC-959 Section 4.1.3
-
- A Server-FTP SHOULD use the SITE command for non-standard
- features, rather than invent new private commands or
- unstandardized extensions to existing commands.
-
- 4.1.2.9 STOU Command: RFC-959 Section 4.1.3
-
- The STOU command stores into a uniquely named file. When it
- receives an STOU command, a Server-FTP MUST return the
- actual file name in the "125 Transfer Starting" or the "150
- Opening Data Connection" message that precedes the transfer
- (the 250 reply code mentioned in RFC-959 is incorrect). The
- exact format of these messages is hereby defined to be as
- follows:
-
- 125 FILE: pppp
- 150 FILE: pppp
-
- where pppp represents the unique pathname of the file that
- will be written.
-
- 4.1.2.10 Telnet End-of-line Code: RFC-959, Page 34
-
- Implementors MUST NOT assume any correspondence between READ
- boundaries on the control connection and the Telnet EOL
- sequences (CR LF).
-
- DISCUSSION:
- Thus, a server-FTP (or User-FTP) must continue reading
- characters from the control connection until a complete
- Telnet EOL sequence is encountered, before processing
- the command (or response, respectively). Conversely, a
- single READ from the control connection may include
-
-
-
-Internet Engineering Task Force [Page 32]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- more than one FTP command.
-
- 4.1.2.11 FTP Replies: RFC-959 Section 4.2, Page 35
-
- A Server-FTP MUST send only correctly formatted replies on
- the control connection. Note that RFC-959 (unlike earlier
- versions of the FTP spec) contains no provision for a
- "spontaneous" reply message.
-
- A Server-FTP SHOULD use the reply codes defined in RFC-959
- whenever they apply. However, a server-FTP MAY use a
- different reply code when needed, as long as the general
- rules of Section 4.2 are followed. When the implementor has
- a choice between a 4xx and 5xx reply code, a Server-FTP
- SHOULD send a 4xx (temporary failure) code when there is any
- reasonable possibility that a failed FTP will succeed a few
- hours later.
-
- A User-FTP SHOULD generally use only the highest-order digit
- of a 3-digit reply code for making a procedural decision, to
- prevent difficulties when a Server-FTP uses non-standard
- reply codes.
-
- A User-FTP MUST be able to handle multi-line replies. If
- the implementation imposes a limit on the number of lines
- and if this limit is exceeded, the User-FTP MUST recover,
- e.g., by ignoring the excess lines until the end of the
- multi-line reply is reached.
-
- A User-FTP SHOULD NOT interpret a 421 reply code ("Service
- not available, closing control connection") specially, but
- SHOULD detect closing of the control connection by the
- server.
-
- DISCUSSION:
- Server implementations that fail to strictly follow the
- reply rules often cause FTP user programs to hang.
- Note that RFC-959 resolved ambiguities in the reply
- rules found in earlier FTP specifications and must be
- followed.
-
- It is important to choose FTP reply codes that properly
- distinguish between temporary and permanent failures,
- to allow the successful use of file transfer client
- daemons. These programs depend on the reply codes to
- decide whether or not to retry a failed transfer; using
- a permanent failure code (5xx) for a temporary error
- will cause these programs to give up unnecessarily.
-
-
-
-Internet Engineering Task Force [Page 33]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- When the meaning of a reply matches exactly the text
- shown in RFC-959, uniformity will be enhanced by using
- the RFC-959 text verbatim. However, a Server-FTP
- implementor is encouraged to choose reply text that
- conveys specific system-dependent information, when
- appropriate.
-
- 4.1.2.12 Connections: RFC-959 Section 5.2
-
- The words "and the port used" in the second paragraph of
- this section of RFC-959 are erroneous (historical), and they
- should be ignored.
-
- On a multihomed server host, the default data transfer port
- (L-1) MUST be associated with the same local IP address as
- the corresponding control connection to port L.
-
- A user-FTP MUST NOT send any Telnet controls other than
- SYNCH and IP on an FTP control connection. In particular, it
- MUST NOT attempt to negotiate Telnet options on the control
- connection. However, a server-FTP MUST be capable of
- accepting and refusing Telnet negotiations (i.e., sending
- DONT/WONT).
-
- DISCUSSION:
- Although the RFC says: "Server- and User- processes
- should follow the conventions for the Telnet
- protocol...[on the control connection]", it is not the
- intent that Telnet option negotiation is to be
- employed.
-
- 4.1.2.13 Minimum Implementation; RFC-959 Section 5.1
-
- The following commands and options MUST be supported by
- every server-FTP and user-FTP, except in cases where the
- underlying file system or operating system does not allow or
- support a particular command.
-
- Type: ASCII Non-print, IMAGE, LOCAL 8
- Mode: Stream
- Structure: File, Record*
- Commands:
- USER, PASS, ACCT,
- PORT, PASV,
- TYPE, MODE, STRU,
- RETR, STOR, APPE,
- RNFR, RNTO, DELE,
- CWD, CDUP, RMD, MKD, PWD,
-
-
-
-Internet Engineering Task Force [Page 34]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- LIST, NLST,
- SYST, STAT,
- HELP, NOOP, QUIT.
-
- *Record structure is REQUIRED only for hosts whose file
- systems support record structure.
-
- DISCUSSION:
- Vendors are encouraged to implement a larger subset of
- the protocol. For example, there are important
- robustness features in the protocol (e.g., Restart,
- ABOR, block mode) that would be an aid to some Internet
- users but are not widely implemented.
-
- A host that does not have record structures in its file
- system may still accept files with STRU R, recording
- the byte stream literally.
-
- 4.1.3 SPECIFIC ISSUES
-
- 4.1.3.1 Non-standard Command Verbs
-
- FTP allows "experimental" commands, whose names begin with
- "X". If these commands are subsequently adopted as
- standards, there may still be existing implementations using
- the "X" form. At present, this is true for the directory
- commands:
-
- RFC-959 "Experimental"
-
- MKD XMKD
- RMD XRMD
- PWD XPWD
- CDUP XCUP
- CWD XCWD
-
- All FTP implementations SHOULD recognize both forms of these
- commands, by simply equating them with extra entries in the
- command lookup table.
-
- IMPLEMENTATION:
- A User-FTP can access a server that supports only the
- "X" forms by implementing a mode switch, or
- automatically using the following procedure: if the
- RFC-959 form of one of the above commands is rejected
- with a 500 or 502 response code, then try the
- experimental form; any other response would be passed
- to the user.
-
-
-
-Internet Engineering Task Force [Page 35]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- 4.1.3.2 Idle Timeout
-
- A Server-FTP process SHOULD have an idle timeout, which will
- terminate the process and close the control connection if
- the server is inactive (i.e., no command or data transfer in
- progress) for a long period of time. The idle timeout time
- SHOULD be configurable, and the default should be at least 5
- minutes.
-
- A client FTP process ("User-PI" in RFC-959) will need
- timeouts on responses only if it is invoked from a program.
-
- DISCUSSION:
- Without a timeout, a Server-FTP process may be left
- pending indefinitely if the corresponding client
- crashes without closing the control connection.
-
- 4.1.3.3 Concurrency of Data and Control
-
- DISCUSSION:
- The intent of the designers of FTP was that a user
- should be able to send a STAT command at any time while
- data transfer was in progress and that the server-FTP
- would reply immediately with status -- e.g., the number
- of bytes transferred so far. Similarly, an ABOR
- command should be possible at any time during a data
- transfer.
-
- Unfortunately, some small-machine operating systems
- make such concurrent programming difficult, and some
- other implementers seek minimal solutions, so some FTP
- implementations do not allow concurrent use of the data
- and control connections. Even such a minimal server
- must be prepared to accept and defer a STAT or ABOR
- command that arrives during data transfer.
-
- 4.1.3.4 FTP Restart Mechanism
-
- The description of the 110 reply on pp. 40-41 of RFC-959 is
- incorrect; the correct description is as follows. A restart
- reply message, sent over the control connection from the
- receiving FTP to the User-FTP, has the format:
-
- 110 MARK ssss = rrrr
-
- Here:
-
- * ssss is a text string that appeared in a Restart Marker
-
-
-
-Internet Engineering Task Force [Page 36]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- in the data stream and encodes a position in the
- sender's file system;
-
- * rrrr encodes the corresponding position in the
- receiver's file system.
-
- The encoding, which is specific to a particular file system
- and network implementation, is always generated and
- interpreted by the same system, either sender or receiver.
-
- When an FTP that implements restart receives a Restart
- Marker in the data stream, it SHOULD force the data to that
- point to be written to stable storage before encoding the
- corresponding position rrrr. An FTP sending Restart Markers
- MUST NOT assume that 110 replies will be returned
- synchronously with the data, i.e., it must not await a 110
- reply before sending more data.
-
- Two new reply codes are hereby defined for errors
- encountered in restarting a transfer:
-
- 554 Requested action not taken: invalid REST parameter.
-
- A 554 reply may result from a FTP service command that
- follows a REST command. The reply indicates that the
- existing file at the Server-FTP cannot be repositioned
- as specified in the REST.
-
- 555 Requested action not taken: type or stru mismatch.
-
- A 555 reply may result from an APPE command or from any
- FTP service command following a REST command. The
- reply indicates that there is some mismatch between the
- current transfer parameters (type and stru) and the
- attributes of the existing file.
-
- DISCUSSION:
- Note that the FTP Restart mechanism requires that Block
- or Compressed mode be used for data transfer, to allow
- the Restart Markers to be included within the data
- stream. The frequency of Restart Markers can be low.
-
- Restart Markers mark a place in the data stream, but
- the receiver may be performing some transformation on
- the data as it is stored into stable storage. In
- general, the receiver's encoding must include any state
- information necessary to restart this transformation at
- any point of the FTP data stream. For example, in TYPE
-
-
-
-Internet Engineering Task Force [Page 37]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- A transfers, some receiver hosts transform CR LF
- sequences into a single LF character on disk. If a
- Restart Marker happens to fall between CR and LF, the
- receiver must encode in rrrr that the transfer must be
- restarted in a "CR has been seen and discarded" state.
-
- Note that the Restart Marker is required to be encoded
- as a string of printable ASCII characters, regardless
- of the type of the data.
-
- RFC-959 says that restart information is to be returned
- "to the user". This should not be taken literally. In
- general, the User-FTP should save the restart
- information (ssss,rrrr) in stable storage, e.g., append
- it to a restart control file. An empty restart control
- file should be created when the transfer first starts
- and deleted automatically when the transfer completes
- successfully. It is suggested that this file have a
- name derived in an easily-identifiable manner from the
- name of the file being transferred and the remote host
- name; this is analogous to the means used by many text
- editors for naming "backup" files.
-
- There are three cases for FTP restart.
-
- (1) User-to-Server Transfer
-
- The User-FTP puts Restart Markers <ssss> at
- convenient places in the data stream. When the
- Server-FTP receives a Marker, it writes all prior
- data to disk, encodes its file system position and
- transformation state as rrrr, and returns a "110
- MARK ssss = rrrr" reply over the control
- connection. The User-FTP appends the pair
- (ssss,rrrr) to its restart control file.
-
- To restart the transfer, the User-FTP fetches the
- last (ssss,rrrr) pair from the restart control
- file, repositions its local file system and
- transformation state using ssss, and sends the
- command "REST rrrr" to the Server-FTP.
-
- (2) Server-to-User Transfer
-
- The Server-FTP puts Restart Markers <ssss> at
- convenient places in the data stream. When the
- User-FTP receives a Marker, it writes all prior
- data to disk, encodes its file system position and
-
-
-
-Internet Engineering Task Force [Page 38]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- transformation state as rrrr, and appends the pair
- (rrrr,ssss) to its restart control file.
-
- To restart the transfer, the User-FTP fetches the
- last (rrrr,ssss) pair from the restart control
- file, repositions its local file system and
- transformation state using rrrr, and sends the
- command "REST ssss" to the Server-FTP.
-
- (3) Server-to-Server ("Third-Party") Transfer
-
- The sending Server-FTP puts Restart Markers <ssss>
- at convenient places in the data stream. When it
- receives a Marker, the receiving Server-FTP writes
- all prior data to disk, encodes its file system
- position and transformation state as rrrr, and
- sends a "110 MARK ssss = rrrr" reply over the
- control connection to the User. The User-FTP
- appends the pair (ssss,rrrr) to its restart
- control file.
-
- To restart the transfer, the User-FTP fetches the
- last (ssss,rrrr) pair from the restart control
- file, sends "REST ssss" to the sending Server-FTP,
- and sends "REST rrrr" to the receiving Server-FTP.
-
-
- 4.1.4 FTP/USER INTERFACE
-
- This section discusses the user interface for a User-FTP
- program.
-
- 4.1.4.1 Pathname Specification
-
- Since FTP is intended for use in a heterogeneous
- environment, User-FTP implementations MUST support remote
- pathnames as arbitrary character strings, so that their form
- and content are not limited by the conventions of the local
- operating system.
-
- DISCUSSION:
- In particular, remote pathnames can be of arbitrary
- length, and all the printing ASCII characters as well
- as space (0x20) must be allowed. RFC-959 allows a
- pathname to contain any 7-bit ASCII character except CR
- or LF.
-
-
-
-
-
-Internet Engineering Task Force [Page 39]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- 4.1.4.2 "QUOTE" Command
-
- A User-FTP program MUST implement a "QUOTE" command that
- will pass an arbitrary character string to the server and
- display all resulting response messages to the user.
-
- To make the "QUOTE" command useful, a User-FTP SHOULD send
- transfer control commands to the server as the user enters
- them, rather than saving all the commands and sending them
- to the server only when a data transfer is started.
-
- DISCUSSION:
- The "QUOTE" command is essential to allow the user to
- access servers that require system-specific commands
- (e.g., SITE or ALLO), or to invoke new or optional
- features that are not implemented by the User-FTP. For
- example, "QUOTE" may be used to specify "TYPE A T" to
- send a print file to hosts that require the
- distinction, even if the User-FTP does not recognize
- that TYPE.
-
- 4.1.4.3 Displaying Replies to User
-
- A User-FTP SHOULD display to the user the full text of all
- error reply messages it receives. It SHOULD have a
- "verbose" mode in which all commands it sends and the full
- text and reply codes it receives are displayed, for
- diagnosis of problems.
-
- 4.1.4.4 Maintaining Synchronization
-
- The state machine in a User-FTP SHOULD be forgiving of
- missing and unexpected reply messages, in order to maintain
- command synchronization with the server.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 40]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- 4.1.5 FTP REQUIREMENTS SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
--------------------------------------------|---------------|-|-|-|-|-|--
-Implement TYPE T if same as TYPE N |4.1.2.2 | |x| | | |
-File/Record transform invertible if poss. |4.1.2.4 | |x| | | |
-User-FTP send PORT cmd for stream mode |4.1.2.5 | |x| | | |
-Server-FTP implement PASV |4.1.2.6 |x| | | | |
- PASV is per-transfer |4.1.2.6 |x| | | | |
-NLST reply usable in RETR cmds |4.1.2.7 |x| | | | |
-Implied type for LIST and NLST |4.1.2.7 | |x| | | |
-SITE cmd for non-standard features |4.1.2.8 | |x| | | |
-STOU cmd return pathname as specified |4.1.2.9 |x| | | | |
-Use TCP READ boundaries on control conn. |4.1.2.10 | | | | |x|
- | | | | | | |
-Server-FTP send only correct reply format |4.1.2.11 |x| | | | |
-Server-FTP use defined reply code if poss. |4.1.2.11 | |x| | | |
- New reply code following Section 4.2 |4.1.2.11 | | |x| | |
-User-FTP use only high digit of reply |4.1.2.11 | |x| | | |
-User-FTP handle multi-line reply lines |4.1.2.11 |x| | | | |
-User-FTP handle 421 reply specially |4.1.2.11 | | | |x| |
- | | | | | | |
-Default data port same IP addr as ctl conn |4.1.2.12 |x| | | | |
-User-FTP send Telnet cmds exc. SYNCH, IP |4.1.2.12 | | | | |x|
-User-FTP negotiate Telnet options |4.1.2.12 | | | | |x|
-Server-FTP handle Telnet options |4.1.2.12 |x| | | | |
-Handle "Experimental" directory cmds |4.1.3.1 | |x| | | |
-Idle timeout in server-FTP |4.1.3.2 | |x| | | |
- Configurable idle timeout |4.1.3.2 | |x| | | |
-Receiver checkpoint data at Restart Marker |4.1.3.4 | |x| | | |
-Sender assume 110 replies are synchronous |4.1.3.4 | | | | |x|
- | | | | | | |
-Support TYPE: | | | | | | |
- ASCII - Non-Print (AN) |4.1.2.13 |x| | | | |
- ASCII - Telnet (AT) -- if same as AN |4.1.2.2 | |x| | | |
- ASCII - Carriage Control (AC) |959 3.1.1.5.2 | | |x| | |
- EBCDIC - (any form) |959 3.1.1.2 | | |x| | |
- IMAGE |4.1.2.1 |x| | | | |
- LOCAL 8 |4.1.2.1 |x| | | | |
-
-
-
-Internet Engineering Task Force [Page 41]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
- LOCAL m |4.1.2.1 | | |x| | |2
- | | | | | | |
-Support MODE: | | | | | | |
- Stream |4.1.2.13 |x| | | | |
- Block |959 3.4.2 | | |x| | |
- | | | | | | |
-Support STRUCTURE: | | | | | | |
- File |4.1.2.13 |x| | | | |
- Record |4.1.2.13 |x| | | | |3
- Page |4.1.2.3 | | | |x| |
- | | | | | | |
-Support commands: | | | | | | |
- USER |4.1.2.13 |x| | | | |
- PASS |4.1.2.13 |x| | | | |
- ACCT |4.1.2.13 |x| | | | |
- CWD |4.1.2.13 |x| | | | |
- CDUP |4.1.2.13 |x| | | | |
- SMNT |959 5.3.1 | | |x| | |
- REIN |959 5.3.1 | | |x| | |
- QUIT |4.1.2.13 |x| | | | |
- | | | | | | |
- PORT |4.1.2.13 |x| | | | |
- PASV |4.1.2.6 |x| | | | |
- TYPE |4.1.2.13 |x| | | | |1
- STRU |4.1.2.13 |x| | | | |1
- MODE |4.1.2.13 |x| | | | |1
- | | | | | | |
- RETR |4.1.2.13 |x| | | | |
- STOR |4.1.2.13 |x| | | | |
- STOU |959 5.3.1 | | |x| | |
- APPE |4.1.2.13 |x| | | | |
- ALLO |959 5.3.1 | | |x| | |
- REST |959 5.3.1 | | |x| | |
- RNFR |4.1.2.13 |x| | | | |
- RNTO |4.1.2.13 |x| | | | |
- ABOR |959 5.3.1 | | |x| | |
- DELE |4.1.2.13 |x| | | | |
- RMD |4.1.2.13 |x| | | | |
- MKD |4.1.2.13 |x| | | | |
- PWD |4.1.2.13 |x| | | | |
- LIST |4.1.2.13 |x| | | | |
- NLST |4.1.2.13 |x| | | | |
- SITE |4.1.2.8 | | |x| | |
- STAT |4.1.2.13 |x| | | | |
- SYST |4.1.2.13 |x| | | | |
- HELP |4.1.2.13 |x| | | | |
- NOOP |4.1.2.13 |x| | | | |
- | | | | | | |
-
-
-
-Internet Engineering Task Force [Page 42]
-
-
-
-
-RFC1123 FILE TRANSFER -- FTP October 1989
-
-
-User Interface: | | | | | | |
- Arbitrary pathnames |4.1.4.1 |x| | | | |
- Implement "QUOTE" command |4.1.4.2 |x| | | | |
- Transfer control commands immediately |4.1.4.2 | |x| | | |
- Display error messages to user |4.1.4.3 | |x| | | |
- Verbose mode |4.1.4.3 | |x| | | |
- Maintain synchronization with server |4.1.4.4 | |x| | | |
-
-Footnotes:
-
-(1) For the values shown earlier.
-
-(2) Here m is number of bits in a memory word.
-
-(3) Required for host with record-structured file system, optional
- otherwise.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 43]
-
-
-
-
-RFC1123 FILE TRANSFER -- TFTP October 1989
-
-
- 4.2 TRIVIAL FILE TRANSFER PROTOCOL -- TFTP
-
- 4.2.1 INTRODUCTION
-
- The Trivial File Transfer Protocol TFTP is defined in RFC-783
- [TFTP:1].
-
- TFTP provides its own reliable delivery with UDP as its
- transport protocol, using a simple stop-and-wait acknowledgment
- system. Since TFTP has an effective window of only one 512
- octet segment, it can provide good performance only over paths
- that have a small delay*bandwidth product. The TFTP file
- interface is very simple, providing no access control or
- security.
-
- TFTP's most important application is bootstrapping a host over
- a local network, since it is simple and small enough to be
- easily implemented in EPROM [BOOT:1, BOOT:2]. Vendors are
- urged to support TFTP for booting.
-
- 4.2.2 PROTOCOL WALK-THROUGH
-
- The TFTP specification [TFTP:1] is written in an open style,
- and does not fully specify many parts of the protocol.
-
- 4.2.2.1 Transfer Modes: RFC-783, Page 3
-
- The transfer mode "mail" SHOULD NOT be supported.
-
- 4.2.2.2 UDP Header: RFC-783, Page 17
-
- The Length field of a UDP header is incorrectly defined; it
- includes the UDP header length (8).
-
- 4.2.3 SPECIFIC ISSUES
-
- 4.2.3.1 Sorcerer's Apprentice Syndrome
-
- There is a serious bug, known as the "Sorcerer's Apprentice
- Syndrome," in the protocol specification. While it does not
- cause incorrect operation of the transfer (the file will
- always be transferred correctly if the transfer completes),
- this bug may cause excessive retransmission, which may cause
- the transfer to time out.
-
- Implementations MUST contain the fix for this problem: the
- sender (i.e., the side originating the DATA packets) must
- never resend the current DATA packet on receipt of a
-
-
-
-Internet Engineering Task Force [Page 44]
-
-
-
-
-RFC1123 FILE TRANSFER -- TFTP October 1989
-
-
- duplicate ACK.
-
- DISCUSSION:
- The bug is caused by the protocol rule that either
- side, on receiving an old duplicate datagram, may
- resend the current datagram. If a packet is delayed in
- the network but later successfully delivered after
- either side has timed out and retransmitted a packet, a
- duplicate copy of the response may be generated. If
- the other side responds to this duplicate with a
- duplicate of its own, then every datagram will be sent
- in duplicate for the remainder of the transfer (unless
- a datagram is lost, breaking the repetition). Worse
- yet, since the delay is often caused by congestion,
- this duplicate transmission will usually causes more
- congestion, leading to more delayed packets, etc.
-
- The following example may help to clarify this problem.
-
- TFTP A TFTP B
-
- (1) Receive ACK X-1
- Send DATA X
- (2) Receive DATA X
- Send ACK X
- (ACK X is delayed in network,
- and A times out):
- (3) Retransmit DATA X
-
- (4) Receive DATA X again
- Send ACK X again
- (5) Receive (delayed) ACK X
- Send DATA X+1
- (6) Receive DATA X+1
- Send ACK X+1
- (7) Receive ACK X again
- Send DATA X+1 again
- (8) Receive DATA X+1 again
- Send ACK X+1 again
- (9) Receive ACK X+1
- Send DATA X+2
- (10) Receive DATA X+2
- Send ACK X+3
- (11) Receive ACK X+1 again
- Send DATA X+2 again
- (12) Receive DATA X+2 again
- Send ACK X+3 again
-
-
-
-
-Internet Engineering Task Force [Page 45]
-
-
-
-
-RFC1123 FILE TRANSFER -- TFTP October 1989
-
-
- Notice that once the delayed ACK arrives, the protocol
- settles down to duplicate all further packets
- (sequences 5-8 and 9-12). The problem is caused not by
- either side timing out, but by both sides
- retransmitting the current packet when they receive a
- duplicate.
-
- The fix is to break the retransmission loop, as
- indicated above. This is analogous to the behavior of
- TCP. It is then possible to remove the retransmission
- timer on the receiver, since the resent ACK will never
- cause any action; this is a useful simplification where
- TFTP is used in a bootstrap program. It is OK to allow
- the timer to remain, and it may be helpful if the
- retransmitted ACK replaces one that was genuinely lost
- in the network. The sender still requires a retransmit
- timer, of course.
-
- 4.2.3.2 Timeout Algorithms
-
- A TFTP implementation MUST use an adaptive timeout.
-
- IMPLEMENTATION:
- TCP retransmission algorithms provide a useful base to
- work from. At least an exponential backoff of
- retransmission timeout is necessary.
-
- 4.2.3.3 Extensions
-
- A variety of non-standard extensions have been made to TFTP,
- including additional transfer modes and a secure operation
- mode (with passwords). None of these have been
- standardized.
-
- 4.2.3.4 Access Control
-
- A server TFTP implementation SHOULD include some
- configurable access control over what pathnames are allowed
- in TFTP operations.
-
- 4.2.3.5 Broadcast Request
-
- A TFTP request directed to a broadcast address SHOULD be
- silently ignored.
-
- DISCUSSION:
- Due to the weak access control capability of TFTP,
- directed broadcasts of TFTP requests to random networks
-
-
-
-Internet Engineering Task Force [Page 46]
-
-
-
-
-RFC1123 FILE TRANSFER -- TFTP October 1989
-
-
- could create a significant security hole.
-
- 4.2.4 TFTP REQUIREMENTS SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
--------------------------------------------------|--------|-|-|-|-|-|--
-Fix Sorcerer's Apprentice Syndrome |4.2.3.1 |x| | | | |
-Transfer modes: | | | | | | |
- netascii |RFC-783 |x| | | | |
- octet |RFC-783 |x| | | | |
- mail |4.2.2.1 | | | |x| |
- extensions |4.2.3.3 | | |x| | |
-Use adaptive timeout |4.2.3.2 |x| | | | |
-Configurable access control |4.2.3.4 | |x| | | |
-Silently ignore broadcast request |4.2.3.5 | |x| | | |
--------------------------------------------------|--------|-|-|-|-|-|--
--------------------------------------------------|--------|-|-|-|-|-|--
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 47]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
-5. ELECTRONIC MAIL -- SMTP and RFC-822
-
- 5.1 INTRODUCTION
-
- In the TCP/IP protocol suite, electronic mail in a format
- specified in RFC-822 [SMTP:2] is transmitted using the Simple Mail
- Transfer Protocol (SMTP) defined in RFC-821 [SMTP:1].
-
- While SMTP has remained unchanged over the years, the Internet
- community has made several changes in the way SMTP is used. In
- particular, the conversion to the Domain Name System (DNS) has
- caused changes in address formats and in mail routing. In this
- section, we assume familiarity with the concepts and terminology
- of the DNS, whose requirements are given in Section 6.1.
-
- RFC-822 specifies the Internet standard format for electronic mail
- messages. RFC-822 supercedes an older standard, RFC-733, that may
- still be in use in a few places, although it is obsolete. The two
- formats are sometimes referred to simply by number ("822" and
- "733").
-
- RFC-822 is used in some non-Internet mail environments with
- different mail transfer protocols than SMTP, and SMTP has also
- been adapted for use in some non-Internet environments. Note that
- this document presents the rules for the use of SMTP and RFC-822
- for the Internet environment only; other mail environments that
- use these protocols may be expected to have their own rules.
-
- 5.2 PROTOCOL WALK-THROUGH
-
- This section covers both RFC-821 and RFC-822.
-
- The SMTP specification in RFC-821 is clear and contains numerous
- examples, so implementors should not find it difficult to
- understand. This section simply updates or annotates portions of
- RFC-821 to conform with current usage.
-
- RFC-822 is a long and dense document, defining a rich syntax.
- Unfortunately, incomplete or defective implementations of RFC-822
- are common. In fact, nearly all of the many formats of RFC-822
- are actually used, so an implementation generally needs to
- recognize and correctly interpret all of the RFC-822 syntax.
-
- 5.2.1 The SMTP Model: RFC-821 Section 2
-
- DISCUSSION:
- Mail is sent by a series of request/response transactions
- between a client, the "sender-SMTP," and a server, the
-
-
-
-Internet Engineering Task Force [Page 48]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- "receiver-SMTP". These transactions pass (1) the message
- proper, which is composed of header and body, and (2) SMTP
- source and destination addresses, referred to as the
- "envelope".
-
- The SMTP programs are analogous to Message Transfer Agents
- (MTAs) of X.400. There will be another level of protocol
- software, closer to the end user, that is responsible for
- composing and analyzing RFC-822 message headers; this
- component is known as the "User Agent" in X.400, and we
- use that term in this document. There is a clear logical
- distinction between the User Agent and the SMTP
- implementation, since they operate on different levels of
- protocol. Note, however, that this distinction is may not
- be exactly reflected the structure of typical
- implementations of Internet mail. Often there is a
- program known as the "mailer" that implements SMTP and
- also some of the User Agent functions; the rest of the
- User Agent functions are included in a user interface used
- for entering and reading mail.
-
- The SMTP envelope is constructed at the originating site,
- typically by the User Agent when the message is first
- queued for the Sender-SMTP program. The envelope
- addresses may be derived from information in the message
- header, supplied by the user interface (e.g., to implement
- a bcc: request), or derived from local configuration
- information (e.g., expansion of a mailing list). The SMTP
- envelope cannot in general be re-derived from the header
- at a later stage in message delivery, so the envelope is
- transmitted separately from the message itself using the
- MAIL and RCPT commands of SMTP.
-
- The text of RFC-821 suggests that mail is to be delivered
- to an individual user at a host. With the advent of the
- domain system and of mail routing using mail-exchange (MX)
- resource records, implementors should now think of
- delivering mail to a user at a domain, which may or may
- not be a particular host. This DOES NOT change the fact
- that SMTP is a host-to-host mail exchange protocol.
-
- 5.2.2 Canonicalization: RFC-821 Section 3.1
-
- The domain names that a Sender-SMTP sends in MAIL and RCPT
- commands MUST have been "canonicalized," i.e., they must be
- fully-qualified principal names or domain literals, not
- nicknames or domain abbreviations. A canonicalized name either
- identifies a host directly or is an MX name; it cannot be a
-
-
-
-Internet Engineering Task Force [Page 49]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- CNAME.
-
- 5.2.3 VRFY and EXPN Commands: RFC-821 Section 3.3
-
- A receiver-SMTP MUST implement VRFY and SHOULD implement EXPN
- (this requirement overrides RFC-821). However, there MAY be
- configuration information to disable VRFY and EXPN in a
- particular installation; this might even allow EXPN to be
- disabled for selected lists.
-
- A new reply code is defined for the VRFY command:
-
- 252 Cannot VRFY user (e.g., info is not local), but will
- take message for this user and attempt delivery.
-
- DISCUSSION:
- SMTP users and administrators make regular use of these
- commands for diagnosing mail delivery problems. With the
- increasing use of multi-level mailing list expansion
- (sometimes more than two levels), EXPN has been
- increasingly important for diagnosing inadvertent mail
- loops. On the other hand, some feel that EXPN represents
- a significant privacy, and perhaps even a security,
- exposure.
-
- 5.2.4 SEND, SOML, and SAML Commands: RFC-821 Section 3.4
-
- An SMTP MAY implement the commands to send a message to a
- user's terminal: SEND, SOML, and SAML.
-
- DISCUSSION:
- It has been suggested that the use of mail relaying
- through an MX record is inconsistent with the intent of
- SEND to deliver a message immediately and directly to a
- user's terminal. However, an SMTP receiver that is unable
- to write directly to the user terminal can return a "251
- User Not Local" reply to the RCPT following a SEND, to
- inform the originator of possibly deferred delivery.
-
- 5.2.5 HELO Command: RFC-821 Section 3.5
-
- The sender-SMTP MUST ensure that the <domain> parameter in a
- HELO command is a valid principal host domain name for the
- client host. As a result, the receiver-SMTP will not have to
- perform MX resolution on this name in order to validate the
- HELO parameter.
-
- The HELO receiver MAY verify that the HELO parameter really
-
-
-
-Internet Engineering Task Force [Page 50]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- corresponds to the IP address of the sender. However, the
- receiver MUST NOT refuse to accept a message, even if the
- sender's HELO command fails verification.
-
- DISCUSSION:
- Verifying the HELO parameter requires a domain name lookup
- and may therefore take considerable time. An alternative
- tool for tracking bogus mail sources is suggested below
- (see "DATA Command").
-
- Note also that the HELO argument is still required to have
- valid <domain> syntax, since it will appear in a Received:
- line; otherwise, a 501 error is to be sent.
-
- IMPLEMENTATION:
- When HELO parameter validation fails, a suggested
- procedure is to insert a note about the unknown
- authenticity of the sender into the message header (e.g.,
- in the "Received:" line).
-
- 5.2.6 Mail Relay: RFC-821 Section 3.6
-
- We distinguish three types of mail (store-and-) forwarding:
-
- (1) A simple forwarder or "mail exchanger" forwards a message
- using private knowledge about the recipient; see section
- 3.2 of RFC-821.
-
- (2) An SMTP mail "relay" forwards a message within an SMTP
- mail environment as the result of an explicit source route
- (as defined in section 3.6 of RFC-821). The SMTP relay
- function uses the "@...:" form of source route from RFC-
- 822 (see Section 5.2.19 below).
-
- (3) A mail "gateway" passes a message between different
- environments. The rules for mail gateways are discussed
- below in Section 5.3.7.
-
- An Internet host that is forwarding a message but is not a
- gateway to a different mail environment (i.e., it falls under
- (1) or (2)) SHOULD NOT alter any existing header fields,
- although the host will add an appropriate Received: line as
- required in Section 5.2.8.
-
- A Sender-SMTP SHOULD NOT send a RCPT TO: command containing an
- explicit source route using the "@...:" address form. Thus,
- the relay function defined in section 3.6 of RFC-821 should
- not be used.
-
-
-
-Internet Engineering Task Force [Page 51]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- DISCUSSION:
- The intent is to discourage all source routing and to
- abolish explicit source routing for mail delivery within
- the Internet environment. Source-routing is unnecessary;
- the simple target address "user@domain" should always
- suffice. This is the result of an explicit architectural
- decision to use universal naming rather than source
- routing for mail. Thus, SMTP provides end-to-end
- connectivity, and the DNS provides globally-unique,
- location-independent names. MX records handle the major
- case where source routing might otherwise be needed.
-
- A receiver-SMTP MUST accept the explicit source route syntax in
- the envelope, but it MAY implement the relay function as
- defined in section 3.6 of RFC-821. If it does not implement
- the relay function, it SHOULD attempt to deliver the message
- directly to the host to the right of the right-most "@" sign.
-
- DISCUSSION:
- For example, suppose a host that does not implement the
- relay function receives a message with the SMTP command:
- "RCPT TO:<@ALPHA,@BETA:joe@GAMMA>", where ALPHA, BETA, and
- GAMMA represent domain names. Rather than immediately
- refusing the message with a 550 error reply as suggested
- on page 20 of RFC-821, the host should try to forward the
- message to GAMMA directly, using: "RCPT TO:<joe@GAMMA>".
- Since this host does not support relaying, it is not
- required to update the reverse path.
-
- Some have suggested that source routing may be needed
- occasionally for manually routing mail around failures;
- however, the reality and importance of this need is
- controversial. The use of explicit SMTP mail relaying for
- this purpose is discouraged, and in fact it may not be
- successful, as many host systems do not support it. Some
- have used the "%-hack" (see Section 5.2.16) for this
- purpose.
-
- 5.2.7 RCPT Command: RFC-821 Section 4.1.1
-
- A host that supports a receiver-SMTP MUST support the reserved
- mailbox "Postmaster".
-
- The receiver-SMTP MAY verify RCPT parameters as they arrive;
- however, RCPT responses MUST NOT be delayed beyond a reasonable
- time (see Section 5.3.2).
-
- Therefore, a "250 OK" response to a RCPT does not necessarily
-
-
-
-Internet Engineering Task Force [Page 52]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- imply that the delivery address(es) are valid. Errors found
- after message acceptance will be reported by mailing a
- notification message to an appropriate address (see Section
- 5.3.3).
-
- DISCUSSION:
- The set of conditions under which a RCPT parameter can be
- validated immediately is an engineering design choice.
- Reporting destination mailbox errors to the Sender-SMTP
- before mail is transferred is generally desirable to save
- time and network bandwidth, but this advantage is lost if
- RCPT verification is lengthy.
-
- For example, the receiver can verify immediately any
- simple local reference, such as a single locally-
- registered mailbox. On the other hand, the "reasonable
- time" limitation generally implies deferring verification
- of a mailing list until after the message has been
- transferred and accepted, since verifying a large mailing
- list can take a very long time. An implementation might
- or might not choose to defer validation of addresses that
- are non-local and therefore require a DNS lookup. If a
- DNS lookup is performed but a soft domain system error
- (e.g., timeout) occurs, validity must be assumed.
-
- 5.2.8 DATA Command: RFC-821 Section 4.1.1
-
- Every receiver-SMTP (not just one that "accepts a message for
- relaying or for final delivery" [SMTP:1]) MUST insert a
- "Received:" line at the beginning of a message. In this line,
- called a "time stamp line" in RFC-821:
-
- * The FROM field SHOULD contain both (1) the name of the
- source host as presented in the HELO command and (2) a
- domain literal containing the IP address of the source,
- determined from the TCP connection.
-
- * The ID field MAY contain an "@" as suggested in RFC-822,
- but this is not required.
-
- * The FOR field MAY contain a list of <path> entries when
- multiple RCPT commands have been given.
-
-
- An Internet mail program MUST NOT change a Received: line that
- was previously added to the message header.
-
-
-
-
-
-Internet Engineering Task Force [Page 53]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- DISCUSSION:
- Including both the source host and the IP source address
- in the Received: line may provide enough information for
- tracking illicit mail sources and eliminate a need to
- explicitly verify the HELO parameter.
-
- Received: lines are primarily intended for humans tracing
- mail routes, primarily of diagnosis of faults. See also
- the discussion under 5.3.7.
-
- When the receiver-SMTP makes "final delivery" of a message,
- then it MUST pass the MAIL FROM: address from the SMTP envelope
- with the message, for use if an error notification message must
- be sent later (see Section 5.3.3). There is an analogous
- requirement when gatewaying from the Internet into a different
- mail environment; see Section 5.3.7.
-
- DISCUSSION:
- Note that the final reply to the DATA command depends only
- upon the successful transfer and storage of the message.
- Any problem with the destination address(es) must either
- (1) have been reported in an SMTP error reply to the RCPT
- command(s), or (2) be reported in a later error message
- mailed to the originator.
-
- IMPLEMENTATION:
- The MAIL FROM: information may be passed as a parameter or
- in a Return-Path: line inserted at the beginning of the
- message.
-
- 5.2.9 Command Syntax: RFC-821 Section 4.1.2
-
- The syntax shown in RFC-821 for the MAIL FROM: command omits
- the case of an empty path: "MAIL FROM: <>" (see RFC-821 Page
- 15). An empty reverse path MUST be supported.
-
- 5.2.10 SMTP Replies: RFC-821 Section 4.2
-
- A receiver-SMTP SHOULD send only the reply codes listed in
- section 4.2.2 of RFC-821 or in this document. A receiver-SMTP
- SHOULD use the text shown in examples in RFC-821 whenever
- appropriate.
-
- A sender-SMTP MUST determine its actions only by the reply
- code, not by the text (except for 251 and 551 replies); any
- text, including no text at all, must be acceptable. The space
- (blank) following the reply code is considered part of the
- text. Whenever possible, a sender-SMTP SHOULD test only the
-
-
-
-Internet Engineering Task Force [Page 54]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- first digit of the reply code, as specified in Appendix E of
- RFC-821.
-
- DISCUSSION:
- Interoperability problems have arisen with SMTP systems
- using reply codes that are not listed explicitly in RFC-
- 821 Section 4.3 but are legal according to the theory of
- reply codes explained in Appendix E.
-
- 5.2.11 Transparency: RFC-821 Section 4.5.2
-
- Implementors MUST be sure that their mail systems always add
- and delete periods to ensure message transparency.
-
- 5.2.12 WKS Use in MX Processing: RFC-974, p. 5
-
- RFC-974 [SMTP:3] recommended that the domain system be queried
- for WKS ("Well-Known Service") records, to verify that each
- proposed mail target does support SMTP. Later experience has
- shown that WKS is not widely supported, so the WKS step in MX
- processing SHOULD NOT be used.
-
- The following are notes on RFC-822, organized by section of that
- document.
-
- 5.2.13 RFC-822 Message Specification: RFC-822 Section 4
-
- The syntax shown for the Return-path line omits the possibility
- of a null return path, which is used to prevent looping of
- error notifications (see Section 5.3.3). The complete syntax
- is:
-
- return = "Return-path" ":" route-addr
- / "Return-path" ":" "<" ">"
-
- The set of optional header fields is hereby expanded to include
- the Content-Type field defined in RFC-1049 [SMTP:7]. This
- field "allows mail reading systems to automatically identify
- the type of a structured message body and to process it for
- display accordingly". [SMTP:7] A User Agent MAY support this
- field.
-
- 5.2.14 RFC-822 Date and Time Specification: RFC-822 Section 5
-
- The syntax for the date is hereby changed to:
-
- date = 1*2DIGIT month 2*4DIGIT
-
-
-
-
-Internet Engineering Task Force [Page 55]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- All mail software SHOULD use 4-digit years in dates, to ease
- the transition to the next century.
-
- There is a strong trend towards the use of numeric timezone
- indicators, and implementations SHOULD use numeric timezones
- instead of timezone names. However, all implementations MUST
- accept either notation. If timezone names are used, they MUST
- be exactly as defined in RFC-822.
-
- The military time zones are specified incorrectly in RFC-822:
- they count the wrong way from UT (the signs are reversed). As
- a result, military time zones in RFC-822 headers carry no
- information.
-
- Finally, note that there is a typo in the definition of "zone"
- in the syntax summary of appendix D; the correct definition
- occurs in Section 3 of RFC-822.
-
- 5.2.15 RFC-822 Syntax Change: RFC-822 Section 6.1
-
- The syntactic definition of "mailbox" in RFC-822 is hereby
- changed to:
-
- mailbox = addr-spec ; simple address
- / [phrase] route-addr ; name & addr-spec
-
- That is, the phrase preceding a route address is now OPTIONAL.
- This change makes the following header field legal, for
- example:
-
- From: <craig@nnsc.nsf.net>
-
- 5.2.16 RFC-822 Local-part: RFC-822 Section 6.2
-
- The basic mailbox address specification has the form: "local-
- part@domain". Here "local-part", sometimes called the "left-
- hand side" of the address, is domain-dependent.
-
- A host that is forwarding the message but is not the
- destination host implied by the right-hand side "domain" MUST
- NOT interpret or modify the "local-part" of the address.
-
- When mail is to be gatewayed from the Internet mail environment
- into a foreign mail environment (see Section 5.3.7), routing
- information for that foreign environment MAY be embedded within
- the "local-part" of the address. The gateway will then
- interpret this local part appropriately for the foreign mail
- environment.
-
-
-
-Internet Engineering Task Force [Page 56]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- DISCUSSION:
- Although source routes are discouraged within the Internet
- (see Section 5.2.6), there are non-Internet mail
- environments whose delivery mechanisms do depend upon
- source routes. Source routes for extra-Internet
- environments can generally be buried in the "local-part"
- of the address (see Section 5.2.16) while mail traverses
- the Internet. When the mail reaches the appropriate
- Internet mail gateway, the gateway will interpret the
- local-part and build the necessary address or route for
- the target mail environment.
-
- For example, an Internet host might send mail to:
- "a!b!c!user@gateway-domain". The complex local part
- "a!b!c!user" would be uninterpreted within the Internet
- domain, but could be parsed and understood by the
- specified mail gateway.
-
- An embedded source route is sometimes encoded in the
- "local-part" using "%" as a right-binding routing
- operator. For example, in:
-
- user%domain%relay3%relay2@relay1
-
- the "%" convention implies that the mail is to be routed
- from "relay1" through "relay2", "relay3", and finally to
- "user" at "domain". This is commonly known as the "%-
- hack". It is suggested that "%" have lower precedence
- than any other routing operator (e.g., "!") hidden in the
- local-part; for example, "a!b%c" would be interpreted as
- "(a!b)%c".
-
- Only the target host (in this case, "relay1") is permitted
- to analyze the local-part "user%domain%relay3%relay2".
-
- 5.2.17 Domain Literals: RFC-822 Section 6.2.3
-
- A mailer MUST be able to accept and parse an Internet domain
- literal whose content ("dtext"; see RFC-822) is a dotted-
- decimal host address. This satisfies the requirement of
- Section 2.1 for the case of mail.
-
- An SMTP MUST accept and recognize a domain literal for any of
- its own IP addresses.
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 57]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- 5.2.18 Common Address Formatting Errors: RFC-822 Section 6.1
-
- Errors in formatting or parsing 822 addresses are unfortunately
- common. This section mentions only the most common errors. A
- User Agent MUST accept all valid RFC-822 address formats, and
- MUST NOT generate illegal address syntax.
-
- o A common error is to leave out the semicolon after a group
- identifier.
-
- o Some systems fail to fully-qualify domain names in
- messages they generate. The right-hand side of an "@"
- sign in a header address field MUST be a fully-qualified
- domain name.
-
- For example, some systems fail to fully-qualify the From:
- address; this prevents a "reply" command in the user
- interface from automatically constructing a return
- address.
-
- DISCUSSION:
- Although RFC-822 allows the local use of abbreviated
- domain names within a domain, the application of
- RFC-822 in Internet mail does not allow this. The
- intent is that an Internet host must not send an SMTP
- message header containing an abbreviated domain name
- in an address field. This allows the address fields
- of the header to be passed without alteration across
- the Internet, as required in Section 5.2.6.
-
- o Some systems mis-parse multiple-hop explicit source routes
- such as:
-
- @relay1,@relay2,@relay3:user@domain.
-
-
- o Some systems over-qualify domain names by adding a
- trailing dot to some or all domain names in addresses or
- message-ids. This violates RFC-822 syntax.
-
-
- 5.2.19 Explicit Source Routes: RFC-822 Section 6.2.7
-
- Internet host software SHOULD NOT create an RFC-822 header
- containing an address with an explicit source route, but MUST
- accept such headers for compatibility with earlier systems.
-
- DISCUSSION:
-
-
-
-Internet Engineering Task Force [Page 58]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- In an understatement, RFC-822 says "The use of explicit
- source routing is discouraged". Many hosts implemented
- RFC-822 source routes incorrectly, so the syntax cannot be
- used unambiguously in practice. Many users feel the
- syntax is ugly. Explicit source routes are not needed in
- the mail envelope for delivery; see Section 5.2.6. For
- all these reasons, explicit source routes using the RFC-
- 822 notations are not to be used in Internet mail headers.
-
- As stated in Section 5.2.16, it is necessary to allow an
- explicit source route to be buried in the local-part of an
- address, e.g., using the "%-hack", in order to allow mail
- to be gatewayed into another environment in which explicit
- source routing is necessary. The vigilant will observe
- that there is no way for a User Agent to detect and
- prevent the use of such implicit source routing when the
- destination is within the Internet. We can only
- discourage source routing of any kind within the Internet,
- as unnecessary and undesirable.
-
- 5.3 SPECIFIC ISSUES
-
- 5.3.1 SMTP Queueing Strategies
-
- The common structure of a host SMTP implementation includes
- user mailboxes, one or more areas for queueing messages in
- transit, and one or more daemon processes for sending and
- receiving mail. The exact structure will vary depending on the
- needs of the users on the host and the number and size of
- mailing lists supported by the host. We describe several
- optimizations that have proved helpful, particularly for
- mailers supporting high traffic levels.
-
- Any queueing strategy MUST include:
-
- o Timeouts on all activities. See Section 5.3.2.
-
- o Never sending error messages in response to error
- messages.
-
-
- 5.3.1.1 Sending Strategy
-
- The general model of a sender-SMTP is one or more processes
- that periodically attempt to transmit outgoing mail. In a
- typical system, the program that composes a message has some
- method for requesting immediate attention for a new piece of
- outgoing mail, while mail that cannot be transmitted
-
-
-
-Internet Engineering Task Force [Page 59]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- immediately MUST be queued and periodically retried by the
- sender. A mail queue entry will include not only the
- message itself but also the envelope information.
-
- The sender MUST delay retrying a particular destination
- after one attempt has failed. In general, the retry
- interval SHOULD be at least 30 minutes; however, more
- sophisticated and variable strategies will be beneficial
- when the sender-SMTP can determine the reason for non-
- delivery.
-
- Retries continue until the message is transmitted or the
- sender gives up; the give-up time generally needs to be at
- least 4-5 days. The parameters to the retry algorithm MUST
- be configurable.
-
- A sender SHOULD keep a list of hosts it cannot reach and
- corresponding timeouts, rather than just retrying queued
- mail items.
-
- DISCUSSION:
- Experience suggests that failures are typically
- transient (the target system has crashed), favoring a
- policy of two connection attempts in the first hour the
- message is in the queue, and then backing off to once
- every two or three hours.
-
- The sender-SMTP can shorten the queueing delay by
- cooperation with the receiver-SMTP. In particular, if
- mail is received from a particular address, it is good
- evidence that any mail queued for that host can now be
- sent.
-
- The strategy may be further modified as a result of
- multiple addresses per host (see Section 5.3.4), to
- optimize delivery time vs. resource usage.
-
- A sender-SMTP may have a large queue of messages for
- each unavailable destination host, and if it retried
- all these messages in every retry cycle, there would be
- excessive Internet overhead and the daemon would be
- blocked for a long period. Note that an SMTP can
- generally determine that a delivery attempt has failed
- only after a timeout of a minute or more; a one minute
- timeout per connection will result in a very large
- delay if it is repeated for dozens or even hundreds of
- queued messages.
-
-
-
-
-Internet Engineering Task Force [Page 60]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- When the same message is to be delivered to several users on
- the same host, only one copy of the message SHOULD be
- transmitted. That is, the sender-SMTP should use the
- command sequence: RCPT, RCPT,... RCPT, DATA instead of the
- sequence: RCPT, DATA, RCPT, DATA,... RCPT, DATA.
- Implementation of this efficiency feature is strongly urged.
-
- Similarly, the sender-SMTP MAY support multiple concurrent
- outgoing mail transactions to achieve timely delivery.
- However, some limit SHOULD be imposed to protect the host
- from devoting all its resources to mail.
-
- The use of the different addresses of a multihomed host is
- discussed below.
-
- 5.3.1.2 Receiving strategy
-
- The receiver-SMTP SHOULD attempt to keep a pending listen on
- the SMTP port at all times. This will require the support
- of multiple incoming TCP connections for SMTP. Some limit
- MAY be imposed.
-
- IMPLEMENTATION:
- When the receiver-SMTP receives mail from a particular
- host address, it could notify the sender-SMTP to retry
- any mail pending for that host address.
-
- 5.3.2 Timeouts in SMTP
-
- There are two approaches to timeouts in the sender-SMTP: (a)
- limit the time for each SMTP command separately, or (b) limit
- the time for the entire SMTP dialogue for a single mail
- message. A sender-SMTP SHOULD use option (a), per-command
- timeouts. Timeouts SHOULD be easily reconfigurable, preferably
- without recompiling the SMTP code.
-
- DISCUSSION:
- Timeouts are an essential feature of an SMTP
- implementation. If the timeouts are too long (or worse,
- there are no timeouts), Internet communication failures or
- software bugs in receiver-SMTP programs can tie up SMTP
- processes indefinitely. If the timeouts are too short,
- resources will be wasted with attempts that time out part
- way through message delivery.
-
- If option (b) is used, the timeout has to be very large,
- e.g., an hour, to allow time to expand very large mailing
- lists. The timeout may also need to increase linearly
-
-
-
-Internet Engineering Task Force [Page 61]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- with the size of the message, to account for the time to
- transmit a very large message. A large fixed timeout
- leads to two problems: a failure can still tie up the
- sender for a very long time, and very large messages may
- still spuriously time out (which is a wasteful failure!).
-
- Using the recommended option (a), a timer is set for each
- SMTP command and for each buffer of the data transfer.
- The latter means that the overall timeout is inherently
- proportional to the size of the message.
-
- Based on extensive experience with busy mail-relay hosts, the
- minimum per-command timeout values SHOULD be as follows:
-
- o Initial 220 Message: 5 minutes
-
- A Sender-SMTP process needs to distinguish between a
- failed TCP connection and a delay in receiving the initial
- 220 greeting message. Many receiver-SMTPs will accept a
- TCP connection but delay delivery of the 220 message until
- their system load will permit more mail to be processed.
-
- o MAIL Command: 5 minutes
-
-
- o RCPT Command: 5 minutes
-
- A longer timeout would be required if processing of
- mailing lists and aliases were not deferred until after
- the message was accepted.
-
- o DATA Initiation: 2 minutes
-
- This is while awaiting the "354 Start Input" reply to a
- DATA command.
-
- o Data Block: 3 minutes
-
- This is while awaiting the completion of each TCP SEND
- call transmitting a chunk of data.
-
- o DATA Termination: 10 minutes.
-
- This is while awaiting the "250 OK" reply. When the
- receiver gets the final period terminating the message
- data, it typically performs processing to deliver the
- message to a user mailbox. A spurious timeout at this
- point would be very wasteful, since the message has been
-
-
-
-Internet Engineering Task Force [Page 62]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- successfully sent.
-
- A receiver-SMTP SHOULD have a timeout of at least 5 minutes
- while it is awaiting the next command from the sender.
-
- 5.3.3 Reliable Mail Receipt
-
- When the receiver-SMTP accepts a piece of mail (by sending a
- "250 OK" message in response to DATA), it is accepting
- responsibility for delivering or relaying the message. It must
- take this responsibility seriously, i.e., it MUST NOT lose the
- message for frivolous reasons, e.g., because the host later
- crashes or because of a predictable resource shortage.
-
- If there is a delivery failure after acceptance of a message,
- the receiver-SMTP MUST formulate and mail a notification
- message. This notification MUST be sent using a null ("<>")
- reverse path in the envelope; see Section 3.6 of RFC-821. The
- recipient of this notification SHOULD be the address from the
- envelope return path (or the Return-Path: line). However, if
- this address is null ("<>"), the receiver-SMTP MUST NOT send a
- notification. If the address is an explicit source route, it
- SHOULD be stripped down to its final hop.
-
- DISCUSSION:
- For example, suppose that an error notification must be
- sent for a message that arrived with:
- "MAIL FROM:<@a,@b:user@d>". The notification message
- should be sent to: "RCPT TO:<user@d>".
-
- Some delivery failures after the message is accepted by
- SMTP will be unavoidable. For example, it may be
- impossible for the receiver-SMTP to validate all the
- delivery addresses in RCPT command(s) due to a "soft"
- domain system error or because the target is a mailing
- list (see earlier discussion of RCPT).
-
- To avoid receiving duplicate messages as the result of
- timeouts, a receiver-SMTP MUST seek to minimize the time
- required to respond to the final "." that ends a message
- transfer. See RFC-1047 [SMTP:4] for a discussion of this
- problem.
-
- 5.3.4 Reliable Mail Transmission
-
- To transmit a message, a sender-SMTP determines the IP address
- of the target host from the destination address in the
- envelope. Specifically, it maps the string to the right of the
-
-
-
-Internet Engineering Task Force [Page 63]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- "@" sign into an IP address. This mapping or the transfer
- itself may fail with a soft error, in which case the sender-
- SMTP will requeue the outgoing mail for a later retry, as
- required in Section 5.3.1.1.
-
- When it succeeds, the mapping can result in a list of
- alternative delivery addresses rather than a single address,
- because of (a) multiple MX records, (b) multihoming, or both.
- To provide reliable mail transmission, the sender-SMTP MUST be
- able to try (and retry) each of the addresses in this list in
- order, until a delivery attempt succeeds. However, there MAY
- also be a configurable limit on the number of alternate
- addresses that can be tried. In any case, a host SHOULD try at
- least two addresses.
-
- The following information is to be used to rank the host
- addresses:
-
- (1) Multiple MX Records -- these contain a preference
- indication that should be used in sorting. If there are
- multiple destinations with the same preference and there
- is no clear reason to favor one (e.g., by address
- preference), then the sender-SMTP SHOULD pick one at
- random to spread the load across multiple mail exchanges
- for a specific organization; note that this is a
- refinement of the procedure in [DNS:3].
-
- (2) Multihomed host -- The destination host (perhaps taken
- from the preferred MX record) may be multihomed, in which
- case the domain name resolver will return a list of
- alternative IP addresses. It is the responsibility of the
- domain name resolver interface (see Section 6.1.3.4 below)
- to have ordered this list by decreasing preference, and
- SMTP MUST try them in the order presented.
-
- DISCUSSION:
- Although the capability to try multiple alternative
- addresses is required, there may be circumstances where
- specific installations want to limit or disable the use of
- alternative addresses. The question of whether a sender
- should attempt retries using the different addresses of a
- multihomed host has been controversial. The main argument
- for using the multiple addresses is that it maximizes the
- probability of timely delivery, and indeed sometimes the
- probability of any delivery; the counter argument is that
- it may result in unnecessary resource use.
-
- Note that resource use is also strongly determined by the
-
-
-
-Internet Engineering Task Force [Page 64]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- sending strategy discussed in Section 5.3.1.
-
- 5.3.5 Domain Name Support
-
- SMTP implementations MUST use the mechanism defined in Section
- 6.1 for mapping between domain names and IP addresses. This
- means that every Internet SMTP MUST include support for the
- Internet DNS.
-
- In particular, a sender-SMTP MUST support the MX record scheme
- [SMTP:3]. See also Section 7.4 of [DNS:2] for information on
- domain name support for SMTP.
-
- 5.3.6 Mailing Lists and Aliases
-
- An SMTP-capable host SHOULD support both the alias and the list
- form of address expansion for multiple delivery. When a
- message is delivered or forwarded to each address of an
- expanded list form, the return address in the envelope
- ("MAIL FROM:") MUST be changed to be the address of a person
- who administers the list, but the message header MUST be left
- unchanged; in particular, the "From" field of the message is
- unaffected.
-
- DISCUSSION:
- An important mail facility is a mechanism for multi-
- destination delivery of a single message, by transforming
- or "expanding" a pseudo-mailbox address into a list of
- destination mailbox addresses. When a message is sent to
- such a pseudo-mailbox (sometimes called an "exploder"),
- copies are forwarded or redistributed to each mailbox in
- the expanded list. We classify such a pseudo-mailbox as
- an "alias" or a "list", depending upon the expansion
- rules:
-
- (a) Alias
-
- To expand an alias, the recipient mailer simply
- replaces the pseudo-mailbox address in the envelope
- with each of the expanded addresses in turn; the rest
- of the envelope and the message body are left
- unchanged. The message is then delivered or
- forwarded to each expanded address.
-
- (b) List
-
- A mailing list may be said to operate by
- "redistribution" rather than by "forwarding". To
-
-
-
-Internet Engineering Task Force [Page 65]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- expand a list, the recipient mailer replaces the
- pseudo-mailbox address in the envelope with each of
- the expanded addresses in turn. The return address in
- the envelope is changed so that all error messages
- generated by the final deliveries will be returned to
- a list administrator, not to the message originator,
- who generally has no control over the contents of the
- list and will typically find error messages annoying.
-
-
- 5.3.7 Mail Gatewaying
-
- Gatewaying mail between different mail environments, i.e.,
- different mail formats and protocols, is complex and does not
- easily yield to standardization. See for example [SMTP:5a],
- [SMTP:5b]. However, some general requirements may be given for
- a gateway between the Internet and another mail environment.
-
- (A) Header fields MAY be rewritten when necessary as messages
- are gatewayed across mail environment boundaries.
-
- DISCUSSION:
- This may involve interpreting the local-part of the
- destination address, as suggested in Section 5.2.16.
-
- The other mail systems gatewayed to the Internet
- generally use a subset of RFC-822 headers, but some
- of them do not have an equivalent to the SMTP
- envelope. Therefore, when a message leaves the
- Internet environment, it may be necessary to fold the
- SMTP envelope information into the message header. A
- possible solution would be to create new header
- fields to carry the envelope information (e.g., "X-
- SMTP-MAIL:" and "X-SMTP-RCPT:"); however, this would
- require changes in mail programs in the foreign
- environment.
-
- (B) When forwarding a message into or out of the Internet
- environment, a gateway MUST prepend a Received: line, but
- it MUST NOT alter in any way a Received: line that is
- already in the header.
-
- DISCUSSION:
- This requirement is a subset of the general
- "Received:" line requirement of Section 5.2.8; it is
- restated here for emphasis.
-
- Received: fields of messages originating from other
-
-
-
-Internet Engineering Task Force [Page 66]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- environments may not conform exactly to RFC822.
- However, the most important use of Received: lines is
- for debugging mail faults, and this debugging can be
- severely hampered by well-meaning gateways that try
- to "fix" a Received: line.
-
- The gateway is strongly encouraged to indicate the
- environment and protocol in the "via" clauses of
- Received field(s) that it supplies.
-
- (C) From the Internet side, the gateway SHOULD accept all
- valid address formats in SMTP commands and in RFC-822
- headers, and all valid RFC-822 messages. Although a
- gateway must accept an RFC-822 explicit source route
- ("@...:" format) in either the RFC-822 header or in the
- envelope, it MAY or may not act on the source route; see
- Sections 5.2.6 and 5.2.19.
-
- DISCUSSION:
- It is often tempting to restrict the range of
- addresses accepted at the mail gateway to simplify
- the translation into addresses for the remote
- environment. This practice is based on the
- assumption that mail users have control over the
- addresses their mailers send to the mail gateway. In
- practice, however, users have little control over the
- addresses that are finally sent; their mailers are
- free to change addresses into any legal RFC-822
- format.
-
- (D) The gateway MUST ensure that all header fields of a
- message that it forwards into the Internet meet the
- requirements for Internet mail. In particular, all
- addresses in "From:", "To:", "Cc:", etc., fields must be
- transformed (if necessary) to satisfy RFC-822 syntax, and
- they must be effective and useful for sending replies.
-
-
- (E) The translation algorithm used to convert mail from the
- Internet protocols to another environment's protocol
- SHOULD try to ensure that error messages from the foreign
- mail environment are delivered to the return path from the
- SMTP envelope, not to the sender listed in the "From:"
- field of the RFC-822 message.
-
- DISCUSSION:
- Internet mail lists usually place the address of the
- mail list maintainer in the envelope but leave the
-
-
-
-Internet Engineering Task Force [Page 67]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- original message header intact (with the "From:"
- field containing the original sender). This yields
- the behavior the average recipient expects: a reply
- to the header gets sent to the original sender, not
- to a mail list maintainer; however, errors get sent
- to the maintainer (who can fix the problem) and not
- the sender (who probably cannot).
-
- (F) Similarly, when forwarding a message from another
- environment into the Internet, the gateway SHOULD set the
- envelope return path in accordance with an error message
- return address, if any, supplied by the foreign
- environment.
-
-
- 5.3.8 Maximum Message Size
-
- Mailer software MUST be able to send and receive messages of at
- least 64K bytes in length (including header), and a much larger
- maximum size is highly desirable.
-
- DISCUSSION:
- Although SMTP does not define the maximum size of a
- message, many systems impose implementation limits.
-
- The current de facto minimum limit in the Internet is 64K
- bytes. However, electronic mail is used for a variety of
- purposes that create much larger messages. For example,
- mail is often used instead of FTP for transmitting ASCII
- files, and in particular to transmit entire documents. As
- a result, messages can be 1 megabyte or even larger. We
- note that the present document together with its lower-
- layer companion contains 0.5 megabytes.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 68]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- 5.4 SMTP REQUIREMENTS SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
------------------------------------------------|----------|-|-|-|-|-|--
- | | | | | | |
-RECEIVER-SMTP: | | | | | | |
- Implement VRFY |5.2.3 |x| | | | |
- Implement EXPN |5.2.3 | |x| | | |
- EXPN, VRFY configurable |5.2.3 | | |x| | |
- Implement SEND, SOML, SAML |5.2.4 | | |x| | |
- Verify HELO parameter |5.2.5 | | |x| | |
- Refuse message with bad HELO |5.2.5 | | | | |x|
- Accept explicit src-route syntax in env. |5.2.6 |x| | | | |
- Support "postmaster" |5.2.7 |x| | | | |
- Process RCPT when received (except lists) |5.2.7 | | |x| | |
- Long delay of RCPT responses |5.2.7 | | | | |x|
- | | | | | | |
- Add Received: line |5.2.8 |x| | | | |
- Received: line include domain literal |5.2.8 | |x| | | |
- Change previous Received: line |5.2.8 | | | | |x|
- Pass Return-Path info (final deliv/gwy) |5.2.8 |x| | | | |
- Support empty reverse path |5.2.9 |x| | | | |
- Send only official reply codes |5.2.10 | |x| | | |
- Send text from RFC-821 when appropriate |5.2.10 | |x| | | |
- Delete "." for transparency |5.2.11 |x| | | | |
- Accept and recognize self domain literal(s) |5.2.17 |x| | | | |
- | | | | | | |
- Error message about error message |5.3.1 | | | | |x|
- Keep pending listen on SMTP port |5.3.1.2 | |x| | | |
- Provide limit on recv concurrency |5.3.1.2 | | |x| | |
- Wait at least 5 mins for next sender cmd |5.3.2 | |x| | | |
- Avoidable delivery failure after "250 OK" |5.3.3 | | | | |x|
- Send error notification msg after accept |5.3.3 |x| | | | |
- Send using null return path |5.3.3 |x| | | | |
- Send to envelope return path |5.3.3 | |x| | | |
- Send to null address |5.3.3 | | | | |x|
- Strip off explicit src route |5.3.3 | |x| | | |
- Minimize acceptance delay (RFC-1047) |5.3.3 |x| | | | |
------------------------------------------------|----------|-|-|-|-|-|--
-
-
-
-Internet Engineering Task Force [Page 69]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- | | | | | | |
-SENDER-SMTP: | | | | | | |
- Canonicalized domain names in MAIL, RCPT |5.2.2 |x| | | | |
- Implement SEND, SOML, SAML |5.2.4 | | |x| | |
- Send valid principal host name in HELO |5.2.5 |x| | | | |
- Send explicit source route in RCPT TO: |5.2.6 | | | |x| |
- Use only reply code to determine action |5.2.10 |x| | | | |
- Use only high digit of reply code when poss. |5.2.10 | |x| | | |
- Add "." for transparency |5.2.11 |x| | | | |
- | | | | | | |
- Retry messages after soft failure |5.3.1.1 |x| | | | |
- Delay before retry |5.3.1.1 |x| | | | |
- Configurable retry parameters |5.3.1.1 |x| | | | |
- Retry once per each queued dest host |5.3.1.1 | |x| | | |
- Multiple RCPT's for same DATA |5.3.1.1 | |x| | | |
- Support multiple concurrent transactions |5.3.1.1 | | |x| | |
- Provide limit on concurrency |5.3.1.1 | |x| | | |
- | | | | | | |
- Timeouts on all activities |5.3.1 |x| | | | |
- Per-command timeouts |5.3.2 | |x| | | |
- Timeouts easily reconfigurable |5.3.2 | |x| | | |
- Recommended times |5.3.2 | |x| | | |
- Try alternate addr's in order |5.3.4 |x| | | | |
- Configurable limit on alternate tries |5.3.4 | | |x| | |
- Try at least two alternates |5.3.4 | |x| | | |
- Load-split across equal MX alternates |5.3.4 | |x| | | |
- Use the Domain Name System |5.3.5 |x| | | | |
- Support MX records |5.3.5 |x| | | | |
- Use WKS records in MX processing |5.2.12 | | | |x| |
------------------------------------------------|----------|-|-|-|-|-|--
- | | | | | | |
-MAIL FORWARDING: | | | | | | |
- Alter existing header field(s) |5.2.6 | | | |x| |
- Implement relay function: 821/section 3.6 |5.2.6 | | |x| | |
- If not, deliver to RHS domain |5.2.6 | |x| | | |
- Interpret 'local-part' of addr |5.2.16 | | | | |x|
- | | | | | | |
-MAILING LISTS AND ALIASES | | | | | | |
- Support both |5.3.6 | |x| | | |
- Report mail list error to local admin. |5.3.6 |x| | | | |
- | | | | | | |
-MAIL GATEWAYS: | | | | | | |
- Embed foreign mail route in local-part |5.2.16 | | |x| | |
- Rewrite header fields when necessary |5.3.7 | | |x| | |
- Prepend Received: line |5.3.7 |x| | | | |
- Change existing Received: line |5.3.7 | | | | |x|
- Accept full RFC-822 on Internet side |5.3.7 | |x| | | |
- Act on RFC-822 explicit source route |5.3.7 | | |x| | |
-
-
-
-Internet Engineering Task Force [Page 70]
-
-
-
-
-RFC1123 MAIL -- SMTP & RFC-822 October 1989
-
-
- Send only valid RFC-822 on Internet side |5.3.7 |x| | | | |
- Deliver error msgs to envelope addr |5.3.7 | |x| | | |
- Set env return path from err return addr |5.3.7 | |x| | | |
- | | | | | | |
-USER AGENT -- RFC-822 | | | | | | |
- Allow user to enter <route> address |5.2.6 | | | |x| |
- Support RFC-1049 Content Type field |5.2.13 | | |x| | |
- Use 4-digit years |5.2.14 | |x| | | |
- Generate numeric timezones |5.2.14 | |x| | | |
- Accept all timezones |5.2.14 |x| | | | |
- Use non-num timezones from RFC-822 |5.2.14 |x| | | | |
- Omit phrase before route-addr |5.2.15 | | |x| | |
- Accept and parse dot.dec. domain literals |5.2.17 |x| | | | |
- Accept all RFC-822 address formats |5.2.18 |x| | | | |
- Generate invalid RFC-822 address format |5.2.18 | | | | |x|
- Fully-qualified domain names in header |5.2.18 |x| | | | |
- Create explicit src route in header |5.2.19 | | | |x| |
- Accept explicit src route in header |5.2.19 |x| | | | |
- | | | | | | |
-Send/recv at least 64KB messages |5.3.8 |x| | | | |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 71]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
-6. SUPPORT SERVICES
-
- 6.1 DOMAIN NAME TRANSLATION
-
- 6.1.1 INTRODUCTION
-
- Every host MUST implement a resolver for the Domain Name System
- (DNS), and it MUST implement a mechanism using this DNS
- resolver to convert host names to IP addresses and vice-versa
- [DNS:1, DNS:2].
-
- In addition to the DNS, a host MAY also implement a host name
- translation mechanism that searches a local Internet host
- table. See Section 6.1.3.8 for more information on this
- option.
-
- DISCUSSION:
- Internet host name translation was originally performed by
- searching local copies of a table of all hosts. This
- table became too large to update and distribute in a
- timely manner and too large to fit into many hosts, so the
- DNS was invented.
-
- The DNS creates a distributed database used primarily for
- the translation between host names and host addresses.
- Implementation of DNS software is required. The DNS
- consists of two logically distinct parts: name servers and
- resolvers (although implementations often combine these
- two logical parts in the interest of efficiency) [DNS:2].
-
- Domain name servers store authoritative data about certain
- sections of the database and answer queries about the
- data. Domain resolvers query domain name servers for data
- on behalf of user processes. Every host therefore needs a
- DNS resolver; some host machines will also need to run
- domain name servers. Since no name server has complete
- information, in general it is necessary to obtain
- information from more than one name server to resolve a
- query.
-
- 6.1.2 PROTOCOL WALK-THROUGH
-
- An implementor must study references [DNS:1] and [DNS:2]
- carefully. They provide a thorough description of the theory,
- protocol, and implementation of the domain name system, and
- reflect several years of experience.
-
-
-
-
-
-Internet Engineering Task Force [Page 72]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- 6.1.2.1 Resource Records with Zero TTL: RFC-1035 Section 3.2.1
-
- All DNS name servers and resolvers MUST properly handle RRs
- with a zero TTL: return the RR to the client but do not
- cache it.
-
- DISCUSSION:
- Zero TTL values are interpreted to mean that the RR can
- only be used for the transaction in progress, and
- should not be cached; they are useful for extremely
- volatile data.
-
- 6.1.2.2 QCLASS Values: RFC-1035 Section 3.2.5
-
- A query with "QCLASS=*" SHOULD NOT be used unless the
- requestor is seeking data from more than one class. In
- particular, if the requestor is only interested in Internet
- data types, QCLASS=IN MUST be used.
-
- 6.1.2.3 Unused Fields: RFC-1035 Section 4.1.1
-
- Unused fields in a query or response message MUST be zero.
-
- 6.1.2.4 Compression: RFC-1035 Section 4.1.4
-
- Name servers MUST use compression in responses.
-
- DISCUSSION:
- Compression is essential to avoid overflowing UDP
- datagrams; see Section 6.1.3.2.
-
- 6.1.2.5 Misusing Configuration Info: RFC-1035 Section 6.1.2
-
- Recursive name servers and full-service resolvers generally
- have some configuration information containing hints about
- the location of root or local name servers. An
- implementation MUST NOT include any of these hints in a
- response.
-
- DISCUSSION:
- Many implementors have found it convenient to store
- these hints as if they were cached data, but some
- neglected to ensure that this "cached data" was not
- included in responses. This has caused serious
- problems in the Internet when the hints were obsolete
- or incorrect.
-
-
-
-
-
-Internet Engineering Task Force [Page 73]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- 6.1.3 SPECIFIC ISSUES
-
- 6.1.3.1 Resolver Implementation
-
- A name resolver SHOULD be able to multiplex concurrent
- requests if the host supports concurrent processes.
-
- In implementing a DNS resolver, one of two different models
- MAY optionally be chosen: a full-service resolver, or a stub
- resolver.
-
-
- (A) Full-Service Resolver
-
- A full-service resolver is a complete implementation of
- the resolver service, and is capable of dealing with
- communication failures, failure of individual name
- servers, location of the proper name server for a given
- name, etc. It must satisfy the following requirements:
-
- o The resolver MUST implement a local caching
- function to avoid repeated remote access for
- identical requests, and MUST time out information
- in the cache.
-
- o The resolver SHOULD be configurable with start-up
- information pointing to multiple root name servers
- and multiple name servers for the local domain.
- This insures that the resolver will be able to
- access the whole name space in normal cases, and
- will be able to access local domain information
- should the local network become disconnected from
- the rest of the Internet.
-
-
- (B) Stub Resolver
-
- A "stub resolver" relies on the services of a recursive
- name server on the connected network or a "nearby"
- network. This scheme allows the host to pass on the
- burden of the resolver function to a name server on
- another host. This model is often essential for less
- capable hosts, such as PCs, and is also recommended
- when the host is one of several workstations on a local
- network, because it allows all of the workstations to
- share the cache of the recursive name server and hence
- reduce the number of domain requests exported by the
- local network.
-
-
-
-Internet Engineering Task Force [Page 74]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- At a minimum, the stub resolver MUST be capable of
- directing its requests to redundant recursive name
- servers. Note that recursive name servers are allowed
- to restrict the sources of requests that they will
- honor, so the host administrator must verify that the
- service will be provided. Stub resolvers MAY implement
- caching if they choose, but if so, MUST timeout cached
- information.
-
-
- 6.1.3.2 Transport Protocols
-
- DNS resolvers and recursive servers MUST support UDP, and
- SHOULD support TCP, for sending (non-zone-transfer) queries.
- Specifically, a DNS resolver or server that is sending a
- non-zone-transfer query MUST send a UDP query first. If the
- Answer section of the response is truncated and if the
- requester supports TCP, it SHOULD try the query again using
- TCP.
-
- DNS servers MUST be able to service UDP queries and SHOULD
- be able to service TCP queries. A name server MAY limit the
- resources it devotes to TCP queries, but it SHOULD NOT
- refuse to service a TCP query just because it would have
- succeeded with UDP.
-
- Truncated responses MUST NOT be saved (cached) and later
- used in such a way that the fact that they are truncated is
- lost.
-
- DISCUSSION:
- UDP is preferred over TCP for queries because UDP
- queries have much lower overhead, both in packet count
- and in connection state. The use of UDP is essential
- for heavily-loaded servers, especially the root
- servers. UDP also offers additional robustness, since
- a resolver can attempt several UDP queries to different
- servers for the cost of a single TCP query.
-
- It is possible for a DNS response to be truncated,
- although this is a very rare occurrence in the present
- Internet DNS. Practically speaking, truncation cannot
- be predicted, since it is data-dependent. The
- dependencies include the number of RRs in the answer,
- the size of each RR, and the savings in space realized
- by the name compression algorithm. As a rule of thumb,
- truncation in NS and MX lists should not occur for
- answers containing 15 or fewer RRs.
-
-
-
-Internet Engineering Task Force [Page 75]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- Whether it is possible to use a truncated answer
- depends on the application. A mailer must not use a
- truncated MX response, since this could lead to mail
- loops.
-
- Responsible practices can make UDP suffice in the vast
- majority of cases. Name servers must use compression
- in responses. Resolvers must differentiate truncation
- of the Additional section of a response (which only
- loses extra information) from truncation of the Answer
- section (which for MX records renders the response
- unusable by mailers). Database administrators should
- list only a reasonable number of primary names in lists
- of name servers, MX alternatives, etc.
-
- However, it is also clear that some new DNS record
- types defined in the future will contain information
- exceeding the 512 byte limit that applies to UDP, and
- hence will require TCP. Thus, resolvers and name
- servers should implement TCP services as a backup to
- UDP today, with the knowledge that they will require
- the TCP service in the future.
-
- By private agreement, name servers and resolvers MAY arrange
- to use TCP for all traffic between themselves. TCP MUST be
- used for zone transfers.
-
- A DNS server MUST have sufficient internal concurrency that
- it can continue to process UDP queries while awaiting a
- response or performing a zone transfer on an open TCP
- connection [DNS:2].
-
- A server MAY support a UDP query that is delivered using an
- IP broadcast or multicast address. However, the Recursion
- Desired bit MUST NOT be set in a query that is multicast,
- and MUST be ignored by name servers receiving queries via a
- broadcast or multicast address. A host that sends broadcast
- or multicast DNS queries SHOULD send them only as occasional
- probes, caching the IP address(es) it obtains from the
- response(s) so it can normally send unicast queries.
-
- DISCUSSION:
- Broadcast or (especially) IP multicast can provide a
- way to locate nearby name servers without knowing their
- IP addresses in advance. However, general broadcasting
- of recursive queries can result in excessive and
- unnecessary load on both network and servers.
-
-
-
-
-Internet Engineering Task Force [Page 76]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- 6.1.3.3 Efficient Resource Usage
-
- The following requirements on servers and resolvers are very
- important to the health of the Internet as a whole,
- particularly when DNS services are invoked repeatedly by
- higher level automatic servers, such as mailers.
-
- (1) The resolver MUST implement retransmission controls to
- insure that it does not waste communication bandwidth,
- and MUST impose finite bounds on the resources consumed
- to respond to a single request. See [DNS:2] pages 43-
- 44 for specific recommendations.
-
- (2) After a query has been retransmitted several times
- without a response, an implementation MUST give up and
- return a soft error to the application.
-
- (3) All DNS name servers and resolvers SHOULD cache
- temporary failures, with a timeout period of the order
- of minutes.
-
- DISCUSSION:
- This will prevent applications that immediately
- retry soft failures (in violation of Section 2.2
- of this document) from generating excessive DNS
- traffic.
-
- (4) All DNS name servers and resolvers SHOULD cache
- negative responses that indicate the specified name, or
- data of the specified type, does not exist, as
- described in [DNS:2].
-
- (5) When a DNS server or resolver retries a UDP query, the
- retry interval SHOULD be constrained by an exponential
- backoff algorithm, and SHOULD also have upper and lower
- bounds.
-
- IMPLEMENTATION:
- A measured RTT and variance (if available) should
- be used to calculate an initial retransmission
- interval. If this information is not available, a
- default of no less than 5 seconds should be used.
- Implementations may limit the retransmission
- interval, but this limit must exceed twice the
- Internet maximum segment lifetime plus service
- delay at the name server.
-
- (6) When a resolver or server receives a Source Quench for
-
-
-
-Internet Engineering Task Force [Page 77]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- a query it has issued, it SHOULD take steps to reduce
- the rate of querying that server in the near future. A
- server MAY ignore a Source Quench that it receives as
- the result of sending a response datagram.
-
- IMPLEMENTATION:
- One recommended action to reduce the rate is to
- send the next query attempt to an alternate
- server, if there is one available. Another is to
- backoff the retry interval for the same server.
-
-
- 6.1.3.4 Multihomed Hosts
-
- When the host name-to-address function encounters a host
- with multiple addresses, it SHOULD rank or sort the
- addresses using knowledge of the immediately connected
- network number(s) and any other applicable performance or
- history information.
-
- DISCUSSION:
- The different addresses of a multihomed host generally
- imply different Internet paths, and some paths may be
- preferable to others in performance, reliability, or
- administrative restrictions. There is no general way
- for the domain system to determine the best path. A
- recommended approach is to base this decision on local
- configuration information set by the system
- administrator.
-
- IMPLEMENTATION:
- The following scheme has been used successfully:
-
- (a) Incorporate into the host configuration data a
- Network-Preference List, that is simply a list of
- networks in preferred order. This list may be
- empty if there is no preference.
-
- (b) When a host name is mapped into a list of IP
- addresses, these addresses should be sorted by
- network number, into the same order as the
- corresponding networks in the Network-Preference
- List. IP addresses whose networks do not appear
- in the Network-Preference List should be placed at
- the end of the list.
-
-
-
-
-
-
-Internet Engineering Task Force [Page 78]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- 6.1.3.5 Extensibility
-
- DNS software MUST support all well-known, class-independent
- formats [DNS:2], and SHOULD be written to minimize the
- trauma associated with the introduction of new well-known
- types and local experimentation with non-standard types.
-
- DISCUSSION:
- The data types and classes used by the DNS are
- extensible, and thus new types will be added and old
- types deleted or redefined. Introduction of new data
- types ought to be dependent only upon the rules for
- compression of domain names inside DNS messages, and
- the translation between printable (i.e., master file)
- and internal formats for Resource Records (RRs).
-
- Compression relies on knowledge of the format of data
- inside a particular RR. Hence compression must only be
- used for the contents of well-known, class-independent
- RRs, and must never be used for class-specific RRs or
- RR types that are not well-known. The owner name of an
- RR is always eligible for compression.
-
- A name server may acquire, via zone transfer, RRs that
- the server doesn't know how to convert to printable
- format. A resolver can receive similar information as
- the result of queries. For proper operation, this data
- must be preserved, and hence the implication is that
- DNS software cannot use textual formats for internal
- storage.
-
- The DNS defines domain name syntax very generally -- a
- string of labels each containing up to 63 8-bit octets,
- separated by dots, and with a maximum total of 255
- octets. Particular applications of the DNS are
- permitted to further constrain the syntax of the domain
- names they use, although the DNS deployment has led to
- some applications allowing more general names. In
- particular, Section 2.1 of this document liberalizes
- slightly the syntax of a legal Internet host name that
- was defined in RFC-952 [DNS:4].
-
- 6.1.3.6 Status of RR Types
-
- Name servers MUST be able to load all RR types except MD and
- MF from configuration files. The MD and MF types are
- obsolete and MUST NOT be implemented; in particular, name
- servers MUST NOT load these types from configuration files.
-
-
-
-Internet Engineering Task Force [Page 79]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- DISCUSSION:
- The RR types MB, MG, MR, NULL, MINFO and RP are
- considered experimental, and applications that use the
- DNS cannot expect these RR types to be supported by
- most domains. Furthermore these types are subject to
- redefinition.
-
- The TXT and WKS RR types have not been widely used by
- Internet sites; as a result, an application cannot rely
- on the the existence of a TXT or WKS RR in most
- domains.
-
- 6.1.3.7 Robustness
-
- DNS software may need to operate in environments where the
- root servers or other servers are unavailable due to network
- connectivity or other problems. In this situation, DNS name
- servers and resolvers MUST continue to provide service for
- the reachable part of the name space, while giving temporary
- failures for the rest.
-
- DISCUSSION:
- Although the DNS is meant to be used primarily in the
- connected Internet, it should be possible to use the
- system in networks which are unconnected to the
- Internet. Hence implementations must not depend on
- access to root servers before providing service for
- local names.
-
- 6.1.3.8 Local Host Table
-
- DISCUSSION:
- A host may use a local host table as a backup or
- supplement to the DNS. This raises the question of
- which takes precedence, the DNS or the host table; the
- most flexible approach would make this a configuration
- option.
-
- Typically, the contents of such a supplementary host
- table will be determined locally by the site. However,
- a publically-available table of Internet hosts is
- maintained by the DDN Network Information Center (DDN
- NIC), with a format documented in [DNS:4]. This table
- can be retrieved from the DDN NIC using a protocol
- described in [DNS:5]. It must be noted that this table
- contains only a small fraction of all Internet hosts.
- Hosts using this protocol to retrieve the DDN NIC host
- table should use the VERSION command to check if the
-
-
-
-Internet Engineering Task Force [Page 80]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- table has changed before requesting the entire table
- with the ALL command. The VERSION identifier should be
- treated as an arbitrary string and tested only for
- equality; no numerical sequence may be assumed.
-
- The DDN NIC host table includes administrative
- information that is not needed for host operation and
- is therefore not currently included in the DNS
- database; examples include network and gateway entries.
- However, much of this additional information will be
- added to the DNS in the future. Conversely, the DNS
- provides essential services (in particular, MX records)
- that are not available from the DDN NIC host table.
-
- 6.1.4 DNS USER INTERFACE
-
- 6.1.4.1 DNS Administration
-
- This document is concerned with design and implementation
- issues in host software, not with administrative or
- operational issues. However, administrative issues are of
- particular importance in the DNS, since errors in particular
- segments of this large distributed database can cause poor
- or erroneous performance for many sites. These issues are
- discussed in [DNS:6] and [DNS:7].
-
- 6.1.4.2 DNS User Interface
-
- Hosts MUST provide an interface to the DNS for all
- application programs running on the host. This interface
- will typically direct requests to a system process to
- perform the resolver function [DNS:1, 6.1:2].
-
- At a minimum, the basic interface MUST support a request for
- all information of a specific type and class associated with
- a specific name, and it MUST return either all of the
- requested information, a hard error code, or a soft error
- indication. When there is no error, the basic interface
- returns the complete response information without
- modification, deletion, or ordering, so that the basic
- interface will not need to be changed to accommodate new
- data types.
-
- DISCUSSION:
- The soft error indication is an essential part of the
- interface, since it may not always be possible to
- access particular information from the DNS; see Section
- 6.1.3.3.
-
-
-
-Internet Engineering Task Force [Page 81]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- A host MAY provide other DNS interfaces tailored to
- particular functions, transforming the raw domain data into
- formats more suited to these functions. In particular, a
- host MUST provide a DNS interface to facilitate translation
- between host addresses and host names.
-
- 6.1.4.3 Interface Abbreviation Facilities
-
- User interfaces MAY provide a method for users to enter
- abbreviations for commonly-used names. Although the
- definition of such methods is outside of the scope of the
- DNS specification, certain rules are necessary to insure
- that these methods allow access to the entire DNS name space
- and to prevent excessive use of Internet resources.
-
- If an abbreviation method is provided, then:
-
- (a) There MUST be some convention for denoting that a name
- is already complete, so that the abbreviation method(s)
- are suppressed. A trailing dot is the usual method.
-
- (b) Abbreviation expansion MUST be done exactly once, and
- MUST be done in the context in which the name was
- entered.
-
-
- DISCUSSION:
- For example, if an abbreviation is used in a mail
- program for a destination, the abbreviation should be
- expanded into a full domain name and stored in the
- queued message with an indication that it is already
- complete. Otherwise, the abbreviation might be
- expanded with a mail system search list, not the
- user's, or a name could grow due to repeated
- canonicalizations attempts interacting with wildcards.
-
- The two most common abbreviation methods are:
-
- (1) Interface-level aliases
-
- Interface-level aliases are conceptually implemented as
- a list of alias/domain name pairs. The list can be
- per-user or per-host, and separate lists can be
- associated with different functions, e.g. one list for
- host name-to-address translation, and a different list
- for mail domains. When the user enters a name, the
- interface attempts to match the name to the alias
- component of a list entry, and if a matching entry can
-
-
-
-Internet Engineering Task Force [Page 82]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- be found, the name is replaced by the domain name found
- in the pair.
-
- Note that interface-level aliases and CNAMEs are
- completely separate mechanisms; interface-level aliases
- are a local matter while CNAMEs are an Internet-wide
- aliasing mechanism which is a required part of any DNS
- implementation.
-
- (2) Search Lists
-
- A search list is conceptually implemented as an ordered
- list of domain names. When the user enters a name, the
- domain names in the search list are used as suffixes to
- the user-supplied name, one by one, until a domain name
- with the desired associated data is found, or the
- search list is exhausted. Search lists often contain
- the name of the local host's parent domain or other
- ancestor domains. Search lists are often per-user or
- per-process.
-
- It SHOULD be possible for an administrator to disable a
- DNS search-list facility. Administrative denial may be
- warranted in some cases, to prevent abuse of the DNS.
-
- There is danger that a search-list mechanism will
- generate excessive queries to the root servers while
- testing whether user input is a complete domain name,
- lacking a final period to mark it as complete. A
- search-list mechanism MUST have one of, and SHOULD have
- both of, the following two provisions to prevent this:
-
- (a) The local resolver/name server can implement
- caching of negative responses (see Section
- 6.1.3.3).
-
- (b) The search list expander can require two or more
- interior dots in a generated domain name before it
- tries using the name in a query to non-local
- domain servers, such as the root.
-
- DISCUSSION:
- The intent of this requirement is to avoid
- excessive delay for the user as the search list is
- tested, and more importantly to prevent excessive
- traffic to the root and other high-level servers.
- For example, if the user supplied a name "X" and
- the search list contained the root as a component,
-
-
-
-Internet Engineering Task Force [Page 83]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- a query would have to consult a root server before
- the next search list alternative could be tried.
- The resulting load seen by the root servers and
- gateways near the root would be multiplied by the
- number of hosts in the Internet.
-
- The negative caching alternative limits the effect
- to the first time a name is used. The interior
- dot rule is simpler to implement but can prevent
- easy use of some top-level names.
-
-
- 6.1.5 DOMAIN NAME SYSTEM REQUIREMENTS SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
------------------------------------------------|-----------|-|-|-|-|-|--
-GENERAL ISSUES | | | | | | |
- | | | | | | |
-Implement DNS name-to-address conversion |6.1.1 |x| | | | |
-Implement DNS address-to-name conversion |6.1.1 |x| | | | |
-Support conversions using host table |6.1.1 | | |x| | |
-Properly handle RR with zero TTL |6.1.2.1 |x| | | | |
-Use QCLASS=* unnecessarily |6.1.2.2 | |x| | | |
- Use QCLASS=IN for Internet class |6.1.2.2 |x| | | | |
-Unused fields zero |6.1.2.3 |x| | | | |
-Use compression in responses |6.1.2.4 |x| | | | |
- | | | | | | |
-Include config info in responses |6.1.2.5 | | | | |x|
-Support all well-known, class-indep. types |6.1.3.5 |x| | | | |
-Easily expand type list |6.1.3.5 | |x| | | |
-Load all RR types (except MD and MF) |6.1.3.6 |x| | | | |
-Load MD or MF type |6.1.3.6 | | | | |x|
-Operate when root servers, etc. unavailable |6.1.3.7 |x| | | | |
------------------------------------------------|-----------|-|-|-|-|-|--
-RESOLVER ISSUES: | | | | | | |
- | | | | | | |
-Resolver support multiple concurrent requests |6.1.3.1 | |x| | | |
-Full-service resolver: |6.1.3.1 | | |x| | |
- Local caching |6.1.3.1 |x| | | | |
-
-
-
-Internet Engineering Task Force [Page 84]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- Information in local cache times out |6.1.3.1 |x| | | | |
- Configurable with starting info |6.1.3.1 | |x| | | |
-Stub resolver: |6.1.3.1 | | |x| | |
- Use redundant recursive name servers |6.1.3.1 |x| | | | |
- Local caching |6.1.3.1 | | |x| | |
- Information in local cache times out |6.1.3.1 |x| | | | |
-Support for remote multi-homed hosts: | | | | | | |
- Sort multiple addresses by preference list |6.1.3.4 | |x| | | |
- | | | | | | |
------------------------------------------------|-----------|-|-|-|-|-|--
-TRANSPORT PROTOCOLS: | | | | | | |
- | | | | | | |
-Support UDP queries |6.1.3.2 |x| | | | |
-Support TCP queries |6.1.3.2 | |x| | | |
- Send query using UDP first |6.1.3.2 |x| | | | |1
- Try TCP if UDP answers are truncated |6.1.3.2 | |x| | | |
-Name server limit TCP query resources |6.1.3.2 | | |x| | |
- Punish unnecessary TCP query |6.1.3.2 | | | |x| |
-Use truncated data as if it were not |6.1.3.2 | | | | |x|
-Private agreement to use only TCP |6.1.3.2 | | |x| | |
-Use TCP for zone transfers |6.1.3.2 |x| | | | |
-TCP usage not block UDP queries |6.1.3.2 |x| | | | |
-Support broadcast or multicast queries |6.1.3.2 | | |x| | |
- RD bit set in query |6.1.3.2 | | | | |x|
- RD bit ignored by server is b'cast/m'cast |6.1.3.2 |x| | | | |
- Send only as occasional probe for addr's |6.1.3.2 | |x| | | |
------------------------------------------------|-----------|-|-|-|-|-|--
-RESOURCE USAGE: | | | | | | |
- | | | | | | |
-Transmission controls, per [DNS:2] |6.1.3.3 |x| | | | |
- Finite bounds per request |6.1.3.3 |x| | | | |
-Failure after retries => soft error |6.1.3.3 |x| | | | |
-Cache temporary failures |6.1.3.3 | |x| | | |
-Cache negative responses |6.1.3.3 | |x| | | |
-Retries use exponential backoff |6.1.3.3 | |x| | | |
- Upper, lower bounds |6.1.3.3 | |x| | | |
-Client handle Source Quench |6.1.3.3 | |x| | | |
-Server ignore Source Quench |6.1.3.3 | | |x| | |
------------------------------------------------|-----------|-|-|-|-|-|--
-USER INTERFACE: | | | | | | |
- | | | | | | |
-All programs have access to DNS interface |6.1.4.2 |x| | | | |
-Able to request all info for given name |6.1.4.2 |x| | | | |
-Returns complete info or error |6.1.4.2 |x| | | | |
-Special interfaces |6.1.4.2 | | |x| | |
- Name<->Address translation |6.1.4.2 |x| | | | |
- | | | | | | |
-Abbreviation Facilities: |6.1.4.3 | | |x| | |
-
-
-
-Internet Engineering Task Force [Page 85]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
-
-
- Convention for complete names |6.1.4.3 |x| | | | |
- Conversion exactly once |6.1.4.3 |x| | | | |
- Conversion in proper context |6.1.4.3 |x| | | | |
- Search list: |6.1.4.3 | | |x| | |
- Administrator can disable |6.1.4.3 | |x| | | |
- Prevention of excessive root queries |6.1.4.3 |x| | | | |
- Both methods |6.1.4.3 | |x| | | |
------------------------------------------------|-----------|-|-|-|-|-|--
------------------------------------------------|-----------|-|-|-|-|-|--
-
-1. Unless there is private agreement between particular resolver and
- particular server.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 86]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- INITIALIZATION October 1989
-
-
- 6.2 HOST INITIALIZATION
-
- 6.2.1 INTRODUCTION
-
- This section discusses the initialization of host software
- across a connected network, or more generally across an
- Internet path. This is necessary for a diskless host, and may
- optionally be used for a host with disk drives. For a diskless
- host, the initialization process is called "network booting"
- and is controlled by a bootstrap program located in a boot ROM.
-
- To initialize a diskless host across the network, there are two
- distinct phases:
-
- (1) Configure the IP layer.
-
- Diskless machines often have no permanent storage in which
- to store network configuration information, so that
- sufficient configuration information must be obtained
- dynamically to support the loading phase that follows.
- This information must include at least the IP addresses of
- the host and of the boot server. To support booting
- across a gateway, the address mask and a list of default
- gateways are also required.
-
- (2) Load the host system code.
-
- During the loading phase, an appropriate file transfer
- protocol is used to copy the system code across the
- network from the boot server.
-
- A host with a disk may perform the first step, dynamic
- configuration. This is important for microcomputers, whose
- floppy disks allow network configuration information to be
- mistakenly duplicated on more than one host. Also,
- installation of new hosts is much simpler if they automatically
- obtain their configuration information from a central server,
- saving administrator time and decreasing the probability of
- mistakes.
-
- 6.2.2 REQUIREMENTS
-
- 6.2.2.1 Dynamic Configuration
-
- A number of protocol provisions have been made for dynamic
- configuration.
-
- o ICMP Information Request/Reply messages
-
-
-
-Internet Engineering Task Force [Page 87]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- INITIALIZATION October 1989
-
-
- This obsolete message pair was designed to allow a host
- to find the number of the network it is on.
- Unfortunately, it was useful only if the host already
- knew the host number part of its IP address,
- information that hosts requiring dynamic configuration
- seldom had.
-
- o Reverse Address Resolution Protocol (RARP) [BOOT:4]
-
- RARP is a link-layer protocol for a broadcast medium
- that allows a host to find its IP address given its
- link layer address. Unfortunately, RARP does not work
- across IP gateways and therefore requires a RARP server
- on every network. In addition, RARP does not provide
- any other configuration information.
-
- o ICMP Address Mask Request/Reply messages
-
- These ICMP messages allow a host to learn the address
- mask for a particular network interface.
-
- o BOOTP Protocol [BOOT:2]
-
- This protocol allows a host to determine the IP
- addresses of the local host and the boot server, the
- name of an appropriate boot file, and optionally the
- address mask and list of default gateways. To locate a
- BOOTP server, the host broadcasts a BOOTP request using
- UDP. Ad hoc gateway extensions have been used to
- transmit the BOOTP broadcast through gateways, and in
- the future the IP Multicasting facility will provide a
- standard mechanism for this purpose.
-
-
- The suggested approach to dynamic configuration is to use
- the BOOTP protocol with the extensions defined in "BOOTP
- Vendor Information Extensions" RFC-1084 [BOOT:3]. RFC-1084
- defines some important general (not vendor-specific)
- extensions. In particular, these extensions allow the
- address mask to be supplied in BOOTP; we RECOMMEND that the
- address mask be supplied in this manner.
-
- DISCUSSION:
- Historically, subnetting was defined long after IP, and
- so a separate mechanism (ICMP Address Mask messages)
- was designed to supply the address mask to a host.
- However, the IP address mask and the corresponding IP
- address conceptually form a pair, and for operational
-
-
-
-Internet Engineering Task Force [Page 88]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- INITIALIZATION October 1989
-
-
- simplicity they ought to be defined at the same time
- and by the same mechanism, whether a configuration file
- or a dynamic mechanism like BOOTP.
-
- Note that BOOTP is not sufficiently general to specify
- the configurations of all interfaces of a multihomed
- host. A multihomed host must either use BOOTP
- separately for each interface, or configure one
- interface using BOOTP to perform the loading, and
- perform the complete initialization from a file later.
-
- Application layer configuration information is expected
- to be obtained from files after loading of the system
- code.
-
- 6.2.2.2 Loading Phase
-
- A suggested approach for the loading phase is to use TFTP
- [BOOT:1] between the IP addresses established by BOOTP.
-
- TFTP to a broadcast address SHOULD NOT be used, for reasons
- explained in Section 4.2.3.4.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 89]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
- 6.3 REMOTE MANAGEMENT
-
- 6.3.1 INTRODUCTION
-
- The Internet community has recently put considerable effort
- into the development of network management protocols. The
- result has been a two-pronged approach [MGT:1, MGT:6]: the
- Simple Network Management Protocol (SNMP) [MGT:4] and the
- Common Management Information Protocol over TCP (CMOT) [MGT:5].
-
- In order to be managed using SNMP or CMOT, a host will need to
- implement an appropriate management agent. An Internet host
- SHOULD include an agent for either SNMP or CMOT.
-
- Both SNMP and CMOT operate on a Management Information Base
- (MIB) that defines a collection of management values. By
- reading and setting these values, a remote application may
- query and change the state of the managed system.
-
- A standard MIB [MGT:3] has been defined for use by both
- management protocols, using data types defined by the Structure
- of Management Information (SMI) defined in [MGT:2]. Additional
- MIB variables can be introduced under the "enterprises" and
- "experimental" subtrees of the MIB naming space [MGT:2].
-
- Every protocol module in the host SHOULD implement the relevant
- MIB variables. A host SHOULD implement the MIB variables as
- defined in the most recent standard MIB, and MAY implement
- other MIB variables when appropriate and useful.
-
- 6.3.2 PROTOCOL WALK-THROUGH
-
- The MIB is intended to cover both hosts and gateways, although
- there may be detailed differences in MIB application to the two
- cases. This section contains the appropriate interpretation of
- the MIB for hosts. It is likely that later versions of the MIB
- will include more entries for host management.
-
- A managed host must implement the following groups of MIB
- object definitions: System, Interfaces, Address Translation,
- IP, ICMP, TCP, and UDP.
-
- The following specific interpretations apply to hosts:
-
- o ipInHdrErrors
-
- Note that the error "time-to-live exceeded" can occur in a
- host only when it is forwarding a source-routed datagram.
-
-
-
-Internet Engineering Task Force [Page 90]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
- o ipOutNoRoutes
-
- This object counts datagrams discarded because no route
- can be found. This may happen in a host if all the
- default gateways in the host's configuration are down.
-
- o ipFragOKs, ipFragFails, ipFragCreates
-
- A host that does not implement intentional fragmentation
- (see "Fragmentation" section of [INTRO:1]) MUST return the
- value zero for these three objects.
-
- o icmpOutRedirects
-
- For a host, this object MUST always be zero, since hosts
- do not send Redirects.
-
- o icmpOutAddrMaskReps
-
- For a host, this object MUST always be zero, unless the
- host is an authoritative source of address mask
- information.
-
- o ipAddrTable
-
- For a host, the "IP Address Table" object is effectively a
- table of logical interfaces.
-
- o ipRoutingTable
-
- For a host, the "IP Routing Table" object is effectively a
- combination of the host's Routing Cache and the static
- route table described in "Routing Outbound Datagrams"
- section of [INTRO:1].
-
- Within each ipRouteEntry, ipRouteMetric1...4 normally will
- have no meaning for a host and SHOULD always be -1, while
- ipRouteType will normally have the value "remote".
-
- If destinations on the connected network do not appear in
- the Route Cache (see "Routing Outbound Datagrams section
- of [INTRO:1]), there will be no entries with ipRouteType
- of "direct".
-
-
- DISCUSSION:
- The current MIB does not include Type-of-Service in an
- ipRouteEntry, but a future revision is expected to make
-
-
-
-Internet Engineering Task Force [Page 91]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
- this addition.
-
- We also expect the MIB to be expanded to allow the remote
- management of applications (e.g., the ability to partially
- reconfigure mail systems). Network service applications
- such as mail systems should therefore be written with the
- "hooks" for remote management.
-
- 6.3.3 MANAGEMENT REQUIREMENTS SUMMARY
-
- | | | | |S| |
- | | | | |H| |F
- | | | | |O|M|o
- | | |S| |U|U|o
- | | |H| |L|S|t
- | |M|O| |D|T|n
- | |U|U|M| | |o
- | |S|L|A|N|N|t
- | |T|D|Y|O|O|t
-FEATURE |SECTION | | | |T|T|e
------------------------------------------------|-----------|-|-|-|-|-|--
-Support SNMP or CMOT agent |6.3.1 | |x| | | |
-Implement specified objects in standard MIB |6.3.1 | |x| | | |
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 92]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
-7. REFERENCES
-
- This section lists the primary references with which every
- implementer must be thoroughly familiar. It also lists some
- secondary references that are suggested additional reading.
-
- INTRODUCTORY REFERENCES:
-
-
- [INTRO:1] "Requirements for Internet Hosts -- Communication Layers,"
- IETF Host Requirements Working Group, R. Braden, Ed., RFC-1122,
- October 1989.
-
- [INTRO:2] "DDN Protocol Handbook," NIC-50004, NIC-50005, NIC-50006,
- (three volumes), SRI International, December 1985.
-
- [INTRO:3] "Official Internet Protocols," J. Reynolds and J. Postel,
- RFC-1011, May 1987.
-
- This document is republished periodically with new RFC numbers;
- the latest version must be used.
-
- [INTRO:4] "Protocol Document Order Information," O. Jacobsen and J.
- Postel, RFC-980, March 1986.
-
- [INTRO:5] "Assigned Numbers," J. Reynolds and J. Postel, RFC-1010,
- May 1987.
-
- This document is republished periodically with new RFC numbers;
- the latest version must be used.
-
-
- TELNET REFERENCES:
-
-
- [TELNET:1] "Telnet Protocol Specification," J. Postel and J.
- Reynolds, RFC-854, May 1983.
-
- [TELNET:2] "Telnet Option Specification," J. Postel and J. Reynolds,
- RFC-855, May 1983.
-
- [TELNET:3] "Telnet Binary Transmission," J. Postel and J. Reynolds,
- RFC-856, May 1983.
-
- [TELNET:4] "Telnet Echo Option," J. Postel and J. Reynolds, RFC-857,
- May 1983.
-
- [TELNET:5] "Telnet Suppress Go Ahead Option," J. Postel and J.
-
-
-
-Internet Engineering Task Force [Page 93]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
- Reynolds, RFC-858, May 1983.
-
- [TELNET:6] "Telnet Status Option," J. Postel and J. Reynolds, RFC-
- 859, May 1983.
-
- [TELNET:7] "Telnet Timing Mark Option," J. Postel and J. Reynolds,
- RFC-860, May 1983.
-
- [TELNET:8] "Telnet Extended Options List," J. Postel and J.
- Reynolds, RFC-861, May 1983.
-
- [TELNET:9] "Telnet End-Of-Record Option," J. Postel, RFC-855,
- December 1983.
-
- [TELNET:10] "Telnet Terminal-Type Option," J. VanBokkelen, RFC-1091,
- February 1989.
-
- This document supercedes RFC-930.
-
- [TELNET:11] "Telnet Window Size Option," D. Waitzman, RFC-1073,
- October 1988.
-
- [TELNET:12] "Telnet Linemode Option," D. Borman, RFC-1116, August
- 1989.
-
- [TELNET:13] "Telnet Terminal Speed Option," C. Hedrick, RFC-1079,
- December 1988.
-
- [TELNET:14] "Telnet Remote Flow Control Option," C. Hedrick, RFC-
- 1080, November 1988.
-
-
- SECONDARY TELNET REFERENCES:
-
-
- [TELNET:15] "Telnet Protocol," MIL-STD-1782, U.S. Department of
- Defense, May 1984.
-
- This document is intended to describe the same protocol as RFC-
- 854. In case of conflict, RFC-854 takes precedence, and the
- present document takes precedence over both.
-
- [TELNET:16] "SUPDUP Protocol," M. Crispin, RFC-734, October 1977.
-
- [TELNET:17] "Telnet SUPDUP Option," M. Crispin, RFC-736, October
- 1977.
-
- [TELNET:18] "Data Entry Terminal Option," J. Day, RFC-732, June 1977.
-
-
-
-Internet Engineering Task Force [Page 94]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
- [TELNET:19] "TELNET Data Entry Terminal option -- DODIIS
- Implementation," A. Yasuda and T. Thompson, RFC-1043, February
- 1988.
-
-
- FTP REFERENCES:
-
-
- [FTP:1] "File Transfer Protocol," J. Postel and J. Reynolds, RFC-
- 959, October 1985.
-
- [FTP:2] "Document File Format Standards," J. Postel, RFC-678,
- December 1974.
-
- [FTP:3] "File Transfer Protocol," MIL-STD-1780, U.S. Department of
- Defense, May 1984.
-
- This document is based on an earlier version of the FTP
- specification (RFC-765) and is obsolete.
-
-
- TFTP REFERENCES:
-
-
- [TFTP:1] "The TFTP Protocol Revision 2," K. Sollins, RFC-783, June
- 1981.
-
-
- MAIL REFERENCES:
-
-
- [SMTP:1] "Simple Mail Transfer Protocol," J. Postel, RFC-821, August
- 1982.
-
- [SMTP:2] "Standard For The Format of ARPA Internet Text Messages,"
- D. Crocker, RFC-822, August 1982.
-
- This document obsoleted an earlier specification, RFC-733.
-
- [SMTP:3] "Mail Routing and the Domain System," C. Partridge, RFC-
- 974, January 1986.
-
- This RFC describes the use of MX records, a mandatory extension
- to the mail delivery process.
-
- [SMTP:4] "Duplicate Messages and SMTP," C. Partridge, RFC-1047,
- February 1988.
-
-
-
-
-Internet Engineering Task Force [Page 95]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
- [SMTP:5a] "Mapping between X.400 and RFC 822," S. Kille, RFC-987,
- June 1986.
-
- [SMTP:5b] "Addendum to RFC-987," S. Kille, RFC-???, September 1987.
-
- The two preceding RFC's define a proposed standard for
- gatewaying mail between the Internet and the X.400 environments.
-
- [SMTP:6] "Simple Mail Transfer Protocol," MIL-STD-1781, U.S.
- Department of Defense, May 1984.
-
- This specification is intended to describe the same protocol as
- does RFC-821. However, MIL-STD-1781 is incomplete; in
- particular, it does not include MX records [SMTP:3].
-
- [SMTP:7] "A Content-Type Field for Internet Messages," M. Sirbu,
- RFC-1049, March 1988.
-
-
- DOMAIN NAME SYSTEM REFERENCES:
-
-
- [DNS:1] "Domain Names - Concepts and Facilities," P. Mockapetris,
- RFC-1034, November 1987.
-
- This document and the following one obsolete RFC-882, RFC-883,
- and RFC-973.
-
- [DNS:2] "Domain Names - Implementation and Specification," RFC-1035,
- P. Mockapetris, November 1987.
-
-
- [DNS:3] "Mail Routing and the Domain System," C. Partridge, RFC-974,
- January 1986.
-
-
- [DNS:4] "DoD Internet Host Table Specification," K. Harrenstein,
- RFC-952, M. Stahl, E. Feinler, October 1985.
-
- SECONDARY DNS REFERENCES:
-
-
- [DNS:5] "Hostname Server," K. Harrenstein, M. Stahl, E. Feinler,
- RFC-953, October 1985.
-
- [DNS:6] "Domain Administrators Guide," M. Stahl, RFC-1032, November
- 1987.
-
-
-
-
-Internet Engineering Task Force [Page 96]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
- [DNS:7] "Domain Administrators Operations Guide," M. Lottor, RFC-
- 1033, November 1987.
-
- [DNS:8] "The Domain Name System Handbook," Vol. 4 of Internet
- Protocol Handbook, NIC 50007, SRI Network Information Center,
- August 1989.
-
-
- SYSTEM INITIALIZATION REFERENCES:
-
-
- [BOOT:1] "Bootstrap Loading Using TFTP," R. Finlayson, RFC-906, June
- 1984.
-
- [BOOT:2] "Bootstrap Protocol (BOOTP)," W. Croft and J. Gilmore, RFC-
- 951, September 1985.
-
- [BOOT:3] "BOOTP Vendor Information Extensions," J. Reynolds, RFC-
- 1084, December 1988.
-
- Note: this RFC revised and obsoleted RFC-1048.
-
- [BOOT:4] "A Reverse Address Resolution Protocol," R. Finlayson, T.
- Mann, J. Mogul, and M. Theimer, RFC-903, June 1984.
-
-
- MANAGEMENT REFERENCES:
-
-
- [MGT:1] "IAB Recommendations for the Development of Internet Network
- Management Standards," V. Cerf, RFC-1052, April 1988.
-
- [MGT:2] "Structure and Identification of Management Information for
- TCP/IP-based internets," M. Rose and K. McCloghrie, RFC-1065,
- August 1988.
-
- [MGT:3] "Management Information Base for Network Management of
- TCP/IP-based internets," M. Rose and K. McCloghrie, RFC-1066,
- August 1988.
-
- [MGT:4] "A Simple Network Management Protocol," J. Case, M. Fedor,
- M. Schoffstall, and C. Davin, RFC-1098, April 1989.
-
- [MGT:5] "The Common Management Information Services and Protocol
- over TCP/IP," U. Warrier and L. Besaw, RFC-1095, April 1989.
-
- [MGT:6] "Report of the Second Ad Hoc Network Management Review
- Group," V. Cerf, RFC-1109, August 1989.
-
-
-
-Internet Engineering Task Force [Page 97]
-
-
-
-
-RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
-
-
-Security Considerations
-
- There are many security issues in the application and support
- programs of host software, but a full discussion is beyond the scope
- of this RFC. Security-related issues are mentioned in sections
- concerning TFTP (Sections 4.2.1, 4.2.3.4, 4.2.3.5), the SMTP VRFY and
- EXPN commands (Section 5.2.3), the SMTP HELO command (5.2.5), and the
- SMTP DATA command (Section 5.2.8).
-
-Author's Address
-
- Robert Braden
- USC/Information Sciences Institute
- 4676 Admiralty Way
- Marina del Rey, CA 90292-6695
-
- Phone: (213) 822 1511
-
- EMail: Braden@ISI.EDU
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Internet Engineering Task Force [Page 98]
-
diff --git a/contrib/bind9/doc/rfc/rfc1183.txt b/contrib/bind9/doc/rfc/rfc1183.txt
deleted file mode 100644
index 6f080448bc72..000000000000
--- a/contrib/bind9/doc/rfc/rfc1183.txt
+++ /dev/null
@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group C. Everhart
-Request for Comments: 1183 Transarc
-Updates: RFCs 1034, 1035 L. Mamakos
- University of Maryland
- R. Ullmann
- Prime Computer
- P. Mockapetris, Editor
- ISI
- October 1990
-
-
- New DNS RR Definitions
-
-Status of this Memo
-
- This memo defines five new DNS types for experimental purposes. This
- RFC describes an Experimental Protocol for the Internet community,
- and requests discussion and suggestions for improvements.
- Distribution of this memo is unlimited.
-
-Table of Contents
-
- Introduction.................................................... 1
- 1. AFS Data Base location....................................... 2
- 2. Responsible Person........................................... 3
- 2.1. Identification of the guilty party......................... 3
- 2.2. The Responsible Person RR.................................. 4
- 3. X.25 and ISDN addresses, Route Binding....................... 6
- 3.1. The X25 RR................................................. 6
- 3.2. The ISDN RR................................................ 7
- 3.3. The Route Through RR....................................... 8
- REFERENCES and BIBLIOGRAPHY..................................... 9
- Security Considerations......................................... 10
- Authors' Addresses.............................................. 11
-
-Introduction
-
- This RFC defines the format of new Resource Records (RRs) for the
- Domain Name System (DNS), and reserves corresponding DNS type
- mnemonics and numerical codes. The definitions are in three
- independent sections: (1) location of AFS database servers, (2)
- location of responsible persons, and (3) representation of X.25 and
- ISDN addresses and route binding. All are experimental.
-
- This RFC assumes that the reader is familiar with the DNS [3,4]. The
- data shown is for pedagogical use and does not necessarily reflect
- the real Internet.
-
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 1]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
-1. AFS Data Base location
-
- This section defines an extension of the DNS to locate servers both
- for AFS (AFS is a registered trademark of Transarc Corporation) and
- for the Open Software Foundation's (OSF) Distributed Computing
- Environment (DCE) authenticated naming system using HP/Apollo's NCA,
- both to be components of the OSF DCE. The discussion assumes that
- the reader is familiar with AFS [5] and NCA [6].
-
- The AFS (originally the Andrew File System) system uses the DNS to
- map from a domain name to the name of an AFS cell database server.
- The DCE Naming service uses the DNS for a similar function: mapping
- from the domain name of a cell to authenticated name servers for that
- cell. The method uses a new RR type with mnemonic AFSDB and type
- code of 18 (decimal).
-
- AFSDB has the following format:
-
- <owner> <ttl> <class> AFSDB <subtype> <hostname>
-
- Both RDATA fields are required in all AFSDB RRs. The <subtype> field
- is a 16 bit integer. The <hostname> field is a domain name of a host
- that has a server for the cell named by the owner name of the RR.
-
- The format of the AFSDB RR is class insensitive. AFSDB records cause
- type A additional section processing for <hostname>. This, in fact,
- is the rationale for using a new type code, rather than trying to
- build the same functionality with TXT RRs.
-
- Note that the format of AFSDB in a master file is identical to MX.
- For purposes of the DNS itself, the subtype is merely an integer.
- The present subtype semantics are discussed below, but changes are
- possible and will be announced in subsequent RFCs.
-
- In the case of subtype 1, the host has an AFS version 3.0 Volume
- Location Server for the named AFS cell. In the case of subtype 2,
- the host has an authenticated name server holding the cell-root
- directory node for the named DCE/NCA cell.
-
- The use of subtypes is motivated by two considerations. First, the
- space of DNS RR types is limited. Second, the services provided are
- sufficiently distinct that it would continue to be confusing for a
- client to attempt to connect to a cell's servers using the protocol
- for one service, if the cell offered only the other service.
-
- As an example of the use of this RR, suppose that the Toaster
- Corporation has deployed AFS 3.0 but not (yet) the OSF's DCE. Their
- cell, named toaster.com, has three "AFS 3.0 cell database server"
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 2]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- machines: bigbird.toaster.com, ernie.toaster.com, and
- henson.toaster.com. These three machines would be listed in three
- AFSDB RRs. These might appear in a master file as:
-
- toaster.com. AFSDB 1 bigbird.toaster.com.
- toaster.com. AFSDB 1 ernie.toaster.com.
- toaster.com. AFSDB 1 henson.toaster.com.
-
- As another example use of this RR, suppose that Femto College (domain
- name femto.edu) has deployed DCE, and that their DCE cell root
- directory is served by processes running on green.femto.edu and
- turquoise.femto.edu. Furthermore, their DCE file servers also run
- AFS 3.0-compatible volume location servers, on the hosts
- turquoise.femto.edu and orange.femto.edu. These machines would be
- listed in four AFSDB RRs, which might appear in a master file as:
-
- femto.edu. AFSDB 2 green.femto.edu.
- femto.edu. AFSDB 2 turquoise.femto.edu.
- femto.edu. AFSDB 1 turquoise.femto.edu.
- femto.edu. AFSDB 1 orange.femto.edu.
-
-2. Responsible Person
-
- The purpose of this section is to provide a standard method for
- associating responsible person identification to any name in the DNS.
-
- The domain name system functions as a distributed database which
- contains many different form of information. For a particular name
- or host, you can discover it's Internet address, mail forwarding
- information, hardware type and operating system among others.
-
- A key aspect of the DNS is that the tree-structured namespace can be
- divided into pieces, called zones, for purposes of distributing
- control and responsibility. The responsible person for zone database
- purposes is named in the SOA RR for that zone. This section
- describes an extension which allows different responsible persons to
- be specified for different names in a zone.
-
-2.1. Identification of the guilty party
-
- Often it is desirable to be able to identify the responsible entity
- for a particular host. When that host is down or malfunctioning, it
- is difficult to contact those parties which might resolve or repair
- the host. Mail sent to POSTMASTER may not reach the person in a
- timely fashion. If the host is one of a multitude of workstations,
- there may be no responsible person which can be contacted on that
- host.
-
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 3]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- The POSTMASTER mailbox on that host continues to be a good contact
- point for mail problems, and the zone contact in the SOA record for
- database problem, but the RP record allows us to associate a mailbox
- to entities that don't receive mail or are not directly connected
- (namespace-wise) to the problem (e.g., GATEWAY.ISI.EDU might want to
- point at HOTLINE@BBN.COM, and GATEWAY doesn't get mail, nor does the
- ISI zone administrator have a clue about fixing gateways).
-
-2.2. The Responsible Person RR
-
- The method uses a new RR type with mnemonic RP and type code of 17
- (decimal).
-
- RP has the following format:
-
- <owner> <ttl> <class> RP <mbox-dname> <txt-dname>
-
- Both RDATA fields are required in all RP RRs.
-
- The first field, <mbox-dname>, is a domain name that specifies the
- mailbox for the responsible person. Its format in master files uses
- the DNS convention for mailbox encoding, identical to that used for
- the RNAME mailbox field in the SOA RR. The root domain name (just
- ".") may be specified for <mbox-dname> to indicate that no mailbox is
- available.
-
- The second field, <txt-dname>, is a domain name for which TXT RR's
- exist. A subsequent query can be performed to retrieve the
- associated TXT resource records at <txt-dname>. This provides a
- level of indirection so that the entity can be referred to from
- multiple places in the DNS. The root domain name (just ".") may be
- specified for <txt-dname> to indicate that the TXT_DNAME is absent,
- and no associated TXT RR exists.
-
- The format of the RP RR is class insensitive. RP records cause no
- additional section processing. (TXT additional section processing
- for <txt-dname> is allowed as an option, but only if it is disabled
- for the root, i.e., ".").
-
- The Responsible Person RR can be associated with any node in the
- Domain Name System hierarchy, not just at the leaves of the tree.
-
- The TXT RR associated with the TXT_DNAME contain free format text
- suitable for humans. Refer to [4] for more details on the TXT RR.
-
- Multiple RP records at a single name may be present in the database.
- They should have identical TTLs.
-
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 4]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- EXAMPLES
-
- Some examples of how the RP record might be used.
-
- sayshell.umd.edu. A 128.8.1.14
- MX 10 sayshell.umd.edu.
- HINFO NeXT UNIX
- WKS 128.8.1.14 tcp ftp telnet smtp
- RP louie.trantor.umd.edu. LAM1.people.umd.edu.
-
- LAM1.people.umd.edu. TXT (
- "Louis A. Mamakos, (301) 454-2946, don't call me at home!" )
-
- In this example, the responsible person's mailbox for the host
- SAYSHELL.UMD.EDU is louie@trantor.umd.edu. The TXT RR at
- LAM1.people.umd.edu provides additional information and advice.
-
- TERP.UMD.EDU. A 128.8.10.90
- MX 10 128.8.10.90
- HINFO MICROVAX-II UNIX
- WKS 128.8.10.90 udp domain
- WKS 128.8.10.90 tcp ftp telnet smtp domain
- RP louie.trantor.umd.edu. LAM1.people.umd.edu.
- RP root.terp.umd.edu. ops.CS.UMD.EDU.
-
- TRANTOR.UMD.EDU. A 128.8.10.14
- MX 10 trantor.umd.edu.
- HINFO MICROVAX-II UNIX
- WKS 128.8.10.14 udp domain
- WKS 128.8.10.14 tcp ftp telnet smtp domain
- RP louie.trantor.umd.edu. LAM1.people.umd.edu.
- RP petry.netwolf.umd.edu. petry.people.UMD.EDU.
- RP root.trantor.umd.edu. ops.CS.UMD.EDU.
- RP gregh.sunset.umd.edu. .
-
- LAM1.people.umd.edu. TXT "Louis A. Mamakos (301) 454-2946"
- petry.people.umd.edu. TXT "Michael G. Petry (301) 454-2946"
- ops.CS.UMD.EDU. TXT "CS Operations Staff (301) 454-2943"
-
- This set of resource records has two hosts, TRANTOR.UMD.EDU and
- TERP.UMD.EDU, as well as a number of TXT RRs. Note that TERP.UMD.EDU
- and TRANTOR.UMD.EDU both reference the same pair of TXT resource
- records, although the mail box names (root.terp.umd.edu and
- root.trantor.umd.edu) differ.
-
- Here, we obviously care much more if the machine flakes out, as we've
- specified four persons which might want to be notified of problems or
- other events involving TRANTOR.UMD.EDU. In this example, the last RP
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 5]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- RR for TRANTOR.UMD.EDU specifies a mailbox (gregh.sunset.umd.edu),
- but no associated TXT RR.
-
-3. X.25 and ISDN addresses, Route Binding
-
- This section describes an experimental representation of X.25 and
- ISDN addresses in the DNS, as well as a route binding method,
- analogous to the MX for mail routing, for very large scale networks.
-
- There are several possible uses, all experimental at this time.
- First, the RRs provide simple documentation of the correct addresses
- to use in static configurations of IP/X.25 [11] and SMTP/X.25 [12].
-
- The RRs could also be used automatically by an internet network-layer
- router, typically IP. The procedure would be to map IP address to
- domain name, then name to canonical name if needed, then following RT
- records, and finally attempting an IP/X.25 call to the address found.
- Alternately, configured domain names could be resolved to identify IP
- to X.25/ISDN bindings for a static but periodically refreshed routing
- table.
-
- This provides a function similar to ARP for wide area non-broadcast
- networks that will scale well to a network with hundreds of millions
- of hosts.
-
- Also, a standard address binding reference will facilitate other
- experiments in the use of X.25 and ISDN, especially in serious
- inter-operability testing. The majority of work in such a test is
- establishing the n-squared entries in static tables.
-
- Finally, the RRs are intended for use in a proposal [13] by one of
- the authors for a possible next-generation internet.
-
-3.1. The X25 RR
-
- The X25 RR is defined with mnemonic X25 and type code 19 (decimal).
-
- X25 has the following format:
-
- <owner> <ttl> <class> X25 <PSDN-address>
-
- <PSDN-address> is required in all X25 RRs.
-
- <PSDN-address> identifies the PSDN (Public Switched Data Network)
- address in the X.121 [10] numbering plan associated with <owner>.
- Its format in master files is a <character-string> syntactically
- identical to that used in TXT and HINFO.
-
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 6]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- The format of X25 is class insensitive. X25 RRs cause no additional
- section processing.
-
- The <PSDN-address> is a string of decimal digits, beginning with the
- 4 digit DNIC (Data Network Identification Code), as specified in
- X.121. National prefixes (such as a 0) MUST NOT be used.
-
- For example:
-
- Relay.Prime.COM. X25 311061700956
-
-3.2. The ISDN RR
-
- The ISDN RR is defined with mnemonic ISDN and type code 20 (decimal).
-
- An ISDN (Integrated Service Digital Network) number is simply a
- telephone number. The intent of the members of the CCITT is to
- upgrade all telephone and data network service to a common service.
-
- The numbering plan (E.163/E.164) is the same as the familiar
- international plan for POTS (an un-official acronym, meaning Plain
- Old Telephone Service). In E.166, CCITT says "An E.163/E.164
- telephony subscriber may become an ISDN subscriber without a number
- change."
-
- ISDN has the following format:
-
- <owner> <ttl> <class> ISDN <ISDN-address> <sa>
-
- The <ISDN-address> field is required; <sa> is optional.
-
- <ISDN-address> identifies the ISDN number of <owner> and DDI (Direct
- Dial In) if any, as defined by E.164 [8] and E.163 [7], the ISDN and
- PSTN (Public Switched Telephone Network) numbering plan. E.163
- defines the country codes, and E.164 the form of the addresses. Its
- format in master files is a <character-string> syntactically
- identical to that used in TXT and HINFO.
-
- <sa> specifies the subaddress (SA). The format of <sa> in master
- files is a <character-string> syntactically identical to that used in
- TXT and HINFO.
-
- The format of ISDN is class insensitive. ISDN RRs cause no
- additional section processing.
-
- The <ISDN-address> is a string of characters, normally decimal
- digits, beginning with the E.163 country code and ending with the DDI
- if any. Note that ISDN, in Q.931, permits any IA5 character in the
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 7]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- general case.
-
- The <sa> is a string of hexadecimal digits. For digits 0-9, the
- concrete encoding in the Q.931 call setup information element is
- identical to BCD.
-
- For example:
-
- Relay.Prime.COM. IN ISDN 150862028003217
- sh.Prime.COM. IN ISDN 150862028003217 004
-
- (Note: "1" is the country code for the North American Integrated
- Numbering Area, i.e., the system of "area codes" familiar to people
- in those countries.)
-
- The RR data is the ASCII representation of the digits. It is encoded
- as one or two <character-string>s, i.e., count followed by
- characters.
-
- CCITT recommendation E.166 [9] defines prefix escape codes for the
- representation of ISDN (E.163/E.164) addresses in X.121, and PSDN
- (X.121) addresses in E.164. It specifies that the exact codes are a
- "national matter", i.e., different on different networks. A host
- connected to the ISDN may be able to use both the X25 and ISDN
- addresses, with the local prefix added.
-
-3.3. The Route Through RR
-
- The Route Through RR is defined with mnemonic RT and type code 21
- (decimal).
-
- The RT resource record provides a route-through binding for hosts
- that do not have their own direct wide area network addresses. It is
- used in much the same way as the MX RR.
-
- RT has the following format:
-
- <owner> <ttl> <class> RT <preference> <intermediate-host>
-
- Both RDATA fields are required in all RT RRs.
-
- The first field, <preference>, is a 16 bit integer, representing the
- preference of the route. Smaller numbers indicate more preferred
- routes.
-
- <intermediate-host> is the domain name of a host which will serve as
- an intermediate in reaching the host specified by <owner>. The DNS
- RRs associated with <intermediate-host> are expected to include at
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 8]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- least one A, X25, or ISDN record.
-
- The format of the RT RR is class insensitive. RT records cause type
- X25, ISDN, and A additional section processing for <intermediate-
- host>.
-
- For example,
-
- sh.prime.com. IN RT 2 Relay.Prime.COM.
- IN RT 10 NET.Prime.COM.
- *.prime.com. IN RT 90 Relay.Prime.COM.
-
- When a host is looking up DNS records to attempt to route a datagram,
- it first looks for RT records for the destination host, which point
- to hosts with address records (A, X25, ISDN) compatible with the wide
- area networks available to the host. If it is itself in the set of
- RT records, it discards any RTs with preferences higher or equal to
- its own. If there are no (remaining) RTs, it can then use address
- records of the destination itself.
-
- Wild-card RTs are used exactly as are wild-card MXs. RT's do not
- "chain"; that is, it is not valid to use the RT RRs found for a host
- referred to by an RT.
-
- The concrete encoding is identical to the MX RR.
-
-REFERENCES and BIBLIOGRAPHY
-
- [1] Stahl, M., "Domain Administrators Guide", RFC 1032, Network
- Information Center, SRI International, November 1987.
-
- [2] Lottor, M., "Domain Administrators Operations Guide", RFC 1033,
- Network Information Center, SRI International, November, 1987.
-
- [3] Mockapetris, P., "Domain Names - Concepts and Facilities", RFC
- 1034, USC/Information Sciences Institute, November 1987.
-
- [4] Mockapetris, P., "Domain Names - Implementation and
- Specification", RFC 1035, USC/Information Sciences Institute,
- November 1987.
-
- [5] Spector A., and M. Kazar, "Uniting File Systems", UNIX Review,
- 7(3), pp. 61-69, March 1989.
-
- [6] Zahn, et al., "Network Computing Architecture", Prentice-Hall,
- 1989.
-
- [7] International Telegraph and Telephone Consultative Committee,
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 9]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
- "Numbering Plan for the International Telephone Service", CCITT
- Recommendations E.163., IXth Plenary Assembly, Melbourne, 1988,
- Fascicle II.2 ("Blue Book").
-
- [8] International Telegraph and Telephone Consultative Committee,
- "Numbering Plan for the ISDN Era", CCITT Recommendations E.164.,
- IXth Plenary Assembly, Melbourne, 1988, Fascicle II.2 ("Blue
- Book").
-
- [9] International Telegraph and Telephone Consultative Committee.
- "Numbering Plan Interworking in the ISDN Era", CCITT
- Recommendations E.166., IXth Plenary Assembly, Melbourne, 1988,
- Fascicle II.2 ("Blue Book").
-
- [10] International Telegraph and Telephone Consultative Committee,
- "International Numbering Plan for the Public Data Networks",
- CCITT Recommendations X.121., IXth Plenary Assembly, Melbourne,
- 1988, Fascicle VIII.3 ("Blue Book"); provisional, Geneva, 1978;
- amended, Geneva, 1980, Malaga-Torremolinos, 1984 and Melborne,
- 1988.
-
- [11] Korb, J., "Standard for the Transmission of IP datagrams Over
- Public Data Networks", RFC 877, Purdue University, September
- 1983.
-
- [12] Ullmann, R., "SMTP on X.25", RFC 1090, Prime Computer, February
- 1989.
-
- [13] Ullmann, R., "TP/IX: The Next Internet", Prime Computer
- (unpublished), July 1990.
-
- [14] Mockapetris, P., "DNS Encoding of Network Names and Other Types",
- RFC 1101, USC/Information Sciences Institute, April 1989.
-
-Security Considerations
-
- Security issues are not addressed in this memo.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 10]
-
-RFC 1183 New DNS RR Definitions October 1990
-
-
-Authors' Addresses
-
- Craig F. Everhart
- Transarc Corporation
- The Gulf Tower
- 707 Grant Street
- Pittsburgh, PA 15219
-
- Phone: +1 412 338 4467
-
- EMail: Craig_Everhart@transarc.com
-
-
- Louis A. Mamakos
- Network Infrastructure Group
- Computer Science Center
- University of Maryland
- College Park, MD 20742-2411
-
- Phone: +1-301-405-7836
-
- Email: louie@Sayshell.UMD.EDU
-
-
- Robert Ullmann 10-30
- Prime Computer, Inc.
- 500 Old Connecticut Path
- Framingham, MA 01701
-
- Phone: +1 508 620 2800 ext 1736
-
- Email: Ariel@Relay.Prime.COM
-
-
- Paul Mockapetris
- USC Information Sciences Institute
- 4676 Admiralty Way
- Marina del Rey, CA 90292
-
- Phone: 213-822-1511
-
- EMail: pvm@isi.edu
-
-
-
-
-
-
-
-
-
-Everhart, Mamakos, Ullmann & Mockapetris [Page 11]
- \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1348.txt b/contrib/bind9/doc/rfc/rfc1348.txt
deleted file mode 100644
index d9e5dea040ee..000000000000
--- a/contrib/bind9/doc/rfc/rfc1348.txt
+++ /dev/null
@@ -1,227 +0,0 @@
-
-
-
-
-
-
-Network Working Group B. Manning
-Request for Comments: 1348 Rice University
-Updates: RFCs 1034, 1035 July 1992
-
-
- DNS NSAP RRs
-
-Status of this Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. Discussion and suggestions for improvement are requested.
- Please refer to the current edition of the "IAB Official Protocol
- Standards" for the standardization state and status of this protocol.
- Distribution of this memo is unlimited.
-
-Table of Contents
-
- Introduction ..................................................... 1
- Background ....................................................... 1
- NSAP RR .......................................................... 2
- NSAP-PTR RR ...................................................... 2
- REFERENCES and BIBLIOGRAPHY ...................................... 3
- Security Considerations .......................................... 4
- Author's Address ................................................. 4
-
-Introduction
-
- This RFC defines the format of two new Resource Records (RRs) for the
- Domain Name System (DNS), and reserves corresponding DNS type
- mnemonic and numerical codes. This format may be used with the any
- proposal that has variable length addresses, but is targeted for CLNP
- use.
-
- This memo assumes that the reader is familiar with the DNS [3,4].
-
-Background
-
- This section describes an experimental representation of NSAP
- addresses in the DNS. There are several reasons to take this approch.
- First, it provides simple documentation of the correct addresses to
- use in static configurations of CLNP compliant hosts and routers.
-
- NSAP support requires that a new DNS resource record entry type
- ("NSAP") be defined, to store longer Internet (i.e., NSAP) addresses.
- This resource record allows mapping from DNS names to NSAP addresses,
- and will contain entries for systems which are able to run Internet
- applications, over TCP or UDP, over CLNP.
-
-
-
-
-Manning [Page 1]
-
-RFC 1348 DNS NSAP RRs July 1992
-
-
- The backward translation (from NSAP address to DNS name) is
- facilitated by definition of an associated resource record. This
- resource record is known as "NSAP-PTR", and is used in a manner
- analogous to the existing "in-addr.arpa".
-
- These RRs are intended for use in a proposal [6] by one of the
- members of the NOOP WG to address the next-generation internet.
-
-The NSAP RR
-
- The NSAP RR is defined with mnemonic NSAP and type code 22 (decimal).
-
- An NSAP (Network Service Access Protocol) number is a unique string
- to OSI transport service.
-
- The numbering plan follows RFC 1237 and associated OSI definitions
- for NSAP format.
-
- NSAP has the following format:
-
- <owner> <ttl> <class> NSAP <length> <NSAP-address>
-
- All fields are required.
-
- <length> identifies the number of octets in the <NSAP-address> as
- defined by the various national and international authorities.
-
- <NSAP-address> enumerates the actual octet values assigned by the
- assigning authority. Its format in master files is a <character-
- string> syntactically identical to that used in TXT and HINFO.
-
- The format of NSAP is class insensitive. NSAP RR causes no
- additional section processing.
-
- For example:
-
-foo.bar.com. IN NSAP 21 47000580ffff000000321099991111222233334444
-host.school.de IN NSAP 17 39276f3100111100002222333344449876
-
- The RR data is the ASCII representation of the digits. It is encoded
- as two <character-strings>, i.e., count followed by characters.
-
-The NSAP-PTR RR
-
- The NSAP-PTR RR is defined with mnemonic NSAP-PTR and a type code 23
- (decimal).
-
- Its function is analogous to the PTR record used for IP addresses
-
-
-
-Manning [Page 2]
-
-RFC 1348 DNS NSAP RRs July 1992
-
-
- [4,7].
-
- NSAP-PTR has the following format:
-
- <NSAP-suffix> <ttl> <class> NSAP-PTR <owner>
-
- All fields are required.
-
- <NSAP-suffix> enumerates the actual octet values assigned by the
- assigning authority for the LOCAL network. Its format in master
- files is a <character-string> syntactically identical to that used in
- TXT and HINFO.
-
- The format of NSAP-PTR is class insensitive. NSAP-PTR RR causes no
- additional section processing.
-
- For example:
-
- In net ff08000574.nsap-in-addr.arpa:
-
- 444433332222111199990123000000ff NSAP-PTR foo.bar.com.
-
- Or in net 11110031f67293.nsap-in-addr.arpa:
-
- 67894444333322220000 NSAP-PTR host.school.de.
-
- The RR data is the ASCII representation of the digits. It is encoded
- as a <character-string>.
-
-REFERENCES and BIBLIOGRAPHY
-
- [1] Stahl, M., "Domain Administrators Guide", RFC 1032, Network
- Information Center, SRI International, November 1987.
-
- [2] Lottor, M., "Domain Administrators Operations Guide", RFC 1033,
- Network Information Center, SRI International, November, 1987.
-
- [3] Mockapetris, P., "Domain Names - Concepts and Facilities", RFC
- 1034, USC/Information Sciences Institute, November 1987.
-
- [4] Mockapetris, P., "Domain Names - Implementation and
- Specification", RFC 1035, USC/Information Sciences Institute,
- November 1987.
-
- [5] Colella, R., Gardner, E., and R. Callon, "Guidelines for OSI
- NSAP Allocation in the Internet", RFC 1237, NIST, Mitre, DEC,
- July 1991.
-
-
-
-
-Manning [Page 3]
-
-RFC 1348 DNS NSAP RRs July 1992
-
-
- [6] Callon, R., "TCP and UDP with Bigger Addresses (TUBA),
- A Simple Proposal for Internet Addressing and Routing",
- Digital Equipment Corporation, RFC 1347, June 1992.
-
- [7] Mockapetris, P., "DNS Encoding of Network Names and Other Types",
- RFC 1101, USC/Information Sciences Institute, April 1989.
-
- [8] ISO/IEC. Information Processing Systems -- Data Communications
- -- Network Service Definition Addendum 2: Network Layer Address-
- ing. International Standard 8348/Addendum 2, ISO/IEC JTC 1,
- Switzerland, 1988.
-
- [9] Bryant, P., "NSAPs", PB660, IPTAG/92/23, SCIENCE AND ENGINEERING
- RESEARCH COUNCIL, RUTHERFORD APPLETON LABORATORY May 1992.
-
-Security Considerations
-
- Security issues are not addressed in this memo.
-
-Author's Address
-
- Bill Manning
- Rice University - ONCS
- PO Box 1892
- 6100 South Main
- Houston, Texas 77251-1892
-
- Phone: +1.713.285.5415
- EMail: bmanning@rice.edu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Manning [Page 4]
- \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1535.txt b/contrib/bind9/doc/rfc/rfc1535.txt
deleted file mode 100644
index 03bddeebedcb..000000000000
--- a/contrib/bind9/doc/rfc/rfc1535.txt
+++ /dev/null
@@ -1,283 +0,0 @@
-
-
-
-
-
-
-Network Working Group E. Gavron
-Request for Comments: 1535 ACES Research Inc.
-Category: Informational October 1993
-
-
- A Security Problem and Proposed Correction
- With Widely Deployed DNS Software
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard. Distribution of this memo is
- unlimited.
-
-Abstract
-
- This document discusses a flaw in some of the currently distributed
- name resolver clients. The flaw exposes a security weakness related
- to the search heuristic invoked by these same resolvers when users
- provide a partial domain name, and which is easy to exploit (although
- not by the masses). This document points out the flaw, a case in
- point, and a solution.
-
-Background
-
- Current Domain Name Server clients are designed to ease the burden of
- remembering IP dotted quad addresses. As such they translate human-
- readable names into addresses and other resource records. Part of
- the translation process includes understanding and dealing with
- hostnames that are not fully qualified domain names (FQDNs).
-
- An absolute "rooted" FQDN is of the format {name}{.} A non "rooted"
- domain name is of the format {name}
-
- A domain name may have many parts and typically these include the
- host, domain, and type. Example: foobar.company.com or
- fooschool.university.edu.
-
-Flaw
-
- The problem with most widely distributed resolvers based on the BSD
- BIND resolver is that they attempt to resolve a partial name by
- processing a search list of partial domains to be added to portions
- of the specified host name until a DNS record is found. This
- "feature" is disabled by default in the official BIND 4.9.2 release.
-
- Example: A TELNET attempt by User@Machine.Tech.ACES.COM
- to UnivHost.University.EDU
-
-
-
-Gavron [Page 1]
-
-RFC 1535 DNS Software Enhancements October 1993
-
-
- The resolver client will realize that since "UnivHost.University.EDU"
- does not end with a ".", it is not an absolute "rooted" FQDN. It
- will then try the following combinations until a resource record is
- found:
-
- UnivHost.University.EDU.Tech.ACES.COM.
- UnivHost.University.EDU.ACES.COM.
- UnivHost.University.EDU.COM.
- UnivHost.University.EDU.
-
-Security Issue
-
- After registering the EDU.COM domain, it was discovered that an
- unliberal application of one wildcard CNAME record would cause *all*
- connects from any .COM site to any .EDU site to terminate at one
- target machine in the private edu.com sub-domain.
-
- Further, discussion reveals that specific hostnames registered in
- this private subdomain, or any similarly named subdomain may be used
- to spoof a host.
-
- Example: harvard.edu.com. CNAME targethost
-
- Thus all connects to Harvard.edu from all .com sites would end up at
- targthost, a machine which could provide a Harvard.edu login banner.
-
- This is clearly unacceptable. Further, it could only be made worse
- with domains like COM.EDU, MIL.GOV, GOV.COM, etc.
-
-Public vs. Local Name Space Administration
-
- The specification of the Domain Name System and the software that
- implements it provides an undifferentiated hierarchy which permits
- delegation of administration for subordinate portions of the name
- space. Actual administration of the name space is divided between
- "public" and "local" portions. Public administration pertains to all
- top-level domains, such as .COM and .EDU. For some domains, it also
- pertains to some number of sub-domain levels. The multi-level nature
- of the public administration is most evident for top-level domains
- for countries. For example in the Fully Qualified Domain Name,
- dbc.mtview.ca.us., the portion "mtview.ca.us" represents three levels
- of public administration. Only the left-most portion is subject to
- local administration.
-
-
-
-
-
-
-
-
-Gavron [Page 2]
-
-RFC 1535 DNS Software Enhancements October 1993
-
-
- The danger of the heuristic search common in current practise is that
- it it is possible to "intercept" the search by matching against an
- unintended value while walking up the search list. While this is
- potentially dangerous at any level, it is entirely unacceptable when
- the error impacts users outside of a local administration.
-
- When attempting to resolve a partial domain name, DNS resolvers use
- the Domain Name of the searching host for deriving the search list.
- Existing DNS resolvers do not distinguish the portion of that name
- which is in the locally administered scope from the part that is
- publically administered.
-
-Solution(s)
-
- At a minimum, DNS resolvers must honor the BOUNDARY between local and
- public administration, by limiting any search lists to locally-
- administered portions of the Domain Name space. This requires a
- parameter which shows the scope of the name space controlled by the
- local administrator.
-
- This would permit progressive searches from the most qualified to
- less qualified up through the locally controlled domain, but not
- beyond.
-
- For example, if the local user were trying to reach:
-
- User@chief.admin.DESERTU.EDU from
- starburst,astro.DESERTU.EDU,
-
- it is reasonable to permit the user to enter just chief.admin, and
- for the search to cover:
-
- chief.admin.astro.DESERTU.EDU
- chief.admin.DESERTU.EDU
-
- but not
-
- chief.admin.EDU
-
- In this case, the value of "search" should be set to "DESERTU.EDU"
- because that's the scope of the name space controlled by the local
- DNS administrator.
-
- This is more than a mere optimization hack. The local administrator
- has control over the assignment of names within the locally
- administered domain, so the administrator can make sure that
- abbreviations result in the right thing. Outside of the local
- control, users are necessarily at risk.
-
-
-
-Gavron [Page 3]
-
-RFC 1535 DNS Software Enhancements October 1993
-
-
- A more stringent mechanism is implemented in BIND 4.9.2, to respond
- to this problem:
-
- The DNS Name resolver clients narrows its IMPLICIT search list IF ANY
- to only try the first and the last of the examples shown.
-
- Any additional search alternatives must be configured into the
- resolver EXPLICITLY.
-
- DNS Name resolver software SHOULD NOT use implicit search lists in
- attempts to resolve partial names into absolute FQDNs other than the
- hosts's immediate parent domain.
-
- Resolvers which continue to use implicit search lists MUST limit
- their scope to locally administered sub-domains.
-
- DNS Name resolver software SHOULD NOT come pre-configured with
- explicit search lists that perpetuate this problem.
-
- Further, in any event where a "." exists in a specified name it
- should be assumed to be a fully qualified domain name (FQDN) and
- SHOULD be tried as a rooted name first.
-
- Example: Given user@a.b.c.d connecting to e.f.g.h only two tries
- should be attempted as a result of using an implicit
- search list:
-
- e.f.g.h. and e.f.g.h.b.c.d.
-
- Given user@a.b.c.d. connecting to host those same two
- tries would appear as:
-
- x.b.c.d. and x.
-
- Some organizations make regular use of multi-part, partially
- qualified Domain Names. For example, host foo.loc1.org.city.state.us
- might be used to making references to bar.loc2, or mumble.loc3, all
- of which refer to whatever.locN.org.city.state.us
-
- The stringent implicit search rules for BIND 4.9.2 will now cause
- these searches to fail. To return the ability for them to succeed,
- configuration of the client resolvers must be changed to include an
- explicit search rule for org.city.state.us. That is, it must contain
- an explicit rule for any -- and each -- portion of the locally-
- administered sub-domain that it wishes to have as part of the search
- list.
-
-
-
-
-
-Gavron [Page 4]
-
-RFC 1535 DNS Software Enhancements October 1993
-
-
-References
-
- [1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13,
- RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [2] Mockapetris, P., "Domain Names Implementation and Specification",
- STD 13, RFC 1035, USC/Information Sciences Institute, November
- 1987.
-
- [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
- 974, CSNET CIC BBN, January 1986.
-
- [4] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. Miller,
- "Common DNS Implementation Errors and Suggested Fixes", RFC 1536,
- USC/Information Sciences Institute, USC, October 1993.
-
- [5] Beertema, P., "Common DNS Data File Configuration Errors", RFC
- 1537, CWI, October 1993.
-
-Security Considerations
-
- This memo indicates vulnerabilities with all too-forgiving DNS
- clients. It points out a correction that would eliminate the future
- potential of the problem.
-
-Author's Address
-
- Ehud Gavron
- ACES Research Inc.
- PO Box 14546
- Tucson, AZ 85711
-
- Phone: (602) 743-9841
- EMail: gavron@aces.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gavron [Page 5]
-
diff --git a/contrib/bind9/doc/rfc/rfc1536.txt b/contrib/bind9/doc/rfc/rfc1536.txt
deleted file mode 100644
index 5ff2b25d0370..000000000000
--- a/contrib/bind9/doc/rfc/rfc1536.txt
+++ /dev/null
@@ -1,675 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Kumar
-Request for Comments: 1536 J. Postel
-Category: Informational C. Neuman
- ISI
- P. Danzig
- S. Miller
- USC
- October 1993
-
-
- Common DNS Implementation Errors and Suggested Fixes
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard. Distribution of this memo is
- unlimited.
-
-Abstract
-
- This memo describes common errors seen in DNS implementations and
- suggests some fixes. Where applicable, violations of recommendations
- from STD 13, RFC 1034 and STD 13, RFC 1035 are mentioned. The memo
- also describes, where relevant, the algorithms followed in BIND
- (versions 4.8.3 and 4.9 which the authors referred to) to serve as an
- example.
-
-Introduction
-
- The last few years have seen, virtually, an explosion of DNS traffic
- on the NSFnet backbone. Various DNS implementations and various
- versions of these implementations interact with each other, producing
- huge amounts of unnecessary traffic. Attempts are being made by
- researchers all over the internet, to document the nature of these
- interactions, the symptomatic traffic patterns and to devise remedies
- for the sick pieces of software.
-
- This draft is an attempt to document fixes for known DNS problems so
- people know what problems to watch out for and how to repair broken
- software.
-
-1. Fast Retransmissions
-
- DNS implements the classic request-response scheme of client-server
- interaction. UDP is, therefore, the chosen protocol for communication
- though TCP is used for zone transfers. The onus of requerying in case
- no response is seen in a "reasonable" period of time, lies with the
- client. Although RFC 1034 and 1035 do not recommend any
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 1]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
- retransmission policy, RFC 1035 does recommend that the resolvers
- should cycle through a list of servers. Both name servers and stub
- resolvers should, therefore, implement some kind of a retransmission
- policy based on round trip time estimates of the name servers. The
- client should back-off exponentially, probably to a maximum timeout
- value.
-
- However, clients might not implement either of the two. They might
- not wait a sufficient amount of time before retransmitting or they
- might not back-off their inter-query times sufficiently.
-
- Thus, what the server would see will be a series of queries from the
- same querying entity, spaced very close together. Of course, a
- correctly implemented server discards all duplicate queries but the
- queries contribute to wide-area traffic, nevertheless.
-
- We classify a retransmission of a query as a pure Fast retry timeout
- problem when a series of query packets meet the following conditions.
-
- a. Query packets are seen within a time less than a "reasonable
- waiting period" of each other.
-
- b. No response to the original query was seen i.e., we see two or
- more queries, back to back.
-
- c. The query packets share the same query identifier.
-
- d. The server eventually responds to the query.
-
-A GOOD IMPLEMENTATION:
-
- BIND (we looked at versions 4.8.3 and 4.9) implements a good
- retransmission algorithm which solves or limits all of these
- problems. The Berkeley stub-resolver queries servers at an interval
- that starts at the greater of 4 seconds and 5 seconds divided by the
- number of servers the resolver queries. The resolver cycles through
- servers and at the end of a cycle, backs off the time out
- exponentially.
-
- The Berkeley full-service resolver (built in with the program
- "named") starts with a time-out equal to the greater of 4 seconds and
- two times the round-trip time estimate of the server. The time-out
- is backed off with each cycle, exponentially, to a ceiling value of
- 45 seconds.
-
-
-
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 2]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
-FIXES:
-
- a. Estimate round-trip times or set a reasonably high initial
- time-out.
-
- b. Back-off timeout periods exponentially.
-
- c. Yet another fundamental though difficult fix is to send the
- client an acknowledgement of a query, with a round-trip time
- estimate.
-
- Since UDP is used, no response is expected by the client until the
- query is complete. Thus, it is less likely to have information about
- previous packets on which to estimate its back-off time. Unless, you
- maintain state across queries, so subsequent queries to the same
- server use information from previous queries. Unfortunately, such
- estimates are likely to be inaccurate for chained requests since the
- variance is likely to be high.
-
- The fix chosen in the ARDP library used by Prospero is that the
- server will send an initial acknowledgement to the client in those
- cases where the server expects the query to take a long time (as
- might be the case for chained queries). This initial acknowledgement
- can include an expected time to wait before retrying.
-
- This fix is more difficult since it requires that the client software
- also be trained to expect the acknowledgement packet. This, in an
- internet of millions of hosts is at best a hard problem.
-
-2. Recursion Bugs
-
- When a server receives a client request, it first looks up its zone
- data and the cache to check if the query can be answered. If the
- answer is unavailable in either place, the server seeks names of
- servers that are more likely to have the information, in its cache or
- zone data. It then does one of two things. If the client desires the
- server to recurse and the server architecture allows recursion, the
- server chains this request to these known servers closest to the
- queried name. If the client doesn't seek recursion or if the server
- cannot handle recursion, it returns the list of name servers to the
- client assuming the client knows what to do with these records.
-
- The client queries this new list of name servers to get either the
- answer, or names of another set of name servers to query. This
- process repeats until the client is satisfied. Servers might also go
- through this chaining process if the server returns a CNAME record
- for the queried name. Some servers reprocess this name to try and get
- the desired record type.
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 3]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
- However, in certain cases, this chain of events may not be good. For
- example, a broken or malicious name server might list itself as one
- of the name servers to query again. The unsuspecting client resends
- the same query to the same server.
-
- In another situation, more difficult to detect, a set of servers
- might form a loop wherein A refers to B and B refers to A. This loop
- might involve more than two servers.
-
- Yet another error is where the client does not know how to process
- the list of name servers returned, and requeries the same server
- since that is one (of the few) servers it knows.
-
- We, therefore, classify recursion bugs into three distinct
- categories:
-
- a. Ignored referral: Client did not know how to handle NS records
- in the AUTHORITY section.
-
- b. Too many referrals: Client called on a server too many times,
- beyond a "reasonable" number, with same query. This is
- different from a Fast retransmission problem and a Server
- Failure detection problem in that a response is seen for every
- query. Also, the identifiers are always different. It implies
- client is in a loop and should have detected that and broken
- it. (RFC 1035 mentions that client should not recurse beyond
- a certain depth.)
-
- c. Malicious Server: a server refers to itself in the authority
- section. If a server does not have an answer now, it is very
- unlikely it will be any better the next time you query it,
- specially when it claims to be authoritative over a domain.
-
- RFC 1034 warns against such situations, on page 35.
-
- "Bound the amount of work (packets sent, parallel processes
- started) so that a request can't get into an infinite loop or
- start off a chain reaction of requests or queries with other
- implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
- SOME DATA."
-
-A GOOD IMPLEMENTATION:
-
- BIND fixes at least one of these problems. It places an upper limit
- on the number of recursive queries it will make, to answer a
- question. It chases a maximum of 20 referral links and 8 canonical
- name translations.
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 4]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
-FIXES:
-
- a. Set an upper limit on the number of referral links and CNAME
- links you are willing to chase.
-
- Note that this is not guaranteed to break only recursion loops.
- It could, in a rare case, prune off a very long search path,
- prematurely. We know, however, with high probability, that if
- the number of links cross a certain metric (two times the depth
- of the DNS tree), it is a recursion problem.
-
- b. Watch out for self-referring servers. Avoid them whenever
- possible.
-
- c. Make sure you never pass off an authority NS record with your
- own name on it!
-
- d. Fix clients to accept iterative answers from servers not built
- to provide recursion. Such clients should either be happy with
- the non-authoritative answer or be willing to chase the
- referral links themselves.
-
-3. Zero Answer Bugs:
-
- Name servers sometimes return an authoritative NOERROR with no
- ANSWER, AUTHORITY or ADDITIONAL records. This happens when the
- queried name is valid but it does not have a record of the desired
- type. Of course, the server has authority over the domain.
-
- However, once again, some implementations of resolvers do not
- interpret this kind of a response reasonably. They always expect an
- answer record when they see an authoritative NOERROR. These entities
- continue to resend their queries, possibly endlessly.
-
-A GOOD IMPLEMENTATION
-
- BIND resolver code does not query a server more than 3 times. If it
- is unable to get an answer from 4 servers, querying them three times
- each, it returns error.
-
- Of course, it treats a zero-answer response the way it should be
- treated; with respect!
-
-FIXES:
-
- a. Set an upper limit on the number of retransmissions for a given
- query, at the very least.
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 5]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
- b. Fix resolvers to interpret such a response as an authoritative
- statement of non-existence of the record type for the given
- name.
-
-4. Inability to detect server failure:
-
- Servers in the internet are not very reliable (they go down every
- once in a while) and resolvers are expected to adapt to the changed
- scenario by not querying the server for a while. Thus, when a server
- does not respond to a query, resolvers should try another server.
- Also, non-stub resolvers should update their round trip time estimate
- for the server to a large value so that server is not tried again
- before other, faster servers.
-
- Stub resolvers, however, cycle through a fixed set of servers and if,
- unfortunately, a server is down while others do not respond for other
- reasons (high load, recursive resolution of query is taking more time
- than the resolver's time-out, ....), the resolver queries the dead
- server again! In fact, some resolvers might not set an upper limit on
- the number of query retransmissions they will send and continue to
- query dead servers indefinitely.
-
- Name servers running system or chained queries might also suffer from
- the same problem. They store names of servers they should query for a
- given domain. They cycle through these names and in case none of them
- answers, hit each one more than one. It is, once again, important
- that there be an upper limit on the number of retransmissions, to
- prevent network overload.
-
- This behavior is clearly in violation of the dictum in RFC 1035 (page
- 46)
-
- "If a resolver gets a server error or other bizarre response
- from a name server, it should remove it from SLIST, and may
- wish to schedule an immediate transmission to the next
- candidate server address."
-
- Removal from SLIST implies that the server is not queried again for
- some time.
-
- Correctly implemented full-service resolvers should, as pointed out
- before, update round trip time values for servers that do not respond
- and query them only after other, good servers. Full-service resolvers
- might, however, not follow any of these common sense directives. They
- query dead servers, and they query them endlessly.
-
-
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 6]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
-A GOOD IMPLEMENTATION:
-
- BIND places an upper limit on the number of times it queries a
- server. Both the stub-resolver and the full-service resolver code do
- this. Also, since the full-service resolver estimates round-trip
- times and sorts name server addresses by these estimates, it does not
- query a dead server again, until and unless all the other servers in
- the list are dead too! Further, BIND implements exponential back-off
- too.
-
-FIXES:
-
- a. Set an upper limit on number of retransmissions.
-
- b. Measure round-trip time from servers (some estimate is better
- than none). Treat no response as a "very large" round-trip
- time.
-
- c. Maintain a weighted rtt estimate and decay the "large" value
- slowly, with time, so that the server is eventually tested
- again, but not after an indefinitely long period.
-
- d. Follow an exponential back-off scheme so that even if you do
- not restrict the number of queries, you do not overload the
- net excessively.
-
-5. Cache Leaks:
-
- Every resource record returned by a server is cached for TTL seconds,
- where the TTL value is returned with the RR. Full-service (or stub)
- resolvers cache the RR and answer any queries based on this cached
- information, in the future, until the TTL expires. After that, one
- more query to the wide-area network gets the RR in cache again.
-
- Full-service resolvers might not implement this caching mechanism
- well. They might impose a limit on the cache size or might not
- interpret the TTL value correctly. In either case, queries repeated
- within a TTL period of a RR constitute a cache leak.
-
-A GOOD/BAD IMPLEMENTATION:
-
- BIND has no restriction on the cache size and the size is governed by
- the limits on the virtual address space of the machine it is running
- on. BIND caches RRs for the duration of the TTL returned with each
- record.
-
- It does, however, not follow the RFCs with respect to interpretation
- of a 0 TTL value. If a record has a TTL value of 0 seconds, BIND uses
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 7]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
- the minimum TTL value, for that zone, from the SOA record and caches
- it for that duration. This, though it saves some traffic on the
- wide-area network, is not correct behavior.
-
-FIXES:
-
- a. Look over your caching mechanism to ensure TTLs are interpreted
- correctly.
-
- b. Do not restrict cache sizes (come on, memory is cheap!).
- Expired entries are reclaimed periodically, anyway. Of course,
- the cache size is bound to have some physical limit. But, when
- possible, this limit should be large (run your name server on
- a machine with a large amount of physical memory).
-
- c. Possibly, a mechanism is needed to flush the cache, when it is
- known or even suspected that the information has changed.
-
-6. Name Error Bugs:
-
- This bug is very similar to the Zero Answer bug. A server returns an
- authoritative NXDOMAIN when the queried name is known to be bad, by
- the server authoritative for the domain, in the absence of negative
- caching. This authoritative NXDOMAIN response is usually accompanied
- by the SOA record for the domain, in the authority section.
-
- Resolvers should recognize that the name they queried for was a bad
- name and should stop querying further.
-
- Some resolvers might, however, not interpret this correctly and
- continue to query servers, expecting an answer record.
-
- Some applications, in fact, prompt NXDOMAIN answers! When given a
- perfectly good name to resolve, they append the local domain to it
- e.g., an application in the domain "foo.bar.com", when trying to
- resolve the name "usc.edu" first tries "usc.edu.foo.bar.com", then
- "usc.edu.bar.com" and finally the good name "usc.edu". This causes at
- least two queries that return NXDOMAIN, for every good query. The
- problem is aggravated since the negative answers from the previous
- queries are not cached. When the same name is sought again, the
- process repeats.
-
- Some DNS resolver implementations suffer from this problem, too. They
- append successive sub-parts of the local domain using an implicit
- searchlist mechanism, when certain conditions are satisfied and try
- the original name, only when this first set of iterations fails. This
- behavior recently caused pandemonium in the Internet when the domain
- "edu.com" was registered and a wildcard "CNAME" record placed at the
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 8]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
- top level. All machines from "com" domains trying to connect to hosts
- in the "edu" domain ended up with connections to the local machine in
- the "edu.com" domain!
-
-GOOD/BAD IMPLEMENTATIONS:
-
- Some local versions of BIND already implement negative caching. They
- typically cache negative answers with a very small TTL, sufficient to
- answer a burst of queries spaced close together, as is typically
- seen.
-
- The next official public release of BIND (4.9.2) will have negative
- caching as an ifdef'd feature.
-
- The BIND resolver appends local domain to the given name, when one of
- two conditions is met:
-
- i. The name has no periods and the flag RES_DEFNAME is set.
- ii. There is no trailing period and the flag RES_DNSRCH is set.
-
- The flags RES_DEFNAME and RES_DNSRCH are default resolver options, in
- BIND, but can be changed at compile time.
-
- Only if the name, so generated, returns an NXDOMAIN is the original
- name tried as a Fully Qualified Domain Name. And only if it contains
- at least one period.
-
-FIXES:
-
- a. Fix the resolver code.
-
- b. Negative Caching. Negative caching servers will restrict the
- traffic seen on the wide-area network, even if not curb it
- altogether.
-
- c. Applications and resolvers should not append the local domain to
- names they seek to resolve, as far as possible. Names
- interspersed with periods should be treated as Fully Qualified
- Domain Names.
-
- In other words, Use searchlists only when explicitly specified.
- No implicit searchlists should be used. A name that contains
- any dots should first be tried as a FQDN and if that fails, with
- the local domain name (or searchlist if specified) appended. A
- name containing no dots can be appended with the searchlist right
- away, but once again, no implicit searchlists should be used.
-
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 9]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
- Associated with the name error bug is another problem where a server
- might return an authoritative NXDOMAIN, although the name is valid. A
- secondary server, on start-up, reads the zone information from the
- primary, through a zone transfer. While it is in the process of
- loading the zones, it does not have information about them, although
- it is authoritative for them. Thus, any query for a name in that
- domain is answered with an NXDOMAIN response code. This problem might
- not be disastrous were it not for negative caching servers that cache
- this answer and so propagate incorrect information over the internet.
-
-BAD IMPLEMENTATION:
-
- BIND apparently suffers from this problem.
-
- Also, a new name added to the primary database will take a while to
- propagate to the secondaries. Until that time, they will return
- NXDOMAIN answers for a good name. Negative caching servers store this
- answer, too and aggravate this problem further. This is probably a
- more general DNS problem but is apparently more harmful in this
- situation.
-
-FIX:
-
- a. Servers should start answering only after loading all the zone
- data. A failed server is better than a server handing out
- incorrect information.
-
- b. Negative cache records for a very small time, sufficient only
- to ward off a burst of requests for the same bad name. This
- could be related to the round-trip time of the server from
- which the negative answer was received. Alternatively, a
- statistical measure of the amount of time for which queries
- for such names are received could be used. Minimum TTL value
- from the SOA record is not advisable since they tend to be
- pretty large.
-
- c. A "PUSH" (or, at least, a "NOTIFY") mechanism should be allowed
- and implemented, to allow the primary server to inform
- secondaries that the database has been modified since it last
- transferred zone data. To alleviate the problem of "too many
- zone transfers" that this might cause, Incremental Zone
- Transfers should also be part of DNS. Also, the primary should
- not NOTIFY/PUSH with every update but bunch a good number
- together.
-
-
-
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 10]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
-7. Format Errors:
-
- Some resolvers issue query packets that do not necessarily conform to
- standards as laid out in the relevant RFCs. This unnecessarily
- increases net traffic and wastes server time.
-
-FIXES:
-
- a. Fix resolvers.
-
- b. Each resolver verify format of packets before sending them out,
- using a mechanism outside of the resolver. This is, obviously,
- needed only if step 1 cannot be followed.
-
-References
-
- [1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13,
- RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [2] Mockapetris, P., "Domain Names Implementation and Specification",
- STD 13, RFC 1035, USC/Information Sciences Institute, November
- 1987.
-
- [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
- 974, CSNET CIC BBN, January 1986.
-
- [4] Gavron, E., "A Security Problem and Proposed Correction With
- Widely Deployed DNS Software", RFC 1535, ACES Research Inc.,
- October 1993.
-
- [5] Beertema, P., "Common DNS Data File Configuration Errors", RFC
- 1537, CWI, October 1993.
-
-Security Considerations
-
- Security issues are not discussed in this memo.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 11]
-
-RFC 1536 Common DNS Implementation Errors October 1993
-
-
-Authors' Addresses
-
- Anant Kumar
- USC Information Sciences Institute
- 4676 Admiralty Way
- Marina Del Rey CA 90292-6695
-
- Phone:(310) 822-1511
- FAX: (310) 823-6741
- EMail: anant@isi.edu
-
-
- Jon Postel
- USC Information Sciences Institute
- 4676 Admiralty Way
- Marina Del Rey CA 90292-6695
-
- Phone:(310) 822-1511
- FAX: (310) 823-6714
- EMail: postel@isi.edu
-
-
- Cliff Neuman
- USC Information Sciences Institute
- 4676 Admiralty Way
- Marina Del Rey CA 90292-6695
-
- Phone:(310) 822-1511
- FAX: (310) 823-6714
- EMail: bcn@isi.edu
-
-
- Peter Danzig
- Computer Science Department
- University of Southern California
- University Park
-
- EMail: danzig@caldera.usc.edu
-
-
- Steve Miller
- Computer Science Department
- University of Southern California
- University Park
- Los Angeles CA 90089
-
- EMail: smiller@caldera.usc.edu
-
-
-
-
-Kumar, Postel, Neuman, Danzig & Miller [Page 12]
-
diff --git a/contrib/bind9/doc/rfc/rfc1537.txt b/contrib/bind9/doc/rfc/rfc1537.txt
deleted file mode 100644
index 81b97683156b..000000000000
--- a/contrib/bind9/doc/rfc/rfc1537.txt
+++ /dev/null
@@ -1,507 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Beertema
-Request for Comments: 1537 CWI
-Category: Informational October 1993
-
-
- Common DNS Data File Configuration Errors
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard. Distribution of this memo is
- unlimited.
-
-Abstract
-
- This memo describes errors often found in DNS data files. It points
- out common mistakes system administrators tend to make and why they
- often go unnoticed for long periods of time.
-
-Introduction
-
- Due to the lack of extensive documentation and automated tools, DNS
- zone files have mostly been configured by system administrators, by
- hand. Some of the rules for writing the data files are rather subtle
- and a few common mistakes are seen in domains worldwide.
-
- This document is an attempt to list "surprises" that administrators
- might find hidden in their zone files. It describes the symptoms of
- the malady and prescribes medicine to cure that. It also gives some
- general recommendations and advice on specific nameserver and zone
- file issues and on the (proper) use of the Domain Name System.
-
-1. SOA records
-
- A problem I've found in quite some nameservers is that the various
- timers have been set (far) too low. Especially for top level domain
- nameservers this causes unnecessary traffic over international and
- intercontinental links.
-
- Unfortunately the examples given in the BIND manual, in RFC's and in
- some expert documents give those very short timer values, and that's
- most likely what people have modeled their SOA records after.
-
- First of all a short explanation of the timers used in the SOA
- record:
-
-
-
-
-
-
-Beertema [Page 1]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
- - Refresh: The SOA record of the primary server is checked
- every "refresh" time by the secondary servers;
- if it has changed, a zone transfer is done.
-
- - Retry: If a secondary server cannot reach the primary
- server, it tries it again every "retry" time.
-
- - Expire: If for "expire" time the primary server cannot
- be reached, all information about the zone is
- invalidated on the secondary servers (i.e., they
- are no longer authoritative for that zone).
-
- - Minimum TTL: The default TTL value for all records in the
- zone file; a different TTL value may be given
- explicitly in a record when necessary.
- (This timer is named "Minimum", and that's
- what it's function should be according to
- STD 13, RFC 1035, but most (all?)
- implementations take it as the default value
- exported with records without an explicit TTL
- value).
-
- For top level domain servers I would recommend the following values:
-
- 86400 ; Refresh 24 hours
- 7200 ; Retry 2 hours
- 2592000 ; Expire 30 days
- 345600 ; Minimum TTL 4 days
-
- For other servers I would suggest:
-
- 28800 ; Refresh 8 hours
- 7200 ; Retry 2 hours
- 604800 ; Expire 7 days
- 86400 ; Minimum TTL 1 day
-
- but here the frequency of changes, the required speed of propagation,
- the reachability of the primary server etc. play a role in optimizing
- the timer values.
-
-2. Glue records
-
- Quite often, people put unnecessary glue (A) records in their zone
- files. Even worse is that I've even seen *wrong* glue records for an
- external host in a primary zone file! Glue records need only be in a
- zone file if the server host is within the zone and there is no A
- record for that host elsewhere in the zone file.
-
-
-
-
-Beertema [Page 2]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
- Old BIND versions ("native" 4.8.3 and older versions) showed the
- problem that wrong glue records could enter secondary servers in a
- zone transfer.
-
-3. "Secondary server surprise"
-
- I've seen it happen on various occasions that hosts got bombarded by
- nameserver requests without knowing why. On investigation it turned
- out then that such a host was supposed to (i.e., the information was
- in the root servers) run secondary for some domain (or reverse (in-
- addr.arpa)) domain, without that host's nameserver manager having
- been asked or even been told so!
-
- Newer BIND versions (4.9 and later) solved this problem. At the same
- time though the fix has the disadvantage that it's far less easy to
- spot this problem.
-
- Practice has shown that most domain registrars accept registrations
- of nameservers without checking if primary (!) and secondary servers
- have been set up, informed, or even asked. It should also be noted
- that a combination of long-lasting unreachability of primary
- nameservers, (therefore) expiration of zone information, plus static
- IP routing, can lead to massive network traffic that can fill up
- lines completely.
-
-4. "MX records surprise"
-
- In a sense similar to point 3. Sometimes nameserver managers enter MX
- records in their zone files that point to external hosts, without
- first asking or even informing the systems managers of those external
- hosts. This has to be fought out between the nameserver manager and
- the systems managers involved. Only as a last resort, if really
- nothing helps to get the offending records removed, can the systems
- manager turn to the naming authority of the domain above the
- offending domain to get the problem sorted out.
-
-5. "Name extension surprise"
-
- Sometimes one encounters weird names, which appear to be an external
- name extended with a local domain. This is caused by forgetting to
- terminate a name with a dot: names in zone files that don't end with
- a dot are always expanded with the name of the current zone (the
- domain that the zone file stands for or the last $ORIGIN).
-
- Example: zone file for foo.xx:
-
- pqr MX 100 relay.yy.
- xyz MX 100 relay.yy (no trailing dot!)
-
-
-
-Beertema [Page 3]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
- When fully written out this stands for:
-
- pqr.foo.xx. MX 100 relay.yy.
- xyz.foo.xx. MX 100 relay.yy.foo.xx. (name extension!)
-
-6. Missing secondary servers
-
- It is required that there be a least 2 nameservers for a domain. For
- obvious reasons the nameservers for top level domains need to be very
- well reachable from all over the Internet. This implies that there
- must be more than just 2 of them; besides, most of the (secondary)
- servers should be placed at "strategic" locations, e.g., close to a
- point where international and/or intercontinental lines come
- together. To keep things manageable, there shouldn't be too many
- servers for a domain either.
-
- Important aspects in selecting the location of primary and secondary
- servers are reliability (network, host) and expedient contacts: in
- case of problems, changes/fixes must be carried out quickly. It
- should be considered logical that primary servers for European top
- level domains should run on a host in Europe, preferably (if
- possible) in the country itself. For each top level domain there
- should be 2 secondary servers in Europe and 2 in the USA, but there
- may of course be more on either side. An excessive number of
- nameservers is not a good idea though; a recommended maximum is 7
- nameservers. In Europe, EUnet has offered to run secondary server
- for each European top level domain.
-
-7. Wildcard MX records
-
- Wildcard MX records should be avoided where possible. They often
- cause confusion and errors: especially beginning nameserver managers
- tend to overlook the fact that a host/domain listed with ANY type of
- record in a zone file is NOT covered by an overall wildcard MX record
- in that zone; this goes not only for simple domain/host names, but
- also for names that cover one or more domains. Take the following
- example in zone foo.bar:
-
- * MX 100 mailhost
- pqr MX 100 mailhost
- abc.def MX 100 mailhost
-
- This makes pqr.foo.bar, def.foo.bar and abd.def.foo.bar valid
- domains, but the wildcard MX record covers NONE of them, nor anything
- below them. To cover everything by MX records, the required entries
- are:
-
-
-
-
-
-Beertema [Page 4]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
- * MX 100 mailhost
- pqr MX 100 mailhost
- *.pqr MX 100 mailhost
- abc.def MX 100 mailhost
- *.def MX 100 mailhost
- *.abc.def MX 100 mailhost
-
- An overall wildcard MX record is almost never useful.
-
- In particular the zone file of a top level domain should NEVER
- contain only an overall wildcard MX record (*.XX). The effect of such
- a wildcard MX record can be that mail is unnecessarily sent across
- possibly expensive links, only to fail at the destination or gateway
- that the record points to. Top level domain zone files should
- explicitly list at least all the officially registered primary
- subdomains.
-
- Whereas overall wildcard MX records should be avoided, wildcard MX
- records are acceptable as an explicit part of subdomain entries,
- provided they are allowed under a given subdomain (to be determined
- by the naming authority for that domain).
-
- Example:
-
- foo.xx. MX 100 gateway.xx.
- MX 200 fallback.yy.
- *.foo.xx. MX 100 gateway.xx.
- MX 200 fallback.yy.
-8. Hostnames
-
- People appear to sometimes look only at STD 11, RFC 822 to determine
- whether a particular hostname is correct or not. Hostnames should
- strictly conform to the syntax given in STD 13, RFC 1034 (page 11),
- with *addresses* in addition conforming to RFC 822. As an example
- take "c&w.blues" which is perfectly legal according to RFC 822, but
- which can have quite surprising effects on particular systems, e.g.,
- "telnet c&w.blues" on a Unix system.
-
-9. HINFO records
-
- There appears to be a common misunderstanding that one of the data
- fields (usually the second field) in HINFO records is optional. A
- recent scan of all reachable nameservers in only one country revealed
- some 300 incomplete HINFO records. Specifying two data fields in a
- HINFO record is mandatory (RFC 1033), but note that this does *not*
- mean that HINFO records themselves are mandatory.
-
-
-
-
-
-Beertema [Page 5]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
-10. Safety measures and specialties
-
- Nameservers and resolvers aren't flawless. Bogus queries should be
- kept from being forwarded to the root servers, since they'll only
- lead to unnecessary intercontinental traffic. Known bogus queries
- that can easily be dealt with locally are queries for 0 and broadcast
- addresses. To catch such queries, every nameserver should run
- primary for the 0.in-addr.arpa and 255.in-addr.arpa zones; the zone
- files need only contain a SOA and an NS record.
-
- Also each nameserver should run primary for 0.0.127.in-addr.arpa;
- that zone file should contain a SOA and NS record and an entry:
-
- 1 PTR localhost.
-
- There has been extensive discussion about whether or not to append
- the local domain to it. The conclusion was that "localhost." would be
- the best solution; reasons given were:
-
- - "localhost" itself is used and expected to work on some systems.
-
- - translating 127.0.0.1 into "localhost.my_domain" can cause some
- software to connect to itself using the loopback interface when
- it didn't want to.
-
- Note that all domains that contain hosts should have a "localhost" A
- record in them.
-
- People maintaining zone files with the Serial number given in dotted
- decimal notation (e.g., when SCCS is used to maintain the files)
- should beware of a bug in all BIND versions: if the serial number is
- in Release.Version (dotted decimal) notation, then it is virtually
- impossible to change to a higher release: because of the wrong way
- that notation is turned into an integer, it results in a serial
- number that is LOWER than that of the former release.
-
- For this reason and because the Serial is an (unsigned) integer
- according to STD 13, RFC 1035, it is recommended not to use the
- dotted decimal notation. A recommended notation is to use the date
- (yyyymmdd), if necessary with an extra digit (yyyymmddn) if there is
- or can be more than one change per day in a zone file.
-
- Very old versions of DNS resolver code have a bug that causes queries
- for A records with domain names like "192.16.184.3" to go out. This
- happens when users type in IP addresses and the resolver code does
- not catch this case before sending out a DNS query. This problem has
- been fixed in all resolver implementations known to us but if it
- still pops up it is very serious because all those queries will go to
-
-
-
-Beertema [Page 6]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
- the root servers looking for top level domains like "3" etc. It is
- strongly recommended to install the latest (publicly) available BIND
- version plus all available patches to get rid of these and other
- problems.
-
- Running secondary nameserver off another secondary nameserver is
- possible, but not recommended unless really necessary: there are
- known cases where it has led to problems like bogus TTL values. This
- can be caused by older or flawed implementations, but secondary
- nameservers in principle should always transfer their zones from the
- official primary nameserver.
-
-11. Some general points
-
- The Domain Name System and nameserver are purely technical tools, not
- meant in any way to exert control or impose politics. The function of
- a naming authority is that of a clearing house. Anyone registering a
- subdomain under a particular (top level) domain becomes naming
- authority and therewith the sole responsible for that subdomain.
- Requests to enter MX or NS records concerning such a subdomain
- therefore always MUST be honored by the registrar of the next higher
- domain.
-
- Examples of practices that are not allowed are:
-
- - imposing specific mail routing (MX records) when registering
- a subdomain.
-
- - making registration of a subdomain dependent on to the use of
- certain networks or services.
-
- - using TXT records as a means of (free) commercial advertising.
-
- In the latter case a network service provider could decide to cut off
- a particular site until the offending TXT records have been removed
- from the site's zone file.
-
- Of course there are obvious cases where a naming authority can refuse
- to register a particular subdomain and can require a proposed name to
- be changed in order to get it registered (think of DEC trying to
- register a domain IBM.XX).
-
- There are also cases were one has to probe the authority of the
- person: sending in the application - not every systems manager should
- be able to register a domain name for a whole university. The naming
- authority can impose certain extra rules as long as they don't
- violate or conflict with the rights and interest of the registrars of
- subdomains; a top level domain registrar may e.g., require that there
-
-
-
-Beertema [Page 7]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
- be primary subdomain "ac" and "co" only and that subdomains be
- registered under those primary subdomains.
-
- The naming authority can also interfere in exceptional cases like the
- one mentioned in point 4, e.g., by temporarily removing a domain's
- entry from the nameserver zone files; this of course should be done
- only with extreme care and only as a last resort.
-
- When adding NS records for subdomains, top level domain nameserver
- managers should realize that the people setting up the nameserver for
- a subdomain often are rather inexperienced and can make mistakes that
- can easily lead to the subdomain becoming completely unreachable or
- that can cause unnecessary DNS traffic (see point 1). It is therefore
- highly recommended that, prior to entering such an NS record, the
- (top level) nameserver manager does a couple of sanity checks on the
- new nameserver (SOA record and timers OK?, MX records present where
- needed? No obvious errors made? Listed secondary servers
- operational?). Things that cannot be caught though by such checks
- are:
-
- - resolvers set up to use external hosts as nameservers
-
- - nameservers set up to use external hosts as forwarders
- without permission from those hosts.
-
- Care should also be taken when registering 2-letter subdomains.
- Although this is allowed, an implication is that abbreviated
- addressing (see STD 11, RFC 822, paragraph 6.2.2) is not possible in
- and under that subdomain. When requested to register such a domain,
- one should always notify the people of this consequence. As an
- example take the name "cs", which is commonly used for Computer
- Science departments: it is also the name of the top level domain for
- Czecho-Slovakia, so within the domain cs.foo.bar the user@host.cs is
- ambiguous in that in can denote both a user on the host
- host.cs.foo.bar and a user on the host "host" in Czecho-Slovakia.
- (This example does not take into account the recent political changes
- in the mentioned country).
-
-References
-
- [1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13,
- RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [2] Mockapetris, P., "Domain Names Implementation and Specification",
- STD 13, RFC 1035, USC/Information Sciences Institute, November
- 1987.
-
-
-
-
-
-Beertema [Page 8]
-
-RFC 1537 Common DNS Data File Configuration Errors October 1993
-
-
- [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
- 974, CSNET CIC BBN, January 1986.
-
- [4] Gavron, E., "A Security Problem and Proposed Correction With
- Widely Deployed DNS Software", RFC 1535, ACES Research Inc.,
- October 1993.
-
- [5] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. Miller,
- "Common DNS Implementation Errors and Suggested Fixes", RFC 1536,
- USC/Information Sciences Institute, USC, October 1993.
-
-Security Considerations
-
- Security issues are not discussed in this memo.
-
-Author's Address
-
- Piet Beertema
- CWI
- Kruislaan 413
- NL-1098 SJ Amsterdam
- The Netherlands
-
- Phone: +31 20 592 4112
- FAX: +31 20 592 4199
- EMail: Piet.Beertema@cwi.nl
-
-
-Editor's Address
-
- Anant Kumar
- USC Information Sciences Institute
- 4676 Admiralty Way
- Marina Del Rey CA 90292-6695
-
- Phone:(310) 822-1511
- FAX: (310) 823-6741
- EMail: anant@isi.edu
-
-
-
-
-
-
-
-
-
-
-
-
-
-Beertema [Page 9]
- \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1591.txt b/contrib/bind9/doc/rfc/rfc1591.txt
deleted file mode 100644
index 89e0a254a235..000000000000
--- a/contrib/bind9/doc/rfc/rfc1591.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Postel
-Request for Comments: 1591 ISI
-Category: Informational March 1994
-
-
- Domain Name System Structure and Delegation
-
-
-Status of this Memo
-
- This memo provides information for the Internet community. This memo
- does not specify an Internet standard of any kind. Distribution of
- this memo is unlimited.
-
-1. Introduction
-
- This memo provides some information on the structure of the names in
- the Domain Name System (DNS), specifically the top-level domain
- names; and on the administration of domains. The Internet Assigned
- Numbers Authority (IANA) is the overall authority for the IP
- Addresses, the Domain Names, and many other parameters, used in the
- Internet. The day-to-day responsibility for the assignment of IP
- Addresses, Autonomous System Numbers, and most top and second level
- Domain Names are handled by the Internet Registry (IR) and regional
- registries.
-
-2. The Top Level Structure of the Domain Names
-
- In the Domain Name System (DNS) naming of computers there is a
- hierarchy of names. The root of system is unnamed. There are a set
- of what are called "top-level domain names" (TLDs). These are the
- generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two
- letter country codes from ISO-3166. It is extremely unlikely that
- any other TLDs will be created.
-
- Under each TLD may be created a hierarchy of names. Generally, under
- the generic TLDs the structure is very flat. That is, many
- organizations are registered directly under the TLD, and any further
- structure is up to the individual organizations.
-
- In the country TLDs, there is a wide variation in the structure, in
- some countries the structure is very flat, in others there is
- substantial structural organization. In some country domains the
- second levels are generic categories (such as, AC, CO, GO, and RE),
- in others they are based on political geography, and in still others,
- organization names are listed directly under the country code. The
- organization for the US country domain is described in RFC 1480 [1].
-
-
-
-
-Postel [Page 1]
-
-RFC 1591 Domain Name System Structure and Delegation March 1994
-
-
- Each of the generic TLDs was created for a general category of
- organizations. The country code domains (for example, FR, NL, KR,
- US) are each organized by an administrator for that country. These
- administrators may further delegate the management of portions of the
- naming tree. These administrators are performing a public service on
- behalf of the Internet community. Descriptions of the generic
- domains and the US country domain follow.
-
- Of these generic domains, five are international in nature, and two
- are restricted to use by entities in the United States.
-
- World Wide Generic Domains:
-
- COM - This domain is intended for commercial entities, that is
- companies. This domain has grown very large and there is
- concern about the administrative load and system performance if
- the current growth pattern is continued. Consideration is
- being taken to subdivide the COM domain and only allow future
- commercial registrations in the subdomains.
-
- EDU - This domain was originally intended for all educational
- institutions. Many Universities, colleges, schools,
- educational service organizations, and educational consortia
- have registered here. More recently a decision has been taken
- to limit further registrations to 4 year colleges and
- universities. Schools and 2-year colleges will be registered
- in the country domains (see US Domain, especially K12 and CC,
- below).
-
- NET - This domain is intended to hold only the computers of network
- providers, that is the NIC and NOC computers, the
- administrative computers, and the network node computers. The
- customers of the network provider would have domain names of
- their own (not in the NET TLD).
-
- ORG - This domain is intended as the miscellaneous TLD for
- organizations that didn't fit anywhere else. Some non-
- government organizations may fit here.
-
- INT - This domain is for organizations established by international
- treaties, or international databases.
-
- United States Only Generic Domains:
-
- GOV - This domain was originally intended for any kind of government
- office or agency. More recently a decision was taken to
- register only agencies of the US Federal government in this
- domain. State and local agencies are registered in the country
-
-
-
-Postel [Page 2]
-
-RFC 1591 Domain Name System Structure and Delegation March 1994
-
-
- domains (see US Domain, below).
-
- MIL - This domain is used by the US military.
-
- Example country code Domain:
-
- US - As an example of a country domain, the US domain provides for
- the registration of all kinds of entities in the United States
- on the basis of political geography, that is, a hierarchy of
- <entity-name>.<locality>.<state-code>.US. For example,
- "IBM.Armonk.NY.US". In addition, branches of the US domain are
- provided within each state for schools (K12), community colleges
- (CC), technical schools (TEC), state government agencies
- (STATE), councils of governments (COG),libraries (LIB), museums
- (MUS), and several other generic types of entities (see RFC 1480
- for details [1]).
-
- To find a contact for a TLD use the "whois" program to access the
- database on the host rs.internic.net. Append "-dom" to the name of
- TLD you are interested in. For example:
-
- whois -h rs.internic.net us-dom
- or
- whois -h rs.internic.net edu-dom
-
-3. The Administration of Delegated Domains
-
- The Internet Assigned Numbers Authority (IANA) is responsible for the
- overall coordination and management of the Domain Name System (DNS),
- and especially the delegation of portions of the name space called
- top-level domains. Most of these top-level domains are two-letter
- country codes taken from the ISO standard 3166.
-
- A central Internet Registry (IR) has been selected and designated to
- handled the bulk of the day-to-day administration of the Domain Name
- System. Applications for new top-level domains (for example, country
- code domains) are handled by the IR with consultation with the IANA.
- The central IR is INTERNIC.NET. Second level domains in COM, EDU,
- ORG, NET, and GOV are registered by the Internet Registry at the
- InterNIC. The second level domains in the MIL are registered by the
- DDN registry at NIC.DDN.MIL. Second level names in INT are
- registered by the PVM at ISI.EDU.
-
- While all requests for new top-level domains must be sent to the
- Internic (at hostmaster@internic.net), the regional registries are
- often enlisted to assist in the administration of the DNS, especially
- in solving problems with a country administration. Currently, the
- RIPE NCC is the regional registry for Europe and the APNIC is the
-
-
-
-Postel [Page 3]
-
-RFC 1591 Domain Name System Structure and Delegation March 1994
-
-
- regional registry for the Asia-Pacific region, while the INTERNIC
- administers the North America region, and all the as yet undelegated
- regions.
-
- The contact mailboxes for these regional registries are:
-
- INTERNIC hostmaster@internic.net
- APNIC hostmaster@apnic.net
- RIPE NCC ncc@ripe.net
-
- The policy concerns involved when a new top-level domain is
- established are described in the following. Also mentioned are
- concerns raised when it is necessary to change the delegation of an
- established domain from one party to another.
-
- A new top-level domain is usually created and its management
- delegated to a "designated manager" all at once.
-
- Most of these same concerns are relevant when a sub-domain is
- delegated and in general the principles described here apply
- recursively to all delegations of the Internet DNS name space.
-
- The major concern in selecting a designated manager for a domain is
- that it be able to carry out the necessary responsibilities, and have
- the ability to do a equitable, just, honest, and competent job.
-
- 1) The key requirement is that for each domain there be a designated
- manager for supervising that domain's name space. In the case of
- top-level domains that are country codes this means that there is
- a manager that supervises the domain names and operates the domain
- name system in that country.
-
- The manager must, of course, be on the Internet. There must be
- Internet Protocol (IP) connectivity to the nameservers and email
- connectivity to the management and staff of the manager.
-
- There must be an administrative contact and a technical contact
- for each domain. For top-level domains that are country codes at
- least the administrative contact must reside in the country
- involved.
-
- 2) These designated authorities are trustees for the delegated
- domain, and have a duty to serve the community.
-
- The designated manager is the trustee of the top-level domain for
- both the nation, in the case of a country code, and the global
- Internet community.
-
-
-
-
-Postel [Page 4]
-
-RFC 1591 Domain Name System Structure and Delegation March 1994
-
-
- Concerns about "rights" and "ownership" of domains are
- inappropriate. It is appropriate to be concerned about
- "responsibilities" and "service" to the community.
-
- 3) The designated manager must be equitable to all groups in the
- domain that request domain names.
-
- This means that the same rules are applied to all requests, all
- requests must be processed in a non-discriminatory fashion, and
- academic and commercial (and other) users are treated on an equal
- basis. No bias shall be shown regarding requests that may come
- from customers of some other business related to the manager --
- e.g., no preferential service for customers of a particular data
- network provider. There can be no requirement that a particular
- mail system (or other application), protocol, or product be used.
-
- There are no requirements on subdomains of top-level domains
- beyond the requirements on higher-level domains themselves. That
- is, the requirements in this memo are applied recursively. In
- particular, all subdomains shall be allowed to operate their own
- domain name servers, providing in them whatever information the
- subdomain manager sees fit (as long as it is true and correct).
-
- 4) Significantly interested parties in the domain should agree that
- the designated manager is the appropriate party.
-
- The IANA tries to have any contending parties reach agreement
- among themselves, and generally takes no action to change things
- unless all the contending parties agree; only in cases where the
- designated manager has substantially mis-behaved would the IANA
- step in.
-
- However, it is also appropriate for interested parties to have
- some voice in selecting the designated manager.
-
- There are two cases where the IANA and the central IR may
- establish a new top-level domain and delegate only a portion of
- it: (1) there are contending parties that cannot agree, or (2) the
- applying party may not be able to represent or serve the whole
- country. The later case sometimes arises when a party outside a
- country is trying to be helpful in getting networking started in a
- country -- this is sometimes called a "proxy" DNS service.
-
- The Internet DNS Names Review Board (IDNB), a committee
- established by the IANA, will act as a review panel for cases in
- which the parties can not reach agreement among themselves. The
- IDNB's decisions will be binding.
-
-
-
-
-Postel [Page 5]
-
-RFC 1591 Domain Name System Structure and Delegation March 1994
-
-
- 5) The designated manager must do a satisfactory job of operating the
- DNS service for the domain.
-
- That is, the actual management of the assigning of domain names,
- delegating subdomains and operating nameservers must be done with
- technical competence. This includes keeping the central IR (in
- the case of top-level domains) or other higher-level domain
- manager advised of the status of the domain, responding to
- requests in a timely manner, and operating the database with
- accuracy, robustness, and resilience.
-
- There must be a primary and a secondary nameserver that have IP
- connectivity to the Internet and can be easily checked for
- operational status and database accuracy by the IR and the IANA.
-
- In cases when there are persistent problems with the proper
- operation of a domain, the delegation may be revoked, and possibly
- delegated to another designated manager.
-
- 6) For any transfer of the designated manager trusteeship from one
- organization to another, the higher-level domain manager (the IANA
- in the case of top-level domains) must receive communications from
- both the old organization and the new organization that assure the
- IANA that the transfer in mutually agreed, and that the new
- organization understands its responsibilities.
-
- It is also very helpful for the IANA to receive communications
- from other parties that may be concerned or affected by the
- transfer.
-
-4. Rights to Names
-
- 1) Names and Trademarks
-
- In case of a dispute between domain name registrants as to the
- rights to a particular name, the registration authority shall have
- no role or responsibility other than to provide the contact
- information to both parties.
-
- The registration of a domain name does not have any Trademark
- status. It is up to the requestor to be sure he is not violating
- anyone else's Trademark.
-
- 2) Country Codes
-
- The IANA is not in the business of deciding what is and what is
- not a country.
-
-
-
-
-Postel [Page 6]
-
-RFC 1591 Domain Name System Structure and Delegation March 1994
-
-
- The selection of the ISO 3166 list as a basis for country code
- top-level domain names was made with the knowledge that ISO has a
- procedure for determining which entities should be and should not
- be on that list.
-
-5. Security Considerations
-
- Security issues are not discussed in this memo.
-
-6. Acknowledgements
-
- Many people have made comments on draft version of these descriptions
- and procedures. Steve Goldstein and John Klensin have been
- particularly helpful.
-
-7. Author's Address
-
- Jon Postel
- USC/Information Sciences Institute
- 4676 Admiralty Way
- Marina del Rey, CA 90292
-
- Phone: 310-822-1511
- Fax: 310-823-6714
- EMail: Postel@ISI.EDU
-
-7. References
-
- [1] Cooper, A., and J. Postel, "The US Domain", RFC 1480,
- USC/Information Sciences Institute, June 1993.
-
- [2] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC 1340,
- USC/Information Sciences Institute, July 1992.
-
- [3] Mockapetris, P., "Domain Names - Concepts and Facilities", STD
- 13, RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [4] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
- [6] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
- 974, CSNET CIC BBN, January 1986.
-
- [7] Braden, R., Editor, "Requirements for Internet Hosts --
- Application and Support", STD 3, RFC 1123, Internet Engineering
- Task Force, October 1989.
-
-
-
-
-Postel [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc1611.txt b/contrib/bind9/doc/rfc/rfc1611.txt
deleted file mode 100644
index ed5b93a83d8b..000000000000
--- a/contrib/bind9/doc/rfc/rfc1611.txt
+++ /dev/null
@@ -1,1683 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Austein
-Request for Comments: 1611 Epilogue Technology Corporation
-Category: Standards Track J. Saperia
- Digital Equipment Corporation
- May 1994
-
- DNS Server MIB Extensions
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Table of Contents
-
- 1. Introduction .............................................. 1
- 2. The SNMPv2 Network Management Framework ................... 2
- 2.1 Object Definitions ....................................... 2
- 3. Overview .................................................. 2
- 3.1 Resolvers ................................................ 3
- 3.2 Name Servers ............................................. 3
- 3.3 Selected Objects ......................................... 4
- 3.4 Textual Conventions ...................................... 4
- 4. Definitions ............................................... 5
- 5. Acknowledgements .......................................... 28
- 6. References ................................................ 28
- 7. Security Considerations ................................... 29
- 8. Authors' Addresses ........................................ 30
-
-1. Introduction
-
- This memo defines a portion of the Management Information Base (MIB)
- for use with network management protocols in the Internet community.
- In particular, it describes a set of extensions which instrument DNS
- name server functions. This memo was produced by the DNS working
- group.
-
- With the adoption of the Internet-standard Network Management
- Framework [4,5,6,7], and with a large number of vendor
- implementations of these standards in commercially available
- products, it became possible to provide a higher level of effective
- network management in TCP/IP-based internets than was previously
- available. With the growth in the use of these standards, it has
- become possible to consider the management of other elements of the
- infrastructure beyond the basic TCP/IP protocols. A key element of
-
-
-
-Austein & Saperia [Page 1]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- the TCP/IP infrastructure is the DNS.
-
- Up to this point there has been no mechanism to integrate the
- management of the DNS with SNMP-based managers. This memo provides
- the mechanisms by which IP-based management stations can effectively
- manage DNS name server software in an integrated fashion.
-
- We have defined DNS MIB objects to be used in conjunction with the
- Internet MIB to allow access to and control of DNS name server
- software via SNMP by the Internet community.
-
-2. The SNMPv2 Network Management Framework
-
- The SNMPv2 Network Management Framework consists of four major
- components. They are:
-
- o RFC 1442 which defines the SMI, the mechanisms used for
- describing and naming objects for the purpose of management.
-
- o STD 17, RFC 1213 defines MIB-II, the core set of managed objects
- for the Internet suite of protocols.
-
- o RFC 1445 which defines the administrative and other architectural
- aspects of the framework.
-
- o RFC 1448 which defines the protocol used for network access to
- managed objects.
-
- The Framework permits new objects to be defined for the purpose of
- experimentation and evaluation.
-
-2.1. Object Definitions
-
- Managed objects are accessed via a virtual information store, termed
- the Management Information Base or MIB. Objects in the MIB are
- defined using the subset of Abstract Syntax Notation One (ASN.1)
- defined in the SMI. In particular, each object object type is named
- by an OBJECT IDENTIFIER, an administratively assigned name. The
- object type together with an object instance serves to uniquely
- identify a specific instantiation of the object. For human
- convenience, we often use a textual string, termed the descriptor, to
- refer to the object type.
-
-3. Overview
-
- In theory, the DNS world is pretty simple. There are two kinds of
- entities: resolvers and name servers. Resolvers ask questions. Name
- servers answer them. The real world, however, is not so simple.
-
-
-
-Austein & Saperia [Page 2]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- Implementors have made widely differing choices about how to divide
- DNS functions between resolvers and servers. They have also
- constructed various sorts of exotic hybrids. The most difficult task
- in defining this MIB was to accommodate this wide range of entities
- without having to come up with a separate MIB for each.
-
- We divided up the various DNS functions into two, non-overlapping
- classes, called "resolver functions" and "name server functions." A
- DNS entity that performs what we define as resolver functions
- contains a resolver, and therefore must implement the MIB groups
- required of all resolvers which are defined in a separate MIB Module.
- A DNS entity which implements name server functions is considered to
- be a name server, and must implement the MIB groups required for name
- servers in this module. If the same piece of software performs both
- resolver and server functions, we imagine that it contains both a
- resolver and a server and would thus implement both the DNS Server
- and DNS Resolver MIBs.
-
-3.1. Resolvers
-
- In our model, a resolver is a program (or piece thereof) which
- obtains resource records from servers. Normally it does so at the
- behest of an application, but may also do so as part of its own
- operation. A resolver sends DNS protocol queries and receives DNS
- protocol replies. A resolver neither receives queries nor sends
- replies. A full service resolver is one that knows how to resolve
- queries: it obtains the needed resource records by contacting a
- server authoritative for the records desired. A stub resolver does
- not know how to resolve queries: it sends all queries to a local name
- server, setting the "recursion desired" flag to indicate that it
- hopes that the name server will be willing to resolve the query. A
- resolver may (optionally) have a cache for remembering previously
- acquired resource records. It may also have a negative cache for
- remembering names or data that have been determined not to exist.
-
-3.2. Name Servers
-
- A name server is a program (or piece thereof) that provides resource
- records to resolvers. All references in this document to "a name
- server" imply "the name server's role"; in some cases the name
- server's role and the resolver's role might be combined into a single
- program. A name server receives DNS protocol queries and sends DNS
- protocol replies. A name server neither sends queries nor receives
- replies. As a consequence, name servers do not have caches.
- Normally, a name server would expect to receive only those queries to
- which it could respond with authoritative information. However, if a
- name server receives a query that it cannot respond to with purely
- authoritative information, it may choose to try to obtain the
-
-
-
-Austein & Saperia [Page 3]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- necessary additional information from a resolver which may or may not
- be a separate process.
-
-3.3. Selected Objects
-
- Many of the objects included in this memo have been created from
- information contained in the DNS specifications [1,2], as amended and
- clarified by subsequent host requirements documents [3]. Other
- objects have been created based on experience with existing DNS
- management tools, expected operational needs, the statistics
- generated by existing DNS implementations, and the configuration
- files used by existing DNS implementations. These objects have been
- ordered into groups as follows:
-
- o Server Configuration Group
-
- o Server Counter Group
-
- o Server Optional Counter Group
-
- o Server Zone Group
-
- This information has been converted into a standard form using the
- SNMPv2 SMI defined in [9]. For the most part, the descriptions are
- influenced by the DNS related RFCs noted above. For example, the
- descriptions for counters used for the various types of queries of
- DNS records are influenced by the definitions used for the various
- record types found in [2].
-
-3.4. Textual Conventions
-
- Several conceptual data types have been introduced as a textual
- conventions in this DNS MIB document. These additions will
- facilitate the common understanding of information used by the DNS.
- No changes to the SMI or the SNMP are necessary to support these
- conventions.
-
- Readers familiar with MIBs designed to manage entities in the lower
- layers of the Internet protocol suite may be surprised at the number
- of non-enumerated integers used in this MIB to represent values such
- as DNS RR class and type numbers. The reason for this choice is
- simple: the DNS itself is designed as an extensible protocol,
- allowing new classes and types of resource records to be added to the
- protocol without recoding the core DNS software. Using non-
- enumerated integers to represent these data types in this MIB allows
- the MIB to accommodate these changes as well.
-
-
-
-
-
-Austein & Saperia [Page 4]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
-4. Definitions
-
- DNS-SERVER-MIB DEFINITIONS ::= BEGIN
-
- IMPORTS
- mib-2
- FROM RFC-1213
- MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
- IpAddress, Counter32, Gauge32
- FROM SNMPv2-SMI
- TEXTUAL-CONVENTION, RowStatus, DisplayString, TruthValue
- FROM SNMPv2-TC
- MODULE-COMPLIANCE, OBJECT-GROUP
- FROM SNMPv2-CONF;
-
- dns OBJECT-IDENTITY
- STATUS current
- DESCRIPTION
- "The OID assigned to DNS MIB work by the IANA."
- ::= { mib-2 32 }
-
- dnsServMIB MODULE-IDENTITY
- LAST-UPDATED "9401282251Z"
- ORGANIZATION "IETF DNS Working Group"
- CONTACT-INFO
- " Rob Austein
- Postal: Epilogue Technology Corporation
- 268 Main Street, Suite 283
- North Reading, MA 10864
- US
- Tel: +1 617 245 0804
- Fax: +1 617 245 8122
- E-Mail: sra@epilogue.com
-
- Jon Saperia
- Postal: Digital Equipment Corporation
- 110 Spit Brook Road
- ZKO1-3/H18
- Nashua, NH 03062-2698
- US
- Tel: +1 603 881 0480
- Fax: +1 603 881 0120
- Email: saperia@zko.dec.com"
- DESCRIPTION
- "The MIB module for entities implementing the server side
- of the Domain Name System (DNS) protocol."
- ::= { dns 1 }
-
-
-
-
-Austein & Saperia [Page 5]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- dnsServMIBObjects OBJECT IDENTIFIER ::= { dnsServMIB 1 }
-
- -- (Old-style) groups in the DNS server MIB.
-
- dnsServConfig OBJECT IDENTIFIER ::= { dnsServMIBObjects 1 }
- dnsServCounter OBJECT IDENTIFIER ::= { dnsServMIBObjects 2 }
- dnsServOptCounter OBJECT IDENTIFIER ::= { dnsServMIBObjects 3 }
- dnsServZone OBJECT IDENTIFIER ::= { dnsServMIBObjects 4 }
-
-
- -- Textual conventions
-
- DnsName ::= TEXTUAL-CONVENTION
- -- A DISPLAY-HINT would be nice, but difficult to express.
- STATUS current
- DESCRIPTION
- "A DNS name is a sequence of labels. When DNS names are
- displayed, the boundaries between labels are typically
- indicated by dots (e.g. `Acme' and `COM' are labels in
- the name `Acme.COM'). In the DNS protocol, however, no
- such separators are needed because each label is encoded
- as a length octet followed by the indicated number of
- octets of label. For example, `Acme.COM' is encoded as
- the octet sequence { 4, 'A', 'c', 'm', 'e', 3, 'C', 'O',
- 'M', 0 } (the final 0 is the length of the name of the
- root domain, which appears implicitly at the end of any
- DNS name). This MIB uses the same encoding as the DNS
- protocol.
-
- A DnsName must always be a fully qualified name. It is
- an error to encode a relative domain name as a DnsName
- without first making it a fully qualified name."
- REFERENCE
- "RFC-1034 section 3.1."
- SYNTAX OCTET STRING (SIZE (0..255))
-
- DnsNameAsIndex ::= TEXTUAL-CONVENTION
- STATUS current
- DESCRIPTION
- "This textual convention is like a DnsName, but is used
- as an index componant in tables. Alphabetic characters
- in names of this type are restricted to uppercase: the
- characters 'a' through 'z' are mapped to the characters
- 'A' through 'Z'. This restriction is intended to make
- the lexical ordering imposed by SNMP useful when applied
- to DNS names.
-
- Note that it is theoretically possible for a valid DNS
-
-
-
-Austein & Saperia [Page 6]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- name to exceed the allowed length of an SNMP object
- identifer, and thus be impossible to represent in tables
- in this MIB that are indexed by DNS name. Sampling of
- DNS names in current use on the Internet suggests that
- this limit does not pose a serious problem in practice."
- REFERENCE
- "RFC-1034 section 3.1, RFC-1448 section 4.1."
- SYNTAX DnsName
-
- DnsClass ::= TEXTUAL-CONVENTION
- DISPLAY-HINT "2d"
- STATUS current
- DESCRIPTION
- "This data type is used to represent the class values
- which appear in Resource Records in the DNS. A 16-bit
- unsigned integer is used to allow room for new classes
- of records to be defined. Existing standard classes are
- listed in the DNS specifications."
- REFERENCE
- "RFC-1035 section 3.2.4."
- SYNTAX INTEGER (0..65535)
-
- DnsType ::= TEXTUAL-CONVENTION
- DISPLAY-HINT "2d"
- STATUS current
- DESCRIPTION
- "This data type is used to represent the type values
- which appear in Resource Records in the DNS. A 16-bit
- unsigned integer is used to allow room for new record
- types to be defined. Existing standard types are listed
- in the DNS specifications."
- REFERENCE
- "RFC-1035 section 3.2.2."
- SYNTAX INTEGER (0..65535)
-
- DnsQClass ::= TEXTUAL-CONVENTION
- DISPLAY-HINT "2d"
- STATUS current
- DESCRIPTION
- "This data type is used to represent the QClass values
- which appear in Resource Records in the DNS. A 16-bit
- unsigned integer is used to allow room for new QClass
- records to be defined. Existing standard QClasses are
- listed in the DNS specification."
- REFERENCE
- "RFC-1035 section 3.2.5."
- SYNTAX INTEGER (0..65535)
-
-
-
-
-Austein & Saperia [Page 7]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- DnsQType ::= TEXTUAL-CONVENTION
- DISPLAY-HINT "2d"
- STATUS current
- DESCRIPTION
- "This data type is used to represent the QType values
- which appear in Resource Records in the DNS. A 16-bit
- unsigned integer is used to allow room for new QType
- records to be defined. Existing standard QTypes are
- listed in the DNS specification."
- REFERENCE
- "RFC-1035 section 3.2.3."
- SYNTAX INTEGER (0..65535)
-
- DnsTime ::= TEXTUAL-CONVENTION
- DISPLAY-HINT "4d"
- STATUS current
- DESCRIPTION
- "DnsTime values are 32-bit unsigned integers which
- measure time in seconds."
- REFERENCE
- "RFC-1035."
- SYNTAX Gauge32
-
-
- DnsOpCode ::= TEXTUAL-CONVENTION
- STATUS current
- DESCRIPTION
- "This textual convention is used to represent the DNS
- OPCODE values used in the header section of DNS
- messages. Existing standard OPCODE values are listed in
- the DNS specifications."
- REFERENCE
- "RFC-1035 section 4.1.1."
- SYNTAX INTEGER (0..15)
-
- DnsRespCode ::= TEXTUAL-CONVENTION
- STATUS current
- DESCRIPTION
- "This data type is used to represent the DNS RCODE value
- in DNS response messages. Existing standard RCODE
- values are listed in the DNS specifications."
- REFERENCE
- "RFC-1035 section 4.1.1."
- SYNTAX INTEGER (0..15)
-
-
-
-
-
-
-
-Austein & Saperia [Page 8]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- -- Server Configuration Group
-
- dnsServConfigImplementIdent OBJECT-TYPE
- SYNTAX DisplayString
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "The implementation identification string for the DNS
- server software in use on the system, for example;
- `FNS-2.1'"
- ::= { dnsServConfig 1 }
-
- dnsServConfigRecurs OBJECT-TYPE
- SYNTAX INTEGER { available(1),
- restricted(2),
- unavailable(3) }
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "This represents the recursion services offered by this
- name server. The values that can be read or written
- are:
-
- available(1) - performs recursion on requests from
- clients.
-
- restricted(2) - recursion is performed on requests only
- from certain clients, for example; clients on an access
- control list.
-
- unavailable(3) - recursion is not available."
- ::= { dnsServConfig 2 }
-
- dnsServConfigUpTime OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "If the server has a persistent state (e.g., a process),
- this value will be the time elapsed since it started.
- For software without persistant state, this value will
- be zero."
- ::= { dnsServConfig 3 }
-
- dnsServConfigResetTime OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
-
-
-
-Austein & Saperia [Page 9]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- DESCRIPTION
- "If the server has a persistent state (e.g., a process)
- and supports a `reset' operation (e.g., can be told to
- re-read configuration files), this value will be the
- time elapsed since the last time the name server was
- `reset.' For software that does not have persistence or
- does not support a `reset' operation, this value will be
- zero."
- ::= { dnsServConfig 4 }
-
- dnsServConfigReset OBJECT-TYPE
- SYNTAX INTEGER { other(1),
- reset(2),
- initializing(3),
- running(4) }
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Status/action object to reinitialize any persistant name
- server state. When set to reset(2), any persistant
- name server state (such as a process) is reinitialized as
- if the name server had just been started. This value
- will never be returned by a read operation. When read,
- one of the following values will be returned:
- other(1) - server in some unknown state;
- initializing(3) - server (re)initializing;
- running(4) - server currently running."
- ::= { dnsServConfig 5 }
-
-
- -- Server Counter Group
-
- dnsServCounterAuthAns OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries which were authoritatively answered."
- ::= { dnsServCounter 2 }
-
- dnsServCounterAuthNoNames OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries for which `authoritative no such name'
- responses were made."
- ::= { dnsServCounter 3 }
-
-
-
-Austein & Saperia [Page 10]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- dnsServCounterAuthNoDataResps OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries for which `authoritative no such data'
- (empty answer) responses were made."
- ::= { dnsServCounter 4 }
-
- dnsServCounterNonAuthDatas OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries which were non-authoritatively
- answered (cached data)."
- ::= { dnsServCounter 5 }
-
- dnsServCounterNonAuthNoDatas OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries which were non-authoritatively
- answered with no data (empty answer)."
- ::= { dnsServCounter 6 }
-
- dnsServCounterReferrals OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests that were referred to other servers."
- ::= { dnsServCounter 7 }
-
- dnsServCounterErrors OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed that were
- answered with errors (RCODE values other than 0 and 3)."
- REFERENCE
- "RFC-1035 section 4.1.1."
- ::= { dnsServCounter 8 }
-
- dnsServCounterRelNames OBJECT-TYPE
- SYNTAX Counter32
-
-
-
-Austein & Saperia [Page 11]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests received by the server for names that
- are only 1 label long (text form - no internal dots)."
- ::= { dnsServCounter 9 }
-
- dnsServCounterReqRefusals OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNS requests refused by the server."
- ::= { dnsServCounter 10 }
-
- dnsServCounterReqUnparses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests received which were unparseable."
- ::= { dnsServCounter 11 }
-
- dnsServCounterOtherErrors OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests which were aborted for other (local)
- server errors."
- ::= { dnsServCounter 12 }
-
- -- DNS Server Counter Table
-
- dnsServCounterTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsServCounterEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Counter information broken down by DNS class and type."
- ::= { dnsServCounter 13 }
-
- dnsServCounterEntry OBJECT-TYPE
- SYNTAX DnsServCounterEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "This table contains count information for each DNS class
-
-
-
-Austein & Saperia [Page 12]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- and type value known to the server. The index allows
- management software to to create indices to the table to
- get the specific information desired, e.g., number of
- queries over UDP for records with type value `A' which
- came to this server. In order to prevent an
- uncontrolled expansion of rows in the table; if
- dnsServCounterRequests is 0 and dnsServCounterResponses
- is 0, then the row does not exist and `no such' is
- returned when the agent is queried for such instances."
- INDEX { dnsServCounterOpCode,
- dnsServCounterQClass,
- dnsServCounterQType,
- dnsServCounterTransport }
- ::= { dnsServCounterTable 1 }
-
- DnsServCounterEntry ::=
- SEQUENCE {
- dnsServCounterOpCode
- DnsOpCode,
- dnsServCounterQClass
- DnsClass,
- dnsServCounterQType
- DnsType,
- dnsServCounterTransport
- INTEGER,
- dnsServCounterRequests
- Counter32,
- dnsServCounterResponses
- Counter32
- }
-
- dnsServCounterOpCode OBJECT-TYPE
- SYNTAX DnsOpCode
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "The DNS OPCODE being counted in this row of the table."
- ::= { dnsServCounterEntry 1 }
-
- dnsServCounterQClass OBJECT-TYPE
- SYNTAX DnsClass
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "The class of record being counted in this row of the
- table."
- ::= { dnsServCounterEntry 2 }
-
-
-
-
-Austein & Saperia [Page 13]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- dnsServCounterQType OBJECT-TYPE
- SYNTAX DnsType
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "The type of record which is being counted in this row in
- the table."
- ::= { dnsServCounterEntry 3 }
-
- dnsServCounterTransport OBJECT-TYPE
- SYNTAX INTEGER { udp(1), tcp(2), other(3) }
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "A value of udp(1) indicates that the queries reported on
- this row were sent using UDP.
-
- A value of tcp(2) indicates that the queries reported on
- this row were sent using TCP.
-
- A value of other(3) indicates that the queries reported
- on this row were sent using a transport that was neither
- TCP nor UDP."
- ::= { dnsServCounterEntry 4 }
-
- dnsServCounterRequests OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests (queries) that have been recorded in
- this row of the table."
- ::= { dnsServCounterEntry 5 }
-
- dnsServCounterResponses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of responses made by the server since
- initialization for the kind of query identified on this
- row of the table."
- ::= { dnsServCounterEntry 6 }
-
-
-
-
-
-
-
-
-Austein & Saperia [Page 14]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- -- Server Optional Counter Group
-
- -- The Server Optional Counter Group is intended for those systems
- -- which make distinctions between the different sources of the DNS
- -- queries as defined below.
- --
- -- Objects in this group are implemented on servers which distinguish
- -- between queries which originate from the same host as the server,
- -- queries from one of an arbitrary group of hosts that are on an
- -- access list defined by the server, and queries from hosts that do
- -- not fit either of these descriptions.
- --
- -- The objects found in the Server Counter group are totals. Thus if
- -- one wanted to identify, for example, the number of queries from
- -- `remote' hosts which have been given authoritative answers, one
- -- would subtract the current values of ServOptCounterFriendsAuthAns
- -- and ServOptCounterSelfAuthAns from servCounterAuthAns.
- --
- -- The purpose of these distinctions is to allow for implementations
- -- to group queries and responses on this basis. One way in which
- -- servers may make these distinctions is by looking at the source IP
- -- address of the DNS query. If the source of the query is `your
- -- own' then the query should be counted as `yourself' (local host).
- -- If the source of the query matches an `access list,' the query
- -- came from a friend. What constitutes an `access list' is
- -- implementation dependent and could be as simple as a rule that all
- -- hosts on the same IP network as the DNS server are classed
- -- `friends.'
- --
- -- In order to avoid double counting, the following rules apply:
- --
- -- 1. No host is in more than one of the three groups defined above.
- --
- -- 2. All queries from the local host are always counted in the
- -- `yourself' group regardless of what the access list, if any,
- -- says.
- --
- -- 3. The access list should not define `your friends' in such a way
- -- that it includes all hosts. That is, not everybody is your
- -- `friend.'
-
- dnsServOptCounterSelfAuthAns OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed which
- originated from a resolver on the same host for which
-
-
-
-Austein & Saperia [Page 15]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- there has been an authoritative answer."
- ::= { dnsServOptCounter 1 }
-
- dnsServOptCounterSelfAuthNoNames OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed which
- originated from a resolver on the same host for which
- there has been an authoritative no such name answer
- given."
- ::= { dnsServOptCounter 2 }
-
- dnsServOptCounterSelfAuthNoDataResps OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed which
- originated from a resolver on the same host for which
- there has been an authoritative no such data answer
- (empty answer) made."
- ::= { dnsServOptCounter 3 }
-
- dnsServOptCounterSelfNonAuthDatas OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed which
- originated from a resolver on the same host for which a
- non-authoritative answer (cached data) was made."
- ::= { dnsServOptCounter 4 }
-
- dnsServOptCounterSelfNonAuthNoDatas OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed which
- originated from a resolver on the same host for which a
- `non-authoritative, no such data' response was made
- (empty answer)."
- ::= { dnsServOptCounter 5 }
-
- dnsServOptCounterSelfReferrals OBJECT-TYPE
- SYNTAX Counter32
-
-
-
-Austein & Saperia [Page 16]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries the server has processed which
- originated from a resolver on the same host and were
- referred to other servers."
- ::= { dnsServOptCounter 6 }
-
- dnsServOptCounterSelfErrors OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed which
- originated from a resolver on the same host which have
- been answered with errors (RCODEs other than 0 and 3)."
- REFERENCE
- "RFC-1035 section 4.1.1."
- ::= { dnsServOptCounter 7 }
-
- dnsServOptCounterSelfRelNames OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests received for names that are only 1
- label long (text form - no internal dots) the server has
- processed which originated from a resolver on the same
- host."
- ::= { dnsServOptCounter 8 }
-
- dnsServOptCounterSelfReqRefusals OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of DNS requests refused by the server which
- originated from a resolver on the same host."
- ::= { dnsServOptCounter 9 }
-
- dnsServOptCounterSelfReqUnparses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests received which were unparseable and
- which originated from a resolver on the same host."
- ::= { dnsServOptCounter 10 }
-
-
-
-Austein & Saperia [Page 17]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- dnsServOptCounterSelfOtherErrors OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests which were aborted for other (local)
- server errors and which originated on the same host."
- ::= { dnsServOptCounter 11 }
-
- dnsServOptCounterFriendsAuthAns OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries originating from friends which were
- authoritatively answered. The definition of friends is
- a locally defined matter."
- ::= { dnsServOptCounter 12 }
-
- dnsServOptCounterFriendsAuthNoNames OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries originating from friends, for which
- authoritative `no such name' responses were made. The
- definition of friends is a locally defined matter."
- ::= { dnsServOptCounter 13 }
-
- dnsServOptCounterFriendsAuthNoDataResps OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries originating from friends for which
- authoritative no such data (empty answer) responses were
- made. The definition of friends is a locally defined
- matter."
- ::= { dnsServOptCounter 14 }
-
- dnsServOptCounterFriendsNonAuthDatas OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries originating from friends which were
- non-authoritatively answered (cached data). The
- definition of friends is a locally defined matter."
-
-
-
-Austein & Saperia [Page 18]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- ::= { dnsServOptCounter 15 }
-
- dnsServOptCounterFriendsNonAuthNoDatas OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries originating from friends which were
- non-authoritatively answered with no such data (empty
- answer)."
- ::= { dnsServOptCounter 16 }
-
- dnsServOptCounterFriendsReferrals OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests which originated from friends that
- were referred to other servers. The definition of
- friends is a locally defined matter."
- ::= { dnsServOptCounter 17 }
-
- dnsServOptCounterFriendsErrors OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests the server has processed which
- originated from friends and were answered with errors
- (RCODE values other than 0 and 3). The definition of
- friends is a locally defined matter."
- REFERENCE
- "RFC-1035 section 4.1.1."
- ::= { dnsServOptCounter 18 }
-
- dnsServOptCounterFriendsRelNames OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests received for names from friends that
- are only 1 label long (text form - no internal dots) the
- server has processed."
- ::= { dnsServOptCounter 19 }
-
- dnsServOptCounterFriendsReqRefusals OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
-
-
-
-Austein & Saperia [Page 19]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- STATUS current
- DESCRIPTION
- "Number of DNS requests refused by the server which were
- received from `friends'."
- ::= { dnsServOptCounter 20 }
-
- dnsServOptCounterFriendsReqUnparses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests received which were unparseable and
- which originated from `friends'."
- ::= { dnsServOptCounter 21 }
-
- dnsServOptCounterFriendsOtherErrors OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests which were aborted for other (local)
- server errors and which originated from `friends'."
- ::= { dnsServOptCounter 22 }
-
-
- -- Server Zone Group
-
- -- DNS Management Zone Configuration Table
-
- -- This table contains zone configuration information.
-
- dnsServZoneTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsServZoneEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Table of zones for which this name server provides
- information. Each of the zones may be loaded from stable
- storage via an implementation-specific mechanism or may
- be obtained from another name server via a zone transfer.
-
- If name server doesn't load any zones, this table is
- empty."
- ::= { dnsServZone 1 }
-
- dnsServZoneEntry OBJECT-TYPE
- SYNTAX DnsServZoneEntry
- MAX-ACCESS not-accessible
-
-
-
-Austein & Saperia [Page 20]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- STATUS current
- DESCRIPTION
- "An entry in the name server zone table. New rows may be
- added either via SNMP or by the name server itself."
- INDEX { dnsServZoneName,
- dnsServZoneClass }
- ::= { dnsServZoneTable 1 }
-
- DnsServZoneEntry ::=
- SEQUENCE {
- dnsServZoneName
- DnsNameAsIndex,
- dnsServZoneClass
- DnsClass,
- dnsServZoneLastReloadSuccess
- DnsTime,
- dnsServZoneLastReloadAttempt
- DnsTime,
- dnsServZoneLastSourceAttempt
- IpAddress,
- dnsServZoneStatus
- RowStatus,
- dnsServZoneSerial
- Counter32,
- dnsServZoneCurrent
- TruthValue,
- dnsServZoneLastSourceSuccess
- IpAddress
- }
-
- dnsServZoneName OBJECT-TYPE
- SYNTAX DnsNameAsIndex
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS name of the zone described by this row of the table.
- This is the owner name of the SOA RR that defines the
- top of the zone. This is name is in uppercase:
- characters 'a' through 'z' are mapped to 'A' through 'Z'
- in order to make the lexical ordering useful."
- ::= { dnsServZoneEntry 1 }
-
- dnsServZoneClass OBJECT-TYPE
- SYNTAX DnsClass
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS class of the RRs in this zone."
-
-
-
-Austein & Saperia [Page 21]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- ::= { dnsServZoneEntry 2 }
-
- dnsServZoneLastReloadSuccess OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Elapsed time in seconds since last successful reload of
- this zone."
- ::= { dnsServZoneEntry 3 }
-
- dnsServZoneLastReloadAttempt OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Elapsed time in seconds since last attempted reload of
- this zone."
- ::= { dnsServZoneEntry 4 }
-
- dnsServZoneLastSourceAttempt OBJECT-TYPE
- SYNTAX IpAddress
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "IP address of host from which most recent zone transfer
- of this zone was attempted. This value should match the
- value of dnsServZoneSourceSuccess if the attempt was
- succcessful. If zone transfer has not been attempted
- within the memory of this name server, this value should
- be 0.0.0.0."
- ::= { dnsServZoneEntry 5 }
-
- dnsServZoneStatus OBJECT-TYPE
- SYNTAX RowStatus
- MAX-ACCESS read-create
- STATUS current
- DESCRIPTION
- "The status of the information represented in this row of
- the table."
- ::= { dnsServZoneEntry 6 }
-
- dnsServZoneSerial OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Zone serial number (from the SOA RR) of the zone
-
-
-
-Austein & Saperia [Page 22]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- represented by this row of the table. If the zone has
- not been successfully loaded within the memory of this
- name server, the value of this variable is zero."
- ::= { dnsServZoneEntry 7 }
-
- dnsServZoneCurrent OBJECT-TYPE
- SYNTAX TruthValue
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Whether the server's copy of the zone represented by
- this row of the table is currently valid. If the zone
- has never been successfully loaded or has expired since
- it was last succesfully loaded, this variable will have
- the value false(2), otherwise this variable will have
- the value true(1)."
- ::= { dnsServZoneEntry 8 }
-
- dnsServZoneLastSourceSuccess OBJECT-TYPE
- SYNTAX IpAddress
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "IP address of host which was the source of the most
- recent successful zone transfer for this zone. If
- unknown (e.g., zone has never been successfully
- transfered) or irrelevant (e.g., zone was loaded from
- stable storage), this value should be 0.0.0.0."
- ::= { dnsServZoneEntry 9 }
-
- -- DNS Zone Source Table
-
- dnsServZoneSrcTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsServZoneSrcEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "This table is a list of IP addresses from which the
- server will attempt to load zone information using DNS
- zone transfer operations. A reload may occur due to SNMP
- operations that create a row in dnsServZoneTable or a
- SET to object dnsServZoneReload. This table is only
- used when the zone is loaded via zone transfer."
- ::= { dnsServZone 2 }
-
- dnsServZoneSrcEntry OBJECT-TYPE
- SYNTAX DnsServZoneSrcEntry
- MAX-ACCESS not-accessible
-
-
-
-Austein & Saperia [Page 23]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- STATUS current
- DESCRIPTION
- "An entry in the name server zone source table."
- INDEX { dnsServZoneSrcName,
- dnsServZoneSrcClass,
- dnsServZoneSrcAddr }
- ::= { dnsServZoneSrcTable 1 }
-
- DnsServZoneSrcEntry ::=
- SEQUENCE {
- dnsServZoneSrcName
- DnsNameAsIndex,
- dnsServZoneSrcClass
- DnsClass,
- dnsServZoneSrcAddr
- IpAddress,
- dnsServZoneSrcStatus
- RowStatus
- }
-
- dnsServZoneSrcName OBJECT-TYPE
- SYNTAX DnsNameAsIndex
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS name of the zone to which this entry applies."
- ::= { dnsServZoneSrcEntry 1 }
-
- dnsServZoneSrcClass OBJECT-TYPE
- SYNTAX DnsClass
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS class of zone to which this entry applies."
- ::= { dnsServZoneSrcEntry 2 }
-
- dnsServZoneSrcAddr OBJECT-TYPE
- SYNTAX IpAddress
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "IP address of name server host from which this zone
- might be obtainable."
- ::= { dnsServZoneSrcEntry 3 }
-
- dnsServZoneSrcStatus OBJECT-TYPE
- SYNTAX RowStatus
- MAX-ACCESS read-create
-
-
-
-Austein & Saperia [Page 24]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- STATUS current
- DESCRIPTION
- "The status of the information represented in this row of
- the table."
- ::= { dnsServZoneSrcEntry 4 }
-
-
- -- SNMPv2 groups.
-
- dnsServMIBGroups OBJECT IDENTIFIER ::= { dnsServMIB 2 }
-
- dnsServConfigGroup OBJECT-GROUP
- OBJECTS { dnsServConfigImplementIdent,
- dnsServConfigRecurs,
- dnsServConfigUpTime,
- dnsServConfigResetTime,
- dnsServConfigReset }
- STATUS current
- DESCRIPTION
- "A collection of objects providing basic configuration
- control of a DNS name server."
- ::= { dnsServMIBGroups 1 }
-
- dnsServCounterGroup OBJECT-GROUP
- OBJECTS { dnsServCounterAuthAns,
- dnsServCounterAuthNoNames,
- dnsServCounterAuthNoDataResps,
- dnsServCounterNonAuthDatas,
- dnsServCounterNonAuthNoDatas,
- dnsServCounterReferrals,
- dnsServCounterErrors,
- dnsServCounterRelNames,
- dnsServCounterReqRefusals,
- dnsServCounterReqUnparses,
- dnsServCounterOtherErrors,
- dnsServCounterOpCode,
- dnsServCounterQClass,
- dnsServCounterQType,
- dnsServCounterTransport,
- dnsServCounterRequests,
- dnsServCounterResponses }
- STATUS current
- DESCRIPTION
- "A collection of objects providing basic instrumentation
- of a DNS name server."
- ::= { dnsServMIBGroups 2 }
-
-
-
-
-
-Austein & Saperia [Page 25]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- dnsServOptCounterGroup OBJECT-GROUP
- OBJECTS { dnsServOptCounterSelfAuthAns,
- dnsServOptCounterSelfAuthNoNames,
- dnsServOptCounterSelfAuthNoDataResps,
- dnsServOptCounterSelfNonAuthDatas,
- dnsServOptCounterSelfNonAuthNoDatas,
- dnsServOptCounterSelfReferrals,
- dnsServOptCounterSelfErrors,
- dnsServOptCounterSelfRelNames,
- dnsServOptCounterSelfReqRefusals,
- dnsServOptCounterSelfReqUnparses,
- dnsServOptCounterSelfOtherErrors,
- dnsServOptCounterFriendsAuthAns,
- dnsServOptCounterFriendsAuthNoNames,
- dnsServOptCounterFriendsAuthNoDataResps,
- dnsServOptCounterFriendsNonAuthDatas,
- dnsServOptCounterFriendsNonAuthNoDatas,
- dnsServOptCounterFriendsReferrals,
- dnsServOptCounterFriendsErrors,
- dnsServOptCounterFriendsRelNames,
- dnsServOptCounterFriendsReqRefusals,
- dnsServOptCounterFriendsReqUnparses,
- dnsServOptCounterFriendsOtherErrors }
- STATUS current
- DESCRIPTION
- "A collection of objects providing extended
- instrumentation of a DNS name server."
- ::= { dnsServMIBGroups 3 }
-
- dnsServZoneGroup OBJECT-GROUP
- OBJECTS { dnsServZoneName,
- dnsServZoneClass,
- dnsServZoneLastReloadSuccess,
- dnsServZoneLastReloadAttempt,
- dnsServZoneLastSourceAttempt,
- dnsServZoneLastSourceSuccess,
- dnsServZoneStatus,
- dnsServZoneSerial,
- dnsServZoneCurrent,
- dnsServZoneSrcName,
- dnsServZoneSrcClass,
- dnsServZoneSrcAddr,
- dnsServZoneSrcStatus }
- STATUS current
- DESCRIPTION
- "A collection of objects providing configuration control
- of a DNS name server which loads authoritative zones."
- ::= { dnsServMIBGroups 4 }
-
-
-
-Austein & Saperia [Page 26]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- -- Compliances.
-
- dnsServMIBCompliances OBJECT IDENTIFIER ::= { dnsServMIB 3 }
-
- dnsServMIBCompliance MODULE-COMPLIANCE
- STATUS current
- DESCRIPTION
- "The compliance statement for agents implementing the DNS
- name server MIB extensions."
- MODULE -- This MIB module
- MANDATORY-GROUPS { dnsServConfigGroup, dnsServCounterGroup }
- GROUP dnsServOptCounterGroup
- DESCRIPTION
- "The server optional counter group is unconditionally
- optional."
- GROUP dnsServZoneGroup
- DESCRIPTION
- "The server zone group is mandatory for any name server
- that acts as an authoritative server for any DNS zone."
- OBJECT dnsServConfigRecurs
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsServConfigReset
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- ::= { dnsServMIBCompliances 1 }
-
- END
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein & Saperia [Page 27]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
-5. Acknowledgements
-
- This document is the result of work undertaken the by DNS working
- group. The authors would particularly like to thank the following
- people for their contributions to this document: Philip Almquist,
- Frank Kastenholz (FTP Software), Joe Peck (DEC), Dave Perkins
- (SynOptics), Win Treese (DEC), and Mimi Zohar (IBM).
-
-6. References
-
- [1] Mockapetris, P., "Domain Names -- Concepts and Facilities", STD
- 13, RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [2] Mockapetris, P., "Domain Names -- Implementation and
- Specification", STD 13, RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
- [3] Braden, R., Editor, "Requirements for Internet Hosts --
- Application and Support, STD 3, RFC 1123, USC/Information
- Sciences Institute, October 1989.
-
- [4] Rose, M., and K. McCloghrie, "Structure and Identification of
- Management Information for TCP/IP-based internets", STD 16, RFC
- 1155, Performance Systems International, Hughes LAN Systems, May
- 1990.
-
- [5] McCloghrie, K., and M. Rose, "Management Information Base for
- Network Management of TCP/IP-based internets", RFC 1156, Hughes
- LAN Systems, Performance Systems International, May 1990.
-
- [6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
- Network Management Protocol", STD 15, RFC 1157, SNMP Research,
- Performance Systems International, Performance Systems
- International, MIT Laboratory for Computer Science, May 1990.
-
- [7] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",
- STD 16, RFC 1212, Performance Systems International, Hughes LAN
- Systems, March 1991.
-
- [8] McCloghrie, K., and M. Rose, Editors, "Management Information
- Base for Network Management of TCP/IP-based internets: MIB-II",
- STD 17, RFC 1213, Hughes LAN Systems, Performance Systems
- International, March 1991.
-
- [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
- of Management Information for version 2 of the Simple Network
- Management Protocol (SNMPv2)", RFC 1442, SNMP Research, Inc.,
- Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
-
-
-
-Austein & Saperia [Page 28]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
- University, April 1993.
-
- [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
- Conventions for version 2 of the the Simple Network Management
- Protocol (SNMPv2)", RFC 1443, SNMP Research, Inc., Hughes LAN
- Systems, Dover Beach Consulting, Inc., Carnegie Mellon
- University, April 1993.
-
- [11] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
- "Conformance Statements for version 2 of the the Simple Network
- Management Protocol (SNMPv2)", RFC 1444, SNMP Research, Inc.,
- Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
- University, April 1993.
-
- [12] Galvin, J., and K. McCloghrie, "Administrative Model for version
- 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1445,
- Trusted Information Systems, Hughes LAN Systems, April 1993.
-
- [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
- Operations for version 2 of the Simple Network Management
- Protocol (SNMPv2)", RFC 1448, SNMP Research, Inc., Hughes LAN
- Systems, Dover Beach Consulting, Inc., Carnegie Mellon
- University, April 1993.
-
- [14] "Information processing systems - Open Systems Interconnection -
- Specification of Abstract Syntax Notation One (ASN.1)",
- International Organization for Standardization, International
- Standard 8824, December 1987.
-
-7. Security Considerations
-
- Security issues are not discussed in this memo.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein & Saperia [Page 29]
-
-RFC 1611 DNS Server MIB Extensions May 1994
-
-
-8. Authors' Addresses
-
- Rob Austein
- Epilogue Technology Corporation
- 268 Main Street, Suite 283
- North Reading, MA 01864
- USA
-
- Phone: +1-617-245-0804
- Fax: +1-617-245-8122
- EMail: sra@epilogue.com
-
-
- Jon Saperia
- Digital Equipment Corporation
- 110 Spit Brook Road
- ZKO1-3/H18
- Nashua, NH 03062-2698
- USA
-
- Phone: +1-603-881-0480
- Fax: +1-603-881-0120
- EMail: saperia@zko.dec.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein & Saperia [Page 30]
-
diff --git a/contrib/bind9/doc/rfc/rfc1612.txt b/contrib/bind9/doc/rfc/rfc1612.txt
deleted file mode 100644
index 4ef23b0c659c..000000000000
--- a/contrib/bind9/doc/rfc/rfc1612.txt
+++ /dev/null
@@ -1,1795 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Austein
-Request for Comments: 1612 Epilogue Technology Corporation
-Category: Standards Track J. Saperia
- Digital Equipment Corporation
- May 1994
-
-
- DNS Resolver MIB Extensions
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Table of Contents
-
- 1. Introduction .............................................. 1
- 2. The SNMPv2 Network Management Framework ................... 2
- 2.1 Object Definitions ....................................... 2
- 3. Overview .................................................. 2
- 3.1 Resolvers ................................................ 3
- 3.2 Name Servers ............................................. 3
- 3.3 Selected Objects ......................................... 4
- 3.4 Textual Conventions ...................................... 4
- 4. Definitions ............................................... 5
- 5. Acknowledgements .......................................... 30
- 6. References ................................................ 30
- 7. Security Considerations ................................... 32
- 8. Authors' Addresses ........................................ 32
-
-1. Introduction
-
- This memo defines a portion of the Management Information Base (MIB)
- for use with network management protocols in the Internet community.
- In particular, it describes a set of extensions which instrument DNS
- resolver functions. This memo was produced by the DNS working group.
-
- With the adoption of the Internet-standard Network Management
- Framework [4,5,6,7], and with a large number of vendor
- implementations of these standards in commercially available
- products, it became possible to provide a higher level of effective
- network management in TCP/IP-based internets than was previously
- available. With the growth in the use of these standards, it has
- become possible to consider the management of other elements of the
- infrastructure beyond the basic TCP/IP protocols. A key element of
-
-
-
-Austein & Saperia [Page 1]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- the TCP/IP infrastructure is the DNS.
-
- Up to this point there has been no mechanism to integrate the
- management of the DNS with SNMP-based managers. This memo provides
- the mechanisms by which IP-based management stations can effectively
- manage DNS resolver software in an integrated fashion.
-
- We have defined DNS MIB objects to be used in conjunction with the
- Internet MIB to allow access to and control of DNS resolver software
- via SNMP by the Internet community.
-
-2. The SNMPv2 Network Management Framework
-
- The SNMPv2 Network Management Framework consists of four major
- components. They are:
-
- o RFC 1442 which defines the SMI, the mechanisms used for
- describing and naming objects for the purpose of management.
-
- o STD 17, RFC 1213 defines MIB-II, the core set of managed
- objects for the Internet suite of protocols.
-
- o RFC 1445 which defines the administrative and other
- architectural aspects of the framework.
-
- o RFC 1448 which defines the protocol used for network access to
- managed objects.
-
- The Framework permits new objects to be defined for the purpose of
- experimentation and evaluation.
-
-2.1. Object Definitions
-
- Managed objects are accessed via a virtual information store, termed
- the Management Information Base or MIB. Objects in the MIB are
- defined using the subset of Abstract Syntax Notation One (ASN.1)
- defined in the SMI. In particular, each object object type is named
- by an OBJECT IDENTIFIER, an administratively assigned name. The
- object type together with an object instance serves to uniquely
- identify a specific instantiation of the object. For human
- convenience, we often use a textual string, termed the descriptor, to
- refer to the object type.
-
-3. Overview
-
- In theory, the DNS world is pretty simple. There are two kinds of
- entities: resolvers and name servers. Resolvers ask questions. Name
- servers answer them. The real world, however, is not so simple.
-
-
-
-Austein & Saperia [Page 2]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- Implementors have made widely differing choices about how to divide
- DNS functions between resolvers and servers. They have also
- constructed various sorts of exotic hybrids. The most difficult task
- in defining this MIB was to accommodate this wide range of entities
- without having to come up with a separate MIB for each.
-
- We divided up the various DNS functions into two, non-overlapping
- classes, called "resolver functions" and "name server functions." A
- DNS entity that performs what we define as resolver functions
- contains a resolver, and therefore must implement the MIB groups
- required of all resolvers which are defined in this module. Some
- resolvers also implement "optional" functions such as a cache, in
- which case they must also implement the cache group contained in this
- MIB. A DNS entity which implements name server functions is
- considered to be a name server, and must implement the MIB groups
- required for name servers which are defined in a separate module. If
- the same piece of software performs both resolver and server
- functions, we imagine that it contains both a resolver and a server
- and would thus implement both the DNS Server and DNS Resolver MIBs.
-
-3.1. Resolvers
-
- In our model, a resolver is a program (or piece thereof) which
- obtains resource records from servers. Normally it does so at the
- behest of an application, but may also do so as part of its own
- operation. A resolver sends DNS protocol queries and receives DNS
- protocol replies. A resolver neither receives queries nor sends
- replies. A full service resolver is one that knows how to resolve
- queries: it obtains the needed resource records by contacting a
- server authoritative for the records desired. A stub resolver does
- not know how to resolve queries: it sends all queries to a local name
- server, setting the "recursion desired" flag to indicate that it
- hopes that the name server will be willing to resolve the query. A
- resolver may (optionally) have a cache for remembering previously
- acquired resource records. It may also have a negative cache for
- remembering names or data that have been determined not to exist.
-
-3.2. Name Servers
-
- A name server is a program (or piece thereof) that provides resource
- records to resolvers. All references in this document to "a name
- server" imply "the name server's role"; in some cases the name
- server's role and the resolver's role might be combined into a single
- program. A name server receives DNS protocol queries and sends DNS
- protocol replies. A name server neither sends queries nor receives
- replies. As a consequence, name servers do not have caches.
- Normally, a name server would expect to receive only those queries to
- which it could respond with authoritative information. However, if a
-
-
-
-Austein & Saperia [Page 3]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- name server receives a query that it cannot respond to with purely
- authoritative information, it may choose to try to obtain the
- necessary additional information from a resolver which may or may not
- be a separate process.
-
-3.3. Selected Objects
-
- Many of the objects included in this memo have been created from
- information contained in the DNS specifications [1,2], as amended and
- clarified by subsequent host requirements documents [3]. Other
- objects have been created based on experience with existing DNS
- management tools, expected operational needs, the statistics
- generated by existing DNS implementations, and the configuration
- files used by existing DNS implementations. These objects have been
- ordered into groups as follows:
-
- o Resolver Configuration Group
-
- o Resolver Counter Group
-
- o Resolver Lame Delegation Group
-
- o Resolver Cache Group
-
- o Resolver Negative Cache Group
-
- o Resolver Optional Counter Group
-
- This information has been converted into a standard form using the
- SNMPv2 SMI defined in [9]. For the most part, the descriptions are
- influenced by the DNS related RFCs noted above. For example, the
- descriptions for counters used for the various types of queries of
- DNS records are influenced by the definitions used for the various
- record types found in [2].
-
-3.4. Textual Conventions
-
- Several conceptual data types have been introduced as a textual
- conventions in the DNS Server MIB document and have been imported
- into this MIB module. These additions will facilitate the common
- understanding of information used by the DNS. No changes to the SMI
- or the SNMP are necessary to support these conventions.
-
- Readers familiar with MIBs designed to manage entities in the lower
- layers of the Internet protocol suite may be surprised at the number
- of non-enumerated integers used in this MIB to represent values such
- as DNS RR class and type numbers. The reason for this choice is
- simple: the DNS itself is designed as an extensible protocol,
-
-
-
-Austein & Saperia [Page 4]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- allowing new classes and types of resource records to be added to the
- protocol without recoding the core DNS software. Using non-
- enumerated integers to represent these data types in this MIB allows
- the MIB to accommodate these changes as well.
-
-4. Definitions
-
- DNS-RESOLVER-MIB DEFINITIONS ::= BEGIN
-
- IMPORTS
- MODULE-IDENTITY, OBJECT-TYPE, IpAddress, Counter32, Integer32
- FROM SNMPv2-SMI
- TEXTUAL-CONVENTION, RowStatus, DisplayString
- FROM SNMPv2-TC
- MODULE-COMPLIANCE, OBJECT-GROUP
- FROM SNMPv2-CONF
- dns, DnsName, DnsNameAsIndex, DnsClass, DnsType, DnsQClass,
- DnsQType, DnsTime, DnsOpCode, DnsRespCode
- FROM DNS-SERVER-MIB;
-
- -- DNS Resolver MIB
-
- dnsResMIB MODULE-IDENTITY
- LAST-UPDATED "9401282250Z"
- ORGANIZATION "IETF DNS Working Group"
- CONTACT-INFO
- " Rob Austein
- Postal: Epilogue Technology Corporation
- 268 Main Street, Suite 283
- North Reading, MA 10864
- US
- Tel: +1 617 245 0804
- Fax: +1 617 245 8122
- E-Mail: sra@epilogue.com
-
- Jon Saperia
- Postal: Digital Equipment Corporation
- 110 Spit Brook Road
- ZKO1-3/H18
- Nashua, NH 03062-2698
- US
- Tel: +1 603 881 0480
- Fax: +1 603 881 0120
- E-mail: saperia@zko.dec.com"
- DESCRIPTION
- "The MIB module for entities implementing the client
- (resolver) side of the Domain Name System (DNS)
- protocol."
-
-
-
-Austein & Saperia [Page 5]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- ::= { dns 2 }
-
- dnsResMIBObjects OBJECT IDENTIFIER ::= { dnsResMIB 1 }
-
- -- (Old-style) groups in the DNS resolver MIB.
-
- dnsResConfig OBJECT IDENTIFIER ::= { dnsResMIBObjects 1 }
- dnsResCounter OBJECT IDENTIFIER ::= { dnsResMIBObjects 2 }
- dnsResLameDelegation OBJECT IDENTIFIER ::= { dnsResMIBObjects 3 }
- dnsResCache OBJECT IDENTIFIER ::= { dnsResMIBObjects 4 }
- dnsResNCache OBJECT IDENTIFIER ::= { dnsResMIBObjects 5 }
- dnsResOptCounter OBJECT IDENTIFIER ::= { dnsResMIBObjects 6 }
-
-
- -- Resolver Configuration Group
-
- dnsResConfigImplementIdent OBJECT-TYPE
- SYNTAX DisplayString
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "The implementation identification string for the
- resolver software in use on the system, for example;
- `RES-2.1'"
- ::= { dnsResConfig 1 }
-
- dnsResConfigService OBJECT-TYPE
- SYNTAX INTEGER { recursiveOnly(1),
- iterativeOnly(2),
- recursiveAndIterative(3) }
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Kind of DNS resolution service provided:
-
- recursiveOnly(1) indicates a stub resolver.
-
- iterativeOnly(2) indicates a normal full service
- resolver.
-
- recursiveAndIterative(3) indicates a full-service
- resolver which performs a mix of recursive and iterative
- queries."
- ::= { dnsResConfig 2 }
-
- dnsResConfigMaxCnames OBJECT-TYPE
- SYNTAX INTEGER (0..2147483647)
- MAX-ACCESS read-write
-
-
-
-Austein & Saperia [Page 6]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- STATUS current
- DESCRIPTION
- "Limit on how many CNAMEs the resolver should allow
- before deciding that there's a CNAME loop. Zero means
- that resolver has no explicit CNAME limit."
- REFERENCE
- "RFC-1035 section 7.1."
- ::= { dnsResConfig 3 }
-
- -- DNS Resolver Safety Belt Table
-
- dnsResConfigSbeltTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsResConfigSbeltEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Table of safety belt information used by the resolver
- when it hasn't got any better idea of where to send a
- query, such as when the resolver is booting or is a stub
- resolver."
- ::= { dnsResConfig 4 }
-
- dnsResConfigSbeltEntry OBJECT-TYPE
- SYNTAX DnsResConfigSbeltEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "An entry in the resolver's Sbelt table.
- Rows may be created or deleted at any time by the DNS
- resolver and by SNMP SET requests. Whether the values
- changed via SNMP are saved in stable storage across
- `reset' operations is implementation-specific."
- INDEX { dnsResConfigSbeltAddr,
- dnsResConfigSbeltSubTree,
- dnsResConfigSbeltClass }
- ::= { dnsResConfigSbeltTable 1 }
-
- DnsResConfigSbeltEntry ::=
- SEQUENCE {
- dnsResConfigSbeltAddr
- IpAddress,
- dnsResConfigSbeltName
- DnsName,
- dnsResConfigSbeltRecursion
- INTEGER,
- dnsResConfigSbeltPref
- INTEGER,
- dnsResConfigSbeltSubTree
-
-
-
-Austein & Saperia [Page 7]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- DnsNameAsIndex,
- dnsResConfigSbeltClass
- DnsClass,
- dnsResConfigSbeltStatus
- RowStatus
- }
-
- dnsResConfigSbeltAddr OBJECT-TYPE
- SYNTAX IpAddress
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "The IP address of the Sbelt name server identified by
- this row of the table."
- ::= { dnsResConfigSbeltEntry 1 }
-
- dnsResConfigSbeltName OBJECT-TYPE
- SYNTAX DnsName
- MAX-ACCESS read-create
- STATUS current
- DESCRIPTION
- "The DNS name of a Sbelt nameserver identified by this
- row of the table. A zero-length string indicates that
- the name is not known by the resolver."
- ::= { dnsResConfigSbeltEntry 2 }
-
- dnsResConfigSbeltRecursion OBJECT-TYPE
- SYNTAX INTEGER { iterative(1),
- recursive(2),
- recursiveAndIterative(3) }
- MAX-ACCESS read-create
- STATUS current
- DESCRIPTION
- "Kind of queries resolver will be sending to the name
- server identified in this row of the table:
-
- iterative(1) indicates that resolver will be directing
- iterative queries to this name server (RD bit turned
- off).
-
- recursive(2) indicates that resolver will be directing
- recursive queries to this name server (RD bit turned
- on).
-
- recursiveAndIterative(3) indicates that the resolver
- will be directing both recursive and iterative queries
- to the server identified in this row of the table."
- ::= { dnsResConfigSbeltEntry 3 }
-
-
-
-Austein & Saperia [Page 8]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResConfigSbeltPref OBJECT-TYPE
- SYNTAX INTEGER (0..2147483647)
- MAX-ACCESS read-create
- STATUS current
- DESCRIPTION
- "This value identifies the preference for the name server
- identified in this row of the table. The lower the
- value, the more desirable the resolver considers this
- server."
- ::= { dnsResConfigSbeltEntry 4 }
-
- dnsResConfigSbeltSubTree OBJECT-TYPE
- SYNTAX DnsNameAsIndex
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Queries sent to the name server identified by this row
- of the table are limited to those for names in the name
- subtree identified by this variable. If no such
- limitation applies, the value of this variable is the
- name of the root domain (a DNS name consisting of a
- single zero octet)."
- ::= { dnsResConfigSbeltEntry 5 }
-
- dnsResConfigSbeltClass OBJECT-TYPE
- SYNTAX DnsClass
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "The class of DNS queries that will be sent to the server
- identified by this row of the table."
- ::= { dnsResConfigSbeltEntry 6 }
-
- dnsResConfigSbeltStatus OBJECT-TYPE
- SYNTAX RowStatus
- MAX-ACCESS read-create
- STATUS current
- DESCRIPTION
- "Row status column for this row of the Sbelt table."
- ::= { dnsResConfigSbeltEntry 7 }
-
- dnsResConfigUpTime OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "If the resolver has a persistent state (e.g., a
- process), this value will be the time elapsed since it
-
-
-
-Austein & Saperia [Page 9]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- started. For software without persistant state, this
- value will be 0."
- ::= { dnsResConfig 5 }
-
- dnsResConfigResetTime OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "If the resolver has a persistent state (e.g., a process)
- and supports a `reset' operation (e.g., can be told to
- re-read configuration files), this value will be the
- time elapsed since the last time the resolver was
- `reset.' For software that does not have persistence or
- does not support a `reset' operation, this value will be
- zero."
- ::= { dnsResConfig 6 }
-
- dnsResConfigReset OBJECT-TYPE
- SYNTAX INTEGER { other(1),
- reset(2),
- initializing(3),
- running(4) }
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Status/action object to reinitialize any persistant
- resolver state. When set to reset(2), any persistant
- resolver state (such as a process) is reinitialized as if
- the resolver had just been started. This value will
- never be returned by a read operation. When read, one of
- the following values will be returned:
- other(1) - resolver in some unknown state;
- initializing(3) - resolver (re)initializing;
- running(4) - resolver currently running."
- ::= { dnsResConfig 7 }
-
-
- -- Resolver Counters Group
-
- -- Resolver Counter Table
-
- dnsResCounterByOpcodeTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsResCounterByOpcodeEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Table of the current count of resolver queries and
-
-
-
-Austein & Saperia [Page 10]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- answers."
- ::= { dnsResCounter 3 }
-
- dnsResCounterByOpcodeEntry OBJECT-TYPE
- SYNTAX DnsResCounterByOpcodeEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Entry in the resolver counter table. Entries are
- indexed by DNS OpCode."
- INDEX { dnsResCounterByOpcodeCode }
- ::= { dnsResCounterByOpcodeTable 1 }
-
- DnsResCounterByOpcodeEntry ::=
- SEQUENCE {
- dnsResCounterByOpcodeCode
- DnsOpCode,
- dnsResCounterByOpcodeQueries
- Counter32,
- dnsResCounterByOpcodeResponses
- Counter32
- }
-
- dnsResCounterByOpcodeCode OBJECT-TYPE
- SYNTAX DnsOpCode
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "The index to this table. The OpCodes that have already
- been defined are found in RFC-1035."
- REFERENCE
- "RFC-1035 section 4.1.1."
- ::= { dnsResCounterByOpcodeEntry 1 }
-
- dnsResCounterByOpcodeQueries OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Total number of queries that have sent out by the
- resolver since initialization for the OpCode which is
- the index to this row of the table."
- ::= { dnsResCounterByOpcodeEntry 2 }
-
- dnsResCounterByOpcodeResponses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
-
-
-
-Austein & Saperia [Page 11]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- DESCRIPTION
- "Total number of responses that have been received by the
- resolver since initialization for the OpCode which is
- the index to this row of the table."
- ::= { dnsResCounterByOpcodeEntry 3 }
-
- -- Resolver Response Code Counter Table
-
- dnsResCounterByRcodeTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsResCounterByRcodeEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Table of the current count of responses to resolver
- queries."
- ::= { dnsResCounter 4 }
-
- dnsResCounterByRcodeEntry OBJECT-TYPE
- SYNTAX DnsResCounterByRcodeEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Entry in the resolver response table. Entries are
- indexed by DNS response code."
- INDEX { dnsResCounterByRcodeCode }
- ::= { dnsResCounterByRcodeTable 1 }
-
- DnsResCounterByRcodeEntry ::=
- SEQUENCE {
- dnsResCounterByRcodeCode
- DnsRespCode,
- dnsResCounterByRcodeResponses
- Counter32
- }
-
- dnsResCounterByRcodeCode OBJECT-TYPE
- SYNTAX DnsRespCode
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "The index to this table. The Response Codes that have
- already been defined are found in RFC-1035."
- REFERENCE
- "RFC-1035 section 4.1.1."
- ::= { dnsResCounterByRcodeEntry 1 }
-
-
-
-
-
-
-Austein & Saperia [Page 12]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResCounterByRcodeResponses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of responses the resolver has received for the
- response code value which identifies this row of the
- table."
- ::= { dnsResCounterByRcodeEntry 2 }
-
- -- Additional DNS Resolver Counter Objects
-
- dnsResCounterNonAuthDataResps OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests made by the resolver for which a
- non-authoritative answer (cached data) was received."
- ::= { dnsResCounter 5 }
-
- dnsResCounterNonAuthNoDataResps OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests made by the resolver for which a
- non-authoritative answer - no such data response (empty
- answer) was received."
- ::= { dnsResCounter 6 }
-
- dnsResCounterMartians OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of responses received which were received from
- servers that the resolver does not think it asked."
- ::= { dnsResCounter 7 }
-
- dnsResCounterRecdResponses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of responses received to all queries."
- ::= { dnsResCounter 8 }
-
-
-
-
-Austein & Saperia [Page 13]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResCounterUnparseResps OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of responses received which were unparseable."
- ::= { dnsResCounter 9 }
-
- dnsResCounterFallbacks OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of times the resolver had to fall back to its
- seat belt information."
- ::= { dnsResCounter 10 }
-
-
- -- Lame Delegation Group
-
- dnsResLameDelegationOverflows OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of times the resolver attempted to add an entry
- to the Lame Delegation table but was unable to for some
- reason such as space constraints."
- ::= { dnsResLameDelegation 1 }
-
- -- Lame Delegation Table
-
- dnsResLameDelegationTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsResLameDelegationEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Table of name servers returning lame delegations.
-
- A lame delegation has occured when a parent zone
- delegates authority for a child zone to a server that
- appears not to think that it is authoritative for the
- child zone in question."
- ::= { dnsResLameDelegation 2 }
-
- dnsResLameDelegationEntry OBJECT-TYPE
- SYNTAX DnsResLameDelegationEntry
- MAX-ACCESS not-accessible
-
-
-
-Austein & Saperia [Page 14]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- STATUS current
- DESCRIPTION
- "Entry in lame delegation table. Only the resolver may
- create rows in this table. SNMP SET requests may be used
- to delete rows."
- INDEX { dnsResLameDelegationSource,
- dnsResLameDelegationName,
- dnsResLameDelegationClass }
- ::= { dnsResLameDelegationTable 1 }
-
- DnsResLameDelegationEntry ::=
- SEQUENCE {
- dnsResLameDelegationSource
- IpAddress,
- dnsResLameDelegationName
- DnsNameAsIndex,
- dnsResLameDelegationClass
- DnsClass,
- dnsResLameDelegationCounts
- Counter32,
- dnsResLameDelegationStatus
- RowStatus
- }
-
- dnsResLameDelegationSource OBJECT-TYPE
- SYNTAX IpAddress
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Source of lame delegation."
- ::= { dnsResLameDelegationEntry 1 }
-
- dnsResLameDelegationName OBJECT-TYPE
- SYNTAX DnsNameAsIndex
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS name for which lame delegation was received."
- ::= { dnsResLameDelegationEntry 2 }
-
- dnsResLameDelegationClass OBJECT-TYPE
- SYNTAX DnsClass
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS class of received lame delegation."
- ::= { dnsResLameDelegationEntry 3 }
-
-
-
-
-Austein & Saperia [Page 15]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResLameDelegationCounts OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "How many times this lame delegation has been received."
- ::= { dnsResLameDelegationEntry 4 }
-
- dnsResLameDelegationStatus OBJECT-TYPE
- SYNTAX RowStatus
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Status column for the lame delegation table. Since only
- the agent (DNS resolver) creates rows in this table, the
- only values that a manager may write to this variable
- are active(1) and destroy(6)."
- ::= { dnsResLameDelegationEntry 5 }
-
-
- -- Resolver Cache Group
-
- dnsResCacheStatus OBJECT-TYPE
- SYNTAX INTEGER { enabled(1), disabled(2), clear(3) }
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Status/action for the resolver's cache.
-
- enabled(1) means that the use of the cache is allowed.
- Query operations can return this state.
-
- disabled(2) means that the cache is not being used.
- Query operations can return this state.
-
- Setting this variable to clear(3) deletes the entire
- contents of the resolver's cache, but does not otherwise
- change the resolver's state. The status will retain its
- previous value from before the clear operation (i.e.,
- enabled(1) or disabled(2)). The value of clear(3) can
- NOT be returned by a query operation."
- ::= { dnsResCache 1 }
-
- dnsResCacheMaxTTL OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
-
-
-
-Austein & Saperia [Page 16]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- "Maximum Time-To-Live for RRs in this cache. If the
- resolver does not implement a TTL ceiling, the value of
- this field should be zero."
- ::= { dnsResCache 2 }
-
- dnsResCacheGoodCaches OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of RRs the resolver has cached successfully."
- ::= { dnsResCache 3 }
-
- dnsResCacheBadCaches OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of RRs the resolver has refused to cache because
- they appear to be dangerous or irrelevant. E.g., RRs
- with suspiciously high TTLs, unsolicited root
- information, or that just don't appear to be relevant to
- the question the resolver asked."
- ::= { dnsResCache 4 }
-
- -- Resolver Cache Table
-
- dnsResCacheRRTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsResCacheRREntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "This table contains information about all the resource
- records currently in the resolver's cache."
- ::= { dnsResCache 5 }
-
- dnsResCacheRREntry OBJECT-TYPE
- SYNTAX DnsResCacheRREntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "An entry in the resolvers's cache. Rows may be created
- only by the resolver. SNMP SET requests may be used to
- delete rows."
- INDEX { dnsResCacheRRName,
- dnsResCacheRRClass,
- dnsResCacheRRType,
- dnsResCacheRRIndex }
-
-
-
-Austein & Saperia [Page 17]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- ::= { dnsResCacheRRTable 1 }
-
- DnsResCacheRREntry ::=
- SEQUENCE {
- dnsResCacheRRName
- DnsNameAsIndex,
- dnsResCacheRRClass
- DnsClass,
- dnsResCacheRRType
- DnsType,
- dnsResCacheRRTTL
- DnsTime,
- dnsResCacheRRElapsedTTL
- DnsTime,
- dnsResCacheRRSource
- IpAddress,
- dnsResCacheRRData
- OCTET STRING,
- dnsResCacheRRStatus
- RowStatus,
- dnsResCacheRRIndex
- Integer32,
- dnsResCacheRRPrettyName
- DnsName
- }
-
- dnsResCacheRRName OBJECT-TYPE
- SYNTAX DnsNameAsIndex
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "Owner name of the Resource Record in the cache which is
- identified in this row of the table. As described in
- RFC-1034, the owner of the record is the domain name
- were the RR is found."
- REFERENCE
- "RFC-1034 section 3.6."
- ::= { dnsResCacheRREntry 1 }
-
- dnsResCacheRRClass OBJECT-TYPE
- SYNTAX DnsClass
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS class of the Resource Record in the cache which is
- identified in this row of the table."
- ::= { dnsResCacheRREntry 2 }
-
-
-
-
-Austein & Saperia [Page 18]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResCacheRRType OBJECT-TYPE
- SYNTAX DnsType
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS type of the Resource Record in the cache which is
- identified in this row of the table."
- ::= { dnsResCacheRREntry 3 }
-
- dnsResCacheRRTTL OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Time-To-Live of RR in DNS cache. This is the initial
- TTL value which was received with the RR when it was
- originally received."
- ::= { dnsResCacheRREntry 4 }
-
- dnsResCacheRRElapsedTTL OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Elapsed seconds since RR was received."
- ::= { dnsResCacheRREntry 5 }
-
- dnsResCacheRRSource OBJECT-TYPE
- SYNTAX IpAddress
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Host from which RR was received, 0.0.0.0 if unknown."
- ::= { dnsResCacheRREntry 6 }
-
- dnsResCacheRRData OBJECT-TYPE
- SYNTAX OCTET STRING
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "RDATA portion of a cached RR. The value is in the
- format defined for the particular DNS class and type of
- the resource record."
- REFERENCE
- "RFC-1035 section 3.2.1."
- ::= { dnsResCacheRREntry 7 }
-
-
-
-
-
-Austein & Saperia [Page 19]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResCacheRRStatus OBJECT-TYPE
- SYNTAX RowStatus
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Status column for the resolver cache table. Since only
- the agent (DNS resolver) creates rows in this table, the
- only values that a manager may write to this variable
- are active(1) and destroy(6)."
- ::= { dnsResCacheRREntry 8 }
-
- dnsResCacheRRIndex OBJECT-TYPE
- SYNTAX Integer32
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "A value which makes entries in the table unique when the
- other index values (dnsResCacheRRName,
- dnsResCacheRRClass, and dnsResCacheRRType) do not
- provide a unique index."
- ::= { dnsResCacheRREntry 9 }
-
- dnsResCacheRRPrettyName OBJECT-TYPE
- SYNTAX DnsName
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Name of the RR at this row in the table. This is
- identical to the dnsResCacheRRName variable, except that
- character case is preserved in this variable, per DNS
- conventions."
- REFERENCE
- "RFC-1035 section 2.3.3."
- ::= { dnsResCacheRREntry 10 }
-
- -- Resolver Negative Cache Group
-
- dnsResNCacheStatus OBJECT-TYPE
- SYNTAX INTEGER { enabled(1), disabled(2), clear(3) }
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Status/action for the resolver's negative response
- cache.
-
- enabled(1) means that the use of the negative response
- cache is allowed. Query operations can return this
- state.
-
-
-
-Austein & Saperia [Page 20]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- disabled(2) means that the negative response cache is
- not being used. Query operations can return this state.
-
- Setting this variable to clear(3) deletes the entire
- contents of the resolver's negative response cache. The
- status will retain its previous value from before the
- clear operation (i.e., enabled(1) or disabled(2)). The
- value of clear(3) can NOT be returned by a query
- operation."
- ::= { dnsResNCache 1 }
-
- dnsResNCacheMaxTTL OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Maximum Time-To-Live for cached authoritative errors.
- If the resolver does not implement a TTL ceiling, the
- value of this field should be zero."
- ::= { dnsResNCache 2 }
-
- dnsResNCacheGoodNCaches OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of authoritative errors the resolver has cached
- successfully."
- ::= { dnsResNCache 3 }
-
- dnsResNCacheBadNCaches OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of authoritative errors the resolver would have
- liked to cache but was unable to because the appropriate
- SOA RR was not supplied or looked suspicious."
- REFERENCE
- "RFC-1034 section 4.3.4."
- ::= { dnsResNCache 4 }
-
- -- Resolver Negative Cache Table
-
- dnsResNCacheErrTable OBJECT-TYPE
- SYNTAX SEQUENCE OF DnsResNCacheErrEntry
- MAX-ACCESS not-accessible
- STATUS current
-
-
-
-Austein & Saperia [Page 21]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- DESCRIPTION
- "The resolver's negative response cache. This table
- contains information about authoritative errors that
- have been cached by the resolver."
- ::= { dnsResNCache 5 }
-
- dnsResNCacheErrEntry OBJECT-TYPE
- SYNTAX DnsResNCacheErrEntry
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "An entry in the resolver's negative response cache
- table. Only the resolver can create rows. SNMP SET
- requests may be used to delete rows."
- INDEX { dnsResNCacheErrQName,
- dnsResNCacheErrQClass,
- dnsResNCacheErrQType,
- dnsResNCacheErrIndex }
- ::= { dnsResNCacheErrTable 1 }
-
- DnsResNCacheErrEntry ::=
- SEQUENCE {
- dnsResNCacheErrQName
- DnsNameAsIndex,
- dnsResNCacheErrQClass
- DnsQClass,
- dnsResNCacheErrQType
- DnsQType,
- dnsResNCacheErrTTL
- DnsTime,
- dnsResNCacheErrElapsedTTL
- DnsTime,
- dnsResNCacheErrSource
- IpAddress,
- dnsResNCacheErrCode
- INTEGER,
- dnsResNCacheErrStatus
- RowStatus,
- dnsResNCacheErrIndex
- Integer32,
- dnsResNCacheErrPrettyName
- DnsName
- }
-
- dnsResNCacheErrQName OBJECT-TYPE
- SYNTAX DnsNameAsIndex
- MAX-ACCESS not-accessible
- STATUS current
-
-
-
-Austein & Saperia [Page 22]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- DESCRIPTION
- "QNAME associated with a cached authoritative error."
- REFERENCE
- "RFC-1034 section 3.7.1."
- ::= { dnsResNCacheErrEntry 1 }
-
- dnsResNCacheErrQClass OBJECT-TYPE
- SYNTAX DnsQClass
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS QCLASS associated with a cached authoritative
- error."
- ::= { dnsResNCacheErrEntry 2 }
-
- dnsResNCacheErrQType OBJECT-TYPE
- SYNTAX DnsQType
- MAX-ACCESS not-accessible
- STATUS current
- DESCRIPTION
- "DNS QTYPE associated with a cached authoritative error."
- ::= { dnsResNCacheErrEntry 3 }
-
- dnsResNCacheErrTTL OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Time-To-Live of a cached authoritative error at the time
- of the error, it should not be decremented by the number
- of seconds since it was received. This should be the
- TTL as copied from the MINIMUM field of the SOA that
- accompanied the authoritative error, or a smaller value
- if the resolver implements a ceiling on negative
- response cache TTLs."
- REFERENCE
- "RFC-1034 section 4.3.4."
- ::= { dnsResNCacheErrEntry 4 }
-
- dnsResNCacheErrElapsedTTL OBJECT-TYPE
- SYNTAX DnsTime
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Elapsed seconds since authoritative error was received."
- ::= { dnsResNCacheErrEntry 5 }
-
-
-
-
-
-Austein & Saperia [Page 23]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResNCacheErrSource OBJECT-TYPE
- SYNTAX IpAddress
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Host which sent the authoritative error, 0.0.0.0 if
- unknown."
- ::= { dnsResNCacheErrEntry 6 }
-
- dnsResNCacheErrCode OBJECT-TYPE
- SYNTAX INTEGER { nonexistantName(1), noData(2), other(3) }
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "The authoritative error that has been cached:
-
- nonexistantName(1) indicates an authoritative name error
- (RCODE = 3).
-
- noData(2) indicates an authoritative response with no
- error (RCODE = 0) and no relevant data.
-
- other(3) indicates some other cached authoritative
- error. At present, no such errors are known to exist."
- ::= { dnsResNCacheErrEntry 7 }
-
- dnsResNCacheErrStatus OBJECT-TYPE
- SYNTAX RowStatus
- MAX-ACCESS read-write
- STATUS current
- DESCRIPTION
- "Status column for the resolver negative response cache
- table. Since only the agent (DNS resolver) creates rows
- in this table, the only values that a manager may write
- to this variable are active(1) and destroy(6)."
- ::= { dnsResNCacheErrEntry 8 }
-
- dnsResNCacheErrIndex OBJECT-TYPE
- SYNTAX Integer32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "A value which makes entries in the table unique when the
- other index values (dnsResNCacheErrQName,
- dnsResNCacheErrQClass, and dnsResNCacheErrQType) do not
- provide a unique index."
- ::= { dnsResNCacheErrEntry 9 }
-
-
-
-
-Austein & Saperia [Page 24]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResNCacheErrPrettyName OBJECT-TYPE
- SYNTAX DnsName
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "QNAME associated with this row in the table. This is
- identical to the dnsResNCacheErrQName variable, except
- that character case is preserved in this variable, per
- DNS conventions."
- REFERENCE
- "RFC-1035 section 2.3.3."
- ::= { dnsResNCacheErrEntry 10 }
-
-
- -- Resolver Optional Counters Group
-
- dnsResOptCounterReferals OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of responses which were received from servers
- redirecting query to another server."
- ::= { dnsResOptCounter 1 }
-
- dnsResOptCounterRetrans OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number requests retransmitted for all reasons."
- ::= { dnsResOptCounter 2 }
-
- dnsResOptCounterNoResponses OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries that were retransmitted because of no
- response."
- ::= { dnsResOptCounter 3 }
-
- dnsResOptCounterRootRetrans OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of queries that were retransmitted that were to
-
-
-
-Austein & Saperia [Page 25]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- root servers."
- ::= { dnsResOptCounter 4 }
-
- dnsResOptCounterInternals OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests internally generated by the
- resolver."
- ::= { dnsResOptCounter 5 }
-
- dnsResOptCounterInternalTimeOuts OBJECT-TYPE
- SYNTAX Counter32
- MAX-ACCESS read-only
- STATUS current
- DESCRIPTION
- "Number of requests internally generated which timed
- out."
- ::= { dnsResOptCounter 6 }
-
-
- -- SNMPv2 groups.
-
- dnsResMIBGroups OBJECT IDENTIFIER ::= { dnsResMIB 2 }
-
- dnsResConfigGroup OBJECT-GROUP
- OBJECTS { dnsResConfigImplementIdent,
- dnsResConfigService,
- dnsResConfigMaxCnames,
- dnsResConfigSbeltAddr,
- dnsResConfigSbeltName,
- dnsResConfigSbeltRecursion,
- dnsResConfigSbeltPref,
- dnsResConfigSbeltSubTree,
- dnsResConfigSbeltClass,
- dnsResConfigSbeltStatus,
- dnsResConfigUpTime,
- dnsResConfigResetTime }
- STATUS current
- DESCRIPTION
- "A collection of objects providing basic configuration
- information for a DNS resolver implementation."
- ::= { dnsResMIBGroups 1 }
-
- dnsResCounterGroup OBJECT-GROUP
- OBJECTS { dnsResCounterByOpcodeCode,
- dnsResCounterByOpcodeQueries,
-
-
-
-Austein & Saperia [Page 26]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- dnsResCounterByOpcodeResponses,
- dnsResCounterByRcodeCode,
- dnsResCounterByRcodeResponses,
- dnsResCounterNonAuthDataResps,
- dnsResCounterNonAuthNoDataResps,
- dnsResCounterMartians,
- dnsResCounterRecdResponses,
- dnsResCounterUnparseResps,
- dnsResCounterFallbacks }
- STATUS current
- DESCRIPTION
- "A collection of objects providing basic instrumentation
- of a DNS resolver implementation."
- ::= { dnsResMIBGroups 2 }
-
- dnsResLameDelegationGroup OBJECT-GROUP
- OBJECTS { dnsResLameDelegationOverflows,
- dnsResLameDelegationSource,
- dnsResLameDelegationName,
- dnsResLameDelegationClass,
- dnsResLameDelegationCounts,
- dnsResLameDelegationStatus }
- STATUS current
- DESCRIPTION
- "A collection of objects providing instrumentation of
- `lame delegation' failures."
- ::= { dnsResMIBGroups 3 }
-
-
- dnsResCacheGroup OBJECT-GROUP
- OBJECTS { dnsResCacheStatus,
- dnsResCacheMaxTTL,
- dnsResCacheGoodCaches,
- dnsResCacheBadCaches,
- dnsResCacheRRName,
- dnsResCacheRRClass,
- dnsResCacheRRType,
- dnsResCacheRRTTL,
- dnsResCacheRRElapsedTTL,
- dnsResCacheRRSource,
- dnsResCacheRRData,
- dnsResCacheRRStatus,
- dnsResCacheRRIndex,
- dnsResCacheRRPrettyName }
- STATUS current
- DESCRIPTION
- "A collection of objects providing access to and control
- of a DNS resolver's cache."
-
-
-
-Austein & Saperia [Page 27]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- ::= { dnsResMIBGroups 4 }
-
- dnsResNCacheGroup OBJECT-GROUP
- OBJECTS { dnsResNCacheStatus,
- dnsResNCacheMaxTTL,
- dnsResNCacheGoodNCaches,
- dnsResNCacheBadNCaches,
- dnsResNCacheErrQName,
- dnsResNCacheErrQClass,
- dnsResNCacheErrQType,
- dnsResNCacheErrTTL,
- dnsResNCacheErrElapsedTTL,
- dnsResNCacheErrSource,
- dnsResNCacheErrCode,
- dnsResNCacheErrStatus,
- dnsResNCacheErrIndex,
- dnsResNCacheErrPrettyName }
- STATUS current
- DESCRIPTION
- "A collection of objects providing access to and control
- of a DNS resolver's negative response cache."
- ::= { dnsResMIBGroups 5 }
-
- dnsResOptCounterGroup OBJECT-GROUP
- OBJECTS { dnsResOptCounterReferals,
- dnsResOptCounterRetrans,
- dnsResOptCounterNoResponses,
- dnsResOptCounterRootRetrans,
- dnsResOptCounterInternals,
- dnsResOptCounterInternalTimeOuts }
- STATUS current
- DESCRIPTION
- "A collection of objects providing further
- instrumentation applicable to many but not all DNS
- resolvers."
- ::= { dnsResMIBGroups 6 }
-
-
- -- Compliances.
-
- dnsResMIBCompliances OBJECT IDENTIFIER ::= { dnsResMIB 3 }
-
- dnsResMIBCompliance MODULE-COMPLIANCE
- STATUS current
- DESCRIPTION
- "The compliance statement for agents implementing the DNS
- resolver MIB extensions."
- MODULE -- This MIB module
-
-
-
-Austein & Saperia [Page 28]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- MANDATORY-GROUPS { dnsResConfigGroup, dnsResCounterGroup }
- GROUP dnsResCacheGroup
- DESCRIPTION
- "The resolver cache group is mandatory for resolvers that
- implement a cache."
- GROUP dnsResNCacheGroup
- DESCRIPTION
- "The resolver negative cache group is mandatory for
- resolvers that implement a negative response cache."
- GROUP dnsResLameDelegationGroup
- DESCRIPTION
- "The lame delegation group is unconditionally optional."
- GROUP dnsResOptCounterGroup
- DESCRIPTION
- "The optional counters group is unconditionally
- optional."
- OBJECT dnsResConfigMaxCnames
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsResConfigSbeltName
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsResConfigSbeltRecursion
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsResConfigSbeltPref
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsResConfigReset
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsResCacheStatus
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsResCacheMaxTTL
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- OBJECT dnsResNCacheStatus
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
-
-
-
-Austein & Saperia [Page 29]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- OBJECT dnsResNCacheMaxTTL
- MIN-ACCESS read-only
- DESCRIPTION
- "This object need not be writable."
- ::= { dnsResMIBCompliances 1 }
-
- END
-
-5. Acknowledgements
-
- This document is the result of work undertaken the by DNS working
- group. The authors would particularly like to thank the following
- people for their contributions to this document: Philip Almquist,
- Frank Kastenholz (FTP Software), Joe Peck (DEC), Dave Perkins
- (SynOptics), Win Treese (DEC), and Mimi Zohar (IBM).
-
-6. References
-
- [1] Mockapetris, P., "Domain Names -- Concepts and Facilities", STD
- 13, RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [2] Mockapetris, P., "Domain Names -- Implementation and
- Specification", STD 13, RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
- [3] Braden, R., Editor, "Requirements for Internet Hosts --
- Application and Support, STD 3, RFC 1123, USC/Information
- Sciences Institute, October 1989.
-
- [4] Rose, M., and K. McCloghrie, "Structure and Identification of
- Management Information for TCP/IP-based internets", STD 16, RFC
- 1155, Performance Systems International, Hughes LAN Systems, May
- 1990.
-
- [5] McCloghrie, K., and M. Rose, "Management Information Base for
- Network Management of TCP/IP-based internets", RFC 1156, Hughes
- LAN Systems, Performance Systems International, May 1990.
-
- [6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
- Network Management Protocol", STD 15, RFC 1157, SNMP Research,
- Performance Systems International, Performance Systems
- International, MIT Laboratory for Computer Science, May 1990.
-
- [7] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",
- STD 16, RFC 1212, Performance Systems International, Hughes LAN
- Systems, March 1991.
-
-
-
-
-
-Austein & Saperia [Page 30]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
- [8] McCloghrie, K., and M. Rose, "Management Information Base for
- Network Management of TCP/IP-based internets: MIB-II", STD 17,
- RFC 1213, Hughes LAN Systems, Performance Systems International,
- March 1991.
-
- [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
- of Management Information for version 2 of the Simple Network
- Management Protocol (SNMPv2)", RFC 1442, SNMP Research, Inc.,
- Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
- University, April 1993.
-
- [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
- Conventions for version 2 of the the Simple Network Management
- Protocol (SNMPv2)", RFC 1443, SNMP Research, Inc., Hughes LAN
- Systems, Dover Beach Consulting, Inc., Carnegie Mellon
- University, April 1993.
-
- [11] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
- "Conformance Statements for version 2 of the the Simple Network
- Management Protocol (SNMPv2)", RFC 1444, SNMP Research, Inc.,
- Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
- University, April 1993.
-
- [12] Galvin, J., and K. McCloghrie, "Administrative Model for version
- 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1445,
- Trusted Information Systems, Hughes LAN Systems, April 1993.
-
- [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
- Operations for version 2 of the Simple Network Management
- Protocol (SNMPv2)", RFC 1448, SNMP Research, Inc., Hughes LAN
- Systems, Dover Beach Consulting, Inc., Carnegie Mellon
- University, April 1993.
-
- [14] "Information processing systems - Open Systems Interconnection -
- Specification of Abstract Syntax Notation One (ASN.1)",
- International Organization for Standardization, International
- Standard 8824, December 1987.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein & Saperia [Page 31]
-
-RFC 1612 DNS Resolver MIB May 1994
-
-
-7. Security Considerations
-
- Security issues are not discussed in this memo.
-
-8. Authors' Addresses
-
- Rob Austein
- Epilogue Technology Corporation
- 268 Main Street, Suite 283
- North Reading, MA 01864
- USA
-
- Phone: +1-617-245-0804
- Fax: +1-617-245-8122
- EMail: sra@epilogue.com
-
-
- Jon Saperia
- Digital Equipment Corporation
- 110 Spit Brook Road
- ZKO1-3/H18
- Nashua, NH 03062-2698
- USA
-
- Phone: +1-603-881-0480
- Fax: +1-603-881-0120
- EMail: saperia@zko.dec.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein & Saperia [Page 32]
-
diff --git a/contrib/bind9/doc/rfc/rfc1706.txt b/contrib/bind9/doc/rfc/rfc1706.txt
deleted file mode 100644
index 5b5d82194aff..000000000000
--- a/contrib/bind9/doc/rfc/rfc1706.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group B. Manning
-Request for Comments: 1706 ISI
-Obsoletes: 1637, 1348 R. Colella
-Category: Informational NIST
- October 1994
-
-
- DNS NSAP Resource Records
-
-
-Status of this Memo
-
- This memo provides information for the Internet community. This memo
- does not specify an Internet standard of any kind. Distribution of
- this memo is unlimited.
-
-Abstract
-
- OSI lower layer protocols, comprising the connectionless network
- protocol (CLNP) and supporting routing protocols, are deployed in
- some parts of the global Internet. Maintenance and debugging of CLNP
- connectivity is greatly aided by support in the Domain Name System
- (DNS) for mapping between names and NSAP addresses.
-
- This document defines the format of one new Resource Record (RR) for
- the DNS for domain name-to-NSAP mapping. The RR may be used with any
- NSAP address format.
-
- NSAP-to-name translation is accomplished through use of the PTR RR
- (see STD 13, RFC 1035 for a description of the PTR RR). This paper
- describes how PTR RRs are used to support this translation.
-
- This document obsoletes RFC 1348 and RFC 1637.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Manning & Colella [Page 1]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
-1. Introduction
-
- OSI lower layer protocols, comprising the connectionless network
- protocol (CLNP) [5] and supporting routing protocols, are deployed in
- some parts of the global Internet. Maintenance and debugging of CLNP
- connectivity is greatly aided by support in the Domain Name System
- (DNS) [7] [8] for mapping between names and NSAP (network service
- access point) addresses [6] [Note: NSAP and NSAP address are used
- interchangeably throughout this memo].
-
- This document defines the format of one new Resource Record (RR) for
- the DNS for domain name-to-NSAP mapping. The RR may be used with any
- NSAP address format.
-
- NSAP-to-name translation is accomplished through use of the PTR RR
- (see RFC 1035 for a description of the PTR RR). This paper describes
- how PTR RRs are used to support this translation.
-
- This memo assumes that the reader is familiar with the DNS. Some
- familiarity with NSAPs is useful; see [1] or Annex A of [6] for
- additional information.
-
-2. Background
-
- The reason for defining DNS mappings for NSAPs is to support the
- existing CLNP deployment in the Internet. Debugging with CLNP ping
- and traceroute has become more difficult with only numeric NSAPs as
- the scale of deployment has increased. Current debugging is supported
- by maintaining and exchanging a configuration file with name/NSAP
- mappings similar in function to hosts.txt. This suffers from the lack
- of a central coordinator for this file and also from the perspective
- of scaling. The former describes the most serious short-term
- problem. Scaling of a hosts.txt-like solution has well-known long-
- term scaling difficiencies.
-
-3. Scope
-
- The methods defined in this paper are applicable to all NSAP formats.
-
- As a point of reference, there is a distinction between registration
- and publication of addresses. For IP addresses, the IANA is the root
- registration authority and the DNS a publication method. For NSAPs,
- Annex A of the network service definition, ISO8348 [6], describes the
- root registration authority and this memo defines how the DNS is used
- as a publication method.
-
-
-
-
-
-
-Manning & Colella [Page 2]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
-4. Structure of NSAPs
-
- NSAPs are hierarchically structured to allow distributed
- administration and efficient routing. Distributed administration
- permits subdelegated addressing authorities to, as allowed by the
- delegator, further structure the portion of the NSAP space under
- their delegated control. Accomodating this distributed authority
- requires that there be little or no a priori knowledge of the
- structure of NSAPs built into DNS resolvers and servers.
-
- For the purposes of this memo, NSAPs can be thought of as a tree of
- identifiers. The root of the tree is ISO8348 [6], and has as its
- immediately registered subordinates the one-octet Authority and
- Format Identifiers (AFIs) defined there. The size of subsequently-
- defined fields depends on which branch of the tree is taken. The
- depth of the tree varies according to the authority responsible for
- defining subsequent fields.
-
- An example is the authority under which U.S. GOSIP defines NSAPs [2].
- Under the AFI of 47, NIST (National Institute of Standards and
- Technology) obtained a value of 0005 (the AFI of 47 defines the next
- field as being two octets consisting of four BCD digits from the
- International Code Designator space [3]). NIST defined the subsequent
- fields in [2], as shown in Figure 1. The field immediately following
- 0005 is a format identifier for the rest of the U.S. GOSIP NSAP
- structure, with a hex value of 80. Following this is the three-octet
- field, values for which are allocated to network operators; the
- registration authority for this field is delegated to GSA (General
- Services Administration).
-
- The last octet of the NSAP is the NSelector (NSel). In practice, the
- NSAP minus the NSel identifies the CLNP protocol machine on a given
- system, and the NSel identifies the CLNP user. Since there can be
- more than one CLNP user (meaning multiple NSel values for a given
- "base" NSAP), the representation of the NSAP should be CLNP-user
- independent. To achieve this, an NSel value of zero shall be used
- with all NSAP values stored in the DNS. An NSAP with NSel=0
- identifies the network layer itself. It is left to the application
- retrieving the NSAP to determine the appropriate value to use in that
- instance of communication.
-
- When CLNP is used to support TCP and UDP services, the NSel value
- used is the appropriate IP PROTO value as registered with the IANA.
- For "standard" OSI, the selection of NSel values is left as a matter
- of local administration. Administrators of systems that support the
- OSI transport protocol [4] in addition to TCP/UDP must select NSels
- for use by OSI Transport that do not conflict with the IP PROTO
- values.
-
-
-
-Manning & Colella [Page 3]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
- |--------------|
- | <-- IDP --> |
- |--------------|-------------------------------------|
- | AFI | IDI | <-- DSP --> |
- |-----|--------|-------------------------------------|
- | 47 | 0005 | DFI | AA |Rsvd | RD |Area | ID |Sel |
- |-----|--------|-----|----|-----|----|-----|----|----|
- octets | 1 | 2 | 1 | 3 | 2 | 2 | 2 | 6 | 1 |
- |-----|--------|-----|----|-----|----|-----|----|----|
-
- IDP Initial Domain Part
- AFI Authority and Format Identifier
- IDI Initial Domain Identifier
- DSP Domain Specific Part
- DFI DSP Format Identifier
- AA Administrative Authority
- Rsvd Reserved
- RD Routing Domain Identifier
- Area Area Identifier
- ID System Identifier
- SEL NSAP Selector
-
- Figure 1: GOSIP Version 2 NSAP structure.
-
-
- In the NSAP RRs in Master Files and in the printed text in this memo,
- NSAPs are often represented as a string of "."-separated hex values.
- The values correspond to convenient divisions of the NSAP to make it
- more readable. For example, the "."-separated fields might correspond
- to the NSAP fields as defined by the appropriate authority (RARE,
- U.S. GOSIP, ANSI, etc.). The use of this notation is strictly for
- readability. The "."s do not appear in DNS packets and DNS servers
- can ignore them when reading Master Files. For example, a printable
- representation of the first four fields of a U.S. GOSIP NSAP might
- look like
-
- 47.0005.80.005a00
-
- and a full U.S. GOSIP NSAP might appear as
-
- 47.0005.80.005a00.0000.1000.0020.00800a123456.00.
-
- Other NSAP formats have different lengths and different
- administratively defined field widths to accomodate different
- requirements. For more information on NSAP formats in use see RFC
- 1629 [1].
-
-
-
-
-
-Manning & Colella [Page 4]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
-5. The NSAP RR
-
- The NSAP RR is defined with mnemonic "NSAP" and TYPE code 22
- (decimal) and is used to map from domain names to NSAPs. Name-to-NSAP
- mapping in the DNS using the NSAP RR operates analogously to IP
- address lookup. A query is generated by the resolver requesting an
- NSAP RR for a provided domain name.
-
- NSAP RRs conform to the top level RR format and semantics as defined
- in Section 3.2.1 of RFC 1035.
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | |
- / /
- / NAME /
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TYPE = NSAP |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | CLASS = IN |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TTL |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | RDLENGTH |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / RDATA /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- where:
-
- * NAME: an owner name, i.e., the name of the node to which this
- resource record pertains.
-
- * TYPE: two octets containing the NSAP RR TYPE code of 22 (decimal).
-
- * CLASS: two octets containing the RR IN CLASS code of 1.
-
- * TTL: a 32 bit signed integer that specifies the time interval in
- seconds that the resource record may be cached before the source
- of the information should again be consulted. Zero values are
- interpreted to mean that the RR can only be used for the
- transaction in progress, and should not be cached. For example,
- SOA records are always distributed with a zero TTL to prohibit
- caching. Zero values can also be used for extremely volatile data.
-
-
-
-Manning & Colella [Page 5]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
- * RDLENGTH: an unsigned 16 bit integer that specifies the length in
- octets of the RDATA field.
-
- * RDATA: a variable length string of octets containing the NSAP.
- The value is the binary encoding of the NSAP as it would appear in
- the CLNP source or destination address field. A typical example of
- such an NSAP (in hex) is shown below. For this NSAP, RDLENGTH is
- 20 (decimal); "."s have been omitted to emphasize that they don't
- appear in the DNS packets.
-
- 39840f80005a0000000001e13708002010726e00
-
- NSAP RRs cause no additional section processing.
-
-6. NSAP-to-name Mapping Using the PTR RR
-
- The PTR RR is defined in RFC 1035. This RR is typically used under
- the "IN-ADDR.ARPA" domain to map from IPv4 addresses to domain names.
-
- Similarly, the PTR RR is used to map from NSAPs to domain names under
- the "NSAP.INT" domain. A domain name is generated from the NSAP
- according to the rules described below. A query is sent by the
- resolver requesting a PTR RR for the provided domain name.
-
- A domain name is generated from an NSAP by reversing the hex nibbles
- of the NSAP, treating each nibble as a separate subdomain, and
- appending the top-level subdomain name "NSAP.INT" to it. For example,
- the domain name used in the reverse lookup for the NSAP
-
- 47.0005.80.005a00.0000.0001.e133.ffffff000162.00
-
- would appear as
-
- 0.0.2.6.1.0.0.0.f.f.f.f.f.f.3.3.1.e.1.0.0.0.0.0.0.0.0.0.a.5.0.0. \
- 0.8.5.0.0.0.7.4.NSAP.INT.
-
- [Implementation note: For sanity's sake user interfaces should be
- designed to allow users to enter NSAPs using their natural order,
- i.e., as they are typically written on paper. Also, arbitrary "."s
- should be allowed (and ignored) on input.]
-
-7. Master File Format
-
- The format of NSAP RRs (and NSAP-related PTR RRs) in Master Files
- conforms to Section 5, "Master Files," of RFC 1035. Below are
- examples of the use of these RRs in Master Files to support name-to-
- NSAP and NSAP-to-name mapping.
-
-
-
-
-Manning & Colella [Page 6]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
- The NSAP RR introduces a new hex string format for the RDATA field.
- The format is "0x" (i.e., a zero followed by an 'x' character)
- followed by a variable length string of hex characters (0 to 9, a to
- f). The hex string is case-insensitive. "."s (i.e., periods) may be
- inserted in the hex string anywhere after the "0x" for readability.
- The "."s have no significance other than for readability and are not
- propagated in the protocol (e.g., queries or zone transfers).
-
-
- ;;;;;;
- ;;;;;; Master File for domain nsap.nist.gov.
- ;;;;;;
-
-
- @ IN SOA emu.ncsl.nist.gov. root.emu.ncsl.nist.gov. (
- 1994041800 ; Serial - date
- 1800 ; Refresh - 30 minutes
- 300 ; Retry - 5 minutes
- 604800 ; Expire - 7 days
- 3600 ) ; Minimum - 1 hour
- IN NS emu.ncsl.nist.gov.
- IN NS tuba.nsap.lanl.gov.
- ;
- ;
- $ORIGIN nsap.nist.gov.
- ;
- ; hosts
- ;
- bsdi1 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00
- IN A 129.6.224.161
- IN HINFO PC_486 BSDi1.1
- ;
- bsdi2 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000162.00
- IN A 129.6.224.162
- IN HINFO PC_486 BSDi1.1
- ;
- cursive IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000171.00
- IN A 129.6.224.171
- IN HINFO PC_386 DOS_5.0/NCSA_Telnet(TUBA)
- ;
- infidel IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000164.00
- IN A 129.6.55.164
- IN HINFO PC/486 BSDi1.0(TUBA)
- ;
- ; routers
- ;
- cisco1 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.aaaaaa000151.00
- IN A 129.6.224.151
-
-
-
-Manning & Colella [Page 7]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
- IN A 129.6.225.151
- IN A 129.6.229.151
- ;
- 3com1 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.aaaaaa000111.00
- IN A 129.6.224.111
- IN A 129.6.225.111
- IN A 129.6.228.111
-
-
-
-
- ;;;;;;
- ;;;;;; Master File for reverse mapping of NSAPs under the
- ;;;;;; NSAP prefix:
- ;;;;;;
- ;;;;;; 47.0005.80.005a00.0000.0001.e133
- ;;;;;;
-
-
- @ IN SOA emu.ncsl.nist.gov. root.emu.ncsl.nist.gov. (
- 1994041800 ; Serial - date
- 1800 ; Refresh - 30 minutes
- 300 ; Retry - 5 minutes
- 604800 ; Expire - 7 days
- 3600 ) ; Minimum - 1 hour
- IN NS emu.ncsl.nist.gov.
- IN NS tuba.nsap.lanl.gov.
- ;
- ;
- $ORIGIN 3.3.1.e.1.0.0.0.0.0.0.0.0.0.a.5.0.0.0.8.5.0.0.0.7.4.NSAP.INT.
- ;
- 0.0.1.6.1.0.0.0.f.f.f.f.f.f IN PTR bsdi1.nsap.nist.gov.
- ;
- 0.0.2.6.1.0.0.0.f.f.f.f.f.f IN PTR bsdi2.nsap.nist.gov.
- ;
- 0.0.1.7.1.0.0.0.f.f.f.f.f.f IN PTR cursive.nsap.nist.gov.
- ;
- 0.0.4.6.1.0.0.0.f.f.f.f.f.f IN PTR infidel.nsap.nist.gov.
- ;
- 0.0.1.5.1.0.0.0.a.a.a.a.a.a IN PTR cisco1.nsap.nist.gov.
- ;
- 0.0.1.1.1.0.0.0.a.a.a.a.a.a IN PTR 3com1.nsap.nist.gov.
-
-8. Security Considerations
-
- Security issues are not discussed in this memo.
-
-
-
-
-
-Manning & Colella [Page 8]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
-9. Authors' Addresses
-
- Bill Manning
- USC/Information Sciences Institute
- 4676 Admiralty Way
- Marina del Rey, CA. 90292
- USA
-
- Phone: +1.310.822.1511
- EMail: bmanning@isi.edu
-
-
- Richard Colella
- National Institute of Standards and Technology
- Technology/B217
- Gaithersburg, MD 20899
- USA
-
- Phone: +1 301-975-3627
- Fax: +1 301 590-0932
- EMail: colella@nist.gov
-
-10. References
-
- [1] Colella, R., Gardner, E., Callon, R., and Y. Rekhter, "Guidelines
- for OSI NSAP Allocation inh the Internet", RFC 1629, NIST,
- Wellfleet, Mitre, T.J. Watson Research Center, IBM Corp., May
- 1994.
-
- [2] GOSIP Advanced Requirements Group. Government Open Systems
- Interconnection Profile (GOSIP) Version 2. Federal Information
- Processing Standard 146-1, U.S. Department of Commerce, National
- Institute of Standards and Technology, Gaithersburg, MD, April
- 1991.
-
- [3] ISO/IEC. Data interchange - structures for the identification of
- organization. International Standard 6523, ISO/IEC JTC 1,
- Switzerland, 1984.
-
- [4] ISO/IEC. Connection oriented transport protocol specification.
- International Standard 8073, ISO/IEC JTC 1, Switzerland, 1986.
-
- [5] ISO/IEC. Protocol for Providing the Connectionless-mode Network
- Service. International Standard 8473, ISO/IEC JTC 1,
- Switzerland, 1986.
-
-
-
-
-
-
-Manning & Colella [Page 9]
-
-RFC 1706 DNS NSAP RRs October 1994
-
-
- [6] ISO/IEC. Information Processing Systems -- Data Communications --
- Network Service Definition. International Standard 8348, ISO/IEC
- JTC 1, Switzerland, 1993.
-
- [7] Mockapetris, P., "Domain Names -- Concepts and Facilities", STD
- 13, RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [8] Mockapetris, P., "Domain Names -- Implementation and
- Specification", STD 13, RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Manning & Colella [Page 10]
-
diff --git a/contrib/bind9/doc/rfc/rfc1712.txt b/contrib/bind9/doc/rfc/rfc1712.txt
deleted file mode 100644
index 40d88578e83f..000000000000
--- a/contrib/bind9/doc/rfc/rfc1712.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group C. Farrell
-Request for Comments: 1712 M. Schulze
-Category: Experimental S. Pleitner
- D. Baldoni
- Curtin University of Technology
- November 1994
-
-
- DNS Encoding of Geographical Location
-
-Status of this Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. This memo does not specify an Internet standard of any
- kind. Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Abstract
-
- This document defines the format of a new Resource Record (RR) for
- the Domain Naming System (DNS), and reserves a corresponding DNS type
- mnemonic and numerical code. This definition deals with associating
- geographical host location mappings to host names within a domain.
- The data shown in this document is fictitious and does not
- necessarily reflect the real Internet.
-
-1. Introduction
-
- It has been a long standing problem to relate IP numbers to
- geographical locations. The availability of Geographical location
- information has immediate applications in network management. Such
- information can be used to supplement the data already provided by
- utilities such as whois [Har85], traceroute [VJ89], and nslookup
- [UCB89]. The usefulness and functionality of these already widely
- used tools would be greatly enhanced by the provision of reliable
- geographical location information.
-
- The ideal way to manage and maintain a database of information, such
- as geographical location of internet hosts, is to delegate
- responsibility to local domain administrators. A large distributed
- database could be implemented with a simple mechanism for updating
- the local information. A query mechanism also has to be available
- for checking local entries, as well as inquiring about data from
- non-local domains.
-
-
-
-
-
-
-
-Farrell, Schulze, Pleitner & Baldoni [Page 1]
-
-RFC 1712 DNS Encoding of Geographical Location November 1994
-
-
-2. Background
-
- The Internet continues to grow at an ever increasing rate with IP
- numbers allocated on a first-come-first-serve basis. Deciding when
- and how to setup a database of geographical information about
- internet hosts presented a number of options. The uumap project
- [UU85] was the first serious attempt to collect geographical location
- data from sites and store it centrally. This project met with
- limited success because of the difficulty in maintaining and updating
- a large central database. Another problem was the lack of tools for
- the checking the data supplied, this problem resulted in some
- erroneous data entering the database.
-
-2.1 SNMP:
-
- Using an SNMP get request on the sysLocation MIB (Management
- Information Base) variable was also an option, however this would
- require the host to be running an appropriate agent with public read
- access. It was also felt that MIB data should reflect local
- management data (e.g., "this" host is on level 5 room 74) rather than
- a hosts geographical position. This view is supported in the
- examples given in literature in this area [ROSE91].
-
-2.2 X500:
-
- The X.500 Directory service [X.500.88] defined as part of the ISO
- standards also appears as a potential provider of geographical
- location data. However due to the limited implementations of this
- service it was decided to defer this until this service gains wider
- use and acceptance within the Internet community.
-
-2.3 BIND:
-
- The DNS [Mock87a][Mock87b] represents an existing system ideally
- suited to the provision of host specific information. The DNS is a
- widely used and well-understood mechanism for providing a distributed
- database of such information and its extensible nature allows it to
- be used to disseminate virtually any information. The most commonly
- used DNS implementation is the Berkeley Internet Name Domain server
- BIND [UCB89]. The information we wished to make available needed to
- be updated locally but available globally; a perfect match with the
- services provided by the DNS. Current DNS servers provide a variety
- of useful information about hosts in their domain but lack the
- ability to report a host's geographical location.
-
-
-
-
-
-
-
-Farrell, Schulze, Pleitner & Baldoni [Page 2]
-
-RFC 1712 DNS Encoding of Geographical Location November 1994
-
-
-3. RDATA Format
-
- MSB LSB
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / LONGITUDE /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / LATITUDE /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / ALTITUDE /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- where:
-
- LONGITUDE The real number describing the longitude encoded as a
- printable string. The precision is limited by 256 charcters
- within the range -90..90 degrees. Positive numbers
- indicate locations north of the equator.
-
- LATITUDE The real number describing the latitude encoded as a
- printable string. The precision is limited by 256 charcters
- within the range -180..180 degrees. Positive numbers
- indicate locations east of the prime meridian.
-
- ALTITUDE The real number describing the altitude (in meters) from
- mean sea-level encoded as a printable string. The precision
- is limited by 256 charcters. Positive numbers indicate
- locations above mean sea-level.
-
- Latitude/Longitude/Altitude values are encoded as strings as to avoid
- the precision limitations imposed by encoding as unsigned integers.
- Although this might not be considered optimal, it allows for a very
- high degree of precision with an acceptable average encoded record
- length.
-
-4. The GPOS RR
-
- The geographical location is defined with the mnemonic GPOS and type
- code 27.
-
- GPOS has the following format:
- <owner> <ttl> <class> GPOS <longitude> <latitude> <altitude>
-
- A floating point format was chosen to specify geographical locations
- for reasons of simplicity. This also guarantees a concise
- unambiguous description of a location by enforcing three compulsory
- numerical values to be specified.
-
-
-
-
-
-Farrell, Schulze, Pleitner & Baldoni [Page 3]
-
-RFC 1712 DNS Encoding of Geographical Location November 1994
-
-
- The owner, ttl, and class fields are optional and default to the last
- defined value if omitted. The longitude is a floating point number
- ranging from -90 to 90 with positive values indicating locations
- north of the equator. For example Perth, Western Australia is
- located at 32^ 7` 19" south of the equator which would be specified
- as -32.68820. The latitude is a number ranging from -180.0 to 180.0.
- For example Perth, Western Australia is located at 116^ 2' 25" east
- of the prime meridian which would be specified as 116.86520. Curtin
- University, Perth is also 10 meters above sea-level.
-
- The valid GPOS record for a host at Curtin University in Perth
- Western Australia would therefore be:
-
- GPOS -32.6882 116.8652 10.0
-
- There is no limit imposed on the number of decimal places, although
- the length of the encoded string is limited to 256 characters for
- each field. It is also suggested that administrators limit their
- entries to the minimum number of necessary characters in each field.
-
-5. Master File Format
-
- Each host requires its own GPOS field in the corresponding DNS RR to
- explicitly specify its geographical location and altitude. If the
- GPOS field is omitted, a DNS enquiry will return no position
- information for that host.
-
- Consider the following example:
-
-; Authoritative data for cs.curtin.edu.au.
-;
-@ IN SOA marsh.cs.curtin.edu.au. postmaster.cs.curtin.edu.au.
- (
- 94070503 ; Serial (yymmddnn)
- 10800 ; Refresh (3 hours)
- 3600 ; Retry (1 hour)
- 3600000 ; Expire (1000 hours)
- 86400 ; Minimum (24 hours)
- )
-
- IN NS marsh.cs.curtin.edu.au.
-
-marsh IN A 134.7.1.1
- IN MX 0 marsh
- IN HINFO SGI-Indigo IRIX-4.0.5F
- IN GPOS -32.6882 116.8652 10.0
-ftp IN CNAME marsh
-
-
-
-
-Farrell, Schulze, Pleitner & Baldoni [Page 4]
-
-RFC 1712 DNS Encoding of Geographical Location November 1994
-
-
-lillee IN A 134.7.1.2
- IN MX 0 marsh
- IN HINFO SGI-Indigo IRIX-4.0.5F
- IN GPOS -32.6882 116.8652 10.0
-
-hinault IN A 134.7.1.23
- IN MX 0 marsh
- IN HINFO SUN-IPC SunOS-4.1.3
- IN GPOS -22.6882 116.8652 250.0
-
-merckx IN A 134.7.1.24
- IN MX 0 marsh
- IN HINFO SUN-IPC SunOS-4.1.1
-
-ambrose IN A 134.7.1.99
- IN MX 0 marsh
- IN HINFO SGI-CHALLENGE_L IRIX-5.2
- IN GPOS -32.6882 116.8652 10.0
-
- The hosts marsh, lillee, and ambrose are all at the same geographical
- location, Perth Western Australia (-32.68820 116.86520). The host
- hinault is at a different geographical location, 10 degrees north of
- Perth in the mountains (-22.6882 116.8652 250.0). For security
- reasons we do not wish to give the location of the host merckx.
-
- Although the GPOS clause is not a standard entry within BIND
- configuration files, most vendor implementations seem to ignore
- whatever is not understood upon startup of the DNS. Usually this
- will result in a number of warnings appearing in system log files,
- but in no way alters naming information or impedes the DNS from
- performing its normal duties.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell, Schulze, Pleitner & Baldoni [Page 5]
-
-RFC 1712 DNS Encoding of Geographical Location November 1994
-
-
-7. References
-
- [ROSE91] Rose M., "The Simple Book: An Introduction to
- Management of TCP/IP-based Internets", Prentice-Hall,
- Englewood Cliffs, New Jersey, 1991.
-
- [X.500.88] CCITT: The Directory - Overview of Concepts, Models
- and Services", Recommendations X.500 - X.521.
-
- [Har82] Harrenstein K, Stahl M., and E. Feinler,
- "NICNAME/WHOIS" RFC 812, SRI NIC, March 1982.
-
- [Mock87a] Mockapetris P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, USC/Information
- Sciences Institute, November 1987.
-
- [Mock87b] Mockapetris P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, USC/Information
- Sciences Institute, November 1987.
-
- [FRB93] Ford P., Rekhter Y., and H-W. Braun, "Improving the
- Routing and Addressing of IP", IEEE Network
- Vol.7, No. 3, pp. 11-15, May 1993.
-
- [VJ89] Jacobsen V., "The Traceroute(8) Manual Page",
- Lawrence Berkeley Laboratory, Berkeley,
- CA, February 1989.
-
- [UCB89] University of California, "BIND: Berkeley Internet
- Name Domain Server", 1989.
- [UU85] UUCP Mapping Project, Software available via
- anonymous FTP from ftp.uu.net., 1985.
-
-8. Security Considerations
-
- Once information has been entered into the DNS, it is considered
- public.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell, Schulze, Pleitner & Baldoni [Page 6]
-
-RFC 1712 DNS Encoding of Geographical Location November 1994
-
-
-9. Authors' Addresses
-
- Craig Farrell
- Department of Computer Science
- Curtin University of technology
- GPO Box U1987 Perth,
- Western Australia
-
- EMail: craig@cs.curtin.edu.au
-
-
- Mike Schulze
- Department of Computer Science
- Curtin University of technology
- GPO Box U1987 Perth,
- Western Australia
-
- EMail: mike@cs.curtin.edu.au
-
-
- Scott Pleitner
- Department of Computer Science
- Curtin University of technology
- GPO Box U1987 Perth,
- Western Australia
-
- EMail: pleitner@cs.curtin.edu.au
-
-
- Daniel Baldoni
- Department of Computer Science
- Curtin University of technology
- GPO Box U1987 Perth,
- Western Australia
-
- EMail: flint@cs.curtin.edu.au
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Farrell, Schulze, Pleitner & Baldoni [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc1750.txt b/contrib/bind9/doc/rfc/rfc1750.txt
deleted file mode 100644
index 56d478c7eef4..000000000000
--- a/contrib/bind9/doc/rfc/rfc1750.txt
+++ /dev/null
@@ -1,1683 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake, 3rd
-Request for Comments: 1750 DEC
-Category: Informational S. Crocker
- Cybercash
- J. Schiller
- MIT
- December 1994
-
-
- Randomness Recommendations for Security
-
-Status of this Memo
-
- This memo provides information for the Internet community. This memo
- does not specify an Internet standard of any kind. Distribution of
- this memo is unlimited.
-
-Abstract
-
- Security systems today are built on increasingly strong cryptographic
- algorithms that foil pattern analysis attempts. However, the security
- of these systems is dependent on generating secret quantities for
- passwords, cryptographic keys, and similar quantities. The use of
- pseudo-random processes to generate secret quantities can result in
- pseudo-security. The sophisticated attacker of these security
- systems may find it easier to reproduce the environment that produced
- the secret quantities, searching the resulting small set of
- possibilities, than to locate the quantities in the whole of the
- number space.
-
- Choosing random quantities to foil a resourceful and motivated
- adversary is surprisingly difficult. This paper points out many
- pitfalls in using traditional pseudo-random number generation
- techniques for choosing such quantities. It recommends the use of
- truly random hardware techniques and shows that the existing hardware
- on many systems can be used for this purpose. It provides
- suggestions to ameliorate the problem when a hardware solution is not
- available. And it gives examples of how large such quantities need
- to be for some particular applications.
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 1]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-Acknowledgements
-
- Comments on this document that have been incorporated were received
- from (in alphabetic order) the following:
-
- David M. Balenson (TIS)
- Don Coppersmith (IBM)
- Don T. Davis (consultant)
- Carl Ellison (Stratus)
- Marc Horowitz (MIT)
- Christian Huitema (INRIA)
- Charlie Kaufman (IRIS)
- Steve Kent (BBN)
- Hal Murray (DEC)
- Neil Haller (Bellcore)
- Richard Pitkin (DEC)
- Tim Redmond (TIS)
- Doug Tygar (CMU)
-
-Table of Contents
-
- 1. Introduction........................................... 3
- 2. Requirements........................................... 4
- 3. Traditional Pseudo-Random Sequences.................... 5
- 4. Unpredictability....................................... 7
- 4.1 Problems with Clocks and Serial Numbers............... 7
- 4.2 Timing and Content of External Events................ 8
- 4.3 The Fallacy of Complex Manipulation.................. 8
- 4.4 The Fallacy of Selection from a Large Database....... 9
- 5. Hardware for Randomness............................... 10
- 5.1 Volume Required...................................... 10
- 5.2 Sensitivity to Skew.................................. 10
- 5.2.1 Using Stream Parity to De-Skew..................... 11
- 5.2.2 Using Transition Mappings to De-Skew............... 12
- 5.2.3 Using FFT to De-Skew............................... 13
- 5.2.4 Using Compression to De-Skew....................... 13
- 5.3 Existing Hardware Can Be Used For Randomness......... 14
- 5.3.1 Using Existing Sound/Video Input................... 14
- 5.3.2 Using Existing Disk Drives......................... 14
- 6. Recommended Non-Hardware Strategy..................... 14
- 6.1 Mixing Functions..................................... 15
- 6.1.1 A Trivial Mixing Function.......................... 15
- 6.1.2 Stronger Mixing Functions.......................... 16
- 6.1.3 Diff-Hellman as a Mixing Function.................. 17
- 6.1.4 Using a Mixing Function to Stretch Random Bits..... 17
- 6.1.5 Other Factors in Choosing a Mixing Function........ 18
- 6.2 Non-Hardware Sources of Randomness................... 19
- 6.3 Cryptographically Strong Sequences................... 19
-
-
-
-Eastlake, Crocker & Schiller [Page 2]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- 6.3.1 Traditional Strong Sequences....................... 20
- 6.3.2 The Blum Blum Shub Sequence Generator.............. 21
- 7. Key Generation Standards.............................. 22
- 7.1 US DoD Recommendations for Password Generation....... 23
- 7.2 X9.17 Key Generation................................. 23
- 8. Examples of Randomness Required....................... 24
- 8.1 Password Generation................................. 24
- 8.2 A Very High Security Cryptographic Key............... 25
- 8.2.1 Effort per Key Trial............................... 25
- 8.2.2 Meet in the Middle Attacks......................... 26
- 8.2.3 Other Considerations............................... 26
- 9. Conclusion............................................ 27
- 10. Security Considerations.............................. 27
- References............................................... 28
- Authors' Addresses....................................... 30
-
-1. Introduction
-
- Software cryptography is coming into wider use. Systems like
- Kerberos, PEM, PGP, etc. are maturing and becoming a part of the
- network landscape [PEM]. These systems provide substantial
- protection against snooping and spoofing. However, there is a
- potential flaw. At the heart of all cryptographic systems is the
- generation of secret, unguessable (i.e., random) numbers.
-
- For the present, the lack of generally available facilities for
- generating such unpredictable numbers is an open wound in the design
- of cryptographic software. For the software developer who wants to
- build a key or password generation procedure that runs on a wide
- range of hardware, the only safe strategy so far has been to force
- the local installation to supply a suitable routine to generate
- random numbers. To say the least, this is an awkward, error-prone
- and unpalatable solution.
-
- It is important to keep in mind that the requirement is for data that
- an adversary has a very low probability of guessing or determining.
- This will fail if pseudo-random data is used which only meets
- traditional statistical tests for randomness or which is based on
- limited range sources, such as clocks. Frequently such random
- quantities are determinable by an adversary searching through an
- embarrassingly small space of possibilities.
-
- This informational document suggests techniques for producing random
- quantities that will be resistant to such attack. It recommends that
- future systems include hardware random number generation or provide
- access to existing hardware that can be used for this purpose. It
- suggests methods for use if such hardware is not available. And it
- gives some estimates of the number of random bits required for sample
-
-
-
-Eastlake, Crocker & Schiller [Page 3]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- applications.
-
-2. Requirements
-
- Probably the most commonly encountered randomness requirement today
- is the user password. This is usually a simple character string.
- Obviously, if a password can be guessed, it does not provide
- security. (For re-usable passwords, it is desirable that users be
- able to remember the password. This may make it advisable to use
- pronounceable character strings or phrases composed on ordinary
- words. But this only affects the format of the password information,
- not the requirement that the password be very hard to guess.)
-
- Many other requirements come from the cryptographic arena.
- Cryptographic techniques can be used to provide a variety of services
- including confidentiality and authentication. Such services are
- based on quantities, traditionally called "keys", that are unknown to
- and unguessable by an adversary.
-
- In some cases, such as the use of symmetric encryption with the one
- time pads [CRYPTO*] or the US Data Encryption Standard [DES], the
- parties who wish to communicate confidentially and/or with
- authentication must all know the same secret key. In other cases,
- using what are called asymmetric or "public key" cryptographic
- techniques, keys come in pairs. One key of the pair is private and
- must be kept secret by one party, the other is public and can be
- published to the world. It is computationally infeasible to
- determine the private key from the public key [ASYMMETRIC, CRYPTO*].
-
- The frequency and volume of the requirement for random quantities
- differs greatly for different cryptographic systems. Using pure RSA
- [CRYPTO*], random quantities are required when the key pair is
- generated, but thereafter any number of messages can be signed
- without any further need for randomness. The public key Digital
- Signature Algorithm that has been proposed by the US National
- Institute of Standards and Technology (NIST) requires good random
- numbers for each signature. And encrypting with a one time pad, in
- principle the strongest possible encryption technique, requires a
- volume of randomness equal to all the messages to be processed.
-
- In most of these cases, an adversary can try to determine the
- "secret" key by trial and error. (This is possible as long as the
- key is enough smaller than the message that the correct key can be
- uniquely identified.) The probability of an adversary succeeding at
- this must be made acceptably low, depending on the particular
- application. The size of the space the adversary must search is
- related to the amount of key "information" present in the information
- theoretic sense [SHANNON]. This depends on the number of different
-
-
-
-Eastlake, Crocker & Schiller [Page 4]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- secret values possible and the probability of each value as follows:
-
- -----
- \
- Bits-of-info = \ - p * log ( p )
- / i 2 i
- /
- -----
-
- where i varies from 1 to the number of possible secret values and p
- sub i is the probability of the value numbered i. (Since p sub i is
- less than one, the log will be negative so each term in the sum will
- be non-negative.)
-
- If there are 2^n different values of equal probability, then n bits
- of information are present and an adversary would, on the average,
- have to try half of the values, or 2^(n-1) , before guessing the
- secret quantity. If the probability of different values is unequal,
- then there is less information present and fewer guesses will, on
- average, be required by an adversary. In particular, any values that
- the adversary can know are impossible, or are of low probability, can
- be initially ignored by an adversary, who will search through the
- more probable values first.
-
- For example, consider a cryptographic system that uses 56 bit keys.
- If these 56 bit keys are derived by using a fixed pseudo-random
- number generator that is seeded with an 8 bit seed, then an adversary
- needs to search through only 256 keys (by running the pseudo-random
- number generator with every possible seed), not the 2^56 keys that
- may at first appear to be the case. Only 8 bits of "information" are
- in these 56 bit keys.
-
-3. Traditional Pseudo-Random Sequences
-
- Most traditional sources of random numbers use deterministic sources
- of "pseudo-random" numbers. These typically start with a "seed"
- quantity and use numeric or logical operations to produce a sequence
- of values.
-
- [KNUTH] has a classic exposition on pseudo-random numbers.
- Applications he mentions are simulation of natural phenomena,
- sampling, numerical analysis, testing computer programs, decision
- making, and games. None of these have the same characteristics as
- the sort of security uses we are talking about. Only in the last two
- could there be an adversary trying to find the random quantity.
- However, in these cases, the adversary normally has only a single
- chance to use a guessed value. In guessing passwords or attempting
- to break an encryption scheme, the adversary normally has many,
-
-
-
-Eastlake, Crocker & Schiller [Page 5]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- perhaps unlimited, chances at guessing the correct value and should
- be assumed to be aided by a computer.
-
- For testing the "randomness" of numbers, Knuth suggests a variety of
- measures including statistical and spectral. These tests check
- things like autocorrelation between different parts of a "random"
- sequence or distribution of its values. They could be met by a
- constant stored random sequence, such as the "random" sequence
- printed in the CRC Standard Mathematical Tables [CRC].
-
- A typical pseudo-random number generation technique, known as a
- linear congruence pseudo-random number generator, is modular
- arithmetic where the N+1th value is calculated from the Nth value by
-
- V = ( V * a + b )(Mod c)
- N+1 N
-
- The above technique has a strong relationship to linear shift
- register pseudo-random number generators, which are well understood
- cryptographically [SHIFT*]. In such generators bits are introduced
- at one end of a shift register as the Exclusive Or (binary sum
- without carry) of bits from selected fixed taps into the register.
-
- For example:
-
- +----+ +----+ +----+ +----+
- | B | <-- | B | <-- | B | <-- . . . . . . <-- | B | <-+
- | 0 | | 1 | | 2 | | n | |
- +----+ +----+ +----+ +----+ |
- | | | |
- | | V +-----+
- | V +----------------> | |
- V +-----------------------------> | XOR |
- +---------------------------------------------------> | |
- +-----+
-
-
- V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n)
- N+1 N 0 2
-
- The goodness of traditional pseudo-random number generator algorithms
- is measured by statistical tests on such sequences. Carefully chosen
- values of the initial V and a, b, and c or the placement of shift
- register tap in the above simple processes can produce excellent
- statistics.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 6]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- These sequences may be adequate in simulations (Monte Carlo
- experiments) as long as the sequence is orthogonal to the structure
- of the space being explored. Even there, subtle patterns may cause
- problems. However, such sequences are clearly bad for use in
- security applications. They are fully predictable if the initial
- state is known. Depending on the form of the pseudo-random number
- generator, the sequence may be determinable from observation of a
- short portion of the sequence [CRYPTO*, STERN]. For example, with
- the generators above, one can determine V(n+1) given knowledge of
- V(n). In fact, it has been shown that with these techniques, even if
- only one bit of the pseudo-random values is released, the seed can be
- determined from short sequences.
-
- Not only have linear congruent generators been broken, but techniques
- are now known for breaking all polynomial congruent generators
- [KRAWCZYK].
-
-4. Unpredictability
-
- Randomness in the traditional sense described in section 3 is NOT the
- same as the unpredictability required for security use.
-
- For example, use of a widely available constant sequence, such as
- that from the CRC tables, is very weak against an adversary. Once
- they learn of or guess it, they can easily break all security, future
- and past, based on the sequence [CRC]. Yet the statistical
- properties of these tables are good.
-
- The following sections describe the limitations of some randomness
- generation techniques and sources.
-
-4.1 Problems with Clocks and Serial Numbers
-
- Computer clocks, or similar operating system or hardware values,
- provide significantly fewer real bits of unpredictability than might
- appear from their specifications.
-
- Tests have been done on clocks on numerous systems and it was found
- that their behavior can vary widely and in unexpected ways. One
- version of an operating system running on one set of hardware may
- actually provide, say, microsecond resolution in a clock while a
- different configuration of the "same" system may always provide the
- same lower bits and only count in the upper bits at much lower
- resolution. This means that successive reads on the clock may
- produce identical values even if enough time has passed that the
- value "should" change based on the nominal clock resolution. There
- are also cases where frequently reading a clock can produce
- artificial sequential values because of extra code that checks for
-
-
-
-Eastlake, Crocker & Schiller [Page 7]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- the clock being unchanged between two reads and increases it by one!
- Designing portable application code to generate unpredictable numbers
- based on such system clocks is particularly challenging because the
- system designer does not always know the properties of the system
- clocks that the code will execute on.
-
- Use of a hardware serial number such as an Ethernet address may also
- provide fewer bits of uniqueness than one would guess. Such
- quantities are usually heavily structured and subfields may have only
- a limited range of possible values or values easily guessable based
- on approximate date of manufacture or other data. For example, it is
- likely that most of the Ethernet cards installed on Digital Equipment
- Corporation (DEC) hardware within DEC were manufactured by DEC
- itself, which significantly limits the range of built in addresses.
-
- Problems such as those described above related to clocks and serial
- numbers make code to produce unpredictable quantities difficult if
- the code is to be ported across a variety of computer platforms and
- systems.
-
-4.2 Timing and Content of External Events
-
- It is possible to measure the timing and content of mouse movement,
- key strokes, and similar user events. This is a reasonable source of
- unguessable data with some qualifications. On some machines, inputs
- such as key strokes are buffered. Even though the user's inter-
- keystroke timing may have sufficient variation and unpredictability,
- there might not be an easy way to access that variation. Another
- problem is that no standard method exists to sample timing details.
- This makes it hard to build standard software intended for
- distribution to a large range of machines based on this technique.
-
- The amount of mouse movement or the keys actually hit are usually
- easier to access than timings but may yield less unpredictability as
- the user may provide highly repetitive input.
-
- Other external events, such as network packet arrival times, can also
- be used with care. In particular, the possibility of manipulation of
- such times by an adversary must be considered.
-
-4.3 The Fallacy of Complex Manipulation
-
- One strategy which may give a misleading appearance of
- unpredictability is to take a very complex algorithm (or an excellent
- traditional pseudo-random number generator with good statistical
- properties) and calculate a cryptographic key by starting with the
- current value of a computer system clock as the seed. An adversary
- who knew roughly when the generator was started would have a
-
-
-
-Eastlake, Crocker & Schiller [Page 8]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- relatively small number of seed values to test as they would know
- likely values of the system clock. Large numbers of pseudo-random
- bits could be generated but the search space an adversary would need
- to check could be quite small.
-
- Thus very strong and/or complex manipulation of data will not help if
- the adversary can learn what the manipulation is and there is not
- enough unpredictability in the starting seed value. Even if they can
- not learn what the manipulation is, they may be able to use the
- limited number of results stemming from a limited number of seed
- values to defeat security.
-
- Another serious strategy error is to assume that a very complex
- pseudo-random number generation algorithm will produce strong random
- numbers when there has been no theory behind or analysis of the
- algorithm. There is a excellent example of this fallacy right near
- the beginning of chapter 3 in [KNUTH] where the author describes a
- complex algorithm. It was intended that the machine language program
- corresponding to the algorithm would be so complicated that a person
- trying to read the code without comments wouldn't know what the
- program was doing. Unfortunately, actual use of this algorithm
- showed that it almost immediately converged to a single repeated
- value in one case and a small cycle of values in another case.
-
- Not only does complex manipulation not help you if you have a limited
- range of seeds but blindly chosen complex manipulation can destroy
- the randomness in a good seed!
-
-4.4 The Fallacy of Selection from a Large Database
-
- Another strategy that can give a misleading appearance of
- unpredictability is selection of a quantity randomly from a database
- and assume that its strength is related to the total number of bits
- in the database. For example, typical USENET servers as of this date
- process over 35 megabytes of information per day. Assume a random
- quantity was selected by fetching 32 bytes of data from a random
- starting point in this data. This does not yield 32*8 = 256 bits
- worth of unguessability. Even after allowing that much of the data
- is human language and probably has more like 2 or 3 bits of
- information per byte, it doesn't yield 32*2.5 = 80 bits of
- unguessability. For an adversary with access to the same 35
- megabytes the unguessability rests only on the starting point of the
- selection. That is, at best, about 25 bits of unguessability in this
- case.
-
- The same argument applies to selecting sequences from the data on a
- CD ROM or Audio CD recording or any other large public database. If
- the adversary has access to the same database, this "selection from a
-
-
-
-Eastlake, Crocker & Schiller [Page 9]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- large volume of data" step buys very little. However, if a selection
- can be made from data to which the adversary has no access, such as
- system buffers on an active multi-user system, it may be of some
- help.
-
-5. Hardware for Randomness
-
- Is there any hope for strong portable randomness in the future?
- There might be. All that's needed is a physical source of
- unpredictable numbers.
-
- A thermal noise or radioactive decay source and a fast, free-running
- oscillator would do the trick directly [GIFFORD]. This is a trivial
- amount of hardware, and could easily be included as a standard part
- of a computer system's architecture. Furthermore, any system with a
- spinning disk or the like has an adequate source of randomness
- [DAVIS]. All that's needed is the common perception among computer
- vendors that this small additional hardware and the software to
- access it is necessary and useful.
-
-5.1 Volume Required
-
- How much unpredictability is needed? Is it possible to quantify the
- requirement in, say, number of random bits per second?
-
- The answer is not very much is needed. For DES, the key is 56 bits
- and, as we show in an example in Section 8, even the highest security
- system is unlikely to require a keying material of over 200 bits. If
- a series of keys are needed, it can be generated from a strong random
- seed using a cryptographically strong sequence as explained in
- Section 6.3. A few hundred random bits generated once a day would be
- enough using such techniques. Even if the random bits are generated
- as slowly as one per second and it is not possible to overlap the
- generation process, it should be tolerable in high security
- applications to wait 200 seconds occasionally.
-
- These numbers are trivial to achieve. It could be done by a person
- repeatedly tossing a coin. Almost any hardware process is likely to
- be much faster.
-
-5.2 Sensitivity to Skew
-
- Is there any specific requirement on the shape of the distribution of
- the random numbers? The good news is the distribution need not be
- uniform. All that is needed is a conservative estimate of how non-
- uniform it is to bound performance. Two simple techniques to de-skew
- the bit stream are given below and stronger techniques are mentioned
- in Section 6.1.2 below.
-
-
-
-Eastlake, Crocker & Schiller [Page 10]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-5.2.1 Using Stream Parity to De-Skew
-
- Consider taking a sufficiently long string of bits and map the string
- to "zero" or "one". The mapping will not yield a perfectly uniform
- distribution, but it can be as close as desired. One mapping that
- serves the purpose is to take the parity of the string. This has the
- advantages that it is robust across all degrees of skew up to the
- estimated maximum skew and is absolutely trivial to implement in
- hardware.
-
- The following analysis gives the number of bits that must be sampled:
-
- Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is
- between 0 and 0.5 and is a measure of the "eccentricity" of the
- distribution. Consider the distribution of the parity function of N
- bit samples. The probabilities that the parity will be one or zero
- will be the sum of the odd or even terms in the binomial expansion of
- (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 -
- e, the probability of a zero.
-
- These sums can be computed easily as
-
- N N
- 1/2 * ( ( p + q ) + ( p - q ) )
- and
- N N
- 1/2 * ( ( p + q ) - ( p - q ) ).
-
- (Which one corresponds to the probability the parity will be 1
- depends on whether N is odd or even.)
-
- Since p + q = 1 and p - q = 2e, these expressions reduce to
-
- N
- 1/2 * [1 + (2e) ]
- and
- N
- 1/2 * [1 - (2e) ].
-
- Neither of these will ever be exactly 0.5 unless e is zero, but we
- can bring them arbitrarily close to 0.5. If we want the
- probabilities to be within some delta d of 0.5, i.e. then
-
- N
- ( 0.5 + ( 0.5 * (2e) ) ) < 0.5 + d.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 11]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Solving for N yields N > log(2d)/log(2e). (Note that 2e is less than
- 1, so its log is negative. Division by a negative number reverses
- the sense of an inequality.)
-
- The following table gives the length of the string which must be
- sampled for various degrees of skew in order to come within 0.001 of
- a 50/50 distribution.
-
- +---------+--------+-------+
- | Prob(1) | e | N |
- +---------+--------+-------+
- | 0.5 | 0.00 | 1 |
- | 0.6 | 0.10 | 4 |
- | 0.7 | 0.20 | 7 |
- | 0.8 | 0.30 | 13 |
- | 0.9 | 0.40 | 28 |
- | 0.95 | 0.45 | 59 |
- | 0.99 | 0.49 | 308 |
- +---------+--------+-------+
-
- The last entry shows that even if the distribution is skewed 99% in
- favor of ones, the parity of a string of 308 samples will be within
- 0.001 of a 50/50 distribution.
-
-5.2.2 Using Transition Mappings to De-Skew
-
- Another technique, originally due to von Neumann [VON NEUMANN], is to
- examine a bit stream as a sequence of non-overlapping pairs. You
- could then discard any 00 or 11 pairs found, interpret 01 as a 0 and
- 10 as a 1. Assume the probability of a 1 is 0.5+e and the
- probability of a 0 is 0.5-e where e is the eccentricity of the source
- and described in the previous section. Then the probability of each
- pair is as follows:
-
- +------+-----------------------------------------+
- | pair | probability |
- +------+-----------------------------------------+
- | 00 | (0.5 - e)^2 = 0.25 - e + e^2 |
- | 01 | (0.5 - e)*(0.5 + e) = 0.25 - e^2 |
- | 10 | (0.5 + e)*(0.5 - e) = 0.25 - e^2 |
- | 11 | (0.5 + e)^2 = 0.25 + e + e^2 |
- +------+-----------------------------------------+
-
- This technique will completely eliminate any bias but at the expense
- of taking an indeterminate number of input bits for any particular
- desired number of output bits. The probability of any particular
- pair being discarded is 0.5 + 2e^2 so the expected number of input
- bits to produce X output bits is X/(0.25 - e^2).
-
-
-
-Eastlake, Crocker & Schiller [Page 12]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- This technique assumes that the bits are from a stream where each bit
- has the same probability of being a 0 or 1 as any other bit in the
- stream and that bits are not correlated, i.e., that the bits are
- identical independent distributions. If alternate bits were from two
- correlated sources, for example, the above analysis breaks down.
-
- The above technique also provides another illustration of how a
- simple statistical analysis can mislead if one is not always on the
- lookout for patterns that could be exploited by an adversary. If the
- algorithm were mis-read slightly so that overlapping successive bits
- pairs were used instead of non-overlapping pairs, the statistical
- analysis given is the same; however, instead of provided an unbiased
- uncorrelated series of random 1's and 0's, it instead produces a
- totally predictable sequence of exactly alternating 1's and 0's.
-
-5.2.3 Using FFT to De-Skew
-
- When real world data consists of strongly biased or correlated bits,
- it may still contain useful amounts of randomness. This randomness
- can be extracted through use of the discrete Fourier transform or its
- optimized variant, the FFT.
-
- Using the Fourier transform of the data, strong correlations can be
- discarded. If adequate data is processed and remaining correlations
- decay, spectral lines approaching statistical independence and
- normally distributed randomness can be produced [BRILLINGER].
-
-5.2.4 Using Compression to De-Skew
-
- Reversible compression techniques also provide a crude method of de-
- skewing a skewed bit stream. This follows directly from the
- definition of reversible compression and the formula in Section 2
- above for the amount of information in a sequence. Since the
- compression is reversible, the same amount of information must be
- present in the shorter output than was present in the longer input.
- By the Shannon information equation, this is only possible if, on
- average, the probabilities of the different shorter sequences are
- more uniformly distributed than were the probabilities of the longer
- sequences. Thus the shorter sequences are de-skewed relative to the
- input.
-
- However, many compression techniques add a somewhat predicatable
- preface to their output stream and may insert such a sequence again
- periodically in their output or otherwise introduce subtle patterns
- of their own. They should be considered only a rough technique
- compared with those described above or in Section 6.1.2. At a
- minimum, the beginning of the compressed sequence should be skipped
- and only later bits used for applications requiring random bits.
-
-
-
-Eastlake, Crocker & Schiller [Page 13]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-5.3 Existing Hardware Can Be Used For Randomness
-
- As described below, many computers come with hardware that can, with
- care, be used to generate truly random quantities.
-
-5.3.1 Using Existing Sound/Video Input
-
- Increasingly computers are being built with inputs that digitize some
- real world analog source, such as sound from a microphone or video
- input from a camera. Under appropriate circumstances, such input can
- provide reasonably high quality random bits. The "input" from a
- sound digitizer with no source plugged in or a camera with the lens
- cap on, if the system has enough gain to detect anything, is
- essentially thermal noise.
-
- For example, on a SPARCstation, one can read from the /dev/audio
- device with nothing plugged into the microphone jack. Such data is
- essentially random noise although it should not be trusted without
- some checking in case of hardware failure. It will, in any case,
- need to be de-skewed as described elsewhere.
-
- Combining this with compression to de-skew one can, in UNIXese,
- generate a huge amount of medium quality random data by doing
-
- cat /dev/audio | compress - >random-bits-file
-
-5.3.2 Using Existing Disk Drives
-
- Disk drives have small random fluctuations in their rotational speed
- due to chaotic air turbulence [DAVIS]. By adding low level disk seek
- time instrumentation to a system, a series of measurements can be
- obtained that include this randomness. Such data is usually highly
- correlated so that significant processing is needed, including FFT
- (see section 5.2.3). Nevertheless experimentation has shown that,
- with such processing, disk drives easily produce 100 bits a minute or
- more of excellent random data.
-
- Partly offsetting this need for processing is the fact that disk
- drive failure will normally be rapidly noticed. Thus, problems with
- this method of random number generation due to hardware failure are
- very unlikely.
-
-6. Recommended Non-Hardware Strategy
-
- What is the best overall strategy for meeting the requirement for
- unguessable random numbers in the absence of a reliable hardware
- source? It is to obtain random input from a large number of
- uncorrelated sources and to mix them with a strong mixing function.
-
-
-
-Eastlake, Crocker & Schiller [Page 14]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Such a function will preserve the randomness present in any of the
- sources even if other quantities being combined are fixed or easily
- guessable. This may be advisable even with a good hardware source as
- hardware can also fail, though this should be weighed against any
- increase in the chance of overall failure due to added software
- complexity.
-
-6.1 Mixing Functions
-
- A strong mixing function is one which combines two or more inputs and
- produces an output where each output bit is a different complex non-
- linear function of all the input bits. On average, changing any
- input bit will change about half the output bits. But because the
- relationship is complex and non-linear, no particular output bit is
- guaranteed to change when any particular input bit is changed.
-
- Consider the problem of converting a stream of bits that is skewed
- towards 0 or 1 to a shorter stream which is more random, as discussed
- in Section 5.2 above. This is simply another case where a strong
- mixing function is desired, mixing the input bits to produce a
- smaller number of output bits. The technique given in Section 5.2.1
- of using the parity of a number of bits is simply the result of
- successively Exclusive Or'ing them which is examined as a trivial
- mixing function immediately below. Use of stronger mixing functions
- to extract more of the randomness in a stream of skewed bits is
- examined in Section 6.1.2.
-
-6.1.1 A Trivial Mixing Function
-
- A trivial example for single bit inputs is the Exclusive Or function,
- which is equivalent to addition without carry, as show in the table
- below. This is a degenerate case in which the one output bit always
- changes for a change in either input bit. But, despite its
- simplicity, it will still provide a useful illustration.
-
- +-----------+-----------+----------+
- | input 1 | input 2 | output |
- +-----------+-----------+----------+
- | 0 | 0 | 0 |
- | 0 | 1 | 1 |
- | 1 | 0 | 1 |
- | 1 | 1 | 0 |
- +-----------+-----------+----------+
-
- If inputs 1 and 2 are uncorrelated and combined in this fashion then
- the output will be an even better (less skewed) random bit than the
- inputs. If we assume an "eccentricity" e as defined in Section 5.2
- above, then the output eccentricity relates to the input eccentricity
-
-
-
-Eastlake, Crocker & Schiller [Page 15]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- as follows:
-
- e = 2 * e * e
- output input 1 input 2
-
- Since e is never greater than 1/2, the eccentricity is always
- improved except in the case where at least one input is a totally
- skewed constant. This is illustrated in the following table where
- the top and left side values are the two input eccentricities and the
- entries are the output eccentricity:
-
- +--------+--------+--------+--------+--------+--------+--------+
- | e | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
- +--------+--------+--------+--------+--------+--------+--------+
- | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
- | 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 |
- | 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 |
- | 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 |
- | 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 |
- | 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
- +--------+--------+--------+--------+--------+--------+--------+
-
- However, keep in mind that the above calculations assume that the
- inputs are not correlated. If the inputs were, say, the parity of
- the number of minutes from midnight on two clocks accurate to a few
- seconds, then each might appear random if sampled at random intervals
- much longer than a minute. Yet if they were both sampled and
- combined with xor, the result would be zero most of the time.
-
-6.1.2 Stronger Mixing Functions
-
- The US Government Data Encryption Standard [DES] is an example of a
- strong mixing function for multiple bit quantities. It takes up to
- 120 bits of input (64 bits of "data" and 56 bits of "key") and
- produces 64 bits of output each of which is dependent on a complex
- non-linear function of all input bits. Other strong encryption
- functions with this characteristic can also be used by considering
- them to mix all of their key and data input bits.
-
- Another good family of mixing functions are the "message digest" or
- hashing functions such as The US Government Secure Hash Standard
- [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series. These functions
- all take an arbitrary amount of input and produce an output mixing
- all the input bits. The MD* series produce 128 bits of output and SHS
- produces 160 bits.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 16]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Although the message digest functions are designed for variable
- amounts of input, DES and other encryption functions can also be used
- to combine any number of inputs. If 64 bits of output is adequate,
- the inputs can be packed into a 64 bit data quantity and successive
- 56 bit keys, padding with zeros if needed, which are then used to
- successively encrypt using DES in Electronic Codebook Mode [DES
- MODES]. If more than 64 bits of output are needed, use more complex
- mixing. For example, if inputs are packed into three quantities, A,
- B, and C, use DES to encrypt A with B as a key and then with C as a
- key to produce the 1st part of the output, then encrypt B with C and
- then A for more output and, if necessary, encrypt C with A and then B
- for yet more output. Still more output can be produced by reversing
- the order of the keys given above to stretch things. The same can be
- done with the hash functions by hashing various subsets of the input
- data to produce multiple outputs. But keep in mind that it is
- impossible to get more bits of "randomness" out than are put in.
-
- An example of using a strong mixing function would be to reconsider
- the case of a string of 308 bits each of which is biased 99% towards
- zero. The parity technique given in Section 5.2.1 above reduced this
- to one bit with only a 1/1000 deviance from being equally likely a
- zero or one. But, applying the equation for information given in
- Section 2, this 308 bit sequence has 5 bits of information in it.
- Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the
- result would yield 5 unbiased random bits as opposed to the single
- bit given by calculating the parity of the string.
-
-6.1.3 Diffie-Hellman as a Mixing Function
-
- Diffie-Hellman exponential key exchange is a technique that yields a
- shared secret between two parties that can be made computationally
- infeasible for a third party to determine even if they can observe
- all the messages between the two communicating parties. This shared
- secret is a mixture of initial quantities generated by each of them
- [D-H]. If these initial quantities are random, then the shared
- secret contains the combined randomness of them both, assuming they
- are uncorrelated.
-
-6.1.4 Using a Mixing Function to Stretch Random Bits
-
- While it is not necessary for a mixing function to produce the same
- or fewer bits than its inputs, mixing bits cannot "stretch" the
- amount of random unpredictability present in the inputs. Thus four
- inputs of 32 bits each where there is 12 bits worth of
- unpredicatability (such as 4,096 equally probable values) in each
- input cannot produce more than 48 bits worth of unpredictable output.
- The output can be expanded to hundreds or thousands of bits by, for
- example, mixing with successive integers, but the clever adversary's
-
-
-
-Eastlake, Crocker & Schiller [Page 17]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- search space is still 2^48 possibilities. Furthermore, mixing to
- fewer bits than are input will tend to strengthen the randomness of
- the output the way using Exclusive Or to produce one bit from two did
- above.
-
- The last table in Section 6.1.1 shows that mixing a random bit with a
- constant bit with Exclusive Or will produce a random bit. While this
- is true, it does not provide a way to "stretch" one random bit into
- more than one. If, for example, a random bit is mixed with a 0 and
- then with a 1, this produces a two bit sequence but it will always be
- either 01 or 10. Since there are only two possible values, there is
- still only the one bit of original randomness.
-
-6.1.5 Other Factors in Choosing a Mixing Function
-
- For local use, DES has the advantages that it has been widely tested
- for flaws, is widely documented, and is widely implemented with
- hardware and software implementations available all over the world
- including source code available by anonymous FTP. The SHS and MD*
- family are younger algorithms which have been less tested but there
- is no particular reason to believe they are flawed. Both MD5 and SHS
- were derived from the earlier MD4 algorithm. They all have source
- code available by anonymous FTP [SHS, MD2, MD4, MD5].
-
- DES and SHS have been vouched for the the US National Security Agency
- (NSA) on the basis of criteria that primarily remain secret. While
- this is the cause of much speculation and doubt, investigation of DES
- over the years has indicated that NSA involvement in modifications to
- its design, which originated with IBM, was primarily to strengthen
- it. No concealed or special weakness has been found in DES. It is
- almost certain that the NSA modification to MD4 to produce the SHS
- similarly strengthened the algorithm, possibly against threats not
- yet known in the public cryptographic community.
-
- DES, SHS, MD4, and MD5 are royalty free for all purposes. MD2 has
- been freely licensed only for non-profit use in connection with
- Privacy Enhanced Mail [PEM]. Between the MD* algorithms, some people
- believe that, as with "Goldilocks and the Three Bears", MD2 is strong
- but too slow, MD4 is fast but too weak, and MD5 is just right.
-
- Another advantage of the MD* or similar hashing algorithms over
- encryption algorithms is that they are not subject to the same
- regulations imposed by the US Government prohibiting the unlicensed
- export or import of encryption/decryption software and hardware. The
- same should be true of DES rigged to produce an irreversible hash
- code but most DES packages are oriented to reversible encryption.
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 18]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-6.2 Non-Hardware Sources of Randomness
-
- The best source of input for mixing would be a hardware randomness
- such as disk drive timing affected by air turbulence, audio input
- with thermal noise, or radioactive decay. However, if that is not
- available there are other possibilities. These include system
- clocks, system or input/output buffers, user/system/hardware/network
- serial numbers and/or addresses and timing, and user input.
- Unfortunately, any of these sources can produce limited or
- predicatable values under some circumstances.
-
- Some of the sources listed above would be quite strong on multi-user
- systems where, in essence, each user of the system is a source of
- randomness. However, on a small single user system, such as a
- typical IBM PC or Apple Macintosh, it might be possible for an
- adversary to assemble a similar configuration. This could give the
- adversary inputs to the mixing process that were sufficiently
- correlated to those used originally as to make exhaustive search
- practical.
-
- The use of multiple random inputs with a strong mixing function is
- recommended and can overcome weakness in any particular input. For
- example, the timing and content of requested "random" user keystrokes
- can yield hundreds of random bits but conservative assumptions need
- to be made. For example, assuming a few bits of randomness if the
- inter-keystroke interval is unique in the sequence up to that point
- and a similar assumption if the key hit is unique but assuming that
- no bits of randomness are present in the initial key value or if the
- timing or key value duplicate previous values. The results of mixing
- these timings and characters typed could be further combined with
- clock values and other inputs.
-
- This strategy may make practical portable code to produce good random
- numbers for security even if some of the inputs are very weak on some
- of the target systems. However, it may still fail against a high
- grade attack on small single user systems, especially if the
- adversary has ever been able to observe the generation process in the
- past. A hardware based random source is still preferable.
-
-6.3 Cryptographically Strong Sequences
-
- In cases where a series of random quantities must be generated, an
- adversary may learn some values in the sequence. In general, they
- should not be able to predict other values from the ones that they
- know.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 19]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- The correct technique is to start with a strong random seed, take
- cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and
- do not reveal the complete state of the generator in the sequence
- elements. If each value in the sequence can be calculated in a fixed
- way from the previous value, then when any value is compromised, all
- future values can be determined. This would be the case, for
- example, if each value were a constant function of the previously
- used values, even if the function were a very strong, non-invertible
- message digest function.
-
- It should be noted that if your technique for generating a sequence
- of key values is fast enough, it can trivially be used as the basis
- for a confidentiality system. If two parties use the same sequence
- generating technique and start with the same seed material, they will
- generate identical sequences. These could, for example, be xor'ed at
- one end with data being send, encrypting it, and xor'ed with this
- data as received, decrypting it due to the reversible properties of
- the xor operation.
-
-6.3.1 Traditional Strong Sequences
-
- A traditional way to achieve a strong sequence has been to have the
- values be produced by hashing the quantities produced by
- concatenating the seed with successive integers or the like and then
- mask the values obtained so as to limit the amount of generator state
- available to the adversary.
-
- It may also be possible to use an "encryption" algorithm with a
- random key and seed value to encrypt and feedback some or all of the
- output encrypted value into the value to be encrypted for the next
- iteration. Appropriate feedback techniques will usually be
- recommended with the encryption algorithm. An example is shown below
- where shifting and masking are used to combine the cypher output
- feedback. This type of feedback is recommended by the US Government
- in connection with DES [DES MODES].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 20]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- +---------------+
- | V |
- | | n |
- +--+------------+
- | | +---------+
- | +---------> | | +-----+
- +--+ | Encrypt | <--- | Key |
- | +-------- | | +-----+
- | | +---------+
- V V
- +------------+--+
- | V | |
- | n+1 |
- +---------------+
-
- Note that if a shift of one is used, this is the same as the shift
- register technique described in Section 3 above but with the all
- important difference that the feedback is determined by a complex
- non-linear function of all bits rather than a simple linear or
- polynomial combination of output from a few bit position taps.
-
- It has been shown by Donald W. Davies that this sort of shifted
- partial output feedback significantly weakens an algorithm compared
- will feeding all of the output bits back as input. In particular,
- for DES, repeated encrypting a full 64 bit quantity will give an
- expected repeat in about 2^63 iterations. Feeding back anything less
- than 64 (and more than 0) bits will give an expected repeat in
- between 2**31 and 2**32 iterations!
-
- To predict values of a sequence from others when the sequence was
- generated by these techniques is equivalent to breaking the
- cryptosystem or inverting the "non-invertible" hashing involved with
- only partial information available. The less information revealed
- each iteration, the harder it will be for an adversary to predict the
- sequence. Thus it is best to use only one bit from each value. It
- has been shown that in some cases this makes it impossible to break a
- system even when the cryptographic system is invertible and can be
- broken if all of each generated value was revealed.
-
-6.3.2 The Blum Blum Shub Sequence Generator
-
- Currently the generator which has the strongest public proof of
- strength is called the Blum Blum Shub generator after its inventors
- [BBS]. It is also very simple and is based on quadratic residues.
- It's only disadvantage is that is is computationally intensive
- compared with the traditional techniques give in 6.3.1 above. This
- is not a serious draw back if it is used for moderately infrequent
- purposes, such as generating session keys.
-
-
-
-Eastlake, Crocker & Schiller [Page 21]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Simply choose two large prime numbers, say p and q, which both have
- the property that you get a remainder of 3 if you divide them by 4.
- Let n = p * q. Then you choose a random number x relatively prime to
- n. The initial seed for the generator and the method for calculating
- subsequent values are then
-
- 2
- s = ( x )(Mod n)
- 0
-
- 2
- s = ( s )(Mod n)
- i+1 i
-
- You must be careful to use only a few bits from the bottom of each s.
- It is always safe to use only the lowest order bit. If you use no
- more than the
-
- log ( log ( s ) )
- 2 2 i
-
- low order bits, then predicting any additional bits from a sequence
- generated in this manner is provable as hard as factoring n. As long
- as the initial x is secret, you can even make n public if you want.
-
- An intersting characteristic of this generator is that you can
- directly calculate any of the s values. In particular
-
- i
- ( ( 2 )(Mod (( p - 1 ) * ( q - 1 )) ) )
- s = ( s )(Mod n)
- i 0
-
- This means that in applications where many keys are generated in this
- fashion, it is not necessary to save them all. Each key can be
- effectively indexed and recovered from that small index and the
- initial s and n.
-
-7. Key Generation Standards
-
- Several public standards are now in place for the generation of keys.
- Two of these are described below. Both use DES but any equally
- strong or stronger mixing function could be substituted.
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 22]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-7.1 US DoD Recommendations for Password Generation
-
- The United States Department of Defense has specific recommendations
- for password generation [DoD]. They suggest using the US Data
- Encryption Standard [DES] in Output Feedback Mode [DES MODES] as
- follows:
-
- use an initialization vector determined from
- the system clock,
- system ID,
- user ID, and
- date and time;
- use a key determined from
- system interrupt registers,
- system status registers, and
- system counters; and,
- as plain text, use an external randomly generated 64 bit
- quantity such as 8 characters typed in by a system
- administrator.
-
- The password can then be calculated from the 64 bit "cipher text"
- generated in 64-bit Output Feedback Mode. As many bits as are needed
- can be taken from these 64 bits and expanded into a pronounceable
- word, phrase, or other format if a human being needs to remember the
- password.
-
-7.2 X9.17 Key Generation
-
- The American National Standards Institute has specified a method for
- generating a sequence of keys as follows:
-
- s is the initial 64 bit seed
- 0
-
- g is the sequence of generated 64 bit key quantities
- n
-
- k is a random key reserved for generating this key sequence
-
- t is the time at which a key is generated to as fine a resolution
- as is available (up to 64 bits).
-
- DES ( K, Q ) is the DES encryption of quantity Q with key K
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 23]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- g = DES ( k, DES ( k, t ) .xor. s )
- n n
-
- s = DES ( k, DES ( k, t ) .xor. g )
- n+1 n
-
- If g sub n is to be used as a DES key, then every eighth bit should
- be adjusted for parity for that use but the entire 64 bit unmodified
- g should be used in calculating the next s.
-
-8. Examples of Randomness Required
-
- Below are two examples showing rough calculations of needed
- randomness for security. The first is for moderate security
- passwords while the second assumes a need for a very high security
- cryptographic key.
-
-8.1 Password Generation
-
- Assume that user passwords change once a year and it is desired that
- the probability that an adversary could guess the password for a
- particular account be less than one in a thousand. Further assume
- that sending a password to the system is the only way to try a
- password. Then the crucial question is how often an adversary can
- try possibilities. Assume that delays have been introduced into a
- system so that, at most, an adversary can make one password try every
- six seconds. That's 600 per hour or about 15,000 per day or about
- 5,000,000 tries in a year. Assuming any sort of monitoring, it is
- unlikely someone could actually try continuously for a year. In
- fact, even if log files are only checked monthly, 500,000 tries is
- more plausible before the attack is noticed and steps taken to change
- passwords and make it harder to try more passwords.
-
- To have a one in a thousand chance of guessing the password in
- 500,000 tries implies a universe of at least 500,000,000 passwords or
- about 2^29. Thus 29 bits of randomness are needed. This can probably
- be achieved using the US DoD recommended inputs for password
- generation as it has 8 inputs which probably average over 5 bits of
- randomness each (see section 7.1). Using a list of 1000 words, the
- password could be expressed as a three word phrase (1,000,000,000
- possibilities) or, using case insensitive letters and digits, six
- would suffice ((26+10)^6 = 2,176,782,336 possibilities).
-
- For a higher security password, the number of bits required goes up.
- To decrease the probability by 1,000 requires increasing the universe
- of passwords by the same factor which adds about 10 bits. Thus to
- have only a one in a million chance of a password being guessed under
- the above scenario would require 39 bits of randomness and a password
-
-
-
-Eastlake, Crocker & Schiller [Page 24]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- that was a four word phrase from a 1000 word list or eight
- letters/digits. To go to a one in 10^9 chance, 49 bits of randomness
- are needed implying a five word phrase or ten letter/digit password.
-
- In a real system, of course, there are also other factors. For
- example, the larger and harder to remember passwords are, the more
- likely users are to write them down resulting in an additional risk
- of compromise.
-
-8.2 A Very High Security Cryptographic Key
-
- Assume that a very high security key is needed for symmetric
- encryption / decryption between two parties. Assume an adversary can
- observe communications and knows the algorithm being used. Within
- the field of random possibilities, the adversary can try key values
- in hopes of finding the one in use. Assume further that brute force
- trial of keys is the best the adversary can do.
-
-8.2.1 Effort per Key Trial
-
- How much effort will it take to try each key? For very high security
- applications it is best to assume a low value of effort. Even if it
- would clearly take tens of thousands of computer cycles or more to
- try a single key, there may be some pattern that enables huge blocks
- of key values to be tested with much less effort per key. Thus it is
- probably best to assume no more than a couple hundred cycles per key.
- (There is no clear lower bound on this as computers operate in
- parallel on a number of bits and a poor encryption algorithm could
- allow many keys or even groups of keys to be tested in parallel.
- However, we need to assume some value and can hope that a reasonably
- strong algorithm has been chosen for our hypothetical high security
- task.)
-
- If the adversary can command a highly parallel processor or a large
- network of work stations, 2*10^10 cycles per second is probably a
- minimum assumption for availability today. Looking forward just a
- couple years, there should be at least an order of magnitude
- improvement. Thus assuming 10^9 keys could be checked per second or
- 3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is
- reasonable. This implies a need for a minimum of 51 bits of
- randomness in keys to be sure they cannot be found in a month. Even
- then it is possible that, a few years from now, a highly determined
- and resourceful adversary could break the key in 2 weeks (on average
- they need try only half the keys).
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 25]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-8.2.2 Meet in the Middle Attacks
-
- If chosen or known plain text and the resulting encrypted text are
- available, a "meet in the middle" attack is possible if the structure
- of the encryption algorithm allows it. (In a known plain text
- attack, the adversary knows all or part of the messages being
- encrypted, possibly some standard header or trailer fields. In a
- chosen plain text attack, the adversary can force some chosen plain
- text to be encrypted, possibly by "leaking" an exciting text that
- would then be sent by the adversary over an encrypted channel.)
-
- An oversimplified explanation of the meet in the middle attack is as
- follows: the adversary can half-encrypt the known or chosen plain
- text with all possible first half-keys, sort the output, then half-
- decrypt the encoded text with all the second half-keys. If a match
- is found, the full key can be assembled from the halves and used to
- decrypt other parts of the message or other messages. At its best,
- this type of attack can halve the exponent of the work required by
- the adversary while adding a large but roughly constant factor of
- effort. To be assured of safety against this, a doubling of the
- amount of randomness in the key to a minimum of 102 bits is required.
-
- The meet in the middle attack assumes that the cryptographic
- algorithm can be decomposed in this way but we can not rule that out
- without a deep knowledge of the algorithm. Even if a basic algorithm
- is not subject to a meet in the middle attack, an attempt to produce
- a stronger algorithm by applying the basic algorithm twice (or two
- different algorithms sequentially) with different keys may gain less
- added security than would be expected. Such a composite algorithm
- would be subject to a meet in the middle attack.
-
- Enormous resources may be required to mount a meet in the middle
- attack but they are probably within the range of the national
- security services of a major nation. Essentially all nations spy on
- other nations government traffic and several nations are believed to
- spy on commercial traffic for economic advantage.
-
-8.2.3 Other Considerations
-
- Since we have not even considered the possibilities of special
- purpose code breaking hardware or just how much of a safety margin we
- want beyond our assumptions above, probably a good minimum for a very
- high security cryptographic key is 128 bits of randomness which
- implies a minimum key length of 128 bits. If the two parties agree
- on a key by Diffie-Hellman exchange [D-H], then in principle only
- half of this randomness would have to be supplied by each party.
- However, there is probably some correlation between their random
- inputs so it is probably best to assume that each party needs to
-
-
-
-Eastlake, Crocker & Schiller [Page 26]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- provide at least 96 bits worth of randomness for very high security
- if Diffie-Hellman is used.
-
- This amount of randomness is beyond the limit of that in the inputs
- recommended by the US DoD for password generation and could require
- user typing timing, hardware random number generation, or other
- sources.
-
- It should be noted that key length calculations such at those above
- are controversial and depend on various assumptions about the
- cryptographic algorithms in use. In some cases, a professional with
- a deep knowledge of code breaking techniques and of the strength of
- the algorithm in use could be satisfied with less than half of the
- key size derived above.
-
-9. Conclusion
-
- Generation of unguessable "random" secret quantities for security use
- is an essential but difficult task.
-
- We have shown that hardware techniques to produce such randomness
- would be relatively simple. In particular, the volume and quality
- would not need to be high and existing computer hardware, such as
- disk drives, can be used. Computational techniques are available to
- process low quality random quantities from multiple sources or a
- larger quantity of such low quality input from one source and produce
- a smaller quantity of higher quality, less predictable key material.
- In the absence of hardware sources of randomness, a variety of user
- and software sources can frequently be used instead with care;
- however, most modern systems already have hardware, such as disk
- drives or audio input, that could be used to produce high quality
- randomness.
-
- Once a sufficient quantity of high quality seed key material (a few
- hundred bits) is available, strong computational techniques are
- available to produce cryptographically strong sequences of
- unpredicatable quantities from this seed material.
-
-10. Security Considerations
-
- The entirety of this document concerns techniques and recommendations
- for generating unguessable "random" quantities for use as passwords,
- cryptographic keys, and similar security uses.
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 27]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-References
-
- [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems,
- edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview
- Press, Inc.
-
- [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM
- Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub.
-
- [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day,
- 1981, David Brillinger.
-
- [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber
- Publishing Company.
-
- [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication,
- John Wiley & Sons, 1981, Alan G. Konheim.
-
- [CRYPTO2] - Cryptography: A New Dimension in Computer Data Security,
- A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H.
- Meyer & Stephen M. Matyas.
-
- [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source
- Code in C, John Wiley & Sons, 1994, Bruce Schneier.
-
- [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk
- Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture
- Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and
- Philip Fenstermacher.
-
- [DES] - Data Encryption Standard, United States of America,
- Department of Commerce, National Institute of Standards and
- Technology, Federal Information Processing Standard (FIPS) 46-1.
- - Data Encryption Algorithm, American National Standards Institute,
- ANSI X3.92-1981.
- (See also FIPS 112, Password Usage, which includes FORTRAN code for
- performing DES.)
-
- [DES MODES] - DES Modes of Operation, United States of America,
- Department of Commerce, National Institute of Standards and
- Technology, Federal Information Processing Standard (FIPS) 81.
- - Data Encryption Algorithm - Modes of Operation, American National
- Standards Institute, ANSI X3.106-1983.
-
- [D-H] - New Directions in Cryptography, IEEE Transactions on
- Information Technology, November, 1976, Whitfield Diffie and Martin
- E. Hellman.
-
-
-
-
-Eastlake, Crocker & Schiller [Page 28]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- [DoD] - Password Management Guideline, United States of America,
- Department of Defense, Computer Security Center, CSC-STD-002-85.
- (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85
- as one of its appendices.)
-
- [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988,
- David K. Gifford
-
- [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical
- Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing
- Company, Second Edition 1982, Donald E. Knuth.
-
- [KRAWCZYK] - How to Predict Congruential Generators, Journal of
- Algorithms, V. 13, N. 4, December 1992, H. Krawczyk
-
- [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B.
- Kaliski
- [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R.
- Rivest
- [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R.
- Rivest
-
- [PEM] - RFCs 1421 through 1424:
- - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part
- IV: Key Certification and Related Services, 02/10/1993, B. Kaliski
- - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part
- III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson
- - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part
- II: Certificate-Based Key Management, 02/10/1993, S. Kent
- - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I:
- Message Encryption and Authentication Procedures, 02/10/1993, J. Linn
-
- [SHANNON] - The Mathematical Theory of Communication, University of
- Illinois Press, 1963, Claude E. Shannon. (originally from: Bell
- System Technical Journal, July and October 1948)
-
- [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised
- Edition 1982, Solomon W. Golomb.
-
- [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher
- Systems, Aegean Park Press, 1984, Wayne G. Barker.
-
- [SHS] - Secure Hash Standard, United States of American, National
- Institute of Science and Technology, Federal Information Processing
- Standard (FIPS) 180, April 1993.
-
- [STERN] - Secret Linear Congruential Generators are not
- Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern.
-
-
-
-Eastlake, Crocker & Schiller [Page 29]
-
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- [VON NEUMANN] - Various techniques used in connection with random
- digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963,
- J. von Neumann.
-
-Authors' Addresses
-
- Donald E. Eastlake 3rd
- Digital Equipment Corporation
- 550 King Street, LKG2-1/BB3
- Littleton, MA 01460
-
- Phone: +1 508 486 6577(w) +1 508 287 4877(h)
- EMail: dee@lkg.dec.com
-
-
- Stephen D. Crocker
- CyberCash Inc.
- 2086 Hunters Crest Way
- Vienna, VA 22181
-
- Phone: +1 703-620-1222(w) +1 703-391-2651 (fax)
- EMail: crocker@cybercash.com
-
-
- Jeffrey I. Schiller
- Massachusetts Institute of Technology
- 77 Massachusetts Avenue
- Cambridge, MA 02139
-
- Phone: +1 617 253 0161(w)
- EMail: jis@mit.edu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 30]
-
diff --git a/contrib/bind9/doc/rfc/rfc1876.txt b/contrib/bind9/doc/rfc/rfc1876.txt
deleted file mode 100644
index a289cffece25..000000000000
--- a/contrib/bind9/doc/rfc/rfc1876.txt
+++ /dev/null
@@ -1,1011 +0,0 @@
-
-
-
-
-
-
-Network Working Group C. Davis
-Request for Comments: 1876 Kapor Enterprises
-Updates: 1034, 1035 P. Vixie
-Category: Experimental Vixie Enterprises
- T. Goodwin
- FORE Systems
- I. Dickinson
- University of Warwick
- January 1996
-
-
- A Means for Expressing Location Information in the Domain Name System
-
-Status of this Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. This memo does not specify an Internet standard of any
- kind. Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-1. Abstract
-
- This memo defines a new DNS RR type for experimental purposes. This
- RFC describes a mechanism to allow the DNS to carry location
- information about hosts, networks, and subnets. Such information for
- a small subset of hosts is currently contained in the flat-file UUCP
- maps. However, just as the DNS replaced the use of HOSTS.TXT to
- carry host and network address information, it is possible to replace
- the UUCP maps as carriers of location information.
-
- This RFC defines the format of a new Resource Record (RR) for the
- Domain Name System (DNS), and reserves a corresponding DNS type
- mnemonic (LOC) and numerical code (29).
-
- This RFC assumes that the reader is familiar with the DNS [RFC 1034,
- RFC 1035]. The data shown in our examples is for pedagogical use and
- does not necessarily reflect the real Internet.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Davis, et al Experimental [Page 1]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
-2. RDATA Format
-
- MSB LSB
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 0| VERSION | SIZE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 2| HORIZ PRE | VERT PRE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 4| LATITUDE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 6| LATITUDE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 8| LONGITUDE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 10| LONGITUDE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 12| ALTITUDE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 14| ALTITUDE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- (octet)
-
-where:
-
-VERSION Version number of the representation. This must be zero.
- Implementations are required to check this field and make
- no assumptions about the format of unrecognized versions.
-
-SIZE The diameter of a sphere enclosing the described entity, in
- centimeters, expressed as a pair of four-bit unsigned
- integers, each ranging from zero to nine, with the most
- significant four bits representing the base and the second
- number representing the power of ten by which to multiply
- the base. This allows sizes from 0e0 (<1cm) to 9e9
- (90,000km) to be expressed. This representation was chosen
- such that the hexadecimal representation can be read by
- eye; 0x15 = 1e5. Four-bit values greater than 9 are
- undefined, as are values with a base of zero and a non-zero
- exponent.
-
- Since 20000000m (represented by the value 0x29) is greater
- than the equatorial diameter of the WGS 84 ellipsoid
- (12756274m), it is therefore suitable for use as a
- "worldwide" size.
-
-HORIZ PRE The horizontal precision of the data, in centimeters,
- expressed using the same representation as SIZE. This is
- the diameter of the horizontal "circle of error", rather
-
-
-
-Davis, et al Experimental [Page 2]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- than a "plus or minus" value. (This was chosen to match
- the interpretation of SIZE; to get a "plus or minus" value,
- divide by 2.)
-
-VERT PRE The vertical precision of the data, in centimeters,
- expressed using the sane representation as for SIZE. This
- is the total potential vertical error, rather than a "plus
- or minus" value. (This was chosen to match the
- interpretation of SIZE; to get a "plus or minus" value,
- divide by 2.) Note that if altitude above or below sea
- level is used as an approximation for altitude relative to
- the [WGS 84] ellipsoid, the precision value should be
- adjusted.
-
-LATITUDE The latitude of the center of the sphere described by the
- SIZE field, expressed as a 32-bit integer, most significant
- octet first (network standard byte order), in thousandths
- of a second of arc. 2^31 represents the equator; numbers
- above that are north latitude.
-
-LONGITUDE The longitude of the center of the sphere described by the
- SIZE field, expressed as a 32-bit integer, most significant
- octet first (network standard byte order), in thousandths
- of a second of arc, rounded away from the prime meridian.
- 2^31 represents the prime meridian; numbers above that are
- east longitude.
-
-ALTITUDE The altitude of the center of the sphere described by the
- SIZE field, expressed as a 32-bit integer, most significant
- octet first (network standard byte order), in centimeters,
- from a base of 100,000m below the [WGS 84] reference
- spheroid used by GPS (semimajor axis a=6378137.0,
- reciprocal flattening rf=298.257223563). Altitude above
- (or below) sea level may be used as an approximation of
- altitude relative to the the [WGS 84] spheroid, though due
- to the Earth's surface not being a perfect spheroid, there
- will be differences. (For example, the geoid (which sea
- level approximates) for the continental US ranges from 10
- meters to 50 meters below the [WGS 84] spheroid.
- Adjustments to ALTITUDE and/or VERT PRE will be necessary
- in most cases. The Defense Mapping Agency publishes geoid
- height values relative to the [WGS 84] ellipsoid.
-
-
-
-
-
-
-
-
-
-Davis, et al Experimental [Page 3]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
-3. Master File Format
-
- The LOC record is expressed in a master file in the following format:
-
- <owner> <TTL> <class> LOC ( d1 [m1 [s1]] {"N"|"S"} d2 [m2 [s2]]
- {"E"|"W"} alt["m"] [siz["m"] [hp["m"]
- [vp["m"]]]] )
-
- (The parentheses are used for multi-line data as specified in [RFC
- 1035] section 5.1.)
-
- where:
-
- d1: [0 .. 90] (degrees latitude)
- d2: [0 .. 180] (degrees longitude)
- m1, m2: [0 .. 59] (minutes latitude/longitude)
- s1, s2: [0 .. 59.999] (seconds latitude/longitude)
- alt: [-100000.00 .. 42849672.95] BY .01 (altitude in meters)
- siz, hp, vp: [0 .. 90000000.00] (size/precision in meters)
-
- If omitted, minutes and seconds default to zero, size defaults to 1m,
- horizontal precision defaults to 10000m, and vertical precision
- defaults to 10m. These defaults are chosen to represent typical
- ZIP/postal code area sizes, since it is often easy to find
- approximate geographical location by ZIP/postal code.
-
-4. Example Data
-
-;;;
-;;; note that these data would not all appear in one zone file
-;;;
-
-;; network LOC RR derived from ZIP data. note use of precision defaults
-cambridge-net.kei.com. LOC 42 21 54 N 71 06 18 W -24m 30m
-
-;; higher-precision host LOC RR. note use of vertical precision default
-loiosh.kei.com. LOC 42 21 43.952 N 71 5 6.344 W
- -24m 1m 200m
-
-pipex.net. LOC 52 14 05 N 00 08 50 E 10m
-
-curtin.edu.au. LOC 32 7 19 S 116 2 25 E 10m
-
-rwy04L.logan-airport.boston. LOC 42 21 28.764 N 71 00 51.617 W
- -44m 2000m
-
-
-
-
-
-
-Davis, et al Experimental [Page 4]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
-5. Application use of the LOC RR
-
-5.1 Suggested Uses
-
- Some uses for the LOC RR have already been suggested, including the
- USENET backbone flow maps, a "visual traceroute" application showing
- the geographical path of an IP packet, and network management
- applications that could use LOC RRs to generate a map of hosts and
- routers being managed.
-
-5.2 Search Algorithms
-
- This section specifies how to use the DNS to translate domain names
- and/or IP addresses into location information.
-
- If an application wishes to have a "fallback" behavior, displaying a
- less precise or larger area when a host does not have an associated
- LOC RR, it MAY support use of the algorithm in section 5.2.3, as
- noted in sections 5.2.1 and 5.2.2. If fallback is desired, this
- behaviour is the RECOMMENDED default, but in some cases it may need
- to be modified based on the specific requirements of the application
- involved.
-
- This search algorithm is designed to allow network administrators to
- specify the location of a network or subnet without requiring LOC RR
- data for each individual host. For example, a computer lab with 24
- workstations, all of which are on the same subnet and in basically
- the same location, would only need a LOC RR for the subnet.
- (However, if the file server's location has been more precisely
- measured, a separate LOC RR for it can be placed in the DNS.)
-
-5.2.1 Searching by Name
-
- If the application is beginning with a name, rather than an IP
- address (as the USENET backbone flow maps do), it MUST check for a
- LOC RR associated with that name. (CNAME records should be followed
- as for any other RR type.)
-
- If there is no LOC RR for that name, all A records (if any)
- associated with the name MAY be checked for network (or subnet) LOC
- RRs using the "Searching by Network or Subnet" algorithm (5.2.3). If
- multiple A records exist and have associated network or subnet LOC
- RRs, the application may choose to use any, some, or all of the LOC
- RRs found, possibly in combination. It is suggested that multi-homed
- hosts have LOC RRs for their name in the DNS to avoid any ambiguity
- in these cases.
-
-
-
-
-
-Davis, et al Experimental [Page 5]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- Note that domain names that do not have associated A records must
- have a LOC RR associated with their name in order for location
- information to be accessible.
-
-5.2.2 Searching by Address
-
- If the application is beginning with an IP address (as a "visual
- traceroute" application might be) it MUST first map the address to a
- name using the IN-ADDR.ARPA namespace (see [RFC 1034], section
- 5.2.1), then check for a LOC RR associated with that name.
-
- If there is no LOC RR for the name, the address MAY be checked for
- network (or subnet) LOC RRs using the "Searching by Network or
- Subnet" algorithm (5.2.3).
-
-5.2.3 Searching by Network or Subnet
-
- Even if a host's name does not have any associated LOC RRs, the
- network(s) or subnet(s) it is on may. If the application wishes to
- search for such less specific data, the following algorithm SHOULD be
- followed to find a network or subnet LOC RR associated with the IP
- address. This algorithm is adapted slightly from that specified in
- [RFC 1101], sections 4.3 and 4.4.
-
- Since subnet LOC RRs are (if present) more specific than network LOC
- RRs, it is best to use them if available. In order to do so, we
- build a stack of network and subnet names found while performing the
- [RFC 1101] search, then work our way down the stack until a LOC RR is
- found.
-
- 1. create a host-zero address using the network portion of the IP
- address (one, two, or three bytes for class A, B, or C networks,
- respectively). For example, for the host 128.9.2.17, on the class
- B network 128.9, this would result in the address "128.9.0.0".
-
- 2. Reverse the octets, suffix IN-ADDR.ARPA, and query for PTR and A
- records. Retrieve:
-
- 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu.
- A 255.255.255.0
-
- Push the name "isi-net.isi.edu" onto the stack of names to be
- searched for LOC RRs later.
-
-
-
-
-
-
-
-
-Davis, et al Experimental [Page 6]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- 3. Since an A RR was found, repeat using mask from RR
- (255.255.255.0), constructing a query for 0.2.9.128.IN-ADDR.ARPA.
- Retrieve:
-
- 0.2.9.128.IN-ADDR.ARPA. PTR div2-subnet.isi.edu.
- A 255.255.255.240
-
- Push the name "div2-subnet.isi.edu" onto the stack of names to be
- searched for LOC RRs later.
-
- 4. Since another A RR was found, repeat using mask 255.255.255.240
- (x'FFFFFFF0'), constructing a query for 16.2.9.128.IN-ADDR.ARPA.
- Retrieve:
-
- 16.2.9.128.IN-ADDR.ARPA. PTR inc-subsubnet.isi.edu.
-
- Push the name "inc-subsubnet.isi.edu" onto the stack of names to
- be searched for LOC RRs later.
-
- 5. Since no A RR is present at 16.2.9.128.IN-ADDR.ARPA., there are no
- more subnet levels to search. We now pop the top name from the
- stack and check for an associated LOC RR. Repeat until a LOC RR
- is found.
-
- In this case, assume that inc-subsubnet.isi.edu does not have an
- associated LOC RR, but that div2-subnet.isi.edu does. We will
- then use div2-subnet.isi.edu's LOC RR as an approximation of this
- host's location. (Note that even if isi-net.isi.edu has a LOC RR,
- it will not be used if a subnet also has a LOC RR.)
-
-5.3 Applicability to non-IN Classes and non-IP Addresses
-
- The LOC record is defined for all RR classes, and may be used with
- non-IN classes such as HS and CH. The semantics of such use are not
- defined by this memo.
-
- The search algorithm in section 5.2.3 may be adapted to other
- addressing schemes by extending [RFC 1101]'s encoding of network
- names to cover those schemes. Such extensions are not defined by
- this memo.
-
-
-
-
-
-
-
-
-
-
-
-Davis, et al Experimental [Page 7]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
-6. References
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, USC/Information Sciences Institute,
- November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
- [RFC 1101] Mockapetris, P., "DNS Encoding of Network Names and Other
- Types", RFC 1101, USC/Information Sciences Institute,
- April 1989.
-
- [WGS 84] United States Department of Defense; DoD WGS-1984 - Its
- Definition and Relationships with Local Geodetic Systems;
- Washington, D.C.; 1985; Report AD-A188 815 DMA; 6127; 7-R-
- 138-R; CV, KV;
-
-7. Security Considerations
-
- High-precision LOC RR information could be used to plan a penetration
- of physical security, leading to potential denial-of-machine attacks.
- To avoid any appearance of suggesting this method to potential
- attackers, we declined the opportunity to name this RR "ICBM".
-
-8. Authors' Addresses
-
- The authors as a group can be reached as <loc@pipex.net>.
-
- Christopher Davis
- Kapor Enterprises, Inc.
- 238 Main Street, Suite 400
- Cambridge, MA 02142
-
- Phone: +1 617 576 4532
- EMail: ckd@kei.com
-
-
- Paul Vixie
- Vixie Enterprises
- Star Route Box 159A
- Woodside, CA 94062
-
- Phone: +1 415 747 0204
- EMail: paul@vix.com
-
-
-
-
-
-Davis, et al Experimental [Page 8]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- Tim Goodwin
- Public IP Exchange Ltd (PIPEX)
- 216 The Science Park
- Cambridge CB4 4WA
- UK
-
- Phone: +44 1223 250250
- EMail: tim@pipex.net
-
-
- Ian Dickinson
- FORE Systems
- 2475 The Crescent
- Solihull Parkway
- Birmingham Business Park
- B37 7YE
- UK
-
- Phone: +44 121 717 4444
- EMail: idickins@fore.co.uk
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Davis, et al Experimental [Page 9]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
-Appendix A: Sample Conversion Routines
-
-/*
- * routines to convert between on-the-wire RR format and zone file
- * format. Does not contain conversion to/from decimal degrees;
- * divide or multiply by 60*60*1000 for that.
- */
-
-static unsigned int poweroften[10] = {1, 10, 100, 1000, 10000, 100000,
- 1000000,10000000,100000000,1000000000};
-
-/* takes an XeY precision/size value, returns a string representation.*/
-static const char *
-precsize_ntoa(prec)
- u_int8_t prec;
-{
- static char retbuf[sizeof("90000000.00")];
- unsigned long val;
- int mantissa, exponent;
-
- mantissa = (int)((prec >> 4) & 0x0f) % 10;
- exponent = (int)((prec >> 0) & 0x0f) % 10;
-
- val = mantissa * poweroften[exponent];
-
- (void) sprintf(retbuf,"%d.%.2d", val/100, val%100);
- return (retbuf);
-}
-
-/* converts ascii size/precision X * 10**Y(cm) to 0xXY. moves pointer.*/
-static u_int8_t
-precsize_aton(strptr)
- char **strptr;
-{
- unsigned int mval = 0, cmval = 0;
- u_int8_t retval = 0;
- register char *cp;
- register int exponent;
- register int mantissa;
-
- cp = *strptr;
-
- while (isdigit(*cp))
- mval = mval * 10 + (*cp++ - '0');
-
- if (*cp == '.') { /* centimeters */
- cp++;
- if (isdigit(*cp)) {
-
-
-
-Davis, et al Experimental [Page 10]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- cmval = (*cp++ - '0') * 10;
- if (isdigit(*cp)) {
- cmval += (*cp++ - '0');
- }
- }
- }
- cmval = (mval * 100) + cmval;
-
- for (exponent = 0; exponent < 9; exponent++)
- if (cmval < poweroften[exponent+1])
- break;
-
- mantissa = cmval / poweroften[exponent];
- if (mantissa > 9)
- mantissa = 9;
-
- retval = (mantissa << 4) | exponent;
-
- *strptr = cp;
-
- return (retval);
-}
-
-/* converts ascii lat/lon to unsigned encoded 32-bit number.
- * moves pointer. */
-static u_int32_t
-latlon2ul(latlonstrptr,which)
- char **latlonstrptr;
- int *which;
-{
- register char *cp;
- u_int32_t retval;
- int deg = 0, min = 0, secs = 0, secsfrac = 0;
-
- cp = *latlonstrptr;
-
- while (isdigit(*cp))
- deg = deg * 10 + (*cp++ - '0');
-
- while (isspace(*cp))
- cp++;
-
- if (!(isdigit(*cp)))
- goto fndhemi;
-
- while (isdigit(*cp))
- min = min * 10 + (*cp++ - '0');
-
-
-
-
-Davis, et al Experimental [Page 11]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- while (isspace(*cp))
- cp++;
-
- if (!(isdigit(*cp)))
- goto fndhemi;
-
- while (isdigit(*cp))
- secs = secs * 10 + (*cp++ - '0');
-
- if (*cp == '.') { /* decimal seconds */
- cp++;
- if (isdigit(*cp)) {
- secsfrac = (*cp++ - '0') * 100;
- if (isdigit(*cp)) {
- secsfrac += (*cp++ - '0') * 10;
- if (isdigit(*cp)) {
- secsfrac += (*cp++ - '0');
- }
- }
- }
- }
-
- while (!isspace(*cp)) /* if any trailing garbage */
- cp++;
-
- while (isspace(*cp))
- cp++;
-
- fndhemi:
- switch (*cp) {
- case 'N': case 'n':
- case 'E': case 'e':
- retval = ((unsigned)1<<31)
- + (((((deg * 60) + min) * 60) + secs) * 1000)
- + secsfrac;
- break;
- case 'S': case 's':
- case 'W': case 'w':
- retval = ((unsigned)1<<31)
- - (((((deg * 60) + min) * 60) + secs) * 1000)
- - secsfrac;
- break;
- default:
- retval = 0; /* invalid value -- indicates error */
- break;
- }
-
- switch (*cp) {
-
-
-
-Davis, et al Experimental [Page 12]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- case 'N': case 'n':
- case 'S': case 's':
- *which = 1; /* latitude */
- break;
- case 'E': case 'e':
- case 'W': case 'w':
- *which = 2; /* longitude */
- break;
- default:
- *which = 0; /* error */
- break;
- }
-
- cp++; /* skip the hemisphere */
-
- while (!isspace(*cp)) /* if any trailing garbage */
- cp++;
-
- while (isspace(*cp)) /* move to next field */
- cp++;
-
- *latlonstrptr = cp;
-
- return (retval);
-}
-
-/* converts a zone file representation in a string to an RDATA
- * on-the-wire representation. */
-u_int32_t
-loc_aton(ascii, binary)
- const char *ascii;
- u_char *binary;
-{
- const char *cp, *maxcp;
- u_char *bcp;
-
- u_int32_t latit = 0, longit = 0, alt = 0;
- u_int32_t lltemp1 = 0, lltemp2 = 0;
- int altmeters = 0, altfrac = 0, altsign = 1;
- u_int8_t hp = 0x16; /* default = 1e6 cm = 10000.00m = 10km */
- u_int8_t vp = 0x13; /* default = 1e3 cm = 10.00m */
- u_int8_t siz = 0x12; /* default = 1e2 cm = 1.00m */
- int which1 = 0, which2 = 0;
-
- cp = ascii;
- maxcp = cp + strlen(ascii);
-
- lltemp1 = latlon2ul(&cp, &which1);
-
-
-
-Davis, et al Experimental [Page 13]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- lltemp2 = latlon2ul(&cp, &which2);
-
- switch (which1 + which2) {
- case 3: /* 1 + 2, the only valid combination */
- if ((which1 == 1) && (which2 == 2)) { /* normal case */
- latit = lltemp1;
- longit = lltemp2;
- } else if ((which1 == 2) && (which2 == 1)) {/*reversed*/
- longit = lltemp1;
- latit = lltemp2;
- } else { /* some kind of brokenness */
- return 0;
- }
- break;
- default: /* we didn't get one of each */
- return 0;
- }
-
- /* altitude */
- if (*cp == '-') {
- altsign = -1;
- cp++;
- }
-
- if (*cp == '+')
- cp++;
-
- while (isdigit(*cp))
- altmeters = altmeters * 10 + (*cp++ - '0');
-
- if (*cp == '.') { /* decimal meters */
- cp++;
- if (isdigit(*cp)) {
- altfrac = (*cp++ - '0') * 10;
- if (isdigit(*cp)) {
- altfrac += (*cp++ - '0');
- }
- }
- }
-
- alt = (10000000 + (altsign * (altmeters * 100 + altfrac)));
-
- while (!isspace(*cp) && (cp < maxcp))
- /* if trailing garbage or m */
- cp++;
-
- while (isspace(*cp) && (cp < maxcp))
- cp++;
-
-
-
-Davis, et al Experimental [Page 14]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- if (cp >= maxcp)
- goto defaults;
-
- siz = precsize_aton(&cp);
-
- while (!isspace(*cp) && (cp < maxcp))/*if trailing garbage or m*/
- cp++;
-
- while (isspace(*cp) && (cp < maxcp))
- cp++;
-
- if (cp >= maxcp)
- goto defaults;
-
- hp = precsize_aton(&cp);
-
- while (!isspace(*cp) && (cp < maxcp))/*if trailing garbage or m*/
- cp++;
-
- while (isspace(*cp) && (cp < maxcp))
- cp++;
-
- if (cp >= maxcp)
- goto defaults;
-
- vp = precsize_aton(&cp);
-
- defaults:
-
- bcp = binary;
- *bcp++ = (u_int8_t) 0; /* version byte */
- *bcp++ = siz;
- *bcp++ = hp;
- *bcp++ = vp;
- PUTLONG(latit,bcp);
- PUTLONG(longit,bcp);
- PUTLONG(alt,bcp);
-
- return (16); /* size of RR in octets */
-}
-
-/* takes an on-the-wire LOC RR and prints it in zone file
- * (human readable) format. */
-char *
-loc_ntoa(binary,ascii)
- const u_char *binary;
- char *ascii;
-{
-
-
-
-Davis, et al Experimental [Page 15]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- static char tmpbuf[255*3];
-
- register char *cp;
- register const u_char *rcp;
-
- int latdeg, latmin, latsec, latsecfrac;
- int longdeg, longmin, longsec, longsecfrac;
- char northsouth, eastwest;
- int altmeters, altfrac, altsign;
-
- const int referencealt = 100000 * 100;
-
- int32_t latval, longval, altval;
- u_int32_t templ;
- u_int8_t sizeval, hpval, vpval, versionval;
-
- char *sizestr, *hpstr, *vpstr;
-
- rcp = binary;
- if (ascii)
- cp = ascii;
- else {
- cp = tmpbuf;
- }
-
- versionval = *rcp++;
-
- if (versionval) {
- sprintf(cp,"; error: unknown LOC RR version");
- return (cp);
- }
-
- sizeval = *rcp++;
-
- hpval = *rcp++;
- vpval = *rcp++;
-
- GETLONG(templ,rcp);
- latval = (templ - ((unsigned)1<<31));
-
- GETLONG(templ,rcp);
- longval = (templ - ((unsigned)1<<31));
-
- GETLONG(templ,rcp);
- if (templ < referencealt) { /* below WGS 84 spheroid */
- altval = referencealt - templ;
- altsign = -1;
- } else {
-
-
-
-Davis, et al Experimental [Page 16]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- altval = templ - referencealt;
- altsign = 1;
- }
-
- if (latval < 0) {
- northsouth = 'S';
- latval = -latval;
- }
- else
- northsouth = 'N';
-
- latsecfrac = latval % 1000;
- latval = latval / 1000;
- latsec = latval % 60;
- latval = latval / 60;
- latmin = latval % 60;
- latval = latval / 60;
- latdeg = latval;
-
- if (longval < 0) {
- eastwest = 'W';
- longval = -longval;
- }
- else
- eastwest = 'E';
-
- longsecfrac = longval % 1000;
- longval = longval / 1000;
- longsec = longval % 60;
- longval = longval / 60;
- longmin = longval % 60;
- longval = longval / 60;
- longdeg = longval;
-
- altfrac = altval % 100;
- altmeters = (altval / 100) * altsign;
-
- sizestr = savestr(precsize_ntoa(sizeval));
- hpstr = savestr(precsize_ntoa(hpval));
- vpstr = savestr(precsize_ntoa(vpval));
-
- sprintf(cp,
- "%d %.2d %.2d.%.3d %c %d %.2d %.2d.%.3d %c %d.%.2dm
- %sm %sm %sm",
- latdeg, latmin, latsec, latsecfrac, northsouth,
- longdeg, longmin, longsec, longsecfrac, eastwest,
- altmeters, altfrac, sizestr, hpstr, vpstr);
-
-
-
-
-Davis, et al Experimental [Page 17]
-
-RFC 1876 Location Information in the DNS January 1996
-
-
- free(sizestr);
- free(hpstr);
- free(vpstr);
-
- return (cp);
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Davis, et al Experimental [Page 18]
-
diff --git a/contrib/bind9/doc/rfc/rfc1886.txt b/contrib/bind9/doc/rfc/rfc1886.txt
deleted file mode 100644
index 9874fddb17a5..000000000000
--- a/contrib/bind9/doc/rfc/rfc1886.txt
+++ /dev/null
@@ -1,268 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Thomson
-Request for Comments: 1886 Bellcore
-Category: Standards Track C. Huitema
- INRIA
- December 1995
-
-
- DNS Extensions to support IP version 6
-
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-
-Abstract
-
- This document defines the changes that need to be made to the Domain
- Name System to support hosts running IP version 6 (IPv6). The
- changes include a new resource record type to store an IPv6 address,
- a new domain to support lookups based on an IPv6 address, and updated
- definitions of existing query types that return Internet addresses as
- part of additional section processing. The extensions are designed
- to be compatible with existing applications and, in particular, DNS
- implementations themselves.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Thompson & Huitema Standards Track [Page 1]
-
-RFC 1886 IPv6 DNS Extensions December 1995
-
-
-1. INTRODUCTION
-
- Current support for the storage of Internet addresses in the Domain
- Name System (DNS)[1,2] cannot easily be extended to support IPv6
- addresses[3] since applications assume that address queries return
- 32-bit IPv4 addresses only.
-
- To support the storage of IPv6 addresses we define the following
- extensions:
-
- o A new resource record type is defined to map a domain name to an
- IPv6 address.
-
- o A new domain is defined to support lookups based on address.
-
- o Existing queries that perform additional section processing to
- locate IPv4 addresses are redefined to perform additional
- section processing on both IPv4 and IPv6 addresses.
-
- The changes are designed to be compatible with existing software. The
- existing support for IPv4 addresses is retained. Transition issues
- related to the co-existence of both IPv4 and IPv6 addresses in DNS
- are discussed in [4].
-
-
-2. NEW RESOURCE RECORD DEFINITION AND DOMAIN
-
- A new record type is defined to store a host's IPv6 address. A host
- that has more than one IPv6 address must have more than one such
- record.
-
-
-2.1 AAAA record type
-
- The AAAA resource record type is a new record specific to the
- Internet class that stores a single IPv6 address.
-
- The value of the type is 28 (decimal).
-
-
-2.2 AAAA data format
-
- A 128 bit IPv6 address is encoded in the data portion of an AAAA
- resource record in network byte order (high-order byte first).
-
-
-
-
-Thompson & Huitema Standards Track [Page 2]
-
-RFC 1886 IPv6 DNS Extensions December 1995
-
-
-2.3 AAAA query
-
- An AAAA query for a specified domain name in the Internet class
- returns all associated AAAA resource records in the answer section of
- a response.
-
- A type AAAA query does not perform additional section processing.
-
-
-2.4 Textual format of AAAA records
-
- The textual representation of the data portion of the AAAA resource
- record used in a master database file is the textual representation
- of a IPv6 address as defined in [3].
-
-
-2.5 IP6.INT Domain
-
- A special domain is defined to look up a record given an address. The
- intent of this domain is to provide a way of mapping an IPv6 address
- to a host name, although it may be used for other purposes as well.
- The domain is rooted at IP6.INT.
-
- An IPv6 address is represented as a name in the IP6.INT domain by a
- sequence of nibbles separated by dots with the suffix ".IP6.INT". The
- sequence of nibbles is encoded in reverse order, i.e. the low-order
- nibble is encoded first, followed by the next low-order nibble and so
- on. Each nibble is represented by a hexadecimal digit. For example,
- the inverse lookup domain name corresponding to the address
-
- 4321:0:1:2:3:4:567:89ab
-
- would be
-
-b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.INT.
-
-
-
-3. MODIFICATIONS TO EXISTING QUERY TYPES
-
- All existing query types that perform type A additional section
- processing, i.e. name server (NS), mail exchange (MX) and mailbox
- (MB) query types, must be redefined to perform both type A and type
- AAAA additional section processing. These new definitions mean that a
- name server must add any relevant IPv4 addresses and any relevant
-
-
-
-Thompson & Huitema Standards Track [Page 3]
-
-RFC 1886 IPv6 DNS Extensions December 1995
-
-
- IPv6 addresses available locally to the additional section of a
- response when processing any one of the above queries.
-
-
-4. SECURITY CONSIDERATIONS
-
- Security issues are not discussed in this memo.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Thompson & Huitema Standards Track [Page 4]
-
-RFC 1886 IPv6 DNS Extensions December 1995
-
-
-5. REFERENCES
-
-
- [1] Mockapetris, P., "Domain Names - Concepts and Facilities", STD
- 13, RFC 1034, USC/Information Sciences Institute, November 1987.
-
- [2] Mockapetris, P., "Domain Names - Implementation and Specifica-
- tion", STD 13, RFC 1035, USC/Information Sciences Institute,
- November 1987.
-
- [3] Hinden, R., and S. Deering, Editors, "IP Version 6 Addressing
- Architecture", RFC 1884, Ipsilon Networks, Xerox PARC, December
- 1995.
-
-
- [4] Gilligan, R., and E. Nordmark, "Transition Mechanisms for IPv6
- Hosts and Routers", Work in Progress.
-
-
-Authors' Addresses
-
- Susan Thomson
- Bellcore
- MRE 2P343
- 445 South Street
- Morristown, NJ 07960
- U.S.A.
-
- Phone: +1 201-829-4514
- EMail: set@thumper.bellcore.com
-
-
- Christian Huitema
- INRIA, Sophia-Antipolis
- 2004 Route des Lucioles
- BP 109
- F-06561 Valbonne Cedex
- France
-
- Phone: +33 93 65 77 15
- EMail: Christian.Huitema@MIRSA.INRIA.FR
-
-
-
-
-
-
-
-Thompson & Huitema Standards Track [Page 5]
-
diff --git a/contrib/bind9/doc/rfc/rfc1982.txt b/contrib/bind9/doc/rfc/rfc1982.txt
deleted file mode 100644
index 5a34bc42ab72..000000000000
--- a/contrib/bind9/doc/rfc/rfc1982.txt
+++ /dev/null
@@ -1,394 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Elz
-Request for Comments: 1982 University of Melbourne
-Updates: 1034, 1035 R. Bush
-Category: Standards Track RGnet, Inc.
- August 1996
-
-
- Serial Number Arithmetic
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- This memo defines serial number arithmetic, as used in the Domain
- Name System. The DNS has long relied upon serial number arithmetic,
- a concept which has never really been defined, certainly not in an
- IETF document, though which has been widely understood. This memo
- supplies the missing definition. It is intended to update RFC1034
- and RFC1035.
-
-1. Introduction
-
- The serial number field of the SOA resource record is defined in
- RFC1035 as
-
- SERIAL The unsigned 32 bit version number of the original copy of
- the zone. Zone transfers preserve this value. This value
- wraps and should be compared using sequence space
- arithmetic.
-
- RFC1034 uses the same terminology when defining secondary server zone
- consistency procedures.
-
- Unfortunately the term "sequence space arithmetic" is not defined in
- either RFC1034 or RFC1035, nor do any of their references provide
- further information.
-
- This phrase seems to have been intending to specify arithmetic as
- used in TCP sequence numbers [RFC793], and defined in [IEN-74].
-
- Unfortunately, the arithmetic defined in [IEN-74] is not adequate for
- the purposes of the DNS, as no general comparison operator is
-
-
-
-Elz & Bush Standards Track [Page 1]
-
-RFC 1982 Serial Number Arithmetic August 1996
-
-
- defined.
-
- To avoid further problems with this simple field, this document
- defines the field and the operations available upon it. This
- definition is intended merely to clarify the intent of RFC1034 and
- RFC1035, and is believed to generally agree with current
- implementations. However, older, superseded, implementations are
- known to have treated the serial number as a simple unsigned integer,
- with no attempt to implement any kind of "sequence space arithmetic",
- however that may have been interpreted, and further, ignoring the
- requirement that the value wraps. Nothing can be done with these
- implementations, beyond extermination.
-
-2. Serial Number Arithmetic
-
- Serial numbers are formed from non-negative integers from a finite
- subset of the range of all integer values. The lowest integer in
- every subset used for this purpose is zero, the maximum is always one
- less than a power of two.
-
- When considered as serial numbers however no value has any particular
- significance, there is no minimum or maximum serial number, every
- value has a successor and predecessor.
-
- To define a serial number to be used in this way, the size of the
- serial number space must be given. This value, called "SERIAL_BITS",
- gives the power of two which results in one larger than the largest
- integer corresponding to a serial number value. This also specifies
- the number of bits required to hold every possible value of a serial
- number of the defined type. The operations permitted upon serial
- numbers are defined in the following section.
-
-3. Operations upon the serial number
-
- Only two operations are defined upon serial numbers, addition of a
- positive integer of limited range, and comparison with another serial
- number.
-
-3.1. Addition
-
- Serial numbers may be incremented by the addition of a positive
- integer n, where n is taken from the range of integers
- [0 .. (2^(SERIAL_BITS - 1) - 1)]. For a sequence number s, the
- result of such an addition, s', is defined as
-
- s' = (s + n) modulo (2 ^ SERIAL_BITS)
-
-
-
-
-
-Elz & Bush Standards Track [Page 2]
-
-RFC 1982 Serial Number Arithmetic August 1996
-
-
- where the addition and modulus operations here act upon values that
- are non-negative values of unbounded size in the usual ways of
- integer arithmetic.
-
- Addition of a value outside the range
- [0 .. (2^(SERIAL_BITS - 1) - 1)] is undefined.
-
-3.2. Comparison
-
- Any two serial numbers, s1 and s2, may be compared. The definition
- of the result of this comparison is as follows.
-
- For the purposes of this definition, consider two integers, i1 and
- i2, from the unbounded set of non-negative integers, such that i1 and
- s1 have the same numeric value, as do i2 and s2. Arithmetic and
- comparisons applied to i1 and i2 use ordinary unbounded integer
- arithmetic.
-
- Then, s1 is said to be equal to s2 if and only if i1 is equal to i2,
- in all other cases, s1 is not equal to s2.
-
- s1 is said to be less than s2 if, and only if, s1 is not equal to s2,
- and
-
- (i1 < i2 and i2 - i1 < 2^(SERIAL_BITS - 1)) or
- (i1 > i2 and i1 - i2 > 2^(SERIAL_BITS - 1))
-
- s1 is said to be greater than s2 if, and only if, s1 is not equal to
- s2, and
-
- (i1 < i2 and i2 - i1 > 2^(SERIAL_BITS - 1)) or
- (i1 > i2 and i1 - i2 < 2^(SERIAL_BITS - 1))
-
- Note that there are some pairs of values s1 and s2 for which s1 is
- not equal to s2, but for which s1 is neither greater than, nor less
- than, s2. An attempt to use these ordering operators on such pairs
- of values produces an undefined result.
-
- The reason for this is that those pairs of values are such that any
- simple definition that were to define s1 to be less than s2 where
- (s1, s2) is such a pair, would also usually cause s2 to be less than
- s1, when the pair is (s2, s1). This would mean that the particular
- order selected for a test could cause the result to differ, leading
- to unpredictable implementations.
-
- While it would be possible to define the test in such a way that the
- inequality would not have this surprising property, while being
- defined for all pairs of values, such a definition would be
-
-
-
-Elz & Bush Standards Track [Page 3]
-
-RFC 1982 Serial Number Arithmetic August 1996
-
-
- unnecessarily burdensome to implement, and difficult to understand,
- and would still allow cases where
-
- s1 < s2 and (s1 + 1) > (s2 + 1)
-
- which is just as non-intuitive.
-
- Thus the problem case is left undefined, implementations are free to
- return either result, or to flag an error, and users must take care
- not to depend on any particular outcome. Usually this will mean
- avoiding allowing those particular pairs of numbers to co-exist.
-
- The relationships greater than or equal to, and less than or equal
- to, follow in the natural way from the above definitions.
-
-4. Corollaries
-
- These definitions give rise to some results of note.
-
-4.1. Corollary 1
-
- For any sequence number s and any integer n such that addition of n
- to s is well defined, (s + n) >= s. Further (s + n) == s only when
- n == 0, in all other defined cases, (s + n) > s.
-
-4.2. Corollary 2
-
- If s' is the result of adding the non-zero integer n to the sequence
- number s, and m is another integer from the range defined as able to
- be added to a sequence number, and s" is the result of adding m to
- s', then it is undefined whether s" is greater than, or less than s,
- though it is known that s" is not equal to s.
-
-4.3. Corollary 3
-
- If s" from the previous corollary is further incremented, then there
- is no longer any known relationship between the result and s.
-
-4.4. Corollary 4
-
- If in corollary 2 the value (n + m) is such that addition of the sum
- to sequence number s would produce a defined result, then corollary 1
- applies, and s" is known to be greater than s.
-
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 4]
-
-RFC 1982 Serial Number Arithmetic August 1996
-
-
-5. Examples
-
-5.1. A trivial example
-
- The simplest meaningful serial number space has SERIAL_BITS == 2. In
- this space, the integers that make up the serial number space are 0,
- 1, 2, and 3. That is, 3 == 2^SERIAL_BITS - 1.
-
- In this space, the largest integer that it is meaningful to add to a
- sequence number is 2^(SERIAL_BITS - 1) - 1, or 1.
-
- Then, as defined 0+1 == 1, 1+1 == 2, 2+1 == 3, and 3+1 == 0.
- Further, 1 > 0, 2 > 1, 3 > 2, and 0 > 3. It is undefined whether
- 2 > 0 or 0 > 2, and whether 1 > 3 or 3 > 1.
-
-5.2. A slightly larger example
-
- Consider the case where SERIAL_BITS == 8. In this space the integers
- that make up the serial number space are 0, 1, 2, ... 254, 255.
- 255 == 2^SERIAL_BITS - 1.
-
- In this space, the largest integer that it is meaningful to add to a
- sequence number is 2^(SERIAL_BITS - 1) - 1, or 127.
-
- Addition is as expected in this space, for example: 255+1 == 0,
- 100+100 == 200, and 200+100 == 44.
-
- Comparison is more interesting, 1 > 0, 44 > 0, 100 > 0, 100 > 44,
- 200 > 100, 255 > 200, 0 > 255, 100 > 255, 0 > 200, and 44 > 200.
-
- Note that 100+100 > 100, but that (100+100)+100 < 100. Incrementing
- a serial number can cause it to become "smaller". Of course,
- incrementing by a smaller number will allow many more increments to
- be made before this occurs. However this is always something to be
- aware of, it can cause surprising errors, or be useful as it is the
- only defined way to actually cause a serial number to decrease.
-
- The pairs of values 0 and 128, 1 and 129, 2 and 130, etc, to 127 and
- 255 are not equal, but in each pair, neither number is defined as
- being greater than, or less than, the other.
-
- It could be defined (arbitrarily) that 128 > 0, 129 > 1,
- 130 > 2, ..., 255 > 127, by changing the comparison operator
- definitions, as mentioned above. However note that that would cause
- 255 > 127, while (255 + 1) < (127 + 1), as 0 < 128. Such a
- definition, apart from being arbitrary, would also be more costly to
- implement.
-
-
-
-
-Elz & Bush Standards Track [Page 5]
-
-RFC 1982 Serial Number Arithmetic August 1996
-
-
-6. Citation
-
- As this defined arithmetic may be useful for purposes other than for
- the DNS serial number, it may be referenced as Serial Number
- Arithmetic from RFC1982. Any such reference shall be taken as
- implying that the rules of sections 2 to 5 of this document apply to
- the stated values.
-
-7. The DNS SOA serial number
-
- The serial number in the DNS SOA Resource Record is a Serial Number
- as defined above, with SERIAL_BITS being 32. That is, the serial
- number is a non negative integer with values taken from the range
- [0 .. 4294967295]. That is, a 32 bit unsigned integer.
-
- The maximum defined increment is 2147483647 (2^31 - 1).
-
- Care should be taken that the serial number not be incremented, in
- one or more steps, by more than this maximum within the period given
- by the value of SOA.expire. Doing so may leave some secondary
- servers with out of date copies of the zone, but with a serial number
- "greater" than that of the primary server. Of course, special
- circumstances may require this rule be set aside, for example, when
- the serial number needs to be set lower for some reason. If this
- must be done, then take special care to verify that ALL servers have
- correctly succeeded in following the primary server's serial number
- changes, at each step.
-
- Note that each, and every, increment to the serial number must be
- treated as the start of a new sequence of increments for this
- purpose, as well as being the continuation of all previous sequences
- started within the period specified by SOA.expire.
-
- Caution should also be exercised before causing the serial number to
- be set to the value zero. While this value is not in any way special
- in serial number arithmetic, or to the DNS SOA serial number, many
- DNS implementations have incorrectly treated zero as a special case,
- with special properties, and unusual behaviour may be expected if
- zero is used as a DNS SOA serial number.
-
-
-
-
-
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 6]
-
-RFC 1982 Serial Number Arithmetic August 1996
-
-
-8. Document Updates
-
- RFC1034 and RFC1035 are to be treated as if the references to
- "sequence space arithmetic" therein are replaced by references to
- serial number arithmetic, as defined in this document.
-
-9. Security Considerations
-
- This document does not consider security.
-
- It is not believed that anything in this document adds to any
- security issues that may exist with the DNS, nor does it do anything
- to lessen them.
-
-References
-
- [RFC1034] Domain Names - Concepts and Facilities,
- P. Mockapetris, STD 13, ISI, November 1987.
-
- [RFC1035] Domain Names - Implementation and Specification
- P. Mockapetris, STD 13, ISI, November 1987
-
- [RFC793] Transmission Control protocol
- Information Sciences Institute, STD 7, USC, September 1981
-
- [IEN-74] Sequence Number Arithmetic
- William W. Plummer, BB&N Inc, September 1978
-
-Acknowledgements
-
- Thanks to Rob Austein for suggesting clarification of the undefined
- comparison operators, and to Michael Patton for attempting to locate
- another reference for this procedure. Thanks also to members of the
- IETF DNSIND working group of 1995-6, in particular, Paul Mockapetris.
-
-Authors' Addresses
-
- Robert Elz Randy Bush
- Computer Science RGnet, Inc.
- University of Melbourne 10361 NE Sasquatch Lane
- Parkville, Vic, 3052 Bainbridge Island, Washington, 98110
- Australia. United States.
-
- EMail: kre@munnari.OZ.AU EMail: randy@psg.com
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 7]
diff --git a/contrib/bind9/doc/rfc/rfc1995.txt b/contrib/bind9/doc/rfc/rfc1995.txt
deleted file mode 100644
index b50bdc604870..000000000000
--- a/contrib/bind9/doc/rfc/rfc1995.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Ohta
-Request for Comments: 1995 Tokyo Institute of Technology
-Updates: 1035 August 1996
-Category: Standards Track
-
-
- Incremental Zone Transfer in DNS
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- This document proposes extensions to the DNS protocols to provide an
- incremental zone transfer (IXFR) mechanism.
-
-1. Introduction
-
- For rapid propagation of changes to a DNS database [STD13], it is
- necessary to reduce latency by actively notifying servers of the
- change. This is accomplished by the NOTIFY extension of the DNS
- [NOTIFY].
-
- The current full zone transfer mechanism (AXFR) is not an efficient
- means to propagate changes to a small part of a zone, as it transfers
- the entire zone file.
-
- Incremental transfer (IXFR) as proposed is a more efficient
- mechanism, as it transfers only the changed portion(s) of a zone.
-
- In this document, a secondary name server which requests IXFR is
- called an IXFR client and a primary or secondary name server which
- responds to the request is called an IXFR server.
-
-2. Brief Description of the Protocol
-
- If an IXFR client, which likely has an older version of a zone,
- thinks it needs new information about the zone (typically through SOA
- refresh timeout or the NOTIFY mechanism), it sends an IXFR message
- containing the SOA serial number of its, presumably outdated, copy of
- the zone.
-
-
-
-
-
-Ohta Standards Track [Page 1]
-
-RFC 1995 Incremental Zone Transfer in DNS August 1996
-
-
- An IXFR server should keep record of the newest version of the zone
- and the differences between that copy and several older versions.
- When an IXFR request with an older version number is received, the
- IXFR server needs to send only the differences required to make that
- version current. Alternatively, the server may choose to transfer
- the entire zone just as in a normal full zone transfer.
-
- When a zone has been updated, it should be saved in stable storage
- before the new version is used to respond to IXFR (or AXFR) queries.
- Otherwise, if the server crashes, data which is no longer available
- may have been distributed to secondary servers, which can cause
- persistent database inconsistencies.
-
- If an IXFR query with the same or newer version number than that of
- the server is received, it is replied to with a single SOA record of
- the server's current version, just as in AXFR.
-
- Transport of a query may be by either UDP or TCP. If an IXFR query
- is via UDP, the IXFR server may attempt to reply using UDP if the
- entire response can be contained in a single DNS packet. If the UDP
- reply does not fit, the query is responded to with a single SOA
- record of the server's current version to inform the client that a
- TCP query should be initiated.
-
- Thus, a client should first make an IXFR query using UDP. If the
- query type is not recognized by the server, an AXFR (preceded by a
- UDP SOA query) should be tried, ensuring backward compatibility. If
- the query response is a single packet with the entire new zone, or if
- the server does not have a newer version than the client, everything
- is done. Otherwise, a TCP IXFR query should be tried.
-
- To ensure integrity, servers should use UDP checksums for all UDP
- responses. A cautious client which receives a UDP packet with a
- checksum value of zero should ignore the result and try a TCP IXFR
- instead.
-
- The query type value of IXFR assigned by IANA is 251.
-
-3. Query Format
-
- The IXFR query packet format is the same as that of a normal DNS
- query, but with the query type being IXFR and the authority section
- containing the SOA record of client's version of the zone.
-
-
-
-
-
-
-
-
-Ohta Standards Track [Page 2]
-
-RFC 1995 Incremental Zone Transfer in DNS August 1996
-
-
-4. Response Format
-
- If incremental zone transfer is not available, the entire zone is
- returned. The first and the last RR of the response is the SOA
- record of the zone. I.e. the behavior is the same as an AXFR
- response except the query type is IXFR.
-
- If incremental zone transfer is available, one or more difference
- sequences is returned. The list of difference sequences is preceded
- and followed by a copy of the server's current version of the SOA.
-
- Each difference sequence represents one update to the zone (one SOA
- serial change) consisting of deleted RRs and added RRs. The first RR
- of the deleted RRs is the older SOA RR and the first RR of the added
- RRs is the newer SOA RR.
-
- Modification of an RR is performed first by removing the original RR
- and then adding the modified one.
-
- The sequences of differential information are ordered oldest first
- newest last. Thus, the differential sequences are the history of
- changes made since the version known by the IXFR client up to the
- server's current version.
-
- RRs in the incremental transfer messages may be partial. That is, if
- a single RR of multiple RRs of the same RR type changes, only the
- changed RR is transferred.
-
- An IXFR client, should only replace an older version with a newer
- version after all the differences have been successfully processed.
-
- An incremental response is different from that of a non-incremental
- response in that it begins with two SOA RRs, the server's current SOA
- followed by the SOA of the client's version which is about to be
- replaced.
-
- 5. Purging Strategy
-
- An IXFR server can not be required to hold all previous versions
- forever and may delete them anytime. In general, there is a trade-off
- between the size of storage space and the possibility of using IXFR.
-
- Information about older versions should be purged if the total length
- of an IXFR response would be longer than that of an AXFR response.
- Given that the purpose of IXFR is to reduce AXFR overhead, this
- strategy is quite reasonable. The strategy assures that the amount
- of storage required is at most twice that of the current zone
- information.
-
-
-
-Ohta Standards Track [Page 3]
-
-RFC 1995 Incremental Zone Transfer in DNS August 1996
-
-
- Information older than the SOA expire period may also be purged.
-
-6. Optional Condensation of Multiple Versions
-
- An IXFR server may optionally condense multiple difference sequences
- into a single difference sequence, thus, dropping information on
- intermediate versions.
-
- This may be beneficial if a lot of versions, not all of which are
- useful, are generated. For example, if multiple ftp servers share a
- single DNS name and the IP address associated with the name is
- changed once a minute to balance load between the ftp servers, it is
- not so important to keep track of all the history of changes.
-
- But, this feature may not be so useful if an IXFR client has access
- to two IXFR servers: A and B, with inconsistent condensation results.
- The current version of the IXFR client, received from server A, may
- be unknown to server B. In such a case, server B can not provide
- incremental data from the unknown version and a full zone transfer is
- necessary.
-
- Condensation is completely optional. Clients can't detect from the
- response whether the server has condensed the reply or not.
-
- For interoperability, IXFR servers, including those without the
- condensation feature, should not flag an error even if it receives a
- client's IXFR request with a unknown version number and should,
- instead, attempt to perform a full zone transfer.
-
-7. Example
-
- Given the following three generations of data with the current serial
- number of 3,
-
- JAIN.AD.JP. IN SOA NS.JAIN.AD.JP. mohta.jain.ad.jp. (
- 1 600 600 3600000 604800)
- IN NS NS.JAIN.AD.JP.
- NS.JAIN.AD.JP. IN A 133.69.136.1
- NEZU.JAIN.AD.JP. IN A 133.69.136.5
-
- NEZU.JAIN.AD.JP. is removed and JAIN-BB.JAIN.AD.JP. is added.
-
- jain.ad.jp. IN SOA ns.jain.ad.jp. mohta.jain.ad.jp. (
- 2 600 600 3600000 604800)
- IN NS NS.JAIN.AD.JP.
- NS.JAIN.AD.JP. IN A 133.69.136.1
- JAIN-BB.JAIN.AD.JP. IN A 133.69.136.4
- IN A 192.41.197.2
-
-
-
-Ohta Standards Track [Page 4]
-
-RFC 1995 Incremental Zone Transfer in DNS August 1996
-
-
- One of the IP addresses of JAIN-BB.JAIN.AD.JP. is changed.
-
- JAIN.AD.JP. IN SOA ns.jain.ad.jp. mohta.jain.ad.jp. (
- 3 600 600 3600000 604800)
- IN NS NS.JAIN.AD.JP.
- NS.JAIN.AD.JP. IN A 133.69.136.1
- JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3
- IN A 192.41.197.2
-
- The following IXFR query
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY |
- +---------------------------------------------------+
- Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
- +---------------------------------------------------+
- Answer | <empty> |
- +---------------------------------------------------+
- Authority | JAIN.AD.JP. IN SOA serial=1 |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
- could be replied to with the following full zone transfer message:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
- +---------------------------------------------------+
- Answer | JAIN.AD.JP. IN SOA serial=3 |
- | JAIN.AD.JP. IN NS NS.JAIN.AD.JP. |
- | NS.JAIN.AD.JP. IN A 133.69.136.1 |
- | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3 |
- | JAIN-BB.JAIN.AD.JP. IN A 192.41.197.2 |
- | JAIN.AD.JP. IN SOA serial=3 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-
-
-
-
-
-
-
-
-
-Ohta Standards Track [Page 5]
-
-RFC 1995 Incremental Zone Transfer in DNS August 1996
-
-
- or with the following incremental message:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
- +---------------------------------------------------+
- Answer | JAIN.AD.JP. IN SOA serial=3 |
- | JAIN.AD.JP. IN SOA serial=1 |
- | NEZU.JAIN.AD.JP. IN A 133.69.136.5 |
- | JAIN.AD.JP. IN SOA serial=2 |
- | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.4 |
- | JAIN-BB.JAIN.AD.JP. IN A 192.41.197.2 |
- | JAIN.AD.JP. IN SOA serial=2 |
- | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.4 |
- | JAIN.AD.JP. IN SOA serial=3 |
- | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3 |
- | JAIN.AD.JP. IN SOA serial=3 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
- or with the following condensed incremental message:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
- +---------------------------------------------------+
- Answer | JAIN.AD.JP. IN SOA serial=3 |
- | JAIN.AD.JP. IN SOA serial=1 |
- | NEZU.JAIN.AD.JP. IN A 133.69.136.5 |
- | JAIN.AD.JP. IN SOA serial=3 |
- | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3 |
- | JAIN-BB.JAIN.AD.JP. IN A 192.41.197.2 |
- | JAIN.AD.JP. IN SOA serial=3 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-
-
-
-
-
-
-
-Ohta Standards Track [Page 6]
-
-RFC 1995 Incremental Zone Transfer in DNS August 1996
-
-
- or, if UDP packet overflow occurs, with the following message:
-
- +---------------------------------------------------+
- Header | OPCODE=SQUERY, RESPONSE |
- +---------------------------------------------------+
- Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
- +---------------------------------------------------+
- Answer | JAIN.AD.JP. IN SOA serial=3 |
- +---------------------------------------------------+
- Authority | <empty> |
- +---------------------------------------------------+
- Additional | <empty> |
- +---------------------------------------------------+
-
-8. Acknowledgements
-
- The original idea of IXFR was conceived by Anant Kumar, Steve Hotz
- and Jon Postel.
-
- For the refinement of the protocol and documentation, many people
- have contributed including, but not limited to, Anant Kumar, Robert
- Austein, Paul Vixie, Randy Bush, Mark Andrews, Robert Elz and the
- members of the IETF DNSIND working group.
-
-9. References
-
- [NOTIFY] Vixie, P., "DNS NOTIFY: A Mechanism for Prompt
- Notification of Zone Changes", RFC 1996, August 1996.
-
- [STD13] Mockapetris, P., "Domain Name System", STD 13, RFC 1034 and
- RFC 1035), November 1987.
-
-10. Security Considerations
-
- Though DNS is related to several security problems, no attempt is
- made to fix them in this document.
-
- This document is believed to introduce no additional security
- problems to the current DNS protocol.
-
-
-
-
-
-
-
-
-
-
-
-
-Ohta Standards Track [Page 7]
-
-RFC 1995 Incremental Zone Transfer in DNS August 1996
-
-
-11. Author's Address
-
- Masataka Ohta
- Computer Center
- Tokyo Institute of Technology
- 2-12-1, O-okayama, Meguro-ku, Tokyo 152, JAPAN
-
- Phone: +81-3-5734-3299
- Fax: +81-3-5734-3415
- EMail: mohta@necom830.hpcl.titech.ac.jp
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Ohta Standards Track [Page 8]
-
diff --git a/contrib/bind9/doc/rfc/rfc1996.txt b/contrib/bind9/doc/rfc/rfc1996.txt
deleted file mode 100644
index b08f2007972f..000000000000
--- a/contrib/bind9/doc/rfc/rfc1996.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Vixie
-Request for Comments: 1996 ISC
-Updates: 1035 August 1996
-Category: Standards Track
-
-
- A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- This memo describes the NOTIFY opcode for DNS, by which a master
- server advises a set of slave servers that the master's data has been
- changed and that a query should be initiated to discover the new
- data.
-
-1. Rationale and Scope
-
- 1.1. Slow propagation of new and changed data in a DNS zone can be
- due to a zone's relatively long refresh times. Longer refresh times
- are beneficial in that they reduce load on the master servers, but
- that benefit comes at the cost of long intervals of incoherence among
- authority servers whenever the zone is updated.
-
- 1.2. The DNS NOTIFY transaction allows master servers to inform slave
- servers when the zone has changed -- an interrupt as opposed to poll
- model -- which it is hoped will reduce propagation delay while not
- unduly increasing the masters' load. This specification only allows
- slaves to be notified of SOA RR changes, but the architechture of
- NOTIFY is intended to be extensible to other RR types.
-
- 1.3. This document intentionally gives more definition to the roles
- of "Master," "Slave" and "Stealth" servers, their enumeration in NS
- RRs, and the SOA MNAME field. In that sense, this document can be
- considered an addendum to [RFC1035].
-
-
-
-
-
-
-
-
-
-Vixie Standards Track [Page 1]
-
-RFC 1996 DNS NOTIFY August 1996
-
-
-2. Definitions and Invariants
-
- 2.1. The following definitions are used in this document:
-
- Slave an authoritative server which uses zone transfer to
- retrieve the zone. All slave servers are named in
- the NS RRs for the zone.
-
- Master any authoritative server configured to be the source
- of zone transfer for one or more slave servers.
-
- Primary Master master server at the root of the zone transfer
- dependency graph. The primary master is named in the
- zone's SOA MNAME field and optionally by an NS RR.
- There is by definition only one primary master server
- per zone.
-
- Stealth like a slave server except not listed in an NS RR for
- the zone. A stealth server, unless explicitly
- configured to do otherwise, will set the AA bit in
- responses and be capable of acting as a master. A
- stealth server will only be known by other servers if
- they are given static configuration data indicating
- its existence.
-
- Notify Set set of servers to be notified of changes to some
- zone. Default is all servers named in the NS RRset,
- except for any server also named in the SOA MNAME.
- Some implementations will permit the name server
- administrator to override this set or add elements to
- it (such as, for example, stealth servers).
-
- 2.2. The zone's servers must be organized into a dependency graph
- such that there is a primary master, and all other servers must use
- AXFR or IXFR either from the primary master or from some slave which
- is also a master. No loops are permitted in the AXFR dependency
- graph.
-
-3. NOTIFY Message
-
- 3.1. When a master has updated one or more RRs in which slave servers
- may be interested, the master may send the changed RR's name, class,
- type, and optionally, new RDATA(s), to each known slave server using
- a best efforts protocol based on the NOTIFY opcode.
-
- 3.2. NOTIFY uses the DNS Message Format, although it uses only a
- subset of the available fields. Fields not otherwise described
- herein are to be filled with binary zero (0), and implementations
-
-
-
-Vixie Standards Track [Page 2]
-
-RFC 1996 DNS NOTIFY August 1996
-
-
- must ignore all messages for which this is not the case.
-
- 3.3. NOTIFY is similar to QUERY in that it has a request message with
- the header QR flag "clear" and a response message with QR "set". The
- response message contains no useful information, but its reception by
- the master is an indication that the slave has received the NOTIFY
- and that the master can remove the slave from any retry queue for
- this NOTIFY event.
-
- 3.4. The transport protocol used for a NOTIFY transaction will be UDP
- unless the master has reason to believe that TCP is necessary; for
- example, if a firewall has been installed between master and slave,
- and only TCP has been allowed; or, if the changed RR is too large to
- fit in a UDP/DNS datagram.
-
- 3.5. If TCP is used, both master and slave must continue to offer
- name service during the transaction, even when the TCP transaction is
- not making progress. The NOTIFY request is sent once, and a
- "timeout" is said to have occurred if no NOTIFY response is received
- within a reasonable interval.
-
- 3.6. If UDP is used, a master periodically sends a NOTIFY request to
- a slave until either too many copies have been sent (a "timeout"), an
- ICMP message indicating that the port is unreachable, or until a
- NOTIFY response is received from the slave with a matching query ID,
- QNAME, IP source address, and UDP source port number.
-
- Note:
- The interval between transmissions, and the total number of
- retransmissions, should be operational parameters specifiable by
- the name server administrator, perhaps on a per-zone basis.
- Reasonable defaults are a 60 second interval (or timeout if
- using TCP), and a maximum of 5 retransmissions (for UDP). It is
- considered reasonable to use additive or exponential backoff for
- the retry interval.
-
- 3.7. A NOTIFY request has QDCOUNT>0, ANCOUNT>=0, AUCOUNT>=0,
- ADCOUNT>=0. If ANCOUNT>0, then the answer section represents an
- unsecure hint at the new RRset for this <QNAME,QCLASS,QTYPE>. A
- slave receiving such a hint is free to treat equivilence of this
- answer section with its local data as a "no further work needs to be
- done" indication. If ANCOUNT=0, or ANCOUNT>0 and the answer section
- differs from the slave's local data, then the slave should query its
- known masters to retrieve the new data.
-
- 3.8. In no case shall the answer section of a NOTIFY request be used
- to update a slave's local data, or to indicate that a zone transfer
- needs to be undertaken, or to change the slave's zone refresh timers.
-
-
-
-Vixie Standards Track [Page 3]
-
-RFC 1996 DNS NOTIFY August 1996
-
-
- Only a "data present; data same" condition can lead a slave to act
- differently if ANCOUNT>0 than it would if ANCOUNT=0.
-
- 3.9. This version of the NOTIFY specification makes no use of the
- authority or additional data sections, and so conforming
- implementations should set AUCOUNT=0 and ADCOUNT=0 when transmitting
- requests. Since a future revision of this specification may define a
- backwards compatible use for either or both of these sections,
- current implementations must ignore these sections, but not the
- entire message, if AUCOUNT>0 and/or ADCOUNT>0.
-
- 3.10. If a slave receives a NOTIFY request from a host that is not a
- known master for the zone containing the QNAME, it should ignore the
- request and produce an error message in its operations log.
-
- Note:
- This implies that slaves of a multihomed master must either know
- their master by the "closest" of the master's interface
- addresses, or must know all of the master's interface addresses.
- Otherwise, a valid NOTIFY request might come from an address
- that is not on the slave's state list of masters for the zone,
- which would be an error.
-
- 3.11. The only defined NOTIFY event at this time is that the SOA RR
- has changed. Upon completion of a NOTIFY transaction for QTYPE=SOA,
- the slave should behave as though the zone given in the QNAME had
- reached its REFRESH interval (see [RFC1035]), i.e., it should query
- its masters for the SOA of the zone given in the NOTIFY QNAME, and
- check the answer to see if the SOA SERIAL has been incremented since
- the last time the zone was fetched. If so, a zone transfer (either
- AXFR or IXFR) should be initiated.
-
- Note:
- Because a deep server dependency graph may have multiple paths
- from the primary master to any given slave, it is possible that
- a slave will receive a NOTIFY from one of its known masters even
- though the rest of its known masters have not yet updated their
- copies of the zone. Therefore, when issuing a QUERY for the
- zone's SOA, the query should be directed at the known master who
- was the source of the NOTIFY event, and not at any of the other
- known masters. This represents a departure from [RFC1035],
- which specifies that upon expiry of the SOA REFRESH interval,
- all known masters should be queried in turn.
-
- 3.12. If a NOTIFY request is received by a slave who does not
- implement the NOTIFY opcode, it will respond with a NOTIMP
- (unimplemented feature error) message. A master server who receives
- such a NOTIMP should consider the NOTIFY transaction complete for
-
-
-
-Vixie Standards Track [Page 4]
-
-RFC 1996 DNS NOTIFY August 1996
-
-
- that slave.
-
-4. Details and Examples
-
- 4.1. Retaining query state information across host reboots is
- optional, but it is reasonable to simply execute an SOA NOTIFY
- transaction on each authority zone when a server first starts.
-
- 4.2. Each slave is likely to receive several copies of the same
- NOTIFY request: One from the primary master, and one from each other
- slave as that slave transfers the new zone and notifies its potential
- peers. The NOTIFY protocol supports this multiplicity by requiring
- that NOTIFY be sent by a slave/master only AFTER it has updated the
- SOA RR or has determined that no update is necessary, which in
- practice means after a successful zone transfer. Thus, barring
- delivery reordering, the last NOTIFY any slave receives will be the
- one indicating the latest change. Since a slave always requests SOAs
- and AXFR/IXFRs only from its known masters, it will have an
- opportunity to retry its QUERY for the SOA after each of its masters
- have completed each zone update.
-
- 4.3. If a master server seeks to avoid causing a large number of
- simultaneous outbound zone transfers, it may delay for an arbitrary
- length of time before sending a NOTIFY message to any given slave.
- It is expected that the time will be chosen at random, so that each
- slave will begin its transfer at a unique time. The delay shall not
- in any case be longer than the SOA REFRESH time.
-
- Note:
- This delay should be a parameter that each primary master name
- server can specify, perhaps on a per-zone basis. Random delays
- of between 30 and 60 seconds would seem adequate if the servers
- share a LAN and the zones are of moderate size.
-
- 4.4. A slave which receives a valid NOTIFY should defer action on any
- subsequent NOTIFY with the same <QNAME,QCLASS,QTYPE> until it has
- completed the transaction begun by the first NOTIFY. This duplicate
- rejection is necessary to avoid having multiple notifications lead to
- pummeling the master server.
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie Standards Track [Page 5]
-
-RFC 1996 DNS NOTIFY August 1996
-
-
- 4.5 Zone has Updated on Primary Master
-
- Primary master sends a NOTIFY request to all servers named in Notify
- Set. The NOTIFY request has the following characteristics:
-
- query ID: (new)
- op: NOTIFY (4)
- resp: NOERROR
- flags: AA
- qcount: 1
- qname: (zone name)
- qclass: (zone class)
- qtype: T_SOA
-
- 4.6 Zone has Updated on a Slave that is also a Master
-
- As above in 4.5, except that this server's Notify Set may be
- different from the Primary Master's due to optional static
- specification of local stealth servers.
-
- 4.7 Slave Receives a NOTIFY Request from a Master
-
- When a slave server receives a NOTIFY request from one of its locally
- designated masters for the zone enclosing the given QNAME, with
- QTYPE=SOA and QR=0, it should enter the state it would if the zone's
- refresh timer had expired. It will also send a NOTIFY response back
- to the NOTIFY request's source, with the following characteristics:
-
- query ID: (same)
- op: NOTIFY (4)
- resp: NOERROR
- flags: QR AA
- qcount: 1
- qname: (zone name)
- qclass: (zone class)
- qtype: T_SOA
-
- This is intended to be identical to the NOTIFY request, except that
- the QR bit is also set. The query ID of the response must be the
- same as was received in the request.
-
- 4.8 Master Receives a NOTIFY Response from Slave
-
- When a master server receives a NOTIFY response, it deletes this
- query from the retry queue, thus completing the "notification
- process" of "this" RRset change to "that" server.
-
-
-
-
-
-Vixie Standards Track [Page 6]
-
-RFC 1996 DNS NOTIFY August 1996
-
-
-5. Security Considerations
-
- We believe that the NOTIFY operation's only security considerations
- are:
-
- 1. That a NOTIFY request with a forged IP/UDP source address can
- cause a slave to send spurious SOA queries to its masters,
- leading to a benign denial of service attack if the forged
- requests are sent very often.
-
- 2. That TCP spoofing could be used against a slave server given
- NOTIFY as a means of synchronizing an SOA query and UDP/DNS
- spoofing as a means of forcing a zone transfer.
-
-6. References
-
- [RFC1035]
- Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [IXFR]
- Ohta, M., "Incremental Zone Transfer", RFC 1995, August 1996.
-
-7. Author's Address
-
- Paul Vixie
- Internet Software Consortium
- Star Route Box 159A
- Woodside, CA 94062
-
- Phone: +1 415 747 0204
- EMail: paul@vix.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc2052.txt b/contrib/bind9/doc/rfc/rfc2052.txt
deleted file mode 100644
index 46ba36296b96..000000000000
--- a/contrib/bind9/doc/rfc/rfc2052.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Gulbrandsen
-Request for Comments: 2052 Troll Technologies
-Updates: 1035, 1183 P. Vixie
-Category: Experimental Vixie Enterprises
- October 1996
-
-
- A DNS RR for specifying the location of services (DNS SRV)
-
-Status of this Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. This memo does not specify an Internet standard of any
- kind. Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Abstract
-
- This document describes a DNS RR which specifies the location of the
- server(s) for a specific protocol and domain (like a more general
- form of MX).
-
-Overview and rationale
-
- Currently, one must either know the exact address of a server to
- contact it, or broadcast a question. This has led to, for example,
- ftp.whatever.com aliases, the SMTP-specific MX RR, and using MAC-
- level broadcasts to locate servers.
-
- The SRV RR allows administrators to use several servers for a single
- domain, to move services from host to host with little fuss, and to
- designate some hosts as primary servers for a service and others as
- backups.
-
- Clients ask for a specific service/protocol for a specific domain
- (the word domain is used here in the strict RFC 1034 sense), and get
- back the names of any available servers.
-
-Introductory example
-
- When a SRV-cognizant web-browser wants to retrieve
-
- http://www.asdf.com/
-
- it does a lookup of
-
- http.tcp.www.asdf.com
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 1]
-
-RFC 2052 DNS SRV RR October 1996
-
-
- and retrieves the document from one of the servers in the reply. The
- example zone file near the end of the memo contains answering RRs for
- this query.
-
-The format of the SRV RR
-
- Here is the format of the SRV RR, whose DNS type code is 33:
-
- Service.Proto.Name TTL Class SRV Priority Weight Port Target
-
- (There is an example near the end of this document.)
-
- Service
- The symbolic name of the desired service, as defined in Assigned
- Numbers or locally.
-
- Some widely used services, notably POP, don't have a single
- universal name. If Assigned Numbers names the service
- indicated, that name is the only name which is legal for SRV
- lookups. Only locally defined services may be named locally.
- The Service is case insensitive.
-
- Proto
- TCP and UDP are at present the most useful values
- for this field, though any name defined by Assigned Numbers or
- locally may be used (as for Service). The Proto is case
- insensitive.
-
- Name
- The domain this RR refers to. The SRV RR is unique in that the
- name one searches for is not this name; the example near the end
- shows this clearly.
-
- TTL
- Standard DNS meaning.
-
- Class
- Standard DNS meaning.
-
- Priority
- As for MX, the priority of this target host. A client MUST
- attempt to contact the target host with the lowest-numbered
- priority it can reach; target hosts with the same priority
- SHOULD be tried in pseudorandom order. The range is 0-65535.
-
-
-
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 2]
-
-RFC 2052 DNS SRV RR October 1996
-
-
- Weight
- Load balancing mechanism. When selecting a target host among
- the those that have the same priority, the chance of trying this
- one first SHOULD be proportional to its weight. The range of
- this number is 1-65535. Domain administrators are urged to use
- Weight 0 when there isn't any load balancing to do, to make the
- RR easier to read for humans (less noisy).
-
- Port
- The port on this target host of this service. The range is
- 0-65535. This is often as specified in Assigned Numbers but
- need not be.
-
- Target
- As for MX, the domain name of the target host. There MUST be
- one or more A records for this name. Implementors are urged, but
- not required, to return the A record(s) in the Additional Data
- section. Name compression is to be used for this field.
-
- A Target of "." means that the service is decidedly not
- available at this domain.
-
-Domain administrator advice
-
- Asking everyone to update their telnet (for example) clients when the
- first internet site adds a SRV RR for Telnet/TCP is futile (even if
- desirable). Therefore SRV will have to coexist with A record lookups
- for a long time, and DNS administrators should try to provide A
- records to support old clients:
-
- - Where the services for a single domain are spread over several
- hosts, it seems advisable to have a list of A RRs at the same
- DNS node as the SRV RR, listing reasonable (if perhaps
- suboptimal) fallback hosts for Telnet, NNTP and other protocols
- likely to be used with this name. Note that some programs only
- try the first address they get back from e.g. gethostbyname(),
- and we don't know how widespread this behaviour is.
-
- - Where one service is provided by several hosts, one can either
- provide A records for all the hosts (in which case the round-
- robin mechanism, where available, will share the load equally)
- or just for one (presumably the fastest).
-
- - If a host is intended to provide a service only when the main
- server(s) is/are down, it probably shouldn't be listed in A
- records.
-
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 3]
-
-RFC 2052 DNS SRV RR October 1996
-
-
- - Hosts that are referenced by backup A records must use the port
- number specified in Assigned Numbers for the service.
-
- Currently there's a practical limit of 512 bytes for DNS replies.
- Until all resolvers can handle larger responses, domain
- administrators are strongly advised to keep their SRV replies below
- 512 bytes.
-
- All round numbers, wrote Dr. Johnson, are false, and these numbers
- are very round: A reply packet has a 30-byte overhead plus the name
- of the service ("telnet.tcp.asdf.com" for instance); each SRV RR adds
- 20 bytes plus the name of the target host; each NS RR in the NS
- section is 15 bytes plus the name of the name server host; and
- finally each A RR in the additional data section is 20 bytes or so,
- and there are A's for each SRV and NS RR mentioned in the answer.
- This size estimate is extremely crude, but shouldn't underestimate
- the actual answer size by much. If an answer may be close to the
- limit, using e.g. "dig" to look at the actual answer is a good idea.
-
-The "Weight" field
-
- Weight, the load balancing field, is not quite satisfactory, but the
- actual load on typical servers changes much too quickly to be kept
- around in DNS caches. It seems to the authors that offering
- administrators a way to say "this machine is three times as fast as
- that one" is the best that can practically be done.
-
- The only way the authors can see of getting a "better" load figure is
- asking a separate server when the client selects a server and
- contacts it. For short-lived services like SMTP an extra step in the
- connection establishment seems too expensive, and for long-lived
- services like telnet, the load figure may well be thrown off a minute
- after the connection is established when someone else starts or
- finishes a heavy job.
-
-The Port number
-
- Currently, the translation from service name to port number happens
- at the client, often using a file such as /etc/services.
-
- Moving this information to the DNS makes it less necessary to update
- these files on every single computer of the net every time a new
- service is added, and makes it possible to move standard services out
- of the "root-only" port range on unix
-
-
-
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 4]
-
-RFC 2052 DNS SRV RR October 1996
-
-
-Usage rules
-
- A SRV-cognizant client SHOULD use this procedure to locate a list of
- servers and connect to the preferred one:
-
- Do a lookup for QNAME=service.protocol.target, QCLASS=IN,
- QTYPE=SRV.
-
- If the reply is NOERROR, ANCOUNT>0 and there is at least one SRV
- RR which specifies the requested Service and Protocol in the
- reply:
-
- If there is precisely one SRV RR, and its Target is "."
- (the root domain), abort.
-
- Else, for all such RR's, build a list of (Priority, Weight,
- Target) tuples
-
- Sort the list by priority (lowest number first)
-
- Create a new empty list
-
- For each distinct priority level
- While there are still elements left at this priority
- level
- Select an element randomly, with probability
- Weight, and move it to the tail of the new list
-
- For each element in the new list
-
- query the DNS for A RR's for the Target or use any
- RR's found in the Additional Data secion of the
- earlier SRV query.
-
- for each A RR found, try to connect to the (protocol,
- address, service).
-
- else if the service desired is SMTP
-
- skip to RFC 974 (MX).
-
- else
-
- Do a lookup for QNAME=target, QCLASS=IN, QTYPE=A
-
- for each A RR found, try to connect to the (protocol,
- address, service)
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 5]
-
-RFC 2052 DNS SRV RR October 1996
-
-
- Notes:
-
- - Port numbers SHOULD NOT be used in place of the symbolic service
- or protocol names (for the same reason why variant names cannot
- be allowed: Applications would have to do two or more lookups).
-
- - If a truncated response comes back from an SRV query, and the
- Additional Data section has at least one complete RR in it, the
- answer MUST be considered complete and the client resolver
- SHOULD NOT retry the query using TCP, but use normal UDP queries
- for A RR's missing from the Additional Data section.
-
- - A client MAY use means other than Weight to choose among target
- hosts with equal Priority.
-
- - A client MUST parse all of the RR's in the reply.
-
- - If the Additional Data section doesn't contain A RR's for all
- the SRV RR's and the client may want to connect to the target
- host(s) involved, the client MUST look up the A RR(s). (This
- happens quite often when the A RR has shorter TTL than the SRV
- or NS RR's.)
-
- - A future standard could specify that a SRV RR whose Protocol was
- TCP and whose Service was SMTP would override RFC 974's rules
- with regard to the use of an MX RR. This would allow firewalled
- organizations with several SMTP relays to control the load
- distribution using the Weight field.
-
- - Future protocols could be designed to use SRV RR lookups as the
- means by which clients locate their servers.
-
-Fictional example
-
- This is (part of) the zone file for asdf.com, a still-unused domain:
-
- $ORIGIN asdf.com.
- @ SOA server.asdf.com. root.asdf.com. (
- 1995032001 3600 3600 604800 86400 )
- NS server.asdf.com.
- NS ns1.ip-provider.net.
- NS ns2.ip-provider.net.
- ftp.tcp SRV 0 0 21 server.asdf.com.
- finger.tcp SRV 0 0 79 server.asdf.com.
- ; telnet - use old-slow-box or new-fast-box if either is
- ; available, make three quarters of the logins go to
- ; new-fast-box.
- telnet.tcp SRV 0 1 23 old-slow-box.asdf.com.
-
-
-
-Gulbrandsen & Vixie Experimental [Page 6]
-
-RFC 2052 DNS SRV RR October 1996
-
-
- SRV 0 3 23 new-fast-box.asdf.com.
- ; if neither old-slow-box or new-fast-box is up, switch to
- ; using the sysdmin's box and the server
- SRV 1 0 23 sysadmins-box.asdf.com.
- SRV 1 0 23 server.asdf.com.
- ; HTTP - server is the main server, new-fast-box is the backup
- ; (On new-fast-box, the HTTP daemon runs on port 8000)
- http.tcp SRV 0 0 80 server.asdf.com.
- SRV 10 0 8000 new-fast-box.asdf.com.
- ; since we want to support both http://asdf.com/ and
- ; http://www.asdf.com/ we need the next two RRs as well
- http.tcp.www SRV 0 0 80 server.asdf.com.
- SRV 10 0 8000 new-fast-box.asdf.com.
- ; SMTP - mail goes to the server, and to the IP provider if
- ; the net is down
- smtp.tcp SRV 0 0 25 server.asdf.com.
- SRV 1 0 25 mailhost.ip-provider.net.
- @ MX 0 server.asdf.com.
- MX 1 mailhost.ip-provider.net.
- ; NNTP - use the IP providers's NNTP server
- nntp.tcp SRV 0 0 119 nntphost.ip-provider.net.
- ; IDB is an locally defined protocol
- idb.tcp SRV 0 0 2025 new-fast-box.asdf.com.
- ; addresses
- server A 172.30.79.10
- old-slow-box A 172.30.79.11
- sysadmins-box A 172.30.79.12
- new-fast-box A 172.30.79.13
- ; backup A records - new-fast-box and old-slow-box are
- ; included, naturally, and server is too, but might go
- ; if the load got too bad
- @ A 172.30.79.10
- A 172.30.79.11
- A 172.30.79.13
- ; backup A RR for www.asdf.com
- www A 172.30.79.10
- ; NO other services are supported
- *.tcp SRV 0 0 0 .
- *.udp SRV 0 0 0 .
-
- In this example, a telnet connection to "asdf.com." needs an SRV
- lookup of "telnet.tcp.asdf.com." and possibly A lookups of "new-
- fast-box.asdf.com." and/or the other hosts named. The size of the
- SRV reply is approximately 365 bytes:
-
- 30 bytes general overhead
- 20 bytes for the query string, "telnet.tcp.asdf.com."
- 130 bytes for 4 SRV RR's, 20 bytes each plus the lengths of "new-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 7]
-
-RFC 2052 DNS SRV RR October 1996
-
-
- fast-box", "old-slow-box", "server" and "sysadmins-box" -
- "asdf.com" in the query section is quoted here and doesn't
- need to be counted again.
- 75 bytes for 3 NS RRs, 15 bytes each plus the lengths of
- "server", "ns1.ip-provider.net." and "ns2" - again, "ip-
- provider.net." is quoted and only needs to be counted once.
- 120 bytes for the 6 A RR's mentioned by the SRV and NS RR's.
-
-Refererences
-
- RFC 1918: Rekhter, Y., Moskowitz, R., Karrenberg, D., de Groot, G.,
- and E. Lear, "Address Allocation for Private Internets",
- RFC 1918, February 1996.
-
- RFC 1916 Berkowitz, H., Ferguson, P, Leland, W. and P. Nesser,
- "Enterprise Renumbering: Experience and Information
- Solicitation", RFC 1916, February 1996.
-
- RFC 1912 Barr, D., "Common DNS Operational and Configuration
- Errors", RFC 1912, February 1996.
-
- RFC 1900: Carpenter, B., and Y. Rekhter, "Renumbering Needs Work",
- RFC 1900, February 1996.
-
- RFC 1920: Postel, J., "INTERNET OFFICIAL PROTOCOL STANDARDS",
- STD 1, RFC 1920, March 1996.
-
- RFC 1814: Gerich, E., "Unique Addresses are Good", RFC 1814, June
- 1995.
-
- RFC 1794: Brisco, T., "DNS Support for Load Balancing", April 1995.
-
- RFC 1713: Romao, A., "Tools for DNS debugging", November 1994.
-
- RFC 1712: Farrell, C., Schulze, M., Pleitner, S., and D. Baldoni,
- "DNS Encoding of Geographical Location", RFC 1712, November
- 1994.
-
- RFC 1706: Manning, B. and R. Colella, "DNS NSAP Resource Records",
- RFC 1706, October 1994.
-
- RFC 1700: Reynolds, J., and J. Postel, "ASSIGNED NUMBERS",
- STD 2, RFC 1700, October 1994.
-
- RFC 1183: Ullmann, R., Mockapetris, P., Mamakos, L., and
- C. Everhart, "New DNS RR Definitions", RFC 1183, November
- 1990.
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 8]
-
-RFC 2052 DNS SRV RR October 1996
-
-
- RFC 1101: Mockapetris, P., "DNS encoding of network names and other
- types", RFC 1101, April 1989.
-
- RFC 1035: Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- RFC 1034: Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034, November 1987.
-
- RFC 1033: Lottor, M., "Domain administrators operations guide",
- RFC 1033, November 1987.
-
- RFC 1032: Stahl, M., "Domain administrators guide", RFC 1032,
- November 1987.
-
- RFC 974: Partridge, C., "Mail routing and the domain system",
- STD 14, RFC 974, January 1986.
-
-Security Considerations
-
- The authors believes this RR to not cause any new security problems.
- Some problems become more visible, though.
-
- - The ability to specify ports on a fine-grained basis obviously
- changes how a router can filter packets. It becomes impossible
- to block internal clients from accessing specific external
- services, slightly harder to block internal users from running
- unautorised services, and more important for the router
- operations and DNS operations personnel to cooperate.
-
- - There is no way a site can keep its hosts from being referenced
- as servers (as, indeed, some sites become unwilling secondary
- MXes today). This could lead to denial of service.
-
- - With SRV, DNS spoofers can supply false port numbers, as well as
- host names and addresses. The authors do not see any practical
- effect of this.
-
- We assume that as the DNS-security people invent new features, DNS
- servers will return the relevant RRs in the Additional Data section
- when answering an SRV query.
-
-
-
-
-
-
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 9]
-
-RFC 2052 DNS SRV RR October 1996
-
-
-Authors' Addresses
-
- Arnt Gulbrandsen
- Troll Tech
- Postboks 6133 Etterstad
- N-0602 Oslo
- Norway
-
- Phone: +47 22646966
- EMail: agulbra@troll.no
-
-
- Paul Vixie
- Vixie Enterprises
- Star Route 159A
- Woodside, CA 94062
-
- Phone: (415) 747-0204
- EMail: paul@vix.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gulbrandsen & Vixie Experimental [Page 10]
-
diff --git a/contrib/bind9/doc/rfc/rfc2104.txt b/contrib/bind9/doc/rfc/rfc2104.txt
deleted file mode 100644
index a205103a2ede..000000000000
--- a/contrib/bind9/doc/rfc/rfc2104.txt
+++ /dev/null
@@ -1,620 +0,0 @@
-
-
-
-
-
-
-Network Working Group H. Krawczyk
-Request for Comments: 2104 IBM
-Category: Informational M. Bellare
- UCSD
- R. Canetti
- IBM
- February 1997
-
-
- HMAC: Keyed-Hashing for Message Authentication
-
-Status of This Memo
-
- This memo provides information for the Internet community. This memo
- does not specify an Internet standard of any kind. Distribution of
- this memo is unlimited.
-
-Abstract
-
- This document describes HMAC, a mechanism for message authentication
- using cryptographic hash functions. HMAC can be used with any
- iterative cryptographic hash function, e.g., MD5, SHA-1, in
- combination with a secret shared key. The cryptographic strength of
- HMAC depends on the properties of the underlying hash function.
-
-1. Introduction
-
- Providing a way to check the integrity of information transmitted
- over or stored in an unreliable medium is a prime necessity in the
- world of open computing and communications. Mechanisms that provide
- such integrity check based on a secret key are usually called
- "message authentication codes" (MAC). Typically, message
- authentication codes are used between two parties that share a secret
- key in order to validate information transmitted between these
- parties. In this document we present such a MAC mechanism based on
- cryptographic hash functions. This mechanism, called HMAC, is based
- on work by the authors [BCK1] where the construction is presented and
- cryptographically analyzed. We refer to that work for the details on
- the rationale and security analysis of HMAC, and its comparison to
- other keyed-hash methods.
-
-
-
-
-
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 1]
-
-RFC 2104 HMAC February 1997
-
-
- HMAC can be used in combination with any iterated cryptographic hash
- function. MD5 and SHA-1 are examples of such hash functions. HMAC
- also uses a secret key for calculation and verification of the
- message authentication values. The main goals behind this
- construction are
-
- * To use, without modifications, available hash functions.
- In particular, hash functions that perform well in software,
- and for which code is freely and widely available.
-
- * To preserve the original performance of the hash function without
- incurring a significant degradation.
-
- * To use and handle keys in a simple way.
-
- * To have a well understood cryptographic analysis of the strength of
- the authentication mechanism based on reasonable assumptions on the
- underlying hash function.
-
- * To allow for easy replaceability of the underlying hash function in
- case that faster or more secure hash functions are found or
- required.
-
- This document specifies HMAC using a generic cryptographic hash
- function (denoted by H). Specific instantiations of HMAC need to
- define a particular hash function. Current candidates for such hash
- functions include SHA-1 [SHA], MD5 [MD5], RIPEMD-128/160 [RIPEMD].
- These different realizations of HMAC will be denoted by HMAC-SHA1,
- HMAC-MD5, HMAC-RIPEMD, etc.
-
- Note: To the date of writing of this document MD5 and SHA-1 are the
- most widely used cryptographic hash functions. MD5 has been recently
- shown to be vulnerable to collision search attacks [Dobb]. This
- attack and other currently known weaknesses of MD5 do not compromise
- the use of MD5 within HMAC as specified in this document (see
- [Dobb]); however, SHA-1 appears to be a cryptographically stronger
- function. To this date, MD5 can be considered for use in HMAC for
- applications where the superior performance of MD5 is critical. In
- any case, implementers and users need to be aware of possible
- cryptanalytic developments regarding any of these cryptographic hash
- functions, and the eventual need to replace the underlying hash
- function. (See section 6 for more information on the security of
- HMAC.)
-
-
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 2]
-
-RFC 2104 HMAC February 1997
-
-
-2. Definition of HMAC
-
- The definition of HMAC requires a cryptographic hash function, which
- we denote by H, and a secret key K. We assume H to be a cryptographic
- hash function where data is hashed by iterating a basic compression
- function on blocks of data. We denote by B the byte-length of such
- blocks (B=64 for all the above mentioned examples of hash functions),
- and by L the byte-length of hash outputs (L=16 for MD5, L=20 for
- SHA-1). The authentication key K can be of any length up to B, the
- block length of the hash function. Applications that use keys longer
- than B bytes will first hash the key using H and then use the
- resultant L byte string as the actual key to HMAC. In any case the
- minimal recommended length for K is L bytes (as the hash output
- length). See section 3 for more information on keys.
-
- We define two fixed and different strings ipad and opad as follows
- (the 'i' and 'o' are mnemonics for inner and outer):
-
- ipad = the byte 0x36 repeated B times
- opad = the byte 0x5C repeated B times.
-
- To compute HMAC over the data `text' we perform
-
- H(K XOR opad, H(K XOR ipad, text))
-
- Namely,
-
- (1) append zeros to the end of K to create a B byte string
- (e.g., if K is of length 20 bytes and B=64, then K will be
- appended with 44 zero bytes 0x00)
- (2) XOR (bitwise exclusive-OR) the B byte string computed in step
- (1) with ipad
- (3) append the stream of data 'text' to the B byte string resulting
- from step (2)
- (4) apply H to the stream generated in step (3)
- (5) XOR (bitwise exclusive-OR) the B byte string computed in
- step (1) with opad
- (6) append the H result from step (4) to the B byte string
- resulting from step (5)
- (7) apply H to the stream generated in step (6) and output
- the result
-
- For illustration purposes, sample code based on MD5 is provided as an
- appendix.
-
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 3]
-
-RFC 2104 HMAC February 1997
-
-
-3. Keys
-
- The key for HMAC can be of any length (keys longer than B bytes are
- first hashed using H). However, less than L bytes is strongly
- discouraged as it would decrease the security strength of the
- function. Keys longer than L bytes are acceptable but the extra
- length would not significantly increase the function strength. (A
- longer key may be advisable if the randomness of the key is
- considered weak.)
-
- Keys need to be chosen at random (or using a cryptographically strong
- pseudo-random generator seeded with a random seed), and periodically
- refreshed. (Current attacks do not indicate a specific recommended
- frequency for key changes as these attacks are practically
- infeasible. However, periodic key refreshment is a fundamental
- security practice that helps against potential weaknesses of the
- function and keys, and limits the damage of an exposed key.)
-
-4. Implementation Note
-
- HMAC is defined in such a way that the underlying hash function H can
- be used with no modification to its code. In particular, it uses the
- function H with the pre-defined initial value IV (a fixed value
- specified by each iterative hash function to initialize its
- compression function). However, if desired, a performance
- improvement can be achieved at the cost of (possibly) modifying the
- code of H to support variable IVs.
-
- The idea is that the intermediate results of the compression function
- on the B-byte blocks (K XOR ipad) and (K XOR opad) can be precomputed
- only once at the time of generation of the key K, or before its first
- use. These intermediate results are stored and then used to
- initialize the IV of H each time that a message needs to be
- authenticated. This method saves, for each authenticated message,
- the application of the compression function of H on two B-byte blocks
- (i.e., on (K XOR ipad) and (K XOR opad)). Such a savings may be
- significant when authenticating short streams of data. We stress
- that the stored intermediate values need to be treated and protected
- the same as secret keys.
-
- Choosing to implement HMAC in the above way is a decision of the
- local implementation and has no effect on inter-operability.
-
-
-
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 4]
-
-RFC 2104 HMAC February 1997
-
-
-5. Truncated output
-
- A well-known practice with message authentication codes is to
- truncate the output of the MAC and output only part of the bits
- (e.g., [MM, ANSI]). Preneel and van Oorschot [PV] show some
- analytical advantages of truncating the output of hash-based MAC
- functions. The results in this area are not absolute as for the
- overall security advantages of truncation. It has advantages (less
- information on the hash result available to an attacker) and
- disadvantages (less bits to predict for the attacker). Applications
- of HMAC can choose to truncate the output of HMAC by outputting the t
- leftmost bits of the HMAC computation for some parameter t (namely,
- the computation is carried in the normal way as defined in section 2
- above but the end result is truncated to t bits). We recommend that
- the output length t be not less than half the length of the hash
- output (to match the birthday attack bound) and not less than 80 bits
- (a suitable lower bound on the number of bits that need to be
- predicted by an attacker). We propose denoting a realization of HMAC
- that uses a hash function H with t bits of output as HMAC-H-t. For
- example, HMAC-SHA1-80 denotes HMAC computed using the SHA-1 function
- and with the output truncated to 80 bits. (If the parameter t is not
- specified, e.g. HMAC-MD5, then it is assumed that all the bits of the
- hash are output.)
-
-6. Security
-
- The security of the message authentication mechanism presented here
- depends on cryptographic properties of the hash function H: the
- resistance to collision finding (limited to the case where the
- initial value is secret and random, and where the output of the
- function is not explicitly available to the attacker), and the
- message authentication property of the compression function of H when
- applied to single blocks (in HMAC these blocks are partially unknown
- to an attacker as they contain the result of the inner H computation
- and, in particular, cannot be fully chosen by the attacker).
-
- These properties, and actually stronger ones, are commonly assumed
- for hash functions of the kind used with HMAC. In particular, a hash
- function for which the above properties do not hold would become
- unsuitable for most (probably, all) cryptographic applications,
- including alternative message authentication schemes based on such
- functions. (For a complete analysis and rationale of the HMAC
- function the reader is referred to [BCK1].)
-
-
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 5]
-
-RFC 2104 HMAC February 1997
-
-
- Given the limited confidence gained so far as for the cryptographic
- strength of candidate hash functions, it is important to observe the
- following two properties of the HMAC construction and its secure use
- for message authentication:
-
- 1. The construction is independent of the details of the particular
- hash function H in use and then the latter can be replaced by any
- other secure (iterative) cryptographic hash function.
-
- 2. Message authentication, as opposed to encryption, has a
- "transient" effect. A published breaking of a message authentication
- scheme would lead to the replacement of that scheme, but would have
- no adversarial effect on information authenticated in the past. This
- is in sharp contrast with encryption, where information encrypted
- today may suffer from exposure in the future if, and when, the
- encryption algorithm is broken.
-
- The strongest attack known against HMAC is based on the frequency of
- collisions for the hash function H ("birthday attack") [PV,BCK2], and
- is totally impractical for minimally reasonable hash functions.
-
- As an example, if we consider a hash function like MD5 where the
- output length equals L=16 bytes (128 bits) the attacker needs to
- acquire the correct message authentication tags computed (with the
- _same_ secret key K!) on about 2**64 known plaintexts. This would
- require the processing of at least 2**64 blocks under H, an
- impossible task in any realistic scenario (for a block length of 64
- bytes this would take 250,000 years in a continuous 1Gbps link, and
- without changing the secret key K during all this time). This attack
- could become realistic only if serious flaws in the collision
- behavior of the function H are discovered (e.g. collisions found
- after 2**30 messages). Such a discovery would determine the immediate
- replacement of the function H (the effects of such failure would be
- far more severe for the traditional uses of H in the context of
- digital signatures, public key certificates, etc.).
-
- Note: this attack needs to be strongly contrasted with regular
- collision attacks on cryptographic hash functions where no secret key
- is involved and where 2**64 off-line parallelizable (!) operations
- suffice to find collisions. The latter attack is approaching
- feasibility [VW] while the birthday attack on HMAC is totally
- impractical. (In the above examples, if one uses a hash function
- with, say, 160 bit of output then 2**64 should be replaced by 2**80.)
-
-
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 6]
-
-RFC 2104 HMAC February 1997
-
-
- A correct implementation of the above construction, the choice of
- random (or cryptographically pseudorandom) keys, a secure key
- exchange mechanism, frequent key refreshments, and good secrecy
- protection of keys are all essential ingredients for the security of
- the integrity verification mechanism provided by HMAC.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 7]
-
-RFC 2104 HMAC February 1997
-
-
-Appendix -- Sample Code
-
- For the sake of illustration we provide the following sample code for
- the implementation of HMAC-MD5 as well as some corresponding test
- vectors (the code is based on MD5 code as described in [MD5]).
-
-/*
-** Function: hmac_md5
-*/
-
-void
-hmac_md5(text, text_len, key, key_len, digest)
-unsigned char* text; /* pointer to data stream */
-int text_len; /* length of data stream */
-unsigned char* key; /* pointer to authentication key */
-int key_len; /* length of authentication key */
-caddr_t digest; /* caller digest to be filled in */
-
-{
- MD5_CTX context;
- unsigned char k_ipad[65]; /* inner padding -
- * key XORd with ipad
- */
- unsigned char k_opad[65]; /* outer padding -
- * key XORd with opad
- */
- unsigned char tk[16];
- int i;
- /* if key is longer than 64 bytes reset it to key=MD5(key) */
- if (key_len > 64) {
-
- MD5_CTX tctx;
-
- MD5Init(&tctx);
- MD5Update(&tctx, key, key_len);
- MD5Final(tk, &tctx);
-
- key = tk;
- key_len = 16;
- }
-
- /*
- * the HMAC_MD5 transform looks like:
- *
- * MD5(K XOR opad, MD5(K XOR ipad, text))
- *
- * where K is an n byte key
- * ipad is the byte 0x36 repeated 64 times
-
-
-
-Krawczyk, et. al. Informational [Page 8]
-
-RFC 2104 HMAC February 1997
-
-
- * opad is the byte 0x5c repeated 64 times
- * and text is the data being protected
- */
-
- /* start out by storing key in pads */
- bzero( k_ipad, sizeof k_ipad);
- bzero( k_opad, sizeof k_opad);
- bcopy( key, k_ipad, key_len);
- bcopy( key, k_opad, key_len);
-
- /* XOR key with ipad and opad values */
- for (i=0; i<64; i++) {
- k_ipad[i] ^= 0x36;
- k_opad[i] ^= 0x5c;
- }
- /*
- * perform inner MD5
- */
- MD5Init(&context); /* init context for 1st
- * pass */
- MD5Update(&context, k_ipad, 64) /* start with inner pad */
- MD5Update(&context, text, text_len); /* then text of datagram */
- MD5Final(digest, &context); /* finish up 1st pass */
- /*
- * perform outer MD5
- */
- MD5Init(&context); /* init context for 2nd
- * pass */
- MD5Update(&context, k_opad, 64); /* start with outer pad */
- MD5Update(&context, digest, 16); /* then results of 1st
- * hash */
- MD5Final(digest, &context); /* finish up 2nd pass */
-}
-
-Test Vectors (Trailing '\0' of a character string not included in test):
-
- key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
- key_len = 16 bytes
- data = "Hi There"
- data_len = 8 bytes
- digest = 0x9294727a3638bb1c13f48ef8158bfc9d
-
- key = "Jefe"
- data = "what do ya want for nothing?"
- data_len = 28 bytes
- digest = 0x750c783e6ab0b503eaa86e310a5db738
-
- key = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-
-
-
-Krawczyk, et. al. Informational [Page 9]
-
-RFC 2104 HMAC February 1997
-
-
- key_len 16 bytes
- data = 0xDDDDDDDDDDDDDDDDDDDD...
- ..DDDDDDDDDDDDDDDDDDDD...
- ..DDDDDDDDDDDDDDDDDDDD...
- ..DDDDDDDDDDDDDDDDDDDD...
- ..DDDDDDDDDDDDDDDDDDDD
- data_len = 50 bytes
- digest = 0x56be34521d144c88dbb8c733f0e8b3f6
-
-Acknowledgments
-
- Pau-Chen Cheng, Jeff Kraemer, and Michael Oehler, have provided
- useful comments on early drafts, and ran the first interoperability
- tests of this specification. Jeff and Pau-Chen kindly provided the
- sample code and test vectors that appear in the appendix. Burt
- Kaliski, Bart Preneel, Matt Robshaw, Adi Shamir, and Paul van
- Oorschot have provided useful comments and suggestions during the
- investigation of the HMAC construction.
-
-References
-
- [ANSI] ANSI X9.9, "American National Standard for Financial
- Institution Message Authentication (Wholesale)," American
- Bankers Association, 1981. Revised 1986.
-
- [Atk] Atkinson, R., "IP Authentication Header", RFC 1826, August
- 1995.
-
- [BCK1] M. Bellare, R. Canetti, and H. Krawczyk,
- "Keyed Hash Functions and Message Authentication",
- Proceedings of Crypto'96, LNCS 1109, pp. 1-15.
- (http://www.research.ibm.com/security/keyed-md5.html)
-
- [BCK2] M. Bellare, R. Canetti, and H. Krawczyk,
- "Pseudorandom Functions Revisited: The Cascade Construction",
- Proceedings of FOCS'96.
-
- [Dobb] H. Dobbertin, "The Status of MD5 After a Recent Attack",
- RSA Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996.
- http://www.rsa.com/rsalabs/pubs/cryptobytes.html
-
- [PV] B. Preneel and P. van Oorschot, "Building fast MACs from hash
- functions", Advances in Cryptology -- CRYPTO'95 Proceedings,
- Lecture Notes in Computer Science, Springer-Verlag Vol.963,
- 1995, pp. 1-14.
-
- [MD5] Rivest, R., "The MD5 Message-Digest Algorithm",
- RFC 1321, April 1992.
-
-
-
-Krawczyk, et. al. Informational [Page 10]
-
-RFC 2104 HMAC February 1997
-
-
- [MM] Meyer, S. and Matyas, S.M., Cryptography, New York Wiley,
- 1982.
-
- [RIPEMD] H. Dobbertin, A. Bosselaers, and B. Preneel, "RIPEMD-160: A
- strengthened version of RIPEMD", Fast Software Encryption,
- LNCS Vol 1039, pp. 71-82.
- ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/.
-
- [SHA] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.
-
- [Tsu] G. Tsudik, "Message authentication with one-way hash
- functions", In Proceedings of Infocom'92, May 1992.
- (Also in "Access Control and Policy Enforcement in
- Internetworks", Ph.D. Dissertation, Computer Science
- Department, University of Southern California, April 1991.)
-
- [VW] P. van Oorschot and M. Wiener, "Parallel Collision
- Search with Applications to Hash Functions and Discrete
- Logarithms", Proceedings of the 2nd ACM Conf. Computer and
- Communications Security, Fairfax, VA, November 1994.
-
-Authors' Addresses
-
- Hugo Krawczyk
- IBM T.J. Watson Research Center
- P.O.Box 704
- Yorktown Heights, NY 10598
-
- EMail: hugo@watson.ibm.com
-
- Mihir Bellare
- Dept of Computer Science and Engineering
- Mail Code 0114
- University of California at San Diego
- 9500 Gilman Drive
- La Jolla, CA 92093
-
- EMail: mihir@cs.ucsd.edu
-
- Ran Canetti
- IBM T.J. Watson Research Center
- P.O.Box 704
- Yorktown Heights, NY 10598
-
- EMail: canetti@watson.ibm.com
-
-
-
-
-
-
-Krawczyk, et. al. Informational [Page 11]
-
-
diff --git a/contrib/bind9/doc/rfc/rfc2119.txt b/contrib/bind9/doc/rfc/rfc2119.txt
deleted file mode 100644
index e31fae47fd1f..000000000000
--- a/contrib/bind9/doc/rfc/rfc2119.txt
+++ /dev/null
@@ -1,171 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Bradner
-Request for Comments: 2119 Harvard University
-BCP: 14 March 1997
-Category: Best Current Practice
-
-
- Key words for use in RFCs to Indicate Requirement Levels
-
-Status of this Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Abstract
-
- In many standards track documents several words are used to signify
- the requirements in the specification. These words are often
- capitalized. This document defines these words as they should be
- interpreted in IETF documents. Authors who follow these guidelines
- should incorporate this phrase near the beginning of their document:
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
- NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
- "OPTIONAL" in this document are to be interpreted as described in
- RFC 2119.
-
- Note that the force of these words is modified by the requirement
- level of the document in which they are used.
-
-1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
- definition is an absolute requirement of the specification.
-
-2. MUST NOT This phrase, or the phrase "SHALL NOT", mean that the
- definition is an absolute prohibition of the specification.
-
-3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
- may exist valid reasons in particular circumstances to ignore a
- particular item, but the full implications must be understood and
- carefully weighed before choosing a different course.
-
-4. SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that
- there may exist valid reasons in particular circumstances when the
- particular behavior is acceptable or even useful, but the full
- implications should be understood and the case carefully weighed
- before implementing any behavior described with this label.
-
-
-
-
-
-Bradner Best Current Practice [Page 1]
-
-RFC 2119 RFC Key Words March 1997
-
-
-5. MAY This word, or the adjective "OPTIONAL", mean that an item is
- truly optional. One vendor may choose to include the item because a
- particular marketplace requires it or because the vendor feels that
- it enhances the product while another vendor may omit the same item.
- An implementation which does not include a particular option MUST be
- prepared to interoperate with another implementation which does
- include the option, though perhaps with reduced functionality. In the
- same vein an implementation which does include a particular option
- MUST be prepared to interoperate with another implementation which
- does not include the option (except, of course, for the feature the
- option provides.)
-
-6. Guidance in the use of these Imperatives
-
- Imperatives of the type defined in this memo must be used with care
- and sparingly. In particular, they MUST only be used where it is
- actually required for interoperation or to limit behavior which has
- potential for causing harm (e.g., limiting retransmisssions) For
- example, they must not be used to try to impose a particular method
- on implementors where the method is not required for
- interoperability.
-
-7. Security Considerations
-
- These terms are frequently used to specify behavior with security
- implications. The effects on security of not implementing a MUST or
- SHOULD, or doing something the specification says MUST NOT or SHOULD
- NOT be done may be very subtle. Document authors should take the time
- to elaborate the security implications of not following
- recommendations or requirements as most implementors will not have
- had the benefit of the experience and discussion that produced the
- specification.
-
-8. Acknowledgments
-
- The definitions of these terms are an amalgam of definitions taken
- from a number of RFCs. In addition, suggestions have been
- incorporated from a number of people including Robert Ullmann, Thomas
- Narten, Neal McBurnett, and Robert Elz.
-
-
-
-
-
-
-
-
-
-
-
-
-Bradner Best Current Practice [Page 2]
-
-RFC 2119 RFC Key Words March 1997
-
-
-9. Author's Address
-
- Scott Bradner
- Harvard University
- 1350 Mass. Ave.
- Cambridge, MA 02138
-
- phone - +1 617 495 3864
-
- email - sob@harvard.edu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bradner Best Current Practice [Page 3]
-
diff --git a/contrib/bind9/doc/rfc/rfc2133.txt b/contrib/bind9/doc/rfc/rfc2133.txt
deleted file mode 100644
index ea66cf012679..000000000000
--- a/contrib/bind9/doc/rfc/rfc2133.txt
+++ /dev/null
@@ -1,1795 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Gilligan
-Request for Comments: 2133 Freegate
-Category: Informational S. Thomson
- Bellcore
- J. Bound
- Digital
- W. Stevens
- Consultant
- April 1997
-
- Basic Socket Interface Extensions for IPv6
-
-Status of this Memo
-
- This memo provides information for the Internet community. This memo
- does not specify an Internet standard of any kind. Distribution of
- this memo is unlimited.
-
-Abstract
-
- The de facto standard application program interface (API) for TCP/IP
- applications is the "sockets" interface. Although this API was
- developed for Unix in the early 1980s it has also been implemented on
- a wide variety of non-Unix systems. TCP/IP applications written
- using the sockets API have in the past enjoyed a high degree of
- portability and we would like the same portability with IPv6
- applications. But changes are required to the sockets API to support
- IPv6 and this memo describes these changes. These include a new
- socket address structure to carry IPv6 addresses, new address
- conversion functions, and some new socket options. These extensions
- are designed to provide access to the basic IPv6 features required by
- TCP and UDP applications, including multicasting, while introducing a
- minimum of change into the system and providing complete
- compatibility for existing IPv4 applications. Additional extensions
- for advanced IPv6 features (raw sockets and access to the IPv6
- extension headers) are defined in another document [5].
-
-Table of Contents
-
- 1. Introduction ................................................ 2
- 2. Design Considerations ....................................... 3
- 2.1. What Needs to be Changed .................................. 3
- 2.2. Data Types ................................................ 5
- 2.3. Headers ................................................... 5
- 2.4. Structures ................................................ 5
- 3. Socket Interface ............................................ 5
- 3.1. IPv6 Address Family and Protocol Family ................... 5
- 3.2. IPv6 Address Structure .................................... 6
-
-
-
-Gilligan, et. al. Informational [Page 1]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- 3.3. Socket Address Structure for 4.3BSD-Based Systems ......... 6
- 3.4. Socket Address Structure for 4.4BSD-Based Systems ......... 7
- 3.5. The Socket Functions ...................................... 8
- 3.6. Compatibility with IPv4 Applications ...................... 9
- 3.7. Compatibility with IPv4 Nodes ............................. 9
- 3.8. IPv6 Wildcard Address ..................................... 10
- 3.9. IPv6 Loopback Address ..................................... 11
- 4. Interface Identification .................................... 12
- 4.1. Name-to-Index ............................................. 13
- 4.2. Index-to-Name ............................................. 13
- 4.3. Return All Interface Names and Indexes .................... 14
- 4.4. Free Memory ............................................... 14
- 5. Socket Options .............................................. 14
- 5.1. Changing Socket Type ...................................... 15
- 5.2. Unicast Hop Limit ......................................... 16
- 5.3. Sending and Receiving Multicast Packets ................... 17
- 6. Library Functions ........................................... 19
- 6.1. Hostname-to-Address Translation ........................... 19
- 6.2. Address To Hostname Translation ........................... 22
- 6.3. Protocol-Independent Hostname and Service Name Translation 22
- 6.4. Socket Address Structure to Hostname and Service Name ..... 25
- 6.5. Address Conversion Functions .............................. 27
- 6.6. Address Testing Macros .................................... 28
- 7. Summary of New Definitions .................................. 29
- 8. Security Considerations ..................................... 31
- 9. Acknowledgments ............................................. 31
- 10. References ................................................. 31
- 11. Authors' Addresses ......................................... 32
-
-1. Introduction
-
- While IPv4 addresses are 32 bits long, IPv6 interfaces are identified
- by 128-bit addresses. The socket interface make the size of an IP
- address quite visible to an application; virtually all TCP/IP
- applications for BSD-based systems have knowledge of the size of an
- IP address. Those parts of the API that expose the addresses must be
- changed to accommodate the larger IPv6 address size. IPv6 also
- introduces new features (e.g., flow label and priority), some of
- which must be made visible to applications via the API. This memo
- defines a set of extensions to the socket interface to support the
- larger address size and new features of IPv6.
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 2]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-2. Design Considerations
-
- There are a number of important considerations in designing changes
- to this well-worn API:
-
- - The API changes should provide both source and binary
- compatibility for programs written to the original API. That is,
- existing program binaries should continue to operate when run on
- a system supporting the new API. In addition, existing
- applications that are re-compiled and run on a system supporting
- the new API should continue to operate. Simply put, the API
- changes for IPv6 should not break existing programs.
-
- - The changes to the API should be as small as possible in order to
- simplify the task of converting existing IPv4 applications to
- IPv6.
-
- - Where possible, applications should be able to use this API to
- interoperate with both IPv6 and IPv4 hosts. Applications should
- not need to know which type of host they are communicating with.
-
- - IPv6 addresses carried in data structures should be 64-bit
- aligned. This is necessary in order to obtain optimum
- performance on 64-bit machine architectures.
-
- Because of the importance of providing IPv4 compatibility in the API,
- these extensions are explicitly designed to operate on machines that
- provide complete support for both IPv4 and IPv6. A subset of this
- API could probably be designed for operation on systems that support
- only IPv6. However, this is not addressed in this memo.
-
-2.1. What Needs to be Changed
-
- The socket interface API consists of a few distinct components:
-
- - Core socket functions.
-
- - Address data structures.
-
- - Name-to-address translation functions.
-
- - Address conversion functions.
-
- The core socket functions -- those functions that deal with such
- things as setting up and tearing down TCP connections, and sending
- and receiving UDP packets -- were designed to be transport
- independent. Where protocol addresses are passed as function
- arguments, they are carried via opaque pointers. A protocol-specific
-
-
-
-Gilligan, et. al. Informational [Page 3]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- address data structure is defined for each protocol that the socket
- functions support. Applications must cast pointers to these
- protocol-specific address structures into pointers to the generic
- "sockaddr" address structure when using the socket functions. These
- functions need not change for IPv6, but a new IPv6-specific address
- data structure is needed.
-
- The "sockaddr_in" structure is the protocol-specific data structure
- for IPv4. This data structure actually includes 8-octets of unused
- space, and it is tempting to try to use this space to adapt the
- sockaddr_in structure to IPv6. Unfortunately, the sockaddr_in
- structure is not large enough to hold the 16-octet IPv6 address as
- well as the other information (address family and port number) that
- is needed. So a new address data structure must be defined for IPv6.
-
- The name-to-address translation functions in the socket interface are
- gethostbyname() and gethostbyaddr(). These must be modified to
- support IPv6 and the semantics defined must provide 100% backward
- compatibility for all existing IPv4 applications, along with IPv6
- support for new applications. Additionally, the POSIX 1003.g work in
- progress [4] specifies a new hostname-to-address translation function
- which is protocol independent. This function can also be used with
- IPv6.
-
- The address conversion functions -- inet_ntoa() and inet_addr() --
- convert IPv4 addresses between binary and printable form. These
- functions are quite specific to 32-bit IPv4 addresses. We have
- designed two analogous functions that convert both IPv4 and IPv6
- addresses, and carry an address type parameter so that they can be
- extended to other protocol families as well.
-
- Finally, a few miscellaneous features are needed to support IPv6.
- New interfaces are needed to support the IPv6 flow label, priority,
- and hop limit header fields. New socket options are needed to
- control the sending and receiving of IPv6 multicast packets.
-
- The socket interface will be enhanced in the future to provide access
- to other IPv6 features. These extensions are described in [5].
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 4]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-2.2. Data Types
-
- The data types of the structure elements given in this memo are
- intended to be examples, not absolute requirements. Whenever
- possible, POSIX 1003.1g data types are used: u_intN_t means an
- unsigned integer of exactly N bits (e.g., u_int16_t) and u_intNm_t
- means an unsigned integer of at least N bits (e.g., u_int32m_t). We
- also assume the argument data types from 1003.1g when possible (e.g.,
- the final argument to setsockopt() is a size_t value). Whenever
- buffer sizes are specified, the POSIX 1003.1 size_t data type is used
- (e.g., the two length arguments to getnameinfo()).
-
-2.3. Headers
-
- When function prototypes and structures are shown we show the headers
- that must be #included to cause that item to be defined.
-
-2.4. Structures
-
- When structures are described the members shown are the ones that
- must appear in an implementation. Additional, nonstandard members
- may also be defined by an implementation.
-
- The ordering shown for the members of a structure is the recommended
- ordering, given alignment considerations of multibyte members, but an
- implementation may order the members differently.
-
-3. Socket Interface
-
- This section specifies the socket interface changes for IPv6.
-
-3.1. IPv6 Address Family and Protocol Family
-
- A new address family name, AF_INET6, is defined in <sys/socket.h>.
- The AF_INET6 definition distinguishes between the original
- sockaddr_in address data structure, and the new sockaddr_in6 data
- structure.
-
- A new protocol family name, PF_INET6, is defined in <sys/socket.h>.
- Like most of the other protocol family names, this will usually be
- defined to have the same value as the corresponding address family
- name:
-
- #define PF_INET6 AF_INET6
-
- The PF_INET6 is used in the first argument to the socket() function
- to indicate that an IPv6 socket is being created.
-
-
-
-
-Gilligan, et. al. Informational [Page 5]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-3.2. IPv6 Address Structure
-
- A new data structure to hold a single IPv6 address is defined as
- follows:
-
- #include <netinet/in.h>
-
- struct in6_addr {
- u_int8_t s6_addr[16]; /* IPv6 address */
- }
-
- This data structure contains an array of sixteen 8-bit elements,
- which make up one 128-bit IPv6 address. The IPv6 address is stored
- in network byte order.
-
-3.3. Socket Address Structure for 4.3BSD-Based Systems
-
- In the socket interface, a different protocol-specific data structure
- is defined to carry the addresses for each protocol suite. Each
- protocol-specific data structure is designed so it can be cast into a
- protocol-independent data structure -- the "sockaddr" structure.
- Each has a "family" field that overlays the "sa_family" of the
- sockaddr data structure. This field identifies the type of the data
- structure.
-
- The sockaddr_in structure is the protocol-specific address data
- structure for IPv4. It is used to pass addresses between
- applications and the system in the socket functions. The following
- structure is defined to carry IPv6 addresses:
-
- #include <netinet/in.h>
-
- struct sockaddr_in6 {
- u_int16m_t sin6_family; /* AF_INET6 */
- u_int16m_t sin6_port; /* transport layer port # */
- u_int32m_t sin6_flowinfo; /* IPv6 flow information */
- struct in6_addr sin6_addr; /* IPv6 address */
- };
-
- This structure is designed to be compatible with the sockaddr data
- structure used in the 4.3BSD release.
-
- The sin6_family field identifies this as a sockaddr_in6 structure.
- This field overlays the sa_family field when the buffer is cast to a
- sockaddr data structure. The value of this field must be AF_INET6.
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 6]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The sin6_port field contains the 16-bit UDP or TCP port number. This
- field is used in the same way as the sin_port field of the
- sockaddr_in structure. The port number is stored in network byte
- order.
-
- The sin6_flowinfo field is a 32-bit field that contains two pieces of
- information: the 24-bit IPv6 flow label and the 4-bit priority field.
- The contents and interpretation of this member is unspecified at this
- time.
-
- The sin6_addr field is a single in6_addr structure (defined in the
- previous section). This field holds one 128-bit IPv6 address. The
- address is stored in network byte order.
-
- The ordering of elements in this structure is specifically designed
- so that the sin6_addr field will be aligned on a 64-bit boundary.
- This is done for optimum performance on 64-bit architectures.
-
- Notice that the sockaddr_in6 structure will normally be larger than
- the generic sockaddr structure. On many existing implementations the
- sizeof(struct sockaddr_in) equals sizeof(struct sockaddr), with both
- being 16 bytes. Any existing code that makes this assumption needs
- to be examined carefully when converting to IPv6.
-
-3.4. Socket Address Structure for 4.4BSD-Based Systems
-
- The 4.4BSD release includes a small, but incompatible change to the
- socket interface. The "sa_family" field of the sockaddr data
- structure was changed from a 16-bit value to an 8-bit value, and the
- space saved used to hold a length field, named "sa_len". The
- sockaddr_in6 data structure given in the previous section cannot be
- correctly cast into the newer sockaddr data structure. For this
- reason, the following alternative IPv6 address data structure is
- provided to be used on systems based on 4.4BSD:
-
- #include <netinet/in.h>
-
- #define SIN6_LEN
-
- struct sockaddr_in6 {
- u_char sin6_len; /* length of this struct */
- u_char sin6_family; /* AF_INET6 */
- u_int16m_t sin6_port; /* transport layer port # */
- u_int32m_t sin6_flowinfo; /* IPv6 flow information */
- struct in6_addr sin6_addr; /* IPv6 address */
- };
-
-
-
-
-
-Gilligan, et. al. Informational [Page 7]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The only differences between this data structure and the 4.3BSD
- variant are the inclusion of the length field, and the change of the
- family field to a 8-bit data type. The definitions of all the other
- fields are identical to the structure defined in the previous
- section.
-
- Systems that provide this version of the sockaddr_in6 data structure
- must also declare SIN6_LEN as a result of including the
- <netinet/in.h> header. This macro allows applications to determine
- whether they are being built on a system that supports the 4.3BSD or
- 4.4BSD variants of the data structure.
-
-3.5. The Socket Functions
-
- Applications call the socket() function to create a socket descriptor
- that represents a communication endpoint. The arguments to the
- socket() function tell the system which protocol to use, and what
- format address structure will be used in subsequent functions. For
- example, to create an IPv4/TCP socket, applications make the call:
-
- s = socket(PF_INET, SOCK_STREAM, 0);
-
- To create an IPv4/UDP socket, applications make the call:
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
-
- Applications may create IPv6/TCP and IPv6/UDP sockets by simply using
- the constant PF_INET6 instead of PF_INET in the first argument. For
- example, to create an IPv6/TCP socket, applications make the call:
-
- s = socket(PF_INET6, SOCK_STREAM, 0);
-
- To create an IPv6/UDP socket, applications make the call:
-
- s = socket(PF_INET6, SOCK_DGRAM, 0);
-
- Once the application has created a PF_INET6 socket, it must use the
- sockaddr_in6 address structure when passing addresses in to the
- system. The functions that the application uses to pass addresses
- into the system are:
-
- bind()
- connect()
- sendmsg()
- sendto()
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 8]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The system will use the sockaddr_in6 address structure to return
- addresses to applications that are using PF_INET6 sockets. The
- functions that return an address from the system to an application
- are:
-
- accept()
- recvfrom()
- recvmsg()
- getpeername()
- getsockname()
-
- No changes to the syntax of the socket functions are needed to
- support IPv6, since all of the "address carrying" functions use an
- opaque address pointer, and carry an address length as a function
- argument.
-
-3.6. Compatibility with IPv4 Applications
-
- In order to support the large base of applications using the original
- API, system implementations must provide complete source and binary
- compatibility with the original API. This means that systems must
- continue to support PF_INET sockets and the sockaddr_in address
- structure. Applications must be able to create IPv4/TCP and IPv4/UDP
- sockets using the PF_INET constant in the socket() function, as
- described in the previous section. Applications should be able to
- hold a combination of IPv4/TCP, IPv4/UDP, IPv6/TCP and IPv6/UDP
- sockets simultaneously within the same process.
-
- Applications using the original API should continue to operate as
- they did on systems supporting only IPv4. That is, they should
- continue to interoperate with IPv4 nodes.
-
-3.7. Compatibility with IPv4 Nodes
-
- The API also provides a different type of compatibility: the ability
- for IPv6 applications to interoperate with IPv4 applications. This
- feature uses the IPv4-mapped IPv6 address format defined in the IPv6
- addressing architecture specification [2]. This address format
- allows the IPv4 address of an IPv4 node to be represented as an IPv6
- address. The IPv4 address is encoded into the low-order 32 bits of
- the IPv6 address, and the high-order 96 bits hold the fixed prefix
- 0:0:0:0:0:FFFF. IPv4-mapped addresses are written as follows:
-
- ::FFFF:<IPv4-address>
-
- These addresses are often generated automatically by the
- gethostbyname() function when the specified host has only IPv4
- addresses (as described in Section 6.1).
-
-
-
-Gilligan, et. al. Informational [Page 9]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- Applications may use PF_INET6 sockets to open TCP connections to IPv4
- nodes, or send UDP packets to IPv4 nodes, by simply encoding the
- destination's IPv4 address as an IPv4-mapped IPv6 address, and
- passing that address, within a sockaddr_in6 structure, in the
- connect() or sendto() call. When applications use PF_INET6 sockets
- to accept TCP connections from IPv4 nodes, or receive UDP packets
- from IPv4 nodes, the system returns the peer's address to the
- application in the accept(), recvfrom(), or getpeername() call using
- a sockaddr_in6 structure encoded this way.
-
- Few applications will likely need to know which type of node they are
- interoperating with. However, for those applications that do need to
- know, the IN6_IS_ADDR_V4MAPPED() macro, defined in Section 6.6, is
- provided.
-
-3.8. IPv6 Wildcard Address
-
- While the bind() function allows applications to select the source IP
- address of UDP packets and TCP connections, applications often want
- the system to select the source address for them. With IPv4, one
- specifies the address as the symbolic constant INADDR_ANY (called the
- "wildcard" address) in the bind() call, or simply omits the bind()
- entirely.
-
- Since the IPv6 address type is a structure (struct in6_addr), a
- symbolic constant can be used to initialize an IPv6 address variable,
- but cannot be used in an assignment. Therefore systems provide the
- IPv6 wildcard address in two forms.
-
- The first version is a global variable named "in6addr_any" that is an
- in6_addr structure. The extern declaration for this variable is
- defined in <netinet/in.h>:
-
- extern const struct in6_addr in6addr_any;
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 10]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- Applications use in6addr_any similarly to the way they use INADDR_ANY
- in IPv4. For example, to bind a socket to port number 23, but let
- the system select the source address, an application could use the
- following code:
-
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_family = AF_INET6;
- sin6.sin6_flowinfo = 0;
- sin6.sin6_port = htons(23);
- sin6.sin6_addr = in6addr_any; /* structure assignment */
- . . .
- if (bind(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
- . . .
-
- The other version is a symbolic constant named IN6ADDR_ANY_INIT and
- is defined in <netinet/in.h>. This constant can be used to
- initialize an in6_addr structure:
-
- struct in6_addr anyaddr = IN6ADDR_ANY_INIT;
-
- Note that this constant can be used ONLY at declaration time. It can
- not be used to assign a previously declared in6_addr structure. For
- example, the following code will not work:
-
- /* This is the WRONG way to assign an unspecified address */
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_addr = IN6ADDR_ANY_INIT; /* will NOT compile */
-
- Be aware that the IPv4 INADDR_xxx constants are all defined in host
- byte order but the IPv6 IN6ADDR_xxx constants and the IPv6
- in6addr_xxx externals are defined in network byte order.
-
-3.9. IPv6 Loopback Address
-
- Applications may need to send UDP packets to, or originate TCP
- connections to, services residing on the local node. In IPv4, they
- can do this by using the constant IPv4 address INADDR_LOOPBACK in
- their connect(), sendto(), or sendmsg() call.
-
- IPv6 also provides a loopback address to contact local TCP and UDP
- services. Like the unspecified address, the IPv6 loopback address is
- provided in two forms -- a global variable and a symbolic constant.
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 11]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The global variable is an in6_addr structure named
- "in6addr_loopback." The extern declaration for this variable is
- defined in <netinet/in.h>:
-
- extern const struct in6_addr in6addr_loopback;
-
- Applications use in6addr_loopback as they would use INADDR_LOOPBACK
- in IPv4 applications (but beware of the byte ordering difference
- mentioned at the end of the previous section). For example, to open
- a TCP connection to the local telnet server, an application could use
- the following code:
-
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_family = AF_INET6;
- sin6.sin6_flowinfo = 0;
- sin6.sin6_port = htons(23);
- sin6.sin6_addr = in6addr_loopback; /* structure assignment */
- . . .
- if (connect(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
- . . .
-
- The symbolic constant is named IN6ADDR_LOOPBACK_INIT and is defined
- in <netinet/in.h>. It can be used at declaration time ONLY; for
- example:
-
- struct in6_addr loopbackaddr = IN6ADDR_LOOPBACK_INIT;
-
- Like IN6ADDR_ANY_INIT, this constant cannot be used in an assignment
- to a previously declared IPv6 address variable.
-
-4. Interface Identification
-
- This API uses an interface index (a small positive integer) to
- identify the local interface on which a multicast group is joined
- (Section 5.3). Additionally, the advanced API [5] uses these same
- interface indexes to identify the interface on which a datagram is
- received, or to specify the interface on which a datagram is to be
- sent.
-
- Interfaces are normally known by names such as "le0", "sl1", "ppp2",
- and the like. On Berkeley-derived implementations, when an interface
- is made known to the system, the kernel assigns a unique positive
- integer value (called the interface index) to that interface. These
- are small positive integers that start at 1. (Note that 0 is never
- used for an interface index.) There may be gaps so that there is no
- current interface for a particular positive interface index.
-
-
-
-
-Gilligan, et. al. Informational [Page 12]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- This API defines two functions that map between an interface name and
- index, a third function that returns all the interface names and
- indexes, and a fourth function to return the dynamic memory allocated
- by the previous function. How these functions are implemented is
- left up to the implementation. 4.4BSD implementations can implement
- these functions using the existing sysctl() function with the
- NET_RT_LIST command. Other implementations may wish to use ioctl()
- for this purpose.
-
-4.1. Name-to-Index
-
- The first function maps an interface name into its corresponding
- index.
-
- #include <net/if.h>
-
- unsigned int if_nametoindex(const char *ifname);
-
- If the specified interface does not exist, the return value is 0.
-
-4.2. Index-to-Name
-
- The second function maps an interface index into its corresponding
- name.
-
- #include <net/if.h>
-
- char *if_indextoname(unsigned int ifindex, char *ifname);
-
- The ifname argument must point to a buffer of at least IFNAMSIZ bytes
- into which the interface name corresponding to the specified index is
- returned. (IFNAMSIZ is also defined in <net/if.h> and its value
- includes a terminating null byte at the end of the interface name.)
- This pointer is also the return value of the function. If there is
- no interface corresponding to the specified index, NULL is returned.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 13]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-4.3. Return All Interface Names and Indexes
-
- The final function returns an array of if_nameindex structures, one
- structure per interface.
-
- #include <net/if.h>
-
- struct if_nameindex {
- unsigned int if_index; /* 1, 2, ... */
- char *if_name; /* null terminated name: "le0", ... */
- };
-
- struct if_nameindex *if_nameindex(void);
-
- The end of the array of structures is indicated by a structure with
- an if_index of 0 and an if_name of NULL. The function returns a NULL
- pointer upon an error.
-
- The memory used for this array of structures along with the interface
- names pointed to by the if_name members is obtained dynamically.
- This memory is freed by the next function.
-
-4.4. Free Memory
-
- The following function frees the dynamic memory that was allocated by
- if_nameindex().
-
- #include <net/if.h>
-
- void if_freenameindex(struct if_nameindex *ptr);
-
- The argument to this function must be a pointer that was returned by
- if_nameindex().
-
-5. Socket Options
-
- A number of new socket options are defined for IPv6. All of these
- new options are at the IPPROTO_IPV6 level. That is, the "level"
- parameter in the getsockopt() and setsockopt() calls is IPPROTO_IPV6
- when using these options. The constant name prefix IPV6_ is used in
- all of the new socket options. This serves to clearly identify these
- options as applying to IPv6.
-
- The declaration for IPPROTO_IPV6, the new IPv6 socket options, and
- related constants defined in this section are obtained by including
- the header <netinet/in.h>.
-
-
-
-
-
-Gilligan, et. al. Informational [Page 14]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-5.1. Changing Socket Type
-
- Unix allows open sockets to be passed between processes via the
- exec() call and other means. It is a relatively common application
- practice to pass open sockets across exec() calls. Thus it is
- possible for an application using the original API to pass an open
- PF_INET socket to an application that is expecting to receive a
- PF_INET6 socket. Similarly, it is possible for an application using
- the extended API to pass an open PF_INET6 socket to an application
- using the original API, which would be equipped only to deal with
- PF_INET sockets. Either of these cases could cause problems, because
- the application that is passed the open socket might not know how to
- decode the address structures returned in subsequent socket
- functions.
-
- To remedy this problem, a new setsockopt() option is defined that
- allows an application to "convert" a PF_INET6 socket into a PF_INET
- socket and vice versa.
-
- An IPv6 application that is passed an open socket from an unknown
- process may use the IPV6_ADDRFORM setsockopt() option to "convert"
- the socket to PF_INET6. Once that has been done, the system will
- return sockaddr_in6 address structures in subsequent socket
- functions.
-
- An IPv6 application that is about to pass an open PF_INET6 socket to
- a program that is not be IPv6 capable can "downgrade" the socket to
- PF_INET before calling exec(). After that, the system will return
- sockaddr_in address structures to the application that was exec()'ed.
- Be aware that you cannot downgrade an IPv6 socket to an IPv4 socket
- unless all nonwildcard addresses already associated with the IPv6
- socket are IPv4-mapped IPv6 addresses.
-
- The IPV6_ADDRFORM option is valid at both the IPPROTO_IP and
- IPPROTO_IPV6 levels. The only valid option values are PF_INET6 and
- PF_INET. For example, to convert a PF_INET6 socket to PF_INET, a
- program would call:
-
- int addrform = PF_INET;
-
- if (setsockopt(s, IPPROTO_IPV6, IPV6_ADDRFORM,
- (char *) &addrform, sizeof(addrform)) == -1)
- perror("setsockopt IPV6_ADDRFORM");
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 15]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- An application may use IPV6_ADDRFORM with getsockopt() to learn
- whether an open socket is a PF_INET of PF_INET6 socket. For example:
-
- int addrform;
- size_t len = sizeof(addrform);
-
- if (getsockopt(s, IPPROTO_IPV6, IPV6_ADDRFORM,
- (char *) &addrform, &len) == -1)
- perror("getsockopt IPV6_ADDRFORM");
- else if (addrform == PF_INET)
- printf("This is an IPv4 socket.\n");
- else if (addrform == PF_INET6)
- printf("This is an IPv6 socket.\n");
- else
- printf("This system is broken.\n");
-
-5.2. Unicast Hop Limit
-
- A new setsockopt() option controls the hop limit used in outgoing
- unicast IPv6 packets. The name of this option is IPV6_UNICAST_HOPS,
- and it is used at the IPPROTO_IPV6 layer. The following example
- illustrates how it is used:
-
- int hoplimit = 10;
-
- if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
- (char *) &hoplimit, sizeof(hoplimit)) == -1)
- perror("setsockopt IPV6_UNICAST_HOPS");
-
- When the IPV6_UNICAST_HOPS option is set with setsockopt(), the
- option value given is used as the hop limit for all subsequent
- unicast packets sent via that socket. If the option is not set, the
- system selects a default value. The integer hop limit value (called
- x) is interpreted as follows:
-
- x < -1: return an error of EINVAL
- x == -1: use kernel default
- 0 <= x <= 255: use x
- x >= 256: return an error of EINVAL
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 16]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The IPV6_UNICAST_HOPS option may be used with getsockopt() to
- determine the hop limit value that the system will use for subsequent
- unicast packets sent via that socket. For example:
-
- int hoplimit;
- size_t len = sizeof(hoplimit);
-
- if (getsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
- (char *) &hoplimit, &len) == -1)
- perror("getsockopt IPV6_UNICAST_HOPS");
- else
- printf("Using %d for hop limit.\n", hoplimit);
-
-5.3. Sending and Receiving Multicast Packets
-
- IPv6 applications may send UDP multicast packets by simply specifying
- an IPv6 multicast address in the address argument of the sendto()
- function.
-
- Three socket options at the IPPROTO_IPV6 layer control some of the
- parameters for sending multicast packets. Setting these options is
- not required: applications may send multicast packets without using
- these options. The setsockopt() options for controlling the sending
- of multicast packets are summarized below:
-
- IPV6_MULTICAST_IF
-
- Set the interface to use for outgoing multicast packets. The
- argument is the index of the interface to use.
-
- Argument type: unsigned int
-
- IPV6_MULTICAST_HOPS
-
- Set the hop limit to use for outgoing multicast packets.
- (Note a separate option - IPV6_UNICAST_HOPS - is provided to
- set the hop limit to use for outgoing unicast packets.) The
- interpretation of the argument is the same as for the
- IPV6_UNICAST_HOPS option:
-
- x < -1: return an error of EINVAL
- x == -1: use kernel default
- 0 <= x <= 255: use x
- x >= 256: return an error of EINVAL
-
- Argument type: int
-
-
-
-
-
-Gilligan, et. al. Informational [Page 17]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- IPV6_MULTICAST_LOOP
-
- Controls whether outgoing multicast packets sent should be
- delivered back to the local application. A toggle. If the
- option is set to 1, multicast packets are looped back. If it
- is set to 0, they are not.
-
- Argument type: unsigned int
-
- The reception of multicast packets is controlled by the two
- setsockopt() options summarized below:
-
- IPV6_ADD_MEMBERSHIP
-
- Join a multicast group on a specified local interface. If
- the interface index is specified as 0, the kernel chooses the
- local interface. For example, some kernels look up the
- multicast group in the normal IPv6 routing table and using
- the resulting interface.
-
- Argument type: struct ipv6_mreq
-
- IPV6_DROP_MEMBERSHIP
-
- Leave a multicast group on a specified interface.
-
- Argument type: struct ipv6_mreq
-
- The argument type of both of these options is the ipv6_mreq
- structure, defined as:
-
- #include <netinet/in.h>
-
- struct ipv6_mreq {
- struct in6_addr ipv6mr_multiaddr; /* IPv6 multicast addr */
- unsigned int ipv6mr_interface; /* interface index */
- };
-
- Note that to receive multicast datagrams a process must join the
- multicast group and bind the UDP port to which datagrams will be
- sent. Some processes also bind the multicast group address to the
- socket, in addition to the port, to prevent other datagrams destined
- to that same port from being delivered to the socket.
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 18]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-6. Library Functions
-
- New library functions are needed to perform a variety of operations
- with IPv6 addresses. Functions are needed to lookup IPv6 addresses
- in the Domain Name System (DNS). Both forward lookup (hostname-to-
- address translation) and reverse lookup (address-to-hostname
- translation) need to be supported. Functions are also needed to
- convert IPv6 addresses between their binary and textual form.
-
-6.1. Hostname-to-Address Translation
-
- The commonly used function gethostbyname() remains unchanged as does
- the hostent structure to which it returns a pointer. Existing
- applications that call this function continue to receive only IPv4
- addresses that are the result of a query in the DNS for A records.
- (We assume the DNS is being used; some environments may be using a
- hosts file or some other name resolution system, either of which may
- impede renumbering. We also assume that the RES_USE_INET6 resolver
- option is not set, which we describe in more detail shortly.)
-
- Two new changes are made to support IPv6 addresses. First, the
- following function is new:
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- struct hostent *gethostbyname2(const char *name, int af);
-
- The af argument specifies the address family. The default operation
- of this function is simple:
-
- - If the af argument is AF_INET, then a query is made for A
- records. If successful, IPv4 addresses are returned and the
- h_length member of the hostent structure will be 4, else the
- function returns a NULL pointer.
-
- - If the af argument is AF_INET6, then a query is made for AAAA
- records. If successful, IPv6 addresses are returned and the
- h_length member of the hostent structure will be 16, else the
- function returns a NULL pointer.
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 19]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The second change, that provides additional functionality, is a new
- resolver option RES_USE_INET6, which is defined as a result of
- including the <resolv.h> header. (This option is provided starting
- with the BIND 4.9.4 release.) There are three ways to set this
- option.
-
- - The first way is
-
- res_init();
- _res.options |= RES_USE_INET6;
-
- and then call either gethostbyname() or gethostbyname2(). This
- option then affects only the process that is calling the
- resolver.
-
- - The second way to set this option is to set the environment
- variable RES_OPTIONS, as in RES_OPTIONS=inet6. (This example is
- for the Bourne and Korn shells.) This method affects any
- processes that see this environment variable.
-
- - The third way is to set this option in the resolver configuration
- file (normally /etc/resolv.conf) and the option then affects all
- applications on the host. This final method should not be done
- until all applications on the host are capable of dealing with
- IPv6 addresses.
-
- There is no priority among these three methods. When the
- RES_USE_INET6 option is set, two changes occur:
-
- - gethostbyname(host) first calls gethostbyname2(host, AF_INET6)
- looking for AAAA records, and if this fails it then calls
- gethostbyname2(host, AF_INET) looking for A records.
-
- - gethostbyname2(host, AF_INET) always returns IPv4-mapped IPv6
- addresses with the h_length member of the hostent structure set
- to 16.
-
- An application must not enable the RES_USE_INET6 option until it is
- prepared to deal with 16-byte addresses in the returned hostent
- structure.
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 20]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The following table summarizes the operation of the existing
- gethostbyname() function, the new function gethostbyname2(), along
- with the new resolver option RES_USE_INET6.
-
-+------------------+---------------------------------------------------+
-| | RES_USE_INET6 option |
-| +-------------------------+-------------------------+
-| | off | on |
-+------------------+-------------------------+-------------------------+
-| |Search for A records. |Search for AAAA records. |
-| gethostbyname | If found, return IPv4 | If found, return IPv6 |
-| (host) | addresses (h_length=4). | addresses (h_length=16).|
-| | Else error. | Else search for A |
-| | | records. If found, |
-| |Provides backward | return IPv4-mapped IPv6 |
-| | compatibility with all | addresses (h_length=16).|
-| | existing IPv4 appls. | Else error. |
-+------------------+-------------------------+-------------------------+
-| |Search for A records. |Search for A records. |
-| gethostbyname2 | If found, return IPv4 | If found, return |
-| (host, AF_INET) | addresses (h_length=4). | IPv4-mapped IPv6 |
-| | Else error. | addresses (h_length=16).|
-| | | Else error. |
-+------------------+-------------------------+-------------------------+
-| |Search for AAAA records. |Search for AAAA records. |
-| gethostbyname2 | If found, return IPv6 | If found, return IPv6 |
-| (host, AF_INET6) | addresses (h_length=16).| addresses (h_length=16).|
-| | Else error. | Else error. |
-+------------------+-------------------------+-------------------------+
-
- It is expected that when a typical naive application that calls
- gethostbyname() today is modified to use IPv6, it simply changes the
- program to use IPv6 sockets and then enables the RES_USE_INET6
- resolver option before calling gethostbyname(). This application
- will then work with either IPv4 or IPv6 peers.
-
- Note that gethostbyname() and gethostbyname2() are not thread-safe,
- since both return a pointer to a static hostent structure. But
- several vendors have defined a thread-safe gethostbyname_r() function
- that requires four additional arguments. We expect these vendors to
- also define a gethostbyname2_r() function.
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 21]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-6.2. Address To Hostname Translation
-
- The existing gethostbyaddr() function already requires an address
- family argument and can therefore work with IPv6 addresses:
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- struct hostent *gethostbyaddr(const char *src, int len, int af);
-
- One possible source of confusion is the handling of IPv4-mapped IPv6
- addresses and IPv4-compatible IPv6 addresses. This is addressed in
- [6] and involves the following logic:
-
- 1. If af is AF_INET6, and if len equals 16, and if the IPv6 address
- is an IPv4-mapped IPv6 address or an IPv4-compatible IPv6
- address, then skip over the first 12 bytes of the IPv6 address,
- set af to AF_INET, and set len to 4.
-
- 2. If af is AF_INET, then query for a PTR record in the in-
- addr.arpa domain.
-
- 3. If af is AF_INET6, then query for a PTR record in the ip6.int
- domain.
-
- 4. If the function is returning success, and if af equals AF_INET,
- and if the RES_USE_INET6 option was set, then the single address
- that is returned in the hostent structure (a copy of the first
- argument to the function) is returned as an IPv4-mapped IPv6
- address and the h_length member is set to 16.
-
- All four steps listed are performed, in order. The same caveats
- regarding a thread-safe version of gethostbyname() that were made at
- the end of the previous section apply here as well.
-
-6.3. Protocol-Independent Hostname and Service Name Translation
-
- Hostname-to-address translation is done in a protocol-independent
- fashion using the getaddrinfo() function that is taken from the
- Institute of Electrical and Electronic Engineers (IEEE) POSIX 1003.1g
- (Protocol Independent Interfaces) work in progress specification [4].
-
- The official specification for this function will be the final POSIX
- standard. We are providing this independent description of the
- function because POSIX standards are not freely available (as are
- IETF documents). Should there be any discrepancies between this
- description and the POSIX description, the POSIX description takes
- precedence.
-
-
-
-Gilligan, et. al. Informational [Page 22]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- int getaddrinfo(const char *hostname, const char *servname,
- const struct addrinfo *hints,
- struct addrinfo **res);
-
- The addrinfo structure is defined as:
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
- };
-
- The return value from the function is 0 upon success or a nonzero
- error code. The following names are the nonzero error codes from
- getaddrinfo(), and are defined in <netdb.h>:
-
- EAI_ADDRFAMILY address family for hostname not supported
- EAI_AGAIN temporary failure in name resolution
- EAI_BADFLAGS invalid value for ai_flags
- EAI_FAIL non-recoverable failure in name resolution
- EAI_FAMILY ai_family not supported
- EAI_MEMORY memory allocation failure
- EAI_NODATA no address associated with hostname
- EAI_NONAME hostname nor servname provided, or not known
- EAI_SERVICE servname not supported for ai_socktype
- EAI_SOCKTYPE ai_socktype not supported
- EAI_SYSTEM system error returned in errno
-
- The hostname and servname arguments are pointers to null-terminated
- strings or NULL. One or both of these two arguments must be a non-
- NULL pointer. In the normal client scenario, both the hostname and
- servname are specified. In the normal server scenario, only the
- servname is specified. A non-NULL hostname string can be either a
- host name or a numeric host address string (i.e., a dotted-decimal
- IPv4 address or an IPv6 hex address). A non-NULL servname string can
- be either a service name or a decimal port number.
-
-
-
-
-Gilligan, et. al. Informational [Page 23]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The caller can optionally pass an addrinfo structure, pointed to by
- the third argument, to provide hints concerning the type of socket
- that the caller supports. In this hints structure all members other
- than ai_flags, ai_family, ai_socktype, and ai_protocol must be zero
- or a NULL pointer. A value of PF_UNSPEC for ai_family means the
- caller will accept any protocol family. A value of 0 for ai_socktype
- means the caller will accept any socket type. A value of 0 for
- ai_protocol means the caller will accept any protocol. For example,
- if the caller handles only TCP and not UDP, then the ai_socktype
- member of the hints structure should be set to SOCK_STREAM when
- getaddrinfo() is called. If the caller handles only IPv4 and not
- IPv6, then the ai_family member of the hints structure should be set
- to PF_INET when getaddrinfo() is called. If the third argument to
- getaddrinfo() is a NULL pointer, this is the same as if the caller
- had filled in an addrinfo structure initialized to zero with
- ai_family set to PF_UNSPEC.
-
- Upon successful return a pointer to a linked list of one or more
- addrinfo structures is returned through the final argument. The
- caller can process each addrinfo structure in this list by following
- the ai_next pointer, until a NULL pointer is encountered. In each
- returned addrinfo structure the three members ai_family, ai_socktype,
- and ai_protocol are the corresponding arguments for a call to the
- socket() function. In each addrinfo structure the ai_addr member
- points to a filled-in socket address structure whose length is
- specified by the ai_addrlen member.
-
- If the AI_PASSIVE bit is set in the ai_flags member of the hints
- structure, then the caller plans to use the returned socket address
- structure in a call to bind(). In this case, if the hostname
- argument is a NULL pointer, then the IP address portion of the socket
- address structure will be set to INADDR_ANY for an IPv4 address or
- IN6ADDR_ANY_INIT for an IPv6 address.
-
- If the AI_PASSIVE bit is not set in the ai_flags member of the hints
- structure, then the returned socket address structure will be ready
- for a call to connect() (for a connection-oriented protocol) or
- either connect(), sendto(), or sendmsg() (for a connectionless
- protocol). In this case, if the hostname argument is a NULL pointer,
- then the IP address portion of the socket address structure will be
- set to the loopback address.
-
- If the AI_CANONNAME bit is set in the ai_flags member of the hints
- structure, then upon successful return the ai_canonname member of the
- first addrinfo structure in the linked list will point to a null-
- terminated string containing the canonical name of the specified
- hostname.
-
-
-
-
-Gilligan, et. al. Informational [Page 24]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- All of the information returned by getaddrinfo() is dynamically
- allocated: the addrinfo structures, and the socket address structures
- and canonical host name strings pointed to by the addrinfo
- structures. To return this information to the system the function
- freeaddrinfo() is called:
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- void freeaddrinfo(struct addrinfo *ai);
-
- The addrinfo structure pointed to by the ai argument is freed, along
- with any dynamic storage pointed to by the structure. This operation
- is repeated until a NULL ai_next pointer is encountered.
-
- To aid applications in printing error messages based on the EAI_xxx
- codes returned by getaddrinfo(), the following function is defined.
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- char *gai_strerror(int ecode);
-
- The argument is one of the EAI_xxx values defined earlier and the
- eturn value points to a string describing the error. If the argument
- is not one of the EAI_xxx values, the function still returns a
- pointer to a string whose contents indicate an unknown error.
-
-6.4. Socket Address Structure to Hostname and Service Name
-
- The POSIX 1003.1g specification includes no function to perform the
- reverse conversion from getaddrinfo(): to look up a hostname and
- service name, given the binary address and port. Therefore, we
- define the following function:
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- int getnameinfo(const struct sockaddr *sa, size_t salen,
- char *host, size_t hostlen,
- char *serv, size_t servlen,
- int flags);
-
- This function looks up an IP address and port number provided by the
- caller in the DNS and system-specific database, and returns text
- strings for both in buffers provided by the caller. The function
- indicates successful completion by a zero return value; a non-zero
- return value indicates failure.
-
-
-
-Gilligan, et. al. Informational [Page 25]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The first argument, sa, points to either a sockaddr_in structure (for
- IPv4) or a sockaddr_in6 structure (for IPv6) that holds the IP
- address and port number. The salen argument gives the length of the
- sockaddr_in or sockaddr_in6 structure.
-
- The function returns the hostname associated with the IP address in
- the buffer pointed to by the host argument. The caller provides the
- size of this buffer via the hostlen argument. The service name
- associated with the port number is returned in the buffer pointed to
- by serv, and the servlen argument gives the length of this buffer.
- The caller specifies not to return either string by providing a zero
- value for the hostlen or servlen arguments. Otherwise, the caller
- must provide buffers large enough to hold the hostname and the
- service name, including the terminating null characters.
-
- Unfortunately most systems do not provide constants that specify the
- maximum size of either a fully-qualified domain name or a service
- name. Therefore to aid the application in allocating buffers for
- these two returned strings the following constants are defined in
- <netdb.h>:
-
- #define NI_MAXHOST 1025
- #define NI_MAXSERV 32
-
- The first value is actually defined as the constant MAXDNAME in
- recent versions of BIND's <arpa/nameser.h> header (older versions of
- BIND define this constant to be 256) and the second is a guess based
- on the services listed in the current Assigned Numbers RFC.
-
- The final argument is a flag that changes the default actions of this
- function. By default the fully-qualified domain name (FQDN) for the
- host is looked up in the DNS and returned. If the flag bit NI_NOFQDN
- is set, only the hostname portion of the FQDN is returned for local
- hosts.
-
- If the flag bit NI_NUMERICHOST is set, or if the host's name cannot
- be located in the DNS, the numeric form of the host's address is
- returned instead of its name (e.g., by calling inet_ntop() instead of
- gethostbyaddr()). If the flag bit NI_NAMEREQD is set, an error is
- returned if the host's name cannot be located in the DNS.
-
- If the flag bit NI_NUMERICSERV is set, the numeric form of the
- service address is returned (e.g., its port number) instead of its
- name. The two NI_NUMERICxxx flags are required to support the "-n"
- flag that many commands provide.
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 26]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- A fifth flag bit, NI_DGRAM, specifies that the service is a datagram
- service, and causes getservbyport() to be called with a second
- argument of "udp" instead of its default of "tcp". This is required
- for the few ports (512-514) that have different services for UDP and
- TCP.
-
- These NI_xxx flags are defined in <netdb.h> along with the AI_xxx
- flags already defined for getaddrinfo().
-
-6.5. Address Conversion Functions
-
- The two functions inet_addr() and inet_ntoa() convert an IPv4 address
- between binary and text form. IPv6 applications need similar
- functions. The following two functions convert both IPv6 and IPv4
- addresses:
-
- #include <sys/socket.h>
- #include <arpa/inet.h>
-
- int inet_pton(int af, const char *src, void *dst);
-
- const char *inet_ntop(int af, const void *src,
- char *dst, size_t size);
-
- The inet_pton() function converts an address in its standard text
- presentation form into its numeric binary form. The af argument
- specifies the family of the address. Currently the AF_INET and
- AF_INET6 address families are supported. The src argument points to
- the string being passed in. The dst argument points to a buffer into
- which the function stores the numeric address. The address is
- returned in network byte order. Inet_pton() returns 1 if the
- conversion succeeds, 0 if the input is not a valid IPv4 dotted-
- decimal string or a valid IPv6 address string, or -1 with errno set
- to EAFNOSUPPORT if the af argument is unknown. The calling
- application must ensure that the buffer referred to by dst is large
- enough to hold the numeric address (e.g., 4 bytes for AF_INET or 16
- bytes for AF_INET6).
-
- If the af argument is AF_INET, the function accepts a string in the
- standard IPv4 dotted-decimal form:
-
- ddd.ddd.ddd.ddd
-
- where ddd is a one to three digit decimal number between 0 and 255.
- Note that many implementations of the existing inet_addr() and
- inet_aton() functions accept nonstandard input: octal numbers,
- hexadecimal numbers, and fewer than four numbers. inet_pton() does
- not accept these formats.
-
-
-
-Gilligan, et. al. Informational [Page 27]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- If the af argument is AF_INET6, then the function accepts a string in
- one of the standard IPv6 text forms defined in Section 2.2 of the
- addressing architecture specification [2].
-
- The inet_ntop() function converts a numeric address into a text
- string suitable for presentation. The af argument specifies the
- family of the address. This can be AF_INET or AF_INET6. The src
- argument points to a buffer holding an IPv4 address if the af
- argument is AF_INET, or an IPv6 address if the af argument is
- AF_INET6. The dst argument points to a buffer where the function
- will store the resulting text string. The size argument specifies
- the size of this buffer. The application must specify a non-NULL dst
- argument. For IPv6 addresses, the buffer must be at least 46-octets.
- For IPv4 addresses, the buffer must be at least 16-octets. In order
- to allow applications to easily declare buffers of the proper size to
- store IPv4 and IPv6 addresses in string form, the following two
- constants are defined in <netinet/in.h>:
-
- #define INET_ADDRSTRLEN 16
- #define INET6_ADDRSTRLEN 46
-
- The inet_ntop() function returns a pointer to the buffer containing
- the text string if the conversion succeeds, and NULL otherwise. Upon
- failure, errno is set to EAFNOSUPPORT if the af argument is invalid
- or ENOSPC if the size of the result buffer is inadequate.
-
-6.6. Address Testing Macros
-
- The following macros can be used to test for special IPv6 addresses.
-
- #include <netinet/in.h>
-
- int IN6_IS_ADDR_UNSPECIFIED (const struct in6_addr *);
- int IN6_IS_ADDR_LOOPBACK (const struct in6_addr *);
- int IN6_IS_ADDR_MULTICAST (const struct in6_addr *);
- int IN6_IS_ADDR_LINKLOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_SITELOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_V4MAPPED (const struct in6_addr *);
- int IN6_IS_ADDR_V4COMPAT (const struct in6_addr *);
-
- int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_ORGLOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_MC_GLOBAL (const struct in6_addr *);
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 28]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- The first seven macros return true if the address is of the specified
- type, or false otherwise. The last five test the scope of a
- multicast address and return true if the address is a multicast
- address of the specified scope or false if the address is either not
- a multicast address or not of the specified scope.
-
-7. Summary of New Definitions
-
- The following list summarizes the constants, structure, and extern
- definitions discussed in this memo, sorted by header.
-
- <net/if.h> IFNAMSIZ
- <net/if.h> struct if_nameindex{};
-
- <netdb.h> AI_CANONNAME
- <netdb.h> AI_PASSIVE
- <netdb.h> EAI_ADDRFAMILY
- <netdb.h> EAI_AGAIN
- <netdb.h> EAI_BADFLAGS
- <netdb.h> EAI_FAIL
- <netdb.h> EAI_FAMILY
- <netdb.h> EAI_MEMORY
- <netdb.h> EAI_NODATA
- <netdb.h> EAI_NONAME
- <netdb.h> EAI_SERVICE
- <netdb.h> EAI_SOCKTYPE
- <netdb.h> EAI_SYSTEM
- <netdb.h> NI_DGRAM
- <netdb.h> NI_MAXHOST
- <netdb.h> NI_MAXSERV
- <netdb.h> NI_NAMEREQD
- <netdb.h> NI_NOFQDN
- <netdb.h> NI_NUMERICHOST
- <netdb.h> NI_NUMERICSERV
- <netdb.h> struct addrinfo{};
-
- <netinet/in.h> IN6ADDR_ANY_INIT
- <netinet/in.h> IN6ADDR_LOOPBACK_INIT
- <netinet/in.h> INET6_ADDRSTRLEN
- <netinet/in.h> INET_ADDRSTRLEN
- <netinet/in.h> IPPROTO_IPV6
- <netinet/in.h> IPV6_ADDRFORM
- <netinet/in.h> IPV6_ADD_MEMBERSHIP
- <netinet/in.h> IPV6_DROP_MEMBERSHIP
- <netinet/in.h> IPV6_MULTICAST_HOPS
- <netinet/in.h> IPV6_MULTICAST_IF
- <netinet/in.h> IPV6_MULTICAST_LOOP
- <netinet/in.h> IPV6_UNICAST_HOPS
-
-
-
-Gilligan, et. al. Informational [Page 29]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- <netinet/in.h> SIN6_LEN
- <netinet/in.h> extern const struct in6_addr in6addr_any;
- <netinet/in.h> extern const struct in6_addr in6addr_loopback;
- <netinet/in.h> struct in6_addr{};
- <netinet/in.h> struct ipv6_mreq{};
- <netinet/in.h> struct sockaddr_in6{};
-
- <resolv.h> RES_USE_INET6
-
- <sys/socket.h> AF_INET6
- <sys/socket.h> PF_INET6
-
-
- The following list summarizes the function and macro prototypes
- discussed in this memo, sorted by header.
-
-<arpa/inet.h> int inet_pton(int, const char *, void *);
-<arpa/inet.h> const char *inet_ntop(int, const void *,
- char *, size_t);
-
-<net/if.h> char *if_indextoname(unsigned int, char *);
-<net/if.h> unsigned int if_nametoindex(const char *);
-<net/if.h> void if_freenameindex(struct if_nameindex *);
-<net/if.h> struct if_nameindex *if_nameindex(void);
-
-<netdb.h> int getaddrinfo(const char *, const char *,
- const struct addrinfo *,
- struct addrinfo **);
-<netdb.h> int getnameinfo(const struct sockaddr *, size_t,
- char *, size_t, char *, size_t, int);
-<netdb.h> void freeaddrinfo(struct addrinfo *);
-<netdb.h> char *gai_strerror(int);
-<netdb.h> struct hostent *gethostbyname(const char *);
-<netdb.h> struct hostent *gethostbyaddr(const char *, int, int);
-<netdb.h> struct hostent *gethostbyname2(const char *, int);
-
-<netinet/in.h> int IN6_IS_ADDR_LINKLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_LOOPBACK(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_GLOBAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_ORGLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MULTICAST(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_SITELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_UNSPECIFIED(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_V4COMPAT(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_V4MAPPED(const struct in6_addr *);
-
-
-
-Gilligan, et. al. Informational [Page 30]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
-8. Security Considerations
-
- IPv6 provides a number of new security mechanisms, many of which need
- to be accessible to applications. A companion memo detailing the
- extensions to the socket interfaces to support IPv6 security is being
- written [3].
-
-9. Acknowledgments
-
- Thanks to the many people who made suggestions and provided feedback
- to to the numerous revisions of this document, including: Werner
- Almesberger, Ran Atkinson, Fred Baker, Dave Borman, Andrew Cherenson,
- Alex Conta, Alan Cox, Steve Deering, Richard Draves, Francis Dupont,
- Robert Elz, Marc Hasson, Tim Hartrick, Tom Herbert, Bob Hinden, Wan-
- Yen Hsu, Christian Huitema, Koji Imada, Markus Jork, Ron Lee, Alan
- Lloyd, Charles Lynn, Jack McCann, Dan McDonald, Dave Mitton, Thomas
- Narten, Erik Nordmark, Josh Osborne, Craig Partridge, Jean-Luc
- Richier, Erik Scoredos, Keith Sklower, Matt Thomas, Harvey Thompson,
- Dean D. Throop, Karen Tracey, Glenn Trewitt, Paul Vixie, David
- Waitzman, Carl Williams, and Kazuhiko Yamamoto,
-
- The getaddrinfo() and getnameinfo() functions are taken from an
- earlier Work in Progress by Keith Sklower. As noted in that
- document, William Durst, Steven Wise, Michael Karels, and Eric Allman
- provided many useful discussions on the subject of protocol-
- independent name-to-address translation, and reviewed early versions
- of Keith Sklower's original proposal. Eric Allman implemented the
- first prototype of getaddrinfo(). The observation that specifying
- the pair of name and service would suffice for connecting to a
- service independent of protocol details was made by Marshall Rose in
- a proposal to X/Open for a "Uniform Network Interface".
-
- Craig Metz made many contributions to this document. Ramesh Govindan
- made a number of contributions and co-authored an earlier version of
- this memo.
-
-10. References
-
- [1] Deering, S., and R. Hinden, "Internet Protocol, Version 6 (IPv6)
- Specification", RFC 1883, December 1995.
-
- [2] Hinden, R., and S. Deering, "IP Version 6 Addressing Architecture",
- RFC 1884, December 1995.
-
- [3] McDonald, D., "A Simple IP Security API Extension to BSD Sockets",
- Work in Progress.
-
-
-
-
-
-Gilligan, et. al. Informational [Page 31]
-
-RFC 2133 IPv6 Socket Interface Extensions April 1997
-
-
- [4] IEEE, "Protocol Independent Interfaces", IEEE Std 1003.1g, DRAFT
- 6.3, November 1995.
-
- [5] Stevens, W., and M. Thomas, "Advanced Sockets API for IPv6",
- Work in Progress.
-
- [6] Vixie, P., "Reverse Name Lookups of Encapsulated IPv4 Addresses in
- IPv6", Work in Progress.
-
-11. Authors' Addresses
-
- Robert E. Gilligan
- Freegate Corporation
- 710 Lakeway Dr. STE 230
- Sunnyvale, CA 94086
-
- Phone: +1 408 524 4804
- EMail: gilligan@freegate.net
-
-
- Susan Thomson
- Bell Communications Research
- MRE 2P-343, 445 South Street
- Morristown, NJ 07960
-
- Phone: +1 201 829 4514
- EMail: set@thumper.bellcore.com
-
-
- Jim Bound
- Digital Equipment Corporation
- 110 Spitbrook Road ZK3-3/U14
- Nashua, NH 03062-2698
-
- Phone: +1 603 881 0400
- Email: bound@zk3.dec.com
-
-
- W. Richard Stevens
- 1202 E. Paseo del Zorro
- Tucson, AZ 85718-2826
-
- Phone: +1 520 297 9416
- EMail: rstevens@kohala.com
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 32]
-
diff --git a/contrib/bind9/doc/rfc/rfc2136.txt b/contrib/bind9/doc/rfc/rfc2136.txt
deleted file mode 100644
index 4d62702e0d4b..000000000000
--- a/contrib/bind9/doc/rfc/rfc2136.txt
+++ /dev/null
@@ -1,1460 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Vixie, Editor
-Request for Comments: 2136 ISC
-Updates: 1035 S. Thomson
-Category: Standards Track Bellcore
- Y. Rekhter
- Cisco
- J. Bound
- DEC
- April 1997
-
- Dynamic Updates in the Domain Name System (DNS UPDATE)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- The Domain Name System was originally designed to support queries of
- a statically configured database. While the data was expected to
- change, the frequency of those changes was expected to be fairly low,
- and all updates were made as external edits to a zone's Master File.
-
- Using this specification of the UPDATE opcode, it is possible to add
- or delete RRs or RRsets from a specified zone. Prerequisites are
- specified separately from update operations, and can specify a
- dependency upon either the previous existence or nonexistence of an
- RRset, or the existence of a single RR.
-
- UPDATE is atomic, i.e., all prerequisites must be satisfied or else
- no update operations will take place. There are no data dependent
- error conditions defined after the prerequisites have been met.
-
-1 - Definitions
-
- This document intentionally gives more definition to the roles of
- "Master," "Slave," and "Primary Master" servers, and their
- enumeration in NS RRs, and the SOA MNAME field. In that sense, the
- following server type definitions can be considered an addendum to
- [RFC1035], and are intended to be consistent with [RFC1996]:
-
- Slave an authoritative server that uses AXFR or IXFR to
- retrieve the zone and is named in the zone's NS
- RRset.
-
-
-
-Vixie, et. al. Standards Track [Page 1]
-
-RFC 2136 DNS Update April 1997
-
-
- Master an authoritative server configured to be the
- source of AXFR or IXFR data for one or more slave
- servers.
-
- Primary Master master server at the root of the AXFR/IXFR
- dependency graph. The primary master is named in
- the zone's SOA MNAME field and optionally by an NS
- RR. There is by definition only one primary master
- server per zone.
-
- A domain name identifies a node within the domain name space tree
- structure. Each node has a set (possibly empty) of Resource Records
- (RRs). All RRs having the same NAME, CLASS and TYPE are called a
- Resource Record Set (RRset).
-
- The pseudocode used in this document is for example purposes only.
- If it is found to disagree with the text, the text shall be
- considered authoritative. If the text is found to be ambiguous, the
- pseudocode can be used to help resolve the ambiguity.
-
- 1.1 - Comparison Rules
-
- 1.1.1. Two RRs are considered equal if their NAME, CLASS, TYPE,
- RDLENGTH and RDATA fields are equal. Note that the time-to-live
- (TTL) field is explicitly excluded from the comparison.
-
- 1.1.2. The rules for comparison of character strings in names are
- specified in [RFC1035 2.3.3].
-
- 1.1.3. Wildcarding is disabled. That is, a wildcard ("*") in an
- update only matches a wildcard ("*") in the zone, and vice versa.
-
- 1.1.4. Aliasing is disabled: A CNAME in the zone matches a CNAME in
- the update, and will not otherwise be followed. All UPDATE
- operations are done on the basis of canonical names.
-
- 1.1.5. The following RR types cannot be appended to an RRset. If the
- following comparison rules are met, then an attempt to add the new RR
- will result in the replacement of the previous RR:
-
- SOA compare only NAME, CLASS and TYPE -- it is not possible to
- have more than one SOA per zone, even if any of the data
- fields differ.
-
- WKS compare only NAME, CLASS, TYPE, ADDRESS, and PROTOCOL
- -- only one WKS RR is possible for this tuple, even if the
- services masks differ.
-
-
-
-
-Vixie, et. al. Standards Track [Page 2]
-
-RFC 2136 DNS Update April 1997
-
-
- CNAME compare only NAME, CLASS, and TYPE -- it is not possible
- to have more than one CNAME RR, even if their data fields
- differ.
-
- 1.2 - Glue RRs
-
- For the purpose of determining whether a domain name used in the
- UPDATE protocol is contained within a specified zone, a domain name
- is "in" a zone if it is owned by that zone's domain name. See
- section 7.18 for details.
-
- 1.3 - New Assigned Numbers
-
- CLASS = NONE (254)
- RCODE = YXDOMAIN (6)
- RCODE = YXRRSET (7)
- RCODE = NXRRSET (8)
- RCODE = NOTAUTH (9)
- RCODE = NOTZONE (10)
- Opcode = UPDATE (5)
-
-2 - Update Message Format
-
- The DNS Message Format is defined by [RFC1035 4.1]. Some extensions
- are necessary (for example, more error codes are possible under
- UPDATE than under QUERY) and some fields must be overloaded (see
- description of CLASS fields below).
-
- The overall format of an UPDATE message is, following [ibid]:
-
- +---------------------+
- | Header |
- +---------------------+
- | Zone | specifies the zone to be updated
- +---------------------+
- | Prerequisite | RRs or RRsets which must (not) preexist
- +---------------------+
- | Update | RRs or RRsets to be added or deleted
- +---------------------+
- | Additional Data | additional data
- +---------------------+
-
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 3]
-
-RFC 2136 DNS Update April 1997
-
-
- The Header Section specifies that this message is an UPDATE, and
- describes the size of the other sections. The Zone Section names the
- zone that is to be updated by this message. The Prerequisite Section
- specifies the starting invariants (in terms of zone content) required
- for this update. The Update Section contains the edits to be made,
- and the Additional Data Section contains data which may be necessary
- to complete, but is not part of, this update.
-
- 2.1 - Transport Issues
-
- An update transaction may be carried in a UDP datagram, if the
- request fits, or in a TCP connection (at the discretion of the
- requestor). When TCP is used, the message is in the format described
- in [RFC1035 4.2.2].
-
- 2.2 - Message Header
-
- The header of the DNS Message Format is defined by [RFC 1035 4.1].
- Not all opcodes define the same set of flag bits, though as a
- practical matter most of the bits defined for QUERY (in [ibid]) are
- identically defined by the other opcodes. UPDATE uses only one flag
- bit (QR).
-
- The DNS Message Format specifies record counts for its four sections
- (Question, Answer, Authority, and Additional). UPDATE uses the same
- fields, and the same section formats, but the naming and use of these
- sections differs as shown in the following modified header, after
- [RFC1035 4.1.1]:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ID |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- |QR| Opcode | Z | RCODE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ZOCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | PRCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | UPCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ADCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 4]
-
-RFC 2136 DNS Update April 1997
-
-
- These fields are used as follows:
-
- ID A 16-bit identifier assigned by the entity that generates any
- kind of request. This identifier is copied in the
- corresponding reply and can be used by the requestor to match
- replies to outstanding requests, or by the server to detect
- duplicated requests from some requestor.
-
- QR A one bit field that specifies whether this message is a
- request (0), or a response (1).
-
- Opcode A four bit field that specifies the kind of request in this
- message. This value is set by the originator of a request
- and copied into the response. The Opcode value that
- identifies an UPDATE message is five (5).
-
- Z Reserved for future use. Should be zero (0) in all requests
- and responses. A non-zero Z field should be ignored by
- implementations of this specification.
-
- RCODE Response code - this four bit field is undefined in requests
- and set in responses. The values and meanings of this field
- within responses are as follows:
-
- Mneumonic Value Description
- ------------------------------------------------------------
- NOERROR 0 No error condition.
- FORMERR 1 The name server was unable to interpret
- the request due to a format error.
- SERVFAIL 2 The name server encountered an internal
- failure while processing this request,
- for example an operating system error
- or a forwarding timeout.
- NXDOMAIN 3 Some name that ought to exist,
- does not exist.
- NOTIMP 4 The name server does not support
- the specified Opcode.
- REFUSED 5 The name server refuses to perform the
- specified operation for policy or
- security reasons.
- YXDOMAIN 6 Some name that ought not to exist,
- does exist.
- YXRRSET 7 Some RRset that ought not to exist,
- does exist.
- NXRRSET 8 Some RRset that ought to exist,
- does not exist.
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 5]
-
-RFC 2136 DNS Update April 1997
-
-
- NOTAUTH 9 The server is not authoritative for
- the zone named in the Zone Section.
- NOTZONE 10 A name used in the Prerequisite or
- Update Section is not within the
- zone denoted by the Zone Section.
-
- ZOCOUNT The number of RRs in the Zone Section.
-
- PRCOUNT The number of RRs in the Prerequisite Section.
-
- UPCOUNT The number of RRs in the Update Section.
-
- ADCOUNT The number of RRs in the Additional Data Section.
-
- 2.3 - Zone Section
-
- The Zone Section has the same format as that specified in [RFC1035
- 4.1.2], with the fields redefined as follows:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | |
- / ZNAME /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ZTYPE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ZCLASS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- UPDATE uses this section to denote the zone of the records being
- updated. All records to be updated must be in the same zone, and
- therefore the Zone Section is allowed to contain exactly one record.
- The ZNAME is the zone name, the ZTYPE must be SOA, and the ZCLASS is
- the zone's class.
-
- 2.4 - Prerequisite Section
-
- This section contains a set of RRset prerequisites which must be
- satisfied at the time the UPDATE packet is received by the primary
- master server. The format of this section is as specified by
- [RFC1035 4.1.3]. There are five possible sets of semantics that can
- be expressed here, summarized as follows and then explained below.
-
- (1) RRset exists (value independent). At least one RR with a
- specified NAME and TYPE (in the zone and class specified by
- the Zone Section) must exist.
-
-
-
-Vixie, et. al. Standards Track [Page 6]
-
-RFC 2136 DNS Update April 1997
-
-
- (2) RRset exists (value dependent). A set of RRs with a
- specified NAME and TYPE exists and has the same members
- with the same RDATAs as the RRset specified here in this
- Section.
-
- (3) RRset does not exist. No RRs with a specified NAME and TYPE
- (in the zone and class denoted by the Zone Section) can exist.
-
- (4) Name is in use. At least one RR with a specified NAME (in
- the zone and class specified by the Zone Section) must exist.
- Note that this prerequisite is NOT satisfied by empty
- nonterminals.
-
- (5) Name is not in use. No RR of any type is owned by a
- specified NAME. Note that this prerequisite IS satisfied by
- empty nonterminals.
-
- The syntax of these is as follows:
-
- 2.4.1 - RRset Exists (Value Independent)
-
- At least one RR with a specified NAME and TYPE (in the zone and class
- specified in the Zone Section) must exist.
-
- For this prerequisite, a requestor adds to the section a single RR
- whose NAME and TYPE are equal to that of the zone RRset whose
- existence is required. RDLENGTH is zero and RDATA is therefore
- empty. CLASS must be specified as ANY to differentiate this
- condition from that of an actual RR whose RDLENGTH is naturally zero
- (0) (e.g., NULL). TTL is specified as zero (0).
-
- 2.4.2 - RRset Exists (Value Dependent)
-
- A set of RRs with a specified NAME and TYPE exists and has the same
- members with the same RDATAs as the RRset specified here in this
- section. While RRset ordering is undefined and therefore not
- significant to this comparison, the sets be identical in their
- extent.
-
- For this prerequisite, a requestor adds to the section an entire
- RRset whose preexistence is required. NAME and TYPE are that of the
- RRset being denoted. CLASS is that of the zone. TTL must be
- specified as zero (0) and is ignored when comparing RRsets for
- identity.
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 7]
-
-RFC 2136 DNS Update April 1997
-
-
- 2.4.3 - RRset Does Not Exist
-
- No RRs with a specified NAME and TYPE (in the zone and class denoted
- by the Zone Section) can exist.
-
- For this prerequisite, a requestor adds to the section a single RR
- whose NAME and TYPE are equal to that of the RRset whose nonexistence
- is required. The RDLENGTH of this record is zero (0), and RDATA
- field is therefore empty. CLASS must be specified as NONE in order
- to distinguish this condition from a valid RR whose RDLENGTH is
- naturally zero (0) (for example, the NULL RR). TTL must be specified
- as zero (0).
-
- 2.4.4 - Name Is In Use
-
- Name is in use. At least one RR with a specified NAME (in the zone
- and class specified by the Zone Section) must exist. Note that this
- prerequisite is NOT satisfied by empty nonterminals.
-
- For this prerequisite, a requestor adds to the section a single RR
- whose NAME is equal to that of the name whose ownership of an RR is
- required. RDLENGTH is zero and RDATA is therefore empty. CLASS must
- be specified as ANY to differentiate this condition from that of an
- actual RR whose RDLENGTH is naturally zero (0) (e.g., NULL). TYPE
- must be specified as ANY to differentiate this case from that of an
- RRset existence test. TTL is specified as zero (0).
-
- 2.4.5 - Name Is Not In Use
-
- Name is not in use. No RR of any type is owned by a specified NAME.
- Note that this prerequisite IS satisfied by empty nonterminals.
-
- For this prerequisite, a requestor adds to the section a single RR
- whose NAME is equal to that of the name whose nonownership of any RRs
- is required. RDLENGTH is zero and RDATA is therefore empty. CLASS
- must be specified as NONE. TYPE must be specified as ANY. TTL must
- be specified as zero (0).
-
- 2.5 - Update Section
-
- This section contains RRs to be added to or deleted from the zone.
- The format of this section is as specified by [RFC1035 4.1.3]. There
- are four possible sets of semantics, summarized below and with
- details to follow.
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 8]
-
-RFC 2136 DNS Update April 1997
-
-
- (1) Add RRs to an RRset.
- (2) Delete an RRset.
- (3) Delete all RRsets from a name.
- (4) Delete an RR from an RRset.
-
- The syntax of these is as follows:
-
- 2.5.1 - Add To An RRset
-
- RRs are added to the Update Section whose NAME, TYPE, TTL, RDLENGTH
- and RDATA are those being added, and CLASS is the same as the zone
- class. Any duplicate RRs will be silently ignored by the primary
- master.
-
- 2.5.2 - Delete An RRset
-
- One RR is added to the Update Section whose NAME and TYPE are those
- of the RRset to be deleted. TTL must be specified as zero (0) and is
- otherwise not used by the primary master. CLASS must be specified as
- ANY. RDLENGTH must be zero (0) and RDATA must therefore be empty.
- If no such RRset exists, then this Update RR will be silently ignored
- by the primary master.
-
- 2.5.3 - Delete All RRsets From A Name
-
- One RR is added to the Update Section whose NAME is that of the name
- to be cleansed of RRsets. TYPE must be specified as ANY. TTL must
- be specified as zero (0) and is otherwise not used by the primary
- master. CLASS must be specified as ANY. RDLENGTH must be zero (0)
- and RDATA must therefore be empty. If no such RRsets exist, then
- this Update RR will be silently ignored by the primary master.
-
- 2.5.4 - Delete An RR From An RRset
-
- RRs to be deleted are added to the Update Section. The NAME, TYPE,
- RDLENGTH and RDATA must match the RR being deleted. TTL must be
- specified as zero (0) and will otherwise be ignored by the primary
- master. CLASS must be specified as NONE to distinguish this from an
- RR addition. If no such RRs exist, then this Update RR will be
- silently ignored by the primary master.
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 9]
-
-RFC 2136 DNS Update April 1997
-
-
- 2.6 - Additional Data Section
-
- This section contains RRs which are related to the update itself, or
- to new RRs being added by the update. For example, out of zone glue
- (A RRs referred to by new NS RRs) should be presented here. The
- server can use or ignore out of zone glue, at the discretion of the
- server implementor. The format of this section is as specified by
- [RFC1035 4.1.3].
-
-3 - Server Behavior
-
- A server, upon receiving an UPDATE request, will signal NOTIMP to the
- requestor if the UPDATE opcode is not recognized or if it is
- recognized but has not been implemented. Otherwise, processing
- continues as follows.
-
- 3.1 - Process Zone Section
-
- 3.1.1. The Zone Section is checked to see that there is exactly one
- RR therein and that the RR's ZTYPE is SOA, else signal FORMERR to the
- requestor. Next, the ZNAME and ZCLASS are checked to see if the zone
- so named is one of this server's authority zones, else signal NOTAUTH
- to the requestor. If the server is a zone slave, the request will be
- forwarded toward the primary master.
-
- 3.1.2 - Pseudocode For Zone Section Processing
-
- if (zcount != 1 || ztype != SOA)
- return (FORMERR)
- if (zone_type(zname, zclass) == SLAVE)
- return forward()
- if (zone_type(zname, zclass) == MASTER)
- return update()
- return (NOTAUTH)
-
- Sections 3.2 through 3.8 describe the primary master's behaviour,
- whereas Section 6 describes a forwarder's behaviour.
-
- 3.2 - Process Prerequisite Section
-
- Next, the Prerequisite Section is checked to see that all
- prerequisites are satisfied by the current state of the zone. Using
- the definitions expressed in Section 1.2, if any RR's NAME is not
- within the zone specified in the Zone Section, signal NOTZONE to the
- requestor.
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 10]
-
-RFC 2136 DNS Update April 1997
-
-
- 3.2.1. For RRs in this section whose CLASS is ANY, test to see that
- TTL and RDLENGTH are both zero (0), else signal FORMERR to the
- requestor. If TYPE is ANY, test to see that there is at least one RR
- in the zone whose NAME is the same as that of the Prerequisite RR,
- else signal NXDOMAIN to the requestor. If TYPE is not ANY, test to
- see that there is at least one RR in the zone whose NAME and TYPE are
- the same as that of the Prerequisite RR, else signal NXRRSET to the
- requestor.
-
- 3.2.2. For RRs in this section whose CLASS is NONE, test to see that
- the TTL and RDLENGTH are both zero (0), else signal FORMERR to the
- requestor. If the TYPE is ANY, test to see that there are no RRs in
- the zone whose NAME is the same as that of the Prerequisite RR, else
- signal YXDOMAIN to the requestor. If the TYPE is not ANY, test to
- see that there are no RRs in the zone whose NAME and TYPE are the
- same as that of the Prerequisite RR, else signal YXRRSET to the
- requestor.
-
- 3.2.3. For RRs in this section whose CLASS is the same as the ZCLASS,
- test to see that the TTL is zero (0), else signal FORMERR to the
- requestor. Then, build an RRset for each unique <NAME,TYPE> and
- compare each resulting RRset for set equality (same members, no more,
- no less) with RRsets in the zone. If any Prerequisite RRset is not
- entirely and exactly matched by a zone RRset, signal NXRRSET to the
- requestor. If any RR in this section has a CLASS other than ZCLASS
- or NONE or ANY, signal FORMERR to the requestor.
-
- 3.2.4 - Table Of Metavalues Used In Prerequisite Section
-
- CLASS TYPE RDATA Meaning
- ------------------------------------------------------------
- ANY ANY empty Name is in use
- ANY rrset empty RRset exists (value independent)
- NONE ANY empty Name is not in use
- NONE rrset empty RRset does not exist
- zone rrset rr RRset exists (value dependent)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 11]
-
-RFC 2136 DNS Update April 1997
-
-
- 3.2.5 - Pseudocode for Prerequisite Section Processing
-
- for rr in prerequisites
- if (rr.ttl != 0)
- return (FORMERR)
- if (zone_of(rr.name) != ZNAME)
- return (NOTZONE);
- if (rr.class == ANY)
- if (rr.rdlength != 0)
- return (FORMERR)
- if (rr.type == ANY)
- if (!zone_name<rr.name>)
- return (NXDOMAIN)
- else
- if (!zone_rrset<rr.name, rr.type>)
- return (NXRRSET)
- if (rr.class == NONE)
- if (rr.rdlength != 0)
- return (FORMERR)
- if (rr.type == ANY)
- if (zone_name<rr.name>)
- return (YXDOMAIN)
- else
- if (zone_rrset<rr.name, rr.type>)
- return (YXRRSET)
- if (rr.class == zclass)
- temp<rr.name, rr.type> += rr
- else
- return (FORMERR)
-
- for rrset in temp
- if (zone_rrset<rrset.name, rrset.type> != rrset)
- return (NXRRSET)
-
- 3.3 - Check Requestor's Permissions
-
- 3.3.1. Next, the requestor's permission to update the RRs named in
- the Update Section may be tested in an implementation dependent
- fashion or using mechanisms specified in a subsequent Secure DNS
- Update protocol. If the requestor does not have permission to
- perform these updates, the server may write a warning message in its
- operations log, and may either signal REFUSED to the requestor, or
- ignore the permission problem and proceed with the update.
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 12]
-
-RFC 2136 DNS Update April 1997
-
-
- 3.3.2. While the exact processing is implementation defined, if these
- verification activities are to be performed, this is the point in the
- server's processing where such performance should take place, since
- if a REFUSED condition is encountered after an update has been
- partially applied, it will be necessary to undo the partial update
- and restore the zone to its original state before answering the
- requestor.
-
- 3.3.3 - Pseudocode for Permission Checking
-
- if (security policy exists)
- if (this update is not permitted)
- if (local option)
- log a message about permission problem
- if (local option)
- return (REFUSED)
-
- 3.4 - Process Update Section
-
- Next, the Update Section is processed as follows.
-
- 3.4.1 - Prescan
-
- The Update Section is parsed into RRs and each RR's CLASS is checked
- to see if it is ANY, NONE, or the same as the Zone Class, else signal
- a FORMERR to the requestor. Using the definitions in Section 1.2,
- each RR's NAME must be in the zone specified by the Zone Section,
- else signal NOTZONE to the requestor.
-
- 3.4.1.2. For RRs whose CLASS is not ANY, check the TYPE and if it is
- ANY, AXFR, MAILA, MAILB, or any other QUERY metatype, or any
- unrecognized type, then signal FORMERR to the requestor. For RRs
- whose CLASS is ANY or NONE, check the TTL to see that it is zero (0),
- else signal a FORMERR to the requestor. For any RR whose CLASS is
- ANY, check the RDLENGTH to make sure that it is zero (0) (that is,
- the RDATA field is empty), and that the TYPE is not AXFR, MAILA,
- MAILB, or any other QUERY metatype besides ANY, or any unrecognized
- type, else signal FORMERR to the requestor.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 13]
-
-RFC 2136 DNS Update April 1997
-
-
- 3.4.1.3 - Pseudocode For Update Section Prescan
-
- [rr] for rr in updates
- if (zone_of(rr.name) != ZNAME)
- return (NOTZONE);
- if (rr.class == zclass)
- if (rr.type & ANY|AXFR|MAILA|MAILB)
- return (FORMERR)
- elsif (rr.class == ANY)
- if (rr.ttl != 0 || rr.rdlength != 0
- || rr.type & AXFR|MAILA|MAILB)
- return (FORMERR)
- elsif (rr.class == NONE)
- if (rr.ttl != 0 || rr.type & ANY|AXFR|MAILA|MAILB)
- return (FORMERR)
- else
- return (FORMERR)
-
- 3.4.2 - Update
-
- The Update Section is parsed into RRs and these RRs are processed in
- order.
-
- 3.4.2.1. If any system failure (such as an out of memory condition,
- or a hardware error in persistent storage) occurs during the
- processing of this section, signal SERVFAIL to the requestor and undo
- all updates applied to the zone during this transaction.
-
- 3.4.2.2. Any Update RR whose CLASS is the same as ZCLASS is added to
- the zone. In case of duplicate RDATAs (which for SOA RRs is always
- the case, and for WKS RRs is the case if the ADDRESS and PROTOCOL
- fields both match), the Zone RR is replaced by Update RR. If the
- TYPE is SOA and there is no Zone SOA RR, or the new SOA.SERIAL is
- lower (according to [RFC1982]) than or equal to the current Zone SOA
- RR's SOA.SERIAL, the Update RR is ignored. In the case of a CNAME
- Update RR and a non-CNAME Zone RRset or vice versa, ignore the CNAME
- Update RR, otherwise replace the CNAME Zone RR with the CNAME Update
- RR.
-
- 3.4.2.3. For any Update RR whose CLASS is ANY and whose TYPE is ANY,
- all Zone RRs with the same NAME are deleted, unless the NAME is the
- same as ZNAME in which case only those RRs whose TYPE is other than
- SOA or NS are deleted. For any Update RR whose CLASS is ANY and
- whose TYPE is not ANY all Zone RRs with the same NAME and TYPE are
- deleted, unless the NAME is the same as ZNAME in which case neither
- SOA or NS RRs will be deleted.
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 14]
-
-RFC 2136 DNS Update April 1997
-
-
- 3.4.2.4. For any Update RR whose class is NONE, any Zone RR whose
- NAME, TYPE, RDATA and RDLENGTH are equal to the Update RR is deleted,
- unless the NAME is the same as ZNAME and either the TYPE is SOA or
- the TYPE is NS and the matching Zone RR is the only NS remaining in
- the RRset, in which case this Update RR is ignored.
-
- 3.4.2.5. Signal NOERROR to the requestor.
-
- 3.4.2.6 - Table Of Metavalues Used In Update Section
-
- CLASS TYPE RDATA Meaning
- ---------------------------------------------------------
- ANY ANY empty Delete all RRsets from a name
- ANY rrset empty Delete an RRset
- NONE rrset rr Delete an RR from an RRset
- zone rrset rr Add to an RRset
-
- 3.4.2.7 - Pseudocode For Update Section Processing
-
- [rr] for rr in updates
- if (rr.class == zclass)
- if (rr.type == CNAME)
- if (zone_rrset<rr.name, ~CNAME>)
- next [rr]
- elsif (zone_rrset<rr.name, CNAME>)
- next [rr]
- if (rr.type == SOA)
- if (!zone_rrset<rr.name, SOA> ||
- zone_rr<rr.name, SOA>.serial > rr.soa.serial)
- next [rr]
- for zrr in zone_rrset<rr.name, rr.type>
- if (rr.type == CNAME || rr.type == SOA ||
- (rr.type == WKS && rr.proto == zrr.proto &&
- rr.address == zrr.address) ||
- rr.rdata == zrr.rdata)
- zrr = rr
- next [rr]
- zone_rrset<rr.name, rr.type> += rr
- elsif (rr.class == ANY)
- if (rr.type == ANY)
- if (rr.name == zname)
- zone_rrset<rr.name, ~(SOA|NS)> = Nil
- else
- zone_rrset<rr.name, *> = Nil
- elsif (rr.name == zname &&
- (rr.type == SOA || rr.type == NS))
- next [rr]
- else
-
-
-
-Vixie, et. al. Standards Track [Page 15]
-
-RFC 2136 DNS Update April 1997
-
-
- zone_rrset<rr.name, rr.type> = Nil
- elsif (rr.class == NONE)
- if (rr.type == SOA)
- next [rr]
- if (rr.type == NS && zone_rrset<rr.name, NS> == rr)
- next [rr]
- zone_rr<rr.name, rr.type, rr.data> = Nil
- return (NOERROR)
-
- 3.5 - Stability
-
- When a zone is modified by an UPDATE operation, the server must
- commit the change to nonvolatile storage before sending a response to
- the requestor or answering any queries or transfers for the modified
- zone. It is reasonable for a server to store only the update records
- as long as a system reboot or power failure will cause these update
- records to be incorporated into the zone the next time the server is
- started. It is also reasonable for the server to copy the entire
- modified zone to nonvolatile storage after each update operation,
- though this would have suboptimal performance for large zones.
-
- 3.6 - Zone Identity
-
- If the zone's SOA SERIAL is changed by an update operation, that
- change must be in a positive direction (using modulo 2**32 arithmetic
- as specified by [RFC1982]). Attempts to replace an SOA with one
- whose SERIAL is less than the current one will be silently ignored by
- the primary master server.
-
- If the zone's SOA's SERIAL is not changed as a result of an update
- operation, then the server shall increment it automatically before
- the SOA or any changed name or RR or RRset is included in any
- response or transfer. The primary master server's implementor might
- choose to autoincrement the SOA SERIAL if any of the following events
- occurs:
-
- (1) Each update operation.
-
- (2) A name, RR or RRset in the zone has changed and has subsequently
- been visible to a DNS client since the unincremented SOA was
- visible to a DNS client, and the SOA is about to become visible
- to a DNS client.
-
- (3) A configurable period of time has elapsed since the last update
- operation. This period shall be less than or equal to one third
- of the zone refresh time, and the default shall be the lesser of
- that maximum and 300 seconds.
-
-
-
-
-Vixie, et. al. Standards Track [Page 16]
-
-RFC 2136 DNS Update April 1997
-
-
- (4) A configurable number of updates has been applied since the last
- SOA change. The default value for this configuration parameter
- shall be one hundred (100).
-
- It is imperative that the zone's contents and the SOA's SERIAL be
- tightly synchronized. If the zone appears to change, the SOA must
- appear to change as well.
-
- 3.7 - Atomicity
-
- During the processing of an UPDATE transaction, the server must
- ensure atomicity with respect to other (concurrent) UPDATE or QUERY
- transactions. No two transactions can be processed concurrently if
- either depends on the final results of the other; in particular, a
- QUERY should not be able to retrieve RRsets which have been partially
- modified by a concurrent UPDATE, and an UPDATE should not be able to
- start from prerequisites that might not still hold at the completion
- of some other concurrent UPDATE. Finally, if two UPDATE transactions
- would modify the same names, RRs or RRsets, then such UPDATE
- transactions must be serialized.
-
- 3.8 - Response
-
- At the end of UPDATE processing, a response code will be known. A
- response message is generated by copying the ID and Opcode fields
- from the request, and either copying the ZOCOUNT, PRCOUNT, UPCOUNT,
- and ADCOUNT fields and associated sections, or placing zeros (0) in
- the these "count" fields and not including any part of the original
- update. The QR bit is set to one (1), and the response is sent back
- to the requestor. If the requestor used UDP, then the response will
- be sent to the requestor's source UDP port. If the requestor used
- TCP, then the response will be sent back on the requestor's open TCP
- connection.
-
-4 - Requestor Behaviour
-
- 4.1. From a requestor's point of view, any authoritative server for
- the zone can appear to be able to process update requests, even
- though only the primary master server is actually able to modify the
- zone's master file. Requestors are expected to know the name of the
- zone they intend to update and to know or be able to determine the
- name servers for that zone.
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 17]
-
-RFC 2136 DNS Update April 1997
-
-
- 4.2. If update ordering is desired, the requestor will need to know
- the value of the existing SOA RR. Requestors who update the SOA RR
- must update the SOA SERIAL field in a positive direction (as defined
- by [RFC1982]) and also preserve the other SOA fields unless the
- requestor's explicit intent is to change them. The SOA SERIAL field
- must never be set to zero (0).
-
- 4.3. If the requestor has reasonable cause to believe that all of a
- zone's servers will be equally reachable, then it should arrange to
- try the primary master server (as given by the SOA MNAME field if
- matched by some NS NSDNAME) first to avoid unnecessary forwarding
- inside the slave servers. (Note that the primary master will in some
- cases not be reachable by all requestors, due to firewalls or network
- partitioning.)
-
- 4.4. Once the zone's name servers been found and possibly sorted so
- that the ones more likely to be reachable and/or support the UPDATE
- opcode are listed first, the requestor composes an UPDATE message of
- the following form and sends it to the first name server on its list:
-
- ID: (new)
- Opcode: UPDATE
- Zone zcount: 1
- Zone zname: (zone name)
- Zone zclass: (zone class)
- Zone ztype: T_SOA
- Prerequisite Section: (see previous text)
- Update Section: (see previous text)
- Additional Data Section: (empty)
-
- 4.5. If the requestor receives a response, and the response has an
- RCODE other than SERVFAIL or NOTIMP, then the requestor returns an
- appropriate response to its caller.
-
- 4.6. If a response is received whose RCODE is SERVFAIL or NOTIMP, or
- if no response is received within an implementation dependent timeout
- period, or if an ICMP error is received indicating that the server's
- port is unreachable, then the requestor will delete the unusable
- server from its internal name server list and try the next one,
- repeating until the name server list is empty. If the requestor runs
- out of servers to try, an appropriate error will be returned to the
- requestor's caller.
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 18]
-
-RFC 2136 DNS Update April 1997
-
-
-5 - Duplicate Detection, Ordering and Mutual Exclusion
-
- 5.1. For correct operation, mechanisms may be needed to ensure
- idempotence, order UPDATE requests and provide mutual exclusion. An
- UPDATE message or response might be delivered zero times, one time,
- or multiple times. Datagram duplication is of particular interest
- since it covers the case of the so-called "replay attack" where a
- correct request is duplicated maliciously by an intruder.
-
- 5.2. Multiple UPDATE requests or responses in transit might be
- delivered in any order, due to network topology changes or load
- balancing, or to multipath forwarding graphs wherein several slave
- servers all forward to the primary master. In some cases, it might
- be required that the earlier update not be applied after the later
- update, where "earlier" and "later" are defined by an external time
- base visible to some set of requestors, rather than by the order of
- request receipt at the primary master.
-
- 5.3. A requestor can ensure transaction idempotence by explicitly
- deleting some "marker RR" (rather than deleting the RRset of which it
- is a part) and then adding a new "marker RR" with a different RDATA
- field. The Prerequisite Section should specify that the original
- "marker RR" must be present in order for this UPDATE message to be
- accepted by the server.
-
- 5.4. If the request is duplicated by a network error, all duplicate
- requests will fail since only the first will find the original
- "marker RR" present and having its known previous value. The
- decisions of whether to use such a "marker RR" and what RR to use are
- left up to the application programmer, though one obvious choice is
- the zone's SOA RR as described below.
-
- 5.5. Requestors can ensure update ordering by externally
- synchronizing their use of successive values of the "marker RR."
- Mutual exclusion can be addressed as a degenerate case, in that a
- single succession of the "marker RR" is all that is needed.
-
- 5.6. A special case where update ordering and datagram duplication
- intersect is when an RR validly changes to some new value and then
- back to its previous value. Without a "marker RR" as described
- above, this sequence of updates can leave the zone in an undefined
- state if datagrams are duplicated.
-
- 5.7. To achieve an atomic multitransaction "read-modify-write" cycle,
- a requestor could first retrieve the SOA RR, and build an UPDATE
- message one of whose prerequisites was the old SOA RR. It would then
- specify updates that would delete this SOA RR and add a new one with
- an incremented SOA SERIAL, along with whatever actual prerequisites
-
-
-
-Vixie, et. al. Standards Track [Page 19]
-
-RFC 2136 DNS Update April 1997
-
-
- and updates were the object of the transaction. If the transaction
- succeeds, the requestor knows that the RRs being changed were not
- otherwise altered by any other requestor.
-
-6 - Forwarding
-
- When a zone slave forwards an UPDATE message upward toward the zone's
- primary master server, it must allocate a new ID and prepare to enter
- the role of "forwarding server," which is a requestor with respect to
- the forward server.
-
- 6.1. The set of forward servers will be same as the set of servers
- this zone slave would use as the source of AXFR or IXFR data. So,
- while the original requestor might have used the zone's NS RRset to
- locate its update server, a forwarder always forwards toward its
- designated zone master servers.
-
- 6.2. If the original requestor used TCP, then the TCP connection from
- the requestor is still open and the forwarder must use TCP to forward
- the message. If the original requestor used UDP, the forwarder may
- use either UDP or TCP to forward the message, at the whim of the
- implementor.
-
- 6.3. It is reasonable for forward servers to be forwarders
- themselves, if the AXFR dependency graph being followed is a deep one
- involving firewalls and multiple connectivity realms. In most cases
- the AXFR dependency graph will be shallow and the forward server will
- be the primary master server.
-
- 6.4. The forwarder will not respond to its requestor until it
- receives a response from its forward server. UPDATE transactions
- involving forwarders are therefore time synchronized with respect to
- the original requestor and the primary master server.
-
- 6.5. When there are multiple possible sources of AXFR data and
- therefore multiple possible forward servers, a forwarder will use the
- same fallback strategy with respect to connectivity or timeout errors
- that it would use when performing an AXFR. This is implementation
- dependent.
-
- 6.6. When a forwarder receives a response from a forward server, it
- copies this response into a new response message, assigns its
- requestor's ID to that message, and sends the response back to the
- requestor.
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 20]
-
-RFC 2136 DNS Update April 1997
-
-
-7 - Design, Implementation, Operation, and Protocol Notes
-
- Some of the principles which guided the design of this UPDATE
- specification are as follows. Note that these are not part of the
- formal specification and any disagreement between this section and
- any other section of this document should be resolved in favour of
- the other section.
-
- 7.1. Using metavalues for CLASS is possible only because all RRs in
- the packet are assumed to be in the same zone, and CLASS is an
- attribute of a zone rather than of an RRset. (It is for this reason
- that the Zone Section is not optional.)
-
- 7.2. Since there are no data-present or data-absent errors possible
- from processing the Update Section, any necessary data-present and
- data- absent dependencies should be specified in the Prerequisite
- Section.
-
- 7.3. The Additional Data Section can be used to supply a server with
- out of zone glue that will be needed in referrals. For example, if
- adding a new NS RR to HOME.VIX.COM specifying a nameserver called
- NS.AU.OZ, the A RR for NS.AU.OZ can be included in the Additional
- Data Section. Servers can use this information or ignore it, at the
- discretion of the implementor. We discourage caching this
- information for use in subsequent DNS responses.
-
- 7.4. The Additional Data Section might be used if some of the RRs
- later needed for Secure DNS Update are not actually zone updates, but
- rather ancillary keys or signatures not intended to be stored in the
- zone (as an update would be), yet necessary for validating the update
- operation.
-
- 7.5. It is expected that in the absence of Secure DNS Update, a
- server will only accept updates if they come from a source address
- that has been statically configured in the server's description of a
- primary master zone. DHCP servers would be likely candidates for
- inclusion in this statically configured list.
-
- 7.6. It is not possible to create a zone using this protocol, since
- there is no provision for a slave server to be told who its master
- servers are. It is expected that this protocol will be extended in
- the future to cover this case. Therefore, at this time, the addition
- of SOA RRs is unsupported. For similar reasons, deletion of SOA RRs
- is also unsupported.
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 21]
-
-RFC 2136 DNS Update April 1997
-
-
- 7.7. The prerequisite for specifying that a name own at least one RR
- differs semantically from QUERY, in that QUERY would return
- <NOERROR,ANCOUNT=0> rather than NXDOMAIN if queried for an RRset at
- this name, while UPDATE's prerequisite condition [Section 2.4.4]
- would NOT be satisfied.
-
- 7.8. It is possible for a UDP response to be lost in transit and for
- a request to be retried due to a timeout condition. In this case an
- UPDATE that was successful the first time it was received by the
- primary master might ultimately appear to have failed when the
- response to a duplicate request is finally received by the requestor.
- (This is because the original prerequisites may no longer be
- satisfied after the update has been applied.) For this reason,
- requestors who require an accurate response code must use TCP.
-
- 7.9. Because a requestor who requires an accurate response code will
- initiate their UPDATE transaction using TCP, a forwarder who receives
- a request via TCP must forward it using TCP.
-
- 7.10. Deferral of SOA SERIAL autoincrements is made possible so that
- serial numbers can be conserved and wraparound at 2**32 can be made
- an infrequent occurance. Visible (to DNS clients) SOA SERIALs need
- to differ if the zone differs. Note that the Authority Section SOA
- in a QUERY response is a form of visibility, for the purposes of this
- prerequisite.
-
- 7.11. A zone's SOA SERIAL should never be set to zero (0) due to
- interoperability problems with some older but widely installed
- implementations of DNS. When incrementing an SOA SERIAL, if the
- result of the increment is zero (0) (as will be true when wrapping
- around 2**32), it is necessary to increment it again or set it to one
- (1). See [RFC1982] for more detail on this subject.
-
- 7.12. Due to the TTL minimalization necessary when caching an RRset,
- it is recommended that all TTLs in an RRset be set to the same value.
- While the DNS Message Format permits variant TTLs to exist in the
- same RRset, and this variance can exist inside a zone, such variance
- will have counterintuitive results and its use is discouraged.
-
- 7.13. Zone cut management presents some obscure corner cases to the
- add and delete operations in the Update Section. It is possible to
- delete an NS RR as long as it is not the last NS RR at the root of a
- zone. If deleting all RRs from a name, SOA and NS RRs at the root of
- a zone are unaffected. If deleting RRsets, it is not possible to
- delete either SOA or NS RRsets at the top of a zone. An attempt to
- add an SOA will be treated as a replace operation if an SOA already
- exists, or as a no-op if the SOA would be new.
-
-
-
-
-Vixie, et. al. Standards Track [Page 22]
-
-RFC 2136 DNS Update April 1997
-
-
- 7.14. No semantic checking is required in the primary master server
- when adding new RRs. Therefore a requestor can cause CNAME or NS or
- any other kind of RR to be added even if their target name does not
- exist or does not have the proper RRsets to make the original RR
- useful. Primary master servers that DO implement this kind of
- checking should take great care to avoid out-of-zone dependencies
- (whose veracity cannot be authoritatively checked) and should
- implement all such checking during the prescan phase.
-
- 7.15. Nonterminal or wildcard CNAMEs are not well specified by
- [RFC1035] and their use will probably lead to unpredictable results.
- Their use is discouraged.
-
- 7.16. Empty nonterminals (nodes with children but no RRs of their
- own) will cause <NOERROR,ANCOUNT=0> responses to be sent in response
- to a query of any type for that name. There is no provision for
- empty terminal nodes -- so if all RRs of a terminal node are deleted,
- the name is no longer in use, and queries of any type for that name
- will result in an NXDOMAIN response.
-
- 7.17. In a deep AXFR dependency graph, it has not historically been
- an error for slaves to depend mutually upon each other. This
- configuration has been used to enable a zone to flow from the primary
- master to all slaves even though not all slaves have continuous
- connectivity to the primary master. UPDATE's use of the AXFR
- dependency graph for forwarding prohibits this kind of dependency
- loop, since UPDATE forwarding has no loop detection analagous to the
- SOA SERIAL pretest used by AXFR.
-
- 7.18. Previously existing names which are occluded by a new zone cut
- are still considered part of the parent zone, for the purposes of
- zone transfers, even though queries for such names will be referred
- to the new subzone's servers. If a zone cut is removed, all parent
- zone names that were occluded by it will again become visible to
- queries. (This is a clarification of [RFC1034].)
-
- 7.19. If a server is authoritative for both a zone and its child,
- then queries for names at the zone cut between them will be answered
- authoritatively using only data from the child zone. (This is a
- clarification of [RFC1034].)
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 23]
-
-RFC 2136 DNS Update April 1997
-
-
- 7.20. Update ordering using the SOA RR is problematic since there is
- no way to know which of a zone's NS RRs represents the primary
- master, and the zone slaves can be out of date if their SOA.REFRESH
- timers have not elapsed since the last time the zone was changed on
- the primary master. We recommend that a zone needing ordered updates
- use only servers which implement NOTIFY (see [RFC1996]) and IXFR (see
- [RFC1995]), and that a client receiving a prerequisite error while
- attempting an ordered update simply retry after a random delay period
- to allow the zone to settle.
-
-8 - Security Considerations
-
- 8.1. In the absence of [RFC2137] or equivilent technology, the
- protocol described by this document makes it possible for anyone who
- can reach an authoritative name server to alter the contents of any
- zones on that server. This is a serious increase in vulnerability
- from the current technology. Therefore it is very strongly
- recommended that the protocols described in this document not be used
- without [RFC2137] or other equivalently strong security measures,
- e.g. IPsec.
-
- 8.2. A denial of service attack can be launched by flooding an update
- forwarder with TCP sessions containing updates that the primary
- master server will ultimately refuse due to permission problems.
- This arises due to the requirement that an update forwarder receiving
- a request via TCP use a synchronous TCP session for its forwarding
- operation. The connection management mechanisms of [RFC1035 4.2.2]
- are sufficient to prevent large scale damage from such an attack, but
- not to prevent some queries from going unanswered during the attack.
-
-Acknowledgements
-
- We would like to thank the IETF DNSIND working group for their input
- and assistance, in particular, Rob Austein, Randy Bush, Donald
- Eastlake, Masataka Ohta, Mark Andrews, and Robert Elz. Special
- thanks to Bill Simpson, Ken Wallich and Bob Halley for reviewing this
- document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 24]
-
-RFC 2136 DNS Update April 1997
-
-
-References
-
- [RFC1035]
- Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
- [RFC1982]
- Elz, R., "Serial Number Arithmetic", RFC 1982, University of
- Melbourne, August 1996.
-
- [RFC1995]
- Ohta, M., "Incremental Zone Transfer", RFC 1995, Tokyo Institute
- of Technology, August 1996.
-
- [RFC1996]
- Vixie, P., "A Mechanism for Prompt Notification of Zone Changes",
- RFC 1996, Internet Software Consortium, August 1996.
-
- [RFC2065]
- Eastlake, D., and C. Kaufman, "Domain Name System Protocol
- Security Extensions", RFC 2065, January 1997.
-
- [RFC2137]
- Eastlake, D., "Secure Domain Name System Dynamic Update", RFC
- 2137, April 1997.
-
-Authors' Addresses
-
- Yakov Rekhter
- Cisco Systems
- 170 West Tasman Drive
- San Jose, CA 95134-1706
-
- Phone: +1 914 528 0090
- EMail: yakov@cisco.com
-
-
- Susan Thomson
- Bellcore
- 445 South Street
- Morristown, NJ 07960
-
- Phone: +1 201 829 4514
- EMail: set@thumper.bellcore.com
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 25]
-
-RFC 2136 DNS Update April 1997
-
-
- Jim Bound
- Digital Equipment Corp.
- 110 Spitbrook Rd ZK3-3/U14
- Nashua, NH 03062-2698
-
- Phone: +1 603 881 0400
- EMail: bound@zk3.dec.com
-
-
- Paul Vixie
- Internet Software Consortium
- Star Route Box 159A
- Woodside, CA 94062
-
- Phone: +1 415 747 0204
- EMail: paul@vix.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et. al. Standards Track [Page 26]
-
-
diff --git a/contrib/bind9/doc/rfc/rfc2137.txt b/contrib/bind9/doc/rfc/rfc2137.txt
deleted file mode 100644
index ceb3613dde7d..000000000000
--- a/contrib/bind9/doc/rfc/rfc2137.txt
+++ /dev/null
@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake 3rd
-Request for Comments: 2137 CyberCash, Inc.
-Updates: 1035 April 1997
-Category: Standards Track
-
-
- Secure Domain Name System Dynamic Update
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Abstract
-
- Domain Name System (DNS) protocol extensions have been defined to
- authenticate the data in DNS and provide key distribution services
- [RFC2065]. DNS Dynamic Update operations have also been defined
- [RFC2136], but without a detailed description of security for the
- update operation. This memo describes how to use DNSSEC digital
- signatures covering requests and data to secure updates and restrict
- updates to those authorized to perform them as indicated by the
- updater's possession of cryptographic keys.
-
-Acknowledgements
-
- The contributions of the following persons (who are listed in
- alphabetic order) to this memo are gratefully acknowledged:
-
- Olafur Gudmundsson (ogud@tis.com>
- Charlie Kaufman <Charlie_Kaufman@iris.com>
- Stuart Kwan <skwan@microsoft.com>
- Edward Lewis <lewis@tis.com>
-
-Table of Contents
-
- 1. Introduction............................................2
- 1.1 Overview of DNS Dynamic Update.........................2
- 1.2 Overview of DNS Security...............................2
- 2. Two Basic Modes.........................................3
- 3. Keys....................................................5
- 3.1 Update Keys............................................6
- 3.1.1 Update Key Name Scope................................6
- 3.1.2 Update Key Class Scope...............................6
- 3.1.3 Update Key Signatory Field...........................6
-
-
-
-Eastlake Standards Track [Page 1]
-
-RFC 2137 SDNSDU April 1997
-
-
- 3.2 Zone Keys and Update Modes.............................8
- 3.3 Wildcard Key Punch Through.............................9
- 4. Update Signatures.......................................9
- 4.1 Update Request Signatures..............................9
- 4.2 Update Data Signatures................................10
- 5. Security Considerations................................10
- References................................................10
- Author's Address..........................................11
-
-1. Introduction
-
- Dynamic update operations have been defined for the Domain Name
- System (DNS) in RFC 2136, but without a detailed description of
- security for those updates. Means of securing the DNS and using it
- for key distribution have been defined in RFC 2065.
-
- This memo proposes techniques based on the defined DNS security
- mechanisms to authenticate DNS updates.
-
- Familiarity with the DNS system [RFC 1034, 1035] is assumed.
- Familiarity with the DNS security and dynamic update proposals will
- be helpful.
-
-1.1 Overview of DNS Dynamic Update
-
- DNS dynamic update defines a new DNS opcode, new DNS request and
- response structure if that opcode is used, and new error codes. An
- update can specify complex combinations of deletion and insertion
- (with or without pre-existence testing) of resource records (RRs)
- with one or more owner names; however, all testing and changes for
- any particular DNS update request are restricted to a single zone.
- Updates occur at the primary server for a zone.
-
- The primary server for a secure dynamic zone must increment the zone
- SOA serial number when an update occurs or the next time the SOA is
- retrieved if one or more updates have occurred since the previous SOA
- retrieval and the updates themselves did not update the SOA.
-
-1.2 Overview of DNS Security
-
- DNS security authenticates data in the DNS by also storing digital
- signatures in the DNS as SIG resource records (RRs). A SIG RR
- provides a digital signature on the set of all RRs with the same
- owner name and class as the SIG and whose type is the type covered by
- the SIG. The SIG RR cryptographically binds the covered RR set to
- the signer, time signed, signature expiration date, etc. There are
- one or more keys associated with every secure zone and all data in
- the secure zone is signed either by a zone key or by a dynamic update
-
-
-
-Eastlake Standards Track [Page 2]
-
-RFC 2137 SDNSDU April 1997
-
-
- key tracing its authority to a zone key.
-
- DNS security also defines transaction SIGs and request SIGs.
- Transaction SIGs appear at the end of a response. Transaction SIGs
- authenticate the response and bind it to the corresponding request
- with the key of the host where the responding DNS server is. Request
- SIGs appear at the end of a request and authenticate the request with
- the key of the submitting entity.
-
- Request SIGs are the primary means of authenticating update requests.
-
- DNS security also permits the storage of public keys in the DNS via
- KEY RRs. These KEY RRs are also, of course, authenticated by SIG
- RRs. KEY RRs for zones are stored in their superzone and subzone
- servers, if any, so that the secure DNS tree of zones can be
- traversed by a security aware resolver.
-
-2. Two Basic Modes
-
- A dynamic secure zone is any secure DNS zone containing one or more
- KEY RRs that can authorize dynamic updates, i.e., entity or user KEY
- RRs with the signatory field non-zero, and whose zone KEY RR
- signatory field indicates that updates are implemented. There are two
- basic modes of dynamic secure zone which relate to the update
- strategy, mode A and mode B. A summary comparison table is given
- below and then each mode is described.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 3]
-
-RFC 2137 SDNSDU April 1997
-
-
- SUMMARY OF DYNAMIC SECURE ZONE MODES
-
- CRITERIA: | MODE A | MODE B
- =========================+====================+===================
- Definition: | Zone Key Off line | Zone Key On line
- =========================+====================+===================
- Server Workload | Low | High
- -------------------------+--------------------+-------------------
- Static Data Security | Very High | Medium-High
- -------------------------+--------------------+-------------------
- Dynamic Data Security | Medium | Medium-High
- -------------------------+--------------------+-------------------
- Key Restrictions | Fine grain | Coarse grain
- -------------------------+--------------------+-------------------
- Dynamic Data Temporality | Transient | Permanent
- -------------------------+--------------------+-------------------
- Dynamic Key Rollover | No | Yes
- -------------------------+--------------------+-------------------
-
- For mode A, the zone owner key and static zone master file are always
- kept off-line for maximum security of the static zone contents.
-
- As a consequence, any dynamicly added or changed RRs are signed in
- the secure zone by their authorizing dynamic update key and they are
- backed up, along with this SIG RR, in a separate online dynamic
- master file. In this type of zone, server computation is minimized
- since the server need only check signatures on the update data and
- request, which have already been signed by the updater, generally a
- much faster operation than signing data. However, the AXFR SIG and
- NXT RRs which covers the zone under the zone key will not cover
- dynamically added data. Thus, for type A dynamic secure zones, zone
- transfer security is not automatically provided for dynamically added
- RRs, where they could be omitted, and authentication is not provided
- for the server denial of the existence of a dynamically added type.
- Because the dynamicly added RRs retain their update KEY signed SIG,
- finer grained control of updates can be implemented via bits in the
- KEY RR signatory field. Because dynamic data is only stored in the
- online dynamic master file and only authenticated by dynamic keys
- which expire, updates are transient in nature. Key rollover for an
- entity that can authorize dynamic updates is more cumbersome since
- the authority of their key must be traceable to a zone key and so, in
- general, they must securely communicate a new key to the zone
- authority for manual transfer to the off line static master file.
- NOTE: for this mode the zone SOA must be signed by a dynamic update
- key and that private key must be kept on line so that the SOA can be
- changed for updates.
-
-
-
-
-
-Eastlake Standards Track [Page 4]
-
-RFC 2137 SDNSDU April 1997
-
-
- For mode B, the zone owner key and master file are kept on-line at
- the zone primary server. When authenticated updates succeed, SIGs
- under the zone key for the resulting data (including the possible NXT
- type bit map changes) are calculated and these SIG (and possible NXT)
- changes are entered into the zone and the unified on-line master
- file. (The zone transfer AXFR SIG may be recalculated for each
- update or on demand when a zone transfer is requested and it is out
- of date.)
-
- As a consequence, this mode requires considerably more computational
- effort on the part of the server as the public/private keys are
- generally arranged so that signing (calculating a SIG) is more effort
- than verifying a signature. The security of static data in the zone
- is decreased because the ultimate state of the static data being
- served and the ultimate zone authority private key are all on-line on
- the net. This means that if the primary server is subverted, false
- data could be authenticated to secondaries and other
- servers/resolvers. On the other hand, this mode of operation means
- that data added dynamically is more secure than in mode A. Dynamic
- data will be covered by the AXFR SIG and thus always protected during
- zone transfers and will be included in NXT RRs so that it can be
- falsely denied by a server only to the same extent that static data
- can (i.e., if it is within a wild card scope). Because the zone key
- is used to sign all the zone data, the information as to who
- originated the current state of dynamic RR sets is lost, making
- unavailable the effects of some of the update control bits in the KEY
- RR signatory field. In addition, the incorporation of the updates
- into the primary master file and their authentication by the zone key
- makes then permanent in nature. Maintaining the zone key on-line
- also means that dynamic update keys which are signed by the zone key
- can be dynamically updated since the zone key is available to
- dynamically sign new values.
-
- NOTE: The Mode A / Mode B distinction only effects the validation
- and performance of update requests. It has no effect on retrievals.
- One reasonable operational scheme may be to keep a mostly static main
- zone operating in Mode A and have one or more dynamic subzones
- operating in Mode B.
-
-3. Keys
-
- Dynamic update requests depend on update keys as described in section
- 3.1 below. In addition, the zone secure dynamic update mode and
- availability of some options is indicated in the zone key. Finally,
- a special rule is used in searching for KEYs to validate updates as
- described in section 3.3.
-
-
-
-
-
-Eastlake Standards Track [Page 5]
-
-RFC 2137 SDNSDU April 1997
-
-
-3.1 Update Keys
-
- All update requests to a secure zone must include signatures by one
- or more key(s) that together can authorize that update. In order for
- the Domain Name System (DNS) server receiving the request to confirm
- this, the key or keys must be available to and authenticated by that
- server as a specially flagged KEY Resource Record.
-
- The scope of authority of such keys is indicated by their KEY RR
- owner name, class, and signatory field flags as described below. In
- addition, such KEY RRs must be entity or user keys and not have the
- authentication use prohibited bit on. All parts of the actual update
- must be within the scope of at least one of the keys used for a
- request SIG on the update request as described in section 4.
-
-3.1.1 Update Key Name Scope
-
- The owner name of any update authorizing KEY RR must (1) be the same
- as the owner name of any RRs being added or deleted or (2) a wildcard
- name including within its extended scope (see section 3.3) the name
- of any RRs being added or deleted and those RRs must be in the same
- zone.
-
-3.1.2 Update Key Class Scope
-
- The class of any update authorizing KEY RR must be the same as the
- class of any RR's being added or deleted.
-
-3.1.3 Update Key Signatory Field
-
- The four bit "signatory field" (see RFC 2065) of any update
- authorizing KEY RR must be non-zero. The bits have the meanings
- described below for non-zone keys (see section 3.2 for zone type
- keys).
-
- UPDATE KEY RR SIGNATORY FIELD BITS
-
- 0 1 2 3
- +-----------+-----------+-----------+-----------+
- | zone | strong | unique | general |
- +-----------+-----------+-----------+-----------+
-
- Bit 0, zone control - If nonzero, this key is authorized to attach,
- detach, and move zones by creating and deleting NS, glue A, and
- zone KEY RR(s). If zero, the key can not authorize any update
- that would effect such RRs. This bit is meaningful for both
- type A and type B dynamic secure zones.
-
-
-
-
-Eastlake Standards Track [Page 6]
-
-RFC 2137 SDNSDU April 1997
-
-
- NOTE: do not confuse the "zone" signatory field bit with the
- "zone" key type bit.
-
- Bit 1, strong update - If nonzero, this key is authorized to add and
- delete RRs even if there are other RRs with the same owner name
- and class that are authenticated by a SIG signed with a
- different dynamic update KEY. If zero, the key can only
- authorize updates where any existing RRs of the same owner and
- class are authenticated by a SIG using the same key. This bit
- is meaningful only for type A dynamic zones and is ignored in
- type B dynamic zones.
-
- Keeping this bit zero on multiple KEY RRs with the same or
- nested wild card owner names permits multiple entities to exist
- that can create and delete names but can not effect RRs with
- different owner names from any they created. In effect, this
- creates two levels of dynamic update key, strong and weak, where
- weak keys are limited in interfering with each other but a
- strong key can interfere with any weak keys or other strong
- keys.
-
- Bit 2, unique name update - If nonzero, this key is authorized to add
- and update RRs for only a single owner name. If there already
- exist RRs with one or more names signed by this key, they may be
- updated but no new name created until the number of existing
- names is reduced to zero. This bit is meaningful only for mode
- A dynamic zones and is ignored in mode B dynamic zones. This bit
- is meaningful only if the owner name is a wildcard. (Any
- dynamic update KEY with a non-wildcard name is, in effect, a
- unique name update key.)
-
- This bit can be used to restrict a KEY from flooding a zone with
- new names. In conjunction with a local administratively imposed
- limit on the number of dynamic RRs with a particular name, it
- can completely restrict a KEY from flooding a zone with RRs.
-
- Bit 3, general update - The general update signatory field bit has no
- special meaning. If the other three bits are all zero, it must
- be one so that the field is non-zero to designate that the key
- is an update key. The meaning of all values of the signatory
- field with the general bit and one or more other signatory field
- bits on is reserved.
-
- All the signatory bit update authorizations described above only
- apply if the update is within the name and class scope as per
- sections 3.1.1 and 3.1.2.
-
-
-
-
-
-Eastlake Standards Track [Page 7]
-
-RFC 2137 SDNSDU April 1997
-
-
-3.2 Zone Keys and Update Modes
-
- Zone type keys are automatically authorized to sign anything in their
- zone, of course, regardless of the value of their signatory field.
- For zone keys, the signatory field bits have different means than
- they they do for update keys, as shown below. The signatory field
- MUST be zero if dynamic update is not supported for a zone and MUST
- be non-zero if it is.
-
- ZONE KEY RR SIGNATORY FIELD BITS
-
- 0 1 2 3
- +-----------+-----------+-----------+-----------+
- | mode | strong | unique | general |
- +-----------+-----------+-----------+-----------+
-
- Bit 0, mode - This bit indicates the update mode for this zone. Zero
- indicates mode A while a one indicates mode B.
-
- Bit 1, strong update - If nonzero, this indicates that the "strong"
- key feature described in section 3.1.3 above is implemented and
- enabled for this secure zone. If zero, the feature is not
- available. Has no effect if the zone is a mode B secure update
- zone.
-
- Bit 2, unique name update - If nonzero, this indicates that the
- "unique name" feature described in section 3.1.3 above is
- implemented and enabled for this secure zone. If zero, this
- feature is not available. Has no effect if the zone is a mode B
- secure update zone.
-
- Bit 3, general - This bit has no special meeting. If dynamic update
- for a zone is supported and the other bits in the zone key
- signatory field are zero, it must be a one. The meaning of zone
- keys where the signatory field has the general bit and one or
- more other bits on is reserved.
-
- If there are multiple dynamic update KEY RRs for a zone and zone
- policy is in transition, they might have different non-zero signatory
- fields. In that case, strong and unique name restrictions must be
- enforced as long as there is a non-expired zone key being advertised
- that indicates mode A with the strong or unique name bit on
- respectively. Mode B updates MUST be supported as long as there is a
- non-expired zone key that indicates mode B. Mode A updates may be
- treated as mode B updates at server option if non-expired zone keys
- indicate that both are supported.
-
-
-
-
-
-Eastlake Standards Track [Page 8]
-
-RFC 2137 SDNSDU April 1997
-
-
- A server that will be executing update operations on a zone, that is,
- the primary master server, MUST not advertize a zone key that will
- attract requests for a mode or features that it can not support.
-
-3.3 Wildcard Key Punch Through
-
- Just as a zone key is valid throughout the entire zone, update keys
- with wildcard names are valid throughout their extended scope, within
- the zone. That is, they remain valid for any name that would match
- them, even existing specific names within their apparent scope.
-
- If this were not so, then whenever a name within a wildcard scope was
- created by dynamic update, it would be necessary to first create a
- copy of the KEY RR with this name, because otherwise the existence of
- the more specific name would hide the authorizing KEY RR and would
- make later updates impossible. An updater could create such a KEY RR
- but could not zone sign it with their authorizing signer. They would
- have to sign it with the same key using the wildcard name as signer.
- Thus in creating, for example, one hundred type A RRs authorized by a
- *.1.1.1.in-addr.arpa. KEY RR, without key punch through 100 As, 100
- KEYs, and 200 SIGs would have to be created as opposed to merely 100
- As and 100 SIGs with key punch through.
-
-4. Update Signatures
-
- Two kinds of signatures can appear in updates. Request signatures,
- which are always required, cover the entire request and authenticate
- the DNS header, including opcode, counts, etc., as well as the data.
- Data signatures, on the other hand, appear only among the RRs to be
- added and are only required for mode A operation. These two types of
- signatures are described further below.
-
-4.1 Update Request Signatures
-
- An update can effect multiple owner names in a zone. It may be that
- these different names are covered by different dynamic update keys.
- For every owner name effected, the updater must know a private key
- valid for that name (and the zone's class) and must prove this by
- appending request SIG RRs under each such key.
-
- As specified in RFC 2065, a request signature is a SIG RR occurring
- at the end of a request with a type covered field of zero. For an
- update, request signatures occur in the Additional information
- section. Each request SIG signs the entire request, including DNS
- header, but excluding any other request SIG(s) and with the ARCOUNT
- in the DNS header set to what it wold be without the request SIGs.
-
-
-
-
-
-Eastlake Standards Track [Page 9]
-
-RFC 2137 SDNSDU April 1997
-
-
-4.2 Update Data Signatures
-
- Mode A dynamic secure zones require that the update requester provide
- SIG RRs that will authenticate the after update state of all RR sets
- that are changed by the update and are non-empty after the update.
- These SIG RRs appear in the request as RRs to be added and the
- request must delete any previous data SIG RRs that are invalidated by
- the request.
-
- In Mode B dynamic secure zones, all zone data is authenticated by
- zone key SIG RRs. In this case, data signatures need not be included
- with the update. A resolver can determine which mode an updatable
- secure zone is using by examining the signatory field bits of the
- zone KEY RR (see section 3.2).
-
-5. Security Considerations
-
- Any zone permitting dynamic updates is inherently less secure than a
- static secure zone maintained off line as recommended in RFC 2065. If
- nothing else, secure dynamic update requires on line change to and
- re-signing of the zone SOA resource record (RR) to increase the SOA
- serial number. This means that compromise of the primary server host
- could lead to arbitrary serial number changes.
-
- Isolation of dynamic RRs to separate zones from those holding most
- static RRs can limit the damage that could occur from breach of a
- dynamic zone's security.
-
-References
-
- [RFC2065] Eastlake, D., and C. Kaufman, "Domain Name System Security
- Extensions", RFC 2065, CyberCash, Iris, January 1997.
-
- [RFC2136] Vixie, P., Editor, Thomson, T., Rekhter, Y., and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 10]
-
-RFC 2137 SDNSDU April 1997
-
-
-Author's Address
-
- Donald E. Eastlake, 3rd
- CyberCash, Inc.
- 318 Acton Street
- Carlisle, MA 01741 USA
-
- Phone: +1 508-287-4877
- +1 508-371-7148 (fax)
- +1 703-620-4200 (main office, Reston, Virginia, USA)
- EMail: dee@cybercash.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 11]
-
diff --git a/contrib/bind9/doc/rfc/rfc2163.txt b/contrib/bind9/doc/rfc/rfc2163.txt
deleted file mode 100644
index 00fcee7c8843..000000000000
--- a/contrib/bind9/doc/rfc/rfc2163.txt
+++ /dev/null
@@ -1,1459 +0,0 @@
-
-
-
-
-
-
-Network Working Group C. Allocchio
-Request for Comments: 2163 GARR-Italy
-Obsoletes: 1664 January 1998
-Category: Standards Track
-
-
- Using the Internet DNS to Distribute
- MIXER Conformant Global Address Mapping (MCGAM)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-Abstract
-
- This memo is the complete technical specification to store in the
- Internet Domain Name System (DNS) the mapping information (MCGAM)
- needed by MIXER conformant e-mail gateways and other tools to map
- RFC822 domain names into X.400 O/R names and vice versa. Mapping
- information can be managed in a distributed rather than a centralised
- way. Organizations can publish their MIXER mapping or preferred
- gateway routing information using just local resources (their local
- DNS server), avoiding the need for a strong coordination with any
- centralised organization. MIXER conformant gateways and tools located
- on Internet hosts can retrieve the mapping information querying the
- DNS instead of having fixed tables which need to be centrally updated
- and distributed.
-
- This memo obsoletes RFC1664. It includes the changes introduced by
- MIXER specification with respect to RFC1327: the new 'gate1' (O/R
- addresses to domain) table is fully supported. Full backward
- compatibility with RFC1664 specification is mantained, too.
-
- RFC1664 was a joint effort of IETF X400 operation working group
- (x400ops) and TERENA (formely named "RARE") Mail and Messaging
- working group (WG-MSG). This update was performed by the IETF MIXER
- working group.
-
-
-
-
-
-
-Allocchio Standards Track [Page 1]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
-1. Introduction
-
- The connectivity between the Internet SMTP mail and other mail
- services, including the Internet X.400 mail and the commercial X.400
- service providers, is assured by the Mail eXchanger (MX) record
- information distributed via the Internet Domain Name System (DNS). A
- number of documents then specify in details how to convert or encode
- addresses from/to RFC822 style to the other mail system syntax.
- However, only conversion methods provide, via some algorithm or a set
- of mapping rules, a smooth translation, resulting in addresses
- indistinguishable from the native ones in both RFC822 and foreign
- world.
-
- MIXER describes a set of mappings (MIXER Conformant Global Address
- Mapping - MCGAM) which will enable interworking between systems
- operating the CCITT X.400 (1984/88/92) Recommendations and systems
- using using the RFC822 mail protocol, or protocols derived from
- RFC822. That document addresses conversion of services, addresses,
- message envelopes, and message bodies between the two mail systems.
- This document is concerned with one aspect of MIXER: the mechanism
- for mapping between X.400 O/R addresses and RFC822 domain names. As
- described in Appendix F of MIXER, implementation of the mappings
- requires a database which maps between X.400 O/R addresses and domain
- names; in RFC1327 this database was statically defined.
-
- The original approach in RFC1327 required many efforts to maintain
- the correct mapping: all the gateways needed to get coherent tables
- to apply the same mappings, the conversion tables had to be
- distributed among all the operational gateways, and also every update
- needed to be distributed.
-
- The concept of mapping rules distribution and use has been revised in
- the new MIXER specification, introducing the concept of MIXER
- Conformant Global Address Mapping (MCGAM). A MCGAM does not need to
- be globally installed by any MIXER conformant gateway in the world
- any more. However MIXER requires now efficient methods to publish its
- MCGAM.
-
- Static tables are one of the possible methods to publish MCGAM.
- However this static mechanism requires quite a long time to be spent
- modifying and distributing the information, putting heavy constraints
- on the time schedule of every update. In fact it does not appear
- efficient compared to the Internet Domain Name Service (DNS). More
- over it does not look feasible to distribute the database to a large
- number of other useful applications, like local address converters,
- e-mail User Agents or any other tool requiring the mapping rules to
- produce correct results.
-
-
-
-
-Allocchio Standards Track [Page 2]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- Two much more efficient methods are proposed by MIXER for publication
- of MCGAM: the Internet DNS and X.500. This memo is the complete
- technical specification for publishing MCGAM via Internet DNS.
-
- A first proposal to use the Internet DNS to store, retrieve and
- maintain those mappings was introduced by two of the authors of
- RFC1664 (B. Cole and R. Hagens) adopting two new DNS resource record
- (RR) types: TO-X400 and TO-822. This proposal now adopts a more
- complete strategy, and requires one new RR only. The distribution of
- MCGAMs via DNS is in fact an important service for the whole Internet
- community: it completes the information given by MX resource record
- and it allows to produce clean addresses when messages are exchanged
- among the Internet RFC822 world and the X.400 one (both Internet and
- Public X.400 service providers).
-
- A first experiment in using the DNS without expanding the current set
- of RR and using available ones was deployed by some of the authors of
- RFC1664 at the time of its development. The existing PTR resource
- records were used to store the mapping rules, and a new DNS tree was
- created under the ".it" top level domain. The result of the
- experiment was positive, and a few test applications ran under this
- provisional set up. This test was also very useful in order to define
- a possible migration strategy during the deployment of the new DNS
- containing the new RR. The Internet DNS nameservers wishing to
- provide this mapping information need in fact to be modified to
- support the new RR type, and in the real Internet, due to the large
- number of different implementations, this takes some time.
-
- The basic idea is to adopt a new DNS RR to store the mapping
- information. The RFC822 to X.400 mapping rules (including the so
- called 'gate2' rules) will be stored in the ordinary DNS tree, while
- the definition of a new branch of the name space defined under each
- national top level domain is envisaged in order to contain the X.400
- to RFC822 mappings ('table1' and 'gate1'). A "two-way" mapping
- resolution schema is thus fully implemented.
-
- The creation of the new domain name space representing the X.400 O/R
- names structure also provides the chance to use the DNS to distribute
- dynamically other X.400 related information, thus solving other
- efficiency problems currently affecting the X.400 MHS service.
-
- In this paper we will adopt the MCGAM syntax, showing how it can be
- stored into the Internet DNS.
-
-
-
-
-
-
-
-
-Allocchio Standards Track [Page 3]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
-1.1 Definitions syntax
-
- The definitions in this document is given in BNF-like syntax, using
- the following conventions:
-
- | means choice
- \ is used for continuation of a definition over several lines
- [] means optional
- {} means repeated one or more times
-
- The definitions, however, are detailed only until a certain level,
- and below it self-explaining character text strings will be used.
-
-2. Motivation
-
- Implementations of MIXER gateways require that a database store
- address mapping information for X.400 and RFC822. This information
- must be made available (published) to all MIXER gateways. In the
- Internet community, the DNS has proven to be a practical mean for
- providing a distributed name service. Advantages of using a DNS based
- system over a table based approach for mapping between O/R addresses
- and domain names are:
-
- - It avoids fetching and storing of entire mapping tables by every
- host that wishes to implement MIXER gateways and/or tools
-
- - Modifications to the DNS based mapping information can be made
- available in a more timely manner than with a table driven
- approach.
-
- - It allows full authority delegation, in agreement with the
- Internet regionalization process.
-
- - Table management is not necessarily required for DNS-based
- MIXER gateways.
-
- - One can determine the mappings in use by a remote gateway by
- querying the DNS (remote debugging).
-
- Also many other tools, like address converters and User Agents can
- take advantage of the real-time availability of MIXER tables,
- allowing a much easier maintenance of the information.
-
-3. The domain space for X.400 O/R name addresses
-
- Usual domain names (the ones normally used as the global part of an
- RFC822 e-mail address) and their associated information, i.e., host
- IP addresses, mail exchanger names, etc., are stored in the DNS as a
-
-
-
-Allocchio Standards Track [Page 4]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- distributed database under a number of top-level domains. Some top-
- level domains are used for traditional categories or international
- organisations (EDU, COM, NET, ORG, INT, MIL...). On the other hand
- any country has its own two letter ISO country code as top-level
- domain (FR, DE, GB, IT, RU, ...), including "US" for USA. The
- special top-level/second-level couple IN-ADDR.ARPA is used to store
- the IP address to domain name relationship. This memo defines in the
- above structure the appropriate way to locate the X.400 O/R name
- space, thus enabling to store in DNS the MIXER mappings (MCGAMs).
-
- The MIXER mapping information is composed by four tables:
-
- - 'table1' and 'gate1' gives the translation from X.400 to RFC822;
- - 'table2' and 'gate2' tables map RFC822 into X.400.
-
- Each mapping table is composed by mapping rules, and a single mapping
- rule is composed by a keyword (the argument of the mapping function
- derived from the address to be translated) and a translator (the
- mapping function parameter):
-
- keyword#translator#
-
- the '#' sign is a delimiter enclosing the translator. An example:
-
- foo.bar.us#PRMD$foo\.bar.ADMD$intx.C$us#
-
- Local mappings are not intended for use outside their restricted
- environment, thus they should not be included in DNS. If local
- mappings are used, they should be stored using static local tables,
- exactly as local static host tables can be used with DNS.
-
- The keyword of a 'table2' and 'gate2' table entry is a valid RFC822
- domain; thus the usual domain name space can be used without problems
- to store these entries.
- On the other hand, the keyword of a 'table1' and 'gate1' entry
- belongs to the X.400 O/R name space. The X.400 O/R name space does
- not usually fit into the usual domain name space, although there are
- a number of similarities; a new name structure is thus needed to
- represent it. This new name structure contains the X.400 mail
- domains.
-
- To ensure the correct functioning of the DNS system, the new X.400
- name structure must be hooked to the existing domain name space in a
- way which respects the existing name hierarchy.
-
- A possible solution was to create another special branch, starting
- from the root of the DNS tree, somehow similar to the in-addr.arpa
- tree. This idea would have required to establish a central authority
-
-
-
-Allocchio Standards Track [Page 5]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- to coordinate at international level the management of each national
- X.400 name tree, including the X.400 public service providers. This
- coordination problem is a heavy burden if approached globally. More
- over the X.400 name structure is very 'country oriented': thus while
- it requires a coordination at national level, it does not have
- concepts like the international root. In fact the X.400 international
- service is based on a large number of bilateral agreements, and only
- within some communities an international coordination service exists.
-
- The X.400 two letter ISO country codes, however, are the same used
- for the RFC822 country top-level domains and this gives us an
- appropriate hook to insert the new branches. The proposal is, in
- fact, to create under each national top level ISO country code a new
- branch in the name space. This branch represents exactly the X.400
- O/R name structure as defined in each single country, following the
- ADMD, PRMD, O, OU hierarchy. A unique reserved label 'X42D' is placed
- under each country top-level domain, and hence the national X.400
- name space derives its own structure:
-
- . (root)
- |
- +-----------------+-----------+--------+-----------------+...
- | | | |
- edu it us fr
- | | | |
- +---+---+... +-----+-----+... +-----+-----+... +--+---+...
- | | | | | | | | | |
- ... ... cnr X42D infn va ca X42D X42D inria
- | | | |
- +------------+------------+... ... ... +----+-------+...
- | | | | |
- ADMD-PtPostel ADMD-garr ADMD-Master400 ADMD-atlas ADMD-red
- | | | |
- +----------+----+... ... +-------+------+... ...
- | | | |
- PRMD-infn PRMD-STET PRMD-Telecom PRMD-Renault
- | | | |
- ... ... ... ...
-
-
- The creation of the X.400 new name tree at national level solves the
- problem of the international coordination. Actually the coordination
- problem is just moved at national level, but it thus becomes easier
- to solve. The coordination at national level between the X.400
- communities and the Internet world is already a requirement for the
- creation of the national static MIXER mapping tables; the use of the
- Internet DNS gives further motivations for this coordination.
-
-
-
-
-Allocchio Standards Track [Page 6]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- The coordination at national level also fits in the new concept of
- MCGAM pubblication. The DNS in fact allows a step by step authority
- distribution, up to a final complete delegation: thus organizations
- whishing to publish their MCGAM just need to receive delegation also
- for their branch of the new X.400 name space. A further advantage of
- the national based solution is to allow each country to set up its
- own X.400 name structure in DNS and to deploy its own authority
- delegation according to its local time scale and requirements, with
- no loss of global service in the mean time. And last, placing the new
- X.400 name tree and coordination process at national level fits into
- the Internet regionalization and internationalisation process, as it
- requires local bodies to take care of local coordination problems.
-
- The DNS name space thus contains completely the information required
- by an e-mail gateway or tool to perform the X.400-RFC822 mapping: a
- simple query to the nearest nameserver provides it. Moreover there is
- no more any need to store, maintain and distribute manually any
- mapping table. The new X.400 name space can also contain further
- information about the X.400 community, as DNS allows for it a
- complete set of resource records, and thus it allows further
- developments. This set of RRs in the new X.400 name space must be
- considered 'reserved' and thus not used until further specifications.
-
- The construction of the new domain space trees will follow the same
- procedures used when organising at first the already existing DNS
- space: at first the information will be stored in a quite centralised
- way, and distribution of authority will be gradually achieved. A
- separate document will describe the implementation phase and the
- methods to assure a smooth introduction of the new service.
-
-4. The new DNS resource record for MIXER mapping rules: PX
-
- The specification of the Internet DNS (RFC1035) provides a number of
- specific resource records (RRs) to contain specific pieces of
- information. In particular they contain the Mail eXchanger (MX) RR
- and the host Address (A) records which are used by the Internet SMTP
- mailers. As we will store the RFC822 to X.400 mapping information in
- the already existing DNS name tree, we need to define a new DNS RR in
- order to avoid any possible clash or misuse of already existing data
- structures. The same new RR will also be used to store the mappings
- from X.400 to RFC822. More over the mapping information, i.e., the
- MCGAMs, has a specific format and syntax which require an appropriate
- data structure and processing. A further advantage of defining a new
- RR is the ability to include flexibility for some eventual future
- development.
-
-
-
-
-
-
-Allocchio Standards Track [Page 7]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- The definition of the new 'PX' DNS resource record is:
-
- class: IN (Internet)
-
- name: PX (pointer to X.400/RFC822 mapping information)
-
- value: 26
-
- The PX RDATA format is:
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | PREFERENCE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / MAP822 /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / MAPX400 /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- where:
-
- PREFERENCE A 16 bit integer which specifies the preference given to
- this RR among others at the same owner. Lower values
- are preferred;
-
- MAP822 A <domain-name> element containing <rfc822-domain>, the
- RFC822 part of the MCGAM;
-
- MAPX400 A <domain-name> element containing the value of
- <x400-in-domain-syntax> derived from the X.400 part of
- the MCGAM (see sect. 4.2);
-
- PX records cause no additional section processing. The PX RR format
- is the usual one:
-
- <name> [<class>] [<TTL>] <type> <RDATA>
-
- When we store in DNS a 'table1' or a 'gate1' entry, then <name> will
- be an X.400 mail domain name in DNS syntax (see sect. 4.2). When we
- store a 'table2' or a 'gate2' table entry, <name> will be an RFC822
- mail domain name, including both fully qualified DNS domains and mail
- only domains (MX-only domains). All normal DNS conventions, like
- default values, wildcards, abbreviations and message compression,
- apply also for all the components of the PX RR. In particular <name>,
- MAP822 and MAPX400, as <domain-name> elements, must have the final
- "." (root) when they are fully qualified.
-
-
-
-
-Allocchio Standards Track [Page 8]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
-4.1 Additional features of the PX resource record
-
- The definition of the RDATA for the PX resource record, and the fact
- that DNS allows a distinction between an exact value and a wildcard
- match for the <name> parameter, represent an extension of the MIXER
- specification for mapping rules. In fact, any MCGAM entry is an
- implicit wildcard entry, i.e., the rule
-
- net2.it#PRMD$net2.ADMD$p400.C$it#
-
- covers any RFC822 domain ending with 'net2.it', unless more detailed
- rules for some subdomain in 'net2.it' are present. Thus there is no
- possibility to specify explicitly a MCGAM as an exact match only
- rule. In DNS an entry like
-
- *.net2.it. IN PX 10 net2.it. PRMD-net2.ADMD-p400.C-it.
-
- specify the usual wildcard match as for MIXER tables. However an
- entry like
-
- ab.net2.it. IN PX 10 ab.net2.it. O-ab.PRMD-net2.ADMDb.C-it.
-
- is valid only for an exact match of 'ab.net2.it' RFC822 domain.
-
- Note also that in DNS syntax there is no '#' delimiter around MAP822
- and MAPX400 fields: the syntax defined in sect. 4.2 in fact does not
- allow the <blank> (ASCII decimal 32) character within these fields,
- making unneeded the use of an explicit delimiter as required in the
- MIXER original syntax.
-
- Another extension to the MIXER specifications is the PREFERENCE value
- defined as part of the PX RDATA section. This numeric value has
- exactly the same meaning than the similar one used for the MX RR. It
- is thus possible to specify more than one single mapping for a domain
- (both from RFC822 to X.400 and vice versa), giving as the preference
- order. In MIXER static tables, however, you cannot specify more than
- one mapping per each RFC822 domain, and the same restriction apply
- for any X.400 domain mapping to an RFC822 one.
-
- More over, in the X.400 recommendations a note suggests than an
- ADMD=<blank> should be reserved for some special cases. Various
- national functional profile specifications for an X.400 MHS states
- that if an X.400 PRMD is reachable via any of its national ADMDs,
- independently of its actual single or multiple connectivity with
- them, it should use ADMD=<blank> to advertise this fact. Again, if a
- PRMD has no connections to any ADMD it should use ADMD=0 to notify
- its status, etc. However, in most of the current real situations, the
- ADMD service providers do not accept messages coming from their
-
-
-
-Allocchio Standards Track [Page 9]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- subscribers if they have a blank ADMD, forcing them to have their own
- ADMD value. In such a situation there are problems in indicating
- properly the actually working mappings for domains with multiple
- connectivity. The PX RDATA 'PREFERENCE' extension was introduced to
- take in consideration these problems.
-
- However, as these extensions are not available with MIXER static
- tables, it is strongly discouraged to use them when interworking with
- any table based gateway or application. The extensions were in fact
- introduced just to add more flexibility, like the PREFERENCE value,
- or they were already implicit in the DNS mechanism, like the
- wildcard specification. They should be used very carefully or just
- considered 'reserved for future use'. In particular, for current use,
- the PREFERENCE value in the PX record specification should be fixed
- to a value of 50, and only wildcard specifications should be used
- when specifying <name> values.
-
-4.2 The DNS syntax for an X.400 'domain'
-
- The syntax definition of the MCGAM rules is defined in appendix F of
- that document. However that syntax is not very human oriented and
- contains a number of characters which have a special meaning in other
- fields of the Internet DNS. Thus in order to avoid any possible
- problem, especially due to some old DNS implementations still being
- used in the Internet, we define a syntax for the X.400 part of any
- MCGAM rules (and hence for any X.400 O/R name) which makes it
- compatible with a <domain-name> element, i.e.,
-
- <domain-name> ::= <subdomain> | " "
- <subdomain> ::= <label> | <label> "." <subdomain>
- <label> ::= <alphanum>|
- <alphanum> {<alphanumhyphen>} <alphanum>
- <alphanum> ::= "0".."9" | "A".."Z" | "a".."z"
- <alphanumhyphen> ::= "0".."9" | "A".."Z" | "a".."z" | "-"
-
- (see RFC1035, section 2.3.1, page 8). The legal character set for
- <label> does not correspond to the IA5 Printablestring one used in
- MIXER to define MCGAM rules. However a very simple "escape mechanism"
- can be applied in order to bypass the problem. We can in fact simply
- describe the X.400 part of a MCGAM rule format as:
-
- <map-rule> ::= <map-elem> | <map-elem> { "." <map-elem> }
- <map-elem> ::= <attr-label> "$" <attr-value>
- <attr-label> ::= "C" | "ADMD" | "PRMD" | "O" | "OU"
- <attr-value> ::= " " | "@" | IA5-Printablestring
-
-
-
-
-
-
-Allocchio Standards Track [Page 10]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- As you can notice <domain-name> and <map-rule> look similar, and also
- <label> and <map-elem> look the same. If we define the correct method
- to transform a <map-elem> into a <label> and vice versa the problem
- to write a MCGAM rule in <domain-name> syntax is solved.
-
- The RFC822 domain part of any MCGAM rule is of course already in
- <domain-name> syntax, and thus remains unchanged.
-
- In particular, in a 'table1' or 'gate1' mapping rule the 'keyword'
- value must be converted into <x400-in-domain-syntax> (X.400 mail DNS
- mail domain), while the 'translator' value is already a valid RFC822
- domain. Vice versa in a 'table2' or 'gate2' mapping rule, the
- 'translator' must be converted into <x400-in-domain-syntax>, while
- the 'keyword' is already a valid RFC822 domain.
-
-4.2.1 IA5-Printablestring to <alphanumhyphen> mappings
-
- The problem of unmatching IA5-Printablestring and <label> character
- set definition is solved by a simple character mapping rule: whenever
- an IA5 character does not belong to <alphanumhyphen>, then it is
- mapped using its 3 digit decimal ASCII code, enclosed in hyphens. A
- small set of special rules is also defined for the most frequent
- cases. Moreover some frequent characters combinations used in MIXER
- rules are also mapped as special cases.
-
- Let's then define the following simple rules:
-
- MCGAM rule DNS store translation conditions
- -----------------------------------------------------------------
- <attr-label>$@ <attr-label> missing attribute
- <attr-label>$<blank> <attr-label>"b" blank attribute
- <attr-label>$xxx <attr-label>-xxx elsewhere
-
- Non <alphanumhyphen> characters in <attr-value>:
-
- MCGAM rule DNS store translation conditions
- -----------------------------------------------------------------
- - -h- hyphen
- \. -d- quoted dot
- <blank> -b- blank
- <non A/N character> -<3digit-decimal>- elsewhere
-
- If the DNS store translation of <attr-value> happens to end with an
- hyphen, then this last hyphen is omitted.
-
- Let's now have some examples:
-
-
-
-
-
-Allocchio Standards Track [Page 11]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- MCGAM rule DNS store translation conditions
- -----------------------------------------------------------------
- PRMD$@ PRMD missing attribute
- ADMD$<blank> ADMDb blank attribute
- ADMD$400-net ADMD-400-h-net hyphen mapping
- PRMD$UK\.BD PRMD-UK-d-BD quoted dot mapping
- O$ACME Inc\. O-ACME-b-Inc-d blank & final hyphen
- PRMD$main-400-a PRMD-main-h-400-h-a hyphen mapping
- O$-123-b O--h-123-h-b hyphen mapping
- OU$123-x OU-123-h-x hyphen mapping
- PRMD$Adis+co PRMD-Adis-043-co 3digit mapping
-
- Thus, an X.400 part from a MCGAM like
-
- OU$uuu.O$@.PRMD$ppp\.rrr.ADMD$aaa ddd-mmm.C$cc
-
- translates to
-
- OU-uuu.O.PRMD-ppp-d-rrr.ADMD-aaa-b-ddd-h-mmm.C-cc
-
- Another example:
-
- OU$sales dept\..O$@.PRMD$ACME.ADMD$ .C$GB
-
- translates to
-
- OU-sales-b-dept-d.O.PRMD-ACME.ADMDb.C-GB
-
-4.2.2 Flow chart
-
- In order to achieve the proper DNS store translations of the X.400
- part of a MCGAM or any other X.400 O/R name, some software tools will
- be used. It is in fact evident that the above rules for converting
- mapping table from MIXER to DNS format (and vice versa) are not user
- friendly enough to think of a human made conversion.
-
- To help in designing such tools, we describe hereunder a small flow
- chart. The fundamental rule to be applied during translation is,
- however, the following:
-
- "A string must be parsed from left to right, moving appropriately
- the pointer in order not to consider again the already translated
- left section of the string in subsequent analysis."
-
-
-
-
-
-
-
-
-Allocchio Standards Track [Page 12]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- Flow chart 1 - Translation from MIXER to DNS format:
-
- parse single attribute
- (enclosed in "." separators)
- |
- (yes) --- <label>$@ ? --- (no)
- | |
- map to <label> (no) <label>$<blank> ? (yes)
- | | |
- | map to <label>- map to <label>"b"
- | | |
- | map "\." to -d- |
- | | |
- | map "-" to -h- |
- | | |
- | map non A/N char to -<3digit>- |
- restart | | |
- ^ | remove (if any) last "-" |
- | | | |
- | \-------> add a "." <--------------/
- | |
- \---------- take next attribute (if any)
-
-
- Flow chart 2 - Translation from DNS to MIXER format:
-
-
- parse single attribute
- (enclosed in "." separators)
- |
- (yes) ---- <label> ? ---- (no)
- | |
- map to <label>$@ (no) <label>"b" ? (yes)
- | | |
- | map to <label>$ map to <label>$<blank>
- | | |
- | map -d- to "\." |
- | | |
- | map -h- to "-" |
- | | |
- | map -b- to " " |
- restart | | |
- ^ | map -<3digit>- to non A/N char |
- | | | |
- | \--------> add a "." <----------/
- | |
- \------------- take next attribute (if any)
-
-
-
-
-Allocchio Standards Track [Page 13]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- Note that the above flow charts deal with the translation of the
- attributes syntax, only.
-
-4.2.3 The Country Code convention in the <name> value.
-
- The RFC822 domain space and the X.400 O/R address space, as said in
- section 3, have one specific common feature: the X.400 ISO country
- codes are the same as the RFC822 ISO top level domains for countries.
- In the previous sections we have also defined a method to write in
- <domain-name> syntax any X.400 domain, while in section 3 we
- described the new name space starting at each country top level
- domain under the X42D.cc (where 'cc' is then two letter ISO country
- code).
-
- The <name> value for a 'table1' or 'gate1' entry in DNS should thus
- be derived from the X.400 domain value, translated to <domain-name>
- syntax, adding the 'X42D.cc.' post-fix to it, i.e.,
-
- ADMD$acme.C$fr
-
- produces in <domain-name> syntax the key:
-
- ADMD-acme.C-fr
-
- which is post-fixed by 'X42D.fr.' resulting in:
-
- ADMD-acme.C-fr.X42D.fr.
-
- However, due to the identical encoding for X.400 country codes and
- RFC822 country top level domains, the string 'C-fr.X42D.fr.' is
- clearly redundant.
-
- We thus define the 'Country Code convention' for the <name> key,
- i.e.,
-
- "The C-cc section of an X.400 domain in <domain-name> syntax must
- be omitted when creating a <name> key, as it is identical to the
- top level country code used to identify the DNS zone where the
- information is stored".
-
- Thus we obtain the following <name> key examples:
-
- X.400 domain DNS <name> key
- --------------------------------------------------------------------
- ADMD$acme.C$fr ADMD-acme.X42D.fr.
- PRMD$ux\.av.ADMD$ .C$gb PRMD-ux-d-av.ADMDb.X42D.gb.
- PRMD$ppb.ADMD$Dat 400.C$de PRMD-ppb.ADMD-Dat-b-400.X42D.de.
-
-
-
-
-Allocchio Standards Track [Page 14]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
-4.3 Creating the appropriate DNS files
-
- Using MIXER's assumption of an asymmetric mapping between X.400 and
- RFC822 addresses, two separate relations are required to store the
- mapping database: MIXER 'table1' and MIXER 'table2'; thus also in DNS
- we will maintain the two different sections, even if they will both
- use the PX resource record. More over MIXER also specify two
- additional tables: MIXER 'gate1' and 'gate2' tables. These additional
- tables, however, have the same syntax rules than MIXER 'table1' and
- 'table2' respectively, and thus the same translation procedure as
- 'table1' and 'table2' will be applied; some details about the MIXER
- 'gate1' and 'gate2' tables are discussed in section 4.4.
-
- Let's now check how to create, from an MCGAM entry, the appropriate
- DNS entry in a DNS data file. We can again define an MCGAM entry as
- defined in appendix F of that document as:
-
- <x400-domain>#<rfc822-domain># (case A: 'table1' and 'gate1'
- entry)
-
- and
-
- <rfc822-domain>#<x400-domain># (case B: 'table2' and 'gate2'
- entry)
-
- The two cases must be considered separately. Let's consider case A.
-
- - take <x400-domain> and translate it into <domain-name> syntax,
- obtaining <x400-in-domain-syntax>;
- - create the <name> key from <x400-in-domain-syntax> i.e., apply
- the Country Code convention described in sect. 4.2.3;
- - construct the DNS PX record as:
-
- *.<name> IN PX 50 <rfc822-domain> <x400-in-domain-syntax>
-
- Please note that within PX RDATA the <rfc822-domain> precedes the
- <x400-in-domain-syntax> also for a 'table1' and 'gate1' entry.
-
- an example: from the 'table1' rule
-
- PRMD$ab.ADMD$ac.C$fr#ab.fr#
-
- we obtain
-
- *.PRMD-ab.ADMD-ac.X42D.fr. IN PX 50 ab.fr. PRMD-ab.ADMD-ac.C-fr.
-
- Note that <name>, <rfc822-domain> and <x400-in-domain-syntax> are
- fully qualified <domain-name> elements, thus ending with a ".".
-
-
-
-Allocchio Standards Track [Page 15]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- Let's now consider case B.
-
- - take <rfc822-domain> as <name> key;
- - translate <x400-domain> into <x400-in-domain-syntax>;
- - construct the DNS PX record as:
-
- *.<name> IN PX 50 <rfc822-domain> <x400-in-domain-syntax>
-
- an example: from the 'table2' rule
-
- ab.fr#PRMD$ab.ADMD$ac.C$fr#
-
- we obtain
-
- *.ab.fr. IN PX 50 ab.fr. PRMD-ab.ADMD-ac.C-fr.
-
- Again note the fully qualified <domain-name> elements.
-
- A file containing the MIXER mapping rules and MIXER 'gate1' and
- 'gate2' table written in DNS format will look like the following
- fictious example:
-
- !
- ! MIXER table 1: X.400 --> RFC822
- !
- *.ADMD-acme.X42D.it. IN PX 50 it. ADMD-acme.C-it.
- *.PRMD-accred.ADMD-tx400.X42D.it. IN PX 50 \
- accred.it. PRMD-accred.ADMD-tx400.C-it.
- *.O-u-h-newcity.PRMD-x4net.ADMDb.X42D.it. IN PX 50 \
- cs.ncty.it. O-u-h-newcity.PRMD-x4net.ADMDb.C-it.
- !
- ! MIXER table 2: RFC822 --> X.400
- !
- *.nrc.it. IN PX 50 nrc.it. PRMD-nrc.ADMD-acme.C-it.
- *.ninp.it. IN PX 50 ninp.it. O.PRMD-ninp.ADMD-acme.C-it.
- *.bd.it. IN PX 50 bd.it. PRMD-uk-d-bd.ADMDb.C-it.
- !
- ! MIXER Gate 1 Table
- !
- *.ADMD-XKW-h-Mail.X42D.it. IN PX 50 \
- XKW-gateway.it. ADMD-XKW-h-Mail.C-it.G.
- *.PRMD-Super-b-Inc.ADMDb.X42D.it. IN PX 50 \
- GlobalGw.it. PRMD-Super-b-Inc.ADMDb.C-it.G.
- !
- ! MIXER Gate 2 Table
- !
- my.it. IN PX 50 my.it. OU-int-h-gw.O.PRMD-ninp.ADMD-acme.C-it.G.
- co.it. IN PX 50 co.it. O-mhs-h-relay.PRMD-x4net.ADMDb.C-it.G.
-
-
-
-Allocchio Standards Track [Page 16]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- (here the "\" indicates continuation on the same line, as wrapping is
- done only due to typographical reasons).
-
- Note the special suffix ".G." on the right side of the 'gate1' and
- 'gate2' Tables section whose aim is described in section 4.4. The
- corresponding MIXER tables are:
-
- #
- # MIXER table 1: X.400 --> RFC822
- #
- ADMD$acme.C$it#it#
- PRMD$accred.ADMD$tx400.C$it#accred.it#
- O$u-newcity.PRMD$x4net.ADMD$ .C$it#cs.ncty.it#
- #
- # MIXER table 2: RFC822 --> X.400
- #
- nrc.it#PRMD$nrc.ADMD$acme.C$it#
- ninp.it#O.PRMD$ninp.ADMD$acme.C$it#
- bd.it#PRMD$uk\.bd.ADMD$ .C$it#
- #
- # MIXER Gate 1 Table
- #
- ADMD$XKW-Mail.C$it#XKW-gateway.it#
- PRMD$Super Inc.ADMD$ .C$it#GlobalGw.it#
- #
- # MIXER Gate 2 Table
- #
- my.it#OU$int-gw.O$@.PRMD$ninp.ADMD$acme.C$it#
- co.it#O$mhs-relay.PRMD$x4net.ADMD$ .C$t#
-
-4.4 Storing the MIXER 'gate1' and 'gate2' tables
-
- Section 4.3.4 of MIXER also specify how an address should be
- converted between RFC822 and X.400 in case a complete mapping is
- impossible. To allow the use of DDAs for non mappable domains, the
- MIXER 'gate2' table is thus introduced.
-
- In a totally similar way, when an X.400 address cannot be completely
- converted in RFC822, section 4.3.5 of MIXER specifies how to encode
- (LHS encoding) the address itself, pointing then to the appropriate
- MIXER conformant gateway, indicated in the MIXER 'gate1' table.
-
- DNS must store and distribute also these 'gate1' and 'gate2' data.
-
- One of the major features of the DNS is the ability to distribute the
- authority: a certain site runs the "primary" nameserver for one
- determined sub-tree and thus it is also the only place allowed to
- update information regarding that sub-tree. This fact allows, in our
-
-
-
-Allocchio Standards Track [Page 17]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- case, a further additional feature to the table based approach. In
- fact we can avoid one possible ambiguity about the use of the 'gate1'
- and 'gate2' tables (and thus of LHS and DDAs encoding).
-
- The authority maintaining a DNS entry in the usual RFC822 domain
- space is the only one allowed to decide if its domain should be
- mapped using Standard Attributes (SA) syntax or Domain Defined
- Attributes (DDA) one. If the authority decides that its RFC822 domain
- should be mapped using SA, then the PX RDATA will be a 'table2'
- entry, otherwise it will be a 'gate2' table entry. Thus for an RFC822
- domain we cannot have any more two possible entries, one from 'table2
- and another one from 'gate2' table, and the action for a gateway
- results clearly stated.
-
- Similarly, the authority mantaining a DNS entry in the new X.400 name
- space is the only one allowed to decide if its X.400 domain should be
- mapped using SA syntax or Left Hand Side (LHS) encoding. If the
- authority decides that its X.400 domain should be mapped using SA,
- then the PX RDATA will be a 'table1' entry, otherwise it will be a
- 'gate1' table entry. Thus also for an X.400 domain we cannot have any
- more two possible entries, one from 'table1' and another one from
- 'gate1' table, and the action for a gateway results clearly stated.
-
- The MIXER 'gate1' table syntax is actually identical to MIXER
- 'table1', and 'gate2' table syntax is identical to MIXER 'table2'.
- Thus the same syntax translation rules from MIXER to DNS format can
- be applied in both cases. However a gateway or any other application
- must know if the answer it got from DNS contains some 'table1',
- 'table2' or some 'gate1', 'gate2' table information. This is easily
- obtained flagging with an additional ".G." post-fix the PX RDATA
- value when it contains a 'gate1' or 'gate2' table entry. The example
- in section 4.3 shows clearly the result. As any X.400 O/R domain must
- end with a country code ("C-xx" in our DNS syntax) the additional
- ".G." creates no conflicts or ambiguities at all. This postfix must
- obviously be removed before using the MIXER 'gate1' or 'gate2' table
- data.
-
-5. Finding MIXER mapping information from DNS
-
- The MIXER mapping information is stored in DNS both in the normal
- RFC822 domain name space, and in the newly defined X.400 name space.
- The information, stored in PX resource records, does not represent a
- full RFC822 or X.400 O/R address: it is a template which specifies
- the fields of the domain that are used by the mapping algorithm.
-
- When mapping information is stored in the DNS, queries to the DNS are
- issued whenever an iterative search through the mapping table would
- be performed (MIXER: section 4.3.4, State I; section 4.3.5, mapping
-
-
-
-Allocchio Standards Track [Page 18]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- B). Due to the DNS search mechanism, DNS by itself returns the
- longest possible match in the stored mapping rule with a single
- query, thus no iteration and/or multiple queries are needed. As
- specified in MIXER, a search of the mapping table will result in
- either success (mapping found) or failure (query failed, mapping not
- found).
-
- When a DNS query is issued, a third possible result is timeout. If
- the result is timeout, the gateway operation is delayed and then
- retried at a later time. A result of success or failure is processed
- according to the algorithms specified in MIXER. If a DNS error code
- is returned, an error message should be logged and the gateway
- operation is delayed as for timeout. These pathological situations,
- however, should be avoided with a careful duplication and chaching
- mechanism which DNS itself provides.
-
- Searching the nameserver which can authoritatively solve the query is
- automatically performed by the DNS distributed name service.
-
-5.1 A DNS query example
-
- An MIXER mail-gateway located in the Internet, when translating
- addresses from RFC822 to X.400, can get information about the MCGAM
- rule asking the DNS. As an example, when translating the address
- SUN.CCE.NRC.IT, the gateway will just query DNS for the associated PX
- resource record. The DNS should contain a PX record like this:
-
- *.cce.nrc.it. IN PX 50 cce.nrc.it. O-cce.PRMD-nrc.ADMD-acme.C-it.
-
- The first query will return immediately the appropriate mapping rule
- in DNS store format.
-
- There is no ".G." at the end of the obtained PX RDATA value, thus
- applying the syntax translation specified in paragraph 4.2 the MIXER
- Table 2 mapping rule will be obtained.
-
- Let's now take another example where a 'gate2' table rule is
- returned. If we are looking for an RFC822 domain ending with top
- level domain "MW", and the DNS contains a PX record like this,
-
- *.mw. IN PX 50 mw. O-cce.PRMD-nrc.ADMD-acme.C-it.G.
-
- DNS will return 'mw.' and 'O-cce.PRMD-nrc.ADMD-acme.C-it.G.', i.e., a
- 'gate2' table entry in DNS store format. Dropping the final ".G." and
- applying the syntax translation specified in paragraph 4.2 the
- original rule will be available. More over, the ".G." flag also tells
- the gateway to use DDA encoding for the inquired RFC822 domain.
-
-
-
-
-Allocchio Standards Track [Page 19]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- On the other hand, translating from X.400 to RFC822 the address
-
- C=de; ADMD=pkz; PRMD=nfc; O=top;
-
- the mail gateway should convert the syntax according to paragraph
- 4.2, apply the 'Country code convention' described in 4.2.3 to derive
- the appropriate DNS translation of the X.400 O/R name and then query
- DNS for the corresponding PX resource record. The obtained record for
- which the PX record must be queried is thus:
-
- O-top.PRMD-nfc.ADMD-pkz.X42D.de.
-
- The DNS could contain:
-
- *.ADMD-pkz.X42D.de. IN PX 50 pkz.de. ADMD-pkz.C-de.
-
- Assuming that there are not more specific records in DNS, the
- wildcard mechanism will return the MIXER 'table1' rule in encoded
- format.
-
- Finally, an example where a 'gate1' rule is involved. If we are
- looking for an X.400 domain ending with ADMD=PWT400; C=US; , and the
- DNS contains a PX record like this,
-
- *.ADMD-PWT400.X42D.us. IN PX 50 intGw.com. ADMD-PWT400.C-us.G.
-
- DNS will return 'intGw.com.' and 'ADMD-PWT400.C-us.G.', i.e., a
- 'gate1' table entry in DNS store format. Dropping the final ".G." and
- applying the syntax translation specified in paragraph 4.2 the
- original rule will be available. More over, the ".G." flag also tells
- the gateway to use LHS encoding for the inquired X.400 domain.
-
-6. Administration of mapping information
-
- The DNS, using the PX RR, is able to distribute the MCGAM rules to
- all MIXER gateways located on the Internet. However, not all MIXER
- gateways will be able to use the Internet DNS. It is expected that
- some gateways in a particular management domain will conform to one
- of the following models:
-
- (a) Table-based, (b) DNS-based, (c) X.500-based
-
- Table-based management domains will continue to publish their MCGAM
- rules and retrieve the mapping tables via the International Mapping
- Table coordinator, manually or via some automated procedures. Their
- MCGAM information can be made available also in DNS by the
- appropriate DNS authorities, using the same mechanism already in
- place for MX records: if a branch has not yet in place its own DNS
-
-
-
-Allocchio Standards Track [Page 20]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- server, some higher authority in the DNS tree will provide the
- service for it. A transition procedure similar to the one used to
- migrate from the 'hosts.txt' tables to DNS can be applied also to the
- deployment phase of this specification. An informational document
- describing the implementation phase and the detailed coordination
- procedures is expected.
-
- Another distributed directory service which can distribute the MCGAM
- information is X.500. Coordination with table-based domains can be
- obtained in an identical way as for the DNS case.
-
- Coordination of MCGAM information between DNS and X.500 is more
- complex, as it requies some kind of uploading information between the
- two systems. The ideal solution is a dynamic alignment mechanism
- which transparently makes the DNS mapping information available in
- X.500 and vice versa. Some work in this specific field is already
- being done [see Costa] which can result in a global transparent
- directory service, where the information is stored in DNS or in
- X.500, but is visible completely by any of the two systems.
-
- However we must remind that MIXER concept of MCGAM rules publication
- is different from the old RFC1327 concept of globally distributed,
- coordinated and unique mapping rules. In fact MIXER does not requires
- any more for any conformant gateway or tool to know the complete set
- of MCGAM: it only requires to use some set (eventually empty) of
- valid MCGAM rules, published either by Tables, DNS or X.500
- mechanisms or any combination of these methods. More over MIXER
- specifies that also incomplete sets of MCGAM can be used, and
- supplementary local unpublished (but valid) MCGAM can also be used.
- As a consequence, the problem of coordination between the three
- systems proposed by MIXER for MCGAM publication is non essential, and
- important only for efficient operational matters. It does not in fact
- affect the correct behaviour of MIXER conformant gateways and tools.
-
-7. Conclusion
-
- The introduction of the new PX resource record and the definition of
- the X.400 O/R name space in the DNS structure provide a good
- repository for MCGAM information. The mapping information is stored
- in the DNS tree structure so that it can be easily obtained using the
- DNS distributed name service. At the same time the definition of the
- appropriate DNS space for X.400 O/R names provide a repository where
- to store and distribute some other X.400 MHS information. The use of
- the DNS has many known advantages in storing, managing and updating
- the information. A successful number of tests were been performed
- under the provisional top level domain "X400.IT" when RFC1664 was
- developed, and their results confirmed the advantages of the method.
- Operational exeprience for over 2 years with RFC1664 specification
-
-
-
-Allocchio Standards Track [Page 21]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- confirmed the feasibility of the method, and helped identifying some
- operational procedures to deploy the insertion of MCGAM into DNS.
-
- Software to query the DNS and then to convert between the textual
- representation of DNS resource records and the address format defined
- in MIXER was developed with RFC1664. This software also allows a
- smooth implementation and deployment period, eventually taking care
- of the transition phase. This software can be easily used (with
- little or null modification) also for this updated specification,
- supporting the new 'gate1' MIXER table. DNS software implementations
- supporting RFC1664 also supports with no modification this memo new
- specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Allocchio Standards Track [Page 22]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- A further informational document describing operational and
- implementation of the service is expected.
-
-8. Acknowledgements
-
- We wish to thanks all those who contributed to the discussion and
- revision of this document: many of their ideas and suggestions
- constitute essential parts of this work. In particular thanks to Jon
- Postel, Paul Mockapetris, Rob Austin and the whole IETF x400ops,
- TERENA wg-msg and IETF namedroppers groups. A special mention to
- Christian Huitema for his fundamental contribution to this work.
-
- This document is a revision of RFC1664, edited by one of its authors
- on behalf of the IETF MIXER working group. The current editor wishes
- to thank here also the authors of RFC1664:
-
- Antonio Blasco Bonito RFC822: bonito@cnuce.cnr.it
- CNUCE - CNR X.400: C=it;A=garr;P=cnr;
- Reparto infr. reti O=cnuce;S=bonito;
- Viale S. Maria 36
- I 56126 Pisa
- Italy
-
-
- Bruce Cole RFC822: bcole@cisco.com
- Cisco Systems Inc. X.400: C=us;A= ;P=Internet;
- P.O. Box 3075 DD.rfc-822=bcole(a)cisco.com;
- 1525 O'Brien Drive
- Menlo Park, CA 94026
- U.S.A.
-
-
- Silvia Giordano RFC822: giordano@cscs.ch
- Centro Svizzero di X.400: C=ch;A=arcom;P=switch;O=cscs;
- Calcolo Scientifico S=giordano;
- Via Cantonale
- CH 6928 Manno
- Switzerland
-
-
- Robert Hagens RFC822: hagens@ans.net
- Advanced Network and Services X.400: C=us;A= ;P=Internet;
- 1875 Campus Commons Drive DD.rfc-822=hagens(a)ans.net;
- Reston, VA 22091
- U.S.A.
-
-
-
-
-
-
-Allocchio Standards Track [Page 23]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
-9. References
-
- [CCITT] CCITT SG 5/VII, "Recommendation X.400, Message Handling
- Systems: System Model - Service Elements", October 1988.
-
- [RFC 1327] Kille, S., "Mapping between X.400(1988)/ISO 10021 and RFC
- 822", RFC 1327, March 1992.
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, USC/Information Sciences Institute, November
- 1987.
-
- [RFC 1035] Mockapetris, P., "Domain names - Implementation and
- Specification", STD 13, RFC 1035, USC/Information Sciences
- Institute, November 1987.
-
- [RFC 1033] Lottor, M., "Domain Administrators Operation Guide", RFC
- 1033, SRI International, November 1987.
-
- [RFC 2156] Kille, S. E., " MIXER (Mime Internet X.400 Enhanced
- Relay): Mapping between X.400 and RFC 822/MIME", RFC 2156,
- January 1998.
-
- [Costa] Costa, A., Macedo, J., and V. Freitas, "Accessing and
- Managing DNS Information in the X.500 Directory", Proceeding of
- the 4th Joint European Networking Conference, Trondheim, NO, May
- 1993.
-
-10. Security Considerations
-
- This document specifies a means by which DNS "PX" records can direct
- the translation between X.400 and Internet mail addresses.
-
- This can indirectly affect the routing of mail across an gateway
- between X.400 and Internet Mail. A succesful attack on this service
- could cause incorrect translation of an originator address (thus
- "forging" the originator address), or incorrect translation of a
- recipient address (thus directing the mail to an unauthorized
- recipient, or making it appear to an authorized recipient, that the
- message was intended for recipients other than those chosen by the
- originator) or could force the mail path via some particular gateway
- or message transfer agent where mail security can be affected by
- compromised software.
-
-
-
-
-
-
-
-
-Allocchio Standards Track [Page 24]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
- There are several means by which an attacker might be able to deliver
- incorrect PX records to a client. These include: (a) compromise of a
- DNS server, (b) generating a counterfeit response to a client's DNS
- query, (c) returning incorrect "additional information" in response
- to an unrelated query.
-
- Clients using PX records SHOULD ensure that routing and address
- translations are based only on authoritative answers. Once DNS
- Security mechanisms [RFC 2065] become more widely deployed, clients
- SHOULD employ those mechanisms to verify the authenticity and
- integrity of PX records.
-
-11. Author's Address
-
- Claudio Allocchio
- Sincrotrone Trieste
- SS 14 Km 163.5 Basovizza
- I 34012 Trieste
- Italy
-
- RFC822: Claudio.Allocchio@elettra.trieste.it
- X.400: C=it;A=garr;P=Trieste;O=Elettra;
- S=Allocchio;G=Claudio;
- Phone: +39 40 3758523
- Fax: +39 40 3758565
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Allocchio Standards Track [Page 25]
-
-RFC 2163 MIXER MCGAM January 1998
-
-
-12. Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Allocchio Standards Track [Page 26]
-
diff --git a/contrib/bind9/doc/rfc/rfc2168.txt b/contrib/bind9/doc/rfc/rfc2168.txt
deleted file mode 100644
index 3eed1bdb4d11..000000000000
--- a/contrib/bind9/doc/rfc/rfc2168.txt
+++ /dev/null
@@ -1,1123 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Daniel
-Request for Comments: 2168 Los Alamos National Laboratory
-Category: Experimental M. Mealling
- Network Solutions, Inc.
- June 1997
-
-
- Resolution of Uniform Resource Identifiers
- using the Domain Name System
-
-Status of this Memo
-===================
-
- This memo defines an Experimental Protocol for the Internet
- community. This memo does not specify an Internet standard of any
- kind. Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Abstract:
-=========
-
- Uniform Resource Locators (URLs) are the foundation of the World Wide
- Web, and are a vital Internet technology. However, they have proven
- to be brittle in practice. The basic problem is that URLs typically
- identify a particular path to a file on a particular host. There is
- no graceful way of changing the path or host once the URL has been
- assigned. Neither is there a graceful way of replicating the resource
- located by the URL to achieve better network utilization and/or fault
- tolerance. Uniform Resource Names (URNs) have been hypothesized as a
- adjunct to URLs that would overcome such problems. URNs and URLs are
- both instances of a broader class of identifiers known as Uniform
- Resource Identifiers (URIs).
-
- The requirements document for URN resolution systems[15] defines the
- concept of a "resolver discovery service". This document describes
- the first, experimental, RDS. It is implemented by a new DNS Resource
- Record, NAPTR (Naming Authority PoinTeR), that provides rules for
- mapping parts of URIs to domain names. By changing the mapping
- rules, we can change the host that is contacted to resolve a URI.
- This will allow a more graceful handling of URLs over long time
- periods, and forms the foundation for a new proposal for Uniform
- Resource Names.
-
-
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 1]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- In addition to locating resolvers, the NAPTR provides for other
- naming systems to be grandfathered into the URN world, provides
- independence between the name assignment system and the resolution
- protocol system, and allows multiple services (Name to Location, Name
- to Description, Name to Resource, ...) to be offered. In conjunction
- with the SRV RR, the NAPTR record allows those services to be
- replicated for the purposes of fault tolerance and load balancing.
-
-Introduction:
-=============
-
- Uniform Resource Locators have been a significant advance in
- retrieving Internet-accessible resources. However, their brittle
- nature over time has been recognized for several years. The Uniform
- Resource Identifier working group proposed the development of Uniform
- Resource Names to serve as persistent, location-independent
- identifiers for Internet resources in order to overcome most of the
- problems with URLs. RFC-1737 [1] sets forth requirements on URNs.
-
- During the lifetime of the URI-WG, a number of URN proposals were
- generated. The developers of several of those proposals met in a
- series of meetings, resulting in a compromise known as the Knoxville
- framework. The major principle behind the Knoxville framework is
- that the resolution system must be separate from the way names are
- assigned. This is in marked contrast to most URLs, which identify the
- host to contact and the protocol to use. Readers are referred to [2]
- for background on the Knoxville framework and for additional
- information on the context and purpose of this proposal.
-
- Separating the way names are resolved from the way they are
- constructed provides several benefits. It allows multiple naming
- approaches and resolution approaches to compete, as it allows
- different protocols and resolvers to be used. There is just one
- problem with such a separation - how do we resolve a name when it
- can't give us directions to its resolver?
-
- For the short term, DNS is the obvious candidate for the resolution
- framework, since it is widely deployed and understood. However, it is
- not appropriate to use DNS to maintain information on a per-resource
- basis. First of all, DNS was never intended to handle that many
- records. Second, the limited record size is inappropriate for catalog
- information. Third, domain names are not appropriate as URNs.
-
- Therefore our approach is to use DNS to locate "resolvers" that can
- provide information on individual resources, potentially including
- the resource itself. To accomplish this, we "rewrite" the URI into a
- domain name following the rules provided in NAPTR records. Rewrite
- rules provide considerable power, which is important when trying to
-
-
-
-Daniel & Mealling Experimental [Page 2]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- meet the goals listed above. However, collections of rules can become
- difficult to understand. To lessen this problem, the NAPTR rules are
- *always* applied to the original URI, *never* to the output of
- previous rules.
-
- Locating a resolver through the rewrite procedure may take multiple
- steps, but the beginning is always the same. The start of the URI is
- scanned to extract its colon-delimited prefix. (For URNs, the prefix
- is always "urn:" and we extract the following colon-delimited
- namespace identifier [3]). NAPTR resolution begins by taking the
- extracted string, appending the well-known suffix ".urn.net", and
- querying the DNS for NAPTR records at that domain name. Based on the
- results of this query, zero or more additional DNS queries may be
- needed to locate resolvers for the URI. The details of the
- conversation between the client and the resolver thus located are
- outside the bounds of this draft. Three brief examples of this
- procedure are given in the next section.
-
- The NAPTR RR provides the level of indirection needed to keep the
- naming system independent of the resolution system, its protocols,
- and services. Coupled with the new SRV resource record proposal[4]
- there is also the potential for replicating the resolver on multiple
- hosts, overcoming some of the most significant problems of URLs. This
- is an important and subtle point. Not only do the NAPTR and SRV
- records allow us to replicate the resource, we can replicate the
- resolvers that know about the replicated resource. Preventing a
- single point of failure at the resolver level is a significant
- benefit. Separating the resolution procedure from the way names are
- constructed has additional benefits. Different resolution procedures
- can be used over time, and resolution procedures that are determined
- to be useful can be extended to deal with additional namespaces.
-
-Caveats
-=======
-
- The NAPTR proposal is the first resolution procedure to be considered
- by the URN-WG. There are several concerns about the proposal which
- have motivated the group to recommend it for publication as an
- Experimental rather than a standards-track RFC.
-
- First, URN resolution is new to the IETF and we wish to gain
- operational experience before recommending any procedure for the
- standards track. Second, the NAPTR proposal is based on DNS and
- consequently inherits concerns about security and administration. The
- recent advancement of the DNSSEC and secure update drafts to Proposed
- Standard reduce these concerns, but we wish to experiment with those
- new capabilities in the context of URN administration. A third area
- of concern is the potential for a noticeable impact on the DNS. We
-
-
-
-Daniel & Mealling Experimental [Page 3]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- believe that the proposal makes appropriate use of caching and
- additional information, but it is best to go slow where the potential
- for impact on a core system like the DNS is concerned. Fourth, the
- rewrite rules in the NAPTR proposal are based on regular expressions.
- Since regular expressions are difficult for humans to construct
- correctly, concerns exist about the usability and maintainability of
- the rules. This is especially true where international character sets
- are concerned. Finally, the URN-WG is developing a requirements
- document for URN Resolution Services[15], but that document is not
- complete. That document needs to precede any resolution service
- proposals on the standards track.
-
-Terminology
-===========
-
- "Must" or "Shall" - Software that does not behave in the manner that
- this document says it must is not conformant to this
- document.
- "Should" - Software that does not follow the behavior that this
- document says it should may still be conformant, but is
- probably broken in some fundamental way.
- "May" - Implementations may or may not provide the described
- behavior, while still remaining conformant to this
- document.
-
-Brief overview and examples of the NAPTR RR:
-============================================
-
- A detailed description of the NAPTR RR will be given later, but to
- give a flavor for the proposal we first give a simple description of
- the record and three examples of its use.
-
- The key fields in the NAPTR RR are order, preference, service, flags,
- regexp, and replacement:
-
- * The order field specifies the order in which records MUST be
- processed when multiple NAPTR records are returned in response to a
- single query. A naming authority may have delegated a portion of
- its namespace to another agency. Evaluating the NAPTR records in
- the correct order is necessary for delegation to work properly.
-
- * The preference field specifies the order in which records SHOULD be
- processed when multiple NAPTR records have the same value of
- "order". This field lets a service provider specify the order in
- which resolvers are contacted, so that more capable machines are
- contacted in preference to less capable ones.
-
-
-
-
-
-Daniel & Mealling Experimental [Page 4]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- * The service field specifies the resolution protocol and resolution
- service(s) that will be available if the rewrite specified by the
- regexp or replacement fields is applied. Resolution protocols are
- the protocols used to talk with a resolver. They will be specified
- in other documents, such as [5]. Resolution services are operations
- such as N2R (URN to Resource), N2L (URN to URL), N2C (URN to URC),
- etc. These will be discussed in the URN Resolution Services
- document[6], and their behavior in a particular resolution protocol
- will be given in the specification for that protocol (see [5] for a
- concrete example).
-
- * The flags field contains modifiers that affect what happens in the
- next DNS lookup, typically for optimizing the process. Flags may
- also affect the interpretation of the other fields in the record,
- therefore, clients MUST skip NAPTR records which contain an unknown
- flag value.
-
- * The regexp field is one of two fields used for the rewrite rules,
- and is the core concept of the NAPTR record. The regexp field is a
- String containing a sed-like substitution expression. (The actual
- grammar for the substitution expressions is given later in this
- draft). The substitution expression is applied to the original URN
- to determine the next domain name to be queried. The regexp field
- should be used when the domain name to be generated is conditional
- on information in the URI. If the next domain name is always known,
- which is anticipated to be a common occurrence, the replacement
- field should be used instead.
-
- * The replacement field is the other field that may be used for the
- rewrite rule. It is an optimization of the rewrite process for the
- case where the next domain name is fixed instead of being
- conditional on the content of the URI. The replacement field is a
- domain name (subject to compression if a DNS sender knows that a
- given recipient is able to decompress names in this RR type's RDATA
- field). If the rewrite is more complex than a simple substitution
- of a domain name, the replacement field should be set to . and the
- regexp field used.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 5]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- Note that the client applies all the substitutions and performs all
- lookups, they are not performed in the DNS servers. Note also that it
- is the belief of the developers of this document that regexps should
- rarely be used. The replacement field seems adequate for the vast
- majority of situations. Regexps are only necessary when portions of a
- namespace are to be delegated to different resolvers. Finally, note
- that the regexp and replacement fields are, at present, mutually
- exclusive. However, developers of client software should be aware
- that a new flag might be defined which requires values in both
- fields.
-
-Example 1
----------
-
- Consider a URN that uses the hypothetical DUNS namespace. DUNS
- numbers are identifiers for approximately 30 million registered
- businesses around the world, assigned and maintained by Dunn and
- Bradstreet. The URN might look like:
-
- urn:duns:002372413:annual-report-1997
-
- The first step in the resolution process is to find out about the
- DUNS namespace. The namespace identifier, "duns", is extracted from
- the URN, prepended to urn.net, and the NAPTRs for duns.urn.net looked
- up. It might return records of the form:
-
-duns.urn.net
-;; order pref flags service regexp replacement
- IN NAPTR 100 10 "s" "dunslink+N2L+N2C" "" dunslink.udp.isi.dandb.com
- IN NAPTR 100 20 "s" "rcds+N2C" "" rcds.udp.isi.dandb.com
- IN NAPTR 100 30 "s" "http+N2L+N2C+N2R" "" http.tcp.isi.dandb.com
-
- The order field contains equal values, indicating that no name
- delegation order has to be followed. The preference field indicates
- that the provider would like clients to use the special dunslink
- protocol, followed by the RCDS protocol, and that HTTP is offered as
- a last resort. All the records specify the "s" flag, which will be
- explained momentarily. The service fields say that if we speak
- dunslink, we will be able to issue either the N2L or N2C requests to
- obtain a URL or a URC (description) of the resource. The Resource
- Cataloging and Distribution Service (RCDS)[7] could be used to get a
- URC for the resource, while HTTP could be used to get a URL, URC, or
- the resource itself. All the records supply the next domain name to
- query, none of them need to be rewritten with the aid of regular
- expressions.
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 6]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- The general case might require multiple NAPTR rewrites to locate a
- resolver, but eventually we will come to the "terminal NAPTR". Once
- we have the terminal NAPTR, our next probe into the DNS will be for a
- SRV or A record instead of another NAPTR. Rather than probing for a
- non-existent NAPTR record to terminate the loop, the flags field is
- used to indicate a terminal lookup. If it has a value of "s", the
- next lookup should be for SRV RRs, "a" denotes that A records should
- sought. A "p" flag is also provided to indicate that the next action
- is Protocol-specific, but that looking up another NAPTR will not be
- part of it.
-
- Since our example RR specified the "s" flag, it was terminal.
- Assuming our client does not know the dunslink protocol, our next
- action is to lookup SRV RRs for rcds.udp.isi.dandb.com, which will
- tell us hosts that can provide the necessary resolution service. That
- lookup might return:
-
- ;; Pref Weight Port Target
- rcds.udp.isi.dandb.com IN SRV 0 0 1000 defduns.isi.dandb.com
- IN SRV 0 0 1000 dbmirror.com.au
- IN SRV 0 0 1000 ukmirror.com.uk
-
- telling us three hosts that could actually do the resolution, and
- giving us the port we should use to talk to their RCDS server. (The
- reader is referred to the SRV proposal [4] for the interpretation of
- the fields above).
-
- There is opportunity for significant optimization here. We can return
- the SRV records as additional information for terminal NAPTRs (and
- the A records as additional information for those SRVs). While this
- recursive provision of additional information is not explicitly
- blessed in the DNS specifications, it is not forbidden, and BIND does
- take advantage of it [8]. This is a significant optimization. In
- conjunction with a long TTL for *.urn.net records, the average number
- of probes to DNS for resolving DUNS URNs would approach one.
- Therefore, DNS server implementors SHOULD provide additional
- information with NAPTR responses. The additional information will be
- either SRV or A records. If SRV records are available, their A
- records should be provided as recursive additional information.
-
- Note that the example NAPTR records above are intended to represent
- the reply the client will see. They are not quite identical to what
- the domain administrator would put into the zone files. For one
- thing, the administrator should supply the trailing '.' character on
- any FQDNs.
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 7]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
-Example 2
----------
-
- Consider a URN namespace based on MIME Content-Ids. The URN might
- look like this:
-
- urn:cid:199606121851.1@mordred.gatech.edu
-
- (Note that this example is chosen for pedagogical purposes, and does
- not conform to the recently-approved CID URL scheme.)
-
- The first step in the resolution process is to find out about the CID
- namespace. The namespace identifier, cid, is extracted from the URN,
- prepended to urn.net, and the NAPTR for cid.urn.net looked up. It
- might return records of the form:
-
- cid.urn.net
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "" "" "/urn:cid:.+@([^\.]+\.)(.*)$/\2/i" .
-
- We have only one NAPTR response, so ordering the responses is not a
- problem. The replacement field is empty, so we check the regexp
- field and use the pattern provided there. We apply that regexp to the
- entire URN to see if it matches, which it does. The \2 part of the
- substitution expression returns the string "gatech.edu". Since the
- flags field does not contain "s" or "a", the lookup is not terminal
- and our next probe to DNS is for more NAPTR records:
- lookup(query=NAPTR, "gatech.edu").
-
- Note that the rule does not extract the full domain name from the
- CID, instead it assumes the CID comes from a host and extracts its
- domain. While all hosts, such as mordred, could have their very own
- NAPTR, maintaining those records for all the machines at a site as
- large as Georgia Tech would be an intolerable burden. Wildcards are
- not appropriate here since they only return results when there is no
- exactly matching names already in the system.
-
- The record returned from the query on "gatech.edu" might look like:
-
-gatech.edu IN NAPTR
-;; order pref flags service regexp replacement
- IN NAPTR 100 50 "s" "z3950+N2L+N2C" "" z3950.tcp.gatech.edu
- IN NAPTR 100 50 "s" "rcds+N2C" "" rcds.udp.gatech.edu
- IN NAPTR 100 50 "s" "http+N2L+N2C+N2R" "" http.tcp.gatech.edu
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 8]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- Continuing with our example, we note that the values of the order and
- preference fields are equal in all records, so the client is free to
- pick any record. The flags field tells us that these are the last
- NAPTR patterns we should see, and after the rewrite (a simple
- replacement in this case) we should look up SRV records to get
- information on the hosts that can provide the necessary service.
-
- Assuming we prefer the Z39.50 protocol, our lookup might return:
-
- ;; Pref Weight Port Target
- z3950.tcp.gatech.edu IN SRV 0 0 1000 z3950.gatech.edu
- IN SRV 0 0 1000 z3950.cc.gatech.edu
- IN SRV 0 0 1000 z3950.uga.edu
-
- telling us three hosts that could actually do the resolution, and
- giving us the port we should use to talk to their Z39.50 server.
-
- Recall that the regular expression used \2 to extract a domain name
- from the CID, and \. for matching the literal '.' characters
- seperating the domain name components. Since '\' is the escape
- character, literal occurances of a backslash must be escaped by
- another backslash. For the case of the cid.urn.net record above, the
- regular expression entered into the zone file should be
- "/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i". When the client code actually
- receives the record, the pattern will have been converted to
- "/urn:cid:.+@([^.]+\.)(.*)$/\2/i".
-
-Example 3
----------
-
- Even if URN systems were in place now, there would still be a
- tremendous number of URLs. It should be possible to develop a URN
- resolution system that can also provide location independence for
- those URLs. This is related to the requirement in [1] to be able to
- grandfather in names from other naming systems, such as ISO Formal
- Public Identifiers, Library of Congress Call Numbers, ISBNs, ISSNs,
- etc.
-
- The NAPTR RR could also be used for URLs that have already been
- assigned. Assume we have the URL for a very popular piece of
- software that the publisher wishes to mirror at multiple sites around
- the world:
-
- http://www.foo.com/software/latest-beta.exe
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 9]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- We extract the prefix, "http", and lookup NAPTR records for
- http.urn.net. This might return a record of the form
-
- http.urn.net IN NAPTR
- ;; order pref flags service regexp replacement
- 100 90 "" "" "!http://([^/:]+)!\1!i" .
-
- This expression returns everything after the first double slash and
- before the next slash or colon. (We use the '!' character to delimit
- the parts of the substitution expression. Otherwise we would have to
- use backslashes to escape the forward slashes, and would have a
- regexp in the zone file that looked like
- "/http:\\/\\/([^\\/:]+)/\\1/i".).
-
- Applying this pattern to the URL extracts "www.foo.com". Looking up
- NAPTR records for that might return:
-
- www.foo.com
- ;; order pref flags service regexp replacement
- IN NAPTR 100 100 "s" "http+L2R" "" http.tcp.foo.com
- IN NAPTR 100 100 "s" "ftp+L2R" "" ftp.tcp.foo.com
-
- Looking up SRV records for http.tcp.foo.com would return information
- on the hosts that foo.com has designated to be its mirror sites. The
- client can then pick one for the user.
-
-NAPTR RR Format
-===============
-
- The format of the NAPTR RR is given below. The DNS type code for
- NAPTR is 35.
-
- Domain TTL Class Order Preference Flags Service Regexp
- Replacement
-
- where:
-
- Domain
- The domain name this resource record refers to.
- TTL
- Standard DNS Time To Live field
- Class
- Standard DNS meaning
-
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 10]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- Order
- A 16-bit integer specifying the order in which the NAPTR
- records MUST be processed to ensure correct delegation of
- portions of the namespace over time. Low numbers are processed
- before high numbers, and once a NAPTR is found that "matches"
- a URN, the client MUST NOT consider any NAPTRs with a higher
- value for order.
-
- Preference
- A 16-bit integer which specifies the order in which NAPTR
- records with equal "order" values SHOULD be processed, low
- numbers being processed before high numbers. This is similar
- to the preference field in an MX record, and is used so domain
- administrators can direct clients towards more capable hosts
- or lighter weight protocols.
-
- Flags
- A String giving flags to control aspects of the rewriting and
- interpretation of the fields in the record. Flags are single
- characters from the set [A-Z0-9]. The case of the alphabetic
- characters is not significant.
-
- At this time only three flags, "S", "A", and "P", are defined.
- "S" means that the next lookup should be for SRV records
- instead of NAPTR records. "A" means that the next lookup
- should be for A records. The "P" flag says that the remainder
- of the resolution shall be carried out in a Protocol-specific
- fashion, and we should not do any more DNS queries.
-
- The remaining alphabetic flags are reserved. The numeric flags
- may be used for local experimentation. The S, A, and P flags
- are all mutually exclusive, and resolution libraries MAY
- signal an error if more than one is given. (Experimental code
- and code for assisting in the creation of NAPTRs would be more
- likely to signal such an error than a client such as a
- browser). We anticipate that multiple flags will be allowed in
- the future, so implementers MUST NOT assume that the flags
- field can only contain 0 or 1 characters. Finally, if a client
- encounters a record with an unknown flag, it MUST ignore it
- and move to the next record. This test takes precedence even
- over the "order" field. Since flags can control the
- interpretation placed on fields, a novel flag might change the
- interpretation of the regexp and/or replacement fields such
- that it is impossible to determine if a record matched a URN.
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 11]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- Service
- Specifies the resolution service(s) available down this
- rewrite path. It may also specify the particular protocol that
- is used to talk with a resolver. A protocol MUST be specified
- if the flags field states that the NAPTR is terminal. If a
- protocol is specified, but the flags field does not state that
- the NAPTR is terminal, the next lookup MUST be for a NAPTR.
- The client MAY choose not to perform the next lookup if the
- protocol is unknown, but that behavior MUST NOT be relied
- upon.
-
- The service field may take any of the values below (using the
- Augmented BNF of RFC 822[9]):
-
- service_field = [ [protocol] *("+" rs)]
- protocol = ALPHA *31ALPHANUM
- rs = ALPHA *31ALPHANUM
- // The protocol and rs fields are limited to 32
- // characters and must start with an alphabetic.
- // The current set of "known" strings are:
- // protocol = "rcds" / "thttp" / "hdl" / "rwhois" / "z3950"
- // rs = "N2L" / "N2Ls" / "N2R" / "N2Rs" / "N2C"
- // / "N2Ns" / "L2R" / "L2Ns" / "L2Ls" / "L2C"
-
- i.e. an optional protocol specification followed by 0 or more
- resolution services. Each resolution service is indicated by
- an initial '+' character.
-
- Note that the empty string is also a valid service field. This
- will typically be seen at the top levels of a namespace, when
- it is impossible to know what services and protocols will be
- offered by a particular publisher within that name space.
-
- At this time the known protocols are rcds[7], hdl[10] (binary,
- UDP-based protocols), thttp[5] (a textual, TCP-based
- protocol), rwhois[11] (textual, UDP or TCP based), and
- Z39.50[12] (binary, TCP-based). More will be allowed later.
- The names of the protocols must be formed from the characters
- [a-Z0-9]. Case of the characters is not significant.
-
- The service requests currently allowed will be described in
- more detail in [6], but in brief they are:
- N2L - Given a URN, return a URL
- N2Ls - Given a URN, return a set of URLs
- N2R - Given a URN, return an instance of the resource.
- N2Rs - Given a URN, return multiple instances of the
- resource, typically encoded using
- multipart/alternative.
-
-
-
-Daniel & Mealling Experimental [Page 12]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- N2C - Given a URN, return a collection of meta-
- information on the named resource. The format of
- this response is the subject of another document.
- N2Ns - Given a URN, return all URNs that are also
- identifers for the resource.
- L2R - Given a URL, return the resource.
- L2Ns - Given a URL, return all the URNs that are
- identifiers for the resource.
- L2Ls - Given a URL, return all the URLs for instances of
- of the same resource.
- L2C - Given a URL, return a description of the
- resource.
-
- The actual format of the service request and response will be
- determined by the resolution protocol, and is the subject for
- other documents (e.g. [5]). Protocols need not offer all
- services. The labels for service requests shall be formed from
- the set of characters [A-Z0-9]. The case of the alphabetic
- characters is not significant.
-
- Regexp
- A STRING containing a substitution expression that is applied
- to the original URI in order to construct the next domain name
- to lookup. The grammar of the substitution expression is given
- in the next section.
-
- Replacement
- The next NAME to query for NAPTR, SRV, or A records depending
- on the value of the flags field. As mentioned above, this may
- be compressed.
-
-Substitution Expression Grammar:
-================================
-
- The content of the regexp field is a substitution expression. True
- sed(1) substitution expressions are not appropriate for use in this
- application for a variety of reasons, therefore the contents of the
- regexp field MUST follow the grammar below:
-
-subst_expr = delim-char ere delim-char repl delim-char *flags
-delim-char = "/" / "!" / ... (Any non-digit or non-flag character other
- than backslash '\'. All occurances of a delim_char in a
- subst_expr must be the same character.)
-ere = POSIX Extended Regular Expression (see [13], section
- 2.8.4)
-repl = dns_str / backref / repl dns_str / repl backref
-dns_str = 1*DNS_CHAR
-backref = "\" 1POS_DIGIT
-
-
-
-Daniel & Mealling Experimental [Page 13]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
-flags = "i"
-DNS_CHAR = "-" / "0" / ... / "9" / "a" / ... / "z" / "A" / ... / "Z"
-POS_DIGIT = "1" / "2" / ... / "9" ; 0 is not an allowed backref
-value domain name (see RFC-1123 [14]).
-
- The result of applying the substitution expression to the original
- URI MUST result in a string that obeys the syntax for DNS host names
- [14]. Since it is possible for the regexp field to be improperly
- specified, such that a non-conforming host name can be constructed,
- client software SHOULD verify that the result is a legal host name
- before making queries on it.
-
- Backref expressions in the repl portion of the substitution
- expression are replaced by the (possibly empty) string of characters
- enclosed by '(' and ')' in the ERE portion of the substitution
- expression. N is a single digit from 1 through 9, inclusive. It
- specifies the N'th backref expression, the one that begins with the
- N'th '(' and continues to the matching ')'. For example, the ERE
- (A(B(C)DE)(F)G)
- has backref expressions:
- \1 = ABCDEFG
- \2 = BCDE
- \3 = C
- \4 = F
- \5..\9 = error - no matching subexpression
-
- The "i" flag indicates that the ERE matching SHALL be performed in a
- case-insensitive fashion. Furthermore, any backref replacements MAY
- be normalized to lower case when the "i" flag is given.
-
- The first character in the substitution expression shall be used as
- the character that delimits the components of the substitution
- expression. There must be exactly three non-escaped occurrences of
- the delimiter character in a substitution expression. Since escaped
- occurrences of the delimiter character will be interpreted as
- occurrences of that character, digits MUST NOT be used as delimiters.
- Backrefs would be confused with literal digits were this allowed.
- Similarly, if flags are specified in the substitution expression, the
- delimiter character must not also be a flag character.
-
-
-
-
-
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 14]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
-Advice to domain administrators:
-================================
-
- Beware of regular expressions. Not only are they a pain to get
- correct on their own, but there is the previously mentioned
- interaction with DNS. Any backslashes in a regexp must be entered
- twice in a zone file in order to appear once in a query response.
- More seriously, the need for double backslashes has probably not been
- tested by all implementors of DNS servers. We anticipate that urn.net
- will be the heaviest user of regexps. Only when delegating portions
- of namespaces should the typical domain administrator need to use
- regexps.
-
- On a related note, beware of interactions with the shell when
- manipulating regexps from the command line. Since '\' is a common
- escape character in shells, there is a good chance that when you
- think you are saying "\\" you are actually saying "\". Similar
- caveats apply to characters such as
-
- The "a" flag allows the next lookup to be for A records rather than
- SRV records. Since there is no place for a port specification in the
- NAPTR record, when the "A" flag is used the specified protocol must
- be running on its default port.
-
- The URN Sytnax draft defines a canonical form for each URN, which
- requires %encoding characters outside a limited repertoire. The
- regular expressions MUST be written to operate on that canonical
- form. Since international character sets will end up with extensive
- use of %encoded characters, regular expressions operating on them
- will be essentially impossible to read or write by hand.
-
-Usage
-=====
-
- For the edification of implementers, pseudocode for a client routine
- using NAPTRs is given below. This code is provided merely as a
- convience, it does not have any weight as a standard way to process
- NAPTR records. Also, as is the case with pseudocode, it has never
- been executed and may contain logical errors. You have been warned.
-
- //
- // findResolver(URN)
- // Given a URN, find a host that can resolve it.
- //
- findResolver(string URN) {
- // prepend prefix to urn.net
- sprintf(key, "%s.urn.net", extractNS(URN));
- do {
-
-
-
-Daniel & Mealling Experimental [Page 15]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- rewrite_flag = false;
- terminal = false;
- if (key has been seen) {
- quit with a loop detected error
- }
- add key to list of "seens"
- records = lookup(type=NAPTR, key); // get all NAPTR RRs for 'key'
-
- discard any records with an unknown value in the "flags" field.
- sort NAPTR records by "order" field and "preference" field
- (with "order" being more significant than "preference").
- n_naptrs = number of NAPTR records in response.
- curr_order = records[0].order;
- max_order = records[n_naptrs-1].order;
-
- // Process current batch of NAPTRs according to "order" field.
- for (j=0; j < n_naptrs && records[j].order <= max_order; j++) {
- if (unknown_flag) // skip this record and go to next one
- continue;
- newkey = rewrite(URN, naptr[j].replacement, naptr[j].regexp);
- if (!newkey) // Skip to next record if the rewrite didn't
- match continue;
- // We did do a rewrite, shrink max_order to current value
- // so that delegation works properly
- max_order = naptr[j].order;
- // Will we know what to do with the protocol and services
- // specified in the NAPTR? If not, try next record.
- if(!isKnownProto(naptr[j].services)) {
- continue;
- }
- if(!isKnownService(naptr[j].services)) {
- continue;
- }
-
- // At this point we have a successful rewrite and we will
- // know how to speak the protocol and request a known
- // resolution service. Before we do the next lookup, check
- // some optimization possibilities.
-
- if (strcasecmp(flags, "S")
- || strcasecmp(flags, "P"))
- || strcasecmp(flags, "A")) {
- terminal = true;
- services = naptr[j].services;
- addnl = any SRV and/or A records returned as additional
- info for naptr[j].
- }
- key = newkey;
-
-
-
-Daniel & Mealling Experimental [Page 16]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- rewriteflag = true;
- break;
- }
- } while (rewriteflag && !terminal);
-
- // Did we not find our way to a resolver?
- if (!rewrite_flag) {
- report an error
- return NULL;
- }
-
-
- // Leave rest to another protocol?
- if (strcasecmp(flags, "P")) {
- return key as host to talk to;
- }
-
- // If not, keep plugging
- if (!addnl) { // No SRVs came in as additional info, look them up
- srvs = lookup(type=SRV, key);
- }
-
- sort SRV records by preference, weight, ...
- foreach (SRV record) { // in order of preference
- try contacting srv[j].target using the protocol and one of the
- resolution service requests from the "services" field of the
- last NAPTR record.
- if (successful)
- return (target, protocol, service);
- // Actually we would probably return a result, but this
- // code was supposed to just tell us a good host to talk to.
- }
- die with an "unable to find a host" error;
- }
-
-Notes:
-======
-
- - A client MUST process multiple NAPTR records in the order
- specified by the "order" field, it MUST NOT simply use the first
- record that provides a known protocol and service combination.
-
-
-
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 17]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- - If a record at a particular order matches the URI, but the
- client doesn't know the specified protocol and service, the
- client SHOULD continue to examine records that have the same
- order. The client MUST NOT consider records with a higher value
- of order. This is necessary to make delegation of portions of
- the namespace work. The order field is what lets site
- administrators say "all requests for URIs matching pattern x go
- to server 1, all others go to server 2".
- (A match is defined as:
- 1) The NAPTR provides a replacement domain name
- or
- 2) The regular expression matches the URN
- )
-
- - When multiple RRs have the same "order", the client should use
- the value of the preference field to select the next NAPTR to
- consider. However, because of preferred protocols or services,
- estimates of network distance and bandwidth, etc. clients may
- use different criteria to sort the records.
- - If the lookup after a rewrite fails, clients are strongly
- encouraged to report a failure, rather than backing up to pursue
- other rewrite paths.
- - When a namespace is to be delegated among a set of resolvers,
- regexps must be used. Each regexp appears in a separate NAPTR
- RR. Administrators should do as little delegation as possible,
- because of limitations on the size of DNS responses.
- - Note that SRV RRs impose additional requirements on clients.
-
-Acknowledgments:
-=================
-
- The editors would like to thank Keith Moore for all his consultations
- during the development of this draft. We would also like to thank
- Paul Vixie for his assistance in debugging our implementation, and
- his answers on our questions. Finally, we would like to acknowledge
- our enormous intellectual debt to the participants in the Knoxville
- series of meetings, as well as to the participants in the URI and URN
- working groups.
-
-References:
-===========
-
- [1] Sollins, Karen and Larry Masinter, "Functional Requirements
- for Uniform Resource Names", RFC-1737, Dec. 1994.
-
- [2] The URN Implementors, Uniform Resource Names: A Progress Report,
- http://www.dlib.org/dlib/february96/02arms.html, D-Lib Magazine,
- February 1996.
-
-
-
-Daniel & Mealling Experimental [Page 18]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
- [3] Moats, Ryan, "URN Syntax", RFC-2141, May 1997.
-
- [4] Gulbrandsen, A. and P. Vixie, "A DNS RR for specifying
- the location of services (DNS SRV)", RFC-2052, October 1996.
-
- [5] Daniel, Jr., Ron, "A Trivial Convention for using HTTP in URN
- Resolution", RFC-2169, June 1997.
-
- [6] URN-WG, "URN Resolution Services", Work in Progress.
-
- [7] Moore, Keith, Shirley Browne, Jason Cox, and Jonathan Gettler,
- Resource Cataloging and Distribution System, Technical Report
- CS-97-346, University of Tennessee, Knoxville, December 1996
-
- [8] Paul Vixie, personal communication.
-
- [9] Crocker, Dave H. "Standard for the Format of ARPA Internet Text
- Messages", RFC-822, August 1982.
-
- [10] Orth, Charles and Bill Arms; Handle Resolution Protocol
- Specification, http://www.handle.net/docs/client_spec.html
-
- [11] Williamson, S., M. Kosters, D. Blacka, J. Singh, K. Zeilstra,
- "Referral Whois Protocol (RWhois)", RFC-2167, June 1997.
-
- [12] Information Retrieval (Z39.50): Application Service Definition
- and Protocol Specification, ANSI/NISO Z39.50-1995, July 1995.
-
- [13] IEEE Standard for Information Technology - Portable Operating
- System Interface (POSIX) - Part 2: Shell and Utilities (Vol. 1);
- IEEE Std 1003.2-1992; The Institute of Electrical and
- Electronics Engineers; New York; 1993. ISBN:1-55937-255-9
-
- [14] Braden, R., "Requirements for Internet Hosts - Application and
- and Support", RFC-1123, Oct. 1989.
-
- [15] Sollins, Karen, "Requirements and a Framework for URN Resolution
- Systems", November 1996, Work in Progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 19]
-
-RFC 2168 Resolution of URIs Using the DNS June 1997
-
-
-Security Considerations
-=======================
-
- The use of "urn.net" as the registry for URN namespaces is subject to
- denial of service attacks, as well as other DNS spoofing attacks. The
- interactions with DNSSEC are currently being studied. It is expected
- that NAPTR records will be signed with SIG records once the DNSSEC
- work is deployed.
-
- The rewrite rules make identifiers from other namespaces subject to
- the same attacks as normal domain names. Since they have not been
- easily resolvable before, this may or may not be considered a
- problem.
-
- Regular expressions should be checked for sanity, not blindly passed
- to something like PERL.
-
- This document has discussed a way of locating a resolver, but has not
- discussed any detail of how the communication with the resolver takes
- place. There are significant security considerations attached to the
- communication with a resolver. Those considerations are outside the
- scope of this document, and must be addressed by the specifications
- for particular resolver communication protocols.
-
-Author Contact Information:
-===========================
-
- Ron Daniel
- Los Alamos National Laboratory
- MS B287
- Los Alamos, NM, USA, 87545
- voice: +1 505 665 0597
- fax: +1 505 665 4939
- email: rdaniel@lanl.gov
-
-
- Michael Mealling
- Network Solutions
- 505 Huntmar Park Drive
- Herndon, VA 22070
- voice: (703) 742-0400
- fax: (703) 742-9552
- email: michaelm@internic.net
- URL: http://www.netsol.com/
-
-
-
-
-
-
-
-Daniel & Mealling Experimental [Page 20]
-
diff --git a/contrib/bind9/doc/rfc/rfc2181.txt b/contrib/bind9/doc/rfc/rfc2181.txt
deleted file mode 100644
index 7899e1cbf412..000000000000
--- a/contrib/bind9/doc/rfc/rfc2181.txt
+++ /dev/null
@@ -1,842 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Elz
-Request for Comments: 2181 University of Melbourne
-Updates: 1034, 1035, 1123 R. Bush
-Category: Standards Track RGnet, Inc.
- July 1997
-
-
- Clarifications to the DNS Specification
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-1. Abstract
-
- This document considers some areas that have been identified as
- problems with the specification of the Domain Name System, and
- proposes remedies for the defects identified. Eight separate issues
- are considered:
-
- + IP packet header address usage from multi-homed servers,
- + TTLs in sets of records with the same name, class, and type,
- + correct handling of zone cuts,
- + three minor issues concerning SOA records and their use,
- + the precise definition of the Time to Live (TTL)
- + Use of the TC (truncated) header bit
- + the issue of what is an authoritative, or canonical, name,
- + and the issue of what makes a valid DNS label.
-
- The first six of these are areas where the correct behaviour has been
- somewhat unclear, we seek to rectify that. The other two are already
- adequately specified, however the specifications seem to be sometimes
- ignored. We seek to reinforce the existing specifications.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 1]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
-
-
-Contents
-
- 1 Abstract ................................................... 1
- 2 Introduction ............................................... 2
- 3 Terminology ................................................ 3
- 4 Server Reply Source Address Selection ...................... 3
- 5 Resource Record Sets ....................................... 4
- 6 Zone Cuts .................................................. 8
- 7 SOA RRs .................................................... 10
- 8 Time to Live (TTL) ......................................... 10
- 9 The TC (truncated) header bit .............................. 11
- 10 Naming issues .............................................. 11
- 11 Name syntax ................................................ 13
- 12 Security Considerations .................................... 14
- 13 References ................................................. 14
- 14 Acknowledgements ........................................... 15
- 15 Authors' Addresses ......................................... 15
-
-
-
-
-2. Introduction
-
- Several problem areas in the Domain Name System specification
- [RFC1034, RFC1035] have been noted through the years [RFC1123]. This
- document addresses several additional problem areas. The issues here
- are independent. Those issues are the question of which source
- address a multi-homed DNS server should use when replying to a query,
- the issue of differing TTLs for DNS records with the same label,
- class and type, and the issue of canonical names, what they are, how
- CNAME records relate, what names are legal in what parts of the DNS,
- and what is the valid syntax of a DNS name.
-
- Clarifications to the DNS specification to avoid these problems are
- made in this memo. A minor ambiguity in RFC1034 concerned with SOA
- records is also corrected, as is one in the definition of the TTL
- (Time To Live) and some possible confusion in use of the TC bit.
-
-
-
-
-
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 2]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
-3. Terminology
-
- This memo does not use the oft used expressions MUST, SHOULD, MAY, or
- their negative forms. In some sections it may seem that a
- specification is worded mildly, and hence some may infer that the
- specification is optional. That is not correct. Anywhere that this
- memo suggests that some action should be carried out, or must be
- carried out, or that some behaviour is acceptable, or not, that is to
- be considered as a fundamental aspect of this specification,
- regardless of the specific words used. If some behaviour or action
- is truly optional, that will be clearly specified by the text.
-
-4. Server Reply Source Address Selection
-
- Most, if not all, DNS clients, expect the address from which a reply
- is received to be the same address as that to which the query
- eliciting the reply was sent. This is true for servers acting as
- clients for the purposes of recursive query resolution, as well as
- simple resolver clients. The address, along with the identifier (ID)
- in the reply is used for disambiguating replies, and filtering
- spurious responses. This may, or may not, have been intended when
- the DNS was designed, but is now a fact of life.
-
- Some multi-homed hosts running DNS servers generate a reply using a
- source address that is not the same as the destination address from
- the client's request packet. Such replies will be discarded by the
- client because the source address of the reply does not match that of
- a host to which the client sent the original request. That is, it
- appears to be an unsolicited response.
-
-4.1. UDP Source Address Selection
-
- To avoid these problems, servers when responding to queries using UDP
- must cause the reply to be sent with the source address field in the
- IP header set to the address that was in the destination address
- field of the IP header of the packet containing the query causing the
- response. If this would cause the response to be sent from an IP
- address that is not permitted for this purpose, then the response may
- be sent from any legal IP address allocated to the server. That
- address should be chosen to maximise the possibility that the client
- will be able to use it for further queries. Servers configured in
- such a way that not all their addresses are equally reachable from
- all potential clients need take particular care when responding to
- queries sent to anycast, multicast, or similar, addresses.
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 3]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
-4.2. Port Number Selection
-
- Replies to all queries must be directed to the port from which they
- were sent. When queries are received via TCP this is an inherent
- part of the transport protocol. For queries received by UDP the
- server must take note of the source port and use that as the
- destination port in the response. Replies should always be sent from
- the port to which they were directed. Except in extraordinary
- circumstances, this will be the well known port assigned for DNS
- queries [RFC1700].
-
-5. Resource Record Sets
-
- Each DNS Resource Record (RR) has a label, class, type, and data. It
- is meaningless for two records to ever have label, class, type and
- data all equal - servers should suppress such duplicates if
- encountered. It is however possible for most record types to exist
- with the same label, class and type, but with different data. Such a
- group of records is hereby defined to be a Resource Record Set
- (RRSet).
-
-5.1. Sending RRs from an RRSet
-
- A query for a specific (or non-specific) label, class, and type, will
- always return all records in the associated RRSet - whether that be
- one or more RRs. The response must be marked as "truncated" if the
- entire RRSet will not fit in the response.
-
-5.2. TTLs of RRs in an RRSet
-
- Resource Records also have a time to live (TTL). It is possible for
- the RRs in an RRSet to have different TTLs. No uses for this have
- been found that cannot be better accomplished in other ways. This
- can, however, cause partial replies (not marked "truncated") from a
- caching server, where the TTLs for some but not all the RRs in the
- RRSet have expired.
-
- Consequently the use of differing TTLs in an RRSet is hereby
- deprecated, the TTLs of all RRs in an RRSet must be the same.
-
- Should a client receive a response containing RRs from an RRSet with
- differing TTLs, it should treat this as an error. If the RRSet
- concerned is from a non-authoritative source for this data, the
- client should simply ignore the RRSet, and if the values were
- required, seek to acquire them from an authoritative source. Clients
- that are configured to send all queries to one, or more, particular
- servers should treat those servers as authoritative for this purpose.
- Should an authoritative source send such a malformed RRSet, the
-
-
-
-Elz & Bush Standards Track [Page 4]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- client should treat the RRs for all purposes as if all TTLs in the
- RRSet had been set to the value of the lowest TTL in the RRSet. In
- no case may a server send an RRSet with TTLs not all equal.
-
-5.3. DNSSEC Special Cases
-
- Two of the record types added by DNS Security (DNSSEC) [RFC2065]
- require special attention when considering the formation of Resource
- Record Sets. Those are the SIG and NXT records. It should be noted
- that DNS Security is still very new, and there is, as yet, little
- experience with it. Readers should be prepared for the information
- related to DNSSEC contained in this document to become outdated as
- the DNS Security specification matures.
-
-5.3.1. SIG records and RRSets
-
- A SIG record provides signature (validation) data for another RRSet
- in the DNS. Where a zone has been signed, every RRSet in the zone
- will have had a SIG record associated with it. The data type of the
- RRSet is included in the data of the SIG RR, to indicate with which
- particular RRSet this SIG record is associated. Were the rules above
- applied, whenever a SIG record was included with a response to
- validate that response, the SIG records for all other RRSets
- associated with the appropriate node would also need to be included.
- In some cases, this could be a very large number of records, not
- helped by their being rather large RRs.
-
- Thus, it is specifically permitted for the authority section to
- contain only those SIG RRs with the "type covered" field equal to the
- type field of an answer being returned. However, where SIG records
- are being returned in the answer section, in response to a query for
- SIG records, or a query for all records associated with a name
- (type=ANY) the entire SIG RRSet must be included, as for any other RR
- type.
-
- Servers that receive responses containing SIG records in the
- authority section, or (probably incorrectly) as additional data, must
- understand that the entire RRSet has almost certainly not been
- included. Thus, they must not cache that SIG record in a way that
- would permit it to be returned should a query for SIG records be
- received at that server. RFC2065 actually requires that SIG queries
- be directed only to authoritative servers to avoid the problems that
- could be caused here, and while servers exist that do not understand
- the special properties of SIG records, this will remain necessary.
- However, careful design of SIG record processing in new
- implementations should permit this restriction to be relaxed in the
- future, so resolvers do not need to treat SIG record queries
- specially.
-
-
-
-Elz & Bush Standards Track [Page 5]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- It has been occasionally stated that a received request for a SIG
- record should be forwarded to an authoritative server, rather than
- being answered from data in the cache. This is not necessary - a
- server that has the knowledge of SIG as a special case for processing
- this way would be better to correctly cache SIG records, taking into
- account their characteristics. Then the server can determine when it
- is safe to reply from the cache, and when the answer is not available
- and the query must be forwarded.
-
-5.3.2. NXT RRs
-
- Next Resource Records (NXT) are even more peculiar. There will only
- ever be one NXT record in a zone for a particular label, so
- superficially, the RRSet problem is trivial. However, at a zone cut,
- both the parent zone, and the child zone (superzone and subzone in
- RFC2065 terminology) will have NXT records for the same name. Those
- two NXT records do not form an RRSet, even where both zones are
- housed at the same server. NXT RRSets always contain just a single
- RR. Where both NXT records are visible, two RRSets exist. However,
- servers are not required to treat this as a special case when
- receiving NXT records in a response. They may elect to notice the
- existence of two different NXT RRSets, and treat that as they would
- two different RRSets of any other type. That is, cache one, and
- ignore the other. Security aware servers will need to correctly
- process the NXT record in the received response though.
-
-5.4. Receiving RRSets
-
- Servers must never merge RRs from a response with RRs in their cache
- to form an RRSet. If a response contains data that would form an
- RRSet with data in a server's cache the server must either ignore the
- RRs in the response, or discard the entire RRSet currently in the
- cache, as appropriate. Consequently the issue of TTLs varying
- between the cache and a response does not cause concern, one will be
- ignored. That is, one of the data sets is always incorrect if the
- data from an answer differs from the data in the cache. The
- challenge for the server is to determine which of the data sets is
- correct, if one is, and retain that, while ignoring the other. Note
- that if a server receives an answer containing an RRSet that is
- identical to that in its cache, with the possible exception of the
- TTL value, it may, optionally, update the TTL in its cache with the
- TTL of the received answer. It should do this if the received answer
- would be considered more authoritative (as discussed in the next
- section) than the previously cached answer.
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 6]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
-5.4.1. Ranking data
-
- When considering whether to accept an RRSet in a reply, or retain an
- RRSet already in its cache instead, a server should consider the
- relative likely trustworthiness of the various data. An
- authoritative answer from a reply should replace cached data that had
- been obtained from additional information in an earlier reply.
- However additional information from a reply will be ignored if the
- cache contains data from an authoritative answer or a zone file.
-
- The accuracy of data available is assumed from its source.
- Trustworthiness shall be, in order from most to least:
-
- + Data from a primary zone file, other than glue data,
- + Data from a zone transfer, other than glue,
- + The authoritative data included in the answer section of an
- authoritative reply.
- + Data from the authority section of an authoritative answer,
- + Glue from a primary zone, or glue from a zone transfer,
- + Data from the answer section of a non-authoritative answer, and
- non-authoritative data from the answer section of authoritative
- answers,
- + Additional information from an authoritative answer,
- Data from the authority section of a non-authoritative answer,
- Additional information from non-authoritative answers.
-
- Note that the answer section of an authoritative answer normally
- contains only authoritative data. However when the name sought is an
- alias (see section 10.1.1) only the record describing that alias is
- necessarily authoritative. Clients should assume that other records
- may have come from the server's cache. Where authoritative answers
- are required, the client should query again, using the canonical name
- associated with the alias.
-
- Unauthenticated RRs received and cached from the least trustworthy of
- those groupings, that is data from the additional data section, and
- data from the authority section of a non-authoritative answer, should
- not be cached in such a way that they would ever be returned as
- answers to a received query. They may be returned as additional
- information where appropriate. Ignoring this would allow the
- trustworthiness of relatively untrustworthy data to be increased
- without cause or excuse.
-
- When DNS security [RFC2065] is in use, and an authenticated reply has
- been received and verified, the data thus authenticated shall be
- considered more trustworthy than unauthenticated data of the same
- type. Note that throughout this document, "authoritative" means a
- reply with the AA bit set. DNSSEC uses trusted chains of SIG and KEY
-
-
-
-Elz & Bush Standards Track [Page 7]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- records to determine the authenticity of data, the AA bit is almost
- irrelevant. However DNSSEC aware servers must still correctly set
- the AA bit in responses to enable correct operation with servers that
- are not security aware (almost all currently).
-
- Note that, glue excluded, it is impossible for data from two
- correctly configured primary zone files, two correctly configured
- secondary zones (data from zone transfers) or data from correctly
- configured primary and secondary zones to ever conflict. Where glue
- for the same name exists in multiple zones, and differs in value, the
- nameserver should select data from a primary zone file in preference
- to secondary, but otherwise may choose any single set of such data.
- Choosing that which appears to come from a source nearer the
- authoritative data source may make sense where that can be
- determined. Choosing primary data over secondary allows the source
- of incorrect glue data to be discovered more readily, when a problem
- with such data exists. Where a server can detect from two zone files
- that one or more are incorrectly configured, so as to create
- conflicts, it should refuse to load the zones determined to be
- erroneous, and issue suitable diagnostics.
-
- "Glue" above includes any record in a zone file that is not properly
- part of that zone, including nameserver records of delegated sub-
- zones (NS records), address records that accompany those NS records
- (A, AAAA, etc), and any other stray data that might appear.
-
-5.5. Sending RRSets (reprise)
-
- A Resource Record Set should only be included once in any DNS reply.
- It may occur in any of the Answer, Authority, or Additional
- Information sections, as required. However it should not be repeated
- in the same, or any other, section, except where explicitly required
- by a specification. For example, an AXFR response requires the SOA
- record (always an RRSet containing a single RR) be both the first and
- last record of the reply. Where duplicates are required this way,
- the TTL transmitted in each case must be the same.
-
-6. Zone Cuts
-
- The DNS tree is divided into "zones", which are collections of
- domains that are treated as a unit for certain management purposes.
- Zones are delimited by "zone cuts". Each zone cut separates a
- "child" zone (below the cut) from a "parent" zone (above the cut).
- The domain name that appears at the top of a zone (just below the cut
- that separates the zone from its parent) is called the zone's
- "origin". The name of the zone is the same as the name of the domain
- at the zone's origin. Each zone comprises that subset of the DNS
- tree that is at or below the zone's origin, and that is above the
-
-
-
-Elz & Bush Standards Track [Page 8]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- cuts that separate the zone from its children (if any). The
- existence of a zone cut is indicated in the parent zone by the
- existence of NS records specifying the origin of the child zone. A
- child zone does not contain any explicit reference to its parent.
-
-6.1. Zone authority
-
- The authoritative servers for a zone are enumerated in the NS records
- for the origin of the zone, which, along with a Start of Authority
- (SOA) record are the mandatory records in every zone. Such a server
- is authoritative for all resource records in a zone that are not in
- another zone. The NS records that indicate a zone cut are the
- property of the child zone created, as are any other records for the
- origin of that child zone, or any sub-domains of it. A server for a
- zone should not return authoritative answers for queries related to
- names in another zone, which includes the NS, and perhaps A, records
- at a zone cut, unless it also happens to be a server for the other
- zone.
-
- Other than the DNSSEC cases mentioned immediately below, servers
- should ignore data other than NS records, and necessary A records to
- locate the servers listed in the NS records, that may happen to be
- configured in a zone at a zone cut.
-
-6.2. DNSSEC issues
-
- The DNS security mechanisms [RFC2065] complicate this somewhat, as
- some of the new resource record types added are very unusual when
- compared with other DNS RRs. In particular the NXT ("next") RR type
- contains information about which names exist in a zone, and hence
- which do not, and thus must necessarily relate to the zone in which
- it exists. The same domain name may have different NXT records in
- the parent zone and the child zone, and both are valid, and are not
- an RRSet. See also section 5.3.2.
-
- Since NXT records are intended to be automatically generated, rather
- than configured by DNS operators, servers may, but are not required
- to, retain all differing NXT records they receive regardless of the
- rules in section 5.4.
-
- For a secure parent zone to securely indicate that a subzone is
- insecure, DNSSEC requires that a KEY RR indicating that the subzone
- is insecure, and the parent zone's authenticating SIG RR(s) be
- present in the parent zone, as they by definition cannot be in the
- subzone. Where a subzone is secure, the KEY and SIG records will be
- present, and authoritative, in that zone, but should also always be
- present in the parent zone (if secure).
-
-
-
-
-Elz & Bush Standards Track [Page 9]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- Note that in none of these cases should a server for the parent zone,
- not also being a server for the subzone, set the AA bit in any
- response for a label at a zone cut.
-
-7. SOA RRs
-
- Three minor issues concerning the Start of Zone of Authority (SOA)
- Resource Record need some clarification.
-
-7.1. Placement of SOA RRs in authoritative answers
-
- RFC1034, in section 3.7, indicates that the authority section of an
- authoritative answer may contain the SOA record for the zone from
- which the answer was obtained. When discussing negative caching,
- RFC1034 section 4.3.4 refers to this technique but mentions the
- additional section of the response. The former is correct, as is
- implied by the example shown in section 6.2.5 of RFC1034. SOA
- records, if added, are to be placed in the authority section.
-
-7.2. TTLs on SOA RRs
-
- It may be observed that in section 3.2.1 of RFC1035, which defines
- the format of a Resource Record, that the definition of the TTL field
- contains a throw away line which states that the TTL of an SOA record
- should always be sent as zero to prevent caching. This is mentioned
- nowhere else, and has not generally been implemented.
- Implementations should not assume that SOA records will have a TTL of
- zero, nor are they required to send SOA records with a TTL of zero.
-
-7.3. The SOA.MNAME field
-
- It is quite clear in the specifications, yet seems to have been
- widely ignored, that the MNAME field of the SOA record should contain
- the name of the primary (master) server for the zone identified by
- the SOA. It should not contain the name of the zone itself. That
- information would be useless, as to discover it, one needs to start
- with the domain name of the SOA record - that is the name of the
- zone.
-
-8. Time to Live (TTL)
-
- The definition of values appropriate to the TTL field in STD 13 is
- not as clear as it could be, with respect to how many significant
- bits exist, and whether the value is signed or unsigned. It is
- hereby specified that a TTL value is an unsigned number, with a
- minimum value of 0, and a maximum value of 2147483647. That is, a
- maximum of 2^31 - 1. When transmitted, this value shall be encoded
- in the less significant 31 bits of the 32 bit TTL field, with the
-
-
-
-Elz & Bush Standards Track [Page 10]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- most significant, or sign, bit set to zero.
-
- Implementations should treat TTL values received with the most
- significant bit set as if the entire value received was zero.
-
- Implementations are always free to place an upper bound on any TTL
- received, and treat any larger values as if they were that upper
- bound. The TTL specifies a maximum time to live, not a mandatory
- time to live.
-
-9. The TC (truncated) header bit
-
- The TC bit should be set in responses only when an RRSet is required
- as a part of the response, but could not be included in its entirety.
- The TC bit should not be set merely because some extra information
- could have been included, but there was insufficient room. This
- includes the results of additional section processing. In such cases
- the entire RRSet that will not fit in the response should be omitted,
- and the reply sent as is, with the TC bit clear. If the recipient of
- the reply needs the omitted data, it can construct a query for that
- data and send that separately.
-
- Where TC is set, the partial RRSet that would not completely fit may
- be left in the response. When a DNS client receives a reply with TC
- set, it should ignore that response, and query again, using a
- mechanism, such as a TCP connection, that will permit larger replies.
-
-10. Naming issues
-
- It has sometimes been inferred from some sections of the DNS
- specification [RFC1034, RFC1035] that a host, or perhaps an interface
- of a host, is permitted exactly one authoritative, or official, name,
- called the canonical name. There is no such requirement in the DNS.
-
-10.1. CNAME resource records
-
- The DNS CNAME ("canonical name") record exists to provide the
- canonical name associated with an alias name. There may be only one
- such canonical name for any one alias. That name should generally be
- a name that exists elsewhere in the DNS, though there are some rare
- applications for aliases with the accompanying canonical name
- undefined in the DNS. An alias name (label of a CNAME record) may,
- if DNSSEC is in use, have SIG, NXT, and KEY RRs, but may have no
- other data. That is, for any label in the DNS (any domain name)
- exactly one of the following is true:
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 11]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- + one CNAME record exists, optionally accompanied by SIG, NXT, and
- KEY RRs,
- + one or more records exist, none being CNAME records,
- + the name exists, but has no associated RRs of any type,
- + the name does not exist at all.
-
-10.1.1. CNAME terminology
-
- It has been traditional to refer to the label of a CNAME record as "a
- CNAME". This is unfortunate, as "CNAME" is an abbreviation of
- "canonical name", and the label of a CNAME record is most certainly
- not a canonical name. It is, however, an entrenched usage. Care
- must therefore be taken to be very clear whether the label, or the
- value (the canonical name) of a CNAME resource record is intended.
- In this document, the label of a CNAME resource record will always be
- referred to as an alias.
-
-10.2. PTR records
-
- Confusion about canonical names has lead to a belief that a PTR
- record should have exactly one RR in its RRSet. This is incorrect,
- the relevant section of RFC1034 (section 3.6.2) indicates that the
- value of a PTR record should be a canonical name. That is, it should
- not be an alias. There is no implication in that section that only
- one PTR record is permitted for a name. No such restriction should
- be inferred.
-
- Note that while the value of a PTR record must not be an alias, there
- is no requirement that the process of resolving a PTR record not
- encounter any aliases. The label that is being looked up for a PTR
- value might have a CNAME record. That is, it might be an alias. The
- value of that CNAME RR, if not another alias, which it should not be,
- will give the location where the PTR record is found. That record
- gives the result of the PTR type lookup. This final result, the
- value of the PTR RR, is the label which must not be an alias.
-
-10.3. MX and NS records
-
- The domain name used as the value of a NS resource record, or part of
- the value of a MX resource record must not be an alias. Not only is
- the specification clear on this point, but using an alias in either
- of these positions neither works as well as might be hoped, nor well
- fulfills the ambition that may have led to this approach. This
- domain name must have as its value one or more address records.
- Currently those will be A records, however in the future other record
- types giving addressing information may be acceptable. It can also
- have other RRs, but never a CNAME RR.
-
-
-
-
-Elz & Bush Standards Track [Page 12]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- Searching for either NS or MX records causes "additional section
- processing" in which address records associated with the value of the
- record sought are appended to the answer. This helps avoid needless
- extra queries that are easily anticipated when the first was made.
-
- Additional section processing does not include CNAME records, let
- alone the address records that may be associated with the canonical
- name derived from the alias. Thus, if an alias is used as the value
- of an NS or MX record, no address will be returned with the NS or MX
- value. This can cause extra queries, and extra network burden, on
- every query. It is trivial for the DNS administrator to avoid this
- by resolving the alias and placing the canonical name directly in the
- affected record just once when it is updated or installed. In some
- particular hard cases the lack of the additional section address
- records in the results of a NS lookup can cause the request to fail.
-
-11. Name syntax
-
- Occasionally it is assumed that the Domain Name System serves only
- the purpose of mapping Internet host names to data, and mapping
- Internet addresses to host names. This is not correct, the DNS is a
- general (if somewhat limited) hierarchical database, and can store
- almost any kind of data, for almost any purpose.
-
- The DNS itself places only one restriction on the particular labels
- that can be used to identify resource records. That one restriction
- relates to the length of the label and the full name. The length of
- any one label is limited to between 1 and 63 octets. A full domain
- name is limited to 255 octets (including the separators). The zero
- length full name is defined as representing the root of the DNS tree,
- and is typically written and displayed as ".". Those restrictions
- aside, any binary string whatever can be used as the label of any
- resource record. Similarly, any binary string can serve as the value
- of any record that includes a domain name as some or all of its value
- (SOA, NS, MX, PTR, CNAME, and any others that may be added).
- Implementations of the DNS protocols must not place any restrictions
- on the labels that can be used. In particular, DNS servers must not
- refuse to serve a zone because it contains labels that might not be
- acceptable to some DNS client programs. A DNS server may be
- configurable to issue warnings when loading, or even to refuse to
- load, a primary zone containing labels that might be considered
- questionable, however this should not happen by default.
-
- Note however, that the various applications that make use of DNS data
- can have restrictions imposed on what particular values are
- acceptable in their environment. For example, that any binary label
- can have an MX record does not imply that any binary name can be used
- as the host part of an e-mail address. Clients of the DNS can impose
-
-
-
-Elz & Bush Standards Track [Page 13]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
- whatever restrictions are appropriate to their circumstances on the
- values they use as keys for DNS lookup requests, and on the values
- returned by the DNS. If the client has such restrictions, it is
- solely responsible for validating the data from the DNS to ensure
- that it conforms before it makes any use of that data.
-
- See also [RFC1123] section 6.1.3.5.
-
-12. Security Considerations
-
- This document does not consider security.
-
- In particular, nothing in section 4 is any way related to, or useful
- for, any security related purposes.
-
- Section 5.4.1 is also not related to security. Security of DNS data
- will be obtained by the Secure DNS [RFC2065], which is mostly
- orthogonal to this memo.
-
- It is not believed that anything in this document adds to any
- security issues that may exist with the DNS, nor does it do anything
- to that will necessarily lessen them. Correct implementation of the
- clarifications in this document might play some small part in
- limiting the spread of non-malicious bad data in the DNS, but only
- DNSSEC can help with deliberate attempts to subvert DNS data.
-
-13. References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC1123] Braden, R., "Requirements for Internet Hosts - application
- and support", STD 3, RFC 1123, January 1989.
-
- [RFC1700] Reynolds, J., Postel, J., "Assigned Numbers",
- STD 2, RFC 1700, October 1994.
-
- [RFC2065] Eastlake, D., Kaufman, C., "Domain Name System Security
- Extensions", RFC 2065, January 1997.
-
-
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 14]
-
-RFC 2181 Clarifications to the DNS Specification July 1997
-
-
-14. Acknowledgements
-
- This memo arose from discussions in the DNSIND working group of the
- IETF in 1995 and 1996, the members of that working group are largely
- responsible for the ideas captured herein. Particular thanks to
- Donald E. Eastlake, 3rd, and Olafur Gudmundsson, for help with the
- DNSSEC issues in this document, and to John Gilmore for pointing out
- where the clarifications were not necessarily clarifying. Bob Halley
- suggested clarifying the placement of SOA records in authoritative
- answers, and provided the references. Michael Patton, as usual, and
- Mark Andrews, Alan Barrett and Stan Barber provided much assistance
- with many details. Josh Littlefield helped make sure that the
- clarifications didn't cause problems in some irritating corner cases.
-
-15. Authors' Addresses
-
- Robert Elz
- Computer Science
- University of Melbourne
- Parkville, Victoria, 3052
- Australia.
-
- EMail: kre@munnari.OZ.AU
-
-
- Randy Bush
- RGnet, Inc.
- 5147 Crystal Springs Drive NE
- Bainbridge Island, Washington, 98110
- United States.
-
- EMail: randy@psg.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Elz & Bush Standards Track [Page 15]
diff --git a/contrib/bind9/doc/rfc/rfc2230.txt b/contrib/bind9/doc/rfc/rfc2230.txt
deleted file mode 100644
index 03995fe25bd1..000000000000
--- a/contrib/bind9/doc/rfc/rfc2230.txt
+++ /dev/null
@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Atkinson
-Request for Comments: 2230 NRL
-Category: Informational November 1997
-
-
- Key Exchange Delegation Record for the DNS
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
-ABSTRACT
-
- This note describes a mechanism whereby authorisation for one node to
- act as key exchanger for a second node is delegated and made
- available via the Secure DNS. This mechanism is intended to be used
- only with the Secure DNS. It can be used with several security
- services. For example, a system seeking to use IP Security [RFC-
- 1825, RFC-1826, RFC-1827] to protect IP packets for a given
- destination can use this mechanism to determine the set of authorised
- remote key exchanger systems for that destination.
-
-1. INTRODUCTION
-
-
- The Domain Name System (DNS) is the standard way that Internet nodes
- locate information about addresses, mail exchangers, and other data
- relating to remote Internet nodes. [RFC-1035, RFC-1034] More
- recently, Eastlake and Kaufman have defined standards-track security
- extensions to the DNS. [RFC-2065] These security extensions can be
- used to authenticate signed DNS data records and can also be used to
- store signed public keys in the DNS.
-
- The KX record is useful in providing an authenticatible method of
- delegating authorisation for one node to provide key exchange
- services on behalf of one or more, possibly different, nodes. This
- note specifies the syntax and semantics of the KX record, which is
- currently in limited deployment in certain IP-based networks. The
-
-
-
-
-
-
-
-Atkinson Informational [Page 1]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- reader is assumed to be familiar with the basics of DNS, including
- familiarity with [RFC-1035, RFC-1034]. This document is not on the
- IETF standards-track and does not specify any level of standard.
- This document merely provides information for the Internet community.
-
-1.1 Identity Terminology
-
- This document relies upon the concept of "identity domination". This
- concept might be new to the reader and so is explained in this
- section. The subject of endpoint naming for security associations
- has historically been somewhat contentious. This document takes no
- position on what forms of identity should be used. In a network,
- there are several forms of identity that are possible.
-
- For example, IP Security has defined notions of identity that
- include: IP Address, IP Address Range, Connection ID, Fully-Qualified
- Domain Name (FQDN), and User with Fully Qualified Domain Name (USER
- FQDN).
-
- A USER FQDN identity dominates a FQDN identity. A FQDN identity in
- turn dominates an IP Address identity. Similarly, a Connection ID
- dominates an IP Address identity. An IP Address Range dominates each
- IP Address identity for each IP address within that IP address range.
- Also, for completeness, an IP Address identity is considered to
- dominate itself.
-
-2. APPROACH
-
- This document specifies a new kind of DNS Resource Record (RR), known
- as the Key Exchanger (KX) record. A Key Exchanger Record has the
- mnemonic "KX" and the type code of 36. Each KX record is associated
- with a fully-qualified domain name. The KX record is modeled on the
- MX record described in [Part86]. Any given domain, subdomain, or host
- entry in the DNS might have a KX record.
-
-2.1 IPsec Examples
-
- In these two examples, let S be the originating node and let D be the
- destination node. S2 is another node on the same subnet as S. D2 is
- another node on the same subnet as D. R1 and R2 are IPsec-capable
- routers. The path from S to D goes via first R1 and later R2. The
- return path from D to S goes via first R2 and later R1.
-
- IETF-standard IP Security uses unidirectional Security Associations
- [RFC-1825]. Therefore, a typical IP session will use a pair of
- related Security Associations, one in each direction. The examples
- below talk about how to setup an example Security Association, but in
- practice a pair of matched Security Associations will normally be
-
-
-
-Atkinson Informational [Page 2]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- used.
-
-2.1.1 Subnet-to-Subnet Example
-
- If neither S nor D implements IPsec, security can still be provided
- between R1 and R2 by building a secure tunnel. This can use either
- AH or ESP.
-
- S ---+ +----D
- | |
- +- R1 -----[zero or more routers]-------R2-+
- | |
- S2---+ +----D2
-
- Figure 1: Network Diagram for Subnet-to-Subnet Example
-
- In this example, R1 makes the policy decision to provide the IPsec
- service for traffic from R1 destined for R2. Once R1 has decided
- that the packet from S to D should be protected, it performs a secure
- DNS lookup for the records associated with domain D. If R1 only
- knows the IP address for D, then a secure reverse DNS lookup will be
- necessary to determine the domain D, before that forward secure DNS
- lookup for records associated with domain D. If these DNS records of
- domain D include a KX record for the IPsec service, then R1 knows
- which set of nodes are authorised key exchanger nodes for the
- destination D.
-
- In this example, let there be at least one KX record for D and let
- the most preferred KX record for D point at R2. R1 then selects a
- key exchanger (in this example, R2) for D from the list obtained from
- the secure DNS. Then R1 initiates a key management session with that
- key exchanger (in this example, R2) to setup an IPsec Security
- Association between R1 and D. In this example, R1 knows (either by
- seeing an outbound packet arriving from S destined to D or via other
- methods) that S will be sending traffic to D. In this example R1's
- policy requires that traffic from S to D should be segregated at
- least on a host-to-host basis, so R1 desires an IPsec Security
- Association with source identity that dominates S, proxy identity
- that dominates R1, and destination identity that dominates R2.
-
- In turn, R2 is able to authenticate the delegation of Key Exchanger
- authorisation for target S to R1 by making an authenticated forward
- DNS lookup for KX records associated with S and verifying that at
- least one such record points to R1. The identity S is typically
- given to R2 as part of the key management process between R1 and R2.
-
-
-
-
-
-
-Atkinson Informational [Page 3]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- If D initially only knows the IP address of S, then it will need to
- perform a secure reverse DNS lookup to obtain the fully-qualified
- domain name for S prior to that secure forward DNS lookup.
-
- If R2 does not receive an authenticated DNS response indicating that
- R1 is an authorised key exchanger for S, then D will not accept the
- SA negotiation from R1 on behalf of identity S.
-
- If the proposed IPsec Security Association is acceptable to both R1
- and R2, each of which might have separate policies, then they create
- that IPsec Security Association via Key Management.
-
- Note that for unicast traffic, Key Management will typically also
- setup a separate (but related) IPsec Security Association for the
- return traffic. That return IPsec Security Association will have
- equivalent identities. In this example, that return IPsec Security
- Association will have a source identity that dominates D, a proxy
- identity that dominates R2, and a destination identity that dominates
- R1.
-
- Once the IPsec Security Association has been created, then R1 uses it
- to protect traffic from S destined for D via a secure tunnel that
- originates at R1 and terminates at R2. For the case of unicast, R2
- will use the return IPsec Security Association to protect traffic
- from D destined for S via a secure tunnel that originates at R2 and
- terminates at R1.
-
-2.1.2 Subnet-to-Host Example
-
- Consider the case where D and R1 implement IPsec, but S does not
- implement IPsec, which is an interesting variation on the previous
- example. This example is shown in Figure 2 below.
-
- S ---+
- |
- +- R1 -----[zero or more routers]-------D
- |
- S2---+
-
- Figure 2: Network Diagram for Subnet-to-Host Example
-
- In this example, R1 makes the policy decision that IP Security is
- needed for the packet travelling from S to D. Then, R1 performs the
- secure DNS lookup for D and determines that D is its own key
- exchanger, either from the existence of a KX record for D pointing to
- D or from an authenticated DNS response indicating that no KX record
- exists for D. If R1 does not initially know the domain name of D,
- then prior to the above forward secure DNS lookup, R1 performs a
-
-
-
-Atkinson Informational [Page 4]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- secure reverse DNS lookup on the IP address of D to determine the
- fully-qualified domain name for that IP address. R1 then initiates
- key management with D to create an IPsec Security Association on
- behalf of S.
-
- In turn, D can verify that R1 is authorised to create an IPsec
- Security Association on behalf of S by performing a DNS KX record
- lookup for target S. R1 usually provides identity S to D via key
- management. If D only has the IP address of S, then D will need to
- perform a secure reverse lookup on the IP address of S to determine
- domain name S prior to the secure forward DNS lookup on S to locate
- the KX records for S.
-
- If D does not receive an authenticated DNS response indicating that
- R1 is an authorised key exchanger for S, then D will not accept the
- SA negotiation from R1 on behalf of identity S.
-
- If the IPsec Security Association is successfully established between
- R1 and D, that IPsec Security Association has a source identity that
- dominates S's IP address, a proxy identity that dominates R1's IP
- address, and a destination identity that dominates D's IP address.
-
- Finally, R1 begins providing the security service for packets from S
- that transit R1 destined for D. When D receives such packets, D
- examines the SA information during IPsec input processing and sees
- that R1's address is listed as valid proxy address for that SA and
- that S is the source address for that SA. Hence, D knows at input
- processing time that R1 is authorised to provide security on behalf
- of S. Therefore packets coming from R1 with valid IP security that
- claim to be from S are trusted by D to have really come from S.
-
-2.1.3 Host to Subnet Example
-
- Now consider the above case from D's perspective (i.e. where D is
- sending IP packets to S). This variant is sometimes known as the
- Mobile Host or "roadwarrier" case. The same basic concepts apply, but
- the details are covered here in hope of improved clarity.
-
- S ---+
- |
- +- R1 -----[zero or more routers]-------D
- |
- S2---+
-
- Figure 3: Network Diagram for Host-to-Subnet Example
-
-
-
-
-
-
-Atkinson Informational [Page 5]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- In this example, D makes the policy decision that IP Security is
- needed for the packets from D to S. Then D performs the secure DNS
- lookup for S and discovers that a KX record for S exists and points
- at R1. If D only has the IP address of S, then it performs a secure
- reverse DNS lookup on the IP address of S prior to the forward secure
- DNS lookup for S.
-
- D then initiates key management with R1, where R1 is acting on behalf
- of S, to create an appropriate Security Association. Because D is
- acting as its own key exchanger, R1 does not need to perform a secure
- DNS lookup for KX records associated with D.
-
- D and R1 then create an appropriate IPsec Security Security
- Association. This IPsec Security Association is setup as a secure
- tunnel with a source identity that dominates D's IP Address and a
- destination identity that dominates R1's IP Address. Because D
- performs IPsec for itself, no proxy identity is needed in this IPsec
- Security Association. If the proxy identity is non-null in this
- situation, then the proxy identity must dominate D's IP Address.
-
- Finally, D sends secured IP packets to R1. R1 receives those
- packets, provides IPsec input processing (including appropriate
- inner/outer IP address validation), and forwards valid packets along
- to S.
-
-2.2 Other Examples
-
- This mechanism can be extended for use with other services as well.
- To give some insight into other possible uses, this section discusses
- use of KX records in environments using a Key Distribution Center
- (KDC), such as Kerberos [KN93], and a possible use of KX records in
- conjunction with mobile nodes accessing the network via a dialup
- service.
-
-2.2.1 KDC Examples
-
- This example considers the situation of a destination node
- implementing IPsec that can only obtain its Security Association
- information from a Key Distribution Center (KDC). Let the KDC
- implement both the KDC protocol and also a non-KDC key management
- protocol (e.g. ISAKMP). In such a case, each client node of the KDC
- might have its own KX record pointing at the KDC so that nodes not
- implementing the KDC protocol can still create Security Associations
- with each of the client nodes of the KDC.
-
- In the event the session initiator were not using the KDC but the
- session target was an IPsec node that only used the KDC, the
- initiator would find the KX record for the target pointing at the
-
-
-
-Atkinson Informational [Page 6]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- KDC. Then, the external key management exchange (e.g. ISAKMP) would
- be between the initiator and the KDC. Then the KDC would distribute
- the IPsec SA to the KDC-only IPsec node using the KDC. The IPsec
- traffic itself could travel directly between the initiator and the
- destination node.
-
- In the event the initiator node could only use the KDC and the target
- were not using the KDC, the initiator would send its request for a
- key to the KDC. The KDC would then initiate an external key
- management exchange (e.g. ISAKMP) with a node that the target's KX
- record(s) pointed to, on behalf of the initiator node.
-
- The target node could verify that the KDC were allowed to proxy for
- the initiator node by looking up the KX records for the initiator
- node and finding a KX record for the initiator that listed the KDC.
-
- Then the external key exchange would be performed between the KDC and
- the target node. Then the KDC would distribute the resulting IPsec
- Security Association to the initiator. Again, IPsec traffic itself
- could travel directly between the initiator and the destination.
-
-2.2.2 Dial-Up Host Example
-
- This example outlines a possible use of KX records with mobile hosts
- that dial into the network via PPP and are dynamically assigned an IP
- address and domain-name at dial-in time.
-
- Consider the situation where each mobile node is dynamically assigned
- both a domain name and an IP address at the time that node dials into
- the network. Let the policy require that each mobile node act as its
- own Key Exchanger. In this case, it is important that dial-in nodes
- use addresses from one or more well known IP subnets or address pools
- dedicated to dial-in access. If that is true, then no KX record or
- other action is needed to ensure that each node will act as its own
- Key Exchanger because lack of a KX record indicates that the node is
- its own Key Exchanger.
-
- Consider the situation where the mobile node's domain name remains
- constant but its IP address changes. Let the policy require that
- each mobile node act as its own Key Exchanger. In this case, there
- might be operational problems when another node attempts to perform a
- secure reverse DNS lookup on the IP address to determine the
- corresponding domain name. The authenticated DNS binding (in the
- form of a PTR record) between the mobile node's currently assigned IP
- address and its permanent domain name will need to be securely
- updated each time the node is assigned a new IP address. There are
- no mechanisms for accomplishing this that are both IETF-standard and
- widely deployed as of the time this note was written. Use of Dynamic
-
-
-
-Atkinson Informational [Page 7]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- DNS Update without authentication is a significant security risk and
- hence is not recommended for this situation.
-
-3. SYNTAX OF KX RECORD
-
- A KX record has the DNS TYPE of "KX" and a numeric value of 36. A KX
- record is a member of the Internet ("IN") CLASS in the DNS. Each KX
- record is associated with a <domain-name> entry in the DNS. A KX
- record has the following textual syntax:
-
- <domain-name> IN KX <preference> <domain-name>
-
- For this description, let the <domain-name> item to the left of the
- "KX" string be called <domain-name 1> and the <domain-name> item to
- the right of the "KX" string be called <domain-name 2>. <preference>
- is a non-negative integer.
-
- Internet nodes about to initiate a key exchange with <domain-name 1>
- should instead contact <domain-name 2> to initiate the key exchange
- for a security service between the initiator and <domain-name 2>. If
- more than one KX record exists for <domain-name 1>, then the
- <preference> field is used to indicate preference among the systems
- delegated to. Lower values are preferred over higher values. The
- <domain-name 2> is authorised to provide key exchange services on
- behalf of <domain-name 1>. The <domain-name 2> MUST have a CNAME
- record, an A record, or an AAAA record associated with it.
-
-3.1 KX RDATA format
-
- The KX DNS record has the following RDATA format:
-
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | PREFERENCE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / EXCHANGER /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- where:
-
- PREFERENCE A 16 bit non-negative integer which specifies the
- preference given to this RR among other KX records
- at the same owner. Lower values are preferred.
-
- EXCHANGER A <domain-name> which specifies a host willing to
- act as a mail exchange for the owner name.
-
-
-
-
-
-Atkinson Informational [Page 8]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- KX records MUST cause type A additional section processing for the
- host specified by EXCHANGER. In the event that the host processing
- the DNS transaction supports IPv6, KX records MUST also cause type
- AAAA additional section processing.
-
- The KX RDATA field MUST NOT be compressed.
-
-4. SECURITY CONSIDERATIONS
-
- KX records MUST always be signed using the method(s) defined by the
- DNS Security extensions specified in [RFC-2065]. All unsigned KX
- records MUST be ignored because of the security vulnerability caused
- by assuming that unsigned records are valid. All signed KX records
- whose signatures do not correctly validate MUST be ignored because of
- the potential security vulnerability in trusting an invalid KX
- record.
-
- KX records MUST be ignored by systems not implementing Secure DNS
- because such systems have no mechanism to authenticate the KX record.
-
- If a node does not have a permanent DNS entry and some form of
- Dynamic DNS Update is in use, then those dynamic DNS updates MUST be
- fully authenticated to prevent an adversary from injecting false DNS
- records (especially the KX, A, and PTR records) into the Domain Name
- System. If false records were inserted into the DNS without being
- signed by the Secure DNS mechanisms, then a denial-of-service attack
- results. If false records were inserted into the DNS and were
- (erroneously) signed by the signing authority, then an active attack
- results.
-
- Myriad serious security vulnerabilities can arise if the restrictions
- throuhout this document are not strictly adhered to. Implementers
- should carefully consider the openly published issues relating to DNS
- security [Bell95,Vixie95] as they build their implementations.
- Readers should also consider the security considerations discussed in
- the DNS Security Extensions document [RFC-2065].
-
-5. REFERENCES
-
-
- [RFC-1825] Atkinson, R., "IP Authentication Header", RFC 1826,
- August 1995.
-
- [RFC-1827] Atkinson, R., "IP Encapsulating Security Payload",
- RFC 1827, August 1995.
-
-
-
-
-
-
-Atkinson Informational [Page 9]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
- [Bell95] Bellovin, S., "Using the Domain Name System for System
- Break-ins", Proceedings of 5th USENIX UNIX Security
- Symposium, USENIX Association, Berkeley, CA, June 1995.
- ftp://ftp.research.att.com/dist/smb/dnshack.ps
-
- [RFC-2065] Eastlake, D., and C. Kaufman, "Domain Name System
- Security Extensions", RFC 2065, January 1997.
-
- [RFC-1510] Kohl J., and C. Neuman, "The Kerberos Network
- Authentication Service", RFC 1510, September 1993.
-
- [RFC-1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC-1034] Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034, November 1987.
-
- [Vixie95] P. Vixie, "DNS and BIND Security Issues", Proceedings of
- the 5th USENIX UNIX Security Symposium, USENIX
- Association, Berkeley, CA, June 1995.
- ftp://ftp.vix.com/pri/vixie/bindsec.psf
-
-ACKNOWLEDGEMENTS
-
- Development of this DNS record was primarily performed during 1993
- through 1995. The author's work on this was sponsored jointly by the
- Computing Systems Technology Office (CSTO) of the Advanced Research
- Projects Agency (ARPA) and by the Information Security Program Office
- (PD71E), Space & Naval Warface Systems Command (SPAWAR). In that
- era, Dave Mihelcic and others provided detailed review and
- constructive feedback. More recently, Bob Moscowitz and Todd Welch
- provided detailed review and constructive feedback of a work in
- progress version of this document.
-
-AUTHOR'S ADDRESS
-
- Randall Atkinson
- Code 5544
- Naval Research Laboratory
- 4555 Overlook Avenue, SW
- Washington, DC 20375-5337
-
- Phone: (DSN) 354-8590
- EMail: atkinson@itd.nrl.navy.mil
-
-
-
-
-
-
-
-Atkinson Informational [Page 10]
-
-RFC 2230 DNS Key Exchange Delegation Record November 1997
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1997). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implmentation may be prepared, copied, published
- andand distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Atkinson Informational [Page 11]
-
diff --git a/contrib/bind9/doc/rfc/rfc2308.txt b/contrib/bind9/doc/rfc/rfc2308.txt
deleted file mode 100644
index 9123a9527a81..000000000000
--- a/contrib/bind9/doc/rfc/rfc2308.txt
+++ /dev/null
@@ -1,1067 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Andrews
-Request for Comments: 2308 CSIRO
-Updates: 1034, 1035 March 1998
-Category: Standards Track
-
-
- Negative Caching of DNS Queries (DNS NCACHE)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-Abstract
-
- [RFC1034] provided a description of how to cache negative responses.
- It however had a fundamental flaw in that it did not allow a name
- server to hand out those cached responses to other resolvers, thereby
- greatly reducing the effect of the caching. This document addresses
- issues raise in the light of experience and replaces [RFC1034 Section
- 4.3.4].
-
- Negative caching was an optional part of the DNS specification and
- deals with the caching of the non-existence of an RRset [RFC2181] or
- domain name.
-
- Negative caching is useful as it reduces the response time for
- negative answers. It also reduces the number of messages that have
- to be sent between resolvers and name servers hence overall network
- traffic. A large proportion of DNS traffic on the Internet could be
- eliminated if all resolvers implemented negative caching. With this
- in mind negative caching should no longer be seen as an optional part
- of a DNS resolver.
-
-
-
-
-
-
-
-
-
-
-
-Andrews Standards Track [Page 1]
-
-RFC 2308 DNS NCACHE March 1998
-
-
-1 - Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
- "Negative caching" - the storage of knowledge that something does not
- exist. We can store the knowledge that a record has a particular
- value. We can also do the reverse, that is, to store the knowledge
- that a record does not exist. It is the storage of knowledge that
- something does not exist, cannot or does not give an answer that we
- call negative caching.
-
- "QNAME" - the name in the query section of an answer, or where this
- resolves to a CNAME, or CNAME chain, the data field of the last
- CNAME. The last CNAME in this sense is that which contains a value
- which does not resolve to another CNAME. Implementations should note
- that including CNAME records in responses in order, so that the first
- has the label from the query section, and then each in sequence has
- the label from the data section of the previous (where more than one
- CNAME is needed) allows the sequence to be processed in one pass, and
- considerably eases the task of the receiver. Other relevant records
- (such as SIG RRs [RFC2065]) can be interspersed amongst the CNAMEs.
-
- "NXDOMAIN" - an alternate expression for the "Name Error" RCODE as
- described in [RFC1035 Section 4.1.1] and the two terms are used
- interchangeably in this document.
-
- "NODATA" - a pseudo RCODE which indicates that the name is valid, for
- the given class, but are no records of the given type. A NODATA
- response has to be inferred from the answer.
-
- "FORWARDER" - a nameserver used to resolve queries instead of
- directly using the authoritative nameserver chain. The forwarder
- typically either has better access to the internet, or maintains a
- bigger cache which may be shared amongst many resolvers. How a
- server is identified as a FORWARDER, or knows it is a FORWARDER is
- outside the scope of this document. However if you are being used as
- a forwarder the query will have the recursion desired flag set.
-
- An understanding of [RFC1034], [RFC1035] and [RFC2065] is expected
- when reading this document.
-
-
-
-
-
-
-
-
-
-Andrews Standards Track [Page 2]
-
-RFC 2308 DNS NCACHE March 1998
-
-
-2 - Negative Responses
-
- The most common negative responses indicate that a particular RRset
- does not exist in the DNS. The first sections of this document deal
- with this case. Other negative responses can indicate failures of a
- nameserver, those are dealt with in section 7 (Other Negative
- Responses).
-
- A negative response is indicated by one of the following conditions:
-
-2.1 - Name Error
-
- Name errors (NXDOMAIN) are indicated by the presence of "Name Error"
- in the RCODE field. In this case the domain referred to by the QNAME
- does not exist. Note: the answer section may have SIG and CNAME RRs
- and the authority section may have SOA, NXT [RFC2065] and SIG RRsets.
-
- It is possible to distinguish between a referral and a NXDOMAIN
- response by the presense of NXDOMAIN in the RCODE regardless of the
- presence of NS or SOA records in the authority section.
-
- NXDOMAIN responses can be categorised into four types by the contents
- of the authority section. These are shown below along with a
- referral for comparison. Fields not mentioned are not important in
- terms of the examples.
-
- NXDOMAIN RESPONSE: TYPE 1.
-
- Header:
- RDCODE=NXDOMAIN
- Query:
- AN.EXAMPLE. A
- Answer:
- AN.EXAMPLE. CNAME TRIPPLE.XX.
- Authority:
- XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
- XX. NS NS1.XX.
- XX. NS NS2.XX.
- Additional:
- NS1.XX. A 127.0.0.2
- NS2.XX. A 127.0.0.3
-
- NXDOMAIN RESPONSE: TYPE 2.
-
- Header:
- RDCODE=NXDOMAIN
- Query:
- AN.EXAMPLE. A
-
-
-
-Andrews Standards Track [Page 3]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- Answer:
- AN.EXAMPLE. CNAME TRIPPLE.XX.
- Authority:
- XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
- Additional:
- <empty>
-
- NXDOMAIN RESPONSE: TYPE 3.
-
- Header:
- RDCODE=NXDOMAIN
- Query:
- AN.EXAMPLE. A
- Answer:
- AN.EXAMPLE. CNAME TRIPPLE.XX.
- Authority:
- <empty>
- Additional:
- <empty>
-
- NXDOMAIN RESPONSE: TYPE 4
-
- Header:
- RDCODE=NXDOMAIN
- Query:
- AN.EXAMPLE. A
- Answer:
- AN.EXAMPLE. CNAME TRIPPLE.XX.
- Authority:
- XX. NS NS1.XX.
- XX. NS NS2.XX.
- Additional:
- NS1.XX. A 127.0.0.2
- NS2.XX. A 127.0.0.3
-
- REFERRAL RESPONSE.
-
- Header:
- RDCODE=NOERROR
- Query:
- AN.EXAMPLE. A
- Answer:
- AN.EXAMPLE. CNAME TRIPPLE.XX.
- Authority:
- XX. NS NS1.XX.
- XX. NS NS2.XX.
- Additional:
- NS1.XX. A 127.0.0.2
-
-
-
-Andrews Standards Track [Page 4]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- NS2.XX. A 127.0.0.3
-
- Note, in the four examples of NXDOMAIN responses, it is known that
- the name "AN.EXAMPLE." exists, and has as its value a CNAME record.
- The NXDOMAIN refers to "TRIPPLE.XX", which is then known not to
- exist. On the other hand, in the referral example, it is shown that
- "AN.EXAMPLE" exists, and has a CNAME RR as its value, but nothing is
- known one way or the other about the existence of "TRIPPLE.XX", other
- than that "NS1.XX" or "NS2.XX" can be consulted as the next step in
- obtaining information about it.
-
- Where no CNAME records appear, the NXDOMAIN response refers to the
- name in the label of the RR in the question section.
-
-2.1.1 Special Handling of Name Error
-
- This section deals with errors encountered when implementing negative
- caching of NXDOMAIN responses.
-
- There are a large number of resolvers currently in existence that
- fail to correctly detect and process all forms of NXDOMAIN response.
- Some resolvers treat a TYPE 1 NXDOMAIN response as a referral. To
- alleviate this problem it is recommended that servers that are
- authoritative for the NXDOMAIN response only send TYPE 2 NXDOMAIN
- responses, that is the authority section contains a SOA record and no
- NS records. If a non- authoritative server sends a type 1 NXDOMAIN
- response to one of these old resolvers, the result will be an
- unnecessary query to an authoritative server. This is undesirable,
- but not fatal except when the server is being used a FORWARDER. If
- however the resolver is using the server as a FORWARDER to such a
- resolver it will be necessary to disable the sending of TYPE 1
- NXDOMAIN response to it, use TYPE 2 NXDOMAIN instead.
-
- Some resolvers incorrectly continue processing if the authoritative
- answer flag is not set, looping until the query retry threshold is
- exceeded and then returning SERVFAIL. This is a problem when your
- nameserver is listed as a FORWARDER for such resolvers. If the
- nameserver is used as a FORWARDER by such resolver, the authority
- flag will have to be forced on for NXDOMAIN responses to these
- resolvers. In practice this causes no problems even if turned on
- always, and has been the default behaviour in BIND from 4.9.3
- onwards.
-
-2.2 - No Data
-
- NODATA is indicated by an answer with the RCODE set to NOERROR and no
- relevant answers in the answer section. The authority section will
- contain an SOA record, or there will be no NS records there.
-
-
-
-Andrews Standards Track [Page 5]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- NODATA responses have to be algorithmically determined from the
- response's contents as there is no RCODE value to indicate NODATA.
- In some cases to determine with certainty that NODATA is the correct
- response it can be necessary to send another query.
-
- The authority section may contain NXT and SIG RRsets in addition to
- NS and SOA records. CNAME and SIG records may exist in the answer
- section.
-
- It is possible to distinguish between a NODATA and a referral
- response by the presence of a SOA record in the authority section or
- the absence of NS records in the authority section.
-
- NODATA responses can be categorised into three types by the contents
- of the authority section. These are shown below along with a
- referral for comparison. Fields not mentioned are not important in
- terms of the examples.
-
- NODATA RESPONSE: TYPE 1.
-
- Header:
- RDCODE=NOERROR
- Query:
- ANOTHER.EXAMPLE. A
- Answer:
- <empty>
- Authority:
- EXAMPLE. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
- EXAMPLE. NS NS1.XX.
- EXAMPLE. NS NS2.XX.
- Additional:
- NS1.XX. A 127.0.0.2
- NS2.XX. A 127.0.0.3
-
- NO DATA RESPONSE: TYPE 2.
-
- Header:
- RDCODE=NOERROR
- Query:
- ANOTHER.EXAMPLE. A
- Answer:
- <empty>
- Authority:
- EXAMPLE. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
- Additional:
- <empty>
-
-
-
-
-
-Andrews Standards Track [Page 6]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- NO DATA RESPONSE: TYPE 3.
-
- Header:
- RDCODE=NOERROR
- Query:
- ANOTHER.EXAMPLE. A
- Answer:
- <empty>
- Authority:
- <empty>
- Additional:
- <empty>
-
- REFERRAL RESPONSE.
-
- Header:
- RDCODE=NOERROR
- Query:
- ANOTHER.EXAMPLE. A
- Answer:
- <empty>
- Authority:
- EXAMPLE. NS NS1.XX.
- EXAMPLE. NS NS2.XX.
- Additional:
- NS1.XX. A 127.0.0.2
- NS2.XX. A 127.0.0.3
-
-
- These examples, unlike the NXDOMAIN examples above, have no CNAME
- records, however they could, in just the same way that the NXDOMAIN
- examples did, in which case it would be the value of the last CNAME
- (the QNAME) for which NODATA would be concluded.
-
-2.2.1 - Special Handling of No Data
-
- There are a large number of resolvers currently in existence that
- fail to correctly detect and process all forms of NODATA response.
- Some resolvers treat a TYPE 1 NODATA response as a referral. To
- alleviate this problem it is recommended that servers that are
- authoritative for the NODATA response only send TYPE 2 NODATA
- responses, that is the authority section contains a SOA record and no
- NS records. Sending a TYPE 1 NODATA response from a non-
- authoritative server to one of these resolvers will only result in an
- unnecessary query. If a server is listed as a FORWARDER for another
- resolver it may also be necessary to disable the sending of TYPE 1
- NODATA response for non-authoritative NODATA responses.
-
-
-
-
-Andrews Standards Track [Page 7]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- Some name servers fail to set the RCODE to NXDOMAIN in the presence
- of CNAMEs in the answer section. If a definitive NXDOMAIN / NODATA
- answer is required in this case the resolver must query again using
- the QNAME as the query label.
-
-3 - Negative Answers from Authoritative Servers
-
- Name servers authoritative for a zone MUST include the SOA record of
- the zone in the authority section of the response when reporting an
- NXDOMAIN or indicating that no data of the requested type exists.
- This is required so that the response may be cached. The TTL of this
- record is set from the minimum of the MINIMUM field of the SOA record
- and the TTL of the SOA itself, and indicates how long a resolver may
- cache the negative answer. The TTL SIG record associated with the
- SOA record should also be trimmed in line with the SOA's TTL.
-
- If the containing zone is signed [RFC2065] the SOA and appropriate
- NXT and SIG records MUST be added.
-
-4 - SOA Minimum Field
-
- The SOA minimum field has been overloaded in the past to have three
- different meanings, the minimum TTL value of all RRs in a zone, the
- default TTL of RRs which did not contain a TTL value and the TTL of
- negative responses.
-
- Despite being the original defined meaning, the first of these, the
- minimum TTL value of all RRs in a zone, has never in practice been
- used and is hereby deprecated.
-
- The second, the default TTL of RRs which contain no explicit TTL in
- the master zone file, is relevant only at the primary server. After
- a zone transfer all RRs have explicit TTLs and it is impossible to
- determine whether the TTL for a record was explicitly set or derived
- from the default after a zone transfer. Where a server does not
- require RRs to include the TTL value explicitly, it should provide a
- mechanism, not being the value of the MINIMUM field of the SOA
- record, from which the missing TTL values are obtained. How this is
- done is implementation dependent.
-
- The Master File format [RFC 1035 Section 5] is extended to include
- the following directive:
-
- $TTL <TTL> [comment]
-
-
-
-
-
-
-
-Andrews Standards Track [Page 8]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- All resource records appearing after the directive, and which do not
- explicitly include a TTL value, have their TTL set to the TTL given
- in the $TTL directive. SIG records without a explicit TTL get their
- TTL from the "original TTL" of the SIG record [RFC 2065 Section 4.5].
-
- The remaining of the current meanings, of being the TTL to be used
- for negative responses, is the new defined meaning of the SOA minimum
- field.
-
-5 - Caching Negative Answers
-
- Like normal answers negative answers have a time to live (TTL). As
- there is no record in the answer section to which this TTL can be
- applied, the TTL must be carried by another method. This is done by
- including the SOA record from the zone in the authority section of
- the reply. When the authoritative server creates this record its TTL
- is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.
- This TTL decrements in a similar manner to a normal cached answer and
- upon reaching zero (0) indicates the cached negative answer MUST NOT
- be used again.
-
- A negative answer that resulted from a name error (NXDOMAIN) should
- be cached such that it can be retrieved and returned in response to
- another query for the same <QNAME, QCLASS> that resulted in the
- cached negative response.
-
- A negative answer that resulted from a no data error (NODATA) should
- be cached such that it can be retrieved and returned in response to
- another query for the same <QNAME, QTYPE, QCLASS> that resulted in
- the cached negative response.
-
- The NXT record, if it exists in the authority section of a negative
- answer received, MUST be stored such that it can be be located and
- returned with SOA record in the authority section, as should any SIG
- records in the authority section. For NXDOMAIN answers there is no
- "necessary" obvious relationship between the NXT records and the
- QNAME. The NXT record MUST have the same owner name as the query
- name for NODATA responses.
-
- Negative responses without SOA records SHOULD NOT be cached as there
- is no way to prevent the negative responses looping forever between a
- pair of servers even with a short TTL.
-
- Despite the DNS forming a tree of servers, with various mis-
- configurations it is possible to form a loop in the query graph, e.g.
- two servers listing each other as forwarders, various lame server
- configurations. Without a TTL count down a cache negative response
-
-
-
-
-Andrews Standards Track [Page 9]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- when received by the next server would have its TTL reset. This
- negative indication could then live forever circulating between the
- servers involved.
-
- As with caching positive responses it is sensible for a resolver to
- limit for how long it will cache a negative response as the protocol
- supports caching for up to 68 years. Such a limit should not be
- greater than that applied to positive answers and preferably be
- tunable. Values of one to three hours have been found to work well
- and would make sensible a default. Values exceeding one day have
- been found to be problematic.
-
-6 - Negative answers from the cache
-
- When a server, in answering a query, encounters a cached negative
- response it MUST add the cached SOA record to the authority section
- of the response with the TTL decremented by the amount of time it was
- stored in the cache. This allows the NXDOMAIN / NODATA response to
- time out correctly.
-
- If a NXT record was cached along with SOA record it MUST be added to
- the authority section. If a SIG record was cached along with a NXT
- record it SHOULD be added to the authority section.
-
- As with all answers coming from the cache, negative answers SHOULD
- have an implicit referral built into the answer. This enables the
- resolver to locate an authoritative source. An implicit referral is
- characterised by NS records in the authority section referring the
- resolver towards a authoritative source. NXDOMAIN types 1 and 4
- responses contain implicit referrals as does NODATA type 1 response.
-
-7 - Other Negative Responses
-
- Caching of other negative responses is not covered by any existing
- RFC. There is no way to indicate a desired TTL in these responses.
- Care needs to be taken to ensure that there are not forwarding loops.
-
-7.1 Server Failure (OPTIONAL)
-
- Server failures fall into two major classes. The first is where a
- server can determine that it has been misconfigured for a zone. This
- may be where it has been listed as a server, but not configured to be
- a server for the zone, or where it has been configured to be a server
- for the zone, but cannot obtain the zone data for some reason. This
- can occur either because the zone file does not exist or contains
- errors, or because another server from which the zone should have
- been available either did not respond or was unable or unwilling to
- supply the zone.
-
-
-
-Andrews Standards Track [Page 10]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- The second class is where the server needs to obtain an answer from
- elsewhere, but is unable to do so, due to network failures, other
- servers that don't reply, or return server failure errors, or
- similar.
-
- In either case a resolver MAY cache a server failure response. If it
- does so it MUST NOT cache it for longer than five (5) minutes, and it
- MUST be cached against the specific query tuple <query name, type,
- class, server IP address>.
-
-7.2 Dead / Unreachable Server (OPTIONAL)
-
- Dead / Unreachable servers are servers that fail to respond in any
- way to a query or where the transport layer has provided an
- indication that the server does not exist or is unreachable. A
- server may be deemed to be dead or unreachable if it has not
- responded to an outstanding query within 120 seconds.
-
- Examples of transport layer indications are:
-
- ICMP error messages indicating host, net or port unreachable.
- TCP resets
- IP stack error messages providing similar indications to those above.
-
- A server MAY cache a dead server indication. If it does so it MUST
- NOT be deemed dead for longer than five (5) minutes. The indication
- MUST be stored against query tuple <query name, type, class, server
- IP address> unless there was a transport layer indication that the
- server does not exist, in which case it applies to all queries to
- that specific IP address.
-
-8 - Changes from RFC 1034
-
- Negative caching in resolvers is no-longer optional, if a resolver
- caches anything it must also cache negative answers.
-
- Non-authoritative negative answers MAY be cached.
-
- The SOA record from the authority section MUST be cached. Name error
- indications must be cached against the tuple <query name, QCLASS>.
- No data indications must be cached against <query name, QTYPE,
- QCLASS> tuple.
-
- A cached SOA record must be added to the response. This was
- explicitly not allowed because previously the distinction between a
- normal cached SOA record, and the SOA cached as a result of a
- negative response was not made, and simply extracting a normal cached
- SOA and adding that to a cached negative response causes problems.
-
-
-
-Andrews Standards Track [Page 11]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- The $TTL TTL directive was added to the master file format.
-
-9 - History of Negative Caching
-
- This section presents a potted history of negative caching in the DNS
- and forms no part of the technical specification of negative caching.
-
- It is interesting to note that the same concepts were re-invented in
- both the CHIVES and BIND servers.
-
- The history of the early CHIVES work (Section 9.1) was supplied by
- Rob Austein <sra@epilogue.com> and is reproduced here in the form in
- which he supplied it [MPA].
-
- Sometime around the spring of 1985, I mentioned to Paul Mockapetris
- that our experience with his JEEVES DNS resolver had pointed out the
- need for some kind of negative caching scheme. Paul suggested that
- we simply cache authoritative errors, using the SOA MINIMUM value for
- the zone that would have contained the target RRs. I'm pretty sure
- that this conversation took place before RFC-973 was written, but it
- was never clear to me whether this idea was something that Paul came
- up with on the spot in response to my question or something he'd
- already been planning to put into the document that became RFC-973.
- In any case, neither of us was entirely sure that the SOA MINIMUM
- value was really the right metric to use, but it was available and
- was under the control of the administrator of the target zone, both
- of which seemed to us at the time to be important feature.
-
- Late in 1987, I released the initial beta-test version of CHIVES, the
- DNS resolver I'd written to replace Paul's JEEVES resolver. CHIVES
- included a search path mechanism that was used pretty heavily at
- several sites (including my own), so CHIVES also included a negative
- caching mechanism based on SOA MINIMUM values. The basic strategy
- was to cache authoritative error codes keyed by the exact query
- parameters (QNAME, QCLASS, and QTYPE), with a cache TTL equal to the
- SOA MINIMUM value. CHIVES did not attempt to track down SOA RRs if
- they weren't supplied in the authoritative response, so it never
- managed to completely eliminate the gratuitous DNS error message
- traffic, but it did help considerably. Keep in mind that this was
- happening at about the same time as the near-collapse of the ARPANET
- due to congestion caused by exponential growth and the the "old"
- (pre-VJ) TCP retransmission algorithm, so negative caching resulted
- in drasticly better DNS response time for our users, mailer daemons,
- etcetera.
-
-
-
-
-
-
-
-Andrews Standards Track [Page 12]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- As far as I know, CHIVES was the first resolver to implement negative
- caching. CHIVES was developed during the twilight years of TOPS-20,
- so it never ran on very many machines, but the few machines that it
- did run on were the ones that were too critical to shut down quickly
- no matter how much it cost to keep them running. So what few users
- we did have tended to drive CHIVES pretty hard. Several interesting
- bits of DNS technology resulted from that, but the one that's
- relevant here is the MAXTTL configuration parameter.
-
- Experience with JEEVES had already shown that RRs often showed up
- with ridiculously long TTLs (99999999 was particularly popular for
- many years, due to bugs in the code and documentation of several
- early versions of BIND), and that robust software that blindly
- believed such TTLs could create so many strange failures that it was
- often necessary to reboot the resolver frequently just to clear this
- garbage out of the cache. So CHIVES had a configuration parameter
- "MAXTTL", which specified the maximum "reasonable" TTL in a received
- RR. RRs with TTLs greater than MAXTTL would either have their TTLs
- reduced to MAXTTL or would be discarded entirely, depending on the
- setting of another configuration parameter.
-
- When we started getting field experience with CHIVES's negative
- caching code, it became clear that the SOA MINIMUM value was often
- large enough to cause the same kinds of problems for negative caching
- as the huge TTLs in RRs had for normal caching (again, this was in
- part due to a bug in several early versions of BIND, where a
- secondary server would authoritatively deny all knowledge of its
- zones if it couldn't contact the primaries on reboot). So we started
- running the negative cache TTLs through the MAXTTL check too, and
- continued to experiment.
-
- The configuration that seemed to work best on WSMR-SIMTEL20.ARMY.MIL
- (last of the major Internet TOPS-20 machines to be shut down, thus
- the last major user of CHIVES, thus the place where we had the
- longest experimental baseline) was to set MAXTTL to about three days.
- Most of the traffic initiated by SIMTEL20 in its last years was
- mail-related, and the mail queue timeout was set to one week, so this
- gave a "stuck" message several tries at complete DNS resolution,
- without bogging down the system with a lot of useless queries. Since
- (for reasons that now escape me) we only had the single MAXTTL
- parameter rather than separate ones for positive and negative
- caching, it's not clear how much effect this setting of MAXTTL had on
- the negative caching code.
-
- CHIVES also included a second, somewhat controversial mechanism which
- took the place of negative caching in some cases. The CHIVES
- resolver daemon could be configured to load DNS master files, giving
- it the ability to act as what today would be called a "stealth
-
-
-
-Andrews Standards Track [Page 13]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- secondary". That is, when configured in this way, the resolver had
- direct access to authoritative information for heavily-used zones.
- The search path mechanisms in CHIVES reflected this: there were
- actually two separate search paths, one of which only searched local
- authoritative zone data, and one which could generate normal
- iterative queries. This cut down on the need for negative caching in
- cases where usage was predictably heavy (e.g., the resolver on
- XX.LCS.MIT.EDU always loaded the zone files for both LCS.MIT.EDU and
- AI.MIT.EDU and put both of these suffixes into the "local" search
- path, since between them the hosts in these two zones accounted for
- the bulk of the DNS traffic). Not all sites running CHIVES chose to
- use this feature; C.CS.CMU.EDU, for example, chose to use the
- "remote" search path for everything because there were too many
- different sub-zones at CMU for zone shadowing to be practical for
- them, so they relied pretty heavily on negative caching even for
- local traffic.
-
- Overall, I still think the basic design we used for negative caching
- was pretty reasonable: the zone administrator specified how long to
- cache negative answers, and the resolver configuration chose the
- actual cache time from the range between zero and the period
- specified by the zone administrator. There are a lot of details I'd
- do differently now (like using a new SOA field instead of overloading
- the MINIMUM field), but after more than a decade, I'd be more worried
- if we couldn't think of at least a few improvements.
-
-9.2 BIND
-
- While not the first attempt to get negative caching into BIND, in
- July 1993, BIND 4.9.2 ALPHA, Anant Kumar of ISI supplied code that
- implemented, validation and negative caching (NCACHE). This code had
- a 10 minute TTL for negative caching and only cached the indication
- that there was a negative response, NXDOMAIN or NOERROR_NODATA. This
- is the origin of the NODATA pseudo response code mentioned above.
-
- Mark Andrews of CSIRO added code (RETURNSOA) that stored the SOA
- record such that it could be retrieved by a similar query. UUnet
- complained that they were getting old answers after loading a new
- zone, and the option was turned off, BIND 4.9.3-alpha5, April 1994.
- In reality this indicated that the named needed to purge the space
- the zone would occupy. Functionality to do this was added in BIND
- 4.9.3 BETA11 patch2, December 1994.
-
- RETURNSOA was re-enabled by default, BIND 4.9.5-T1A, August 1996.
-
-
-
-
-
-
-
-Andrews Standards Track [Page 14]
-
-RFC 2308 DNS NCACHE March 1998
-
-
-10 Example
-
- The following example is based on a signed zone that is empty apart
- from the nameservers. We will query for WWW.XX.EXAMPLE showing
- initial response and again 10 minutes later. Note 1: during the
- intervening 10 minutes the NS records for XX.EXAMPLE have expired.
- Note 2: the TTL of the SIG records are not explicitly set in the zone
- file and are hence the TTL of the RRset they are the signature for.
-
- Zone File:
-
- $TTL 86400
- $ORIGIN XX.EXAMPLE.
- @ IN SOA NS1.XX.EXAMPLE. HOSTMATER.XX.EXAMPLE. (
- 1997102000 ; serial
- 1800 ; refresh (30 mins)
- 900 ; retry (15 mins)
- 604800 ; expire (7 days)
- 1200 ) ; minimum (20 mins)
- IN SIG SOA ...
- 1200 IN NXT NS1.XX.EXAMPLE. A NXT SIG SOA NS KEY
- IN SIG NXT ... XX.EXAMPLE. ...
- 300 IN NS NS1.XX.EXAMPLE.
- 300 IN NS NS2.XX.EXAMPLE.
- IN SIG NS ... XX.EXAMPLE. ...
- IN KEY 0x4100 1 1 ...
- IN SIG KEY ... XX.EXAMPLE. ...
- IN SIG KEY ... EXAMPLE. ...
- NS1 IN A 10.0.0.1
- IN SIG A ... XX.EXAMPLE. ...
- 1200 IN NXT NS2.XX.EXAMPLE. A NXT SIG
- IN SIG NXT ...
- NS2 IN A 10.0.0.2
- IN SIG A ... XX.EXAMPLE. ...
- 1200 IN NXT XX.EXAMPLE. A NXT SIG
- IN SIG NXT ... XX.EXAMPLE. ...
-
- Initial Response:
-
- Header:
- RDCODE=NXDOMAIN, AA=1, QR=1, TC=0
- Query:
- WWW.XX.EXAMPLE. IN A
- Answer:
- <empty>
- Authority:
- XX.EXAMPLE. 1200 IN SOA NS1.XX.EXAMPLE. ...
- XX.EXAMPLE. 1200 IN SIG SOA ... XX.EXAMPLE. ...
-
-
-
-Andrews Standards Track [Page 15]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- NS2.XX.EXAMPLE. 1200 IN NXT XX.EXAMPLE. NXT A NXT SIG
- NS2.XX.EXAMPLE. 1200 IN SIG NXT ... XX.EXAMPLE. ...
- XX.EXAMPLE. 86400 IN NS NS1.XX.EXAMPLE.
- XX.EXAMPLE. 86400 IN NS NS2.XX.EXAMPLE.
- XX.EXAMPLE. 86400 IN SIG NS ... XX.EXAMPLE. ...
- Additional
- XX.EXAMPLE. 86400 IN KEY 0x4100 1 1 ...
- XX.EXAMPLE. 86400 IN SIG KEY ... EXAMPLE. ...
- NS1.XX.EXAMPLE. 86400 IN A 10.0.0.1
- NS1.XX.EXAMPLE. 86400 IN SIG A ... XX.EXAMPLE. ...
- NS2.XX.EXAMPLE. 86400 IN A 10.0.0.2
- NS3.XX.EXAMPLE. 86400 IN SIG A ... XX.EXAMPLE. ...
-
- After 10 Minutes:
-
- Header:
- RDCODE=NXDOMAIN, AA=0, QR=1, TC=0
- Query:
- WWW.XX.EXAMPLE. IN A
- Answer:
- <empty>
- Authority:
- XX.EXAMPLE. 600 IN SOA NS1.XX.EXAMPLE. ...
- XX.EXAMPLE. 600 IN SIG SOA ... XX.EXAMPLE. ...
- NS2.XX.EXAMPLE. 600 IN NXT XX.EXAMPLE. NXT A NXT SIG
- NS2.XX.EXAMPLE. 600 IN SIG NXT ... XX.EXAMPLE. ...
- EXAMPLE. 65799 IN NS NS1.YY.EXAMPLE.
- EXAMPLE. 65799 IN NS NS2.YY.EXAMPLE.
- EXAMPLE. 65799 IN SIG NS ... XX.EXAMPLE. ...
- Additional
- XX.EXAMPLE. 65800 IN KEY 0x4100 1 1 ...
- XX.EXAMPLE. 65800 IN SIG KEY ... EXAMPLE. ...
- NS1.YY.EXAMPLE. 65799 IN A 10.100.0.1
- NS1.YY.EXAMPLE. 65799 IN SIG A ... EXAMPLE. ...
- NS2.YY.EXAMPLE. 65799 IN A 10.100.0.2
- NS3.YY.EXAMPLE. 65799 IN SIG A ... EXAMPLE. ...
- EXAMPLE. 65799 IN KEY 0x4100 1 1 ...
- EXAMPLE. 65799 IN SIG KEY ... . ...
-
-
-11 Security Considerations
-
- It is believed that this document does not introduce any significant
- additional security threats other that those that already exist when
- using data from the DNS.
-
-
-
-
-
-
-Andrews Standards Track [Page 16]
-
-RFC 2308 DNS NCACHE March 1998
-
-
- With negative caching it might be possible to propagate a denial of
- service attack by spreading a NXDOMAIN message with a very high TTL.
- Without negative caching that would be much harder. A similar effect
- could be achieved previously by spreading a bad A record, so that the
- server could not be reached - which is almost the same. It has the
- same effect as far as what the end user is able to do, but with a
- different psychological effect. With the bad A, I feel "damn the
- network is broken again" and try again tomorrow. With the "NXDOMAIN"
- I feel "Oh, they've turned off the server and it doesn't exist any
- more" and probably never bother trying this server again.
-
- A practical example of this is a SMTP server where this behaviour is
- encoded. With a NXDOMAIN attack the mail message would bounce
- immediately, where as with a bad A attack the mail would be queued
- and could potentially get through after the attack was suspended.
-
- For such an attack to be successful, the NXDOMAIN indiction must be
- injected into a parent server (or a busy caching resolver). One way
- this might be done by the use of a CNAME which results in the parent
- server querying an attackers server. Resolvers that wish to prevent
- such attacks can query again the final QNAME ignoring any NS data in
- the query responses it has received for this query.
-
- Implementing TTL sanity checking will reduce the effectiveness of
- such an attack, because a successful attack would require re-
- injection of the bogus data at more frequent intervals.
-
- DNS Security [RFC2065] provides a mechanism to verify whether a
- negative response is valid or not, through the use of NXT and SIG
- records. This document supports the use of that mechanism by
- promoting the transmission of the relevant security records even in a
- non security aware server.
-
-Acknowledgments
-
- I would like to thank Rob Austein for his history of the CHIVES
- nameserver. The DNSIND working group, in particular Robert Elz for
- his valuable technical and editorial contributions to this document.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Andrews Standards Track [Page 17]
-
-RFC 2308 DNS NCACHE March 1998
-
-
-References
-
- [RFC1034]
- Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES,"
- STD 13, RFC 1034, November 1987.
-
- [RFC1035]
- Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
- SPECIFICATION," STD 13, RFC 1035, November 1987.
-
- [RFC2065]
- Eastlake, D., and C. Kaufman, "Domain Name System Security
- Extensions," RFC 2065, January 1997.
-
- [RFC2119]
- Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels," BCP 14, RFC 2119, March 1997.
-
- [RFC2181]
- Elz, R., and R. Bush, "Clarifications to the DNS
- Specification," RFC 2181, July 1997.
-
-Author's Address
-
- Mark Andrews
- CSIRO - Mathematical and Information Sciences
- Locked Bag 17
- North Ryde NSW 2113
- AUSTRALIA
-
- Phone: +61 2 9325 3148
- EMail: Mark.Andrews@cmis.csiro.au
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Andrews Standards Track [Page 18]
-
-RFC 2308 DNS NCACHE March 1998
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Andrews Standards Track [Page 19]
-
diff --git a/contrib/bind9/doc/rfc/rfc2317.txt b/contrib/bind9/doc/rfc/rfc2317.txt
deleted file mode 100644
index c17bb41f29f3..000000000000
--- a/contrib/bind9/doc/rfc/rfc2317.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group H. Eidnes
-Request for Comments: 2317 SINTEF RUNIT
-BCP: 20 G. de Groot
-Category: Best Current Practice Berkeley Software Design, Inc.
- P. Vixie
- Internet Software Consortium
- March 1998
-
-
- Classless IN-ADDR.ARPA delegation
-
-Status of this Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-2. Introduction
-
- This document describes a way to do IN-ADDR.ARPA delegation on non-
- octet boundaries for address spaces covering fewer than 256
- addresses. The proposed method should thus remove one of the
- objections to subnet on non-octet boundaries but perhaps more
- significantly, make it possible to assign IP address space in smaller
- chunks than 24-bit prefixes, without losing the ability to delegate
- authority for the corresponding IN-ADDR.ARPA mappings. The proposed
- method is fully compatible with the original DNS lookup mechanisms
- specified in [1], i.e. there is no need to modify the lookup
- algorithm used, and there should be no need to modify any software
- which does DNS lookups.
-
- The document also discusses some operational considerations to
- provide some guidance in implementing this method.
-
-3. Motivation
-
- With the proliferation of classless routing technology, it has become
- feasible to assign address space on non-octet boundaries. In case of
- a very small organization with only a few hosts, assigning a full
- 24-bit prefix (what was traditionally referred to as a "class C
- network number") often leads to inefficient address space
- utilization.
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 1]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
- One of the problems encountered when assigning a longer prefix (less
- address space) is that it seems impossible for such an organization
- to maintain its own reverse ("IN-ADDR.ARPA") zone autonomously. By
- use of the reverse delegation method described below, the most
- important objection to assignment of longer prefixes to unrelated
- organizations can be removed.
-
- Let us assume we have assigned the address spaces to three different
- parties as follows:
-
- 192.0.2.0/25 to organization A
- 192.0.2.128/26 to organization B
- 192.0.2.192/26 to organization C
-
- In the classical approach, this would lead to a single zone like
- this:
-
- $ORIGIN 2.0.192.in-addr.arpa.
- ;
- 1 PTR host1.A.domain.
- 2 PTR host2.A.domain.
- 3 PTR host3.A.domain.
- ;
- 129 PTR host1.B.domain.
- 130 PTR host2.B.domain.
- 131 PTR host3.B.domain.
- ;
- 193 PTR host1.C.domain.
- 194 PTR host2.C.domain.
- 195 PTR host3.C.domain.
-
- The administration of this zone is problematic. Authority for this
- zone can only be delegated once, and this usually translates into
- "this zone can only be administered by one organization." The other
- organizations with address space that corresponds to entries in this
- zone would thus have to depend on another organization for their
- address to name translation. With the proposed method, this
- potential problem can be avoided.
-
-4. Classless IN-ADDR.ARPA delegation
-
- Since a single zone can only be delegated once, we need more points
- to do delegation on to solve the problem above. These extra points
- of delegation can be introduced by extending the IN-ADDR.ARPA tree
- downwards, e.g. by using the first address or the first address and
- the network mask length (as shown below) in the corresponding address
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 2]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
- space to form the the first component in the name for the zones. The
- following four zone files show how the problem in the motivation
- section could be solved using this method.
-
- $ORIGIN 2.0.192.in-addr.arpa.
- @ IN SOA my-ns.my.domain. hostmaster.my.domain. (...)
- ;...
- ; <<0-127>> /25
- 0/25 NS ns.A.domain.
- 0/25 NS some.other.name.server.
- ;
- 1 CNAME 1.0/25.2.0.192.in-addr.arpa.
- 2 CNAME 2.0/25.2.0.192.in-addr.arpa.
- 3 CNAME 3.0/25.2.0.192.in-addr.arpa.
- ;
- ; <<128-191>> /26
- 128/26 NS ns.B.domain.
- 128/26 NS some.other.name.server.too.
- ;
- 129 CNAME 129.128/26.2.0.192.in-addr.arpa.
- 130 CNAME 130.128/26.2.0.192.in-addr.arpa.
- 131 CNAME 131.128/26.2.0.192.in-addr.arpa.
- ;
- ; <<192-255>> /26
- 192/26 NS ns.C.domain.
- 192/26 NS some.other.third.name.server.
- ;
- 193 CNAME 193.192/26.2.0.192.in-addr.arpa.
- 194 CNAME 194.192/26.2.0.192.in-addr.arpa.
- 195 CNAME 195.192/26.2.0.192.in-addr.arpa.
-
- $ORIGIN 0/25.2.0.192.in-addr.arpa.
- @ IN SOA ns.A.domain. hostmaster.A.domain. (...)
- @ NS ns.A.domain.
- @ NS some.other.name.server.
- ;
- 1 PTR host1.A.domain.
- 2 PTR host2.A.domain.
- 3 PTR host3.A.domain.
-
-
-
-
-
-
-
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 3]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
- $ORIGIN 128/26.2.0.192.in-addr.arpa.
- @ IN SOA ns.B.domain. hostmaster.B.domain. (...)
- @ NS ns.B.domain.
- @ NS some.other.name.server.too.
- ;
- 129 PTR host1.B.domain.
- 130 PTR host2.B.domain.
- 131 PTR host3.B.domain.
-
-
- $ORIGIN 192/26.2.0.192.in-addr.arpa.
- @ IN SOA ns.C.domain. hostmaster.C.domain. (...)
- @ NS ns.C.domain.
- @ NS some.other.third.name.server.
- ;
- 193 PTR host1.C.domain.
- 194 PTR host2.C.domain.
- 195 PTR host3.C.domain.
-
- For each size-256 chunk split up using this method, there is a need
- to install close to 256 CNAME records in the parent zone. Some
- people might view this as ugly; we will not argue that particular
- point. It is however quite easy to automatically generate the CNAME
- resource records in the parent zone once and for all, if the way the
- address space is partitioned is known.
-
- The advantage of this approach over the other proposed approaches for
- dealing with this problem is that there should be no need to modify
- any already-deployed software. In particular, the lookup mechanism
- in the DNS does not have to be modified to accommodate this splitting
- of the responsibility for the IPv4 address to name translation on
- "non-dot" boundaries. Furthermore, this technique has been in use
- for several years in many installations, apparently with no ill
- effects.
-
- As usual, a resource record like
-
- $ORIGIN 2.0.192.in-addr.arpa.
- 129 CNAME 129.128/26.2.0.192.in-addr.arpa.
-
- can be convienently abbreviated to
-
- $ORIGIN 2.0.192.in-addr.arpa.
- 129 CNAME 129.128/26
-
-
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 4]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
- Some DNS implementations are not kind to special characters in domain
- names, e.g. the "/" used in the above examples. As [3] makes clear,
- these are legal, though some might feel unsightly. Because these are
- not host names the restriction of [2] does not apply. Modern clients
- and servers have an option to act in the liberal and correct fashion.
-
- The examples here use "/" because it was felt to be more visible and
- pedantic reviewers felt that the 'these are not hostnames' argument
- needed to be repeated. We advise you not to be so pedantic, and to
- not precisely copy the above examples, e.g. substitute a more
- conservative character, such as hyphen, for "/".
-
-5. Operational considerations
-
- This technique is intended to be used for delegating address spaces
- covering fewer than 256 addresses. For delegations covering larger
- blocks of addresses the traditional methods (multiple delegations)
- can be used instead.
-
-5.1 Recommended secondary name service
-
- Some older versions of name server software will make no effort to
- find and return the pointed-to name in CNAME records if the pointed-
- to name is not already known locally as cached or as authoritative
- data. This can cause some confusion in resolvers, as only the CNAME
- record will be returned in the response. To avoid this problem it is
- recommended that the authoritative name servers for the delegating
- zone (the zone containing all the CNAME records) all run as slave
- (secondary) name servers for the "child" zones delegated and pointed
- into via the CNAME records.
-
-5.2 Alternative naming conventions
-
- As a result of this method, the location of the zone containing the
- actual PTR records is no longer predefined. This gives flexibility
- and some examples will be presented here.
-
- An alternative to using the first address, or the first address and
- the network mask length in the corresponding address space, to name
- the new zones is to use some other (non-numeric) name. Thus it is
- also possible to point to an entirely different part of the DNS tree
- (i.e. outside of the IN-ADDR.ARPA tree). It would be necessary to
- use one of these alternate methods if two organizations somehow
- shared the same physical subnet (and corresponding IP address space)
- with no "neat" alignment of the addresses, but still wanted to
- administrate their own IN-ADDR.ARPA mappings.
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 5]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
- The following short example shows how you can point out of the IN-
- ADDR.ARPA tree:
-
- $ORIGIN 2.0.192.in-addr.arpa.
- @ IN SOA my-ns.my.domain. hostmaster.my.domain. (...)
- ; ...
- 1 CNAME 1.A.domain.
- 2 CNAME 2.A.domain.
- ; ...
- 129 CNAME 129.B.domain.
- 130 CNAME 130.B.domain.
- ;
-
-
- $ORIGIN A.domain.
- @ IN SOA my-ns.A.domain. hostmaster.A.domain. (...)
- ; ...
- ;
- host1 A 192.0.2.1
- 1 PTR host1
- ;
- host2 A 192.0.2.2
- 2 PTR host2
- ;
-
- etc.
-
- This way you can actually end up with the name->address and the
- (pointed-to) address->name mapping data in the same zone file - some
- may view this as an added bonus as no separate set of secondaries for
- the reverse zone is required. Do however note that the traversal via
- the IN-ADDR.ARPA tree will still be done, so the CNAME records
- inserted there need to point in the right direction for this to work.
-
- Sketched below is an alternative approach using the same solution:
-
- $ORIGIN 2.0.192.in-addr.arpa.
- @ SOA my-ns.my.domain. hostmaster.my.domain. (...)
- ; ...
- 1 CNAME 1.2.0.192.in-addr.A.domain.
- 2 CNAME 2.2.0.192.in-addr.A.domain.
-
- $ORIGIN A.domain.
- @ SOA my-ns.A.domain. hostmaster.A.domain. (...)
- ; ...
- ;
- host1 A 192.0.2.1
- 1.2.0.192.in-addr PTR host1
-
-
-
-Eidnes, et. al. Best Current Practice [Page 6]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
- host2 A 192.0.2.2
- 2.2.0.192.in-addr PTR host2
-
- It is clear that many possibilities exist which can be adapted to the
- specific requirements of the situation at hand.
-
-5.3 Other operational issues
-
- Note that one cannot provide CNAME referrals twice for the same
- address space, i.e. you cannot allocate a /25 prefix to one
- organisation, and run IN-ADDR.ARPA this way, and then have the
- organisation subnet the /25 into longer prefixes, and attempt to
- employ the same technique to give each subnet control of its own
- number space. This would result in a CNAME record pointing to a CNAME
- record, which may be less robust overall.
-
- Unfortunately, some old beta releases of the popular DNS name server
- implementation BIND 4.9.3 had a bug which caused problems if a CNAME
- record was encountered when a reverse lookup was made. The beta
- releases involved have since been obsoleted, and this issue is
- resolved in the released code. Some software manufacturers have
- included the defective beta code in their product. In the few cases
- we know of, patches from the manufacturers are available or planned
- to replace the obsolete beta code involved.
-
-6. Security Considerations
-
- With this scheme, the "leaf sites" will need to rely on one more site
- running their DNS name service correctly than they would be if they
- had a /24 allocation of their own, and this may add an extra
- component which will need to work for reliable name resolution.
-
- Other than that, the authors are not aware of any additional security
- issues introduced by this mechanism.
-
-7. Conclusion
-
- The suggested scheme gives more flexibility in delegating authority
- in the IN-ADDR.ARPA domain, thus making it possible to assign address
- space more efficiently without losing the ability to delegate the DNS
- authority over the corresponding address to name mappings.
-
-8. Acknowledgments
-
- Glen A. Herrmannsfeldt described this trick on comp.protocols.tcp-
- ip.domains some time ago. Alan Barrett and Sam Wilson provided
- valuable comments on the newsgroup.
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 7]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
- We would like to thank Rob Austein, Randy Bush, Matt Crawford, Robert
- Elz, Glen A. Herrmannsfeldt, Daniel Karrenberg, David Kessens, Tony
- Li, Paul Mockapetris, Eric Wassenaar, Michael Patton, Hans Maurer,
- and Peter Koch for their review and constructive comments.
-
-9. References
-
- [1] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [2] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet Host
- Table Specification", RFC 952, October 1985.
-
- [3] Elz, R., and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 8]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
-10. Authors' Addresses
-
- Havard Eidnes
- SINTEF RUNIT
- N-7034 Trondheim
- Norway
-
- Phone: +47 73 59 44 68
- Fax: +47 73 59 17 00
- EMail: Havard.Eidnes@runit.sintef.no
-
-
- Geert Jan de Groot
- Berkeley Software Design, Inc. (BSDI)
- Hendrik Staetslaan 69
- 5622 HM Eindhoven
- The Netherlands
-
- Phone: +31 40 2960509
- Fax: +31 40 2960309
- EMail: GeertJan.deGroot@bsdi.com
-
-
- Paul Vixie
- Internet Software Consortium
- Star Route Box 159A
- Woodside, CA 94062
- USA
-
- Phone: +1 415 747 0204
- EMail: paul@vix.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 9]
-
-RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
-
-
-11. Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eidnes, et. al. Best Current Practice [Page 10]
-
diff --git a/contrib/bind9/doc/rfc/rfc2373.txt b/contrib/bind9/doc/rfc/rfc2373.txt
deleted file mode 100644
index 59fcff80f140..000000000000
--- a/contrib/bind9/doc/rfc/rfc2373.txt
+++ /dev/null
@@ -1,1459 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Hinden
-Request for Comments: 2373 Nokia
-Obsoletes: 1884 S. Deering
-Category: Standards Track Cisco Systems
- July 1998
-
- IP Version 6 Addressing Architecture
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-Abstract
-
- This specification defines the addressing architecture of the IP
- Version 6 protocol [IPV6]. The document includes the IPv6 addressing
- model, text representations of IPv6 addresses, definition of IPv6
- unicast addresses, anycast addresses, and multicast addresses, and an
- IPv6 node's required addresses.
-
-Table of Contents
-
- 1. Introduction.................................................2
- 2. IPv6 Addressing..............................................2
- 2.1 Addressing Model.........................................3
- 2.2 Text Representation of Addresses.........................3
- 2.3 Text Representation of Address Prefixes..................5
- 2.4 Address Type Representation..............................6
- 2.5 Unicast Addresses........................................7
- 2.5.1 Interface Identifiers................................8
- 2.5.2 The Unspecified Address..............................9
- 2.5.3 The Loopback Address.................................9
- 2.5.4 IPv6 Addresses with Embedded IPv4 Addresses.........10
- 2.5.5 NSAP Addresses......................................10
- 2.5.6 IPX Addresses.......................................10
- 2.5.7 Aggregatable Global Unicast Addresses...............11
- 2.5.8 Local-use IPv6 Unicast Addresses....................11
- 2.6 Anycast Addresses.......................................12
- 2.6.1 Required Anycast Address............................13
- 2.7 Multicast Addresses.....................................14
-
-
-
-Hinden & Deering Standards Track [Page 1]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- 2.7.1 Pre-Defined Multicast Addresses.....................15
- 2.7.2 Assignment of New IPv6 Multicast Addresses..........17
- 2.8 A Node's Required Addresses.............................17
- 3. Security Considerations.....................................18
- APPENDIX A: Creating EUI-64 based Interface Identifiers........19
- APPENDIX B: ABNF Description of Text Representations...........22
- APPENDIX C: CHANGES FROM RFC-1884..............................23
- REFERENCES.....................................................24
- AUTHORS' ADDRESSES.............................................25
- FULL COPYRIGHT STATEMENT.......................................26
-
-
-1.0 INTRODUCTION
-
- This specification defines the addressing architecture of the IP
- Version 6 protocol. It includes a detailed description of the
- currently defined address formats for IPv6 [IPV6].
-
- The authors would like to acknowledge the contributions of Paul
- Francis, Scott Bradner, Jim Bound, Brian Carpenter, Matt Crawford,
- Deborah Estrin, Roger Fajman, Bob Fink, Peter Ford, Bob Gilligan,
- Dimitry Haskin, Tom Harsch, Christian Huitema, Tony Li, Greg
- Minshall, Thomas Narten, Erik Nordmark, Yakov Rekhter, Bill Simpson,
- and Sue Thomson.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-2.0 IPv6 ADDRESSING
-
- IPv6 addresses are 128-bit identifiers for interfaces and sets of
- interfaces. There are three types of addresses:
-
- Unicast: An identifier for a single interface. A packet sent to
- a unicast address is delivered to the interface
- identified by that address.
-
- Anycast: An identifier for a set of interfaces (typically
- belonging to different nodes). A packet sent to an
- anycast address is delivered to one of the interfaces
- identified by that address (the "nearest" one, according
- to the routing protocols' measure of distance).
-
- Multicast: An identifier for a set of interfaces (typically
- belonging to different nodes). A packet sent to a
- multicast address is delivered to all interfaces
- identified by that address.
-
-
-
-Hinden & Deering Standards Track [Page 2]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- There are no broadcast addresses in IPv6, their function being
- superseded by multicast addresses.
-
- In this document, fields in addresses are given a specific name, for
- example "subscriber". When this name is used with the term "ID" for
- identifier after the name (e.g., "subscriber ID"), it refers to the
- contents of the named field. When it is used with the term "prefix"
- (e.g. "subscriber prefix") it refers to all of the address up to and
- including this field.
-
- In IPv6, all zeros and all ones are legal values for any field,
- unless specifically excluded. Specifically, prefixes may contain
- zero-valued fields or end in zeros.
-
-2.1 Addressing Model
-
- IPv6 addresses of all types are assigned to interfaces, not nodes.
- An IPv6 unicast address refers to a single interface. Since each
- interface belongs to a single node, any of that node's interfaces'
- unicast addresses may be used as an identifier for the node.
-
- All interfaces are required to have at least one link-local unicast
- address (see section 2.8 for additional required addresses). A
- single interface may also be assigned multiple IPv6 addresses of any
- type (unicast, anycast, and multicast) or scope. Unicast addresses
- with scope greater than link-scope are not needed for interfaces that
- are not used as the origin or destination of any IPv6 packets to or
- from non-neighbors. This is sometimes convenient for point-to-point
- interfaces. There is one exception to this addressing model:
-
- An unicast address or a set of unicast addresses may be assigned to
- multiple physical interfaces if the implementation treats the
- multiple physical interfaces as one interface when presenting it to
- the internet layer. This is useful for load-sharing over multiple
- physical interfaces.
-
- Currently IPv6 continues the IPv4 model that a subnet prefix is
- associated with one link. Multiple subnet prefixes may be assigned
- to the same link.
-
-2.2 Text Representation of Addresses
-
- There are three conventional forms for representing IPv6 addresses as
- text strings:
-
- 1. The preferred form is x:x:x:x:x:x:x:x, where the 'x's are the
- hexadecimal values of the eight 16-bit pieces of the address.
- Examples:
-
-
-
-Hinden & Deering Standards Track [Page 3]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
-
- 1080:0:0:0:8:800:200C:417A
-
- Note that it is not necessary to write the leading zeros in an
- individual field, but there must be at least one numeral in every
- field (except for the case described in 2.).
-
- 2. Due to some methods of allocating certain styles of IPv6
- addresses, it will be common for addresses to contain long strings
- of zero bits. In order to make writing addresses containing zero
- bits easier a special syntax is available to compress the zeros.
- The use of "::" indicates multiple groups of 16-bits of zeros.
- The "::" can only appear once in an address. The "::" can also be
- used to compress the leading and/or trailing zeros in an address.
-
- For example the following addresses:
-
- 1080:0:0:0:8:800:200C:417A a unicast address
- FF01:0:0:0:0:0:0:101 a multicast address
- 0:0:0:0:0:0:0:1 the loopback address
- 0:0:0:0:0:0:0:0 the unspecified addresses
-
- may be represented as:
-
- 1080::8:800:200C:417A a unicast address
- FF01::101 a multicast address
- ::1 the loopback address
- :: the unspecified addresses
-
- 3. An alternative form that is sometimes more convenient when dealing
- with a mixed environment of IPv4 and IPv6 nodes is
- x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
- the six high-order 16-bit pieces of the address, and the 'd's are
- the decimal values of the four low-order 8-bit pieces of the
- address (standard IPv4 representation). Examples:
-
- 0:0:0:0:0:0:13.1.68.3
-
- 0:0:0:0:0:FFFF:129.144.52.38
-
- or in compressed form:
-
- ::13.1.68.3
-
- ::FFFF:129.144.52.38
-
-
-
-
-
-Hinden & Deering Standards Track [Page 4]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-2.3 Text Representation of Address Prefixes
-
- The text representation of IPv6 address prefixes is similar to the
- way IPv4 addresses prefixes are written in CIDR notation. An IPv6
- address prefix is represented by the notation:
-
- ipv6-address/prefix-length
-
- where
-
- ipv6-address is an IPv6 address in any of the notations listed
- in section 2.2.
-
- prefix-length is a decimal value specifying how many of the
- leftmost contiguous bits of the address comprise
- the prefix.
-
- For example, the following are legal representations of the 60-bit
- prefix 12AB00000000CD3 (hexadecimal):
-
- 12AB:0000:0000:CD30:0000:0000:0000:0000/60
- 12AB::CD30:0:0:0:0/60
- 12AB:0:0:CD30::/60
-
- The following are NOT legal representations of the above prefix:
-
- 12AB:0:0:CD3/60 may drop leading zeros, but not trailing zeros,
- within any 16-bit chunk of the address
-
- 12AB::CD30/60 address to left of "/" expands to
- 12AB:0000:0000:0000:0000:000:0000:CD30
-
- 12AB::CD3/60 address to left of "/" expands to
- 12AB:0000:0000:0000:0000:000:0000:0CD3
-
- When writing both a node address and a prefix of that node address
- (e.g., the node's subnet prefix), the two can combined as follows:
-
- the node address 12AB:0:0:CD30:123:4567:89AB:CDEF
- and its subnet number 12AB:0:0:CD30::/60
-
- can be abbreviated as 12AB:0:0:CD30:123:4567:89AB:CDEF/60
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 5]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-2.4 Address Type Representation
-
- The specific type of an IPv6 address is indicated by the leading bits
- in the address. The variable-length field comprising these leading
- bits is called the Format Prefix (FP). The initial allocation of
- these prefixes is as follows:
-
- Allocation Prefix Fraction of
- (binary) Address Space
- ----------------------------------- -------- -------------
- Reserved 0000 0000 1/256
- Unassigned 0000 0001 1/256
-
- Reserved for NSAP Allocation 0000 001 1/128
- Reserved for IPX Allocation 0000 010 1/128
-
- Unassigned 0000 011 1/128
- Unassigned 0000 1 1/32
- Unassigned 0001 1/16
-
- Aggregatable Global Unicast Addresses 001 1/8
- Unassigned 010 1/8
- Unassigned 011 1/8
- Unassigned 100 1/8
- Unassigned 101 1/8
- Unassigned 110 1/8
-
- Unassigned 1110 1/16
- Unassigned 1111 0 1/32
- Unassigned 1111 10 1/64
- Unassigned 1111 110 1/128
- Unassigned 1111 1110 0 1/512
-
- Link-Local Unicast Addresses 1111 1110 10 1/1024
- Site-Local Unicast Addresses 1111 1110 11 1/1024
-
- Multicast Addresses 1111 1111 1/256
-
- Notes:
-
- (1) The "unspecified address" (see section 2.5.2), the loopback
- address (see section 2.5.3), and the IPv6 Addresses with
- Embedded IPv4 Addresses (see section 2.5.4), are assigned out
- of the 0000 0000 format prefix space.
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 6]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- (2) The format prefixes 001 through 111, except for Multicast
- Addresses (1111 1111), are all required to have to have 64-bit
- interface identifiers in EUI-64 format. See section 2.5.1 for
- definitions.
-
- This allocation supports the direct allocation of aggregation
- addresses, local use addresses, and multicast addresses. Space is
- reserved for NSAP addresses and IPX addresses. The remainder of the
- address space is unassigned for future use. This can be used for
- expansion of existing use (e.g., additional aggregatable addresses,
- etc.) or new uses (e.g., separate locators and identifiers). Fifteen
- percent of the address space is initially allocated. The remaining
- 85% is reserved for future use.
-
- Unicast addresses are distinguished from multicast addresses by the
- value of the high-order octet of the addresses: a value of FF
- (11111111) identifies an address as a multicast address; any other
- value identifies an address as a unicast address. Anycast addresses
- are taken from the unicast address space, and are not syntactically
- distinguishable from unicast addresses.
-
-2.5 Unicast Addresses
-
- IPv6 unicast addresses are aggregatable with contiguous bit-wise
- masks similar to IPv4 addresses under Class-less Interdomain Routing
- [CIDR].
-
- There are several forms of unicast address assignment in IPv6,
- including the global aggregatable global unicast address, the NSAP
- address, the IPX hierarchical address, the site-local address, the
- link-local address, and the IPv4-capable host address. Additional
- address types can be defined in the future.
-
- IPv6 nodes may have considerable or little knowledge of the internal
- structure of the IPv6 address, depending on the role the node plays
- (for instance, host versus router). At a minimum, a node may
- consider that unicast addresses (including its own) have no internal
- structure:
-
- | 128 bits |
- +-----------------------------------------------------------------+
- | node address |
- +-----------------------------------------------------------------+
-
- A slightly sophisticated host (but still rather simple) may
- additionally be aware of subnet prefix(es) for the link(s) it is
- attached to, where different addresses may have different values for
- n:
-
-
-
-Hinden & Deering Standards Track [Page 7]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- | n bits | 128-n bits |
- +------------------------------------------------+----------------+
- | subnet prefix | interface ID |
- +------------------------------------------------+----------------+
-
- Still more sophisticated hosts may be aware of other hierarchical
- boundaries in the unicast address. Though a very simple router may
- have no knowledge of the internal structure of IPv6 unicast
- addresses, routers will more generally have knowledge of one or more
- of the hierarchical boundaries for the operation of routing
- protocols. The known boundaries will differ from router to router,
- depending on what positions the router holds in the routing
- hierarchy.
-
-2.5.1 Interface Identifiers
-
- Interface identifiers in IPv6 unicast addresses are used to identify
- interfaces on a link. They are required to be unique on that link.
- They may also be unique over a broader scope. In many cases an
- interface's identifier will be the same as that interface's link-
- layer address. The same interface identifier may be used on multiple
- interfaces on a single node.
-
- Note that the use of the same interface identifier on multiple
- interfaces of a single node does not affect the interface
- identifier's global uniqueness or each IPv6 addresses global
- uniqueness created using that interface identifier.
-
- In a number of the format prefixes (see section 2.4) Interface IDs
- are required to be 64 bits long and to be constructed in IEEE EUI-64
- format [EUI64]. EUI-64 based Interface identifiers may have global
- scope when a global token is available (e.g., IEEE 48bit MAC) or may
- have local scope where a global token is not available (e.g., serial
- links, tunnel end-points, etc.). It is required that the "u" bit
- (universal/local bit in IEEE EUI-64 terminology) be inverted when
- forming the interface identifier from the EUI-64. The "u" bit is set
- to one (1) to indicate global scope, and it is set to zero (0) to
- indicate local scope. The first three octets in binary of an EUI-64
- identifier are as follows:
-
- 0 0 0 1 1 2
- |0 7 8 5 6 3|
- +----+----+----+----+----+----+
- |cccc|ccug|cccc|cccc|cccc|cccc|
- +----+----+----+----+----+----+
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 8]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- written in Internet standard bit-order , where "u" is the
- universal/local bit, "g" is the individual/group bit, and "c" are the
- bits of the company_id. Appendix A: "Creating EUI-64 based Interface
- Identifiers" provides examples on the creation of different EUI-64
- based interface identifiers.
-
- The motivation for inverting the "u" bit when forming the interface
- identifier is to make it easy for system administrators to hand
- configure local scope identifiers when hardware tokens are not
- available. This is expected to be case for serial links, tunnel end-
- points, etc. The alternative would have been for these to be of the
- form 0200:0:0:1, 0200:0:0:2, etc., instead of the much simpler ::1,
- ::2, etc.
-
- The use of the universal/local bit in the IEEE EUI-64 identifier is
- to allow development of future technology that can take advantage of
- interface identifiers with global scope.
-
- The details of forming interface identifiers are defined in the
- appropriate "IPv6 over <link>" specification such as "IPv6 over
- Ethernet" [ETHER], "IPv6 over FDDI" [FDDI], etc.
-
-2.5.2 The Unspecified Address
-
- The address 0:0:0:0:0:0:0:0 is called the unspecified address. It
- must never be assigned to any node. It indicates the absence of an
- address. One example of its use is in the Source Address field of
- any IPv6 packets sent by an initializing host before it has learned
- its own address.
-
- The unspecified address must not be used as the destination address
- of IPv6 packets or in IPv6 Routing Headers.
-
-2.5.3 The Loopback Address
-
- The unicast address 0:0:0:0:0:0:0:1 is called the loopback address.
- It may be used by a node to send an IPv6 packet to itself. It may
- never be assigned to any physical interface. It may be thought of as
- being associated with a virtual interface (e.g., the loopback
- interface).
-
- The loopback address must not be used as the source address in IPv6
- packets that are sent outside of a single node. An IPv6 packet with
- a destination address of loopback must never be sent outside of a
- single node and must never be forwarded by an IPv6 router.
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 9]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-2.5.4 IPv6 Addresses with Embedded IPv4 Addresses
-
- The IPv6 transition mechanisms [TRAN] include a technique for hosts
- and routers to dynamically tunnel IPv6 packets over IPv4 routing
- infrastructure. IPv6 nodes that utilize this technique are assigned
- special IPv6 unicast addresses that carry an IPv4 address in the low-
- order 32-bits. This type of address is termed an "IPv4-compatible
- IPv6 address" and has the format:
-
- | 80 bits | 16 | 32 bits |
- +--------------------------------------+--------------------------+
- |0000..............................0000|0000| IPv4 address |
- +--------------------------------------+----+---------------------+
-
- A second type of IPv6 address which holds an embedded IPv4 address is
- also defined. This address is used to represent the addresses of
- IPv4-only nodes (those that *do not* support IPv6) as IPv6 addresses.
- This type of address is termed an "IPv4-mapped IPv6 address" and has
- the format:
-
- | 80 bits | 16 | 32 bits |
- +--------------------------------------+--------------------------+
- |0000..............................0000|FFFF| IPv4 address |
- +--------------------------------------+----+---------------------+
-
-2.5.5 NSAP Addresses
-
- This mapping of NSAP address into IPv6 addresses is defined in
- [NSAP]. This document recommends that network implementors who have
- planned or deployed an OSI NSAP addressing plan, and who wish to
- deploy or transition to IPv6, should redesign a native IPv6
- addressing plan to meet their needs. However, it also defines a set
- of mechanisms for the support of OSI NSAP addressing in an IPv6
- network. These mechanisms are the ones that must be used if such
- support is required. This document also defines a mapping of IPv6
- addresses within the OSI address format, should this be required.
-
-2.5.6 IPX Addresses
-
- This mapping of IPX address into IPv6 addresses is as follows:
-
- | 7 | 121 bits |
- +-------+---------------------------------------------------------+
- |0000010| to be defined |
- +-------+---------------------------------------------------------+
-
- The draft definition, motivation, and usage are under study.
-
-
-
-
-Hinden & Deering Standards Track [Page 10]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-2.5.7 Aggregatable Global Unicast Addresses
-
- The global aggregatable global unicast address is defined in [AGGR].
- This address format is designed to support both the current provider
- based aggregation and a new type of aggregation called exchanges.
- The combination will allow efficient routing aggregation for both
- sites which connect directly to providers and who connect to
- exchanges. Sites will have the choice to connect to either type of
- aggregation point.
-
- The IPv6 aggregatable global unicast address format is as follows:
-
- | 3| 13 | 8 | 24 | 16 | 64 bits |
- +--+-----+---+--------+--------+--------------------------------+
- |FP| TLA |RES| NLA | SLA | Interface ID |
- | | ID | | ID | ID | |
- +--+-----+---+--------+--------+--------------------------------+
-
- Where
-
- 001 Format Prefix (3 bit) for Aggregatable Global
- Unicast Addresses
- TLA ID Top-Level Aggregation Identifier
- RES Reserved for future use
- NLA ID Next-Level Aggregation Identifier
- SLA ID Site-Level Aggregation Identifier
- INTERFACE ID Interface Identifier
-
- The contents, field sizes, and assignment rules are defined in
- [AGGR].
-
-2.5.8 Local-Use IPv6 Unicast Addresses
-
- There are two types of local-use unicast addresses defined. These
- are Link-Local and Site-Local. The Link-Local is for use on a single
- link and the Site-Local is for use in a single site. Link-Local
- addresses have the following format:
-
- | 10 |
- | bits | 54 bits | 64 bits |
- +----------+-------------------------+----------------------------+
- |1111111010| 0 | interface ID |
- +----------+-------------------------+----------------------------+
-
- Link-Local addresses are designed to be used for addressing on a
- single link for purposes such as auto-address configuration, neighbor
- discovery, or when no routers are present.
-
-
-
-
-Hinden & Deering Standards Track [Page 11]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- Routers must not forward any packets with link-local source or
- destination addresses to other links.
-
- Site-Local addresses have the following format:
-
- | 10 |
- | bits | 38 bits | 16 bits | 64 bits |
- +----------+-------------+-----------+----------------------------+
- |1111111011| 0 | subnet ID | interface ID |
- +----------+-------------+-----------+----------------------------+
-
- Site-Local addresses are designed to be used for addressing inside of
- a site without the need for a global prefix.
-
- Routers must not forward any packets with site-local source or
- destination addresses outside of the site.
-
-2.6 Anycast Addresses
-
- An IPv6 anycast address is an address that is assigned to more than
- one interface (typically belonging to different nodes), with the
- property that a packet sent to an anycast address is routed to the
- "nearest" interface having that address, according to the routing
- protocols' measure of distance.
-
- Anycast addresses are allocated from the unicast address space, using
- any of the defined unicast address formats. Thus, anycast addresses
- are syntactically indistinguishable from unicast addresses. When a
- unicast address is assigned to more than one interface, thus turning
- it into an anycast address, the nodes to which the address is
- assigned must be explicitly configured to know that it is an anycast
- address.
-
- For any assigned anycast address, there is a longest address prefix P
- that identifies the topological region in which all interfaces
- belonging to that anycast address reside. Within the region
- identified by P, each member of the anycast set must be advertised as
- a separate entry in the routing system (commonly referred to as a
- "host route"); outside the region identified by P, the anycast
- address may be aggregated into the routing advertisement for prefix
- P.
-
- Note that in, the worst case, the prefix P of an anycast set may be
- the null prefix, i.e., the members of the set may have no topological
- locality. In that case, the anycast address must be advertised as a
- separate routing entry throughout the entire internet, which presents
-
-
-
-
-
-Hinden & Deering Standards Track [Page 12]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- a severe scaling limit on how many such "global" anycast sets may be
- supported. Therefore, it is expected that support for global anycast
- sets may be unavailable or very restricted.
-
- One expected use of anycast addresses is to identify the set of
- routers belonging to an organization providing internet service.
- Such addresses could be used as intermediate addresses in an IPv6
- Routing header, to cause a packet to be delivered via a particular
- aggregation or sequence of aggregations. Some other possible uses
- are to identify the set of routers attached to a particular subnet,
- or the set of routers providing entry into a particular routing
- domain.
-
- There is little experience with widespread, arbitrary use of internet
- anycast addresses, and some known complications and hazards when
- using them in their full generality [ANYCST]. Until more experience
- has been gained and solutions agreed upon for those problems, the
- following restrictions are imposed on IPv6 anycast addresses:
-
- o An anycast address must not be used as the source address of an
- IPv6 packet.
-
- o An anycast address must not be assigned to an IPv6 host, that
- is, it may be assigned to an IPv6 router only.
-
-2.6.1 Required Anycast Address
-
- The Subnet-Router anycast address is predefined. Its format is as
- follows:
-
- | n bits | 128-n bits |
- +------------------------------------------------+----------------+
- | subnet prefix | 00000000000000 |
- +------------------------------------------------+----------------+
-
- The "subnet prefix" in an anycast address is the prefix which
- identifies a specific link. This anycast address is syntactically
- the same as a unicast address for an interface on the link with the
- interface identifier set to zero.
-
- Packets sent to the Subnet-Router anycast address will be delivered
- to one router on the subnet. All routers are required to support the
- Subnet-Router anycast addresses for the subnets which they have
- interfaces.
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 13]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- The subnet-router anycast address is intended to be used for
- applications where a node needs to communicate with one of a set of
- routers on a remote subnet. For example when a mobile host needs to
- communicate with one of the mobile agents on its "home" subnet.
-
-2.7 Multicast Addresses
-
- An IPv6 multicast address is an identifier for a group of nodes. A
- node may belong to any number of multicast groups. Multicast
- addresses have the following format:
-
- | 8 | 4 | 4 | 112 bits |
- +------ -+----+----+---------------------------------------------+
- |11111111|flgs|scop| group ID |
- +--------+----+----+---------------------------------------------+
-
- 11111111 at the start of the address identifies the address as
- being a multicast address.
-
- +-+-+-+-+
- flgs is a set of 4 flags: |0|0|0|T|
- +-+-+-+-+
-
- The high-order 3 flags are reserved, and must be initialized to
- 0.
-
- T = 0 indicates a permanently-assigned ("well-known") multicast
- address, assigned by the global internet numbering authority.
-
- T = 1 indicates a non-permanently-assigned ("transient")
- multicast address.
-
- scop is a 4-bit multicast scope value used to limit the scope of
- the multicast group. The values are:
-
- 0 reserved
- 1 node-local scope
- 2 link-local scope
- 3 (unassigned)
- 4 (unassigned)
- 5 site-local scope
- 6 (unassigned)
- 7 (unassigned)
- 8 organization-local scope
- 9 (unassigned)
- A (unassigned)
- B (unassigned)
- C (unassigned)
-
-
-
-Hinden & Deering Standards Track [Page 14]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- D (unassigned)
- E global scope
- F reserved
-
- group ID identifies the multicast group, either permanent or
- transient, within the given scope.
-
- The "meaning" of a permanently-assigned multicast address is
- independent of the scope value. For example, if the "NTP servers
- group" is assigned a permanent multicast address with a group ID of
- 101 (hex), then:
-
- FF01:0:0:0:0:0:0:101 means all NTP servers on the same node as the
- sender.
-
- FF02:0:0:0:0:0:0:101 means all NTP servers on the same link as the
- sender.
-
- FF05:0:0:0:0:0:0:101 means all NTP servers at the same site as the
- sender.
-
- FF0E:0:0:0:0:0:0:101 means all NTP servers in the internet.
-
- Non-permanently-assigned multicast addresses are meaningful only
- within a given scope. For example, a group identified by the non-
- permanent, site-local multicast address FF15:0:0:0:0:0:0:101 at one
- site bears no relationship to a group using the same address at a
- different site, nor to a non-permanent group using the same group ID
- with different scope, nor to a permanent group with the same group
- ID.
-
- Multicast addresses must not be used as source addresses in IPv6
- packets or appear in any routing header.
-
-2.7.1 Pre-Defined Multicast Addresses
-
- The following well-known multicast addresses are pre-defined:
-
- Reserved Multicast Addresses: FF00:0:0:0:0:0:0:0
- FF01:0:0:0:0:0:0:0
- FF02:0:0:0:0:0:0:0
- FF03:0:0:0:0:0:0:0
- FF04:0:0:0:0:0:0:0
- FF05:0:0:0:0:0:0:0
- FF06:0:0:0:0:0:0:0
- FF07:0:0:0:0:0:0:0
- FF08:0:0:0:0:0:0:0
- FF09:0:0:0:0:0:0:0
-
-
-
-Hinden & Deering Standards Track [Page 15]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- FF0A:0:0:0:0:0:0:0
- FF0B:0:0:0:0:0:0:0
- FF0C:0:0:0:0:0:0:0
- FF0D:0:0:0:0:0:0:0
- FF0E:0:0:0:0:0:0:0
- FF0F:0:0:0:0:0:0:0
-
- The above multicast addresses are reserved and shall never be
- assigned to any multicast group.
-
- All Nodes Addresses: FF01:0:0:0:0:0:0:1
- FF02:0:0:0:0:0:0:1
-
- The above multicast addresses identify the group of all IPv6 nodes,
- within scope 1 (node-local) or 2 (link-local).
-
- All Routers Addresses: FF01:0:0:0:0:0:0:2
- FF02:0:0:0:0:0:0:2
- FF05:0:0:0:0:0:0:2
-
- The above multicast addresses identify the group of all IPv6 routers,
- within scope 1 (node-local), 2 (link-local), or 5 (site-local).
-
- Solicited-Node Address: FF02:0:0:0:0:1:FFXX:XXXX
-
- The above multicast address is computed as a function of a node's
- unicast and anycast addresses. The solicited-node multicast address
- is formed by taking the low-order 24 bits of the address (unicast or
- anycast) and appending those bits to the prefix
- FF02:0:0:0:0:1:FF00::/104 resulting in a multicast address in the
- range
-
- FF02:0:0:0:0:1:FF00:0000
-
- to
-
- FF02:0:0:0:0:1:FFFF:FFFF
-
- For example, the solicited node multicast address corresponding to
- the IPv6 address 4037::01:800:200E:8C6C is FF02::1:FF0E:8C6C. IPv6
- addresses that differ only in the high-order bits, e.g. due to
- multiple high-order prefixes associated with different aggregations,
- will map to the same solicited-node address thereby reducing the
- number of multicast addresses a node must join.
-
- A node is required to compute and join the associated Solicited-Node
- multicast addresses for every unicast and anycast address it is
- assigned.
-
-
-
-Hinden & Deering Standards Track [Page 16]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-2.7.2 Assignment of New IPv6 Multicast Addresses
-
- The current approach [ETHER] to map IPv6 multicast addresses into
- IEEE 802 MAC addresses takes the low order 32 bits of the IPv6
- multicast address and uses it to create a MAC address. Note that
- Token Ring networks are handled differently. This is defined in
- [TOKEN]. Group ID's less than or equal to 32 bits will generate
- unique MAC addresses. Due to this new IPv6 multicast addresses
- should be assigned so that the group identifier is always in the low
- order 32 bits as shown in the following:
-
- | 8 | 4 | 4 | 80 bits | 32 bits |
- +------ -+----+----+---------------------------+-----------------+
- |11111111|flgs|scop| reserved must be zero | group ID |
- +--------+----+----+---------------------------+-----------------+
-
- While this limits the number of permanent IPv6 multicast groups to
- 2^32 this is unlikely to be a limitation in the future. If it
- becomes necessary to exceed this limit in the future multicast will
- still work but the processing will be sightly slower.
-
- Additional IPv6 multicast addresses are defined and registered by the
- IANA [MASGN].
-
-2.8 A Node's Required Addresses
-
- A host is required to recognize the following addresses as
- identifying itself:
-
- o Its Link-Local Address for each interface
- o Assigned Unicast Addresses
- o Loopback Address
- o All-Nodes Multicast Addresses
- o Solicited-Node Multicast Address for each of its assigned
- unicast and anycast addresses
- o Multicast Addresses of all other groups to which the host
- belongs.
-
- A router is required to recognize all addresses that a host is
- required to recognize, plus the following addresses as identifying
- itself:
-
- o The Subnet-Router anycast addresses for the interfaces it is
- configured to act as a router on.
- o All other Anycast addresses with which the router has been
- configured.
- o All-Routers Multicast Addresses
-
-
-
-
-Hinden & Deering Standards Track [Page 17]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- o Multicast Addresses of all other groups to which the router
- belongs.
-
- The only address prefixes which should be predefined in an
- implementation are the:
-
- o Unspecified Address
- o Loopback Address
- o Multicast Prefix (FF)
- o Local-Use Prefixes (Link-Local and Site-Local)
- o Pre-Defined Multicast Addresses
- o IPv4-Compatible Prefixes
-
- Implementations should assume all other addresses are unicast unless
- specifically configured (e.g., anycast addresses).
-
-3. Security Considerations
-
- IPv6 addressing documents do not have any direct impact on Internet
- infrastructure security. Authentication of IPv6 packets is defined
- in [AUTH].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 18]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-APPENDIX A : Creating EUI-64 based Interface Identifiers
---------------------------------------------------------
-
- Depending on the characteristics of a specific link or node there are
- a number of approaches for creating EUI-64 based interface
- identifiers. This appendix describes some of these approaches.
-
-Links or Nodes with EUI-64 Identifiers
-
- The only change needed to transform an EUI-64 identifier to an
- interface identifier is to invert the "u" (universal/local) bit. For
- example, a globally unique EUI-64 identifier of the form:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+----------------+
-
- where "c" are the bits of the assigned company_id, "0" is the value
- of the universal/local bit to indicate global scope, "g" is
- individual/group bit, and "m" are the bits of the manufacturer-
- selected extension identifier. The IPv6 interface identifier would
- be of the form:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |cccccc1gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+----------------+
-
- The only change is inverting the value of the universal/local bit.
-
-Links or Nodes with IEEE 802 48 bit MAC's
-
- [EUI64] defines a method to create a EUI-64 identifier from an IEEE
- 48bit MAC identifier. This is to insert two octets, with hexadecimal
- values of 0xFF and 0xFE, in the middle of the 48 bit MAC (between the
- company_id and vendor supplied id). For example the 48 bit MAC with
- global scope:
-
- |0 1|1 3|3 4|
- |0 5|6 1|2 7|
- +----------------+----------------+----------------+
- |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+
-
-
-
-
-
-Hinden & Deering Standards Track [Page 19]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- where "c" are the bits of the assigned company_id, "0" is the value
- of the universal/local bit to indicate global scope, "g" is
- individual/group bit, and "m" are the bits of the manufacturer-
- selected extension identifier. The interface identifier would be of
- the form:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |cccccc1gcccccccc|cccccccc11111111|11111110mmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+----------------+
-
- When IEEE 802 48bit MAC addresses are available (on an interface or a
- node), an implementation should use them to create interface
- identifiers due to their availability and uniqueness properties.
-
-Links with Non-Global Identifiers
-
- There are a number of types of links that, while multi-access, do not
- have globally unique link identifiers. Examples include LocalTalk
- and Arcnet. The method to create an EUI-64 formatted identifier is
- to take the link identifier (e.g., the LocalTalk 8 bit node
- identifier) and zero fill it to the left. For example a LocalTalk 8
- bit node identifier of hexadecimal value 0x4F results in the
- following interface identifier:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |0000000000000000|0000000000000000|0000000000000000|0000000001001111|
- +----------------+----------------+----------------+----------------+
-
- Note that this results in the universal/local bit set to "0" to
- indicate local scope.
-
-Links without Identifiers
-
- There are a number of links that do not have any type of built-in
- identifier. The most common of these are serial links and configured
- tunnels. Interface identifiers must be chosen that are unique for
- the link.
-
- When no built-in identifier is available on a link the preferred
- approach is to use a global interface identifier from another
- interface or one which is assigned to the node itself. To use this
- approach no other interface connecting the same node to the same link
- may use the same identifier.
-
-
-
-
-Hinden & Deering Standards Track [Page 20]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
- If there is no global interface identifier available for use on the
- link the implementation needs to create a local scope interface
- identifier. The only requirement is that it be unique on the link.
- There are many possible approaches to select a link-unique interface
- identifier. They include:
-
- Manual Configuration
- Generated Random Number
- Node Serial Number (or other node-specific token)
-
- The link-unique interface identifier should be generated in a manner
- that it does not change after a reboot of a node or if interfaces are
- added or deleted from the node.
-
- The selection of the appropriate algorithm is link and implementation
- dependent. The details on forming interface identifiers are defined
- in the appropriate "IPv6 over <link>" specification. It is strongly
- recommended that a collision detection algorithm be implemented as
- part of any automatic algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 21]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-APPENDIX B: ABNF Description of Text Representations
-----------------------------------------------------
-
- This appendix defines the text representation of IPv6 addresses and
- prefixes in Augmented BNF [ABNF] for reference purposes.
-
- IPv6address = hexpart [ ":" IPv4address ]
- IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
-
- IPv6prefix = hexpart "/" 1*2DIGIT
-
- hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
- hexseq = hex4 *( ":" hex4)
- hex4 = 1*4HEXDIG
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 22]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-APPENDIX C: CHANGES FROM RFC-1884
----------------------------------
-
- The following changes were made from RFC-1884 "IP Version 6
- Addressing Architecture":
-
- - Added an appendix providing a ABNF description of text
- representations.
- - Clarification that link unique identifiers not change after
- reboot or other interface reconfigurations.
- - Clarification of Address Model based on comments.
- - Changed aggregation format terminology to be consistent with
- aggregation draft.
- - Added text to allow interface identifier to be used on more than
- one interface on same node.
- - Added rules for defining new multicast addresses.
- - Added appendix describing procedures for creating EUI-64 based
- interface ID's.
- - Added notation for defining IPv6 prefixes.
- - Changed solicited node multicast definition to use a longer
- prefix.
- - Added site scope all routers multicast address.
- - Defined Aggregatable Global Unicast Addresses to use "001" Format
- Prefix.
- - Changed "010" (Provider-Based Unicast) and "100" (Reserved for
- Geographic) Format Prefixes to Unassigned.
- - Added section on Interface ID definition for unicast addresses.
- Requires use of EUI-64 in range of format prefixes and rules for
- setting global/local scope bit in EUI-64.
- - Updated NSAP text to reflect working in RFC1888.
- - Removed protocol specific IPv6 multicast addresses (e.g., DHCP)
- and referenced the IANA definitions.
- - Removed section "Unicast Address Example". Had become OBE.
- - Added new and updated references.
- - Minor text clarifications and improvements.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 23]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-REFERENCES
-
- [ABNF] Crocker, D., and P. Overell, "Augmented BNF for
- Syntax Specifications: ABNF", RFC 2234, November 1997.
-
- [AGGR] Hinden, R., O'Dell, M., and S. Deering, "An
- Aggregatable Global Unicast Address Format", RFC 2374, July
- 1998.
-
- [AUTH] Atkinson, R., "IP Authentication Header", RFC 1826, August
- 1995.
-
- [ANYCST] Partridge, C., Mendez, T., and W. Milliken, "Host
- Anycasting Service", RFC 1546, November 1993.
-
- [CIDR] Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless
- Inter-Domain Routing (CIDR): An Address Assignment and
- Aggregation Strategy", RFC 1519, September 1993.
-
- [ETHER] Crawford, M., "Transmission of IPv6 Pacekts over Ethernet
- Networks", Work in Progress.
-
- [EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
- Registration Authority",
- http://standards.ieee.org/db/oui/tutorials/EUI64.html,
- March 1997.
-
- [FDDI] Crawford, M., "Transmission of IPv6 Packets over FDDI
- Networks", Work in Progress.
-
- [IPV6] Deering, S., and R. Hinden, Editors, "Internet Protocol,
- Version 6 (IPv6) Specification", RFC 1883, December 1995.
-
- [MASGN] Hinden, R., and S. Deering, "IPv6 Multicast Address
- Assignments", RFC 2375, July 1998.
-
- [NSAP] Bound, J., Carpenter, B., Harrington, D., Houldsworth, J.,
- and A. Lloyd, "OSI NSAPs and IPv6", RFC 1888, August 1996.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [TOKEN] Thomas, S., "Transmission of IPv6 Packets over Token Ring
- Networks", Work in Progress.
-
- [TRAN] Gilligan, R., and E. Nordmark, "Transition Mechanisms for
- IPv6 Hosts and Routers", RFC 1993, April 1996.
-
-
-
-
-Hinden & Deering Standards Track [Page 24]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-AUTHORS' ADDRESSES
-
- Robert M. Hinden
- Nokia
- 232 Java Drive
- Sunnyvale, CA 94089
- USA
-
- Phone: +1 408 990-2004
- Fax: +1 408 743-5677
- EMail: hinden@iprg.nokia.com
-
-
- Stephen E. Deering
- Cisco Systems, Inc.
- 170 West Tasman Drive
- San Jose, CA 95134-1706
- USA
-
- Phone: +1 408 527-8213
- Fax: +1 408 527-8254
- EMail: deering@cisco.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 25]
-
-RFC 2373 IPv6 Addressing Architecture July 1998
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 26]
-
diff --git a/contrib/bind9/doc/rfc/rfc2374.txt b/contrib/bind9/doc/rfc/rfc2374.txt
deleted file mode 100644
index e3c7f0de490a..000000000000
--- a/contrib/bind9/doc/rfc/rfc2374.txt
+++ /dev/null
@@ -1,675 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Hinden
-Request for Comments: 2374 Nokia
-Obsoletes: 2073 M. O'Dell
-Category: Standards Track UUNET
- S. Deering
- Cisco
- July 1998
-
-
- An IPv6 Aggregatable Global Unicast Address Format
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-1.0 Introduction
-
- This document defines an IPv6 aggregatable global unicast address
- format for use in the Internet. The address format defined in this
- document is consistent with the IPv6 Protocol [IPV6] and the "IPv6
- Addressing Architecture" [ARCH]. It is designed to facilitate
- scalable Internet routing.
-
- This documented replaces RFC 2073, "An IPv6 Provider-Based Unicast
- Address Format". RFC 2073 will become historic. The Aggregatable
- Global Unicast Address Format is an improvement over RFC 2073 in a
- number of areas. The major changes include removal of the registry
- bits because they are not needed for route aggregation, support of
- EUI-64 based interface identifiers, support of provider and exchange
- based aggregation, separation of public and site topology, and new
- aggregation based terminology.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 1]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
-2.0 Overview of the IPv6 Address
-
- IPv6 addresses are 128-bit identifiers for interfaces and sets of
- interfaces. There are three types of addresses: Unicast, Anycast,
- and Multicast. This document defines a specific type of Unicast
- address.
-
- In this document, fields in addresses are given specific names, for
- example "subnet". When this name is used with the term "ID" (for
- "identifier") after the name (e.g., "subnet ID"), it refers to the
- contents of the named field. When it is used with the term "prefix"
- (e.g. "subnet prefix") it refers to all of the addressing bits to
- the left of and including this field.
-
- IPv6 unicast addresses are designed assuming that the Internet
- routing system makes forwarding decisions based on a "longest prefix
- match" algorithm on arbitrary bit boundaries and does not have any
- knowledge of the internal structure of IPv6 addresses. The structure
- in IPv6 addresses is for assignment and allocation. The only
- exception to this is the distinction made between unicast and
- multicast addresses.
-
- The specific type of an IPv6 address is indicated by the leading bits
- in the address. The variable-length field comprising these leading
- bits is called the Format Prefix (FP).
-
- This document defines an address format for the 001 (binary) Format
- Prefix for Aggregatable Global Unicast addresses. The same address
- format could be used for other Format Prefixes, as long as these
- Format Prefixes also identify IPv6 unicast addresses. Only the "001"
- Format Prefix is defined here.
-
-3.0 IPv6 Aggregatable Global Unicast Address Format
-
- This document defines an address format for the IPv6 aggregatable
- global unicast address assignment. The authors believe that this
- address format will be widely used for IPv6 nodes connected to the
- Internet. This address format is designed to support both the
- current provider-based aggregation and a new type of exchange-based
- aggregation. The combination will allow efficient routing
- aggregation for sites that connect directly to providers and for
- sites that connect to exchanges. Sites will have the choice to
- connect to either type of aggregation entity.
-
-
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 2]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- While this address format is designed to support exchange-based
- aggregation (in addition to current provider-based aggregation) it is
- not dependent on exchanges for it's overall route aggregation
- properties. It will provide efficient route aggregation with only
- provider-based aggregation.
-
- Aggregatable addresses are organized into a three level hierarchy:
-
- - Public Topology
- - Site Topology
- - Interface Identifier
-
- Public topology is the collection of providers and exchanges who
- provide public Internet transit services. Site topology is local to
- a specific site or organization which does not provide public transit
- service to nodes outside of the site. Interface identifiers identify
- interfaces on links.
-
- ______________ ______________
- --+/ \+--------------+/ \+----------
- ( P1 ) +----+ ( P3 ) +----+
- +\______________/ | |----+\______________/+--| |--
- | +--| X1 | +| X2 |
- | ______________ / | |-+ ______________ / | |--
- +/ \+ +-+--+ \ / \+ +----+
- ( P2 ) / \ +( P4 )
- --+\______________/ / \ \______________/
- | / \ | |
- | / | | |
- | / | | |
- _|_ _/_ _|_ _|_ _|_
- / \ / \ / \ / \ / \
- ( S.A ) ( S.B ) ( P5 ) ( P6 )( S.C )
- \___/ \___/ \___/ \___/ \___/
- | / \
- _|_ _/_ \ ___
- / \ / \ +-/ \
- ( S.D ) ( S.E ) ( S.F )
- \___/ \___/ \___/
-
- As shown in the figure above, the aggregatable address format is
- designed to support long-haul providers (shown as P1, P2, P3, and
- P4), exchanges (shown as X1 and X2), multiple levels of providers
- (shown at P5 and P6), and subscribers (shown as S.x) Exchanges
- (unlike current NAPs, FIXes, etc.) will allocate IPv6 addresses.
- Organizations who connect to these exchanges will also subscribe
- (directly, indirectly via the exchange, etc.) for long-haul service
- from one or more long-haul providers. Doing so, they will achieve
-
-
-
-Hinden, et. al. Standards Track [Page 3]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- addressing independence from long-haul transit providers. They will
- be able to change long-haul providers without having to renumber
- their organization. They can also be multihomed via the exchange to
- more than one long-haul provider without having to have address
- prefixes from each long-haul provider. Note that the mechanisms used
- for this type of provider selection and portability are not discussed
- in the document.
-
-3.1 Aggregatable Global Unicast Address Structure
-
- The aggregatable global unicast address format is as follows:
-
- | 3| 13 | 8 | 24 | 16 | 64 bits |
- +--+-----+---+--------+--------+--------------------------------+
- |FP| TLA |RES| NLA | SLA | Interface ID |
- | | ID | | ID | ID | |
- +--+-----+---+--------+--------+--------------------------------+
-
- <--Public Topology---> Site
- <-------->
- Topology
- <------Interface Identifier----->
-
- Where
-
- FP Format Prefix (001)
- TLA ID Top-Level Aggregation Identifier
- RES Reserved for future use
- NLA ID Next-Level Aggregation Identifier
- SLA ID Site-Level Aggregation Identifier
- INTERFACE ID Interface Identifier
-
- The following sections specify each part of the IPv6 Aggregatable
- Global Unicast address format.
-
-3.2 Top-Level Aggregation ID
-
- Top-Level Aggregation Identifiers (TLA ID) are the top level in the
- routing hierarchy. Default-free routers must have a routing table
- entry for every active TLA ID and will probably have additional
- entries providing routing information for the TLA ID in which they
- are located. They may have additional entries in order to optimize
- routing for their specific topology, but the routing topology at all
- levels must be designed to minimize the number of additional entries
- fed into the default free routing tables.
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 4]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- This addressing format supports 8,192 (2^13) TLA ID's. Additional
- TLA ID's may be added by either growing the TLA field to the right
- into the reserved field or by using this format for additional format
- prefixes.
-
- The issues relating to TLA ID assignment are beyond the scope of this
- document. They will be described in a document under preparation.
-
-3.3 Reserved
-
- The Reserved field is reserved for future use and must be set to
- zero.
-
- The Reserved field allows for future growth of the TLA and NLA fields
- as appropriate. See section 4.0 for a discussion.
-
-3.4 Next-Level Aggregation Identifier
-
- Next-Level Aggregation Identifier's are used by organizations
- assigned a TLA ID to create an addressing hierarchy and to identify
- sites. The organization can assign the top part of the NLA ID in a
- manner to create an addressing hierarchy appropriate to its network.
- It can use the remainder of the bits in the field to identify sites
- it wishes to serve. This is shown as follows:
-
- | n | 24-n bits | 16 | 64 bits |
- +-----+--------------------+--------+-----------------+
- |NLA1 | Site ID | SLA ID | Interface ID |
- +-----+--------------------+--------+-----------------+
-
- Each organization assigned a TLA ID receives 24 bits of NLA ID space.
- This NLA ID space allows each organization to provide service to
- approximately as many organizations as the current IPv4 Internet can
- support total networks.
-
- Organizations assigned TLA ID's may also support NLA ID's in their
- own Site ID space. This allows the organization assigned a TLA ID to
- provide service to organizations providing public transit service and
- to organizations who do not provide public transit service. These
- organizations receiving an NLA ID may also choose to use their Site
- ID space to support other NLA ID's. This is shown as follows:
-
-
-
-
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 5]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- | n | 24-n bits | 16 | 64 bits |
- +-----+--------------------+--------+-----------------+
- |NLA1 | Site ID | SLA ID | Interface ID |
- +-----+--------------------+--------+-----------------+
-
- | m | 24-n-m | 16 | 64 bits |
- +-----+--------------+--------+-----------------+
- |NLA2 | Site ID | SLA ID | Interface ID |
- +-----+--------------+--------+-----------------+
-
- | o |24-n-m-o| 16 | 64 bits |
- +-----+--------+--------+-----------------+
- |NLA3 | Site ID| SLA ID | Interface ID |
- +-----+--------+--------+-----------------+
-
- The design of the bit layout of the NLA ID space for a specific TLA
- ID is left to the organization responsible for that TLA ID. Likewise
- the design of the bit layout of the next level NLA ID is the
- responsibility of the previous level NLA ID. It is recommended that
- organizations assigning NLA address space use "slow start" allocation
- procedures similar to [RFC2050].
-
- The design of an NLA ID allocation plan is a tradeoff between routing
- aggregation efficiency and flexibility. Creating hierarchies allows
- for greater amount of aggregation and results in smaller routing
- tables. Flat NLA ID assignment provides for easier allocation and
- attachment flexibility, but results in larger routing tables.
-
-3.5 Site-Level Aggregation Identifier
-
- The SLA ID field is used by an individual organization to create its
- own local addressing hierarchy and to identify subnets. This is
- analogous to subnets in IPv4 except that each organization has a much
- greater number of subnets. The 16 bit SLA ID field support 65,535
- individual subnets.
-
- Organizations may choose to either route their SLA ID "flat" (e.g.,
- not create any logical relationship between the SLA identifiers that
- results in larger routing tables), or to create a two or more level
- hierarchy (that results in smaller routing tables) in the SLA ID
- field. The latter is shown as follows:
-
-
-
-
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 6]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- | n | 16-n | 64 bits |
- +-----+------------+-------------------------------------+
- |SLA1 | Subnet | Interface ID |
- +-----+------------+-------------------------------------+
-
- | m |16-n-m | 64 bits |
- +----+-------+-------------------------------------+
- |SLA2|Subnet | Interface ID |
- +----+-------+-------------------------------------+
-
- The approach chosen for structuring an SLA ID field is the
- responsibility of the individual organization.
-
- The number of subnets supported in this address format should be
- sufficient for all but the largest of organizations. Organizations
- which need additional subnets can arrange with the organization they
- are obtaining Internet service from to obtain additional site
- identifiers and use this to create additional subnets.
-
-3.6 Interface ID
-
- Interface identifiers are used to identify interfaces on a link.
- They are required to be unique on that link. They may also be unique
- over a broader scope. In many cases an interfaces identifier will be
- the same or be based on the interface's link-layer address.
- Interface IDs used in the aggregatable global unicast address format
- are required to be 64 bits long and to be constructed in IEEE EUI-64
- format [EUI-64]. These identifiers may have global scope when a
- global token (e.g., IEEE 48bit MAC) is available or may have local
- scope where a global token is not available (e.g., serial links,
- tunnel end-points, etc.). The "u" bit (universal/local bit in IEEE
- EUI-64 terminology) in the EUI-64 identifier must be set correctly,
- as defined in [ARCH], to indicate global or local scope.
-
- The procedures for creating EUI-64 based Interface Identifiers is
- defined in [ARCH]. The details on forming interface identifiers is
- defined in the appropriate "IPv6 over <link>" specification such as
- "IPv6 over Ethernet" [ETHER], "IPv6 over FDDI" [FDDI], etc.
-
-4.0 Technical Motivation
-
- The design choices for the size of the fields in the aggregatable
- address format were based on the need to meet a number of technical
- requirements. These are described in the following paragraphs.
-
- The size of the Top-Level Aggregation Identifier is 13 bits. This
- allows for 8,192 TLA ID's. This size was chosen to insure that the
- default-free routing table in top level routers in the Internet is
-
-
-
-Hinden, et. al. Standards Track [Page 7]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- kept within the limits, with a reasonable margin, of the current
- routing technology. The margin is important because default-free
- routers will also carry a significant number of longer (i.e., more-
- specific) prefixes for optimizing paths internal to a TLA and between
- TLAs.
-
- The important issue is not only the size of the default-free routing
- table, but the complexity of the topology that determines the number
- of copies of the default-free routes that a router must examine while
- computing a forwarding table. Current practice with IPv4 it is
- common to see a prefix announced fifteen times via different paths.
-
- The complexity of Internet topology is very likely to increase in the
- future. It is important that IPv6 default-free routing support
- additional complexity as well as a considerably larger internet.
-
- It should be noted for comparison that at the time of this writing
- (spring, 1998) the IPv4 default-free routing table contains
- approximately 50,000 prefixes. While this shows that it is possible
- to support more routes than 8,192 it is matter of debate if the
- number of prefixes supported today in IPv4 is already too high for
- current routing technology. There are serious issues of route
- stability as well as cases of providers not supporting all top level
- prefixes. The technical requirement was to pick a TLA ID size that
- was below, with a reasonable margin, what was being done with IPv4.
-
- The choice of 13 bits for the TLA field was an engineering
- compromise. Fewer bits would have been too small by not supporting
- enough top level organizations. More bits would have exceeded what
- can be reasonably accommodated, with a reasonable margin, with
- current routing technology in order to deal with the issues described
- in the previous paragraphs.
-
- If in the future, routing technology improves to support a larger
- number of top level routes in the default-free routing tables there
- are two choices on how to increase the number TLA identifiers. The
- first is to expand the TLA ID field into the reserved field. This
- would increase the number of TLA ID's to approximately 2 million.
- The second approach is to allocate another format prefix (FP) for use
- with this address format. Either or a combination of these
- approaches allows the number of TLA ID's to increase significantly.
-
- The size of the Reserved field is 8 bits. This size was chosen to
- allow significant growth of either the TLA ID and/or the NLA ID
- fields.
-
- The size of the Next-Level Aggregation Identifier field is 24 bits.
-
-
-
-
-Hinden, et. al. Standards Track [Page 8]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- This allows for approximately sixteen million NLA ID's if used in a
- flat manner. Used hierarchically it allows for a complexity roughly
- equivalent to the IPv4 address space (assuming an average network
- size of 254 interfaces). If in the future additional room for
- complexity is needed in the NLA ID, this may be accommodated by
- extending the NLA ID into the Reserved field.
-
- The size of the Site-Level Aggregation Identifier field is 16 bits.
- This supports 65,535 individual subnets per site. The design goal
- for the size of this field was to be sufficient for all but the
- largest of organizations. Organizations which need additional
- subnets can arrange with the organization they are obtaining Internet
- service from to obtain additional site identifiers and use this to
- create additional subnets.
-
- The Site-Level Aggregation Identifier field was given a fixed size in
- order to force the length of all prefixes identifying a particular
- site to be the same length (i.e., 48 bits). This facilitates
- movement of sites in the topology (e.g., changing service providers
- and multi-homing to multiple service providers).
-
- The Interface ID Interface Identifier field is 64 bits. This size
- was chosen to meet the requirement specified in [ARCH] to support
- EUI-64 based Interface Identifiers.
-
-5.0 Acknowledgments
-
- The authors would like to express our thanks to Thomas Narten, Bob
- Fink, Matt Crawford, Allison Mankin, Jim Bound, Christian Huitema,
- Scott Bradner, Brian Carpenter, John Stewart, and Daniel Karrenberg
- for their review and constructive comments.
-
-6.0 References
-
- [ALLOC] IAB and IESG, "IPv6 Address Allocation Management",
- RFC 1881, December 1995.
-
- [ARCH] Hinden, R., "IP Version 6 Addressing Architecture",
- RFC 2373, July 1998.
-
- [AUTH] Atkinson, R., "IP Authentication Header", RFC 1826, August
- 1995.
-
- [AUTO] Thompson, S., and T. Narten., "IPv6 Stateless Address
- Autoconfiguration", RFC 1971, August 1996.
-
- [ETHER] Crawford, M., "Transmission of IPv6 Packets over Ethernet
- Networks", Work in Progress.
-
-
-
-Hinden, et. al. Standards Track [Page 9]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
- [EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
- Registration Authority",
- http://standards.ieee.org/db/oui/tutorials/EUI64.html,
- March 1997.
-
- [FDDI] Crawford, M., "Transmission of IPv6 Packets over FDDI
- Networks", Work in Progress.
-
- [IPV6] Deering, S., and R. Hinden, "Internet Protocol, Version 6
- (IPv6) Specification", RFC 1883, December 1995.
-
- [RFC2050] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D.,
- and J. Postel, "Internet Registry IP Allocation
- Guidelines", BCP 12, RFC 1466, November 1996.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-7.0 Security Considerations
-
- IPv6 addressing documents do not have any direct impact on Internet
- infrastructure security. Authentication of IPv6 packets is defined
- in [AUTH].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 10]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
-8.0 Authors' Addresses
-
- Robert M. Hinden
- Nokia
- 232 Java Drive
- Sunnyvale, CA 94089
- USA
-
- Phone: 1 408 990-2004
- EMail: hinden@iprg.nokia.com
-
-
- Mike O'Dell
- UUNET Technologies, Inc.
- 3060 Williams Drive
- Fairfax, VA 22030
- USA
-
- Phone: 1 703 206-5890
- EMail: mo@uunet.uu.net
-
-
- Stephen E. Deering
- Cisco Systems, Inc.
- 170 West Tasman Drive
- San Jose, CA 95134-1706
- USA
-
- Phone: 1 408 527-8213
- EMail: deering@cisco.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 11]
-
-RFC 2374 IPv6 Global Unicast Address Format July 1998
-
-
-9.0 Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden, et. al. Standards Track [Page 12]
-
diff --git a/contrib/bind9/doc/rfc/rfc2375.txt b/contrib/bind9/doc/rfc/rfc2375.txt
deleted file mode 100644
index a1fe8b9a40d8..000000000000
--- a/contrib/bind9/doc/rfc/rfc2375.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Hinden
-Request for Comments: 2375 Ipsilon Networks
-Category: Informational S. Deering
- Cisco
- July 1998
-
-
- IPv6 Multicast Address Assignments
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-1.0 Introduction
-
- This document defines the initial assignment of IPv6 multicast
- addresses. It is based on the "IP Version 6 Addressing Architecture"
- [ADDARCH] and current IPv4 multicast address assignment found in
- <ftp://venera.isi.edu/in-notes/iana/assignments/multicast-addresses>.
- It adapts the IPv4 assignments that are relevant to IPv6 assignments.
- IPv4 assignments that were not relevant were not converted into IPv6
- assignments. Comments are solicited on this conversion.
-
- All other IPv6 multicast addresses are reserved.
-
- Sections 2 and 3 specify reserved and preassigned IPv6 multicast
- addresses.
-
- [ADDRARCH] defines rules for assigning new IPv6 multicast addresses.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-2. Fixed Scope Multicast Addresses
-
- These permanently assigned multicast addresses are valid over a
- specified scope value.
-
-
-
-
-
-
-
-Hinden & Deering Informational [Page 1]
-
-RFC 2375 IPv6 Multicast Address Assignments July 1998
-
-
-2.1 Node-Local Scope
-
- FF01:0:0:0:0:0:0:1 All Nodes Address [ADDARCH]
- FF01:0:0:0:0:0:0:2 All Routers Address [ADDARCH]
-
-2.2 Link-Local Scope
-
- FF02:0:0:0:0:0:0:1 All Nodes Address [ADDARCH]
- FF02:0:0:0:0:0:0:2 All Routers Address [ADDARCH]
- FF02:0:0:0:0:0:0:3 Unassigned [JBP]
- FF02:0:0:0:0:0:0:4 DVMRP Routers [RFC1075,JBP]
- FF02:0:0:0:0:0:0:5 OSPFIGP [RFC2328,Moy]
- FF02:0:0:0:0:0:0:6 OSPFIGP Designated Routers [RFC2328,Moy]
- FF02:0:0:0:0:0:0:7 ST Routers [RFC1190,KS14]
- FF02:0:0:0:0:0:0:8 ST Hosts [RFC1190,KS14]
- FF02:0:0:0:0:0:0:9 RIP Routers [RFC2080]
- FF02:0:0:0:0:0:0:A EIGRP Routers [Farinacci]
- FF02:0:0:0:0:0:0:B Mobile-Agents [Bill Simpson]
-
- FF02:0:0:0:0:0:0:D All PIM Routers [Farinacci]
- FF02:0:0:0:0:0:0:E RSVP-ENCAPSULATION [Braden]
-
- FF02:0:0:0:0:0:1:1 Link Name [Harrington]
- FF02:0:0:0:0:0:1:2 All-dhcp-agents [Bound,Perkins]
-
- FF02:0:0:0:0:1:FFXX:XXXX Solicited-Node Address [ADDARCH]
-
-2.3 Site-Local Scope
-
- FF05:0:0:0:0:0:0:2 All Routers Address [ADDARCH]
-
- FF05:0:0:0:0:0:1:3 All-dhcp-servers [Bound,Perkins]
- FF05:0:0:0:0:0:1:4 All-dhcp-relays [Bound,Perkins]
- FF05:0:0:0:0:0:1:1000 Service Location [RFC2165]
- -FF05:0:0:0:0:0:1:13FF
-
-3.0 All Scope Multicast Addresses
-
- These permanently assigned multicast addresses are valid over all
- scope ranges. This is shown by an "X" in the scope field of the
- address that means any legal scope value.
-
- Note that, as defined in [ADDARCH], IPv6 multicast addresses which
- are only different in scope represent different groups. Nodes must
- join each group individually.
-
- The IPv6 multicast addresses with variable scope are as follows:
-
-
-
-
-Hinden & Deering Informational [Page 2]
-
-RFC 2375 IPv6 Multicast Address Assignments July 1998
-
-
- FF0X:0:0:0:0:0:0:0 Reserved Multicast Address [ADDARCH]
-
- FF0X:0:0:0:0:0:0:100 VMTP Managers Group [RFC1045,DRC3]
- FF0X:0:0:0:0:0:0:101 Network Time Protocol (NTP) [RFC1119,DLM1]
- FF0X:0:0:0:0:0:0:102 SGI-Dogfight [AXC]
- FF0X:0:0:0:0:0:0:103 Rwhod [SXD]
- FF0X:0:0:0:0:0:0:104 VNP [DRC3]
- FF0X:0:0:0:0:0:0:105 Artificial Horizons - Aviator [BXF]
- FF0X:0:0:0:0:0:0:106 NSS - Name Service Server [BXS2]
- FF0X:0:0:0:0:0:0:107 AUDIONEWS - Audio News Multicast [MXF2]
- FF0X:0:0:0:0:0:0:108 SUN NIS+ Information Service [CXM3]
- FF0X:0:0:0:0:0:0:109 MTP Multicast Transport Protocol [SXA]
- FF0X:0:0:0:0:0:0:10A IETF-1-LOW-AUDIO [SC3]
- FF0X:0:0:0:0:0:0:10B IETF-1-AUDIO [SC3]
- FF0X:0:0:0:0:0:0:10C IETF-1-VIDEO [SC3]
- FF0X:0:0:0:0:0:0:10D IETF-2-LOW-AUDIO [SC3]
- FF0X:0:0:0:0:0:0:10E IETF-2-AUDIO [SC3]
- FF0X:0:0:0:0:0:0:10F IETF-2-VIDEO [SC3]
-
- FF0X:0:0:0:0:0:0:110 MUSIC-SERVICE [Guido van Rossum]
- FF0X:0:0:0:0:0:0:111 SEANET-TELEMETRY [Andrew Maffei]
- FF0X:0:0:0:0:0:0:112 SEANET-IMAGE [Andrew Maffei]
- FF0X:0:0:0:0:0:0:113 MLOADD [Braden]
- FF0X:0:0:0:0:0:0:114 any private experiment [JBP]
- FF0X:0:0:0:0:0:0:115 DVMRP on MOSPF [Moy]
- FF0X:0:0:0:0:0:0:116 SVRLOC [Veizades]
- FF0X:0:0:0:0:0:0:117 XINGTV <hgxing@aol.com>
- FF0X:0:0:0:0:0:0:118 microsoft-ds <arnoldm@microsoft.com>
- FF0X:0:0:0:0:0:0:119 nbc-pro <bloomer@birch.crd.ge.com>
- FF0X:0:0:0:0:0:0:11A nbc-pfn <bloomer@birch.crd.ge.com>
- FF0X:0:0:0:0:0:0:11B lmsc-calren-1 [Uang]
- FF0X:0:0:0:0:0:0:11C lmsc-calren-2 [Uang]
- FF0X:0:0:0:0:0:0:11D lmsc-calren-3 [Uang]
- FF0X:0:0:0:0:0:0:11E lmsc-calren-4 [Uang]
- FF0X:0:0:0:0:0:0:11F ampr-info [Janssen]
-
- FF0X:0:0:0:0:0:0:120 mtrace [Casner]
- FF0X:0:0:0:0:0:0:121 RSVP-encap-1 [Braden]
- FF0X:0:0:0:0:0:0:122 RSVP-encap-2 [Braden]
- FF0X:0:0:0:0:0:0:123 SVRLOC-DA [Veizades]
- FF0X:0:0:0:0:0:0:124 rln-server [Kean]
- FF0X:0:0:0:0:0:0:125 proshare-mc [Lewis]
- FF0X:0:0:0:0:0:0:126 dantz [Yackle]
- FF0X:0:0:0:0:0:0:127 cisco-rp-announce [Farinacci]
- FF0X:0:0:0:0:0:0:128 cisco-rp-discovery [Farinacci]
- FF0X:0:0:0:0:0:0:129 gatekeeper [Toga]
- FF0X:0:0:0:0:0:0:12A iberiagames [Marocho]
-
-
-
-
-Hinden & Deering Informational [Page 3]
-
-RFC 2375 IPv6 Multicast Address Assignments July 1998
-
-
- FF0X:0:0:0:0:0:0:201 "rwho" Group (BSD) (unofficial) [JBP]
- FF0X:0:0:0:0:0:0:202 SUN RPC PMAPPROC_CALLIT [BXE1]
-
- FF0X:0:0:0:0:0:2:0000
- -FF0X:0:0:0:0:0:2:7FFD Multimedia Conference Calls [SC3]
- FF0X:0:0:0:0:0:2:7FFE SAPv1 Announcements [SC3]
- FF0X:0:0:0:0:0:2:7FFF SAPv0 Announcements (deprecated) [SC3]
- FF0X:0:0:0:0:0:2:8000
- -FF0X:0:0:0:0:0:2:FFFF SAP Dynamic Assignments [SC3]
-
-5.0 References
-
- [ADDARCH] Hinden, R., and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
- [AUTORFC] Thompson, S., and T. Narten, "IPv6 Stateless Address
- Autoconfiguration", RFC 1971, August 1996.
-
- [ETHER] Crawford, M., "Transmission of IPv6 Packets over Ethernet
- Networks", Work in Progress.
-
- [RFC1045] Cheriton, D., "VMTP: Versatile Message Transaction Protocol
- Specification", RFC 1045, February 1988.
-
- [RFC1075] Waitzman, D., Partridge, C., and S. Deering, "Distance
- Vector Multicast Routing Protocol", RFC 1075, November
- 1988.
-
- [RFC1112] Deering, S., "Host Extensions for IP Multicasting", STD 5,
- RFC 1112, Stanford University, August 1989.
-
- [RFC1119] Mills, D., "Network Time Protocol (Version 1),
- Specification and Implementation", STD 12, RFC 1119, July
- 1988.
-
- [RFC1190] Topolcic, C., Editor, "Experimental Internet Stream
- Protocol, Version 2 (ST-II)", RFC 1190, October 1990.
-
- [RFC2080] Malkin, G., and R. Minnear, "RIPng for IPv6", RFC 2080,
- January 1997.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2165] Veizades, J., Guttman, E., Perkins, C., and S. Kaplan
- "Service Location Protocol", RFC 2165 June 1997.
-
- [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.
-
-
-
-Hinden & Deering Informational [Page 4]
-
-RFC 2375 IPv6 Multicast Address Assignments July 1998
-
-
-6. People
-
- <arnoldm@microsoft.com>
-
- [AXC] Andrew Cherenson <arc@SGI.COM>
-
- [Braden] Bob Braden, <braden@isi.edu>, April 1996.
-
- [Bob Brenner]
-
- [Bressler] David J. Bressler, <bressler@tss.com>, April 1996.
-
- <bloomer@birch.crd.ge.com>
-
- [Bound] Jim Bound <bound@zk3.dec.com>
-
- [BXE1] Brendan Eic <brendan@illyria.wpd.sgi.com>
-
- [BXF] Bruce Factor <ahi!bigapple!bruce@uunet.UU.NET>
-
- [BXS2] Bill Schilit <schilit@parc.xerox.com>
-
- [Casner] Steve Casner, <casner@isi.edu>, January 1995.
-
- [CXM3] Chuck McManis <cmcmanis@sun.com>
-
- [Tim Clark]
-
- [DLM1] David Mills <Mills@HUEY.UDEL.EDU>
-
- [DRC3] Dave Cheriton <cheriton@PESCADERO.STANFORD.EDU>
-
- [DXS3] Daniel Steinber <Daniel.Steinberg@Eng.Sun.COM>
-
- [Farinacci] Dino Farinacci, <dino@cisco.com>
-
- [GSM11] Gary S. Malkin <GMALKIN@XYLOGICS.COM>
-
- [Harrington] Dan Harrington, <dan@lucent.com>, July 1996.
-
- <hgxing@aol.com>
-
- [IANA] IANA <iana@iana.org>
-
- [Janssen] Rob Janssen, <rob@pe1chl.ampr.org>, January 1995.
-
- [JBP] Jon Postel <postel@isi.edu>
-
-
-
-
-Hinden & Deering Informational [Page 5]
-
-RFC 2375 IPv6 Multicast Address Assignments July 1998
-
-
- [JXM1] Jim Miner <miner@star.com>
-
- [Kean] Brian Kean, <bkean@dca.com>, August 1995.
-
- [KS14] <mystery contact>
-
- [Lee] Choon Lee, <cwl@nsd.3com.com>, April 1996.
-
- [Lewis] Mark Lewis, <Mark_Lewis@ccm.jf.intel.com>, October 1995.
-
- [Malamud] Carl Malamud, <carl@radio.com>, January 1996.
-
- [Andrew Maffei]
-
- [Marohco] Jose Luis Marocho, <73374.313@compuserve.com>, July 1996.
-
- [Moy] John Moy <jmoy@casc.com>
-
- [MXF2] Martin Forssen <maf@dtek.chalmers.se>
-
- [Perkins] Charlie Perkins, <cperkins@corp.sun.com>
-
- [Guido van Rossum]
-
- [SC3] Steve Casner <casner@isi.edu>
-
- [Simpson] Bill Simpson <bill.simpson@um.cc.umich.edu> November 1994.
-
- [Joel Snyder]
-
- [SXA] Susie Armstrong <Armstrong.wbst128@XEROX.COM>
-
- [SXD] Steve Deering <deering@PARC.XEROX.COM>
-
- [tynan] Dermot Tynan, <dtynan@claddagh.ie>, August 1995.
-
- [Toga] Jim Toga, <jtoga@ibeam.jf.intel.com>, May 1996.
-
- [Uang] Yea Uang <uang@force.decnet.lockheed.com> November 1994.
-
- [Veizades] John Veizades, <veizades@tgv.com>, May 1995.
-
- [Yackle] Dotty Yackle, <ditty_yackle@dantz.com>, February 1996.
-
-
-
-
-
-
-
-
-Hinden & Deering Informational [Page 6]
-
-RFC 2375 IPv6 Multicast Address Assignments July 1998
-
-
-7.0 Security Considerations
-
- This document defines the initial assignment of IPv6 multicast
- addresses. As such it does not directly impact the security of the
- Internet infrastructure or its applications.
-
-8.0 Authors' Addresses
-
- Robert M. Hinden
- Ipsilon Networks, Inc.
- 232 Java Drive
- Sunnyvale, CA 94089
- USA
-
- Phone: +1 415 990 2004
- EMail: hinden@ipsilon.com
-
-
- Stephen E. Deering
- Cisco Systems, Inc.
- 170 West Tasman Drive
- San Jose, CA 95134-1706
- USA
-
- Phone: +1 408 527-8213
- EMail: deering@cisco.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Informational [Page 7]
-
-RFC 2375 IPv6 Multicast Address Assignments July 1998
-
-
-9.0 Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Informational [Page 8]
-
diff --git a/contrib/bind9/doc/rfc/rfc2418.txt b/contrib/bind9/doc/rfc/rfc2418.txt
deleted file mode 100644
index 9bdb2c536783..000000000000
--- a/contrib/bind9/doc/rfc/rfc2418.txt
+++ /dev/null
@@ -1,1459 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Bradner
-Request for Comments: 2418 Editor
-Obsoletes: 1603 Harvard University
-BCP: 25 September 1998
-Category: Best Current Practice
-
-
- IETF Working Group
- Guidelines and Procedures
-
-Status of this Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
-Abstract
-
- The Internet Engineering Task Force (IETF) has responsibility for
- developing and reviewing specifications intended as Internet
- Standards. IETF activities are organized into working groups (WGs).
- This document describes the guidelines and procedures for formation
- and operation of IETF working groups. It also describes the formal
- relationship between IETF participants WG and the Internet
- Engineering Steering Group (IESG) and the basic duties of IETF
- participants, including WG Chairs, WG participants, and IETF Area
- Directors.
-
-Table of Contents
-
- Abstract ......................................................... 1
- 1. Introduction .................................................. 2
- 1.1. IETF approach to standardization .......................... 4
- 1.2. Roles within a Working Group .............................. 4
- 2. Working group formation ....................................... 4
- 2.1. Criteria for formation .................................... 4
- 2.2. Charter ................................................... 6
- 2.3. Charter review & approval ................................. 8
- 2.4. Birds of a feather (BOF) .................................. 9
- 3. Working Group Operation ....................................... 10
- 3.1. Session planning .......................................... 11
- 3.2. Session venue ............................................. 11
- 3.3. Session management ........................................ 13
- 3.4. Contention and appeals .................................... 15
-
-
-
-Bradner Best Current Practice [Page 1]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- 4. Working Group Termination ..................................... 15
- 5. Rechartering a Working Group .................................. 15
- 6. Staff Roles ................................................... 16
- 6.1. WG Chair .................................................. 16
- 6.2. WG Secretary .............................................. 18
- 6.3. Document Editor ........................................... 18
- 6.4. WG Facilitator ............................................ 18
- 6.5. Design teams .............................................. 19
- 6.6. Working Group Consultant .................................. 19
- 6.7. Area Director ............................................. 19
- 7. Working Group Documents ....................................... 19
- 7.1. Session documents ......................................... 19
- 7.2. Internet-Drafts (I-D) ..................................... 19
- 7.3. Request For Comments (RFC) ................................ 20
- 7.4. Working Group Last-Call ................................... 20
- 7.5. Submission of documents ................................... 21
- 8. Review of documents ........................................... 21
- 9. Security Considerations ....................................... 22
- 10. Acknowledgments .............................................. 23
- 11. References ................................................... 23
- 12. Editor's Address ............................................. 23
- Appendix: Sample Working Group Charter .......................... 24
- Full Copyright Statement ......................................... 26
-
-1. Introduction
-
- The Internet, a loosely-organized international collaboration of
- autonomous, interconnected networks, supports host-to-host
- communication through voluntary adherence to open protocols and
- procedures defined by Internet Standards. There are also many
- isolated interconnected networks, which are not connected to the
- global Internet but use the Internet Standards. Internet Standards
- are developed in the Internet Engineering Task Force (IETF). This
- document defines guidelines and procedures for IETF working groups.
- The Internet Standards Process of the IETF is defined in [1]. The
- organizations involved in the IETF Standards Process are described in
- [2] as are the roles of specific individuals.
-
- The IETF is a large, open community of network designers, operators,
- vendors, users, and researchers concerned with the Internet and the
- technology used on it. The primary activities of the IETF are
- performed by committees known as working groups. There are currently
- more than 100 working groups. (See the IETF web page for an up-to-
- date list of IETF Working Groups - http://www.ietf.org.) Working
- groups tend to have a narrow focus and a lifetime bounded by the
- completion of a specific set of tasks, although there are exceptions.
-
-
-
-
-
-Bradner Best Current Practice [Page 2]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- For management purposes, the IETF working groups are collected
- together into areas, with each area having a separate focus. For
- example, the security area deals with the development of security-
- related technology. Each IETF area is managed by one or two Area
- Directors (ADs). There are currently 8 areas in the IETF but the
- number changes from time to time. (See the IETF web page for a list
- of the current areas, the Area Directors for each area, and a list of
- which working groups are assigned to each area.)
-
- In many areas, the Area Directors have formed an advisory group or
- directorate. These comprise experienced members of the IETF and the
- technical community represented by the area. The specific name and
- the details of the role for each group differ from area to area, but
- the primary intent is that these groups assist the Area Director(s),
- e.g., with the review of specifications produced in the area.
-
- The IETF area directors are selected by a nominating committee, which
- also selects an overall chair for the IETF. The nominations process
- is described in [3].
-
- The area directors sitting as a body, along with the IETF Chair,
- comprise the Internet Engineering Steering Group (IESG). The IETF
- Executive Director is an ex-officio participant of the IESG, as are
- the IAB Chair and a designated Internet Architecture Board (IAB)
- liaison. The IESG approves IETF Standards and approves the
- publication of other IETF documents. (See [1].)
-
- A small IETF Secretariat provides staff and administrative support
- for the operation of the IETF.
-
- There is no formal membership in the IETF. Participation is open to
- all. This participation may be by on-line contribution, attendance
- at face-to-face sessions, or both. Anyone from the Internet
- community who has the time and interest is urged to participate in
- IETF meetings and any of its on-line working group discussions.
- Participation is by individual technical contributors, rather than by
- formal representatives of organizations.
-
- This document defines procedures and guidelines for the formation and
- operation of working groups in the IETF. It defines the relations of
- working groups to other bodies within the IETF. The duties of working
- group Chairs and Area Directors with respect to the operation of the
- working group are also defined. When used in this document the key
- words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
- "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be
- interpreted as described in RFC 2119 [6]. RFC 2119 defines the use
- of these key words to help make the intent of standards track
- documents as clear as possible. The same key words are used in this
-
-
-
-Bradner Best Current Practice [Page 3]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- document to help smooth WG operation and reduce the chance for
- confusion about the processes.
-
-1.1. IETF approach to standardization
-
- Familiarity with The Internet Standards Process [1] is essential for
- a complete understanding of the philosophy, procedures and guidelines
- described in this document.
-
-1.2. Roles within a Working Group
-
- The document, "Organizations Involved in the IETF Standards Process"
- [2] describes the roles of a number of individuals within a working
- group, including the working group chair and the document editor.
- These descriptions are expanded later in this document.
-
-2. Working group formation
-
- IETF working groups (WGs) are the primary mechanism for development
- of IETF specifications and guidelines, many of which are intended to
- be standards or recommendations. A working group may be established
- at the initiative of an Area Director or it may be initiated by an
- individual or group of individuals. Anyone interested in creating an
- IETF working group MUST obtain the advice and consent of the IETF
- Area Director(s) in whose area the working group would fall and MUST
- proceed through the formal steps detailed in this section.
-
- Working groups are typically created to address a specific problem or
- to produce one or more specific deliverables (a guideline, standards
- specification, etc.). Working groups are generally expected to be
- short-lived in nature. Upon completion of its goals and achievement
- of its objectives, the working group is terminated. A working group
- may also be terminated for other reasons (see section 4).
- Alternatively, with the concurrence of the IESG, Area Director, the
- WG Chair, and the WG participants, the objectives or assignment of
- the working group may be extended by modifying the working group's
- charter through a rechartering process (see section 5).
-
-2.1. Criteria for formation
-
- When determining whether it is appropriate to create a working group,
- the Area Director(s) and the IESG will consider several issues:
-
- - Are the issues that the working group plans to address clear and
- relevant to the Internet community?
-
- - Are the goals specific and reasonably achievable, and achievable
- within a reasonable time frame?
-
-
-
-Bradner Best Current Practice [Page 4]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- - What are the risks and urgency of the work, to determine the level
- of effort required?
-
- - Do the working group's activities overlap with those of another
- working group? If so, it may still be appropriate to create the
- working group, but this question must be considered carefully by
- the Area Directors as subdividing efforts often dilutes the
- available technical expertise.
-
- - Is there sufficient interest within the IETF in the working
- group's topic with enough people willing to expend the effort to
- produce the desired result (e.g., a protocol specification)?
- Working groups require considerable effort, including management
- of the working group process, editing of working group documents,
- and contributing to the document text. IETF experience suggests
- that these roles typically cannot all be handled by one person; a
- minimum of four or five active participants in the management
- positions are typically required in addition to a minimum of one
- or two dozen people that will attend the working group meetings
- and contribute on the mailing list. NOTE: The interest must be
- broad enough that a working group would not be seen as merely the
- activity of a single vendor.
-
- - Is there enough expertise within the IETF in the working group's
- topic, and are those people interested in contributing in the
- working group?
-
- - Does a base of interested consumers (end-users) appear to exist
- for the planned work? Consumer interest can be measured by
- participation of end-users within the IETF process, as well as by
- less direct means.
-
- - Does the IETF have a reasonable role to play in the determination
- of the technology? There are many Internet-related technologies
- that may be interesting to IETF members but in some cases the IETF
- may not be in a position to effect the course of the technology in
- the "real world". This can happen, for example, if the technology
- is being developed by another standards body or an industry
- consortium.
-
- - Are all known intellectual property rights relevant to the
- proposed working group's efforts issues understood?
-
- - Is the proposed work plan an open IETF effort or is it an attempt
- to "bless" non-IETF technology where the effect of input from IETF
- participants may be limited?
-
-
-
-
-
-Bradner Best Current Practice [Page 5]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- - Is there a good understanding of any existing work that is
- relevant to the topics that the proposed working group is to
- pursue? This includes work within the IETF and elsewhere.
-
- - Do the working group's goals overlap with known work in another
- standards body, and if so is adequate liaison in place?
-
- Considering the above criteria, the Area Director(s), using his or
- her best judgement, will decide whether to pursue the formation of
- the group through the chartering process.
-
-2.2. Charter
-
- The formation of a working group requires a charter which is
- primarily negotiated between a prospective working group Chair and
- the relevant Area Director(s), although final approval is made by the
- IESG with advice from the Internet Architecture Board (IAB). A
- charter is a contract between a working group and the IETF to perform
- a set of tasks. A charter:
-
- 1. Lists relevant administrative information for the working group;
- 2. Specifies the direction or objectives of the working group and
- describes the approach that will be taken to achieve the goals;
- and
- 3. Enumerates a set of milestones together with time frames for their
- completion.
-
- When the prospective Chair(s), the Area Director and the IETF
- Secretariat are satisfied with the charter form and content, it
- becomes the basis for forming a working group. Note that an Area
- Director MAY require holding an exploratory Birds of a Feather (BOF)
- meeting, as described below, to gage the level of support for a
- working group before submitting the charter to the IESG and IAB for
- approval.
-
- Charters may be renegotiated periodically to reflect the current
- status, organization or goals of the working group (see section 5).
- Hence, a charter is a contract between the IETF and the working group
- which is committing to meet explicit milestones and delivering
- specific "products".
-
- Specifically, each charter consists of the following sections:
-
- Working group name
- A working group name should be reasonably descriptive or
- identifiable. Additionally, the group shall define an acronym
- (maximum 8 printable ASCII characters) to reference the group in
- the IETF directories, mailing lists, and general documents.
-
-
-
-Bradner Best Current Practice [Page 6]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- Chair(s)
- The working group may have one or more Chairs to perform the
- administrative functions of the group. The email address(es) of
- the Chair(s) shall be included. Generally, a working group is
- limited to two chairs.
-
- Area and Area Director(s)
- The name of the IETF area with which the working group is
- affiliated and the name and electronic mail address of the
- associated Area Director(s).
-
- Responsible Area Director
- The Area Director who acts as the primary IESG contact for the
- working group.
-
- Mailing list
- An IETF working group MUST have a general Internet mailing list.
- Most of the work of an IETF working group will be conducted on the
- mailing list. The working group charter MUST include:
-
- 1. The address to which a participant sends a subscription request
- and the procedures to follow when subscribing,
-
- 2. The address to which a participant sends submissions and
- special procedures, if any, and
-
- 3. The location of the mailing list archive. A message archive
- MUST be maintained in a public place which can be accessed via
- FTP or via the web.
-
- As a service to the community, the IETF Secretariat operates a
- mailing list archive for working group mailing lists. In order
- to take advantage of this service, working group mailing lists
- MUST include the address "wg_acronym-archive@lists.ietf.org"
- (where "wg_acronym" is the working group acronym) in the
- mailing list in order that a copy of all mailing list messages
- be recorded in the Secretariat's archive. Those archives are
- located at ftp://ftp.ietf.org/ietf-mail-archive. For
- robustness, WGs SHOULD maintain an additional archive separate
- from that maintained by the Secretariat.
-
- Description of working group
- The focus and intent of the group shall be set forth briefly. By
- reading this section alone, an individual should be able to decide
- whether this group is relevant to their own work. The first
- paragraph must give a brief summary of the problem area, basis,
- goal(s) and approach(es) planned for the working group. This
- paragraph can be used as an overview of the working group's
-
-
-
-Bradner Best Current Practice [Page 7]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- effort.
-
- To facilitate evaluation of the intended work and to provide on-
- going guidance to the working group, the charter must describe the
- problem being solved and should discuss objectives and expected
- impact with respect to:
-
- - Architecture
- - Operations
- - Security
- - Network management
- - Scaling
- - Transition (where applicable)
-
- Goals and milestones
- The working group charter MUST establish a timetable for specific
- work items. While this may be renegotiated over time, the list of
- milestones and dates facilitates the Area Director's tracking of
- working group progress and status, and it is indispensable to
- potential participants identifying the critical moments for input.
- Milestones shall consist of deliverables that can be qualified as
- showing specific achievement; e.g., "Internet-Draft finished" is
- fine, but "discuss via email" is not. It is helpful to specify
- milestones for every 3-6 months, so that progress can be gauged
- easily. This milestone list is expected to be updated
- periodically (see section 5).
-
- An example of a WG charter is included as Appendix A.
-
-2.3. Charter review & approval
-
- Proposed working groups often comprise technically competent
- participants who are not familiar with the history of Internet
- architecture or IETF processes. This can, unfortunately, lead to
- good working group consensus about a bad design. To facilitate
- working group efforts, an Area Director may assign a Consultant from
- among the ranks of senior IETF participants. (Consultants are
- described in section 6.) At the discretion of the Area Director,
- approval of a new WG may be withheld in the absence of sufficient
- consultant resources.
-
- Once the Area Director (and the Area Directorate, as the Area
- Director deems appropriate) has approved the working group charter,
- the charter is submitted for review by the IAB and approval by the
- IESG. After a review period of at least a week the proposed charter
- is posted to the IETF-announce mailing list as a public notice that
- the formation of the working group is being considered. At the same
- time the proposed charter is also posted to the "new-work" mailing
-
-
-
-Bradner Best Current Practice [Page 8]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- list. This mailing list has been created to let qualified
- representatives from other standards organizations know about pending
- IETF working groups. After another review period lasting at least a
- week the IESG MAY approve the charter as-is, it MAY request that
- changes be made in the charter, or MAY decline to approve chartering
- of the working group
-
- If the IESG approves the formation of the working group it remands
- the approved charter to the IETF Secretariat who records and enters
- the information into the IETF tracking database. The working group
- is announced to the IETF-announce a by the IETF Secretariat.
-
-2.4. Birds of a Feather (BOF)
-
- Often it is not clear whether an issue merits the formation of a
- working group. To facilitate exploration of the issues the IETF
- offers the possibility of a Birds of a Feather (BOF) session, as well
- as the early formation of an email list for preliminary discussion.
- In addition, a BOF may serve as a forum for a single presentation or
- discussion, without any intent to form a working group.
-
- A BOF is a session at an IETF meeting which permits "market research"
- and technical "brainstorming". Any individual may request permission
- to hold a BOF on a subject. The request MUST be filed with a relevant
- Area Director who must approve a BOF before it can be scheduled. The
- person who requests the BOF may be asked to serve as Chair of the
- BOF.
-
- The Chair of the BOF is also responsible for providing a report on
- the outcome of the BOF. If the Area Director approves, the BOF is
- then scheduled by submitting a request to agenda@ietf.org with copies
- to the Area Director(s). A BOF description and agenda are required
- before a BOF can be scheduled.
-
- Available time for BOFs is limited, and BOFs are held at the
- discretion of the ADs for an area. The AD(s) may require additional
- assurances before authorizing a BOF. For example,
-
- - The Area Director MAY require the establishment of an open email
- list prior to authorizing a BOF. This permits initial exchanges
- and sharing of framework, vocabulary and approaches, in order to
- make the time spent in the BOF more productive.
-
- - The Area Director MAY require that a BOF be held, prior to
- establishing a working group (see section 2.2).
-
- - The Area Director MAY require that there be a draft of the WG
- charter prior to holding a BOF.
-
-
-
-Bradner Best Current Practice [Page 9]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- - The Area Director MAY require that a BOF not be held until an
- Internet-Draft describing the proposed technology has been
- published so it can be used as a basis for discussion in the BOF.
-
- In general, a BOF on a particular topic is held only once (ONE slot
- at one IETF Plenary meeting). Under unusual circumstances Area
- Directors may, at their discretion, allow a BOF to meet for a second
- time. BOFs are not permitted to meet three times. Note that all
- other things being equal, WGs will be given priority for meeting
- space over BOFs. Also, occasionally BOFs may be held for other
- purposes than to discuss formation of a working group.
-
- Usually the outcome of a BOF will be one of the following:
-
- - There was enough interest and focus in the subject to warrant the
- formation of a WG;
-
- - While there was a reasonable level of interest expressed in the
- BOF some other criteria for working group formation was not met
- (see section 2.1).
-
- - The discussion came to a fruitful conclusion, with results to be
- written down and published, however there is no need to establish
- a WG; or
-
- - There was not enough interest in the subject to warrant the
- formation of a WG.
-
-3. Working Group Operation
-
- The IETF has basic requirements for open and fair participation and
- for thorough consideration of technical alternatives. Within those
- constraints, working groups are autonomous and each determines most
- of the details of its own operation with respect to session
- participation, reaching closure, etc. The core rule for operation is
- that acceptance or agreement is achieved via working group "rough
- consensus". WG participants should specifically note the
- requirements for disclosure of conflicts of interest in [2].
-
- A number of procedural questions and issues will arise over time, and
- it is the function of the Working Group Chair(s) to manage the group
- process, keeping in mind that the overall purpose of the group is to
- make progress towards reaching rough consensus in realizing the
- working group's goals and objectives.
-
- There are few hard and fast rules on organizing or conducting working
- group activities, but a set of guidelines and practices has evolved
- over time that have proven successful. These are listed here, with
-
-
-
-Bradner Best Current Practice [Page 10]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- actual choices typically determined by the working group participants
- and the Chair(s).
-
-3.1. Session planning
-
- For coordinated, structured WG interactions, the Chair(s) MUST
- publish a draft agenda well in advance of the actual session. The
- agenda should contain at least:
-
- - The items for discussion;
- - The estimated time necessary per item; and
- - A clear indication of what documents the participants will need to
- read before the session in order to be well prepared.
-
- Publication of the working group agenda shall include sending a copy
- of the agenda to the working group mailing list and to
- agenda@ietf.org.
-
- All working group actions shall be taken in a public forum, and wide
- participation is encouraged. A working group will conduct much of its
- business via electronic mail distribution lists but may meet
- periodically to discuss and review task status and progress, to
- resolve specific issues and to direct future activities. IETF
- Plenary meetings are the primary venue for these face-to-face working
- group sessions, and it is common (though not required) that active
- "interim" face-to-face meetings, telephone conferences, or video
- conferences may also be held. Interim meetings are subject to the
- same rules for advance notification, reporting, open participation,
- and process, which apply to other working group meetings.
-
- All working group sessions (including those held outside of the IETF
- meetings) shall be reported by making minutes available. These
- minutes should include the agenda for the session, an account of the
- discussion including any decisions made, and a list of attendees. The
- Working Group Chair is responsible for insuring that session minutes
- are written and distributed, though the actual task may be performed
- by someone designated by the Working Group Chair. The minutes shall
- be submitted in printable ASCII text for publication in the IETF
- Proceedings, and for posting in the IETF Directories and are to be
- sent to: minutes@ietf.org
-
-3.2. Session venue
-
- Each working group will determine the balance of email and face-to-
- face sessions that is appropriate for achieving its milestones.
- Electronic mail permits the widest participation; face-to-face
- meetings often permit better focus and therefore can be more
- efficient for reaching a consensus among a core of the working group
-
-
-
-Bradner Best Current Practice [Page 11]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- participants. In determining the balance, the WG must ensure that
- its process does not serve to exclude contribution by email-only
- participants. Decisions reached during a face-to-face meeting about
- topics or issues which have not been discussed on the mailing list,
- or are significantly different from previously arrived mailing list
- consensus MUST be reviewed on the mailing list.
-
- IETF Meetings
- If a WG needs a session at an IETF meeting, the Chair must apply for
- time-slots as soon as the first announcement of that IETF meeting is
- made by the IETF Secretariat to the WG-chairs list. Session time is
- a scarce resource at IETF meetings, so placing requests early will
- facilitate schedule coordination for WGs requiring the same set of
- experts.
-
- The application for a WG session at an IETF meeting MUST be made to
- the IETF Secretariat at the address agenda@ietf.org. Some Area
- Directors may want to coordinate WG sessions in their area and
- request that time slots be coordinated through them. If this is the
- case it will be noted in the IETF meeting announcement. A WG
- scheduling request MUST contain:
-
- - The working group name and full title;
- - The amount of time requested;
- - The rough outline of the WG agenda that is expected to be covered;
- - The estimated number of people that will attend the WG session;
- - Related WGs that should not be scheduled for the same time slot(s);
- and
- - Optionally a request can be added for the WG session to be
- transmitted over the Internet in audio and video.
-
- NOTE: While open discussion and contribution is essential to working
- group success, the Chair is responsible for ensuring forward
- progress. When acceptable to the WG, the Chair may call for
- restricted participation (but not restricted attendance!) at IETF
- working group sessions for the purpose of achieving progress. The
- Working Group Chair then has the authority to refuse to grant the
- floor to any individual who is unprepared or otherwise covering
- inappropriate material, or who, in the opinion of the Chair is
- disrupting the WG process. The Chair should consult with the Area
- Director(s) if the individual persists in disruptive behavior.
-
- On-line
- It can be quite useful to conduct email exchanges in the same manner
- as a face-to-face session, with published schedule and agenda, as
- well as on-going summarization and consensus polling.
-
-
-
-
-
-Bradner Best Current Practice [Page 12]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- Many working group participants hold that mailing list discussion is
- the best place to consider and resolve issues and make decisions. The
- choice of operational style is made by the working group itself. It
- is important to note, however, that Internet email discussion is
- possible for a much wider base of interested persons than is
- attendance at IETF meetings, due to the time and expense required to
- attend.
-
- As with face-to-face sessions occasionally one or more individuals
- may engage in behavior on a mailing list which disrupts the WG's
- progress. In these cases the Chair should attempt to discourage the
- behavior by communication directly with the offending individual
- rather than on the open mailing list. If the behavior persists then
- the Chair must involve the Area Director in the issue. As a last
- resort and after explicit warnings, the Area Director, with the
- approval of the IESG, may request that the mailing list maintainer
- block the ability of the offending individual to post to the mailing
- list. (If the mailing list software permits this type of operation.)
- Even if this is done, the individual must not be prevented from
- receiving messages posted to the list. Other methods of mailing list
- control may be considered but must be approved by the AD(s) and the
- IESG.
-
-3.3. Session management
-
- Working groups make decisions through a "rough consensus" process.
- IETF consensus does not require that all participants agree although
- this is, of course, preferred. In general, the dominant view of the
- working group shall prevail. (However, it must be noted that
- "dominance" is not to be determined on the basis of volume or
- persistence, but rather a more general sense of agreement.) Consensus
- can be determined by a show of hands, humming, or any other means on
- which the WG agrees (by rough consensus, of course). Note that 51%
- of the working group does not qualify as "rough consensus" and 99% is
- better than rough. It is up to the Chair to determine if rough
- consensus has been reached.
-
- It can be particularly challenging to gauge the level of consensus on
- a mailing list. There are two different cases where a working group
- may be trying to understand the level of consensus via a mailing list
- discussion. But in both cases the volume of messages on a topic is
- not, by itself, a good indicator of consensus since one or two
- individuals may be generating much of the traffic.
-
- In the case where a consensus which has been reached during a face-
- to-face meeting is being verified on a mailing list the people who
- were in the meeting and expressed agreement must be taken into
- account. If there were 100 people in a meeting and only a few people
-
-
-
-Bradner Best Current Practice [Page 13]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- on the mailing list disagree with the consensus of the meeting then
- the consensus should be seen as being verified. Note that enough
- time should be given to the verification process for the mailing list
- readers to understand and consider any objections that may be raised
- on the list. The normal two week last-call period should be
- sufficient for this.
-
- The other case is where the discussion has been held entirely over
- the mailing list. The determination of the level of consensus may be
- harder to do in this case since most people subscribed to mailing
- lists do not actively participate in discussions on the list. It is
- left to the discretion of the working group chair how to evaluate the
- level of consensus. The most common method used is for the working
- group chair to state what he or she believes to be the consensus view
- and. at the same time, requests comments from the list about the
- stated conclusion.
-
- The challenge to managing working group sessions is to balance the
- need for open and fair consideration of the issues against the need
- to make forward progress. The working group, as a whole, has the
- final responsibility for striking this balance. The Chair has the
- responsibility for overseeing the process but may delegate direct
- process management to a formally-designated Facilitator.
-
- It is occasionally appropriate to revisit a topic, to re-evaluate
- alternatives or to improve the group's understanding of a relevant
- decision. However, unnecessary repeated discussions on issues can be
- avoided if the Chair makes sure that the main arguments in the
- discussion (and the outcome) are summarized and archived after a
- discussion has come to conclusion. It is also good practice to note
- important decisions/consensus reached by email in the minutes of the
- next 'live' session, and to summarize briefly the decision-making
- history in the final documents the WG produces.
-
- To facilitate making forward progress, a Working Group Chair may wish
- to decide to reject or defer the input from a member, based upon the
- following criteria:
-
- Old
- The input pertains to a topic that already has been resolved and is
- redundant with information previously available;
-
- Minor
- The input is new and pertains to a topic that has already been
- resolved, but it is felt to be of minor import to the existing
- decision;
-
-
-
-
-
-Bradner Best Current Practice [Page 14]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- Timing
- The input pertains to a topic that the working group has not yet
- opened for discussion; or
-
- Scope
- The input is outside of the scope of the working group charter.
-
-3.4. Contention and appeals
-
- Disputes are possible at various stages during the IETF process. As
- much as possible the process is designed so that compromises can be
- made, and genuine consensus achieved; however, there are times when
- even the most reasonable and knowledgeable people are unable to
- agree. To achieve the goals of openness and fairness, such conflicts
- must be resolved by a process of open review and discussion.
-
- Formal procedures for requesting a review of WG, Chair, Area Director
- or IESG actions and conducting appeals are documented in The Internet
- Standards Process [1].
-
-4. Working Group Termination
-
- Working groups are typically chartered to accomplish a specific task
- or tasks. After the tasks are complete, the group will be disbanded.
- However, if a WG produces a Proposed or Draft Standard, the WG will
- frequently become dormant rather than disband (i.e., the WG will no
- longer conduct formal activities, but the mailing list will remain
- available to review the work as it moves to Draft Standard and
- Standard status.)
-
- If, at some point, it becomes evident that a working group is unable
- to complete the work outlined in the charter, or if the assumptions
- which that work was based have been modified in discussion or by
- experience, the Area Director, in consultation with the working group
- can either:
-
- 1. Recharter to refocus its tasks,
- 2. Choose new Chair(s), or
- 3. Disband.
-
- If the working group disagrees with the Area Director's choice, it
- may appeal to the IESG (see section 3.4).
-
-5. Rechartering a Working Group
-
- Updated milestones are renegotiated with the Area Director and the
- IESG, as needed, and then are submitted to the IESG Secretariat:
- iesg-secretary@ietf.org.
-
-
-
-Bradner Best Current Practice [Page 15]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- Rechartering (other than revising milestones) a working group follows
- the same procedures that the initial chartering does (see section 2).
- The revised charter must be submitted to the IESG and IAB for
- approval. As with the initial chartering, the IESG may approve new
- charter as-is, it may request that changes be made in the new charter
- (including having the Working Group continue to use the old charter),
- or it may decline to approve the rechartered working group. In the
- latter case, the working group is disbanded.
-
-6. Staff Roles
-
- Working groups require considerable care and feeding. In addition to
- general participation, successful working groups benefit from the
- efforts of participants filling specific functional roles. The Area
- Director must agree to the specific people performing the WG Chair,
- and Working Group Consultant roles, and they serve at the discretion
- of the Area Director.
-
-6.1. WG Chair
-
- The Working Group Chair is concerned with making forward progress
- through a fair and open process, and has wide discretion in the
- conduct of WG business. The Chair must ensure that a number of tasks
- are performed, either directly or by others assigned to the tasks.
-
- The Chair has the responsibility and the authority to make decisions,
- on behalf of the working group, regarding all matters of working
- group process and staffing, in conformance with the rules of the
- IETF. The AD has the authority and the responsibility to assist in
- making those decisions at the request of the Chair or when
- circumstances warrant such an intervention.
-
- The Chair's responsibility encompasses at least the following:
-
- Ensure WG process and content management
-
- The Chair has ultimate responsibility for ensuring that a working
- group achieves forward progress and meets its milestones. The
- Chair is also responsible to ensure that the working group
- operates in an open and fair manner. For some working groups,
- this can be accomplished by having the Chair perform all
- management-related activities. In other working groups --
- particularly those with large or divisive participation -- it is
- helpful to allocate process and/or secretarial functions to other
- participants. Process management pertains strictly to the style
- of working group interaction and not to its content. It ensures
- fairness and detects redundancy. The secretarial function
- encompasses document editing. It is quite common for a working
-
-
-
-Bradner Best Current Practice [Page 16]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- group to assign the task of specification Editor to one or two
- participants. Sometimes, they also are part of the design team,
- described below.
-
- Moderate the WG email list
-
- The Chair should attempt to ensure that the discussions on this
- list are relevant and that they converge to consensus agreements.
- The Chair should make sure that discussions on the list are
- summarized and that the outcome is well documented (to avoid
- repetition). The Chair also may choose to schedule organized on-
- line "sessions" with agenda and deliverables. These can be
- structured as true meetings, conducted over the course of several
- days (to allow participation across the Internet).
-
- Organize, prepare and chair face-to-face and on-line formal
- sessions.
-
- Plan WG Sessions
-
- The Chair must plan and announce all WG sessions well in advance
- (see section 3.1).
-
- Communicate results of sessions
-
- The Chair and/or Secretary must ensure that minutes of a session
- are taken and that an attendance list is circulated (see section
- 3.1).
-
- Immediately after a session, the WG Chair MUST provide the Area
- Director with a very short report (approximately one paragraph,
- via email) on the session.
-
- Distribute the workload
-
- Of course, each WG will have participants who may not be able (or
- want) to do any work at all. Most of the time the bulk of the work
- is done by a few dedicated participants. It is the task of the
- Chair to motivate enough experts to allow for a fair distribution
- of the workload.
-
- Document development
-
- Working groups produce documents and documents need authors. The
- Chair must make sure that authors of WG documents incorporate
- changes as agreed to by the WG (see section 6.3).
-
-
-
-
-
-Bradner Best Current Practice [Page 17]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- Document publication
-
- The Chair and/or Document Editor will work with the RFC Editor to
- ensure document conformance with RFC publication requirements [5]
- and to coordinate any editorial changes suggested by the RFC
- Editor. A particular concern is that all participants are working
- from the same version of a document at the same time.
-
- Document implementations
-
- Under the procedures described in [1], the Chair is responsible
- for documenting the specific implementations which qualify the
- specification for Draft or Internet Standard status along with
- documentation about testing of the interoperation of these
- implementations.
-
-6.2. WG Secretary
-
- Taking minutes and editing working group documents often is performed
- by a specifically-designated participant or set of participants. In
- this role, the Secretary's job is to record WG decisions, rather than
- to perform basic specification.
-
-6.3. Document Editor
-
- Most IETF working groups focus their efforts on a document, or set of
- documents, that capture the results of the group's work. A working
- group generally designates a person or persons to serve as the Editor
- for a particular document. The Document Editor is responsible for
- ensuring that the contents of the document accurately reflect the
- decisions that have been made by the working group.
-
- As a general practice, the Working Group Chair and Document Editor
- positions are filled by different individuals to help ensure that the
- resulting documents accurately reflect the consensus of the working
- group and that all processes are followed.
-
-6.4. WG Facilitator
-
- When meetings tend to become distracted or divisive, it often is
- helpful to assign the task of "process management" to one
- participant. Their job is to oversee the nature, rather than the
- content, of participant interactions. That is, they attend to the
- style of the discussion and to the schedule of the agenda, rather
- than making direct technical contributions themselves.
-
-
-
-
-
-
-Bradner Best Current Practice [Page 18]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
-6.5. Design teams
-
- It is often useful, and perhaps inevitable, for a sub-group of a
- working group to develop a proposal to solve a particular problem.
- Such a sub-group is called a design team. In order for a design team
- to remain small and agile, it is acceptable to have closed membership
- and private meetings. Design teams may range from an informal chat
- between people in a hallway to a formal set of expert volunteers that
- the WG chair or AD appoints to attack a controversial problem. The
- output of a design team is always subject to approval, rejection or
- modification by the WG as a whole.
-
-6.6. Working Group Consultant
-
- At the discretion of the Area Director, a Consultant may be assigned
- to a working group. Consultants have specific technical background
- appropriate to the WG and experience in Internet architecture and
- IETF process.
-
-6.7. Area Director
-
- Area Directors are responsible for ensuring that working groups in
- their area produce coherent, coordinated, architecturally consistent
- and timely output as a contribution to the overall results of the
- IETF.
-
-7. Working Group Documents
-
-7.1. Session documents
-
- All relevant documents to be discussed at a session should be
- published and available as Internet-Drafts at least two weeks before
- a session starts. Any document which does not meet this publication
- deadline can only be discussed in a working group session with the
- specific approval of the working group chair(s). Since it is
- important that working group members have adequate time to review all
- documents, granting such an exception should only be done under
- unusual conditions. The final session agenda should be posted to the
- working group mailing list at least two weeks before the session and
- sent at that time to agenda@ietf.org for publication on the IETF web
- site.
-
-7.2. Internet-Drafts (I-D)
-
- The Internet-Drafts directory is provided to working groups as a
- resource for posting and disseminating in-process copies of working
- group documents. This repository is replicated at various locations
- around the Internet. It is encouraged that draft documents be posted
-
-
-
-Bradner Best Current Practice [Page 19]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- as soon as they become reasonably stable.
-
- It is stressed here that Internet-Drafts are working documents and
- have no official standards status whatsoever. They may, eventually,
- turn into a standards-track document or they may sink from sight.
- Internet-Drafts are submitted to: internet-drafts@ietf.org
-
- The format of an Internet-Draft must be the same as for an RFC [2].
- Further, an I-D must contain:
-
- - Beginning, standard, boilerplate text which is provided by the
- Secretariat on their web site and in the ftp directory;
- - The I-D filename; and
- - The expiration date for the I-D.
-
- Complete specification of requirements for an Internet-Draft are
- found in the file "1id-guidelines.txt" in the Internet-Drafts
- directory at an Internet Repository site. The organization of the
- Internet-Drafts directory is found in the file "1id-organization" in
- the Internet-Drafts directory at an Internet Repository site. This
- file also contains the rules for naming Internet-Drafts. (See [1]
- for more information about Internet-Drafts.)
-
-7.3. Request For Comments (RFC)
-
- The work of an IETF working group often results in publication of one
- or more documents, as part of the Request For Comments (RFCs) [1]
- series. This series is the archival publication record for the
- Internet community. A document can be written by an individual in a
- working group, by a group as a whole with a designated Editor, or by
- others not involved with the IETF.
-
- NOTE: The RFC series is a publication mechanism only and publication
- does not determine the IETF status of a document. Status is
- determined through separate, explicit status labels assigned by the
- IESG on behalf of the IETF. In other words, the reader is reminded
- that all Internet Standards are published as RFCs, but NOT all RFCs
- specify standards [4].
-
-7.4. Working Group Last-Call
-
- When a WG decides that a document is ready for publication it may be
- submitted to the IESG for consideration. In most cases the
- determination that a WG feels that a document is ready for
- publication is done by the WG Chair issuing a working group Last-
- Call. The decision to issue a working group Last-Call is at the
- discretion of the WG Chair working with the Area Director. A working
- group Last-Call serves the same purpose within a working group that
-
-
-
-Bradner Best Current Practice [Page 20]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- an IESG Last-Call does in the broader IETF community (see [1]).
-
-7.5. Submission of documents
-
- Once that a WG has determined at least rough consensus exists within
- the WG for the advancement of a document the following must be done:
-
- - The version of the relevant document exactly as agreed to by the WG
- MUST be in the Internet-Drafts directory.
-
- - The relevant document MUST be formatted according to section 7.3.
-
- - The WG Chair MUST send email to the relevant Area Director. A copy
- of the request MUST be also sent to the IESG Secretariat. The mail
- MUST contain the reference to the document's ID filename, and the
- action requested. The copy of the message to the IESG Secretariat
- is to ensure that the request gets recorded by the Secretariat so
- that they can monitor the progress of the document through the
- process.
-
- Unless returned by the IESG to the WG for further development,
- progressing of the document is then the responsibility of the IESG.
- After IESG approval, responsibility for final disposition is the
- joint responsibility of the RFC Editor, the WG Chair and the Document
- Editor.
-
-8. Review of documents
-
- The IESG reviews all documents submitted for publication as RFCs.
- Usually minimal IESG review is necessary in the case of a submission
- from a WG intended as an Informational or Experimental RFC. More
- extensive review is undertaken in the case of standards-track
- documents.
-
- Prior to the IESG beginning their deliberations on standards-track
- documents, IETF Secretariat will issue a "Last-Call" to the IETF
- mailing list (see [1]). This Last Call will announce the intention of
- the IESG to consider the document, and it will solicit final comments
- from the IETF within a period of two weeks. It is important to note
- that a Last-Call is intended as a brief, final check with the
- Internet community, to make sure that no important concerns have been
- missed or misunderstood. The Last-Call should not serve as a more
- general, in-depth review.
-
- The IESG review takes into account responses to the Last-Call and
- will lead to one of these possible conclusions:
-
-
-
-
-
-Bradner Best Current Practice [Page 21]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- 1. The document is accepted as is for the status requested.
- This fact will be announced by the IETF Secretariat to the IETF
- mailing list and to the RFC Editor.
-
- 2. The document is accepted as-is but not for the status requested.
- This fact will be announced by the IETF Secretariat to the IETF
- mailing list and to the RFC Editor (see [1] for more details).
-
- 3. Changes regarding content are suggested to the author(s)/WG.
- Suggestions from the IESG must be clear and direct, so as to
- facilitate working group and author correction of the
- specification. If the author(s)/WG can explain to the
- satisfaction of the IESG why the changes are not necessary, the
- document will be accepted for publication as under point 1, above.
- If the changes are made the revised document may be resubmitted
- for IESG review.
-
- 4. Changes are suggested by the IESG and a change in status is
- recommended.
- The process described above for 3 and 2 are followed in that
- order.
-
- 5. The document is rejected.
- Any document rejection will be accompanied by specific and
- thorough arguments from the IESG. Although the IETF and working
- group process is structured such that this alternative is not
- likely to arise for documents coming from a working group, the
- IESG has the right and responsibility to reject documents that the
- IESG feels are fatally flawed in some way.
-
- If any individual or group of individuals feels that the review
- treatment has been unfair, there is the opportunity to make a
- procedural complaint. The mechanism for this type of complaints is
- described in [1].
-
-9. Security Considerations
-
- Documents describing IETF processes, such as this one, do not have an
- impact on the security of the network infrastructure or of Internet
- applications.
-
- It should be noted that all IETF working groups are required to
- examine and understand the security implications of any technology
- they develop. This analysis must be included in any resulting RFCs
- in a Security Considerations section. Note that merely noting a
- significant security hole is no longer sufficient. IETF developed
- technologies should not add insecurity to the environment in which
- they are run.
-
-
-
-Bradner Best Current Practice [Page 22]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
-10. Acknowledgments
-
- This revision of this document relies heavily on the previous version
- (RFC 1603) which was edited by Erik Huizer and Dave Crocker. It has
- been reviewed by the Poisson Working Group.
-
-11. References
-
- [1] Bradner, S., Editor, "The Internet Standards Process -- Revision
- 3", BCP 9, RFC 2026, October 1996.
-
- [2] Hovey, R., and S. Bradner, "The Organizations involved in the
- IETF Standards Process", BCP 11, RFC 2028, October 1996.
-
- [3] Gavin, J., "IAB and IESG Selection, Confirmation, and Recall
- Process: Operation of the Nominating and Recall Committees", BCP
- 10, RFC 2282, February 1998.
-
- [4] Huitema, C., J. Postel, S. Crocker, "Not all RFCs are Standards",
- RFC 1796, April 1995.
-
- [5] Postel, J., and J. Reynolds, "Instructions to RFC Authors", RFC
- 2223, October 1997.
-
- [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Level", BCP 14, RFC 2119, March 1997.
-
-
-12. Editor's Address
-
- Scott Bradner
- Harvard University
- 1350 Mass Ave.
- Cambridge MA
- 02138
- USA
-
- Phone +1 617 495 3864
- EMail: sob@harvard.edu
-
-
-
-
-
-
-
-
-
-
-
-
-Bradner Best Current Practice [Page 23]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- Appendix: Sample Working Group Charter
-
- Working Group Name:
- IP Telephony (iptel)
-
- IETF Area:
- Transport Area
-
- Chair(s):
- Jonathan Rosenberg <jdrosen@bell-labs.com>
-
- Transport Area Director(s):
- Scott Bradner <sob@harvard.edu>
- Allyn Romanow <allyn@mci.net>
-
- Responsible Area Director:
- Allyn Romanow <allyn@mci.net>
-
- Mailing Lists:
- General Discussion:iptel@lists.research.bell-labs.com
- To Subscribe: iptel-request@lists.research.bell-labs.com
- Archive: http://www.bell-labs.com/mailing-lists/siptel
-
- Description of Working Group:
-
- Before Internet telephony can become a widely deployed service, a
- number of protocols must be deployed. These include signaling and
- capabilities exchange, but also include a number of "peripheral"
- protocols for providing related services.
-
- The primary purpose of this working group is to develop two such
- supportive protocols and a frameword document. They are:
-
- 1. Call Processing Syntax. When a call is setup between two
- endpoints, the signaling will generally pass through several servers
- (such as an H.323 gatekeeper) which are responsible for forwarding,
- redirecting, or proxying the signaling messages. For example, a user
- may make a call to j.doe@bigcompany.com. The signaling message to
- initiate the call will arrive at some server at bigcompany. This
- server can inform the caller that the callee is busy, forward the
- call initiation request to another server closer to the user, or drop
- the call completely (among other possibilities). It is very desirable
- to allow the callee to provide input to this process, guiding the
- server in its decision on how to act. This can enable a wide variety
- of advanced personal mobility and call agent services.
-
-
-
-
-
-
-Bradner Best Current Practice [Page 24]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
- Such preferences can be expressed in a call processing syntax, which
- can be authored by the user (or generated automatically by some
- tool), and then uploaded to the server. The group will develop this
- syntax, and specify means of securely transporting and extending it.
- The result will be a single standards track RFC.
-
- 2. In addition, the group will write a service model document, which
- describes the services that are enabled by the call processing
- syntax, and discusses how the syntax can be used. This document will
- result in a single RFC.
-
- 3. Gateway Attribute Distribution Protocol. When making a call
- between an IP host and a PSTN user, a telephony gateway must be used.
- The selection of such gateways can be based on many criteria,
- including client expressed preferences, service provider preferences,
- and availability of gateways, in addition to destination telephone
- number. Since gateways outside of the hosts' administrative domain
- might be used, a protocol is required to allow gateways in remote
- domains to distribute their attributes (such as PSTN connectivity,
- supported codecs, etc.) to entities in other domains which must make
- a selection of a gateway. The protocol must allow for scalable,
- bandwidth efficient, and very secure transmission of these
- attributes. The group will investigate and design a protocol for this
- purpose, generate an Internet Draft, and advance it to RFC as
- appropriate.
-
- Goals and Milestones:
-
- May 98 Issue first Internet-Draft on service framework
- Jul 98 Submit framework ID to IESG for publication as an RFC.
- Aug 98 Issue first Internet-Draft on Call Processing Syntax
- Oct 98 Submit Call processing syntax to IESG for consideration
- as a Proposed Standard.
- Dec 98 Achieve consensus on basics of gateway attribute
- distribution protocol
- Jan 99 Submit Gateway Attribute Distribution protocol to IESG
- for consideration as a RFC (info, exp, stds track TB
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bradner Best Current Practice [Page 25]
-
-RFC 2418 Working Group Guidelines September 1998
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1998). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bradner Best Current Practice [Page 26]
-
diff --git a/contrib/bind9/doc/rfc/rfc2535.txt b/contrib/bind9/doc/rfc/rfc2535.txt
deleted file mode 100644
index fe0b3d07f4ae..000000000000
--- a/contrib/bind9/doc/rfc/rfc2535.txt
+++ /dev/null
@@ -1,2635 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake
-Request for Comments: 2535 IBM
-Obsoletes: 2065 March 1999
-Updates: 2181, 1035, 1034
-Category: Standards Track
-
- Domain Name System Security Extensions
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- Extensions to the Domain Name System (DNS) are described that provide
- data integrity and authentication to security aware resolvers and
- applications through the use of cryptographic digital signatures.
- These digital signatures are included in secured zones as resource
- records. Security can also be provided through non-security aware
- DNS servers in some cases.
-
- The extensions provide for the storage of authenticated public keys
- in the DNS. This storage of keys can support general public key
- distribution services as well as DNS security. The stored keys
- enable security aware resolvers to learn the authenticating key of
- zones in addition to those for which they are initially configured.
- Keys associated with DNS names can be retrieved to support other
- protocols. Provision is made for a variety of key types and
- algorithms.
-
- In addition, the security extensions provide for the optional
- authentication of DNS protocol transactions and requests.
-
- This document incorporates feedback on RFC 2065 from early
- implementers and potential users.
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 1]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-Acknowledgments
-
- The significant contributions and suggestions of the following
- persons (in alphabetic order) to DNS security are gratefully
- acknowledged:
-
- James M. Galvin
- John Gilmore
- Olafur Gudmundsson
- Charlie Kaufman
- Edward Lewis
- Thomas Narten
- Radia J. Perlman
- Jeffrey I. Schiller
- Steven (Xunhua) Wang
- Brian Wellington
-
-Table of Contents
-
- Abstract...................................................1
- Acknowledgments............................................2
- 1. Overview of Contents....................................4
- 2. Overview of the DNS Extensions..........................5
- 2.1 Services Not Provided..................................5
- 2.2 Key Distribution.......................................5
- 2.3 Data Origin Authentication and Integrity...............6
- 2.3.1 The SIG Resource Record..............................7
- 2.3.2 Authenticating Name and Type Non-existence...........7
- 2.3.3 Special Considerations With Time-to-Live.............7
- 2.3.4 Special Considerations at Delegation Points..........8
- 2.3.5 Special Considerations with CNAME....................8
- 2.3.6 Signers Other Than The Zone..........................9
- 2.4 DNS Transaction and Request Authentication.............9
- 3. The KEY Resource Record................................10
- 3.1 KEY RDATA format......................................10
- 3.1.1 Object Types, DNS Names, and Keys...................11
- 3.1.2 The KEY RR Flag Field...............................11
- 3.1.3 The Protocol Octet..................................13
- 3.2 The KEY Algorithm Number Specification................14
- 3.3 Interaction of Flags, Algorithm, and Protocol Bytes...15
- 3.4 Determination of Zone Secure/Unsecured Status.........15
- 3.5 KEY RRs in the Construction of Responses..............17
- 4. The SIG Resource Record................................17
- 4.1 SIG RDATA Format......................................17
- 4.1.1 Type Covered Field..................................18
- 4.1.2 Algorithm Number Field..............................18
- 4.1.3 Labels Field........................................18
- 4.1.4 Original TTL Field..................................19
-
-
-
-Eastlake Standards Track [Page 2]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 4.1.5 Signature Expiration and Inception Fields...........19
- 4.1.6 Key Tag Field.......................................20
- 4.1.7 Signer's Name Field.................................20
- 4.1.8 Signature Field.....................................20
- 4.1.8.1 Calculating Transaction and Request SIGs..........21
- 4.2 SIG RRs in the Construction of Responses..............21
- 4.3 Processing Responses and SIG RRs......................22
- 4.4 Signature Lifetime, Expiration, TTLs, and Validity....23
- 5. Non-existent Names and Types...........................24
- 5.1 The NXT Resource Record...............................24
- 5.2 NXT RDATA Format......................................25
- 5.3 Additional Complexity Due to Wildcards................26
- 5.4 Example...............................................26
- 5.5 Special Considerations at Delegation Points...........27
- 5.6 Zone Transfers........................................27
- 5.6.1 Full Zone Transfers.................................28
- 5.6.2 Incremental Zone Transfers..........................28
- 6. How to Resolve Securely and the AD and CD Bits.........29
- 6.1 The AD and CD Header Bits.............................29
- 6.2 Staticly Configured Keys..............................31
- 6.3 Chaining Through The DNS..............................31
- 6.3.1 Chaining Through KEYs...............................31
- 6.3.2 Conflicting Data....................................33
- 6.4 Secure Time...........................................33
- 7. ASCII Representation of Security RRs...................34
- 7.1 Presentation of KEY RRs...............................34
- 7.2 Presentation of SIG RRs...............................35
- 7.3 Presentation of NXT RRs...............................36
- 8. Canonical Form and Order of Resource Records...........36
- 8.1 Canonical RR Form.....................................36
- 8.2 Canonical DNS Name Order..............................37
- 8.3 Canonical RR Ordering Within An RRset.................37
- 8.4 Canonical Ordering of RR Types........................37
- 9. Conformance............................................37
- 9.1 Server Conformance....................................37
- 9.2 Resolver Conformance..................................38
- 10. Security Considerations...............................38
- 11. IANA Considerations...................................39
- References................................................39
- Author's Address..........................................41
- Appendix A: Base 64 Encoding..............................42
- Appendix B: Changes from RFC 2065.........................44
- Appendix C: Key Tag Calculation...........................46
- Full Copyright Statement..................................47
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 3]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-1. Overview of Contents
-
- This document standardizes extensions of the Domain Name System (DNS)
- protocol to support DNS security and public key distribution. It
- assumes that the reader is familiar with the Domain Name System,
- particularly as described in RFCs 1033, 1034, 1035 and later RFCs. An
- earlier version of these extensions appears in RFC 2065. This
- replacement for that RFC incorporates early implementation experience
- and requests from potential users.
-
- Section 2 provides an overview of the extensions and the key
- distribution, data origin authentication, and transaction and request
- security they provide.
-
- Section 3 discusses the KEY resource record, its structure, and use
- in DNS responses. These resource records represent the public keys
- of entities named in the DNS and are used for key distribution.
-
- Section 4 discusses the SIG digital signature resource record, its
- structure, and use in DNS responses. These resource records are used
- to authenticate other resource records in the DNS and optionally to
- authenticate DNS transactions and requests.
-
- Section 5 discusses the NXT resource record (RR) and its use in DNS
- responses including full and incremental zone transfers. The NXT RR
- permits authenticated denial of the existence of a name or of an RR
- type for an existing name.
-
- Section 6 discusses how a resolver can be configured with a starting
- key or keys and proceed to securely resolve DNS requests.
- Interactions between resolvers and servers are discussed for various
- combinations of security aware and security non-aware. Two
- additional DNS header bits are defined for signaling between
- resolvers and servers.
-
- Section 7 describes the ASCII representation of the security resource
- records for use in master files and elsewhere.
-
- Section 8 defines the canonical form and order of RRs for DNS
- security purposes.
-
- Section 9 defines levels of conformance for resolvers and servers.
-
- Section 10 provides a few paragraphs on overall security
- considerations.
-
- Section 11 specified IANA considerations for allocation of additional
- values of paramters defined in this document.
-
-
-
-Eastlake Standards Track [Page 4]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- Appendix A gives details of base 64 encoding which is used in the
- file representation of some RRs defined in this document.
-
- Appendix B summarizes changes between this memo and RFC 2065.
-
- Appendix C specified how to calculate the simple checksum used as a
- key tag in most SIG RRs.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-2. Overview of the DNS Extensions
-
- The Domain Name System (DNS) protocol security extensions provide
- three distinct services: key distribution as described in Section 2.2
- below, data origin authentication as described in Section 2.3 below,
- and transaction and request authentication, described in Section 2.4
- below.
-
- Special considerations related to "time to live", CNAMEs, and
- delegation points are also discussed in Section 2.3.
-
-2.1 Services Not Provided
-
- It is part of the design philosophy of the DNS that the data in it is
- public and that the DNS gives the same answers to all inquirers.
- Following this philosophy, no attempt has been made to include any
- sort of access control lists or other means to differentiate
- inquirers.
-
- No effort has been made to provide for any confidentiality for
- queries or responses. (This service may be available via IPSEC [RFC
- 2401], TLS, or other security protocols.)
-
- Protection is not provided against denial of service.
-
-2.2 Key Distribution
-
- A resource record format is defined to associate keys with DNS names.
- This permits the DNS to be used as a public key distribution
- mechanism in support of DNS security itself and other protocols.
-
- The syntax of a KEY resource record (RR) is described in Section 3.
- It includes an algorithm identifier, the actual public key
- parameter(s), and a variety of flags including those indicating the
- type of entity the key is associated with and/or asserting that there
- is no key associated with that entity.
-
-
-
-Eastlake Standards Track [Page 5]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- Under conditions described in Section 3.5, security aware DNS servers
- will automatically attempt to return KEY resources as additional
- information, along with those resource records actually requested, to
- minimize the number of queries needed.
-
-2.3 Data Origin Authentication and Integrity
-
- Authentication is provided by associating with resource record sets
- (RRsets [RFC 2181]) in the DNS cryptographically generated digital
- signatures. Commonly, there will be a single private key that
- authenticates an entire zone but there might be multiple keys for
- different algorithms, signers, etc. If a security aware resolver
- reliably learns a public key of the zone, it can authenticate, for
- signed data read from that zone, that it is properly authorized. The
- most secure implementation is for the zone private key(s) to be kept
- off-line and used to re-sign all of the records in the zone
- periodically. However, there are cases, for example dynamic update
- [RFCs 2136, 2137], where DNS private keys need to be on-line [RFC
- 2541].
-
- The data origin authentication key(s) are associated with the zone
- and not with the servers that store copies of the data. That means
- compromise of a secondary server or, if the key(s) are kept off line,
- even the primary server for a zone, will not necessarily affect the
- degree of assurance that a resolver has that it can determine whether
- data is genuine.
-
- A resolver could learn a public key of a zone either by reading it
- from the DNS or by having it staticly configured. To reliably learn
- a public key by reading it from the DNS, the key itself must be
- signed with a key the resolver trusts. The resolver must be
- configured with at least a public key which authenticates one zone as
- a starting point. From there, it can securely read public keys of
- other zones, if the intervening zones in the DNS tree are secure and
- their signed keys accessible.
-
- Adding data origin authentication and integrity requires no change to
- the "on-the-wire" DNS protocol beyond the addition of the signature
- resource type and the key resource type needed for key distribution.
- (Data non-existence authentication also requires the NXT RR as
- described in 2.3.2.) This service can be supported by existing
- resolver and caching server implementations so long as they can
- support the additional resource types (see Section 9). The one
- exception is that CNAME referrals in a secure zone can not be
- authenticated if they are from non-security aware servers (see
- Section 2.3.5).
-
-
-
-
-
-Eastlake Standards Track [Page 6]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- If signatures are separately retrieved and verified when retrieving
- the information they authenticate, there will be more trips to the
- server and performance will suffer. Security aware servers mitigate
- that degradation by attempting to send the signature(s) needed (see
- Section 4.2).
-
-2.3.1 The SIG Resource Record
-
- The syntax of a SIG resource record (signature) is described in
- Section 4. It cryptographicly binds the RRset being signed to the
- signer and a validity interval.
-
- Every name in a secured zone will have associated with it at least
- one SIG resource record for each resource type under that name except
- for glue address RRs and delegation point NS RRs. A security aware
- server will attempt to return, with RRs retrieved, the corresponding
- SIGs. If a server is not security aware, the resolver must retrieve
- all the SIG records for a name and select the one or ones that sign
- the resource record set(s) that resolver is interested in.
-
-2.3.2 Authenticating Name and Type Non-existence
-
- The above security mechanism only provides a way to sign existing
- RRsets in a zone. "Data origin" authentication is not obviously
- provided for the non-existence of a domain name in a zone or the
- non-existence of a type for an existing name. This gap is filled by
- the NXT RR which authenticatably asserts a range of non-existent
- names in a zone and the non-existence of types for the existing name
- just before that range.
-
- Section 5 below covers the NXT RR.
-
-2.3.3 Special Considerations With Time-to-Live
-
- A digital signature will fail to verify if any change has occurred to
- the data between the time it was originally signed and the time the
- signature is verified. This conflicts with our desire to have the
- time-to-live (TTL) field of resource records tick down while they are
- cached.
-
- This could be avoided by leaving the time-to-live out of the digital
- signature, but that would allow unscrupulous servers to set
- arbitrarily long TTL values undetected. Instead, we include the
- "original" TTL in the signature and communicate that data along with
- the current TTL. Unscrupulous servers under this scheme can
- manipulate the TTL but a security aware resolver will bound the TTL
- value it uses at the original signed value. Separately, signatures
- include a signature inception time and a signature expiration time. A
-
-
-
-Eastlake Standards Track [Page 7]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- resolver that knows the absolute time can determine securely whether
- a signature is in effect. It is not possible to rely solely on the
- signature expiration as a substitute for the TTL, however, since the
- TTL is primarily a database consistency mechanism and non-security
- aware servers that depend on TTL must still be supported.
-
-2.3.4 Special Considerations at Delegation Points
-
- DNS security would like to view each zone as a unit of data
- completely under the control of the zone owner with each entry
- (RRset) signed by a special private key held by the zone manager.
- But the DNS protocol views the leaf nodes in a zone, which are also
- the apex nodes of a subzone (i.e., delegation points), as "really"
- belonging to the subzone. These nodes occur in two master files and
- might have RRs signed by both the upper and lower zone's keys. A
- retrieval could get a mixture of these RRs and SIGs, especially since
- one server could be serving both the zone above and below a
- delegation point. [RFC 2181]
-
- There MUST be a zone KEY RR, signed by its superzone, for every
- subzone if the superzone is secure. This will normally appear in the
- subzone and may also be included in the superzone. But, in the case
- of an unsecured subzone which can not or will not be modified to add
- any security RRs, a KEY declaring the subzone to be unsecured MUST
- appear with the superzone signature in the superzone, if the
- superzone is secure. For all but one other RR type the data from the
- subzone is more authoritative so only the subzone KEY RR should be
- signed in the superzone if it appears there. The NS and any glue
- address RRs SHOULD only be signed in the subzone. The SOA and any
- other RRs that have the zone name as owner should appear only in the
- subzone and thus are signed only there. The NXT RR type is the
- exceptional case that will always appear differently and
- authoritatively in both the superzone and subzone, if both are
- secure, as described in Section 5.
-
-2.3.5 Special Considerations with CNAME
-
- There is a problem when security related RRs with the same owner name
- as a CNAME RR are retrieved from a non-security-aware server. In
- particular, an initial retrieval for the CNAME or any other type may
- not retrieve any associated SIG, KEY, or NXT RR. For retrieved types
- other than CNAME, it will retrieve that type at the target name of
- the CNAME (or chain of CNAMEs) and will also return the CNAME. In
- particular, a specific retrieval for type SIG will not get the SIG,
- if any, at the original CNAME domain name but rather a SIG at the
- target name.
-
-
-
-
-
-Eastlake Standards Track [Page 8]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- Security aware servers must be used to securely CNAME in DNS.
- Security aware servers MUST (1) allow KEY, SIG, and NXT RRs along
- with CNAME RRs, (2) suppress CNAME processing on retrieval of these
- types as well as on retrieval of the type CNAME, and (3)
- automatically return SIG RRs authenticating the CNAME or CNAMEs
- encountered in resolving a query. This is a change from the previous
- DNS standard [RFCs 1034/1035] which prohibited any other RR type at a
- node where a CNAME RR was present.
-
-2.3.6 Signers Other Than The Zone
-
- There are cases where the signer in a SIG resource record is other
- than one of the private key(s) used to authenticate a zone.
-
- One is for support of dynamic update [RFC 2136] (or future requests
- which require secure authentication) where an entity is permitted to
- authenticate/update its records [RFC 2137] and the zone is operating
- in a mode where the zone key is not on line. The public key of the
- entity must be present in the DNS and be signed by a zone level key
- but the other RR(s) may be signed with the entity's key.
-
- A second case is support of transaction and request authentication as
- described in Section 2.4.
-
- In additions, signatures can be included on resource records within
- the DNS for use by applications other than DNS. DNS related
- signatures authenticate that data originated with the authority of a
- zone owner or that a request or transaction originated with the
- relevant entity. Other signatures can provide other types of
- assurances.
-
-2.4 DNS Transaction and Request Authentication
-
- The data origin authentication service described above protects
- retrieved resource records and the non-existence of resource records
- but provides no protection for DNS requests or for message headers.
-
- If header bits are falsely set by a bad server, there is little that
- can be done. However, it is possible to add transaction
- authentication. Such authentication means that a resolver can be
- sure it is at least getting messages from the server it thinks it
- queried and that the response is from the query it sent (i.e., that
- these messages have not been diddled in transit). This is
- accomplished by optionally adding a special SIG resource record at
- the end of the reply which digitally signs the concatenation of the
- server's response and the resolver's query.
-
-
-
-
-
-Eastlake Standards Track [Page 9]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- Requests can also be authenticated by including a special SIG RR at
- the end of the request. Authenticating requests serves no function
- in older DNS servers and requests with a non-empty additional
- information section produce error returns or may even be ignored by
- many of them. However, this syntax for signing requests is defined as
- a way of authenticating secure dynamic update requests [RFC 2137] or
- future requests requiring authentication.
-
- The private keys used in transaction security belong to the entity
- composing the reply, not to the zone involved. Request
- authentication may also involve the private key of the host or other
- entity composing the request or other private keys depending on the
- request authority it is sought to establish. The corresponding public
- key(s) are normally stored in and retrieved from the DNS for
- verification.
-
- Because requests and replies are highly variable, message
- authentication SIGs can not be pre-calculated. Thus it will be
- necessary to keep the private key on-line, for example in software or
- in a directly connected piece of hardware.
-
-3. The KEY Resource Record
-
- The KEY resource record (RR) is used to store a public key that is
- associated with a Domain Name System (DNS) name. This can be the
- public key of a zone, a user, or a host or other end entity. Security
- aware DNS implementations MUST be designed to handle at least two
- simultaneously valid keys of the same type associated with the same
- name.
-
- The type number for the KEY RR is 25.
-
- A KEY RR is, like any other RR, authenticated by a SIG RR. KEY RRs
- must be signed by a zone level key.
-
-3.1 KEY RDATA format
-
- The RDATA for a KEY RR consists of flags, a protocol octet, the
- algorithm number octet, and the public key itself. The format is as
- follows:
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 10]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | flags | protocol | algorithm |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | /
- / public key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
- The KEY RR is not intended for storage of certificates and a separate
- certificate RR has been developed for that purpose, defined in [RFC
- 2538].
-
- The meaning of the KEY RR owner name, flags, and protocol octet are
- described in Sections 3.1.1 through 3.1.5 below. The flags and
- algorithm must be examined before any data following the algorithm
- octet as they control the existence and format of any following data.
- The algorithm and public key fields are described in Section 3.2.
- The format of the public key is algorithm dependent.
-
- KEY RRs do not specify their validity period but their authenticating
- SIG RR(s) do as described in Section 4 below.
-
-3.1.1 Object Types, DNS Names, and Keys
-
- The public key in a KEY RR is for the object named in the owner name.
-
- A DNS name may refer to three different categories of things. For
- example, foo.host.example could be (1) a zone, (2) a host or other
- end entity , or (3) the mapping into a DNS name of the user or
- account foo@host.example. Thus, there are flag bits, as described
- below, in the KEY RR to indicate with which of these roles the owner
- name and public key are associated. Note that an appropriate zone
- KEY RR MUST occur at the apex node of a secure zone and zone KEY RRs
- occur only at delegation points.
-
-3.1.2 The KEY RR Flag Field
-
- In the "flags" field:
-
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- | A/C | Z | XT| Z | Z | NAMTYP| Z | Z | Z | Z | SIG |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
-
- Bit 0 and 1 are the key "type" bits whose values have the following
- meanings:
-
-
-
-Eastlake Standards Track [Page 11]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 10: Use of the key is prohibited for authentication.
- 01: Use of the key is prohibited for confidentiality.
- 00: Use of the key for authentication and/or confidentiality
- is permitted. Note that DNS security makes use of keys
- for authentication only. Confidentiality use flagging is
- provided for use of keys in other protocols.
- Implementations not intended to support key distribution
- for confidentiality MAY require that the confidentiality
- use prohibited bit be on for keys they serve.
- 11: If both bits are one, the "no key" value, there is no key
- information and the RR stops after the algorithm octet.
- By the use of this "no key" value, a signed KEY RR can
- authenticatably assert that, for example, a zone is not
- secured. See section 3.4 below.
-
- Bits 2 is reserved and must be zero.
-
- Bits 3 is reserved as a flag extension bit. If it is a one, a second
- 16 bit flag field is added after the algorithm octet and
- before the key data. This bit MUST NOT be set unless one or
- more such additional bits have been defined and are non-zero.
-
- Bits 4-5 are reserved and must be zero.
-
- Bits 6 and 7 form a field that encodes the name type. Field values
- have the following meanings:
-
- 00: indicates that this is a key associated with a "user" or
- "account" at an end entity, usually a host. The coding
- of the owner name is that used for the responsible
- individual mailbox in the SOA and RP RRs: The owner name
- is the user name as the name of a node under the entity
- name. For example, "j_random_user" on
- host.subdomain.example could have a public key associated
- through a KEY RR with name
- j_random_user.host.subdomain.example. It could be used
- in a security protocol where authentication of a user was
- desired. This key might be useful in IP or other
- security for a user level service such a telnet, ftp,
- rlogin, etc.
- 01: indicates that this is a zone key for the zone whose name
- is the KEY RR owner name. This is the public key used
- for the primary DNS security feature of data origin
- authentication. Zone KEY RRs occur only at delegation
- points.
- 10: indicates that this is a key associated with the non-zone
- "entity" whose name is the RR owner name. This will
- commonly be a host but could, in some parts of the DNS
-
-
-
-Eastlake Standards Track [Page 12]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- tree, be some other type of entity such as a telephone
- number [RFC 1530] or numeric IP address. This is the
- public key used in connection with DNS request and
- transaction authentication services. It could also be
- used in an IP-security protocol where authentication at
- the host, rather than user, level was desired, such as
- routing, NTP, etc.
- 11: reserved.
-
- Bits 8-11 are reserved and must be zero.
-
- Bits 12-15 are the "signatory" field. If non-zero, they indicate
- that the key can validly sign things as specified in DNS
- dynamic update [RFC 2137]. Note that zone keys (see bits
- 6 and 7 above) always have authority to sign any RRs in
- the zone regardless of the value of the signatory field.
-
-3.1.3 The Protocol Octet
-
- It is anticipated that keys stored in DNS will be used in conjunction
- with a variety of Internet protocols. It is intended that the
- protocol octet and possibly some of the currently unused (must be
- zero) bits in the KEY RR flags as specified in the future will be
- used to indicate a key's validity for different protocols.
-
- The following values of the Protocol Octet are reserved as indicated:
-
- VALUE Protocol
-
- 0 -reserved
- 1 TLS
- 2 email
- 3 dnssec
- 4 IPSEC
- 5-254 - available for assignment by IANA
- 255 All
-
- In more detail:
- 1 is reserved for use in connection with TLS.
- 2 is reserved for use in connection with email.
- 3 is used for DNS security. The protocol field SHOULD be set to
- this value for zone keys and other keys used in DNS security.
- Implementations that can determine that a key is a DNS
- security key by the fact that flags label it a zone key or the
- signatory flag field is non-zero are NOT REQUIRED to check the
- protocol field.
- 4 is reserved to refer to the Oakley/IPSEC [RFC 2401] protocol
- and indicates that this key is valid for use in conjunction
-
-
-
-Eastlake Standards Track [Page 13]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- with that security standard. This key could be used in
- connection with secured communication on behalf of an end
- entity or user whose name is the owner name of the KEY RR if
- the entity or user flag bits are set. The presence of a KEY
- resource with this protocol value is an assertion that the
- host speaks Oakley/IPSEC.
- 255 indicates that the key can be used in connection with any
- protocol for which KEY RR protocol octet values have been
- defined. The use of this value is discouraged and the use of
- different keys for different protocols is encouraged.
-
-3.2 The KEY Algorithm Number Specification
-
- This octet is the key algorithm parallel to the same field for the
- SIG resource as described in Section 4.1. The following values are
- assigned:
-
- VALUE Algorithm
-
- 0 - reserved, see Section 11
- 1 RSA/MD5 [RFC 2537] - recommended
- 2 Diffie-Hellman [RFC 2539] - optional, key only
- 3 DSA [RFC 2536] - MANDATORY
- 4 reserved for elliptic curve crypto
- 5-251 - available, see Section 11
- 252 reserved for indirect keys
- 253 private - domain name (see below)
- 254 private - OID (see below)
- 255 - reserved, see Section 11
-
- Algorithm specific formats and procedures are given in separate
- documents. The mandatory to implement for interoperability algorithm
- is number 3, DSA. It is recommended that the RSA/MD5 algorithm,
- number 1, also be implemented. Algorithm 2 is used to indicate
- Diffie-Hellman keys and algorithm 4 is reserved for elliptic curve.
-
- Algorithm number 252 indicates an indirect key format where the
- actual key material is elsewhere. This format is to be defined in a
- separate document.
-
- Algorithm numbers 253 and 254 are reserved for private use and will
- never be assigned a specific algorithm. For number 253, the public
- key area and the signature begin with a wire encoded domain name.
- Only local domain name compression is permitted. The domain name
- indicates the private algorithm to use and the remainder of the
- public key area is whatever is required by that algorithm. For
- number 254, the public key area for the KEY RR and the signature
- begin with an unsigned length byte followed by a BER encoded Object
-
-
-
-Eastlake Standards Track [Page 14]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- Identifier (ISO OID) of that length. The OID indicates the private
- algorithm in use and the remainder of the area is whatever is
- required by that algorithm. Entities should only use domain names
- and OIDs they control to designate their private algorithms.
-
- Values 0 and 255 are reserved but the value 0 is used in the
- algorithm field when that field is not used. An example is in a KEY
- RR with the top two flag bits on, the "no-key" value, where no key is
- present.
-
-3.3 Interaction of Flags, Algorithm, and Protocol Bytes
-
- Various combinations of the no-key type flags, algorithm byte,
- protocol byte, and any future assigned protocol indicating flags are
- possible. The meaning of these combinations is indicated below:
-
- NK = no key type (flags bits 0 and 1 on)
- AL = algorithm byte
- PR = protocols indicated by protocol byte or future assigned flags
-
- x represents any valid non-zero value(s).
-
- AL PR NK Meaning
- 0 0 0 Illegal, claims key but has bad algorithm field.
- 0 0 1 Specifies total lack of security for owner zone.
- 0 x 0 Illegal, claims key but has bad algorithm field.
- 0 x 1 Specified protocols unsecured, others may be secure.
- x 0 0 Gives key but no protocols to use it.
- x 0 1 Denies key for specific algorithm.
- x x 0 Specifies key for protocols.
- x x 1 Algorithm not understood for protocol.
-
-3.4 Determination of Zone Secure/Unsecured Status
-
- A zone KEY RR with the "no-key" type field value (both key type flag
- bits 0 and 1 on) indicates that the zone named is unsecured while a
- zone KEY RR with a key present indicates that the zone named is
- secure. The secured versus unsecured status of a zone may vary with
- different cryptographic algorithms. Even for the same algorithm,
- conflicting zone KEY RRs may be present.
-
- Zone KEY RRs, like all RRs, are only trusted if they are
- authenticated by a SIG RR whose signer field is a signer for which
- the resolver has a public key they trust and where resolver policy
- permits that signer to sign for the KEY owner name. Untrusted zone
- KEY RRs MUST be ignored in determining the security status of the
- zone. However, there can be multiple sets of trusted zone KEY RRs
- for a zone with different algorithms, signers, etc.
-
-
-
-Eastlake Standards Track [Page 15]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- For any particular algorithm, zones can be (1) secure, indicating
- that any retrieved RR must be authenticated by a SIG RR or it will be
- discarded as bogus, (2) unsecured, indicating that SIG RRs are not
- expected or required for RRs retrieved from the zone, or (3)
- experimentally secure, which indicates that SIG RRs might or might
- not be present but must be checked if found. The status of a zone is
- determined as follows:
-
- 1. If, for a zone and algorithm, every trusted zone KEY RR for the
- zone says there is no key for that zone, it is unsecured for that
- algorithm.
-
- 2. If, there is at least one trusted no-key zone KEY RR and one
- trusted key specifying zone KEY RR, then that zone is only
- experimentally secure for the algorithm. Both authenticated and
- non-authenticated RRs for it should be accepted by the resolver.
-
- 3. If every trusted zone KEY RR that the zone and algorithm has is
- key specifying, then it is secure for that algorithm and only
- authenticated RRs from it will be accepted.
-
- Examples:
-
- (1) A resolver initially trusts only signatures by the superzone of
- zone Z within the DNS hierarchy. Thus it will look only at the KEY
- RRs that are signed by the superzone. If it finds only no-key KEY
- RRs, it will assume the zone is not secure. If it finds only key
- specifying KEY RRs, it will assume the zone is secure and reject any
- unsigned responses. If it finds both, it will assume the zone is
- experimentally secure
-
- (2) A resolver trusts the superzone of zone Z (to which it got
- securely from its local zone) and a third party, cert-auth.example.
- When considering data from zone Z, it may be signed by the superzone
- of Z, by cert-auth.example, by both, or by neither. The following
- table indicates whether zone Z will be considered secure,
- experimentally secure, or unsecured, depending on the signed zone KEY
- RRs for Z;
-
- c e r t - a u t h . e x a m p l e
-
- KEY RRs| None | NoKeys | Mixed | Keys |
- S --+-----------+-----------+----------+----------+
- u None | illegal | unsecured | experim. | secure |
- p --+-----------+-----------+----------+----------+
- e NoKeys | unsecured | unsecured | experim. | secure |
- r --+-----------+-----------+----------+----------+
- Z Mixed | experim. | experim. | experim. | secure |
-
-
-
-Eastlake Standards Track [Page 16]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- o --+-----------+-----------+----------+----------+
- n Keys | secure | secure | secure | secure |
- e +-----------+-----------+----------+----------+
-
-3.5 KEY RRs in the Construction of Responses
-
- An explicit request for KEY RRs does not cause any special additional
- information processing except, of course, for the corresponding SIG
- RR from a security aware server (see Section 4.2).
-
- Security aware DNS servers include KEY RRs as additional information
- in responses, where a KEY is available, in the following cases:
-
- (1) On the retrieval of SOA or NS RRs, the KEY RRset with the same
- name (perhaps just a zone key) SHOULD be included as additional
- information if space is available. If not all additional information
- will fit, type A and AAAA glue RRs have higher priority than KEY
- RR(s).
-
- (2) On retrieval of type A or AAAA RRs, the KEY RRset with the same
- name (usually just a host RR and NOT the zone key (which usually
- would have a different name)) SHOULD be included if space is
- available. On inclusion of A or AAAA RRs as additional information,
- the KEY RRset with the same name should also be included but with
- lower priority than the A or AAAA RRs.
-
-4. The SIG Resource Record
-
- The SIG or "signature" resource record (RR) is the fundamental way
- that data is authenticated in the secure Domain Name System (DNS). As
- such it is the heart of the security provided.
-
- The SIG RR unforgably authenticates an RRset [RFC 2181] of a
- particular type, class, and name and binds it to a time interval and
- the signer's domain name. This is done using cryptographic
- techniques and the signer's private key. The signer is frequently
- the owner of the zone from which the RR originated.
-
- The type number for the SIG RR type is 24.
-
-4.1 SIG RDATA Format
-
- The RDATA portion of a SIG RR is as shown below. The integrity of
- the RDATA information is protected by the signature field.
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 17]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | type covered | algorithm | labels |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | original TTL |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | signature expiration |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | signature inception |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | key tag | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ signer's name +
- | /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
- / /
- / signature /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-4.1.1 Type Covered Field
-
- The "type covered" is the type of the other RRs covered by this SIG.
-
-4.1.2 Algorithm Number Field
-
- This octet is as described in section 3.2.
-
-4.1.3 Labels Field
-
- The "labels" octet is an unsigned count of how many labels there are
- in the original SIG RR owner name not counting the null label for
- root and not counting any initial "*" for a wildcard. If a secured
- retrieval is the result of wild card substitution, it is necessary
- for the resolver to use the original form of the name in verifying
- the digital signature. This field makes it easy to determine the
- original form.
-
- If, on retrieval, the RR appears to have a longer name than indicated
- by "labels", the resolver can tell it is the result of wildcard
- substitution. If the RR owner name appears to be shorter than the
- labels count, the SIG RR must be considered corrupt and ignored. The
- maximum number of labels allowed in the current DNS is 127 but the
- entire octet is reserved and would be required should DNS names ever
- be expanded to 255 labels. The following table gives some examples.
- The value of "labels" is at the top, the retrieved owner name on the
- left, and the table entry is the name to use in signature
- verification except that "bad" means the RR is corrupt.
-
-
-
-Eastlake Standards Track [Page 18]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- labels= | 0 | 1 | 2 | 3 | 4 |
- --------+-----+------+--------+----------+----------+
- .| . | bad | bad | bad | bad |
- d.| *. | d. | bad | bad | bad |
- c.d.| *. | *.d. | c.d. | bad | bad |
- b.c.d.| *. | *.d. | *.c.d. | b.c.d. | bad |
- a.b.c.d.| *. | *.d. | *.c.d. | *.b.c.d. | a.b.c.d. |
-
-4.1.4 Original TTL Field
-
- The "original TTL" field is included in the RDATA portion to avoid
- (1) authentication problems that caching servers would otherwise
- cause by decrementing the real TTL field and (2) security problems
- that unscrupulous servers could otherwise cause by manipulating the
- real TTL field. This original TTL is protected by the signature
- while the current TTL field is not.
-
- NOTE: The "original TTL" must be restored into the covered RRs when
- the signature is verified (see Section 8). This generaly implies
- that all RRs for a particular type, name, and class, that is, all the
- RRs in any particular RRset, must have the same TTL to start with.
-
-4.1.5 Signature Expiration and Inception Fields
-
- The SIG is valid from the "signature inception" time until the
- "signature expiration" time. Both are unsigned numbers of seconds
- since the start of 1 January 1970, GMT, ignoring leap seconds. (See
- also Section 4.4.) Ring arithmetic is used as for DNS SOA serial
- numbers [RFC 1982] which means that these times can never be more
- than about 68 years in the past or the future. This means that these
- times are ambiguous modulo ~136.09 years. However there is no
- security flaw because keys are required to be changed to new random
- keys by [RFC 2541] at least every five years. This means that the
- probability that the same key is in use N*136.09 years later should
- be the same as the probability that a random guess will work.
-
- A SIG RR may have an expiration time numerically less than the
- inception time if the expiration time is near the 32 bit wrap around
- point and/or the signature is long lived.
-
- (To prevent misordering of network requests to update a zone
- dynamically, monotonically increasing "signature inception" times may
- be necessary.)
-
- A secure zone must be considered changed for SOA serial number
- purposes not only when its data is updated but also when new SIG RRs
- are inserted (ie, the zone or any part of it is re-signed).
-
-
-
-
-Eastlake Standards Track [Page 19]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-4.1.6 Key Tag Field
-
- The "key Tag" is a two octet quantity that is used to efficiently
- select between multiple keys which may be applicable and thus check
- that a public key about to be used for the computationally expensive
- effort to check the signature is possibly valid. For algorithm 1
- (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
- octets of the public key modulus needed to decode the signature
- field. That is to say, the most significant 16 of the least
- significant 24 bits of the modulus in network (big endian) order. For
- all other algorithms, including private algorithms, it is calculated
- as a simple checksum of the KEY RR as described in Appendix C.
-
-4.1.7 Signer's Name Field
-
- The "signer's name" field is the domain name of the signer generating
- the SIG RR. This is the owner name of the public KEY RR that can be
- used to verify the signature. It is frequently the zone which
- contained the RRset being authenticated. Which signers should be
- authorized to sign what is a significant resolver policy question as
- discussed in Section 6. The signer's name may be compressed with
- standard DNS name compression when being transmitted over the
- network.
-
-4.1.8 Signature Field
-
- The actual signature portion of the SIG RR binds the other RDATA
- fields to the RRset of the "type covered" RRs with that owner name
- and class. This covered RRset is thereby authenticated. To
- accomplish this, a data sequence is constructed as follows:
-
- data = RDATA | RR(s)...
-
- where "|" is concatenation,
-
- RDATA is the wire format of all the RDATA fields in the SIG RR itself
- (including the canonical form of the signer's name) before but not
- including the signature, and
-
- RR(s) is the RRset of the RR(s) of the type covered with the same
- owner name and class as the SIG RR in canonical form and order as
- defined in Section 8.
-
- How this data sequence is processed into the signature is algorithm
- dependent. These algorithm dependent formats and procedures are
- described in separate documents (Section 3.2).
-
-
-
-
-
-Eastlake Standards Track [Page 20]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- SIGs SHOULD NOT be included in a zone for any "meta-type" such as
- ANY, AXFR, etc. (but see section 5.6.2 with regard to IXFR).
-
-4.1.8.1 Calculating Transaction and Request SIGs
-
- A response message from a security aware server may optionally
- contain a special SIG at the end of the additional information
- section to authenticate the transaction.
-
- This SIG has a "type covered" field of zero, which is not a valid RR
- type. It is calculated by using a "data" (see Section 4.1.8) of the
- entire preceding DNS reply message, including DNS header but not the
- IP header and before the reply RR counts have been adjusted for the
- inclusion of any transaction SIG, concatenated with the entire DNS
- query message that produced this response, including the query's DNS
- header and any request SIGs but not its IP header. That is
-
- data = full response (less transaction SIG) | full query
-
- Verification of the transaction SIG (which is signed by the server
- host key, not the zone key) by the requesting resolver shows that the
- query and response were not tampered with in transit, that the
- response corresponds to the intended query, and that the response
- comes from the queried server.
-
- A DNS request may be optionally signed by including one or more SIGs
- at the end of the query. Such SIGs are identified by having a "type
- covered" field of zero. They sign the preceding DNS request message
- including DNS header but not including the IP header or any request
- SIGs at the end and before the request RR counts have been adjusted
- for the inclusions of any request SIG(s).
-
- WARNING: Request SIGs are unnecessary for any currently defined
- request other than update [RFC 2136, 2137] and will cause some old
- DNS servers to give an error return or ignore a query. However, such
- SIGs may in the future be needed for other requests.
-
- Except where needed to authenticate an update or similar privileged
- request, servers are not required to check request SIGs.
-
-4.2 SIG RRs in the Construction of Responses
-
- Security aware DNS servers SHOULD, for every authenticated RRset the
- query will return, attempt to send the available SIG RRs which
- authenticate the requested RRset. The following rules apply to the
- inclusion of SIG RRs in responses:
-
-
-
-
-
-Eastlake Standards Track [Page 21]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 1. when an RRset is placed in a response, its SIG RR has a higher
- priority for inclusion than additional RRs that may need to be
- included. If space does not permit its inclusion, the response
- MUST be considered truncated except as provided in 2 below.
-
- 2. When a SIG RR is present in the zone for an additional
- information section RR, the response MUST NOT be considered
- truncated merely because space does not permit the inclusion of
- the SIG RR with the additional information.
-
- 3. SIGs to authenticate glue records and NS RRs for subzones at a
- delegation point are unnecessary and MUST NOT be sent.
-
- 4. If a SIG covers any RR that would be in the answer section of
- the response, its automatic inclusion MUST be in the answer
- section. If it covers an RR that would appear in the authority
- section, its automatic inclusion MUST be in the authority
- section. If it covers an RR that would appear in the additional
- information section it MUST appear in the additional information
- section. This is a change in the existing standard [RFCs 1034,
- 1035] which contemplates only NS and SOA RRs in the authority
- section.
-
- 5. Optionally, DNS transactions may be authenticated by a SIG RR at
- the end of the response in the additional information section
- (Section 4.1.8.1). Such SIG RRs are signed by the DNS server
- originating the response. Although the signer field MUST be a
- name of the originating server host, the owner name, class, TTL,
- and original TTL, are meaningless. The class and TTL fields
- SHOULD be zero. To conserve space, the owner name SHOULD be
- root (a single zero octet). If transaction authentication is
- desired, that SIG RR must be considered the highest priority for
- inclusion.
-
-4.3 Processing Responses and SIG RRs
-
- The following rules apply to the processing of SIG RRs included in a
- response:
-
- 1. A security aware resolver that receives a response from a
- security aware server via a secure communication with the AD bit
- (see Section 6.1) set, MAY choose to accept the RRs as received
- without verifying the zone SIG RRs.
-
- 2. In other cases, a security aware resolver SHOULD verify the SIG
- RRs for the RRs of interest. This may involve initiating
- additional queries for SIG or KEY RRs, especially in the case of
-
-
-
-
-Eastlake Standards Track [Page 22]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- getting a response from a server that does not implement
- security. (As explained in 2.3.5 above, it will not be possible
- to secure CNAMEs being served up by non-secure resolvers.)
-
- NOTE: Implementers might expect the above SHOULD to be a MUST.
- However, local policy or the calling application may not require
- the security services.
-
- 3. If SIG RRs are received in response to a user query explicitly
- specifying the SIG type, no special processing is required.
-
- If the message does not pass integrity checks or the SIG does not
- check against the signed RRs, the SIG RR is invalid and should be
- ignored. If all of the SIG RR(s) purporting to authenticate an RRset
- are invalid, then the RRset is not authenticated.
-
- If the SIG RR is the last RR in a response in the additional
- information section and has a type covered of zero, it is a
- transaction signature of the response and the query that produced the
- response. It MAY be optionally checked and the message rejected if
- the checks fail. But even if the checks succeed, such a transaction
- authentication SIG does NOT directly authenticate any RRs in the
- message. Only a proper SIG RR signed by the zone or a key tracing
- its authority to the zone or to static resolver configuration can
- directly authenticate RRs, depending on resolver policy (see Section
- 6). If a resolver does not implement transaction and/or request
- SIGs, it MUST ignore them without error.
-
- If all checks indicate that the SIG RR is valid then RRs verified by
- it should be considered authenticated.
-
-4.4 Signature Lifetime, Expiration, TTLs, and Validity
-
- Security aware servers MUST NOT consider SIG RRs to authenticate
- anything before their signature inception or after its expiration
- time (see also Section 6). Security aware servers MUST NOT consider
- any RR to be authenticated after all its signatures have expired.
- When a secure server caches authenticated data, if the TTL would
- expire at a time further in the future than the authentication
- expiration time, the server SHOULD trim the TTL in the cache entry
- not to extent beyond the authentication expiration time. Within
- these constraints, servers should continue to follow DNS TTL aging.
- Thus authoritative servers should continue to follow the zone refresh
- and expire parameters and a non-authoritative server should count
- down the TTL and discard RRs when the TTL is zero (even for a SIG
- that has not yet reached its authentication expiration time). In
- addition, when RRs are transmitted in a query response, the TTL
-
-
-
-
-Eastlake Standards Track [Page 23]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- should be trimmed so that current time plus the TTL does not extend
- beyond the authentication expiration time. Thus, in general, the TTL
- on a transmitted RR would be
-
- min(authExpTim,max(zoneMinTTL,min(originalTTL,currentTTL)))
-
- When signatures are generated, signature expiration times should be
- set far enough in the future that it is quite certain that new
- signatures can be generated before the old ones expire. However,
- setting expiration too far into the future could mean a long time to
- flush any bad data or signatures that may have been generated.
-
- It is recommended that signature lifetime be a small multiple of the
- TTL (ie, 4 to 16 times the TTL) but not less than a reasonable
- maximum re-signing interval and not less than the zone expiry time.
-
-5. Non-existent Names and Types
-
- The SIG RR mechanism described in Section 4 above provides strong
- authentication of RRs that exist in a zone. But it is not clear
- above how to verifiably deny the existence of a name in a zone or a
- type for an existent name.
-
- The nonexistence of a name in a zone is indicated by the NXT ("next")
- RR for a name interval containing the nonexistent name. An NXT RR or
- RRs and its or their SIG(s) are returned in the authority section,
- along with the error, if the server is security aware. The same is
- true for a non-existent type under an existing name except that there
- is no error indication other than an empty answer section
- accompanying the NXT(s). This is a change in the existing standard
- [RFCs 1034/1035] which contemplates only NS and SOA RRs in the
- authority section. NXT RRs will also be returned if an explicit query
- is made for the NXT type.
-
- The existence of a complete set of NXT records in a zone means that
- any query for any name and any type to a security aware server
- serving the zone will result in an reply containing at least one
- signed RR unless it is a query for delegation point NS or glue A or
- AAAA RRs.
-
-5.1 The NXT Resource Record
-
- The NXT resource record is used to securely indicate that RRs with an
- owner name in a certain name interval do not exist in a zone and to
- indicate what RR types are present for an existing name.
-
-
-
-
-
-
-Eastlake Standards Track [Page 24]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- The owner name of the NXT RR is an existing name in the zone. It's
- RDATA is a "next" name and a type bit map. Thus the NXT RRs in a zone
- create a chain of all of the literal owner names in that zone,
- including unexpanded wildcards but omitting the owner name of glue
- address records unless they would otherwise be included. This implies
- a canonical ordering of all domain names in a zone as described in
- Section 8. The presence of the NXT RR means that no name between its
- owner name and the name in its RDATA area exists and that no other
- types exist under its owner name.
-
- There is a potential problem with the last NXT in a zone as it wants
- to have an owner name which is the last existing name in canonical
- order, which is easy, but it is not obvious what name to put in its
- RDATA to indicate the entire remainder of the name space. This is
- handled by treating the name space as circular and putting the zone
- name in the RDATA of the last NXT in a zone.
-
- The NXT RRs for a zone SHOULD be automatically calculated and added
- to the zone when SIGs are added. The NXT RR's TTL SHOULD NOT exceed
- the zone minimum TTL.
-
- The type number for the NXT RR is 30.
-
- NXT RRs are only signed by zone level keys.
-
-5.2 NXT RDATA Format
-
- The RDATA for an NXT RR consists simply of a domain name followed by
- a bit map, as shown below.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | next domain name /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | type bit map /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- The NXT RR type bit map format currently defined is one bit per RR
- type present for the owner name. A one bit indicates that at least
- one RR of that type is present for the owner name. A zero indicates
- that no such RR is present. All bits not specified because they are
- beyond the end of the bit map are assumed to be zero. Note that bit
- 30, for NXT, will always be on so the minimum bit map length is
- actually four octets. Trailing zero octets are prohibited in this
- format. The first bit represents RR type zero (an illegal type which
- can not be present) and so will be zero in this format. This format
- is not used if there exists an RR with a type number greater than
-
-
-
-Eastlake Standards Track [Page 25]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 127. If the zero bit of the type bit map is a one, it indicates that
- a different format is being used which will always be the case if a
- type number greater than 127 is present.
-
- The domain name may be compressed with standard DNS name compression
- when being transmitted over the network. The size of the bit map can
- be inferred from the RDLENGTH and the length of the next domain name.
-
-5.3 Additional Complexity Due to Wildcards
-
- Proving that a non-existent name response is correct or that a
- wildcard expansion response is correct makes things a little more
- complex.
-
- In particular, when a non-existent name response is returned, an NXT
- must be returned showing that the exact name queried did not exist
- and, in general, one or more additional NXT's need to be returned to
- also prove that there wasn't a wildcard whose expansion should have
- been returned. (There is no need to return multiple copies of the
- same NXT.) These NXTs, if any, are returned in the authority section
- of the response.
-
- Furthermore, if a wildcard expansion is returned in a response, in
- general one or more NXTs needs to also be returned in the authority
- section to prove that no more specific name (including possibly more
- specific wildcards in the zone) existed on which the response should
- have been based.
-
-5.4 Example
-
- Assume zone foo.nil has entries for
-
- big.foo.nil,
- medium.foo.nil.
- small.foo.nil.
- tiny.foo.nil.
-
- Then a query to a security aware server for huge.foo.nil would
- produce an error reply with an RCODE of NXDOMAIN and the authority
- section data including something like the following:
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 26]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- foo.nil. NXT big.foo.nil NS KEY SOA NXT ;prove no *.foo.nil
- foo.nil. SIG NXT 1 2 ( ;type-cov=NXT, alg=1, labels=2
- 19970102030405 ;signature expiration
- 19961211100908 ;signature inception
- 2143 ;key identifier
- foo.nil. ;signer
- AIYADP8d3zYNyQwW2EM4wXVFdslEJcUx/fxkfBeH1El4ixPFhpfHFElxbvKoWmvjDTCm
- fiYy2X+8XpFjwICHc398kzWsTMKlxovpz2FnCTM= ;signature (640 bits)
- )
- big.foo.nil. NXT medium.foo.nil. A MX SIG NXT ;prove no huge.foo.nil
- big.foo.nil. SIG NXT 1 3 ( ;type-cov=NXT, alg=1, labels=3
- 19970102030405 ;signature expiration
- 19961211100908 ;signature inception
- 2143 ;key identifier
- foo.nil. ;signer
- MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6VAuHAoNUz4YoU
- 1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ;signature (640 bits)
- )
- Note that this response implies that big.foo.nil is an existing name
- in the zone and thus has other RR types associated with it than NXT.
- However, only the NXT (and its SIG) RR appear in the response to this
- query for huge.foo.nil, which is a non-existent name.
-
-5.5 Special Considerations at Delegation Points
-
- A name (other than root) which is the head of a zone also appears as
- the leaf in a superzone. If both are secure, there will always be
- two different NXT RRs with the same name. They can be easily
- distinguished by their signers, the next domain name fields, the
- presence of the SOA type bit, etc. Security aware servers should
- return the correct NXT automatically when required to authenticate
- the non-existence of a name and both NXTs, if available, on explicit
- query for type NXT.
-
- Non-security aware servers will never automatically return an NXT and
- some old implementations may only return the NXT from the subzone on
- explicit queries.
-
-5.6 Zone Transfers
-
- The subsections below describe how full and incremental zone
- transfers are secured.
-
- SIG RRs secure all authoritative RRs transferred for both full and
- incremental [RFC 1995] zone transfers. NXT RRs are an essential
- element in secure zone transfers and assure that every authoritative
- name and type will be present; however, if there are multiple SIGs
- with the same name and type covered, a subset of the SIGs could be
-
-
-
-Eastlake Standards Track [Page 27]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- sent as long as at least one is present and, in the case of unsigned
- delegation point NS or glue A or AAAA RRs a subset of these RRs or
- simply a modified set could be sent as long as at least one of each
- type is included.
-
- When an incremental or full zone transfer request is received with
- the same or newer version number than that of the server's copy of
- the zone, it is replied to with just the SOA RR of the server's
- current version and the SIG RRset verifying that SOA RR.
-
- The complete NXT chains specified in this document enable a resolver
- to obtain, by successive queries chaining through NXTs, all of the
- names in a zone even if zone transfers are prohibited. Different
- format NXTs may be specified in the future to avoid this.
-
-5.6.1 Full Zone Transfers
-
- To provide server authentication that a complete transfer has
- occurred, transaction authentication SHOULD be used on full zone
- transfers. This provides strong server based protection for the
- entire zone in transit.
-
-5.6.2 Incremental Zone Transfers
-
- Individual RRs in an incremental (IXFR) transfer [RFC 1995] can be
- verified in the same way as for a full zone transfer and the
- integrity of the NXT name chain and correctness of the NXT type bits
- for the zone after the incremental RR deletes and adds can check each
- disjoint area of the zone updated. But the completeness of an
- incremental transfer can not be confirmed because usually neither the
- deleted RR section nor the added RR section has a compete zone NXT
- chain. As a result, a server which securely supports IXFR must
- handle IXFR SIG RRs for each incremental transfer set that it
- maintains.
-
- The IXFR SIG is calculated over the incremental zone update
- collection of RRs in the order in which it is transmitted: old SOA,
- then deleted RRs, then new SOA and added RRs. Within each section,
- RRs must be ordered as specified in Section 8. If condensation of
- adjacent incremental update sets is done by the zone owner, the
- original IXFR SIG for each set included in the condensation must be
- discarded and a new on IXFR SIG calculated to cover the resulting
- condensed set.
-
- The IXFR SIG really belongs to the zone as a whole, not to the zone
- name. Although it SHOULD be correct for the zone name, the labels
- field of an IXFR SIG is otherwise meaningless. The IXFR SIG is only
- sent as part of an incremental zone transfer. After validation of
-
-
-
-Eastlake Standards Track [Page 28]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- the IXFR SIG, the transferred RRs MAY be considered valid without
- verification of the internal SIGs if such trust in the server
- conforms to local policy.
-
-6. How to Resolve Securely and the AD and CD Bits
-
- Retrieving or resolving secure data from the Domain Name System (DNS)
- involves starting with one or more trusted public keys that have been
- staticly configured at the resolver. With starting trusted keys, a
- resolver willing to perform cryptography can progress securely
- through the secure DNS structure to the zone of interest as described
- in Section 6.3. Such trusted public keys would normally be configured
- in a manner similar to that described in Section 6.2. However, as a
- practical matter, a security aware resolver would still gain some
- confidence in the results it returns even if it was not configured
- with any keys but trusted what it got from a local well known server
- as if it were staticly configured.
-
- Data stored at a security aware server needs to be internally
- categorized as Authenticated, Pending, or Insecure. There is also a
- fourth transient state of Bad which indicates that all SIG checks
- have explicitly failed on the data. Such Bad data is not retained at
- a security aware server. Authenticated means that the data has a
- valid SIG under a KEY traceable via a chain of zero or more SIG and
- KEY RRs allowed by the resolvers policies to a KEY staticly
- configured at the resolver. Pending data has no authenticated SIGs
- and at least one additional SIG the resolver is still trying to
- authenticate. Insecure data is data which it is known can never be
- either Authenticated or found Bad in the zone where it was found
- because it is in or has been reached via a unsecured zone or because
- it is unsigned glue address or delegation point NS data. Behavior in
- terms of control of and flagging based on such data labels is
- described in Section 6.1.
-
- The proper validation of signatures requires a reasonably secure
- shared opinion of the absolute time between resolvers and servers as
- described in Section 6.4.
-
-6.1 The AD and CD Header Bits
-
- Two previously unused bits are allocated out of the DNS
- query/response format header. The AD (authentic data) bit indicates
- in a response that all the data included in the answer and authority
- portion of the response has been authenticated by the server
- according to the policies of that server. The CD (checking disabled)
- bit indicates in a query that Pending (non-authenticated) data is
- acceptable to the resolver sending the query.
-
-
-
-
-Eastlake Standards Track [Page 29]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- These bits are allocated from the previously must-be-zero Z field as
- follows:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ID |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QDCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ANCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | NSCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ARCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- These bits are zero in old servers and resolvers. Thus the responses
- of old servers are not flagged as authenticated to security aware
- resolvers and queries from non-security aware resolvers do not assert
- the checking disabled bit and thus will be answered by security aware
- servers only with Authenticated or Insecure data. Security aware
- resolvers MUST NOT trust the AD bit unless they trust the server they
- are talking to and either have a secure path to it or use DNS
- transaction security.
-
- Any security aware resolver willing to do cryptography SHOULD assert
- the CD bit on all queries to permit it to impose its own policies and
- to reduce DNS latency time by allowing security aware servers to
- answer with Pending data.
-
- Security aware servers MUST NOT return Bad data. For non-security
- aware resolvers or security aware resolvers requesting service by
- having the CD bit clear, security aware servers MUST return only
- Authenticated or Insecure data in the answer and authority sections
- with the AD bit set in the response. Security aware servers SHOULD
- return Pending data, with the AD bit clear in the response, to
- security aware resolvers requesting this service by asserting the CD
- bit in their request. The AD bit MUST NOT be set on a response
- unless all of the RRs in the answer and authority sections of the
- response are either Authenticated or Insecure. The AD bit does not
- cover the additional information section.
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 30]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-6.2 Staticly Configured Keys
-
- The public key to authenticate a zone SHOULD be defined in local
- configuration files before that zone is loaded at the primary server
- so the zone can be authenticated.
-
- While it might seem logical for everyone to start with a public key
- associated with the root zone and staticly configure this in every
- resolver, this has problems. The logistics of updating every DNS
- resolver in the world should this key ever change would be severe.
- Furthermore, many organizations will explicitly wish their "interior"
- DNS implementations to completely trust only their own DNS servers.
- Interior resolvers of such organizations can then go through the
- organization's zone servers to access data outside the organization's
- domain and need not be configured with keys above the organization's
- DNS apex.
-
- Host resolvers that are not part of a larger organization may be
- configured with a key for the domain of their local ISP whose
- recursive secure DNS caching server they use.
-
-6.3 Chaining Through The DNS
-
- Starting with one or more trusted keys for any zone, it should be
- possible to retrieve signed keys for that zone's subzones which have
- a key. A secure sub-zone is indicated by a KEY RR with non-null key
- information appearing with the NS RRs in the sub-zone and which may
- also be present in the parent. These make it possible to descend
- within the tree of zones.
-
-6.3.1 Chaining Through KEYs
-
- In general, some RRset that you wish to validate in the secure DNS
- will be signed by one or more SIG RRs. Each of these SIG RRs has a
- signer under whose name is stored the public KEY to use in
- authenticating the SIG. Each of those KEYs will, generally, also be
- signed with a SIG. And those SIGs will have signer names also
- referring to KEYs. And so on. As a result, authentication leads to
- chains of alternating SIG and KEY RRs with the first SIG signing the
- original data whose authenticity is to be shown and the final KEY
- being some trusted key staticly configured at the resolver performing
- the authentication.
-
- In testing such a chain, the validity periods of the SIGs encountered
- must be intersected to determine the validity period of the
- authentication of the data, a purely algorithmic process. In
- addition, the validation of each SIG over the data with reference to
- a KEY must meet the objective cryptographic test implied by the
-
-
-
-Eastlake Standards Track [Page 31]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- cryptographic algorithm used (although even here the resolver may
- have policies as to trusted algorithms and key lengths). Finally,
- the judgement that a SIG with a particular signer name can
- authenticate data (possibly a KEY RRset) with a particular owner
- name, is primarily a policy question. Ultimately, this is a policy
- local to the resolver and any clients that depend on that resolver's
- decisions. It is, however, recommended, that the policy below be
- adopted:
-
- Let A < B mean that A is a shorter domain name than B formed by
- dropping one or more whole labels from the left end of B, i.e.,
- A is a direct or indirect superdomain of B. Let A = B mean that
- A and B are the same domain name (i.e., are identical after
- letter case canonicalization). Let A > B mean that A is a
- longer domain name than B formed by adding one or more whole
- labels on the left end of B, i.e., A is a direct or indirect
- subdomain of B
-
- Let Static be the owner names of the set of staticly configured
- trusted keys at a resolver.
-
- Then Signer is a valid signer name for a SIG authenticating an
- RRset (possibly a KEY RRset) with owner name Owner at the
- resolver if any of the following three rules apply:
-
- (1) Owner > or = Signer (except that if Signer is root, Owner
- must be root or a top level domain name). That is, Owner is the
- same as or a subdomain of Signer.
-
- (2) ( Owner < Signer ) and ( Signer > or = some Static ). That
- is, Owner is a superdomain of Signer and Signer is staticly
- configured or a subdomain of a staticly configured key.
-
- (3) Signer = some Static. That is, the signer is exactly some
- staticly configured key.
-
- Rule 1 is the rule for descending the DNS tree and includes a special
- prohibition on the root zone key due to the restriction that the root
- zone be only one label deep. This is the most fundamental rule.
-
- Rule 2 is the rule for ascending the DNS tree from one or more
- staticly configured keys. Rule 2 has no effect if only root zone
- keys are staticly configured.
-
- Rule 3 is a rule permitting direct cross certification. Rule 3 has
- no effect if only root zone keys are staticly configured.
-
-
-
-
-
-Eastlake Standards Track [Page 32]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- Great care should be taken that the consequences have been fully
- considered before making any local policy adjustments to these rules
- (other than dispensing with rules 2 and 3 if only root zone keys are
- staticly configured).
-
-6.3.2 Conflicting Data
-
- It is possible that there will be multiple SIG-KEY chains that appear
- to authenticate conflicting RRset answers to the same query. A
- resolver should choose only the most reliable answer to return and
- discard other data. This choice of most reliable is a matter of
- local policy which could take into account differing trust in
- algorithms, key sizes, staticly configured keys, zones traversed,
- etc. The technique given below is recommended for taking into
- account SIG-KEY chain length.
-
- A resolver should keep track of the number of successive secure zones
- traversed from a staticly configured key starting point to any secure
- zone it can reach. In general, the lower such a distance number is,
- the greater the confidence in the data. Staticly configured data
- should be given a distance number of zero. If a query encounters
- different Authenticated data for the same query with different
- distance values, that with a larger value should be ignored unless
- some other local policy covers the case.
-
- A security conscious resolver should completely refuse to step from a
- secure zone into a unsecured zone unless the unsecured zone is
- certified to be non-secure by the presence of an authenticated KEY RR
- for the unsecured zone with the no-key type value. Otherwise the
- resolver is getting bogus or spoofed data.
-
- If legitimate unsecured zones are encountered in traversing the DNS
- tree, then no zone can be trusted as secure that can be reached only
- via information from such non-secure zones. Since the unsecured zone
- data could have been spoofed, the "secure" zone reached via it could
- be counterfeit. The "distance" to data in such zones or zones
- reached via such zones could be set to 256 or more as this exceeds
- the largest possible distance through secure zones in the DNS.
-
-6.4 Secure Time
-
- Coordinated interpretation of the time fields in SIG RRs requires
- that reasonably consistent time be available to the hosts
- implementing the DNS security extensions.
-
- A variety of time synchronization protocols exist including the
- Network Time Protocol (NTP [RFC 1305, 2030]). If such protocols are
- used, they MUST be used securely so that time can not be spoofed.
-
-
-
-Eastlake Standards Track [Page 33]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- Otherwise, for example, a host could get its clock turned back and
- might then believe old SIG RRs, and the data they authenticate, which
- were valid but are no longer.
-
-7. ASCII Representation of Security RRs
-
- This section discusses the format for master file and other ASCII
- presentation of the three DNS security resource records.
-
- The algorithm field in KEY and SIG RRs can be represented as either
- an unsigned integer or symbolicly. The following initial symbols are
- defined as indicated:
-
- Value Symbol
-
- 001 RSAMD5
- 002 DH
- 003 DSA
- 004 ECC
- 252 INDIRECT
- 253 PRIVATEDNS
- 254 PRIVATEOID
-
-7.1 Presentation of KEY RRs
-
- KEY RRs may appear as single logical lines in a zone data master file
- [RFC 1033].
-
- The flag field is represented as an unsigned integer or a sequence of
- mnemonics as follows separated by instances of the verticle bar ("|")
- character:
-
- BIT Mnemonic Explanation
- 0-1 key type
- NOCONF =1 confidentiality use prohibited
- NOAUTH =2 authentication use prohibited
- NOKEY =3 no key present
- 2 FLAG2 - reserved
- 3 EXTEND flags extension
- 4 FLAG4 - reserved
- 5 FLAG5 - reserved
- 6-7 name type
- USER =0 (default, may be omitted)
- ZONE =1
- HOST =2 (host or other end entity)
- NTYP3 - reserved
- 8 FLAG8 - reserved
- 9 FLAG9 - reserved
-
-
-
-Eastlake Standards Track [Page 34]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 10 FLAG10 - reserved
- 11 FLAG11 - reserved
- 12-15 signatory field, values 0 to 15
- can be represented by SIG0, SIG1, ... SIG15
-
- No flag mnemonic need be present if the bit or field it represents is
- zero.
-
- The protocol octet can be represented as either an unsigned integer
- or symbolicly. The following initial symbols are defined:
-
- 000 NONE
- 001 TLS
- 002 EMAIL
- 003 DNSSEC
- 004 IPSEC
- 255 ALL
-
- Note that if the type flags field has the NOKEY value, nothing
- appears after the algorithm octet.
-
- The remaining public key portion is represented in base 64 (see
- Appendix A) and may be divided up into any number of white space
- separated substrings, down to single base 64 digits, which are
- concatenated to obtain the full signature. These substrings can span
- lines using the standard parenthesis.
-
- Note that the public key may have internal sub-fields but these do
- not appear in the master file representation. For example, with
- algorithm 1 there is a public exponent size, then a public exponent,
- and then a modulus. With algorithm 254, there will be an OID size,
- an OID, and algorithm dependent information. But in both cases only a
- single logical base 64 string will appear in the master file.
-
-7.2 Presentation of SIG RRs
-
- A data SIG RR may be represented as a single logical line in a zone
- data file [RFC 1033] but there are some special considerations as
- described below. (It does not make sense to include a transaction or
- request authenticating SIG RR in a file as they are a transient
- authentication that covers data including an ephemeral transaction
- number and so must be calculated in real time.)
-
- There is no particular problem with the signer, covered type, and
- times. The time fields appears in the form YYYYMMDDHHMMSS where YYYY
- is the year, the first MM is the month number (01-12), DD is the day
- of the month (01-31), HH is the hour in 24 hours notation (00-23),
- the second MM is the minute (00-59), and SS is the second (00-59).
-
-
-
-Eastlake Standards Track [Page 35]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- The original TTL field appears as an unsigned integer.
-
- If the original TTL, which applies to the type signed, is the same as
- the TTL of the SIG RR itself, it may be omitted. The date field
- which follows it is larger than the maximum possible TTL so there is
- no ambiguity.
-
- The "labels" field appears as an unsigned integer.
-
- The key tag appears as an unsigned number.
-
- However, the signature itself can be very long. It is the last data
- field and is represented in base 64 (see Appendix A) and may be
- divided up into any number of white space separated substrings, down
- to single base 64 digits, which are concatenated to obtain the full
- signature. These substrings can be split between lines using the
- standard parenthesis.
-
-7.3 Presentation of NXT RRs
-
- NXT RRs do not appear in original unsigned zone master files since
- they should be derived from the zone as it is being signed. If a
- signed file with NXTs added is printed or NXTs are printed by
- debugging code, they appear as the next domain name followed by the
- RR type present bits as an unsigned interger or sequence of RR
- mnemonics.
-
-8. Canonical Form and Order of Resource Records
-
- This section specifies, for purposes of domain name system (DNS)
- security, the canonical form of resource records (RRs), their name
- order, and their overall order. A canonical name order is necessary
- to construct the NXT name chain. A canonical form and ordering
- within an RRset is necessary in consistently constructing and
- verifying SIG RRs. A canonical ordering of types within a name is
- required in connection with incremental transfer (Section 5.6.2).
-
-8.1 Canonical RR Form
-
- For purposes of DNS security, the canonical form for an RR is the
- wire format of the RR with domain names (1) fully expanded (no name
- compression via pointers), (2) all domain name letters set to lower
- case, (3) owner name wild cards in master file form (no substitution
- made for *), and (4) the original TTL substituted for the current
- TTL.
-
-
-
-
-
-
-Eastlake Standards Track [Page 36]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-8.2 Canonical DNS Name Order
-
- For purposes of DNS security, the canonical ordering of owner names
- is to sort individual labels as unsigned left justified octet strings
- where the absence of a octet sorts before a zero value octet and
- upper case letters are treated as lower case letters. Names in a
- zone are sorted by sorting on the highest level label and then,
- within those names with the same highest level label by the next
- lower label, etc. down to leaf node labels. Within a zone, the zone
- name itself always exists and all other names are the zone name with
- some prefix of lower level labels. Thus the zone name itself always
- sorts first.
-
- Example:
- foo.example
- a.foo.example
- yljkjljk.a.foo.example
- Z.a.foo.example
- zABC.a.FOO.EXAMPLE
- z.foo.example
- *.z.foo.example
- \200.z.foo.example
-
-8.3 Canonical RR Ordering Within An RRset
-
- Within any particular owner name and type, RRs are sorted by RDATA as
- a left justified unsigned octet sequence where the absence of an
- octet sorts before the zero octet.
-
-8.4 Canonical Ordering of RR Types
-
- When RRs of the same name but different types must be ordered, they
- are ordered by type, considering the type to be an unsigned integer,
- except that SIG RRs are placed immediately after the type they cover.
- Thus, for example, an A record would be put before an MX record
- because A is type 1 and MX is type 15 but if both were signed, the
- order would be A < SIG(A) < MX < SIG(MX).
-
-9. Conformance
-
- Levels of server and resolver conformance are defined below.
-
-9.1 Server Conformance
-
- Two levels of server conformance for DNS security are defined as
- follows:
-
-
-
-
-
-Eastlake Standards Track [Page 37]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- BASIC: Basic server compliance is the ability to store and retrieve
- (including zone transfer) SIG, KEY, and NXT RRs. Any secondary or
- caching server for a secure zone MUST have at least basic compliance
- and even then some things, such as secure CNAMEs, will not work
- without full compliance.
-
- FULL: Full server compliance adds the following to basic compliance:
- (1) ability to read SIG, KEY, and NXT RRs in zone files and (2)
- ability, given a zone file and private key, to add appropriate SIG
- and NXT RRs, possibly via a separate application, (3) proper
- automatic inclusion of SIG, KEY, and NXT RRs in responses, (4)
- suppression of CNAME following on retrieval of the security type RRs,
- (5) recognize the CD query header bit and set the AD query header
- bit, as appropriate, and (6) proper handling of the two NXT RRs at
- delegation points. Primary servers for secure zones MUST be fully
- compliant and for complete secure operation, all secondary, caching,
- and other servers handling the zone SHOULD be fully compliant as
- well.
-
-9.2 Resolver Conformance
-
- Two levels of resolver compliance (including the resolver portion of
- a server) are defined for DNS Security:
-
- BASIC: A basic compliance resolver can handle SIG, KEY, and NXT RRs
- when they are explicitly requested.
-
- FULL: A fully compliant resolver (1) understands KEY, SIG, and NXT
- RRs including verification of SIGs at least for the mandatory
- algorithm, (2) maintains appropriate information in its local caches
- and database to indicate which RRs have been authenticated and to
- what extent they have been authenticated, (3) performs additional
- queries as necessary to attempt to obtain KEY, SIG, or NXT RRs when
- needed, (4) normally sets the CD query header bit on its queries.
-
-10. Security Considerations
-
- This document specifies extensions to the Domain Name System (DNS)
- protocol to provide data integrity and data origin authentication,
- public key distribution, and optional transaction and request
- security.
-
- It should be noted that, at most, these extensions guarantee the
- validity of resource records, including KEY resource records,
- retrieved from the DNS. They do not magically solve other security
- problems. For example, using secure DNS you can have high confidence
- in the IP address you retrieve for a host name; however, this does
- not stop someone for substituting an unauthorized host at that
-
-
-
-Eastlake Standards Track [Page 38]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- address or capturing packets sent to that address and falsely
- responding with packets apparently from that address. Any reasonably
- complete security system will require the protection of many
- additional facets of the Internet beyond DNS.
-
- The implementation of NXT RRs as described herein enables a resolver
- to determine all the names in a zone even if zone transfers are
- prohibited (section 5.6). This is an active area of work and may
- change.
-
- A number of precautions in DNS implementation have evolved over the
- years to harden the insecure DNS against spoofing. These precautions
- should not be abandoned but should be considered to provide
- additional protection in case of key compromise in secure DNS.
-
-11. IANA Considerations
-
- KEY RR flag bits 2 and 8-11 and all flag extension field bits can be
- assigned by IETF consensus as defined in RFC 2434. The remaining
- values of the NAMTYP flag field and flag bits 4 and 5 (which could
- conceivably become an extension of the NAMTYP field) can only be
- assigned by an IETF Standards Action [RFC 2434].
-
- Algorithm numbers 5 through 251 are available for assignment should
- sufficient reason arise. However, the designation of a new algorithm
- could have a major impact on interoperability and requires an IETF
- Standards Action [RFC 2434]. The existence of the private algorithm
- types 253 and 254 should satify most needs for private or proprietary
- algorithms.
-
- Additional values of the Protocol Octet (5-254) can be assigned by
- IETF Consensus [RFC 2434].
-
- The meaning of the first bit of the NXT RR "type bit map" being a one
- can only be assigned by a standards action.
-
-References
-
- [RFC 1033] Lottor, M., "Domain Administrators Operations Guide", RFC
- 1033, November 1987.
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
-
-
-
-
-Eastlake Standards Track [Page 39]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- [RFC 1305] Mills, D., "Network Time Protocol (v3)", RFC 1305, March
- 1992.
-
- [RFC 1530] Malamud, C. and M. Rose, "Principles of Operation for the
- TPC.INT Subdomain: General Principles and Policy", RFC
- 1530, October 1993.
-
- [RFC 2401] Kent, S. and R. Atkinson, "Security Architecture for the
- Internet Protocol", RFC 2401, November 1998.
-
- [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC
- 1982, September 1996.
-
- [RFC 1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
- August 1996.
-
- [RFC 2030] Mills, D., "Simple Network Time Protocol (SNTP) Version 4
- for IPv4, IPv6 and OSI", RFC 2030, October 1996.
-
- [RFC 2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
- Extensions (MIME) Part One: Format of Internet Message
- Bodies", RFC 2045, November 1996.
-
- [RFC 2065] Eastlake, D. and C. Kaufman, "Domain Name System Security
- Extensions", RFC 2065, January 1997.
-
- [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)",
- RFC 2136, April 1997.
-
- [RFC 2137] Eastlake, D., "Secure Domain Name System Dynamic Update",
- RFC 2137, April 1997.
-
- [RFC 2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [RFC 2537] Eastlake, D., "RSA/MD5 KEYs and SIGs in the Domain Name
- System (DNS)", RFC 2537, March 1999.
-
- [RFC 2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
- Domain Name System (DNS)", RFC 2539, March 1999.
-
-
-
-Eastlake Standards Track [Page 40]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- [RFC 2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name
- System (DNS)", RFC 2536, March 1999.
-
- [RFC 2538] Eastlake, D. and O. Gudmundsson, "Storing Certificates in
- the Domain Name System", RFC 2538, March 1999.
-
- [RFC 2541] Eastlake, D., "DNS Operational Security Considerations",
- RFC 2541, March 1999.
-
- [RSA FAQ] - RSADSI Frequently Asked Questions periodic posting.
-
-Author's Address
-
- Donald E. Eastlake 3rd
- IBM
- 65 Shindegan Hill Road
- RR #1
- Carmel, NY 10512
-
- Phone: +1-914-784-7913 (w)
- +1-914-276-2668 (h)
- Fax: +1-914-784-3833 (w-fax)
- EMail: dee3@us.ibm.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 41]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-Appendix A: Base 64 Encoding
-
- The following encoding technique is taken from [RFC 2045] by N.
- Borenstein and N. Freed. It is reproduced here in an edited form for
- convenience.
-
- A 65-character subset of US-ASCII is used, enabling 6 bits to be
- represented per printable character. (The extra 65th character, "=",
- is used to signify a special processing function.)
-
- The encoding process represents 24-bit groups of input bits as output
- strings of 4 encoded characters. Proceeding from left to right, a
- 24-bit input group is formed by concatenating 3 8-bit input groups.
- These 24 bits are then treated as 4 concatenated 6-bit groups, each
- of which is translated into a single digit in the base 64 alphabet.
-
- Each 6-bit group is used as an index into an array of 64 printable
- characters. The character referenced by the index is placed in the
- output string.
-
- Table 1: The Base 64 Alphabet
-
- Value Encoding Value Encoding Value Encoding Value Encoding
- 0 A 17 R 34 i 51 z
- 1 B 18 S 35 j 52 0
- 2 C 19 T 36 k 53 1
- 3 D 20 U 37 l 54 2
- 4 E 21 V 38 m 55 3
- 5 F 22 W 39 n 56 4
- 6 G 23 X 40 o 57 5
- 7 H 24 Y 41 p 58 6
- 8 I 25 Z 42 q 59 7
- 9 J 26 a 43 r 60 8
- 10 K 27 b 44 s 61 9
- 11 L 28 c 45 t 62 +
- 12 M 29 d 46 u 63 /
- 13 N 30 e 47 v
- 14 O 31 f 48 w (pad) =
- 15 P 32 g 49 x
- 16 Q 33 h 50 y
-
- Special processing is performed if fewer than 24 bits are available
- at the end of the data being encoded. A full encoding quantum is
- always completed at the end of a quantity. When fewer than 24 input
- bits are available in an input group, zero bits are added (on the
- right) to form an integral number of 6-bit groups. Padding at the
- end of the data is performed using the '=' character. Since all base
- 64 input is an integral number of octets, only the following cases
-
-
-
-Eastlake Standards Track [Page 42]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- can arise: (1) the final quantum of encoding input is an integral
- multiple of 24 bits; here, the final unit of encoded output will be
- an integral multiple of 4 characters with no "=" padding, (2) the
- final quantum of encoding input is exactly 8 bits; here, the final
- unit of encoded output will be two characters followed by two "="
- padding characters, or (3) the final quantum of encoding input is
- exactly 16 bits; here, the final unit of encoded output will be three
- characters followed by one "=" padding character.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 43]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-Appendix B: Changes from RFC 2065
-
- This section summarizes the most important changes that have been
- made since RFC 2065.
-
- 1. Most of Section 7 of [RFC 2065] called "Operational
- Considerations", has been removed and may be made into a separate
- document [RFC 2541].
-
- 2. The KEY RR has been changed by (2a) eliminating the "experimental"
- flag as unnecessary, (2b) reserving a flag bit for flags
- expansion, (2c) more compactly encoding a number of bit fields in
- such a way as to leave unchanged bits actually used by the limited
- code currently deployed, (2d) eliminating the IPSEC and email flag
- bits which are replaced by values of the protocol field and adding
- a protocol field value for DNS security itself, (2e) adding
- material to indicate that zone KEY RRs occur only at delegation
- points, and (2f) removing the description of the RSA/MD5 algorithm
- to a separate document [RFC 2537]. Section 3.4 describing the
- meaning of various combinations of "no-key" and key present KEY
- RRs has been added and the secure / unsecure status of a zone has
- been clarified as being per algorithm.
-
- 3. The SIG RR has been changed by (3a) renaming the "time signed"
- field to be the "signature inception" field, (3b) clarifying that
- signature expiration and inception use serial number ring
- arithmetic, (3c) changing the definition of the key footprint/tag
- for algorithms other than 1 and adding Appendix C to specify its
- calculation. In addition, the SIG covering type AXFR has been
- eliminated while one covering IXFR [RFC 1995] has been added (see
- section 5.6).
-
- 4. Algorithm 3, the DSA algorithm, is now designated as the mandatory
- to implement algorithm. Algorithm 1, the RSA/MD5 algorithm, is
- now a recommended option. Algorithm 2 and 4 are designated as the
- Diffie-Hellman key and elliptic cryptography algorithms
- respectively, all to be defined in separate documents. Algorithm
- code point 252 is designated to indicate "indirect" keys, to be
- defined in a separate document, where the actual key is elsewhere.
- Both the KEY and SIG RR definitions have been simplified by
- eliminating the "null" algorithm 253 as defined in [RFC 2065].
- That algorithm had been included because at the time it was
- thought it might be useful in DNS dynamic update [RFC 2136]. It
- was in fact not so used and it is dropped to simplify DNS
- security. Howver, that algorithm number has been re-used to
- indicate private algorithms where a domain name specifies the
- algorithm.
-
-
-
-
-Eastlake Standards Track [Page 44]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
- 5. The NXT RR has been changed so that (5a) the NXT RRs in a zone
- cover all names, including wildcards as literal names without
- expansion, except for glue address records whose names would not
- otherwise appear, (5b) all NXT bit map areas whose first octet has
- bit zero set have been reserved for future definition, (5c) the
- number of and circumstances under which an NXT must be returned in
- connection with wildcard names has been extended, and (5d) in
- connection with the bit map, references to the WKS RR have been
- removed and verticle bars ("|") have been added between the RR
- type mnemonics in the ASCII representation.
-
- 6. Information on the canonical form and ordering of RRs has been
- moved into a separate Section 8.
-
- 7. A subsection covering incremental and full zone transfer has been
- added in Section 5.
-
- 8. Concerning DNS chaining: Further specification and policy
- recommendations on secure resolution have been added, primarily in
- Section 6.3.1. It is now clearly stated that authenticated data
- has a validity period of the intersection of the validity periods
- of the SIG RRs in its authentication chain. The requirement to
- staticly configure a superzone's key signed by a zone in all of
- the zone's authoritative servers has been removed. The
- recommendation to continue DNS security checks in a secure island
- of DNS data that is separated from other parts of the DNS tree by
- insecure zones and does not contain a zone for which a key has
- been staticly configured was dropped.
-
- 9. It was clarified that the presence of the AD bit in a response
- does not apply to the additional information section or to glue
- address or delegation point NS RRs. The AD bit only indicates
- that the answer and authority sections of the response are
- authoritative.
-
- 10. It is now required that KEY RRs and NXT RRs be signed only with
- zone-level keys.
-
- 11. Add IANA Considerations section and references to RFC 2434.
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 45]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-Appendix C: Key Tag Calculation
-
- The key tag field in the SIG RR is just a means of more efficiently
- selecting the correct KEY RR to use when there is more than one KEY
- RR candidate available, for example, in verifying a signature. It is
- possible for more than one candidate key to have the same tag, in
- which case each must be tried until one works or all fail. The
- following reference implementation of how to calculate the Key Tag,
- for all algorithms other than algorithm 1, is in ANSI C. It is coded
- for clarity, not efficiency. (See section 4.1.6 for how to determine
- the Key Tag of an algorithm 1 key.)
-
- /* assumes int is at least 16 bits
- first byte of the key tag is the most significant byte of return
- value
- second byte of the key tag is the least significant byte of
- return value
- */
-
- int keytag (
-
- unsigned char key[], /* the RDATA part of the KEY RR */
- unsigned int keysize, /* the RDLENGTH */
- )
- {
- long int ac; /* assumed to be 32 bits or larger */
-
- for ( ac = 0, i = 0; i < keysize; ++i )
- ac += (i&1) ? key[i] : key[i]<<8;
- ac += (ac>>16) & 0xFFFF;
- return ac & 0xFFFF;
- }
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 46]
-
-RFC 2535 DNS Security Extensions March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 47]
-
diff --git a/contrib/bind9/doc/rfc/rfc2536.txt b/contrib/bind9/doc/rfc/rfc2536.txt
deleted file mode 100644
index 88be242bb7d0..000000000000
--- a/contrib/bind9/doc/rfc/rfc2536.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. EastLake
-Request for Comments: 2536 IBM
-Category: Standards Track March 1999
-
-
- DSA KEYs and SIGs in the Domain Name System (DNS)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- A standard method for storing US Government Digital Signature
- Algorithm keys and signatures in the Domain Name System is described
- which utilizes DNS KEY and SIG resource records.
-
-Table of Contents
-
- Abstract...................................................1
- 1. Introduction............................................1
- 2. DSA KEY Resource Records................................2
- 3. DSA SIG Resource Records................................3
- 4. Performance Considerations..............................3
- 5. Security Considerations.................................4
- 6. IANA Considerations.....................................4
- References.................................................5
- Author's Address...........................................5
- Full Copyright Statement...................................6
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- other information. The DNS has been extended to include digital
- signatures and cryptographic keys as described in [RFC 2535]. Thus
- the DNS can now be secured and can be used for secure key
- distribution.
-
-
-
-
-
-Eastlake Standards Track [Page 1]
-
-RFC 2536 DSA in the DNS March 1999
-
-
- This document describes how to store US Government Digital Signature
- Algorithm (DSA) keys and signatures in the DNS. Familiarity with the
- US Digital Signature Algorithm is assumed [Schneier]. Implementation
- of DSA is mandatory for DNS security.
-
-2. DSA KEY Resource Records
-
- DSA public keys are stored in the DNS as KEY RRs using algorithm
- number 3 [RFC 2535]. The structure of the algorithm specific portion
- of the RDATA part of this RR is as shown below. These fields, from Q
- through Y are the "public key" part of the DSA KEY RR.
-
- The period of key validity is not in the KEY RR but is indicated by
- the SIG RR(s) which signs and authenticates the KEY RR(s) at that
- domain name.
-
- Field Size
- ----- ----
- T 1 octet
- Q 20 octets
- P 64 + T*8 octets
- G 64 + T*8 octets
- Y 64 + T*8 octets
-
- As described in [FIPS 186] and [Schneier]: T is a key size parameter
- chosen such that 0 <= T <= 8. (The meaning for algorithm 3 if the T
- octet is greater than 8 is reserved and the remainder of the RDATA
- portion may have a different format in that case.) Q is a prime
- number selected at key generation time such that 2**159 < Q < 2**160
- so Q is always 20 octets long and, as with all other fields, is
- stored in "big-endian" network order. P, G, and Y are calculated as
- directed by the FIPS 186 key generation algorithm [Schneier]. P is
- in the range 2**(511+64T) < P < 2**(512+64T) and so is 64 + 8*T
- octets long. G and Y are quantities modulus P and so can be up to
- the same length as P and are allocated fixed size fields with the
- same number of octets as P.
-
- During the key generation process, a random number X must be
- generated such that 1 <= X <= Q-1. X is the private key and is used
- in the final step of public key generation where Y is computed as
-
- Y = G**X mod P
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 2]
-
-RFC 2536 DSA in the DNS March 1999
-
-
-3. DSA SIG Resource Records
-
- The signature portion of the SIG RR RDATA area, when using the US
- Digital Signature Algorithm, is shown below with fields in the order
- they occur. See [RFC 2535] for fields in the SIG RR RDATA which
- precede the signature itself.
-
- Field Size
- ----- ----
- T 1 octet
- R 20 octets
- S 20 octets
-
- The data signed is determined as specified in [RFC 2535]. Then the
- following steps are taken, as specified in [FIPS 186], where Q, P, G,
- and Y are as specified in the public key [Schneier]:
-
- hash = SHA-1 ( data )
-
- Generate a random K such that 0 < K < Q.
-
- R = ( G**K mod P ) mod Q
-
- S = ( K**(-1) * (hash + X*R) ) mod Q
-
- Since Q is 160 bits long, R and S can not be larger than 20 octets,
- which is the space allocated.
-
- T is copied from the public key. It is not logically necessary in
- the SIG but is present so that values of T > 8 can more conveniently
- be used as an escape for extended versions of DSA or other algorithms
- as later specified.
-
-4. Performance Considerations
-
- General signature generation speeds are roughly the same for RSA [RFC
- 2537] and DSA. With sufficient pre-computation, signature generation
- with DSA is faster than RSA. Key generation is also faster for DSA.
- However, signature verification is an order of magnitude slower than
- RSA when the RSA public exponent is chosen to be small as is
- recommended for KEY RRs used in domain name system (DNS) data
- authentication.
-
- Current DNS implementations are optimized for small transfers,
- typically less than 512 bytes including overhead. While larger
- transfers will perform correctly and work is underway to make larger
- transfers more efficient, it is still advisable at this time to make
- reasonable efforts to minimize the size of KEY RR sets stored within
-
-
-
-Eastlake Standards Track [Page 3]
-
-RFC 2536 DSA in the DNS March 1999
-
-
- the DNS consistent with adequate security. Keep in mind that in a
- secure zone, at least one authenticating SIG RR will also be
- returned.
-
-5. Security Considerations
-
- Many of the general security consideration in [RFC 2535] apply. Keys
- retrieved from the DNS should not be trusted unless (1) they have
- been securely obtained from a secure resolver or independently
- verified by the user and (2) this secure resolver and secure
- obtainment or independent verification conform to security policies
- acceptable to the user. As with all cryptographic algorithms,
- evaluating the necessary strength of the key is essential and
- dependent on local policy.
-
- The key size limitation of a maximum of 1024 bits ( T = 8 ) in the
- current DSA standard may limit the security of DSA. For particularly
- critical applications, implementors are encouraged to consider the
- range of available algorithms and key sizes.
-
- DSA assumes the ability to frequently generate high quality random
- numbers. See [RFC 1750] for guidance. DSA is designed so that if
- manipulated rather than random numbers are used, very high bandwidth
- covert channels are possible. See [Schneier] and more recent
- research. The leakage of an entire DSA private key in only two DSA
- signatures has been demonstrated. DSA provides security only if
- trusted implementations, including trusted random number generation,
- are used.
-
-6. IANA Considerations
-
- Allocation of meaning to values of the T parameter that are not
- defined herein requires an IETF standards actions. It is intended
- that values unallocated herein be used to cover future extensions of
- the DSS standard.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 4]
-
-RFC 2536 DSA in the DNS March 1999
-
-
-References
-
- [FIPS 186] U.S. Federal Information Processing Standard: Digital
- Signature Standard.
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC 1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
- Recommendations for Security", RFC 1750, December 1994.
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC 2537] Eastlake, D., "RSA/MD5 KEYs and SIGs in the Domain Name
- System (DNS)", RFC 2537, March 1999.
-
- [Schneier] Schneier, B., "Applied Cryptography Second Edition:
- protocols, algorithms, and source code in C", 1996.
-
-Author's Address
-
- Donald E. Eastlake 3rd
- IBM
- 65 Shindegan Hill Road, RR #1
- Carmel, NY 10512
-
- Phone: +1-914-276-2668(h)
- +1-914-784-7913(w)
- Fax: +1-914-784-3833(w)
- EMail: dee3@us.ibm.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 5]
-
-RFC 2536 DSA in the DNS March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc2537.txt b/contrib/bind9/doc/rfc/rfc2537.txt
deleted file mode 100644
index cb75cf5b3b81..000000000000
--- a/contrib/bind9/doc/rfc/rfc2537.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake
-Request for Comments: 2537 IBM
-Category: Standards Track March 1999
-
-
- RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- A standard method for storing RSA keys and and RSA/MD5 based
- signatures in the Domain Name System is described which utilizes DNS
- KEY and SIG resource records.
-
-Table of Contents
-
- Abstract...................................................1
- 1. Introduction............................................1
- 2. RSA Public KEY Resource Records.........................2
- 3. RSA/MD5 SIG Resource Records............................2
- 4. Performance Considerations..............................3
- 5. Security Considerations.................................4
- References.................................................4
- Author's Address...........................................5
- Full Copyright Statement...................................6
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- other information. The DNS has been extended to include digital
- signatures and cryptographic keys as described in [RFC 2535]. Thus
- the DNS can now be secured and used for secure key distribution.
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 1]
-
-RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
-
-
- This document describes how to store RSA keys and and RSA/MD5 based
- signatures in the DNS. Familiarity with the RSA algorithm is assumed
- [Schneier]. Implementation of the RSA algorithm in DNS is
- recommended.
-
- The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
- in this document are to be interpreted as described in RFC 2119.
-
-2. RSA Public KEY Resource Records
-
- RSA public keys are stored in the DNS as KEY RRs using algorithm
- number 1 [RFC 2535]. The structure of the algorithm specific portion
- of the RDATA part of such RRs is as shown below.
-
- Field Size
- ----- ----
- exponent length 1 or 3 octets (see text)
- exponent as specified by length field
- modulus remaining space
-
- For interoperability, the exponent and modulus are each currently
- limited to 4096 bits in length. The public key exponent is a
- variable length unsigned integer. Its length in octets is
- represented as one octet if it is in the range of 1 to 255 and by a
- zero octet followed by a two octet unsigned length if it is longer
- than 255 bytes. The public key modulus field is a multiprecision
- unsigned integer. The length of the modulus can be determined from
- the RDLENGTH and the preceding RDATA fields including the exponent.
- Leading zero octets are prohibited in the exponent and modulus.
-
-3. RSA/MD5 SIG Resource Records
-
- The signature portion of the SIG RR RDATA area, when using the
- RSA/MD5 algorithm, is calculated as shown below. The data signed is
- determined as specified in [RFC 2535]. See [RFC 2535] for fields in
- the SIG RR RDATA which precede the signature itself.
-
-
- hash = MD5 ( data )
-
- signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 2]
-
-RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
-
-
- where MD5 is the message digest algorithm documented in [RFC 1321],
- "|" is concatenation, "e" is the private key exponent of the signer,
- and "n" is the modulus of the signer's public key. 01, FF, and 00
- are fixed octets of the corresponding hexadecimal value. "prefix" is
- the ASN.1 BER MD5 algorithm designator prefix specified in [RFC
- 2437], that is,
-
- hex 3020300c06082a864886f70d020505000410 [NETSEC].
-
- This prefix is included to make it easier to use RSAREF (or similar
- packages such as EuroRef). The FF octet MUST be repeated the maximum
- number of times such that the value of the quantity being
- exponentiated is the same length in octets as the value of n.
-
- (The above specifications are identical to the corresponding part of
- Public Key Cryptographic Standard #1 [RFC 2437].)
-
- The size of n, including most and least significant bits (which will
- be 1) MUST be not less than 512 bits and not more than 4096 bits. n
- and e SHOULD be chosen such that the public exponent is small.
-
- Leading zero bytes are permitted in the RSA/MD5 algorithm signature.
-
- A public exponent of 3 minimizes the effort needed to verify a
- signature. Use of 3 as the public exponent is weak for
- confidentiality uses since, if the same data can be collected
- encrypted under three different keys with an exponent of 3 then,
- using the Chinese Remainder Theorem [NETSEC], the original plain text
- can be easily recovered. This weakness is not significant for DNS
- security because we seek only authentication, not confidentiality.
-
-4. Performance Considerations
-
- General signature generation speeds are roughly the same for RSA and
- DSA [RFC 2536]. With sufficient pre-computation, signature
- generation with DSA is faster than RSA. Key generation is also
- faster for DSA. However, signature verification is an order of
- magnitude slower with DSA when the RSA public exponent is chosen to
- be small as is recommended for KEY RRs used in domain name system
- (DNS) data authentication.
-
- Current DNS implementations are optimized for small transfers,
- typically less than 512 bytes including overhead. While larger
- transfers will perform correctly and work is underway to make larger
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 3]
-
-RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
-
-
- transfers more efficient, it is still advisable at this time to make
- reasonable efforts to minimize the size of KEY RR sets stored within
- the DNS consistent with adequate security. Keep in mind that in a
- secure zone, at least one authenticating SIG RR will also be
- returned.
-
-5. Security Considerations
-
- Many of the general security consideration in [RFC 2535] apply. Keys
- retrieved from the DNS should not be trusted unless (1) they have
- been securely obtained from a secure resolver or independently
- verified by the user and (2) this secure resolver and secure
- obtainment or independent verification conform to security policies
- acceptable to the user. As with all cryptographic algorithms,
- evaluating the necessary strength of the key is essential and
- dependent on local policy.
-
- For interoperability, the RSA key size is limited to 4096 bits. For
- particularly critical applications, implementors are encouraged to
- consider the range of available algorithms and key sizes.
-
-References
-
- [NETSEC] Kaufman, C., Perlman, R. and M. Speciner, "Network
- Security: PRIVATE Communications in a PUBLIC World",
- Series in Computer Networking and Distributed
- Communications, 1995.
-
- [RFC 2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
- Specifications Version 2.0", RFC 2437, October 1998.
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321
- April 1992.
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC 2536] EastLake, D., "DSA KEYs and SIGs in the Domain Name
- System (DNS)", RFC 2536, March 1999.
-
-
-
-
-
-
-Eastlake Standards Track [Page 4]
-
-RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
-
-
- [Schneier] Bruce Schneier, "Applied Cryptography Second Edition:
- protocols, algorithms, and source code in C", 1996, John
- Wiley and Sons, ISBN 0-471-11709-9.
-
-Author's Address
-
- Donald E. Eastlake 3rd
- IBM
- 65 Shindegan Hill Road, RR #1
- Carmel, NY 10512
-
- Phone: +1-914-276-2668(h)
- +1-914-784-7913(w)
- Fax: +1-914-784-3833(w)
- EMail: dee3@us.ibm.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 5]
-
-RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc2538.txt b/contrib/bind9/doc/rfc/rfc2538.txt
deleted file mode 100644
index c53e3efd15b5..000000000000
--- a/contrib/bind9/doc/rfc/rfc2538.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake
-Request for Comments: 2538 IBM
-Category: Standards Track O. Gudmundsson
- TIS Labs
- March 1999
-
-
- Storing Certificates in the Domain Name System (DNS)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- Cryptographic public key are frequently published and their
- authenticity demonstrated by certificates. A CERT resource record
- (RR) is defined so that such certificates and related certificate
- revocation lists can be stored in the Domain Name System (DNS).
-
-Table of Contents
-
- Abstract...................................................1
- 1. Introduction............................................2
- 2. The CERT Resource Record................................2
- 2.1 Certificate Type Values................................3
- 2.2 Text Representation of CERT RRs........................4
- 2.3 X.509 OIDs.............................................4
- 3. Appropriate Owner Names for CERT RRs....................5
- 3.1 X.509 CERT RR Names....................................5
- 3.2 PGP CERT RR Names......................................6
- 4. Performance Considerations..............................6
- 5. IANA Considerations.....................................7
- 6. Security Considerations.................................7
- References.................................................8
- Authors' Addresses.........................................9
- Full Copyright Notice.....................................10
-
-
-
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 1]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
-1. Introduction
-
- Public keys are frequently published in the form of a certificate and
- their authenticity is commonly demonstrated by certificates and
- related certificate revocation lists (CRLs). A certificate is a
- binding, through a cryptographic digital signature, of a public key,
- a validity interval and/or conditions, and identity, authorization,
- or other information. A certificate revocation list is a list of
- certificates that are revoked, and incidental information, all signed
- by the signer (issuer) of the revoked certificates. Examples are
- X.509 certificates/CRLs in the X.500 directory system or PGP
- certificates/revocations used by PGP software.
-
- Section 2 below specifies a CERT resource record (RR) for the storage
- of certificates in the Domain Name System.
-
- Section 3 discusses appropriate owner names for CERT RRs.
-
- Sections 4, 5, and 6 below cover performance, IANA, and security
- considerations, respectively.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-2. The CERT Resource Record
-
- The CERT resource record (RR) has the structure given below. Its RR
- type code is 37.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | type | key tag |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | algorithm | /
- +---------------+ certificate or CRL /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
- The type field is the certificate type as define in section 2.1
- below.
-
- The algorithm field has the same meaning as the algorithm field in
- KEY and SIG RRs [RFC 2535] except that a zero algorithm field
- indicates the algorithm is unknown to a secure DNS, which may simply
- be the result of the algorithm not having been standardized for
- secure DNS.
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 2]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
- The key tag field is the 16 bit value computed for the key embedded
- in the certificate as specified in the DNSSEC Standard [RFC 2535].
- This field is used as an efficiency measure to pick which CERT RRs
- may be applicable to a particular key. The key tag can be calculated
- for the key in question and then only CERT RRs with the same key tag
- need be examined. However, the key must always be transformed to the
- format it would have as the public key portion of a KEY RR before the
- key tag is computed. This is only possible if the key is applicable
- to an algorithm (and limits such as key size limits) defined for DNS
- security. If it is not, the algorithm field MUST BE zero and the tag
- field is meaningless and SHOULD BE zero.
-
-2.1 Certificate Type Values
-
- The following values are defined or reserved:
-
- Value Mnemonic Certificate Type
- ----- -------- ----------- ----
- 0 reserved
- 1 PKIX X.509 as per PKIX
- 2 SPKI SPKI cert
- 3 PGP PGP cert
- 4-252 available for IANA assignment
- 253 URI URI private
- 254 OID OID private
- 255-65534 available for IANA assignment
- 65535 reserved
-
- The PKIX type is reserved to indicate an X.509 certificate conforming
- to the profile being defined by the IETF PKIX working group. The
- certificate section will start with a one byte unsigned OID length
- and then an X.500 OID indicating the nature of the remainder of the
- certificate section (see 2.3 below). (NOTE: X.509 certificates do
- not include their X.500 directory type designating OID as a prefix.)
-
- The SPKI type is reserved to indicate a certificate formated as to be
- specified by the IETF SPKI working group.
-
- The PGP type indicates a Pretty Good Privacy certificate as described
- in RFC 2440 and its extensions and successors.
-
- The URI private type indicates a certificate format defined by an
- absolute URI. The certificate portion of the CERT RR MUST begin with
- a null terminated URI [RFC 2396] and the data after the null is the
- private format certificate itself. The URI SHOULD be such that a
- retrieval from it will lead to documentation on the format of the
- certificate. Recognition of private certificate types need not be
- based on URI equality but can use various forms of pattern matching
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 3]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
- so that, for example, subtype or version information can also be
- encoded into the URI.
-
- The OID private type indicates a private format certificate specified
- by a an ISO OID prefix. The certificate section will start with a
- one byte unsigned OID length and then a BER encoded OID indicating
- the nature of the remainder of the certificate section. This can be
- an X.509 certificate format or some other format. X.509 certificates
- that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
- type, not the OID private type. Recognition of private certificate
- types need not be based on OID equality but can use various forms of
- pattern matching such as OID prefix.
-
-2.2 Text Representation of CERT RRs
-
- The RDATA portion of a CERT RR has the type field as an unsigned
- integer or as a mnemonic symbol as listed in section 2.1 above.
-
- The key tag field is represented as an unsigned integer.
-
- The algorithm field is represented as an unsigned integer or a
- mnemonic symbol as listed in [RFC 2535].
-
- The certificate / CRL portion is represented in base 64 and may be
- divided up into any number of white space separated substrings, down
- to single base 64 digits, which are concatenated to obtain the full
- signature. These substrings can span lines using the standard
- parenthesis.
-
- Note that the certificate / CRL portion may have internal sub-fields
- but these do not appear in the master file representation. For
- example, with type 254, there will be an OID size, an OID, and then
- the certificate / CRL proper. But only a single logical base 64
- string will appear in the text representation.
-
-2.3 X.509 OIDs
-
- OIDs have been defined in connection with the X.500 directory for
- user certificates, certification authority certificates, revocations
- of certification authority, and revocations of user certificates.
- The following table lists the OIDs, their BER encoding, and their
- length prefixed hex format for use in CERT RRs:
-
-
-
-
-
-
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 4]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
- id-at-userCertificate
- = { joint-iso-ccitt(2) ds(5) at(4) 36 }
- == 0x 03 55 04 24
- id-at-cACertificate
- = { joint-iso-ccitt(2) ds(5) at(4) 37 }
- == 0x 03 55 04 25
- id-at-authorityRevocationList
- = { joint-iso-ccitt(2) ds(5) at(4) 38 }
- == 0x 03 55 04 26
- id-at-certificateRevocationList
- = { joint-iso-ccitt(2) ds(5) at(4) 39 }
- == 0x 03 55 04 27
-
-3. Appropriate Owner Names for CERT RRs
-
- It is recommended that certificate CERT RRs be stored under a domain
- name related to their subject, i.e., the name of the entity intended
- to control the private key corresponding to the public key being
- certified. It is recommended that certificate revocation list CERT
- RRs be stored under a domain name related to their issuer.
-
- Following some of the guidelines below may result in the use in DNS
- names of characters that require DNS quoting which is to use a
- backslash followed by the octal representation of the ASCII code for
- the character such as \000 for NULL.
-
-3.1 X.509 CERT RR Names
-
- Some X.509 versions permit multiple names to be associated with
- subjects and issuers under "Subject Alternate Name" and "Issuer
- Alternate Name". For example, x.509v3 has such Alternate Names with
- an ASN.1 specification as follows:
-
- GeneralName ::= CHOICE {
- otherName [0] INSTANCE OF OTHER-NAME,
- rfc822Name [1] IA5String,
- dNSName [2] IA5String,
- x400Address [3] EXPLICIT OR-ADDRESS.&Type,
- directoryName [4] EXPLICIT Name,
- ediPartyName [5] EDIPartyName,
- uniformResourceIdentifier [6] IA5String,
- iPAddress [7] OCTET STRING,
- registeredID [8] OBJECT IDENTIFIER
- }
-
- The recommended locations of CERT storage are as follows, in priority
- order:
-
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 5]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
- (1) If a domain name is included in the identification in the
- certificate or CRL, that should be used.
- (2) If a domain name is not included but an IP address is included,
- then the translation of that IP address into the appropriate
- inverse domain name should be used.
- (3) If neither of the above it used but a URI containing a domain
- name is present, that domain name should be used.
- (4) If none of the above is included but a character string name is
- included, then it should be treated as described for PGP names in
- 3.2 below.
- (5) If none of the above apply, then the distinguished name (DN)
- should be mapped into a domain name as specified in RFC 2247.
-
- Example 1: Assume that an X.509v3 certificate is issued to /CN=John
- Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative
- names of (a) string "John (the Man) Doe", (b) domain name john-
- doe.com, and (c) uri <https://www.secure.john-doe.com:8080/>. Then
- the storage locations recommended, in priority order, would be
- (1) john-doe.com,
- (2) www.secure.john-doe.com, and
- (3) Doe.com.xy.
-
- Example 2: Assume that an X.509v3 certificate is issued to /CN=James
- Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names
- of (a) domain name widget.foo.example, (b) IPv4 address
- 10.251.13.201, and (c) string "James Hacker
- <hacker@mail.widget.foo.example>". Then the storage locations
- recommended, in priority order, would be
- (1) widget.foo.example,
- (2) 201.13.251.10.in-addr.arpa, and
- (3) hacker.mail.widget.foo.example.
-
-3.2 PGP CERT RR Names
-
- PGP signed keys (certificates) use a general character string User ID
- [RFC 2440]. However, it is recommended by PGP that such names include
- the RFC 822 email address of the party, as in "Leslie Example
- <Leslie@host.example>". If such a format is used, the CERT should be
- under the standard translation of the email address into a domain
- name, which would be leslie.host.example in this case. If no RFC 822
- name can be extracted from the string name no specific domain name is
- recommended.
-
-4. Performance Considerations
-
- Current Domain Name System (DNS) implementations are optimized for
- small transfers, typically not more than 512 bytes including
- overhead. While larger transfers will perform correctly and work is
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 6]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
- underway to make larger transfers more efficient, it is still
- advisable at this time to make every reasonable effort to minimize
- the size of certificates stored within the DNS. Steps that can be
- taken may include using the fewest possible optional or extensions
- fields and using short field values for variable length fields that
- must be included.
-
-5. IANA Considerations
-
- Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
- only be assigned by an IETF standards action [RFC 2434] (and this
- document assigns 0x0001 through 0x0003 and 0x00FD and 0x00FE).
- Certificate types 0x0100 through 0xFEFF are assigned through IETF
- Consensus [RFC 2434] based on RFC documentation of the certificate
- type. The availability of private types under 0x00FD and 0x00FE
- should satisfy most requirements for proprietary or private types.
-
-6. Security Considerations
-
- By definition, certificates contain their own authenticating
- signature. Thus it is reasonable to store certificates in non-secure
- DNS zones or to retrieve certificates from DNS with DNS security
- checking not implemented or deferred for efficiency. The results MAY
- be trusted if the certificate chain is verified back to a known
- trusted key and this conforms with the user's security policy.
-
- Alternatively, if certificates are retrieved from a secure DNS zone
- with DNS security checking enabled and are verified by DNS security,
- the key within the retrieved certificate MAY be trusted without
- verifying the certificate chain if this conforms with the user's
- security policy.
-
- CERT RRs are not used in connection with securing the DNS security
- additions so there are no security considerations related to CERT RRs
- and securing the DNS itself.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 7]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
-References
-
- RFC 1034 Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- RFC 1035 Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- RFC 2119 Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- RFC 2247 Kille, S., Wahl, M., Grimstad, A., Huber, R. and S.
- Sataluri, "Using Domains in LDAP/X.500 Distinguished
- Names", RFC 2247, January 1998.
-
- RFC 2396 Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
- Resource Identifiers (URI): Generic Syntax", RFC 2396,
- August 1998.
-
- RFC 2440 Callas, J., Donnerhacke, L., Finney, H. and R. Thayer,
- "OpenPGP Message Format", RFC 2240, November 1998.
-
- RFC 2434 Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- RFC 2535 Eastlake, D., "Domain Name System (DNS) Security
- Extensions", RFC 2535, March 1999.
-
- RFC 2459 Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
- X.509 Public Key Infrastructure Certificate and CRL
- Profile", RFC 2459, January 1999.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 8]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
-Authors' Addresses
-
- Donald E. Eastlake 3rd
- IBM
- 65 Shindegan Hill Road
- RR#1
- Carmel, NY 10512 USA
-
- Phone: +1-914-784-7913 (w)
- +1-914-276-2668 (h)
- Fax: +1-914-784-3833 (w-fax)
- EMail: dee3@us.ibm.com
-
-
- Olafur Gudmundsson
- TIS Labs at Network Associates
- 3060 Washington Rd, Route 97
- Glenwood MD 21738
-
- Phone: +1 443-259-2389
- EMail: ogud@tislabs.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 9]
-
-RFC 2538 Storing Certificates in the DNS March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake & Gudmundsson Standards Track [Page 10]
-
diff --git a/contrib/bind9/doc/rfc/rfc2539.txt b/contrib/bind9/doc/rfc/rfc2539.txt
deleted file mode 100644
index cf32523d9fa1..000000000000
--- a/contrib/bind9/doc/rfc/rfc2539.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake
-Request for Comments: 2539 IBM
-Category: Standards Track March 1999
-
-
- Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- A standard method for storing Diffie-Hellman keys in the Domain Name
- System is described which utilizes DNS KEY resource records.
-
-Acknowledgements
-
- Part of the format for Diffie-Hellman keys and the description
- thereof was taken from a work in progress by:
-
- Ashar Aziz <ashar.aziz@eng.sun.com>
- Tom Markson <markson@incog.com>
- Hemma Prafullchandra <hemma@eng.sun.com>
-
- In addition, the following person provided useful comments that have
- been incorporated:
-
- Ran Atkinson <rja@inet.org>
- Thomas Narten <narten@raleigh.ibm.com>
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 1]
-
-RFC 2539 Diffie-Hellman Keys in the DNS March 1999
-
-
-Table of Contents
-
- Abstract...................................................1
- Acknowledgements...........................................1
- 1. Introduction............................................2
- 1.1 About This Document....................................2
- 1.2 About Diffie-Hellman...................................2
- 2. Diffie-Hellman KEY Resource Records.....................3
- 3. Performance Considerations..............................4
- 4. IANA Considerations.....................................4
- 5. Security Considerations.................................4
- References.................................................5
- Author's Address...........................................5
- Appendix A: Well known prime/generator pairs...............6
- A.1. Well-Known Group 1: A 768 bit prime..................6
- A.2. Well-Known Group 2: A 1024 bit prime.................6
- Full Copyright Notice......................................7
-
-1. Introduction
-
- The Domain Name System (DNS) is the current global hierarchical
- replicated distributed database system for Internet addressing, mail
- proxy, and similar information. The DNS has been extended to include
- digital signatures and cryptographic keys as described in [RFC 2535].
- Thus the DNS can now be used for secure key distribution.
-
-1.1 About This Document
-
- This document describes how to store Diffie-Hellman keys in the DNS.
- Familiarity with the Diffie-Hellman key exchange algorithm is assumed
- [Schneier].
-
-1.2 About Diffie-Hellman
-
- Diffie-Hellman requires two parties to interact to derive keying
- information which can then be used for authentication. Since DNS SIG
- RRs are primarily used as stored authenticators of zone information
- for many different resolvers, no Diffie-Hellman algorithm SIG RR is
- defined. For example, assume that two parties have local secrets "i"
- and "j". Assume they each respectively calculate X and Y as follows:
-
- X = g**i ( mod p ) Y = g**j ( mod p )
-
- They exchange these quantities and then each calculates a Z as
- follows:
-
- Zi = Y**i ( mod p ) Zj = X**j ( mod p )
-
-
-
-
-Eastlake Standards Track [Page 2]
-
-RFC 2539 Diffie-Hellman Keys in the DNS March 1999
-
-
- shared secret between the two parties that an adversary who does not
- know i or j will not be able to learn from the exchanged messages
- (unless the adversary can derive i or j by performing a discrete
- logarithm mod p which is hard for strong p and g).
-
- The private key for each party is their secret i (or j). The public
- key is the pair p and g, which must be the same for the parties, and
- their individual X (or Y).
-
-2. Diffie-Hellman KEY Resource Records
-
- Diffie-Hellman keys are stored in the DNS as KEY RRs using algorithm
- number 2. The structure of the RDATA portion of this RR is as shown
- below. The first 4 octets, including the flags, protocol, and
- algorithm fields are common to all KEY RRs as described in [RFC
- 2535]. The remainder, from prime length through public value is the
- "public key" part of the KEY RR. The period of key validity is not in
- the KEY RR but is indicated by the SIG RR(s) which signs and
- authenticates the KEY RR(s) at that domain name.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | KEY flags | protocol | algorithm=2 |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | prime length (or flag) | prime (p) (or special) /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / prime (p) (variable length) | generator length |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | generator (g) (variable length) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | public value length | public value (variable length)/
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / public value (g^i mod p) (variable length) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- Prime length is length of the Diffie-Hellman prime (p) in bytes if it
- is 16 or greater. Prime contains the binary representation of the
- Diffie-Hellman prime with most significant byte first (i.e., in
- network order). If "prime length" field is 1 or 2, then the "prime"
- field is actually an unsigned index into a table of 65,536
- prime/generator pairs and the generator length SHOULD be zero. See
- Appedix A for defined table entries and Section 4 for information on
- allocating additional table entries. The meaning of a zero or 3
- through 15 value for "prime length" is reserved.
-
-
-
-
-
-
-Eastlake Standards Track [Page 3]
-
-RFC 2539 Diffie-Hellman Keys in the DNS March 1999
-
-
- Generator length is the length of the generator (g) in bytes.
- Generator is the binary representation of generator with most
- significant byte first. PublicValueLen is the Length of the Public
- Value (g**i (mod p)) in bytes. PublicValue is the binary
- representation of the DH public value with most significant byte
- first.
-
- The corresponding algorithm=2 SIG resource record is not used so no
- format for it is defined.
-
-3. Performance Considerations
-
- Current DNS implementations are optimized for small transfers,
- typically less than 512 bytes including overhead. While larger
- transfers will perform correctly and work is underway to make larger
- transfers more efficient, it is still advisable to make reasonable
- efforts to minimize the size of KEY RR sets stored within the DNS
- consistent with adequate security. Keep in mind that in a secure
- zone, an authenticating SIG RR will also be returned.
-
-4. IANA Considerations
-
- Assignment of meaning to Prime Lengths of 0 and 3 through 15 requires
- an IETF consensus.
-
- Well known prime/generator pairs number 0x0000 through 0x07FF can
- only be assigned by an IETF standards action and this Proposed
- Standard assigns 0x0001 through 0x0002. Pairs number 0s0800 through
- 0xBFFF can be assigned based on RFC documentation. Pairs number
- 0xC000 through 0xFFFF are available for private use and are not
- centrally coordinated. Use of such private pairs outside of a closed
- environment may result in conflicts.
-
-5. Security Considerations
-
- Many of the general security consideration in [RFC 2535] apply. Keys
- retrieved from the DNS should not be trusted unless (1) they have
- been securely obtained from a secure resolver or independently
- verified by the user and (2) this secure resolver and secure
- obtainment or independent verification conform to security policies
- acceptable to the user. As with all cryptographic algorithms,
- evaluating the necessary strength of the key is important and
- dependent on local policy.
-
- In addition, the usual Diffie-Hellman key strength considerations
- apply. (p-1)/2 should also be prime, g should be primitive mod p, p
- should be "large", etc. [Schneier]
-
-
-
-
-Eastlake Standards Track [Page 4]
-
-RFC 2539 Diffie-Hellman Keys in the DNS March 1999
-
-
-References
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [Schneier] Bruce Schneier, "Applied Cryptography: Protocols,
- Algorithms, and Source Code in C", 1996, John Wiley and
- Sons
-
-Author's Address
-
- Donald E. Eastlake 3rd
- IBM
- 65 Shindegan Hill Road, RR #1
- Carmel, NY 10512
-
- Phone: +1-914-276-2668(h)
- +1-914-784-7913(w)
- Fax: +1-914-784-3833(w)
- EMail: dee3@us.ibm.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 5]
-
-RFC 2539 Diffie-Hellman Keys in the DNS March 1999
-
-
-Appendix A: Well known prime/generator pairs
-
- These numbers are copied from the IPSEC effort where the derivation
- of these values is more fully explained and additional information is
- available. Richard Schroeppel performed all the mathematical and
- computational work for this appendix.
-
-A.1. Well-Known Group 1: A 768 bit prime
-
- The prime is 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }. Its
- decimal value is
- 155251809230070893513091813125848175563133404943451431320235
- 119490296623994910210725866945387659164244291000768028886422
- 915080371891804634263272761303128298374438082089019628850917
- 0691316593175367469551763119843371637221007210577919
-
- Prime modulus: Length (32 bit words): 24, Data (hex):
- FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
- 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
- EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
- E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
-
- Generator: Length (32 bit words): 1, Data (hex): 2
-
-A.2. Well-Known Group 2: A 1024 bit prime
-
- The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
- Its decimal value is
- 179769313486231590770839156793787453197860296048756011706444
- 423684197180216158519368947833795864925541502180565485980503
- 646440548199239100050792877003355816639229553136239076508735
- 759914822574862575007425302077447712589550957937778424442426
- 617334727629299387668709205606050270810842907692932019128194
- 467627007
-
- Prime modulus: Length (32 bit words): 32, Data (hex):
- FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
- 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
- EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
- E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
- EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
- FFFFFFFF FFFFFFFF
-
- Generator: Length (32 bit words): 1, Data (hex): 2
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 6]
-
-RFC 2539 Diffie-Hellman Keys in the DNS March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc2540.txt b/contrib/bind9/doc/rfc/rfc2540.txt
deleted file mode 100644
index 631480618867..000000000000
--- a/contrib/bind9/doc/rfc/rfc2540.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake
-Request for Comments: 2540 IBM
-Category: Experimental March 1999
-
-
- Detached Domain Name System (DNS) Information
-
-Status of this Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. It does not specify an Internet standard of any kind.
- Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- A standard format is defined for representing detached DNS
- information. This is anticipated to be of use for storing
- information retrieved from the Domain Name System (DNS), including
- security information, in archival contexts or contexts not connected
- to the Internet.
-
-Table of Contents
-
- Abstract...................................................1
- 1. Introduction............................................1
- 2. General Format..........................................2
- 2.1 Binary Format..........................................3
- 2.2. Text Format...........................................4
- 3. Usage Example...........................................4
- 4. IANA Considerations.....................................4
- 5. Security Considerations.................................4
- References.................................................5
- Author's Address...........................................5
- Full Copyright Statement...................................6
-
-1. Introduction
-
- The Domain Name System (DNS) is a replicated hierarchical distributed
- database system [RFC 1034, 1035] that can provide highly available
- service. It provides the operational basis for Internet host name to
- address translation, automatic SMTP mail routing, and other basic
- Internet functions. The DNS has been extended as described in [RFC
- 2535] to permit the general storage of public cryptographic keys in
-
-
-
-Eastlake Experimental [Page 1]
-
-RFC 2540 Detached DNS Information March 1999
-
-
- the DNS and to enable the authentication of information retrieved
- from the DNS though digital signatures.
-
- The DNS was not originally designed for storage of information
- outside of the active zones and authoritative master files that are
- part of the connected DNS. However there may be cases where this is
- useful, particularly in connection with archived security
- information.
-
-2. General Format
-
- The formats used for detached Domain Name System (DNS) information
- are similar to those used for connected DNS information. The primary
- difference is that elements of the connected DNS system (unless they
- are an authoritative server for the zone containing the information)
- are required to count down the Time To Live (TTL) associated with
- each DNS Resource Record (RR) and discard them (possibly fetching a
- fresh copy) when the TTL reaches zero. In contrast to this, detached
- information may be stored in a off-line file, where it can not be
- updated, and perhaps used to authenticate historic data or it might
- be received via non-DNS protocols long after it was retrieved from
- the DNS. Therefore, it is not practical to count down detached DNS
- information TTL and it may be necessary to keep the data beyond the
- point where the TTL (which is defined as an unsigned field) would
- underflow. To preserve information as to the freshness of this
- detached data, it is accompanied by its retrieval time.
-
- Whatever retrieves the information from the DNS must associate this
- retrieval time with it. The retrieval time remains fixed thereafter.
- When the current time minus the retrieval time exceeds the TTL for
- any particular detached RR, it is no longer a valid copy within the
- normal connected DNS scheme. This may make it invalid in context for
- some detached purposes as well. If the RR is a SIG (signature) RR it
- also has an expiration time. Regardless of the TTL, it and any RRs
- it signs can not be considered authenticated after the signature
- expiration time.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Experimental [Page 2]
-
-RFC 2540 Detached DNS Information March 1999
-
-
-2.1 Binary Format
-
- The standard binary format for detached DNS information is as
- follows:
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | first retrieval time |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | RR count | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Resource Records (RRs) |
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
- | next retrieval time |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | RR count | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Resource Records (RRs) |
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / ... /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | hex 20 |
- +-+-+-+-+-+-+-+-+
-
- Retrieval time - the time that the immediately following information
- was obtained from the connected DNS system. It is an unsigned
- number of seconds since the start of 1 January 1970, GMT,
- ignoring leap seconds, in network (big-endian) order. Note that
- this time can not be before the initial proposal of this
- standard. Therefore, the initial byte of an actual retrieval
- time, considered as a 32 bit unsigned quantity, would always be
- larger than 20 hex. The end of detached DNS information is
- indicated by a "retrieval time" field initial byte equal to 0x20.
- Use of a "retrieval time" field with a leading unsigned byte of
- zero indicates a 64 bit (actually 8 leading zero bits plus a 56
- bit quantity). This 64 bit format will be required when
- retrieval time is larger than 0xFFFFFFFF, which is some time in
- the year 2106. The meaning of retrieval times with an initial
- byte between 0x01 and 0x1F is reserved (see section 5).
- Retrieval times will not generally be 32 bit aligned with respect
- to each other due to the variable length nature of RRs.
-
- RR count - an unsigned integer number (with bytes in network order)
- of following resource records retrieved at the preceding
- retrieval time.
-
-
-
-
-
-Eastlake Experimental [Page 3]
-
-RFC 2540 Detached DNS Information March 1999
-
-
- Resource Records - the actual data which is in the same format as if
- it were being transmitted in a DNS response. In particular, name
- compression via pointers is permitted with the origin at the
- beginning of the particular detached information data section,
- just after the RR count.
-
-2.2. Text Format
-
- The standard text format for detached DNS information is as
- prescribed for zone master files [RFC 1035] except that the $INCLUDE
- control entry is prohibited and the new $DATE entry is required
- (unless the information set is empty). $DATE is followed by the date
- and time that the following information was obtained from the DNS
- system as described for retrieval time in section 2.1 above. It is
- in the text format YYYYMMDDHHMMSS where YYYY is the year (which may
- be more than four digits to cover years after 9999), the first MM is
- the month number (01-12), DD is the day of the month (01-31), HH is
- the hour in 24 hours notation (00-23), the second MM is the minute
- (00-59), and SS is the second (00-59). Thus a $DATE must appear
- before the first RR and at every change in retrieval time through the
- detached information.
-
-3. Usage Example
-
- A document might be authenticated by a key retrieved from the DNS in
- a KEY resource record (RR). To later prove the authenticity of this
- document, it would be desirable to preserve the KEY RR for that
- public key, the SIG RR signing that KEY RR, the KEY RR for the key
- used to authenticate that SIG, and so on through SIG and KEY RRs
- until a well known trusted key is reached, perhaps the key for the
- DNS root or some third party authentication service. (In some cases
- these KEY RRs will actually be sets of KEY RRs with the same owner
- and class because SIGs actually sign such record sets.)
-
- This information could be preserved as a set of detached DNS
- information blocks.
-
-4. IANA Considerations
-
- Allocation of meanings to retrieval time fields with a initial byte
- of between 0x01 and 0x1F requires an IETF consensus.
-
-5. Security Considerations
-
- The entirety of this document concerns a means to represent detached
- DNS information. Such detached resource records may be security
- relevant and/or secured information as described in [RFC 2535]. The
- detached format provides no overall security for sets of detached
-
-
-
-Eastlake Experimental [Page 4]
-
-RFC 2540 Detached DNS Information March 1999
-
-
- information or for the association between retrieval time and
- information. This can be provided by wrapping the detached
- information format with some other form of signature. However, if
- the detached information is accompanied by SIG RRs, its validity
- period is indicated in those SIG RRs so the retrieval time might be
- of secondary importance.
-
-References
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., " Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
-Author's Address
-
- Donald E. Eastlake 3rd
- IBM
- 65 Shindegan Hill Road, RR #1
- Carmel, NY 10512
-
- Phone: +1-914-276-2668(h)
- +1-914-784-7913(w)
- Fax: +1-914-784-3833(w)
- EMail: dee3@us.ibm.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Experimental [Page 5]
-
-RFC 2540 Detached DNS Information March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Experimental [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc2541.txt b/contrib/bind9/doc/rfc/rfc2541.txt
deleted file mode 100644
index a62ed2b48677..000000000000
--- a/contrib/bind9/doc/rfc/rfc2541.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake
-Request for Comments: 2541 IBM
-Category: Informational March 1999
-
-
- DNS Security Operational Considerations
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- Secure DNS is based on cryptographic techniques. A necessary part of
- the strength of these techniques is careful attention to the
- operational aspects of key and signature generation, lifetime, size,
- and storage. In addition, special attention must be paid to the
- security of the high level zones, particularly the root zone. This
- document discusses these operational aspects for keys and signatures
- used in connection with the KEY and SIG DNS resource records.
-
-Acknowledgments
-
- The contributions and suggestions of the following persons (in
- alphabetic order) are gratefully acknowledged:
-
- John Gilmore
- Olafur Gudmundsson
- Charlie Kaufman
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Informational [Page 1]
-
-RFC 2541 DNS Security Operational Considerations March 1999
-
-
-Table of Contents
-
- Abstract...................................................1
- Acknowledgments............................................1
- 1. Introduction............................................2
- 2. Public/Private Key Generation...........................2
- 3. Public/Private Key Lifetimes............................2
- 4. Public/Private Key Size Considerations..................3
- 4.1 RSA Key Sizes..........................................3
- 4.2 DSS Key Sizes..........................................4
- 5. Private Key Storage.....................................4
- 6. High Level Zones, The Root Zone, and The Meta-Root Key..5
- 7. Security Considerations.................................5
- References.................................................6
- Author's Address...........................................6
- Full Copyright Statement...................................7
-
-1. Introduction
-
- This document describes operational considerations for the
- generation, lifetime, size, and storage of DNS cryptographic keys and
- signatures for use in the KEY and SIG resource records [RFC 2535].
- Particular attention is paid to high level zones and the root zone.
-
-2. Public/Private Key Generation
-
- Careful generation of all keys is a sometimes overlooked but
- absolutely essential element in any cryptographically secure system.
- The strongest algorithms used with the longest keys are still of no
- use if an adversary can guess enough to lower the size of the likely
- key space so that it can be exhaustively searched. Technical
- suggestions for the generation of random keys will be found in [RFC
- 1750].
-
- Long term keys are particularly sensitive as they will represent a
- more valuable target and be subject to attack for a longer time than
- short period keys. It is strongly recommended that long term key
- generation occur off-line in a manner isolated from the network via
- an air gap or, at a minimum, high level secure hardware.
-
-3. Public/Private Key Lifetimes
-
- No key should be used forever. The longer a key is in use, the
- greater the probability that it will have been compromised through
- carelessness, accident, espionage, or cryptanalysis. Furthermore, if
-
-
-
-
-
-
-Eastlake Informational [Page 2]
-
-RFC 2541 DNS Security Operational Considerations March 1999
-
-
- key rollover is a rare event, there is an increased risk that, when
- the time does come to change the key, no one at the site will
- remember how to do it or operational problems will have developed in
- the key rollover procedures.
-
- While public key lifetime is a matter of local policy, these
- considerations imply that, unless there are extraordinary
- circumstances, no long term key should have a lifetime significantly
- over four years. In fact, a reasonable guideline for long term keys
- that are kept off-line and carefully guarded is a 13 month lifetime
- with the intent that they be replaced every year. A reasonable
- maximum lifetime for keys that are used for transaction security or
- the like and are kept on line is 36 days with the intent that they be
- replaced monthly or more often. In many cases, a key lifetime of
- somewhat over a day may be reasonable.
-
- On the other hand, public keys with too short a lifetime can lead to
- excessive resource consumption in re-signing data and retrieving
- fresh information because cached information becomes stale. In the
- Internet environment, almost all public keys should have lifetimes no
- shorter than three minutes, which is a reasonable estimate of maximum
- packet delay even in unusual circumstances.
-
-4. Public/Private Key Size Considerations
-
- There are a number of factors that effect public key size choice for
- use in the DNS security extension. Unfortunately, these factors
- usually do not all point in the same direction. Choice of zone key
- size should generally be made by the zone administrator depending on
- their local conditions.
-
- For most schemes, larger keys are more secure but slower. In
- addition, larger keys increase the size of the KEY and SIG RRs. This
- increases the chance of DNS UDP packet overflow and the possible
- necessity for using higher overhead TCP in responses.
-
-4.1 RSA Key Sizes
-
- Given a small public exponent, verification (the most common
- operation) for the MD5/RSA algorithm will vary roughly with the
- square of the modulus length, signing will vary with the cube of the
- modulus length, and key generation (the least common operation) will
- vary with the fourth power of the modulus length. The current best
- algorithms for factoring a modulus and breaking RSA security vary
- roughly with the 1.6 power of the modulus itself. Thus going from a
- 640 bit modulus to a 1280 bit modulus only increases the verification
- time by a factor of 4 but may increase the work factor of breaking
- the key by over 2^900.
-
-
-
-Eastlake Informational [Page 3]
-
-RFC 2541 DNS Security Operational Considerations March 1999
-
-
- The recommended minimum RSA algorithm modulus size is 704 bits which
- is believed by the author to be secure at this time. But high level
- zones in the DNS tree may wish to set a higher minimum, perhaps 1000
- bits, for security reasons. (Since the United States National
- Security Agency generally permits export of encryption systems using
- an RSA modulus of up to 512 bits, use of that small a modulus, i.e.
- n, must be considered weak.)
-
- For an RSA key used only to secure data and not to secure other keys,
- 704 bits should be adequate at this time.
-
-4.2 DSS Key Sizes
-
- DSS keys are probably roughly as strong as an RSA key of the same
- length but DSS signatures are significantly smaller.
-
-5. Private Key Storage
-
- It is recommended that, where possible, zone private keys and the
- zone file master copy be kept and used in off-line, non-network
- connected, physically secure machines only. Periodically an
- application can be run to add authentication to a zone by adding SIG
- and NXT RRs and adding no-key type KEY RRs for subzones/algorithms
- where a real KEY RR for the subzone with that algorithm is not
- provided. Then the augmented file can be transferred, perhaps by
- sneaker-net, to the networked zone primary server machine.
-
- The idea is to have a one way information flow to the network to
- avoid the possibility of tampering from the network. Keeping the
- zone master file on-line on the network and simply cycling it through
- an off-line signer does not do this. The on-line version could still
- be tampered with if the host it resides on is compromised. For
- maximum security, the master copy of the zone file should be off net
- and should not be updated based on an unsecured network mediated
- communication.
-
- This is not possible if the zone is to be dynamically updated
- securely [RFC 2137]. At least a private key capable of updating the
- SOA and NXT chain must be on line in that case.
-
- Secure resolvers must be configured with some trusted on-line public
- key information (or a secure path to such a resolver) or they will be
- unable to authenticate. Although on line, this public key
- information must be protected or it could be altered so that spoofed
- DNS data would appear authentic.
-
-
-
-
-
-
-Eastlake Informational [Page 4]
-
-RFC 2541 DNS Security Operational Considerations March 1999
-
-
- Non-zone private keys, such as host or user keys, generally have to
- be kept on line to be used for real-time purposes such as DNS
- transaction security.
-
-6. High Level Zones, The Root Zone, and The Meta-Root Key
-
- Higher level zones are generally more sensitive than lower level
- zones. Anyone controlling or breaking the security of a zone thereby
- obtains authority over all of its subdomains (except in the case of
- resolvers that have locally configured the public key of a
- subdomain). Therefore, extra care should be taken with high level
- zones and strong keys used.
-
- The root zone is the most critical of all zones. Someone controlling
- or compromising the security of the root zone would control the
- entire DNS name space of all resolvers using that root zone (except
- in the case of resolvers that have locally configured the public key
- of a subdomain). Therefore, the utmost care must be taken in the
- securing of the root zone. The strongest and most carefully handled
- keys should be used. The root zone private key should always be kept
- off line.
-
- Many resolvers will start at a root server for their access to and
- authentication of DNS data. Securely updating an enormous population
- of resolvers around the world will be extremely difficult. Yet the
- guidelines in section 3 above would imply that the root zone private
- key be changed annually or more often and if it were staticly
- configured at all these resolvers, it would have to be updated when
- changed.
-
- To permit relatively frequent change to the root zone key yet
- minimize exposure of the ultimate key of the DNS tree, there will be
- a "meta-root" key used very rarely and then only to sign a sequence
- of regular root key RRsets with overlapping time validity periods
- that are to be rolled out. The root zone contains the meta-root and
- current regular root KEY RR(s) signed by SIG RRs under both the
- meta-root and other root private key(s) themselves.
-
- The utmost security in the storage and use of the meta-root key is
- essential. The exact techniques are precautions to be used are
- beyond the scope of this document. Because of its special position,
- it may be best to continue with the same meta-root key for an
- extended period of time such as ten to fifteen years.
-
-7. Security Considerations
-
- The entirety of this document is concerned with operational
- considerations of public/private key pair DNS Security.
-
-
-
-Eastlake Informational [Page 5]
-
-RFC 2541 DNS Security Operational Considerations March 1999
-
-
-References
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC 1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
- Requirements for Security", RFC 1750, December 1994.
-
- [RFC 2065] Eastlake, D. and C. Kaufman, "Domain Name System
- Security Extensions", RFC 2065, January 1997.
-
- [RFC 2137] Eastlake, D., "Secure Domain Name System Dynamic
- Update", RFC 2137, April 1997.
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RSA FAQ] RSADSI Frequently Asked Questions periodic posting.
-
-Author's Address
-
- Donald E. Eastlake 3rd
- IBM
- 65 Shindegan Hill Road, RR #1
- Carmel, NY 10512
-
- Phone: +1-914-276-2668(h)
- +1-914-784-7913(w)
- Fax: +1-914-784-3833(w)
- EMail: dee3@us.ibm.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Informational [Page 6]
-
-RFC 2541 DNS Security Operational Considerations March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Informational [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc2553.txt b/contrib/bind9/doc/rfc/rfc2553.txt
deleted file mode 100644
index 6989bf3045e5..000000000000
--- a/contrib/bind9/doc/rfc/rfc2553.txt
+++ /dev/null
@@ -1,2299 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Gilligan
-Request for Comments: 2553 FreeGate
-Obsoletes: 2133 S. Thomson
-Category: Informational Bellcore
- J. Bound
- Compaq
- W. Stevens
- Consultant
- March 1999
-
-
- Basic Socket Interface Extensions for IPv6
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- The de facto standard application program interface (API) for TCP/IP
- applications is the "sockets" interface. Although this API was
- developed for Unix in the early 1980s it has also been implemented on
- a wide variety of non-Unix systems. TCP/IP applications written
- using the sockets API have in the past enjoyed a high degree of
- portability and we would like the same portability with IPv6
- applications. But changes are required to the sockets API to support
- IPv6 and this memo describes these changes. These include a new
- socket address structure to carry IPv6 addresses, new address
- conversion functions, and some new socket options. These extensions
- are designed to provide access to the basic IPv6 features required by
- TCP and UDP applications, including multicasting, while introducing a
- minimum of change into the system and providing complete
- compatibility for existing IPv4 applications. Additional extensions
- for advanced IPv6 features (raw sockets and access to the IPv6
- extension headers) are defined in another document [4].
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 1]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-Table of Contents
-
- 1. Introduction.................................................3
- 2. Design Considerations........................................3
- 2.1 What Needs to be Changed....................................4
- 2.2 Data Types..................................................5
- 2.3 Headers.....................................................5
- 2.4 Structures..................................................5
- 3. Socket Interface.............................................6
- 3.1 IPv6 Address Family and Protocol Family.....................6
- 3.2 IPv6 Address Structure......................................6
- 3.3 Socket Address Structure for 4.3BSD-Based Systems...........7
- 3.4 Socket Address Structure for 4.4BSD-Based Systems...........8
- 3.5 The Socket Functions........................................9
- 3.6 Compatibility with IPv4 Applications.......................10
- 3.7 Compatibility with IPv4 Nodes..............................10
- 3.8 IPv6 Wildcard Address......................................11
- 3.9 IPv6 Loopback Address......................................12
- 3.10 Portability Additions.....................................13
- 4. Interface Identification....................................16
- 4.1 Name-to-Index..............................................16
- 4.2 Index-to-Name..............................................17
- 4.3 Return All Interface Names and Indexes.....................17
- 4.4 Free Memory................................................18
- 5. Socket Options..............................................18
- 5.1 Unicast Hop Limit..........................................18
- 5.2 Sending and Receiving Multicast Packets....................19
- 6. Library Functions...........................................21
- 6.1 Nodename-to-Address Translation............................21
- 6.2 Address-To-Nodename Translation............................24
- 6.3 Freeing memory for getipnodebyname and getipnodebyaddr.....26
- 6.4 Protocol-Independent Nodename and Service Name Translation.26
- 6.5 Socket Address Structure to Nodename and Service Name......29
- 6.6 Address Conversion Functions...............................31
- 6.7 Address Testing Macros.....................................32
- 7. Summary of New Definitions..................................33
- 8. Security Considerations.....................................35
- 9. Year 2000 Considerations....................................35
- Changes From RFC 2133..........................................35
- Acknowledgments................................................38
- References.....................................................39
- Authors' Addresses.............................................40
- Full Copyright Statement.......................................41
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 2]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-1. Introduction
-
- While IPv4 addresses are 32 bits long, IPv6 interfaces are identified
- by 128-bit addresses. The socket interface makes the size of an IP
- address quite visible to an application; virtually all TCP/IP
- applications for BSD-based systems have knowledge of the size of an
- IP address. Those parts of the API that expose the addresses must be
- changed to accommodate the larger IPv6 address size. IPv6 also
- introduces new features (e.g., traffic class and flowlabel), some of
- which must be made visible to applications via the API. This memo
- defines a set of extensions to the socket interface to support the
- larger address size and new features of IPv6.
-
-2. Design Considerations
-
- There are a number of important considerations in designing changes
- to this well-worn API:
-
- - The API changes should provide both source and binary
- compatibility for programs written to the original API. That
- is, existing program binaries should continue to operate when
- run on a system supporting the new API. In addition, existing
- applications that are re-compiled and run on a system supporting
- the new API should continue to operate. Simply put, the API
- changes for IPv6 should not break existing programs. An
- additonal mechanism for implementations to verify this is to
- verify the new symbols are protected by Feature Test Macros as
- described in IEEE Std 1003.1. (Such Feature Test Macros are not
- defined by this RFC.)
-
- - The changes to the API should be as small as possible in order
- to simplify the task of converting existing IPv4 applications to
- IPv6.
-
- - Where possible, applications should be able to use this API to
- interoperate with both IPv6 and IPv4 hosts. Applications should
- not need to know which type of host they are communicating with.
-
- - IPv6 addresses carried in data structures should be 64-bit
- aligned. This is necessary in order to obtain optimum
- performance on 64-bit machine architectures.
-
- Because of the importance of providing IPv4 compatibility in the API,
- these extensions are explicitly designed to operate on machines that
- provide complete support for both IPv4 and IPv6. A subset of this
- API could probably be designed for operation on systems that support
- only IPv6. However, this is not addressed in this memo.
-
-
-
-
-Gilligan, et. al. Informational [Page 3]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-2.1 What Needs to be Changed
-
- The socket interface API consists of a few distinct components:
-
- - Core socket functions.
-
- - Address data structures.
-
- - Name-to-address translation functions.
-
- - Address conversion functions.
-
- The core socket functions -- those functions that deal with such
- things as setting up and tearing down TCP connections, and sending
- and receiving UDP packets -- were designed to be transport
- independent. Where protocol addresses are passed as function
- arguments, they are carried via opaque pointers. A protocol-specific
- address data structure is defined for each protocol that the socket
- functions support. Applications must cast pointers to these
- protocol-specific address structures into pointers to the generic
- "sockaddr" address structure when using the socket functions. These
- functions need not change for IPv6, but a new IPv6-specific address
- data structure is needed.
-
- The "sockaddr_in" structure is the protocol-specific data structure
- for IPv4. This data structure actually includes 8-octets of unused
- space, and it is tempting to try to use this space to adapt the
- sockaddr_in structure to IPv6. Unfortunately, the sockaddr_in
- structure is not large enough to hold the 16-octet IPv6 address as
- well as the other information (address family and port number) that
- is needed. So a new address data structure must be defined for IPv6.
-
- IPv6 addresses are scoped [2] so they could be link-local, site,
- organization, global, or other scopes at this time undefined. To
- support applications that want to be able to identify a set of
- interfaces for a specific scope, the IPv6 sockaddr_in structure must
- support a field that can be used by an implementation to identify a
- set of interfaces identifying the scope for an IPv6 address.
-
- The name-to-address translation functions in the socket interface are
- gethostbyname() and gethostbyaddr(). These are left as is and new
- functions are defined to support IPv4 and IPv6. Additionally, the
- POSIX 1003.g draft [3] specifies a new nodename-to-address
- translation function which is protocol independent. This function
- can also be used with IPv4 and IPv6.
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 4]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- The address conversion functions -- inet_ntoa() and inet_addr() --
- convert IPv4 addresses between binary and printable form. These
- functions are quite specific to 32-bit IPv4 addresses. We have
- designed two analogous functions that convert both IPv4 and IPv6
- addresses, and carry an address type parameter so that they can be
- extended to other protocol families as well.
-
- Finally, a few miscellaneous features are needed to support IPv6.
- New interfaces are needed to support the IPv6 traffic class, flow
- label, and hop limit header fields. New socket options are needed to
- control the sending and receiving of IPv6 multicast packets.
-
- The socket interface will be enhanced in the future to provide access
- to other IPv6 features. These extensions are described in [4].
-
-2.2 Data Types
-
- The data types of the structure elements given in this memo are
- intended to be examples, not absolute requirements. Whenever
- possible, data types from Draft 6.6 (March 1997) of POSIX 1003.1g are
- used: uintN_t means an unsigned integer of exactly N bits (e.g.,
- uint16_t). We also assume the argument data types from 1003.1g when
- possible (e.g., the final argument to setsockopt() is a size_t
- value). Whenever buffer sizes are specified, the POSIX 1003.1 size_t
- data type is used (e.g., the two length arguments to getnameinfo()).
-
-2.3 Headers
-
- When function prototypes and structures are shown we show the headers
- that must be #included to cause that item to be defined.
-
-2.4 Structures
-
- When structures are described the members shown are the ones that
- must appear in an implementation. Additional, nonstandard members
- may also be defined by an implementation. As an additional
- precaution nonstandard members could be verified by Feature Test
- Macros as described in IEEE Std 1003.1. (Such Feature Test Macros
- are not defined by this RFC.)
-
- The ordering shown for the members of a structure is the recommended
- ordering, given alignment considerations of multibyte members, but an
- implementation may order the members differently.
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 5]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-3. Socket Interface
-
- This section specifies the socket interface changes for IPv6.
-
-3.1 IPv6 Address Family and Protocol Family
-
- A new address family name, AF_INET6, is defined in <sys/socket.h>.
- The AF_INET6 definition distinguishes between the original
- sockaddr_in address data structure, and the new sockaddr_in6 data
- structure.
-
- A new protocol family name, PF_INET6, is defined in <sys/socket.h>.
- Like most of the other protocol family names, this will usually be
- defined to have the same value as the corresponding address family
- name:
-
- #define PF_INET6 AF_INET6
-
- The PF_INET6 is used in the first argument to the socket() function
- to indicate that an IPv6 socket is being created.
-
-3.2 IPv6 Address Structure
-
- A new in6_addr structure holds a single IPv6 address and is defined
- as a result of including <netinet/in.h>:
-
- struct in6_addr {
- uint8_t s6_addr[16]; /* IPv6 address */
- };
-
- This data structure contains an array of sixteen 8-bit elements,
- which make up one 128-bit IPv6 address. The IPv6 address is stored
- in network byte order.
-
- The structure in6_addr above is usually implemented with an embedded
- union with extra fields that force the desired alignment level in a
- manner similar to BSD implementations of "struct in_addr". Those
- additional implementation details are omitted here for simplicity.
-
- An example is as follows:
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 6]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- struct in6_addr {
- union {
- uint8_t _S6_u8[16];
- uint32_t _S6_u32[4];
- uint64_t _S6_u64[2];
- } _S6_un;
- };
- #define s6_addr _S6_un._S6_u8
-
-3.3 Socket Address Structure for 4.3BSD-Based Systems
-
- In the socket interface, a different protocol-specific data structure
- is defined to carry the addresses for each protocol suite. Each
- protocol- specific data structure is designed so it can be cast into a
- protocol- independent data structure -- the "sockaddr" structure.
- Each has a "family" field that overlays the "sa_family" of the
- sockaddr data structure. This field identifies the type of the data
- structure.
-
- The sockaddr_in structure is the protocol-specific address data
- structure for IPv4. It is used to pass addresses between applications
- and the system in the socket functions. The following sockaddr_in6
- structure holds IPv6 addresses and is defined as a result of including
- the <netinet/in.h> header:
-
-struct sockaddr_in6 {
- sa_family_t sin6_family; /* AF_INET6 */
- in_port_t sin6_port; /* transport layer port # */
- uint32_t sin6_flowinfo; /* IPv6 traffic class & flow info */
- struct in6_addr sin6_addr; /* IPv6 address */
- uint32_t sin6_scope_id; /* set of interfaces for a scope */
-};
-
- This structure is designed to be compatible with the sockaddr data
- structure used in the 4.3BSD release.
-
- The sin6_family field identifies this as a sockaddr_in6 structure.
- This field overlays the sa_family field when the buffer is cast to a
- sockaddr data structure. The value of this field must be AF_INET6.
-
- The sin6_port field contains the 16-bit UDP or TCP port number. This
- field is used in the same way as the sin_port field of the
- sockaddr_in structure. The port number is stored in network byte
- order.
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 7]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- The sin6_flowinfo field is a 32-bit field that contains two pieces of
- information: the traffic class and the flow label. The contents and
- interpretation of this member is specified in [1]. The sin6_flowinfo
- field SHOULD be set to zero by an implementation prior to using the
- sockaddr_in6 structure by an application on receive operations.
-
- The sin6_addr field is a single in6_addr structure (defined in the
- previous section). This field holds one 128-bit IPv6 address. The
- address is stored in network byte order.
-
- The ordering of elements in this structure is specifically designed
- so that when sin6_addr field is aligned on a 64-bit boundary, the
- start of the structure will also be aligned on a 64-bit boundary.
- This is done for optimum performance on 64-bit architectures.
-
- The sin6_scope_id field is a 32-bit integer that identifies a set of
- interfaces as appropriate for the scope of the address carried in the
- sin6_addr field. For a link scope sin6_addr sin6_scope_id would be
- an interface index. For a site scope sin6_addr, sin6_scope_id would
- be a site identifier. The mapping of sin6_scope_id to an interface
- or set of interfaces is left to implementation and future
- specifications on the subject of site identifiers.
-
- Notice that the sockaddr_in6 structure will normally be larger than
- the generic sockaddr structure. On many existing implementations the
- sizeof(struct sockaddr_in) equals sizeof(struct sockaddr), with both
- being 16 bytes. Any existing code that makes this assumption needs
- to be examined carefully when converting to IPv6.
-
-3.4 Socket Address Structure for 4.4BSD-Based Systems
-
- The 4.4BSD release includes a small, but incompatible change to the
- socket interface. The "sa_family" field of the sockaddr data
- structure was changed from a 16-bit value to an 8-bit value, and the
- space saved used to hold a length field, named "sa_len". The
- sockaddr_in6 data structure given in the previous section cannot be
- correctly cast into the newer sockaddr data structure. For this
- reason, the following alternative IPv6 address data structure is
- provided to be used on systems based on 4.4BSD. It is defined as a
- result of including the <netinet/in.h> header.
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 8]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-struct sockaddr_in6 {
- uint8_t sin6_len; /* length of this struct */
- sa_family_t sin6_family; /* AF_INET6 */
- in_port_t sin6_port; /* transport layer port # */
- uint32_t sin6_flowinfo; /* IPv6 flow information */
- struct in6_addr sin6_addr; /* IPv6 address */
- uint32_t sin6_scope_id; /* set of interfaces for a scope */
-};
-
- The only differences between this data structure and the 4.3BSD
- variant are the inclusion of the length field, and the change of the
- family field to a 8-bit data type. The definitions of all the other
- fields are identical to the structure defined in the previous
- section.
-
- Systems that provide this version of the sockaddr_in6 data structure
- must also declare SIN6_LEN as a result of including the
- <netinet/in.h> header. This macro allows applications to determine
- whether they are being built on a system that supports the 4.3BSD or
- 4.4BSD variants of the data structure.
-
-3.5 The Socket Functions
-
- Applications call the socket() function to create a socket descriptor
- that represents a communication endpoint. The arguments to the
- socket() function tell the system which protocol to use, and what
- format address structure will be used in subsequent functions. For
- example, to create an IPv4/TCP socket, applications make the call:
-
- s = socket(PF_INET, SOCK_STREAM, 0);
-
- To create an IPv4/UDP socket, applications make the call:
-
- s = socket(PF_INET, SOCK_DGRAM, 0);
-
- Applications may create IPv6/TCP and IPv6/UDP sockets by simply using
- the constant PF_INET6 instead of PF_INET in the first argument. For
- example, to create an IPv6/TCP socket, applications make the call:
-
- s = socket(PF_INET6, SOCK_STREAM, 0);
-
- To create an IPv6/UDP socket, applications make the call:
-
- s = socket(PF_INET6, SOCK_DGRAM, 0);
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 9]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- Once the application has created a PF_INET6 socket, it must use the
- sockaddr_in6 address structure when passing addresses in to the
- system. The functions that the application uses to pass addresses
- into the system are:
-
- bind()
- connect()
- sendmsg()
- sendto()
-
- The system will use the sockaddr_in6 address structure to return
- addresses to applications that are using PF_INET6 sockets. The
- functions that return an address from the system to an application
- are:
-
- accept()
- recvfrom()
- recvmsg()
- getpeername()
- getsockname()
-
- No changes to the syntax of the socket functions are needed to
- support IPv6, since all of the "address carrying" functions use an
- opaque address pointer, and carry an address length as a function
- argument.
-
-3.6 Compatibility with IPv4 Applications
-
- In order to support the large base of applications using the original
- API, system implementations must provide complete source and binary
- compatibility with the original API. This means that systems must
- continue to support PF_INET sockets and the sockaddr_in address
- structure. Applications must be able to create IPv4/TCP and IPv4/UDP
- sockets using the PF_INET constant in the socket() function, as
- described in the previous section. Applications should be able to
- hold a combination of IPv4/TCP, IPv4/UDP, IPv6/TCP and IPv6/UDP
- sockets simultaneously within the same process.
-
- Applications using the original API should continue to operate as
- they did on systems supporting only IPv4. That is, they should
- continue to interoperate with IPv4 nodes.
-
-3.7 Compatibility with IPv4 Nodes
-
- The API also provides a different type of compatibility: the ability
- for IPv6 applications to interoperate with IPv4 applications. This
- feature uses the IPv4-mapped IPv6 address format defined in the IPv6
- addressing architecture specification [2]. This address format
-
-
-
-Gilligan, et. al. Informational [Page 10]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- allows the IPv4 address of an IPv4 node to be represented as an IPv6
- address. The IPv4 address is encoded into the low-order 32 bits of
- the IPv6 address, and the high-order 96 bits hold the fixed prefix
- 0:0:0:0:0:FFFF. IPv4- mapped addresses are written as follows:
-
- ::FFFF:<IPv4-address>
-
- These addresses can be generated automatically by the
- getipnodebyname() function when the specified host has only IPv4
- addresses (as described in Section 6.1).
-
- Applications may use PF_INET6 sockets to open TCP connections to IPv4
- nodes, or send UDP packets to IPv4 nodes, by simply encoding the
- destination's IPv4 address as an IPv4-mapped IPv6 address, and
- passing that address, within a sockaddr_in6 structure, in the
- connect() or sendto() call. When applications use PF_INET6 sockets
- to accept TCP connections from IPv4 nodes, or receive UDP packets
- from IPv4 nodes, the system returns the peer's address to the
- application in the accept(), recvfrom(), or getpeername() call using
- a sockaddr_in6 structure encoded this way.
-
- Few applications will likely need to know which type of node they are
- interoperating with. However, for those applications that do need to
- know, the IN6_IS_ADDR_V4MAPPED() macro, defined in Section 6.7, is
- provided.
-
-3.8 IPv6 Wildcard Address
-
- While the bind() function allows applications to select the source IP
- address of UDP packets and TCP connections, applications often want
- the system to select the source address for them. With IPv4, one
- specifies the address as the symbolic constant INADDR_ANY (called the
- "wildcard" address) in the bind() call, or simply omits the bind()
- entirely.
-
- Since the IPv6 address type is a structure (struct in6_addr), a
- symbolic constant can be used to initialize an IPv6 address variable,
- but cannot be used in an assignment. Therefore systems provide the
- IPv6 wildcard address in two forms.
-
- The first version is a global variable named "in6addr_any" that is an
- in6_addr structure. The extern declaration for this variable is
- defined in <netinet/in.h>:
-
- extern const struct in6_addr in6addr_any;
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 11]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- Applications use in6addr_any similarly to the way they use INADDR_ANY
- in IPv4. For example, to bind a socket to port number 23, but let
- the system select the source address, an application could use the
- following code:
-
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_family = AF_INET6;
- sin6.sin6_flowinfo = 0;
- sin6.sin6_port = htons(23);
- sin6.sin6_addr = in6addr_any; /* structure assignment */
- . . .
- if (bind(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
- . . .
-
- The other version is a symbolic constant named IN6ADDR_ANY_INIT and
- is defined in <netinet/in.h>. This constant can be used to
- initialize an in6_addr structure:
-
- struct in6_addr anyaddr = IN6ADDR_ANY_INIT;
-
- Note that this constant can be used ONLY at declaration time. It can
- not be used to assign a previously declared in6_addr structure. For
- example, the following code will not work:
-
- /* This is the WRONG way to assign an unspecified address */
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_addr = IN6ADDR_ANY_INIT; /* will NOT compile */
-
- Be aware that the IPv4 INADDR_xxx constants are all defined in host
- byte order but the IPv6 IN6ADDR_xxx constants and the IPv6
- in6addr_xxx externals are defined in network byte order.
-
-3.9 IPv6 Loopback Address
-
- Applications may need to send UDP packets to, or originate TCP
- connections to, services residing on the local node. In IPv4, they
- can do this by using the constant IPv4 address INADDR_LOOPBACK in
- their connect(), sendto(), or sendmsg() call.
-
- IPv6 also provides a loopback address to contact local TCP and UDP
- services. Like the unspecified address, the IPv6 loopback address is
- provided in two forms -- a global variable and a symbolic constant.
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 12]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- The global variable is an in6_addr structure named
- "in6addr_loopback." The extern declaration for this variable is
- defined in <netinet/in.h>:
-
- extern const struct in6_addr in6addr_loopback;
-
- Applications use in6addr_loopback as they would use INADDR_LOOPBACK
- in IPv4 applications (but beware of the byte ordering difference
- mentioned at the end of the previous section). For example, to open
- a TCP connection to the local telnet server, an application could use
- the following code:
-
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_family = AF_INET6;
- sin6.sin6_flowinfo = 0;
- sin6.sin6_port = htons(23);
- sin6.sin6_addr = in6addr_loopback; /* structure assignment */
- . . .
- if (connect(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
- . . .
-
- The symbolic constant is named IN6ADDR_LOOPBACK_INIT and is defined
- in <netinet/in.h>. It can be used at declaration time ONLY; for
- example:
-
- struct in6_addr loopbackaddr = IN6ADDR_LOOPBACK_INIT;
-
- Like IN6ADDR_ANY_INIT, this constant cannot be used in an assignment
- to a previously declared IPv6 address variable.
-
-3.10 Portability Additions
-
- One simple addition to the sockets API that can help application
- writers is the "struct sockaddr_storage". This data structure can
- simplify writing code portable across multiple address families and
- platforms. This data structure is designed with the following goals.
-
- - It has a large enough implementation specific maximum size to
- store the desired set of protocol specific socket address data
- structures. Specifically, it is at least large enough to
- accommodate sockaddr_in and sockaddr_in6 and possibly other
- protocol specific socket addresses too.
- - It is aligned at an appropriate boundary so protocol specific
- socket address data structure pointers can be cast to it and
- access their fields without alignment problems. (e.g. pointers
- to sockaddr_in6 and/or sockaddr_in can be cast to it and access
- fields without alignment problems).
-
-
-
-Gilligan, et. al. Informational [Page 13]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- - It has the initial field(s) isomorphic to the fields of the
- "struct sockaddr" data structure on that implementation which
- can be used as a discriminants for deriving the protocol in use.
- These initial field(s) would on most implementations either be a
- single field of type "sa_family_t" (isomorphic to sa_family
- field, 16 bits) or two fields of type uint8_t and sa_family_t
- respectively, (isomorphic to sa_len and sa_family_t, 8 bits
- each).
-
- An example implementation design of such a data structure would be as
- follows.
-
-/*
- * Desired design of maximum size and alignment
- */
-#define _SS_MAXSIZE 128 /* Implementation specific max size */
-#define _SS_ALIGNSIZE (sizeof (int64_t))
- /* Implementation specific desired alignment */
-/*
- * Definitions used for sockaddr_storage structure paddings design.
- */
-#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof (sa_family_t))
-#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (sa_family_t)+
- _SS_PAD1SIZE + _SS_ALIGNSIZE))
-struct sockaddr_storage {
- sa_family_t __ss_family; /* address family */
- /* Following fields are implementation specific */
- char __ss_pad1[_SS_PAD1SIZE];
- /* 6 byte pad, this is to make implementation
- /* specific pad up to alignment field that */
- /* follows explicit in the data structure */
- int64_t __ss_align; /* field to force desired structure */
- /* storage alignment */
- char __ss_pad2[_SS_PAD2SIZE];
- /* 112 byte pad to achieve desired size, */
- /* _SS_MAXSIZE value minus size of ss_family */
- /* __ss_pad1, __ss_align fields is 112 */
-};
-
- On implementations where sockaddr data structure includes a "sa_len",
- field this data structure would look like this:
-
-/*
- * Definitions used for sockaddr_storage structure paddings design.
- */
-#define _SS_PAD1SIZE (_SS_ALIGNSIZE -
- (sizeof (uint8_t) + sizeof (sa_family_t))
-#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (sa_family_t)+
-
-
-
-Gilligan, et. al. Informational [Page 14]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- _SS_PAD1SIZE + _SS_ALIGNSIZE))
-struct sockaddr_storage {
- uint8_t __ss_len; /* address length */
- sa_family_t __ss_family; /* address family */
- /* Following fields are implementation specific */
- char __ss_pad1[_SS_PAD1SIZE];
- /* 6 byte pad, this is to make implementation
- /* specific pad up to alignment field that */
- /* follows explicit in the data structure */
- int64_t __ss_align; /* field to force desired structure */
- /* storage alignment */
- char __ss_pad2[_SS_PAD2SIZE];
- /* 112 byte pad to achieve desired size, */
- /* _SS_MAXSIZE value minus size of ss_len, */
- /* __ss_family, __ss_pad1, __ss_align fields is 112 */
-};
-
- The above example implementation illustrates a data structure which
- will align on a 64 bit boundary. An implementation specific field
- "__ss_align" along "__ss_pad1" is used to force a 64-bit alignment
- which covers proper alignment good enough for needs of sockaddr_in6
- (IPv6), sockaddr_in (IPv4) address data structures. The size of
- padding fields __ss_pad1 depends on the chosen alignment boundary.
- The size of padding field __ss_pad2 depends on the value of overall
- size chosen for the total size of the structure. This size and
- alignment are represented in the above example by implementation
- specific (not required) constants _SS_MAXSIZE (chosen value 128) and
- _SS_ALIGNMENT (with chosen value 8). Constants _SS_PAD1SIZE (derived
- value 6) and _SS_PAD2SIZE (derived value 112) are also for
- illustration and not required. The implementation specific
- definitions and structure field names above start with an underscore
- to denote implementation private namespace. Portable code is not
- expected to access or reference those fields or constants.
-
- The sockaddr_storage structure solves the problem of declaring
- storage for automatic variables which is large enough and aligned
- enough for storing socket address data structure of any family. For
- example, code with a file descriptor and without the context of the
- address family can pass a pointer to a variable of this type where a
- pointer to a socket address structure is expected in calls such as
- getpeername() and determine the address family by accessing the
- received content after the call.
-
- The sockaddr_storage structure may also be useful and applied to
- certain other interfaces where a generic socket address large enough
- and aligned for use with multiple address families may be needed. A
- discussion of those interfaces is outside the scope of this document.
-
-
-
-
-Gilligan, et. al. Informational [Page 15]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- Also, much existing code assumes that any socket address structure
- can fit in a generic sockaddr structure. While this has been true
- for IPv4 socket address structures, it has always been false for Unix
- domain socket address structures (but in practice this has not been a
- problem) and it is also false for IPv6 socket address structures
- (which can be a problem).
-
- So now an application can do the following:
-
- struct sockaddr_storage __ss;
- struct sockaddr_in6 *sin6;
- sin6 = (struct sockaddr_in6 *) &__ss;
-
-4. Interface Identification
-
- This API uses an interface index (a small positive integer) to
- identify the local interface on which a multicast group is joined
- (Section 5.3). Additionally, the advanced API [4] uses these same
- interface indexes to identify the interface on which a datagram is
- received, or to specify the interface on which a datagram is to be
- sent.
-
- Interfaces are normally known by names such as "le0", "sl1", "ppp2",
- and the like. On Berkeley-derived implementations, when an interface
- is made known to the system, the kernel assigns a unique positive
- integer value (called the interface index) to that interface. These
- are small positive integers that start at 1. (Note that 0 is never
- used for an interface index.) There may be gaps so that there is no
- current interface for a particular positive interface index.
-
- This API defines two functions that map between an interface name and
- index, a third function that returns all the interface names and
- indexes, and a fourth function to return the dynamic memory allocated
- by the previous function. How these functions are implemented is
- left up to the implementation. 4.4BSD implementations can implement
- these functions using the existing sysctl() function with the
- NET_RT_IFLIST command. Other implementations may wish to use ioctl()
- for this purpose.
-
-4.1 Name-to-Index
-
- The first function maps an interface name into its corresponding
- index.
-
- #include <net/if.h>
-
- unsigned int if_nametoindex(const char *ifname);
-
-
-
-
-Gilligan, et. al. Informational [Page 16]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- If the specified interface name does not exist, the return value is
- 0, and errno is set to ENXIO. If there was a system error (such as
- running out of memory), the return value is 0 and errno is set to the
- proper value (e.g., ENOMEM).
-
-4.2 Index-to-Name
-
- The second function maps an interface index into its corresponding
- name.
-
- #include <net/if.h>
-
- char *if_indextoname(unsigned int ifindex, char *ifname);
-
- The ifname argument must point to a buffer of at least IF_NAMESIZE
- bytes into which the interface name corresponding to the specified
- index is returned. (IF_NAMESIZE is also defined in <net/if.h> and
- its value includes a terminating null byte at the end of the
- interface name.) This pointer is also the return value of the
- function. If there is no interface corresponding to the specified
- index, NULL is returned, and errno is set to ENXIO, if there was a
- system error (such as running out of memory), if_indextoname returns
- NULL and errno would be set to the proper value (e.g., ENOMEM).
-
-4.3 Return All Interface Names and Indexes
-
- The if_nameindex structure holds the information about a single
- interface and is defined as a result of including the <net/if.h>
- header.
-
- struct if_nameindex {
- unsigned int if_index; /* 1, 2, ... */
- char *if_name; /* null terminated name: "le0", ... */
- };
-
- The final function returns an array of if_nameindex structures, one
- structure per interface.
-
- struct if_nameindex *if_nameindex(void);
-
- The end of the array of structures is indicated by a structure with
- an if_index of 0 and an if_name of NULL. The function returns a NULL
- pointer upon an error, and would set errno to the appropriate value.
-
- The memory used for this array of structures along with the interface
- names pointed to by the if_name members is obtained dynamically.
- This memory is freed by the next function.
-
-
-
-
-Gilligan, et. al. Informational [Page 17]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-4.4 Free Memory
-
- The following function frees the dynamic memory that was allocated by
- if_nameindex().
-
- #include <net/if.h>
-
- void if_freenameindex(struct if_nameindex *ptr);
-
- The argument to this function must be a pointer that was returned by
- if_nameindex().
-
- Currently net/if.h doesn't have prototype definitions for functions
- and it is recommended that these definitions be defined in net/if.h
- as well and the struct if_nameindex{}.
-
-5. Socket Options
-
- A number of new socket options are defined for IPv6. All of these
- new options are at the IPPROTO_IPV6 level. That is, the "level"
- parameter in the getsockopt() and setsockopt() calls is IPPROTO_IPV6
- when using these options. The constant name prefix IPV6_ is used in
- all of the new socket options. This serves to clearly identify these
- options as applying to IPv6.
-
- The declaration for IPPROTO_IPV6, the new IPv6 socket options, and
- related constants defined in this section are obtained by including
- the header <netinet/in.h>.
-
-5.1 Unicast Hop Limit
-
- A new setsockopt() option controls the hop limit used in outgoing
- unicast IPv6 packets. The name of this option is IPV6_UNICAST_HOPS,
- and it is used at the IPPROTO_IPV6 layer. The following example
- illustrates how it is used:
-
- int hoplimit = 10;
-
- if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
- (char *) &hoplimit, sizeof(hoplimit)) == -1)
- perror("setsockopt IPV6_UNICAST_HOPS");
-
- When the IPV6_UNICAST_HOPS option is set with setsockopt(), the
- option value given is used as the hop limit for all subsequent
- unicast packets sent via that socket. If the option is not set, the
- system selects a default value. The integer hop limit value (called
- x) is interpreted as follows:
-
-
-
-
-Gilligan, et. al. Informational [Page 18]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- x < -1: return an error of EINVAL
- x == -1: use kernel default
- 0 <= x <= 255: use x
- x >= 256: return an error of EINVAL
-
- The IPV6_UNICAST_HOPS option may be used with getsockopt() to
- determine the hop limit value that the system will use for subsequent
- unicast packets sent via that socket. For example:
-
- int hoplimit;
- size_t len = sizeof(hoplimit);
-
- if (getsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
- (char *) &hoplimit, &len) == -1)
- perror("getsockopt IPV6_UNICAST_HOPS");
- else
- printf("Using %d for hop limit.\n", hoplimit);
-
-5.2 Sending and Receiving Multicast Packets
-
- IPv6 applications may send UDP multicast packets by simply specifying
- an IPv6 multicast address in the address argument of the sendto()
- function.
-
- Three socket options at the IPPROTO_IPV6 layer control some of the
- parameters for sending multicast packets. Setting these options is
- not required: applications may send multicast packets without using
- these options. The setsockopt() options for controlling the sending
- of multicast packets are summarized below. These three options can
- also be used with getsockopt().
-
- IPV6_MULTICAST_IF
-
- Set the interface to use for outgoing multicast packets. The
- argument is the index of the interface to use.
-
- Argument type: unsigned int
-
- IPV6_MULTICAST_HOPS
-
- Set the hop limit to use for outgoing multicast packets. (Note
- a separate option - IPV6_UNICAST_HOPS - is provided to set the
- hop limit to use for outgoing unicast packets.)
-
- The interpretation of the argument is the same as for the
- IPV6_UNICAST_HOPS option:
-
-
-
-
-
-Gilligan, et. al. Informational [Page 19]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- x < -1: return an error of EINVAL
- x == -1: use kernel default
- 0 <= x <= 255: use x
- x >= 256: return an error of EINVAL
-
- If IPV6_MULTICAST_HOPS is not set, the default is 1
- (same as IPv4 today)
-
- Argument type: int
-
- IPV6_MULTICAST_LOOP
-
- If a multicast datagram is sent to a group to which the sending
- host itself belongs (on the outgoing interface), a copy of the
- datagram is looped back by the IP layer for local delivery if
- this option is set to 1. If this option is set to 0 a copy
- is not looped back. Other option values return an error of
- EINVAL.
-
- If IPV6_MULTICAST_LOOP is not set, the default is 1 (loopback;
- same as IPv4 today).
-
- Argument type: unsigned int
-
- The reception of multicast packets is controlled by the two
- setsockopt() options summarized below. An error of EOPNOTSUPP is
- returned if these two options are used with getsockopt().
-
- IPV6_JOIN_GROUP
-
- Join a multicast group on a specified local interface. If the
- interface index is specified as 0, the kernel chooses the local
- interface. For example, some kernels look up the multicast
- group in the normal IPv6 routing table and using the resulting
- interface.
-
- Argument type: struct ipv6_mreq
-
- IPV6_LEAVE_GROUP
-
- Leave a multicast group on a specified interface.
-
- Argument type: struct ipv6_mreq
-
- The argument type of both of these options is the ipv6_mreq structure,
- defined as a result of including the <netinet/in.h> header;
-
-
-
-
-
-Gilligan, et. al. Informational [Page 20]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- struct ipv6_mreq {
- struct in6_addr ipv6mr_multiaddr; /* IPv6 multicast addr */
- unsigned int ipv6mr_interface; /* interface index */
- };
-
- Note that to receive multicast datagrams a process must join the
- multicast group and bind the UDP port to which datagrams will be
- sent. Some processes also bind the multicast group address to the
- socket, in addition to the port, to prevent other datagrams destined
- to that same port from being delivered to the socket.
-
-6. Library Functions
-
- New library functions are needed to perform a variety of operations
- with IPv6 addresses. Functions are needed to lookup IPv6 addresses
- in the Domain Name System (DNS). Both forward lookup (nodename-to-
- address translation) and reverse lookup (address-to-nodename
- translation) need to be supported. Functions are also needed to
- convert IPv6 addresses between their binary and textual form.
-
- We note that the two existing functions, gethostbyname() and
- gethostbyaddr(), are left as-is. New functions are defined to handle
- both IPv4 and IPv6 addresses.
-
-6.1 Nodename-to-Address Translation
-
- The commonly used function gethostbyname() is inadequate for many
- applications, first because it provides no way for the caller to
- specify anything about the types of addresses desired (IPv4 only,
- IPv6 only, IPv4-mapped IPv6 are OK, etc.), and second because many
- implementations of this function are not thread safe. RFC 2133
- defined a function named gethostbyname2() but this function was also
- inadequate, first because its use required setting a global option
- (RES_USE_INET6) when IPv6 addresses were required, and second because
- a flag argument is needed to provide the caller with additional
- control over the types of addresses required.
-
- The following function is new and must be thread safe:
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- struct hostent *getipnodebyname(const char *name, int af, int flags
- int *error_num);
-
- The name argument can be either a node name or a numeric address
- string (i.e., a dotted-decimal IPv4 address or an IPv6 hex address).
- The af argument specifies the address family, either AF_INET or
-
-
-
-Gilligan, et. al. Informational [Page 21]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- AF_INET6. The error_num value is returned to the caller, via a
- pointer, with the appropriate error code in error_num, to support
- thread safe error code returns. error_num will be set to one of the
- following values:
-
- HOST_NOT_FOUND
-
- No such host is known.
-
- NO_ADDRESS
-
- The server recognised the request and the name but no address is
- available. Another type of request to the name server for the
- domain might return an answer.
-
- NO_RECOVERY
-
- An unexpected server failure occurred which cannot be recovered.
-
- TRY_AGAIN
-
- A temporary and possibly transient error occurred, such as a
- failure of a server to respond.
-
- The flags argument specifies the types of addresses that are searched
- for, and the types of addresses that are returned. We note that a
- special flags value of AI_DEFAULT (defined below) should handle most
- applications.
-
- That is, porting simple applications to use IPv6 replaces the call
-
- hptr = gethostbyname(name);
-
- with
-
- hptr = getipnodebyname(name, AF_INET6, AI_DEFAULT, &error_num);
-
- and changes any subsequent error diagnosis code to use error_num
- instead of externally declared variables, such as h_errno.
-
- Applications desiring finer control over the types of addresses
- searched for and returned, can specify other combinations of the
- flags argument.
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 22]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- A flags of 0 implies a strict interpretation of the af argument:
-
- - If flags is 0 and af is AF_INET, then the caller wants only
- IPv4 addresses. A query is made for A records. If successful,
- the IPv4 addresses are returned and the h_length member of the
- hostent structure will be 4, else the function returns a NULL
- pointer.
-
- - If flags is 0 and if af is AF_INET6, then the caller wants only
- IPv6 addresses. A query is made for AAAA records. If
- successful, the IPv6 addresses are returned and the h_length
- member of the hostent structure will be 16, else the function
- returns a NULL pointer.
-
- Other constants can be logically-ORed into the flags argument, to
- modify the behavior of the function.
-
- - If the AI_V4MAPPED flag is specified along with an af of
- AF_INET6, then the caller will accept IPv4-mapped IPv6
- addresses. That is, if no AAAA records are found then a query
- is made for A records and any found are returned as IPv4-mapped
- IPv6 addresses (h_length will be 16). The AI_V4MAPPED flag is
- ignored unless af equals AF_INET6.
-
- - The AI_ALL flag is used in conjunction with the AI_V4MAPPED
- flag, and is only used with the IPv6 address family. When AI_ALL
- is logically or'd with AI_V4MAPPED flag then the caller wants
- all addresses: IPv6 and IPv4-mapped IPv6. A query is first made
- for AAAA records and if successful, the IPv6 addresses are
- returned. Another query is then made for A records and any found
- are returned as IPv4-mapped IPv6 addresses. h_length will be 16.
- Only if both queries fail does the function return a NULL pointer.
- This flag is ignored unless af equals AF_INET6.
-
- - The AI_ADDRCONFIG flag specifies that a query for AAAA records
- should occur only if the node has at least one IPv6 source
- address configured and a query for A records should occur only
- if the node has at least one IPv4 source address configured.
-
- For example, if the node has no IPv6 source addresses
- configured, and af equals AF_INET6, and the node name being
- looked up has both AAAA and A records, then:
-
- (a) if only AI_ADDRCONFIG is specified, the function
- returns a NULL pointer;
- (b) if AI_ADDRCONFIG | AI_V4MAPPED is specified, the A
- records are returned as IPv4-mapped IPv6 addresses;
-
-
-
-
-Gilligan, et. al. Informational [Page 23]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- The special flags value of AI_DEFAULT is defined as
-
- #define AI_DEFAULT (AI_V4MAPPED | AI_ADDRCONFIG)
-
- We noted that the getipnodebyname() function must allow the name
- argument to be either a node name or a literal address string (i.e.,
- a dotted-decimal IPv4 address or an IPv6 hex address). This saves
- applications from having to call inet_pton() to handle literal
- address strings.
-
- There are four scenarios based on the type of literal address string
- and the value of the af argument.
-
- The two simple cases are:
-
- When name is a dotted-decimal IPv4 address and af equals AF_INET, or
- when name is an IPv6 hex address and af equals AF_INET6. The members
- of the returned hostent structure are: h_name points to a copy of the
- name argument, h_aliases is a NULL pointer, h_addrtype is a copy of
- the af argument, h_length is either 4 (for AF_INET) or 16 (for
- AF_INET6), h_addr_list[0] is a pointer to the 4-byte or 16-byte
- binary address, and h_addr_list[1] is a NULL pointer.
-
- When name is a dotted-decimal IPv4 address and af equals AF_INET6,
- and flags equals AI_V4MAPPED, an IPv4-mapped IPv6 address is
- returned: h_name points to an IPv6 hex address containing the IPv4-
- mapped IPv6 address, h_aliases is a NULL pointer, h_addrtype is
- AF_INET6, h_length is 16, h_addr_list[0] is a pointer to the 16-byte
- binary address, and h_addr_list[1] is a NULL pointer. If AI_V4MAPPED
- is set (with or without AI_ALL) return IPv4-mapped otherwise return
- NULL.
-
- It is an error when name is an IPv6 hex address and af equals
- AF_INET. The function's return value is a NULL pointer and error_num
- equals HOST_NOT_FOUND.
-
-6.2 Address-To-Nodename Translation
-
- The following function has the same arguments as the existing
- gethostbyaddr() function, but adds an error number.
-
- #include <sys/socket.h> #include <netdb.h>
-
- struct hostent *getipnodebyaddr(const void *src, size_t len,
- int af, int *error_num);
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 24]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- As with getipnodebyname(), getipnodebyaddr() must be thread safe.
- The error_num value is returned to the caller with the appropriate
- error code, to support thread safe error code returns. The following
- error conditions may be returned for error_num:
-
- HOST_NOT_FOUND
-
- No such host is known.
-
- NO_ADDRESS
-
- The server recognized the request and the name but no address
- is available. Another type of request to the name server for
- the domain might return an answer.
-
- NO_RECOVERY
-
- An unexpected server failure occurred which cannot be
- recovered.
-
- TRY_AGAIN
-
- A temporary and possibly transient error occurred, such as a
- failure of a server to respond.
-
- One possible source of confusion is the handling of IPv4-mapped IPv6
- addresses and IPv4-compatible IPv6 addresses, but the following logic
- should apply.
-
- 1. If af is AF_INET6, and if len equals 16, and if the IPv6
- address is an IPv4-mapped IPv6 address or an IPv4-compatible
- IPv6 address, then skip over the first 12 bytes of the IPv6
- address, set af to AF_INET, and set len to 4.
-
- 2. If af is AF_INET, lookup the name for the given IPv4 address
- (e.g., query for a PTR record in the in-addr.arpa domain).
-
- 3. If af is AF_INET6, lookup the name for the given IPv6 address
- (e.g., query for a PTR record in the ip6.int domain).
-
- 4. If the function is returning success, then the single address
- that is returned in the hostent structure is a copy of the
- first argument to the function with the same address family
- that was passed as an argument to this function.
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 25]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- All four steps listed are performed, in order. Also note that the
- IPv6 hex addresses "::" and "::1" MUST NOT be treated as IPv4-
- compatible addresses, and if the address is "::", HOST_NOT_FOUND MUST
- be returned and a query of the address not performed.
-
- Also for the macro in section 6.7 IN6_IS_ADDR_V4COMPAT MUST return
- false for "::" and "::1".
-
-6.3 Freeing memory for getipnodebyname and getipnodebyaddr
-
- The hostent structure does not change from its existing definition.
- This structure, and the information pointed to by this structure, are
- dynamically allocated by getipnodebyname and getipnodebyaddr. The
- following function frees this memory:
-
- #include <netdb.h>
-
- void freehostent(struct hostent *ptr);
-
-6.4 Protocol-Independent Nodename and Service Name Translation
-
- Nodename-to-address translation is done in a protocol-independent
- fashion using the getaddrinfo() function that is taken from the
- Institute of Electrical and Electronic Engineers (IEEE) POSIX 1003.1g
- (Protocol Independent Interfaces) draft specification [3].
-
- The official specification for this function will be the final POSIX
- standard, with the following additional requirements:
-
- - getaddrinfo() (along with the getnameinfo() function described
- in the next section) must be thread safe.
-
- - The AI_NUMERICHOST is new with this document.
-
- - All fields in socket address structures returned by
- getaddrinfo() that are not filled in through an explicit
- argument (e.g., sin6_flowinfo and sin_zero) must be set to 0.
- (This makes it easier to compare socket address structures.)
-
- - getaddrinfo() must fill in the length field of a socket address
- structure (e.g., sin6_len) on systems that support this field.
-
- We are providing this independent description of the function because
- POSIX standards are not freely available (as are IETF documents).
-
- #include <sys/socket.h>
- #include <netdb.h>
-
-
-
-
-Gilligan, et. al. Informational [Page 26]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- int getaddrinfo(const char *nodename, const char *servname,
- const struct addrinfo *hints,
- struct addrinfo **res);
-
- The addrinfo structure is defined as a result of including the
- <netdb.h> header.
-
- struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME, AI_NUMERICHOST */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for nodename */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
- };
-
- The return value from the function is 0 upon success or a nonzero
- error code. The following names are the nonzero error codes from
- getaddrinfo(), and are defined in <netdb.h>:
-
- EAI_ADDRFAMILY address family for nodename not supported
- EAI_AGAIN temporary failure in name resolution
- EAI_BADFLAGS invalid value for ai_flags
- EAI_FAIL non-recoverable failure in name resolution
- EAI_FAMILY ai_family not supported
- EAI_MEMORY memory allocation failure
- EAI_NODATA no address associated with nodename
- EAI_NONAME nodename nor servname provided, or not known
- EAI_SERVICE servname not supported for ai_socktype
- EAI_SOCKTYPE ai_socktype not supported
- EAI_SYSTEM system error returned in errno
-
- The nodename and servname arguments are pointers to null-terminated
- strings or NULL. One or both of these two arguments must be a non-
- NULL pointer. In the normal client scenario, both the nodename and
- servname are specified. In the normal server scenario, only the
- servname is specified. A non-NULL nodename string can be either a
- node name or a numeric host address string (i.e., a dotted-decimal
- IPv4 address or an IPv6 hex address). A non-NULL servname string can
- be either a service name or a decimal port number.
-
- The caller can optionally pass an addrinfo structure, pointed to by
- the third argument, to provide hints concerning the type of socket
- that the caller supports. In this hints structure all members other
- than ai_flags, ai_family, ai_socktype, and ai_protocol must be zero
- or a NULL pointer. A value of PF_UNSPEC for ai_family means the
-
-
-
-Gilligan, et. al. Informational [Page 27]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- caller will accept any protocol family. A value of 0 for ai_socktype
- means the caller will accept any socket type. A value of 0 for
- ai_protocol means the caller will accept any protocol. For example,
- if the caller handles only TCP and not UDP, then the ai_socktype
- member of the hints structure should be set to SOCK_STREAM when
- getaddrinfo() is called. If the caller handles only IPv4 and not
- IPv6, then the ai_family member of the hints structure should be set
- to PF_INET when getaddrinfo() is called. If the third argument to
- getaddrinfo() is a NULL pointer, this is the same as if the caller
- had filled in an addrinfo structure initialized to zero with
- ai_family set to PF_UNSPEC.
-
- Upon successful return a pointer to a linked list of one or more
- addrinfo structures is returned through the final argument. The
- caller can process each addrinfo structure in this list by following
- the ai_next pointer, until a NULL pointer is encountered. In each
- returned addrinfo structure the three members ai_family, ai_socktype,
- and ai_protocol are the corresponding arguments for a call to the
- socket() function. In each addrinfo structure the ai_addr member
- points to a filled-in socket address structure whose length is
- specified by the ai_addrlen member.
-
- If the AI_PASSIVE bit is set in the ai_flags member of the hints
- structure, then the caller plans to use the returned socket address
- structure in a call to bind(). In this case, if the nodename
- argument is a NULL pointer, then the IP address portion of the socket
- address structure will be set to INADDR_ANY for an IPv4 address or
- IN6ADDR_ANY_INIT for an IPv6 address.
-
- If the AI_PASSIVE bit is not set in the ai_flags member of the hints
- structure, then the returned socket address structure will be ready
- for a call to connect() (for a connection-oriented protocol) or
- either connect(), sendto(), or sendmsg() (for a connectionless
- protocol). In this case, if the nodename argument is a NULL pointer,
- then the IP address portion of the socket address structure will be
- set to the loopback address.
-
- If the AI_CANONNAME bit is set in the ai_flags member of the hints
- structure, then upon successful return the ai_canonname member of the
- first addrinfo structure in the linked list will point to a null-
- terminated string containing the canonical name of the specified
- nodename.
-
- If the AI_NUMERICHOST bit is set in the ai_flags member of the hints
- structure, then a non-NULL nodename string must be a numeric host
- address string. Otherwise an error of EAI_NONAME is returned. This
- flag prevents any type of name resolution service (e.g., the DNS)
- from being called.
-
-
-
-Gilligan, et. al. Informational [Page 28]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- All of the information returned by getaddrinfo() is dynamically
- allocated: the addrinfo structures, and the socket address structures
- and canonical node name strings pointed to by the addrinfo
- structures. To return this information to the system the function
- freeaddrinfo() is called:
-
- #include <sys/socket.h> #include <netdb.h>
-
- void freeaddrinfo(struct addrinfo *ai);
-
- The addrinfo structure pointed to by the ai argument is freed, along
- with any dynamic storage pointed to by the structure. This operation
- is repeated until a NULL ai_next pointer is encountered.
-
- To aid applications in printing error messages based on the EAI_xxx
- codes returned by getaddrinfo(), the following function is defined.
-
- #include <sys/socket.h> #include <netdb.h>
-
- char *gai_strerror(int ecode);
-
- The argument is one of the EAI_xxx values defined earlier and the
- return value points to a string describing the error. If the
- argument is not one of the EAI_xxx values, the function still returns
- a pointer to a string whose contents indicate an unknown error.
-
-6.5 Socket Address Structure to Nodename and Service Name
-
- The POSIX 1003.1g specification includes no function to perform the
- reverse conversion from getaddrinfo(): to look up a nodename and
- service name, given the binary address and port. Therefore, we
- define the following function:
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- int getnameinfo(const struct sockaddr *sa, socklen_t salen,
- char *host, size_t hostlen,
- char *serv, size_t servlen,
- int flags);
-
- This function looks up an IP address and port number provided by the
- caller in the DNS and system-specific database, and returns text
- strings for both in buffers provided by the caller. The function
- indicates successful completion by a zero return value; a non-zero
- return value indicates failure.
-
-
-
-
-
-Gilligan, et. al. Informational [Page 29]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- The first argument, sa, points to either a sockaddr_in structure (for
- IPv4) or a sockaddr_in6 structure (for IPv6) that holds the IP
- address and port number. The salen argument gives the length of the
- sockaddr_in or sockaddr_in6 structure.
-
- The function returns the nodename associated with the IP address in
- the buffer pointed to by the host argument. The caller provides the
- size of this buffer via the hostlen argument. The service name
- associated with the port number is returned in the buffer pointed to
- by serv, and the servlen argument gives the length of this buffer.
- The caller specifies not to return either string by providing a zero
- value for the hostlen or servlen arguments. Otherwise, the caller
- must provide buffers large enough to hold the nodename and the
- service name, including the terminating null characters.
-
- Unfortunately most systems do not provide constants that specify the
- maximum size of either a fully-qualified domain name or a service
- name. Therefore to aid the application in allocating buffers for
- these two returned strings the following constants are defined in
- <netdb.h>:
-
- #define NI_MAXHOST 1025
- #define NI_MAXSERV 32
-
- The first value is actually defined as the constant MAXDNAME in recent
- versions of BIND's <arpa/nameser.h> header (older versions of BIND
- define this constant to be 256) and the second is a guess based on the
- services listed in the current Assigned Numbers RFC.
-
- The final argument is a flag that changes the default actions of this
- function. By default the fully-qualified domain name (FQDN) for the
- host is looked up in the DNS and returned. If the flag bit NI_NOFQDN
- is set, only the nodename portion of the FQDN is returned for local
- hosts.
-
- If the flag bit NI_NUMERICHOST is set, or if the host's name cannot be
- located in the DNS, the numeric form of the host's address is returned
- instead of its name (e.g., by calling inet_ntop() instead of
- getipnodebyaddr()). If the flag bit NI_NAMEREQD is set, an error is
- returned if the host's name cannot be located in the DNS.
-
- If the flag bit NI_NUMERICSERV is set, the numeric form of the service
- address is returned (e.g., its port number) instead of its name. The
- two NI_NUMERICxxx flags are required to support the "-n" flag that
- many commands provide.
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 30]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- A fifth flag bit, NI_DGRAM, specifies that the service is a datagram
- service, and causes getservbyport() to be called with a second
- argument of "udp" instead of its default of "tcp". This is required
- for the few ports (e.g. 512-514) that have different services for UDP
- and TCP.
-
- These NI_xxx flags are defined in <netdb.h> along with the AI_xxx
- flags already defined for getaddrinfo().
-
-6.6 Address Conversion Functions
-
- The two functions inet_addr() and inet_ntoa() convert an IPv4 address
- between binary and text form. IPv6 applications need similar
- functions. The following two functions convert both IPv6 and IPv4
- addresses:
-
- #include <sys/socket.h>
- #include <arpa/inet.h>
-
- int inet_pton(int af, const char *src, void *dst);
-
- const char *inet_ntop(int af, const void *src,
- char *dst, size_t size);
-
- The inet_pton() function converts an address in its standard text
- presentation form into its numeric binary form. The af argument
- specifies the family of the address. Currently the AF_INET and
- AF_INET6 address families are supported. The src argument points to
- the string being passed in. The dst argument points to a buffer into
- which the function stores the numeric address. The address is
- returned in network byte order. Inet_pton() returns 1 if the
- conversion succeeds, 0 if the input is not a valid IPv4 dotted-
- decimal string or a valid IPv6 address string, or -1 with errno set
- to EAFNOSUPPORT if the af argument is unknown. The calling
- application must ensure that the buffer referred to by dst is large
- enough to hold the numeric address (e.g., 4 bytes for AF_INET or 16
- bytes for AF_INET6).
-
- If the af argument is AF_INET, the function accepts a string in the
- standard IPv4 dotted-decimal form:
-
- ddd.ddd.ddd.ddd
-
- where ddd is a one to three digit decimal number between 0 and 255.
- Note that many implementations of the existing inet_addr() and
- inet_aton() functions accept nonstandard input: octal numbers,
- hexadecimal numbers, and fewer than four numbers. inet_pton() does
- not accept these formats.
-
-
-
-Gilligan, et. al. Informational [Page 31]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- If the af argument is AF_INET6, then the function accepts a string in
- one of the standard IPv6 text forms defined in Section 2.2 of the
- addressing architecture specification [2].
-
- The inet_ntop() function converts a numeric address into a text
- string suitable for presentation. The af argument specifies the
- family of the address. This can be AF_INET or AF_INET6. The src
- argument points to a buffer holding an IPv4 address if the af
- argument is AF_INET, or an IPv6 address if the af argument is
- AF_INET6, the address must be in network byte order. The dst
- argument points to a buffer where the function will store the
- resulting text string. The size argument specifies the size of this
- buffer. The application must specify a non-NULL dst argument. For
- IPv6 addresses, the buffer must be at least 46-octets. For IPv4
- addresses, the buffer must be at least 16-octets. In order to allow
- applications to easily declare buffers of the proper size to store
- IPv4 and IPv6 addresses in string form, the following two constants
- are defined in <netinet/in.h>:
-
- #define INET_ADDRSTRLEN 16
- #define INET6_ADDRSTRLEN 46
-
- The inet_ntop() function returns a pointer to the buffer containing
- the text string if the conversion succeeds, and NULL otherwise. Upon
- failure, errno is set to EAFNOSUPPORT if the af argument is invalid or
- ENOSPC if the size of the result buffer is inadequate.
-
-6.7 Address Testing Macros
-
- The following macros can be used to test for special IPv6 addresses.
-
- #include <netinet/in.h>
-
- int IN6_IS_ADDR_UNSPECIFIED (const struct in6_addr *);
- int IN6_IS_ADDR_LOOPBACK (const struct in6_addr *);
- int IN6_IS_ADDR_MULTICAST (const struct in6_addr *);
- int IN6_IS_ADDR_LINKLOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_SITELOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_V4MAPPED (const struct in6_addr *);
- int IN6_IS_ADDR_V4COMPAT (const struct in6_addr *);
-
- int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_ORGLOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_MC_GLOBAL (const struct in6_addr *);
-
-
-
-
-
-Gilligan, et. al. Informational [Page 32]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- The first seven macros return true if the address is of the specified
- type, or false otherwise. The last five test the scope of a
- multicast address and return true if the address is a multicast
- address of the specified scope or false if the address is either not
- a multicast address or not of the specified scope. Note that
- IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL return true only for
- the two local-use IPv6 unicast addresses. These two macros do not
- return true for IPv6 multicast addresses of either link-local scope
- or site-local scope.
-
-7. Summary of New Definitions
-
- The following list summarizes the constants, structure, and extern
- definitions discussed in this memo, sorted by header.
-
- <net/if.h> IF_NAMESIZE
- <net/if.h> struct if_nameindex{};
-
- <netdb.h> AI_ADDRCONFIG
- <netdb.h> AI_DEFAULT
- <netdb.h> AI_ALL
- <netdb.h> AI_CANONNAME
- <netdb.h> AI_NUMERICHOST
- <netdb.h> AI_PASSIVE
- <netdb.h> AI_V4MAPPED
- <netdb.h> EAI_ADDRFAMILY
- <netdb.h> EAI_AGAIN
- <netdb.h> EAI_BADFLAGS
- <netdb.h> EAI_FAIL
- <netdb.h> EAI_FAMILY
- <netdb.h> EAI_MEMORY
- <netdb.h> EAI_NODATA
- <netdb.h> EAI_NONAME
- <netdb.h> EAI_SERVICE
- <netdb.h> EAI_SOCKTYPE
- <netdb.h> EAI_SYSTEM
- <netdb.h> NI_DGRAM
- <netdb.h> NI_MAXHOST
- <netdb.h> NI_MAXSERV
- <netdb.h> NI_NAMEREQD
- <netdb.h> NI_NOFQDN
- <netdb.h> NI_NUMERICHOST
- <netdb.h> NI_NUMERICSERV
- <netdb.h> struct addrinfo{};
-
- <netinet/in.h> IN6ADDR_ANY_INIT
- <netinet/in.h> IN6ADDR_LOOPBACK_INIT
- <netinet/in.h> INET6_ADDRSTRLEN
-
-
-
-Gilligan, et. al. Informational [Page 33]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- <netinet/in.h> INET_ADDRSTRLEN
- <netinet/in.h> IPPROTO_IPV6
- <netinet/in.h> IPV6_JOIN_GROUP
- <netinet/in.h> IPV6_LEAVE_GROUP
- <netinet/in.h> IPV6_MULTICAST_HOPS
- <netinet/in.h> IPV6_MULTICAST_IF
- <netinet/in.h> IPV6_MULTICAST_LOOP
- <netinet/in.h> IPV6_UNICAST_HOPS
- <netinet/in.h> SIN6_LEN
- <netinet/in.h> extern const struct in6_addr in6addr_any;
- <netinet/in.h> extern const struct in6_addr in6addr_loopback;
- <netinet/in.h> struct in6_addr{};
- <netinet/in.h> struct ipv6_mreq{};
- <netinet/in.h> struct sockaddr_in6{};
-
- <sys/socket.h> AF_INET6
- <sys/socket.h> PF_INET6
- <sys/socket.h> struct sockaddr_storage;
-
- The following list summarizes the function and macro prototypes
- discussed in this memo, sorted by header.
-
-<arpa/inet.h> int inet_pton(int, const char *, void *);
-<arpa/inet.h> const char *inet_ntop(int, const void *,
- char *, size_t);
-
-<net/if.h> char *if_indextoname(unsigned int, char *);
-<net/if.h> unsigned int if_nametoindex(const char *);
-<net/if.h> void if_freenameindex(struct if_nameindex *);
-<net/if.h> struct if_nameindex *if_nameindex(void);
-
-<netdb.h> int getaddrinfo(const char *, const char *,
- const struct addrinfo *,
- struct addrinfo **);
-<netdb.h> int getnameinfo(const struct sockaddr *, socklen_t,
- char *, size_t, char *, size_t, int);
-<netdb.h> void freeaddrinfo(struct addrinfo *);
-<netdb.h> char *gai_strerror(int);
-<netdb.h> struct hostent *getipnodebyname(const char *, int, int,
- int *);
-<netdb.h> struct hostent *getipnodebyaddr(const void *, size_t,
- int, int *);
-<netdb.h> void freehostent(struct hostent *);
-
-<netinet/in.h> int IN6_IS_ADDR_LINKLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_LOOPBACK(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_GLOBAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
-
-
-
-Gilligan, et. al. Informational [Page 34]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-<netinet/in.h> int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_ORGLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MULTICAST(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_SITELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_UNSPECIFIED(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_V4COMPAT(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_V4MAPPED(const struct in6_addr *);
-
-8. Security Considerations
-
- IPv6 provides a number of new security mechanisms, many of which need
- to be accessible to applications. Companion memos detailing the
- extensions to the socket interfaces to support IPv6 security are
- being written.
-
-9. Year 2000 Considerations
-
- There are no issues for this memo concerning the Year 2000 issue
- regarding the use of dates.
-
-Changes From RFC 2133
-
- Changes made in the March 1998 Edition (-01 draft):
-
- Changed all "hostname" to "nodename" for consistency with other
- IPv6 documents.
-
- Section 3.3: changed comment for sin6_flowinfo to be "traffic
- class & flow info" and updated corresponding text description to
- current definition of these two fields.
-
- Section 3.10 ("Portability Additions") is new.
-
- Section 6: a new paragraph was added reiterating that the existing
- gethostbyname() and gethostbyaddr() are not changed.
-
- Section 6.1: change gethostbyname3() to getnodebyname(). Add
- AI_DEFAULT to handle majority of applications. Renamed
- AI_V6ADDRCONFIG to AI_ADDRCONFIG and define it for A records and
- IPv4 addresses too. Defined exactly what getnodebyname() must
- return if the name argument is a numeric address string.
-
- Section 6.2: change gethostbyaddr() to getnodebyaddr(). Reword
- items 2 and 3 in the description of how to handle IPv4-mapped and
- IPv4- compatible addresses to "lookup a name" for a given address,
- instead of specifying what type of DNS query to issue.
-
-
-
-
-Gilligan, et. al. Informational [Page 35]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- Section 6.3: added two more requirements to getaddrinfo().
-
- Section 7: added the following constants to the list for
- <netdb.h>: AI_ADDRCONFIG, AI_ALL, and AI_V4MAPPED. Add union
- sockaddr_union and SA_LEN to the lists for <sys/socket.h>.
-
- Updated references.
-
- Changes made in the November 1997 Edition (-00 draft):
-
- The data types have been changed to conform with Draft 6.6 of the
- Posix 1003.1g standard.
-
- Section 3.2: data type of s6_addr changed to "uint8_t".
-
- Section 3.3: data type of sin6_family changed to "sa_family_t".
- data type of sin6_port changed to "in_port_t", data type of
- sin6_flowinfo changed to "uint32_t".
-
- Section 3.4: same as Section 3.3, plus data type of sin6_len
- changed to "uint8_t".
-
- Section 6.2: first argument of gethostbyaddr() changed from "const
- char *" to "const void *" and second argument changed from "int"
- to "size_t".
-
- Section 6.4: second argument of getnameinfo() changed from
- "size_t" to "socklen_t".
-
- The wording was changed when new structures were defined, to be
- more explicit as to which header must be included to define the
- structure:
-
- Section 3.2 (in6_addr{}), Section 3.3 (sockaddr_in6{}), Section
- 3.4 (sockaddr_in6{}), Section 4.3 (if_nameindex{}), Section 5.3
- (ipv6_mreq{}), and Section 6.3 (addrinfo{}).
-
- Section 4: NET_RT_LIST changed to NET_RT_IFLIST.
-
- Section 5.1: The IPV6_ADDRFORM socket option was removed.
-
- Section 5.3: Added a note that an option value other than 0 or 1
- for IPV6_MULTICAST_LOOP returns an error. Added a note that
- IPV6_MULTICAST_IF, IPV6_MULTICAST_HOPS, and IPV6_MULTICAST_LOOP
- can also be used with getsockopt(), but IPV6_ADD_MEMBERSHIP and
- IPV6_DROP_MEMBERSHIP cannot be used with getsockopt().
-
-
-
-
-
-Gilligan, et. al. Informational [Page 36]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- Section 6.1: Removed the description of gethostbyname2() and its
- associated RES_USE_INET6 option, replacing it with
- gethostbyname3().
-
- Section 6.2: Added requirement that gethostbyaddr() be thread
- safe. Reworded step 4 to avoid using the RES_USE_INET6 option.
-
- Section 6.3: Added the requirement that getaddrinfo() and
- getnameinfo() be thread safe. Added the AI_NUMERICHOST flag.
-
- Section 6.6: Added clarification about IN6_IS_ADDR_LINKLOCAL and
- IN6_IS_ADDR_SITELOCAL macros.
-
- Changes made to the draft -01 specification Sept 98
-
- Changed priority to traffic class in the spec.
-
- Added the need for scope identification in section 2.1.
-
- Added sin6_scope_id to struct sockaddr_in6 in sections 3.3 and
- 3.4.
-
- Changed 3.10 to use generic storage structure to support holding
- IPv6 addresses and removed the SA_LEN macro.
-
- Distinguished between invalid input parameters and system failures
- for Interface Identification in Section 4.1 and 4.2.
-
- Added defaults for multicast operations in section 5.2 and changed
- the names from ADD to JOIN and DROP to LEAVE to be consistent with
- IPv6 multicast terminology.
-
- Changed getnodebyname to getipnodebyname, getnodebyaddr to
- getipnodebyaddr, and added MT safe error code to function
- parameters in section 6.
-
- Moved freehostent to its own sub-section after getipnodebyaddr now
- 6.3 (so this bumps all remaining sections in section 6.
-
- Clarified the use of AI_ALL and AI_V4MAPPED that these are
- dependent on the AF parameter and must be used as a conjunction in
- section 6.1.
-
- Removed the restriction that literal addresses cannot be used with
- a flags argument in section 6.1.
-
- Added Year 2000 Section to the draft
-
-
-
-
-Gilligan, et. al. Informational [Page 37]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- Deleted Reference to the following because the attached is deleted
- from the ID directory and has expired. But the logic from the
- aforementioned draft still applies, so that was kept in Section
- 6.2 bullets after 3rd paragraph.
-
- [7] P. Vixie, "Reverse Name Lookups of Encapsulated IPv4
- Addresses in IPv6", Internet-Draft, <draft-vixie-ipng-
- ipv4ptr-00.txt>, May 1996.
-
- Deleted the following reference as it is no longer referenced.
- And the draft has expired.
-
- [3] D. McDonald, "A Simple IP Security API Extension to BSD
- Sockets", Internet-Draft, <draft-mcdonald-simple-ipsec-api-
- 01.txt>, March 1997.
-
- Deleted the following reference as it is no longer referenced.
-
- [4] C. Metz, "Network Security API for Sockets",
- Internet-Draft, <draft-metz-net-security-api-01.txt>, January
- 1998.
-
- Update current references to current status.
-
- Added alignment notes for in6_addr and sin6_addr.
-
- Clarified further that AI_V4MAPPED must be used with a dotted IPv4
- literal address for getipnodebyname(), when address family is
- AF_INET6.
-
- Added text to clarify "::" and "::1" when used by
- getipnodebyaddr().
-
-Acknowledgments
-
- Thanks to the many people who made suggestions and provided feedback
- to this document, including: Werner Almesberger, Ran Atkinson, Fred
- Baker, Dave Borman, Andrew Cherenson, Alex Conta, Alan Cox, Steve
- Deering, Richard Draves, Francis Dupont, Robert Elz, Marc Hasson, Tom
- Herbert, Bob Hinden, Wan-Yen Hsu, Christian Huitema, Koji Imada,
- Markus Jork, Ron Lee, Alan Lloyd, Charles Lynn, Dan McDonald, Dave
- Mitton, Thomas Narten, Josh Osborne, Craig Partridge, Jean-Luc
- Richier, Erik Scoredos, Keith Sklower, Matt Thomas, Harvey Thompson,
- Dean D. Throop, Karen Tracey, Glenn Trewitt, Paul Vixie, David
- Waitzman, Carl Williams, and Kazu Yamamoto,
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 38]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
- The getaddrinfo() and getnameinfo() functions are taken from an
- earlier Internet Draft by Keith Sklower. As noted in that draft,
- William Durst, Steven Wise, Michael Karels, and Eric Allman provided
- many useful discussions on the subject of protocol-independent name-
- to-address translation, and reviewed early versions of Keith
- Sklower's original proposal. Eric Allman implemented the first
- prototype of getaddrinfo(). The observation that specifying the pair
- of name and service would suffice for connecting to a service
- independent of protocol details was made by Marshall Rose in a
- proposal to X/Open for a "Uniform Network Interface".
-
- Craig Metz, Jack McCann, Erik Nordmark, Tim Hartrick, and Mukesh
- Kacker made many contributions to this document. Ramesh Govindan
- made a number of contributions and co-authored an earlier version of
- this memo.
-
-References
-
- [1] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
- Specification", RFC 2460, December 1998.
-
- [2] Hinden, R. and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
- [3] IEEE, "Protocol Independent Interfaces", IEEE Std 1003.1g, DRAFT
- 6.6, March 1997.
-
- [4] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6", RFC
- 2292, February 1998.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 39]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-Authors' Addresses
-
- Robert E. Gilligan
- FreeGate Corporation
- 1208 E. Arques Ave.
- Sunnyvale, CA 94086
-
- Phone: +1 408 617 1004
- EMail: gilligan@freegate.com
-
-
- Susan Thomson
- Bell Communications Research
- MRE 2P-343, 445 South Street
- Morristown, NJ 07960
-
- Phone: +1 201 829 4514
- EMail: set@thumper.bellcore.com
-
-
- Jim Bound
- Compaq Computer Corporation
- 110 Spitbrook Road ZK3-3/U14
- Nashua, NH 03062-2698
-
- Phone: +1 603 884 0400
- EMail: bound@zk3.dec.com
-
-
- W. Richard Stevens
- 1202 E. Paseo del Zorro
- Tucson, AZ 85718-2826
-
- Phone: +1 520 297 9416
- EMail: rstevens@kohala.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 40]
-
-RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et. al. Informational [Page 41]
-
diff --git a/contrib/bind9/doc/rfc/rfc2671.txt b/contrib/bind9/doc/rfc/rfc2671.txt
deleted file mode 100644
index ec05f80829cf..000000000000
--- a/contrib/bind9/doc/rfc/rfc2671.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Vixie
-Request for Comments: 2671 ISC
-Category: Standards Track August 1999
-
-
- Extension Mechanisms for DNS (EDNS0)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-Abstract
-
- The Domain Name System's wire protocol includes a number of fixed
- fields whose range has been or soon will be exhausted and does not
- allow clients to advertise their capabilities to servers. This
- document describes backward compatible mechanisms for allowing the
- protocol to grow.
-
-1 - Rationale and Scope
-
-1.1. DNS (see [RFC1035]) specifies a Message Format and within such
- messages there are standard formats for encoding options, errors,
- and name compression. The maximum allowable size of a DNS Message
- is fixed. Many of DNS's protocol limits are too small for uses
- which are or which are desired to become common. There is no way
- for implementations to advertise their capabilities.
-
-1.2. Existing clients will not know how to interpret the protocol
- extensions detailed here. In practice, these clients will be
- upgraded when they have need of a new feature, and only new
- features will make use of the extensions. We must however take
- account of client behaviour in the face of extra fields, and design
- a fallback scheme for interoperability with these clients.
-
-
-
-
-
-
-
-
-
-Vixie Standards Track [Page 1]
-
-RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
-
-
-2 - Affected Protocol Elements
-
-2.1. The DNS Message Header's (see [RFC1035 4.1.1]) second full 16-bit
- word is divided into a 4-bit OPCODE, a 4-bit RCODE, and a number of
- 1-bit flags. The original reserved Z bits have been allocated to
- various purposes, and most of the RCODE values are now in use.
- More flags and more possible RCODEs are needed.
-
-2.2. The first two bits of a wire format domain label are used to denote
- the type of the label. [RFC1035 4.1.4] allocates two of the four
- possible types and reserves the other two. Proposals for use of
- the remaining types far outnumber those available. More label
- types are needed.
-
-2.3. DNS Messages are limited to 512 octets in size when sent over UDP.
- While the minimum maximum reassembly buffer size still allows a
- limit of 512 octets of UDP payload, most of the hosts now connected
- to the Internet are able to reassemble larger datagrams. Some
- mechanism must be created to allow requestors to advertise larger
- buffer sizes to responders.
-
-3 - Extended Label Types
-
-3.1. The "0 1" label type will now indicate an extended label type,
- whose value is encoded in the lower six bits of the first octet of
- a label. All subsequently developed label types should be encoded
- using an extended label type.
-
-3.2. The "1 1 1 1 1 1" extended label type will be reserved for future
- expansion of the extended label type code space.
-
-4 - OPT pseudo-RR
-
-4.1. One OPT pseudo-RR can be added to the additional data section of
- either a request or a response. An OPT is called a pseudo-RR
- because it pertains to a particular transport level message and not
- to any actual DNS data. OPT RRs shall never be cached, forwarded,
- or stored in or loaded from master files. The quantity of OPT
- pseudo-RRs per message shall be either zero or one, but not
- greater.
-
-4.2. An OPT RR has a fixed part and a variable set of options expressed
- as {attribute, value} pairs. The fixed part holds some DNS meta
- data and also a small collection of new protocol elements which we
- expect to be so popular that it would be a waste of wire space to
- encode them as {attribute, value} pairs.
-
-
-
-
-
-Vixie Standards Track [Page 2]
-
-RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
-
-
-4.3. The fixed part of an OPT RR is structured as follows:
-
- Field Name Field Type Description
- ------------------------------------------------------
- NAME domain name empty (root domain)
- TYPE u_int16_t OPT
- CLASS u_int16_t sender's UDP payload size
- TTL u_int32_t extended RCODE and flags
- RDLEN u_int16_t describes RDATA
- RDATA octet stream {attribute,value} pairs
-
-4.4. The variable part of an OPT RR is encoded in its RDATA and is
- structured as zero or more of the following:
-
- +0 (MSB) +1 (LSB)
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- 0: | OPTION-CODE |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- 2: | OPTION-LENGTH |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- 4: | |
- / OPTION-DATA /
- / /
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
-
- OPTION-CODE (Assigned by IANA.)
-
- OPTION-LENGTH Size (in octets) of OPTION-DATA.
-
- OPTION-DATA Varies per OPTION-CODE.
-
-4.5. The sender's UDP payload size (which OPT stores in the RR CLASS
- field) is the number of octets of the largest UDP payload that can
- be reassembled and delivered in the sender's network stack. Note
- that path MTU, with or without fragmentation, may be smaller than
- this.
-
-4.5.1. Note that a 512-octet UDP payload requires a 576-octet IP
- reassembly buffer. Choosing 1280 on an Ethernet connected
- requestor would be reasonable. The consequence of choosing too
- large a value may be an ICMP message from an intermediate
- gateway, or even a silent drop of the response message.
-
-4.5.2. Both requestors and responders are advised to take account of the
- path's discovered MTU (if already known) when considering message
- sizes.
-
-
-
-
-
-Vixie Standards Track [Page 3]
-
-RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
-
-
-4.5.3. The requestor's maximum payload size can change over time, and
- should therefore not be cached for use beyond the transaction in
- which it is advertised.
-
-4.5.4. The responder's maximum payload size can change over time, but
- can be reasonably expected to remain constant between two
- sequential transactions; for example, a meaningless QUERY to
- discover a responder's maximum UDP payload size, followed
- immediately by an UPDATE which takes advantage of this size.
- (This is considered preferrable to the outright use of TCP for
- oversized requests, if there is any reason to suspect that the
- responder implements EDNS, and if a request will not fit in the
- default 512 payload size limit.)
-
-4.5.5. Due to transaction overhead, it is unwise to advertise an
- architectural limit as a maximum UDP payload size. Just because
- your stack can reassemble 64KB datagrams, don't assume that you
- want to spend more than about 4KB of state memory per ongoing
- transaction.
-
-4.6. The extended RCODE and flags (which OPT stores in the RR TTL field)
- are structured as follows:
-
- +0 (MSB) +1 (LSB)
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- 0: | EXTENDED-RCODE | VERSION |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- 2: | Z |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
-
- EXTENDED-RCODE Forms upper 8 bits of extended 12-bit RCODE. Note
- that EXTENDED-RCODE value "0" indicates that an
- unextended RCODE is in use (values "0" through "15").
-
- VERSION Indicates the implementation level of whoever sets
- it. Full conformance with this specification is
- indicated by version "0." Requestors are encouraged
- to set this to the lowest implemented level capable
- of expressing a transaction, to minimize the
- responder and network load of discovering the
- greatest common implementation level between
- requestor and responder. A requestor's version
- numbering strategy should ideally be a run time
- configuration option.
-
- If a responder does not implement the VERSION level
- of the request, then it answers with RCODE=BADVERS.
- All responses will be limited in format to the
-
-
-
-Vixie Standards Track [Page 4]
-
-RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
-
-
- VERSION level of the request, but the VERSION of each
- response will be the highest implementation level of
- the responder. In this way a requestor will learn
- the implementation level of a responder as a side
- effect of every response, including error responses,
- including RCODE=BADVERS.
-
- Z Set to zero by senders and ignored by receivers,
- unless modified in a subsequent specification.
-
-5 - Transport Considerations
-
-5.1. The presence of an OPT pseudo-RR in a request should be taken as an
- indication that the requestor fully implements the given version of
- EDNS, and can correctly understand any response that conforms to
- that feature's specification.
-
-5.2. Lack of use of these features in a request must be taken as an
- indication that the requestor does not implement any part of this
- specification and that the responder may make no use of any
- protocol extension described here in its response.
-
-5.3. Responders who do not understand these protocol extensions are
- expected to send a response with RCODE NOTIMPL, FORMERR, or
- SERVFAIL. Therefore use of extensions should be "probed" such that
- a responder who isn't known to support them be allowed a retry with
- no extensions if it responds with such an RCODE. If a responder's
- capability level is cached by a requestor, a new probe should be
- sent periodically to test for changes to responder capability.
-
-6 - Security Considerations
-
- Requestor-side specification of the maximum buffer size may open a
- new DNS denial of service attack if responders can be made to send
- messages which are too large for intermediate gateways to forward,
- thus leading to potential ICMP storms between gateways and
- responders.
-
-7 - IANA Considerations
-
- The IANA has assigned RR type code 41 for OPT.
-
- It is the recommendation of this document and its working group
- that IANA create a registry for EDNS Extended Label Types, for EDNS
- Option Codes, and for EDNS Version Numbers.
-
- This document assigns label type 0b01xxxxxx as "EDNS Extended Label
- Type." We request that IANA record this assignment.
-
-
-
-Vixie Standards Track [Page 5]
-
-RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
-
-
- This document assigns extended label type 0bxx111111 as "Reserved
- for future extended label types." We request that IANA record this
- assignment.
-
- This document assigns option code 65535 to "Reserved for future
- expansion."
-
- This document expands the RCODE space from 4 bits to 12 bits. This
- will allow IANA to assign more than the 16 distinct RCODE values
- allowed in [RFC1035].
-
- This document assigns EDNS Extended RCODE "16" to "BADVERS".
-
- IESG approval should be required to create new entries in the EDNS
- Extended Label Type or EDNS Version Number registries, while any
- published RFC (including Informational, Experimental, or BCP)
- should be grounds for allocation of an EDNS Option Code.
-
-8 - Acknowledgements
-
- Paul Mockapetris, Mark Andrews, Robert Elz, Don Lewis, Bob Halley,
- Donald Eastlake, Rob Austein, Matt Crawford, Randy Bush, and Thomas
- Narten were each instrumental in creating and refining this
- specification.
-
-9 - References
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
-10 - Author's Address
-
- Paul Vixie
- Internet Software Consortium
- 950 Charter Street
- Redwood City, CA 94063
-
- Phone: +1 650 779 7001
- EMail: vixie@isc.org
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie Standards Track [Page 6]
-
-RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
-
-
-11 - Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc2672.txt b/contrib/bind9/doc/rfc/rfc2672.txt
deleted file mode 100644
index 11030168dcd0..000000000000
--- a/contrib/bind9/doc/rfc/rfc2672.txt
+++ /dev/null
@@ -1,507 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Crawford
-Request for Comments: 2672 Fermilab
-Category: Standards Track August 1999
-
-
- Non-Terminal DNS Name Redirection
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-1. Introduction
-
- This document defines a new DNS Resource Record called "DNAME", which
- provides the capability to map an entire subtree of the DNS name
- space to another domain. It differs from the CNAME record which maps
- a single node of the name space.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [KWORD].
-
-2. Motivation
-
- This Resource Record and its processing rules were conceived as a
- solution to the problem of maintaining address-to-name mappings in a
- context of network renumbering. Without the DNAME mechanism, an
- authoritative DNS server for the address-to-name mappings of some
- network must be reconfigured when that network is renumbered. With
- DNAME, the zone can be constructed so that it needs no modification
- when renumbered. DNAME can also be useful in other situations, such
- as when an organizational unit is renamed.
-
-3. The DNAME Resource Record
-
- The DNAME RR has mnemonic DNAME and type code 39 (decimal).
-
-
-
-
-
-
-
-Crawford Standards Track [Page 1]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
- DNAME has the following format:
-
- <owner> <ttl> <class> DNAME <target>
-
- The format is not class-sensitive. All fields are required. The
- RDATA field <target> is a <domain-name> [DNSIS].
-
- The DNAME RR causes type NS additional section processing.
-
- The effect of the DNAME record is the substitution of the record's
- <target> for its <owner> as a suffix of a domain name. A "no-
- descendants" limitation governs the use of DNAMEs in a zone file:
-
- If a DNAME RR is present at a node N, there may be other data at N
- (except a CNAME or another DNAME), but there MUST be no data at
- any descendant of N. This restriction applies only to records of
- the same class as the DNAME record.
-
- This rule assures predictable results when a DNAME record is cached
- by a server which is not authoritative for the record's zone. It
- MUST be enforced when authoritative zone data is loaded. Together
- with the rules for DNS zone authority [DNSCLR] it implies that DNAME
- and NS records can only coexist at the top of a zone which has only
- one node.
-
- The compression scheme of [DNSIS] MUST NOT be applied to the RDATA
- portion of a DNAME record unless the sending server has some way of
- knowing that the receiver understands the DNAME record format.
- Signalling such understanding is expected to be the subject of future
- DNS Extensions.
-
- Naming loops can be created with DNAME records or a combination of
- DNAME and CNAME records, just as they can with CNAME records alone.
- Resolvers, including resolvers embedded in DNS servers, MUST limit
- the resources they devote to any query. Implementors should note,
- however, that fairly lengthy chains of DNAME records may be valid.
-
-4. Query Processing
-
- To exploit the DNAME mechanism the name resolution algorithms [DNSCF]
- must be modified slightly for both servers and resolvers.
-
- Both modified algorithms incorporate the operation of making a
- substitution on a name (either QNAME or SNAME) under control of a
- DNAME record. This operation will be referred to as "the DNAME
- substitution".
-
-
-
-
-
-Crawford Standards Track [Page 2]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
-4.1. Processing by Servers
-
- For a server performing non-recursive service steps 3.c and 4 of
- section 4.3.2 [DNSCF] are changed to check for a DNAME record before
- checking for a wildcard ("*") label, and to return certain DNAME
- records from zone data and the cache.
-
- DNS clients sending Extended DNS [EDNS0] queries with Version 0 or
- non-extended queries are presumed not to understand the semantics of
- the DNAME record, so a server which implements this specification,
- when answering a non-extended query, SHOULD synthesize a CNAME record
- for each DNAME record encountered during query processing to help the
- client reach the correct DNS data. The behavior of clients and
- servers under Extended DNS versions greater than 0 will be specified
- when those versions are defined.
-
- The synthesized CNAME RR, if provided, MUST have
-
- The same CLASS as the QCLASS of the query,
-
- TTL equal to zero,
-
- An <owner> equal to the QNAME in effect at the moment the DNAME RR
- was encountered, and
-
- An RDATA field containing the new QNAME formed by the action of
- the DNAME substitution.
-
- If the server has the appropriate key on-line [DNSSEC, SECDYN], it
- MAY generate and return a SIG RR for the synthesized CNAME RR.
-
- The revised server algorithm is:
-
- 1. Set or clear the value of recursion available in the response
- depending on whether the name server is willing to provide
- recursive service. If recursive service is available and
- requested via the RD bit in the query, go to step 5, otherwise
- step 2.
-
- 2. Search the available zones for the zone which is the nearest
- ancestor to QNAME. If such a zone is found, go to step 3,
- otherwise step 4.
-
- 3. Start matching down, label by label, in the zone. The matching
- process can terminate several ways:
-
-
-
-
-
-
-Crawford Standards Track [Page 3]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
- a. If the whole of QNAME is matched, we have found the node.
-
- If the data at the node is a CNAME, and QTYPE doesn't match
- CNAME, copy the CNAME RR into the answer section of the
- response, change QNAME to the canonical name in the CNAME RR,
- and go back to step 1.
-
- Otherwise, copy all RRs which match QTYPE into the answer
- section and go to step 6.
-
- b. If a match would take us out of the authoritative data, we have
- a referral. This happens when we encounter a node with NS RRs
- marking cuts along the bottom of a zone.
-
- Copy the NS RRs for the subzone into the authority section of
- the reply. Put whatever addresses are available into the
- additional section, using glue RRs if the addresses are not
- available from authoritative data or the cache. Go to step 4.
-
- c. If at some label, a match is impossible (i.e., the
- corresponding label does not exist), look to see whether the
- last label matched has a DNAME record.
-
- If a DNAME record exists at that point, copy that record into
- the answer section. If substitution of its <target> for its
- <owner> in QNAME would overflow the legal size for a <domain-
- name>, set RCODE to YXDOMAIN [DNSUPD] and exit; otherwise
- perform the substitution and continue. If the query was not
- extended [EDNS0] with a Version indicating understanding of the
- DNAME record, the server SHOULD synthesize a CNAME record as
- described above and include it in the answer section. Go back
- to step 1.
-
- If there was no DNAME record, look to see if the "*" label
- exists.
-
- If the "*" label does not exist, check whether the name we are
- looking for is the original QNAME in the query or a name we
- have followed due to a CNAME. If the name is original, set an
- authoritative name error in the response and exit. Otherwise
- just exit.
-
- If the "*" label does exist, match RRs at that node against
- QTYPE. If any match, copy them into the answer section, but
- set the owner of the RR to be QNAME, and not the node with the
- "*" label. Go to step 6.
-
-
-
-
-
-Crawford Standards Track [Page 4]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
- 4. Start matching down in the cache. If QNAME is found in the cache,
- copy all RRs attached to it that match QTYPE into the answer
- section. If QNAME is not found in the cache but a DNAME record is
- present at an ancestor of QNAME, copy that DNAME record into the
- answer section. If there was no delegation from authoritative
- data, look for the best one from the cache, and put it in the
- authority section. Go to step 6.
-
- 5. Use the local resolver or a copy of its algorithm (see resolver
- section of this memo) to answer the query. Store the results,
- including any intermediate CNAMEs and DNAMEs, in the answer
- section of the response.
-
- 6. Using local data only, attempt to add other RRs which may be
- useful to the additional section of the query. Exit.
-
- Note that there will be at most one ancestor with a DNAME as
- described in step 4 unless some zone's data is in violation of the
- no-descendants limitation in section 3. An implementation might take
- advantage of this limitation by stopping the search of step 3c or
- step 4 when a DNAME record is encountered.
-
-4.2. Processing by Resolvers
-
- A resolver or a server providing recursive service must be modified
- to treat a DNAME as somewhat analogous to a CNAME. The resolver
- algorithm of [DNSCF] section 5.3.3 is modified to renumber step 4.d
- as 4.e and insert a new 4.d. The complete algorithm becomes:
-
- 1. See if the answer is in local information, and if so return it to
- the client.
-
- 2. Find the best servers to ask.
-
- 3. Send them queries until one returns a response.
-
- 4. Analyze the response, either:
-
- a. if the response answers the question or contains a name error,
- cache the data as well as returning it back to the client.
-
- b. if the response contains a better delegation to other servers,
- cache the delegation information, and go to step 2.
-
- c. if the response shows a CNAME and that is not the answer
- itself, cache the CNAME, change the SNAME to the canonical name
- in the CNAME RR and go to step 1.
-
-
-
-
-Crawford Standards Track [Page 5]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
- d. if the response shows a DNAME and that is not the answer
- itself, cache the DNAME. If substitution of the DNAME's
- <target> for its <owner> in the SNAME would overflow the legal
- size for a <domain-name>, return an implementation-dependent
- error to the application; otherwise perform the substitution
- and go to step 1.
-
- e. if the response shows a server failure or other bizarre
- contents, delete the server from the SLIST and go back to step
- 3.
-
- A resolver or recursive server which understands DNAME records but
- sends non-extended queries MUST augment step 4.c by deleting from the
- reply any CNAME records which have an <owner> which is a subdomain of
- the <owner> of any DNAME record in the response.
-
-5. Examples of Use
-
-5.1. Organizational Renaming
-
- If an organization with domain name FROBOZZ.EXAMPLE became part of an
- organization with domain name ACME.EXAMPLE, it might ease transition
- by placing information such as this in its old zone.
-
- frobozz.example. DNAME frobozz-division.acme.example.
- MX 10 mailhub.acme.example.
-
- The response to an extended recursive query for www.frobozz.example
- would contain, in the answer section, the DNAME record shown above
- and the relevant RRs for www.frobozz-division.acme.example.
-
-5.2. Classless Delegation of Shorter Prefixes
-
- The classless scheme for in-addr.arpa delegation [INADDR] can be
- extended to prefixes shorter than 24 bits by use of the DNAME record.
- For example, the prefix 192.0.8.0/22 can be delegated by the
- following records.
-
- $ORIGIN 0.192.in-addr.arpa.
- 8/22 NS ns.slash-22-holder.example.
- 8 DNAME 8.8/22
- 9 DNAME 9.8/22
- 10 DNAME 10.8/22
- 11 DNAME 11.8/22
-
-
-
-
-
-
-
-Crawford Standards Track [Page 6]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
- A typical entry in the resulting reverse zone for some host with
- address 192.0.9.33 might be
-
- $ORIGIN 8/22.0.192.in-addr.arpa.
- 33.9 PTR somehost.slash-22-holder.example.
-
- The same advisory remarks concerning the choice of the "/" character
- apply here as in [INADDR].
-
-5.3. Network Renumbering Support
-
- If IPv4 network renumbering were common, maintenance of address space
- delegation could be simplified by using DNAME records instead of NS
- records to delegate.
-
- $ORIGIN new-style.in-addr.arpa.
- 189.190 DNAME in-addr.example.net.
-
- $ORIGIN in-addr.example.net.
- 188 DNAME in-addr.customer.example.
-
- $ORIGIN in-addr.customer.example.
- 1 PTR www.customer.example.
- 2 PTR mailhub.customer.example.
- ; etc ...
-
- This would allow the address space 190.189.0.0/16 assigned to the ISP
- "example.net" to be changed without the necessity of altering the
- zone files describing the use of that space by the ISP and its
- customers.
-
- Renumbering IPv4 networks is currently so arduous a task that
- updating the DNS is only a small part of the labor, so this scheme
- may have a low value. But it is hoped that in IPv6 the renumbering
- task will be quite different and the DNAME mechanism may play a
- useful part.
-
-6. IANA Considerations
-
- This document defines a new DNS Resource Record type with the
- mnemonic DNAME and type code 39 (decimal). The naming/numbering
- space is defined in [DNSIS]. This name and number have already been
- registered with the IANA.
-
-
-
-
-
-
-
-
-Crawford Standards Track [Page 7]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
-7. Security Considerations
-
- The DNAME record is similar to the CNAME record with regard to the
- consequences of insertion of a spoofed record into a DNS server or
- resolver, differing in that the DNAME's effect covers a whole subtree
- of the name space. The facilities of [DNSSEC] are available to
- authenticate this record type.
-
-8. References
-
- [DNSCF] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [DNSCLR] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [DNSIS] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [DNSSEC] Eastlake, 3rd, D. and C. Kaufman, "Domain Name System
- Security Extensions", RFC 2065, January 1997.
-
- [DNSUPD] Vixie, P., Ed., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System", RFC 2136, April
- 1997.
-
- [EDNS0] Vixie, P., "Extensions mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [INADDR] Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
- ADDR.ARPA delegation", RFC 2317, March 1998.
-
- [KWORD] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels," BCP 14, RFC 2119, March 1997.
-
- [SECDYN] D. Eastlake, 3rd, "Secure Domain Name System Dynamic
- Update", RFC 2137, April 1997.
-
-9. Author's Address
-
- Matt Crawford
- Fermilab MS 368
- PO Box 500
- Batavia, IL 60510
- USA
-
- Phone: +1 630 840-3461
- EMail: crawdad@fnal.gov
-
-
-
-Crawford Standards Track [Page 8]
-
-RFC 2672 Non-Terminal DNS Name Redirection August 1999
-
-
-10. Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Crawford Standards Track [Page 9]
-
diff --git a/contrib/bind9/doc/rfc/rfc2673.txt b/contrib/bind9/doc/rfc/rfc2673.txt
deleted file mode 100644
index 19d272e92999..000000000000
--- a/contrib/bind9/doc/rfc/rfc2673.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Crawford
-Request for Comments: 2673 Fermilab
-Category: Standards Track August 1999
-
-
- Binary Labels in the Domain Name System
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
-1. Introduction and Terminology
-
- This document defines a "Bit-String Label" which may appear within
- domain names. This new label type compactly represents a sequence of
- "One-Bit Labels" and enables resource records to be stored at any
- bit-boundary in a binary-named section of the domain name tree.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [KWORD].
-
-2. Motivation
-
- Binary labels are intended to efficiently solve the problem of
- storing data and delegating authority on arbitrary boundaries when
- the structure of underlying name space is most naturally represented
- in binary.
-
-3. Label Format
-
- Up to 256 One-Bit Labels can be grouped into a single Bit-String
- Label. Within a Bit-String Label the most significant or "highest
- level" bit appears first. This is unlike the ordering of DNS labels
- themselves, which has the least significant or "lowest level" label
- first. Nonetheless, this ordering seems to be the most natural and
- efficient for representing binary labels.
-
-
-
-
-
-
-Crawford Standards Track [Page 1]
-
-RFC 2673 Binary Labels in the Domain Name System August 1999
-
-
- Among consecutive Bit-String Labels, the bits in the first-appearing
- label are less significant or "at a lower level" than the bits in
- subsequent Bit-String Labels, just as ASCII labels are ordered.
-
-3.1. Encoding
-
- 0 1 2
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 . . .
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+
- |0 1| ELT | Count | Label ... |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+//-+-+-+-+-+-+-+
-
- (Each tic mark represents one bit.)
-
-
- ELT 000001 binary, the six-bit extended label type [EDNS0]
- assigned to the Bit-String Label.
-
- Count The number of significant bits in the Label field. A Count
- value of zero indicates that 256 bits are significant.
- (Thus the null label representing the DNS root cannot be
- represented as a Bit String Label.)
-
- Label The bit string representing a sequence of One-Bit Labels,
- with the most significant bit first. That is, the One-Bit
- Label in position 17 in the diagram above represents a
- subdomain of the domain represented by the One-Bit Label in
- position 16, and so on.
-
- The Label field is padded on the right with zero to seven
- pad bits to make the entire field occupy an integral number
- of octets. These pad bits MUST be zero on transmission and
- ignored on reception.
-
- A sequence of bits may be split into two or more Bit-String Labels,
- but the division points have no significance and need not be
- preserved. An excessively clever server implementation might split
- Bit-String Labels so as to maximize the effectiveness of message
- compression [DNSIS]. A simpler server might divide Bit-String Labels
- at zone boundaries, if any zone boundaries happen to fall between
- One-Bit Labels.
-
-3.2. Textual Representation
-
- A Bit-String Label is represented in text -- in a zone file, for
- example -- as a <bit-spec> surrounded by the delimiters "\[" and "]".
- The <bit-spec> is either a dotted quad or a base indicator and a
- sequence of digits appropriate to that base, optionally followed by a
-
-
-
-Crawford Standards Track [Page 2]
-
-RFC 2673 Binary Labels in the Domain Name System August 1999
-
-
- slash and a length. The base indicators are "b", "o" and "x",
- denoting base 2, 8 and 16 respectively. The length counts the
- significant bits and MUST be between 1 and 32, inclusive, after a
- dotted quad, or between 1 and 256, inclusive, after one of the other
- forms. If the length is omitted, the implicit length is 32 for a
- dotted quad or 1, 3 or 4 times the number of binary, octal or
- hexadecimal digits supplied, respectively, for the other forms.
-
- In augmented Backus-Naur form [ABNF],
-
- bit-string-label = "\[" bit-spec "]"
-
- bit-spec = bit-data [ "/" length ]
- / dotted-quad [ "/" slength ]
-
- bit-data = "x" 1*64HEXDIG
- / "o" 1*86OCTDIG
- / "b" 1*256BIT
-
- dotted-quad = decbyte "." decbyte "." decbyte "." decbyte
-
- decbyte = 1*3DIGIT
-
- length = NZDIGIT *2DIGIT
-
- slength = NZDIGIT [ DIGIT ]
-
- OCTDIG = %x30-37
-
- NZDIGIT = %x31-39
-
- If a <length> is present, the number of digits in the <bit-data> MUST
- be just sufficient to contain the number of bits specified by the
- <length>. If there are insignificant bits in a final hexadecimal or
- octal digit, they MUST be zero. A <dotted-quad> always has all four
- parts even if the associated <slength> is less than 24, but, like the
- other forms, insignificant bits MUST be zero.
-
- Each number represented by a <decbyte> must be between 0 and 255,
- inclusive.
-
- The number represented by <length> must be between 1 and 256
- inclusive.
-
- The number represented by <slength> must be between 1 and 32
- inclusive.
-
-
-
-
-
-Crawford Standards Track [Page 3]
-
-RFC 2673 Binary Labels in the Domain Name System August 1999
-
-
- When the textual form of a Bit-String Label is generated by machine,
- the length SHOULD be explicit, not implicit.
-
-3.2.1. Examples
-
- The following four textual forms represent the same Bit-String Label.
-
- \[b11010000011101]
- \[o64072/14]
- \[xd074/14]
- \[208.116.0.0/14]
-
- The following represents two consecutive Bit-String Labels which
- denote the same relative point in the DNS tree as any of the above
- single Bit-String Labels.
-
- \[b11101].\[o640]
-
-3.3. Canonical Representation and Sort Order
-
- Both the wire form and the text form of binary labels have a degree
- of flexibility in their grouping into multiple consecutive Bit-String
- Labels. For generating and checking DNS signature records [DNSSEC]
- binary labels must be in a predictable form. This canonical form is
- defined as the form which has the fewest possible Bit-String Labels
- and in which all except possibly the first (least significant) label
- in any sequence of consecutive Bit-String Labels is of maximum
- length.
-
- For example, the canonical form of any sequence of up to 256 One-Bit
- Labels has a single Bit-String Label, and the canonical form of a
- sequence of 513 to 768 One-Bit Labels has three Bit-String Labels of
- which the second and third contain 256 label bits.
-
- The canonical sort order of domain names [DNSSEC] is extended to
- encompass binary labels as follows. Sorting is still label-by-label,
- from most to least significant, where a label may now be a One-Bit
- Label or a standard (code 00) label. Any One-Bit Label sorts before
- any standard label, and a 0 bit sorts before a 1 bit. The absence of
- a label sorts before any label, as specified in [DNSSEC].
-
-
-
-
-
-
-
-
-
-
-
-Crawford Standards Track [Page 4]
-
-RFC 2673 Binary Labels in the Domain Name System August 1999
-
-
- For example, the following domain names are correctly sorted.
-
- foo.example
- \[b1].foo.example
- \[b100].foo.example
- \[b101].foo.example
- bravo.\[b10].foo.example
- alpha.foo.example
-
-4. Processing Rules
-
- A One-Bit Label never matches any other kind of label. In
- particular, the DNS labels represented by the single ASCII characters
- "0" and "1" do not match One-Bit Labels represented by the bit values
- 0 and 1.
-
-5. Discussion
-
- A Count of zero in the wire-form represents a 256-bit sequence, not
- to optimize that particular case, but to make it completely
- impossible to have a zero-bit label.
-
-6. IANA Considerations
-
- This document defines one Extended Label Type, termed the Bit-String
- Label, and requests registration of the code point 000001 binary in
- the space defined by [EDNS0].
-
-7. Security Considerations
-
- All security considerations which apply to traditional ASCII DNS
- labels apply equally to binary labels. he canonicalization and
- sorting rules of section 3.3 allow these to be addressed by DNS
- Security [DNSSEC].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Crawford Standards Track [Page 5]
-
-RFC 2673 Binary Labels in the Domain Name System August 1999
-
-
-8. References
-
- [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
- Specifications: ABNF", RFC 2234, November 1997.
-
- [DNSIS] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [DNSSEC] Eastlake, D., 3rd, C. Kaufman, "Domain Name System Security
- Extensions", RFC 2065, January 1997
-
- [EDNS0] Vixie, P., "Extension mechanisms for DNS (EDNS0)", RFC 2671,
- August 1999.
-
- [KWORD] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels," BCP 14, RFC 2119, March 1997.
-
-9. Author's Address
-
- Matt Crawford
- Fermilab MS 368
- PO Box 500
- Batavia, IL 60510
- USA
-
- Phone: +1 630 840-3461
- EMail: crawdad@fnal.gov
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Crawford Standards Track [Page 6]
-
-RFC 2673 Binary Labels in the Domain Name System August 1999
-
-
-10. Full Copyright Statement
-
- Copyright (C) The Internet Society (1999). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Crawford Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc2782.txt b/contrib/bind9/doc/rfc/rfc2782.txt
deleted file mode 100644
index 1827f104c838..000000000000
--- a/contrib/bind9/doc/rfc/rfc2782.txt
+++ /dev/null
@@ -1,675 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Gulbrandsen
-Request for Comments: 2782 Troll Technologies
-Obsoletes: 2052 P. Vixie
-Category: Standards Track Internet Software Consortium
- L. Esibov
- Microsoft Corp.
- February 2000
-
-
- A DNS RR for specifying the location of services (DNS SRV)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document describes a DNS RR which specifies the location of the
- server(s) for a specific protocol and domain.
-
-Overview and rationale
-
- Currently, one must either know the exact address of a server to
- contact it, or broadcast a question.
-
- The SRV RR allows administrators to use several servers for a single
- domain, to move services from host to host with little fuss, and to
- designate some hosts as primary servers for a service and others as
- backups.
-
- Clients ask for a specific service/protocol for a specific domain
- (the word domain is used here in the strict RFC 1034 sense), and get
- back the names of any available servers.
-
- Note that where this document refers to "address records", it means A
- RR's, AAAA RR's, or their most modern equivalent.
-
-
-
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 1]
-
-RFC 2782 DNS SRV RR February 2000
-
-
-Definitions
-
- The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY"
- used in this document are to be interpreted as specified in [BCP 14].
- Other terms used in this document are defined in the DNS
- specification, RFC 1034.
-
-Applicability Statement
-
- In general, it is expected that SRV records will be used by clients
- for applications where the relevant protocol specification indicates
- that clients should use the SRV record. Such specification MUST
- define the symbolic name to be used in the Service field of the SRV
- record as described below. It also MUST include security
- considerations. Service SRV records SHOULD NOT be used in the absence
- of such specification.
-
-Introductory example
-
- If a SRV-cognizant LDAP client wants to discover a LDAP server that
- supports TCP protocol and provides LDAP service for the domain
- example.com., it does a lookup of
-
- _ldap._tcp.example.com
-
- as described in [ARM]. The example zone file near the end of this
- memo contains answering RRs for an SRV query.
-
- Note: LDAP is chosen as an example for illustrative purposes only,
- and the LDAP examples used in this document should not be considered
- a definitive statement on the recommended way for LDAP to use SRV
- records. As described in the earlier applicability section, consult
- the appropriate LDAP documents for the recommended procedures.
-
-The format of the SRV RR
-
- Here is the format of the SRV RR, whose DNS type code is 33:
-
- _Service._Proto.Name TTL Class SRV Priority Weight Port Target
-
- (There is an example near the end of this document.)
-
- Service
- The symbolic name of the desired service, as defined in Assigned
- Numbers [STD 2] or locally. An underscore (_) is prepended to
- the service identifier to avoid collisions with DNS labels that
- occur in nature.
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 2]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- Some widely used services, notably POP, don't have a single
- universal name. If Assigned Numbers names the service
- indicated, that name is the only name which is legal for SRV
- lookups. The Service is case insensitive.
-
- Proto
- The symbolic name of the desired protocol, with an underscore
- (_) prepended to prevent collisions with DNS labels that occur
- in nature. _TCP and _UDP are at present the most useful values
- for this field, though any name defined by Assigned Numbers or
- locally may be used (as for Service). The Proto is case
- insensitive.
-
- Name
- The domain this RR refers to. The SRV RR is unique in that the
- name one searches for is not this name; the example near the end
- shows this clearly.
-
- TTL
- Standard DNS meaning [RFC 1035].
-
- Class
- Standard DNS meaning [RFC 1035]. SRV records occur in the IN
- Class.
-
- Priority
- The priority of this target host. A client MUST attempt to
- contact the target host with the lowest-numbered priority it can
- reach; target hosts with the same priority SHOULD be tried in an
- order defined by the weight field. The range is 0-65535. This
- is a 16 bit unsigned integer in network byte order.
-
- Weight
- A server selection mechanism. The weight field specifies a
- relative weight for entries with the same priority. Larger
- weights SHOULD be given a proportionately higher probability of
- being selected. The range of this number is 0-65535. This is a
- 16 bit unsigned integer in network byte order. Domain
- administrators SHOULD use Weight 0 when there isn't any server
- selection to do, to make the RR easier to read for humans (less
- noisy). In the presence of records containing weights greater
- than 0, records with weight 0 should have a very small chance of
- being selected.
-
- In the absence of a protocol whose specification calls for the
- use of other weighting information, a client arranges the SRV
- RRs of the same Priority in the order in which target hosts,
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 3]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- specified by the SRV RRs, will be contacted. The following
- algorithm SHOULD be used to order the SRV RRs of the same
- priority:
-
- To select a target to be contacted next, arrange all SRV RRs
- (that have not been ordered yet) in any order, except that all
- those with weight 0 are placed at the beginning of the list.
-
- Compute the sum of the weights of those RRs, and with each RR
- associate the running sum in the selected order. Then choose a
- uniform random number between 0 and the sum computed
- (inclusive), and select the RR whose running sum value is the
- first in the selected order which is greater than or equal to
- the random number selected. The target host specified in the
- selected SRV RR is the next one to be contacted by the client.
- Remove this SRV RR from the set of the unordered SRV RRs and
- apply the described algorithm to the unordered SRV RRs to select
- the next target host. Continue the ordering process until there
- are no unordered SRV RRs. This process is repeated for each
- Priority.
-
- Port
- The port on this target host of this service. The range is 0-
- 65535. This is a 16 bit unsigned integer in network byte order.
- This is often as specified in Assigned Numbers but need not be.
-
- Target
- The domain name of the target host. There MUST be one or more
- address records for this name, the name MUST NOT be an alias (in
- the sense of RFC 1034 or RFC 2181). Implementors are urged, but
- not required, to return the address record(s) in the Additional
- Data section. Unless and until permitted by future standards
- action, name compression is not to be used for this field.
-
- A Target of "." means that the service is decidedly not
- available at this domain.
-
-Domain administrator advice
-
- Expecting everyone to update their client applications when the first
- server publishes a SRV RR is futile (even if desirable). Therefore
- SRV would have to coexist with address record lookups for existing
- protocols, and DNS administrators should try to provide address
- records to support old clients:
-
- - Where the services for a single domain are spread over several
- hosts, it seems advisable to have a list of address records at
- the same DNS node as the SRV RR, listing reasonable (if perhaps
-
-
-
-Gulbrandsen, et al. Standards Track [Page 4]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- suboptimal) fallback hosts for Telnet, NNTP and other protocols
- likely to be used with this name. Note that some programs only
- try the first address they get back from e.g. gethostbyname(),
- and we don't know how widespread this behavior is.
-
- - Where one service is provided by several hosts, one can either
- provide address records for all the hosts (in which case the
- round-robin mechanism, where available, will share the load
- equally) or just for one (presumably the fastest).
-
- - If a host is intended to provide a service only when the main
- server(s) is/are down, it probably shouldn't be listed in
- address records.
-
- - Hosts that are referenced by backup address records must use the
- port number specified in Assigned Numbers for the service.
-
- - Designers of future protocols for which "secondary servers" is
- not useful (or meaningful) may choose to not use SRV's support
- for secondary servers. Clients for such protocols may use or
- ignore SRV RRs with Priority higher than the RR with the lowest
- Priority for a domain.
-
- Currently there's a practical limit of 512 bytes for DNS replies.
- Until all resolvers can handle larger responses, domain
- administrators are strongly advised to keep their SRV replies below
- 512 bytes.
-
- All round numbers, wrote Dr. Johnson, are false, and these numbers
- are very round: A reply packet has a 30-byte overhead plus the name
- of the service ("_ldap._tcp.example.com" for instance); each SRV RR
- adds 20 bytes plus the name of the target host; each NS RR in the NS
- section is 15 bytes plus the name of the name server host; and
- finally each A RR in the additional data section is 20 bytes or so,
- and there are A's for each SRV and NS RR mentioned in the answer.
- This size estimate is extremely crude, but shouldn't underestimate
- the actual answer size by much. If an answer may be close to the
- limit, using a DNS query tool (e.g. "dig") to look at the actual
- answer is a good idea.
-
-The "Weight" field
-
- Weight, the server selection field, is not quite satisfactory, but
- the actual load on typical servers changes much too quickly to be
- kept around in DNS caches. It seems to the authors that offering
- administrators a way to say "this machine is three times as fast as
- that one" is the best that can practically be done.
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 5]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- The only way the authors can see of getting a "better" load figure is
- asking a separate server when the client selects a server and
- contacts it. For short-lived services an extra step in the
- connection establishment seems too expensive, and for long-lived
- services, the load figure may well be thrown off a minute after the
- connection is established when someone else starts or finishes a
- heavy job.
-
- Note: There are currently various experiments at providing relative
- network proximity estimation, available bandwidth estimation, and
- similar services. Use of the SRV record with such facilities, and in
- particular the interpretation of the Weight field when these
- facilities are used, is for further study. Weight is only intended
- for static, not dynamic, server selection. Using SRV weight for
- dynamic server selection would require assigning unreasonably short
- TTLs to the SRV RRs, which would limit the usefulness of the DNS
- caching mechanism, thus increasing overall network load and
- decreasing overall reliability. Server selection via SRV is only
- intended to express static information such as "this server has a
- faster CPU than that one" or "this server has a much better network
- connection than that one".
-
-The Port number
-
- Currently, the translation from service name to port number happens
- at the client, often using a file such as /etc/services.
-
- Moving this information to the DNS makes it less necessary to update
- these files on every single computer of the net every time a new
- service is added, and makes it possible to move standard services out
- of the "root-only" port range on unix.
-
-Usage rules
-
- A SRV-cognizant client SHOULD use this procedure to locate a list of
- servers and connect to the preferred one:
-
- Do a lookup for QNAME=_service._protocol.target, QCLASS=IN,
- QTYPE=SRV.
-
- If the reply is NOERROR, ANCOUNT>0 and there is at least one
- SRV RR which specifies the requested Service and Protocol in
- the reply:
-
- If there is precisely one SRV RR, and its Target is "."
- (the root domain), abort.
-
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 6]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- Else, for all such RR's, build a list of (Priority, Weight,
- Target) tuples
-
- Sort the list by priority (lowest number first)
-
- Create a new empty list
-
- For each distinct priority level
- While there are still elements left at this priority
- level
-
- Select an element as specified above, in the
- description of Weight in "The format of the SRV
- RR" Section, and move it to the tail of the new
- list
-
- For each element in the new list
-
- query the DNS for address records for the Target or
- use any such records found in the Additional Data
- section of the earlier SRV response.
-
- for each address record found, try to connect to the
- (protocol, address, service).
-
- else
-
- Do a lookup for QNAME=target, QCLASS=IN, QTYPE=A
-
- for each address record found, try to connect to the
- (protocol, address, service)
-
-Notes:
-
- - Port numbers SHOULD NOT be used in place of the symbolic service
- or protocol names (for the same reason why variant names cannot
- be allowed: Applications would have to do two or more lookups).
-
- - If a truncated response comes back from an SRV query, the rules
- described in [RFC 2181] shall apply.
-
- - A client MUST parse all of the RR's in the reply.
-
- - If the Additional Data section doesn't contain address records
- for all the SRV RR's and the client may want to connect to the
- target host(s) involved, the client MUST look up the address
- record(s). (This happens quite often when the address record
- has shorter TTL than the SRV or NS RR's.)
-
-
-
-Gulbrandsen, et al. Standards Track [Page 7]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- - Future protocols could be designed to use SRV RR lookups as the
- means by which clients locate their servers.
-
-Fictional example
-
- This example uses fictional service "foobar" as an aid in
- understanding SRV records. If ever service "foobar" is implemented,
- it is not intended that it will necessarily use SRV records. This is
- (part of) the zone file for example.com, a still-unused domain:
-
- $ORIGIN example.com.
- @ SOA server.example.com. root.example.com. (
- 1995032001 3600 3600 604800 86400 )
- NS server.example.com.
- NS ns1.ip-provider.net.
- NS ns2.ip-provider.net.
- ; foobar - use old-slow-box or new-fast-box if either is
- ; available, make three quarters of the logins go to
- ; new-fast-box.
- _foobar._tcp SRV 0 1 9 old-slow-box.example.com.
- SRV 0 3 9 new-fast-box.example.com.
- ; if neither old-slow-box or new-fast-box is up, switch to
- ; using the sysdmin's box and the server
- SRV 1 0 9 sysadmins-box.example.com.
- SRV 1 0 9 server.example.com.
- server A 172.30.79.10
- old-slow-box A 172.30.79.11
- sysadmins-box A 172.30.79.12
- new-fast-box A 172.30.79.13
- ; NO other services are supported
- *._tcp SRV 0 0 0 .
- *._udp SRV 0 0 0 .
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 8]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- In this example, a client of the "foobar" service in the
- "example.com." domain needs an SRV lookup of
- "_foobar._tcp.example.com." and possibly A lookups of "new-fast-
- box.example.com." and/or the other hosts named. The size of the SRV
- reply is approximately 365 bytes:
-
- 30 bytes general overhead
- 20 bytes for the query string, "_foobar._tcp.example.com."
- 130 bytes for 4 SRV RR's, 20 bytes each plus the lengths of "new-
- fast-box", "old-slow-box", "server" and "sysadmins-box" -
- "example.com" in the query section is quoted here and doesn't
- need to be counted again.
- 75 bytes for 3 NS RRs, 15 bytes each plus the lengths of "server",
- "ns1.ip-provider.net." and "ns2" - again, "ip-provider.net." is
- quoted and only needs to be counted once.
- 120 bytes for the 6 address records (assuming IPv4 only) mentioned
- by the SRV and NS RR's.
-
-IANA Considerations
-
- The IANA has assigned RR type value 33 to the SRV RR. No other IANA
- services are required by this document.
-
-Changes from RFC 2052
-
- This document obsoletes RFC 2052. The major change from that
- previous, experimental, version of this specification is that now the
- protocol and service labels are prepended with an underscore, to
- lower the probability of an accidental clash with a similar name used
- for unrelated purposes. Aside from that, changes are only intended
- to increase the clarity and completeness of the document. This
- document especially clarifies the use of the Weight field of the SRV
- records.
-
-Security Considerations
-
- The authors believe this RR to not cause any new security problems.
- Some problems become more visible, though.
-
- - The ability to specify ports on a fine-grained basis obviously
- changes how a router can filter packets. It becomes impossible
- to block internal clients from accessing specific external
- services, slightly harder to block internal users from running
- unauthorized services, and more important for the router
- operations and DNS operations personnel to cooperate.
-
- - There is no way a site can keep its hosts from being referenced
- as servers. This could lead to denial of service.
-
-
-
-Gulbrandsen, et al. Standards Track [Page 9]
-
-RFC 2782 DNS SRV RR February 2000
-
-
- - With SRV, DNS spoofers can supply false port numbers, as well as
- host names and addresses. Because this vulnerability exists
- already, with names and addresses, this is not a new
- vulnerability, merely a slightly extended one, with little
- practical effect.
-
-References
-
- STD 2: Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC
- 1700, October 1994.
-
- RFC 1034: Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- RFC 1035: Mockapetris, P., "Domain names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- RFC 974: Partridge, C., "Mail routing and the domain system", STD
- 14, RFC 974, January 1986.
-
- BCP 14: Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- RFC 2181: Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- RFC 2219: Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
- Services", BCP 17, RFC 2219, October 1997.
-
- BCP 14: Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- ARM: Armijo, M., Esibov, L. and P. Leach, "Discovering LDAP
- Services with DNS", Work in Progress.
-
- KDC-DNS: Hornstein, K. and J. Altman, "Distributing Kerberos KDC and
- Realm Information with DNS", Work in Progress.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 10]
-
-RFC 2782 DNS SRV RR February 2000
-
-
-Acknowledgements
-
- The algorithm used to select from the weighted SRV RRs of equal
- priority is adapted from one supplied by Dan Bernstein.
-
-Authors' Addresses
-
- Arnt Gulbrandsen
- Troll Tech
- Waldemar Thranes gate 98B
- N-0175 Oslo, Norway
-
- Fax: +47 22806380
- Phone: +47 22806390
- EMail: arnt@troll.no
-
-
- Paul Vixie
- Internet Software Consortium
- 950 Charter Street
- Redwood City, CA 94063
-
- Phone: +1 650 779 7001
-
-
- Levon Esibov
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
-
- EMail: levone@microsoft.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 11]
-
-RFC 2782 DNS SRV RR February 2000
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gulbrandsen, et al. Standards Track [Page 12]
-
diff --git a/contrib/bind9/doc/rfc/rfc2825.txt b/contrib/bind9/doc/rfc/rfc2825.txt
deleted file mode 100644
index fd8ef7c892da..000000000000
--- a/contrib/bind9/doc/rfc/rfc2825.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group Internet Architecture Board (IAB)
-Request for Comments: 2825 L. Daigle, Editor
-Category: Informational May 2000
-
-
- A Tangled Web: Issues of I18N, Domain Names, and the
- Other Internet protocols
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- The goals of the work to "internationalize" Internet protocols
- include providing all users of the Internet with the capability of
- using their own language and its standard character set to express
- themselves, write names, and to navigate the network. This impacts
- the domain names visible in e-mail addresses and so many of today's
- URLs used to locate information on the World Wide Web, etc. However,
- domain names are used by Internet protocols that are used across
- national boundaries. These services must interoperate worldwide, or
- we risk isolating components of the network from each other along
- locale boundaries. This type of isolation could impede not only
- communications among people, but opportunities of the areas involved
- to participate effectively in e-commerce, distance learning, and
- other activities at an international scale, thereby retarding
- economic development.
-
- There are several proposals for internationalizing domain names,
- however it it is still to be determined whether any of them will
- ensure this interoperability and global reach while addressing
- visible-name representation. Some of them obviously do not. This
- document does not attempt to review any specific proposals, as that
- is the work of the Internationalized Domain Name (IDN) Working Group
- of the IETF, which is tasked with evaluating them in consideration of
- the continued global network interoperation that is the deserved
- expectation of all Internet users.
-
-
-
-
-
-
-
-IAB Informational [Page 1]
-
-RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
-
-
- This document is a statement by the Internet Architecture Board. It
- is not a protocol specification, but an attempt to clarify the range
- of architectural issues that the internationalization of domain names
- faces.
-
-1. A Definition of Success
-
- The Internationalized Domain Names (IDN) Working Group is one
- component of the IETF's continuing comprehensive effort to
- internationalize language representation facilities in the protocols
- that support the global functioning of the Internet.
-
- In keeping with the principles of rough consensus, running code,
- architectural integrity, and in the interest of ensuring the global
- stability of the Internet, the IAB emphasizes that all solutions
- proposed to the (IDN) Working Group will have to be evaluated not
- only on their individual technical features, but also in terms of
- impact on existing standards and operations of the Internet and the
- total effect for end-users: solutions must not cause users to become
- more isolated from their global neighbors even if they appear to
- solve a local problem. In some cases, existing protocols have
- limitations on allowable characters, and in other cases
- implementations of protocols used in the core of the Internet (beyond
- individual organizations) have in practice not implemented all the
- requisite options of the standards.
-
-2. Technical Challenges within the Domain Name System (DNS)
-
- In many technical respects, the IDN work is not different from any
- other effort to enable multiple character set representations in
- textual elements that were traditionally restricted to English
- language characters.
-
- One aspect of the challenge is to decide how to represent the names
- users want in the DNS in a way that is clear, technically feasible,
- and ensures that a name always means the same thing. Several
- proposals have been suggested to address these issues.
-
- These issues are being outlined in more detail in the IDN WG's
- evolving draft requirements document; further discussion is deferred
- to the WG and its documents.
-
-3. Integrating with Current Realities
-
- Nevertheless, issues faced by the IDN working group are complex and
- intricately intertwined with other operational components of the
- Internet. A key challenge in evaluating any proposed solution is the
- analysis of the impact on existing critical operational standards
-
-
-
-IAB Informational [Page 2]
-
-RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
-
-
- which use fully-qualified domain names [RFC1034], or simply host
- names [RFC1123]. Standards-changes can be effected, but the best
- path forward is one that takes into account current realities and
- (re)deployment latencies. In the Internet's global context, it is not
- enough to update a few isolated systems, or even most of the systems
- in a country or region. Deployment must be nearly universal in order
- to avoid the creation of "islands" of interoperation that provide
- users with less access to and connection from the rest of the world.
-
- These are not esoteric or ephemeral concerns. Some specific issues
- have already been identified as part of the IDN WG's efforts. These
- include (but are not limited to) the following examples.
-
-3.1 Domain Names and E-mail
-
- As indicated in the IDN WG's draft requirements document, the issue
- goes beyond standardization of DNS usage. Electronic mail has long
- been one of the most-used and most important applications of the
- Internet. Internet e-mail is also used as the bridge that permits
- the users of a variety of local and proprietary mail systems to
- communicate. The standard protocols that define its use (e.g., SMTP
- [RFC821, RFC822] and MIME [RFC2045]) do not permit the full range of
- characters allowed in the DNS specification. Certain characters are
- not allowed in e-mail address domain portions of these
- specifications. Some mailers, built to adhere to these
- specifications, are known to fail when on mail having non-ASCII
- domain names in its address -- by discarding, misrouting or damaging
- the mail. Thus, it's not possible to simply switch to
- internationalized domain names and expect global e-mail to continue
- to work until most of the servers in the world are upgraded.
-
-3.2 Domain Names and Routing
-
- At a lower level, the Routing Policy Specification Language (RPLS)
- [RFC2622] makes use of "named objects" -- and inherits object naming
- restrictions from older standards ([RFC822] for the same e-mail
- address restrictions, [RFC1034] for hostnames). This means that
- until routing registries and their protocols are updated, it is not
- possible to enter or retrieve network descriptions utilizing
- internationalized domain names.
-
-3.3 Domain Names and Network Management
-
- Also, the Simple Network Management Protocol (SNMP) uses the textual
- representation defined in [RFC2579]. While that specification does
- allow for UTF-8-based domain names, an informal survey of deployed
- implementations of software libraries being used to build SNMP-
- compliant software uncovered the fact that few (if any) implement it.
-
-
-
-IAB Informational [Page 3]
-
-RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
-
-
- This may cause inability to enter or display correct data in network
- management tools, if such names are internationalized domain names.
-
-3.4 Domain Names and Security
-
- Critical components of Internet public key technologies (PKIX,
- [RFC2459], IKE [RFC2409]) rely heavily on identification of servers
- (hostnames, or fully qualified domain names) and users (e-mail
- addresses). Failure to respect the character restrictions in these
- protocols will impact security tools built to use them -- Transport
- Layer Security protocol (TLS, [RFC2246]), and IPsec [RFC2401] to name
- two.
-
- Failure may not be obvious. For example, in TLS, it is common usage
- for a server to display a certificate containing a domain name
- purporting to be the domain name of the server, which the client can
- then match with the server name he thought he used to reach the
- service.
-
- Unless comparison of domain names is properly defined, the client may
- either fail to match the domain name of a legitimate server, or match
- incorrectly the domain name of a server performing a man-in-the-
- middle attack. Either failure could enable attacks on systems that
- are now impossible or at least far more difficult.
-
-4. Conclusion
-
- It is therefore clear that, although there are many possible ways to
- assign internationalized names that are compatible with today's DNS
- (or a version that is easily-deployable in the near future), not all
- of them are compatible with the full range of necessary networking
- tools. When designing a solution for internationalization of domain
- names, the effects on the current Internet must be carefully
- evaluated. Some types of solutions proposed would, if put into effect
- immediately, cause Internet communications to fail in ways that would
- be hard to detect by and pose problems for those who deploy the new
- services, but also for those who do not; this would have the effect
- of cutting those who deploy them off from effective use of the
- Internet.
-
- The IDN WG has been identified as the appropriate forum for
- identifying and discussing solutions for such potential
- interoperability issues.
-
- Experience with deployment of other protocols has indicated that it
- will take years before a new protocol or enhancement is used all over
- the Internet. So far, the IDN WG has benefited from proposed
- solutions from all quarters, including organizations hoping to
-
-
-
-IAB Informational [Page 4]
-
-RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
-
-
- provide services that address visible-name representation and
- registration -- continuing this process with the aim of getting a
- single, scalable and deployable solution to this problem is the only
- way to ensure the continued global interoperation that is the
- deserved expectation of all Internet users.
-
-5. Security Considerations
-
- In general, assignment and use of names does not raise any special
- security problems. However, as noted above, some existing security
- mechanisms are reliant on the current specification of domain names
- and may not be expected to work, as is, with Internationalized domain
- names. Additionally, deployment of non-standard systems (e.g., in
- response to current pressures to address national or regional
- characterset representation) might result in name strings that are
- not globally unique, thereby opening up the possibility of "spoofing"
- hosts from one domain in another, as described in [RFC2826].
-
-6. Acknowledgements
-
- This document is the outcome of the joint effort of the members of
- the IAB. Additionally, valuable remarks were provided by Randy Bush,
- Patrik Faltstrom, Ted Hardie, Paul Hoffman, and Mark Kosters.
-
-7. References
-
- [RFC821] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC
- 821, August 1982.
-
- [RFC822] Crocker, D., "Standard for the Format of ARPA Internet Text
- Messages", STD 11, RFC 822, August 1982.
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1123] Braden, R., "Requirements for Internet Hosts -- Application
- and Support", STD 3, RFC 1123, November 1989.
-
- [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
- Internet Protocol", RFC 2401, November 1998.
-
- [RFC2409] Harkins, D and D. Carrel, "The Internet Key Exchange
- (IKE)", RFC 2409, November 1998.
-
- [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
- Extensions (MIME) Part One: Format of Internet Message
- Bodies", RFC 2045, November 1996.
-
-
-
-
-IAB Informational [Page 5]
-
-RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
-
-
- [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
- RFC 2246, January 1999.
-
- [RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
- X.509 Public Key Infrastructure Certificate and CRL
- Profile", RFC 2459, January 1999.
-
- [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.
- and M. Rose, "Textual Conventions for SMIv2", RFC 2579,
- April 1999.
-
- [RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
- Meyer, D., Bates, T., Karrenberg, D. and M. Terpstra,
- "Routing Policy Specification Language (RPSL)", RFC 2622,
- June 1999.
-
- [RFC2826] IAB, "IAB Technical Comment on the Unique DNS Root", RFC
- 2826, May 2000.
-
-8. Author's Address
-
- Internet Architecture Board
-
- EMail: iab@iab.org
-
-
- Membership at time this document was completed:
-
- Harald Alvestrand
- Ran Atkinson
- Rob Austein
- Brian Carpenter
- Steve Bellovin
- Jon Crowcroft
- Leslie Daigle
- Steve Deering
- Tony Hain
- Geoff Huston
- John Klensin
- Henning Schulzrinne
-
-
-
-
-
-
-
-
-
-
-
-IAB Informational [Page 6]
-
-RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-IAB Informational [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc2826.txt b/contrib/bind9/doc/rfc/rfc2826.txt
deleted file mode 100644
index b4d886968fc8..000000000000
--- a/contrib/bind9/doc/rfc/rfc2826.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group Internet Architecture Board
-Request for Comments: 2826 May 2000
-Category: Informational
-
-
- IAB Technical Comment on the Unique DNS Root
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Summary
-
- To remain a global network, the Internet requires the existence of a
- globally unique public name space. The DNS name space is a
- hierarchical name space derived from a single, globally unique root.
- This is a technical constraint inherent in the design of the DNS.
- Therefore it is not technically feasible for there to be more than
- one root in the public DNS. That one root must be supported by a set
- of coordinated root servers administered by a unique naming
- authority.
-
- Put simply, deploying multiple public DNS roots would raise a very
- strong possibility that users of different ISPs who click on the same
- link on a web page could end up at different destinations, against
- the will of the web page designers.
-
- This does not preclude private networks from operating their own
- private name spaces, but if they wish to make use of names uniquely
- defined for the global Internet, they have to fetch that information
- from the global DNS naming hierarchy, and in particular from the
- coordinated root servers of the global DNS naming hierarchy.
-
-1. Detailed Explanation
-
- There are several distinct reasons why the DNS requires a single root
- in order to operate properly.
-
-1.1. Maintenance of a Common Symbol Set
-
- Effective communications between two parties requires two essential
- preconditions:
-
-
-
-IAB Informational [Page 1]
-
-RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
-
-
- - The existence of a common symbol set, and
-
- - The existence of a common semantic interpretation of these
- symbols.
-
- Failure to meet the first condition implies a failure to communicate
- at all, while failure to meet the second implies that the meaning of
- the communication is lost.
-
- In the case of a public communications system this condition of a
- common symbol set with a common semantic interpretation must be
- further strengthened to that of a unique symbol set with a unique
- semantic interpretation. This condition of uniqueness allows any
- party to initiate a communication that can be received and understood
- by any other party. Such a condition rules out the ability to define
- a symbol within some bounded context. In such a case, once the
- communication moves out of the context of interpretation in which it
- was defined, the meaning of the symbol becomes lost.
-
- Within public digital communications networks such as the Internet
- this requirement for a uniquely defined symbol set with a uniquely
- defined meaning exists at many levels, commencing with the binary
- encoding scheme, extending to packet headers and payload formats and
- the protocol that an application uses to interact. In each case a
- variation of the symbol set or a difference of interpretation of the
- symbols being used within the interaction causes a protocol failure,
- and the communication fails. The property of uniqueness allows a
- symbol to be used unambiguously in any context, allowing the symbol
- to be passed on, referred to, and reused, while still preserving the
- meaning of the original use.
-
- The DNS fulfills an essential role within the Internet protocol
- environment, allowing network locations to be referred to using a
- label other than a protocol address. As with any other such symbol
- set, DNS names are designed to be globally unique, that is, for any
- one DNS name at any one time there must be a single set of DNS
- records uniquely describing protocol addresses, network resources and
- services associated with that DNS name. All of the applications
- deployed on the Internet which use the DNS assume this, and Internet
- users expect such behavior from DNS names. Names are then constant
- symbols, whose interpretation does not specifically require knowledge
- of the context of any individual party. A DNS name can be passed
- from one party to another without altering the semantic intent of the
- name.
-
- Since the DNS is hierarchically structured into domains, the
- uniqueness requirement for DNS names in their entirety implies that
- each of the names (sub-domains) defined within a domain has a unique
-
-
-
-IAB Informational [Page 2]
-
-RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
-
-
- meaning (i.e., set of DNS records) within that domain. This is as
- true for the root domain as for any other DNS domain. The
- requirement for uniqueness within a domain further implies that there
- be some mechanism to prevent name conflicts within a domain. In DNS
- this is accomplished by assigning a single owner or maintainer to
- every domain, including the root domain, who is responsible for
- ensuring that each sub-domain of that domain has the proper records
- associated with it. This is a technical requirement, not a policy
- choice.
-
-1.2. Coordination of Updates
-
- Both the design and implementations of the DNS protocol are heavily
- based on the assumption that there is a single owner or maintainer
- for every domain, and that any set of resources records associated
- with a domain is modified in a single-copy serializable fashion.
- That is, even assuming that a single domain could somehow be "shared"
- by uncooperating parties, there is no means within the DNS protocol
- by which a user or client could discover, and choose between,
- conflicting definitions of a DNS name made by different parties. The
- client will simply return the first set of resource records that it
- finds that matches the requested domain, and assume that these are
- valid. This protocol is embedded in the operating software of
- hundreds of millions of computer systems, and is not easily updated
- to support a shared domain scenario.
-
- Moreover, even supposing that some other means of resolving
- conflicting definitions could be provided in the future, it would
- have to be based on objective rules established in advance. For
- example, zone A.B could declare that naming authority Y had been
- delegated all subdomains of A.B with an odd number of characters, and
- that naming authority Z had been delegated authority to define
- subdomains of A.B with an even number of characters. Thus, a single
- set of rules would have to be agreed to prevent Y and Z from making
- conflicting assignments, and with this train of actions a single
- unique space has been created in any case. Even this would not allow
- multiple non-cooperating authorities to assign arbitrary sub-domains
- within a single domain.
-
- It seems that a degree of cooperation and agreed technical rules are
- required in order to guarantee the uniqueness of names. In the DNS,
- these rules are established independently for each part of the naming
- hierarchy, and the root domain is no exception. Thus, there must be
- a generally agreed single set of rules for the root.
-
-
-
-
-
-
-
-IAB Informational [Page 3]
-
-RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
-
-
-1.3. Difficulty of Relocating the Root Zone
-
- There is one specific technical respect in which the root zone
- differs from all other DNS zones: the addresses of the name servers
- for the root zone come primarily from out-of-band information. This
- out-of-band information is often poorly maintained and, unlike all
- other data in the DNS, the out-of-band information has no automatic
- timeout mechanism. It is not uncommon for this information to be
- years out of date at many sites.
-
- Like any other zone, the root zone contains a set of "name server"
- resource records listing its servers, but a resolver with no valid
- addresses for the current set of root servers will never be able to
- obtain these records. More insidiously, a resolver that has a mixed
- set of partially valid and partially stale out-of-band configuration
- information will not be able to tell which are the "real" root
- servers if it gets back conflicting answers; thus, it is very
- difficult to revoke the status of a malicious root server, or even to
- route around a buggy root server.
-
- In effect, every full-service resolver in the world "delegates" the
- root of the public tree to the public root server(s) of its choice.
-
- As a direct consequence, any change to the list of IP addresses that
- specify the public root zone is significantly more difficult than
- changing any other aspect of the DNS delegation chain. Thus,
- stability of the system calls for extremely conservative and cautious
- management of the public root zone: the frequency of updates to the
- root zone must be kept low, and the servers for the root zone must be
- closely coordinated.
-
- These problems can be ameliorated to some extent by the DNS Security
- Extensions [DNSSEC], but a similar out-of-band configuration problem
- exists for the cryptographic signature key to the root zone, so the
- root zone still requires tight coupling and coordinated management
- even in the presence of DNSSEC.
-
-2. Conclusion
-
- The DNS type of unique naming and name-mapping system may not be
- ideal for a number of purposes for which it was never designed, such
- a locating information when the user doesn't precisely know the
- correct names. As the Internet continues to expand, we would expect
- directory systems to evolve which can assist the user in dealing with
- vague or ambiguous references. To preserve the many important
- features of the DNS and its multiple record types -- including the
- Internet's equivalent of telephone number portability -- we would
- expect the result of directory lookups and identification of the
-
-
-
-IAB Informational [Page 4]
-
-RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
-
-
- correct names for a particular purpose to be unique DNS names that
- are then resolved normally, rather than having directory systems
- "replace" the DNS.
-
- There is no getting away from the unique root of the public DNS.
-
-3. Security Considerations
-
- This memo does not introduce any new security issues, but it does
- attempt to identify some of the problems inherent in a family of
- recurring technically naive proposals.
-
-4. IANA Considerations
-
- This memo is not intended to create any new issues for IANA.
-
-5. References
-
- [DNS-CONCEPTS] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [DNS-IMPLEMENTATION] Mockapetris, P., "Domain Names - Implementation
- and Specification", STD 13, RFC 1035, November
- 1987.
-
- [DNSSEC] Eastlake, D., "Domain Name System Security
- Extensions", RFC 2535, March 1999.
-
-6. Author's Address
-
- Internet Architecture Board
-
- EMail: iab@iab.org
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-IAB Informational [Page 5]
-
-RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
-
-
-7. Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-IAB Informational [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc2845.txt b/contrib/bind9/doc/rfc/rfc2845.txt
deleted file mode 100644
index aa9f385ae354..000000000000
--- a/contrib/bind9/doc/rfc/rfc2845.txt
+++ /dev/null
@@ -1,843 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Vixie
-Request for Comments: 2845 ISC
-Category: Standards Track O. Gudmundsson
-Updates: 1035 NAI Labs
- D. Eastlake 3rd
- Motorola
- B. Wellington
- Nominum
- May 2000
-
-
- Secret Key Transaction Authentication for DNS (TSIG)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This protocol allows for transaction level authentication using
- shared secrets and one way hashing. It can be used to authenticate
- dynamic updates as coming from an approved client, or to authenticate
- responses as coming from an approved recursive name server.
-
- No provision has been made here for distributing the shared secrets;
- it is expected that a network administrator will statically configure
- name servers and clients using some out of band mechanism such as
- sneaker-net until a secure automated mechanism for key distribution
- is available.
-
-1 - Introduction
-
- 1.1. The Domain Name System (DNS) [RFC1034, RFC1035] is a replicated
- hierarchical distributed database system that provides information
- fundamental to Internet operations, such as name <=> address
- translation and mail handling information. DNS has recently been
- extended [RFC2535] to provide for data origin authentication, and
- public key distribution, all based on public key cryptography and
- public key based digital signatures. To be practical, this form of
-
-
-
-
-Vixie, et al. Standards Track [Page 1]
-
-RFC 2845 DNS TSIG May 2000
-
-
- security generally requires extensive local caching of keys and
- tracing of authentication through multiple keys and signatures to a
- pre-trusted locally configured key.
-
- 1.2. One difficulty with the [RFC2535] scheme is that common DNS
- implementations include simple "stub" resolvers which do not have
- caches. Such resolvers typically rely on a caching DNS server on
- another host. It is impractical for these stub resolvers to perform
- general [RFC2535] authentication and they would naturally depend on
- their caching DNS server to perform such services for them. To do so
- securely requires secure communication of queries and responses.
- [RFC2535] provides public key transaction signatures to support this,
- but such signatures are very expensive computationally to generate.
- In general, these require the same complex public key logic that is
- impractical for stubs. This document specifies use of a message
- authentication code (MAC), specifically HMAC-MD5 (a keyed hash
- function), to provide an efficient means of point-to-point
- authentication and integrity checking for transactions.
-
- 1.3. A second area where use of straight [RFC2535] public key based
- mechanisms may be impractical is authenticating dynamic update
- [RFC2136] requests. [RFC2535] provides for request signatures but
- with [RFC2535] they, like transaction signatures, require
- computationally expensive public key cryptography and complex
- authentication logic. Secure Domain Name System Dynamic Update
- ([RFC2137]) describes how different keys are used in dynamically
- updated zones. This document's secret key based MACs can be used to
- authenticate DNS update requests as well as transaction responses,
- providing a lightweight alternative to the protocol described by
- [RFC2137].
-
- 1.4. A further use of this mechanism is to protect zone transfers.
- In this case the data covered would be the whole zone transfer
- including any glue records sent. The protocol described by [RFC2535]
- does not protect glue records and unsigned records unless SIG(0)
- (transaction signature) is used.
-
- 1.5. The authentication mechanism proposed in this document uses
- shared secret keys to establish a trust relationship between two
- entities. Such keys must be protected in a fashion similar to
- private keys, lest a third party masquerade as one of the intended
- parties (forge MACs). There is an urgent need to provide simple and
- efficient authentication between clients and local servers and this
- proposal addresses that need. This proposal is unsuitable for
- general server to server authentication for servers which speak with
- many other servers, since key management would become unwieldy with
-
-
-
-
-
-Vixie, et al. Standards Track [Page 2]
-
-RFC 2845 DNS TSIG May 2000
-
-
- the number of shared keys going up quadratically. But it is suitable
- for many resolvers on hosts that only talk to a few recursive
- servers.
-
- 1.6. A server acting as an indirect caching resolver -- a "forwarder"
- in common usage -- might use transaction-based authentication when
- communicating with its small number of preconfigured "upstream"
- servers. Other uses of DNS secret key authentication and possible
- systems for automatic secret key distribution may be proposed in
- separate future documents.
-
- 1.7. New Assigned Numbers
-
- RRTYPE = TSIG (250)
- ERROR = 0..15 (a DNS RCODE)
- ERROR = 16 (BADSIG)
- ERROR = 17 (BADKEY)
- ERROR = 18 (BADTIME)
-
- 1.8. The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and
- "MAY" in this document are to be interpreted as described in [RFC
- 2119].
-
-2 - TSIG RR Format
-
- 2.1 TSIG RR Type
-
- To provide secret key authentication, we use a new RR type whose
- mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and
- MUST not be cached. TSIG RRs are used for authentication between DNS
- entities that have established a shared secret key. TSIG RRs are
- dynamically computed to cover a particular DNS transaction and are
- not DNS RRs in the usual sense.
-
- 2.2 TSIG Calculation
-
- As the TSIG RRs are related to one DNS request/response, there is no
- value in storing or retransmitting them, thus the TSIG RR is
- discarded once it has been used to authenticate a DNS message. The
- only message digest algorithm specified in this document is "HMAC-
- MD5" (see [RFC1321], [RFC2104]). The "HMAC-MD5" algorithm is
- mandatory to implement for interoperability. Other algorithms can be
- specified at a later date. Names and definitions of new algorithms
- MUST be registered with IANA. All multi-octet integers in the TSIG
- record are sent in network byte order (see [RFC1035 2.3.2]).
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 3]
-
-RFC 2845 DNS TSIG May 2000
-
-
- 2.3. Record Format
-
- NAME The name of the key used in domain name syntax. The name
- should reflect the names of the hosts and uniquely identify
- the key among a set of keys these two hosts may share at any
- given time. If hosts A.site.example and B.example.net share a
- key, possibilities for the key name include
- <id>.A.site.example, <id>.B.example.net, and
- <id>.A.site.example.B.example.net. It should be possible for
- more than one key to be in simultaneous use among a set of
- interacting hosts. The name only needs to be meaningful to
- the communicating hosts but a meaningful mnemonic name as
- above is strongly recommended.
-
- The name may be used as a local index to the key involved and
- it is recommended that it be globally unique. Where a key is
- just shared between two hosts, its name actually only need
- only be meaningful to them but it is recommended that the key
- name be mnemonic and incorporate the resolver and server host
- names in that order.
-
- TYPE TSIG (250: Transaction SIGnature)
-
- CLASS ANY
-
- TTL 0
-
- RdLen (variable)
-
- RDATA
-
- Field Name Data Type Notes
- --------------------------------------------------------------
- Algorithm Name domain-name Name of the algorithm
- in domain name syntax.
- Time Signed u_int48_t seconds since 1-Jan-70 UTC.
- Fudge u_int16_t seconds of error permitted
- in Time Signed.
- MAC Size u_int16_t number of octets in MAC.
- MAC octet stream defined by Algorithm Name.
- Original ID u_int16_t original message ID
- Error u_int16_t expanded RCODE covering
- TSIG processing.
- Other Len u_int16_t length, in octets, of
- Other Data.
- Other Data octet stream empty unless Error == BADTIME
-
-
-
-
-
-Vixie, et al. Standards Track [Page 4]
-
-RFC 2845 DNS TSIG May 2000
-
-
- 2.4. Example
-
- NAME HOST.EXAMPLE.
-
- TYPE TSIG
-
- CLASS ANY
-
- TTL 0
-
- RdLen as appropriate
-
- RDATA
-
- Field Name Contents
- -------------------------------------
- Algorithm Name SAMPLE-ALG.EXAMPLE.
- Time Signed 853804800
- Fudge 300
- MAC Size as appropriate
- MAC as appropriate
- Original ID as appropriate
- Error 0 (NOERROR)
- Other Len 0
- Other Data empty
-
-3 - Protocol Operation
-
- 3.1. Effects of adding TSIG to outgoing message
-
- Once the outgoing message has been constructed, the keyed message
- digest operation can be performed. The resulting message digest will
- then be stored in a TSIG which is appended to the additional data
- section (the ARCOUNT is incremented to reflect this). If the TSIG
- record cannot be added without causing the message to be truncated,
- the server MUST alter the response so that a TSIG can be included.
- This response consists of only the question and a TSIG record, and
- has the TC bit set and RCODE 0 (NOERROR). The client SHOULD at this
- point retry the request using TCP (per [RFC1035 4.2.2]).
-
- 3.2. TSIG processing on incoming messages
-
- If an incoming message contains a TSIG record, it MUST be the last
- record in the additional section. Multiple TSIG records are not
- allowed. If a TSIG record is present in any other position, the
- packet is dropped and a response with RCODE 1 (FORMERR) MUST be
- returned. Upon receipt of a message with a correctly placed TSIG RR,
- the TSIG RR is copied to a safe location, removed from the DNS
-
-
-
-Vixie, et al. Standards Track [Page 5]
-
-RFC 2845 DNS TSIG May 2000
-
-
- Message, and decremented out of the DNS message header's ARCOUNT. At
- this point the keyed message digest operation is performed. If the
- algorithm name or key name is unknown to the recipient, or if the
- message digests do not match, the whole DNS message MUST be
- discarded. If the message is a query, a response with RCODE 9
- (NOTAUTH) MUST be sent back to the originator with TSIG ERROR 17
- (BADKEY) or TSIG ERROR 16 (BADSIG). If no key is available to sign
- this message it MUST be sent unsigned (MAC size == 0 and empty MAC).
- A message to the system operations log SHOULD be generated, to warn
- the operations staff of a possible security incident in progress.
- Care should be taken to ensure that logging of this type of event
- does not open the system to a denial of service attack.
-
- 3.3. Time values used in TSIG calculations
-
- The data digested includes the two timer values in the TSIG header in
- order to defend against replay attacks. If this were not done, an
- attacker could replay old messages but update the "Time Signed" and
- "Fudge" fields to make the message look new. This data is named
- "TSIG Timers", and for the purpose of digest calculation they are
- invoked in their "on the wire" format, in the following order: first
- Time Signed, then Fudge. For example:
-
-Field Name Value Wire Format Meaning
-----------------------------------------------------------------------
-Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997
-Fudge 300 01 2C 5 minutes
-
- 3.4. TSIG Variables and Coverage
-
- When generating or verifying the contents of a TSIG record, the
- following data are digested, in network byte order or wire format, as
- appropriate:
-
- 3.4.1. DNS Message
-
- A whole and complete DNS message in wire format, before the TSIG RR
- has been added to the additional data section and before the DNS
- Message Header's ARCOUNT field has been incremented to contain the
- TSIG RR. If the message ID differs from the original message ID, the
- original message ID is substituted for the message ID. This could
- happen when forwarding a dynamic update request, for example.
-
-
-
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 6]
-
-RFC 2845 DNS TSIG May 2000
-
-
- 3.4.2. TSIG Variables
-
-Source Field Name Notes
------------------------------------------------------------------------
-TSIG RR NAME Key name, in canonical wire format
-TSIG RR CLASS (Always ANY in the current specification)
-TSIG RR TTL (Always 0 in the current specification)
-TSIG RDATA Algorithm Name in canonical wire format
-TSIG RDATA Time Signed in network byte order
-TSIG RDATA Fudge in network byte order
-TSIG RDATA Error in network byte order
-TSIG RDATA Other Len in network byte order
-TSIG RDATA Other Data exactly as transmitted
-
- The RR RDLEN and RDATA MAC Length are not included in the hash since
- they are not guaranteed to be knowable before the MAC is generated.
-
- The Original ID field is not included in this section, as it has
- already been substituted for the message ID in the DNS header and
- hashed.
-
- For each label type, there must be a defined "Canonical wire format"
- that specifies how to express a label in an unambiguous way. For
- label type 00, this is defined in [RFC2535], for label type 01, this
- is defined in [RFC2673]. The use of label types other than 00 and 01
- is not defined for this specification.
-
- 3.4.3. Request MAC
-
- When generating the MAC to be included in a response, the request MAC
- must be included in the digest. The request's MAC is digested in
- wire format, including the following fields:
-
- Field Type Description
- ---------------------------------------------------
- MAC Length u_int16_t in network byte order
- MAC Data octet stream exactly as transmitted
-
- 3.5. Padding
-
- Digested components are fed into the hashing function as a continuous
- octet stream with no interfield padding.
-
-
-
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 7]
-
-RFC 2845 DNS TSIG May 2000
-
-
-4 - Protocol Details
-
- 4.1. TSIG generation on requests
-
- Client performs the message digest operation and appends a TSIG
- record to the additional data section and transmits the request to
- the server. The client MUST store the message digest from the
- request while awaiting an answer. The digest components for a
- request are:
-
- DNS Message (request)
- TSIG Variables (request)
-
- Note that some older name servers will not accept requests with a
- nonempty additional data section. Clients SHOULD only attempt signed
- transactions with servers who are known to support TSIG and share
- some secret key with the client -- so, this is not a problem in
- practice.
-
- 4.2. TSIG on Answers
-
- When a server has generated a response to a signed request, it signs
- the response using the same algorithm and key. The server MUST not
- generate a signed response to an unsigned request. The digest
- components are:
-
- Request MAC
- DNS Message (response)
- TSIG Variables (response)
-
- 4.3. TSIG on TSIG Error returns
-
- When a server detects an error relating to the key or MAC, the server
- SHOULD send back an unsigned error message (MAC size == 0 and empty
- MAC). If an error is detected relating to the TSIG validity period,
- the server SHOULD send back a signed error message. The digest
- components are:
-
- Request MAC (if the request MAC validated)
- DNS Message (response)
- TSIG Variables (response)
-
- The reason that the request is not included in this digest in some
- cases is to make it possible for the client to verify the error. If
- the error is not a TSIG error the response MUST be generated as
- specified in [4.2].
-
-
-
-
-
-Vixie, et al. Standards Track [Page 8]
-
-RFC 2845 DNS TSIG May 2000
-
-
- 4.4. TSIG on TCP connection
-
- A DNS TCP session can include multiple DNS envelopes. This is, for
- example, commonly used by zone transfer. Using TSIG on such a
- connection can protect the connection from hijacking and provide data
- integrity. The TSIG MUST be included on the first and last DNS
- envelopes. It can be optionally placed on any intermediary
- envelopes. It is expensive to include it on every envelopes, but it
- MUST be placed on at least every 100'th envelope. The first envelope
- is processed as a standard answer, and subsequent messages have the
- following digest components:
-
- Prior Digest (running)
- DNS Messages (any unsigned messages since the last TSIG)
- TSIG Timers (current message)
-
- This allows the client to rapidly detect when the session has been
- altered; at which point it can close the connection and retry. If a
- client TSIG verification fails, the client MUST close the connection.
- If the client does not receive TSIG records frequently enough (as
- specified above) it SHOULD assume the connection has been hijacked
- and it SHOULD close the connection. The client SHOULD treat this the
- same way as they would any other interrupted transfer (although the
- exact behavior is not specified).
-
- 4.5. Server TSIG checks
-
- Upon receipt of a message, server will check if there is a TSIG RR.
- If one exists, the server is REQUIRED to return a TSIG RR in the
- response. The server MUST perform the following checks in the
- following order, check KEY, check TIME values, check MAC.
-
- 4.5.1. KEY check and error handling
-
- If a non-forwarding server does not recognize the key used by the
- client, the server MUST generate an error response with RCODE 9
- (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned
- as specified in [4.3]. The server SHOULD log the error.
-
- 4.5.2. TIME check and error handling
-
- If the server time is outside the time interval specified by the
- request (which is: Time Signed, plus/minus Fudge), the server MUST
- generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18
- (BADTIME). The server SHOULD also cache the most recent time signed
- value in a message generated by a key, and SHOULD return BADTIME if a
- message received later has an earlier time signed value. A response
- indicating a BADTIME error MUST be signed by the same key as the
-
-
-
-Vixie, et al. Standards Track [Page 9]
-
-RFC 2845 DNS TSIG May 2000
-
-
- request. It MUST include the client's current time in the time
- signed field, the server's current time (a u_int48_t) in the other
- data field, and 6 in the other data length field. This is done so
- that the client can verify a message with a BADTIME error without the
- verification failing due to another BADTIME error. The data signed
- is specified in [4.3]. The server SHOULD log the error.
-
- 4.5.3. MAC check and error handling
-
- If a TSIG fails to verify, the server MUST generate an error response
- as specified in [4.3] with RCODE 9 (NOTAUTH) and TSIG ERROR 16
- (BADSIG). This response MUST be unsigned as specified in [4.3]. The
- server SHOULD log the error.
-
- 4.6. Client processing of answer
-
- When a client receives a response from a server and expects to see a
- TSIG, it first checks if the TSIG RR is present in the response.
- Otherwise, the response is treated as having a format error and
- discarded. The client then extracts the TSIG, adjusts the ARCOUNT,
- and calculates the keyed digest in the same way as the server. If
- the TSIG does not validate, that response MUST be discarded, unless
- the RCODE is 9 (NOTAUTH), in which case the client SHOULD attempt to
- verify the response as if it were a TSIG Error response, as specified
- in [4.3]. A message containing an unsigned TSIG record or a TSIG
- record which fails verification SHOULD not be considered an
- acceptable response; the client SHOULD log an error and continue to
- wait for a signed response until the request times out.
-
- 4.6.1. Key error handling
-
- If an RCODE on a response is 9 (NOTAUTH), and the response TSIG
- validates, and the TSIG key is different from the key used on the
- request, then this is a KEY error. The client MAY retry the request
- using the key specified by the server. This should never occur, as a
- server MUST NOT sign a response with a different key than signed the
- request.
-
- 4.6.2. Time error handling
-
- If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18
- (BADTIME), or the current time does not fall in the range specified
- in the TSIG record, then this is a TIME error. This is an indication
- that the client and server clocks are not synchronized. In this case
- the client SHOULD log the event. DNS resolvers MUST NOT adjust any
- clocks in the client based on BADTIME errors, but the server's time
- in the other data field SHOULD be logged.
-
-
-
-
-Vixie, et al. Standards Track [Page 10]
-
-RFC 2845 DNS TSIG May 2000
-
-
- 4.6.3. MAC error handling
-
- If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG),
- this is a MAC error, and client MAY retry the request with a new
- request ID but it would be better to try a different shared key if
- one is available. Client SHOULD keep track of how many MAC errors
- are associated with each key. Clients SHOULD log this event.
-
- 4.7. Special considerations for forwarding servers
-
- A server acting as a forwarding server of a DNS message SHOULD check
- for the existence of a TSIG record. If the name on the TSIG is not
- of a secret that the server shares with the originator the server
- MUST forward the message unchanged including the TSIG. If the name
- of the TSIG is of a key this server shares with the originator, it
- MUST process the TSIG. If the TSIG passes all checks, the forwarding
- server MUST, if possible, include a TSIG of his own, to the
- destination or the next forwarder. If no transaction security is
- available to the destination and the response has the AD flag (see
- [RFC2535]), the forwarder MUST unset the AD flag before adding the
- TSIG to the answer.
-
-5 - Shared Secrets
-
- 5.1. Secret keys are very sensitive information and all available
- steps should be taken to protect them on every host on which they are
- stored. Generally such hosts need to be physically protected. If
- they are multi-user machines, great care should be taken that
- unprivileged users have no access to keying material. Resolvers
- often run unprivileged, which means all users of a host would be able
- to see whatever configuration data is used by the resolver.
-
- 5.2. A name server usually runs privileged, which means its
- configuration data need not be visible to all users of the host. For
- this reason, a host that implements transaction-based authentication
- should probably be configured with a "stub resolver" and a local
- caching and forwarding name server. This presents a special problem
- for [RFC2136] which otherwise depends on clients to communicate only
- with a zone's authoritative name servers.
-
- 5.3. Use of strong random shared secrets is essential to the security
- of TSIG. See [RFC1750] for a discussion of this issue. The secret
- should be at least as long as the keyed message digest, i.e. 16 bytes
- for HMAC-MD5 or 20 bytes for HMAC-SHA1.
-
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 11]
-
-RFC 2845 DNS TSIG May 2000
-
-
-6 - Security Considerations
-
- 6.1. The approach specified here is computationally much less
- expensive than the signatures specified in [RFC2535]. As long as the
- shared secret key is not compromised, strong authentication is
- provided for the last hop from a local name server to the user
- resolver.
-
- 6.2. Secret keys should be changed periodically. If the client host
- has been compromised, the server should suspend the use of all
- secrets known to that client. If possible, secrets should be stored
- in encrypted form. Secrets should never be transmitted in the clear
- over any network. This document does not address the issue on how to
- distribute secrets. Secrets should never be shared by more than two
- entities.
-
- 6.3. This mechanism does not authenticate source data, only its
- transmission between two parties who share some secret. The original
- source data can come from a compromised zone master or can be
- corrupted during transit from an authentic zone master to some
- "caching forwarder." However, if the server is faithfully performing
- the full [RFC2535] security checks, then only security checked data
- will be available to the client.
-
- 6.4. A fudge value that is too large may leave the server open to
- replay attacks. A fudge value that is too small may cause failures
- if machines are not time synchronized or there are unexpected network
- delays. The recommended value in most situation is 300 seconds.
-
-7 - IANA Considerations
-
- IANA is expected to create and maintain a registry of algorithm names
- to be used as "Algorithm Names" as defined in Section 2.3. The
- initial value should be "HMAC-MD5.SIG-ALG.REG.INT". Algorithm names
- are text strings encoded using the syntax of a domain name. There is
- no structure required other than names for different algorithms must
- be unique when compared as DNS names, i.e., comparison is case
- insensitive. Note that the initial value mentioned above is not a
- domain name, and therefore need not be a registered name within the
- DNS. New algorithms are assigned using the IETF Consensus policy
- defined in RFC 2434. The algorithm name HMAC-MD5.SIG-ALG.REG.INT
- looks like a FQDN for historical reasons; future algorithm names are
- expected to be simple (i.e., single-component) names.
-
-
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 12]
-
-RFC 2845 DNS TSIG May 2000
-
-
- IANA is expected to create and maintain a registry of "TSIG Error
- values" to be used for "Error" values as defined in section 2.3.
- Initial values should be those defined in section 1.7. New TSIG
- error codes for the TSIG error field are assigned using the IETF
- Consensus policy defined in RFC 2434.
-
-8 - References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1034, November 1987.
-
- [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
- April 1992.
-
- [RFC1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
- Recommendations for Security", RFC 1750, December 1995.
-
- [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC-MD5:
- Keyed-MD5 for Message Authentication", RFC 2104, February
- 1997.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound "Dynamic
- Updates in the Domain Name System", RFC 2136, April 1997.
-
- [RFC2137] Eastlake 3rd, D., "Secure Domain Name System Dynamic
- Update", RFC 2137, April 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2673] Crawford, M., "Binary Labels in the Domain Name System",
- RFC 2673, August 1999.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 13]
-
-RFC 2845 DNS TSIG May 2000
-
-
-9 - Authors' Addresses
-
- Paul Vixie
- Internet Software Consortium
- 950 Charter Street
- Redwood City, CA 94063
-
- Phone: +1 650 779 7001
- EMail: vixie@isc.org
-
-
- Olafur Gudmundsson
- NAI Labs
- 3060 Washington Road, Route 97
- Glenwood, MD 21738
-
- Phone: +1 443 259 2389
- EMail: ogud@tislabs.com
-
-
- Donald E. Eastlake 3rd
- Motorola
- 140 Forest Avenue
- Hudson, MA 01749 USA
-
- Phone: +1 508 261 5434
- EMail: dee3@torque.pothole.com
-
-
- Brian Wellington
- Nominum, Inc.
- 950 Charter Street
- Redwood City, CA 94063
-
- Phone: +1 650 779 6022
- EMail: Brian.Wellington@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 14]
-
-RFC 2845 DNS TSIG May 2000
-
-
-10 Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Vixie, et al. Standards Track [Page 15]
-
diff --git a/contrib/bind9/doc/rfc/rfc2874.txt b/contrib/bind9/doc/rfc/rfc2874.txt
deleted file mode 100644
index 915c104aa161..000000000000
--- a/contrib/bind9/doc/rfc/rfc2874.txt
+++ /dev/null
@@ -1,1123 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Crawford
-Request for Comments: 2874 Fermilab
-Category: Standards Track C. Huitema
- Microsoft Corporation
- July 2000
-
-
- DNS Extensions to Support IPv6 Address Aggregation and Renumbering
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document defines changes to the Domain Name System to support
- renumberable and aggregatable IPv6 addressing. The changes include a
- new resource record type to store an IPv6 address in a manner which
- expedites network renumbering and updated definitions of existing
- query types that return Internet addresses as part of additional
- section processing.
-
- For lookups keyed on IPv6 addresses (often called reverse lookups),
- this document defines a new zone structure which allows a zone to be
- used without modification for parallel copies of an address space (as
- for a multihomed provider or site) and across network renumbering
- events.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 1]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-Table of Contents
-
- 1. Introduction ............................................... 2
- 2. Overview ................................................... 3
- 2.1. Name-to-Address Lookup ............................... 4
- 2.2. Underlying Mechanisms for Reverse Lookups ............ 4
- 2.2.1. Delegation on Arbitrary Boundaries ............. 4
- 2.2.2. Reusable Zones ................................. 5
- 3. Specifications ............................................. 5
- 3.1. The A6 Record Type ................................... 5
- 3.1.1. Format ......................................... 6
- 3.1.2. Processing ..................................... 6
- 3.1.3. Textual Representation ......................... 7
- 3.1.4. Name Resolution Procedure ...................... 7
- 3.2. Zone Structure for Reverse Lookups ................... 7
- 4. Modifications to Existing Query Types ...................... 8
- 5. Usage Illustrations ........................................ 8
- 5.1. A6 Record Chains ..................................... 9
- 5.1.1. Authoritative Data ............................. 9
- 5.1.2. Glue ........................................... 10
- 5.1.3. Variations ..................................... 12
- 5.2. Reverse Mapping Zones ................................ 13
- 5.2.1. The TLA level .................................. 13
- 5.2.2. The ISP level .................................. 13
- 5.2.3. The Site Level ................................. 13
- 5.3. Lookups .............................................. 14
- 5.4. Operational Note ..................................... 15
- 6. Transition from RFC 1886 and Deployment Notes .............. 15
- 6.1. Transition from AAAA and Coexistence with A Records .. 16
- 6.2. Transition from Nibble Labels to Binary Labels ....... 17
- 7. Security Considerations .................................... 17
- 8. IANA Considerations ........................................ 17
- 9. Acknowledgments ............................................ 18
- 10. References ................................................ 18
- 11. Authors' Addresses ........................................ 19
- 12. Full Copyright Statement .................................. 20
-
-1. Introduction
-
- Maintenance of address information in the DNS is one of several
- obstacles which have prevented site and provider renumbering from
- being feasible in IP version 4. Arguments about the importance of
- network renumbering for the preservation of a stable routing system
- and for other purposes may be read in [RENUM1, RENUM2, RENUM3]. To
- support the storage of IPv6 addresses without impeding renumbering we
- define the following extensions.
-
-
-
-
-
-Crawford, et al. Standards Track [Page 2]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- o A new resource record type, "A6", is defined to map a domain name
- to an IPv6 address, with a provision for indirection for leading
- "prefix" bits.
-
- o Existing queries that perform additional section processing to
- locate IPv4 addresses are redefined to do that processing for both
- IPv4 and IPv6 addresses.
-
- o A new domain, IP6.ARPA, is defined to support lookups based on
- IPv6 address.
-
- o A new prefix-delegation method is defined, relying on new DNS
- features [BITLBL, DNAME].
-
- The changes are designed to be compatible with existing application
- programming interfaces. The existing support for IPv4 addresses is
- retained. Transition issues related to the coexistence of both IPv4
- and IPv6 addresses in DNS are discussed in [TRANS].
-
- This memo proposes a replacement for the specification in RFC 1886
- [AAAA] and a departure from current implementation practices. The
- changes are designed to facilitate network renumbering and
- multihoming. Domains employing the A6 record for IPv6 addresses can
- insert automatically-generated AAAA records in zone files to ease
- transition. It is expected that after a reasonable period, RFC 1886
- will become Historic.
-
- The next three major sections of this document are an overview of the
- facilities defined or employed by this specification, the
- specification itself, and examples of use.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [KWORD]. The key word
- "SUGGESTED" signifies a strength between MAY and SHOULD: it is
- believed that compliance with the suggestion has tangible benefits in
- most instances.
-
-2. Overview
-
- This section provides an overview of the DNS facilities for storage
- of IPv6 addresses and for lookups based on IPv6 address, including
- those defined here and elsewhere.
-
-
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 3]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-2.1. Name-to-Address Lookup
-
- IPv6 addresses are stored in one or more A6 resource records. A
- single A6 record may include a complete IPv6 address, or a contiguous
- portion of an address and information leading to one or more
- prefixes. Prefix information comprises a prefix length and a DNS
- name which is in turn the owner of one or more A6 records defining
- the prefix or prefixes which are needed to form one or more complete
- IPv6 addresses. When the prefix length is zero, no DNS name is
- present and all the leading bits of the address are significant.
- There may be multiple levels of indirection and the existence of
- multiple A6 records at any level multiplies the number of IPv6
- addresses which are formed.
-
- An application looking up an IPv6 address will generally cause the
- DNS resolver to access several A6 records, and multiple IPv6
- addresses may be returned even if the queried name was the owner of
- only one A6 record. The authenticity of the returned address(es)
- cannot be directly verified by DNS Security [DNSSEC]. The A6 records
- which contributed to the address(es) may of course be verified if
- signed.
-
- Implementers are reminded of the necessity to limit the amount of
- work a resolver will perform in response to a client request. This
- principle MUST be extended to also limit the generation of DNS
- requests in response to one name-to-address (or address-to-name)
- lookup request.
-
-2.2. Underlying Mechanisms for Reverse Lookups
-
- This section describes the new DNS features which this document
- exploits. This section is an overview, not a specification of those
- features. The reader is directed to the referenced documents for
- more details on each.
-
-2.2.1. Delegation on Arbitrary Boundaries
-
- This new scheme for reverse lookups relies on a new type of DNS label
- called the "bit-string label" [BITLBL]. This label compactly
- represents an arbitrary string of bits which is treated as a
- hierarchical sequence of one-bit domain labels. Resource records can
- thereby be stored at arbitrary bit-boundaries.
-
- Examples in section 5 will employ the following textual
- representation for bit-string labels, which is a subset of the syntax
- defined in [BITLBL]. A base indicator "x" for hexadecimal and a
- sequence of hexadecimal digits is enclosed between "\[" and "]". The
- bits denoted by the digits represent a sequence of one-bit domain
-
-
-
-Crawford, et al. Standards Track [Page 4]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- labels ordered from most to least significant. (This is the opposite
- of the order they would appear if listed one bit at a time, but it
- appears to be a convenient notation.) The digit string may be
- followed by a slash ("/") and a decimal count. If omitted, the
- implicit count is equal to four times the number of hexadecimal
- digits.
-
- Consecutive bit-string labels are equivalent (up to the limit imposed
- by the size of the bit count field) to a single bit-string label
- containing all the bits of the consecutive labels in the proper
- order. As an example, either of the following domain names could be
- used in a QCLASS=IN, QTYPE=PTR query to find the name of the node
- with IPv6 address 3ffe:7c0:40:9:a00:20ff:fe81:2b32.
-
- \[x3FFE07C0004000090A0020FFFE812B32/128].IP6.ARPA.
-
- \[x0A0020FFFE812B32/64].\[x0009/16].\[x3FFE07C00040/48].IP6.ARPA.
-
-2.2.2. Reusable Zones
-
- DNS address space delegation is implemented not by zone cuts and NS
- records, but by a new analogue to the CNAME record, called the DNAME
- resource record [DNAME]. The DNAME record provides alternate naming
- to an entire subtree of the domain name space, rather than to a
- single node. It causes some suffix of a queried name to be
- substituted with a name from the DNAME record's RDATA.
-
- For example, a resolver or server providing recursion, while looking
- up a QNAME a.b.c.d.e.f may encounter a DNAME record
-
- d.e.f. DNAME w.xy.
-
- which will cause it to look for a.b.c.w.xy.
-
-3. Specifications
-
-3.1. The A6 Record Type
-
- The A6 record type is specific to the IN (Internet) class and has
- type number 38 (decimal).
-
-
-
-
-
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 5]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-3.1.1. Format
-
- The RDATA portion of the A6 record contains two or three fields.
-
- +-----------+------------------+-------------------+
- |Prefix len.| Address suffix | Prefix name |
- | (1 octet) | (0..16 octets) | (0..255 octets) |
- +-----------+------------------+-------------------+
-
- o A prefix length, encoded as an eight-bit unsigned integer with
- value between 0 and 128 inclusive.
-
- o An IPv6 address suffix, encoded in network order (high-order octet
- first). There MUST be exactly enough octets in this field to
- contain a number of bits equal to 128 minus prefix length, with 0
- to 7 leading pad bits to make this field an integral number of
- octets. Pad bits, if present, MUST be set to zero when loading a
- zone file and ignored (other than for SIG [DNSSEC] verification)
- on reception.
-
- o The name of the prefix, encoded as a domain name. By the rules of
- [DNSIS], this name MUST NOT be compressed.
-
- The domain name component SHALL NOT be present if the prefix length
- is zero. The address suffix component SHALL NOT be present if the
- prefix length is 128.
-
- It is SUGGESTED that an A6 record intended for use as a prefix for
- other A6 records have all the insignificant trailing bits in its
- address suffix field set to zero.
-
-3.1.2. Processing
-
- A query with QTYPE=A6 causes type A6 and type NS additional section
- processing for the prefix names, if any, in the RDATA field of the A6
- records in the answer section. This processing SHOULD be recursively
- applied to the prefix names of A6 records included as additional
- data. When space in the reply packet is a limit, inclusion of
- additional A6 records takes priority over NS records.
-
- It is an error for an A6 record with prefix length L1 > 0 to refer to
- a domain name which owns an A6 record with a prefix length L2 > L1.
- If such a situation is encountered by a resolver, the A6 record with
- the offending (larger) prefix length MUST be ignored. Robustness
- precludes signaling an error if addresses can still be formed from
- valid A6 records, but it is SUGGESTED that zone maintainers from time
- to time check all the A6 records their zones reference.
-
-
-
-
-Crawford, et al. Standards Track [Page 6]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-3.1.3. Textual Representation
-
- The textual representation of the RDATA portion of the A6 resource
- record in a zone file comprises two or three fields separated by
- whitespace.
-
- o A prefix length, represented as a decimal number between 0 and 128
- inclusive,
-
- o the textual representation of an IPv6 address as defined in
- [AARCH] (although some leading and/or trailing bits may not be
- significant),
-
- o a domain name, if the prefix length is not zero.
-
- The domain name MUST be absent if the prefix length is zero. The
- IPv6 address MAY be be absent if the prefix length is 128. A number
- of leading address bits equal to the prefix length SHOULD be zero,
- either implicitly (through the :: notation) or explicitly, as
- specified in section 3.1.1.
-
-3.1.4. Name Resolution Procedure
-
- To obtain the IPv6 address or addresses which belong to a given name,
- a DNS client MUST obtain one or more complete chains of A6 records,
- each chain beginning with a record owned by the given name and
- including a record owned by the prefix name in that record, and so on
- recursively, ending with an A6 record with a prefix length of zero.
- One IPv6 address is formed from one such chain by taking the value of
- each bit position from the earliest A6 record in the chain which
- validly covers that position, as indicated by the prefix length. The
- set of all IPv6 addresses for the given name comprises the addresses
- formed from all complete chains of A6 records beginning at that name,
- discarding records which have invalid prefix lengths as defined in
- section 3.1.2.
-
- If some A6 queries fail and others succeed, a client might obtain a
- non-empty but incomplete set of IPv6 addresses for a host. In many
- situations this may be acceptable. The completeness of a set of A6
- records may always be determined by inspection.
-
-3.2. Zone Structure for Reverse Lookups
-
- Very little of the new scheme's data actually appears under IP6.ARPA;
- only the first level of delegation needs to be under that domain.
- More levels of delegation could be placed under IP6.ARPA if some
- top-level delegations were done via NS records instead of DNAME
- records, but this would incur some cost in renumbering ease at the
-
-
-
-Crawford, et al. Standards Track [Page 7]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- level of TLAs [AGGR]. Therefore, it is declared here that all
- address space delegations SHOULD be done by the DNAME mechanism
- rather than NS.
-
- In addition, since uniformity in deployment will simplify maintenance
- of address delegations, it is SUGGESTED that address and prefix
- information be stored immediately below a DNS label "IP6". Stated
- another way, conformance with this suggestion would mean that "IP6"
- is the first label in the RDATA field of DNAME records which support
- IPv6 reverse lookups.
-
- When any "reserved" or "must be zero" bits are adjacent to a
- delegation boundary, the higher-level entity MUST retain those bits
- in its own control and delegate only the bits over which the lower-
- level entity has authority.
-
- To find the name of a node given its IPv6 address, a DNS client MUST
- perform a query with QCLASS=IN, QTYPE=PTR on the name formed from the
- 128 bit address as one or more bit-string labels [BITLBL], followed
- by the two standard labels "IP6.ARPA". If recursive service was not
- obtained from a server and the desired PTR record was not returned,
- the resolver MUST handle returned DNAME records as specified in
- [DNAME], and NS records as specified in [DNSCF], and iterate.
-
-4. Modifications to Existing Query Types
-
- All existing query types that perform type A additional section
- processing, i.e. the name server (NS), mail exchange (MX), and
- mailbox (MB) query types, and the experimental AFS data base (AFSDB)
- and route through (RT) types, must be redefined to perform type A, A6
- and AAAA additional section processing, with type A having the
- highest priority for inclusion and type AAAA the lowest. This
- redefinition means that a name server may add any relevant IPv4 and
- IPv6 address information available locally to the additional section
- of a response when processing any one of the above queries. The
- recursive inclusion of A6 records referenced by A6 records already
- included in the additional section is OPTIONAL.
-
-5. Usage Illustrations
-
- This section provides examples of use of the mechanisms defined in
- the previous section. All addresses and domains mentioned here are
- intended to be fictitious and for illustrative purposes only.
- Example delegations will be on 4-bit boundaries solely for
- readability; this specification is indifferent to bit alignment.
-
- Use of the IPv6 aggregatable address format [AGGR] is assumed in the
- examples.
-
-
-
-Crawford, et al. Standards Track [Page 8]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-5.1. A6 Record Chains
-
- Let's take the example of a site X that is multi-homed to two
- "intermediate" providers A and B. The provider A is itself multi-
- homed to two "transit" providers, C and D. The provider B gets its
- transit service from a single provider, E. For simplicity suppose
- that C, D and E all belong to the same top-level aggregate (TLA) with
- identifier (including format prefix) '2345', and the TLA authority at
- ALPHA-TLA.ORG assigns to C, D and E respectively the next level
- aggregate (NLA) prefixes 2345:00C0::/28, 2345:00D0::/28 and
- 2345:000E::/32.
-
- C assigns the NLA prefix 2345:00C1:CA00::/40 to A, D assigns the
- prefix 2345:00D2:DA00::/40 to A and E assigns 2345:000E:EB00::/40 to
- B.
-
- A assigns to X the subscriber identification '11' and B assigns the
- subscriber identification '22'. As a result, the site X inherits
- three address prefixes:
-
- o 2345:00C1:CA11::/48 from A, for routes through C.
- o 2345:00D2:DA11::/48 from A, for routes through D.
- o 2345:000E:EB22::/48 from B, for routes through E.
-
- Let us suppose that N is a node in the site X, that it is assigned to
- subnet number 1 in this site, and that it uses the interface
- identifier '1234:5678:9ABC:DEF0'. In our configuration, this node
- will have three addresses:
-
- o 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0
- o 2345:00D2:DA11:0001:1234:5678:9ABC:DEF0
- o 2345:000E:EB22:0001:1234:5678:9ABC:DEF0
-
-5.1.1. Authoritative Data
-
- We will assume that the site X is represented in the DNS by the
- domain name X.EXAMPLE, while A, B, C, D and E are represented by
- A.NET, B.NET, C.NET, D.NET and E.NET. In each of these domains, we
- assume a subdomain "IP6" that will hold the corresponding prefixes.
- The node N is identified by the domain name N.X.EXAMPLE. The
- following records would then appear in X's DNS.
-
- $ORIGIN X.EXAMPLE.
- N A6 64 ::1234:5678:9ABC:DEF0 SUBNET-1.IP6
- SUBNET-1.IP6 A6 48 0:0:0:1:: IP6
- IP6 A6 48 0::0 SUBSCRIBER-X.IP6.A.NET.
- IP6 A6 48 0::0 SUBSCRIBER-X.IP6.B.NET.
-
-
-
-
-Crawford, et al. Standards Track [Page 9]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- And elsewhere there would appear
-
- SUBSCRIBER-X.IP6.A.NET. A6 40 0:0:0011:: A.NET.IP6.C.NET.
- SUBSCRIBER-X.IP6.A.NET. A6 40 0:0:0011:: A.NET.IP6.D.NET.
-
- SUBSCRIBER-X.IP6.B.NET. A6 40 0:0:0022:: B-NET.IP6.E.NET.
-
- A.NET.IP6.C.NET. A6 28 0:0001:CA00:: C.NET.ALPHA-TLA.ORG.
-
- A.NET.IP6.D.NET. A6 28 0:0002:DA00:: D.NET.ALPHA-TLA.ORG.
-
- B-NET.IP6.E.NET. A6 32 0:0:EB00:: E.NET.ALPHA-TLA.ORG.
-
- C.NET.ALPHA-TLA.ORG. A6 0 2345:00C0::
- D.NET.ALPHA-TLA.ORG. A6 0 2345:00D0::
- E.NET.ALPHA-TLA.ORG. A6 0 2345:000E::
-
-5.1.2. Glue
-
- When, as is common, some or all DNS servers for X.EXAMPLE are within
- the X.EXAMPLE zone itself, the top-level zone EXAMPLE must carry
- enough "glue" information to enable DNS clients to reach those
- nameservers. This is true in IPv6 just as in IPv4. However, the A6
- record affords the DNS administrator some choices. The glue could be
- any of
-
- o a minimal set of A6 records duplicated from the X.EXAMPLE zone,
-
- o a (possibly smaller) set of records which collapse the structure
- of that minimal set,
-
- o or a set of A6 records with prefix length zero, giving the entire
- global addresses of the servers.
-
- The trade-off is ease of maintenance against robustness. The best
- and worst of both may be had together by implementing either the
- first or second option together with the third. To illustrate the
- glue options, suppose that X.EXAMPLE is served by two nameservers
- NS1.X.EXAMPLE and NS2.X.EXAMPLE, having interface identifiers
- ::1:11:111:1111 and ::2:22:222:2222 on subnets 1 and 2 respectively.
- Then the top-level zone EXAMPLE would include one (or more) of the
- following sets of A6 records as glue.
-
-
-
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 10]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- $ORIGIN EXAMPLE. ; first option
- X NS NS1.X
- NS NS2.X
- NS1.X A6 64 ::1:11:111:1111 SUBNET-1.IP6.X
- NS2.X A6 64 ::2:22:222:2222 SUBNET-2.IP6.X
- SUBNET-1.IP6.X A6 48 0:0:0:1:: IP6.X
- SUBNET-2.IP6.X A6 48 0:0:0:2:: IP6.X
- IP6.X A6 48 0::0 SUBSCRIBER-X.IP6.A.NET.
- IP6.X A6 48 0::0 SUBSCRIBER-X.IP6.B.NET.
-
-
- $ORIGIN EXAMPLE. ; second option
- X NS NS1.X
- NS NS2.X
- NS1.X A6 48 ::1:1:11:111:1111 SUBSCRIBER-X.IP6.A.NET.
- A6 48 ::1:1:11:111:1111 SUBSCRIBER-X.IP6.B.NET.
- NS2.X A6 48 ::2:2:22:222:2222 SUBSCRIBER-X.IP6.A.NET.
- A6 48 ::2:2:22:222:2222 SUBSCRIBER-X.IP6.B.NET.
-
-
- $ORIGIN EXAMPLE. ; third option
- X NS NS1.X
- NS NS2.X
- NS1.X A6 0 2345:00C1:CA11:1:1:11:111:1111
- A6 0 2345:00D2:DA11:1:1:11:111:1111
- A6 0 2345:000E:EB22:1:1:11:111:1111
- NS2.X A6 0 2345:00C1:CA11:2:2:22:222:2222
- A6 0 2345:00D2:DA11:2:2:22:222:2222
- A6 0 2345:000E:EB22:2:2:22:222:2222
-
- The first and second glue options are robust against renumbering of
- X.EXAMPLE's prefixes by providers A.NET and B.NET, but will fail if
- those providers' own DNS is unreachable. The glue records of the
- third option are robust against DNS failures elsewhere than the zones
- EXAMPLE and X.EXAMPLE themselves, but must be updated when X's
- address space is renumbered.
-
- If the EXAMPLE zone includes redundant glue, for instance the union
- of the A6 records of the first and third options, then under normal
- circumstances duplicate IPv6 addresses will be derived by DNS
- clients. But if provider DNS fails, addresses will still be obtained
- from the zero-prefix-length records, while if the EXAMPLE zone lags
- behind a renumbering of X.EXAMPLE, half of the addresses obtained by
- DNS clients will still be up-to-date.
-
- The zero-prefix-length glue records can of course be automatically
- generated and/or checked in practice.
-
-
-
-
-Crawford, et al. Standards Track [Page 11]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-5.1.3. Variations
-
- Several more-or-less arbitrary assumptions are reflected in the above
- structure. All of the following choices could have been made
- differently, according to someone's notion of convenience or an
- agreement between two parties.
-
- First, that site X has chosen to put subnet information in a
- separate A6 record rather than incorporate it into each node's A6
- records.
-
- Second, that site X is referred to as "SUBSCRIBER-X" by both of
- its providers A and B.
-
- Third, that site X chose to indirect its provider information
- through A6 records at IP6.X.EXAMPLE containing no significant
- bits. An alternative would have been to replicate each subnet
- record for each provider.
-
- Fourth, B and E used a slightly different prefix naming convention
- between themselves than did A, C and D. Each hierarchical pair of
- network entities must arrange this naming between themselves.
-
- Fifth, that the upward prefix referral chain topped out at ALPHA-
- TLA.ORG. There could have been another level which assigned the
- TLA values and holds A6 records containing those bits.
-
- Finally, the above structure reflects an assumption that address
- fields assigned by a given entity are recorded only in A6 records
- held by that entity. Those bits could be entered into A6 records in
- the lower-level entity's zone instead, thus:
-
- IP6.X.EXAMPLE. A6 40 0:0:11:: IP6.A.NET.
- IP6.X.EXAMPLE. A6 40 0:0:22:: IP6.B.NET.
-
- IP6.A.NET. A6 28 0:1:CA00:: IP6.C.NET.
- and so on.
-
- Or the higher-level entities could hold both sorts of A6 records
- (with different DNS owner names) and allow the lower-level entities
- to choose either mode of A6 chaining. But the general principle of
- avoiding data duplication suggests that the proper place to store
- assigned values is with the entity that assigned them.
-
- It is possible, but not necessarily recommended, for a zone
- maintainer to forego the renumbering support afforded by the chaining
- of A6 records and to record entire IPv6 addresses within one zone
- file.
-
-
-
-Crawford, et al. Standards Track [Page 12]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-5.2. Reverse Mapping Zones
-
- Supposing that address space assignments in the TLAs with Format
- Prefix (001) binary and IDs 0345, 0678 and 09AB were maintained in
- zones called ALPHA-TLA.ORG, BRAVO-TLA.ORG and CHARLIE-TLA.XY, then
- the IP6.ARPA zone would include
-
- $ORIGIN IP6.ARPA.
- \[x234500/24] DNAME IP6.ALPHA-TLA.ORG.
- \[x267800/24] DNAME IP6.BRAVO-TLA.ORG.
- \[x29AB00/24] DNAME IP6.CHARLIE-TLA.XY.
-
- Eight trailing zero bits have been included in each TLA ID to reflect
- the eight reserved bits in the current aggregatable global unicast
- addresses format [AGGR].
-
-5.2.1. The TLA level
-
- ALPHA-TLA's assignments to network providers C, D and E are reflected
- in the reverse data as follows.
-
- \[xC/4].IP6.ALPHA-TLA.ORG. DNAME IP6.C.NET.
- \[xD/4].IP6.ALPHA-TLA.ORG. DNAME IP6.D.NET.
- \[x0E/8].IP6.ALPHA-TLA.ORG. DNAME IP6.E.NET.
-
-5.2.2. The ISP level
-
- The providers A through E carry the following delegation information
- in their zone files.
-
- \[x1CA/12].IP6.C.NET. DNAME IP6.A.NET.
- \[x2DA/12].IP6.D.NET. DNAME IP6.A.NET.
- \[xEB/8].IP6.E.NET. DNAME IP6.B.NET.
- \[x11/8].IP6.A.NET. DNAME IP6.X.EXAMPLE.
- \[x22/8].IP6.B.NET. DNAME IP6.X.EXAMPLE.
-
- Note that some domain names appear in the RDATA of more than one
- DNAME record. In those cases, one zone is being used to map multiple
- prefixes.
-
-5.2.3. The Site Level
-
- Consider the customer X.EXAMPLE using IP6.X.EXAMPLE for address-to-
- name translations. This domain is now referenced by two different
- DNAME records held by two different providers.
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 13]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- $ORIGIN IP6.X.EXAMPLE.
- \[x0001/16] DNAME SUBNET-1
- \[x123456789ABCDEF0].SUBNET-1 PTR N.X.EXAMPLE.
- and so on.
-
- SUBNET-1 need not have been named in a DNAME record; the subnet bits
- could have been joined with the interface identifier. But if subnets
- are treated alike in both the A6 records and in the reverse zone, it
- will always be possible to keep the forward and reverse definition
- data for each prefix in one zone.
-
-5.3. Lookups
-
- A DNS resolver looking for a hostname for the address
- 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 would acquire certain of the
- DNAME records shown above and would form new queries. Assuming that
- it began the process knowing servers for IP6.ARPA, but that no server
- it consulted provided recursion and none had other useful additional
- information cached, the sequence of queried names and responses would
- be (all with QCLASS=IN, QTYPE=PTR):
-
- To a server for IP6.ARPA:
- QNAME=\[x234500C1CA110001123456789ABCDEF0/128].IP6.ARPA.
-
- Answer:
- \[x234500/24].IP6.ARPA. DNAME IP6.ALPHA-TLA.ORG.
-
- To a server for IP6.ALPHA-TLA.ORG:
- QNAME=\[xC1CA110001123456789ABCDEF0/104].IP6.ALPHA-TLA.ORG.
-
- Answer:
- \[xC/4].IP6.ALPHA-TLA.ORG. DNAME IP6.C.NET.
-
- To a server for IP6.C.NET.:
- QNAME=\[x1CA110001123456789ABCDEF0/100].IP6.C.NET.
-
- Answer:
- \[x1CA/12].IP6.C.NET. DNAME IP6.A.NET.
-
- To a server for IP6.A.NET.:
- QNAME=\[x110001123456789ABCDEF0/88].IP6.A.NET.
-
- Answer:
- \[x11/8].IP6.A.NET. DNAME IP6.X.EXAMPLE.
-
- To a server for IP6.X.EXAMPLE.:
- QNAME=\[x0001123456789ABCDEF0/80].IP6.X.EXAMPLE.
-
-
-
-
-Crawford, et al. Standards Track [Page 14]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- Answer:
- \[x0001/16].IP6.X.EXAMPLE. DNAME SUBNET-1.IP6.X.EXAMPLE.
- \[x123456789ABCDEF0/64].SUBNET-1.X.EXAMPLE. PTR N.X.EXAMPLE.
-
- All the DNAME (and NS) records acquired along the way can be cached
- to expedite resolution of addresses topologically near to this
- address. And if another global address of N.X.EXAMPLE were resolved
- within the TTL of the final PTR record, that record would not have to
- be fetched again.
-
-5.4. Operational Note
-
- In the illustrations in section 5.1, hierarchically adjacent
- entities, such as a network provider and a customer, must agree on a
- DNS name which will own the definition of the delegated prefix(es).
- One simple convention would be to use a bit-string label representing
- exactly the bits which are assigned to the lower-level entity by the
- higher. For example, "SUBSCRIBER-X" could be replaced by "\[x11/8]".
- This would place the A6 record(s) defining the delegated prefix at
- exactly the same point in the DNS tree as the DNAME record associated
- with that delegation. The cost of this simplification is that the
- lower-level zone must update its upward-pointing A6 records when it
- is renumbered. This cost may be found quite acceptable in practice.
-
-6. Transition from RFC 1886 and Deployment Notes
-
- When prefixes have been "delegated upward" with A6 records, the
- number of DNS resource records required to establish a single IPv6
- address increases by some non-trivial factor. Those records will
- typically, but not necessarily, come from different DNS zones (which
- can independently suffer failures for all the usual reasons). When
- obtaining multiple IPv6 addresses together, this increase in RR count
- will be proportionally less -- and the total size of a DNS reply
- might even decrease -- if the addresses are topologically clustered.
- But the records could still easily exceed the space available in a
- UDP response which returns a large RRset [DNSCLAR] to an MX, NS, or
- SRV query, for example. The possibilities for overall degradation of
- performance and reliability of DNS lookups are numerous, and increase
- with the number of prefix delegations involved, especially when those
- delegations point to records in other zones.
-
- DNS Security [DNSSEC] addresses the trustworthiness of cached data,
- which is a problem intrinsic to DNS, but the cost of applying this to
- an IPv6 address is multiplied by a factor which may be greater than
- the number of prefix delegations involved if different signature
- chains must be verified for different A6 records. If a trusted
- centralized caching server (as in [TSIG], for example) is used, this
- cost might be amortized to acceptable levels. One new phenomenon is
-
-
-
-Crawford, et al. Standards Track [Page 15]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- the possibility that IPv6 addresses may be formed from a A6 records
- from a combination of secure and unsecured zones.
-
- Until more deployment experience is gained with the A6 record, it is
- recommended that prefix delegations be limited to one or two levels.
- A reasonable phasing-in mechanism would be to start with no prefix
- delegations (all A6 records having prefix length 0) and then to move
- to the use of a single level of delegation within a single zone. (If
- the TTL of the "prefix" A6 records is kept to an appropriate duration
- the capability for rapid renumbering is not lost.) More aggressively
- flexible delegation could be introduced for a subset of hosts for
- experimentation.
-
-6.1. Transition from AAAA and Coexistence with A Records
-
- Administrators of zones which contain A6 records can easily
- accommodate deployed resolvers which understand AAAA records but not
- A6 records. Such administrators can do automatic generation of AAAA
- records for all of a zone's names which own A6 records by a process
- which mimics the resolution of a hostname to an IPv6 address (see
- section 3.1.4). Attention must be paid to the TTL assigned to a
- generated AAAA record, which MUST be no more than the minimum of the
- TTLs of the A6 records that were used to form the IPv6 address in
- that record. For full robustness, those A6 records which were in
- different zones should be monitored for changes (in TTL or RDATA)
- even when there are no changes to zone for which AAAA records are
- being generated. If the zone is secure [DNSSEC], the generated AAAA
- records MUST be signed along with the rest of the zone data.
-
- A zone-specific heuristic MAY be used to avoid generation of AAAA
- records for A6 records which record prefixes, although such
- superfluous records would be relatively few in number and harmless.
- Examples of such heuristics include omitting A6 records with a prefix
- length less than the largest value found in the zone file, or records
- with an address suffix field with a certain number of trailing zero
- bits.
-
- On the client side, when looking up and IPv6 address, the order of A6
- and AAAA queries MAY be configurable to be one of: A6, then AAAA;
- AAAA, then A6; A6 only; or both in parallel. The default order (or
- only order, if not configurable) MUST be to try A6 first, then AAAA.
- If and when the AAAA becomes deprecated a new document will change
- the default.
-
- The guidelines and options for precedence between IPv4 and IPv6
- addresses are specified in [TRANS]. All mentions of AAAA records in
- that document are henceforth to be interpreted as meaning A6 and/or
- AAAA records in the order specified in the previous paragraph.
-
-
-
-Crawford, et al. Standards Track [Page 16]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-6.2. Transition from Nibble Labels to Binary Labels
-
- Implementations conforming to RFC 1886 [AAAA] perform reverse lookups
- as follows:
-
- An IPv6 address is represented as a name in the IP6.INT domain by
- a sequence of nibbles separated by dots with the suffix
- ".IP6.INT". The sequence of nibbles is encoded in reverse order,
- i.e. the low-order nibble is encoded first, followed by the next
- low-order nibble and so on. Each nibble is represented by a
- hexadecimal digit. For example, a name for the address
- 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 of the example in section
- 5.3 would be sought at the DNS name "0.f.e.d.c.b.a.9.-
- 8.7.6.5.4.3.2.1.1.0.0.0.1.1.a.c.1.c.0.0.5.4.3.2.ip6.int."
-
- Implementations conforming to this specification will perform a
- lookup of a binary label in IP6.ARPA as specified in Section 3.2. It
- is RECOMMENDED that for a transition period implementations first
- lookup the binary label in IP6.ARPA and if this fails try to lookup
- the 'nibble' label in IP6.INT.
-
-7. Security Considerations
-
- The signing authority [DNSSEC] for the A6 records which determine an
- IPv6 address is distributed among several entities, reflecting the
- delegation path of the address space which that address occupies.
- DNS Security is fully applicable to bit-string labels and DNAME
- records. And just as in IPv4, verification of name-to-address
- mappings is logically independent of verification of address-to-name
- mappings.
-
- With or without DNSSEC, the incomplete but non-empty address set
- scenario of section 3.1.4 could be caused by selective interference
- with DNS lookups. If in some situation this would be more harmful
- than complete DNS failure, it might be mitigated on the client side
- by refusing to act on an incomplete set, or on the server side by
- listing all addresses in A6 records with prefix length 0.
-
-8. IANA Considerations
-
- The A6 resource record has been assigned a Type value of 38.
-
-
-
-
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 17]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-9. Acknowledgments
-
- The authors would like to thank the following persons for valuable
- discussions and reviews: Mark Andrews, Rob Austein, Jim Bound, Randy
- Bush, Brian Carpenter, David Conrad, Steve Deering, Francis Dupont,
- Robert Elz, Bob Fink, Olafur Gudmundsson, Bob Halley, Bob Hinden,
- Edward Lewis, Bill Manning, Keith Moore, Thomas Narten, Erik
- Nordmark, Mike O'Dell, Michael Patton and Ken Powell.
-
-10. References
-
- [AAAA] Thomson, S. and C. Huitema, "DNS Extensions to support IP
- version 6, RFC 1886, December 1995.
-
- [AARCH] Hinden, R. and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
- [AGGR] Hinden, R., O'Dell, M. and S. Deering, "An IPv6
- Aggregatable Global Unicast Address Format", RFC 2374, July
- 1998.
-
- [BITLBL] Crawford, M., "Binary Labels in the Domain Name System",
- RFC 2673, August 1999.
-
- [DNAME] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
- 2672, August 1999.
-
- [DNSCLAR] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [DNSIS] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [DNSSEC] Eastlake, D. 3rd and C. Kaufman, "Domain Name System
- Security Extensions", RFC 2535, March 1999.
-
- [KWORD] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RENUM1] Carpenter, B. and Y. Rekhter, "Renumbering Needs Work", RFC
- 1900, February 1996.
-
- [RENUM2] Ferguson, P. and H. Berkowitz, "Network Renumbering
- Overview: Why would I want it and what is it anyway?", RFC
- 2071, January 1997.
-
- [RENUM3] Carpenter, B., Crowcroft, J. and Y. Rekhter, "IPv4 Address
- Behaviour Today", RFC 2101, February 1997.
-
-
-
-Crawford, et al. Standards Track [Page 18]
-
-RFC 2874 IPv6 DNS July 2000
-
-
- [TRANS] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
- IPv6 Hosts and Routers", RFC 1933, April 1996.
-
- [TSIG] Vixie, P., Gudmundsson, O., Eastlake, D. 3rd and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-
-11. Authors' Addresses
-
- Matt Crawford
- Fermilab
- MS 368
- PO Box 500
- Batavia, IL 60510
- USA
-
- Phone: +1 630 840-3461
- EMail: crawdad@fnal.gov
-
-
- Christian Huitema
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052-6399
-
- EMail: huitema@microsoft.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 19]
-
-RFC 2874 IPv6 DNS July 2000
-
-
-12. Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Crawford, et al. Standards Track [Page 20]
-
diff --git a/contrib/bind9/doc/rfc/rfc2915.txt b/contrib/bind9/doc/rfc/rfc2915.txt
deleted file mode 100644
index 2022ba115724..000000000000
--- a/contrib/bind9/doc/rfc/rfc2915.txt
+++ /dev/null
@@ -1,1011 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Mealling
-Request for Comments: 2915 Network Solutions, Inc.
-Updates: 2168 R. Daniel
-Category: Standards Track DATAFUSION, Inc.
- September 2000
-
-
- The Naming Authority Pointer (NAPTR) DNS Resource Record
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document describes a Domain Name System (DNS) resource record
- which specifies a regular expression based rewrite rule that, when
- applied to an existing string, will produce a new domain label or
- Uniform Resource Identifier (URI). Depending on the value of the
- flags field of the resource record, the resulting domain label or URI
- may be used in subsequent queries for the Naming Authority Pointer
- (NAPTR) resource records (to delegate the name lookup) or as the
- output of the entire process for which this system is used (a
- resolution server for URI resolution, a service URI for ENUM style
- e.164 number to URI mapping, etc).
-
- This allows the DNS to be used to lookup services for a wide variety
- of resource names (including URIs) which are not in domain name
- syntax. Reasons for doing this range from URN Resource Discovery
- Systems to moving out-of-date services to new domains.
-
- This document updates the portions of RFC 2168 specifically dealing
- with the definition of the NAPTR records and how other, non-URI
- specific applications, might use NAPTR.
-
-
-
-
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 1]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
- 2. NAPTR RR Format . . . . . . . . . . . . . . . . . . . . . . 3
- 3. Substitution Expression Grammar . . . . . . . . . . . . . . 7
- 4. The Basic NAPTR Algorithm . . . . . . . . . . . . . . . . . 8
- 5. Concerning How NAPTR Uses SRV Records . . . . . . . . . . . 9
- 6. Application Specifications . . . . . . . . . . . . . . . . . 10
- 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 7.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 7.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . 12
- 7.3 Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . 13
- 8. DNS Packet Format . . . . . . . . . . . . . . . . . . . . . 13
- 9. Master File Format . . . . . . . . . . . . . . . . . . . . . 14
- 10. Advice for DNS Administrators . . . . . . . . . . . . . . . 14
- 11. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
- 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . 15
- 13. Security Considerations . . . . . . . . . . . . . . . . . . 15
- 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 16
- References . . . . . . . . . . . . . . . . . . . . . . . . . 16
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 17
- Full Copyright Statement . . . . . . . . . . . . . . . . . . 18
-
-1. Introduction
-
- This RR was originally produced by the URN Working Group [3] as a way
- to encode rule-sets in DNS so that the delegated sections of a URI
- could be decomposed in such a way that they could be changed and re-
- delegated over time. The result was a Resource Record that included
- a regular expression that would be used by a client program to
- rewrite a string into a domain name. Regular expressions were chosen
- for their compactness to expressivity ratio allowing for a great deal
- of information to be encoded in a rather small DNS packet.
-
- The function of rewriting a string according to the rules in a record
- has usefulness in several different applications. This document
- defines the basic assumptions to which all of those applications must
- adhere to. It does not define the reasons the rewrite is used, what
- the expected outcomes are, or what they are used for. Those are
- specified by applications that define how they use the NAPTR record
- and algorithms within their contexts.
-
- Flags and other fields are also specified in the RR to control the
- rewrite procedure in various ways or to provide information on how to
- communicate with the host at the domain name that was the result of
- the rewrite.
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 2]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- The final result is a RR that has several fields that interact in a
- non-trivial but implementable way. This document specifies those
- fields and their values.
-
- This document does not define applications that utilizes this rewrite
- functionality. Instead it specifies just the mechanics of how it is
- done. Why its done, what the rules concerning the inputs, and the
- types of rules used are reserved for other documents that fully
- specify a particular application. This separation is due to several
- different applications all wanting to take advantage of the rewrite
- rule lookup process. Each one has vastly different reasons for why
- and how it uses the service, thus requiring that the definition of
- the service be generic.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
- NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
- in this document are to be interpreted as described in RFC 2119.
-
- All references to Uniform Resource Identifiers in this document
- adhere to the 'absoluteURI' production of the "Collected ABNF"
- found in RFC 2396 [9]. Specifically, the semantics of URI
- References do not apply since the concept of a Base makes no sense
- here.
-
-2. NAPTR RR Format
-
- The format of the NAPTR RR is given below. The DNS type code [1] for
- NAPTR is 35.
-
- Domain TTL Class Type Order Preference Flags Service Regexp
- Replacement
-
- Domain
- The domain name to which this resource record refers. This is the
- 'key' for this entry in the rule database. This value will either
- be the first well known key (<something>.uri.arpa for example) or
- a new key that is the output of a replacement or regexp rewrite.
- Beyond this, it has the standard DNS requirements [1].
-
- TTL
- Standard DNS meaning [1].
-
- Class
- Standard DNS meaning [1].
-
- Type
- The Type Code [1] for NAPTR is 35.
-
-
-
-
-Mealling & Daniel Standards Track [Page 3]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- Order
- A 16-bit unsigned integer specifying the order in which the NAPTR
- records MUST be processed to ensure the correct ordering of
- rules. Low numbers are processed before high numbers, and once a
- NAPTR is found whose rule "matches" the target, the client MUST
- NOT consider any NAPTRs with a higher value for order (except as
- noted below for the Flags field).
-
- Preference
- A 16-bit unsigned integer that specifies the order in which NAPTR
- records with equal "order" values SHOULD be processed, low
- numbers being processed before high numbers. This is similar to
- the preference field in an MX record, and is used so domain
- administrators can direct clients towards more capable hosts or
- lighter weight protocols. A client MAY look at records with
- higher preference values if it has a good reason to do so such as
- not understanding the preferred protocol or service.
-
- The important difference between Order and Preference is that
- once a match is found the client MUST NOT consider records with a
- different Order but they MAY process records with the same Order
- but different Preferences. I.e., Preference is used to give weight
- to rules that are considered the same from an authority
- standpoint but not from a simple load balancing standpoint.
-
- Flags
- A <character-string> containing flags to control aspects of the
- rewriting and interpretation of the fields in the record. Flags
- are single characters from the set [A-Z0-9]. The case of the
- alphabetic characters is not significant.
-
- At this time only four flags, "S", "A", "U", and "P", are
- defined. The "S", "A" and "U" flags denote a terminal lookup.
- This means that this NAPTR record is the last one and that the
- flag determines what the next stage should be. The "S" flag
- means that the next lookup should be for SRV records [4]. See
- Section 5 for additional information on how NAPTR uses the SRV
- record type. "A" means that the next lookup should be for either
- an A, AAAA, or A6 record. The "U" flag means that the next step
- is not a DNS lookup but that the output of the Regexp field is an
- URI that adheres to the 'absoluteURI' production found in the
- ABNF of RFC 2396 [9]. Since there may be applications that use
- NAPTR to also lookup aspects of URIs, implementors should be
- aware that this may cause loop conditions and should act
- accordingly.
-
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 4]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- The "P" flag says that the remainder of the application side
- algorithm shall be carried out in a Protocol-specific fashion.
- The new set of rules is identified by the Protocol specified in
- the Services field. The record that contains the 'P' flag is the
- last record that is interpreted by the rules specified in this
- document. The new rules are dependent on the application for
- which they are being used and the protocol specified. For
- example, if the application is a URI RDS and the protocol is WIRE
- then the new set of rules are governed by the algorithms
- surrounding the WIRE HTTP specification and not this document.
-
- The remaining alphabetic flags are reserved for future versions
- of the NAPTR specification. The numeric flags may be used for
- local experimentation. The S, A, U and P flags are all mutually
- exclusive, and resolution libraries MAY signal an error if more
- than one is given. (Experimental code and code for assisting in
- the creation of NAPTRs would be more likely to signal such an
- error than a client such as a browser). It is anticipated that
- multiple flags will be allowed in the future, so implementers
- MUST NOT assume that the flags field can only contain 0 or 1
- characters. Finally, if a client encounters a record with an
- unknown flag, it MUST ignore it and move to the next record. This
- test takes precedence even over the "order" field. Since flags
- can control the interpretation placed on fields, a novel flag
- might change the interpretation of the regexp and/or replacement
- fields such that it is impossible to determine if a record
- matched a given target.
-
- The "S", "A", and "U" flags are called 'terminal' flags since
- they halt the looping rewrite algorithm. If those flags are not
- present, clients may assume that another NAPTR RR exists at the
- domain name produced by the current rewrite rule. Since the "P"
- flag specifies a new algorithm, it may or may not be 'terminal'.
- Thus, the client cannot assume that another NAPTR exists since
- this case is determined elsewhere.
-
- DNS servers MAY interpret these flags and values and use that
- information to include appropriate SRV and A,AAAA, or A6 records
- in the additional information portion of the DNS packet. Clients
- are encouraged to check for additional information but are not
- required to do so.
-
- Service
- Specifies the service(s) available down this rewrite path. It may
- also specify the particular protocol that is used to talk with a
- service. A protocol MUST be specified if the flags field states
- that the NAPTR is terminal. If a protocol is specified, but the
- flags field does not state that the NAPTR is terminal, the next
-
-
-
-Mealling & Daniel Standards Track [Page 5]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- lookup MUST be for a NAPTR. The client MAY choose not to perform
- the next lookup if the protocol is unknown, but that behavior
- MUST NOT be relied upon.
-
- The service field may take any of the values below (using the
- Augmented BNF of RFC 2234 [5]):
-
- service_field = [ [protocol] *("+" rs)]
- protocol = ALPHA *31ALPHANUM
- rs = ALPHA *31ALPHANUM
- ; The protocol and rs fields are limited to 32
- ; characters and must start with an alphabetic.
-
- For example, an optional protocol specification followed by 0 or
- more resolution services. Each resolution service is indicated by
- an initial '+' character.
-
- Note that the empty string is also a valid service field. This
- will typically be seen at the beginning of a series of rules,
- when it is impossible to know what services and protocols will be
- offered by a particular service.
-
- The actual format of the service request and response will be
- determined by the resolution protocol, and is the subject for
- other documents. Protocols need not offer all services. The
- labels for service requests shall be formed from the set of
- characters [A-Z0-9]. The case of the alphabetic characters is
- not significant.
-
- The list of "valid" protocols for any given NAPTR record is any
- protocol that implements some or all of the services defined for
- a NAPTR application. Currently, THTTP [6] is the only protocol
- that is known to make that claim at the time of publication. Any
- other protocol that is to be used must have documentation
- specifying:
-
- * how it implements the services of the application
-
- * how it is to appear in the NAPTR record (i.e., the string id
- of the protocol)
-
- The list of valid Resolution Services is defined by the documents
- that specify individual NAPTR based applications.
-
- It is worth noting that the interpretation of this field is
- subject to being changed by new flags, and that the current
- specification is oriented towards telling clients how to talk
- with a URN resolver.
-
-
-
-Mealling & Daniel Standards Track [Page 6]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- Regexp
- A STRING containing a substitution expression that is applied to
- the original string held by the client in order to construct the
- next domain name to lookup. The grammar of the substitution
- expression is given in the next section.
-
- The regular expressions MUST NOT be used in a cumulative fashion,
- that is, they should only be applied to the original string held
- by the client, never to the domain name produced by a previous
- NAPTR rewrite. The latter is tempting in some applications but
- experience has shown such use to be extremely fault sensitive,
- very error prone, and extremely difficult to debug.
-
- Replacement
- The next NAME to query for NAPTR, SRV, or address records
- depending on the value of the flags field. This MUST be a fully
- qualified domain-name. Unless and until permitted by future
- standards action, name compression is not to be used for this
- field.
-
-3. Substitution Expression Grammar
-
- The content of the regexp field is a substitution expression. True
- sed(1) and Perl style substitution expressions are not appropriate
- for use in this application for a variety of reasons stemming from
- internationalization requirements and backref limitations, therefore
- the contents of the regexp field MUST follow the grammar below:
-
-subst_expr = delim-char ere delim-char repl delim-char *flags
-delim-char = "/" / "!" / ... <Any non-digit or non-flag character
- other than backslash '\'. All occurances of a delim_char
- in a subst_expr must be the same character.>
-ere = POSIX Extended Regular Expression
-repl = 1 * ( OCTET / backref )
-backref = "\" 1POS_DIGIT
-flags = "i"
-POS_DIGIT = %x31-39 ; 0 is not an allowed backref
-
- The definition of a POSIX Extended Regular Expression can be found in
- [8], section 2.8.4.
-
- The result of applying the substitution expression to the original
- URI MUST result in either a string that obeys the syntax for DNS
- domain-names [1] or a URI [9] if the Flags field contains a 'u'.
- Since it is possible for the regexp field to be improperly specified,
- such that a non-conforming domain-name can be constructed, client
- software SHOULD verify that the result is a legal DNS domain-name
- before making queries on it.
-
-
-
-Mealling & Daniel Standards Track [Page 7]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- Backref expressions in the repl portion of the substitution
- expression are replaced by the (possibly empty) string of characters
- enclosed by '(' and ')' in the ERE portion of the substitution
- expression. N is a single digit from 1 through 9, inclusive. It
- specifies the N'th backref expression, the one that begins with the
- N'th '(' and continues to the matching ')'. For example, the ERE
-
- (A(B(C)DE)(F)G)
-
- has backref expressions:
-
- \1 = ABCDEFG
- \2 = BCDE
- \3 = C
- \4 = F
- \5..\9 = error - no matching subexpression
-
- The "i" flag indicates that the ERE matching SHALL be performed in a
- case-insensitive fashion. Furthermore, any backref replacements MAY
- be normalized to lower case when the "i" flag is given.
-
- The first character in the substitution expression shall be used as
- the character that delimits the components of the substitution
- expression. There must be exactly three non-escaped occurrences of
- the delimiter character in a substitution expression. Since escaped
- occurrences of the delimiter character will be interpreted as
- occurrences of that character, digits MUST NOT be used as delimiters.
- Backrefs would be confused with literal digits were this allowed.
- Similarly, if flags are specified in the substitution expression, the
- delimiter character must not also be a flag character.
-
-4. The Basic NAPTR Algorithm
-
- The behavior and meaning of the flags and services assume an
- algorithm where the output of one rewrite is a new key that points to
- another rule. This looping algorithm allows NAPTR records to
- incrementally specify a complete rule. These incremental rules can
- be delegated which allows other entities to specify rules so that one
- entity does not need to understand _all_ rules.
-
- The algorithm starts with a string and some known key (domain).
- NAPTR records for this key are retrieved, those with unknown Flags or
- inappropriate Services are discarded and the remaining records are
- sorted by their Order field. Within each value of Order, the records
- are further sorted by the Preferences field.
-
- The records are examined in sorted order until a matching record is
- found. A record is considered a match iff:
-
-
-
-Mealling & Daniel Standards Track [Page 8]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- o it has a Replacement field value instead of a Regexp field value.
-
- o or the Regexp field matches the string held by the client.
-
- The first match MUST be the match that is used. Once a match is
- found, the Services field is examined for whether or not this rule
- advances toward the desired result. If so, the rule is applied to
- the target string. If not, the process halts. The domain that
- results from the regular expression is then used as the domain of the
- next loop through the NAPTR algorithm. Note that the same target
- string is used throughout the algorithm.
-
- This looping is extremely important since it is the method by which
- complex rules are broken down into manageable delegated chunks. The
- flags fields simply determine at which point the looping should stop
- (or other specialized behavior).
-
- Since flags are valid at any level of the algorithm, the degenerative
- case is to never loop but to look up the NAPTR and then stop. In
- many specialized cases this is all that is needed. Implementors
- should be aware that the degenerative case should not become the
- common case.
-
-5. Concerning How NAPTR Uses SRV Records
-
- When the SRV record type was originally specified it assumed that the
- client did not know the specific domain-name before hand. The client
- would construct a domain-name more in the form of a question than the
- usual case of knowing ahead of time that the domain-name should
- exist. I.e., if the client wants to know if there is a TCP based
- HTTP server running at a particular domain, the client would
- construct the domain-name _http._tcp.somedomain.com and ask the DNS
- if that records exists. The underscores are used to avoid collisions
- with potentially 'real' domain-names.
-
- In the case of NAPTR, the actual domain-name is specified by the
- various fields in the NAPTR record. In this case the client isn't
- asking a question but is instead attempting to get at information
- that it has been told exists in an SRV record at that particular
- domain-name. While this usage of SRV is slightly different than the
- SRV authors originally intended it does not break any of the
- assumptions concerning what SRV contains. Also, since the NAPTR
- explicitly spells out the domain-name for which an SRV exists, that
- domain-name MUST be used in SRV queries with NO transformations. Any
- given NAPTR record may result in a domain-name to be used for SRV
- queries that may or may not contain the SRV standardized underscore
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 9]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- characters. NAPTR applications that make use of SRV MUST NOT attempt
- to understand these domains or use them according to how the SRV
- specification structures its query domains.
-
-6. Application Specifications
-
- It should be noted that the NAPTR algorithm is the basic assumption
- about how NAPTR works. The reasons for the rewrite and the expected
- output and its use are specified by documents that define what
- applications the NAPTR record and algorithm are used for. Any
- document that defines such an application must define the following:
-
- o The first known domain-name or how to build it
-
- o The valid Services and Protocols
-
- o What the expected use is for the output of the last rewrite
-
- o The validity and/or behavior of any 'P' flag protocols.
-
- o The general semantics surrounding why and how NAPTR and its
- algorithm are being used.
-
-7. Examples
-
- NOTE: These are examples only. They are taken from ongoing work and
- may not represent the end result of that work. They are here for
- pedagogical reasons only.
-
-7.1 Example 1
-
- NAPTR was originally specified for use with the a Uniform Resource
- Name Resolver Discovery System. This example details how a
- particular URN would use the NAPTR record to find a resolver service.
-
- Consider a URN namespace based on MIME Content-Ids. The URN might
- look like this:
-
- urn:cid:39CB83F7.A8450130@fake.gatech.edu
-
- (Note that this example is chosen for pedagogical purposes, and does
- not conform to the CID URL scheme.)
-
- The first step in the resolution process is to find out about the CID
- namespace. The namespace identifier [3], 'cid', is extracted from
- the URN, prepended to urn.arpa. 'cid.urn.arpa' then becomes the first
- 'known' key in the NAPTR algorithm. The NAPTR records for
- cid.urn.arpa looked up and return a single record:
-
-
-
-Mealling & Daniel Standards Track [Page 10]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- cid.urn.arpa.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 10 "" "" "/urn:cid:.+@([^\.]+\.)(.*)$/\2/i" .
-
- There is only one NAPTR response, so ordering the responses is not a
- problem. The replacement field is empty, so the pattern provided in
- the regexp field is used. We apply that regexp to the entire URN to
- see if it matches, which it does. The \2 part of the substitution
- expression returns the string "gatech.edu". Since the flags field
- does not contain "s" or "a", the lookup is not terminal and our next
- probe to DNS is for more NAPTR records where the new domain is '
- gatech.edu' and the string is the same string as before.
-
- Note that the rule does not extract the full domain name from the
- CID, instead it assumes the CID comes from a host and extracts its
- domain. While all hosts, such as mordred, could have their very own
- NAPTR, maintaining those records for all the machines at a site as
- large as Georgia Tech would be an intolerable burden. Wildcards are
- not appropriate here since they only return results when there is no
- exactly matching names already in the system.
-
- The record returned from the query on "gatech.edu" might look like:
-
-;; order pref flags service regexp replacement
- IN NAPTR 100 50 "s" "z3950+I2L+I2C" "" _z3950._tcp.gatech.edu.
- IN NAPTR 100 50 "s" "rcds+I2C" "" _rcds._udp.gatech.edu.
- IN NAPTR 100 50 "s" "http+I2L+I2C+I2R" "" _http._tcp.gatech.edu.
-
- Continuing with the example, note that the values of the order and
- preference fields are equal in all records, so the client is free to
- pick any record. The flags field tells us that these are the last
- NAPTR patterns we should see, and after the rewrite (a simple
- replacement in this case) we should look up SRV records to get
- information on the hosts that can provide the necessary service.
-
- Assuming we prefer the Z39.50 protocol, our lookup might return:
-
- ;; Pref Weight Port Target
- _z3950._tcp.gatech.edu. IN SRV 0 0 1000 z3950.gatech.edu.
- IN SRV 0 0 1000 z3950.cc.gatech.edu.
- IN SRV 0 0 1000 z3950.uga.edu.
-
- telling us three hosts that could actually do the resolution, and
- giving us the port we should use to talk to their Z39.50 server.
-
- Recall that the regular expression used \2 to extract a domain name
- from the CID, and \. for matching the literal '.' characters
- separating the domain name components. Since '\' is the escape
-
-
-
-Mealling & Daniel Standards Track [Page 11]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- character, literal occurances of a backslash must be escaped by
- another backslash. For the case of the cid.urn.arpa record above,
- the regular expression entered into the master file should be
- "/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i". When the client code actually
- receives the record, the pattern will have been converted to
- "/urn:cid:.+@([^\.]+\.)(.*)$/\2/i".
-
-7.2 Example 2
-
- Even if URN systems were in place now, there would still be a
- tremendous number of URLs. It should be possible to develop a URN
- resolution system that can also provide location independence for
- those URLs. This is related to the requirement that URNs be able to
- grandfather in names from other naming systems, such as ISO Formal
- Public Identifiers, Library of Congress Call Numbers, ISBNs, ISSNs,
- etc.
-
- The NAPTR RR could also be used for URLs that have already been
- assigned. Assume we have the URL for a very popular piece of
- software that the publisher wishes to mirror at multiple sites around
- the world:
-
- Using the rules specified for this application we extract the prefix,
- "http", and lookup NAPTR records for http.uri.arpa. This might
- return a record of the form
-
- http.uri.arpa. IN NAPTR
- ;; order pref flags service regexp replacement
- 100 90 "" "" "!http://([^/:]+)!\1!i" .
-
- This expression returns everything after the first double slash and
- before the next slash or colon. (We use the '!' character to delimit
- the parts of the substitution expression. Otherwise we would have to
- use backslashes to escape the forward slashes and would have a regexp
- in the zone file that looked like "/http:\\/\\/([^\\/:]+)/\\1/i".).
-
- Applying this pattern to the URL extracts "www.foo.com". Looking up
- NAPTR records for that might return:
-
- www.foo.com.
- ;; order pref flags service regexp replacement
- IN NAPTR 100 100 "s" "http+I2R" "" _http._tcp.foo.com.
- IN NAPTR 100 100 "s" "ftp+I2R" "" _ftp._tcp.foo.com.
-
- Looking up SRV records for http.tcp.foo.com would return information
- on the hosts that foo.com has designated to be its mirror sites. The
- client can then pick one for the user.
-
-
-
-
-Mealling & Daniel Standards Track [Page 12]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
-7.3 Example 3
-
- A non-URI example is the ENUM application which uses a NAPTR record
- to map an e.164 telephone number to a URI. In order to convert the
- phone number to a domain name for the first iteration all characters
- other than digits are removed from the the telephone number, the
- entire number is inverted, periods are put between each digit and the
- string ".e164.arpa" is put on the left-hand side. For example, the
- E.164 phone number "+1-770-555-1212" converted to a domain-name it
- would be "2.1.2.1.5.5.5.0.7.7.1.e164.arpa."
-
- For this example telephone number we might get back the following
- NAPTR records:
-
-$ORIGIN 2.1.2.1.5.5.5.0.7.7.1.e164.arpa.
- IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:information@tele2.se!" .
- IN NAPTR 102 10 "u" "mailto+E2U" "!^.*$!mailto:information@tele2.se!" .
-
- This application uses the same 'u' flag as the URI Resolution
- application. This flag states that the Rule is terminal and that the
- output is a URI which contains the information needed to contact that
- telephone service. ENUM also uses the same format for its Service
- field except that it defines the 'E2U' service instead of the 'I2*'
- services that URI resolution uses. The example above states that the
- available protocols used to access that telephone's service are
- either the Session Initiation Protocol or SMTP mail.
-
-8. DNS Packet Format
-
- The packet format for the NAPTR record is:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ORDER |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | PREFERENCE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / FLAGS /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / SERVICES /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / REGEXP /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- / REPLACEMENT /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-
-
-
-Mealling & Daniel Standards Track [Page 13]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- where:
-
- FLAGS A <character-string> which contains various flags.
-
- SERVICES A <character-string> which contains protocol and service
- identifiers.
-
- REGEXP A <character-string> which contains a regular expression.
-
- REPLACEMENT A <domain-name> which specifies the new value in the
- case where the regular expression is a simple replacement
- operation.
-
- <character-string> and <domain-name> as used here are defined in
- RFC1035 [1].
-
-9. Master File Format
-
- The master file format follows the standard rules in RFC-1035 [1].
- Order and preference, being 16-bit unsigned integers, shall be an
- integer between 0 and 65535. The Flags and Services and Regexp
- fields are all quoted <character-string>s. Since the Regexp field
- can contain numerous backslashes and thus should be treated with
- care. See Section 10 for how to correctly enter and escape the
- regular expression.
-
-10. Advice for DNS Administrators
-
- Beware of regular expressions. Not only are they difficult to get
- correct on their own, but there is the previously mentioned
- interaction with DNS. Any backslashes in a regexp must be entered
- twice in a zone file in order to appear once in a query response.
- More seriously, the need for double backslashes has probably not been
- tested by all implementors of DNS servers.
-
- The "a" flag allows the next lookup to be for address records (A,
- AAAA, A6) rather than SRV records. Since there is no place for a
- port specification in the NAPTR record, when the "A" flag is used the
- specified protocol must be running on its default port.
-
- The URN Syntax draft defines a canonical form for each URN, which
- requires %encoding characters outside a limited repertoire. The
- regular expressions MUST be written to operate on that canonical
- form. Since international character sets will end up with extensive
- use of %encoded characters, regular expressions operating on them
- will be essentially impossible to read or write by hand.
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 14]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
-11. Notes
-
- o A client MUST process multiple NAPTR records in the order
- specified by the "order" field, it MUST NOT simply use the first
- record that provides a known protocol and service combination.
-
- o When multiple RRs have the same "order" and all other criteria
- being equal, the client should use the value of the preference
- field to select the next NAPTR to consider. However, because it
- will often be the case where preferred protocols or services
- exist, clients may use this additional criteria to sort
- the records.
-
- o If the lookup after a rewrite fails, clients are strongly
- encouraged to report a failure, rather than backing up to pursue
- other rewrite paths.
-
- o Note that SRV RRs impose additional requirements on clients.
-
-12. IANA Considerations
-
- The only registration function that impacts the IANA is for the
- values that are standardized for the Services and Flags fields. To
- extend the valid values of the Flags field beyond what is specified
- in this document requires a published specification that is approved
- by the IESG.
-
- The values for the Services field will be determined by the
- application that makes use of the NAPTR record. Those values must be
- specified in a published specification and approved by the IESG.
-
-13. Security Considerations
-
- The interactions with DNSSEC are currently being studied. It is
- expected that NAPTR records will be signed with SIG records once the
- DNSSEC work is deployed.
-
- The rewrite rules make identifiers from other namespaces subject to
- the same attacks as normal domain names. Since they have not been
- easily resolvable before, this may or may not be considered a
- problem.
-
- Regular expressions should be checked for sanity, not blindly passed
- to something like PERL.
-
- This document has discussed a way of locating a service, but has not
- discussed any detail of how the communication with that service takes
- place. There are significant security considerations attached to the
-
-
-
-Mealling & Daniel Standards Track [Page 15]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
- communication with a service. Those considerations are outside the
- scope of this document, and must be addressed by the specifications
- for particular communication protocols.
-
-14. Acknowledgments
-
- The editors would like to thank Keith Moore for all his consultations
- during the development of this memo. We would also like to thank
- Paul Vixie for his assistance in debugging our implementation, and
- his answers on our questions. Finally, we would like to acknowledge
- our enormous intellectual debt to the participants in the Knoxville
- series of meetings, as well as to the participants in the URI and URN
- working groups.
-
-References
-
- [1] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [2] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [3] Moats, R., "URN Syntax", RFC 2141, May 1997.
-
- [4] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
- specifying the location of services (DNS SRV)", RFC 2782,
- February 2000.
-
- [5] Crocker, D., "Augmented BNF for Syntax Specifications: ABNF",
- RFC 2234, November 1997.
-
- [6] Daniel, R., "A Trivial Convention for using HTTP in URN
- Resolution", RFC 2169, June 1997.
-
- [7] Daniel, R. and M. Mealling, "Resolution of Uniform Resource
- Identifiers using the Domain Name System", RFC 2168, June 1997.
-
- [8] IEEE, "IEEE Standard for Information Technology - Portable
- Operating System Interface (POSIX) - Part 2: Shell and Utilities
- (Vol. 1)", IEEE Std 1003.2-1992, January 1993.
-
- [9] Berners-Lee, T., Fielding, R.T. and L. Masinter, "Uniform
- Resource Identifiers (URI): Generic Syntax", RFC 2396, August
- 1998.
-
-
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 16]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
-Authors' Addresses
-
- Michael Mealling
- Network Solutions, Inc.
- 505 Huntmar Park Drive
- Herndon, VA 22070
- US
-
- Phone: +1 770 921 2251
- EMail: michaelm@netsol.com
- URI: http://www.netsol.com
-
-
- Ron Daniel
- DATAFUSION, Inc.
- 139 Townsend Street, Ste. 100
- San Francisco, CA 94107
- US
-
- Phone: +1 415 222 0100
- EMail: rdaniel@datafusion.net
- URI: http://www.datafusion.net
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 17]
-
-RFC 2915 NAPTR DNS RR September 2000
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Mealling & Daniel Standards Track [Page 18]
-
diff --git a/contrib/bind9/doc/rfc/rfc2929.txt b/contrib/bind9/doc/rfc/rfc2929.txt
deleted file mode 100644
index f055968935b8..000000000000
--- a/contrib/bind9/doc/rfc/rfc2929.txt
+++ /dev/null
@@ -1,675 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake, 3rd
-Request for Comments: 2929 Motorola
-BCP: 42 E. Brunner-Williams
-Category: Best Current Practice Engage
- B. Manning
- ISI
- September 2000
-
- Domain Name System (DNS) IANA Considerations
-
-Status of this Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- Internet Assigned Number Authority (IANA) parameter assignment
- considerations are given for the allocation of Domain Name System
- (DNS) classes, Resource Record (RR) types, operation codes, error
- codes, etc.
-
-Table of Contents
-
- 1. Introduction................................................. 2
- 2. DNS Query/Response Headers................................... 2
- 2.1 One Spare Bit?.............................................. 3
- 2.2 Opcode Assignment........................................... 3
- 2.3 RCODE Assignment............................................ 4
- 3. DNS Resource Records......................................... 5
- 3.1 RR TYPE IANA Considerations................................. 6
- 3.1.1 Special Note on the OPT RR................................ 7
- 3.2 RR CLASS IANA Considerations................................ 7
- 3.3 RR NAME Considerations...................................... 8
- 4. Security Considerations...................................... 9
- References...................................................... 9
- Authors' Addresses.............................................. 11
- Full Copyright Statement........................................ 12
-
-
-
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 1]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
-1. Introduction
-
- The Domain Name System (DNS) provides replicated distributed secure
- hierarchical databases which hierarchically store "resource records"
- (RRs) under domain names.
-
- This data is structured into CLASSes and zones which can be
- independently maintained. See [RFC 1034, 1035, 2136, 2181, 2535]
- familiarity with which is assumed.
-
- This document covers, either directly or by reference, general IANA
- parameter assignment considerations applying across DNS query and
- response headers and all RRs. There may be additional IANA
- considerations that apply to only a particular RR type or
- query/response opcode. See the specific RFC defining that RR type or
- query/response opcode for such considerations if they have been
- defined.
-
- IANA currently maintains a web page of DNS parameters. See
- <http://www.iana.org/numbers.htm>.
-
- "IETF Standards Action", "IETF Consensus", "Specification Required",
- and "Private Use" are as defined in [RFC 2434].
-
-2. DNS Query/Response Headers
-
- The header for DNS queries and responses contains field/bits in the
- following diagram taken from [RFC 2136, 2535]:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ID |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | QDCOUNT/ZOCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ANCOUNT/PRCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | NSCOUNT/UPCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | ARCOUNT |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- The ID field identifies the query and is echoed in the response so
- they can be matched.
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 2]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
- The QR bit indicates whether the header is for a query or a response.
-
- The AA, TC, RD, RA, AD, and CD bits are each theoretically meaningful
- only in queries or only in responses, depending on the bit. However,
- many DNS implementations copy the query header as the initial value
- of the response header without clearing bits. Thus any attempt to
- use a "query" bit with a different meaning in a response or to define
- a query meaning for a "response" bit is dangerous given existing
- implementation. Such meanings may only be assigned by an IETF
- Standards Action.
-
- The unsigned fields query count (QDCOUNT), answer count (ANCOUNT),
- authority count (NSCOUNT), and additional information count (ARCOUNT)
- express the number of records in each section for all opcodes except
- Update. These fields have the same structure and data type for
- Update but are instead the counts for the zone (ZOCOUNT),
- prerequisite (PRCOUNT), update (UPCOUNT), and additional information
- (ARCOUNT) sections.
-
-2.1 One Spare Bit?
-
- There have been ancient DNS implementations for which the Z bit being
- on in a query meant that only a response from the primary server for
- a zone is acceptable. It is believed that current DNS
- implementations ignore this bit.
-
- Assigning a meaning to the Z bit requires an IETF Standards Action.
-
-2.2 Opcode Assignment
-
- New OpCode assignments require an IETF Standards Action.
-
- Currently DNS OpCodes are assigned as follows:
-
- OpCode Name Reference
-
- 0 Query [RFC 1035]
- 1 IQuery (Inverse Query) [RFC 1035]
- 2 Status [RFC 1035]
- 3 available for assignment
- 4 Notify [RFC 1996]
- 5 Update [RFC 2136]
- 6-15 available for assignment
-
-
-
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 3]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
-2.3 RCODE Assignment
-
- It would appear from the DNS header above that only four bits of
- RCODE, or response/error code are available. However, RCODEs can
- appear not only at the top level of a DNS response but also inside
- OPT RRs [RFC 2671], TSIG RRs [RFC 2845], and TKEY RRs [RFC 2930].
- The OPT RR provides an eight bit extension resulting in a 12 bit
- RCODE field and the TSIG and TKEY RRs have a 16 bit RCODE field.
-
- Error codes appearing in the DNS header and in these three RR types
- all refer to the same error code space with the single exception of
- error code 16 which has a different meaning in the OPT RR from its
- meaning in other contexts. See table below.
-
- RCODE Name Description Reference
- Decimal
- Hexadecimal
- 0 NoError No Error [RFC 1035]
- 1 FormErr Format Error [RFC 1035]
- 2 ServFail Server Failure [RFC 1035]
- 3 NXDomain Non-Existent Domain [RFC 1035]
- 4 NotImp Not Implemented [RFC 1035]
- 5 Refused Query Refused [RFC 1035]
- 6 YXDomain Name Exists when it should not [RFC 2136]
- 7 YXRRSet RR Set Exists when it should not [RFC 2136]
- 8 NXRRSet RR Set that should exist does not [RFC 2136]
- 9 NotAuth Server Not Authoritative for zone [RFC 2136]
- 10 NotZone Name not contained in zone [RFC 2136]
- 11-15 available for assignment
- 16 BADVERS Bad OPT Version [RFC 2671]
- 16 BADSIG TSIG Signature Failure [RFC 2845]
- 17 BADKEY Key not recognized [RFC 2845]
- 18 BADTIME Signature out of time window [RFC 2845]
- 19 BADMODE Bad TKEY Mode [RFC 2930]
- 20 BADNAME Duplicate key name [RFC 2930]
- 21 BADALG Algorithm not supported [RFC 2930]
- 22-3840 available for assignment
- 0x0016-0x0F00
- 3841-4095 Private Use
- 0x0F01-0x0FFF
- 4096-65535 available for assignment
- 0x1000-0xFFFF
-
- Since it is important that RCODEs be understood for interoperability,
- assignment of new RCODE listed above as "available for assignment"
- requires an IETF Consensus.
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 4]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
-3. DNS Resource Records
-
- All RRs have the same top level format shown in the figure below
- taken from [RFC 1035]:
-
- 1 1 1 1 1 1
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | |
- / /
- / NAME /
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TYPE |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | CLASS |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | TTL |
- | |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- | RDLENGTH |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
- / RDATA /
- / /
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- NAME is an owner name, i.e., the name of the node to which this
- resource record pertains. NAMEs are specific to a CLASS as described
- in section 3.2. NAMEs consist of an ordered sequence of one or more
- labels each of which has a label type [RFC 1035, 2671].
-
- TYPE is a two octet unsigned integer containing one of the RR TYPE
- codes. See section 3.1.
-
- CLASS is a two octet unsigned integer containing one of the RR CLASS
- codes. See section 3.2.
-
- TTL is a four octet (32 bit) bit unsigned integer that specifies the
- number of seconds that the resource record may be cached before the
- source of the information should again be consulted. Zero is
- interpreted to mean that the RR can only be used for the transaction
- in progress.
-
- RDLENGTH is an unsigned 16 bit integer that specifies the length in
- octets of the RDATA field.
-
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 5]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
- RDATA is a variable length string of octets that constitutes the
- resource. The format of this information varies according to the
- TYPE and in some cases the CLASS of the resource record.
-
-3.1 RR TYPE IANA Considerations
-
- There are three subcategories of RR TYPE numbers: data TYPEs, QTYPEs,
- and MetaTYPEs.
-
- Data TYPEs are the primary means of storing data. QTYPES can only be
- used in queries. Meta-TYPEs designate transient data associated with
- an particular DNS message and in some cases can also be used in
- queries. Thus far, data TYPEs have been assigned from 1 upwards plus
- the block from 100 through 103 while Q and Meta Types have been
- assigned from 255 downwards (except for the OPT Meta-RR which is
- assigned TYPE 41). There have been DNS implementations which made
- caching decisions based on the top bit of the bottom byte of the RR
- TYPE.
-
- There are currently three Meta-TYPEs assigned: OPT [RFC 2671], TSIG
- [RFC 2845], and TKEY [RFC 2930].
-
- There are currently five QTYPEs assigned: * (all), MAILA, MAILB,
- AXFR, and IXFR.
-
- Considerations for the allocation of new RR TYPEs are as follows:
-
- Decimal
- Hexadecimal
-
- 0
- 0x0000 - TYPE zero is used as a special indicator for the SIG RR [RFC
- 2535] and in other circumstances and must never be allocated
- for ordinary use.
-
- 1 - 127
- 0x0001 - 0x007F - remaining TYPEs in this range are assigned for data
- TYPEs by IETF Consensus.
-
- 128 - 255
- 0x0080 - 0x00FF - remaining TYPEs in this rage are assigned for Q and
- Meta TYPEs by IETF Consensus.
-
- 256 - 32767
- 0x0100 - 0x7FFF - assigned for data, Q, or Meta TYPE use by IETF
- Consensus.
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 6]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
- 32768 - 65279
- 0x8000 - 0xFEFF - Specification Required as defined in [RFC 2434].
-
- 65280 - 65535
- 0xFF00 - 0xFFFF - Private Use.
-
-3.1.1 Special Note on the OPT RR
-
- The OPT (OPTion) RR, number 41, is specified in [RFC 2671]. Its
- primary purpose is to extend the effective field size of various DNS
- fields including RCODE, label type, flag bits, and RDATA size. In
- particular, for resolvers and servers that recognize it, it extends
- the RCODE field from 4 to 12 bits.
-
-3.2 RR CLASS IANA Considerations
-
- DNS CLASSes have been little used but constitute another dimension of
- the DNS distributed database. In particular, there is no necessary
- relationship between the name space or root servers for one CLASS and
- those for another CLASS. The same name can have completely different
- meanings in different CLASSes although the label types are the same
- and the null label is usable only as root in every CLASS. However,
- as global networking and DNS have evolved, the IN, or Internet, CLASS
- has dominated DNS use.
-
- There are two subcategories of DNS CLASSes: normal data containing
- classes and QCLASSes that are only meaningful in queries or updates.
-
- The current CLASS assignments and considerations for future
- assignments are as follows:
-
- Decimal
- Hexadecimal
-
- 0
- 0x0000 - assignment requires an IETF Standards Action.
-
- 1
- 0x0001 - Internet (IN).
-
- 2
- 0x0002 - available for assignment by IETF Consensus as a data CLASS.
-
- 3
- 0x0003 - Chaos (CH) [Moon 1981].
-
- 4
- 0x0004 - Hesiod (HS) [Dyer 1987].
-
-
-
-Eastlake, et al. Best Current Practice [Page 7]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
- 5 - 127
- 0x0005 - 0x007F - available for assignment by IETF Consensus as data
- CLASSes only.
-
- 128 - 253
- 0x0080 - 0x00FD - available for assignment by IETF Consensus as
- QCLASSes only.
-
- 254
- 0x00FE - QCLASS None [RFC 2136].
-
- 255
- 0x00FF - QCLASS Any [RFC 1035].
-
- 256 - 32767
- 0x0100 - 0x7FFF - assigned by IETF Consensus.
-
- 32768 - 65280
- 0x8000 - 0xFEFF - assigned based on Specification Required as defined
- in [RFC 2434].
-
- 65280 - 65534
- 0xFF00 - 0xFFFE - Private Use.
-
- 65535
- 0xFFFF - can only be assigned by an IETF Standards Action.
-
-3.3 RR NAME Considerations
-
- DNS NAMEs are sequences of labels [RFC 1035]. The last label in each
- NAME is "ROOT" which is the zero length label. By definition, the
- null or ROOT label can not be used for any other NAME purpose.
-
- At the present time, there are two categories of label types, data
- labels and compression labels. Compression labels are pointers to
- data labels elsewhere within an RR or DNS message and are intended to
- shorten the wire encoding of NAMEs. The two existing data label
- types are sometimes referred to as Text and Binary. Text labels can,
- in fact, include any octet value including zero octets but most
- current uses involve only [US-ASCII]. For retrieval, Text labels are
- defined to treat ASCII upper and lower case letter codes as matching.
- Binary labels are bit sequences [RFC 2673].
-
- IANA considerations for label types are given in [RFC 2671].
-
-
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 8]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
- NAMEs are local to a CLASS. The Hesiod [Dyer 1987] and Chaos [Moon
- 1981] CLASSes are essentially for local use. The IN or Internet
- CLASS is thus the only DNS CLASS in global use on the Internet at
- this time.
-
- A somewhat dated description of name allocation in the IN Class is
- given in [RFC 1591]. Some information on reserved top level domain
- names is in Best Current Practice 32 [RFC 2606].
-
-4. Security Considerations
-
- This document addresses IANA considerations in the allocation of
- general DNS parameters, not security. See [RFC 2535] for secure DNS
- considerations.
-
-References
-
- [Dyer 1987] Dyer, S., and F. Hsu, "Hesiod", Project Athena Technical
- Plan - Name Service, April 1987,
-
- [Moon 1981] D. Moon, "Chaosnet", A.I. Memo 628, Massachusetts
- Institute of Technology Artificial Intelligence
- Laboratory, June 1981.
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC 1591] Postel, J., "Domain Name System Structure and
- Delegation", RFC 1591, March 1994.
-
- [RFC 1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
- Changes (DNS NOTIFY)", RFC 1996, August 1996.
-
- [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)",
- RFC 2136, April 1997.
-
- [RFC 2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 9]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC 2606] Eastlake, D. and A. Panitz, "Reserved Top Level DNS
- Names", RFC 2606, June 1999.
-
- [RFC 2671] Vixie, P., "Extension mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC 2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
- 2672, August 1999.
-
- [RFC 2673] Crawford, M., "Binary Labels in the Domain Name System",
- RFC 2673, August 1999.
-
- [RFC 2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
- Wellington, "Secret Key Transaction Authentication for
- DNS (TSIG)", RFC 2845, May 2000.
-
- [RFC 2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-
- [US-ASCII] ANSI, "USA Standard Code for Information Interchange",
- X3.4, American National Standards Institute: New York,
- 1968.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 10]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
-Authors' Addresses
-
- Donald E. Eastlake 3rd
- Motorola
- 140 Forest Avenue
- Hudson, MA 01749 USA
-
- Phone: +1-978-562-2827 (h)
- +1-508-261-5434 (w)
- Fax: +1-508-261-4447 (w)
- EMail: Donald.Eastlake@motorola.com
-
-
- Eric Brunner-Williams
- Engage
- 100 Brickstone Square, 2nd Floor
- Andover, MA 01810
-
- Phone: +1-207-797-0525 (h)
- +1-978-684-7796 (w)
- Fax: +1-978-684-3118
- EMail: brunner@engage.com
-
-
- Bill Manning
- USC/ISI
- 4676 Admiralty Way, #1001
- Marina del Rey, CA 90292 USA
-
- Phone: +1-310-822-1511
- EMail: bmanning@isi.edu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 11]
-
-RFC 2929 DNS IANA Considerations September 2000
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, et al. Best Current Practice [Page 12]
-
diff --git a/contrib/bind9/doc/rfc/rfc2930.txt b/contrib/bind9/doc/rfc/rfc2930.txt
deleted file mode 100644
index f99573dd1cdf..000000000000
--- a/contrib/bind9/doc/rfc/rfc2930.txt
+++ /dev/null
@@ -1,899 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake, 3rd
-Request for Comments: 2930 Motorola
-Category: Standards Track September 2000
-
-
- Secret Key Establishment for DNS (TKEY RR)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- [RFC 2845] provides a means of authenticating Domain Name System
- (DNS) queries and responses using shared secret keys via the
- Transaction Signature (TSIG) resource record (RR). However, it
- provides no mechanism for setting up such keys other than manual
- exchange. This document describes a Transaction Key (TKEY) RR that
- can be used in a number of different modes to establish shared secret
- keys between a DNS resolver and server.
-
-Acknowledgments
-
- The comments and ideas of the following persons (listed in alphabetic
- order) have been incorporated herein and are gratefully acknowledged:
-
- Olafur Gudmundsson (TIS)
-
- Stuart Kwan (Microsoft)
-
- Ed Lewis (TIS)
-
- Erik Nordmark (SUN)
-
- Brian Wellington (Nominum)
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 1]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
-Table of Contents
-
- 1. Introduction............................................... 2
- 1.1 Overview of Contents...................................... 3
- 2. The TKEY Resource Record................................... 4
- 2.1 The Name Field............................................ 4
- 2.2 The TTL Field............................................. 5
- 2.3 The Algorithm Field....................................... 5
- 2.4 The Inception and Expiration Fields....................... 5
- 2.5 The Mode Field............................................ 5
- 2.6 The Error Field........................................... 6
- 2.7 The Key Size and Data Fields.............................. 6
- 2.8 The Other Size and Data Fields............................ 6
- 3. General TKEY Considerations................................ 7
- 4. Exchange via Resolver Query................................ 8
- 4.1 Query for Diffie-Hellman Exchanged Keying................. 8
- 4.2 Query for TKEY Deletion................................... 9
- 4.3 Query for GSS-API Establishment........................... 10
- 4.4 Query for Server Assigned Keying.......................... 10
- 4.5 Query for Resolver Assigned Keying........................ 11
- 5. Spontaneous Server Inclusion............................... 12
- 5.1 Spontaneous Server Key Deletion........................... 12
- 6. Methods of Encryption...................................... 12
- 7. IANA Considerations........................................ 13
- 8. Security Considerations.................................... 13
- References.................................................... 14
- Author's Address.............................................. 15
- Full Copyright Statement...................................... 16
-
-1. Introduction
-
- The Domain Name System (DNS) is a hierarchical, distributed, highly
- available database used for bi-directional mapping between domain
- names and addresses, for email routing, and for other information
- [RFC 1034, 1035]. It has been extended to provide for public key
- security and dynamic update [RFC 2535, RFC 2136]. Familiarity with
- these RFCs is assumed.
-
- [RFC 2845] provides a means of efficiently authenticating DNS
- messages using shared secret keys via the TSIG resource record (RR)
- but provides no mechanism for setting up such keys other than manual
- exchange. This document specifies a TKEY RR that can be used in a
- number of different modes to establish and delete such shared secret
- keys between a DNS resolver and server.
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 2]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- Note that TKEY established keying material and TSIGs that use it are
- associated with DNS servers or resolvers. They are not associated
- with zones. They may be used to authenticate queries and responses
- but they do not provide zone based DNS data origin or denial
- authentication [RFC 2535].
-
- Certain modes of TKEY perform encryption which may affect their
- export or import status for some countries. The affected modes
- specified in this document are the server assigned mode and the
- resolver assigned mode.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
- In all cases herein, the term "resolver" includes that part of a
- server which may make full and incremental [RFC 1995] zone transfer
- queries, forwards recursive queries, etc.
-
-1.1 Overview of Contents
-
- Section 2 below specifies the TKEY RR and provides a description of
- and considerations for its constituent fields.
-
- Section 3 describes general principles of operations with TKEY.
-
- Section 4 discusses key agreement and deletion via DNS requests with
- the Query opcode for RR type TKEY. This method is applicable to all
- currently defined TKEY modes, although in some cases it is not what
- would intuitively be called a "query".
-
- Section 5 discusses spontaneous inclusion of TKEY RRs in responses by
- servers which is currently used only for key deletion.
-
- Section 6 describes encryption methods for transmitting secret key
- information. In this document these are used only for the server
- assigned mode and the resolver assigned mode.
-
- Section 7 covers IANA considerations in assignment of TKEY modes.
-
- Finally, Section 8 provides the required security considerations
- section.
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 3]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
-2. The TKEY Resource Record
-
- The TKEY resource record (RR) has the structure given below. Its RR
- type code is 249.
-
- Field Type Comment
- ----- ---- -------
-
- NAME domain see description below
- TTYPE u_int16_t TKEY = 249
- CLASS u_int16_t ignored, SHOULD be 255 (ANY)
- TTL u_int32_t ignored, SHOULD be zero
- RDLEN u_int16_t size of RDATA
- RDATA:
- Algorithm: domain
- Inception: u_int32_t
- Expiration: u_int32_t
- Mode: u_int16_t
- Error: u_int16_t
- Key Size: u_int16_t
- Key Data: octet-stream
- Other Size: u_int16_t
- Other Data: octet-stream undefined by this specification
-
-2.1 The Name Field
-
- The Name field relates to naming keys. Its meaning differs somewhat
- with mode and context as explained in subsequent sections.
-
- At any DNS server or resolver only one octet string of keying
- material may be in place for any particular key name. An attempt to
- establish another set of keying material at a server for an existing
- name returns a BADNAME error.
-
- For a TKEY with a non-root name appearing in a query, the TKEY RR
- name SHOULD be a domain locally unique at the resolver, less than 128
- octets long in wire encoding, and meaningful to the resolver to
- assist in distinguishing keys and/or key agreement sessions. For
- TKEY(s) appearing in a response to a query, the TKEY RR name SHOULD
- be a globally unique server assigned domain.
-
- A reasonable key naming strategy is as follows:
-
- If the key is generated as the result of a query with root as its
- owner name, then the server SHOULD create a globally unique domain
- name, to be the key name, by suffixing a pseudo-random [RFC 1750]
- label with a domain name of the server. For example
- 89n3mDgX072pp.server1.example.com. If generation of a new
-
-
-
-Eastlake Standards Track [Page 4]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- pseudo-random name in each case is an excessive computation load
- or entropy drain, a serial number prefix can be added to a fixed
- pseudo-random name generated an DNS server start time, such as
- 1001.89n3mDgX072pp.server1.example.com.
-
- If the key is generated as the result of a query with a non-root
- name, say 789.resolver.example.net, then use the concatenation of
- that with a name of the server. For example
- 789.resolver.example.net.server1.example.com.
-
-2.2 The TTL Field
-
- The TTL field is meaningless in TKEY RRs. It SHOULD always be zero to
- be sure that older DNS implementations do not cache TKEY RRs.
-
-2.3 The Algorithm Field
-
- The algorithm name is in the form of a domain name with the same
- meaning as in [RFC 2845]. The algorithm determines how the secret
- keying material agreed to using the TKEY RR is actually used to
- derive the algorithm specific key.
-
-2.4 The Inception and Expiration Fields
-
- The inception time and expiration times are in number of seconds
- since the beginning of 1 January 1970 GMT ignoring leap seconds
- treated as modulo 2**32 using ring arithmetic [RFC 1982]. In messages
- between a DNS resolver and a DNS server where these fields are
- meaningful, they are either the requested validity interval for the
- keying material asked for or specify the validity interval of keying
- material provided.
-
- To avoid different interpretations of the inception and expiration
- times in TKEY RRs, resolvers and servers exchanging them must have
- the same idea of what time it is. One way of doing this is with the
- NTP protocol [RFC 2030] but that or any other time synchronization
- used for this purpose MUST be done securely.
-
-2.5 The Mode Field
-
- The mode field specifies the general scheme for key agreement or the
- purpose of the TKEY DNS message. Servers and resolvers supporting
- this specification MUST implement the Diffie-Hellman key agreement
- mode and the key deletion mode for queries. All other modes are
- OPTIONAL. A server supporting TKEY that receives a TKEY request with
- a mode it does not support returns the BADMODE error. The following
- values of the Mode octet are defined, available, or reserved:
-
-
-
-
-Eastlake Standards Track [Page 5]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- Value Description
- ----- -----------
- 0 - reserved, see section 7
- 1 server assignment
- 2 Diffie-Hellman exchange
- 3 GSS-API negotiation
- 4 resolver assignment
- 5 key deletion
- 6-65534 - available, see section 7
- 65535 - reserved, see section 7
-
-2.6 The Error Field
-
- The error code field is an extended RCODE. The following values are
- defined:
-
- Value Description
- ----- -----------
- 0 - no error
- 1-15 a non-extended RCODE
- 16 BADSIG (TSIG)
- 17 BADKEY (TSIG)
- 18 BADTIME (TSIG)
- 19 BADMODE
- 20 BADNAME
- 21 BADALG
-
- When the TKEY Error Field is non-zero in a response to a TKEY query,
- the DNS header RCODE field indicates no error. However, it is
- possible if a TKEY is spontaneously included in a response the TKEY
- RR and DNS header error field could have unrelated non-zero error
- codes.
-
-2.7 The Key Size and Data Fields
-
- The key data size field is an unsigned 16 bit integer in network
- order which specifies the size of the key exchange data field in
- octets. The meaning of this data depends on the mode.
-
-2.8 The Other Size and Data Fields
-
- The Other Size and Other Data fields are not used in this
- specification but may be used in future extensions. The RDLEN field
- MUST equal the length of the RDATA section through the end of Other
- Data or the RR is to be considered malformed and rejected.
-
-
-
-
-
-
-Eastlake Standards Track [Page 6]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
-3. General TKEY Considerations
-
- TKEY is a meta-RR that is not stored or cached in the DNS and does
- not appear in zone files. It supports a variety of modes for the
- establishment and deletion of shared secret keys information between
- DNS resolvers and servers. The establishment of such a shared key
- requires that state be maintained at both ends and the allocation of
- the resources to maintain such state may require mutual agreement. In
- the absence of willingness to provide such state, servers MUST return
- errors such as NOTIMP or REFUSED for an attempt to use TKEY and
- resolvers are free to ignore any TKEY RRs they receive.
-
- The shared secret keying material developed by using TKEY is a plain
- octet sequence. The means by which this shared secret keying
- material, exchanged via TKEY, is actually used in any particular TSIG
- algorithm is algorithm dependent and is defined in connection with
- that algorithm. For example, see [RFC 2104] for how TKEY agreed
- shared secret keying material is used in the HMAC-MD5 algorithm or
- other HMAC algorithms.
-
- There MUST NOT be more than one TKEY RR in a DNS query or response.
-
- Except for GSS-API mode, TKEY responses MUST always have DNS
- transaction authentication to protect the integrity of any keying
- data, error codes, etc. This authentication MUST use a previously
- established secret (TSIG) or public (SIG(0) [RFC 2931]) key and MUST
- NOT use any key that the response to be verified is itself providing.
-
- TKEY queries MUST be authenticated for all modes except GSS-API and,
- under some circumstances, server assignment mode. In particular, if
- the query for a server assigned key is for a key to assert some
- privilege, such as update authority, then the query must be
- authenticated to avoid spoofing. However, if the key is just to be
- used for transaction security, then spoofing will lead at worst to
- denial of service. Query authentication SHOULD use an established
- secret (TSIG) key authenticator if available. Otherwise, it must use
- a public (SIG(0)) key signature. It MUST NOT use any key that the
- query is itself providing.
-
- In the absence of required TKEY authentication, a NOTAUTH error MUST
- be returned.
-
- To avoid replay attacks, it is necessary that a TKEY response or
- query not be valid if replayed on the order of 2**32 second (about
- 136 years), or a multiple thereof, later. To accomplish this, the
- keying material used in any TSIG or SIG(0) RR that authenticates a
- TKEY message MUST NOT have a lifetime of more then 2**31 - 1 seconds
-
-
-
-
-Eastlake Standards Track [Page 7]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- (about 68 years). Thus, on attempted replay, the authenticating TSIG
- or SIG(0) RR will not be verifiable due to key expiration and the
- replay will fail.
-
-4. Exchange via Resolver Query
-
- One method for a resolver and a server to agree about shared secret
- keying material for use in TSIG is through DNS requests from the
- resolver which are syntactically DNS queries for type TKEY. Such
- queries MUST be accompanied by a TKEY RR in the additional
- information section to indicate the mode in use and accompanied by
- other information where required.
-
- Type TKEY queries SHOULD NOT be flagged as recursive and servers MAY
- ignore the recursive header bit in TKEY queries they receive.
-
-4.1 Query for Diffie-Hellman Exchanged Keying
-
- Diffie-Hellman (DH) key exchange is a means whereby two parties can
- derive some shared secret information without requiring any secrecy
- of the messages they exchange [Schneier]. Provisions have been made
- for the storage of DH public keys in the DNS [RFC 2539].
-
- A resolver sends a query for type TKEY accompanied by a TKEY RR in
- the additional information section specifying the Diffie-Hellman mode
- and accompanied by a KEY RR also in the additional information
- section specifying a resolver Diffie-Hellman key. The TKEY RR
- algorithm field is set to the authentication algorithm the resolver
- plans to use. The "key data" provided in the TKEY is used as a random
- [RFC 1750] nonce to avoid always deriving the same keying material
- for the same pair of DH KEYs.
-
- The server response contains a TKEY in its answer section with the
- Diffie-Hellman mode. The "key data" provided in this TKEY is used as
- an additional nonce to avoid always deriving the same keying material
- for the same pair of DH KEYs. If the TKEY error field is non-zero,
- the query failed for the reason given. FORMERR is given if the query
- included no DH KEY and BADKEY is given if the query included an
- incompatible DH KEY.
-
- If the TKEY error field is zero, the resolver supplied Diffie-Hellman
- KEY RR SHOULD be echoed in the additional information section and a
- server Diffie-Hellman KEY RR will also be present in the answer
- section of the response. Both parties can then calculate the same
- shared secret quantity from the pair of Diffie-Hellman (DH) keys used
- [Schneier] (provided these DH keys use the same generator and
- modulus) and the data in the TKEY RRs. The TKEY RR data is mixed
- with the DH result as follows:
-
-
-
-Eastlake Standards Track [Page 8]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- keying material =
- XOR ( DH value, MD5 ( query data | DH value ) |
- MD5 ( server data | DH value ) )
-
- Where XOR is an exclusive-OR operation and "|" is byte-stream
- concatenation. The shorter of the two operands to XOR is byte-wise
- left justified and padded with zero-valued bytes to match the length
- of the other operand. "DH value" is the Diffie-Hellman value derived
- from the KEY RRs. Query data and server data are the values sent in
- the TKEY RR data fields. These "query data" and "server data" nonces
- are suffixed by the DH value, digested by MD5, the results
- concatenated, and then XORed with the DH value.
-
- The inception and expiry times in the query TKEY RR are those
- requested for the keying material. The inception and expiry times in
- the response TKEY RR are the maximum period the server will consider
- the keying material valid. Servers may pre-expire keys so this is
- not a guarantee.
-
-4.2 Query for TKEY Deletion
-
- Keys established via TKEY can be treated as soft state. Since DNS
- transactions are originated by the resolver, the resolver can simply
- toss keys, although it may have to go through another key exchange if
- it later needs one. Similarly, the server can discard keys although
- that will result in an error on receiving a query with a TSIG using
- the discarded key.
-
- To avoid attempted reliance in requests on keys no longer in effect,
- servers MUST implement key deletion whereby the server "discards" a
- key on receipt from a resolver of an authenticated delete request for
- a TKEY RR with the key's name. If the server has no record of a key
- with that name, it returns BADNAME.
-
- Key deletion TKEY queries MUST be authenticated. This authentication
- MAY be a TSIG RR using the key to be deleted.
-
- For querier assigned and Diffie-Hellman keys, the server MUST truly
- "discard" all active state associated with the key. For server
- assigned keys, the server MAY simply mark the key as no longer
- retained by the client and may re-send it in response to a future
- query for server assigned keying material.
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 9]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
-4.3 Query for GSS-API Establishment
-
- This mode is described in a separate document under preparation which
- should be seen for the full description. Basically the resolver and
- server can exchange queries and responses for type TKEY with a TKEY
- RR specifying the GSS-API mode in the additional information section
- and a GSS-API token in the key data portion of the TKEY RR.
-
- Any issues of possible encryption of parts the GSS-API token data
- being transmitted are handled by the GSS-API level. In addition, the
- GSS-API level provides its own authentication so that this mode of
- TKEY query and response MAY be, but do not need to be, authenticated
- with TSIG RR or SIG(0) RR [RFC 2931].
-
- The inception and expiry times in a GSS-API mode TKEY RR are ignored.
-
-4.4 Query for Server Assigned Keying
-
- Optionally, the server can assign keying for the resolver. It is
- sent to the resolver encrypted under a resolver public key. See
- section 6 for description of encryption methods.
-
- A resolver sends a query for type TKEY accompanied by a TKEY RR
- specifying the "server assignment" mode and a resolver KEY RR to be
- used in encrypting the response, both in the additional information
- section. The TKEY algorithm field is set to the authentication
- algorithm the resolver plans to use. It is RECOMMENDED that any "key
- data" provided in the query TKEY RR by the resolver be strongly mixed
- by the server with server generated randomness [RFC 1750] to derive
- the keying material to be used. The KEY RR that appears in the query
- need not be accompanied by a SIG(KEY) RR. If the query is
- authenticated by the resolver with a TSIG RR [RFC 2845] or SIG(0) RR
- and that authentication is verified, then any SIG(KEY) provided in
- the query SHOULD be ignored. The KEY RR in such a query SHOULD have
- a name that corresponds to the resolver but it is only essential that
- it be a public key for which the resolver has the corresponding
- private key so it can decrypt the response data.
-
- The server response contains a TKEY RR in its answer section with the
- server assigned mode and echoes the KEY RR provided in the query in
- its additional information section.
-
- If the response TKEY error field is zero, the key data portion of the
- response TKEY RR will be the server assigned keying data encrypted
- under the public key in the resolver provided KEY RR. In this case,
- the owner name of the answer TKEY RR will be the server assigned name
- of the key.
-
-
-
-
-Eastlake Standards Track [Page 10]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- If the error field of the response TKEY is non-zero, the query failed
- for the reason given. FORMERR is given if the query specified no
- encryption key.
-
- The inception and expiry times in the query TKEY RR are those
- requested for the keying material. The inception and expiry times in
- the response TKEY are the maximum period the server will consider the
- keying material valid. Servers may pre-expire keys so this is not a
- guarantee.
-
- The resolver KEY RR MUST be authenticated, through the authentication
- of this query with a TSIG or SIG(0) or the signing of the resolver
- KEY with a SIG(KEY). Otherwise, an attacker can forge a resolver KEY
- for which they know the private key, and thereby the attacker could
- obtain a valid shared secret key from the server.
-
-4.5 Query for Resolver Assigned Keying
-
- Optionally, a server can accept resolver assigned keys. The keying
- material MUST be encrypted under a server key for protection in
- transmission as described in Section 6.
-
- The resolver sends a TKEY query with a TKEY RR that specifies the
- encrypted keying material and a KEY RR specifying the server public
- key used to encrypt the data, both in the additional information
- section. The name of the key and the keying data are completely
- controlled by the sending resolver so a globally unique key name
- SHOULD be used. The KEY RR used MUST be one for which the server has
- the corresponding private key, or it will not be able to decrypt the
- keying material and will return a FORMERR. It is also important that
- no untrusted party (preferably no other party than the server) has
- the private key corresponding to the KEY RR because, if they do, they
- can capture the messages to the server, learn the shared secret, and
- spoof valid TSIGs.
-
- The query TKEY RR inception and expiry give the time period the
- querier intends to consider the keying material valid. The server
- can return a lesser time interval to advise that it will not maintain
- state for that long and can pre-expire keys in any case.
-
- This mode of query MUST be authenticated with a TSIG or SIG(0).
- Otherwise, an attacker can forge a resolver assigned TKEY query, and
- thereby the attacker could specify a shared secret key that would be
- accepted, used, and honored by the server.
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 11]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
-5. Spontaneous Server Inclusion
-
- A DNS server may include a TKEY RR spontaneously as additional
- information in responses. This SHOULD only be done if the server
- knows the querier understands TKEY and has this option implemented.
- This technique can be used to delete a key and may be specified for
- modes defined in the future. A disadvantage of this technique is
- that there is no way for the server to get any error or success
- indication back and, in the case of UDP, no way to even know if the
- DNS response reached the resolver.
-
-5.1 Spontaneous Server Key Deletion
-
- A server can optionally tell a client that it has deleted a secret
- key by spontaneously including a TKEY RR in the additional
- information section of a response with the key's name and specifying
- the key deletion mode. Such a response SHOULD be authenticated. If
- authenticated, it "deletes" the key with the given name. The
- inception and expiry times of the delete TKEY RR are ignored. Failure
- by a client to receive or properly process such additional
- information in a response would mean that the client might use a key
- that the server had discarded and would then get an error indication.
-
- For server assigned and Diffie-Hellman keys, the client MUST
- "discard" active state associated with the key. For querier assigned
- keys, the querier MAY simply mark the key as no longer retained by
- the server and may re-send it in a future query specifying querier
- assigned keying material.
-
-6. Methods of Encryption
-
- For the server assigned and resolver assigned key agreement modes,
- the keying material is sent within the key data field of a TKEY RR
- encrypted under the public key in an accompanying KEY RR [RFC 2535].
- This KEY RR MUST be for a public key algorithm where the public and
- private keys can be used for encryption and the corresponding
- decryption which recovers the originally encrypted data. The KEY RR
- SHOULD correspond to a name for the decrypting resolver/server such
- that the decrypting process has access to the corresponding private
- key to decrypt the data. The secret keying material being sent will
- generally be fairly short, usually less than 256 bits, because that
- is adequate for very strong protection with modern keyed hash or
- symmetric algorithms.
-
- If the KEY RR specifies the RSA algorithm, then the keying material
- is encrypted as per the description of RSAES-PKCS1-v1_5 encryption in
- PKCS#1 [RFC 2437]. (Note, the secret keying material being sent is
- directly RSA encrypted in PKCS#1 format. It is not "enveloped" under
-
-
-
-Eastlake Standards Track [Page 12]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- some other symmetric algorithm.) In the unlikely event that the
- keying material will not fit within one RSA modulus of the chosen
- public key, additional RSA encryption blocks are included. The
- length of each block is clear from the public RSA key specified and
- the RSAES-PKCS1-v1_5 padding makes it clear what part of the
- encrypted data is actually keying material and what part is
- formatting or the required at least eight bytes of random [RFC 1750]
- padding.
-
-7. IANA Considerations
-
- This section is to be interpreted as provided in [RFC 2434].
-
- Mode field values 0x0000 and 0xFFFF are reserved.
-
- Mode field values 0x0001 through 0x00FF, and 0XFF00 through 0XFFFE
- can only be assigned by an IETF Standards Action.
-
- Mode field values 0x0100 through 0x0FFF and 0xF0000 through 0xFEFF
- are allocated by IESG approval or IETF consensus.
-
- Mode field values 0x1000 through 0xEFFF are allocated based on
- Specification Required as defined in [RFC 2434].
-
- Mode values should not be changed when the status of their use
- changes. For example, a mode value assigned based just on providing
- a specification should not be changed later just because that use's
- status is changed to standards track.
-
- The following assignments are documented herein:
-
- RR Type 249 for TKEY.
-
- TKEY Modes 1 through 5 as listed in section 2.5.
-
- Extended RCODE Error values of 19, 20, and 21 as listed in section
- 2.6.
-
-8. Security Considerations
-
- The entirety of this specification is concerned with the secure
- establishment of a shared secret between DNS clients and servers in
- support of TSIG [RFC 2845].
-
- Protection against denial of service via the use of TKEY is not
- provided.
-
-
-
-
-
-Eastlake Standards Track [Page 13]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
-References
-
- [Schneier] Bruce Schneier, "Applied Cryptography: Protocols,
- Algorithms, and Source Code in C", 1996, John Wiley and
- Sons
-
- [RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC 1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
- Recommendations for Security", RFC 1750, December 1994.
-
- [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
- September 1996.
-
- [RFC 1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
- August 1996.
-
- [RFC 2030] Mills, D., "Simple Network Time Protocol (SNTP) Version 4
- for IPv4, IPv6 and OSI", RFC 2030, October 1996.
-
- [RFC 2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
- Hashing for Message Authentication", RFC 2104, February
- 1997.
-
- [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [RFC 2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
- Specifications Version 2.0", RFC 2437, October 1998.
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC 2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
- Domain Name System (DNS)", RFC 2539, March 1999.
-
-
-
-
-Eastlake Standards Track [Page 14]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
- [RFC 2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC 2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s )", RFC 2931, September 2000.
-
-Author's Address
-
- Donald E. Eastlake 3rd
- Motorola
- 140 Forest Avenue
- Hudson, MA 01749 USA
-
- Phone: +1 978-562-2827 (h)
- +1 508-261-5434 (w)
- Fax: +1 508-261-4447 (w)
- EMail: Donald.Eastlake@motorola.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 15]
-
-RFC 2930 The DNS TKEY RR September 2000
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 16]
-
diff --git a/contrib/bind9/doc/rfc/rfc2931.txt b/contrib/bind9/doc/rfc/rfc2931.txt
deleted file mode 100644
index 84cc97e2d26e..000000000000
--- a/contrib/bind9/doc/rfc/rfc2931.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake 3rd
-Request for Comments: 2931 Motorola
-Updates: 2535 September 2000
-Category: Standards Track
-
-
- DNS Request and Transaction Signatures ( SIG(0)s )
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- Extensions to the Domain Name System (DNS) are described in [RFC
- 2535] that can provide data origin and transaction integrity and
- authentication to security aware resolvers and applications through
- the use of cryptographic digital signatures.
-
- Implementation experience has indicated the need for minor but non-
- interoperable changes in Request and Transaction signature resource
- records ( SIG(0)s ). These changes are documented herein.
-
-Acknowledgments
-
- The contributions and suggestions of the following persons (in
- alphabetic order) to this memo are gratefully acknowledged:
-
- Olafur Gudmundsson
-
- Ed Lewis
-
- Erik Nordmark
-
- Brian Wellington
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 1]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
-Table of Contents
-
- 1. Introduction................................................. 2
- 2. SIG(0) Design Rationale...................................... 3
- 2.1 Transaction Authentication.................................. 3
- 2.2 Request Authentication...................................... 3
- 2.3 Keying...................................................... 3
- 2.4 Differences Between TSIG and SIG(0)......................... 4
- 3. The SIG(0) Resource Record................................... 4
- 3.1 Calculating Request and Transaction SIGs.................... 5
- 3.2 Processing Responses and SIG(0) RRs......................... 6
- 3.3 SIG(0) Lifetime and Expiration.............................. 7
- 4. Security Considerations...................................... 7
- 5. IANA Considerations.......................................... 7
- References...................................................... 7
- Author's Address................................................ 8
- Appendix: SIG(0) Changes from RFC 2535.......................... 9
- Full Copyright Statement........................................ 10
-
-1. Introduction
-
- This document makes minor but non-interoperable changes to part of
- [RFC 2535], familiarity with which is assumed, and includes
- additional explanatory text. These changes concern SIG Resource
- Records (RRs) that are used to digitally sign DNS requests and
- transactions / responses. Such a resource record, because it has a
- type covered field of zero, is frequently called a SIG(0). The
- changes are based on implementation and attempted implementation
- experience with TSIG [RFC 2845] and the [RFC 2535] specification for
- SIG(0).
-
- Sections of [RFC 2535] updated are all of 4.1.8.1 and parts of 4.2
- and 4.3. No changes are made herein related to the KEY or NXT RRs or
- to the processing involved with data origin and denial authentication
- for DNS data.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 2]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
-2. SIG(0) Design Rationale
-
- SIG(0) provides protection for DNS transactions and requests that is
- not provided by the regular SIG, KEY, and NXT RRs specified in [RFC
- 2535]. The authenticated data origin services of secure DNS either
- provide protected data resource records (RRs) or authenticatably deny
- their nonexistence. These services provide no protection for glue
- records, DNS requests, no protection for message headers on requests
- or responses, and no protection of the overall integrity of a
- response.
-
-2.1 Transaction Authentication
-
- Transaction authentication means that a requester can be sure it is
- at least getting the messages from the server it queried and that the
- received messages are in response to the query it sent. This is
- accomplished by optionally adding either a TSIG RR [RFC 2845] or, as
- described herein, a SIG(0) resource record at the end of the response
- which digitally signs the concatenation of the server's response and
- the corresponding resolver query.
-
-2.2 Request Authentication
-
- Requests can also be authenticated by including a TSIG or, as
- described herein, a special SIG(0) RR at the end of the request.
- Authenticating requests serves no function in DNS servers that
- predate the specification of dynamic update. Requests with a non-
- empty additional information section produce error returns or may
- even be ignored by a few such older DNS servers. However, this syntax
- for signing requests is defined for authenticating dynamic update
- requests [RFC 2136], TKEY requests [RFC 2930], or future requests
- requiring authentication.
-
-2.3 Keying
-
- The private keys used in transaction security belong to the host
- composing the DNS response message, not to the zone involved.
- Request authentication may also involve the private key of the host
- or other entity composing the request or of a zone to be affected by
- the request or other private keys depending on the request authority
- it is sought to establish. The corresponding public key(s) are
- normally stored in and retrieved from the DNS for verification as KEY
- RRs with a protocol byte of 3 (DNSSEC) or 255 (ANY).
-
- Because requests and replies are highly variable, message
- authentication SIGs can not be pre-calculated. Thus it will be
- necessary to keep the private key on-line, for example in software or
- in a directly connected piece of hardware.
-
-
-
-Eastlake Standards Track [Page 3]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
-2.4 Differences Between TSIG and SIG(0)
-
- There are significant differences between TSIG and SIG(0).
-
- Because TSIG involves secret keys installed at both the requester and
- server the presence of such a key implies that the other party
- understands TSIG and very likely has the same key installed.
- Furthermore, TSIG uses keyed hash authentication codes which are
- relatively inexpensive to compute. Thus it is common to authenticate
- requests with TSIG and responses are authenticated with TSIG if the
- corresponding request is authenticated.
-
- SIG(0) on the other hand, uses public key authentication, where the
- public keys are stored in DNS as KEY RRs and a private key is stored
- at the signer. Existence of such a KEY RR does not necessarily imply
- implementation of SIG(0). In addition, SIG(0) involves relatively
- expensive public key cryptographic operations that should be
- minimized and the verification of a SIG(0) involves obtaining and
- verifying the corresponding KEY which can be an expensive and lengthy
- operation. Indeed, a policy of using SIG(0) on all requests and
- verifying it before responding would, for some configurations, lead
- to a deadly embrace with the attempt to obtain and verify the KEY
- needed to authenticate the request SIG(0) resulting in additional
- requests accompanied by a SIG(0) leading to further requests
- accompanied by a SIG(0), etc. Furthermore, omitting SIG(0)s when not
- required on requests halves the number of public key operations
- required by the transaction.
-
- For these reasons, SIG(0)s SHOULD only be used on requests when
- necessary to authenticate that the requester has some required
- privilege or identity. SIG(0)s on replies are defined in such a way
- as to not require a SIG(0) on the corresponding request and still
- provide transaction protection. For other replies, whether they are
- authenticated by the server or required to be authenticated by the
- requester SHOULD be a local configuration option.
-
-3. The SIG(0) Resource Record
-
- The structure of and type number of SIG resource records (RRs) is
- given in [RFC 2535] Section 4.1. However all of Section 4.1.8.1 and
- the parts of Sections 4.2 and 4.3 related to SIG(0) should be
- considered replaced by the material below. Any conflict between [RFC
- 2535] and this document concerning SIG(0) RRs should be resolved in
- favor of this document.
-
- For all transaction SIG(0)s, the signer field MUST be a name of the
- originating host and there MUST be a KEY RR at that name with the
- public key corresponding to the private key used to calculate the
-
-
-
-Eastlake Standards Track [Page 4]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
- signature. (The host domain name used may be the inverse IP address
- mapping name for an IP address of the host if the relevant KEY is
- stored there.)
-
- For all SIG(0) RRs, the owner name, class, TTL, and original TTL, are
- meaningless. The TTL fields SHOULD be zero and the CLASS field
- SHOULD be ANY. To conserve space, the owner name SHOULD be root (a
- single zero octet). When SIG(0) authentication on a response is
- desired, that SIG RR MUST be considered the highest priority of any
- additional information for inclusion in the response. If the SIG(0)
- RR cannot be added without causing the message to be truncated, the
- server MUST alter the response so that a SIG(0) can be included.
- This response consists of only the question and a SIG(0) record, and
- has the TC bit set and RCODE 0 (NOERROR). The client should at this
- point retry the request using TCP.
-
-3.1 Calculating Request and Transaction SIGs
-
- A DNS request may be optionally signed by including one SIG(0)s at
- the end of the query additional information section. Such a SIG is
- identified by having a "type covered" field of zero. It signs the
- preceding DNS request message including DNS header but not including
- the UDP/IP header and before the request RR counts have been adjusted
- for the inclusions of the request SIG(0).
-
- It is calculated by using a "data" (see [RFC 2535], Section 4.1.8) of
- (1) the SIG's RDATA section entirely omitting (not just zeroing) the
- signature subfield itself, (2) the DNS query messages, including DNS
- header, but not the UDP/IP header and before the reply RR counts have
- been adjusted for the inclusion of the SIG(0). That is
-
- data = RDATA | request - SIG(0)
-
- where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
- calculated less the signature itself.
-
- Similarly, a SIG(0) can be used to secure a response and the request
- that produced it. Such transaction signatures are calculated by
- using a "data" of (1) the SIG's RDATA section omitting the signature
- itself, (2) the entire DNS query message that produced this response,
- including the query's DNS header but not its UDP/IP header, and (3)
- the entire DNS response message, including DNS header but not the
- UDP/IP header and before the response RR counts have been adjusted
- for the inclusion of the SIG(0).
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 5]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
- That is
-
- data = RDATA | full query | response - SIG(0)
-
- where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
- calculated less the signature itself.
-
- Verification of a response SIG(0) (which is signed by the server host
- key, not the zone key) by the requesting resolver shows that the
- query and response were not tampered with in transit, that the
- response corresponds to the intended query, and that the response
- comes from the queried server.
-
- In the case of a DNS message via TCP, a SIG(0) on the first data
- packet is calculated with "data" as above and for each subsequent
- packet, it is calculated as follows:
-
- data = RDATA | DNS payload - SIG(0) | previous packet
-
- where "|" is concatenations, RDATA is as above, and previous packet
- is the previous DNS payload including DNS header and the SIG(0) but
- not the TCP/IP header. Support of SIG(0) for TCP is OPTIONAL. As an
- alternative, TSIG may be used after, if necessary, setting up a key
- with TKEY [RFC 2930].
-
- Except where needed to authenticate an update, TKEY, or similar
- privileged request, servers are not required to check a request
- SIG(0).
-
- Note: requests and responses can either have a single TSIG or one
- SIG(0) but not both a TSIG and a SIG(0).
-
-3.2 Processing Responses and SIG(0) RRs
-
- If a SIG RR is at the end of the additional information section of a
- response and has a type covered of zero, it is a transaction
- signature covering the response and the query that produced the
- response. For TKEY responses, it MUST be checked and the message
- rejected if the checks fail unless otherwise specified for the TKEY
- mode in use. For all other responses, it MAY be checked and the
- message rejected if the checks fail.
-
- If a response's SIG(0) check succeed, such a transaction
- authentication SIG does NOT directly authenticate the validity any
- data-RRs in the message. However, it authenticates that they were
- sent by the queried server and have not been diddled. (Only a proper
- SIG(0) RR signed by the zone or a key tracing its authority to the
- zone or to static resolver configuration can directly authenticate
-
-
-
-Eastlake Standards Track [Page 6]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
- data-RRs, depending on resolver policy.) If a resolver or server does
- not implement transaction and/or request SIGs, it MUST ignore them
- without error where they are optional and treat them as failing where
- they are required.
-
-3.3 SIG(0) Lifetime and Expiration
-
- The inception and expiration times in SIG(0)s are for the purpose of
- resisting replay attacks. They should be set to form a time bracket
- such that messages outside that bracket can be ignored. In IP
- networks, this time bracket should not normally extend further than 5
- minutes into the past and 5 minutes into the future.
-
-4. Security Considerations
-
- No additional considerations beyond those in [RFC 2535].
-
- The inclusion of the SIG(0) inception and expiration time under the
- signature improves resistance to replay attacks.
-
-5. IANA Considerations
-
- No new parameters are created or parameter values assigned by this
- document.
-
-References
-
- [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
- September 1996.
-
- [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
- Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
- April 1997.
-
- [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC 2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
- Wellington, "Secret Key Transaction Signatures for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC 2930] Eastlake, D., "Secret Key Establishment for DNS (RR)", RFC
- 2930, September 2000.
-
-
-
-
-
-Eastlake Standards Track [Page 7]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
-Author's Address
-
- Donald E. Eastlake 3rd
- Motorola
- 140 Forest Avenue
- Hudson, MA 01749 USA
-
- Phone: +1-978-562-2827(h)
- +1-508-261-5434(w)
- Fax: +1 978-567-7941(h)
- +1-508-261-4447(w)
- EMail: Donald.Eastlake@motorola.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 8]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
-Appendix: SIG(0) Changes from RFC 2535
-
- Add explanatory text concerning the differences between TSIG and
- SIG(0).
-
- Change the data over which SIG(0) is calculated to include the SIG(0)
- RDATA other than the signature itself so as to secure the signature
- inception and expiration times and resist replay attacks. Specify
- SIG(0) for TCP.
-
- Add discussion of appropriate inception and expiration times for
- SIG(0).
-
- Add wording to indicate that either a TSIG or one or more SIG(0)s may
- be present but not both.
-
- Reword some areas for clarity.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 9]
-
-RFC 2931 DNS SIG(0) September 2000
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake Standards Track [Page 10]
-
diff --git a/contrib/bind9/doc/rfc/rfc3007.txt b/contrib/bind9/doc/rfc/rfc3007.txt
deleted file mode 100644
index 1697475355d3..000000000000
--- a/contrib/bind9/doc/rfc/rfc3007.txt
+++ /dev/null
@@ -1,507 +0,0 @@
-
-
-
-
-
-
-Network Working Group B. Wellington
-Request for Comments: 3007 Nominum
-Updates: 2535, 2136 November 2000
-Obsoletes: 2137
-Category: Standards Track
-
-
- Secure Domain Name System (DNS) Dynamic Update
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document proposes a method for performing secure Domain Name
- System (DNS) dynamic updates. The method described here is intended
- to be flexible and useful while requiring as few changes to the
- protocol as possible. The authentication of the dynamic update
- message is separate from later DNSSEC validation of the data. Secure
- communication based on authenticated requests and transactions is
- used to provide authorization.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
-
-1 - Introduction
-
- This document defines a means to secure dynamic updates of the Domain
- Name System (DNS), allowing only authorized sources to make changes
- to a zone's contents. The existing unsecured dynamic update
- operations form the basis for this work.
-
- Familiarity with the DNS system [RFC1034, RFC1035] and dynamic update
- [RFC2136] is helpful and is assumed by this document. In addition,
- knowledge of DNS security extensions [RFC2535], SIG(0) transaction
- security [RFC2535, RFC2931], and TSIG transaction security [RFC2845]
- is recommended.
-
-
-
-
-Wellington Standards Track [Page 1]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
- This document updates portions of RFC 2535, in particular section
- 3.1.2, and RFC 2136. This document obsoletes RFC 2137, an alternate
- proposal for secure dynamic update, due to implementation experience.
-
-1.1 - Overview of DNS Dynamic Update
-
- DNS dynamic update defines a new DNS opcode and a new interpretation
- of the DNS message if that opcode is used. An update can specify
- insertions or deletions of data, along with prerequisites necessary
- for the updates to occur. All tests and changes for a DNS update
- request are restricted to a single zone, and are performed at the
- primary server for the zone. The primary server for a dynamic zone
- must increment the zone SOA serial number when an update occurs or
- before the next retrieval of the SOA.
-
-1.2 - Overview of DNS Transaction Security
-
- Exchanges of DNS messages which include TSIG [RFC2845] or SIG(0)
- [RFC2535, RFC2931] records allow two DNS entities to authenticate DNS
- requests and responses sent between them. A TSIG MAC (message
- authentication code) is derived from a shared secret, and a SIG(0) is
- generated from a private key whose public counterpart is stored in
- DNS. In both cases, a record containing the message signature/MAC is
- included as the final resource record in a DNS message. Keyed
- hashes, used in TSIG, are inexpensive to calculate and verify.
- Public key encryption, as used in SIG(0), is more scalable as the
- public keys are stored in DNS.
-
-1.3 - Comparison of data authentication and message authentication
-
- Message based authentication, using TSIG or SIG(0), provides
- protection for the entire message with a single signing and single
- verification which, in the case of TSIG, is a relatively inexpensive
- MAC creation and check. For update requests, this signature can
- establish, based on policy or key negotiation, the authority to make
- the request.
-
- DNSSEC SIG records can be used to protect the integrity of individual
- RRs or RRsets in a DNS message with the authority of the zone owner.
- However, this cannot sufficiently protect the dynamic update request.
-
- Using SIG records to secure RRsets in an update request is
- incompatible with the design of update, as described below, and would
- in any case require multiple expensive public key signatures and
- verifications.
-
-
-
-
-
-
-Wellington Standards Track [Page 2]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
- SIG records do not cover the message header, which includes record
- counts. Therefore, it is possible to maliciously insert or remove
- RRsets in an update request without causing a verification failure.
-
- If SIG records were used to protect the prerequisite section, it
- would be impossible to determine whether the SIGs themselves were a
- prerequisite or simply used for validation.
-
- In the update section of an update request, signing requests to add
- an RRset is straightforward, and this signature could be permanently
- used to protect the data, as specified in [RFC2535]. However, if an
- RRset is deleted, there is no data for a SIG to cover.
-
-1.4 - Data and message signatures
-
- As specified in [RFC3008], the DNSSEC validation process performed by
- a resolver MUST NOT process any non-zone keys unless local policy
- dictates otherwise. When performing secure dynamic update, all zone
- data modified in a signed zone MUST be signed by a relevant zone key.
- This completely disassociates authentication of an update request
- from authentication of the data itself.
-
- The primary usefulness of host and user keys, with respect to DNSSEC,
- is to authenticate messages, including dynamic updates. Thus, host
- and user keys MAY be used to generate SIG(0) records to authenticate
- updates and MAY be used in the TKEY [RFC2930] process to generate
- TSIG shared secrets. In both cases, no SIG records generated by
- non-zone keys will be used in a DNSSEC validation process unless
- local policy dictates.
-
- Authentication of data, once it is present in DNS, only involves
- DNSSEC zone keys and signatures generated by them.
-
-1.5 - Signatory strength
-
- [RFC2535, section 3.1.2] defines the signatory field of a key as the
- final 4 bits of the flags field, but does not define its value. This
- proposal leaves this field undefined. Updating [RFC2535], this field
- SHOULD be set to 0 in KEY records, and MUST be ignored.
-
-2 - Authentication
-
- TSIG or SIG(0) records MUST be included in all secure dynamic update
- messages. This allows the server to verifiably determine the
- originator of a message. If the message contains authentication in
- the form of a SIG(0), the identity of the sender (that is, the
- principal) is the owner of the KEY RR that generated the SIG(0). If
- the message contains a TSIG generated by a statically configured
-
-
-
-Wellington Standards Track [Page 3]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
- shared secret, the principal is the same as or derived from the
- shared secret name. If the message contains a TSIG generated by a
- dynamically configured shared secret, the principal is the same as
- the one that authenticated the TKEY process; if the TKEY process was
- unauthenticated, no information is known about the principal, and the
- associated TSIG shared secret MUST NOT be used for secure dynamic
- update.
-
- SIG(0) signatures SHOULD NOT be generated by zone keys, since
- transactions are initiated by a host or user, not a zone.
-
- DNSSEC SIG records (other than SIG(0)) MAY be included in an update
- message, but MUST NOT be used to authenticate the update request.
-
- If an update fails because it is signed with an unauthorized key, the
- server MUST indicate failure by returning a message with RCODE
- REFUSED. Other TSIG, SIG(0), or dynamic update errors are returned
- as specified in the appropriate protocol description.
-
-3 - Policy
-
- All policy is configured by the zone administrator and enforced by
- the zone's primary name server. Policy dictates the authorized
- actions that an authenticated principal can take. Policy checks are
- based on the principal and the desired action, where the principal is
- derived from the message signing key and applied to dynamic update
- messages signed with that key.
-
- The server's policy defines criteria which determine if the key used
- to sign the update is permitted to perform the requested updates. By
- default, a principal MUST NOT be permitted to make any changes to
- zone data; any permissions MUST be enabled though configuration.
-
- The policy is fully implemented in the primary zone server's
- configuration for several reasons. This removes limitations imposed
- by encoding policy into a fixed number of bits (such as the KEY RR's
- signatory field). Policy is only relevant in the server applying it,
- so there is no reason to expose it. Finally, a change in policy or a
- new type of policy should not affect the DNS protocol or data format,
- and should not cause interoperability failures.
-
-3.1 - Standard policies
-
- Implementations SHOULD allow access control policies to use the
- principal as an authorization token, and MAY also allow policies to
- grant permission to a signed message regardless of principal.
-
-
-
-
-
-Wellington Standards Track [Page 4]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
- A common practice would be to restrict the permissions of a principal
- by domain name. That is, a principal could be permitted to add,
- delete, or modify entries corresponding to one or more domain names.
- Implementations SHOULD allow per-name access control, and SHOULD
- provide a concise representation of the principal's own name, its
- subdomains, and all names in the zone.
-
- Additionally, a server SHOULD allow restricting updates by RR type,
- so that a principal could add, delete, or modify specific record
- types at certain names. Implementations SHOULD allow per-type access
- control, and SHOULD provide concise representations of all types and
- all "user" types, where a user type is defined as one that does not
- affect the operation of DNS itself.
-
-3.1.1 - User types
-
- User types include all data types except SOA, NS, SIG, and NXT. SOA
- and NS records SHOULD NOT be modified by normal users, since these
- types create or modify delegation points. The addition of SIG
- records can lead to attacks resulting in additional workload for
- resolvers, and the deletion of SIG records could lead to extra work
- for the server if the zone SIG was deleted. Note that these records
- are not forbidden, but not recommended for normal users.
-
- NXT records MUST NOT be created, modified, or deleted by dynamic
- update, as their update may cause instability in the protocol. This
- is an update to RFC 2136.
-
- Issues concerning updates of KEY records are discussed in the
- Security Considerations section.
-
-3.2 - Additional policies
-
- Users are free to implement any policies. Policies may be as
- specific or general as desired, and as complex as desired. They may
- depend on the principal or any other characteristics of the signed
- message.
-
-4 - Interaction with DNSSEC
-
- Although this protocol does not change the way updates to secure
- zones are processed, there are a number of issues that should be
- clarified.
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 5]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
-4.1 - Adding SIGs
-
- An authorized update request MAY include SIG records with each RRset.
- Since SIG records (except SIG(0) records) MUST NOT be used for
- authentication of the update message, they are not required.
-
- If a principal is authorized to update SIG records and there are SIG
- records in the update, the SIG records are added without
- verification. The server MAY examine SIG records and drop SIGs with
- a temporal validity period in the past.
-
-4.2 - Deleting SIGs
-
- If a principal is authorized to update SIG records and the update
- specifies the deletion of SIG records, the server MAY choose to
- override the authority and refuse the update. For example, the
- server may allow all SIG records not generated by a zone key to be
- deleted.
-
-4.3 - Non-explicit updates to SIGs
-
- If the updated zone is secured, the RRset affected by an update
- operation MUST, at the completion of the update, be signed in
- accordance with the zone's signing policy. This will usually require
- one or more SIG records to be generated by one or more zone keys
- whose private components MUST be online [RFC3008].
-
- When the contents of an RRset are updated, the server MAY delete all
- associated SIG records, since they will no longer be valid.
-
-4.4 - Effects on the zone
-
- If any changes are made, the server MUST, if necessary, generate a
- new SOA record and new NXT records, and sign these with the
- appropriate zone keys. Changes to NXT records by secure dynamic
- update are explicitly forbidden. SOA updates are allowed, since the
- maintenance of SOA parameters is outside of the scope of the DNS
- protocol.
-
-5 - Security Considerations
-
- This document requires that a zone key and possibly other
- cryptographic secret material be held in an on-line, network-
- connected host, most likely a name server. This material is at the
- mercy of host security to remain a secret. Exposing this secret puts
- DNS data at risk of masquerade attacks. The data at risk is that in
- both zones served by the machine and delegated from this machine.
-
-
-
-
-Wellington Standards Track [Page 6]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
- Allowing updates of KEY records may lead to undesirable results,
- since a principal may be allowed to insert a public key without
- holding the private key, and possibly masquerade as the key owner.
-
-6 - Acknowledgements
-
- The author would like to thank the following people for review and
- informative comments (in alphabetical order):
-
- Harald Alvestrand
- Donald Eastlake
- Olafur Gudmundsson
- Andreas Gustafsson
- Bob Halley
- Stuart Kwan
- Ed Lewis
-
-7 - References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2136] Vixie (Ed.), P., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System", RFC 2136,
- April 1997.
-
- [RFC2137] Eastlake, D., "Secure Domain Name System Dynamic Update",
- RFC 2137, April 1997.
-
- [RFC2535] Eastlake, G., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
- Wellington, "Secret Key Transaction Signatures for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s)", RFC 2931, September 2000.
-
- [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
- Signing Authority", RFC 3008, November 2000.
-
-
-
-
-Wellington Standards Track [Page 7]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
-8 - Author's Address
-
- Brian Wellington
- Nominum, Inc.
- 950 Charter Street
- Redwood City, CA 94063
-
- Phone: +1 650 381 6022
- EMail: Brian.Wellington@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 8]
-
-RFC 3007 Secure Dynamic Update November 2000
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 9]
-
diff --git a/contrib/bind9/doc/rfc/rfc3008.txt b/contrib/bind9/doc/rfc/rfc3008.txt
deleted file mode 100644
index 08a4a8fabedb..000000000000
--- a/contrib/bind9/doc/rfc/rfc3008.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group B. Wellington
-Request for Comments: 3008 Nominum
-Updates: 2535 November 2000
-Category: Standards Track
-
-
- Domain Name System Security (DNSSEC) Signing Authority
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
-Abstract
-
- This document proposes a revised model of Domain Name System Security
- (DNSSEC) Signing Authority. The revised model is designed to clarify
- earlier documents and add additional restrictions to simplify the
- secure resolution process. Specifically, this affects the
- authorization of keys to sign sets of records.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [RFC2119].
-
-1 - Introduction
-
- This document defines additional restrictions on DNSSEC signatures
- (SIG) records relating to their authority to sign associated data.
- The intent is to establish a standard policy followed by a secure
- resolver; this policy can be augmented by local rules. This builds
- upon [RFC2535], updating section 2.3.6 of that document.
-
- The most significant change is that in a secure zone, zone data is
- required to be signed by the zone key.
-
- Familiarity with the DNS system [RFC1034, RFC1035] and the DNS
- security extensions [RFC2535] is assumed.
-
-
-
-
-
-
-Wellington Standards Track [Page 1]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-2 - The SIG Record
-
- A SIG record is normally associated with an RRset, and "covers" (that
- is, demonstrates the authenticity and integrity of) the RRset. This
- is referred to as a "data SIG". Note that there can be multiple SIG
- records covering an RRset, and the same validation process should be
- repeated for each of them. Some data SIGs are considered "material",
- that is, relevant to a DNSSEC capable resolver, and some are
- "immaterial" or "extra-DNSSEC", as they are not relevant to DNSSEC
- validation. Immaterial SIGs may have application defined roles. SIG
- records may exist which are not bound to any RRset; these are also
- considered immaterial. The validation process determines which SIGs
- are material; once a SIG is shown to be immaterial, no other
- validation is necessary.
-
- SIGs may also be used for transaction security. In this case, a SIG
- record with a type covered field of 0 is attached to a message, and
- is used to protect message integrity. This is referred to as a
- SIG(0) [RFC2535, RFC2931].
-
- The following sections define requirements for all of the fields of a
- SIG record. These requirements MUST be met in order for a DNSSEC
- capable resolver to process this signature. If any of these
- requirements are not met, the SIG cannot be further processed.
- Additionally, once a KEY has been identified as having generated this
- SIG, there are requirements that it MUST meet.
-
-2.1 - Type Covered
-
- For a data SIG, the type covered MUST be the same as the type of data
- in the associated RRset. For a SIG(0), the type covered MUST be 0.
-
-2.2 - Algorithm Number
-
- The algorithm specified in a SIG MUST be recognized by the client,
- and it MUST be an algorithm that has a defined SIG rdata format.
-
-2.3 - Labels
-
- The labels count MUST be less than or equal to the number of labels
- in the SIG owner name, as specified in [RFC2535, section 4.1.3].
-
-2.4 - Original TTL
-
- The original TTL MUST be greater than or equal to the TTL of the SIG
- record itself, since the TTL cannot be increased by intermediate
- servers. This field can be ignored for SIG(0) records.
-
-
-
-
-Wellington Standards Track [Page 2]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-2.5 - Signature Expiration and Inception
-
- The current time at the time of validation MUST lie within the
- validity period bounded by the inception and expiration times.
-
-2.6 - Key Tag
-
- There are no restrictions on the Key Tag field, although it is
- possible that future algorithms will impose constraints.
-
-2.7 - Signer's Name
-
- The signer's name field of a data SIG MUST contain the name of the
- zone to which the data and signature belong. The combination of
- signer's name, key tag, and algorithm MUST identify a zone key if the
- SIG is to be considered material. The only exception that the
- signer's name field in a SIG KEY at a zone apex SHOULD contain the
- parent zone's name, unless the KEY set is self-signed. This document
- defines a standard policy for DNSSEC validation; local policy may
- override the standard policy.
-
- There are no restrictions on the signer field of a SIG(0) record.
- The combination of signer's name, key tag, and algorithm MUST
- identify a key if this SIG(0) is to be processed.
-
-2.8 - Signature
-
- There are no restrictions on the signature field. The signature will
- be verified at some point, but does not need to be examined prior to
- verification unless a future algorithm imposes constraints.
-
-3 - The Signing KEY Record
-
- Once a signature has been examined and its fields validated (but
- before the signature has been verified), the resolver attempts to
- locate a KEY that matches the signer name, key tag, and algorithm
- fields in the SIG. If one is not found, the SIG cannot be verified
- and is considered immaterial. If KEYs are found, several fields of
- the KEY record MUST have specific values if the SIG is to be
- considered material and authorized. If there are multiple KEYs, the
- following checks are performed on all of them, as there is no way to
- determine which one generated the signature until the verification is
- performed.
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 3]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-3.1 - Type Flags
-
- The signing KEY record MUST have a flags value of 00 or 01
- (authentication allowed, confidentiality optional) [RFC2535, 3.1.2].
- A DNSSEC resolver MUST only trust signatures generated by keys that
- are permitted to authenticate data.
-
-3.2 - Name Flags
-
- The interpretation of this field is considerably different for data
- SIGs and SIG(0) records.
-
-3.2.1 - Data SIG
-
- If the SIG record covers an RRset, the name type of the associated
- KEY MUST be 01 (zone) [RFC2535, 3.1.2]. This updates RFC 2535,
- section 2.3.6. The DNSSEC validation process performed by a resolver
- MUST ignore all keys that are not zone keys unless local policy
- dictates otherwise.
-
- The primary reason that RFC 2535 allows host and user keys to
- generate material DNSSEC signatures is to allow dynamic update
- without online zone keys; that is, avoid storing private keys in an
- online server. The desire to avoid online signing keys cannot be
- achieved, though, because they are necessary to sign NXT and SOA sets
- [RFC3007]. These online zone keys can sign any incoming data.
- Removing the goal of having no online keys removes the reason to
- allow host and user keys to generate material signatures.
-
- Limiting material signatures to zone keys simplifies the validation
- process. The length of the verification chain is bounded by the
- name's label depth. The authority of a key is clearly defined; a
- resolver does not need to make a potentially complicated decision to
- determine whether a key has the proper authority to sign data.
-
- Finally, there is no additional flexibility granted by allowing
- host/user key generated material signatures. As long as users and
- hosts have the ability to authenticate update requests to the primary
- zone server, signatures by zone keys are sufficient to protect the
- integrity of the data to the world at large.
-
-3.2.2 - SIG(0)
-
- If the SIG record is a SIG(0) protecting a message, the name type of
- the associated KEY SHOULD be 00 (user) or 10 (host/entity).
- Transactions are initiated by a host or user, not a zone, so zone
- keys SHOULD not generate SIG(0) records.
-
-
-
-
-Wellington Standards Track [Page 4]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
- A client is either explicitly executed by a user or on behalf of a
- host, therefore the name type of a SIG(0) generated by a client
- SHOULD be either user or host. A nameserver is associated with a
- host, and its use of SIG(0) is not associated with a particular zone,
- so the name type of a SIG(0) generated by a nameserver SHOULD be
- host.
-
-3.3 - Signatory Flags
-
- This document does not assign any values to the signatory field, nor
- require any values to be present.
-
-3.4 - Protocol
-
- The signing KEY record MUST have a protocol value of 3 (DNSSEC) or
- 255 (ALL). If a key is not specified for use with DNSSEC, a DNSSEC
- resolver MUST NOT trust any signature that it generates.
-
-3.5 - Algorithm Number
-
- The algorithm field MUST be identical to that of the generated SIG
- record, and MUST meet all requirements for an algorithm value in a
- SIG record.
-
-4 - Security Considerations
-
- This document defines a standard baseline for a DNSSEC capable
- resolver. This is necessary for a thorough security analysis of
- DNSSEC, if one is to be done.
-
- Specifically, this document places additional restrictions on SIG
- records that a resolver must validate before the signature can be
- considered worthy of DNSSEC trust. This simplifies the protocol,
- making it more robust and able to withstand scrutiny by the security
- community.
-
-5 - Acknowledgements
-
- The author would like to thank the following people for review and
- informative comments (in alphabetical order):
-
- Olafur Gudmundsson
- Ed Lewis
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 5]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-6 - References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2136] Vixie (Ed.), P., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System", RFC 2136,
- April 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s )", RFC 2931, September 2000.
-
- [RFC3007] Wellington, B., "Simple Secure Domain Name System
- (DNS) Dynamic Update", RFC 3007, November 2000.
-
-7 - Author's Address
-
- Brian Wellington
- Nominum, Inc.
- 950 Charter Street
- Redwood City, CA 94063
-
- Phone: +1 650 381 6022
- EMail: Brian.Wellington@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 6]
-
-RFC 3008 DNSSEC Signing Authority November 2000
-
-
-8 Full Copyright Statement
-
- Copyright (C) The Internet Society (2000). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc3071.txt b/contrib/bind9/doc/rfc/rfc3071.txt
deleted file mode 100644
index 2c4d52fc1141..000000000000
--- a/contrib/bind9/doc/rfc/rfc3071.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Klensin
-Request for Comments: 3071 February 2001
-Category: Informational
-
-
- Reflections on the DNS, RFC 1591, and Categories of Domains
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- RFC 1591, "Domain Name System Structure and Delegation", laid out the
- basic administrative design and principles for the allocation and
- administration of domains, from the top level down. It was written
- before the introduction of the world wide web (WWW) and rapid growth
- of the Internet put significant market, social, and political
- pressure on domain name allocations. In recent years, 1591 has been
- cited by all sides in various debates, and attempts have been made by
- various bodies to update it or adjust its provisions, sometimes under
- pressures that have arguably produced policies that are less well
- thought out than the original. Some of those efforts have begun from
- misconceptions about the provisions of 1591 or the motivation for
- those provisions. The current directions of the Internet Corporation
- for Assigned Names and Numbers (ICANN) and other groups who now
- determine the Domain Name System (DNS) policy directions appear to be
- drifting away from the policies and philosophy of 1591. This
- document is being published primarily for historical context and
- comparative purposes, essentially to document some thoughts about how
- 1591 might have been interpreted and adjusted by the Internet
- Assigned Numbers Authority (IANA) and ICANN to better reflect today's
- world while retaining characteristics and policies that have proven
- to be effective in supporting Internet growth and stability. An
- earlier variation of this memo was submitted to ICANN as a comment on
- its evolving Top-level Domain (TLD) policies.
-
-
-
-
-
-
-
-
-
-Klensin Informational [Page 1]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
-1. Introduction
-
- RFC 1591 [1] has been heavily discussed and referenced in the last
- year or two, especially in discussions within ICANN and its
- predecessors about the creation, delegation, and management of top-
- level domains. In particular, the ICANN Domain Name Supporting
- Organization (DNSO), and especially its ccTLD constituency, have been
- the home of many discussions in which 1591 and interpretations of it
- have been cited in support of a variety of sometimes-contradictory
- positions. During that period, other discussions have gone on to try
- to reconstruct the thinking that went into RFC 1591. Those in turn
- have led me and others to muse on how that original thinking might
- relate to some of the issues being raised. 1591 is, I believe, one
- of Jon Postel's masterpieces, drawing together very different
- philosophies (e.g., his traditional view that people are basically
- reasonable and will do the right thing if told what it is with some
- stronger mechanisms when that model is not successful) into a single
- whole.
-
- RFC 1591 was written in the context of the assumption that what it
- described as generic TLDs would be bound to policies and categories
- of registration (see the "This domain is intended..." text in
- section 2) while ccTLDs were expected to be used primarily to support
- users and uses within and for a country and its residents. The
- notion that different domains would be run in different ways --albeit
- within the broad contexts of "public service on behalf of the
- Internet community" and "trustee... for the global Internet
- community"-- was considered a design feature and a safeguard against
- a variety of potential abuses. Obviously the world has changed in
- many ways in the seven or eight years since 1591 was written. In
- particular, the Internet has become more heavily used and, because
- the design of the world wide web has put domain names in front of
- users, top-level domain names and registrations in them have been
- heavily in demand: not only has the number of hosts increased
- dramatically during that time, but the ratio between registered
- domain names and physical hosts has increased very significantly.
-
- The issues 1591 attempted to address when it was written and those we
- face today have not changed significantly in principle. But one
- alternative to present trends would be to take a step back to refine
- it into a model that can function effectively today. Therefore, it
- may be useful to try to reconstruct 1591's principles and think about
- their applicability today as a model that could continue to be
- applied: not because it is historically significant, but because many
- of its elements have proven to work reasonably well, even in
- difficult situations. In particular, for many domains (some in
- 1591's "generic" list and others in its "country code" category) the
- notion of "public service" --expected then to imply being carried out
-
-
-
-Klensin Informational [Page 2]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
- at no or minimal cost to the users, not merely on a non-profit
- basis-- has yielded to profitability calculations. And, in most of
- the rest, considerations of at least calculating and recovering costs
- have crept in. While many of us feel some nostalgia for the old
- system, it is clear that its days are waning if not gone: perhaps the
- public service notions as understood when 1591 was written just don't
- scale to rapid internet growth and very large numbers of
- yregistrations.
-
- In particular, some ccTLDs have advertised for registrations outside
- the designated countries (or other entities), while others have made
- clear decisions to allow registrations by non-nationals. These
- decisions and others have produced protests from many sides,
- suggesting, in turn, that a recategorization is in order. For
- example, we have heard concerns by governments and managers of
- traditional, "public service", in-country, ccTLDs about excessive
- ICANN interference and fears of being forced to conform to
- internationally-set policies for dispute resolution when their
- domestic ones are considered more appropriate. We have also heard
- concerns from registrars and operators of externally-marketed ccTLDs
- about unreasonable government interference and from gTLD registrars
- and registries about unreasonable competition from aggressively
- marketed ccTLDs. The appropriate distinction is no longer between
- what RFC 1591 described as "generic" TLDs (but which were really
- intended to be "purpose-specific", a term I will use again below) and
- ccTLDs but among:
-
- (i) true "generic" TLDs, in which any registration is acceptable
- and, ordinarily, registrations from all sources are actively
- promoted. This list currently includes (the formerly purpose-
- specific) COM, NET, and ORG, and some ccTLDs. There have been
- proposals from time to time for additional TLDs of this variety in
- which, as with COM (and, more recently, NET and ORG) anyone
- (generally subject only to name conflicts and national law) could
- register who could pay the fees.
-
- (ii) purpose-specific TLDs, in which registration is accepted only
- from organizations or individuals meeting particular
- qualifications, but where those qualifications are not tied to
- national boundaries. This list currently includes INT, EDU, the
- infrastructure domain ARPA, and, arguably, the specialized US
- Government TLDs MIL and GOV. There have been proposals from time
- to time for other international TLDs of this variety, e.g., for
- medical entities such as physicians and hospitals and for museums.
- ICANN has recently approved several TLDs of this type and
- describes them as "sponsored" TLDs.
-
-
-
-
-
-Klensin Informational [Page 3]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
- (iii) Country domains, operated according to the original
- underlying assumptions of 1591, i.e., registrants are largely
- expected to be people or other entities within the country. While
- external registrations might be accepted by some of these, the
- country does not aggressively advertise for such registrations,
- nor does anyone expect to derive significant fee revenue from
- them. All current domains in this category are ccTLDs, but not
- all ccTLDs are in this category.
-
- These categories are clearly orthogonal to the association between
- the use of the IS 3166-1 registered code list [2] and two-letter
- "country" domain names. If that relationship is to be maintained
- (and I believe it is desirable), the only inherent requirement is
- that no two-letter TLDs be created except from that list (in order to
- avoid future conflicts). ICANN should control the allocation and
- delegation of TLDs using these, and other, criteria, but only
- registered 3166-1 two letter codes should be used as two-letter TLDs.
-
-2. Implications of the Categories
-
- If we had adopted this type of three-way categorization and could
- make it work, I believe it would have presented several opportunities
- for ICANN and the community more generally to reduce controversies
- and move forward. Of course, there will be cases where the
- categorization of a particular domain and its operating style will
- not be completely clear-cut (see section 3, below). But having ICANN
- work out procedures for dealing with those (probably few) situations
- appears preferable to strategies that would tend to propel ICANN into
- areas that are beyond its competence or that might require
- significant expansion of its mandate.
-
- First, the internally-operated ccTLDs (category iii above) should not
- be required to have much interaction with ICANN or vice versa. Once
- a domain of this sort is established and delegated, and assuming that
- the "admin contact in the country" rule is strictly observed, the
- domain should be able to function effectively without ICANN
- intervention or oversight. In particular, while a country might
- choose to adopt the general ICANN policies about dispute resolution
- or name management, issues that arise in these areas might equally
- well be dealt with exclusively under applicable national laws. If a
- domain chooses to use ICANN services that cost resources to provide,
- it should contribute to ICANN's support, but, if it does not, ICANN
- should not presume to charge it for other than a reasonable fraction
- of the costs to ICANN of operating the root, root servers, and any
- directory systems that are generally agreed upon to be necessary and
- in which the domain participates.
-
-
-
-
-
-Klensin Informational [Page 4]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
- By contrast, ccTLDs operated as generic domains ought to be treated
- as generic domains. ICANN dispute resolution and name management
- policies and any special rules developed to protect the Internet
- public in multiple registrar or registry situations should reasonably
- apply.
-
-3. Telling TLD types apart
-
- If appropriate policies are adopted, ccTLDs operated as generic
- domains (category (i) above) and those operated as country domains
- (category (iii) above) ought to be able to be self-identified. There
- are several criteria that could be applied to make this
- determination. For example, either a domain is aggressively seeking
- outside registrations or it is not and either the vast majority of
- registrants in a domain are in-country or they are not. One could
- also think of this as the issue of having some tangible level of
- presence in the jurisdiction - e.g., is the administrative contact
- subject, in practical terms, to the in-country laws, or are the
- registration rules such that it is reasonably likely that a court in
- the jurisdiction of the country associated with the domain can
- exercise jurisdiction and enforce a judgment against the registrant.
-
- One (fairly non-intrusive) rule ICANN might well impose on all top-
- level domains is that they identify and publish the policies they
- intend to use. E.g., registrants in a domain that will use the laws
- of one particular country to resolve disputes should have a
- reasonable opportunity to understand those policies prior to
- registration and to make other arrangements (e.g., to register
- elsewhere) if that mechanism for dispute resolution is not
- acceptable. Giving IANA (as the root registrar) incorrect
- information about the purpose and use of a domain should be subject
- to challenge, and should be grounds for reviewing the appropriateness
- of the domain delegation, just as not acting consistently and
- equitably provides such grounds under the original provisions of RFC
- 1591.
-
- In order to ensure the availability of accurate and up-to-date
- registration information the criteria must be consistent, and
- consistent with more traditional gTLDs, for all nominally country
- code domains operating as generic TLDs.
-
-4. The role of ICANN in country domains
-
- ICANN (and IANA) should, as described above, have as little
- involvement as possible in the direction of true country [code]
- domains (i.e., category (iii)). There is no particular reason why
-
-
-
-
-
-Klensin Informational [Page 5]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
- these domains should be subject to ICANN regulation beyond the basic
- principles of 1591 and associated arrangements needed to ensure
- Internet interoperability and stability.
-
- ICANN's avoiding such involvement strengthens it: the desirability of
- avoiding collisions with national sovereignty, determinations about
- government legitimacy, and the authority of someone purportedly
- writing on behalf of a government, is as important today as it was
- when 1591 was written. The alternatives take us quickly from
- "administration" into "internet governance" or, in the case of
- determining which claimant is the legitimate government of a country,
- "international relations", and the reasons for not moving in that
- particular direction are legion.
-
-5. The role of governments
-
- The history of IANA strategy in handling ccTLDs included three major
- "things to avoid" considerations:
-
- * Never get involved in determining which entities were countries
- and which ones were not.
-
- * Never get involved in determining who was, or was not, the
- legitimate government of a country. And, more generally, avoid
- deciding what entity --government, religion, commercial,
- academic, etc.-- has what legitimacy or rights.
-
- * If possible, never become involved in in-country disputes.
- Instead, very strongly encourage internal parties to work
- problems out among themselves. At most, adopt a role as
- mediator and educator, rather than judge, unless abuses are very
- clear and clearly will not be settled by any internal mechanism.
-
- All three considerations were obviously intended to avoid IANA's
- being dragged into a political morass in which it had (and, I
- suggest, has) no competence to resolve the issues and could only get
- bogged down. The first consideration was the most visible (and the
- easiest) and was implemented by strict and careful adherence (see
- below) to the ISO 3166 registered Country Code list. If an entity
- had a code, it was eligible to be registered with a TLD (although
- IANA was free to apply additional criteria-most of them stated in
- 1591). If it did not, there were no exceptions: the applicant's only
- recourse was a discussion with the 3166 Registration Authority (now
- Maintenance Agency, often known just as "3166/MA") or the UN
- Statistical Office (now Statistics Bureau), not with IANA.
-
-
-
-
-
-
-Klensin Informational [Page 6]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
- There are actually five ccTLD exceptions to the strict rules. One,
- "UK", is historical: it predates the adoption of ISO 3166 for this
- purpose. The others --Ascension Island, Guernsey, Isle of Man, and
- Jersey --are arguably, at least in retrospect, just mistakes.
- Regardless of the historical reasons (about which there has been much
- speculation), it is almost certainly the case that the right way to
- handle mistakes of this sort is to acknowledge them and move on,
- rather than trying to use them as precedents to justify more
- mistakes.
-
- This, obviously, is also the argument against use of the "reserved"
- list (technically internal to the 3166 maintenance activity, and not
- part of the Standard): since IANA (or ICANN) can ask that a name be
- placed on that list, there is no rule of an absolute determination by
- an external organization. Purported countries can come to ICANN,
- insist on having delegations made and persuade ICANN to ask that the
- names be reserved. Then, since the reserved name would exist, they
- could insist that the domain be delegated. Worse, someone could use
- another organization to request reservation of the name by 3166/MA;
- once it was reserved, ICANN might be hard-pressed not to do the
- delegation. Of course, ICANN could (and probably would be forced to)
- adopt additional criteria other than appearance on the "reserved
- list" in order to delegate such domains. But those criteria would
- almost certainly be nearly equivalent to determining which applicants
- were legitimate and stable enough to be considered a country, the
- exact decision process that 1591 strove to avoid.
-
- The other two considerations were more subtle and not always
- successful: from time to time, both before and after the formal
- policy shifted toward "governments could have their way", IANA
- received letters from people purporting to be competent government
- authorities asking for changes. Some of them turned out later to not
- have that authority or appropriate qualifications. The assumption of
- 1591 itself was that, if the "administrative contact in country" rule
- was strictly observed, as was the rule that delegation changes
- requested by the administrative contact would be honored, then, if a
- government _really_ wanted to assert itself, it could pressure the
- administrative contact into requesting the changes it wanted, using
- whatever would pass for due process in that country. And the ability
- to apply that process and pressure would effectively determine who
- was the government and who wasn't, and would do so far more
- effectively than any IANA evaluation of, e.g., whether the letterhead
- on a request looked authentic (and far more safely for ICANN than
- asking the opinion of any particular other government or selection of
- governments).
-
-
-
-
-
-
-Klensin Informational [Page 7]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
- Specific language in 1591 permitted IANA to adopt a "work it out
- yourselves; if we have to decide, we will strive for a solution that
- is not satisfactory to any party" stance. That approach was used
- successfully, along with large doses of education, on many occasions
- over the years, to avoid IANA's having to assume the role of judge
- between conflicting parties.
-
- Similar principles could be applied to the boundary between country-
- code-based generic TLDs and country domains. Different countries,
- under different circumstances, might prefer to operate the ccTLD
- either as a national service or as a profit center where the
- "customers" were largely external. Whatever decisions were made
- historically, general Internet stability argues that changes should
- not be made lightly. At the same time, if a government wishes to
- make a change, the best mechanism for doing so is not to involve
- ICANN in a potential determination of legitimacy (or even to have
- ICANN's Government Advisory Committee (GAC) try to formally make that
- decision for individual countries) but for the relevant government to
- use its own procedures to persuade the administrative contact to
- request the change and for IANA to promptly and efficiently carry out
- requests made by administrative contacts.
-
-6. Implications for the current ICANN DNSO structure.
-
- The arguments by some of the ccTLD administrators that they are
- different from the rest of the ICANN and DNSO structures are (in this
- model) correct: they are different. The ccTLDs that are operating as
- generic TLDs should be separated from the ccTLD constituency and
- joined to the gTLD constituency. The country ccTLDs should be
- separated from ICANN's immediate Supporting Organization structure,
- and operate in a parallel and advisory capacity to ICANN, similar to
- the arrangements used with the GAC. The DNSO and country TLDs should
- not be required to interact with each other except on a mutually
- voluntary basis and, if ICANN needs interaction or advice from some
- of all of those TLDs, it would be more appropriate to get it in the
- form of an advisory body like the GAC rather than as DNSO
- constituency.
-
-7. References
-
- [1] Postel, J., "Domain Name System Structure and Delegation", RFC
- 1591, March 1994.
-
- [2] ISO 3166. ISO 3166-1. Codes for the representation of names of
- countries and their subdivisions - Part 1: Country codes (1997).
-
-
-
-
-
-
-Klensin Informational [Page 8]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
-8. Acknowledgements and disclaimer
-
- These reflections have been prepared in my individual capacity and do
- not necessarily reflect the views of my past or present employers.
- Several people, including Randy Bush, Theresa Swinehart, Zita Wenzel,
- Geoff Huston, Havard Eidnes, and several anonymous reviewers, made
- suggestions or offered editorial comments about earlier versions of
- this document. Cord Wischhoefer, of the ISO 3166/MA, was also kind
- enough to look at the draft and supplied some useful details. Those
- comments contributed significantly to whatever clarity the document
- has, but the author bears responsibility for the selection of
- comments which were ultimately incorporated and the way in which the
- conclusions were presented.
-
-9. Security Considerations
-
- This memo addresses the context for a set of administrative decisions
- and procedures, and does not raise or address security issues.
-
-10. Author's Address
-
- John C. Klensin
- 1770 Massachusetts Ave, Suite 322
- Cambridge, MA 02140, USA
-
- EMail: klensin@jck.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Klensin Informational [Page 9]
-
-RFC 3071 Reflections on the DNS and RFC 1591 February 2001
-
-
-11. Full Copyright Statement
-
- Copyright (C) The Internet Society 2001. All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others provided that the above copyright notice and this paragraph
- are included on all such copies. However, this document itself may
- not be modified in any way, such as by removing the copyright notice
- or references to the Internet Society or other Internet
- organizations, except as required to translate it into languages
- other than English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Klensin Informational [Page 10]
-
diff --git a/contrib/bind9/doc/rfc/rfc3090.txt b/contrib/bind9/doc/rfc/rfc3090.txt
deleted file mode 100644
index 08008f7a3ddd..000000000000
--- a/contrib/bind9/doc/rfc/rfc3090.txt
+++ /dev/null
@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group E. Lewis
-Request for Comments: 3090 NAI Labs
-Category: Standards Track March 2001
-
-
- DNS Security Extension Clarification on Zone Status
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- The definition of a secured zone is presented, clarifying and
- updating sections of RFC 2535. RFC 2535 defines a zone to be secured
- based on a per algorithm basis, e.g., a zone can be secured with RSA
- keys, and not secured with DSA keys. This document changes this to
- define a zone to be secured or not secured regardless of the key
- algorithm used (or not used). To further simplify the determination
- of a zone's status, "experimentally secure" status is deprecated.
-
-1 Introduction
-
- Whether a DNS zone is "secured" or not is a question asked in at
- least four contexts. A zone administrator asks the question when
- configuring a zone to use DNSSEC. A dynamic update server asks the
- question when an update request arrives, which may require DNSSEC
- processing. A delegating zone asks the question of a child zone when
- the parent enters data indicating the status the child. A resolver
- asks the question upon receipt of data belonging to the zone.
-
-1.1 When a Zone's Status is Important
-
- A zone administrator needs to be able to determine what steps are
- needed to make the zone as secure as it can be. Realizing that due
- to the distributed nature of DNS and its administration, any single
- zone is at the mercy of other zones when it comes to the appearance
- of security. This document will define what makes a zone qualify as
- secure.
-
-
-
-
-Lewis Standards Track [Page 1]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
- A name server performing dynamic updates needs to know whether a zone
- being updated is to have signatures added to the updated data, NXT
- records applied, and other required processing. In this case, it is
- conceivable that the name server is configured with the knowledge,
- but being able to determine the status of a zone by examining the
- data is a desirable alternative to configuration parameters.
-
- A delegating zone is required to indicate whether a child zone is
- secured. The reason for this requirement lies in the way in which a
- resolver makes its own determination about a zone (next paragraph).
- To shorten a long story, a parent needs to know whether a child
- should be considered secured. This is a two part question. Under
- what circumstances does a parent consider a child zone to be secure,
- and how does a parent know if the child conforms?
-
- A resolver needs to know if a zone is secured when the resolver is
- processing data from the zone. Ultimately, a resolver needs to know
- whether or not to expect a usable signature covering the data. How
- this determination is done is out of the scope of this document,
- except that, in some cases, the resolver will need to contact the
- parent of the zone to see if the parent states that the child is
- secured.
-
-1.2 Islands of Security
-
- The goal of DNSSEC is to have each zone secured, from the root zone
- and the top-level domains down the hierarchy to the leaf zones.
- Transitioning from an unsecured DNS, as we have now, to a fully
- secured - or "as much as will be secured" - tree will take some time.
- During this time, DNSSEC will be applied in various locations in the
- tree, not necessarily "top down."
-
- For example, at a particular instant, the root zone and the "test."
- TLD might be secured, but region1.test. might not be. (For
- reference, let's assume that region2.test. is secured.) However,
- subarea1.region1.test. may have gone through the process of becoming
- secured, along with its delegations. The dilemma here is that
- subarea1 cannot get its zone keys properly signed as its parent zone,
- region1, is not secured.
-
- The colloquial phrase describing the collection of contiguous secured
- zones at or below subarea1.region1.test. is an "island of security."
- The only way in which a DNSSEC resolver will come to trust any data
- from this island is if the resolver is pre-configured with the zone
- key(s) for subarea1.region1.test., i.e., the root of the island of
- security. Other resolvers (not so configured) will recognize this
- island as unsecured.
-
-
-
-
-Lewis Standards Track [Page 2]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
- An island of security begins with one zone whose public key is pre-
- configured in resolvers. Within this island are subzones which are
- also secured. The "bottom" of the island is defined by delegations
- to unsecured zones. One island may also be on top of another -
- meaning that there is at least one unsecured zone between the bottom
- of the upper island and the root of the lower secured island.
-
- Although both subarea1.region1.test. and region2.test. have both been
- properly brought to a secured state by the administering staff, only
- the latter of the two is actually "globally" secured - in the sense
- that all DNSSEC resolvers can and will verify its data. The former,
- subarea1, will be seen as secured by a subset of those resolvers,
- just those appropriately configured. This document refers to such
- zones as being "locally" secured.
-
- In RFC 2535, there is a provision for "certification authorities,"
- entities that will sign public keys for zones such as subarea1.
- There is another document, [RFC3008], that restricts this activity.
- Regardless of the other document, resolvers would still need proper
- configuration to be able to use the certification authority to verify
- the data for the subarea1 island.
-
-1.2.1 Determining the closest security root
-
- Given a domain, in order to determine whether it is secure or not,
- the first step is to determine the closest security root. The
- closest security root is the top of an island of security whose name
- has the most matching (in order from the root) right-most labels to
- the given domain.
-
- For example, given a name "sub.domain.testing.signed.exp.test.", and
- given the secure roots "exp.test.", "testing.signed.exp.test." and
- "not-the-same.xy.", the middle one is the closest. The first secure
- root shares 2 labels, the middle 4, and the last 0.
-
- The reason why the closest is desired is to eliminate false senses of
- insecurity because of a NULL key. Continuing with the example, the
- reason both "testing..." and "exp.test." are listed as secure root is
- presumably because "signed.exp.test." is unsecured (has a NULL key).
- If we started to descend from "exp.test." to our given domain
- (sub...), we would encounter a NULL key and conclude that sub... was
- unsigned. However, if we descend from "testing..." and find keys
- "domain...." then we can conclude that "sub..." is secured.
-
- Note that this example assumes one-label deep zones, and assumes that
- we do not configure overlapping islands of security. To be clear,
- the definition given should exclude "short.xy.test." from being a
- closest security root for "short.xy." even though 2 labels match.
-
-
-
-Lewis Standards Track [Page 3]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
- Overlapping islands of security introduce no conceptually interesting
- ideas and do not impact the protocol in anyway. However, protocol
- implementers are advised to make sure their code is not thrown for a
- loop by overlaps. Overlaps are sure to be configuration problems as
- islands of security grow to encompass larger regions of the name
- space.
-
-1.3 Parent Statement of Child Security
-
- In 1.1 of this document, there is the comment "the parent states that
- the child is secured." This has caused quite a bit of confusion.
-
- The need to have the parent "state" the status of a child is derived
- from the following observation. If you are looking to see if an
- answer is secured, that it comes from an "island of security" and is
- properly signed, you must begin at the (appropriate) root of the
- island of security.
-
- To find the answer you are inspecting, you may have to descend
- through zones within the island of security. Beginning with the
- trusted root of the island, you descend into the next zone down. As
- you trust the upper zone, you need to get data from it about the next
- zone down, otherwise there is a vulnerable point in which a zone can
- be hijacked. When or if you reach a point of traversing from a
- secured zone to an unsecured zone, you have left the island of
- security and should conclude that the answer is unsecured.
-
- However, in RFC 2535, section 2.3.4, these words seem to conflict
- with the need to have the parent "state" something about a child:
-
- There MUST be a zone KEY RR, signed by its superzone, for every
- subzone if the superzone is secure. This will normally appear in
- the subzone and may also be included in the superzone. But, in
- the case of an unsecured subzone which can not or will not be
- modified to add any security RRs, a KEY declaring the subzone to
- be unsecured MUST appear with the superzone signature in the
- superzone, if the superzone is secure.
-
- The confusion here is that in RFC 2535, a secured parent states that
- a child is secured by SAYING NOTHING ("may also be" as opposed to
- "MUST also be"). This is counter intuitive, the fact that an absence
- of data means something is "secured." This notion, while acceptable
- in a theoretic setting has met with some discomfort in an operation
- setting. However, the use of "silence" to state something does
- indeed work in this case, so there hasn't been sufficient need
- demonstrated to change the definition.
-
-
-
-
-
-Lewis Standards Track [Page 4]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
-1.4 Impact on RFC 2535
-
- This document updates sections of RFC 2535. The definition of a
- secured zone is an update to section 3.4 of the RFC. Section 3.4 is
- updated to eliminate the definition of experimental keys and
- illustrate a way to still achieve the functionality they were
- designed to provide. Section 3.1.3 is updated by the specifying the
- value of the protocol octet in a zone key.
-
-1.5 "MUST" and other key words
-
- The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
- in this document are to be interpreted as described in [RFC 2119].
- Currently, only "MUST" is used in this document.
-
-2 Status of a Zone
-
- In this section, rules governing a zone's DNSSEC status are
- presented. There are three levels of security defined: global,
- local, and unsecured. A zone is globally secure when it complies
- with the strictest set of DNSSEC processing rules. A zone is locally
- secured when it is configured in such a way that only resolvers that
- are appropriately configured see the zone as secured. All other
- zones are unsecured.
-
- Note: there currently is no document completely defining DNSSEC
- verification rules. For the purposes of this document, the strictest
- rules are assumed to state that the verification chain of zone keys
- parallels the delegation tree up to the root zone. (See 2.b below.)
- This is not intended to disallow alternate verification paths, just
- to establish a baseline definition.
-
- To avoid repetition in the rules below, the following terms are
- defined.
-
- 2.a Zone signing KEY RR - A KEY RR whose flag field has the value 01
- for name type (indicating a zone key) and either value 00 or value 01
- for key type (indicating a key permitted to authenticate data). (See
- RFC 2535, section 3.1.2). The KEY RR also has a protocol octet value
- of DNSSEC (3) or ALL (255).
-
- The definition updates RFC 2535's definition of a zone key. The
- requirement that the protocol field be either DNSSEC or ALL is a new
- requirement (a change to section 3.1.3.)
-
- 2.b On-tree Validation - The authorization model in which only the
- parent zone is recognized to supply a DNSSEC-meaningful signature
- that is used by a resolver to build a chain of trust from the child's
-
-
-
-Lewis Standards Track [Page 5]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
- keys to a recognized root of security. The term "on-tree" refers to
- following the DNS domain hierarchy (upwards) to reach a trusted key,
- presumably the root key if no other key is available. The term
- "validation" refers to the digital signature by the parent to prove
- the integrity, authentication and authorization of the child's key to
- sign the child's zone data.
-
- 2.c Off-tree Validation - Any authorization model that permits domain
- names other than the parent's to provide a signature over a child's
- zone keys that will enable a resolver to trust the keys.
-
-2.1 Globally Secured
-
- A globally secured zone, in a nutshell, is a zone that uses only
- mandatory to implement algorithms (RFC 2535, section 3.2) and relies
- on a key certification chain that parallels the delegation tree (on-
- tree validation). Globally secured zones are defined by the
- following rules.
-
- 2.1.a. The zone's apex MUST have a KEY RR set. There MUST be at
- least one zone signing KEY RR (2.a) of a mandatory to implement
- algorithm in the set.
-
- 2.1.b. The zone's apex KEY RR set MUST be signed by a private key
- belonging to the parent zone. The private key's public companion
- MUST be a zone signing KEY RR (2.a) of a mandatory to implement
- algorithm and owned by the parent's apex.
-
- If a zone cannot get a conforming signature from the parent zone, the
- child zone cannot be considered globally secured. The only exception
- to this is the root zone, for which there is no parent zone.
-
- 2.1.c. NXT records MUST be deployed throughout the zone. (Clarifies
- RFC 2535, section 2.3.2.) Note: there is some operational discomfort
- with the current NXT record. This requirement is open to
- modification when two things happen. First, an alternate mechanism
- to the NXT is defined and second, a means by which a zone can
- indicate that it is using an alternate method.
-
- 2.1.d. Each RR set that qualifies for zone membership MUST be signed
- by a key that is in the apex's KEY RR set and is a zone signing KEY
- RR (2.a) of a mandatory to implement algorithm. (Updates 2535,
- section 2.3.1.)
-
- Mentioned earlier, the root zone is a special case. The root zone
- will be considered to be globally secured provided that if conforms
- to the rules for locally secured, with the exception that rule 2.1.a.
- be also met (mandatory to implement requirement).
-
-
-
-Lewis Standards Track [Page 6]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
-2.2 Locally Secured
-
- The term "locally" stems from the likely hood that the only resolvers
- to be configured for a particular zone will be resolvers "local" to
- an organization.
-
- A locally secured zone is a zone that complies with rules like those
- for a globally secured zone with the following exceptions. The
- signing keys may be of an algorithm that is not mandatory to
- implement and/or the verification of the zone keys in use may rely on
- a verification chain that is not parallel to the delegation tree
- (off-tree validation).
-
- 2.2.a. The zone's apex MUST have a KEY RR set. There MUST be at
- least one zone signing KEY RR (2.a) in the set.
-
- 2.2.b. The zone's apex KEY RR set MUST be signed by a private key and
- one of the following two subclauses MUST hold true.
-
- 2.2.b.1 The private key's public companion MUST be pre-configured in
- all the resolvers of interest.
-
- 2.2.b.2 The private key's public companion MUST be a zone signing KEY
- RR (2.a) authorized to provide validation of the zone's apex KEY RR
- set, as recognized by resolvers of interest.
-
- The previous sentence is trying to convey the notion of using a
- trusted third party to provide validation of keys. If the domain
- name owning the validating key is not the parent zone, the domain
- name must represent someone the resolver trusts to provide
- validation.
-
- 2.2.c. NXT records MUST be deployed throughout the zone. Note: see
- the discussion following 2.1.c.
-
- 2.2.d. Each RR set that qualifies for zone membership MUST be signed
- by a key that is in the apex's KEY RR set and is a zone signing KEY
- RR (2.a). (Updates 2535, section 2.3.1.)
-
-2.3 Unsecured
-
- All other zones qualify as unsecured. This includes zones that are
- designed to be experimentally secure, as defined in a later section
- on that topic.
-
-
-
-
-
-
-
-Lewis Standards Track [Page 7]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
-2.4 Wrap up
-
- The designation of globally secured, locally secured, and unsecured
- are merely labels to apply to zones, based on their contents.
- Resolvers, when determining whether a signature is expected or not,
- will only see a zone as secured or unsecured.
-
- Resolvers that follow the most restrictive DNSSEC verification rules
- will only see globally secured zones as secured, and all others as
- unsecured, including zones which are locally secured. Resolvers that
- are not as restrictive, such as those that implement algorithms in
- addition to the mandatory to implement algorithms, will see some
- locally secured zones as secured.
-
- The intent of the labels "global" and "local" is to identify the
- specific attributes of a zone. The words are chosen to assist in the
- writing of a document recommending the actions a zone administrator
- take in making use of the DNS security extensions. The words are
- explicitly not intended to convey a state of compliance with DNS
- security standards.
-
-3 Experimental Status
-
- The purpose of an experimentally secured zone is to facilitate the
- migration from an unsecured zone to a secured zone. This distinction
- is dropped.
-
- The objective of facilitating the migration can be achieved without a
- special designation of an experimentally secure status.
- Experimentally secured is a special case of locally secured. A zone
- administrator can achieve this by publishing a zone with signatures
- and configuring a set of test resolvers with the corresponding public
- keys. Even if the public key is published in a KEY RR, as long as
- there is no parent signature, the resolvers will need some pre-
- configuration to know to process the signatures. This allows a zone
- to be secured with in the sphere of the experiment, yet still be
- registered as unsecured in the general Internet.
-
-4 IANA Considerations
-
- This document does not request any action from an assigned number
- authority nor recommends any actions.
-
-
-
-
-
-
-
-
-
-Lewis Standards Track [Page 8]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
-5 Security Considerations
-
- Without a means to enforce compliance with specified protocols or
- recommended actions, declaring a DNS zone to be "completely" secured
- is impossible. Even if, assuming an omnipotent view of DNS, one can
- declare a zone to be properly configured for security, and all of the
- zones up to the root too, a misbehaving resolver could be duped into
- believing bad data. If a zone and resolver comply, a non-compliant
- or subverted parent could interrupt operations. The best that can be
- hoped for is that all parties are prepared to be judged secure and
- that security incidents can be traced to the cause in short order.
-
-6 Acknowledgements
-
- The need to refine the definition of a secured zone has become
- apparent through the efforts of the participants at two DNSSEC
- workshops, sponsored by the NIC-SE (.se registrar), CAIRN (a DARPA-
- funded research network), and other workshops. Further discussions
- leading to the document include Olafur Gudmundsson, Russ Mundy,
- Robert Watson, and Brian Wellington. Roy Arends, Ted Lindgreen and
- others have contributed significant input via the namedroppers
- mailing list.
-
-7 References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2136] Vixie, P., (Ed.), Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System", RFC 2136,
- April 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [RFC3007] Wellington, B., "Simple Secure Domain Name System (DNS)
- Dynamic Update", RFC 3007, November 2000.
-
- [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
- Signing Authority", RFC 3008, November 2000.
-
-
-
-
-
-Lewis Standards Track [Page 9]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
-10 Author's Address
-
- Edward Lewis
- NAI Labs
- 3060 Washington Road Glenwood
- MD 21738
-
- Phone: +1 443 259 2352
- EMail: lewis@tislabs.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lewis Standards Track [Page 10]
-
-RFC 3090 DNS Security Extension on Zone Status March 2001
-
-
-11 Full Copyright Statement
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lewis Standards Track [Page 11]
-
diff --git a/contrib/bind9/doc/rfc/rfc3110.txt b/contrib/bind9/doc/rfc/rfc3110.txt
deleted file mode 100644
index 764694860c60..000000000000
--- a/contrib/bind9/doc/rfc/rfc3110.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Eastlake 3rd
-Request for Comments: 3110 Motorola
-Obsoletes: 2537 May 2001
-Category: Standards Track
-
-
- RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- This document describes how to produce RSA/SHA1 SIG resource records
- (RRs) in Section 3 and, so as to completely replace RFC 2537,
- describes how to produce RSA KEY RRs in Section 2.
-
- Since the adoption of a Proposed Standard for RSA signatures in the
- DNS (Domain Name Space), advances in hashing have been made. A new
- DNS signature algorithm is defined to make these advances available
- in SIG RRs. The use of the previously specified weaker mechanism is
- deprecated. The algorithm number of the RSA KEY RR is changed to
- correspond to this new SIG algorithm. No other changes are made to
- DNS security.
-
-Acknowledgements
-
- Material and comments from the following have been incorporated and
- are gratefully acknowledged:
-
- Olafur Gudmundsson
-
- The IESG
-
- Charlie Kaufman
-
- Steve Wang
-
-
-
-
-
-D. Eastlake 3rd Standards Track [Page 1]
-
-RFC 3110 RSA SIGs and KEYs in the DNS May 2001
-
-
-Table of Contents
-
- 1. Introduction................................................... 2
- 2. RSA Public KEY Resource Records................................ 3
- 3. RSA/SHA1 SIG Resource Records.................................. 3
- 4. Performance Considerations..................................... 4
- 5. IANA Considerations............................................ 5
- 6. Security Considerations........................................ 5
- References........................................................ 5
- Author's Address.................................................. 6
- Full Copyright Statement.......................................... 7
-
-1. Introduction
-
- The Domain Name System (DNS) is the global hierarchical replicated
- distributed database system for Internet addressing, mail proxy, and
- other information [RFC1034, 1035, etc.]. The DNS has been extended
- to include digital signatures and cryptographic keys as described in
- [RFC2535]. Thus the DNS can now be secured and used for secure key
- distribution.
-
- Familiarity with the RSA and SHA-1 algorithms is assumed [Schneier,
- FIP180] in this document.
-
- RFC 2537 described how to store RSA keys and RSA/MD5 based signatures
- in the DNS. However, since the adoption of RFC 2537, continued
- cryptographic research has revealed hints of weakness in the MD5
- [RFC1321] algorithm used in RFC 2537. The SHA1 Secure Hash Algorithm
- [FIP180], which produces a larger hash, has been developed. By now
- there has been sufficient experience with SHA1 that it is generally
- acknowledged to be stronger than MD5. While this stronger hash is
- probably not needed today in most secure DNS zones, critical zones
- such a root, most top level domains, and some second and third level
- domains, are sufficiently valuable targets that it would be negligent
- not to provide what are generally agreed to be stronger mechanisms.
- Furthermore, future advances in cryptanalysis and/or computer speeds
- may require a stronger hash everywhere. In addition, the additional
- computation required by SHA1 above that required by MD5 is
- insignificant compared with the computational effort required by the
- RSA modular exponentiation.
-
- This document describes how to produce RSA/SHA1 SIG RRs in Section 3
- and, so as to completely replace RFC 2537, describes how to produce
- RSA KEY RRs in Section 2.
-
- Implementation of the RSA algorithm in DNS with SHA1 is MANDATORY for
- DNSSEC. The generation of RSA/MD5 SIG RRs as described in RFC 2537
- is NOT RECOMMENDED.
-
-
-
-D. Eastlake 3rd Standards Track [Page 2]
-
-RFC 3110 RSA SIGs and KEYs in the DNS May 2001
-
-
- The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", "NOT
- RECOMMENDED", and "MAY" in this document are to be interpreted as
- described in RFC 2119.
-
-2. RSA Public KEY Resource Records
-
- RSA public keys are stored in the DNS as KEY RRs using algorithm
- number 5 [RFC2535]. The structure of the algorithm specific portion
- of the RDATA part of such RRs is as shown below.
-
- Field Size
- ----- ----
- exponent length 1 or 3 octets (see text)
- exponent as specified by length field
- modulus remaining space
-
- For interoperability, the exponent and modulus are each limited to
- 4096 bits in length. The public key exponent is a variable length
- unsigned integer. Its length in octets is represented as one octet
- if it is in the range of 1 to 255 and by a zero octet followed by a
- two octet unsigned length if it is longer than 255 bytes. The public
- key modulus field is a multiprecision unsigned integer. The length
- of the modulus can be determined from the RDLENGTH and the preceding
- RDATA fields including the exponent. Leading zero octets are
- prohibited in the exponent and modulus.
-
- Note: KEY RRs for use with RSA/SHA1 DNS signatures MUST use this
- algorithm number (rather than the algorithm number specified in the
- obsoleted RFC 2537).
-
- Note: This changes the algorithm number for RSA KEY RRs to be the
- same as the new algorithm number for RSA/SHA1 SIGs.
-
-3. RSA/SHA1 SIG Resource Records
-
- RSA/SHA1 signatures are stored in the DNS using SIG resource records
- (RRs) with algorithm number 5.
-
- The signature portion of the SIG RR RDATA area, when using the
- RSA/SHA1 algorithm, is calculated as shown below. The data signed is
- determined as specified in RFC 2535. See RFC 2535 for fields in the
- SIG RR RDATA which precede the signature itself.
-
- hash = SHA1 ( data )
-
- signature = ( 01 | FF* | 00 | prefix | hash ) ** e (mod n)
-
-
-
-
-
-D. Eastlake 3rd Standards Track [Page 3]
-
-RFC 3110 RSA SIGs and KEYs in the DNS May 2001
-
-
- where SHA1 is the message digest algorithm documented in [FIP180],
- "|" is concatenation, "e" is the private key exponent of the signer,
- and "n" is the modulus of the signer's public key. 01, FF, and 00
- are fixed octets of the corresponding hexadecimal value. "prefix" is
- the ASN.1 BER SHA1 algorithm designator prefix required in PKCS1
- [RFC2437], that is,
-
- hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14
-
- This prefix is included to make it easier to use standard
- cryptographic libraries. The FF octet MUST be repeated the maximum
- number of times such that the value of the quantity being
- exponentiated is one octet shorter than the value of n.
-
- (The above specifications are identical to the corresponding parts of
- Public Key Cryptographic Standard #1 [RFC2437].)
-
- The size of "n", including most and least significant bits (which
- will be 1) MUST be not less than 512 bits and not more than 4096
- bits. "n" and "e" SHOULD be chosen such that the public exponent is
- small. These are protocol limits. For a discussion of key size see
- RFC 2541.
-
- Leading zero bytes are permitted in the RSA/SHA1 algorithm signature.
-
-4. Performance Considerations
-
- General signature generation speeds are roughly the same for RSA and
- DSA [RFC2536]. With sufficient pre-computation, signature generation
- with DSA is faster than RSA. Key generation is also faster for DSA.
- However, signature verification is an order of magnitude slower with
- DSA when the RSA public exponent is chosen to be small as is
- recommended for KEY RRs used in domain name system (DNS) data
- authentication.
-
- A public exponent of 3 minimizes the effort needed to verify a
- signature. Use of 3 as the public exponent is weak for
- confidentiality uses since, if the same data can be collected
- encrypted under three different keys with an exponent of 3 then,
- using the Chinese Remainder Theorem [NETSEC], the original plain text
- can be easily recovered. If a key is known to be used only for
- authentication, as is the case with DNSSEC, then an exponent of 3 is
- acceptable. However other applications in the future may wish to
- leverage DNS distributed keys for applications that do require
- confidentiality. For keys which might have such other uses, a more
- conservative choice would be 65537 (F4, the fourth fermat number).
-
-
-
-
-
-D. Eastlake 3rd Standards Track [Page 4]
-
-RFC 3110 RSA SIGs and KEYs in the DNS May 2001
-
-
- Current DNS implementations are optimized for small transfers,
- typically less than 512 bytes including DNS overhead. Larger
- transfers will perform correctly and extensions have been
- standardized [RFC2671] to make larger transfers more efficient, it is
- still advisable at this time to make reasonable efforts to minimize
- the size of KEY RR sets stored within the DNS consistent with
- adequate security. Keep in mind that in a secure zone, at least one
- authenticating SIG RR will also be returned.
-
-5. IANA Considerations
-
- The DNSSEC algorithm number 5 is allocated for RSA/SHA1 SIG RRs and
- RSA KEY RRs.
-
-6. Security Considerations
-
- Many of the general security considerations in RFC 2535 apply. Keys
- retrieved from the DNS should not be trusted unless (1) they have
- been securely obtained from a secure resolver or independently
- verified by the user and (2) this secure resolver and secure
- obtainment or independent verification conform to security policies
- acceptable to the user. As with all cryptographic algorithms,
- evaluating the necessary strength of the key is essential and
- dependent on local policy. For particularly critical applications,
- implementers are encouraged to consider the range of available
- algorithms and key sizes. See also RFC 2541, "DNS Security
- Operational Considerations".
-
-References
-
- [FIP180] U.S. Department of Commerce, "Secure Hash Standard", FIPS
- PUB 180-1, 17 Apr 1995.
-
- [NETSEC] Network Security: PRIVATE Communications in a PUBLIC
- World, Charlie Kaufman, Radia Perlman, & Mike Speciner,
- Prentice Hall Series in Computer Networking and
- Distributed Communications, 1995.
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
- April 1992.
-
-
-
-
-
-D. Eastlake 3rd Standards Track [Page 5]
-
-RFC 3110 RSA SIGs and KEYs in the DNS May 2001
-
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
- Specifications Version 2.0", RFC 2437, October 1998.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
- (DNS)", RFC 2536, March 1999.
-
- [RFC2537] Eastlake, D., "RSA/MD5 KEYs and SIGs in the Domain Name
- System (DNS)", RFC 2537, March 1999.
-
- [RFC2541] Eastlake, D., "DNS Security Operational Considerations",
- RFC 2541, March 1999.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [Schneier] Bruce Schneier, "Applied Cryptography Second Edition:
- protocols, algorithms, and source code in C", 1996, John
- Wiley and Sons, ISBN 0-471-11709-9.
-
-Author's Address
-
- Donald E. Eastlake 3rd
- Motorola
- 155 Beaver Street
- Milford, MA 01757 USA
-
- Phone: +1-508-261-5434 (w)
- +1-508-634-2066 (h)
- Fax +1-508-261-4777 (w)
- EMail: Donald.Eastlake@motorola.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd Standards Track [Page 6]
-
-RFC 3110 RSA SIGs and KEYs in the DNS May 2001
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-D. Eastlake 3rd Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc3123.txt b/contrib/bind9/doc/rfc/rfc3123.txt
deleted file mode 100644
index 3b2fe00e5ee8..000000000000
--- a/contrib/bind9/doc/rfc/rfc3123.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Koch
-Request for Comments: 3123 Universitaet Bielefeld
-Category: Experimental June 2001
-
-
- A DNS RR Type for Lists of Address Prefixes (APL RR)
-
-Status of this Memo
-
- This memo defines an Experimental Protocol for the Internet
- community. It does not specify an Internet standard of any kind.
- Discussion and suggestions for improvement are requested.
- Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- The Domain Name System (DNS) is primarily used to translate domain
- names into IPv4 addresses using A RRs (Resource Records). Several
- approaches exist to describe networks or address ranges. This
- document specifies a new DNS RR type "APL" for address prefix lists.
-
-1. Conventions used in this document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
- Domain names herein are for explanatory purposes only and should not
- be expected to lead to useful information in real life [RFC2606].
-
-2. Background
-
- The Domain Name System [RFC1034], [RFC1035] provides a mechanism to
- associate addresses and other Internet infrastructure elements with
- hierarchically built domain names. Various types of resource records
- have been defined, especially those for IPv4 and IPv6 [RFC2874]
- addresses. In [RFC1101] a method is described to publish information
- about the address space allocated to an organisation. In older BIND
- versions, a weak form of controlling access to zone data was
- implemented using TXT RRs describing address ranges.
-
- This document specifies a new RR type for address prefix lists.
-
-
-
-
-
-Koch Experimental [Page 1]
-
-RFC 3123 DNS APL RR June 2001
-
-
-3. APL RR Type
-
- An APL record has the DNS type of "APL" and a numeric value of 42
- [IANA]. The APL RR is defined in the IN class only. APL RRs cause
- no additional section processing.
-
-4. APL RDATA format
-
- The RDATA section consists of zero or more items (<apitem>) of the
- form
-
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- | ADDRESSFAMILY |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- | PREFIX | N | AFDLENGTH |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
- / AFDPART /
- | |
- +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
-
- ADDRESSFAMILY 16 bit unsigned value as assigned by IANA
- (see IANA Considerations)
- PREFIX 8 bit unsigned binary coded prefix length.
- Upper and lower bounds and interpretation of
- this value are address family specific.
- N negation flag, indicates the presence of the
- "!" character in the textual format. It has
- the value "1" if the "!" was given, "0" else.
- AFDLENGTH length in octets of the following address
- family dependent part (7 bit unsigned).
- AFDPART address family dependent part. See below.
-
- This document defines the AFDPARTs for address families 1 (IPv4) and
- 2 (IPv6). Future revisions may deal with additional address
- families.
-
-4.1. AFDPART for IPv4
-
- The encoding of an IPv4 address (address family 1) follows the
- encoding specified for the A RR by [RFC1035], section 3.4.1.
-
- PREFIX specifies the number of bits of the IPv4 address starting at
- the most significant bit. Legal values range from 0 to 32.
-
- Trailing zero octets do not bear any information (e.g., there is no
- semantic difference between 10.0.0.0/16 and 10/16) in an address
- prefix, so the shortest possible AFDLENGTH can be used to encode it.
- However, for DNSSEC [RFC2535] a single wire encoding must be used by
-
-
-
-Koch Experimental [Page 2]
-
-RFC 3123 DNS APL RR June 2001
-
-
- all. Therefore the sender MUST NOT include trailing zero octets in
- the AFDPART regardless of the value of PREFIX. This includes cases
- in which AFDLENGTH times 8 results in a value less than PREFIX. The
- AFDPART is padded with zero bits to match a full octet boundary.
-
- An IPv4 AFDPART has a variable length of 0 to 4 octets.
-
-4.2. AFDPART for IPv6
-
- The 128 bit IPv6 address (address family 2) is encoded in network
- byte order (high-order byte first).
-
- PREFIX specifies the number of bits of the IPv6 address starting at
- the most significant bit. Legal values range from 0 to 128.
-
- With the same reasoning as in 4.1 above, the sender MUST NOT include
- trailing zero octets in the AFDPART regardless of the value of
- PREFIX. This includes cases in which AFDLENGTH times 8 results in a
- value less than PREFIX. The AFDPART is padded with zero bits to
- match a full octet boundary.
-
- An IPv6 AFDPART has a variable length of 0 to 16 octets.
-
-5. Zone File Syntax
-
- The textual representation of an APL RR in a DNS zone file is as
- follows:
-
- <owner> IN <TTL> APL {[!]afi:address/prefix}*
-
- The data consists of zero or more strings of the address family
- indicator <afi>, immediately followed by a colon ":", an address,
- immediately followed by the "/" character, immediately followed by a
- decimal numeric value for the prefix length. Any such string may be
- preceded by a "!" character. The strings are separated by
- whitespace. The <afi> is the decimal numeric value of that
- particular address family.
-
-5.1. Textual Representation of IPv4 Addresses
-
- An IPv4 address in the <address> part of an <apitem> is in dotted
- quad notation, just as in an A RR. The <prefix> has values from the
- interval 0..32 (decimal).
-
-
-
-
-
-
-
-
-Koch Experimental [Page 3]
-
-RFC 3123 DNS APL RR June 2001
-
-
-5.2. Textual Representation of IPv6 Addresses
-
- The representation of an IPv6 address in the <address> part of an
- <apitem> follows [RFC2373], section 2.2. Legal values for <prefix>
- are from the interval 0..128 (decimal).
-
-6. APL RR usage
-
- An APL RR with empty RDATA is valid and implements an empty list.
- Multiple occurrences of the same <apitem> in a single APL RR are
- allowed and MUST NOT be merged by a DNS server or resolver.
- <apitems> MUST be kept in order and MUST NOT be rearranged or
- aggregated.
-
- A single APL RR may contain <apitems> belonging to different address
- families. The maximum number of <apitems> is upper bounded by the
- available RDATA space.
-
- RRSets consisting of more than one APL RR are legal but the
- interpretation is left to the particular application.
-
-7. Applicability Statement
-
- The APL RR defines a framework without specifying any particular
- meaning for the list of prefixes. It is expected that APL RRs will
- be used in different application scenarios which have to be
- documented separately. Those scenarios may be distinguished by
- characteristic prefixes placed in front of the DNS owner name.
-
- An APL application specification MUST include information on
-
- o the characteristic prefix, if any
-
- o how to interpret APL RRSets consisting of more than one RR
-
- o how to interpret an empty APL RR
-
- o which address families are expected to appear in the APL RRs for
- that application
-
- o how to deal with APL RR list elements which belong to other
- address families, including those not yet defined
-
- o the exact semantics of list elements negated by the "!" character
-
-
-
-
-
-
-
-Koch Experimental [Page 4]
-
-RFC 3123 DNS APL RR June 2001
-
-
- Possible applications include the publication of address ranges
- similar to [RFC1101], description of zones built following [RFC2317]
- and in-band access control to limit general access or zone transfer
- (AXFR) availability for zone data held in DNS servers.
-
- The specification of particular application scenarios is out of the
- scope of this document.
-
-8. Examples
-
- The following examples only illustrate some of the possible usages
- outlined in the previous section. None of those applications are
- hereby specified nor is it implied that any particular APL RR based
- application does exist now or will exist in the future.
-
- ; RFC 1101-like announcement of address ranges for foo.example
- foo.example. IN APL 1:192.168.32.0/21 !1:192.168.38.0/28
-
- ; CIDR blocks covered by classless delegation
- 42.168.192.IN-ADDR.ARPA. IN APL ( 1:192.168.42.0/26 1:192.168.42.64/26
- 1:192.168.42.128/25 )
-
- ; Zone transfer restriction
- _axfr.sbo.example. IN APL 1:127.0.0.1/32 1:172.16.64.0/22
-
- ; List of address ranges for multicast
- multicast.example. IN APL 1:224.0.0.0/4 2:FF00:0:0:0:0:0:0:0/8
-
- Note that since trailing zeroes are ignored in the first APL RR the
- AFDLENGTH of both <apitems> is three.
-
-9. Security Considerations
-
- Any information obtained from the DNS should be regarded as unsafe
- unless techniques specified in [RFC2535] or [RFC2845] were used. The
- definition of a new RR type does not introduce security problems into
- the DNS, but usage of information made available by APL RRs may
- compromise security. This includes disclosure of network topology
- information and in particular the use of APL RRs to construct access
- control lists.
-
-
-
-
-
-
-
-
-
-
-
-Koch Experimental [Page 5]
-
-RFC 3123 DNS APL RR June 2001
-
-
-10. IANA Considerations
-
- This section is to be interpreted as following [RFC2434].
-
- This document does not define any new namespaces. It uses the 16 bit
- identifiers for address families maintained by IANA in
- http://www.iana.org/numbers.html.
-
- The IANA assigned numeric RR type value 42 for APL [IANA].
-
-11. Acknowledgements
-
- The author would like to thank Mark Andrews, Olafur Gudmundsson, Ed
- Lewis, Thomas Narten, Erik Nordmark, and Paul Vixie for their review
- and constructive comments.
-
-12. References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC1101] Mockapetris, P., "DNS Encoding of Network Names and Other
- Types", RFC 1101, April 1989.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2317] Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
- ADDR.ARPA delegation", BCP 20, RFC 2317, March 1998.
-
- [RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
- [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [RFC2606] Eastlake, D. and A. Panitz, "Reserved Top Level DNS Names",
- BCP 32, RFC 2606, June 1999.
-
-
-
-Koch Experimental [Page 6]
-
-RFC 3123 DNS APL RR June 2001
-
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC
- 2845, May 2000.
-
- [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
- IPv6 Address Aggregation and Renumbering", RFC 2874, July
- 2000.
-
- [IANA] http://www.iana.org/assignments/dns-parameters
-
-13. Author's Address
-
- Peter Koch
- Universitaet Bielefeld
- Technische Fakultaet
- D-33594 Bielefeld
- Germany
-
- Phone: +49 521 106 2902
- EMail: pk@TechFak.Uni-Bielefeld.DE
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Koch Experimental [Page 7]
-
-RFC 3123 DNS APL RR June 2001
-
-
-14. Full Copyright Statement
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Koch Experimental [Page 8]
-
diff --git a/contrib/bind9/doc/rfc/rfc3152.txt b/contrib/bind9/doc/rfc/rfc3152.txt
deleted file mode 100644
index b226ce6451f9..000000000000
--- a/contrib/bind9/doc/rfc/rfc3152.txt
+++ /dev/null
@@ -1,227 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Bush
-Request for Comments: 3152 RGnet
-BCP: 49 August 2001
-Updates: 2874, 2772, 2766, 2553, 1886
-Category: Best Current Practice
-
-
- Delegation of IP6.ARPA
-
-Status of this Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- This document discusses the need for delegation of the IP6.ARPA DNS
- zone, and specifies a plan for the technical operation thereof.
-
-1. Why IP6.ARPA?
-
- In the IPv6 address space, there is a need for 'reverse mapping' of
- addresses to DNS names analogous to that provided by the IN-ADDR.ARPA
- zone for IPv4.
-
- The IAB recommended that the ARPA top level domain (the name is now
- considered an acronym for "Address and Routing Parameters Area") be
- used for technical infrastructure sub-domains when possible. It is
- already in use for IPv4 reverse mapping and has been established as
- the location for E.164 numbering on the Internet [RFC2916 RFC3026].
-
- IETF consensus was reached that the IP6.ARPA domain be used for
- address to DNS name mapping for the IPv6 address space [RFC2874].
-
-2. Obsoleted Usage
-
- This document deprecates references to IP6.INT in [RFC1886] section
- 2.5, [RFC2553] section 6.2.3, [RFC2766] section 4.1, [RFC2772]
- section 7.1.c, and [RFC2874] section 2.5.
-
- In this context, 'deprecate' means that the old usage is not
- appropriate for new implementations, and IP6.INT will likely be
- phased out in an orderly fashion.
-
-
-
-Bush Best Current Practice [Page 1]
-
-RFC 3152 Delegation of IP6.ARPA August 2001
-
-
-3. IANA Considerations
-
- This memo requests that the IANA delegate the IP6.ARPA domain
- following instructions to be provided by the IAB. Names within this
- zone are to be further delegated to the regional IP registries in
- accordance with the delegation of IPv6 address space to those
- registries. The names allocated should be hierarchic in accordance
- with the address space assignment.
-
-4. Security Considerations
-
- While DNS spoofing of address to name mapping has been exploited in
- IPv4, delegation of the IP6.ARPA zone creates no new threats to the
- security of the internet.
-
-5. References
-
- [RFC1886] Thomson, S. and C. Huitema, "DNS Extensions to support IP
- version 6", RFC 1886, December 1995.
-
- [RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens,
- "Basic Socket Interface Extensions for IPv6", RFC 2553,
- March 1999.
-
- [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address
- Translation - Protocol Translation (NAT-PT)", RFC 2766,
- February 2000.
-
- [RFC2772] Rockell, R. and R. Fink, "6Bone Backbone Routing
- Guidelines", RFC 2772, February 2000.
-
- [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
- IPv6 Address Aggregation and Renumbering", RFC 2874, July
- 2001.
-
- [RFC2916] Faltstrom, P., "E.164 number and DNS", RFC 2916,
- September 2000.
-
- [RFC3026] Blane, R., "Liaison to IETF/ISOC on ENUM", RFC 3026,
- January 2001.
-
-
-
-
-
-
-
-
-
-
-
-Bush Best Current Practice [Page 2]
-
-RFC 3152 Delegation of IP6.ARPA August 2001
-
-
-6. Author's Address
-
- Randy Bush
- 5147 Crystal Springs
- Bainbridge Island, WA US-98110
-
- Phone: +1 206 780 0431
- EMail: randy@psg.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bush Best Current Practice [Page 3]
-
-RFC 3152 Delegation of IP6.ARPA August 2001
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bush Best Current Practice [Page 4]
-
diff --git a/contrib/bind9/doc/rfc/rfc3197.txt b/contrib/bind9/doc/rfc/rfc3197.txt
deleted file mode 100644
index 94cefa4c6b71..000000000000
--- a/contrib/bind9/doc/rfc/rfc3197.txt
+++ /dev/null
@@ -1,283 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Austein
-Request for Comments: 3197 InterNetShare
-Category: Informational November 2001
-
-
- Applicability Statement for DNS MIB Extensions
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- This document explains why, after more than six years as proposed
- standards, the DNS Server and Resolver MIB extensions were never
- deployed, and recommends retiring these MIB extensions by moving them
- to Historical status.
-
-1. History
-
- The road to the DNS MIB extensions was paved with good intentions.
-
- In retrospect, it's obvious that the working group never had much
- agreement on what belonged in the MIB extensions, just that we should
- have some. This happened during the height of the craze for MIB
- extensions in virtually every protocol that the IETF was working on
- at the time, so the question of why we were doing this in the first
- place never got a lot of scrutiny. Very late in the development
- cycle we discovered that much of the support for writing the MIB
- extensions in the first place had come from people who wanted to use
- SNMP SET operations to update DNS zones on the fly. Examination of
- the security model involved, however, led us to conclude that this
- was not a good way to do dynamic update and that a separate DNS
- Dynamic Update protocol would be necessary.
-
- The MIB extensions started out being fairly specific to one
- particular DNS implementation (BIND-4.8.3); as work progressed, the
- BIND-specific portions were rewritten to be as implementation-neutral
- as we knew how to make them, but somehow every revision of the MIB
- extensions managed to create new counters that just happened to
- closely match statistics kept by some version of BIND. As a result,
- the MIB extensions ended up being much too big, which raised a number
-
-
-
-Austein Informational [Page 1]
-
-RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
-
-
- of concerns with the network management directorate, but the WG
- resisted every attempt to remove any of these variables. In the end,
- large portions of the MIB extensions were moved into optional groups
- in an attempt to get the required subset down to a manageable size.
-
- The DNS Server and Resolver MIB extensions were one of the first
- attempts to write MIB extensions for a protocol usually considered to
- be at the application layer. Fairly early on it became clear that,
- while it was certainly possible to write MIB extensions for DNS, the
- SMI was not really designed with this sort of thing in mind. A case
- in point was the attempt to provide direct indexing into the caches
- in the resolver MIB extensions: while arguably the only sane way to
- do this for a large cache, this required much more complex indexing
- clauses than is usual, and ended up running into known length limits
- for object identifiers in some SNMP implementations.
-
- Furthermore, the lack of either real proxy MIB support in SNMP
- managers or a standard subagent protocol meant that there was no
- reasonable way to implement the MIB extensions in the dominant
- implementation (BIND). When the AgentX subagent protocol was
- developed a few years later, we initially hoped that this would
- finally clear the way for an implementation of the DNS MIB
- extensions, but by the time AgentX was a viable protocol it had
- become clear that nobody really wanted to implement these MIB
- extensions.
-
- Finally, the MIB extensions took much too long to produce. In
- retrospect, this should have been a clear warning sign, particularly
- when the WG had clearly become so tired of the project that the
- authors found it impossible to elicit any comments whatsoever on the
- documents.
-
-2. Lessons
-
- Observations based on the preceding list of mistakes, for the benefit
- of anyone else who ever attempts to write DNS MIB extensions again:
-
- - Define a clear set of goals before writing any MIB extensions.
- Know who the constituency is and make sure that what you write
- solves their problem.
-
- - Keep the MIB extensions short, and don't add variables just
- because somebody in the WG thinks they'd be a cool thing to
- measure.
-
- - If some portion of the task seems to be very hard to do within the
- SMI, that's a strong hint that SNMP is not the right tool for
- whatever it is that you're trying to do.
-
-
-
-Austein Informational [Page 2]
-
-RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
-
-
- - If the entire project is taking too long, perhaps that's a hint
- too.
-
-3. Recommendation
-
- In view of the community's apparent total lack of interest in
- deploying these MIB extensions, we recommend that RFCs 1611 and 1612
- be reclassified as Historical documents.
-
-4. Security Considerations
-
- Re-classifying an existing MIB document from Proposed Standard to
- Historic should not have any negative impact on security for the
- Internet.
-
-5. IANA Considerations
-
- Getting rid of the DNS MIB extensions should not impose any new work
- on IANA.
-
-6. Acknowledgments
-
- The author would like to thank all the people who were involved in
- this project over the years for their optimism and patience,
- misguided though it may have been.
-
-7. References
-
- [DNS-SERVER-MIB] Austein, R. and J. Saperia, "DNS Server MIB
- Extensions", RFC 1611, May 1994.
-
- [DNS-RESOLVER-MIB] Austein, R. and J. Saperia, "DNS Resolver MIB
- Extensions", RFC 1612, May 1994.
-
- [DNS-DYNAMIC-UPDATE] Vixie, P., Thomson, S., Rekhter, Y. and J.
- Bound, "Dynamic Updates in the Domain Name
- System (DNS UPDATE)", RFC 2136, April 1997.
-
- [AGENTX] Daniele, M., Wijnen, B., Ellison, M., and D.
- Francisco, "Agent Extensibility (AgentX)
- Protocol Version 1", RFC 2741, January 2000.
-
-
-
-
-
-
-
-
-
-
-Austein Informational [Page 3]
-
-RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
-
-
-8. Author's Address
-
- Rob Austein
- InterNetShare, Incorporated
- 325M Sharon Park Drive, Suite 308
- Menlo Park, CA 94025
- USA
-
- EMail: sra@hactrn.net
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein Informational [Page 4]
-
-RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein Informational [Page 5]
-
diff --git a/contrib/bind9/doc/rfc/rfc3225.txt b/contrib/bind9/doc/rfc/rfc3225.txt
deleted file mode 100644
index 13e6768c37a9..000000000000
--- a/contrib/bind9/doc/rfc/rfc3225.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Conrad
-Request for Comments: 3225 Nominum, Inc.
-Category: Standards Track December 2001
-
-
- Indicating Resolver Support of DNSSEC
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- In order to deploy DNSSEC (Domain Name System Security Extensions)
- operationally, DNSSEC aware servers should only perform automatic
- inclusion of DNSSEC RRs when there is an explicit indication that the
- resolver can understand those RRs. This document proposes the use of
- a bit in the EDNS0 header to provide that explicit indication and
- describes the necessary protocol changes to implement that
- notification.
-
-1. Introduction
-
- DNSSEC [RFC2535] has been specified to provide data integrity and
- authentication to security aware resolvers and applications through
- the use of cryptographic digital signatures. However, as DNSSEC is
- deployed, non-DNSSEC-aware clients will likely query DNSSEC-aware
- servers. In such situations, the DNSSEC-aware server (responding to
- a request for data in a signed zone) will respond with SIG, KEY,
- and/or NXT records. For reasons described in the subsequent section,
- such responses can have significant negative operational impacts for
- the DNS infrastructure.
-
- This document discusses a method to avoid these negative impacts,
- namely DNSSEC-aware servers should only respond with SIG, KEY, and/or
- NXT RRs when there is an explicit indication from the resolver that
- it can understand those RRs.
-
- For the purposes of this document, "DNSSEC security RRs" are
- considered RRs of type SIG, KEY, or NXT.
-
-
-
-Conrad Standards Track [Page 1]
-
-RFC 3225 Indicating Resolver Support of DNSSEC December 2001
-
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-2. Rationale
-
- Initially, as DNSSEC is deployed, the vast majority of queries will
- be from resolvers that are not DNSSEC aware and thus do not
- understand or support the DNSSEC security RRs. When a query from
- such a resolver is received for a DNSSEC signed zone, the DNSSEC
- specification indicates the nameserver must respond with the
- appropriate DNSSEC security RRs. As DNS UDP datagrams are limited to
- 512 bytes [RFC1035], responses including DNSSEC security RRs have a
- high probability of resulting in a truncated response being returned
- and the resolver retrying the query using TCP.
-
- TCP DNS queries result in significant overhead due to connection
- setup and teardown. Operationally, the impact of these TCP queries
- will likely be quite detrimental in terms of increased network
- traffic (typically five packets for a single query/response instead
- of two), increased latency resulting from the additional round trip
- times, increased incidences of queries failing due to timeouts, and
- significantly increased load on nameservers.
-
- In addition, in preliminary and experimental deployment of DNSSEC,
- there have been reports of non-DNSSEC aware resolvers being unable to
- handle responses which contain DNSSEC security RRs, resulting in the
- resolver failing (in the worst case) or entire responses being
- ignored (in the better case).
-
- Given these operational implications, explicitly notifying the
- nameserver that the client is prepared to receive (if not understand)
- DNSSEC security RRs would be prudent.
-
- Client-side support of DNSSEC is assumed to be binary -- either the
- client is willing to receive all DNSSEC security RRs or it is not
- willing to accept any. As such, a single bit is sufficient to
- indicate client-side DNSSEC support. As effective use of DNSSEC
- implies the need of EDNS0 [RFC2671], bits in the "classic" (non-EDNS
- enhanced DNS header) are scarce, and there may be situations in which
- non-compliant caching or forwarding servers inappropriately copy data
- from classic headers as queries are passed on to authoritative
- servers, the use of a bit from the EDNS0 header is proposed.
-
- An alternative approach would be to use the existence of an EDNS0
- header as an implicit indication of client-side support of DNSSEC.
- This approach was not chosen as there may be applications in which
- EDNS0 is supported but in which the use of DNSSEC is inappropriate.
-
-
-
-Conrad Standards Track [Page 2]
-
-RFC 3225 Indicating Resolver Support of DNSSEC December 2001
-
-
-3. Protocol Changes
-
- The mechanism chosen for the explicit notification of the ability of
- the client to accept (if not understand) DNSSEC security RRs is using
- the most significant bit of the Z field on the EDNS0 OPT header in
- the query. This bit is referred to as the "DNSSEC OK" (DO) bit. In
- the context of the EDNS0 OPT meta-RR, the DO bit is the first bit of
- the third and fourth bytes of the "extended RCODE and flags" portion
- of the EDNS0 OPT meta-RR, structured as follows:
-
- +0 (MSB) +1 (LSB)
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 0: | EXTENDED-RCODE | VERSION |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 2: |DO| Z |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
- Setting the DO bit to one in a query indicates to the server that the
- resolver is able to accept DNSSEC security RRs. The DO bit cleared
- (set to zero) indicates the resolver is unprepared to handle DNSSEC
- security RRs and those RRs MUST NOT be returned in the response
- (unless DNSSEC security RRs are explicitly queried for). The DO bit
- of the query MUST be copied in the response.
-
- More explicitly, DNSSEC-aware nameservers MUST NOT insert SIG, KEY,
- or NXT RRs to authenticate a response as specified in [RFC2535]
- unless the DO bit was set on the request. Security records that
- match an explicit SIG, KEY, NXT, or ANY query, or are part of the
- zone data for an AXFR or IXFR query, are included whether or not the
- DO bit was set.
-
- A recursive DNSSEC-aware server MUST set the DO bit on recursive
- requests, regardless of the status of the DO bit on the initiating
- resolver request. If the initiating resolver request does not have
- the DO bit set, the recursive DNSSEC-aware server MUST remove DNSSEC
- security RRs before returning the data to the client, however cached
- data MUST NOT be modified.
-
- In the event a server returns a NOTIMP, FORMERR or SERVFAIL response
- to a query that has the DO bit set, the resolver SHOULD NOT expect
- DNSSEC security RRs and SHOULD retry the query without EDNS0 in
- accordance with section 5.3 of [RFC2671].
-
-
-
-
-
-
-
-
-
-Conrad Standards Track [Page 3]
-
-RFC 3225 Indicating Resolver Support of DNSSEC December 2001
-
-
-Security Considerations
-
- The absence of DNSSEC data in response to a query with the DO bit set
- MUST NOT be taken to mean no security information is available for
- that zone as the response may be forged or a non-forged response of
- an altered (DO bit cleared) query.
-
-IANA Considerations
-
- EDNS0 [RFC2671] defines 16 bits as extended flags in the OPT record,
- these bits are encoded into the TTL field of the OPT record (RFC2671
- section 4.6).
-
- This document reserves one of these bits as the OK bit. It is
- requested that the left most bit be allocated. Thus the USE of the
- OPT record TTL field would look like
-
- +0 (MSB) +1 (LSB)
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 0: | EXTENDED-RCODE | VERSION |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
- 2: |DO| Z |
- +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
-
-Acknowledgements
-
- This document is based on a rough draft by Bob Halley with input from
- Olafur Gudmundsson, Andreas Gustafsson, Brian Wellington, Randy Bush,
- Rob Austein, Steve Bellovin, and Erik Nordmark.
-
-References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
-
-
-
-
-Conrad Standards Track [Page 4]
-
-RFC 3225 Indicating Resolver Support of DNSSEC December 2001
-
-
-Author's Address
-
- David Conrad
- Nominum Inc.
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- Phone: +1 650 381 6003
- EMail: david.conrad@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Conrad Standards Track [Page 5]
-
-RFC 3225 Indicating Resolver Support of DNSSEC December 2001
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Conrad Standards Track [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc3226.txt b/contrib/bind9/doc/rfc/rfc3226.txt
deleted file mode 100644
index dac0e11c1575..000000000000
--- a/contrib/bind9/doc/rfc/rfc3226.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group O. Gudmundsson
-Request for Comments: 3226 December 2001
-Updates: 2874, 2535
-Category: Standards Track
-
-
- DNSSEC and IPv6 A6 aware server/resolver message size requirements
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
-Abstract
-
- This document mandates support for EDNS0 (Extension Mechanisms for
- DNS) in DNS entities claiming to support either DNS Security
- Extensions or A6 records. This requirement is necessary because
- these new features increase the size of DNS messages. If EDNS0 is
- not supported fall back to TCP will happen, having a detrimental
- impact on query latency and DNS server load. This document updates
- RFC 2535 and RFC 2874, by adding new requirements.
-
-1. Introduction
-
- Familiarity with the DNS [RFC1034, RFC1035], DNS Security Extensions
- [RFC2535], EDNS0 [RFC2671] and A6 [RFC2874] is helpful.
-
- STD 13, RFC 1035 Section 2.3.4 requires that DNS messages over UDP
- have a data payload of 512 octets or less. Most DNS software today
- will not accept larger UDP datagrams. Any answer that requires more
- than 512 octets, results in a partial and sometimes useless reply
- with the Truncation Bit set; in most cases the requester will then
- retry using TCP. Furthermore, server delivery of truncated responses
- varies widely and resolver handling of these responses also varies,
- leading to additional inefficiencies in handling truncation.
-
- Compared to UDP, TCP is an expensive protocol to use for a simple
- transaction like DNS: a TCP connection requires 5 packets for setup
- and tear down, excluding data packets, thus requiring at least 3
- round trips on top of the one for the original UDP query. The DNS
-
-
-
-Gudmundsson Standards Track [Page 1]
-
-RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
-
-
- server also needs to keep a state of the connection during this
- transaction. Many DNS servers answer thousands of queries per
- second, requiring them to use TCP will cause significant overhead and
- delays.
-
-1.1. Requirements
-
- The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
- in this document are to be interpreted as described in RFC 2119.
-
-2. Motivating factors
-
-2.1. DNSSEC motivations
-
- DNSSEC [RFC2535] secures DNS by adding a Public Key signature on each
- RR set. These signatures range in size from about 80 octets to 800
- octets, most are going to be in the range of 80 to 200 octets. The
- addition of signatures on each or most RR sets in an answer
- significantly increases the size of DNS answers from secure zones.
-
- For performance reasons and to reduce load on DNS servers, it is
- important that security aware servers and resolvers get all the data
- in Answer and Authority section in one query without truncation.
- Sending Additional Data in the same query is helpful when the server
- is authoritative for the data, and this reduces round trips.
-
- DNSSEC OK[OK] specifies how a client can, using EDNS0, indicate that
- it is interested in receiving DNSSEC records. The OK bit does not
- eliminate the need for large answers for DNSSEC capable clients.
-
-2.1.1. Message authentication or TSIG motivation
-
- TSIG [RFC2845] allows for the light weight authentication of DNS
- messages, but increases the size of the messages by at least 70
- octets. DNSSEC specifies for computationally expensive message
- authentication SIG(0) using a standard public key signature. As only
- one TSIG or SIG(0) can be attached to each DNS answer the size
- increase of message authentication is not significant, but may still
- lead to a truncation.
-
-2.2. IPv6 Motivations
-
- IPv6 addresses [RFC2874] are 128 bits and can be represented in the
- DNS by multiple A6 records, each consisting of a domain name and a
- bit field. The domain name refers to an address prefix that may
- require additional A6 RRs to be included in the answer. Answers
- where the queried name has multiple A6 addresses may overflow a 512-
- octet UDP packet size.
-
-
-
-Gudmundsson Standards Track [Page 2]
-
-RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
-
-
-2.3. Root server and TLD server motivations
-
- The current number of root servers is limited to 13 as that is the
- maximum number of name servers and their address records that fit in
- one 512-octet answer for a SOA record. If root servers start
- advertising A6 or KEY records then the answer for the root NS records
- will not fit in a single 512-octet DNS message, resulting in a large
- number of TCP query connections to the root servers. Even if all
- client resolver query their local name server for information, there
- are millions of these servers. Each name server must periodically
- update its information about the high level servers.
-
- For redundancy, latency and load balancing reasons, large numbers of
- DNS servers are required for some zones. Since the root zone is used
- by the entire net, it is important to have as many servers as
- possible. Large TLDs (and many high-visibility SLDs) often have
- enough servers that either A6 or KEY records would cause the NS
- response to overflow the 512 byte limit. Note that these zones with
- large numbers of servers are often exactly those zones that are
- critical to network operation and that already sustain fairly high
- loads.
-
-2.4. UDP vs TCP for DNS messages
-
- Given all these factors, it is essential that any implementation that
- supports DNSSEC and or A6 be able to use larger DNS messages than 512
- octets.
-
- The original 512 restriction was put in place to reduce the
- probability of fragmentation of DNS responses. A fragmented UDP
- message that suffers a loss of one of the fragments renders the
- answer useless and the query must be retried. A TCP connection
- requires a larger number of round trips for establishment, data
- transfer and tear down, but only the lost data segments are
- retransmitted.
-
- In the early days a number of IP implementations did not handle
- fragmentation well, but all modern operating systems have overcome
- that issue thus sending fragmented messages is fine from that
- standpoint. The open issue is the effect of losses on fragmented
- messages. If connection has high loss ratio only TCP will allow
- reliable transfer of DNS data, most links have low loss ratios thus
- sending fragmented UDP packet in one round trip is better than
- establishing a TCP connection to transfer a few thousand octets.
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 3]
-
-RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
-
-
-2.5. EDNS0 and large UDP messages
-
- EDNS0 [RFC2671] allows clients to declare the maximum size of UDP
- message they are willing to handle. Thus, if the expected answer is
- between 512 octets and the maximum size that the client can accept,
- the additional overhead of a TCP connection can be avoided.
-
-3. Protocol changes:
-
- This document updates RFC 2535 and RFC 2874, by adding new
- requirements.
-
- All RFC 2535 compliant servers and resolvers MUST support EDNS0 and
- advertise message size of at least 1220 octets, but SHOULD advertise
- message size of 4000. This value might be too low to get full
- answers for high level servers and successor of this document may
- require a larger value.
-
- All RFC 2874 compliant servers and resolver MUST support EDNS0 and
- advertise message size of at least 1024 octets, but SHOULD advertise
- message size of 2048. The IPv6 datagrams should be 1024 octets,
- unless the MTU of the path is known. (Note that this is smaller than
- the minimum IPv6 MTU to allow for some extension headers and/or
- encapsulation without exceeding the minimum MTU.)
-
- All RFC 2535 and RFC 2874 compliant entities MUST be able to handle
- fragmented IPv4 and IPv6 UDP packets.
-
- All hosts supporting both RFC 2535 and RFC 2874 MUST use the larger
- required value in EDNS0 advertisements.
-
-4. Acknowledgments
-
- Harald Alvestrand, Rob Austein, Randy Bush, David Conrad, Andreas
- Gustafsson, Jun-ichiro itojun Hagino, Bob Halley, Edward Lewis
- Michael Patton and Kazu Yamamoto were instrumental in motivating and
- shaping this document.
-
-5. Security Considerations:
-
- There are no additional security considerations other than those in
- RFC 2671.
-
-6. IANA Considerations:
-
- None
-
-
-
-
-
-Gudmundsson Standards Track [Page 4]
-
-RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
-
-
-7. References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2535] Eastlake, D. "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
- IPv6 Address Aggregation and Renumbering", RFC 2874, July
- 2000.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
-8. Author Address
-
- Olafur Gudmundsson
- 3826 Legation Street, NW
- Washington, DC 20015
- USA
-
- EMail: ogud@ogud.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 5]
-
-RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (2001). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc3258.txt b/contrib/bind9/doc/rfc/rfc3258.txt
deleted file mode 100644
index dcd4b34b2b6e..000000000000
--- a/contrib/bind9/doc/rfc/rfc3258.txt
+++ /dev/null
@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group T. Hardie
-Request for Comments: 3258 Nominum, Inc.
-Category: Informational April 2002
-
-
- Distributing Authoritative Name Servers via Shared Unicast Addresses
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
-Abstract
-
- This memo describes a set of practices intended to enable an
- authoritative name server operator to provide access to a single
- named server in multiple locations. The primary motivation for the
- development and deployment of these practices is to increase the
- distribution of Domain Name System (DNS) servers to previously
- under-served areas of the network topology and to reduce the latency
- for DNS query responses in those areas.
-
-1. Introduction
-
- This memo describes a set of practices intended to enable an
- authoritative name server operator to provide access to a single
- named server in multiple locations. The primary motivation for the
- development and deployment of these practices is to increase the
- distribution of DNS servers to previously under-served areas of the
- network topology and to reduce the latency for DNS query responses in
- those areas. This document presumes a one-to-one mapping between
- named authoritative servers and administrative entities (operators).
- This document contains no guidelines or recommendations for caching
- name servers. The shared unicast system described here is specific
- to IPv4; applicability to IPv6 is an area for further study. It
- should also be noted that the system described here is related to
- that described in [ANYCAST], but it does not require dedicated
- address space, routing changes, or the other elements of a full
- anycast infrastructure which that document describes.
-
-
-
-
-
-
-
-Hardie Informational [Page 1]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
-2. Architecture
-
-2.1 Server Requirements
-
- Operators of authoritative name servers may wish to refer to
- [SECONDARY] and [ROOT] for general guidance on appropriate practice
- for authoritative name servers. In addition to proper configuration
- as a standard authoritative name server, each of the hosts
- participating in a shared-unicast system should be configured with
- two network interfaces. These interfaces may be either two physical
- interfaces or one physical interface mapped to two logical
- interfaces. One of the network interfaces should use the IPv4 shared
- unicast address associated with the authoritative name server. The
- other interface, referred to as the administrative interface below,
- should use a distinct IPv4 address specific to that host. The host
- should respond to DNS queries only on the shared-unicast interface.
- In order to provide the most consistent set of responses from the
- mesh of anycast hosts, it is good practice to limit responses on that
- interface to zones for which the host is authoritative.
-
-2.2 Zone file delivery
-
- In order to minimize the risk of man-in-the-middle attacks, zone
- files should be delivered to the administrative interface of the
- servers participating in the mesh. Secure file transfer methods and
- strong authentication should be used for all transfers. If the hosts
- in the mesh make their zones available for zone transfer, the
- administrative interfaces should be used for those transfers as well,
- in order to avoid the problems with potential routing changes for TCP
- traffic noted in section 2.5 below.
-
-2.3 Synchronization
-
- Authoritative name servers may be loosely or tightly synchronized,
- depending on the practices set by the operating organization. As
- noted below in section 4.1.2, lack of synchronization among servers
- using the same shared unicast address could create problems for some
- users of this service. In order to minimize that risk, switch-overs
- from one data set to another data set should be coordinated as much
- as possible. The use of synchronized clocks on the participating
- hosts and set times for switch-overs provides a basic level of
- coordination. A more complete coordination process would involve:
-
- a) receipt of zones at a distribution host
- b) confirmation of the integrity of zones received
- c) distribution of the zones to all of the servers in the mesh
- d) confirmation of the integrity of the zones at each server
-
-
-
-
-Hardie Informational [Page 2]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
- e) coordination of the switchover times for the servers in the
- mesh
- f) institution of a failure process to ensure that servers that
- did not receive correct data or could not switchover to the new
- data ceased to respond to incoming queries until the problem
- could be resolved.
-
- Depending on the size of the mesh, the distribution host may also be
- a participant; for authoritative servers, it may also be the host on
- which zones are generated.
-
- This document presumes that the usual DNS failover methods are the
- only ones used to ensure reachability of the data for clients. It
- does not advise that the routes be withdrawn in the case of failure;
- it advises instead that the DNS process shutdown so that servers on
- other addresses are queried. This recommendation reflects a choice
- between performance and operational complexity. While it would be
- possible to have some process withdraw the route for a specific
- server instance when it is not available, there is considerable
- operational complexity involved in ensuring that this occurs
- reliably. Given the existing DNS failover methods, the marginal
- improvement in performance will not be sufficient to justify the
- additional complexity for most uses.
-
-2.4 Server Placement
-
- Though the geographic diversity of server placement helps reduce the
- effects of service disruptions due to local problems, it is diversity
- of placement in the network topology which is the driving force
- behind these distribution practices. Server placement should
- emphasize that diversity. Ideally, servers should be placed
- topologically near the points at which the operator exchanges routes
- and traffic with other networks.
-
-2.5 Routing
-
- The organization administering the mesh of servers sharing a unicast
- address must have an autonomous system number and speak BGP to its
- peers. To those peers, the organization announces a route to the
- network containing the shared-unicast address of the name server.
- The organization's border routers must then deliver the traffic
- destined for the name server to the nearest instantiation. Routing
- to the administrative interfaces for the servers can use the normal
- routing methods for the administering organization.
-
- One potential problem with using shared unicast addresses is that
- routers forwarding traffic to them may have more than one available
- route, and those routes may, in fact, reach different instances of
-
-
-
-Hardie Informational [Page 3]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
- the shared unicast address. Applications like the DNS, whose
- communication typically consists of independent request-response
- messages each fitting in a single UDP packet present no problem.
- Other applications, in which multiple packets must reach the same
- endpoint (e.g., TCP) may fail or present unworkable performance
- characteristics in some circumstances. Split-destination failures
- may occur when a router does per-packet (or round-robin) load
- sharing, a topology change occurs that changes the relative metrics
- of two paths to the same anycast destination, etc.
-
- Four things mitigate the severity of this problem. The first is that
- UDP is a fairly high proportion of the query traffic to name servers.
- The second is that the aim of this proposal is to diversify
- topological placement; for most users, this means that the
- coordination of placement will ensure that new instances of a name
- server will be at a significantly different cost metric from existing
- instances. Some set of users may end up in the middle, but that
- should be relatively rare. The third is that per packet load sharing
- is only one of the possible load sharing mechanisms, and other
- mechanisms are increasing in popularity.
-
- Lastly, in the case where the traffic is TCP, per packet load sharing
- is used, and equal cost routes to different instances of a name
- server are available, any DNS implementation which measures the
- performance of servers to select a preferred server will quickly
- prefer a server for which this problem does not occur. For the DNS
- failover mechanisms to reliably avoid this problem, however, those
- using shared unicast distribution mechanisms must take care that all
- of the servers for a specific zone are not participants in the same
- shared-unicast mesh. To guard even against the case where multiple
- meshes have a set of users affected by per packet load sharing along
- equal cost routes, organizations implementing these practices should
- always provide at least one authoritative server which is not a
- participant in any shared unicast mesh. Those deploying shared-
- unicast meshes should note that any specific host may become
- unreachable to a client should a server fail, a path fail, or the
- route to that host be withdrawn. These error conditions are,
- however, not specific to shared-unicast distributions, but would
- occur for standard unicast hosts.
-
- Since ICMP response packets might go to a different member of the
- mesh than that sending a packet, packets sent with a shared unicast
- source address should also avoid using path MTU discovery.
-
- Appendix A. contains an ASCII diagram of an example of a simple
- implementation of this system. In it, the odd numbered routers
- deliver traffic to the shared-unicast interface network and filter
- traffic from the administrative network; the even numbered routers
-
-
-
-Hardie Informational [Page 4]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
- deliver traffic to the administrative network and filter traffic from
- the shared-unicast network. These are depicted as separate routers
- for the ease this gives in explanation, but they could easily be
- separate interfaces on the same router. Similarly, a local NTP
- source is depicted for synchronization, but the level of
- synchronization needed would not require that source to be either
- local or a stratum one NTP server.
-
-3. Administration
-
-3.1 Points of Contact
-
- A single point of contact for reporting problems is crucial to the
- correct administration of this system. If an external user of the
- system needs to report a problem related to the service, there must
- be no ambiguity about whom to contact. If internal monitoring does
- not indicate a problem, the contact may, of course, need to work with
- the external user to identify which server generated the error.
-
-4. Security Considerations
-
- As a core piece of Internet infrastructure, authoritative name
- servers are common targets of attack. The practices outlined here
- increase the risk of certain kinds of attacks and reduce the risk of
- others.
-
-4.1 Increased Risks
-
-4.1.1 Increase in physical servers
-
- The architecture outlined in this document increases the number of
- physical servers, which could increase the possibility that a server
- mis-configuration will occur which allows for a security breach. In
- general, the entity administering a mesh should ensure that patches
- and security mechanisms applied to a single member of the mesh are
- appropriate for and applied to all of the members of a mesh.
- "Genetic diversity" (code from different code bases) can be a useful
- security measure in avoiding attacks based on vulnerabilities in a
- specific code base; in order to ensure consistency of responses from
- a single named server, however, that diversity should be applied to
- different shared-unicast meshes or between a mesh and a related
- unicast authoritative server.
-
-4.1.2 Data synchronization problems
-
- The level of systemic synchronization described above should be
- augmented by synchronization of the data present at each of the
- servers. While the DNS itself is a loosely coupled system, debugging
-
-
-
-Hardie Informational [Page 5]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
- problems with data in specific zones would be far more difficult if
- two different servers sharing a single unicast address might return
- different responses to the same query. For example, if the data
- associated with www.example.com has changed and the administrators of
- the domain are testing for the changes at the example.com
- authoritative name servers, they should not need to check each
- instance of a named authoritative server. The use of NTP to provide
- a synchronized time for switch-over eliminates some aspects of this
- problem, but mechanisms to handle failure during the switchover are
- required. In particular, a server which cannot make the switchover
- must not roll-back to a previous version; it must cease to respond to
- queries so that other servers are queried.
-
-4.1.3 Distribution risks
-
- If the mechanism used to distribute zone files among the servers is
- not well secured, a man-in-the-middle attack could result in the
- injection of false information. Digital signatures will alleviate
- this risk, but encrypted transport and tight access lists are a
- necessary adjunct to them. Since zone files will be distributed to
- the administrative interfaces of meshed servers, the access control
- list for distribution of the zone files should include the
- administrative interface of the server or servers, rather than their
- shared unicast addresses.
-
-4.2 Decreased Risks
-
- The increase in number of physical servers reduces the likelihood
- that a denial-of-service attack will take out a significant portion
- of the DNS infrastructure. The increase in servers also reduces the
- effect of machine crashes, fiber cuts, and localized disasters by
- reducing the number of users dependent on a specific machine.
-
-5. Acknowledgments
-
- Masataka Ohta, Bill Manning, Randy Bush, Chris Yarnell, Ray Plzak,
- Mark Andrews, Robert Elz, Geoff Huston, Bill Norton, Akira Kato,
- Suzanne Woolf, Bernard Aboba, Casey Ajalat, and Gunnar Lindberg all
- provided input and commentary on this work. The editor wishes to
- remember in particular the contribution of the late Scott Tucker,
- whose extensive systems experience and plain common sense both
- contributed greatly to the editor's own deployment experience and are
- missed by all who knew him.
-
-
-
-
-
-
-
-
-Hardie Informational [Page 6]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
-6. References
-
- [SECONDARY] Elz, R., Bush, R., Bradner, S. and M. Patton, "Selection
- and Operation of Secondary DNS Servers", BCP 16, RFC
- 2182, July 1997.
-
- [ROOT] Bush, R., Karrenberg, D., Kosters, M. and R. Plzak, "Root
- Name Server Operational Requirements", BCP 40, RFC 2870,
- June 2000.
-
- [ANYCAST] Patridge, C., Mendez, T. and W. Milliken, "Host
- Anycasting Service", RFC 1546, November 1993.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hardie Informational [Page 7]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
-Appendix A.
-
- __________________
-Peer 1-| |
-Peer 2-| |
-Peer 3-| Switch |
-Transit| | _________ _________
-etc | |--|Router1|---|----|----------|Router2|---WAN-|
- | | --------- | | --------- |
- | | | | |
- | | | | |
- ------------------ [NTP] [DNS] |
- |
- |
- |
- |
- __________________ |
-Peer 1-| | |
-Peer 2-| | |
-Peer 3-| Switch | |
-Transit| | _________ _________ |
-etc | |--|Router3|---|----|----------|Router4|---WAN-|
- | | --------- | | --------- |
- | | | | |
- | | | | |
- ------------------ [NTP] [DNS] |
- |
- |
- |
- |
- __________________ |
-Peer 1-| | |
-Peer 2-| | |
-Peer 3-| Switch | |
-Transit| | _________ _________ |
-etc | |--|Router5|---|----|----------|Router6|---WAN-|
- | | --------- | | --------- |
- | | | | |
- | | | | |
- ------------------ [NTP] [DNS] |
- |
- |
- |
-
-
-
-
-
-
-
-
-Hardie Informational [Page 8]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
- |
- __________________ |
-Peer 1-| | |
-Peer 2-| | |
-Peer 3-| Switch | |
-Transit| | _________ _________ |
-etc | |--|Router7|---|----|----------|Router8|---WAN-|
- | | --------- | | ---------
- | | | |
- | | | |
- ------------------ [NTP] [DNS]
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hardie Informational [Page 9]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
-7. Editor's Address
-
- Ted Hardie
- Nominum, Inc.
- 2385 Bay Road.
- Redwood City, CA 94063
-
- Phone: 1.650.381.6226
- EMail: Ted.Hardie@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hardie Informational [Page 10]
-
-RFC 3258 Distributing Authoritative Name Servers April 2002
-
-
-8. Full Copyright Statement
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hardie Informational [Page 11]
-
diff --git a/contrib/bind9/doc/rfc/rfc3363.txt b/contrib/bind9/doc/rfc/rfc3363.txt
deleted file mode 100644
index 9d7a39c208cb..000000000000
--- a/contrib/bind9/doc/rfc/rfc3363.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Bush
-Request for Comments: 3363 A. Durand
-Updates: 2673, 2874 B. Fink
-Category: Informational O. Gudmundsson
- T. Hain
- Editors
- August 2002
-
-
- Representing Internet Protocol version 6 (IPv6)
- Addresses in the Domain Name System (DNS)
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
-Abstract
-
- This document clarifies and updates the standards status of RFCs that
- define direct and reverse map of IPv6 addresses in DNS. This
- document moves the A6 and Bit label specifications to experimental
- status.
-
-1. Introduction
-
- The IETF had begun the process of standardizing two different address
- formats for IPv6 addresses AAAA [RFC1886] and A6 [RFC2874] and both
- are at proposed standard. This had led to confusion and conflicts on
- which one to deploy. It is important for deployment that any
- confusion in this area be cleared up, as there is a feeling in the
- community that having more than one choice will lead to delays in the
- deployment of IPv6. The goal of this document is to clarify the
- situation.
-
- This document also discusses issues relating to the usage of Binary
- Labels [RFC 2673] to support the reverse mapping of IPv6 addresses.
-
- This document is based on extensive technical discussion on various
- relevant working groups mailing lists and a joint DNSEXT and NGTRANS
- meeting at the 51st IETF in August 2001. This document attempts to
- capture the sense of the discussions and reflect them in this
- document to represent the consensus of the community.
-
-
-
-Bush, et. al. Informational [Page 1]
-
-RFC 3363 Representation of IPv6 Addresses in DNS August 2002
-
-
- The main arguments and the issues are covered in a separate document
- [RFC3364] that reflects the current understanding of the issues.
- This document summarizes the outcome of these discussions.
-
- The issue of the root of reverse IPv6 address map is outside the
- scope of this document and is covered in a different document
- [RFC3152].
-
-1.1 Standards Action Taken
-
- This document changes the status of RFCs 2673 and 2874 from Proposed
- Standard to Experimental.
-
-2. IPv6 Addresses: AAAA RR vs A6 RR
-
- Working group consensus as perceived by the chairs of the DNSEXT and
- NGTRANS working groups is that:
-
- a) AAAA records are preferable at the moment for production
- deployment of IPv6, and
-
- b) that A6 records have interesting properties that need to be better
- understood before deployment.
-
- c) It is not known if the benefits of A6 outweigh the costs and
- risks.
-
-2.1 Rationale
-
- There are several potential issues with A6 RRs that stem directly
- from the feature that makes them different from AAAA RRs: the ability
- to build up addresses via chaining.
-
- Resolving a chain of A6 RRs involves resolving a series of what are
- nearly-independent queries. Each of these sub-queries takes some
- non-zero amount of time, unless the answer happens to be in the
- resolver's local cache already. Other things being equal, we expect
- that the time it takes to resolve an N-link chain of A6 RRs will be
- roughly proportional to N. What data we have suggests that users are
- already impatient with the length of time it takes to resolve A RRs
- in the IPv4 Internet, which suggests that users are not likely to be
- patient with significantly longer delays in the IPv6 Internet, but
- terminating queries prematurely is both a waste of resources and
- another source of user frustration. Thus, we are forced to conclude
- that indiscriminate use of long A6 chains is likely to lead to
- increased user frustration.
-
-
-
-
-
-Bush, et. al. Informational [Page 2]
-
-RFC 3363 Representation of IPv6 Addresses in DNS August 2002
-
-
- The probability of failure during the process of resolving an N-link
- A6 chain also appears to be roughly proportional to N, since each of
- the queries involved in resolving an A6 chain has roughly the same
- probability of failure as a single AAAA query.
-
- Last, several of the most interesting potential applications for A6
- RRs involve situations where the prefix name field in the A6 RR
- points to a target that is not only outside the DNS zone containing
- the A6 RR, but is administered by a different organization entirely.
- While pointers out of zone are not a problem per se, experience both
- with glue RRs and with PTR RRs in the IN-ADDR.ARPA tree suggests that
- pointers to other organizations are often not maintained properly,
- perhaps because they're less susceptible to automation than pointers
- within a single organization would be.
-
-2.2 Recommended Standard Action
-
- Based on the perceived consensus, this document recommends that RFC
- 1886 stay on standards track and be advanced, while moving RFC 2874
- to Experimental status.
-
-3. Bitlabels in the Reverse DNS Tree
-
- RFC 2673 defines a new DNS label type. This was the first new type
- defined since RFC 1035 [RFC1035]. Since the development of 2673 it
- has been learned that deployment of a new type is difficult since DNS
- servers that do not support bitlabels reject queries containing bit
- labels as being malformed. The community has also indicated that
- this new label type is not needed for mapping reverse addresses.
-
-3.1 Rationale
-
- The hexadecimal text representation of IPv6 addresses appears to be
- capable of expressing all of the delegation schemes that we expect to
- be used in the DNS reverse tree.
-
-3.2 Recommended Standard Action
-
- RFC 2673 standard status is to be changed from Proposed to
- Experimental. Future standardization of these documents is to be
- done by the DNSEXT working group or its successor.
-
-
-
-
-
-
-
-
-
-
-Bush, et. al. Informational [Page 3]
-
-RFC 3363 Representation of IPv6 Addresses in DNS August 2002
-
-
-4. DNAME in IPv6 Reverse Tree
-
- The issues for DNAME in the reverse mapping tree appears to be
- closely tied to the need to use fragmented A6 in the main tree: if
- one is necessary, so is the other, and if one isn't necessary, the
- other isn't either. Therefore, in moving RFC 2874 to experimental,
- the intent of this document is that use of DNAME RRs in the reverse
- tree be deprecated.
-
-5. Acknowledgments
-
- This document is based on input from many members of the various IETF
- working groups involved in this issues. Special thanks go to the
- people that prepared reading material for the joint DNSEXT and
- NGTRANS working group meeting at the 51st IETF in London, Rob
- Austein, Dan Bernstein, Matt Crawford, Jun-ichiro itojun Hagino,
- Christian Huitema. Number of other people have made number of
- comments on mailing lists about this issue including Andrew W.
- Barclay, Robert Elz, Johan Ihren, Edward Lewis, Bill Manning, Pekka
- Savola, Paul Vixie.
-
-6. Security Considerations
-
- As this document specifies a course of action, there are no direct
- security considerations. There is an indirect security impact of the
- choice, in that the relationship between A6 and DNSSEC is not well
- understood throughout the community, while the choice of AAAA does
- leads to a model for use of DNSSEC in IPv6 networks which parallels
- current IPv4 practice.
-
-7. IANA Considerations
-
- None.
-
-Normative References
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC1886] Thompson, S. and C. Huitema, "DNS Extensions to support IP
- version 6", RFC 1886, December 1995.
-
- [RFC2673] Crawford, M., "Binary Labels in the Domain Name System",
- RFC 2673, August 1999.
-
- [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
- IPv6 Address Aggregation and Renumbering", RFC 2874, July
- 2000.
-
-
-
-Bush, et. al. Informational [Page 4]
-
-RFC 3363 Representation of IPv6 Addresses in DNS August 2002
-
-
- [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152
- August 2001.
-
-Informative References
-
- [RFC3364] Austein, R., "Tradeoffs in Domain Name System (DNS)
- Support for Internet Protocol version 6 (IPv6)", RFC 3364,
- August 2002.
-
-Editors' Addresses
-
- Randy Bush
- EMail: randy@psg.com
-
-
- Alain Durand
- EMail: alain.durand@sun.com
-
-
- Bob Fink
- EMail: fink@es.net
-
-
- Olafur Gudmundsson
- EMail: ogud@ogud.com
-
-
- Tony Hain
- EMail: hain@tndh.net
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bush, et. al. Informational [Page 5]
-
-RFC 3363 Representation of IPv6 Addresses in DNS August 2002
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Bush, et. al. Informational [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc3364.txt b/contrib/bind9/doc/rfc/rfc3364.txt
deleted file mode 100644
index 189c0d2aa055..000000000000
--- a/contrib/bind9/doc/rfc/rfc3364.txt
+++ /dev/null
@@ -1,619 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Austein
-Request for Comments: 3364 Bourgeois Dilettant
-Updates: 2673, 2874 August 2002
-Category: Informational
-
-
- Tradeoffs in Domain Name System (DNS) Support
- for Internet Protocol version 6 (IPv6)
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
-Abstract
-
- The IETF has two different proposals on the table for how to do DNS
- support for IPv6, and has thus far failed to reach a clear consensus
- on which approach is better. This note attempts to examine the pros
- and cons of each approach, in the hope of clarifying the debate so
- that we can reach closure and move on.
-
-Introduction
-
- RFC 1886 [RFC1886] specified straightforward mechanisms to support
- IPv6 addresses in the DNS. These mechanisms closely resemble the
- mechanisms used to support IPv4, with a minor improvement to the
- reverse mapping mechanism based on experience with CIDR. RFC 1886 is
- currently listed as a Proposed Standard.
-
- RFC 2874 [RFC2874] specified enhanced mechanisms to support IPv6
- addresses in the DNS. These mechanisms provide new features that
- make it possible for an IPv6 address stored in the DNS to be broken
- up into multiple DNS resource records in ways that can reflect the
- network topology underlying the address, thus making it possible for
- the data stored in the DNS to reflect certain kinds of network
- topology changes or routing architectures that are either impossible
- or more difficult to represent without these mechanisms. RFC 2874 is
- also currently listed as a Proposed Standard.
-
-
-
-
-
-
-
-Austein Informational [Page 1]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
- Both of these Proposed Standards were the output of the IPNG Working
- Group. Both have been implemented, although implementation of
- [RFC1886] is more widespread, both because it was specified earlier
- and because it's simpler to implement.
-
- There's little question that the mechanisms proposed in [RFC2874] are
- more general than the mechanisms proposed in [RFC1886], and that
- these enhanced mechanisms might be valuable if IPv6's evolution goes
- in certain directions. The questions are whether we really need the
- more general mechanism, what new usage problems might come along with
- the enhanced mechanisms, and what effect all this will have on IPv6
- deployment.
-
- The one thing on which there does seem to be widespread agreement is
- that we should make up our minds about all this Real Soon Now.
-
-Main Advantages of Going with A6
-
- While the A6 RR proposed in [RFC2874] is very general and provides a
- superset of the functionality provided by the AAAA RR in [RFC1886],
- many of the features of A6 can also be implemented with AAAA RRs via
- preprocessing during zone file generation.
-
- There is one specific area where A6 RRs provide something that cannot
- be provided using AAAA RRs: A6 RRs can represent addresses in which a
- prefix portion of the address can change without any action (or
- perhaps even knowledge) by the parties controlling the DNS zone
- containing the terminal portion (least significant bits) of the
- address. This includes both so-called "rapid renumbering" scenarios
- (where an entire network's prefix may change very quickly) and
- routing architectures such as the former "GSE" proposal [GSE] (where
- the "routing goop" portion of an address may be subject to change
- without warning). A6 RRs do not completely remove the need to update
- leaf zones during all renumbering events (for example, changing ISPs
- would usually require a change to the upward delegation pointer), but
- careful use of A6 RRs could keep the number of RRs that need to
- change during such an event to a minimum.
-
- Note that constructing AAAA RRs via preprocessing during zone file
- generation requires exactly the sort of information that A6 RRs store
- in the DNS. This begs the question of where the hypothetical
- preprocessor obtains that information if it's not getting it from the
- DNS.
-
- Note also that the A6 RR, when restricted to its zero-length-prefix
- form ("A6 0"), is semantically equivalent to an AAAA RR (with one
- "wasted" octet in the wire representation), so anything that can be
- done with an AAAA RR can also be done with an A6 RR.
-
-
-
-Austein Informational [Page 2]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
-Main Advantages of Going with AAAA
-
- The AAAA RR proposed in [RFC1886], while providing only a subset of
- the functionality provided by the A6 RR proposed in [RFC2874], has
- two main points to recommend it:
-
- - AAAA RRs are essentially identical (other than their length) to
- IPv4's A RRs, so we have more than 15 years of experience to help
- us predict the usage patterns, failure scenarios and so forth
- associated with AAAA RRs.
-
- - The AAAA RR is "optimized for read", in the sense that, by storing
- a complete address rather than making the resolver fetch the
- address in pieces, it minimizes the effort involved in fetching
- addresses from the DNS (at the expense of increasing the effort
- involved in injecting new data into the DNS).
-
-Less Compelling Arguments in Favor of A6
-
- Since the A6 RR allows a zone administrator to write zone files whose
- description of addresses maps to the underlying network topology, A6
- RRs can be construed as a "better" way of representing addresses than
- AAAA. This may well be a useful capability, but in and of itself
- it's more of an argument for better tools for zone administrators to
- use when constructing zone files than a justification for changing
- the resolution protocol used on the wire.
-
-Less Compelling Arguments in Favor of AAAA
-
- Some of the pressure to go with AAAA instead of A6 appears to be
- based on the wider deployment of AAAA. Since it is possible to
- construct transition tools (see discussion of AAAA synthesis, later
- in this note), this does not appear to be a compelling argument if A6
- provides features that we really need.
-
- Another argument in favor of AAAA RRs over A6 RRs appears to be that
- the A6 RR's advanced capabilities increase the number of ways in
- which a zone administrator could build a non-working configuration.
- While operational issues are certainly important, this is more of
- argument that we need better tools for zone administrators than it is
- a justification for turning away from A6 if A6 provides features that
- we really need.
-
-
-
-
-
-
-
-
-
-Austein Informational [Page 3]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
-Potential Problems with A6
-
- The enhanced capabilities of the A6 RR, while interesting, are not in
- themselves justification for choosing A6 if we don't really need
- those capabilities. The A6 RR is "optimized for write", in the sense
- that, by making it possible to store fragmented IPv6 addresses in the
- DNS, it makes it possible to reduce the effort that it takes to
- inject new data into the DNS (at the expense of increasing the effort
- involved in fetching data from the DNS). This may be justified if we
- expect the effort involved in maintaining AAAA-style DNS entries to
- be prohibitive, but in general, we expect the DNS data to be read
- more frequently than it is written, so we need to evaluate this
- particular tradeoff very carefully.
-
- There are also several potential issues with A6 RRs that stem
- directly from the feature that makes them different from AAAA RRs:
- the ability to build up address via chaining.
-
- Resolving a chain of A6 RRs involves resolving a series of what are
- almost independent queries, but not quite. Each of these sub-queries
- takes some non-zero amount of time, unless the answer happens to be
- in the resolver's local cache already. Assuming that resolving an
- AAAA RR takes time T as a baseline, we can guess that, on the
- average, it will take something approaching time N*T to resolve an
- N-link chain of A6 RRs, although we would expect to see a fairly good
- caching factor for the A6 fragments representing the more significant
- bits of an address. This leaves us with two choices, neither of
- which is very good: we can decrease the amount of time that the
- resolver is willing to wait for each fragment, or we can increase the
- amount of time that a resolver is willing to wait before returning
- failure to a client. What little data we have on this subject
- suggests that users are already impatient with the length of time it
- takes to resolve A RRs in the IPv4 Internet, which suggests that they
- are not likely to be patient with significantly longer delays in the
- IPv6 Internet. At the same time, terminating queries prematurely is
- both a waste of resources and another source of user frustration.
- Thus, we are forced to conclude that indiscriminate use of long A6
- chains is likely to lead to problems.
-
- To make matters worse, the places where A6 RRs are likely to be most
- critical for rapid renumbering or GSE-like routing are situations
- where the prefix name field in the A6 RR points to a target that is
- not only outside the DNS zone containing the A6 RR, but is
- administered by a different organization (for example, in the case of
- an end user's site, the prefix name will most likely point to a name
- belonging to an ISP that provides connectivity for the site). While
- pointers out of zone are not a problem per se, pointers to other
- organizations are somewhat more difficult to maintain and less
-
-
-
-Austein Informational [Page 4]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
- susceptible to automation than pointers within a single organization
- would be. Experience both with glue RRs and with PTR RRs in the IN-
- ADDR.ARPA tree suggests that many zone administrators do not really
- understand how to set up and maintain these pointers properly, and we
- have no particular reason to believe that these zone administrators
- will do a better job with A6 chains than they do today. To be fair,
- however, the alternative case of building AAAA RRs via preprocessing
- before loading zones has many of the same problems; at best, one can
- claim that using AAAA RRs for this purpose would allow DNS clients to
- get the wrong answer somewhat more efficiently than with A6 RRs.
-
- Finally, assuming near total ignorance of how likely a query is to
- fail, the probability of failure with an N-link A6 chain would appear
- to be roughly proportional to N, since each of the queries involved
- in resolving an A6 chain would have the same probability of failure
- as a single AAAA query. Note again that this comment applies to
- failures in the the process of resolving a query, not to the data
- obtained via that process. Arguably, in an ideal world, A6 RRs would
- increase the probability of the answer a client (finally) gets being
- right, assuming that nothing goes wrong in the query process, but we
- have no real idea how to quantify that assumption at this point even
- to the hand-wavey extent used elsewhere in this note.
-
- One potential problem that has been raised in the past regarding A6
- RRs turns out not to be a serious issue. The A6 design includes the
- possibility of there being more than one A6 RR matching the prefix
- name portion of a leaf A6 RR. That is, an A6 chain may not be a
- simple linked list, it may in fact be a tree, where each branch
- represents a possible prefix. Some critics of A6 have been concerned
- that this will lead to a wild expansion of queries, but this turns
- out not to be a problem if a resolver simply follows the "bounded
- work per query" rule described in RFC 1034 (page 35). That rule
- applies to all work resulting from attempts to process a query,
- regardless of whether it's a simple query, a CNAME chain, an A6 tree,
- or an infinite loop. The client may not get back a useful answer in
- cases where the zone has been configured badly, but a proper
- implementation should not produce a query explosion as a result of
- processing even the most perverse A6 tree, chain, or loop.
-
-Interactions with DNSSEC
-
- One of the areas where AAAA and A6 RRs differ is in the precise
- details of how they interact with DNSSEC. The following comments
- apply only to non-zero-prefix A6 RRs (A6 0 RRs, once again, are
- semantically equivalent to AAAA RRs).
-
-
-
-
-
-
-Austein Informational [Page 5]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
- Other things being equal, the time it takes to re-sign all of the
- addresses in a zone after a renumbering event is longer with AAAA RRs
- than with A6 RRs (because each address record has to be re-signed
- rather than just signing a common prefix A6 RR and a few A6 0 RRs
- associated with the zone's name servers). Note, however, that in
- general this does not present a serious scaling problem, because the
- re-signing is performed in the leaf zones.
-
- Other things being equal, there's more work involved in verifying the
- signatures received back for A6 RRs, because each address fragment
- has a separate associated signature. Similarly, a DNS message
- containing a set of A6 address fragments and their associated
- signatures will be larger than the equivalent packet with a single
- AAAA (or A6 0) and a single associated signature.
-
- Since AAAA RRs cannot really represent rapid renumbering or GSE-style
- routing scenarios very well, it should not be surprising that DNSSEC
- signatures of AAAA RRs are also somewhat problematic. In cases where
- the AAAA RRs would have to be changing very quickly to keep up with
- prefix changes, the time required to re-sign the AAAA RRs may be
- prohibitive.
-
- Empirical testing by Bill Sommerfeld [Sommerfeld] suggests that
- 333MHz Celeron laptop with 128KB L2 cache and 64MB RAM running the
- BIND-9 dnssec-signzone program under NetBSD can generate roughly 40
- 1024-bit RSA signatures per second. Extrapolating from this,
- assuming one A RR, one AAAA RR, and one NXT RR per host, this
- suggests that it would take this laptop a few hours to sign a zone
- listing 10**5 hosts, or about a day to sign a zone listing 10**6
- hosts using AAAA RRs.
-
- This suggests that the additional effort of re-signing a large zone
- full of AAAA RRs during a re-numbering event, while noticeable, is
- only likely to be prohibitive in the rapid renumbering case where
- AAAA RRs don't work well anyway.
-
-Interactions with Dynamic Update
-
- DNS dynamic update appears to work equally well for AAAA or A6 RRs,
- with one minor exception: with A6 RRs, the dynamic update client
- needs to know the prefix length and prefix name. At present, no
- mechanism exists to inform a dynamic update client of these values,
- but presumably such a mechanism could be provided via an extension to
- DHCP, or some other equivalent could be devised.
-
-
-
-
-
-
-
-Austein Informational [Page 6]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
-Transition from AAAA to A6 Via AAAA Synthesis
-
- While AAAA is at present more widely deployed than A6, it is possible
- to transition from AAAA-aware DNS software to A6-aware DNS software.
- A rough plan for this was presented at IETF-50 in Minneapolis and has
- been discussed on the ipng mailing list. So if the IETF concludes
- that A6's enhanced capabilities are necessary, it should be possible
- to transition from AAAA to A6.
-
- The details of this transition have been left to a separate document,
- but the general idea is that the resolver that is performing
- iterative resolution on behalf of a DNS client program could
- synthesize AAAA RRs representing the result of performing the
- equivalent A6 queries. Note that in this case it is not possible to
- generate an equivalent DNSSEC signature for the AAAA RR, so clients
- that care about performing DNSSEC validation for themselves would
- have to issue A6 queries directly rather than relying on AAAA
- synthesis.
-
-Bitlabels
-
- While the differences between AAAA and A6 RRs have generated most of
- the discussion to date, there are also two proposed mechanisms for
- building the reverse mapping tree (the IPv6 equivalent of IPv4's IN-
- ADDR.ARPA tree).
-
- [RFC1886] proposes a mechanism very similar to the IN-ADDR.ARPA
- mechanism used for IPv4 addresses: the RR name is the hexadecimal
- representation of the IPv6 address, reversed and concatenated with a
- well-known suffix, broken up with a dot between each hexadecimal
- digit. The resulting DNS names are somewhat tedious for humans to
- type, but are very easy for programs to generate. Making each
- hexadecimal digit a separate label means that delegation on arbitrary
- bit boundaries will result in a maximum of 16 NS RRsets per label
- level; again, the mechanism is somewhat tedious for humans, but is
- very easy to program. As with IPv4's IN-ADDR.ARPA tree, the one
- place where this scheme is weak is in handling delegations in the
- least significant label; however, since there appears to be no real
- need to delegate the least significant four bits of an IPv6 address,
- this does not appear to be a serious restriction.
-
- [RFC2874] proposed a radically different way of naming entries in the
- reverse mapping tree: rather than using textual representations of
- addresses, it proposes to use a new kind of DNS label (a "bit label")
- to represent binary addresses directly in the DNS. This has the
- advantage of being significantly more compact than the textual
- representation, and arguably might have been a better solution for
- DNS to use for this purpose if it had been designed into the protocol
-
-
-
-Austein Informational [Page 7]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
- from the outset. Unfortunately, experience to date suggests that
- deploying a new DNS label type is very hard: all of the DNS name
- servers that are authoritative for any portion of the name in
- question must be upgraded before the new label type can be used, as
- must any resolvers involved in the resolution process. Any name
- server that has not been upgraded to understand the new label type
- will reject the query as being malformed.
-
- Since the main benefit of the bit label approach appears to be an
- ability that we don't really need (delegation in the least
- significant four bits of an IPv6 address), and since the upgrade
- problem is likely to render bit labels unusable until a significant
- portion of the DNS code base has been upgraded, it is difficult to
- escape the conclusion that the textual solution is good enough.
-
-DNAME RRs
-
- [RFC2874] also proposes using DNAME RRs as a way of providing the
- equivalent of A6's fragmented addresses in the reverse mapping tree.
- That is, by using DNAME RRs, one can write zone files for the reverse
- mapping tree that have the same ability to cope with rapid
- renumbering or GSE-style routing that the A6 RR offers in the main
- portion of the DNS tree. Consequently, the need to use DNAME in the
- reverse mapping tree appears to be closely tied to the need to use
- fragmented A6 in the main tree: if one is necessary, so is the other,
- and if one isn't necessary, the other isn't either.
-
- Other uses have also been proposed for the DNAME RR, but since they
- are outside the scope of the IPv6 address discussion, they will not
- be addressed here.
-
-Recommendation
-
- Distilling the above feature comparisons down to their key elements,
- the important questions appear to be:
-
- (a) Is IPv6 going to do rapid renumbering or GSE-like routing?
-
- (b) Is the reverse mapping tree for IPv6 going to require delegation
- in the least significant four bits of the address?
-
- Question (a) appears to be the key to the debate. This is really a
- decision for the IPv6 community to make, not the DNS community.
-
- Question (b) is also for the IPv6 community to make, but it seems
- fairly obvious that the answer is "no".
-
-
-
-
-
-Austein Informational [Page 8]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
- Recommendations based on these questions:
-
- (1) If the IPv6 working groups seriously intend to specify and deploy
- rapid renumbering or GSE-like routing, we should transition to
- using the A6 RR in the main tree and to using DNAME RRs as
- necessary in the reverse tree.
-
- (2) Otherwise, we should keep the simpler AAAA solution in the main
- tree and should not use DNAME RRs in the reverse tree.
-
- (3) In either case, the reverse tree should use the textual
- representation described in [RFC1886] rather than the bit label
- representation described in [RFC2874].
-
- (4) If we do go to using A6 RRs in the main tree and to using DNAME
- RRs in the reverse tree, we should write applicability statements
- and implementation guidelines designed to discourage excessively
- complex uses of these features; in general, any network that can
- be described adequately using A6 0 RRs and without using DNAME
- RRs should be described that way, and the enhanced features
- should be used only when absolutely necessary, at least until we
- have much more experience with them and have a better
- understanding of their failure modes.
-
-Security Considerations
-
- This note compares two mechanisms with similar security
- characteristics, but there are a few security implications to the
- choice between these two mechanisms:
-
- (1) The two mechanisms have similar but not identical interactions
- with DNSSEC. Please see the section entitled "Interactions with
- DNSSEC" (above) for a discussion of these issues.
-
- (2) To the extent that operational complexity is the enemy of
- security, the tradeoffs in operational complexity discussed
- throughout this note have an impact on security.
-
- (3) To the extent that protocol complexity is the enemy of security,
- the additional protocol complexity of [RFC2874] as compared to
- [RFC1886] has some impact on security.
-
-IANA Considerations
-
- None, since all of these RR types have already been allocated.
-
-
-
-
-
-
-Austein Informational [Page 9]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
-Acknowledgments
-
- This note is based on a number of discussions both public and private
- over a period of (at least) eight years, but particular thanks go to
- Alain Durand, Bill Sommerfeld, Christian Huitema, Jun-ichiro itojun
- Hagino, Mark Andrews, Matt Crawford, Olafur Gudmundsson, Randy Bush,
- and Sue Thomson, none of whom are responsible for what the author did
- with their ideas.
-
-References
-
- [RFC1886] Thomson, S. and C. Huitema, "DNS Extensions to support
- IP version 6", RFC 1886, December 1995.
-
- [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
- IPv6 Address Aggregation and Renumbering", RFC 2874,
- July 2000.
-
- [Sommerfeld] Private message to the author from Bill Sommerfeld dated
- 21 March 2001, summarizing the result of experiments he
- performed on a copy of the MIT.EDU zone.
-
- [GSE] "GSE" was an evolution of the so-called "8+8" proposal
- discussed by the IPng working group in 1996 and 1997.
- The GSE proposal itself was written up as an Internet-
- Draft, which has long since expired. Readers interested
- in the details and history of GSE should review the IPng
- working group's mailing list archives and minutes from
- that period.
-
-Author's Address
-
- Rob Austein
-
- EMail: sra@hactrn.net
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein Informational [Page 10]
-
-RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Austein Informational [Page 11]
-
diff --git a/contrib/bind9/doc/rfc/rfc3425.txt b/contrib/bind9/doc/rfc/rfc3425.txt
deleted file mode 100644
index 707cafd18aa1..000000000000
--- a/contrib/bind9/doc/rfc/rfc3425.txt
+++ /dev/null
@@ -1,283 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Lawrence
-Request for Comments: 3425 Nominum
-Updates: 1035 November 2002
-Category: Standards Track
-
-
- Obsoleting IQUERY
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
-Abstract
-
- The IQUERY method of performing inverse DNS lookups, specified in RFC
- 1035, has not been generally implemented and has usually been
- operationally disabled where it has been implemented. Both reflect a
- general view in the community that the concept was unwise and that
- the widely-used alternate approach of using pointer (PTR) queries and
- reverse-mapping records is preferable. Consequently, this document
- deprecates the IQUERY operation, declaring it entirely obsolete.
- This document updates RFC 1035.
-
-1 - Introduction
-
- As specified in RFC 1035 (section 6.4), the IQUERY operation for DNS
- queries is used to look up the name(s) which are associated with the
- given value. The value being sought is provided in the query's
- answer section and the response fills in the question section with
- one or more 3-tuples of type, name and class.
-
- As noted in [RFC1035], section 6.4.3, inverse query processing can
- put quite an arduous burden on a server. A server would need to
- perform either an exhaustive search of its database or maintain a
- separate database that is keyed by the values of the primary
- database. Both of these approaches could strain system resource use,
- particularly for servers that are authoritative for millions of
- names.
-
-
-
-
-
-Lawrence Standards Track [Page 1]
-
-RFC 3425 Obsoleting IQUERY November 2002
-
-
- Response packets from these megaservers could be exceptionally large,
- and easily run into megabyte sizes. For example, using IQUERY to
- find every domain that is delegated to one of the nameservers of a
- large ISP could return tens of thousands of 3-tuples in the question
- section. This could easily be used to launch denial of service
- attacks.
-
- Operators of servers that do support IQUERY in some form (such as
- very old BIND 4 servers) generally opt to disable it. This is
- largely due to bugs in insufficiently-exercised code, or concerns
- about exposure of large blocks of names in their zones by probes such
- as inverse MX queries.
-
- IQUERY is also somewhat inherently crippled by being unable to tell a
- requester where it needs to go to get the information that was
- requested. The answer is very specific to the single server that was
- queried. This is sometimes a handy diagnostic tool, but apparently
- not enough so that server operators like to enable it, or request
- implementation where it is lacking.
-
- No known clients use IQUERY to provide any meaningful service. The
- only common reverse mapping support on the Internet, mapping address
- records to names, is provided through the use of pointer (PTR)
- records in the in-addr.arpa tree and has served the community well
- for many years.
-
- Based on all of these factors, this document recommends that the
- IQUERY operation for DNS servers be officially obsoleted.
-
-2 - Requirements
-
- The key word "SHOULD" in this document is to be interpreted as
- described in BCP 14, RFC 2119, namely that there may exist valid
- reasons to ignore a particular item, but the full implications must
- be understood and carefully weighed before choosing a different
- course.
-
-3 - Effect on RFC 1035
-
- The effect of this document is to change the definition of opcode 1
- from that originally defined in section 4.1.1 of RFC 1035, and to
- entirely supersede section 6.4 (including subsections) of RFC 1035.
-
- The definition of opcode 1 is hereby changed to:
-
- "1 an inverse query (IQUERY) (obsolete)"
-
-
-
-
-
-Lawrence Standards Track [Page 2]
-
-RFC 3425 Obsoleting IQUERY November 2002
-
-
- The text in section 6.4 of RFC 1035 is now considered obsolete. The
- following is an applicability statement regarding the IQUERY opcode:
-
- Inverse queries using the IQUERY opcode were originally described as
- the ability to look up the names that are associated with a
- particular Resource Record (RR). Their implementation was optional
- and never achieved widespread use. Therefore IQUERY is now obsolete,
- and name servers SHOULD return a "Not Implemented" error when an
- IQUERY request is received.
-
-4 - Security Considerations
-
- Since this document obsoletes an operation that was once available,
- it is conceivable that someone was using it as the basis of a
- security policy. However, since the most logical course for such a
- policy to take in the face of a lack of positive response from a
- server is to deny authentication/authorization, it is highly unlikely
- that removing support for IQUERY will open any new security holes.
-
- Note that if IQUERY is not obsoleted, securing the responses with DNS
- Security (DNSSEC) is extremely difficult without out-on-the-fly
- digital signing.
-
-5 - IANA Considerations
-
- The IQUERY opcode of 1 should be permanently retired, not to be
- assigned to any future opcode.
-
-6 - Acknowledgments
-
- Olafur Gudmundsson instigated this action. Matt Crawford, John
- Klensin, Erik Nordmark and Keith Moore contributed some improved
- wording in how to handle obsoleting functionality described by an
- Internet Standard.
-
-7 - References
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
- 3", BCP 9, RFC 2026, October 1996.
-
- [RFC2119] Bradner, S., "Key Words for Use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-
-
-
-
-
-Lawrence Standards Track [Page 3]
-
-RFC 3425 Obsoleting IQUERY November 2002
-
-
-8 - Author's Address
-
- David C Lawrence
- Nominum, Inc.
- 2385 Bay Rd
- Redwood City CA 94063
- USA
-
- Phone: +1.650.779.6042
- EMail: tale@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lawrence Standards Track [Page 4]
-
-RFC 3425 Obsoleting IQUERY November 2002
-
-
-9 - Full Copyright Statement
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Lawrence Standards Track [Page 5]
-
diff --git a/contrib/bind9/doc/rfc/rfc3445.txt b/contrib/bind9/doc/rfc/rfc3445.txt
deleted file mode 100644
index 67f9b2d6e573..000000000000
--- a/contrib/bind9/doc/rfc/rfc3445.txt
+++ /dev/null
@@ -1,563 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Massey
-Request for Comments: 3445 USC/ISI
-Updates: 2535 S. Rose
-Category: Standards Track NIST
- December 2002
-
-
- Limiting the Scope of the KEY Resource Record (RR)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
-Abstract
-
- This document limits the Domain Name System (DNS) KEY Resource Record
- (RR) to only keys used by the Domain Name System Security Extensions
- (DNSSEC). The original KEY RR used sub-typing to store both DNSSEC
- keys and arbitrary application keys. Storing both DNSSEC and
- application keys with the same record type is a mistake. This
- document removes application keys from the KEY record by redefining
- the Protocol Octet field in the KEY RR Data. As a result of removing
- application keys, all but one of the flags in the KEY record become
- unnecessary and are redefined. Three existing application key sub-
- types are changed to reserved, but the format of the KEY record is
- not changed. This document updates RFC 2535.
-
-1. Introduction
-
- This document limits the scope of the KEY Resource Record (RR). The
- KEY RR was defined in [3] and used resource record sub-typing to hold
- arbitrary public keys such as Email, IPSEC, DNSSEC, and TLS keys.
- This document eliminates the existing Email, IPSEC, and TLS sub-types
- and prohibits the introduction of new sub-types. DNSSEC will be the
- only allowable sub-type for the KEY RR (hence sub-typing is
- essentially eliminated) and all but one of the KEY RR flags are also
- eliminated.
-
-
-
-
-
-
-Massey & Rose Standards Track [Page 1]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
- Section 2 presents the motivation for restricting the KEY record and
- Section 3 defines the revised KEY RR. Sections 4 and 5 summarize the
- changes from RFC 2535 and discuss backwards compatibility. It is
- important to note that this document restricts the use of the KEY RR
- and simplifies the flags, but does not change the definition or use
- of DNSSEC keys.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [1].
-
-2. Motivation for Restricting the KEY RR
-
- The KEY RR RDATA [3] consists of Flags, a Protocol Octet, an
- Algorithm type, and a Public Key. The Protocol Octet identifies the
- KEY RR sub-type. DNSSEC public keys are stored in the KEY RR using a
- Protocol Octet value of 3. Email, IPSEC, and TLS keys were also
- stored in the KEY RR and used Protocol Octet values of 1,2, and 4
- (respectively). Protocol Octet values 5-254 were available for
- assignment by IANA and values were requested (but not assigned) for
- applications such as SSH.
-
- Any use of sub-typing has inherent limitations. A resolver can not
- specify the desired sub-type in a DNS query and most DNS operations
- apply only to resource records sets. For example, a resolver can not
- directly request the DNSSEC subtype KEY RRs. Instead, the resolver
- has to request all KEY RRs associated with a DNS name and then search
- the set for the desired DNSSEC sub-type. DNSSEC signatures also
- apply to the set of all KEY RRs associated with the DNS name,
- regardless of sub-type.
-
- In the case of the KEY RR, the inherent sub-type limitations are
- exacerbated since the sub-type is used to distinguish between DNSSEC
- keys and application keys. DNSSEC keys and application keys differ
- in virtually every respect and Section 2.1 discusses these
- differences in more detail. Combining these very different types of
- keys into a single sub-typed resource record adds unnecessary
- complexity and increases the potential for implementation and
- deployment errors. Limited experimental deployment has shown that
- application keys stored in KEY RRs are problematic.
-
- This document addresses these issues by removing all application keys
- from the KEY RR. Note that the scope of this document is strictly
- limited to the KEY RR and this document does not endorse or restrict
- the storage of application keys in other, yet undefined, resource
- records.
-
-
-
-
-
-Massey & Rose Standards Track [Page 2]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
-2.1 Differences Between DNSSEC and Application Keys
-
- DNSSEC keys are an essential part of the DNSSEC protocol and are used
- by both name servers and resolvers in order to perform DNS tasks. A
- DNS zone key, used to sign and authenticate RR sets, is the most
- common example of a DNSSEC key. SIG(0) [4] and TKEY [3] also use
- DNSSEC keys.
-
- Application keys such as Email keys, IPSEC keys, and TLS keys are
- simply another type of data. These keys have no special meaning to a
- name server or resolver.
-
- The following table summarizes some of the differences between DNSSEC
- keys and application keys:
-
- 1. They serve different purposes.
-
- 2. They are managed by different administrators.
-
- 3. They are authenticated according to different rules.
-
- 4. Nameservers use different rules when including them in
- responses.
-
- 5. Resolvers process them in different ways.
-
- 6. Faults/key compromises have different consequences.
-
- 1. The purpose of a DNSSEC key is to sign resource records
- associated with a DNS zone (or generate DNS transaction signatures in
- the case of SIG(0)/TKEY). But the purpose of an application key is
- specific to the application. Application keys, such as PGP/email,
- IPSEC, TLS, and SSH keys, are not a mandatory part of any zone and
- the purpose and proper use of application keys is outside the scope
- of DNS.
-
- 2. DNSSEC keys are managed by DNS administrators, but application
- keys are managed by application administrators. The DNS zone
- administrator determines the key lifetime, handles any suspected key
- compromises, and manages any DNSSEC key changes. Likewise, the
- application administrator is responsible for the same functions for
- the application keys related to the application. For example, a user
- typically manages her own PGP key and a server manages its own TLS
- key. Application key management tasks are outside the scope of DNS
- administration.
-
-
-
-
-
-
-Massey & Rose Standards Track [Page 3]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
- 3. DNSSEC zone keys are used to authenticate application keys, but
- by definition, application keys are not allowed to authenticate DNS
- zone keys. A DNS zone key is either configured as a trusted key or
- authenticated by constructing a chain of trust in the DNS hierarchy.
- To participate in the chain of trust, a DNS zone needs to exchange
- zone key information with its parent zone [3]. Application keys are
- not configured as trusted keys in the DNS and are never part of any
- DNS chain of trust. Application key data is not needed by the parent
- and does not need to be exchanged with the parent zone for secure DNS
- resolution to work. A resolver considers an application key RRset as
- authenticated DNS information if it has a valid signature from the
- local DNS zone keys, but applications could impose additional
- security requirements before the application key is accepted as
- authentic for use with the application.
-
- 4. It may be useful for nameservers to include DNS zone keys in the
- additional section of a response, but application keys are typically
- not useful unless they have been specifically requested. For
- example, it could be useful to include the example.com zone key along
- with a response that contains the www.example.com A record and SIG
- record. A secure resolver will need the example.com zone key in
- order to check the SIG and authenticate the www.example.com A record.
- It is typically not useful to include the IPSEC, email, and TLS keys
- along with the A record. Note that by placing application keys in
- the KEY record, a resolver would need the IPSEC, email, TLS, and
- other key associated with example.com if the resolver intends to
- authenticate the example.com zone key (since signatures only apply to
- the entire KEY RR set). Depending on the number of protocols
- involved, the KEY RR set could grow unwieldy for resolvers, and DNS
- administrators to manage.
-
- 5. DNS zone keys require special handling by resolvers, but
- application keys are treated the same as any other type of DNS data.
- The DNSSEC keys are of no value to end applications, unless the
- applications plan to do their own DNS authentication. By definition,
- secure resolvers are not allowed to use application keys as part of
- the authentication process. Application keys have no unique meaning
- to resolvers and are only useful to the application requesting the
- key. Note that if sub-types are used to identify the application
- key, then either the interface to the resolver needs to specify the
- sub-type or the application needs to be able to accept all KEY RRs
- and pick out the desired sub-type.
-
- 6. A fault or compromise of a DNS zone key can lead to invalid or
- forged DNS data, but a fault or compromise of an application key
- should have no impact on other DNS data. Incorrectly adding or
- changing a DNS zone key can invalidate all of the DNS data in the
- zone and in all of its subzones. By using a compromised key, an
-
-
-
-Massey & Rose Standards Track [Page 4]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
- attacker can forge data from the effected zone and for any of its
- sub-zones. A fault or compromise of an application key has
- implications for that application, but it should not have an impact
- on the DNS. Note that application key faults and key compromises can
- have an impact on the entire DNS if the application key and DNS zone
- keys are both stored in the KEY RR.
-
- In summary, DNSSEC keys and application keys differ in most every
- respect. DNSSEC keys are an essential part of the DNS infrastructure
- and require special handling by DNS administrators and DNS resolvers.
- Application keys are simply another type of data and have no special
- meaning to DNS administrators or resolvers. These two different
- types of data do not belong in the same resource record.
-
-3. Definition of the KEY RR
-
- The KEY RR uses type 25 and is used as resource record for storing
- DNSSEC keys. The RDATA for a KEY RR consists of flags, a protocol
- octet, the algorithm number octet, and the public key itself. The
- format is as follows:
-
- ---------------------------------------------------------------------
-
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | flags | protocol | algorithm |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | /
- / public key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- KEY RR Format
-
- ---------------------------------------------------------------------
-
- In the flags field, all bits except bit 7 are reserved and MUST be
- zero. If Bit 7 (Zone bit) is set to 1, then the KEY is a DNS Zone
- key. If Bit 7 is set to 0, the KEY is not a zone key. SIG(0)/TKEY
- are examples of DNSSEC keys that are not zone keys.
-
- The protocol field MUST be set to 3.
-
- The algorithm and public key fields are not changed.
-
-
-
-
-
-Massey & Rose Standards Track [Page 5]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
-4. Changes from RFC 2535 KEY RR
-
- The KEY RDATA format is not changed.
-
- All flags except for the zone key flag are eliminated:
-
- The A/C bits (bits 0 and 1) are eliminated. They MUST be set to 0
- and MUST be ignored by the receiver.
-
- The extended flags bit (bit 3) is eliminated. It MUST be set to 0
- and MUST be ignored by the receiver.
-
- The host/user bit (bit 6) is eliminated. It MUST be set to 0 and
- MUST be ignored by the receiver.
-
- The zone bit (bit 7) remains unchanged.
-
- The signatory field (bits 12-15) are eliminated by [5]. They MUST
- be set to 0 and MUST be ignored by the receiver.
-
- Bits 2,4,5,8,9,10,11 remain unchanged. They are reserved, MUST be
- set to zero and MUST be ignored by the receiver.
-
- Assignment of any future KEY RR Flag values requires a standards
- action.
-
- All Protocol Octet values except DNSSEC (3) are eliminated:
-
- Value 1 (Email) is renamed to RESERVED.
-
- Value 2 (IPSEC) is renamed to RESERVED.
-
- Value 3 (DNSSEC) is unchanged.
-
- Value 4 (TLS) is renamed to RESERVED.
-
- Value 5-254 remains unchanged (reserved).
-
- Value 255 (ANY) is renamed to RESERVED.
-
- The authoritative data for a zone MUST NOT include any KEY records
- with a protocol octet other than 3. The registry maintained by IANA
- for protocol values is closed for new assignments.
-
- Name servers and resolvers SHOULD accept KEY RR sets that contain KEY
- RRs with a value other than 3. If out of date DNS zones contain
- deprecated KEY RRs with a protocol octet value other than 3, then
- simply dropping the deprecated KEY RRs from the KEY RR set would
-
-
-
-Massey & Rose Standards Track [Page 6]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
- invalidate any associated SIG record(s) and could create caching
- consistency problems. Note that KEY RRs with a protocol octet value
- other than 3 MUST NOT be used to authenticate DNS data.
-
- The algorithm and public key fields are not changed.
-
-5. Backward Compatibility
-
- DNSSEC zone KEY RRs are not changed and remain backwards compatible.
- A properly formatted RFC 2535 zone KEY would have all flag bits,
- other than the Zone Bit (Bit 7), set to 0 and would have the Protocol
- Octet set to 3. This remains true under the restricted KEY.
-
- DNSSEC non-zone KEY RRs (SIG(0)/TKEY keys) are backwards compatible,
- but the distinction between host and user keys (flag bit 6) is lost.
-
- No backwards compatibility is provided for application keys. Any
- Email, IPSEC, or TLS keys are now deprecated. Storing application
- keys in the KEY RR created problems such as keys at the apex and
- large RR sets and some change in the definition and/or usage of the
- KEY RR would have been required even if the approach described here
- were not adopted.
-
- Overall, existing nameservers and resolvers will continue to
- correctly process KEY RRs with a sub-type of DNSSEC keys.
-
-6. Storing Application Keys in the DNS
-
- The scope of this document is strictly limited to the KEY record.
- This document prohibits storing application keys in the KEY record,
- but it does not endorse or restrict the storing application keys in
- other record types. Other documents can describe how DNS handles
- application keys.
-
-7. IANA Considerations
-
- RFC 2535 created an IANA registry for DNS KEY RR Protocol Octet
- values. Values 1, 2, 3, 4, and 255 were assigned by RFC 2535 and
- values 5-254 were made available for assignment by IANA. This
- document makes two sets of changes to this registry.
-
- First, this document re-assigns DNS KEY RR Protocol Octet values 1,
- 2, 4, and 255 to "reserved". DNS Key RR Protocol Octet Value 3
- remains unchanged as "DNSSEC".
-
-
-
-
-
-
-
-Massey & Rose Standards Track [Page 7]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
- Second, new values are no longer available for assignment by IANA and
- this document closes the IANA registry for DNS KEY RR Protocol Octet
- Values. Assignment of any future KEY RR Protocol Octet values
- requires a standards action.
-
-8. Security Considerations
-
- This document eliminates potential security problems that could arise
- due to the coupling of DNS zone keys and application keys. Prior to
- the change described in this document, a correctly authenticated KEY
- set could include both application keys and DNSSEC keys. This
- document restricts the KEY RR to DNS security usage only. This is an
- attempt to simplify the security model and make it less user-error
- prone. If one of the application keys is compromised, it could be
- used as a false zone key to create false DNS signatures (SIG
- records). Resolvers that do not carefully check the KEY sub-type
- could believe these false signatures and incorrectly authenticate DNS
- data. With this change, application keys cannot appear in an
- authenticated KEY set and this vulnerability is eliminated.
-
- The format and correct usage of DNSSEC keys is not changed by this
- document and no new security considerations are introduced.
-
-9. Normative References
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [2] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [3] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)", RFC
- 2930, September 2000.
-
- [4] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0)s)", RFC 2931, September 2000.
-
- [5] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
-
-
-
-
-
-
-
-
-
-
-
-Massey & Rose Standards Track [Page 8]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
-10. Authors' Addresses
-
- Dan Massey
- USC Information Sciences Institute
- 3811 N. Fairfax Drive
- Arlington, VA 22203
- USA
-
- EMail: masseyd@isi.edu
-
-
- Scott Rose
- National Institute for Standards and Technology
- 100 Bureau Drive
- Gaithersburg, MD 20899-3460
- USA
-
- EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Massey & Rose Standards Track [Page 9]
-
-RFC 3445 Limiting the KEY Resource Record (RR) December 2002
-
-
-11. Full Copyright Statement
-
- Copyright (C) The Internet Society (2002). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Massey & Rose Standards Track [Page 10]
-
diff --git a/contrib/bind9/doc/rfc/rfc3467.txt b/contrib/bind9/doc/rfc/rfc3467.txt
deleted file mode 100644
index 37ac7ec1d930..000000000000
--- a/contrib/bind9/doc/rfc/rfc3467.txt
+++ /dev/null
@@ -1,1739 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Klensin
-Request for Comments: 3467 February 2003
-Category: Informational
-
-
- Role of the Domain Name System (DNS)
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document reviews the original function and purpose of the domain
- name system (DNS). It contrasts that history with some of the
- purposes for which the DNS has recently been applied and some of the
- newer demands being placed upon it or suggested for it. A framework
- for an alternative to placing these additional stresses on the DNS is
- then outlined. This document and that framework are not a proposed
- solution, only a strong suggestion that the time has come to begin
- thinking more broadly about the problems we are encountering and
- possible approaches to solving them.
-
-Table of Contents
-
- 1. Introduction and History ..................................... 2
- 1.1 Context for DNS Development ............................... 3
- 1.2 Review of the DNS and Its Role as Designed ................ 4
- 1.3 The Web and User-visible Domain Names ..................... 6
- 1.4 Internet Applications Protocols and Their Evolution ....... 7
- 2. Signs of DNS Overloading ..................................... 8
- 3. Searching, Directories, and the DNS .......................... 12
- 3.1 Overview ................................................. 12
- 3.2 Some Details and Comments ................................. 14
- 4. Internationalization ......................................... 15
- 4.1 ASCII Isn't Just Because of English ....................... 16
- 4.2 The "ASCII Encoding" Approaches ........................... 17
- 4.3 "Stringprep" and Its Complexities ......................... 17
- 4.4 The Unicode Stability Problem ............................. 19
- 4.5 Audiences, End Users, and the User Interface Problem ...... 20
- 4.6 Business Cards and Other Natural Uses of Natural Languages. 22
- 4.7 ASCII Encodings and the Roman Keyboard Assumption ......... 22
-
-
-
-Klensin Informational [Page 1]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- 4.8 Intra-DNS Approaches for "Multilingual Names" ............. 23
- 5. Search-based Systems: The Key Controversies .................. 23
- 6. Security Considerations ...................................... 24
- 7. References ................................................... 25
- 7.1 Normative References ...................................... 25
- 7.2 Explanatory and Informative References .................... 25
- 8. Acknowledgements ............................................. 30
- 9. Author's Address ............................................. 30
- 10. Full Copyright Statement ..................................... 31
-
-1. Introduction and History
-
- The DNS was designed as a replacement for the older "host table"
- system. Both were intended to provide names for network resources at
- a more abstract level than network (IP) addresses (see, e.g.,
- [RFC625], [RFC811], [RFC819], [RFC830], [RFC882]). In recent years,
- the DNS has become a database of convenience for the Internet, with
- many proposals to add new features. Only some of these proposals
- have been successful. Often the main (or only) motivation for using
- the DNS is because it exists and is widely deployed, not because its
- existing structure, facilities, and content are appropriate for the
- particular application of data involved. This document reviews the
- history of the DNS, including examination of some of those newer
- applications. It then argues that the overloading process is often
- inappropriate. Instead, it suggests that the DNS should be
- supplemented by systems better matched to the intended applications
- and outlines a framework and rationale for one such system.
-
- Several of the comments that follow are somewhat revisionist. Good
- design and engineering often requires a level of intuition by the
- designers about things that will be necessary in the future; the
- reasons for some of these design decisions are not made explicit at
- the time because no one is able to articulate them. The discussion
- below reconstructs some of the decisions about the Internet's primary
- namespace (the "Class=IN" DNS) in the light of subsequent development
- and experience. In addition, the historical reasons for particular
- decisions about the Internet were often severely underdocumented
- contemporaneously and, not surprisingly, different participants have
- different recollections about what happened and what was considered
- important. Consequently, the quasi-historical story below is just
- one story. There may be (indeed, almost certainly are) other stories
- about how the DNS evolved to its present state, but those variants do
- not invalidate the inferences and conclusions.
-
- This document presumes a general understanding of the terminology of
- RFC 1034 [RFC1034] or of any good DNS tutorial (see, e.g., [Albitz]).
-
-
-
-
-
-Klensin Informational [Page 2]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
-1.1 Context for DNS Development
-
- During the entire post-startup-period life of the ARPANET and nearly
- the first decade or so of operation of the Internet, the list of host
- names and their mapping to and from addresses was maintained in a
- frequently-updated "host table" [RFC625], [RFC811], [RFC952]. The
- names themselves were restricted to a subset of ASCII [ASCII] chosen
- to avoid ambiguities in printed form, to permit interoperation with
- systems using other character codings (notably EBCDIC), and to avoid
- the "national use" code positions of ISO 646 [IS646]. These
- restrictions later became collectively known as the "LDH" rules for
- "letter-digit-hyphen", the permitted characters. The table was just
- a list with a common format that was eventually agreed upon; sites
- were expected to frequently obtain copies of, and install, new
- versions. The host tables themselves were introduced to:
-
- o Eliminate the requirement for people to remember host numbers
- (addresses). Despite apparent experience to the contrary in the
- conventional telephone system, numeric numbering systems,
- including the numeric host number strategy, did not (and do not)
- work well for more than a (large) handful of hosts.
-
- o Provide stability when addresses changed. Since addresses -- to
- some degree in the ARPANET and more importantly in the
- contemporary Internet -- are a function of network topology and
- routing, they often had to be changed when connectivity or
- topology changed. The names could be kept stable even as
- addresses changed.
-
- o Provide the capability to have multiple addresses associated with
- a given host to reflect different types of connectivity and
- topology. Use of names, rather than explicit addresses, avoided
- the requirement that would otherwise exist for users and other
- hosts to track these multiple host numbers and addresses and the
- topological considerations for selecting one over others.
-
- After several years of using the host table approach, the community
- concluded that model did not scale adequately and that it would not
- adequately support new service variations. A number of discussions
- and meetings were held which drew several ideas and incomplete
- proposals together. The DNS was the result of that effort. It
- continued to evolve during the design and initial implementation
- period, with a number of documents recording the changes (see
- [RFC819], [RFC830], and [RFC1034]).
-
-
-
-
-
-
-
-Klensin Informational [Page 3]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- The goals for the DNS included:
-
- o Preservation of the capabilities of the host table arrangements
- (especially unique, unambiguous, host names),
-
- o Provision for addition of additional services (e.g., the special
- record types for electronic mail routing which quickly followed
- introduction of the DNS), and
-
- o Creation of a robust, hierarchical, distributed, name lookup
- system to accomplish the other goals.
-
- The DNS design also permitted distribution of name administration,
- rather than requiring that each host be entered into a single,
- central, table by a central administration.
-
-1.2 Review of the DNS and Its Role as Designed
-
- The DNS was designed to identify network resources. Although there
- was speculation about including, e.g., personal names and email
- addresses, it was not designed primarily to identify people, brands,
- etc. At the same time, the system was designed with the flexibility
- to accommodate new data types and structures, both through the
- addition of new record types to the initial "INternet" class, and,
- potentially, through the introduction of new classes. Since the
- appropriate identifiers and content of those future extensions could
- not be anticipated, the design provided that these fields could
- contain any (binary) information, not just the restricted text forms
- of the host table.
-
- However, the DNS, as it is actually used, is intimately tied to the
- applications and application protocols that utilize it, often at a
- fairly low level.
-
- In particular, despite the ability of the protocols and data
- structures themselves to accommodate any binary representation, DNS
- names as used were historically not even unrestricted ASCII, but a
- very restricted subset of it, a subset that derives from the original
- host table naming rules. Selection of that subset was driven in part
- by human factors considerations, including a desire to eliminate
- possible ambiguities in an international context. Hence character
- codes that had international variations in interpretation were
- excluded, the underscore character and case distinctions were
- eliminated as being confusing (in the underscore's case, with the
- hyphen character) when written or read by people, and so on. These
- considerations appear to be very similar to those that resulted in
- similarly restricted character sets being used as protocol elements
- in many ITU and ISO protocols (cf. [X29]).
-
-
-
-Klensin Informational [Page 4]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- Another assumption was that there would be a high ratio of physical
- hosts to second level domains and, more generally, that the system
- would be deeply hierarchical, with most systems (and names) at the
- third level or below and a very large percentage of the total names
- representing physical hosts. There are domains that follow this
- model: many university and corporate domains use fairly deep
- hierarchies, as do a few country-oriented top level domains
- ("ccTLDs"). Historically, the "US." domain has been an excellent
- example of the deeply hierarchical approach. However, by 1998,
- comparison of several efforts to survey the DNS showed a count of SOA
- records that approached (and may have passed) the number of distinct
- hosts. Looked at differently, we appear to be moving toward a
- situation in which the number of delegated domains on the Internet is
- approaching or exceeding the number of hosts, or at least the number
- of hosts able to provide services to others on the network. This
- presumably results from synonyms or aliases that map a great many
- names onto a smaller number of hosts. While experience up to this
- time has shown that the DNS is robust enough -- given contemporary
- machines as servers and current bandwidth norms -- to be able to
- continue to operate reasonably well when those historical assumptions
- are not met (e.g., with a flat, structure under ".COM" containing
- well over ten million delegated subdomains [COMSIZE]), it is still
- useful to remember that the system could have been designed to work
- optimally with a flat structure (and very large zones) rather than a
- deeply hierarchical one, and was not.
-
- Similarly, despite some early speculation about entering people's
- names and email addresses into the DNS directly (e.g., see
- [RFC1034]), electronic mail addresses in the Internet have preserved
- the original, pre-DNS, "user (or mailbox) at location" conceptual
- format rather than a flatter or strictly dot-separated one.
- Location, in that instance, is a reference to a host. The sole
- exception, at least in the "IN" class, has been one field of the SOA
- record.
-
- Both the DNS architecture itself and the two-level (host name and
- mailbox name) provisions for email and similar functions (e.g., see
- the finger protocol [FINGER]), also anticipated a relatively high
- ratio of users to actual hosts. Despite the observation in RFC 1034
- that the DNS was expected to grow to be proportional to the number of
- users (section 2.3), it has never been clear that the DNS was
- seriously designed for, or could, scale to the order of magnitude of
- number of users (or, more recently, products or document objects),
- rather than that of physical hosts.
-
- Just as was the case for the host table before it, the DNS provided
- critical uniqueness for names, and universal accessibility to them,
- as part of overall "single internet" and "end to end" models (cf.
-
-
-
-Klensin Informational [Page 5]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- [RFC2826]). However, there are many signs that, as new uses evolved
- and original assumptions were abused (if not violated outright), the
- system was being stretched to, or beyond, its practical limits.
-
- The original design effort that led to the DNS included examination
- of the directory technologies available at the time. The design
- group concluded that the DNS design, with its simplifying assumptions
- and restricted capabilities, would be feasible to deploy and make
- adequately robust, which the more comprehensive directory approaches
- were not. At the same time, some of the participants feared that the
- limitations might cause future problems; this document essentially
- takes the position that they were probably correct. On the other
- hand, directory technology and implementations have evolved
- significantly in the ensuing years: it may be time to revisit the
- assumptions, either in the context of the two- (or more) level
- mechanism contemplated by the rest of this document or, even more
- radically, as a path toward a DNS replacement.
-
-1.3 The Web and User-visible Domain Names
-
- From the standpoint of the integrity of the domain name system -- and
- scaling of the Internet, including optimal accessibility to content
- -- the web design decision to use "A record" domain names directly in
- URLs, rather than some system of indirection, has proven to be a
- serious mistake in several respects. Convenience of typing, and the
- desire to make domain names out of easily-remembered product names,
- has led to a flattening of the DNS, with many people now perceiving
- that second-level names under COM (or in some countries, second- or
- third-level names under the relevant ccTLD) are all that is
- meaningful. This perception has been reinforced by some domain name
- registrars [REGISTRAR] who have been anxious to "sell" additional
- names. And, of course, the perception that one needed a second-level
- (or even top-level) domain per product, rather than having names
- associated with a (usually organizational) collection of network
- resources, has led to a rapid acceleration in the number of names
- being registered. That acceleration has, in turn, clearly benefited
- registrars charging on a per-name basis, "cybersquatters", and others
- in the business of "selling" names, but it has not obviously
- benefited the Internet as a whole.
-
- This emphasis on second-level domain names has also created a problem
- for the trademark community. Since the Internet is international,
- and names are being populated in a flat and unqualified space,
- similarly-named entities are in conflict even if there would
- ordinarily be no chance of confusing them in the marketplace. The
- problem appears to be unsolvable except by a choice between draconian
- measures. These might include significant changes to the legislation
- and conventions that govern disputes over "names" and "marks". Or
-
-
-
-Klensin Informational [Page 6]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- they might result in a situation in which the "rights" to a name are
- typically not settled using the subtle and traditional product (or
- industry) type and geopolitical scope rules of the trademark system.
- Instead they have depended largely on political or economic power,
- e.g., the organization with the greatest resources to invest in
- defending (or attacking) names will ultimately win out. The latter
- raises not only important issues of equity, but also the risk of
- backlash as the numerous small players are forced to relinquish names
- they find attractive and to adopt less-desirable naming conventions.
-
- Independent of these sociopolitical problems, content distribution
- issues have made it clear that it should be possible for an
- organization to have copies of data it wishes to make available
- distributed around the network, with a user who asks for the
- information by name getting the topologically-closest copy. This is
- not possible with simple, as-designed, use of the DNS: DNS names
- identify target resources or, in the case of email "MX" records, a
- preferentially-ordered list of resources "closest" to a target (not
- to the source/user). Several technologies (and, in some cases,
- corresponding business models) have arisen to work around these
- problems, including intercepting and altering DNS requests so as to
- point to other locations.
-
- Additional implications are still being discovered and evaluated.
-
- Approaches that involve interception of DNS queries and rewriting of
- DNS names (or otherwise altering the resolution process based on the
- topological location of the user) seem, however, to risk disrupting
- end-to-end applications in the general case and raise many of the
- issues discussed by the IAB in [IAB-OPES]. These problems occur even
- if the rewriting machinery is accompanied by additional workarounds
- for particular applications. For example, security associations and
- applications that need to identify "the same host" often run into
- problems if DNS names or other references are changed in the network
- without participation of the applications that are trying to invoke
- the associated services.
-
-1.4 Internet Applications Protocols and Their Evolution
-
- At the applications level, few of the protocols in active,
- widespread, use on the Internet reflect either contemporary knowledge
- in computer science or human factors or experience accumulated
- through deployment and use. Instead, protocols tend to be deployed
- at a just-past-prototype level, typically including the types of
- expedient compromises typical with prototypes. If they prove useful,
- the nature of the network permits very rapid dissemination (i.e.,
- they fill a vacuum, even if a vacuum that no one previously knew
- existed). But, once the vacuum is filled, the installed base
-
-
-
-Klensin Informational [Page 7]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- provides its own inertia: unless the design is so seriously faulty as
- to prevent effective use (or there is a widely-perceived sense of
- impending disaster unless the protocol is replaced), future
- developments must maintain backward compatibility and workarounds for
- problematic characteristics rather than benefiting from redesign in
- the light of experience. Applications that are "almost good enough"
- prevent development and deployment of high-quality replacements.
-
- The DNS is both an illustration of, and an exception to, parts of
- this pessimistic interpretation. It was a second-generation
- development, with the host table system being seen as at the end of
- its useful life. There was a serious attempt made to reflect the
- computing state of the art at the time. However, deployment was much
- slower than expected (and very painful for many sites) and some fixed
- (although relaxed several times) deadlines from a central network
- administration were necessary for deployment to occur at all.
- Replacing it now, in order to add functionality, while it continues
- to perform its core functions at least reasonably well, would
- presumably be extremely difficult.
-
- There are many, perhaps obvious, examples of this. Despite many
- known deficiencies and weaknesses of definition, the "finger" and
- "whois" [WHOIS] protocols have not been replaced (despite many
- efforts to update or replace the latter [WHOIS-UPDATE]). The Telnet
- protocol and its many options drove out the SUPDUP [RFC734] one,
- which was arguably much better designed for a diverse collection of
- network hosts. A number of efforts to replace the email or file
- transfer protocols with models which their advocates considered much
- better have failed. And, more recently and below the applications
- level, there is some reason to believe that this resistance to change
- has been one of the factors impeding IPv6 deployment.
-
-2. Signs of DNS Overloading
-
- Parts of the historical discussion above identify areas in which the
- DNS has become overloaded (semantically if not in the mechanical
- ability to resolve names). Despite this overloading, it appears that
- DNS performance and reliability are still within an acceptable range:
- there is little evidence of serious performance degradation. Recent
- proposals and mechanisms to better respond to overloading and scaling
- issues have all focused on patching or working around limitations
- that develop when the DNS is utilized for out-of-design functions,
- rather than on dramatic rethinking of either DNS design or those
- uses. The number of these issues that have arisen at much the same
- time may argue for just that type of rethinking, and not just for
- adding complexity and attempting to incrementally alter the design
- (see, for example, the discussion of simplicity in section 2 of
- [RFC3439]).
-
-
-
-Klensin Informational [Page 8]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- For example:
-
- o While technical approaches such as larger and higher-powered
- servers and more bandwidth, and legal/political mechanisms such as
- dispute resolution policies, have arguably kept the problems from
- becoming critical, the DNS has not proven adequately responsive to
- business and individual needs to describe or identify things (such
- as product names and names of individuals) other than strict
- network resources.
-
- o While stacks have been modified to better handle multiple
- addresses on a physical interface and some protocols have been
- extended to include DNS names for determining context, the DNS
- does not deal especially well with many names associated with a
- given host (e.g., web hosting facilities with multiple domains on
- a server).
-
- o Efforts to add names deriving from languages or character sets
- based on other than simple ASCII and English-like names (see
- below), or even to utilize complex company or product names
- without the use of hierarchy, have created apparent requirements
- for names (labels) that are over 63 octets long. This requirement
- will undoubtedly increase over time; while there are workarounds
- to accommodate longer names, they impose their own restrictions
- and cause their own problems.
-
- o Increasing commercialization of the Internet, and visibility of
- domain names that are assumed to match names of companies or
- products, has turned the DNS and DNS names into a trademark
- battleground. The traditional trademark system in (at least) most
- countries makes careful distinctions about fields of
- applicability. When the space is flattened, without
- differentiation by either geography or industry sector, not only
- are there likely conflicts between "Joe's Pizza" (of Boston) and
- "Joe's Pizza" (of San Francisco) but between both and "Joe's Auto
- Repair" (of Los Angeles). All three would like to control
- "Joes.com" (and would prefer, if it were permitted by DNS naming
- rules, to also spell it as "Joe's.com" and have both resolve the
- same way) and may claim trademark rights to do so, even though
- conflict or confusion would not occur with traditional trademark
- principles.
-
- o Many organizations wish to have different web sites under the same
- URL and domain name. Sometimes this is to create local variations
- -- the Widget Company might want to present different material to
- a UK user relative to a US one -- and sometimes it is to provide
- higher performance by supplying information from the server
- topologically closest to the user. If the name resolution
-
-
-
-Klensin Informational [Page 9]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- mechanism is expected to provide this functionality, there are
- three possible models (which might be combined):
-
- - supply information about multiple sites (or locations or
- references). Those sites would, in turn, provide information
- associated with the name and sufficient site-specific
- attributes to permit the application to make a sensible choice
- of destination, or
-
- - accept client-site attributes and utilize them in the search
- process, or
-
- - return different answers based on the location or identity of
- the requestor.
-
- While there are some tricks that can provide partial simulations of
- these types of function, DNS responses cannot be reliably conditioned
- in this way.
-
- These, and similar, issues of performance or content choices can, of
- course, be thought of as not involving the DNS at all. For example,
- the commonly-cited alternate approach of coupling these issues to
- HTTP content negotiation (cf. [RFC2295]), requires that an HTTP
- connection first be opened to some "common" or "primary" host so that
- preferences can be negotiated and then the client redirected or sent
- alternate data. At least from the standpoint of improving
- performance by accessing a "closer" location, both initially and
- thereafter, this approach sacrifices the desired result before the
- client initiates any action. It could even be argued that some of
- the characteristics of common content negotiation approaches are
- workarounds for the non-optimal use of the DNS in web URLs.
-
- o Many existing and proposed systems for "finding things on the
- Internet" require a true search capability in which near matches
- can be reported to the user (or to some user agent with an
- appropriate rule-set) and to which queries may be ambiguous or
- fuzzy. The DNS, by contrast, can accommodate only one set of
- (quite rigid) matching rules. Proposals to permit different rules
- in different localities (e.g., matching rules that are TLD- or
- zone-specific) help to identify the problem. But they cannot be
- applied directly to the DNS without either abandoning the desired
- level of flexibility or isolating different parts of the Internet
- from each other (or both). Fuzzy or ambiguous searches are
- desirable for resolution of names that might have spelling
- variations and for names that can be resolved into different sets
- of glyphs depending on context. Especially when
- internationalization is considered, variant name problems go
- beyond simple differences in representation of a character or
-
-
-
-Klensin Informational [Page 10]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- ordering of a string. Instead, avoiding user astonishment and
- confusion requires consideration of relationships such as
- languages that can be written with different alphabets, Kanji-
- Hiragana relationships, Simplified and Traditional Chinese, etc.
- See [Seng] for a discussion and suggestions for addressing a
- subset of these issues in the context of characters based on
- Chinese ones. But that document essentially illustrates the
- difficulty of providing the type of flexible matching that would
- be anticipated by users; instead, it tries to protect against the
- worst types of confusion (and opportunities for fraud).
-
- o The historical DNS, and applications that make assumptions about
- how it works, impose significant risk (or forces technical kludges
- and consequent odd restrictions), when one considers adding
- mechanisms for use with various multi-character-set and
- multilingual "internationalization" systems. See the IAB's
- discussion of some of these issues [RFC2825] for more information.
-
- o In order to provide proper functionality to the Internet, the DNS
- must have a single unique root (the IAB provides more discussion
- of this issue [RFC2826]). There are many desires for local
- treatment of names or character sets that cannot be accommodated
- without either multiple roots (e.g., a separate root for
- multilingual names, proposed at various times by MINC [MINC] and
- others), or mechanisms that would have similar effects in terms of
- Internet fragmentation and isolation.
-
- o For some purposes, it is desirable to be able to search not only
- an index entry (labels or fully-qualified names in the DNS case),
- but their values or targets (DNS data). One might, for example,
- want to locate all of the host (and virtual host) names which
- cause mail to be directed to a given server via MX records. The
- DNS does not support this capability (see the discussion in
- [IQUERY]) and it can be simulated only by extracting all of the
- relevant records (perhaps by zone transfer if the source permits
- doing so, but that permission is becoming less frequently
- available) and then searching a file built from those records.
-
- o Finally, as additional types of personal or identifying
- information are added to the DNS, issues arise with protection of
- that information. There are increasing calls to make different
- information available based on the credentials and authorization
- of the source of the inquiry. As with information keyed to site
- locations or proximity (as discussed above), the DNS protocols
- make providing these differentiated services quite difficult if
- not impossible.
-
-
-
-
-
-Klensin Informational [Page 11]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- In each of these cases, it is, or might be, possible to devise ways
- to trick the DNS system into supporting mechanisms that were not
- designed into it. Several ingenious solutions have been proposed in
- many of these areas already, and some have been deployed into the
- marketplace with some success. But the price of each of these
- changes is added complexity and, with it, added risk of unexpected
- and destabilizing problems.
-
- Several of the above problems are addressed well by a good directory
- system (supported by the LDAP protocol or some protocol more
- precisely suited to these specific applications) or searching
- environment (such as common web search engines) although not by the
- DNS. Given the difficulty of deploying new applications discussed
- above, an important question is whether the tricks and kludges are
- bad enough, or will become bad enough as usage grows, that new
- solutions are needed and can be deployed.
-
-3. Searching, Directories, and the DNS
-
-3.1 Overview
-
- The constraints of the DNS and the discussion above suggest the
- introduction of an intermediate protocol mechanism, referred to below
- as a "search layer" or "searchable system". The terms "directory"
- and "directory system" are used interchangeably with "searchable
- system" in this document, although the latter is far more precise.
- Search layer proposals would use a two (or more) stage lookup, not
- unlike several of the proposals for internationalized names in the
- DNS (see section 4), but all operations but the final one would
- involve searching other systems, rather than looking up identifiers
- in the DNS itself. As explained below, this would permit relaxation
- of several constraints, leading to a more capable and comprehensive
- overall system.
-
- Ultimately, many of the issues with domain names arise as the result
- of efforts to use the DNS as a directory. While, at the time this
- document was written, sufficient pressure or demand had not occurred
- to justify a change, it was already quite clear that, as a directory
- system, the DNS is a good deal less than ideal. This document
- suggests that there actually is a requirement for a directory system,
- and that the right solution to a searchable system requirement is a
- searchable system, not a series of DNS patches, kludges, or
- workarounds.
-
-
-
-
-
-
-
-
-Klensin Informational [Page 12]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- The following points illustrate particular aspects of this
- conclusion.
-
- o A directory system would not require imposition of particular
- length limits on names.
-
- o A directory system could permit explicit association of
- attributes, e.g., language and country, with a name, without
- having to utilize trick encodings to incorporate that information
- in DNS labels (or creating artificial hierarchy for doing so).
-
- o There is considerable experience (albeit not much of it very
- successful) in doing fuzzy and "sonex" (similar-sounding) matching
- in directory systems. Moreover, it is plausible to think about
- different matching rules for different areas and sets of names so
- that these can be adapted to local cultural requirements.
- Specifically, it might be possible to have a single form of a name
- in a directory, but to have great flexibility about what queries
- matched that name (and even have different variations in different
- areas). Of course, the more flexibility that a system provides,
- the greater the possibility of real or imagined trademark
- conflicts. But the opportunity would exist to design a directory
- structure that dealt with those issues in an intelligent way,
- while DNS constraints almost certainly make a general and
- equitable DNS-only solution impossible.
-
- o If a directory system is used to translate to DNS names, and then
- DNS names are looked up in the normal fashion, it may be possible
- to relax several of the constraints that have been traditional
- (and perhaps necessary) with the DNS. For example, reverse-
- mapping of addresses to directory names may not be a requirement
- even if mapping of addresses to DNS names continues to be, since
- the DNS name(s) would (continue to) uniquely identify the host.
-
- o Solutions to multilingual transcription problems that are common
- in "normal life" (e.g., two-sided business cards to be sure that
- recipients trying to contact a person can access romanized
- spellings and numbers if the original language is not
- comprehensible to them) can be easily handled in a directory
- system by inserting both sets of entries.
-
- o A directory system could be designed that would return, not a
- single name, but a set of names paired with network-locational
- information or other context-establishing attributes. This type
- of information might be of considerable use in resolving the
- "nearest (or best) server for a particular named resource"
-
-
-
-
-
-Klensin Informational [Page 13]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- problems that are a significant concern for organizations hosting
- web and other sites that are accessed from a wide range of
- locations and subnets.
-
- o Names bound to countries and languages might help to manage
- trademark realities, while, as discussed in section 1.3 above, use
- of the DNS in trademark-significant contexts tends to require
- worldwide "flattening" of the trademark system.
-
- Many of these issues are a consequence of another property of the
- DNS: names must be unique across the Internet. The need to have a
- system of unique identifiers is fairly obvious (see [RFC2826]).
- However, if that requirement were to be eliminated in a search or
- directory system that was visible to users instead of the DNS, many
- difficult problems -- of both an engineering and a policy nature --
- would be likely to vanish.
-
-3.2 Some Details and Comments
-
- Almost any internationalization proposal for names that are in, or
- map into, the DNS will require changing DNS resolver API calls
- ("gethostbyname" or equivalent), or adding some pre-resolution
- preparation mechanism, in almost all Internet applications -- whether
- to cause the API to take a different character set (no matter how it
- is then mapped into the bits used in the DNS or another system), to
- accept or return more arguments with qualifying or identifying
- information, or otherwise. Once applications must be opened to make
- such changes, it is a relatively small matter to switch from calling
- into the DNS to calling a directory service and then the DNS (in many
- situations, both actions could be accomplished in a single API call).
-
- A directory approach can be consistent both with "flat" models and
- multi-attribute ones. The DNS requires strict hierarchies, limiting
- its ability to differentiate among names by their properties. By
- contrast, modern directories can utilize independently-searched
- attributes and other structured schema to provide flexibilities not
- present in a strictly hierarchical system.
-
- There is a strong historical argument for a single directory
- structure (implying a need for mechanisms for registration,
- delegation, etc.). But a single structure is not a strict
- requirement, especially if in-depth case analysis and design work
- leads to the conclusion that reverse-mapping to directory names is
- not a requirement (see section 5). If a single structure is not
- needed, then, unlike the DNS, there would be no requirement for a
- global organization to authorize or delegate operation of portions of
- the structure.
-
-
-
-
-Klensin Informational [Page 14]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- The "no single structure" concept could be taken further by moving
- away from simple "names" in favor of, e.g., multiattribute,
- multihierarchical, faceted systems in which most of the facets use
- restricted vocabularies. (These terms are fairly standard in the
- information retrieval and classification system literature, see,
- e.g., [IS5127].) Such systems could be designed to avoid the need
- for procedures to ensure uniqueness across, or even within, providers
- and databases of the faceted entities for which the search is to be
- performed. (See [DNS-Search] for further discussion.)
-
- While the discussion above includes very general comments about
- attributes, it appears that only a very small number of attributes
- would be needed. The list would almost certainly include country and
- language for internationalization purposes. It might require
- "charset" if we cannot agree on a character set and encoding,
- although there are strong arguments for simply using ISO 10646 (also
- known as Unicode or "UCS" (for Universal Character Set) [UNICODE],
- [IS10646] coding in interchange. Trademark issues might motivate
- "commercial" and "non-commercial" (or other) attributes if they would
- be helpful in bypassing trademark problems. And applications to
- resource location, such as those contemplated for Uniform Resource
- Identifiers (URIs) [RFC2396, RFC3305] or the Service Location
- Protocol [RFC2608], might argue for a few other attributes (as
- outlined above).
-
-4. Internationalization
-
- Much of the thinking underlying this document was driven by
- considerations of internationalizing the DNS or, more specifically,
- providing access to the functions of the DNS from languages and
- naming systems that cannot be accurately expressed in the traditional
- DNS subset of ASCII. Much of the relevant work was done in the
- IETF's "Internationalized Domain Names" Working Group (IDN-WG),
- although this document also draws on extensive parallel discussions
- in other forums. This section contains an evaluation of what was
- learned as an "internationalized DNS" or "multilingual DNS" was
- explored and suggests future steps based on that evaluation.
-
- When the IDN-WG was initiated, it was obvious to several of the
- participants that its first important task was an undocumented one:
- to increase the understanding of the complexities of the problem
- sufficiently that naive solutions could be rejected and people could
- go to work on the harder problems. The IDN-WG clearly accomplished
- that task. The beliefs that the problems were simple, and in the
- corresponding simplistic approaches and their promises of quick and
- painless deployment, effectively disappeared as the WG's efforts
- matured.
-
-
-
-
-Klensin Informational [Page 15]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- Some of the lessons learned from increased understanding and the
- dissipation of naive beliefs should be taken as cautions by the wider
- community: the problems are not simple. Specifically, extracting
- small elements for solution rather than looking at whole systems, may
- result in obscuring the problems but not solving any problem that is
- worth the trouble.
-
-4.1 ASCII Isn't Just Because of English
-
- The hostname rules chosen in the mid-70s weren't just "ASCII because
- English uses ASCII", although that was a starting point. We have
- discovered that almost every other script (and even ASCII if we
- permit the rest of the characters specified in the ISO 646
- International Reference Version) is more complex than hostname-
- restricted-ASCII (the "LDH" form, see section 1.1). And ASCII isn't
- sufficient to completely represent English -- there are several words
- in the language that are correctly spelled only with characters or
- diacritical marks that do not appear in ASCII. With a broader
- selection of scripts, in some examples, case mapping works from one
- case to the other but is not reversible. In others, there are
- conventions about alternate ways to represent characters (in the
- language, not [only] in character coding) that work most of the time,
- but not always. And there are issues in coding, with Unicode/10646
- providing different ways to represent the same character
- ("character", rather than "glyph", is used deliberately here). And,
- in still others, there are questions as to whether two glyphs
- "match", which may be a distance-function question, not one with a
- binary answer. The IETF approach to these problems is to require
- pre-matching canonicalization (see the "stringprep" discussion
- below).
-
- The IETF has resisted the temptations to either try to specify an
- entirely new coded character set, or to pick and choose Unicode/10646
- characters on a per-character basis rather than by using well-defined
- blocks. While it may appear that a character set designed to meet
- Internet-specific needs would be very attractive, the IETF has never
- had the expertise, resources, and representation from critically-
- important communities to actually take on that job. Perhaps more
- important, a new effort might have chosen to make some of the many
- complex tradeoffs differently than the Unicode committee did,
- producing a code with somewhat different characteristics. But there
- is no evidence that doing so would produce a code with fewer problems
- and side-effects. It is much more likely that making tradeoffs
- differently would simply result in a different set of problems, which
- would be equally or more difficult.
-
-
-
-
-
-
-Klensin Informational [Page 16]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
-4.2 The "ASCII Encoding" Approaches
-
- While the DNS can handle arbitrary binary strings without known
- internal problems (see [RFC2181]), some restrictions are imposed by
- the requirement that text be interpreted in a case-independent way
- ([RFC1034], [RFC1035]). More important, most internet applications
- assume the hostname-restricted "LDH" syntax that is specified in the
- host table RFCs and as "prudent" in RFC 1035. If those assumptions
- are not met, many conforming implementations of those applications
- may exhibit behavior that would surprise implementors and users. To
- avoid these potential problems, IETF internationalization work has
- focused on "ASCII-Compatible Encodings" (ACE). These encodings
- preserve the LDH conventions in the DNS itself. Implementations of
- applications that have not been upgraded utilize the encoded forms,
- while newer ones can be written to recognize the special codings and
- map them into non-ASCII characters. These approaches are, however,
- not problem-free even if human interface issues are ignored. Among
- other issues, they rely on what is ultimately a heuristic to
- determine whether a DNS label is to be considered as an
- internationalized name (i.e., encoded Unicode) or interpreted as an
- actual LDH name in its own right. And, while all determinations of
- whether a particular query matches a stored object are traditionally
- made by DNS servers, the ACE systems, when combined with the
- complexities of international scripts and names, require that much of
- the matching work be separated into a separate, client-side,
- canonicalization or "preparation" process before the DNS matching
- mechanisms are invoked [STRINGPREP].
-
-4.3 "Stringprep" and Its Complexities
-
- As outlined above, the model for avoiding problems associated with
- putting non-ASCII names in the DNS and elsewhere evolved into the
- principle that strings are to be placed into the DNS only after being
- passed through a string preparation function that eliminates or
- rejects spurious character codes, maps some characters onto others,
- performs some sequence canonicalization, and generally creates forms
- that can be accurately compared. The impact of this process on
- hostname-restricted ASCII (i.e., "LDH") strings is trivial and
- essentially adds only overhead. For other scripts, the impact is, of
- necessity, quite significant.
-
- Although the general notion underlying stringprep is simple, the many
- details are quite subtle and the associated tradeoffs are complex. A
- design team worked on it for months, with considerable effort placed
- into clarifying and fine-tuning the protocol and tables. Despite
- general agreement that the IETF would avoid getting into the business
- of defining character sets, character codings, and the associated
- conventions, the group several times considered and rejected special
-
-
-
-Klensin Informational [Page 17]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- treatment of code positions to more nearly match the distinctions
- made by Unicode with user perceptions about similarities and
- differences between characters. But there were intense temptations
- (and pressures) to incorporate language-specific or country-specific
- rules. Those temptations, even when resisted, were indicative of
- parts of the ongoing controversy or of the basic unsuitability of the
- DNS for fully internationalized names that are visible,
- comprehensible, and predictable for end users.
-
- There have also been controversies about how far one should go in
- these processes of preparation and transformation and, ultimately,
- about the validity of various analogies. For example, each of the
- following operations has been claimed to be similar to case-mapping
- in ASCII:
-
- o stripping of vowels in Arabic or Hebrew
-
- o matching of "look-alike" characters such as upper-case Alpha in
- Greek and upper-case A in Roman-based alphabets
-
- o matching of Traditional and Simplified Chinese characters that
- represent the same words,
-
- o matching of Serbo-Croatian words whether written in Roman-derived
- or Cyrillic characters
-
- A decision to support any of these operations would have implications
- for other scripts or languages and would increase the overall
- complexity of the process. For example, unless language-specific
- information is somehow available, performing matching between
- Traditional and Simplified Chinese has impacts on Japanese and Korean
- uses of the same "traditional" characters (e.g., it would not be
- appropriate to map Kanji into Simplified Chinese).
-
- Even were the IDN-WG's other work to have been abandoned completely
- or if it were to fail in the marketplace, the stringprep and nameprep
- work will continue to be extremely useful, both in identifying issues
- and problem code points and in providing a reasonable set of basic
- rules. Where problems remain, they are arguably not with nameprep,
- but with the DNS-imposed requirement that its results, as with all
- other parts of the matching and comparison process, yield a binary
- "match or no match" answer, rather than, e.g., a value on a
- similarity scale that can be evaluated by the user or by user-driven
- heuristic functions.
-
-
-
-
-
-
-
-Klensin Informational [Page 18]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
-4.4 The Unicode Stability Problem
-
- ISO 10646 basically defines only code points, and not rules for using
- or comparing the characters. This is part of a long-standing
- tradition with the work of what is now ISO/IEC JTC1/SC2: they have
- performed code point assignments and have typically treated the ways
- in which characters are used as beyond their scope. Consequently,
- they have not dealt effectively with the broader range of
- internationalization issues. By contrast, the Unicode Technical
- Committee (UTC) has defined, in annexes and technical reports (see,
- e.g., [UTR15]), some additional rules for canonicalization and
- comparison. Many of those rules and conventions have been factored
- into the "stringprep" and "nameprep" work, but it is not
- straightforward to make or define them in a fashion that is
- sufficiently precise and permanent to be relied on by the DNS.
-
- Perhaps more important, the discussions leading to nameprep also
- identified several areas in which the UTC definitions are inadequate,
- at least without additional information, to make matching precise and
- unambiguous. In some of these cases, the Unicode Standard permits
- several alternate approaches, none of which are an exact and obvious
- match to DNS needs. That has left these sensitive choices up to
- IETF, which lacks sufficient in-depth expertise, much less any
- mechanism for deciding to optimize one language at the expense of
- another.
-
- For example, it is tempting to define some rules on the basis of
- membership in particular scripts, or for punctuation characters, but
- there is no precise definition of what characters belong to which
- script or which ones are, or are not, punctuation. The existence of
- these areas of vagueness raises two issues: whether trying to do
- precise matching at the character set level is actually possible
- (addressed below) and whether driving toward more precision could
- create issues that cause instability in the implementation and
- resolution models for the DNS.
-
- The Unicode definition also evolves. Version 3.2 appeared shortly
- after work on this document was initiated. It added some characters
- and functionality and included a few minor incompatible code point
- changes. IETF has secured an agreement about constraints on future
- changes, but it remains to be seen how that agreement will work out
- in practice. The prognosis actually appears poor at this stage,
- since UTC chose to ballot a recent possible change which should have
- been prohibited by the agreement (the outcome of the ballot is not
- relevant, only that the ballot was issued rather than having the
- result be a foregone conclusion). However, some members of the
- community consider some of the changes between Unicode 3.0 and 3.1
- and between 3.1 and 3.2, as well as this recent ballot, to be
-
-
-
-Klensin Informational [Page 19]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- evidence of instability and that these instabilities are better
- handled in a system that can be more flexible about handling of
- characters, scripts, and ancillary information than the DNS.
-
- In addition, because the systems implications of internationalization
- are considered out of scope in SC2, ISO/IEC JTC1 has assigned some of
- those issues to its SC22/WG20 (the Internationalization working group
- within the subcommittee that deals with programming languages,
- systems, and environments). WG20 has historically dealt with
- internationalization issues thoughtfully and in depth, but its status
- has several times been in doubt in recent years. However, assignment
- of these matters to WG20 increases the risk of eventual ISO
- internationalization standards that specify different behavior than
- the UTC specifications.
-
-4.5 Audiences, End Users, and the User Interface Problem
-
- Part of what has "caused" the DNS internationalization problem, as
- well as the DNS trademark problem and several others, is that we have
- stopped thinking about "identifiers for objects" -- which normal
- people are not expected to see -- and started thinking about "names"
- -- strings that are expected not only to be readable, but to have
- linguistically-sensible and culturally-dependent meaning to non-
- specialist users.
-
- Within the IETF, the IDN-WG, and sometimes other groups, avoided
- addressing the implications of that transition by taking "outside our
- scope -- someone else's problem" approaches or by suggesting that
- people will just become accustomed to whatever conventions are
- adopted. The realities of user and vendor behavior suggest that
- these approaches will not serve the Internet community well in the
- long term:
-
- o If we want to make it a problem in a different part of the user
- interface structure, we need to figure out where it goes in order
- to have proof of concept of our solution. Unlike vendors whose
- sole [business] model is the selling or registering of names, the
- IETF must produce solutions that actually work, in the
- applications context as seen by the end user.
-
- o The principle that "they will get used to our conventions and
- adapt" is fine if we are writing rules for programming languages
- or an API. But the conventions under discussion are not part of a
- semi-mathematical system, they are deeply ingrained in culture.
- No matter how often an English-speaking American is told that the
- Internet requires that the correct spelling of "colour" be used,
- he or she isn't going to be convinced. Getting a French-speaker in
- Lyon to use exactly the same lexical conventions as a French-
-
-
-
-Klensin Informational [Page 20]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- speaker in Quebec in order to accommodate the decisions of the
- IETF or of a registrar or registry is just not likely. "Montreal"
- is either a misspelling or an anglicization of a similar word with
- an acute accent mark over the "e" (i.e., using the Unicode
- character U+00E9 or one of its equivalents). But global agreement
- on a rule that will determine whether the two forms should match
- -- and that won't astonish end users and speakers of one language
- or the other -- is as unlikely as agreement on whether
- "misspelling" or "anglicization" is the greater travesty.
-
- More generally, it is not clear that the outcome of any conceivable
- nameprep-like process is going to be good enough for practical,
- user-level, use. In the use of human languages by humans, there are
- many cases in which things that do not match are nonetheless
- interpreted as matching. The Norwegian/Danish character that appears
- in U+00F8 (visually, a lower case 'o' overstruck with a forward
- slash) and the "o-umlaut" German character that appears in U+00F6
- (visually, a lower case 'o' with diaeresis (or umlaut)) are clearly
- different and no matching program should yield an "equal" comparison.
- But they are more similar to each other than either of them is to,
- e.g., "e". Humans are able to mentally make the correction in
- context, and do so easily, and they can be surprised if computers
- cannot do so. Worse, there is a Swedish character whose appearance
- is identical to the German o-umlaut, and which shares code point
- U+00F6, but that, if the languages are known and the sounds of the
- letters or meanings of words including the character are considered,
- actually should match the Norwegian/Danish use of U+00F8.
-
- This text uses examples in Roman scripts because it is being written
- in English and those examples are relatively easy to render. But one
- of the important lessons of the discussions about domain name
- internationalization in recent years is that problems similar to
- those described above exist in almost every language and script.
- Each one has its idiosyncrasies, and each set of idiosyncracies is
- tied to common usage and cultural issues that are very familiar in
- the relevant group, and often deeply held as cultural values. As
- long as a schoolchild in the US can get a bad grade on a spelling
- test for using a perfectly valid British spelling, or one in France
- or Germany can get a poor grade for leaving off a diacritical mark,
- there are issues with the relevant language. Similarly, if children
- in Egypt or Israel are taught that it is acceptable to write a word
- with or without vowels or stress marks, but that, if those marks are
- included, they must be the correct ones, or a user in Korea is
- potentially offended or astonished by out-of-order sequences of Jamo,
- systems based on character-at-a-time processing and simplistic
- matching, with no contextual information, are not going to satisfy
- user needs.
-
-
-
-
-Klensin Informational [Page 21]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- Users are demanding solutions that deal with language and culture.
- Systems of identifier symbol-strings that serve specialists or
- computers are, at best, a solution to a rather different (and, at the
- time this document was written, somewhat ill-defined), problem. The
- recent efforts have made it ever more clear that, if we ignore the
- distinction between the user requirements and narrowly-defined
- identifiers, we are solving an insufficient problem. And,
- conversely, the approaches that have been proposed to approximate
- solutions to the user requirement may be far more complex than simple
- identifiers require.
-
-4.6 Business Cards and Other Natural Uses of Natural Languages
-
- Over the last few centuries, local conventions have been established
- in various parts of the world for dealing with multilingual
- situations. It may be helpful to examine some of these. For
- example, if one visits a country where the language is different from
- ones own, business cards are often printed on two sides, one side in
- each language. The conventions are not completely consistent and the
- technique assumes that recipients will be tolerant. Translations of
- names or places are attempted in some situations and transliterations
- in others. Since it is widely understood that exact translations or
- transliterations are often not possible, people typically smile at
- errors, appreciate the effort, and move on.
-
- The DNS situation differs from these practices in at least two ways.
- Since a global solution is required, the business card would need a
- number of sides approximating the number of languages in the world,
- which is probably impossible without violating laws of physics. More
- important, the opportunities for tolerance don't exist: the DNS
- requires a exact match or the lookup fails.
-
-4.7 ASCII Encodings and the Roman Keyboard Assumption
-
- Part of the argument for ACE-based solutions is that they provide an
- escape for multilingual environments when applications have not been
- upgraded. When an older application encounters an ACE-based name,
- the assumption is that the (admittedly ugly) ASCII-coded string will
- be displayed and can be typed in. This argument is reasonable from
- the standpoint of mixtures of Roman-based alphabets, but may not be
- relevant if user-level systems and devices are involved that do not
- support the entry of Roman-based characters or which cannot
- conveniently render such characters. Such systems are few in the
- world today, but the number can reasonably be expected to rise as the
- Internet is increasingly used by populations whose primary concern is
- with local issues, local information, and local languages. It is,
-
-
-
-
-
-Klensin Informational [Page 22]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- for example, fairly easy to imagine populations who use Arabic or
- Thai scripts and who do not have routine access to scripts or input
- devices based on Roman-derived alphabets.
-
-4.8 Intra-DNS Approaches for "Multilingual Names"
-
- It appears, from the cases above and others, that none of the intra-
- DNS-based solutions for "multilingual names" are workable. They rest
- on too many assumptions that do not appear to be feasible -- that
- people will adapt deeply-entrenched language habits to conventions
- laid down to make the lives of computers easy; that we can make
- "freeze it now, no need for changes in these areas" decisions about
- Unicode and nameprep; that ACE will smooth over applications
- problems, even in environments without the ability to key or render
- Roman-based glyphs (or where user experience is such that such glyphs
- cannot easily be distinguished from each other); that the Unicode
- Consortium will never decide to repair an error in a way that creates
- a risk of DNS incompatibility; that we can either deploy EDNS
- [RFC2671] or that long names are not really important; that Japanese
- and Chinese computer users (and others) will either give up their
- local or IS 2022-based character coding solutions (for which addition
- of a large fraction of a million new code points to Unicode is almost
- certainly a necessary, but probably not sufficient, condition) or
- build leakproof and completely accurate boundary conversion
- mechanisms; that out of band or contextual information will always be
- sufficient for the "map glyph onto script" problem; and so on. In
- each case, it is likely that about 80% or 90% of cases will work
- satisfactorily, but it is unlikely that such partial solutions will
- be good enough. For example, suppose someone can spell her name 90%
- correctly, or a company name is matched correctly 80% of the time but
- the other 20% of attempts identify a competitor: are either likely to
- be considered adequate?
-
-5. Search-based Systems: The Key Controversies
-
- For many years, a common response to requirements to locate people or
- resources on the Internet has been to invoke the term "directory".
- While an in-depth analysis of the reasons would require a separate
- document, the history of failure of these invocations has given
- "directory" efforts a bad reputation. The effort proposed here is
- different from those predecessors for several reasons, perhaps the
- most important of which is that it focuses on a fairly-well-
- understood set of problems and needs, rather than on finding uses for
- a particular technology.
-
- As suggested in some of the text above, it is an open question as to
- whether the needs of the community would be best served by a single
- (even if functionally, and perhaps administratively, distributed)
-
-
-
-Klensin Informational [Page 23]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- directory with universal applicability, a single directory that
- supports locally-tailored search (and, most important, matching)
- functions, or multiple, locally-determined, directories. Each has
- its attractions. Any but the first would essentially prevent
- reverse-mapping (determination of the user-visible name of the host
- or resource from target information such as an address or DNS name).
- But reverse mapping has become less useful over the years --at least
- to users -- as more and more names have been associated with many
- host addresses and as CIDR [CIDR] has proven problematic for mapping
- smaller address blocks to meaningful names.
-
- Locally-tailored searches and mappings would permit national
- variations on interpretation of which strings matched which other
- ones, an arrangement that is especially important when different
- localities apply different rules to, e.g., matching of characters
- with and without diacriticals. But, of course, this implies that a
- URL may evaluate properly or not depending on either settings on a
- client machine or the network connectivity of the user. That is not,
- in general, a desirable situation, since it implies that users could
- not, in the general case, share URLs (or other host references) and
- that a particular user might not be able to carry references from one
- host or location to another.
-
- And, of course, completely separate directories would permit
- translation and transliteration functions to be embedded in the
- directory, giving much of the Internet a different appearance
- depending on which directory was chosen. The attractions of this are
- obvious, but, unless things were very carefully designed to preserve
- uniqueness and precise identities at the right points (which may or
- may not be possible), such a system would have many of the
- difficulties associated with multiple DNS roots.
-
- Finally, a system of separate directories and databases, if coupled
- with removal of the DNS-imposed requirement for unique names, would
- largely eliminate the need for a single worldwide authority to manage
- the top of the naming hierarchy.
-
-6. Security Considerations
-
- The set of proposals implied by this document suggests an interesting
- set of security issues (i.e., nothing important is ever easy). A
- directory system used for locating network resources would presumably
- need to be as carefully protected against unauthorized changes as the
- DNS itself. There also might be new opportunities for problems in an
- arrangement involving two or more (sub)layers, especially if such a
- system were designed without central authority or uniqueness of
- names. It is uncertain how much greater those risks would be as
- compared to a DNS lookup sequence that involved looking up one name,
-
-
-
-Klensin Informational [Page 24]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- getting back information, and then doing additional lookups
- potentially in different subtrees. That multistage lookup will often
- be the case with, e.g., NAPTR records [RFC 2915] unless additional
- restrictions are imposed. But additional steps, systems, and
- databases almost certainly involve some additional risks of
- compromise.
-
-7. References
-
-7.1 Normative References
-
- None
-
-7.2 Explanatory and Informative References
-
- [Albitz] Any of the editions of Albitz, P. and C. Liu, DNS and
- BIND, O'Reilly and Associates, 1992, 1997, 1998, 2001.
-
- [ASCII] American National Standards Institute (formerly United
- States of America Standards Institute), X3.4, 1968,
- "USA Code for Information Interchange". ANSI X3.4-1968
- has been replaced by newer versions with slight
- modifications, but the 1968 version remains definitive
- for the Internet. Some time after ASCII was first
- formulated as a standard, ISO adopted international
- standard 646, which uses ASCII as a base. IS 646
- actually contained two code tables: an "International
- Reference Version" (often referenced as ISO 646-IRV)
- which was essentially identical to the ASCII of the
- time, and a "Basic Version" (ISO 646-BV), which
- designates a number of character positions for
- national use.
-
- [CIDR] Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless
- Inter-Domain Routing (CIDR): an Address Assignment and
- Aggregation Strategy", RFC 1519, September 1993.
-
- Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
- ADDR.ARPA delegation", RFC 2317, March 1998.
-
- [COM-SIZE] Size information supplied by Verisign Global Registry
- Services (the zone administrator, or "registry
- operator", for COM, see [REGISTRAR], below) to ICANN,
- third quarter 2002.
-
- [DNS-Search] Klensin, J., "A Search-based access model for the
- DNS", Work in Progress.
-
-
-
-
-Klensin Informational [Page 25]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- [FINGER] Zimmerman, D., "The Finger User Information Protocol",
- RFC 1288, December 1991.
-
- Harrenstien, K., "NAME/FINGER Protocol", RFC 742,
- December 1977.
-
- [IAB-OPES] Floyd, S. and L. Daigle, "IAB Architectural and Policy
- Considerations for Open Pluggable Edge Services", RFC
- 3238, January 2002.
-
- [IQUERY] Lawrence, D., "Obsoleting IQUERY", RFC 3425, November
- 2002.
-
- [IS646] ISO/IEC 646:1991 Information technology -- ISO 7-bit
- coded character set for information interchange
-
- [IS10646] ISO/IEC 10646-1:2000 Information technology --
- Universal Multiple-Octet Coded Character Set (UCS) --
- Part 1: Architecture and Basic Multilingual Plane and
- ISO/IEC 10646-2:2001 Information technology --
- Universal Multiple-Octet Coded Character Set (UCS) --
- Part 2: Supplementary Planes
-
- [MINC] The Multilingual Internet Names Consortium,
- http://www.minc.org/ has been an early advocate for
- the importance of expansion of DNS names to
- accommodate non-ASCII characters. Some of their
- specific proposals, while helping people to understand
- the problems better, were not compatible with the
- design of the DNS.
-
- [NAPTR] Mealling, M. and R. Daniel, "The Naming Authority
- Pointer (NAPTR) DNS Resource Record", RFC 2915,
- September 2000.
-
- Mealling, M., "Dynamic Delegation Discovery System
- (DDDS) Part One: The Comprehensive DDDS", RFC 3401,
- October 2002.
-
- Mealling, M., "Dynamic Delegation Discovery System
- (DDDS) Part Two: The Algorithm", RFC 3402, October
- 2002.
-
- Mealling, M., "Dynamic Delegation Discovery System
- (DDDS) Part Three: The Domain Name System (DNS)
- Database", RFC 3403, October 2002.
-
-
-
-
-
-Klensin Informational [Page 26]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- [REGISTRAR] In an early stage of the process that created the
- Internet Corporation for Assigned Names and Numbers
- (ICANN), a "Green Paper" was released by the US
- Government. That paper introduced new terminology
- and some concepts not needed by traditional DNS
- operations. The term "registry" was applied to the
- actual operator and database holder of a domain
- (typically at the top level, since the Green Paper was
- little concerned with anything else), while
- organizations that marketed names and made them
- available to "registrants" were known as "registrars".
- In the classic DNS model, the function of "zone
- administrator" encompassed both registry and registrar
- roles, although that model did not anticipate a
- commercial market in names.
-
- [RFC625] Kudlick, M. and E. Feinler, "On-line hostnames
- service", RFC 625, March 1974.
-
- [RFC734] Crispin, M., "SUPDUP Protocol", RFC 734, October 1977.
-
- [RFC811] Harrenstien, K., White, V. and E. Feinler, "Hostnames
- Server", RFC 811, March 1982.
-
- [RFC819] Su, Z. and J. Postel, "Domain naming convention for
- Internet user applications", RFC 819, August 1982.
-
- [RFC830] Su, Z., "Distributed system for Internet name
- service", RFC 830, October 1982.
-
- [RFC882] Mockapetris, P., "Domain names: Concepts and
- facilities", RFC 882, November 1983.
-
- [RFC883] Mockapetris, P., "Domain names: Implementation
- specification", RFC 883, November 1983.
-
- [RFC952] Harrenstien, K, Stahl, M. and E. Feinler, "DoD
- Internet host table specification", RFC 952, October
- 1985.
-
- [RFC953] Harrenstien, K., Stahl, M. and E. Feinler, "HOSTNAME
- SERVER", RFC 953, October 1985.
-
- [RFC1034] Mockapetris, P., "Domain names, Concepts and
- facilities", STD 13, RFC 1034, November 1987.
-
-
-
-
-
-
-Klensin Informational [Page 27]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC1591] Postel, J., "Domain Name System Structure and
- Delegation", RFC 1591, March 1994.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2295] Holtman, K. and A. Mutz, "Transparent Content
- Negotiation in HTTP", RFC 2295, March 1998
-
- [RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter,
- "Uniform Resource Identifiers (URI): Generic Syntax",
- RFC 2396, August 1998.
-
- [RFC2608] Guttman, E., Perkins, C., Veizades, J. and M. Day,
- "Service Location Protocol, Version 2", RFC 2608, June
- 1999.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC2825] IAB, Daigle, L., Ed., "A Tangled Web: Issues of I18N,
- Domain Names, and the Other Internet protocols", RFC
- 2825, May 2000.
-
- [RFC2826] IAB, "IAB Technical Comment on the Unique DNS Root",
- RFC 2826, May 2000.
-
- [RFC2972] Popp, N., Mealling, M., Masinter, L. and K. Sollins,
- "Context and Goals for Common Name Resolution", RFC
- 2972, October 2000.
-
- [RFC3305] Mealling, M. and R. Denenberg, Eds., "Report from the
- Joint W3C/IETF URI Planning Interest Group: Uniform
- Resource Identifiers (URIs), URLs, and Uniform
- Resource Names (URNs): Clarifications and
- Recommendations", RFC 3305, August 2002.
-
- [RFC3439] Bush, R. and D. Meyer, "Some Internet Architectural
- Guidelines and Philosophy", RFC 3439, December 2002.
-
- [Seng] Seng, J., et al., Eds., "Internationalized Domain
- Names: Registration and Administration Guideline for
- Chinese, Japanese, and Korean", Work in Progress.
-
-
-
-
-
-Klensin Informational [Page 28]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings (stringprep)", RFC 3454,
- December 2002.
-
- The particular profile used for placing
- internationalized strings in the DNS is called
- "nameprep", described in Hoffman, P. and M. Blanchet,
- "Nameprep: A Stringprep Profile for Internationalized
- Domain Names", Work in Progress.
-
- [TELNET] Postel, J. and J. Reynolds, "Telnet Protocol
- Specification", STD 8, RFC 854, May 1983.
-
- Postel, J. and J. Reynolds, "Telnet Option
- Specifications", STD 8, RFC 855, May 1983.
-
- [UNICODE] The Unicode Consortium, The Unicode Standard, Version
- 3.0, Addison-Wesley: Reading, MA, 2000. Update to
- version 3.1, 2001. Update to version 3.2, 2002.
-
- [UTR15] Davis, M. and M. Duerst, "Unicode Standard Annex #15:
- Unicode Normalization Forms", Unicode Consortium,
- March 2002. An integral part of The Unicode Standard,
- Version 3.1.1. Available at
- (http://www.unicode.org/reports/tr15/tr15-21.html).
-
- [WHOIS] Harrenstien, K, Stahl, M. and E. Feinler,
- "NICNAME/WHOIS", RFC 954, October 1985.
-
- [WHOIS-UPDATE] Gargano, J. and K. Weiss, "Whois and Network
- Information Lookup Service, Whois++", RFC 1834, August
- 1995.
-
- Weider, C., Fullton, J. and S. Spero, "Architecture of
- the Whois++ Index Service", RFC 1913, February 1996.
-
- Williamson, S., Kosters, M., Blacka, D., Singh, J. and
- K. Zeilstra, "Referral Whois (RWhois) Protocol V1.5",
- RFC 2167, June 1997;
-
- Daigle, L. and P. Faltstrom, "The
- application/whoispp-query Content-Type", RFC 2957,
- October 2000.
-
- Daigle, L. and P. Falstrom, "The application/whoispp-
- response Content-type", RFC 2958, October 2000.
-
-
-
-
-
-Klensin Informational [Page 29]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
- [X29] International Telecommuncations Union, "Recommendation
- X.29: Procedures for the exchange of control
- information and user data between a Packet
- Assembly/Disassembly (PAD) facility and a packet mode
- DTE or another PAD", December 1997.
-
-8. Acknowledgements
-
- Many people have contributed to versions of this document or the
- thinking that went into it. The author would particularly like to
- thank Harald Alvestrand, Rob Austein, Bob Braden, Vinton Cerf, Matt
- Crawford, Leslie Daigle, Patrik Faltstrom, Eric A. Hall, Ted Hardie,
- Paul Hoffman, Erik Nordmark, and Zita Wenzel for making specific
- suggestions and/or challenging the assumptions and presentation of
- earlier versions and suggesting ways to improve them.
-
-9. Author's Address
-
- John C. Klensin
- 1770 Massachusetts Ave, #322
- Cambridge, MA 02140
-
- EMail: klensin+srch@jck.com
-
- A mailing list has been initiated for discussion of the topics
- discussed in this document, and closely-related issues, at
- ietf-irnss@lists.elistx.com. See http://lists.elistx.com/archives/
- for subscription and archival information.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Klensin Informational [Page 30]
-
-RFC 3467 Role of the Domain Name System (DNS) February 2003
-
-
-10. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Klensin Informational [Page 31]
-
diff --git a/contrib/bind9/doc/rfc/rfc3490.txt b/contrib/bind9/doc/rfc/rfc3490.txt
deleted file mode 100644
index d2e0b3b75a14..000000000000
--- a/contrib/bind9/doc/rfc/rfc3490.txt
+++ /dev/null
@@ -1,1235 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Faltstrom
-Request for Comments: 3490 Cisco
-Category: Standards Track P. Hoffman
- IMC & VPNC
- A. Costello
- UC Berkeley
- March 2003
-
-
- Internationalizing Domain Names in Applications (IDNA)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- Until now, there has been no standard method for domain names to use
- characters outside the ASCII repertoire. This document defines
- internationalized domain names (IDNs) and a mechanism called
- Internationalizing Domain Names in Applications (IDNA) for handling
- them in a standard fashion. IDNs use characters drawn from a large
- repertoire (Unicode), but IDNA allows the non-ASCII characters to be
- represented using only the ASCII characters already allowed in so-
- called host names today. This backward-compatible representation is
- required in existing protocols like DNS, so that IDNs can be
- introduced with no changes to the existing infrastructure. IDNA is
- only meant for processing domain names, not free text.
-
-Table of Contents
-
- 1. Introduction.................................................. 2
- 1.1 Problem Statement......................................... 3
- 1.2 Limitations of IDNA....................................... 3
- 1.3 Brief overview for application developers................. 4
- 2. Terminology................................................... 5
- 3. Requirements and applicability................................ 7
- 3.1 Requirements.............................................. 7
- 3.2 Applicability............................................. 8
- 3.2.1. DNS resource records................................ 8
-
-
-
-Faltstrom, et al. Standards Track [Page 1]
-
-RFC 3490 IDNA March 2003
-
-
- 3.2.2. Non-domain-name data types stored in domain names... 9
- 4. Conversion operations......................................... 9
- 4.1 ToASCII................................................... 10
- 4.2 ToUnicode................................................. 11
- 5. ACE prefix.................................................... 12
- 6. Implications for typical applications using DNS............... 13
- 6.1 Entry and display in applications......................... 14
- 6.2 Applications and resolver libraries....................... 15
- 6.3 DNS servers............................................... 15
- 6.4 Avoiding exposing users to the raw ACE encoding........... 16
- 6.5 DNSSEC authentication of IDN domain names................ 16
- 7. Name server considerations.................................... 17
- 8. Root server considerations.................................... 17
- 9. References.................................................... 18
- 9.1 Normative References...................................... 18
- 9.2 Informative References.................................... 18
- 10. Security Considerations...................................... 19
- 11. IANA Considerations.......................................... 20
- 12. Authors' Addresses........................................... 21
- 13. Full Copyright Statement..................................... 22
-
-1. Introduction
-
- IDNA works by allowing applications to use certain ASCII name labels
- (beginning with a special prefix) to represent non-ASCII name labels.
- Lower-layer protocols need not be aware of this; therefore IDNA does
- not depend on changes to any infrastructure. In particular, IDNA
- does not depend on any changes to DNS servers, resolvers, or protocol
- elements, because the ASCII name service provided by the existing DNS
- is entirely sufficient for IDNA.
-
- This document does not require any applications to conform to IDNA,
- but applications can elect to use IDNA in order to support IDN while
- maintaining interoperability with existing infrastructure. If an
- application wants to use non-ASCII characters in domain names, IDNA
- is the only currently-defined option. Adding IDNA support to an
- existing application entails changes to the application only, and
- leaves room for flexibility in the user interface.
-
- A great deal of the discussion of IDN solutions has focused on
- transition issues and how IDN will work in a world where not all of
- the components have been updated. Proposals that were not chosen by
- the IDN Working Group would depend on user applications, resolvers,
- and DNS servers being updated in order for a user to use an
- internationalized domain name. Rather than rely on widespread
- updating of all components, IDNA depends on updates to user
- applications only; no changes are needed to the DNS protocol or any
- DNS servers or the resolvers on user's computers.
-
-
-
-Faltstrom, et al. Standards Track [Page 2]
-
-RFC 3490 IDNA March 2003
-
-
-1.1 Problem Statement
-
- The IDNA specification solves the problem of extending the repertoire
- of characters that can be used in domain names to include the Unicode
- repertoire (with some restrictions).
-
- IDNA does not extend the service offered by DNS to the applications.
- Instead, the applications (and, by implication, the users) continue
- to see an exact-match lookup service. Either there is a single
- exactly-matching name or there is no match. This model has served
- the existing applications well, but it requires, with or without
- internationalized domain names, that users know the exact spelling of
- the domain names that the users type into applications such as web
- browsers and mail user agents. The introduction of the larger
- repertoire of characters potentially makes the set of misspellings
- larger, especially given that in some cases the same appearance, for
- example on a business card, might visually match several Unicode code
- points or several sequences of code points.
-
- IDNA allows the graceful introduction of IDNs not only by avoiding
- upgrades to existing infrastructure (such as DNS servers and mail
- transport agents), but also by allowing some rudimentary use of IDNs
- in applications by using the ASCII representation of the non-ASCII
- name labels. While such names are very user-unfriendly to read and
- type, and hence are not suitable for user input, they allow (for
- instance) replying to email and clicking on URLs even though the
- domain name displayed is incomprehensible to the user. In order to
- allow user-friendly input and output of the IDNs, the applications
- need to be modified to conform to this specification.
-
- IDNA uses the Unicode character repertoire, which avoids the
- significant delays that would be inherent in waiting for a different
- and specific character set be defined for IDN purposes by some other
- standards developing organization.
-
-1.2 Limitations of IDNA
-
- The IDNA protocol does not solve all linguistic issues with users
- inputting names in different scripts. Many important language-based
- and script-based mappings are not covered in IDNA and need to be
- handled outside the protocol. For example, names that are entered in
- a mix of traditional and simplified Chinese characters will not be
- mapped to a single canonical name. Another example is Scandinavian
- names that are entered with U+00F6 (LATIN SMALL LETTER O WITH
- DIAERESIS) will not be mapped to U+00F8 (LATIN SMALL LETTER O WITH
- STROKE).
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 3]
-
-RFC 3490 IDNA March 2003
-
-
- An example of an important issue that is not considered in detail in
- IDNA is how to provide a high probability that a user who is entering
- a domain name based on visual information (such as from a business
- card or billboard) or aural information (such as from a telephone or
- radio) would correctly enter the IDN. Similar issues exist for ASCII
- domain names, for example the possible visual confusion between the
- letter 'O' and the digit zero, but the introduction of the larger
- repertoire of characters creates more opportunities of similar
- looking and similar sounding names. Note that this is a complex
- issue relating to languages, input methods on computers, and so on.
- Furthermore, the kind of matching and searching necessary for a high
- probability of success would not fit the role of the DNS and its
- exact matching function.
-
-1.3 Brief overview for application developers
-
- Applications can use IDNA to support internationalized domain names
- anywhere that ASCII domain names are already supported, including DNS
- master files and resolver interfaces. (Applications can also define
- protocols and interfaces that support IDNs directly using non-ASCII
- representations. IDNA does not prescribe any particular
- representation for new protocols, but it still defines which names
- are valid and how they are compared.)
-
- The IDNA protocol is contained completely within applications. It is
- not a client-server or peer-to-peer protocol: everything is done
- inside the application itself. When used with a DNS resolver
- library, IDNA is inserted as a "shim" between the application and the
- resolver library. When used for writing names into a DNS zone, IDNA
- is used just before the name is committed to the zone.
-
- There are two operations described in section 4 of this document:
-
- - The ToASCII operation is used before sending an IDN to something
- that expects ASCII names (such as a resolver) or writing an IDN
- into a place that expects ASCII names (such as a DNS master file).
-
- - The ToUnicode operation is used when displaying names to users,
- for example names obtained from a DNS zone.
-
- It is important to note that the ToASCII operation can fail. If it
- fails when processing a domain name, that domain name cannot be used
- as an internationalized domain name and the application has to have
- some method of dealing with this failure.
-
- IDNA requires that implementations process input strings with
- Nameprep [NAMEPREP], which is a profile of Stringprep [STRINGPREP],
- and then with Punycode [PUNYCODE]. Implementations of IDNA MUST
-
-
-
-Faltstrom, et al. Standards Track [Page 4]
-
-RFC 3490 IDNA March 2003
-
-
- fully implement Nameprep and Punycode; neither Nameprep nor Punycode
- are optional.
-
-2. Terminology
-
- The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
- and "MAY" in this document are to be interpreted as described in BCP
- 14, RFC 2119 [RFC2119].
-
- A code point is an integer value associated with a character in a
- coded character set.
-
- Unicode [UNICODE] is a coded character set containing tens of
- thousands of characters. A single Unicode code point is denoted by
- "U+" followed by four to six hexadecimal digits, while a range of
- Unicode code points is denoted by two hexadecimal numbers separated
- by "..", with no prefixes.
-
- ASCII means US-ASCII [USASCII], a coded character set containing 128
- characters associated with code points in the range 0..7F. Unicode
- is an extension of ASCII: it includes all the ASCII characters and
- associates them with the same code points.
-
- The term "LDH code points" is defined in this document to mean the
- code points associated with ASCII letters, digits, and the hyphen-
- minus; that is, U+002D, 30..39, 41..5A, and 61..7A. "LDH" is an
- abbreviation for "letters, digits, hyphen".
-
- [STD13] talks about "domain names" and "host names", but many people
- use the terms interchangeably. Further, because [STD13] was not
- terribly clear, many people who are sure they know the exact
- definitions of each of these terms disagree on the definitions. In
- this document the term "domain name" is used in general. This
- document explicitly cites [STD3] whenever referring to the host name
- syntax restrictions defined therein.
-
- A label is an individual part of a domain name. Labels are usually
- shown separated by dots; for example, the domain name
- "www.example.com" is composed of three labels: "www", "example", and
- "com". (The zero-length root label described in [STD13], which can
- be explicit as in "www.example.com." or implicit as in
- "www.example.com", is not considered a label in this specification.)
- IDNA extends the set of usable characters in labels that are text.
- For the rest of this document, the term "label" is shorthand for
- "text label", and "every label" means "every text label".
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 5]
-
-RFC 3490 IDNA March 2003
-
-
- An "internationalized label" is a label to which the ToASCII
- operation (see section 4) can be applied without failing (with the
- UseSTD3ASCIIRules flag unset). This implies that every ASCII label
- that satisfies the [STD13] length restriction is an internationalized
- label. Therefore the term "internationalized label" is a
- generalization, embracing both old ASCII labels and new non-ASCII
- labels. Although most Unicode characters can appear in
- internationalized labels, ToASCII will fail for some input strings,
- and such strings are not valid internationalized labels.
-
- An "internationalized domain name" (IDN) is a domain name in which
- every label is an internationalized label. This implies that every
- ASCII domain name is an IDN (which implies that it is possible for a
- name to be an IDN without it containing any non-ASCII characters).
- This document does not attempt to define an "internationalized host
- name". Just as has been the case with ASCII names, some DNS zone
- administrators may impose restrictions, beyond those imposed by DNS
- or IDNA, on the characters or strings that may be registered as
- labels in their zones. Such restrictions have no impact on the
- syntax or semantics of DNS protocol messages; a query for a name that
- matches no records will yield the same response regardless of the
- reason why it is not in the zone. Clients issuing queries or
- interpreting responses cannot be assumed to have any knowledge of
- zone-specific restrictions or conventions.
-
- In IDNA, equivalence of labels is defined in terms of the ToASCII
- operation, which constructs an ASCII form for a given label, whether
- or not the label was already an ASCII label. Labels are defined to
- be equivalent if and only if their ASCII forms produced by ToASCII
- match using a case-insensitive ASCII comparison. ASCII labels
- already have a notion of equivalence: upper case and lower case are
- considered equivalent. The IDNA notion of equivalence is an
- extension of that older notion. Equivalent labels in IDNA are
- treated as alternate forms of the same label, just as "foo" and "Foo"
- are treated as alternate forms of the same label.
-
- To allow internationalized labels to be handled by existing
- applications, IDNA uses an "ACE label" (ACE stands for ASCII
- Compatible Encoding). An ACE label is an internationalized label
- that can be rendered in ASCII and is equivalent to an
- internationalized label that cannot be rendered in ASCII. Given any
- internationalized label that cannot be rendered in ASCII, the ToASCII
- operation will convert it to an equivalent ACE label (whereas an
- ASCII label will be left unaltered by ToASCII). ACE labels are
- unsuitable for display to users. The ToUnicode operation will
- convert any label to an equivalent non-ACE label. In fact, an ACE
- label is formally defined to be any label that the ToUnicode
- operation would alter (whereas non-ACE labels are left unaltered by
-
-
-
-Faltstrom, et al. Standards Track [Page 6]
-
-RFC 3490 IDNA March 2003
-
-
- ToUnicode). Every ACE label begins with the ACE prefix specified in
- section 5. The ToASCII and ToUnicode operations are specified in
- section 4.
-
- The "ACE prefix" is defined in this document to be a string of ASCII
- characters that appears at the beginning of every ACE label. It is
- specified in section 5.
-
- A "domain name slot" is defined in this document to be a protocol
- element or a function argument or a return value (and so on)
- explicitly designated for carrying a domain name. Examples of domain
- name slots include: the QNAME field of a DNS query; the name argument
- of the gethostbyname() library function; the part of an email address
- following the at-sign (@) in the From: field of an email message
- header; and the host portion of the URI in the src attribute of an
- HTML <IMG> tag. General text that just happens to contain a domain
- name is not a domain name slot; for example, a domain name appearing
- in the plain text body of an email message is not occupying a domain
- name slot.
-
- An "IDN-aware domain name slot" is defined in this document to be a
- domain name slot explicitly designated for carrying an
- internationalized domain name as defined in this document. The
- designation may be static (for example, in the specification of the
- protocol or interface) or dynamic (for example, as a result of
- negotiation in an interactive session).
-
- An "IDN-unaware domain name slot" is defined in this document to be
- any domain name slot that is not an IDN-aware domain name slot.
- Obviously, this includes any domain name slot whose specification
- predates IDNA.
-
-3. Requirements and applicability
-
-3.1 Requirements
-
- IDNA conformance means adherence to the following four requirements:
-
- 1) Whenever dots are used as label separators, the following
- characters MUST be recognized as dots: U+002E (full stop), U+3002
- (ideographic full stop), U+FF0E (fullwidth full stop), U+FF61
- (halfwidth ideographic full stop).
-
- 2) Whenever a domain name is put into an IDN-unaware domain name slot
- (see section 2), it MUST contain only ASCII characters. Given an
- internationalized domain name (IDN), an equivalent domain name
- satisfying this requirement can be obtained by applying the
-
-
-
-
-Faltstrom, et al. Standards Track [Page 7]
-
-RFC 3490 IDNA March 2003
-
-
- ToASCII operation (see section 4) to each label and, if dots are
- used as label separators, changing all the label separators to
- U+002E.
-
- 3) ACE labels obtained from domain name slots SHOULD be hidden from
- users when it is known that the environment can handle the non-ACE
- form, except when the ACE form is explicitly requested. When it
- is not known whether or not the environment can handle the non-ACE
- form, the application MAY use the non-ACE form (which might fail,
- such as by not being displayed properly), or it MAY use the ACE
- form (which will look unintelligle to the user). Given an
- internationalized domain name, an equivalent domain name
- containing no ACE labels can be obtained by applying the ToUnicode
- operation (see section 4) to each label. When requirements 2 and
- 3 both apply, requirement 2 takes precedence.
-
- 4) Whenever two labels are compared, they MUST be considered to match
- if and only if they are equivalent, that is, their ASCII forms
- (obtained by applying ToASCII) match using a case-insensitive
- ASCII comparison. Whenever two names are compared, they MUST be
- considered to match if and only if their corresponding labels
- match, regardless of whether the names use the same forms of label
- separators.
-
-3.2 Applicability
-
- IDNA is applicable to all domain names in all domain name slots
- except where it is explicitly excluded.
-
- This implies that IDNA is applicable to many protocols that predate
- IDNA. Note that IDNs occupying domain name slots in those protocols
- MUST be in ASCII form (see section 3.1, requirement 2).
-
-3.2.1. DNS resource records
-
- IDNA does not apply to domain names in the NAME and RDATA fields of
- DNS resource records whose CLASS is not IN. This exclusion applies
- to every non-IN class, present and future, except where future
- standards override this exclusion by explicitly inviting the use of
- IDNA.
-
- There are currently no other exclusions on the applicability of IDNA
- to DNS resource records; it depends entirely on the CLASS, and not on
- the TYPE. This will remain true, even as new types are defined,
- unless there is a compelling reason for a new type to complicate
- matters by imposing type-specific rules.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 8]
-
-RFC 3490 IDNA March 2003
-
-
-3.2.2. Non-domain-name data types stored in domain names
-
- Although IDNA enables the representation of non-ASCII characters in
- domain names, that does not imply that IDNA enables the
- representation of non-ASCII characters in other data types that are
- stored in domain names. For example, an email address local part is
- sometimes stored in a domain label (hostmaster@example.com would be
- represented as hostmaster.example.com in the RDATA field of an SOA
- record). IDNA does not update the existing email standards, which
- allow only ASCII characters in local parts. Therefore, unless the
- email standards are revised to invite the use of IDNA for local
- parts, a domain label that holds the local part of an email address
- SHOULD NOT begin with the ACE prefix, and even if it does, it is to
- be interpreted literally as a local part that happens to begin with
- the ACE prefix.
-
-4. Conversion operations
-
- An application converts a domain name put into an IDN-unaware slot or
- displayed to a user. This section specifies the steps to perform in
- the conversion, and the ToASCII and ToUnicode operations.
-
- The input to ToASCII or ToUnicode is a single label that is a
- sequence of Unicode code points (remember that all ASCII code points
- are also Unicode code points). If a domain name is represented using
- a character set other than Unicode or US-ASCII, it will first need to
- be transcoded to Unicode.
-
- Starting from a whole domain name, the steps that an application
- takes to do the conversions are:
-
- 1) Decide whether the domain name is a "stored string" or a "query
- string" as described in [STRINGPREP]. If this conversion follows
- the "queries" rule from [STRINGPREP], set the flag called
- "AllowUnassigned".
-
- 2) Split the domain name into individual labels as described in
- section 3.1. The labels do not include the separator.
-
- 3) For each label, decide whether or not to enforce the restrictions
- on ASCII characters in host names [STD3]. (Applications already
- faced this choice before the introduction of IDNA, and can
- continue to make the decision the same way they always have; IDNA
- makes no new recommendations regarding this choice.) If the
- restrictions are to be enforced, set the flag called
- "UseSTD3ASCIIRules" for that label.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 9]
-
-RFC 3490 IDNA March 2003
-
-
- 4) Process each label with either the ToASCII or the ToUnicode
- operation as appropriate. Typically, you use the ToASCII
- operation if you are about to put the name into an IDN-unaware
- slot, and you use the ToUnicode operation if you are displaying
- the name to a user; section 3.1 gives greater detail on the
- applicable requirements.
-
- 5) If ToASCII was applied in step 4 and dots are used as label
- separators, change all the label separators to U+002E (full stop).
-
- The following two subsections define the ToASCII and ToUnicode
- operations that are used in step 4.
-
- This description of the protocol uses specific procedure names, names
- of flags, and so on, in order to facilitate the specification of the
- protocol. These names, as well as the actual steps of the
- procedures, are not required of an implementation. In fact, any
- implementation which has the same external behavior as specified in
- this document conforms to this specification.
-
-4.1 ToASCII
-
- The ToASCII operation takes a sequence of Unicode code points that
- make up one label and transforms it into a sequence of code points in
- the ASCII range (0..7F). If ToASCII succeeds, the original sequence
- and the resulting sequence are equivalent labels.
-
- It is important to note that the ToASCII operation can fail. ToASCII
- fails if any step of it fails. If any step of the ToASCII operation
- fails on any label in a domain name, that domain name MUST NOT be
- used as an internationalized domain name. The method for dealing
- with this failure is application-specific.
-
- The inputs to ToASCII are a sequence of code points, the
- AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of
- ToASCII is either a sequence of ASCII code points or a failure
- condition.
-
- ToASCII never alters a sequence of code points that are all in the
- ASCII range to begin with (although it could fail). Applying the
- ToASCII operation multiple times has exactly the same effect as
- applying it just once.
-
- ToASCII consists of the following steps:
-
- 1. If the sequence contains any code points outside the ASCII range
- (0..7F) then proceed to step 2, otherwise skip to step 3.
-
-
-
-
-Faltstrom, et al. Standards Track [Page 10]
-
-RFC 3490 IDNA March 2003
-
-
- 2. Perform the steps specified in [NAMEPREP] and fail if there is an
- error. The AllowUnassigned flag is used in [NAMEPREP].
-
- 3. If the UseSTD3ASCIIRules flag is set, then perform these checks:
-
- (a) Verify the absence of non-LDH ASCII code points; that is, the
- absence of 0..2C, 2E..2F, 3A..40, 5B..60, and 7B..7F.
-
- (b) Verify the absence of leading and trailing hyphen-minus; that
- is, the absence of U+002D at the beginning and end of the
- sequence.
-
- 4. If the sequence contains any code points outside the ASCII range
- (0..7F) then proceed to step 5, otherwise skip to step 8.
-
- 5. Verify that the sequence does NOT begin with the ACE prefix.
-
- 6. Encode the sequence using the encoding algorithm in [PUNYCODE] and
- fail if there is an error.
-
- 7. Prepend the ACE prefix.
-
- 8. Verify that the number of code points is in the range 1 to 63
- inclusive.
-
-4.2 ToUnicode
-
- The ToUnicode operation takes a sequence of Unicode code points that
- make up one label and returns a sequence of Unicode code points. If
- the input sequence is a label in ACE form, then the result is an
- equivalent internationalized label that is not in ACE form, otherwise
- the original sequence is returned unaltered.
-
- ToUnicode never fails. If any step fails, then the original input
- sequence is returned immediately in that step.
-
- The ToUnicode output never contains more code points than its input.
- Note that the number of octets needed to represent a sequence of code
- points depends on the particular character encoding used.
-
- The inputs to ToUnicode are a sequence of code points, the
- AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of
- ToUnicode is always a sequence of Unicode code points.
-
- 1. If all code points in the sequence are in the ASCII range (0..7F)
- then skip to step 3.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 11]
-
-RFC 3490 IDNA March 2003
-
-
- 2. Perform the steps specified in [NAMEPREP] and fail if there is an
- error. (If step 3 of ToASCII is also performed here, it will not
- affect the overall behavior of ToUnicode, but it is not
- necessary.) The AllowUnassigned flag is used in [NAMEPREP].
-
- 3. Verify that the sequence begins with the ACE prefix, and save a
- copy of the sequence.
-
- 4. Remove the ACE prefix.
-
- 5. Decode the sequence using the decoding algorithm in [PUNYCODE] and
- fail if there is an error. Save a copy of the result of this
- step.
-
- 6. Apply ToASCII.
-
- 7. Verify that the result of step 6 matches the saved copy from step
- 3, using a case-insensitive ASCII comparison.
-
- 8. Return the saved copy from step 5.
-
-5. ACE prefix
-
- The ACE prefix, used in the conversion operations (section 4), is two
- alphanumeric ASCII characters followed by two hyphen-minuses. It
- cannot be any of the prefixes already used in earlier documents,
- which includes the following: "bl--", "bq--", "dq--", "lq--", "mq--",
- "ra--", "wq--" and "zq--". The ToASCII and ToUnicode operations MUST
- recognize the ACE prefix in a case-insensitive manner.
-
- The ACE prefix for IDNA is "xn--" or any capitalization thereof.
-
- This means that an ACE label might be "xn--de-jg4avhby1noc0d", where
- "de-jg4avhby1noc0d" is the part of the ACE label that is generated by
- the encoding steps in [PUNYCODE].
-
- While all ACE labels begin with the ACE prefix, not all labels
- beginning with the ACE prefix are necessarily ACE labels. Non-ACE
- labels that begin with the ACE prefix will confuse users and SHOULD
- NOT be allowed in DNS zones.
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 12]
-
-RFC 3490 IDNA March 2003
-
-
-6. Implications for typical applications using DNS
-
- In IDNA, applications perform the processing needed to input
- internationalized domain names from users, display internationalized
- domain names to users, and process the inputs and outputs from DNS
- and other protocols that carry domain names.
-
- The components and interfaces between them can be represented
- pictorially as:
-
- +------+
- | User |
- +------+
- ^
- | Input and display: local interface methods
- | (pen, keyboard, glowing phosphorus, ...)
- +-------------------|-------------------------------+
- | v |
- | +-----------------------------+ |
- | | Application | |
- | | (ToASCII and ToUnicode | |
- | | operations may be | |
- | | called here) | |
- | +-----------------------------+ |
- | ^ ^ | End system
- | | | |
- | Call to resolver: | | Application-specific |
- | ACE | | protocol: |
- | v | ACE unless the |
- | +----------+ | protocol is updated |
- | | Resolver | | to handle other |
- | +----------+ | encodings |
- | ^ | |
- +-----------------|----------|----------------------+
- DNS protocol: | |
- ACE | |
- v v
- +-------------+ +---------------------+
- | DNS servers | | Application servers |
- +-------------+ +---------------------+
-
- The box labeled "Application" is where the application splits a
- domain name into labels, sets the appropriate flags, and performs the
- ToASCII and ToUnicode operations. This is described in section 4.
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 13]
-
-RFC 3490 IDNA March 2003
-
-
-6.1 Entry and display in applications
-
- Applications can accept domain names using any character set or sets
- desired by the application developer, and can display domain names in
- any charset. That is, the IDNA protocol does not affect the
- interface between users and applications.
-
- An IDNA-aware application can accept and display internationalized
- domain names in two formats: the internationalized character set(s)
- supported by the application, and as an ACE label. ACE labels that
- are displayed or input MUST always include the ACE prefix.
- Applications MAY allow input and display of ACE labels, but are not
- encouraged to do so except as an interface for special purposes,
- possibly for debugging, or to cope with display limitations as
- described in section 6.4.. ACE encoding is opaque and ugly, and
- should thus only be exposed to users who absolutely need it. Because
- name labels encoded as ACE name labels can be rendered either as the
- encoded ASCII characters or the proper decoded characters, the
- application MAY have an option for the user to select the preferred
- method of display; if it does, rendering the ACE SHOULD NOT be the
- default.
-
- Domain names are often stored and transported in many places. For
- example, they are part of documents such as mail messages and web
- pages. They are transported in many parts of many protocols, such as
- both the control commands and the RFC 2822 body parts of SMTP, and
- the headers and the body content in HTTP. It is important to
- remember that domain names appear both in domain name slots and in
- the content that is passed over protocols.
-
- In protocols and document formats that define how to handle
- specification or negotiation of charsets, labels can be encoded in
- any charset allowed by the protocol or document format. If a
- protocol or document format only allows one charset, the labels MUST
- be given in that charset.
-
- In any place where a protocol or document format allows transmission
- of the characters in internationalized labels, internationalized
- labels SHOULD be transmitted using whatever character encoding and
- escape mechanism that the protocol or document format uses at that
- place.
-
- All protocols that use domain name slots already have the capacity
- for handling domain names in the ASCII charset. Thus, ACE labels
- (internationalized labels that have been processed with the ToASCII
- operation) can inherently be handled by those protocols.
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 14]
-
-RFC 3490 IDNA March 2003
-
-
-6.2 Applications and resolver libraries
-
- Applications normally use functions in the operating system when they
- resolve DNS queries. Those functions in the operating system are
- often called "the resolver library", and the applications communicate
- with the resolver libraries through a programming interface (API).
-
- Because these resolver libraries today expect only domain names in
- ASCII, applications MUST prepare labels that are passed to the
- resolver library using the ToASCII operation. Labels received from
- the resolver library contain only ASCII characters; internationalized
- labels that cannot be represented directly in ASCII use the ACE form.
- ACE labels always include the ACE prefix.
-
- An operating system might have a set of libraries for performing the
- ToASCII operation. The input to such a library might be in one or
- more charsets that are used in applications (UTF-8 and UTF-16 are
- likely candidates for almost any operating system, and script-
- specific charsets are likely for localized operating systems).
-
- IDNA-aware applications MUST be able to work with both non-
- internationalized labels (those that conform to [STD13] and [STD3])
- and internationalized labels.
-
- It is expected that new versions of the resolver libraries in the
- future will be able to accept domain names in other charsets than
- ASCII, and application developers might one day pass not only domain
- names in Unicode, but also in local script to a new API for the
- resolver libraries in the operating system. Thus the ToASCII and
- ToUnicode operations might be performed inside these new versions of
- the resolver libraries.
-
- Domain names passed to resolvers or put into the question section of
- DNS requests follow the rules for "queries" from [STRINGPREP].
-
-6.3 DNS servers
-
- Domain names stored in zones follow the rules for "stored strings"
- from [STRINGPREP].
-
- For internationalized labels that cannot be represented directly in
- ASCII, DNS servers MUST use the ACE form produced by the ToASCII
- operation. All IDNs served by DNS servers MUST contain only ASCII
- characters.
-
- If a signaling system which makes negotiation possible between old
- and new DNS clients and servers is standardized in the future, the
- encoding of the query in the DNS protocol itself can be changed from
-
-
-
-Faltstrom, et al. Standards Track [Page 15]
-
-RFC 3490 IDNA March 2003
-
-
- ACE to something else, such as UTF-8. The question whether or not
- this should be used is, however, a separate problem and is not
- discussed in this memo.
-
-6.4 Avoiding exposing users to the raw ACE encoding
-
- Any application that might show the user a domain name obtained from
- a domain name slot, such as from gethostbyaddr or part of a mail
- header, will need to be updated if it is to prevent users from seeing
- the ACE.
-
- If an application decodes an ACE name using ToUnicode but cannot show
- all of the characters in the decoded name, such as if the name
- contains characters that the output system cannot display, the
- application SHOULD show the name in ACE format (which always includes
- the ACE prefix) instead of displaying the name with the replacement
- character (U+FFFD). This is to make it easier for the user to
- transfer the name correctly to other programs. Programs that by
- default show the ACE form when they cannot show all the characters in
- a name label SHOULD also have a mechanism to show the name that is
- produced by the ToUnicode operation with as many characters as
- possible and replacement characters in the positions where characters
- cannot be displayed.
-
- The ToUnicode operation does not alter labels that are not valid ACE
- labels, even if they begin with the ACE prefix. After ToUnicode has
- been applied, if a label still begins with the ACE prefix, then it is
- not a valid ACE label, and is not equivalent to any of the
- intermediate Unicode strings constructed by ToUnicode.
-
-6.5 DNSSEC authentication of IDN domain names
-
- DNS Security [RFC2535] is a method for supplying cryptographic
- verification information along with DNS messages. Public Key
- Cryptography is used in conjunction with digital signatures to
- provide a means for a requester of domain information to authenticate
- the source of the data. This ensures that it can be traced back to a
- trusted source, either directly, or via a chain of trust linking the
- source of the information to the top of the DNS hierarchy.
-
- IDNA specifies that all internationalized domain names served by DNS
- servers that cannot be represented directly in ASCII must use the ACE
- form produced by the ToASCII operation. This operation must be
- performed prior to a zone being signed by the private key for that
- zone. Because of this ordering, it is important to recognize that
- DNSSEC authenticates the ASCII domain name, not the Unicode form or
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 16]
-
-RFC 3490 IDNA March 2003
-
-
- the mapping between the Unicode form and the ASCII form. In the
- presence of DNSSEC, this is the name that MUST be signed in the zone
- and MUST be validated against.
-
- One consequence of this for sites deploying IDNA in the presence of
- DNSSEC is that any special purpose proxies or forwarders used to
- transform user input into IDNs must be earlier in the resolution flow
- than DNSSEC authenticating nameservers for DNSSEC to work.
-
-7. Name server considerations
-
- Existing DNS servers do not know the IDNA rules for handling non-
- ASCII forms of IDNs, and therefore need to be shielded from them.
- All existing channels through which names can enter a DNS server
- database (for example, master files [STD13] and DNS update messages
- [RFC2136]) are IDN-unaware because they predate IDNA, and therefore
- requirement 2 of section 3.1 of this document provides the needed
- shielding, by ensuring that internationalized domain names entering
- DNS server databases through such channels have already been
- converted to their equivalent ASCII forms.
-
- It is imperative that there be only one ASCII encoding for a
- particular domain name. Because of the design of the ToASCII and
- ToUnicode operations, there are no ACE labels that decode to ASCII
- labels, and therefore name servers cannot contain multiple ASCII
- encodings of the same domain name.
-
- [RFC2181] explicitly allows domain labels to contain octets beyond
- the ASCII range (0..7F), and this document does not change that.
- Note, however, that there is no defined interpretation of octets
- 80..FF as characters. If labels containing these octets are returned
- to applications, unpredictable behavior could result. The ASCII form
- defined by ToASCII is the only standard representation for
- internationalized labels in the current DNS protocol.
-
-8. Root server considerations
-
- IDNs are likely to be somewhat longer than current domain names, so
- the bandwidth needed by the root servers is likely to go up by a
- small amount. Also, queries and responses for IDNs will probably be
- somewhat longer than typical queries today, so more queries and
- responses may be forced to go to TCP instead of UDP.
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 17]
-
-RFC 3490 IDNA March 2003
-
-
-9. References
-
-9.1 Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [NAMEPREP] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
- Profile for Internationalized Domain Names (IDN)", RFC
- 3491, March 2003.
-
- [PUNYCODE] Costello, A., "Punycode: A Bootstring encoding of
- Unicode for use with Internationalized Domain Names in
- Applications (IDNA)", RFC 3492, March 2003.
-
- [STD3] Braden, R., "Requirements for Internet Hosts --
- Communication Layers", STD 3, RFC 1122, and
- "Requirements for Internet Hosts -- Application and
- Support", STD 3, RFC 1123, October 1989.
-
- [STD13] Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034 and "Domain names -
- implementation and specification", STD 13, RFC 1035,
- November 1987.
-
-9.2 Informative References
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [UAX9] Unicode Standard Annex #9, The Bidirectional Algorithm,
- <http://www.unicode.org/unicode/reports/tr9/>.
-
- [UNICODE] The Unicode Consortium. The Unicode Standard, Version
- 3.2.0 is defined by The Unicode Standard, Version 3.0
- (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
- as amended by the Unicode Standard Annex #27: Unicode
- 3.1 (http://www.unicode.org/reports/tr27/) and by the
- Unicode Standard Annex #28: Unicode 3.2
- (http://www.unicode.org/reports/tr28/).
-
-
-
-
-Faltstrom, et al. Standards Track [Page 18]
-
-RFC 3490 IDNA March 2003
-
-
- [USASCII] Cerf, V., "ASCII format for Network Interchange", RFC
- 20, October 1969.
-
-10. Security Considerations
-
- Security on the Internet partly relies on the DNS. Thus, any change
- to the characteristics of the DNS can change the security of much of
- the Internet.
-
- This memo describes an algorithm which encodes characters that are
- not valid according to STD3 and STD13 into octet values that are
- valid. No security issues such as string length increases or new
- allowed values are introduced by the encoding process or the use of
- these encoded values, apart from those introduced by the ACE encoding
- itself.
-
- Domain names are used by users to identify and connect to Internet
- servers. The security of the Internet is compromised if a user
- entering a single internationalized name is connected to different
- servers based on different interpretations of the internationalized
- domain name.
-
- When systems use local character sets other than ASCII and Unicode,
- this specification leaves the the problem of transcoding between the
- local character set and Unicode up to the application. If different
- applications (or different versions of one application) implement
- different transcoding rules, they could interpret the same name
- differently and contact different servers. This problem is not
- solved by security protocols like TLS that do not take local
- character sets into account.
-
- Because this document normatively refers to [NAMEPREP], [PUNYCODE],
- and [STRINGPREP], it includes the security considerations from those
- documents as well.
-
- If or when this specification is updated to use a more recent Unicode
- normalization table, the new normalization table will need to be
- compared with the old to spot backwards incompatible changes. If
- there are such changes, they will need to be handled somehow, or
- there will be security as well as operational implications. Methods
- to handle the conflicts could include keeping the old normalization,
- or taking care of the conflicting characters by operational means, or
- some other method.
-
- Implementations MUST NOT use more recent normalization tables than
- the one referenced from this document, even though more recent tables
- may be provided by operating systems. If an application is unsure of
- which version of the normalization tables are in the operating
-
-
-
-Faltstrom, et al. Standards Track [Page 19]
-
-RFC 3490 IDNA March 2003
-
-
- system, the application needs to include the normalization tables
- itself. Using normalization tables other than the one referenced
- from this specification could have security and operational
- implications.
-
- To help prevent confusion between characters that are visually
- similar, it is suggested that implementations provide visual
- indications where a domain name contains multiple scripts. Such
- mechanisms can also be used to show when a name contains a mixture of
- simplified and traditional Chinese characters, or to distinguish zero
- and one from O and l. DNS zone adminstrators may impose restrictions
- (subject to the limitations in section 2) that try to minimize
- homographs.
-
- Domain names (or portions of them) are sometimes compared against a
- set of privileged or anti-privileged domains. In such situations it
- is especially important that the comparisons be done properly, as
- specified in section 3.1 requirement 4. For labels already in ASCII
- form, the proper comparison reduces to the same case-insensitive
- ASCII comparison that has always been used for ASCII labels.
-
- The introduction of IDNA means that any existing labels that start
- with the ACE prefix and would be altered by ToUnicode will
- automatically be ACE labels, and will be considered equivalent to
- non-ASCII labels, whether or not that was the intent of the zone
- adminstrator or registrant.
-
-11. IANA Considerations
-
- IANA has assigned the ACE prefix in consultation with the IESG.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 20]
-
-RFC 3490 IDNA March 2003
-
-
-12. Authors' Addresses
-
- Patrik Faltstrom
- Cisco Systems
- Arstaangsvagen 31 J
- S-117 43 Stockholm Sweden
-
- EMail: paf@cisco.com
-
-
- Paul Hoffman
- Internet Mail Consortium and VPN Consortium
- 127 Segre Place
- Santa Cruz, CA 95060 USA
-
- EMail: phoffman@imc.org
-
-
- Adam M. Costello
- University of California, Berkeley
-
- URL: http://www.nicemice.net/amc/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 21]
-
-RFC 3490 IDNA March 2003
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Faltstrom, et al. Standards Track [Page 22]
-
diff --git a/contrib/bind9/doc/rfc/rfc3491.txt b/contrib/bind9/doc/rfc/rfc3491.txt
deleted file mode 100644
index dbc86c7fe4c0..000000000000
--- a/contrib/bind9/doc/rfc/rfc3491.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group P. Hoffman
-Request for Comments: 3491 IMC & VPNC
-Category: Standards Track M. Blanchet
- Viagenie
- March 2003
-
-
- Nameprep: A Stringprep Profile for
- Internationalized Domain Names (IDN)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document describes how to prepare internationalized domain name
- (IDN) labels in order to increase the likelihood that name input and
- name comparison work in ways that make sense for typical users
- throughout the world. This profile of the stringprep protocol is
- used as part of a suite of on-the-wire protocols for
- internationalizing the Domain Name System (DNS).
-
-1. Introduction
-
- This document specifies processing rules that will allow users to
- enter internationalized domain names (IDNs) into applications and
- have the highest chance of getting the content of the strings
- correct. It is a profile of stringprep [STRINGPREP]. These
- processing rules are only intended for internationalized domain
- names, not for arbitrary text.
-
- This profile defines the following, as required by [STRINGPREP].
-
- - The intended applicability of the profile: internationalized
- domain names processed by IDNA.
-
- - The character repertoire that is the input and output to
- stringprep: Unicode 3.2, specified in section 2.
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 1]
-
-RFC 3491 IDN Nameprep March 2003
-
-
- - The mappings used: specified in section 3.
-
- - The Unicode normalization used: specified in section 4.
-
- - The characters that are prohibited as output: specified in section
- 5.
-
- - Bidirectional character handling: specified in section 6.
-
-1.1 Interaction of protocol parts
-
- Nameprep is used by the IDNA [IDNA] protocol for preparing domain
- names; it is not designed for any other purpose. It is explicitly
- not designed for processing arbitrary free text and SHOULD NOT be
- used for that purpose. Nameprep is a profile of Stringprep
- [STRINGPREP]. Implementations of Nameprep MUST fully implement
- Stringprep.
-
- Nameprep is used to process domain name labels, not domain names.
- IDNA calls nameprep for each label in a domain name, not for the
- whole domain name.
-
-1.2 Terminology
-
- The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
- in this document are to be interpreted as described in BCP 14, RFC
- 2119 [RFC2119].
-
-2. Character Repertoire
-
- This profile uses Unicode 3.2, as defined in [STRINGPREP] Appendix A.
-
-3. Mapping
-
- This profile specifies mapping using the following tables from
- [STRINGPREP]:
-
- Table B.1
- Table B.2
-
-4. Normalization
-
- This profile specifies using Unicode normalization form KC, as
- described in [STRINGPREP].
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 2]
-
-RFC 3491 IDN Nameprep March 2003
-
-
-5. Prohibited Output
-
- This profile specifies prohibiting using the following tables from
- [STRINGPREP]:
-
- Table C.1.2
- Table C.2.2
- Table C.3
- Table C.4
- Table C.5
- Table C.6
- Table C.7
- Table C.8
- Table C.9
-
- IMPORTANT NOTE: This profile MUST be used with the IDNA protocol.
- The IDNA protocol has additional prohibitions that are checked
- outside of this profile.
-
-6. Bidirectional characters
-
- This profile specifies checking bidirectional strings as described in
- [STRINGPREP] section 6.
-
-7. Unassigned Code Points in Internationalized Domain Names
-
- If the processing in [IDNA] specifies that a list of unassigned code
- points be used, the system uses table A.1 from [STRINGPREP] as its
- list of unassigned code points.
-
-8. References
-
-8.1 Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
- Internationalized Strings ("stringprep")", RFC 3454,
- December 2002.
-
- [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
- "Internationalizing Domain Names in Applications
- (IDNA)", RFC 3490, March 2003.
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 3]
-
-RFC 3491 IDN Nameprep March 2003
-
-
-8.2 Informative references
-
- [STD13] Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034, and "Domain names -
- implementation and specification", STD 13, RFC 1035,
- November 1987.
-
-9. Security Considerations
-
- The Unicode and ISO/IEC 10646 repertoires have many characters that
- look similar. In many cases, users of security protocols might do
- visual matching, such as when comparing the names of trusted third
- parties. Because it is impossible to map similar-looking characters
- without a great deal of context such as knowing the fonts used,
- stringprep does nothing to map similar-looking characters together
- nor to prohibit some characters because they look like others.
-
- Security on the Internet partly relies on the DNS. Thus, any change
- to the characteristics of the DNS can change the security of much of
- the Internet.
-
- Domain names are used by users to connect to Internet servers. The
- security of the Internet would be compromised if a user entering a
- single internationalized name could be connected to different servers
- based on different interpretations of the internationalized domain
- name.
-
- Current applications might assume that the characters allowed in
- domain names will always be the same as they are in [STD13]. This
- document vastly increases the number of characters available in
- domain names. Every program that uses "special" characters in
- conjunction with domain names may be vulnerable to attack based on
- the new characters allowed by this specification.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 4]
-
-RFC 3491 IDN Nameprep March 2003
-
-
-10. IANA Considerations
-
- This is a profile of stringprep. It has been registered by the IANA
- in the stringprep profile registry
- (www.iana.org/assignments/stringprep-profiles).
-
- Name of this profile:
- Nameprep
-
- RFC in which the profile is defined:
- This document.
-
- Indicator whether or not this is the newest version of the
- profile:
- This is the first version of Nameprep.
-
-11. Acknowledgements
-
- Many people from the IETF IDN Working Group and the Unicode Technical
- Committee contributed ideas that went into this document.
-
- The IDN Nameprep design team made many useful changes to the
- document. That team and its advisors include:
-
- Asmus Freytag
- Cathy Wissink
- Francois Yergeau
- James Seng
- Marc Blanchet
- Mark Davis
- Martin Duerst
- Patrik Faltstrom
- Paul Hoffman
-
- Additional significant improvements were proposed by:
-
- Jonathan Rosenne
- Kent Karlsson
- Scott Hollenbeck
- Dave Crocker
- Erik Nordmark
- Matitiahu Allouche
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 5]
-
-RFC 3491 IDN Nameprep March 2003
-
-
-12. Authors' Addresses
-
- Paul Hoffman
- Internet Mail Consortium and VPN Consortium
- 127 Segre Place
- Santa Cruz, CA 95060 USA
-
- EMail: paul.hoffman@imc.org and paul.hoffman@vpnc.org
-
-
- Marc Blanchet
- Viagenie inc.
- 2875 boul. Laurier, bur. 300
- Ste-Foy, Quebec, Canada, G1V 2M2
-
- EMail: Marc.Blanchet@viagenie.qc.ca
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 6]
-
-RFC 3491 IDN Nameprep March 2003
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hoffman & Blanchet Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc3492.txt b/contrib/bind9/doc/rfc/rfc3492.txt
deleted file mode 100644
index e72ad81a2719..000000000000
--- a/contrib/bind9/doc/rfc/rfc3492.txt
+++ /dev/null
@@ -1,1963 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Costello
-Request for Comments: 3492 Univ. of California, Berkeley
-Category: Standards Track March 2003
-
-
- Punycode: A Bootstring encoding of Unicode
- for Internationalized Domain Names in Applications (IDNA)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- Punycode is a simple and efficient transfer encoding syntax designed
- for use with Internationalized Domain Names in Applications (IDNA).
- It uniquely and reversibly transforms a Unicode string into an ASCII
- string. ASCII characters in the Unicode string are represented
- literally, and non-ASCII characters are represented by ASCII
- characters that are allowed in host name labels (letters, digits, and
- hyphens). This document defines a general algorithm called
- Bootstring that allows a string of basic code points to uniquely
- represent any string of code points drawn from a larger set.
- Punycode is an instance of Bootstring that uses particular parameter
- values specified by this document, appropriate for IDNA.
-
-Table of Contents
-
- 1. Introduction...............................................2
- 1.1 Features..............................................2
- 1.2 Interaction of protocol parts.........................3
- 2. Terminology................................................3
- 3. Bootstring description.....................................4
- 3.1 Basic code point segregation..........................4
- 3.2 Insertion unsort coding...............................4
- 3.3 Generalized variable-length integers..................5
- 3.4 Bias adaptation.......................................7
- 4. Bootstring parameters......................................8
- 5. Parameter values for Punycode..............................8
- 6. Bootstring algorithms......................................9
-
-
-
-Costello Standards Track [Page 1]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- 6.1 Bias adaptation function.............................10
- 6.2 Decoding procedure...................................11
- 6.3 Encoding procedure...................................12
- 6.4 Overflow handling....................................13
- 7. Punycode examples.........................................14
- 7.1 Sample strings.......................................14
- 7.2 Decoding traces......................................17
- 7.3 Encoding traces......................................19
- 8. Security Considerations...................................20
- 9. References................................................21
- 9.1 Normative References.................................21
- 9.2 Informative References...............................21
- A. Mixed-case annotation.....................................22
- B. Disclaimer and license....................................22
- C. Punycode sample implementation............................23
- Author's Address.............................................34
- Full Copyright Statement.....................................35
-
-1. Introduction
-
- [IDNA] describes an architecture for supporting internationalized
- domain names. Labels containing non-ASCII characters can be
- represented by ACE labels, which begin with a special ACE prefix and
- contain only ASCII characters. The remainder of the label after the
- prefix is a Punycode encoding of a Unicode string satisfying certain
- constraints. For the details of the prefix and constraints, see
- [IDNA] and [NAMEPREP].
-
- Punycode is an instance of a more general algorithm called
- Bootstring, which allows strings composed from a small set of "basic"
- code points to uniquely represent any string of code points drawn
- from a larger set. Punycode is Bootstring with particular parameter
- values appropriate for IDNA.
-
-1.1 Features
-
- Bootstring has been designed to have the following features:
-
- * Completeness: Every extended string (sequence of arbitrary code
- points) can be represented by a basic string (sequence of basic
- code points). Restrictions on what strings are allowed, and on
- length, can be imposed by higher layers.
-
- * Uniqueness: There is at most one basic string that represents a
- given extended string.
-
- * Reversibility: Any extended string mapped to a basic string can
- be recovered from that basic string.
-
-
-
-Costello Standards Track [Page 2]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- * Efficient encoding: The ratio of basic string length to extended
- string length is small. This is important in the context of
- domain names because RFC 1034 [RFC1034] restricts the length of a
- domain label to 63 characters.
-
- * Simplicity: The encoding and decoding algorithms are reasonably
- simple to implement. The goals of efficiency and simplicity are
- at odds; Bootstring aims at a good balance between them.
-
- * Readability: Basic code points appearing in the extended string
- are represented as themselves in the basic string (although the
- main purpose is to improve efficiency, not readability).
-
- Punycode can also support an additional feature that is not used by
- the ToASCII and ToUnicode operations of [IDNA]. When extended
- strings are case-folded prior to encoding, the basic string can use
- mixed case to tell how to convert the folded string into a mixed-case
- string. See appendix A "Mixed-case annotation".
-
-1.2 Interaction of protocol parts
-
- Punycode is used by the IDNA protocol [IDNA] for converting domain
- labels into ASCII; it is not designed for any other purpose. It is
- explicitly not designed for processing arbitrary free text.
-
-2. Terminology
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14, RFC 2119
- [RFC2119].
-
- A code point is an integral value associated with a character in a
- coded character set.
-
- As in the Unicode Standard [UNICODE], Unicode code points are denoted
- by "U+" followed by four to six hexadecimal digits, while a range of
- code points is denoted by two hexadecimal numbers separated by "..",
- with no prefixes.
-
- The operators div and mod perform integer division; (x div y) is the
- quotient of x divided by y, discarding the remainder, and (x mod y)
- is the remainder, so (x div y) * y + (x mod y) == x. Bootstring uses
- these operators only with nonnegative operands, so the quotient and
- remainder are always nonnegative.
-
- The break statement jumps out of the innermost loop (as in C).
-
-
-
-
-Costello Standards Track [Page 3]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- An overflow is an attempt to compute a value that exceeds the maximum
- value of an integer variable.
-
-3. Bootstring description
-
- Bootstring represents an arbitrary sequence of code points (the
- "extended string") as a sequence of basic code points (the "basic
- string"). This section describes the representation. Section 6
- "Bootstring algorithms" presents the algorithms as pseudocode.
- Sections 7.1 "Decoding traces" and 7.2 "Encoding traces" trace the
- algorithms for sample inputs.
-
- The following sections describe the four techniques used in
- Bootstring. "Basic code point segregation" is a very simple and
- efficient encoding for basic code points occurring in the extended
- string: they are simply copied all at once. "Insertion unsort
- coding" encodes the non-basic code points as deltas, and processes
- the code points in numerical order rather than in order of
- appearance, which typically results in smaller deltas. The deltas
- are represented as "generalized variable-length integers", which use
- basic code points to represent nonnegative integers. The parameters
- of this integer representation are dynamically adjusted using "bias
- adaptation", to improve efficiency when consecutive deltas have
- similar magnitudes.
-
-3.1 Basic code point segregation
-
- All basic code points appearing in the extended string are
- represented literally at the beginning of the basic string, in their
- original order, followed by a delimiter if (and only if) the number
- of basic code points is nonzero. The delimiter is a particular basic
- code point, which never appears in the remainder of the basic string.
- The decoder can therefore find the end of the literal portion (if
- there is one) by scanning for the last delimiter.
-
-3.2 Insertion unsort coding
-
- The remainder of the basic string (after the last delimiter if there
- is one) represents a sequence of nonnegative integral deltas as
- generalized variable-length integers, described in section 3.3. The
- meaning of the deltas is best understood in terms of the decoder.
-
- The decoder builds the extended string incrementally. Initially, the
- extended string is a copy of the literal portion of the basic string
- (excluding the last delimiter). The decoder inserts non-basic code
- points, one for each delta, into the extended string, ultimately
- arriving at the final decoded string.
-
-
-
-
-Costello Standards Track [Page 4]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- At the heart of this process is a state machine with two state
- variables: an index i and a counter n. The index i refers to a
- position in the extended string; it ranges from 0 (the first
- position) to the current length of the extended string (which refers
- to a potential position beyond the current end). If the current
- state is <n,i>, the next state is <n,i+1> if i is less than the
- length of the extended string, or <n+1,0> if i equals the length of
- the extended string. In other words, each state change causes i to
- increment, wrapping around to zero if necessary, and n counts the
- number of wrap-arounds.
-
- Notice that the state always advances monotonically (there is no way
- for the decoder to return to an earlier state). At each state, an
- insertion is either performed or not performed. At most one
- insertion is performed in a given state. An insertion inserts the
- value of n at position i in the extended string. The deltas are a
- run-length encoding of this sequence of events: they are the lengths
- of the runs of non-insertion states preceeding the insertion states.
- Hence, for each delta, the decoder performs delta state changes, then
- an insertion, and then one more state change. (An implementation
- need not perform each state change individually, but can instead use
- division and remainder calculations to compute the next insertion
- state directly.) It is an error if the inserted code point is a
- basic code point (because basic code points were supposed to be
- segregated as described in section 3.1).
-
- The encoder's main task is to derive the sequence of deltas that will
- cause the decoder to construct the desired string. It can do this by
- repeatedly scanning the extended string for the next code point that
- the decoder would need to insert, and counting the number of state
- changes the decoder would need to perform, mindful of the fact that
- the decoder's extended string will include only those code points
- that have already been inserted. Section 6.3 "Encoding procedure"
- gives a precise algorithm.
-
-3.3 Generalized variable-length integers
-
- In a conventional integer representation the base is the number of
- distinct symbols for digits, whose values are 0 through base-1. Let
- digit_0 denote the least significant digit, digit_1 the next least
- significant, and so on. The value represented is the sum over j of
- digit_j * w(j), where w(j) = base^j is the weight (scale factor) for
- position j. For example, in the base 8 integer 437, the digits are
- 7, 3, and 4, and the weights are 1, 8, and 64, so the value is 7 +
- 3*8 + 4*64 = 287. This representation has two disadvantages: First,
- there are multiple encodings of each value (because there can be
- extra zeros in the most significant positions), which is inconvenient
-
-
-
-
-Costello Standards Track [Page 5]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- when unique encodings are needed. Second, the integer is not self-
- delimiting, so if multiple integers are concatenated the boundaries
- between them are lost.
-
- The generalized variable-length representation solves these two
- problems. The digit values are still 0 through base-1, but now the
- integer is self-delimiting by means of thresholds t(j), each of which
- is in the range 0 through base-1. Exactly one digit, the most
- significant, satisfies digit_j < t(j). Therefore, if several
- integers are concatenated, it is easy to separate them, starting with
- the first if they are little-endian (least significant digit first),
- or starting with the last if they are big-endian (most significant
- digit first). As before, the value is the sum over j of digit_j *
- w(j), but the weights are different:
-
- w(0) = 1
- w(j) = w(j-1) * (base - t(j-1)) for j > 0
-
- For example, consider the little-endian sequence of base 8 digits
- 734251... Suppose the thresholds are 2, 3, 5, 5, 5, 5... This
- implies that the weights are 1, 1*(8-2) = 6, 6*(8-3) = 30, 30*(8-5) =
- 90, 90*(8-5) = 270, and so on. 7 is not less than 2, and 3 is not
- less than 3, but 4 is less than 5, so 4 is the last digit. The value
- of 734 is 7*1 + 3*6 + 4*30 = 145. The next integer is 251, with
- value 2*1 + 5*6 + 1*30 = 62. Decoding this representation is very
- similar to decoding a conventional integer: Start with a current
- value of N = 0 and a weight w = 1. Fetch the next digit d and
- increase N by d * w. If d is less than the current threshold (t)
- then stop, otherwise increase w by a factor of (base - t), update t
- for the next position, and repeat.
-
- Encoding this representation is similar to encoding a conventional
- integer: If N < t then output one digit for N and stop, otherwise
- output the digit for t + ((N - t) mod (base - t)), then replace N
- with (N - t) div (base - t), update t for the next position, and
- repeat.
-
- For any particular set of values of t(j), there is exactly one
- generalized variable-length representation of each nonnegative
- integral value.
-
- Bootstring uses little-endian ordering so that the deltas can be
- separated starting with the first. The t(j) values are defined in
- terms of the constants base, tmin, and tmax, and a state variable
- called bias:
-
- t(j) = base * (j + 1) - bias,
- clamped to the range tmin through tmax
-
-
-
-Costello Standards Track [Page 6]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- The clamping means that if the formula yields a value less than tmin
- or greater than tmax, then t(j) = tmin or tmax, respectively. (In
- the pseudocode in section 6 "Bootstring algorithms", the expression
- base * (j + 1) is denoted by k for performance reasons.) These t(j)
- values cause the representation to favor integers within a particular
- range determined by the bias.
-
-3.4 Bias adaptation
-
- After each delta is encoded or decoded, bias is set for the next
- delta as follows:
-
- 1. Delta is scaled in order to avoid overflow in the next step:
-
- let delta = delta div 2
-
- But when this is the very first delta, the divisor is not 2, but
- instead a constant called damp. This compensates for the fact
- that the second delta is usually much smaller than the first.
-
- 2. Delta is increased to compensate for the fact that the next delta
- will be inserting into a longer string:
-
- let delta = delta + (delta div numpoints)
-
- numpoints is the total number of code points encoded/decoded so
- far (including the one corresponding to this delta itself, and
- including the basic code points).
-
- 3. Delta is repeatedly divided until it falls within a threshold, to
- predict the minimum number of digits needed to represent the next
- delta:
-
- while delta > ((base - tmin) * tmax) div 2
- do let delta = delta div (base - tmin)
-
- 4. The bias is set:
-
- let bias =
- (base * the number of divisions performed in step 3) +
- (((base - tmin + 1) * delta) div (delta + skew))
-
- The motivation for this procedure is that the current delta
- provides a hint about the likely size of the next delta, and so
- t(j) is set to tmax for the more significant digits starting with
- the one expected to be last, tmin for the less significant digits
- up through the one expected to be third-last, and somewhere
- between tmin and tmax for the digit expected to be second-last
-
-
-
-Costello Standards Track [Page 7]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- (balancing the hope of the expected-last digit being unnecessary
- against the danger of it being insufficient).
-
-4. Bootstring parameters
-
- Given a set of basic code points, one needs to be designated as the
- delimiter. The base cannot be greater than the number of
- distinguishable basic code points remaining. The digit-values in the
- range 0 through base-1 need to be associated with distinct non-
- delimiter basic code points. In some cases multiple code points need
- to have the same digit-value; for example, uppercase and lowercase
- versions of the same letter need to be equivalent if basic strings
- are case-insensitive.
-
- The initial value of n cannot be greater than the minimum non-basic
- code point that could appear in extended strings.
-
- The remaining five parameters (tmin, tmax, skew, damp, and the
- initial value of bias) need to satisfy the following constraints:
-
- 0 <= tmin <= tmax <= base-1
- skew >= 1
- damp >= 2
- initial_bias mod base <= base - tmin
-
- Provided the constraints are satisfied, these five parameters affect
- efficiency but not correctness. They are best chosen empirically.
-
- If support for mixed-case annotation is desired (see appendix A),
- make sure that the code points corresponding to 0 through tmax-1 all
- have both uppercase and lowercase forms.
-
-5. Parameter values for Punycode
-
- Punycode uses the following Bootstring parameter values:
-
- base = 36
- tmin = 1
- tmax = 26
- skew = 38
- damp = 700
- initial_bias = 72
- initial_n = 128 = 0x80
-
- Although the only restriction Punycode imposes on the input integers
- is that they be nonnegative, these parameters are especially designed
- to work well with Unicode [UNICODE] code points, which are integers
- in the range 0..10FFFF (but not D800..DFFF, which are reserved for
-
-
-
-Costello Standards Track [Page 8]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- use by the UTF-16 encoding of Unicode). The basic code points are
- the ASCII [ASCII] code points (0..7F), of which U+002D (-) is the
- delimiter, and some of the others have digit-values as follows:
-
- code points digit-values
- ------------ ----------------------
- 41..5A (A-Z) = 0 to 25, respectively
- 61..7A (a-z) = 0 to 25, respectively
- 30..39 (0-9) = 26 to 35, respectively
-
- Using hyphen-minus as the delimiter implies that the encoded string
- can end with a hyphen-minus only if the Unicode string consists
- entirely of basic code points, but IDNA forbids such strings from
- being encoded. The encoded string can begin with a hyphen-minus, but
- IDNA prepends a prefix. Therefore IDNA using Punycode conforms to
- the RFC 952 rule that host name labels neither begin nor end with a
- hyphen-minus [RFC952].
-
- A decoder MUST recognize the letters in both uppercase and lowercase
- forms (including mixtures of both forms). An encoder SHOULD output
- only uppercase forms or only lowercase forms, unless it uses mixed-
- case annotation (see appendix A).
-
- Presumably most users will not manually write or type encoded strings
- (as opposed to cutting and pasting them), but those who do will need
- to be alert to the potential visual ambiguity between the following
- sets of characters:
-
- G 6
- I l 1
- O 0
- S 5
- U V
- Z 2
-
- Such ambiguities are usually resolved by context, but in a Punycode
- encoded string there is no context apparent to humans.
-
-6. Bootstring algorithms
-
- Some parts of the pseudocode can be omitted if the parameters satisfy
- certain conditions (for which Punycode qualifies). These parts are
- enclosed in {braces}, and notes immediately following the pseudocode
- explain the conditions under which they can be omitted.
-
-
-
-
-
-
-
-Costello Standards Track [Page 9]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- Formally, code points are integers, and hence the pseudocode assumes
- that arithmetic operations can be performed directly on code points.
- In some programming languages, explicit conversion between code
- points and integers might be necessary.
-
-6.1 Bias adaptation function
-
- function adapt(delta,numpoints,firsttime):
- if firsttime then let delta = delta div damp
- else let delta = delta div 2
- let delta = delta + (delta div numpoints)
- let k = 0
- while delta > ((base - tmin) * tmax) div 2 do begin
- let delta = delta div (base - tmin)
- let k = k + base
- end
- return k + (((base - tmin + 1) * delta) div (delta + skew))
-
- It does not matter whether the modifications to delta and k inside
- adapt() affect variables of the same name inside the
- encoding/decoding procedures, because after calling adapt() the
- caller does not read those variables before overwriting them.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 10]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-6.2 Decoding procedure
-
- let n = initial_n
- let i = 0
- let bias = initial_bias
- let output = an empty string indexed from 0
- consume all code points before the last delimiter (if there is one)
- and copy them to output, fail on any non-basic code point
- if more than zero code points were consumed then consume one more
- (which will be the last delimiter)
- while the input is not exhausted do begin
- let oldi = i
- let w = 1
- for k = base to infinity in steps of base do begin
- consume a code point, or fail if there was none to consume
- let digit = the code point's digit-value, fail if it has none
- let i = i + digit * w, fail on overflow
- let t = tmin if k <= bias {+ tmin}, or
- tmax if k >= bias + tmax, or k - bias otherwise
- if digit < t then break
- let w = w * (base - t), fail on overflow
- end
- let bias = adapt(i - oldi, length(output) + 1, test oldi is 0?)
- let n = n + i div (length(output) + 1), fail on overflow
- let i = i mod (length(output) + 1)
- {if n is a basic code point then fail}
- insert n into output at position i
- increment i
- end
-
- The full statement enclosed in braces (checking whether n is a basic
- code point) can be omitted if initial_n exceeds all basic code points
- (which is true for Punycode), because n is never less than initial_n.
-
- In the assignment of t, where t is clamped to the range tmin through
- tmax, "+ tmin" can always be omitted. This makes the clamping
- calculation incorrect when bias < k < bias + tmin, but that cannot
- happen because of the way bias is computed and because of the
- constraints on the parameters.
-
- Because the decoder state can only advance monotonically, and there
- is only one representation of any delta, there is therefore only one
- encoded string that can represent a given sequence of integers. The
- only error conditions are invalid code points, unexpected end-of-
- input, overflow, and basic code points encoded using deltas instead
- of appearing literally. If the decoder fails on these errors as
- shown above, then it cannot produce the same output for two distinct
- inputs. Without this property it would have been necessary to re-
-
-
-
-Costello Standards Track [Page 11]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- encode the output and verify that it matches the input in order to
- guarantee the uniqueness of the encoding.
-
-6.3 Encoding procedure
-
- let n = initial_n
- let delta = 0
- let bias = initial_bias
- let h = b = the number of basic code points in the input
- copy them to the output in order, followed by a delimiter if b > 0
- {if the input contains a non-basic code point < n then fail}
- while h < length(input) do begin
- let m = the minimum {non-basic} code point >= n in the input
- let delta = delta + (m - n) * (h + 1), fail on overflow
- let n = m
- for each code point c in the input (in order) do begin
- if c < n {or c is basic} then increment delta, fail on overflow
- if c == n then begin
- let q = delta
- for k = base to infinity in steps of base do begin
- let t = tmin if k <= bias {+ tmin}, or
- tmax if k >= bias + tmax, or k - bias otherwise
- if q < t then break
- output the code point for digit t + ((q - t) mod (base - t))
- let q = (q - t) div (base - t)
- end
- output the code point for digit q
- let bias = adapt(delta, h + 1, test h equals b?)
- let delta = 0
- increment h
- end
- end
- increment delta and n
- end
-
- The full statement enclosed in braces (checking whether the input
- contains a non-basic code point less than n) can be omitted if all
- code points less than initial_n are basic code points (which is true
- for Punycode if code points are unsigned).
-
- The brace-enclosed conditions "non-basic" and "or c is basic" can be
- omitted if initial_n exceeds all basic code points (which is true for
- Punycode), because the code point being tested is never less than
- initial_n.
-
- In the assignment of t, where t is clamped to the range tmin through
- tmax, "+ tmin" can always be omitted. This makes the clamping
- calculation incorrect when bias < k < bias + tmin, but that cannot
-
-
-
-Costello Standards Track [Page 12]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- happen because of the way bias is computed and because of the
- constraints on the parameters.
-
- The checks for overflow are necessary to avoid producing invalid
- output when the input contains very large values or is very long.
-
- The increment of delta at the bottom of the outer loop cannot
- overflow because delta < length(input) before the increment, and
- length(input) is already assumed to be representable. The increment
- of n could overflow, but only if h == length(input), in which case
- the procedure is finished anyway.
-
-6.4 Overflow handling
-
- For IDNA, 26-bit unsigned integers are sufficient to handle all valid
- IDNA labels without overflow, because any string that needed a 27-bit
- delta would have to exceed either the code point limit (0..10FFFF) or
- the label length limit (63 characters). However, overflow handling
- is necessary because the inputs are not necessarily valid IDNA
- labels.
-
- If the programming language does not provide overflow detection, the
- following technique can be used. Suppose A, B, and C are
- representable nonnegative integers and C is nonzero. Then A + B
- overflows if and only if B > maxint - A, and A + (B * C) overflows if
- and only if B > (maxint - A) div C, where maxint is the greatest
- integer for which maxint + 1 cannot be represented. Refer to
- appendix C "Punycode sample implementation" for demonstrations of
- this technique in the C language.
-
- The decoding and encoding algorithms shown in sections 6.2 and 6.3
- handle overflow by detecting it whenever it happens. Another
- approach is to enforce limits on the inputs that prevent overflow
- from happening. For example, if the encoder were to verify that no
- input code points exceed M and that the input length does not exceed
- L, then no delta could ever exceed (M - initial_n) * (L + 1), and
- hence no overflow could occur if integer variables were capable of
- representing values that large. This prevention approach would
- impose more restrictions on the input than the detection approach
- does, but might be considered simpler in some programming languages.
-
- In theory, the decoder could use an analogous approach, limiting the
- number of digits in a variable-length integer (that is, limiting the
- number of iterations in the innermost loop). However, the number of
- digits that suffice to represent a given delta can sometimes
- represent much larger deltas (because of the adaptation), and hence
- this approach would probably need integers wider than 32 bits.
-
-
-
-
-Costello Standards Track [Page 13]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- Yet another approach for the decoder is to allow overflow to occur,
- but to check the final output string by re-encoding it and comparing
- to the decoder input. If and only if they do not match (using a
- case-insensitive ASCII comparison) overflow has occurred. This
- delayed-detection approach would not impose any more restrictions on
- the input than the immediate-detection approach does, and might be
- considered simpler in some programming languages.
-
- In fact, if the decoder is used only inside the IDNA ToUnicode
- operation [IDNA], then it need not check for overflow at all, because
- ToUnicode performs a higher level re-encoding and comparison, and a
- mismatch has the same consequence as if the Punycode decoder had
- failed.
-
-7. Punycode examples
-
-7.1 Sample strings
-
- In the Punycode encodings below, the ACE prefix is not shown.
- Backslashes show where line breaks have been inserted in strings too
- long for one line.
-
- The first several examples are all translations of the sentence "Why
- can't they just speak in <language>?" (courtesy of Michael Kaplan's
- "provincial" page [PROVINCIAL]). Word breaks and punctuation have
- been removed, as is often done in domain names.
-
- (A) Arabic (Egyptian):
- u+0644 u+064A u+0647 u+0645 u+0627 u+0628 u+062A u+0643 u+0644
- u+0645 u+0648 u+0634 u+0639 u+0631 u+0628 u+064A u+061F
- Punycode: egbpdaj6bu4bxfgehfvwxn
-
- (B) Chinese (simplified):
- u+4ED6 u+4EEC u+4E3A u+4EC0 u+4E48 u+4E0D u+8BF4 u+4E2D u+6587
- Punycode: ihqwcrb4cv8a8dqg056pqjye
-
- (C) Chinese (traditional):
- u+4ED6 u+5011 u+7232 u+4EC0 u+9EBD u+4E0D u+8AAA u+4E2D u+6587
- Punycode: ihqwctvzc91f659drss3x8bo0yb
-
- (D) Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky
- U+0050 u+0072 u+006F u+010D u+0070 u+0072 u+006F u+0073 u+0074
- u+011B u+006E u+0065 u+006D u+006C u+0075 u+0076 u+00ED u+010D
- u+0065 u+0073 u+006B u+0079
- Punycode: Proprostnemluvesky-uyb24dma41a
-
-
-
-
-
-
-Costello Standards Track [Page 14]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- (E) Hebrew:
- u+05DC u+05DE u+05D4 u+05D4 u+05DD u+05E4 u+05E9 u+05D5 u+05D8
- u+05DC u+05D0 u+05DE u+05D3 u+05D1 u+05E8 u+05D9 u+05DD u+05E2
- u+05D1 u+05E8 u+05D9 u+05EA
- Punycode: 4dbcagdahymbxekheh6e0a7fei0b
-
- (F) Hindi (Devanagari):
- u+092F u+0939 u+0932 u+094B u+0917 u+0939 u+093F u+0928 u+094D
- u+0926 u+0940 u+0915 u+094D u+092F u+094B u+0902 u+0928 u+0939
- u+0940 u+0902 u+092C u+094B u+0932 u+0938 u+0915 u+0924 u+0947
- u+0939 u+0948 u+0902
- Punycode: i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd
-
- (G) Japanese (kanji and hiragana):
- u+306A u+305C u+307F u+3093 u+306A u+65E5 u+672C u+8A9E u+3092
- u+8A71 u+3057 u+3066 u+304F u+308C u+306A u+3044 u+306E u+304B
- Punycode: n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa
-
- (H) Korean (Hangul syllables):
- u+C138 u+ACC4 u+C758 u+BAA8 u+B4E0 u+C0AC u+B78C u+B4E4 u+C774
- u+D55C u+AD6D u+C5B4 u+B97C u+C774 u+D574 u+D55C u+B2E4 u+BA74
- u+C5BC u+B9C8 u+B098 u+C88B u+C744 u+AE4C
- Punycode: 989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5j\
- psd879ccm6fea98c
-
- (I) Russian (Cyrillic):
- U+043F u+043E u+0447 u+0435 u+043C u+0443 u+0436 u+0435 u+043E
- u+043D u+0438 u+043D u+0435 u+0433 u+043E u+0432 u+043E u+0440
- u+044F u+0442 u+043F u+043E u+0440 u+0443 u+0441 u+0441 u+043A
- u+0438
- Punycode: b1abfaaepdrnnbgefbaDotcwatmq2g4l
-
- (J) Spanish: Porqu<eacute>nopuedensimplementehablarenEspa<ntilde>ol
- U+0050 u+006F u+0072 u+0071 u+0075 u+00E9 u+006E u+006F u+0070
- u+0075 u+0065 u+0064 u+0065 u+006E u+0073 u+0069 u+006D u+0070
- u+006C u+0065 u+006D u+0065 u+006E u+0074 u+0065 u+0068 u+0061
- u+0062 u+006C u+0061 u+0072 u+0065 u+006E U+0045 u+0073 u+0070
- u+0061 u+00F1 u+006F u+006C
- Punycode: PorqunopuedensimplementehablarenEspaol-fmd56a
-
- (K) Vietnamese:
- T<adotbelow>isaoh<odotbelow>kh<ocirc>ngth<ecirchookabove>ch\
- <ihookabove>n<oacute>iti<ecircacute>ngVi<ecircdotbelow>t
- U+0054 u+1EA1 u+0069 u+0073 u+0061 u+006F u+0068 u+1ECD u+006B
- u+0068 u+00F4 u+006E u+0067 u+0074 u+0068 u+1EC3 u+0063 u+0068
- u+1EC9 u+006E u+00F3 u+0069 u+0074 u+0069 u+1EBF u+006E u+0067
- U+0056 u+0069 u+1EC7 u+0074
- Punycode: TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g
-
-
-
-Costello Standards Track [Page 15]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- The next several examples are all names of Japanese music artists,
- song titles, and TV programs, just because the author happens to have
- them handy (but Japanese is useful for providing examples of single-
- row text, two-row text, ideographic text, and various mixtures
- thereof).
-
- (L) 3<nen>B<gumi><kinpachi><sensei>
- u+0033 u+5E74 U+0042 u+7D44 u+91D1 u+516B u+5148 u+751F
- Punycode: 3B-ww4c5e180e575a65lsy2b
-
- (M) <amuro><namie>-with-SUPER-MONKEYS
- u+5B89 u+5BA4 u+5948 u+7F8E u+6075 u+002D u+0077 u+0069 u+0074
- u+0068 u+002D U+0053 U+0055 U+0050 U+0045 U+0052 u+002D U+004D
- U+004F U+004E U+004B U+0045 U+0059 U+0053
- Punycode: -with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n
-
- (N) Hello-Another-Way-<sorezore><no><basho>
- U+0048 u+0065 u+006C u+006C u+006F u+002D U+0041 u+006E u+006F
- u+0074 u+0068 u+0065 u+0072 u+002D U+0057 u+0061 u+0079 u+002D
- u+305D u+308C u+305E u+308C u+306E u+5834 u+6240
- Punycode: Hello-Another-Way--fc4qua05auwb3674vfr0b
-
- (O) <hitotsu><yane><no><shita>2
- u+3072 u+3068 u+3064 u+5C4B u+6839 u+306E u+4E0B u+0032
- Punycode: 2-u9tlzr9756bt3uc0v
-
- (P) Maji<de>Koi<suru>5<byou><mae>
- U+004D u+0061 u+006A u+0069 u+3067 U+004B u+006F u+0069 u+3059
- u+308B u+0035 u+79D2 u+524D
- Punycode: MajiKoi5-783gue6qz075azm5e
-
- (Q) <pafii>de<runba>
- u+30D1 u+30D5 u+30A3 u+30FC u+0064 u+0065 u+30EB u+30F3 u+30D0
- Punycode: de-jg4avhby1noc0d
-
- (R) <sono><supiido><de>
- u+305D u+306E u+30B9 u+30D4 u+30FC u+30C9 u+3067
- Punycode: d9juau41awczczp
-
- The last example is an ASCII string that breaks the existing rules
- for host name labels. (It is not a realistic example for IDNA,
- because IDNA never encodes pure ASCII labels.)
-
- (S) -> $1.00 <-
- u+002D u+003E u+0020 u+0024 u+0031 u+002E u+0030 u+0030 u+0020
- u+003C u+002D
- Punycode: -> $1.00 <--
-
-
-
-
-Costello Standards Track [Page 16]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-7.2 Decoding traces
-
- In the following traces, the evolving state of the decoder is shown
- as a sequence of hexadecimal values, representing the code points in
- the extended string. An asterisk appears just after the most
- recently inserted code point, indicating both n (the value preceeding
- the asterisk) and i (the position of the value just after the
- asterisk). Other numerical values are decimal.
-
- Decoding trace of example B from section 7.1:
-
- n is 128, i is 0, bias is 72
- input is "ihqwcrb4cv8a8dqg056pqjye"
- there is no delimiter, so extended string starts empty
- delta "ihq" decodes to 19853
- bias becomes 21
- 4E0D *
- delta "wc" decodes to 64
- bias becomes 20
- 4E0D 4E2D *
- delta "rb" decodes to 37
- bias becomes 13
- 4E3A * 4E0D 4E2D
- delta "4c" decodes to 56
- bias becomes 17
- 4E3A 4E48 * 4E0D 4E2D
- delta "v8a" decodes to 599
- bias becomes 32
- 4E3A 4EC0 * 4E48 4E0D 4E2D
- delta "8d" decodes to 130
- bias becomes 23
- 4ED6 * 4E3A 4EC0 4E48 4E0D 4E2D
- delta "qg" decodes to 154
- bias becomes 25
- 4ED6 4EEC * 4E3A 4EC0 4E48 4E0D 4E2D
- delta "056p" decodes to 46301
- bias becomes 84
- 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 4E2D 6587 *
- delta "qjye" decodes to 88531
- bias becomes 90
- 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 8BF4 * 4E2D 6587
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 17]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- Decoding trace of example L from section 7.1:
-
- n is 128, i is 0, bias is 72
- input is "3B-ww4c5e180e575a65lsy2b"
- literal portion is "3B-", so extended string starts as:
- 0033 0042
- delta "ww4c" decodes to 62042
- bias becomes 27
- 0033 0042 5148 *
- delta "5e" decodes to 139
- bias becomes 24
- 0033 0042 516B * 5148
- delta "180e" decodes to 16683
- bias becomes 67
- 0033 5E74 * 0042 516B 5148
- delta "575a" decodes to 34821
- bias becomes 82
- 0033 5E74 0042 516B 5148 751F *
- delta "65l" decodes to 14592
- bias becomes 67
- 0033 5E74 0042 7D44 * 516B 5148 751F
- delta "sy2b" decodes to 42088
- bias becomes 84
- 0033 5E74 0042 7D44 91D1 * 516B 5148 751F
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 18]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-7.3 Encoding traces
-
- In the following traces, code point values are hexadecimal, while
- other numerical values are decimal.
-
- Encoding trace of example B from section 7.1:
-
- bias is 72
- input is:
- 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 8BF4 4E2D 6587
- there are no basic code points, so no literal portion
- next code point to insert is 4E0D
- needed delta is 19853, encodes as "ihq"
- bias becomes 21
- next code point to insert is 4E2D
- needed delta is 64, encodes as "wc"
- bias becomes 20
- next code point to insert is 4E3A
- needed delta is 37, encodes as "rb"
- bias becomes 13
- next code point to insert is 4E48
- needed delta is 56, encodes as "4c"
- bias becomes 17
- next code point to insert is 4EC0
- needed delta is 599, encodes as "v8a"
- bias becomes 32
- next code point to insert is 4ED6
- needed delta is 130, encodes as "8d"
- bias becomes 23
- next code point to insert is 4EEC
- needed delta is 154, encodes as "qg"
- bias becomes 25
- next code point to insert is 6587
- needed delta is 46301, encodes as "056p"
- bias becomes 84
- next code point to insert is 8BF4
- needed delta is 88531, encodes as "qjye"
- bias becomes 90
- output is "ihqwcrb4cv8a8dqg056pqjye"
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 19]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- Encoding trace of example L from section 7.1:
-
- bias is 72
- input is:
- 0033 5E74 0042 7D44 91D1 516B 5148 751F
- basic code points (0033, 0042) are copied to literal portion: "3B-"
- next code point to insert is 5148
- needed delta is 62042, encodes as "ww4c"
- bias becomes 27
- next code point to insert is 516B
- needed delta is 139, encodes as "5e"
- bias becomes 24
- next code point to insert is 5E74
- needed delta is 16683, encodes as "180e"
- bias becomes 67
- next code point to insert is 751F
- needed delta is 34821, encodes as "575a"
- bias becomes 82
- next code point to insert is 7D44
- needed delta is 14592, encodes as "65l"
- bias becomes 67
- next code point to insert is 91D1
- needed delta is 42088, encodes as "sy2b"
- bias becomes 84
- output is "3B-ww4c5e180e575a65lsy2b"
-
-8. Security Considerations
-
- Users expect each domain name in DNS to be controlled by a single
- authority. If a Unicode string intended for use as a domain label
- could map to multiple ACE labels, then an internationalized domain
- name could map to multiple ASCII domain names, each controlled by a
- different authority, some of which could be spoofs that hijack
- service requests intended for another. Therefore Punycode is
- designed so that each Unicode string has a unique encoding.
-
- However, there can still be multiple Unicode representations of the
- "same" text, for various definitions of "same". This problem is
- addressed to some extent by the Unicode standard under the topic of
- canonicalization, and this work is leveraged for domain names by
- Nameprep [NAMEPREP].
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 20]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-9. References
-
-9.1 Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
-9.2 Informative References
-
- [RFC952] Harrenstien, K., Stahl, M. and E. Feinler, "DOD Internet
- Host Table Specification", RFC 952, October 1985.
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
- "Internationalizing Domain Names in Applications
- (IDNA)", RFC 3490, March 2003.
-
- [NAMEPREP] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
- Profile for Internationalized Domain Names (IDN)", RFC
- 3491, March 2003.
-
- [ASCII] Cerf, V., "ASCII format for Network Interchange", RFC
- 20, October 1969.
-
- [PROVINCIAL] Kaplan, M., "The 'anyone can be provincial!' page",
- http://www.trigeminal.com/samples/provincial.html.
-
- [UNICODE] The Unicode Consortium, "The Unicode Standard",
- http://www.unicode.org/unicode/standard/standard.html.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 21]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-A. Mixed-case annotation
-
- In order to use Punycode to represent case-insensitive strings,
- higher layers need to case-fold the strings prior to Punycode
- encoding. The encoded string can use mixed case as an annotation
- telling how to convert the folded string into a mixed-case string for
- display purposes. Note, however, that mixed-case annotation is not
- used by the ToASCII and ToUnicode operations specified in [IDNA], and
- therefore implementors of IDNA can disregard this appendix.
-
- Basic code points can use mixed case directly, because the decoder
- copies them verbatim, leaving lowercase code points lowercase, and
- leaving uppercase code points uppercase. Each non-basic code point
- is represented by a delta, which is represented by a sequence of
- basic code points, the last of which provides the annotation. If it
- is uppercase, it is a suggestion to map the non-basic code point to
- uppercase (if possible); if it is lowercase, it is a suggestion to
- map the non-basic code point to lowercase (if possible).
-
- These annotations do not alter the code points returned by decoders;
- the annotations are returned separately, for the caller to use or
- ignore. Encoders can accept annotations in addition to code points,
- but the annotations do not alter the output, except to influence the
- uppercase/lowercase form of ASCII letters.
-
- Punycode encoders and decoders need not support these annotations,
- and higher layers need not use them.
-
-B. Disclaimer and license
-
- Regarding this entire document or any portion of it (including the
- pseudocode and C code), the author makes no guarantees and is not
- responsible for any damage resulting from its use. The author grants
- irrevocable permission to anyone to use, modify, and distribute it in
- any way that does not diminish the rights of anyone else to use,
- modify, and distribute it, provided that redistributed derivative
- works do not contain misleading author or version information.
- Derivative works need not be licensed under similar terms.
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 22]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-C. Punycode sample implementation
-
-/*
-punycode.c from RFC 3492
-http://www.nicemice.net/idn/
-Adam M. Costello
-http://www.nicemice.net/amc/
-
-This is ANSI C code (C89) implementing Punycode (RFC 3492).
-
-*/
-
-
-/************************************************************/
-/* Public interface (would normally go in its own .h file): */
-
-#include <limits.h>
-
-enum punycode_status {
- punycode_success,
- punycode_bad_input, /* Input is invalid. */
- punycode_big_output, /* Output would exceed the space provided. */
- punycode_overflow /* Input needs wider integers to process. */
-};
-
-#if UINT_MAX >= (1 << 26) - 1
-typedef unsigned int punycode_uint;
-#else
-typedef unsigned long punycode_uint;
-#endif
-
-enum punycode_status punycode_encode(
- punycode_uint input_length,
- const punycode_uint input[],
- const unsigned char case_flags[],
- punycode_uint *output_length,
- char output[] );
-
- /* punycode_encode() converts Unicode to Punycode. The input */
- /* is represented as an array of Unicode code points (not code */
- /* units; surrogate pairs are not allowed), and the output */
- /* will be represented as an array of ASCII code points. The */
- /* output string is *not* null-terminated; it will contain */
- /* zeros if and only if the input contains zeros. (Of course */
- /* the caller can leave room for a terminator and add one if */
- /* needed.) The input_length is the number of code points in */
- /* the input. The output_length is an in/out argument: the */
- /* caller passes in the maximum number of code points that it */
-
-
-
-Costello Standards Track [Page 23]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- /* can receive, and on successful return it will contain the */
- /* number of code points actually output. The case_flags array */
- /* holds input_length boolean values, where nonzero suggests that */
- /* the corresponding Unicode character be forced to uppercase */
- /* after being decoded (if possible), and zero suggests that */
- /* it be forced to lowercase (if possible). ASCII code points */
- /* are encoded literally, except that ASCII letters are forced */
- /* to uppercase or lowercase according to the corresponding */
- /* uppercase flags. If case_flags is a null pointer then ASCII */
- /* letters are left as they are, and other code points are */
- /* treated as if their uppercase flags were zero. The return */
- /* value can be any of the punycode_status values defined above */
- /* except punycode_bad_input; if not punycode_success, then */
- /* output_size and output might contain garbage. */
-
-enum punycode_status punycode_decode(
- punycode_uint input_length,
- const char input[],
- punycode_uint *output_length,
- punycode_uint output[],
- unsigned char case_flags[] );
-
- /* punycode_decode() converts Punycode to Unicode. The input is */
- /* represented as an array of ASCII code points, and the output */
- /* will be represented as an array of Unicode code points. The */
- /* input_length is the number of code points in the input. The */
- /* output_length is an in/out argument: the caller passes in */
- /* the maximum number of code points that it can receive, and */
- /* on successful return it will contain the actual number of */
- /* code points output. The case_flags array needs room for at */
- /* least output_length values, or it can be a null pointer if the */
- /* case information is not needed. A nonzero flag suggests that */
- /* the corresponding Unicode character be forced to uppercase */
- /* by the caller (if possible), while zero suggests that it be */
- /* forced to lowercase (if possible). ASCII code points are */
- /* output already in the proper case, but their flags will be set */
- /* appropriately so that applying the flags would be harmless. */
- /* The return value can be any of the punycode_status values */
- /* defined above; if not punycode_success, then output_length, */
- /* output, and case_flags might contain garbage. On success, the */
- /* decoder will never need to write an output_length greater than */
- /* input_length, because of how the encoding is defined. */
-
-/**********************************************************/
-/* Implementation (would normally go in its own .c file): */
-
-#include <string.h>
-
-
-
-
-Costello Standards Track [Page 24]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-/*** Bootstring parameters for Punycode ***/
-
-enum { base = 36, tmin = 1, tmax = 26, skew = 38, damp = 700,
- initial_bias = 72, initial_n = 0x80, delimiter = 0x2D };
-
-/* basic(cp) tests whether cp is a basic code point: */
-#define basic(cp) ((punycode_uint)(cp) < 0x80)
-
-/* delim(cp) tests whether cp is a delimiter: */
-#define delim(cp) ((cp) == delimiter)
-
-/* decode_digit(cp) returns the numeric value of a basic code */
-/* point (for use in representing integers) in the range 0 to */
-/* base-1, or base if cp is does not represent a value. */
-
-static punycode_uint decode_digit(punycode_uint cp)
-{
- return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
- cp - 97 < 26 ? cp - 97 : base;
-}
-
-/* encode_digit(d,flag) returns the basic code point whose value */
-/* (when used for representing integers) is d, which needs to be in */
-/* the range 0 to base-1. The lowercase form is used unless flag is */
-/* nonzero, in which case the uppercase form is used. The behavior */
-/* is undefined if flag is nonzero and digit d has no uppercase form. */
-
-static char encode_digit(punycode_uint d, int flag)
-{
- return d + 22 + 75 * (d < 26) - ((flag != 0) << 5);
- /* 0..25 map to ASCII a..z or A..Z */
- /* 26..35 map to ASCII 0..9 */
-}
-
-/* flagged(bcp) tests whether a basic code point is flagged */
-/* (uppercase). The behavior is undefined if bcp is not a */
-/* basic code point. */
-
-#define flagged(bcp) ((punycode_uint)(bcp) - 65 < 26)
-
-/* encode_basic(bcp,flag) forces a basic code point to lowercase */
-/* if flag is zero, uppercase if flag is nonzero, and returns */
-/* the resulting code point. The code point is unchanged if it */
-/* is caseless. The behavior is undefined if bcp is not a basic */
-/* code point. */
-
-static char encode_basic(punycode_uint bcp, int flag)
-{
-
-
-
-Costello Standards Track [Page 25]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- bcp -= (bcp - 97 < 26) << 5;
- return bcp + ((!flag && (bcp - 65 < 26)) << 5);
-}
-
-/*** Platform-specific constants ***/
-
-/* maxint is the maximum value of a punycode_uint variable: */
-static const punycode_uint maxint = -1;
-/* Because maxint is unsigned, -1 becomes the maximum value. */
-
-/*** Bias adaptation function ***/
-
-static punycode_uint adapt(
- punycode_uint delta, punycode_uint numpoints, int firsttime )
-{
- punycode_uint k;
-
- delta = firsttime ? delta / damp : delta >> 1;
- /* delta >> 1 is a faster way of doing delta / 2 */
- delta += delta / numpoints;
-
- for (k = 0; delta > ((base - tmin) * tmax) / 2; k += base) {
- delta /= base - tmin;
- }
-
- return k + (base - tmin + 1) * delta / (delta + skew);
-}
-
-/*** Main encode function ***/
-
-enum punycode_status punycode_encode(
- punycode_uint input_length,
- const punycode_uint input[],
- const unsigned char case_flags[],
- punycode_uint *output_length,
- char output[] )
-{
- punycode_uint n, delta, h, b, out, max_out, bias, j, m, q, k, t;
-
- /* Initialize the state: */
-
- n = initial_n;
- delta = out = 0;
- max_out = *output_length;
- bias = initial_bias;
-
- /* Handle the basic code points: */
-
-
-
-
-Costello Standards Track [Page 26]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- for (j = 0; j < input_length; ++j) {
- if (basic(input[j])) {
- if (max_out - out < 2) return punycode_big_output;
- output[out++] =
- case_flags ? encode_basic(input[j], case_flags[j]) : input[j];
- }
- /* else if (input[j] < n) return punycode_bad_input; */
- /* (not needed for Punycode with unsigned code points) */
- }
-
- h = b = out;
-
- /* h is the number of code points that have been handled, b is the */
- /* number of basic code points, and out is the number of characters */
- /* that have been output. */
-
- if (b > 0) output[out++] = delimiter;
-
- /* Main encoding loop: */
-
- while (h < input_length) {
- /* All non-basic code points < n have been */
- /* handled already. Find the next larger one: */
-
- for (m = maxint, j = 0; j < input_length; ++j) {
- /* if (basic(input[j])) continue; */
- /* (not needed for Punycode) */
- if (input[j] >= n && input[j] < m) m = input[j];
- }
-
- /* Increase delta enough to advance the decoder's */
- /* <n,i> state to <m,0>, but guard against overflow: */
-
- if (m - n > (maxint - delta) / (h + 1)) return punycode_overflow;
- delta += (m - n) * (h + 1);
- n = m;
-
- for (j = 0; j < input_length; ++j) {
- /* Punycode does not need to check whether input[j] is basic: */
- if (input[j] < n /* || basic(input[j]) */ ) {
- if (++delta == 0) return punycode_overflow;
- }
-
- if (input[j] == n) {
- /* Represent delta as a generalized variable-length integer: */
-
- for (q = delta, k = base; ; k += base) {
- if (out >= max_out) return punycode_big_output;
-
-
-
-Costello Standards Track [Page 27]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- t = k <= bias /* + tmin */ ? tmin : /* +tmin not needed */
- k >= bias + tmax ? tmax : k - bias;
- if (q < t) break;
- output[out++] = encode_digit(t + (q - t) % (base - t), 0);
- q = (q - t) / (base - t);
- }
-
- output[out++] = encode_digit(q, case_flags && case_flags[j]);
- bias = adapt(delta, h + 1, h == b);
- delta = 0;
- ++h;
- }
- }
-
- ++delta, ++n;
- }
-
- *output_length = out;
- return punycode_success;
-}
-
-/*** Main decode function ***/
-
-enum punycode_status punycode_decode(
- punycode_uint input_length,
- const char input[],
- punycode_uint *output_length,
- punycode_uint output[],
- unsigned char case_flags[] )
-{
- punycode_uint n, out, i, max_out, bias,
- b, j, in, oldi, w, k, digit, t;
-
- /* Initialize the state: */
-
- n = initial_n;
- out = i = 0;
- max_out = *output_length;
- bias = initial_bias;
-
- /* Handle the basic code points: Let b be the number of input code */
- /* points before the last delimiter, or 0 if there is none, then */
- /* copy the first b code points to the output. */
-
- for (b = j = 0; j < input_length; ++j) if (delim(input[j])) b = j;
- if (b > max_out) return punycode_big_output;
-
- for (j = 0; j < b; ++j) {
-
-
-
-Costello Standards Track [Page 28]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- if (case_flags) case_flags[out] = flagged(input[j]);
- if (!basic(input[j])) return punycode_bad_input;
- output[out++] = input[j];
- }
-
- /* Main decoding loop: Start just after the last delimiter if any */
- /* basic code points were copied; start at the beginning otherwise. */
-
- for (in = b > 0 ? b + 1 : 0; in < input_length; ++out) {
-
- /* in is the index of the next character to be consumed, and */
- /* out is the number of code points in the output array. */
-
- /* Decode a generalized variable-length integer into delta, */
- /* which gets added to i. The overflow checking is easier */
- /* if we increase i as we go, then subtract off its starting */
- /* value at the end to obtain delta. */
-
- for (oldi = i, w = 1, k = base; ; k += base) {
- if (in >= input_length) return punycode_bad_input;
- digit = decode_digit(input[in++]);
- if (digit >= base) return punycode_bad_input;
- if (digit > (maxint - i) / w) return punycode_overflow;
- i += digit * w;
- t = k <= bias /* + tmin */ ? tmin : /* +tmin not needed */
- k >= bias + tmax ? tmax : k - bias;
- if (digit < t) break;
- if (w > maxint / (base - t)) return punycode_overflow;
- w *= (base - t);
- }
-
- bias = adapt(i - oldi, out + 1, oldi == 0);
-
- /* i was supposed to wrap around from out+1 to 0, */
- /* incrementing n each time, so we'll fix that now: */
-
- if (i / (out + 1) > maxint - n) return punycode_overflow;
- n += i / (out + 1);
- i %= (out + 1);
-
- /* Insert n at position i of the output: */
-
- /* not needed for Punycode: */
- /* if (decode_digit(n) <= base) return punycode_invalid_input; */
- if (out >= max_out) return punycode_big_output;
-
- if (case_flags) {
- memmove(case_flags + i + 1, case_flags + i, out - i);
-
-
-
-Costello Standards Track [Page 29]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- /* Case of last character determines uppercase flag: */
- case_flags[i] = flagged(input[in - 1]);
- }
-
- memmove(output + i + 1, output + i, (out - i) * sizeof *output);
- output[i++] = n;
- }
-
- *output_length = out;
- return punycode_success;
-}
-
-/******************************************************************/
-/* Wrapper for testing (would normally go in a separate .c file): */
-
-#include <assert.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-/* For testing, we'll just set some compile-time limits rather than */
-/* use malloc(), and set a compile-time option rather than using a */
-/* command-line option. */
-
-enum {
- unicode_max_length = 256,
- ace_max_length = 256
-};
-
-static void usage(char **argv)
-{
- fprintf(stderr,
- "\n"
- "%s -e reads code points and writes a Punycode string.\n"
- "%s -d reads a Punycode string and writes code points.\n"
- "\n"
- "Input and output are plain text in the native character set.\n"
- "Code points are in the form u+hex separated by whitespace.\n"
- "Although the specification allows Punycode strings to contain\n"
- "any characters from the ASCII repertoire, this test code\n"
- "supports only the printable characters, and needs the Punycode\n"
- "string to be followed by a newline.\n"
- "The case of the u in u+hex is the force-to-uppercase flag.\n"
- , argv[0], argv[0]);
- exit(EXIT_FAILURE);
-}
-
-static void fail(const char *msg)
-
-
-
-Costello Standards Track [Page 30]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-{
- fputs(msg,stderr);
- exit(EXIT_FAILURE);
-}
-
-static const char too_big[] =
- "input or output is too large, recompile with larger limits\n";
-static const char invalid_input[] = "invalid input\n";
-static const char overflow[] = "arithmetic overflow\n";
-static const char io_error[] = "I/O error\n";
-
-/* The following string is used to convert printable */
-/* characters between ASCII and the native charset: */
-
-static const char print_ascii[] =
- "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
- "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
- " !\"#$%&'()*+,-./"
- "0123456789:;<=>?"
- "@ABCDEFGHIJKLMNO"
- "PQRSTUVWXYZ[\\]^_"
- "`abcdefghijklmno"
- "pqrstuvwxyz{|}~\n";
-
-int main(int argc, char **argv)
-{
- enum punycode_status status;
- int r;
- unsigned int input_length, output_length, j;
- unsigned char case_flags[unicode_max_length];
-
- if (argc != 2) usage(argv);
- if (argv[1][0] != '-') usage(argv);
- if (argv[1][2] != 0) usage(argv);
-
- if (argv[1][1] == 'e') {
- punycode_uint input[unicode_max_length];
- unsigned long codept;
- char output[ace_max_length+1], uplus[3];
- int c;
-
- /* Read the input code points: */
-
- input_length = 0;
-
- for (;;) {
- r = scanf("%2s%lx", uplus, &codept);
- if (ferror(stdin)) fail(io_error);
-
-
-
-Costello Standards Track [Page 31]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- if (r == EOF || r == 0) break;
-
- if (r != 2 || uplus[1] != '+' || codept > (punycode_uint)-1) {
- fail(invalid_input);
- }
-
- if (input_length == unicode_max_length) fail(too_big);
-
- if (uplus[0] == 'u') case_flags[input_length] = 0;
- else if (uplus[0] == 'U') case_flags[input_length] = 1;
- else fail(invalid_input);
-
- input[input_length++] = codept;
- }
-
- /* Encode: */
-
- output_length = ace_max_length;
- status = punycode_encode(input_length, input, case_flags,
- &output_length, output);
- if (status == punycode_bad_input) fail(invalid_input);
- if (status == punycode_big_output) fail(too_big);
- if (status == punycode_overflow) fail(overflow);
- assert(status == punycode_success);
-
- /* Convert to native charset and output: */
-
- for (j = 0; j < output_length; ++j) {
- c = output[j];
- assert(c >= 0 && c <= 127);
- if (print_ascii[c] == 0) fail(invalid_input);
- output[j] = print_ascii[c];
- }
-
- output[j] = 0;
- r = puts(output);
- if (r == EOF) fail(io_error);
- return EXIT_SUCCESS;
- }
-
- if (argv[1][1] == 'd') {
- char input[ace_max_length+2], *p, *pp;
- punycode_uint output[unicode_max_length];
-
- /* Read the Punycode input string and convert to ASCII: */
-
- fgets(input, ace_max_length+2, stdin);
- if (ferror(stdin)) fail(io_error);
-
-
-
-Costello Standards Track [Page 32]
-
-RFC 3492 IDNA Punycode March 2003
-
-
- if (feof(stdin)) fail(invalid_input);
- input_length = strlen(input) - 1;
- if (input[input_length] != '\n') fail(too_big);
- input[input_length] = 0;
-
- for (p = input; *p != 0; ++p) {
- pp = strchr(print_ascii, *p);
- if (pp == 0) fail(invalid_input);
- *p = pp - print_ascii;
- }
-
- /* Decode: */
-
- output_length = unicode_max_length;
- status = punycode_decode(input_length, input, &output_length,
- output, case_flags);
- if (status == punycode_bad_input) fail(invalid_input);
- if (status == punycode_big_output) fail(too_big);
- if (status == punycode_overflow) fail(overflow);
- assert(status == punycode_success);
-
- /* Output the result: */
-
- for (j = 0; j < output_length; ++j) {
- r = printf("%s+%04lX\n",
- case_flags[j] ? "U" : "u",
- (unsigned long) output[j] );
- if (r < 0) fail(io_error);
- }
-
- return EXIT_SUCCESS;
- }
-
- usage(argv);
- return EXIT_SUCCESS; /* not reached, but quiets compiler warning */
-}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 33]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-Author's Address
-
- Adam M. Costello
- University of California, Berkeley
- http://www.nicemice.net/amc/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 34]
-
-RFC 3492 IDNA Punycode March 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Costello Standards Track [Page 35]
-
diff --git a/contrib/bind9/doc/rfc/rfc3493.txt b/contrib/bind9/doc/rfc/rfc3493.txt
deleted file mode 100644
index 5fea6c19ecb8..000000000000
--- a/contrib/bind9/doc/rfc/rfc3493.txt
+++ /dev/null
@@ -1,2187 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Gilligan
-Request for Comments: 3493 Intransa, Inc.
-Obsoletes: 2553 S. Thomson
-Category: Informational Cisco
- J. Bound
- J. McCann
- Hewlett-Packard
- W. Stevens
- February 2003
-
-
- Basic Socket Interface Extensions for IPv6
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- The de facto standard Application Program Interface (API) for TCP/IP
- applications is the "sockets" interface. Although this API was
- developed for Unix in the early 1980s it has also been implemented on
- a wide variety of non-Unix systems. TCP/IP applications written
- using the sockets API have in the past enjoyed a high degree of
- portability and we would like the same portability with IPv6
- applications. But changes are required to the sockets API to support
- IPv6 and this memo describes these changes. These include a new
- socket address structure to carry IPv6 addresses, new address
- conversion functions, and some new socket options. These extensions
- are designed to provide access to the basic IPv6 features required by
- TCP and UDP applications, including multicasting, while introducing a
- minimum of change into the system and providing complete
- compatibility for existing IPv4 applications. Additional extensions
- for advanced IPv6 features (raw sockets and access to the IPv6
- extension headers) are defined in another document.
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 1]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-Table of Contents
-
- 1. Introduction................................................3
- 2. Design Considerations.......................................4
- 2.1 What Needs to be Changed...............................4
- 2.2 Data Types.............................................6
- 2.3 Headers................................................6
- 2.4 Structures.............................................6
- 3. Socket Interface............................................6
- 3.1 IPv6 Address Family and Protocol Family................6
- 3.2 IPv6 Address Structure.................................7
- 3.3 Socket Address Structure for 4.3BSD-Based Systems......7
- 3.4 Socket Address Structure for 4.4BSD-Based Systems......9
- 3.5 The Socket Functions...................................9
- 3.6 Compatibility with IPv4 Applications..................10
- 3.7 Compatibility with IPv4 Nodes.........................11
- 3.8 IPv6 Wildcard Address.................................11
- 3.9 IPv6 Loopback Address.................................13
- 3.10 Portability Additions.................................14
- 4. Interface Identification...................................16
- 4.1 Name-to-Index.........................................17
- 4.2 Index-to-Name.........................................17
- 4.3 Return All Interface Names and Indexes................18
- 4.4 Free Memory...........................................18
- 5. Socket Options.............................................18
- 5.1 Unicast Hop Limit.....................................19
- 5.2 Sending and Receiving Multicast Packets...............19
- 5.3 IPV6_V6ONLY option for AF_INET6 Sockets...............22
- 6. Library Functions..........................................22
- 6.1 Protocol-Independent Nodename and
- Service Name Translation..............................23
- 6.2 Socket Address Structure to Node Name
- and Service Name......................................28
- 6.3 Address Conversion Functions..........................31
- 6.4 Address Testing Macros................................33
- 7. Summary of New Definitions.................................33
- 8. Security Considerations....................................35
- 9. Changes from RFC 2553......................................35
- 10. Acknowledgments............................................36
- 11. References.................................................37
- 12. Authors' Addresses.........................................38
- 13. Full Copyright Statement...................................39
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 2]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-1. Introduction
-
- While IPv4 addresses are 32 bits long, IPv6 addresses are 128 bits
- long. The socket interface makes the size of an IP address quite
- visible to an application; virtually all TCP/IP applications for
- BSD-based systems have knowledge of the size of an IP address. Those
- parts of the API that expose the addresses must be changed to
- accommodate the larger IPv6 address size. IPv6 also introduces new
- features, some of which must be made visible to applications via the
- API. This memo defines a set of extensions to the socket interface
- to support the larger address size and new features of IPv6. It
- defines "basic" extensions that are of use to a broad range of
- applications. A companion document, the "advanced" API [4], covers
- extensions that are of use to more specialized applications, examples
- of which include routing daemons, and the "ping" and "traceroute"
- utilities.
-
- The development of this API was started in 1994 in the IETF IPng
- working group. The API has evolved over the years, published first
- in RFC 2133, then again in RFC 2553, and reaching its final form in
- this document.
-
- As the API matured and stabilized, it was incorporated into the Open
- Group's Networking Services (XNS) specification, issue 5.2, which was
- subsequently incorporated into a joint Open Group/IEEE/ISO standard
- [3].
-
- Effort has been made to ensure that this document and [3] contain the
- same information with regard to the API definitions. However, the
- reader should note that this document is for informational purposes
- only, and that the official standard specification of the sockets API
- is [3].
-
- It is expected that any future standardization work on this API would
- be done by the Open Group Base Working Group [6].
-
- It should also be noted that this document describes only those
- portions of the API needed for IPv4 and IPv6 communications. Other
- potential uses of the API, for example the use of getaddrinfo() and
- getnameinfo() with the AF_UNIX address family, are beyond the scope
- of this document.
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 3]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-2. Design Considerations
-
- There are a number of important considerations in designing changes
- to this well-worn API:
-
- - The API changes should provide both source and binary
- compatibility for programs written to the original API. That is,
- existing program binaries should continue to operate when run on a
- system supporting the new API. In addition, existing applications
- that are re-compiled and run on a system supporting the new API
- should continue to operate. Simply put, the API changes for IPv6
- should not break existing programs. An additional mechanism for
- implementations to verify this is to verify the new symbols are
- protected by Feature Test Macros as described in [3]. (Such
- Feature Test Macros are not defined by this RFC.)
-
- - The changes to the API should be as small as possible in order to
- simplify the task of converting existing IPv4 applications to
- IPv6.
-
- - Where possible, applications should be able to use this API to
- interoperate with both IPv6 and IPv4 hosts. Applications should
- not need to know which type of host they are communicating with.
-
- - IPv6 addresses carried in data structures should be 64-bit
- aligned. This is necessary in order to obtain optimum performance
- on 64-bit machine architectures.
-
- Because of the importance of providing IPv4 compatibility in the API,
- these extensions are explicitly designed to operate on machines that
- provide complete support for both IPv4 and IPv6. A subset of this
- API could probably be designed for operation on systems that support
- only IPv6. However, this is not addressed in this memo.
-
-2.1 What Needs to be Changed
-
- The socket interface API consists of a few distinct components:
-
- - Core socket functions.
-
- - Address data structures.
-
- - Name-to-address translation functions.
-
- - Address conversion functions.
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 4]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- The core socket functions -- those functions that deal with such
- things as setting up and tearing down TCP connections, and sending
- and receiving UDP packets -- were designed to be transport
- independent. Where protocol addresses are passed as function
- arguments, they are carried via opaque pointers. A protocol-specific
- address data structure is defined for each protocol that the socket
- functions support. Applications must cast pointers to these
- protocol-specific address structures into pointers to the generic
- "sockaddr" address structure when using the socket functions. These
- functions need not change for IPv6, but a new IPv6-specific address
- data structure is needed.
-
- The "sockaddr_in" structure is the protocol-specific data structure
- for IPv4. This data structure actually includes 8-octets of unused
- space, and it is tempting to try to use this space to adapt the
- sockaddr_in structure to IPv6. Unfortunately, the sockaddr_in
- structure is not large enough to hold the 16-octet IPv6 address as
- well as the other information (address family and port number) that
- is needed. So a new address data structure must be defined for IPv6.
-
- IPv6 addresses are scoped [2] so they could be link-local, site,
- organization, global, or other scopes at this time undefined. To
- support applications that want to be able to identify a set of
- interfaces for a specific scope, the IPv6 sockaddr_in structure must
- support a field that can be used by an implementation to identify a
- set of interfaces identifying the scope for an IPv6 address.
-
- The IPv4 name-to-address translation functions in the socket
- interface are gethostbyname() and gethostbyaddr(). These are left as
- is, and new functions are defined which support both IPv4 and IPv6.
-
- The IPv4 address conversion functions -- inet_ntoa() and inet_addr()
- -- convert IPv4 addresses between binary and printable form. These
- functions are quite specific to 32-bit IPv4 addresses. We have
- designed two analogous functions that convert both IPv4 and IPv6
- addresses, and carry an address type parameter so that they can be
- extended to other protocol families as well.
-
- Finally, a few miscellaneous features are needed to support IPv6. A
- new interface is needed to support the IPv6 hop limit header field.
- New socket options are needed to control the sending and receiving of
- IPv6 multicast packets.
-
- The socket interface will be enhanced in the future to provide access
- to other IPv6 features. Some of these extensions are described in
- [4].
-
-
-
-
-
-Gilligan, et al. Informational [Page 5]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-2.2 Data Types
-
- The data types of the structure elements given in this memo are
- intended to track the relevant standards. uintN_t means an unsigned
- integer of exactly N bits (e.g., uint16_t). The sa_family_t and
- in_port_t types are defined in [3].
-
-2.3 Headers
-
- When function prototypes and structures are shown we show the headers
- that must be #included to cause that item to be defined.
-
-2.4 Structures
-
- When structures are described the members shown are the ones that
- must appear in an implementation. Additional, nonstandard members
- may also be defined by an implementation. As an additional
- precaution nonstandard members could be verified by Feature Test
- Macros as described in [3]. (Such Feature Test Macros are not
- defined by this RFC.)
-
- The ordering shown for the members of a structure is the recommended
- ordering, given alignment considerations of multibyte members, but an
- implementation may order the members differently.
-
-3. Socket Interface
-
- This section specifies the socket interface changes for IPv6.
-
-3.1 IPv6 Address Family and Protocol Family
-
- A new address family name, AF_INET6, is defined in <sys/socket.h>.
- The AF_INET6 definition distinguishes between the original
- sockaddr_in address data structure, and the new sockaddr_in6 data
- structure.
-
- A new protocol family name, PF_INET6, is defined in <sys/socket.h>.
- Like most of the other protocol family names, this will usually be
- defined to have the same value as the corresponding address family
- name:
-
- #define PF_INET6 AF_INET6
-
- The AF_INET6 is used in the first argument to the socket() function
- to indicate that an IPv6 socket is being created.
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 6]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-3.2 IPv6 Address Structure
-
- A new in6_addr structure holds a single IPv6 address and is defined
- as a result of including <netinet/in.h>:
-
- struct in6_addr {
- uint8_t s6_addr[16]; /* IPv6 address */
- };
-
- This data structure contains an array of sixteen 8-bit elements,
- which make up one 128-bit IPv6 address. The IPv6 address is stored
- in network byte order.
-
- The structure in6_addr above is usually implemented with an embedded
- union with extra fields that force the desired alignment level in a
- manner similar to BSD implementations of "struct in_addr". Those
- additional implementation details are omitted here for simplicity.
-
- An example is as follows:
-
- struct in6_addr {
- union {
- uint8_t _S6_u8[16];
- uint32_t _S6_u32[4];
- uint64_t _S6_u64[2];
- } _S6_un;
- };
- #define s6_addr _S6_un._S6_u8
-
-3.3 Socket Address Structure for 4.3BSD-Based Systems
-
- In the socket interface, a different protocol-specific data structure
- is defined to carry the addresses for each protocol suite. Each
- protocol-specific data structure is designed so it can be cast into a
- protocol-independent data structure -- the "sockaddr" structure.
- Each has a "family" field that overlays the "sa_family" of the
- sockaddr data structure. This field identifies the type of the data
- structure.
-
- The sockaddr_in structure is the protocol-specific address data
- structure for IPv4. It is used to pass addresses between
- applications and the system in the socket functions. The following
- sockaddr_in6 structure holds IPv6 addresses and is defined as a
- result of including the <netinet/in.h> header:
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 7]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-struct sockaddr_in6 {
- sa_family_t sin6_family; /* AF_INET6 */
- in_port_t sin6_port; /* transport layer port # */
- uint32_t sin6_flowinfo; /* IPv6 flow information */
- struct in6_addr sin6_addr; /* IPv6 address */
- uint32_t sin6_scope_id; /* set of interfaces for a scope */
-};
-
- This structure is designed to be compatible with the sockaddr data
- structure used in the 4.3BSD release.
-
- The sin6_family field identifies this as a sockaddr_in6 structure.
- This field overlays the sa_family field when the buffer is cast to a
- sockaddr data structure. The value of this field must be AF_INET6.
-
- The sin6_port field contains the 16-bit UDP or TCP port number. This
- field is used in the same way as the sin_port field of the
- sockaddr_in structure. The port number is stored in network byte
- order.
-
- The sin6_flowinfo field is a 32-bit field intended to contain flow-
- related information. The exact way this field is mapped to or from a
- packet is not currently specified. Until such time as its use is
- specified, applications should set this field to zero when
- constructing a sockaddr_in6, and ignore this field in a sockaddr_in6
- structure constructed by the system.
-
- The sin6_addr field is a single in6_addr structure (defined in the
- previous section). This field holds one 128-bit IPv6 address. The
- address is stored in network byte order.
-
- The ordering of elements in this structure is specifically designed
- so that when sin6_addr field is aligned on a 64-bit boundary, the
- start of the structure will also be aligned on a 64-bit boundary.
- This is done for optimum performance on 64-bit architectures.
-
- The sin6_scope_id field is a 32-bit integer that identifies a set of
- interfaces as appropriate for the scope [2] of the address carried in
- the sin6_addr field. The mapping of sin6_scope_id to an interface or
- set of interfaces is left to implementation and future specifications
- on the subject of scoped addresses.
-
- Notice that the sockaddr_in6 structure will normally be larger than
- the generic sockaddr structure. On many existing implementations the
- sizeof(struct sockaddr_in) equals sizeof(struct sockaddr), with both
- being 16 bytes. Any existing code that makes this assumption needs
- to be examined carefully when converting to IPv6.
-
-
-
-
-Gilligan, et al. Informational [Page 8]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-3.4 Socket Address Structure for 4.4BSD-Based Systems
-
- The 4.4BSD release includes a small, but incompatible change to the
- socket interface. The "sa_family" field of the sockaddr data
- structure was changed from a 16-bit value to an 8-bit value, and the
- space saved used to hold a length field, named "sa_len". The
- sockaddr_in6 data structure given in the previous section cannot be
- correctly cast into the newer sockaddr data structure. For this
- reason, the following alternative IPv6 address data structure is
- provided to be used on systems based on 4.4BSD. It is defined as a
- result of including the <netinet/in.h> header.
-
-struct sockaddr_in6 {
- uint8_t sin6_len; /* length of this struct */
- sa_family_t sin6_family; /* AF_INET6 */
- in_port_t sin6_port; /* transport layer port # */
- uint32_t sin6_flowinfo; /* IPv6 flow information */
- struct in6_addr sin6_addr; /* IPv6 address */
- uint32_t sin6_scope_id; /* set of interfaces for a scope */
-};
-
- The only differences between this data structure and the 4.3BSD
- variant are the inclusion of the length field, and the change of the
- family field to a 8-bit data type. The definitions of all the other
- fields are identical to the structure defined in the previous
- section.
-
- Systems that provide this version of the sockaddr_in6 data structure
- must also declare SIN6_LEN as a result of including the
- <netinet/in.h> header. This macro allows applications to determine
- whether they are being built on a system that supports the 4.3BSD or
- 4.4BSD variants of the data structure.
-
-3.5 The Socket Functions
-
- Applications call the socket() function to create a socket descriptor
- that represents a communication endpoint. The arguments to the
- socket() function tell the system which protocol to use, and what
- format address structure will be used in subsequent functions. For
- example, to create an IPv4/TCP socket, applications make the call:
-
- s = socket(AF_INET, SOCK_STREAM, 0);
-
- To create an IPv4/UDP socket, applications make the call:
-
- s = socket(AF_INET, SOCK_DGRAM, 0);
-
-
-
-
-
-Gilligan, et al. Informational [Page 9]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- Applications may create IPv6/TCP and IPv6/UDP sockets (which may also
- handle IPv4 communication as described in section 3.7) by simply
- using the constant AF_INET6 instead of AF_INET in the first argument.
- For example, to create an IPv6/TCP socket, applications make the
- call:
-
- s = socket(AF_INET6, SOCK_STREAM, 0);
-
- To create an IPv6/UDP socket, applications make the call:
-
- s = socket(AF_INET6, SOCK_DGRAM, 0);
-
- Once the application has created a AF_INET6 socket, it must use the
- sockaddr_in6 address structure when passing addresses in to the
- system. The functions that the application uses to pass addresses
- into the system are:
-
- bind()
- connect()
- sendmsg()
- sendto()
-
- The system will use the sockaddr_in6 address structure to return
- addresses to applications that are using AF_INET6 sockets. The
- functions that return an address from the system to an application
- are:
-
- accept()
- recvfrom()
- recvmsg()
- getpeername()
- getsockname()
-
- No changes to the syntax of the socket functions are needed to
- support IPv6, since all of the "address carrying" functions use an
- opaque address pointer, and carry an address length as a function
- argument.
-
-3.6 Compatibility with IPv4 Applications
-
- In order to support the large base of applications using the original
- API, system implementations must provide complete source and binary
- compatibility with the original API. This means that systems must
- continue to support AF_INET sockets and the sockaddr_in address
- structure. Applications must be able to create IPv4/TCP and IPv4/UDP
- sockets using the AF_INET constant in the socket() function, as
-
-
-
-
-
-Gilligan, et al. Informational [Page 10]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- described in the previous section. Applications should be able to
- hold a combination of IPv4/TCP, IPv4/UDP, IPv6/TCP and IPv6/UDP
- sockets simultaneously within the same process.
-
- Applications using the original API should continue to operate as
- they did on systems supporting only IPv4. That is, they should
- continue to interoperate with IPv4 nodes.
-
-3.7 Compatibility with IPv4 Nodes
-
- The API also provides a different type of compatibility: the ability
- for IPv6 applications to interoperate with IPv4 applications. This
- feature uses the IPv4-mapped IPv6 address format defined in the IPv6
- addressing architecture specification [2]. This address format
- allows the IPv4 address of an IPv4 node to be represented as an IPv6
- address. The IPv4 address is encoded into the low-order 32 bits of
- the IPv6 address, and the high-order 96 bits hold the fixed prefix
- 0:0:0:0:0:FFFF. IPv4-mapped addresses are written as follows:
-
- ::FFFF:<IPv4-address>
-
- These addresses can be generated automatically by the getaddrinfo()
- function, as described in Section 6.1.
-
- Applications may use AF_INET6 sockets to open TCP connections to IPv4
- nodes, or send UDP packets to IPv4 nodes, by simply encoding the
- destination's IPv4 address as an IPv4-mapped IPv6 address, and
- passing that address, within a sockaddr_in6 structure, in the
- connect() or sendto() call. When applications use AF_INET6 sockets
- to accept TCP connections from IPv4 nodes, or receive UDP packets
- from IPv4 nodes, the system returns the peer's address to the
- application in the accept(), recvfrom(), or getpeername() call using
- a sockaddr_in6 structure encoded this way.
-
- Few applications will likely need to know which type of node they are
- interoperating with. However, for those applications that do need to
- know, the IN6_IS_ADDR_V4MAPPED() macro, defined in Section 6.4, is
- provided.
-
-3.8 IPv6 Wildcard Address
-
- While the bind() function allows applications to select the source IP
- address of UDP packets and TCP connections, applications often want
- the system to select the source address for them. With IPv4, one
- specifies the address as the symbolic constant INADDR_ANY (called the
- "wildcard" address) in the bind() call, or simply omits the bind()
- entirely.
-
-
-
-
-Gilligan, et al. Informational [Page 11]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- Since the IPv6 address type is a structure (struct in6_addr), a
- symbolic constant can be used to initialize an IPv6 address variable,
- but cannot be used in an assignment. Therefore systems provide the
- IPv6 wildcard address in two forms.
-
- The first version is a global variable named "in6addr_any" that is an
- in6_addr structure. The extern declaration for this variable is
- defined in <netinet/in.h>:
-
- extern const struct in6_addr in6addr_any;
-
- Applications use in6addr_any similarly to the way they use INADDR_ANY
- in IPv4. For example, to bind a socket to port number 23, but let
- the system select the source address, an application could use the
- following code:
-
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_family = AF_INET6;
- sin6.sin6_flowinfo = 0;
- sin6.sin6_port = htons(23);
- sin6.sin6_addr = in6addr_any; /* structure assignment */
- . . .
- if (bind(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
- . . .
-
- The other version is a symbolic constant named IN6ADDR_ANY_INIT and
- is defined in <netinet/in.h>. This constant can be used to
- initialize an in6_addr structure:
-
- struct in6_addr anyaddr = IN6ADDR_ANY_INIT;
-
- Note that this constant can be used ONLY at declaration time. It can
- not be used to assign a previously declared in6_addr structure. For
- example, the following code will not work:
-
- /* This is the WRONG way to assign an unspecified address */
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_addr = IN6ADDR_ANY_INIT; /* will NOT compile */
-
- Be aware that the IPv4 INADDR_xxx constants are all defined in host
- byte order but the IPv6 IN6ADDR_xxx constants and the IPv6
- in6addr_xxx externals are defined in network byte order.
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 12]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-3.9 IPv6 Loopback Address
-
- Applications may need to send UDP packets to, or originate TCP
- connections to, services residing on the local node. In IPv4, they
- can do this by using the constant IPv4 address INADDR_LOOPBACK in
- their connect(), sendto(), or sendmsg() call.
-
- IPv6 also provides a loopback address to contact local TCP and UDP
- services. Like the unspecified address, the IPv6 loopback address is
- provided in two forms -- a global variable and a symbolic constant.
-
- The global variable is an in6_addr structure named
- "in6addr_loopback." The extern declaration for this variable is
- defined in <netinet/in.h>:
-
- extern const struct in6_addr in6addr_loopback;
-
- Applications use in6addr_loopback as they would use INADDR_LOOPBACK
- in IPv4 applications (but beware of the byte ordering difference
- mentioned at the end of the previous section). For example, to open
- a TCP connection to the local telnet server, an application could use
- the following code:
-
- struct sockaddr_in6 sin6;
- . . .
- sin6.sin6_family = AF_INET6;
- sin6.sin6_flowinfo = 0;
- sin6.sin6_port = htons(23);
- sin6.sin6_addr = in6addr_loopback; /* structure assignment */
- . . .
- if (connect(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
- . . .
-
- The symbolic constant is named IN6ADDR_LOOPBACK_INIT and is defined
- in <netinet/in.h>. It can be used at declaration time ONLY; for
- example:
-
- struct in6_addr loopbackaddr = IN6ADDR_LOOPBACK_INIT;
-
- Like IN6ADDR_ANY_INIT, this constant cannot be used in an assignment
- to a previously declared IPv6 address variable.
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 13]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-3.10 Portability Additions
-
- One simple addition to the sockets API that can help application
- writers is the "struct sockaddr_storage". This data structure can
- simplify writing code that is portable across multiple address
- families and platforms. This data structure is designed with the
- following goals.
-
- - Large enough to accommodate all supported protocol-specific address
- structures.
-
- - Aligned at an appropriate boundary so that pointers to it can be
- cast as pointers to protocol specific address structures and used
- to access the fields of those structures without alignment
- problems.
-
- The sockaddr_storage structure contains field ss_family which is of
- type sa_family_t. When a sockaddr_storage structure is cast to a
- sockaddr structure, the ss_family field of the sockaddr_storage
- structure maps onto the sa_family field of the sockaddr structure.
- When a sockaddr_storage structure is cast as a protocol specific
- address structure, the ss_family field maps onto a field of that
- structure that is of type sa_family_t and that identifies the
- protocol's address family.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 14]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- An example implementation design of such a data structure would be as
- follows.
-
-/*
- * Desired design of maximum size and alignment
- */
-#define _SS_MAXSIZE 128 /* Implementation specific max size */
-#define _SS_ALIGNSIZE (sizeof (int64_t))
- /* Implementation specific desired alignment */
-/*
- * Definitions used for sockaddr_storage structure paddings design.
- */
-#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof (sa_family_t))
-#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (sa_family_t) +
- _SS_PAD1SIZE + _SS_ALIGNSIZE))
-struct sockaddr_storage {
- sa_family_t ss_family; /* address family */
- /* Following fields are implementation specific */
- char __ss_pad1[_SS_PAD1SIZE];
- /* 6 byte pad, this is to make implementation
- /* specific pad up to alignment field that */
- /* follows explicit in the data structure */
- int64_t __ss_align; /* field to force desired structure */
- /* storage alignment */
- char __ss_pad2[_SS_PAD2SIZE];
- /* 112 byte pad to achieve desired size, */
- /* _SS_MAXSIZE value minus size of ss_family */
- /* __ss_pad1, __ss_align fields is 112 */
-};
-
- The above example implementation illustrates a data structure which
- will align on a 64-bit boundary. An implementation-specific field
- "__ss_align" along with "__ss_pad1" is used to force a 64-bit
- alignment which covers proper alignment good enough for the needs of
- sockaddr_in6 (IPv6), sockaddr_in (IPv4) address data structures. The
- size of padding field __ss_pad1 depends on the chosen alignment
- boundary. The size of padding field __ss_pad2 depends on the value
- of overall size chosen for the total size of the structure. This
- size and alignment are represented in the above example by
- implementation specific (not required) constants _SS_MAXSIZE (chosen
- value 128) and _SS_ALIGNSIZE (with chosen value 8). Constants
- _SS_PAD1SIZE (derived value 6) and _SS_PAD2SIZE (derived value 112)
- are also for illustration and not required. The derived values
- assume sa_family_t is 2 bytes. The implementation specific
- definitions and structure field names above start with an underscore
- to denote implementation private namespace. Portable code is not
- expected to access or reference those fields or constants.
-
-
-
-
-Gilligan, et al. Informational [Page 15]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- On implementations where the sockaddr data structure includes a
- "sa_len" field this data structure would look like this:
-
-/*
- * Definitions used for sockaddr_storage structure paddings design.
- */
-#define _SS_PAD1SIZE (_SS_ALIGNSIZE -
- (sizeof (uint8_t) + sizeof (sa_family_t))
-#define _SS_PAD2SIZE (_SS_MAXSIZE -
- (sizeof (uint8_t) + sizeof (sa_family_t) +
- _SS_PAD1SIZE + _SS_ALIGNSIZE))
-struct sockaddr_storage {
- uint8_t ss_len; /* address length */
- sa_family_t ss_family; /* address family */
- /* Following fields are implementation specific */
- char __ss_pad1[_SS_PAD1SIZE];
- /* 6 byte pad, this is to make implementation
- /* specific pad up to alignment field that */
- /* follows explicit in the data structure */
- int64_t __ss_align; /* field to force desired structure */
- /* storage alignment */
- char __ss_pad2[_SS_PAD2SIZE];
- /* 112 byte pad to achieve desired size, */
- /* _SS_MAXSIZE value minus size of ss_len, */
- /* __ss_family, __ss_pad1, __ss_align fields is 112 */
-};
-
-4. Interface Identification
-
- This API uses an interface index (a small positive integer) to
- identify the local interface on which a multicast group is joined
- (Section 5.2). Additionally, the advanced API [4] uses these same
- interface indexes to identify the interface on which a datagram is
- received, or to specify the interface on which a datagram is to be
- sent.
-
- Interfaces are normally known by names such as "le0", "sl1", "ppp2",
- and the like. On Berkeley-derived implementations, when an interface
- is made known to the system, the kernel assigns a unique positive
- integer value (called the interface index) to that interface. These
- are small positive integers that start at 1. (Note that 0 is never
- used for an interface index.) There may be gaps so that there is no
- current interface for a particular positive interface index.
-
- This API defines two functions that map between an interface name and
- index, a third function that returns all the interface names and
- indexes, and a fourth function to return the dynamic memory allocated
- by the previous function. How these functions are implemented is
-
-
-
-Gilligan, et al. Informational [Page 16]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- left up to the implementation. 4.4BSD implementations can implement
- these functions using the existing sysctl() function with the
- NET_RT_IFLIST command. Other implementations may wish to use ioctl()
- for this purpose.
-
-4.1 Name-to-Index
-
- The first function maps an interface name into its corresponding
- index.
-
- #include <net/if.h>
-
- unsigned int if_nametoindex(const char *ifname);
-
- If ifname is the name of an interface, the if_nametoindex() function
- shall return the interface index corresponding to name ifname;
- otherwise, it shall return zero. No errors are defined.
-
-4.2 Index-to-Name
-
- The second function maps an interface index into its corresponding
- name.
-
- #include <net/if.h>
-
- char *if_indextoname(unsigned int ifindex, char *ifname);
-
- When this function is called, the ifname argument shall point to a
- buffer of at least IF_NAMESIZE bytes. The function shall place in
- this buffer the name of the interface with index ifindex.
- (IF_NAMESIZE is also defined in <net/if.h> and its value includes a
- terminating null byte at the end of the interface name.) If ifindex
- is an interface index, then the function shall return the value
- supplied in ifname, which points to a buffer now containing the
- interface name. Otherwise, the function shall return a NULL pointer
- and set errno to indicate the error. If there is no interface
- corresponding to the specified index, errno is set to ENXIO. If
- there was a system error (such as running out of memory), errno would
- be set to the proper value (e.g., ENOMEM).
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 17]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-4.3 Return All Interface Names and Indexes
-
- The if_nameindex structure holds the information about a single
- interface and is defined as a result of including the <net/if.h>
- header.
-
- struct if_nameindex {
- unsigned int if_index; /* 1, 2, ... */
- char *if_name; /* null terminated name: "le0", ... */
- };
-
- The final function returns an array of if_nameindex structures, one
- structure per interface.
-
- #include <net/if.h>
-
- struct if_nameindex *if_nameindex(void);
-
- The end of the array of structures is indicated by a structure with
- an if_index of 0 and an if_name of NULL. The function returns a NULL
- pointer upon an error, and would set errno to the appropriate value.
-
- The memory used for this array of structures along with the interface
- names pointed to by the if_name members is obtained dynamically.
- This memory is freed by the next function.
-
-4.4 Free Memory
-
- The following function frees the dynamic memory that was allocated by
- if_nameindex().
-
- #include <net/if.h>
-
- void if_freenameindex(struct if_nameindex *ptr);
-
- The ptr argument shall be a pointer that was returned by
- if_nameindex(). After if_freenameindex() has been called, the
- application shall not use the array of which ptr is the address.
-
-5. Socket Options
-
- A number of new socket options are defined for IPv6. All of these
- new options are at the IPPROTO_IPV6 level. That is, the "level"
- parameter in the getsockopt() and setsockopt() calls is IPPROTO_IPV6
- when using these options. The constant name prefix IPV6_ is used in
- all of the new socket options. This serves to clearly identify these
- options as applying to IPv6.
-
-
-
-
-Gilligan, et al. Informational [Page 18]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- The declaration for IPPROTO_IPV6, the new IPv6 socket options, and
- related constants defined in this section are obtained by including
- the header <netinet/in.h>.
-
-5.1 Unicast Hop Limit
-
- A new setsockopt() option controls the hop limit used in outgoing
- unicast IPv6 packets. The name of this option is IPV6_UNICAST_HOPS,
- and it is used at the IPPROTO_IPV6 layer. The following example
- illustrates how it is used:
-
- int hoplimit = 10;
-
- if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
- (char *) &hoplimit, sizeof(hoplimit)) == -1)
- perror("setsockopt IPV6_UNICAST_HOPS");
-
- When the IPV6_UNICAST_HOPS option is set with setsockopt(), the
- option value given is used as the hop limit for all subsequent
- unicast packets sent via that socket. If the option is not set, the
- system selects a default value. The integer hop limit value (called
- x) is interpreted as follows:
-
- x < -1: return an error of EINVAL
- x == -1: use kernel default
- 0 <= x <= 255: use x
- x >= 256: return an error of EINVAL
-
- The IPV6_UNICAST_HOPS option may be used with getsockopt() to
- determine the hop limit value that the system will use for subsequent
- unicast packets sent via that socket. For example:
-
- int hoplimit;
- socklen_t len = sizeof(hoplimit);
-
- if (getsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
- (char *) &hoplimit, &len) == -1)
- perror("getsockopt IPV6_UNICAST_HOPS");
- else
- printf("Using %d for hop limit.\n", hoplimit);
-
-5.2 Sending and Receiving Multicast Packets
-
- IPv6 applications may send multicast packets by simply specifying an
- IPv6 multicast address as the destination address, for example in the
- destination address argument of the sendto() function.
-
-
-
-
-
-Gilligan, et al. Informational [Page 19]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- Three socket options at the IPPROTO_IPV6 layer control some of the
- parameters for sending multicast packets. Setting these options is
- not required: applications may send multicast packets without using
- these options. The setsockopt() options for controlling the sending
- of multicast packets are summarized below. These three options can
- also be used with getsockopt().
-
- IPV6_MULTICAST_IF
-
- Set the interface to use for outgoing multicast packets. The
- argument is the index of the interface to use. If the
- interface index is specified as zero, the system selects the
- interface (for example, by looking up the address in a routing
- table and using the resulting interface).
-
- Argument type: unsigned int
-
- IPV6_MULTICAST_HOPS
-
- Set the hop limit to use for outgoing multicast packets. (Note
- a separate option - IPV6_UNICAST_HOPS - is provided to set the
- hop limit to use for outgoing unicast packets.)
-
- The interpretation of the argument is the same as for the
- IPV6_UNICAST_HOPS option:
-
- x < -1: return an error of EINVAL
- x == -1: use kernel default
- 0 <= x <= 255: use x
- x >= 256: return an error of EINVAL
-
- If IPV6_MULTICAST_HOPS is not set, the default is 1
- (same as IPv4 today)
-
- Argument type: int
-
- IPV6_MULTICAST_LOOP
-
- If a multicast datagram is sent to a group to which the sending
- host itself belongs (on the outgoing interface), a copy of the
- datagram is looped back by the IP layer for local delivery if
- this option is set to 1. If this option is set to 0 a copy is
- not looped back. Other option values return an error of
- EINVAL.
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 20]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- If IPV6_MULTICAST_LOOP is not set, the default is 1 (loopback;
- same as IPv4 today).
-
- Argument type: unsigned int
-
- The reception of multicast packets is controlled by the two
- setsockopt() options summarized below. An error of EOPNOTSUPP is
- returned if these two options are used with getsockopt().
-
- IPV6_JOIN_GROUP
-
- Join a multicast group on a specified local interface.
- If the interface index is specified as 0,
- the kernel chooses the local interface.
- For example, some kernels look up the multicast group
- in the normal IPv6 routing table and use the resulting
- interface.
-
- Argument type: struct ipv6_mreq
-
- IPV6_LEAVE_GROUP
-
- Leave a multicast group on a specified interface.
- If the interface index is specified as 0, the system
- may choose a multicast group membership to drop by
- matching the multicast address only.
-
- Argument type: struct ipv6_mreq
-
- The argument type of both of these options is the ipv6_mreq
- structure, defined as a result of including the <netinet/in.h>
- header;
-
- struct ipv6_mreq {
- struct in6_addr ipv6mr_multiaddr; /* IPv6 multicast addr */
- unsigned int ipv6mr_interface; /* interface index */
- };
-
- Note that to receive multicast datagrams a process must join the
- multicast group to which datagrams will be sent. UDP applications
- must also bind the UDP port to which datagrams will be sent. Some
- processes also bind the multicast group address to the socket, in
- addition to the port, to prevent other datagrams destined to that
- same port from being delivered to the socket.
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 21]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-5.3 IPV6_V6ONLY option for AF_INET6 Sockets
-
- This socket option restricts AF_INET6 sockets to IPv6 communications
- only. As stated in section <3.7 Compatibility with IPv4 Nodes>,
- AF_INET6 sockets may be used for both IPv4 and IPv6 communications.
- Some applications may want to restrict their use of an AF_INET6
- socket to IPv6 communications only. For these applications the
- IPV6_V6ONLY socket option is defined. When this option is turned on,
- the socket can be used to send and receive IPv6 packets only. This
- is an IPPROTO_IPV6 level option. This option takes an int value.
- This is a boolean option. By default this option is turned off.
-
- Here is an example of setting this option:
-
- int on = 1;
-
- if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
- (char *)&on, sizeof(on)) == -1)
- perror("setsockopt IPV6_V6ONLY");
- else
- printf("IPV6_V6ONLY set\n");
-
- Note - This option has no effect on the use of IPv4 Mapped addresses
- which enter a node as a valid IPv6 addresses for IPv6 communications
- as defined by Stateless IP/ICMP Translation Algorithm (SIIT) [5].
-
- An example use of this option is to allow two versions of the same
- server process to run on the same port, one providing service over
- IPv6, the other providing the same service over IPv4.
-
-6. Library Functions
-
- New library functions are needed to perform a variety of operations
- with IPv6 addresses. Functions are needed to lookup IPv6 addresses
- in the Domain Name System (DNS). Both forward lookup (nodename-to-
- address translation) and reverse lookup (address-to-nodename
- translation) need to be supported. Functions are also needed to
- convert IPv6 addresses between their binary and textual form.
-
- We note that the two existing functions, gethostbyname() and
- gethostbyaddr(), are left as-is. New functions are defined to handle
- both IPv4 and IPv6 addresses.
-
- The commonly used function gethostbyname() is inadequate for many
- applications, first because it provides no way for the caller to
- specify anything about the types of addresses desired (IPv4 only,
- IPv6 only, IPv4-mapped IPv6 are OK, etc.), and second because many
- implementations of this function are not thread safe. RFC 2133
-
-
-
-Gilligan, et al. Informational [Page 22]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- defined a function named gethostbyname2() but this function was also
- inadequate, first because its use required setting a global option
- (RES_USE_INET6) when IPv6 addresses were required, and second because
- a flag argument is needed to provide the caller with additional
- control over the types of addresses required. The gethostbyname2()
- function was deprecated in RFC 2553 and is no longer part of the
- basic API.
-
-6.1 Protocol-Independent Nodename and Service Name Translation
-
- Nodename-to-address translation is done in a protocol-independent
- fashion using the getaddrinfo() function.
-
-#include <sys/socket.h>
-#include <netdb.h>
-
-
-int getaddrinfo(const char *nodename, const char *servname,
- const struct addrinfo *hints, struct addrinfo **res);
-
-void freeaddrinfo(struct addrinfo *ai);
-
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME,
- AI_NUMERICHOST, .. */
- int ai_family; /* AF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- socklen_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for nodename */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-
- The getaddrinfo() function translates the name of a service location
- (for example, a host name) and/or a service name and returns a set of
- socket addresses and associated information to be used in creating a
- socket with which to address the specified service.
-
- The nodename and servname arguments are either null pointers or
- pointers to null-terminated strings. One or both of these two
- arguments must be a non-null pointer.
-
- The format of a valid name depends on the address family or families.
- If a specific family is not given and the name could be interpreted
- as valid within multiple supported families, the implementation will
- attempt to resolve the name in all supported families and, in absence
- of errors, one or more results shall be returned.
-
-
-
-Gilligan, et al. Informational [Page 23]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- If the nodename argument is not null, it can be a descriptive name or
- can be an address string. If the specified address family is
- AF_INET, AF_INET6, or AF_UNSPEC, valid descriptive names include host
- names. If the specified address family is AF_INET or AF_UNSPEC,
- address strings using Internet standard dot notation as specified in
- inet_addr() are valid. If the specified address family is AF_INET6
- or AF_UNSPEC, standard IPv6 text forms described in inet_pton() are
- valid.
-
- If nodename is not null, the requested service location is named by
- nodename; otherwise, the requested service location is local to the
- caller.
-
- If servname is null, the call shall return network-level addresses
- for the specified nodename. If servname is not null, it is a null-
- terminated character string identifying the requested service. This
- can be either a descriptive name or a numeric representation suitable
- for use with the address family or families. If the specified
- address family is AF_INET, AF_INET6 or AF_UNSPEC, the service can be
- specified as a string specifying a decimal port number.
-
- If the argument hints is not null, it refers to a structure
- containing input values that may direct the operation by providing
- options and by limiting the returned information to a specific socket
- type, address family and/or protocol. In this hints structure every
- member other than ai_flags, ai_family, ai_socktype and ai_protocol
- shall be set to zero or a null pointer. A value of AF_UNSPEC for
- ai_family means that the caller shall accept any address family. A
- value of zero for ai_socktype means that the caller shall accept any
- socket type. A value of zero for ai_protocol means that the caller
- shall accept any protocol. If hints is a null pointer, the behavior
- shall be as if it referred to a structure containing the value zero
- for the ai_flags, ai_socktype and ai_protocol fields, and AF_UNSPEC
- for the ai_family field.
-
- Note:
-
- 1. If the caller handles only TCP and not UDP, for example, then the
- ai_protocol member of the hints structure should be set to
- IPPROTO_TCP when getaddrinfo() is called.
-
- 2. If the caller handles only IPv4 and not IPv6, then the ai_family
- member of the hints structure should be set to AF_INET when
- getaddrinfo() is called.
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 24]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- The ai_flags field to which hints parameter points shall be set to
- zero or be the bitwise-inclusive OR of one or more of the values
- AI_PASSIVE, AI_CANONNAME, AI_NUMERICHOST, AI_NUMERICSERV,
- AI_V4MAPPED, AI_ALL, and AI_ADDRCONFIG.
-
- If the AI_PASSIVE flag is specified, the returned address information
- shall be suitable for use in binding a socket for accepting incoming
- connections for the specified service (i.e., a call to bind()). In
- this case, if the nodename argument is null, then the IP address
- portion of the socket address structure shall be set to INADDR_ANY
- for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6 address. If the
- AI_PASSIVE flag is not specified, the returned address information
- shall be suitable for a call to connect() (for a connection-mode
- protocol) or for a call to connect(), sendto() or sendmsg() (for a
- connectionless protocol). In this case, if the nodename argument is
- null, then the IP address portion of the socket address structure
- shall be set to the loopback address. This flag is ignored if the
- nodename argument is not null.
-
- If the AI_CANONNAME flag is specified and the nodename argument is
- not null, the function shall attempt to determine the canonical name
- corresponding to nodename (for example, if nodename is an alias or
- shorthand notation for a complete name).
-
- If the AI_NUMERICHOST flag is specified, then a non-null nodename
- string supplied shall be a numeric host address string. Otherwise,
- an [EAI_NONAME] error is returned. This flag shall prevent any type
- of name resolution service (for example, the DNS) from being invoked.
-
- If the AI_NUMERICSERV flag is specified, then a non-null servname
- string supplied shall be a numeric port string. Otherwise, an
- [EAI_NONAME] error shall be returned. This flag shall prevent any
- type of name resolution service (for example, NIS+) from being
- invoked.
-
- If the AI_V4MAPPED flag is specified along with an ai_family of
- AF_INET6, then getaddrinfo() shall return IPv4-mapped IPv6 addresses
- on finding no matching IPv6 addresses (ai_addrlen shall be 16).
-
- For example, when using the DNS, if no AAAA records are found then
- a query is made for A records and any found are returned as IPv4-
- mapped IPv6 addresses.
-
- The AI_V4MAPPED flag shall be ignored unless ai_family equals
- AF_INET6.
-
- If the AI_ALL flag is used with the AI_V4MAPPED flag, then
- getaddrinfo() shall return all matching IPv6 and IPv4 addresses.
-
-
-
-Gilligan, et al. Informational [Page 25]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- For example, when using the DNS, queries are made for both AAAA
- records and A records, and getaddrinfo() returns the combined
- results of both queries. Any IPv4 addresses found are returned as
- IPv4-mapped IPv6 addresses.
-
- The AI_ALL flag without the AI_V4MAPPED flag is ignored.
-
- Note:
-
- When ai_family is not specified (AF_UNSPEC), AI_V4MAPPED and
- AI_ALL flags will only be used if AF_INET6 is supported.
-
- If the AI_ADDRCONFIG flag is specified, IPv4 addresses shall be
- returned only if an IPv4 address is configured on the local system,
- and IPv6 addresses shall be returned only if an IPv6 address is
- configured on the local system. The loopback address is not
- considered for this case as valid as a configured address.
-
- For example, when using the DNS, a query for AAAA records should
- occur only if the node has at least one IPv6 address configured
- (other than IPv6 loopback) and a query for A records should occur
- only if the node has at least one IPv4 address configured (other
- than the IPv4 loopback).
-
- The ai_socktype field to which argument hints points specifies the
- socket type for the service, as defined for socket(). If a specific
- socket type is not given (for example, a value of zero) and the
- service name could be interpreted as valid with multiple supported
- socket types, the implementation shall attempt to resolve the service
- name for all supported socket types and, in the absence of errors,
- all possible results shall be returned. A non-zero socket type value
- shall limit the returned information to values with the specified
- socket type.
-
- If the ai_family field to which hints points has the value AF_UNSPEC,
- addresses shall be returned for use with any address family that can
- be used with the specified nodename and/or servname. Otherwise,
- addresses shall be returned for use only with the specified address
- family. If ai_family is not AF_UNSPEC and ai_protocol is not zero,
- then addresses are returned for use only with the specified address
- family and protocol; the value of ai_protocol shall be interpreted as
- in a call to the socket() function with the corresponding values of
- ai_family and ai_protocol.
-
- The freeaddrinfo() function frees one or more addrinfo structures
- returned by getaddrinfo(), along with any additional storage
- associated with those structures (for example, storage pointed to by
- the ai_canonname and ai_addr fields; an application must not
-
-
-
-Gilligan, et al. Informational [Page 26]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- reference this storage after the associated addrinfo structure has
- been freed). If the ai_next field of the structure is not null, the
- entire list of structures is freed. The freeaddrinfo() function must
- support the freeing of arbitrary sublists of an addrinfo list
- originally returned by getaddrinfo().
-
- Functions getaddrinfo() and freeaddrinfo() must be thread-safe.
-
- A zero return value for getaddrinfo() indicates successful
- completion; a non-zero return value indicates failure. The possible
- values for the failures are listed below under Error Return Values.
-
- Upon successful return of getaddrinfo(), the location to which res
- points shall refer to a linked list of addrinfo structures, each of
- which shall specify a socket address and information for use in
- creating a socket with which to use that socket address. The list
- shall include at least one addrinfo structure. The ai_next field of
- each structure contains a pointer to the next structure on the list,
- or a null pointer if it is the last structure on the list. Each
- structure on the list shall include values for use with a call to the
- socket() function, and a socket address for use with the connect()
- function or, if the AI_PASSIVE flag was specified, for use with the
- bind() function. The fields ai_family, ai_socktype, and ai_protocol
- shall be usable as the arguments to the socket() function to create a
- socket suitable for use with the returned address. The fields
- ai_addr and ai_addrlen are usable as the arguments to the connect()
- or bind() functions with such a socket, according to the AI_PASSIVE
- flag.
-
- If nodename is not null, and if requested by the AI_CANONNAME flag,
- the ai_canonname field of the first returned addrinfo structure shall
- point to a null-terminated string containing the canonical name
- corresponding to the input nodename; if the canonical name is not
- available, then ai_canonname shall refer to the nodename argument or
- a string with the same contents. The contents of the ai_flags field
- of the returned structures are undefined.
-
- All fields in socket address structures returned by getaddrinfo()
- that are not filled in through an explicit argument (for example,
- sin6_flowinfo) shall be set to zero.
-
- Note: This makes it easier to compare socket address structures.
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 27]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- Error Return Values:
-
- The getaddrinfo() function shall fail and return the corresponding
- value if:
-
- [EAI_AGAIN] The name could not be resolved at this time. Future
- attempts may succeed.
-
- [EAI_BADFLAGS] The flags parameter had an invalid value.
-
- [EAI_FAIL] A non-recoverable error occurred when attempting to
- resolve the name.
-
- [EAI_FAMILY] The address family was not recognized.
-
- [EAI_MEMORY] There was a memory allocation failure when trying to
- allocate storage for the return value.
-
- [EAI_NONAME] The name does not resolve for the supplied
- parameters. Neither nodename nor servname were
- supplied. At least one of these must be supplied.
-
- [EAI_SERVICE] The service passed was not recognized for the
- specified socket type.
-
- [EAI_SOCKTYPE] The intended socket type was not recognized.
-
- [EAI_SYSTEM] A system error occurred; the error code can be found
- in errno.
-
- The gai_strerror() function provides a descriptive text string
- corresponding to an EAI_xxx error value.
-
- #include <netdb.h>
-
- const char *gai_strerror(int ecode);
-
- The argument is one of the EAI_xxx values defined for the
- getaddrinfo() and getnameinfo() functions. The return value points
- to a string describing the error. If the argument is not one of the
- EAI_xxx values, the function still returns a pointer to a string
- whose contents indicate an unknown error.
-
-6.2 Socket Address Structure to Node Name and Service Name
-
- The getnameinfo() function is used to translate the contents of a
- socket address structure to a node name and/or service name.
-
-
-
-
-Gilligan, et al. Informational [Page 28]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- #include <sys/socket.h>
- #include <netdb.h>
-
- int getnameinfo(const struct sockaddr *sa, socklen_t salen,
- char *node, socklen_t nodelen,
- char *service, socklen_t servicelen,
- int flags);
-
- The getnameinfo() function shall translate a socket address to a node
- name and service location, all of which are defined as in
- getaddrinfo().
-
- The sa argument points to a socket address structure to be
- translated.
-
- The salen argument holds the size of the socket address structure
- pointed to by sa.
-
- If the socket address structure contains an IPv4-mapped IPv6 address
- or an IPv4-compatible IPv6 address, the implementation shall extract
- the embedded IPv4 address and lookup the node name for that IPv4
- address.
-
- Note: The IPv6 unspecified address ("::") and the IPv6 loopback
- address ("::1") are not IPv4-compatible addresses. If the address
- is the IPv6 unspecified address ("::"), a lookup is not performed,
- and the [EAI_NONAME] error is returned.
-
- If the node argument is non-NULL and the nodelen argument is nonzero,
- then the node argument points to a buffer able to contain up to
- nodelen characters that receives the node name as a null-terminated
- string. If the node argument is NULL or the nodelen argument is
- zero, the node name shall not be returned. If the node's name cannot
- be located, the numeric form of the node's address is returned
- instead of its name.
-
- If the service argument is non-NULL and the servicelen argument is
- non-zero, then the service argument points to a buffer able to
- contain up to servicelen bytes that receives the service name as a
- null-terminated string. If the service argument is NULL or the
- servicelen argument is zero, the service name shall not be returned.
- If the service's name cannot be located, the numeric form of the
- service address (for example, its port number) shall be returned
- instead of its name.
-
- The arguments node and service cannot both be NULL.
-
-
-
-
-
-Gilligan, et al. Informational [Page 29]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- The flags argument is a flag that changes the default actions of the
- function. By default the fully-qualified domain name (FQDN) for the
- host shall be returned, but:
-
- - If the flag bit NI_NOFQDN is set, only the node name portion of
- the FQDN shall be returned for local hosts.
-
- - If the flag bit NI_NUMERICHOST is set, the numeric form of the
- host's address shall be returned instead of its name, under all
- circumstances.
-
- - If the flag bit NI_NAMEREQD is set, an error shall be returned if
- the host's name cannot be located.
-
- - If the flag bit NI_NUMERICSERV is set, the numeric form of the
- service address shall be returned (for example, its port number)
- instead of its name, under all circumstances.
-
- - If the flag bit NI_DGRAM is set, this indicates that the service
- is a datagram service (SOCK_DGRAM). The default behavior shall
- assume that the service is a stream service (SOCK_STREAM).
-
- Note:
-
- 1. The NI_NUMERICxxx flags are required to support the "-n" flags
- that many commands provide.
-
- 2. The NI_DGRAM flag is required for the few AF_INET and AF_INET6
- port numbers (for example, [512,514]) that represent different
- services for UDP and TCP.
-
- The getnameinfo() function shall be thread safe.
-
- A zero return value for getnameinfo() indicates successful
- completion; a non-zero return value indicates failure.
-
- Upon successful completion, getnameinfo() shall return the node and
- service names, if requested, in the buffers provided. The returned
- names are always null-terminated strings.
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 30]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- Error Return Values:
-
- The getnameinfo() function shall fail and return the corresponding
- value if:
-
- [EAI_AGAIN] The name could not be resolved at this time.
- Future attempts may succeed.
-
- [EAI_BADFLAGS] The flags had an invalid value.
-
- [EAI_FAIL] A non-recoverable error occurred.
-
- [EAI_FAMILY] The address family was not recognized or the address
- length was invalid for the specified family.
-
- [EAI_MEMORY] There was a memory allocation failure.
-
- [EAI_NONAME] The name does not resolve for the supplied parameters.
- NI_NAMEREQD is set and the host's name cannot be
- located, or both nodename and servname were null.
-
- [EAI_OVERFLOW] An argument buffer overflowed.
-
- [EAI_SYSTEM] A system error occurred. The error code can be found
- in errno.
-
-6.3 Address Conversion Functions
-
- The two IPv4 functions inet_addr() and inet_ntoa() convert an IPv4
- address between binary and text form. IPv6 applications need similar
- functions. The following two functions convert both IPv6 and IPv4
- addresses:
-
- #include <arpa/inet.h>
-
- int inet_pton(int af, const char *src, void *dst);
-
- const char *inet_ntop(int af, const void *src,
- char *dst, socklen_t size);
-
- The inet_pton() function shall convert an address in its standard
- text presentation form into its numeric binary form. The af argument
- shall specify the family of the address. The AF_INET and AF_INET6
- address families shall be supported. The src argument points to the
- string being passed in. The dst argument points to a buffer into
- which the function stores the numeric address; this shall be large
- enough to hold the numeric address (32 bits for AF_INET, 128 bits for
- AF_INET6). The inet_pton() function shall return 1 if the conversion
-
-
-
-Gilligan, et al. Informational [Page 31]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- succeeds, with the address pointed to by dst in network byte order.
- It shall return 0 if the input is not a valid IPv4 dotted-decimal
- string or a valid IPv6 address string, or -1 with errno set to
- EAFNOSUPPORT if the af argument is unknown.
-
- If the af argument of inet_pton() is AF_INET, the src string shall be
- in the standard IPv4 dotted-decimal form:
-
- ddd.ddd.ddd.ddd
-
- where "ddd" is a one to three digit decimal number between 0 and 255.
- The inet_pton() function does not accept other formats (such as the
- octal numbers, hexadecimal numbers, and fewer than four numbers that
- inet_addr() accepts).
-
- If the af argument of inet_pton() is AF_INET6, the src string shall
- be in one of the standard IPv6 text forms defined in Section 2.2 of
- the addressing architecture specification [2].
-
- The inet_ntop() function shall convert a numeric address into a text
- string suitable for presentation. The af argument shall specify the
- family of the address. This can be AF_INET or AF_INET6. The src
- argument points to a buffer holding an IPv4 address if the af
- argument is AF_INET, or an IPv6 address if the af argument is
- AF_INET6; the address must be in network byte order. The dst
- argument points to a buffer where the function stores the resulting
- text string; it shall not be NULL. The size argument specifies the
- size of this buffer, which shall be large enough to hold the text
- string (INET_ADDRSTRLEN characters for IPv4, INET6_ADDRSTRLEN
- characters for IPv6).
-
- In order to allow applications to easily declare buffers of the
- proper size to store IPv4 and IPv6 addresses in string form, the
- following two constants are defined in <netinet/in.h>:
-
- #define INET_ADDRSTRLEN 16
- #define INET6_ADDRSTRLEN 46
-
- The inet_ntop() function shall return a pointer to the buffer
- containing the text string if the conversion succeeds, and NULL
- otherwise. Upon failure, errno is set to EAFNOSUPPORT if the af
- argument is invalid or ENOSPC if the size of the result buffer is
- inadequate.
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 32]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-6.4 Address Testing Macros
-
- The following macros can be used to test for special IPv6 addresses.
-
- #include <netinet/in.h>
-
- int IN6_IS_ADDR_UNSPECIFIED (const struct in6_addr *);
- int IN6_IS_ADDR_LOOPBACK (const struct in6_addr *);
- int IN6_IS_ADDR_MULTICAST (const struct in6_addr *);
- int IN6_IS_ADDR_LINKLOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_SITELOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_V4MAPPED (const struct in6_addr *);
- int IN6_IS_ADDR_V4COMPAT (const struct in6_addr *);
-
- int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
- int IN6_IS_ADDR_MC_ORGLOCAL (const struct in6_addr *);
- int IN6_IS_ADDR_MC_GLOBAL (const struct in6_addr *);
-
- The first seven macros return true if the address is of the specified
- type, or false otherwise. The last five test the scope of a
- multicast address and return true if the address is a multicast
- address of the specified scope or false if the address is either not
- a multicast address or not of the specified scope.
-
- Note that IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL return true
- only for the two types of local-use IPv6 unicast addresses (Link-
- Local and Site-Local) defined in [2], and that by this definition,
- the IN6_IS_ADDR_LINKLOCAL macro returns false for the IPv6 loopback
- address (::1). These two macros do not return true for IPv6
- multicast addresses of either link-local scope or site-local scope.
-
-7. Summary of New Definitions
-
- The following list summarizes the constants, structure, and extern
- definitions discussed in this memo, sorted by header.
-
-<net/if.h> IF_NAMESIZE
-<net/if.h> struct if_nameindex{};
-
-<netdb.h> AI_ADDRCONFIG
-<netdb.h> AI_ALL
-<netdb.h> AI_CANONNAME
-<netdb.h> AI_NUMERICHOST
-<netdb.h> AI_NUMERICSERV
-<netdb.h> AI_PASSIVE
-<netdb.h> AI_V4MAPPED
-
-
-
-Gilligan, et al. Informational [Page 33]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-<netdb.h> EAI_AGAIN
-<netdb.h> EAI_BADFLAGS
-<netdb.h> EAI_FAIL
-<netdb.h> EAI_FAMILY
-<netdb.h> EAI_MEMORY
-<netdb.h> EAI_NONAME
-<netdb.h> EAI_OVERFLOW
-<netdb.h> EAI_SERVICE
-<netdb.h> EAI_SOCKTYPE
-<netdb.h> EAI_SYSTEM
-<netdb.h> NI_DGRAM
-<netdb.h> NI_NAMEREQD
-<netdb.h> NI_NOFQDN
-<netdb.h> NI_NUMERICHOST
-<netdb.h> NI_NUMERICSERV
-<netdb.h> struct addrinfo{};
-
-<netinet/in.h> IN6ADDR_ANY_INIT
-<netinet/in.h> IN6ADDR_LOOPBACK_INIT
-<netinet/in.h> INET6_ADDRSTRLEN
-<netinet/in.h> INET_ADDRSTRLEN
-<netinet/in.h> IPPROTO_IPV6
-<netinet/in.h> IPV6_JOIN_GROUP
-<netinet/in.h> IPV6_LEAVE_GROUP
-<netinet/in.h> IPV6_MULTICAST_HOPS
-<netinet/in.h> IPV6_MULTICAST_IF
-<netinet/in.h> IPV6_MULTICAST_LOOP
-<netinet/in.h> IPV6_UNICAST_HOPS
-<netinet/in.h> IPV6_V6ONLY
-<netinet/in.h> SIN6_LEN
-<netinet/in.h> extern const struct in6_addr in6addr_any;
-<netinet/in.h> extern const struct in6_addr in6addr_loopback;
-<netinet/in.h> struct in6_addr{};
-<netinet/in.h> struct ipv6_mreq{};
-<netinet/in.h> struct sockaddr_in6{};
-
-<sys/socket.h> AF_INET6
-<sys/socket.h> PF_INET6
-<sys/socket.h> struct sockaddr_storage;
-
- The following list summarizes the function and macro prototypes
- discussed in this memo, sorted by header.
-
-<arpa/inet.h> int inet_pton(int, const char *, void *);
-<arpa/inet.h> const char *inet_ntop(int, const void *,
- char *, socklen_t);
-
-
-
-
-
-Gilligan, et al. Informational [Page 34]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-<net/if.h> char *if_indextoname(unsigned int, char *);
-<net/if.h> unsigned int if_nametoindex(const char *);
-<net/if.h> void if_freenameindex(struct if_nameindex *);
-<net/if.h> struct if_nameindex *if_nameindex(void);
-
-<netdb.h> int getaddrinfo(const char *, const char *,
- const struct addrinfo *,
- struct addrinfo **);
-<netdb.h> int getnameinfo(const struct sockaddr *, socklen_t,
- char *, socklen_t, char *, socklen_t, int);
-<netdb.h> void freeaddrinfo(struct addrinfo *);
-<netdb.h> const char *gai_strerror(int);
-
-<netinet/in.h> int IN6_IS_ADDR_LINKLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_LOOPBACK(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_GLOBAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_ORGLOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_MULTICAST(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_SITELOCAL(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_UNSPECIFIED(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_V4COMPAT(const struct in6_addr *);
-<netinet/in.h> int IN6_IS_ADDR_V4MAPPED(const struct in6_addr *);
-
-8. Security Considerations
-
- IPv6 provides a number of new security mechanisms, many of which need
- to be accessible to applications. Companion memos detailing the
- extensions to the socket interfaces to support IPv6 security are
- being written.
-
-9. Changes from RFC 2553
-
- 1. Add brief description of the history of this API and its relation
- to the Open Group/IEEE/ISO standards.
-
- 2. Alignments with [3].
-
- 3. Removed all references to getipnodebyname() and getipnodebyaddr(),
- which are deprecated in favor of getaddrinfo() and getnameinfo().
-
- 4. Added IPV6_V6ONLY IP level socket option to permit nodes to not
- process IPv4 packets as IPv4 Mapped addresses in implementations.
-
- 5. Added SIIT to references and added new contributors.
-
-
-
-
-Gilligan, et al. Informational [Page 35]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
- 6. In previous versions of this specification, the sin6_flowinfo
- field was associated with the IPv6 traffic class and flow label,
- but its usage was not completely specified. The complete
- definition of the sin6_flowinfo field, including its association
- with the traffic class or flow label, is now deferred to a future
- specification.
-
-10. Acknowledgments
-
- This specification's evolution and completeness were significantly
- influenced by the efforts of Richard Stevens, who has passed on.
- Richard's wisdom and talent made the specification what it is today.
- The co-authors will long think of Richard with great respect.
-
- Thanks to the many people who made suggestions and provided feedback
- to this document, including:
-
- Werner Almesberger, Ran Atkinson, Fred Baker, Dave Borman, Andrew
- Cherenson, Alex Conta, Alan Cox, Steve Deering, Richard Draves,
- Francis Dupont, Robert Elz, Brian Haberman, Jun-ichiro itojun Hagino,
- Marc Hasson, Tom Herbert, Bob Hinden, Wan-Yen Hsu, Christian Huitema,
- Koji Imada, Markus Jork, Ron Lee, Alan Lloyd, Charles Lynn, Dan
- McDonald, Dave Mitton, Finnbarr Murphy, Thomas Narten, Josh Osborne,
- Craig Partridge, Jean-Luc Richier, Bill Sommerfield, Erik Scoredos,
- Keith Sklower, JINMEI Tatuya, Dave Thaler, Matt Thomas, Harvey
- Thompson, Dean D. Throop, Karen Tracey, Glenn Trewitt, Paul Vixie,
- David Waitzman, Carl Williams, Kazu Yamamoto, Vlad Yasevich, Stig
- Venaas, and Brian Zill.
-
- The getaddrinfo() and getnameinfo() functions are taken from an
- earlier document by Keith Sklower. As noted in that document,
- William Durst, Steven Wise, Michael Karels, and Eric Allman provided
- many useful discussions on the subject of protocol-independent name-
- to-address translation, and reviewed early versions of Keith
- Sklower's original proposal. Eric Allman implemented the first
- prototype of getaddrinfo(). The observation that specifying the pair
- of name and service would suffice for connecting to a service
- independent of protocol details was made by Marshall Rose in a
- proposal to X/Open for a "Uniform Network Interface".
-
- Craig Metz, Jack McCann, Erik Nordmark, Tim Hartrick, and Mukesh
- Kacker made many contributions to this document. Ramesh Govindan
- made a number of contributions and co-authored an earlier version of
- this memo.
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 36]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-11. References
-
- [1] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
- Specification", RFC 2460, December 1998.
-
- [2] Hinden, R. and S. Deering, "IP Version 6 Addressing
- Architecture", RFC 2373, July 1998.
-
- [3] IEEE Std. 1003.1-2001 Standard for Information Technology --
- Portable Operating System Interface (POSIX). Open Group
- Technical Standard: Base Specifications, Issue 6, December 2001.
- ISO/IEC 9945:2002. http://www.opengroup.org/austin
-
- [4] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6", RFC
- 2292, February 1998.
-
- [5] Nordmark, E., "Stateless IP/ICMP Translation Algorithm (SIIT)",
- RFC 2765, February 2000.
-
- [6] The Open Group Base Working Group
- http://www.opengroup.org/platform/base.html
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 37]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-12. Authors' Addresses
-
- Bob Gilligan
- Intransa, Inc.
- 2870 Zanker Rd.
- San Jose, CA 95134
-
- Phone: 408-678-8647
- EMail: gilligan@intransa.com
-
-
- Susan Thomson
- Cisco Systems
- 499 Thornall Street, 8th floor
- Edison, NJ 08837
-
- Phone: 732-635-3086
- EMail: sethomso@cisco.com
-
-
- Jim Bound
- Hewlett-Packard Company
- 110 Spitbrook Road ZKO3-3/W20
- Nashua, NH 03062
-
- Phone: 603-884-0062
- EMail: Jim.Bound@hp.com
-
-
- Jack McCann
- Hewlett-Packard Company
- 110 Spitbrook Road ZKO3-3/W20
- Nashua, NH 03062
-
- Phone: 603-884-2608
- EMail: Jack.McCann@hp.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 38]
-
-RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
-
-
-13. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gilligan, et al. Informational [Page 39]
-
diff --git a/contrib/bind9/doc/rfc/rfc3513.txt b/contrib/bind9/doc/rfc/rfc3513.txt
deleted file mode 100644
index 49c0fa412477..000000000000
--- a/contrib/bind9/doc/rfc/rfc3513.txt
+++ /dev/null
@@ -1,1459 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Hinden
-Request for Comments: 3513 Nokia
-Obsoletes: 2373 S. Deering
-Category: Standards Track Cisco Systems
- April 2003
-
-
- Internet Protocol Version 6 (IPv6) Addressing Architecture
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This specification defines the addressing architecture of the IP
- Version 6 (IPv6) protocol. The document includes the IPv6 addressing
- model, text representations of IPv6 addresses, definition of IPv6
- unicast addresses, anycast addresses, and multicast addresses, and an
- IPv6 node's required addresses.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 1]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-Table of Contents
-
- 1. Introduction.................................................3
- 2. IPv6 Addressing..............................................3
- 2.1 Addressing Model.........................................4
- 2.2 Text Representation of Addresses.........................4
- 2.3 Text Representation of Address Prefixes..................5
- 2.4 Address Type Identification..............................6
- 2.5 Unicast Addresses........................................7
- 2.5.1 Interface Identifiers..............................8
- 2.5.2 The Unspecified Address............................9
- 2.5.3 The Loopback Address...............................9
- 2.5.4 Global Unicast Addresses..........................10
- 2.5.5 IPv6 Addresses with Embedded IPv4 Addresses.......10
- 2.5.6 Local-use IPv6 Unicast Addresses..................11
- 2.6 Anycast Addresses.......................................12
- 2.6.1 Required Anycast Address..........................13
- 2.7 Multicast Addresses.....................................13
- 2.7.1 Pre-Defined Multicast Addresses...................15
- 2.8 A Node's Required Addresses.............................17
- 3. Security Considerations.....................................17
- 4. IANA Considerations.........................................18
- 5. References..................................................19
- 5.1 Normative References....................................19
- 5.2 Informative References..................................19
- APPENDIX A: Creating Modified EUI-64 format Interface IDs......21
- APPENDIX B: Changes from RFC-2373..............................24
- Authors' Addresses.............................................25
- Full Copyright Statement.......................................26
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 2]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-1. Introduction
-
- This specification defines the addressing architecture of the IP
- Version 6 (IPv6) protocol. It includes the basic formats for the
- various types of IPv6 addresses (unicast, anycast, and multicast).
-
- The authors would like to acknowledge the contributions of Paul
- Francis, Scott Bradner, Jim Bound, Brian Carpenter, Matt Crawford,
- Deborah Estrin, Roger Fajman, Bob Fink, Peter Ford, Bob Gilligan,
- Dimitry Haskin, Tom Harsch, Christian Huitema, Tony Li, Greg
- Minshall, Thomas Narten, Erik Nordmark, Yakov Rekhter, Bill Simpson,
- Sue Thomson, Markku Savela, and Larry Masinter.
-
-2. IPv6 Addressing
-
- IPv6 addresses are 128-bit identifiers for interfaces and sets of
- interfaces (where "interface" is as defined in section 2 of [IPV6]).
- There are three types of addresses:
-
- Unicast: An identifier for a single interface. A packet sent to a
- unicast address is delivered to the interface identified
- by that address.
-
- Anycast: An identifier for a set of interfaces (typically belonging
- to different nodes). A packet sent to an anycast address
- is delivered to one of the interfaces identified by that
- address (the "nearest" one, according to the routing
- protocols' measure of distance).
-
- Multicast: An identifier for a set of interfaces (typically belonging
- to different nodes). A packet sent to a multicast address
- is delivered to all interfaces identified by that address.
-
- There are no broadcast addresses in IPv6, their function being
- superseded by multicast addresses.
-
- In this document, fields in addresses are given a specific name, for
- example "subnet". When this name is used with the term "ID" for
- identifier after the name (e.g., "subnet ID"), it refers to the
- contents of the named field. When it is used with the term "prefix"
- (e.g., "subnet prefix") it refers to all of the address from the left
- up to and including this field.
-
- In IPv6, all zeros and all ones are legal values for any field,
- unless specifically excluded. Specifically, prefixes may contain, or
- end with, zero-valued fields.
-
-
-
-
-
-Hinden & Deering Standards Track [Page 3]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-2.1 Addressing Model
-
- IPv6 addresses of all types are assigned to interfaces, not nodes.
- An IPv6 unicast address refers to a single interface. Since each
- interface belongs to a single node, any of that node's interfaces'
- unicast addresses may be used as an identifier for the node.
-
- All interfaces are required to have at least one link-local unicast
- address (see section 2.8 for additional required addresses). A
- single interface may also have multiple IPv6 addresses of any type
- (unicast, anycast, and multicast) or scope. Unicast addresses with
- scope greater than link-scope are not needed for interfaces that are
- not used as the origin or destination of any IPv6 packets to or from
- non-neighbors. This is sometimes convenient for point-to-point
- interfaces. There is one exception to this addressing model:
-
- A unicast address or a set of unicast addresses may be assigned to
- multiple physical interfaces if the implementation treats the
- multiple physical interfaces as one interface when presenting it
- to the internet layer. This is useful for load-sharing over
- multiple physical interfaces.
-
- Currently IPv6 continues the IPv4 model that a subnet prefix is
- associated with one link. Multiple subnet prefixes may be assigned
- to the same link.
-
-2.2 Text Representation of Addresses
-
- There are three conventional forms for representing IPv6 addresses as
- text strings:
-
- 1. The preferred form is x:x:x:x:x:x:x:x, where the 'x's are the
- hexadecimal values of the eight 16-bit pieces of the address.
-
- Examples:
-
- FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
-
- 1080:0:0:0:8:800:200C:417A
-
- Note that it is not necessary to write the leading zeros in an
- individual field, but there must be at least one numeral in every
- field (except for the case described in 2.).
-
- 2. Due to some methods of allocating certain styles of IPv6
- addresses, it will be common for addresses to contain long strings
- of zero bits. In order to make writing addresses containing zero
- bits easier a special syntax is available to compress the zeros.
-
-
-
-Hinden & Deering Standards Track [Page 4]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- The use of "::" indicates one or more groups of 16 bits of zeros.
- The "::" can only appear once in an address. The "::" can also be
- used to compress leading or trailing zeros in an address.
-
- For example, the following addresses:
-
- 1080:0:0:0:8:800:200C:417A a unicast address
- FF01:0:0:0:0:0:0:101 a multicast address
- 0:0:0:0:0:0:0:1 the loopback address
- 0:0:0:0:0:0:0:0 the unspecified addresses
-
- may be represented as:
-
- 1080::8:800:200C:417A a unicast address
- FF01::101 a multicast address
- ::1 the loopback address
- :: the unspecified addresses
-
- 3. An alternative form that is sometimes more convenient when dealing
- with a mixed environment of IPv4 and IPv6 nodes is
- x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
- the six high-order 16-bit pieces of the address, and the 'd's are
- the decimal values of the four low-order 8-bit pieces of the
- address (standard IPv4 representation). Examples:
-
- 0:0:0:0:0:0:13.1.68.3
-
- 0:0:0:0:0:FFFF:129.144.52.38
-
- or in compressed form:
-
- ::13.1.68.3
-
- ::FFFF:129.144.52.38
-
-2.3 Text Representation of Address Prefixes
-
- The text representation of IPv6 address prefixes is similar to the
- way IPv4 addresses prefixes are written in CIDR notation [CIDR]. An
- IPv6 address prefix is represented by the notation:
-
- ipv6-address/prefix-length
-
- where
-
- ipv6-address is an IPv6 address in any of the notations listed
- in section 2.2.
-
-
-
-
-Hinden & Deering Standards Track [Page 5]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- prefix-length is a decimal value specifying how many of the
- leftmost contiguous bits of the address comprise
- the prefix.
-
- For example, the following are legal representations of the 60-bit
- prefix 12AB00000000CD3 (hexadecimal):
-
- 12AB:0000:0000:CD30:0000:0000:0000:0000/60
- 12AB::CD30:0:0:0:0/60
- 12AB:0:0:CD30::/60
-
- The following are NOT legal representations of the above prefix:
-
- 12AB:0:0:CD3/60 may drop leading zeros, but not trailing zeros,
- within any 16-bit chunk of the address
-
- 12AB::CD30/60 address to left of "/" expands to
- 12AB:0000:0000:0000:0000:000:0000:CD30
-
- 12AB::CD3/60 address to left of "/" expands to
- 12AB:0000:0000:0000:0000:000:0000:0CD3
-
- When writing both a node address and a prefix of that node address
- (e.g., the node's subnet prefix), the two can combined as follows:
-
- the node address 12AB:0:0:CD30:123:4567:89AB:CDEF
- and its subnet number 12AB:0:0:CD30::/60
-
- can be abbreviated as 12AB:0:0:CD30:123:4567:89AB:CDEF/60
-
-2.4 Address Type Identification
-
- The type of an IPv6 address is identified by the high-order bits of
- the address, as follows:
-
- Address type Binary prefix IPv6 notation Section
- ------------ ------------- ------------- -------
- Unspecified 00...0 (128 bits) ::/128 2.5.2
- Loopback 00...1 (128 bits) ::1/128 2.5.3
- Multicast 11111111 FF00::/8 2.7
- Link-local unicast 1111111010 FE80::/10 2.5.6
- Site-local unicast 1111111011 FEC0::/10 2.5.6
- Global unicast (everything else)
-
- Anycast addresses are taken from the unicast address spaces (of any
- scope) and are not syntactically distinguishable from unicast
- addresses.
-
-
-
-
-Hinden & Deering Standards Track [Page 6]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- The general format of global unicast addresses is described in
- section 2.5.4. Some special-purpose subtypes of global unicast
- addresses which contain embedded IPv4 addresses (for the purposes of
- IPv4-IPv6 interoperation) are described in section 2.5.5.
-
- Future specifications may redefine one or more sub-ranges of the
- global unicast space for other purposes, but unless and until that
- happens, implementations must treat all addresses that do not start
- with any of the above-listed prefixes as global unicast addresses.
-
-2.5 Unicast Addresses
-
- IPv6 unicast addresses are aggregable with prefixes of arbitrary
- bit-length similar to IPv4 addresses under Classless Interdomain
- Routing.
-
- There are several types of unicast addresses in IPv6, in particular
- global unicast, site-local unicast, and link-local unicast. There
- are also some special-purpose subtypes of global unicast, such as
- IPv6 addresses with embedded IPv4 addresses or encoded NSAP
- addresses. Additional address types or subtypes can be defined in
- the future.
-
- IPv6 nodes may have considerable or little knowledge of the internal
- structure of the IPv6 address, depending on the role the node plays
- (for instance, host versus router). At a minimum, a node may
- consider that unicast addresses (including its own) have no internal
- structure:
-
- | 128 bits |
- +-----------------------------------------------------------------+
- | node address |
- +-----------------------------------------------------------------+
-
- A slightly sophisticated host (but still rather simple) may
- additionally be aware of subnet prefix(es) for the link(s) it is
- attached to, where different addresses may have different values for
- n:
-
- | n bits | 128-n bits |
- +------------------------------------------------+----------------+
- | subnet prefix | interface ID |
- +------------------------------------------------+----------------+
-
- Though a very simple router may have no knowledge of the internal
- structure of IPv6 unicast addresses, routers will more generally have
- knowledge of one or more of the hierarchical boundaries for the
- operation of routing protocols. The known boundaries will differ
-
-
-
-Hinden & Deering Standards Track [Page 7]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- from router to router, depending on what positions the router holds
- in the routing hierarchy.
-
-2.5.1 Interface Identifiers
-
- Interface identifiers in IPv6 unicast addresses are used to identify
- interfaces on a link. They are required to be unique within a subnet
- prefix. It is recommended that the same interface identifier not be
- assigned to different nodes on a link. They may also be unique over
- a broader scope. In some cases an interface's identifier will be
- derived directly from that interface's link-layer address. The same
- interface identifier may be used on multiple interfaces on a single
- node, as long as they are attached to different subnets.
-
- Note that the uniqueness of interface identifiers is independent of
- the uniqueness of IPv6 addresses. For example, a global unicast
- address may be created with a non-global scope interface identifier
- and a site-local address may be created with a global scope interface
- identifier.
-
- For all unicast addresses, except those that start with binary value
- 000, Interface IDs are required to be 64 bits long and to be
- constructed in Modified EUI-64 format.
-
- Modified EUI-64 format based Interface identifiers may have global
- scope when derived from a global token (e.g., IEEE 802 48-bit MAC or
- IEEE EUI-64 identifiers [EUI64]) or may have local scope where a
- global token is not available (e.g., serial links, tunnel end-points,
- etc.) or where global tokens are undesirable (e.g., temporary tokens
- for privacy [PRIV]).
-
- Modified EUI-64 format interface identifiers are formed by inverting
- the "u" bit (universal/local bit in IEEE EUI-64 terminology) when
- forming the interface identifier from IEEE EUI-64 identifiers. In
- the resulting Modified EUI-64 format the "u" bit is set to one (1) to
- indicate global scope, and it is set to zero (0) to indicate local
- scope. The first three octets in binary of an IEEE EUI-64 identifier
- are as follows:
-
- 0 0 0 1 1 2
- |0 7 8 5 6 3|
- +----+----+----+----+----+----+
- |cccc|ccug|cccc|cccc|cccc|cccc|
- +----+----+----+----+----+----+
-
- written in Internet standard bit-order , where "u" is the
- universal/local bit, "g" is the individual/group bit, and "c" are the
- bits of the company_id. Appendix A: "Creating Modified EUI-64 format
-
-
-
-Hinden & Deering Standards Track [Page 8]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- Interface Identifiers" provides examples on the creation of Modified
- EUI-64 format based interface identifiers.
-
- The motivation for inverting the "u" bit when forming an interface
- identifier is to make it easy for system administrators to hand
- configure non-global identifiers when hardware tokens are not
- available. This is expected to be case for serial links, tunnel end-
- points, etc. The alternative would have been for these to be of the
- form 0200:0:0:1, 0200:0:0:2, etc., instead of the much simpler 1, 2,
- etc.
-
- The use of the universal/local bit in the Modified EUI-64 format
- identifier is to allow development of future technology that can take
- advantage of interface identifiers with global scope.
-
- The details of forming interface identifiers are defined in the
- appropriate "IPv6 over <link>" specification such as "IPv6 over
- Ethernet" [ETHER], "IPv6 over FDDI" [FDDI], etc.
-
-2.5.2 The Unspecified Address
-
- The address 0:0:0:0:0:0:0:0 is called the unspecified address. It
- must never be assigned to any node. It indicates the absence of an
- address. One example of its use is in the Source Address field of
- any IPv6 packets sent by an initializing host before it has learned
- its own address.
-
- The unspecified address must not be used as the destination address
- of IPv6 packets or in IPv6 Routing Headers. An IPv6 packet with a
- source address of unspecified must never be forwarded by an IPv6
- router.
-
-2.5.3 The Loopback Address
-
- The unicast address 0:0:0:0:0:0:0:1 is called the loopback address.
- It may be used by a node to send an IPv6 packet to itself. It may
- never be assigned to any physical interface. It is treated as
- having link-local scope, and may be thought of as the link-local
- unicast address of a virtual interface (typically called "the
- loopback interface") to an imaginary link that goes nowhere.
-
- The loopback address must not be used as the source address in IPv6
- packets that are sent outside of a single node. An IPv6 packet with
- a destination address of loopback must never be sent outside of a
- single node and must never be forwarded by an IPv6 router. A packet
- received on an interface with destination address of loopback must be
- dropped.
-
-
-
-
-Hinden & Deering Standards Track [Page 9]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-2.5.4 Global Unicast Addresses
-
- The general format for IPv6 global unicast addresses is as follows:
-
- | n bits | m bits | 128-n-m bits |
- +------------------------+-----------+----------------------------+
- | global routing prefix | subnet ID | interface ID |
- +------------------------+-----------+----------------------------+
-
- where the global routing prefix is a (typically hierarchically-
- structured) value assigned to a site (a cluster of subnets/links),
- the subnet ID is an identifier of a link within the site, and the
- interface ID is as defined in section 2.5.1.
-
- All global unicast addresses other than those that start with binary
- 000 have a 64-bit interface ID field (i.e., n + m = 64), formatted as
- described in section 2.5.1. Global unicast addresses that start with
- binary 000 have no such constraint on the size or structure of the
- interface ID field.
-
- Examples of global unicast addresses that start with binary 000 are
- the IPv6 address with embedded IPv4 addresses described in section
- 2.5.5 and the IPv6 address containing encoded NSAP addresses
- specified in [NSAP]. An example of global addresses starting with a
- binary value other than 000 (and therefore having a 64-bit interface
- ID field) can be found in [AGGR].
-
-2.5.5 IPv6 Addresses with Embedded IPv4 Addresses
-
- The IPv6 transition mechanisms [TRAN] include a technique for hosts
- and routers to dynamically tunnel IPv6 packets over IPv4 routing
- infrastructure. IPv6 nodes that use this technique are assigned
- special IPv6 unicast addresses that carry a global IPv4 address in
- the low-order 32 bits. This type of address is termed an "IPv4-
- compatible IPv6 address" and has the format:
-
- | 80 bits | 16 | 32 bits |
- +--------------------------------------+--------------------------+
- |0000..............................0000|0000| IPv4 address |
- +--------------------------------------+----+---------------------+
-
- Note: The IPv4 address used in the "IPv4-compatible IPv6 address"
- must be a globally-unique IPv4 unicast address.
-
- A second type of IPv6 address which holds an embedded IPv4 address is
- also defined. This address type is used to represent the addresses
- of IPv4 nodes as IPv6 addresses. This type of address is termed an
- "IPv4-mapped IPv6 address" and has the format:
-
-
-
-Hinden & Deering Standards Track [Page 10]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- | 80 bits | 16 | 32 bits |
- +--------------------------------------+--------------------------+
- |0000..............................0000|FFFF| IPv4 address |
- +--------------------------------------+----+---------------------+
-
-2.5.6 Local-Use IPv6 Unicast Addresses
-
- There are two types of local-use unicast addresses defined. These
- are Link-Local and Site-Local. The Link-Local is for use on a single
- link and the Site-Local is for use in a single site. Link-Local
- addresses have the following format:
-
- | 10 |
- | bits | 54 bits | 64 bits |
- +----------+-------------------------+----------------------------+
- |1111111010| 0 | interface ID |
- +----------+-------------------------+----------------------------+
-
- Link-Local addresses are designed to be used for addressing on a
- single link for purposes such as automatic address configuration,
- neighbor discovery, or when no routers are present.
-
- Routers must not forward any packets with link-local source or
- destination addresses to other links.
-
- Site-Local addresses have the following format:
-
- | 10 |
- | bits | 54 bits | 64 bits |
- +----------+-------------------------+----------------------------+
- |1111111011| subnet ID | interface ID |
- +----------+-------------------------+----------------------------+
-
- Site-local addresses are designed to be used for addressing inside of
- a site without the need for a global prefix. Although a subnet ID
- may be up to 54-bits long, it is expected that globally-connected
- sites will use the same subnet IDs for site-local and global
- prefixes.
-
- Routers must not forward any packets with site-local source or
- destination addresses outside of the site.
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 11]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-2.6 Anycast Addresses
-
- An IPv6 anycast address is an address that is assigned to more than
- one interface (typically belonging to different nodes), with the
- property that a packet sent to an anycast address is routed to the
- "nearest" interface having that address, according to the routing
- protocols' measure of distance.
-
- Anycast addresses are allocated from the unicast address space, using
- any of the defined unicast address formats. Thus, anycast addresses
- are syntactically indistinguishable from unicast addresses. When a
- unicast address is assigned to more than one interface, thus turning
- it into an anycast address, the nodes to which the address is
- assigned must be explicitly configured to know that it is an anycast
- address.
-
- For any assigned anycast address, there is a longest prefix P of that
- address that identifies the topological region in which all
- interfaces belonging to that anycast address reside. Within the
- region identified by P, the anycast address must be maintained as a
- separate entry in the routing system (commonly referred to as a "host
- route"); outside the region identified by P, the anycast address may
- be aggregated into the routing entry for prefix P.
-
- Note that in the worst case, the prefix P of an anycast set may be
- the null prefix, i.e., the members of the set may have no topological
- locality. In that case, the anycast address must be maintained as a
- separate routing entry throughout the entire internet, which presents
- a severe scaling limit on how many such "global" anycast sets may be
- supported. Therefore, it is expected that support for global anycast
- sets may be unavailable or very restricted.
-
- One expected use of anycast addresses is to identify the set of
- routers belonging to an organization providing internet service.
- Such addresses could be used as intermediate addresses in an IPv6
- Routing header, to cause a packet to be delivered via a particular
- service provider or sequence of service providers.
-
- Some other possible uses are to identify the set of routers attached
- to a particular subnet, or the set of routers providing entry into a
- particular routing domain.
-
- There is little experience with widespread, arbitrary use of internet
- anycast addresses, and some known complications and hazards when
- using them in their full generality [ANYCST]. Until more experience
- has been gained and solutions are specified, the following
- restrictions are imposed on IPv6 anycast addresses:
-
-
-
-
-Hinden & Deering Standards Track [Page 12]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- o An anycast address must not be used as the source address of an
- IPv6 packet.
-
- o An anycast address must not be assigned to an IPv6 host, that is,
- it may be assigned to an IPv6 router only.
-
-2.6.1 Required Anycast Address
-
- The Subnet-Router anycast address is predefined. Its format is as
- follows:
-
- | n bits | 128-n bits |
- +------------------------------------------------+----------------+
- | subnet prefix | 00000000000000 |
- +------------------------------------------------+----------------+
-
- The "subnet prefix" in an anycast address is the prefix which
- identifies a specific link. This anycast address is syntactically
- the same as a unicast address for an interface on the link with the
- interface identifier set to zero.
-
- Packets sent to the Subnet-Router anycast address will be delivered
- to one router on the subnet. All routers are required to support the
- Subnet-Router anycast addresses for the subnets to which they have
- interfaces.
-
- The subnet-router anycast address is intended to be used for
- applications where a node needs to communicate with any one of the
- set of routers.
-
-2.7 Multicast Addresses
-
- An IPv6 multicast address is an identifier for a group of interfaces
- (typically on different nodes). An interface may belong to any
- number of multicast groups. Multicast addresses have the following
- format:
-
- | 8 | 4 | 4 | 112 bits |
- +------ -+----+----+---------------------------------------------+
- |11111111|flgs|scop| group ID |
- +--------+----+----+---------------------------------------------+
-
- binary 11111111 at the start of the address identifies the
- address as being a multicast address.
-
- +-+-+-+-+
- flgs is a set of 4 flags: |0|0|0|T|
- +-+-+-+-+
-
-
-
-Hinden & Deering Standards Track [Page 13]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- The high-order 3 flags are reserved, and must be initialized
- to 0.
-
- T = 0 indicates a permanently-assigned ("well-known")
- multicast address, assigned by the Internet Assigned Number
- Authority (IANA).
-
- T = 1 indicates a non-permanently-assigned ("transient")
- multicast address.
-
- scop is a 4-bit multicast scope value used to limit the scope
- of the multicast group. The values are:
-
- 0 reserved
- 1 interface-local scope
- 2 link-local scope
- 3 reserved
- 4 admin-local scope
- 5 site-local scope
- 6 (unassigned)
- 7 (unassigned)
- 8 organization-local scope
- 9 (unassigned)
- A (unassigned)
- B (unassigned)
- C (unassigned)
- D (unassigned)
- E global scope
- F reserved
-
- interface-local scope spans only a single interface on a
- node, and is useful only for loopback transmission of
- multicast.
-
- link-local and site-local multicast scopes span the same
- topological regions as the corresponding unicast scopes.
-
- admin-local scope is the smallest scope that must be
- administratively configured, i.e., not automatically derived
- from physical connectivity or other, non- multicast-related
- configuration.
-
- organization-local scope is intended to span multiple sites
- belonging to a single organization.
-
- scopes labeled "(unassigned)" are available for
- administrators to define additional multicast regions.
-
-
-
-
-Hinden & Deering Standards Track [Page 14]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- group ID identifies the multicast group, either permanent or
- transient, within the given scope.
-
- The "meaning" of a permanently-assigned multicast address is
- independent of the scope value. For example, if the "NTP servers
- group" is assigned a permanent multicast address with a group ID of
- 101 (hex), then:
-
- FF01:0:0:0:0:0:0:101 means all NTP servers on the same interface
- (i.e., the same node) as the sender.
-
- FF02:0:0:0:0:0:0:101 means all NTP servers on the same link as the
- sender.
-
- FF05:0:0:0:0:0:0:101 means all NTP servers in the same site as the
- sender.
-
- FF0E:0:0:0:0:0:0:101 means all NTP servers in the internet.
-
- Non-permanently-assigned multicast addresses are meaningful only
- within a given scope. For example, a group identified by the non-
- permanent, site-local multicast address FF15:0:0:0:0:0:0:101 at one
- site bears no relationship to a group using the same address at a
- different site, nor to a non-permanent group using the same group ID
- with different scope, nor to a permanent group with the same group
- ID.
-
- Multicast addresses must not be used as source addresses in IPv6
- packets or appear in any Routing header.
-
- Routers must not forward any multicast packets beyond of the scope
- indicated by the scop field in the destination multicast address.
-
- Nodes must not originate a packet to a multicast address whose scop
- field contains the reserved value 0; if such a packet is received, it
- must be silently dropped. Nodes should not originate a packet to a
- multicast address whose scop field contains the reserved value F; if
- such a packet is sent or received, it must be treated the same as
- packets destined to a global (scop E) multicast address.
-
-2.7.1 Pre-Defined Multicast Addresses
-
- The following well-known multicast addresses are pre-defined. The
- group ID's defined in this section are defined for explicit scope
- values.
-
- Use of these group IDs for any other scope values, with the T flag
- equal to 0, is not allowed.
-
-
-
-Hinden & Deering Standards Track [Page 15]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- Reserved Multicast Addresses: FF00:0:0:0:0:0:0:0
- FF01:0:0:0:0:0:0:0
- FF02:0:0:0:0:0:0:0
- FF03:0:0:0:0:0:0:0
- FF04:0:0:0:0:0:0:0
- FF05:0:0:0:0:0:0:0
- FF06:0:0:0:0:0:0:0
- FF07:0:0:0:0:0:0:0
- FF08:0:0:0:0:0:0:0
- FF09:0:0:0:0:0:0:0
- FF0A:0:0:0:0:0:0:0
- FF0B:0:0:0:0:0:0:0
- FF0C:0:0:0:0:0:0:0
- FF0D:0:0:0:0:0:0:0
- FF0E:0:0:0:0:0:0:0
- FF0F:0:0:0:0:0:0:0
-
- The above multicast addresses are reserved and shall never be
- assigned to any multicast group.
-
- All Nodes Addresses: FF01:0:0:0:0:0:0:1
- FF02:0:0:0:0:0:0:1
-
- The above multicast addresses identify the group of all IPv6 nodes,
- within scope 1 (interface-local) or 2 (link-local).
-
- All Routers Addresses: FF01:0:0:0:0:0:0:2
- FF02:0:0:0:0:0:0:2
- FF05:0:0:0:0:0:0:2
-
- The above multicast addresses identify the group of all IPv6 routers,
- within scope 1 (interface-local), 2 (link-local), or 5 (site-local).
-
- Solicited-Node Address: FF02:0:0:0:0:1:FFXX:XXXX
-
- Solicited-node multicast address are computed as a function of a
- node's unicast and anycast addresses. A solicited-node multicast
- address is formed by taking the low-order 24 bits of an address
- (unicast or anycast) and appending those bits to the prefix
- FF02:0:0:0:0:1:FF00::/104 resulting in a multicast address in the
- range
-
- FF02:0:0:0:0:1:FF00:0000
-
- to
-
- FF02:0:0:0:0:1:FFFF:FFFF
-
-
-
-
-Hinden & Deering Standards Track [Page 16]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- For example, the solicited node multicast address corresponding to
- the IPv6 address 4037::01:800:200E:8C6C is FF02::1:FF0E:8C6C. IPv6
- addresses that differ only in the high-order bits, e.g., due to
- multiple high-order prefixes associated with different aggregations,
- will map to the same solicited-node address thereby, reducing the
- number of multicast addresses a node must join.
-
- A node is required to compute and join (on the appropriate interface)
- the associated Solicited-Node multicast addresses for every unicast
- and anycast address it is assigned.
-
-2.8 A Node's Required Addresses
-
- A host is required to recognize the following addresses as
- identifying itself:
-
- o Its required Link-Local Address for each interface.
- o Any additional Unicast and Anycast Addresses that have been
- configured for the node's interfaces (manually or
- automatically).
- o The loopback address.
- o The All-Nodes Multicast Addresses defined in section 2.7.1.
- o The Solicited-Node Multicast Address for each of its unicast
- and anycast addresses.
- o Multicast Addresses of all other groups to which the node
- belongs.
-
- A router is required to recognize all addresses that a host is
- required to recognize, plus the following addresses as identifying
- itself:
-
- o The Subnet-Router Anycast Addresses for all interfaces for
- which it is configured to act as a router.
- o All other Anycast Addresses with which the router has been
- configured.
- o The All-Routers Multicast Addresses defined in section 2.7.1.
-
-3. Security Considerations
-
- IPv6 addressing documents do not have any direct impact on Internet
- infrastructure security. Authentication of IPv6 packets is defined
- in [AUTH].
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 17]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-4. IANA Considerations
-
- The table and notes at http://www.isi.edu/in-
- notes/iana/assignments/ipv6-address-space.txt should be replaced with
- the following:
-
- INTERNET PROTOCOL VERSION 6 ADDRESS SPACE
-
- The initial assignment of IPv6 address space is as follows:
-
- Allocation Prefix Fraction of
- (binary) Address Space
- ----------------------------------- -------- -------------
- Unassigned (see Note 1 below) 0000 0000 1/256
- Unassigned 0000 0001 1/256
- Reserved for NSAP Allocation 0000 001 1/128 [RFC1888]
- Unassigned 0000 01 1/64
- Unassigned 0000 1 1/32
- Unassigned 0001 1/16
- Global Unicast 001 1/8 [RFC2374]
- Unassigned 010 1/8
- Unassigned 011 1/8
- Unassigned 100 1/8
- Unassigned 101 1/8
- Unassigned 110 1/8
- Unassigned 1110 1/16
- Unassigned 1111 0 1/32
- Unassigned 1111 10 1/64
- Unassigned 1111 110 1/128
- Unassigned 1111 1110 0 1/512
- Link-Local Unicast Addresses 1111 1110 10 1/1024
- Site-Local Unicast Addresses 1111 1110 11 1/1024
- Multicast Addresses 1111 1111 1/256
-
- Notes:
-
- 1. The "unspecified address", the "loopback address", and the IPv6
- Addresses with Embedded IPv4 Addresses are assigned out of the
- 0000 0000 binary prefix space.
-
- 2. For now, IANA should limit its allocation of IPv6 unicast address
- space to the range of addresses that start with binary value 001.
- The rest of the global unicast address space (approximately 85% of
- the IPv6 address space) is reserved for future definition and use,
- and is not to be assigned by IANA at this time.
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 18]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-5. References
-
-5.1 Normative References
-
- [IPV6] Deering, S. and R. Hinden, "Internet Protocol, Version 6
- (IPv6) Specification", RFC 2460, December 1998.
-
- [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
- 3", BCP 9 , RFC 2026, October 1996.
-
-5.2 Informative References
-
- [ANYCST] Partridge, C., Mendez, T. and W. Milliken, "Host Anycasting
- Service", RFC 1546, November 1993.
-
- [AUTH] Kent, S. and R. Atkinson, "IP Authentication Header", RFC
- 2402, November 1998.
-
- [AGGR] Hinden, R., O'Dell, M. and S. Deering, "An Aggregatable
- Global Unicast Address Format", RFC 2374, July 1998.
-
- [CIDR] Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless
- Inter-Domain Routing (CIDR): An Address Assignment and
- Aggregation Strategy", RFC 1519, September 1993.
-
- [ETHER] Crawford, M., "Transmission of IPv6 Packets over Ethernet
- Networks", RFC 2464, December 1998.
-
- [EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
- Registration Authority",
- http://standards.ieee.org/regauth/oui/tutorials/EUI64.html,
- March 1997.
-
- [FDDI] Crawford, M., "Transmission of IPv6 Packets over FDDI
- Networks", RFC 2467, December 1998.
-
- [MASGN] Hinden, R. and S. Deering, "IPv6 Multicast Address
- Assignments", RFC 2375, July 1998.
-
- [NSAP] Bound, J., Carpenter, B., Harrington, D., Houldsworth, J.
- and A. Lloyd, "OSI NSAPs and IPv6", RFC 1888, August 1996.
-
- [PRIV] Narten, T. and R. Draves, "Privacy Extensions for Stateless
- Address Autoconfiguration in IPv6", RFC 3041, January 2001.
-
- [TOKEN] Crawford, M., Narten, T. and S. Thomas, "Transmission of
- IPv6 Packets over Token Ring Networks", RFC 2470, December
- 1998.
-
-
-
-Hinden & Deering Standards Track [Page 19]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- [TRAN] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
- IPv6 Hosts and Routers", RFC 2893, August 2000.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 20]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-APPENDIX A: Creating Modified EUI-64 format Interface Identifiers
-
- Depending on the characteristics of a specific link or node there are
- a number of approaches for creating Modified EUI-64 format interface
- identifiers. This appendix describes some of these approaches.
-
-Links or Nodes with IEEE EUI-64 Identifiers
-
- The only change needed to transform an IEEE EUI-64 identifier to an
- interface identifier is to invert the "u" (universal/local) bit. For
- example, a globally unique IEEE EUI-64 identifier of the form:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+----------------+
-
- where "c" are the bits of the assigned company_id, "0" is the value
- of the universal/local bit to indicate global scope, "g" is
- individual/group bit, and "m" are the bits of the manufacturer-
- selected extension identifier. The IPv6 interface identifier would
- be of the form:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |cccccc1gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+----------------+
-
- The only change is inverting the value of the universal/local bit.
-
-Links or Nodes with IEEE 802 48 bit MAC's
-
- [EUI64] defines a method to create a IEEE EUI-64 identifier from an
- IEEE 48bit MAC identifier. This is to insert two octets, with
- hexadecimal values of 0xFF and 0xFE, in the middle of the 48 bit MAC
- (between the company_id and vendor supplied id). For example, the 48
- bit IEEE MAC with global scope:
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 21]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- |0 1|1 3|3 4|
- |0 5|6 1|2 7|
- +----------------+----------------+----------------+
- |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+
-
- where "c" are the bits of the assigned company_id, "0" is the value
- of the universal/local bit to indicate global scope, "g" is
- individual/group bit, and "m" are the bits of the manufacturer-
- selected extension identifier. The interface identifier would be of
- the form:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |cccccc1gcccccccc|cccccccc11111111|11111110mmmmmmmm|mmmmmmmmmmmmmmmm|
- +----------------+----------------+----------------+----------------+
-
- When IEEE 802 48bit MAC addresses are available (on an interface or a
- node), an implementation may use them to create interface identifiers
- due to their availability and uniqueness properties.
-
-Links with Other Kinds of Identifiers
-
- There are a number of types of links that have link-layer interface
- identifiers other than IEEE EIU-64 or IEEE 802 48-bit MACs. Examples
- include LocalTalk and Arcnet. The method to create an Modified EUI-
- 64 format identifier is to take the link identifier (e.g., the
- LocalTalk 8 bit node identifier) and zero fill it to the left. For
- example, a LocalTalk 8 bit node identifier of hexadecimal value 0x4F
- results in the following interface identifier:
-
- |0 1|1 3|3 4|4 6|
- |0 5|6 1|2 7|8 3|
- +----------------+----------------+----------------+----------------+
- |0000000000000000|0000000000000000|0000000000000000|0000000001001111|
- +----------------+----------------+----------------+----------------+
-
- Note that this results in the universal/local bit set to "0" to
- indicate local scope.
-
-Links without Identifiers
-
- There are a number of links that do not have any type of built-in
- identifier. The most common of these are serial links and configured
- tunnels. Interface identifiers must be chosen that are unique within
- a subnet-prefix.
-
-
-
-
-Hinden & Deering Standards Track [Page 22]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- When no built-in identifier is available on a link the preferred
- approach is to use a global interface identifier from another
- interface or one which is assigned to the node itself. When using
- this approach no other interface connecting the same node to the same
- subnet-prefix may use the same identifier.
-
- If there is no global interface identifier available for use on the
- link the implementation needs to create a local-scope interface
- identifier. The only requirement is that it be unique within a
- subnet prefix. There are many possible approaches to select a
- subnet-prefix-unique interface identifier. These include:
-
- Manual Configuration
- Node Serial Number
- Other node-specific token
-
- The subnet-prefix-unique interface identifier should be generated in
- a manner that it does not change after a reboot of a node or if
- interfaces are added or deleted from the node.
-
- The selection of the appropriate algorithm is link and implementation
- dependent. The details on forming interface identifiers are defined
- in the appropriate "IPv6 over <link>" specification. It is strongly
- recommended that a collision detection algorithm be implemented as
- part of any automatic algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 23]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-APPENDIX B: Changes from RFC-2373
-
- The following changes were made from RFC-2373 "IP Version 6
- Addressing Architecture":
-
- - Clarified text in section 2.2 to allow "::" to represent one or
- more groups of 16 bits of zeros.
- - Changed uniqueness requirement of Interface Identifiers from
- unique on a link to unique within a subnet prefix. Also added a
- recommendation that the same interface identifier not be assigned
- to different machines on a link.
- - Change site-local format to make the subnet ID field 54-bit long
- and remove the 38-bit zero's field.
- - Added description of multicast scop values and rules to handle the
- reserved scop value 0.
- - Revised sections 2.4 and 2.5.6 to simplify and clarify how
- different address types are identified. This was done to insure
- that implementations do not build in any knowledge about global
- unicast format prefixes. Changes include:
- o Removed Format Prefix (FP) terminology
- o Revised list of address types to only include exceptions to
- global unicast and a singe entry that identifies everything
- else as Global Unicast.
- o Removed list of defined prefix exceptions from section 2.5.6
- as it is now the main part of section 2.4.
- - Clarified text relating to EUI-64 identifiers to distinguish
- between IPv6's "Modified EUI-64 format" identifiers and IEEE EUI-
- 64 identifiers.
- - Combined the sections on the Global Unicast Addresses and NSAP
- Addresses into a single section on Global Unicast Addresses,
- generalized the Global Unicast format, and cited [AGGR] and [NSAP]
- as examples.
- - Reordered sections 2.5.4 and 2.5.5.
- - Removed section 2.7.2 Assignment of New IPv6 Multicast Addresses
- because this is being redefined elsewhere.
- - Added an IANA considerations section that updates the IANA IPv6
- address allocations and documents the NSAP and AGGR allocations.
- - Added clarification that the "IPv4-compatible IPv6 address" must
- use global IPv4 unicast addresses.
- - Divided references in to normative and non-normative sections.
- - Added reference to [PRIV] in section 2.5.1
- - Added clarification that routers must not forward multicast
- packets outside of the scope indicated in the multicast address.
- - Added clarification that routers must not forward packets with
- source address of the unspecified address.
- - Added clarification that routers must drop packets received on an
- interface with destination address of loopback.
- - Clarified the definition of IPv4-mapped addresses.
-
-
-
-Hinden & Deering Standards Track [Page 24]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
- - Removed the ABNF Description of Text Representations Appendix.
- - Removed the address block reserved for IPX addresses.
- - Multicast scope changes:
- o Changed name of scope value 1 from "node-local" to
- "interface-local"
- o Defined scope value 4 as "admin-local"
- - Corrected reference to RFC1933 and updated references.
- - Many small changes to clarify and make the text more consistent.
-
-Authors' Addresses
-
- Robert M. Hinden
- Nokia
- 313 Fairchild Drive
- Mountain View, CA 94043
- USA
-
- Phone: +1 650 625-2004
- EMail: hinden@iprg.nokia.com
-
-
- Stephen E. Deering
- Cisco Systems, Inc.
- 170 West Tasman Drive
- San Jose, CA 95134-1706
- USA
-
- Phone: +1 408 527-8213
- EMail: deering@cisco.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 25]
-
-RFC 3513 IPv6 Addressing Architecture April 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assigns.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Hinden & Deering Standards Track [Page 26]
-
diff --git a/contrib/bind9/doc/rfc/rfc3596.txt b/contrib/bind9/doc/rfc/rfc3596.txt
deleted file mode 100644
index f65690c8875a..000000000000
--- a/contrib/bind9/doc/rfc/rfc3596.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Thomson
-Request for Comments: 3596 Cisco
-Obsoletes: 3152, 1886 C. Huitema
-Category: Standards Track Microsoft
- V. Ksinant
- 6WIND
- M. Souissi
- AFNIC
- October 2003
-
-
- DNS Extensions to Support IP Version 6
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document defines the changes that need to be made to the Domain
- Name System (DNS) to support hosts running IP version 6 (IPv6). The
- changes include a resource record type to store an IPv6 address, a
- domain to support lookups based on an IPv6 address, and updated
- definitions of existing query types that return Internet addresses as
- part of additional section processing. The extensions are designed
- to be compatible with existing applications and, in particular, DNS
- implementations themselves.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
- 2. New resource record definition and domain. . . . . . . . . . . 2
- 2.1. AAAA record type . . . . . . . . . . . . . . . . . . . . 3
- 2.2. AAAA data format . . . . . . . . . . . . . . . . . . . . 3
- 2.3. AAAA query . . . . . . . . . . . . . . . . . . . . . . . 3
- 2.4. Textual format of AAAA records . . . . . . . . . . . . . 3
- 2.5. IP6.ARPA domain. . . . . . . . . . . . . . . . . . . . . 3
- 3. Modifications to existing query types. . . . . . . . . . . . . 4
- 4. Security Considerations. . . . . . . . . . . . . . . . . . . . 4
- 5. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 4
-
-
-
-Thomson, et al. Standards Track [Page 1]
-
-RFC 3596 DNS Extensions to Support IPv6 October 2003
-
-
- 6. Intellectual Property Statement. . . . . . . . . . . . . . . . 4
- Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . . 5
- Appendix A: Changes from RFC 1886. . . . . . . . . . . . . . . . . 6
- Normative References . . . . . . . . . . . . . . . . . . . . . . . 6
- Informative References . . . . . . . . . . . . . . . . . . . . . . 6
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
- Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 8
-
-1. Introduction
-
- Current support for the storage of Internet addresses in the Domain
- Name System (DNS) [1,2] cannot easily be extended to support IPv6
- addresses [3] since applications assume that address queries return
- 32-bit IPv4 addresses only.
-
- To support the storage of IPv6 addresses in the DNS, this document
- defines the following extensions:
-
- o A resource record type is defined to map a domain name to an
- IPv6 address.
-
- o A domain is defined to support lookups based on address.
-
- o Existing queries that perform additional section processing to
- locate IPv4 addresses are redefined to perform additional
- section processing on both IPv4 and IPv6 addresses.
-
- The changes are designed to be compatible with existing software.
- The existing support for IPv4 addresses is retained. Transition
- issues related to the co-existence of both IPv4 and IPv6 addresses in
- the DNS are discussed in [4].
-
- The IP protocol version used for querying resource records is
- independent of the protocol version of the resource records; e.g.,
- IPv4 transport can be used to query IPv6 records and vice versa.
-
- This document combines RFC 1886 [5] and changes to RFC 1886 made by
- RFC 3152 [6], obsoleting both. Changes mainly consist in replacing
- the IP6.INT domain by IP6.ARPA as defined in RFC 3152.
-
-2. New resource record definition and domain
-
- A record type is defined to store a host's IPv6 address. A host that
- has more than one IPv6 address must have more than one such record.
-
-
-
-
-
-
-
-Thomson, et al. Standards Track [Page 2]
-
-RFC 3596 DNS Extensions to Support IPv6 October 2003
-
-
-2.1 AAAA record type
-
- The AAAA resource record type is a record specific to the Internet
- class that stores a single IPv6 address.
-
- The IANA assigned value of the type is 28 (decimal).
-
-2.2 AAAA data format
-
- A 128 bit IPv6 address is encoded in the data portion of an AAAA
- resource record in network byte order (high-order byte first).
-
-2.3 AAAA query
-
- An AAAA query for a specified domain name in the Internet class
- returns all associated AAAA resource records in the answer section of
- a response.
-
- A type AAAA query does not trigger additional section processing.
-
-2.4 Textual format of AAAA records
-
- The textual representation of the data portion of the AAAA resource
- record used in a master database file is the textual representation
- of an IPv6 address as defined in [3].
-
-2.5 IP6.ARPA Domain
-
- A special domain is defined to look up a record given an IPv6
- address. The intent of this domain is to provide a way of mapping an
- IPv6 address to a host name, although it may be used for other
- purposes as well. The domain is rooted at IP6.ARPA.
-
- An IPv6 address is represented as a name in the IP6.ARPA domain by a
- sequence of nibbles separated by dots with the suffix ".IP6.ARPA".
- The sequence of nibbles is encoded in reverse order, i.e., the
- low-order nibble is encoded first, followed by the next low-order
- nibble and so on. Each nibble is represented by a hexadecimal digit.
- For example, the reverse lookup domain name corresponding to the
- address
-
- 4321:0:1:2:3:4:567:89ab
-
- would be
-
- b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.
- ARPA.
-
-
-
-
-Thomson, et al. Standards Track [Page 3]
-
-RFC 3596 DNS Extensions to Support IPv6 October 2003
-
-
-3. Modifications to existing query types
-
- All existing query types that perform type A additional section
- processing, i.e., name server (NS), location of services (SRV) and
- mail exchange (MX) query types, must be redefined to perform both
- type A and type AAAA additional section processing. These
- definitions mean that a name server must add any relevant IPv4
- addresses and any relevant IPv6 addresses available locally to the
- additional section of a response when processing any one of the above
- queries.
-
-4. Security Considerations
-
- Any information obtained from the DNS must be regarded as unsafe
- unless techniques specified in [7] or [8] are used. The definitions
- of the AAAA record type and of the IP6.ARPA domain do not change the
- model for use of these techniques.
-
- So, this specification is not believed to cause any new security
- problems, nor to solve any existing ones.
-
-5. IANA Considerations
-
- There are no IANA assignments to be performed.
-
-6. Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-
-
-
-Thomson, et al. Standards Track [Page 4]
-
-RFC 3596 DNS Extensions to Support IPv6 October 2003
-
-
-Acknowledgments
-
- Vladimir Ksinant and Mohsen Souissi would like to thank Sebastien
- Barbin (IRISA), Luc Beloeil (France Telecom R&D), Jean-Mickael Guerin
- (6WIND), Vincent Levigneron (AFNIC), Alain Ritoux (6WIND), Frederic
- Roudaut (IRISA) and G6 group for their help during the RFC 1886
- Interop tests sessions.
-
- Many thanks to Alain Durand and Olafur Gudmundsson for their support.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Thomson, et al. Standards Track [Page 5]
-
-RFC 3596 DNS Extensions to Support IPv6 October 2003
-
-
-Appendix A: Changes from RFC 1886
-
- The following changes were made from RFC 1886 "DNS Extensions to
- support IP version 6":
-
- - Replaced the "IP6.INT" domain by "IP6.ARPA".
- - Mentioned SRV query types in section 3 "MODIFICATIONS TO
- EXISTING QUERY TYPES"
- - Added security considerations.
- - Updated references :
- * From RFC 1884 to RFC 3513 (IP Version 6 Addressing
- Architecture).
- * From "work in progress" to RFC 2893 (Transition Mechanisms for
- IPv6 Hosts and Routers).
- * Added reference to RFC 1886, RFC 3152, RFC 2535 and RFC 2845.
- - Updated document abstract
- - Added table of contents
- - Added full copyright statement
- - Added IANA considerations section
- - Added Intellectual Property Statement
-
-Normative References
-
- [1] Mockapetris, P., "Domain Names - Concepts and Facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [3] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
- Addressing Architecture", RFC 3513, April 2003.
-
-Informative References
-
- [4] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6
- Hosts and Routers", RFC 2893, August 2000.
-
- [5] Thomson, S. and C. Huitema, "DNS Extensions to support IP
- version 6", RFC 1886, December 1995.
-
- [6] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152, August
- 2001.
-
- [7] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999
-
-
-
-
-
-
-Thomson, et al. Standards Track [Page 6]
-
-RFC 3596 DNS Extensions to Support IPv6 October 2003
-
-
- [8] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
- "Secret Key Transaction Authentication for DNS (TSIG)", RFC
- 2845, May 2000.
-
-Authors' Addresses
-
- Susan Thomson
- Cisco Systems
- 499 Thornall Street, 8th floor
- Edison, NJ 08837
-
- Phone: +1 732-635-3086
- EMail: sethomso@cisco.com
-
-
- Christian Huitema
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052-6399
-
- EMail: huitema@microsoft.com
-
-
- Vladimir Ksinant
- 6WIND S.A.
- Immeuble Central Gare - Bat.C
- 1, place Charles de Gaulle
- 78180, Montigny-Le-Bretonneux - France
-
- Phone: +33 1 39 30 92 36
- EMail: vladimir.ksinant@6wind.com
-
-
- Mohsen Souissi
- AFNIC
- Immeuble International
- 2, rue Stephenson,
- 78181, Saint-Quentin en Yvelines Cedex - France
-
- Phone: +33 1 39 30 83 40
- EMail: Mohsen.Souissi@nic.fr
-
-
-
-
-
-
-
-
-
-
-Thomson, et al. Standards Track [Page 7]
-
-RFC 3596 DNS Extensions to Support IPv6 October 2003
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Thomson, et al. Standards Track [Page 8]
-
diff --git a/contrib/bind9/doc/rfc/rfc3597.txt b/contrib/bind9/doc/rfc/rfc3597.txt
deleted file mode 100644
index 19e9a55053d1..000000000000
--- a/contrib/bind9/doc/rfc/rfc3597.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Gustafsson
-Request for Comments: 3597 Nominum Inc.
-Category: Standards Track September 2003
-
-
- Handling of Unknown DNS Resource Record (RR) Types
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- Extending the Domain Name System (DNS) with new Resource Record (RR)
- types currently requires changes to name server software. This
- document specifies the changes necessary to allow future DNS
- implementations to handle new RR types transparently.
-
-1. Introduction
-
- The DNS is designed to be extensible to support new services through
- the introduction of new resource record (RR) types. In practice,
- deploying a new RR type currently requires changes to the name server
- software not only at the authoritative DNS server that is providing
- the new information and the client making use of it, but also at all
- slave servers for the zone containing it, and in some cases also at
- caching name servers and forwarders used by the client.
-
- Because the deployment of new server software is slow and expensive,
- the potential of the DNS in supporting new services has never been
- fully realized. This memo proposes changes to name servers and to
- procedures for defining new RR types aimed at simplifying the future
- deployment of new RR types.
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC 2119].
-
-
-
-
-
-
-Gustafsson Standards Track [Page 1]
-
-RFC 3597 Handling of Unknown DNS RR Types September 2003
-
-
-2. Definition
-
- An "RR of unknown type" is an RR whose RDATA format is not known to
- the DNS implementation at hand, and whose type is not an assigned
- QTYPE or Meta-TYPE as specified in [RFC 2929] (section 3.1) nor
- within the range reserved in that section for assignment only to
- QTYPEs and Meta-TYPEs. Such an RR cannot be converted to a type-
- specific text format, compressed, or otherwise handled in a type-
- specific way.
-
- In the case of a type whose RDATA format is class specific, an RR is
- considered to be of unknown type when the RDATA format for that
- combination of type and class is not known.
-
-3. Transparency
-
- To enable new RR types to be deployed without server changes, name
- servers and resolvers MUST handle RRs of unknown type transparently.
- That is, they must treat the RDATA section of such RRs as
- unstructured binary data, storing and transmitting it without change
- [RFC1123].
-
- To ensure the correct operation of equality comparison (section 6)
- and of the DNSSEC canonical form (section 7) when an RR type is known
- to some but not all of the servers involved, servers MUST also
- exactly preserve the RDATA of RRs of known type, except for changes
- due to compression or decompression where allowed by section 4 of
- this memo. In particular, the character case of domain names that
- are not subject to compression MUST be preserved.
-
-4. Domain Name Compression
-
- RRs containing compression pointers in the RDATA part cannot be
- treated transparently, as the compression pointers are only
- meaningful within the context of a DNS message. Transparently
- copying the RDATA into a new DNS message would cause the compression
- pointers to point at the corresponding location in the new message,
- which now contains unrelated data. This would cause the compressed
- name to be corrupted.
-
- To avoid such corruption, servers MUST NOT compress domain names
- embedded in the RDATA of types that are class-specific or not well-
- known. This requirement was stated in [RFC1123] without defining the
- term "well-known"; it is hereby specified that only the RR types
- defined in [RFC1035] are to be considered "well-known".
-
-
-
-
-
-
-Gustafsson Standards Track [Page 2]
-
-RFC 3597 Handling of Unknown DNS RR Types September 2003
-
-
- The specifications of a few existing RR types have explicitly allowed
- compression contrary to this specification: [RFC2163] specified that
- compression applies to the PX RR, and [RFC2535] allowed compression
- in SIG RRs and NXT RRs records. Since this specification disallows
- compression in these cases, it is an update to [RFC2163] (section 4)
- and [RFC2535] (sections 4.1.7 and 5.2).
-
- Receiving servers MUST decompress domain names in RRs of well-known
- type, and SHOULD also decompress RRs of type RP, AFSDB, RT, SIG, PX,
- NXT, NAPTR, and SRV (although the current specification of the SRV RR
- in [RFC2782] prohibits compression, [RFC2052] mandated it, and some
- servers following that earlier specification are still in use).
-
- Future specifications for new RR types that contain domain names
- within their RDATA MUST NOT allow the use of name compression for
- those names, and SHOULD explicitly state that the embedded domain
- names MUST NOT be compressed.
-
- As noted in [RFC1123], the owner name of an RR is always eligible for
- compression.
-
-5. Text Representation
-
- In the "type" field of a master file line, an unknown RR type is
- represented by the word "TYPE" immediately followed by the decimal RR
- type number, with no intervening whitespace. In the "class" field,
- an unknown class is similarly represented as the word "CLASS"
- immediately followed by the decimal class number.
-
- This convention allows types and classes to be distinguished from
- each other and from TTL values, allowing the "[<TTL>] [<class>]
- <type> <RDATA>" and "[<class>] [<TTL>] <type> <RDATA>" forms of
- [RFC1035] to both be unambiguously parsed.
-
- The RDATA section of an RR of unknown type is represented as a
- sequence of white space separated words as follows:
-
- The special token \# (a backslash immediately followed by a hash
- sign), which identifies the RDATA as having the generic encoding
- defined herein rather than a traditional type-specific encoding.
-
- An unsigned decimal integer specifying the RDATA length in octets.
-
- Zero or more words of hexadecimal data encoding the actual RDATA
- field, each containing an even number of hexadecimal digits.
-
- If the RDATA is of zero length, the text representation contains only
- the \# token and the single zero representing the length.
-
-
-
-Gustafsson Standards Track [Page 3]
-
-RFC 3597 Handling of Unknown DNS RR Types September 2003
-
-
- An implementation MAY also choose to represent some RRs of known type
- using the above generic representations for the type, class and/or
- RDATA, which carries the benefit of making the resulting master file
- portable to servers where these types are unknown. Using the generic
- representation for the RDATA of an RR of known type can also be
- useful in the case of an RR type where the text format varies
- depending on a version, protocol, or similar field (or several)
- embedded in the RDATA when such a field has a value for which no text
- format is known, e.g., a LOC RR [RFC1876] with a VERSION other than
- 0.
-
- Even though an RR of known type represented in the \# format is
- effectively treated as an unknown type for the purpose of parsing the
- RDATA text representation, all further processing by the server MUST
- treat it as a known type and take into account any applicable type-
- specific rules regarding compression, canonicalization, etc.
-
- The following are examples of RRs represented in this manner,
- illustrating various combinations of generic and type-specific
- encodings for the different fields of the master file format:
-
- a.example. CLASS32 TYPE731 \# 6 abcd (
- ef 01 23 45 )
- b.example. HS TYPE62347 \# 0
- e.example. IN A \# 4 0A000001
- e.example. CLASS1 TYPE1 10.0.0.2
-
-6. Equality Comparison
-
- Certain DNS protocols, notably Dynamic Update [RFC2136], require RRs
- to be compared for equality. Two RRs of the same unknown type are
- considered equal when their RDATA is bitwise equal. To ensure that
- the outcome of the comparison is identical whether the RR is known to
- the server or not, specifications for new RR types MUST NOT specify
- type-specific comparison rules.
-
- This implies that embedded domain names, being included in the
- overall bitwise comparison, are compared in a case-sensitive manner.
-
- As a result, when a new RR type contains one or more embedded domain
- names, it is possible to have multiple RRs owned by the same name
- that differ only in the character case of the embedded domain
- name(s). This is similar to the existing possibility of multiple TXT
- records differing only in character case, and not expected to cause
- any problems in practice.
-
-
-
-
-
-
-Gustafsson Standards Track [Page 4]
-
-RFC 3597 Handling of Unknown DNS RR Types September 2003
-
-
-7. DNSSEC Canonical Form and Ordering
-
- DNSSEC defines a canonical form and ordering for RRs [RFC2535]
- (section 8.1). In that canonical form, domain names embedded in the
- RDATA are converted to lower case.
-
- The downcasing is necessary to ensure the correctness of DNSSEC
- signatures when case distinctions in domain names are lost due to
- compression, but since it requires knowledge of the presence and
- position of embedded domain names, it cannot be applied to unknown
- types.
-
- To ensure continued consistency of the canonical form of RR types
- where compression is allowed, and for continued interoperability with
- existing implementations that already implement the [RFC2535]
- canonical form and apply it to their known RR types, the canonical
- form remains unchanged for all RR types whose whose initial
- publication as an RFC was prior to the initial publication of this
- specification as an RFC (RFC 3597).
-
- As a courtesy to implementors, it is hereby noted that the complete
- set of such previously published RR types that contain embedded
- domain names, and whose DNSSEC canonical form therefore involves
- downcasing according to the DNS rules for character comparisons,
- consists of the RR types NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
- HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX, SRV,
- DNAME, and A6.
-
- This document specifies that for all other RR types (whether treated
- as unknown types or treated as known types according to an RR type
- definition RFC more recent than RFC 3597), the canonical form is such
- that no downcasing of embedded domain names takes place, and
- otherwise identical to the canonical form specified in [RFC2535]
- section 8.1.
-
- Note that the owner name is always set to lower case according to the
- DNS rules for character comparisons, regardless of the RR type.
-
- The DNSSEC canonical RR ordering is as specified in [RFC2535] section
- 8.3, where the octet sequence is the canonical form as revised by
- this specification.
-
-8. Additional Section Processing
-
- Unknown RR types cause no additional section processing. Future RR
- type specifications MAY specify type-specific additional section
- processing rules, but any such processing MUST be optional as it can
- only be performed by servers for which the RR type in case is known.
-
-
-
-Gustafsson Standards Track [Page 5]
-
-RFC 3597 Handling of Unknown DNS RR Types September 2003
-
-
-9. IANA Considerations
-
- This document does not require any IANA actions.
-
-10. Security Considerations
-
- This specification is not believed to cause any new security
- problems, nor to solve any existing ones.
-
-11. Normative References
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and
- Facilities", STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specifications", STD 13, RFC 1035, November 1987.
-
- [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts --
- Application and Support", STD 3, RFC 1123, October 1989.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC2163] Allocchio, C., "Using the Internet DNS to Distribute
- MIXER Conformant Global Address Mapping (MCGAM)", RFC
- 2163, January 1998.
-
- [RFC2929] Eastlake, D., Brunner-Williams, E. and B. Manning,
- "Domain Name System (DNS) IANA Considerations", BCP 42,
- RFC 2929, September 2000.
-
-12. Informative References
-
- [RFC1876] Davis, C., Vixie, P., Goodwin, T. and I. Dickinson, "A
- Means for Expressing Location Information in the Domain
- Name System", RFC 1876, January 1996.
-
- [RFC2052] Gulbrandsen, A. and P. Vixie, "A DNS RR for specifying
- the location of services (DNS SRV)", RFC 2052, October
- 1996.
-
- [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y. and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)",
- RFC 2136, April 1997.
-
-
-
-
-Gustafsson Standards Track [Page 6]
-
-RFC 3597 Handling of Unknown DNS RR Types September 2003
-
-
- [RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
- specifying the location of services (DNS SRV)", RFC 2782,
- February 2000.
-
-13. Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-14. Author's Address
-
- Andreas Gustafsson
- Nominum, Inc.
- 2385 Bay Rd
- Redwood City, CA 94063
- USA
-
- Phone: +1 650 381 6004
- EMail: gson@nominum.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gustafsson Standards Track [Page 7]
-
-RFC 3597 Handling of Unknown DNS RR Types September 2003
-
-
-15. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gustafsson Standards Track [Page 8]
-
diff --git a/contrib/bind9/doc/rfc/rfc3645.txt b/contrib/bind9/doc/rfc/rfc3645.txt
deleted file mode 100644
index 61266786a547..000000000000
--- a/contrib/bind9/doc/rfc/rfc3645.txt
+++ /dev/null
@@ -1,1459 +0,0 @@
-
-
-
-
-
-
-Network Working Group S. Kwan
-Request for Comments: 3645 P. Garg
-Updates: 2845 J. Gilroy
-Category: Standards Track L. Esibov
- J. Westhead
- Microsoft Corp.
- R. Hall
- Lucent Technologies
- October 2003
-
-
- Generic Security Service Algorithm for
- Secret Key Transaction Authentication for DNS (GSS-TSIG)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- The Secret Key Transaction Authentication for DNS (TSIG) protocol
- provides transaction level authentication for DNS. TSIG is
- extensible through the definition of new algorithms. This document
- specifies an algorithm based on the Generic Security Service
- Application Program Interface (GSS-API) (RFC2743). This document
- updates RFC 2845.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 1]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
- 2. Algorithm Overview . . . . . . . . . . . . . . . . . . . . . . 3
- 2.1. GSS Details. . . . . . . . . . . . . . . . . . . . . . . 4
- 2.2. Modifications to the TSIG protocol (RFC 2845). . . . . . 4
- 3. Client Protocol Details. . . . . . . . . . . . . . . . . . . . 5
- 3.1. Negotiating Context. . . . . . . . . . . . . . . . . . . 5
- 3.1.1. Call GSS_Init_sec_context. . . . . . . . . . . . . 6
- 3.1.2. Send TKEY Query to Server. . . . . . . . . . . . . 8
- 3.1.3. Receive TKEY Query-Response from Server. . . . . . 8
- 3.2. Context Established. . . . . . . . . . . . . . . . . . . 11
- 3.2.1. Terminating a Context. . . . . . . . . . . . . . . 11
- 4. Server Protocol Details. . . . . . . . . . . . . . . . . . . . 12
- 4.1. Negotiating Context. . . . . . . . . . . . . . . . . . . 12
- 4.1.1. Receive TKEY Query from Client . . . . . . . . . . 12
- 4.1.2. Call GSS_Accept_sec_context. . . . . . . . . . . . 12
- 4.1.3. Send TKEY Query-Response to Client . . . . . . . . 13
- 4.2. Context Established. . . . . . . . . . . . . . . . . . . 15
- 4.2.1. Terminating a Context. . . . . . . . . . . . . . . 15
- 5. Sending and Verifying Signed Messages. . . . . . . . . . . . . 15
- 5.1. Sending a Signed Message - Call GSS_GetMIC . . . . . . . 15
- 5.2. Verifying a Signed Message - Call GSS_VerifyMIC. . . . . 16
- 6. Example usage of GSS-TSIG algorithm. . . . . . . . . . . . . . 18
- 7. Security Considerations. . . . . . . . . . . . . . . . . . . . 22
- 8. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 22
- 9. Conformance. . . . . . . . . . . . . . . . . . . . . . . . . . 22
- 10. Intellectual Property Statement. . . . . . . . . . . . . . . . 23
- 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
- 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
- 12.1. Normative References. . . . . . . . . . . . . . . . . . 24
- 12.2. Informative References. . . . . . . . . . . . . . . . . 24
- 13. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
- 14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 26
-
-1. Introduction
-
- The Secret Key Transaction Authentication for DNS (TSIG) [RFC2845]
- protocol was developed to provide a lightweight authentication and
- integrity of messages between two DNS entities, such as client and
- server or server and server. TSIG can be used to protect dynamic
- update messages, authenticate regular message or to off-load
- complicated DNSSEC [RFC2535] processing from a client to a server and
- still allow the client to be assured of the integrity of the answers.
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 2]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- The TSIG protocol [RFC2845] is extensible through the definition of
- new algorithms. This document specifies an algorithm based on the
- Generic Security Service Application Program Interface (GSS-API)
- [RFC2743]. GSS-API is a framework that provides an abstraction of
- security to the application protocol developer. The security
- services offered can include authentication, integrity, and
- confidentiality.
-
- The GSS-API framework has several benefits:
-
- * Mechanism and protocol independence. The underlying mechanisms
- that realize the security services can be negotiated on the fly
- and varied over time. For example, a client and server MAY use
- Kerberos [RFC1964] for one transaction, whereas that same server
- MAY use SPKM [RFC2025] with a different client.
-
- * The protocol developer is removed from the responsibility of
- creating and managing a security infrastructure. For example, the
- developer does not need to create new key distribution or key
- management systems. Instead the developer relies on the security
- service mechanism to manage this on its behalf.
-
- The scope of this document is limited to the description of an
- authentication mechanism only. It does not discuss and/or propose an
- authorization mechanism. Readers that are unfamiliar with GSS-API
- concepts are encouraged to read the characteristics and concepts
- section of [RFC2743] before examining this protocol in detail. It is
- also assumed that the reader is familiar with [RFC2845], [RFC2930],
- [RFC1034] and [RFC1035].
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
- "RECOMMENDED", and "MAY" in this document are to be interpreted as
- described in BCP 14, RFC 2119 [RFC2119].
-
-2. Algorithm Overview
-
- In GSS, client and server interact to create a "security context".
- The security context can be used to create and verify transaction
- signatures on messages between the two parties. A unique security
- context is required for each unique connection between client and
- server.
-
- Creating a security context involves a negotiation between client and
- server. Once a context has been established, it has a finite
- lifetime for which it can be used to secure messages. Thus there are
- three states of a context associated with a connection:
-
-
-
-
-
-Kwan, et al. Standards Track [Page 3]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- +----------+
- | |
- V |
- +---------------+ |
- | Uninitialized | |
- | | |
- +---------------+ |
- | |
- V |
- +---------------+ |
- | Negotiating | |
- | Context | |
- +---------------+ |
- | |
- V |
- +---------------+ |
- | Context | |
- | Established | |
- +---------------+ |
- | |
- +----------+
-
- Every connection begins in the uninitialized state.
-
-2.1. GSS Details
-
- Client and server MUST be locally authenticated and have acquired
- default credentials before using this protocol as specified in
- Section 1.1.1 "Credentials" in RFC 2743 [RFC2743].
-
- The GSS-TSIG algorithm consists of two stages:
-
- I. Establish security context. The Client and Server use the
- GSS_Init_sec_context and GSS_Accept_sec_context APIs to generate
- the tokens that they pass to each other using [RFC2930] as a
- transport mechanism.
-
- II. Once the security context is established it is used to generate
- and verify signatures using GSS_GetMIC and GSS_VerifyMIC APIs.
- These signatures are exchanged by the Client and Server as a part
- of the TSIG records exchanged in DNS messages sent between the
- Client and Server, as described in [RFC2845].
-
-2.2. Modifications to the TSIG protocol (RFC 2845)
-
- Modification to RFC 2845 allows use of TSIG through signing server's
- response in an explicitly specified place in multi message exchange
- between two DNS entities even if client's request wasn't signed.
-
-
-
-Kwan, et al. Standards Track [Page 4]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- Specifically, Section 4.2 of RFC 2845 MUST be modified as follows:
-
- Replace:
- "The server MUST not generate a signed response to an unsigned
- request."
-
- With:
- "The server MUST not generate a signed response to an unsigned
- request, except in case of response to client's unsigned TKEY
- query if secret key is established on server side after server
- processed client's query. Signing responses to unsigned TKEY
- queries MUST be explicitly specified in the description of an
- individual secret key establishment algorithm."
-
-3. Client Protocol Details
-
- A unique context is required for each server to which the client
- sends secure messages. A context is identified by a context handle.
- A client maintains a mapping of servers to handles:
-
- (target_name, key_name, context_handle)
-
- The value key_name also identifies a context handle. The key_name is
- the owner name of the TKEY and TSIG records sent between a client and
- a server to indicate to each other which context MUST be used to
- process the current request.
-
- DNS client and server MAY use various underlying security mechanisms
- to establish security context as described in sections 3 and 4. At
- the same time, in order to guarantee interoperability between DNS
- clients and servers that support GSS-TSIG it is REQUIRED that
- security mechanism used by client enables use of Kerberos v5 (see
- Section 9 for more information).
-
-3.1. Negotiating Context
-
- In GSS, establishing a security context involves the passing of
- opaque tokens between the client and the server. The client
- generates the initial token and sends it to the server. The server
- processes the token and if necessary, returns a subsequent token to
- the client. The client processes this token, and so on, until the
- negotiation is complete. The number of times the client and server
- exchange tokens depends on the underlying security mechanism. A
- completed negotiation results in a context handle.
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 5]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- The TKEY resource record [RFC2930] is used as the vehicle to transfer
- tokens between client and server. The TKEY record is a general
- mechanism for establishing secret keys for use with TSIG. For more
- information, see [RFC2930].
-
-3.1.1. Call GSS_Init_sec_context
-
- To obtain the first token to be sent to a server, a client MUST call
- GSS_Init_sec_context API.
-
- The following input parameters MUST be used. The outcome of the call
- is indicated with the output values below. Consult Sections 2.2.1,
- "GSS_Init_sec_context call", of [RFC2743] for syntax definitions.
-
- INPUTS
- CREDENTIAL HANDLE claimant_cred_handle = NULL (NULL specifies "use
- default"). Client MAY instead specify some other valid
- handle to its credentials.
- CONTEXT HANDLE input_context_handle = 0
- INTERNAL NAME targ_name = "DNS@<target_server_name>"
- OBJECT IDENTIFIER mech_type = Underlying security
- mechanism chosen by implementers. To guarantee
- interoperability of the implementations of the GSS-TSIG
- mechanism client MUST specify a valid underlying security
- mechanism that enables use of Kerberos v5 (see Section 9 for
- more information).
- OCTET STRING input_token = NULL
- BOOLEAN replay_det_req_flag = TRUE
- BOOLEAN mutual_req_flag = TRUE
- BOOLEAN deleg_req_flag = TRUE
- BOOLEAN sequence_req_flag = TRUE
- BOOLEAN anon_req_flag = FALSE
- BOOLEAN integ_req_flag = TRUE
- INTEGER lifetime_req = 0 (0 requests a default
- value). Client MAY instead specify another upper bound for the
- lifetime of the context to be established in seconds.
- OCTET STRING chan_bindings = Any valid channel bindings
- as specified in Section 1.1.6 "Channel Bindings" in [RFC2743]
-
- OUTPUTS
- INTEGER major_status
- CONTEXT HANDLE output_context_handle
- OCTET STRING output_token
- BOOLEAN replay_det_state
- BOOLEAN mutual_state
- INTEGER minor_status
- OBJECT IDENTIFIER mech_type
- BOOLEAN deleg_state
-
-
-
-Kwan, et al. Standards Track [Page 6]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- BOOLEAN sequence_state
- BOOLEAN anon_state
- BOOLEAN trans_state
- BOOLEAN prot_ready_state
- BOOLEAN conf_avail
- BOOLEAN integ_avail
- INTEGER lifetime_rec
-
- If returned major_status is set to one of the following errors:
-
- GSS_S_DEFECTIVE_TOKEN
- GSS_S_DEFECTIVE_CREDENTIAL
- GSS_S_BAD_SIG (GSS_S_BAD_MIC)
- GSS_S_NO_CRED
- GSS_S_CREDENTIALS_EXPIRED
- GSS_S_BAD_BINDINGS
- GSS_S_OLD_TOKEN
- GSS_S_DUPLICATE_TOKEN
- GSS_S_NO_CONTEXT
- GSS_S_BAD_NAMETYPE
- GSS_S_BAD_NAME
- GSS_S_BAD_MECH
- GSS_S_FAILURE
-
- then the client MUST abandon the algorithm and MUST NOT use the GSS-
- TSIG algorithm to establish this security context. This document
- does not prescribe which other mechanism could be used to establish a
- security context. Next time when this client needs to establish
- security context, the client MAY use GSS-TSIG algorithm.
-
- Success values of major_status are GSS_S_CONTINUE_NEEDED and
- GSS_S_COMPLETE. The exact success code is important during later
- processing.
-
- The values of replay_det_state and mutual_state indicate if the
- security package provides replay detection and mutual authentication,
- respectively. If returned major_status is GSS_S_COMPLETE AND one or
- both of these values are FALSE, the client MUST abandon this
- algorithm.
-
- Client's behavior MAY depend on other OUTPUT parameters according to
- the policy local to the client.
-
- The handle output_context_handle is unique to this negotiation and is
- stored in the client's mapping table as the context_handle that maps
- to target_name.
-
-
-
-
-
-Kwan, et al. Standards Track [Page 7]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-3.1.2. Send TKEY Query to Server
-
- An opaque output_token returned by GSS_Init_sec_context is
- transmitted to the server in a query request with QTYPE=TKEY. The
- token itself will be placed in a Key Data field of the RDATA field in
- the TKEY resource record in the additional records section of the
- query. The owner name of the TKEY resource record set queried for
- and the owner name of the supplied TKEY resource record in the
- additional records section MUST be the same. This name uniquely
- identifies the security context to both the client and server, and
- thus the client SHOULD use a value which is globally unique as
- described in [RFC2930]. To achieve global uniqueness, the name MAY
- contain a UUID/GUID [ISO11578].
-
- TKEY Record
- NAME = client-generated globally unique domain name string
- (as described in [RFC2930])
- RDATA
- Algorithm Name = gss-tsig
- Mode = 3 (GSS-API negotiation - per [RFC2930])
- Key Size = size of output_token in octets
- Key Data = output_token
-
- The remaining fields in the TKEY RDATA, i.e., Inception, Expiration,
- Error, Other Size and Data Fields, MUST be set according to
- [RFC2930].
-
- The query is transmitted to the server.
-
- Note: if the original client call to GSS_Init_sec_context returned
- any major_status other than GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE,
- then the client MUST NOT send TKEY query. Client's behavior in this
- case is described above in Section 3.1.1.
-
-3.1.3. Receive TKEY Query-Response from Server
-
- Upon the reception of the TKEY query the DNS server MUST respond
- according to the description in Section 4. This section specifies
- the behavior of the client after it receives the matching response to
- its query.
-
- The next processing step depends on the value of major_status from
- the most recent call that client performed to GSS_Init_sec_context:
- either GSS_S_COMPLETE or GSS_S_CONTINUE.
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 8]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-3.1.3.1. Value of major_status == GSS_S_COMPLETE
-
- If the last call to GSS_Init_sec_context yielded a major_status value
- of GSS_S_COMPLETE and a non-NULL output_token was sent to the server,
- then the client side component of the negotiation is complete and the
- client is awaiting confirmation from the server.
-
- Confirmation is in the form of a query response with RCODE=NOERROR
- and with the last client supplied TKEY record in the answer section
- of the query. The response MUST be signed with a TSIG record. Note
- that the server is allowed to sign a response to unsigned client's
- query due to modification to the RFC 2845 specified in Section 2.2
- above. The signature in the TSIG record MUST be verified using the
- procedure detailed in section 5, Sending and Verifying Signed
- Messages. If the response is not signed, OR if the response is
- signed but the signature is invalid, then an attacker has tampered
- with the message in transit or has attempted to send the client a
- false response. In this case, the client MAY continue waiting for a
- response to its last TKEY query until the time period since the
- client sent last TKEY query expires. Such a time period is specified
- by the policy local to the client. This is a new option that allows
- the DNS client to accept multiple answers for one query ID and select
- one (not necessarily the first one) based on some criteria.
-
- If the signature is verified, the context state is advanced to
- Context Established. Proceed to section 3.2 for usage of the
- security context.
-
-3.1.3.2. Value of major_status == GSS_S_CONTINUE_NEEDED
-
- If the last call to GSS_Init_sec_context yielded a major_status value
- of GSS_S_CONTINUE_NEEDED, then the negotiation is not yet complete.
- The server will return to the client a query response with a TKEY
- record in the Answer section. If the DNS message error is not
- NO_ERROR or error field in the TKEY record is not 0 (i.e., no error),
- then the client MUST abandon this negotiation sequence. The client
- MUST delete an active context by calling GSS_Delete_sec_context
- providing the associated context_handle. The client MAY repeat the
- negotiation sequence starting with the uninitialized state as
- described in section 3.1. To prevent infinite looping the number of
- attempts to establish a security context MUST be limited to ten or
- less.
-
- If the DNS message error is NO_ERROR and the error field in the TKEY
- record is 0 (i.e., no error), then the client MUST pass a token
- specified in the Key Data field in the TKEY resource record to
-
-
-
-
-
-Kwan, et al. Standards Track [Page 9]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- GSS_Init_sec_context using the same parameters values as in previous
- call except values for CONTEXT HANDLE input_context_handle and OCTET
- STRING input_token as described below:
-
- INPUTS
- CONTEXT HANDLE input_context_handle = context_handle (this is the
- context_handle corresponding to the key_name which is the
- owner name of the TKEY record in the answer section in the
- TKEY query response)
-
- OCTET STRING input_token = token from Key field of
- TKEY record
-
- Depending on the following OUTPUT values of GSS_Init_sec_context
-
- INTEGER major_status
- OCTET STRING output_token
-
- the client MUST take one of the following actions:
-
- If OUTPUT major_status is set to one of the following values:
-
- GSS_S_DEFECTIVE_TOKEN
- GSS_S_DEFECTIVE_CREDENTIAL
- GSS_S_BAD_SIG (GSS_S_BAD_MIC)
- GSS_S_NO_CRED
- GSS_S_CREDENTIALS_EXPIRED
- GSS_S_BAD_BINDINGS
- GSS_S_OLD_TOKEN
- GSS_S_DUPLICATE_TOKEN
- GSS_S_NO_CONTEXT
- GSS_S_BAD_NAMETYPE
- GSS_S_BAD_NAME
- GSS_S_BAD_MECH
- GSS_S_FAILURE
-
- the client MUST abandon this negotiation sequence. This means that
- the client MUST delete an active context by calling
- GSS_Delete_sec_context providing the associated context_handle. The
- client MAY repeat the negotiation sequence starting with the
- uninitialized state as described in section 3.1. To prevent infinite
- looping the number of attempts to establish a security context MUST
- be limited to ten or less.
-
- If OUTPUT major_status is GSS_S_CONTINUE_NEEDED OR GSS_S_COMPLETE
- then client MUST act as described below.
-
-
-
-
-
-Kwan, et al. Standards Track [Page 10]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- If the response from the server was signed, and the OUTPUT
- major_status is GSS_S_COMPLETE,then the signature in the TSIG record
- MUST be verified using the procedure detailed in section 5, Sending
- and Verifying Signed Messages. If the signature is invalid, then the
- client MUST abandon this negotiation sequence. This means that the
- client MUST delete an active context by calling
- GSS_Delete_sec_context providing the associated context_handle. The
- client MAY repeat the negotiation sequence starting with the
- uninitialized state as described in section 3.1. To prevent infinite
- looping the number of attempts to establish a security context MUST
- be limited to ten or less.
-
- If major_status is GSS_S_CONTINUE_NEEDED the negotiation is not yet
- finished. The token output_token MUST be passed to the server in a
- TKEY record by repeating the negotiation sequence beginning with
- section 3.1.2. The client MUST place a limit on the number of
- continuations in a context negotiation to prevent endless looping.
- Such limit SHOULD NOT exceed value of 10.
-
- If major_status is GSS_S_COMPLETE and output_token is non-NULL, the
- client-side component of the negotiation is complete but the token
- output_token MUST be passed to the server by repeating the
- negotiation sequence beginning with section 3.1.2.
-
- If major_status is GSS_S_COMPLETE and output_token is NULL, context
- negotiation is complete. The context state is advanced to Context
- Established. Proceed to section 3.2 for usage of the security
- context.
-
-3.2. Context Established
-
- When context negotiation is complete, the handle context_handle MUST
- be used for the generation and verification of transaction
- signatures.
-
- The procedures for sending and receiving signed messages are
- described in section 5, Sending and Verifying Signed Messages.
-
-3.2.1. Terminating a Context
-
- When the client is not intended to continue using the established
- security context, the client SHOULD delete an active context by
- calling GSS_Delete_sec_context providing the associated
- context_handle, AND client SHOULD delete the established context on
- the DNS server by using TKEY RR with the Mode field set to 5, i.e.,
- "key deletion" [RFC2930].
-
-
-
-
-
-Kwan, et al. Standards Track [Page 11]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-4. Server Protocol Details
-
- As on the client-side, the result of a successful context negotiation
- is a context handle used in future generation and verification of the
- transaction signatures.
-
- A server MAY be managing several contexts with several clients.
- Clients identify their contexts by providing a key name in their
- request. The server maintains a mapping of key names to handles:
-
- (key_name, context_handle)
-
-4.1. Negotiating Context
-
- A server MUST recognize TKEY queries as security context negotiation
- messages.
-
-4.1.1. Receive TKEY Query from Client
-
- Upon receiving a query with QTYPE = TKEY, the server MUST examine
- whether the Mode and Algorithm Name fields of the TKEY record in the
- additional records section of the message contain values of 3 and
- gss-tsig, respectively. If they do, then the (key_name,
- context_handle) mapping table is searched for the key_name matching
- the owner name of the TKEY record in the additional records section
- of the query. If the name is found in the table and the security
- context for this name is established and not expired, then the server
- MUST respond to the query with BADNAME error in the TKEY error field.
- If the name is found in the table and the security context is not
- established, the corresponding context_handle is used in subsequent
- GSS operations. If the name is found but the security context is
- expired, then the server deletes this security context, as described
- in Section 4.2.1, and interprets this query as a start of new
- security context negotiation and performs operations described in
- Section 4.1.2 and 4.1.3. If the name is not found, then the server
- interprets this query as a start of new security context negotiation
- and performs operations described in Section 4.1.2 and 4.1.3.
-
-4.1.2. Call GSS_Accept_sec_context
-
- The server performs its side of a context negotiation by calling
- GSS_Accept_sec_context. The following input parameters MUST be used.
- The outcome of the call is indicated with the output values below.
- Consult Sections 2.2.2 "GSS_Accept_sec_context call" of the RFC 2743
- [RFC2743] for syntax definitions.
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 12]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- INPUTS
- CONTEXT HANDLE input_context_handle = 0 if new negotiation,
- context_handle matching
- key_name if ongoing negotiation
- OCTET STRING input_token = token specified in the Key
- field from TKEY RR (from Additional records Section of
- the client's query)
-
- CREDENTIAL HANDLE acceptor_cred_handle = NULL (NULL specifies "use
- default"). Server MAY instead specify some other valid
- handle to its credentials.
- OCTET STRING chan_bindings = Any valid channel bindings
- as specified in Section 1.1.6 "Channel Bindings" in [RFC2743]
-
- OUTPUTS
- INTEGER major_status
- CONTEXT_HANDLE output_context_handle
- OCTET STRING output_token
- INTEGER minor_status
- INTERNAL NAME src_name
- OBJECT IDENTIFIER mech_type
- BOOLEAN deleg_state
- BOOLEAN mutual_state
- BOOLEAN replay_det_state
- BOOLEAN sequence_state
- BOOLEAN anon_state
- BOOLEAN trans_state
- BOOLEAN prot_ready_state
- BOOLEAN conf_avail
- BOOLEAN integ_avail
- INTEGER lifetime_rec
- CONTEXT_HANDLE delegated_cred_handle
-
- If this is the first call to GSS_Accept_sec_context in a new
- negotiation, then output_context_handle is stored in the server's
- key-mapping table as the context_handle that maps to the name of the
- TKEY record.
-
-4.1.3. Send TKEY Query-Response to Client
-
- The server MUST respond to the client with a TKEY query response with
- RCODE = NOERROR, that contains a TKEY record in the answer section.
-
- If OUTPUT major_status is one of the following errors the error field
- in the TKEY record set to BADKEY.
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 13]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- GSS_S_DEFECTIVE_TOKEN
- GSS_S_DEFECTIVE_CREDENTIAL
- GSS_S_BAD_SIG (GSS_S_BAD_MIC)
- GSS_S_DUPLICATE_TOKEN
- GSS_S_OLD_TOKEN
- GSS_S_NO_CRED
- GSS_S_CREDENTIALS_EXPIRED
- GSS_S_BAD_BINDINGS
- GSS_S_NO_CONTEXT
- GSS_S_BAD_MECH
- GSS_S_FAILURE
-
- If OUTPUT major_status is set to GSS_S_COMPLETE or
- GSS_S_CONTINUE_NEEDED then server MUST act as described below.
-
- If major_status is GSS_S_COMPLETE the server component of the
- negotiation is finished. If output_token is non-NULL, then it MUST
- be returned to the client in a Key Data field of the RDATA in TKEY.
- The error field in the TKEY record is set to NOERROR. The message
- MUST be signed with a TSIG record as described in section 5, Sending
- and Verifying Signed Messages. Note that server is allowed to sign a
- response to unsigned client's query due to modification to the RFC
- 2845 specified in Section 2.2 above. The context state is advanced
- to Context Established. Section 4.2 discusses the usage of the
- security context.
-
- If major_status is GSS_S_COMPLETE and output_token is NULL, then the
- TKEY record received from the client MUST be returned in the Answer
- section of the response. The message MUST be signed with a TSIG
- record as described in section 5, Sending and Verifying Signed
- Messages. Note that server is allowed to sign a response to unsigned
- client's query due to modification to the RFC 2845 specified in
- section 2.2 above. The context state is advanced to Context
- Established. Section 4.2 discusses the usage of the security
- context.
-
- If major_status is GSS_S_CONTINUE_NEEDED, the server component of the
- negotiation is not yet finished. The server responds to the TKEY
- query with a standard query response, placing in the answer section a
- TKEY record containing output_token in the Key Data RDATA field. The
- error field in the TKEY record is set to NOERROR. The server MUST
- limit the number of times that a given context is allowed to repeat,
- to prevent endless looping. Such limit SHOULD NOT exceed value of
- 10.
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 14]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- In all cases, except if major_status is GSS_S_COMPLETE and
- output_token is NULL, other TKEY record fields MUST contain the
- following values:
-
- NAME = key_name
- RDATA
- Algorithm Name = gss-tsig
- Mode = 3 (GSS-API negotiation - per [RFC2930])
- Key Size = size of output_token in octets
-
- The remaining fields in the TKEY RDATA, i.e., Inception, Expiration,
- Error, Other Size and Data Fields, MUST be set according to
- [RFC2930].
-
-4.2. Context Established
-
- When context negotiation is complete, the handle context_handle is
- used for the generation and verification of transaction signatures.
- The handle is valid for a finite amount of time determined by the
- underlying security mechanism. A server MAY unilaterally terminate a
- context at any time (see section 4.2.1).
-
- Server SHOULD limit the amount of memory used to cache established
- contexts.
-
- The procedures for sending and receiving signed messages are given in
- section 5, Sending and Verifying Signed Messages.
-
-4.2.1. Terminating a Context
-
- A server can terminate any established context at any time. The
- server MAY hint to the client that the context is being deleted by
- including a TKEY RR in a response with the Mode field set to 5, i.e.,
- "key deletion" [RFC2930]. An active context is deleted by calling
- GSS_Delete_sec_context providing the associated context_handle.
-
-5. Sending and Verifying Signed Messages
-
-5.1. Sending a Signed Message - Call GSS_GetMIC
-
- The procedure for sending a signature-protected message is specified
- in [RFC2845]. The data to be passed to the signature routine
- includes the whole DNS message with specific TSIG variables appended.
- For the exact format, see [RFC2845]. For this protocol, use the
- following TSIG variable values:
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 15]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- TSIG Record
- NAME = key_name that identifies this context
- RDATA
- Algorithm Name = gss-tsig
-
- Assign the remaining fields in the TSIG RDATA appropriate values as
- described in [RFC2845].
-
- The signature is generated by calling GSS_GetMIC. The following
- input parameters MUST be used. The outcome of the call is indicated
- with the output values specified below. Consult Sections 2.3.1
- "GSS_GetMIC call" of the RFC 2743[RFC2743] for syntax definitions.
-
- INPUTS
- CONTEXT HANDLE context_handle = context_handle for key_name
- OCTET STRING message = outgoing message plus TSIG
- variables (per [RFC2845])
- INTEGER qop_req = 0 (0 requests a default
- value). Caller MAY instead specify other valid value (for
- details see Section 1.2.4 in [RFC2743])
-
- OUTPUTS
- INTEGER major_status
- INTEGER minor_status
- OCTET STRING per_msg_token
-
- If major_status is GSS_S_COMPLETE, then signature generation
- succeeded. The signature in per_msg_token is inserted into the
- Signature field of the TSIG RR and the message is transmitted.
-
- If major_status is GSS_S_CONTEXT_EXPIRED, GSS_S_CREDENTIALS_EXPIRED
- or GSS_S_FAILURE the caller MUST delete the security context, return
- to the uninitialized state and SHOULD negotiate a new security
- context, as described above in Section 3.1
-
- If major_status is GSS_S_NO_CONTEXT, the caller MUST remove the entry
- for key_name from the (target_ name, key_name, context_handle)
- mapping table, return to the uninitialized state and SHOULD negotiate
- a new security context, as described above in Section 3.1
-
- If major_status is GSS_S_BAD_QOP, the caller SHOULD repeat the
- GSS_GetMIC call with allowed QOP value. The number of such
- repetitions MUST be limited to prevent infinite loops.
-
-5.2. Verifying a Signed Message - Call GSS_VerifyMIC
-
- The procedure for verifying a signature-protected message is
- specified in [RFC2845].
-
-
-
-Kwan, et al. Standards Track [Page 16]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- The NAME of the TSIG record determines which context_handle maps to
- the context that MUST be used to verify the signature. If the NAME
- does not map to an established context, the server MUST send a
- standard TSIG error response to the client indicating BADKEY in the
- TSIG error field (as described in [RFC2845]).
-
- For the GSS algorithm, a signature is verified by using
- GSS_VerifyMIC:
-
- INPUTS
- CONTEXT HANDLE context_handle = context_handle for key_name
- OCTET STRING message = incoming message plus TSIG
- variables (per [RFC2845])
- OCTET STRING per_msg_token = Signature field from TSIG RR
-
- OUTPUTS
- INTEGER major_status
- INTEGER minor_status
- INTEGER qop_state
-
- If major_status is GSS_S_COMPLETE, the signature is authentic and the
- message was delivered intact. Per [RFC2845], the timer values of the
- TSIG record MUST also be valid before considering the message to be
- authentic. The caller MUST not act on the request or response in the
- message until these checks are verified.
-
- When a server is processing a client request, the server MUST send a
- standard TSIG error response to the client indicating BADKEY in the
- TSIG error field as described in [RFC2845], if major_status is set to
- one of the following values
-
- GSS_S_DEFECTIVE_TOKEN
- GSS_S_BAD_SIG (GSS_S_BAD_MIC)
- GSS_S_DUPLICATE_TOKEN
- GSS_S_OLD_TOKEN
- GSS_S_UNSEQ_TOKEN
- GSS_S_GAP_TOKEN
- GSS_S_CONTEXT_EXPIRED
- GSS_S_NO_CONTEXT
- GSS_S_FAILURE
-
- If the timer values of the TSIG record are invalid, the message MUST
- NOT be considered authentic. If this error checking fails when a
- server is processing a client request, the appropriate error response
- MUST be sent to the client according to [RFC2845].
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 17]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-6. Example usage of GSS-TSIG algorithm
-
- This Section describes an example where a Client, client.example.com,
- and a Server, server.example.com, establish a security context
- according to the algorithm described above.
-
- I. Client initializes security context negotiation
-
- To establish a security context with a server, server.example.com, the
- Client calls GSS_Init_sec_context with the following parameters.
- (Note that some INPUT and OUTPUT parameters not critical for this
- algorithm are not described in this example.)
-
- CONTEXT HANDLE input_context_handle = 0
- INTERNAL NAME targ_name = "DNS@server.example.com"
- OCTET STRING input_token = NULL
- BOOLEAN replay_det_req_flag = TRUE
- BOOLEAN mutual_req_flag = TRUE
-
- The OUTPUTS parameters returned by GSS_Init_sec_context include
- INTEGER major_status = GSS_S_CONTINUE_NEEDED
- CONTEXT HANDLE output_context_handle context_handle
- OCTET STRING output_token output_token
- BOOLEAN replay_det_state = TRUE
- BOOLEAN mutual_state = TRUE
-
- Client verifies that replay_det_state and mutual_state values are
- TRUE. Since the major_status is GSS_S_CONTINUE_NEEDED, which is a
- success OUTPUT major_status value, client stores context_handle that
- maps to "DNS@server.example.com" and proceeds to the next step.
-
- II. Client sends a query with QTYPE = TKEY to server
-
- Client sends a query with QTYPE = TKEY for a client-generated globally
- unique domain name string, 789.client.example.com.server.example.com.
- Query contains a TKEY record in its Additional records section with
- the following fields. (Note that some fields not specific to this
- algorithm are not specified.)
-
- NAME = 789.client.example.com.server.example.com.
- RDATA
- Algorithm Name = gss-tsig
- Mode = 3 (GSS-API negotiation - per [RFC2930])
- Key Size = size of output_token in octets
- Key Data = output_token
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 18]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- After the key_name 789.client.example.com.server.example.com.
- is generated it is stored in the client's (target_name, key_name,
- context_handle) mapping table.
-
- III. Server receives a query with QTYPE = TKEY
-
- When server receives a query with QTYPE = TKEY, the server verifies
- that Mode and Algorithm fields in the TKEY record in the Additional
- records section of the query are set to 3 and "gss-tsig" respectively.
- It finds that the key_name 789.client.example.com.server.example.com.
- is not listed in its (key_name, context_handle) mapping table.
-
- IV. Server calls GSS_Accept_sec_context
-
- To continue security context negotiation server calls
- GSS_Accept_sec_context with the following parameters. (Note that
- some INPUT and OUTPUT parameters not critical for this algorithm
- are not described in this example.)
-
- INPUTS
- CONTEXT HANDLE input_context_handle = 0
- OCTET STRING input_token = token specified in the Key
- field from TKEY RR (from Additional
- records section of the client's query)
-
- The OUTPUTS parameters returned by GSS_Accept_sec_context include
- INTEGER major_status = GSS_S_CONTINUE_NEEDED
- CONTEXT_HANDLE output_context_handle context_handle
- OCTET STRING output_token output_token
-
- Server stores the mapping of the
- 789.client.example.com.server.example.com. to OUTPUT context_handle
- in its (key_name, context_handle) mapping table.
-
- V. Server responds to the TKEY query
-
- Since the major_status = GSS_S_CONTINUE_NEEDED in the last server's
- call to GSS_Accept_sec_context, the server responds to the TKEY query
- placing in the answer section a TKEY record containing output_token in
- the Key Data RDATA field. The error field in the TKEY record is set
- to 0. The RCODE in the query response is set to NOERROR.
-
- VI. Client processes token returned by server
-
- When the client receives the TKEY query response from the server, the
- client calls GSS_Init_sec_context with the following parameters.
- (Note that some INPUT and OUTPUT parameters not critical for this
- algorithm are not described in this example.)
-
-
-
-Kwan, et al. Standards Track [Page 19]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- CONTEXT HANDLE input_context_handle = the context_handle stored
- in the client's mapping table entry (DNS@server.example.com.,
- 789.client.example.com.server.example.com., context_handle)
- INTERNAL NAME targ_name = "DNS@server.example.com"
- OCTET STRING input_token = token from Key field of TKEY
- record from the Answer section of the server's response
- BOOLEAN replay_det_req_flag = TRUE
- BOOLEAN mutual_req_flag = TRUE
-
- The OUTPUTS parameters returned by GSS_Init_sec_context include
- INTEGER major_status = GSS_S_COMPLETE
- CONTEXT HANDLE output_context_handle = context_handle
- OCTET STRING output_token = output_token
- BOOLEAN replay_det_state = TRUE
- BOOLEAN mutual_state = TRUE
-
- Since the major_status is set to GSS_S_COMPLETE the client side
- security context is established, but since the output_token is not
- NULL client MUST send a TKEY query to the server as described below.
-
- VII. Client sends a query with QTYPE = TKEY to server
-
- Client sends to the server a TKEY query for the
- 789.client.example.com.server.example.com. name. Query contains a
- TKEY record in its Additional records section with the following
- fields. (Note that some INPUT and OUTPUT parameters not critical to
- this algorithm are not described in this example.)
-
- NAME = 789.client.example.com.server.example.com.
- RDATA
- Algorithm Name = gss-tsig
- Mode = 3 (GSS-API negotiation - per [RFC2930])
- Key Size = size of output_token in octets
- Key Data = output_token
-
- VIII. Server receives a TKEY query
-
- When the server receives a TKEY query, the server verifies that Mode
- and Algorithm fields in the TKEY record in the Additional records
- section of the query are set to 3 and gss-tsig, respectively. It
- finds that the key_name 789.client.example.com.server.example.com. is
- listed in its (key_name, context_handle) mapping table.
-
-
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 20]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- IX. Server calls GSS_Accept_sec_context
-
- To continue security context negotiation server calls
- GSS_Accept_sec_context with the following parameters (Note that some
- INPUT and OUTPUT parameters not critical for this algorithm are not
- described in this example)
-
- INPUTS
- CONTEXT HANDLE input_context_handle = context_handle from the
- (789.client.example.com.server.example.com., context_handle)
- entry in the server's mapping table
- OCTET STRING input_token = token specified in the Key
- field of TKEY RR (from Additional records Section of
- the client's query)
-
- The OUTPUTS parameters returned by GSS_Accept_sec_context include
- INTEGER major_status = GSS_S_COMPLETE
- CONTEXT_HANDLE output_context_handle = context_handle
- OCTET STRING output_token = NULL
-
- Since major_status = GSS_S_COMPLETE, the security context on the
- server side is established, but the server still needs to respond to
- the client's TKEY query, as described below. The security context
- state is advanced to Context Established.
-
- X. Server responds to the TKEY query
-
- Since the major_status = GSS_S_COMPLETE in the last server's call to
- GSS_Accept_sec_context and the output_token is NULL, the server
- responds to the TKEY query placing in the answer section a TKEY record
- that was sent by the client in the Additional records section of the
- client's latest TKEY query. In addition, this server places a
- TSIG record in additional records section of its response. Server
- calls GSS_GetMIC to generate a signature to include it in the TSIG
- record. The server specifies the following GSS_GetMIC INPUT
- parameters:
-
- CONTEXT HANDLE context_handle = context_handle from the
- (789.client.example.com.server.example.com., context_handle)
- entry in the server's mapping table
- OCTET STRING message = outgoing message plus TSIG
- variables (as described in [RFC2845])
-
- The OUTPUTS parameters returned by GSS_GetMIC include
- INTEGER major_status = GSS_S_COMPLETE
- OCTET STRING per_msg_token
-
- Signature field in the TSIG record is set to per_msg_token.
-
-
-
-Kwan, et al. Standards Track [Page 21]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- XI. Client processes token returned by server
-
- Client receives the TKEY query response from the server. Since the
- major_status was GSS_S_COMPLETE in the last client's call to
- GSS_Init_sec_context, the client verifies that the server's response
- is signed. To validate the signature, the client calls
- GSS_VerifyMIC with the following parameters:
-
- INPUTS
- CONTEXT HANDLE context_handle = context_handle for
- 789.client.example.com.server.example.com. key_name
- OCTET STRING message = incoming message plus TSIG
- variables (as described in [RFC2845])
- OCTET STRING per_msg_token = Signature field from TSIG RR
- included in the server's query response
-
- Since the OUTPUTS parameter major_status = GSS_S_COMPLETE, the
- signature is validated, security negotiation is complete and the
- security context state is advanced to Context Established. These
- client and server will use the established security context to sign
- and validate the signatures when they exchange packets with each
- other until the context expires.
-
-7. Security Considerations
-
- This document describes a protocol for DNS security using GSS-API.
- The security provided by this protocol is only as effective as the
- security provided by the underlying GSS mechanisms.
-
- All the security considerations from RFC 2845, RFC 2930 and RFC 2743
- apply to the protocol described in this document.
-
-8. IANA Considerations
-
- The IANA has reserved the TSIG Algorithm name gss-tsig for the use in
- the Algorithm fields of TKEY and TSIG resource records. This
- Algorithm name refers to the algorithm described in this document.
- The requirement to have this name registered with IANA is specified
- in RFC 2845.
-
-9. Conformance
-
- The GSS API using SPNEGO [RFC2478] provides maximum flexibility to
- choose the underlying security mechanisms that enables security
- context negotiation. GSS API using SPNEGO [RFC2478] enables client
- and server to negotiate and choose such underlying security
- mechanisms on the fly. To support such flexibility, DNS clients and
- servers SHOULD specify SPNEGO mech_type in their GSS API calls. At
-
-
-
-Kwan, et al. Standards Track [Page 22]
-
-RFC 3645 GSS-TSIG October 2003
-
-
- the same time, in order to guarantee interoperability between DNS
- clients and servers that support GSS-TSIG it is required that
-
- - DNS servers specify SPNEGO mech_type
- - GSS APIs called by DNS client support Kerberos v5
- - GSS APIs called by DNS server support SPNEGO [RFC2478] and
- Kerberos v5.
-
- In addition to these, GSS APIs used by DNS client and server MAY also
- support other underlying security mechanisms.
-
-10. Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-11. Acknowledgements
-
- The authors of this document would like to thank the following people
- for their contribution to this specification: Chuck Chan, Mike
- Swift, Ram Viswanathan, Olafur Gudmundsson, Donald E. Eastlake, 3rd
- and Erik Nordmark.
-
-
-
-
-
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 23]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-12. References
-
-12.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
- Negotiation Mechanism", RFC 2478, December 1998.
-
- [RFC2743] Linn, J., "Generic Security Service Application Program
- Interface, Version 2 , Update 1", RFC 2743, January 2000.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D. and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-
-12.2. Informative References
-
-
- [ISO11578] "Information technology", "Open Systems Interconnection",
- "Remote Procedure Call", ISO/IEC 11578:1996,
- http://www.iso.ch/cate/d2229.html.
-
- [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1034, November 1987.
-
- [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
- 1964, June 1996.
-
- [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
- (SPKM)", RFC 2025, October 1996.
-
- [RFC2137] Eastlake 3rd, D., "Secure Domain Name System Dynamic
- Update", RFC 2137, April 1997.
-
- [RFC2535] Eastlake 3rd, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 24]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-13. Authors' Addresses
-
- Stuart Kwan
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- USA
- EMail: skwan@microsoft.com
-
- Praerit Garg
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- USA
- EMail: praeritg@microsoft.com
-
- James Gilroy
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- USA
- EMail: jamesg@microsoft.com
-
- Levon Esibov
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- USA
- EMail: levone@microsoft.com
-
- Randy Hall
- Lucent Technologies
- 400 Lapp Road
- Malvern PA 19355
- USA
- EMail: randyhall@lucent.com
-
- Jeff Westhead
- Microsoft Corporation
- One Microsoft Way
- Redmond, WA 98052
- USA
- EMail: jwesth@microsoft.com
-
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 25]
-
-RFC 3645 GSS-TSIG October 2003
-
-
-14. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kwan, et al. Standards Track [Page 26]
-
diff --git a/contrib/bind9/doc/rfc/rfc3655.txt b/contrib/bind9/doc/rfc/rfc3655.txt
deleted file mode 100644
index 13e586bad0d7..000000000000
--- a/contrib/bind9/doc/rfc/rfc3655.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group B. Wellington
-Request for Comments: 3655 O. Gudmundsson
-Updates: 2535 November 2003
-Category: Standards Track
-
-
- Redefinition of DNS Authenticated Data (AD) bit
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- This document alters the specification defined in RFC 2535. Based on
- implementation experience, the Authenticated Data (AD) bit in the DNS
- header is not useful. This document redefines the AD bit such that
- it is only set if all answers or records proving that no answers
- exist in the response has been cryptographically verified or
- otherwise meets the server's local security policy.
-
-1. Introduction
-
- Familiarity with the DNS system [RFC1035] and DNS security extensions
- [RFC2535] is helpful but not necessary.
-
- As specified in RFC 2535 (section 6.1), the AD (Authenticated Data)
- bit indicates in a response that all data included in the answer and
- authority sections of the response have been authenticated by the
- server according to the policies of that server. This is not
- especially useful in practice, since a conformant server SHOULD never
- reply with data that failed its security policy.
-
- This document redefines the AD bit such that it is only set if all
- data in the response has been cryptographically verified or otherwise
- meets the server's local security policy. Thus, neither a response
- containing properly delegated insecure data, nor a server configured
- without DNSSEC keys, will have the AD set. As before, data that
- failed to verify will not be returned. An application running on a
- host that has a trust relationship with the server performing the
-
-
-
-Wellington & Gudmundsson Standards Track [Page 1]
-
-RFC 3655 Redefinition of DNS AD bit November 2003
-
-
- recursive query can now use the value of the AD bit to determine
- whether the data is secure.
-
-1.1. Motivation
-
- A full DNSSEC capable resolver called directly from an application
- can return to the application the security status of the RRsets in
- the answer. However, most applications use a limited stub resolver
- that relies on an external recursive name server which incorporates a
- full resolver. The recursive nameserver can use the AD bit in a
- response to indicate the security status of the data in the answer,
- and the local resolver can pass this information to the application.
- The application in this context can be either a human using a DNS
- tool or a software application.
-
- The AD bit SHOULD be used by the local resolver if and only if it has
- been explicitly configured to trust the remote resolver. The AD bit
- SHOULD be ignored when the recursive name server is not trusted.
-
- An alternate solution would be to embed a full DNSSEC resolver into
- every application, but this has several disadvantages.
-
- - DNSSEC validation is both CPU and network intensive, and caching
- SHOULD be used whenever possible.
-
- - DNSSEC requires non-trivial configuration - the root key must be
- configured, as well as keys for any "islands of security" that
- will exist until DNSSEC is fully deployed. The number of
- configuration points should be minimized.
-
-1.2. Requirements
-
- The key words "MAY", "MAY NOT" "MUST", "MUST NOT", "SHOULD", "SHOULD
- NOT", "RECOMMENDED", in this document are to be interpreted as
- described in BCP 14, RFC 2119 [RFC2119].
-
-1.3. Updated documents and sections
-
- The definition of the AD bit in RFC 2535, Section 6.1, is changed.
-
-2. Setting of AD bit
-
- The presence of the CD (Checking Disabled) bit in a query does not
- affect the setting of the AD bit in the response. If the CD bit is
- set, the server will not perform checking, but SHOULD still set the
- AD bit if the data has already been cryptographically verified or
-
-
-
-
-
-Wellington & Gudmundsson Standards Track [Page 2]
-
-RFC 3655 Redefinition of DNS AD bit November 2003
-
-
- complies with local policy. The AD bit MUST only be set if DNSSEC
- records have been requested via the DO bit [RFC3225] and relevant SIG
- records are returned.
-
-2.1. Setting of AD bit by recursive servers
-
- Section 6.1 of RFC 2535 says:
-
- "The AD bit MUST NOT be set on a response unless all of the RRs in
- the answer and authority sections of the response are either
- Authenticated or Insecure."
-
- The replacement text reads:
-
- "The AD bit MUST NOT be set on a response unless all of the RRsets in
- the answer and authority sections of the response are Authenticated."
-
- "The AD bit SHOULD be set if and only if all RRs in the answer
- section and any relevant negative response RRs in the authority
- section are Authenticated."
-
- A recursive DNS server following this modified specification will
- only set the AD bit when it has cryptographically verified the data
- in the answer.
-
-2.2. Setting of AD bit by authoritative servers
-
- A primary server for a secure zone MAY have the policy of treating
- authoritative secure zones as Authenticated. Secondary servers MAY
- have the same policy, but SHOULD NOT consider zone data Authenticated
- unless the zone was transferred securely and/or the data was
- verified. An authoritative server MUST only set the AD bit for
- authoritative answers from a secure zone if it has been explicitly
- configured to do so. The default for this behavior SHOULD be off.
-
- Note that having the AD bit clear on an authoritative answer is
- normal and expected behavior.
-
-2.2.1. Justification for setting AD bit w/o verifying data
-
- The setting of the AD bit by authoritative servers affects only the
- small set of resolvers that are configured to directly query and
- trust authoritative servers. This only affects servers that function
- as both recursive and authoritative. Iterative resolvers SHOULD
- ignore the AD bit.
-
- The cost of verifying all signatures on load by an authoritative
- server can be high and increases the delay before it can begin
-
-
-
-Wellington & Gudmundsson Standards Track [Page 3]
-
-RFC 3655 Redefinition of DNS AD bit November 2003
-
-
- answering queries. Verifying signatures at query time is also
- expensive and could lead to resolvers timing out on many queries
- after the server reloads zones.
-
- Organizations requiring that all DNS responses contain
- cryptographically verified data will need to separate the
- authoritative name server and signature verification functions, since
- name servers are not required to validate signatures of data for
- which they are authoritative.
-
-3. Interpretation of the AD bit
-
- A response containing data marked Insecure in the answer or authority
- section MUST never have the AD bit set. In this case, the resolver
- SHOULD treat the data as Insecure whether or not SIG records are
- present.
-
- A resolver MUST NOT blindly trust the AD bit unless it communicates
- with a recursive nameserver over a secure transport mechanism or
- using a message authentication such as TSIG [RFC2845] or SIG(0)
- [RFC2931] and is explicitly configured to trust this recursive name
- server.
-
-4. Applicability statement
-
- The AD bit is intended to allow the transmission of the indication
- that a resolver has verified the DNSSEC signatures accompanying the
- records in the Answer and Authority section. The AD bit MUST only be
- trusted when the end consumer of the DNS data has confidence that the
- intermediary resolver setting the AD bit is trustworthy. This can
- only be accomplished via an out of band mechanism such as:
-
- - Fiat: An organization that can dictate whether it is OK to trust
- certain DNS servers.
-
- - Personal: Because of a personal relationship or the reputation of
- a recursive nameserver operator, a DNS consumer can decide to
- trust that recursive nameserver.
-
- - Knowledge: If a recursive nameserver operator posts the configured
- policy of a recursive nameserver, a consumer can decide that
- recursive nameserver is trustworthy.
-
- In the absence of one or more of these factors AD bit from a
- recursive name server SHOULD NOT be trusted. For example, home users
- frequently depend on their ISP to provide recursive DNS service; it
-
-
-
-
-
-Wellington & Gudmundsson Standards Track [Page 4]
-
-RFC 3655 Redefinition of DNS AD bit November 2003
-
-
- is not advisable to trust these recursive nameservers. A
- roaming/traveling host SHOULD not use recursive DNS servers offered
- by DHCP when looking up information where security status matters.
-
- In the latter two cases, the end consumer must also completely trust
- the path to the trusted recursive name servers, or a secure transport
- must be employed to protect the traffic.
-
- When faced with a situation where there are no satisfactory recursive
- nameservers available, running one locally is RECOMMENDED. This has
- the advantage that it can be trusted, and the AD bit can still be
- used to allow applications to use stub resolvers.
-
-5. Security Considerations
-
- This document redefines a bit in the DNS header. If a resolver
- trusts the value of the AD bit, it must be sure that the responder is
- using the updated definition, which is any DNS server/resolver
- supporting the DO bit [RFC3225].
-
- Authoritative servers can be explicitly configured to set the AD bit
- on answers without doing cryptographic checks. This behavior MUST be
- off by default. The only affected resolvers are those that directly
- query and trust the authoritative server, and this functionality
- SHOULD only be used on servers that act both as authoritative and
- recursive name servers.
-
- Resolvers (full or stub) that blindly trust the AD bit without
- knowing the security policy of the server generating the answer can
- not be considered security aware.
-
- A resolver MUST NOT blindly trust the AD bit unless it communicates
- such as IPsec, or using message authentication such as TSIG [RFC2845]
- or SIG(0) [RFC2931]. In addition, the resolver must have been
- explicitly configured to trust this recursive name server.
-
-6. IANA Considerations
-
- None.
-
-7. Internationalization Considerations
-
- None. This document does not change any textual data in any
- protocol.
-
-
-
-
-
-
-
-Wellington & Gudmundsson Standards Track [Page 5]
-
-RFC 3655 Redefinition of DNS AD bit November 2003
-
-
-8. Intellectual Property Rights Notice
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-9. Acknowledgments
-
- The following people have provided input on this document: Robert
- Elz, Andreas Gustafsson, Bob Halley, Steven Jacob, Erik Nordmark,
- Edward Lewis, Jakob Schlyter, Roy Arends, Ted Lindgreen.
-
-10. Normative References
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D. and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
- (SIG(0))", RFC 2931, September 2000.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
-
-
-Wellington & Gudmundsson Standards Track [Page 6]
-
-RFC 3655 Redefinition of DNS AD bit November 2003
-
-
-11. Authors' Addresses
-
- Brian Wellington
- Nominum Inc.
- 2385 Bay Road
- Redwood City, CA, 94063
- USA
-
- EMail: Brian.Wellington@nominum.com
-
-
- Olafur Gudmundsson
- 3821 Village Park Drive
- Chevy Chase, MD, 20815
- USA
-
- EMail: ogud@ogud.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington & Gudmundsson Standards Track [Page 7]
-
-RFC 3655 Redefinition of DNS AD bit November 2003
-
-
-12. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Wellington & Gudmundsson Standards Track [Page 8]
-
diff --git a/contrib/bind9/doc/rfc/rfc3658.txt b/contrib/bind9/doc/rfc/rfc3658.txt
deleted file mode 100644
index 88cfb5af2425..000000000000
--- a/contrib/bind9/doc/rfc/rfc3658.txt
+++ /dev/null
@@ -1,1067 +0,0 @@
-
-
-
-
-
-
-Network Working Group O. Gudmundsson
-Request for Comments: 3658 December 2003
-Updates: 3090, 3008, 2535, 1035
-Category: Standards Track
-
-
- Delegation Signer (DS) Resource Record (RR)
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
-Abstract
-
- The delegation signer (DS) resource record (RR) is inserted at a zone
- cut (i.e., a delegation point) to indicate that the delegated zone is
- digitally signed and that the delegated zone recognizes the indicated
- key as a valid zone key for the delegated zone. The DS RR is a
- modification to the DNS Security Extensions definition, motivated by
- operational considerations. The intent is to use this resource
- record as an explicit statement about the delegation, rather than
- relying on inference.
-
- This document defines the DS RR, gives examples of how it is used and
- describes the implications on resolvers. This change is not
- backwards compatible with RFC 2535. This document updates RFC 1035,
- RFC 2535, RFC 3008 and RFC 3090.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 1]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-Table of Contents
-
- 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.2. Reserved Words. . . . . . . . . . . . . . . . . . . . . 4
- 2. Specification of the Delegation key Signer. . . . . . . . . . 4
- 2.1. Delegation Signer Record Model. . . . . . . . . . . . . 4
- 2.2. Protocol Change . . . . . . . . . . . . . . . . . . . . 5
- 2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations
- at Delegation Points . . . . . . . . . . . . . 6
- 2.2.1.1. Special processing for DS queries. . . 6
- 2.2.1.2. Special processing when child and an
- ancestor share nameserver. . . . . . . 7
- 2.2.1.3. Modification on use of KEY RR in the
- construction of Responses. . . . . . . 8
- 2.2.2. Signer's Name (replaces RFC3008 section 2.7). . 9
- 2.2.3. Changes to RFC 3090 . . . . . . . . . . . . . . 9
- 2.2.3.1. RFC 3090: Updates to section 1:
- Introduction . . . . . . . . . . . . . 9
- 2.2.3.2. RFC 3090 section 2.1: Globally
- Secured. . . . . . . . . . . . . . . . 10
- 2.2.3.3. RFC 3090 section 3: Experimental
- Status . . . . . . . . . . . . . . . . 10
- 2.2.4. NULL KEY elimination. . . . . . . . . . . . . . 10
- 2.3. Comments on Protocol Changes. . . . . . . . . . . . . . 10
- 2.4. Wire Format of the DS record. . . . . . . . . . . . . . 11
- 2.4.1. Justifications for Fields . . . . . . . . . . . 12
- 2.5. Presentation Format of the DS Record. . . . . . . . . . 12
- 2.6. Transition Issues for Installed Base. . . . . . . . . . 12
- 2.6.1. Backwards compatibility with RFC 2535 and
- RFC 1035. . . . . . . . . . . . . . . . . . . . 12
- 2.7. KEY and corresponding DS record example . . . . . . . . 13
- 3. Resolver. . . . . . . . . . . . . . . . . . . . . . . . . . . 14
- 3.1. DS Example" . . . . . . . . . . . . . . . . . . . . . . 14
- 3.2. Resolver Cost Estimates for DS Records" . . . . . . . . 15
- 4. Security Considerations . . . . . . . . . . . . . . . . . . . 15
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
- 6. Intellectual Property Statement . . . . . . . . . . . . . . . 16
- 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
- 8. References. . . . . . . . . . . . . . . . . . . . . . . . . . 17
- 8.1. Normative References. . . . . . . . . . . . . . . . . . 17
- 8.2. Informational References. . . . . . . . . . . . . . . . 17
- 9. Author's Address. . . . . . . . . . . . . . . . . . . . . . . 18
- 10. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 19
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 2]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-1. Introduction
-
- Familiarity with the DNS system [RFC1035], DNS security extensions
- [RFC2535], and DNSSEC terminology [RFC3090] is important.
-
- Experience shows that when the same data can reside in two
- administratively different DNS zones, the data frequently gets out of
- sync. The presence of an NS RRset in a zone anywhere other than at
- the apex indicates a zone cut or delegation. The RDATA of the NS
- RRset specifies the authoritative nameservers for the delegated or
- "child" zone. Based on actual measurements, 10-30% of all
- delegations on the Internet have differing NS RRsets at parent and
- child. There are a number of reasons for this, including a lack of
- communication between parent and child and bogus name servers being
- listed to meet registry requirements.
-
- DNSSEC [RFC2535, RFC3008, RFC3090] specifies that a child zone needs
- to have its KEY RRset signed by its parent to create a verifiable
- chain of KEYs. There has been some debate on where the signed KEY
- RRset should reside, whether at the child [RFC2535] or at the parent.
- If the KEY RRset resides at the child, maintaining the signed KEY
- RRset in the child requires frequent two-way communication between
- the two parties. First, the child transmits the KEY RRset to the
- parent and then the parent sends the signature(s) to the child.
- Storing the KEY RRset at the parent was thought to simplify the
- communication.
-
- DNSSEC [RFC2535] requires that the parent store a NULL KEY record for
- an unsecure child zone to indicate that the child is unsecure. A
- NULL KEY record is a waste: an entire signed RRset is used to
- communicate effectively one bit of information - that the child is
- unsecure. Chasing down NULL KEY RRsets complicates the resolution
- process in many cases, because nameservers for both parent and child
- need to be queried for the KEY RRset if the child nameserver does not
- return it. Storing the KEY RRset only in the parent zone simplifies
- this and would allow the elimination of the NULL KEY RRsets entirely.
- For large delegation zones, the cost of NULL keys is a significant
- barrier to deployment.
-
- Prior to the restrictions imposed by RFC 3445 [RFC3445], another
- implication of the DNSSEC key model is that the KEY record could be
- used to store public keys for other protocols in addition to DNSSEC
- keys. There are a number of potential problems with this, including:
-
- 1. The KEY RRset can become quite large if many applications and
- protocols store their keys at the zone apex. Possible protocols
- are IPSEC, HTTP, SMTP, SSH and others that use public key
- cryptography.
-
-
-
-Gudmundsson Standards Track [Page 3]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- 2. The KEY RRset may require frequent updates.
-
- 3. The probability of compromised or lost keys, which trigger
- emergency key roll-over procedures, increases.
-
- 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone
- keys.
-
- 5. The parent may not meet the child's expectations of turnaround
- time for resigning the KEY RRset.
-
- Given these reasons, SIG@parent isn't any better than SIG/KEY@Child.
-
-1.2. Reserved Words
-
- The key words "MAY", "MAY NOT", "MUST", "MUST NOT", "REQUIRED",
- "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
- interpreted as described in BCP 14, RFC 2119 [RFC2119].
-
-2. Specification of the Delegation key Signer
-
- This section defines the Delegation Signer (DS) RR type (type code
- 43) and the changes to DNS to accommodate it.
-
-2.1. Delegation Signer Record Model
-
- This document presents a replacement for the DNSSEC KEY record chain
- of trust [RFC2535] that uses a new RR that resides only at the
- parent. This record identifies the key(s) that the child uses to
- self-sign its own KEY RRset.
-
- Even though DS identifies two roles for KEYs, Key Signing Key (KSK)
- and Zone Signing Key (ZSK), there is no requirement that zone uses
- two different keys for these roles. It is expected that many small
- zones will only use one key, while larger zones will be more likely
- to use multiple keys.
-
- The chain of trust is now established by verifying the parent KEY
- RRset, the DS RRset from the parent and the KEY RRset at the child.
- This is cryptographically equivalent to using just KEY records.
-
- Communication between the parent and child is greatly reduced, since
- the child only needs to notify the parent about changes in keys that
- sign its apex KEY RRset. The parent is ignorant of all other keys in
- the child's apex KEY RRset. Furthermore, the child maintains full
- control over the apex KEY RRset and its content. The child can
- maintain any policies regarding its KEY usage for DNSSEC with minimal
- impact on the parent. Thus, if the child wants to have frequent key
-
-
-
-Gudmundsson Standards Track [Page 4]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- roll-over for its DNS zone keys, the parent does not need to be aware
- of it. The child can use one key to sign only its apex KEY RRset and
- a different key to sign the other RRsets in the zone.
-
- This model fits well with a slow roll out of DNSSEC and the islands
- of security model. In this model, someone who trusts "good.example."
- can preconfigure a key from "good.example." as a trusted key, and
- from then on trusts any data signed by that key or that has a chain
- of trust to that key. If "example." starts advertising DS records,
- "good.example." does not have to change operations by suspending
- self-signing. DS records can be used in configuration files to
- identify trusted keys instead of KEY records. Another significant
- advantage is that the amount of information stored in large
- delegation zones is reduced: rather than the NULL KEY record at every
- unsecure delegation demanded by RFC 2535, only secure delegations
- require additional information in the form of a signed DS RRset.
-
- The main disadvantage of this approach is that verifying a zone's KEY
- RRset requires two signature verification operations instead of the
- one in RFC 2535 chain of trust. There is no impact on the number of
- signatures verified for other types of RRsets.
-
-2.2. Protocol Change
-
- All DNS servers and resolvers that support DS MUST support the OK bit
- [RFC3225] and a larger message size [RFC3226]. In order for a
- delegation to be considered secure the delegation MUST contain a DS
- RRset. If a query contains the OK bit, a nameserver returning a
- referral for the delegation MUST include the following RRsets in the
- authority section in this order:
-
- If DS RRset is present:
- parent's copy of child's NS RRset
- DS and SIG(DS)
-
- If no DS RRset is present:
- parent's copy of child's NS RRset
- parent's zone NXT and SIG(NXT)
-
- This increases the size of referral messages, possibly causing some
- or all glue to be omitted. If the DS or NXT RRsets with signatures
- do not fit in the DNS message, the TC bit MUST be set. Additional
- section processing is not changed.
-
- A DS RRset accompanying a NS RRset indicates that the child zone is
- secure. If a NS RRset exists without a DS RRset, the child zone is
- unsecure (from the parents point of view). DS RRsets MUST NOT appear
- at non-delegation points or at a zone's apex.
-
-
-
-Gudmundsson Standards Track [Page 5]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- Section 2.2.1 defines special considerations related to authoritative
- nameservers responding to DS queries and replaces RFC 2535 sections
- 2.3.4 and 3.4. Section 2.2.2 replaces RFC 3008 section 2.7, and
- section 2.2.3 updates RFC 3090.
-
-2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations at Delegation
- Points
-
- DNS security views each zone as a unit of data completely under the
- control of the zone owner with each entry (RRset) signed by a special
- private key held by the zone manager. But the DNS protocol views the
- leaf nodes in a zone that are also the apex nodes of a child zone
- (i.e., delegation points) as "really" belonging to the child zone.
- The corresponding domain names appear in two master files and might
- have RRsets signed by both the parent and child zones' keys. A
- retrieval could get a mixture of these RRsets and SIGs, especially
- since one nameserver could be serving both the zone above and below a
- delegation point [RFC2181].
-
- Each DS RRset stored in the parent zone MUST be signed by at least
- one of the parent zone's private keys. The parent zone MUST NOT
- contain a KEY RRset at any delegation point. Delegations in the
- parent MAY contain only the following RR types: NS, DS, NXT and SIG.
- The NS RRset MUST NOT be signed. The NXT RRset is the exceptional
- case: it will always appear differently and authoritatively in both
- the parent and child zones, if both are secure.
-
- A secure zone MUST contain a self-signed KEY RRset at its apex. Upon
- verifying the DS RRset from the parent, a resolver MAY trust any KEY
- identified in the DS RRset as a valid signer of the child's apex KEY
- RRset. Resolvers configured to trust one of the keys signing the KEY
- RRset MAY now treat any data signed by the zone keys in the KEY RRset
- as secure. In all other cases, resolvers MUST consider the zone
- unsecure.
-
- An authoritative nameserver queried for type DS MUST return the DS
- RRset in the answer section.
-
-2.2.1.1. Special processing for DS queries
-
- When a nameserver is authoritative for the parent zone at a
- delegation point and receives a query for the DS record at that name,
- it MUST answer based on data in the parent zone, return DS or
- negative answer. This is true whether or not it is also
- authoritative for the child zone.
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 6]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- When the nameserver is authoritative for the child zone at a
- delegation point but not the parent zone, there is no natural
- response, since the child zone is not authoritative for the DS record
- at the zone's apex. As these queries are only expected to originate
- from recursive nameservers which are not DS-aware, the authoritative
- nameserver MUST answer with:
-
- RCODE: NOERROR
- AA bit: set
- Answer Section: Empty
- Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
-
- That is, it answers as if it is authoritative and the DS record does
- not exist. DS-aware recursive nameservers will query the parent zone
- at delegation points, so will not be affected by this.
-
- A nameserver authoritative for only the child zone, that is also a
- caching server MAY (if the RD bit is set in the query) perform
- recursion to find the DS record at the delegation point, or MAY
- return the DS record from its cache. In this case, the AA bit MUST
- NOT be set in the response.
-
-2.2.1.2. Special processing when child and an ancestor share
- nameserver
-
- Special rules are needed to permit DS RR aware nameservers to
- gracefully interact with older caches which otherwise might falsely
- label a nameserver as lame because of the placement of the DS RR set.
-
- Such a situation might arise when a nameserver is authoritative for
- both a zone and it's grandparent, but not the parent. This sounds
- like an obscure example, but it is very real. The root zone is
- currently served on 13 machines, and "root-servers.net." is served on
- 4 of the 13, but "net." is severed on different nameservers.
-
- When a nameserver receives a query for (<QNAME>, DS, <QCLASS>), the
- response MUST be determined from reading these rules in order:
-
- 1) If the nameserver is authoritative for the zone that holds the DS
- RR set (i.e., the zone that delegates <QNAME>, a.k.a. the "parent"
- zone), the response contains the DS RR set as an authoritative
- answer.
-
- 2) If the nameserver is offering recursive service and the RD bit is
- set in the query, the nameserver performs the query itself
- (according to the rules for resolvers described below) and returns
- its findings.
-
-
-
-
-Gudmundsson Standards Track [Page 7]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- 3) If the nameserver is authoritative for the zone that holds the
- <QNAME>'s SOA RR set, the response is an authoritative negative
- answer as described in 2.2.1.1.
-
- 4) If the nameserver is authoritative for a zone or zones above the
- QNAME, a referral to the most enclosing (deepest match) zone's
- servers is made.
-
- 5) If the nameserver is not authoritative for any part of the QNAME,
- a response indicating a lame nameserver for QNAME is given.
-
- Using these rules will require some special processing on the part of
- a DS RR aware resolver. To illustrate this, an example is used.
-
- Assuming a nameserver is authoritative for roots.example.net. and for
- the root zone but not the intervening two zones (or the intervening
- two label deep zone). Assume that QNAME=roots.example.net.,
- QTYPE=DS, and QCLASS=IN.
-
- The resolver will issue this request (assuming no cached data)
- expecting a referral to a nameserver for .net. Instead, rule number
- 3 above applies and a negative answer is returned by the nameserver.
- The reaction by the resolver is not to accept this answer as final,
- as it can determine from the SOA RR in the negative answer the
- context within which the nameserver has answered.
-
- A solution would be to instruct the resolver to hunt for the
- authoritative zone of the data in a brute force manner.
-
- This can be accomplished by taking the owner name of the returned SOA
- RR and striping off enough left-hand labels until a successful NS
- response is obtained. A successful response here means that the
- answer has NS records in it. (Entertaining the possibility that a
- cut point can be two labels down in a zone.)
-
- Returning to the example, the response will include a negative answer
- with either the SOA RR for "roots.example.net." or "example.net."
- depending on whether roots.example.net is a delegated domain. In
- either case, removing the left most label of the SOA owner name will
- lead to the location of the desired data.
-
-2.2.1.3. Modification on use of KEY RR in the construction of Responses
-
- This section updates RFC 2535 section 3.5 by replacing it with the
- following:
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 8]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- A query for KEY RR MUST NOT trigger any additional section
- processing. Security aware resolvers will include corresponding SIG
- records in the answer section.
-
- KEY records SHOULD NOT be added to the additional records section in
- response to any query.
-
- RFC 2535 specified that KEY records be added to the additional
- section when SOA or NS records were included in an answer. This was
- done to reduce round trips (in the case of SOA) and to force out NULL
- KEYs (in the NS case). As this document obsoletes NULL keys, there
- is no need for the inclusion of KEYs with NSs. Furthermore, as SOAs
- are included in the authority section of negative answers, including
- the KEYs each time will cause redundant transfers of KEYs.
-
- RFC 2535 section 3.5 also included a rule for adding the KEY RRset to
- the response for a query for A and AAAA types. As Restrict KEY
- [RFC3445] eliminated use of KEY RR by all applications, this rule is
- no longer needed.
-
-2.2.2. Signer's Name (replaces RFC 3008 section 2.7)
-
- The signer's name field of a SIG RR MUST contain the name of the zone
- to which the data and signature belong. The combination of signer's
- name, key tag, and algorithm MUST identify a zone key if the SIG is
- to be considered material. This document defines a standard policy
- for DNSSEC validation; local policy MAY override the standard policy.
-
- There are no restrictions on the signer field of a SIG(0) record. The
- combination of signer's name, key tag, and algorithm MUST identify a
- key if this SIG(0) is to be processed.
-
-2.2.3. Changes to RFC 3090
-
- A number of sections in RFC 3090 need to be updated to reflect the DS
- record.
-
-2.2.3.1. RFC 3090: Updates to section 1: Introduction
-
- Most of the text is still relevant but the words "NULL key" are to be
- replaced with "missing DS RRset". In section 1.3, the last three
- paragraphs discuss the confusion in sections of RFC 2535 that are
- replaced in section 2.2.1 above. Therefore, these paragraphs are now
- obsolete.
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 9]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-2.2.3.2. RFC 3090 section 2.1: Globally Secured
-
- Rule 2.1.b is replaced by the following rule:
-
- 2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a
- private key whose public counterpart MUST appear in a zone signing
- KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to-
- implement algorithm. This KEY RR MUST be identified by a DS RR in a
- signed DS RRset in the parent zone.
-
- If a zone cannot get its parent to advertise a DS record for it, the
- child zone cannot be considered globally secured. The only exception
- to this is the root zone, for which there is no parent zone.
-
-2.2.3.3. RFC 3090 section 3: Experimental Status.
-
- The only difference between experimental status and globally secured
- is the missing DS RRset in the parent zone. All locally secured
- zones are experimental.
-
-2.2.4. NULL KEY elimination
-
- RFC 3445 section 3 eliminates the top two bits in the flags field of
- KEY RR. These two bits were used to indicate NULL KEY or NO KEY. RFC
- 3090 defines that zone as either secure or not and these rules
- eliminate the need to put NULL keys in the zone apex to indicate that
- the zone is not secured for a algorithm. Along with this document,
- these other two eliminate all uses for the NULL KEY. This document
- obsoletes NULL KEY.
-
-2.3. Comments on Protocol Changes
-
- Over the years, there have been various discussions surrounding the
- DNS delegation model, declaring it to be broken because there is no
- good way to assert if a delegation exists. In the RFC 2535 version
- of DNSSEC, the presence of the NS bit in the NXT bit map proves there
- is a delegation at this name. Something more explicit is required
- and the DS record addresses this need for secure delegations.
-
- The DS record is a major change to DNS: it is the first resource
- record that can appear only on the upper side of a delegation.
- Adding it will cause interoperability problems and requires a flag
- day for DNSSEC. Many old nameservers and resolvers MUST be upgraded
- to take advantage of DS. Some old nameservers will be able to be
- authoritative for zones with DS records but will not add the NXT or
- DS records to the authority section. The same is true for caching
- nameservers; in fact, some might even refuse to pass on the DS or NXT
- records.
-
-
-
-Gudmundsson Standards Track [Page 10]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-2.4. Wire Format of the DS record
-
- The DS (type=43) record contains these fields: key tag, algorithm,
- digest type, and the digest of a public key KEY record that is
- allowed and/or used to sign the child's apex KEY RRset. Other keys
- MAY sign the child's apex KEY RRset.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | key tag | algorithm | Digest type |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | digest (length depends on type) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | (SHA-1 digest is 20 bytes) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
- | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- The key tag is calculated as specified in RFC 2535. Algorithm MUST
- be allowed to sign DNS data. The digest type is an identifier for
- the digest algorithm used. The digest is calculated over the
- canonical name of the delegated domain name followed by the whole
- RDATA of the KEY record (all four fields).
-
- digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata)
-
- KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key
-
- Digest type value 0 is reserved, value 1 is SHA-1, and reserving
- other types requires IETF standards action. For interoperability
- reasons, keeping number of digest algorithms low is strongly
- RECOMMENDED. The only reason to reserve additional digest types is
- to increase security.
-
- DS records MUST point to zone KEY records that are allowed to
- authenticate DNS data. The indicated KEY records protocol field MUST
- be set to 3; flag field bit 7 MUST be set to 1. The value of other
- flag bits is not significant for the purposes of this document.
-
- The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
- of key size. New digest types probably will have larger digests.
-
-
-
-
-
-Gudmundsson Standards Track [Page 11]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-2.4.1. Justifications for Fields
-
- The algorithm and key tag fields are present to allow resolvers to
- quickly identify the candidate KEY records to examine. SHA-1 is a
- strong cryptographic checksum: it is computationally infeasible for
- an attacker to generate a KEY record that has the same SHA-1 digest.
- Combining the name of the key and the key rdata as input to the
- digest provides stronger assurance of the binding. Having the key
- tag in the DS record adds greater assurance than the SHA-1 digest
- alone, as there are now two different mapping functions.
-
- This format allows concise representation of the keys that the child
- will use, thus keeping down the size of the answer for the
- delegation, reducing the probability of DNS message overflow. The
- SHA-1 hash is strong enough to uniquely identify the key and is
- similar to the PGP key footprint. The digest type field is present
- for possible future expansion.
-
- The DS record is well suited to listing trusted keys for islands of
- security in configuration files.
-
-2.5. Presentation Format of the DS Record
-
- The presentation format of the DS record consists of three numbers
- (key tag, algorithm, and digest type) followed by the digest itself
- presented in hex:
-
- example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890
-
-2.6. Transition Issues for Installed Base
-
- No backwards compatibility with RFC 2535 is provided.
-
- RFC 2535-compliant resolvers will assume that all DS-secured
- delegations are locally secure. This is bad, but the DNSEXT Working
- Group has determined that rather than dealing with both RFC 2535-
- secured zones and DS-secured zones, a rapid adoption of DS is
- preferable. Thus, the only option for early adopters is to upgrade
- to DS as soon as possible.
-
-2.6.1. Backwards compatibility with RFC 2535 and RFC 1035
-
- This section documents how a resolver determines the type of
- delegation.
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 12]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- RFC 1035 delegation (in parent) has:
-
- RFC 1035 NS
-
- RFC 2535 adds the following two cases:
-
- Secure RFC 2535: NS + NXT + SIG(NXT)
- NXT bit map contains: NS SIG NXT
- Unsecure RFC 2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
- NXT bit map contains: NS SIG KEY NXT
- KEY must be a NULL key.
-
- DNSSEC with DS has the following two states:
-
- Secure DS: NS + DS + SIG(DS)
- NXT bit map contains: NS SIG NXT DS
- Unsecure DS: NS + NXT + SIG(NXT)
- NXT bit map contains: NS SIG NXT
-
- It is difficult for a resolver to determine if a delegation is secure
- RFC 2535 or unsecure DS. This could be overcome by adding a flag to
- the NXT bit map, but only upgraded resolvers would understand this
- flag, anyway. Having both parent and child signatures for a KEY
- RRset might allow old resolvers to accept a zone as secure, but the
- cost of doing this for a long time is much higher than just
- prohibiting RFC 2535-style signatures at child zone apexes and
- forcing rapid deployment of DS-enabled nameservers and resolvers.
-
- RFC 2535 and DS can, in theory, be deployed in parallel, but this
- would require resolvers to deal with RFC 2535 configurations forever.
- This document obsoletes the NULL KEY in parent zones, which is a
- difficult enough change that to cause a flag day.
-
-2.7. KEY and corresponding DS record example
-
- This is an example of a KEY record and the corresponding DS record.
-
- dskey.example. KEY 256 3 1 (
- AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
- 4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
- ) ; key id = 28668
- DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
-
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 13]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-3. Resolver
-
-3.1. DS Example
-
- To create a chain of trust, a resolver goes from trusted KEY to DS to
- KEY.
-
- Assume the key for domain "example." is trusted. Zone "example."
- contains at least the following records:
- example. SOA <soa stuff>
- example. NS ns.example.
- example. KEY <stuff>
- example. NXT secure.example. NS SOA KEY SIG NXT
- example. SIG(SOA)
- example. SIG(NS)
- example. SIG(NXT)
- example. SIG(KEY)
- secure.example. NS ns1.secure.example.
- secure.example. DS tag=12345 alg=3 digest_type=1 <foofoo>
- secure.example. NXT unsecure.example. NS SIG NXT DS
- secure.example. SIG(NXT)
- secure.example. SIG(DS)
- unsecure.example NS ns1.unsecure.example.
- unsecure.example. NXT example. NS SIG NXT
- unsecure.example. SIG(NXT)
-
- In zone "secure.example." following records exist:
- secure.example. SOA <soa stuff>
- secure.example. NS ns1.secure.example.
- secure.example. KEY <tag=12345 alg=3>
- secure.example. KEY <tag=54321 alg=5>
- secure.example. NXT <nxt stuff>
- secure.example. SIG(KEY) <key-tag=12345 alg=3>
- secure.example. SIG(SOA) <key-tag=54321 alg=5>
- secure.example. SIG(NS) <key-tag=54321 alg=5>
- secure.example. SIG(NXT) <key-tag=54321 alg=5>
-
- In this example, the private key for "example." signs the DS record
- for "secure.example.", making that a secure delegation. The DS
- record states which key is expected to sign the KEY RRset at
- "secure.example.". Here "secure.example." signs its KEY RRset with
- the KEY identified in the DS RRset, thus the KEY RRset is validated
- and trusted.
-
- This example has only one DS record for the child, but parents MUST
- allow multiple DS records to facilitate key roll-over and multiple
- KEY algorithms.
-
-
-
-
-Gudmundsson Standards Track [Page 14]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- The resolver determines the security status of "unsecure.example." by
- examining the parent zone's NXT record for this name. The absence of
- the DS bit indicates an unsecure delegation. Note the NXT record
- SHOULD only be examined after verifying the corresponding signature.
-
-3.2. Resolver Cost Estimates for DS Records
-
- From a RFC 2535 recursive resolver point of view, for each delegation
- followed to chase down an answer, one KEY RRset has to be verified.
- Additional RRsets might also need to be verified based on local
- policy (e.g., the contents of the NS RRset). Once the resolver gets
- to the appropriate delegation, validating the answer might require
- verifying one or more signatures. A simple A record lookup requires
- at least N delegations to be verified and one RRset. For a DS-
- enabled recursive resolver, the cost is 2N+1. For an MX record,
- where the target of the MX record is in the same zone as the MX
- record, the costs are N+2 and 2N+2, for RFC 2535 and DS,
- respectively. In the case of a negative answer, the same ratios hold
- true.
-
- The recursive resolver has to do an extra query to get the DS record,
- which will increase the overall cost of resolving this question, but
- it will never be worse than chasing down NULL KEY records from the
- parent in RFC 2535 DNSSEC.
-
- DS adds processing overhead on resolvers and increases the size of
- delegation answers, but much less than storing signatures in the
- parent zone.
-
-4. Security Considerations
-
- This document proposes a change to the validation chain of KEY
- records in DNSSEC. The change is not believed to reduce security in
- the overall system. In RFC 2535 DNSSEC, the child zone has to
- communicate keys to its parent and prudent parents will require some
- authentication with that transaction. The modified protocol will
- require the same authentication, but allows the child to exert more
- local control over its own KEY RRset.
-
- There is a remote possibility that an attacker could generate a valid
- KEY that matches all the DS fields, of a specific DS set, and thus
- forge data from the child. This possibility is considered
- impractical, as on average more than
-
- 2 ^ (160 - <Number of keys in DS set>)
-
- keys would have to be generated before a match would be found.
-
-
-
-
-Gudmundsson Standards Track [Page 15]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
- An attacker that wants to match any DS record will have to generate
- on average at least 2^80 keys.
-
- The DS record represents a change to the DNSSEC protocol and there is
- an installed base of implementations, as well as textbooks on how to
- set up secure delegations. Implementations that do not understand
- the DS record will not be able to follow the KEY to DS to KEY chain
- and will consider all zones secured that way as unsecure.
-
-5. IANA Considerations
-
- IANA has allocated an RR type code for DS from the standard RR type
- space (type 43).
-
- IANA has established a new registry for the DS RR type for digest
- algorithms. Defined types are:
-
- 0 is Reserved,
- 1 is SHA-1.
-
- Adding new reservations requires IETF standards action.
-
-6. Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- intellectual property or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; neither does it represent that it
- has made any effort to identify any such rights. Information on the
- IETF's procedures with respect to rights in standards-track and
- standards-related documentation can be found in BCP-11. Copies of
- claims of rights made available for publication and any assurances of
- licenses to be made available, or the result of an attempt made to
- obtain a general license or permission for the use of such
- proprietary rights by implementors or users of this specification can
- be obtained from the IETF Secretariat.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights which may cover technology that may be required to practice
- this standard. Please address the information to the IETF Executive
- Director.
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 16]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-7. Acknowledgments
-
- Over the last few years a number of people have contributed ideas
- that are captured in this document. The core idea of using one key
- to sign only the KEY RRset comes from discussions with Bill Manning
- and Perry Metzger on how to put in a single root key in all
- resolvers. Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie,
- Jakob Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt
- Larson, Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker,
- Miek Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David
- Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark
- Andrews, Harald Alvestrand, and others have provided useful comments.
-
-8. References
-
-8.1. Normative References
-
- [RFC1035] Mockapetris, P., "Domain Names - Implementation and
- Specification", STD 13, RFC 1035, November 1987.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
- RFC 2535, March 1999.
-
- [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
- Signing Authority", RFC 3008, November 2000.
-
- [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone
- Status", RFC 3090, March 2001.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
- [RFC3445] Massey, D. and S. Rose, "Limiting the scope of the KEY
- Resource Record (RR)", RFC 3445, December 2002.
-
-8.2. Informational References
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
- message size requirements", RFC 3226, December 2001.
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 17]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-9. Author's Address
-
- Olafur Gudmundsson
- 3821 Village Park Drive
- Chevy Chase, MD, 20815
-
- EMail: ds-rfc@ogud.com
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 18]
-
-RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
-
-
-10. Full Copyright Statement
-
- Copyright (C) The Internet Society (2003). All Rights Reserved.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- The limited permissions granted above are perpetual and will not be
- revoked by the Internet Society or its successors or assignees.
-
- This document and the information contained herein is provided on an
- "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
- TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
- BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
- HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
- MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Gudmundsson Standards Track [Page 19]
-
diff --git a/contrib/bind9/doc/rfc/rfc3757.txt b/contrib/bind9/doc/rfc/rfc3757.txt
deleted file mode 100644
index 31890a4bcbeb..000000000000
--- a/contrib/bind9/doc/rfc/rfc3757.txt
+++ /dev/null
@@ -1,451 +0,0 @@
-
-
-
-
-
-
-Network Working Group O. Kolkman
-Request for Comments: 3757 RIPE NCC
-Updates: 3755, 2535 J. Schlyter
-Category: Standards Track NIC-SE
- E. Lewis
- ARIN
- April 2004
-
-
- Domain Name System KEY (DNSKEY) Resource Record (RR)
- Secure Entry Point (SEP) Flag
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004). All Rights Reserved.
-
-Abstract
-
- With the Delegation Signer (DS) resource record (RR), the concept of
- a public key acting as a secure entry point (SEP) has been
- introduced. During exchanges of public keys with the parent there is
- a need to differentiate SEP keys from other public keys in the Domain
- Name System KEY (DNSKEY) resource record set. A flag bit in the
- DNSKEY RR is defined to indicate that DNSKEY is to be used as a SEP.
- The flag bit is intended to assist in operational procedures to
- correctly generate DS resource records, or to indicate what DNSKEYs
- are intended for static configuration. The flag bit is not to be
- used in the DNS verification protocol. This document updates RFC
- 2535 and RFC 3755.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman, et al. Standard Track [Page 1]
-
-RFC 3757 DNSKEY RR SEP Flag April 2004
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
- 2. The Secure Entry Point (SEP) Flag. . . . . . . . . . . . . . . 4
- 3. DNSSEC Protocol Changes. . . . . . . . . . . . . . . . . . . . 4
- 4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . 4
- 5. Security Considerations. . . . . . . . . . . . . . . . . . . . 5
- 6. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 6
- 7. Internationalization Considerations. . . . . . . . . . . . . . 6
- 8. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 6
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 9.1. Normative References . . . . . . . . . . . . . . . . . . 6
- 9.2. Informative References . . . . . . . . . . . . . . . . . 6
- 10. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 7
- 11. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 8
-
-1. Introduction
-
- "All keys are equal but some keys are more equal than others" [6].
-
- With the definition of the Delegation Signer Resource Record (DS RR)
- [5], it has become important to differentiate between the keys in the
- DNSKEY RR set that are (to be) pointed to by parental DS RRs and the
- other keys in the DNSKEY RR set. We refer to these public keys as
- Secure Entry Point (SEP) keys. A SEP key either used to generate a
- DS RR or is distributed to resolvers that use the key as the root of
- a trusted subtree [3].
-
- In early deployment tests, the use of two (kinds of) key pairs for
- each zone has been prevalent. For one kind of key pair the private
- key is used to sign just the zone's DNSKEY resource record (RR) set.
- Its public key is intended to be referenced by a DS RR at the parent
- or configured statically in a resolver. The private key of the other
- kind of key pair is used to sign the rest of the zone's data sets.
- The former key pair is called a key-signing key (KSK) and the latter
- is called a zone-signing key (ZSK). In practice there have been
- usually one of each kind of key pair, but there will be multiples of
- each at times.
-
- It should be noted that division of keys pairs into KSK's and ZSK's
- is not mandatory in any definition of DNSSEC, not even with the
- introduction of the DS RR. But, in testing, this distinction has
- been helpful when designing key roll over (key super-cession)
- schemes. Given that the distinction has proven helpful, the labels
- KSK and ZSK have begun to stick.
-
-
-
-
-
-
-Kolkman, et al. Standard Track [Page 2]
-
-RFC 3757 DNSKEY RR SEP Flag April 2004
-
-
- There is a need to differentiate the public keys for the key pairs
- that are used for key signing from keys that are not used key signing
- (KSKs vs ZSKs). This need is driven by knowing which DNSKEYs are to
- be sent for generating DS RRs, which DNSKEYs are to be distributed to
- resolvers, and which keys are fed to the signer application at the
- appropriate time.
-
- In other words, the SEP bit provides an in-band method to communicate
- a DNSKEY RR's intended use to third parties. As an example we
- present 3 use cases in which the bit is useful:
-
- The parent is a registry, the parent and the child use secured DNS
- queries and responses, with a preexisting trust-relation, or plain
- DNS over a secured channel to exchange the child's DNSKEY RR sets.
- Since a DNSKEY RR set will contain a complete DNSKEY RRset the SEP
- bit can be used to isolate the DNSKEYs for which a DS RR needs to
- be created.
-
- An administrator has configured a DNSKEY as root for a trusted
- subtree into security aware resolver. Using a special purpose
- tool that queries for the KEY RRs from that domain's apex, the
- administrator will be able to notice the roll over of the trusted
- anchor by a change of the subset of KEY RRs with the DS flag set.
-
- A signer might use the SEP bit on the public key to determine
- which private key to use to exclusively sign the DNSKEY RRset and
- which private key to use to sign the other RRsets in the zone.
-
- As demonstrated in the above examples it is important to be able to
- differentiate the SEP keys from the other keys in a DNSKEY RR set in
- the flow between signer and (parental) key-collector and in the flow
- between the signer and the resolver configuration. The SEP flag is
- to be of no interest to the flow between the verifier and the
- authoritative data store.
-
- The reason for the term "SEP" is a result of the observation that the
- distinction between KSK and ZSK key pairs is made by the signer, a
- key pair could be used as both a KSK and a ZSK at the same time. To
- be clear, the term SEP was coined to lessen the confusion caused by
- the overlap. (Once this label was applied, it had the side effect of
- removing the temptation to have both a KSK flag bit and a ZSK flag
- bit.)
-
- The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
- "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
- interpreted as described in BCP 14, RFC 2119 [1].
-
-
-
-
-
-Kolkman, et al. Standard Track [Page 3]
-
-RFC 3757 DNSKEY RR SEP Flag April 2004
-
-
-2. The Secure Entry Point (SEP) Flag
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | flags |S| protocol | algorithm |
- | |E| | |
- | |P| | |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | /
- / public key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
- DNSKEY RR Format
- This document assigns the 15th bit in the flags field as the secure
- entry point (SEP) bit. If the bit is set to 1 the key is intended to
- be used as secure entry point key. One SHOULD NOT assign special
- meaning to the key if the bit is set to 0. Operators can recognize
- the secure entry point key by the even or odd-ness of the decimal
- representation of the flag field.
-
-3. DNSSEC Protocol Changes
-
- The bit MUST NOT be used during the resolving and verification
- process. The SEP flag is only used to provide a hint about the
- different administrative properties of the key and therefore the use
- of the SEP flag does not change the DNS resolution protocol or the
- resolution process.
-
-4. Operational Guidelines
-
- The SEP bit is set by the key-pair-generator and MAY be used by the
- zone signer to decide whether the public part of the key pair is to
- be prepared for input to a DS RR generation function. The SEP bit is
- recommended to be set (to 1) whenever the public key of the key pair
- will be distributed to the parent zone to build the authentication
- chain or if the public key is to be distributed for static
- configuration in verifiers.
-
- When a key pair is created, the operator needs to indicate whether
- the SEP bit is to be set in the DNSKEY RR. As the SEP bit is within
- the data that is used to compute the 'key tag field' in the SIG RR,
- changing the SEP bit will change the identity of the key within DNS.
- In other words, once a key is used to generate signatures, the
- setting of the SEP bit is to remain constant. If not, a verifier
- will not be able to find the relevant KEY RR.
-
-
-
-
-Kolkman, et al. Standard Track [Page 4]
-
-RFC 3757 DNSKEY RR SEP Flag April 2004
-
-
- When signing a zone, it is intended that the key(s) with the SEP bit
- set (if such keys exist) are used to sign the KEY RR set of the zone.
- The same key can be used to sign the rest of the zone data too. It
- is conceivable that not all keys with a SEP bit set will sign the
- DNSKEY RR set, such keys might be pending retirement or not yet in
- use.
-
- When verifying a RR set, the SEP bit is not intended to play a role.
- How the key is used by the verifier is not intended to be a
- consideration at key creation time.
-
- Although the SEP flag provides a hint on which public key is to be
- used as trusted root, administrators can choose to ignore the fact
- that a DNSKEY has its SEP bit set or not when configuring a trusted
- root for their resolvers.
-
- Using the SEP flag a key roll over can be automated. The parent can
- use an existing trust relation to verify DNSKEY RR sets in which a
- new DNSKEY RR with the SEP flag appears.
-
-5. Security Considerations
-
- As stated in Section 3 the flag is not to be used in the resolution
- protocol or to determine the security status of a key. The flag is
- to be used for administrative purposes only.
-
- No trust in a key should be inferred from this flag - trust MUST be
- inferred from an existing chain of trust or an out-of-band exchange.
-
- Since this flag might be used for automating public key exchanges, we
- think the following consideration is in place.
-
- Automated mechanisms for roll over of the DS RR might be vulnerable
- to a class of replay attacks. This might happen after a public key
- exchange where a DNSKEY RR set, containing two DNSKEY RRs with the
- SEP flag set, is sent to the parent. The parent verifies the DNSKEY
- RR set with the existing trust relation and creates the new DS RR
- from the DNSKEY RR that the current DS RR is not pointing to. This
- key exchange might be replayed. Parents are encouraged to implement
- a replay defense. A simple defense can be based on a registry of
- keys that have been used to generate DS RRs during the most recent
- roll over. These same considerations apply to entities that
- configure keys in resolvers.
-
-
-
-
-
-
-
-
-Kolkman, et al. Standard Track [Page 5]
-
-RFC 3757 DNSKEY RR SEP Flag April 2004
-
-
-6. IANA Considerations
-
- IANA has assigned the 15th bit in the DNSKEY Flags Registry (see
- Section 4.3 of [4]) as the Secure Entry Point (SEP) bit.
-
-7. Internationalization Considerations
-
- Although SEP is a popular acronym in many different languages, there
- are no internationalization considerations.
-
-8. Acknowledgments
-
- The ideas documented in this document are inspired by communications
- we had with numerous people and ideas published by other folk. Among
- others Mark Andrews, Rob Austein, Miek Gieben, Olafur Gudmundsson,
- Daniel Karrenberg, Dan Massey, Scott Rose, Marcos Sanz and Sam Weiler
- have contributed ideas and provided feedback.
-
- This document saw the light during a workshop on DNSSEC operations
- hosted by USC/ISI in August 2002.
-
-9. References
-
-9.1. Normative References
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [2] Eastlake, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [3] Lewis, E., "DNS Security Extension Clarification on Zone
- Status", RFC 3090, March 2001.
-
- [4] Weiler, S., "Legacy Resolver Compatibility for Delegation Signer
- (DS)", RFC 3755, April 2004.
-
-9.2. Informative References
-
- [5] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
- RFC 3658, December 2003.
-
- [6] Orwell, G. and R. Steadman (illustrator), "Animal Farm; a Fairy
- Story", ISBN 0151002177 (50th anniversary edition), April 1996.
-
-
-
-
-
-
-
-Kolkman, et al. Standard Track [Page 6]
-
-RFC 3757 DNSKEY RR SEP Flag April 2004
-
-
-10. Authors' Addresses
-
- Olaf M. Kolkman
- RIPE NCC
- Singel 256
- Amsterdam 1016 AB
- NL
-
- Phone: +31 20 535 4444
- EMail: olaf@ripe.net
- URI: http://www.ripe.net/
-
-
- Jakob Schlyter
- NIC-SE
- Box 5774
- SE-114 87 Stockholm
- Sweden
-
- EMail: jakob@nic.se
- URI: http://www.nic.se/
-
-
- Edward P. Lewis
- ARIN
- 3635 Concorde Parkway Suite 200
- Chantilly, VA 20151
- US
-
- Phone: +1 703 227 9854
- EMail: edlewis@arin.net
- URI: http://www.arin.net/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Kolkman, et al. Standard Track [Page 7]
-
-RFC 3757 DNSKEY RR SEP Flag April 2004
-
-
-11. Full Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78 and
- except as set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
- INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed
- to pertain to the implementation or use of the technology
- described in this document or the extent to which any license
- under such rights might or might not be available; nor does it
- represent that it has made any independent effort to identify any
- such rights. Information on the procedures with respect to
- rights in RFC documents can be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use
- of such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository
- at http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention
- any copyrights, patents or patent applications, or other
- proprietary rights that may cover technology that may be required
- to implement this standard. Please address the information to the
- IETF at ietf-ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-Kolkman, et al. Standard Track [Page 8]
-
diff --git a/contrib/bind9/doc/rfc/rfc3833.txt b/contrib/bind9/doc/rfc/rfc3833.txt
deleted file mode 100644
index 8ce4d34e3419..000000000000
--- a/contrib/bind9/doc/rfc/rfc3833.txt
+++ /dev/null
@@ -1,899 +0,0 @@
-
-
-
-
-
-
-Network Working Group D. Atkins
-Request for Comments: 3833 IHTFP Consulting
-Category: Informational R. Austein
- ISC
- August 2004
-
-
- Threat Analysis of the Domain Name System (DNS)
-
-Status of this Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004).
-
-Abstract
-
- Although the DNS Security Extensions (DNSSEC) have been under
- development for most of the last decade, the IETF has never written
- down the specific set of threats against which DNSSEC is designed to
- protect. Among other drawbacks, this cart-before-the-horse situation
- has made it difficult to determine whether DNSSEC meets its design
- goals, since its design goals are not well specified. This note
- attempts to document some of the known threats to the DNS, and, in
- doing so, attempts to measure to what extent (if any) DNSSEC is a
- useful tool in defending against these threats.
-
-1. Introduction
-
- The earliest organized work on DNSSEC within the IETF was an open
- design team meeting organized by members of the DNS working group in
- November 1993 at the 28th IETF meeting in Houston. The broad
- outlines of DNSSEC as we know it today are already clear in Jim
- Galvin's summary of the results of that meeting [Galvin93]:
-
- - While some participants in the meeting were interested in
- protecting against disclosure of DNS data to unauthorized parties,
- the design team made an explicit decision that "DNS data is
- `public'", and ruled all threats of data disclosure explicitly out
- of scope for DNSSEC.
-
- - While some participants in the meeting were interested in
- authentication of DNS clients and servers as a basis for access
- control, this work was also ruled out of scope for DNSSEC per se.
-
-
-
-Atkins & Austein Informational [Page 1]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- - Backwards compatibility and co-existence with "insecure DNS" was
- listed as an explicit requirement.
-
- - The resulting list of desired security services was
- 1) data integrity, and
- 2) data origin authentication.
-
- - The design team noted that a digital signature mechanism would
- support the desired services.
-
- While a number of detail decisions were yet to be made (and in some
- cases remade after implementation experience) over the subsequent
- decade, the basic model and design goals have remained fixed.
-
- Nowhere, however, does any of the DNSSEC work attempt to specify in
- any detail the sorts of attacks against which DNSSEC is intended to
- protect, or the reasons behind the list of desired security services
- that came out of the Houston meeting. For that, we have to go back
- to a paper originally written by Steve Bellovin in 1990 but not
- published until 1995, for reasons that Bellovin explained in the
- paper's epilogue [Bellovin95].
-
- While it may seem a bit strange to publish the threat analysis a
- decade after starting work on the protocol designed to defend against
- it, that is, nevertheless, what this note attempts to do. Better
- late than never.
-
- This note assumes that the reader is familiar with both the DNS and
- with DNSSEC, and does not attempt to provide a tutorial on either.
- The DNS documents most relevant to the subject of this note are:
- [RFC1034], [RFC1035], section 6.1 of [RFC1123], [RFC2181], [RFC2308],
- [RFC2671], [RFC2845], [RFC2930], [RFC3007], and [RFC2535].
-
- For purposes of discussion, this note uses the term "DNSSEC" to refer
- to the core hierarchical public key and signature mechanism specified
- in the DNSSEC documents, and refers to TKEY and TSIG as separate
- mechanisms, even though channel security mechanisms such as TKEY and
- TSIG are also part of the larger problem of "securing DNS" and thus
- are often considered part of the overall set of "DNS security
- extensions". This is an arbitrary distinction that in part reflects
- the way in which the protocol has evolved (introduction of a
- putatively simpler channel security model for certain operations such
- as zone transfers and dynamic update requests), and perhaps should be
- changed in a future revision of this note.
-
-
-
-
-
-
-
-Atkins & Austein Informational [Page 2]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
-2. Known Threats
-
- There are several distinct classes of threats to the DNS, most of
- which are DNS-related instances of more general problems, but a few
- of which are specific to peculiarities of the DNS protocol.
-
-2.1. Packet Interception
-
- Some of the simplest threats against DNS are various forms of packet
- interception: monkey-in-the-middle attacks, eavesdropping on requests
- combined with spoofed responses that beat the real response back to
- the resolver, and so forth. In any of these scenarios, the attacker
- can simply tell either party (usually the resolver) whatever it wants
- that party to believe. While packet interception attacks are far
- from unique to DNS, DNS's usual behavior of sending an entire query
- or response in a single unsigned, unencrypted UDP packet makes these
- attacks particularly easy for any bad guy with the ability to
- intercept packets on a shared or transit network.
-
- To further complicate things, the DNS query the attacker intercepts
- may just be a means to an end for the attacker: the attacker might
- even choose to return the correct result in the answer section of a
- reply message while using other parts of the message to set the stage
- for something more complicated, for example, a name chaining attack
- (see section 2.3).
-
- While it certainly would be possible to sign DNS messages using a
- channel security mechanism such as TSIG or IPsec, or even to encrypt
- them using IPsec, this would not be a very good solution for
- interception attacks. First, this approach would impose a fairly
- high processing cost per DNS message, as well as a very high cost
- associated with establishing and maintaining bilateral trust
- relationships between all the parties that might be involved in
- resolving any particular query. For heavily used name servers (such
- as the servers for the root zone), this cost would almost certainly
- be prohibitively high. Even more important, however, is that the
- underlying trust model in such a design would be wrong, since at best
- it would only provide a hop-by-hop integrity check on DNS messages
- and would not provide any sort of end-to-end integrity check between
- the producer of DNS data (the zone administrator) and the consumer of
- DNS data (the application that triggered the query).
-
- By contrast, DNSSEC (when used properly) does provide an end-to-end
- data integrity check, and is thus a much better solution for this
- class of problems during basic DNS lookup operations.
-
-
-
-
-
-
-Atkins & Austein Informational [Page 3]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- TSIG does have its place in corners of the DNS protocol where there's
- a specific trust relationship between a particular client and a
- particular server, such as zone transfer, dynamic update, or a
- resolver (stub or otherwise) that is not going to check all the
- DNSSEC signatures itself.
-
- Note that DNSSEC does not provide any protection against modification
- of the DNS message header, so any properly paranoid resolver must:
-
- - Perform all of the DNSSEC signature checking on its own,
-
- - Use TSIG (or some equivalent mechanism) to ensure the integrity of
- its communication with whatever name servers it chooses to trust,
- or
-
- - Resign itself to the possibility of being attacked via packet
- interception (and via other techniques discussed below).
-
-2.2. ID Guessing and Query Prediction
-
- Since DNS is for the most part used over UDP/IP, it is relatively
- easy for an attacker to generate packets which will match the
- transport protocol parameters. The ID field in the DNS header is
- only a 16-bit field and the server UDP port associated with DNS is a
- well-known value, so there are only 2**32 possible combinations of ID
- and client UDP port for a given client and server. This is not a
- particularly large range, and is not sufficient to protect against a
- brute force search; furthermore, in practice both the client UDP port
- and the ID can often be predicted from previous traffic, and it is
- not uncommon for the client port to be a known fixed value as well
- (due to firewalls or other restrictions), thus frequently reducing
- the search space to a range smaller than 2**16.
-
- By itself, ID guessing is not enough to allow an attacker to inject
- bogus data, but combined with knowledge (or guesses) about QNAMEs and
- QTYPEs for which a resolver might be querying, this leaves the
- resolver only weakly defended against injection of bogus responses.
-
- Since this attack relies on predicting a resolver's behavior, it's
- most likely to be successful when the victim is in a known state,
- whether because the victim rebooted recently, or because the victim's
- behavior has been influenced by some other action by the attacker, or
- because the victim is responding (in a predictable way) to some third
- party action known to the attacker.
-
-
-
-
-
-
-
-Atkins & Austein Informational [Page 4]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- This attack is both more and less difficult for the attacker than the
- simple interception attack described above: more difficult, because
- the attack only works when the attacker guesses correctly; less
- difficult, because the attacker doesn't need to be on a transit or
- shared network.
-
- In most other respects, this attack is similar to a packet
- interception attack. A resolver that checks DNSSEC signatures will
- be able to detect the forged response; resolvers that do not perform
- DNSSEC signature checking themselves should use TSIG or some
- equivalent mechanism to ensure the integrity of their communication
- with a recursive name server that does perform DNSSEC signature
- checking.
-
-2.3. Name Chaining
-
- Perhaps the most interesting class of DNS-specific threats are the
- name chaining attacks. These are a subset of a larger class of
- name-based attacks, sometimes called "cache poisoning" attacks. Most
- name-based attacks can be partially mitigated by the long-standing
- defense of checking RRs in response messages for relevance to the
- original query, but such defenses do not catch name chaining attacks.
- There are several variations on the basic attack, but what they all
- have in common is that they all involve DNS RRs whose RDATA portion
- (right hand side) includes a DNS name (or, in a few cases, something
- that is not a DNS name but which directly maps to a DNS name). Any
- such RR is, at least in principle, a hook that lets an attacker feed
- bad data into a victim's cache, thus potentially subverting
- subsequent decisions based on DNS names.
-
- The worst examples in this class of RRs are CNAME, NS, and DNAME RRs
- because they can redirect a victim's query to a location of the
- attacker's choosing. RRs like MX and SRV are somewhat less
- dangerous, but in principle they can also be used to trigger further
- lookups at a location of the attacker's choosing. Address RR types
- such as A or AAAA don't have DNS names in their RDATA, but since the
- IN-ADDR.ARPA and IP6.ARPA trees are indexed using a DNS encoding of
- IPv4 and IPv6 addresses, these record types can also be used in a
- name chaining attack.
-
- The general form of a name chaining attack is something like this:
-
- - Victim issues a query, perhaps at the instigation of the attacker
- or some third party; in some cases the query itself may be
- unrelated to the name under attack (that is, the attacker is just
- using this query as a means to inject false information about some
- other name).
-
-
-
-
-Atkins & Austein Informational [Page 5]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- - Attacker injects response, whether via packet interception, query
- guessing, or by being a legitimate name server that's involved at
- some point in the process of answering the query that the victim
- issued.
-
- - Attacker's response includes one or more RRs with DNS names in
- their RDATA; depending on which particular form this attack takes,
- the object may be to inject false data associated with those names
- into the victim's cache via the Additional section of this
- response, or may be to redirect the next stage of the query to a
- server of the attacker's choosing (in order to inject more complex
- lies into the victim's cache than will fit easily into a single
- response, or in order to place the lies in the Authority or Answer
- section of a response where they will have a better chance of
- sneaking past a resolver's defenses).
-
- Any attacker who can insert resource records into a victim's cache
- can almost certainly do some kind of damage, so there are cache
- poisoning attacks which are not name chaining attacks in the sense
- discussed here. However, in the case of name chaining attacks, the
- cause and effect relationship between the initial attack and the
- eventual result may be significantly more complex than in the other
- forms of cache poisoning, so name chaining attacks merit special
- attention.
-
- The common thread in all of the name chaining attacks is that
- response messages allow the attacker to introduce arbitrary DNS names
- of the attacker's choosing and provide further information that the
- attacker claims is associated with those names; unless the victim has
- better knowledge of the data associated with those names, the victim
- is going to have a hard time defending against this class of attacks.
-
- This class of attack is particularly insidious given that it's quite
- easy for an attacker to provoke a victim into querying for a
- particular name of the attacker's choosing, for example, by embedding
- a link to a 1x1-pixel "web bug" graphic in a piece of Text/HTML mail
- to the victim. If the victim's mail reading program attempts to
- follow such a link, the result will be a DNS query for a name chosen
- by the attacker.
-
- DNSSEC should provide a good defense against most (all?) variations
- on this class of attack. By checking signatures, a resolver can
- determine whether the data associated with a name really was inserted
- by the delegated authority for that portion of the DNS name space.
- More precisely, a resolver can determine whether the entity that
- injected the data had access to an allegedly secret key whose
-
-
-
-
-
-Atkins & Austein Informational [Page 6]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- corresponding public key appears at an expected location in the DNS
- name space with an expected chain of parental signatures that start
- with a public key of which the resolver has prior knowledge.
-
- DNSSEC signatures do not cover glue records, so there's still a
- possibility of a name chaining attack involving glue, but with DNSSEC
- it is possible to detect the attack by temporarily accepting the glue
- in order to fetch the signed authoritative version of the same data,
- then checking the signatures on the authoritative version.
-
-2.4. Betrayal By Trusted Server
-
- Another variation on the packet interception attack is the trusted
- server that turns out not to be so trustworthy, whether by accident
- or by intent. Many client machines are only configured with stub
- resolvers, and use trusted servers to perform all of their DNS
- queries on their behalf. In many cases the trusted server is
- furnished by the user's ISP and advertised to the client via DHCP or
- PPP options. Besides accidental betrayal of this trust relationship
- (via server bugs, successful server break-ins, etc), the server
- itself may be configured to give back answers that are not what the
- user would expect, whether in an honest attempt to help the user or
- to promote some other goal such as furthering a business partnership
- between the ISP and some third party.
-
- This problem is particularly acute for frequent travelers who carry
- their own equipment and expect it to work in much the same way
- wherever they go. Such travelers need trustworthy DNS service
- without regard to who operates the network into which their equipment
- is currently plugged or what brand of middle boxes the local
- infrastructure might use.
-
- While the obvious solution to this problem would be for the client to
- choose a more trustworthy server, in practice this may not be an
- option for the client. In many network environments a client machine
- has only a limited set of recursive name servers from which to
- choose, and none of them may be particularly trustworthy. In extreme
- cases, port filtering or other forms of packet interception may
- prevent the client host from being able to run an iterative resolver
- even if the owner of the client machine is willing and able to do so.
- Thus, while the initial source of this problem is not a DNS protocol
- attack per se, this sort of betrayal is a threat to DNS clients, and
- simply switching to a different recursive name server is not an
- adequate defense.
-
- Viewed strictly from the DNS protocol standpoint, the only difference
- between this sort of betrayal and a packet interception attack is
- that in this case the client has voluntarily sent its request to the
-
-
-
-Atkins & Austein Informational [Page 7]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- attacker. The defense against this is the same as with a packet
- interception attack: the resolver must either check DNSSEC signatures
- itself or use TSIG (or equivalent) to authenticate the server that it
- has chosen to trust. Note that use of TSIG does not by itself
- guarantee that a name server is at all trustworthy: all TSIG can do
- is help a resolver protect its communication with a name server that
- it has already decided to trust for other reasons. Protecting a
- resolver's communication with a server that's giving out bogus
- answers is not particularly useful.
-
- Also note that if the stub resolver does not trust the name server
- that is doing work on its behalf and wants to check the DNSSEC
- signatures itself, the resolver really does need to have independent
- knowledge of the DNSSEC public key(s) it needs in order to perform
- the check. Usually the public key for the root zone is enough, but
- in some cases knowledge of additional keys may also be appropriate.
-
- It is difficult to escape the conclusion that a properly paranoid
- resolver must always perform its own signature checking, and that
- this rule even applies to stub resolvers.
-
-2.5. Denial of Service
-
- As with any network service (or, indeed, almost any service of any
- kind in any domain of discourse), DNS is vulnerable to denial of
- service attacks. DNSSEC does not help this, and may in fact make the
- problem worse for resolvers that check signatures, since checking
- signatures both increases the processing cost per DNS message and in
- some cases can also increase the number of messages needed to answer
- a query. TSIG (and similar mechanisms) have equivalent problems.
-
- DNS servers are also at risk of being used as denial of service
- amplifiers, since DNS response packets tend to be significantly
- longer than DNS query packets. Unsurprisingly, DNSSEC doesn't help
- here either.
-
-2.6. Authenticated Denial of Domain Names
-
- Much discussion has taken place over the question of authenticated
- denial of domain names. The particular question is whether there is
- a requirement for authenticating the non-existence of a name. The
- issue is whether the resolver should be able to detect when an
- attacker removes RRs from a response.
-
- General paranoia aside, the existence of RR types whose absence
- causes an action other than immediate failure (such as missing MX and
- SRV RRs, which fail over to A RRs) constitutes a real threat.
- Arguably, in some cases, even the absence of an RR might be
-
-
-
-Atkins & Austein Informational [Page 8]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- considered a problem. The question remains: how serious is this
- threat? Clearly the threat does exist; general paranoia says that
- some day it'll be on the front page of some major newspaper, even if
- we cannot conceive of a plausible scenario involving this attack
- today. This implies that some mitigation of this risk is required.
-
- Note that it's necessary to prove the non-existence of applicable
- wildcard RRs as part of the authenticated denial mechanism, and that,
- in a zone that is more than one label deep, such a proof may require
- proving the non-existence of multiple discrete sets of wildcard RRs.
-
- DNSSEC does include mechanisms which make it possible to determine
- which authoritative names exist in a zone, and which authoritative
- resource record types exist at those names. The DNSSEC protections
- do not cover non-authoritative data such as glue records.
-
-2.7. Wildcards
-
- Much discussion has taken place over whether and how to provide data
- integrity and data origin authentication for "wildcard" DNS names.
- Conceptually, RRs with wildcard names are patterns for synthesizing
- RRs on the fly according to the matching rules described in section
- 4.3.2 of RFC 1034. While the rules that control the behavior of
- wildcard names have a few quirks that can make them a trap for the
- unwary zone administrator, it's clear that a number of sites make
- heavy use of wildcard RRs, particularly wildcard MX RRs.
-
- In order to provide the desired services for wildcard RRs, we need to
- do two things:
-
- - We need a way to attest to the existence of the wildcard RR itself
- (that is, we need to show that the synthesis rule exists), and
-
- - We need a way to attest to the non-existence of any RRs which, if
- they existed, would make the wildcard RR irrelevant according to
- the synthesis rules that govern the way in which wildcard RRs are
- used (that is, we need to show that the synthesis rule is
- applicable).
-
- Note that this makes the wildcard mechanisms dependent upon the
- authenticated denial mechanism described in the previous section.
-
- DNSSEC includes mechanisms along the lines described above, which
- make it possible for a resolver to verify that a name server applied
- the wildcard expansion rules correctly when generating an answer.
-
-
-
-
-
-
-Atkins & Austein Informational [Page 9]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
-3. Weaknesses of DNSSEC
-
- DNSSEC has some problems of its own:
-
- - DNSSEC is complex to implement and includes some nasty edge cases
- at the zone cuts that require very careful coding. Testbed
- experience to date suggests that trivial zone configuration errors
- or expired keys can cause serious problems for a DNSSEC-aware
- resolver, and that the current protocol's error reporting
- capabilities may leave something to be desired.
-
- - DNSSEC significantly increases the size of DNS response packets;
- among other issues, this makes DNSSEC-aware DNS servers even more
- effective as denial of service amplifiers.
-
- - DNSSEC answer validation increases the resolver's work load, since
- a DNSSEC-aware resolver will need to perform signature validation
- and in some cases will also need to issue further queries. This
- increased workload will also increase the time it takes to get an
- answer back to the original DNS client, which is likely to trigger
- both timeouts and re-queries in some cases. Arguably, many current
- DNS clients are already too impatient even before taking the
- further delays that DNSSEC will impose into account, but that topic
- is beyond the scope of this note.
-
- - Like DNS itself, DNSSEC's trust model is almost totally
- hierarchical. While DNSSEC does allow resolvers to have special
- additional knowledge of public keys beyond those for the root, in
- the general case the root key is the one that matters. Thus any
- compromise in any of the zones between the root and a particular
- target name can damage DNSSEC's ability to protect the integrity of
- data owned by that target name. This is not a change, since
- insecure DNS has the same model.
-
- - Key rollover at the root is really hard. Work to date has not even
- come close to adequately specifying how the root key rolls over, or
- even how it's configured in the first place.
-
- - DNSSEC creates a requirement of loose time synchronization between
- the validating resolver and the entity creating the DNSSEC
- signatures. Prior to DNSSEC, all time-related actions in DNS could
- be performed by a machine that only knew about "elapsed" or
- "relative" time. Because the validity period of a DNSSEC signature
- is based on "absolute" time, a validating resolver must have the
- same concept of absolute time as the zone signer in order to
- determine whether the signature is within its validity period or
- has expired. An attacker that can change a resolver's opinion of
- the current absolute time can fool the resolver using expired
-
-
-
-Atkins & Austein Informational [Page 10]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- signatures. An attacker that can change the zone signer's opinion
- of the current absolute time can fool the zone signer into
- generating signatures whose validity period does not match what the
- signer intended.
-
- - The possible existence of wildcard RRs in a zone complicates the
- authenticated denial mechanism considerably. For most of the
- decade that DNSSEC has been under development these issues were
- poorly understood. At various times there have been questions as
- to whether the authenticated denial mechanism is completely
- airtight and whether it would be worthwhile to optimize the
- authenticated denial mechanism for the common case in which
- wildcards are not present in a zone. However, the main problem is
- just the inherent complexity of the wildcard mechanism itself.
- This complexity probably makes the code for generating and checking
- authenticated denial attestations somewhat fragile, but since the
- alternative of giving up wildcards entirely is not practical due to
- widespread use, we are going to have to live with wildcards. The
- question just becomes one of whether or not the proposed
- optimizations would make DNSSEC's mechanisms more or less fragile.
-
- - Even with DNSSEC, the class of attacks discussed in section 2.4 is
- not easy to defeat. In order for DNSSEC to be effective in this
- case, it must be possible to configure the resolver to expect
- certain categories of DNS records to be signed. This may require
- manual configuration of the resolver, especially during the initial
- DNSSEC rollout period when the resolver cannot reasonably expect
- the root and TLD zones to be signed.
-
-4. Topics for Future Work
-
- This section lists a few subjects not covered above which probably
- need additional study, additional mechanisms, or both.
-
-4.1. Interactions With Other Protocols
-
- The above discussion has concentrated exclusively on attacks within
- the boundaries of the DNS protocol itself, since those are (some of)
- the problems against which DNSSEC was intended to protect. There
- are, however, other potential problems at the boundaries where DNS
- interacts with other protocols.
-
-4.2. Securing DNS Dynamic Update
-
- DNS dynamic update opens a number of potential problems when combined
- with DNSSEC. Dynamic update of a non-secure zone can use TSIG to
- authenticate the updating client to the server. While TSIG does not
- scale very well (it requires manual configuration of shared keys
-
-
-
-Atkins & Austein Informational [Page 11]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- between the DNS name server and each TSIG client), it works well in a
- limited or closed environment such as a DHCP server updating a local
- DNS name server.
-
- Major issues arise when trying to use dynamic update on a secure
- zone. TSIG can similarly be used in a limited fashion to
- authenticate the client to the server, but TSIG only protects DNS
- transactions, not the actual data, and the TSIG is not inserted into
- the DNS zone, so resolvers cannot use the TSIG as a way of verifying
- the changes to the zone. This means that either:
-
- a) The updating client must have access to a zone-signing key in
- order to sign the update before sending it to the server, or
-
- b) The DNS name server must have access to an online zone-signing key
- in order to sign the update.
-
- In either case, a zone-signing key must be available to create signed
- RRsets to place in the updated zone. The fact that this key must be
- online (or at least available) is a potential security risk.
-
- Dynamic update also requires an update to the SERIAL field of the
- zone's SOA RR. In theory, this could also be handled via either of
- the above options, but in practice (a) would almost certainly be
- extremely fragile, so (b) is the only workable mechanism.
-
- There are other threats in terms of describing the policy of who can
- make what changes to which RRsets in the zone. The current access
- control scheme in Secure Dynamic Update is fairly limited. There is
- no way to give fine-grained access to updating DNS zone information
- to multiple entities, each of whom may require different kinds of
- access. For example, Alice may need to be able to add new nodes to
- the zone or change existing nodes, but not remove them; Bob may need
- to be able to remove zones but not add them; Carol may need to be
- able to add, remove, or modify nodes, but only A records.
-
- Scaling properties of the key management problem here are a
- particular concern that needs more study.
-
-4.3. Securing DNS Zone Replication
-
- As discussed in previous sections, DNSSEC per se attempts to provide
- data integrity and data origin authentication services on top of the
- normal DNS query protocol. Using the terminology discussed in
- [RFC3552], DNSSEC provides "object security" for the normal DNS query
- protocol. For purposes of replicating entire DNS zones, however,
- DNSSEC does not provide object security, because zones include
- unsigned NS RRs and glue at delegation points. Use of TSIG to
-
-
-
-Atkins & Austein Informational [Page 12]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- protect zone transfer (AXFR or IXFR) operations provides "channel
- security", but still does not provide object security for complete
- zones. The trust relationships involved in zone transfer are still
- very much a hop-by-hop matter of name server operators trusting other
- name server operators rather than an end-to-end matter of name server
- operators trusting zone administrators.
-
- Zone object security was not an explicit design goal of DNSSEC, so
- failure to provide this service should not be a surprise.
- Nevertheless, there are some zone replication scenarios for which
- this would be a very useful additional service, so this seems like a
- useful area for future work. In theory it should not be difficult to
- add zone object security as a backwards compatible enhancement to the
- existing DNSSEC model, but the DNSEXT WG has not yet discussed either
- the desirability of or the requirements for such an enhancement.
-
-5. Conclusion
-
- Based on the above analysis, the DNSSEC extensions do appear to solve
- a set of problems that do need to be solved, and are worth deploying.
-
-Security Considerations
-
- This entire document is about security considerations of the DNS.
- The authors believe that deploying DNSSEC will help to address some,
- but not all, of the known threats to the DNS.
-
-Acknowledgments
-
- This note is based both on previous published works by others and on
- a number of discussions both public and private over a period of many
- years, but particular thanks go to
-
- Jaap Akkerhuis,
- Steve Bellovin,
- Dan Bernstein,
- Randy Bush,
- Steve Crocker,
- Olafur Gudmundsson,
- Russ Housley,
- Rip Loomis,
- Allison Mankin,
- Paul Mockapetris,
- Thomas Narten
- Mans Nilsson,
- Pekka Savola,
- Paul Vixie,
- Xunhua Wang,
-
-
-
-Atkins & Austein Informational [Page 13]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
- and any other members of the DNS, DNSSEC, DNSIND, and DNSEXT working
- groups whose names and contributions the authors have forgotten, none
- of whom are responsible for what the authors did with their ideas.
-
- As with any work of this nature, the authors of this note acknowledge
- that we are standing on the toes of those who have gone before us.
- Readers interested in this subject may also wish to read
- [Bellovin95], [Schuba93], and [Vixie95].
-
-Normative References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and
- facilities", STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC1123] Braden, R., "Requirements for Internet Hosts -
- Application and Support", STD 3, RFC 1123, October 1989.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
- Wellington, "Secret Key Transaction Authentication for
- DNS (TSIG)", RFC 2845, May 2000.
-
- [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS
- (TKEY RR)", RFC 2930, September 2000.
-
- [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
- [RFC2535] Eastlake 3rd, D., "Domain Name System Security
- Extensions", RFC 2535, March 1999.
-
-
-
-
-
-
-
-
-
-
-Atkins & Austein Informational [Page 14]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
-Informative References
-
- [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
- Text on Security Considerations", BCP 72, RFC 3552, July
- 2003.
-
- [Bellovin95] Bellovin, S., "Using the Domain Name System for System
- Break-Ins", Proceedings of the Fifth Usenix Unix
- Security Symposium, June 1995.
-
- [Galvin93] Design team meeting summary message posted to dns-
- security@tis.com mailing list by Jim Galvin on 19
- November 1993.
-
- [Schuba93] Schuba, C., "Addressing Weaknesses in the Domain Name
- System Protocol", Master's thesis, Purdue University
- Department of Computer Sciences, August 1993.
-
- [Vixie95] Vixie, P, "DNS and BIND Security Issues", Proceedings of
- the Fifth Usenix Unix Security Symposium, June 1995.
-
-Authors' Addresses
-
- Derek Atkins
- IHTFP Consulting, Inc.
- 6 Farragut Ave
- Somerville, MA 02144
- USA
-
- EMail: derek@ihtfp.com
-
-
- Rob Austein
- Internet Systems Consortium
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- EMail: sra@isc.org
-
-
-
-
-
-
-
-
-
-
-
-
-Atkins & Austein Informational [Page 15]
-
-RFC 3833 DNS Threat Analysis August 2004
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2004). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-Atkins & Austein Informational [Page 16]
-
diff --git a/contrib/bind9/doc/rfc/rfc3845.txt b/contrib/bind9/doc/rfc/rfc3845.txt
deleted file mode 100644
index 9887a20af0b5..000000000000
--- a/contrib/bind9/doc/rfc/rfc3845.txt
+++ /dev/null
@@ -1,395 +0,0 @@
-
-
-
-
-
-
-Network Working Group J. Schlyter, Ed.
-Request for Comments: 3845 August 2004
-Updates: 3755, 2535
-Category: Standards Track
-
-
- DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
-
-Status of this Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004).
-
-Abstract
-
- This document redefines the wire format of the "Type Bit Map" field
- in the DNS NextSECure (NSEC) resource record RDATA format to cover
- the full resource record (RR) type space.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
- 2. The NSEC Resource Record . . . . . . . . . . . . . . . . . . . 2
- 2.1. NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . 3
- 2.1.1. The Next Domain Name Field . . . . . . . . . . . 3
- 2.1.2. The List of Type Bit Map(s) Field . . . . . . . 3
- 2.1.3. Inclusion of Wildcard Names in NSEC RDATA . . . 4
- 2.2. The NSEC RR Presentation Format . . . . . . . . . . . . 4
- 2.3. NSEC RR Example . . . . . . . . . . . . . . . . . . . . 5
- 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
- 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
- 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 5.1. Normative References . . . . . . . . . . . . . . . . . . 6
- 5.2. Informative References . . . . . . . . . . . . . . . . . 6
- 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
- 7. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 6
- 8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 7
-
-
-
-
-
-
-
-Schlyter, Ed. Standards Track [Page 1]
-
-RFC 3845 DNSSEC NSEC RDATA Format August 2004
-
-
-1. Introduction
-
- The DNS [6][7] NSEC [5] Resource Record (RR) is used for
- authenticated proof of the non-existence of DNS owner names and
- types. The NSEC RR is based on the NXT RR as described in RFC 2535
- [2], and is similar except for the name and typecode. The RDATA
- format for the NXT RR has the limitation in that the RDATA could only
- carry information about the existence of the first 127 types. RFC
- 2535 did reserve a bit to specify an extension mechanism, but the
- mechanism was never actually defined.
-
- In order to avoid needing to develop an extension mechanism into a
- deployed base of DNSSEC aware servers and resolvers once the first
- 127 type codes are allocated, this document redefines the wire format
- of the "Type Bit Map" field in the NSEC RDATA to cover the full RR
- type space.
-
- This document introduces a new format for the type bit map. The
- properties of the type bit map format are that it can cover the full
- possible range of typecodes, that it is relatively economical in the
- amount of space it uses for the common case of a few types with an
- owner name, that it can represent owner names with all possible types
- present in packets of approximately 8.5 kilobytes, and that the
- representation is simple to implement. Efficient searching of the
- type bitmap for the presence of certain types is not a requirement.
-
- For convenience and completeness, this document presents the syntax
- and semantics for the NSEC RR based on the specification in RFC 2535
- [2] and as updated by RFC 3755 [5], thereby not introducing changes
- except for the syntax of the type bit map.
-
- This document updates RFC 2535 [2] and RFC 3755 [5].
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in BCP 14, RFC 2119 [1].
-
-2. The NSEC Resource Record
-
- The NSEC resource record lists two separate things: the owner name of
- the next RRset in the canonical ordering of the zone, and the set of
- RR types present at the NSEC RR's owner name. The complete set of
- NSEC RRs in a zone indicate which RRsets exist in a zone, and form a
- chain of owner names in the zone. This information is used to
- provide authenticated denial of existence for DNS data, as described
- in RFC 2535 [2].
-
- The type value for the NSEC RR is 47.
-
-
-
-Schlyter, Ed. Standards Track [Page 2]
-
-RFC 3845 DNSSEC NSEC RDATA Format August 2004
-
-
- The NSEC RR RDATA format is class independent and defined for all
- classes.
-
- The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
- field. This is in the spirit of negative caching [8].
-
-2.1. NSEC RDATA Wire Format
-
- The RDATA of the NSEC RR is as shown below:
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Next Domain Name /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / List of Type Bit Map(s) /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-2.1.1. The Next Domain Name Field
-
- The Next Domain Name field contains the owner name of the next RR in
- the canonical ordering of the zone. The value of the Next Domain
- Name field in the last NSEC record in the zone is the name of the
- zone apex (the owner name of the zone's SOA RR).
-
- A sender MUST NOT use DNS name compression on the Next Domain Name
- field when transmitting an NSEC RR.
-
- Owner names of RRsets that are not authoritative for the given zone
- (such as glue records) MUST NOT be listed in the Next Domain Name
- unless at least one authoritative RRset exists at the same owner
- name.
-
-2.1.2. The List of Type Bit Map(s) Field
-
- The RR type space is split into 256 window blocks, each representing
- the low-order 8 bits of the 16-bit RR type space. Each block that
- has at least one active RR type is encoded using a single octet
- window number (from 0 to 255), a single octet bitmap length (from 1
- to 32) indicating the number of octets used for the window block's
- bitmap, and up to 32 octets (256 bits) of bitmap.
-
- Window blocks are present in the NSEC RR RDATA in increasing
- numerical order.
-
- "|" denotes concatenation
-
- Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
-
-
-
-Schlyter, Ed. Standards Track [Page 3]
-
-RFC 3845 DNSSEC NSEC RDATA Format August 2004
-
-
- Each bitmap encodes the low-order 8 bits of RR types within the
- window block, in network bit order. The first bit is bit 0. For
- window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
- to RR type 2 (NS), and so forth. For window block 1, bit 1
- corresponds to RR type 257, and bit 2 to RR type 258. If a bit is
- set to 1, it indicates that an RRset of that type is present for the
- NSEC RR's owner name. If a bit is set to 0, it indicates that no
- RRset of that type is present for the NSEC RR's owner name.
-
- Since bit 0 in window block 0 refers to the non-existing RR type 0,
- it MUST be set to 0. After verification, the validator MUST ignore
- the value of bit 0 in window block 0.
-
- Bits representing Meta-TYPEs or QTYPEs, as specified in RFC 2929 [3]
- (section 3.1), or within the range reserved for assignment only to
- QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
- zone data. If encountered, they must be ignored upon reading.
-
- Blocks with no types present MUST NOT be included. Trailing zero
- octets in the bitmap MUST be omitted. The length of each block's
- bitmap is determined by the type code with the largest numerical
- value within that block, among the set of RR types present at the
- NSEC RR's owner name. Trailing zero octets not specified MUST be
- interpreted as zero octets.
-
-2.1.3. Inclusion of Wildcard Names in NSEC RDATA
-
- If a wildcard owner name appears in a zone, the wildcard label ("*")
- is treated as a literal symbol and is treated the same as any other
- owner name for purposes of generating NSEC RRs. Wildcard owner names
- appear in the Next Domain Name field without any wildcard expansion.
- RFC 2535 [2] describes the impact of wildcards on authenticated
- denial of existence.
-
-2.2. The NSEC RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Next Domain Name field is represented as a domain name.
-
- The List of Type Bit Map(s) Field is represented as a sequence of RR
- type mnemonics. When the mnemonic is not known, the TYPE
- representation as described in RFC 3597 [4] (section 5) MUST be used.
-
-
-
-
-
-
-
-
-Schlyter, Ed. Standards Track [Page 4]
-
-RFC 3845 DNSSEC NSEC RDATA Format August 2004
-
-
-2.3. NSEC RR Example
-
- The following NSEC RR identifies the RRsets associated with
- alfa.example.com. and the next authoritative name after
- alfa.example.com.
-
- alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC
- TYPE1234
-
- The first four text fields specify the name, TTL, Class, and RR type
- (NSEC). The entry host.example.com. is the next authoritative name
- after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC,
- and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and
- TYPE1234 RRsets associated with the name alfa.example.com.
-
- The RDATA section of the NSEC RR above would be encoded as:
-
- 0x04 'h' 'o' 's' 't'
- 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e'
- 0x03 'c' 'o' 'm' 0x00
- 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
- 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x20
-
- Assuming that the resolver can authenticate this NSEC record, it
- could be used to prove that beta.example.com does not exist, or could
- be used to prove that there is no AAAA record associated with
- alfa.example.com. Authenticated denial of existence is discussed in
- RFC 2535 [2].
-
-3. IANA Considerations
-
- This document introduces no new IANA considerations, because all of
- the protocol parameters used in this document have already been
- assigned by RFC 3755 [5].
-
-4. Security Considerations
-
- The update of the RDATA format and encoding does not affect the
- security of the use of NSEC RRs.
-
-
-
-
-
-
-
-
-
-Schlyter, Ed. Standards Track [Page 5]
-
-RFC 3845 DNSSEC NSEC RDATA Format August 2004
-
-
-5. References
-
-5.1. Normative References
-
- [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [2] Eastlake 3rd, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [3] Eastlake 3rd, D., Brunner-Williams, E., and B. Manning, "Domain
- Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
- September 2000.
-
- [4] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
- Types", RFC 3597, September 2003.
-
- [5] Weiler, S., "Legacy Resolver Compatibility for Delegation Signer
- (DS)", RFC 3755, May 2004.
-
-5.2. Informative References
-
- [6] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [7] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [8] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
- 2308, March 1998.
-
-6. Acknowledgements
-
- The encoding described in this document was initially proposed by
- Mark Andrews. Other encodings where proposed by David Blacka and
- Michael Graff.
-
-7. Author's Address
-
- Jakob Schlyter (editor)
- NIC-SE
- Box 5774
- Stockholm SE-114 87
- Sweden
-
- EMail: jakob@nic.se
- URI: http://www.nic.se/
-
-
-
-
-Schlyter, Ed. Standards Track [Page 6]
-
-RFC 3845 DNSSEC NSEC RDATA Format August 2004
-
-
-8. Full Copyright Statement
-
- Copyright (C) The Internet Society (2004).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
- INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the IETF's procedures with respect to rights in IETF Documents can
- be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Schlyter, Ed. Standards Track [Page 7]
-
diff --git a/contrib/bind9/doc/rfc/rfc3901.txt b/contrib/bind9/doc/rfc/rfc3901.txt
deleted file mode 100644
index 43b7356e6adf..000000000000
--- a/contrib/bind9/doc/rfc/rfc3901.txt
+++ /dev/null
@@ -1,283 +0,0 @@
-
-
-
-
-
-
-Network Working Group A. Durand
-Request for Comments: 3901 SUN Microsystems, Inc.
-BCP: 91 J. Ihren
-Category: Best Current Practice Autonomica
- September 2004
-
-
- DNS IPv6 Transport Operational Guidelines
-
-Status of this Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2004).
-
-Abstract
-
- This memo provides guidelines and Best Current Practice for operating
- DNS in a world where queries and responses are carried in a mixed
- environment of IPv4 and IPv6 networks.
-
-1. Introduction to the Problem of Name Space Fragmentation:
- following the referral chain
-
- A resolver that tries to look up a name starts out at the root, and
- follows referrals until it is referred to a name server that is
- authoritative for the name. If somewhere down the chain of referrals
- it is referred to a name server that is only accessible over a
- transport which the resolver cannot use, the resolver is unable to
- finish the task.
-
- When the Internet moves from IPv4 to a mixture of IPv4 and IPv6 it is
- only a matter of time until this starts to happen. The complete DNS
- hierarchy then starts to fragment into a graph where authoritative
- name servers for certain nodes are only accessible over a certain
- transport. The concern is that a resolver using only a particular
- version of IP and querying information about another node using the
- same version of IP can not do it because somewhere in the chain of
- servers accessed during the resolution process, one or more of them
- will only be accessible with the other version of IP.
-
- With all DNS data only available over IPv4 transport everything is
- simple. IPv4 resolvers can use the intended mechanism of following
- referrals from the root and down while IPv6 resolvers have to work
-
-
-
-Durand & Ihren Best Current Practice [Page 1]
-
-RFC 3901 DNS IPv6 Transport Guidelines September 2004
-
-
- through a "translator", i.e., they have to use a recursive name
- server on a so-called "dual stack" host as a "forwarder" since they
- cannot access the DNS data directly.
-
- With all DNS data only available over IPv6 transport everything would
- be equally simple, with the exception of IPv4 recursive name servers
- having to switch to a forwarding configuration.
-
- However, the second situation will not arise in the foreseeable
- future. Instead, the transition will be from IPv4 only to a mixture
- of IPv4 and IPv6, with three categories of DNS data depending on
- whether the information is available only over IPv4 transport, only
- over IPv6 or both.
-
- Having DNS data available on both transports is the best situation.
- The major question is how to ensure that it becomes the norm as
- quickly as possible. However, while it is obvious that some DNS data
- will only be available over v4 transport for a long time it is also
- obvious that it is important to avoid fragmenting the name space
- available to IPv4 only hosts. For example, during transition it is
- not acceptable to break the name space that we presently have
- available for IPv4-only hosts.
-
-2. Terminology
-
- The phrase "IPv4 name server" indicates a name server available over
- IPv4 transport. It does not imply anything about what DNS [1,2] data
- is served. Likewise, "IPv6 [4,5,6] name server" indicates a name
- server available over IPv6 transport. The phrase "dual-stack name
- server" indicates a name server that is actually configured to run
- both protocols, IPv4 and IPv6, and not merely a server running on a
- system capable of running both but actually configured to run only
- one.
-
-3. Policy Based Avoidance of Name Space Fragmentation
-
- Today there are only a few DNS "zones" on the public Internet that
- are available over IPv6 transport, and most of them can be regarded
- as "experimental". However, as soon as the root and top level
- domains are available over IPv6 transport, it is reasonable to expect
- that it will become more common to have zones served by IPv6 servers.
-
- Having those zones served only by IPv6-only name server would not be
- a good development, since this will fragment the previously
- unfragmented IPv4 name space and there are strong reasons to find a
- mechanism to avoid it.
-
-
-
-
-
-Durand & Ihren Best Current Practice [Page 2]
-
-RFC 3901 DNS IPv6 Transport Guidelines September 2004
-
-
- The recommended approach to maintain name space continuity is to use
- administrative policies, as described in the next section.
-
-4. DNS IPv6 Transport recommended Guidelines
-
- In order to preserve name space continuity, the following
- administrative policies are recommended:
-
- - every recursive name server SHOULD be either IPv4-only or dual
- stack,
-
- This rules out IPv6-only recursive servers. However, one might
- design configurations where a chain of IPv6-only name server
- forward queries to a set of dual stack recursive name server
- actually performing those recursive queries.
-
- - every DNS zone SHOULD be served by at least one IPv4-reachable
- authoritative name server.
-
- This rules out DNS zones served only by IPv6-only authoritative
- name servers.
-
- Note: zone validation processes SHOULD ensure that there is at least
- one IPv4 address record available for the name servers of any child
- delegations within the zone.
-
-5. Security Considerations
-
- The guidelines described in this memo introduce no new security
- considerations into the DNS protocol or associated operational
- scenarios.
-
-6. Acknowledgment
-
- This document is the result of many conversations that happened in
- the DNS community at IETF and elsewhere since 2001. During that
- period of time, a number of Internet drafts have been published to
- clarify various aspects of the issues at stake. This document
- focuses on the conclusion of those discussions.
-
- The authors would like to acknowledge the role of Pekka Savola in his
- thorough review of the document.
-
-
-
-
-
-
-
-
-
-Durand & Ihren Best Current Practice [Page 3]
-
-RFC 3901 DNS IPv6 Transport Guidelines September 2004
-
-
-7. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
- 9, RFC 2026, October 1996.
-
- [4] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
- Specification", RFC 2460, December 1998.
-
- [5] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
- Addressing Architecture", RFC 3513, April 2003.
-
- [6] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS
- Extensions to Support IP Version 6", RFC 3596, October 2003.
-
-8. Authors' Addresses
-
- Alain Durand
- SUN Microsystems, Inc
- 17 Network circle UMPK17-202
- Menlo Park, CA, 94025
- USA
-
- EMail: Alain.Durand@sun.com
-
-
- Johan Ihren
- Autonomica
- Bellmansgatan 30
- SE-118 47 Stockholm
- Sweden
-
- EMail: johani@autonomica.se
-
-
-
-
-
-
-
-
-
-
-
-
-
-Durand & Ihren Best Current Practice [Page 4]
-
-RFC 3901 DNS IPv6 Transport Guidelines September 2004
-
-
-9. Full Copyright Statement
-
- Copyright (C) The Internet Society (2004).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
- INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the IETF's procedures with respect to rights in IETF Documents can
- be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Durand & Ihren Best Current Practice [Page 5]
-
diff --git a/contrib/bind9/doc/rfc/rfc4025.txt b/contrib/bind9/doc/rfc/rfc4025.txt
deleted file mode 100644
index 92e7f4007956..000000000000
--- a/contrib/bind9/doc/rfc/rfc4025.txt
+++ /dev/null
@@ -1,675 +0,0 @@
-
-
-
-
-
-
-Network Working Group M. Richardson
-Request for Comments: 4025 SSW
-Category: Standards Track February 2005
-
-
- A Method for Storing IPsec Keying Material in DNS
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document describes a new resource record for the Domain Name
- System (DNS). This record may be used to store public keys for use
- in IP security (IPsec) systems. The record also includes provisions
- for indicating what system should be contacted when an IPsec tunnel
- is established with the entity in question.
-
- This record replaces the functionality of the sub-type #4 of the KEY
- Resource Record, which has been obsoleted by RFC 3445.
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
- 1.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2
- 1.2. Use of DNS Address-to-Name Maps (IN-ADDR.ARPA and
- IP6.ARPA) . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.3. Usage Criteria . . . . . . . . . . . . . . . . . . . . . 3
- 2. Storage Formats . . . . . . . . . . . . . . . . . . . . . . . 3
- 2.1. IPSECKEY RDATA Format . . . . . . . . . . . . . . . . . 3
- 2.2. RDATA Format - Precedence . . . . . . . . . . . . . . . 4
- 2.3. RDATA Format - Gateway Type . . . . . . . . . . . . . . 4
- 2.4. RDATA Format - Algorithm Type . . . . . . . . . . . . . 4
- 2.5. RDATA Format - Gateway . . . . . . . . . . . . . . . . . 5
- 2.6. RDATA Format - Public Keys . . . . . . . . . . . . . . . 5
- 3. Presentation Formats . . . . . . . . . . . . . . . . . . . . . 6
- 3.1. Representation of IPSECKEY RRs . . . . . . . . . . . . . 6
- 3.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 6
- 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7
-
-
-
-Richardson Standards Track [Page 1]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- 4.1. Active Attacks Against Unsecured IPSECKEY Resource
- Records . . . . . . . . . . . . . . . . . . . . . . . . 8
- 4.1.1. Active Attacks Against IPSECKEY Keying
- Materials. . . . . . . . . . . . . . . . . . . . 8
- 4.1.2. Active Attacks Against IPSECKEY Gateway
- Material. . . . . . . . . . . . . . . . . . . . 8
- 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
- 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
- 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
- 7.1. Normative References . . . . . . . . . . . . . . . . . . 10
- 7.2. Informative References . . . . . . . . . . . . . . . . . 10
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 11
- Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 12
-
-1. Introduction
-
- Suppose a host wishes (or is required by policy) to establish an
- IPsec tunnel with some remote entity on the network prior to allowing
- normal communication to take place. In many cases, this end system
- will be able to determine the DNS name for the remote entity (either
- by having the DNS name given explicitly, by performing a DNS PTR
- query for a particular IP address, or through some other means, e.g.,
- by extracting the DNS portion of a "user@FQDN" name for a remote
- entity). In these cases, the host will need to obtain a public key
- to authenticate the remote entity, and may also need some guidance
- about whether it should contact the entity directly or use another
- node as a gateway to the target entity. The IPSECKEY RR provides a
- mechanism for storing such information.
-
- The type number for the IPSECKEY RR is 45.
-
- This record replaces the functionality of the sub-type #4 of the KEY
- Resource Record, which has been obsoleted by RFC 3445 [11].
-
-1.1. Overview
-
- The IPSECKEY resource record (RR) is used to publish a public key
- that is to be associated with a Domain Name System (DNS) [1] name for
- use with the IPsec protocol suite. This can be the public key of a
- host, network, or application (in the case of per-port keying).
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [3].
-
-
-
-
-
-
-
-Richardson Standards Track [Page 2]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
-1.2. Use of DNS Address-to-Name Maps (IN-ADDR.ARPA and IP6.ARPA)
-
- Often a security gateway will only have access to the IP address of
- the node with which communication is desired and will not know any
- other name for the target node. Because of this, frequently the best
- way of looking up IPSECKEY RRs will be by using the IP address as an
- index into one of the reverse mapping trees (IN-ADDR.ARPA for IPv4 or
- IP6.ARPA for IPv6).
-
- The lookup is done in the fashion usual for PTR records. The IP
- address' octets (IPv4) or nibbles (IPv6) are reversed and looked up
- with the appropriate suffix. Any CNAMEs or DNAMEs found MUST be
- followed.
-
- Note: even when the IPsec function is contained in the end-host,
- often only the application will know the forward name used. Although
- the case where the application knows the forward name is common, the
- user could easily have typed in a literal IP address. This storage
- mechanism does not preclude using the forward name when it is
- available but does not require it.
-
-1.3. Usage Criteria
-
- An IPSECKEY resource record SHOULD be used in combination with DNSSEC
- [8] unless some other means of authenticating the IPSECKEY resource
- record is available.
-
- It is expected that there will often be multiple IPSECKEY resource
- records at the same name. This will be due to the presence of
- multiple gateways and a need to roll over keys.
-
- This resource record is class independent.
-
-2. Storage Formats
-
-2.1. IPSECKEY RDATA Format
-
- The RDATA for an IPSECKEY RR consists of a precedence value, a
- gateway type, a public key, algorithm type, and an optional gateway
- address.
-
-
-
-
-
-
-
-
-
-
-
-Richardson Standards Track [Page 3]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | precedence | gateway type | algorithm | gateway |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
- ~ gateway ~
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | /
- / public key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
-
-2.2. RDATA Format - Precedence
-
- This is an 8-bit precedence for this record. It is interpreted in
- the same way as the PREFERENCE field described in section 3.3.9 of
- RFC 1035 [2].
-
- Gateways listed in IPSECKEY records with lower precedence are to be
- attempted first. Where there is a tie in precedence, the order
- should be non-deterministic.
-
-2.3. RDATA Format - Gateway Type
-
- The gateway type field indicates the format of the information that
- is stored in the gateway field.
-
- The following values are defined:
- 0 No gateway is present.
- 1 A 4-byte IPv4 address is present.
- 2 A 16-byte IPv6 address is present.
- 3 A wire-encoded domain name is present. The wire-encoded format is
- self-describing, so the length is implicit. The domain name MUST
- NOT be compressed. (See Section 3.3 of RFC 1035 [2].)
-
-2.4. RDATA Format - Algorithm Type
-
- The algorithm type field identifies the public key's cryptographic
- algorithm and determines the format of the public key field.
-
- A value of 0 indicates that no key is present.
-
- The following values are defined:
- 1 A DSA key is present, in the format defined in RFC 2536 [9].
- 2 A RSA key is present, in the format defined in RFC 3110 [10].
-
-
-
-
-
-
-Richardson Standards Track [Page 4]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
-2.5. RDATA Format - Gateway
-
- The gateway field indicates a gateway to which an IPsec tunnel may be
- created in order to reach the entity named by this resource record.
-
- There are three formats:
-
- A 32-bit IPv4 address is present in the gateway field. The data
- portion is an IPv4 address as described in section 3.4.1 of RFC 1035
- [2]. This is a 32-bit number in network byte order.
-
- A 128-bit IPv6 address is present in the gateway field. The data
- portion is an IPv6 address as described in section 2.2 of RFC 3596
- [12]. This is a 128-bit number in network byte order.
-
- The gateway field is a normal wire-encoded domain name, as described
- in section 3.3 of RFC 1035 [2]. Compression MUST NOT be used.
-
-2.6. RDATA Format - Public Keys
-
- Both the public key types defined in this document (RSA and DSA)
- inherit their public key formats from the corresponding KEY RR
- formats. Specifically, the public key field contains the
- algorithm-specific portion of the KEY RR RDATA, which is all the KEY
- RR DATA after the first four octets. This is the same portion of the
- KEY RR that must be specified by documents that define a DNSSEC
- algorithm. Those documents also specify a message digest to be used
- for generation of SIG RRs; that specification is not relevant for
- IPSECKEY RRs.
-
- Future algorithms, if they are to be used by both DNSSEC (in the KEY
- RR) and IPSECKEY, are likely to use the same public key encodings in
- both records. Unless otherwise specified, the IPSECKEY public key
- field will contain the algorithm-specific portion of the KEY RR RDATA
- for the corresponding algorithm. The algorithm must still be
- designated for use by IPSECKEY, and an IPSECKEY algorithm type number
- (which might be different from the DNSSEC algorithm number) must be
- assigned to it.
-
- The DSA key format is defined in RFC 2536 [9]
-
- The RSA key format is defined in RFC 3110 [10], with the following
- changes:
-
- The earlier definition of RSA/MD5 in RFC 2065 [4] limited the
- exponent and modulus to 2552 bits in length. RFC 3110 extended that
- limit to 4096 bits for RSA/SHA1 keys. The IPSECKEY RR imposes no
- length limit on RSA public keys, other than the 65535 octet limit
-
-
-
-Richardson Standards Track [Page 5]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- imposed by the two-octet length encoding. This length extension is
- applicable only to IPSECKEY; it is not applicable to KEY RRs.
-
-3. Presentation Formats
-
-3.1. Representation of IPSECKEY RRs
-
- IPSECKEY RRs may appear in a zone data master file. The precedence,
- gateway type, algorithm, and gateway fields are REQUIRED. The base64
- encoded public key block is OPTIONAL; if it is not present, the
- public key field of the resource record MUST be construed to be zero
- octets in length.
-
- The algorithm field is an unsigned integer. No mnemonics are
- defined.
-
- If no gateway is to be indicated, then the gateway type field MUST be
- zero, and the gateway field MUST be "."
-
- The Public Key field is represented as a Base64 encoding of the
- Public Key. Whitespace is allowed within the Base64 text. For a
- definition of Base64 encoding, see RFC 3548 [6], Section 5.2.
-
- The general presentation for the record is as follows:
-
- IN IPSECKEY ( precedence gateway-type algorithm
- gateway base64-encoded-public-key )
-
-3.2. Examples
-
- An example of a node, 192.0.2.38, that will accept IPsec tunnels on
- its own behalf.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
- 192.0.2.38
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 192.0.2.38, that has published its key only.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 0 2
- .
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-
-
-
-
-
-
-
-
-Richardson Standards Track [Page 6]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- An example of a node, 192.0.2.38, that has delegated authority to the
- node 192.0.2.3.
-
- 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
- 192.0.2.3
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 192.0.1.38 that has delegated authority to the
- node with the identity "mygateway.example.com".
-
- 38.1.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 3 2
- mygateway.example.com.
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
- An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0, that has
- delegated authority to the node 2001:0DB8:c000:0200:2::1
-
- $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.arpa.
- 0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN IPSECKEY ( 10 2 2
- 2001:0DB8:0:8002::2000:1
- AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
-
-4. Security Considerations
-
- This entire memo pertains to the provision of public keying material
- for use by key management protocols such as ISAKMP/IKE (RFC 2407)
- [7].
-
- The IPSECKEY resource record contains information that SHOULD be
- communicated to the end client in an integral fashion; i.e., free
- from modification. The form of this channel is up to the consumer of
- the data; there must be a trust relationship between the end consumer
- of this resource record and the server. This relationship may be
- end-to-end DNSSEC validation, a TSIG or SIG(0) channel to another
- secure source, a secure local channel on the host, or some
- combination of the above.
-
- The keying material provided by the IPSECKEY resource record is not
- sensitive to passive attacks. The keying material may be freely
- disclosed to any party without any impact on the security properties
- of the resulting IPsec session. IPsec and IKE provide defense
- against both active and passive attacks.
-
- Any derivative specification that makes use of this resource record
- MUST carefully document its trust model and why the trust model of
- DNSSEC is appropriate, if that is the secure channel used.
-
-
-
-
-
-Richardson Standards Track [Page 7]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- An active attack on the DNS that caused the wrong IP address to be
- retrieved (via forged address), and therefore the wrong QNAME to be
- queried, would also result in a man-in-the-middle attack. This
- situation is independent of whether the IPSECKEY RR is used.
-
-4.1. Active Attacks Against Unsecured IPSECKEY Resource Records
-
- This section deals with active attacks against the DNS. These
- attacks require that DNS requests and responses be intercepted and
- changed. DNSSEC is designed to defend against attacks of this kind.
- This section deals with the situation in which DNSSEC is not
- available. This is not the recommended deployment scenario.
-
-4.1.1. Active Attacks Against IPSECKEY Keying Materials
-
- The first kind of active attack is when the attacker replaces the
- keying material with either a key under its control or with garbage.
-
- The gateway field is either untouched or is null. The IKE
- negotiation will therefore occur with the original end-system. For
- this attack to succeed, the attacker must perform a man-in-the-middle
- attack on the IKE negotiation. This attack requires that the
- attacker be able to intercept and modify packets on the forwarding
- path for the IKE and data packets.
-
- If the attacker is not able to perform this man-in-the-middle attack
- on the IKE negotiation, then a denial of service will result, as the
- IKE negotiation will fail.
-
- If the attacker is not only able to mount active attacks against DNS
- but also in a position to perform a man-in-the-middle attack on IKE
- and IPsec negotiations, then the attacker will be able to compromise
- the resulting IPsec channel. Note that an attacker must be able to
- perform active DNS attacks on both sides of the IKE negotiation for
- this to succeed.
-
-4.1.2. Active Attacks Against IPSECKEY Gateway Material
-
- The second kind of active attack is one in which the attacker
- replaces the gateway address to point to a node under the attacker's
- control. The attacker then either replaces the public key or removes
- it. If the public key were removed, then the attacker could provide
- an accurate public key of its own in a second record.
-
- This second form creates a simple man-in-the-middle attacks since the
- attacker can then create a second tunnel to the real destination.
- Note that, as before, this requires that the attacker also mount an
- active attack against the responder.
-
-
-
-Richardson Standards Track [Page 8]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- Note that the man-in-the-middle cannot just forward cleartext packets
- to the original destination. While the destination may be willing to
- speak in the clear, replying to the original sender, the sender will
- already have created a policy expecting ciphertext. Thus, the
- attacker will need to intercept traffic in both directions. In some
- cases, the attacker may be able to accomplish the full intercept by
- use of Network Address/Port Translation (NAT/NAPT) technology.
-
- This attack is easier than the first one because the attacker does
- NOT need to be on the end-to-end forwarding path. The attacker need
- only be able to modify DNS replies. This can be done by packet
- modification, by various kinds of race attacks, or through methods
- that pollute DNS caches.
-
- If the end-to-end integrity of the IPSECKEY RR is suspect, the end
- client MUST restrict its use of the IPSECKEY RR to cases where the RR
- owner name matches the content of the gateway field. As the RR owner
- name is assumed when the gateway field is null, a null gateway field
- is considered a match.
-
- Thus, any records obtained under unverified conditions (e.g., no
- DNSSEC or trusted path to source) that have a non-null gateway field
- MUST be ignored.
-
- This restriction eliminates attacks against the gateway field, which
- are considered much easier, as the attack does not need to be on the
- forwarding path.
-
- In the case of an IPSECKEY RR with a value of three in its gateway
- type field, the gateway field contains a domain name. The subsequent
- query required to translate that name into an IP address or IPSECKEY
- RR will also be subject to man-in-the-middle attacks. If the
- end-to-end integrity of this second query is suspect, then the
- provisions above also apply. The IPSECKEY RR MUST be ignored
- whenever the resulting gateway does not match the QNAME of the
- original IPSECKEY RR query.
-
-5. IANA Considerations
-
- This document updates the IANA Registry for DNS Resource Record Types
- by assigning type 45 to the IPSECKEY record.
-
- This document creates two new IANA registries, both specific to the
- IPSECKEY Resource Record:
-
- This document creates an IANA registry for the algorithm type field.
-
-
-
-
-
-Richardson Standards Track [Page 9]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- Values 0, 1, and 2 are defined in Section 2.4. Algorithm numbers 3
- through 255 can be assigned by IETF Consensus (see RFC 2434 [5]).
-
- This document creates an IANA registry for the gateway type field.
-
- Values 0, 1, 2, and 3 are defined in Section 2.3. Gateway type
- numbers 4 through 255 can be assigned by Standards Action (see RFC
- 2434 [5]).
-
-6. Acknowledgements
-
- My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
- Austein, and Olafur Gudmundsson, who reviewed this document
- carefully. Additional thanks to Olafur Gurmundsson for a reference
- implementation.
-
-7. References
-
-7.1. Normative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
- Levels", BCP 14, RFC 2119, March 1997.
-
- [4] Eastlake 3rd, D. and C. Kaufman, "Domain Name System Security
- Extensions", RFC 2065, January 1997.
-
- [5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
- Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
-
- [6] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
- RFC 3548, July 2003.
-
-7.2. Informative References
-
- [7] Piper, D., "The Internet IP Security Domain of Interpretation
- for ISAKMP", RFC 2407, November 1998.
-
- [8] Eastlake 3rd, D., "Domain Name System Security Extensions", RFC
- 2535, March 1999.
-
- [9] Eastlake 3rd, D., "DSA KEYs and SIGs in the Domain Name System
- (DNS)", RFC 2536, March 1999.
-
-
-
-Richardson Standards Track [Page 10]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
- [10] Eastlake 3rd, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
- Name System (DNS)", RFC 3110, May 2001.
-
- [11] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
- Record (RR)", RFC 3445, December 2002.
-
- [12] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS
- Extensions to Support IP Version 6", RFC 3596, October 2003.
-
-Author's Address
-
- Michael C. Richardson
- Sandelman Software Works
- 470 Dawson Avenue
- Ottawa, ON K1Z 5V7
- CA
-
- EMail: mcr@sandelman.ottawa.on.ca
- URI: http://www.sandelman.ottawa.on.ca/
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Richardson Standards Track [Page 11]
-
-RFC 4025 Storing IPsec Keying Material in DNS February 2005
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the IETF's procedures with respect to rights in IETF Documents can
- be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Richardson Standards Track [Page 12]
-
diff --git a/contrib/bind9/doc/rfc/rfc4033.txt b/contrib/bind9/doc/rfc/rfc4033.txt
deleted file mode 100644
index 7f0a46477319..000000000000
--- a/contrib/bind9/doc/rfc/rfc4033.txt
+++ /dev/null
@@ -1,1179 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Arends
-Request for Comments: 4033 Telematica Instituut
-Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein
- 3755, 3757, 3845 ISC
-Updates: 1034, 1035, 2136, 2181, 2308, 3225, M. Larson
- 3007, 3597, 3226 VeriSign
-Category: Standards Track D. Massey
- Colorado State University
- S. Rose
- NIST
- March 2005
-
-
- DNS Security Introduction and Requirements
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- The Domain Name System Security Extensions (DNSSEC) add data origin
- authentication and data integrity to the Domain Name System. This
- document introduces these extensions and describes their capabilities
- and limitations. This document also discusses the services that the
- DNS security extensions do and do not provide. Last, this document
- describes the interrelationships between the documents that
- collectively describe DNSSEC.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 1]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
- 2. Definitions of Important DNSSEC Terms . . . . . . . . . . . 3
- 3. Services Provided by DNS Security . . . . . . . . . . . . . 7
- 3.1. Data Origin Authentication and Data Integrity . . . . 7
- 3.2. Authenticating Name and Type Non-Existence . . . . . . 9
- 4. Services Not Provided by DNS Security . . . . . . . . . . . 9
- 5. Scope of the DNSSEC Document Set and Last Hop Issues . . . . 9
- 6. Resolver Considerations . . . . . . . . . . . . . . . . . . 10
- 7. Stub Resolver Considerations . . . . . . . . . . . . . . . . 11
- 8. Zone Considerations . . . . . . . . . . . . . . . . . . . . 12
- 8.1. TTL Values vs. RRSIG Validity Period . . . . . . . . . 13
- 8.2. New Temporal Dependency Issues for Zones . . . . . . . 13
- 9. Name Server Considerations . . . . . . . . . . . . . . . . . 13
- 10. DNS Security Document Family . . . . . . . . . . . . . . . . 14
- 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 15
- 12. Security Considerations . . . . . . . . . . . . . . . . . . 15
- 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17
- 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 17
- 14.1. Normative References . . . . . . . . . . . . . . . . . 17
- 14.2. Informative References . . . . . . . . . . . . . . . . 18
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20
- Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 21
-
-1. Introduction
-
- This document introduces the Domain Name System Security Extensions
- (DNSSEC). This document and its two companion documents ([RFC4034]
- and [RFC4035]) update, clarify, and refine the security extensions
- defined in [RFC2535] and its predecessors. These security extensions
- consist of a set of new resource record types and modifications to
- the existing DNS protocol ([RFC1035]). The new records and protocol
- modifications are not fully described in this document, but are
- described in a family of documents outlined in Section 10. Sections
- 3 and 4 describe the capabilities and limitations of the security
- extensions in greater detail. Section 5 discusses the scope of the
- document set. Sections 6, 7, 8, and 9 discuss the effect that these
- security extensions will have on resolvers, stub resolvers, zones,
- and name servers.
-
- This document and its two companions obsolete [RFC2535], [RFC3008],
- [RFC3090], [RFC3445], [RFC3655], [RFC3658], [RFC3755], [RFC3757], and
- [RFC3845]. This document set also updates but does not obsolete
- [RFC1034], [RFC1035], [RFC2136], [RFC2181], [RFC2308], [RFC3225],
- [RFC3007], [RFC3597], and the portions of [RFC3226] that deal with
- DNSSEC.
-
-
-
-
-Arends, et al. Standards Track [Page 2]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- The DNS security extensions provide origin authentication and
- integrity protection for DNS data, as well as a means of public key
- distribution. These extensions do not provide confidentiality.
-
-2. Definitions of Important DNSSEC Terms
-
- This section defines a number of terms used in this document set.
- Because this is intended to be useful as a reference while reading
- the rest of the document set, first-time readers may wish to skim
- this section quickly, read the rest of this document, and then come
- back to this section.
-
- Authentication Chain: An alternating sequence of DNS public key
- (DNSKEY) RRsets and Delegation Signer (DS) RRsets forms a chain of
- signed data, with each link in the chain vouching for the next. A
- DNSKEY RR is used to verify the signature covering a DS RR and
- allows the DS RR to be authenticated. The DS RR contains a hash
- of another DNSKEY RR and this new DNSKEY RR is authenticated by
- matching the hash in the DS RR. This new DNSKEY RR in turn
- authenticates another DNSKEY RRset and, in turn, some DNSKEY RR in
- this set may be used to authenticate another DS RR, and so forth
- until the chain finally ends with a DNSKEY RR whose corresponding
- private key signs the desired DNS data. For example, the root
- DNSKEY RRset can be used to authenticate the DS RRset for
- "example." The "example." DS RRset contains a hash that matches
- some "example." DNSKEY, and this DNSKEY's corresponding private
- key signs the "example." DNSKEY RRset. Private key counterparts
- of the "example." DNSKEY RRset sign data records such as
- "www.example." and DS RRs for delegations such as
- "subzone.example."
-
- Authentication Key: A public key that a security-aware resolver has
- verified and can therefore use to authenticate data. A
- security-aware resolver can obtain authentication keys in three
- ways. First, the resolver is generally configured to know about
- at least one public key; this configured data is usually either
- the public key itself or a hash of the public key as found in the
- DS RR (see "trust anchor"). Second, the resolver may use an
- authenticated public key to verify a DS RR and the DNSKEY RR to
- which the DS RR refers. Third, the resolver may be able to
- determine that a new public key has been signed by the private key
- corresponding to another public key that the resolver has
- verified. Note that the resolver must always be guided by local
- policy when deciding whether to authenticate a new public key,
- even if the local policy is simply to authenticate any new public
- key for which the resolver is able verify the signature.
-
-
-
-
-
-Arends, et al. Standards Track [Page 3]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- Authoritative RRset: Within the context of a particular zone, an
- RRset is "authoritative" if and only if the owner name of the
- RRset lies within the subset of the name space that is at or below
- the zone apex and at or above the cuts that separate the zone from
- its children, if any. All RRsets at the zone apex are
- authoritative, except for certain RRsets at this domain name that,
- if present, belong to this zone's parent. These RRset could
- include a DS RRset, the NSEC RRset referencing this DS RRset (the
- "parental NSEC"), and RRSIG RRs associated with these RRsets, all
- of which are authoritative in the parent zone. Similarly, if this
- zone contains any delegation points, only the parental NSEC RRset,
- DS RRsets, and any RRSIG RRs associated with these RRsets are
- authoritative for this zone.
-
- Delegation Point: Term used to describe the name at the parental side
- of a zone cut. That is, the delegation point for "foo.example"
- would be the foo.example node in the "example" zone (as opposed to
- the zone apex of the "foo.example" zone). See also zone apex.
-
- Island of Security: Term used to describe a signed, delegated zone
- that does not have an authentication chain from its delegating
- parent. That is, there is no DS RR containing a hash of a DNSKEY
- RR for the island in its delegating parent zone (see [RFC4034]).
- An island of security is served by security-aware name servers and
- may provide authentication chains to any delegated child zones.
- Responses from an island of security or its descendents can only
- be authenticated if its authentication keys can be authenticated
- by some trusted means out of band from the DNS protocol.
-
- Key Signing Key (KSK): An authentication key that corresponds to a
- private key used to sign one or more other authentication keys for
- a given zone. Typically, the private key corresponding to a key
- signing key will sign a zone signing key, which in turn has a
- corresponding private key that will sign other zone data. Local
- policy may require that the zone signing key be changed
- frequently, while the key signing key may have a longer validity
- period in order to provide a more stable secure entry point into
- the zone. Designating an authentication key as a key signing key
- is purely an operational issue: DNSSEC validation does not
- distinguish between key signing keys and other DNSSEC
- authentication keys, and it is possible to use a single key as
- both a key signing key and a zone signing key. Key signing keys
- are discussed in more detail in [RFC3757]. Also see zone signing
- key.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 4]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- Non-Validating Security-Aware Stub Resolver: A security-aware stub
- resolver that trusts one or more security-aware recursive name
- servers to perform most of the tasks discussed in this document
- set on its behalf. In particular, a non-validating security-aware
- stub resolver is an entity that sends DNS queries, receives DNS
- responses, and is capable of establishing an appropriately secured
- channel to a security-aware recursive name server that will
- provide these services on behalf of the security-aware stub
- resolver. See also security-aware stub resolver, validating
- security-aware stub resolver.
-
- Non-Validating Stub Resolver: A less tedious term for a
- non-validating security-aware stub resolver.
-
- Security-Aware Name Server: An entity acting in the role of a name
- server (defined in section 2.4 of [RFC1034]) that understands the
- DNS security extensions defined in this document set. In
- particular, a security-aware name server is an entity that
- receives DNS queries, sends DNS responses, supports the EDNS0
- ([RFC2671]) message size extension and the DO bit ([RFC3225]), and
- supports the RR types and message header bits defined in this
- document set.
-
- Security-Aware Recursive Name Server: An entity that acts in both the
- security-aware name server and security-aware resolver roles. A
- more cumbersome but equivalent phrase would be "a security-aware
- name server that offers recursive service".
-
- Security-Aware Resolver: An entity acting in the role of a resolver
- (defined in section 2.4 of [RFC1034]) that understands the DNS
- security extensions defined in this document set. In particular,
- a security-aware resolver is an entity that sends DNS queries,
- receives DNS responses, supports the EDNS0 ([RFC2671]) message
- size extension and the DO bit ([RFC3225]), and is capable of using
- the RR types and message header bits defined in this document set
- to provide DNSSEC services.
-
- Security-Aware Stub Resolver: An entity acting in the role of a stub
- resolver (defined in section 5.3.1 of [RFC1034]) that has enough
- of an understanding the DNS security extensions defined in this
- document set to provide additional services not available from a
- security-oblivious stub resolver. Security-aware stub resolvers
- may be either "validating" or "non-validating", depending on
- whether the stub resolver attempts to verify DNSSEC signatures on
- its own or trusts a friendly security-aware name server to do so.
- See also validating stub resolver, non-validating stub resolver.
-
-
-
-
-
-Arends, et al. Standards Track [Page 5]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- Security-Oblivious <anything>: An <anything> that is not
- "security-aware".
-
- Signed Zone: A zone whose RRsets are signed and that contains
- properly constructed DNSKEY, Resource Record Signature (RRSIG),
- Next Secure (NSEC), and (optionally) DS records.
-
- Trust Anchor: A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A
- validating security-aware resolver uses this public key or hash as
- a starting point for building the authentication chain to a signed
- DNS response. In general, a validating resolver will have to
- obtain the initial values of its trust anchors via some secure or
- trusted means outside the DNS protocol. Presence of a trust
- anchor also implies that the resolver should expect the zone to
- which the trust anchor points to be signed.
-
- Unsigned Zone: A zone that is not signed.
-
- Validating Security-Aware Stub Resolver: A security-aware resolver
- that sends queries in recursive mode but that performs signature
- validation on its own rather than just blindly trusting an
- upstream security-aware recursive name server. See also
- security-aware stub resolver, non-validating security-aware stub
- resolver.
-
- Validating Stub Resolver: A less tedious term for a validating
- security-aware stub resolver.
-
- Zone Apex: Term used to describe the name at the child's side of a
- zone cut. See also delegation point.
-
- Zone Signing Key (ZSK): An authentication key that corresponds to a
- private key used to sign a zone. Typically, a zone signing key
- will be part of the same DNSKEY RRset as the key signing key whose
- corresponding private key signs this DNSKEY RRset, but the zone
- signing key is used for a slightly different purpose and may
- differ from the key signing key in other ways, such as validity
- lifetime. Designating an authentication key as a zone signing key
- is purely an operational issue; DNSSEC validation does not
- distinguish between zone signing keys and other DNSSEC
- authentication keys, and it is possible to use a single key as
- both a key signing key and a zone signing key. See also key
- signing key.
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 6]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
-3. Services Provided by DNS Security
-
- The Domain Name System (DNS) security extensions provide origin
- authentication and integrity assurance services for DNS data,
- including mechanisms for authenticated denial of existence of DNS
- data. These mechanisms are described below.
-
- These mechanisms require changes to the DNS protocol. DNSSEC adds
- four new resource record types: Resource Record Signature (RRSIG),
- DNS Public Key (DNSKEY), Delegation Signer (DS), and Next Secure
- (NSEC). It also adds two new message header bits: Checking Disabled
- (CD) and Authenticated Data (AD). In order to support the larger DNS
- message sizes that result from adding the DNSSEC RRs, DNSSEC also
- requires EDNS0 support ([RFC2671]). Finally, DNSSEC requires support
- for the DNSSEC OK (DO) EDNS header bit ([RFC3225]) so that a
- security-aware resolver can indicate in its queries that it wishes to
- receive DNSSEC RRs in response messages.
-
- These services protect against most of the threats to the Domain Name
- System described in [RFC3833]. Please see Section 12 for a
- discussion of the limitations of these extensions.
-
-3.1. Data Origin Authentication and Data Integrity
-
- DNSSEC provides authentication by associating cryptographically
- generated digital signatures with DNS RRsets. These digital
- signatures are stored in a new resource record, the RRSIG record.
- Typically, there will be a single private key that signs a zone's
- data, but multiple keys are possible. For example, there may be keys
- for each of several different digital signature algorithms. If a
- security-aware resolver reliably learns a zone's public key, it can
- authenticate that zone's signed data. An important DNSSEC concept is
- that the key that signs a zone's data is associated with the zone
- itself and not with the zone's authoritative name servers. (Public
- keys for DNS transaction authentication mechanisms may also appear in
- zones, as described in [RFC2931], but DNSSEC itself is concerned with
- object security of DNS data, not channel security of DNS
- transactions. The keys associated with transaction security may be
- stored in different RR types. See [RFC3755] for details.)
-
- A security-aware resolver can learn a zone's public key either by
- having a trust anchor configured into the resolver or by normal DNS
- resolution. To allow the latter, public keys are stored in a new
- type of resource record, the DNSKEY RR. Note that the private keys
- used to sign zone data must be kept secure and should be stored
- offline when practical. To discover a public key reliably via DNS
- resolution, the target key itself has to be signed by either a
- configured authentication key or another key that has been
-
-
-
-Arends, et al. Standards Track [Page 7]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- authenticated previously. Security-aware resolvers authenticate zone
- information by forming an authentication chain from a newly learned
- public key back to a previously known authentication public key,
- which in turn either has been configured into the resolver or must
- have been learned and verified previously. Therefore, the resolver
- must be configured with at least one trust anchor.
-
- If the configured trust anchor is a zone signing key, then it will
- authenticate the associated zone; if the configured key is a key
- signing key, it will authenticate a zone signing key. If the
- configured trust anchor is the hash of a key rather than the key
- itself, the resolver may have to obtain the key via a DNS query. To
- help security-aware resolvers establish this authentication chain,
- security-aware name servers attempt to send the signature(s) needed
- to authenticate a zone's public key(s) in the DNS reply message along
- with the public key itself, provided that there is space available in
- the message.
-
- The Delegation Signer (DS) RR type simplifies some of the
- administrative tasks involved in signing delegations across
- organizational boundaries. The DS RRset resides at a delegation
- point in a parent zone and indicates the public key(s) corresponding
- to the private key(s) used to self-sign the DNSKEY RRset at the
- delegated child zone's apex. The administrator of the child zone, in
- turn, uses the private key(s) corresponding to one or more of the
- public keys in this DNSKEY RRset to sign the child zone's data. The
- typical authentication chain is therefore
- DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
- DS->DNSKEY subchains. DNSSEC permits more complex authentication
- chains, such as additional layers of DNSKEY RRs signing other DNSKEY
- RRs within a zone.
-
- A security-aware resolver normally constructs this authentication
- chain from the root of the DNS hierarchy down to the leaf zones based
- on configured knowledge of the public key for the root. Local
- policy, however, may also allow a security-aware resolver to use one
- or more configured public keys (or hashes of public keys) other than
- the root public key, may not provide configured knowledge of the root
- public key, or may prevent the resolver from using particular public
- keys for arbitrary reasons, even if those public keys are properly
- signed with verifiable signatures. DNSSEC provides mechanisms by
- which a security-aware resolver can determine whether an RRset's
- signature is "valid" within the meaning of DNSSEC. In the final
- analysis, however, authenticating both DNS keys and data is a matter
- of local policy, which may extend or even override the protocol
- extensions defined in this document set. See Section 5 for further
- discussion.
-
-
-
-
-Arends, et al. Standards Track [Page 8]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
-3.2. Authenticating Name and Type Non-Existence
-
- The security mechanism described in Section 3.1 only provides a way
- to sign existing RRsets in a zone. The problem of providing negative
- responses with the same level of authentication and integrity
- requires the use of another new resource record type, the NSEC
- record. The NSEC record allows a security-aware resolver to
- authenticate a negative reply for either name or type non-existence
- with the same mechanisms used to authenticate other DNS replies. Use
- of NSEC records requires a canonical representation and ordering for
- domain names in zones. Chains of NSEC records explicitly describe
- the gaps, or "empty space", between domain names in a zone and list
- the types of RRsets present at existing names. Each NSEC record is
- signed and authenticated using the mechanisms described in Section
- 3.1.
-
-4. Services Not Provided by DNS Security
-
- DNS was originally designed with the assumptions that the DNS will
- return the same answer to any given query regardless of who may have
- issued the query, and that all data in the DNS is thus visible.
- Accordingly, DNSSEC is not designed to provide confidentiality,
- access control lists, or other means of differentiating between
- inquirers.
-
- DNSSEC provides no protection against denial of service attacks.
- Security-aware resolvers and security-aware name servers are
- vulnerable to an additional class of denial of service attacks based
- on cryptographic operations. Please see Section 12 for details.
-
- The DNS security extensions provide data and origin authentication
- for DNS data. The mechanisms outlined above are not designed to
- protect operations such as zone transfers and dynamic update
- ([RFC2136], [RFC3007]). Message authentication schemes described in
- [RFC2845] and [RFC2931] address security operations that pertain to
- these transactions.
-
-5. Scope of the DNSSEC Document Set and Last Hop Issues
-
- The specification in this document set defines the behavior for zone
- signers and security-aware name servers and resolvers in such a way
- that the validating entities can unambiguously determine the state of
- the data.
-
- A validating resolver can determine the following 4 states:
-
- Secure: The validating resolver has a trust anchor, has a chain of
- trust, and is able to verify all the signatures in the response.
-
-
-
-Arends, et al. Standards Track [Page 9]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- Insecure: The validating resolver has a trust anchor, a chain of
- trust, and, at some delegation point, signed proof of the
- non-existence of a DS record. This indicates that subsequent
- branches in the tree are provably insecure. A validating resolver
- may have a local policy to mark parts of the domain space as
- insecure.
-
- Bogus: The validating resolver has a trust anchor and a secure
- delegation indicating that subsidiary data is signed, but the
- response fails to validate for some reason: missing signatures,
- expired signatures, signatures with unsupported algorithms, data
- missing that the relevant NSEC RR says should be present, and so
- forth.
-
- Indeterminate: There is no trust anchor that would indicate that a
- specific portion of the tree is secure. This is the default
- operation mode.
-
- This specification only defines how security-aware name servers can
- signal non-validating stub resolvers that data was found to be bogus
- (using RCODE=2, "Server Failure"; see [RFC4035]).
-
- There is a mechanism for security-aware name servers to signal
- security-aware stub resolvers that data was found to be secure (using
- the AD bit; see [RFC4035]).
-
- This specification does not define a format for communicating why
- responses were found to be bogus or marked as insecure. The current
- signaling mechanism does not distinguish between indeterminate and
- insecure states.
-
- A method for signaling advanced error codes and policy between a
- security-aware stub resolver and security-aware recursive nameservers
- is a topic for future work, as is the interface between a security-
- aware resolver and the applications that use it. Note, however, that
- the lack of the specification of such communication does not prohibit
- deployment of signed zones or the deployment of security aware
- recursive name servers that prohibit propagation of bogus data to the
- applications.
-
-6. Resolver Considerations
-
- A security-aware resolver has to be able to perform cryptographic
- functions necessary to verify digital signatures using at least the
- mandatory-to-implement algorithm(s). Security-aware resolvers must
- also be capable of forming an authentication chain from a newly
- learned zone back to an authentication key, as described above. This
- process might require additional queries to intermediate DNS zones to
-
-
-
-Arends, et al. Standards Track [Page 10]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- obtain necessary DNSKEY, DS, and RRSIG records. A security-aware
- resolver should be configured with at least one trust anchor as the
- starting point from which it will attempt to establish authentication
- chains.
-
- If a security-aware resolver is separated from the relevant
- authoritative name servers by a recursive name server or by any sort
- of intermediary device that acts as a proxy for DNS, and if the
- recursive name server or intermediary device is not security-aware,
- the security-aware resolver may not be capable of operating in a
- secure mode. For example, if a security-aware resolver's packets are
- routed through a network address translation (NAT) device that
- includes a DNS proxy that is not security-aware, the security-aware
- resolver may find it difficult or impossible to obtain or validate
- signed DNS data. The security-aware resolver may have a particularly
- difficult time obtaining DS RRs in such a case, as DS RRs do not
- follow the usual DNS rules for ownership of RRs at zone cuts. Note
- that this problem is not specific to NATs: any security-oblivious DNS
- software of any kind between the security-aware resolver and the
- authoritative name servers will interfere with DNSSEC.
-
- If a security-aware resolver must rely on an unsigned zone or a name
- server that is not security aware, the resolver may not be able to
- validate DNS responses and will need a local policy on whether to
- accept unverified responses.
-
- A security-aware resolver should take a signature's validation period
- into consideration when determining the TTL of data in its cache, to
- avoid caching signed data beyond the validity period of the
- signature. However, it should also allow for the possibility that
- the security-aware resolver's own clock is wrong. Thus, a
- security-aware resolver that is part of a security-aware recursive
- name server will have to pay careful attention to the DNSSEC
- "checking disabled" (CD) bit ([RFC4034]). This is in order to avoid
- blocking valid signatures from getting through to other
- security-aware resolvers that are clients of this recursive name
- server. See [RFC4035] for how a secure recursive server handles
- queries with the CD bit set.
-
-7. Stub Resolver Considerations
-
- Although not strictly required to do so by the protocol, most DNS
- queries originate from stub resolvers. Stub resolvers, by
- definition, are minimal DNS resolvers that use recursive query mode
- to offload most of the work of DNS resolution to a recursive name
- server. Given the widespread use of stub resolvers, the DNSSEC
-
-
-
-
-
-Arends, et al. Standards Track [Page 11]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- architecture has to take stub resolvers into account, but the
- security features needed in a stub resolver differ in some respects
- from those needed in a security-aware iterative resolver.
-
- Even a security-oblivious stub resolver may benefit from DNSSEC if
- the recursive name servers it uses are security-aware, but for the
- stub resolver to place any real reliance on DNSSEC services, the stub
- resolver must trust both the recursive name servers in question and
- the communication channels between itself and those name servers.
- The first of these issues is a local policy issue: in essence, a
- security-oblivious stub resolver has no choice but to place itself at
- the mercy of the recursive name servers that it uses, as it does not
- perform DNSSEC validity checks on its own. The second issue requires
- some kind of channel security mechanism; proper use of DNS
- transaction authentication mechanisms such as SIG(0) ([RFC2931]) or
- TSIG ([RFC2845]) would suffice, as would appropriate use of IPsec.
- Particular implementations may have other choices available, such as
- operating system specific interprocess communication mechanisms.
- Confidentiality is not needed for this channel, but data integrity
- and message authentication are.
-
- A security-aware stub resolver that does trust both its recursive
- name servers and its communication channel to them may choose to
- examine the setting of the Authenticated Data (AD) bit in the message
- header of the response messages it receives. The stub resolver can
- use this flag bit as a hint to find out whether the recursive name
- server was able to validate signatures for all of the data in the
- Answer and Authority sections of the response.
-
- There is one more step that a security-aware stub resolver can take
- if, for whatever reason, it is not able to establish a useful trust
- relationship with the recursive name servers that it uses: it can
- perform its own signature validation by setting the Checking Disabled
- (CD) bit in its query messages. A validating stub resolver is thus
- able to treat the DNSSEC signatures as trust relationships between
- the zone administrators and the stub resolver itself.
-
-8. Zone Considerations
-
- There are several differences between signed and unsigned zones. A
- signed zone will contain additional security-related records (RRSIG,
- DNSKEY, DS, and NSEC records). RRSIG and NSEC records may be
- generated by a signing process prior to serving the zone. The RRSIG
- records that accompany zone data have defined inception and
- expiration times that establish a validity period for the signatures
- and the zone data the signatures cover.
-
-
-
-
-
-Arends, et al. Standards Track [Page 12]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
-8.1. TTL Values vs. RRSIG Validity Period
-
- It is important to note the distinction between a RRset's TTL value
- and the signature validity period specified by the RRSIG RR covering
- that RRset. DNSSEC does not change the definition or function of the
- TTL value, which is intended to maintain database coherency in
- caches. A caching resolver purges RRsets from its cache no later
- than the end of the time period specified by the TTL fields of those
- RRsets, regardless of whether the resolver is security-aware.
-
- The inception and expiration fields in the RRSIG RR ([RFC4034]), on
- the other hand, specify the time period during which the signature
- can be used to validate the covered RRset. The signatures associated
- with signed zone data are only valid for the time period specified by
- these fields in the RRSIG RRs in question. TTL values cannot extend
- the validity period of signed RRsets in a resolver's cache, but the
- resolver may use the time remaining before expiration of the
- signature validity period of a signed RRset as an upper bound for the
- TTL of the signed RRset and its associated RRSIG RR in the resolver's
- cache.
-
-8.2. New Temporal Dependency Issues for Zones
-
- Information in a signed zone has a temporal dependency that did not
- exist in the original DNS protocol. A signed zone requires regular
- maintenance to ensure that each RRset in the zone has a current valid
- RRSIG RR. The signature validity period of an RRSIG RR is an
- interval during which the signature for one particular signed RRset
- can be considered valid, and the signatures of different RRsets in a
- zone may expire at different times. Re-signing one or more RRsets in
- a zone will change one or more RRSIG RRs, which will in turn require
- incrementing the zone's SOA serial number to indicate that a zone
- change has occurred and re-signing the SOA RRset itself. Thus,
- re-signing any RRset in a zone may also trigger DNS NOTIFY messages
- and zone transfer operations.
-
-9. Name Server Considerations
-
- A security-aware name server should include the appropriate DNSSEC
- records (RRSIG, DNSKEY, DS, and NSEC) in all responses to queries
- from resolvers that have signaled their willingness to receive such
- records via use of the DO bit in the EDNS header, subject to message
- size limitations. Because inclusion of these DNSSEC RRs could easily
- cause UDP message truncation and fallback to TCP, a security-aware
- name server must also support the EDNS "sender's UDP payload"
- mechanism.
-
-
-
-
-
-Arends, et al. Standards Track [Page 13]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- If possible, the private half of each DNSSEC key pair should be kept
- offline, but this will not be possible for a zone for which DNS
- dynamic update has been enabled. In the dynamic update case, the
- primary master server for the zone will have to re-sign the zone when
- it is updated, so the private key corresponding to the zone signing
- key will have to be kept online. This is an example of a situation
- in which the ability to separate the zone's DNSKEY RRset into zone
- signing key(s) and key signing key(s) may be useful, as the key
- signing key(s) in such a case can still be kept offline and may have
- a longer useful lifetime than the zone signing key(s).
-
- By itself, DNSSEC is not enough to protect the integrity of an entire
- zone during zone transfer operations, as even a signed zone contains
- some unsigned, nonauthoritative data if the zone has any children.
- Therefore, zone maintenance operations will require some additional
- mechanisms (most likely some form of channel security, such as TSIG,
- SIG(0), or IPsec).
-
-10. DNS Security Document Family
-
- The DNSSEC document set can be partitioned into several main groups,
- under the larger umbrella of the DNS base protocol documents.
-
- The "DNSSEC protocol document set" refers to the three documents that
- form the core of the DNS security extensions:
-
- 1. DNS Security Introduction and Requirements (this document)
-
- 2. Resource Records for DNS Security Extensions [RFC4034]
-
- 3. Protocol Modifications for the DNS Security Extensions [RFC4035]
-
- Additionally, any document that would add to or change the core DNS
- Security extensions would fall into this category. This includes any
- future work on the communication between security-aware stub
- resolvers and upstream security-aware recursive name servers.
-
- The "Digital Signature Algorithm Specification" document set refers
- to the group of documents that describe how specific digital
- signature algorithms should be implemented to fit the DNSSEC resource
- record format. Each document in this set deals with a specific
- digital signature algorithm. Please see the appendix on "DNSSEC
- Algorithm and Digest Types" in [RFC4034] for a list of the algorithms
- that were defined when this core specification was written.
-
- The "Transaction Authentication Protocol" document set refers to the
- group of documents that deal with DNS message authentication,
- including secret key establishment and verification. Although not
-
-
-
-Arends, et al. Standards Track [Page 14]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- strictly part of the DNSSEC specification as defined in this set of
- documents, this group is noted because of its relationship to DNSSEC.
-
- The final document set, "New Security Uses", refers to documents that
- seek to use proposed DNS Security extensions for other security
- related purposes. DNSSEC does not provide any direct security for
- these new uses but may be used to support them. Documents that fall
- in this category include those describing the use of DNS in the
- storage and distribution of certificates ([RFC2538]).
-
-11. IANA Considerations
-
- This overview document introduces no new IANA considerations. Please
- see [RFC4034] for a complete review of the IANA considerations
- introduced by DNSSEC.
-
-12. Security Considerations
-
- This document introduces DNS security extensions and describes the
- document set that contains the new security records and DNS protocol
- modifications. The extensions provide data origin authentication and
- data integrity using digital signatures over resource record sets.
- This section discusses the limitations of these extensions.
-
- In order for a security-aware resolver to validate a DNS response,
- all zones along the path from the trusted starting point to the zone
- containing the response zones must be signed, and all name servers
- and resolvers involved in the resolution process must be
- security-aware, as defined in this document set. A security-aware
- resolver cannot verify responses originating from an unsigned zone,
- from a zone not served by a security-aware name server, or for any
- DNS data that the resolver is only able to obtain through a recursive
- name server that is not security-aware. If there is a break in the
- authentication chain such that a security-aware resolver cannot
- obtain and validate the authentication keys it needs, then the
- security-aware resolver cannot validate the affected DNS data.
-
- This document briefly discusses other methods of adding security to a
- DNS query, such as using a channel secured by IPsec or using a DNS
- transaction authentication mechanism such as TSIG ([RFC2845]) or
- SIG(0) ([RFC2931]), but transaction security is not part of DNSSEC
- per se.
-
- A non-validating security-aware stub resolver, by definition, does
- not perform DNSSEC signature validation on its own and thus is
- vulnerable both to attacks on (and by) the security-aware recursive
- name servers that perform these checks on its behalf and to attacks
- on its communication with those security-aware recursive name
-
-
-
-Arends, et al. Standards Track [Page 15]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- servers. Non-validating security-aware stub resolvers should use
- some form of channel security to defend against the latter threat.
- The only known defense against the former threat would be for the
- security-aware stub resolver to perform its own signature validation,
- at which point, again by definition, it would no longer be a
- non-validating security-aware stub resolver.
-
- DNSSEC does not protect against denial of service attacks. DNSSEC
- makes DNS vulnerable to a new class of denial of service attacks
- based on cryptographic operations against security-aware resolvers
- and security-aware name servers, as an attacker can attempt to use
- DNSSEC mechanisms to consume a victim's resources. This class of
- attacks takes at least two forms. An attacker may be able to consume
- resources in a security-aware resolver's signature validation code by
- tampering with RRSIG RRs in response messages or by constructing
- needlessly complex signature chains. An attacker may also be able to
- consume resources in a security-aware name server that supports DNS
- dynamic update, by sending a stream of update messages that force the
- security-aware name server to re-sign some RRsets in the zone more
- frequently than would otherwise be necessary.
-
- Due to a deliberate design choice, DNSSEC does not provide
- confidentiality.
-
- DNSSEC introduces the ability for a hostile party to enumerate all
- the names in a zone by following the NSEC chain. NSEC RRs assert
- which names do not exist in a zone by linking from existing name to
- existing name along a canonical ordering of all the names within a
- zone. Thus, an attacker can query these NSEC RRs in sequence to
- obtain all the names in a zone. Although this is not an attack on
- the DNS itself, it could allow an attacker to map network hosts or
- other resources by enumerating the contents of a zone.
-
- DNSSEC introduces significant additional complexity to the DNS and
- thus introduces many new opportunities for implementation bugs and
- misconfigured zones. In particular, enabling DNSSEC signature
- validation in a resolver may cause entire legitimate zones to become
- effectively unreachable due to DNSSEC configuration errors or bugs.
-
- DNSSEC does not protect against tampering with unsigned zone data.
- Non-authoritative data at zone cuts (glue and NS RRs in the parent
- zone) are not signed. This does not pose a problem when validating
- the authentication chain, but it does mean that the non-authoritative
- data itself is vulnerable to tampering during zone transfer
- operations. Thus, while DNSSEC can provide data origin
- authentication and data integrity for RRsets, it cannot do so for
- zones, and other mechanisms (such as TSIG, SIG(0), or IPsec) must be
- used to protect zone transfer operations.
-
-
-
-Arends, et al. Standards Track [Page 16]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- Please see [RFC4034] and [RFC4035] for additional security
- considerations.
-
-13. Acknowledgements
-
- This document was created from the input and ideas of the members of
- the DNS Extensions Working Group. Although explicitly listing
- everyone who has contributed during the decade in which DNSSEC has
- been under development would be impossible, the editors would
- particularly like to thank the following people for their
- contributions to and comments on this document set: Jaap Akkerhuis,
- Mark Andrews, Derek Atkins, Roy Badami, Alan Barrett, Dan Bernstein,
- David Blacka, Len Budney, Randy Bush, Francis Dupont, Donald
- Eastlake, Robert Elz, Miek Gieben, Michael Graff, Olafur Gudmundsson,
- Gilles Guette, Andreas Gustafsson, Jun-ichiro Itojun Hagino, Phillip
- Hallam-Baker, Bob Halley, Ted Hardie, Walter Howard, Greg Hudson,
- Christian Huitema, Johan Ihren, Stephen Jacob, Jelte Jansen, Simon
- Josefsson, Andris Kalnozols, Peter Koch, Olaf Kolkman, Mark Kosters,
- Suresh Krishnaswamy, Ben Laurie, David Lawrence, Ted Lemon, Ed Lewis,
- Ted Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Russ
- Mundy, Thomas Narten, Mans Nilsson, Masataka Ohta, Mike Patton, Rob
- Payne, Jim Reid, Michael Richardson, Erik Rozendaal, Marcos Sanz,
- Pekka Savola, Jakob Schlyter, Mike StJohns, Paul Vixie, Sam Weiler,
- Brian Wellington, and Suzanne Woolf.
-
- No doubt the above list is incomplete. We apologize to anyone we
- left out.
-
-14. References
-
-14.1. Normative References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC2535] Eastlake 3rd, D., "Domain Name System Security
- Extensions", RFC 2535, March 1999.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
-
-
-
-
-Arends, et al. Standards Track [Page 17]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
- message size requirements", RFC 3226, December 2001.
-
- [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
- Resource Record (RR)", RFC 3445, December 2002.
-
- [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for DNS Security Extensions", RFC
- 4034, March 2005.
-
- [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security
- Extensions", RFC 4035, March 2005.
-
-14.2. Informative References
-
- [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
- "Dynamic Updates in the Domain Name System (DNS UPDATE)",
- RFC 2136, April 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2538] Eastlake 3rd, D. and O. Gudmundsson, "Storing Certificates
- in the Domain Name System (DNS)", RFC 2538, March 1999.
-
- [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
- Wellington, "Secret Key Transaction Authentication for DNS
- (TSIG)", RFC 2845, May 2000.
-
- [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
- ( SIG(0)s )", RFC 2931, September 2000.
-
- [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
- [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
- Signing Authority", RFC 3008, November 2000.
-
- [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone
- Status", RFC 3090, March 2001.
-
- [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
- (RR) Types", RFC 3597, September 2003.
-
-
-
-
-Arends, et al. Standards Track [Page 18]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
- [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
- Authenticated Data (AD) bit", RFC 3655, November 2003.
-
- [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
- (RR)", RFC 3658, December 2003.
-
- [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
- Signer (DS)", RFC 3755, May 2004.
-
- [RFC3757] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
- System KEY (DNSKEY) Resource Record (RR) Secure Entry
- Point (SEP) Flag", RFC 3757, April 2004.
-
- [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
- Name System (DNS)", RFC 3833, August 2004.
-
- [RFC3845] Schlyter, J., "DNS Security (DNSSEC) NextSECure (NSEC)
- RDATA Format", RFC 3845, August 2004.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 19]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Brouwerijstraat 1
- 7523 XC Enschede
- NL
-
- EMail: roy.arends@telin.nl
-
-
- Rob Austein
- Internet Systems Consortium
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- EMail: sra@isc.org
-
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: mlarson@verisign.com
-
-
- Dan Massey
- Colorado State University
- Department of Computer Science
- Fort Collins, CO 80523-1873
-
- EMail: massey@cs.colostate.edu
-
-
- Scott Rose
- National Institute for Standards and Technology
- 100 Bureau Drive
- Gaithersburg, MD 20899-8920
- USA
-
- EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 20]
-
-RFC 4033 DNS Security Introduction and Requirements March 2005
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 21]
-
diff --git a/contrib/bind9/doc/rfc/rfc4034.txt b/contrib/bind9/doc/rfc/rfc4034.txt
deleted file mode 100644
index 6a12c6b8efc5..000000000000
--- a/contrib/bind9/doc/rfc/rfc4034.txt
+++ /dev/null
@@ -1,1627 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Arends
-Request for Comments: 4034 Telematica Instituut
-Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein
- 3755, 3757, 3845 ISC
-Updates: 1034, 1035, 2136, 2181, 2308, 3225, M. Larson
- 3007, 3597, 3226 VeriSign
-Category: Standards Track D. Massey
- Colorado State University
- S. Rose
- NIST
- March 2005
-
-
- Resource Records for the DNS Security Extensions
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document is part of a family of documents that describe the DNS
- Security Extensions (DNSSEC). The DNS Security Extensions are a
- collection of resource records and protocol modifications that
- provide source authentication for the DNS. This document defines the
- public key (DNSKEY), delegation signer (DS), resource record digital
- signature (RRSIG), and authenticated denial of existence (NSEC)
- resource records. The purpose and format of each resource record is
- described in detail, and an example of each resource record is given.
-
- This document obsoletes RFC 2535 and incorporates changes from all
- updates to RFC 2535.
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 1]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1. Background and Related Documents . . . . . . . . . . . 3
- 1.2. Reserved Words . . . . . . . . . . . . . . . . . . . . 3
- 2. The DNSKEY Resource Record . . . . . . . . . . . . . . . . . 4
- 2.1. DNSKEY RDATA Wire Format . . . . . . . . . . . . . . . 4
- 2.1.1. The Flags Field. . . . . . . . . . . . . . . . 4
- 2.1.2. The Protocol Field . . . . . . . . . . . . . . 5
- 2.1.3. The Algorithm Field. . . . . . . . . . . . . . 5
- 2.1.4. The Public Key Field . . . . . . . . . . . . . 5
- 2.1.5. Notes on DNSKEY RDATA Design . . . . . . . . . 5
- 2.2. The DNSKEY RR Presentation Format. . . . . . . . . . . 5
- 2.3. DNSKEY RR Example . . . . . . . . . . . . . . . . . . 6
- 3. The RRSIG Resource Record . . . . . . . . . . . . . . . . . 6
- 3.1. RRSIG RDATA Wire Format. . . . . . . . . . . . . . . . 7
- 3.1.1. The Type Covered Field . . . . . . . . . . . . 7
- 3.1.2. The Algorithm Number Field . . . . . . . . . . 8
- 3.1.3. The Labels Field . . . . . . . . . . . . . . . 8
- 3.1.4. Original TTL Field . . . . . . . . . . . . . . 8
- 3.1.5. Signature Expiration and Inception Fields. . . 9
- 3.1.6. The Key Tag Field. . . . . . . . . . . . . . . 9
- 3.1.7. The Signer's Name Field. . . . . . . . . . . . 9
- 3.1.8. The Signature Field. . . . . . . . . . . . . . 9
- 3.2. The RRSIG RR Presentation Format . . . . . . . . . . . 10
- 3.3. RRSIG RR Example . . . . . . . . . . . . . . . . . . . 11
- 4. The NSEC Resource Record . . . . . . . . . . . . . . . . . . 12
- 4.1. NSEC RDATA Wire Format . . . . . . . . . . . . . . . . 13
- 4.1.1. The Next Domain Name Field . . . . . . . . . . 13
- 4.1.2. The Type Bit Maps Field. . . . . . . . . . . . 13
- 4.1.3. Inclusion of Wildcard Names in NSEC RDATA. . . 14
- 4.2. The NSEC RR Presentation Format. . . . . . . . . . . . 14
- 4.3. NSEC RR Example. . . . . . . . . . . . . . . . . . . . 15
- 5. The DS Resource Record . . . . . . . . . . . . . . . . . . . 15
- 5.1. DS RDATA Wire Format . . . . . . . . . . . . . . . . . 16
- 5.1.1. The Key Tag Field. . . . . . . . . . . . . . . 16
- 5.1.2. The Algorithm Field. . . . . . . . . . . . . . 16
- 5.1.3. The Digest Type Field. . . . . . . . . . . . . 17
- 5.1.4. The Digest Field . . . . . . . . . . . . . . . 17
- 5.2. Processing of DS RRs When Validating Responses . . . . 17
- 5.3. The DS RR Presentation Format. . . . . . . . . . . . . 17
- 5.4. DS RR Example. . . . . . . . . . . . . . . . . . . . . 18
- 6. Canonical Form and Order of Resource Records . . . . . . . . 18
- 6.1. Canonical DNS Name Order . . . . . . . . . . . . . . . 18
- 6.2. Canonical RR Form. . . . . . . . . . . . . . . . . . . 19
- 6.3. Canonical RR Ordering within an RRset. . . . . . . . . 20
- 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . 20
- 8. Security Considerations. . . . . . . . . . . . . . . . . . . 21
-
-
-
-Arends, et al. Standards Track [Page 2]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
- 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
- 10.1. Normative References . . . . . . . . . . . . . . . . . 22
- 10.2. Informative References . . . . . . . . . . . . . . . . 23
- A. DNSSEC Algorithm and Digest Types. . . . . . . . . . . . . . 24
- A.1. DNSSEC Algorithm Types . . . . . . . . . . . . . . . . 24
- A.1.1. Private Algorithm Types. . . . . . . . . . . . 25
- A.2. DNSSEC Digest Types. . . . . . . . . . . . . . . . . . 25
- B. Key Tag Calculation. . . . . . . . . . . . . . . . . . . . . 25
- B.1. Key Tag for Algorithm 1 (RSA/MD5). . . . . . . . . . . 27
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
- Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 29
-
-1. Introduction
-
- The DNS Security Extensions (DNSSEC) introduce four new DNS resource
- record types: DNS Public Key (DNSKEY), Resource Record Signature
- (RRSIG), Next Secure (NSEC), and Delegation Signer (DS). This
- document defines the purpose of each resource record (RR), the RR's
- RDATA format, and its presentation format (ASCII representation).
-
-1.1. Background and Related Documents
-
- This document is part of a family of documents defining DNSSEC, which
- should be read together as a set.
-
- [RFC4033] contains an introduction to DNSSEC and definition of common
- terms; the reader is assumed to be familiar with this document.
- [RFC4033] also contains a list of other documents updated by and
- obsoleted by this document set.
-
- [RFC4035] defines the DNSSEC protocol operations.
-
- The reader is also assumed to be familiar with the basic DNS concepts
- described in [RFC1034], [RFC1035], and the subsequent documents that
- update them, particularly [RFC2181] and [RFC2308].
-
- This document defines the DNSSEC resource records. All numeric DNS
- type codes given in this document are decimal integers.
-
-1.2. Reserved Words
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 3]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-2. The DNSKEY Resource Record
-
- DNSSEC uses public key cryptography to sign and authenticate DNS
- resource record sets (RRsets). The public keys are stored in DNSKEY
- resource records and are used in the DNSSEC authentication process
- described in [RFC4035]: A zone signs its authoritative RRsets by
- using a private key and stores the corresponding public key in a
- DNSKEY RR. A resolver can then use the public key to validate
- signatures covering the RRsets in the zone, and thus to authenticate
- them.
-
- The DNSKEY RR is not intended as a record for storing arbitrary
- public keys and MUST NOT be used to store certificates or public keys
- that do not directly relate to the DNS infrastructure.
-
- The Type value for the DNSKEY RR type is 48.
-
- The DNSKEY RR is class independent.
-
- The DNSKEY RR has no special TTL requirements.
-
-2.1. DNSKEY RDATA Wire Format
-
- The RDATA for a DNSKEY RR consists of a 2 octet Flags Field, a 1
- octet Protocol Field, a 1 octet Algorithm Field, and the Public Key
- Field.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Flags | Protocol | Algorithm |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / /
- / Public Key /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-2.1.1. The Flags Field
-
- Bit 7 of the Flags field is the Zone Key flag. If bit 7 has value 1,
- then the DNSKEY record holds a DNS zone key, and the DNSKEY RR's
- owner name MUST be the name of a zone. If bit 7 has value 0, then
- the DNSKEY record holds some other type of DNS public key and MUST
- NOT be used to verify RRSIGs that cover RRsets.
-
- Bit 15 of the Flags field is the Secure Entry Point flag, described
- in [RFC3757]. If bit 15 has value 1, then the DNSKEY record holds a
- key intended for use as a secure entry point. This flag is only
-
-
-
-Arends, et al. Standards Track [Page 4]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- intended to be a hint to zone signing or debugging software as to the
- intended use of this DNSKEY record; validators MUST NOT alter their
- behavior during the signature validation process in any way based on
- the setting of this bit. This also means that a DNSKEY RR with the
- SEP bit set would also need the Zone Key flag set in order to be able
- to generate signatures legally. A DNSKEY RR with the SEP set and the
- Zone Key flag not set MUST NOT be used to verify RRSIGs that cover
- RRsets.
-
- Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon
- creation of the DNSKEY RR and MUST be ignored upon receipt.
-
-2.1.2. The Protocol Field
-
- The Protocol Field MUST have value 3, and the DNSKEY RR MUST be
- treated as invalid during signature verification if it is found to be
- some value other than 3.
-
-2.1.3. The Algorithm Field
-
- The Algorithm field identifies the public key's cryptographic
- algorithm and determines the format of the Public Key field. A list
- of DNSSEC algorithm types can be found in Appendix A.1
-
-2.1.4. The Public Key Field
-
- The Public Key Field holds the public key material. The format
- depends on the algorithm of the key being stored and is described in
- separate documents.
-
-2.1.5. Notes on DNSKEY RDATA Design
-
- Although the Protocol Field always has value 3, it is retained for
- backward compatibility with early versions of the KEY record.
-
-2.2. The DNSKEY RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Flag field MUST be represented as an unsigned decimal integer.
- Given the currently defined flags, the possible values are: 0, 256,
- and 257.
-
- The Protocol Field MUST be represented as an unsigned decimal integer
- with a value of 3.
-
- The Algorithm field MUST be represented either as an unsigned decimal
- integer or as an algorithm mnemonic as specified in Appendix A.1.
-
-
-
-Arends, et al. Standards Track [Page 5]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- The Public Key field MUST be represented as a Base64 encoding of the
- Public Key. Whitespace is allowed within the Base64 text. For a
- definition of Base64 encoding, see [RFC3548].
-
-2.3. DNSKEY RR Example
-
- The following DNSKEY RR stores a DNS zone key for example.com.
-
- example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3
- Cbl+BBZH4b/0PY1kxkmvHjcZc8no
- kfzj31GajIQKY+5CptLr3buXA10h
- WqTkF7H6RfoRqXQeogmMHfpftf6z
- Mv1LyBUgia7za6ZEzOJBOztyvhjL
- 742iU/TpPSEDhm2SNKLijfUppn1U
- aNvv4w== )
-
- The first four text fields specify the owner name, TTL, Class, and RR
- type (DNSKEY). Value 256 indicates that the Zone Key bit (bit 7) in
- the Flags field has value 1. Value 3 is the fixed Protocol value.
- Value 5 indicates the public key algorithm. Appendix A.1 identifies
- algorithm type 5 as RSA/SHA1 and indicates that the format of the
- RSA/SHA1 public key field is defined in [RFC3110]. The remaining
- text is a Base64 encoding of the public key.
-
-3. The RRSIG Resource Record
-
- DNSSEC uses public key cryptography to sign and authenticate DNS
- resource record sets (RRsets). Digital signatures are stored in
- RRSIG resource records and are used in the DNSSEC authentication
- process described in [RFC4035]. A validator can use these RRSIG RRs
- to authenticate RRsets from the zone. The RRSIG RR MUST only be used
- to carry verification material (digital signatures) used to secure
- DNS operations.
-
- An RRSIG record contains the signature for an RRset with a particular
- name, class, and type. The RRSIG RR specifies a validity interval
- for the signature and uses the Algorithm, the Signer's Name, and the
- Key Tag to identify the DNSKEY RR containing the public key that a
- validator can use to verify the signature.
-
- Because every authoritative RRset in a zone must be protected by a
- digital signature, RRSIG RRs must be present for names containing a
- CNAME RR. This is a change to the traditional DNS specification
- [RFC1034], which stated that if a CNAME is present for a name, it is
- the only type allowed at that name. A RRSIG and NSEC (see Section 4)
- MUST exist for the same name as a CNAME resource record in a signed
- zone.
-
-
-
-
-Arends, et al. Standards Track [Page 6]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- The Type value for the RRSIG RR type is 46.
-
- The RRSIG RR is class independent.
-
- An RRSIG RR MUST have the same class as the RRset it covers.
-
- The TTL value of an RRSIG RR MUST match the TTL value of the RRset it
- covers. This is an exception to the [RFC2181] rules for TTL values
- of individual RRs within a RRset: individual RRSIG RRs with the same
- owner name will have different TTL values if the RRsets they cover
- have different TTL values.
-
-3.1. RRSIG RDATA Wire Format
-
- The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a
- 1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original
- TTL field, a 4 octet Signature Expiration field, a 4 octet Signature
- Inception field, a 2 octet Key tag, the Signer's Name field, and the
- Signature field.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Type Covered | Algorithm | Labels |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Original TTL |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Signature Expiration |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Signature Inception |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Key Tag | /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Signer's Name /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / /
- / Signature /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-3.1.1. The Type Covered Field
-
- The Type Covered field identifies the type of the RRset that is
- covered by this RRSIG record.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 7]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-3.1.2. The Algorithm Number Field
-
- The Algorithm Number field identifies the cryptographic algorithm
- used to create the signature. A list of DNSSEC algorithm types can
- be found in Appendix A.1
-
-3.1.3. The Labels Field
-
- The Labels field specifies the number of labels in the original RRSIG
- RR owner name. The significance of this field is that a validator
- uses it to determine whether the answer was synthesized from a
- wildcard. If so, it can be used to determine what owner name was
- used in generating the signature.
-
- To validate a signature, the validator needs the original owner name
- that was used to create the signature. If the original owner name
- contains a wildcard label ("*"), the owner name may have been
- expanded by the server during the response process, in which case the
- validator will have to reconstruct the original owner name in order
- to validate the signature. [RFC4035] describes how to use the Labels
- field to reconstruct the original owner name.
-
- The value of the Labels field MUST NOT count either the null (root)
- label that terminates the owner name or the wildcard label (if
- present). The value of the Labels field MUST be less than or equal
- to the number of labels in the RRSIG owner name. For example,
- "www.example.com." has a Labels field value of 3, and
- "*.example.com." has a Labels field value of 2. Root (".") has a
- Labels field value of 0.
-
- Although the wildcard label is not included in the count stored in
- the Labels field of the RRSIG RR, the wildcard label is part of the
- RRset's owner name when the signature is generated or verified.
-
-3.1.4. Original TTL Field
-
- The Original TTL field specifies the TTL of the covered RRset as it
- appears in the authoritative zone.
-
- The Original TTL field is necessary because a caching resolver
- decrements the TTL value of a cached RRset. In order to validate a
- signature, a validator requires the original TTL. [RFC4035]
- describes how to use the Original TTL field value to reconstruct the
- original TTL.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 8]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-3.1.5. Signature Expiration and Inception Fields
-
- The Signature Expiration and Inception fields specify a validity
- period for the signature. The RRSIG record MUST NOT be used for
- authentication prior to the inception date and MUST NOT be used for
- authentication after the expiration date.
-
- The Signature Expiration and Inception field values specify a date
- and time in the form of a 32-bit unsigned number of seconds elapsed
- since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network
- byte order. The longest interval that can be expressed by this
- format without wrapping is approximately 136 years. An RRSIG RR can
- have an Expiration field value that is numerically smaller than the
- Inception field value if the expiration field value is near the
- 32-bit wrap-around point or if the signature is long lived. Because
- of this, all comparisons involving these fields MUST use "Serial
- number arithmetic", as defined in [RFC1982]. As a direct
- consequence, the values contained in these fields cannot refer to
- dates more than 68 years in either the past or the future.
-
-3.1.6. The Key Tag Field
-
- The Key Tag field contains the key tag value of the DNSKEY RR that
- validates this signature, in network byte order. Appendix B explains
- how to calculate Key Tag values.
-
-3.1.7. The Signer's Name Field
-
- The Signer's Name field value identifies the owner name of the DNSKEY
- RR that a validator is supposed to use to validate this signature.
- The Signer's Name field MUST contain the name of the zone of the
- covered RRset. A sender MUST NOT use DNS name compression on the
- Signer's Name field when transmitting a RRSIG RR.
-
-3.1.8. The Signature Field
-
- The Signature field contains the cryptographic signature that covers
- the RRSIG RDATA (excluding the Signature field) and the RRset
- specified by the RRSIG owner name, RRSIG class, and RRSIG Type
- Covered field. The format of this field depends on the algorithm in
- use, and these formats are described in separate companion documents.
-
-3.1.8.1. Signature Calculation
-
- A signature covers the RRSIG RDATA (excluding the Signature Field)
- and covers the data RRset specified by the RRSIG owner name, RRSIG
- class, and RRSIG Type Covered fields. The RRset is in canonical form
- (see Section 6), and the set RR(1),...RR(n) is signed as follows:
-
-
-
-Arends, et al. Standards Track [Page 9]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where
-
- "|" denotes concatenation;
-
- RRSIG_RDATA is the wire format of the RRSIG RDATA fields
- with the Signer's Name field in canonical form and
- the Signature field excluded;
-
- RR(i) = owner | type | class | TTL | RDATA length | RDATA
-
- "owner" is the fully qualified owner name of the RRset in
- canonical form (for RRs with wildcard owner names, the
- wildcard label is included in the owner name);
-
- Each RR MUST have the same owner name as the RRSIG RR;
-
- Each RR MUST have the same class as the RRSIG RR;
-
- Each RR in the RRset MUST have the RR type listed in the
- RRSIG RR's Type Covered field;
-
- Each RR in the RRset MUST have the TTL listed in the
- RRSIG Original TTL Field;
-
- Any DNS names in the RDATA field of each RR MUST be in
- canonical form; and
-
- The RRset MUST be sorted in canonical order.
-
- See Sections 6.2 and 6.3 for details on canonical form and ordering
- of RRsets.
-
-3.2. The RRSIG RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Type Covered field is represented as an RR type mnemonic. When
- the mnemonic is not known, the TYPE representation as described in
- [RFC3597], Section 5, MUST be used.
-
- The Algorithm field value MUST be represented either as an unsigned
- decimal integer or as an algorithm mnemonic, as specified in Appendix
- A.1.
-
- The Labels field value MUST be represented as an unsigned decimal
- integer.
-
-
-
-
-
-Arends, et al. Standards Track [Page 10]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- The Original TTL field value MUST be represented as an unsigned
- decimal integer.
-
- The Signature Expiration Time and Inception Time field values MUST be
- represented either as an unsigned decimal integer indicating seconds
- since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
- UTC, where:
-
- YYYY is the year (0001-9999, but see Section 3.1.5);
- MM is the month number (01-12);
- DD is the day of the month (01-31);
- HH is the hour, in 24 hour notation (00-23);
- mm is the minute (00-59); and
- SS is the second (00-59).
-
- Note that it is always possible to distinguish between these two
- formats because the YYYYMMDDHHmmSS format will always be exactly 14
- digits, while the decimal representation of a 32-bit unsigned integer
- can never be longer than 10 digits.
-
- The Key Tag field MUST be represented as an unsigned decimal integer.
-
- The Signer's Name field value MUST be represented as a domain name.
-
- The Signature field is represented as a Base64 encoding of the
- signature. Whitespace is allowed within the Base64 text. See
- Section 2.2.
-
-3.3. RRSIG RR Example
-
- The following RRSIG RR stores the signature for the A RRset of
- host.example.com:
-
- host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
- 20030220173103 2642 example.com.
- oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
- PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
- B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
- GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG
- J5D6fwFm8nN+6pBzeDQfsS3Ap3o= )
-
- The first four fields specify the owner name, TTL, Class, and RR type
- (RRSIG). The "A" represents the Type Covered field. The value 5
- identifies the algorithm used (RSA/SHA1) to create the signature.
- The value 3 is the number of Labels in the original owner name. The
- value 86400 in the RRSIG RDATA is the Original TTL for the covered A
- RRset. 20030322173103 and 20030220173103 are the expiration and
-
-
-
-
-Arends, et al. Standards Track [Page 11]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- inception dates, respectively. 2642 is the Key Tag, and example.com.
- is the Signer's Name. The remaining text is a Base64 encoding of the
- signature.
-
- Note that combination of RRSIG RR owner name, class, and Type Covered
- indicates that this RRSIG covers the "host.example.com" A RRset. The
- Label value of 3 indicates that no wildcard expansion was used. The
- Algorithm, Signer's Name, and Key Tag indicate that this signature
- can be authenticated using an example.com zone DNSKEY RR whose
- algorithm is 5 and whose key tag is 2642.
-
-4. The NSEC Resource Record
-
- The NSEC resource record lists two separate things: the next owner
- name (in the canonical ordering of the zone) that contains
- authoritative data or a delegation point NS RRset, and the set of RR
- types present at the NSEC RR's owner name [RFC3845]. The complete
- set of NSEC RRs in a zone indicates which authoritative RRsets exist
- in a zone and also form a chain of authoritative owner names in the
- zone. This information is used to provide authenticated denial of
- existence for DNS data, as described in [RFC4035].
-
- Because every authoritative name in a zone must be part of the NSEC
- chain, NSEC RRs must be present for names containing a CNAME RR.
- This is a change to the traditional DNS specification [RFC1034],
- which stated that if a CNAME is present for a name, it is the only
- type allowed at that name. An RRSIG (see Section 3) and NSEC MUST
- exist for the same name as does a CNAME resource record in a signed
- zone.
-
- See [RFC4035] for discussion of how a zone signer determines
- precisely which NSEC RRs it has to include in a zone.
-
- The type value for the NSEC RR is 47.
-
- The NSEC RR is class independent.
-
- The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
- field. This is in the spirit of negative caching ([RFC2308]).
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 12]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-4.1. NSEC RDATA Wire Format
-
- The RDATA of the NSEC RR is as shown below:
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Next Domain Name /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / Type Bit Maps /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-4.1.1. The Next Domain Name Field
-
- The Next Domain field contains the next owner name (in the canonical
- ordering of the zone) that has authoritative data or contains a
- delegation point NS RRset; see Section 6.1 for an explanation of
- canonical ordering. The value of the Next Domain Name field in the
- last NSEC record in the zone is the name of the zone apex (the owner
- name of the zone's SOA RR). This indicates that the owner name of
- the NSEC RR is the last name in the canonical ordering of the zone.
-
- A sender MUST NOT use DNS name compression on the Next Domain Name
- field when transmitting an NSEC RR.
-
- Owner names of RRsets for which the given zone is not authoritative
- (such as glue records) MUST NOT be listed in the Next Domain Name
- unless at least one authoritative RRset exists at the same owner
- name.
-
-4.1.2. The Type Bit Maps Field
-
- The Type Bit Maps field identifies the RRset types that exist at the
- NSEC RR's owner name.
-
- The RR type space is split into 256 window blocks, each representing
- the low-order 8 bits of the 16-bit RR type space. Each block that
- has at least one active RR type is encoded using a single octet
- window number (from 0 to 255), a single octet bitmap length (from 1
- to 32) indicating the number of octets used for the window block's
- bitmap, and up to 32 octets (256 bits) of bitmap.
-
- Blocks are present in the NSEC RR RDATA in increasing numerical
- order.
-
- Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
-
- where "|" denotes concatenation.
-
-
-
-Arends, et al. Standards Track [Page 13]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- Each bitmap encodes the low-order 8 bits of RR types within the
- window block, in network bit order. The first bit is bit 0. For
- window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
- to RR type 2 (NS), and so forth. For window block 1, bit 1
- corresponds to RR type 257, and bit 2 to RR type 258. If a bit is
- set, it indicates that an RRset of that type is present for the NSEC
- RR's owner name. If a bit is clear, it indicates that no RRset of
- that type is present for the NSEC RR's owner name.
-
- Bits representing pseudo-types MUST be clear, as they do not appear
- in zone data. If encountered, they MUST be ignored upon being read.
-
- Blocks with no types present MUST NOT be included. Trailing zero
- octets in the bitmap MUST be omitted. The length of each block's
- bitmap is determined by the type code with the largest numerical
- value, within that block, among the set of RR types present at the
- NSEC RR's owner name. Trailing zero octets not specified MUST be
- interpreted as zero octets.
-
- The bitmap for the NSEC RR at a delegation point requires special
- attention. Bits corresponding to the delegation NS RRset and the RR
- types for which the parent zone has authoritative data MUST be set;
- bits corresponding to any non-NS RRset for which the parent is not
- authoritative MUST be clear.
-
- A zone MUST NOT include an NSEC RR for any domain name that only
- holds glue records.
-
-4.1.3. Inclusion of Wildcard Names in NSEC RDATA
-
- If a wildcard owner name appears in a zone, the wildcard label ("*")
- is treated as a literal symbol and is treated the same as any other
- owner name for the purposes of generating NSEC RRs. Wildcard owner
- names appear in the Next Domain Name field without any wildcard
- expansion. [RFC4035] describes the impact of wildcards on
- authenticated denial of existence.
-
-4.2. The NSEC RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Next Domain Name field is represented as a domain name.
-
- The Type Bit Maps field is represented as a sequence of RR type
- mnemonics. When the mnemonic is not known, the TYPE representation
- described in [RFC3597], Section 5, MUST be used.
-
-
-
-
-
-Arends, et al. Standards Track [Page 14]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-4.3. NSEC RR Example
-
- The following NSEC RR identifies the RRsets associated with
- alfa.example.com. and identifies the next authoritative name after
- alfa.example.com.
-
- alfa.example.com. 86400 IN NSEC host.example.com. (
- A MX RRSIG NSEC TYPE1234 )
-
- The first four text fields specify the name, TTL, Class, and RR type
- (NSEC). The entry host.example.com. is the next authoritative name
- after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC,
- and TYPE1234 mnemonics indicate that there are A, MX, RRSIG, NSEC,
- and TYPE1234 RRsets associated with the name alfa.example.com.
-
- The RDATA section of the NSEC RR above would be encoded as:
-
- 0x04 'h' 'o' 's' 't'
- 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e'
- 0x03 'c' 'o' 'm' 0x00
- 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
- 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
- 0x00 0x00 0x00 0x00 0x20
-
- Assuming that the validator can authenticate this NSEC record, it
- could be used to prove that beta.example.com does not exist, or to
- prove that there is no AAAA record associated with alfa.example.com.
- Authenticated denial of existence is discussed in [RFC4035].
-
-5. The DS Resource Record
-
- The DS Resource Record refers to a DNSKEY RR and is used in the DNS
- DNSKEY authentication process. A DS RR refers to a DNSKEY RR by
- storing the key tag, algorithm number, and a digest of the DNSKEY RR.
- Note that while the digest should be sufficient to identify the
- public key, storing the key tag and key algorithm helps make the
- identification process more efficient. By authenticating the DS
- record, a resolver can authenticate the DNSKEY RR to which the DS
- record points. The key authentication process is described in
- [RFC4035].
-
- The DS RR and its corresponding DNSKEY RR have the same owner name,
- but they are stored in different locations. The DS RR appears only
- on the upper (parental) side of a delegation, and is authoritative
- data in the parent zone. For example, the DS RR for "example.com" is
- stored in the "com" zone (the parent zone) rather than in the
-
-
-
-Arends, et al. Standards Track [Page 15]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- "example.com" zone (the child zone). The corresponding DNSKEY RR is
- stored in the "example.com" zone (the child zone). This simplifies
- DNS zone management and zone signing but introduces special response
- processing requirements for the DS RR; these are described in
- [RFC4035].
-
- The type number for the DS record is 43.
-
- The DS resource record is class independent.
-
- The DS RR has no special TTL requirements.
-
-5.1. DS RDATA Wire Format
-
- The RDATA for a DS RR consists of a 2 octet Key Tag field, a 1 octet
- Algorithm field, a 1 octet Digest Type field, and a Digest field.
-
- 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Key Tag | Algorithm | Digest Type |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- / /
- / Digest /
- / /
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
-5.1.1. The Key Tag Field
-
- The Key Tag field lists the key tag of the DNSKEY RR referred to by
- the DS record, in network byte order.
-
- The Key Tag used by the DS RR is identical to the Key Tag used by
- RRSIG RRs. Appendix B describes how to compute a Key Tag.
-
-5.1.2. The Algorithm Field
-
- The Algorithm field lists the algorithm number of the DNSKEY RR
- referred to by the DS record.
-
- The algorithm number used by the DS RR is identical to the algorithm
- number used by RRSIG and DNSKEY RRs. Appendix A.1 lists the
- algorithm number types.
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 16]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-5.1.3. The Digest Type Field
-
- The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY
- RR. The Digest Type field identifies the algorithm used to construct
- the digest. Appendix A.2 lists the possible digest algorithm types.
-
-5.1.4. The Digest Field
-
- The DS record refers to a DNSKEY RR by including a digest of that
- DNSKEY RR.
-
- The digest is calculated by concatenating the canonical form of the
- fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
- and then applying the digest algorithm.
-
- digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
-
- "|" denotes concatenation
-
- DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
-
- The size of the digest may vary depending on the digest algorithm and
- DNSKEY RR size. As of the time of this writing, the only defined
- digest algorithm is SHA-1, which produces a 20 octet digest.
-
-5.2. Processing of DS RRs When Validating Responses
-
- The DS RR links the authentication chain across zone boundaries, so
- the DS RR requires extra care in processing. The DNSKEY RR referred
- to in the DS RR MUST be a DNSSEC zone key. The DNSKEY RR Flags MUST
- have Flags bit 7 set. If the DNSKEY flags do not indicate a DNSSEC
- zone key, the DS RR (and the DNSKEY RR it references) MUST NOT be
- used in the validation process.
-
-5.3. The DS RR Presentation Format
-
- The presentation format of the RDATA portion is as follows:
-
- The Key Tag field MUST be represented as an unsigned decimal integer.
-
- The Algorithm field MUST be represented either as an unsigned decimal
- integer or as an algorithm mnemonic specified in Appendix A.1.
-
- The Digest Type field MUST be represented as an unsigned decimal
- integer.
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 17]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- The Digest MUST be represented as a sequence of case-insensitive
- hexadecimal digits. Whitespace is allowed within the hexadecimal
- text.
-
-5.4. DS RR Example
-
- The following example shows a DNSKEY RR and its corresponding DS RR.
-
- dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
- fwJr1AYtsmx3TGkJaNXVbfi/
- 2pHm822aJ5iI9BMzNXxeYCmZ
- DRD99WYwYqUSdjMmmAphXdvx
- egXd/M5+X7OrzKBaMbCVdFLU
- Uh6DhweJBjEVv5f2wwjM9Xzc
- nOf+EPbtG9DMBmADjFDc2w/r
- ljwvFw==
- ) ; key id = 60485
-
- dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
- 98631FAD1A292118 )
-
- The first four text fields specify the name, TTL, Class, and RR type
- (DS). Value 60485 is the key tag for the corresponding
- "dskey.example.com." DNSKEY RR, and value 5 denotes the algorithm
- used by this "dskey.example.com." DNSKEY RR. The value 1 is the
- algorithm used to construct the digest, and the rest of the RDATA
- text is the digest in hexadecimal.
-
-6. Canonical Form and Order of Resource Records
-
- This section defines a canonical form for resource records, a
- canonical ordering of DNS names, and a canonical ordering of resource
- records within an RRset. A canonical name order is required to
- construct the NSEC name chain. A canonical RR form and ordering
- within an RRset are required in order to construct and verify RRSIG
- RRs.
-
-6.1. Canonical DNS Name Order
-
- For the purposes of DNS security, owner names are ordered by treating
- individual labels as unsigned left-justified octet strings. The
- absence of a octet sorts before a zero value octet, and uppercase
- US-ASCII letters are treated as if they were lowercase US-ASCII
- letters.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 18]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- To compute the canonical ordering of a set of DNS names, start by
- sorting the names according to their most significant (rightmost)
- labels. For names in which the most significant label is identical,
- continue sorting according to their next most significant label, and
- so forth.
-
- For example, the following names are sorted in canonical DNS name
- order. The most significant label is "example". At this level,
- "example" sorts first, followed by names ending in "a.example", then
- by names ending "z.example". The names within each level are sorted
- in the same way.
-
- example
- a.example
- yljkjljk.a.example
- Z.a.example
- zABC.a.EXAMPLE
- z.example
- \001.z.example
- *.z.example
- \200.z.example
-
-6.2. Canonical RR Form
-
- For the purposes of DNS security, the canonical form of an RR is the
- wire format of the RR where:
-
- 1. every domain name in the RR is fully expanded (no DNS name
- compression) and fully qualified;
-
- 2. all uppercase US-ASCII letters in the owner name of the RR are
- replaced by the corresponding lowercase US-ASCII letters;
-
- 3. if the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
- HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
- SRV, DNAME, A6, RRSIG, or NSEC, all uppercase US-ASCII letters in
- the DNS names contained within the RDATA are replaced by the
- corresponding lowercase US-ASCII letters;
-
- 4. if the owner name of the RR is a wildcard name, the owner name is
- in its original unexpanded form, including the "*" label (no
- wildcard substitution); and
-
- 5. the RR's TTL is set to its original value as it appears in the
- originating authoritative zone or the Original TTL field of the
- covering RRSIG RR.
-
-
-
-
-
-Arends, et al. Standards Track [Page 19]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-6.3. Canonical RR Ordering within an RRset
-
- For the purposes of DNS security, RRs with the same owner name,
- class, and type are sorted by treating the RDATA portion of the
- canonical form of each RR as a left-justified unsigned octet sequence
- in which the absence of an octet sorts before a zero octet.
-
- [RFC2181] specifies that an RRset is not allowed to contain duplicate
- records (multiple RRs with the same owner name, class, type, and
- RDATA). Therefore, if an implementation detects duplicate RRs when
- putting the RRset in canonical form, it MUST treat this as a protocol
- error. If the implementation chooses to handle this protocol error
- in the spirit of the robustness principle (being liberal in what it
- accepts), it MUST remove all but one of the duplicate RR(s) for the
- purposes of calculating the canonical form of the RRset.
-
-7. IANA Considerations
-
- This document introduces no new IANA considerations, as all of the
- protocol parameters used in this document have already been assigned
- by previous specifications. However, since the evolution of DNSSEC
- has been long and somewhat convoluted, this section attempts to
- describe the current state of the IANA registries and other protocol
- parameters that are (or once were) related to DNSSEC.
-
- Please refer to [RFC4035] for additional IANA considerations.
-
- DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to
- the SIG, KEY, and NXT RRs, respectively. [RFC3658] assigned DNS
- Resource Record Type 43 to DS. [RFC3755] assigned types 46, 47,
- and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively.
- [RFC3755] also marked type 30 (NXT) as Obsolete and restricted use
- of types 24 (SIG) and 25 (KEY) to the "SIG(0)" transaction
- security protocol described in [RFC2931] and to the transaction
- KEY Resource Record described in [RFC2930].
-
- DNS Security Algorithm Numbers: [RFC2535] created an IANA registry
- for DNSSEC Resource Record Algorithm field numbers and assigned
- values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755]
- altered this registry to include flags for each entry regarding
- its use with the DNS security extensions. Each algorithm entry
- could refer to an algorithm that can be used for zone signing,
- transaction security (see [RFC2931]), or both. Values 6-251 are
- available for assignment by IETF standards action ([RFC3755]).
- See Appendix A for a full listing of the DNS Security Algorithm
- Numbers entries at the time of this writing and their status for
- use in DNSSEC.
-
-
-
-
-Arends, et al. Standards Track [Page 20]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- [RFC3658] created an IANA registry for DNSSEC DS Digest Types and
- assigned value 0 to reserved and value 1 to SHA-1.
-
- KEY Protocol Values: [RFC2535] created an IANA Registry for KEY
- Protocol Values, but [RFC3445] reassigned all values other than 3
- to reserved and closed this IANA registry. The registry remains
- closed, and all KEY and DNSKEY records are required to have a
- Protocol Octet value of 3.
-
- Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA
- registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially,
- this registry only contains assignments for bit 7 (the ZONE bit)
- and bit 15 (the Secure Entry Point flag (SEP) bit; see [RFC3757]).
- As stated in [RFC3755], bits 0-6 and 8-14 are available for
- assignment by IETF Standards Action.
-
-8. Security Considerations
-
- This document describes the format of four DNS resource records used
- by the DNS security extensions and presents an algorithm for
- calculating a key tag for a public key. Other than the items
- described below, the resource records themselves introduce no
- security considerations. Please see [RFC4033] and [RFC4035] for
- additional security considerations related to the use of these
- records.
-
- The DS record points to a DNSKEY RR by using a cryptographic digest,
- the key algorithm type, and a key tag. The DS record is intended to
- identify an existing DNSKEY RR, but it is theoretically possible for
- an attacker to generate a DNSKEY that matches all the DS fields. The
- probability of constructing a matching DNSKEY depends on the type of
- digest algorithm in use. The only currently defined digest algorithm
- is SHA-1, and the working group believes that constructing a public
- key that would match the algorithm, key tag, and SHA-1 digest given
- in a DS record would be a sufficiently difficult problem that such an
- attack is not a serious threat at this time.
-
- The key tag is used to help select DNSKEY resource records
- efficiently, but it does not uniquely identify a single DNSKEY
- resource record. It is possible for two distinct DNSKEY RRs to have
- the same owner name, the same algorithm type, and the same key tag.
- An implementation that uses only the key tag to select a DNSKEY RR
- might select the wrong public key in some circumstances. Please see
- Appendix B for further details.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 21]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- The table of algorithms in Appendix A and the key tag calculation
- algorithms in Appendix B include the RSA/MD5 algorithm for
- completeness, but the RSA/MD5 algorithm is NOT RECOMMENDED, as
- explained in [RFC3110].
-
-9. Acknowledgements
-
- This document was created from the input and ideas of the members of
- the DNS Extensions Working Group and working group mailing list. The
- editors would like to express their thanks for the comments and
- suggestions received during the revision of these security extension
- specifications. Although explicitly listing everyone who has
- contributed during the decade in which DNSSEC has been under
- development would be impossible, [RFC4033] includes a list of some of
- the participants who were kind enough to comment on these documents.
-
-10. References
-
-10.1. Normative References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
- August 1996.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2536] Eastlake 3rd, D., "DSA KEYs and SIGs in the Domain Name
- System (DNS)", RFC 2536, March 1999.
-
- [RFC2931] Eastlake 3rd, D., "DNS Request and Transaction Signatures
- ( SIG(0)s )", RFC 2931, September 2000.
-
- [RFC3110] Eastlake 3rd, D., "RSA/SHA-1 SIGs and RSA KEYs in the
- Domain Name System (DNS)", RFC 3110, May 2001.
-
-
-
-
-
-Arends, et al. Standards Track [Page 22]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
- Resource Record (RR)", RFC 3445, December 2002.
-
- [RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data
- Encodings", RFC 3548, July 2003.
-
- [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
- (RR) Types", RFC 3597, September 2003.
-
- [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
- (RR)", RFC 3658, December 2003.
-
- [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
- Signer (DS)", RFC 3755, May 2004.
-
- [RFC3757] Kolkman, O., Schlyter, J., and E. Lewis, "Domain Name
- System KEY (DNSKEY) Resource Record (RR) Secure Entry
- Point (SEP) Flag", RFC 3757, April 2004.
-
- [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements", RFC
- 4033, March 2005.
-
- [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Protocol Modifications for the DNS Security
- Extensions", RFC 4035, March 2005.
-
-10.2. Informative References
-
- [RFC2535] Eastlake 3rd, D., "Domain Name System Security
- Extensions", RFC 2535, March 1999.
-
- [RFC2537] Eastlake 3rd, D., "RSA/MD5 KEYs and SIGs in the Domain
- Name System (DNS)", RFC 2537, March 1999.
-
- [RFC2539] Eastlake 3rd, D., "Storage of Diffie-Hellman Keys in the
- Domain Name System (DNS)", RFC 2539, March 1999.
-
- [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
- RR)", RFC 2930, September 2000.
-
- [RFC3845] Schlyter, J., "DNS Security (DNSSEC) NextSECure (NSEC)
- RDATA Format", RFC 3845, August 2004.
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 23]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-Appendix A. DNSSEC Algorithm and Digest Types
-
- The DNS security extensions are designed to be independent of the
- underlying cryptographic algorithms. The DNSKEY, RRSIG, and DS
- resource records all use a DNSSEC Algorithm Number to identify the
- cryptographic algorithm in use by the resource record. The DS
- resource record also specifies a Digest Algorithm Number to identify
- the digest algorithm used to construct the DS record. The currently
- defined Algorithm and Digest Types are listed below. Additional
- Algorithm or Digest Types could be added as advances in cryptography
- warrant them.
-
- A DNSSEC aware resolver or name server MUST implement all MANDATORY
- algorithms.
-
-A.1. DNSSEC Algorithm Types
-
- The DNSKEY, RRSIG, and DS RRs use an 8-bit number to identify the
- security algorithm being used. These values are stored in the
- "Algorithm number" field in the resource record RDATA.
-
- Some algorithms are usable only for zone signing (DNSSEC), some only
- for transaction security mechanisms (SIG(0) and TSIG), and some for
- both. Those usable for zone signing may appear in DNSKEY, RRSIG, and
- DS RRs. Those usable for transaction security would be present in
- SIG(0) and KEY RRs, as described in [RFC2931].
-
- Zone
- Value Algorithm [Mnemonic] Signing References Status
- ----- -------------------- --------- ---------- ---------
- 0 reserved
- 1 RSA/MD5 [RSAMD5] n [RFC2537] NOT RECOMMENDED
- 2 Diffie-Hellman [DH] n [RFC2539] -
- 3 DSA/SHA-1 [DSA] y [RFC2536] OPTIONAL
- 4 Elliptic Curve [ECC] TBA -
- 5 RSA/SHA-1 [RSASHA1] y [RFC3110] MANDATORY
- 252 Indirect [INDIRECT] n -
- 253 Private [PRIVATEDNS] y see below OPTIONAL
- 254 Private [PRIVATEOID] y see below OPTIONAL
- 255 reserved
-
- 6 - 251 Available for assignment by IETF Standards Action.
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 24]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-A.1.1. Private Algorithm Types
-
- Algorithm number 253 is reserved for private use and will never be
- assigned to a specific algorithm. The public key area in the DNSKEY
- RR and the signature area in the RRSIG RR begin with a wire encoded
- domain name, which MUST NOT be compressed. The domain name indicates
- the private algorithm to use, and the remainder of the public key
- area is determined by that algorithm. Entities should only use
- domain names they control to designate their private algorithms.
-
- Algorithm number 254 is reserved for private use and will never be
- assigned to a specific algorithm. The public key area in the DNSKEY
- RR and the signature area in the RRSIG RR begin with an unsigned
- length byte followed by a BER encoded Object Identifier (ISO OID) of
- that length. The OID indicates the private algorithm in use, and the
- remainder of the area is whatever is required by that algorithm.
- Entities should only use OIDs they control to designate their private
- algorithms.
-
-A.2. DNSSEC Digest Types
-
- A "Digest Type" field in the DS resource record types identifies the
- cryptographic digest algorithm used by the resource record. The
- following table lists the currently defined digest algorithm types.
-
- VALUE Algorithm STATUS
- 0 Reserved -
- 1 SHA-1 MANDATORY
- 2-255 Unassigned -
-
-Appendix B. Key Tag Calculation
-
- The Key Tag field in the RRSIG and DS resource record types provides
- a mechanism for selecting a public key efficiently. In most cases, a
- combination of owner name, algorithm, and key tag can efficiently
- identify a DNSKEY record. Both the RRSIG and DS resource records
- have corresponding DNSKEY records. The Key Tag field in the RRSIG
- and DS records can be used to help select the corresponding DNSKEY RR
- efficiently when more than one candidate DNSKEY RR is available.
-
- However, it is essential to note that the key tag is not a unique
- identifier. It is theoretically possible for two distinct DNSKEY RRs
- to have the same owner name, the same algorithm, and the same key
- tag. The key tag is used to limit the possible candidate keys, but
- it does not uniquely identify a DNSKEY record. Implementations MUST
- NOT assume that the key tag uniquely identifies a DNSKEY RR.
-
-
-
-
-
-Arends, et al. Standards Track [Page 25]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
- The key tag is the same for all DNSKEY algorithm types except
- algorithm 1 (please see Appendix B.1 for the definition of the key
- tag for algorithm 1). The key tag algorithm is the sum of the wire
- format of the DNSKEY RDATA broken into 2 octet groups. First, the
- RDATA (in wire format) is treated as a series of 2 octet groups.
- These groups are then added together, ignoring any carry bits.
-
- A reference implementation of the key tag algorithm is as an ANSI C
- function is given below, with the RDATA portion of the DNSKEY RR is
- used as input. It is not necessary to use the following reference
- code verbatim, but the numerical value of the Key Tag MUST be
- identical to what the reference implementation would generate for the
- same input.
-
- Please note that the algorithm for calculating the Key Tag is almost
- but not completely identical to the familiar ones-complement checksum
- used in many other Internet protocols. Key Tags MUST be calculated
- using the algorithm described here rather than the ones complement
- checksum.
-
- The following ANSI C reference implementation calculates the value of
- a Key Tag. This reference implementation applies to all algorithm
- types except algorithm 1 (see Appendix B.1). The input is the wire
- format of the RDATA portion of the DNSKEY RR. The code is written
- for clarity, not efficiency.
-
- /*
- * Assumes that int is at least 16 bits.
- * First octet of the key tag is the most significant 8 bits of the
- * return value;
- * Second octet of the key tag is the least significant 8 bits of the
- * return value.
- */
-
- unsigned int
- keytag (
- unsigned char key[], /* the RDATA part of the DNSKEY RR */
- unsigned int keysize /* the RDLENGTH */
- )
- {
- unsigned long ac; /* assumed to be 32 bits or larger */
- int i; /* loop index */
-
- for ( ac = 0, i = 0; i < keysize; ++i )
- ac += (i & 1) ? key[i] : key[i] << 8;
- ac += (ac >> 16) & 0xFFFF;
- return ac & 0xFFFF;
- }
-
-
-
-Arends, et al. Standards Track [Page 26]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-B.1. Key Tag for Algorithm 1 (RSA/MD5)
-
- The key tag for algorithm 1 (RSA/MD5) is defined differently from the
- key tag for all other algorithms, for historical reasons. For a
- DNSKEY RR with algorithm 1, the key tag is defined to be the most
- significant 16 bits of the least significant 24 bits in the public
- key modulus (in other words, the 4th to last and 3rd to last octets
- of the public key modulus).
-
- Please note that Algorithm 1 is NOT RECOMMENDED.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 27]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Brouwerijstraat 1
- 7523 XC Enschede
- NL
-
- EMail: roy.arends@telin.nl
-
-
- Rob Austein
- Internet Systems Consortium
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- EMail: sra@isc.org
-
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: mlarson@verisign.com
-
-
- Dan Massey
- Colorado State University
- Department of Computer Science
- Fort Collins, CO 80523-1873
-
- EMail: massey@cs.colostate.edu
-
-
- Scott Rose
- National Institute for Standards and Technology
- 100 Bureau Drive
- Gaithersburg, MD 20899-8920
- USA
-
- EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 28]
-
-RFC 4034 DNSSEC Resource Records March 2005
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 29]
-
diff --git a/contrib/bind9/doc/rfc/rfc4035.txt b/contrib/bind9/doc/rfc/rfc4035.txt
deleted file mode 100644
index b701cd2f235b..000000000000
--- a/contrib/bind9/doc/rfc/rfc4035.txt
+++ /dev/null
@@ -1,2971 +0,0 @@
-
-
-
-
-
-
-Network Working Group R. Arends
-Request for Comments: 4035 Telematica Instituut
-Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein
- 3755, 3757, 3845 ISC
-Updates: 1034, 1035, 2136, 2181, 2308, 3225, M. Larson
- 3007, 3597, 3226 VeriSign
-Category: Standards Track D. Massey
- Colorado State University
- S. Rose
- NIST
- March 2005
-
-
- Protocol Modifications for the DNS Security Extensions
-
-Status of This Memo
-
- This document specifies an Internet standards track protocol for the
- Internet community, and requests discussion and suggestions for
- improvements. Please refer to the current edition of the "Internet
- Official Protocol Standards" (STD 1) for the standardization state
- and status of this protocol. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document is part of a family of documents that describe the DNS
- Security Extensions (DNSSEC). The DNS Security Extensions are a
- collection of new resource records and protocol modifications that
- add data origin authentication and data integrity to the DNS. This
- document describes the DNSSEC protocol modifications. This document
- defines the concept of a signed zone, along with the requirements for
- serving and resolving by using DNSSEC. These techniques allow a
- security-aware resolver to authenticate both DNS resource records and
- authoritative DNS error indications.
-
- This document obsoletes RFC 2535 and incorporates changes from all
- updates to RFC 2535.
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 1]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 1.1. Background and Related Documents . . . . . . . . . . . . 4
- 1.2. Reserved Words . . . . . . . . . . . . . . . . . . . . . 4
- 2. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . . . 4
- 2.1. Including DNSKEY RRs in a Zone . . . . . . . . . . . . . 5
- 2.2. Including RRSIG RRs in a Zone . . . . . . . . . . . . . 5
- 2.3. Including NSEC RRs in a Zone . . . . . . . . . . . . . . 6
- 2.4. Including DS RRs in a Zone . . . . . . . . . . . . . . . 7
- 2.5. Changes to the CNAME Resource Record. . . . . . . . . . 7
- 2.6. DNSSEC RR Types Appearing at Zone Cuts. . . . . . . . . 8
- 2.7. Example of a Secure Zone . . . . . . . . . . . . . . . . 8
- 3. Serving . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
- 3.1. Authoritative Name Servers . . . . . . . . . . . . . . . 9
- 3.1.1. Including RRSIG RRs in a Response . . . . . . . 10
- 3.1.2. Including DNSKEY RRs in a Response . . . . . . . 11
- 3.1.3. Including NSEC RRs in a Response . . . . . . . . 11
- 3.1.4. Including DS RRs in a Response . . . . . . . . . 14
- 3.1.5. Responding to Queries for Type AXFR or IXFR . . 15
- 3.1.6. The AD and CD Bits in an Authoritative Response. 16
- 3.2. Recursive Name Servers . . . . . . . . . . . . . . . . . 17
- 3.2.1. The DO Bit . . . . . . . . . . . . . . . . . . . 17
- 3.2.2. The CD Bit . . . . . . . . . . . . . . . . . . . 17
- 3.2.3. The AD Bit . . . . . . . . . . . . . . . . . . . 18
- 3.3. Example DNSSEC Responses . . . . . . . . . . . . . . . . 19
- 4. Resolving . . . . . . . . . . . . . . . . . . . . . . . . . . 19
- 4.1. EDNS Support . . . . . . . . . . . . . . . . . . . . . . 19
- 4.2. Signature Verification Support . . . . . . . . . . . . . 19
- 4.3. Determining Security Status of Data . . . . . . . . . . 20
- 4.4. Configured Trust Anchors . . . . . . . . . . . . . . . . 21
- 4.5. Response Caching . . . . . . . . . . . . . . . . . . . . 21
- 4.6. Handling of the CD and AD Bits . . . . . . . . . . . . . 22
- 4.7. Caching BAD Data . . . . . . . . . . . . . . . . . . . . 22
- 4.8. Synthesized CNAMEs . . . . . . . . . . . . . . . . . . . 23
- 4.9. Stub Resolvers . . . . . . . . . . . . . . . . . . . . . 23
- 4.9.1. Handling of the DO Bit . . . . . . . . . . . . . 24
- 4.9.2. Handling of the CD Bit . . . . . . . . . . . . . 24
- 4.9.3. Handling of the AD Bit . . . . . . . . . . . . . 24
- 5. Authenticating DNS Responses . . . . . . . . . . . . . . . . . 25
- 5.1. Special Considerations for Islands of Security . . . . . 26
- 5.2. Authenticating Referrals . . . . . . . . . . . . . . . . 26
- 5.3. Authenticating an RRset with an RRSIG RR . . . . . . . . 28
- 5.3.1. Checking the RRSIG RR Validity . . . . . . . . . 28
- 5.3.2. Reconstructing the Signed Data . . . . . . . . . 29
- 5.3.3. Checking the Signature . . . . . . . . . . . . . 31
- 5.3.4. Authenticating a Wildcard Expanded RRset
- Positive Response. . . . . . . . . . . . . . . . 32
-
-
-
-Arends, et al. Standards Track [Page 2]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- 5.4. Authenticated Denial of Existence . . . . . . . . . . . 32
- 5.5. Resolver Behavior When Signatures Do Not Validate . . . 33
- 5.6. Authentication Example . . . . . . . . . . . . . . . . . 33
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
- 7. Security Considerations . . . . . . . . . . . . . . . . . . . 33
- 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 34
- 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34
- 9.1. Normative References . . . . . . . . . . . . . . . . . . 34
- 9.2. Informative References . . . . . . . . . . . . . . . . . 35
- A. Signed Zone Example . . . . . . . . . . . . . . . . . . . . . 36
- B. Example Responses . . . . . . . . . . . . . . . . . . . . . . 41
- B.1. Answer . . . . . . . . . . . . . . . . . . . . . . . . . 41
- B.2. Name Error . . . . . . . . . . . . . . . . . . . . . . . 43
- B.3. No Data Error . . . . . . . . . . . . . . . . . . . . . 44
- B.4. Referral to Signed Zone . . . . . . . . . . . . . . . . 44
- B.5. Referral to Unsigned Zone . . . . . . . . . . . . . . . 45
- B.6. Wildcard Expansion . . . . . . . . . . . . . . . . . . . 46
- B.7. Wildcard No Data Error . . . . . . . . . . . . . . . . . 47
- B.8. DS Child Zone No Data Error . . . . . . . . . . . . . . 48
- C. Authentication Examples . . . . . . . . . . . . . . . . . . . 49
- C.1. Authenticating an Answer . . . . . . . . . . . . . . . . 49
- C.1.1. Authenticating the Example DNSKEY RR . . . . . . 49
- C.2. Name Error . . . . . . . . . . . . . . . . . . . . . . . 50
- C.3. No Data Error . . . . . . . . . . . . . . . . . . . . . 50
- C.4. Referral to Signed Zone . . . . . . . . . . . . . . . . 50
- C.5. Referral to Unsigned Zone . . . . . . . . . . . . . . . 51
- C.6. Wildcard Expansion . . . . . . . . . . . . . . . . . . . 51
- C.7. Wildcard No Data Error . . . . . . . . . . . . . . . . . 51
- C.8. DS Child Zone No Data Error . . . . . . . . . . . . . . 51
- Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 52
- Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 53
-
-1. Introduction
-
- The DNS Security Extensions (DNSSEC) are a collection of new resource
- records and protocol modifications that add data origin
- authentication and data integrity to the DNS. This document defines
- the DNSSEC protocol modifications. Section 2 of this document
- defines the concept of a signed zone and lists the requirements for
- zone signing. Section 3 describes the modifications to authoritative
- name server behavior necessary for handling signed zones. Section 4
- describes the behavior of entities that include security-aware
- resolver functions. Finally, Section 5 defines how to use DNSSEC RRs
- to authenticate a response.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 3]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-1.1. Background and Related Documents
-
- This document is part of a family of documents defining DNSSEC that
- should be read together as a set.
-
- [RFC4033] contains an introduction to DNSSEC and definitions of
- common terms; the reader is assumed to be familiar with this
- document. [RFC4033] also contains a list of other documents updated
- by and obsoleted by this document set.
-
- [RFC4034] defines the DNSSEC resource records.
-
- The reader is also assumed to be familiar with the basic DNS concepts
- described in [RFC1034], [RFC1035], and the subsequent documents that
- update them; particularly, [RFC2181] and [RFC2308].
-
- This document defines the DNSSEC protocol operations.
-
-1.2. Reserved Words
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-2. Zone Signing
-
- DNSSEC introduces the concept of signed zones. A signed zone
- includes DNS Public Key (DNSKEY), Resource Record Signature (RRSIG),
- Next Secure (NSEC), and (optionally) Delegation Signer (DS) records
- according to the rules specified in Sections 2.1, 2.2, 2.3, and 2.4,
- respectively. A zone that does not include these records according
- to the rules in this section is an unsigned zone.
-
- DNSSEC requires a change to the definition of the CNAME resource
- record ([RFC1035]). Section 2.5 changes the CNAME RR to allow RRSIG
- and NSEC RRs to appear at the same owner name as does a CNAME RR.
-
- DNSSEC specifies the placement of two new RR types, NSEC and DS,
- which can be placed at the parental side of a zone cut (that is, at a
- delegation point). This is an exception to the general prohibition
- against putting data in the parent zone at a zone cut. Section 2.6
- describes this change.
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 4]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-2.1. Including DNSKEY RRs in a Zone
-
- To sign a zone, the zone's administrator generates one or more
- public/private key pairs and uses the private key(s) to sign
- authoritative RRsets in the zone. For each private key used to
- create RRSIG RRs in a zone, the zone SHOULD include a zone DNSKEY RR
- containing the corresponding public key. A zone key DNSKEY RR MUST
- have the Zone Key bit of the flags RDATA field set (see Section 2.1.1
- of [RFC4034]). Public keys associated with other DNS operations MAY
- be stored in DNSKEY RRs that are not marked as zone keys but MUST NOT
- be used to verify RRSIGs.
-
- If the zone administrator intends a signed zone to be usable other
- than as an island of security, the zone apex MUST contain at least
- one DNSKEY RR to act as a secure entry point into the zone. This
- secure entry point could then be used as the target of a secure
- delegation via a corresponding DS RR in the parent zone (see
- [RFC4034]).
-
-2.2. Including RRSIG RRs in a Zone
-
- For each authoritative RRset in a signed zone, there MUST be at least
- one RRSIG record that meets the following requirements:
-
- o The RRSIG owner name is equal to the RRset owner name.
-
- o The RRSIG class is equal to the RRset class.
-
- o The RRSIG Type Covered field is equal to the RRset type.
-
- o The RRSIG Original TTL field is equal to the TTL of the RRset.
-
- o The RRSIG RR's TTL is equal to the TTL of the RRset.
-
- o The RRSIG Labels field is equal to the number of labels in the
- RRset owner name, not counting the null root label and not
- counting the leftmost label if it is a wildcard.
-
- o The RRSIG Signer's Name field is equal to the name of the zone
- containing the RRset.
-
- o The RRSIG Algorithm, Signer's Name, and Key Tag fields identify a
- zone key DNSKEY record at the zone apex.
-
- The process for constructing the RRSIG RR for a given RRset is
- described in [RFC4034]. An RRset MAY have multiple RRSIG RRs
- associated with it. Note that as RRSIG RRs are closely tied to the
- RRsets whose signatures they contain, RRSIG RRs, unlike all other DNS
-
-
-
-Arends, et al. Standards Track [Page 5]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- RR types, do not form RRsets. In particular, the TTL values among
- RRSIG RRs with a common owner name do not follow the RRset rules
- described in [RFC2181].
-
- An RRSIG RR itself MUST NOT be signed, as signing an RRSIG RR would
- add no value and would create an infinite loop in the signing
- process.
-
- The NS RRset that appears at the zone apex name MUST be signed, but
- the NS RRsets that appear at delegation points (that is, the NS
- RRsets in the parent zone that delegate the name to the child zone's
- name servers) MUST NOT be signed. Glue address RRsets associated
- with delegations MUST NOT be signed.
-
- There MUST be an RRSIG for each RRset using at least one DNSKEY of
- each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
- itself MUST be signed by each algorithm appearing in the DS RRset
- located at the delegating parent (if any).
-
-2.3. Including NSEC RRs in a Zone
-
- Each owner name in the zone that has authoritative data or a
- delegation point NS RRset MUST have an NSEC resource record. The
- format of NSEC RRs and the process for constructing the NSEC RR for a
- given name is described in [RFC4034].
-
- The TTL value for any NSEC RR SHOULD be the same as the minimum TTL
- value field in the zone SOA RR.
-
- An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
- RRset at any particular owner name. That is, the signing process
- MUST NOT create NSEC or RRSIG RRs for owner name nodes that were not
- the owner name of any RRset before the zone was signed. The main
- reasons for this are a desire for namespace consistency between
- signed and unsigned versions of the same zone and a desire to reduce
- the risk of response inconsistency in security oblivious recursive
- name servers.
-
- The type bitmap of every NSEC resource record in a signed zone MUST
- indicate the presence of both the NSEC record itself and its
- corresponding RRSIG record.
-
- The difference between the set of owner names that require RRSIG
- records and the set of owner names that require NSEC records is
- subtle and worth highlighting. RRSIG records are present at the
- owner names of all authoritative RRsets. NSEC records are present at
- the owner names of all names for which the signed zone is
- authoritative and also at the owner names of delegations from the
-
-
-
-Arends, et al. Standards Track [Page 6]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- signed zone to its children. Neither NSEC nor RRSIG records are
- present (in the parent zone) at the owner names of glue address
- RRsets. Note, however, that this distinction is for the most part
- visible only during the zone signing process, as NSEC RRsets are
- authoritative data and are therefore signed. Thus, any owner name
- that has an NSEC RRset will have RRSIG RRs as well in the signed
- zone.
-
- The bitmap for the NSEC RR at a delegation point requires special
- attention. Bits corresponding to the delegation NS RRset and any
- RRsets for which the parent zone has authoritative data MUST be set;
- bits corresponding to any non-NS RRset for which the parent is not
- authoritative MUST be clear.
-
-2.4. Including DS RRs in a Zone
-
- The DS resource record establishes authentication chains between DNS
- zones. A DS RRset SHOULD be present at a delegation point when the
- child zone is signed. The DS RRset MAY contain multiple records,
- each referencing a public key in the child zone used to verify the
- RRSIGs in that zone. All DS RRsets in a zone MUST be signed, and DS
- RRsets MUST NOT appear at a zone's apex.
-
- A DS RR SHOULD point to a DNSKEY RR that is present in the child's
- apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
- by the corresponding private key. DS RRs that fail to meet these
- conditions are not useful for validation, but because the DS RR and
- its corresponding DNSKEY RR are in different zones, and because the
- DNS is only loosely consistent, temporary mismatches can occur.
-
- The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
- (that is, the NS RRset from the same zone containing the DS RRset).
-
- Construction of a DS RR requires knowledge of the corresponding
- DNSKEY RR in the child zone, which implies communication between the
- child and parent zones. This communication is an operational matter
- not covered by this document.
-
-2.5. Changes to the CNAME Resource Record
-
- If a CNAME RRset is present at a name in a signed zone, appropriate
- RRSIG and NSEC RRsets are REQUIRED at that name. A KEY RRset at that
- name for secure dynamic update purposes is also allowed ([RFC3007]).
- Other types MUST NOT be present at that name.
-
- This is a modification to the original CNAME definition given in
- [RFC1034]. The original definition of the CNAME RR did not allow any
- other types to coexist with a CNAME record, but a signed zone
-
-
-
-Arends, et al. Standards Track [Page 7]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- requires NSEC and RRSIG RRs for every authoritative name. To resolve
- this conflict, this specification modifies the definition of the
- CNAME resource record to allow it to coexist with NSEC and RRSIG RRs.
-
-2.6. DNSSEC RR Types Appearing at Zone Cuts
-
- DNSSEC introduced two new RR types that are unusual in that they can
- appear at the parental side of a zone cut. At the parental side of a
- zone cut (that is, at a delegation point), NSEC RRs are REQUIRED at
- the owner name. A DS RR could also be present if the zone being
- delegated is signed and seeks to have a chain of authentication to
- the parent zone. This is an exception to the original DNS
- specification ([RFC1034]), which states that only NS RRsets could
- appear at the parental side of a zone cut.
-
- This specification updates the original DNS specification to allow
- NSEC and DS RR types at the parent side of a zone cut. These RRsets
- are authoritative for the parent when they appear at the parent side
- of a zone cut.
-
-2.7. Example of a Secure Zone
-
- Appendix A shows a complete example of a small signed zone.
-
-3. Serving
-
- This section describes the behavior of entities that include
- security-aware name server functions. In many cases such functions
- will be part of a security-aware recursive name server, but a
- security-aware authoritative name server has some of the same
- requirements. Functions specific to security-aware recursive name
- servers are described in Section 3.2; functions specific to
- authoritative servers are described in Section 3.1.
-
- In the following discussion, the terms "SNAME", "SCLASS", and "STYPE"
- are as used in [RFC1034].
-
- A security-aware name server MUST support the EDNS0 ([RFC2671])
- message size extension, MUST support a message size of at least 1220
- octets, and SHOULD support a message size of 4000 octets. As IPv6
- packets can only be fragmented by the source host, a security aware
- name server SHOULD take steps to ensure that UDP datagrams it
- transmits over IPv6 are fragmented, if necessary, at the minimum IPv6
- MTU, unless the path MTU is known. Please see [RFC1122], [RFC2460],
- and [RFC3226] for further discussion of packet size and fragmentation
- issues.
-
-
-
-
-
-Arends, et al. Standards Track [Page 8]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- A security-aware name server that receives a DNS query that does not
- include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
- treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset and
- MUST NOT perform any of the additional processing described below.
- Because the DS RR type has the peculiar property of only existing in
- the parent zone at delegation points, DS RRs always require some
- special processing, as described in Section 3.1.4.1.
-
- Security aware name servers that receive explicit queries for
- security RR types that match the content of more than one zone that
- it serves (for example, NSEC and RRSIG RRs above and below a
- delegation point where the server is authoritative for both zones)
- should behave self-consistently. As long as the response is always
- consistent for each query to the name server, the name server MAY
- return one of the following:
-
- o The above-delegation RRsets.
- o The below-delegation RRsets.
- o Both above and below-delegation RRsets.
- o Empty answer section (no records).
- o Some other response.
- o An error.
-
- DNSSEC allocates two new bits in the DNS message header: the CD
- (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit
- is controlled by resolvers; a security-aware name server MUST copy
- the CD bit from a query into the corresponding response. The AD bit
- is controlled by name servers; a security-aware name server MUST
- ignore the setting of the AD bit in queries. See Sections 3.1.6,
- 3.2.2, 3.2.3, 4, and 4.9 for details on the behavior of these bits.
-
- A security aware name server that synthesizes CNAME RRs from DNAME
- RRs as described in [RFC2672] SHOULD NOT generate signatures for the
- synthesized CNAME RRs.
-
-3.1. Authoritative Name Servers
-
- Upon receiving a relevant query that has the EDNS ([RFC2671]) OPT
- pseudo-RR DO bit ([RFC3225]) set, a security-aware authoritative name
- server for a signed zone MUST include additional RRSIG, NSEC, and DS
- RRs, according to the following rules:
-
- o RRSIG RRs that can be used to authenticate a response MUST be
- included in the response according to the rules in Section 3.1.1.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 9]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- o NSEC RRs that can be used to provide authenticated denial of
- existence MUST be included in the response automatically according
- to the rules in Section 3.1.3.
-
- o Either a DS RRset or an NSEC RR proving that no DS RRs exist MUST
- be included in referrals automatically according to the rules in
- Section 3.1.4.
-
- These rules only apply to responses where the semantics convey
- information about the presence or absence of resource records. That
- is, these rules are not intended to rule out responses such as RCODE
- 4 ("Not Implemented") or RCODE 5 ("Refused").
-
- DNSSEC does not change the DNS zone transfer protocol. Section 3.1.5
- discusses zone transfer requirements.
-
-3.1.1. Including RRSIG RRs in a Response
-
- When responding to a query that has the DO bit set, a security-aware
- authoritative name server SHOULD attempt to send RRSIG RRs that a
- security-aware resolver can use to authenticate the RRsets in the
- response. A name server SHOULD make every attempt to keep the RRset
- and its associated RRSIG(s) together in a response. Inclusion of
- RRSIG RRs in a response is subject to the following rules:
-
- o When placing a signed RRset in the Answer section, the name server
- MUST also place its RRSIG RRs in the Answer section. The RRSIG
- RRs have a higher priority for inclusion than any other RRsets
- that may have to be included. If space does not permit inclusion
- of these RRSIG RRs, the name server MUST set the TC bit.
-
- o When placing a signed RRset in the Authority section, the name
- server MUST also place its RRSIG RRs in the Authority section.
- The RRSIG RRs have a higher priority for inclusion than any other
- RRsets that may have to be included. If space does not permit
- inclusion of these RRSIG RRs, the name server MUST set the TC bit.
-
- o When placing a signed RRset in the Additional section, the name
- server MUST also place its RRSIG RRs in the Additional section.
- If space does not permit inclusion of both the RRset and its
- associated RRSIG RRs, the name server MAY retain the RRset while
- dropping the RRSIG RRs. If this happens, the name server MUST NOT
- set the TC bit solely because these RRSIG RRs didn't fit.
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 10]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-3.1.2. Including DNSKEY RRs in a Response
-
- When responding to a query that has the DO bit set and that requests
- the SOA or NS RRs at the apex of a signed zone, a security-aware
- authoritative name server for that zone MAY return the zone apex
- DNSKEY RRset in the Additional section. In this situation, the
- DNSKEY RRset and associated RRSIG RRs have lower priority than does
- any other information that would be placed in the additional section.
- The name server SHOULD NOT include the DNSKEY RRset unless there is
- enough space in the response message for both the DNSKEY RRset and
- its associated RRSIG RR(s). If there is not enough space to include
- these DNSKEY and RRSIG RRs, the name server MUST omit them and MUST
- NOT set the TC bit solely because these RRs didn't fit (see Section
- 3.1.1).
-
-3.1.3. Including NSEC RRs in a Response
-
- When responding to a query that has the DO bit set, a security-aware
- authoritative name server for a signed zone MUST include NSEC RRs in
- each of the following cases:
-
- No Data: The zone contains RRsets that exactly match <SNAME, SCLASS>
- but does not contain any RRsets that exactly match <SNAME, SCLASS,
- STYPE>.
-
- Name Error: The zone does not contain any RRsets that match <SNAME,
- SCLASS> either exactly or via wildcard name expansion.
-
- Wildcard Answer: The zone does not contain any RRsets that exactly
- match <SNAME, SCLASS> but does contain an RRset that matches
- <SNAME, SCLASS, STYPE> via wildcard name expansion.
-
- Wildcard No Data: The zone does not contain any RRsets that exactly
- match <SNAME, SCLASS> and does contain one or more RRsets that
- match <SNAME, SCLASS> via wildcard name expansion, but does not
- contain any RRsets that match <SNAME, SCLASS, STYPE> via wildcard
- name expansion.
-
- In each of these cases, the name server includes NSEC RRs in the
- response to prove that an exact match for <SNAME, SCLASS, STYPE> was
- not present in the zone and that the response that the name server is
- returning is correct given the data in the zone.
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 11]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-3.1.3.1. Including NSEC RRs: No Data Response
-
- If the zone contains RRsets matching <SNAME, SCLASS> but contains no
- RRset matching <SNAME, SCLASS, STYPE>, then the name server MUST
- include the NSEC RR for <SNAME, SCLASS> along with its associated
- RRSIG RR(s) in the Authority section of the response (see Section
- 3.1.1). If space does not permit inclusion of the NSEC RR or its
- associated RRSIG RR(s), the name server MUST set the TC bit (see
- Section 3.1.1).
-
- Since the search name exists, wildcard name expansion does not apply
- to this query, and a single signed NSEC RR suffices to prove that the
- requested RR type does not exist.
-
-3.1.3.2. Including NSEC RRs: Name Error Response
-
- If the zone does not contain any RRsets matching <SNAME, SCLASS>
- either exactly or via wildcard name expansion, then the name server
- MUST include the following NSEC RRs in the Authority section, along
- with their associated RRSIG RRs:
-
- o An NSEC RR proving that there is no exact match for <SNAME,
- SCLASS>.
-
- o An NSEC RR proving that the zone contains no RRsets that would
- match <SNAME, SCLASS> via wildcard name expansion.
-
- In some cases, a single NSEC RR may prove both of these points. If
- it does, the name server SHOULD only include the NSEC RR and its
- RRSIG RR(s) once in the Authority section.
-
- If space does not permit inclusion of these NSEC and RRSIG RRs, the
- name server MUST set the TC bit (see Section 3.1.1).
-
- The owner names of these NSEC and RRSIG RRs are not subject to
- wildcard name expansion when these RRs are included in the Authority
- section of the response.
-
- Note that this form of response includes cases in which SNAME
- corresponds to an empty non-terminal name within the zone (a name
- that is not the owner name for any RRset but that is the parent name
- of one or more RRsets).
-
-3.1.3.3. Including NSEC RRs: Wildcard Answer Response
-
- If the zone does not contain any RRsets that exactly match <SNAME,
- SCLASS> but does contain an RRset that matches <SNAME, SCLASS, STYPE>
- via wildcard name expansion, the name server MUST include the
-
-
-
-Arends, et al. Standards Track [Page 12]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- wildcard-expanded answer and the corresponding wildcard-expanded
- RRSIG RRs in the Answer section and MUST include in the Authority
- section an NSEC RR and associated RRSIG RR(s) proving that the zone
- does not contain a closer match for <SNAME, SCLASS>. If space does
- not permit inclusion of the answer, NSEC and RRSIG RRs, the name
- server MUST set the TC bit (see Section 3.1.1).
-
-3.1.3.4. Including NSEC RRs: Wildcard No Data Response
-
- This case is a combination of the previous cases. The zone does not
- contain an exact match for <SNAME, SCLASS>, and although the zone
- does contain RRsets that match <SNAME, SCLASS> via wildcard
- expansion, none of those RRsets matches STYPE. The name server MUST
- include the following NSEC RRs in the Authority section, along with
- their associated RRSIG RRs:
-
- o An NSEC RR proving that there are no RRsets matching STYPE at the
- wildcard owner name that matched <SNAME, SCLASS> via wildcard
- expansion.
-
- o An NSEC RR proving that there are no RRsets in the zone that would
- have been a closer match for <SNAME, SCLASS>.
-
- In some cases, a single NSEC RR may prove both of these points. If
- it does, the name server SHOULD only include the NSEC RR and its
- RRSIG RR(s) once in the Authority section.
-
- The owner names of these NSEC and RRSIG RRs are not subject to
- wildcard name expansion when these RRs are included in the Authority
- section of the response.
-
- If space does not permit inclusion of these NSEC and RRSIG RRs, the
- name server MUST set the TC bit (see Section 3.1.1).
-
-3.1.3.5. Finding the Right NSEC RRs
-
- As explained above, there are several situations in which a
- security-aware authoritative name server has to locate an NSEC RR
- that proves that no RRsets matching a particular SNAME exist.
- Locating such an NSEC RR within an authoritative zone is relatively
- simple, at least in concept. The following discussion assumes that
- the name server is authoritative for the zone that would have held
- the non-existent RRsets matching SNAME. The algorithm below is
- written for clarity, not for efficiency.
-
- To find the NSEC that proves that no RRsets matching name N exist in
- the zone Z that would have held them, construct a sequence, S,
- consisting of the owner names of every RRset in Z, sorted into
-
-
-
-Arends, et al. Standards Track [Page 13]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- canonical order ([RFC4034]), with no duplicate names. Find the name
- M that would have immediately preceded N in S if any RRsets with
- owner name N had existed. M is the owner name of the NSEC RR that
- proves that no RRsets exist with owner name N.
-
- The algorithm for finding the NSEC RR that proves that a given name
- is not covered by any applicable wildcard is similar but requires an
- extra step. More precisely, the algorithm for finding the NSEC
- proving that no RRsets exist with the applicable wildcard name is
- precisely the same as the algorithm for finding the NSEC RR that
- proves that RRsets with any other owner name do not exist. The part
- that's missing is a method of determining the name of the non-
- existent applicable wildcard. In practice, this is easy, because the
- authoritative name server has already checked for the presence of
- precisely this wildcard name as part of step (1)(c) of the normal
- lookup algorithm described in Section 4.3.2 of [RFC1034].
-
-3.1.4. Including DS RRs in a Response
-
- When responding to a query that has the DO bit set, a security-aware
- authoritative name server returning a referral includes DNSSEC data
- along with the NS RRset.
-
- If a DS RRset is present at the delegation point, the name server
- MUST return both the DS RRset and its associated RRSIG RR(s) in the
- Authority section along with the NS RRset.
-
- If no DS RRset is present at the delegation point, the name server
- MUST return both the NSEC RR that proves that the DS RRset is not
- present and the NSEC RR's associated RRSIG RR(s) along with the NS
- RRset. The name server MUST place the NS RRset before the NSEC RRset
- and its associated RRSIG RR(s).
-
- Including these DS, NSEC, and RRSIG RRs increases the size of
- referral messages and may cause some or all glue RRs to be omitted.
- If space does not permit inclusion of the DS or NSEC RRset and
- associated RRSIG RRs, the name server MUST set the TC bit (see
- Section 3.1.1).
-
-3.1.4.1. Responding to Queries for DS RRs
-
- The DS resource record type is unusual in that it appears only on the
- parent zone's side of a zone cut. For example, the DS RRset for the
- delegation of "foo.example" is stored in the "example" zone rather
- than in the "foo.example" zone. This requires special processing
- rules for both name servers and resolvers, as the name server for the
- child zone is authoritative for the name at the zone cut by the
- normal DNS rules but the child zone does not contain the DS RRset.
-
-
-
-Arends, et al. Standards Track [Page 14]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- A security-aware resolver sends queries to the parent zone when
- looking for a needed DS RR at a delegation point (see Section 4.2).
- However, special rules are necessary to avoid confusing
- security-oblivious resolvers which might become involved in
- processing such a query (for example, in a network configuration that
- forces a security-aware resolver to channel its queries through a
- security-oblivious recursive name server). The rest of this section
- describes how a security-aware name server processes DS queries in
- order to avoid this problem.
-
- The need for special processing by a security-aware name server only
- arises when all the following conditions are met:
-
- o The name server has received a query for the DS RRset at a zone
- cut.
-
- o The name server is authoritative for the child zone.
-
- o The name server is not authoritative for the parent zone.
-
- o The name server does not offer recursion.
-
- In all other cases, the name server either has some way of obtaining
- the DS RRset or could not have been expected to have the DS RRset
- even by the pre-DNSSEC processing rules, so the name server can
- return either the DS RRset or an error response according to the
- normal processing rules.
-
- If all the above conditions are met, however, the name server is
- authoritative for SNAME but cannot supply the requested RRset. In
- this case, the name server MUST return an authoritative "no data"
- response showing that the DS RRset does not exist in the child zone's
- apex. See Appendix B.8 for an example of such a response.
-
-3.1.5. Responding to Queries for Type AXFR or IXFR
-
- DNSSEC does not change the DNS zone transfer process. A signed zone
- will contain RRSIG, DNSKEY, NSEC, and DS resource records, but these
- records have no special meaning with respect to a zone transfer
- operation.
-
- An authoritative name server is not required to verify that a zone is
- properly signed before sending or accepting a zone transfer.
- However, an authoritative name server MAY choose to reject the entire
- zone transfer if the zone fails to meet any of the signing
- requirements described in Section 2. The primary objective of a zone
- transfer is to ensure that all authoritative name servers have
- identical copies of the zone. An authoritative name server that
-
-
-
-Arends, et al. Standards Track [Page 15]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- chooses to perform its own zone validation MUST NOT selectively
- reject some RRs and accept others.
-
- DS RRsets appear only on the parental side of a zone cut and are
- authoritative data in the parent zone. As with any other
- authoritative RRset, the DS RRset MUST be included in zone transfers
- of the zone in which the RRset is authoritative data. In the case of
- the DS RRset, this is the parent zone.
-
- NSEC RRs appear in both the parent and child zones at a zone cut and
- are authoritative data in both the parent and child zones. The
- parental and child NSEC RRs at a zone cut are never identical to each
- other, as the NSEC RR in the child zone's apex will always indicate
- the presence of the child zone's SOA RR whereas the parental NSEC RR
- at the zone cut will never indicate the presence of an SOA RR. As
- with any other authoritative RRs, NSEC RRs MUST be included in zone
- transfers of the zone in which they are authoritative data. The
- parental NSEC RR at a zone cut MUST be included in zone transfers of
- the parent zone, and the NSEC at the zone apex of the child zone MUST
- be included in zone transfers of the child zone.
-
- RRSIG RRs appear in both the parent and child zones at a zone cut and
- are authoritative in whichever zone contains the authoritative RRset
- for which the RRSIG RR provides the signature. That is, the RRSIG RR
- for a DS RRset or a parental NSEC RR at a zone cut will be
- authoritative in the parent zone, and the RRSIG for any RRset in the
- child zone's apex will be authoritative in the child zone. Parental
- and child RRSIG RRs at a zone cut will never be identical to each
- other, as the Signer's Name field of an RRSIG RR in the child zone's
- apex will indicate a DNSKEY RR in the child zone's apex whereas the
- same field of a parental RRSIG RR at the zone cut will indicate a
- DNSKEY RR in the parent zone's apex. As with any other authoritative
- RRs, RRSIG RRs MUST be included in zone transfers of the zone in
- which they are authoritative data.
-
-3.1.6. The AD and CD Bits in an Authoritative Response
-
- The CD and AD bits are designed for use in communication between
- security-aware resolvers and security-aware recursive name servers.
- These bits are for the most part not relevant to query processing by
- security-aware authoritative name servers.
-
- A security-aware name server does not perform signature validation
- for authoritative data during query processing, even when the CD bit
- is clear. A security-aware name server SHOULD clear the CD bit when
- composing an authoritative response.
-
-
-
-
-
-Arends, et al. Standards Track [Page 16]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- A security-aware name server MUST NOT set the AD bit in a response
- unless the name server considers all RRsets in the Answer and
- Authority sections of the response to be authentic. A security-aware
- name server's local policy MAY consider data from an authoritative
- zone to be authentic without further validation. However, the name
- server MUST NOT do so unless the name server obtained the
- authoritative zone via secure means (such as a secure zone transfer
- mechanism) and MUST NOT do so unless this behavior has been
- configured explicitly.
-
- A security-aware name server that supports recursion MUST follow the
- rules for the CD and AD bits given in Section 3.2 when generating a
- response that involves data obtained via recursion.
-
-3.2. Recursive Name Servers
-
- As explained in [RFC4033], a security-aware recursive name server is
- an entity that acts in both the security-aware name server and
- security-aware resolver roles. This section uses the terms "name
- server side" and "resolver side" to refer to the code within a
- security-aware recursive name server that implements the
- security-aware name server role and the code that implements the
- security-aware resolver role, respectively.
-
- The resolver side follows the usual rules for caching and negative
- caching that would apply to any security-aware resolver.
-
-3.2.1. The DO Bit
-
- The resolver side of a security-aware recursive name server MUST set
- the DO bit when sending requests, regardless of the state of the DO
- bit in the initiating request received by the name server side. If
- the DO bit in an initiating query is not set, the name server side
- MUST strip any authenticating DNSSEC RRs from the response but MUST
- NOT strip any DNSSEC RR types that the initiating query explicitly
- requested.
-
-3.2.2. The CD Bit
-
- The CD bit exists in order to allow a security-aware resolver to
- disable signature validation in a security-aware name server's
- processing of a particular query.
-
- The name server side MUST copy the setting of the CD bit from a query
- to the corresponding response.
-
- The name server side of a security-aware recursive name server MUST
- pass the state of the CD bit to the resolver side along with the rest
-
-
-
-Arends, et al. Standards Track [Page 17]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- of an initiating query, so that the resolver side will know whether
- it is required to verify the response data it returns to the name
- server side. If the CD bit is set, it indicates that the originating
- resolver is willing to perform whatever authentication its local
- policy requires. Thus, the resolver side of the recursive name
- server need not perform authentication on the RRsets in the response.
- When the CD bit is set, the recursive name server SHOULD, if
- possible, return the requested data to the originating resolver, even
- if the recursive name server's local authentication policy would
- reject the records in question. That is, by setting the CD bit, the
- originating resolver has indicated that it takes responsibility for
- performing its own authentication, and the recursive name server
- should not interfere.
-
- If the resolver side implements a BAD cache (see Section 4.7) and the
- name server side receives a query that matches an entry in the
- resolver side's BAD cache, the name server side's response depends on
- the state of the CD bit in the original query. If the CD bit is set,
- the name server side SHOULD return the data from the BAD cache; if
- the CD bit is not set, the name server side MUST return RCODE 2
- (server failure).
-
- The intent of the above rule is to provide the raw data to clients
- that are capable of performing their own signature verification
- checks while protecting clients that depend on the resolver side of a
- security-aware recursive name server to perform such checks. Several
- of the possible reasons why signature validation might fail involve
- conditions that may not apply equally to the recursive name server
- and the client that invoked it. For example, the recursive name
- server's clock may be set incorrectly, or the client may have
- knowledge of a relevant island of security that the recursive name
- server does not share. In such cases, "protecting" a client that is
- capable of performing its own signature validation from ever seeing
- the "bad" data does not help the client.
-
-3.2.3. The AD Bit
-
- The name server side of a security-aware recursive name server MUST
- NOT set the AD bit in a response unless the name server considers all
- RRsets in the Answer and Authority sections of the response to be
- authentic. The name server side SHOULD set the AD bit if and only if
- the resolver side considers all RRsets in the Answer section and any
- relevant negative response RRs in the Authority section to be
- authentic. The resolver side MUST follow the procedure described in
- Section 5 to determine whether the RRs in question are authentic.
- However, for backward compatibility, a recursive name server MAY set
- the AD bit when a response includes unsigned CNAME RRs if those CNAME
-
-
-
-
-Arends, et al. Standards Track [Page 18]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- RRs demonstrably could have been synthesized from an authentic DNAME
- RR that is also included in the response according to the synthesis
- rules described in [RFC2672].
-
-3.3. Example DNSSEC Responses
-
- See Appendix B for example response packets.
-
-4. Resolving
-
- This section describes the behavior of entities that include
- security-aware resolver functions. In many cases such functions will
- be part of a security-aware recursive name server, but a stand-alone
- security-aware resolver has many of the same requirements. Functions
- specific to security-aware recursive name servers are described in
- Section 3.2.
-
-4.1. EDNS Support
-
- A security-aware resolver MUST include an EDNS ([RFC2671]) OPT
- pseudo-RR with the DO ([RFC3225]) bit set when sending queries.
-
- A security-aware resolver MUST support a message size of at least
- 1220 octets, SHOULD support a message size of 4000 octets, and MUST
- use the "sender's UDP payload size" field in the EDNS OPT pseudo-RR
- to advertise the message size that it is willing to accept. A
- security-aware resolver's IP layer MUST handle fragmented UDP packets
- correctly regardless of whether any such fragmented packets were
- received via IPv4 or IPv6. Please see [RFC1122], [RFC2460], and
- [RFC3226] for discussion of these requirements.
-
-4.2. Signature Verification Support
-
- A security-aware resolver MUST support the signature verification
- mechanisms described in Section 5 and SHOULD apply them to every
- received response, except when:
-
- o the security-aware resolver is part of a security-aware recursive
- name server, and the response is the result of recursion on behalf
- of a query received with the CD bit set;
-
- o the response is the result of a query generated directly via some
- form of application interface that instructed the security-aware
- resolver not to perform validation for this query; or
-
- o validation for this query has been disabled by local policy.
-
-
-
-
-
-Arends, et al. Standards Track [Page 19]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- A security-aware resolver's support for signature verification MUST
- include support for verification of wildcard owner names.
-
- Security-aware resolvers MAY query for missing security RRs in an
- attempt to perform validation; implementations that choose to do so
- must be aware that the answers received may not be sufficient to
- validate the original response. For example, a zone update may have
- changed (or deleted) the desired information between the original and
- follow-up queries.
-
- When attempting to retrieve missing NSEC RRs that reside on the
- parental side at a zone cut, a security-aware iterative-mode resolver
- MUST query the name servers for the parent zone, not the child zone.
-
- When attempting to retrieve a missing DS, a security-aware
- iterative-mode resolver MUST query the name servers for the parent
- zone, not the child zone. As explained in Section 3.1.4.1,
- security-aware name servers need to apply special processing rules to
- handle the DS RR, and in some situations the resolver may also need
- to apply special rules to locate the name servers for the parent zone
- if the resolver does not already have the parent's NS RRset. To
- locate the parent NS RRset, the resolver can start with the
- delegation name, strip off the leftmost label, and query for an NS
- RRset by that name. If no NS RRset is present at that name, the
- resolver then strips off the leftmost remaining label and retries the
- query for that name, repeating this process of walking up the tree
- until it either finds the NS RRset or runs out of labels.
-
-4.3. Determining Security Status of Data
-
- A security-aware resolver MUST be able to determine whether it should
- expect a particular RRset to be signed. More precisely, a
- security-aware resolver must be able to distinguish between four
- cases:
-
- Secure: An RRset for which the resolver is able to build a chain of
- signed DNSKEY and DS RRs from a trusted security anchor to the
- RRset. In this case, the RRset should be signed and is subject to
- signature validation, as described above.
-
- Insecure: An RRset for which the resolver knows that it has no chain
- of signed DNSKEY and DS RRs from any trusted starting point to the
- RRset. This can occur when the target RRset lies in an unsigned
- zone or in a descendent of an unsigned zone. In this case, the
- RRset may or may not be signed, but the resolver will not be able
- to verify the signature.
-
-
-
-
-
-Arends, et al. Standards Track [Page 20]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- Bogus: An RRset for which the resolver believes that it ought to be
- able to establish a chain of trust but for which it is unable to
- do so, either due to signatures that for some reason fail to
- validate or due to missing data that the relevant DNSSEC RRs
- indicate should be present. This case may indicate an attack but
- may also indicate a configuration error or some form of data
- corruption.
-
- Indeterminate: An RRset for which the resolver is not able to
- determine whether the RRset should be signed, as the resolver is
- not able to obtain the necessary DNSSEC RRs. This can occur when
- the security-aware resolver is not able to contact security-aware
- name servers for the relevant zones.
-
-4.4. Configured Trust Anchors
-
- A security-aware resolver MUST be capable of being configured with at
- least one trusted public key or DS RR and SHOULD be capable of being
- configured with multiple trusted public keys or DS RRs. Since a
- security-aware resolver will not be able to validate signatures
- without such a configured trust anchor, the resolver SHOULD have some
- reasonably robust mechanism for obtaining such keys when it boots;
- examples of such a mechanism would be some form of non-volatile
- storage (such as a disk drive) or some form of trusted local network
- configuration mechanism.
-
- Note that trust anchors also cover key material that is updated in a
- secure manner. This secure manner could be through physical media, a
- key exchange protocol, or some other out-of-band means.
-
-4.5. Response Caching
-
- A security-aware resolver SHOULD cache each response as a single
- atomic entry containing the entire answer, including the named RRset
- and any associated DNSSEC RRs. The resolver SHOULD discard the
- entire atomic entry when any of the RRs contained in it expire. In
- most cases the appropriate cache index for the atomic entry will be
- the triple <QNAME, QTYPE, QCLASS>, but in cases such as the response
- form described in Section 3.1.3.2 the appropriate cache index will be
- the double <QNAME,QCLASS>.
-
- The reason for these recommendations is that, between the initial
- query and the expiration of the data from the cache, the
- authoritative data might have been changed (for example, via dynamic
- update).
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 21]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- There are two situations for which this is relevant:
-
- 1. By using the RRSIG record, it is possible to deduce that an
- answer was synthesized from a wildcard. A security-aware
- recursive name server could store this wildcard data and use it
- to generate positive responses to queries other than the name for
- which the original answer was first received.
-
- 2. NSEC RRs received to prove the non-existence of a name could be
- reused by a security-aware resolver to prove the non-existence of
- any name in the name range it spans.
-
- In theory, a resolver could use wildcards or NSEC RRs to generate
- positive and negative responses (respectively) until the TTL or
- signatures on the records in question expire. However, it seems
- prudent for resolvers to avoid blocking new authoritative data or
- synthesizing new data on their own. Resolvers that follow this
- recommendation will have a more consistent view of the namespace.
-
-4.6. Handling of the CD and AD Bits
-
- A security-aware resolver MAY set a query's CD bit in order to
- indicate that the resolver takes responsibility for performing
- whatever authentication its local policy requires on the RRsets in
- the response. See Section 3.2 for the effect this bit has on the
- behavior of security-aware recursive name servers.
-
- A security-aware resolver MUST clear the AD bit when composing query
- messages to protect against buggy name servers that blindly copy
- header bits that they do not understand from the query message to the
- response message.
-
- A resolver MUST disregard the meaning of the CD and AD bits in a
- response unless the response was obtained by using a secure channel
- or the resolver was specifically configured to regard the message
- header bits without using a secure channel.
-
-4.7. Caching BAD Data
-
- While many validation errors will be transient, some are likely to be
- more persistent, such as those caused by administrative error
- (failure to re-sign a zone, clock skew, and so forth). Since
- requerying will not help in these cases, validating resolvers might
- generate a significant amount of unnecessary DNS traffic as a result
- of repeated queries for RRsets with persistent validation failures.
-
- To prevent such unnecessary DNS traffic, security-aware resolvers MAY
- cache data with invalid signatures, with some restrictions.
-
-
-
-Arends, et al. Standards Track [Page 22]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- Conceptually, caching such data is similar to negative caching
- ([RFC2308]), except that instead of caching a valid negative
- response, the resolver is caching the fact that a particular answer
- failed to validate. This document refers to a cache of data with
- invalid signatures as a "BAD cache".
-
- Resolvers that implement a BAD cache MUST take steps to prevent the
- cache from being useful as a denial-of-service attack amplifier,
- particularly the following:
-
- o Since RRsets that fail to validate do not have trustworthy TTLs,
- the implementation MUST assign a TTL. This TTL SHOULD be small,
- in order to mitigate the effect of caching the results of an
- attack.
-
- o In order to prevent caching of a transient validation failure
- (which might be the result of an attack), resolvers SHOULD track
- queries that result in validation failures and SHOULD only answer
- from the BAD cache after the number of times that responses to
- queries for that particular <QNAME, QTYPE, QCLASS> have failed to
- validate exceeds a threshold value.
-
- Resolvers MUST NOT return RRsets from the BAD cache unless the
- resolver is not required to validate the signatures of the RRsets in
- question under the rules given in Section 4.2 of this document. See
- Section 3.2.2 for discussion of how the responses returned by a
- security-aware recursive name server interact with a BAD cache.
-
-4.8. Synthesized CNAMEs
-
- A validating security-aware resolver MUST treat the signature of a
- valid signed DNAME RR as also covering unsigned CNAME RRs that could
- have been synthesized from the DNAME RR, as described in [RFC2672],
- at least to the extent of not rejecting a response message solely
- because it contains such CNAME RRs. The resolver MAY retain such
- CNAME RRs in its cache or in the answers it hands back, but is not
- required to do so.
-
-4.9. Stub Resolvers
-
- A security-aware stub resolver MUST support the DNSSEC RR types, at
- least to the extent of not mishandling responses just because they
- contain DNSSEC RRs.
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 23]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-4.9.1. Handling of the DO Bit
-
- A non-validating security-aware stub resolver MAY include the DNSSEC
- RRs returned by a security-aware recursive name server as part of the
- data that the stub resolver hands back to the application that
- invoked it, but is not required to do so. A non-validating stub
- resolver that seeks to do this will need to set the DO bit in order
- to receive DNSSEC RRs from the recursive name server.
-
- A validating security-aware stub resolver MUST set the DO bit,
- because otherwise it will not receive the DNSSEC RRs it needs to
- perform signature validation.
-
-4.9.2. Handling of the CD Bit
-
- A non-validating security-aware stub resolver SHOULD NOT set the CD
- bit when sending queries unless it is requested by the application
- layer, as by definition, a non-validating stub resolver depends on
- the security-aware recursive name server to perform validation on its
- behalf.
-
- A validating security-aware stub resolver SHOULD set the CD bit,
- because otherwise the security-aware recursive name server will
- answer the query using the name server's local policy, which may
- prevent the stub resolver from receiving data that would be
- acceptable to the stub resolver's local policy.
-
-4.9.3. Handling of the AD Bit
-
- A non-validating security-aware stub resolver MAY chose to examine
- the setting of the AD bit in response messages that it receives in
- order to determine whether the security-aware recursive name server
- that sent the response claims to have cryptographically verified the
- data in the Answer and Authority sections of the response message.
- Note, however, that the responses received by a security-aware stub
- resolver are heavily dependent on the local policy of the
- security-aware recursive name server. Therefore, there may be little
- practical value in checking the status of the AD bit, except perhaps
- as a debugging aid. In any case, a security-aware stub resolver MUST
- NOT place any reliance on signature validation allegedly performed on
- its behalf, except when the security-aware stub resolver obtained the
- data in question from a trusted security-aware recursive name server
- via a secure channel.
-
- A validating security-aware stub resolver SHOULD NOT examine the
- setting of the AD bit in response messages, as, by definition, the
- stub resolver performs its own signature validation regardless of the
- setting of the AD bit.
-
-
-
-Arends, et al. Standards Track [Page 24]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-5. Authenticating DNS Responses
-
- To use DNSSEC RRs for authentication, a security-aware resolver
- requires configured knowledge of at least one authenticated DNSKEY or
- DS RR. The process for obtaining and authenticating this initial
- trust anchor is achieved via some external mechanism. For example, a
- resolver could use some off-line authenticated exchange to obtain a
- zone's DNSKEY RR or to obtain a DS RR that identifies and
- authenticates a zone's DNSKEY RR. The remainder of this section
- assumes that the resolver has somehow obtained an initial set of
- trust anchors.
-
- An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY
- RRset. To authenticate an apex DNSKEY RRset by using an initial key,
- the resolver MUST:
-
- 1. verify that the initial DNSKEY RR appears in the apex DNSKEY
- RRset, and that the DNSKEY RR has the Zone Key Flag (DNSKEY RDATA
- bit 7) set; and
-
- 2. verify that there is some RRSIG RR that covers the apex DNSKEY
- RRset, and that the combination of the RRSIG RR and the initial
- DNSKEY RR authenticates the DNSKEY RRset. The process for using
- an RRSIG RR to authenticate an RRset is described in Section 5.3.
-
- Once the resolver has authenticated the apex DNSKEY RRset by using an
- initial DNSKEY RR, delegations from that zone can be authenticated by
- using DS RRs. This allows a resolver to start from an initial key
- and use DS RRsets to proceed recursively down the DNS tree, obtaining
- other apex DNSKEY RRsets. If the resolver were configured with a
- root DNSKEY RR, and if every delegation had a DS RR associated with
- it, then the resolver could obtain and validate any apex DNSKEY
- RRset. The process of using DS RRs to authenticate referrals is
- described in Section 5.2.
-
- Section 5.3 shows how the resolver can use DNSKEY RRs in the apex
- DNSKEY RRset and RRSIG RRs from the zone to authenticate any other
- RRsets in the zone once the resolver has authenticated a zone's apex
- DNSKEY RRset. Section 5.4 shows how the resolver can use
- authenticated NSEC RRsets from the zone to prove that an RRset is not
- present in the zone.
-
- When a resolver indicates support for DNSSEC (by setting the DO bit),
- a security-aware name server should attempt to provide the necessary
- DNSKEY, RRSIG, NSEC, and DS RRsets in a response (see Section 3).
- However, a security-aware resolver may still receive a response that
- lacks the appropriate DNSSEC RRs, whether due to configuration issues
- such as an upstream security-oblivious recursive name server that
-
-
-
-Arends, et al. Standards Track [Page 25]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- accidentally interferes with DNSSEC RRs or due to a deliberate attack
- in which an adversary forges a response, strips DNSSEC RRs from a
- response, or modifies a query so that DNSSEC RRs appear not to be
- requested. The absence of DNSSEC data in a response MUST NOT by
- itself be taken as an indication that no authentication information
- exists.
-
- A resolver SHOULD expect authentication information from signed
- zones. A resolver SHOULD believe that a zone is signed if the
- resolver has been configured with public key information for the
- zone, or if the zone's parent is signed and the delegation from the
- parent contains a DS RRset.
-
-5.1. Special Considerations for Islands of Security
-
- Islands of security (see [RFC4033]) are signed zones for which it is
- not possible to construct an authentication chain to the zone from
- its parent. Validating signatures within an island of security
- requires that the validator have some other means of obtaining an
- initial authenticated zone key for the island. If a validator cannot
- obtain such a key, it SHOULD switch to operating as if the zones in
- the island of security are unsigned.
-
- All the normal processes for validating responses apply to islands of
- security. The only difference between normal validation and
- validation within an island of security is in how the validator
- obtains a trust anchor for the authentication chain.
-
-5.2. Authenticating Referrals
-
- Once the apex DNSKEY RRset for a signed parent zone has been
- authenticated, DS RRsets can be used to authenticate the delegation
- to a signed child zone. A DS RR identifies a DNSKEY RR in the child
- zone's apex DNSKEY RRset and contains a cryptographic digest of the
- child zone's DNSKEY RR. Use of a strong cryptographic digest
- algorithm ensures that it is computationally infeasible for an
- adversary to generate a DNSKEY RR that matches the digest. Thus,
- authenticating the digest allows a resolver to authenticate the
- matching DNSKEY RR. The resolver can then use this child DNSKEY RR
- to authenticate the entire child apex DNSKEY RRset.
-
- Given a DS RR for a delegation, the child zone's apex DNSKEY RRset
- can be authenticated if all of the following hold:
-
- o The DS RR has been authenticated using some DNSKEY RR in the
- parent's apex DNSKEY RRset (see Section 5.3).
-
-
-
-
-
-Arends, et al. Standards Track [Page 26]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- o The Algorithm and Key Tag in the DS RR match the Algorithm field
- and the key tag of a DNSKEY RR in the child zone's apex DNSKEY
- RRset, and, when the DNSKEY RR's owner name and RDATA are hashed
- using the digest algorithm specified in the DS RR's Digest Type
- field, the resulting digest value matches the Digest field of the
- DS RR.
-
- o The matching DNSKEY RR in the child zone has the Zone Flag bit
- set, the corresponding private key has signed the child zone's
- apex DNSKEY RRset, and the resulting RRSIG RR authenticates the
- child zone's apex DNSKEY RRset.
-
- If the referral from the parent zone did not contain a DS RRset, the
- response should have included a signed NSEC RRset proving that no DS
- RRset exists for the delegated name (see Section 3.1.4). A
- security-aware resolver MUST query the name servers for the parent
- zone for the DS RRset if the referral includes neither a DS RRset nor
- a NSEC RRset proving that the DS RRset does not exist (see Section
- 4).
-
- If the validator authenticates an NSEC RRset that proves that no DS
- RRset is present for this zone, then there is no authentication path
- leading from the parent to the child. If the resolver has an initial
- DNSKEY or DS RR that belongs to the child zone or to any delegation
- below the child zone, this initial DNSKEY or DS RR MAY be used to
- re-establish an authentication path. If no such initial DNSKEY or DS
- RR exists, the validator cannot authenticate RRsets in or below the
- child zone.
-
- If the validator does not support any of the algorithms listed in an
- authenticated DS RRset, then the resolver has no supported
- authentication path leading from the parent to the child. The
- resolver should treat this case as it would the case of an
- authenticated NSEC RRset proving that no DS RRset exists, as
- described above.
-
- Note that, for a signed delegation, there are two NSEC RRs associated
- with the delegated name. One NSEC RR resides in the parent zone and
- can be used to prove whether a DS RRset exists for the delegated
- name. The second NSEC RR resides in the child zone and identifies
- which RRsets are present at the apex of the child zone. The parent
- NSEC RR and child NSEC RR can always be distinguished because the SOA
- bit will be set in the child NSEC RR and clear in the parent NSEC RR.
- A security-aware resolver MUST use the parent NSEC RR when attempting
- to prove that a DS RRset does not exist.
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 27]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- If the resolver does not support any of the algorithms listed in an
- authenticated DS RRset, then the resolver will not be able to verify
- the authentication path to the child zone. In this case, the
- resolver SHOULD treat the child zone as if it were unsigned.
-
-5.3. Authenticating an RRset with an RRSIG RR
-
- A validator can use an RRSIG RR and its corresponding DNSKEY RR to
- attempt to authenticate RRsets. The validator first checks the RRSIG
- RR to verify that it covers the RRset, has a valid time interval, and
- identifies a valid DNSKEY RR. The validator then constructs the
- canonical form of the signed data by appending the RRSIG RDATA
- (excluding the Signature Field) with the canonical form of the
- covered RRset. Finally, the validator uses the public key and
- signature to authenticate the signed data. Sections 5.3.1, 5.3.2,
- and 5.3.3 describe each step in detail.
-
-5.3.1. Checking the RRSIG RR Validity
-
- A security-aware resolver can use an RRSIG RR to authenticate an
- RRset if all of the following conditions hold:
-
- o The RRSIG RR and the RRset MUST have the same owner name and the
- same class.
-
- o The RRSIG RR's Signer's Name field MUST be the name of the zone
- that contains the RRset.
-
- o The RRSIG RR's Type Covered field MUST equal the RRset's type.
-
- o The number of labels in the RRset owner name MUST be greater than
- or equal to the value in the RRSIG RR's Labels field.
-
- o The validator's notion of the current time MUST be less than or
- equal to the time listed in the RRSIG RR's Expiration field.
-
- o The validator's notion of the current time MUST be greater than or
- equal to the time listed in the RRSIG RR's Inception field.
-
- o The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST
- match the owner name, algorithm, and key tag for some DNSKEY RR in
- the zone's apex DNSKEY RRset.
-
- o The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
- RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
- set.
-
-
-
-
-
-Arends, et al. Standards Track [Page 28]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- It is possible for more than one DNSKEY RR to match the conditions
- above. In this case, the validator cannot predetermine which DNSKEY
- RR to use to authenticate the signature, and it MUST try each
- matching DNSKEY RR until either the signature is validated or the
- validator has run out of matching public keys to try.
-
- Note that this authentication process is only meaningful if the
- validator authenticates the DNSKEY RR before using it to validate
- signatures. The matching DNSKEY RR is considered to be authentic if:
-
- o the apex DNSKEY RRset containing the DNSKEY RR is considered
- authentic; or
-
- o the RRset covered by the RRSIG RR is the apex DNSKEY RRset itself,
- and the DNSKEY RR either matches an authenticated DS RR from the
- parent zone or matches a trust anchor.
-
-5.3.2. Reconstructing the Signed Data
-
- Once the RRSIG RR has met the validity requirements described in
- Section 5.3.1, the validator has to reconstruct the original signed
- data. The original signed data includes RRSIG RDATA (excluding the
- Signature field) and the canonical form of the RRset. Aside from
- being ordered, the canonical form of the RRset might also differ from
- the received RRset due to DNS name compression, decremented TTLs, or
- wildcard expansion. The validator should use the following to
- reconstruct the original signed data:
-
- signed_data = RRSIG_RDATA | RR(1) | RR(2)... where
-
- "|" denotes concatenation
-
- RRSIG_RDATA is the wire format of the RRSIG RDATA fields
- with the Signature field excluded and the Signer's Name
- in canonical form.
-
- RR(i) = name | type | class | OrigTTL | RDATA length | RDATA
-
- name is calculated according to the function below
-
- class is the RRset's class
-
- type is the RRset type and all RRs in the class
-
- OrigTTL is the value from the RRSIG Original TTL field
-
- All names in the RDATA field are in canonical form
-
-
-
-
-Arends, et al. Standards Track [Page 29]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- The set of all RR(i) is sorted into canonical order.
-
- To calculate the name:
- let rrsig_labels = the value of the RRSIG Labels field
-
- let fqdn = RRset's fully qualified domain name in
- canonical form
-
- let fqdn_labels = Label count of the fqdn above.
-
- if rrsig_labels = fqdn_labels,
- name = fqdn
-
- if rrsig_labels < fqdn_labels,
- name = "*." | the rightmost rrsig_label labels of the
- fqdn
-
- if rrsig_labels > fqdn_labels
- the RRSIG RR did not pass the necessary validation
- checks and MUST NOT be used to authenticate this
- RRset.
-
- The canonical forms for names and RRsets are defined in [RFC4034].
-
- NSEC RRsets at a delegation boundary require special processing.
- There are two distinct NSEC RRsets associated with a signed delegated
- name. One NSEC RRset resides in the parent zone, and specifies which
- RRsets are present at the parent zone. The second NSEC RRset resides
- at the child zone and identifies which RRsets are present at the apex
- in the child zone. The parent NSEC RRset and child NSEC RRset can
- always be distinguished as only a child NSEC RR will indicate that an
- SOA RRset exists at the name. When reconstructing the original NSEC
- RRset for the delegation from the parent zone, the NSEC RRs MUST NOT
- be combined with NSEC RRs from the child zone. When reconstructing
- the original NSEC RRset for the apex of the child zone, the NSEC RRs
- MUST NOT be combined with NSEC RRs from the parent zone.
-
- Note that each of the two NSEC RRsets at a delegation point has a
- corresponding RRSIG RR with an owner name matching the delegated
- name, and each of these RRSIG RRs is authoritative data associated
- with the same zone that contains the corresponding NSEC RRset. If
- necessary, a resolver can tell these RRSIG RRs apart by checking the
- Signer's Name field.
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 30]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-5.3.3. Checking the Signature
-
- Once the resolver has validated the RRSIG RR as described in Section
- 5.3.1 and reconstructed the original signed data as described in
- Section 5.3.2, the validator can attempt to use the cryptographic
- signature to authenticate the signed data, and thus (finally!)
- authenticate the RRset.
-
- The Algorithm field in the RRSIG RR identifies the cryptographic
- algorithm used to generate the signature. The signature itself is
- contained in the Signature field of the RRSIG RDATA, and the public
- key used to verify the signature is contained in the Public Key field
- of the matching DNSKEY RR(s) (found in Section 5.3.1). [RFC4034]
- provides a list of algorithm types and provides pointers to the
- documents that define each algorithm's use.
-
- Note that it is possible for more than one DNSKEY RR to match the
- conditions in Section 5.3.1. In this case, the validator can only
- determine which DNSKEY RR is correct by trying each matching public
- key until the validator either succeeds in validating the signature
- or runs out of keys to try.
-
- If the Labels field of the RRSIG RR is not equal to the number of
- labels in the RRset's fully qualified owner name, then the RRset is
- either invalid or the result of wildcard expansion. The resolver
- MUST verify that wildcard expansion was applied properly before
- considering the RRset to be authentic. Section 5.3.4 describes how
- to determine whether a wildcard was applied properly.
-
- If other RRSIG RRs also cover this RRset, the local resolver security
- policy determines whether the resolver also has to test these RRSIG
- RRs and how to resolve conflicts if these RRSIG RRs lead to differing
- results.
-
- If the resolver accepts the RRset as authentic, the validator MUST
- set the TTL of the RRSIG RR and each RR in the authenticated RRset to
- a value no greater than the minimum of:
-
- o the RRset's TTL as received in the response;
-
- o the RRSIG RR's TTL as received in the response;
-
- o the value in the RRSIG RR's Original TTL field; and
-
- o the difference of the RRSIG RR's Signature Expiration time and the
- current time.
-
-
-
-
-
-Arends, et al. Standards Track [Page 31]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-5.3.4. Authenticating a Wildcard Expanded RRset Positive Response
-
- If the number of labels in an RRset's owner name is greater than the
- Labels field of the covering RRSIG RR, then the RRset and its
- covering RRSIG RR were created as a result of wildcard expansion.
- Once the validator has verified the signature, as described in
- Section 5.3, it must take additional steps to verify the non-
- existence of an exact match or closer wildcard match for the query.
- Section 5.4 discusses these steps.
-
- Note that the response received by the resolver should include all
- NSEC RRs needed to authenticate the response (see Section 3.1.3).
-
-5.4. Authenticated Denial of Existence
-
- A resolver can use authenticated NSEC RRs to prove that an RRset is
- not present in a signed zone. Security-aware name servers should
- automatically include any necessary NSEC RRs for signed zones in
- their responses to security-aware resolvers.
-
- Denial of existence is determined by the following rules:
-
- o If the requested RR name matches the owner name of an
- authenticated NSEC RR, then the NSEC RR's type bit map field lists
- all RR types present at that owner name, and a resolver can prove
- that the requested RR type does not exist by checking for the RR
- type in the bit map. If the number of labels in an authenticated
- NSEC RR's owner name equals the Labels field of the covering RRSIG
- RR, then the existence of the NSEC RR proves that wildcard
- expansion could not have been used to match the request.
-
- o If the requested RR name would appear after an authenticated NSEC
- RR's owner name and before the name listed in that NSEC RR's Next
- Domain Name field according to the canonical DNS name order
- defined in [RFC4034], then no RRsets with the requested name exist
- in the zone. However, it is possible that a wildcard could be
- used to match the requested RR owner name and type, so proving
- that the requested RRset does not exist also requires proving that
- no possible wildcard RRset exists that could have been used to
- generate a positive response.
-
- In addition, security-aware resolvers MUST authenticate the NSEC
- RRsets that comprise the non-existence proof as described in Section
- 5.3.
-
- To prove the non-existence of an RRset, the resolver must be able to
- verify both that the queried RRset does not exist and that no
- relevant wildcard RRset exists. Proving this may require more than
-
-
-
-Arends, et al. Standards Track [Page 32]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- one NSEC RRset from the zone. If the complete set of necessary NSEC
- RRsets is not present in a response (perhaps due to message
- truncation), then a security-aware resolver MUST resend the query in
- order to attempt to obtain the full collection of NSEC RRs necessary
- to verify the non-existence of the requested RRset. As with all DNS
- operations, however, the resolver MUST bound the work it puts into
- answering any particular query.
-
- Since a validated NSEC RR proves the existence of both itself and its
- corresponding RRSIG RR, a validator MUST ignore the settings of the
- NSEC and RRSIG bits in an NSEC RR.
-
-5.5. Resolver Behavior When Signatures Do Not Validate
-
- If for whatever reason none of the RRSIGs can be validated, the
- response SHOULD be considered BAD. If the validation was being done
- to service a recursive query, the name server MUST return RCODE 2 to
- the originating client. However, it MUST return the full response if
- and only if the original query had the CD bit set. Also see Section
- 4.7 on caching responses that do not validate.
-
-5.6. Authentication Example
-
- Appendix C shows an example of the authentication process.
-
-6. IANA Considerations
-
- [RFC4034] contains a review of the IANA considerations introduced by
- DNSSEC. The following are additional IANA considerations discussed
- in this document:
-
- [RFC2535] reserved the CD and AD bits in the message header. The
- meaning of the AD bit was redefined in [RFC3655], and the meaning of
- both the CD and AD bit are restated in this document. No new bits in
- the DNS message header are defined in this document.
-
- [RFC2671] introduced EDNS, and [RFC3225] reserved the DNSSEC OK bit
- and defined its use. The use is restated but not altered in this
- document.
-
-7. Security Considerations
-
- This document describes how the DNS security extensions use public
- key cryptography to sign and authenticate DNS resource record sets.
- Please see [RFC4033] for terminology and general security
- considerations related to DNSSEC; see [RFC4034] for considerations
- specific to the DNSSEC resource record types.
-
-
-
-
-Arends, et al. Standards Track [Page 33]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- An active attacker who can set the CD bit in a DNS query message or
- the AD bit in a DNS response message can use these bits to defeat the
- protection that DNSSEC attempts to provide to security-oblivious
- recursive-mode resolvers. For this reason, use of these control bits
- by a security-aware recursive-mode resolver requires a secure
- channel. See Sections 3.2.2 and 4.9 for further discussion.
-
- The protocol described in this document attempts to extend the
- benefits of DNSSEC to security-oblivious stub resolvers. However, as
- recovery from validation failures is likely to be specific to
- particular applications, the facilities that DNSSEC provides for stub
- resolvers may prove inadequate. Operators of security-aware
- recursive name servers will have to pay close attention to the
- behavior of the applications that use their services when choosing a
- local validation policy; failure to do so could easily result in the
- recursive name server accidentally denying service to the clients it
- is intended to support.
-
-8. Acknowledgements
-
- This document was created from the input and ideas of the members of
- the DNS Extensions Working Group and working group mailing list. The
- editors would like to express their thanks for the comments and
- suggestions received during the revision of these security extension
- specifications. Although explicitly listing everyone who has
- contributed during the decade in which DNSSEC has been under
- development would be impossible, [RFC4033] includes a list of some of
- the participants who were kind enough to comment on these documents.
-
-9. References
-
-9.1. Normative References
-
- [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
- STD 13, RFC 1034, November 1987.
-
- [RFC1035] Mockapetris, P., "Domain names - implementation and
- specification", STD 13, RFC 1035, November 1987.
-
- [RFC1122] Braden, R., "Requirements for Internet Hosts -
- Communication Layers", STD 3, RFC 1122, October 1989.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
- Specification", RFC 2181, July 1997.
-
-
-
-
-Arends, et al. Standards Track [Page 34]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
- (IPv6) Specification", RFC 2460, December 1998.
-
- [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
- 2671, August 1999.
-
- [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
- 2672, August 1999.
-
- [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
- 3225, December 2001.
-
- [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
- message size requirements", RFC 3226, December 2001.
-
- [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "DNS Security Introduction and Requirements", RFC
- 4033, March 2005.
-
- [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
- Rose, "Resource Records for DNS Security Extensions", RFC
- 4034, March 2005.
-
-9.2. Informative References
-
- [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
- NCACHE)", RFC 2308, March 1998.
-
- [RFC2535] Eastlake 3rd, D., "Domain Name System Security
- Extensions", RFC 2535, March 1999.
-
- [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
- Update", RFC 3007, November 2000.
-
- [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
- Authenticated Data (AD) bit", RFC 3655, November 2003.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 35]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-Appendix A. Signed Zone Example
-
- The following example shows a (small) complete signed zone.
-
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- 3600 NS ns1.example.
- 3600 NS ns2.example.
- 3600 RRSIG NS 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
- EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
- 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
- RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
- 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
- 3600 MX 1 xx.example.
- 3600 RRSIG MX 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- HyDHYVT5KHSZ7HtO/vypumPmSZQrcOP3tzWB
- 2qaKkHVPfau/DgLgS/IKENkYOGL95G4N+NzE
- VyNU8dcTOckT+ChPcGeVjguQ7a3Ao9Z/ZkUO
- 6gmmUW4b89rz1PUxW4jzUxj66PTwoVtUU/iM
- W6OISukd1EQt7a0kygkg+PEDxdI= )
- 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
- 3600 RRSIG NSEC 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
- FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
- Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
- SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
- jfFJ5arXf4nPxp/kEowGgBRzY/U= )
- 3600 DNSKEY 256 3 5 (
- AQOy1bZVvpPqhg4j7EJoM9rI3ZmyEx2OzDBV
- rZy/lvI5CQePxXHZS4i8dANH4DX3tbHol61e
- k8EFMcsGXxKciJFHyhl94C+NwILQdzsUlSFo
- vBZsyl/NX6yEbtw/xN9ZNcrbYvgjjZ/UVPZI
-
-
-
-Arends, et al. Standards Track [Page 36]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- ySFNsgEYvh0z2542lzMKR4Dh8uZffQ==
- )
- 3600 DNSKEY 257 3 5 (
- AQOeX7+baTmvpVHb2CcLnL1dMRWbuscRvHXl
- LnXwDzvqp4tZVKp1sZMepFb8MvxhhW3y/0QZ
- syCjczGJ1qk8vJe52iOhInKROVLRwxGpMfzP
- RLMlGybr51bOV/1se0ODacj3DomyB4QB5gKT
- Yot/K9alk5/j8vfd4jWCWD+E1Sze0Q==
- )
- 3600 RRSIG DNSKEY 5 1 3600 20040509183619 (
- 20040409183619 9465 example.
- ZxgauAuIj+k1YoVEOSlZfx41fcmKzTFHoweZ
- xYnz99JVQZJ33wFS0Q0jcP7VXKkaElXk9nYJ
- XevO/7nAbo88iWsMkSpSR6jWzYYKwfrBI/L9
- hjYmyVO9m6FjQ7uwM4dCP/bIuV/DKqOAK9NY
- NC3AHfvCV1Tp4VKDqxqG7R5tTVM= )
- 3600 RRSIG DNSKEY 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- eGL0s90glUqcOmloo/2y+bSzyEfKVOQViD9Z
- DNhLz/Yn9CQZlDVRJffACQDAUhXpU/oP34ri
- bKBpysRXosczFrKqS5Oa0bzMOfXCXup9qHAp
- eFIku28Vqfr8Nt7cigZLxjK+u0Ws/4lIRjKk
- 7z5OXogYVaFzHKillDt3HRxHIZM= )
- a.example. 3600 IN NS ns1.a.example.
- 3600 IN NS ns2.a.example.
- 3600 DS 57855 5 1 (
- B6DCD485719ADCA18E5F3D48A2331627FDD3
- 636B )
- 3600 RRSIG DS 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
- oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
- kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
- EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
- Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
- 3600 NSEC ai.example. NS DS RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- cOlYgqJLqlRqmBQ3iap2SyIsK4O5aqpKSoba
- U9fQ5SMApZmHfq3AgLflkrkXRXvgxTQSKkG2
- 039/cRUs6Jk/25+fi7Xr5nOVJsb0lq4zsB3I
- BBdjyGDAHE0F5ROJj87996vJupdm1fbH481g
- sdkOW6Zyqtz3Zos8N0BBkEx+2G4= )
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
- ai.example. 3600 IN A 192.0.2.9
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
-
-
-
-Arends, et al. Standards Track [Page 37]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
- ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
- hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
- ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
- 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
- 3600 HINFO "KLH-10" "ITS"
- 3600 RRSIG HINFO 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- Iq/RGCbBdKzcYzlGE4ovbr5YcB+ezxbZ9W0l
- e/7WqyvhOO9J16HxhhL7VY/IKmTUY0GGdcfh
- ZEOCkf4lEykZF9NPok1/R/fWrtzNp8jobuY7
- AZEcZadp1WdDF3jc2/ndCa5XZhLKD3JzOsBw
- FvL8sqlS5QS6FY/ijFEDnI4RkZA= )
- 3600 AAAA 2001:db8::f00:baa9
- 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
- kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
- 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
- cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
- sZM6QjBBLmukH30+w1z3h8PUP2o= )
- 3600 NSEC b.example. A HINFO AAAA RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- QoshyPevLcJ/xcRpEtMft1uoIrcrieVcc9pG
- CScIn5Glnib40T6ayVOimXwdSTZ/8ISXGj4p
- P8Sh0PlA6olZQ84L453/BUqB8BpdOGky4hsN
- 3AGcLEv1Gr0QMvirQaFcjzOECfnGyBm+wpFL
- AhS+JOVfDI/79QtyTI0SaDWcg8U= )
- b.example. 3600 IN NS ns1.b.example.
- 3600 IN NS ns2.b.example.
- 3600 NSEC ns1.example. NS RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
- 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
- xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
- 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
- vhRXgWT7OuFXldoCG6TfVFMs9xE= )
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
- ns1.example. 3600 IN A 192.0.2.1
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
- 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
- im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
- +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
-
-
-
-Arends, et al. Standards Track [Page 38]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- v/iVXSYC0b7mPSU+EOlknFpVECs= )
- 3600 NSEC ns2.example. A RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
- 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
- jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
- ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
- IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
- ns2.example. 3600 IN A 192.0.2.2
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
- Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
- yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
- 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
- rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
- 3600 NSEC *.w.example. A RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- N0QzHvaJf5NRw1rE9uxS1Ltb2LZ73Qb9bKGE
- VyaISkqzGpP3jYJXZJPVTq4UVEsgT3CgeHvb
- 3QbeJ5Dfb2V9NGCHj/OvF/LBxFFWwhLwzngH
- l+bQAgAcMsLu/nL3nDi1y/JSQjAcdZNDl4bw
- Ymx28EtgIpo9A0qmP08rMBqs1Jw= )
- *.w.example. 3600 IN MX 1 ai.example.
- 3600 RRSIG MX 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
- f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
- tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
- TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
- 4kX18MMR34i8lC36SR5xBni8vHI= )
- 3600 NSEC x.w.example. MX RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
- HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
- 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
- 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
- s1InQ2UoIv6tJEaaKkP701j8OLA= )
- x.w.example. 3600 IN MX 1 xx.example.
- 3600 RRSIG MX 5 3 3600 20040509183619 (
- 20040409183619 38519 example.
- Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
- XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
- H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
- kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
-
-
-
-Arends, et al. Standards Track [Page 39]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
- 3600 NSEC x.y.w.example. MX RRSIG NSEC
- 3600 RRSIG NSEC 5 3 3600 20040509183619 (
- 20040409183619 38519 example.
- aRbpHftxggzgMXdDlym9SsADqMZovZZl2QWK
- vw8J0tZEUNQByH5Qfnf5N1FqH/pS46UA7A4E
- mcWBN9PUA1pdPY6RVeaRlZlCr1IkVctvbtaI
- NJuBba/VHm+pebTbKcAPIvL9tBOoh+to1h6e
- IjgiM8PXkBQtxPq37wDKALkyn7Q= )
- x.y.w.example. 3600 IN MX 1 xx.example.
- 3600 RRSIG MX 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- k2bJHbwP5LH5qN4is39UiPzjAWYmJA38Hhia
- t7i9t7nbX/e0FPnvDSQXzcK7UL+zrVA+3MDj
- q1ub4q3SZgcbLMgexxIW3Va//LVrxkP6Xupq
- GtOB9prkK54QTl/qZTXfMQpW480YOvVknhvb
- +gLcMZBnHJ326nb/TOOmrqNmQQE= )
- 3600 NSEC xx.example. MX RRSIG NSEC
- 3600 RRSIG NSEC 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
- ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
- xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
- a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
- QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
- xx.example. 3600 IN A 192.0.2.10
- 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
- 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
- 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
- VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
- kbIDV6GPPSZVusnZU6OMgdgzHV4= )
- 3600 HINFO "KLH-10" "TOPS-20"
- 3600 RRSIG HINFO 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GY2PLSXmMHkWHfLdggiox8+chWpeMNJLkML0
- t+U/SXSUsoUdR91KNdNUkTDWamwcF8oFRjhq
- BcPZ6EqrF+vl5v5oGuvSF7U52epfVTC+wWF8
- 3yCUeUw8YklhLWlvk8gQ15YKth0ITQy8/wI+
- RgNvuwbioFSEuv2pNlkq0goYxNY= )
- 3600 AAAA 2001:db8::f00:baaa
- 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
- aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
- ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
- U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
-
-
-
-Arends, et al. Standards Track [Page 40]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- xS9cL2QgW7FChw16mzlkH6/vsfs= )
- 3600 NSEC example. A HINFO AAAA RRSIG NSEC
- 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- ZFWUln6Avc8bmGl5GFjD3BwT530DUZKHNuoY
- 9A8lgXYyrxu+pqgFiRVbyZRQvVB5pccEOT3k
- mvHgEa/HzbDB4PIYY79W+VHrgOxzdQGGCZzi
- asXrpSGOWwSOElghPnMIi8xdF7qtCntr382W
- GghLahumFIpg4MO3LS/prgzVVWo= )
-
- The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA
- Flags indicate that each of these DNSKEY RRs is a zone key. One of
- these DNSKEY RRs also has the SEP flag set and has been used to sign
- the apex DNSKEY RRset; this is the key that should be hashed to
- generate a DS record to be inserted into the parent zone. The other
- DNSKEY is used to sign all the other RRsets in the zone.
-
- The zone includes a wildcard entry, "*.w.example". Note that the
- name "*.w.example" is used in constructing NSEC chains, and that the
- RRSIG covering the "*.w.example" MX RRset has a label count of 2.
-
- The zone also includes two delegations. The delegation to
- "b.example" includes an NS RRset, glue address records, and an NSEC
- RR; note that only the NSEC RRset is signed. The delegation to
- "a.example" provides a DS RR; note that only the NSEC and DS RRsets
- are signed.
-
-Appendix B. Example Responses
-
- The examples in this section show response messages using the signed
- zone example in Appendix A.
-
-B.1. Answer
-
- A successful query to an authoritative server.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- x.w.example. IN MX
-
- ;; Answer
- x.w.example. 3600 IN MX 1 xx.example.
- x.w.example. 3600 RRSIG MX 5 3 3600 20040509183619 (
- 20040409183619 38519 example.
- Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
- XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
- H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
-
-
-
-Arends, et al. Standards Track [Page 41]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
- jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
-
- ;; Authority
- example. 3600 NS ns1.example.
- example. 3600 NS ns2.example.
- example. 3600 RRSIG NS 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
- EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
- 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
- RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
- 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
-
- ;; Additional
- xx.example. 3600 IN A 192.0.2.10
- xx.example. 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
- 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
- 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
- VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
- kbIDV6GPPSZVusnZU6OMgdgzHV4= )
- xx.example. 3600 AAAA 2001:db8::f00:baaa
- xx.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
- aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
- ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
- U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
- xS9cL2QgW7FChw16mzlkH6/vsfs= )
- ns1.example. 3600 IN A 192.0.2.1
- ns1.example. 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
- 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
- im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
- +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
- v/iVXSYC0b7mPSU+EOlknFpVECs= )
- ns2.example. 3600 IN A 192.0.2.2
- ns2.example. 3600 RRSIG A 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
- Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
- yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
- 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
- rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
-
-
-
-
-Arends, et al. Standards Track [Page 42]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-B.2. Name Error
-
- An authoritative name error. The NSEC RRs prove that the name does
- not exist and that no covering wildcard exists.
-
- ;; Header: QR AA DO RCODE=3
- ;;
- ;; Question
- ml.example. IN A
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- b.example. 3600 NSEC ns1.example. NS RRSIG NSEC
- b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
- 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
- xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
- 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
- vhRXgWT7OuFXldoCG6TfVFMs9xE= )
- example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
- example. 3600 RRSIG NSEC 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
- FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
- Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
- SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
- jfFJ5arXf4nPxp/kEowGgBRzY/U= )
-
- ;; Additional
- ;; (empty)
-
-
-
-
-Arends, et al. Standards Track [Page 43]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-B.3. No Data Error
-
- A "no data" response. The NSEC RR proves that the name exists and
- that the requested RR type does not.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- ns1.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- ns1.example. 3600 NSEC ns2.example. A RRSIG NSEC
- ns1.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
- 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
- jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
- ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
- IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
-
- ;; Additional
- ;; (empty)
-
-B.4. Referral to Signed Zone
-
- Referral to a signed zone. The DS RR contains the data which the
- resolver will need to validate the corresponding DNSKEY RR in the
- child zone's apex.
-
- ;; Header: QR DO RCODE=0
- ;;
-
-
-
-Arends, et al. Standards Track [Page 44]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- ;; Question
- mc.a.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- a.example. 3600 IN NS ns1.a.example.
- a.example. 3600 IN NS ns2.a.example.
- a.example. 3600 DS 57855 5 1 (
- B6DCD485719ADCA18E5F3D48A2331627FDD3
- 636B )
- a.example. 3600 RRSIG DS 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
- oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
- kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
- EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
- Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
-
- ;; Additional
- ns1.a.example. 3600 IN A 192.0.2.5
- ns2.a.example. 3600 IN A 192.0.2.6
-
-B.5. Referral to Unsigned Zone
-
- Referral to an unsigned zone. The NSEC RR proves that no DS RR for
- this delegation exists in the parent zone.
-
- ;; Header: QR DO RCODE=0
- ;;
- ;; Question
- mc.b.example. IN MX
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- b.example. 3600 IN NS ns1.b.example.
- b.example. 3600 IN NS ns2.b.example.
- b.example. 3600 NSEC ns1.example. NS RRSIG NSEC
- b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
- 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
- xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
- 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
- vhRXgWT7OuFXldoCG6TfVFMs9xE= )
-
-
-
-Arends, et al. Standards Track [Page 45]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- ;; Additional
- ns1.b.example. 3600 IN A 192.0.2.7
- ns2.b.example. 3600 IN A 192.0.2.8
-
-B.6. Wildcard Expansion
-
- A successful query that was answered via wildcard expansion. The
- label count in the answer's RRSIG RR indicates that a wildcard RRset
- was expanded to produce this response, and the NSEC RR proves that no
- closer match exists in the zone.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN MX
-
- ;; Answer
- a.z.w.example. 3600 IN MX 1 ai.example.
- a.z.w.example. 3600 RRSIG MX 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
- f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
- tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
- TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
- 4kX18MMR34i8lC36SR5xBni8vHI= )
-
- ;; Authority
- example. 3600 NS ns1.example.
- example. 3600 NS ns2.example.
- example. 3600 RRSIG NS 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
- EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
- 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
- RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
- 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
- x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC
- x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
- ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
- xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
- a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
- QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
-
- ;; Additional
- ai.example. 3600 IN A 192.0.2.9
- ai.example. 3600 RRSIG A 5 2 3600 20040509183619 (
-
-
-
-Arends, et al. Standards Track [Page 46]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- 20040409183619 38519 example.
- pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
- ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
- hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
- ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
- 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
- ai.example. 3600 AAAA 2001:db8::f00:baa9
- ai.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
- kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
- 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
- cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
- sZM6QjBBLmukH30+w1z3h8PUP2o= )
-
-B.7. Wildcard No Data Error
-
- A "no data" response for a name covered by a wildcard. The NSEC RRs
- prove that the matching wildcard name does not have any RRs of the
- requested type and that no closer match exists in the zone.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- a.z.w.example. IN AAAA
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC
- x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 (
- 20040409183619 38519 example.
- OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
-
-
-
-Arends, et al. Standards Track [Page 47]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
- xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
- a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
- QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
- *.w.example. 3600 NSEC x.w.example. MX RRSIG NSEC
- *.w.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
- 20040409183619 38519 example.
- r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
- HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
- 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
- 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
- s1InQ2UoIv6tJEaaKkP701j8OLA= )
-
- ;; Additional
- ;; (empty)
-
-B.8. DS Child Zone No Data Error
-
- A "no data" response for a QTYPE=DS query that was mistakenly sent to
- a name server for the child zone.
-
- ;; Header: QR AA DO RCODE=0
- ;;
- ;; Question
- example. IN DS
-
- ;; Answer
- ;; (empty)
-
- ;; Authority
- example. 3600 IN SOA ns1.example. bugs.x.w.example. (
- 1081539377
- 3600
- 300
- 3600000
- 3600
- )
- example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
- 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
- vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
- DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
- jV7j86HyQgM5e7+miRAz8V01b0I= )
- example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
- example. 3600 RRSIG NSEC 5 1 3600 20040509183619 (
- 20040409183619 38519 example.
- O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
-
-
-
-Arends, et al. Standards Track [Page 48]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
- Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
- SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
- jfFJ5arXf4nPxp/kEowGgBRzY/U= )
-
- ;; Additional
- ;; (empty)
-
-Appendix C. Authentication Examples
-
- The examples in this section show how the response messages in
- Appendix B are authenticated.
-
-C.1. Authenticating an Answer
-
- The query in Appendix B.1 returned an MX RRset for "x.w.example.com".
- The corresponding RRSIG indicates that the MX RRset was signed by an
- "example" DNSKEY with algorithm 5 and key tag 38519. The resolver
- needs the corresponding DNSKEY RR in order to authenticate this
- answer. The discussion below describes how a resolver might obtain
- this DNSKEY RR.
-
- The RRSIG indicates the original TTL of the MX RRset was 3600, and,
- for the purpose of authentication, the current TTL is replaced by
- 3600. The RRSIG labels field value of 3 indicates that the answer
- was not the result of wildcard expansion. The "x.w.example.com" MX
- RRset is placed in canonical form, and, assuming the current time
- falls between the signature inception and expiration dates, the
- signature is authenticated.
-
-C.1.1. Authenticating the Example DNSKEY RR
-
- This example shows the logical authentication process that starts
- from the a configured root DNSKEY (or DS RR) and moves down the tree
- to authenticate the desired "example" DNSKEY RR. Note that the
- logical order is presented for clarity. An implementation may choose
- to construct the authentication as referrals are received or to
- construct the authentication chain only after all RRsets have been
- obtained, or in any other combination it sees fit. The example here
- demonstrates only the logical process and does not dictate any
- implementation rules.
-
- We assume the resolver starts with a configured DNSKEY RR for the
- root zone (or a configured DS RR for the root zone). The resolver
- checks whether this configured DNSKEY RR is present in the root
- DNSKEY RRset (or whether the DS RR matches some DNSKEY in the root
- DNSKEY RRset), whether this DNSKEY RR has signed the root DNSKEY
- RRset, and whether the signature lifetime is valid. If all these
-
-
-
-Arends, et al. Standards Track [Page 49]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- conditions are met, all keys in the DNSKEY RRset are considered
- authenticated. The resolver then uses one (or more) of the root
- DNSKEY RRs to authenticate the "example" DS RRset. Note that the
- resolver may have to query the root zone to obtain the root DNSKEY
- RRset or "example" DS RRset.
-
- Once the DS RRset has been authenticated using the root DNSKEY, the
- resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
- RR that matches one of the authenticated "example" DS RRs. If such a
- matching "example" DNSKEY is found, the resolver checks whether this
- DNSKEY RR has signed the "example" DNSKEY RRset and the signature
- lifetime is valid. If these conditions are met, all keys in the
- "example" DNSKEY RRset are considered authenticated.
-
- Finally, the resolver checks that some DNSKEY RR in the "example"
- DNSKEY RRset uses algorithm 5 and has a key tag of 38519. This
- DNSKEY is used to authenticate the RRSIG included in the response.
- If multiple "example" DNSKEY RRs match this algorithm and key tag,
- then each DNSKEY RR is tried, and the answer is authenticated if any
- of the matching DNSKEY RRs validate the signature as described above.
-
-C.2. Name Error
-
- The query in Appendix B.2 returned NSEC RRs that prove that the
- requested data does not exist and no wildcard applies. The negative
- reply is authenticated by verifying both NSEC RRs. The NSEC RRs are
- authenticated in a manner identical to that of the MX RRset discussed
- above.
-
-C.3. No Data Error
-
- The query in Appendix B.3 returned an NSEC RR that proves that the
- requested name exists, but the requested RR type does not exist. The
- negative reply is authenticated by verifying the NSEC RR. The NSEC
- RR is authenticated in a manner identical to that of the MX RRset
- discussed above.
-
-C.4. Referral to Signed Zone
-
- The query in Appendix B.4 returned a referral to the signed
- "a.example." zone. The DS RR is authenticated in a manner identical
- to that of the MX RRset discussed above. This DS RR is used to
- authenticate the "a.example" DNSKEY RRset.
-
- Once the "a.example" DS RRset has been authenticated using the
- "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
- for some "a.example" DNSKEY RR that matches the DS RR. If such a
- matching "a.example" DNSKEY is found, the resolver checks whether
-
-
-
-Arends, et al. Standards Track [Page 50]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
- this DNSKEY RR has signed the "a.example" DNSKEY RRset and whether
- the signature lifetime is valid. If all these conditions are met,
- all keys in the "a.example" DNSKEY RRset are considered
- authenticated.
-
-C.5. Referral to Unsigned Zone
-
- The query in Appendix B.5 returned a referral to an unsigned
- "b.example." zone. The NSEC proves that no authentication leads from
- "example" to "b.example", and the NSEC RR is authenticated in a
- manner identical to that of the MX RRset discussed above.
-
-C.6. Wildcard Expansion
-
- The query in Appendix B.6 returned an answer that was produced as a
- result of wildcard expansion. The answer section contains a wildcard
- RRset expanded as it would be in a traditional DNS response, and the
- corresponding RRSIG indicates that the expanded wildcard MX RRset was
- signed by an "example" DNSKEY with algorithm 5 and key tag 38519.
- The RRSIG indicates that the original TTL of the MX RRset was 3600,
- and, for the purpose of authentication, the current TTL is replaced
- by 3600. The RRSIG labels field value of 2 indicates that the answer
- is the result of wildcard expansion, as the "a.z.w.example" name
- contains 4 labels. The name "a.z.w.w.example" is replaced by
- "*.w.example", the MX RRset is placed in canonical form, and,
- assuming that the current time falls between the signature inception
- and expiration dates, the signature is authenticated.
-
- The NSEC proves that no closer match (exact or closer wildcard) could
- have been used to answer this query, and the NSEC RR must also be
- authenticated before the answer is considered valid.
-
-C.7. Wildcard No Data Error
-
- The query in Appendix B.7 returned NSEC RRs that prove that the
- requested data does not exist and no wildcard applies. The negative
- reply is authenticated by verifying both NSEC RRs.
-
-C.8. DS Child Zone No Data Error
-
- The query in Appendix B.8 returned NSEC RRs that shows the requested
- was answered by a child server ("example" server). The NSEC RR
- indicates the presence of an SOA RR, showing that the answer is from
- the child . Queries for the "example" DS RRset should be sent to the
- parent servers ("root" servers).
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 51]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-Authors' Addresses
-
- Roy Arends
- Telematica Instituut
- Brouwerijstraat 1
- 7523 XC Enschede
- NL
-
- EMail: roy.arends@telin.nl
-
-
- Rob Austein
- Internet Systems Consortium
- 950 Charter Street
- Redwood City, CA 94063
- USA
-
- EMail: sra@isc.org
-
-
- Matt Larson
- VeriSign, Inc.
- 21345 Ridgetop Circle
- Dulles, VA 20166-6503
- USA
-
- EMail: mlarson@verisign.com
-
-
- Dan Massey
- Colorado State University
- Department of Computer Science
- Fort Collins, CO 80523-1873
-
- EMail: massey@cs.colostate.edu
-
-
- Scott Rose
- National Institute for Standards and Technology
- 100 Bureau Drive
- Gaithersburg, MD 20899-8920
- USA
-
- EMail: scott.rose@nist.gov
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 52]
-
-RFC 4035 DNSSEC Protocol Modifications March 2005
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Arends, et al. Standards Track [Page 53]
-
diff --git a/contrib/bind9/doc/rfc/rfc4074.txt b/contrib/bind9/doc/rfc/rfc4074.txt
deleted file mode 100644
index d9252b39eb59..000000000000
--- a/contrib/bind9/doc/rfc/rfc4074.txt
+++ /dev/null
@@ -1,339 +0,0 @@
-
-
-
-
-
-
-Network Working Group Y. Morishita
-Request for Comments: 4074 JPRS
-Category: Informational T. Jinmei
- Toshiba
- May 2005
-
-
- Common Misbehavior Against DNS Queries for IPv6 Addresses
-
-Status of This Memo
-
- This memo provides information for the Internet community. It does
- not specify an Internet standard of any kind. Distribution of this
- memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- There is some known misbehavior of DNS authoritative servers when
- they are queried for AAAA resource records. Such behavior can block
- IPv4 communication that should actually be available, cause a
- significant delay in name resolution, or even make a denial of
- service attack. This memo describes details of known cases and
- discusses their effects.
-
-1. Introduction
-
- Many existing DNS clients (resolvers) that support IPv6 first search
- for AAAA Resource Records (RRs) of a target host name, and then for A
- RRs of the same name. This fallback mechanism is based on the DNS
- specifications, which if not obeyed by authoritative servers, can
- produce unpleasant results. In some cases, for example, a web
- browser fails to connect to a web server it could otherwise reach.
- In the following sections, this memo describes some typical cases of
- such misbehavior and its (bad) effects.
-
- Note that the misbehavior is not specific to AAAA RRs. In fact, all
- known examples also apply to the cases of queries for MX, NS, and SOA
- RRs. The authors believe this can be generalized for all types of
- queries other than those for A RRs. In this memo, however, we
- concentrate on the case for AAAA queries, since the problem is
- particularly severe for resolvers that support IPv6, which thus
- affects many end users. Resolvers at end users normally send A
- and/or AAAA queries only, so the problem for the other cases is
- relatively minor.
-
-
-
-Morishita & Jinmei Informational [Page 1]
-
-RFC 4074 Common Misbehavior Against DNS Queries May 2005
-
-
-2. Network Model
-
- In this memo, we assume a typical network model of name resolution
- environment using DNS. It consists of three components: stub
- resolvers, caching servers, and authoritative servers. A stub
- resolver issues a recursive query to a caching server, which then
- handles the entire name resolution procedure recursively. The
- caching server caches the result of the query and sends the result to
- the stub resolver. The authoritative servers respond to queries for
- names for which they have the authority, normally in a non-recursive
- manner.
-
-3. Expected Behavior
-
- Suppose that an authoritative server has an A RR but has no AAAA RR
- for a host name. Then, the server should return a response to a
- query for an AAAA RR of the name with the response code (RCODE) being
- 0 (indicating no error) and with an empty answer section (see
- Sections 4.3.2 and 6.2.4 of [1]). Such a response indicates that
- there is at least one RR of a different type than AAAA for the
- queried name, and the stub resolver can then look for A RRs.
-
- This way, the caching server can cache the fact that the queried name
- has no AAAA RR (but may have other types of RRs), and thus improve
- the response time to further queries for an AAAA RR of the name.
-
-4. Problematic Behaviors
-
- There are some known cases at authoritative servers that do not
- conform to the expected behavior. This section describes those
- problematic cases.
-
-4.1. Ignore Queries for AAAA
-
- Some authoritative servers seem to ignore queries for an AAAA RR,
- causing a delay at the stub resolver to fall back to a query for an A
- RR. This behavior may cause a fatal timeout at the resolver or at
- the application that calls the resolver. Even if the resolver
- eventually falls back, the result can be an unacceptable delay for
- the application user, especially with interactive applications like
- web browsing.
-
-4.2. Return "Name Error"
-
- This type of server returns a response with RCODE 3 ("Name Error") to
- a query for an AAAA RR, indicating that it does not have any RRs of
- any type for the queried name.
-
-
-
-
-Morishita & Jinmei Informational [Page 2]
-
-RFC 4074 Common Misbehavior Against DNS Queries May 2005
-
-
- With this response, the stub resolver may immediately give up and
- never fall back. Even if the resolver retries with a query for an A
- RR, the negative response for the name has been cached in the caching
- server, and the caching server will simply return the negative
- response. As a result, the stub resolver considers this to be a
- fatal error in name resolution.
-
- Several examples of this behavior are known to the authors. As of
- this writing, all have been fixed.
-
-4.3. Return Other Erroneous Codes
-
- Other authoritative servers return a response with erroneous response
- codes other than RCODE 3 ("Name Error"). One such RCODE is 4 ("Not
- Implemented"), indicating that the servers do not support the
- requested type of query.
-
- These cases are less harmful than the previous one; if the stub
- resolver falls back to querying for an A RR, the caching server will
- process the query correctly and return an appropriate response.
-
- However, these can still cause a serious effect. There was an
- authoritative server implementation that returned RCODE 2 ("Server
- failure") to queries for AAAA RRs. One widely deployed mail server
- implementation with a certain type of resolver library interpreted
- this result as an indication of retry and did not fall back to
- queries for A RRs, causing message delivery failure.
-
- If the caching server receives a response with these response codes,
- it does not cache the fact that the queried name has no AAAA RR,
- resulting in redundant queries for AAAA RRs in the future. The
- behavior will waste network bandwidth and increase the load of the
- authoritative server.
-
- Using RCODE 1 ("Format error") would cause a similar effect, though
- the authors have not seen such implementations yet.
-
-4.4. Return a Broken Response
-
- Another type of authoritative servers returns broken responses to
- AAAA queries. Returning a response whose RR type is AAAA with the
- length of the RDATA being 4 bytes is a known behavior of this
- category. The 4-byte data looks like the IPv4 address of the queried
- host name.
-
-
-
-
-
-
-
-Morishita & Jinmei Informational [Page 3]
-
-RFC 4074 Common Misbehavior Against DNS Queries May 2005
-
-
- That is, the RR in the answer section would be described as follows:
-
- www.bad.example. 600 IN AAAA 192.0.2.1
-
- which is, of course, bogus (or at least meaningless).
-
- A widely deployed caching server implementation transparently returns
- the broken response (and caches it) to the stub resolver. Another
- known server implementation parses the response by itself, and sends
- a separate response with RCODE 2 ("Server failure").
-
- In either case, the broken response does not affect queries for an A
- RR of the same name. If the stub resolver falls back to A queries,
- it will get an appropriate response.
-
- The latter case, however, causes the same bad effect as that
- described in the previous section: redundant queries for AAAA RRs.
-
-4.5. Make Lame Delegation
-
- Some authoritative servers respond to AAAA queries in a way that
- causes lame delegation. In this case, the parent zone specifies that
- the authoritative server should have the authority of a zone, but the
- server should not return an authoritative response for AAAA queries
- within the zone (i.e., the AA bit in the response is not set). On
- the other hand, the authoritative server returns an authoritative
- response for A queries.
-
- When a caching server asks the server for AAAA RRs in the zone, it
- recognizes the delegation is lame, and returns a response with RCODE
- 2 ("Server failure") to the stub resolver.
-
- Furthermore, some caching servers record the authoritative server as
- lame for the zone and will not use it for a certain period of time.
- With this type of caching server, even if the stub resolver falls
- back to querying for an A RR, the caching server will simply return a
- response with RCODE 2, since all the servers are known to be "lame."
-
- There is also an implementation that relaxes the behavior a little
- bit. It tries to avoid using the lame server, but continues to try
- it as a last resort. With this type of caching server, the stub
- resolver will get a correct response if it falls back after Server
- failure. However, this still causes redundant AAAA queries, as
- explained in the previous sections.
-
-
-
-
-
-
-
-Morishita & Jinmei Informational [Page 4]
-
-RFC 4074 Common Misbehavior Against DNS Queries May 2005
-
-
-5. Security Considerations
-
- The CERT/CC pointed out that the response with RCODE 3 ("Name
- Error"), described in Section 4.2, can be used for a denial of
- service attack [2]. The same argument applies to the case of "lame
- delegation", described in Section 4.5, with a certain type of caching
- server.
-
-6. Acknowledgements
-
- Erik Nordmark encouraged the authors to publish this document as an
- RFC. Akira Kato and Paul Vixie reviewed a preliminary version of
- this document. Pekka Savola carefully reviewed a previous version
- and provided detailed comments. Bill Fenner, Scott Hollenbeck,
- Thomas Narten, and Alex Zinin reviewed and helped improve the
- document at the last stage for publication.
-
-7. Informative References
-
- [1] Mockapetris, P., "Domain names - concepts and facilities", STD
- 13, RFC 1034, November 1987.
-
- [2] The CERT Coordination Center, "Incorrect NXDOMAIN responses from
- AAAA queries could cause denial-of-service conditions",
- March 2003, <http://www.kb.cert.org/vuls/id/714121>.
-
-Authors' Addresses
-
- MORISHITA Orange Yasuhiro
- Research and Development Department, Japan Registry Services Co.,Ltd.
- Chiyoda First Bldg. East 13F, 3-8-1 Nishi-Kanda
- Chiyoda-ku, Tokyo 101-0065
- Japan
-
- EMail: yasuhiro@jprs.co.jp
-
-
- JINMEI Tatuya
- Corporate Research & Development Center, Toshiba Corporation
- 1 Komukai Toshiba-cho, Saiwai-ku
- Kawasaki-shi, Kanagawa 212-8582
- Japan
-
- EMail: jinmei@isl.rdc.toshiba.co.jp
-
-
-
-
-
-
-
-Morishita & Jinmei Informational [Page 5]
-
-RFC 4074 Common Misbehavior Against DNS Queries May 2005
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Morishita & Jinmei Informational [Page 6]
-
diff --git a/contrib/bind9/doc/rfc/rfc4159.txt b/contrib/bind9/doc/rfc/rfc4159.txt
deleted file mode 100644
index 1ab4bd1ae340..000000000000
--- a/contrib/bind9/doc/rfc/rfc4159.txt
+++ /dev/null
@@ -1,171 +0,0 @@
-
-
-
-
-
-
-Network Working Group G. Huston
-Request for Comments: 4159 APNIC
-BCP: 109 August 2005
-Category: Best Current Practice
-
-
- Deprecation of "ip6.int"
-
-Status of This Memo
-
- This document specifies an Internet Best Current Practices for the
- Internet Community, and requests discussion and suggestions for
- improvements. Distribution of this memo is unlimited.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2005).
-
-Abstract
-
- This document advises of the deprecation of the use of "ip6.int" for
- Standards Conformant IPv6 implementations.
-
-1. IPv6 Standards Action
-
- In August 2001 the IETF published [RFC3152], which advised that the
- use of "ip6.int" as the domain for reverse-mapping of IPv6 addresses
- to DNS names was deprecated. The document noted that the use of
- "ip6.int" would be phased out in an orderly fashion.
-
- As of 1 September 2005, the IETF advises the community that the DNS
- domain "ip6.int" should no longer be used to perform reverse mapping
- of IPv6 addresses to domain names, and that the domain "ip6.arpa"
- should be used henceforth, in accordance with the IANA Considerations
- described in [RFC3596]. The domain "ip6.int" is deprecated, and its
- use in IPv6 implementations that conform to the IPv6 Internet
- Standards is discontinued.
-
- The Regional Internet Registries (RIRs) are advised that maintenance
- of delegation of entries in "ip6.int" is no longer required as part
- of infrastructure services in support of Internet Standards
- Conformant IPv6 implementations as of 1 September 2005. The RIRs are
- requested to work with their communities to adopt a schedule
- regarding the cessation of support of registration services for the
- "ip6.int" domain.
-
-
-
-
-
-
-Huston Best Current Practice [Page 1]
-
-RFC 4159 ip6.int August 2005
-
-
-2. IANA Considerations
-
- IANA is advised that the "ip6.int" domain for reverse mapping of IPv6
- addresses to domain names is no longer part of Internet Standards
- Conformant support of IPv6 as of 1 September 2005.
-
-3. Security Considerations
-
- While DNS spoofing of address to name mapping has been exploited in
- IPv4, removal of the "ip6.int" zone from the standard IPv6
- specification creates no new threats to the security of the internet.
-
-4. Acknowledgements
-
- The document was prepared with the assistance of Kurt Lindqvist,
- Thomas Narten, Paul Wilson, David Kessens, Bob Hinden, Brian
- Haberman, and Bill Manning.
-
-5. Normative References
-
- [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
- August 2001.
-
- [RFC3596] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS
- Extensions to Support IP Version 6", RFC 3596, October
- 2003.
-
-Author's Address
-
- Geoff Huston
- APNIC
-
- EMail: gih@apnic.net
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Huston Best Current Practice [Page 2]
-
-RFC 4159 ip6.int August 2005
-
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2005).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Acknowledgement
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-Huston Best Current Practice [Page 3]
-
diff --git a/contrib/bind9/doc/rfc/rfc952.txt b/contrib/bind9/doc/rfc/rfc952.txt
deleted file mode 100644
index 7df339a272e2..000000000000
--- a/contrib/bind9/doc/rfc/rfc952.txt
+++ /dev/null
@@ -1,340 +0,0 @@
-Network Working Group K. Harrenstien (SRI)
-Request for Comments: 952 M. Stahl (SRI)
- E. Feinler (SRI)
-Obsoletes: RFC 810, 608 October 1985
-
- DOD INTERNET HOST TABLE SPECIFICATION
-
-
-STATUS OF THIS MEMO
-
- This RFC is the official specification of the format of the Internet
- Host Table. This edition of the specification includes minor
- revisions to RFC-810 which brings it up to date. Distribution of this
- memo is unlimited.
-
-INTRODUCTION
-
- The DoD Host Table is utilized by the DoD Hostname Server maintained
- by the DDN Network Information Center (NIC) on behalf of the Defense
- Communications Agency (DCA) [See RFC-953].
-
-LOCATION OF THE STANDARD DOD ONLINE HOST TABLE
-
- A machine-translatable ASCII text version of the DoD Host Table is
- online in the file NETINFO:HOSTS.TXT on the SRI-NIC host. It can be
- obtained via FTP from your local host by connecting to host
- SRI-NIC.ARPA (26.0.0.73 or 10.0.0.51), logging in as user =
- ANONYMOUS, password = GUEST, and retrieving the file
- "NETINFO:HOSTS.TXT". The same table may also be obtained via the NIC
- Hostname Server, as described in RFC-953. The latter method is
- faster and easier, but requires a user program to make the necessary
- connection to the Name Server.
-
-ASSUMPTIONS
-
- 1. A "name" (Net, Host, Gateway, or Domain name) is a text string up
- to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
- sign (-), and period (.). Note that periods are only allowed when
- they serve to delimit components of "domain style names". (See
- RFC-921, "Domain Name System Implementation Schedule", for
- background). No blank or space characters are permitted as part of a
- name. No distinction is made between upper and lower case. The first
- character must be an alpha character. The last character must not be
- a minus sign or period. A host which serves as a GATEWAY should have
- "-GATEWAY" or "-GW" as part of its name. Hosts which do not serve as
- Internet gateways should not use "-GATEWAY" and "-GW" as part of
- their names. A host which is a TAC should have "-TAC" as the last
- part of its host name, if it is a DoD host. Single character names
- or nicknames are not allowed.
-
- 2. Internet Addresses are 32-bit addresses [See RFC-796]. In the
-
-
-Harrenstien & Stahl & Feinler [Page 1]
-
-
-
-RFC 952 October 1985
-DOD INTERNET HOST TABLE SPECIFICATION
-
-
- host table described herein each address is represented by four
- decimal numbers separated by a period. Each decimal number
- represents 1 octet.
-
- 3. If the first bit of the first octet of the address is 0 (zero),
- then the next 7 bits of the first octet indicate the network number
- (Class A Address). If the first two bits are 1,0 (one,zero), then
- the next 14 bits define the net number (Class B Address). If the
- first 3 bits are 1,1,0 (one,one,zero), then the next 21 bits define
- the net number (Class C Address) [See RFC-943].
-
- This is depicted in the following diagram:
-
- +-+------------+--------------+--------------+--------------+
- |0| NET <-7-> | LOCAL ADDRESS <-24-> |
- +-+------------+--------------+--------------+--------------+
-
- +---+----------+--------------+--------------+--------------+
- |1 0| NET <-14-> | LOCAL ADDRESS <-16-> |
- +---+----------+--------------+--------------+--------------+
-
- +-----+--------+--------------+--------------+--------------+
- |1 1 0| NET <-21-> | LOCAL ADDRESS|
- +-----+--------+--------------+--------------+--------------+
-
- 4. The LOCAL ADDRESS portion of the internet address identifies a
- host within the network specified by the NET portion of the address.
-
- 5. The ARPANET and MILNET are both Class A networks. The NET portion
- is 10 decimal for ARPANET, 26 decimal for MILNET, and the LOCAL
- ADDRESS maps as follows: the second octet identifies the physical
- host, the third octet identifies the logical host, and the fourth
- identifies the Packet Switching Node (PSN), formerly known as an
- Interface Message Processor (IMP).
-
- +-+------------+--------------+--------------+--------------+
- |0| 10 or 26 | HOST | LOGICAL HOST | PSN (IMP) |
- +-+------------+--------------+--------------+--------------+
-
- (NOTE: RFC-796 also describes the local address mappings for
- several other networks.)
-
- 6. It is the responsibility of the users of this host table to
- translate it into whatever format is needed for their purposes.
-
- 7. Names and addresses for DoD hosts and gateways will be negotiated
- and registered with the DDN PMO, and subsequently with the NIC,
-
-
-Harrenstien & Stahl & Feinler [Page 2]
-
-
-
-RFC 952 October 1985
-DOD INTERNET HOST TABLE SPECIFICATION
-
-
- before being used and before traffic is passed by a DoD host. Names
- and addresses for domains and networks are to be registered with the
- DDN Network Information Center (HOSTMASTER@SRI-NIC.ARPA) or
- 800-235-3155.
-
- The NIC will attempt to keep similar information for non-DoD networks
- and hosts, if this information is provided, and as long as it is
- needed, i.e., until intercommunicating network name servers are in
- place.
-
-EXAMPLE OF HOST TABLE FORMAT
-
- NET : 10.0.0.0 : ARPANET :
- NET : 128.10.0.0 : PURDUE-CS-NET :
- GATEWAY : 10.0.0.77, 18.10.0.4 : MIT-GW.ARPA,MIT-GATEWAY : PDP-11 :
- MOS : IP/GW,EGP :
- HOST : 26.0.0.73, 10.0.0.51 : SRI-NIC.ARPA,SRI-NIC,NIC : DEC-2060 :
- TOPS20 :TCP/TELNET,TCP/SMTP,TCP/TIME,TCP/FTP,TCP/ECHO,ICMP :
- HOST : 10.2.0.11 : SU-TAC.ARPA,SU-TAC : C/30 : TAC : TCP :
-
-SYNTAX AND CONVENTIONS
-
- ; (semicolon) is used to denote the beginning of a comment.
- Any text on a given line following a ';' is a
- comment, and not part of the host table.
-
- NET keyword introducing a network entry
-
- GATEWAY keyword introducing a gateway entry
-
- HOST keyword introducing a host entry
-
- DOMAIN keyword introducing a domain entry
-
- :(colon) is used as a field delimiter
-
- ::(2 colons) indicates a null field
-
- ,(comma) is used as a data element delimiter
-
- XXX/YYY indicates protocol information of the type
- TRANSPORT/SERVICE.
-
- where TRANSPORT/SERVICE options are specified as
-
- "FOO/BAR" both transport and service known
-
-
-
-Harrenstien & Stahl & Feinler [Page 3]
-
-
-
-RFC 952 October 1985
-DOD INTERNET HOST TABLE SPECIFICATION
-
-
- "FOO" transport known; services not known
-
- "BAR" service is known, transport not known
-
- NOTE: See "Assigned Numbers" for specific options and acronyms
- for machine types, operating systems, and protocol/services.
-
- Each host table entry is an ASCII text string comprised of 6 fields,
- where
-
- Field 1 KEYWORD indicating whether this entry pertains to
- a NET, GATEWAY, HOST, or DOMAIN. NET entries are
- assigned and cannot have alternate addresses or
- nicknames. DOMAIN entries do not use fields 4, 5,
- or 6.
-
- Field 2 Internet Address of Network, Gateway, or Host
- followed by alternate addresses. Addresses for a
- Domain are those where a Domain Name Server exists
- for that domain.
-
- Field 3 Official Name of Network, Gateway, Host, or Domain
- (with optional nicknames, where permitted).
-
- Field 4 Machine Type
-
- Field 5 Operating System
-
- Field 6 Protocol List
-
- Fields 4, 5 and 6 are optional. For a Domain they are not used.
-
- Fields 3-6, if included, pertain to the first address in Field 2.
-
- 'Blanks' (spaces and tabs) are ignored between data elements or
- fields, but are disallowed within a data element.
-
- Each entry ends with a colon.
-
- The entries in the table are grouped by types in the order Domain,
- Net, Gateway, and Host. Within each type the ordering is
- unspecified.
-
- Note that although optional nicknames are allowed for hosts, they are
- discouraged, except in the case where host names have been changed
-
-
-
-
-Harrenstien & Stahl & Feinler [Page 4]
-
-
-
-RFC 952 October 1985
-DOD INTERNET HOST TABLE SPECIFICATION
-
-
- and both the new and the old names are maintained for a suitable
- period of time to effect a smooth transition. Nicknames are not
- permitted for NET names.
-
-GRAMMATICAL HOST TABLE SPECIFICATION
-
- A. Parsing grammar
-
- <entry> ::= <keyword> ":" <addresses> ":" <names> [":" [<cputype>]
- [":" [<opsys>] [":" [<protocol list>] ]]] ":"
- <addresses> ::= <address> *["," <address>]
- <address> ::= <octet> "." <octet> "." <octet> "." <octet>
- <octet> ::= <0 to 255 decimal>
- <names> ::= <netname> | <gatename> | <domainname> *[","
- <nicknames>]
- | <official hostname> *["," <nicknames>]
- <netname> ::= <name>
- <gatename> ::= <hname>
- <domainname> ::= <hname>
- <official hostname> ::= <hname>
- <nickname> ::= <hname>
- <protocol list> ::= <protocol spec> *["," <protocol spec>]
- <protocol spec> ::= <transport name> "/" <service name>
- | <raw protocol name>
-
- B. Lexical grammar
-
- <entry-field> ::= <entry-text> [<cr><lf> <blank> <entry-field>]
- <entry-text> ::= <print-char> *<text>
- <blank> ::= <space-or-tab> [<blank>]
- <keyword> ::= NET | GATEWAY | HOST | DOMAIN
- <hname> ::= <name>*["."<name>]
- <name> ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>]
- <cputype> ::= PDP-11/70 | DEC-1080 | C/30 | CDC-6400...etc.
- <opsys> ::= ITS | MULTICS | TOPS20 | UNIX...etc.
- <transport name> ::= TCP | NCP | UDP | IP...etc.
- <service name> ::= TELNET | FTP | SMTP | MTP...etc.
- <raw protocol name> ::= <name>
- <comment> ::= ";" <text><cr><lf>
- <text> ::= *[<print-char> | <blank>]
- <print-char> ::= <any printing char (not space or tab)>
-
- Notes:
-
- 1. Zero or more 'blanks' between separators " , : " are allowed.
- 'Blanks' are spaces and tabs.
-
-
-
-Harrenstien & Stahl & Feinler [Page 5]
-
-
-
-RFC 952 October 1985
-DOD INTERNET HOST TABLE SPECIFICATION
-
-
- 2. Continuation lines are lines that begin with at least one
- blank. They may be used anywhere 'blanks' are legal to split an
- entry across lines.
-
-BIBLIOGRAPHY
-
- 1. Feinler, E., Harrenstien, K., Su, Z. and White, V., "Official DoD
- Internet Host Table Specification", RFC-810, Network Information
- Center, SRI International, March 1982.
-
- 2. Harrenstien, K., Stahl, M., and Feinler, E., "Hostname Server",
- RFC-953, Network Information Center, SRI International, October
- 1985.
-
- 3. Kudlick, M. "Host Names Online", RFC-608, Network Information
- Center, SRI International, January 1973.
-
- 4. Postel, J., "Internet Protocol", RFC-791, Information Sciences
- Institute, University of Southern California, Marina del Rey,
- September 1981.
-
- 5. Postel, J., "Address Mappings", RFC-796, Information Sciences
- Institute, University of Southern California, Marina del Rey,
- September 1981.
-
- 6. Postel, J., "Domain Name System Implementation Schedule", RFC-921,
- Information Sciences Institute, University of Southern California,
- Marina del Rey, October 1984.
-
- 7. Reynolds, J. and Postel, J., "Assigned Numbers", RFC-943,
- Information Sciences Institute, University of Southern California,
- Marina del Rey, April 1985.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Harrenstien & Stahl & Feinler [Page 6]
-
diff --git a/contrib/bind9/install-sh b/contrib/bind9/install-sh
deleted file mode 100755
index 058b26c82d24..000000000000
--- a/contrib/bind9/install-sh
+++ /dev/null
@@ -1,250 +0,0 @@
-#! /bin/sh
-#
-# install - install a program, script, or datafile
-# This comes from X11R5 (mit/util/scripts/install.sh).
-#
-# Copyright 1991 by the Massachusetts Institute of Technology
-#
-# Permission to use, copy, modify, distribute, and sell this software and its
-# documentation for any purpose is hereby granted without fee, provided that
-# the above copyright notice appear in all copies and that both that
-# copyright notice and this permission notice appear in supporting
-# documentation, and that the name of M.I.T. not be used in advertising or
-# publicity pertaining to distribution of the software without specific,
-# written prior permission. M.I.T. makes no representations about the
-# suitability of this software for any purpose. It is provided "as is"
-# without express or implied warranty.
-#
-# Calling this script install-sh is preferred over install.sh, to prevent
-# `make' implicit rules from creating a file called install from it
-# when there is no Makefile.
-#
-# This script is compatible with the BSD install script, but was written
-# from scratch. It can only install one file at a time, a restriction
-# shared with many OS's install programs.
-
-
-# set DOITPROG to echo to test this script
-
-# Don't use :- since 4.3BSD and earlier shells don't like it.
-doit="${DOITPROG-}"
-
-
-# put in absolute paths if you don't have them in your path; or use env. vars.
-
-mvprog="${MVPROG-mv}"
-cpprog="${CPPROG-cp}"
-chmodprog="${CHMODPROG-chmod}"
-chownprog="${CHOWNPROG-chown}"
-chgrpprog="${CHGRPPROG-chgrp}"
-stripprog="${STRIPPROG-strip}"
-rmprog="${RMPROG-rm}"
-mkdirprog="${MKDIRPROG-mkdir}"
-
-transformbasename=""
-transform_arg=""
-instcmd="$mvprog"
-chmodcmd="$chmodprog 0755"
-chowncmd=""
-chgrpcmd=""
-stripcmd=""
-rmcmd="$rmprog -f"
-mvcmd="$mvprog"
-src=""
-dst=""
-dir_arg=""
-
-while [ x"$1" != x ]; do
- case $1 in
- -c) instcmd="$cpprog"
- shift
- continue;;
-
- -d) dir_arg=true
- shift
- continue;;
-
- -m) chmodcmd="$chmodprog $2"
- shift
- shift
- continue;;
-
- -o) chowncmd="$chownprog $2"
- shift
- shift
- continue;;
-
- -g) chgrpcmd="$chgrpprog $2"
- shift
- shift
- continue;;
-
- -s) stripcmd="$stripprog"
- shift
- continue;;
-
- -t=*) transformarg=`echo $1 | sed 's/-t=//'`
- shift
- continue;;
-
- -b=*) transformbasename=`echo $1 | sed 's/-b=//'`
- shift
- continue;;
-
- *) if [ x"$src" = x ]
- then
- src=$1
- else
- # this colon is to work around a 386BSD /bin/sh bug
- :
- dst=$1
- fi
- shift
- continue;;
- esac
-done
-
-if [ x"$src" = x ]
-then
- echo "install: no input file specified"
- exit 1
-else
- true
-fi
-
-if [ x"$dir_arg" != x ]; then
- dst=$src
- src=""
-
- if [ -d $dst ]; then
- instcmd=:
- else
- instcmd=mkdir
- fi
-else
-
-# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
-# might cause directories to be created, which would be especially bad
-# if $src (and thus $dsttmp) contains '*'.
-
- if [ -f $src -o -d $src ]
- then
- true
- else
- echo "install: $src does not exist"
- exit 1
- fi
-
- if [ x"$dst" = x ]
- then
- echo "install: no destination specified"
- exit 1
- else
- true
- fi
-
-# If destination is a directory, append the input filename; if your system
-# does not like double slashes in filenames, you may need to add some logic
-
- if [ -d $dst ]
- then
- dst="$dst"/`basename $src`
- else
- true
- fi
-fi
-
-## this sed command emulates the dirname command
-dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
-
-# Make sure that the destination directory exists.
-# this part is taken from Noah Friedman's mkinstalldirs script
-
-# Skip lots of stat calls in the usual case.
-if [ ! -d "$dstdir" ]; then
-defaultIFS='
-'
-IFS="${IFS-${defaultIFS}}"
-
-oIFS="${IFS}"
-# Some sh's can't handle IFS=/ for some reason.
-IFS='%'
-set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
-IFS="${oIFS}"
-
-pathcomp=''
-
-while [ $# -ne 0 ] ; do
- pathcomp="${pathcomp}${1}"
- shift
-
- if [ ! -d "${pathcomp}" ] ;
- then
- $mkdirprog "${pathcomp}"
- else
- true
- fi
-
- pathcomp="${pathcomp}/"
-done
-fi
-
-if [ x"$dir_arg" != x ]
-then
- $doit $instcmd $dst &&
-
- if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
- if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
- if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
- if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
-else
-
-# If we're going to rename the final executable, determine the name now.
-
- if [ x"$transformarg" = x ]
- then
- dstfile=`basename $dst`
- else
- dstfile=`basename $dst $transformbasename |
- sed $transformarg`$transformbasename
- fi
-
-# don't allow the sed command to completely eliminate the filename
-
- if [ x"$dstfile" = x ]
- then
- dstfile=`basename $dst`
- else
- true
- fi
-
-# Make a temp file name in the proper directory.
-
- dsttmp=$dstdir/#inst.$$#
-
-# Move or copy the file name to the temp name
-
- $doit $instcmd $src $dsttmp &&
-
- trap "rm -f ${dsttmp}" 0 &&
-
-# and set any options; do chmod last to preserve setuid bits
-
-# If any of these fail, we abort the whole thing. If we want to
-# ignore errors from any of these, just make sure not to ignore
-# errors from the above "$doit $instcmd $src $dsttmp" command.
-
- if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
- if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
- if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
- if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
-
-# Now rename the file to the real destination.
-
- $doit $rmcmd -f $dstdir/$dstfile &&
- $doit $mvcmd $dsttmp $dstdir/$dstfile
-
-fi &&
-
-
-exit 0
diff --git a/contrib/bind9/isc-config.sh.in b/contrib/bind9/isc-config.sh.in
deleted file mode 100644
index 737e31d2426e..000000000000
--- a/contrib/bind9/isc-config.sh.in
+++ /dev/null
@@ -1,149 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: isc-config.sh.in,v 1.10.12.3 2004/03/08 04:04:12 marka Exp $
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-exec_prefix_set=
-
-usage()
-{
- cat << EOF
-Usage: isc-config [OPTIONS] [LIBRARIES]
-Options:
- [--prefix[=DIR]]
- [--exec-prefix[=DIR]]
- [--version]
- [--libs]
- [--cflags]
-Libraries:
- isc
- isccc
- isccfg
- dns
- lwres
- bind9
-EOF
- exit $1
-}
-
-if test $# -eq 0; then
- usage 1 1>&2
-fi
-
-while test $# -gt 0; do
- case "$1" in
- -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
- *) optarg= ;;
- esac
-
- case "$1" in
- --prefix=*)
- prefix=$optarg
- if test "x$exec_prefix_set" = x ; then
- exec_prefix=$prefix
- fi
- ;;
- --prefix)
- echo_prefix=true
- ;;
- --exec-prefix=*)
- exec_prefix=$optarg
- ;;
- --exec-prefix)
- echo_exec_prefix=true
- ;;
- --version)
- echo @BIND9_VERSION@
- exit 0
- ;;
- --cflags)
- echo_cflags=true
- ;;
- --libs)
- echo_libs=true;
- ;;
- isc)
- libisc=true;
- ;;
- isccc)
- libisccc=true;
- libisc=true;
- ;;
- isccfg)
- libisccfg=true;
- libisc=true;
- ;;
- dns)
- libdns=true;
- libisc=true;
- ;;
- lwres)
- liblwres=true;
- ;;
- bind9)
- libdns=true;
- libisc=true;
- libisccfg=true;
- libbind9=true;
- ;;
- *)
- usage 1 1>&2
- esac
- shift
-done
-
-if test x"$echo_prefix" = x"true" ; then
- echo $prefix
-fi
-if test x"$echo_exec_prefix" = x"true" ; then
- echo $exec_prefix
-fi
-if test x"$echo_cflags" = x"true"; then
- includes="-I${exec_prefix}/include"
- if test x"$libisc" = x"true"; then
- includes="$includes @ALWAYS_DEFINES@ @STD_CINCLUDES@ @STD_CDEFINES@ @CCOPT@"
- fi
- echo $includes
-fi
-if test x"$echo_libs" = x"true"; then
- libs=-L${exec_prefix}/lib
- if test x"$liblwres" = x"true" ; then
- libs="$libs -llwres"
- fi
- if test x"$libbind9" = x"true" ; then
- libs="$libs -lbind9"
- fi
- if test x"$libdns" = x"true" ; then
- libs="$libs -ldns @DNS_CRYPTO_LIBS@"
- fi
- if test x"$libisccfg" = x"true" ; then
- libs="$libs -lisccfg"
- fi
- if test x"$libisccc" = x"true" ; then
- libs="$libs -lisccc"
- fi
- if test x"$libisc" = x"true" ; then
- libs="$libs -lisc"
- needothers=true
- fi
- if test x"$needothers" = x"true" ; then
- libs="$libs @CCOPT@ @LIBS@"
- fi
- echo $libs
-fi
diff --git a/contrib/bind9/lib/Makefile.in b/contrib/bind9/lib/Makefile.in
deleted file mode 100644
index c72b3e772607..000000000000
--- a/contrib/bind9/lib/Makefile.in
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.15.2.2.8.4 2004/03/08 09:04:25 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-# Note: the order of SUBDIRS is important.
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-SUBDIRS = isc isccc dns isccfg bind9 lwres tests
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/Makefile.in b/contrib/bind9/lib/bind/Makefile.in
deleted file mode 100644
index 5c34c1a1842e..000000000000
--- a/contrib/bind9/lib/bind/Makefile.in
+++ /dev/null
@@ -1,132 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.12.2.5.2.9 2005/07/29 00:13:08 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-
-@LIBBIND_API@
-
-LIBS = @LIBS@
-
-DAEMON_OBJS=bsd/daemon.@O@
-STRSEP_OBJS=bsd/strsep.@O@
-
-BSDOBJS= @DAEMON_OBJS@ @STRSEP_OBJS@ bsd/ftruncate.@O@ bsd/gettimeofday.@O@ \
- bsd/mktemp.@O@ bsd/putenv.@O@ bsd/readv.@O@ bsd/setenv.@O@ \
- bsd/setitimer.@O@ bsd/strcasecmp.@O@ bsd/strdup.@O@ \
- bsd/strerror.@O@ bsd/strpbrk.@O@ bsd/strtoul.@O@ bsd/utimes.@O@ \
- bsd/writev.@O@
-
-DSTOBJS= dst/dst_api.@O@ dst/hmac_link.@O@ dst/md5_dgst.@O@ dst/support.@O@
-
-INETOBJS= inet/inet_addr.@O@ inet/inet_cidr_ntop.@O@ inet/inet_cidr_pton.@O@ \
- inet/inet_data.@O@ inet/inet_lnaof.@O@ inet/inet_makeaddr.@O@ \
- inet/inet_net_ntop.@O@ inet/inet_net_pton.@O@ inet/inet_neta.@O@ \
- inet/inet_netof.@O@ inet/inet_network.@O@ inet/inet_ntoa.@O@ \
- inet/inet_ntop.@O@ inet/inet_pton.@O@ inet/nsap_addr.@O@
-
-WANT_IRS_THREADS_OBJS= irs/gethostent_r.@O@ irs/getnetent_r.@O@ \
- irs/getnetgrent_r.@O@ irs/getprotoent_r.@O@ irs/getservent_r.@O@
-
-WANT_IRS_NISGR_OBJS= irs/nis_gr.@O@
-WANT_IRS_GR_OBJS= irs/dns_gr.@O@ irs/irp_gr.@O@ irs/lcl_gr.@O@ irs/gen_gr.@O@ \
- irs/getgrent.@O@ @WANT_IRS_NISGR_OBJS@ @WANT_IRS_THREADSGR_OBJS@
-
-WANT_IRS_THREADSPW_OBJS=irs/getpwent_r.@O@
-WANT_IRS_NISPW_OBJS= irs/nis_pw.@O@
-WANT_IRS_DBPW_OBJS=irs/irp_pw.@O@ irs/lcl_pw.@O@
-WANT_IRS_PW_OBJS= irs/dns_pw.@O@ irs/gen_pw.@O@ irs/getpwent.@O@ \
- @WANT_IRS_DBPW_OBJS@ @WANT_IRS_NISPW_OBJS@ @WANT_IRS_THREADSPW_OBJS@
-
-WANT_IRS_NIS_OBJS= irs/nis_ho.@O@ irs/nis_ng.@O@ irs/nis_nw.@O@ \
- irs/nis_pr.@O@ irs/nis_sv.@O@
-
-IRSOBJS= @WANT_IRS_GR_OBJS@ @WANT_IRS_NIS_OBJS@ @WANT_IRS_THREADS_OBJS@ \
- @WANT_IRS_PW_OBJS@ \
- irs/dns.@O@ irs/dns_ho.@O@ irs/dns_nw.@O@ irs/dns_pr.@O@ \
- irs/dns_sv.@O@ irs/gai_strerror.@O@ irs/gen.@O@ irs/gen_ho.@O@ \
- irs/gen_ng.@O@ irs/gen_nw.@O@ irs/gen_pr.@O@ irs/gen_sv.@O@ \
- irs/getaddrinfo.@O@ irs/gethostent.@O@ irs/getnameinfo.@O@ \
- irs/getnetent.@O@ irs/getnetgrent.@O@ \
- irs/getprotoent.@O@ irs/getservent.@O@ irs/hesiod.@O@ \
- irs/irp.@O@ irs/irp_ho.@O@ irs/irp_ng.@O@ irs/irp_nw.@O@ \
- irs/irp_pr.@O@ irs/irp_sv.@O@ irs/irpmarshall.@O@ irs/irs_data.@O@ \
- irs/lcl.@O@ irs/lcl_ho.@O@ irs/lcl_ng.@O@ irs/lcl_nw.@O@ \
- irs/lcl_pr.@O@ irs/lcl_sv.@O@ irs/nis.@O@ irs/nul_ng.@O@ irs/util.@O@
-
-WANT_IRS_THREADSGR_OBJS=irs/getgrent_r.@O@
-
-ISCOBJS= isc/assertions.@O@ isc/base64.@O@ isc/bitncmp.@O@ isc/ctl_clnt.@O@ \
- isc/ctl_p.@O@ isc/ctl_srvr.@O@ isc/ev_connects.@O@ isc/ev_files.@O@ \
- isc/ev_streams.@O@ isc/ev_timers.@O@ isc/ev_waits.@O@ \
- isc/eventlib.@O@ isc/heap.@O@ isc/hex.@O@ isc/logging.@O@ \
- isc/memcluster.@O@ isc/movefile.@O@ isc/tree.@O@
-
-NAMESEROBJS= nameser/ns_date.@O@ nameser/ns_name.@O@ nameser/ns_netint.@O@ \
- nameser/ns_parse.@O@ nameser/ns_print.@O@ nameser/ns_samedomain.@O@ \
- nameser/ns_sign.@O@ nameser/ns_ttl.@O@ nameser/ns_verify.@O@
-
-RESOLVOBJS= resolv/herror.@O@ resolv/mtctxres.@O@ resolv/res_comp.@O@ \
- resolv/res_data.@O@ resolv/res_debug.@O@ resolv/res_findzonecut.@O@ \
- resolv/res_init.@O@ resolv/res_mkquery.@O@ resolv/res_mkupdate.@O@ \
- resolv/res_query.@O@ resolv/res_send.@O@ resolv/res_sendsigned.@O@ \
- resolv/res_update.@O@
-
-SUBDIRS = bsd dst include inet irs isc nameser resolv @PORT_INCLUDE@
-
-TARGETS= timestamp
-OBJS= ${BSDOBJS} ${DSTOBJS} ${INETOBJS} ${IRSOBJS} ${ISCOBJS} \
- ${NAMESEROBJS} ${RESOLVOBJS}
-
-@BIND9_MAKE_RULES@
-
-libbind.@SA@: ${OBJS}
- ${AR} ${ARFLAGS} $@ ${OBJS}
- ${RANLIB} $@
-
-libbind.la: ${OBJS}
- ${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind.la -rpath ${libdir} \
- -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${LIBS}
-
-timestamp: libbind.@A@
- touch timestamp
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
- rm -f libbind.@SA@ libbind.la
-
-distclean::
- rm -f make/rules make/includes make/mkdep
-
-distclean::
- rm -f config.cache config.h config.log config.status libtool
- rm -f port_before.h port_after.h configure.lineno
- rm -f port/Makefile @PORT_DIR@/Makefile
-
-man:
diff --git a/contrib/bind9/lib/bind/README b/contrib/bind9/lib/bind/README
deleted file mode 100644
index b89cff7095d1..000000000000
--- a/contrib/bind9/lib/bind/README
+++ /dev/null
@@ -1,4 +0,0 @@
---with-irs-gr=yes #define WANT_IRS_GR
---with-irs-nis=yes #define WANT_IRS_NIS
---with-irs-pw=yes #define WANT_IRS_PW
-
diff --git a/contrib/bind9/lib/bind/aclocal.m4 b/contrib/bind9/lib/bind/aclocal.m4
deleted file mode 100644
index 110ed87832da..000000000000
--- a/contrib/bind9/lib/bind/aclocal.m4
+++ /dev/null
@@ -1,2 +0,0 @@
-sinclude(../../libtool.m4)dnl
-
diff --git a/contrib/bind9/lib/bind/api b/contrib/bind9/lib/bind/api
deleted file mode 100644
index dcc846ea5275..000000000000
--- a/contrib/bind9/lib/bind/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 4
-LIBREVISION = 2
-LIBAGE = 0
diff --git a/contrib/bind9/lib/bind/bsd/Makefile.in b/contrib/bind9/lib/bind/bsd/Makefile.in
deleted file mode 100644
index dd7b616e482d..000000000000
--- a/contrib/bind9/lib/bind/bsd/Makefile.in
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:22 marka Exp $
-
-srcdir= @srcdir@
-VPATH = @srcdir@
-
-DAEMON_OBJS=daemon.@O@
-STRSEP_OBJS=strsep.@O@
-
-OBJS= @DAEMON_OBJS@ @STRSEP_OBJS@ ftruncate.@O@ gettimeofday.@O@ \
- mktemp.@O@ putenv.@O@ \
- readv.@O@ setenv.@O@ setitimer.@O@ strcasecmp.@O@ strdup.@O@ \
- strerror.@O@ strpbrk.@O@ strtoul.@O@ utimes.@O@ \
- writev.@O@
-
-SRCS= daemon.c ftruncate.c gettimeofday.c mktemp.c putenv.c \
- readv.c setenv.c setitimer.c strcasecmp.c strdup.c \
- strerror.c strpbrk.c strsep.c strtoul.c utimes.c \
- writev.c
-
-TARGETS= ${OBJS}
-
-CINCLUDES= -I.. -I${srcdir}/../include
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/bsd/daemon.c b/contrib/bind9/lib/bind/bsd/daemon.c
deleted file mode 100644
index a1472f969b9f..000000000000
--- a/contrib/bind9/lib/bind/bsd/daemon.c
+++ /dev/null
@@ -1,79 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)daemon.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: daemon.c,v 1.1 2001/03/29 06:30:31 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "port_before.h"
-
-#include <fcntl.h>
-#include <paths.h>
-#include <unistd.h>
-
-#include "port_after.h"
-
-#ifndef NEED_DAEMON
-int __bind_daemon__;
-#else
-
-int
-daemon(int nochdir, int noclose) {
- int fd;
-
- switch (fork()) {
- case -1:
- return (-1);
- case 0:
- break;
- default:
- _exit(0);
- }
-
- if (setsid() == -1)
- return (-1);
-
- if (!nochdir)
- (void)chdir("/");
-
- if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
- (void)dup2(fd, STDIN_FILENO);
- (void)dup2(fd, STDOUT_FILENO);
- (void)dup2(fd, STDERR_FILENO);
- if (fd > 2)
- (void)close (fd);
- }
- return (0);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/bsd/ftruncate.c b/contrib/bind9/lib/bind/bsd/ftruncate.c
deleted file mode 100644
index 56ce8d34a9c1..000000000000
--- a/contrib/bind9/lib/bind/bsd/ftruncate.c
+++ /dev/null
@@ -1,63 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Id: ftruncate.c,v 1.1 2001/03/29 06:30:32 marka Exp $";
-#endif
-
-/*
- * ftruncate - set file size, BSD Style
- *
- * shortens or enlarges the file as neeeded
- * uses some undocumented locking call. It is known to work on SCO unix,
- * other vendors should try.
- * The #error directive prevents unsupported OSes
- */
-
-#include "port_before.h"
-
-#if defined(M_UNIX)
-#define OWN_FTRUNCATE
-#include <stdio.h>
-#ifdef _XOPEN_SOURCE
-#undef _XOPEN_SOURCE
-#endif
-#ifdef _POSIX_SOURCE
-#undef _POSIX_SOURCE
-#endif
-
-#include <fcntl.h>
-
-#include "port_after.h"
-
-int
-__ftruncate(int fd, long wantsize) {
- long cursize;
-
- /* determine current file size */
- if ((cursize = lseek(fd, 0L, 2)) == -1)
- return (-1);
-
- /* maybe lengthen... */
- if (cursize < wantsize) {
- if (lseek(fd, wantsize - 1, 0) == -1 ||
- write(fd, "", 1) == -1) {
- return (-1);
- }
- return (0);
- }
-
- /* maybe shorten... */
- if (wantsize < cursize) {
- struct flock fl;
-
- fl.l_whence = 0;
- fl.l_len = 0;
- fl.l_start = wantsize;
- fl.l_type = F_WRLCK;
- return (fcntl(fd, F_FREESP, &fl));
- }
- return (0);
-}
-#endif
-
-#ifndef OWN_FTRUNCATE
-int __bindcompat_ftruncate;
-#endif
diff --git a/contrib/bind9/lib/bind/bsd/gettimeofday.c b/contrib/bind9/lib/bind/bsd/gettimeofday.c
deleted file mode 100644
index ffde0202134b..000000000000
--- a/contrib/bind9/lib/bind/bsd/gettimeofday.c
+++ /dev/null
@@ -1,62 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Id: gettimeofday.c,v 1.1.2.2 2002/07/12 00:49:51 marka Exp $";
-#endif
-
-#include "port_before.h"
-#include <stdio.h>
-#include <syslog.h>
-#include <sys/time.h>
-#include "port_after.h"
-
-#if !defined(NEED_GETTIMEOFDAY)
-/*
- * gettimeofday() occasionally returns invalid tv_usec on some platforms.
- */
-#define MILLION 1000000
-#undef gettimeofday
-
-int
-isc__gettimeofday(struct timeval *tp, struct timezone *tzp) {
- int res;
-
- res = gettimeofday(tp, tzp);
- if (res < 0)
- return (res);
- if (tp == NULL)
- return (res);
- if (tp->tv_usec < 0) {
- do {
- tp->tv_usec += MILLION;
- tp->tv_sec--;
- } while (tp->tv_usec < 0);
- goto log;
- } else if (tp->tv_usec > MILLION) {
- do {
- tp->tv_usec -= MILLION;
- tp->tv_sec++;
- } while (tp->tv_usec > MILLION);
- goto log;
- }
- return (res);
- log:
- syslog(LOG_ERR, "gettimeofday: tv_usec out of range\n");
- return (res);
-}
-#else
-int
-gettimeofday(struct timeval *tvp, struct _TIMEZONE *tzp) {
- time_t clock, time(time_t *);
-
- if (time(&clock) == (time_t) -1)
- return (-1);
- if (tvp) {
- tvp->tv_sec = clock;
- tvp->tv_usec = 0;
- }
- if (tzp) {
- tzp->tz_minuteswest = 0;
- tzp->tz_dsttime = 0;
- }
- return (0);
-}
-#endif /*NEED_GETTIMEOFDAY*/
diff --git a/contrib/bind9/lib/bind/bsd/mktemp.c b/contrib/bind9/lib/bind/bsd/mktemp.c
deleted file mode 100644
index 9852a356ac94..000000000000
--- a/contrib/bind9/lib/bind/bsd/mktemp.c
+++ /dev/null
@@ -1,154 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)mktemp.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: mktemp.c,v 1.1 2001/03/29 06:30:33 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-
-#include "port_after.h"
-
-#if (!defined(NEED_MKTEMP)) && (!defined(NEED_MKSTEMP))
-int __mktemp_unneeded__;
-#else
-
-static int gettemp(char *path, int *doopen);
-
-#ifdef NEED_MKSTEMP
-mkstemp(char *path) {
- int fd;
-
- return (gettemp(path, &fd) ? fd : -1);
-}
-#endif
-
-#ifdef NEED_MKTEMP
-char *
-mktemp(char *path) {
- return(gettemp(path, (int *)NULL) ? path : (char *)NULL);
-}
-#endif
-
-static int
-gettemp(char *path, int *doopen) {
- char *start, *trv;
- struct stat sbuf;
- u_int pid;
-
- pid = getpid();
- for (trv = path; *trv; ++trv); /* extra X's get set to 0's */
- while (*--trv == 'X') {
- *trv = (pid % 10) + '0';
- pid /= 10;
- }
-
- /*
- * check the target directory; if you have six X's and it
- * doesn't exist this runs for a *very* long time.
- */
- for (start = trv + 1;; --trv) {
- if (trv <= path)
- break;
- if (*trv == '/') {
- *trv = '\0';
- if (stat(path, &sbuf))
- return(0);
- if (!S_ISDIR(sbuf.st_mode)) {
- errno = ENOTDIR;
- return(0);
- }
- *trv = '/';
- break;
- }
- }
-
- for (;;) {
- if (doopen) {
- if ((*doopen =
- open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
- return(1);
- if (errno != EEXIST)
- return(0);
- }
- else if (stat(path, &sbuf))
- return(errno == ENOENT ? 1 : 0);
-
- /* tricky little algorithm for backward compatibility */
- for (trv = start;;) {
- if (!*trv)
- return(0);
- if (*trv == 'z')
- *trv++ = 'a';
- else {
- if (isdigit(*trv))
- *trv = 'a';
- else
- ++*trv;
- break;
- }
- }
- }
- /*NOTREACHED*/
-}
-
-#endif /*NEED_MKTEMP*/
diff --git a/contrib/bind9/lib/bind/bsd/putenv.c b/contrib/bind9/lib/bind/bsd/putenv.c
deleted file mode 100644
index abaa525d36af..000000000000
--- a/contrib/bind9/lib/bind/bsd/putenv.c
+++ /dev/null
@@ -1,25 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Id: putenv.c,v 1.1 2001/03/29 06:30:33 marka Exp $";
-#endif
-
-#include "port_before.h"
-#include "port_after.h"
-
-/*
- * To give a little credit to Sun, SGI,
- * and many vendors in the SysV world.
- */
-
-#if !defined(NEED_PUTENV)
-int __bindcompat_putenv;
-#else
-int
-putenv(char *str) {
- char *tmp;
-
- for (tmp = str; *tmp && (*tmp != '='); tmp++)
- ;
-
- return (setenv(str, tmp, 1));
-}
-#endif
diff --git a/contrib/bind9/lib/bind/bsd/readv.c b/contrib/bind9/lib/bind/bsd/readv.c
deleted file mode 100644
index ccfcb5af332a..000000000000
--- a/contrib/bind9/lib/bind/bsd/readv.c
+++ /dev/null
@@ -1,38 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Id: readv.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-
-#include "port_after.h"
-
-#ifndef NEED_READV
-int __bindcompat_readv;
-#else
-
-int
-__readv(fd, vp, vpcount)
- int fd;
- const struct iovec *vp;
- int vpcount;
-{
- int count = 0;
-
- while (vpcount-- > 0) {
- int bytes = read(fd, vp->iov_base, vp->iov_len);
-
- if (bytes < 0)
- return (-1);
- count += bytes;
- if (bytes != vp->iov_len)
- break;
- vp++;
- }
- return (count);
-}
-#endif /* NEED_READV */
diff --git a/contrib/bind9/lib/bind/bsd/setenv.c b/contrib/bind9/lib/bind/bsd/setenv.c
deleted file mode 100644
index 6a11c9db821a..000000000000
--- a/contrib/bind9/lib/bind/bsd/setenv.c
+++ /dev/null
@@ -1,149 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)setenv.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: setenv.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "port_before.h"
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "port_after.h"
-
-#if !defined(NEED_SETENV)
-int __bindcompat_setenv;
-#else
-
-extern char **environ;
-
-static char *findenv(const char *name, int *offset);
-
-/*
- * setenv --
- * Set the value of the environmental variable "name" to be
- * "value". If rewrite is set, replace any current value.
- */
-setenv(const char *name, const char *value, int rewrite) {
- extern char **environ;
- static int alloced; /* if allocated space before */
- char *c;
- int l_value, offset;
-
- if (*value == '=') /* no `=' in value */
- ++value;
- l_value = strlen(value);
- if ((c = findenv(name, &offset))) { /* find if already exists */
- if (!rewrite)
- return (0);
- if (strlen(c) >= l_value) { /* old larger; copy over */
- while (*c++ = *value++);
- return (0);
- }
- } else { /* create new slot */
- int cnt;
- char **p;
-
- for (p = environ, cnt = 0; *p; ++p, ++cnt);
- if (alloced) { /* just increase size */
- environ = (char **)realloc((char *)environ,
- (size_t)(sizeof(char *) * (cnt + 2)));
- if (!environ)
- return (-1);
- }
- else { /* get new space */
- alloced = 1; /* copy old entries into it */
- p = malloc((size_t)(sizeof(char *) * (cnt + 2)));
- if (!p)
- return (-1);
- memcpy(p, environ, cnt * sizeof(char *));
- environ = p;
- }
- environ[cnt + 1] = NULL;
- offset = cnt;
- }
- for (c = (char *)name; *c && *c != '='; ++c); /* no `=' in name */
- if (!(environ[offset] = /* name + `=' + value */
- malloc((size_t)((int)(c - name) + l_value + 2))))
- return (-1);
- for (c = environ[offset]; (*c = *name++) && *c != '='; ++c);
- for (*c++ = '='; *c++ = *value++;);
- return (0);
-}
-
-/*
- * unsetenv(name) --
- * Delete environmental variable "name".
- */
-void
-unsetenv(const char *name) {
- char **p;
- int offset;
-
- while (findenv(name, &offset)) /* if set multiple times */
- for (p = &environ[offset];; ++p)
- if (!(*p = *(p + 1)))
- break;
-}
-
-/*
- * findenv --
- * Returns pointer to value associated with name, if any, else NULL.
- * Sets offset to be the offset of the name/value combination in the
- * environmental array, for use by setenv(3) and unsetenv(3).
- * Explicitly removes '=' in argument name.
- *
- * This routine *should* be a static; don't use it.
- */
-static char *
-findenv(const char *name, int *offset) {
- const char *np;
- char **p, *c;
- int len;
-
- if (name == NULL || environ == NULL)
- return (NULL);
- for (np = name; *np && *np != '='; ++np)
- continue;
- len = np - name;
- for (p = environ; (c = *p) != NULL; ++p)
- if (strncmp(c, name, len) == 0 && c[len] == '=') {
- *offset = p - environ;
- return (c + len + 1);
- }
- return (NULL);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/bsd/setitimer.c b/contrib/bind9/lib/bind/bsd/setitimer.c
deleted file mode 100644
index 791846a299e8..000000000000
--- a/contrib/bind9/lib/bind/bsd/setitimer.c
+++ /dev/null
@@ -1,27 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Id: setitimer.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/time.h>
-
-#include "port_after.h"
-
-/*
- * Setitimer emulation routine.
- */
-#ifndef NEED_SETITIMER
-int __bindcompat_setitimer;
-#else
-
-int
-__setitimer(int which, const struct itimerval *value,
- struct itimerval *ovalue)
-{
- if (alarm(value->it_value.tv_sec) >= 0)
- return (0);
- else
- return (-1);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/bsd/strcasecmp.c b/contrib/bind9/lib/bind/bsd/strcasecmp.c
deleted file mode 100644
index c8c9d056bba1..000000000000
--- a/contrib/bind9/lib/bind/bsd/strcasecmp.c
+++ /dev/null
@@ -1,122 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)strcasecmp.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strcasecmp.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/cdefs.h>
-
-#include <string.h>
-
-#include "port_after.h"
-
-#ifndef NEED_STRCASECMP
-int __strcasecmp_unneeded__;
-#else
-
-/*
- * This array is designed for mapping upper and lower case letter
- * together for a case independent comparison. The mappings are
- * based upon ascii character sequences.
- */
-static const u_char charmap[] = {
- 0000, 0001, 0002, 0003, 0004, 0005, 0006, 0007,
- 0010, 0011, 0012, 0013, 0014, 0015, 0016, 0017,
- 0020, 0021, 0022, 0023, 0024, 0025, 0026, 0027,
- 0030, 0031, 0032, 0033, 0034, 0035, 0036, 0037,
- 0040, 0041, 0042, 0043, 0044, 0045, 0046, 0047,
- 0050, 0051, 0052, 0053, 0054, 0055, 0056, 0057,
- 0060, 0061, 0062, 0063, 0064, 0065, 0066, 0067,
- 0070, 0071, 0072, 0073, 0074, 0075, 0076, 0077,
- 0100, 0141, 0142, 0143, 0144, 0145, 0146, 0147,
- 0150, 0151, 0152, 0153, 0154, 0155, 0156, 0157,
- 0160, 0161, 0162, 0163, 0164, 0165, 0166, 0167,
- 0170, 0171, 0172, 0133, 0134, 0135, 0136, 0137,
- 0140, 0141, 0142, 0143, 0144, 0145, 0146, 0147,
- 0150, 0151, 0152, 0153, 0154, 0155, 0156, 0157,
- 0160, 0161, 0162, 0163, 0164, 0165, 0166, 0167,
- 0170, 0171, 0172, 0173, 0174, 0175, 0176, 0177,
- 0200, 0201, 0202, 0203, 0204, 0205, 0206, 0207,
- 0210, 0211, 0212, 0213, 0214, 0215, 0216, 0217,
- 0220, 0221, 0222, 0223, 0224, 0225, 0226, 0227,
- 0230, 0231, 0232, 0233, 0234, 0235, 0236, 0237,
- 0240, 0241, 0242, 0243, 0244, 0245, 0246, 0247,
- 0250, 0251, 0252, 0253, 0254, 0255, 0256, 0257,
- 0260, 0261, 0262, 0263, 0264, 0265, 0266, 0267,
- 0270, 0271, 0272, 0273, 0274, 0275, 0276, 0277,
- 0300, 0301, 0302, 0303, 0304, 0305, 0306, 0307,
- 0310, 0311, 0312, 0313, 0314, 0315, 0316, 0317,
- 0320, 0321, 0322, 0323, 0324, 0325, 0326, 0327,
- 0330, 0331, 0332, 0333, 0334, 0335, 0336, 0337,
- 0340, 0341, 0342, 0343, 0344, 0345, 0346, 0347,
- 0350, 0351, 0352, 0353, 0354, 0355, 0356, 0357,
- 0360, 0361, 0362, 0363, 0364, 0365, 0366, 0367,
- 0370, 0371, 0372, 0373, 0374, 0375, 0376, 0377
-};
-
-int
-strcasecmp(const char *s1, const char *s2) {
- const u_char *cm = charmap,
- *us1 = (const u_char *)s1,
- *us2 = (const u_char *)s2;
-
- while (cm[*us1] == cm[*us2++])
- if (*us1++ == '\0')
- return (0);
- return (cm[*us1] - cm[*--us2]);
-}
-
-int
-strncasecmp(const char *s1, const char *s2, size_t n) {
- if (n != 0) {
- const u_char *cm = charmap,
- *us1 = (const u_char *)s1,
- *us2 = (const u_char *)s2;
-
- do {
- if (cm[*us1] != cm[*us2++])
- return (cm[*us1] - cm[*--us2]);
- if (*us1++ == '\0')
- break;
- } while (--n != 0);
- }
- return (0);
-}
-
-#endif /*NEED_STRCASECMP*/
diff --git a/contrib/bind9/lib/bind/bsd/strdup.c b/contrib/bind9/lib/bind/bsd/strdup.c
deleted file mode 100644
index 246bc1f49fc2..000000000000
--- a/contrib/bind9/lib/bind/bsd/strdup.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include "port_before.h"
-
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#ifndef NEED_STRDUP
-int __bind_strdup_unneeded;
-#else
-char *
-strdup(const char *src) {
- char *dst = malloc(strlen(src) + 1);
-
- if (dst)
- strcpy(dst, src);
- return (dst);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/bsd/strerror.c b/contrib/bind9/lib/bind/bsd/strerror.c
deleted file mode 100644
index d13adbb03b4d..000000000000
--- a/contrib/bind9/lib/bind/bsd/strerror.c
+++ /dev/null
@@ -1,90 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)strerror.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strerror.c,v 1.3.2.1 2001/11/02 17:45:31 gson Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1988, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-
-#include <string.h>
-
-#include "port_after.h"
-
-#ifndef NEED_STRERROR
-int __strerror_unneeded__;
-#else
-
-#ifdef USE_SYSERROR_LIST
-extern int sys_nerr;
-extern char *sys_errlist[];
-#endif
-
-const char *
-isc_strerror(int num) {
-#define UPREFIX "Unknown error: "
- static char ebuf[40] = UPREFIX; /* 64-bit number + slop */
- u_int errnum;
- char *p, *t;
- const char *ret;
- char tmp[40];
-
- errnum = num; /* convert to unsigned */
-#ifdef USE_SYSERROR_LIST
- if (errnum < sys_nerr)
- return (sys_errlist[errnum]);
-#else
-#undef strerror
- ret = strerror(num); /* call strerror() in libc */
- if (ret != NULL)
- return(ret);
-#endif
-
- /* Do this by hand, so we don't include stdio(3). */
- t = tmp;
- do {
- *t++ = "0123456789"[errnum % 10];
- } while (errnum /= 10);
- for (p = ebuf + sizeof(UPREFIX) - 1;;) {
- *p++ = *--t;
- if (t <= tmp)
- break;
- }
- return (ebuf);
-}
-
-#endif /*NEED_STRERROR*/
diff --git a/contrib/bind9/lib/bind/bsd/strpbrk.c b/contrib/bind9/lib/bind/bsd/strpbrk.c
deleted file mode 100644
index ff039e15943a..000000000000
--- a/contrib/bind9/lib/bind/bsd/strpbrk.c
+++ /dev/null
@@ -1,68 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)strpbrk.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strpbrk.c,v 1.1 2001/03/29 06:30:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1985, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/cdefs.h>
-
-#include <string.h>
-
-#include "port_after.h"
-
-#ifndef NEED_STRPBRK
-int __strpbrk_unneeded__;
-#else
-
-/*
- * Find the first occurrence in s1 of a character in s2 (excluding NUL).
- */
-char *
-strpbrk(const char *s1, const char *s2) {
- const char *scanp;
- int c, sc;
-
- while ((c = *s1++) != 0) {
- for (scanp = s2; (sc = *scanp++) != 0;)
- if (sc == c)
- return ((char *)(s1 - 1));
- }
- return (NULL);
-}
-
-#endif /*NEED_STRPBRK*/
diff --git a/contrib/bind9/lib/bind/bsd/strsep.c b/contrib/bind9/lib/bind/bsd/strsep.c
deleted file mode 100644
index 3dcee4aab874..000000000000
--- a/contrib/bind9/lib/bind/bsd/strsep.c
+++ /dev/null
@@ -1,86 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "strsep.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strsep.c,v 1.1 2001/03/29 06:30:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "port_before.h"
-#include <sys/cdefs.h>
-#include <string.h>
-#include <stdio.h>
-#include "port_after.h"
-
-#ifndef NEED_STRSEP
-int __strsep_unneeded__;
-#else
-
-/*
- * Get next token from string *stringp, where tokens are possibly-empty
- * strings separated by characters from delim.
- *
- * Writes NULs into the string at *stringp to end tokens.
- * delim need not remain constant from call to call.
- * On return, *stringp points past the last NUL written (if there might
- * be further tokens), or is NULL (if there are definitely no more tokens).
- *
- * If *stringp is NULL, strsep returns NULL.
- */
-char *
-strsep(char **stringp, const char *delim) {
- char *s;
- const char *spanp;
- int c, sc;
- char *tok;
-
- if ((s = *stringp) == NULL)
- return (NULL);
- for (tok = s;;) {
- c = *s++;
- spanp = delim;
- do {
- if ((sc = *spanp++) == c) {
- if (c == 0)
- s = NULL;
- else
- s[-1] = 0;
- *stringp = s;
- return (tok);
- }
- } while (sc != 0);
- }
- /* NOTREACHED */
-}
-
-#endif /*NEED_STRSEP*/
diff --git a/contrib/bind9/lib/bind/bsd/strtoul.c b/contrib/bind9/lib/bind/bsd/strtoul.c
deleted file mode 100644
index d110f30943df..000000000000
--- a/contrib/bind9/lib/bind/bsd/strtoul.c
+++ /dev/null
@@ -1,117 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: strtoul.c,v 1.1.2.1 2003/06/27 03:51:35 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Copyright (c) 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#ifndef NEED_STRTOUL
-int __strtoul_unneeded__;
-#else
-
-/*
- * Convert a string to an unsigned long integer.
- *
- * Ignores `locale' stuff. Assumes that the upper and lower case
- * alphabets and digits are each contiguous.
- */
-u_long
-strtoul(const char *nptr, char **endptr, int base) {
- const char *s = nptr;
- u_long acc, cutoff;
- int neg, c, any, cutlim;
-
- neg = 0;
-
- /*
- * See strtol for comments as to the logic used.
- */
- do {
- c = *(unsigned char *)s++;
- } while (isspace(c));
- if (c == '-') {
- neg = 1;
- c = *s++;
- } else if (c == '+')
- c = *s++;
- if ((base == 0 || base == 16) &&
- c == '0' && (*s == 'x' || *s == 'X')) {
- c = s[1];
- s += 2;
- base = 16;
- }
- if (base == 0)
- base = c == '0' ? 8 : 10;
- cutoff = (u_long)ULONG_MAX / (u_long)base;
- cutlim = (u_long)ULONG_MAX % (u_long)base;
- for (acc = 0, any = 0;; c = *(unsigned char*)s++) {
- if (isdigit(c))
- c -= '0';
- else if (isalpha(c))
- c -= isupper(c) ? 'A' - 10 : 'a' - 10;
- else
- break;
- if (c >= base)
- break;
- if (any < 0 || acc > cutoff || acc == cutoff && c > cutlim)
- any = -1;
- else {
- any = 1;
- acc *= base;
- acc += c;
- }
- }
- if (any < 0) {
- acc = ULONG_MAX;
- errno = ERANGE;
- } else if (neg)
- acc = -acc;
- if (endptr != 0)
- *endptr = (char *)(any ? s - 1 : nptr);
- return (acc);
-}
-
-#endif /*NEED_STRTOUL*/
diff --git a/contrib/bind9/lib/bind/bsd/utimes.c b/contrib/bind9/lib/bind/bsd/utimes.c
deleted file mode 100644
index 6a288f49560d..000000000000
--- a/contrib/bind9/lib/bind/bsd/utimes.c
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/time.h>
-#include <utime.h>
-
-#include "port_after.h"
-
-#ifndef NEED_UTIMES
-int __bind_utimes_unneeded;
-#else
-
-int
-__utimes(char *filename, struct timeval *tvp) {
- struct utimbuf utb;
-
- utb.actime = (time_t)tvp[0].tv_sec;
- utb.modtime = (time_t)tvp[1].tv_sec;
- return (utime(filename, &utb));
-}
-
-#endif /* NEED_UTIMES */
diff --git a/contrib/bind9/lib/bind/bsd/writev.c b/contrib/bind9/lib/bind/bsd/writev.c
deleted file mode 100644
index fe204a97ae39..000000000000
--- a/contrib/bind9/lib/bind/bsd/writev.c
+++ /dev/null
@@ -1,87 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Id: writev.c,v 1.1.2.1 2003/06/27 03:51:35 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-
-#include "port_after.h"
-
-#ifndef NEED_WRITEV
-int __bindcompat_writev;
-#else
-
-#ifdef _CRAY
-#define OWN_WRITEV
-int
-__writev(int fd, struct iovec *iov, int iovlen)
-{
- struct stat statbuf;
-
- if (fstat(fd, &statbuf) < 0)
- return (-1);
-
- /*
- * Allow for atomic writes to network.
- */
- if (statbuf.st_mode & S_IFSOCK) {
- struct msghdr mesg;
-
- memset(&mesg, 0, sizeof(mesg));
- mesg.msg_name = 0;
- mesg.msg_namelen = 0;
- mesg.msg_iov = iov;
- mesg.msg_iovlen = iovlen;
- mesg.msg_accrights = 0;
- mesg.msg_accrightslen = 0;
- return (sendmsg(fd, &mesg, 0));
- } else {
- struct iovec *tv;
- int i, rcode = 0, count = 0;
-
- for (i = 0, tv = iov; i <= iovlen; tv++) {
- rcode = write(fd, tv->iov_base, tv->iov_len);
-
- if (rcode < 0)
- break;
-
- count += rcode;
- }
-
- if (count == 0)
- return (rcode);
- else
- return (count);
- }
-}
-
-#else /*_CRAY*/
-
-int
-__writev(fd, vp, vpcount)
- int fd;
- const struct iovec *vp;
- int vpcount;
-{
- int count = 0;
-
- while (vpcount-- > 0) {
- int written = write(fd, vp->iov_base, vp->iov_len);
-
- if (written < 0)
- return (-1);
- count += written;
- if (written != vp->iov_len)
- break;
- vp++;
- }
- return (count);
-}
-
-#endif /*_CRAY*/
-
-#endif /*NEED_WRITEV*/
diff --git a/contrib/bind9/lib/bind/config.h.in b/contrib/bind9/lib/bind/config.h.in
deleted file mode 100644
index 82a1560d1fd8..000000000000
--- a/contrib/bind9/lib/bind/config.h.in
+++ /dev/null
@@ -1,57 +0,0 @@
-#undef _SOCKADDR_LEN
-#undef HAVE_FCNTL_H
-#undef HAVE_PATHS_H
-#undef HAVE_INTTYPES_H
-#undef HAVE_STROPTS_H
-#undef HAVE_SYS_TIMERS_H
-#undef SYS_CDEFS_H
-#undef _POSIX_PTHREAD_SEMANTICS
-#undef POSIX_GETPWUID_R
-#undef POSIX_GETPWNAM_R
-#undef POSIX_GETGRGID_R
-#undef POSIX_GETGRNAM_R
-
-#undef NEED_SETGROUPENT
-#undef NEED_GETGROUPLIST
-
-/* define if prototype for getgrnam_r() is required */
-#undef NEED_GETGRNAM_R
-#undef NEED_GETGRGID_R
-#undef NEED_GETGRENT_R
-#undef NEED_SETGRENT_R
-#undef NEED_ENDGRENT_R
-
-#undef NEED_INNETGR_R
-#undef NEED_SETNETGRENT_R
-#undef NEED_ENDNETGRENT_R
-
-#undef NEED_GETPWNAM_R
-#undef NEED_GETPWUID_R
-#undef NEED_SETPWENT_R
-#undef NEED_SETPASSENT_R
-#undef NEED_SETPWENT_R
-#undef NEED_GETPWENT_R
-#undef NEED_ENDPWENT_R
-
-#undef NEED_SETPASSENT
-
-#undef HAS_PW_CLASS
-
-#undef uintptr_t
-
-/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
-#undef SHUTUP_SPUTAUX
-#ifdef SHUTUP_SPUTAUX
-struct __sFILE;
-extern __inline int __sputaux(int _c, struct __sFILE *_p);
-#endif
-#undef BROKEN_IN6ADDR_INIT_MACROS
-#undef HAVE_STRLCAT
-/* Shut up warnings about missing braces */
-#undef SHUTUP_MUTEX_INITIALIZER
-#ifdef SHUTUP_MUTEX_INITIALIZER
-#define LIBBIND_MUTEX_INITIALIZER { PTHREAD_MUTEX_INITIALIZER }
-#else
-#define LIBBIND_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
-#endif
-
diff --git a/contrib/bind9/lib/bind/configure b/contrib/bind9/lib/bind/configure
deleted file mode 100755
index 8f12621650ba..000000000000
--- a/contrib/bind9/lib/bind/configure
+++ /dev/null
@@ -1,32376 +0,0 @@
-#! /bin/sh
-# From configure.in Revision: 1.83.2.5.2.22 .
-# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59.
-#
-# Copyright (C) 2003 Free Software Foundation, Inc.
-# This configure script is free software; the Free Software Foundation
-# gives unlimited permission to copy, distribute and modify it.
-## --------------------- ##
-## M4sh Initialization. ##
-## --------------------- ##
-
-# Be Bourne compatible
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
- emulate sh
- NULLCMD=:
- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
- # is contrary to our usage. Disable this feature.
- alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
- set -o posix
-fi
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
- as_unset=unset
-else
- as_unset=false
-fi
-
-
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
- LC_TELEPHONE LC_TIME
-do
- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
- eval $as_var=C; export $as_var
- else
- $as_unset $as_var
- fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
- as_expr=expr
-else
- as_expr=false
-fi
-
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
- as_basename=basename
-else
- as_basename=false
-fi
-
-
-# Name of the executable.
-as_me=`$as_basename "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
- X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)$' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
- sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
- /^X\/\(\/\/\)$/{ s//\1/; q; }
- /^X\/\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
-
-
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
- echo "#! /bin/sh" >conf$$.sh
- echo "exit 0" >>conf$$.sh
- chmod +x conf$$.sh
- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
- PATH_SEPARATOR=';'
- else
- PATH_SEPARATOR=:
- fi
- rm -f conf$$.sh
-fi
-
-
- as_lineno_1=$LINENO
- as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
- test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" || {
- # Find who we are. Look in the path if we contain no path at all
- # relative or not.
- case $0 in
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-
- ;;
- esac
- # We did not find ourselves, most probably we were run as `sh COMMAND'
- # in which case we are not to be found in the path.
- if test "x$as_myself" = x; then
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
- { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2
- { (exit 1); exit 1; }; }
- fi
- case $CONFIG_SHELL in
- '')
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for as_base in sh bash ksh sh5; do
- case $as_dir in
- /*)
- if ("$as_dir/$as_base" -c '
- as_lineno_1=$LINENO
- as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
- test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then
- $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
- $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
- CONFIG_SHELL=$as_dir/$as_base
- export CONFIG_SHELL
- exec "$CONFIG_SHELL" "$0" ${1+"$@"}
- fi;;
- esac
- done
-done
-;;
- esac
-
- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
- # uniformly replaced by the line number. The first 'sed' inserts a
- # line-number line before each line; the second 'sed' does the real
- # work. The second script uses 'N' to pair each line-number line
- # with the numbered line, and appends trailing '-' during
- # substitution so that $LINENO is not a special case at line end.
- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
- # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-)
- sed '=' <$as_myself |
- sed '
- N
- s,$,-,
- : loop
- s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
- t loop
- s,-$,,
- s,^['$as_cr_digits']*\n,,
- ' >$as_me.lineno &&
- chmod +x $as_me.lineno ||
- { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
- { (exit 1); exit 1; }; }
-
- # Don't try to exec as it changes $[0], causing all sort of problems
- # (the dirname of $[0] is not the place where we might find the
- # original and so on. Autoconf is especially sensible to this).
- . ./$as_me.lineno
- # Exit status is that of the last command.
- exit
-}
-
-
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
- *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T=' ' ;;
- *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;;
- *) ECHO_N= ECHO_C='\c' ECHO_T= ;;
-esac
-
-if expr a : '\(a\)' >/dev/null 2>&1; then
- as_expr=expr
-else
- as_expr=false
-fi
-
-rm -f conf$$ conf$$.exe conf$$.file
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
- # We could just check for DJGPP; but this test a) works b) is more generic
- # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
- if test -f conf$$.exe; then
- # Don't use ln at all; we don't have any links
- as_ln_s='cp -p'
- else
- as_ln_s='ln -s'
- fi
-elif ln conf$$.file conf$$ 2>/dev/null; then
- as_ln_s=ln
-else
- as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.file
-
-if mkdir -p . 2>/dev/null; then
- as_mkdir_p=:
-else
- test -d ./-p && rmdir ./-p
- as_mkdir_p=false
-fi
-
-as_executable_p="test -f"
-
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" $as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
-
-
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$ECHO in
-X*--fallback-echo)
- # Remove one level of quotation (which was required for Make).
- ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','`
- ;;
-esac
-
-echo=${ECHO-echo}
-if test "X$1" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
-elif test "X$1" = X--fallback-echo; then
- # Avoid inline document here, it may be left over
- :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
- # Yippee, $echo works!
- :
-else
- # Restart under the correct shell.
- exec $SHELL "$0" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
- # used as fallback echo
- shift
- cat <<EOF
-$*
-EOF
- exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$ECHO"; then
-if test "X${echo_test_string+set}" != Xset; then
-# find a string as large as possible, as long as the shell can cope with it
- for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
- # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
- if (echo_test_string="`eval $cmd`") 2>/dev/null &&
- echo_test_string="`eval $cmd`" &&
- (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
- then
- break
- fi
- done
-fi
-
-if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- :
-else
- # The Solaris, AIX, and Digital Unix default echo programs unquote
- # backslashes. This makes it impossible to quote backslashes using
- # echo "$something" | sed 's/\\/\\\\/g'
- #
- # So, first we look for a working echo in the user's PATH.
-
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for dir in $PATH /usr/ucb; do
- IFS="$lt_save_ifs"
- if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
- test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- echo="$dir/echo"
- break
- fi
- done
- IFS="$lt_save_ifs"
-
- if test "X$echo" = Xecho; then
- # We didn't find a better echo, so look for alternatives.
- if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # This shell has a builtin print -r that does the trick.
- echo='print -r'
- elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
- test "X$CONFIG_SHELL" != X/bin/ksh; then
- # If we have ksh, try running configure again with it.
- ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
- export ORIGINAL_CONFIG_SHELL
- CONFIG_SHELL=/bin/ksh
- export CONFIG_SHELL
- exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
- else
- # Try using printf.
- echo='printf %s\n'
- if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # Cool, printf works
- :
- elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
- export CONFIG_SHELL
- SHELL="$CONFIG_SHELL"
- export SHELL
- echo="$CONFIG_SHELL $0 --fallback-echo"
- elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- echo="$CONFIG_SHELL $0 --fallback-echo"
- else
- # maybe with a smaller string...
- prev=:
-
- for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
- if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
- then
- break
- fi
- prev="$cmd"
- done
-
- if test "$prev" != 'sed 50q "$0"'; then
- echo_test_string=`eval $prev`
- export echo_test_string
- exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
- else
- # Oops. We lost completely, so just stick with echo.
- echo=echo
- fi
- fi
- fi
- fi
-fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-ECHO=$echo
-if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
- ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
-fi
-
-
-
-
-tagnames=${tagnames+${tagnames},}CXX
-
-tagnames=${tagnames+${tagnames},}F77
-
-# Name of the host.
-# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
-# so uname gets run too.
-ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
-
-exec 6>&1
-
-#
-# Initializations.
-#
-ac_default_prefix=/usr/local
-ac_config_libobj_dir=.
-cross_compiling=no
-subdirs=
-MFLAGS=
-MAKEFLAGS=
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-# Maximum number of lines to put in a shell here document.
-# This variable seems obsolete. It should probably be removed, and
-# only ac_max_sed_lines should be used.
-: ${ac_max_here_lines=38}
-
-# Identity of this package.
-PACKAGE_NAME=
-PACKAGE_TARNAME=
-PACKAGE_VERSION=
-PACKAGE_STRING=
-PACKAGE_BUGREPORT=
-
-ac_unique_file="resolv/herror.c"
-# Factoring default headers for most tests.
-ac_includes_default="\
-#include <stdio.h>
-#if HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-#if HAVE_SYS_STAT_H
-# include <sys/stat.h>
-#endif
-#if STDC_HEADERS
-# include <stdlib.h>
-# include <stddef.h>
-#else
-# if HAVE_STDLIB_H
-# include <stdlib.h>
-# endif
-#endif
-#if HAVE_STRING_H
-# if !STDC_HEADERS && HAVE_MEMORY_H
-# include <memory.h>
-# endif
-# include <string.h>
-#endif
-#if HAVE_STRINGS_H
-# include <strings.h>
-#endif
-#if HAVE_INTTYPES_H
-# include <inttypes.h>
-#else
-# if HAVE_STDINT_H
-# include <stdint.h>
-# endif
-#endif
-#if HAVE_UNISTD_H
-# include <unistd.h>
-#endif"
-
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS WANT_THREADS_OBJS USE_IFNAMELINKID ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_NONBLOCK PORT_DIR USE_POLL HAVE_MD5 SOLARIS2 PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY 
HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS'
-ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBBIND_API'
-
-# Initialize some variables set by options.
-ac_init_help=
-ac_init_version=false
-# The variables have the same names as the options, with
-# dashes changed to underlines.
-cache_file=/dev/null
-exec_prefix=NONE
-no_create=
-no_recursion=
-prefix=NONE
-program_prefix=NONE
-program_suffix=NONE
-program_transform_name=s,x,x,
-silent=
-site=
-srcdir=
-verbose=
-x_includes=NONE
-x_libraries=NONE
-
-# Installation directory options.
-# These are left unexpanded so users can "make install exec_prefix=/foo"
-# and all the variables that are supposed to be based on exec_prefix
-# by default will actually change.
-# Use braces instead of parens because sh, perl, etc. also accept them.
-bindir='${exec_prefix}/bin'
-sbindir='${exec_prefix}/sbin'
-libexecdir='${exec_prefix}/libexec'
-datadir='${prefix}/share'
-sysconfdir='${prefix}/etc'
-sharedstatedir='${prefix}/com'
-localstatedir='${prefix}/var'
-libdir='${exec_prefix}/lib'
-includedir='${prefix}/include'
-oldincludedir='/usr/include'
-infodir='${prefix}/info'
-mandir='${prefix}/man'
-
-ac_prev=
-for ac_option
-do
- # If the previous option needs an argument, assign it.
- if test -n "$ac_prev"; then
- eval "$ac_prev=\$ac_option"
- ac_prev=
- continue
- fi
-
- ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
-
- # Accept the important Cygnus configure options, so we can diagnose typos.
-
- case $ac_option in
-
- -bindir | --bindir | --bindi | --bind | --bin | --bi)
- ac_prev=bindir ;;
- -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
- bindir=$ac_optarg ;;
-
- -build | --build | --buil | --bui | --bu)
- ac_prev=build_alias ;;
- -build=* | --build=* | --buil=* | --bui=* | --bu=*)
- build_alias=$ac_optarg ;;
-
- -cache-file | --cache-file | --cache-fil | --cache-fi \
- | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
- ac_prev=cache_file ;;
- -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
- | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
- cache_file=$ac_optarg ;;
-
- --config-cache | -C)
- cache_file=config.cache ;;
-
- -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
- ac_prev=datadir ;;
- -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
- | --da=*)
- datadir=$ac_optarg ;;
-
- -disable-* | --disable-*)
- ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
- # Reject names that are not valid shell variable names.
- expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
- { (exit 1); exit 1; }; }
- ac_feature=`echo $ac_feature | sed 's/-/_/g'`
- eval "enable_$ac_feature=no" ;;
-
- -enable-* | --enable-*)
- ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
- # Reject names that are not valid shell variable names.
- expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
- { echo "$as_me: error: invalid feature name: $ac_feature" >&2
- { (exit 1); exit 1; }; }
- ac_feature=`echo $ac_feature | sed 's/-/_/g'`
- case $ac_option in
- *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
- *) ac_optarg=yes ;;
- esac
- eval "enable_$ac_feature='$ac_optarg'" ;;
-
- -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
- | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
- | --exec | --exe | --ex)
- ac_prev=exec_prefix ;;
- -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
- | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
- | --exec=* | --exe=* | --ex=*)
- exec_prefix=$ac_optarg ;;
-
- -gas | --gas | --ga | --g)
- # Obsolete; use --with-gas.
- with_gas=yes ;;
-
- -help | --help | --hel | --he | -h)
- ac_init_help=long ;;
- -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
- ac_init_help=recursive ;;
- -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
- ac_init_help=short ;;
-
- -host | --host | --hos | --ho)
- ac_prev=host_alias ;;
- -host=* | --host=* | --hos=* | --ho=*)
- host_alias=$ac_optarg ;;
-
- -includedir | --includedir | --includedi | --included | --include \
- | --includ | --inclu | --incl | --inc)
- ac_prev=includedir ;;
- -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
- | --includ=* | --inclu=* | --incl=* | --inc=*)
- includedir=$ac_optarg ;;
-
- -infodir | --infodir | --infodi | --infod | --info | --inf)
- ac_prev=infodir ;;
- -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
- infodir=$ac_optarg ;;
-
- -libdir | --libdir | --libdi | --libd)
- ac_prev=libdir ;;
- -libdir=* | --libdir=* | --libdi=* | --libd=*)
- libdir=$ac_optarg ;;
-
- -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
- | --libexe | --libex | --libe)
- ac_prev=libexecdir ;;
- -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
- | --libexe=* | --libex=* | --libe=*)
- libexecdir=$ac_optarg ;;
-
- -localstatedir | --localstatedir | --localstatedi | --localstated \
- | --localstate | --localstat | --localsta | --localst \
- | --locals | --local | --loca | --loc | --lo)
- ac_prev=localstatedir ;;
- -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
- | --localstate=* | --localstat=* | --localsta=* | --localst=* \
- | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
- localstatedir=$ac_optarg ;;
-
- -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
- ac_prev=mandir ;;
- -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
- mandir=$ac_optarg ;;
-
- -nfp | --nfp | --nf)
- # Obsolete; use --without-fp.
- with_fp=no ;;
-
- -no-create | --no-create | --no-creat | --no-crea | --no-cre \
- | --no-cr | --no-c | -n)
- no_create=yes ;;
-
- -no-recursion | --no-recursion | --no-recursio | --no-recursi \
- | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
- no_recursion=yes ;;
-
- -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
- | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
- | --oldin | --oldi | --old | --ol | --o)
- ac_prev=oldincludedir ;;
- -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
- | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
- | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
- oldincludedir=$ac_optarg ;;
-
- -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
- ac_prev=prefix ;;
- -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
- prefix=$ac_optarg ;;
-
- -program-prefix | --program-prefix | --program-prefi | --program-pref \
- | --program-pre | --program-pr | --program-p)
- ac_prev=program_prefix ;;
- -program-prefix=* | --program-prefix=* | --program-prefi=* \
- | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
- program_prefix=$ac_optarg ;;
-
- -program-suffix | --program-suffix | --program-suffi | --program-suff \
- | --program-suf | --program-su | --program-s)
- ac_prev=program_suffix ;;
- -program-suffix=* | --program-suffix=* | --program-suffi=* \
- | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
- program_suffix=$ac_optarg ;;
-
- -program-transform-name | --program-transform-name \
- | --program-transform-nam | --program-transform-na \
- | --program-transform-n | --program-transform- \
- | --program-transform | --program-transfor \
- | --program-transfo | --program-transf \
- | --program-trans | --program-tran \
- | --progr-tra | --program-tr | --program-t)
- ac_prev=program_transform_name ;;
- -program-transform-name=* | --program-transform-name=* \
- | --program-transform-nam=* | --program-transform-na=* \
- | --program-transform-n=* | --program-transform-=* \
- | --program-transform=* | --program-transfor=* \
- | --program-transfo=* | --program-transf=* \
- | --program-trans=* | --program-tran=* \
- | --progr-tra=* | --program-tr=* | --program-t=*)
- program_transform_name=$ac_optarg ;;
-
- -q | -quiet | --quiet | --quie | --qui | --qu | --q \
- | -silent | --silent | --silen | --sile | --sil)
- silent=yes ;;
-
- -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
- ac_prev=sbindir ;;
- -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
- | --sbi=* | --sb=*)
- sbindir=$ac_optarg ;;
-
- -sharedstatedir | --sharedstatedir | --sharedstatedi \
- | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
- | --sharedst | --shareds | --shared | --share | --shar \
- | --sha | --sh)
- ac_prev=sharedstatedir ;;
- -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
- | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
- | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
- | --sha=* | --sh=*)
- sharedstatedir=$ac_optarg ;;
-
- -site | --site | --sit)
- ac_prev=site ;;
- -site=* | --site=* | --sit=*)
- site=$ac_optarg ;;
-
- -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
- ac_prev=srcdir ;;
- -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
- srcdir=$ac_optarg ;;
-
- -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
- | --syscon | --sysco | --sysc | --sys | --sy)
- ac_prev=sysconfdir ;;
- -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
- | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
- sysconfdir=$ac_optarg ;;
-
- -target | --target | --targe | --targ | --tar | --ta | --t)
- ac_prev=target_alias ;;
- -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
- target_alias=$ac_optarg ;;
-
- -v | -verbose | --verbose | --verbos | --verbo | --verb)
- verbose=yes ;;
-
- -version | --version | --versio | --versi | --vers | -V)
- ac_init_version=: ;;
-
- -with-* | --with-*)
- ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
- # Reject names that are not valid shell variable names.
- expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
- { echo "$as_me: error: invalid package name: $ac_package" >&2
- { (exit 1); exit 1; }; }
- ac_package=`echo $ac_package| sed 's/-/_/g'`
- case $ac_option in
- *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
- *) ac_optarg=yes ;;
- esac
- eval "with_$ac_package='$ac_optarg'" ;;
-
- -without-* | --without-*)
- ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
- # Reject names that are not valid shell variable names.
- expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
- { echo "$as_me: error: invalid package name: $ac_package" >&2
- { (exit 1); exit 1; }; }
- ac_package=`echo $ac_package | sed 's/-/_/g'`
- eval "with_$ac_package=no" ;;
-
- --x)
- # Obsolete; use --with-x.
- with_x=yes ;;
-
- -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
- | --x-incl | --x-inc | --x-in | --x-i)
- ac_prev=x_includes ;;
- -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
- | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
- x_includes=$ac_optarg ;;
-
- -x-libraries | --x-libraries | --x-librarie | --x-librari \
- | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
- ac_prev=x_libraries ;;
- -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
- | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
- x_libraries=$ac_optarg ;;
-
- -*) { echo "$as_me: error: unrecognized option: $ac_option
-Try \`$0 --help' for more information." >&2
- { (exit 1); exit 1; }; }
- ;;
-
- *=*)
- ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
- # Reject names that are not valid shell variable names.
- expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
- { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
- { (exit 1); exit 1; }; }
- ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
- eval "$ac_envvar='$ac_optarg'"
- export $ac_envvar ;;
-
- *)
- # FIXME: should be removed in autoconf 3.0.
- echo "$as_me: WARNING: you should use --build, --host, --target" >&2
- expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
- echo "$as_me: WARNING: invalid host type: $ac_option" >&2
- : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
- ;;
-
- esac
-done
-
-if test -n "$ac_prev"; then
- ac_option=--`echo $ac_prev | sed 's/_/-/g'`
- { echo "$as_me: error: missing argument to $ac_option" >&2
- { (exit 1); exit 1; }; }
-fi
-
-# Be sure to have absolute paths.
-for ac_var in exec_prefix prefix
-do
- eval ac_val=$`echo $ac_var`
- case $ac_val in
- [\\/$]* | ?:[\\/]* | NONE | '' ) ;;
- *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
- { (exit 1); exit 1; }; };;
- esac
-done
-
-# Be sure to have absolute paths.
-for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
- localstatedir libdir includedir oldincludedir infodir mandir
-do
- eval ac_val=$`echo $ac_var`
- case $ac_val in
- [\\/$]* | ?:[\\/]* ) ;;
- *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
- { (exit 1); exit 1; }; };;
- esac
-done
-
-# There might be people who depend on the old broken behavior: `$host'
-# used to hold the argument of --host etc.
-# FIXME: To remove some day.
-build=$build_alias
-host=$host_alias
-target=$target_alias
-
-# FIXME: To remove some day.
-if test "x$host_alias" != x; then
- if test "x$build_alias" = x; then
- cross_compiling=maybe
- echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
- If a cross compiler is detected then cross compile mode will be used." >&2
- elif test "x$build_alias" != "x$host_alias"; then
- cross_compiling=yes
- fi
-fi
-
-ac_tool_prefix=
-test -n "$host_alias" && ac_tool_prefix=$host_alias-
-
-test "$silent" = yes && exec 6>/dev/null
-
-
-# Find the source files, if location was not specified.
-if test -z "$srcdir"; then
- ac_srcdir_defaulted=yes
- # Try the directory containing this script, then its parent.
- ac_confdir=`(dirname "$0") 2>/dev/null ||
-$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$0" : 'X\(//\)[^/]' \| \
- X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X"$0" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- srcdir=$ac_confdir
- if test ! -r $srcdir/$ac_unique_file; then
- srcdir=..
- fi
-else
- ac_srcdir_defaulted=no
-fi
-if test ! -r $srcdir/$ac_unique_file; then
- if test "$ac_srcdir_defaulted" = yes; then
- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
- { (exit 1); exit 1; }; }
- else
- { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
- { (exit 1); exit 1; }; }
- fi
-fi
-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
- { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
- { (exit 1); exit 1; }; }
-srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
-ac_env_build_alias_set=${build_alias+set}
-ac_env_build_alias_value=$build_alias
-ac_cv_env_build_alias_set=${build_alias+set}
-ac_cv_env_build_alias_value=$build_alias
-ac_env_host_alias_set=${host_alias+set}
-ac_env_host_alias_value=$host_alias
-ac_cv_env_host_alias_set=${host_alias+set}
-ac_cv_env_host_alias_value=$host_alias
-ac_env_target_alias_set=${target_alias+set}
-ac_env_target_alias_value=$target_alias
-ac_cv_env_target_alias_set=${target_alias+set}
-ac_cv_env_target_alias_value=$target_alias
-ac_env_CC_set=${CC+set}
-ac_env_CC_value=$CC
-ac_cv_env_CC_set=${CC+set}
-ac_cv_env_CC_value=$CC
-ac_env_CFLAGS_set=${CFLAGS+set}
-ac_env_CFLAGS_value=$CFLAGS
-ac_cv_env_CFLAGS_set=${CFLAGS+set}
-ac_cv_env_CFLAGS_value=$CFLAGS
-ac_env_LDFLAGS_set=${LDFLAGS+set}
-ac_env_LDFLAGS_value=$LDFLAGS
-ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
-ac_cv_env_LDFLAGS_value=$LDFLAGS
-ac_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_env_CPPFLAGS_value=$CPPFLAGS
-ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
-ac_cv_env_CPPFLAGS_value=$CPPFLAGS
-ac_env_CPP_set=${CPP+set}
-ac_env_CPP_value=$CPP
-ac_cv_env_CPP_set=${CPP+set}
-ac_cv_env_CPP_value=$CPP
-ac_env_CXX_set=${CXX+set}
-ac_env_CXX_value=$CXX
-ac_cv_env_CXX_set=${CXX+set}
-ac_cv_env_CXX_value=$CXX
-ac_env_CXXFLAGS_set=${CXXFLAGS+set}
-ac_env_CXXFLAGS_value=$CXXFLAGS
-ac_cv_env_CXXFLAGS_set=${CXXFLAGS+set}
-ac_cv_env_CXXFLAGS_value=$CXXFLAGS
-ac_env_CXXCPP_set=${CXXCPP+set}
-ac_env_CXXCPP_value=$CXXCPP
-ac_cv_env_CXXCPP_set=${CXXCPP+set}
-ac_cv_env_CXXCPP_value=$CXXCPP
-ac_env_F77_set=${F77+set}
-ac_env_F77_value=$F77
-ac_cv_env_F77_set=${F77+set}
-ac_cv_env_F77_value=$F77
-ac_env_FFLAGS_set=${FFLAGS+set}
-ac_env_FFLAGS_value=$FFLAGS
-ac_cv_env_FFLAGS_set=${FFLAGS+set}
-ac_cv_env_FFLAGS_value=$FFLAGS
-
-#
-# Report the --help message.
-#
-if test "$ac_init_help" = "long"; then
- # Omit some internal or obsolete options to make the list less imposing.
- # This message is too long to be a string in the A/UX 3.1 sh.
- cat <<_ACEOF
-\`configure' configures this package to adapt to many kinds of systems.
-
-Usage: $0 [OPTION]... [VAR=VALUE]...
-
-To assign environment variables (e.g., CC, CFLAGS...), specify them as
-VAR=VALUE. See below for descriptions of some of the useful variables.
-
-Defaults for the options are specified in brackets.
-
-Configuration:
- -h, --help display this help and exit
- --help=short display options specific to this package
- --help=recursive display the short help of all the included packages
- -V, --version display version information and exit
- -q, --quiet, --silent do not print \`checking...' messages
- --cache-file=FILE cache test results in FILE [disabled]
- -C, --config-cache alias for \`--cache-file=config.cache'
- -n, --no-create do not create output files
- --srcdir=DIR find the sources in DIR [configure dir or \`..']
-
-_ACEOF
-
- cat <<_ACEOF
-Installation directories:
- --prefix=PREFIX install architecture-independent files in PREFIX
- [$ac_default_prefix]
- --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
- [PREFIX]
-
-By default, \`make install' will install all the files in
-\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
-an installation prefix other than \`$ac_default_prefix' using \`--prefix',
-for instance \`--prefix=\$HOME'.
-
-For better control, use the options below.
-
-Fine tuning of the installation directories:
- --bindir=DIR user executables [EPREFIX/bin]
- --sbindir=DIR system admin executables [EPREFIX/sbin]
- --libexecdir=DIR program executables [EPREFIX/libexec]
- --datadir=DIR read-only architecture-independent data [PREFIX/share]
- --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
- --localstatedir=DIR modifiable single-machine data [PREFIX/var]
- --libdir=DIR object code libraries [EPREFIX/lib]
- --includedir=DIR C header files [PREFIX/include]
- --oldincludedir=DIR C header files for non-gcc [/usr/include]
- --infodir=DIR info documentation [PREFIX/info]
- --mandir=DIR man documentation [PREFIX/man]
-_ACEOF
-
- cat <<\_ACEOF
-
-System types:
- --build=BUILD configure for building on BUILD [guessed]
- --host=HOST cross-compile to build programs to run on HOST [BUILD]
-_ACEOF
-fi
-
-if test -n "$ac_init_help"; then
-
- cat <<\_ACEOF
-
-Optional Features:
- --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
- --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
- --enable-threads enable multithreading
- --enable-shared[=PKGS]
- build shared libraries [default=yes]
- --enable-static[=PKGS]
- build static libraries [default=yes]
- --enable-fast-install[=PKGS]
- optimize for fast installation [default=yes]
- --disable-libtool-lock avoid locking (might break parallel builds)
- --enable-ipv6 use IPv6 default=autodetect
-
-Optional Packages:
- --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
- --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
- --with-irs-gr Build ....
- --with-irs-pw Build ....
- --with-irs-nis Build ....
- --with-randomdev=PATH Specify path for random device
- --with-ptl2 on NetBSD, use the ptl2 thread library (experimental)
- --with-purify=PATH use Rational purify
- --with-libtool use GNU libtool (following indented options supported)
- --with-gnu-ld assume the C compiler uses GNU ld [default=no]
- --with-pic try to use only PIC/non-PIC objects [default=use
- both]
- --with-tags[=TAGS]
- include additional configurations [automatic]
- --with-kame=PATH use Kame IPv6 default path /usr/local/v6
-
-Some influential environment variables:
- CC C compiler command
- CFLAGS C compiler flags
- LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
- nonstandard directory <lib dir>
- CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
- headers in a nonstandard directory <include dir>
- CPP C preprocessor
- CXX C++ compiler command
- CXXFLAGS C++ compiler flags
- CXXCPP C++ preprocessor
- F77 Fortran 77 compiler command
- FFLAGS Fortran 77 compiler flags
-
-Use these variables to override the choices made by `configure' or to help
-it to find libraries and programs with nonstandard names/locations.
-
-_ACEOF
-fi
-
-if test "$ac_init_help" = "recursive"; then
- # If there are subdirs, report their specific --help.
- ac_popdir=`pwd`
- for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
- test -d $ac_dir || continue
- ac_builddir=.
-
-if test "$ac_dir" != .; then
- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
- # A "../" for each directory in $ac_dir_suffix.
- ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
- ac_dir_suffix= ac_top_builddir=
-fi
-
-case $srcdir in
- .) # No --srcdir option. We are building in place.
- ac_srcdir=.
- if test -z "$ac_top_builddir"; then
- ac_top_srcdir=.
- else
- ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
- fi ;;
- [\\/]* | ?:[\\/]* ) # Absolute path.
- ac_srcdir=$srcdir$ac_dir_suffix;
- ac_top_srcdir=$srcdir ;;
- *) # Relative path.
- ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
- ac_top_srcdir=$ac_top_builddir$srcdir ;;
-esac
-
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
- case "$ac_dir" in
- .) ac_abs_builddir=`pwd`;;
- [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
- *) ac_abs_builddir=`pwd`/"$ac_dir";;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
- case ${ac_top_builddir}. in
- .) ac_abs_top_builddir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
- *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
- case $ac_srcdir in
- .) ac_abs_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
- *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
- case $ac_top_srcdir in
- .) ac_abs_top_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
- *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
- esac;;
-esac
-
- cd $ac_dir
- # Check for guested configure; otherwise get Cygnus style configure.
- if test -f $ac_srcdir/configure.gnu; then
- echo
- $SHELL $ac_srcdir/configure.gnu --help=recursive
- elif test -f $ac_srcdir/configure; then
- echo
- $SHELL $ac_srcdir/configure --help=recursive
- elif test -f $ac_srcdir/configure.ac ||
- test -f $ac_srcdir/configure.in; then
- echo
- $ac_configure --help
- else
- echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
- fi
- cd $ac_popdir
- done
-fi
-
-test -n "$ac_init_help" && exit 0
-if $ac_init_version; then
- cat <<\_ACEOF
-
-Copyright (C) 2003 Free Software Foundation, Inc.
-This configure script is free software; the Free Software Foundation
-gives unlimited permission to copy, distribute and modify it.
-_ACEOF
- exit 0
-fi
-exec 5>config.log
-cat >&5 <<_ACEOF
-This file contains any messages produced by compilers while
-running configure, to aid debugging if configure makes a mistake.
-
-It was created by $as_me, which was
-generated by GNU Autoconf 2.59. Invocation command line was
-
- $ $0 $@
-
-_ACEOF
-{
-cat <<_ASUNAME
-## --------- ##
-## Platform. ##
-## --------- ##
-
-hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
-uname -m = `(uname -m) 2>/dev/null || echo unknown`
-uname -r = `(uname -r) 2>/dev/null || echo unknown`
-uname -s = `(uname -s) 2>/dev/null || echo unknown`
-uname -v = `(uname -v) 2>/dev/null || echo unknown`
-
-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
-/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown`
-
-/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown`
-/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown`
-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
-hostinfo = `(hostinfo) 2>/dev/null || echo unknown`
-/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown`
-/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown`
-/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown`
-
-_ASUNAME
-
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- echo "PATH: $as_dir"
-done
-
-} >&5
-
-cat >&5 <<_ACEOF
-
-
-## ----------- ##
-## Core tests. ##
-## ----------- ##
-
-_ACEOF
-
-
-# Keep a trace of the command line.
-# Strip out --no-create and --no-recursion so they do not pile up.
-# Strip out --silent because we don't want to record it for future runs.
-# Also quote any args containing shell meta-characters.
-# Make two passes to allow for proper duplicate-argument suppression.
-ac_configure_args=
-ac_configure_args0=
-ac_configure_args1=
-ac_sep=
-ac_must_keep_next=false
-for ac_pass in 1 2
-do
- for ac_arg
- do
- case $ac_arg in
- -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
- -q | -quiet | --quiet | --quie | --qui | --qu | --q \
- | -silent | --silent | --silen | --sile | --sil)
- continue ;;
- *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
- ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
- esac
- case $ac_pass in
- 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
- 2)
- ac_configure_args1="$ac_configure_args1 '$ac_arg'"
- if test $ac_must_keep_next = true; then
- ac_must_keep_next=false # Got value, back to normal.
- else
- case $ac_arg in
- *=* | --config-cache | -C | -disable-* | --disable-* \
- | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
- | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
- | -with-* | --with-* | -without-* | --without-* | --x)
- case "$ac_configure_args0 " in
- "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
- esac
- ;;
- -* ) ac_must_keep_next=true ;;
- esac
- fi
- ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
- # Get rid of the leading space.
- ac_sep=" "
- ;;
- esac
- done
-done
-$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
-$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
-
-# When interrupted or exit'd, cleanup temporary files, and complete
-# config.log. We remove comments because anyway the quotes in there
-# would cause problems or look ugly.
-# WARNING: Be sure not to use single quotes in there, as some shells,
-# such as our DU 5.0 friend, will then `close' the trap.
-trap 'exit_status=$?
- # Save into config.log some information that might help in debugging.
- {
- echo
-
- cat <<\_ASBOX
-## ---------------- ##
-## Cache variables. ##
-## ---------------- ##
-_ASBOX
- echo
- # The following way of writing the cache mishandles newlines in values,
-{
- (set) 2>&1 |
- case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
- *ac_space=\ *)
- sed -n \
- "s/'"'"'/'"'"'\\\\'"'"''"'"'/g;
- s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p"
- ;;
- *)
- sed -n \
- "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
- ;;
- esac;
-}
- echo
-
- cat <<\_ASBOX
-## ----------------- ##
-## Output variables. ##
-## ----------------- ##
-_ASBOX
- echo
- for ac_var in $ac_subst_vars
- do
- eval ac_val=$`echo $ac_var`
- echo "$ac_var='"'"'$ac_val'"'"'"
- done | sort
- echo
-
- if test -n "$ac_subst_files"; then
- cat <<\_ASBOX
-## ------------- ##
-## Output files. ##
-## ------------- ##
-_ASBOX
- echo
- for ac_var in $ac_subst_files
- do
- eval ac_val=$`echo $ac_var`
- echo "$ac_var='"'"'$ac_val'"'"'"
- done | sort
- echo
- fi
-
- if test -s confdefs.h; then
- cat <<\_ASBOX
-## ----------- ##
-## confdefs.h. ##
-## ----------- ##
-_ASBOX
- echo
- sed "/^$/d" confdefs.h | sort
- echo
- fi
- test "$ac_signal" != 0 &&
- echo "$as_me: caught signal $ac_signal"
- echo "$as_me: exit $exit_status"
- } >&5
- rm -f core *.core &&
- rm -rf conftest* confdefs* conf$$* $ac_clean_files &&
- exit $exit_status
- ' 0
-for ac_signal in 1 2 13 15; do
- trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
-done
-ac_signal=0
-
-# confdefs.h avoids OS command line length limits that DEFS can exceed.
-rm -rf conftest* confdefs.h
-# AIX cpp loses on an empty file, so make sure it contains at least a newline.
-echo >confdefs.h
-
-# Predefined preprocessor variables.
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_NAME "$PACKAGE_NAME"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_VERSION "$PACKAGE_VERSION"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_STRING "$PACKAGE_STRING"
-_ACEOF
-
-
-cat >>confdefs.h <<_ACEOF
-#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
-_ACEOF
-
-
-# Let the site file select an alternate cache file if it wants to.
-# Prefer explicitly selected file to automatically selected ones.
-if test -z "$CONFIG_SITE"; then
- if test "x$prefix" != xNONE; then
- CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
- else
- CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
- fi
-fi
-for ac_site_file in $CONFIG_SITE; do
- if test -r "$ac_site_file"; then
- { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
-echo "$as_me: loading site script $ac_site_file" >&6;}
- sed 's/^/| /' "$ac_site_file" >&5
- . "$ac_site_file"
- fi
-done
-
-if test -r "$cache_file"; then
- # Some versions of bash will fail to source /dev/null (special
- # files actually), so we avoid doing that.
- if test -f "$cache_file"; then
- { echo "$as_me:$LINENO: loading cache $cache_file" >&5
-echo "$as_me: loading cache $cache_file" >&6;}
- case $cache_file in
- [\\/]* | ?:[\\/]* ) . $cache_file;;
- *) . ./$cache_file;;
- esac
- fi
-else
- { echo "$as_me:$LINENO: creating cache $cache_file" >&5
-echo "$as_me: creating cache $cache_file" >&6;}
- >$cache_file
-fi
-
-# Check that the precious variables saved in the cache have kept the same
-# value.
-ac_cache_corrupted=false
-for ac_var in `(set) 2>&1 |
- sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
- eval ac_old_set=\$ac_cv_env_${ac_var}_set
- eval ac_new_set=\$ac_env_${ac_var}_set
- eval ac_old_val="\$ac_cv_env_${ac_var}_value"
- eval ac_new_val="\$ac_env_${ac_var}_value"
- case $ac_old_set,$ac_new_set in
- set,)
- { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
- ac_cache_corrupted=: ;;
- ,set)
- { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
-echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
- ac_cache_corrupted=: ;;
- ,);;
- *)
- if test "x$ac_old_val" != "x$ac_new_val"; then
- { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
-echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
- { echo "$as_me:$LINENO: former value: $ac_old_val" >&5
-echo "$as_me: former value: $ac_old_val" >&2;}
- { echo "$as_me:$LINENO: current value: $ac_new_val" >&5
-echo "$as_me: current value: $ac_new_val" >&2;}
- ac_cache_corrupted=:
- fi;;
- esac
- # Pass precious variables to config.status.
- if test "$ac_new_set" = set; then
- case $ac_new_val in
- *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
- ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
- *) ac_arg=$ac_var=$ac_new_val ;;
- esac
- case " $ac_configure_args " in
- *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
- *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
- esac
- fi
-done
-if $ac_cache_corrupted; then
- { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
-echo "$as_me: error: changes in the environment can compromise the build" >&2;}
- { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
-echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ac_config_headers="$ac_config_headers config.h"
-
-
-ac_aux_dir=
-for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
- if test -f $ac_dir/install-sh; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/install-sh -c"
- break
- elif test -f $ac_dir/install.sh; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/install.sh -c"
- break
- elif test -f $ac_dir/shtool; then
- ac_aux_dir=$ac_dir
- ac_install_sh="$ac_aux_dir/shtool install -c"
- break
- fi
-done
-if test -z "$ac_aux_dir"; then
- { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5
-echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2;}
- { (exit 1); exit 1; }; }
-fi
-ac_config_guess="$SHELL $ac_aux_dir/config.guess"
-ac_config_sub="$SHELL $ac_aux_dir/config.sub"
-ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure.
-
-# Make sure we can run config.sub.
-$ac_config_sub sun4 >/dev/null 2>&1 ||
- { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5
-echo "$as_me: error: cannot run $ac_config_sub" >&2;}
- { (exit 1); exit 1; }; }
-
-echo "$as_me:$LINENO: checking build system type" >&5
-echo $ECHO_N "checking build system type... $ECHO_C" >&6
-if test "${ac_cv_build+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_cv_build_alias=$build_alias
-test -z "$ac_cv_build_alias" &&
- ac_cv_build_alias=`$ac_config_guess`
-test -z "$ac_cv_build_alias" &&
- { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
-echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
- { (exit 1); exit 1; }; }
-ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5
-echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;}
- { (exit 1); exit 1; }; }
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_build" >&5
-echo "${ECHO_T}$ac_cv_build" >&6
-build=$ac_cv_build
-build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-
-
-echo "$as_me:$LINENO: checking host system type" >&5
-echo $ECHO_N "checking host system type... $ECHO_C" >&6
-if test "${ac_cv_host+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_cv_host_alias=$host_alias
-test -z "$ac_cv_host_alias" &&
- ac_cv_host_alias=$ac_cv_build_alias
-ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5
-echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;}
- { (exit 1); exit 1; }; }
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_host" >&5
-echo "${ECHO_T}$ac_cv_host" >&6
-host=$ac_cv_host
-host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
-host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
-host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
-
-
-
-echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
-echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6
-set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y,:./+-,___p_,'`
-if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.make <<\_ACEOF
-all:
- @echo 'ac_maketemp="$(MAKE)"'
-_ACEOF
-# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
-eval `${MAKE-make} -f conftest.make 2>/dev/null | grep temp=`
-if test -n "$ac_maketemp"; then
- eval ac_cv_prog_make_${ac_make}_set=yes
-else
- eval ac_cv_prog_make_${ac_make}_set=no
-fi
-rm -f conftest.make
-fi
-if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- SET_MAKE=
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- SET_MAKE="MAKE=${MAKE-make}"
-fi
-
-if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_RANLIB+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$RANLIB"; then
- ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-RANLIB=$ac_cv_prog_RANLIB
-if test -n "$RANLIB"; then
- echo "$as_me:$LINENO: result: $RANLIB" >&5
-echo "${ECHO_T}$RANLIB" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_RANLIB"; then
- ac_ct_RANLIB=$RANLIB
- # Extract the first word of "ranlib", so it can be a program name with args.
-set dummy ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_RANLIB"; then
- ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_RANLIB="ranlib"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
-fi
-fi
-ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
-if test -n "$ac_ct_RANLIB"; then
- echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
-echo "${ECHO_T}$ac_ct_RANLIB" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- RANLIB=$ac_ct_RANLIB
-else
- RANLIB="$ac_cv_prog_RANLIB"
-fi
-
-# Find a good install program. We prefer a C program (faster),
-# so one script is as good as another. But avoid the broken or
-# incompatible versions:
-# SysV /etc/install, /usr/sbin/install
-# SunOS /usr/etc/install
-# IRIX /sbin/install
-# AIX /bin/install
-# AmigaOS /C/install, which installs bootblocks on floppy discs
-# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
-# AFS /usr/afsws/bin/install, which mishandles nonexistent args
-# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
-# OS/2's system install, which has a completely different semantic
-# ./install, which can be erroneously created by make from ./install.sh.
-echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
-echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6
-if test -z "$INSTALL"; then
-if test "${ac_cv_path_install+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- # Account for people who put trailing slashes in PATH elements.
-case $as_dir/ in
- ./ | .// | /cC/* | \
- /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
- ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
- /usr/ucb/* ) ;;
- *)
- # OSF1 and SCO ODT 3.0 have their own names for install.
- # Don't use installbsd from OSF since it installs stuff as root
- # by default.
- for ac_prog in ginstall scoinst install; do
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
- if test $ac_prog = install &&
- grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
- # AIX install. It has an incompatible calling convention.
- :
- elif test $ac_prog = install &&
- grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
- # program-specific install script used by HP pwplus--don't use.
- :
- else
- ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
- break 3
- fi
- fi
- done
- done
- ;;
-esac
-done
-
-
-fi
- if test "${ac_cv_path_install+set}" = set; then
- INSTALL=$ac_cv_path_install
- else
- # As a last resort, use the slow shell script. We don't cache a
- # path for INSTALL within a source directory, because that will
- # break other packages using the cache if that directory is
- # removed, or if the path is relative.
- INSTALL=$ac_install_sh
- fi
-fi
-echo "$as_me:$LINENO: result: $INSTALL" >&5
-echo "${ECHO_T}$INSTALL" >&6
-
-# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
-# It thinks the first close brace ends the variable substitution.
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
-
-test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
-
-test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
-
-
-
-
-
-
-
-# Extract the first word of "ar", so it can be a program name with args.
-set dummy ar; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_AR+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- case $AR in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_AR="$AR" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- ;;
-esac
-fi
-AR=$ac_cv_path_AR
-
-if test -n "$AR"; then
- echo "$as_me:$LINENO: result: $AR" >&5
-echo "${ECHO_T}$AR" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-ARFLAGS="cruv"
-
-
-
-# The POSIX ln(1) program. Non-POSIX systems may substitute
-# "copy" or something.
-LN=ln
-
-
-case "$AR" in
- "")
- { { echo "$as_me:$LINENO: error:
-ar program not found. Please fix your PATH to include the directory in
-which ar resides, or set AR in the environment with the full path to ar.
-" >&5
-echo "$as_me: error:
-ar program not found. Please fix your PATH to include the directory in
-which ar resides, or set AR in the environment with the full path to ar.
-" >&2;}
- { (exit 1); exit 1; }; }
-
- ;;
-esac
-
-#
-# Etags.
-#
-for ac_prog in etags emacs-etags
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_ETAGS+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- case $ETAGS in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_ETAGS="$ETAGS" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_ETAGS="$as_dir/$ac_word$ac_exec_ext"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- ;;
-esac
-fi
-ETAGS=$ac_cv_path_ETAGS
-
-if test -n "$ETAGS"; then
- echo "$as_me:$LINENO: result: $ETAGS" >&5
-echo "${ECHO_T}$ETAGS" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$ETAGS" && break
-done
-
-
-#
-# Some systems, e.g. RH7, have the Exuberant Ctags etags instead of
-# GNU emacs etags, and it requires the -L flag.
-#
-if test "X$ETAGS" != "X"; then
- echo "$as_me:$LINENO: checking for Exuberant Ctags etags" >&5
-echo $ECHO_N "checking for Exuberant Ctags etags... $ECHO_C" >&6
- if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ETAGS="$ETAGS -L"
- else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- fi
-fi
-
-
-#
-# Perl is optional; it is used only by some of the system test scripts.
-#
-for ac_prog in perl5 perl
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_PERL+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- case $PERL in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- ;;
-esac
-fi
-PERL=$ac_cv_path_PERL
-
-if test -n "$PERL"; then
- echo "$as_me:$LINENO: result: $PERL" >&5
-echo "${ECHO_T}$PERL" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$PERL" && break
-done
-
-
-
-#
-# isc/list.h and others clash with the rest of BIND 9
-#
-case "$includedir" in
- '${prefix}/include')
- includedir='${prefix}/bind/include'
- ;;
-esac
-case "$libdir" in
- '${prefix}/lib')
- libdir='${prefix}/bind/lib'
- ;;
-esac
-
-#
-# Make sure INSTALL uses an absolute path, else it will be wrong in all
-# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
-# configure based on the location of the file where it is substituted.
-# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
-# subdirectory of install-sh, This relative path will be wrong for all
-# directories more than one level down from install-sh.
-#
-case "$INSTALL" in
- /*)
- ;;
- *)
- #
- # Not all systems have dirname.
- #
-
- ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
-
-
- ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
- test "$ac_dir" = "$ac_prog" && ac_dir=.
- test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
- INSTALL="$ac_dir/$ac_prog"
- ;;
-esac
-
-#
-# On these hosts, we really want to use cc, not gcc, even if it is
-# found. The gcc that these systems have will not correctly handle
-# pthreads.
-#
-# However, if the user sets $CC to be something, let that override
-# our change.
-#
-if test "X$CC" = "X" ; then
- case "$host" in
- *-dec-osf*)
- CC="cc"
- ;;
- *-solaris*)
- # Use Sun's cc if it is available, but watch
- # out for /usr/ucb/cc; it will never be the right
- # compiler to use.
- #
- # If setting CC here fails, the AC_PROG_CC done
- # below might still find gcc.
- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
- for ac_dir in $PATH; do
- test -z "$ac_dir" && ac_dir=.
- case "$ac_dir" in
- /usr/ucb)
- # exclude
- ;;
- *)
- if test -f "$ac_dir/cc"; then
- CC="$ac_dir/cc"
- break
- fi
- ;;
- esac
- done
- IFS="$ac_save_ifs"
- ;;
- *-hp-hpux*)
- CC="cc"
- ;;
- mips-sgi-irix*)
- CC="cc"
- ;;
- esac
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="${ac_tool_prefix}gcc"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_CC"; then
- ac_ct_CC=$CC
- # Extract the first word of "gcc", so it can be a program name with args.
-set dummy gcc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CC="gcc"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
- echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- CC=$ac_ct_CC
-else
- CC="$ac_cv_prog_CC"
-fi
-
-if test -z "$CC"; then
- if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
-set dummy ${ac_tool_prefix}cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="${ac_tool_prefix}cc"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_CC"; then
- ac_ct_CC=$CC
- # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CC="cc"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
- echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- CC=$ac_ct_CC
-else
- CC="$ac_cv_prog_CC"
-fi
-
-fi
-if test -z "$CC"; then
- # Extract the first word of "cc", so it can be a program name with args.
-set dummy cc; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
- ac_prog_rejected=no
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
- ac_prog_rejected=yes
- continue
- fi
- ac_cv_prog_CC="cc"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-if test $ac_prog_rejected = yes; then
- # We found a bogon in the path, so make sure we never use it.
- set dummy $ac_cv_prog_CC
- shift
- if test $# != 0; then
- # We chose a different compiler from the bogus one.
- # However, it has the same basename, so the bogon will be chosen
- # first if we set CC to just the basename; use the full file name.
- shift
- ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
- fi
-fi
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$CC"; then
- if test -n "$ac_tool_prefix"; then
- for ac_prog in cl
- do
- # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$CC"; then
- ac_cv_prog_CC="$CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-CC=$ac_cv_prog_CC
-if test -n "$CC"; then
- echo "$as_me:$LINENO: result: $CC" >&5
-echo "${ECHO_T}$CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$CC" && break
- done
-fi
-if test -z "$CC"; then
- ac_ct_CC=$CC
- for ac_prog in cl
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_CC"; then
- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CC="$ac_prog"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-ac_ct_CC=$ac_cv_prog_ac_ct_CC
-if test -n "$ac_ct_CC"; then
- echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
-echo "${ECHO_T}$ac_ct_CC" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$ac_ct_CC" && break
-done
-
- CC=$ac_ct_CC
-fi
-
-fi
-
-
-test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&5
-echo "$as_me: error: no acceptable C compiler found in \$PATH
-See \`config.log' for more details." >&2;}
- { (exit 1); exit 1; }; }
-
-# Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
- "checking for C compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
- (eval $ac_compiler --version </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
- (eval $ac_compiler -v </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
- (eval $ac_compiler -V </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files a.out a.exe b.out"
-# Try to create an executable without -o first, disregard a.out.
-# It will help us diagnose broken compilers, and finding out an intuition
-# of exeext.
-echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
-echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6
-ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
-if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5
- (eval $ac_link_default) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- # Find the output, starting from the most likely. This scheme is
-# not robust to junk in `.', hence go to wildcards (a.*) only as a last
-# resort.
-
-# Be careful to initialize this variable, since it used to be cached.
-# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile.
-ac_cv_exeext=
-# b.out is created by i960 compilers.
-for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out
-do
- test -f "$ac_file" || continue
- case $ac_file in
- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj )
- ;;
- conftest.$ac_ext )
- # This is the source file.
- ;;
- [ab].out )
- # We found the default executable, but exeext='' is most
- # certainly right.
- break;;
- *.* )
- ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
- # FIXME: I believe we export ac_cv_exeext for Libtool,
- # but it would be cool to find out if it's true. Does anybody
- # maintain Libtool? --akim.
- export ac_cv_exeext
- break;;
- * )
- break;;
- esac
-done
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
-See \`config.log' for more details." >&5
-echo "$as_me: error: C compiler cannot create executables
-See \`config.log' for more details." >&2;}
- { (exit 77); exit 77; }; }
-fi
-
-ac_exeext=$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_file" >&5
-echo "${ECHO_T}$ac_file" >&6
-
-# Check the compiler produces executables we can run. If not, either
-# the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether the C compiler works" >&5
-echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
-# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
-# If not cross compiling, check that we can run a simple program.
-if test "$cross_compiling" != yes; then
- if { ac_try='./$ac_file'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- cross_compiling=no
- else
- if test "$cross_compiling" = maybe; then
- cross_compiling=yes
- else
- { { echo "$as_me:$LINENO: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot run C compiled programs.
-If you meant to cross compile, use \`--host'.
-See \`config.log' for more details." >&2;}
- { (exit 1); exit 1; }; }
- fi
- fi
-fi
-echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-
-rm -f a.out a.exe conftest$ac_cv_exeext b.out
-ac_clean_files=$ac_clean_files_save
-# Check the compiler produces executables we can run. If not, either
-# the compiler is broken, or we cross compile.
-echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
-echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $cross_compiling" >&5
-echo "${ECHO_T}$cross_compiling" >&6
-
-echo "$as_me:$LINENO: checking for suffix of executables" >&5
-echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- # If both `conftest.exe' and `conftest' are `present' (well, observable)
-# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
-# work properly (i.e., refer to `conftest.exe'), while it won't with
-# `rm'.
-for ac_file in conftest.exe conftest conftest.*; do
- test -f "$ac_file" || continue
- case $ac_file in
- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;;
- *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
- export ac_cv_exeext
- break;;
- * ) break;;
- esac
-done
-else
- { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
-See \`config.log' for more details." >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-rm -f conftest$ac_cv_exeext
-echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
-echo "${ECHO_T}$ac_cv_exeext" >&6
-
-rm -f conftest.$ac_ext
-EXEEXT=$ac_cv_exeext
-ac_exeext=$EXEEXT
-echo "$as_me:$LINENO: checking for suffix of object files" >&5
-echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6
-if test "${ac_cv_objext+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.o conftest.obj
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
- case $ac_file in
- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;;
- *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
- break;;
- esac
-done
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&5
-echo "$as_me: error: cannot compute suffix of object files: cannot compile
-See \`config.log' for more details." >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-rm -f conftest.$ac_cv_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
-echo "${ECHO_T}$ac_cv_objext" >&6
-OBJEXT=$ac_cv_objext
-ac_objext=$OBJEXT
-echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
-if test "${ac_cv_c_compiler_gnu+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-#ifndef __GNUC__
- choke me
-#endif
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_compiler_gnu=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_compiler_gnu=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_c_compiler_gnu=$ac_compiler_gnu
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
-GCC=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CFLAGS=${CFLAGS+set}
-ac_save_CFLAGS=$CFLAGS
-CFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
-echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_g+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_prog_cc_g=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_prog_cc_g=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
-if test "$ac_test_CFLAGS" = set; then
- CFLAGS=$ac_save_CFLAGS
-elif test $ac_cv_prog_cc_g = yes; then
- if test "$GCC" = yes; then
- CFLAGS="-g -O2"
- else
- CFLAGS="-g"
- fi
-else
- if test "$GCC" = yes; then
- CFLAGS="-O2"
- else
- CFLAGS=
- fi
-fi
-echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
-echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
-if test "${ac_cv_prog_cc_stdc+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_cv_prog_cc_stdc=no
-ac_save_CC=$CC
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <stdarg.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
-struct buf { int x; };
-FILE * (*rcsopen) (struct buf *, struct stat *, int);
-static char *e (p, i)
- char **p;
- int i;
-{
- return p[i];
-}
-static char *f (char * (*g) (char **, int), char **p, ...)
-{
- char *s;
- va_list v;
- va_start (v,p);
- s = g (p, va_arg (v,int));
- va_end (v);
- return s;
-}
-
-/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
- function prototypes and stuff, but not '\xHH' hex character constants.
- These don't provoke an error unfortunately, instead are silently treated
- as 'x'. The following induces an error, until -std1 is added to get
- proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
- array size at least. It's necessary to write '\x00'==0 to get something
- that's true only with -std1. */
-int osf4_cc_array ['\x00' == 0 ? 1 : -1];
-
-int test (int i, double x);
-struct s1 {int (*f) (int a);};
-struct s2 {int (*f) (double a);};
-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
-int argc;
-char **argv;
-int
-main ()
-{
-return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1];
- ;
- return 0;
-}
-_ACEOF
-# Don't try gcc -ansi; that turns off useful extensions and
-# breaks some systems' header files.
-# AIX -qlanglvl=ansi
-# Ultrix and OSF/1 -std1
-# HP-UX 10.20 and later -Ae
-# HP-UX older versions -Aa -D_HPUX_SOURCE
-# SVR4 -Xc -D__EXTENSIONS__
-for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
-do
- CC="$ac_save_CC $ac_arg"
- rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_prog_cc_stdc=$ac_arg
-break
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext
-done
-rm -f conftest.$ac_ext conftest.$ac_objext
-CC=$ac_save_CC
-
-fi
-
-case "x$ac_cv_prog_cc_stdc" in
- x|xno)
- echo "$as_me:$LINENO: result: none needed" >&5
-echo "${ECHO_T}none needed" >&6 ;;
- *)
- echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5
-echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
- CC="$CC $ac_cv_prog_cc_stdc" ;;
-esac
-
-# Some people use a C++ compiler to compile C. Since we use `exit',
-# in C++ we need to declare it. In case someone uses the same compiler
-# for both compiling C and C++ we need to have the C++ compiler decide
-# the declaration of exit, since it's the most demanding environment.
-cat >conftest.$ac_ext <<_ACEOF
-#ifndef __cplusplus
- choke me
-#endif
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- for ac_declaration in \
- '' \
- 'extern "C" void std::exit (int) throw (); using std::exit;' \
- 'extern "C" void std::exit (int); using std::exit;' \
- 'extern "C" void exit (int) throw ();' \
- 'extern "C" void exit (int);' \
- 'void exit (int);'
-do
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_declaration
-#include <stdlib.h>
-int
-main ()
-{
-exit (42);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- :
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-continue
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_declaration
-int
-main ()
-{
-exit (42);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- break
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-rm -f conftest*
-if test -n "$ac_declaration"; then
- echo '#ifdef __cplusplus' >>confdefs.h
- echo $ac_declaration >>confdefs.h
- echo '#endif' >>confdefs.h
-fi
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
-echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
-# On Suns, sometimes $CPP names a directory.
-if test -n "$CPP" && test -d "$CPP"; then
- CPP=
-fi
-if test -z "$CPP"; then
- if test "${ac_cv_prog_CPP+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- # Double quotes because CPP needs to be expanded
- for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
- do
- ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
- # Use a header file that comes with gcc, so configuring glibc
- # with a fresh cross-compiler works.
- # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- # <limits.h> exists even on freestanding compilers.
- # On the NeXT, cc -E runs the code through the compiler's parser,
- # not just through cpp. "Syntax error" is here to catch this case.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
- Syntax error
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- :
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.$ac_ext
-
- # OK, works on sane cases. Now check whether non-existent headers
- # can be detected and how.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- # Broken: success on invalid input.
-continue
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
- break
-fi
-
- done
- ac_cv_prog_CPP=$CPP
-
-fi
- CPP=$ac_cv_prog_CPP
-else
- ac_cv_prog_CPP=$CPP
-fi
-echo "$as_me:$LINENO: result: $CPP" >&5
-echo "${ECHO_T}$CPP" >&6
-ac_preproc_ok=false
-for ac_c_preproc_warn_flag in '' yes
-do
- # Use a header file that comes with gcc, so configuring glibc
- # with a fresh cross-compiler works.
- # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- # <limits.h> exists even on freestanding compilers.
- # On the NeXT, cc -E runs the code through the compiler's parser,
- # not just through cpp. "Syntax error" is here to catch this case.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
- Syntax error
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- :
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.$ac_ext
-
- # OK, works on sane cases. Now check whether non-existent headers
- # can be detected and how.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- # Broken: success on invalid input.
-continue
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
- :
-else
- { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&5
-echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
-See \`config.log' for more details." >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-echo "$as_me:$LINENO: checking for egrep" >&5
-echo $ECHO_N "checking for egrep... $ECHO_C" >&6
-if test "${ac_cv_prog_egrep+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if echo a | (grep -E '(a|b)') >/dev/null 2>&1
- then ac_cv_prog_egrep='grep -E'
- else ac_cv_prog_egrep='egrep'
- fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
-echo "${ECHO_T}$ac_cv_prog_egrep" >&6
- EGREP=$ac_cv_prog_egrep
-
-
-echo "$as_me:$LINENO: checking for ANSI C header files" >&5
-echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
-if test "${ac_cv_header_stdc+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <stdlib.h>
-#include <stdarg.h>
-#include <string.h>
-#include <float.h>
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_header_stdc=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_header_stdc=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-if test $ac_cv_header_stdc = yes; then
- # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <string.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
- $EGREP "memchr" >/dev/null 2>&1; then
- :
-else
- ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
- # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <stdlib.h>
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
- $EGREP "free" >/dev/null 2>&1; then
- :
-else
- ac_cv_header_stdc=no
-fi
-rm -f conftest*
-
-fi
-
-if test $ac_cv_header_stdc = yes; then
- # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
- if test "$cross_compiling" = yes; then
- :
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <ctype.h>
-#if ((' ' & 0x0FF) == 0x020)
-# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
-# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-#else
-# define ISLOWER(c) \
- (('a' <= (c) && (c) <= 'i') \
- || ('j' <= (c) && (c) <= 'r') \
- || ('s' <= (c) && (c) <= 'z'))
-# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
-#endif
-
-#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
-int
-main ()
-{
- int i;
- for (i = 0; i < 256; i++)
- if (XOR (islower (i), ISLOWER (i))
- || toupper (i) != TOUPPER (i))
- exit(2);
- exit (0);
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- :
-else
- echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_header_stdc=no
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
-echo "${ECHO_T}$ac_cv_header_stdc" >&6
-if test $ac_cv_header_stdc = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define STDC_HEADERS 1
-_ACEOF
-
-fi
-
-
-
-# On IRIX 5.3, sys/types and inttypes.h are conflicting.
-
-
-
-
-
-
-
-
-
-for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
- inttypes.h stdint.h unistd.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_includes_default
-
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- eval "$as_ac_Header=yes"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-eval "$as_ac_Header=no"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
- cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-
-
-
-
-
-
-
-
-
-for ac_header in fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h stropts.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-else
- # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_header_compiler=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_header_compiler=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-
-# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <$ac_header>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- ac_header_preproc=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-
-# So? What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
- yes:no: )
- { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
- ac_header_preproc=yes
- ;;
- no:yes:* )
- { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
- (
- cat <<\_ASBOX
-## ------------------------------------------ ##
-## Report this to the AC_PACKAGE_NAME lists. ##
-## ------------------------------------------ ##
-_ASBOX
- ) |
- sed "s/^/$as_me: WARNING: /" >&2
- ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- eval "$as_ac_Header=\$ac_header_preproc"
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
- cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-
-echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
-echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
-if test "${ac_cv_c_const+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-/* FIXME: Include the comments suggested by Paul. */
-#ifndef __cplusplus
- /* Ultrix mips cc rejects this. */
- typedef int charset[2];
- const charset x;
- /* SunOS 4.1.1 cc rejects this. */
- char const *const *ccp;
- char **p;
- /* NEC SVR4.0.2 mips cc rejects this. */
- struct point {int x, y;};
- static struct point const zero = {0,0};
- /* AIX XL C 1.02.0.0 rejects this.
- It does not let you subtract one const X* pointer from another in
- an arm of an if-expression whose if-part is not a constant
- expression */
- const char *g = "string";
- ccp = &g + (g ? g-g : 0);
- /* HPUX 7.0 cc rejects these. */
- ++ccp;
- p = (char**) ccp;
- ccp = (char const *const *) p;
- { /* SCO 3.2v4 cc rejects this. */
- char *t;
- char const *s = 0 ? (char *) 0 : (char const *) 0;
-
- *t++ = 0;
- }
- { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */
- int x[] = {25, 17};
- const int *foo = &x[0];
- ++foo;
- }
- { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
- typedef const int *iptr;
- iptr p = 0;
- ++p;
- }
- { /* AIX XL C 1.02.0.0 rejects this saying
- "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
- struct s { int j; const int *ap[3]; };
- struct s *b; b->j = 5;
- }
- { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
- const int foo = 10;
- }
-#endif
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_c_const=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_c_const=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
-echo "${ECHO_T}$ac_cv_c_const" >&6
-if test $ac_cv_c_const = no; then
-
-cat >>confdefs.h <<\_ACEOF
-#define const
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for inline" >&5
-echo $ECHO_N "checking for inline... $ECHO_C" >&6
-if test "${ac_cv_c_inline+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_cv_c_inline=no
-for ac_kw in inline __inline__ __inline; do
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#ifndef __cplusplus
-typedef int foo_t;
-static $ac_kw foo_t static_foo () {return 0; }
-$ac_kw foo_t foo () {return 0; }
-#endif
-
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_c_inline=$ac_kw; break
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
-echo "${ECHO_T}$ac_cv_c_inline" >&6
-
-
-case $ac_cv_c_inline in
- inline | yes) ;;
- *)
- case $ac_cv_c_inline in
- no) ac_val=;;
- *) ac_val=$ac_cv_c_inline;;
- esac
- cat >>confdefs.h <<_ACEOF
-#ifndef __cplusplus
-#define inline $ac_val
-#endif
-_ACEOF
- ;;
-esac
-
-echo "$as_me:$LINENO: checking for size_t" >&5
-echo $ECHO_N "checking for size_t... $ECHO_C" >&6
-if test "${ac_cv_type_size_t+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_includes_default
-int
-main ()
-{
-if ((size_t *) 0)
- return 0;
-if (sizeof (size_t))
- return 0;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_type_size_t=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_size_t=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
-echo "${ECHO_T}$ac_cv_type_size_t" >&6
-if test $ac_cv_type_size_t = yes; then
- :
-else
-
-cat >>confdefs.h <<_ACEOF
-#define size_t unsigned
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for uintptr_t" >&5
-echo $ECHO_N "checking for uintptr_t... $ECHO_C" >&6
-if test "${ac_cv_type_uintptr_t+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_includes_default
-int
-main ()
-{
-if ((uintptr_t *) 0)
- return 0;
-if (sizeof (uintptr_t))
- return 0;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_type_uintptr_t=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_type_uintptr_t=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_type_uintptr_t" >&5
-echo "${ECHO_T}$ac_cv_type_uintptr_t" >&6
-if test $ac_cv_type_uintptr_t = yes; then
- :
-else
-
-cat >>confdefs.h <<_ACEOF
-#define uintptr_t unsigned long
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
-echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
-if test "${ac_cv_header_time+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <sys/types.h>
-#include <sys/time.h>
-#include <time.h>
-
-int
-main ()
-{
-if ((struct tm *) 0)
-return 0;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_header_time=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_header_time=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
-echo "${ECHO_T}$ac_cv_header_time" >&6
-if test $ac_cv_header_time = yes; then
-
-cat >>confdefs.h <<\_ACEOF
-#define TIME_WITH_SYS_TIME 1
-_ACEOF
-
-fi
-
-#
-# check if we need to #include sys/select.h explicitly
-#
-case $ac_cv_header_unistd_h in
-yes)
-echo "$as_me:$LINENO: checking if unistd.h defines fd_set" >&5
-echo $ECHO_N "checking if unistd.h defines fd_set... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <unistd.h>
-int
-main ()
-{
-fd_set read_set; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- case ac_cv_header_sys_select_h in
- yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
- ;;
- no)
- { { echo "$as_me:$LINENO: error: need either working unistd.h or sys/select.h" >&5
-echo "$as_me: error: need either working unistd.h or sys/select.h" >&2;}
- { (exit 1); exit 1; }; }
- ;;
- esac
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
- ;;
-no)
- case ac_cv_header_sys_select_h in
- yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
- ;;
- no)
- { { echo "$as_me:$LINENO: error: need either unistd.h or sys/select.h" >&5
-echo "$as_me: error: need either unistd.h or sys/select.h" >&2;}
- { (exit 1); exit 1; }; }
- ;;
- esac
- ;;
-esac
-
-
-#
-# Find the machine's endian flavor.
-#
-echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
-echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6
-if test "${ac_cv_c_bigendian+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- # See if sys/param.h defines the BYTE_ORDER macro.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <sys/types.h>
-#include <sys/param.h>
-
-int
-main ()
-{
-#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
- bogus endian macros
-#endif
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- # It does; now see whether it defined to BIG_ENDIAN or not.
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <sys/types.h>
-#include <sys/param.h>
-
-int
-main ()
-{
-#if BYTE_ORDER != BIG_ENDIAN
- not big endian
-#endif
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_c_bigendian=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_c_bigendian=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-# It does not; compile a test program.
-if test "$cross_compiling" = yes; then
- # try to guess the endianness by grepping values into an object file
- ac_cv_c_bigendian=unknown
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-short ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
-short ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
-void _ascii () { char *s = (char *) ascii_mm; s = (char *) ascii_ii; }
-short ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
-short ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
-void _ebcdic () { char *s = (char *) ebcdic_mm; s = (char *) ebcdic_ii; }
-int
-main ()
-{
- _ascii (); _ebcdic ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- if grep BIGenDianSyS conftest.$ac_objext >/dev/null ; then
- ac_cv_c_bigendian=yes
-fi
-if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
- if test "$ac_cv_c_bigendian" = unknown; then
- ac_cv_c_bigendian=no
- else
- # finding both strings is unlikely to happen, but who knows?
- ac_cv_c_bigendian=unknown
- fi
-fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-int
-main ()
-{
- /* Are we little or big endian? From Harbison&Steele. */
- union
- {
- long l;
- char c[sizeof (long)];
- } u;
- u.l = 1;
- exit (u.c[sizeof (long) - 1] == 1);
-}
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_c_bigendian=no
-else
- echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-ac_cv_c_bigendian=yes
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
-echo "${ECHO_T}$ac_cv_c_bigendian" >&6
-case $ac_cv_c_bigendian in
- yes)
-
-cat >>confdefs.h <<\_ACEOF
-#define WORDS_BIGENDIAN 1
-_ACEOF
- ;;
- no)
- ;;
- *)
- { { echo "$as_me:$LINENO: error: unknown endianness
-presetting ac_cv_c_bigendian=no (or yes) will help" >&5
-echo "$as_me: error: unknown endianness
-presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
- { (exit 1); exit 1; }; } ;;
-esac
-
-
-
-# Check whether --with-irs-gr or --without-irs-gr was given.
-if test "${with_irs_gr+set}" = set; then
- withval="$with_irs_gr"
- want_irs_gr="$withval"
-else
- want_irs_gr="no"
-fi;
-case "$want_irs_gr" in
-yes) WANT_IRS_GR="#define WANT_IRS_GR 1"
- WANT_IRS_GR_OBJS="\${WANT_IRS_GR_OBJS}"
- ;;
-*) WANT_IRS_GR="#undef WANT_IRS_GR" WANT_IRS_GR_OBJS="";;
-esac
-
-
-
-
-# Check whether --with-irs-pw or --without-irs-pw was given.
-if test "${with_irs_pw+set}" = set; then
- withval="$with_irs_pw"
- want_irs_pw="$withval"
-else
- want_irs_pw="no"
-fi;
-case "$want_irs_pw" in
-yes) WANT_IRS_PW="#define WANT_IRS_PW 1"
- WANT_IRS_PW_OBJS="\${WANT_IRS_PW_OBJS}";;
-*) WANT_IRS_PW="#undef WANT_IRS_PW" WANT_IRS_PW_OBJS="";;
-esac
-
-
-
-
-# Check whether --with-irs-nis or --without-irs-nis was given.
-if test "${with_irs_nis+set}" = set; then
- withval="$with_irs_nis"
- want_irs_nis="$withval"
-else
- want_irs_nis="no"
-fi;
-case "$want_irs_nis" in
-yes)
- WANT_IRS_NIS="#define WANT_IRS_NIS 1"
- WANT_IRS_NIS_OBJS="\${WANT_IRS_NIS_OBJS}"
- case "$want_irs_gr" in
- yes)
- WANT_IRS_NISGR_OBJS="\${WANT_IRS_NISGR_OBJS}";;
- *)
- WANT_IRS_NISGR_OBJS="";;
- esac
- case "$want_irs_pw" in
- yes)
- WANT_IRS_NISPW_OBJS="\${WANT_IRS_NISPW_OBJS}";;
- *)
- WANT_IRS_NISPW_OBJS="";;
- esac
- ;;
-*)
- WANT_IRS_NIS="#undef WANT_IRS_NIS"
- WANT_IRS_NIS_OBJS=""
- WANT_IRS_NISGR_OBJS=""
- WANT_IRS_NISPW_OBJS="";;
-esac
-
-
-
-
-if test "$cross_compiling" = yes; then
- WANT_IRS_DBPW_OBJS=""
-
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#ifdef HAVE_DB_H
-int have_db_h = 1;
-#else
-int have_db_h = 0;
-#endif
-main() { return(!have_db_h); }
-
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- WANT_IRS_DBPW_OBJS="\${WANT_IRS_DBPW_OBJS}"
-
-else
- echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-WANT_IRS_DBPW_OBJS=""
-
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-
-
-#
-# was --with-randomdev specified?
-#
-echo "$as_me:$LINENO: checking for random device" >&5
-echo $ECHO_N "checking for random device... $ECHO_C" >&6
-
-# Check whether --with-randomdev or --without-randomdev was given.
-if test "${with_randomdev+set}" = set; then
- withval="$with_randomdev"
- use_randomdev="$withval"
-else
- use_randomdev="unspec"
-fi;
-
-case "$use_randomdev" in
- unspec)
- case "$host" in
- *-openbsd*)
- devrandom=/dev/srandom
- ;;
- *)
- devrandom=/dev/random
- ;;
- esac
- echo "$as_me:$LINENO: result: $devrandom" >&5
-echo "${ECHO_T}$devrandom" >&6
- as_ac_File=`echo "ac_cv_file_$devrandom" | $as_tr_sh`
-echo "$as_me:$LINENO: checking for $devrandom" >&5
-echo $ECHO_N "checking for $devrandom... $ECHO_C" >&6
-if eval "test \"\${$as_ac_File+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- test "$cross_compiling" = yes &&
- { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
-echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
- { (exit 1); exit 1; }; }
-if test -r "$devrandom"; then
- eval "$as_ac_File=yes"
-else
- eval "$as_ac_File=no"
-fi
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_File'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_File'}'`" >&6
-if test `eval echo '${'$as_ac_File'}'` = yes; then
- cat >>confdefs.h <<_ACEOF
-#define PATH_RANDOMDEV "$devrandom"
-_ACEOF
-
-fi
-
- ;;
- yes)
- { { echo "$as_me:$LINENO: error: --with-randomdev must specify a path" >&5
-echo "$as_me: error: --with-randomdev must specify a path" >&2;}
- { (exit 1); exit 1; }; }
- ;;
- *)
- cat >>confdefs.h <<_ACEOF
-#define PATH_RANDOMDEV "$use_randomdev"
-_ACEOF
-
- echo "$as_me:$LINENO: result: using \"$use_randomdev\"" >&5
-echo "${ECHO_T}using \"$use_randomdev\"" >&6
- ;;
-esac
-
-#
-# Begin pthreads checking.
-#
-# First, decide whether to use multithreading or not.
-#
-# Enable multithreading by default on systems where it is known
-# to work well, and where debugging of multithreaded programs
-# is supported.
-#
-
-echo "$as_me:$LINENO: checking whether to build with thread support" >&5
-echo $ECHO_N "checking whether to build with thread support... $ECHO_C" >&6
-
-case $host in
-*-dec-osf*)
- use_threads=true ;;
-*-solaris2.[0-6])
- # Thread signals are broken on Solaris 2.6; they are sometimes
- # delivered to the wrong thread.
- use_threads=false ;;
-*-solaris*)
- use_threads=true ;;
-*-ibm-aix*)
- use_threads=true ;;
-*-hp-hpux10*)
- use_threads=false ;;
-*-hp-hpux11*)
- use_threads=true ;;
-*-sgi-irix*)
- use_threads=true ;;
-*-sco-sysv*uw*|*-*-sysv*UnixWare*)
- # UnixWare
- use_threads=false ;;
-*-*-sysv*OpenUNIX*)
- # UnixWare
- use_threads=true ;;
-*-netbsd*)
- if test -r /usr/lib/libpthread.so ; then
- use_threads=true
- else
- # Socket I/O optimizations introduced in 9.2 expose a
- # bug in unproven-pthreads; see PR #12650
- use_threads=false
- fi
- ;;
-*-openbsd*)
- # OpenBSD users have reported that named dumps core on
- # startup when built with threads.
- use_threads=false ;;
-*-freebsd*)
- use_threads=false ;;
-*-bsdi234*)
- # Thread signals do not work reliably on some versions of BSD/OS.
- use_threads=false ;;
-*-bsdi5*)
- use_threads=true ;;
-*-linux*)
- # Threads are disabled on Linux by default because most
- # Linux kernels produce unusable core dumps from multithreaded
- # programs, and because of limitations in setuid().
- use_threads=false ;;
-*)
- use_threads=false ;;
-esac
-
-# Check whether --enable-threads or --disable-threads was given.
-if test "${enable_threads+set}" = set; then
- enableval="$enable_threads"
-
-fi;
-case "$enable_threads" in
- yes)
- use_threads=true
- ;;
- no)
- use_threads=false
- ;;
- '')
- # Use system-dependent default
- ;;
- *)
- { { echo "$as_me:$LINENO: error: --enable-threads takes yes or no" >&5
-echo "$as_me: error: --enable-threads takes yes or no" >&2;}
- { (exit 1); exit 1; }; }
- ;;
-esac
-
-if $use_threads
-then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-if $use_threads
-then
- #
- # Search for / configure pthreads in a system-dependent fashion.
- #
- case "$host" in
- *-netbsd*)
- # NetBSD has multiple pthreads implementations. The
- # recommended one to use is "unproven-pthreads". The
- # older "mit-pthreads" may also work on some NetBSD
- # versions. The PTL2 thread library does not
- # currently work with bind9, but can be chosen with
- # the --with-ptl2 option for those who wish to
- # experiment with it.
- CC="gcc"
- echo "$as_me:$LINENO: checking which NetBSD thread library to use" >&5
-echo $ECHO_N "checking which NetBSD thread library to use... $ECHO_C" >&6
-
-
-# Check whether --with-ptl2 or --without-ptl2 was given.
-if test "${with_ptl2+set}" = set; then
- withval="$with_ptl2"
- use_ptl2="$withval"
-else
- use_ptl2="no"
-fi;
-
- : ${LOCALBASE:=/usr/pkg}
-
- if test "X$use_ptl2" = "Xyes"
- then
- echo "$as_me:$LINENO: result: PTL2" >&5
-echo "${ECHO_T}PTL2" >&6
- { echo "$as_me:$LINENO: WARNING: linking with PTL2 is highly experimental and not expected to work" >&5
-echo "$as_me: WARNING: linking with PTL2 is highly experimental and not expected to work" >&2;}
- CC=ptlgcc
- else
- if test -r /usr/lib/libpthread.so
- then
- echo "$as_me:$LINENO: result: native" >&5
-echo "${ECHO_T}native" >&6
- LIBS="-lpthread $LIBS"
- else
- if test ! -d $LOCALBASE/pthreads
- then
- echo "$as_me:$LINENO: result: none" >&5
-echo "${ECHO_T}none" >&6
- { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-echo "$as_me: error: \"could not find thread libraries\"" >&2;}
- { (exit 1); exit 1; }; }
- fi
-
- if $use_threads
- then
- echo "$as_me:$LINENO: result: mit-pthreads/unproven-pthreads" >&5
-echo "${ECHO_T}mit-pthreads/unproven-pthreads" >&6
- pkg="$LOCALBASE/pthreads"
- lib1="-L$pkg/lib -Wl,-R$pkg/lib"
- lib2="-lpthread -lm -lgcc -lpthread"
- LIBS="$lib1 $lib2 $LIBS"
- CPPFLAGS="$CPPFLAGS -I$pkg/include"
- STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
- fi
- fi
- fi
- ;;
- *)
-
-echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
-echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6
-if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_pthread_pthread_create=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_pthread_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6
-if test $ac_cv_lib_pthread_pthread_create = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
- LIBS="-lpthread $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for __pthread_create in -lpthread" >&5
-echo $ECHO_N "checking for __pthread_create in -lpthread... $ECHO_C" >&6
-if test "${ac_cv_lib_pthread___pthread_create+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char __pthread_create ();
-int
-main ()
-{
-__pthread_create ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_pthread___pthread_create=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_pthread___pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_pthread___pthread_create" >&6
-if test $ac_cv_lib_pthread___pthread_create = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
- LIBS="-lpthread $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for __pthread_create_system in -lpthread" >&5
-echo $ECHO_N "checking for __pthread_create_system in -lpthread... $ECHO_C" >&6
-if test "${ac_cv_lib_pthread___pthread_create_system+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char __pthread_create_system ();
-int
-main ()
-{
-__pthread_create_system ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_pthread___pthread_create_system=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_pthread___pthread_create_system=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create_system" >&5
-echo "${ECHO_T}$ac_cv_lib_pthread___pthread_create_system" >&6
-if test $ac_cv_lib_pthread___pthread_create_system = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBPTHREAD 1
-_ACEOF
-
- LIBS="-lpthread $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
-echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6
-if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_c_r_pthread_create=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_r_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6
-if test $ac_cv_lib_c_r_pthread_create = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC_R 1
-_ACEOF
-
- LIBS="-lc_r $LIBS"
-
-else
-
-echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
-echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6
-if test "${ac_cv_lib_c_pthread_create+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char pthread_create ();
-int
-main ()
-{
-pthread_create ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_c_pthread_create=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_pthread_create=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
-echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6
-if test $ac_cv_lib_c_pthread_create = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBC 1
-_ACEOF
-
- LIBS="-lc $LIBS"
-
-else
- { { echo "$as_me:$LINENO: error: \"could not find thread libraries\"" >&5
-echo "$as_me: error: \"could not find thread libraries\"" >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-fi
-
-fi
-
-fi
-
-fi
-
- ;;
- esac
-fi
-
-if $use_threads
-then
- #
- # We'd like to use sigwait() too
- #
- echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
-echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6
-if test "${ac_cv_lib_c_sigwait+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char sigwait ();
-int
-main ()
-{
-sigwait ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_c_sigwait=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_sigwait=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_sigwait" >&5
-echo "${ECHO_T}$ac_cv_lib_c_sigwait" >&6
-if test $ac_cv_lib_c_sigwait = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_SIGWAIT 1
-_ACEOF
-
-else
- echo "$as_me:$LINENO: checking for sigwait in -lpthread" >&5
-echo $ECHO_N "checking for sigwait in -lpthread... $ECHO_C" >&6
-if test "${ac_cv_lib_pthread_sigwait+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char sigwait ();
-int
-main ()
-{
-sigwait ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_pthread_sigwait=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_pthread_sigwait=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_sigwait" >&5
-echo "${ECHO_T}$ac_cv_lib_pthread_sigwait" >&6
-if test $ac_cv_lib_pthread_sigwait = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_SIGWAIT 1
-_ACEOF
-
-else
- echo "$as_me:$LINENO: checking for _Psigwait in -lpthread" >&5
-echo $ECHO_N "checking for _Psigwait in -lpthread... $ECHO_C" >&6
-if test "${ac_cv_lib_pthread__Psigwait+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lpthread $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char _Psigwait ();
-int
-main ()
-{
-_Psigwait ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_pthread__Psigwait=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_pthread__Psigwait=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_pthread__Psigwait" >&5
-echo "${ECHO_T}$ac_cv_lib_pthread__Psigwait" >&6
-if test $ac_cv_lib_pthread__Psigwait = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_SIGWAIT 1
-_ACEOF
-
-fi
-
-fi
-
-
-fi
-
-
- echo "$as_me:$LINENO: checking for pthread_attr_getstacksize" >&5
-echo $ECHO_N "checking for pthread_attr_getstacksize... $ECHO_C" >&6
-if test "${ac_cv_func_pthread_attr_getstacksize+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define pthread_attr_getstacksize to an innocuous variant, in case <limits.h> declares pthread_attr_getstacksize.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define pthread_attr_getstacksize innocuous_pthread_attr_getstacksize
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char pthread_attr_getstacksize (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef pthread_attr_getstacksize
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char pthread_attr_getstacksize ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_pthread_attr_getstacksize) || defined (__stub___pthread_attr_getstacksize)
-choke me
-#else
-char (*f) () = pthread_attr_getstacksize;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != pthread_attr_getstacksize;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_pthread_attr_getstacksize=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_pthread_attr_getstacksize=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_pthread_attr_getstacksize" >&5
-echo "${ECHO_T}$ac_cv_func_pthread_attr_getstacksize" >&6
-if test $ac_cv_func_pthread_attr_getstacksize = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1
-_ACEOF
-
-fi
-
-
- #
- # Additional OS-specific issues related to pthreads and sigwait.
- #
- case "$host" in
- #
- # One more place to look for sigwait.
- #
- *-freebsd*)
- echo "$as_me:$LINENO: checking for sigwait in -lc_r" >&5
-echo $ECHO_N "checking for sigwait in -lc_r... $ECHO_C" >&6
-if test "${ac_cv_lib_c_r_sigwait+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lc_r $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char sigwait ();
-int
-main ()
-{
-sigwait ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_c_r_sigwait=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_c_r_sigwait=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_sigwait" >&5
-echo "${ECHO_T}$ac_cv_lib_c_r_sigwait" >&6
-if test $ac_cv_lib_c_r_sigwait = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_SIGWAIT 1
-_ACEOF
-
-fi
-
- ;;
- #
- # BSDI 3.0 through 4.0.1 needs pthread_init() to be
- # called before certain pthreads calls. This is deprecated
- # in BSD/OS 4.1.
- #
- *-bsdi3.*|*-bsdi4.0*)
- cat >>confdefs.h <<\_ACEOF
-#define NEED_PTHREAD_INIT 1
-_ACEOF
-
- ;;
- #
- # LinuxThreads requires some changes to the way we
- # deal with signals.
- #
- *-linux*)
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_LINUXTHREADS 1
-_ACEOF
-
- ;;
- #
- # Ensure the right sigwait() semantics on Solaris and make
- # sure we call pthread_setconcurrency.
- #
- *-solaris*)
- cat >>confdefs.h <<\_ACEOF
-#define _POSIX_PTHREAD_SEMANTICS 1
-_ACEOF
-
- echo "$as_me:$LINENO: checking for pthread_setconcurrency" >&5
-echo $ECHO_N "checking for pthread_setconcurrency... $ECHO_C" >&6
-if test "${ac_cv_func_pthread_setconcurrency+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define pthread_setconcurrency to an innocuous variant, in case <limits.h> declares pthread_setconcurrency.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define pthread_setconcurrency innocuous_pthread_setconcurrency
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char pthread_setconcurrency (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef pthread_setconcurrency
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char pthread_setconcurrency ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_pthread_setconcurrency) || defined (__stub___pthread_setconcurrency)
-choke me
-#else
-char (*f) () = pthread_setconcurrency;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != pthread_setconcurrency;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_pthread_setconcurrency=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_pthread_setconcurrency=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_pthread_setconcurrency" >&5
-echo "${ECHO_T}$ac_cv_func_pthread_setconcurrency" >&6
-if test $ac_cv_func_pthread_setconcurrency = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define CALL_PTHREAD_SETCONCURRENCY 1
-_ACEOF
-
-fi
-
- cat >>confdefs.h <<\_ACEOF
-#define POSIX_GETPWUID_R 1
-_ACEOF
-
- cat >>confdefs.h <<\_ACEOF
-#define POSIX_GETPWNAM_R 1
-_ACEOF
-
- cat >>confdefs.h <<\_ACEOF
-#define POSIX_GETGRGID_R 1
-_ACEOF
-
- cat >>confdefs.h <<\_ACEOF
-#define POSIX_GETGRNAM_R 1
-_ACEOF
-
- ;;
- *hpux11*)
- cat >>confdefs.h <<\_ACEOF
-#define NEED_ENDNETGRENT_R 1
-_ACEOF
-
- cat >>confdefs.h <<\_ACEOF
-#define _PTHREADS_DRAFT4 1
-_ACEOF
-
- ;;
- #
- # UnixWare does things its own way.
- #
- *-UnixWare*)
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_UNIXWARE_SIGWAIT 1
-_ACEOF
-
- ;;
- esac
-
- #
- # Look for sysconf to allow detection of the number of processors.
- #
- echo "$as_me:$LINENO: checking for sysconf" >&5
-echo $ECHO_N "checking for sysconf... $ECHO_C" >&6
-if test "${ac_cv_func_sysconf+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define sysconf to an innocuous variant, in case <limits.h> declares sysconf.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define sysconf innocuous_sysconf
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char sysconf (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef sysconf
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char sysconf ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_sysconf) || defined (__stub___sysconf)
-choke me
-#else
-char (*f) () = sysconf;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != sysconf;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_sysconf=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_sysconf=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_sysconf" >&5
-echo "${ECHO_T}$ac_cv_func_sysconf" >&6
-if test $ac_cv_func_sysconf = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_SYSCONF 1
-_ACEOF
-
-fi
-
-
- if test "X$GCC" = "Xyes"; then
- case "$host" in
- *-freebsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-openbsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- ;;
- *-solaris*)
- LIBS="$LIBS -lthread"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- esac
- else
- case $host in
- *-dec-osf*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- ;;
- *-solaris*)
- CC="$CC -mt"
- CCOPT="$CCOPT -mt"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-UnixWare*)
- CC="$CC -Kthread"
- CCOPT="$CCOPT -Kthread"
- ;;
- esac
- fi
- cat >>confdefs.h <<\_ACEOF
-#define _REENTRANT 1
-_ACEOF
-
- ALWAYS_DEFINES="-D_REENTRANT"
- DO_PTHREADS="#define DO_PTHREADS 1"
- WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
- WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
- case $host in
- ia64-hp-hpux11.*)
- WANT_IRS_THREADS_OBJS="";;
- *)
- WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";;
- esac
- WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}"
- thread_dir=pthreads
-else
- ALWAYS_DEFINES=""
- DO_PTHREADS="#undef DO_PTHREADS"
- WANT_IRS_THREADSGR_OBJS=""
- WANT_IRS_THREADSPW_OBJS=""
- WANT_IRS_THREADS_OBJS=""
- WANT_THREADS_OBJS=""
- thread_dir=nothreads
-fi
-
-
-
-
-
-
-
-
-echo "$as_me:$LINENO: checking for strlcat" >&5
-echo $ECHO_N "checking for strlcat... $ECHO_C" >&6
-if test "${ac_cv_func_strlcat+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define strlcat to an innocuous variant, in case <limits.h> declares strlcat.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define strlcat innocuous_strlcat
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char strlcat (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef strlcat
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char strlcat ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_strlcat) || defined (__stub___strlcat)
-choke me
-#else
-char (*f) () = strlcat;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != strlcat;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_strlcat=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_strlcat=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strlcat" >&5
-echo "${ECHO_T}$ac_cv_func_strlcat" >&6
-if test $ac_cv_func_strlcat = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_STRLCAT 1
-_ACEOF
-
-fi
-
-
-echo "$as_me:$LINENO: checking for if_nametoindex" >&5
-echo $ECHO_N "checking for if_nametoindex... $ECHO_C" >&6
-if test "${ac_cv_func_if_nametoindex+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define if_nametoindex to an innocuous variant, in case <limits.h> declares if_nametoindex.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define if_nametoindex innocuous_if_nametoindex
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char if_nametoindex (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef if_nametoindex
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char if_nametoindex ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_if_nametoindex) || defined (__stub___if_nametoindex)
-choke me
-#else
-char (*f) () = if_nametoindex;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != if_nametoindex;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_if_nametoindex=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_if_nametoindex=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_if_nametoindex" >&5
-echo "${ECHO_T}$ac_cv_func_if_nametoindex" >&6
-if test $ac_cv_func_if_nametoindex = yes; then
- USE_IFNAMELINKID="#define USE_IFNAMELINKID 1"
-else
- USE_IFNAMELINKID="#undef USE_IFNAMELINKID"
-fi
-
-
-
-ISC_THREAD_DIR=$thread_dir
-
-
-echo "$as_me:$LINENO: checking for daemon" >&5
-echo $ECHO_N "checking for daemon... $ECHO_C" >&6
-if test "${ac_cv_func_daemon+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define daemon to an innocuous variant, in case <limits.h> declares daemon.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define daemon innocuous_daemon
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char daemon (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef daemon
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char daemon ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_daemon) || defined (__stub___daemon)
-choke me
-#else
-char (*f) () = daemon;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != daemon;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_daemon=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_daemon=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5
-echo "${ECHO_T}$ac_cv_func_daemon" >&6
-if test $ac_cv_func_daemon = yes; then
- DAEMON_OBJS="" NEED_DAEMON="#undef NEED_DAEMON"
-
-else
- DAEMON_OBJS="\${DAEMON_OBJS}" NEED_DAEMON="#define NEED_DAEMON 1"
-
-fi
-
-
-
-
-echo "$as_me:$LINENO: checking for strsep" >&5
-echo $ECHO_N "checking for strsep... $ECHO_C" >&6
-if test "${ac_cv_func_strsep+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define strsep to an innocuous variant, in case <limits.h> declares strsep.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define strsep innocuous_strsep
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char strsep (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef strsep
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char strsep ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_strsep) || defined (__stub___strsep)
-choke me
-#else
-char (*f) () = strsep;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != strsep;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_strsep=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_strsep=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strsep" >&5
-echo "${ECHO_T}$ac_cv_func_strsep" >&6
-if test $ac_cv_func_strsep = yes; then
- STRSEP_OBJS="" NEED_STRSEP="#undef NEED_STRSEP"
-
-else
- STRSEP_OBJS="\${STRSEP_OBJS}" NEED_STRSEP="#define NEED_STRSEP 1"
-
-fi
-
-
-
-
-echo "$as_me:$LINENO: checking for strerror" >&5
-echo $ECHO_N "checking for strerror... $ECHO_C" >&6
-if test "${ac_cv_func_strerror+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define strerror to an innocuous variant, in case <limits.h> declares strerror.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define strerror innocuous_strerror
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char strerror (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef strerror
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char strerror ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_strerror) || defined (__stub___strerror)
-choke me
-#else
-char (*f) () = strerror;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != strerror;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_strerror=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_strerror=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
-echo "${ECHO_T}$ac_cv_func_strerror" >&6
-if test $ac_cv_func_strerror = yes; then
- NEED_STRERROR="#undef NEED_STRERROR"
-else
- NEED_STRERROR="#define NEED_STRERROR 1"
-fi
-
-
-
-#
-# flockfile is usually provided by pthreads, but we may want to use it
-# even if compiled with --disable-threads.
-#
-echo "$as_me:$LINENO: checking for flockfile" >&5
-echo $ECHO_N "checking for flockfile... $ECHO_C" >&6
-if test "${ac_cv_func_flockfile+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define flockfile to an innocuous variant, in case <limits.h> declares flockfile.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define flockfile innocuous_flockfile
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char flockfile (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef flockfile
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char flockfile ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_flockfile) || defined (__stub___flockfile)
-choke me
-#else
-char (*f) () = flockfile;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != flockfile;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_flockfile=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_flockfile=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_flockfile" >&5
-echo "${ECHO_T}$ac_cv_func_flockfile" >&6
-if test $ac_cv_func_flockfile = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_FLOCKFILE 1
-_ACEOF
-
-fi
-
-
-#
-# Indicate what the final decision was regarding threads.
-#
-echo "$as_me:$LINENO: checking whether to build with threads" >&5
-echo $ECHO_N "checking whether to build with threads... $ECHO_C" >&6
-if $use_threads; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-#
-# End of pthreads stuff.
-#
-
-#
-# Additional compiler settings.
-#
-MKDEPCC="$CC"
-MKDEPCFLAGS="-M"
-IRIX_DNSSEC_WARNINGS_HACK=""
-
-if test "X$GCC" = "Xyes"; then
- STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
-else
- case $host in
- *-dec-osf*)
- CC="$CC -std"
- CCOPT="$CCOPT -std"
- MKDEPCC="$CC"
- ;;
- *-hp-hpux*)
- CC="$CC -Ae -z"
- # The version of the C compiler that constantly warns about
- # 'const' as well as alignment issues is unfortunately not
- # able to be discerned via the version of the operating
- # system, nor does cc have a version flag.
- case "`$CC +W 123 2>&1`" in
- *Unknown?option*)
- STD_CWARNINGS="+w1"
- ;;
- *)
- # Turn off the pointlessly noisy warnings.
- STD_CWARNINGS="+w1 +W 474,530,2193,2236"
- ;;
- esac
- CCOPT="$CCOPT -Ae -z"
- LIBS="-Wl,+vnocompatwarnings $LIBS"
-MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>&1 | awk '"'"'BEGIN {colon=0; rec="";} { for (i = 0 ; i < NF; i++) { if (colon && a$i) continue; if ($i == "\\") continue; if (!colon) { rec = $i continue; } if ($i == ":") { rec = rec " :" colon = 1 continue; } if (length(rec $i) > 76) { print rec " \\"; rec = "\t" $i; a$i = 1; } else { rec = rec " " $i a$i = 1; } } } END {print rec}'"'"' >>$TMP'
- MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
- ;;
- *-sgi-irix*)
- STD_CWARNINGS="-fullwarn -woff 1209"
- #
- # Silence more than 250 instances of
- # "prototyped function redeclared without prototype"
- # and 11 instances of
- # "variable ... was set but never used"
- # from lib/dns/sec/openssl.
- #
- IRIX_DNSSEC_WARNINGS_HACK="-woff 1692,1552"
- ;;
- *-solaris*)
- MKDEPCFLAGS="-xM"
- ;;
- *-UnixWare*)
- CC="$CC -w"
- ;;
- esac
-fi
-
-#
-# _GNU_SOURCE is needed to access the fd_bits field of struct fd_set, which
-# is supposed to be opaque.
-#
-case $host in
- *linux*)
- STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE"
- ;;
-esac
-
-
-
-
-
-
-#
-# NLS
-#
-echo "$as_me:$LINENO: checking for catgets" >&5
-echo $ECHO_N "checking for catgets... $ECHO_C" >&6
-if test "${ac_cv_func_catgets+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define catgets to an innocuous variant, in case <limits.h> declares catgets.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define catgets innocuous_catgets
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char catgets (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef catgets
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char catgets ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_catgets) || defined (__stub___catgets)
-choke me
-#else
-char (*f) () = catgets;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != catgets;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_catgets=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_catgets=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_catgets" >&5
-echo "${ECHO_T}$ac_cv_func_catgets" >&6
-if test $ac_cv_func_catgets = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_CATGETS 1
-_ACEOF
-
-fi
-
-
-#
-# -lxnet buys us one big porting headache... standards, gotta love 'em.
-#
-# AC_CHECK_LIB(xnet, socket, ,
-# AC_CHECK_LIB(socket, socket)
-# AC_CHECK_LIB(nsl, inet_ntoa)
-# )
-#
-# Use this for now, instead:
-#
-case "$host" in
- mips-sgi-irix*)
- ;;
- ia64-hp-hpux11.*)
-
-echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
-echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6
-if test "${ac_cv_lib_socket_socket+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsocket $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char socket ();
-int
-main ()
-{
-socket ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_socket_socket=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_socket_socket=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
-echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6
-if test $ac_cv_lib_socket_socket = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBSOCKET 1
-_ACEOF
-
- LIBS="-lsocket $LIBS"
-
-fi
-
-
-echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5
-echo $ECHO_N "checking for inet_ntoa in -lnsl... $ECHO_C" >&6
-if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lnsl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char inet_ntoa ();
-int
-main ()
-{
-inet_ntoa ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_nsl_inet_ntoa=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_nsl_inet_ntoa=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_ntoa" >&5
-echo "${ECHO_T}$ac_cv_lib_nsl_inet_ntoa" >&6
-if test $ac_cv_lib_nsl_inet_ntoa = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBNSL 1
-_ACEOF
-
- LIBS="-lnsl $LIBS"
-
-fi
-
- ;;
- *)
-
-echo "$as_me:$LINENO: checking for gethostbyname_r in -ld4r" >&5
-echo $ECHO_N "checking for gethostbyname_r in -ld4r... $ECHO_C" >&6
-if test "${ac_cv_lib_d4r_gethostbyname_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ld4r $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char gethostbyname_r ();
-int
-main ()
-{
-gethostbyname_r ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_d4r_gethostbyname_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_d4r_gethostbyname_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_d4r_gethostbyname_r" >&5
-echo "${ECHO_T}$ac_cv_lib_d4r_gethostbyname_r" >&6
-if test $ac_cv_lib_d4r_gethostbyname_r = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBD4R 1
-_ACEOF
-
- LIBS="-ld4r $LIBS"
-
-fi
-
-
-echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
-echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6
-if test "${ac_cv_lib_socket_socket+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsocket $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char socket ();
-int
-main ()
-{
-socket ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_socket_socket=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_socket_socket=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
-echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6
-if test $ac_cv_lib_socket_socket = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBSOCKET 1
-_ACEOF
-
- LIBS="-lsocket $LIBS"
-
-fi
-
-
-echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5
-echo $ECHO_N "checking for inet_ntoa in -lnsl... $ECHO_C" >&6
-if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lnsl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char inet_ntoa ();
-int
-main ()
-{
-inet_ntoa ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_nsl_inet_ntoa=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_nsl_inet_ntoa=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_ntoa" >&5
-echo "${ECHO_T}$ac_cv_lib_nsl_inet_ntoa" >&6
-if test $ac_cv_lib_nsl_inet_ntoa = yes; then
- cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBNSL 1
-_ACEOF
-
- LIBS="-lnsl $LIBS"
-
-fi
-
- ;;
-esac
-
-#
-# Purify support
-#
-echo "$as_me:$LINENO: checking whether to use purify" >&5
-echo $ECHO_N "checking whether to use purify... $ECHO_C" >&6
-
-# Check whether --with-purify or --without-purify was given.
-if test "${with_purify+set}" = set; then
- withval="$with_purify"
- use_purify="$withval"
-else
- use_purify="no"
-fi;
-
-case "$use_purify" in
- no)
- ;;
- yes)
- # Extract the first word of "purify", so it can be a program name with args.
-set dummy purify; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_path_purify_path+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- case $purify_path in
- [\\/]* | ?:[\\/]*)
- ac_cv_path_purify_path="$purify_path" # Let the user override the test with a path.
- ;;
- *)
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_path_purify_path="$as_dir/$ac_word$ac_exec_ext"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- test -z "$ac_cv_path_purify_path" && ac_cv_path_purify_path="purify"
- ;;
-esac
-fi
-purify_path=$ac_cv_path_purify_path
-
-if test -n "$purify_path"; then
- echo "$as_me:$LINENO: result: $purify_path" >&5
-echo "${ECHO_T}$purify_path" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- ;;
- *)
- purify_path="$use_purify"
- ;;
-esac
-
-case "$use_purify" in
- no)
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- PURIFY=""
- ;;
- *)
- if test -f $purify_path || test $purify_path = purify; then
- echo "$as_me:$LINENO: result: $purify_path" >&5
-echo "${ECHO_T}$purify_path" >&6
- PURIFYFLAGS="`echo $PURIFYOPTIONS`"
- PURIFY="$purify_path $PURIFYFLAGS"
- else
- { { echo "$as_me:$LINENO: error: $purify_path not found.
-
-Please choose the proper path with the following command:
-
- configure --with-purify=PATH
-" >&5
-echo "$as_me: error: $purify_path not found.
-
-Please choose the proper path with the following command:
-
- configure --with-purify=PATH
-" >&2;}
- { (exit 1); exit 1; }; }
- fi
- ;;
-esac
-
-
-
-#
-# GNU libtool support
-#
-
-# Check whether --with-libtool or --without-libtool was given.
-if test "${with_libtool+set}" = set; then
- withval="$with_libtool"
- use_libtool="$withval"
-else
- use_libtool="no"
-fi;
-
-case $use_libtool in
- yes)
- # Check whether --enable-shared or --disable-shared was given.
-if test "${enable_shared+set}" = set; then
- enableval="$enable_shared"
- p=${PACKAGE-default}
- case $enableval in
- yes) enable_shared=yes ;;
- no) enable_shared=no ;;
- *)
- enable_shared=no
- # Look at the argument we got. We use all the common list separators.
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for pkg in $enableval; do
- IFS="$lt_save_ifs"
- if test "X$pkg" = "X$p"; then
- enable_shared=yes
- fi
- done
- IFS="$lt_save_ifs"
- ;;
- esac
-else
- enable_shared=yes
-fi;
-
-# Check whether --enable-static or --disable-static was given.
-if test "${enable_static+set}" = set; then
- enableval="$enable_static"
- p=${PACKAGE-default}
- case $enableval in
- yes) enable_static=yes ;;
- no) enable_static=no ;;
- *)
- enable_static=no
- # Look at the argument we got. We use all the common list separators.
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for pkg in $enableval; do
- IFS="$lt_save_ifs"
- if test "X$pkg" = "X$p"; then
- enable_static=yes
- fi
- done
- IFS="$lt_save_ifs"
- ;;
- esac
-else
- enable_static=yes
-fi;
-
-# Check whether --enable-fast-install or --disable-fast-install was given.
-if test "${enable_fast_install+set}" = set; then
- enableval="$enable_fast_install"
- p=${PACKAGE-default}
- case $enableval in
- yes) enable_fast_install=yes ;;
- no) enable_fast_install=no ;;
- *)
- enable_fast_install=no
- # Look at the argument we got. We use all the common list separators.
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for pkg in $enableval; do
- IFS="$lt_save_ifs"
- if test "X$pkg" = "X$p"; then
- enable_fast_install=yes
- fi
- done
- IFS="$lt_save_ifs"
- ;;
- esac
-else
- enable_fast_install=yes
-fi;
-
-echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
-echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6
-if test "${lt_cv_path_SED+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- # Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for lt_ac_prog in sed gsed; do
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
- lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
- fi
- done
- done
-done
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
- test ! -f $lt_ac_sed && break
- cat /dev/null > conftest.in
- lt_ac_count=0
- echo $ECHO_N "0123456789$ECHO_C" >conftest.in
- # Check for GNU sed and select it if it is found.
- if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
- lt_cv_path_SED=$lt_ac_sed
- break
- fi
- while true; do
- cat conftest.in conftest.in >conftest.tmp
- mv conftest.tmp conftest.in
- cp conftest.in conftest.nl
- echo >>conftest.nl
- $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
- cmp -s conftest.out conftest.nl || break
- # 10000 chars as input seems more than enough
- test $lt_ac_count -gt 10 && break
- lt_ac_count=`expr $lt_ac_count + 1`
- if test $lt_ac_count -gt $lt_ac_max; then
- lt_ac_max=$lt_ac_count
- lt_cv_path_SED=$lt_ac_sed
- fi
- done
-done
-
-fi
-
-SED=$lt_cv_path_SED
-echo "$as_me:$LINENO: result: $SED" >&5
-echo "${ECHO_T}$SED" >&6
-
-
-# Check whether --with-gnu-ld or --without-gnu-ld was given.
-if test "${with_gnu_ld+set}" = set; then
- withval="$with_gnu_ld"
- test "$withval" = no || with_gnu_ld=yes
-else
- with_gnu_ld=no
-fi;
-ac_prog=ld
-if test "$GCC" = yes; then
- # Check if gcc -print-prog-name=ld gives a path.
- echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
- case $host in
- *-*-mingw*)
- # gcc leaves a trailing carriage return which upsets mingw
- ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
- *)
- ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
- esac
- case $ac_prog in
- # Accept absolute paths.
- [\\/]* | ?:[\\/]*)
- re_direlt='/[^/][^/]*/\.\./'
- # Canonicalize the pathname of ld
- ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
- while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
- ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
- done
- test -z "$LD" && LD="$ac_prog"
- ;;
- "")
- # If it fails, then pretend we aren't using GCC.
- ac_prog=ld
- ;;
- *)
- # If it is relative, then search for the first ld in PATH.
- with_gnu_ld=unknown
- ;;
- esac
-elif test "$with_gnu_ld" = yes; then
- echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
-else
- echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
-fi
-if test "${lt_cv_path_LD+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -z "$LD"; then
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for ac_dir in $PATH; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
- lt_cv_path_LD="$ac_dir/$ac_prog"
- # Check to see if the program is GNU ld. I'd rather use --version,
- # but apparently some GNU ld's only accept -v.
- # Break only if it was the GNU/non-GNU ld that we prefer.
- case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
- *GNU* | *'with BFD'*)
- test "$with_gnu_ld" != no && break
- ;;
- *)
- test "$with_gnu_ld" != yes && break
- ;;
- esac
- fi
- done
- IFS="$lt_save_ifs"
-else
- lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi
-fi
-
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
- echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
- { (exit 1); exit 1; }; }
-echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
-if test "${lt_cv_prog_gnu_ld+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- # I'd rather use --version here, but apparently some GNU ld's only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
- lt_cv_prog_gnu_ld=yes
- ;;
-*)
- lt_cv_prog_gnu_ld=no
- ;;
-esac
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6
-with_gnu_ld=$lt_cv_prog_gnu_ld
-
-
-echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
-echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6
-if test "${lt_cv_ld_reload_flag+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_ld_reload_flag='-r'
-fi
-echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
-echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6
-reload_flag=$lt_cv_ld_reload_flag
-case $reload_flag in
-"" | " "*) ;;
-*) reload_flag=" $reload_flag" ;;
-esac
-reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
- darwin*)
- if test "$GCC" = yes; then
- reload_cmds='$CC -nostdlib ${wl}-r -o $output$reload_objs'
- else
- reload_cmds='$LD$reload_flag -o $output$reload_objs'
- fi
- ;;
-esac
-
-echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
-echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6
-if test "${lt_cv_path_NM+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$NM"; then
- # Let the user override the test.
- lt_cv_path_NM="$NM"
-else
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- tmp_nm="$ac_dir/${ac_tool_prefix}nm"
- if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
- # Check to see if the nm accepts a BSD-compat flag.
- # Adding the `sed 1q' prevents false positives on HP-UX, which says:
- # nm: unknown option "B" ignored
- # Tru64's nm complains that /dev/null is an invalid object file
- case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
- */dev/null* | *'Invalid file or object type'*)
- lt_cv_path_NM="$tmp_nm -B"
- break
- ;;
- *)
- case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
- */dev/null*)
- lt_cv_path_NM="$tmp_nm -p"
- break
- ;;
- *)
- lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
- continue # so that we can try to find one that supports BSD flags
- ;;
- esac
- esac
- fi
- done
- IFS="$lt_save_ifs"
- test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
-fi
-fi
-echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
-echo "${ECHO_T}$lt_cv_path_NM" >&6
-NM="$lt_cv_path_NM"
-
-echo "$as_me:$LINENO: checking whether ln -s works" >&5
-echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6
-LN_S=$as_ln_s
-if test "$LN_S" = "ln -s"; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
- echo "$as_me:$LINENO: result: no, using $LN_S" >&5
-echo "${ECHO_T}no, using $LN_S" >&6
-fi
-
-echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5
-echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6
-if test "${lt_cv_deplibs_check_method+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_file_magic_cmd='$MAGIC_CMD'
-lt_cv_file_magic_test_file=
-lt_cv_deplibs_check_method='unknown'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# `unknown' -- same as none, but documents that we really don't know.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_magic [[regex]]' -- check by looking for files in library path
-# which responds to the $file_magic_cmd with a given extended regex.
-# If you have `file' or equivalent on your system and you're not sure
-# whether `pass_all' will *always* work, you probably want this one.
-
-case $host_os in
-aix4* | aix5*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-beos*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-bsdi[45]*)
- lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
- lt_cv_file_magic_cmd='/usr/bin/file -L'
- lt_cv_file_magic_test_file=/shlib/libc.so
- ;;
-
-cygwin*)
- # func_win32_libid is a shell function defined in ltmain.sh
- lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
- lt_cv_file_magic_cmd='func_win32_libid'
- ;;
-
-mingw* | pw32*)
- # Base MSYS/MinGW do not provide the 'file' command needed by
- # func_win32_libid shell function, so use a weaker test based on 'objdump'.
- lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
- lt_cv_file_magic_cmd='$OBJDUMP -f'
- ;;
-
-darwin* | rhapsody*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-freebsd* | kfreebsd*-gnu)
- if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
- case $host_cpu in
- i*86 )
- # Not sure whether the presence of OpenBSD here was a mistake.
- # Let's accept both of them until this is cleared up.
- lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[3-9]86 (compact )?demand paged shared library'
- lt_cv_file_magic_cmd=/usr/bin/file
- lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
- ;;
- esac
- else
- lt_cv_deplibs_check_method=pass_all
- fi
- ;;
-
-gnu*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-hpux10.20* | hpux11*)
- lt_cv_file_magic_cmd=/usr/bin/file
- case "$host_cpu" in
- ia64*)
- lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
- lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
- ;;
- hppa*64*)
- lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
- lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
- ;;
- *)
- lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
- lt_cv_file_magic_test_file=/usr/lib/libc.sl
- ;;
- esac
- ;;
-
-irix5* | irix6* | nonstopux*)
- case $LD in
- *-32|*"-32 ") libmagic=32-bit;;
- *-n32|*"-n32 ") libmagic=N32;;
- *-64|*"-64 ") libmagic=64-bit;;
- *) libmagic=never-match;;
- esac
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-# This must be Linux ELF.
-linux*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
- lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
- else
- lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
- fi
- ;;
-
-newos6*)
- lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
- lt_cv_file_magic_cmd=/usr/bin/file
- lt_cv_file_magic_test_file=/usr/lib/libnls.so
- ;;
-
-nto-qnx*)
- lt_cv_deplibs_check_method=unknown
- ;;
-
-openbsd*)
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$'
- else
- lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
- fi
- ;;
-
-osf3* | osf4* | osf5*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-sco3.2v5*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-solaris*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- case $host_vendor in
- motorola)
- lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
- lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
- ;;
- ncr)
- lt_cv_deplibs_check_method=pass_all
- ;;
- sequent)
- lt_cv_file_magic_cmd='/bin/file'
- lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
- ;;
- sni)
- lt_cv_file_magic_cmd='/bin/file'
- lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
- lt_cv_file_magic_test_file=/lib/libc.so
- ;;
- siemens)
- lt_cv_deplibs_check_method=pass_all
- ;;
- esac
- ;;
-
-sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7* | sysv4*uw2*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-esac
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
-echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6
-file_magic_cmd=$lt_cv_file_magic_cmd
-deplibs_check_method=$lt_cv_deplibs_check_method
-test -z "$deplibs_check_method" && deplibs_check_method=unknown
-
-
-
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
-if test "${enable_libtool_lock+set}" = set; then
- enableval="$enable_libtool_lock"
-
-fi;
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case $host in
-ia64-*-hpux*)
- # Find out which ABI we are using.
- echo 'int i;' > conftest.$ac_ext
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- case `/usr/bin/file conftest.$ac_objext` in
- *ELF-32*)
- HPUX_IA64_MODE="32"
- ;;
- *ELF-64*)
- HPUX_IA64_MODE="64"
- ;;
- esac
- fi
- rm -rf conftest*
- ;;
-*-*-irix6*)
- # Find out which ABI we are using.
- echo '#line 7605 "configure"' > conftest.$ac_ext
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- if test "$lt_cv_prog_gnu_ld" = yes; then
- case `/usr/bin/file conftest.$ac_objext` in
- *32-bit*)
- LD="${LD-ld} -melf32bsmip"
- ;;
- *N32*)
- LD="${LD-ld} -melf32bmipn32"
- ;;
- *64-bit*)
- LD="${LD-ld} -melf64bmip"
- ;;
- esac
- else
- case `/usr/bin/file conftest.$ac_objext` in
- *32-bit*)
- LD="${LD-ld} -32"
- ;;
- *N32*)
- LD="${LD-ld} -n32"
- ;;
- *64-bit*)
- LD="${LD-ld} -64"
- ;;
- esac
- fi
- fi
- rm -rf conftest*
- ;;
-
-x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
- # Find out which ABI we are using.
- echo 'int i;' > conftest.$ac_ext
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- case "`/usr/bin/file conftest.o`" in
- *32-bit*)
- case $host in
- x86_64-*linux*)
- LD="${LD-ld} -m elf_i386"
- ;;
- ppc64-*linux*|powerpc64-*linux*)
- LD="${LD-ld} -m elf32ppclinux"
- ;;
- s390x-*linux*)
- LD="${LD-ld} -m elf_s390"
- ;;
- sparc64-*linux*)
- LD="${LD-ld} -m elf32_sparc"
- ;;
- esac
- ;;
- *64-bit*)
- case $host in
- x86_64-*linux*)
- LD="${LD-ld} -m elf_x86_64"
- ;;
- ppc*-*linux*|powerpc*-*linux*)
- LD="${LD-ld} -m elf64ppc"
- ;;
- s390*-*linux*)
- LD="${LD-ld} -m elf64_s390"
- ;;
- sparc*-*linux*)
- LD="${LD-ld} -m elf64_sparc"
- ;;
- esac
- ;;
- esac
- fi
- rm -rf conftest*
- ;;
-
-*-*-sco3.2v5*)
- # On SCO OpenServer 5, we need -belf to get full-featured binaries.
- SAVE_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -belf"
- echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
-echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6
-if test "${lt_cv_cc_needs_belf+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- lt_cv_cc_needs_belf=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-lt_cv_cc_needs_belf=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
- ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
-echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6
- if test x"$lt_cv_cc_needs_belf" != x"yes"; then
- # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
- CFLAGS="$SAVE_CFLAGS"
- fi
- ;;
-
-esac
-
-need_locks="$enable_libtool_lock"
-
-
-
-for ac_header in dlfcn.h
-do
-as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-else
- # Is the header compilable?
-echo "$as_me:$LINENO: checking $ac_header usability" >&5
-echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_includes_default
-#include <$ac_header>
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_header_compiler=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_header_compiler=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
-echo "${ECHO_T}$ac_header_compiler" >&6
-
-# Is the header present?
-echo "$as_me:$LINENO: checking $ac_header presence" >&5
-echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <$ac_header>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_c_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- ac_header_preproc=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- ac_header_preproc=no
-fi
-rm -f conftest.err conftest.$ac_ext
-echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
-echo "${ECHO_T}$ac_header_preproc" >&6
-
-# So? What about this header?
-case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
- yes:no: )
- { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
-echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
- ac_header_preproc=yes
- ;;
- no:yes:* )
- { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
-echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
-echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
-echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
-echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
-echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
- { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
-echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
- (
- cat <<\_ASBOX
-## ------------------------------------------ ##
-## Report this to the AC_PACKAGE_NAME lists. ##
-## ------------------------------------------ ##
-_ASBOX
- ) |
- sed "s/^/$as_me: WARNING: /" >&2
- ;;
-esac
-echo "$as_me:$LINENO: checking for $ac_header" >&5
-echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
-if eval "test \"\${$as_ac_Header+set}\" = set"; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- eval "$as_ac_Header=\$ac_header_preproc"
-fi
-echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
-echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
-
-fi
-if test `eval echo '${'$as_ac_Header'}'` = yes; then
- cat >>confdefs.h <<_ACEOF
-#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
-_ACEOF
-
-fi
-
-done
-
-ac_ext=cc
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-if test -n "$ac_tool_prefix"; then
- for ac_prog in $CCC g++ c++ gpp aCC CC cxx cc++ cl FCC KCC RCC xlC_r xlC
- do
- # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_CXX+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$CXX"; then
- ac_cv_prog_CXX="$CXX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-CXX=$ac_cv_prog_CXX
-if test -n "$CXX"; then
- echo "$as_me:$LINENO: result: $CXX" >&5
-echo "${ECHO_T}$CXX" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$CXX" && break
- done
-fi
-if test -z "$CXX"; then
- ac_ct_CXX=$CXX
- for ac_prog in $CCC g++ c++ gpp aCC CC cxx cc++ cl FCC KCC RCC xlC_r xlC
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_CXX"; then
- ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_CXX="$ac_prog"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
-if test -n "$ac_ct_CXX"; then
- echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
-echo "${ECHO_T}$ac_ct_CXX" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$ac_ct_CXX" && break
-done
-test -n "$ac_ct_CXX" || ac_ct_CXX="g++"
-
- CXX=$ac_ct_CXX
-fi
-
-
-# Provide some information about the compiler.
-echo "$as_me:$LINENO:" \
- "checking for C++ compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
- (eval $ac_compiler --version </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
- (eval $ac_compiler -v </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
- (eval $ac_compiler -V </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-
-echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6
-if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-#ifndef __GNUC__
- choke me
-#endif
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_compiler_gnu=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_compiler_gnu=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6
-GXX=`test $ac_compiler_gnu = yes && echo yes`
-ac_test_CXXFLAGS=${CXXFLAGS+set}
-ac_save_CXXFLAGS=$CXXFLAGS
-CXXFLAGS="-g"
-echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
-echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6
-if test "${ac_cv_prog_cxx_g+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_prog_cxx_g=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_prog_cxx_g=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
-echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6
-if test "$ac_test_CXXFLAGS" = set; then
- CXXFLAGS=$ac_save_CXXFLAGS
-elif test $ac_cv_prog_cxx_g = yes; then
- if test "$GXX" = yes; then
- CXXFLAGS="-g -O2"
- else
- CXXFLAGS="-g"
- fi
-else
- if test "$GXX" = yes; then
- CXXFLAGS="-O2"
- else
- CXXFLAGS=
- fi
-fi
-for ac_declaration in \
- '' \
- 'extern "C" void std::exit (int) throw (); using std::exit;' \
- 'extern "C" void std::exit (int); using std::exit;' \
- 'extern "C" void exit (int) throw ();' \
- 'extern "C" void exit (int);' \
- 'void exit (int);'
-do
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_declaration
-#include <stdlib.h>
-int
-main ()
-{
-exit (42);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- :
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-continue
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-$ac_declaration
-int
-main ()
-{
-exit (42);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- break
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-done
-rm -f conftest*
-if test -n "$ac_declaration"; then
- echo '#ifdef __cplusplus' >>confdefs.h
- echo $ac_declaration >>confdefs.h
- echo '#endif' >>confdefs.h
-fi
-
-ac_ext=cc
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-
-
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
- ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
- (test "X$CXX" != "Xg++"))) ; then
- ac_ext=cc
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
-echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6
-if test -z "$CXXCPP"; then
- if test "${ac_cv_prog_CXXCPP+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- # Double quotes because CXXCPP needs to be expanded
- for CXXCPP in "$CXX -E" "/lib/cpp"
- do
- ac_preproc_ok=false
-for ac_cxx_preproc_warn_flag in '' yes
-do
- # Use a header file that comes with gcc, so configuring glibc
- # with a fresh cross-compiler works.
- # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- # <limits.h> exists even on freestanding compilers.
- # On the NeXT, cc -E runs the code through the compiler's parser,
- # not just through cpp. "Syntax error" is here to catch this case.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
- Syntax error
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_cxx_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- :
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.$ac_ext
-
- # OK, works on sane cases. Now check whether non-existent headers
- # can be detected and how.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_cxx_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- # Broken: success on invalid input.
-continue
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
- break
-fi
-
- done
- ac_cv_prog_CXXCPP=$CXXCPP
-
-fi
- CXXCPP=$ac_cv_prog_CXXCPP
-else
- ac_cv_prog_CXXCPP=$CXXCPP
-fi
-echo "$as_me:$LINENO: result: $CXXCPP" >&5
-echo "${ECHO_T}$CXXCPP" >&6
-ac_preproc_ok=false
-for ac_cxx_preproc_warn_flag in '' yes
-do
- # Use a header file that comes with gcc, so configuring glibc
- # with a fresh cross-compiler works.
- # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- # <limits.h> exists even on freestanding compilers.
- # On the NeXT, cc -E runs the code through the compiler's parser,
- # not just through cpp. "Syntax error" is here to catch this case.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
- Syntax error
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_cxx_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- :
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Broken: fails on valid input.
-continue
-fi
-rm -f conftest.err conftest.$ac_ext
-
- # OK, works on sane cases. Now check whether non-existent headers
- # can be detected and how.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <ac_nonexistent.h>
-_ACEOF
-if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
- (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } >/dev/null; then
- if test -s conftest.err; then
- ac_cpp_err=$ac_cxx_preproc_warn_flag
- ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
- else
- ac_cpp_err=
- fi
-else
- ac_cpp_err=yes
-fi
-if test -z "$ac_cpp_err"; then
- # Broken: success on invalid input.
-continue
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
- # Passes both tests.
-ac_preproc_ok=:
-break
-fi
-rm -f conftest.err conftest.$ac_ext
-
-done
-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
-rm -f conftest.err conftest.$ac_ext
-if $ac_preproc_ok; then
- :
-else
- { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
-See \`config.log' for more details." >&5
-echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
-See \`config.log' for more details." >&2;}
- { (exit 1); exit 1; }; }
-fi
-
-ac_ext=cc
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-fi
-
-
-ac_ext=f
-ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
-ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_f77_compiler_gnu
-if test -n "$ac_tool_prefix"; then
- for ac_prog in g77 f77 xlf frt pgf77 fort77 fl32 af77 f90 xlf90 pgf90 epcf90 f95 fort xlf95 ifc efc pgf95 lf95 gfortran
- do
- # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
-set dummy $ac_tool_prefix$ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_F77+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$F77"; then
- ac_cv_prog_F77="$F77" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-F77=$ac_cv_prog_F77
-if test -n "$F77"; then
- echo "$as_me:$LINENO: result: $F77" >&5
-echo "${ECHO_T}$F77" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$F77" && break
- done
-fi
-if test -z "$F77"; then
- ac_ct_F77=$F77
- for ac_prog in g77 f77 xlf frt pgf77 fort77 fl32 af77 f90 xlf90 pgf90 epcf90 f95 fort xlf95 ifc efc pgf95 lf95 gfortran
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_F77"; then
- ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_F77="$ac_prog"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-ac_ct_F77=$ac_cv_prog_ac_ct_F77
-if test -n "$ac_ct_F77"; then
- echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
-echo "${ECHO_T}$ac_ct_F77" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- test -n "$ac_ct_F77" && break
-done
-
- F77=$ac_ct_F77
-fi
-
-
-# Provide some information about the compiler.
-echo "$as_me:8602:" \
- "checking for Fortran 77 compiler version" >&5
-ac_compiler=`set X $ac_compile; echo $2`
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
- (eval $ac_compiler --version </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
- (eval $ac_compiler -v </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
- (eval $ac_compiler -V </dev/null >&5) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
-rm -f a.out
-
-# If we don't use `.F' as extension, the preprocessor is not run on the
-# input file. (Note that this only needs to work for GNU compilers.)
-ac_save_ext=$ac_ext
-ac_ext=F
-echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
-echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6
-if test "${ac_cv_f77_compiler_gnu+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
- program main
-#ifndef __GNUC__
- choke me
-#endif
-
- end
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_f77_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_compiler_gnu=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_compiler_gnu=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-ac_cv_f77_compiler_gnu=$ac_compiler_gnu
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
-echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6
-ac_ext=$ac_save_ext
-ac_test_FFLAGS=${FFLAGS+set}
-ac_save_FFLAGS=$FFLAGS
-FFLAGS=
-echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
-echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6
-if test "${ac_cv_prog_f77_g+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- FFLAGS=-g
-cat >conftest.$ac_ext <<_ACEOF
- program main
-
- end
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_f77_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_prog_f77_g=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_prog_f77_g=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
-echo "${ECHO_T}$ac_cv_prog_f77_g" >&6
-if test "$ac_test_FFLAGS" = set; then
- FFLAGS=$ac_save_FFLAGS
-elif test $ac_cv_prog_f77_g = yes; then
- if test "x$ac_cv_f77_compiler_gnu" = xyes; then
- FFLAGS="-g -O2"
- else
- FFLAGS="-g"
- fi
-else
- if test "x$ac_cv_f77_compiler_gnu" = xyes; then
- FFLAGS="-O2"
- else
- FFLAGS=
- fi
-fi
-
-G77=`test $ac_compiler_gnu = yes && echo yes`
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-
-# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
-
-# find the maximum length of command line arguments
-echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
-echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6
-if test "${lt_cv_sys_max_cmd_len+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- i=0
- teststring="ABCD"
-
- case $build_os in
- msdosdjgpp*)
- # On DJGPP, this test can blow up pretty badly due to problems in libc
- # (any single argument exceeding 2000 bytes causes a buffer overrun
- # during glob expansion). Even if it were fixed, the result of this
- # check would be larger than it should be.
- lt_cv_sys_max_cmd_len=12288; # 12K is about right
- ;;
-
- gnu*)
- # Under GNU Hurd, this test is not required because there is
- # no limit to the length of command line arguments.
- # Libtool will interpret -1 as no limit whatsoever
- lt_cv_sys_max_cmd_len=-1;
- ;;
-
- cygwin* | mingw*)
- # On Win9x/ME, this test blows up -- it succeeds, but takes
- # about 5 minutes as the teststring grows exponentially.
- # Worse, since 9x/ME are not pre-emptively multitasking,
- # you end up with a "frozen" computer, even though with patience
- # the test eventually succeeds (with a max line length of 256k).
- # Instead, let's just punt: use the minimum linelength reported by
- # all of the supported platforms: 8192 (on NT/2K/XP).
- lt_cv_sys_max_cmd_len=8192;
- ;;
-
- amigaos*)
- # On AmigaOS with pdksh, this test takes hours, literally.
- # So we just punt and use a minimum line length of 8192.
- lt_cv_sys_max_cmd_len=8192;
- ;;
-
- netbsd* | freebsd* | openbsd* | darwin* )
- # This has been around since 386BSD, at least. Likely further.
- if test -x /sbin/sysctl; then
- lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
- elif test -x /usr/sbin/sysctl; then
- lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
- else
- lt_cv_sys_max_cmd_len=65536 # usable default for *BSD
- fi
- # And add a safety zone
- lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
- ;;
-
- *)
- # If test is not a shell built-in, we'll probably end up computing a
- # maximum length that is only half of the actual maximum length, but
- # we can't tell.
- SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
- while (test "X"`$SHELL $0 --fallback-echo "X$teststring" 2>/dev/null` \
- = "XX$teststring") >/dev/null 2>&1 &&
- new_result=`expr "X$teststring" : ".*" 2>&1` &&
- lt_cv_sys_max_cmd_len=$new_result &&
- test $i != 17 # 1/2 MB should be enough
- do
- i=`expr $i + 1`
- teststring=$teststring$teststring
- done
- teststring=
- # Add a significant safety factor because C++ compilers can tack on massive
- # amounts of additional arguments before passing them to the linker.
- # It appears as though 1/2 is a usable value.
- lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
- ;;
- esac
-
-fi
-
-if test -n $lt_cv_sys_max_cmd_len ; then
- echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
-echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6
-else
- echo "$as_me:$LINENO: result: none" >&5
-echo "${ECHO_T}none" >&6
-fi
-
-
-
-
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
-echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6
-if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
-
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix. What could be older than Ultrix?!! ;)]
-
-# Character class describing NM global symbol codes.
-symcode='[BCDEGRST]'
-
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
-
-# Transform the above into a raw symbol and a C symbol.
-symxfrm='\1 \2\3 \3'
-
-# Transform an extracted symbol line into a proper C declaration
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
-
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
-
-# Define system-specific variables.
-case $host_os in
-aix*)
- symcode='[BCDT]'
- ;;
-cygwin* | mingw* | pw32*)
- symcode='[ABCDGISTW]'
- ;;
-hpux*) # Its linker distinguishes data from code symbols
- if test "$host_cpu" = ia64; then
- symcode='[ABCDEGRST]'
- fi
- lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
- lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
- ;;
-linux*)
- if test "$host_cpu" = ia64; then
- symcode='[ABCDGIRSTW]'
- lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
- lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
- fi
- ;;
-irix* | nonstopux*)
- symcode='[BCDEGRST]'
- ;;
-osf*)
- symcode='[BCDEGQRST]'
- ;;
-solaris* | sysv5*)
- symcode='[BDRT]'
- ;;
-sysv4)
- symcode='[DFNSTU]'
- ;;
-esac
-
-# Handle CRLF in mingw tool chain
-opt_cr=
-case $build_os in
-mingw*)
- opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
- ;;
-esac
-
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
- symcode='[ABCDGIRSTW]' ;;
-esac
-
-# Try without a prefix undercore, then with it.
-for ac_symprfx in "" "_"; do
-
- # Write the raw and C identifiers.
- lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
-
- # Check to see that the pipe works correctly.
- pipe_works=no
-
- rm -f conftest*
- cat > conftest.$ac_ext <<EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(){}
-#ifdef __cplusplus
-}
-#endif
-int main(){nm_test_var='a';nm_test_func();return(0);}
-EOF
-
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- # Now try to grab the symbols.
- nlist=conftest.nm
- if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
- (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s "$nlist"; then
- # Try sorting and uniquifying the output.
- if sort "$nlist" | uniq > "$nlist"T; then
- mv -f "$nlist"T "$nlist"
- else
- rm -f "$nlist"T
- fi
-
- # Make sure that we snagged all the symbols we need.
- if grep ' nm_test_var$' "$nlist" >/dev/null; then
- if grep ' nm_test_func$' "$nlist" >/dev/null; then
- cat <<EOF > conftest.$ac_ext
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-EOF
- # Now generate the symbol file.
- eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
-
- cat <<EOF >> conftest.$ac_ext
-#if defined (__STDC__) && __STDC__
-# define lt_ptr_t void *
-#else
-# define lt_ptr_t char *
-# define const
-#endif
-
-/* The mapping between symbol names and symbols. */
-const struct {
- const char *name;
- lt_ptr_t address;
-}
-lt_preloaded_symbols[] =
-{
-EOF
- $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
- cat <<\EOF >> conftest.$ac_ext
- {0, (lt_ptr_t) 0}
-};
-
-#ifdef __cplusplus
-}
-#endif
-EOF
- # Now try linking the two files.
- mv conftest.$ac_objext conftstm.$ac_objext
- lt_save_LIBS="$LIBS"
- lt_save_CFLAGS="$CFLAGS"
- LIBS="conftstm.$ac_objext"
- CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
- if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s conftest${ac_exeext}; then
- pipe_works=yes
- fi
- LIBS="$lt_save_LIBS"
- CFLAGS="$lt_save_CFLAGS"
- else
- echo "cannot find nm_test_func in $nlist" >&5
- fi
- else
- echo "cannot find nm_test_var in $nlist" >&5
- fi
- else
- echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5
- fi
- else
- echo "$progname: failed program was:" >&5
- cat conftest.$ac_ext >&5
- fi
- rm -f conftest* conftst*
-
- # Do not use the global_symbol_pipe unless it works.
- if test "$pipe_works" = yes; then
- break
- else
- lt_cv_sys_global_symbol_pipe=
- fi
-done
-
-fi
-
-if test -z "$lt_cv_sys_global_symbol_pipe"; then
- lt_cv_sys_global_symbol_to_cdecl=
-fi
-if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
- echo "$as_me:$LINENO: result: failed" >&5
-echo "${ECHO_T}failed" >&6
-else
- echo "$as_me:$LINENO: result: ok" >&5
-echo "${ECHO_T}ok" >&6
-fi
-
-echo "$as_me:$LINENO: checking for objdir" >&5
-echo $ECHO_N "checking for objdir... $ECHO_C" >&6
-if test "${lt_cv_objdir+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
- lt_cv_objdir=.libs
-else
- # MS-DOS does not allow filenames that begin with a dot.
- lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null
-fi
-echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
-echo "${ECHO_T}$lt_cv_objdir" >&6
-objdir=$lt_cv_objdir
-
-
-
-
-
-case $host_os in
-aix3*)
- # AIX sometimes has problems with the GCC collect2 program. For some
- # reason, if we set the COLLECT_NAMES environment variable, the problems
- # vanish in a puff of smoke.
- if test "X${COLLECT_NAMES+set}" != Xset; then
- COLLECT_NAMES=
- export COLLECT_NAMES
- fi
- ;;
-esac
-
-# Sed substitution that helps us do robust quoting. It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='sed -e s/^X//'
-sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
-
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
-# Constants:
-rm="rm -f"
-
-# Global variables:
-default_ofile=libtool
-can_build_shared=yes
-
-# All known linkers require a `.a' archive for static linking (except M$VC,
-# which needs '.lib').
-libext=a
-ltmain="$ac_aux_dir/ltmain.sh"
-ofile="$default_ofile"
-with_gnu_ld="$lt_cv_prog_gnu_ld"
-
-if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ar; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_AR+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$AR"; then
- ac_cv_prog_AR="$AR" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_AR="${ac_tool_prefix}ar"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-AR=$ac_cv_prog_AR
-if test -n "$AR"; then
- echo "$as_me:$LINENO: result: $AR" >&5
-echo "${ECHO_T}$AR" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_AR"; then
- ac_ct_AR=$AR
- # Extract the first word of "ar", so it can be a program name with args.
-set dummy ar; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_AR"; then
- ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_AR="ar"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- test -z "$ac_cv_prog_ac_ct_AR" && ac_cv_prog_ac_ct_AR="false"
-fi
-fi
-ac_ct_AR=$ac_cv_prog_ac_ct_AR
-if test -n "$ac_ct_AR"; then
- echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
-echo "${ECHO_T}$ac_ct_AR" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- AR=$ac_ct_AR
-else
- AR="$ac_cv_prog_AR"
-fi
-
-if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
-set dummy ${ac_tool_prefix}ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_RANLIB+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$RANLIB"; then
- ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-RANLIB=$ac_cv_prog_RANLIB
-if test -n "$RANLIB"; then
- echo "$as_me:$LINENO: result: $RANLIB" >&5
-echo "${ECHO_T}$RANLIB" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_RANLIB"; then
- ac_ct_RANLIB=$RANLIB
- # Extract the first word of "ranlib", so it can be a program name with args.
-set dummy ranlib; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_RANLIB"; then
- ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_RANLIB="ranlib"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
-fi
-fi
-ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
-if test -n "$ac_ct_RANLIB"; then
- echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
-echo "${ECHO_T}$ac_ct_RANLIB" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- RANLIB=$ac_ct_RANLIB
-else
- RANLIB="$ac_cv_prog_RANLIB"
-fi
-
-if test -n "$ac_tool_prefix"; then
- # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
-set dummy ${ac_tool_prefix}strip; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_STRIP+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$STRIP"; then
- ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_STRIP="${ac_tool_prefix}strip"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
-fi
-fi
-STRIP=$ac_cv_prog_STRIP
-if test -n "$STRIP"; then
- echo "$as_me:$LINENO: result: $STRIP" >&5
-echo "${ECHO_T}$STRIP" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-fi
-if test -z "$ac_cv_prog_STRIP"; then
- ac_ct_STRIP=$STRIP
- # Extract the first word of "strip", so it can be a program name with args.
-set dummy strip; ac_word=$2
-echo "$as_me:$LINENO: checking for $ac_word" >&5
-echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
-if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -n "$ac_ct_STRIP"; then
- ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
- ac_cv_prog_ac_ct_STRIP="strip"
- echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
- break 2
- fi
-done
-done
-
- test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":"
-fi
-fi
-ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
-if test -n "$ac_ct_STRIP"; then
- echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
-echo "${ECHO_T}$ac_ct_STRIP" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- STRIP=$ac_ct_STRIP
-else
- STRIP="$ac_cv_prog_STRIP"
-fi
-
-
-old_CC="$CC"
-old_CFLAGS="$CFLAGS"
-
-# Set sane defaults for various variables
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-test -z "$AS" && AS=as
-test -z "$CC" && CC=cc
-test -z "$LTCC" && LTCC=$CC
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-test -z "$LD" && LD=ld
-test -z "$LN_S" && LN_S="ln -s"
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-test -z "$NM" && NM=nm
-test -z "$SED" && SED=sed
-test -z "$OBJDUMP" && OBJDUMP=objdump
-test -z "$RANLIB" && RANLIB=:
-test -z "$STRIP" && STRIP=:
-test -z "$ac_objext" && ac_objext=o
-
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
- case $host_os in
- openbsd*)
- old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
- ;;
- *)
- old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
- ;;
- esac
- old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
-fi
-
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
-# Only perform the check for file, if the check method requires it
-case $deplibs_check_method in
-file_magic*)
- if test "$file_magic_cmd" = '$MAGIC_CMD'; then
- echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
-echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- case $MAGIC_CMD in
-[\\/*] | ?:[\\/]*)
- lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
- ;;
-*)
- lt_save_MAGIC_CMD="$MAGIC_CMD"
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
- for ac_dir in $ac_dummy; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- if test -f $ac_dir/${ac_tool_prefix}file; then
- lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file"
- if test -n "$file_magic_test_file"; then
- case $deplibs_check_method in
- "file_magic "*)
- file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
- MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
- if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
- $EGREP "$file_magic_regex" > /dev/null; then
- :
- else
- cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such. This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem. Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-EOF
- fi ;;
- esac
- fi
- break
- fi
- done
- IFS="$lt_save_ifs"
- MAGIC_CMD="$lt_save_MAGIC_CMD"
- ;;
-esac
-fi
-
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
- echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
-if test -z "$lt_cv_path_MAGIC_CMD"; then
- if test -n "$ac_tool_prefix"; then
- echo "$as_me:$LINENO: checking for file" >&5
-echo $ECHO_N "checking for file... $ECHO_C" >&6
-if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- case $MAGIC_CMD in
-[\\/*] | ?:[\\/]*)
- lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
- ;;
-*)
- lt_save_MAGIC_CMD="$MAGIC_CMD"
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
- for ac_dir in $ac_dummy; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- if test -f $ac_dir/file; then
- lt_cv_path_MAGIC_CMD="$ac_dir/file"
- if test -n "$file_magic_test_file"; then
- case $deplibs_check_method in
- "file_magic "*)
- file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
- MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
- if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
- $EGREP "$file_magic_regex" > /dev/null; then
- :
- else
- cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such. This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem. Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-EOF
- fi ;;
- esac
- fi
- break
- fi
- done
- IFS="$lt_save_ifs"
- MAGIC_CMD="$lt_save_MAGIC_CMD"
- ;;
-esac
-fi
-
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
- echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
-echo "${ECHO_T}$MAGIC_CMD" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-
- else
- MAGIC_CMD=:
- fi
-fi
-
- fi
- ;;
-esac
-
-enable_dlopen=no
-enable_win32_dll=no
-
-# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
-if test "${enable_libtool_lock+set}" = set; then
- enableval="$enable_libtool_lock"
-
-fi;
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-
-# Check whether --with-pic or --without-pic was given.
-if test "${with_pic+set}" = set; then
- withval="$with_pic"
- pic_mode="$withval"
-else
- pic_mode=default
-fi;
-test -z "$pic_mode" && pic_mode=default
-
-# Use C for the default configuration in the libtool script
-tagname=
-lt_save_CC="$CC"
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-
-# Source file extension for C test sources.
-ac_ext=c
-
-# Object file extension for compiled C test sources.
-objext=o
-objext=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}\n'
-
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-#
-# Check for any special shared library compilation flags.
-#
-lt_prog_cc_shlib=
-if test "$GCC" = no; then
- case $host_os in
- sco3.2v5*)
- lt_prog_cc_shlib='-belf'
- ;;
- esac
-fi
-if test -n "$lt_prog_cc_shlib"; then
- { echo "$as_me:$LINENO: WARNING: \`$CC' requires \`$lt_prog_cc_shlib' to build shared libraries" >&5
-echo "$as_me: WARNING: \`$CC' requires \`$lt_prog_cc_shlib' to build shared libraries" >&2;}
- if echo "$old_CC $old_CFLAGS " | grep "[ ]$lt_prog_cc_shlib[ ]" >/dev/null; then :
- else
- { echo "$as_me:$LINENO: WARNING: add \`$lt_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&5
-echo "$as_me: WARNING: add \`$lt_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&2;}
- lt_cv_prog_cc_can_build_shared=no
- fi
-fi
-
-
-#
-# Check to make sure the static flag actually works.
-#
-echo "$as_me:$LINENO: checking if $compiler static flag $lt_prog_compiler_static works" >&5
-echo $ECHO_N "checking if $compiler static flag $lt_prog_compiler_static works... $ECHO_C" >&6
-if test "${lt_prog_compiler_static_works+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_prog_compiler_static_works=no
- save_LDFLAGS="$LDFLAGS"
- LDFLAGS="$LDFLAGS $lt_prog_compiler_static"
- printf "$lt_simple_link_test_code" > conftest.$ac_ext
- if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test -s conftest.err; then
- # Append any errors to the config.log.
- cat conftest.err 1>&5
- else
- lt_prog_compiler_static_works=yes
- fi
- fi
- $rm conftest*
- LDFLAGS="$save_LDFLAGS"
-
-fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5
-echo "${ECHO_T}$lt_prog_compiler_static_works" >&6
-
-if test x"$lt_prog_compiler_static_works" = xyes; then
- :
-else
- lt_prog_compiler_static=
-fi
-
-
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-
-lt_prog_compiler_no_builtin_flag=
-
-if test "$GCC" = yes; then
- lt_prog_compiler_no_builtin_flag=' -fno-builtin'
-
-
-echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_prog_compiler_rtti_exceptions=no
- ac_outfile=conftest.$ac_objext
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
- lt_compiler_flag="-fno-rtti -fno-exceptions"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- # The option is referenced via a variable to avoid confusing sed.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9663: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>conftest.err)
- ac_status=$?
- cat conftest.err >&5
- echo "$as_me:9667: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s "$ac_outfile"; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s conftest.err; then
- lt_cv_prog_compiler_rtti_exceptions=yes
- fi
- fi
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6
-
-if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
- lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
-else
- :
-fi
-
-fi
-
-lt_prog_compiler_wl=
-lt_prog_compiler_pic=
-lt_prog_compiler_static=
-
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
-
- if test "$GCC" = yes; then
- lt_prog_compiler_wl='-Wl,'
- lt_prog_compiler_static='-static'
-
- case $host_os in
- aix*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static='-Bstatic'
- fi
- ;;
-
- amigaos*)
- # FIXME: we need at least 68020 code to build shared libraries, but
- # adding the `-m68020' flag to GCC prevents building anything better,
- # like `-m68040'.
- lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
- ;;
-
- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
- # PIC is the default for these OSes.
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- lt_prog_compiler_pic='-DDLL_EXPORT'
- ;;
-
- darwin* | rhapsody*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- lt_prog_compiler_pic='-fno-common'
- ;;
-
- msdosdjgpp*)
- # Just because we use GCC doesn't mean we suddenly get shared libraries
- # on systems that don't support them.
- lt_prog_compiler_can_build_shared=no
- enable_shared=no
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- lt_prog_compiler_pic=-Kconform_pic
- fi
- ;;
-
- hpux*)
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- lt_prog_compiler_pic='-fPIC'
- ;;
- esac
- ;;
-
- *)
- lt_prog_compiler_pic='-fPIC'
- ;;
- esac
- else
- # PORTME Check for flag to pass linker flags through the system compiler.
- case $host_os in
- aix*)
- lt_prog_compiler_wl='-Wl,'
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static='-Bstatic'
- else
- lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
- fi
- ;;
- darwin*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- case "$cc_basename" in
- xlc*)
- lt_prog_compiler_pic='-qnocommon'
- lt_prog_compiler_wl='-Wl,'
- ;;
- esac
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- lt_prog_compiler_pic='-DDLL_EXPORT'
- ;;
-
- hpux9* | hpux10* | hpux11*)
- lt_prog_compiler_wl='-Wl,'
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- lt_prog_compiler_pic='+Z'
- ;;
- esac
- # Is there a better lt_prog_compiler_static that works with the bundled CC?
- lt_prog_compiler_static='${wl}-a ${wl}archive'
- ;;
-
- irix5* | irix6* | nonstopux*)
- lt_prog_compiler_wl='-Wl,'
- # PIC (with -KPIC) is the default.
- lt_prog_compiler_static='-non_shared'
- ;;
-
- newsos6)
- lt_prog_compiler_pic='-KPIC'
- lt_prog_compiler_static='-Bstatic'
- ;;
-
- linux*)
- case $CC in
- icc* | ecc*)
- lt_prog_compiler_wl='-Wl,'
- lt_prog_compiler_pic='-KPIC'
- lt_prog_compiler_static='-static'
- ;;
- ccc*)
- lt_prog_compiler_wl='-Wl,'
- # All Alpha code is PIC.
- lt_prog_compiler_static='-non_shared'
- ;;
- esac
- ;;
-
- osf3* | osf4* | osf5*)
- lt_prog_compiler_wl='-Wl,'
- # All OSF/1 code is PIC.
- lt_prog_compiler_static='-non_shared'
- ;;
-
- sco3.2v5*)
- lt_prog_compiler_pic='-Kpic'
- lt_prog_compiler_static='-dn'
- ;;
-
- solaris*)
- lt_prog_compiler_wl='-Wl,'
- lt_prog_compiler_pic='-KPIC'
- lt_prog_compiler_static='-Bstatic'
- ;;
-
- sunos4*)
- lt_prog_compiler_wl='-Qoption ld '
- lt_prog_compiler_pic='-PIC'
- lt_prog_compiler_static='-Bstatic'
- ;;
-
- sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- lt_prog_compiler_wl='-Wl,'
- lt_prog_compiler_pic='-KPIC'
- lt_prog_compiler_static='-Bstatic'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec ;then
- lt_prog_compiler_pic='-Kconform_pic'
- lt_prog_compiler_static='-Bstatic'
- fi
- ;;
-
- uts4*)
- lt_prog_compiler_pic='-pic'
- lt_prog_compiler_static='-Bstatic'
- ;;
-
- *)
- lt_prog_compiler_can_build_shared=no
- ;;
- esac
- fi
-
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic" >&6
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic"; then
-
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6
-if test "${lt_prog_compiler_pic_works+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_prog_compiler_pic_works=no
- ac_outfile=conftest.$ac_objext
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
- lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- # The option is referenced via a variable to avoid confusing sed.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9906: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>conftest.err)
- ac_status=$?
- cat conftest.err >&5
- echo "$as_me:9910: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s "$ac_outfile"; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s conftest.err; then
- lt_prog_compiler_pic_works=yes
- fi
- fi
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6
-
-if test x"$lt_prog_compiler_pic_works" = xyes; then
- case $lt_prog_compiler_pic in
- "" | " "*) ;;
- *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
- esac
-else
- lt_prog_compiler_pic=
- lt_prog_compiler_can_build_shared=no
-fi
-
-fi
-case "$host_os" in
- # For platforms which do not support PIC, -DPIC is meaningless:
- *djgpp*)
- lt_prog_compiler_pic=
- ;;
- *)
- lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
- ;;
-esac
-
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
-if test "${lt_cv_prog_compiler_c_o+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_prog_compiler_c_o=no
- $rm -r conftest 2>/dev/null
- mkdir conftest
- cd conftest
- mkdir out
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- lt_compiler_flag="-o out/conftest2.$ac_objext"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:9966: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>out/conftest.err)
- ac_status=$?
- cat out/conftest.err >&5
- echo "$as_me:9970: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s out/conftest2.$ac_objext
- then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s out/conftest.err; then
- lt_cv_prog_compiler_c_o=yes
- fi
- fi
- chmod u+w .
- $rm conftest*
- # SGI C++ compiler will create directory out/ii_files/ for
- # template instantiation
- test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
- $rm out/* && rmdir out
- cd ..
- rmdir conftest
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
- # do not overwrite the value of need_locks provided by the user
- echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
- hard_links=yes
- $rm conftest*
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- touch conftest.a
- ln conftest.a conftest.b 2>&5 || hard_links=no
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
- if test "$hard_links" = no; then
- { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
- need_locks=warn
- fi
-else
- need_locks=no
-fi
-
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
-
- runpath_var=
- allow_undefined_flag=
- enable_shared_with_static_runtimes=no
- archive_cmds=
- archive_expsym_cmds=
- old_archive_From_new_cmds=
- old_archive_from_expsyms_cmds=
- export_dynamic_flag_spec=
- whole_archive_flag_spec=
- thread_safe_flag_spec=
- hardcode_libdir_flag_spec=
- hardcode_libdir_flag_spec_ld=
- hardcode_libdir_separator=
- hardcode_direct=no
- hardcode_minus_L=no
- hardcode_shlibpath_var=unsupported
- link_all_deplibs=unknown
- hardcode_automatic=no
- module_cmds=
- module_expsym_cmds=
- always_export_symbols=no
- export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- # include_expsyms should be a list of space-separated symbols to be *always*
- # included in the symbol list
- include_expsyms=
- # exclude_expsyms can be an extended regexp of symbols to exclude
- # it will be wrapped by ` (' and `)$', so one must not match beginning or
- # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
- # as well as any symbol that contains `d'.
- exclude_expsyms="_GLOBAL_OFFSET_TABLE_"
- # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
- # platforms (ab)use it in PIC code, but their linkers get confused if
- # the symbol is explicitly referenced. Since portable code cannot
- # rely on this symbol name, it's probably fine to never include it in
- # preloaded symbol tables.
- extract_expsyms_cmds=
-
- case $host_os in
- cygwin* | mingw* | pw32*)
- # FIXME: the MSVC++ port hasn't been tested in a loooong time
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- if test "$GCC" != yes; then
- with_gnu_ld=no
- fi
- ;;
- openbsd*)
- with_gnu_ld=no
- ;;
- esac
-
- ld_shlibs=yes
- if test "$with_gnu_ld" = yes; then
- # If archive_cmds runs LD, not CC, wlarc should be empty
- wlarc='${wl}'
-
- # See if GNU ld supports shared libraries.
- case $host_os in
- aix3* | aix4* | aix5*)
- # On AIX/PPC, the GNU linker is very broken
- if test "$host_cpu" != ia64; then
- ld_shlibs=no
- cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support. If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
- fi
- ;;
-
- amigaos*)
- archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_minus_L=yes
-
- # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
- # that the semantics of dynamic libraries on AmigaOS, at least up
- # to version 4, is to share data among multiple programs linked
- # with the same dynamic library. Since this doesn't match the
- # behavior of shared libraries on other platforms, we can't use
- # them.
- ld_shlibs=no
- ;;
-
- beos*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- allow_undefined_flag=unsupported
- # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
- # support --undefined. This deserves some investigation. FIXME
- archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- else
- ld_shlibs=no
- fi
- ;;
-
- cygwin* | mingw* | pw32*)
- # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
- # as there is no search path for DLLs.
- hardcode_libdir_flag_spec='-L$libdir'
- allow_undefined_flag=unsupported
- always_export_symbols=no
- enable_shared_with_static_runtimes=yes
- export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
-
- if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- # If the export-symbols file already is a .def file (1st line
- # is EXPORTS), use it as is; otherwise, prepend...
- archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
- cp $export_symbols $output_objdir/$soname.def;
- else
- echo EXPORTS > $output_objdir/$soname.def;
- cat $export_symbols >> $output_objdir/$soname.def;
- fi~
- $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- else
- ld_shlibs=no
- fi
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
- wlarc=
- else
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- fi
- ;;
-
- solaris* | sysv5*)
- if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
- ld_shlibs=no
- cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems. Therefore, libtool
-*** is disabling shared libraries support. We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer. Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
- elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- ld_shlibs=no
- fi
- ;;
-
- sunos4*)
- archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- wlarc=
- hardcode_direct=yes
- hardcode_shlibpath_var=no
- ;;
-
- linux*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_cmds="$tmp_archive_cmds"
- supports_anon_versioning=no
- case `$LD -v 2>/dev/null` in
- *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
- *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
- *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
- *\ 2.11.*) ;; # other 2.11 versions
- *) supports_anon_versioning=yes ;;
- esac
- if test $supports_anon_versioning = yes; then
- archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
- $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
- else
- archive_expsym_cmds="$tmp_archive_cmds"
- fi
- else
- ld_shlibs=no
- fi
- ;;
-
- *)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- ld_shlibs=no
- fi
- ;;
- esac
-
- if test "$ld_shlibs" = yes; then
- runpath_var=LD_RUN_PATH
- hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
- export_dynamic_flag_spec='${wl}--export-dynamic'
- # ancient GNU ld didn't support --whole-archive et. al.
- if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- else
- whole_archive_flag_spec=
- fi
- fi
- else
- # PORTME fill in a description of your system's linker (not GNU ld)
- case $host_os in
- aix3*)
- allow_undefined_flag=unsupported
- always_export_symbols=yes
- archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
- # Note: this linker hardcodes the directories in LIBPATH if there
- # are no directories specified by -L.
- hardcode_minus_L=yes
- if test "$GCC" = yes && test -z "$link_static_flag"; then
- # Neither direct hardcoding nor static linking is supported with a
- # broken collect2.
- hardcode_direct=unsupported
- fi
- ;;
-
- aix4* | aix5*)
- if test "$host_cpu" = ia64; then
- # On IA64, the linker does run time linking by default, so we don't
- # have to do anything special.
- aix_use_runtimelinking=no
- exp_sym_flag='-Bexport'
- no_entry_flag=""
- else
- # If we're using GNU nm, then we don't want the "-C" option.
- # -C means demangle to AIX nm, but means don't demangle with GNU nm
- if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
- export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- else
- export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- fi
- aix_use_runtimelinking=no
-
- # Test if we are trying to use run time linking or normal
- # AIX style linking. If -brtl is somewhere in LDFLAGS, we
- # need to do runtime linking.
- case $host_os in aix4.[23]|aix4.[23].*|aix5*)
- for ld_flag in $LDFLAGS; do
- if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
- aix_use_runtimelinking=yes
- break
- fi
- done
- esac
-
- exp_sym_flag='-bexport'
- no_entry_flag='-bnoentry'
- fi
-
- # When large executables or shared objects are built, AIX ld can
- # have problems creating the table of contents. If linking a library
- # or program results in "error TOC overflow" add -mminimal-toc to
- # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
- # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
- archive_cmds=''
- hardcode_direct=yes
- hardcode_libdir_separator=':'
- link_all_deplibs=yes
-
- if test "$GCC" = yes; then
- case $host_os in aix4.012|aix4.012.*)
- # We only want to do this on AIX 4.2 and lower, the check
- # below for broken collect2 doesn't work under 4.3+
- collect2name=`${CC} -print-prog-name=collect2`
- if test -f "$collect2name" && \
- strings "$collect2name" | grep resolve_lib_name >/dev/null
- then
- # We have reworked collect2
- hardcode_direct=yes
- else
- # We have old collect2
- hardcode_direct=unsupported
- # It fails to find uninstalled libraries when the uninstalled
- # path is not listed in the libpath. Setting hardcode_minus_L
- # to unsupported forces relinking
- hardcode_minus_L=yes
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_libdir_separator=
- fi
- esac
- shared_flag='-shared'
- else
- # not using gcc
- if test "$host_cpu" = ia64; then
- # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
- # chokes on -Wl,-G. The following line is correct:
- shared_flag='-G'
- else
- if test "$aix_use_runtimelinking" = yes; then
- shared_flag='${wl}-G'
- else
- shared_flag='${wl}-bM:SRE'
- fi
- fi
- fi
-
- # It seems that -bexpall does not export symbols beginning with
- # underscore (_), so it is better to generate a list of symbols to export.
- always_export_symbols=yes
- if test "$aix_use_runtimelinking" = yes; then
- # Warning - without using the other runtime loading flags (-brtl),
- # -berok will link without error, but may produce a broken library.
- allow_undefined_flag='-berok'
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
- archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
- else
- if test "$host_cpu" = ia64; then
- hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
- allow_undefined_flag="-z nodefs"
- archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
- else
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
- # Warning - without using the other run time loading flags,
- # -berok will link without error, but may produce a broken library.
- no_undefined_flag=' ${wl}-bernotok'
- allow_undefined_flag=' ${wl}-berok'
- # -bexpall does not export symbols beginning with underscore (_)
- always_export_symbols=yes
- # Exported symbols can be pulled into shared objects from archives
- whole_archive_flag_spec=' '
- archive_cmds_need_lc=yes
- # This is similar to how AIX traditionally builds it's shared libraries.
- archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
- fi
- fi
- ;;
-
- amigaos*)
- archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_minus_L=yes
- # see comment about different semantics on the GNU ld section
- ld_shlibs=no
- ;;
-
- bsdi[45]*)
- export_dynamic_flag_spec=-rdynamic
- ;;
-
- cygwin* | mingw* | pw32*)
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- # hardcode_libdir_flag_spec is actually meaningless, as there is
- # no search path for DLLs.
- hardcode_libdir_flag_spec=' '
- allow_undefined_flag=unsupported
- # Tell ltmain to make .lib files, not .a files.
- libext=lib
- # Tell ltmain to make .dll files, not .so files.
- shrext_cmds=".dll"
- # FIXME: Setting linknames here is a bad hack.
- archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
- # The linker will automatically build a .lib file if we build a DLL.
- old_archive_From_new_cmds='true'
- # FIXME: Should let the user specify the lib program.
- old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs'
- fix_srcfile_path='`cygpath -w "$srcfile"`'
- enable_shared_with_static_runtimes=yes
- ;;
-
- darwin* | rhapsody*)
- case "$host_os" in
- rhapsody* | darwin1.[012])
- allow_undefined_flag='${wl}-undefined ${wl}suppress'
- ;;
- *) # Darwin 1.3 on
- if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
- allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- else
- case ${MACOSX_DEPLOYMENT_TARGET} in
- 10.[012])
- allow_undefined_flag='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- ;;
- 10.*)
- allow_undefined_flag='${wl}-undefined ${wl}dynamic_lookup'
- ;;
- esac
- fi
- ;;
- esac
- archive_cmds_need_lc=no
- hardcode_direct=no
- hardcode_automatic=yes
- hardcode_shlibpath_var=unsupported
- whole_archive_flag_spec=''
- link_all_deplibs=yes
- if test "$GCC" = yes ; then
- output_verbose_link_cmd='echo'
- archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- case "$cc_basename" in
- xlc*)
- output_verbose_link_cmd='echo'
- archive_cmds='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
- module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- ;;
- *)
- ld_shlibs=no
- ;;
- esac
- fi
- ;;
-
- dgux*)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_shlibpath_var=no
- ;;
-
- freebsd1*)
- ld_shlibs=no
- ;;
-
- # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
- # support. Future versions do this automatically, but an explicit c++rt0.o
- # does not break anything, and helps significantly (at the cost of a little
- # extra space).
- freebsd2.2*)
- archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
- hardcode_libdir_flag_spec='-R$libdir'
- hardcode_direct=yes
- hardcode_shlibpath_var=no
- ;;
-
- # Unfortunately, older versions of FreeBSD 2 do not have this feature.
- freebsd2*)
- archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct=yes
- hardcode_minus_L=yes
- hardcode_shlibpath_var=no
- ;;
-
- # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
- freebsd* | kfreebsd*-gnu)
- archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='-R$libdir'
- hardcode_direct=yes
- hardcode_shlibpath_var=no
- ;;
-
- hpux9*)
- if test "$GCC" = yes; then
- archive_cmds='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- else
- archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- fi
- hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator=:
- hardcode_direct=yes
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L=yes
- export_dynamic_flag_spec='${wl}-E'
- ;;
-
- hpux10* | hpux11*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*|ia64*)
- archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- *)
- archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- esac
- else
- case "$host_cpu" in
- hppa*64*|ia64*)
- archive_cmds='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
- ;;
- *)
- archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
- ;;
- esac
- fi
- if test "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*)
- hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
- hardcode_libdir_flag_spec_ld='+b $libdir'
- hardcode_libdir_separator=:
- hardcode_direct=no
- hardcode_shlibpath_var=no
- ;;
- ia64*)
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_direct=no
- hardcode_shlibpath_var=no
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L=yes
- ;;
- *)
- hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator=:
- hardcode_direct=yes
- export_dynamic_flag_spec='${wl}-E'
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L=yes
- ;;
- esac
- fi
- ;;
-
- irix5* | irix6* | nonstopux*)
- if test "$GCC" = yes; then
- archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- hardcode_libdir_flag_spec_ld='-rpath $libdir'
- fi
- hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator=:
- link_all_deplibs=yes
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
- else
- archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
- fi
- hardcode_libdir_flag_spec='-R$libdir'
- hardcode_direct=yes
- hardcode_shlibpath_var=no
- ;;
-
- newsos6)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct=yes
- hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator=:
- hardcode_shlibpath_var=no
- ;;
-
- openbsd*)
- hardcode_direct=yes
- hardcode_shlibpath_var=no
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
- hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
- export_dynamic_flag_spec='${wl}-E'
- else
- case $host_os in
- openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
- archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec='-R$libdir'
- ;;
- *)
- archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
- ;;
- esac
- fi
- ;;
-
- os2*)
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_minus_L=yes
- allow_undefined_flag=unsupported
- archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
- old_archive_From_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
- ;;
-
- osf3*)
- if test "$GCC" = yes; then
- allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- allow_undefined_flag=' -expect_unresolved \*'
- archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- fi
- hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator=:
- ;;
-
- osf4* | osf5*) # as osf3* with the addition of -msym flag
- if test "$GCC" = yes; then
- allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
- else
- allow_undefined_flag=' -expect_unresolved \*'
- archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
- $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
-
- # Both c and cxx compiler support -rpath directly
- hardcode_libdir_flag_spec='-rpath $libdir'
- fi
- hardcode_libdir_separator=:
- ;;
-
- sco3.2v5*)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var=no
- export_dynamic_flag_spec='${wl}-Bexport'
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ;;
-
- solaris*)
- no_undefined_flag=' -z text'
- if test "$GCC" = yes; then
- archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
- else
- archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- fi
- hardcode_libdir_flag_spec='-R$libdir'
- hardcode_shlibpath_var=no
- case $host_os in
- solaris2.[0-5] | solaris2.[0-5].*) ;;
- *) # Supported since Solaris 2.6 (maybe 2.5.1?)
- whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
- esac
- link_all_deplibs=yes
- ;;
-
- sunos4*)
- if test "x$host_vendor" = xsequent; then
- # Use $CC to link under sequent, because it throws in some extra .o
- # files that make .init and .fini sections work.
- archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
- fi
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_direct=yes
- hardcode_minus_L=yes
- hardcode_shlibpath_var=no
- ;;
-
- sysv4)
- case $host_vendor in
- sni)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct=yes # is this really true???
- ;;
- siemens)
- ## LD is ld it makes a PLAMLIB
- ## CC just makes a GrossModule.
- archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- reload_cmds='$CC -r -o $output$reload_objs'
- hardcode_direct=no
- ;;
- motorola)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct=no #Motorola manual says yes, but my tests say they lie
- ;;
- esac
- runpath_var='LD_RUN_PATH'
- hardcode_shlibpath_var=no
- ;;
-
- sysv4.3*)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var=no
- export_dynamic_flag_spec='-Bexport'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var=no
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ld_shlibs=yes
- fi
- ;;
-
- sysv4.2uw2*)
- archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct=yes
- hardcode_minus_L=no
- hardcode_shlibpath_var=no
- hardcode_runpath_var=yes
- runpath_var=LD_RUN_PATH
- ;;
-
- sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
- no_undefined_flag='${wl}-z ${wl}text'
- if test "$GCC" = yes; then
- archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- archive_cmds='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- fi
- runpath_var='LD_RUN_PATH'
- hardcode_shlibpath_var=no
- ;;
-
- sysv5*)
- no_undefined_flag=' -z text'
- # $CC -shared without GNU ld will not create a library from C++
- # object files and a static libstdc++, better avoid it by now
- archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- hardcode_libdir_flag_spec=
- hardcode_shlibpath_var=no
- runpath_var='LD_RUN_PATH'
- ;;
-
- uts4*)
- archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec='-L$libdir'
- hardcode_shlibpath_var=no
- ;;
-
- *)
- ld_shlibs=no
- ;;
- esac
- fi
-
-echo "$as_me:$LINENO: result: $ld_shlibs" >&5
-echo "${ECHO_T}$ld_shlibs" >&6
-test "$ld_shlibs" = no && can_build_shared=no
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
- variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc" in
-x|xyes)
- # Assume -lc should be added
- archive_cmds_need_lc=yes
-
- if test "$enable_shared" = yes && test "$GCC" = yes; then
- case $archive_cmds in
- *'~'*)
- # FIXME: we may have to deal with multi-command sequences.
- ;;
- '$CC '*)
- # Test whether the compiler implicitly links with -lc since on some
- # systems, -lgcc has to come before -lc. If gcc already passes -lc
- # to ld, don't add -lc before -lgcc.
- echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
- $rm conftest*
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } 2>conftest.err; then
- soname=conftest
- lib=conftest
- libobjs=conftest.$ac_objext
- deplibs=
- wl=$lt_prog_compiler_wl
- compiler_flags=-v
- linker_flags=-v
- verstring=
- output_objdir=.
- libname=conftest
- lt_save_allow_undefined_flag=$allow_undefined_flag
- allow_undefined_flag=
- if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
- (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
- then
- archive_cmds_need_lc=no
- else
- archive_cmds_need_lc=yes
- fi
- allow_undefined_flag=$lt_save_allow_undefined_flag
- else
- cat conftest.err 1>&5
- fi
- $rm conftest*
- echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
-echo "${ECHO_T}$archive_cmds_need_lc" >&6
- ;;
- esac
- fi
- ;;
-esac
-
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
- # if the path contains ";" then we assume it to be the separator
- # otherwise default to the standard path separator (i.e. ":") - it is
- # assumed that no part of a normal pathname contains ";" but that should
- # okay in the real world where ";" in dirpaths is itself problematic.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
-else
- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
- shlibpath_var=LIBPATH
-
- # AIX 3 has no versioning support, so we append a major version to the name.
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
-
-aix4* | aix5*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- hardcode_into_libs=yes
- if test "$host_cpu" = ia64; then
- # AIX 5 supports IA64
- library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- else
- # With GCC up to 2.95.x, collect2 would create an import file
- # for dependence libraries. The import file would start with
- # the line `#! .'. This would cause the generated library to
- # depend on `.', always an invalid library. This was fixed in
- # development snapshots of GCC prior to 3.0.
- case $host_os in
- aix4 | aix4.[01] | aix4.[01].*)
- if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
- echo ' yes '
- echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
- :
- else
- can_build_shared=no
- fi
- ;;
- esac
- # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
- # soname into executable. Probably we can add versioning support to
- # collect2, so additional links can be useful in future.
- if test "$aix_use_runtimelinking" = yes; then
- # If using run time linking (on AIX 4.2 or later) use lib<name>.so
- # instead of lib<name>.a to let people know that these are not
- # typical AIX shared libraries.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- else
- # We preserve .a as extension for shared libraries through AIX4.2
- # and later when we are not doing run time linking.
- library_names_spec='${libname}${release}.a $libname.a'
- soname_spec='${libname}${release}${shared_ext}$major'
- fi
- shlibpath_var=LIBPATH
- fi
- ;;
-
-amigaos*)
- library_names_spec='$libname.ixlibrary $libname.a'
- # Create ${libname}_ixlibrary.a entries in /sys/libs.
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
- ;;
-
-beos*)
- library_names_spec='${libname}${shared_ext}'
- dynamic_linker="$host_os ld.so"
- shlibpath_var=LIBRARY_PATH
- ;;
-
-bsdi[45]*)
- version_type=linux
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
- sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
- # the default ld.so.conf also contains /usr/contrib/lib and
- # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
- # libtool to hard-code these into programs
- ;;
-
-cygwin* | mingw* | pw32*)
- version_type=windows
- shrext_cmds=".dll"
- need_version=no
- need_lib_prefix=no
-
- case $GCC,$host_os in
- yes,cygwin* | yes,mingw* | yes,pw32*)
- library_names_spec='$libname.dll.a'
- # DLL is installed to $(libdir)/../bin by postinstall_cmds
- postinstall_cmds='base_file=`basename \${file}`~
- dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
- dldir=$destdir/`dirname \$dlpath`~
- test -d \$dldir || mkdir -p \$dldir~
- $install_prog $dir/$dlname \$dldir/$dlname'
- postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
- dlpath=$dir/\$dldll~
- $rm \$dlpath'
- shlibpath_overrides_runpath=yes
-
- case $host_os in
- cygwin*)
- # Cygwin DLLs use 'cyg' prefix rather than 'lib'
- soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
- ;;
- mingw*)
- # MinGW DLLs use traditional 'lib' prefix
- soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
- # It is most probably a Windows format PATH printed by
- # mingw gcc, but we are running on Cygwin. Gcc prints its search
- # path with ; separators, and with drive letters. We can handle the
- # drive letters (cygwin fileutils understands them), so leave them,
- # especially as we might pass files found there to a mingw objdump,
- # which wouldn't understand a cygwinified path. Ahh.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
- ;;
- pw32*)
- # pw32 DLLs use 'pw' prefix rather than 'lib'
- library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
- ;;
- esac
- ;;
-
- *)
- library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
- ;;
- esac
- dynamic_linker='Win32 ld.exe'
- # FIXME: first we should search . and the directory the executable is in
- shlibpath_var=PATH
- ;;
-
-darwin* | rhapsody*)
- dynamic_linker="$host_os dyld"
- version_type=darwin
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
- soname_spec='${libname}${release}${major}$shared_ext'
- shlibpath_overrides_runpath=yes
- shlibpath_var=DYLD_LIBRARY_PATH
- shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
- if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
- else
- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
- fi
- sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
- ;;
-
-dgux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-freebsd1*)
- dynamic_linker=no
- ;;
-
-kfreebsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-freebsd*)
- objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
- version_type=freebsd-$objformat
- case $version_type in
- freebsd-elf*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
- need_version=no
- need_lib_prefix=no
- ;;
- freebsd-*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
- need_version=yes
- ;;
- esac
- shlibpath_var=LD_LIBRARY_PATH
- case $host_os in
- freebsd2*)
- shlibpath_overrides_runpath=yes
- ;;
- freebsd3.01* | freebsdelf3.01*)
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
- *) # from 3.2 on
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- ;;
- esac
- ;;
-
-gnu*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- hardcode_into_libs=yes
- ;;
-
-hpux9* | hpux10* | hpux11*)
- # Give a soname corresponding to the major version so that dld.sl refuses to
- # link against other versions.
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- case "$host_cpu" in
- ia64*)
- shrext_cmds='.so'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.so"
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- if test "X$HPUX_IA64_MODE" = X32; then
- sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
- else
- sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
- fi
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- hppa*64*)
- shrext_cmds='.sl'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- *)
- shrext_cmds='.sl'
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=SHLIB_PATH
- shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
- esac
- # HP-UX runs *really* slowly unless shared libraries are mode 555.
- postinstall_cmds='chmod 555 $lib'
- ;;
-
-irix5* | irix6* | nonstopux*)
- case $host_os in
- nonstopux*) version_type=nonstopux ;;
- *)
- if test "$lt_cv_prog_gnu_ld" = yes; then
- version_type=linux
- else
- version_type=irix
- fi ;;
- esac
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
- case $host_os in
- irix5* | nonstopux*)
- libsuff= shlibsuff=
- ;;
- *)
- case $LD in # libtool.m4 will add one of these switches to LD
- *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
- libsuff= shlibsuff= libmagic=32-bit;;
- *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
- libsuff=32 shlibsuff=N32 libmagic=N32;;
- *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
- libsuff=64 shlibsuff=64 libmagic=64-bit;;
- *) libsuff= shlibsuff= libmagic=never-match;;
- esac
- ;;
- esac
- shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
- sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
- hardcode_into_libs=yes
- ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
- dynamic_linker=no
- ;;
-
-# This must be Linux ELF.
-linux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- # This implies no fast_install, which is unacceptable.
- # Some rework will be needed to allow for fast_install
- # before this can be enabled.
- hardcode_into_libs=yes
-
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
- # powerpc, because MkLinux only supported shared libraries with the
- # GNU dynamic linker. Since this was broken with cross compilers,
- # most powerpc-linux boxes support dynamic linking these days and
- # people can always --disable-shared, the test was removed, and we
- # assume the GNU/Linux dynamic linker is in use.
- dynamic_linker='GNU/Linux ld.so'
- ;;
-
-knetbsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-netbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- dynamic_linker='NetBSD (a.out) ld.so'
- else
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- dynamic_linker='NetBSD ld.elf_so'
- fi
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
-
-newsos6)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-nto-qnx*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-openbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- case $host_os in
- openbsd2.[89] | openbsd2.[89].*)
- shlibpath_overrides_runpath=no
- ;;
- *)
- shlibpath_overrides_runpath=yes
- ;;
- esac
- else
- shlibpath_overrides_runpath=yes
- fi
- ;;
-
-os2*)
- libname_spec='$name'
- shrext_cmds=".dll"
- need_lib_prefix=no
- library_names_spec='$libname${shared_ext} $libname.a'
- dynamic_linker='OS/2 ld.exe'
- shlibpath_var=LIBPATH
- ;;
-
-osf3* | osf4* | osf5*)
- version_type=osf
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
- sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
- ;;
-
-sco3.2v5*)
- version_type=osf
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-solaris*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- # ldd complains unless libraries are executable
- postinstall_cmds='chmod +x $lib'
- ;;
-
-sunos4*)
- version_type=sunos
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- if test "$with_gnu_ld" = yes; then
- need_lib_prefix=no
- fi
- need_version=yes
- ;;
-
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- case $host_vendor in
- sni)
- shlibpath_overrides_runpath=no
- need_lib_prefix=no
- export_dynamic_flag_spec='${wl}-Blargedynsym'
- runpath_var=LD_RUN_PATH
- ;;
- siemens)
- need_lib_prefix=no
- ;;
- motorola)
- need_lib_prefix=no
- need_version=no
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
- ;;
- esac
- ;;
-
-sysv4*MP*)
- if test -d /usr/nec ;then
- version_type=linux
- library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
- soname_spec='$libname${shared_ext}.$major'
- shlibpath_var=LD_LIBRARY_PATH
- fi
- ;;
-
-uts4*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-*)
- dynamic_linker=no
- ;;
-esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
-test "$dynamic_linker" = no && can_build_shared=no
-
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
-hardcode_action=
-if test -n "$hardcode_libdir_flag_spec" || \
- test -n "$runpath_var" || \
- test "X$hardcode_automatic" = "Xyes" ; then
-
- # We can hardcode non-existant directories.
- if test "$hardcode_direct" != no &&
- # If the only mechanism to avoid hardcoding is shlibpath_var, we
- # have to relink, otherwise we might link with an installed library
- # when we should be linking with a yet-to-be-installed one
- ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, )" != no &&
- test "$hardcode_minus_L" != no; then
- # Linking always hardcodes the temporary library directory.
- hardcode_action=relink
- else
- # We can link without hardcoding, and we can hardcode nonexisting dirs.
- hardcode_action=immediate
- fi
-else
- # We cannot hardcode anything, or else we can only hardcode existing
- # directories.
- hardcode_action=unsupported
-fi
-echo "$as_me:$LINENO: result: $hardcode_action" >&5
-echo "${ECHO_T}$hardcode_action" >&6
-
-if test "$hardcode_action" = relink; then
- # Fast installation is not supported
- enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
- test "$enable_shared" = no; then
- # Fast installation is not necessary
- enable_fast_install=needless
-fi
-
-striplib=
-old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
- test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
- test -z "$striplib" && striplib="$STRIP --strip-unneeded"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-# FIXME - insert some real tests, host_os isn't really good enough
- case $host_os in
- darwin*)
- if test -n "$STRIP" ; then
- striplib="$STRIP -x"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
- ;;
- *)
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ;;
- esac
-fi
-
-if test "x$enable_dlopen" != xyes; then
- enable_dlopen=unknown
- enable_dlopen_self=unknown
- enable_dlopen_self_static=unknown
-else
- lt_cv_dlopen=no
- lt_cv_dlopen_libs=
-
- case $host_os in
- beos*)
- lt_cv_dlopen="load_add_on"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
- ;;
-
- mingw* | pw32*)
- lt_cv_dlopen="LoadLibrary"
- lt_cv_dlopen_libs=
- ;;
-
- cygwin*)
- lt_cv_dlopen="dlopen"
- lt_cv_dlopen_libs=
- ;;
-
- darwin*)
- # if libdl is installed we need to link against it
- echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dl_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-
- lt_cv_dlopen="dyld"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
-
-fi
-
- ;;
-
- *)
- echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
-if test "${ac_cv_func_shl_load+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define shl_load innocuous_shl_load
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char shl_load (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef shl_load
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char shl_load ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_shl_load) || defined (__stub___shl_load)
-choke me
-#else
-char (*f) () = shl_load;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != shl_load;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_shl_load=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6
-if test $ac_cv_func_shl_load = yes; then
- lt_cv_dlopen="shl_load"
-else
- echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char shl_load ();
-int
-main ()
-{
-shl_load ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dld_shl_load=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
-if test $ac_cv_lib_dld_shl_load = yes; then
- lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
-else
- echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
-if test "${ac_cv_func_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char dlopen (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_dlopen) || defined (__stub___dlopen)
-choke me
-#else
-char (*f) () = dlopen;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != dlopen;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6
-if test $ac_cv_func_dlopen = yes; then
- lt_cv_dlopen="dlopen"
-else
- echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dl_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
- echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsvld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_svld_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_svld_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
-if test $ac_cv_lib_svld_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
-else
- echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dld_link ();
-int
-main ()
-{
-dld_link ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dld_dld_link=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_dld_link=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
-if test $ac_cv_lib_dld_dld_link = yes; then
- lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
- ;;
- esac
-
- if test "x$lt_cv_dlopen" != xno; then
- enable_dlopen=yes
- else
- enable_dlopen=no
- fi
-
- case $lt_cv_dlopen in
- dlopen)
- save_CPPFLAGS="$CPPFLAGS"
- test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
- save_LDFLAGS="$LDFLAGS"
- eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
- save_LIBS="$LIBS"
- LIBS="$lt_cv_dlopen_libs $LIBS"
-
- echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test "$cross_compiling" = yes; then :
- lt_cv_dlopen_self=cross
-else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<EOF
-#line 12151 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-# define LT_DLGLOBAL RTLD_GLOBAL
-#else
-# ifdef DL_GLOBAL
-# define LT_DLGLOBAL DL_GLOBAL
-# else
-# define LT_DLGLOBAL 0
-# endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
- find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-# ifdef RTLD_LAZY
-# define LT_DLLAZY_OR_NOW RTLD_LAZY
-# else
-# ifdef DL_LAZY
-# define LT_DLLAZY_OR_NOW DL_LAZY
-# else
-# ifdef RTLD_NOW
-# define LT_DLLAZY_OR_NOW RTLD_NOW
-# else
-# ifdef DL_NOW
-# define LT_DLLAZY_OR_NOW DL_NOW
-# else
-# define LT_DLLAZY_OR_NOW 0
-# endif
-# endif
-# endif
-# endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
- void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
- int status = $lt_dlunknown;
-
- if (self)
- {
- if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
- /* dlclose (self); */
- }
-
- exit (status);
-}
-EOF
- if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
- (./conftest; exit; ) 2>/dev/null
- lt_status=$?
- case x$lt_status in
- x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
- x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
- x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
- esac
- else :
- # compilation failed
- lt_cv_dlopen_self=no
- fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6
-
- if test "x$lt_cv_dlopen_self" = xyes; then
- LDFLAGS="$LDFLAGS $link_static_flag"
- echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self_static+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test "$cross_compiling" = yes; then :
- lt_cv_dlopen_self_static=cross
-else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<EOF
-#line 12249 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-# define LT_DLGLOBAL RTLD_GLOBAL
-#else
-# ifdef DL_GLOBAL
-# define LT_DLGLOBAL DL_GLOBAL
-# else
-# define LT_DLGLOBAL 0
-# endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
- find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-# ifdef RTLD_LAZY
-# define LT_DLLAZY_OR_NOW RTLD_LAZY
-# else
-# ifdef DL_LAZY
-# define LT_DLLAZY_OR_NOW DL_LAZY
-# else
-# ifdef RTLD_NOW
-# define LT_DLLAZY_OR_NOW RTLD_NOW
-# else
-# ifdef DL_NOW
-# define LT_DLLAZY_OR_NOW DL_NOW
-# else
-# define LT_DLLAZY_OR_NOW 0
-# endif
-# endif
-# endif
-# endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
- void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
- int status = $lt_dlunknown;
-
- if (self)
- {
- if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
- /* dlclose (self); */
- }
-
- exit (status);
-}
-EOF
- if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
- (./conftest; exit; ) 2>/dev/null
- lt_status=$?
- case x$lt_status in
- x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
- x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
- x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
- esac
- else :
- # compilation failed
- lt_cv_dlopen_self_static=no
- fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
- fi
-
- CPPFLAGS="$save_CPPFLAGS"
- LDFLAGS="$save_LDFLAGS"
- LIBS="$save_LIBS"
- ;;
- esac
-
- case $lt_cv_dlopen_self in
- yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
- *) enable_dlopen_self=unknown ;;
- esac
-
- case $lt_cv_dlopen_self_static in
- yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
- *) enable_dlopen_self_static=unknown ;;
- esac
-fi
-
-
-# Report which librarie types wil actually be built
-echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6
-
-echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case "$host_os" in
-aix3*)
- test "$enable_shared" = yes && enable_static=no
- if test -n "$RANLIB"; then
- archive_cmds="$archive_cmds~\$RANLIB \$lib"
- postinstall_cmds='$RANLIB $lib'
- fi
- ;;
-
-aix4* | aix5*)
- if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
- test "$enable_shared" = yes && enable_static=no
- fi
- ;;
-esac
-echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6
-
-echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
- # See if we are running on zsh, and set the options which allow our commands through
- # without removal of \ escapes.
- if test -n "${ZSH_VERSION+set}" ; then
- setopt NO_GLOB_SUBST
- fi
- # Now quote all the things that may contain metacharacters while being
- # careful not to overquote the AC_SUBSTed values. We take copies of the
- # variables and quote the copies for generation of the libtool script.
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
- SED SHELL STRIP \
- libname_spec library_names_spec soname_spec extract_expsyms_cmds \
- old_striplib striplib file_magic_cmd finish_cmds finish_eval \
- deplibs_check_method reload_flag reload_cmds need_locks \
- lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
- lt_cv_sys_global_symbol_to_c_name_address \
- sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
- old_postinstall_cmds old_postuninstall_cmds \
- compiler \
- CC \
- LD \
- lt_prog_compiler_wl \
- lt_prog_compiler_pic \
- lt_prog_compiler_static \
- lt_prog_compiler_no_builtin_flag \
- export_dynamic_flag_spec \
- thread_safe_flag_spec \
- whole_archive_flag_spec \
- enable_shared_with_static_runtimes \
- old_archive_cmds \
- old_archive_from_new_cmds \
- predep_objects \
- postdep_objects \
- predeps \
- postdeps \
- compiler_lib_search_path \
- archive_cmds \
- archive_expsym_cmds \
- postinstall_cmds \
- postuninstall_cmds \
- old_archive_from_expsyms_cmds \
- allow_undefined_flag \
- no_undefined_flag \
- export_symbols_cmds \
- hardcode_libdir_flag_spec \
- hardcode_libdir_flag_spec_ld \
- hardcode_libdir_separator \
- hardcode_automatic \
- module_cmds \
- module_expsym_cmds \
- lt_cv_prog_compiler_c_o \
- exclude_expsyms \
- include_expsyms; do
-
- case $var in
- old_archive_cmds | \
- old_archive_from_new_cmds | \
- archive_cmds | \
- archive_expsym_cmds | \
- module_cmds | \
- module_expsym_cmds | \
- old_archive_from_expsyms_cmds | \
- export_symbols_cmds | \
- extract_expsyms_cmds | reload_cmds | finish_cmds | \
- postinstall_cmds | postuninstall_cmds | \
- old_postinstall_cmds | old_postuninstall_cmds | \
- sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
- # Double-quote double-evaled strings.
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
- ;;
- *)
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
- ;;
- esac
- done
-
- case $lt_echo in
- *'\$0 --fallback-echo"')
- lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
- ;;
- esac
-
-cfgfile="${ofile}T"
- trap "$rm \"$cfgfile\"; exit 1" 1 2 15
- $rm -f "$cfgfile"
- { echo "$as_me:$LINENO: creating $ofile" >&5
-echo "$as_me: creating $ofile" >&6;}
-
- cat <<__EOF__ >> "$cfgfile"
-#! $SHELL
-
-# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
-# Free Software Foundation, Inc.
-#
-# This file is part of GNU Libtool:
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# A sed program that does not truncate output.
-SED=$lt_SED
-
-# Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e s/^X//"
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-# The names of the tagged configurations supported by this script.
-available_tags=
-
-# ### BEGIN LIBTOOL CONFIG
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# A language-specific compiler.
-CC=$lt_compiler
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o
-
-# Must we lock files when doing compilation ?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names. First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds
-archive_expsym_cmds=$lt_archive_expsym_cmds
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds
-module_expsym_cmds=$lt_module_expsym_cmds
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path="$fix_srcfile_path"
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms
-
-# ### END LIBTOOL CONFIG
-
-__EOF__
-
-
- case $host_os in
- aix3*)
- cat <<\EOF >> "$cfgfile"
-
-# AIX sometimes has problems with the GCC collect2 program. For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
- COLLECT_NAMES=
- export COLLECT_NAMES
-fi
-EOF
- ;;
- esac
-
- # We use sed instead of cat because bash on DJGPP gets confused if
- # if finds mixed CR/LF and LF-only lines. Since sed operates in
- # text mode, it properly converts lines to CR/LF. This bash problem
- # is reportedly fixed, but why not run on old versions too?
- sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
-
- mv -f "$cfgfile" "$ofile" || \
- (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
- chmod +x "$ofile"
-
-else
- # If there is no Makefile yet, we rely on a make rule to execute
- # `config.status --recheck' to rerun these tests and create the
- # libtool script then.
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
- if test -f "$ltmain_in"; then
- test -f Makefile && make "$ltmain"
- fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
-
-# Check whether --with-tags or --without-tags was given.
-if test "${with_tags+set}" = set; then
- withval="$with_tags"
- tagnames="$withval"
-fi;
-
-if test -f "$ltmain" && test -n "$tagnames"; then
- if test ! -f "${ofile}"; then
- { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
-echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
- fi
-
- if test -z "$LTCC"; then
- eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
- if test -z "$LTCC"; then
- { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
-echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
- else
- { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
-echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
- fi
- fi
-
- # Extract list of available tagged configurations in $ofile.
- # Note that this assumes the entire list is on one line.
- available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
-
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for tagname in $tagnames; do
- IFS="$lt_save_ifs"
- # Check whether tagname contains only valid characters
- case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in
- "") ;;
- *) { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
-echo "$as_me: error: invalid tag name: $tagname" >&2;}
- { (exit 1); exit 1; }; }
- ;;
- esac
-
- if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
- then
- { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
-echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
- { (exit 1); exit 1; }; }
- fi
-
- # Update the list of available tags.
- if test -n "$tagname"; then
- echo appending configuration tag \"$tagname\" to $ofile
-
- case $tagname in
- CXX)
- if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
- ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
- (test "X$CXX" != "Xg++"))) ; then
- ac_ext=cc
-ac_cpp='$CXXCPP $CPPFLAGS'
-ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
-
-
-
-
-archive_cmds_need_lc_CXX=no
-allow_undefined_flag_CXX=
-always_export_symbols_CXX=no
-archive_expsym_cmds_CXX=
-export_dynamic_flag_spec_CXX=
-hardcode_direct_CXX=no
-hardcode_libdir_flag_spec_CXX=
-hardcode_libdir_flag_spec_ld_CXX=
-hardcode_libdir_separator_CXX=
-hardcode_minus_L_CXX=no
-hardcode_automatic_CXX=no
-module_cmds_CXX=
-module_expsym_cmds_CXX=
-link_all_deplibs_CXX=unknown
-old_archive_cmds_CXX=$old_archive_cmds
-no_undefined_flag_CXX=
-whole_archive_flag_spec_CXX=
-enable_shared_with_static_runtimes_CXX=no
-
-# Dependencies to place before and after the object being linked:
-predep_objects_CXX=
-postdep_objects_CXX=
-predeps_CXX=
-postdeps_CXX=
-compiler_lib_search_path_CXX=
-
-# Source file extension for C++ test sources.
-ac_ext=cc
-
-# Object file extension for compiled C++ test sources.
-objext=o
-objext_CXX=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *) { return(0); }\n'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_LD=$LD
-lt_save_GCC=$GCC
-GCC=$GXX
-lt_save_with_gnu_ld=$with_gnu_ld
-lt_save_path_LD=$lt_cv_path_LD
-if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
- lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-else
- unset lt_cv_prog_gnu_ld
-fi
-if test -n "${lt_cv_path_LDCXX+set}"; then
- lt_cv_path_LD=$lt_cv_path_LDCXX
-else
- unset lt_cv_path_LD
-fi
-test -z "${LDCXX+set}" || LD=$LDCXX
-CC=${CXX-"c++"}
-compiler=$CC
-compiler_CXX=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
-# We don't want -fno-exception wen compiling C++ code, so set the
-# no_builtin_flag separately
-if test "$GXX" = yes; then
- lt_prog_compiler_no_builtin_flag_CXX=' -fno-builtin'
-else
- lt_prog_compiler_no_builtin_flag_CXX=
-fi
-
-if test "$GXX" = yes; then
- # Set up default GNU C++ configuration
-
-
-# Check whether --with-gnu-ld or --without-gnu-ld was given.
-if test "${with_gnu_ld+set}" = set; then
- withval="$with_gnu_ld"
- test "$withval" = no || with_gnu_ld=yes
-else
- with_gnu_ld=no
-fi;
-ac_prog=ld
-if test "$GCC" = yes; then
- # Check if gcc -print-prog-name=ld gives a path.
- echo "$as_me:$LINENO: checking for ld used by $CC" >&5
-echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
- case $host in
- *-*-mingw*)
- # gcc leaves a trailing carriage return which upsets mingw
- ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
- *)
- ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
- esac
- case $ac_prog in
- # Accept absolute paths.
- [\\/]* | ?:[\\/]*)
- re_direlt='/[^/][^/]*/\.\./'
- # Canonicalize the pathname of ld
- ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
- while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
- ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
- done
- test -z "$LD" && LD="$ac_prog"
- ;;
- "")
- # If it fails, then pretend we aren't using GCC.
- ac_prog=ld
- ;;
- *)
- # If it is relative, then search for the first ld in PATH.
- with_gnu_ld=unknown
- ;;
- esac
-elif test "$with_gnu_ld" = yes; then
- echo "$as_me:$LINENO: checking for GNU ld" >&5
-echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
-else
- echo "$as_me:$LINENO: checking for non-GNU ld" >&5
-echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
-fi
-if test "${lt_cv_path_LD+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test -z "$LD"; then
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for ac_dir in $PATH; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
- lt_cv_path_LD="$ac_dir/$ac_prog"
- # Check to see if the program is GNU ld. I'd rather use --version,
- # but apparently some GNU ld's only accept -v.
- # Break only if it was the GNU/non-GNU ld that we prefer.
- case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
- *GNU* | *'with BFD'*)
- test "$with_gnu_ld" != no && break
- ;;
- *)
- test "$with_gnu_ld" != yes && break
- ;;
- esac
- fi
- done
- IFS="$lt_save_ifs"
-else
- lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi
-fi
-
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
- echo "$as_me:$LINENO: result: $LD" >&5
-echo "${ECHO_T}$LD" >&6
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
-echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
- { (exit 1); exit 1; }; }
-echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
-echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
-if test "${lt_cv_prog_gnu_ld+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- # I'd rather use --version here, but apparently some GNU ld's only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
- lt_cv_prog_gnu_ld=yes
- ;;
-*)
- lt_cv_prog_gnu_ld=no
- ;;
-esac
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
-echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6
-with_gnu_ld=$lt_cv_prog_gnu_ld
-
-
-
- # Check if GNU C++ uses GNU ld as the underlying linker, since the
- # archiving commands below assume that GNU ld is being used.
- if test "$with_gnu_ld" = yes; then
- archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-
- hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
- export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-
- # If archive_cmds runs LD, not CC, wlarc should be empty
- # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
- # investigate it a little bit more. (MM)
- wlarc='${wl}'
-
- # ancient GNU ld didn't support --whole-archive et. al.
- if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
- grep 'no-whole-archive' > /dev/null; then
- whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- else
- whole_archive_flag_spec_CXX=
- fi
- else
- with_gnu_ld=no
- wlarc=
-
- # A generic and very simple default shared library creation
- # command for GNU C++ for the case where it uses the native
- # linker, instead of GNU ld. If possible, this setting should
- # overridden to take advantage of the native linker features on
- # the platform it is being used on.
- archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
- fi
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-else
- GXX=no
- with_gnu_ld=no
- wlarc=
-fi
-
-# PORTME: fill in a description of your system's C++ link characteristics
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
-ld_shlibs_CXX=yes
-case $host_os in
- aix3*)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- aix4* | aix5*)
- if test "$host_cpu" = ia64; then
- # On IA64, the linker does run time linking by default, so we don't
- # have to do anything special.
- aix_use_runtimelinking=no
- exp_sym_flag='-Bexport'
- no_entry_flag=""
- else
- aix_use_runtimelinking=no
-
- # Test if we are trying to use run time linking or normal
- # AIX style linking. If -brtl is somewhere in LDFLAGS, we
- # need to do runtime linking.
- case $host_os in aix4.[23]|aix4.[23].*|aix5*)
- for ld_flag in $LDFLAGS; do
- case $ld_flag in
- *-brtl*)
- aix_use_runtimelinking=yes
- break
- ;;
- esac
- done
- esac
-
- exp_sym_flag='-bexport'
- no_entry_flag='-bnoentry'
- fi
-
- # When large executables or shared objects are built, AIX ld can
- # have problems creating the table of contents. If linking a library
- # or program results in "error TOC overflow" add -mminimal-toc to
- # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
- # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
- archive_cmds_CXX=''
- hardcode_direct_CXX=yes
- hardcode_libdir_separator_CXX=':'
- link_all_deplibs_CXX=yes
-
- if test "$GXX" = yes; then
- case $host_os in aix4.012|aix4.012.*)
- # We only want to do this on AIX 4.2 and lower, the check
- # below for broken collect2 doesn't work under 4.3+
- collect2name=`${CC} -print-prog-name=collect2`
- if test -f "$collect2name" && \
- strings "$collect2name" | grep resolve_lib_name >/dev/null
- then
- # We have reworked collect2
- hardcode_direct_CXX=yes
- else
- # We have old collect2
- hardcode_direct_CXX=unsupported
- # It fails to find uninstalled libraries when the uninstalled
- # path is not listed in the libpath. Setting hardcode_minus_L
- # to unsupported forces relinking
- hardcode_minus_L_CXX=yes
- hardcode_libdir_flag_spec_CXX='-L$libdir'
- hardcode_libdir_separator_CXX=
- fi
- esac
- shared_flag='-shared'
- else
- # not using gcc
- if test "$host_cpu" = ia64; then
- # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
- # chokes on -Wl,-G. The following line is correct:
- shared_flag='-G'
- else
- if test "$aix_use_runtimelinking" = yes; then
- shared_flag='${wl}-G'
- else
- shared_flag='${wl}-bM:SRE'
- fi
- fi
- fi
-
- # It seems that -bexpall does not export symbols beginning with
- # underscore (_), so it is better to generate a list of symbols to export.
- always_export_symbols_CXX=yes
- if test "$aix_use_runtimelinking" = yes; then
- # Warning - without using the other runtime loading flags (-brtl),
- # -berok will link without error, but may produce a broken library.
- allow_undefined_flag_CXX='-berok'
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
-
- archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
- else
- if test "$host_cpu" = ia64; then
- hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib'
- allow_undefined_flag_CXX="-z nodefs"
- archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
- else
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
- # Warning - without using the other run time loading flags,
- # -berok will link without error, but may produce a broken library.
- no_undefined_flag_CXX=' ${wl}-bernotok'
- allow_undefined_flag_CXX=' ${wl}-berok'
- # -bexpall does not export symbols beginning with underscore (_)
- always_export_symbols_CXX=yes
- # Exported symbols can be pulled into shared objects from archives
- whole_archive_flag_spec_CXX=' '
- archive_cmds_need_lc_CXX=yes
- # This is similar to how AIX traditionally builds it's shared libraries.
- archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
- fi
- fi
- ;;
- chorus*)
- case $cc_basename in
- *)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- esac
- ;;
-
-
- cygwin* | mingw* | pw32*)
- # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
- # as there is no search path for DLLs.
- hardcode_libdir_flag_spec_CXX='-L$libdir'
- allow_undefined_flag_CXX=unsupported
- always_export_symbols_CXX=no
- enable_shared_with_static_runtimes_CXX=yes
-
- if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
- archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- # If the export-symbols file already is a .def file (1st line
- # is EXPORTS), use it as is; otherwise, prepend...
- archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
- cp $export_symbols $output_objdir/$soname.def;
- else
- echo EXPORTS > $output_objdir/$soname.def;
- cat $export_symbols >> $output_objdir/$soname.def;
- fi~
- $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- else
- ld_shlibs_CXX=no
- fi
- ;;
- darwin* | rhapsody*)
- case "$host_os" in
- rhapsody* | darwin1.[012])
- allow_undefined_flag_CXX='${wl}-undefined ${wl}suppress'
- ;;
- *) # Darwin 1.3 on
- if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
- allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- else
- case ${MACOSX_DEPLOYMENT_TARGET} in
- 10.[012])
- allow_undefined_flag_CXX='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- ;;
- 10.*)
- allow_undefined_flag_CXX='${wl}-undefined ${wl}dynamic_lookup'
- ;;
- esac
- fi
- ;;
- esac
- archive_cmds_need_lc_CXX=no
- hardcode_direct_CXX=no
- hardcode_automatic_CXX=yes
- hardcode_shlibpath_var_CXX=unsupported
- whole_archive_flag_spec_CXX=''
- link_all_deplibs_CXX=yes
-
- if test "$GXX" = yes ; then
- lt_int_apple_cc_single_mod=no
- output_verbose_link_cmd='echo'
- if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
- lt_int_apple_cc_single_mod=yes
- fi
- if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
- archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- else
- archive_cmds_CXX='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- fi
- module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
- archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- fi
- module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- case "$cc_basename" in
- xlc*)
- output_verbose_link_cmd='echo'
- archive_cmds_CXX='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
- module_cmds_CXX='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- ;;
- *)
- ld_shlibs_CXX=no
- ;;
- esac
- fi
- ;;
-
- dgux*)
- case $cc_basename in
- ec++)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- ghcx)
- # Green Hills C++ Compiler
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- esac
- ;;
- freebsd12*)
- # C++ shared libraries reported to be fairly broken before switch to ELF
- ld_shlibs_CXX=no
- ;;
- freebsd-elf*)
- archive_cmds_need_lc_CXX=no
- ;;
- freebsd* | kfreebsd*-gnu)
- # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
- # conventions
- ld_shlibs_CXX=yes
- ;;
- gnu*)
- ;;
- hpux9*)
- hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator_CXX=:
- export_dynamic_flag_spec_CXX='${wl}-E'
- hardcode_direct_CXX=yes
- hardcode_minus_L_CXX=yes # Not in the search PATH,
- # but as the default
- # location of the library.
-
- case $cc_basename in
- CC)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- aCC)
- archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes; then
- archive_cmds_CXX='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- else
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- fi
- ;;
- esac
- ;;
- hpux10*|hpux11*)
- if test $with_gnu_ld = no; then
- case "$host_cpu" in
- hppa*64*)
- hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
- hardcode_libdir_flag_spec_ld_CXX='+b $libdir'
- hardcode_libdir_separator_CXX=:
- ;;
- ia64*)
- hardcode_libdir_flag_spec_CXX='-L$libdir'
- ;;
- *)
- hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator_CXX=:
- export_dynamic_flag_spec_CXX='${wl}-E'
- ;;
- esac
- fi
- case "$host_cpu" in
- hppa*64*)
- hardcode_direct_CXX=no
- hardcode_shlibpath_var_CXX=no
- ;;
- ia64*)
- hardcode_direct_CXX=no
- hardcode_shlibpath_var_CXX=no
- hardcode_minus_L_CXX=yes # Not in the search PATH,
- # but as the default
- # location of the library.
- ;;
- *)
- hardcode_direct_CXX=yes
- hardcode_minus_L_CXX=yes # Not in the search PATH,
- # but as the default
- # location of the library.
- ;;
- esac
-
- case $cc_basename in
- CC)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- aCC)
- case "$host_cpu" in
- hppa*64*|ia64*)
- archive_cmds_CXX='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
- ;;
- *)
- archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
- ;;
- esac
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes; then
- if test $with_gnu_ld = no; then
- case "$host_cpu" in
- ia64*|hppa*64*)
- archive_cmds_CXX='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
- ;;
- *)
- archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
- ;;
- esac
- fi
- else
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- fi
- ;;
- esac
- ;;
- irix5* | irix6*)
- case $cc_basename in
- CC)
- # SGI C++
- archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
-
- # Archives containing C++ object files must be created using
- # "CC -ar", where "CC" is the IRIX C++ compiler. This is
- # necessary to make sure instantiated templates are included
- # in the archive.
- old_archive_cmds_CXX='$CC -ar -WR,-u -o $oldlib $oldobjs'
- ;;
- *)
- if test "$GXX" = yes; then
- if test "$with_gnu_ld" = no; then
- archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
- else
- archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
- fi
- fi
- link_all_deplibs_CXX=yes
- ;;
- esac
- hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_CXX=:
- ;;
- linux*)
- case $cc_basename in
- KCC)
- # Kuck and Associates, Inc. (KAI) C++ Compiler
-
- # KCC will only create a shared library if the output file
- # ends with ".so" (or ".sl" for HP-UX), so rename the library
- # to its proper name (with version) after linking.
- archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
- archive_expsym_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
- hardcode_libdir_flag_spec_CXX='${wl}--rpath,$libdir'
- export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
-
- # Archives containing C++ object files must be created using
- # "CC -Bstatic", where "CC" is the KAI C++ compiler.
- old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
- ;;
- icpc)
- # Intel C++
- with_gnu_ld=yes
- # version 8.0 and above of icpc choke on multiply defined symbols
- # if we add $predep_objects and $postdep_objects, however 7.1 and
- # earlier do not add the objects themselves.
- case `$CC -V 2>&1` in
- *"Version 7."*)
- archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- ;;
- *) # Version 8.0 or newer
- archive_cmds_CXX='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_CXX='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- ;;
- esac
- archive_cmds_need_lc_CXX=no
- hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
- export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
- whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
- ;;
- cxx)
- # Compaq C++
- archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
-
- runpath_var=LD_RUN_PATH
- hardcode_libdir_flag_spec_CXX='-rpath $libdir'
- hardcode_libdir_separator_CXX=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- esac
- ;;
- lynxos*)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- m88k*)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- mvs*)
- case $cc_basename in
- cxx)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- esac
- ;;
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- archive_cmds_CXX='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
- wlarc=
- hardcode_libdir_flag_spec_CXX='-R$libdir'
- hardcode_direct_CXX=yes
- hardcode_shlibpath_var_CXX=no
- fi
- # Workaround some broken pre-1.5 toolchains
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
- ;;
- openbsd2*)
- # C++ shared libraries are fairly broken
- ld_shlibs_CXX=no
- ;;
- openbsd*)
- hardcode_direct_CXX=yes
- hardcode_shlibpath_var_CXX=no
- archive_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
- hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- archive_expsym_cmds_CXX='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
- export_dynamic_flag_spec_CXX='${wl}-E'
- whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- fi
- output_verbose_link_cmd='echo'
- ;;
- osf3*)
- case $cc_basename in
- KCC)
- # Kuck and Associates, Inc. (KAI) C++ Compiler
-
- # KCC will only create a shared library if the output file
- # ends with ".so" (or ".sl" for HP-UX), so rename the library
- # to its proper name (with version) after linking.
- archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
- hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
- hardcode_libdir_separator_CXX=:
-
- # Archives containing C++ object files must be created using
- # "CC -Bstatic", where "CC" is the KAI C++ compiler.
- old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
-
- ;;
- RCC)
- # Rational C++ 2.4.1
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- cxx)
- allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
-
- hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_CXX=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes && test "$with_gnu_ld" = no; then
- allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
-
- hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_CXX=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
- else
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- fi
- ;;
- esac
- ;;
- osf4* | osf5*)
- case $cc_basename in
- KCC)
- # Kuck and Associates, Inc. (KAI) C++ Compiler
-
- # KCC will only create a shared library if the output file
- # ends with ".so" (or ".sl" for HP-UX), so rename the library
- # to its proper name (with version) after linking.
- archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
- hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
- hardcode_libdir_separator_CXX=:
-
- # Archives containing C++ object files must be created using
- # the KAI C++ compiler.
- old_archive_cmds_CXX='$CC -o $oldlib $oldobjs'
- ;;
- RCC)
- # Rational C++ 2.4.1
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- cxx)
- allow_undefined_flag_CXX=' -expect_unresolved \*'
- archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
- archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
- echo "-hidden">> $lib.exp~
- $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry $objdir/so_locations -o $lib~
- $rm $lib.exp'
-
- hardcode_libdir_flag_spec_CXX='-rpath $libdir'
- hardcode_libdir_separator_CXX=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes && test "$with_gnu_ld" = no; then
- allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
-
- hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_CXX=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
- else
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- fi
- ;;
- esac
- ;;
- psos*)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- sco*)
- archive_cmds_need_lc_CXX=no
- case $cc_basename in
- CC)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- esac
- ;;
- sunos4*)
- case $cc_basename in
- CC)
- # Sun C++ 4.x
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- lcc)
- # Lucid
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- esac
- ;;
- solaris*)
- case $cc_basename in
- CC)
- # Sun C++ 4.2, 5.x and Centerline C++
- no_undefined_flag_CXX=' -zdefs'
- archive_cmds_CXX='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
- archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
- hardcode_libdir_flag_spec_CXX='-R$libdir'
- hardcode_shlibpath_var_CXX=no
- case $host_os in
- solaris2.0-5 | solaris2.0-5.*) ;;
- *)
- # The C++ compiler is used as linker so we must use $wl
- # flag to pass the commands to the underlying system
- # linker.
- # Supported since Solaris 2.6 (maybe 2.5.1?)
- whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
- ;;
- esac
- link_all_deplibs_CXX=yes
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[LR]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
- # Archives containing C++ object files must be created using
- # "CC -xar", where "CC" is the Sun C++ compiler. This is
- # necessary to make sure instantiated templates are included
- # in the archive.
- old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
- ;;
- gcx)
- # Green Hills C++ Compiler
- archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
- # The C++ compiler must be used to create the archive.
- old_archive_cmds_CXX='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
- ;;
- *)
- # GNU C++ compiler with Solaris linker
- if test "$GXX" = yes && test "$with_gnu_ld" = no; then
- no_undefined_flag_CXX=' ${wl}-z ${wl}defs'
- if $CC --version | grep -v '^2\.7' > /dev/null; then
- archive_cmds_CXX='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
- archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
- else
- # g++ 2.7 appears to require `-G' NOT `-shared' on this
- # platform.
- archive_cmds_CXX='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
- archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
- fi
-
- hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir'
- fi
- ;;
- esac
- ;;
- sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
- archive_cmds_need_lc_CXX=no
- ;;
- tandem*)
- case $cc_basename in
- NCC)
- # NonStop-UX NCC 3.20
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- esac
- ;;
- vxworks*)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- ld_shlibs_CXX=no
- ;;
-esac
-echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6
-test "$ld_shlibs_CXX" = no && can_build_shared=no
-
-GCC_CXX="$GXX"
-LD_CXX="$LD"
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-
-cat > conftest.$ac_ext <<EOF
-class Foo
-{
-public:
- Foo (void) { a = 0; }
-private:
- int a;
-};
-EOF
-
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; then
- # Parse the compiler output and extract the necessary
- # objects, libraries and library flags.
-
- # Sentinel used to keep track of whether or not we are before
- # the conftest object file.
- pre_test_object_deps_done=no
-
- # The `*' in the case matches for architectures that use `case' in
- # $output_verbose_cmd can trigger glob expansion during the loop
- # eval without this substitution.
- output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
-
- for p in `eval $output_verbose_link_cmd`; do
- case $p in
-
- -L* | -R* | -l*)
- # Some compilers place space between "-{L,R}" and the path.
- # Remove the space.
- if test $p = "-L" \
- || test $p = "-R"; then
- prev=$p
- continue
- else
- prev=
- fi
-
- if test "$pre_test_object_deps_done" = no; then
- case $p in
- -L* | -R*)
- # Internal compiler library paths should come after those
- # provided the user. The postdeps already come after the
- # user supplied libs so there is no need to process them.
- if test -z "$compiler_lib_search_path_CXX"; then
- compiler_lib_search_path_CXX="${prev}${p}"
- else
- compiler_lib_search_path_CXX="${compiler_lib_search_path_CXX} ${prev}${p}"
- fi
- ;;
- # The "-l" case would never come before the object being
- # linked, so don't bother handling this case.
- esac
- else
- if test -z "$postdeps_CXX"; then
- postdeps_CXX="${prev}${p}"
- else
- postdeps_CXX="${postdeps_CXX} ${prev}${p}"
- fi
- fi
- ;;
-
- *.$objext)
- # This assumes that the test object file only shows up
- # once in the compiler output.
- if test "$p" = "conftest.$objext"; then
- pre_test_object_deps_done=yes
- continue
- fi
-
- if test "$pre_test_object_deps_done" = no; then
- if test -z "$predep_objects_CXX"; then
- predep_objects_CXX="$p"
- else
- predep_objects_CXX="$predep_objects_CXX $p"
- fi
- else
- if test -z "$postdep_objects_CXX"; then
- postdep_objects_CXX="$p"
- else
- postdep_objects_CXX="$postdep_objects_CXX $p"
- fi
- fi
- ;;
-
- *) ;; # Ignore the rest.
-
- esac
- done
-
- # Clean up.
- rm -f a.out a.exe
-else
- echo "libtool.m4: error: problem compiling CXX test program"
-fi
-
-$rm -f confest.$objext
-
-case " $postdeps_CXX " in
-*" -lc "*) archive_cmds_need_lc_CXX=no ;;
-esac
-
-lt_prog_compiler_wl_CXX=
-lt_prog_compiler_pic_CXX=
-lt_prog_compiler_static_CXX=
-
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
-
- # C++ specific cases for pic, static, wl, etc.
- if test "$GXX" = yes; then
- lt_prog_compiler_wl_CXX='-Wl,'
- lt_prog_compiler_static_CXX='-static'
-
- case $host_os in
- aix*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static_CXX='-Bstatic'
- fi
- ;;
- amigaos*)
- # FIXME: we need at least 68020 code to build shared libraries, but
- # adding the `-m68020' flag to GCC prevents building anything better,
- # like `-m68040'.
- lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
- ;;
- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
- # PIC is the default for these OSes.
- ;;
- mingw* | os2* | pw32*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
- ;;
- darwin* | rhapsody*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- lt_prog_compiler_pic_CXX='-fno-common'
- ;;
- *djgpp*)
- # DJGPP does not support shared libraries at all
- lt_prog_compiler_pic_CXX=
- ;;
- sysv4*MP*)
- if test -d /usr/nec; then
- lt_prog_compiler_pic_CXX=-Kconform_pic
- fi
- ;;
- hpux*)
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- ;;
- *)
- lt_prog_compiler_pic_CXX='-fPIC'
- ;;
- esac
- ;;
- *)
- lt_prog_compiler_pic_CXX='-fPIC'
- ;;
- esac
- else
- case $host_os in
- aix4* | aix5*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static_CXX='-Bstatic'
- else
- lt_prog_compiler_static_CXX='-bnso -bI:/lib/syscalls.exp'
- fi
- ;;
- chorus*)
- case $cc_basename in
- cxch68)
- # Green Hills C++ Compiler
- # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
- ;;
- esac
- ;;
- darwin*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- case "$cc_basename" in
- xlc*)
- lt_prog_compiler_pic_CXX='-qnocommon'
- lt_prog_compiler_wl_CXX='-Wl,'
- ;;
- esac
- ;;
- dgux*)
- case $cc_basename in
- ec++)
- lt_prog_compiler_pic_CXX='-KPIC'
- ;;
- ghcx)
- # Green Hills C++ Compiler
- lt_prog_compiler_pic_CXX='-pic'
- ;;
- *)
- ;;
- esac
- ;;
- freebsd* | kfreebsd*-gnu)
- # FreeBSD uses GNU C++
- ;;
- hpux9* | hpux10* | hpux11*)
- case $cc_basename in
- CC)
- lt_prog_compiler_wl_CXX='-Wl,'
- lt_prog_compiler_static_CXX="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
- if test "$host_cpu" != ia64; then
- lt_prog_compiler_pic_CXX='+Z'
- fi
- ;;
- aCC)
- lt_prog_compiler_wl_CXX='-Wl,'
- lt_prog_compiler_static_CXX="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- lt_prog_compiler_pic_CXX='+Z'
- ;;
- esac
- ;;
- *)
- ;;
- esac
- ;;
- irix5* | irix6* | nonstopux*)
- case $cc_basename in
- CC)
- lt_prog_compiler_wl_CXX='-Wl,'
- lt_prog_compiler_static_CXX='-non_shared'
- # CC pic flag -KPIC is the default.
- ;;
- *)
- ;;
- esac
- ;;
- linux*)
- case $cc_basename in
- KCC)
- # KAI C++ Compiler
- lt_prog_compiler_wl_CXX='--backend -Wl,'
- lt_prog_compiler_pic_CXX='-fPIC'
- ;;
- icpc)
- # Intel C++
- lt_prog_compiler_wl_CXX='-Wl,'
- lt_prog_compiler_pic_CXX='-KPIC'
- lt_prog_compiler_static_CXX='-static'
- ;;
- cxx)
- # Compaq C++
- # Make sure the PIC flag is empty. It appears that all Alpha
- # Linux and Compaq Tru64 Unix objects are PIC.
- lt_prog_compiler_pic_CXX=
- lt_prog_compiler_static_CXX='-non_shared'
- ;;
- *)
- ;;
- esac
- ;;
- lynxos*)
- ;;
- m88k*)
- ;;
- mvs*)
- case $cc_basename in
- cxx)
- lt_prog_compiler_pic_CXX='-W c,exportall'
- ;;
- *)
- ;;
- esac
- ;;
- netbsd*)
- ;;
- osf3* | osf4* | osf5*)
- case $cc_basename in
- KCC)
- lt_prog_compiler_wl_CXX='--backend -Wl,'
- ;;
- RCC)
- # Rational C++ 2.4.1
- lt_prog_compiler_pic_CXX='-pic'
- ;;
- cxx)
- # Digital/Compaq C++
- lt_prog_compiler_wl_CXX='-Wl,'
- # Make sure the PIC flag is empty. It appears that all Alpha
- # Linux and Compaq Tru64 Unix objects are PIC.
- lt_prog_compiler_pic_CXX=
- lt_prog_compiler_static_CXX='-non_shared'
- ;;
- *)
- ;;
- esac
- ;;
- psos*)
- ;;
- sco*)
- case $cc_basename in
- CC)
- lt_prog_compiler_pic_CXX='-fPIC'
- ;;
- *)
- ;;
- esac
- ;;
- solaris*)
- case $cc_basename in
- CC)
- # Sun C++ 4.2, 5.x and Centerline C++
- lt_prog_compiler_pic_CXX='-KPIC'
- lt_prog_compiler_static_CXX='-Bstatic'
- lt_prog_compiler_wl_CXX='-Qoption ld '
- ;;
- gcx)
- # Green Hills C++ Compiler
- lt_prog_compiler_pic_CXX='-PIC'
- ;;
- *)
- ;;
- esac
- ;;
- sunos4*)
- case $cc_basename in
- CC)
- # Sun C++ 4.x
- lt_prog_compiler_pic_CXX='-pic'
- lt_prog_compiler_static_CXX='-Bstatic'
- ;;
- lcc)
- # Lucid
- lt_prog_compiler_pic_CXX='-pic'
- ;;
- *)
- ;;
- esac
- ;;
- tandem*)
- case $cc_basename in
- NCC)
- # NonStop-UX NCC 3.20
- lt_prog_compiler_pic_CXX='-KPIC'
- ;;
- *)
- ;;
- esac
- ;;
- unixware*)
- ;;
- vxworks*)
- ;;
- *)
- lt_prog_compiler_can_build_shared_CXX=no
- ;;
- esac
- fi
-
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_CXX"; then
-
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6
-if test "${lt_prog_compiler_pic_works_CXX+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_prog_compiler_pic_works_CXX=no
- ac_outfile=conftest.$ac_objext
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
- lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- # The option is referenced via a variable to avoid confusing sed.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:14446: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>conftest.err)
- ac_status=$?
- cat conftest.err >&5
- echo "$as_me:14450: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s "$ac_outfile"; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s conftest.err; then
- lt_prog_compiler_pic_works_CXX=yes
- fi
- fi
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_CXX" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works_CXX" >&6
-
-if test x"$lt_prog_compiler_pic_works_CXX" = xyes; then
- case $lt_prog_compiler_pic_CXX in
- "" | " "*) ;;
- *) lt_prog_compiler_pic_CXX=" $lt_prog_compiler_pic_CXX" ;;
- esac
-else
- lt_prog_compiler_pic_CXX=
- lt_prog_compiler_can_build_shared_CXX=no
-fi
-
-fi
-case "$host_os" in
- # For platforms which do not support PIC, -DPIC is meaningless:
- *djgpp*)
- lt_prog_compiler_pic_CXX=
- ;;
- *)
- lt_prog_compiler_pic_CXX="$lt_prog_compiler_pic_CXX -DPIC"
- ;;
-esac
-
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
-if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_prog_compiler_c_o_CXX=no
- $rm -r conftest 2>/dev/null
- mkdir conftest
- cd conftest
- mkdir out
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- lt_compiler_flag="-o out/conftest2.$ac_objext"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:14506: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>out/conftest.err)
- ac_status=$?
- cat out/conftest.err >&5
- echo "$as_me:14510: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s out/conftest2.$ac_objext
- then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s out/conftest.err; then
- lt_cv_prog_compiler_c_o_CXX=yes
- fi
- fi
- chmod u+w .
- $rm conftest*
- # SGI C++ compiler will create directory out/ii_files/ for
- # template instantiation
- test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
- $rm out/* && rmdir out
- cd ..
- rmdir conftest
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
- # do not overwrite the value of need_locks provided by the user
- echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
- hard_links=yes
- $rm conftest*
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- touch conftest.a
- ln conftest.a conftest.b 2>&5 || hard_links=no
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
- if test "$hard_links" = no; then
- { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
- need_locks=warn
- fi
-else
- need_locks=no
-fi
-
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
-
- export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- case $host_os in
- aix4* | aix5*)
- # If we're using GNU nm, then we don't want the "-C" option.
- # -C means demangle to AIX nm, but means don't demangle with GNU nm
- if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
- export_symbols_cmds_CXX='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- else
- export_symbols_cmds_CXX='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- fi
- ;;
- pw32*)
- export_symbols_cmds_CXX="$ltdll_cmds"
- ;;
- cygwin* | mingw*)
- export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
- ;;
- *)
- export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- ;;
- esac
-
-echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
-echo "${ECHO_T}$ld_shlibs_CXX" >&6
-test "$ld_shlibs_CXX" = no && can_build_shared=no
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
- variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_CXX" in
-x|xyes)
- # Assume -lc should be added
- archive_cmds_need_lc_CXX=yes
-
- if test "$enable_shared" = yes && test "$GCC" = yes; then
- case $archive_cmds_CXX in
- *'~'*)
- # FIXME: we may have to deal with multi-command sequences.
- ;;
- '$CC '*)
- # Test whether the compiler implicitly links with -lc since on some
- # systems, -lgcc has to come before -lc. If gcc already passes -lc
- # to ld, don't add -lc before -lgcc.
- echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
- $rm conftest*
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } 2>conftest.err; then
- soname=conftest
- lib=conftest
- libobjs=conftest.$ac_objext
- deplibs=
- wl=$lt_prog_compiler_wl_CXX
- compiler_flags=-v
- linker_flags=-v
- verstring=
- output_objdir=.
- libname=conftest
- lt_save_allow_undefined_flag=$allow_undefined_flag_CXX
- allow_undefined_flag_CXX=
- if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
- (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
- then
- archive_cmds_need_lc_CXX=no
- else
- archive_cmds_need_lc_CXX=yes
- fi
- allow_undefined_flag_CXX=$lt_save_allow_undefined_flag
- else
- cat conftest.err 1>&5
- fi
- $rm conftest*
- echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6
- ;;
- esac
- fi
- ;;
-esac
-
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
- # if the path contains ";" then we assume it to be the separator
- # otherwise default to the standard path separator (i.e. ":") - it is
- # assumed that no part of a normal pathname contains ";" but that should
- # okay in the real world where ";" in dirpaths is itself problematic.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
-else
- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
- shlibpath_var=LIBPATH
-
- # AIX 3 has no versioning support, so we append a major version to the name.
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
-
-aix4* | aix5*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- hardcode_into_libs=yes
- if test "$host_cpu" = ia64; then
- # AIX 5 supports IA64
- library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- else
- # With GCC up to 2.95.x, collect2 would create an import file
- # for dependence libraries. The import file would start with
- # the line `#! .'. This would cause the generated library to
- # depend on `.', always an invalid library. This was fixed in
- # development snapshots of GCC prior to 3.0.
- case $host_os in
- aix4 | aix4.[01] | aix4.[01].*)
- if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
- echo ' yes '
- echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
- :
- else
- can_build_shared=no
- fi
- ;;
- esac
- # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
- # soname into executable. Probably we can add versioning support to
- # collect2, so additional links can be useful in future.
- if test "$aix_use_runtimelinking" = yes; then
- # If using run time linking (on AIX 4.2 or later) use lib<name>.so
- # instead of lib<name>.a to let people know that these are not
- # typical AIX shared libraries.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- else
- # We preserve .a as extension for shared libraries through AIX4.2
- # and later when we are not doing run time linking.
- library_names_spec='${libname}${release}.a $libname.a'
- soname_spec='${libname}${release}${shared_ext}$major'
- fi
- shlibpath_var=LIBPATH
- fi
- ;;
-
-amigaos*)
- library_names_spec='$libname.ixlibrary $libname.a'
- # Create ${libname}_ixlibrary.a entries in /sys/libs.
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
- ;;
-
-beos*)
- library_names_spec='${libname}${shared_ext}'
- dynamic_linker="$host_os ld.so"
- shlibpath_var=LIBRARY_PATH
- ;;
-
-bsdi[45]*)
- version_type=linux
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
- sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
- # the default ld.so.conf also contains /usr/contrib/lib and
- # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
- # libtool to hard-code these into programs
- ;;
-
-cygwin* | mingw* | pw32*)
- version_type=windows
- shrext_cmds=".dll"
- need_version=no
- need_lib_prefix=no
-
- case $GCC,$host_os in
- yes,cygwin* | yes,mingw* | yes,pw32*)
- library_names_spec='$libname.dll.a'
- # DLL is installed to $(libdir)/../bin by postinstall_cmds
- postinstall_cmds='base_file=`basename \${file}`~
- dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
- dldir=$destdir/`dirname \$dlpath`~
- test -d \$dldir || mkdir -p \$dldir~
- $install_prog $dir/$dlname \$dldir/$dlname'
- postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
- dlpath=$dir/\$dldll~
- $rm \$dlpath'
- shlibpath_overrides_runpath=yes
-
- case $host_os in
- cygwin*)
- # Cygwin DLLs use 'cyg' prefix rather than 'lib'
- soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
- ;;
- mingw*)
- # MinGW DLLs use traditional 'lib' prefix
- soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
- # It is most probably a Windows format PATH printed by
- # mingw gcc, but we are running on Cygwin. Gcc prints its search
- # path with ; separators, and with drive letters. We can handle the
- # drive letters (cygwin fileutils understands them), so leave them,
- # especially as we might pass files found there to a mingw objdump,
- # which wouldn't understand a cygwinified path. Ahh.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
- ;;
- pw32*)
- # pw32 DLLs use 'pw' prefix rather than 'lib'
- library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
- ;;
- esac
- ;;
-
- *)
- library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
- ;;
- esac
- dynamic_linker='Win32 ld.exe'
- # FIXME: first we should search . and the directory the executable is in
- shlibpath_var=PATH
- ;;
-
-darwin* | rhapsody*)
- dynamic_linker="$host_os dyld"
- version_type=darwin
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
- soname_spec='${libname}${release}${major}$shared_ext'
- shlibpath_overrides_runpath=yes
- shlibpath_var=DYLD_LIBRARY_PATH
- shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
- if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
- else
- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
- fi
- sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
- ;;
-
-dgux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-freebsd1*)
- dynamic_linker=no
- ;;
-
-kfreebsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-freebsd*)
- objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
- version_type=freebsd-$objformat
- case $version_type in
- freebsd-elf*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
- need_version=no
- need_lib_prefix=no
- ;;
- freebsd-*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
- need_version=yes
- ;;
- esac
- shlibpath_var=LD_LIBRARY_PATH
- case $host_os in
- freebsd2*)
- shlibpath_overrides_runpath=yes
- ;;
- freebsd3.01* | freebsdelf3.01*)
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
- *) # from 3.2 on
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- ;;
- esac
- ;;
-
-gnu*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- hardcode_into_libs=yes
- ;;
-
-hpux9* | hpux10* | hpux11*)
- # Give a soname corresponding to the major version so that dld.sl refuses to
- # link against other versions.
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- case "$host_cpu" in
- ia64*)
- shrext_cmds='.so'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.so"
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- if test "X$HPUX_IA64_MODE" = X32; then
- sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
- else
- sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
- fi
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- hppa*64*)
- shrext_cmds='.sl'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- *)
- shrext_cmds='.sl'
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=SHLIB_PATH
- shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
- esac
- # HP-UX runs *really* slowly unless shared libraries are mode 555.
- postinstall_cmds='chmod 555 $lib'
- ;;
-
-irix5* | irix6* | nonstopux*)
- case $host_os in
- nonstopux*) version_type=nonstopux ;;
- *)
- if test "$lt_cv_prog_gnu_ld" = yes; then
- version_type=linux
- else
- version_type=irix
- fi ;;
- esac
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
- case $host_os in
- irix5* | nonstopux*)
- libsuff= shlibsuff=
- ;;
- *)
- case $LD in # libtool.m4 will add one of these switches to LD
- *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
- libsuff= shlibsuff= libmagic=32-bit;;
- *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
- libsuff=32 shlibsuff=N32 libmagic=N32;;
- *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
- libsuff=64 shlibsuff=64 libmagic=64-bit;;
- *) libsuff= shlibsuff= libmagic=never-match;;
- esac
- ;;
- esac
- shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
- sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
- hardcode_into_libs=yes
- ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
- dynamic_linker=no
- ;;
-
-# This must be Linux ELF.
-linux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- # This implies no fast_install, which is unacceptable.
- # Some rework will be needed to allow for fast_install
- # before this can be enabled.
- hardcode_into_libs=yes
-
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
- # powerpc, because MkLinux only supported shared libraries with the
- # GNU dynamic linker. Since this was broken with cross compilers,
- # most powerpc-linux boxes support dynamic linking these days and
- # people can always --disable-shared, the test was removed, and we
- # assume the GNU/Linux dynamic linker is in use.
- dynamic_linker='GNU/Linux ld.so'
- ;;
-
-knetbsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-netbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- dynamic_linker='NetBSD (a.out) ld.so'
- else
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- dynamic_linker='NetBSD ld.elf_so'
- fi
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
-
-newsos6)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-nto-qnx*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-openbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- case $host_os in
- openbsd2.[89] | openbsd2.[89].*)
- shlibpath_overrides_runpath=no
- ;;
- *)
- shlibpath_overrides_runpath=yes
- ;;
- esac
- else
- shlibpath_overrides_runpath=yes
- fi
- ;;
-
-os2*)
- libname_spec='$name'
- shrext_cmds=".dll"
- need_lib_prefix=no
- library_names_spec='$libname${shared_ext} $libname.a'
- dynamic_linker='OS/2 ld.exe'
- shlibpath_var=LIBPATH
- ;;
-
-osf3* | osf4* | osf5*)
- version_type=osf
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
- sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
- ;;
-
-sco3.2v5*)
- version_type=osf
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-solaris*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- # ldd complains unless libraries are executable
- postinstall_cmds='chmod +x $lib'
- ;;
-
-sunos4*)
- version_type=sunos
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- if test "$with_gnu_ld" = yes; then
- need_lib_prefix=no
- fi
- need_version=yes
- ;;
-
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- case $host_vendor in
- sni)
- shlibpath_overrides_runpath=no
- need_lib_prefix=no
- export_dynamic_flag_spec='${wl}-Blargedynsym'
- runpath_var=LD_RUN_PATH
- ;;
- siemens)
- need_lib_prefix=no
- ;;
- motorola)
- need_lib_prefix=no
- need_version=no
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
- ;;
- esac
- ;;
-
-sysv4*MP*)
- if test -d /usr/nec ;then
- version_type=linux
- library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
- soname_spec='$libname${shared_ext}.$major'
- shlibpath_var=LD_LIBRARY_PATH
- fi
- ;;
-
-uts4*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-*)
- dynamic_linker=no
- ;;
-esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
-test "$dynamic_linker" = no && can_build_shared=no
-
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
-hardcode_action_CXX=
-if test -n "$hardcode_libdir_flag_spec_CXX" || \
- test -n "$runpath_var_CXX" || \
- test "X$hardcode_automatic_CXX" = "Xyes" ; then
-
- # We can hardcode non-existant directories.
- if test "$hardcode_direct_CXX" != no &&
- # If the only mechanism to avoid hardcoding is shlibpath_var, we
- # have to relink, otherwise we might link with an installed library
- # when we should be linking with a yet-to-be-installed one
- ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, CXX)" != no &&
- test "$hardcode_minus_L_CXX" != no; then
- # Linking always hardcodes the temporary library directory.
- hardcode_action_CXX=relink
- else
- # We can link without hardcoding, and we can hardcode nonexisting dirs.
- hardcode_action_CXX=immediate
- fi
-else
- # We cannot hardcode anything, or else we can only hardcode existing
- # directories.
- hardcode_action_CXX=unsupported
-fi
-echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
-echo "${ECHO_T}$hardcode_action_CXX" >&6
-
-if test "$hardcode_action_CXX" = relink; then
- # Fast installation is not supported
- enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
- test "$enable_shared" = no; then
- # Fast installation is not necessary
- enable_fast_install=needless
-fi
-
-striplib=
-old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
- test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
- test -z "$striplib" && striplib="$STRIP --strip-unneeded"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-# FIXME - insert some real tests, host_os isn't really good enough
- case $host_os in
- darwin*)
- if test -n "$STRIP" ; then
- striplib="$STRIP -x"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
- ;;
- *)
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ;;
- esac
-fi
-
-if test "x$enable_dlopen" != xyes; then
- enable_dlopen=unknown
- enable_dlopen_self=unknown
- enable_dlopen_self_static=unknown
-else
- lt_cv_dlopen=no
- lt_cv_dlopen_libs=
-
- case $host_os in
- beos*)
- lt_cv_dlopen="load_add_on"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
- ;;
-
- mingw* | pw32*)
- lt_cv_dlopen="LoadLibrary"
- lt_cv_dlopen_libs=
- ;;
-
- cygwin*)
- lt_cv_dlopen="dlopen"
- lt_cv_dlopen_libs=
- ;;
-
- darwin*)
- # if libdl is installed we need to link against it
- echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dl_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-
- lt_cv_dlopen="dyld"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
-
-fi
-
- ;;
-
- *)
- echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
-if test "${ac_cv_func_shl_load+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define shl_load innocuous_shl_load
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char shl_load (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef shl_load
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char shl_load ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_shl_load) || defined (__stub___shl_load)
-choke me
-#else
-char (*f) () = shl_load;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != shl_load;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_shl_load=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6
-if test $ac_cv_func_shl_load = yes; then
- lt_cv_dlopen="shl_load"
-else
- echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char shl_load ();
-int
-main ()
-{
-shl_load ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dld_shl_load=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
-if test $ac_cv_lib_dld_shl_load = yes; then
- lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
-else
- echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
-if test "${ac_cv_func_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char dlopen (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_dlopen) || defined (__stub___dlopen)
-choke me
-#else
-char (*f) () = dlopen;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != dlopen;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6
-if test $ac_cv_func_dlopen = yes; then
- lt_cv_dlopen="dlopen"
-else
- echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dl_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
- echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsvld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_svld_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_svld_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
-if test $ac_cv_lib_svld_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
-else
- echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dld_link ();
-int
-main ()
-{
-dld_link ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_cxx_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dld_dld_link=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_dld_link=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
-if test $ac_cv_lib_dld_dld_link = yes; then
- lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
- ;;
- esac
-
- if test "x$lt_cv_dlopen" != xno; then
- enable_dlopen=yes
- else
- enable_dlopen=no
- fi
-
- case $lt_cv_dlopen in
- dlopen)
- save_CPPFLAGS="$CPPFLAGS"
- test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
- save_LDFLAGS="$LDFLAGS"
- eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
- save_LIBS="$LIBS"
- LIBS="$lt_cv_dlopen_libs $LIBS"
-
- echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test "$cross_compiling" = yes; then :
- lt_cv_dlopen_self=cross
-else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<EOF
-#line 15867 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-# define LT_DLGLOBAL RTLD_GLOBAL
-#else
-# ifdef DL_GLOBAL
-# define LT_DLGLOBAL DL_GLOBAL
-# else
-# define LT_DLGLOBAL 0
-# endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
- find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-# ifdef RTLD_LAZY
-# define LT_DLLAZY_OR_NOW RTLD_LAZY
-# else
-# ifdef DL_LAZY
-# define LT_DLLAZY_OR_NOW DL_LAZY
-# else
-# ifdef RTLD_NOW
-# define LT_DLLAZY_OR_NOW RTLD_NOW
-# else
-# ifdef DL_NOW
-# define LT_DLLAZY_OR_NOW DL_NOW
-# else
-# define LT_DLLAZY_OR_NOW 0
-# endif
-# endif
-# endif
-# endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
- void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
- int status = $lt_dlunknown;
-
- if (self)
- {
- if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
- /* dlclose (self); */
- }
-
- exit (status);
-}
-EOF
- if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
- (./conftest; exit; ) 2>/dev/null
- lt_status=$?
- case x$lt_status in
- x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
- x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
- x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
- esac
- else :
- # compilation failed
- lt_cv_dlopen_self=no
- fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6
-
- if test "x$lt_cv_dlopen_self" = xyes; then
- LDFLAGS="$LDFLAGS $link_static_flag"
- echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self_static+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test "$cross_compiling" = yes; then :
- lt_cv_dlopen_self_static=cross
-else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<EOF
-#line 15965 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-# define LT_DLGLOBAL RTLD_GLOBAL
-#else
-# ifdef DL_GLOBAL
-# define LT_DLGLOBAL DL_GLOBAL
-# else
-# define LT_DLGLOBAL 0
-# endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
- find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-# ifdef RTLD_LAZY
-# define LT_DLLAZY_OR_NOW RTLD_LAZY
-# else
-# ifdef DL_LAZY
-# define LT_DLLAZY_OR_NOW DL_LAZY
-# else
-# ifdef RTLD_NOW
-# define LT_DLLAZY_OR_NOW RTLD_NOW
-# else
-# ifdef DL_NOW
-# define LT_DLLAZY_OR_NOW DL_NOW
-# else
-# define LT_DLLAZY_OR_NOW 0
-# endif
-# endif
-# endif
-# endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
- void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
- int status = $lt_dlunknown;
-
- if (self)
- {
- if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
- /* dlclose (self); */
- }
-
- exit (status);
-}
-EOF
- if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
- (./conftest; exit; ) 2>/dev/null
- lt_status=$?
- case x$lt_status in
- x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
- x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
- x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
- esac
- else :
- # compilation failed
- lt_cv_dlopen_self_static=no
- fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
- fi
-
- CPPFLAGS="$save_CPPFLAGS"
- LDFLAGS="$save_LDFLAGS"
- LIBS="$save_LIBS"
- ;;
- esac
-
- case $lt_cv_dlopen_self in
- yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
- *) enable_dlopen_self=unknown ;;
- esac
-
- case $lt_cv_dlopen_self_static in
- yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
- *) enable_dlopen_self_static=unknown ;;
- esac
-fi
-
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
- # See if we are running on zsh, and set the options which allow our commands through
- # without removal of \ escapes.
- if test -n "${ZSH_VERSION+set}" ; then
- setopt NO_GLOB_SUBST
- fi
- # Now quote all the things that may contain metacharacters while being
- # careful not to overquote the AC_SUBSTed values. We take copies of the
- # variables and quote the copies for generation of the libtool script.
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
- SED SHELL STRIP \
- libname_spec library_names_spec soname_spec extract_expsyms_cmds \
- old_striplib striplib file_magic_cmd finish_cmds finish_eval \
- deplibs_check_method reload_flag reload_cmds need_locks \
- lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
- lt_cv_sys_global_symbol_to_c_name_address \
- sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
- old_postinstall_cmds old_postuninstall_cmds \
- compiler_CXX \
- CC_CXX \
- LD_CXX \
- lt_prog_compiler_wl_CXX \
- lt_prog_compiler_pic_CXX \
- lt_prog_compiler_static_CXX \
- lt_prog_compiler_no_builtin_flag_CXX \
- export_dynamic_flag_spec_CXX \
- thread_safe_flag_spec_CXX \
- whole_archive_flag_spec_CXX \
- enable_shared_with_static_runtimes_CXX \
- old_archive_cmds_CXX \
- old_archive_from_new_cmds_CXX \
- predep_objects_CXX \
- postdep_objects_CXX \
- predeps_CXX \
- postdeps_CXX \
- compiler_lib_search_path_CXX \
- archive_cmds_CXX \
- archive_expsym_cmds_CXX \
- postinstall_cmds_CXX \
- postuninstall_cmds_CXX \
- old_archive_from_expsyms_cmds_CXX \
- allow_undefined_flag_CXX \
- no_undefined_flag_CXX \
- export_symbols_cmds_CXX \
- hardcode_libdir_flag_spec_CXX \
- hardcode_libdir_flag_spec_ld_CXX \
- hardcode_libdir_separator_CXX \
- hardcode_automatic_CXX \
- module_cmds_CXX \
- module_expsym_cmds_CXX \
- lt_cv_prog_compiler_c_o_CXX \
- exclude_expsyms_CXX \
- include_expsyms_CXX; do
-
- case $var in
- old_archive_cmds_CXX | \
- old_archive_from_new_cmds_CXX | \
- archive_cmds_CXX | \
- archive_expsym_cmds_CXX | \
- module_cmds_CXX | \
- module_expsym_cmds_CXX | \
- old_archive_from_expsyms_cmds_CXX | \
- export_symbols_cmds_CXX | \
- extract_expsyms_cmds | reload_cmds | finish_cmds | \
- postinstall_cmds | postuninstall_cmds | \
- old_postinstall_cmds | old_postuninstall_cmds | \
- sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
- # Double-quote double-evaled strings.
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
- ;;
- *)
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
- ;;
- esac
- done
-
- case $lt_echo in
- *'\$0 --fallback-echo"')
- lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
- ;;
- esac
-
-cfgfile="$ofile"
-
- cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_CXX
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_CXX
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# A language-specific compiler.
-CC=$lt_compiler_CXX
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_CXX
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_CXX
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_CXX
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_CXX
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX
-
-# Must we lock files when doing compilation ?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_CXX
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_CXX
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_CXX
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_CXX
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_CXX
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names. First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_CXX
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_CXX
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_CXX
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_CXX
-archive_expsym_cmds=$lt_archive_expsym_cmds_CXX
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_CXX
-module_expsym_cmds=$lt_module_expsym_cmds_CXX
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_CXX
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_CXX
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_CXX
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_CXX
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_CXX
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_CXX
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_CXX
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_CXX
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_CXX
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_CXX
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_CXX
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_CXX
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_CXX
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_CXX
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_CXX
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_CXX
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path="$fix_srcfile_path_CXX"
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_CXX
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_CXX
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_CXX
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_CXX
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
- # If there is no Makefile yet, we rely on a make rule to execute
- # `config.status --recheck' to rerun these tests and create the
- # libtool script then.
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
- if test -f "$ltmain_in"; then
- test -f Makefile && make "$ltmain"
- fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC=$lt_save_CC
-LDCXX=$LD
-LD=$lt_save_LD
-GCC=$lt_save_GCC
-with_gnu_ldcxx=$with_gnu_ld
-with_gnu_ld=$lt_save_with_gnu_ld
-lt_cv_path_LDCXX=$lt_cv_path_LD
-lt_cv_path_LD=$lt_save_path_LD
-lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
-
- else
- tagname=""
- fi
- ;;
-
- F77)
- if test -n "$F77" && test "X$F77" != "Xno"; then
-
-ac_ext=f
-ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
-ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_f77_compiler_gnu
-
-
-archive_cmds_need_lc_F77=no
-allow_undefined_flag_F77=
-always_export_symbols_F77=no
-archive_expsym_cmds_F77=
-export_dynamic_flag_spec_F77=
-hardcode_direct_F77=no
-hardcode_libdir_flag_spec_F77=
-hardcode_libdir_flag_spec_ld_F77=
-hardcode_libdir_separator_F77=
-hardcode_minus_L_F77=no
-hardcode_automatic_F77=no
-module_cmds_F77=
-module_expsym_cmds_F77=
-link_all_deplibs_F77=unknown
-old_archive_cmds_F77=$old_archive_cmds
-no_undefined_flag_F77=
-whole_archive_flag_spec_F77=
-enable_shared_with_static_runtimes_F77=no
-
-# Source file extension for f77 test sources.
-ac_ext=f
-
-# Object file extension for compiled f77 test sources.
-objext=o
-objext_F77=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code=" subroutine t\n return\n end\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code=" program t\n end\n"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${F77-"f77"}
-compiler=$CC
-compiler_F77=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
-echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
-echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
-echo "$as_me:$LINENO: result: $can_build_shared" >&5
-echo "${ECHO_T}$can_build_shared" >&6
-
-echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
-echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case "$host_os" in
-aix3*)
- test "$enable_shared" = yes && enable_static=no
- if test -n "$RANLIB"; then
- archive_cmds="$archive_cmds~\$RANLIB \$lib"
- postinstall_cmds='$RANLIB $lib'
- fi
- ;;
-aix4* | aix5*)
- test "$enable_shared" = yes && enable_static=no
- ;;
-esac
-echo "$as_me:$LINENO: result: $enable_shared" >&5
-echo "${ECHO_T}$enable_shared" >&6
-
-echo "$as_me:$LINENO: checking whether to build static libraries" >&5
-echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-echo "$as_me:$LINENO: result: $enable_static" >&5
-echo "${ECHO_T}$enable_static" >&6
-
-test "$ld_shlibs_F77" = no && can_build_shared=no
-
-GCC_F77="$G77"
-LD_F77="$LD"
-
-lt_prog_compiler_wl_F77=
-lt_prog_compiler_pic_F77=
-lt_prog_compiler_static_F77=
-
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
-
- if test "$GCC" = yes; then
- lt_prog_compiler_wl_F77='-Wl,'
- lt_prog_compiler_static_F77='-static'
-
- case $host_os in
- aix*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static_F77='-Bstatic'
- fi
- ;;
-
- amigaos*)
- # FIXME: we need at least 68020 code to build shared libraries, but
- # adding the `-m68020' flag to GCC prevents building anything better,
- # like `-m68040'.
- lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
- ;;
-
- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
- # PIC is the default for these OSes.
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- lt_prog_compiler_pic_F77='-DDLL_EXPORT'
- ;;
-
- darwin* | rhapsody*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- lt_prog_compiler_pic_F77='-fno-common'
- ;;
-
- msdosdjgpp*)
- # Just because we use GCC doesn't mean we suddenly get shared libraries
- # on systems that don't support them.
- lt_prog_compiler_can_build_shared_F77=no
- enable_shared=no
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- lt_prog_compiler_pic_F77=-Kconform_pic
- fi
- ;;
-
- hpux*)
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- lt_prog_compiler_pic_F77='-fPIC'
- ;;
- esac
- ;;
-
- *)
- lt_prog_compiler_pic_F77='-fPIC'
- ;;
- esac
- else
- # PORTME Check for flag to pass linker flags through the system compiler.
- case $host_os in
- aix*)
- lt_prog_compiler_wl_F77='-Wl,'
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static_F77='-Bstatic'
- else
- lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
- fi
- ;;
- darwin*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- case "$cc_basename" in
- xlc*)
- lt_prog_compiler_pic_F77='-qnocommon'
- lt_prog_compiler_wl_F77='-Wl,'
- ;;
- esac
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- lt_prog_compiler_pic_F77='-DDLL_EXPORT'
- ;;
-
- hpux9* | hpux10* | hpux11*)
- lt_prog_compiler_wl_F77='-Wl,'
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- lt_prog_compiler_pic_F77='+Z'
- ;;
- esac
- # Is there a better lt_prog_compiler_static that works with the bundled CC?
- lt_prog_compiler_static_F77='${wl}-a ${wl}archive'
- ;;
-
- irix5* | irix6* | nonstopux*)
- lt_prog_compiler_wl_F77='-Wl,'
- # PIC (with -KPIC) is the default.
- lt_prog_compiler_static_F77='-non_shared'
- ;;
-
- newsos6)
- lt_prog_compiler_pic_F77='-KPIC'
- lt_prog_compiler_static_F77='-Bstatic'
- ;;
-
- linux*)
- case $CC in
- icc* | ecc*)
- lt_prog_compiler_wl_F77='-Wl,'
- lt_prog_compiler_pic_F77='-KPIC'
- lt_prog_compiler_static_F77='-static'
- ;;
- ccc*)
- lt_prog_compiler_wl_F77='-Wl,'
- # All Alpha code is PIC.
- lt_prog_compiler_static_F77='-non_shared'
- ;;
- esac
- ;;
-
- osf3* | osf4* | osf5*)
- lt_prog_compiler_wl_F77='-Wl,'
- # All OSF/1 code is PIC.
- lt_prog_compiler_static_F77='-non_shared'
- ;;
-
- sco3.2v5*)
- lt_prog_compiler_pic_F77='-Kpic'
- lt_prog_compiler_static_F77='-dn'
- ;;
-
- solaris*)
- lt_prog_compiler_wl_F77='-Wl,'
- lt_prog_compiler_pic_F77='-KPIC'
- lt_prog_compiler_static_F77='-Bstatic'
- ;;
-
- sunos4*)
- lt_prog_compiler_wl_F77='-Qoption ld '
- lt_prog_compiler_pic_F77='-PIC'
- lt_prog_compiler_static_F77='-Bstatic'
- ;;
-
- sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- lt_prog_compiler_wl_F77='-Wl,'
- lt_prog_compiler_pic_F77='-KPIC'
- lt_prog_compiler_static_F77='-Bstatic'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec ;then
- lt_prog_compiler_pic_F77='-Kconform_pic'
- lt_prog_compiler_static_F77='-Bstatic'
- fi
- ;;
-
- uts4*)
- lt_prog_compiler_pic_F77='-pic'
- lt_prog_compiler_static_F77='-Bstatic'
- ;;
-
- *)
- lt_prog_compiler_can_build_shared_F77=no
- ;;
- esac
- fi
-
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_F77"; then
-
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6
-if test "${lt_prog_compiler_pic_works_F77+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_prog_compiler_pic_works_F77=no
- ac_outfile=conftest.$ac_objext
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
- lt_compiler_flag="$lt_prog_compiler_pic_F77"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- # The option is referenced via a variable to avoid confusing sed.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:16802: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>conftest.err)
- ac_status=$?
- cat conftest.err >&5
- echo "$as_me:16806: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s "$ac_outfile"; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s conftest.err; then
- lt_prog_compiler_pic_works_F77=yes
- fi
- fi
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_F77" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works_F77" >&6
-
-if test x"$lt_prog_compiler_pic_works_F77" = xyes; then
- case $lt_prog_compiler_pic_F77 in
- "" | " "*) ;;
- *) lt_prog_compiler_pic_F77=" $lt_prog_compiler_pic_F77" ;;
- esac
-else
- lt_prog_compiler_pic_F77=
- lt_prog_compiler_can_build_shared_F77=no
-fi
-
-fi
-case "$host_os" in
- # For platforms which do not support PIC, -DPIC is meaningless:
- *djgpp*)
- lt_prog_compiler_pic_F77=
- ;;
- *)
- lt_prog_compiler_pic_F77="$lt_prog_compiler_pic_F77"
- ;;
-esac
-
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
-if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_prog_compiler_c_o_F77=no
- $rm -r conftest 2>/dev/null
- mkdir conftest
- cd conftest
- mkdir out
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- lt_compiler_flag="-o out/conftest2.$ac_objext"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:16862: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>out/conftest.err)
- ac_status=$?
- cat out/conftest.err >&5
- echo "$as_me:16866: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s out/conftest2.$ac_objext
- then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s out/conftest.err; then
- lt_cv_prog_compiler_c_o_F77=yes
- fi
- fi
- chmod u+w .
- $rm conftest*
- # SGI C++ compiler will create directory out/ii_files/ for
- # template instantiation
- test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
- $rm out/* && rmdir out
- cd ..
- rmdir conftest
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
- # do not overwrite the value of need_locks provided by the user
- echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
- hard_links=yes
- $rm conftest*
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- touch conftest.a
- ln conftest.a conftest.b 2>&5 || hard_links=no
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
- if test "$hard_links" = no; then
- { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
- need_locks=warn
- fi
-else
- need_locks=no
-fi
-
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
-
- runpath_var=
- allow_undefined_flag_F77=
- enable_shared_with_static_runtimes_F77=no
- archive_cmds_F77=
- archive_expsym_cmds_F77=
- old_archive_From_new_cmds_F77=
- old_archive_from_expsyms_cmds_F77=
- export_dynamic_flag_spec_F77=
- whole_archive_flag_spec_F77=
- thread_safe_flag_spec_F77=
- hardcode_libdir_flag_spec_F77=
- hardcode_libdir_flag_spec_ld_F77=
- hardcode_libdir_separator_F77=
- hardcode_direct_F77=no
- hardcode_minus_L_F77=no
- hardcode_shlibpath_var_F77=unsupported
- link_all_deplibs_F77=unknown
- hardcode_automatic_F77=no
- module_cmds_F77=
- module_expsym_cmds_F77=
- always_export_symbols_F77=no
- export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- # include_expsyms should be a list of space-separated symbols to be *always*
- # included in the symbol list
- include_expsyms_F77=
- # exclude_expsyms can be an extended regexp of symbols to exclude
- # it will be wrapped by ` (' and `)$', so one must not match beginning or
- # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
- # as well as any symbol that contains `d'.
- exclude_expsyms_F77="_GLOBAL_OFFSET_TABLE_"
- # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
- # platforms (ab)use it in PIC code, but their linkers get confused if
- # the symbol is explicitly referenced. Since portable code cannot
- # rely on this symbol name, it's probably fine to never include it in
- # preloaded symbol tables.
- extract_expsyms_cmds=
-
- case $host_os in
- cygwin* | mingw* | pw32*)
- # FIXME: the MSVC++ port hasn't been tested in a loooong time
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- if test "$GCC" != yes; then
- with_gnu_ld=no
- fi
- ;;
- openbsd*)
- with_gnu_ld=no
- ;;
- esac
-
- ld_shlibs_F77=yes
- if test "$with_gnu_ld" = yes; then
- # If archive_cmds runs LD, not CC, wlarc should be empty
- wlarc='${wl}'
-
- # See if GNU ld supports shared libraries.
- case $host_os in
- aix3* | aix4* | aix5*)
- # On AIX/PPC, the GNU linker is very broken
- if test "$host_cpu" != ia64; then
- ld_shlibs_F77=no
- cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support. If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
- fi
- ;;
-
- amigaos*)
- archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_minus_L_F77=yes
-
- # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
- # that the semantics of dynamic libraries on AmigaOS, at least up
- # to version 4, is to share data among multiple programs linked
- # with the same dynamic library. Since this doesn't match the
- # behavior of shared libraries on other platforms, we can't use
- # them.
- ld_shlibs_F77=no
- ;;
-
- beos*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- allow_undefined_flag_F77=unsupported
- # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
- # support --undefined. This deserves some investigation. FIXME
- archive_cmds_F77='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- else
- ld_shlibs_F77=no
- fi
- ;;
-
- cygwin* | mingw* | pw32*)
- # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, F77) is actually meaningless,
- # as there is no search path for DLLs.
- hardcode_libdir_flag_spec_F77='-L$libdir'
- allow_undefined_flag_F77=unsupported
- always_export_symbols_F77=no
- enable_shared_with_static_runtimes_F77=yes
- export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
-
- if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
- archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- # If the export-symbols file already is a .def file (1st line
- # is EXPORTS), use it as is; otherwise, prepend...
- archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
- cp $export_symbols $output_objdir/$soname.def;
- else
- echo EXPORTS > $output_objdir/$soname.def;
- cat $export_symbols >> $output_objdir/$soname.def;
- fi~
- $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- else
- ld_shlibs=no
- fi
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
- wlarc=
- else
- archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- fi
- ;;
-
- solaris* | sysv5*)
- if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
- ld_shlibs_F77=no
- cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems. Therefore, libtool
-*** is disabling shared libraries support. We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer. Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
- elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- ld_shlibs_F77=no
- fi
- ;;
-
- sunos4*)
- archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- wlarc=
- hardcode_direct_F77=yes
- hardcode_shlibpath_var_F77=no
- ;;
-
- linux*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_cmds_F77="$tmp_archive_cmds"
- supports_anon_versioning=no
- case `$LD -v 2>/dev/null` in
- *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
- *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
- *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
- *\ 2.11.*) ;; # other 2.11 versions
- *) supports_anon_versioning=yes ;;
- esac
- if test $supports_anon_versioning = yes; then
- archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
- $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
- else
- archive_expsym_cmds_F77="$tmp_archive_cmds"
- fi
- else
- ld_shlibs_F77=no
- fi
- ;;
-
- *)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- ld_shlibs_F77=no
- fi
- ;;
- esac
-
- if test "$ld_shlibs_F77" = yes; then
- runpath_var=LD_RUN_PATH
- hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
- export_dynamic_flag_spec_F77='${wl}--export-dynamic'
- # ancient GNU ld didn't support --whole-archive et. al.
- if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- else
- whole_archive_flag_spec_F77=
- fi
- fi
- else
- # PORTME fill in a description of your system's linker (not GNU ld)
- case $host_os in
- aix3*)
- allow_undefined_flag_F77=unsupported
- always_export_symbols_F77=yes
- archive_expsym_cmds_F77='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
- # Note: this linker hardcodes the directories in LIBPATH if there
- # are no directories specified by -L.
- hardcode_minus_L_F77=yes
- if test "$GCC" = yes && test -z "$link_static_flag"; then
- # Neither direct hardcoding nor static linking is supported with a
- # broken collect2.
- hardcode_direct_F77=unsupported
- fi
- ;;
-
- aix4* | aix5*)
- if test "$host_cpu" = ia64; then
- # On IA64, the linker does run time linking by default, so we don't
- # have to do anything special.
- aix_use_runtimelinking=no
- exp_sym_flag='-Bexport'
- no_entry_flag=""
- else
- # If we're using GNU nm, then we don't want the "-C" option.
- # -C means demangle to AIX nm, but means don't demangle with GNU nm
- if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
- export_symbols_cmds_F77='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- else
- export_symbols_cmds_F77='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- fi
- aix_use_runtimelinking=no
-
- # Test if we are trying to use run time linking or normal
- # AIX style linking. If -brtl is somewhere in LDFLAGS, we
- # need to do runtime linking.
- case $host_os in aix4.[23]|aix4.[23].*|aix5*)
- for ld_flag in $LDFLAGS; do
- if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
- aix_use_runtimelinking=yes
- break
- fi
- done
- esac
-
- exp_sym_flag='-bexport'
- no_entry_flag='-bnoentry'
- fi
-
- # When large executables or shared objects are built, AIX ld can
- # have problems creating the table of contents. If linking a library
- # or program results in "error TOC overflow" add -mminimal-toc to
- # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
- # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
- archive_cmds_F77=''
- hardcode_direct_F77=yes
- hardcode_libdir_separator_F77=':'
- link_all_deplibs_F77=yes
-
- if test "$GCC" = yes; then
- case $host_os in aix4.012|aix4.012.*)
- # We only want to do this on AIX 4.2 and lower, the check
- # below for broken collect2 doesn't work under 4.3+
- collect2name=`${CC} -print-prog-name=collect2`
- if test -f "$collect2name" && \
- strings "$collect2name" | grep resolve_lib_name >/dev/null
- then
- # We have reworked collect2
- hardcode_direct_F77=yes
- else
- # We have old collect2
- hardcode_direct_F77=unsupported
- # It fails to find uninstalled libraries when the uninstalled
- # path is not listed in the libpath. Setting hardcode_minus_L
- # to unsupported forces relinking
- hardcode_minus_L_F77=yes
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_libdir_separator_F77=
- fi
- esac
- shared_flag='-shared'
- else
- # not using gcc
- if test "$host_cpu" = ia64; then
- # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
- # chokes on -Wl,-G. The following line is correct:
- shared_flag='-G'
- else
- if test "$aix_use_runtimelinking" = yes; then
- shared_flag='${wl}-G'
- else
- shared_flag='${wl}-bM:SRE'
- fi
- fi
- fi
-
- # It seems that -bexpall does not export symbols beginning with
- # underscore (_), so it is better to generate a list of symbols to export.
- always_export_symbols_F77=yes
- if test "$aix_use_runtimelinking" = yes; then
- # Warning - without using the other runtime loading flags (-brtl),
- # -berok will link without error, but may produce a broken library.
- allow_undefined_flag_F77='-berok'
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
- program main
-
- end
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_f77_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
- archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
- else
- if test "$host_cpu" = ia64; then
- hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib'
- allow_undefined_flag_F77="-z nodefs"
- archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
- else
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
- program main
-
- end
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_f77_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
- # Warning - without using the other run time loading flags,
- # -berok will link without error, but may produce a broken library.
- no_undefined_flag_F77=' ${wl}-bernotok'
- allow_undefined_flag_F77=' ${wl}-berok'
- # -bexpall does not export symbols beginning with underscore (_)
- always_export_symbols_F77=yes
- # Exported symbols can be pulled into shared objects from archives
- whole_archive_flag_spec_F77=' '
- archive_cmds_need_lc_F77=yes
- # This is similar to how AIX traditionally builds it's shared libraries.
- archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
- fi
- fi
- ;;
-
- amigaos*)
- archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_minus_L_F77=yes
- # see comment about different semantics on the GNU ld section
- ld_shlibs_F77=no
- ;;
-
- bsdi[45]*)
- export_dynamic_flag_spec_F77=-rdynamic
- ;;
-
- cygwin* | mingw* | pw32*)
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- # hardcode_libdir_flag_spec is actually meaningless, as there is
- # no search path for DLLs.
- hardcode_libdir_flag_spec_F77=' '
- allow_undefined_flag_F77=unsupported
- # Tell ltmain to make .lib files, not .a files.
- libext=lib
- # Tell ltmain to make .dll files, not .so files.
- shrext_cmds=".dll"
- # FIXME: Setting linknames here is a bad hack.
- archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
- # The linker will automatically build a .lib file if we build a DLL.
- old_archive_From_new_cmds_F77='true'
- # FIXME: Should let the user specify the lib program.
- old_archive_cmds_F77='lib /OUT:$oldlib$oldobjs$old_deplibs'
- fix_srcfile_path='`cygpath -w "$srcfile"`'
- enable_shared_with_static_runtimes_F77=yes
- ;;
-
- darwin* | rhapsody*)
- case "$host_os" in
- rhapsody* | darwin1.[012])
- allow_undefined_flag_F77='${wl}-undefined ${wl}suppress'
- ;;
- *) # Darwin 1.3 on
- if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
- allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- else
- case ${MACOSX_DEPLOYMENT_TARGET} in
- 10.[012])
- allow_undefined_flag_F77='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- ;;
- 10.*)
- allow_undefined_flag_F77='${wl}-undefined ${wl}dynamic_lookup'
- ;;
- esac
- fi
- ;;
- esac
- archive_cmds_need_lc_F77=no
- hardcode_direct_F77=no
- hardcode_automatic_F77=yes
- hardcode_shlibpath_var_F77=unsupported
- whole_archive_flag_spec_F77=''
- link_all_deplibs_F77=yes
- if test "$GCC" = yes ; then
- output_verbose_link_cmd='echo'
- archive_cmds_F77='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- case "$cc_basename" in
- xlc*)
- output_verbose_link_cmd='echo'
- archive_cmds_F77='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
- module_cmds_F77='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- ;;
- *)
- ld_shlibs_F77=no
- ;;
- esac
- fi
- ;;
-
- dgux*)
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_shlibpath_var_F77=no
- ;;
-
- freebsd1*)
- ld_shlibs_F77=no
- ;;
-
- # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
- # support. Future versions do this automatically, but an explicit c++rt0.o
- # does not break anything, and helps significantly (at the cost of a little
- # extra space).
- freebsd2.2*)
- archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
- hardcode_libdir_flag_spec_F77='-R$libdir'
- hardcode_direct_F77=yes
- hardcode_shlibpath_var_F77=no
- ;;
-
- # Unfortunately, older versions of FreeBSD 2 do not have this feature.
- freebsd2*)
- archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_F77=yes
- hardcode_minus_L_F77=yes
- hardcode_shlibpath_var_F77=no
- ;;
-
- # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
- freebsd* | kfreebsd*-gnu)
- archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec_F77='-R$libdir'
- hardcode_direct_F77=yes
- hardcode_shlibpath_var_F77=no
- ;;
-
- hpux9*)
- if test "$GCC" = yes; then
- archive_cmds_F77='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- else
- archive_cmds_F77='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- fi
- hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator_F77=:
- hardcode_direct_F77=yes
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L_F77=yes
- export_dynamic_flag_spec_F77='${wl}-E'
- ;;
-
- hpux10* | hpux11*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*|ia64*)
- archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- *)
- archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- esac
- else
- case "$host_cpu" in
- hppa*64*|ia64*)
- archive_cmds_F77='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
- ;;
- *)
- archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
- ;;
- esac
- fi
- if test "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*)
- hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
- hardcode_libdir_flag_spec_ld_F77='+b $libdir'
- hardcode_libdir_separator_F77=:
- hardcode_direct_F77=no
- hardcode_shlibpath_var_F77=no
- ;;
- ia64*)
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_direct_F77=no
- hardcode_shlibpath_var_F77=no
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L_F77=yes
- ;;
- *)
- hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator_F77=:
- hardcode_direct_F77=yes
- export_dynamic_flag_spec_F77='${wl}-E'
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L_F77=yes
- ;;
- esac
- fi
- ;;
-
- irix5* | irix6* | nonstopux*)
- if test "$GCC" = yes; then
- archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- archive_cmds_F77='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- hardcode_libdir_flag_spec_ld_F77='-rpath $libdir'
- fi
- hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_F77=:
- link_all_deplibs_F77=yes
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
- else
- archive_cmds_F77='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
- fi
- hardcode_libdir_flag_spec_F77='-R$libdir'
- hardcode_direct_F77=yes
- hardcode_shlibpath_var_F77=no
- ;;
-
- newsos6)
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_F77=yes
- hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_F77=:
- hardcode_shlibpath_var_F77=no
- ;;
-
- openbsd*)
- hardcode_direct_F77=yes
- hardcode_shlibpath_var_F77=no
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- archive_expsym_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
- hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
- export_dynamic_flag_spec_F77='${wl}-E'
- else
- case $host_os in
- openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
- archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec_F77='-R$libdir'
- ;;
- *)
- archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
- ;;
- esac
- fi
- ;;
-
- os2*)
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_minus_L_F77=yes
- allow_undefined_flag_F77=unsupported
- archive_cmds_F77='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
- old_archive_From_new_cmds_F77='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
- ;;
-
- osf3*)
- if test "$GCC" = yes; then
- allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- allow_undefined_flag_F77=' -expect_unresolved \*'
- archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- fi
- hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_F77=:
- ;;
-
- osf4* | osf5*) # as osf3* with the addition of -msym flag
- if test "$GCC" = yes; then
- allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
- else
- allow_undefined_flag_F77=' -expect_unresolved \*'
- archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
- $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
-
- # Both c and cxx compiler support -rpath directly
- hardcode_libdir_flag_spec_F77='-rpath $libdir'
- fi
- hardcode_libdir_separator_F77=:
- ;;
-
- sco3.2v5*)
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var_F77=no
- export_dynamic_flag_spec_F77='${wl}-Bexport'
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ;;
-
- solaris*)
- no_undefined_flag_F77=' -z text'
- if test "$GCC" = yes; then
- archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
- else
- archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- fi
- hardcode_libdir_flag_spec_F77='-R$libdir'
- hardcode_shlibpath_var_F77=no
- case $host_os in
- solaris2.[0-5] | solaris2.[0-5].*) ;;
- *) # Supported since Solaris 2.6 (maybe 2.5.1?)
- whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;;
- esac
- link_all_deplibs_F77=yes
- ;;
-
- sunos4*)
- if test "x$host_vendor" = xsequent; then
- # Use $CC to link under sequent, because it throws in some extra .o
- # files that make .init and .fini sections work.
- archive_cmds_F77='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- archive_cmds_F77='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
- fi
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_direct_F77=yes
- hardcode_minus_L_F77=yes
- hardcode_shlibpath_var_F77=no
- ;;
-
- sysv4)
- case $host_vendor in
- sni)
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_F77=yes # is this really true???
- ;;
- siemens)
- ## LD is ld it makes a PLAMLIB
- ## CC just makes a GrossModule.
- archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- reload_cmds_F77='$CC -r -o $output$reload_objs'
- hardcode_direct_F77=no
- ;;
- motorola)
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_F77=no #Motorola manual says yes, but my tests say they lie
- ;;
- esac
- runpath_var='LD_RUN_PATH'
- hardcode_shlibpath_var_F77=no
- ;;
-
- sysv4.3*)
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var_F77=no
- export_dynamic_flag_spec_F77='-Bexport'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var_F77=no
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ld_shlibs_F77=yes
- fi
- ;;
-
- sysv4.2uw2*)
- archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_F77=yes
- hardcode_minus_L_F77=no
- hardcode_shlibpath_var_F77=no
- hardcode_runpath_var=yes
- runpath_var=LD_RUN_PATH
- ;;
-
- sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
- no_undefined_flag_F77='${wl}-z ${wl}text'
- if test "$GCC" = yes; then
- archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- archive_cmds_F77='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- fi
- runpath_var='LD_RUN_PATH'
- hardcode_shlibpath_var_F77=no
- ;;
-
- sysv5*)
- no_undefined_flag_F77=' -z text'
- # $CC -shared without GNU ld will not create a library from C++
- # object files and a static libstdc++, better avoid it by now
- archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- hardcode_libdir_flag_spec_F77=
- hardcode_shlibpath_var_F77=no
- runpath_var='LD_RUN_PATH'
- ;;
-
- uts4*)
- archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec_F77='-L$libdir'
- hardcode_shlibpath_var_F77=no
- ;;
-
- *)
- ld_shlibs_F77=no
- ;;
- esac
- fi
-
-echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
-echo "${ECHO_T}$ld_shlibs_F77" >&6
-test "$ld_shlibs_F77" = no && can_build_shared=no
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
- variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_F77" in
-x|xyes)
- # Assume -lc should be added
- archive_cmds_need_lc_F77=yes
-
- if test "$enable_shared" = yes && test "$GCC" = yes; then
- case $archive_cmds_F77 in
- *'~'*)
- # FIXME: we may have to deal with multi-command sequences.
- ;;
- '$CC '*)
- # Test whether the compiler implicitly links with -lc since on some
- # systems, -lgcc has to come before -lc. If gcc already passes -lc
- # to ld, don't add -lc before -lgcc.
- echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
- $rm conftest*
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } 2>conftest.err; then
- soname=conftest
- lib=conftest
- libobjs=conftest.$ac_objext
- deplibs=
- wl=$lt_prog_compiler_wl_F77
- compiler_flags=-v
- linker_flags=-v
- verstring=
- output_objdir=.
- libname=conftest
- lt_save_allow_undefined_flag=$allow_undefined_flag_F77
- allow_undefined_flag_F77=
- if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
- (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
- then
- archive_cmds_need_lc_F77=no
- else
- archive_cmds_need_lc_F77=yes
- fi
- allow_undefined_flag_F77=$lt_save_allow_undefined_flag
- else
- cat conftest.err 1>&5
- fi
- $rm conftest*
- echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6
- ;;
- esac
- fi
- ;;
-esac
-
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
- # if the path contains ";" then we assume it to be the separator
- # otherwise default to the standard path separator (i.e. ":") - it is
- # assumed that no part of a normal pathname contains ";" but that should
- # okay in the real world where ";" in dirpaths is itself problematic.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
-else
- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
- shlibpath_var=LIBPATH
-
- # AIX 3 has no versioning support, so we append a major version to the name.
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
-
-aix4* | aix5*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- hardcode_into_libs=yes
- if test "$host_cpu" = ia64; then
- # AIX 5 supports IA64
- library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- else
- # With GCC up to 2.95.x, collect2 would create an import file
- # for dependence libraries. The import file would start with
- # the line `#! .'. This would cause the generated library to
- # depend on `.', always an invalid library. This was fixed in
- # development snapshots of GCC prior to 3.0.
- case $host_os in
- aix4 | aix4.[01] | aix4.[01].*)
- if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
- echo ' yes '
- echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
- :
- else
- can_build_shared=no
- fi
- ;;
- esac
- # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
- # soname into executable. Probably we can add versioning support to
- # collect2, so additional links can be useful in future.
- if test "$aix_use_runtimelinking" = yes; then
- # If using run time linking (on AIX 4.2 or later) use lib<name>.so
- # instead of lib<name>.a to let people know that these are not
- # typical AIX shared libraries.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- else
- # We preserve .a as extension for shared libraries through AIX4.2
- # and later when we are not doing run time linking.
- library_names_spec='${libname}${release}.a $libname.a'
- soname_spec='${libname}${release}${shared_ext}$major'
- fi
- shlibpath_var=LIBPATH
- fi
- ;;
-
-amigaos*)
- library_names_spec='$libname.ixlibrary $libname.a'
- # Create ${libname}_ixlibrary.a entries in /sys/libs.
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
- ;;
-
-beos*)
- library_names_spec='${libname}${shared_ext}'
- dynamic_linker="$host_os ld.so"
- shlibpath_var=LIBRARY_PATH
- ;;
-
-bsdi[45]*)
- version_type=linux
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
- sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
- # the default ld.so.conf also contains /usr/contrib/lib and
- # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
- # libtool to hard-code these into programs
- ;;
-
-cygwin* | mingw* | pw32*)
- version_type=windows
- shrext_cmds=".dll"
- need_version=no
- need_lib_prefix=no
-
- case $GCC,$host_os in
- yes,cygwin* | yes,mingw* | yes,pw32*)
- library_names_spec='$libname.dll.a'
- # DLL is installed to $(libdir)/../bin by postinstall_cmds
- postinstall_cmds='base_file=`basename \${file}`~
- dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
- dldir=$destdir/`dirname \$dlpath`~
- test -d \$dldir || mkdir -p \$dldir~
- $install_prog $dir/$dlname \$dldir/$dlname'
- postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
- dlpath=$dir/\$dldll~
- $rm \$dlpath'
- shlibpath_overrides_runpath=yes
-
- case $host_os in
- cygwin*)
- # Cygwin DLLs use 'cyg' prefix rather than 'lib'
- soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
- ;;
- mingw*)
- # MinGW DLLs use traditional 'lib' prefix
- soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
- # It is most probably a Windows format PATH printed by
- # mingw gcc, but we are running on Cygwin. Gcc prints its search
- # path with ; separators, and with drive letters. We can handle the
- # drive letters (cygwin fileutils understands them), so leave them,
- # especially as we might pass files found there to a mingw objdump,
- # which wouldn't understand a cygwinified path. Ahh.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
- ;;
- pw32*)
- # pw32 DLLs use 'pw' prefix rather than 'lib'
- library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
- ;;
- esac
- ;;
-
- *)
- library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
- ;;
- esac
- dynamic_linker='Win32 ld.exe'
- # FIXME: first we should search . and the directory the executable is in
- shlibpath_var=PATH
- ;;
-
-darwin* | rhapsody*)
- dynamic_linker="$host_os dyld"
- version_type=darwin
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
- soname_spec='${libname}${release}${major}$shared_ext'
- shlibpath_overrides_runpath=yes
- shlibpath_var=DYLD_LIBRARY_PATH
- shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
- if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
- else
- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
- fi
- sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
- ;;
-
-dgux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-freebsd1*)
- dynamic_linker=no
- ;;
-
-kfreebsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-freebsd*)
- objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
- version_type=freebsd-$objformat
- case $version_type in
- freebsd-elf*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
- need_version=no
- need_lib_prefix=no
- ;;
- freebsd-*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
- need_version=yes
- ;;
- esac
- shlibpath_var=LD_LIBRARY_PATH
- case $host_os in
- freebsd2*)
- shlibpath_overrides_runpath=yes
- ;;
- freebsd3.01* | freebsdelf3.01*)
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
- *) # from 3.2 on
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- ;;
- esac
- ;;
-
-gnu*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- hardcode_into_libs=yes
- ;;
-
-hpux9* | hpux10* | hpux11*)
- # Give a soname corresponding to the major version so that dld.sl refuses to
- # link against other versions.
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- case "$host_cpu" in
- ia64*)
- shrext_cmds='.so'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.so"
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- if test "X$HPUX_IA64_MODE" = X32; then
- sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
- else
- sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
- fi
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- hppa*64*)
- shrext_cmds='.sl'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- *)
- shrext_cmds='.sl'
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=SHLIB_PATH
- shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
- esac
- # HP-UX runs *really* slowly unless shared libraries are mode 555.
- postinstall_cmds='chmod 555 $lib'
- ;;
-
-irix5* | irix6* | nonstopux*)
- case $host_os in
- nonstopux*) version_type=nonstopux ;;
- *)
- if test "$lt_cv_prog_gnu_ld" = yes; then
- version_type=linux
- else
- version_type=irix
- fi ;;
- esac
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
- case $host_os in
- irix5* | nonstopux*)
- libsuff= shlibsuff=
- ;;
- *)
- case $LD in # libtool.m4 will add one of these switches to LD
- *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
- libsuff= shlibsuff= libmagic=32-bit;;
- *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
- libsuff=32 shlibsuff=N32 libmagic=N32;;
- *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
- libsuff=64 shlibsuff=64 libmagic=64-bit;;
- *) libsuff= shlibsuff= libmagic=never-match;;
- esac
- ;;
- esac
- shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
- sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
- hardcode_into_libs=yes
- ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
- dynamic_linker=no
- ;;
-
-# This must be Linux ELF.
-linux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- # This implies no fast_install, which is unacceptable.
- # Some rework will be needed to allow for fast_install
- # before this can be enabled.
- hardcode_into_libs=yes
-
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
- # powerpc, because MkLinux only supported shared libraries with the
- # GNU dynamic linker. Since this was broken with cross compilers,
- # most powerpc-linux boxes support dynamic linking these days and
- # people can always --disable-shared, the test was removed, and we
- # assume the GNU/Linux dynamic linker is in use.
- dynamic_linker='GNU/Linux ld.so'
- ;;
-
-knetbsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-netbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- dynamic_linker='NetBSD (a.out) ld.so'
- else
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- dynamic_linker='NetBSD ld.elf_so'
- fi
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
-
-newsos6)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-nto-qnx*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-openbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- case $host_os in
- openbsd2.[89] | openbsd2.[89].*)
- shlibpath_overrides_runpath=no
- ;;
- *)
- shlibpath_overrides_runpath=yes
- ;;
- esac
- else
- shlibpath_overrides_runpath=yes
- fi
- ;;
-
-os2*)
- libname_spec='$name'
- shrext_cmds=".dll"
- need_lib_prefix=no
- library_names_spec='$libname${shared_ext} $libname.a'
- dynamic_linker='OS/2 ld.exe'
- shlibpath_var=LIBPATH
- ;;
-
-osf3* | osf4* | osf5*)
- version_type=osf
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
- sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
- ;;
-
-sco3.2v5*)
- version_type=osf
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-solaris*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- # ldd complains unless libraries are executable
- postinstall_cmds='chmod +x $lib'
- ;;
-
-sunos4*)
- version_type=sunos
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- if test "$with_gnu_ld" = yes; then
- need_lib_prefix=no
- fi
- need_version=yes
- ;;
-
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- case $host_vendor in
- sni)
- shlibpath_overrides_runpath=no
- need_lib_prefix=no
- export_dynamic_flag_spec='${wl}-Blargedynsym'
- runpath_var=LD_RUN_PATH
- ;;
- siemens)
- need_lib_prefix=no
- ;;
- motorola)
- need_lib_prefix=no
- need_version=no
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
- ;;
- esac
- ;;
-
-sysv4*MP*)
- if test -d /usr/nec ;then
- version_type=linux
- library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
- soname_spec='$libname${shared_ext}.$major'
- shlibpath_var=LD_LIBRARY_PATH
- fi
- ;;
-
-uts4*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-*)
- dynamic_linker=no
- ;;
-esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
-test "$dynamic_linker" = no && can_build_shared=no
-
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
-hardcode_action_F77=
-if test -n "$hardcode_libdir_flag_spec_F77" || \
- test -n "$runpath_var_F77" || \
- test "X$hardcode_automatic_F77" = "Xyes" ; then
-
- # We can hardcode non-existant directories.
- if test "$hardcode_direct_F77" != no &&
- # If the only mechanism to avoid hardcoding is shlibpath_var, we
- # have to relink, otherwise we might link with an installed library
- # when we should be linking with a yet-to-be-installed one
- ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, F77)" != no &&
- test "$hardcode_minus_L_F77" != no; then
- # Linking always hardcodes the temporary library directory.
- hardcode_action_F77=relink
- else
- # We can link without hardcoding, and we can hardcode nonexisting dirs.
- hardcode_action_F77=immediate
- fi
-else
- # We cannot hardcode anything, or else we can only hardcode existing
- # directories.
- hardcode_action_F77=unsupported
-fi
-echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
-echo "${ECHO_T}$hardcode_action_F77" >&6
-
-if test "$hardcode_action_F77" = relink; then
- # Fast installation is not supported
- enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
- test "$enable_shared" = no; then
- # Fast installation is not necessary
- enable_fast_install=needless
-fi
-
-striplib=
-old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
- test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
- test -z "$striplib" && striplib="$STRIP --strip-unneeded"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-# FIXME - insert some real tests, host_os isn't really good enough
- case $host_os in
- darwin*)
- if test -n "$STRIP" ; then
- striplib="$STRIP -x"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
- ;;
- *)
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ;;
- esac
-fi
-
-
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
- # See if we are running on zsh, and set the options which allow our commands through
- # without removal of \ escapes.
- if test -n "${ZSH_VERSION+set}" ; then
- setopt NO_GLOB_SUBST
- fi
- # Now quote all the things that may contain metacharacters while being
- # careful not to overquote the AC_SUBSTed values. We take copies of the
- # variables and quote the copies for generation of the libtool script.
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
- SED SHELL STRIP \
- libname_spec library_names_spec soname_spec extract_expsyms_cmds \
- old_striplib striplib file_magic_cmd finish_cmds finish_eval \
- deplibs_check_method reload_flag reload_cmds need_locks \
- lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
- lt_cv_sys_global_symbol_to_c_name_address \
- sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
- old_postinstall_cmds old_postuninstall_cmds \
- compiler_F77 \
- CC_F77 \
- LD_F77 \
- lt_prog_compiler_wl_F77 \
- lt_prog_compiler_pic_F77 \
- lt_prog_compiler_static_F77 \
- lt_prog_compiler_no_builtin_flag_F77 \
- export_dynamic_flag_spec_F77 \
- thread_safe_flag_spec_F77 \
- whole_archive_flag_spec_F77 \
- enable_shared_with_static_runtimes_F77 \
- old_archive_cmds_F77 \
- old_archive_from_new_cmds_F77 \
- predep_objects_F77 \
- postdep_objects_F77 \
- predeps_F77 \
- postdeps_F77 \
- compiler_lib_search_path_F77 \
- archive_cmds_F77 \
- archive_expsym_cmds_F77 \
- postinstall_cmds_F77 \
- postuninstall_cmds_F77 \
- old_archive_from_expsyms_cmds_F77 \
- allow_undefined_flag_F77 \
- no_undefined_flag_F77 \
- export_symbols_cmds_F77 \
- hardcode_libdir_flag_spec_F77 \
- hardcode_libdir_flag_spec_ld_F77 \
- hardcode_libdir_separator_F77 \
- hardcode_automatic_F77 \
- module_cmds_F77 \
- module_expsym_cmds_F77 \
- lt_cv_prog_compiler_c_o_F77 \
- exclude_expsyms_F77 \
- include_expsyms_F77; do
-
- case $var in
- old_archive_cmds_F77 | \
- old_archive_from_new_cmds_F77 | \
- archive_cmds_F77 | \
- archive_expsym_cmds_F77 | \
- module_cmds_F77 | \
- module_expsym_cmds_F77 | \
- old_archive_from_expsyms_cmds_F77 | \
- export_symbols_cmds_F77 | \
- extract_expsyms_cmds | reload_cmds | finish_cmds | \
- postinstall_cmds | postuninstall_cmds | \
- old_postinstall_cmds | old_postuninstall_cmds | \
- sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
- # Double-quote double-evaled strings.
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
- ;;
- *)
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
- ;;
- esac
- done
-
- case $lt_echo in
- *'\$0 --fallback-echo"')
- lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
- ;;
- esac
-
-cfgfile="$ofile"
-
- cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_F77
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_F77
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# A language-specific compiler.
-CC=$lt_compiler_F77
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_F77
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_F77
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_F77
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_F77
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77
-
-# Must we lock files when doing compilation ?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_F77
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_F77
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_F77
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_F77
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_F77
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names. First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_F77
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_F77
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_F77
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_F77
-archive_expsym_cmds=$lt_archive_expsym_cmds_F77
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_F77
-module_expsym_cmds=$lt_module_expsym_cmds_F77
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_F77
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_F77
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_F77
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_F77
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_F77
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_F77
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_F77
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_F77
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_F77
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_F77
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_F77
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_F77
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_F77
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_F77
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_F77
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_F77
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path="$fix_srcfile_path_F77"
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_F77
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_F77
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_F77
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_F77
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
- # If there is no Makefile yet, we rely on a make rule to execute
- # `config.status --recheck' to rerun these tests and create the
- # libtool script then.
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
- if test -f "$ltmain_in"; then
- test -f Makefile && make "$ltmain"
- fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
- else
- tagname=""
- fi
- ;;
-
- GCJ)
- if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
-
-
-
-# Source file extension for Java test sources.
-ac_ext=java
-
-# Object file extension for compiled Java test sources.
-objext=o
-objext_GCJ=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String argv) {}; }\n'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${GCJ-"gcj"}
-compiler=$CC
-compiler_GCJ=$CC
-
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-archive_cmds_need_lc_GCJ=no
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-
-lt_prog_compiler_no_builtin_flag_GCJ=
-
-if test "$GCC" = yes; then
- lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
-
-
-echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
-echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6
-if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_prog_compiler_rtti_exceptions=no
- ac_outfile=conftest.$ac_objext
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
- lt_compiler_flag="-fno-rtti -fno-exceptions"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- # The option is referenced via a variable to avoid confusing sed.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:18901: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>conftest.err)
- ac_status=$?
- cat conftest.err >&5
- echo "$as_me:18905: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s "$ac_outfile"; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s conftest.err; then
- lt_cv_prog_compiler_rtti_exceptions=yes
- fi
- fi
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6
-
-if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
- lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
-else
- :
-fi
-
-fi
-
-lt_prog_compiler_wl_GCJ=
-lt_prog_compiler_pic_GCJ=
-lt_prog_compiler_static_GCJ=
-
-echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
-echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
-
- if test "$GCC" = yes; then
- lt_prog_compiler_wl_GCJ='-Wl,'
- lt_prog_compiler_static_GCJ='-static'
-
- case $host_os in
- aix*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static_GCJ='-Bstatic'
- fi
- ;;
-
- amigaos*)
- # FIXME: we need at least 68020 code to build shared libraries, but
- # adding the `-m68020' flag to GCC prevents building anything better,
- # like `-m68040'.
- lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
- ;;
-
- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
- # PIC is the default for these OSes.
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
- ;;
-
- darwin* | rhapsody*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- lt_prog_compiler_pic_GCJ='-fno-common'
- ;;
-
- msdosdjgpp*)
- # Just because we use GCC doesn't mean we suddenly get shared libraries
- # on systems that don't support them.
- lt_prog_compiler_can_build_shared_GCJ=no
- enable_shared=no
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- lt_prog_compiler_pic_GCJ=-Kconform_pic
- fi
- ;;
-
- hpux*)
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- lt_prog_compiler_pic_GCJ='-fPIC'
- ;;
- esac
- ;;
-
- *)
- lt_prog_compiler_pic_GCJ='-fPIC'
- ;;
- esac
- else
- # PORTME Check for flag to pass linker flags through the system compiler.
- case $host_os in
- aix*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- lt_prog_compiler_static_GCJ='-Bstatic'
- else
- lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
- fi
- ;;
- darwin*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- case "$cc_basename" in
- xlc*)
- lt_prog_compiler_pic_GCJ='-qnocommon'
- lt_prog_compiler_wl_GCJ='-Wl,'
- ;;
- esac
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
- ;;
-
- hpux9* | hpux10* | hpux11*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- lt_prog_compiler_pic_GCJ='+Z'
- ;;
- esac
- # Is there a better lt_prog_compiler_static that works with the bundled CC?
- lt_prog_compiler_static_GCJ='${wl}-a ${wl}archive'
- ;;
-
- irix5* | irix6* | nonstopux*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- # PIC (with -KPIC) is the default.
- lt_prog_compiler_static_GCJ='-non_shared'
- ;;
-
- newsos6)
- lt_prog_compiler_pic_GCJ='-KPIC'
- lt_prog_compiler_static_GCJ='-Bstatic'
- ;;
-
- linux*)
- case $CC in
- icc* | ecc*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- lt_prog_compiler_pic_GCJ='-KPIC'
- lt_prog_compiler_static_GCJ='-static'
- ;;
- ccc*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- # All Alpha code is PIC.
- lt_prog_compiler_static_GCJ='-non_shared'
- ;;
- esac
- ;;
-
- osf3* | osf4* | osf5*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- # All OSF/1 code is PIC.
- lt_prog_compiler_static_GCJ='-non_shared'
- ;;
-
- sco3.2v5*)
- lt_prog_compiler_pic_GCJ='-Kpic'
- lt_prog_compiler_static_GCJ='-dn'
- ;;
-
- solaris*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- lt_prog_compiler_pic_GCJ='-KPIC'
- lt_prog_compiler_static_GCJ='-Bstatic'
- ;;
-
- sunos4*)
- lt_prog_compiler_wl_GCJ='-Qoption ld '
- lt_prog_compiler_pic_GCJ='-PIC'
- lt_prog_compiler_static_GCJ='-Bstatic'
- ;;
-
- sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- lt_prog_compiler_wl_GCJ='-Wl,'
- lt_prog_compiler_pic_GCJ='-KPIC'
- lt_prog_compiler_static_GCJ='-Bstatic'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec ;then
- lt_prog_compiler_pic_GCJ='-Kconform_pic'
- lt_prog_compiler_static_GCJ='-Bstatic'
- fi
- ;;
-
- uts4*)
- lt_prog_compiler_pic_GCJ='-pic'
- lt_prog_compiler_static_GCJ='-Bstatic'
- ;;
-
- *)
- lt_prog_compiler_can_build_shared_GCJ=no
- ;;
- esac
- fi
-
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$lt_prog_compiler_pic_GCJ"; then
-
-echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
-echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6
-if test "${lt_prog_compiler_pic_works_GCJ+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_prog_compiler_pic_works_GCJ=no
- ac_outfile=conftest.$ac_objext
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
- lt_compiler_flag="$lt_prog_compiler_pic_GCJ"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- # The option is referenced via a variable to avoid confusing sed.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:19144: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>conftest.err)
- ac_status=$?
- cat conftest.err >&5
- echo "$as_me:19148: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s "$ac_outfile"; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s conftest.err; then
- lt_prog_compiler_pic_works_GCJ=yes
- fi
- fi
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_GCJ" >&5
-echo "${ECHO_T}$lt_prog_compiler_pic_works_GCJ" >&6
-
-if test x"$lt_prog_compiler_pic_works_GCJ" = xyes; then
- case $lt_prog_compiler_pic_GCJ in
- "" | " "*) ;;
- *) lt_prog_compiler_pic_GCJ=" $lt_prog_compiler_pic_GCJ" ;;
- esac
-else
- lt_prog_compiler_pic_GCJ=
- lt_prog_compiler_can_build_shared_GCJ=no
-fi
-
-fi
-case "$host_os" in
- # For platforms which do not support PIC, -DPIC is meaningless:
- *djgpp*)
- lt_prog_compiler_pic_GCJ=
- ;;
- *)
- lt_prog_compiler_pic_GCJ="$lt_prog_compiler_pic_GCJ"
- ;;
-esac
-
-echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
-echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
-if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- lt_cv_prog_compiler_c_o_GCJ=no
- $rm -r conftest 2>/dev/null
- mkdir conftest
- cd conftest
- mkdir out
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- lt_compiler_flag="-o out/conftest2.$ac_objext"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:19204: $lt_compile\"" >&5)
- (eval "$lt_compile" 2>out/conftest.err)
- ac_status=$?
- cat out/conftest.err >&5
- echo "$as_me:19208: \$? = $ac_status" >&5
- if (exit $ac_status) && test -s out/conftest2.$ac_objext
- then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s out/conftest.err; then
- lt_cv_prog_compiler_c_o_GCJ=yes
- fi
- fi
- chmod u+w .
- $rm conftest*
- # SGI C++ compiler will create directory out/ii_files/ for
- # template instantiation
- test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
- $rm out/* && rmdir out
- cd ..
- rmdir conftest
- $rm conftest*
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
-echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6
-
-
-hard_links="nottested"
-if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
- # do not overwrite the value of need_locks provided by the user
- echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
-echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
- hard_links=yes
- $rm conftest*
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- touch conftest.a
- ln conftest.a conftest.b 2>&5 || hard_links=no
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- echo "$as_me:$LINENO: result: $hard_links" >&5
-echo "${ECHO_T}$hard_links" >&6
- if test "$hard_links" = no; then
- { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
-echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
- need_locks=warn
- fi
-else
- need_locks=no
-fi
-
-echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
-echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
-
- runpath_var=
- allow_undefined_flag_GCJ=
- enable_shared_with_static_runtimes_GCJ=no
- archive_cmds_GCJ=
- archive_expsym_cmds_GCJ=
- old_archive_From_new_cmds_GCJ=
- old_archive_from_expsyms_cmds_GCJ=
- export_dynamic_flag_spec_GCJ=
- whole_archive_flag_spec_GCJ=
- thread_safe_flag_spec_GCJ=
- hardcode_libdir_flag_spec_GCJ=
- hardcode_libdir_flag_spec_ld_GCJ=
- hardcode_libdir_separator_GCJ=
- hardcode_direct_GCJ=no
- hardcode_minus_L_GCJ=no
- hardcode_shlibpath_var_GCJ=unsupported
- link_all_deplibs_GCJ=unknown
- hardcode_automatic_GCJ=no
- module_cmds_GCJ=
- module_expsym_cmds_GCJ=
- always_export_symbols_GCJ=no
- export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- # include_expsyms should be a list of space-separated symbols to be *always*
- # included in the symbol list
- include_expsyms_GCJ=
- # exclude_expsyms can be an extended regexp of symbols to exclude
- # it will be wrapped by ` (' and `)$', so one must not match beginning or
- # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
- # as well as any symbol that contains `d'.
- exclude_expsyms_GCJ="_GLOBAL_OFFSET_TABLE_"
- # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
- # platforms (ab)use it in PIC code, but their linkers get confused if
- # the symbol is explicitly referenced. Since portable code cannot
- # rely on this symbol name, it's probably fine to never include it in
- # preloaded symbol tables.
- extract_expsyms_cmds=
-
- case $host_os in
- cygwin* | mingw* | pw32*)
- # FIXME: the MSVC++ port hasn't been tested in a loooong time
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- if test "$GCC" != yes; then
- with_gnu_ld=no
- fi
- ;;
- openbsd*)
- with_gnu_ld=no
- ;;
- esac
-
- ld_shlibs_GCJ=yes
- if test "$with_gnu_ld" = yes; then
- # If archive_cmds runs LD, not CC, wlarc should be empty
- wlarc='${wl}'
-
- # See if GNU ld supports shared libraries.
- case $host_os in
- aix3* | aix4* | aix5*)
- # On AIX/PPC, the GNU linker is very broken
- if test "$host_cpu" != ia64; then
- ld_shlibs_GCJ=no
- cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support. If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
- fi
- ;;
-
- amigaos*)
- archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_minus_L_GCJ=yes
-
- # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
- # that the semantics of dynamic libraries on AmigaOS, at least up
- # to version 4, is to share data among multiple programs linked
- # with the same dynamic library. Since this doesn't match the
- # behavior of shared libraries on other platforms, we can't use
- # them.
- ld_shlibs_GCJ=no
- ;;
-
- beos*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- allow_undefined_flag_GCJ=unsupported
- # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
- # support --undefined. This deserves some investigation. FIXME
- archive_cmds_GCJ='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- else
- ld_shlibs_GCJ=no
- fi
- ;;
-
- cygwin* | mingw* | pw32*)
- # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, GCJ) is actually meaningless,
- # as there is no search path for DLLs.
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- allow_undefined_flag_GCJ=unsupported
- always_export_symbols_GCJ=no
- enable_shared_with_static_runtimes_GCJ=yes
- export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
-
- if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
- archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- # If the export-symbols file already is a .def file (1st line
- # is EXPORTS), use it as is; otherwise, prepend...
- archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
- cp $export_symbols $output_objdir/$soname.def;
- else
- echo EXPORTS > $output_objdir/$soname.def;
- cat $export_symbols >> $output_objdir/$soname.def;
- fi~
- $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- else
- ld_shlibs=no
- fi
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
- wlarc=
- else
- archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- fi
- ;;
-
- solaris* | sysv5*)
- if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
- ld_shlibs_GCJ=no
- cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems. Therefore, libtool
-*** is disabling shared libraries support. We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer. Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
- elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- ld_shlibs_GCJ=no
- fi
- ;;
-
- sunos4*)
- archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- wlarc=
- hardcode_direct_GCJ=yes
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- linux*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_cmds_GCJ="$tmp_archive_cmds"
- supports_anon_versioning=no
- case `$LD -v 2>/dev/null` in
- *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
- *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
- *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
- *\ 2.11.*) ;; # other 2.11 versions
- *) supports_anon_versioning=yes ;;
- esac
- if test $supports_anon_versioning = yes; then
- archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
- $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
- else
- archive_expsym_cmds_GCJ="$tmp_archive_cmds"
- fi
- else
- ld_shlibs_GCJ=no
- fi
- ;;
-
- *)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- ld_shlibs_GCJ=no
- fi
- ;;
- esac
-
- if test "$ld_shlibs_GCJ" = yes; then
- runpath_var=LD_RUN_PATH
- hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
- export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
- # ancient GNU ld didn't support --whole-archive et. al.
- if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- else
- whole_archive_flag_spec_GCJ=
- fi
- fi
- else
- # PORTME fill in a description of your system's linker (not GNU ld)
- case $host_os in
- aix3*)
- allow_undefined_flag_GCJ=unsupported
- always_export_symbols_GCJ=yes
- archive_expsym_cmds_GCJ='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
- # Note: this linker hardcodes the directories in LIBPATH if there
- # are no directories specified by -L.
- hardcode_minus_L_GCJ=yes
- if test "$GCC" = yes && test -z "$link_static_flag"; then
- # Neither direct hardcoding nor static linking is supported with a
- # broken collect2.
- hardcode_direct_GCJ=unsupported
- fi
- ;;
-
- aix4* | aix5*)
- if test "$host_cpu" = ia64; then
- # On IA64, the linker does run time linking by default, so we don't
- # have to do anything special.
- aix_use_runtimelinking=no
- exp_sym_flag='-Bexport'
- no_entry_flag=""
- else
- # If we're using GNU nm, then we don't want the "-C" option.
- # -C means demangle to AIX nm, but means don't demangle with GNU nm
- if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
- export_symbols_cmds_GCJ='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- else
- export_symbols_cmds_GCJ='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
- fi
- aix_use_runtimelinking=no
-
- # Test if we are trying to use run time linking or normal
- # AIX style linking. If -brtl is somewhere in LDFLAGS, we
- # need to do runtime linking.
- case $host_os in aix4.[23]|aix4.[23].*|aix5*)
- for ld_flag in $LDFLAGS; do
- if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
- aix_use_runtimelinking=yes
- break
- fi
- done
- esac
-
- exp_sym_flag='-bexport'
- no_entry_flag='-bnoentry'
- fi
-
- # When large executables or shared objects are built, AIX ld can
- # have problems creating the table of contents. If linking a library
- # or program results in "error TOC overflow" add -mminimal-toc to
- # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
- # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
- archive_cmds_GCJ=''
- hardcode_direct_GCJ=yes
- hardcode_libdir_separator_GCJ=':'
- link_all_deplibs_GCJ=yes
-
- if test "$GCC" = yes; then
- case $host_os in aix4.012|aix4.012.*)
- # We only want to do this on AIX 4.2 and lower, the check
- # below for broken collect2 doesn't work under 4.3+
- collect2name=`${CC} -print-prog-name=collect2`
- if test -f "$collect2name" && \
- strings "$collect2name" | grep resolve_lib_name >/dev/null
- then
- # We have reworked collect2
- hardcode_direct_GCJ=yes
- else
- # We have old collect2
- hardcode_direct_GCJ=unsupported
- # It fails to find uninstalled libraries when the uninstalled
- # path is not listed in the libpath. Setting hardcode_minus_L
- # to unsupported forces relinking
- hardcode_minus_L_GCJ=yes
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_libdir_separator_GCJ=
- fi
- esac
- shared_flag='-shared'
- else
- # not using gcc
- if test "$host_cpu" = ia64; then
- # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
- # chokes on -Wl,-G. The following line is correct:
- shared_flag='-G'
- else
- if test "$aix_use_runtimelinking" = yes; then
- shared_flag='${wl}-G'
- else
- shared_flag='${wl}-bM:SRE'
- fi
- fi
- fi
-
- # It seems that -bexpall does not export symbols beginning with
- # underscore (_), so it is better to generate a list of symbols to export.
- always_export_symbols_GCJ=yes
- if test "$aix_use_runtimelinking" = yes; then
- # Warning - without using the other runtime loading flags (-brtl),
- # -berok will link without error, but may produce a broken library.
- allow_undefined_flag_GCJ='-berok'
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
- archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
- else
- if test "$host_cpu" = ia64; then
- hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib'
- allow_undefined_flag_GCJ="-z nodefs"
- archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
- else
- # Determine the default libpath from the value encoded in an empty executable.
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-
- hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
- # Warning - without using the other run time loading flags,
- # -berok will link without error, but may produce a broken library.
- no_undefined_flag_GCJ=' ${wl}-bernotok'
- allow_undefined_flag_GCJ=' ${wl}-berok'
- # -bexpall does not export symbols beginning with underscore (_)
- always_export_symbols_GCJ=yes
- # Exported symbols can be pulled into shared objects from archives
- whole_archive_flag_spec_GCJ=' '
- archive_cmds_need_lc_GCJ=yes
- # This is similar to how AIX traditionally builds it's shared libraries.
- archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
- fi
- fi
- ;;
-
- amigaos*)
- archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_minus_L_GCJ=yes
- # see comment about different semantics on the GNU ld section
- ld_shlibs_GCJ=no
- ;;
-
- bsdi[45]*)
- export_dynamic_flag_spec_GCJ=-rdynamic
- ;;
-
- cygwin* | mingw* | pw32*)
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- # hardcode_libdir_flag_spec is actually meaningless, as there is
- # no search path for DLLs.
- hardcode_libdir_flag_spec_GCJ=' '
- allow_undefined_flag_GCJ=unsupported
- # Tell ltmain to make .lib files, not .a files.
- libext=lib
- # Tell ltmain to make .dll files, not .so files.
- shrext_cmds=".dll"
- # FIXME: Setting linknames here is a bad hack.
- archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
- # The linker will automatically build a .lib file if we build a DLL.
- old_archive_From_new_cmds_GCJ='true'
- # FIXME: Should let the user specify the lib program.
- old_archive_cmds_GCJ='lib /OUT:$oldlib$oldobjs$old_deplibs'
- fix_srcfile_path='`cygpath -w "$srcfile"`'
- enable_shared_with_static_runtimes_GCJ=yes
- ;;
-
- darwin* | rhapsody*)
- case "$host_os" in
- rhapsody* | darwin1.[012])
- allow_undefined_flag_GCJ='${wl}-undefined ${wl}suppress'
- ;;
- *) # Darwin 1.3 on
- if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
- allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- else
- case ${MACOSX_DEPLOYMENT_TARGET} in
- 10.[012])
- allow_undefined_flag_GCJ='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- ;;
- 10.*)
- allow_undefined_flag_GCJ='${wl}-undefined ${wl}dynamic_lookup'
- ;;
- esac
- fi
- ;;
- esac
- archive_cmds_need_lc_GCJ=no
- hardcode_direct_GCJ=no
- hardcode_automatic_GCJ=yes
- hardcode_shlibpath_var_GCJ=unsupported
- whole_archive_flag_spec_GCJ=''
- link_all_deplibs_GCJ=yes
- if test "$GCC" = yes ; then
- output_verbose_link_cmd='echo'
- archive_cmds_GCJ='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- case "$cc_basename" in
- xlc*)
- output_verbose_link_cmd='echo'
- archive_cmds_GCJ='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
- module_cmds_GCJ='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- ;;
- *)
- ld_shlibs_GCJ=no
- ;;
- esac
- fi
- ;;
-
- dgux*)
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- freebsd1*)
- ld_shlibs_GCJ=no
- ;;
-
- # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
- # support. Future versions do this automatically, but an explicit c++rt0.o
- # does not break anything, and helps significantly (at the cost of a little
- # extra space).
- freebsd2.2*)
- archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
- hardcode_libdir_flag_spec_GCJ='-R$libdir'
- hardcode_direct_GCJ=yes
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- # Unfortunately, older versions of FreeBSD 2 do not have this feature.
- freebsd2*)
- archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_GCJ=yes
- hardcode_minus_L_GCJ=yes
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
- freebsd* | kfreebsd*-gnu)
- archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec_GCJ='-R$libdir'
- hardcode_direct_GCJ=yes
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- hpux9*)
- if test "$GCC" = yes; then
- archive_cmds_GCJ='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- else
- archive_cmds_GCJ='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- fi
- hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator_GCJ=:
- hardcode_direct_GCJ=yes
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L_GCJ=yes
- export_dynamic_flag_spec_GCJ='${wl}-E'
- ;;
-
- hpux10* | hpux11*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*|ia64*)
- archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- *)
- archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- esac
- else
- case "$host_cpu" in
- hppa*64*|ia64*)
- archive_cmds_GCJ='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
- ;;
- *)
- archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
- ;;
- esac
- fi
- if test "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*)
- hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
- hardcode_libdir_flag_spec_ld_GCJ='+b $libdir'
- hardcode_libdir_separator_GCJ=:
- hardcode_direct_GCJ=no
- hardcode_shlibpath_var_GCJ=no
- ;;
- ia64*)
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_direct_GCJ=no
- hardcode_shlibpath_var_GCJ=no
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L_GCJ=yes
- ;;
- *)
- hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
- hardcode_libdir_separator_GCJ=:
- hardcode_direct_GCJ=yes
- export_dynamic_flag_spec_GCJ='${wl}-E'
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- hardcode_minus_L_GCJ=yes
- ;;
- esac
- fi
- ;;
-
- irix5* | irix6* | nonstopux*)
- if test "$GCC" = yes; then
- archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- archive_cmds_GCJ='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- hardcode_libdir_flag_spec_ld_GCJ='-rpath $libdir'
- fi
- hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_GCJ=:
- link_all_deplibs_GCJ=yes
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
- else
- archive_cmds_GCJ='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
- fi
- hardcode_libdir_flag_spec_GCJ='-R$libdir'
- hardcode_direct_GCJ=yes
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- newsos6)
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_GCJ=yes
- hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_GCJ=:
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- openbsd*)
- hardcode_direct_GCJ=yes
- hardcode_shlibpath_var_GCJ=no
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- archive_expsym_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
- hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
- export_dynamic_flag_spec_GCJ='${wl}-E'
- else
- case $host_os in
- openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
- archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec_GCJ='-R$libdir'
- ;;
- *)
- archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
- ;;
- esac
- fi
- ;;
-
- os2*)
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_minus_L_GCJ=yes
- allow_undefined_flag_GCJ=unsupported
- archive_cmds_GCJ='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
- old_archive_From_new_cmds_GCJ='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
- ;;
-
- osf3*)
- if test "$GCC" = yes; then
- allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- allow_undefined_flag_GCJ=' -expect_unresolved \*'
- archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- fi
- hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
- hardcode_libdir_separator_GCJ=:
- ;;
-
- osf4* | osf5*) # as osf3* with the addition of -msym flag
- if test "$GCC" = yes; then
- allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
- archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
- else
- allow_undefined_flag_GCJ=' -expect_unresolved \*'
- archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
- $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
-
- # Both c and cxx compiler support -rpath directly
- hardcode_libdir_flag_spec_GCJ='-rpath $libdir'
- fi
- hardcode_libdir_separator_GCJ=:
- ;;
-
- sco3.2v5*)
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var_GCJ=no
- export_dynamic_flag_spec_GCJ='${wl}-Bexport'
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ;;
-
- solaris*)
- no_undefined_flag_GCJ=' -z text'
- if test "$GCC" = yes; then
- archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
- else
- archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- fi
- hardcode_libdir_flag_spec_GCJ='-R$libdir'
- hardcode_shlibpath_var_GCJ=no
- case $host_os in
- solaris2.[0-5] | solaris2.[0-5].*) ;;
- *) # Supported since Solaris 2.6 (maybe 2.5.1?)
- whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;;
- esac
- link_all_deplibs_GCJ=yes
- ;;
-
- sunos4*)
- if test "x$host_vendor" = xsequent; then
- # Use $CC to link under sequent, because it throws in some extra .o
- # files that make .init and .fini sections work.
- archive_cmds_GCJ='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- archive_cmds_GCJ='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
- fi
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_direct_GCJ=yes
- hardcode_minus_L_GCJ=yes
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- sysv4)
- case $host_vendor in
- sni)
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_GCJ=yes # is this really true???
- ;;
- siemens)
- ## LD is ld it makes a PLAMLIB
- ## CC just makes a GrossModule.
- archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- reload_cmds_GCJ='$CC -r -o $output$reload_objs'
- hardcode_direct_GCJ=no
- ;;
- motorola)
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_GCJ=no #Motorola manual says yes, but my tests say they lie
- ;;
- esac
- runpath_var='LD_RUN_PATH'
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- sysv4.3*)
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var_GCJ=no
- export_dynamic_flag_spec_GCJ='-Bexport'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_shlibpath_var_GCJ=no
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ld_shlibs_GCJ=yes
- fi
- ;;
-
- sysv4.2uw2*)
- archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- hardcode_direct_GCJ=yes
- hardcode_minus_L_GCJ=no
- hardcode_shlibpath_var_GCJ=no
- hardcode_runpath_var=yes
- runpath_var=LD_RUN_PATH
- ;;
-
- sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
- no_undefined_flag_GCJ='${wl}-z ${wl}text'
- if test "$GCC" = yes; then
- archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- archive_cmds_GCJ='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- fi
- runpath_var='LD_RUN_PATH'
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- sysv5*)
- no_undefined_flag_GCJ=' -z text'
- # $CC -shared without GNU ld will not create a library from C++
- # object files and a static libstdc++, better avoid it by now
- archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- hardcode_libdir_flag_spec_GCJ=
- hardcode_shlibpath_var_GCJ=no
- runpath_var='LD_RUN_PATH'
- ;;
-
- uts4*)
- archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- hardcode_libdir_flag_spec_GCJ='-L$libdir'
- hardcode_shlibpath_var_GCJ=no
- ;;
-
- *)
- ld_shlibs_GCJ=no
- ;;
- esac
- fi
-
-echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
-echo "${ECHO_T}$ld_shlibs_GCJ" >&6
-test "$ld_shlibs_GCJ" = no && can_build_shared=no
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
- variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$archive_cmds_need_lc_GCJ" in
-x|xyes)
- # Assume -lc should be added
- archive_cmds_need_lc_GCJ=yes
-
- if test "$enable_shared" = yes && test "$GCC" = yes; then
- case $archive_cmds_GCJ in
- *'~'*)
- # FIXME: we may have to deal with multi-command sequences.
- ;;
- '$CC '*)
- # Test whether the compiler implicitly links with -lc since on some
- # systems, -lgcc has to come before -lc. If gcc already passes -lc
- # to ld, don't add -lc before -lgcc.
- echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
-echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
- $rm conftest*
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } 2>conftest.err; then
- soname=conftest
- lib=conftest
- libobjs=conftest.$ac_objext
- deplibs=
- wl=$lt_prog_compiler_wl_GCJ
- compiler_flags=-v
- linker_flags=-v
- verstring=
- output_objdir=.
- libname=conftest
- lt_save_allow_undefined_flag=$allow_undefined_flag_GCJ
- allow_undefined_flag_GCJ=
- if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
- (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }
- then
- archive_cmds_need_lc_GCJ=no
- else
- archive_cmds_need_lc_GCJ=yes
- fi
- allow_undefined_flag_GCJ=$lt_save_allow_undefined_flag
- else
- cat conftest.err 1>&5
- fi
- $rm conftest*
- echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
-echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6
- ;;
- esac
- fi
- ;;
-esac
-
-echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
-echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
- # if the path contains ";" then we assume it to be the separator
- # otherwise default to the standard path separator (i.e. ":") - it is
- # assumed that no part of a normal pathname contains ";" but that should
- # okay in the real world where ";" in dirpaths is itself problematic.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
-else
- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
- shlibpath_var=LIBPATH
-
- # AIX 3 has no versioning support, so we append a major version to the name.
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
-
-aix4* | aix5*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- hardcode_into_libs=yes
- if test "$host_cpu" = ia64; then
- # AIX 5 supports IA64
- library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- else
- # With GCC up to 2.95.x, collect2 would create an import file
- # for dependence libraries. The import file would start with
- # the line `#! .'. This would cause the generated library to
- # depend on `.', always an invalid library. This was fixed in
- # development snapshots of GCC prior to 3.0.
- case $host_os in
- aix4 | aix4.[01] | aix4.[01].*)
- if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
- echo ' yes '
- echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
- :
- else
- can_build_shared=no
- fi
- ;;
- esac
- # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
- # soname into executable. Probably we can add versioning support to
- # collect2, so additional links can be useful in future.
- if test "$aix_use_runtimelinking" = yes; then
- # If using run time linking (on AIX 4.2 or later) use lib<name>.so
- # instead of lib<name>.a to let people know that these are not
- # typical AIX shared libraries.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- else
- # We preserve .a as extension for shared libraries through AIX4.2
- # and later when we are not doing run time linking.
- library_names_spec='${libname}${release}.a $libname.a'
- soname_spec='${libname}${release}${shared_ext}$major'
- fi
- shlibpath_var=LIBPATH
- fi
- ;;
-
-amigaos*)
- library_names_spec='$libname.ixlibrary $libname.a'
- # Create ${libname}_ixlibrary.a entries in /sys/libs.
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
- ;;
-
-beos*)
- library_names_spec='${libname}${shared_ext}'
- dynamic_linker="$host_os ld.so"
- shlibpath_var=LIBRARY_PATH
- ;;
-
-bsdi[45]*)
- version_type=linux
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
- sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
- # the default ld.so.conf also contains /usr/contrib/lib and
- # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
- # libtool to hard-code these into programs
- ;;
-
-cygwin* | mingw* | pw32*)
- version_type=windows
- shrext_cmds=".dll"
- need_version=no
- need_lib_prefix=no
-
- case $GCC,$host_os in
- yes,cygwin* | yes,mingw* | yes,pw32*)
- library_names_spec='$libname.dll.a'
- # DLL is installed to $(libdir)/../bin by postinstall_cmds
- postinstall_cmds='base_file=`basename \${file}`~
- dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
- dldir=$destdir/`dirname \$dlpath`~
- test -d \$dldir || mkdir -p \$dldir~
- $install_prog $dir/$dlname \$dldir/$dlname'
- postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
- dlpath=$dir/\$dldll~
- $rm \$dlpath'
- shlibpath_overrides_runpath=yes
-
- case $host_os in
- cygwin*)
- # Cygwin DLLs use 'cyg' prefix rather than 'lib'
- soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
- ;;
- mingw*)
- # MinGW DLLs use traditional 'lib' prefix
- soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
- # It is most probably a Windows format PATH printed by
- # mingw gcc, but we are running on Cygwin. Gcc prints its search
- # path with ; separators, and with drive letters. We can handle the
- # drive letters (cygwin fileutils understands them), so leave them,
- # especially as we might pass files found there to a mingw objdump,
- # which wouldn't understand a cygwinified path. Ahh.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
- ;;
- pw32*)
- # pw32 DLLs use 'pw' prefix rather than 'lib'
- library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
- ;;
- esac
- ;;
-
- *)
- library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
- ;;
- esac
- dynamic_linker='Win32 ld.exe'
- # FIXME: first we should search . and the directory the executable is in
- shlibpath_var=PATH
- ;;
-
-darwin* | rhapsody*)
- dynamic_linker="$host_os dyld"
- version_type=darwin
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
- soname_spec='${libname}${release}${major}$shared_ext'
- shlibpath_overrides_runpath=yes
- shlibpath_var=DYLD_LIBRARY_PATH
- shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
- if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
- else
- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
- fi
- sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
- ;;
-
-dgux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-freebsd1*)
- dynamic_linker=no
- ;;
-
-kfreebsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-freebsd*)
- objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
- version_type=freebsd-$objformat
- case $version_type in
- freebsd-elf*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
- need_version=no
- need_lib_prefix=no
- ;;
- freebsd-*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
- need_version=yes
- ;;
- esac
- shlibpath_var=LD_LIBRARY_PATH
- case $host_os in
- freebsd2*)
- shlibpath_overrides_runpath=yes
- ;;
- freebsd3.01* | freebsdelf3.01*)
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
- *) # from 3.2 on
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- ;;
- esac
- ;;
-
-gnu*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- hardcode_into_libs=yes
- ;;
-
-hpux9* | hpux10* | hpux11*)
- # Give a soname corresponding to the major version so that dld.sl refuses to
- # link against other versions.
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- case "$host_cpu" in
- ia64*)
- shrext_cmds='.so'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.so"
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- if test "X$HPUX_IA64_MODE" = X32; then
- sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
- else
- sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
- fi
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- hppa*64*)
- shrext_cmds='.sl'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- *)
- shrext_cmds='.sl'
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=SHLIB_PATH
- shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
- esac
- # HP-UX runs *really* slowly unless shared libraries are mode 555.
- postinstall_cmds='chmod 555 $lib'
- ;;
-
-irix5* | irix6* | nonstopux*)
- case $host_os in
- nonstopux*) version_type=nonstopux ;;
- *)
- if test "$lt_cv_prog_gnu_ld" = yes; then
- version_type=linux
- else
- version_type=irix
- fi ;;
- esac
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
- case $host_os in
- irix5* | nonstopux*)
- libsuff= shlibsuff=
- ;;
- *)
- case $LD in # libtool.m4 will add one of these switches to LD
- *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
- libsuff= shlibsuff= libmagic=32-bit;;
- *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
- libsuff=32 shlibsuff=N32 libmagic=N32;;
- *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
- libsuff=64 shlibsuff=64 libmagic=64-bit;;
- *) libsuff= shlibsuff= libmagic=never-match;;
- esac
- ;;
- esac
- shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
- sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
- hardcode_into_libs=yes
- ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
- dynamic_linker=no
- ;;
-
-# This must be Linux ELF.
-linux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- # This implies no fast_install, which is unacceptable.
- # Some rework will be needed to allow for fast_install
- # before this can be enabled.
- hardcode_into_libs=yes
-
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
- # powerpc, because MkLinux only supported shared libraries with the
- # GNU dynamic linker. Since this was broken with cross compilers,
- # most powerpc-linux boxes support dynamic linking these days and
- # people can always --disable-shared, the test was removed, and we
- # assume the GNU/Linux dynamic linker is in use.
- dynamic_linker='GNU/Linux ld.so'
- ;;
-
-knetbsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-netbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- dynamic_linker='NetBSD (a.out) ld.so'
- else
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- dynamic_linker='NetBSD ld.elf_so'
- fi
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
-
-newsos6)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-nto-qnx*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-openbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- case $host_os in
- openbsd2.[89] | openbsd2.[89].*)
- shlibpath_overrides_runpath=no
- ;;
- *)
- shlibpath_overrides_runpath=yes
- ;;
- esac
- else
- shlibpath_overrides_runpath=yes
- fi
- ;;
-
-os2*)
- libname_spec='$name'
- shrext_cmds=".dll"
- need_lib_prefix=no
- library_names_spec='$libname${shared_ext} $libname.a'
- dynamic_linker='OS/2 ld.exe'
- shlibpath_var=LIBPATH
- ;;
-
-osf3* | osf4* | osf5*)
- version_type=osf
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
- sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
- ;;
-
-sco3.2v5*)
- version_type=osf
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-solaris*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- # ldd complains unless libraries are executable
- postinstall_cmds='chmod +x $lib'
- ;;
-
-sunos4*)
- version_type=sunos
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- if test "$with_gnu_ld" = yes; then
- need_lib_prefix=no
- fi
- need_version=yes
- ;;
-
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- case $host_vendor in
- sni)
- shlibpath_overrides_runpath=no
- need_lib_prefix=no
- export_dynamic_flag_spec='${wl}-Blargedynsym'
- runpath_var=LD_RUN_PATH
- ;;
- siemens)
- need_lib_prefix=no
- ;;
- motorola)
- need_lib_prefix=no
- need_version=no
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
- ;;
- esac
- ;;
-
-sysv4*MP*)
- if test -d /usr/nec ;then
- version_type=linux
- library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
- soname_spec='$libname${shared_ext}.$major'
- shlibpath_var=LD_LIBRARY_PATH
- fi
- ;;
-
-uts4*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-*)
- dynamic_linker=no
- ;;
-esac
-echo "$as_me:$LINENO: result: $dynamic_linker" >&5
-echo "${ECHO_T}$dynamic_linker" >&6
-test "$dynamic_linker" = no && can_build_shared=no
-
-echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
-echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
-hardcode_action_GCJ=
-if test -n "$hardcode_libdir_flag_spec_GCJ" || \
- test -n "$runpath_var_GCJ" || \
- test "X$hardcode_automatic_GCJ" = "Xyes" ; then
-
- # We can hardcode non-existant directories.
- if test "$hardcode_direct_GCJ" != no &&
- # If the only mechanism to avoid hardcoding is shlibpath_var, we
- # have to relink, otherwise we might link with an installed library
- # when we should be linking with a yet-to-be-installed one
- ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, GCJ)" != no &&
- test "$hardcode_minus_L_GCJ" != no; then
- # Linking always hardcodes the temporary library directory.
- hardcode_action_GCJ=relink
- else
- # We can link without hardcoding, and we can hardcode nonexisting dirs.
- hardcode_action_GCJ=immediate
- fi
-else
- # We cannot hardcode anything, or else we can only hardcode existing
- # directories.
- hardcode_action_GCJ=unsupported
-fi
-echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
-echo "${ECHO_T}$hardcode_action_GCJ" >&6
-
-if test "$hardcode_action_GCJ" = relink; then
- # Fast installation is not supported
- enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
- test "$enable_shared" = no; then
- # Fast installation is not necessary
- enable_fast_install=needless
-fi
-
-striplib=
-old_striplib=
-echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
-echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
- test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
- test -z "$striplib" && striplib="$STRIP --strip-unneeded"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
-# FIXME - insert some real tests, host_os isn't really good enough
- case $host_os in
- darwin*)
- if test -n "$STRIP" ; then
- striplib="$STRIP -x"
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
- ;;
- *)
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ;;
- esac
-fi
-
-if test "x$enable_dlopen" != xyes; then
- enable_dlopen=unknown
- enable_dlopen_self=unknown
- enable_dlopen_self_static=unknown
-else
- lt_cv_dlopen=no
- lt_cv_dlopen_libs=
-
- case $host_os in
- beos*)
- lt_cv_dlopen="load_add_on"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
- ;;
-
- mingw* | pw32*)
- lt_cv_dlopen="LoadLibrary"
- lt_cv_dlopen_libs=
- ;;
-
- cygwin*)
- lt_cv_dlopen="dlopen"
- lt_cv_dlopen_libs=
- ;;
-
- darwin*)
- # if libdl is installed we need to link against it
- echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dl_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
-
- lt_cv_dlopen="dyld"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
-
-fi
-
- ;;
-
- *)
- echo "$as_me:$LINENO: checking for shl_load" >&5
-echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
-if test "${ac_cv_func_shl_load+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define shl_load innocuous_shl_load
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char shl_load (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef shl_load
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char shl_load ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_shl_load) || defined (__stub___shl_load)
-choke me
-#else
-char (*f) () = shl_load;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != shl_load;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_shl_load=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
-echo "${ECHO_T}$ac_cv_func_shl_load" >&6
-if test $ac_cv_func_shl_load = yes; then
- lt_cv_dlopen="shl_load"
-else
- echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
-echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_shl_load+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char shl_load ();
-int
-main ()
-{
-shl_load ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dld_shl_load=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_shl_load=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
-if test $ac_cv_lib_dld_shl_load = yes; then
- lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
-else
- echo "$as_me:$LINENO: checking for dlopen" >&5
-echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
-if test "${ac_cv_func_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define dlopen innocuous_dlopen
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char dlopen (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef dlopen
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_dlopen) || defined (__stub___dlopen)
-choke me
-#else
-char (*f) () = dlopen;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != dlopen;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
-echo "${ECHO_T}$ac_cv_func_dlopen" >&6
-if test $ac_cv_func_dlopen = yes; then
- lt_cv_dlopen="dlopen"
-else
- echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
-echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
-if test "${ac_cv_lib_dl_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldl $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dl_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dl_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
-if test $ac_cv_lib_dl_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
-else
- echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
-echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
-if test "${ac_cv_lib_svld_dlopen+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-lsvld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dlopen ();
-int
-main ()
-{
-dlopen ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_svld_dlopen=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_svld_dlopen=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
-echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
-if test $ac_cv_lib_svld_dlopen = yes; then
- lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
-else
- echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
-echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
-if test "${ac_cv_lib_dld_dld_link+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- ac_check_lib_save_LIBS=$LIBS
-LIBS="-ldld $LIBS"
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char dld_link ();
-int
-main ()
-{
-dld_link ();
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_lib_dld_dld_link=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_lib_dld_dld_link=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
-echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
-if test $ac_cv_lib_dld_dld_link = yes; then
- lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
-
-fi
-
- ;;
- esac
-
- if test "x$lt_cv_dlopen" != xno; then
- enable_dlopen=yes
- else
- enable_dlopen=no
- fi
-
- case $lt_cv_dlopen in
- dlopen)
- save_CPPFLAGS="$CPPFLAGS"
- test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
- save_LDFLAGS="$LDFLAGS"
- eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
- save_LIBS="$LIBS"
- LIBS="$lt_cv_dlopen_libs $LIBS"
-
- echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
-echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test "$cross_compiling" = yes; then :
- lt_cv_dlopen_self=cross
-else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<EOF
-#line 21389 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-# define LT_DLGLOBAL RTLD_GLOBAL
-#else
-# ifdef DL_GLOBAL
-# define LT_DLGLOBAL DL_GLOBAL
-# else
-# define LT_DLGLOBAL 0
-# endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
- find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-# ifdef RTLD_LAZY
-# define LT_DLLAZY_OR_NOW RTLD_LAZY
-# else
-# ifdef DL_LAZY
-# define LT_DLLAZY_OR_NOW DL_LAZY
-# else
-# ifdef RTLD_NOW
-# define LT_DLLAZY_OR_NOW RTLD_NOW
-# else
-# ifdef DL_NOW
-# define LT_DLLAZY_OR_NOW DL_NOW
-# else
-# define LT_DLLAZY_OR_NOW 0
-# endif
-# endif
-# endif
-# endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
- void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
- int status = $lt_dlunknown;
-
- if (self)
- {
- if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
- /* dlclose (self); */
- }
-
- exit (status);
-}
-EOF
- if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
- (./conftest; exit; ) 2>/dev/null
- lt_status=$?
- case x$lt_status in
- x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
- x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
- x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
- esac
- else :
- # compilation failed
- lt_cv_dlopen_self=no
- fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self" >&6
-
- if test "x$lt_cv_dlopen_self" = xyes; then
- LDFLAGS="$LDFLAGS $link_static_flag"
- echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
-echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
-if test "${lt_cv_dlopen_self_static+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- if test "$cross_compiling" = yes; then :
- lt_cv_dlopen_self_static=cross
-else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<EOF
-#line 21487 "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-# define LT_DLGLOBAL RTLD_GLOBAL
-#else
-# ifdef DL_GLOBAL
-# define LT_DLGLOBAL DL_GLOBAL
-# else
-# define LT_DLGLOBAL 0
-# endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
- find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-# ifdef RTLD_LAZY
-# define LT_DLLAZY_OR_NOW RTLD_LAZY
-# else
-# ifdef DL_LAZY
-# define LT_DLLAZY_OR_NOW DL_LAZY
-# else
-# ifdef RTLD_NOW
-# define LT_DLLAZY_OR_NOW RTLD_NOW
-# else
-# ifdef DL_NOW
-# define LT_DLLAZY_OR_NOW DL_NOW
-# else
-# define LT_DLLAZY_OR_NOW 0
-# endif
-# endif
-# endif
-# endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
- void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
- int status = $lt_dlunknown;
-
- if (self)
- {
- if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
- /* dlclose (self); */
- }
-
- exit (status);
-}
-EOF
- if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
- (./conftest; exit; ) 2>/dev/null
- lt_status=$?
- case x$lt_status in
- x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
- x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
- x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
- esac
- else :
- # compilation failed
- lt_cv_dlopen_self_static=no
- fi
-fi
-rm -fr conftest*
-
-
-fi
-echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
-echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
- fi
-
- CPPFLAGS="$save_CPPFLAGS"
- LDFLAGS="$save_LDFLAGS"
- LIBS="$save_LIBS"
- ;;
- esac
-
- case $lt_cv_dlopen_self in
- yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
- *) enable_dlopen_self=unknown ;;
- esac
-
- case $lt_cv_dlopen_self_static in
- yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
- *) enable_dlopen_self_static=unknown ;;
- esac
-fi
-
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
- # See if we are running on zsh, and set the options which allow our commands through
- # without removal of \ escapes.
- if test -n "${ZSH_VERSION+set}" ; then
- setopt NO_GLOB_SUBST
- fi
- # Now quote all the things that may contain metacharacters while being
- # careful not to overquote the AC_SUBSTed values. We take copies of the
- # variables and quote the copies for generation of the libtool script.
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
- SED SHELL STRIP \
- libname_spec library_names_spec soname_spec extract_expsyms_cmds \
- old_striplib striplib file_magic_cmd finish_cmds finish_eval \
- deplibs_check_method reload_flag reload_cmds need_locks \
- lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
- lt_cv_sys_global_symbol_to_c_name_address \
- sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
- old_postinstall_cmds old_postuninstall_cmds \
- compiler_GCJ \
- CC_GCJ \
- LD_GCJ \
- lt_prog_compiler_wl_GCJ \
- lt_prog_compiler_pic_GCJ \
- lt_prog_compiler_static_GCJ \
- lt_prog_compiler_no_builtin_flag_GCJ \
- export_dynamic_flag_spec_GCJ \
- thread_safe_flag_spec_GCJ \
- whole_archive_flag_spec_GCJ \
- enable_shared_with_static_runtimes_GCJ \
- old_archive_cmds_GCJ \
- old_archive_from_new_cmds_GCJ \
- predep_objects_GCJ \
- postdep_objects_GCJ \
- predeps_GCJ \
- postdeps_GCJ \
- compiler_lib_search_path_GCJ \
- archive_cmds_GCJ \
- archive_expsym_cmds_GCJ \
- postinstall_cmds_GCJ \
- postuninstall_cmds_GCJ \
- old_archive_from_expsyms_cmds_GCJ \
- allow_undefined_flag_GCJ \
- no_undefined_flag_GCJ \
- export_symbols_cmds_GCJ \
- hardcode_libdir_flag_spec_GCJ \
- hardcode_libdir_flag_spec_ld_GCJ \
- hardcode_libdir_separator_GCJ \
- hardcode_automatic_GCJ \
- module_cmds_GCJ \
- module_expsym_cmds_GCJ \
- lt_cv_prog_compiler_c_o_GCJ \
- exclude_expsyms_GCJ \
- include_expsyms_GCJ; do
-
- case $var in
- old_archive_cmds_GCJ | \
- old_archive_from_new_cmds_GCJ | \
- archive_cmds_GCJ | \
- archive_expsym_cmds_GCJ | \
- module_cmds_GCJ | \
- module_expsym_cmds_GCJ | \
- old_archive_from_expsyms_cmds_GCJ | \
- export_symbols_cmds_GCJ | \
- extract_expsyms_cmds | reload_cmds | finish_cmds | \
- postinstall_cmds | postuninstall_cmds | \
- old_postinstall_cmds | old_postuninstall_cmds | \
- sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
- # Double-quote double-evaled strings.
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
- ;;
- *)
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
- ;;
- esac
- done
-
- case $lt_echo in
- *'\$0 --fallback-echo"')
- lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
- ;;
- esac
-
-cfgfile="$ofile"
-
- cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_GCJ
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_GCJ
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# A language-specific compiler.
-CC=$lt_compiler_GCJ
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_GCJ
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_GCJ
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_GCJ
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_GCJ
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ
-
-# Must we lock files when doing compilation ?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_GCJ
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_GCJ
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_GCJ
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_GCJ
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_GCJ
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names. First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_GCJ
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_GCJ
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_GCJ
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_GCJ
-archive_expsym_cmds=$lt_archive_expsym_cmds_GCJ
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_GCJ
-module_expsym_cmds=$lt_module_expsym_cmds_GCJ
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_GCJ
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_GCJ
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_GCJ
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_GCJ
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_GCJ
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_GCJ
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_GCJ
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_GCJ
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_GCJ
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_GCJ
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_GCJ
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_GCJ
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_GCJ
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_GCJ
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_GCJ
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_GCJ
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path="$fix_srcfile_path_GCJ"
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_GCJ
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_GCJ
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_GCJ
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_GCJ
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
- # If there is no Makefile yet, we rely on a make rule to execute
- # `config.status --recheck' to rerun these tests and create the
- # libtool script then.
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
- if test -f "$ltmain_in"; then
- test -f Makefile && make "$ltmain"
- fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
- else
- tagname=""
- fi
- ;;
-
- RC)
-
-
-
-# Source file extension for RC test sources.
-ac_ext=rc
-
-# Object file extension for compiled RC test sources.
-objext=o
-objext_RC=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${RC-"windres"}
-compiler=$CC
-compiler_RC=$CC
-lt_cv_prog_compiler_c_o_RC=yes
-
-# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
- # See if we are running on zsh, and set the options which allow our commands through
- # without removal of \ escapes.
- if test -n "${ZSH_VERSION+set}" ; then
- setopt NO_GLOB_SUBST
- fi
- # Now quote all the things that may contain metacharacters while being
- # careful not to overquote the AC_SUBSTed values. We take copies of the
- # variables and quote the copies for generation of the libtool script.
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
- SED SHELL STRIP \
- libname_spec library_names_spec soname_spec extract_expsyms_cmds \
- old_striplib striplib file_magic_cmd finish_cmds finish_eval \
- deplibs_check_method reload_flag reload_cmds need_locks \
- lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
- lt_cv_sys_global_symbol_to_c_name_address \
- sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
- old_postinstall_cmds old_postuninstall_cmds \
- compiler_RC \
- CC_RC \
- LD_RC \
- lt_prog_compiler_wl_RC \
- lt_prog_compiler_pic_RC \
- lt_prog_compiler_static_RC \
- lt_prog_compiler_no_builtin_flag_RC \
- export_dynamic_flag_spec_RC \
- thread_safe_flag_spec_RC \
- whole_archive_flag_spec_RC \
- enable_shared_with_static_runtimes_RC \
- old_archive_cmds_RC \
- old_archive_from_new_cmds_RC \
- predep_objects_RC \
- postdep_objects_RC \
- predeps_RC \
- postdeps_RC \
- compiler_lib_search_path_RC \
- archive_cmds_RC \
- archive_expsym_cmds_RC \
- postinstall_cmds_RC \
- postuninstall_cmds_RC \
- old_archive_from_expsyms_cmds_RC \
- allow_undefined_flag_RC \
- no_undefined_flag_RC \
- export_symbols_cmds_RC \
- hardcode_libdir_flag_spec_RC \
- hardcode_libdir_flag_spec_ld_RC \
- hardcode_libdir_separator_RC \
- hardcode_automatic_RC \
- module_cmds_RC \
- module_expsym_cmds_RC \
- lt_cv_prog_compiler_c_o_RC \
- exclude_expsyms_RC \
- include_expsyms_RC; do
-
- case $var in
- old_archive_cmds_RC | \
- old_archive_from_new_cmds_RC | \
- archive_cmds_RC | \
- archive_expsym_cmds_RC | \
- module_cmds_RC | \
- module_expsym_cmds_RC | \
- old_archive_from_expsyms_cmds_RC | \
- export_symbols_cmds_RC | \
- extract_expsyms_cmds | reload_cmds | finish_cmds | \
- postinstall_cmds | postuninstall_cmds | \
- old_postinstall_cmds | old_postuninstall_cmds | \
- sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
- # Double-quote double-evaled strings.
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
- ;;
- *)
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
- ;;
- esac
- done
-
- case $lt_echo in
- *'\$0 --fallback-echo"')
- lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
- ;;
- esac
-
-cfgfile="$ofile"
-
- cat <<__EOF__ >> "$cfgfile"
-# ### BEGIN LIBTOOL TAG CONFIG: $tagname
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$archive_cmds_need_lc_RC
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# A language-specific compiler.
-CC=$lt_compiler_RC
-
-# Is the compiler the GNU C compiler?
-with_gcc=$GCC_RC
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_LD_RC
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_lt_prog_compiler_wl_RC
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_lt_prog_compiler_pic_RC
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC
-
-# Must we lock files when doing compilation ?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_lt_prog_compiler_static_RC
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_thread_safe_flag_spec_RC
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names. First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_old_archive_cmds_RC
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_archive_cmds_RC
-archive_expsym_cmds=$lt_archive_expsym_cmds_RC
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_module_cmds_RC
-module_expsym_cmds=$lt_module_expsym_cmds_RC
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_predep_objects_RC
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_postdep_objects_RC
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_predeps_RC
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_postdeps_RC
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_compiler_lib_search_path_RC
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_allow_undefined_flag_RC
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_no_undefined_flag_RC
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$hardcode_action_RC
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_RC
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$hardcode_direct_RC
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$hardcode_minus_L_RC
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$hardcode_shlibpath_var_RC
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$hardcode_automatic_RC
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$link_all_deplibs_RC
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path="$fix_srcfile_path_RC"
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$always_export_symbols_RC
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_export_symbols_cmds_RC
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_exclude_expsyms_RC
-
-# Symbols that must always be exported.
-include_expsyms=$lt_include_expsyms_RC
-
-# ### END LIBTOOL TAG CONFIG: $tagname
-
-__EOF__
-
-
-else
- # If there is no Makefile yet, we rely on a make rule to execute
- # `config.status --recheck' to rerun these tests and create the
- # libtool script then.
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
- if test -f "$ltmain_in"; then
- test -f Makefile && make "$ltmain"
- fi
-fi
-
-
-ac_ext=c
-ac_cpp='$CPP $CPPFLAGS'
-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
-ac_compiler_gnu=$ac_cv_c_compiler_gnu
-
-CC="$lt_save_CC"
-
- ;;
-
- *)
- { { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
-echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
- { (exit 1); exit 1; }; }
- ;;
- esac
-
- # Append the new tag name to the list of available tags.
- if test -n "$tagname" ; then
- available_tags="$available_tags $tagname"
- fi
- fi
- done
- IFS="$lt_save_ifs"
-
- # Now substitute the updated list of available tags.
- if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
- mv "${ofile}T" "$ofile"
- chmod +x "$ofile"
- else
- rm -f "${ofile}T"
- { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
-echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
- { (exit 1); exit 1; }; }
- fi
-fi
-
-
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-
-# Prevent multiple expansion
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- O=lo
- A=la
- LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
- LIBTOOL_MODE_COMPILE='--mode=compile'
- LIBTOOL_MODE_INSTALL='--mode=install'
- LIBTOOL_MODE_LINK='--mode=link'
- ;;
- *)
- O=o
- A=a
- LIBTOOL=
-
- LIBTOOL_MKDEP_SED=
- LIBTOOL_MODE_COMPILE=
- LIBTOOL_MODE_INSTALL=
- LIBTOOL_MODE_LINK=
- ;;
-esac
-
-#
-# File name extension for static archive files, for those few places
-# where they are treated differently from dynamic ones.
-#
-SA=a
-
-
-
-
-
-
-
-
-
-#
-# Here begins a very long section to determine the system's networking
-# capabilities. The order of the tests is signficant.
-#
-
-#
-# IPv6
-#
-# Check whether --enable-ipv6 or --disable-ipv6 was given.
-if test "${enable_ipv6+set}" = set; then
- enableval="$enable_ipv6"
-
-fi;
-
-case "$enable_ipv6" in
- yes|''|autodetect)
- cat >>confdefs.h <<\_ACEOF
-#define WANT_IPV6 1
-_ACEOF
-
- ;;
- no)
- ;;
-esac
-
-#
-# We do the IPv6 compilation checking after libtool so that we can put
-# the right suffix on the files.
-#
-echo "$as_me:$LINENO: checking for IPv6 structures" >&5
-echo $ECHO_N "checking for IPv6 structures... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-int
-main ()
-{
-struct sockaddr_in6 sin6; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- found_ipv6=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- found_ipv6=no
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-#
-# See whether IPv6 support is provided via a Kame add-on.
-# This is done before other IPv6 linking tests to LIBS is properly set.
-#
-echo "$as_me:$LINENO: checking for Kame IPv6 support" >&5
-echo $ECHO_N "checking for Kame IPv6 support... $ECHO_C" >&6
-
-# Check whether --with-kame or --without-kame was given.
-if test "${with_kame+set}" = set; then
- withval="$with_kame"
- use_kame="$withval"
-else
- use_kame="no"
-fi;
-
-case "$use_kame" in
- no)
- ;;
- yes)
- kame_path=/usr/local/v6
- ;;
- *)
- kame_path="$use_kame"
- ;;
-esac
-
-case "$use_kame" in
- no)
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ;;
- *)
- if test -f $kame_path/lib/libinet6.a; then
- echo "$as_me:$LINENO: result: $kame_path/lib/libinet6.a" >&5
-echo "${ECHO_T}$kame_path/lib/libinet6.a" >&6
- LIBS="-L$kame_path/lib -linet6 $LIBS"
- else
- { { echo "$as_me:$LINENO: error: $kame_path/lib/libinet6.a not found.
-
-Please choose the proper path with the following command:
-
- configure --with-kame=PATH
-" >&5
-echo "$as_me: error: $kame_path/lib/libinet6.a not found.
-
-Please choose the proper path with the following command:
-
- configure --with-kame=PATH
-" >&2;}
- { (exit 1); exit 1; }; }
- fi
- ;;
-esac
-
-#
-# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
-# Including it on Kame-using platforms is very bad, though, because
-# Kame uses #error against direct inclusion. So include it on only
-# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
-# This is done before the in6_pktinfo check because that's what
-# netinet6/in6.h is needed for.
-#
-
-case "$host" in
-*-bsdi4.[01]*)
- ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
- isc_netinet6in6_hack="#include <netinet6/in6.h>"
- ;;
-*)
- ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
- isc_netinet6in6_hack=""
- ;;
-esac
-
-
-#
-# This is similar to the netinet6/in6.h issue.
-#
-case "$host" in
-*-UnixWare*)
- ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
- ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
- isc_netinetin6_hack="#include <netinet/in6.h>"
- ;;
-*)
- ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
- ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
- isc_netinetin6_hack=""
- ;;
-esac
-
-#
-# Now delve deeper into the suitability of the IPv6 support.
-#
-case "$found_ipv6" in
- yes)
- HAS_INET6_STRUCTS="#define HAS_INET6_STRUCTS 1"
-
- echo "$as_me:$LINENO: checking for in6_addr" >&5
-echo $ECHO_N "checking for in6_addr... $ECHO_C" >&6
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-
-int
-main ()
-{
-struct in6_addr in6; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- HAS_IN_ADDR6="#undef HAS_IN_ADDR6"
- isc_in_addr6_hack=""
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- HAS_IN_ADDR6="#define HAS_IN_ADDR6 1"
- isc_in_addr6_hack="#define in6_addr in_addr6"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
- echo "$as_me:$LINENO: checking for in6addr_any" >&5
-echo $ECHO_N "checking for in6addr_any... $ECHO_C" >&6
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-$isc_in_addr6_hack
-
-int
-main ()
-{
-struct in6_addr in6; in6 = in6addr_any; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- NEED_IN6ADDR_ANY="#define NEED_IN6ADDR_ANY 1"
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
- echo "$as_me:$LINENO: checking for sin6_scope_id in struct sockaddr_in6" >&5
-echo $ECHO_N "checking for sin6_scope_id in struct sockaddr_in6... $ECHO_C" >&6
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-
-int
-main ()
-{
-struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- result="#define HAVE_SIN6_SCOPE_ID 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- result="#undef HAVE_SIN6_SCOPE_ID"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
- HAVE_SIN6_SCOPE_ID="$result"
-
- echo "$as_me:$LINENO: checking for in6_pktinfo" >&5
-echo $ECHO_N "checking for in6_pktinfo... $ECHO_C" >&6
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-
-int
-main ()
-{
-struct in6_pktinfo xyzzy; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no -- disabling runtime ipv6 support" >&5
-echo "${ECHO_T}no -- disabling runtime ipv6 support" >&6
- ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
- echo "$as_me:$LINENO: checking for sockaddr_storage" >&5
-echo $ECHO_N "checking for sockaddr_storage... $ECHO_C" >&6
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-
-int
-main ()
-{
-struct sockaddr_storage xyzzy; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
- ;;
- no)
- HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS"
- NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
- ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
- HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1"
- HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
- ISC_IPV6_H="ipv6.h"
- ISC_IPV6_O="ipv6.$O"
- ISC_ISCIPV6_O="unix/ipv6.$O"
- ISC_IPV6_C="ipv6.c"
- ;;
-esac
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-#
-# Check for network functions that are often missing. We do this
-# after the libtool checking, so we can put the right suffix on
-# the files. It also needs to come after checking for a Kame add-on,
-# which provides some (all?) of the desired functions.
-#
-echo "$as_me:$LINENO: checking for inet_ntop" >&5
-echo $ECHO_N "checking for inet_ntop... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-int
-main ()
-{
-inet_ntop(0, 0, 0, 0); return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-echo "$as_me:$LINENO: checking for inet_pton" >&5
-echo $ECHO_N "checking for inet_pton... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-int
-main ()
-{
-inet_pton(0, 0, 0); return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
- ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-echo "$as_me:$LINENO: checking for inet_aton" >&5
-echo $ECHO_N "checking for inet_aton... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-int
-main ()
-{
-struct in_addr in; inet_aton(0, &in); return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
- ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-
-
-
-
-
-#
-# Look for a 4.4BSD-style sa_len member in struct sockaddr.
-#
-case "$host" in
- *-dec-osf*)
- # Turn on 4.4BSD style sa_len support.
- cat >>confdefs.h <<\_ACEOF
-#define _SOCKADDR_LEN 1
-_ACEOF
-
- ;;
-esac
-
-echo "$as_me:$LINENO: checking for sa_len in struct sockaddr" >&5
-echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-int
-main ()
-{
-struct sockaddr sa; sa.sa_len = 0; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- HAVE_SA_LEN="#define HAVE_SA_LEN 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- HAVE_SA_LEN="#undef HAVE_SA_LEN"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-# HAVE_MINIMUM_IFREQ
-
-case "$host" in
- *-bsdi2345*) have_minimum_ifreq=yes;;
- *-darwin*) have_minimum_ifreq=yes;;
- *-freebsd*) have_minimum_ifreq=yes;;
- *-lynxos*) have_minimum_ifreq=yes;;
- *-netbsd*) have_minimum_ifreq=yes;;
- *-next*) have_minimum_ifreq=yes;;
- *-openbsd*) have_minimum_ifreq=yes;;
- *-rhapsody*) have_minimum_ifreq=yes;;
-esac
-
-case "$have_minimum_ifreq" in
- yes)
- HAVE_MINIMUM_IFREQ="#define HAVE_MINIMUM_IFREQ 1";;
- no)
- HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
- *)
- HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
-esac
-
-
-# PORT_DIR
-PORT_DIR=port/unknown
-SOLARIS_BITTYPES="#undef NEED_SOLARIS_BITTYPES"
-BSD_COMP="#undef BSD_COMP"
-USE_FIONBIO_IOCTL="#undef USE_FIONBIO_IOCTL"
-PORT_NONBLOCK="#define PORT_NONBLOCK O_NONBLOCK"
-HAVE_MD5="#undef HAVE_MD5"
-USE_POLL="#undef HAVE_POLL"
-SOLARIS2="#undef SOLARIS2"
-case "$host" in
- *aix3.2*) PORT_DIR="port/aix32";;
- *aix4*) PORT_DIR="port/aix4";;
- *aix5*) PORT_DIR="port/aix5";;
- *aux3*) PORT_DIR="port/aux3";;
- *-bsdi2*) PORT_DIR="port/bsdos2";;
- *-bsdi*) PORT_DIR="port/bsdos";;
- *-cygwin*)
- PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
- PORT_DIR="port/cygwin";;
- *-darwin*) PORT_DIR="port/darwin";;
- *-osf*) PORT_DIR="port/decunix";;
- *-freebsd*) PORT_DIR="port/freebsd";;
- *-hpux9*) PORT_DIR="port/hpux9";;
- *-hpux10*) PORT_DIR="port/hpux10";;
- *-hpux11*) PORT_DIR="port/hpux";;
- *-irix*) PORT_DIR="port/irix";;
- *-linux*) PORT_DIR="port/linux";;
- *-lynxos*) PORT_DIR="port/lynxos";;
- *-mpe*) PORT_DIR="port/mpe";;
- *-netbsd*) PORT_DIR="port/netbsd";;
- *-next*) PORT_DIR="port/next";;
- *-openbsd*) PORT_DIR="port/openbsd";;
- *-qnx*) PORT_DIR="port/qnx";;
- *-rhapsody*) PORT_DIR="port/rhapsody";;
- *-sunos4*)
- PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
- PORT_DIR="port/sunos";;
- *-solaris2.[01234])
- BSD_COMP="#define BSD_COMP 1"
- SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
- USE_FIONBIO_IOCTL="#define USE_FIONBIO_IOCTL 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-solaris2.5)
- BSD_COMP="#define BSD_COMP 1"
- SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-solaris2.[67])
- BSD_COMP="#define BSD_COMP 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-solaris2*) BSD_COMP="#define BSD_COMP 1"
- USE_POLL="#define USE_POLL 1"
- HAVE_MD5="#define HAVE_MD5 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-ultrix*) PORT_DIR="port/ultrix";;
- *-sco-sysv*uw2.0*) PORT_DIR="port/unixware20";;
- *-sco-sysv*uw2.1.2*) PORT_DIR="port/unixware212";;
- *-sco-sysv*uw7*) PORT_DIR="port/unixware7";;
-esac
-
-
-
-
-
-
-
-
-
-PORT_INCLUDE=${PORT_DIR}/include
-
-
-#
-# Look for a 4.4BSD or 4.3BSD struct msghdr
-#
-echo "$as_me:$LINENO: checking for struct msghdr flavor" >&5
-echo $ECHO_N "checking for struct msghdr flavor... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-int
-main ()
-{
-struct msghdr msg; msg.msg_flags = 0; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: 4.4BSD" >&5
-echo "${ECHO_T}4.4BSD" >&6
- ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: 4.3BSD" >&5
-echo "${ECHO_T}4.3BSD" >&6
- ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-#
-# Look for in_port_t.
-#
-echo "$as_me:$LINENO: checking for type in_port_t" >&5
-echo $ECHO_N "checking for type in_port_t... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <netinet/in.h>
-int
-main ()
-{
-in_port_t port = 25; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-#
-# Check for addrinfo
-#
-echo "$as_me:$LINENO: checking for struct addrinfo" >&5
-echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <netdb.h>
-int
-main ()
-{
-struct addrinfo a; return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_ADDRINFO 1
-_ACEOF
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-echo "$as_me:$LINENO: checking for int sethostent" >&5
-echo $ECHO_N "checking for int sethostent... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <netdb.h>
-int
-main ()
-{
-int i = sethostent(0); return(0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-echo "$as_me:$LINENO: checking for int endhostent" >&5
-echo $ECHO_N "checking for int endhostent... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <netdb.h>
-int
-main ()
-{
-int i = endhostent(); return(0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-echo "$as_me:$LINENO: checking for int setnetent" >&5
-echo $ECHO_N "checking for int setnetent... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <netdb.h>
-int
-main ()
-{
-int i = setnetent(0); return(0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-echo "$as_me:$LINENO: checking for int endnetent" >&5
-echo $ECHO_N "checking for int endnetent... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <netdb.h>
-int
-main ()
-{
-int i = endnetent(); return(0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-echo "$as_me:$LINENO: checking for gethostbyaddr(const void *, size_t, ...)" >&5
-echo $ECHO_N "checking for gethostbyaddr(const void *, size_t, ...)... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <netdb.h>
-struct hostent *gethostbyaddr(const void *, size_t, int);
-int
-main ()
-{
-return(0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-echo "$as_me:$LINENO: checking for h_errno in netdb.h" >&5
-echo $ECHO_N "checking for h_errno in netdb.h... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <netdb.h>
-int
-main ()
-{
-h_errno = 1; return(0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
- ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-echo "$as_me:$LINENO: checking for getipnodebyname" >&5
-echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6
-if test "${ac_cv_func_getipnodebyname+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getipnodebyname to an innocuous variant, in case <limits.h> declares getipnodebyname.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getipnodebyname innocuous_getipnodebyname
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getipnodebyname (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getipnodebyname
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getipnodebyname ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getipnodebyname) || defined (__stub___getipnodebyname)
-choke me
-#else
-char (*f) () = getipnodebyname;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getipnodebyname;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getipnodebyname=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getipnodebyname=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyname" >&5
-echo "${ECHO_T}$ac_cv_func_getipnodebyname" >&6
-if test $ac_cv_func_getipnodebyname = yes; then
- ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"
-else
- ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"
-fi
-
-echo "$as_me:$LINENO: checking for getnameinfo" >&5
-echo $ECHO_N "checking for getnameinfo... $ECHO_C" >&6
-if test "${ac_cv_func_getnameinfo+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getnameinfo to an innocuous variant, in case <limits.h> declares getnameinfo.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getnameinfo innocuous_getnameinfo
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getnameinfo (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getnameinfo
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getnameinfo ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getnameinfo) || defined (__stub___getnameinfo)
-choke me
-#else
-char (*f) () = getnameinfo;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getnameinfo;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getnameinfo=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getnameinfo=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getnameinfo" >&5
-echo "${ECHO_T}$ac_cv_func_getnameinfo" >&6
-if test $ac_cv_func_getnameinfo = yes; then
- ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"
-else
- ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"
-fi
-
-echo "$as_me:$LINENO: checking for getaddrinfo" >&5
-echo $ECHO_N "checking for getaddrinfo... $ECHO_C" >&6
-if test "${ac_cv_func_getaddrinfo+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getaddrinfo to an innocuous variant, in case <limits.h> declares getaddrinfo.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getaddrinfo innocuous_getaddrinfo
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getaddrinfo (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getaddrinfo
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getaddrinfo ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getaddrinfo) || defined (__stub___getaddrinfo)
-choke me
-#else
-char (*f) () = getaddrinfo;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getaddrinfo;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getaddrinfo=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getaddrinfo=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getaddrinfo" >&5
-echo "${ECHO_T}$ac_cv_func_getaddrinfo" >&6
-if test $ac_cv_func_getaddrinfo = yes; then
- ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_GETADDRINFO 1
-_ACEOF
-
-else
- ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"
-fi
-
-echo "$as_me:$LINENO: checking for gai_strerror" >&5
-echo $ECHO_N "checking for gai_strerror... $ECHO_C" >&6
-if test "${ac_cv_func_gai_strerror+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define gai_strerror to an innocuous variant, in case <limits.h> declares gai_strerror.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define gai_strerror innocuous_gai_strerror
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char gai_strerror (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef gai_strerror
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char gai_strerror ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_gai_strerror) || defined (__stub___gai_strerror)
-choke me
-#else
-char (*f) () = gai_strerror;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != gai_strerror;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_gai_strerror=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_gai_strerror=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gai_strerror" >&5
-echo "${ECHO_T}$ac_cv_func_gai_strerror" >&6
-if test $ac_cv_func_gai_strerror = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_GAISTRERROR 1
-_ACEOF
-
-fi
-
-
-
-
-echo "$as_me:$LINENO: checking for pselect" >&5
-echo $ECHO_N "checking for pselect... $ECHO_C" >&6
-if test "${ac_cv_func_pselect+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define pselect to an innocuous variant, in case <limits.h> declares pselect.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define pselect innocuous_pselect
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char pselect (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef pselect
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char pselect ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_pselect) || defined (__stub___pselect)
-choke me
-#else
-char (*f) () = pselect;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != pselect;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_pselect=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_pselect=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_pselect" >&5
-echo "${ECHO_T}$ac_cv_func_pselect" >&6
-if test $ac_cv_func_pselect = yes; then
- NEED_PSELECT="#undef NEED_PSELECT"
-else
- NEED_PSELECT="#define NEED_PSELECT"
-fi
-
-
-echo "$as_me:$LINENO: checking for gettimeofday" >&5
-echo $ECHO_N "checking for gettimeofday... $ECHO_C" >&6
-if test "${ac_cv_func_gettimeofday+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define gettimeofday to an innocuous variant, in case <limits.h> declares gettimeofday.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define gettimeofday innocuous_gettimeofday
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char gettimeofday (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef gettimeofday
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char gettimeofday ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_gettimeofday) || defined (__stub___gettimeofday)
-choke me
-#else
-char (*f) () = gettimeofday;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != gettimeofday;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_gettimeofday=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_gettimeofday=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gettimeofday" >&5
-echo "${ECHO_T}$ac_cv_func_gettimeofday" >&6
-if test $ac_cv_func_gettimeofday = yes; then
- NEED_GETTIMEOFDAY="#undef NEED_GETTIMEOFDAY"
-else
- NEED_GETTIMEOFDAY="#define NEED_GETTIMEOFDAY 1"
-fi
-
-
-echo "$as_me:$LINENO: checking for strndup" >&5
-echo $ECHO_N "checking for strndup... $ECHO_C" >&6
-if test "${ac_cv_func_strndup+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define strndup to an innocuous variant, in case <limits.h> declares strndup.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define strndup innocuous_strndup
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char strndup (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef strndup
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char strndup ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_strndup) || defined (__stub___strndup)
-choke me
-#else
-char (*f) () = strndup;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != strndup;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_strndup=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_strndup=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strndup" >&5
-echo "${ECHO_T}$ac_cv_func_strndup" >&6
-if test $ac_cv_func_strndup = yes; then
- HAVE_STRNDUP="#define HAVE_STRNDUP 1"
-else
- HAVE_STRNDUP="#undef HAVE_STRNDUP"
-fi
-
-
-
-#
-# Look for a sysctl call to get the list of network interfaces.
-#
-echo "$as_me:$LINENO: checking for interface list sysctl" >&5
-echo $ECHO_N "checking for interface list sysctl... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/param.h>
-#include <sys/sysctl.h>
-#include <sys/socket.h>
-#ifdef NET_RT_IFLIST
-found_rt_iflist
-#endif
-
-_ACEOF
-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
- $EGREP "found_rt_iflist" >/dev/null 2>&1; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_IFLIST_SYSCTL 1
-_ACEOF
-
-else
- echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-fi
-rm -f conftest*
-
-
-#
-# Check for some other useful functions that are not ever-present.
-#
-echo "$as_me:$LINENO: checking for strsep" >&5
-echo $ECHO_N "checking for strsep... $ECHO_C" >&6
-if test "${ac_cv_func_strsep+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define strsep to an innocuous variant, in case <limits.h> declares strsep.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define strsep innocuous_strsep
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char strsep (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef strsep
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char strsep ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_strsep) || defined (__stub___strsep)
-choke me
-#else
-char (*f) () = strsep;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != strsep;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_strsep=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_strsep=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strsep" >&5
-echo "${ECHO_T}$ac_cv_func_strsep" >&6
-if test $ac_cv_func_strsep = yes; then
- ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"
-else
- ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"
-fi
-
-echo "$as_me:$LINENO: checking for vsnprintf" >&5
-echo $ECHO_N "checking for vsnprintf... $ECHO_C" >&6
-if test "${ac_cv_func_vsnprintf+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define vsnprintf to an innocuous variant, in case <limits.h> declares vsnprintf.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define vsnprintf innocuous_vsnprintf
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char vsnprintf (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef vsnprintf
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char vsnprintf ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_vsnprintf) || defined (__stub___vsnprintf)
-choke me
-#else
-char (*f) () = vsnprintf;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != vsnprintf;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_vsnprintf=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_vsnprintf=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf" >&5
-echo "${ECHO_T}$ac_cv_func_vsnprintf" >&6
-if test $ac_cv_func_vsnprintf = yes; then
- ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
-else
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS print.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS print.c"
- ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
-fi
-
-
-
-
-
-
-echo "$as_me:$LINENO: checking for strerror" >&5
-echo $ECHO_N "checking for strerror... $ECHO_C" >&6
-if test "${ac_cv_func_strerror+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define strerror to an innocuous variant, in case <limits.h> declares strerror.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define strerror innocuous_strerror
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char strerror (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef strerror
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char strerror ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_strerror) || defined (__stub___strerror)
-choke me
-#else
-char (*f) () = strerror;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != strerror;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_strerror=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_strerror=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
-echo "${ECHO_T}$ac_cv_func_strerror" >&6
-if test $ac_cv_func_strerror = yes; then
- USE_SYSERROR_LIST="#undef USE_SYSERROR_LIST"
-else
- USE_SYSERROR_LIST="#define USE_SYSERROR_LIST 1"
-fi
-
-
-
-#
-# Determine the printf format characters to use when printing
-# values of type isc_int64_t. We make the assumption that platforms
-# where a "long long" is the same size as a "long" (e.g., Alpha/OSF1)
-# want "%ld" and everyone else can use "%lld". Win32 uses "%I64d",
-# but that's defined elsewhere since we don't use configure on Win32.
-#
-echo "$as_me:$LINENO: checking printf format modifier for 64-bit integers" >&5
-echo $ECHO_N "checking printf format modifier for 64-bit integers... $ECHO_C" >&6
-if test "$cross_compiling" = yes; then
- echo "$as_me:$LINENO: result: default ll" >&5
-echo "${ECHO_T}default ll" >&6
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-main() { exit(!(sizeof(long long int) == sizeof(long int))); }
-_ACEOF
-rm -f conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: l" >&5
-echo "${ECHO_T}l" >&6
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
-else
- echo "$as_me: program exited with status $ac_status" >&5
-echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-( exit $ac_status )
-echo "$as_me:$LINENO: result: ll" >&5
-echo "${ECHO_T}ll" >&6
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
-fi
-rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
-fi
-
-
-#
-# Security Stuff
-#
-echo "$as_me:$LINENO: checking for chroot" >&5
-echo $ECHO_N "checking for chroot... $ECHO_C" >&6
-if test "${ac_cv_func_chroot+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define chroot to an innocuous variant, in case <limits.h> declares chroot.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define chroot innocuous_chroot
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char chroot (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef chroot
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char chroot ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_chroot) || defined (__stub___chroot)
-choke me
-#else
-char (*f) () = chroot;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != chroot;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_chroot=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_chroot=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_chroot" >&5
-echo "${ECHO_T}$ac_cv_func_chroot" >&6
-if test $ac_cv_func_chroot = yes; then
- cat >>confdefs.h <<\_ACEOF
-#define HAVE_CHROOT 1
-_ACEOF
-
-fi
-
-
-#
-# for accept, recvfrom, getpeername etc.
-#
-echo "$as_me:$LINENO: checking for socket length type" >&5
-echo $ECHO_N "checking for socket length type... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, socklen_t *);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ISC_SOCKLEN_T="#define ISC_SOCKLEN_T socklen_t"
-echo "$as_me:$LINENO: result: socklen_t" >&5
-echo "${ECHO_T}socklen_t" >&6
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, unsigned int *);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned int"
-echo "$as_me:$LINENO: result: unsigned int" >&5
-echo "${ECHO_T}unsigned int" >&6
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, unsigned long *);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned long"
-echo "$as_me:$LINENO: result: unsigned long" >&5
-echo "${ECHO_T}unsigned long" >&6
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, long *);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ISC_SOCKLEN_T="#define ISC_SOCKLEN_T long"
-echo "$as_me:$LINENO: result: long" >&5
-echo "${ECHO_T}long" >&6
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ISC_SOCKLEN_T="#define ISC_SOCKLEN_T int"
-echo "$as_me:$LINENO: result: int" >&5
-echo "${ECHO_T}int" >&6
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-echo "$as_me:$LINENO: checking for getgrouplist" >&5
-echo $ECHO_N "checking for getgrouplist... $ECHO_C" >&6
-if test "${ac_cv_func_getgrouplist+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getgrouplist to an innocuous variant, in case <limits.h> declares getgrouplist.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getgrouplist innocuous_getgrouplist
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getgrouplist (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getgrouplist
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getgrouplist ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getgrouplist) || defined (__stub___getgrouplist)
-choke me
-#else
-char (*f) () = getgrouplist;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getgrouplist;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getgrouplist=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getgrouplist=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getgrouplist" >&5
-echo "${ECHO_T}$ac_cv_func_getgrouplist" >&6
-if test $ac_cv_func_getgrouplist = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#include <unistd.h>
-int
-getgrouplist(const char *name, int basegid, int *groups, int *ngroups) {
-}
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, int basegid, int *groups, int *ngroups"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-else
- GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_GETGROUPLIST 1
-_ACEOF
-
-
-fi
-
-
-
-echo "$as_me:$LINENO: checking for setgroupent" >&5
-echo $ECHO_N "checking for setgroupent... $ECHO_C" >&6
-if test "${ac_cv_func_setgroupent+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setgroupent to an innocuous variant, in case <limits.h> declares setgroupent.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setgroupent innocuous_setgroupent
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setgroupent (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setgroupent
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setgroupent ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setgroupent) || defined (__stub___setgroupent)
-choke me
-#else
-char (*f) () = setgroupent;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setgroupent;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setgroupent=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setgroupent=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setgroupent" >&5
-echo "${ECHO_T}$ac_cv_func_setgroupent" >&6
-if test $ac_cv_func_setgroupent = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_SETGROUPENT 1
-_ACEOF
-
-fi
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for getnetbyaddr_r" >&5
-echo $ECHO_N "checking for getnetbyaddr_r... $ECHO_C" >&6
-if test "${ac_cv_func_getnetbyaddr_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getnetbyaddr_r to an innocuous variant, in case <limits.h> declares getnetbyaddr_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getnetbyaddr_r innocuous_getnetbyaddr_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getnetbyaddr_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getnetbyaddr_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getnetbyaddr_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getnetbyaddr_r) || defined (__stub___getnetbyaddr_r)
-choke me
-#else
-char (*f) () = getnetbyaddr_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getnetbyaddr_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getnetbyaddr_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getnetbyaddr_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getnetbyaddr_r" >&5
-echo "${ECHO_T}$ac_cv_func_getnetbyaddr_r" >&6
-if test $ac_cv_func_getnetbyaddr_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#define _OSF_SOURCE
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct netent *
-getnetbyaddr_r(long net, int type, struct netent *result, char *buffer,
-int buflen) {}
-
-int
-main ()
-{
-return (0)
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
-NET_R_BAD="#define NET_R_BAD NULL"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
-NET_R_OK="#define NET_R_OK nptr"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN struct netent *"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#undef NETENT_DATA"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#define _OSF_SOURCE
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetbyaddr_r (unsigned long int, int, struct netent *,
- char *, size_t, struct netent **, int *);
-
-int
-main ()
-{
-return (0)
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
-NET_R_BAD="#define NET_R_BAD ERANGE"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#define NET_R_SETANSWER 1"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
-NETENT_DATA="#undef NETENT_DATA"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#define _OSF_SOURCE
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int getnetbyaddr_r(int, int, struct netent *, struct netent_data *);
-
-int
-main ()
-{
-return (0)
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
-NET_R_BAD="#define NET_R_BAD (-1)"
-NET_R_COPY="#define NET_R_COPY ndptr"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int"
-NETENT_DATA="#define NETENT_DATA 1"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetbyaddr_r (long, int, struct netent *, struct netent_data *);
-
-int
-main ()
-{
-return (0)
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
-NET_R_BAD="#define NET_R_BAD (-1)"
-NET_R_COPY="#define NET_R_COPY ndptr"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#define NETENT_DATA 1"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetbyaddr_r (uint32_t, int, struct netent *,
- char *, size_t, struct netent **, int *);
-
-int
-main ()
-{
-return (0)
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
-NET_R_BAD="#define NET_R_BAD ERANGE"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#define NET_R_SETANSWER 1"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
-NETENT_DATA="#undef NETENT_DATA"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
-NET_R_BAD="#define NET_R_BAD NULL"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
-NET_R_OK="#define NET_R_OK nptr"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN struct netent *"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#undef NETENT_DATA"
-
-fi
-
-esac
-
-case "$host" in
-*dec-osf*) GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int" ;;
-esac
-
-
-
-
-
-
-
-
-
-
-echo "$as_me:$LINENO: checking for setnetent_r" >&5
-echo $ECHO_N "checking for setnetent_r... $ECHO_C" >&6
-if test "${ac_cv_func_setnetent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setnetent_r to an innocuous variant, in case <limits.h> declares setnetent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setnetent_r innocuous_setnetent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setnetent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setnetent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setnetent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setnetent_r) || defined (__stub___setnetent_r)
-choke me
-#else
-char (*f) () = setnetent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setnetent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setnetent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setnetent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setnetent_r" >&5
-echo "${ECHO_T}$ac_cv_func_setnetent_r" >&6
-if test $ac_cv_func_setnetent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void setnetent_r (int);
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
-NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
-NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int setnetent_r(int, struct netent_data *);
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_ENT_ARGS="#define NET_R_ENT_ARGS struct netent_data *ndptr"
-NET_R_SET_RESULT="#define NET_R_SET_RESULT NET_R_OK"
-NET_R_SET_RETURN="#define NET_R_SET_RETURN int"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
-NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
-NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
-
-fi
-
-
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for endnetent_r" >&5
-echo $ECHO_N "checking for endnetent_r... $ECHO_C" >&6
-if test "${ac_cv_func_endnetent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define endnetent_r to an innocuous variant, in case <limits.h> declares endnetent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define endnetent_r innocuous_endnetent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char endnetent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef endnetent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char endnetent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_endnetent_r) || defined (__stub___endnetent_r)
-choke me
-#else
-char (*f) () = endnetent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != endnetent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_endnetent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_endnetent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_endnetent_r" >&5
-echo "${ECHO_T}$ac_cv_func_endnetent_r" >&6
-if test $ac_cv_func_endnetent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endnetent_r (void);
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
-NET_R_END_RETURN="#define NET_R_END_RETURN void"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int endnetent_r(struct netent_data *);
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_END_RESULT="#define NET_R_END_RESULT(x) return (x)"
-NET_R_END_RETURN="#define NET_R_END_RETURN int"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void endnetent_r(struct netent_data *);
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
-NET_R_END_RETURN="#define NET_R_END_RETURN void"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
-NET_R_END_RETURN="#define NET_R_END_RETURN void"
-
-fi
-
-esac
-
-
-
-echo "$as_me:$LINENO: checking for getgrnam_r" >&5
-echo $ECHO_N "checking for getgrnam_r... $ECHO_C" >&6
-if test "${ac_cv_func_getgrnam_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getgrnam_r to an innocuous variant, in case <limits.h> declares getgrnam_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getgrnam_r innocuous_getgrnam_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getgrnam_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getgrnam_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getgrnam_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getgrnam_r) || defined (__stub___getgrnam_r)
-choke me
-#else
-char (*f) () = getgrnam_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getgrnam_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getgrnam_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getgrnam_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getgrnam_r" >&5
-echo "${ECHO_T}$ac_cv_func_getgrnam_r" >&6
-if test $ac_cv_func_getgrnam_r = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_GETGRNAM_R 1
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for getgrgid_r" >&5
-echo $ECHO_N "checking for getgrgid_r... $ECHO_C" >&6
-if test "${ac_cv_func_getgrgid_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getgrgid_r to an innocuous variant, in case <limits.h> declares getgrgid_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getgrgid_r innocuous_getgrgid_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getgrgid_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getgrgid_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getgrgid_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getgrgid_r) || defined (__stub___getgrgid_r)
-choke me
-#else
-char (*f) () = getgrgid_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getgrgid_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getgrgid_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getgrgid_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getgrgid_r" >&5
-echo "${ECHO_T}$ac_cv_func_getgrgid_r" >&6
-if test $ac_cv_func_getgrgid_r = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_GETGRGID_R 1
-_ACEOF
-
-fi
-
-
-echo "$as_me:$LINENO: checking for getgrent_r" >&5
-echo $ECHO_N "checking for getgrent_r... $ECHO_C" >&6
-if test "${ac_cv_func_getgrent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getgrent_r to an innocuous variant, in case <limits.h> declares getgrent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getgrent_r innocuous_getgrent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getgrent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getgrent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getgrent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getgrent_r) || defined (__stub___getgrent_r)
-choke me
-#else
-char (*f) () = getgrent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getgrent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getgrent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getgrent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getgrent_r" >&5
-echo "${ECHO_T}$ac_cv_func_getgrent_r" >&6
-if test $ac_cv_func_getgrent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <grp.h>
-struct group *getgrent_r(struct group *grp, char *buffer,
- int buflen) {}
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
-GROUP_R_BAD="#define GROUP_R_BAD NULL"
-GROUP_R_OK="#define GROUP_R_OK gptr"
-GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
-GROUP_R_BAD="#define GROUP_R_BAD NULL"
-GROUP_R_OK="#define GROUP_R_OK gptr"
-GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_GETGRENT_R 1
-_ACEOF
-
-
-fi
-
-
-
-
-
-
-echo "$as_me:$LINENO: checking for endgrent_r" >&5
-echo $ECHO_N "checking for endgrent_r... $ECHO_C" >&6
-if test "${ac_cv_func_endgrent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define endgrent_r to an innocuous variant, in case <limits.h> declares endgrent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define endgrent_r innocuous_endgrent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char endgrent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef endgrent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char endgrent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_endgrent_r) || defined (__stub___endgrent_r)
-choke me
-#else
-char (*f) () = endgrent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != endgrent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_endgrent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_endgrent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_endgrent_r" >&5
-echo "${ECHO_T}$ac_cv_func_endgrent_r" >&6
-if test $ac_cv_func_endgrent_r = yes; then
- :
-else
- GROUP_R_END_RESULT="#define GROUP_R_END_RESULT(x) /*empty*/"
-GROUP_R_END_RETURN="#define GROUP_R_END_RETURN void"
-GROUP_R_ENT_ARGS="#define GROUP_R_ENT_ARGS void"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_ENDGRENT_R 1
-_ACEOF
-
-
-fi
-
-
-
-
-
-echo "$as_me:$LINENO: checking for setgrent_r" >&5
-echo $ECHO_N "checking for setgrent_r... $ECHO_C" >&6
-if test "${ac_cv_func_setgrent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setgrent_r to an innocuous variant, in case <limits.h> declares setgrent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setgrent_r innocuous_setgrent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setgrent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setgrent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setgrent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setgrent_r) || defined (__stub___setgrent_r)
-choke me
-#else
-char (*f) () = setgrent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setgrent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setgrent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setgrent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setgrent_r" >&5
-echo "${ECHO_T}$ac_cv_func_setgrent_r" >&6
-if test $ac_cv_func_setgrent_r = yes; then
- :
-else
- GROUP_R_SET_RESULT="#undef GROUP_R_SET_RESULT /*empty*/"
-GROUP_R_SET_RETURN="#define GROUP_R_SET_RETURN void"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_SETGRENT_R 1
-_ACEOF
-
-
-fi
-
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for gethostbyname_r" >&5
-echo $ECHO_N "checking for gethostbyname_r... $ECHO_C" >&6
-if test "${ac_cv_func_gethostbyname_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define gethostbyname_r to an innocuous variant, in case <limits.h> declares gethostbyname_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define gethostbyname_r innocuous_gethostbyname_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char gethostbyname_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef gethostbyname_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char gethostbyname_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_gethostbyname_r) || defined (__stub___gethostbyname_r)
-choke me
-#else
-char (*f) () = gethostbyname_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != gethostbyname_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_gethostbyname_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_gethostbyname_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyname_r" >&5
-echo "${ECHO_T}$ac_cv_func_gethostbyname_r" >&6
-if test $ac_cv_func_gethostbyname_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct hostent *gethostbyname_r
-(const char *name, struct hostent *hp, char *buf, int len, int *h_errnop) {}
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
-HOST_R_BAD="#define HOST_R_BAD NULL"
-HOST_R_COPY="#define HOST_R_COPY buf, buflen"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
-HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
-HOST_R_OK="#define HOST_R_OK hptr"
-HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
-HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
-HOSTENT_DATA="#undef HOSTENT_DATA"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int gethostbyname_r(const char *name,
- struct hostent *result,
- struct hostent_data *hdptr);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-HOST_R_ARGS="#define HOST_R_ARGS struct hostent_data *hdptr"
-HOST_R_BAD="#define HOST_R_BAD (-1)"
-HOST_R_COPY="#define HOST_R_COPY hdptr"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS HOST_R_ARGS"
-HOST_R_ERRNO="#undef HOST_R_ERRNO"
-HOST_R_OK="#define HOST_R_OK 0"
-HOST_R_RETURN="#define HOST_R_RETURN int"
-HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
-HOSTENT_DATA="#define HOSTENT_DATA 1"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int gethostbyname_r (const char *,
- struct hostent *,
- char *, size_t,
- struct hostent **,
- int *);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-HOST_R_ARGS="#define HOST_R_ARGS char *buf, size_t buflen, struct hostent **answerp, int *h_errnop"
-HOST_R_BAD="#define HOST_R_BAD ERANGE"
-HOST_R_COPY="#define HOST_R_COPY buf, buflen"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
-HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
-HOST_R_OK="#define HOST_R_OK 0"
-HOST_R_RETURN="#define HOST_R_RETURN int"
-HOST_R_SETANSWER="#define HOST_R_SETANSWER 1"
-HOSTENT_DATA="#undef HOSTENT_DATA"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
-HOST_R_BAD="#define HOST_R_BAD NULL"
-HOST_R_COPY="#define HOST_R_COPY buf, buflen"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
-HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
-HOST_R_OK="#define HOST_R_OK hptr"
-HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
-HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
-HOSTENT_DATA="#undef HOSTENT_DATA"
-
-fi
-
-esac
-
-
-
-
-
-
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for endhostent_r" >&5
-echo $ECHO_N "checking for endhostent_r... $ECHO_C" >&6
-if test "${ac_cv_func_endhostent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define endhostent_r to an innocuous variant, in case <limits.h> declares endhostent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define endhostent_r innocuous_endhostent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char endhostent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef endhostent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char endhostent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_endhostent_r) || defined (__stub___endhostent_r)
-choke me
-#else
-char (*f) () = endhostent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != endhostent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_endhostent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_endhostent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_endhostent_r" >&5
-echo "${ECHO_T}$ac_cv_func_endhostent_r" >&6
-if test $ac_cv_func_endhostent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int endhostent_r(struct hostent_data *buffer);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) return (x)"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN int"
-HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void endhostent_r(struct hostent_data *ht_data);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-HOST_R_END_RESULT="#define HOST_R_END_RESULT(x)"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
-HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void endhostent_r(void);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
-HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
-HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
-
-fi
-
-esac;
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for sethostent_r" >&5
-echo $ECHO_N "checking for sethostent_r... $ECHO_C" >&6
-if test "${ac_cv_func_sethostent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define sethostent_r to an innocuous variant, in case <limits.h> declares sethostent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define sethostent_r innocuous_sethostent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char sethostent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef sethostent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char sethostent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_sethostent_r) || defined (__stub___sethostent_r)
-choke me
-#else
-char (*f) () = sethostent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != sethostent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_sethostent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_sethostent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_sethostent_r" >&5
-echo "${ECHO_T}$ac_cv_func_sethostent_r" >&6
-if test $ac_cv_func_sethostent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void sethostent_r(int flag, struct hostent_data *ht_data);
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT /*empty*/"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int sethostent_r(int flag, struct hostent_data *ht_data);
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- HOST_R_SET_RESULT="#define HOST_R_SET_RESULT 0"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN int"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void sethostent_r (int);
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
-
-fi
-
-esac
-
-
-
-
-echo "$as_me:$LINENO: checking struct passwd element pw_class" >&5
-echo $ECHO_N "checking struct passwd element pw_class... $ECHO_C" >&6
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <pwd.h>
-
-int
-main ()
-{
-struct passwd *pw; pw->pw_class = "";
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- echo "$as_me:$LINENO: result: yes" >&5
-echo "${ECHO_T}yes" >&6
-cat >>confdefs.h <<\_ACEOF
-#define HAS_PW_CLASS 1
-_ACEOF
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-echo "$as_me:$LINENO: result: no" >&5
-echo "${ECHO_T}no" >&6
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <pwd.h>
-void
-setpwent(void) {}
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- SETPWENT_VOID="#define SETPWENT_VOID 1"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-SETPWENT_VOID="#undef SETPWENT_VOID"
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <grp.h>
-void
-setgrent(void) {}
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- SETGRENT_VOID="#define SETGRENT_VOID 1"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-SETGRENT_VOID="#undef SETGRENT_VOID"
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for getnetgrent_r" >&5
-echo $ECHO_N "checking for getnetgrent_r... $ECHO_C" >&6
-if test "${ac_cv_func_getnetgrent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getnetgrent_r to an innocuous variant, in case <limits.h> declares getnetgrent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getnetgrent_r innocuous_getnetgrent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getnetgrent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getnetgrent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getnetgrent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getnetgrent_r) || defined (__stub___getnetgrent_r)
-choke me
-#else
-char (*f) () = getnetgrent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getnetgrent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getnetgrent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getnetgrent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getnetgrent_r" >&5
-echo "${ECHO_T}$ac_cv_func_getnetgrent_r" >&6
-if test $ac_cv_func_getnetgrent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetgrent_r(char **m, char **u, char **d, char *b, int l) {}
-
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf, buflen"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetgrent_r(char **m, char **u, char **d, char *b, size_t l) {}
-
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NGR_R_ARGS="#define NGR_R_ARGS char *buf, size_t buflen"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf, buflen"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int getnetgrent_r( char **, char **, char **, void **);
-
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-NGR_R_ARGS="#define NGR_R_ARGS void **buf"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-NGR_R_PRIVATE="#define NGR_R_PRIVATE 1"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf, buflen"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-
-fi
-
-esac
-
-
-
-
-
-
-
-
-echo "$as_me:$LINENO: checking for endnetgrent_r" >&5
-echo $ECHO_N "checking for endnetgrent_r... $ECHO_C" >&6
-if test "${ac_cv_func_endnetgrent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define endnetgrent_r to an innocuous variant, in case <limits.h> declares endnetgrent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define endnetgrent_r innocuous_endnetgrent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char endnetgrent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef endnetgrent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char endnetgrent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_endnetgrent_r) || defined (__stub___endnetgrent_r)
-choke me
-#else
-char (*f) () = endnetgrent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != endnetgrent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_endnetgrent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_endnetgrent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_endnetgrent_r" >&5
-echo "${ECHO_T}$ac_cv_func_endnetgrent_r" >&6
-if test $ac_cv_func_endnetgrent_r = yes; then
- NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)"
-NGR_R_END_RETURN="#define NGR_R_END_RETURN int"
-NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
-
-else
- NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/"
-NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
-NGR_R_ENT_ARGS="#undef NGR_R_ENT_ARGS /*empty*/"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_ENDNETGRENT_R 1
-_ACEOF
-
-
-fi
-
-
-
-
-
-echo "$as_me:$LINENO: checking for setnetgrent_r" >&5
-echo $ECHO_N "checking for setnetgrent_r... $ECHO_C" >&6
-if test "${ac_cv_func_setnetgrent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setnetgrent_r to an innocuous variant, in case <limits.h> declares setnetgrent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setnetgrent_r innocuous_setnetgrent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setnetgrent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setnetgrent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setnetgrent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setnetgrent_r) || defined (__stub___setnetgrent_r)
-choke me
-#else
-char (*f) () = setnetgrent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setnetgrent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setnetgrent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setnetgrent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setnetgrent_r" >&5
-echo "${ECHO_T}$ac_cv_func_setnetgrent_r" >&6
-if test $ac_cv_func_setnetgrent_r = yes; then
-
-case "$host" in
-*bsdi*)
- NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
- NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
- ;;
-*)
- NGR_R_SET_RESULT="#define NGR_R_SET_RESULT NGR_R_OK"
- NGR_R_SET_RETURN="#define NGR_R_SET_RETURN int"
- ;;
-esac
-
-
-else
- NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
-NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
-
-fi
-
-
-
-
-echo "$as_me:$LINENO: checking for innetgr_r" >&5
-echo $ECHO_N "checking for innetgr_r... $ECHO_C" >&6
-if test "${ac_cv_func_innetgr_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define innetgr_r to an innocuous variant, in case <limits.h> declares innetgr_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define innetgr_r innocuous_innetgr_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char innetgr_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef innetgr_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char innetgr_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_innetgr_r) || defined (__stub___innetgr_r)
-choke me
-#else
-char (*f) () = innetgr_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != innetgr_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_innetgr_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_innetgr_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_innetgr_r" >&5
-echo "${ECHO_T}$ac_cv_func_innetgr_r" >&6
-if test $ac_cv_func_innetgr_r = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_INNETGR_R 1
-_ACEOF
-
-fi
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for getprotoent_r" >&5
-echo $ECHO_N "checking for getprotoent_r... $ECHO_C" >&6
-if test "${ac_cv_func_getprotoent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getprotoent_r to an innocuous variant, in case <limits.h> declares getprotoent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getprotoent_r innocuous_getprotoent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getprotoent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getprotoent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getprotoent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getprotoent_r) || defined (__stub___getprotoent_r)
-choke me
-#else
-char (*f) () = getprotoent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getprotoent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getprotoent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getprotoent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getprotoent_r" >&5
-echo "${ECHO_T}$ac_cv_func_getprotoent_r" >&6
-if test $ac_cv_func_getprotoent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct protoent *getprotoent_r(struct protoent *result,
- char *buffer, int buflen) {}
-
-
-int
-main ()
-{
-return (0);
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
-PROTO_R_BAD="#define PROTO_R_BAD NULL"
-PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
-PROTO_R_OK="#define PROTO_R_OK pptr"
-PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
-PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getprotoent_r (struct protoent *, char *, size_t, struct protoent **);
-
-
-
-int
-main ()
-{
-return (0);
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, size_t buflen, struct protoent **answerp"
-PROTO_R_BAD="#define PROTO_R_BAD ERANGE"
-PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen"
-PROTO_R_OK="#define PROTO_R_OK 0"
-PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1"
-PROTO_R_RETURN="#define PROTO_R_RETURN int"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
-PROTO_R_BAD="#define PROTO_R_BAD NULL"
-PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
-PROTO_R_OK="#define PROTO_R_OK pptr"
-PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
-PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-
-fi
-
-esac
-
-
-
-
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for endprotoent_r" >&5
-echo $ECHO_N "checking for endprotoent_r... $ECHO_C" >&6
-if test "${ac_cv_func_endprotoent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define endprotoent_r to an innocuous variant, in case <limits.h> declares endprotoent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define endprotoent_r innocuous_endprotoent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char endprotoent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef endprotoent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char endprotoent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_endprotoent_r) || defined (__stub___endprotoent_r)
-choke me
-#else
-char (*f) () = endprotoent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != endprotoent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_endprotoent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_endprotoent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_endprotoent_r" >&5
-echo "${ECHO_T}$ac_cv_func_endprotoent_r" >&6
-if test $ac_cv_func_endprotoent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endprotoent_r(void);
-
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
-PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
-PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/"
-
-fi
-
-esac
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for setprotoent_r" >&5
-echo $ECHO_N "checking for setprotoent_r... $ECHO_C" >&6
-if test "${ac_cv_func_setprotoent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setprotoent_r to an innocuous variant, in case <limits.h> declares setprotoent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setprotoent_r innocuous_setprotoent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setprotoent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setprotoent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setprotoent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setprotoent_r) || defined (__stub___setprotoent_r)
-choke me
-#else
-char (*f) () = setprotoent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setprotoent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setprotoent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setprotoent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setprotoent_r" >&5
-echo "${ECHO_T}$ac_cv_func_setprotoent_r" >&6
-if test $ac_cv_func_setprotoent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void setprotoent_r __P((int));
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
-PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
-PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
-
-fi
-
-esac
-
-
-
-echo "$as_me:$LINENO: checking for getpwent_r" >&5
-echo $ECHO_N "checking for getpwent_r... $ECHO_C" >&6
-if test "${ac_cv_func_getpwent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getpwent_r to an innocuous variant, in case <limits.h> declares getpwent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getpwent_r innocuous_getpwent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getpwent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getpwent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getpwent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getpwent_r) || defined (__stub___getpwent_r)
-choke me
-#else
-char (*f) () = getpwent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getpwent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getpwent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getpwent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getpwent_r" >&5
-echo "${ECHO_T}$ac_cv_func_getpwent_r" >&6
-if test $ac_cv_func_getpwent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <sys/types.h>
-#include <pwd.h>
-struct passwd *
-getpwent_r(struct passwd *pwptr, char *buf, int buflen) {}
-
-
-int
-main ()
-{
-
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
-PASS_R_BAD="#define PASS_R_BAD NULL"
-PASS_R_COPY="#define PASS_R_COPY buf, buflen"
-PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
-PASS_R_OK="#define PASS_R_OK pwptr"
-PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
-PASS_R_BAD="#define PASS_R_BAD NULL"
-PASS_R_COPY="#define PASS_R_COPY buf, buflen"
-PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
-PASS_R_OK="#define PASS_R_OK pwptr"
-PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_GETPWENT_R 1
-_ACEOF
-
-
-fi
-
-
-
-
-
-
-
-
-echo "$as_me:$LINENO: checking for endpwent_r" >&5
-echo $ECHO_N "checking for endpwent_r... $ECHO_C" >&6
-if test "${ac_cv_func_endpwent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define endpwent_r to an innocuous variant, in case <limits.h> declares endpwent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define endpwent_r innocuous_endpwent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char endpwent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef endpwent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char endpwent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_endpwent_r) || defined (__stub___endpwent_r)
-choke me
-#else
-char (*f) () = endpwent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != endpwent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_endpwent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_endpwent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_endpwent_r" >&5
-echo "${ECHO_T}$ac_cv_func_endpwent_r" >&6
-if test $ac_cv_func_endpwent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <pwd.h>
-void endpwent_r(FILE **pwfp);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
-PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
-PASS_R_ENT_ARGS="#define PASS_R_ENT_ARGS FILE **pwptr"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
-PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
-PASS_R_ENT_ARGS="#undef PASS_R_ENT_ARGS"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_ENDPWENT_R 1
-_ACEOF
-
-
-fi
-
-
-
-
-echo "$as_me:$LINENO: checking for setpassent_r" >&5
-echo $ECHO_N "checking for setpassent_r... $ECHO_C" >&6
-if test "${ac_cv_func_setpassent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setpassent_r to an innocuous variant, in case <limits.h> declares setpassent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setpassent_r innocuous_setpassent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setpassent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setpassent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setpassent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setpassent_r) || defined (__stub___setpassent_r)
-choke me
-#else
-char (*f) () = setpassent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setpassent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setpassent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setpassent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setpassent_r" >&5
-echo "${ECHO_T}$ac_cv_func_setpassent_r" >&6
-if test $ac_cv_func_setpassent_r = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_SETPASSENT_R 1
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for setpassent" >&5
-echo $ECHO_N "checking for setpassent... $ECHO_C" >&6
-if test "${ac_cv_func_setpassent+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setpassent to an innocuous variant, in case <limits.h> declares setpassent.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setpassent innocuous_setpassent
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setpassent (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setpassent
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setpassent ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setpassent) || defined (__stub___setpassent)
-choke me
-#else
-char (*f) () = setpassent;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setpassent;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setpassent=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setpassent=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setpassent" >&5
-echo "${ECHO_T}$ac_cv_func_setpassent" >&6
-if test $ac_cv_func_setpassent = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_SETPASSENT 1
-_ACEOF
-
-fi
-
-
-echo "$as_me:$LINENO: checking for setpwent_r" >&5
-echo $ECHO_N "checking for setpwent_r... $ECHO_C" >&6
-if test "${ac_cv_func_setpwent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setpwent_r to an innocuous variant, in case <limits.h> declares setpwent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setpwent_r innocuous_setpwent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setpwent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setpwent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setpwent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setpwent_r) || defined (__stub___setpwent_r)
-choke me
-#else
-char (*f) () = setpwent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setpwent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setpwent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setpwent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setpwent_r" >&5
-echo "${ECHO_T}$ac_cv_func_setpwent_r" >&6
-if test $ac_cv_func_setpwent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <pwd.h>
-void setpwent_r(FILE **pwfp);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /* empty */"
-PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#include <pwd.h>
-int setpwent_r(FILE **pwfp);
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- PASS_R_SET_RESULT="#define PASS_R_SET_RESULT 0"
-PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /*empty*/"
-PASS_R_SET_RETURN="#define PASS_R_SET_RETURN void"
-cat >>confdefs.h <<\_ACEOF
-#define NEED_SETPWENT_R 1
-_ACEOF
-
-
-fi
-
-
-
-
-echo "$as_me:$LINENO: checking for getpwnam_r" >&5
-echo $ECHO_N "checking for getpwnam_r... $ECHO_C" >&6
-if test "${ac_cv_func_getpwnam_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getpwnam_r to an innocuous variant, in case <limits.h> declares getpwnam_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getpwnam_r innocuous_getpwnam_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getpwnam_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getpwnam_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getpwnam_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getpwnam_r) || defined (__stub___getpwnam_r)
-choke me
-#else
-char (*f) () = getpwnam_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getpwnam_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getpwnam_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getpwnam_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getpwnam_r" >&5
-echo "${ECHO_T}$ac_cv_func_getpwnam_r" >&6
-if test $ac_cv_func_getpwnam_r = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_GETPWNAM_R 1
-_ACEOF
-
-fi
-
-echo "$as_me:$LINENO: checking for getpwuid_r" >&5
-echo $ECHO_N "checking for getpwuid_r... $ECHO_C" >&6
-if test "${ac_cv_func_getpwuid_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getpwuid_r to an innocuous variant, in case <limits.h> declares getpwuid_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getpwuid_r innocuous_getpwuid_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getpwuid_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getpwuid_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getpwuid_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getpwuid_r) || defined (__stub___getpwuid_r)
-choke me
-#else
-char (*f) () = getpwuid_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getpwuid_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getpwuid_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getpwuid_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getpwuid_r" >&5
-echo "${ECHO_T}$ac_cv_func_getpwuid_r" >&6
-if test $ac_cv_func_getpwuid_r = yes; then
- :
-else
- cat >>confdefs.h <<\_ACEOF
-#define NEED_GETPWUID_R 1
-_ACEOF
-
-fi
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for getservent_r" >&5
-echo $ECHO_N "checking for getservent_r... $ECHO_C" >&6
-if test "${ac_cv_func_getservent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define getservent_r to an innocuous variant, in case <limits.h> declares getservent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define getservent_r innocuous_getservent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char getservent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef getservent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char getservent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_getservent_r) || defined (__stub___getservent_r)
-choke me
-#else
-char (*f) () = getservent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != getservent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_getservent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_getservent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_getservent_r" >&5
-echo "${ECHO_T}$ac_cv_func_getservent_r" >&6
-if test $ac_cv_func_getservent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct servent *
-getservent_r(struct servent *result, char *buffer, int buflen) {}
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
-SERV_R_BAD="#define SERV_R_BAD NULL"
-SERV_R_COPY="#define SERV_R_COPY buf, buflen"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
-SERV_R_OK="#define SERV_R_OK sptr"
-SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
-SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int
-getservent_r (struct servent *, char *, size_t, struct servent **);
-
-int
-main ()
-{
-return (0);
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-SERV_R_ARGS="#define SERV_R_ARGS char *buf, size_t buflen, struct servent **answerp"
-SERV_R_BAD="#define SERV_R_BAD ERANGE"
-SERV_R_COPY="#define SERV_R_COPY buf, buflen"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS char *buf, size_t buflen"
-SERV_R_OK="#define SERV_R_OK (0)"
-SERV_R_SETANSWER="#define SERV_R_SETANSWER 1"
-SERV_R_RETURN="#define SERV_R_RETURN int"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
-SERV_R_BAD="#define SERV_R_BAD NULL"
-SERV_R_COPY="#define SERV_R_COPY buf, buflen"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
-SERV_R_OK="#define SERV_R_OK sptr"
-SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
-SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
-
-fi
-
-esac
-
-
-
-
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for endservent_r" >&5
-echo $ECHO_N "checking for endservent_r... $ECHO_C" >&6
-if test "${ac_cv_func_endservent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define endservent_r to an innocuous variant, in case <limits.h> declares endservent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define endservent_r innocuous_endservent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char endservent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef endservent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char endservent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_endservent_r) || defined (__stub___endservent_r)
-choke me
-#else
-char (*f) () = endservent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != endservent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_endservent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_endservent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_endservent_r" >&5
-echo "${ECHO_T}$ac_cv_func_endservent_r" >&6
-if test $ac_cv_func_endservent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endservent_r(void);
-
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
-SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
-SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-
-fi
-
-esac
-
-
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-echo "$as_me:$LINENO: checking for setservent_r" >&5
-echo $ECHO_N "checking for setservent_r... $ECHO_C" >&6
-if test "${ac_cv_func_setservent_r+set}" = set; then
- echo $ECHO_N "(cached) $ECHO_C" >&6
-else
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-/* Define setservent_r to an innocuous variant, in case <limits.h> declares setservent_r.
- For example, HP-UX 11i <limits.h> declares gettimeofday. */
-#define setservent_r innocuous_setservent_r
-
-/* System header to define __stub macros and hopefully few prototypes,
- which can conflict with char setservent_r (); below.
- Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
- <limits.h> exists even on freestanding compilers. */
-
-#ifdef __STDC__
-# include <limits.h>
-#else
-# include <assert.h>
-#endif
-
-#undef setservent_r
-
-/* Override any gcc2 internal prototype to avoid an error. */
-#ifdef __cplusplus
-extern "C"
-{
-#endif
-/* We use char because int might match the return type of a gcc2
- builtin and then its argument prototype would still apply. */
-char setservent_r ();
-/* The GNU C library defines this for functions which it implements
- to always fail with ENOSYS. Some functions are actually named
- something starting with __ and the normal name is an alias. */
-#if defined (__stub_setservent_r) || defined (__stub___setservent_r)
-choke me
-#else
-char (*f) () = setservent_r;
-#endif
-#ifdef __cplusplus
-}
-#endif
-
-int
-main ()
-{
-return f != setservent_r;
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext conftest$ac_exeext
-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
- (eval $ac_link) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest$ac_exeext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
- ac_cv_func_setservent_r=yes
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-ac_cv_func_setservent_r=no
-fi
-rm -f conftest.err conftest.$ac_objext \
- conftest$ac_exeext conftest.$ac_ext
-fi
-echo "$as_me:$LINENO: result: $ac_cv_func_setservent_r" >&5
-echo "${ECHO_T}$ac_cv_func_setservent_r" >&6
-if test $ac_cv_func_setservent_r = yes; then
- cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void setservent_r(int);
-
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
-SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-else
- SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
-SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
-
-fi
-
-esac
-
-
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-int innetgr(const char *netgroup, const char *host, const char *user, const char *domain);
-
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-INNETGR_ARGS="#undef INNETGR_ARGS"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-int innetgr(char *netgroup, char *host, char *user, char *domain);
-
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-INNETGR_ARGS="#define INNETGR_ARGS char *netgroup, char *host, char *user, char *domain"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-void setnetgrent(const char *);
-
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-SETNETGRENT_ARGS="#undef SETNETGRENT_ARGS"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-cat >conftest.$ac_ext <<_ACEOF
-/* confdefs.h. */
-_ACEOF
-cat confdefs.h >>conftest.$ac_ext
-cat >>conftest.$ac_ext <<_ACEOF
-/* end confdefs.h. */
-
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-void setnetgrent(char *);
-
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-rm -f conftest.$ac_objext
-if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
- (eval $ac_compile) 2>conftest.er1
- ac_status=$?
- grep -v '^ *+' conftest.er1 >conftest.err
- rm -f conftest.er1
- cat conftest.err >&5
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); } &&
- { ac_try='test -z "$ac_c_werror_flag"
- || test ! -s conftest.err'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; } &&
- { ac_try='test -s conftest.$ac_objext'
- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
- (eval $ac_try) 2>&5
- ac_status=$?
- echo "$as_me:$LINENO: \$? = $ac_status" >&5
- (exit $ac_status); }; }; then
-
-SETNETGRENT_ARGS="#define SETNETGRENT_ARGS char *netgroup"
-
-
-else
- echo "$as_me: failed program was:" >&5
-sed 's/^/| /' conftest.$ac_ext >&5
-
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-
-
-
-#
-# Random remaining OS-specific issues involving compiler warnings.
-# XXXDCL print messages to indicate some compensation is being done?
-#
-BROKEN_IN6ADDR_INIT_MACROS="#undef BROKEN_IN6ADDR_INIT_MACROS"
-
-case "$host" in
- *-aix5.1.*)
- hack_shutup_pthreadmutexinit=yes
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-bsdi3.1*)
- hack_shutup_sputaux=yes
- ;;
- *-bsdi4.0*)
- hack_shutup_sigwait=yes
- hack_shutup_sputaux=yes
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-bsdi4.1*)
- hack_shutup_stdargcast=yes
- ;;
- *-hpux11.11)
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-osf5.1|*-osf5.1b)
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-solaris2.8)
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-solaris2.9)
- hack_shutup_in6addr_init_macros=yes
- ;;
-esac
-
-case "$hack_shutup_pthreadmutexinit" in
- yes)
- #
- # Shut up PTHREAD_MUTEX_INITIALIZER unbraced
- # initializer warnings.
- #
- cat >>confdefs.h <<\_ACEOF
-#define SHUTUP_MUTEX_INITIALIZER 1
-_ACEOF
-
- ;;
-esac
-
-case "$hack_shutup_sigwait" in
- yes)
- #
- # Shut up a -Wmissing-prototypes warning for sigwait().
- #
- cat >>confdefs.h <<\_ACEOF
-#define SHUTUP_SIGWAIT 1
-_ACEOF
-
- ;;
-esac
-
-case "$hack_shutup_sputaux" in
- yes)
- #
- # Shut up a -Wmissing-prototypes warning from <stdio.h>.
- #
- cat >>confdefs.h <<\_ACEOF
-#define SHUTUP_SPUTAUX 1
-_ACEOF
-
- ;;
-esac
-
-case "$hack_shutup_stdargcast" in
- yes)
- #
- # Shut up a -Wcast-qual warning from va_start().
- #
- cat >>confdefs.h <<\_ACEOF
-#define SHUTUP_STDARG_CAST 1
-_ACEOF
-
- ;;
-esac
-
-case "$hack_shutup_in6addr_init_macros" in
- yes)
- cat >>confdefs.h <<\_ACEOF
-#define BROKEN_IN6ADDR_INIT_MACROS 1
-_ACEOF
-
- ;;
-esac
-
-#
-# Substitutions
-#
-
-BIND9_TOP_BUILDDIR=`pwd`
-
-
-BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
-
-
-BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
-
-. $srcdir/../../version
-BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
-
-
-
-LIBBIND_API=$srcdir/api
-
- ac_config_files="$ac_config_files make/rules make/mkdep make/includes Makefile bsd/Makefile dst/Makefile include/Makefile inet/Makefile irs/Makefile isc/Makefile nameser/Makefile port_after.h port_before.h resolv/Makefile port/Makefile ${PORT_DIR}/Makefile ${PORT_INCLUDE}/Makefile"
-cat >confcache <<\_ACEOF
-# This file is a shell script that caches the results of configure
-# tests run on this system so they can be shared between configure
-# scripts and configure runs, see configure's option --config-cache.
-# It is not useful on other systems. If it contains results you don't
-# want to keep, you may remove or edit it.
-#
-# config.status only pays attention to the cache file if you give it
-# the --recheck option to rerun configure.
-#
-# `ac_cv_env_foo' variables (set or unset) will be overridden when
-# loading this file, other *unset* `ac_cv_foo' will be assigned the
-# following values.
-
-_ACEOF
-
-# The following way of writing the cache mishandles newlines in values,
-# but we know of no workaround that is simple, portable, and efficient.
-# So, don't put newlines in cache variables' values.
-# Ultrix sh set writes to stderr and can't be redirected directly,
-# and sets the high bit in the cache file unless we assign to the vars.
-{
- (set) 2>&1 |
- case `(ac_space=' '; set | grep ac_space) 2>&1` in
- *ac_space=\ *)
- # `set' does not quote correctly, so add quotes (double-quote
- # substitution turns \\\\ into \\, and sed turns \\ into \).
- sed -n \
- "s/'/'\\\\''/g;
- s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
- ;;
- *)
- # `set' quotes correctly as required by POSIX, so do not add quotes.
- sed -n \
- "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
- ;;
- esac;
-} |
- sed '
- t clear
- : clear
- s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
- t end
- /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
- : end' >>confcache
-if diff $cache_file confcache >/dev/null 2>&1; then :; else
- if test -w $cache_file; then
- test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
- cat confcache >$cache_file
- else
- echo "not updating unwritable cache $cache_file"
- fi
-fi
-rm -f confcache
-
-test "x$prefix" = xNONE && prefix=$ac_default_prefix
-# Let make expand exec_prefix.
-test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
-
-# VPATH may cause trouble with some makes, so we remove $(srcdir),
-# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
-# trailing colons and then remove the whole line if VPATH becomes empty
-# (actually we leave an empty line to preserve line numbers).
-if test "x$srcdir" = x.; then
- ac_vpsub='/^[ ]*VPATH[ ]*=/{
-s/:*\$(srcdir):*/:/;
-s/:*\${srcdir}:*/:/;
-s/:*@srcdir@:*/:/;
-s/^\([^=]*=[ ]*\):*/\1/;
-s/:*$//;
-s/^[^=]*=[ ]*$//;
-}'
-fi
-
-DEFS=-DHAVE_CONFIG_H
-
-ac_libobjs=
-ac_ltlibobjs=
-for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
- # 1. Remove the extension, and $U if already installed.
- ac_i=`echo "$ac_i" |
- sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
- # 2. Add them.
- ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
- ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
-done
-LIBOBJS=$ac_libobjs
-
-LTLIBOBJS=$ac_ltlibobjs
-
-
-
-: ${CONFIG_STATUS=./config.status}
-ac_clean_files_save=$ac_clean_files
-ac_clean_files="$ac_clean_files $CONFIG_STATUS"
-{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
-echo "$as_me: creating $CONFIG_STATUS" >&6;}
-cat >$CONFIG_STATUS <<_ACEOF
-#! $SHELL
-# Generated by $as_me.
-# Run this file to recreate the current configuration.
-# Compiler output produced by configure, useful for debugging
-# configure, is in config.log if it exists.
-
-debug=false
-ac_cs_recheck=false
-ac_cs_silent=false
-SHELL=\${CONFIG_SHELL-$SHELL}
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-## --------------------- ##
-## M4sh Initialization. ##
-## --------------------- ##
-
-# Be Bourne compatible
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
- emulate sh
- NULLCMD=:
- # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
- # is contrary to our usage. Disable this feature.
- alias -g '${1+"$@"}'='"$@"'
-elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
- set -o posix
-fi
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# Support unset when possible.
-if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
- as_unset=unset
-else
- as_unset=false
-fi
-
-
-# Work around bugs in pre-3.0 UWIN ksh.
-$as_unset ENV MAIL MAILPATH
-PS1='$ '
-PS2='> '
-PS4='+ '
-
-# NLS nuisances.
-for as_var in \
- LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
- LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
- LC_TELEPHONE LC_TIME
-do
- if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
- eval $as_var=C; export $as_var
- else
- $as_unset $as_var
- fi
-done
-
-# Required to use basename.
-if expr a : '\(a\)' >/dev/null 2>&1; then
- as_expr=expr
-else
- as_expr=false
-fi
-
-if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
- as_basename=basename
-else
- as_basename=false
-fi
-
-
-# Name of the executable.
-as_me=`$as_basename "$0" ||
-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
- X"$0" : 'X\(//\)$' \| \
- X"$0" : 'X\(/\)$' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X/"$0" |
- sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
- /^X\/\(\/\/\)$/{ s//\1/; q; }
- /^X\/\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
-
-
-# PATH needs CR, and LINENO needs CR and PATH.
-# Avoid depending upon Character Ranges.
-as_cr_letters='abcdefghijklmnopqrstuvwxyz'
-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
-as_cr_Letters=$as_cr_letters$as_cr_LETTERS
-as_cr_digits='0123456789'
-as_cr_alnum=$as_cr_Letters$as_cr_digits
-
-# The user is always right.
-if test "${PATH_SEPARATOR+set}" != set; then
- echo "#! /bin/sh" >conf$$.sh
- echo "exit 0" >>conf$$.sh
- chmod +x conf$$.sh
- if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
- PATH_SEPARATOR=';'
- else
- PATH_SEPARATOR=:
- fi
- rm -f conf$$.sh
-fi
-
-
- as_lineno_1=$LINENO
- as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
- test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" || {
- # Find who we are. Look in the path if we contain no path at all
- # relative or not.
- case $0 in
- *[\\/]* ) as_myself=$0 ;;
- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
-done
-
- ;;
- esac
- # We did not find ourselves, most probably we were run as `sh COMMAND'
- # in which case we are not to be found in the path.
- if test "x$as_myself" = x; then
- as_myself=$0
- fi
- if test ! -f "$as_myself"; then
- { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
-echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
- { (exit 1); exit 1; }; }
- fi
- case $CONFIG_SHELL in
- '')
- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for as_base in sh bash ksh sh5; do
- case $as_dir in
- /*)
- if ("$as_dir/$as_base" -c '
- as_lineno_1=$LINENO
- as_lineno_2=$LINENO
- as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
- test "x$as_lineno_1" != "x$as_lineno_2" &&
- test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then
- $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
- $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
- CONFIG_SHELL=$as_dir/$as_base
- export CONFIG_SHELL
- exec "$CONFIG_SHELL" "$0" ${1+"$@"}
- fi;;
- esac
- done
-done
-;;
- esac
-
- # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
- # uniformly replaced by the line number. The first 'sed' inserts a
- # line-number line before each line; the second 'sed' does the real
- # work. The second script uses 'N' to pair each line-number line
- # with the numbered line, and appends trailing '-' during
- # substitution so that $LINENO is not a special case at line end.
- # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
- # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-)
- sed '=' <$as_myself |
- sed '
- N
- s,$,-,
- : loop
- s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
- t loop
- s,-$,,
- s,^['$as_cr_digits']*\n,,
- ' >$as_me.lineno &&
- chmod +x $as_me.lineno ||
- { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
-echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
- { (exit 1); exit 1; }; }
-
- # Don't try to exec as it changes $[0], causing all sort of problems
- # (the dirname of $[0] is not the place where we might find the
- # original and so on. Autoconf is especially sensible to this).
- . ./$as_me.lineno
- # Exit status is that of the last command.
- exit
-}
-
-
-case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
- *c*,-n*) ECHO_N= ECHO_C='
-' ECHO_T=' ' ;;
- *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;;
- *) ECHO_N= ECHO_C='\c' ECHO_T= ;;
-esac
-
-if expr a : '\(a\)' >/dev/null 2>&1; then
- as_expr=expr
-else
- as_expr=false
-fi
-
-rm -f conf$$ conf$$.exe conf$$.file
-echo >conf$$.file
-if ln -s conf$$.file conf$$ 2>/dev/null; then
- # We could just check for DJGPP; but this test a) works b) is more generic
- # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
- if test -f conf$$.exe; then
- # Don't use ln at all; we don't have any links
- as_ln_s='cp -p'
- else
- as_ln_s='ln -s'
- fi
-elif ln conf$$.file conf$$ 2>/dev/null; then
- as_ln_s=ln
-else
- as_ln_s='cp -p'
-fi
-rm -f conf$$ conf$$.exe conf$$.file
-
-if mkdir -p . 2>/dev/null; then
- as_mkdir_p=:
-else
- test -d ./-p && rmdir ./-p
- as_mkdir_p=false
-fi
-
-as_executable_p="test -f"
-
-# Sed expression to map a string onto a valid CPP name.
-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
-
-# Sed expression to map a string onto a valid variable name.
-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
-
-
-# IFS
-# We need space, tab and new line, in precisely that order.
-as_nl='
-'
-IFS=" $as_nl"
-
-# CDPATH.
-$as_unset CDPATH
-
-exec 6>&1
-
-# Open the log real soon, to keep \$[0] and so on meaningful, and to
-# report actual input values of CONFIG_FILES etc. instead of their
-# values after options handling. Logging --version etc. is OK.
-exec 5>>config.log
-{
- echo
- sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
-## Running $as_me. ##
-_ASBOX
-} >&5
-cat >&5 <<_CSEOF
-
-This file was extended by $as_me, which was
-generated by GNU Autoconf 2.59. Invocation command line was
-
- CONFIG_FILES = $CONFIG_FILES
- CONFIG_HEADERS = $CONFIG_HEADERS
- CONFIG_LINKS = $CONFIG_LINKS
- CONFIG_COMMANDS = $CONFIG_COMMANDS
- $ $0 $@
-
-_CSEOF
-echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
-echo >&5
-_ACEOF
-
-# Files that config.status was made for.
-if test -n "$ac_config_files"; then
- echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_headers"; then
- echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_links"; then
- echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
-fi
-
-if test -n "$ac_config_commands"; then
- echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
-fi
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-ac_cs_usage="\
-\`$as_me' instantiates files from templates according to the
-current configuration.
-
-Usage: $0 [OPTIONS] [FILE]...
-
- -h, --help print this help, then exit
- -V, --version print version number, then exit
- -q, --quiet do not print progress messages
- -d, --debug don't remove temporary files
- --recheck update $as_me by reconfiguring in the same conditions
- --file=FILE[:TEMPLATE]
- instantiate the configuration file FILE
- --header=FILE[:TEMPLATE]
- instantiate the configuration header FILE
-
-Configuration files:
-$config_files
-
-Configuration headers:
-$config_headers
-
-Report bugs to <bug-autoconf@gnu.org>."
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-ac_cs_version="\\
-config.status
-configured by $0, generated by GNU Autoconf 2.59,
- with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
-
-Copyright (C) 2003 Free Software Foundation, Inc.
-This config.status script is free software; the Free Software Foundation
-gives unlimited permission to copy, distribute and modify it."
-srcdir=$srcdir
-INSTALL="$INSTALL"
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-# If no file are specified by the user, then we need to provide default
-# value. By we need to know if files were specified by the user.
-ac_need_defaults=:
-while test $# != 0
-do
- case $1 in
- --*=*)
- ac_option=`expr "x$1" : 'x\([^=]*\)='`
- ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
- ac_shift=:
- ;;
- -*)
- ac_option=$1
- ac_optarg=$2
- ac_shift=shift
- ;;
- *) # This is not an option, so the user has probably given explicit
- # arguments.
- ac_option=$1
- ac_need_defaults=false;;
- esac
-
- case $ac_option in
- # Handling of the options.
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
- -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
- ac_cs_recheck=: ;;
- --version | --vers* | -V )
- echo "$ac_cs_version"; exit 0 ;;
- --he | --h)
- # Conflict between --help and --header
- { { echo "$as_me:$LINENO: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: ambiguous option: $1
-Try \`$0 --help' for more information." >&2;}
- { (exit 1); exit 1; }; };;
- --help | --hel | -h )
- echo "$ac_cs_usage"; exit 0 ;;
- --debug | --d* | -d )
- debug=: ;;
- --file | --fil | --fi | --f )
- $ac_shift
- CONFIG_FILES="$CONFIG_FILES $ac_optarg"
- ac_need_defaults=false;;
- --header | --heade | --head | --hea )
- $ac_shift
- CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
- ac_need_defaults=false;;
- -q | -quiet | --quiet | --quie | --qui | --qu | --q \
- | -silent | --silent | --silen | --sile | --sil | --si | --s)
- ac_cs_silent=: ;;
-
- # This is an error.
- -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&5
-echo "$as_me: error: unrecognized option: $1
-Try \`$0 --help' for more information." >&2;}
- { (exit 1); exit 1; }; } ;;
-
- *) ac_config_targets="$ac_config_targets $1" ;;
-
- esac
- shift
-done
-
-ac_configure_extra_args=
-
-if $ac_cs_silent; then
- exec 6>/dev/null
- ac_configure_extra_args="$ac_configure_extra_args --silent"
-fi
-
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
-if \$ac_cs_recheck; then
- echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
- exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
-fi
-
-_ACEOF
-
-
-
-
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-for ac_config_target in $ac_config_targets
-do
- case "$ac_config_target" in
- # Handling of arguments.
- "make/rules" ) CONFIG_FILES="$CONFIG_FILES make/rules" ;;
- "make/mkdep" ) CONFIG_FILES="$CONFIG_FILES make/mkdep" ;;
- "make/includes" ) CONFIG_FILES="$CONFIG_FILES make/includes" ;;
- "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
- "bsd/Makefile" ) CONFIG_FILES="$CONFIG_FILES bsd/Makefile" ;;
- "dst/Makefile" ) CONFIG_FILES="$CONFIG_FILES dst/Makefile" ;;
- "include/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
- "inet/Makefile" ) CONFIG_FILES="$CONFIG_FILES inet/Makefile" ;;
- "irs/Makefile" ) CONFIG_FILES="$CONFIG_FILES irs/Makefile" ;;
- "isc/Makefile" ) CONFIG_FILES="$CONFIG_FILES isc/Makefile" ;;
- "nameser/Makefile" ) CONFIG_FILES="$CONFIG_FILES nameser/Makefile" ;;
- "port_after.h" ) CONFIG_FILES="$CONFIG_FILES port_after.h" ;;
- "port_before.h" ) CONFIG_FILES="$CONFIG_FILES port_before.h" ;;
- "resolv/Makefile" ) CONFIG_FILES="$CONFIG_FILES resolv/Makefile" ;;
- "port/Makefile" ) CONFIG_FILES="$CONFIG_FILES port/Makefile" ;;
- "${PORT_DIR}/Makefile" ) CONFIG_FILES="$CONFIG_FILES ${PORT_DIR}/Makefile" ;;
- "${PORT_INCLUDE}/Makefile" ) CONFIG_FILES="$CONFIG_FILES ${PORT_INCLUDE}/Makefile" ;;
- "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
- *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
-echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
- { (exit 1); exit 1; }; };;
- esac
-done
-
-# If the user did not use the arguments to specify the items to instantiate,
-# then the envvar interface is used. Set only those that are not.
-# We use the long form for the default assignment because of an extremely
-# bizarre bug on SunOS 4.1.3.
-if $ac_need_defaults; then
- test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
- test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
-fi
-
-# Have a temporary directory for convenience. Make it in the build tree
-# simply because there is no reason to put it here, and in addition,
-# creating and moving files from /tmp can sometimes cause problems.
-# Create a temporary directory, and hook for its removal unless debugging.
-$debug ||
-{
- trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
- trap '{ (exit 1); exit 1; }' 1 2 13 15
-}
-
-# Create a (secure) tmp directory for tmp files.
-
-{
- tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
- test -n "$tmp" && test -d "$tmp"
-} ||
-{
- tmp=./confstat$$-$RANDOM
- (umask 077 && mkdir $tmp)
-} ||
-{
- echo "$me: cannot create a temporary directory in ." >&2
- { (exit 1); exit 1; }
-}
-
-_ACEOF
-
-cat >>$CONFIG_STATUS <<_ACEOF
-
-#
-# CONFIG_FILES section.
-#
-
-# No need to generate the scripts if there are no CONFIG_FILES.
-# This happens for instance when ./config.status config.h
-if test -n "\$CONFIG_FILES"; then
- # Protect against being on the right side of a sed subst in config.status.
- sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
- s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
-s,@SHELL@,$SHELL,;t t
-s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
-s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
-s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
-s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
-s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
-s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
-s,@exec_prefix@,$exec_prefix,;t t
-s,@prefix@,$prefix,;t t
-s,@program_transform_name@,$program_transform_name,;t t
-s,@bindir@,$bindir,;t t
-s,@sbindir@,$sbindir,;t t
-s,@libexecdir@,$libexecdir,;t t
-s,@datadir@,$datadir,;t t
-s,@sysconfdir@,$sysconfdir,;t t
-s,@sharedstatedir@,$sharedstatedir,;t t
-s,@localstatedir@,$localstatedir,;t t
-s,@libdir@,$libdir,;t t
-s,@includedir@,$includedir,;t t
-s,@oldincludedir@,$oldincludedir,;t t
-s,@infodir@,$infodir,;t t
-s,@mandir@,$mandir,;t t
-s,@build_alias@,$build_alias,;t t
-s,@host_alias@,$host_alias,;t t
-s,@target_alias@,$target_alias,;t t
-s,@DEFS@,$DEFS,;t t
-s,@ECHO_C@,$ECHO_C,;t t
-s,@ECHO_N@,$ECHO_N,;t t
-s,@ECHO_T@,$ECHO_T,;t t
-s,@LIBS@,$LIBS,;t t
-s,@build@,$build,;t t
-s,@build_cpu@,$build_cpu,;t t
-s,@build_vendor@,$build_vendor,;t t
-s,@build_os@,$build_os,;t t
-s,@host@,$host,;t t
-s,@host_cpu@,$host_cpu,;t t
-s,@host_vendor@,$host_vendor,;t t
-s,@host_os@,$host_os,;t t
-s,@SET_MAKE@,$SET_MAKE,;t t
-s,@RANLIB@,$RANLIB,;t t
-s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
-s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
-s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
-s,@INSTALL_DATA@,$INSTALL_DATA,;t t
-s,@STD_CINCLUDES@,$STD_CINCLUDES,;t t
-s,@STD_CDEFINES@,$STD_CDEFINES,;t t
-s,@STD_CWARNINGS@,$STD_CWARNINGS,;t t
-s,@CCOPT@,$CCOPT,;t t
-s,@AR@,$AR,;t t
-s,@ARFLAGS@,$ARFLAGS,;t t
-s,@LN@,$LN,;t t
-s,@ETAGS@,$ETAGS,;t t
-s,@PERL@,$PERL,;t t
-s,@CC@,$CC,;t t
-s,@CFLAGS@,$CFLAGS,;t t
-s,@LDFLAGS@,$LDFLAGS,;t t
-s,@CPPFLAGS@,$CPPFLAGS,;t t
-s,@ac_ct_CC@,$ac_ct_CC,;t t
-s,@EXEEXT@,$EXEEXT,;t t
-s,@OBJEXT@,$OBJEXT,;t t
-s,@CPP@,$CPP,;t t
-s,@EGREP@,$EGREP,;t t
-s,@ISC_PLATFORM_NEEDSYSSELECTH@,$ISC_PLATFORM_NEEDSYSSELECTH,;t t
-s,@WANT_IRS_GR@,$WANT_IRS_GR,;t t
-s,@WANT_IRS_GR_OBJS@,$WANT_IRS_GR_OBJS,;t t
-s,@WANT_IRS_PW@,$WANT_IRS_PW,;t t
-s,@WANT_IRS_PW_OBJS@,$WANT_IRS_PW_OBJS,;t t
-s,@WANT_IRS_NIS@,$WANT_IRS_NIS,;t t
-s,@WANT_IRS_NIS_OBJS@,$WANT_IRS_NIS_OBJS,;t t
-s,@WANT_IRS_NISGR_OBJS@,$WANT_IRS_NISGR_OBJS,;t t
-s,@WANT_IRS_NISPW_OBJS@,$WANT_IRS_NISPW_OBJS,;t t
-s,@WANT_IRS_DBPW_OBJS@,$WANT_IRS_DBPW_OBJS,;t t
-s,@ALWAYS_DEFINES@,$ALWAYS_DEFINES,;t t
-s,@DO_PTHREADS@,$DO_PTHREADS,;t t
-s,@WANT_IRS_THREADSGR_OBJS@,$WANT_IRS_THREADSGR_OBJS,;t t
-s,@WANT_IRS_THREADSPW_OBJS@,$WANT_IRS_THREADSPW_OBJS,;t t
-s,@WANT_IRS_THREADS_OBJS@,$WANT_IRS_THREADS_OBJS,;t t
-s,@WANT_THREADS_OBJS@,$WANT_THREADS_OBJS,;t t
-s,@USE_IFNAMELINKID@,$USE_IFNAMELINKID,;t t
-s,@ISC_THREAD_DIR@,$ISC_THREAD_DIR,;t t
-s,@DAEMON_OBJS@,$DAEMON_OBJS,;t t
-s,@NEED_DAEMON@,$NEED_DAEMON,;t t
-s,@STRSEP_OBJS@,$STRSEP_OBJS,;t t
-s,@NEED_STRSEP@,$NEED_STRSEP,;t t
-s,@NEED_STRERROR@,$NEED_STRERROR,;t t
-s,@MKDEPCC@,$MKDEPCC,;t t
-s,@MKDEPCFLAGS@,$MKDEPCFLAGS,;t t
-s,@MKDEPPROG@,$MKDEPPROG,;t t
-s,@IRIX_DNSSEC_WARNINGS_HACK@,$IRIX_DNSSEC_WARNINGS_HACK,;t t
-s,@purify_path@,$purify_path,;t t
-s,@PURIFY@,$PURIFY,;t t
-s,@LN_S@,$LN_S,;t t
-s,@ECHO@,$ECHO,;t t
-s,@ac_ct_AR@,$ac_ct_AR,;t t
-s,@STRIP@,$STRIP,;t t
-s,@ac_ct_STRIP@,$ac_ct_STRIP,;t t
-s,@CXX@,$CXX,;t t
-s,@CXXFLAGS@,$CXXFLAGS,;t t
-s,@ac_ct_CXX@,$ac_ct_CXX,;t t
-s,@CXXCPP@,$CXXCPP,;t t
-s,@F77@,$F77,;t t
-s,@FFLAGS@,$FFLAGS,;t t
-s,@ac_ct_F77@,$ac_ct_F77,;t t
-s,@LIBTOOL@,$LIBTOOL,;t t
-s,@O@,$O,;t t
-s,@A@,$A,;t t
-s,@SA@,$SA,;t t
-s,@LIBTOOL_MKDEP_SED@,$LIBTOOL_MKDEP_SED,;t t
-s,@LIBTOOL_MODE_COMPILE@,$LIBTOOL_MODE_COMPILE,;t t
-s,@LIBTOOL_MODE_INSTALL@,$LIBTOOL_MODE_INSTALL,;t t
-s,@LIBTOOL_MODE_LINK@,$LIBTOOL_MODE_LINK,;t t
-s,@HAS_INET6_STRUCTS@,$HAS_INET6_STRUCTS,;t t
-s,@ISC_PLATFORM_NEEDNETINETIN6H@,$ISC_PLATFORM_NEEDNETINETIN6H,;t t
-s,@ISC_PLATFORM_NEEDNETINET6IN6H@,$ISC_PLATFORM_NEEDNETINET6IN6H,;t t
-s,@HAS_IN_ADDR6@,$HAS_IN_ADDR6,;t t
-s,@NEED_IN6ADDR_ANY@,$NEED_IN6ADDR_ANY,;t t
-s,@ISC_PLATFORM_HAVEIN6PKTINFO@,$ISC_PLATFORM_HAVEIN6PKTINFO,;t t
-s,@ISC_PLATFORM_FIXIN6ISADDR@,$ISC_PLATFORM_FIXIN6ISADDR,;t t
-s,@ISC_IPV6_H@,$ISC_IPV6_H,;t t
-s,@ISC_IPV6_O@,$ISC_IPV6_O,;t t
-s,@ISC_ISCIPV6_O@,$ISC_ISCIPV6_O,;t t
-s,@ISC_IPV6_C@,$ISC_IPV6_C,;t t
-s,@HAVE_SIN6_SCOPE_ID@,$HAVE_SIN6_SCOPE_ID,;t t
-s,@HAVE_SOCKADDR_STORAGE@,$HAVE_SOCKADDR_STORAGE,;t t
-s,@ISC_PLATFORM_NEEDNTOP@,$ISC_PLATFORM_NEEDNTOP,;t t
-s,@ISC_PLATFORM_NEEDPTON@,$ISC_PLATFORM_NEEDPTON,;t t
-s,@ISC_PLATFORM_NEEDATON@,$ISC_PLATFORM_NEEDATON,;t t
-s,@HAVE_SA_LEN@,$HAVE_SA_LEN,;t t
-s,@HAVE_MINIMUM_IFREQ@,$HAVE_MINIMUM_IFREQ,;t t
-s,@BSD_COMP@,$BSD_COMP,;t t
-s,@SOLARIS_BITTYPES@,$SOLARIS_BITTYPES,;t t
-s,@USE_FIONBIO_IOCTL@,$USE_FIONBIO_IOCTL,;t t
-s,@PORT_NONBLOCK@,$PORT_NONBLOCK,;t t
-s,@PORT_DIR@,$PORT_DIR,;t t
-s,@USE_POLL@,$USE_POLL,;t t
-s,@HAVE_MD5@,$HAVE_MD5,;t t
-s,@SOLARIS2@,$SOLARIS2,;t t
-s,@PORT_INCLUDE@,$PORT_INCLUDE,;t t
-s,@ISC_PLATFORM_MSGHDRFLAVOR@,$ISC_PLATFORM_MSGHDRFLAVOR,;t t
-s,@ISC_PLATFORM_NEEDPORTT@,$ISC_PLATFORM_NEEDPORTT,;t t
-s,@ISC_LWRES_ENDHOSTENTINT@,$ISC_LWRES_ENDHOSTENTINT,;t t
-s,@ISC_LWRES_SETNETENTINT@,$ISC_LWRES_SETNETENTINT,;t t
-s,@ISC_LWRES_ENDNETENTINT@,$ISC_LWRES_ENDNETENTINT,;t t
-s,@ISC_LWRES_GETHOSTBYADDRVOID@,$ISC_LWRES_GETHOSTBYADDRVOID,;t t
-s,@ISC_LWRES_NEEDHERRNO@,$ISC_LWRES_NEEDHERRNO,;t t
-s,@ISC_LWRES_GETIPNODEPROTO@,$ISC_LWRES_GETIPNODEPROTO,;t t
-s,@ISC_LWRES_GETADDRINFOPROTO@,$ISC_LWRES_GETADDRINFOPROTO,;t t
-s,@ISC_LWRES_GETNAMEINFOPROTO@,$ISC_LWRES_GETNAMEINFOPROTO,;t t
-s,@NEED_PSELECT@,$NEED_PSELECT,;t t
-s,@NEED_GETTIMEOFDAY@,$NEED_GETTIMEOFDAY,;t t
-s,@HAVE_STRNDUP@,$HAVE_STRNDUP,;t t
-s,@ISC_PLATFORM_NEEDSTRSEP@,$ISC_PLATFORM_NEEDSTRSEP,;t t
-s,@ISC_PLATFORM_NEEDVSNPRINTF@,$ISC_PLATFORM_NEEDVSNPRINTF,;t t
-s,@ISC_EXTRA_OBJS@,$ISC_EXTRA_OBJS,;t t
-s,@ISC_EXTRA_SRCS@,$ISC_EXTRA_SRCS,;t t
-s,@USE_SYSERROR_LIST@,$USE_SYSERROR_LIST,;t t
-s,@ISC_PLATFORM_QUADFORMAT@,$ISC_PLATFORM_QUADFORMAT,;t t
-s,@ISC_SOCKLEN_T@,$ISC_SOCKLEN_T,;t t
-s,@GETGROUPLIST_ARGS@,$GETGROUPLIST_ARGS,;t t
-s,@NET_R_ARGS@,$NET_R_ARGS,;t t
-s,@NET_R_BAD@,$NET_R_BAD,;t t
-s,@NET_R_COPY@,$NET_R_COPY,;t t
-s,@NET_R_COPY_ARGS@,$NET_R_COPY_ARGS,;t t
-s,@NET_R_OK@,$NET_R_OK,;t t
-s,@NET_R_SETANSWER@,$NET_R_SETANSWER,;t t
-s,@NET_R_RETURN@,$NET_R_RETURN,;t t
-s,@GETNETBYADDR_ADDR_T@,$GETNETBYADDR_ADDR_T,;t t
-s,@NETENT_DATA@,$NETENT_DATA,;t t
-s,@NET_R_ENT_ARGS@,$NET_R_ENT_ARGS,;t t
-s,@NET_R_SET_RESULT@,$NET_R_SET_RESULT,;t t
-s,@NET_R_SET_RETURN@,$NET_R_SET_RETURN,;t t
-s,@NET_R_END_RESULT@,$NET_R_END_RESULT,;t t
-s,@NET_R_END_RETURN@,$NET_R_END_RETURN,;t t
-s,@GROUP_R_ARGS@,$GROUP_R_ARGS,;t t
-s,@GROUP_R_BAD@,$GROUP_R_BAD,;t t
-s,@GROUP_R_OK@,$GROUP_R_OK,;t t
-s,@GROUP_R_RETURN@,$GROUP_R_RETURN,;t t
-s,@GROUP_R_END_RESULT@,$GROUP_R_END_RESULT,;t t
-s,@GROUP_R_END_RETURN@,$GROUP_R_END_RETURN,;t t
-s,@GROUP_R_ENT_ARGS@,$GROUP_R_ENT_ARGS,;t t
-s,@GROUP_R_SET_RESULT@,$GROUP_R_SET_RESULT,;t t
-s,@GROUP_R_SET_RETURN@,$GROUP_R_SET_RETURN,;t t
-s,@HOST_R_ARGS@,$HOST_R_ARGS,;t t
-s,@HOST_R_BAD@,$HOST_R_BAD,;t t
-s,@HOST_R_COPY@,$HOST_R_COPY,;t t
-s,@HOST_R_COPY_ARGS@,$HOST_R_COPY_ARGS,;t t
-s,@HOST_R_ERRNO@,$HOST_R_ERRNO,;t t
-s,@HOST_R_OK@,$HOST_R_OK,;t t
-s,@HOST_R_RETURN@,$HOST_R_RETURN,;t t
-s,@HOST_R_SETANSWER@,$HOST_R_SETANSWER,;t t
-s,@HOSTENT_DATA@,$HOSTENT_DATA,;t t
-s,@HOST_R_END_RESULT@,$HOST_R_END_RESULT,;t t
-s,@HOST_R_END_RETURN@,$HOST_R_END_RETURN,;t t
-s,@HOST_R_ENT_ARGS@,$HOST_R_ENT_ARGS,;t t
-s,@HOST_R_SET_RESULT@,$HOST_R_SET_RESULT,;t t
-s,@HOST_R_SET_RETURN@,$HOST_R_SET_RETURN,;t t
-s,@SETPWENT_VOID@,$SETPWENT_VOID,;t t
-s,@SETGRENT_VOID@,$SETGRENT_VOID,;t t
-s,@NGR_R_ARGS@,$NGR_R_ARGS,;t t
-s,@NGR_R_BAD@,$NGR_R_BAD,;t t
-s,@NGR_R_COPY@,$NGR_R_COPY,;t t
-s,@NGR_R_COPY_ARGS@,$NGR_R_COPY_ARGS,;t t
-s,@NGR_R_OK@,$NGR_R_OK,;t t
-s,@NGR_R_RETURN@,$NGR_R_RETURN,;t t
-s,@NGR_R_PRIVATE@,$NGR_R_PRIVATE,;t t
-s,@NGR_R_END_RESULT@,$NGR_R_END_RESULT,;t t
-s,@NGR_R_END_RETURN@,$NGR_R_END_RETURN,;t t
-s,@NGR_R_ENT_ARGS@,$NGR_R_ENT_ARGS,;t t
-s,@NGR_R_SET_RESULT@,$NGR_R_SET_RESULT,;t t
-s,@NGR_R_SET_RETURN@,$NGR_R_SET_RETURN,;t t
-s,@PROTO_R_ARGS@,$PROTO_R_ARGS,;t t
-s,@PROTO_R_BAD@,$PROTO_R_BAD,;t t
-s,@PROTO_R_COPY@,$PROTO_R_COPY,;t t
-s,@PROTO_R_COPY_ARGS@,$PROTO_R_COPY_ARGS,;t t
-s,@PROTO_R_OK@,$PROTO_R_OK,;t t
-s,@PROTO_R_SETANSWER@,$PROTO_R_SETANSWER,;t t
-s,@PROTO_R_RETURN@,$PROTO_R_RETURN,;t t
-s,@PROTO_R_END_RESULT@,$PROTO_R_END_RESULT,;t t
-s,@PROTO_R_END_RETURN@,$PROTO_R_END_RETURN,;t t
-s,@PROTO_R_ENT_ARGS@,$PROTO_R_ENT_ARGS,;t t
-s,@PROTO_R_SET_RESULT@,$PROTO_R_SET_RESULT,;t t
-s,@PROTO_R_SET_RETURN@,$PROTO_R_SET_RETURN,;t t
-s,@PASS_R_ARGS@,$PASS_R_ARGS,;t t
-s,@PASS_R_BAD@,$PASS_R_BAD,;t t
-s,@PASS_R_COPY@,$PASS_R_COPY,;t t
-s,@PASS_R_COPY_ARGS@,$PASS_R_COPY_ARGS,;t t
-s,@PASS_R_OK@,$PASS_R_OK,;t t
-s,@PASS_R_RETURN@,$PASS_R_RETURN,;t t
-s,@PASS_R_END_RESULT@,$PASS_R_END_RESULT,;t t
-s,@PASS_R_END_RETURN@,$PASS_R_END_RETURN,;t t
-s,@PASS_R_ENT_ARGS@,$PASS_R_ENT_ARGS,;t t
-s,@PASS_R_SET_RESULT@,$PASS_R_SET_RESULT,;t t
-s,@PASS_R_SET_RETURN@,$PASS_R_SET_RETURN,;t t
-s,@SERV_R_ARGS@,$SERV_R_ARGS,;t t
-s,@SERV_R_BAD@,$SERV_R_BAD,;t t
-s,@SERV_R_COPY@,$SERV_R_COPY,;t t
-s,@SERV_R_COPY_ARGS@,$SERV_R_COPY_ARGS,;t t
-s,@SERV_R_OK@,$SERV_R_OK,;t t
-s,@SERV_R_SETANSWER@,$SERV_R_SETANSWER,;t t
-s,@SERV_R_RETURN@,$SERV_R_RETURN,;t t
-s,@SERV_R_END_RESULT@,$SERV_R_END_RESULT,;t t
-s,@SERV_R_END_RETURN@,$SERV_R_END_RETURN,;t t
-s,@SERV_R_ENT_ARGS@,$SERV_R_ENT_ARGS,;t t
-s,@SERV_R_SET_RESULT@,$SERV_R_SET_RESULT,;t t
-s,@SERV_R_SET_RETURN@,$SERV_R_SET_RETURN,;t t
-s,@SETNETGRENT_ARGS@,$SETNETGRENT_ARGS,;t t
-s,@INNETGR_ARGS@,$INNETGR_ARGS,;t t
-s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
-s,@BIND9_VERSION@,$BIND9_VERSION,;t t
-s,@LIBOBJS@,$LIBOBJS,;t t
-s,@LTLIBOBJS@,$LTLIBOBJS,;t t
-/@BIND9_INCLUDES@/r $BIND9_INCLUDES
-s,@BIND9_INCLUDES@,,;t t
-/@BIND9_MAKE_RULES@/r $BIND9_MAKE_RULES
-s,@BIND9_MAKE_RULES@,,;t t
-/@LIBBIND_API@/r $LIBBIND_API
-s,@LIBBIND_API@,,;t t
-CEOF
-
-_ACEOF
-
- cat >>$CONFIG_STATUS <<\_ACEOF
- # Split the substitutions into bite-sized pieces for seds with
- # small command number limits, like on Digital OSF/1 and HP-UX.
- ac_max_sed_lines=48
- ac_sed_frag=1 # Number of current file.
- ac_beg=1 # First line for current file.
- ac_end=$ac_max_sed_lines # Line after last line for current file.
- ac_more_lines=:
- ac_sed_cmds=
- while $ac_more_lines; do
- if test $ac_beg -gt 1; then
- sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
- else
- sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
- fi
- if test ! -s $tmp/subs.frag; then
- ac_more_lines=false
- else
- # The purpose of the label and of the branching condition is to
- # speed up the sed processing (if there are no `@' at all, there
- # is no need to browse any of the substitutions).
- # These are the two extra sed commands mentioned above.
- (echo ':t
- /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
- if test -z "$ac_sed_cmds"; then
- ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
- else
- ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
- fi
- ac_sed_frag=`expr $ac_sed_frag + 1`
- ac_beg=$ac_end
- ac_end=`expr $ac_end + $ac_max_sed_lines`
- fi
- done
- if test -z "$ac_sed_cmds"; then
- ac_sed_cmds=cat
- fi
-fi # test -n "$CONFIG_FILES"
-
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
- # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
- case $ac_file in
- - | *:- | *:-:* ) # input from stdin
- cat >$tmp/stdin
- ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- * ) ac_file_in=$ac_file.in ;;
- esac
-
- # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
- ac_dir=`(dirname "$ac_file") 2>/dev/null ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$ac_file" : 'X\(//\)[^/]' \| \
- X"$ac_file" : 'X\(//\)$' \| \
- X"$ac_file" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X"$ac_file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- { if $as_mkdir_p; then
- mkdir -p "$ac_dir"
- else
- as_dir="$ac_dir"
- as_dirs=
- while test ! -d "$as_dir"; do
- as_dirs="$as_dir $as_dirs"
- as_dir=`(dirname "$as_dir") 2>/dev/null ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$as_dir" : 'X\(//\)[^/]' \| \
- X"$as_dir" : 'X\(//\)$' \| \
- X"$as_dir" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X"$as_dir" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- done
- test ! -n "$as_dirs" || mkdir $as_dirs
- fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
- { (exit 1); exit 1; }; }; }
-
- ac_builddir=.
-
-if test "$ac_dir" != .; then
- ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
- # A "../" for each directory in $ac_dir_suffix.
- ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
-else
- ac_dir_suffix= ac_top_builddir=
-fi
-
-case $srcdir in
- .) # No --srcdir option. We are building in place.
- ac_srcdir=.
- if test -z "$ac_top_builddir"; then
- ac_top_srcdir=.
- else
- ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
- fi ;;
- [\\/]* | ?:[\\/]* ) # Absolute path.
- ac_srcdir=$srcdir$ac_dir_suffix;
- ac_top_srcdir=$srcdir ;;
- *) # Relative path.
- ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
- ac_top_srcdir=$ac_top_builddir$srcdir ;;
-esac
-
-# Do not use `cd foo && pwd` to compute absolute paths, because
-# the directories may not exist.
-case `pwd` in
-.) ac_abs_builddir="$ac_dir";;
-*)
- case "$ac_dir" in
- .) ac_abs_builddir=`pwd`;;
- [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
- *) ac_abs_builddir=`pwd`/"$ac_dir";;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_builddir=${ac_top_builddir}.;;
-*)
- case ${ac_top_builddir}. in
- .) ac_abs_top_builddir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
- *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_srcdir=$ac_srcdir;;
-*)
- case $ac_srcdir in
- .) ac_abs_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
- *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
- esac;;
-esac
-case $ac_abs_builddir in
-.) ac_abs_top_srcdir=$ac_top_srcdir;;
-*)
- case $ac_top_srcdir in
- .) ac_abs_top_srcdir=$ac_abs_builddir;;
- [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
- *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
- esac;;
-esac
-
-
- case $INSTALL in
- [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
- *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
- esac
-
- if test x"$ac_file" != x-; then
- { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
- rm -f "$ac_file"
- fi
- # Let's still pretend it is `configure' which instantiates (i.e., don't
- # use $as_me), people would be surprised to read:
- # /* config.h. Generated by config.status. */
- if test x"$ac_file" = x-; then
- configure_input=
- else
- configure_input="$ac_file. "
- fi
- configure_input=$configure_input"Generated from `echo $ac_file_in |
- sed 's,.*/,,'` by configure."
-
- # First look for the input files in the build tree, otherwise in the
- # src tree.
- ac_file_inputs=`IFS=:
- for f in $ac_file_in; do
- case $f in
- -) echo $tmp/stdin ;;
- [\\/$]*)
- # Absolute (can't be DOS-style, as IFS=:)
- test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- echo "$f";;
- *) # Relative
- if test -f "$f"; then
- # Build tree
- echo "$f"
- elif test -f "$srcdir/$f"; then
- # Source tree
- echo "$srcdir/$f"
- else
- # /dev/null tree
- { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- fi;;
- esac
- done` || { (exit 1); exit 1; }
-_ACEOF
-cat >>$CONFIG_STATUS <<_ACEOF
- sed "$ac_vpsub
-$extrasub
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-:t
-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
-s,@configure_input@,$configure_input,;t t
-s,@srcdir@,$ac_srcdir,;t t
-s,@abs_srcdir@,$ac_abs_srcdir,;t t
-s,@top_srcdir@,$ac_top_srcdir,;t t
-s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
-s,@builddir@,$ac_builddir,;t t
-s,@abs_builddir@,$ac_abs_builddir,;t t
-s,@top_builddir@,$ac_top_builddir,;t t
-s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
-s,@INSTALL@,$ac_INSTALL,;t t
-" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
- rm -f $tmp/stdin
- if test x"$ac_file" != x-; then
- mv $tmp/out $ac_file
- else
- cat $tmp/out
- rm -f $tmp/out
- fi
-
-done
-_ACEOF
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-#
-# CONFIG_HEADER section.
-#
-
-# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
-# NAME is the cpp macro being defined and VALUE is the value it is being given.
-#
-# ac_d sets the value in "#define NAME VALUE" lines.
-ac_dA='s,^\([ ]*\)#\([ ]*define[ ][ ]*\)'
-ac_dB='[ ].*$,\1#\2'
-ac_dC=' '
-ac_dD=',;t'
-# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
-ac_uA='s,^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)'
-ac_uB='$,\1#\2define\3'
-ac_uC=' '
-ac_uD=',;t'
-
-for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
- # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
- case $ac_file in
- - | *:- | *:-:* ) # input from stdin
- cat >$tmp/stdin
- ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
- ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
- * ) ac_file_in=$ac_file.in ;;
- esac
-
- test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
-echo "$as_me: creating $ac_file" >&6;}
-
- # First look for the input files in the build tree, otherwise in the
- # src tree.
- ac_file_inputs=`IFS=:
- for f in $ac_file_in; do
- case $f in
- -) echo $tmp/stdin ;;
- [\\/$]*)
- # Absolute (can't be DOS-style, as IFS=:)
- test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- # Do quote $f, to prevent DOS paths from being IFS'd.
- echo "$f";;
- *) # Relative
- if test -f "$f"; then
- # Build tree
- echo "$f"
- elif test -f "$srcdir/$f"; then
- # Source tree
- echo "$srcdir/$f"
- else
- # /dev/null tree
- { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
-echo "$as_me: error: cannot find input file: $f" >&2;}
- { (exit 1); exit 1; }; }
- fi;;
- esac
- done` || { (exit 1); exit 1; }
- # Remove the trailing spaces.
- sed 's/[ ]*$//' $ac_file_inputs >$tmp/in
-
-_ACEOF
-
-# Transform confdefs.h into two sed scripts, `conftest.defines' and
-# `conftest.undefs', that substitutes the proper values into
-# config.h.in to produce config.h. The first handles `#define'
-# templates, and the second `#undef' templates.
-# And first: Protect against being on the right side of a sed subst in
-# config.status. Protect against being in an unquoted here document
-# in config.status.
-rm -f conftest.defines conftest.undefs
-# Using a here document instead of a string reduces the quoting nightmare.
-# Putting comments in sed scripts is not portable.
-#
-# `end' is used to avoid that the second main sed command (meant for
-# 0-ary CPP macros) applies to n-ary macro definitions.
-# See the Autoconf documentation for `clear'.
-cat >confdef2sed.sed <<\_ACEOF
-s/[\\&,]/\\&/g
-s,[\\$`],\\&,g
-t clear
-: clear
-s,^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*\)\(([^)]*)\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp
-t end
-s,^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
-: end
-_ACEOF
-# If some macros were called several times there might be several times
-# the same #defines, which is useless. Nevertheless, we may not want to
-# sort them, since we want the *last* AC-DEFINE to be honored.
-uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
-sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
-rm -f confdef2sed.sed
-
-# This sed command replaces #undef with comments. This is necessary, for
-# example, in the case of _POSIX_SOURCE, which is predefined and required
-# on some systems where configure will not decide to define it.
-cat >>conftest.undefs <<\_ACEOF
-s,^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
-_ACEOF
-
-# Break up conftest.defines because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo ' # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
-echo ' if grep "^[ ]*#[ ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
-echo ' # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
-echo ' :' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.defines >/dev/null
-do
- # Write a limited-size here document to $tmp/defines.sed.
- echo ' cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
- # Speed up: don't consider the non `#define' lines.
- echo '/^[ ]*#[ ]*define/!b' >>$CONFIG_STATUS
- # Work around the forget-to-reset-the-flag bug.
- echo 't clr' >>$CONFIG_STATUS
- echo ': clr' >>$CONFIG_STATUS
- sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
- echo 'CEOF
- sed -f $tmp/defines.sed $tmp/in >$tmp/out
- rm -f $tmp/in
- mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
- sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
- rm -f conftest.defines
- mv conftest.tail conftest.defines
-done
-rm -f conftest.defines
-echo ' fi # grep' >>$CONFIG_STATUS
-echo >>$CONFIG_STATUS
-
-# Break up conftest.undefs because some shells have a limit on the size
-# of here documents, and old seds have small limits too (100 cmds).
-echo ' # Handle all the #undef templates' >>$CONFIG_STATUS
-rm -f conftest.tail
-while grep . conftest.undefs >/dev/null
-do
- # Write a limited-size here document to $tmp/undefs.sed.
- echo ' cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
- # Speed up: don't consider the non `#undef'
- echo '/^[ ]*#[ ]*undef/!b' >>$CONFIG_STATUS
- # Work around the forget-to-reset-the-flag bug.
- echo 't clr' >>$CONFIG_STATUS
- echo ': clr' >>$CONFIG_STATUS
- sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
- echo 'CEOF
- sed -f $tmp/undefs.sed $tmp/in >$tmp/out
- rm -f $tmp/in
- mv $tmp/out $tmp/in
-' >>$CONFIG_STATUS
- sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
- rm -f conftest.undefs
- mv conftest.tail conftest.undefs
-done
-rm -f conftest.undefs
-
-cat >>$CONFIG_STATUS <<\_ACEOF
- # Let's still pretend it is `configure' which instantiates (i.e., don't
- # use $as_me), people would be surprised to read:
- # /* config.h. Generated by config.status. */
- if test x"$ac_file" = x-; then
- echo "/* Generated by configure. */" >$tmp/config.h
- else
- echo "/* $ac_file. Generated by configure. */" >$tmp/config.h
- fi
- cat $tmp/in >>$tmp/config.h
- rm -f $tmp/in
- if test x"$ac_file" != x-; then
- if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
- { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
-echo "$as_me: $ac_file is unchanged" >&6;}
- else
- ac_dir=`(dirname "$ac_file") 2>/dev/null ||
-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$ac_file" : 'X\(//\)[^/]' \| \
- X"$ac_file" : 'X\(//\)$' \| \
- X"$ac_file" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X"$ac_file" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- { if $as_mkdir_p; then
- mkdir -p "$ac_dir"
- else
- as_dir="$ac_dir"
- as_dirs=
- while test ! -d "$as_dir"; do
- as_dirs="$as_dir $as_dirs"
- as_dir=`(dirname "$as_dir") 2>/dev/null ||
-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
- X"$as_dir" : 'X\(//\)[^/]' \| \
- X"$as_dir" : 'X\(//\)$' \| \
- X"$as_dir" : 'X\(/\)' \| \
- . : '\(.\)' 2>/dev/null ||
-echo X"$as_dir" |
- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
- /^X\(\/\/\)[^/].*/{ s//\1/; q; }
- /^X\(\/\/\)$/{ s//\1/; q; }
- /^X\(\/\).*/{ s//\1/; q; }
- s/.*/./; q'`
- done
- test ! -n "$as_dirs" || mkdir $as_dirs
- fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
-echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
- { (exit 1); exit 1; }; }; }
-
- rm -f $ac_file
- mv $tmp/config.h $ac_file
- fi
- else
- cat $tmp/config.h
- rm -f $tmp/config.h
- fi
-done
-_ACEOF
-
-cat >>$CONFIG_STATUS <<\_ACEOF
-
-{ (exit 0); exit 0; }
-_ACEOF
-chmod +x $CONFIG_STATUS
-ac_clean_files=$ac_clean_files_save
-
-
-# configure is writing to config.log, and then calls config.status.
-# config.status does its own redirection, appending to config.log.
-# Unfortunately, on DOS this fails, as config.log is still kept open
-# by configure, so config.status won't be able to write to it; its
-# output is simply discarded. So we exec the FD to /dev/null,
-# effectively closing config.log, so it can be properly (re)opened and
-# appended to by config.status. When coming back to configure, we
-# need to make the FD available again.
-if test "$no_create" != yes; then
- ac_cs_success=:
- ac_config_status_args=
- test "$silent" = yes &&
- ac_config_status_args="$ac_config_status_args --quiet"
- exec 5>/dev/null
- $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
- exec 5>>config.log
- # Use ||, not &&, to avoid exiting from the if with $? = 1, which
- # would make configure fail if this is the last instruction.
- $ac_cs_success || { (exit 1); exit 1; }
-fi
-
-
-# Tell Emacs to edit this file in shell mode.
-# Local Variables:
-# mode: sh
-# End:
diff --git a/contrib/bind9/lib/bind/configure.in b/contrib/bind9/lib/bind/configure.in
deleted file mode 100644
index 50ffe82ab18b..000000000000
--- a/contrib/bind9/lib/bind/configure.in
+++ /dev/null
@@ -1,2458 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-AC_REVISION($Revision: 1.83.2.5.2.22 $)
-
-AC_INIT(resolv/herror.c)
-AC_PREREQ(2.13)
-
-AC_CONFIG_HEADER(config.h)
-
-AC_CANONICAL_HOST
-
-AC_PROG_MAKE_SET
-AC_PROG_RANLIB
-AC_PROG_INSTALL
-
-AC_SUBST(STD_CINCLUDES)
-AC_SUBST(STD_CDEFINES)
-AC_SUBST(STD_CWARNINGS)
-AC_SUBST(CCOPT)
-
-AC_PATH_PROG(AR, ar)
-ARFLAGS="cruv"
-AC_SUBST(AR)
-AC_SUBST(ARFLAGS)
-
-# The POSIX ln(1) program. Non-POSIX systems may substitute
-# "copy" or something.
-LN=ln
-AC_SUBST(LN)
-
-case "$AR" in
- "")
- AC_MSG_ERROR([
-ar program not found. Please fix your PATH to include the directory in
-which ar resides, or set AR in the environment with the full path to ar.
-])
-
- ;;
-esac
-
-#
-# Etags.
-#
-AC_PATH_PROGS(ETAGS, etags emacs-etags)
-
-#
-# Some systems, e.g. RH7, have the Exuberant Ctags etags instead of
-# GNU emacs etags, and it requires the -L flag.
-#
-if test "X$ETAGS" != "X"; then
- AC_MSG_CHECKING(for Exuberant Ctags etags)
- if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
- AC_MSG_RESULT(yes)
- ETAGS="$ETAGS -L"
- else
- AC_MSG_RESULT(no)
- fi
-fi
-AC_SUBST(ETAGS)
-
-#
-# Perl is optional; it is used only by some of the system test scripts.
-#
-AC_PATH_PROGS(PERL, perl5 perl)
-AC_SUBST(PERL)
-
-#
-# isc/list.h and others clash with the rest of BIND 9
-#
-case "$includedir" in
- '${prefix}/include')
- includedir='${prefix}/bind/include'
- ;;
-esac
-case "$libdir" in
- '${prefix}/lib')
- libdir='${prefix}/bind/lib'
- ;;
-esac
-
-#
-# Make sure INSTALL uses an absolute path, else it will be wrong in all
-# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
-# configure based on the location of the file where it is substituted.
-# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
-# subdirectory of install-sh, This relative path will be wrong for all
-# directories more than one level down from install-sh.
-#
-case "$INSTALL" in
- /*)
- ;;
- *)
- #
- # Not all systems have dirname.
- #
- changequote({, })
- ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
- changequote([, ])
-
- ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
- test "$ac_dir" = "$ac_prog" && ac_dir=.
- test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
- INSTALL="$ac_dir/$ac_prog"
- ;;
-esac
-
-#
-# On these hosts, we really want to use cc, not gcc, even if it is
-# found. The gcc that these systems have will not correctly handle
-# pthreads.
-#
-# However, if the user sets $CC to be something, let that override
-# our change.
-#
-if test "X$CC" = "X" ; then
- case "$host" in
- *-dec-osf*)
- CC="cc"
- ;;
- *-solaris*)
- # Use Sun's cc if it is available, but watch
- # out for /usr/ucb/cc; it will never be the right
- # compiler to use.
- #
- # If setting CC here fails, the AC_PROG_CC done
- # below might still find gcc.
- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
- for ac_dir in $PATH; do
- test -z "$ac_dir" && ac_dir=.
- case "$ac_dir" in
- /usr/ucb)
- # exclude
- ;;
- *)
- if test -f "$ac_dir/cc"; then
- CC="$ac_dir/cc"
- break
- fi
- ;;
- esac
- done
- IFS="$ac_save_ifs"
- ;;
- *-hp-hpux*)
- CC="cc"
- ;;
- mips-sgi-irix*)
- CC="cc"
- ;;
- esac
-fi
-
-
-AC_PROG_CC
-
-AC_HEADER_STDC
-
-
-AC_CHECK_HEADERS(fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h stropts.h)
-
-AC_C_CONST
-AC_C_INLINE
-AC_TYPE_SIZE_T
-AC_CHECK_TYPE(uintptr_t,unsigned long)
-AC_HEADER_TIME
-#
-# check if we need to #include sys/select.h explicitly
-#
-case $ac_cv_header_unistd_h in
-yes)
-AC_MSG_CHECKING(if unistd.h defines fd_set)
-AC_TRY_COMPILE([
-#include <unistd.h>],
-[fd_set read_set; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
- ],
- [AC_MSG_RESULT(no)
- case ac_cv_header_sys_select_h in
- yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
- ;;
- no)
- AC_MSG_ERROR([need either working unistd.h or sys/select.h])
- ;;
- esac
- ])
- ;;
-no)
- case ac_cv_header_sys_select_h in
- yes)
- ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
- ;;
- no)
- AC_MSG_ERROR([need either unistd.h or sys/select.h])
- ;;
- esac
- ;;
-esac
-AC_SUBST(ISC_PLATFORM_NEEDSYSSELECTH)
-
-#
-# Find the machine's endian flavor.
-#
-AC_C_BIGENDIAN
-
-AC_ARG_WITH(irs-gr,[ --with-irs-gr Build ....],
-want_irs_gr="$withval", want_irs_gr="no")
-case "$want_irs_gr" in
-yes) WANT_IRS_GR="#define WANT_IRS_GR 1"
- WANT_IRS_GR_OBJS="\${WANT_IRS_GR_OBJS}"
- ;;
-*) WANT_IRS_GR="#undef WANT_IRS_GR" WANT_IRS_GR_OBJS="";;
-esac
-AC_SUBST(WANT_IRS_GR)
-AC_SUBST(WANT_IRS_GR_OBJS)
-
-AC_ARG_WITH(irs-pw,[ --with-irs-pw Build ....],
-want_irs_pw="$withval", want_irs_pw="no")
-case "$want_irs_pw" in
-yes) WANT_IRS_PW="#define WANT_IRS_PW 1"
- WANT_IRS_PW_OBJS="\${WANT_IRS_PW_OBJS}";;
-*) WANT_IRS_PW="#undef WANT_IRS_PW" WANT_IRS_PW_OBJS="";;
-esac
-AC_SUBST(WANT_IRS_PW)
-AC_SUBST(WANT_IRS_PW_OBJS)
-
-AC_ARG_WITH(irs-nis,[ --with-irs-nis Build ....],
-want_irs_nis="$withval", want_irs_nis="no")
-case "$want_irs_nis" in
-yes)
- WANT_IRS_NIS="#define WANT_IRS_NIS 1"
- WANT_IRS_NIS_OBJS="\${WANT_IRS_NIS_OBJS}"
- case "$want_irs_gr" in
- yes)
- WANT_IRS_NISGR_OBJS="\${WANT_IRS_NISGR_OBJS}";;
- *)
- WANT_IRS_NISGR_OBJS="";;
- esac
- case "$want_irs_pw" in
- yes)
- WANT_IRS_NISPW_OBJS="\${WANT_IRS_NISPW_OBJS}";;
- *)
- WANT_IRS_NISPW_OBJS="";;
- esac
- ;;
-*)
- WANT_IRS_NIS="#undef WANT_IRS_NIS"
- WANT_IRS_NIS_OBJS=""
- WANT_IRS_NISGR_OBJS=""
- WANT_IRS_NISPW_OBJS="";;
-esac
-AC_SUBST(WANT_IRS_NIS)
-AC_SUBST(WANT_IRS_NIS_OBJS)
-AC_SUBST(WANT_IRS_NISGR_OBJS)
-AC_SUBST(WANT_IRS_NISPW_OBJS)
-AC_TRY_RUN([
-#ifdef HAVE_DB_H
-int have_db_h = 1;
-#else
-int have_db_h = 0;
-#endif
-main() { return(!have_db_h); }
-],
-WANT_IRS_DBPW_OBJS="\${WANT_IRS_DBPW_OBJS}"
-,
-WANT_IRS_DBPW_OBJS=""
-,
-WANT_IRS_DBPW_OBJS=""
-)
-AC_SUBST(WANT_IRS_DBPW_OBJS)
-
-#
-# was --with-randomdev specified?
-#
-AC_MSG_CHECKING(for random device)
-AC_ARG_WITH(randomdev,
-[ --with-randomdev=PATH Specify path for random device],
- use_randomdev="$withval", use_randomdev="unspec")
-
-case "$use_randomdev" in
- unspec)
- case "$host" in
- *-openbsd*)
- devrandom=/dev/srandom
- ;;
- *)
- devrandom=/dev/random
- ;;
- esac
- AC_MSG_RESULT($devrandom)
- AC_CHECK_FILE($devrandom,
- AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
- "$devrandom"),)
- ;;
- yes)
- AC_MSG_ERROR([--with-randomdev must specify a path])
- ;;
- *)
- AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
- AC_MSG_RESULT(using "$use_randomdev")
- ;;
-esac
-
-sinclude(../../config.threads.in)dnl
-
-if $use_threads
-then
- #
- # We'd like to use sigwait() too
- #
- AC_CHECK_LIB(c, sigwait,
- AC_DEFINE(HAVE_SIGWAIT),
- AC_CHECK_LIB(pthread, sigwait,
- AC_DEFINE(HAVE_SIGWAIT),
- AC_CHECK_LIB(pthread, _Psigwait,
- AC_DEFINE(HAVE_SIGWAIT),))
- )
-
- AC_CHECK_FUNC(pthread_attr_getstacksize,
- AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
-
- #
- # Additional OS-specific issues related to pthreads and sigwait.
- #
- case "$host" in
- #
- # One more place to look for sigwait.
- #
- *-freebsd*)
- AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
- ;;
- #
- # BSDI 3.0 through 4.0.1 needs pthread_init() to be
- # called before certain pthreads calls. This is deprecated
- # in BSD/OS 4.1.
- #
- *-bsdi3.*|*-bsdi4.0*)
- AC_DEFINE(NEED_PTHREAD_INIT)
- ;;
- #
- # LinuxThreads requires some changes to the way we
- # deal with signals.
- #
- *-linux*)
- AC_DEFINE(HAVE_LINUXTHREADS)
- ;;
- #
- # Ensure the right sigwait() semantics on Solaris and make
- # sure we call pthread_setconcurrency.
- #
- *-solaris*)
- AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
- AC_CHECK_FUNC(pthread_setconcurrency,
- AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
- AC_DEFINE(POSIX_GETPWUID_R)
- AC_DEFINE(POSIX_GETPWNAM_R)
- AC_DEFINE(POSIX_GETGRGID_R)
- AC_DEFINE(POSIX_GETGRNAM_R)
- ;;
- *hpux11*)
- AC_DEFINE(NEED_ENDNETGRENT_R)
- AC_DEFINE(_PTHREADS_DRAFT4)
- ;;
- #
- # UnixWare does things its own way.
- #
- *-UnixWare*)
- AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
- ;;
- esac
-
- #
- # Look for sysconf to allow detection of the number of processors.
- #
- AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
-
- if test "X$GCC" = "Xyes"; then
- case "$host" in
- *-freebsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-openbsd*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- ;;
- *-solaris*)
- LIBS="$LIBS -lthread"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- esac
- else
- case $host in
- *-dec-osf*)
- CC="$CC -pthread"
- CCOPT="$CCOPT -pthread"
- ;;
- *-solaris*)
- CC="$CC -mt"
- CCOPT="$CCOPT -mt"
- ;;
- *-ibm-aix*)
- STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
- ;;
- *-UnixWare*)
- CC="$CC -Kthread"
- CCOPT="$CCOPT -Kthread"
- ;;
- esac
- fi
- AC_DEFINE(_REENTRANT)
- ALWAYS_DEFINES="-D_REENTRANT"
- DO_PTHREADS="#define DO_PTHREADS 1"
- WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
- WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
- case $host in
- ia64-hp-hpux11.*)
- WANT_IRS_THREADS_OBJS="";;
- *)
- WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}";;
- esac
- WANT_THREADS_OBJS="\${WANT_THREADS_OBJS}"
- thread_dir=pthreads
-else
- ALWAYS_DEFINES=""
- DO_PTHREADS="#undef DO_PTHREADS"
- WANT_IRS_THREADSGR_OBJS=""
- WANT_IRS_THREADSPW_OBJS=""
- WANT_IRS_THREADS_OBJS=""
- WANT_THREADS_OBJS=""
- thread_dir=nothreads
-fi
-
-AC_SUBST(ALWAYS_DEFINES)
-AC_SUBST(DO_PTHREADS)
-AC_SUBST(WANT_IRS_THREADSGR_OBJS)
-AC_SUBST(WANT_IRS_THREADSPW_OBJS)
-AC_SUBST(WANT_IRS_THREADS_OBJS)
-AC_SUBST(WANT_THREADS_OBJS)
-
-AC_CHECK_FUNC(strlcat, AC_DEFINE(HAVE_STRLCAT))
-
-AC_CHECK_FUNC(if_nametoindex,
- [USE_IFNAMELINKID="#define USE_IFNAMELINKID 1"],
- [USE_IFNAMELINKID="#undef USE_IFNAMELINKID"])
-AC_SUBST(USE_IFNAMELINKID)
-
-ISC_THREAD_DIR=$thread_dir
-AC_SUBST(ISC_THREAD_DIR)
-
-AC_CHECK_FUNC(daemon,
-[DAEMON_OBJS="" NEED_DAEMON="#undef NEED_DAEMON"]
-,
-[DAEMON_OBJS="\${DAEMON_OBJS}" NEED_DAEMON="#define NEED_DAEMON 1"]
-)
-AC_SUBST(DAEMON_OBJS)
-AC_SUBST(NEED_DAEMON)
-
-AC_CHECK_FUNC(strsep,
-[STRSEP_OBJS="" NEED_STRSEP="#undef NEED_STRSEP"]
-,
-[STRSEP_OBJS="\${STRSEP_OBJS}" NEED_STRSEP="#define NEED_STRSEP 1"]
-)
-AC_SUBST(STRSEP_OBJS)
-AC_SUBST(NEED_STRSEP)
-
-AC_CHECK_FUNC(strerror, [NEED_STRERROR="#undef NEED_STRERROR"],
-[NEED_STRERROR="#define NEED_STRERROR 1"])
-AC_SUBST(NEED_STRERROR)
-
-#
-# flockfile is usually provided by pthreads, but we may want to use it
-# even if compiled with --disable-threads.
-#
-AC_CHECK_FUNC(flockfile, AC_DEFINE(HAVE_FLOCKFILE),)
-
-#
-# Indicate what the final decision was regarding threads.
-#
-AC_MSG_CHECKING(whether to build with threads)
-if $use_threads; then
- AC_MSG_RESULT(yes)
-else
- AC_MSG_RESULT(no)
-fi
-
-#
-# End of pthreads stuff.
-#
-
-#
-# Additional compiler settings.
-#
-MKDEPCC="$CC"
-MKDEPCFLAGS="-M"
-IRIX_DNSSEC_WARNINGS_HACK=""
-
-if test "X$GCC" = "Xyes"; then
- STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
-else
- case $host in
- *-dec-osf*)
- CC="$CC -std"
- CCOPT="$CCOPT -std"
- MKDEPCC="$CC"
- ;;
- *-hp-hpux*)
- CC="$CC -Ae -z"
- # The version of the C compiler that constantly warns about
- # 'const' as well as alignment issues is unfortunately not
- # able to be discerned via the version of the operating
- # system, nor does cc have a version flag.
- case "`$CC +W 123 2>&1`" in
- *Unknown?option*)
- STD_CWARNINGS="+w1"
- ;;
- *)
- # Turn off the pointlessly noisy warnings.
- STD_CWARNINGS="+w1 +W 474,530,2193,2236"
- ;;
- esac
- CCOPT="$CCOPT -Ae -z"
- LIBS="-Wl,+vnocompatwarnings $LIBS"
-MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>&1 | awk '"'"'BEGIN {colon=0; rec="";} { for (i = 0 ; i < NF; i++) { if (colon && a[$i]) continue; if ($i == "\\") continue; if (!colon) { rec = $i continue; } if ($i == ":") { rec = rec " :" colon = 1 continue; } if (length(rec $i) > 76) { print rec " \\"; rec = "\t" $i; a[$i] = 1; } else { rec = rec " " $i a[$i] = 1; } } } END {print rec}'"'"' >>$TMP'
- MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
- ;;
- *-sgi-irix*)
- STD_CWARNINGS="-fullwarn -woff 1209"
- #
- # Silence more than 250 instances of
- # "prototyped function redeclared without prototype"
- # and 11 instances of
- # "variable ... was set but never used"
- # from lib/dns/sec/openssl.
- #
- IRIX_DNSSEC_WARNINGS_HACK="-woff 1692,1552"
- ;;
- *-solaris*)
- MKDEPCFLAGS="-xM"
- ;;
- *-UnixWare*)
- CC="$CC -w"
- ;;
- esac
-fi
-
-#
-# _GNU_SOURCE is needed to access the fd_bits field of struct fd_set, which
-# is supposed to be opaque.
-#
-case $host in
- *linux*)
- STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE"
- ;;
-esac
-
-AC_SUBST(MKDEPCC)
-AC_SUBST(MKDEPCFLAGS)
-AC_SUBST(MKDEPPROG)
-AC_SUBST(IRIX_DNSSEC_WARNINGS_HACK)
-
-#
-# NLS
-#
-AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
-
-#
-# -lxnet buys us one big porting headache... standards, gotta love 'em.
-#
-# AC_CHECK_LIB(xnet, socket, ,
-# AC_CHECK_LIB(socket, socket)
-# AC_CHECK_LIB(nsl, inet_ntoa)
-# )
-#
-# Use this for now, instead:
-#
-case "$host" in
- mips-sgi-irix*)
- ;;
- ia64-hp-hpux11.*)
- AC_CHECK_LIB(socket, socket)
- AC_CHECK_LIB(nsl, inet_ntoa)
- ;;
- *)
- AC_CHECK_LIB(d4r, gethostbyname_r)
- AC_CHECK_LIB(socket, socket)
- AC_CHECK_LIB(nsl, inet_ntoa)
- ;;
-esac
-
-#
-# Purify support
-#
-AC_MSG_CHECKING(whether to use purify)
-AC_ARG_WITH(purify,
- [ --with-purify[=PATH] use Rational purify],
- use_purify="$withval", use_purify="no")
-
-case "$use_purify" in
- no)
- ;;
- yes)
- AC_PATH_PROG(purify_path, purify, purify)
- ;;
- *)
- purify_path="$use_purify"
- ;;
-esac
-
-case "$use_purify" in
- no)
- AC_MSG_RESULT(no)
- PURIFY=""
- ;;
- *)
- if test -f $purify_path || test $purify_path = purify; then
- AC_MSG_RESULT($purify_path)
- PURIFYFLAGS="`echo $PURIFYOPTIONS`"
- PURIFY="$purify_path $PURIFYFLAGS"
- else
- AC_MSG_ERROR([$purify_path not found.
-
-Please choose the proper path with the following command:
-
- configure --with-purify=PATH
-])
- fi
- ;;
-esac
-
-AC_SUBST(PURIFY)
-
-#
-# GNU libtool support
-#
-AC_ARG_WITH(libtool,
- [ --with-libtool use GNU libtool (following indented options supported)],
- use_libtool="$withval", use_libtool="no")
-
-case $use_libtool in
- yes)
- AM_PROG_LIBTOOL
- O=lo
- A=la
- LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
- LIBTOOL_MODE_COMPILE='--mode=compile'
- LIBTOOL_MODE_INSTALL='--mode=install'
- LIBTOOL_MODE_LINK='--mode=link'
- ;;
- *)
- O=o
- A=a
- LIBTOOL=
- AC_SUBST(LIBTOOL)
- LIBTOOL_MKDEP_SED=
- LIBTOOL_MODE_COMPILE=
- LIBTOOL_MODE_INSTALL=
- LIBTOOL_MODE_LINK=
- ;;
-esac
-
-#
-# File name extension for static archive files, for those few places
-# where they are treated differently from dynamic ones.
-#
-SA=a
-
-AC_SUBST(O)
-AC_SUBST(A)
-AC_SUBST(SA)
-AC_SUBST(LIBTOOL_MKDEP_SED)
-AC_SUBST(LIBTOOL_MODE_COMPILE)
-AC_SUBST(LIBTOOL_MODE_INSTALL)
-AC_SUBST(LIBTOOL_MODE_LINK)
-
-#
-# Here begins a very long section to determine the system's networking
-# capabilities. The order of the tests is signficant.
-#
-
-#
-# IPv6
-#
-AC_ARG_ENABLE(ipv6,
- [ --enable-ipv6 use IPv6 [default=autodetect]])
-
-case "$enable_ipv6" in
- yes|''|autodetect)
- AC_DEFINE(WANT_IPV6)
- ;;
- no)
- ;;
-esac
-
-#
-# We do the IPv6 compilation checking after libtool so that we can put
-# the right suffix on the files.
-#
-AC_MSG_CHECKING(for IPv6 structures)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>],
-[struct sockaddr_in6 sin6; return (0);],
- [AC_MSG_RESULT(yes)
- found_ipv6=yes],
- [AC_MSG_RESULT(no)
- found_ipv6=no])
-
-#
-# See whether IPv6 support is provided via a Kame add-on.
-# This is done before other IPv6 linking tests to LIBS is properly set.
-#
-AC_MSG_CHECKING(for Kame IPv6 support)
-AC_ARG_WITH(kame,
- [ --with-kame[=PATH] use Kame IPv6 [default path /usr/local/v6]],
- use_kame="$withval", use_kame="no")
-
-case "$use_kame" in
- no)
- ;;
- yes)
- kame_path=/usr/local/v6
- ;;
- *)
- kame_path="$use_kame"
- ;;
-esac
-
-case "$use_kame" in
- no)
- AC_MSG_RESULT(no)
- ;;
- *)
- if test -f $kame_path/lib/libinet6.a; then
- AC_MSG_RESULT($kame_path/lib/libinet6.a)
- LIBS="-L$kame_path/lib -linet6 $LIBS"
- else
- AC_MSG_ERROR([$kame_path/lib/libinet6.a not found.
-
-Please choose the proper path with the following command:
-
- configure --with-kame=PATH
-])
- fi
- ;;
-esac
-
-#
-# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
-# Including it on Kame-using platforms is very bad, though, because
-# Kame uses #error against direct inclusion. So include it on only
-# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
-# This is done before the in6_pktinfo check because that's what
-# netinet6/in6.h is needed for.
-#
-changequote({, })
-case "$host" in
-*-bsdi4.[01]*)
- ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
- isc_netinet6in6_hack="#include <netinet6/in6.h>"
- ;;
-*)
- ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
- isc_netinet6in6_hack=""
- ;;
-esac
-changequote([, ])
-
-#
-# This is similar to the netinet6/in6.h issue.
-#
-case "$host" in
-*-UnixWare*)
- ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
- ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
- isc_netinetin6_hack="#include <netinet/in6.h>"
- ;;
-*)
- ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
- ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
- isc_netinetin6_hack=""
- ;;
-esac
-
-#
-# Now delve deeper into the suitability of the IPv6 support.
-#
-case "$found_ipv6" in
- yes)
- HAS_INET6_STRUCTS="#define HAS_INET6_STRUCTS 1"
-
- AC_MSG_CHECKING(for in6_addr)
- AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
-[struct in6_addr in6; return (0);],
- [AC_MSG_RESULT(yes)
- HAS_IN_ADDR6="#undef HAS_IN_ADDR6"
- isc_in_addr6_hack=""],
- [AC_MSG_RESULT(no)
- HAS_IN_ADDR6="#define HAS_IN_ADDR6 1"
- isc_in_addr6_hack="#define in6_addr in_addr6"])
-
- AC_MSG_CHECKING(for in6addr_any)
- AC_TRY_LINK([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-$isc_in_addr6_hack
-],
- [struct in6_addr in6; in6 = in6addr_any; return (0);],
- [AC_MSG_RESULT(yes)
- NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"],
- [AC_MSG_RESULT(no)
- NEED_IN6ADDR_ANY="#define NEED_IN6ADDR_ANY 1"])
-
- AC_MSG_CHECKING(for sin6_scope_id in struct sockaddr_in6)
- AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
- [struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);],
- [AC_MSG_RESULT(yes)
- result="#define HAVE_SIN6_SCOPE_ID 1"],
- [AC_MSG_RESULT(no)
- result="#undef HAVE_SIN6_SCOPE_ID"])
- HAVE_SIN6_SCOPE_ID="$result"
-
- AC_MSG_CHECKING(for in6_pktinfo)
- AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
- [struct in6_pktinfo xyzzy; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"],
- [AC_MSG_RESULT(no -- disabling runtime ipv6 support)
- ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"])
-
- AC_MSG_CHECKING(for sockaddr_storage)
- AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-$isc_netinetin6_hack
-$isc_netinet6in6_hack
-],
- [struct sockaddr_storage xyzzy; return (0);],
- [AC_MSG_RESULT(yes)
- HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"],
- [AC_MSG_RESULT(no)
- HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"])
- ;;
- no)
- HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS"
- NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
- ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
- HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1"
- HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
- ISC_IPV6_H="ipv6.h"
- ISC_IPV6_O="ipv6.$O"
- ISC_ISCIPV6_O="unix/ipv6.$O"
- ISC_IPV6_C="ipv6.c"
- ;;
-esac
-
-AC_SUBST(HAS_INET6_STRUCTS)
-AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H)
-AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H)
-AC_SUBST(HAS_IN_ADDR6)
-AC_SUBST(NEED_IN6ADDR_ANY)
-AC_SUBST(ISC_PLATFORM_HAVEIN6PKTINFO)
-AC_SUBST(ISC_PLATFORM_FIXIN6ISADDR)
-AC_SUBST(ISC_IPV6_H)
-AC_SUBST(ISC_IPV6_O)
-AC_SUBST(ISC_ISCIPV6_O)
-AC_SUBST(ISC_IPV6_C)
-AC_SUBST(HAVE_SIN6_SCOPE_ID)
-AC_SUBST(HAVE_SOCKADDR_STORAGE)
-
-#
-# Check for network functions that are often missing. We do this
-# after the libtool checking, so we can put the right suffix on
-# the files. It also needs to come after checking for a Kame add-on,
-# which provides some (all?) of the desired functions.
-#
-AC_MSG_CHECKING([for inet_ntop])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>],
- [inet_ntop(0, 0, 0, 0); return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
-
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
- ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
-AC_MSG_CHECKING([for inet_pton])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>],
- [inet_pton(0, 0, 0); return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
-
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
- ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"])
-AC_MSG_CHECKING([for inet_aton])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>],
- [struct in_addr in; inet_aton(0, &in); return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
-
- [AC_MSG_RESULT(no)
- ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
- ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
-
-AC_SUBST(ISC_PLATFORM_NEEDNTOP)
-AC_SUBST(ISC_PLATFORM_NEEDPTON)
-AC_SUBST(ISC_PLATFORM_NEEDATON)
-
-#
-# Look for a 4.4BSD-style sa_len member in struct sockaddr.
-#
-case "$host" in
- *-dec-osf*)
- # Turn on 4.4BSD style sa_len support.
- AC_DEFINE(_SOCKADDR_LEN)
- ;;
-esac
-
-AC_MSG_CHECKING(for sa_len in struct sockaddr)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>],
-[struct sockaddr sa; sa.sa_len = 0; return (0);],
- [AC_MSG_RESULT(yes)
- HAVE_SA_LEN="#define HAVE_SA_LEN 1"],
- [AC_MSG_RESULT(no)
- HAVE_SA_LEN="#undef HAVE_SA_LEN"])
-AC_SUBST(HAVE_SA_LEN)
-
-# HAVE_MINIMUM_IFREQ
-
-case "$host" in
- *-bsdi[2345]*) have_minimum_ifreq=yes;;
- *-darwin*) have_minimum_ifreq=yes;;
- *-freebsd*) have_minimum_ifreq=yes;;
- *-lynxos*) have_minimum_ifreq=yes;;
- *-netbsd*) have_minimum_ifreq=yes;;
- *-next*) have_minimum_ifreq=yes;;
- *-openbsd*) have_minimum_ifreq=yes;;
- *-rhapsody*) have_minimum_ifreq=yes;;
-esac
-
-case "$have_minimum_ifreq" in
- yes)
- HAVE_MINIMUM_IFREQ="#define HAVE_MINIMUM_IFREQ 1";;
- no)
- HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
- *)
- HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
-esac
-AC_SUBST(HAVE_MINIMUM_IFREQ)
-
-# PORT_DIR
-PORT_DIR=port/unknown
-SOLARIS_BITTYPES="#undef NEED_SOLARIS_BITTYPES"
-BSD_COMP="#undef BSD_COMP"
-USE_FIONBIO_IOCTL="#undef USE_FIONBIO_IOCTL"
-PORT_NONBLOCK="#define PORT_NONBLOCK O_NONBLOCK"
-HAVE_MD5="#undef HAVE_MD5"
-USE_POLL="#undef HAVE_POLL"
-SOLARIS2="#undef SOLARIS2"
-case "$host" in
- *aix3.2*) PORT_DIR="port/aix32";;
- *aix4*) PORT_DIR="port/aix4";;
- *aix5*) PORT_DIR="port/aix5";;
- *aux3*) PORT_DIR="port/aux3";;
- *-bsdi2*) PORT_DIR="port/bsdos2";;
- *-bsdi*) PORT_DIR="port/bsdos";;
- *-cygwin*)
- PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
- PORT_DIR="port/cygwin";;
- *-darwin*) PORT_DIR="port/darwin";;
- *-osf*) PORT_DIR="port/decunix";;
- *-freebsd*) PORT_DIR="port/freebsd";;
- *-hpux9*) PORT_DIR="port/hpux9";;
- *-hpux10*) PORT_DIR="port/hpux10";;
- *-hpux11*) PORT_DIR="port/hpux";;
- *-irix*) PORT_DIR="port/irix";;
- *-linux*) PORT_DIR="port/linux";;
- *-lynxos*) PORT_DIR="port/lynxos";;
- *-mpe*) PORT_DIR="port/mpe";;
- *-netbsd*) PORT_DIR="port/netbsd";;
- *-next*) PORT_DIR="port/next";;
- *-openbsd*) PORT_DIR="port/openbsd";;
- *-qnx*) PORT_DIR="port/qnx";;
- *-rhapsody*) PORT_DIR="port/rhapsody";;
- *-sunos4*)
- PORT_NONBLOCK="#define PORT_NONBLOCK O_NDELAY"
- PORT_DIR="port/sunos";;
- *-solaris2.[[01234]])
- BSD_COMP="#define BSD_COMP 1"
- SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
- USE_FIONBIO_IOCTL="#define USE_FIONBIO_IOCTL 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-solaris2.5)
- BSD_COMP="#define BSD_COMP 1"
- SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-solaris2.[[67]])
- BSD_COMP="#define BSD_COMP 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-solaris2*) BSD_COMP="#define BSD_COMP 1"
- USE_POLL="#define USE_POLL 1"
- HAVE_MD5="#define HAVE_MD5 1"
- SOLARIS2="#define SOLARIS2 1"
- PORT_DIR="port/solaris";;
- *-ultrix*) PORT_DIR="port/ultrix";;
- *-sco-sysv*uw2.0*) PORT_DIR="port/unixware20";;
- *-sco-sysv*uw2.1.2*) PORT_DIR="port/unixware212";;
- *-sco-sysv*uw7*) PORT_DIR="port/unixware7";;
-esac
-
-AC_SUBST(BSD_COMP)
-AC_SUBST(SOLARIS_BITTYPES)
-AC_SUBST(USE_FIONBIO_IOCTL)
-AC_SUBST(PORT_NONBLOCK)
-AC_SUBST(PORT_DIR)
-AC_SUBST(USE_POLL)
-AC_SUBST(HAVE_MD5)
-AC_SUBST(SOLARIS2)
-PORT_INCLUDE=${PORT_DIR}/include
-AC_SUBST(PORT_INCLUDE)
-
-#
-# Look for a 4.4BSD or 4.3BSD struct msghdr
-#
-AC_MSG_CHECKING(for struct msghdr flavor)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>],
-[struct msghdr msg; msg.msg_flags = 0; return (0);],
- [AC_MSG_RESULT(4.4BSD)
- ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"],
- [AC_MSG_RESULT(4.3BSD)
- ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"])
-AC_SUBST(ISC_PLATFORM_MSGHDRFLAVOR)
-
-#
-# Look for in_port_t.
-#
-AC_MSG_CHECKING(for type in_port_t)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <netinet/in.h>],
-[in_port_t port = 25; return (0);],
- [AC_MSG_RESULT(yes)
- ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"],
- [AC_MSG_RESULT(no)
- ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
-AC_SUBST(ISC_PLATFORM_NEEDPORTT)
-
-#
-# Check for addrinfo
-#
-AC_MSG_CHECKING(for struct addrinfo)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[struct addrinfo a; return (0);],
- [AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_ADDRINFO)],
- [AC_MSG_RESULT(no)])
-
-AC_MSG_CHECKING(for int sethostent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = sethostent(0); return(0);],
- [AC_MSG_RESULT(yes)],
- [AC_MSG_RESULT(no)])
-
-AC_MSG_CHECKING(for int endhostent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = endhostent(); return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"])
-AC_SUBST(ISC_LWRES_ENDHOSTENTINT)
-
-AC_MSG_CHECKING(for int setnetent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = setnetent(0); return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"])
-AC_SUBST(ISC_LWRES_SETNETENTINT)
-
-AC_MSG_CHECKING(for int endnetent)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[int i = endnetent(); return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"])
-AC_SUBST(ISC_LWRES_ENDNETENTINT)
-
-AC_MSG_CHECKING(for gethostbyaddr(const void *, size_t, ...))
-AC_TRY_COMPILE([
-#include <netdb.h>
-struct hostent *gethostbyaddr(const void *, size_t, int);],
-[return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"])
-AC_SUBST(ISC_LWRES_GETHOSTBYADDRVOID)
-
-AC_MSG_CHECKING(for h_errno in netdb.h)
-AC_TRY_COMPILE([
-#include <netdb.h>],
-[h_errno = 1; return(0);],
- [AC_MSG_RESULT(yes)
- ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"],
- [AC_MSG_RESULT(no)
- ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"])
-AC_SUBST(ISC_LWRES_NEEDHERRNO)
-
-AC_CHECK_FUNC(getipnodebyname,
- [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
- [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
-AC_CHECK_FUNC(getnameinfo,
- [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
- [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
-AC_CHECK_FUNC(getaddrinfo,
- [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
- AC_DEFINE(HAVE_GETADDRINFO)],
- [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
-AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
-AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
-AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
-AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
-AC_CHECK_FUNC(pselect,
- [NEED_PSELECT="#undef NEED_PSELECT"],
- [NEED_PSELECT="#define NEED_PSELECT"])
-AC_SUBST(NEED_PSELECT)
-AC_CHECK_FUNC(gettimeofday,
- [NEED_GETTIMEOFDAY="#undef NEED_GETTIMEOFDAY"],
- [NEED_GETTIMEOFDAY="#define NEED_GETTIMEOFDAY 1"])
-AC_SUBST(NEED_GETTIMEOFDAY)
-AC_CHECK_FUNC(strndup,
- [HAVE_STRNDUP="#define HAVE_STRNDUP 1"],
- [HAVE_STRNDUP="#undef HAVE_STRNDUP"])
-AC_SUBST(HAVE_STRNDUP)
-
-#
-# Look for a sysctl call to get the list of network interfaces.
-#
-AC_MSG_CHECKING(for interface list sysctl)
-AC_EGREP_CPP(found_rt_iflist, [
-#include <sys/param.h>
-#include <sys/sysctl.h>
-#include <sys/socket.h>
-#ifdef NET_RT_IFLIST
-found_rt_iflist
-#endif
-],
- [AC_MSG_RESULT(yes)
- AC_DEFINE(HAVE_IFLIST_SYSCTL)],
- [AC_MSG_RESULT(no)])
-
-#
-# Check for some other useful functions that are not ever-present.
-#
-AC_CHECK_FUNC(strsep,
- [ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"],
- [ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
-AC_CHECK_FUNC(vsnprintf,
- [ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"],
- [ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS print.$O"
- ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS print.c"
- ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"])
-AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
-AC_SUBST(ISC_PLATFORM_NEEDVSNPRINTF)
-
-AC_SUBST(ISC_EXTRA_OBJS)
-AC_SUBST(ISC_EXTRA_SRCS)
-AC_CHECK_FUNC(strerror,
- [USE_SYSERROR_LIST="#undef USE_SYSERROR_LIST"],
- [USE_SYSERROR_LIST="#define USE_SYSERROR_LIST 1"])
-AC_SUBST(USE_SYSERROR_LIST)
-
-#
-# Determine the printf format characters to use when printing
-# values of type isc_int64_t. We make the assumption that platforms
-# where a "long long" is the same size as a "long" (e.g., Alpha/OSF1)
-# want "%ld" and everyone else can use "%lld". Win32 uses "%I64d",
-# but that's defined elsewhere since we don't use configure on Win32.
-#
-AC_MSG_CHECKING(printf format modifier for 64-bit integers)
-AC_TRY_RUN([main() { exit(!(sizeof(long long int) == sizeof(long int))); }],
- [AC_MSG_RESULT(l)
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'],
- [AC_MSG_RESULT(ll)
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'],
- [AC_MSG_RESULT(default ll)
- ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'])
-AC_SUBST(ISC_PLATFORM_QUADFORMAT)
-
-#
-# Security Stuff
-#
-AC_CHECK_FUNC(chroot, AC_DEFINE(HAVE_CHROOT))
-
-#
-# for accept, recvfrom, getpeername etc.
-#
-AC_MSG_CHECKING(for socket length type)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, socklen_t *);
-],[],
-[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T socklen_t"
-AC_MSG_RESULT(socklen_t)]
-,
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, unsigned int *);
-],[],
-[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned int"
-AC_MSG_RESULT(unsigned int)]
-,
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, unsigned long *);
-],[],
-[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned long"
-AC_MSG_RESULT(unsigned long)]
-,
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <sys/socket.h>
-int accept(int, struct sockaddr *, long *);
-],[],
-[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T long"
-AC_MSG_RESULT(long)]
-,
-ISC_SOCKLEN_T="#define ISC_SOCKLEN_T int"
-AC_MSG_RESULT(int)
-))))
-AC_SUBST(ISC_SOCKLEN_T)
-
-AC_CHECK_FUNC(getgrouplist,
-AC_TRY_COMPILE(
-[#include <unistd.h>
-int
-getgrouplist(const char *name, int basegid, int *groups, int *ngroups) {
-}
-],
-[return (0);],
-GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, int basegid, int *groups, int *ngroups"
-,
-GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
-),
-GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
-AC_DEFINE(NEED_GETGROUPLIST)
-)
-AC_SUBST(GETGROUPLIST_ARGS)
-
-AC_CHECK_FUNC(setgroupent,,AC_DEFINE(NEED_SETGROUPENT))
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(getnetbyaddr_r,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#define _OSF_SOURCE
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct netent *
-getnetbyaddr_r(long net, int type, struct netent *result, char *buffer,
-int buflen) {}
-],
-[return (0)],
-[
-NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
-NET_R_BAD="#define NET_R_BAD NULL"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
-NET_R_OK="#define NET_R_OK nptr"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN struct netent *"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#undef NETENT_DATA"
-],
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#define _OSF_SOURCE
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetbyaddr_r (unsigned long int, int, struct netent *,
- char *, size_t, struct netent **, int *);
-],
-[return (0)],
-[
-NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
-NET_R_BAD="#define NET_R_BAD ERANGE"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#define NET_R_SETANSWER 1"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
-NETENT_DATA="#undef NETENT_DATA"
-],
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#define _OSF_SOURCE
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int getnetbyaddr_r(int, int, struct netent *, struct netent_data *);
-],
-[return (0)],
-[
-NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
-NET_R_BAD="#define NET_R_BAD (-1)"
-NET_R_COPY="#define NET_R_COPY ndptr"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int"
-NETENT_DATA="#define NETENT_DATA 1"
-],
-AC_TRY_COMPILE(
-#undef __USE_MISC
-#define __USE_MISC
-[#include <netdb.h>
-int getnetbyaddr_r (long, int, struct netent *, struct netent_data *);
-],
-[return (0)],
-[
-NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
-NET_R_BAD="#define NET_R_BAD (-1)"
-NET_R_COPY="#define NET_R_COPY ndptr"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#define NETENT_DATA 1"
-],
-AC_TRY_COMPILE(
-#undef __USE_MISC
-#define __USE_MISC
-[#include <netdb.h>
-int getnetbyaddr_r (uint32_t, int, struct netent *,
- char *, size_t, struct netent **, int *);
-],
-[return (0)],
-[
-NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
-NET_R_BAD="#define NET_R_BAD ERANGE"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
-NET_R_OK="#define NET_R_OK 0"
-NET_R_SETANSWER="#define NET_R_SETANSWER 1"
-NET_R_RETURN="#define NET_R_RETURN int"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
-NETENT_DATA="#undef NETENT_DATA"
-],
-)
-)
-)
-)
-)
-,
-NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
-NET_R_BAD="#define NET_R_BAD NULL"
-NET_R_COPY="#define NET_R_COPY buf, buflen"
-NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
-NET_R_OK="#define NET_R_OK nptr"
-NET_R_SETANSWER="#undef NET_R_SETANSWER"
-NET_R_RETURN="#define NET_R_RETURN struct netent *"
-GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
-NETENT_DATA="#undef NETENT_DATA"
-)
-esac
-
-case "$host" in
-*dec-osf*) GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int" ;;
-esac
-AC_SUBST(NET_R_ARGS)
-AC_SUBST(NET_R_BAD)
-AC_SUBST(NET_R_COPY)
-AC_SUBST(NET_R_COPY_ARGS)
-AC_SUBST(NET_R_OK)
-AC_SUBST(NET_R_SETANSWER)
-AC_SUBST(NET_R_RETURN)
-AC_SUBST(GETNETBYADDR_ADDR_T)
-AC_SUBST(NETENT_DATA)
-
-AC_CHECK_FUNC(setnetent_r,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void setnetent_r (int);
-] ,[return (0);],[
-NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
-NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
-NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
-],
-AC_TRY_COMPILE(
-[
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int setnetent_r(int, struct netent_data *);
-] ,[return (0);],[
-NET_R_ENT_ARGS="#define NET_R_ENT_ARGS struct netent_data *ndptr"
-NET_R_SET_RESULT="#define NET_R_SET_RESULT NET_R_OK"
-NET_R_SET_RETURN="#define NET_R_SET_RETURN int"
-],
-)
-)
-,
-NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
-NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
-NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
-)
-AC_SUBST(NET_R_ENT_ARGS)
-AC_SUBST(NET_R_SET_RESULT)
-AC_SUBST(NET_R_SET_RETURN)
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(endnetent_r,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endnetent_r (void);
-] ,[return (0);],[
-NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
-NET_R_END_RETURN="#define NET_R_END_RETURN void"
-],
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int endnetent_r(struct netent_data *);
-] ,[return (0);],[
-NET_R_END_RESULT="#define NET_R_END_RESULT(x) return (x)"
-NET_R_END_RETURN="#define NET_R_END_RETURN int"
-],
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void endnetent_r(struct netent_data *);
-] ,[return (0);],[
-NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
-NET_R_END_RETURN="#define NET_R_END_RETURN void"
-],
-)
-)
-)
-,
-NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
-NET_R_END_RETURN="#define NET_R_END_RETURN void"
-)
-esac
-AC_SUBST(NET_R_END_RESULT)
-AC_SUBST(NET_R_END_RETURN)
-
-AC_CHECK_FUNC(getgrnam_r,,AC_DEFINE(NEED_GETGRNAM_R))
-AC_CHECK_FUNC(getgrgid_r,,AC_DEFINE(NEED_GETGRGID_R))
-
-AC_CHECK_FUNC(getgrent_r,
-AC_TRY_COMPILE(
-[
-#include <grp.h>
-struct group *getgrent_r(struct group *grp, char *buffer,
- int buflen) {}
-] ,[return (0);],[
-GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
-GROUP_R_BAD="#define GROUP_R_BAD NULL"
-GROUP_R_OK="#define GROUP_R_OK gptr"
-GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
-],
-)
-,
-GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
-GROUP_R_BAD="#define GROUP_R_BAD NULL"
-GROUP_R_OK="#define GROUP_R_OK gptr"
-GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
-AC_DEFINE(NEED_GETGRENT_R)
-)
-AC_SUBST(GROUP_R_ARGS)
-AC_SUBST(GROUP_R_BAD)
-AC_SUBST(GROUP_R_OK)
-AC_SUBST(GROUP_R_RETURN)
-
-AC_CHECK_FUNC(endgrent_r,
-,
-GROUP_R_END_RESULT="#define GROUP_R_END_RESULT(x) /*empty*/"
-GROUP_R_END_RETURN="#define GROUP_R_END_RETURN void"
-GROUP_R_ENT_ARGS="#define GROUP_R_ENT_ARGS void"
-AC_DEFINE(NEED_ENDGRENT_R)
-)
-AC_SUBST(GROUP_R_END_RESULT)
-AC_SUBST(GROUP_R_END_RETURN)
-AC_SUBST(GROUP_R_ENT_ARGS)
-
-AC_CHECK_FUNC(setgrent_r,
-,
-GROUP_R_SET_RESULT="#undef GROUP_R_SET_RESULT /*empty*/"
-GROUP_R_SET_RETURN="#define GROUP_R_SET_RETURN void"
-AC_DEFINE(NEED_SETGRENT_R)
-)
-AC_SUBST(GROUP_R_SET_RESULT)
-AC_SUBST(GROUP_R_SET_RETURN)
-
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(gethostbyname_r,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct hostent *gethostbyname_r
-(const char *name, struct hostent *hp, char *buf, int len, int *h_errnop) {}
-],
-[return (0);],
-[
-HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
-HOST_R_BAD="#define HOST_R_BAD NULL"
-HOST_R_COPY="#define HOST_R_COPY buf, buflen"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
-HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
-HOST_R_OK="#define HOST_R_OK hptr"
-HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
-HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
-HOSTENT_DATA="#undef HOSTENT_DATA"
-]
-,
-AC_TRY_COMPILE([
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int gethostbyname_r(const char *name,
- struct hostent *result,
- struct hostent_data *hdptr);
-],,[
-HOST_R_ARGS="#define HOST_R_ARGS struct hostent_data *hdptr"
-HOST_R_BAD="#define HOST_R_BAD (-1)"
-HOST_R_COPY="#define HOST_R_COPY hdptr"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS HOST_R_ARGS"
-HOST_R_ERRNO="#undef HOST_R_ERRNO"
-HOST_R_OK="#define HOST_R_OK 0"
-HOST_R_RETURN="#define HOST_R_RETURN int"
-HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
-HOSTENT_DATA="#define HOSTENT_DATA 1"
-],
-AC_TRY_COMPILE([
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int gethostbyname_r (const char *,
- struct hostent *,
- char *, size_t,
- struct hostent **,
- int *);
-],,[
-HOST_R_ARGS="#define HOST_R_ARGS char *buf, size_t buflen, struct hostent **answerp, int *h_errnop"
-HOST_R_BAD="#define HOST_R_BAD ERANGE"
-HOST_R_COPY="#define HOST_R_COPY buf, buflen"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
-HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
-HOST_R_OK="#define HOST_R_OK 0"
-HOST_R_RETURN="#define HOST_R_RETURN int"
-HOST_R_SETANSWER="#define HOST_R_SETANSWER 1"
-HOSTENT_DATA="#undef HOSTENT_DATA"
-],
-)))
-,
-HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
-HOST_R_BAD="#define HOST_R_BAD NULL"
-HOST_R_COPY="#define HOST_R_COPY buf, buflen"
-HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
-HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
-HOST_R_OK="#define HOST_R_OK hptr"
-HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
-HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
-HOSTENT_DATA="#undef HOSTENT_DATA"
-)
-esac
-AC_SUBST(HOST_R_ARGS)
-AC_SUBST(HOST_R_BAD)
-AC_SUBST(HOST_R_COPY)
-AC_SUBST(HOST_R_COPY_ARGS)
-AC_SUBST(HOST_R_ERRNO)
-AC_SUBST(HOST_R_OK)
-AC_SUBST(HOST_R_RETURN)
-AC_SUBST(HOST_R_SETANSWER)
-AC_SUBST(HOSTENT_DATA)
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(endhostent_r,
-AC_TRY_COMPILE([
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int endhostent_r(struct hostent_data *buffer);
-], ,
-HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) return (x)"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN int"
-HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
-,
-AC_TRY_COMPILE([
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void endhostent_r(struct hostent_data *ht_data);
-],[],[
-HOST_R_END_RESULT="#define HOST_R_END_RESULT(x)"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
-HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
-],
-AC_TRY_COMPILE([
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void endhostent_r(void);
-],[],[
-HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
-HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
-],
-)
-)
-)
-,
-HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
-HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
-HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
-)
-esac;
-AC_SUBST(HOST_R_END_RESULT)
-AC_SUBST(HOST_R_END_RETURN)
-AC_SUBST(HOST_R_ENT_ARGS)
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(sethostent_r,
-AC_TRY_COMPILE([
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern void sethostent_r(int flag, struct hostent_data *ht_data);],[],
-[HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT /*empty*/"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"],
-AC_TRY_COMPILE([
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int sethostent_r(int flag, struct hostent_data *ht_data);],[],
-[HOST_R_SET_RESULT="#define HOST_R_SET_RESULT 0"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN int"],
-AC_TRY_COMPILE([
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void sethostent_r (int);],[],
-[HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"],
-)
-)
-)
-,
-HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
-HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
-)
-esac
-AC_SUBST(HOST_R_SET_RESULT)
-AC_SUBST(HOST_R_SET_RETURN)
-
-
-AC_MSG_CHECKING(struct passwd element pw_class)
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <pwd.h>
-],[struct passwd *pw; pw->pw_class = "";],
-AC_MSG_RESULT(yes)
-AC_DEFINE(HAS_PW_CLASS)
-,
- AC_MSG_RESULT(no)
-)
-
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <pwd.h>
-void
-setpwent(void) {}
-],
-[return (0);],
-SETPWENT_VOID="#define SETPWENT_VOID 1"
-,
-SETPWENT_VOID="#undef SETPWENT_VOID"
-)
-AC_SUBST(SETPWENT_VOID)
-
-AC_TRY_COMPILE([
-#include <sys/types.h>
-#include <grp.h>
-void
-setgrent(void) {}
-],
-[return (0);],
-SETGRENT_VOID="#define SETGRENT_VOID 1"
-,
-SETGRENT_VOID="#undef SETGRENT_VOID"
-)
-AC_SUBST(SETGRENT_VOID)
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(getnetgrent_r,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetgrent_r(char **m, char **u, char **d, char *b, int l) {}
-]
-,
-[return (0);],
-[
-NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf, buflen"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getnetgrent_r(char **m, char **u, char **d, char *b, size_t l) {}
-]
-,
-[return (0);],
-[
-NGR_R_ARGS="#define NGR_R_ARGS char *buf, size_t buflen"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf, buflen"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-extern int getnetgrent_r( char **, char **, char **, void **);
-]
-,
-[return (0);],
-[
-NGR_R_ARGS="#define NGR_R_ARGS void **buf"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-NGR_R_PRIVATE="#define NGR_R_PRIVATE 1"
-]
-,
-)
-)
-)
-,
-NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
-NGR_R_BAD="#define NGR_R_BAD (0)"
-NGR_R_COPY="#define NGR_R_COPY buf, buflen"
-NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
-NGR_R_OK="#define NGR_R_OK 1"
-NGR_R_RETURN="#define NGR_R_RETURN int"
-)
-esac
-AC_SUBST(NGR_R_ARGS)
-AC_SUBST(NGR_R_BAD)
-AC_SUBST(NGR_R_COPY)
-AC_SUBST(NGR_R_COPY_ARGS)
-AC_SUBST(NGR_R_OK)
-AC_SUBST(NGR_R_RETURN)
-AC_SUBST(NGR_R_PRIVATE)
-
-AC_CHECK_FUNC(endnetgrent_r,
-NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)"
-NGR_R_END_RETURN="#define NGR_R_END_RETURN int"
-NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
-,
-NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/"
-NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
-NGR_R_ENT_ARGS="#undef NGR_R_ENT_ARGS /*empty*/"
-AC_DEFINE(NEED_ENDNETGRENT_R)
-)
-AC_SUBST(NGR_R_END_RESULT)
-AC_SUBST(NGR_R_END_RETURN)
-AC_SUBST(NGR_R_ENT_ARGS)
-
-AC_CHECK_FUNC(setnetgrent_r,
-[
-case "$host" in
-*bsdi*)
- NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
- NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
- ;;
-*)
- NGR_R_SET_RESULT="#define NGR_R_SET_RESULT NGR_R_OK"
- NGR_R_SET_RETURN="#define NGR_R_SET_RETURN int"
- ;;
-esac
-]
-,
-NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
-NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
-)
-AC_SUBST(NGR_R_SET_RESULT)
-AC_SUBST(NGR_R_SET_RETURN)
-
-AC_CHECK_FUNC(innetgr_r,,AC_DEFINE(NEED_INNETGR_R))
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(getprotoent_r,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct protoent *getprotoent_r(struct protoent *result,
- char *buffer, int buflen) {}
-]
-,
-[return (0);]
-,
-[
-PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
-PROTO_R_BAD="#define PROTO_R_BAD NULL"
-PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
-PROTO_R_OK="#define PROTO_R_OK pptr"
-PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
-PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int getprotoent_r (struct protoent *, char *, size_t, struct protoent **);
-
-]
-,
-[return (0);]
-,
-[
-PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, size_t buflen, struct protoent **answerp"
-PROTO_R_BAD="#define PROTO_R_BAD ERANGE"
-PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen"
-PROTO_R_OK="#define PROTO_R_OK 0"
-PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1"
-PROTO_R_RETURN="#define PROTO_R_RETURN int"
-]
-,
-)
-)
-,
-PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
-PROTO_R_BAD="#define PROTO_R_BAD NULL"
-PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
-PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
-PROTO_R_OK="#define PROTO_R_OK pptr"
-PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
-PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
-)
-esac
-AC_SUBST(PROTO_R_ARGS)
-AC_SUBST(PROTO_R_BAD)
-AC_SUBST(PROTO_R_COPY)
-AC_SUBST(PROTO_R_COPY_ARGS)
-AC_SUBST(PROTO_R_OK)
-AC_SUBST(PROTO_R_SETANSWER)
-AC_SUBST(PROTO_R_RETURN)
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(endprotoent_r,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endprotoent_r(void);
-]
-,,
-[
-PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
-PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS"
-]
-,
-)
-,
-PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
-PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
-PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/"
-)
-esac
-AC_SUBST(PROTO_R_END_RESULT)
-AC_SUBST(PROTO_R_END_RETURN)
-AC_SUBST(PROTO_R_ENT_ARGS)
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(setprotoent_r,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void setprotoent_r __P((int));
-],[],
-PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
-PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
-,
-)
-,
-PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
-PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
-)
-esac
-AC_SUBST(PROTO_R_SET_RESULT)
-AC_SUBST(PROTO_R_SET_RETURN)
-
-AC_CHECK_FUNC(getpwent_r,
-AC_TRY_COMPILE(
-[
-#include <sys/types.h>
-#include <pwd.h>
-struct passwd *
-getpwent_r(struct passwd *pwptr, char *buf, int buflen) {}
-]
-,
-[]
-,
-PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
-PASS_R_BAD="#define PASS_R_BAD NULL"
-PASS_R_COPY="#define PASS_R_COPY buf, buflen"
-PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
-PASS_R_OK="#define PASS_R_OK pwptr"
-PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
-,
-)
-,
-PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
-PASS_R_BAD="#define PASS_R_BAD NULL"
-PASS_R_COPY="#define PASS_R_COPY buf, buflen"
-PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
-PASS_R_OK="#define PASS_R_OK pwptr"
-PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
-AC_DEFINE(NEED_GETPWENT_R)
-)
-AC_SUBST(PASS_R_ARGS)
-AC_SUBST(PASS_R_BAD)
-AC_SUBST(PASS_R_COPY)
-AC_SUBST(PASS_R_COPY_ARGS)
-AC_SUBST(PASS_R_OK)
-AC_SUBST(PASS_R_RETURN)
-
-AC_CHECK_FUNC(endpwent_r,
-AC_TRY_COMPILE(
-[
-#include <pwd.h>
-void endpwent_r(FILE **pwfp);
-], ,
-PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
-PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
-PASS_R_ENT_ARGS="#define PASS_R_ENT_ARGS FILE **pwptr"
-,
-)
-,
-PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
-PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
-PASS_R_ENT_ARGS="#undef PASS_R_ENT_ARGS"
-AC_DEFINE(NEED_ENDPWENT_R)
-)
-AC_SUBST(PASS_R_END_RESULT)
-AC_SUBST(PASS_R_END_RETURN)
-AC_SUBST(PASS_R_ENT_ARGS)
-AC_CHECK_FUNC(setpassent_r,,AC_DEFINE(NEED_SETPASSENT_R))
-AC_CHECK_FUNC(setpassent,,AC_DEFINE(NEED_SETPASSENT))
-
-AC_CHECK_FUNC(setpwent_r,
-AC_TRY_COMPILE([
-#include <pwd.h>
-void setpwent_r(FILE **pwfp);
-], ,
-PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /* empty */"
-PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
-,
-AC_TRY_COMPILE([
-#include <pwd.h>
-int setpwent_r(FILE **pwfp);
-], ,
-PASS_R_SET_RESULT="#define PASS_R_SET_RESULT 0"
-PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
-,
-)
-)
-,
-PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /*empty*/"
-PASS_R_SET_RETURN="#define PASS_R_SET_RETURN void"
-AC_DEFINE(NEED_SETPWENT_R)
-)
-AC_SUBST(PASS_R_SET_RESULT)
-AC_SUBST(PASS_R_SET_RETURN)
-
-AC_CHECK_FUNC(getpwnam_r,,AC_DEFINE(NEED_GETPWNAM_R))
-AC_CHECK_FUNC(getpwuid_r,,AC_DEFINE(NEED_GETPWUID_R))
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(getservent_r,
-AC_TRY_COMPILE([
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-struct servent *
-getservent_r(struct servent *result, char *buffer, int buflen) {}
-],[return (0);],
-[
-SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
-SERV_R_BAD="#define SERV_R_BAD NULL"
-SERV_R_COPY="#define SERV_R_COPY buf, buflen"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
-SERV_R_OK="#define SERV_R_OK sptr"
-SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
-SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
-]
-,
-AC_TRY_COMPILE([
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-int
-getservent_r (struct servent *, char *, size_t, struct servent **);
-],[return (0);],
-[
-SERV_R_ARGS="#define SERV_R_ARGS char *buf, size_t buflen, struct servent **answerp"
-SERV_R_BAD="#define SERV_R_BAD ERANGE"
-SERV_R_COPY="#define SERV_R_COPY buf, buflen"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS char *buf, size_t buflen"
-SERV_R_OK="#define SERV_R_OK (0)"
-SERV_R_SETANSWER="#define SERV_R_SETANSWER 1"
-SERV_R_RETURN="#define SERV_R_RETURN int"
-]
-,
-)
-)
-,
-SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
-SERV_R_BAD="#define SERV_R_BAD NULL"
-SERV_R_COPY="#define SERV_R_COPY buf, buflen"
-SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
-SERV_R_OK="#define SERV_R_OK sptr"
-SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
-SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
-)
-esac
-AC_SUBST(SERV_R_ARGS)
-AC_SUBST(SERV_R_BAD)
-AC_SUBST(SERV_R_COPY)
-AC_SUBST(SERV_R_COPY_ARGS)
-AC_SUBST(SERV_R_OK)
-AC_SUBST(SERV_R_SETANSWER)
-AC_SUBST(SERV_R_RETURN)
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(endservent_r,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void endservent_r(void);
-]
-,
-,
-[
-SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
-SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-]
-,
-)
-,
-SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
-SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
-SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
-)
-esac
-AC_SUBST(SERV_R_END_RESULT)
-AC_SUBST(SERV_R_END_RETURN)
-AC_SUBST(SERV_R_ENT_ARGS)
-
-case $host in
-ia64-hp-hpux11.*)
-;;
-*)
-AC_CHECK_FUNC(setservent_r,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <netdb.h>
-void setservent_r(int);
-]
-,,
-[
-SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
-SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
-]
-,
-)
-,
-SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
-SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
-)
-esac
-AC_SUBST(SERV_R_SET_RESULT)
-AC_SUBST(SERV_R_SET_RETURN)
-
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-int innetgr(const char *netgroup, const char *host, const char *user, const char *domain);
-]
-,,
-[
-INNETGR_ARGS="#undef INNETGR_ARGS"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-int innetgr(char *netgroup, char *host, char *user, char *domain);
-]
-,,
-[
-INNETGR_ARGS="#define INNETGR_ARGS char *netgroup, char *host, char *user, char *domain"
-]
-,
-))
-
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-void setnetgrent(const char *);
-]
-,,
-[
-SETNETGRENT_ARGS="#undef SETNETGRENT_ARGS"
-]
-,
-AC_TRY_COMPILE(
-[
-#undef _REENTRANT
-#define _REENTRANT
-#undef __USE_MISC
-#define __USE_MISC
-#include <unistd.h>
-#include <netdb.h>
-void setnetgrent(char *);
-]
-,,
-[
-SETNETGRENT_ARGS="#define SETNETGRENT_ARGS char *netgroup"
-]
-,
-))
-AC_SUBST(SETNETGRENT_ARGS)
-AC_SUBST(INNETGR_ARGS)
-
-#
-# Random remaining OS-specific issues involving compiler warnings.
-# XXXDCL print messages to indicate some compensation is being done?
-#
-BROKEN_IN6ADDR_INIT_MACROS="#undef BROKEN_IN6ADDR_INIT_MACROS"
-
-case "$host" in
- *-aix5.1.*)
- hack_shutup_pthreadmutexinit=yes
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-bsdi3.1*)
- hack_shutup_sputaux=yes
- ;;
- *-bsdi4.0*)
- hack_shutup_sigwait=yes
- hack_shutup_sputaux=yes
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-bsdi4.1*)
- hack_shutup_stdargcast=yes
- ;;
- *-hpux11.11)
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-osf5.1|*-osf5.1b)
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-solaris2.8)
- hack_shutup_in6addr_init_macros=yes
- ;;
- *-solaris2.9)
- hack_shutup_in6addr_init_macros=yes
- ;;
-esac
-
-case "$hack_shutup_pthreadmutexinit" in
- yes)
- #
- # Shut up PTHREAD_MUTEX_INITIALIZER unbraced
- # initializer warnings.
- #
- AC_DEFINE(SHUTUP_MUTEX_INITIALIZER)
- ;;
-esac
-
-case "$hack_shutup_sigwait" in
- yes)
- #
- # Shut up a -Wmissing-prototypes warning for sigwait().
- #
- AC_DEFINE(SHUTUP_SIGWAIT)
- ;;
-esac
-
-case "$hack_shutup_sputaux" in
- yes)
- #
- # Shut up a -Wmissing-prototypes warning from <stdio.h>.
- #
- AC_DEFINE(SHUTUP_SPUTAUX)
- ;;
-esac
-
-case "$hack_shutup_stdargcast" in
- yes)
- #
- # Shut up a -Wcast-qual warning from va_start().
- #
- AC_DEFINE(SHUTUP_STDARG_CAST)
- ;;
-esac
-
-case "$hack_shutup_in6addr_init_macros" in
- yes)
- AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS)
- ;;
-esac
-
-#
-# Substitutions
-#
-AC_SUBST(BIND9_TOP_BUILDDIR)
-BIND9_TOP_BUILDDIR=`pwd`
-
-AC_SUBST_FILE(BIND9_INCLUDES)
-BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
-
-AC_SUBST_FILE(BIND9_MAKE_RULES)
-BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
-
-. $srcdir/../../version
-BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
-AC_SUBST(BIND9_VERSION)
-
-AC_SUBST_FILE(LIBBIND_API)
-LIBBIND_API=$srcdir/api
-
-AC_OUTPUT(
- make/rules
- make/mkdep
- make/includes
- Makefile
- bsd/Makefile
- dst/Makefile
- include/Makefile
- inet/Makefile
- irs/Makefile
- isc/Makefile
- nameser/Makefile
- port_after.h
- port_before.h
- resolv/Makefile
- port/Makefile
- ${PORT_DIR}/Makefile
- ${PORT_INCLUDE}/Makefile
-)
-
-# Tell Emacs to edit this file in shell mode.
-# Local Variables:
-# mode: sh
-# End:
diff --git a/contrib/bind9/lib/bind/dst/Makefile.in b/contrib/bind9/lib/bind/dst/Makefile.in
deleted file mode 100644
index 8b306591708e..000000000000
--- a/contrib/bind9/lib/bind/dst/Makefile.in
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:13:22 marka Exp $
-
-srcdir= @srcdir@
-VPATH = @srcdir@
-
-OBJS= dst_api.@O@ hmac_link.@O@ md5_dgst.@O@ support.@O@
-
-SRCS= dst_api.c hmac_link.c md5_dgst.c support.c
-
-TARGETS= ${OBJS}
-
-CRYPTFLAGS= -DCYLINK_DSS -DHMAC_MD5 -DUSE_MD5 -DDNSSAFE
-
-CINCLUDES= -I.. -I${srcdir}/../include ${CRYPTINCL}
-CDEFINES= ${CRYPTFLAGS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/dst/dst_api.c b/contrib/bind9/lib/bind/dst/dst_api.c
deleted file mode 100644
index 51dfd0b8910b..000000000000
--- a/contrib/bind9/lib/bind/dst/dst_api.c
+++ /dev/null
@@ -1,1051 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6.8.3 2005/10/11 00:48:14 marka Exp $";
-#endif
-
-/*
- * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
- *
- * Permission to use, copy modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
- */
-/*
- * This file contains the interface between the DST API and the crypto API.
- * This is the only file that needs to be changed if the crypto system is
- * changed. Exported functions are:
- * void dst_init() Initialize the toolkit
- * int dst_check_algorithm() Function to determines if alg is suppored.
- * int dst_compare_keys() Function to compare two keys for equality.
- * int dst_sign_data() Incremental signing routine.
- * int dst_verify_data() Incremental verify routine.
- * int dst_generate_key() Function to generate new KEY
- * DST_KEY *dst_read_key() Function to retrieve private/public KEY.
- * void dst_write_key() Function to write out a key.
- * DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST
- * KEY structure.
- * int dst_key_to_dnskey() Function to return a public key in DNS
- * format binary
- * DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY
- * int *dst_key_to_buffer() Writes out DST_KEY key matterial in buffer
- * void dst_free_key() Releases all memory referenced by key structure
- */
-
-#include "port_before.h"
-#include <stdio.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <memory.h>
-#include <ctype.h>
-#include <time.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include "dst_internal.h"
-#include "port_after.h"
-
-/* static variables */
-static int done_init = 0;
-dst_func *dst_t_func[DST_MAX_ALGS];
-const char *key_file_fmt_str = "Private-key-format: v%s\nAlgorithm: %d (%s)\n";
-const char *dst_path = "";
-
-/* internal I/O functions */
-static DST_KEY *dst_s_read_public_key(const char *in_name,
- const u_int16_t in_id, int in_alg);
-static int dst_s_read_private_key_file(char *name, DST_KEY *pk_key,
- u_int16_t in_id, int in_alg);
-static int dst_s_write_public_key(const DST_KEY *key);
-static int dst_s_write_private_key(const DST_KEY *key);
-
-/* internal function to set up data structure */
-static DST_KEY *dst_s_get_key_struct(const char *name, const int alg,
- const int flags, const int protocol,
- const int bits);
-
-/*
- * dst_init
- * This function initializes the Digital Signature Toolkit.
- * Right now, it just checks the DSTKEYPATH environment variable.
- * Parameters
- * none
- * Returns
- * none
- */
-void
-dst_init()
-{
- char *s;
- int len;
-
- if (done_init != 0)
- return;
- done_init = 1;
-
- s = getenv("DSTKEYPATH");
- len = 0;
- if (s) {
- struct stat statbuf;
-
- len = strlen(s);
- if (len > PATH_MAX) {
- EREPORT(("%s is longer than %d characters, ignoring\n",
- s, PATH_MAX));
- } else if (stat(s, &statbuf) != 0 || !S_ISDIR(statbuf.st_mode)) {
- EREPORT(("%s is not a valid directory\n", s));
- } else {
- char *tmp;
- tmp = (char *) malloc(len + 2);
- memcpy(tmp, s, len + 1);
- if (tmp[strlen(tmp) - 1] != '/') {
- tmp[strlen(tmp) + 1] = 0;
- tmp[strlen(tmp)] = '/';
- }
- dst_path = tmp;
- }
- }
- memset(dst_t_func, 0, sizeof(dst_t_func));
- /* first one is selected */
- dst_hmac_md5_init();
-}
-
-/*
- * dst_check_algorithm
- * This function determines if the crypto system for the specified
- * algorithm is present.
- * Parameters
- * alg 1 KEY_RSA
- * 3 KEY_DSA
- * 157 KEY_HMAC_MD5
- * future algorithms TBD and registered with IANA.
- * Returns
- * 1 - The algorithm is available.
- * 0 - The algorithm is not available.
- */
-int
-dst_check_algorithm(const int alg)
-{
- return (dst_t_func[alg] != NULL);
-}
-
-/*
- * dst_s_get_key_struct
- * This function allocates key structure and fills in some of the
- * fields of the structure.
- * Parameters:
- * name: the name of the key
- * alg: the algorithm number
- * flags: the dns flags of the key
- * protocol: the dns protocol of the key
- * bits: the size of the key
- * Returns:
- * NULL if error
- * valid pointer otherwise
- */
-static DST_KEY *
-dst_s_get_key_struct(const char *name, const int alg, const int flags,
- const int protocol, const int bits)
-{
- DST_KEY *new_key = NULL;
-
- if (dst_check_algorithm(alg)) /* make sure alg is available */
- new_key = (DST_KEY *) malloc(sizeof(*new_key));
- if (new_key == NULL)
- return (NULL);
-
- memset(new_key, 0, sizeof(*new_key));
- new_key->dk_key_name = strdup(name);
- new_key->dk_alg = alg;
- new_key->dk_flags = flags;
- new_key->dk_proto = protocol;
- new_key->dk_KEY_struct = NULL;
- new_key->dk_key_size = bits;
- new_key->dk_func = dst_t_func[alg];
- return (new_key);
-}
-
-/*
- * dst_compare_keys
- * Compares two keys for equality.
- * Parameters
- * key1, key2 Two keys to be compared.
- * Returns
- * 0 The keys are equal.
- * non-zero The keys are not equal.
- */
-
-int
-dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
-{
- if (key1 == key2)
- return (0);
- if (key1 == NULL || key2 == NULL)
- return (4);
- if (key1->dk_alg != key2->dk_alg)
- return (1);
- if (key1->dk_key_size != key2->dk_key_size)
- return (2);
- if (key1->dk_id != key2->dk_id)
- return (3);
- return (key1->dk_func->compare(key1, key2));
-}
-
-
-/*
- * dst_sign_data
- * An incremental signing function. Data is signed in steps.
- * First the context must be initialized (SIG_MODE_INIT).
- * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
- * itself is created (SIG_MODE_FINAL). This function can be called
- * once with INIT, UPDATE and FINAL modes all set, or it can be
- * called separately with a different mode set for each step. The
- * UPDATE step can be repeated.
- * Parameters
- * mode A bit mask used to specify operation(s) to be performed.
- * SIG_MODE_INIT 1 Initialize digest
- * SIG_MODE_UPDATE 2 Add data to digest
- * SIG_MODE_FINAL 4 Generate signature
- * from signature
- * SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL
- * data Data to be signed.
- * len The length in bytes of data to be signed.
- * in_key Contains a private key to sign with.
- * KEY structures should be handled (created, converted,
- * compared, stored, freed) by the DST.
- * signature
- * The location to which the signature will be written.
- * sig_len Length of the signature field in bytes.
- * Return
- * 0 Successfull INIT or Update operation
- * >0 success FINAL (sign) operation
- * <0 failure
- */
-
-int
-dst_sign_data(const int mode, DST_KEY *in_key, void **context,
- const u_char *data, const int len,
- u_char *signature, const int sig_len)
-{
- DUMP(data, mode, len, "dst_sign_data()");
-
- if (mode & SIG_MODE_FINAL &&
- (in_key->dk_KEY_struct == NULL || signature == NULL))
- return (MISSING_KEY_OR_SIGNATURE);
-
- if (in_key->dk_func && in_key->dk_func->sign)
- return (in_key->dk_func->sign(mode, in_key, context, data, len,
- signature, sig_len));
- return (UNKNOWN_KEYALG);
-}
-
-
-/*
- * dst_verify_data
- * An incremental verify function. Data is verified in steps.
- * First the context must be initialized (SIG_MODE_INIT).
- * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
- * is verified (SIG_MODE_FINAL). This function can be called
- * once with INIT, UPDATE and FINAL modes all set, or it can be
- * called separately with a different mode set for each step. The
- * UPDATE step can be repeated.
- * Parameters
- * mode Operations to perform this time.
- * SIG_MODE_INIT 1 Initialize digest
- * SIG_MODE_UPDATE 2 add data to digest
- * SIG_MODE_FINAL 4 verify signature
- * SIG_MODE_ALL
- * (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL)
- * data Data to pass through the hash function.
- * len Length of the data in bytes.
- * in_key Key for verification.
- * signature Location of signature.
- * sig_len Length of the signature in bytes.
- * Returns
- * 0 Verify success
- * Non-Zero Verify Failure
- */
-
-int
-dst_verify_data(const int mode, DST_KEY *in_key, void **context,
- const u_char *data, const int len,
- const u_char *signature, const int sig_len)
-{
- DUMP(data, mode, len, "dst_verify_data()");
- if (mode & SIG_MODE_FINAL &&
- (in_key->dk_KEY_struct == NULL || signature == NULL))
- return (MISSING_KEY_OR_SIGNATURE);
-
- if (in_key->dk_func == NULL || in_key->dk_func->verify == NULL)
- return (UNSUPPORTED_KEYALG);
- return (in_key->dk_func->verify(mode, in_key, context, data, len,
- signature, sig_len));
-}
-
-
-/*
- * dst_read_private_key
- * Access a private key. First the list of private keys that have
- * already been read in is searched, then the key accessed on disk.
- * If the private key can be found, it is returned. If the key cannot
- * be found, a null pointer is returned. The options specify required
- * key characteristics. If the private key requested does not have
- * these characteristics, it will not be read.
- * Parameters
- * in_keyname The private key name.
- * in_id The id of the private key.
- * options DST_FORCE_READ Read from disk - don't use a previously
- * read key.
- * DST_CAN_SIGN The key must be useable for signing.
- * DST_NO_AUTHEN The key must be useable for authentication.
- * DST_STANDARD Return any key
- * Returns
- * NULL If there is no key found in the current directory or
- * this key has not been loaded before.
- * !NULL Success - KEY structure returned.
- */
-
-DST_KEY *
-dst_read_key(const char *in_keyname, const u_int16_t in_id,
- const int in_alg, const int type)
-{
- char keyname[PATH_MAX];
- DST_KEY *dg_key = NULL, *pubkey = NULL;
-
- if (!dst_check_algorithm(in_alg)) { /* make sure alg is available */
- EREPORT(("dst_read_private_key(): Algorithm %d not suppored\n",
- in_alg));
- return (NULL);
- }
- if ((type & (DST_PUBLIC | DST_PRIVATE)) == 0)
- return (NULL);
- if (in_keyname == NULL) {
- EREPORT(("dst_read_private_key(): Null key name passed in\n"));
- return (NULL);
- } else if (strlen(in_keyname) >= sizeof(keyname)) {
- EREPORT(("dst_read_private_key(): keyname too big\n"));
- return (NULL);
- } else
- strcpy(keyname, in_keyname);
-
- /* before I read in the public key, check if it is allowed to sign */
- if ((pubkey = dst_s_read_public_key(keyname, in_id, in_alg)) == NULL)
- return (NULL);
-
- if (type == DST_PUBLIC)
- return pubkey;
-
- if (!(dg_key = dst_s_get_key_struct(keyname, pubkey->dk_alg,
- pubkey->dk_flags, pubkey->dk_proto,
- 0)))
- return (dg_key);
- /* Fill in private key and some fields in the general key structure */
- if (dst_s_read_private_key_file(keyname, dg_key, pubkey->dk_id,
- pubkey->dk_alg) == 0)
- dg_key = dst_free_key(dg_key);
-
- pubkey = dst_free_key(pubkey);
- return (dg_key);
-}
-
-int
-dst_write_key(const DST_KEY *key, const int type)
-{
- int pub = 0, priv = 0;
-
- if (key == NULL)
- return (0);
- if (!dst_check_algorithm(key->dk_alg)) { /* make sure alg is available */
- EREPORT(("dst_write_key(): Algorithm %d not suppored\n",
- key->dk_alg));
- return (UNSUPPORTED_KEYALG);
- }
- if ((type & (DST_PRIVATE|DST_PUBLIC)) == 0)
- return (0);
-
- if (type & DST_PUBLIC)
- if ((pub = dst_s_write_public_key(key)) < 0)
- return (pub);
- if (type & DST_PRIVATE)
- if ((priv = dst_s_write_private_key(key)) < 0)
- return (priv);
- return (priv+pub);
-}
-
-/*
- * dst_write_private_key
- * Write a private key to disk. The filename will be of the form:
- * K<key->dk_name>+<key->dk_alg>+<key->dk_id>.<private key suffix>.
- * If there is already a file with this name, an error is returned.
- *
- * Parameters
- * key A DST managed key structure that contains
- * all information needed about a key.
- * Return
- * >= 0 Correct behavior. Returns length of encoded key value
- * written to disk.
- * < 0 error.
- */
-
-static int
-dst_s_write_private_key(const DST_KEY *key)
-{
- u_char encoded_block[RAW_KEY_SIZE];
- char file[PATH_MAX];
- int len;
- FILE *fp;
-
- /* First encode the key into the portable key format */
- if (key == NULL)
- return (-1);
- if (key->dk_KEY_struct == NULL)
- return (0); /* null key has no private key */
-
- if (key->dk_func == NULL || key->dk_func->to_file_fmt == NULL) {
- EREPORT(("dst_write_private_key(): Unsupported operation %d\n",
- key->dk_alg));
- return (-5);
- } else if ((len = key->dk_func->to_file_fmt(key, (char *)encoded_block,
- sizeof(encoded_block))) <= 0) {
- EREPORT(("dst_write_private_key(): Failed encoding private RSA bsafe key %d\n", len));
- return (-8);
- }
- /* Now I can create the file I want to use */
- dst_s_build_filename(file, key->dk_key_name, key->dk_id, key->dk_alg,
- PRIVATE_KEY, PATH_MAX);
-
- /* Do not overwrite an existing file */
- if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) {
- int nn;
- if ((nn = fwrite(encoded_block, 1, len, fp)) != len) {
- EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n",
- file, len, nn, errno));
- return (-5);
- }
- fclose(fp);
- } else {
- EREPORT(("dst_write_private_key(): Can not create file %s\n"
- ,file));
- return (-6);
- }
- memset(encoded_block, 0, len);
- return (len);
-}
-
-/*
-*
- * dst_read_public_key
- * Read a public key from disk and store in a DST key structure.
- * Parameters
- * in_name K<in_name><in_id>.<public key suffix> is the
- * filename of the key file to be read.
- * Returns
- * NULL If the key does not exist or no name is supplied.
- * NON-NULL Initialized key structure if the key exists.
- */
-
-static DST_KEY *
-dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg)
-{
- int flags, proto, alg, len, dlen;
- int c;
- char name[PATH_MAX], enckey[RAW_KEY_SIZE], *notspace;
- u_char deckey[RAW_KEY_SIZE];
- FILE *fp;
-
- if (in_name == NULL) {
- EREPORT(("dst_read_public_key(): No key name given\n"));
- return (NULL);
- }
- if (dst_s_build_filename(name, in_name, in_id, in_alg, PUBLIC_KEY,
- PATH_MAX) == -1) {
- EREPORT(("dst_read_public_key(): Cannot make filename from %s, %d, and %s\n",
- in_name, in_id, PUBLIC_KEY));
- return (NULL);
- }
- /*
- * Open the file and read it's formatted contents up to key
- * File format:
- * domain.name [ttl] [IN] KEY <flags> <protocol> <algorithm> <key>
- * flags, proto, alg stored as decimal (or hex numbers FIXME).
- * (FIXME: handle parentheses for line continuation.)
- */
- if ((fp = dst_s_fopen(name, "r", 0)) == NULL) {
- EREPORT(("dst_read_public_key(): Public Key not found %s\n",
- name));
- return (NULL);
- }
- /* Skip domain name, which ends at first blank */
- while ((c = getc(fp)) != EOF)
- if (isspace(c))
- break;
- /* Skip blank to get to next field */
- while ((c = getc(fp)) != EOF)
- if (!isspace(c))
- break;
-
- /* Skip optional TTL -- if initial digit, skip whole word. */
- if (isdigit(c)) {
- while ((c = getc(fp)) != EOF)
- if (isspace(c))
- break;
- while ((c = getc(fp)) != EOF)
- if (!isspace(c))
- break;
- }
- /* Skip optional "IN" */
- if (c == 'I' || c == 'i') {
- while ((c = getc(fp)) != EOF)
- if (isspace(c))
- break;
- while ((c = getc(fp)) != EOF)
- if (!isspace(c))
- break;
- }
- /* Locate and skip "KEY" */
- if (c != 'K' && c != 'k') {
- EREPORT(("\"KEY\" doesn't appear in file: %s", name));
- return NULL;
- }
- while ((c = getc(fp)) != EOF)
- if (isspace(c))
- break;
- while ((c = getc(fp)) != EOF)
- if (!isspace(c))
- break;
- ungetc(c, fp); /* return the charcter to the input field */
- /* Handle hex!! FIXME. */
-
- if (fscanf(fp, "%d %d %d", &flags, &proto, &alg) != 3) {
- EREPORT(("dst_read_public_key(): Can not read flag/proto/alg field from %s\n"
- ,name));
- return (NULL);
- }
- /* read in the key string */
- fgets(enckey, sizeof(enckey), fp);
-
- /* If we aren't at end-of-file, something is wrong. */
- while ((c = getc(fp)) != EOF)
- if (!isspace(c))
- break;
- if (!feof(fp)) {
- EREPORT(("Key too long in file: %s", name));
- return NULL;
- }
- fclose(fp);
-
- if ((len = strlen(enckey)) <= 0)
- return (NULL);
-
- /* discard \n */
- enckey[--len] = '\0';
-
- /* remove leading spaces */
- for (notspace = (char *) enckey; isspace((*notspace)&0xff); len--)
- notspace++;
-
- dlen = b64_pton(notspace, deckey, sizeof(deckey));
- if (dlen < 0) {
- EREPORT(("dst_read_public_key: bad return from b64_pton = %d",
- dlen));
- return (NULL);
- }
- /* store key and info in a key structure that is returned */
-/* return dst_store_public_key(in_name, alg, proto, 666, flags, deckey,
- dlen);*/
- return dst_buffer_to_key(in_name, alg, flags, proto, deckey, dlen);
-}
-
-
-/*
- * dst_write_public_key
- * Write a key to disk in DNS format.
- * Parameters
- * key Pointer to a DST key structure.
- * Returns
- * 0 Failure
- * 1 Success
- */
-
-static int
-dst_s_write_public_key(const DST_KEY *key)
-{
- FILE *fp;
- char filename[PATH_MAX];
- u_char out_key[RAW_KEY_SIZE];
- char enc_key[RAW_KEY_SIZE];
- int len = 0;
- int mode;
-
- memset(out_key, 0, sizeof(out_key));
- if (key == NULL) {
- EREPORT(("dst_write_public_key(): No key specified \n"));
- return (0);
- } else if ((len = dst_key_to_dnskey(key, out_key, sizeof(out_key)))< 0)
- return (0);
-
- /* Make the filename */
- if (dst_s_build_filename(filename, key->dk_key_name, key->dk_id,
- key->dk_alg, PUBLIC_KEY, PATH_MAX) == -1) {
- EREPORT(("dst_write_public_key(): Cannot make filename from %s, %d, and %s\n",
- key->dk_key_name, key->dk_id, PUBLIC_KEY));
- return (0);
- }
- /* XXX in general this should be a check for symmetric keys */
- mode = (key->dk_alg == KEY_HMAC_MD5) ? 0600 : 0644;
- /* create public key file */
- if ((fp = dst_s_fopen(filename, "w+", mode)) == NULL) {
- EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n",
- filename, errno));
- return (0);
- }
- /*write out key first base64 the key data */
- if (key->dk_flags & DST_EXTEND_FLAG)
- b64_ntop(&out_key[6], len - 6, enc_key, sizeof(enc_key));
- else
- b64_ntop(&out_key[4], len - 4, enc_key, sizeof(enc_key));
- fprintf(fp, "%s IN KEY %d %d %d %s\n",
- key->dk_key_name,
- key->dk_flags, key->dk_proto, key->dk_alg, enc_key);
- fclose(fp);
- return (1);
-}
-
-
-/*
- * dst_dnskey_to_public_key
- * This function converts the contents of a DNS KEY RR into a DST
- * key structure.
- * Paramters
- * len Length of the RDATA of the KEY RR RDATA
- * rdata A pointer to the the KEY RR RDATA.
- * in_name Key name to be stored in key structure.
- * Returns
- * NULL Failure
- * NON-NULL Success. Pointer to key structure.
- * Caller's responsibility to free() it.
- */
-
-DST_KEY *
-dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
-{
- DST_KEY *key_st;
- int alg ;
- int start = DST_KEY_START;
-
- if (rdata == NULL || len <= DST_KEY_ALG) /* no data */
- return (NULL);
- alg = (u_int8_t) rdata[DST_KEY_ALG];
- if (!dst_check_algorithm(alg)) { /* make sure alg is available */
- EREPORT(("dst_dnskey_to_key(): Algorithm %d not suppored\n",
- alg));
- return (NULL);
- }
- if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
- return (NULL);
-
- if (in_name == NULL)
- return (NULL);
- key_st->dk_id = dst_s_dns_key_id(rdata, len);
- key_st->dk_flags = dst_s_get_int16(rdata);
- key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
- if (key_st->dk_flags & DST_EXTEND_FLAG) {
- u_int32_t ext_flags;
- ext_flags = (u_int32_t) dst_s_get_int16(&rdata[DST_EXT_FLAG]);
- key_st->dk_flags = key_st->dk_flags | (ext_flags << 16);
- start += 2;
- }
- /*
- * now point to the begining of the data representing the encoding
- * of the key
- */
- if (key_st->dk_func && key_st->dk_func->from_dns_key) {
- if (key_st->dk_func->from_dns_key(key_st, &rdata[start],
- len - start) > 0)
- return (key_st);
- } else
- EREPORT(("dst_dnskey_to_public_key(): unsuppored alg %d\n",
- alg));
-
- SAFE_FREE(key_st);
- return (key_st);
-}
-
-
-/*
- * dst_public_key_to_dnskey
- * Function to encode a public key into DNS KEY wire format
- * Parameters
- * key Key structure to encode.
- * out_storage Location to write the encoded key to.
- * out_len Size of the output array.
- * Returns
- * <0 Failure
- * >=0 Number of bytes written to out_storage
- */
-
-int
-dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
- const int out_len)
-{
- u_int16_t val;
- int loc = 0;
- int enc_len = 0;
- if (key == NULL)
- return (-1);
-
- if (!dst_check_algorithm(key->dk_alg)) { /* make sure alg is available */
- EREPORT(("dst_key_to_dnskey(): Algorithm %d not suppored\n",
- key->dk_alg));
- return (UNSUPPORTED_KEYALG);
- }
- memset(out_storage, 0, out_len);
- val = (u_int16_t)(key->dk_flags & 0xffff);
- dst_s_put_int16(out_storage, val);
- loc += 2;
-
- out_storage[loc++] = (u_char) key->dk_proto;
- out_storage[loc++] = (u_char) key->dk_alg;
-
- if (key->dk_flags > 0xffff) { /* Extended flags */
- val = (u_int16_t)((key->dk_flags >> 16) & 0xffff);
- dst_s_put_int16(&out_storage[loc], val);
- loc += 2;
- }
- if (key->dk_KEY_struct == NULL)
- return (loc);
- if (key->dk_func && key->dk_func->to_dns_key) {
- enc_len = key->dk_func->to_dns_key(key,
- (u_char *) &out_storage[loc],
- out_len - loc);
- if (enc_len > 0)
- return (enc_len + loc);
- else
- return (-1);
- } else
- EREPORT(("dst_key_to_dnskey(): Unsupported ALG %d\n",
- key->dk_alg));
- return (-1);
-}
-
-
-/*
- * dst_buffer_to_key
- * Function to encode a string of raw data into a DST key
- * Parameters
- * alg The algorithm (HMAC only)
- * key A pointer to the data
- * keylen The length of the data
- * Returns
- * NULL an error occurred
- * NON-NULL the DST key
- */
-DST_KEY *
-dst_buffer_to_key(const char *key_name, /* name of the key */
- const int alg, /* algorithm */
- const int flags, /* dns flags */
- const int protocol, /* dns protocol */
- const u_char *key_buf, /* key in dns wire fmt */
- const int key_len) /* size of key */
-{
-
- DST_KEY *dkey = NULL;
- int dnslen;
- u_char dns[2048];
-
- if (!dst_check_algorithm(alg)) { /* make sure alg is available */
- EREPORT(("dst_buffer_to_key(): Algorithm %d not suppored\n", alg));
- return (NULL);
- }
-
- dkey = dst_s_get_key_struct(key_name, alg, flags,
- protocol, -1);
-
- if (dkey == NULL)
- return (NULL);
- if (dkey->dk_func == NULL || dkey->dk_func->from_dns_key == NULL)
- return NULL;
-
- if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
- EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
- return (dst_free_key(dkey));
- }
-
- dnslen = dst_key_to_dnskey(dkey, dns, sizeof(dns));
- dkey->dk_id = dst_s_dns_key_id(dns, dnslen);
- return (dkey);
-}
-
-int
-dst_key_to_buffer(DST_KEY *key, u_char *out_buff, int buf_len)
-{
- int len;
- /* this function will extrac the secret of HMAC into a buffer */
- if (key == NULL)
- return (0);
- if (key->dk_func != NULL && key->dk_func->to_dns_key != NULL) {
- len = key->dk_func->to_dns_key(key, out_buff, buf_len);
- if (len < 0)
- return (0);
- return (len);
- }
- return (0);
-}
-
-
-/*
- * dst_s_read_private_key_file
- * Function reads in private key from a file.
- * Fills out the KEY structure.
- * Parameters
- * name Name of the key to be read.
- * pk_key Structure that the key is returned in.
- * in_id Key identifier (tag)
- * Return
- * 1 if everthing works
- * 0 if there is any problem
- */
-
-static int
-dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
- int in_alg)
-{
- int cnt, alg, len, major, minor, file_major, file_minor;
- int ret, id;
- char filename[PATH_MAX];
- u_char in_buff[RAW_KEY_SIZE], *p;
- FILE *fp;
- int dnslen;
- u_char dns[2048];
-
- if (name == NULL || pk_key == NULL) {
- EREPORT(("dst_read_private_key_file(): No key name given\n"));
- return (0);
- }
- /* Make the filename */
- if (dst_s_build_filename(filename, name, in_id, in_alg, PRIVATE_KEY,
- PATH_MAX) == -1) {
- EREPORT(("dst_read_private_key(): Cannot make filename from %s, %d, and %s\n",
- name, in_id, PRIVATE_KEY));
- return (0);
- }
- /* first check if we can find the key file */
- if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) {
- EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n",
- filename, dst_path[0] ? dst_path :
- (char *) getcwd(NULL, PATH_MAX - 1)));
- return (0);
- }
- /* now read the header info from the file */
- if ((cnt = fread(in_buff, 1, sizeof(in_buff), fp)) < 5) {
- fclose(fp);
- EREPORT(("dst_s_read_private_key_file: error reading file %s (empty file)\n",
- filename));
- return (0);
- }
- /* decrypt key */
- fclose(fp);
- if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
- goto fail;
- len = cnt;
- p = in_buff;
-
- if (!dst_s_verify_str((const char **) (void *)&p,
- "Private-key-format: v")) {
- EREPORT(("dst_s_read_private_key_file(): Not a Key file/Decrypt failed %s\n", name));
- goto fail;
- }
- /* read in file format */
- sscanf((char *)p, "%d.%d", &file_major, &file_minor);
- sscanf(KEY_FILE_FORMAT, "%d.%d", &major, &minor);
- if (file_major < 1) {
- EREPORT(("dst_s_read_private_key_file(): Unknown keyfile %d.%d version for %s\n",
- file_major, file_minor, name));
- goto fail;
- } else if (file_major > major || file_minor > minor)
- EREPORT((
- "dst_s_read_private_key_file(): Keyfile %s version higher than mine %d.%d MAY FAIL\n",
- name, file_major, file_minor));
-
- while (*p++ != '\n') ; /* skip to end of line */
-
- if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: "))
- goto fail;
-
- if (sscanf((char *)p, "%d", &alg) != 1)
- goto fail;
- while (*p++ != '\n') ; /* skip to end of line */
-
- if (pk_key->dk_key_name && !strcmp(pk_key->dk_key_name, name))
- SAFE_FREE2(pk_key->dk_key_name, strlen(pk_key->dk_key_name));
- pk_key->dk_key_name = (char *) strdup(name);
-
- /* allocate and fill in key structure */
- if (pk_key->dk_func == NULL || pk_key->dk_func->from_file_fmt == NULL)
- goto fail;
-
- ret = pk_key->dk_func->from_file_fmt(pk_key, (char *)p, &in_buff[len] - p);
- if (ret < 0)
- goto fail;
-
- dnslen = dst_key_to_dnskey(pk_key, dns, sizeof(dns));
- id = dst_s_dns_key_id(dns, dnslen);
-
- /* Make sure the actual key tag matches the input tag used in the filename
- */
- if (id != in_id) {
- EREPORT(("dst_s_read_private_key_file(): actual tag of key read %d != input tag used to build filename %d.\n", id, in_id));
- goto fail;
- }
- pk_key->dk_id = (u_int16_t) id;
- pk_key->dk_alg = alg;
- memset(in_buff, 0, cnt);
- return (1);
-
- fail:
- memset(in_buff, 0, cnt);
- return (0);
-}
-
-
-/*
- * dst_generate_key
- * Generate and store a public/private keypair.
- * Keys will be stored in formatted files.
- * Parameters
- * name Name of the new key. Used to create key files
- * K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private.
- * bits Size of the new key in bits.
- * exp What exponent to use:
- * 0 use exponent 3
- * non-zero use Fermant4
- * flags The default value of the DNS Key flags.
- * The DNS Key RR Flag field is defined in RFC 2065,
- * section 3.3. The field has 16 bits.
- * protocol
- * Default value of the DNS Key protocol field.
- * The DNS Key protocol field is defined in RFC 2065,
- * section 3.4. The field has 8 bits.
- * alg What algorithm to use. Currently defined:
- * KEY_RSA 1
- * KEY_DSA 3
- * KEY_HMAC 157
- * out_id The key tag is returned.
- *
- * Return
- * NULL Failure
- * non-NULL the generated key pair
- * Caller frees the result, and its dk_name pointer.
- */
-DST_KEY *
-dst_generate_key(const char *name, const int bits, const int exp,
- const int flags, const int protocol, const int alg)
-{
- DST_KEY *new_key = NULL;
- int dnslen;
- u_char dns[2048];
-
- if (name == NULL)
- return (NULL);
-
- if (!dst_check_algorithm(alg)) { /* make sure alg is available */
- EREPORT(("dst_generate_key(): Algorithm %d not suppored\n", alg));
- return (NULL);
- }
-
- new_key = dst_s_get_key_struct(name, alg, flags, protocol, bits);
- if (new_key == NULL)
- return (NULL);
- if (bits == 0) /* null key we are done */
- return (new_key);
- if (new_key->dk_func == NULL || new_key->dk_func->generate == NULL) {
- EREPORT(("dst_generate_key_pair():Unsupported algorithm %d\n",
- alg));
- return (dst_free_key(new_key));
- }
- if (new_key->dk_func->generate(new_key, exp) <= 0) {
- EREPORT(("dst_generate_key_pair(): Key generation failure %s %d %d %d\n",
- new_key->dk_key_name, new_key->dk_alg,
- new_key->dk_key_size, exp));
- return (dst_free_key(new_key));
- }
-
- dnslen = dst_key_to_dnskey(new_key, dns, sizeof(dns));
- if (dnslen != UNSUPPORTED_KEYALG)
- new_key->dk_id = dst_s_dns_key_id(dns, dnslen);
- else
- new_key->dk_id = 0;
-
- return (new_key);
-}
-
-
-/*
- * dst_free_key
- * Release all data structures pointed to by a key structure.
- * Parameters
- * f_key Key structure to be freed.
- */
-
-DST_KEY *
-dst_free_key(DST_KEY *f_key)
-{
-
- if (f_key == NULL)
- return (f_key);
- if (f_key->dk_func && f_key->dk_func->destroy)
- f_key->dk_KEY_struct =
- f_key->dk_func->destroy(f_key->dk_KEY_struct);
- else {
- EREPORT(("dst_free_key(): Unknown key alg %d\n",
- f_key->dk_alg));
- free(f_key->dk_KEY_struct); /* SHOULD NOT happen */
- }
- if (f_key->dk_KEY_struct) {
- free(f_key->dk_KEY_struct);
- f_key->dk_KEY_struct = NULL;
- }
- if (f_key->dk_key_name)
- SAFE_FREE(f_key->dk_key_name);
- SAFE_FREE(f_key);
- return (NULL);
-}
-
-/*
- * dst_sig_size
- * Return the maximim size of signature from the key specified in bytes
- * Parameters
- * key
- * Returns
- * bytes
- */
-int
-dst_sig_size(DST_KEY *key) {
- switch (key->dk_alg) {
- case KEY_HMAC_MD5:
- return (16);
- case KEY_HMAC_SHA1:
- return (20);
- case KEY_RSA:
- return (key->dk_key_size + 7) / 8;
- case KEY_DSA:
- return (40);
- default:
- EREPORT(("dst_sig_size(): Unknown key alg %d\n", key->dk_alg));
- return -1;
- }
-}
diff --git a/contrib/bind9/lib/bind/dst/dst_internal.h b/contrib/bind9/lib/bind/dst/dst_internal.h
deleted file mode 100644
index 928650a72650..000000000000
--- a/contrib/bind9/lib/bind/dst/dst_internal.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#ifndef DST_INTERNAL_H
-#define DST_INTERNAL_H
-
-/*
- * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
- *
- * Permission to use, copy modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
- */
-#include <limits.h>
-#include <sys/param.h>
-#if (!defined(BSD)) || (BSD < 199306)
-# include <sys/bitypes.h>
-#else
-# include <sys/types.h>
-#endif
-
-#ifndef PATH_MAX
-# ifdef POSIX_PATH_MAX
-# define PATH_MAX POSIX_PATH_MAX
-# else
-# define PATH_MAX 255 /* this is the value of POSIX_PATH_MAX */
-# endif
-#endif
-
-typedef struct dst_key {
- char *dk_key_name; /* name of the key */
- int dk_key_size; /* this is the size of the key in bits */
- int dk_proto; /* what protocols this key can be used for */
- int dk_alg; /* algorithm number from key record */
- u_int32_t dk_flags; /* and the flags of the public key */
- u_int16_t dk_id; /* identifier of the key */
- void *dk_KEY_struct; /* pointer to key in crypto pkg fmt */
- struct dst_func *dk_func; /* point to cryptto pgk specific function table */
-} DST_KEY;
-#define HAS_DST_KEY
-
-#include <isc/dst.h>
-/*
- * define what crypto systems are supported for RSA,
- * BSAFE is prefered over RSAREF; only one can be set at any time
- */
-#if defined(BSAFE) && defined(RSAREF)
-# error "Cannot have both BSAFE and RSAREF defined"
-#endif
-
-/* Declare dst_lib specific constants */
-#define KEY_FILE_FORMAT "1.2"
-
-/* suffixes for key file names */
-#define PRIVATE_KEY "private"
-#define PUBLIC_KEY "key"
-
-/* error handling */
-#ifdef REPORT_ERRORS
-#define EREPORT(str) printf str
-#else
-#define EREPORT(str) (void)0
-#endif
-
-/* use our own special macro to FRRE memory */
-
-#ifndef SAFE_FREE
-#define SAFE_FREE(a) \
-do{if(a != NULL){memset(a,0, sizeof(*a)); free(a); a=NULL;}} while (0)
-#define SAFE_FREE2(a,s) if (a != NULL && (long)s > 0){memset(a,0, s);free(a); a=NULL;}
-#endif
-
-typedef struct dst_func {
- int (*sign)(const int mode, DST_KEY *key, void **context,
- const u_int8_t *data, const int len,
- u_int8_t *signature, const int sig_len);
- int (*verify)(const int mode, DST_KEY *key, void **context,
- const u_int8_t *data, const int len,
- const u_int8_t *signature, const int sig_len);
- int (*compare)(const DST_KEY *key1, const DST_KEY *key2);
- int (*generate)(DST_KEY *key, int parms);
- void *(*destroy)(void *key);
- /* conversion functions */
- int (*to_dns_key)(const DST_KEY *key, u_int8_t *out,
- const int out_len);
- int (*from_dns_key)(DST_KEY *key, const u_int8_t *str,
- const int str_len);
- int (*to_file_fmt)(const DST_KEY *key, char *out,
- const int out_len);
- int (*from_file_fmt)(DST_KEY *key, const char *out,
- const int out_len);
-
-} dst_func;
-
-extern dst_func *dst_t_func[DST_MAX_ALGS];
-extern const char *key_file_fmt_str;
-extern const char *dst_path;
-
-#ifndef DST_HASH_SIZE
-#define DST_HASH_SIZE 20 /* RIPEMD160 and SHA-1 are 20 bytes MD5 is 16 */
-#endif
-
-int dst_bsafe_init(void);
-
-int dst_rsaref_init(void);
-
-int dst_hmac_md5_init(void);
-
-int dst_cylink_init(void);
-
-int dst_eay_dss_init(void);
-
-/* from higher level support routines */
-int dst_s_calculate_bits( const u_int8_t *str, const int max_bits);
-int dst_s_verify_str( const char **buf, const char *str);
-
-
-/* conversion between dns names and key file names */
-size_t dst_s_filename_length( const char *name, const char *suffix);
-int dst_s_build_filename( char *filename, const char *name,
- u_int16_t id, int alg, const char *suffix,
- size_t filename_length);
-
-FILE *dst_s_fopen (const char *filename, const char *mode, int perm);
-
-/*
- * read and write network byte order into u_int?_t
- * all of these should be retired
- */
-u_int16_t dst_s_get_int16( const u_int8_t *buf);
-void dst_s_put_int16( u_int8_t *buf, const u_int16_t val);
-
-u_int32_t dst_s_get_int32( const u_int8_t *buf);
-void dst_s_put_int32( u_int8_t *buf, const u_int32_t val);
-
-#ifdef DUMP
-# undef DUMP
-# define DUMP(a,b,c,d) dst_s_dump(a,b,c,d)
-#else
-# define DUMP(a,b,c,d)
-#endif
-void
-dst_s_dump(const int mode, const u_char *data, const int size,
- const char *msg);
-
-
-
-#endif /* DST_INTERNAL_H */
diff --git a/contrib/bind9/lib/bind/dst/hmac_link.c b/contrib/bind9/lib/bind/dst/hmac_link.c
deleted file mode 100644
index aa66c80ec0d1..000000000000
--- a/contrib/bind9/lib/bind/dst/hmac_link.c
+++ /dev/null
@@ -1,479 +0,0 @@
-#ifdef HMAC_MD5
-#ifndef LINT
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1.4.1 2005/07/28 07:43:16 marka Exp $";
-#endif
-/*
- * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
- *
- * Permission to use, copy modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
- */
-
-/*
- * This file contains an implementation of the HMAC-MD5 algorithm.
- */
-#include "port_before.h"
-
-#include <stdio.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <memory.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include "dst_internal.h"
-
-#ifdef USE_MD5
-# ifndef HAVE_MD5
-# include "md5.h"
-# else
-# ifdef SOLARIS2
-# include <sys/md5.h>
-# endif
-# endif
-# ifndef _MD5_H_
-# define _MD5_H_ 1 /* make sure we do not include rsaref md5.h file */
-# endif
-#endif
-
-#include "port_after.h"
-
-
-#define HMAC_LEN 64
-#define HMAC_IPAD 0x36
-#define HMAC_OPAD 0x5c
-#define MD5_LEN 16
-
-
-typedef struct hmackey {
- u_char hk_ipad[64], hk_opad[64];
-} HMAC_Key;
-
-
-/**************************************************************************
- * dst_hmac_md5_sign
- * Call HMAC signing functions to sign a block of data.
- * There are three steps to signing, INIT (initialize structures),
- * UPDATE (hash (more) data), FINAL (generate a signature). This
- * routine performs one or more of these steps.
- * Parameters
- * mode SIG_MODE_INIT, SIG_MODE_UPDATE and/or SIG_MODE_FINAL.
- * priv_key key to use for signing.
- * context the context to be used in this digest
- * data data to be signed.
- * len length in bytes of data.
- * signature location to store signature.
- * sig_len size of the signature location
- * returns
- * N Success on SIG_MODE_FINAL = returns signature length in bytes
- * 0 Success on SIG_MODE_INIT and UPDATE
- * <0 Failure
- */
-
-static int
-dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
- const u_char *data, const int len,
- u_char *signature, const int sig_len)
-{
- HMAC_Key *key;
- int sign_len = 0;
- MD5_CTX *ctx = NULL;
-
- if (mode & SIG_MODE_INIT)
- ctx = (MD5_CTX *) malloc(sizeof(*ctx));
- else if (context)
- ctx = (MD5_CTX *) *context;
- if (ctx == NULL)
- return (-1);
-
- if (d_key == NULL || d_key->dk_KEY_struct == NULL)
- return (-1);
- key = (HMAC_Key *) d_key->dk_KEY_struct;
-
- if (mode & SIG_MODE_INIT) {
- MD5Init(ctx);
- MD5Update(ctx, key->hk_ipad, HMAC_LEN);
- }
-
- if ((mode & SIG_MODE_UPDATE) && (data && len > 0))
- MD5Update(ctx, data, len);
-
- if (mode & SIG_MODE_FINAL) {
- if (signature == NULL || sig_len < MD5_LEN)
- return (SIGN_FINAL_FAILURE);
- MD5Final(signature, ctx);
-
- /* perform outer MD5 */
- MD5Init(ctx);
- MD5Update(ctx, key->hk_opad, HMAC_LEN);
- MD5Update(ctx, signature, MD5_LEN);
- MD5Final(signature, ctx);
- sign_len = MD5_LEN;
- SAFE_FREE(ctx);
- }
- else {
- if (context == NULL)
- return (-1);
- *context = (void *) ctx;
- }
- return (sign_len);
-}
-
-
-/**************************************************************************
- * dst_hmac_md5_verify()
- * Calls HMAC verification routines. There are three steps to
- * verification, INIT (initialize structures), UPDATE (hash (more) data),
- * FINAL (generate a signature). This routine performs one or more of
- * these steps.
- * Parameters
- * mode SIG_MODE_INIT, SIG_MODE_UPDATE and/or SIG_MODE_FINAL.
- * dkey key to use for verify.
- * data data signed.
- * len length in bytes of data.
- * signature signature.
- * sig_len length in bytes of signature.
- * returns
- * 0 Success
- * <0 Failure
- */
-
-static int
-dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
- const u_char *data, const int len,
- const u_char *signature, const int sig_len)
-{
- HMAC_Key *key;
- MD5_CTX *ctx = NULL;
-
- if (mode & SIG_MODE_INIT)
- ctx = (MD5_CTX *) malloc(sizeof(*ctx));
- else if (context)
- ctx = (MD5_CTX *) *context;
- if (ctx == NULL)
- return (-1);
-
- if (d_key == NULL || d_key->dk_KEY_struct == NULL)
- return (-1);
-
- key = (HMAC_Key *) d_key->dk_KEY_struct;
- if (mode & SIG_MODE_INIT) {
- MD5Init(ctx);
- MD5Update(ctx, key->hk_ipad, HMAC_LEN);
- }
- if ((mode & SIG_MODE_UPDATE) && (data && len > 0))
- MD5Update(ctx, data, len);
-
- if (mode & SIG_MODE_FINAL) {
- u_char digest[MD5_LEN];
- if (signature == NULL || key == NULL || sig_len != MD5_LEN)
- return (VERIFY_FINAL_FAILURE);
- MD5Final(digest, ctx);
-
- /* perform outer MD5 */
- MD5Init(ctx);
- MD5Update(ctx, key->hk_opad, HMAC_LEN);
- MD5Update(ctx, digest, MD5_LEN);
- MD5Final(digest, ctx);
-
- SAFE_FREE(ctx);
- if (memcmp(digest, signature, MD5_LEN) != 0)
- return (VERIFY_FINAL_FAILURE);
- }
- else {
- if (context == NULL)
- return (-1);
- *context = (void *) ctx;
- }
- return (0);
-}
-
-
-/**************************************************************************
- * dst_buffer_to_hmac_md5
- * Converts key from raw data to an HMAC Key
- * This function gets in a pointer to the data
- * Parameters
- * hkey the HMAC key to be filled in
- * key the key in raw format
- * keylen the length of the key
- * Return
- * 0 Success
- * <0 Failure
- */
-static int
-dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen)
-{
- int i;
- HMAC_Key *hkey = NULL;
- MD5_CTX ctx;
- int local_keylen = keylen;
-
- if (dkey == NULL || key == NULL || keylen < 0)
- return (-1);
-
- if ((hkey = (HMAC_Key *) malloc(sizeof(HMAC_Key))) == NULL)
- return (-2);
-
- memset(hkey->hk_ipad, 0, sizeof(hkey->hk_ipad));
- memset(hkey->hk_opad, 0, sizeof(hkey->hk_opad));
-
- /* if key is longer than HMAC_LEN bytes reset it to key=MD5(key) */
- if (keylen > HMAC_LEN) {
- u_char tk[MD5_LEN];
- MD5Init(&ctx);
- MD5Update(&ctx, key, keylen);
- MD5Final(tk, &ctx);
- memset((void *) &ctx, 0, sizeof(ctx));
- key = tk;
- local_keylen = MD5_LEN;
- }
- /* start out by storing key in pads */
- memcpy(hkey->hk_ipad, key, local_keylen);
- memcpy(hkey->hk_opad, key, local_keylen);
-
- /* XOR key with hk_ipad and opad values */
- for (i = 0; i < HMAC_LEN; i++) {
- hkey->hk_ipad[i] ^= HMAC_IPAD;
- hkey->hk_opad[i] ^= HMAC_OPAD;
- }
- dkey->dk_key_size = local_keylen;
- dkey->dk_KEY_struct = (void *) hkey;
- return (1);
-}
-
-
-/**************************************************************************
- * dst_hmac_md5_key_to_file_format
- * Encodes an HMAC Key into the portable file format.
- * Parameters
- * hkey HMAC KEY structure
- * buff output buffer
- * buff_len size of output buffer
- * Return
- * 0 Failure - null input hkey
- * -1 Failure - not enough space in output area
- * N Success - Length of data returned in buff
- */
-
-static int
-dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
- const int buff_len)
-{
- char *bp;
- int len, b_len, i, key_len;
- u_char key[HMAC_LEN];
- HMAC_Key *hkey;
-
- if (dkey == NULL || dkey->dk_KEY_struct == NULL)
- return (0);
- if (buff == NULL || buff_len <= (int) strlen(key_file_fmt_str))
- return (-1); /* no OR not enough space in output area */
-
- hkey = (HMAC_Key *) dkey->dk_KEY_struct;
- memset(buff, 0, buff_len); /* just in case */
- /* write file header */
- sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
-
- bp = (char *) strchr(buff, '\0');
- b_len = buff_len - (bp - buff);
-
- memset(key, 0, HMAC_LEN);
- for (i = 0; i < HMAC_LEN; i++)
- key[i] = hkey->hk_ipad[i] ^ HMAC_IPAD;
- for (i = HMAC_LEN - 1; i >= 0; i--)
- if (key[i] != 0)
- break;
- key_len = i + 1;
-
- strcat(bp, "Key: ");
- bp += strlen("Key: ");
- b_len = buff_len - (bp - buff);
-
- len = b64_ntop(key, key_len, bp, b_len);
- if (len < 0)
- return (-1);
- bp += len;
- *(bp++) = '\n';
- *bp = '\0';
- b_len = buff_len - (bp - buff);
-
- return (buff_len - b_len);
-}
-
-
-/**************************************************************************
- * dst_hmac_md5_key_from_file_format
- * Converts contents of a key file into an HMAC key.
- * Parameters
- * hkey structure to put key into
- * buff buffer containing the encoded key
- * buff_len the length of the buffer
- * Return
- * n >= 0 Foot print of the key converted
- * n < 0 Error in conversion
- */
-
-static int
-dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
- const int buff_len)
-{
- const char *p = buff, *eol;
- u_char key[HMAC_LEN+1]; /* b64_pton needs more than 64 bytes do decode
- * it should probably be fixed rather than doing
- * this
- */
- u_char *tmp;
- int key_len, len;
-
- if (dkey == NULL)
- return (-2);
- if (buff == NULL || buff_len < 0)
- return (-1);
-
- memset(key, 0, sizeof(key));
-
- if (!dst_s_verify_str(&p, "Key: "))
- return (-3);
-
- eol = strchr(p, '\n');
- if (eol == NULL)
- return (-4);
- len = eol - p;
- tmp = malloc(len + 2);
- memcpy(tmp, p, len);
- *(tmp + len) = 0x0;
- key_len = b64_pton((char *)tmp, key, HMAC_LEN+1); /* see above */
- SAFE_FREE2(tmp, len + 2);
-
- if (dst_buffer_to_hmac_md5(dkey, key, key_len) < 0) {
- return (-6);
- }
- return (0);
-}
-
-/*
- * dst_hmac_md5_to_dns_key()
- * function to extract hmac key from DST_KEY structure
- * intput:
- * in_key: HMAC-MD5 key
- * output:
- * out_str: buffer to write ot
- * out_len: size of output buffer
- * returns:
- * number of bytes written to output buffer
- */
-static int
-dst_hmac_md5_to_dns_key(const DST_KEY *in_key, u_char *out_str,
- const int out_len)
-{
-
- HMAC_Key *hkey;
- int i;
-
- if (in_key == NULL || in_key->dk_KEY_struct == NULL ||
- out_len <= in_key->dk_key_size || out_str == NULL)
- return (-1);
-
- hkey = (HMAC_Key *) in_key->dk_KEY_struct;
- for (i = 0; i < in_key->dk_key_size; i++)
- out_str[i] = hkey->hk_ipad[i] ^ HMAC_IPAD;
- return (i);
-}
-
-/**************************************************************************
- * dst_hmac_md5_compare_keys
- * Compare two keys for equality.
- * Return
- * 0 The keys are equal
- * NON-ZERO The keys are not equal
- */
-
-static int
-dst_hmac_md5_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
-{
- HMAC_Key *hkey1 = (HMAC_Key *) key1->dk_KEY_struct;
- HMAC_Key *hkey2 = (HMAC_Key *) key2->dk_KEY_struct;
- return memcmp(hkey1->hk_ipad, hkey2->hk_ipad, HMAC_LEN);
-}
-
-/**************************************************************************
- * dst_hmac_md5_free_key_structure
- * Frees all (none) dynamically allocated structures in hkey
- */
-
-static void *
-dst_hmac_md5_free_key_structure(void *key)
-{
- HMAC_Key *hkey = key;
- SAFE_FREE(hkey);
- return (NULL);
-}
-
-
-/***************************************************************************
- * dst_hmac_md5_generate_key
- * Creates a HMAC key of size size with a maximum size of 63 bytes
- * generating a HMAC key larger than 63 bytes makes no sense as that key
- * is digested before use.
- */
-
-static int
-dst_hmac_md5_generate_key(DST_KEY *key, const int nothing)
-{
- (void)key;
- (void)nothing;
- return (-1);
-}
-
-/*
- * dst_hmac_md5_init() Function to answer set up function pointers for HMAC
- * related functions
- */
-int
-#ifdef SUNW_LIBMD5
-dst_md5_hmac_init()
-#else
-dst_hmac_md5_init()
-#endif
-{
- if (dst_t_func[KEY_HMAC_MD5] != NULL)
- return (1);
- dst_t_func[KEY_HMAC_MD5] = malloc(sizeof(struct dst_func));
- if (dst_t_func[KEY_HMAC_MD5] == NULL)
- return (0);
- memset(dst_t_func[KEY_HMAC_MD5], 0, sizeof(struct dst_func));
- dst_t_func[KEY_HMAC_MD5]->sign = dst_hmac_md5_sign;
- dst_t_func[KEY_HMAC_MD5]->verify = dst_hmac_md5_verify;
- dst_t_func[KEY_HMAC_MD5]->compare = dst_hmac_md5_compare_keys;
- dst_t_func[KEY_HMAC_MD5]->generate = dst_hmac_md5_generate_key;
- dst_t_func[KEY_HMAC_MD5]->destroy = dst_hmac_md5_free_key_structure;
- dst_t_func[KEY_HMAC_MD5]->to_dns_key = dst_hmac_md5_to_dns_key;
- dst_t_func[KEY_HMAC_MD5]->from_dns_key = dst_buffer_to_hmac_md5;
- dst_t_func[KEY_HMAC_MD5]->to_file_fmt = dst_hmac_md5_key_to_file_format;
- dst_t_func[KEY_HMAC_MD5]->from_file_fmt = dst_hmac_md5_key_from_file_format;
- return (1);
-}
-
-#else
-#define dst_hmac_md5_init __dst_hmac_md5_init
-
-int
-dst_hmac_md5_init(){
- return (0);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/dst/md5.h b/contrib/bind9/lib/bind/dst/md5.h
deleted file mode 100644
index 6525662b67f0..000000000000
--- a/contrib/bind9/lib/bind/dst/md5.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/* crypto/md/md5.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_MD5_H
-#define HEADER_MD5_H
-
-#ifndef HAVE_MD5
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#define MD5_CBLOCK 64
-#define MD5_LBLOCK 16
-#define MD5_BLOCK 16
-#define MD5_LAST_BLOCK 56
-#define MD5_LENGTH_BLOCK 8
-#define MD5_DIGEST_LENGTH 16
-
-typedef struct MD5state_st
- {
- unsigned long A,B,C,D;
- unsigned long Nl,Nh;
- unsigned long data[MD5_LBLOCK];
- int num;
- } MD5_CTX;
-
-#ifndef NOPROTO
-void MD5_Init(MD5_CTX *c);
-void MD5_Update(MD5_CTX *c, const unsigned char *data, unsigned long len);
-void MD5_Final(unsigned char *md, MD5_CTX *c);
-unsigned char *MD5(unsigned char *d, unsigned long n, unsigned char *md);
-#else
-void MD5_Init();
-void MD5_Update();
-void MD5_Final();
-unsigned char *MD5();
-#endif
-
-/* to provide backward compatabilty to RSAREF calls ogud@tis.com 1997/11/14 */
-#define MD5Init(c) MD5_Init(c)
-#define MD5Update(c,data, len) MD5_Update(c,data,len)
-#define MD5Final(md, c) MD5_Final(md, c)
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-#else
-#include <sys/md5.h>
-#endif /* HAVE_MD5 */
diff --git a/contrib/bind9/lib/bind/dst/md5_dgst.c b/contrib/bind9/lib/bind/dst/md5_dgst.c
deleted file mode 100644
index ba0a5a13db38..000000000000
--- a/contrib/bind9/lib/bind/dst/md5_dgst.c
+++ /dev/null
@@ -1,372 +0,0 @@
-/* crypto/md/md5_dgst.c */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifdef USE_MD5 /* Added by ogud@tis.com 1998/1/26 */
-#include <port_before.h>
-#ifndef HAVE_MD5
-#include <stdio.h>
-#include "md5_locl.h"
-#include <port_after.h>
-
-const char *MD5_version="MD5 part of SSLeay 0.8.1 19-Jul-1997";
-
-/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
- */
-
-#define INIT_DATA_A (unsigned long)0x67452301L
-#define INIT_DATA_B (unsigned long)0xefcdab89L
-#define INIT_DATA_C (unsigned long)0x98badcfeL
-#define INIT_DATA_D (unsigned long)0x10325476L
-
-#ifndef NOPROTO
-static void md5_block(MD5_CTX *c, unsigned long *p);
-#else
-static void md5_block();
-#endif
-
-void MD5_Init(c)
-MD5_CTX *c;
- {
- c->A=INIT_DATA_A;
- c->B=INIT_DATA_B;
- c->C=INIT_DATA_C;
- c->D=INIT_DATA_D;
- c->Nl=0;
- c->Nh=0;
- c->num=0;
- }
-
-void MD5_Update(c, data, len)
-MD5_CTX *c;
-register const unsigned char *data;
-unsigned long len;
- {
- register ULONG *p;
- int sw,sc;
- ULONG l;
-
- if (len == 0U) return;
-
- l=(c->Nl+(len<<3))&0xffffffffL;
- /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
- * Wei Dai <weidai@eskimo.com> for pointing it out. */
- if (l < c->Nl) /* overflow */
- c->Nh++;
- c->Nh+=(len>>29);
- c->Nl=l;
-
- if (c->num != 0)
- {
- p=c->data;
- sw=c->num>>2;
- sc=c->num&0x03;
-
- if ((c->num+len) >= (size_t)MD5_CBLOCK)
- {
- l= p[sw];
- p_c2l(data,l,sc);
- p[sw++]=l;
- for (; sw<MD5_LBLOCK; sw++)
- {
- c2l(data,l);
- p[sw]=l;
- }
- len-=(MD5_CBLOCK-c->num);
-
- md5_block(c,p);
- c->num=0;
- /* drop through and do the rest */
- }
- else
- {
- int ew,ec;
-
- c->num+=(int)len;
- if ((sc+len) < 4U) /* ugly, add char's to a word */
- {
- l= p[sw];
- p_c2l_p(data,l,sc,len);
- p[sw]=l;
- }
- else
- {
- ew=(c->num>>2);
- ec=(c->num&0x03);
- l= p[sw];
- p_c2l(data,l,sc);
- p[sw++]=l;
- for (; sw < ew; sw++)
- { c2l(data,l); p[sw]=l; }
- if (ec)
- {
- c2l_p(data,l,ec);
- p[sw]=l;
- }
- }
- return;
- }
- }
- /* we now can process the input data in blocks of MD5_CBLOCK
- * chars and save the leftovers to c->data. */
- p=c->data;
- while (len >= (size_t)MD5_CBLOCK)
- {
-#if defined(L_ENDIAN) || defined(B_ENDIAN)
- memcpy(p,data,MD5_CBLOCK);
- data+=MD5_CBLOCK;
-#ifdef B_ENDIAN
- for (sw=(MD5_LBLOCK/4); sw; sw--)
- {
- Endian_Reverse32(p[0]);
- Endian_Reverse32(p[1]);
- Endian_Reverse32(p[2]);
- Endian_Reverse32(p[3]);
- p+=4;
- }
-#endif
-#else
- for (sw=(MD5_LBLOCK/4); sw; sw--)
- {
- c2l(data,l); *(p++)=l;
- c2l(data,l); *(p++)=l;
- c2l(data,l); *(p++)=l;
- c2l(data,l); *(p++)=l;
- }
-#endif
- p=c->data;
- md5_block(c,p);
- len-=MD5_CBLOCK;
- }
- sc=(int)len;
- c->num=sc;
- if (sc)
- {
- sw=sc>>2; /* words to copy */
-#ifdef L_ENDIAN
- p[sw]=0;
- memcpy(p,data,sc);
-#else
- sc&=0x03;
- for ( ; sw; sw--)
- { c2l(data,l); *(p++)=l; }
- c2l_p(data,l,sc);
- *p=l;
-#endif
- }
- }
-
-static void md5_block(c, X)
-MD5_CTX *c;
-register ULONG *X;
- {
- register ULONG A,B,C,D;
-
- A=c->A;
- B=c->B;
- C=c->C;
- D=c->D;
-
- /* Round 0 */
- R0(A,B,C,D,X[ 0], 7,0xd76aa478L);
- R0(D,A,B,C,X[ 1],12,0xe8c7b756L);
- R0(C,D,A,B,X[ 2],17,0x242070dbL);
- R0(B,C,D,A,X[ 3],22,0xc1bdceeeL);
- R0(A,B,C,D,X[ 4], 7,0xf57c0fafL);
- R0(D,A,B,C,X[ 5],12,0x4787c62aL);
- R0(C,D,A,B,X[ 6],17,0xa8304613L);
- R0(B,C,D,A,X[ 7],22,0xfd469501L);
- R0(A,B,C,D,X[ 8], 7,0x698098d8L);
- R0(D,A,B,C,X[ 9],12,0x8b44f7afL);
- R0(C,D,A,B,X[10],17,0xffff5bb1L);
- R0(B,C,D,A,X[11],22,0x895cd7beL);
- R0(A,B,C,D,X[12], 7,0x6b901122L);
- R0(D,A,B,C,X[13],12,0xfd987193L);
- R0(C,D,A,B,X[14],17,0xa679438eL);
- R0(B,C,D,A,X[15],22,0x49b40821L);
- /* Round 1 */
- R1(A,B,C,D,X[ 1], 5,0xf61e2562L);
- R1(D,A,B,C,X[ 6], 9,0xc040b340L);
- R1(C,D,A,B,X[11],14,0x265e5a51L);
- R1(B,C,D,A,X[ 0],20,0xe9b6c7aaL);
- R1(A,B,C,D,X[ 5], 5,0xd62f105dL);
- R1(D,A,B,C,X[10], 9,0x02441453L);
- R1(C,D,A,B,X[15],14,0xd8a1e681L);
- R1(B,C,D,A,X[ 4],20,0xe7d3fbc8L);
- R1(A,B,C,D,X[ 9], 5,0x21e1cde6L);
- R1(D,A,B,C,X[14], 9,0xc33707d6L);
- R1(C,D,A,B,X[ 3],14,0xf4d50d87L);
- R1(B,C,D,A,X[ 8],20,0x455a14edL);
- R1(A,B,C,D,X[13], 5,0xa9e3e905L);
- R1(D,A,B,C,X[ 2], 9,0xfcefa3f8L);
- R1(C,D,A,B,X[ 7],14,0x676f02d9L);
- R1(B,C,D,A,X[12],20,0x8d2a4c8aL);
- /* Round 2 */
- R2(A,B,C,D,X[ 5], 4,0xfffa3942L);
- R2(D,A,B,C,X[ 8],11,0x8771f681L);
- R2(C,D,A,B,X[11],16,0x6d9d6122L);
- R2(B,C,D,A,X[14],23,0xfde5380cL);
- R2(A,B,C,D,X[ 1], 4,0xa4beea44L);
- R2(D,A,B,C,X[ 4],11,0x4bdecfa9L);
- R2(C,D,A,B,X[ 7],16,0xf6bb4b60L);
- R2(B,C,D,A,X[10],23,0xbebfbc70L);
- R2(A,B,C,D,X[13], 4,0x289b7ec6L);
- R2(D,A,B,C,X[ 0],11,0xeaa127faL);
- R2(C,D,A,B,X[ 3],16,0xd4ef3085L);
- R2(B,C,D,A,X[ 6],23,0x04881d05L);
- R2(A,B,C,D,X[ 9], 4,0xd9d4d039L);
- R2(D,A,B,C,X[12],11,0xe6db99e5L);
- R2(C,D,A,B,X[15],16,0x1fa27cf8L);
- R2(B,C,D,A,X[ 2],23,0xc4ac5665L);
- /* Round 3 */
- R3(A,B,C,D,X[ 0], 6,0xf4292244L);
- R3(D,A,B,C,X[ 7],10,0x432aff97L);
- R3(C,D,A,B,X[14],15,0xab9423a7L);
- R3(B,C,D,A,X[ 5],21,0xfc93a039L);
- R3(A,B,C,D,X[12], 6,0x655b59c3L);
- R3(D,A,B,C,X[ 3],10,0x8f0ccc92L);
- R3(C,D,A,B,X[10],15,0xffeff47dL);
- R3(B,C,D,A,X[ 1],21,0x85845dd1L);
- R3(A,B,C,D,X[ 8], 6,0x6fa87e4fL);
- R3(D,A,B,C,X[15],10,0xfe2ce6e0L);
- R3(C,D,A,B,X[ 6],15,0xa3014314L);
- R3(B,C,D,A,X[13],21,0x4e0811a1L);
- R3(A,B,C,D,X[ 4], 6,0xf7537e82L);
- R3(D,A,B,C,X[11],10,0xbd3af235L);
- R3(C,D,A,B,X[ 2],15,0x2ad7d2bbL);
- R3(B,C,D,A,X[ 9],21,0xeb86d391L);
-
- c->A+=A&0xffffffffL;
- c->B+=B&0xffffffffL;
- c->C+=C&0xffffffffL;
- c->D+=D&0xffffffffL;
- }
-
-void MD5_Final(md, c)
-unsigned char *md;
-MD5_CTX *c;
- {
- register int i,j;
- register ULONG l;
- register ULONG *p;
- static unsigned char end[4]={0x80,0x00,0x00,0x00};
- unsigned char *cp=end;
-
- /* c->num should definitly have room for at least one more byte. */
- p=c->data;
- j=c->num;
- i=j>>2;
-
- /* purify often complains about the following line as an
- * Uninitialized Memory Read. While this can be true, the
- * following p_c2l macro will reset l when that case is true.
- * This is because j&0x03 contains the number of 'valid' bytes
- * already in p[i]. If and only if j&0x03 == 0, the UMR will
- * occur but this is also the only time p_c2l will do
- * l= *(cp++) instead of l|= *(cp++)
- * Many thanks to Alex Tang <altitude@cic.net> for pickup this
- * 'potential bug' */
-#ifdef PURIFY
- if ((j&0x03) == 0) p[i]=0;
-#endif
- l=p[i];
- p_c2l(cp,l,j&0x03);
- p[i]=l;
- i++;
- /* i is the next 'undefined word' */
- if (c->num >= MD5_LAST_BLOCK)
- {
- for (; i<MD5_LBLOCK; i++)
- p[i]=0;
- md5_block(c,p);
- i=0;
- }
- for (; i<(MD5_LBLOCK-2); i++)
- p[i]=0;
- p[MD5_LBLOCK-2]=c->Nl;
- p[MD5_LBLOCK-1]=c->Nh;
- md5_block(c,p);
- cp=md;
- l=c->A; l2c(l,cp);
- l=c->B; l2c(l,cp);
- l=c->C; l2c(l,cp);
- l=c->D; l2c(l,cp);
-
- /* clear stuff, md5_block may be leaving some stuff on the stack
- * but I'm not worried :-) */
- c->num=0;
-/* memset((char *)&c,0,sizeof(c));*/
- }
-
-#ifdef undef
-int printit(l)
-unsigned long *l;
- {
- int i,ii;
-
- for (i=0; i<2; i++)
- {
- for (ii=0; ii<8; ii++)
- {
- fprintf(stderr,"%08lx ",l[i*8+ii]);
- }
- fprintf(stderr,"\n");
- }
- }
-#endif
-#endif /* HAVE_MD5 */
-#endif /* USE_MD5 */
diff --git a/contrib/bind9/lib/bind/dst/md5_locl.h b/contrib/bind9/lib/bind/dst/md5_locl.h
deleted file mode 100644
index ce4c765c1b83..000000000000
--- a/contrib/bind9/lib/bind/dst/md5_locl.h
+++ /dev/null
@@ -1,190 +0,0 @@
-/* crypto/md/md5_locl.h */
-/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdlib.h>
-#include <string.h>
-#include "md5.h"
-
-#define ULONG unsigned long
-#define UCHAR unsigned char
-#define UINT unsigned int
-
-#if defined(NOCONST)
-#define const
-#endif
-
-#undef c2l
-#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
- l|=(((unsigned long)(*((c)++)))<< 8), \
- l|=(((unsigned long)(*((c)++)))<<16), \
- l|=(((unsigned long)(*((c)++)))<<24))
-
-#undef p_c2l
-#define p_c2l(c,l,n) { \
- switch (n) { \
- case 0: l =((unsigned long)(*((c)++))); \
- case 1: l|=((unsigned long)(*((c)++)))<< 8; \
- case 2: l|=((unsigned long)(*((c)++)))<<16; \
- case 3: l|=((unsigned long)(*((c)++)))<<24; \
- } \
- }
-
-/* NOTE the pointer is not incremented at the end of this */
-#undef c2l_p
-#define c2l_p(c,l,n) { \
- l=0; \
- (c)+=n; \
- switch (n) { \
- case 3: l =((unsigned long)(*(--(c))))<<16; \
- case 2: l|=((unsigned long)(*(--(c))))<< 8; \
- case 1: l|=((unsigned long)(*(--(c)))) ; \
- } \
- }
-
-#undef p_c2l_p
-#define p_c2l_p(c,l,sc,len) { \
- switch (sc) \
- { \
- case 0: l =((unsigned long)(*((c)++))); \
- if (--len == 0U) break; \
- case 1: l|=((unsigned long)(*((c)++)))<< 8; \
- if (--len == 0U) break; \
- case 2: l|=((unsigned long)(*((c)++)))<<16; \
- } \
- }
-
-#undef l2c
-#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
- *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
- *((c)++)=(unsigned char)(((l)>>16)&0xff), \
- *((c)++)=(unsigned char)(((l)>>24)&0xff))
-
-/* NOTE - c is not incremented as per l2c */
-#undef l2cn
-#define l2cn(l1,l2,c,n) { \
- c+=n; \
- switch (n) { \
- case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
- case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
- case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
- case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
- case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
- case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
- case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
- case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
- } \
- }
-
-/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
-#if defined(WIN32)
-/* 5 instructions with rotate instruction, else 9 */
-#define Endian_Reverse32(a) \
- { \
- unsigned long l=(a); \
- (a)=((ROTATE(l,8)&0x00FF00FF)|(ROTATE(l,24)&0xFF00FF00)); \
- }
-#else
-/* 6 instructions with rotate instruction, else 8 */
-#define Endian_Reverse32(a) \
- { \
- unsigned long l=(a); \
- l=(((l&0xFF00FF00)>>8L)|((l&0x00FF00FF)<<8L)); \
- (a)=ROTATE(l,16L); \
- }
-#endif
-/*
-#define F(x,y,z) (((x) & (y)) | ((~(x)) & (z)))
-#define G(x,y,z) (((x) & (z)) | ((y) & (~(z))))
-*/
-
-/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
- * simplified to the code below. Wei attributes these optimisations
- * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
- */
-#define F(x,y,z) ((((y) ^ (z)) & (x)) ^ (z))
-#define G(x,y,z) ((((x) ^ (y)) & (z)) ^ (y))
-#define H(x,y,z) ((x) ^ (y) ^ (z))
-#define I(x,y,z) (((x) | (~(z))) ^ (y))
-
-#undef ROTATE
-#if defined(WIN32)
-#define ROTATE(a,n) _lrotl(a,n)
-#else
-#define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
-#endif
-
-
-#define R0(a,b,c,d,k,s,t) { \
- a+=((k)+(t)+F((b),(c),(d))); \
- a=ROTATE(a,s); \
- a+=b; };\
-
-#define R1(a,b,c,d,k,s,t) { \
- a+=((k)+(t)+G((b),(c),(d))); \
- a=ROTATE(a,s); \
- a+=b; };
-
-#define R2(a,b,c,d,k,s,t) { \
- a+=((k)+(t)+H((b),(c),(d))); \
- a=ROTATE(a,s); \
- a+=b; };
-
-#define R3(a,b,c,d,k,s,t) { \
- a+=((k)+(t)+I((b),(c),(d))); \
- a=ROTATE(a,s); \
- a+=b; };
diff --git a/contrib/bind9/lib/bind/dst/support.c b/contrib/bind9/lib/bind/dst/support.c
deleted file mode 100644
index 8fe3cdb4780d..000000000000
--- a/contrib/bind9/lib/bind/dst/support.c
+++ /dev/null
@@ -1,346 +0,0 @@
-static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.2.2.1.10.2 2005/10/11 00:48:14 marka Exp $";
-
-
-/*
- * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
- *
- * Permission to use, copy modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
- */
-
-#include "port_before.h"
-
-#include <stdio.h>
-#include <unistd.h>
-#include <memory.h>
-#include <string.h>
-#include <errno.h>
-#include <sys/stat.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include "dst_internal.h"
-
-#include "port_after.h"
-
-/*
- * dst_s_verify_str()
- * Validate that the input string(*str) is at the head of the input
- * buffer(**buf). If so, move the buffer head pointer (*buf) to
- * the first byte of data following the string(*str).
- * Parameters
- * buf Input buffer.
- * str Input string.
- * Return
- * 0 *str is not the head of **buff
- * 1 *str is the head of **buff, *buf is is advanced to
- * the tail of **buf.
- */
-
-int
-dst_s_verify_str(const char **buf, const char *str)
-{
- int b, s;
- if (*buf == NULL) /* error checks */
- return (0);
- if (str == NULL || *str == '\0')
- return (1);
-
- b = strlen(*buf); /* get length of strings */
- s = strlen(str);
- if (s > b || strncmp(*buf, str, s)) /* check if same */
- return (0); /* not a match */
- (*buf) += s; /* advance pointer */
- return (1);
-}
-
-/*
- * dst_s_calculate_bits
- * Given a binary number represented in a u_char[], determine
- * the number of significant bits used.
- * Parameters
- * str An input character string containing a binary number.
- * max_bits The maximum possible significant bits.
- * Return
- * N The number of significant bits in str.
- */
-
-int
-dst_s_calculate_bits(const u_char *str, const int max_bits)
-{
- const u_char *p = str;
- u_char i, j = 0x80;
- int bits;
- for (bits = max_bits; *p == 0x00 && bits > 0; p++)
- bits -= 8;
- for (i = *p; (i & j) != j; j >>= 1)
- bits--;
- return (bits);
-}
-
-
-/*
- * calculates a checksum used in dst for an id.
- * takes an array of bytes and a length.
- * returns a 16 bit checksum.
- */
-u_int16_t
-dst_s_id_calc(const u_char *key, const int keysize)
-{
- u_int32_t ac;
- const u_char *kp = key;
- int size = keysize;
-
- if (!key || (keysize <= 0))
- return (0xffffU);
-
- for (ac = 0; size > 1; size -= 2, kp += 2)
- ac += ((*kp) << 8) + *(kp + 1);
-
- if (size > 0)
- ac += ((*kp) << 8);
- ac += (ac >> 16) & 0xffff;
-
- return (ac & 0xffff);
-}
-
-/*
- * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
- * rdata
- * Input:
- * dns_key_rdata: the raw data in wire format
- * rdata_len: the size of the input data
- * Output:
- * the key footprint/id calculated from the key data
- */
-u_int16_t
-dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
-{
- if (!dns_key_rdata)
- return 0;
-
- /* compute id */
- if (dns_key_rdata[3] == KEY_RSA) /* Algorithm RSA */
- return dst_s_get_int16((const u_char *)
- &dns_key_rdata[rdata_len - 3]);
- else if (dns_key_rdata[3] == KEY_HMAC_MD5)
- /* compatibility */
- return 0;
- else
- /* compute a checksum on the key part of the key rr */
- return dst_s_id_calc(dns_key_rdata, rdata_len);
-}
-
-/*
- * dst_s_get_int16
- * This routine extracts a 16 bit integer from a two byte character
- * string. The character string is assumed to be in network byte
- * order and may be unaligned. The number returned is in host order.
- * Parameter
- * buf A two byte character string.
- * Return
- * The converted integer value.
- */
-
-u_int16_t
-dst_s_get_int16(const u_char *buf)
-{
- register u_int16_t a = 0;
- a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1]));
- return (a);
-}
-
-
-/*
- * dst_s_get_int32
- * This routine extracts a 32 bit integer from a four byte character
- * string. The character string is assumed to be in network byte
- * order and may be unaligned. The number returned is in host order.
- * Parameter
- * buf A four byte character string.
- * Return
- * The converted integer value.
- */
-
-u_int32_t
-dst_s_get_int32(const u_char *buf)
-{
- register u_int32_t a = 0;
- a = ((u_int32_t)(buf[0] << 24)) | ((u_int32_t)(buf[1] << 16)) |
- ((u_int32_t)(buf[2] << 8)) | ((u_int32_t)(buf[3]));
- return (a);
-}
-
-
-/*
- * dst_s_put_int16
- * Take a 16 bit integer and store the value in a two byte
- * character string. The integer is assumed to be in network
- * order and the string is returned in host order.
- *
- * Parameters
- * buf Storage for a two byte character string.
- * val 16 bit integer.
- */
-
-void
-dst_s_put_int16(u_int8_t *buf, const u_int16_t val)
-{
- buf[0] = (u_int8_t)(val >> 8);
- buf[1] = (u_int8_t)(val);
-}
-
-
-/*
- * dst_s_put_int32
- * Take a 32 bit integer and store the value in a four byte
- * character string. The integer is assumed to be in network
- * order and the string is returned in host order.
- *
- * Parameters
- * buf Storage for a four byte character string.
- * val 32 bit integer.
- */
-
-void
-dst_s_put_int32(u_int8_t *buf, const u_int32_t val)
-{
- buf[0] = (u_int8_t)(val >> 24);
- buf[1] = (u_int8_t)(val >> 16);
- buf[2] = (u_int8_t)(val >> 8);
- buf[3] = (u_int8_t)(val);
-}
-
-
-/*
- * dst_s_filename_length
- *
- * This function returns the number of bytes needed to hold the
- * filename for a key file. '/', '\' and ':' are not allowed.
- * form: K<keyname>+<alg>+<id>.<suffix>
- *
- * Returns 0 if the filename would contain either '\', '/' or ':'
- */
-size_t
-dst_s_filename_length(const char *name, const char *suffix)
-{
- if (name == NULL)
- return (0);
- if (strrchr(name, '\\'))
- return (0);
- if (strrchr(name, '/'))
- return (0);
- if (strrchr(name, ':'))
- return (0);
- if (suffix == NULL)
- return (0);
- if (strrchr(suffix, '\\'))
- return (0);
- if (strrchr(suffix, '/'))
- return (0);
- if (strrchr(suffix, ':'))
- return (0);
- return (1 + strlen(name) + 6 + strlen(suffix));
-}
-
-
-/*
- * dst_s_build_filename ()
- * Builds a key filename from the key name, it's id, and a
- * suffix. '\', '/' and ':' are not allowed. fA filename is of the
- * form: K<keyname><id>.<suffix>
- * form: K<keyname>+<alg>+<id>.<suffix>
- *
- * Returns -1 if the conversion fails:
- * if the filename would be too long for space allotted
- * if the filename would contain a '\', '/' or ':'
- * Returns 0 on success
- */
-
-int
-dst_s_build_filename(char *filename, const char *name, u_int16_t id,
- int alg, const char *suffix, size_t filename_length)
-{
- u_int32_t my_id;
- if (filename == NULL)
- return (-1);
- memset(filename, 0, filename_length);
- if (name == NULL)
- return (-1);
- if (suffix == NULL)
- return (-1);
- if (filename_length < 1 + strlen(name) + 4 + 6 + 1 + strlen(suffix))
- return (-1);
- my_id = id;
- sprintf(filename, "K%s+%03d+%05d.%s", name, alg, my_id,
- (const char *) suffix);
- if (strrchr(filename, '/'))
- return (-1);
- if (strrchr(filename, '\\'))
- return (-1);
- if (strrchr(filename, ':'))
- return (-1);
- return (0);
-}
-
-/*
- * dst_s_fopen ()
- * Open a file in the dst_path directory. If perm is specified, the
- * file is checked for existence first, and not opened if it exists.
- * Parameters
- * filename File to open
- * mode Mode to open the file (passed directly to fopen)
- * perm File permission, if creating a new file.
- * Returns
- * NULL Failure
- * NON-NULL (FILE *) of opened file.
- */
-FILE *
-dst_s_fopen(const char *filename, const char *mode, int perm)
-{
- FILE *fp;
- char pathname[PATH_MAX];
-
- if (strlen(filename) + strlen(dst_path) >= sizeof(pathname))
- return (NULL);
-
- if (*dst_path != '\0') {
- strcpy(pathname, dst_path);
- strcat(pathname, filename);
- } else
- strcpy(pathname, filename);
-
- fp = fopen(pathname, mode);
- if (perm)
- chmod(pathname, perm);
- return (fp);
-}
-
-void
-dst_s_dump(const int mode, const u_char *data, const int size,
- const char *msg)
-{
- UNUSED(data);
-
- if (size > 0) {
-#ifdef LONG_TEST
- static u_char scratch[1000];
- int n ;
- n = b64_ntop(data, scratch, size, sizeof(scratch));
- printf("%s: %x %d %s\n", msg, mode, n, scratch);
-#else
- printf("%s,%x %d\n", msg, mode, size);
-#endif
- }
-}
diff --git a/contrib/bind9/lib/bind/include/Makefile.in b/contrib/bind9/lib/bind/include/Makefile.in
deleted file mode 100644
index a6e5553f3300..000000000000
--- a/contrib/bind9/lib/bind/include/Makefile.in
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3.206.1 2004/03/06 08:13:22 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-HEADERS=fd_setsize.h hesiod.h irp.h irs.h netdb.h netgroup.h res_update.h \
- resolv.h
-AHEADERS= arpa/inet.h arpa/nameser.h arpa/nameser_compat.h
-IHEADERS= isc/assertions.h isc/ctl.h isc/dst.h isc/eventlib.h isc/heap.h \
- isc/irpmarshall.h isc/list.h isc/logging.h isc/memcluster.h \
- isc/misc.h isc/tree.h
-
-all:
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir} \
- ${DESTDIR}${includedir}/arpa ${DESTDIR}${includedir}/isc
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}; \
- done
- for i in ${IHEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc; \
- done
- for i in ${AHEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/arpa; \
- done
-
diff --git a/contrib/bind9/lib/bind/include/arpa/inet.h b/contrib/bind9/lib/bind/include/arpa/inet.h
deleted file mode 100644
index 46caa49f5907..000000000000
--- a/contrib/bind9/lib/bind/include/arpa/inet.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * ++Copyright++ 1983, 1993
- * -
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * --Copyright--
- */
-
-/*
- * @(#)inet.h 8.1 (Berkeley) 6/2/93
- * $Id: inet.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
- */
-
-#ifndef _INET_H_
-#define _INET_H_
-
-/* External definitions for functions in inet(3) */
-
-#include <sys/param.h>
-#if (!defined(BSD)) || (BSD < 199306)
-# include <sys/bitypes.h>
-#else
-# include <sys/types.h>
-#endif
-#include <sys/cdefs.h>
-
-#define inet_addr __inet_addr
-#define inet_aton __inet_aton
-#define inet_lnaof __inet_lnaof
-#define inet_makeaddr __inet_makeaddr
-#define inet_neta __inet_neta
-#define inet_netof __inet_netof
-#define inet_network __inet_network
-#define inet_net_ntop __inet_net_ntop
-#define inet_net_pton __inet_net_pton
-#define inet_cidr_ntop __inet_cidr_ntop
-#define inet_cidr_pton __inet_cidr_pton
-#define inet_ntoa __inet_ntoa
-#define inet_pton __inet_pton
-#define inet_ntop __inet_ntop
-#define inet_nsap_addr __inet_nsap_addr
-#define inet_nsap_ntoa __inet_nsap_ntoa
-
-__BEGIN_DECLS
-unsigned long inet_addr __P((const char *));
-int inet_aton __P((const char *, struct in_addr *));
-unsigned long inet_lnaof __P((struct in_addr));
-struct in_addr inet_makeaddr __P((u_long , u_long));
-char * inet_neta __P((u_long, char *, size_t));
-unsigned long inet_netof __P((struct in_addr));
-unsigned long inet_network __P((const char *));
-char *inet_net_ntop __P((int, const void *, int, char *, size_t));
-int inet_net_pton __P((int, const char *, void *, size_t));
-char *inet_cidr_ntop __P((int, const void *, int, char *, size_t));
-int inet_cidr_pton __P((int, const char *, void *, int *));
-/*const*/ char *inet_ntoa __P((struct in_addr));
-int inet_pton __P((int, const char *, void *));
-const char *inet_ntop __P((int, const void *, char *, size_t));
-u_int inet_nsap_addr __P((const char *, u_char *, int));
-char *inet_nsap_ntoa __P((int, const u_char *, char *));
-__END_DECLS
-
-#if defined(__hpux) && defined(_XOPEN_SOURCE_EXTENDED)
-/*
- * Macros for number representation conversion.
- *
- * netinet/in.h is another location for these macros
- */
-#ifndef ntohl
-#define ntohl(x) (x)
-#define ntohs(x) (x)
-#define htonl(x) (x)
-#define htons(x) (x)
-#endif
-#endif
-
-#endif /* !_INET_H_ */
diff --git a/contrib/bind9/lib/bind/include/arpa/nameser.h b/contrib/bind9/lib/bind/include/arpa/nameser.h
deleted file mode 100644
index 23db49871dcf..000000000000
--- a/contrib/bind9/lib/bind/include/arpa/nameser.h
+++ /dev/null
@@ -1,576 +0,0 @@
-/*
- * Copyright (c) 1983, 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: nameser.h,v 1.2.2.4.4.1 2004/03/09 08:33:30 marka Exp $
- */
-
-#ifndef _ARPA_NAMESER_H_
-#define _ARPA_NAMESER_H_
-
-#define BIND_4_COMPAT
-
-#include <sys/param.h>
-#if (!defined(BSD)) || (BSD < 199306)
-# include <sys/bitypes.h>
-#else
-# include <sys/types.h>
-#endif
-#include <sys/cdefs.h>
-
-/*
- * Revision information. This is the release date in YYYYMMDD format.
- * It can change every day so the right thing to do with it is use it
- * in preprocessor commands such as "#if (__NAMESER > 19931104)". Do not
- * compare for equality; rather, use it to determine whether your libbind.a
- * contains a new enough lib/nameser/ to support the feature you need.
- */
-
-#define __NAMESER 19991006 /* New interface version stamp. */
-
-/*
- * Define constants based on RFC 883, RFC 1034, RFC 1035
- */
-#define NS_PACKETSZ 512 /* default UDP packet size */
-#define NS_MAXDNAME 1025 /* maximum domain name */
-#define NS_MAXMSG 65535 /* maximum message size */
-#define NS_MAXCDNAME 255 /* maximum compressed domain name */
-#define NS_MAXLABEL 63 /* maximum length of domain label */
-#define NS_HFIXEDSZ 12 /* #/bytes of fixed data in header */
-#define NS_QFIXEDSZ 4 /* #/bytes of fixed data in query */
-#define NS_RRFIXEDSZ 10 /* #/bytes of fixed data in r record */
-#define NS_INT32SZ 4 /* #/bytes of data in a u_int32_t */
-#define NS_INT16SZ 2 /* #/bytes of data in a u_int16_t */
-#define NS_INT8SZ 1 /* #/bytes of data in a u_int8_t */
-#define NS_INADDRSZ 4 /* IPv4 T_A */
-#define NS_IN6ADDRSZ 16 /* IPv6 T_AAAA */
-#define NS_CMPRSFLGS 0xc0 /* Flag bits indicating name compression. */
-#define NS_DEFAULTPORT 53 /* For both TCP and UDP. */
-
-/*
- * These can be expanded with synonyms, just keep ns_parse.c:ns_parserecord()
- * in synch with it.
- */
-typedef enum __ns_sect {
- ns_s_qd = 0, /* Query: Question. */
- ns_s_zn = 0, /* Update: Zone. */
- ns_s_an = 1, /* Query: Answer. */
- ns_s_pr = 1, /* Update: Prerequisites. */
- ns_s_ns = 2, /* Query: Name servers. */
- ns_s_ud = 2, /* Update: Update. */
- ns_s_ar = 3, /* Query|Update: Additional records. */
- ns_s_max = 4
-} ns_sect;
-
-/*
- * This is a message handle. It is caller allocated and has no dynamic data.
- * This structure is intended to be opaque to all but ns_parse.c, thus the
- * leading _'s on the member names. Use the accessor functions, not the _'s.
- */
-typedef struct __ns_msg {
- const u_char *_msg, *_eom;
- u_int16_t _id, _flags, _counts[ns_s_max];
- const u_char *_sections[ns_s_max];
- ns_sect _sect;
- int _rrnum;
- const u_char *_msg_ptr;
-} ns_msg;
-
-/* Private data structure - do not use from outside library. */
-struct _ns_flagdata { int mask, shift; };
-extern struct _ns_flagdata _ns_flagdata[];
-
-/* Accessor macros - this is part of the public interface. */
-
-#define ns_msg_id(handle) ((handle)._id + 0)
-#define ns_msg_base(handle) ((handle)._msg + 0)
-#define ns_msg_end(handle) ((handle)._eom + 0)
-#define ns_msg_size(handle) ((handle)._eom - (handle)._msg)
-#define ns_msg_count(handle, section) ((handle)._counts[section] + 0)
-
-/*
- * This is a parsed record. It is caller allocated and has no dynamic data.
- */
-typedef struct __ns_rr {
- char name[NS_MAXDNAME];
- u_int16_t type;
- u_int16_t rr_class;
- u_int32_t ttl;
- u_int16_t rdlength;
- const u_char * rdata;
-} ns_rr;
-
-/* Accessor macros - this is part of the public interface. */
-#define ns_rr_name(rr) (((rr).name[0] != '\0') ? (rr).name : ".")
-#define ns_rr_type(rr) ((ns_type)((rr).type + 0))
-#define ns_rr_class(rr) ((ns_class)((rr).rr_class + 0))
-#define ns_rr_ttl(rr) ((rr).ttl + 0)
-#define ns_rr_rdlen(rr) ((rr).rdlength + 0)
-#define ns_rr_rdata(rr) ((rr).rdata + 0)
-
-/*
- * These don't have to be in the same order as in the packet flags word,
- * and they can even overlap in some cases, but they will need to be kept
- * in synch with ns_parse.c:ns_flagdata[].
- */
-typedef enum __ns_flag {
- ns_f_qr, /* Question/Response. */
- ns_f_opcode, /* Operation code. */
- ns_f_aa, /* Authoritative Answer. */
- ns_f_tc, /* Truncation occurred. */
- ns_f_rd, /* Recursion Desired. */
- ns_f_ra, /* Recursion Available. */
- ns_f_z, /* MBZ. */
- ns_f_ad, /* Authentic Data (DNSSEC). */
- ns_f_cd, /* Checking Disabled (DNSSEC). */
- ns_f_rcode, /* Response code. */
- ns_f_max
-} ns_flag;
-
-/*
- * Currently defined opcodes.
- */
-typedef enum __ns_opcode {
- ns_o_query = 0, /* Standard query. */
- ns_o_iquery = 1, /* Inverse query (deprecated/unsupported). */
- ns_o_status = 2, /* Name server status query (unsupported). */
- /* Opcode 3 is undefined/reserved. */
- ns_o_notify = 4, /* Zone change notification. */
- ns_o_update = 5, /* Zone update message. */
- ns_o_max = 6
-} ns_opcode;
-
-/*
- * Currently defined response codes.
- */
-typedef enum __ns_rcode {
- ns_r_noerror = 0, /* No error occurred. */
- ns_r_formerr = 1, /* Format error. */
- ns_r_servfail = 2, /* Server failure. */
- ns_r_nxdomain = 3, /* Name error. */
- ns_r_notimpl = 4, /* Unimplemented. */
- ns_r_refused = 5, /* Operation refused. */
- /* these are for BIND_UPDATE */
- ns_r_yxdomain = 6, /* Name exists */
- ns_r_yxrrset = 7, /* RRset exists */
- ns_r_nxrrset = 8, /* RRset does not exist */
- ns_r_notauth = 9, /* Not authoritative for zone */
- ns_r_notzone = 10, /* Zone of record different from zone section */
- ns_r_max = 11,
- /* The following are EDNS extended rcodes */
- ns_r_badvers = 16,
- /* The following are TSIG errors */
- ns_r_badsig = 16,
- ns_r_badkey = 17,
- ns_r_badtime = 18
-} ns_rcode;
-
-/* BIND_UPDATE */
-typedef enum __ns_update_operation {
- ns_uop_delete = 0,
- ns_uop_add = 1,
- ns_uop_max = 2
-} ns_update_operation;
-
-/*
- * This structure is used for TSIG authenticated messages
- */
-struct ns_tsig_key {
- char name[NS_MAXDNAME], alg[NS_MAXDNAME];
- unsigned char *data;
- int len;
-};
-typedef struct ns_tsig_key ns_tsig_key;
-
-/*
- * This structure is used for TSIG authenticated TCP messages
- */
-struct ns_tcp_tsig_state {
- int counter;
- struct dst_key *key;
- void *ctx;
- unsigned char sig[NS_PACKETSZ];
- int siglen;
-};
-typedef struct ns_tcp_tsig_state ns_tcp_tsig_state;
-
-#define NS_TSIG_FUDGE 300
-#define NS_TSIG_TCP_COUNT 100
-#define NS_TSIG_ALG_HMAC_MD5 "HMAC-MD5.SIG-ALG.REG.INT"
-
-#define NS_TSIG_ERROR_NO_TSIG -10
-#define NS_TSIG_ERROR_NO_SPACE -11
-#define NS_TSIG_ERROR_FORMERR -12
-
-/*
- * Currently defined type values for resources and queries.
- */
-typedef enum __ns_type {
- ns_t_invalid = 0, /* Cookie. */
- ns_t_a = 1, /* Host address. */
- ns_t_ns = 2, /* Authoritative server. */
- ns_t_md = 3, /* Mail destination. */
- ns_t_mf = 4, /* Mail forwarder. */
- ns_t_cname = 5, /* Canonical name. */
- ns_t_soa = 6, /* Start of authority zone. */
- ns_t_mb = 7, /* Mailbox domain name. */
- ns_t_mg = 8, /* Mail group member. */
- ns_t_mr = 9, /* Mail rename name. */
- ns_t_null = 10, /* Null resource record. */
- ns_t_wks = 11, /* Well known service. */
- ns_t_ptr = 12, /* Domain name pointer. */
- ns_t_hinfo = 13, /* Host information. */
- ns_t_minfo = 14, /* Mailbox information. */
- ns_t_mx = 15, /* Mail routing information. */
- ns_t_txt = 16, /* Text strings. */
- ns_t_rp = 17, /* Responsible person. */
- ns_t_afsdb = 18, /* AFS cell database. */
- ns_t_x25 = 19, /* X_25 calling address. */
- ns_t_isdn = 20, /* ISDN calling address. */
- ns_t_rt = 21, /* Router. */
- ns_t_nsap = 22, /* NSAP address. */
- ns_t_nsap_ptr = 23, /* Reverse NSAP lookup (deprecated). */
- ns_t_sig = 24, /* Security signature. */
- ns_t_key = 25, /* Security key. */
- ns_t_px = 26, /* X.400 mail mapping. */
- ns_t_gpos = 27, /* Geographical position (withdrawn). */
- ns_t_aaaa = 28, /* Ip6 Address. */
- ns_t_loc = 29, /* Location Information. */
- ns_t_nxt = 30, /* Next domain (security). */
- ns_t_eid = 31, /* Endpoint identifier. */
- ns_t_nimloc = 32, /* Nimrod Locator. */
- ns_t_srv = 33, /* Server Selection. */
- ns_t_atma = 34, /* ATM Address */
- ns_t_naptr = 35, /* Naming Authority PoinTeR */
- ns_t_kx = 36, /* Key Exchange */
- ns_t_cert = 37, /* Certification record */
- ns_t_a6 = 38, /* IPv6 address (deprecates AAAA) */
- ns_t_dname = 39, /* Non-terminal DNAME (for IPv6) */
- ns_t_sink = 40, /* Kitchen sink (experimentatl) */
- ns_t_opt = 41, /* EDNS0 option (meta-RR) */
- ns_t_apl = 42, /* Address prefix list (RFC 3123) */
- ns_t_tkey = 249, /* Transaction key */
- ns_t_tsig = 250, /* Transaction signature. */
- ns_t_ixfr = 251, /* Incremental zone transfer. */
- ns_t_axfr = 252, /* Transfer zone of authority. */
- ns_t_mailb = 253, /* Transfer mailbox records. */
- ns_t_maila = 254, /* Transfer mail agent records. */
- ns_t_any = 255, /* Wildcard match. */
- ns_t_zxfr = 256, /* BIND-specific, nonstandard. */
- ns_t_max = 65536
-} ns_type;
-
-/* Exclusively a QTYPE? (not also an RTYPE) */
-#define ns_t_qt_p(t) (ns_t_xfr_p(t) || (t) == ns_t_any || \
- (t) == ns_t_mailb || (t) == ns_t_maila)
-/* Some kind of meta-RR? (not a QTYPE, but also not an RTYPE) */
-#define ns_t_mrr_p(t) ((t) == ns_t_tsig || (t) == ns_t_opt)
-/* Exclusively an RTYPE? (not also a QTYPE or a meta-RR) */
-#define ns_t_rr_p(t) (!ns_t_qt_p(t) && !ns_t_mrr_p(t))
-#define ns_t_udp_p(t) ((t) != ns_t_axfr && (t) != ns_t_zxfr)
-#define ns_t_xfr_p(t) ((t) == ns_t_axfr || (t) == ns_t_ixfr || \
- (t) == ns_t_zxfr)
-
-/*
- * Values for class field
- */
-typedef enum __ns_class {
- ns_c_invalid = 0, /* Cookie. */
- ns_c_in = 1, /* Internet. */
- ns_c_2 = 2, /* unallocated/unsupported. */
- ns_c_chaos = 3, /* MIT Chaos-net. */
- ns_c_hs = 4, /* MIT Hesiod. */
- /* Query class values which do not appear in resource records */
- ns_c_none = 254, /* for prereq. sections in update requests */
- ns_c_any = 255, /* Wildcard match. */
- ns_c_max = 65536
-} ns_class;
-
-/* DNSSEC constants. */
-
-typedef enum __ns_key_types {
- ns_kt_rsa = 1, /* key type RSA/MD5 */
- ns_kt_dh = 2, /* Diffie Hellman */
- ns_kt_dsa = 3, /* Digital Signature Standard (MANDATORY) */
- ns_kt_private = 254 /* Private key type starts with OID */
-} ns_key_types;
-
-typedef enum __ns_cert_types {
- cert_t_pkix = 1, /* PKIX (X.509v3) */
- cert_t_spki = 2, /* SPKI */
- cert_t_pgp = 3, /* PGP */
- cert_t_url = 253, /* URL private type */
- cert_t_oid = 254 /* OID private type */
-} ns_cert_types;
-
-/* Flags field of the KEY RR rdata. */
-#define NS_KEY_TYPEMASK 0xC000 /* Mask for "type" bits */
-#define NS_KEY_TYPE_AUTH_CONF 0x0000 /* Key usable for both */
-#define NS_KEY_TYPE_CONF_ONLY 0x8000 /* Key usable for confidentiality */
-#define NS_KEY_TYPE_AUTH_ONLY 0x4000 /* Key usable for authentication */
-#define NS_KEY_TYPE_NO_KEY 0xC000 /* No key usable for either; no key */
-/* The type bits can also be interpreted independently, as single bits: */
-#define NS_KEY_NO_AUTH 0x8000 /* Key unusable for authentication */
-#define NS_KEY_NO_CONF 0x4000 /* Key unusable for confidentiality */
-#define NS_KEY_RESERVED2 0x2000 /* Security is *mandatory* if bit=0 */
-#define NS_KEY_EXTENDED_FLAGS 0x1000 /* reserved - must be zero */
-#define NS_KEY_RESERVED4 0x0800 /* reserved - must be zero */
-#define NS_KEY_RESERVED5 0x0400 /* reserved - must be zero */
-#define NS_KEY_NAME_TYPE 0x0300 /* these bits determine the type */
-#define NS_KEY_NAME_USER 0x0000 /* key is assoc. with user */
-#define NS_KEY_NAME_ENTITY 0x0200 /* key is assoc. with entity eg host */
-#define NS_KEY_NAME_ZONE 0x0100 /* key is zone key */
-#define NS_KEY_NAME_RESERVED 0x0300 /* reserved meaning */
-#define NS_KEY_RESERVED8 0x0080 /* reserved - must be zero */
-#define NS_KEY_RESERVED9 0x0040 /* reserved - must be zero */
-#define NS_KEY_RESERVED10 0x0020 /* reserved - must be zero */
-#define NS_KEY_RESERVED11 0x0010 /* reserved - must be zero */
-#define NS_KEY_SIGNATORYMASK 0x000F /* key can sign RR's of same name */
-#define NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
- NS_KEY_RESERVED4 | \
- NS_KEY_RESERVED5 | \
- NS_KEY_RESERVED8 | \
- NS_KEY_RESERVED9 | \
- NS_KEY_RESERVED10 | \
- NS_KEY_RESERVED11 )
-#define NS_KEY_RESERVED_BITMASK2 0xFFFF /* no bits defined here */
-
-/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define NS_ALG_MD5RSA 1 /* MD5 with RSA */
-#define NS_ALG_DH 2 /* Diffie Hellman KEY */
-#define NS_ALG_DSA 3 /* DSA KEY */
-#define NS_ALG_DSS NS_ALG_DSA
-#define NS_ALG_EXPIRE_ONLY 253 /* No alg, no security */
-#define NS_ALG_PRIVATE_OID 254 /* Key begins with OID giving alg */
-
-/* Protocol values */
-/* value 0 is reserved */
-#define NS_KEY_PROT_TLS 1
-#define NS_KEY_PROT_EMAIL 2
-#define NS_KEY_PROT_DNSSEC 3
-#define NS_KEY_PROT_IPSEC 4
-#define NS_KEY_PROT_ANY 255
-
-/* Signatures */
-#define NS_MD5RSA_MIN_BITS 512 /* Size of a mod or exp in bits */
-#define NS_MD5RSA_MAX_BITS 4096
- /* Total of binary mod and exp */
-#define NS_MD5RSA_MAX_BYTES ((NS_MD5RSA_MAX_BITS+7/8)*2+3)
- /* Max length of text sig block */
-#define NS_MD5RSA_MAX_BASE64 (((NS_MD5RSA_MAX_BYTES+2)/3)*4)
-#define NS_MD5RSA_MIN_SIZE ((NS_MD5RSA_MIN_BITS+7)/8)
-#define NS_MD5RSA_MAX_SIZE ((NS_MD5RSA_MAX_BITS+7)/8)
-
-#define NS_DSA_SIG_SIZE 41
-#define NS_DSA_MIN_SIZE 213
-#define NS_DSA_MAX_BYTES 405
-
-/* Offsets into SIG record rdata to find various values */
-#define NS_SIG_TYPE 0 /* Type flags */
-#define NS_SIG_ALG 2 /* Algorithm */
-#define NS_SIG_LABELS 3 /* How many labels in name */
-#define NS_SIG_OTTL 4 /* Original TTL */
-#define NS_SIG_EXPIR 8 /* Expiration time */
-#define NS_SIG_SIGNED 12 /* Signature time */
-#define NS_SIG_FOOT 16 /* Key footprint */
-#define NS_SIG_SIGNER 18 /* Domain name of who signed it */
-
-/* How RR types are represented as bit-flags in NXT records */
-#define NS_NXT_BITS 8
-#define NS_NXT_BIT_SET( n,p) (p[(n)/NS_NXT_BITS] |= (0x80>>((n)%NS_NXT_BITS)))
-#define NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
-#define NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] & (0x80>>((n)%NS_NXT_BITS)))
-#define NS_NXT_MAX 127
-
-/*
- * EDNS0 extended flags, host order.
- */
-#define NS_OPT_DNSSEC_OK 0x8000U
-
-/*
- * Inline versions of get/put short/long. Pointer is advanced.
- */
-#define NS_GET16(s, cp) do { \
- register const u_char *t_cp = (const u_char *)(cp); \
- (s) = ((u_int16_t)t_cp[0] << 8) \
- | ((u_int16_t)t_cp[1]) \
- ; \
- (cp) += NS_INT16SZ; \
-} while (0)
-
-#define NS_GET32(l, cp) do { \
- register const u_char *t_cp = (const u_char *)(cp); \
- (l) = ((u_int32_t)t_cp[0] << 24) \
- | ((u_int32_t)t_cp[1] << 16) \
- | ((u_int32_t)t_cp[2] << 8) \
- | ((u_int32_t)t_cp[3]) \
- ; \
- (cp) += NS_INT32SZ; \
-} while (0)
-
-#define NS_PUT16(s, cp) do { \
- register u_int16_t t_s = (u_int16_t)(s); \
- register u_char *t_cp = (u_char *)(cp); \
- *t_cp++ = t_s >> 8; \
- *t_cp = t_s; \
- (cp) += NS_INT16SZ; \
-} while (0)
-
-#define NS_PUT32(l, cp) do { \
- register u_int32_t t_l = (u_int32_t)(l); \
- register u_char *t_cp = (u_char *)(cp); \
- *t_cp++ = t_l >> 24; \
- *t_cp++ = t_l >> 16; \
- *t_cp++ = t_l >> 8; \
- *t_cp = t_l; \
- (cp) += NS_INT32SZ; \
-} while (0)
-
-/*
- * ANSI C identifier hiding for bind's lib/nameser.
- */
-#define ns_msg_getflag __ns_msg_getflag
-#define ns_get16 __ns_get16
-#define ns_get32 __ns_get32
-#define ns_put16 __ns_put16
-#define ns_put32 __ns_put32
-#define ns_initparse __ns_initparse
-#define ns_skiprr __ns_skiprr
-#define ns_parserr __ns_parserr
-#define ns_sprintrr __ns_sprintrr
-#define ns_sprintrrf __ns_sprintrrf
-#define ns_format_ttl __ns_format_ttl
-#define ns_parse_ttl __ns_parse_ttl
-#define ns_datetosecs __ns_datetosecs
-#define ns_name_ntol __ns_name_ntol
-#define ns_name_ntop __ns_name_ntop
-#define ns_name_pton __ns_name_pton
-#define ns_name_unpack __ns_name_unpack
-#define ns_name_pack __ns_name_pack
-#define ns_name_compress __ns_name_compress
-#define ns_name_uncompress __ns_name_uncompress
-#define ns_name_skip __ns_name_skip
-#define ns_name_rollback __ns_name_rollback
-#define ns_sign __ns_sign
-#define ns_sign2 __ns_sign2
-#define ns_sign_tcp __ns_sign_tcp
-#define ns_sign_tcp2 __ns_sign_tcp2
-#define ns_sign_tcp_init __ns_sign_tcp_init
-#define ns_find_tsig __ns_find_tsig
-#define ns_verify __ns_verify
-#define ns_verify_tcp __ns_verify_tcp
-#define ns_verify_tcp_init __ns_verify_tcp_init
-#define ns_samedomain __ns_samedomain
-#define ns_subdomain __ns_subdomain
-#define ns_makecanon __ns_makecanon
-#define ns_samename __ns_samename
-
-__BEGIN_DECLS
-int ns_msg_getflag __P((ns_msg, int));
-u_int ns_get16 __P((const u_char *));
-u_long ns_get32 __P((const u_char *));
-void ns_put16 __P((u_int, u_char *));
-void ns_put32 __P((u_long, u_char *));
-int ns_initparse __P((const u_char *, int, ns_msg *));
-int ns_skiprr __P((const u_char *, const u_char *, ns_sect, int));
-int ns_parserr __P((ns_msg *, ns_sect, int, ns_rr *));
-int ns_sprintrr __P((const ns_msg *, const ns_rr *,
- const char *, const char *, char *, size_t));
-int ns_sprintrrf __P((const u_char *, size_t, const char *,
- ns_class, ns_type, u_long, const u_char *,
- size_t, const char *, const char *,
- char *, size_t));
-int ns_format_ttl __P((u_long, char *, size_t));
-int ns_parse_ttl __P((const char *, u_long *));
-u_int32_t ns_datetosecs __P((const char *cp, int *errp));
-int ns_name_ntol __P((const u_char *, u_char *, size_t));
-int ns_name_ntop __P((const u_char *, char *, size_t));
-int ns_name_pton __P((const char *, u_char *, size_t));
-int ns_name_unpack __P((const u_char *, const u_char *,
- const u_char *, u_char *, size_t));
-int ns_name_pack __P((const u_char *, u_char *, int,
- const u_char **, const u_char **));
-int ns_name_uncompress __P((const u_char *, const u_char *,
- const u_char *, char *, size_t));
-int ns_name_compress __P((const char *, u_char *, size_t,
- const u_char **, const u_char **));
-int ns_name_skip __P((const u_char **, const u_char *));
-void ns_name_rollback __P((const u_char *, const u_char **,
- const u_char **));
-int ns_sign __P((u_char *, int *, int, int, void *,
- const u_char *, int, u_char *, int *, time_t));
-int ns_sign2 __P((u_char *, int *, int, int, void *,
- const u_char *, int, u_char *, int *, time_t,
- u_char **, u_char **));
-int ns_sign_tcp __P((u_char *, int *, int, int,
- ns_tcp_tsig_state *, int));
-int ns_sign_tcp2 __P((u_char *, int *, int, int,
- ns_tcp_tsig_state *, int,
- u_char **, u_char **));
-int ns_sign_tcp_init __P((void *, const u_char *, int,
- ns_tcp_tsig_state *));
-u_char *ns_find_tsig __P((u_char *, u_char *));
-int ns_verify __P((u_char *, int *, void *,
- const u_char *, int, u_char *, int *,
- time_t *, int));
-int ns_verify_tcp __P((u_char *, int *, ns_tcp_tsig_state *, int));
-int ns_verify_tcp_init __P((void *, const u_char *, int,
- ns_tcp_tsig_state *));
-int ns_samedomain __P((const char *, const char *));
-int ns_subdomain __P((const char *, const char *));
-int ns_makecanon __P((const char *, char *, size_t));
-int ns_samename __P((const char *, const char *));
-__END_DECLS
-
-#ifdef BIND_4_COMPAT
-#include <arpa/nameser_compat.h>
-#endif
-
-#endif /* !_ARPA_NAMESER_H_ */
diff --git a/contrib/bind9/lib/bind/include/arpa/nameser_compat.h b/contrib/bind9/lib/bind/include/arpa/nameser_compat.h
deleted file mode 100644
index 464f12e13aa5..000000000000
--- a/contrib/bind9/lib/bind/include/arpa/nameser_compat.h
+++ /dev/null
@@ -1,232 +0,0 @@
-/* Copyright (c) 1983, 1989
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * from nameser.h 8.1 (Berkeley) 6/2/93
- * $Id: nameser_compat.h,v 1.1.2.3.4.2 2004/07/01 04:43:41 marka Exp $
- */
-
-#ifndef _ARPA_NAMESER_COMPAT_
-#define _ARPA_NAMESER_COMPAT_
-
-#define __BIND 19950621 /* (DEAD) interface version stamp. */
-
-#ifndef BYTE_ORDER
-#if (BSD >= 199103)
-# include <machine/endian.h>
-#else
-#ifdef __linux
-# include <endian.h>
-#else
-#define LITTLE_ENDIAN 1234 /* least-significant byte first (vax, pc) */
-#define BIG_ENDIAN 4321 /* most-significant byte first (IBM, net) */
-#define PDP_ENDIAN 3412 /* LSB first in word, MSW first in long (pdp)*/
-
-#if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
- defined(MIPSEL) || defined(_MIPSEL) || defined(BIT_ZERO_ON_RIGHT) || \
- defined(__alpha__) || defined(__alpha) || \
- (defined(__Lynx__) && defined(__x86__))
-#define BYTE_ORDER LITTLE_ENDIAN
-#endif
-
-#if defined(sel) || defined(pyr) || defined(mc68000) || defined(sparc) || \
- defined(is68k) || defined(tahoe) || defined(ibm032) || defined(ibm370) || \
- defined(MIPSEB) || defined(_MIPSEB) || defined(_IBMR2) || defined(DGUX) ||\
- defined(apollo) || defined(__convex__) || defined(_CRAY) || \
- defined(__hppa) || defined(__hp9000) || \
- defined(__hp9000s300) || defined(__hp9000s700) || \
- defined(__hp3000s900) || defined(__hpux) || defined(MPE) || \
- defined (BIT_ZERO_ON_LEFT) || defined(m68k) || defined(__sparc) || \
- (defined(__Lynx__) && \
- (defined(__68k__) || defined(__sparc__) || defined(__powerpc__)))
-#define BYTE_ORDER BIG_ENDIAN
-#endif
-#endif /* __linux */
-#endif /* BSD */
-#endif /* BYTE_ORDER */
-
-#if !defined(BYTE_ORDER) || \
- (BYTE_ORDER != BIG_ENDIAN && BYTE_ORDER != LITTLE_ENDIAN && \
- BYTE_ORDER != PDP_ENDIAN)
- /* you must determine what the correct bit order is for
- * your compiler - the next line is an intentional error
- * which will force your compiles to bomb until you fix
- * the above macros.
- */
- error "Undefined or invalid BYTE_ORDER";
-#endif
-
-/*
- * Structure for query header. The order of the fields is machine- and
- * compiler-dependent, depending on the byte/bit order and the layout
- * of bit fields. We use bit fields only in int variables, as this
- * is all ANSI requires. This requires a somewhat confusing rearrangement.
- */
-
-typedef struct {
- unsigned id :16; /* query identification number */
-#if BYTE_ORDER == BIG_ENDIAN
- /* fields in third byte */
- unsigned qr: 1; /* response flag */
- unsigned opcode: 4; /* purpose of message */
- unsigned aa: 1; /* authoritive answer */
- unsigned tc: 1; /* truncated message */
- unsigned rd: 1; /* recursion desired */
- /* fields in fourth byte */
- unsigned ra: 1; /* recursion available */
- unsigned unused :1; /* unused bits (MBZ as of 4.9.3a3) */
- unsigned ad: 1; /* authentic data from named */
- unsigned cd: 1; /* checking disabled by resolver */
- unsigned rcode :4; /* response code */
-#endif
-#if BYTE_ORDER == LITTLE_ENDIAN || BYTE_ORDER == PDP_ENDIAN
- /* fields in third byte */
- unsigned rd :1; /* recursion desired */
- unsigned tc :1; /* truncated message */
- unsigned aa :1; /* authoritive answer */
- unsigned opcode :4; /* purpose of message */
- unsigned qr :1; /* response flag */
- /* fields in fourth byte */
- unsigned rcode :4; /* response code */
- unsigned cd: 1; /* checking disabled by resolver */
- unsigned ad: 1; /* authentic data from named */
- unsigned unused :1; /* unused bits (MBZ as of 4.9.3a3) */
- unsigned ra :1; /* recursion available */
-#endif
- /* remaining bytes */
- unsigned qdcount :16; /* number of question entries */
- unsigned ancount :16; /* number of answer entries */
- unsigned nscount :16; /* number of authority entries */
- unsigned arcount :16; /* number of resource entries */
-} HEADER;
-
-#define PACKETSZ NS_PACKETSZ
-#define MAXDNAME NS_MAXDNAME
-#define MAXCDNAME NS_MAXCDNAME
-#define MAXLABEL NS_MAXLABEL
-#define HFIXEDSZ NS_HFIXEDSZ
-#define QFIXEDSZ NS_QFIXEDSZ
-#define RRFIXEDSZ NS_RRFIXEDSZ
-#define INT32SZ NS_INT32SZ
-#define INT16SZ NS_INT16SZ
-#define INT8SZ NS_INT8SZ
-#define INADDRSZ NS_INADDRSZ
-#define IN6ADDRSZ NS_IN6ADDRSZ
-#define INDIR_MASK NS_CMPRSFLGS
-#define NAMESERVER_PORT NS_DEFAULTPORT
-
-#define S_ZONE ns_s_zn
-#define S_PREREQ ns_s_pr
-#define S_UPDATE ns_s_ud
-#define S_ADDT ns_s_ar
-
-#define QUERY ns_o_query
-#define IQUERY ns_o_iquery
-#define STATUS ns_o_status
-#define NS_NOTIFY_OP ns_o_notify
-#define NS_UPDATE_OP ns_o_update
-
-#define NOERROR ns_r_noerror
-#define FORMERR ns_r_formerr
-#define SERVFAIL ns_r_servfail
-#define NXDOMAIN ns_r_nxdomain
-#define NOTIMP ns_r_notimpl
-#define REFUSED ns_r_refused
-#define YXDOMAIN ns_r_yxdomain
-#define YXRRSET ns_r_yxrrset
-#define NXRRSET ns_r_nxrrset
-#define NOTAUTH ns_r_notauth
-#define NOTZONE ns_r_notzone
-/*#define BADSIG ns_r_badsig*/
-/*#define BADKEY ns_r_badkey*/
-/*#define BADTIME ns_r_badtime*/
-
-
-#define DELETE ns_uop_delete
-#define ADD ns_uop_add
-
-#define T_A ns_t_a
-#define T_NS ns_t_ns
-#define T_MD ns_t_md
-#define T_MF ns_t_mf
-#define T_CNAME ns_t_cname
-#define T_SOA ns_t_soa
-#define T_MB ns_t_mb
-#define T_MG ns_t_mg
-#define T_MR ns_t_mr
-#define T_NULL ns_t_null
-#define T_WKS ns_t_wks
-#define T_PTR ns_t_ptr
-#define T_HINFO ns_t_hinfo
-#define T_MINFO ns_t_minfo
-#define T_MX ns_t_mx
-#define T_TXT ns_t_txt
-#define T_RP ns_t_rp
-#define T_AFSDB ns_t_afsdb
-#define T_X25 ns_t_x25
-#define T_ISDN ns_t_isdn
-#define T_RT ns_t_rt
-#define T_NSAP ns_t_nsap
-#define T_NSAP_PTR ns_t_nsap_ptr
-#define T_SIG ns_t_sig
-#define T_KEY ns_t_key
-#define T_PX ns_t_px
-#define T_GPOS ns_t_gpos
-#define T_AAAA ns_t_aaaa
-#define T_LOC ns_t_loc
-#define T_NXT ns_t_nxt
-#define T_EID ns_t_eid
-#define T_NIMLOC ns_t_nimloc
-#define T_SRV ns_t_srv
-#define T_ATMA ns_t_atma
-#define T_NAPTR ns_t_naptr
-#define T_A6 ns_t_a6
-#define T_TSIG ns_t_tsig
-#define T_IXFR ns_t_ixfr
-#define T_AXFR ns_t_axfr
-#define T_MAILB ns_t_mailb
-#define T_MAILA ns_t_maila
-#define T_ANY ns_t_any
-
-#define C_IN ns_c_in
-#define C_CHAOS ns_c_chaos
-#define C_HS ns_c_hs
-/* BIND_UPDATE */
-#define C_NONE ns_c_none
-#define C_ANY ns_c_any
-
-#define GETSHORT NS_GET16
-#define GETLONG NS_GET32
-#define PUTSHORT NS_PUT16
-#define PUTLONG NS_PUT32
-
-#endif /* _ARPA_NAMESER_COMPAT_ */
diff --git a/contrib/bind9/lib/bind/include/fd_setsize.h b/contrib/bind9/lib/bind/include/fd_setsize.h
deleted file mode 100644
index 235b1ad1c222..000000000000
--- a/contrib/bind9/lib/bind/include/fd_setsize.h
+++ /dev/null
@@ -1,9 +0,0 @@
-#ifndef _FD_SETSIZE_H
-#define _FD_SETSIZE_H
-
-/*
- * If you need a bigger FD_SETSIZE, this is NOT the place to set it.
- * This file is a fallback for BIND ports which don't specify their own.
- */
-
-#endif /* _FD_SETSIZE_H */
diff --git a/contrib/bind9/lib/bind/include/hesiod.h b/contrib/bind9/lib/bind/include/hesiod.h
deleted file mode 100644
index 7165d486175b..000000000000
--- a/contrib/bind9/lib/bind/include/hesiod.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
- */
-
-/*
- * $Id: hesiod.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
- */
-
-#ifndef _HESIOD_H_INCLUDED
-#define _HESIOD_H_INCLUDED
-
-int hesiod_init __P((void **));
-void hesiod_end __P((void *));
-char * hesiod_to_bind __P((void *, const char *, const char *));
-char ** hesiod_resolve __P((void *, const char *, const char *));
-void hesiod_free_list __P((void *, char **));
-struct __res_state * __hesiod_res_get __P((void *));
-void __hesiod_res_set __P((void *, struct __res_state *,
- void (*)(void *)));
-
-#endif /*_HESIOD_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/include/irp.h b/contrib/bind9/lib/bind/include/irp.h
deleted file mode 100644
index 4462f208accd..000000000000
--- a/contrib/bind9/lib/bind/include/irp.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: irp.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
- */
-
-#ifndef _IRP_H_INCLUDED
-#define _IRP_H_INCLUDED
-
-#define IRPD_TIMEOUT 30 /* seconds */
-#define IRPD_MAXSESS 50 /* number of simultaneous sessions. */
-#define IRPD_PORT 6660 /* 10 times the number of the beast. */
-#define IRPD_PATH "/var/run/irpd" /* af_unix socket path */
-
-/* If sets the environment variable IRPDSERVER to an IP address
- (e.g. "192.5.5.1"), then that's the host the client expects irpd to be
- running on. */
-#define IRPD_HOST_ENV "IRPDSERVER"
-
-/* Protocol response codes. */
-#define IRPD_WELCOME_CODE 200
-#define IRPD_NOT_WELCOME_CODE 500
-
-#define IRPD_GETHOST_ERROR 510
-#define IRPD_GETHOST_NONE 210
-#define IRPD_GETHOST_OK 211
-#define IRPD_GETHOST_SETOK 212
-
-#define IRPD_GETNET_ERROR 520
-#define IRPD_GETNET_NONE 220
-#define IRPD_GETNET_OK 221
-#define IRPD_GETNET_SETOK 222
-
-#define IRPD_GETUSER_ERROR 530
-#define IRPD_GETUSER_NONE 230
-#define IRPD_GETUSER_OK 231
-#define IRPD_GETUSER_SETOK 232
-
-#define IRPD_GETGROUP_ERROR 540
-#define IRPD_GETGROUP_NONE 240
-#define IRPD_GETGROUP_OK 241
-#define IRPD_GETGROUP_SETOK 242
-
-#define IRPD_GETSERVICE_ERROR 550
-#define IRPD_GETSERVICE_NONE 250
-#define IRPD_GETSERVICE_OK 251
-#define IRPD_GETSERVICE_SETOK 252
-
-#define IRPD_GETPROTO_ERROR 560
-#define IRPD_GETPROTO_NONE 260
-#define IRPD_GETPROTO_OK 261
-#define IRPD_GETPROTO_SETOK 262
-
-#define IRPD_GETNETGR_ERROR 570
-#define IRPD_GETNETGR_NONE 270
-#define IRPD_GETNETGR_OK 271
-#define IRPD_GETNETGR_NOMORE 272
-#define IRPD_GETNETGR_MATCHES 273
-#define IRPD_GETNETGR_NOMATCH 274
-#define IRPD_GETNETGR_SETOK 275
-#define IRPD_GETNETGR_SETERR 276
-
-#define irs_irp_read_body __irs_irp_read_body
-#define irs_irp_read_response __irs_irp_read_response
-#define irs_irp_disconnect __irs_irp_disconnect
-#define irs_irp_connect __irs_irp_connect
-#define irs_irp_connection_setup __irs_irp_connection_setup
-#define irs_irp_send_command __irs_irp_send_command
-
-struct irp_p;
-
-char *irs_irp_read_body(struct irp_p *, size_t *);
-int irs_irp_read_response(struct irp_p *, char *, size_t);
-void irs_irp_disconnect(struct irp_p *);
-int irs_irp_connect(struct irp_p *);
-int irs_irp_is_connected(struct irp_p *);
-int irs_irp_connection_setup(struct irp_p *, int *);
-#ifdef __GNUC__
-int irs_irp_send_command(struct irp_p *, const char *, ...)
- __attribute__((__format__(__printf__, 2, 3)));
-#else
-int irs_irp_send_command(struct irp_p *, const char *, ...);
-#endif
-int irs_irp_get_full_response(struct irp_p *, int *, char *, size_t,
- char **, size_t *);
-int irs_irp_read_line(struct irp_p *, char *, int);
-
-#endif
diff --git a/contrib/bind9/lib/bind/include/irs.h b/contrib/bind9/lib/bind/include/irs.h
deleted file mode 100644
index a3b7903df79f..000000000000
--- a/contrib/bind9/lib/bind/include/irs.h
+++ /dev/null
@@ -1,345 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: irs.h,v 1.2.2.1.4.1 2004/03/09 08:33:29 marka Exp $
- */
-
-#ifndef _IRS_H_INCLUDED
-#define _IRS_H_INCLUDED
-
-#include <sys/types.h>
-
-#include <arpa/nameser.h>
-
-#include <grp.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <pwd.h>
-
-/*
- * This is the group map class.
- */
-struct irs_gr {
- void * private;
- void (*close) __P((struct irs_gr *));
- struct group * (*next) __P((struct irs_gr *));
- struct group * (*byname) __P((struct irs_gr *, const char *));
- struct group * (*bygid) __P((struct irs_gr *, gid_t));
- int (*list) __P((struct irs_gr *, const char *,
- gid_t, gid_t *, int *));
- void (*rewind) __P((struct irs_gr *));
- void (*minimize) __P((struct irs_gr *));
- struct __res_state * (*res_get) __P((struct irs_gr *));
- void (*res_set) __P((struct irs_gr *, res_state,
- void (*)(void *)));
-};
-
-/*
- * This is the password map class.
- */
-struct irs_pw {
- void * private;
- void (*close) __P((struct irs_pw *));
- struct passwd * (*next) __P((struct irs_pw *));
- struct passwd * (*byname) __P((struct irs_pw *, const char *));
- struct passwd * (*byuid) __P((struct irs_pw *, uid_t));
- void (*rewind) __P((struct irs_pw *));
- void (*minimize) __P((struct irs_pw *));
- struct __res_state * (*res_get) __P((struct irs_pw *));
- void (*res_set) __P((struct irs_pw *, res_state,
- void (*)(void *)));
-};
-
-/*
- * This is the service map class.
- */
-struct irs_sv {
- void * private;
- void (*close) __P((struct irs_sv *));
- struct servent *(*byname) __P((struct irs_sv *,
- const char *, const char *));
- struct servent *(*byport) __P((struct irs_sv *, int, const char *));
- struct servent *(*next) __P((struct irs_sv *));
- void (*rewind) __P((struct irs_sv *));
- void (*minimize) __P((struct irs_sv *));
- struct __res_state * (*res_get) __P((struct irs_sv *));
- void (*res_set) __P((struct irs_sv *, res_state,
- void (*)(void *)));
-};
-
-/*
- * This is the protocols map class.
- */
-struct irs_pr {
- void * private;
- void (*close) __P((struct irs_pr *));
- struct protoent *(*byname) __P((struct irs_pr *, const char *));
- struct protoent *(*bynumber) __P((struct irs_pr *, int));
- struct protoent *(*next) __P((struct irs_pr *));
- void (*rewind) __P((struct irs_pr *));
- void (*minimize) __P((struct irs_pr *));
- struct __res_state * (*res_get) __P((struct irs_pr *));
- void (*res_set) __P((struct irs_pr *, res_state,
- void (*)(void *)));
-};
-
-/*
- * This is the hosts map class.
- */
-struct irs_ho {
- void * private;
- void (*close) __P((struct irs_ho *));
- struct hostent *(*byname) __P((struct irs_ho *, const char *));
- struct hostent *(*byname2) __P((struct irs_ho *, const char *, int));
- struct hostent *(*byaddr) __P((struct irs_ho *,
- const void *, int, int));
- struct hostent *(*next) __P((struct irs_ho *));
- void (*rewind) __P((struct irs_ho *));
- void (*minimize) __P((struct irs_ho *));
- struct __res_state * (*res_get) __P((struct irs_ho *));
- void (*res_set) __P((struct irs_ho *, res_state,
- void (*)(void *)));
- struct addrinfo *(*addrinfo) __P((struct irs_ho *, const char *,
- const struct addrinfo *));
-};
-
-/*
- * This is the networks map class.
- */
-struct irs_nw {
- void * private;
- void (*close) __P((struct irs_nw *));
- struct nwent * (*byname) __P((struct irs_nw *, const char *, int));
- struct nwent * (*byaddr) __P((struct irs_nw *, void *, int, int));
- struct nwent * (*next) __P((struct irs_nw *));
- void (*rewind) __P((struct irs_nw *));
- void (*minimize) __P((struct irs_nw *));
- struct __res_state * (*res_get) __P((struct irs_nw *));
- void (*res_set) __P((struct irs_nw *, res_state,
- void (*)(void *)));
-};
-
-/*
- * This is the netgroups map class.
- */
-struct irs_ng {
- void * private;
- void (*close) __P((struct irs_ng *));
- int (*next) __P((struct irs_ng *, const char **,
- const char **, const char **));
- int (*test) __P((struct irs_ng *, const char *,
- const char *, const char *,
- const char *));
- void (*rewind) __P((struct irs_ng *, const char *));
- void (*minimize) __P((struct irs_ng *));
-};
-
-/*
- * This is the generic map class, which copies the front of all others.
- */
-struct irs_map {
- void * private;
- void (*close) __P((void *));
-};
-
-/*
- * This is the accessor class. It contains pointers to all of the
- * initializers for the map classes for a particular accessor.
- */
-struct irs_acc {
- void * private;
- void (*close) __P((struct irs_acc *));
- struct irs_gr * (*gr_map) __P((struct irs_acc *));
- struct irs_pw * (*pw_map) __P((struct irs_acc *));
- struct irs_sv * (*sv_map) __P((struct irs_acc *));
- struct irs_pr * (*pr_map) __P((struct irs_acc *));
- struct irs_ho * (*ho_map) __P((struct irs_acc *));
- struct irs_nw * (*nw_map) __P((struct irs_acc *));
- struct irs_ng * (*ng_map) __P((struct irs_acc *));
- struct __res_state * (*res_get) __P((struct irs_acc *));
- void (*res_set) __P((struct irs_acc *, res_state,
- void (*)(void *)));
-};
-
-/*
- * This is because the official definition of "struct netent" has no
- * concept of CIDR even though it allows variant address families (on
- * output but not input). The compatibility stubs convert the structs
- * below into "struct netent"'s.
- */
-struct nwent {
- char *n_name; /* official name of net */
- char **n_aliases; /* alias list */
- int n_addrtype; /* net address type */
- void *n_addr; /* network address */
- int n_length; /* address length, in bits */
-};
-
-/*
- * Hide external function names from POSIX.
- */
-#define irs_gen_acc __irs_gen_acc
-#define irs_lcl_acc __irs_lcl_acc
-#define irs_dns_acc __irs_dns_acc
-#define irs_nis_acc __irs_nis_acc
-#define irs_irp_acc __irs_irp_acc
-#define irs_destroy __irs_destroy
-#define irs_dns_gr __irs_dns_gr
-#define irs_dns_ho __irs_dns_ho
-#define irs_dns_nw __irs_dns_nw
-#define irs_dns_pr __irs_dns_pr
-#define irs_dns_pw __irs_dns_pw
-#define irs_dns_sv __irs_dns_sv
-#define irs_gen_gr __irs_gen_gr
-#define irs_gen_ho __irs_gen_ho
-#define irs_gen_ng __irs_gen_ng
-#define irs_gen_nw __irs_gen_nw
-#define irs_gen_pr __irs_gen_pr
-#define irs_gen_pw __irs_gen_pw
-#define irs_gen_sv __irs_gen_sv
-#define irs_irp_get_full_response __irs_irp_get_full_response
-#define irs_irp_gr __irs_irp_gr
-#define irs_irp_ho __irs_irp_ho
-#define irs_irp_is_connected __irs_irp_is_connected
-#define irs_irp_ng __irs_irp_ng
-#define irs_irp_nw __irs_irp_nw
-#define irs_irp_pr __irs_irp_pr
-#define irs_irp_pw __irs_irp_pw
-#define irs_irp_read_line __irs_irp_read_line
-#define irs_irp_sv __irs_irp_sv
-#define irs_lcl_gr __irs_lcl_gr
-#define irs_lcl_ho __irs_lcl_ho
-#define irs_lcl_ng __irs_lcl_ng
-#define irs_lcl_nw __irs_lcl_nw
-#define irs_lcl_pr __irs_lcl_pr
-#define irs_lcl_pw __irs_lcl_pw
-#define irs_lcl_sv __irs_lcl_sv
-#define irs_nis_gr __irs_nis_gr
-#define irs_nis_ho __irs_nis_ho
-#define irs_nis_ng __irs_nis_ng
-#define irs_nis_nw __irs_nis_nw
-#define irs_nis_pr __irs_nis_pr
-#define irs_nis_pw __irs_nis_pw
-#define irs_nis_sv __irs_nis_sv
-#define net_data_create __net_data_create
-#define net_data_destroy __net_data_destroy
-#define net_data_minimize __net_data_minimize
-
-/*
- * Externs.
- */
-extern struct irs_acc * irs_gen_acc __P((const char *, const char *));
-extern struct irs_acc * irs_lcl_acc __P((const char *));
-extern struct irs_acc * irs_dns_acc __P((const char *));
-extern struct irs_acc * irs_nis_acc __P((const char *));
-extern struct irs_acc * irs_irp_acc __P((const char *));
-
-extern void irs_destroy __P((void));
-
-/*
- * These forward declarations are for the semi-private functions in
- * the get*.c files. Each of these funcs implements the real get*
- * functionality and the standard versions are just wrappers that
- * call these. Apart from the wrappers, only irpd is expected to
- * call these directly, hence these decls are put here and not in
- * the /usr/include replacements.
- */
-
-struct net_data; /* forward */
-
-/*
- * net_data_create gets a singleton net_data object. net_data_init
- * creates as many net_data objects as times it is called. Clients using
- * the default interface will use net_data_create by default. Servers will
- * probably want net_data_init (one call per client)
- */
-struct net_data *net_data_create __P((const char *));
-struct net_data *net_data_init __P((const char *));
-void net_data_destroy __P((void *));
-
-extern struct group *getgrent_p __P((struct net_data *));
-extern struct group *getgrnam_p __P((const char *, struct net_data *));
-extern struct group *getgrgid_p __P((gid_t, struct net_data *));
-extern int setgroupent_p __P((int, struct net_data *));
-extern void endgrent_p __P((struct net_data *));
-extern int getgrouplist_p __P((const char *, gid_t, gid_t *, int *,
- struct net_data *));
-
-#ifdef SETGRENT_VOID
-extern void setgrent_p __P((struct net_data *));
-#else
-extern int setgrent_p __P((struct net_data *));
-#endif
-
-extern struct hostent *gethostbyname_p __P((const char *,
- struct net_data *));
-extern struct hostent *gethostbyname2_p __P((const char *, int,
- struct net_data *));
-extern struct hostent *gethostbyaddr_p __P((const char *, int, int,
- struct net_data *));
-extern struct hostent *gethostent_p __P((struct net_data *));
-extern void sethostent_p __P((int, struct net_data *));
-extern void endhostent_p __P((struct net_data *));
-extern struct hostent *getipnodebyname_p __P((const char *, int, int, int *,
- struct net_data *));
-extern struct hostent *getipnodebyaddr_p __P((const void *, size_t,
- int, int *, struct net_data *));
-
-extern struct netent *getnetent_p __P((struct net_data *));
-extern struct netent *getnetbyname_p __P((const char *, struct net_data *));
-extern struct netent *getnetbyaddr_p __P((unsigned long, int,
- struct net_data *));
-extern void setnetent_p __P((int, struct net_data *));
-extern void endnetent_p __P((struct net_data *));
-
-extern void setnetgrent_p __P((const char *, struct net_data *));
-extern void endnetgrent_p __P((struct net_data *));
-extern int innetgr_p __P((const char *, const char *, const char *,
- const char *, struct net_data *));
-extern int getnetgrent_p __P((const char **, const char **,
- const char **, struct net_data *));
-
-extern struct protoent *getprotoent_p __P((struct net_data *));
-extern struct protoent *getprotobyname_p __P((const char *,
- struct net_data *));
-extern struct protoent *getprotobynumber_p __P((int, struct net_data *));
-extern void setprotoent_p __P((int, struct net_data *));
-extern void endprotoent_p __P((struct net_data *));
-
-
-extern struct passwd *getpwent_p __P((struct net_data *));
-extern struct passwd *getpwnam_p __P((const char *, struct net_data *));
-extern struct passwd *getpwuid_p __P((uid_t, struct net_data *));
-extern int setpassent_p __P((int, struct net_data *));
-extern void endpwent_p __P((struct net_data *));
-
-#ifdef SETPWENT_VOID
-extern void setpwent_p __P((struct net_data *));
-#else
-extern int setpwent_p __P((struct net_data *));
-#endif
-
-extern struct servent *getservent_p __P((struct net_data *));
-extern struct servent *getservbyname_p __P((const char *, const char *,
- struct net_data *));
-extern struct servent *getservbyport_p __P((int, const char *,
- struct net_data *));
-extern void setservent_p __P((int, struct net_data *));
-extern void endservent_p __P((struct net_data *));
-
-#endif /*_IRS_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/include/isc/assertions.h b/contrib/bind9/lib/bind/include/isc/assertions.h
deleted file mode 100644
index 9a9b9dec9855..000000000000
--- a/contrib/bind9/lib/bind/include/isc/assertions.h
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: assertions.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
- */
-
-#ifndef ASSERTIONS_H
-#define ASSERTIONS_H 1
-
-typedef enum {
- assert_require, assert_ensure, assert_insist, assert_invariant
-} assertion_type;
-
-typedef void (*assertion_failure_callback)(const char *, int, assertion_type,
- const char *, int);
-
-extern assertion_failure_callback __assertion_failed;
-void set_assertion_failure_callback(assertion_failure_callback f);
-const char *assertion_type_to_text(assertion_type type);
-
-#ifdef CHECK_ALL
-#define CHECK_REQUIRE 1
-#define CHECK_ENSURE 1
-#define CHECK_INSIST 1
-#define CHECK_INVARIANT 1
-#endif
-
-#ifdef CHECK_NONE
-#define CHECK_REQUIRE 0
-#define CHECK_ENSURE 0
-#define CHECK_INSIST 0
-#define CHECK_INVARIANT 0
-#endif
-
-#ifndef CHECK_REQUIRE
-#define CHECK_REQUIRE 1
-#endif
-
-#ifndef CHECK_ENSURE
-#define CHECK_ENSURE 1
-#endif
-
-#ifndef CHECK_INSIST
-#define CHECK_INSIST 1
-#endif
-
-#ifndef CHECK_INVARIANT
-#define CHECK_INVARIANT 1
-#endif
-
-#if CHECK_REQUIRE != 0
-#define REQUIRE(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_require, \
- #cond, 0), 0)))
-#define REQUIRE_ERR(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_require, \
- #cond, 1), 0)))
-#else
-#define REQUIRE(cond) ((void) (cond))
-#define REQUIRE_ERR(cond) ((void) (cond))
-#endif /* CHECK_REQUIRE */
-
-#if CHECK_ENSURE != 0
-#define ENSURE(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \
- #cond, 0), 0)))
-#define ENSURE_ERR(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \
- #cond, 1), 0)))
-#else
-#define ENSURE(cond) ((void) (cond))
-#define ENSURE_ERR(cond) ((void) (cond))
-#endif /* CHECK_ENSURE */
-
-#if CHECK_INSIST != 0
-#define INSIST(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \
- #cond, 0), 0)))
-#define INSIST_ERR(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \
- #cond, 1), 0)))
-#else
-#define INSIST(cond) ((void) (cond))
-#define INSIST_ERR(cond) ((void) (cond))
-#endif /* CHECK_INSIST */
-
-#if CHECK_INVARIANT != 0
-#define INVARIANT(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \
- #cond, 0), 0)))
-#define INVARIANT_ERR(cond) \
- ((void) ((cond) || \
- ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \
- #cond, 1), 0)))
-#else
-#define INVARIANT(cond) ((void) (cond))
-#define INVARIANT_ERR(cond) ((void) (cond))
-#endif /* CHECK_INVARIANT */
-
-#endif /* ASSERTIONS_H */
diff --git a/contrib/bind9/lib/bind/include/isc/ctl.h b/contrib/bind9/lib/bind/include/isc/ctl.h
deleted file mode 100644
index 74957bcb8169..000000000000
--- a/contrib/bind9/lib/bind/include/isc/ctl.h
+++ /dev/null
@@ -1,109 +0,0 @@
-#ifndef ISC_CTL_H
-#define ISC_CTL_H
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: ctl.h,v 1.1.2.2.4.1 2004/03/09 08:33:30 marka Exp $
- */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <isc/eventlib.h>
-
-/* Macros. */
-
-#define CTL_MORE 0x0001 /* More will be / should be sent. */
-#define CTL_EXIT 0x0002 /* Close connection after this. */
-#define CTL_DATA 0x0004 /* Go into / this is DATA mode. */
-
-/* Types. */
-
-struct ctl_cctx;
-struct ctl_sctx;
-struct ctl_sess;
-struct ctl_verb;
-
-enum ctl_severity { ctl_debug, ctl_warning, ctl_error };
-
-typedef void (*ctl_logfunc)(enum ctl_severity, const char *, ...);
-
-typedef void (*ctl_verbfunc)(struct ctl_sctx *, struct ctl_sess *,
- const struct ctl_verb *, const char *,
- u_int, const void *, void *);
-
-typedef void (*ctl_srvrdone)(struct ctl_sctx *, struct ctl_sess *, void *);
-
-typedef void (*ctl_clntdone)(struct ctl_cctx *, void *, const char *, u_int);
-
-struct ctl_verb {
- const char * name;
- ctl_verbfunc func;
- const char * help;
-};
-
-/* General symbols. */
-
-#define ctl_logger __ctl_logger
-
-#ifdef __GNUC__
-void ctl_logger(enum ctl_severity, const char *, ...)
- __attribute__((__format__(__printf__, 2, 3)));
-#else
-void ctl_logger(enum ctl_severity, const char *, ...);
-#endif
-
-/* Client symbols. */
-
-#define ctl_client __ctl_client
-#define ctl_endclient __ctl_endclient
-#define ctl_command __ctl_command
-
-struct ctl_cctx * ctl_client(evContext, const struct sockaddr *, size_t,
- const struct sockaddr *, size_t,
- ctl_clntdone, void *,
- u_int, ctl_logfunc);
-void ctl_endclient(struct ctl_cctx *);
-int ctl_command(struct ctl_cctx *, const char *, size_t,
- ctl_clntdone, void *);
-
-/* Server symbols. */
-
-#define ctl_server __ctl_server
-#define ctl_endserver __ctl_endserver
-#define ctl_response __ctl_response
-#define ctl_sendhelp __ctl_sendhelp
-#define ctl_getcsctx __ctl_getcsctx
-#define ctl_setcsctx __ctl_setcsctx
-
-struct ctl_sctx * ctl_server(evContext, const struct sockaddr *, size_t,
- const struct ctl_verb *,
- u_int, u_int,
- u_int, int, int,
- ctl_logfunc, void *);
-void ctl_endserver(struct ctl_sctx *);
-void ctl_response(struct ctl_sess *, u_int,
- const char *, u_int, const void *,
- ctl_srvrdone, void *,
- const char *, size_t);
-void ctl_sendhelp(struct ctl_sess *, u_int);
-void * ctl_getcsctx(struct ctl_sess *);
-void * ctl_setcsctx(struct ctl_sess *, void *);
-
-#endif /*ISC_CTL_H*/
diff --git a/contrib/bind9/lib/bind/include/isc/dst.h b/contrib/bind9/lib/bind/include/isc/dst.h
deleted file mode 100644
index fe9229725a91..000000000000
--- a/contrib/bind9/lib/bind/include/isc/dst.h
+++ /dev/null
@@ -1,180 +0,0 @@
-#ifndef DST_H
-#define DST_H
-
-#ifndef HAS_DST_KEY
-typedef struct dst_key {
- char *dk_key_name; /* name of the key */
- int dk_key_size; /* this is the size of the key in bits */
- int dk_proto; /* what protocols this key can be used for */
- int dk_alg; /* algorithm number from key record */
- u_int32_t dk_flags; /* and the flags of the public key */
- u_int16_t dk_id; /* identifier of the key */
-} DST_KEY;
-#endif /* HAS_DST_KEY */
-
-/*
- * do not taint namespace
- */
-#define dst_bsafe_init __dst_bsafe_init
-#define dst_buffer_to_key __dst_buffer_to_key
-#define dst_check_algorithm __dst_check_algorithm
-#define dst_compare_keys __dst_compare_keys
-#define dst_cylink_init __dst_cylink_init
-#define dst_dnskey_to_key __dst_dnskey_to_key
-#define dst_eay_dss_init __dst_eay_dss_init
-#define dst_free_key __dst_free_key
-#define dst_generate_key __dst_generate_key
-#define dst_hmac_md5_init __dst_hmac_md5_init
-#define dst_init __dst_init
-#define dst_key_to_buffer __dst_key_to_buffer
-#define dst_key_to_dnskey __dst_key_to_dnskey
-#define dst_read_key __dst_read_key
-#define dst_rsaref_init __dst_rsaref_init
-#define dst_s_build_filename __dst_s_build_filename
-#define dst_s_calculate_bits __dst_s_calculate_bits
-#define dst_s_conv_bignum_b64_to_u8 __dst_s_conv_bignum_b64_to_u8
-#define dst_s_conv_bignum_u8_to_b64 __dst_s_conv_bignum_u8_to_b64
-#define dst_s_dns_key_id __dst_s_dns_key_id
-#define dst_s_dump __dst_s_dump
-#define dst_s_filename_length __dst_s_filename_length
-#define dst_s_fopen __dst_s_fopen
-#define dst_s_get_int16 __dst_s_get_int16
-#define dst_s_get_int32 __dst_s_get_int32
-#define dst_s_id_calc __dst_s_id_calc
-#define dst_s_put_int16 __dst_s_put_int16
-#define dst_s_put_int32 __dst_s_put_int32
-#define dst_s_quick_random __dst_s_quick_random
-#define dst_s_quick_random_set __dst_s_quick_random_set
-#define dst_s_random __dst_s_random
-#define dst_s_semi_random __dst_s_semi_random
-#define dst_s_verify_str __dst_s_verify_str
-#define dst_sig_size __dst_sig_size
-#define dst_sign_data __dst_sign_data
-#define dst_verify_data __dst_verify_data
-#define dst_write_key __dst_write_key
-
-/*
- * DST Crypto API defintions
- */
-void dst_init(void);
-int dst_check_algorithm(const int);
-
-int dst_sign_data(const int, /* specifies INIT/UPDATE/FINAL/ALL */
- DST_KEY *, /* the key to use */
- void **, /* pointer to state structure */
- const u_char *, /* data to be signed */
- const int, /* length of input data */
- u_char *, /* buffer to write signature to */
- const int); /* size of output buffer */
-
-int dst_verify_data(const int, /* specifies INIT/UPDATE/FINAL/ALL */
- DST_KEY *, /* the key to use */
- void **, /* pointer to state structure */
- const u_char *, /* data to be verified */
- const int, /* length of input data */
- const u_char *, /* buffer containing signature */
- const int); /* length of signature */
-
-
-DST_KEY *dst_read_key(const char *, /* name of key */
- const u_int16_t, /* key tag identifier */
- const int, /* key algorithm */
- const int); /* Private/PublicKey wanted*/
-
-int dst_write_key(const DST_KEY *, /* key to write out */
- const int); /* Public/Private */
-
-DST_KEY *dst_dnskey_to_key(const char *, /* KEY record name */
- const u_char *, /* KEY RDATA */
- const int); /* size of input buffer*/
-
-
-int dst_key_to_dnskey(const DST_KEY *, /* key to translate */
- u_char *, /* output buffer */
- const int); /* size of out_storage*/
-
-
-DST_KEY *dst_buffer_to_key(const char *, /* name of the key */
- const int, /* algorithm */
- const int, /* dns flags */
- const int, /* dns protocol */
- const u_char *, /* key in dns wire fmt */
- const int); /* size of key */
-
-
-int dst_key_to_buffer(DST_KEY *, u_char *, int);
-
-DST_KEY *dst_generate_key(const char *, /* name of new key */
- const int, /* key algorithm to generate */
- const int, /* size of new key */
- const int, /* alg dependent parameter*/
- const int, /* key DNS flags */
- const int); /* key DNS protocol */
-
-DST_KEY *dst_free_key(DST_KEY *);
-int dst_compare_keys(const DST_KEY *, const DST_KEY *);
-
-int dst_sig_size(DST_KEY *);
-
-
-/* support for dns key tags/ids */
-u_int16_t dst_s_dns_key_id(const u_char *, const int);
-u_int16_t dst_s_id_calc(const u_char *, const int);
-
-/* Used by callers as well as by the library. */
-#define RAW_KEY_SIZE 8192 /* large enough to store any key */
-
-/* DST_API control flags */
-/* These are used used in functions dst_sign_data and dst_verify_data */
-#define SIG_MODE_INIT 1 /* initialize digest */
-#define SIG_MODE_UPDATE 2 /* add data to digest */
-#define SIG_MODE_FINAL 4 /* generate/verify signature */
-#define SIG_MODE_ALL (SIG_MODE_INIT|SIG_MODE_UPDATE|SIG_MODE_FINAL)
-
-/* Flags for dst_read_private_key() */
-#define DST_FORCE_READ 0x1000000
-#define DST_CAN_SIGN 0x010F
-#define DST_NO_AUTHEN 0x8000
-#define DST_EXTEND_FLAG 0x1000
-#define DST_STANDARD 0
-#define DST_PRIVATE 0x2000000
-#define DST_PUBLIC 0x4000000
-#define DST_RAND_SEMI 1
-#define DST_RAND_STD 2
-#define DST_RAND_KEY 3
-#define DST_RAND_DSS 4
-
-
-/* DST algorithm codes */
-#define KEY_RSA 1
-#define KEY_DH 2
-#define KEY_DSA 3
-#define KEY_PRIVATE 254
-#define KEY_EXPAND 255
-#define KEY_HMAC_MD5 157
-#define KEY_HMAC_SHA1 158
-#define UNKNOWN_KEYALG 0
-#define DST_MAX_ALGS KEY_HMAC_SHA1
-
-/* DST constants to locations in KEY record changes in new KEY record */
-#define DST_FLAGS_SIZE 2
-#define DST_KEY_PROT 2
-#define DST_KEY_ALG 3
-#define DST_EXT_FLAG 4
-#define DST_KEY_START 4
-
-#ifndef SIGN_F_NOKEY
-#define SIGN_F_NOKEY 0xC000
-#endif
-
-/* error codes from dst routines */
-#define SIGN_INIT_FAILURE (-23)
-#define SIGN_UPDATE_FAILURE (-24)
-#define SIGN_FINAL_FAILURE (-25)
-#define VERIFY_INIT_FAILURE (-26)
-#define VERIFY_UPDATE_FAILURE (-27)
-#define VERIFY_FINAL_FAILURE (-28)
-#define MISSING_KEY_OR_SIGNATURE (-30)
-#define UNSUPPORTED_KEYALG (-31)
-
-#endif /* DST_H */
diff --git a/contrib/bind9/lib/bind/include/isc/eventlib.h b/contrib/bind9/lib/bind/include/isc/eventlib.h
deleted file mode 100644
index 033b3123d7cc..000000000000
--- a/contrib/bind9/lib/bind/include/isc/eventlib.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* eventlib.h - exported interfaces for eventlib
- * vix 09sep95 [initial]
- *
- * $Id: eventlib.h,v 1.1.2.1.4.2 2005/07/28 07:43:18 marka Exp $
- */
-
-#ifndef _EVENTLIB_H
-#define _EVENTLIB_H
-
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <sys/time.h>
-#include <stdio.h>
-
-#ifndef __P
-# define __EVENTLIB_P_DEFINED
-# ifdef __STDC__
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-/* In the absence of branded types... */
-typedef struct { void *opaque; } evConnID;
-typedef struct { void *opaque; } evFileID;
-typedef struct { void *opaque; } evStreamID;
-typedef struct { void *opaque; } evTimerID;
-typedef struct { void *opaque; } evWaitID;
-typedef struct { void *opaque; } evContext;
-typedef struct { void *opaque; } evEvent;
-
-#define evInitID(id) ((id)->opaque = NULL)
-#define evTestID(id) ((id).opaque != NULL)
-
-typedef void (*evConnFunc)__P((evContext, void *, int, const void *, int,
- const void *, int));
-typedef void (*evFileFunc)__P((evContext, void *, int, int));
-typedef void (*evStreamFunc)__P((evContext, void *, int, int));
-typedef void (*evTimerFunc)__P((evContext, void *,
- struct timespec, struct timespec));
-typedef void (*evWaitFunc)__P((evContext, void *, const void *));
-
-typedef struct { unsigned char mask[256/8]; } evByteMask;
-#define EV_BYTEMASK_BYTE(b) ((b) / 8)
-#define EV_BYTEMASK_MASK(b) (1 << ((b) % 8))
-#define EV_BYTEMASK_SET(bm, b) \
- ((bm).mask[EV_BYTEMASK_BYTE(b)] |= EV_BYTEMASK_MASK(b))
-#define EV_BYTEMASK_CLR(bm, b) \
- ((bm).mask[EV_BYTEMASK_BYTE(b)] &= ~EV_BYTEMASK_MASK(b))
-#define EV_BYTEMASK_TST(bm, b) \
- ((bm).mask[EV_BYTEMASK_BYTE(b)] & EV_BYTEMASK_MASK(b))
-
-#define EV_POLL 1
-#define EV_WAIT 2
-#define EV_NULL 4
-
-#define EV_READ 1
-#define EV_WRITE 2
-#define EV_EXCEPT 4
-
-#define EV_WASNONBLOCKING 8 /* Internal library use. */
-
-/* eventlib.c */
-#define evCreate __evCreate
-#define evSetDebug __evSetDebug
-#define evDestroy __evDestroy
-#define evGetNext __evGetNext
-#define evDispatch __evDispatch
-#define evDrop __evDrop
-#define evMainLoop __evMainLoop
-#define evHighestFD __evHighestFD
-#define evGetOption __evGetOption
-#define evSetOption __evSetOption
-
-int evCreate __P((evContext *));
-void evSetDebug __P((evContext, int, FILE *));
-int evDestroy __P((evContext));
-int evGetNext __P((evContext, evEvent *, int));
-int evDispatch __P((evContext, evEvent));
-void evDrop __P((evContext, evEvent));
-int evMainLoop __P((evContext));
-int evHighestFD __P((evContext));
-int evGetOption __P((evContext *, const char *, int *));
-int evSetOption __P((evContext *, const char *, int));
-
-/* ev_connects.c */
-#define evListen __evListen
-#define evConnect __evConnect
-#define evCancelConn __evCancelConn
-#define evHold __evHold
-#define evUnhold __evUnhold
-#define evTryAccept __evTryAccept
-
-int evListen __P((evContext, int, int, evConnFunc, void *, evConnID *));
-int evConnect __P((evContext, int, const void *, int,
- evConnFunc, void *, evConnID *));
-int evCancelConn __P((evContext, evConnID));
-int evHold __P((evContext, evConnID));
-int evUnhold __P((evContext, evConnID));
-int evTryAccept __P((evContext, evConnID, int *));
-
-/* ev_files.c */
-#define evSelectFD __evSelectFD
-#define evDeselectFD __evDeselectFD
-
-int evSelectFD __P((evContext, int, int, evFileFunc, void *, evFileID *));
-int evDeselectFD __P((evContext, evFileID));
-
-/* ev_streams.c */
-#define evConsIovec __evConsIovec
-#define evWrite __evWrite
-#define evRead __evRead
-#define evTimeRW __evTimeRW
-#define evUntimeRW __evUntimeRW
-#define evCancelRW __evCancelRW
-
-struct iovec evConsIovec __P((void *, size_t));
-int evWrite __P((evContext, int, const struct iovec *, int,
- evStreamFunc func, void *, evStreamID *));
-int evRead __P((evContext, int, const struct iovec *, int,
- evStreamFunc func, void *, evStreamID *));
-int evTimeRW __P((evContext, evStreamID, evTimerID timer));
-int evUntimeRW __P((evContext, evStreamID));
-int evCancelRW __P((evContext, evStreamID));
-
-/* ev_timers.c */
-#define evConsTime __evConsTime
-#define evAddTime __evAddTime
-#define evSubTime __evSubTime
-#define evCmpTime __evCmpTime
-#define evTimeSpec __evTimeSpec
-#define evTimeVal __evTimeVal
-
-#define evNowTime __evNowTime
-#define evUTCTime __evUTCTime
-#define evLastEventTime __evLastEventTime
-#define evSetTimer __evSetTimer
-#define evClearTimer __evClearTimer
-#define evConfigTimer __evConfigTimer
-#define evResetTimer __evResetTimer
-#define evSetIdleTimer __evSetIdleTimer
-#define evClearIdleTimer __evClearIdleTimer
-#define evResetIdleTimer __evResetIdleTimer
-#define evTouchIdleTimer __evTouchIdleTimer
-
-struct timespec evConsTime __P((time_t sec, long nsec));
-struct timespec evAddTime __P((struct timespec, struct timespec));
-struct timespec evSubTime __P((struct timespec, struct timespec));
-struct timespec evNowTime __P((void));
-struct timespec evUTCTime __P((void));
-struct timespec evLastEventTime __P((evContext));
-struct timespec evTimeSpec __P((struct timeval));
-struct timeval evTimeVal __P((struct timespec));
-int evCmpTime __P((struct timespec, struct timespec));
-int evSetTimer __P((evContext, evTimerFunc, void *, struct timespec,
- struct timespec, evTimerID *));
-int evClearTimer __P((evContext, evTimerID));
-int evConfigTimer __P((evContext, evTimerID, const char *param,
- int value));
-int evResetTimer __P((evContext, evTimerID, evTimerFunc, void *,
- struct timespec, struct timespec));
-int evSetIdleTimer __P((evContext, evTimerFunc, void *, struct timespec,
- evTimerID *));
-int evClearIdleTimer __P((evContext, evTimerID));
-int evResetIdleTimer __P((evContext, evTimerID, evTimerFunc, void *,
- struct timespec));
-int evTouchIdleTimer __P((evContext, evTimerID));
-
-/* ev_waits.c */
-#define evWaitFor __evWaitFor
-#define evDo __evDo
-#define evUnwait __evUnwait
-#define evDefer __evDefer
-
-int evWaitFor __P((evContext, const void *, evWaitFunc, void *, evWaitID *));
-int evDo __P((evContext, const void *));
-int evUnwait __P((evContext, evWaitID));
-int evDefer __P((evContext, evWaitFunc, void *));
-
-#ifdef __EVENTLIB_P_DEFINED
-# undef __P
-#endif
-
-#endif /*_EVENTLIB_H*/
diff --git a/contrib/bind9/lib/bind/include/isc/heap.h b/contrib/bind9/lib/bind/include/isc/heap.h
deleted file mode 100644
index 691c821d1e38..000000000000
--- a/contrib/bind9/lib/bind/include/isc/heap.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-typedef int (*heap_higher_priority_func)(void *, void *);
-typedef void (*heap_index_func)(void *, int);
-typedef void (*heap_for_each_func)(void *, void *);
-
-typedef struct heap_context {
- int array_size;
- int array_size_increment;
- int heap_size;
- void **heap;
- heap_higher_priority_func higher_priority;
- heap_index_func index;
-} *heap_context;
-
-#define heap_new __heap_new
-#define heap_free __heap_free
-#define heap_insert __heap_insert
-#define heap_delete __heap_delete
-#define heap_increased __heap_increased
-#define heap_decreased __heap_decreased
-#define heap_element __heap_element
-#define heap_for_each __heap_for_each
-
-heap_context heap_new(heap_higher_priority_func, heap_index_func, int);
-int heap_free(heap_context);
-int heap_insert(heap_context, void *);
-int heap_delete(heap_context, int);
-int heap_increased(heap_context, int);
-int heap_decreased(heap_context, int);
-void * heap_element(heap_context, int);
-int heap_for_each(heap_context, heap_for_each_func, void *);
diff --git a/contrib/bind9/lib/bind/include/isc/irpmarshall.h b/contrib/bind9/lib/bind/include/isc/irpmarshall.h
deleted file mode 100644
index e672f97966cd..000000000000
--- a/contrib/bind9/lib/bind/include/isc/irpmarshall.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: irpmarshall.h,v 1.1.2.1.4.1 2004/03/09 08:33:31 marka Exp $
- */
-
-#ifndef _IRPMARSHALL_H_INCLUDED
-#define _IRPMARSHALL_H_INCLUDED
-
-/* Hide function names */
-#define irp_marshall_gr __irp_marshall_gr
-#define irp_marshall_ho __irp_marshall_ho
-#define irp_marshall_ne __irp_marshall_ne
-#define irp_marshall_ng __irp_marshall_ng
-#define irp_marshall_nw __irp_marshall_nw
-#define irp_marshall_pr __irp_marshall_pr
-#define irp_marshall_pw __irp_marshall_pw
-#define irp_marshall_sv __irp_marshall_sv
-#define irp_unmarshall_gr __irp_unmarshall_gr
-#define irp_unmarshall_ho __irp_unmarshall_ho
-#define irp_unmarshall_ne __irp_unmarshall_ne
-#define irp_unmarshall_ng __irp_unmarshall_ng
-#define irp_unmarshall_nw __irp_unmarshall_nw
-#define irp_unmarshall_pr __irp_unmarshall_pr
-#define irp_unmarshall_pw __irp_unmarshall_pw
-#define irp_unmarshall_sv __irp_unmarshall_sv
-
-#define MAXPADDRSIZE (sizeof "255.255.255.255" + 1)
-#define ADDR_T_STR(x) (x == AF_INET ? "AF_INET" :\
- (x == AF_INET6 ? "AF_INET6" : "UNKNOWN"))
-
-/* See comment below on usage */
-int irp_marshall_pw(const struct passwd *, char **, size_t *);
-int irp_unmarshall_pw(struct passwd *, char *);
-int irp_marshall_gr(const struct group *, char **, size_t *);
-int irp_unmarshall_gr(struct group *, char *);
-int irp_marshall_sv(const struct servent *, char **, size_t *);
-int irp_unmarshall_sv(struct servent *, char *);
-int irp_marshall_pr(struct protoent *, char **, size_t *);
-int irp_unmarshall_pr(struct protoent *, char *);
-int irp_marshall_ho(struct hostent *, char **, size_t *);
-int irp_unmarshall_ho(struct hostent *, char *);
-int irp_marshall_ng(const char *, const char *, const char *,
- char **, size_t *);
-int irp_unmarshall_ng(const char **, const char **, const char **, char *);
-int irp_marshall_nw(struct nwent *, char **, size_t *);
-int irp_unmarshall_nw(struct nwent *, char *);
-int irp_marshall_ne(struct netent *, char **, size_t *);
-int irp_unmarshall_ne(struct netent *, char *);
-
-/*
- * Functions to marshall and unmarshall various system data structures. We
- * use a printable ascii format that is as close to various system config
- * files as reasonable (e.g. /etc/passwd format).
- *
- * We are not forgiving with unmarhsalling misformatted buffers. In
- * particular whitespace in fields is not ignored. So a formatted password
- * entry "brister :1364:100:...." will yield a username of "brister "
- *
- * We potentially do a lot of mallocs to fill fields that are of type
- * (char **) like a hostent h_addr field. Building (for example) the
- * h_addr field and its associated addresses all in one buffer is
- * certainly possible, but not done here.
- *
- * The following description is true for all the marshalling functions:
- *
- */
-
-/* int irp_marshall_XX(struct yyyy *XX, char **buffer, size_t *len);
- *
- * The argument XX (of type struct passwd for example) is marshalled in the
- * buffer pointed at by *BUFFER, which is of length *LEN. Returns 0
- * on success and -1 on failure. Failure will occur if *LEN is
- * smaller than needed.
- *
- * If BUFFER is NULL, then *LEN is set to the size of the buffer
- * needed to marshall the data and no marshalling is actually done.
- *
- * If *BUFFER is NULL, then a buffer large enough will be allocated
- * with memget() and the size allocated will be stored in *LEN. An extra 2
- * bytes will be allocated for the client to append CRLF if wanted. The
- * value of *LEN will include these two bytes.
- *
- * All the marshalling functions produce a buffer with the fields
- * separated by colons (except for the hostent marshalling, which uses '@'
- * to separate fields). Fields that have multiple subfields (like the
- * gr_mem field in struct group) have their subparts separated by
- * commas.
- */
-
-/*
- * int irp_unmarshall_XX(struct YYYYY *XX, char *buffer);
- *
- * The unmashalling functions break apart the buffer and store the
- * values in the struct pointed to by XX. All pointer values inside
- * XX are allocated with malloc. All arrays of pointers have a NULL
- * as the last element.
- */
-
-#endif
diff --git a/contrib/bind9/lib/bind/include/isc/list.h b/contrib/bind9/lib/bind/include/isc/list.h
deleted file mode 100644
index ad574ac2b587..000000000000
--- a/contrib/bind9/lib/bind/include/isc/list.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef LIST_H
-#define LIST_H 1
-#include <isc/assertions.h>
-
-#define LIST(type) struct { type *head, *tail; }
-#define INIT_LIST(list) \
- do { (list).head = NULL; (list).tail = NULL; } while (0)
-
-#define LINK(type) struct { type *prev, *next; }
-#define INIT_LINK_TYPE(elt, link, type) \
- do { \
- (elt)->link.prev = (type *)(-1); \
- (elt)->link.next = (type *)(-1); \
- } while (0)
-#define INIT_LINK(elt, link) \
- INIT_LINK_TYPE(elt, link, void)
-#define LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1))
-
-#define HEAD(list) ((list).head)
-#define TAIL(list) ((list).tail)
-#define EMPTY(list) ((list).head == NULL)
-
-#define PREPEND(list, elt, link) \
- do { \
- INSIST(!LINKED(elt, link));\
- if ((list).head != NULL) \
- (list).head->link.prev = (elt); \
- else \
- (list).tail = (elt); \
- (elt)->link.prev = NULL; \
- (elt)->link.next = (list).head; \
- (list).head = (elt); \
- } while (0)
-
-#define APPEND(list, elt, link) \
- do { \
- INSIST(!LINKED(elt, link));\
- if ((list).tail != NULL) \
- (list).tail->link.next = (elt); \
- else \
- (list).head = (elt); \
- (elt)->link.prev = (list).tail; \
- (elt)->link.next = NULL; \
- (list).tail = (elt); \
- } while (0)
-
-#define UNLINK_TYPE(list, elt, link, type) \
- do { \
- INSIST(LINKED(elt, link));\
- if ((elt)->link.next != NULL) \
- (elt)->link.next->link.prev = (elt)->link.prev; \
- else \
- (list).tail = (elt)->link.prev; \
- if ((elt)->link.prev != NULL) \
- (elt)->link.prev->link.next = (elt)->link.next; \
- else \
- (list).head = (elt)->link.next; \
- INIT_LINK_TYPE(elt, link, type); \
- } while (0)
-#define UNLINK(list, elt, link) \
- UNLINK_TYPE(list, elt, link, void)
-
-#define PREV(elt, link) ((elt)->link.prev)
-#define NEXT(elt, link) ((elt)->link.next)
-
-#define INSERT_BEFORE(list, before, elt, link) \
- do { \
- INSIST(!LINKED(elt, link));\
- if ((before)->link.prev == NULL) \
- PREPEND(list, elt, link); \
- else { \
- (elt)->link.prev = (before)->link.prev; \
- (before)->link.prev = (elt); \
- (elt)->link.prev->link.next = (elt); \
- (elt)->link.next = (before); \
- } \
- } while (0)
-
-#define INSERT_AFTER(list, after, elt, link) \
- do { \
- INSIST(!LINKED(elt, link));\
- if ((after)->link.next == NULL) \
- APPEND(list, elt, link); \
- else { \
- (elt)->link.next = (after)->link.next; \
- (after)->link.next = (elt); \
- (elt)->link.next->link.prev = (elt); \
- (elt)->link.prev = (after); \
- } \
- } while (0)
-
-#define ENQUEUE(list, elt, link) APPEND(list, elt, link)
-#define DEQUEUE(list, elt, link) UNLINK(list, elt, link)
-
-#endif /* LIST_H */
diff --git a/contrib/bind9/lib/bind/include/isc/logging.h b/contrib/bind9/lib/bind/include/isc/logging.h
deleted file mode 100644
index 574fd8a25728..000000000000
--- a/contrib/bind9/lib/bind/include/isc/logging.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef LOGGING_H
-#define LOGGING_H
-
-#include <sys/types.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <unistd.h>
-
-#define log_critical (-5)
-#define log_error (-4)
-#define log_warning (-3)
-#define log_notice (-2)
-#define log_info (-1)
-#define log_debug(level) (level)
-
-typedef enum { log_syslog, log_file, log_null } log_channel_type;
-
-#define LOG_MAX_VERSIONS 99
-
-#define LOG_CLOSE_STREAM 0x0001
-#define LOG_TIMESTAMP 0x0002
-#define LOG_TRUNCATE 0x0004
-#define LOG_USE_CONTEXT_LEVEL 0x0008
-#define LOG_PRINT_LEVEL 0x0010
-#define LOG_REQUIRE_DEBUG 0x0020
-#define LOG_CHANNEL_BROKEN 0x0040
-#define LOG_PRINT_CATEGORY 0x0080
-#define LOG_CHANNEL_OFF 0x0100
-
-typedef struct log_context *log_context;
-typedef struct log_channel *log_channel;
-
-#define LOG_OPTION_DEBUG 0x01
-#define LOG_OPTION_LEVEL 0x02
-
-#define log_open_stream __log_open_stream
-#define log_close_stream __log_close_stream
-#define log_get_stream __log_get_stream
-#define log_get_filename __log_get_filename
-#define log_check_channel __log_check_channel
-#define log_check __log_check
-#define log_vwrite __log_vwrite
-#define log_write __log_write
-#define log_new_context __log_new_context
-#define log_free_context __log_free_context
-#define log_add_channel __log_add_channel
-#define log_remove_channel __log_remove_channel
-#define log_option __log_option
-#define log_category_is_active __log_category_is_active
-#define log_new_syslog_channel __log_new_syslog_channel
-#define log_new_file_channel __log_new_file_channel
-#define log_set_file_owner __log_set_file_owner
-#define log_new_null_channel __log_new_null_channel
-#define log_inc_references __log_inc_references
-#define log_dec_references __log_dec_references
-#define log_get_channel_type __log_get_channel_type
-#define log_free_channel __log_free_channel
-#define log_close_debug_channels __log_close_debug_channels
-
-FILE * log_open_stream(log_channel);
-int log_close_stream(log_channel);
-FILE * log_get_stream(log_channel);
-char * log_get_filename(log_channel);
-int log_check_channel(log_context, int, log_channel);
-int log_check(log_context, int, int);
-#ifdef __GNUC__
-void log_vwrite(log_context, int, int, const char *,
- va_list args)
- __attribute__((__format__(__printf__, 4, 0)));
-void log_write(log_context, int, int, const char *, ...)
- __attribute__((__format__(__printf__, 4, 5)));
-#else
-void log_vwrite(log_context, int, int, const char *,
- va_list args);
-void log_write(log_context, int, int, const char *, ...);
-#endif
-int log_new_context(int, char **, log_context *);
-void log_free_context(log_context);
-int log_add_channel(log_context, int, log_channel);
-int log_remove_channel(log_context, int, log_channel);
-int log_option(log_context, int, int);
-int log_category_is_active(log_context, int);
-log_channel log_new_syslog_channel(unsigned int, int, int);
-log_channel log_new_file_channel(unsigned int, int, const char *,
- FILE *, unsigned int,
- unsigned long);
-int log_set_file_owner(log_channel, uid_t, gid_t);
-log_channel log_new_null_channel(void);
-int log_inc_references(log_channel);
-int log_dec_references(log_channel);
-log_channel_type log_get_channel_type(log_channel);
-int log_free_channel(log_channel);
-void log_close_debug_channels(log_context);
-
-#endif /* !LOGGING_H */
diff --git a/contrib/bind9/lib/bind/include/isc/memcluster.h b/contrib/bind9/lib/bind/include/isc/memcluster.h
deleted file mode 100644
index 11e1fa381d0e..000000000000
--- a/contrib/bind9/lib/bind/include/isc/memcluster.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef MEMCLUSTER_H
-#define MEMCLUSTER_H
-
-#include <stdio.h>
-
-#define meminit __meminit
-#ifdef MEMCLUSTER_DEBUG
-#define memget(s) __memget_debug(s, __FILE__, __LINE__)
-#define memput(p, s) __memput_debug(p, s, __FILE__, __LINE__)
-#else /*MEMCLUSTER_DEBUG*/
-#ifdef MEMCLUSTER_RECORD
-#define memget(s) __memget_record(s, __FILE__, __LINE__)
-#define memput(p, s) __memput_record(p, s, __FILE__, __LINE__)
-#else /*MEMCLUSTER_RECORD*/
-#define memget __memget
-#define memput __memput
-#endif /*MEMCLUSTER_RECORD*/
-#endif /*MEMCLUSTER_DEBUG*/
-#define memstats __memstats
-#define memactive __memactive
-
-int meminit(size_t, size_t);
-void * __memget(size_t);
-void __memput(void *, size_t);
-void * __memget_debug(size_t, const char *, int);
-void __memput_debug(void *, size_t, const char *, int);
-void * __memget_record(size_t, const char *, int);
-void __memput_record(void *, size_t, const char *, int);
-void memstats(FILE *);
-int memactive(void);
-
-#endif /* MEMCLUSTER_H */
diff --git a/contrib/bind9/lib/bind/include/isc/misc.h b/contrib/bind9/lib/bind/include/isc/misc.h
deleted file mode 100644
index b08b02d2890e..000000000000
--- a/contrib/bind9/lib/bind/include/isc/misc.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: misc.h,v 1.2.2.1.4.1 2004/03/09 08:33:31 marka Exp $
- */
-
-#ifndef _ISC_MISC_H
-#define _ISC_MISC_H
-
-#include <stdio.h>
-
-#define bitncmp __bitncmp
-/*#define isc_movefile __isc_movefile */
-
-extern int bitncmp(const void *, const void *, int);
-extern int isc_movefile(const char *, const char *);
-
-extern int isc_gethexstring(unsigned char *, size_t, int, FILE *,
- int *);
-extern void isc_puthexstring(FILE *, const unsigned char *, size_t,
- size_t, size_t, const char *);
-extern void isc_tohex(const unsigned char *, size_t, char *);
-
-#endif /*_ISC_MISC_H*/
diff --git a/contrib/bind9/lib/bind/include/isc/tree.h b/contrib/bind9/lib/bind/include/isc/tree.h
deleted file mode 100644
index 0572c407c89d..000000000000
--- a/contrib/bind9/lib/bind/include/isc/tree.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* tree.h - declare structures used by tree library
- *
- * vix 22jan93 [revisited; uses RCS, ANSI, POSIX; has bug fixes]
- * vix 27jun86 [broken out of tree.c]
- *
- * $Id: tree.h,v 1.1.2.1 2003/06/27 03:51:39 marka Exp $
- */
-
-
-#ifndef _TREE_H_INCLUDED
-#define _TREE_H_INCLUDED
-
-
-#ifndef __P
-# if defined(__STDC__) || defined(__GNUC__)
-# define __P(x) x
-# else
-# define __P(x) ()
-# endif
-#endif
-
-/*
- * tree_t is our package-specific anonymous pointer.
- */
-#if defined(__STDC__) || defined(__GNUC__)
-typedef void *tree_t;
-#else
-typedef char *tree_t;
-#endif
-
-/*
- * Do not taint namespace
- */
-#define tree_add __tree_add
-#define tree_delete __tree_delete
-#define tree_init __tree_init
-#define tree_mung __tree_mung
-#define tree_srch __tree_srch
-#define tree_trav __tree_trav
-
-
-typedef struct tree_s {
- tree_t data;
- struct tree_s *left, *right;
- short bal;
- }
- tree;
-
-
-void tree_init __P((tree **));
-tree_t tree_srch __P((tree **, int (*)(), tree_t));
-tree_t tree_add __P((tree **, int (*)(), tree_t, void (*)()));
-int tree_delete __P((tree **, int (*)(), tree_t, void (*)()));
-int tree_trav __P((tree **, int (*)()));
-void tree_mung __P((tree **, void (*)()));
-
-
-#endif /* _TREE_H_INCLUDED */
diff --git a/contrib/bind9/lib/bind/include/netdb.h b/contrib/bind9/lib/bind/include/netdb.h
deleted file mode 100644
index 48a382941c7b..000000000000
--- a/contrib/bind9/lib/bind/include/netdb.h
+++ /dev/null
@@ -1,552 +0,0 @@
-/*
- * ++Copyright++ 1980, 1983, 1988, 1993
- * -
- * Copyright (c) 1980, 1983, 1988, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- * -
- * Portions Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by WIDE Project and
- * its contributors.
- * 4. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * -
- * --Copyright--
- */
-
-/*
- * @(#)netdb.h 8.1 (Berkeley) 6/2/93
- * $Id: netdb.h,v 1.12.2.1.4.5 2004/11/30 01:15:42 marka Exp $
- */
-
-#ifndef _NETDB_H_
-#define _NETDB_H_
-
-#include <sys/param.h>
-#include <sys/types.h>
-#if (!defined(BSD)) || (BSD < 199306)
-# include <sys/bitypes.h>
-#endif
-#include <sys/cdefs.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <stdio.h>
-
-#ifndef _PATH_HEQUIV
-#define _PATH_HEQUIV "/etc/hosts.equiv"
-#endif
-#ifndef _PATH_HOSTS
-#define _PATH_HOSTS "/etc/hosts"
-#endif
-#ifndef _PATH_NETWORKS
-#define _PATH_NETWORKS "/etc/networks"
-#endif
-#ifndef _PATH_PROTOCOLS
-#define _PATH_PROTOCOLS "/etc/protocols"
-#endif
-#ifndef _PATH_SERVICES
-#define _PATH_SERVICES "/etc/services"
-#endif
-
-#if (__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
-#define __h_errno __h_errno_location
-#endif
-__BEGIN_DECLS
-extern int * __h_errno __P((void));
-__END_DECLS
-#if defined(_REENTRANT) || \
- (__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
-#define h_errno (*__h_errno())
-#else
-extern int h_errno;
-#endif
-
-/*
- * Structures returned by network data base library. All addresses are
- * supplied in host order, and returned in network order (suitable for
- * use in system calls).
- */
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-#define h_addr h_addr_list[0] /* address, for backward compatiblity */
-};
-
-/*
- * Assumption here is that a network number
- * fits in an unsigned long -- probably a poor one.
- */
-struct netent {
- char *n_name; /* official name of net */
- char **n_aliases; /* alias list */
- int n_addrtype; /* net address type */
- unsigned long n_net; /* network # */
-};
-
-struct servent {
- char *s_name; /* official service name */
- char **s_aliases; /* alias list */
- int s_port; /* port # */
- char *s_proto; /* protocol to use */
-};
-
-struct protoent {
- char *p_name; /* official protocol name */
- char **p_aliases; /* alias list */
- int p_proto; /* protocol # */
-};
-
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
-#if defined(sun) && defined(_SOCKLEN_T)
-#ifdef __sparc9
- int _ai_pad;
-#endif
- socklen_t ai_addrlen;
-#else
- size_t ai_addrlen; /* length of ai_addr */
-#endif
-#ifdef __linux
- struct sockaddr *ai_addr; /* binary address */
- char *ai_canonname; /* canonical name for hostname */
-#else
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
-#endif
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-
-/*
- * Error return codes from gethostbyname() and gethostbyaddr()
- * (left in extern int h_errno).
- */
-
-#define NETDB_INTERNAL -1 /* see errno */
-#define NETDB_SUCCESS 0 /* no problem */
-#define HOST_NOT_FOUND 1 /* Authoritative Answer Host not found */
-#define TRY_AGAIN 2 /* Non-Authoritive Host not found, or SERVERFAIL */
-#define NO_RECOVERY 3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define NO_DATA 4 /* Valid name, no data record of requested type */
-#define NO_ADDRESS NO_DATA /* no address, look for MX record */
-
-/*
- * Error return codes from getaddrinfo()
- */
-#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
-#define EAI_AGAIN 2 /* temporary failure in name resolution */
-#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
-#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
-#define EAI_FAMILY 5 /* ai_family not supported */
-#define EAI_MEMORY 6 /* memory allocation failure */
-#define EAI_NODATA 7 /* no address associated with hostname */
-#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
-#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
-#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
-#define EAI_SYSTEM 11 /* system error returned in errno */
-#define EAI_BADHINTS 12
-#define EAI_PROTOCOL 13
-#define EAI_MAX 14
-
-/*
- * Flag values for getaddrinfo()
- */
-#define AI_PASSIVE 0x00000001
-#define AI_CANONNAME 0x00000002
-#define AI_NUMERICHOST 0x00000004
-#define AI_MASK 0x00000007
-
-/*
- * Flag values for getipnodebyname()
- */
-#define AI_V4MAPPED 0x00000008
-#define AI_ALL 0x00000010
-#define AI_ADDRCONFIG 0x00000020
-#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG)
-
-/*
- * Constants for getnameinfo()
- */
-#define NI_MAXHOST 1025
-#define NI_MAXSERV 32
-
-/*
- * Flag values for getnameinfo()
- */
-#define NI_NOFQDN 0x00000001
-#define NI_NUMERICHOST 0x00000002
-#define NI_NAMEREQD 0x00000004
-#define NI_NUMERICSERV 0x00000008
-#define NI_DGRAM 0x00000010
-#define NI_WITHSCOPEID 0x00000020
-#define NI_NUMERICSCOPE 0x00000040
-
-/*
- * Scope delimit character
- */
-#define SCOPE_DELIMITER '%'
-
-
-#ifdef _REENTRANT
-#if defined (__hpux) || defined(__osf__) || defined(_AIX)
-#define _MAXALIASES 35
-#define _MAXLINELEN 1024
-#define _MAXADDRS 35
-#define _HOSTBUFSIZE (BUFSIZ + 1)
-
-struct hostent_data {
- struct in_addr host_addr;
- char *h_addr_ptrs[_MAXADDRS + 1];
- char hostaddr[_MAXADDRS];
- char hostbuf[_HOSTBUFSIZE];
- char *host_aliases[_MAXALIASES];
- char *host_addrs[2];
- FILE *hostf;
-#ifdef __osf__
- int svc_gethostflag;
- int svc_gethostbind;
-#endif
-#ifdef __hpux
- short _nsw_src;
- short _flags;
- char *current;
- int currentlen;
-#endif
-};
-
-struct netent_data {
- FILE *net_fp;
-#ifdef __osf__
- char line[_MAXLINELEN];
-#endif
-#ifdef __hpux
- char line[_MAXLINELEN+1];
-#endif
- char *net_aliases[_MAXALIASES];
-#ifdef __osf__
- int _net_stayopen;
- int svc_getnetflag;
-#endif
-#ifdef __hpux
- short _nsw_src;
- short _flags;
- char *current;
- int currentlen;
-#endif
-};
-
-struct protoent_data {
- FILE *proto_fp;
-#ifdef __osf__
- char line[1024];
-#endif
-#ifdef __hpux
- char line[_MAXLINELEN+1];
-#endif
- char *proto_aliases[_MAXALIASES];
-#ifdef __osf__
- int _proto_stayopen;
- int svc_getprotoflag;
-#endif
-#ifdef __hpux
- short _nsw_src;
- short _flags;
- char *current;
- int currentlen;
-#endif
-};
-
-struct servent_data {
- FILE *serv_fp;
-#ifdef __osf__
- char line[_MAXLINELEN];
-#endif
-#ifdef __hpux
- char line[_MAXLINELEN+1];
-#endif
- char *serv_aliases[_MAXALIASES];
-#ifdef __osf__
- int _serv_stayopen;
- int svc_getservflag;
-#endif
-#ifdef __hpux
- short _nsw_src;
- short _flags;
- char *current;
- int currentlen;
-#endif
-};
-#endif
-#endif
-__BEGIN_DECLS
-void endhostent __P((void));
-void endnetent __P((void));
-void endprotoent __P((void));
-void endservent __P((void));
-void freehostent __P((struct hostent *));
-struct hostent *gethostbyaddr __P((const char *, int, int));
-struct hostent *gethostbyname __P((const char *));
-struct hostent *gethostbyname2 __P((const char *, int));
-struct hostent *gethostent __P((void));
-struct hostent *getipnodebyaddr __P((const void *, size_t, int, int *));
-struct hostent *getipnodebyname __P((const char *, int, int, int *));
-struct netent *getnetbyaddr __P((unsigned long, int));
-struct netent *getnetbyname __P((const char *));
-struct netent *getnetent __P((void));
-struct protoent *getprotobyname __P((const char *));
-struct protoent *getprotobynumber __P((int));
-struct protoent *getprotoent __P((void));
-struct servent *getservbyname __P((const char *, const char *));
-struct servent *getservbyport __P((int, const char *));
-struct servent *getservent __P((void));
-void herror __P((const char *));
-const char *hstrerror __P((int));
-void sethostent __P((int));
-/* void sethostfile __P((const char *)); */
-void setnetent __P((int));
-void setprotoent __P((int));
-void setservent __P((int));
-int getaddrinfo __P((const char *, const char *,
- const struct addrinfo *, struct addrinfo **));
-int getnameinfo __P((const struct sockaddr *, size_t, char *,
- size_t, char *, size_t, int));
-void freeaddrinfo __P((struct addrinfo *));
-const char *gai_strerror __P((int));
-struct hostent *getipnodebyname __P((const char *, int, int, int *));
-struct hostent *getipnodebyaddr __P((const void *, size_t, int, int *));
-void freehostent __P((struct hostent *));
-#ifdef __GLIBC__
-int getnetgrent __P((/* const */ char **, /* const */ char **,
- /* const */ char **));
-void setnetgrent __P((const char *));
-void endnetgrent __P((void));
-int innetgr __P((const char *, const char *, const char *,
- const char *));
-#endif
-
-#ifdef _REENTRANT
-#if defined(__hpux) || defined(__osf__) || defined(_AIX)
-int gethostbyaddr_r __P((const char *, int, int, struct hostent *,
- struct hostent_data *));
-int gethostbyname_r __P((const char *, struct hostent *,
- struct hostent_data *));
-int gethostent_r __P((struct hostent *, struct hostent_data *));
-#if defined(_AIX)
-void sethostent_r __P((int, struct hostent_data *));
-#else
-int sethostent_r __P((int, struct hostent_data *));
-#endif
-#if defined(__hpux)
-int endhostent_r __P((struct hostent_data *));
-#else
-void endhostent_r __P((struct hostent_data *));
-#endif
-
-#if defined(__hpux) || defined(__osf__)
-int getnetbyaddr_r __P((int, int,
- struct netent *, struct netent_data *));
-#else
-int getnetbyaddr_r __P((long, int,
- struct netent *, struct netent_data *));
-#endif
-int getnetbyname_r __P((const char *,
- struct netent *, struct netent_data *));
-int getnetent_r __P((struct netent *, struct netent_data *));
-int setnetent_r __P((int, struct netent_data *));
-#ifdef __hpux
-int endnetent_r __P((struct netent_data *buffer));
-#else
-void endnetent_r __P((struct netent_data *buffer));
-#endif
-
-int getprotobyname_r __P((const char *,
- struct protoent *, struct protoent_data *));
-int getprotobynumber_r __P((int,
- struct protoent *, struct protoent_data *));
-int getprotoent_r __P((struct protoent *, struct protoent_data *));
-int setprotoent_r __P((int, struct protoent_data *));
-#ifdef __hpux
-int endprotoent_r __P((struct protoent_data *));
-#else
-void endprotoent_r __P((struct protoent_data *));
-#endif
-
-int getservbyname_r __P((const char *, const char *,
- struct servent *, struct servent_data *));
-int getservbyport_r __P((int, const char *,
- struct servent *, struct servent_data *));
-int getservent_r __P((struct servent *, struct servent_data *));
-int setservent_r __P((int, struct servent_data *));
-#ifdef __hpux
-int endservent_r __P((struct servent_data *));
-#else
-void endservent_r __P((struct servent_data *));
-#endif
-#else
- /* defined(sun) || defined(bsdi) */
-#ifdef __GLIBC__
-int gethostbyaddr_r __P((const char *, int, int, struct hostent *,
- char *, size_t, struct hostent **, int *));
-int gethostbyname_r __P((const char *, struct hostent *,
- char *, size_t, struct hostent **, int *));
-int gethostent_r __P((struct hostent *, char *, size_t,
- struct hostent **, int *));
-#else
-struct hostent *gethostbyaddr_r __P((const char *, int, int, struct hostent *,
- char *, int, int *));
-struct hostent *gethostbyname_r __P((const char *, struct hostent *,
- char *, int, int *));
-struct hostent *gethostent_r __P((struct hostent *, char *, int, int *));
-#endif
-void sethostent_r __P((int));
-void endhostent_r __P((void));
-
-#ifdef __GLIBC__
-int getnetbyname_r __P((const char *, struct netent *,
- char *, size_t, struct netent **, int*));
-int getnetbyaddr_r __P((unsigned long int, int, struct netent *,
- char *, size_t, struct netent **, int*));
-int getnetent_r __P((struct netent *, char *, size_t, struct netent **, int*));
-#else
-struct netent *getnetbyname_r __P((const char *, struct netent *,
- char *, int));
-struct netent *getnetbyaddr_r __P((long, int, struct netent *,
- char *, int));
-struct netent *getnetent_r __P((struct netent *, char *, int));
-#endif
-void setnetent_r __P((int));
-void endnetent_r __P((void));
-
-#ifdef __GLIBC__
-int getprotobyname_r __P((const char *, struct protoent *, char *,
- size_t, struct protoent **));
-int getprotobynumber_r __P((int, struct protoent *, char *, size_t,
- struct protoent **));
-int getprotoent_r __P((struct protoent *, char *, size_t, struct protoent **));
-#else
-struct protoent *getprotobyname_r __P((const char *,
- struct protoent *, char *, int));
-struct protoent *getprotobynumber_r __P((int,
- struct protoent *, char *, int));
-struct protoent *getprotoent_r __P((struct protoent *, char *, int));
-#endif
-void setprotoent_r __P((int));
-void endprotoent_r __P((void));
-
-#ifdef __GLIBC__
-int getservbyname_r __P((const char *name, const char *,
- struct servent *, char *, size_t, struct servent **));
-int getservbyport_r __P((int port, const char *,
- struct servent *, char *, size_t, struct servent **));
-int getservent_r __P((struct servent *, char *, size_t, struct servent **));
-#else
-struct servent *getservbyname_r __P((const char *name, const char *,
- struct servent *, char *, int));
-struct servent *getservbyport_r __P((int port, const char *,
- struct servent *, char *, int));
-struct servent *getservent_r __P((struct servent *, char *, int));
-#endif
-void setservent_r __P((int));
-void endservent_r __P((void));
-
-#ifdef __GLIBC__
-int getnetgrent_r __P((char **, char **, char **, char *, size_t));
-#endif
-#ifdef _AIX
-int setnetgrent_r __P((char *, void **));
-#endif
-
-#endif
-#endif
-__END_DECLS
-
-/* This is nec'y to make this include file properly replace the sun version. */
-#ifdef sun
-#ifdef __GNU_LIBRARY__
-#include <rpc/netdb.h>
-#else
-struct rpcent {
- char *r_name; /* name of server for this rpc program */
- char **r_aliases; /* alias list */
- int r_number; /* rpc program number */
-};
-struct rpcent *getrpcbyname(), *getrpcbynumber(), *getrpcent();
-#endif /* __GNU_LIBRARY__ */
-#endif /* sun */
-
-#endif /* !_NETDB_H_ */
diff --git a/contrib/bind9/lib/bind/include/netgroup.h b/contrib/bind9/lib/bind/include/netgroup.h
deleted file mode 100644
index 2296208c156b..000000000000
--- a/contrib/bind9/lib/bind/include/netgroup.h
+++ /dev/null
@@ -1,24 +0,0 @@
-#ifndef netgroup_h
-#define netgroup_h
-#ifndef __GLIBC__
-
-/*
- * The standard is crazy. These values "belong" to getnetgrent() and
- * shouldn't be altered by the caller.
- */
-int getnetgrent __P((/* const */ char **, /* const */ char **,
- /* const */ char **));
-
-int getnetgrent_r __P((char **, char **, char **, char *, int));
-
-void endnetgrent __P((void));
-
-#ifdef __osf__
-int innetgr __P((char *, char *, char *, char *));
-void setnetgrent __P((char *));
-#else
-void setnetgrent __P((const char *));
-int innetgr __P((const char *, const char *, const char *, const char *));
-#endif
-#endif
-#endif
diff --git a/contrib/bind9/lib/bind/include/res_update.h b/contrib/bind9/lib/bind/include/res_update.h
deleted file mode 100644
index 07a37f34c264..000000000000
--- a/contrib/bind9/lib/bind/include/res_update.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: res_update.h,v 1.1.206.1 2004/03/09 08:33:29 marka Exp $
- */
-
-#ifndef __RES_UPDATE_H
-#define __RES_UPDATE_H
-
-#include <sys/types.h>
-#include <arpa/nameser.h>
-#include <isc/list.h>
-#include <resolv.h>
-
-/*
- * This RR-like structure is particular to UPDATE.
- */
-struct ns_updrec {
- LINK(struct ns_updrec) r_link, r_glink;
- ns_sect r_section; /* ZONE/PREREQUISITE/UPDATE */
- char * r_dname; /* owner of the RR */
- ns_class r_class; /* class number */
- ns_type r_type; /* type number */
- u_int32_t r_ttl; /* time to live */
- u_char * r_data; /* rdata fields as text string */
- u_int r_size; /* size of r_data field */
- int r_opcode; /* type of operation */
- /* following fields for private use by the resolver/server routines */
- struct databuf *r_dp; /* databuf to process */
- struct databuf *r_deldp; /* databuf's deleted/overwritten */
- u_int r_zone; /* zone number on server */
-};
-typedef struct ns_updrec ns_updrec;
-typedef LIST(ns_updrec) ns_updque;
-
-#define res_mkupdate __res_mkupdate
-#define res_update __res_update
-#define res_mkupdrec __res_mkupdrec
-#define res_freeupdrec __res_freeupdrec
-#define res_nmkupdate __res_nmkupdate
-#define res_nupdate __res_nupdate
-
-int res_mkupdate __P((ns_updrec *, u_char *, int));
-int res_update __P((ns_updrec *));
-ns_updrec * res_mkupdrec __P((int, const char *, u_int, u_int, u_long));
-void res_freeupdrec __P((ns_updrec *));
-int res_nmkupdate __P((res_state, ns_updrec *, u_char *, int));
-int res_nupdate __P((res_state, ns_updrec *, ns_tsig_key *));
-
-#endif /*__RES_UPDATE_H*/
diff --git a/contrib/bind9/lib/bind/include/resolv.h b/contrib/bind9/lib/bind/include/resolv.h
deleted file mode 100644
index 87a95200bb95..000000000000
--- a/contrib/bind9/lib/bind/include/resolv.h
+++ /dev/null
@@ -1,506 +0,0 @@
-/*
- * Copyright (c) 1983, 1987, 1989
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * @(#)resolv.h 8.1 (Berkeley) 6/2/93
- * $Id: resolv.h,v 1.7.2.11.4.3 2005/08/25 04:44:13 marka Exp $
- */
-
-#ifndef _RESOLV_H_
-#define _RESOLV_H_
-
-#include <sys/param.h>
-#if (!defined(BSD)) || (BSD < 199306)
-# include <sys/bitypes.h>
-#else
-# include <sys/types.h>
-#endif
-#include <sys/cdefs.h>
-#include <sys/socket.h>
-#include <stdio.h>
-#include <arpa/nameser.h>
-
-/*
- * Revision information. This is the release date in YYYYMMDD format.
- * It can change every day so the right thing to do with it is use it
- * in preprocessor commands such as "#if (__RES > 19931104)". Do not
- * compare for equality; rather, use it to determine whether your resolver
- * is new enough to contain a certain feature.
- */
-
-#define __RES 20030124
-
-/*
- * This used to be defined in res_query.c, now it's in herror.c.
- * [XXX no it's not. It's in irs/irs_data.c]
- * It was
- * never extern'd by any *.h file before it was placed here. For thread
- * aware programs, the last h_errno value set is stored in res->h_errno.
- *
- * XXX: There doesn't seem to be a good reason for exposing RES_SET_H_ERRNO
- * (and __h_errno_set) to the public via <resolv.h>.
- * XXX: __h_errno_set is really part of IRS, not part of the resolver.
- * If somebody wants to build and use a resolver that doesn't use IRS,
- * what do they do? Perhaps something like
- * #ifdef WANT_IRS
- * # define RES_SET_H_ERRNO(r,x) __h_errno_set(r,x)
- * #else
- * # define RES_SET_H_ERRNO(r,x) (h_errno = (r)->res_h_errno = (x))
- * #endif
- */
-
-#define RES_SET_H_ERRNO(r,x) __h_errno_set(r,x)
-struct __res_state; /* forward */
-__BEGIN_DECLS
-void __h_errno_set(struct __res_state *res, int err);
-__END_DECLS
-
-/*
- * Resolver configuration file.
- * Normally not present, but may contain the address of the
- * initial name server(s) to query and the domain search list.
- */
-
-#ifndef _PATH_RESCONF
-#define _PATH_RESCONF "/etc/resolv.conf"
-#endif
-
-typedef enum { res_goahead, res_nextns, res_modified, res_done, res_error }
- res_sendhookact;
-
-#ifndef __PMT
-#if defined(__STDC__) || defined(__cplusplus)
-#define __PMT(args) args
-#else
-#define __PMT(args) ()
-#endif
-#endif
-
-typedef res_sendhookact (*res_send_qhook)__PMT((struct sockaddr * const *,
- const u_char **, int *,
- u_char *, int, int *));
-
-typedef res_sendhookact (*res_send_rhook)__PMT((const struct sockaddr *,
- const u_char *, int, u_char *,
- int, int *));
-
-struct res_sym {
- int number; /* Identifying number, like T_MX */
- const char * name; /* Its symbolic name, like "MX" */
- const char * humanname; /* Its fun name, like "mail exchanger" */
-};
-
-/*
- * Global defines and variables for resolver stub.
- */
-#define MAXNS 3 /* max # name servers we'll track */
-#define MAXDFLSRCH 3 /* # default domain levels to try */
-#define MAXDNSRCH 6 /* max # domains in search path */
-#define LOCALDOMAINPARTS 2 /* min levels in name that is "local" */
-
-#define RES_TIMEOUT 5 /* min. seconds between retries */
-#define MAXRESOLVSORT 10 /* number of net to sort on */
-#define RES_MAXNDOTS 15 /* should reflect bit field size */
-#define RES_MAXRETRANS 30 /* only for resolv.conf/RES_OPTIONS */
-#define RES_MAXRETRY 5 /* only for resolv.conf/RES_OPTIONS */
-#define RES_DFLRETRY 2 /* Default #/tries. */
-#define RES_MAXTIME 65535 /* Infinity, in milliseconds. */
-
-struct __res_state_ext;
-
-struct __res_state {
- int retrans; /* retransmission time interval */
- int retry; /* number of times to retransmit */
-#ifdef sun
- u_int options; /* option flags - see below. */
-#else
- u_long options; /* option flags - see below. */
-#endif
- int nscount; /* number of name servers */
- struct sockaddr_in
- nsaddr_list[MAXNS]; /* address of name server */
-#define nsaddr nsaddr_list[0] /* for backward compatibility */
- u_short id; /* current message id */
- char *dnsrch[MAXDNSRCH+1]; /* components of domain to search */
- char defdname[256]; /* default domain (deprecated) */
-#ifdef sun
- u_int pfcode; /* RES_PRF_ flags - see below. */
-#else
- u_long pfcode; /* RES_PRF_ flags - see below. */
-#endif
- unsigned ndots:4; /* threshold for initial abs. query */
- unsigned nsort:4; /* number of elements in sort_list[] */
- char unused[3];
- struct {
- struct in_addr addr;
- u_int32_t mask;
- } sort_list[MAXRESOLVSORT];
- res_send_qhook qhook; /* query hook */
- res_send_rhook rhook; /* response hook */
- int res_h_errno; /* last one set for this context */
- int _vcsock; /* PRIVATE: for res_send VC i/o */
- u_int _flags; /* PRIVATE: see below */
- u_int _pad; /* make _u 64 bit aligned */
- union {
- /* On an 32-bit arch this means 512b total. */
- char pad[72 - 4*sizeof (int) - 2*sizeof (void *)];
- struct {
- u_int16_t nscount;
- u_int16_t nstimes[MAXNS]; /* ms. */
- int nssocks[MAXNS];
- struct __res_state_ext *ext; /* extention for IPv6 */
- } _ext;
- } _u;
-};
-
-typedef struct __res_state *res_state;
-
-union res_sockaddr_union {
- struct sockaddr_in sin;
-#ifdef IN6ADDR_ANY_INIT
- struct sockaddr_in6 sin6;
-#endif
-#ifdef ISC_ALIGN64
- int64_t __align64; /* 64bit alignment */
-#else
- int32_t __align32; /* 32bit alignment */
-#endif
- char __space[128]; /* max size */
-};
-
-/*
- * Resolver flags (used to be discrete per-module statics ints).
- */
-#define RES_F_VC 0x00000001 /* socket is TCP */
-#define RES_F_CONN 0x00000002 /* socket is connected */
-#define RES_F_EDNS0ERR 0x00000004 /* EDNS0 caused errors */
-#define RES_F__UNUSED 0x00000008 /* (unused) */
-#define RES_F_LASTMASK 0x000000F0 /* ordinal server of last res_nsend */
-#define RES_F_LASTSHIFT 4 /* bit position of LASTMASK "flag" */
-#define RES_GETLAST(res) (((res)._flags & RES_F_LASTMASK) >> RES_F_LASTSHIFT)
-
-/* res_findzonecut2() options */
-#define RES_EXHAUSTIVE 0x00000001 /* always do all queries */
-#define RES_IPV4ONLY 0x00000002 /* IPv4 only */
-#define RES_IPV6ONLY 0x00000004 /* IPv6 only */
-
-/*
- * Resolver options (keep these in synch with res_debug.c, please)
- */
-#define RES_INIT 0x00000001 /* address initialized */
-#define RES_DEBUG 0x00000002 /* print debug messages */
-#define RES_AAONLY 0x00000004 /* authoritative answers only (!IMPL)*/
-#define RES_USEVC 0x00000008 /* use virtual circuit */
-#define RES_PRIMARY 0x00000010 /* query primary server only (!IMPL) */
-#define RES_IGNTC 0x00000020 /* ignore trucation errors */
-#define RES_RECURSE 0x00000040 /* recursion desired */
-#define RES_DEFNAMES 0x00000080 /* use default domain name */
-#define RES_STAYOPEN 0x00000100 /* Keep TCP socket open */
-#define RES_DNSRCH 0x00000200 /* search up local domain tree */
-#define RES_INSECURE1 0x00000400 /* type 1 security disabled */
-#define RES_INSECURE2 0x00000800 /* type 2 security disabled */
-#define RES_NOALIASES 0x00001000 /* shuts off HOSTALIASES feature */
-#define RES_USE_INET6 0x00002000 /* use/map IPv6 in gethostbyname() */
-#define RES_ROTATE 0x00004000 /* rotate ns list after each query */
-#define RES_NOCHECKNAME 0x00008000 /* do not check names for sanity. */
-#define RES_KEEPTSIG 0x00010000 /* do not strip TSIG records */
-#define RES_BLAST 0x00020000 /* blast all recursive servers */
-#define RES_NOTLDQUERY 0x00100000 /* don't unqualified name as a tld */
-#define RES_USE_DNSSEC 0x00200000 /* use DNSSEC using OK bit in OPT */
-/* #define RES_DEBUG2 0x00400000 */ /* nslookup internal */
-/* KAME extensions: use higher bit to avoid conflict with ISC use */
-#define RES_USE_DNAME 0x10000000 /* use DNAME */
-#define RES_USE_EDNS0 0x40000000 /* use EDNS0 if configured */
-#define RES_NO_NIBBLE2 0x80000000 /* disable alternate nibble lookup */
-
-#define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | \
- RES_DNSRCH | RES_NO_NIBBLE2)
-
-/*
- * Resolver "pfcode" values. Used by dig.
- */
-#define RES_PRF_STATS 0x00000001
-#define RES_PRF_UPDATE 0x00000002
-#define RES_PRF_CLASS 0x00000004
-#define RES_PRF_CMD 0x00000008
-#define RES_PRF_QUES 0x00000010
-#define RES_PRF_ANS 0x00000020
-#define RES_PRF_AUTH 0x00000040
-#define RES_PRF_ADD 0x00000080
-#define RES_PRF_HEAD1 0x00000100
-#define RES_PRF_HEAD2 0x00000200
-#define RES_PRF_TTLID 0x00000400
-#define RES_PRF_HEADX 0x00000800
-#define RES_PRF_QUERY 0x00001000
-#define RES_PRF_REPLY 0x00002000
-#define RES_PRF_INIT 0x00004000
-#define RES_PRF_TRUNC 0x00008000
-/* 0x00010000 */
-
-/* Things involving an internal (static) resolver context. */
-#ifdef _REENTRANT
-__BEGIN_DECLS
-extern struct __res_state *__res_state(void);
-__END_DECLS
-#define _res (*__res_state())
-#else
-#ifdef __linux
-__BEGIN_DECLS
-extern struct __res_state * __res_state(void);
-__END_DECLS
-#endif
-#ifndef __BIND_NOSTATIC
-extern struct __res_state _res;
-#endif
-#endif
-
-#ifndef __BIND_NOSTATIC
-#define fp_nquery __fp_nquery
-#define fp_query __fp_query
-#define hostalias __hostalias
-#define p_query __p_query
-#define res_close __res_close
-#define res_init __res_init
-#define res_isourserver __res_isourserver
-#define res_mkquery __res_mkquery
-#define res_query __res_query
-#define res_querydomain __res_querydomain
-#define res_search __res_search
-#define res_send __res_send
-#define res_sendsigned __res_sendsigned
-
-__BEGIN_DECLS
-void fp_nquery __P((const u_char *, int, FILE *));
-void fp_query __P((const u_char *, FILE *));
-const char * hostalias __P((const char *));
-void p_query __P((const u_char *));
-void res_close __P((void));
-int res_init __P((void));
-int res_isourserver __P((const struct sockaddr_in *));
-int res_mkquery __P((int, const char *, int, int, const u_char *,
- int, const u_char *, u_char *, int));
-int res_query __P((const char *, int, int, u_char *, int));
-int res_querydomain __P((const char *, const char *, int, int,
- u_char *, int));
-int res_search __P((const char *, int, int, u_char *, int));
-int res_send __P((const u_char *, int, u_char *, int));
-int res_sendsigned __P((const u_char *, int, ns_tsig_key *,
- u_char *, int));
-__END_DECLS
-#endif
-
-#if !defined(SHARED_LIBBIND) || defined(LIB)
-/*
- * If libbind is a shared object (well, DLL anyway)
- * these externs break the linker when resolv.h is
- * included by a lib client (like named)
- * Make them go away if a client is including this
- *
- */
-extern const struct res_sym __p_key_syms[];
-extern const struct res_sym __p_cert_syms[];
-extern const struct res_sym __p_class_syms[];
-extern const struct res_sym __p_type_syms[];
-extern const struct res_sym __p_rcode_syms[];
-#endif /* SHARED_LIBBIND */
-
-#define b64_ntop __b64_ntop
-#define b64_pton __b64_pton
-#define dn_comp __dn_comp
-#define dn_count_labels __dn_count_labels
-#define dn_expand __dn_expand
-#define dn_skipname __dn_skipname
-#define fp_resstat __fp_resstat
-#define loc_aton __loc_aton
-#define loc_ntoa __loc_ntoa
-#define p_cdname __p_cdname
-#define p_cdnname __p_cdnname
-#define p_class __p_class
-#define p_fqname __p_fqname
-#define p_fqnname __p_fqnname
-#define p_option __p_option
-#define p_secstodate __p_secstodate
-#define p_section __p_section
-#define p_time __p_time
-#define p_type __p_type
-#define p_rcode __p_rcode
-#define p_sockun __p_sockun
-#define putlong __putlong
-#define putshort __putshort
-#define res_dnok __res_dnok
-#define res_findzonecut __res_findzonecut
-#define res_findzonecut2 __res_findzonecut2
-#define res_hnok __res_hnok
-#define res_hostalias __res_hostalias
-#define res_mailok __res_mailok
-#define res_nameinquery __res_nameinquery
-#define res_nclose __res_nclose
-#define res_ninit __res_ninit
-#define res_nmkquery __res_nmkquery
-#define res_pquery __res_pquery
-#define res_nquery __res_nquery
-#define res_nquerydomain __res_nquerydomain
-#define res_nsearch __res_nsearch
-#define res_nsend __res_nsend
-#define res_nsendsigned __res_nsendsigned
-#define res_nisourserver __res_nisourserver
-#define res_ownok __res_ownok
-#define res_queriesmatch __res_queriesmatch
-#define res_randomid __res_randomid
-#define sym_ntop __sym_ntop
-#define sym_ntos __sym_ntos
-#define sym_ston __sym_ston
-#define res_nopt __res_nopt
-#define res_ndestroy __res_ndestroy
-#define res_nametoclass __res_nametoclass
-#define res_nametotype __res_nametotype
-#define res_setservers __res_setservers
-#define res_getservers __res_getservers
-#define res_buildprotolist __res_buildprotolist
-#define res_destroyprotolist __res_destroyprotolist
-#define res_destroyservicelist __res_destroyservicelist
-#define res_get_nibblesuffix __res_get_nibblesuffix
-#define res_get_nibblesuffix2 __res_get_nibblesuffix2
-#define res_ourserver_p __res_ourserver_p
-#define res_protocolname __res_protocolname
-#define res_protocolnumber __res_protocolnumber
-#define res_send_setqhook __res_send_setqhook
-#define res_send_setrhook __res_send_setrhook
-#define res_servicename __res_servicename
-#define res_servicenumber __res_servicenumber
-__BEGIN_DECLS
-int res_hnok __P((const char *));
-int res_ownok __P((const char *));
-int res_mailok __P((const char *));
-int res_dnok __P((const char *));
-int sym_ston __P((const struct res_sym *, const char *, int *));
-const char * sym_ntos __P((const struct res_sym *, int, int *));
-const char * sym_ntop __P((const struct res_sym *, int, int *));
-int b64_ntop __P((u_char const *, size_t, char *, size_t));
-int b64_pton __P((char const *, u_char *, size_t));
-int loc_aton __P((const char *, u_char *));
-const char * loc_ntoa __P((const u_char *, char *));
-int dn_skipname __P((const u_char *, const u_char *));
-void putlong __P((u_int32_t, u_char *));
-void putshort __P((u_int16_t, u_char *));
-#ifndef __ultrix__
-u_int16_t _getshort __P((const u_char *));
-u_int32_t _getlong __P((const u_char *));
-#endif
-const char * p_class __P((int));
-const char * p_time __P((u_int32_t));
-const char * p_type __P((int));
-const char * p_rcode __P((int));
-const char * p_sockun __P((union res_sockaddr_union, char *, size_t));
-const u_char * p_cdnname __P((const u_char *, const u_char *, int, FILE *));
-const u_char * p_cdname __P((const u_char *, const u_char *, FILE *));
-const u_char * p_fqnname __P((const u_char *, const u_char *,
- int, char *, int));
-const u_char * p_fqname __P((const u_char *, const u_char *, FILE *));
-const char * p_option __P((u_long));
-char * p_secstodate __P((u_long));
-int dn_count_labels __P((const char *));
-int dn_comp __P((const char *, u_char *, int,
- u_char **, u_char **));
-int dn_expand __P((const u_char *, const u_char *, const u_char *,
- char *, int));
-u_int res_randomid __P((void));
-int res_nameinquery __P((const char *, int, int, const u_char *,
- const u_char *));
-int res_queriesmatch __P((const u_char *, const u_char *,
- const u_char *, const u_char *));
-const char * p_section __P((int, int));
-/* Things involving a resolver context. */
-int res_ninit __P((res_state));
-int res_nisourserver __P((const res_state,
- const struct sockaddr_in *));
-void fp_resstat __P((const res_state, FILE *));
-void res_pquery __P((const res_state, const u_char *, int, FILE *));
-const char * res_hostalias __P((const res_state, const char *,
- char *, size_t));
-int res_nquery __P((res_state, const char *, int, int,
- u_char *, int));
-int res_nsearch __P((res_state, const char *, int, int, u_char *,
- int));
-int res_nquerydomain __P((res_state, const char *, const char *,
- int, int, u_char *, int));
-int res_nmkquery __P((res_state, int, const char *, int, int,
- const u_char *, int, const u_char *,
- u_char *, int));
-int res_nsend __P((res_state, const u_char *, int, u_char *, int));
-int res_nsendsigned __P((res_state, const u_char *, int,
- ns_tsig_key *, u_char *, int));
-int res_findzonecut __P((res_state, const char *, ns_class, int,
- char *, size_t, struct in_addr *, int));
-int res_findzonecut2 __P((res_state, const char *, ns_class, int,
- char *, size_t,
- union res_sockaddr_union *, int));
-void res_nclose __P((res_state));
-int res_nopt __P((res_state, int, u_char *, int, int));
-void res_send_setqhook __P((res_send_qhook));
-void res_send_setrhook __P((res_send_rhook));
-int __res_vinit __P((res_state, int));
-void res_destroyservicelist __P((void));
-const char * res_servicename __P((u_int16_t, const char *));
-const char * res_protocolname __P((int));
-void res_destroyprotolist __P((void));
-void res_buildprotolist __P((void));
-const char * res_get_nibblesuffix __P((res_state));
-const char * res_get_nibblesuffix2 __P((res_state));
-void res_ndestroy __P((res_state));
-u_int16_t res_nametoclass __P((const char *, int *));
-u_int16_t res_nametotype __P((const char *, int *));
-void res_setservers __P((res_state,
- const union res_sockaddr_union *, int));
-int res_getservers __P((res_state,
- union res_sockaddr_union *, int));
-__END_DECLS
-
-#endif /* !_RESOLV_H_ */
diff --git a/contrib/bind9/lib/bind/include/resolv_mt.h b/contrib/bind9/lib/bind/include/resolv_mt.h
deleted file mode 100644
index 27963a12077a..000000000000
--- a/contrib/bind9/lib/bind/include/resolv_mt.h
+++ /dev/null
@@ -1,47 +0,0 @@
-#ifndef _RESOLV_MT_H
-#define _RESOLV_MT_H
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-/* Access functions for the libresolv private interface */
-
-int __res_enable_mt(void);
-int __res_disable_mt(void);
-
-/* Per-thread context */
-
-typedef struct {
-int no_hosts_fallback_private;
-int retry_save;
-int retry_private;
-char inet_nsap_ntoa_tmpbuf[255*3];
-char sym_ntos_unname[20];
-char sym_ntop_unname[20];
-char p_option_nbuf[40];
-char p_time_nbuf[40];
-char precsize_ntoa_retbuf[sizeof "90000000.00"];
-char loc_ntoa_tmpbuf[sizeof
-"1000 60 60.000 N 1000 60 60.000 W -12345678.00m 90000000.00m 90000000.00m 90000000.00m"];
-char p_secstodate_output[15];
-} mtctxres_t;
-
-/* Thread-specific data (TSD) */
-
-mtctxres_t *___mtctxres(void);
-#define mtctxres (___mtctxres())
-
-/* Various static data that should be TSD */
-
-#define sym_ntos_unname (mtctxres->sym_ntos_unname)
-#define sym_ntop_unname (mtctxres->sym_ntop_unname)
-#define inet_nsap_ntoa_tmpbuf (mtctxres->inet_nsap_ntoa_tmpbuf)
-#define p_option_nbuf (mtctxres->p_option_nbuf)
-#define p_time_nbuf (mtctxres->p_time_nbuf)
-#define precsize_ntoa_retbuf (mtctxres->precsize_ntoa_retbuf)
-#define loc_ntoa_tmpbuf (mtctxres->loc_ntoa_tmpbuf)
-#define p_secstodate_output (mtctxres->p_secstodate_output)
-
-#endif /* _RESOLV_MT_H */
diff --git a/contrib/bind9/lib/bind/inet/Makefile.in b/contrib/bind9/lib/bind/inet/Makefile.in
deleted file mode 100644
index 96698fde7f8b..000000000000
--- a/contrib/bind9/lib/bind/inet/Makefile.in
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:13:23 marka Exp $
-
-srcdir= @srcdir@
-VPATH = @srcdir@
-
-OBJS= inet_addr.@O@ inet_cidr_ntop.@O@ inet_cidr_pton.@O@ inet_data.@O@ \
- inet_lnaof.@O@ inet_makeaddr.@O@ inet_net_ntop.@O@ inet_net_pton.@O@ \
- inet_neta.@O@ inet_netof.@O@ inet_network.@O@ inet_ntoa.@O@ \
- inet_ntop.@O@ inet_pton.@O@ nsap_addr.@O@
-
-SRCS= inet_addr.c inet_cidr_ntop.c inet_cidr_pton.c inet_data.c \
- inet_lnaof.c inet_makeaddr.c inet_net_ntop.c inet_net_pton.c \
- inet_neta.c inet_netof.c inet_network.c inet_ntoa.c \
- inet_ntop.c inet_pton.c nsap_addr.c
-
-TARGETS= ${OBJS}
-
-CINCLUDES= -I.. -I${srcdir}/../include
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/inet/inet_addr.c b/contrib/bind9/lib/bind/inet/inet_addr.c
deleted file mode 100644
index b967dc22039c..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_addr.c
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
- * Copyright (c) 1983, 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static const char rcsid[] = "$Id: inet_addr.c,v 1.2.206.2 2004/03/17 00:29:45 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-
-#include "port_after.h"
-
-/*
- * Ascii internet address interpretation routine.
- * The value returned is in network order.
- */
-u_long
-inet_addr(const char *cp) {
- struct in_addr val;
-
- if (inet_aton(cp, &val))
- return (val.s_addr);
- return (INADDR_NONE);
-}
-
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-inet_aton(const char *cp, struct in_addr *addr) {
- u_long val;
- int base, n;
- char c;
- u_int8_t parts[4];
- u_int8_t *pp = parts;
- int digit;
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!isdigit((unsigned char)c))
- return (0);
- val = 0; base = 10; digit = 0;
- if (c == '0') {
- c = *++cp;
- if (c == 'x' || c == 'X')
- base = 16, c = *++cp;
- else {
- base = 8;
- digit = 1 ;
- }
- }
- for (;;) {
- if (isascii(c) && isdigit((unsigned char)c)) {
- if (base == 8 && (c == '8' || c == '9'))
- return (0);
- val = (val * base) + (c - '0');
- c = *++cp;
- digit = 1;
- } else if (base == 16 && isascii(c) &&
- isxdigit((unsigned char)c)) {
- val = (val << 4) |
- (c + 10 - (islower((unsigned char)c) ? 'a' : 'A'));
- c = *++cp;
- digit = 1;
- } else
- break;
- }
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp >= parts + 3 || val > 0xffU)
- return (0);
- *pp++ = val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!isascii(c) || !isspace((unsigned char)c)))
- return (0);
- /*
- * Did we get a valid digit?
- */
- if (!digit)
- return (0);
- /*
- * Concoct the address according to
- * the number of parts specified.
- */
- n = pp - parts + 1;
- switch (n) {
- case 1: /* a -- 32 bits */
- break;
-
- case 2: /* a.b -- 8.24 bits */
- if (val > 0xffffffU)
- return (0);
- val |= parts[0] << 24;
- break;
-
- case 3: /* a.b.c -- 8.8.16 bits */
- if (val > 0xffffU)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16);
- break;
-
- case 4: /* a.b.c.d -- 8.8.8.8 bits */
- if (val > 0xffU)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
- break;
- }
- if (addr != NULL)
- addr->s_addr = htonl(val);
- return (1);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c b/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c
deleted file mode 100644
index 192cf1e752ef..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c
+++ /dev/null
@@ -1,261 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.1.8.3 2005/11/03 23:08:40 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-static char * inet_cidr_ntop_ipv4 __P((const u_char *src, int bits,
- char *dst, size_t size));
-static char * inet_cidr_ntop_ipv6 __P((const u_char *src, int bits,
- char *dst, size_t size));
-
-/*
- * char *
- * inet_cidr_ntop(af, src, bits, dst, size)
- * convert network address from network to presentation format.
- * "src"'s size is determined from its "af".
- * return:
- * pointer to dst, or NULL if an error occurred (check errno).
- * note:
- * 192.5.5.1/28 has a nonzero host part, which means it isn't a network
- * as called for by inet_net_ntop() but it can be a host address with
- * an included netmask.
- * author:
- * Paul Vixie (ISC), October 1998
- */
-char *
-inet_cidr_ntop(int af, const void *src, int bits, char *dst, size_t size) {
- switch (af) {
- case AF_INET:
- return (inet_cidr_ntop_ipv4(src, bits, dst, size));
- case AF_INET6:
- return (inet_cidr_ntop_ipv6(src, bits, dst, size));
- default:
- errno = EAFNOSUPPORT;
- return (NULL);
- }
-}
-
-static int
-decoct(const u_char *src, int bytes, char *dst, size_t size) {
- char *odst = dst;
- char *t;
- int b;
-
- for (b = 1; b <= bytes; b++) {
- if (size < sizeof "255.")
- return (0);
- t = dst;
- dst += SPRINTF((dst, "%u", *src++));
- if (b != bytes) {
- *dst++ = '.';
- *dst = '\0';
- }
- size -= (size_t)(dst - t);
- }
- return (dst - odst);
-}
-
-/*
- * static char *
- * inet_cidr_ntop_ipv4(src, bits, dst, size)
- * convert IPv4 network address from network to presentation format.
- * "src"'s size is determined from its "af".
- * return:
- * pointer to dst, or NULL if an error occurred (check errno).
- * note:
- * network byte order assumed. this means 192.5.5.240/28 has
- * 0b11110000 in its fourth octet.
- * author:
- * Paul Vixie (ISC), October 1998
- */
-static char *
-inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size) {
- char *odst = dst;
- size_t len = 4;
- size_t b;
- size_t bytes;
-
- if ((bits < -1) || (bits > 32)) {
- errno = EINVAL;
- return (NULL);
- }
-
- /* Find number of significant bytes in address. */
- if (bits == -1)
- len = 4;
- else
- for (len = 1, b = 1 ; b < 4U; b++)
- if (*(src + b))
- len = b + 1;
-
- /* Format whole octets plus nonzero trailing octets. */
- bytes = (((bits <= 0) ? 1 : bits) + 7) / 8;
- if (len > bytes)
- bytes = len;
- b = decoct(src, bytes, dst, size);
- if (b == 0U)
- goto emsgsize;
- dst += b;
- size -= b;
-
- if (bits != -1) {
- /* Format CIDR /width. */
- if (size < sizeof "/32")
- goto emsgsize;
- dst += SPRINTF((dst, "/%u", bits));
- }
-
- return (odst);
-
- emsgsize:
- errno = EMSGSIZE;
- return (NULL);
-}
-
-static char *
-inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
- /*
- * Note that int32_t and int16_t need only be "at least" large enough
- * to contain a value of the specified size. On some systems, like
- * Crays, there is no such thing as an integer variable with 16 bits.
- * Keep this in mind if you think this function should have been coded
- * to use pointer overlays. All the world's not a VAX.
- */
- char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255/128"];
- char *tp;
- struct { int base, len; } best, cur;
- u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
- int i;
-
- if ((bits < -1) || (bits > 128)) {
- errno = EINVAL;
- return (NULL);
- }
-
- /*
- * Preprocess:
- * Copy the input (bytewise) array into a wordwise array.
- * Find the longest run of 0x00's in src[] for :: shorthanding.
- */
- memset(words, '\0', sizeof words);
- for (i = 0; i < NS_IN6ADDRSZ; i++)
- words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
- best.base = -1;
- best.len = 0;
- cur.base = -1;
- cur.len = 0;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- if (words[i] == 0) {
- if (cur.base == -1)
- cur.base = i, cur.len = 1;
- else
- cur.len++;
- } else {
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- cur.base = -1;
- }
- }
- }
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- }
- if (best.base != -1 && best.len < 2)
- best.base = -1;
-
- /*
- * Format the result.
- */
- tp = tmp;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- /* Are we inside the best run of 0x00's? */
- if (best.base != -1 && i >= best.base &&
- i < (best.base + best.len)) {
- if (i == best.base)
- *tp++ = ':';
- continue;
- }
- /* Are we following an initial run of 0x00s or any real hex? */
- if (i != 0)
- *tp++ = ':';
- /* Is this address an encapsulated IPv4? */
- if (i == 6 && best.base == 0 && (best.len == 6 ||
- (best.len == 7 && words[7] != 0x0001) ||
- (best.len == 5 && words[5] == 0xffff))) {
- int n;
-
- if (src[15] || bits == -1 || bits > 120)
- n = 4;
- else if (src[14] || bits > 112)
- n = 3;
- else
- n = 2;
- n = decoct(src+12, n, tp, sizeof tmp - (tp - tmp));
- if (n == 0) {
- errno = EMSGSIZE;
- return (NULL);
- }
- tp += strlen(tp);
- break;
- }
- tp += SPRINTF((tp, "%x", words[i]));
- }
-
- /* Was it a trailing run of 0x00's? */
- if (best.base != -1 && (best.base + best.len) ==
- (NS_IN6ADDRSZ / NS_INT16SZ))
- *tp++ = ':';
- *tp = '\0';
-
- if (bits != -1)
- tp += SPRINTF((tp, "/%u", bits));
-
- /*
- * Check for overflow, copy, and we're done.
- */
- if ((size_t)(tp - tmp) > size) {
- errno = EMSGSIZE;
- return (NULL);
- }
- strcpy(dst, tmp);
- return (dst);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_cidr_pton.c b/contrib/bind9/lib/bind/inet/inet_cidr_pton.c
deleted file mode 100644
index 5bfef71ba721..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_cidr_pton.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.2.2.1.8.2 2004/03/17 00:29:46 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <isc/assertions.h>
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-static int inet_cidr_pton_ipv4 __P((const char *src, u_char *dst,
- int *bits, int ipv6));
-static int inet_cidr_pton_ipv6 __P((const char *src, u_char *dst,
- int *bits));
-
-static int getbits(const char *, int ipv6);
-
-/*
- * int
- * inet_cidr_pton(af, src, dst, *bits)
- * convert network address from presentation to network format.
- * accepts inet_pton()'s input for this "af" plus trailing "/CIDR".
- * "dst" is assumed large enough for its "af". "bits" is set to the
- * /CIDR prefix length, which can have defaults (like /32 for IPv4).
- * return:
- * -1 if an error occurred (inspect errno; ENOENT means bad format).
- * 0 if successful conversion occurred.
- * note:
- * 192.5.5.1/28 has a nonzero host part, which means it isn't a network
- * as called for by inet_net_pton() but it can be a host address with
- * an included netmask.
- * author:
- * Paul Vixie (ISC), October 1998
- */
-int
-inet_cidr_pton(int af, const char *src, void *dst, int *bits) {
- switch (af) {
- case AF_INET:
- return (inet_cidr_pton_ipv4(src, dst, bits, 0));
- case AF_INET6:
- return (inet_cidr_pton_ipv6(src, dst, bits));
- default:
- errno = EAFNOSUPPORT;
- return (-1);
- }
-}
-
-static const char digits[] = "0123456789";
-
-static int
-inet_cidr_pton_ipv4(const char *src, u_char *dst, int *pbits, int ipv6) {
- const u_char *odst = dst;
- int n, ch, tmp, bits;
- size_t size = 4;
-
- /* Get the mantissa. */
- while (ch = *src++, (isascii(ch) && isdigit(ch))) {
- tmp = 0;
- do {
- n = strchr(digits, ch) - digits;
- INSIST(n >= 0 && n <= 9);
- tmp *= 10;
- tmp += n;
- if (tmp > 255)
- goto enoent;
- } while ((ch = *src++) != '\0' && isascii(ch) && isdigit(ch));
- if (size-- == 0U)
- goto emsgsize;
- *dst++ = (u_char) tmp;
- if (ch == '\0' || ch == '/')
- break;
- if (ch != '.')
- goto enoent;
- }
-
- /* Get the prefix length if any. */
- bits = -1;
- if (ch == '/' && dst > odst) {
- bits = getbits(src, ipv6);
- if (bits == -2)
- goto enoent;
- } else if (ch != '\0')
- goto enoent;
-
- /* Prefix length can default to /32 only if all four octets spec'd. */
- if (bits == -1) {
- if (dst - odst == 4)
- bits = ipv6 ? 128 : 32;
- else
- goto enoent;
- }
-
- /* If nothing was written to the destination, we found no address. */
- if (dst == odst)
- goto enoent;
-
- /* If prefix length overspecifies mantissa, life is bad. */
- if (((bits - (ipv6 ? 96 : 0)) / 8) > (dst - odst))
- goto enoent;
-
- /* Extend address to four octets. */
- while (size-- > 0U)
- *dst++ = 0;
-
- *pbits = bits;
- return (0);
-
- enoent:
- errno = ENOENT;
- return (-1);
-
- emsgsize:
- errno = EMSGSIZE;
- return (-1);
-}
-
-static int
-inet_cidr_pton_ipv6(const char *src, u_char *dst, int *pbits) {
- static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
- u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
- const char *xdigits, *curtok;
- int ch, saw_xdigit;
- u_int val;
- int bits;
-
- memset((tp = tmp), '\0', NS_IN6ADDRSZ);
- endp = tp + NS_IN6ADDRSZ;
- colonp = NULL;
- /* Leading :: requires some special handling. */
- if (*src == ':')
- if (*++src != ':')
- return (0);
- curtok = src;
- saw_xdigit = 0;
- val = 0;
- bits = -1;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
- pch = strchr((xdigits = xdigits_u), ch);
- if (pch != NULL) {
- val <<= 4;
- val |= (pch - xdigits);
- if (val > 0xffff)
- return (0);
- saw_xdigit = 1;
- continue;
- }
- if (ch == ':') {
- curtok = src;
- if (!saw_xdigit) {
- if (colonp)
- return (0);
- colonp = tp;
- continue;
- } else if (*src == '\0') {
- return (0);
- }
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (u_char) (val >> 8) & 0xff;
- *tp++ = (u_char) val & 0xff;
- saw_xdigit = 0;
- val = 0;
- continue;
- }
- if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- inet_cidr_pton_ipv4(curtok, tp, &bits, 1) == 0) {
- tp += NS_INADDRSZ;
- saw_xdigit = 0;
- break; /* '\0' was seen by inet_pton4(). */
- }
- if (ch == '/') {
- bits = getbits(src, 1);
- if (bits == -2)
- goto enoent;
- break;
- }
- goto enoent;
- }
- if (saw_xdigit) {
- if (tp + NS_INT16SZ > endp)
- goto emsgsize;
- *tp++ = (u_char) (val >> 8) & 0xff;
- *tp++ = (u_char) val & 0xff;
- }
- if (colonp != NULL) {
- /*
- * Since some memmove()'s erroneously fail to handle
- * overlapping regions, we'll do the shift by hand.
- */
- const int n = tp - colonp;
- int i;
-
- if (tp == endp)
- goto enoent;
- for (i = 1; i <= n; i++) {
- endp[- i] = colonp[n - i];
- colonp[n - i] = 0;
- }
- tp = endp;
- }
-
- memcpy(dst, tmp, NS_IN6ADDRSZ);
-
- *pbits = bits;
- return (0);
-
- enoent:
- errno = ENOENT;
- return (-1);
-
- emsgsize:
- errno = EMSGSIZE;
- return (-1);
-}
-
-static int
-getbits(const char *src, int ipv6) {
- int bits = 0;
- char *cp, ch;
-
- if (*src == '\0') /* syntax */
- return (-2);
- do {
- ch = *src++;
- cp = strchr(digits, ch);
- if (cp == NULL) /* syntax */
- return (-2);
- bits *= 10;
- bits += cp - digits;
- if (bits == 0 && *src != '\0') /* no leading zeros */
- return (-2);
- if (bits > (ipv6 ? 128 : 32)) /* range error */
- return (-2);
- } while (*src != '\0');
-
- return (bits);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_data.c b/contrib/bind9/lib/bind/inet/inet_data.c
deleted file mode 100644
index e58629710a65..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_data.c
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: inet_data.c,v 1.2.206.1 2004/03/09 08:33:32 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "port_after.h"
-
-const struct in6_addr isc_in6addr_any = IN6ADDR_ANY_INIT;
-const struct in6_addr isc_in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
diff --git a/contrib/bind9/lib/bind/inet/inet_lnaof.c b/contrib/bind9/lib/bind/inet/inet_lnaof.c
deleted file mode 100644
index 97b80cffdb5b..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_lnaof.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)inet_lnaof.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "port_after.h"
-
-/*
- * Return the local network address portion of an
- * internet address; handles class a/b/c network
- * number formats.
- */
-u_long
-inet_lnaof(in)
- struct in_addr in;
-{
- register u_long i = ntohl(in.s_addr);
-
- if (IN_CLASSA(i))
- return ((i)&IN_CLASSA_HOST);
- else if (IN_CLASSB(i))
- return ((i)&IN_CLASSB_HOST);
- else
- return ((i)&IN_CLASSC_HOST);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_makeaddr.c b/contrib/bind9/lib/bind/inet/inet_makeaddr.c
deleted file mode 100644
index 6e4ecc37ccab..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_makeaddr.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)inet_makeaddr.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "port_after.h"
-
-/*
- * Formulate an Internet address from network + host. Used in
- * building addresses stored in the ifnet structure.
- */
-struct in_addr
-inet_makeaddr(net, host)
- u_long net, host;
-{
- struct in_addr a;
-
- if (net < 128U)
- a.s_addr = (net << IN_CLASSA_NSHIFT) | (host & IN_CLASSA_HOST);
- else if (net < 65536U)
- a.s_addr = (net << IN_CLASSB_NSHIFT) | (host & IN_CLASSB_HOST);
- else if (net < 16777216L)
- a.s_addr = (net << IN_CLASSC_NSHIFT) | (host & IN_CLASSC_HOST);
- else
- a.s_addr = net | host;
- a.s_addr = htonl(a.s_addr);
- return (a);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_net_ntop.c b/contrib/bind9/lib/bind/inet/inet_net_ntop.c
deleted file mode 100644
index f508629d617a..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_net_ntop.c
+++ /dev/null
@@ -1,277 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.1.8.1 2004/03/09 08:33:32 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-static char * inet_net_ntop_ipv4 __P((const u_char *src, int bits,
- char *dst, size_t size));
-static char * inet_net_ntop_ipv6 __P((const u_char *src, int bits,
- char *dst, size_t size));
-
-/*
- * char *
- * inet_net_ntop(af, src, bits, dst, size)
- * convert network number from network to presentation format.
- * generates CIDR style result always.
- * return:
- * pointer to dst, or NULL if an error occurred (check errno).
- * author:
- * Paul Vixie (ISC), July 1996
- */
-char *
-inet_net_ntop(af, src, bits, dst, size)
- int af;
- const void *src;
- int bits;
- char *dst;
- size_t size;
-{
- switch (af) {
- case AF_INET:
- return (inet_net_ntop_ipv4(src, bits, dst, size));
- case AF_INET6:
- return (inet_net_ntop_ipv6(src, bits, dst, size));
- default:
- errno = EAFNOSUPPORT;
- return (NULL);
- }
-}
-
-/*
- * static char *
- * inet_net_ntop_ipv4(src, bits, dst, size)
- * convert IPv4 network number from network to presentation format.
- * generates CIDR style result always.
- * return:
- * pointer to dst, or NULL if an error occurred (check errno).
- * note:
- * network byte order assumed. this means 192.5.5.240/28 has
- * 0b11110000 in its fourth octet.
- * author:
- * Paul Vixie (ISC), July 1996
- */
-static char *
-inet_net_ntop_ipv4(src, bits, dst, size)
- const u_char *src;
- int bits;
- char *dst;
- size_t size;
-{
- char *odst = dst;
- char *t;
- u_int m;
- int b;
-
- if (bits < 0 || bits > 32) {
- errno = EINVAL;
- return (NULL);
- }
-
- if (bits == 0) {
- if (size < sizeof "0")
- goto emsgsize;
- *dst++ = '0';
- size--;
- *dst = '\0';
- }
-
- /* Format whole octets. */
- for (b = bits / 8; b > 0; b--) {
- if (size <= sizeof "255.")
- goto emsgsize;
- t = dst;
- dst += SPRINTF((dst, "%u", *src++));
- if (b > 1) {
- *dst++ = '.';
- *dst = '\0';
- }
- size -= (size_t)(dst - t);
- }
-
- /* Format partial octet. */
- b = bits % 8;
- if (b > 0) {
- if (size <= sizeof ".255")
- goto emsgsize;
- t = dst;
- if (dst != odst)
- *dst++ = '.';
- m = ((1 << b) - 1) << (8 - b);
- dst += SPRINTF((dst, "%u", *src & m));
- size -= (size_t)(dst - t);
- }
-
- /* Format CIDR /width. */
- if (size <= sizeof "/32")
- goto emsgsize;
- dst += SPRINTF((dst, "/%u", bits));
- return (odst);
-
- emsgsize:
- errno = EMSGSIZE;
- return (NULL);
-}
-
-/*
- * static char *
- * inet_net_ntop_ipv6(src, bits, fakebits, dst, size)
- * convert IPv6 network number from network to presentation format.
- * generates CIDR style result always. Picks the shortest representation
- * unless the IP is really IPv4.
- * always prints specified number of bits (bits).
- * return:
- * pointer to dst, or NULL if an error occurred (check errno).
- * note:
- * network byte order assumed. this means 192.5.5.240/28 has
- * 0x11110000 in its fourth octet.
- * author:
- * Vadim Kogan (UCB), June 2001
- * Original version (IPv4) by Paul Vixie (ISC), July 1996
- */
-
-static char *
-inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
- u_int m;
- int b;
- int p;
- int zero_s, zero_l, tmp_zero_s, tmp_zero_l;
- int i;
- int is_ipv4 = 0;
- unsigned char inbuf[16];
- char outbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255/128")];
- char *cp;
- int words;
- u_char *s;
-
- if (bits < 0 || bits > 128) {
- errno = EINVAL;
- return (NULL);
- }
-
- cp = outbuf;
-
- if (bits == 0) {
- *cp++ = ':';
- *cp++ = ':';
- *cp = '\0';
- } else {
- /* Copy src to private buffer. Zero host part. */
- p = (bits + 7) / 8;
- memcpy(inbuf, src, p);
- memset(inbuf + p, 0, 16 - p);
- b = bits % 8;
- if (b != 0) {
- m = ~0 << (8 - b);
- inbuf[p-1] &= m;
- }
-
- s = inbuf;
-
- /* how many words need to be displayed in output */
- words = (bits + 15) / 16;
- if (words == 1)
- words = 2;
-
- /* Find the longest substring of zero's */
- zero_s = zero_l = tmp_zero_s = tmp_zero_l = 0;
- for (i = 0; i < (words * 2); i += 2) {
- if ((s[i] | s[i+1]) == 0) {
- if (tmp_zero_l == 0)
- tmp_zero_s = i / 2;
- tmp_zero_l++;
- } else {
- if (tmp_zero_l && zero_l < tmp_zero_l) {
- zero_s = tmp_zero_s;
- zero_l = tmp_zero_l;
- tmp_zero_l = 0;
- }
- }
- }
-
- if (tmp_zero_l && zero_l < tmp_zero_l) {
- zero_s = tmp_zero_s;
- zero_l = tmp_zero_l;
- }
-
- if (zero_l != words && zero_s == 0 && ((zero_l == 6) ||
- ((zero_l == 5 && s[10] == 0xff && s[11] == 0xff) ||
- ((zero_l == 7 && s[14] != 0 && s[15] != 1)))))
- is_ipv4 = 1;
-
- /* Format whole words. */
- for (p = 0; p < words; p++) {
- if (zero_l != 0 && p >= zero_s && p < zero_s + zero_l) {
- /* Time to skip some zeros */
- if (p == zero_s)
- *cp++ = ':';
- if (p == words - 1)
- *cp++ = ':';
- s++;
- s++;
- continue;
- }
-
- if (is_ipv4 && p > 5 ) {
- *cp++ = (p == 6) ? ':' : '.';
- cp += SPRINTF((cp, "%u", *s++));
- /* we can potentially drop the last octet */
- if (p != 7 || bits > 120) {
- *cp++ = '.';
- cp += SPRINTF((cp, "%u", *s++));
- }
- } else {
- if (cp != outbuf)
- *cp++ = ':';
- cp += SPRINTF((cp, "%x", *s * 256 + s[1]));
- s += 2;
- }
- }
- }
- /* Format CIDR /width. */
- SPRINTF((cp, "/%u", bits));
- if (strlen(outbuf) + 1 > size)
- goto emsgsize;
- strcpy(dst, outbuf);
-
- return (dst);
-
-emsgsize:
- errno = EMSGSIZE;
- return (NULL);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_net_pton.c b/contrib/bind9/lib/bind/inet/inet_net_pton.c
deleted file mode 100644
index abecfc79cd2c..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_net_pton.c
+++ /dev/null
@@ -1,405 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_net_pton.c,v 1.4.2.1.8.2 2004/03/17 00:29:47 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <isc/assertions.h>
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/*
- * static int
- * inet_net_pton_ipv4(src, dst, size)
- * convert IPv4 network number from presentation to network format.
- * accepts hex octets, hex strings, decimal octets, and /CIDR.
- * "size" is in bytes and describes "dst".
- * return:
- * number of bits, either imputed classfully or specified with /CIDR,
- * or -1 if some failure occurred (check errno). ENOENT means it was
- * not an IPv4 network specification.
- * note:
- * network byte order assumed. this means 192.5.5.240/28 has
- * 0b11110000 in its fourth octet.
- * author:
- * Paul Vixie (ISC), June 1996
- */
-static int
-inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) {
- static const char xdigits[] = "0123456789abcdef";
- static const char digits[] = "0123456789";
- int n, ch, tmp = 0, dirty, bits;
- const u_char *odst = dst;
-
- ch = *src++;
- if (ch == '0' && (src[0] == 'x' || src[0] == 'X')
- && isascii((unsigned char)(src[1]))
- && isxdigit((unsigned char)(src[1]))) {
- /* Hexadecimal: Eat nybble string. */
- if (size <= 0U)
- goto emsgsize;
- dirty = 0;
- src++; /* skip x or X. */
- while ((ch = *src++) != '\0' && isascii(ch) && isxdigit(ch)) {
- if (isupper(ch))
- ch = tolower(ch);
- n = strchr(xdigits, ch) - xdigits;
- INSIST(n >= 0 && n <= 15);
- if (dirty == 0)
- tmp = n;
- else
- tmp = (tmp << 4) | n;
- if (++dirty == 2) {
- if (size-- <= 0U)
- goto emsgsize;
- *dst++ = (u_char) tmp;
- dirty = 0;
- }
- }
- if (dirty) { /* Odd trailing nybble? */
- if (size-- <= 0U)
- goto emsgsize;
- *dst++ = (u_char) (tmp << 4);
- }
- } else if (isascii(ch) && isdigit(ch)) {
- /* Decimal: eat dotted digit string. */
- for (;;) {
- tmp = 0;
- do {
- n = strchr(digits, ch) - digits;
- INSIST(n >= 0 && n <= 9);
- tmp *= 10;
- tmp += n;
- if (tmp > 255)
- goto enoent;
- } while ((ch = *src++) != '\0' &&
- isascii(ch) && isdigit(ch));
- if (size-- <= 0U)
- goto emsgsize;
- *dst++ = (u_char) tmp;
- if (ch == '\0' || ch == '/')
- break;
- if (ch != '.')
- goto enoent;
- ch = *src++;
- if (!isascii(ch) || !isdigit(ch))
- goto enoent;
- }
- } else
- goto enoent;
-
- bits = -1;
- if (ch == '/' && isascii((unsigned char)(src[0])) &&
- isdigit((unsigned char)(src[0])) && dst > odst) {
- /* CIDR width specifier. Nothing can follow it. */
- ch = *src++; /* Skip over the /. */
- bits = 0;
- do {
- n = strchr(digits, ch) - digits;
- INSIST(n >= 0 && n <= 9);
- bits *= 10;
- bits += n;
- } while ((ch = *src++) != '\0' && isascii(ch) && isdigit(ch));
- if (ch != '\0')
- goto enoent;
- if (bits > 32)
- goto emsgsize;
- }
-
- /* Firey death and destruction unless we prefetched EOS. */
- if (ch != '\0')
- goto enoent;
-
- /* If nothing was written to the destination, we found no address. */
- if (dst == odst)
- goto enoent;
- /* If no CIDR spec was given, infer width from net class. */
- if (bits == -1) {
- if (*odst >= 240) /* Class E */
- bits = 32;
- else if (*odst >= 224) /* Class D */
- bits = 8;
- else if (*odst >= 192) /* Class C */
- bits = 24;
- else if (*odst >= 128) /* Class B */
- bits = 16;
- else /* Class A */
- bits = 8;
- /* If imputed mask is narrower than specified octets, widen. */
- if (bits < ((dst - odst) * 8))
- bits = (dst - odst) * 8;
- /*
- * If there are no additional bits specified for a class D
- * address adjust bits to 4.
- */
- if (bits == 8 && *odst == 224)
- bits = 4;
- }
- /* Extend network to cover the actual mask. */
- while (bits > ((dst - odst) * 8)) {
- if (size-- <= 0U)
- goto emsgsize;
- *dst++ = '\0';
- }
- return (bits);
-
- enoent:
- errno = ENOENT;
- return (-1);
-
- emsgsize:
- errno = EMSGSIZE;
- return (-1);
-}
-
-static int
-getbits(const char *src, int *bitsp) {
- static const char digits[] = "0123456789";
- int n;
- int val;
- char ch;
-
- val = 0;
- n = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- pch = strchr(digits, ch);
- if (pch != NULL) {
- if (n++ != 0 && val == 0) /* no leading zeros */
- return (0);
- val *= 10;
- val += (pch - digits);
- if (val > 128) /* range */
- return (0);
- continue;
- }
- return (0);
- }
- if (n == 0)
- return (0);
- *bitsp = val;
- return (1);
-}
-
-static int
-getv4(const char *src, u_char *dst, int *bitsp) {
- static const char digits[] = "0123456789";
- u_char *odst = dst;
- int n;
- u_int val;
- char ch;
-
- val = 0;
- n = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- pch = strchr(digits, ch);
- if (pch != NULL) {
- if (n++ != 0 && val == 0) /* no leading zeros */
- return (0);
- val *= 10;
- val += (pch - digits);
- if (val > 255) /* range */
- return (0);
- continue;
- }
- if (ch == '.' || ch == '/') {
- if (dst - odst > 3) /* too many octets? */
- return (0);
- *dst++ = val;
- if (ch == '/')
- return (getbits(src, bitsp));
- val = 0;
- n = 0;
- continue;
- }
- return (0);
- }
- if (n == 0)
- return (0);
- if (dst - odst > 3) /* too many octets? */
- return (0);
- *dst++ = val;
- return (1);
-}
-
-static int
-inet_net_pton_ipv6(const char *src, u_char *dst, size_t size) {
- static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
- u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
- const char *xdigits, *curtok;
- int ch, saw_xdigit;
- u_int val;
- int digits;
- int bits;
- size_t bytes;
- int words;
- int ipv4;
-
- memset((tp = tmp), '\0', NS_IN6ADDRSZ);
- endp = tp + NS_IN6ADDRSZ;
- colonp = NULL;
- /* Leading :: requires some special handling. */
- if (*src == ':')
- if (*++src != ':')
- goto enoent;
- curtok = src;
- saw_xdigit = 0;
- val = 0;
- digits = 0;
- bits = -1;
- ipv4 = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
- pch = strchr((xdigits = xdigits_u), ch);
- if (pch != NULL) {
- val <<= 4;
- val |= (pch - xdigits);
- if (++digits > 4)
- goto enoent;
- saw_xdigit = 1;
- continue;
- }
- if (ch == ':') {
- curtok = src;
- if (!saw_xdigit) {
- if (colonp)
- goto enoent;
- colonp = tp;
- continue;
- } else if (*src == '\0')
- goto enoent;
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (u_char) (val >> 8) & 0xff;
- *tp++ = (u_char) val & 0xff;
- saw_xdigit = 0;
- digits = 0;
- val = 0;
- continue;
- }
- if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- getv4(curtok, tp, &bits) > 0) {
- tp += NS_INADDRSZ;
- saw_xdigit = 0;
- ipv4 = 1;
- break; /* '\0' was seen by inet_pton4(). */
- }
- if (ch == '/' && getbits(src, &bits) > 0)
- break;
- goto enoent;
- }
- if (saw_xdigit) {
- if (tp + NS_INT16SZ > endp)
- goto enoent;
- *tp++ = (u_char) (val >> 8) & 0xff;
- *tp++ = (u_char) val & 0xff;
- }
- if (bits == -1)
- bits = 128;
-
- words = (bits + 15) / 16;
- if (words < 2)
- words = 2;
- if (ipv4)
- words = 8;
- endp = tmp + 2 * words;
-
- if (colonp != NULL) {
- /*
- * Since some memmove()'s erroneously fail to handle
- * overlapping regions, we'll do the shift by hand.
- */
- const int n = tp - colonp;
- int i;
-
- if (tp == endp)
- goto enoent;
- for (i = 1; i <= n; i++) {
- endp[- i] = colonp[n - i];
- colonp[n - i] = 0;
- }
- tp = endp;
- }
- if (tp != endp)
- goto enoent;
-
- bytes = (bits + 7) / 8;
- if (bytes > size)
- goto emsgsize;
- memcpy(dst, tmp, bytes);
- return (bits);
-
- enoent:
- errno = ENOENT;
- return (-1);
-
- emsgsize:
- errno = EMSGSIZE;
- return (-1);
-}
-
-/*
- * int
- * inet_net_pton(af, src, dst, size)
- * convert network number from presentation to network format.
- * accepts hex octets, hex strings, decimal octets, and /CIDR.
- * "size" is in bytes and describes "dst".
- * return:
- * number of bits, either imputed classfully or specified with /CIDR,
- * or -1 if some failure occurred (check errno). ENOENT means it was
- * not a valid network specification.
- * author:
- * Paul Vixie (ISC), June 1996
- */
-int
-inet_net_pton(int af, const char *src, void *dst, size_t size) {
- switch (af) {
- case AF_INET:
- return (inet_net_pton_ipv4(src, dst, size));
- case AF_INET6:
- return (inet_net_pton_ipv6(src, dst, size));
- default:
- errno = EAFNOSUPPORT;
- return (-1);
- }
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_neta.c b/contrib/bind9/lib/bind/inet/inet_neta.c
deleted file mode 100644
index 325b7ce814e3..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_neta.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_neta.c,v 1.1.206.1 2004/03/09 08:33:33 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/*
- * char *
- * inet_neta(src, dst, size)
- * format a u_long network number into presentation format.
- * return:
- * pointer to dst, or NULL if an error occurred (check errno).
- * note:
- * format of ``src'' is as for inet_network().
- * author:
- * Paul Vixie (ISC), July 1996
- */
-char *
-inet_neta(src, dst, size)
- u_long src;
- char *dst;
- size_t size;
-{
- char *odst = dst;
- char *tp;
-
- while (src & 0xffffffff) {
- u_char b = (src & 0xff000000) >> 24;
-
- src <<= 8;
- if (b) {
- if (size < sizeof "255.")
- goto emsgsize;
- tp = dst;
- dst += SPRINTF((dst, "%u", b));
- if (src != 0L) {
- *dst++ = '.';
- *dst = '\0';
- }
- size -= (size_t)(dst - tp);
- }
- }
- if (dst == odst) {
- if (size < sizeof "0.0.0.0")
- goto emsgsize;
- strcpy(dst, "0.0.0.0");
- }
- return (odst);
-
- emsgsize:
- errno = EMSGSIZE;
- return (NULL);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_netof.c b/contrib/bind9/lib/bind/inet/inet_netof.c
deleted file mode 100644
index e887530088a1..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_netof.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)inet_netof.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include "port_after.h"
-
-/*
- * Return the network number from an internet
- * address; handles class a/b/c network #'s.
- */
-u_long
-inet_netof(in)
- struct in_addr in;
-{
- register u_long i = ntohl(in.s_addr);
-
- if (IN_CLASSA(i))
- return (((i)&IN_CLASSA_NET) >> IN_CLASSA_NSHIFT);
- else if (IN_CLASSB(i))
- return (((i)&IN_CLASSB_NET) >> IN_CLASSB_NSHIFT);
- else
- return (((i)&IN_CLASSC_NET) >> IN_CLASSC_NSHIFT);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_network.c b/contrib/bind9/lib/bind/inet/inet_network.c
deleted file mode 100644
index aaa50c831578..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_network.c
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)inet_network.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <ctype.h>
-
-#include "port_after.h"
-
-/*
- * Internet network address interpretation routine.
- * The library routines call this routine to interpret
- * network numbers.
- */
-u_long
-inet_network(cp)
- register const char *cp;
-{
- register u_long val, base, n, i;
- register char c;
- u_long parts[4], *pp = parts;
- int digit;
-
-again:
- val = 0; base = 10; digit = 0;
- if (*cp == '0')
- digit = 1, base = 8, cp++;
- if (*cp == 'x' || *cp == 'X')
- base = 16, cp++;
- while ((c = *cp) != 0) {
- if (isdigit((unsigned char)c)) {
- if (base == 8U && (c == '8' || c == '9'))
- return (INADDR_NONE);
- val = (val * base) + (c - '0');
- cp++;
- digit = 1;
- continue;
- }
- if (base == 16U && isxdigit((unsigned char)c)) {
- val = (val << 4) +
- (c + 10 - (islower((unsigned char)c) ? 'a' : 'A'));
- cp++;
- digit = 1;
- continue;
- }
- break;
- }
- if (!digit)
- return (INADDR_NONE);
- if (*cp == '.') {
- if (pp >= parts + 4 || val > 0xffU)
- return (INADDR_NONE);
- *pp++ = val, cp++;
- goto again;
- }
- if (*cp && !isspace(*cp&0xff))
- return (INADDR_NONE);
- *pp++ = val;
- n = pp - parts;
- if (n > 4U)
- return (INADDR_NONE);
- for (val = 0, i = 0; i < n; i++) {
- val <<= 8;
- val |= parts[i] & 0xff;
- }
- return (val);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_ntoa.c b/contrib/bind9/lib/bind/inet/inet_ntoa.c
deleted file mode 100644
index 7fad4b8902a4..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_ntoa.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)inet_ntoa.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: inet_ntoa.c,v 1.1 2001/03/29 06:31:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include "port_after.h"
-
-/*
- * Convert network-format internet address
- * to base 256 d.d.d.d representation.
- */
-/*const*/ char *
-inet_ntoa(struct in_addr in) {
- static char ret[18];
-
- strcpy(ret, "[inet_ntoa error]");
- (void) inet_ntop(AF_INET, &in, ret, sizeof ret);
- return (ret);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_ntop.c b/contrib/bind9/lib/bind/inet/inet_ntop.c
deleted file mode 100644
index cd502ab75862..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_ntop.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_ntop.c,v 1.1.2.1.8.2 2005/11/03 23:08:40 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *inet_ntop4 __P((const u_char *src, char *dst, size_t size));
-static const char *inet_ntop6 __P((const u_char *src, char *dst, size_t size));
-
-/* char *
- * inet_ntop(af, src, dst, size)
- * convert a network format address to presentation format.
- * return:
- * pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
- * Paul Vixie, 1996.
- */
-const char *
-inet_ntop(af, src, dst, size)
- int af;
- const void *src;
- char *dst;
- size_t size;
-{
- switch (af) {
- case AF_INET:
- return (inet_ntop4(src, dst, size));
- case AF_INET6:
- return (inet_ntop6(src, dst, size));
- default:
- errno = EAFNOSUPPORT;
- return (NULL);
- }
- /* NOTREACHED */
-}
-
-/* const char *
- * inet_ntop4(src, dst, size)
- * format an IPv4 address
- * return:
- * `dst' (as a const)
- * notes:
- * (1) uses no statics
- * (2) takes a u_char* not an in_addr as input
- * author:
- * Paul Vixie, 1996.
- */
-static const char *
-inet_ntop4(src, dst, size)
- const u_char *src;
- char *dst;
- size_t size;
-{
- static const char fmt[] = "%u.%u.%u.%u";
- char tmp[sizeof "255.255.255.255"];
-
- if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
- return (dst);
-}
-
-/* const char *
- * inet_ntop6(src, dst, size)
- * convert IPv6 binary address into presentation (printable) format
- * author:
- * Paul Vixie, 1996.
- */
-static const char *
-inet_ntop6(src, dst, size)
- const u_char *src;
- char *dst;
- size_t size;
-{
- /*
- * Note that int32_t and int16_t need only be "at least" large enough
- * to contain a value of the specified size. On some systems, like
- * Crays, there is no such thing as an integer variable with 16 bits.
- * Keep this in mind if you think this function should have been coded
- * to use pointer overlays. All the world's not a VAX.
- */
- char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
- struct { int base, len; } best, cur;
- u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
- int i;
-
- /*
- * Preprocess:
- * Copy the input (bytewise) array into a wordwise array.
- * Find the longest run of 0x00's in src[] for :: shorthanding.
- */
- memset(words, '\0', sizeof words);
- for (i = 0; i < NS_IN6ADDRSZ; i++)
- words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
- best.base = -1;
- best.len = 0;
- cur.base = -1;
- cur.len = 0;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- if (words[i] == 0) {
- if (cur.base == -1)
- cur.base = i, cur.len = 1;
- else
- cur.len++;
- } else {
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- cur.base = -1;
- }
- }
- }
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- }
- if (best.base != -1 && best.len < 2)
- best.base = -1;
-
- /*
- * Format the result.
- */
- tp = tmp;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- /* Are we inside the best run of 0x00's? */
- if (best.base != -1 && i >= best.base &&
- i < (best.base + best.len)) {
- if (i == best.base)
- *tp++ = ':';
- continue;
- }
- /* Are we following an initial run of 0x00s or any real hex? */
- if (i != 0)
- *tp++ = ':';
- /* Is this address an encapsulated IPv4? */
- if (i == 6 && best.base == 0 && (best.len == 6 ||
- (best.len == 7 && words[7] != 0x0001) ||
- (best.len == 5 && words[5] == 0xffff))) {
- if (!inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
- return (NULL);
- tp += strlen(tp);
- break;
- }
- tp += SPRINTF((tp, "%x", words[i]));
- }
- /* Was it a trailing run of 0x00's? */
- if (best.base != -1 && (best.base + best.len) ==
- (NS_IN6ADDRSZ / NS_INT16SZ))
- *tp++ = ':';
- *tp++ = '\0';
-
- /*
- * Check for overflow, copy, and we're done.
- */
- if ((size_t)(tp - tmp) > size) {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
- return (dst);
-}
diff --git a/contrib/bind9/lib/bind/inet/inet_pton.c b/contrib/bind9/lib/bind/inet/inet_pton.c
deleted file mode 100644
index f18a7b64fde2..000000000000
--- a/contrib/bind9/lib/bind/inet/inet_pton.c
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: inet_pton.c,v 1.2.206.2 2005/07/28 07:43:18 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <string.h>
-#include <errno.h>
-#include "port_after.h"
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int inet_pton4 __P((const char *src, u_char *dst));
-static int inet_pton6 __P((const char *src, u_char *dst));
-
-/* int
- * inet_pton(af, src, dst)
- * convert from presentation format (which usually means ASCII printable)
- * to network format (which is usually some kind of binary format).
- * return:
- * 1 if the address was valid for the specified address family
- * 0 if the address wasn't valid (`dst' is untouched in this case)
- * -1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- * Paul Vixie, 1996.
- */
-int
-inet_pton(af, src, dst)
- int af;
- const char *src;
- void *dst;
-{
- switch (af) {
- case AF_INET:
- return (inet_pton4(src, dst));
- case AF_INET6:
- return (inet_pton6(src, dst));
- default:
- errno = EAFNOSUPPORT;
- return (-1);
- }
- /* NOTREACHED */
-}
-
-/* int
- * inet_pton4(src, dst)
- * like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- * 1 if `src' is a valid dotted quad, else 0.
- * notice:
- * does not touch `dst' unless it's returning 1.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton4(src, dst)
- const char *src;
- u_char *dst;
-{
- static const char digits[] = "0123456789";
- int saw_digit, octets, ch;
- u_char tmp[NS_INADDRSZ], *tp;
-
- saw_digit = 0;
- octets = 0;
- *(tp = tmp) = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr(digits, ch)) != NULL) {
- u_int new = *tp * 10 + (pch - digits);
-
- if (saw_digit && *tp == 0)
- return (0);
- if (new > 255)
- return (0);
- *tp = new;
- if (!saw_digit) {
- if (++octets > 4)
- return (0);
- saw_digit = 1;
- }
- } else if (ch == '.' && saw_digit) {
- if (octets == 4)
- return (0);
- *++tp = 0;
- saw_digit = 0;
- } else
- return (0);
- }
- if (octets < 4)
- return (0);
- memcpy(dst, tmp, NS_INADDRSZ);
- return (1);
-}
-
-/* int
- * inet_pton6(src, dst)
- * convert presentation level address to network order binary form.
- * return:
- * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- * (1) does not touch `dst' unless it's returning 1.
- * (2) :: in a full address is silently ignored.
- * credit:
- * inspired by Mark Andrews.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton6(src, dst)
- const char *src;
- u_char *dst;
-{
- static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
- u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
- const char *xdigits, *curtok;
- int ch, seen_xdigits;
- u_int val;
-
- memset((tp = tmp), '\0', NS_IN6ADDRSZ);
- endp = tp + NS_IN6ADDRSZ;
- colonp = NULL;
- /* Leading :: requires some special handling. */
- if (*src == ':')
- if (*++src != ':')
- return (0);
- curtok = src;
- seen_xdigits = 0;
- val = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
- pch = strchr((xdigits = xdigits_u), ch);
- if (pch != NULL) {
- val <<= 4;
- val |= (pch - xdigits);
- if (++seen_xdigits > 4)
- return (0);
- continue;
- }
- if (ch == ':') {
- curtok = src;
- if (!seen_xdigits) {
- if (colonp)
- return (0);
- colonp = tp;
- continue;
- } else if (*src == '\0') {
- return (0);
- }
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (u_char) (val >> 8) & 0xff;
- *tp++ = (u_char) val & 0xff;
- seen_xdigits = 0;
- val = 0;
- continue;
- }
- if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- inet_pton4(curtok, tp) > 0) {
- tp += NS_INADDRSZ;
- seen_xdigits = 0;
- break; /* '\0' was seen by inet_pton4(). */
- }
- return (0);
- }
- if (seen_xdigits) {
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (u_char) (val >> 8) & 0xff;
- *tp++ = (u_char) val & 0xff;
- }
- if (colonp != NULL) {
- /*
- * Since some memmove()'s erroneously fail to handle
- * overlapping regions, we'll do the shift by hand.
- */
- const int n = tp - colonp;
- int i;
-
- if (tp == endp)
- return (0);
- for (i = 1; i <= n; i++) {
- endp[- i] = colonp[n - i];
- colonp[n - i] = 0;
- }
- tp = endp;
- }
- if (tp != endp)
- return (0);
- memcpy(dst, tmp, NS_IN6ADDRSZ);
- return (1);
-}
diff --git a/contrib/bind9/lib/bind/inet/nsap_addr.c b/contrib/bind9/lib/bind/inet/nsap_addr.c
deleted file mode 100644
index a4b98e7c4a09..000000000000
--- a/contrib/bind9/lib/bind/inet/nsap_addr.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nsap_addr.c,v 1.2.206.2 2005/07/28 07:43:18 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <resolv.h>
-#include <resolv_mt.h>
-
-#include "port_after.h"
-
-static char
-xtob(int c) {
- return (c - (((c >= '0') && (c <= '9')) ? '0' : '7'));
-}
-
-u_int
-inet_nsap_addr(const char *ascii, u_char *binary, int maxlen) {
- u_char c, nib;
- u_int len = 0;
-
- if (ascii[0] != '0' || (ascii[1] != 'x' && ascii[1] != 'X'))
- return (0);
- ascii += 2;
-
- while ((c = *ascii++) != '\0' && len < (u_int)maxlen) {
- if (c == '.' || c == '+' || c == '/')
- continue;
- if (!isascii(c))
- return (0);
- if (islower(c))
- c = toupper(c);
- if (isxdigit(c)) {
- nib = xtob(c);
- c = *ascii++;
- if (c != '\0') {
- c = toupper(c);
- if (isxdigit(c)) {
- *binary++ = (nib << 4) | xtob(c);
- len++;
- } else
- return (0);
- }
- else
- return (0);
- }
- else
- return (0);
- }
- return (len);
-}
-
-char *
-inet_nsap_ntoa(int binlen, const u_char *binary, char *ascii) {
- int nib;
- int i;
- char *tmpbuf = inet_nsap_ntoa_tmpbuf;
- char *start;
-
- if (ascii)
- start = ascii;
- else {
- ascii = tmpbuf;
- start = tmpbuf;
- }
-
- *ascii++ = '0';
- *ascii++ = 'x';
-
- if (binlen > 255)
- binlen = 255;
-
- for (i = 0; i < binlen; i++) {
- nib = *binary >> 4;
- *ascii++ = nib + (nib < 10 ? '0' : '7');
- nib = *binary++ & 0x0f;
- *ascii++ = nib + (nib < 10 ? '0' : '7');
- if (((i % 2) == 0 && (i + 1) < binlen))
- *ascii++ = '.';
- }
- *ascii = '\0';
- return (start);
-}
diff --git a/contrib/bind9/lib/bind/irs/Makefile.in b/contrib/bind9/lib/bind/irs/Makefile.in
deleted file mode 100644
index 9695435ba66f..000000000000
--- a/contrib/bind9/lib/bind/irs/Makefile.in
+++ /dev/null
@@ -1,70 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.7.206.3 2004/12/07 00:38:35 marka Exp $
-
-srcdir= @srcdir@
-VPATH = @srcdir@
-
-WANT_IRS_THREADS_OBJS= gethostent_r.@O@ getnetent_r.@O@ getnetgrent_r.@O@ \
- getprotoent_r.@O@ getservent_r.@O@
-
-WANT_IRS_NISGR_OBJS= nis_gr.@O@
-WANT_IRS_GR_OBJS= dns_gr.@O@ irp_gr.@O@ lcl_gr.@O@ gen_gr.@O@ getgrent.@O@ \
- @WANT_IRS_NISGR_OBJS@ @WANT_IRS_THREADSGR_OBJS@
-
-WANT_IRS_THREADSPW_OBJS=getpwent_r.@O@
-WANT_IRS_NISPW_OBJS= nis_pw.@O@
-WANT_IRS_DBPW_OBJS=irp_pw.@O@ lcl_pw.@O@
-WANT_IRS_PW_OBJS= dns_pw.@O@ gen_pw.@O@ getpwent.@O@ \
- @WANT_IRS_DBPW_OBJS@ @WANT_IRS_NISPW_OBJS@ @WANT_IRS_THREADSPW_OBJS@
-
-WANT_IRS_NIS_OBJS= \
- nis_ho.@O@ nis_ng.@O@ nis_nw.@O@ nis_pr.@O@ nis_sv.@O@
-
-OBJS= @WANT_IRS_GR_OBJS@ @WANT_IRS_NIS_OBJS@ @WANT_IRS_THREADS_OBJS@ \
- @WANT_IRS_PW_OBJS@ \
- dns.@O@ dns_ho.@O@ dns_nw.@O@ dns_pr.@O@ \
- dns_sv.@O@ gai_strerror.@O@ gen.@O@ gen_ho.@O@ \
- gen_ng.@O@ gen_nw.@O@ gen_pr.@O@ gen_sv.@O@ \
- getaddrinfo.@O@ gethostent.@O@ \
- getnameinfo.@O@ getnetent.@O@ \
- getnetgrent.@O@ getprotoent.@O@ getservent.@O@ \
- hesiod.@O@ irp.@O@ irp_ho.@O@ irp_ng.@O@ irp_nw.@O@ \
- irp_pr.@O@ irp_sv.@O@ irpmarshall.@O@ irs_data.@O@ \
- lcl.@O@ lcl_ho.@O@ lcl_ng.@O@ lcl_nw.@O@ lcl_pr.@O@ \
- lcl_sv.@O@ nis.@O@ nul_ng.@O@ util.@O@
-
-SRCS= dns.c dns_gr.c dns_ho.c dns_nw.c dns_pr.c dns_pw.c \
- dns_sv.c gai_strerror.c gen.c gen_gr.c gen_ho.c \
- gen_ng.c gen_nw.c gen_pr.c gen_pw.c gen_sv.c \
- getaddrinfo.c getgrent.c gethostent.c \
- getnameinfo.c getnetent.c getnetent_r.c \
- getnetgrent.c getprotoent.c getpwent.c getservent.c \
- hesiod.c irp.c irp_gr.c irp_ho.c irp_ng.c irp_nw.c \
- irp_pr.c irp_pw.c irp_sv.c irpmarshall.c irs_data.c \
- lcl.c lcl_gr.c lcl_ho.c lcl_ng.c lcl_nw.c lcl_pr.c \
- lcl_pw.c lcl_sv.c nis.c nis_gr.c nis_ho.c nis_ng.c \
- nis_nw.c nis_pr.c nis_pw.c nis_sv.c nul_ng.c \
- util.c getgrent_r.c gethostent_r.c getnetgrent_r.c getprotoent_r.c \
- getpwent_r.c getservent_r.c
-
-WANT_IRS_THREADSGR_OBJS=getgrent_r.@O@
-
-TARGETS= ${OBJS}
-
-CINCLUDES= -I.. -I${srcdir}/../include
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/irs/dns.c b/contrib/bind9/lib/bind/irs/dns.c
deleted file mode 100644
index ab83b3e4a497..000000000000
--- a/contrib/bind9/lib/bind/irs/dns.c
+++ /dev/null
@@ -1,153 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns.c,v 1.1.206.2 2004/03/17 00:29:47 marka Exp $";
-#endif
-
-/*
- * dns.c --- this is the top-level accessor function for the dns
- */
-
-#include "port_before.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "hesiod.h"
-#include "dns_p.h"
-
-/* forward */
-
-static void dns_close(struct irs_acc *);
-static struct __res_state * dns_res_get(struct irs_acc *);
-static void dns_res_set(struct irs_acc *, struct __res_state *,
- void (*)(void *));
-
-/* public */
-
-struct irs_acc *
-irs_dns_acc(const char *options) {
- struct irs_acc *acc;
- struct dns_p *dns;
-
- UNUSED(options);
-
- if (!(acc = memget(sizeof *acc))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(acc, 0x5e, sizeof *acc);
- if (!(dns = memget(sizeof *dns))) {
- errno = ENOMEM;
- memput(acc, sizeof *acc);
- return (NULL);
- }
- memset(dns, 0x5e, sizeof *dns);
- dns->res = NULL;
- dns->free_res = NULL;
- if (hesiod_init(&dns->hes_ctx) < 0) {
- /*
- * We allow the dns accessor class to initialize
- * despite hesiod failing to initialize correctly,
- * since dns host queries don't depend on hesiod.
- */
- dns->hes_ctx = NULL;
- }
- acc->private = dns;
-#ifdef WANT_IRS_GR
- acc->gr_map = irs_dns_gr;
-#else
- acc->gr_map = NULL;
-#endif
-#ifdef WANT_IRS_PW
- acc->pw_map = irs_dns_pw;
-#else
- acc->pw_map = NULL;
-#endif
- acc->sv_map = irs_dns_sv;
- acc->pr_map = irs_dns_pr;
- acc->ho_map = irs_dns_ho;
- acc->nw_map = irs_dns_nw;
- acc->ng_map = irs_nul_ng;
- acc->res_get = dns_res_get;
- acc->res_set = dns_res_set;
- acc->close = dns_close;
- return (acc);
-}
-
-/* methods */
-static struct __res_state *
-dns_res_get(struct irs_acc *this) {
- struct dns_p *dns = (struct dns_p *)this->private;
-
- if (dns->res == NULL) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (res == NULL)
- return (NULL);
- memset(dns->res, 0, sizeof *dns->res);
- dns_res_set(this, res, free);
- }
-
- if ((dns->res->options & RES_INIT) == 0U &&
- res_ninit(dns->res) < 0)
- return (NULL);
-
- return (dns->res);
-}
-
-static void
-dns_res_set(struct irs_acc *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct dns_p *dns = (struct dns_p *)this->private;
-
- if (dns->res && dns->free_res) {
- res_nclose(dns->res);
- (*dns->free_res)(dns->res);
- }
- dns->res = res;
- dns->free_res = free_res;
-}
-
-static void
-dns_close(struct irs_acc *this) {
- struct dns_p *dns;
-
- dns = (struct dns_p *)this->private;
- if (dns->res && dns->free_res)
- (*dns->free_res)(dns->res);
- if (dns->hes_ctx)
- hesiod_end(dns->hes_ctx);
- memput(dns, sizeof *dns);
- memput(this, sizeof *this);
-}
-
diff --git a/contrib/bind9/lib/bind/irs/dns_gr.c b/contrib/bind9/lib/bind/irs/dns_gr.c
deleted file mode 100644
index a35b10ca0435..000000000000
--- a/contrib/bind9/lib/bind/irs/dns_gr.c
+++ /dev/null
@@ -1,293 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:34 marka Exp $";
-#endif
-
-/*
- * dns_gr.c --- this file contains the functions for accessing
- * group information from Hesiod.
- */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_GR
-static int __bind_irs_gr_unneeded;
-#else
-
-#include <sys/param.h>
-#include <sys/types.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "hesiod.h"
-#include "dns_p.h"
-
-/* Types. */
-
-struct pvt {
- /*
- * This is our private accessor data. It has a shared hesiod context.
- */
- struct dns_p * dns;
- /*
- * Need space to store the entries read from the group file.
- * The members list also needs space per member, and the
- * strings making up the user names must be allocated
- * somewhere. Rather than doing lots of small allocations,
- * we keep one buffer and resize it as needed.
- */
- struct group group;
- size_t nmemb; /* Malloc'd max index of gr_mem[]. */
- char * membuf;
- size_t membufsize;
-};
-
-/* Forward. */
-
-static struct group * gr_next(struct irs_gr *);
-static struct group * gr_byname(struct irs_gr *, const char *);
-static struct group * gr_bygid(struct irs_gr *, gid_t);
-static void gr_rewind(struct irs_gr *);
-static void gr_close(struct irs_gr *);
-static int gr_list(struct irs_gr *, const char *,
- gid_t, gid_t *, int *);
-static void gr_minimize(struct irs_gr *);
-static struct __res_state * gr_res_get(struct irs_gr *);
-static void gr_res_set(struct irs_gr *,
- struct __res_state *,
- void (*)(void *));
-
-static struct group * get_hes_group(struct irs_gr *this,
- const char *name,
- const char *type);
-
-/* Public. */
-
-struct irs_gr *
-irs_dns_gr(struct irs_acc *this) {
- struct dns_p *dns = (struct dns_p *)this->private;
- struct irs_gr *gr;
- struct pvt *pvt;
-
- if (!dns || !dns->hes_ctx) {
- errno = ENODEV;
- return (NULL);
- }
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->dns = dns;
- if (!(gr = memget(sizeof *gr))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(gr, 0x5e, sizeof *gr);
- gr->private = pvt;
- gr->next = gr_next;
- gr->byname = gr_byname;
- gr->bygid = gr_bygid;
- gr->rewind = gr_rewind;
- gr->close = gr_close;
- gr->list = gr_list;
- gr->minimize = gr_minimize;
- gr->res_get = gr_res_get;
- gr->res_set = gr_res_set;
- return (gr);
-}
-
-/* methods */
-
-static void
-gr_close(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->group.gr_mem)
- free(pvt->group.gr_mem);
- if (pvt->membuf)
- free(pvt->membuf);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct group *
-gr_next(struct irs_gr *this) {
-
- UNUSED(this);
-
- return (NULL);
-}
-
-static struct group *
-gr_byname(struct irs_gr *this, const char *name) {
- return (get_hes_group(this, name, "group"));
-}
-
-static struct group *
-gr_bygid(struct irs_gr *this, gid_t gid) {
- char name[32];
-
- sprintf(name, "%ld", (long)gid);
- return (get_hes_group(this, name, "gid"));
-}
-
-static void
-gr_rewind(struct irs_gr *this) {
-
- UNUSED(this);
-
- /* NOOP */
-}
-
-static int
-gr_list(struct irs_gr *this, const char *name,
- gid_t basegid, gid_t *groups, int *ngroups)
-{
- UNUSED(this);
- UNUSED(name);
- UNUSED(basegid);
- UNUSED(groups);
-
- *ngroups = 0;
- /* There's some way to do this in Hesiod. */
- return (-1);
-}
-
-static void
-gr_minimize(struct irs_gr *this) {
-
- UNUSED(this);
- /* NOOP */
-}
-
-/* Private. */
-
-static struct group *
-get_hes_group(struct irs_gr *this, const char *name, const char *type) {
- struct pvt *pvt = (struct pvt *)this->private;
- char **hes_list, *cp, **new;
- size_t num_members = 0;
- u_long t;
-
- hes_list = hesiod_resolve(pvt->dns->hes_ctx, name, type);
- if (!hes_list)
- return (NULL);
-
- /*
- * Copy the returned hesiod string into storage space.
- */
- if (pvt->membuf)
- free(pvt->membuf);
- pvt->membuf = strdup(*hes_list);
- hesiod_free_list(pvt->dns->hes_ctx, hes_list);
-
- cp = pvt->membuf;
- pvt->group.gr_name = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->group.gr_passwd = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- errno = 0;
- t = strtoul(cp, NULL, 10);
- if (errno == ERANGE)
- goto cleanup;
- pvt->group.gr_gid = (gid_t) t;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- cp++;
-
- /*
- * Parse the members out.
- */
- while (*cp) {
- if (num_members+1 >= pvt->nmemb || pvt->group.gr_mem == NULL) {
- pvt->nmemb += 10;
- new = realloc(pvt->group.gr_mem,
- pvt->nmemb * sizeof(char *));
- if (new == NULL)
- goto cleanup;
- pvt->group.gr_mem = new;
- }
- pvt->group.gr_mem[num_members++] = cp;
- if (!(cp = strchr(cp, ',')))
- break;
- *cp++ = '\0';
- }
- if (!pvt->group.gr_mem) {
- pvt->group.gr_mem = malloc(sizeof(char*));
- if (!pvt->group.gr_mem)
- goto cleanup;
- }
- pvt->group.gr_mem[num_members] = NULL;
-
- return (&pvt->group);
-
- cleanup:
- if (pvt->group.gr_mem) {
- free(pvt->group.gr_mem);
- pvt->group.gr_mem = NULL;
- }
- if (pvt->membuf) {
- free(pvt->membuf);
- pvt->membuf = NULL;
- }
- return (NULL);
-}
-
-static struct __res_state *
-gr_res_get(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- return (__hesiod_res_get(dns->hes_ctx));
-}
-
-static void
-gr_res_set(struct irs_gr *this, struct __res_state * res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- __hesiod_res_set(dns->hes_ctx, res, free_res);
-}
-
-#endif /* WANT_IRS_GR */
diff --git a/contrib/bind9/lib/bind/irs/dns_ho.c b/contrib/bind9/lib/bind/irs/dns_ho.c
deleted file mode 100644
index e8da61a0c1a8..000000000000
--- a/contrib/bind9/lib/bind/irs/dns_ho.c
+++ /dev/null
@@ -1,1149 +0,0 @@
-/*
- * Copyright (c) 1985, 1988, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* from gethostnamadr.c 8.1 (Berkeley) 6/4/93 */
-/* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.6 2005/10/11 00:48:14 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports. */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-#include <syslog.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "dns_p.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) sprintf x
-#endif
-
-/* Definitions. */
-
-#define MAXALIASES 35
-#define MAXADDRS 35
-
-#define MAXPACKET (65535) /* Maximum TCP message size */
-
-#define BOUNDS_CHECK(ptr, count) \
- if ((ptr) + (count) > eom) { \
- had_error++; \
- continue; \
- } else (void)0
-
-typedef union {
- HEADER hdr;
- u_char buf[MAXPACKET];
-} querybuf;
-
-struct dns_res_target {
- struct dns_res_target *next;
- querybuf qbuf; /* query buffer */
- u_char *answer; /* buffer to put answer */
- int anslen; /* size of answer buffer */
- int qclass, qtype; /* class and type of query */
- int action; /* condition whether query is really issued */
- char qname[MAXDNAME +1]; /* domain name */
-#if 0
- int n; /* result length */
-#endif
-};
-enum {RESTGT_DOALWAYS, RESTGT_AFTERFAILURE, RESTGT_IGNORE};
-enum {RESQRY_SUCCESS, RESQRY_FAIL};
-
-struct pvt {
- struct hostent host;
- char * h_addr_ptrs[MAXADDRS + 1];
- char * host_aliases[MAXALIASES];
- char hostbuf[8*1024];
- u_char host_addr[16]; /* IPv4 or IPv6 */
- struct __res_state *res;
- void (*free_res)(void *);
-};
-
-typedef union {
- int32_t al;
- char ac;
-} align;
-
-static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
-static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
-/* Note: the IPv6 loopback address is in the "tunnel" space */
-static const u_char v6local[] = { 0,0, 0,1 }; /* last 4 bytes of IPv6 addr */
-
-/* Forwards. */
-
-static void ho_close(struct irs_ho *this);
-static struct hostent * ho_byname(struct irs_ho *this, const char *name);
-static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
- int af);
-static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
- int len, int af);
-static struct hostent * ho_next(struct irs_ho *this);
-static void ho_rewind(struct irs_ho *this);
-static void ho_minimize(struct irs_ho *this);
-static struct __res_state * ho_res_get(struct irs_ho *this);
-static void ho_res_set(struct irs_ho *this,
- struct __res_state *res,
- void (*free_res)(void *));
-static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
- const struct addrinfo *pai);
-
-static void map_v4v6_hostent(struct hostent *hp, char **bp,
- char *ep);
-static void addrsort(res_state, char **, int);
-static struct hostent * gethostans(struct irs_ho *this,
- const u_char *ansbuf, int anslen,
- const char *qname, int qtype,
- int af, int size,
- struct addrinfo **ret_aip,
- const struct addrinfo *pai);
-static int add_hostent(struct pvt *pvt, char *bp, char **hap,
- struct addrinfo *ai);
-static int init(struct irs_ho *this);
-
-/* Exports. */
-
-struct irs_ho *
-irs_dns_ho(struct irs_acc *this) {
- struct irs_ho *ho;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
-
- if (!(ho = memget(sizeof *ho))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(ho, 0x5e, sizeof *ho);
- ho->private = pvt;
- ho->close = ho_close;
- ho->byname = ho_byname;
- ho->byname2 = ho_byname2;
- ho->byaddr = ho_byaddr;
- ho->next = ho_next;
- ho->rewind = ho_rewind;
- ho->minimize = ho_minimize;
- ho->res_get = ho_res_get;
- ho->res_set = ho_res_set;
- ho->addrinfo = ho_addrinfo;
- return (ho);
-}
-
-/* Methods. */
-
-static void
-ho_close(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- ho_minimize(this);
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
- if (pvt)
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct hostent *
-ho_byname(struct irs_ho *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *hp;
-
- if (init(this) == -1)
- return (NULL);
-
- if (pvt->res->options & RES_USE_INET6) {
- hp = ho_byname2(this, name, AF_INET6);
- if (hp)
- return (hp);
- }
- return (ho_byname2(this, name, AF_INET));
-}
-
-static struct hostent *
-ho_byname2(struct irs_ho *this, const char *name, int af)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *hp = NULL;
- int n, size;
- char tmp[NS_MAXDNAME];
- const char *cp;
- struct addrinfo ai;
- struct dns_res_target *q, *p;
- int querystate = RESQRY_FAIL;
-
- if (init(this) == -1)
- return (NULL);
-
- q = memget(sizeof(*q));
- if (q == NULL) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = ENOMEM;
- goto cleanup;
- }
- memset(q, 0, sizeof(q));
-
- switch (af) {
- case AF_INET:
- size = INADDRSZ;
- q->qclass = C_IN;
- q->qtype = T_A;
- q->answer = q->qbuf.buf;
- q->anslen = sizeof(q->qbuf);
- q->action = RESTGT_DOALWAYS;
- break;
- case AF_INET6:
- size = IN6ADDRSZ;
- q->qclass = C_IN;
- q->qtype = T_AAAA;
- q->answer = q->qbuf.buf;
- q->anslen = sizeof(q->qbuf);
- q->action = RESTGT_DOALWAYS;
- break;
- default:
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = EAFNOSUPPORT;
- hp = NULL;
- goto cleanup;
- }
-
- /*
- * if there aren't any dots, it could be a user-level alias.
- * this is also done in res_nquery() since we are not the only
- * function that looks up host names.
- */
- if (!strchr(name, '.') && (cp = res_hostalias(pvt->res, name,
- tmp, sizeof tmp)))
- name = cp;
-
- for (p = q; p; p = p->next) {
- switch(p->action) {
- case RESTGT_DOALWAYS:
- break;
- case RESTGT_AFTERFAILURE:
- if (querystate == RESQRY_SUCCESS)
- continue;
- break;
- case RESTGT_IGNORE:
- continue;
- }
-
- if ((n = res_nsearch(pvt->res, name, p->qclass, p->qtype,
- p->answer, p->anslen)) < 0) {
- querystate = RESQRY_FAIL;
- continue;
- }
-
- memset(&ai, 0, sizeof(ai));
- ai.ai_family = af;
- if ((hp = gethostans(this, p->answer, n, name, p->qtype,
- af, size, NULL,
- (const struct addrinfo *)&ai)) != NULL)
- goto cleanup; /* no more loop is necessary */
-
- querystate = RESQRY_FAIL;
- continue;
- }
-
- cleanup:
- if (q != NULL)
- memput(q, sizeof(*q));
- return(hp);
-}
-
-static struct hostent *
-ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- const u_char *uaddr = addr;
- char *qp;
- struct hostent *hp = NULL;
- struct addrinfo ai;
- struct dns_res_target *q, *q2, *p;
- int n, size, i;
- int querystate = RESQRY_FAIL;
-
- if (init(this) == -1)
- return (NULL);
-
- q = memget(sizeof(*q));
- q2 = memget(sizeof(*q2));
- if (q == NULL || q2 == NULL) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = ENOMEM;
- goto cleanup;
- }
- memset(q, 0, sizeof(q));
- memset(q2, 0, sizeof(q2));
-
- if (af == AF_INET6 && len == IN6ADDRSZ &&
- (!memcmp(uaddr, mapped, sizeof mapped) ||
- (!memcmp(uaddr, tunnelled, sizeof tunnelled) &&
- memcmp(&uaddr[sizeof tunnelled], v6local, sizeof(v6local))))) {
- /* Unmap. */
- addr = (const char *)addr + sizeof mapped;
- uaddr += sizeof mapped;
- af = AF_INET;
- len = INADDRSZ;
- }
- switch (af) {
- case AF_INET:
- size = INADDRSZ;
- q->qclass = C_IN;
- q->qtype = T_PTR;
- q->answer = q->qbuf.buf;
- q->anslen = sizeof(q->qbuf);
- q->action = RESTGT_DOALWAYS;
- break;
- case AF_INET6:
- size = IN6ADDRSZ;
- q->qclass = C_IN;
- q->qtype = T_PTR;
- q->answer = q->qbuf.buf;
- q->anslen = sizeof(q->qbuf);
- q->next = q2;
- q->action = RESTGT_DOALWAYS;
- q2->qclass = C_IN;
- q2->qtype = T_PTR;
- q2->answer = q2->qbuf.buf;
- q2->anslen = sizeof(q2->qbuf);
- if ((pvt->res->options & RES_NO_NIBBLE2) != 0U)
- q2->action = RESTGT_IGNORE;
- else
- q2->action = RESTGT_AFTERFAILURE;
- break;
- default:
- errno = EAFNOSUPPORT;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- hp = NULL;
- goto cleanup;
- }
- if (size > len) {
- errno = EINVAL;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- hp = NULL;
- goto cleanup;
- }
- switch (af) {
- case AF_INET:
- qp = q->qname;
- (void) sprintf(qp, "%u.%u.%u.%u.in-addr.arpa",
- (uaddr[3] & 0xff),
- (uaddr[2] & 0xff),
- (uaddr[1] & 0xff),
- (uaddr[0] & 0xff));
- break;
- case AF_INET6:
- if (q->action != RESTGT_IGNORE) {
- const char *nibsuff = res_get_nibblesuffix(pvt->res);
- qp = q->qname;
- for (n = IN6ADDRSZ - 1; n >= 0; n--) {
- i = SPRINTF((qp, "%x.%x.",
- uaddr[n] & 0xf,
- (uaddr[n] >> 4) & 0xf));
- if (i != 4)
- abort();
- qp += i;
- }
- if (strlen(q->qname) + strlen(nibsuff) + 1 >
- sizeof q->qname) {
- errno = ENAMETOOLONG;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- hp = NULL;
- goto cleanup;
- }
- strcpy(qp, nibsuff); /* (checked) */
- }
- if (q2->action != RESTGT_IGNORE) {
- const char *nibsuff2 = res_get_nibblesuffix2(pvt->res);
- qp = q2->qname;
- for (n = IN6ADDRSZ - 1; n >= 0; n--) {
- i = SPRINTF((qp, "%x.%x.",
- uaddr[n] & 0xf,
- (uaddr[n] >> 4) & 0xf));
- if (i != 4)
- abort();
- qp += i;
- }
- if (strlen(q2->qname) + strlen(nibsuff2) + 1 >
- sizeof q2->qname) {
- errno = ENAMETOOLONG;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- hp = NULL;
- goto cleanup;
- }
- strcpy(qp, nibsuff2); /* (checked) */
- }
- break;
- default:
- abort();
- }
-
- for (p = q; p; p = p->next) {
- switch(p->action) {
- case RESTGT_DOALWAYS:
- break;
- case RESTGT_AFTERFAILURE:
- if (querystate == RESQRY_SUCCESS)
- continue;
- break;
- case RESTGT_IGNORE:
- continue;
- }
-
- if ((n = res_nquery(pvt->res, p->qname, p->qclass, p->qtype,
- p->answer, p->anslen)) < 0) {
- querystate = RESQRY_FAIL;
- continue;
- }
-
- memset(&ai, 0, sizeof(ai));
- ai.ai_family = af;
- hp = gethostans(this, p->answer, n, p->qname, T_PTR, af, size,
- NULL, (const struct addrinfo *)&ai);
- if (!hp) {
- querystate = RESQRY_FAIL;
- continue;
- }
-
- memcpy(pvt->host_addr, addr, len);
- pvt->h_addr_ptrs[0] = (char *)pvt->host_addr;
- pvt->h_addr_ptrs[1] = NULL;
- if (af == AF_INET && (pvt->res->options & RES_USE_INET6)) {
- map_v4v6_address((char*)pvt->host_addr,
- (char*)pvt->host_addr);
- pvt->host.h_addrtype = AF_INET6;
- pvt->host.h_length = IN6ADDRSZ;
- }
-
- RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
- goto cleanup; /* no more loop is necessary. */
- }
- hp = NULL; /* H_ERRNO was set by subroutines */
-
- cleanup:
- if (q != NULL)
- memput(q, sizeof(*q));
- if (q2 != NULL)
- memput(q2, sizeof(*q2));
- return(hp);
-}
-
-static struct hostent *
-ho_next(struct irs_ho *this) {
-
- UNUSED(this);
-
- return (NULL);
-}
-
-static void
-ho_rewind(struct irs_ho *this) {
-
- UNUSED(this);
-
- /* NOOP */
-}
-
-static void
-ho_minimize(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res)
- res_nclose(pvt->res);
-}
-
-static struct __res_state *
-ho_res_get(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- ho_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-/* XXX */
-extern struct addrinfo *addr2addrinfo __P((const struct addrinfo *,
- const char *));
-
-static struct addrinfo *
-ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- int n;
- char tmp[NS_MAXDNAME];
- const char *cp;
- struct dns_res_target *q, *q2, *p;
- struct addrinfo sentinel, *cur;
- int querystate = RESQRY_FAIL;
-
- if (init(this) == -1)
- return (NULL);
-
- memset(&sentinel, 0, sizeof(sentinel));
- cur = &sentinel;
-
- q = memget(sizeof(*q));
- q2 = memget(sizeof(*q2));
- if (q == NULL || q2 == NULL) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = ENOMEM;
- goto cleanup;
- }
- memset(q, 0, sizeof(q2));
- memset(q2, 0, sizeof(q2));
-
- switch (pai->ai_family) {
- case AF_UNSPEC:
- /* prefer IPv6 */
- q->qclass = C_IN;
- q->qtype = T_AAAA;
- q->answer = q->qbuf.buf;
- q->anslen = sizeof(q->qbuf);
- q->next = q2;
- q->action = RESTGT_DOALWAYS;
- q2->qclass = C_IN;
- q2->qtype = T_A;
- q2->answer = q2->qbuf.buf;
- q2->anslen = sizeof(q2->qbuf);
- q2->action = RESTGT_DOALWAYS;
- break;
- case AF_INET:
- q->qclass = C_IN;
- q->qtype = T_A;
- q->answer = q->qbuf.buf;
- q->anslen = sizeof(q->qbuf);
- q->action = RESTGT_DOALWAYS;
- break;
- case AF_INET6:
- q->qclass = C_IN;
- q->qtype = T_AAAA;
- q->answer = q->qbuf.buf;
- q->anslen = sizeof(q->qbuf);
- q->action = RESTGT_DOALWAYS;
- break;
- default:
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* better error? */
- goto cleanup;
- }
-
- /*
- * if there aren't any dots, it could be a user-level alias.
- * this is also done in res_nquery() since we are not the only
- * function that looks up host names.
- */
- if (!strchr(name, '.') && (cp = res_hostalias(pvt->res, name,
- tmp, sizeof tmp)))
- name = cp;
-
- for (p = q; p; p = p->next) {
- struct addrinfo *ai;
-
- switch(p->action) {
- case RESTGT_DOALWAYS:
- break;
- case RESTGT_AFTERFAILURE:
- if (querystate == RESQRY_SUCCESS)
- continue;
- break;
- case RESTGT_IGNORE:
- continue;
- }
-
- if ((n = res_nsearch(pvt->res, name, p->qclass, p->qtype,
- p->answer, p->anslen)) < 0) {
- querystate = RESQRY_FAIL;
- continue;
- }
- (void)gethostans(this, p->answer, n, name, p->qtype,
- pai->ai_family, /* XXX: meaningless */
- 0, &ai, pai);
- if (ai) {
- querystate = RESQRY_SUCCESS;
- cur->ai_next = ai;
- while (cur && cur->ai_next)
- cur = cur->ai_next;
- }
- else
- querystate = RESQRY_FAIL;
- }
-
- cleanup:
- if (q != NULL)
- memput(q, sizeof(*q));
- if (q2 != NULL)
- memput(q2, sizeof(*q2));
- return(sentinel.ai_next);
-}
-
-static void
-ho_res_set(struct irs_ho *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-}
-
-/* Private. */
-
-static struct hostent *
-gethostans(struct irs_ho *this,
- const u_char *ansbuf, int anslen, const char *qname, int qtype,
- int af, int size, /* meaningless for addrinfo cases */
- struct addrinfo **ret_aip, const struct addrinfo *pai)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- int type, class, ancount, qdcount, n, haveanswer, had_error;
- int error = NETDB_SUCCESS;
- int (*name_ok)(const char *);
- const HEADER *hp;
- const u_char *eom;
- const u_char *eor;
- const u_char *cp;
- const char *tname;
- const char *hname;
- char *bp, *ep, **ap, **hap;
- char tbuf[MAXDNAME+1];
- struct addrinfo sentinel, *cur, ai;
-
- if (pai == NULL) abort();
- if (ret_aip != NULL)
- *ret_aip = NULL;
- memset(&sentinel, 0, sizeof(sentinel));
- cur = &sentinel;
-
- tname = qname;
- eom = ansbuf + anslen;
- switch (qtype) {
- case T_A:
- case T_AAAA:
- case T_ANY: /* use T_ANY only for T_A/T_AAAA lookup */
- name_ok = res_hnok;
- break;
- case T_PTR:
- name_ok = res_dnok;
- break;
- default:
- abort();
- }
-
- pvt->host.h_addrtype = af;
- pvt->host.h_length = size;
- hname = pvt->host.h_name = NULL;
-
- /*
- * Find first satisfactory answer.
- */
- if (ansbuf + HFIXEDSZ > eom) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- hp = (const HEADER *)ansbuf;
- ancount = ntohs(hp->ancount);
- qdcount = ntohs(hp->qdcount);
- bp = pvt->hostbuf;
- ep = pvt->hostbuf + sizeof(pvt->hostbuf);
- cp = ansbuf + HFIXEDSZ;
- if (qdcount != 1) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
- if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- cp += n + QFIXEDSZ;
- if (cp > eom) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- if (qtype == T_A || qtype == T_AAAA || qtype == T_ANY) {
- /* res_nsend() has already verified that the query name is the
- * same as the one we sent; this just gets the expanded name
- * (i.e., with the succeeding search-domain tacked on).
- */
- n = strlen(bp) + 1; /* for the \0 */
- if (n > MAXHOSTNAMELEN) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- pvt->host.h_name = bp;
- hname = bp;
- bp += n;
- /* The qname can be abbreviated, but hname is now absolute. */
- qname = pvt->host.h_name;
- }
- ap = pvt->host_aliases;
- *ap = NULL;
- pvt->host.h_aliases = pvt->host_aliases;
- hap = pvt->h_addr_ptrs;
- *hap = NULL;
- pvt->host.h_addr_list = pvt->h_addr_ptrs;
- haveanswer = 0;
- had_error = 0;
- while (ancount-- > 0 && cp < eom && !had_error) {
- n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
- if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
- had_error++;
- continue;
- }
- cp += n; /* name */
- BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
- type = ns_get16(cp);
- cp += INT16SZ; /* type */
- class = ns_get16(cp);
- cp += INT16SZ + INT32SZ; /* class, TTL */
- n = ns_get16(cp);
- cp += INT16SZ; /* len */
- BOUNDS_CHECK(cp, n);
- if (class != C_IN) {
- cp += n;
- continue;
- }
- eor = cp + n;
- if ((qtype == T_A || qtype == T_AAAA || qtype == T_ANY) &&
- type == T_CNAME) {
- if (haveanswer) {
- int level = LOG_CRIT;
-#ifdef LOG_SECURITY
- level |= LOG_SECURITY;
-#endif
- syslog(level,
- "gethostans: possible attempt to exploit buffer overflow while looking up %s",
- *qname ? qname : ".");
- }
- n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf);
- if (n < 0 || !maybe_ok(pvt->res, tbuf, name_ok)) {
- had_error++;
- continue;
- }
- cp += n;
- /* Store alias. */
- if (ap >= &pvt->host_aliases[MAXALIASES-1])
- continue;
- *ap++ = bp;
- n = strlen(bp) + 1; /* for the \0 */
- bp += n;
- /* Get canonical name. */
- n = strlen(tbuf) + 1; /* for the \0 */
- if (n > (ep - bp) || n > MAXHOSTNAMELEN) {
- had_error++;
- continue;
- }
- strcpy(bp, tbuf); /* (checked) */
- pvt->host.h_name = bp;
- hname = bp;
- bp += n;
- continue;
- }
- if (qtype == T_PTR && type == T_CNAME) {
- n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf);
- if (n < 0 || !maybe_dnok(pvt->res, tbuf)) {
- had_error++;
- continue;
- }
- cp += n;
-#ifdef RES_USE_DNAME
- if ((pvt->res->options & RES_USE_DNAME) != 0U)
-#endif
- {
- /*
- * We may be able to check this regardless
- * of the USE_DNAME bit, but we add the check
- * for now since the DNAME support is
- * experimental.
- */
- if (ns_samename(tname, bp) != 1)
- continue;
- }
- /* Get canonical name. */
- n = strlen(tbuf) + 1; /* for the \0 */
- if (n > (ep - bp)) {
- had_error++;
- continue;
- }
- strcpy(bp, tbuf); /* (checked) */
- tname = bp;
- bp += n;
- continue;
- }
- if (qtype == T_ANY) {
- if (!(type == T_A || type == T_AAAA)) {
- cp += n;
- continue;
- }
- } else if (type != qtype) {
- cp += n;
- continue;
- }
- switch (type) {
- case T_PTR:
- if (ret_aip != NULL) {
- /* addrinfo never needs T_PTR */
- cp += n;
- continue;
- }
- if (ns_samename(tname, bp) != 1) {
- cp += n;
- continue;
- }
- n = dn_expand(ansbuf, eor, cp, bp, ep - bp);
- if (n < 0 || !maybe_hnok(pvt->res, bp) ||
- n >= MAXHOSTNAMELEN) {
- had_error++;
- break;
- }
- cp += n;
- if (!haveanswer) {
- pvt->host.h_name = bp;
- hname = bp;
- }
- else if (ap < &pvt->host_aliases[MAXALIASES-1])
- *ap++ = bp;
- else
- n = -1;
- if (n != -1) {
- n = strlen(bp) + 1; /* for the \0 */
- bp += n;
- }
- break;
- case T_A:
- case T_AAAA:
- if (ns_samename(hname, bp) != 1) {
- cp += n;
- continue;
- }
- if (type == T_A && n != INADDRSZ) {
- cp += n;
- continue;
- }
- if (type == T_AAAA && n != IN6ADDRSZ) {
- cp += n;
- continue;
- }
-
- /* make addrinfo. don't overwrite constant PAI */
- ai = *pai;
- ai.ai_family = (type == T_AAAA) ? AF_INET6 : AF_INET;
- cur->ai_next = addr2addrinfo(
- (const struct addrinfo *)&ai,
- (const char *)cp);
- if (cur->ai_next == NULL)
- had_error++;
-
- if (!haveanswer) {
- int nn;
-
- nn = strlen(bp) + 1; /* for the \0 */
- if (nn >= MAXHOSTNAMELEN) {
- cp += n;
- had_error++;
- continue;
- }
- pvt->host.h_name = bp;
- hname = bp;
- bp += nn;
- }
- /* Ensure alignment. */
- bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
- ~(sizeof(align) - 1));
- /* Avoid overflows. */
- if (bp + n >= &pvt->hostbuf[sizeof pvt->hostbuf]) {
- had_error++;
- continue;
- }
- if (ret_aip) { /* need addrinfo. keep it. */
- while (cur && cur->ai_next)
- cur = cur->ai_next;
- } else if (cur->ai_next) { /* need hostent */
- struct addrinfo *aip = cur->ai_next;
-
- for (aip = cur->ai_next; aip;
- aip = aip->ai_next) {
- int m;
-
- m = add_hostent(pvt, bp, hap, aip);
- if (m < 0) {
- had_error++;
- break;
- }
- if (m == 0)
- continue;
- if (hap < &pvt->h_addr_ptrs[MAXADDRS-1])
- hap++;
- *hap = NULL;
- bp += m;
- }
-
- freeaddrinfo(cur->ai_next);
- cur->ai_next = NULL;
- }
- cp += n;
- break;
- default:
- abort();
- }
- if (!had_error)
- haveanswer++;
- }
- if (haveanswer) {
- if (ret_aip == NULL) {
- *ap = NULL;
- *hap = NULL;
-
- if (pvt->res->nsort && haveanswer > 1 && qtype == T_A)
- addrsort(pvt->res, pvt->h_addr_ptrs,
- haveanswer);
- if (pvt->host.h_name == NULL) {
- n = strlen(qname) + 1; /* for the \0 */
- if (n > (ep - bp) || n >= MAXHOSTNAMELEN)
- goto no_recovery;
- strcpy(bp, qname); /* (checked) */
- pvt->host.h_name = bp;
- bp += n;
- }
- if (pvt->res->options & RES_USE_INET6)
- map_v4v6_hostent(&pvt->host, &bp, ep);
- RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
- return (&pvt->host);
- } else {
- if ((pai->ai_flags & AI_CANONNAME) != 0) {
- if (pvt->host.h_name == NULL) {
- sentinel.ai_next->ai_canonname =
- strdup(qname);
- }
- else {
- sentinel.ai_next->ai_canonname =
- strdup(pvt->host.h_name);
- }
- }
- *ret_aip = sentinel.ai_next;
- return(NULL);
- }
- }
- no_recovery:
- if (sentinel.ai_next) {
- /* this should be impossible, but check it for safety */
- freeaddrinfo(sentinel.ai_next);
- }
- if (error == NETDB_SUCCESS)
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- else
- RES_SET_H_ERRNO(pvt->res, error);
- return(NULL);
-}
-
-static int
-add_hostent(struct pvt *pvt, char *bp, char **hap, struct addrinfo *ai)
-{
- int addrlen;
- char *addrp;
- const char **tap;
- char *obp = bp;
-
- switch(ai->ai_addr->sa_family) {
- case AF_INET6:
- addrlen = IN6ADDRSZ;
- addrp = (char *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
- break;
- case AF_INET:
- addrlen = INADDRSZ;
- addrp = (char *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr;
- break;
- default:
- return(-1); /* abort? */
- }
-
- /* Ensure alignment. */
- bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
- ~(sizeof(align) - 1));
- /* Avoid overflows. */
- if (bp + addrlen >= &pvt->hostbuf[sizeof pvt->hostbuf])
- return(-1);
- if (hap >= &pvt->h_addr_ptrs[MAXADDRS-1])
- return(0); /* fail, but not treat it as an error. */
-
- /* Suppress duplicates. */
- for (tap = (const char **)pvt->h_addr_ptrs;
- *tap != NULL;
- tap++)
- if (memcmp(*tap, addrp, addrlen) == 0)
- break;
- if (*tap != NULL)
- return (0);
-
- memcpy(*hap = bp, addrp, addrlen);
- return((bp + addrlen) - obp);
-}
-
-static void
-map_v4v6_hostent(struct hostent *hp, char **bpp, char *ep) {
- char **ap;
-
- if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ)
- return;
- hp->h_addrtype = AF_INET6;
- hp->h_length = IN6ADDRSZ;
- for (ap = hp->h_addr_list; *ap; ap++) {
- int i = (u_long)*bpp % sizeof(align);
-
- if (i != 0)
- i = sizeof(align) - i;
-
- if ((ep - *bpp) < (i + IN6ADDRSZ)) {
- /* Out of memory. Truncate address list here. */
- *ap = NULL;
- return;
- }
- *bpp += i;
- map_v4v6_address(*ap, *bpp);
- *ap = *bpp;
- *bpp += IN6ADDRSZ;
- }
-}
-
-static void
-addrsort(res_state statp, char **ap, int num) {
- int i, j, needsort = 0, aval[MAXADDRS];
- char **p;
-
- p = ap;
- for (i = 0; i < num; i++, p++) {
- for (j = 0 ; (unsigned)j < statp->nsort; j++)
- if (statp->sort_list[j].addr.s_addr ==
- (((struct in_addr *)(*p))->s_addr &
- statp->sort_list[j].mask))
- break;
- aval[i] = j;
- if (needsort == 0 && i > 0 && j < aval[i-1])
- needsort = i;
- }
- if (!needsort)
- return;
-
- while (needsort < num) {
- for (j = needsort - 1; j >= 0; j--) {
- if (aval[j] > aval[j+1]) {
- char *hp;
-
- i = aval[j];
- aval[j] = aval[j+1];
- aval[j+1] = i;
-
- hp = ap[j];
- ap[j] = ap[j+1];
- ap[j+1] = hp;
-
- } else
- break;
- }
- needsort++;
- }
-}
-
-static int
-init(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !ho_res_get(this))
- return (-1);
- if (((pvt->res->options & RES_INIT) == 0U) &&
- res_ninit(pvt->res) == -1)
- return (-1);
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/irs/dns_nw.c b/contrib/bind9/lib/bind/irs/dns_nw.c
deleted file mode 100644
index 8a5937dbb665..000000000000
--- a/contrib/bind9/lib/bind/irs/dns_nw.c
+++ /dev/null
@@ -1,589 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_nw.c,v 1.3.2.4.4.4 2004/09/16 00:57:34 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports. */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "dns_p.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) sprintf x
-#endif
-
-/* Definitions. */
-
-#define MAXALIASES 35
-
-#define MAXPACKET (64*1024)
-
-struct pvt {
- struct nwent net;
- char * ali[MAXALIASES];
- char buf[BUFSIZ+1];
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-typedef union {
- long al;
- char ac;
-} align;
-
-enum by_what { by_addr, by_name };
-
-/* Forwards. */
-
-static void nw_close(struct irs_nw *);
-static struct nwent * nw_byname(struct irs_nw *, const char *, int);
-static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
-static struct nwent * nw_next(struct irs_nw *);
-static void nw_rewind(struct irs_nw *);
-static void nw_minimize(struct irs_nw *);
-static struct __res_state * nw_res_get(struct irs_nw *this);
-static void nw_res_set(struct irs_nw *this,
- struct __res_state *res,
- void (*free_res)(void *));
-
-static struct nwent * get1101byaddr(struct irs_nw *, u_char *, int);
-static struct nwent * get1101byname(struct irs_nw *, const char *);
-static struct nwent * get1101answer(struct irs_nw *,
- u_char *ansbuf, int anslen,
- enum by_what by_what,
- int af, const char *name,
- const u_char *addr, int addrlen);
-static struct nwent * get1101mask(struct irs_nw *this, struct nwent *);
-static int make1101inaddr(const u_char *, int, char *, int);
-static void normalize_name(char *name);
-static int init(struct irs_nw *this);
-
-/* Exports. */
-
-struct irs_nw *
-irs_dns_nw(struct irs_acc *this) {
- struct irs_nw *nw;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(nw = memget(sizeof *nw))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(nw, 0x5e, sizeof *nw);
- nw->private = pvt;
- nw->close = nw_close;
- nw->byname = nw_byname;
- nw->byaddr = nw_byaddr;
- nw->next = nw_next;
- nw->rewind = nw_rewind;
- nw->minimize = nw_minimize;
- nw->res_get = nw_res_get;
- nw->res_set = nw_res_set;
- return (nw);
-}
-
-/* Methods. */
-
-static void
-nw_close(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- nw_minimize(this);
-
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct nwent *
-nw_byname(struct irs_nw *this, const char *name, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (init(this) == -1)
- return (NULL);
-
- switch (af) {
- case AF_INET:
- return (get1101byname(this, name));
- default:
- (void)NULL;
- }
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = EAFNOSUPPORT;
- return (NULL);
-}
-
-static struct nwent *
-nw_byaddr(struct irs_nw *this, void *net, int len, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (init(this) == -1)
- return (NULL);
-
- switch (af) {
- case AF_INET:
- return (get1101byaddr(this, net, len));
- default:
- (void)NULL;
- }
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = EAFNOSUPPORT;
- return (NULL);
-}
-
-static struct nwent *
-nw_next(struct irs_nw *this) {
-
- UNUSED(this);
-
- return (NULL);
-}
-
-static void
-nw_rewind(struct irs_nw *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-static void
-nw_minimize(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res)
- res_nclose(pvt->res);
-}
-
-static struct __res_state *
-nw_res_get(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- nw_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-nw_res_set(struct irs_nw *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-}
-
-/* Private. */
-
-static struct nwent *
-get1101byname(struct irs_nw *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- u_char *ansbuf;
- int anslen;
- struct nwent *result;
-
- ansbuf = memget(MAXPACKET);
- if (ansbuf == NULL) {
- errno = ENOMEM;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- anslen = res_nsearch(pvt->res, name, C_IN, T_PTR, ansbuf, MAXPACKET);
- if (anslen < 0) {
- memput(ansbuf, MAXPACKET);
- return (NULL);
- }
- result = get1101mask(this, get1101answer(this, ansbuf, anslen, by_name,
- AF_INET, name, NULL, 0));
- memput(ansbuf, MAXPACKET);
- return (result);
-}
-
-static struct nwent *
-get1101byaddr(struct irs_nw *this, u_char *net, int len) {
- struct pvt *pvt = (struct pvt *)this->private;
- char qbuf[sizeof "255.255.255.255.in-addr.arpa"];
- struct nwent *result;
- u_char *ansbuf;
- int anslen;
-
- if (len < 1 || len > 32) {
- errno = EINVAL;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- if (make1101inaddr(net, len, qbuf, sizeof qbuf) < 0)
- return (NULL);
- ansbuf = memget(MAXPACKET);
- if (ansbuf == NULL) {
- errno = ENOMEM;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- anslen = res_nquery(pvt->res, qbuf, C_IN, T_PTR, ansbuf, MAXPACKET);
- if (anslen < 0) {
- memput(ansbuf, MAXPACKET);
- return (NULL);
- }
- result = get1101mask(this, get1101answer(this, ansbuf, anslen, by_addr,
- AF_INET, NULL, net, len));
- memput(ansbuf, MAXPACKET);
- return (result);
-}
-
-static struct nwent *
-get1101answer(struct irs_nw *this,
- u_char *ansbuf, int anslen, enum by_what by_what,
- int af, const char *name, const u_char *addr, int addrlen)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- int type, class, ancount, qdcount, haveanswer;
- char *bp, *ep, **ap;
- u_char *cp, *eom;
- HEADER *hp;
-
- /* Initialize, and parse header. */
- eom = ansbuf + anslen;
- if (ansbuf + HFIXEDSZ > eom) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- hp = (HEADER *)ansbuf;
- cp = ansbuf + HFIXEDSZ;
- qdcount = ntohs(hp->qdcount);
- while (qdcount-- > 0) {
- int n = dn_skipname(cp, eom);
- cp += n + QFIXEDSZ;
- if (n < 0 || cp > eom) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- }
- ancount = ntohs(hp->ancount);
- if (!ancount) {
- if (hp->aa)
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- else
- RES_SET_H_ERRNO(pvt->res, TRY_AGAIN);
- return (NULL);
- }
-
- /* Prepare a return structure. */
- bp = pvt->buf;
- ep = pvt->buf + sizeof(pvt->buf);
- pvt->net.n_name = NULL;
- pvt->net.n_aliases = pvt->ali;
- pvt->net.n_addrtype = af;
- pvt->net.n_addr = NULL;
- pvt->net.n_length = addrlen;
-
- /* Save input key if given. */
- switch (by_what) {
- case by_name:
- if (name != NULL) {
- int n = strlen(name) + 1;
-
- if (n > (ep - bp)) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- pvt->net.n_name = strcpy(bp, name); /* (checked) */
- bp += n;
- }
- break;
- case by_addr:
- if (addr != NULL && addrlen != 0) {
- int n = addrlen / 8 + ((addrlen % 8) != 0);
-
- if (INADDRSZ > (ep - bp)) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- memset(bp, 0, INADDRSZ);
- memcpy(bp, addr, n);
- pvt->net.n_addr = bp;
- bp += INADDRSZ;
- }
- break;
- default:
- abort();
- }
-
- /* Parse the answer, collect aliases. */
- ap = pvt->ali;
- haveanswer = 0;
- while (--ancount >= 0 && cp < eom) {
- int n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
-
- cp += n; /* Owner */
- if (n < 0 || !maybe_dnok(pvt->res, bp) ||
- cp + 3 * INT16SZ + INT32SZ > eom) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- GETSHORT(type, cp); /* Type */
- GETSHORT(class, cp); /* Class */
- cp += INT32SZ; /* TTL */
- GETSHORT(n, cp); /* RDLENGTH */
- if (class == C_IN && type == T_PTR) {
- int nn;
-
- nn = dn_expand(ansbuf, eom, cp, bp, ep - bp);
- if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- normalize_name(bp);
- switch (by_what) {
- case by_addr: {
- if (pvt->net.n_name == NULL)
- pvt->net.n_name = bp;
- else if (ns_samename(pvt->net.n_name, bp) == 1)
- break;
- else
- *ap++ = bp;
- nn = strlen(bp) + 1;
- bp += nn;
- haveanswer++;
- break;
- }
- case by_name: {
- u_int b1, b2, b3, b4;
-
- if (pvt->net.n_addr != NULL ||
- sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
- &b1, &b2, &b3, &b4) != 4)
- break;
- if ((ep - bp) < INADDRSZ) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- return (NULL);
- }
- pvt->net.n_addr = bp;
- *bp++ = b4;
- *bp++ = b3;
- *bp++ = b2;
- *bp++ = b1;
- pvt->net.n_length = INADDRSZ * 8;
- haveanswer++;
- }
- }
- }
- cp += n; /* RDATA */
- }
- if (!haveanswer) {
- RES_SET_H_ERRNO(pvt->res, TRY_AGAIN);
- return (NULL);
- }
- *ap = NULL;
-
- return (&pvt->net);
-}
-
-static struct nwent *
-get1101mask(struct irs_nw *this, struct nwent *nwent) {
- struct pvt *pvt = (struct pvt *)this->private;
- char qbuf[sizeof "255.255.255.255.in-addr.arpa"], owner[MAXDNAME];
- int anslen, type, class, ancount, qdcount;
- u_char *ansbuf, *cp, *eom;
- HEADER *hp;
-
- if (!nwent)
- return (NULL);
- if (make1101inaddr(nwent->n_addr, nwent->n_length, qbuf, sizeof qbuf)
- < 0) {
- /* "First, do no harm." */
- return (nwent);
- }
-
- ansbuf = memget(MAXPACKET);
- if (ansbuf == NULL) {
- errno = ENOMEM;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- /* Query for the A RR that would hold this network's mask. */
- anslen = res_nquery(pvt->res, qbuf, C_IN, T_A, ansbuf, MAXPACKET);
- if (anslen < HFIXEDSZ) {
- memput(ansbuf, MAXPACKET);
- return (nwent);
- }
-
- /* Initialize, and parse header. */
- hp = (HEADER *)ansbuf;
- cp = ansbuf + HFIXEDSZ;
- eom = ansbuf + anslen;
- qdcount = ntohs(hp->qdcount);
- while (qdcount-- > 0) {
- int n = dn_skipname(cp, eom);
- cp += n + QFIXEDSZ;
- if (n < 0 || cp > eom) {
- memput(ansbuf, MAXPACKET);
- return (nwent);
- }
- }
- ancount = ntohs(hp->ancount);
-
- /* Parse the answer, collect aliases. */
- while (--ancount >= 0 && cp < eom) {
- int n = dn_expand(ansbuf, eom, cp, owner, sizeof owner);
-
- if (n < 0 || !maybe_dnok(pvt->res, owner))
- break;
- cp += n; /* Owner */
- if (cp + 3 * INT16SZ + INT32SZ > eom)
- break;
- GETSHORT(type, cp); /* Type */
- GETSHORT(class, cp); /* Class */
- cp += INT32SZ; /* TTL */
- GETSHORT(n, cp); /* RDLENGTH */
- if (cp + n > eom)
- break;
- if (n == INADDRSZ && class == C_IN && type == T_A &&
- ns_samename(qbuf, owner) == 1) {
- /* This A RR indicates the actual netmask. */
- int nn, mm;
-
- nwent->n_length = 0;
- for (nn = 0; nn < INADDRSZ; nn++)
- for (mm = 7; mm >= 0; mm--)
- if (cp[nn] & (1 << mm))
- nwent->n_length++;
- else
- break;
- }
- cp += n; /* RDATA */
- }
- memput(ansbuf, MAXPACKET);
- return (nwent);
-}
-
-static int
-make1101inaddr(const u_char *net, int bits, char *name, int size) {
- int n, m;
- char *ep;
-
- ep = name + size;
-
- /* Zero fill any whole bytes left out of the prefix. */
- for (n = (32 - bits) / 8; n > 0; n--) {
- if (ep - name < (int)(sizeof "0."))
- goto emsgsize;
- m = SPRINTF((name, "0."));
- name += m;
- }
-
- /* Format the partial byte, if any, within the prefix. */
- if ((n = bits % 8) != 0) {
- if (ep - name < (int)(sizeof "255."))
- goto emsgsize;
- m = SPRINTF((name, "%u.",
- net[bits / 8] & ~((1 << (8 - n)) - 1)));
- name += m;
- }
-
- /* Format the whole bytes within the prefix. */
- for (n = bits / 8; n > 0; n--) {
- if (ep - name < (int)(sizeof "255."))
- goto emsgsize;
- m = SPRINTF((name, "%u.", net[n - 1]));
- name += m;
- }
-
- /* Add the static text. */
- if (ep - name < (int)(sizeof "in-addr.arpa"))
- goto emsgsize;
- (void) SPRINTF((name, "in-addr.arpa"));
- return (0);
-
- emsgsize:
- errno = EMSGSIZE;
- return (-1);
-}
-
-static void
-normalize_name(char *name) {
- char *t;
-
- /* Make lower case. */
- for (t = name; *t; t++)
- if (isascii((unsigned char)*t) && isupper((unsigned char)*t))
- *t = tolower((*t)&0xff);
-
- /* Remove trailing dots. */
- while (t > name && t[-1] == '.')
- *--t = '\0';
-}
-
-static int
-init(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !nw_res_get(this))
- return (-1);
- if (((pvt->res->options & RES_INIT) == 0U) &&
- res_ninit(pvt->res) == -1)
- return (-1);
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/irs/dns_p.h b/contrib/bind9/lib/bind/irs/dns_p.h
deleted file mode 100644
index f984c1cd50e3..000000000000
--- a/contrib/bind9/lib/bind/irs/dns_p.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: dns_p.h,v 1.1.206.2 2004/03/17 00:29:48 marka Exp $
- */
-
-#ifndef _DNS_P_H_INCLUDED
-#define _DNS_P_H_INCLUDED
-
-#define maybe_ok(res, nm, ok) (((res)->options & RES_NOCHECKNAME) != 0U || \
- (ok)(nm) != 0)
-#define maybe_hnok(res, hn) maybe_ok((res), (hn), res_hnok)
-#define maybe_dnok(res, dn) maybe_ok((res), (dn), res_dnok)
-
-/*
- * Object state.
- */
-struct dns_p {
- void *hes_ctx;
- struct __res_state *res;
- void (*free_res) __P((void *));
-};
-
-/*
- * Methods.
- */
-
-extern struct irs_gr * irs_dns_gr __P((struct irs_acc *));
-extern struct irs_pw * irs_dns_pw __P((struct irs_acc *));
-extern struct irs_sv * irs_dns_sv __P((struct irs_acc *));
-extern struct irs_pr * irs_dns_pr __P((struct irs_acc *));
-extern struct irs_ho * irs_dns_ho __P((struct irs_acc *));
-extern struct irs_nw * irs_dns_nw __P((struct irs_acc *));
-
-#endif /*_DNS_P_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/irs/dns_pr.c b/contrib/bind9/lib/bind/irs/dns_pr.c
deleted file mode 100644
index ffcca15239a1..000000000000
--- a/contrib/bind9/lib/bind/irs/dns_pr.c
+++ /dev/null
@@ -1,266 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pr.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <errno.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "hesiod.h"
-#include "dns_p.h"
-
-/* Types. */
-
-struct pvt {
- struct dns_p * dns;
- struct protoent proto;
- char * prbuf;
-};
-
-/* Forward. */
-
-static void pr_close(struct irs_pr *);
-static struct protoent * pr_byname(struct irs_pr *, const char *);
-static struct protoent * pr_bynumber(struct irs_pr *, int);
-static struct protoent * pr_next(struct irs_pr *);
-static void pr_rewind(struct irs_pr *);
-static void pr_minimize(struct irs_pr *);
-static struct __res_state * pr_res_get(struct irs_pr *);
-static void pr_res_set(struct irs_pr *,
- struct __res_state *,
- void (*)(void *));
-
-static struct protoent * parse_hes_list(struct irs_pr *, char **);
-
-/* Public. */
-
-struct irs_pr *
-irs_dns_pr(struct irs_acc *this) {
- struct dns_p *dns = (struct dns_p *)this->private;
- struct pvt *pvt;
- struct irs_pr *pr;
-
- if (!dns->hes_ctx) {
- errno = ENODEV;
- return (NULL);
- }
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(pr = memget(sizeof *pr))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pr, 0x5e, sizeof *pr);
- pvt->dns = dns;
- pr->private = pvt;
- pr->byname = pr_byname;
- pr->bynumber = pr_bynumber;
- pr->next = pr_next;
- pr->rewind = pr_rewind;
- pr->close = pr_close;
- pr->minimize = pr_minimize;
- pr->res_get = pr_res_get;
- pr->res_set = pr_res_set;
- return (pr);
-}
-
-/* Methods. */
-
-static void
-pr_close(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->proto.p_aliases)
- free(pvt->proto.p_aliases);
- if (pvt->prbuf)
- free(pvt->prbuf);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct protoent *
-pr_byname(struct irs_pr *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
- struct protoent *proto;
- char **hes_list;
-
- if (!(hes_list = hesiod_resolve(dns->hes_ctx, name, "protocol")))
- return (NULL);
-
- proto = parse_hes_list(this, hes_list);
- hesiod_free_list(dns->hes_ctx, hes_list);
- return (proto);
-}
-
-static struct protoent *
-pr_bynumber(struct irs_pr *this, int num) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
- struct protoent *proto;
- char numstr[16];
- char **hes_list;
-
- sprintf(numstr, "%d", num);
- if (!(hes_list = hesiod_resolve(dns->hes_ctx, numstr, "protonum")))
- return (NULL);
-
- proto = parse_hes_list(this, hes_list);
- hesiod_free_list(dns->hes_ctx, hes_list);
- return (proto);
-}
-
-static struct protoent *
-pr_next(struct irs_pr *this) {
- UNUSED(this);
- errno = ENODEV;
- return (NULL);
-}
-
-static void
-pr_rewind(struct irs_pr *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-static void
-pr_minimize(struct irs_pr *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-static struct __res_state *
-pr_res_get(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- return (__hesiod_res_get(dns->hes_ctx));
-}
-
-static void
-pr_res_set(struct irs_pr *this, struct __res_state * res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- __hesiod_res_set(dns->hes_ctx, res, free_res);
-}
-
-/* Private. */
-
-static struct protoent *
-parse_hes_list(struct irs_pr *this, char **hes_list) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *p, *cp, **cpp, **new;
- int num = 0;
- int max = 0;
-
- for (cpp = hes_list; *cpp; cpp++) {
- cp = *cpp;
-
- /* Strip away comments, if any. */
- if ((p = strchr(cp, '#')))
- *p = 0;
-
- /* Skip blank lines. */
- p = cp;
- while (*p && !isspace((unsigned char)*p))
- p++;
- if (!*p)
- continue;
-
- /* OK, we've got a live one. Let's parse it for real. */
- if (pvt->prbuf)
- free(pvt->prbuf);
- pvt->prbuf = strdup(cp);
-
- p = pvt->prbuf;
- pvt->proto.p_name = p;
- while (*p && !isspace((unsigned char)*p))
- p++;
- if (!*p)
- continue;
- *p++ = '\0';
-
- pvt->proto.p_proto = atoi(p);
- while (*p && !isspace((unsigned char)*p))
- p++;
- if (*p)
- *p++ = '\0';
-
- while (*p) {
- if ((num + 1) >= max || !pvt->proto.p_aliases) {
- max += 10;
- new = realloc(pvt->proto.p_aliases,
- max * sizeof(char *));
- if (!new) {
- errno = ENOMEM;
- goto cleanup;
- }
- pvt->proto.p_aliases = new;
- }
- pvt->proto.p_aliases[num++] = p;
- while (*p && !isspace((unsigned char)*p))
- p++;
- if (*p)
- *p++ = '\0';
- }
- if (!pvt->proto.p_aliases)
- pvt->proto.p_aliases = malloc(sizeof(char *));
- if (!pvt->proto.p_aliases)
- goto cleanup;
- pvt->proto.p_aliases[num] = NULL;
- return (&pvt->proto);
- }
-
- cleanup:
- if (pvt->proto.p_aliases) {
- free(pvt->proto.p_aliases);
- pvt->proto.p_aliases = NULL;
- }
- if (pvt->prbuf) {
- free(pvt->prbuf);
- pvt->prbuf = NULL;
- }
- return (NULL);
-}
diff --git a/contrib/bind9/lib/bind/irs/dns_pw.c b/contrib/bind9/lib/bind/irs/dns_pw.c
deleted file mode 100644
index 41b3795f2370..000000000000
--- a/contrib/bind9/lib/bind/irs/dns_pw.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_pw.c,v 1.1.206.1 2004/03/09 08:33:34 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_PW
-static int __bind_irs_pw_unneeded;
-#else
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "hesiod.h"
-#include "dns_p.h"
-
-/* Types. */
-
-struct pvt {
- struct dns_p * dns;
- struct passwd passwd;
- char * pwbuf;
-};
-
-/* Forward. */
-
-static void pw_close(struct irs_pw *);
-static struct passwd * pw_byname(struct irs_pw *, const char *);
-static struct passwd * pw_byuid(struct irs_pw *, uid_t);
-static struct passwd * pw_next(struct irs_pw *);
-static void pw_rewind(struct irs_pw *);
-static void pw_minimize(struct irs_pw *);
-static struct __res_state * pw_res_get(struct irs_pw *);
-static void pw_res_set(struct irs_pw *,
- struct __res_state *,
- void (*)(void *));
-
-static struct passwd * getpwcommon(struct irs_pw *, const char *,
- const char *);
-
-/* Public. */
-
-struct irs_pw *
-irs_dns_pw(struct irs_acc *this) {
- struct dns_p *dns = (struct dns_p *)this->private;
- struct irs_pw *pw;
- struct pvt *pvt;
-
- if (!dns || !dns->hes_ctx) {
- errno = ENODEV;
- return (NULL);
- }
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->dns = dns;
- if (!(pw = memget(sizeof *pw))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pw, 0x5e, sizeof *pw);
- pw->private = pvt;
- pw->close = pw_close;
- pw->byname = pw_byname;
- pw->byuid = pw_byuid;
- pw->next = pw_next;
- pw->rewind = pw_rewind;
- pw->minimize = pw_minimize;
- pw->res_get = pw_res_get;
- pw->res_set = pw_res_set;
- return (pw);
-}
-
-/* Methods. */
-
-static void
-pw_close(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->pwbuf)
- free(pvt->pwbuf);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct passwd *
-pw_byname(struct irs_pw *this, const char *nam) {
- return (getpwcommon(this, nam, "passwd"));
-}
-
-static struct passwd *
-pw_byuid(struct irs_pw *this, uid_t uid) {
- char uidstr[16];
-
- sprintf(uidstr, "%lu", (u_long)uid);
- return (getpwcommon(this, uidstr, "uid"));
-}
-
-static struct passwd *
-pw_next(struct irs_pw *this) {
- UNUSED(this);
- errno = ENODEV;
- return (NULL);
-}
-
-static void
-pw_rewind(struct irs_pw *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-static void
-pw_minimize(struct irs_pw *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-static struct __res_state *
-pw_res_get(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- return (__hesiod_res_get(dns->hes_ctx));
-}
-
-static void
-pw_res_set(struct irs_pw *this, struct __res_state * res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- __hesiod_res_set(dns->hes_ctx, res, free_res);
-}
-
-/* Private. */
-
-static struct passwd *
-getpwcommon(struct irs_pw *this, const char *arg, const char *type) {
- struct pvt *pvt = (struct pvt *)this->private;
- char **hes_list, *cp;
-
- if (!(hes_list = hesiod_resolve(pvt->dns->hes_ctx, arg, type)))
- return (NULL);
- if (!*hes_list) {
- hesiod_free_list(pvt->dns->hes_ctx, hes_list);
- errno = ENOENT;
- return (NULL);
- }
-
- memset(&pvt->passwd, 0, sizeof pvt->passwd);
- if (pvt->pwbuf)
- free(pvt->pwbuf);
- pvt->pwbuf = strdup(*hes_list);
- hesiod_free_list(pvt->dns->hes_ctx, hes_list);
-
- cp = pvt->pwbuf;
- pvt->passwd.pw_name = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_passwd = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_uid = atoi(cp);
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_gid = atoi(cp);
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_gecos = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_dir = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_shell = cp;
- return (&pvt->passwd);
-
- cleanup:
- free(pvt->pwbuf);
- pvt->pwbuf = NULL;
- return (NULL);
-}
-
-#endif /* WANT_IRS_PW */
diff --git a/contrib/bind9/lib/bind/irs/dns_sv.c b/contrib/bind9/lib/bind/irs/dns_sv.c
deleted file mode 100644
index a2aafde825a4..000000000000
--- a/contrib/bind9/lib/bind/irs/dns_sv.c
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: dns_sv.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "hesiod.h"
-#include "dns_p.h"
-
-/* Definitions */
-
-struct pvt {
- struct dns_p * dns;
- struct servent serv;
- char * svbuf;
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forward. */
-
-static void sv_close(struct irs_sv *);
-static struct servent * sv_byname(struct irs_sv *,
- const char *, const char *);
-static struct servent * sv_byport(struct irs_sv *, int, const char *);
-static struct servent * sv_next(struct irs_sv *);
-static void sv_rewind(struct irs_sv *);
-static void sv_minimize(struct irs_sv *);
-#ifdef SV_RES_SETGET
-static struct __res_state * sv_res_get(struct irs_sv *);
-static void sv_res_set(struct irs_sv *,
- struct __res_state *,
- void (*)(void *));
-#endif
-
-static struct servent * parse_hes_list(struct irs_sv *,
- char **, const char *);
-
-/* Public */
-
-struct irs_sv *
-irs_dns_sv(struct irs_acc *this) {
- struct dns_p *dns = (struct dns_p *)this->private;
- struct irs_sv *sv;
- struct pvt *pvt;
-
- if (!dns || !dns->hes_ctx) {
- errno = ENODEV;
- return (NULL);
- }
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->dns = dns;
- if (!(sv = memget(sizeof *sv))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(sv, 0x5e, sizeof *sv);
- sv->private = pvt;
- sv->byname = sv_byname;
- sv->byport = sv_byport;
- sv->next = sv_next;
- sv->rewind = sv_rewind;
- sv->close = sv_close;
- sv->minimize = sv_minimize;
-#ifdef SV_RES_SETGET
- sv->res_get = sv_res_get;
- sv->res_set = sv_res_set;
-#else
- sv->res_get = NULL; /* sv_res_get; */
- sv->res_set = NULL; /* sv_res_set; */
-#endif
- return (sv);
-}
-
-/* Methods */
-
-static void
-sv_close(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->serv.s_aliases)
- free(pvt->serv.s_aliases);
- if (pvt->svbuf)
- free(pvt->svbuf);
-
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct servent *
-sv_byname(struct irs_sv *this, const char *name, const char *proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
- struct servent *s;
- char **hes_list;
-
- if (!(hes_list = hesiod_resolve(dns->hes_ctx, name, "service")))
- return (NULL);
-
- s = parse_hes_list(this, hes_list, proto);
- hesiod_free_list(dns->hes_ctx, hes_list);
- return (s);
-}
-
-static struct servent *
-sv_byport(struct irs_sv *this, int port, const char *proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
- struct servent *s;
- char portstr[16];
- char **hes_list;
-
- sprintf(portstr, "%d", ntohs(port));
- if (!(hes_list = hesiod_resolve(dns->hes_ctx, portstr, "port")))
- return (NULL);
-
- s = parse_hes_list(this, hes_list, proto);
- hesiod_free_list(dns->hes_ctx, hes_list);
- return (s);
-}
-
-static struct servent *
-sv_next(struct irs_sv *this) {
- UNUSED(this);
- errno = ENODEV;
- return (NULL);
-}
-
-static void
-sv_rewind(struct irs_sv *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-/* Private */
-
-static struct servent *
-parse_hes_list(struct irs_sv *this, char **hes_list, const char *proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *p, *cp, **cpp, **new;
- int proto_len;
- int num = 0;
- int max = 0;
-
- for (cpp = hes_list; *cpp; cpp++) {
- cp = *cpp;
-
- /* Strip away comments, if any. */
- if ((p = strchr(cp, '#')))
- *p = 0;
-
- /* Check to make sure the protocol matches. */
- p = cp;
- while (*p && !isspace((unsigned char)*p))
- p++;
- if (!*p)
- continue;
- if (proto) {
- proto_len = strlen(proto);
- if (strncasecmp(++p, proto, proto_len) != 0)
- continue;
- if (p[proto_len] && !isspace(p[proto_len]&0xff))
- continue;
- }
- /* OK, we've got a live one. Let's parse it for real. */
- if (pvt->svbuf)
- free(pvt->svbuf);
- pvt->svbuf = strdup(cp);
-
- p = pvt->svbuf;
- pvt->serv.s_name = p;
- while (*p && !isspace(*p&0xff))
- p++;
- if (!*p)
- continue;
- *p++ = '\0';
-
- pvt->serv.s_proto = p;
- while (*p && !isspace(*p&0xff))
- p++;
- if (!*p)
- continue;
- *p++ = '\0';
-
- pvt->serv.s_port = htons((u_short) atoi(p));
- while (*p && !isspace(*p&0xff))
- p++;
- if (*p)
- *p++ = '\0';
-
- while (*p) {
- if ((num + 1) >= max || !pvt->serv.s_aliases) {
- max += 10;
- new = realloc(pvt->serv.s_aliases,
- max * sizeof(char *));
- if (!new) {
- errno = ENOMEM;
- goto cleanup;
- }
- pvt->serv.s_aliases = new;
- }
- pvt->serv.s_aliases[num++] = p;
- while (*p && !isspace(*p&0xff))
- p++;
- if (*p)
- *p++ = '\0';
- }
- if (!pvt->serv.s_aliases)
- pvt->serv.s_aliases = malloc(sizeof(char *));
- if (!pvt->serv.s_aliases)
- goto cleanup;
- pvt->serv.s_aliases[num] = NULL;
- return (&pvt->serv);
- }
-
- cleanup:
- if (pvt->serv.s_aliases) {
- free(pvt->serv.s_aliases);
- pvt->serv.s_aliases = NULL;
- }
- if (pvt->svbuf) {
- free(pvt->svbuf);
- pvt->svbuf = NULL;
- }
- return (NULL);
-}
-
-static void
-sv_minimize(struct irs_sv *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-#ifdef SV_RES_SETGET
-static struct __res_state *
-sv_res_get(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- return (__hesiod_res_get(dns->hes_ctx));
-}
-
-static void
-sv_res_set(struct irs_sv *this, struct __res_state * res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct dns_p *dns = pvt->dns;
-
- __hesiod_res_set(dns->hes_ctx, res, free_res);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/irs/gai_strerror.c b/contrib/bind9/lib/bind/irs/gai_strerror.c
deleted file mode 100644
index 6aeaaa1910b5..000000000000
--- a/contrib/bind9/lib/bind/irs/gai_strerror.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 2001 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <port_before.h>
-#include <netdb.h>
-#include <port_after.h>
-
-#ifdef DO_PTHREADS
-#include <pthread.h>
-#include <stdlib.h>
-#endif
-
-static const char *gai_errlist[] = {
- "no error",
- "address family not supported for name",/* EAI_ADDRFAMILY */
- "temporary failure", /* EAI_AGAIN */
- "invalid flags", /* EAI_BADFLAGS */
- "permanent failure", /* EAI_FAIL */
- "address family not supported", /* EAI_FAMILY */
- "memory failure", /* EAI_MEMORY */
- "no address", /* EAI_NODATA */
- "unknown name or service", /* EAI_NONAME */
- "service not supported for socktype", /* EAI_SERVICE */
- "socktype not supported", /* EAI_SOCKTYPE */
- "system failure", /* EAI_SYSTEM */
- "bad hints", /* EAI_BADHINTS */
- "bad protocol", /* EAI_PROTOCOL */
-
- "unknown error" /* Must be last. */
-};
-
-static const int gai_nerr = (sizeof(gai_errlist)/sizeof(*gai_errlist));
-
-#define EAI_BUFSIZE 128
-
-const char *
-gai_strerror(int ecode) {
-#ifndef DO_PTHREADS
- static char buf[EAI_BUFSIZE];
-#else /* DO_PTHREADS */
-#ifndef LIBBIND_MUTEX_INITIALIZER
-#define LIBBIND_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
-#endif
- static pthread_mutex_t lock = LIBBIND_MUTEX_INITIALIZER;
- static pthread_key_t key;
- static int once = 0;
- char *buf;
-#endif
-
- if (ecode >= 0 && ecode < (gai_nerr - 1))
- return (gai_errlist[ecode]);
-
-#ifdef DO_PTHREADS
- if (!once) {
- pthread_mutex_lock(&lock);
- if (!once++)
- pthread_key_create(&key, free);
- pthread_mutex_unlock(&lock);
- }
-
- buf = pthread_getspecific(key);
- if (buf == NULL) {
- buf = malloc(EAI_BUFSIZE);
- if (buf == NULL)
- return ("unknown error");
- pthread_setspecific(key, buf);
- }
-#endif
- /*
- * XXX This really should be snprintf(buf, EAI_BUFSIZE, ...).
- * It is safe until message catalogs are used.
- */
- sprintf(buf, "%s: %d", gai_errlist[gai_nerr - 1], ecode);
- return (buf);
-}
diff --git a/contrib/bind9/lib/bind/irs/gen.c b/contrib/bind9/lib/bind/irs/gen.c
deleted file mode 100644
index e093db371e9e..000000000000
--- a/contrib/bind9/lib/bind/irs/gen.c
+++ /dev/null
@@ -1,432 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen.c,v 1.3.206.3 2004/09/16 00:57:34 marka Exp $";
-#endif
-
-/*
- * this is the top level dispatcher
- *
- * The dispatcher is implemented as an accessor class; it is an
- * accessor class that calls other accessor classes, as controlled by a
- * configuration file.
- *
- * A big difference between this accessor class and others is that the
- * map class initializers are NULL, and the map classes are already
- * filled in with method functions that will do the right thing.
- */
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <isc/assertions.h>
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Definitions */
-
-struct nameval {
- const char * name;
- int val;
-};
-
-static const struct nameval acc_names[irs_nacc+1] = {
- { "local", irs_lcl },
- { "dns", irs_dns },
- { "nis", irs_nis },
- { "irp", irs_irp },
- { NULL, irs_nacc }
-};
-
-typedef struct irs_acc *(*accinit) __P((const char *options));
-
-static const accinit accs[irs_nacc+1] = {
- irs_lcl_acc,
- irs_dns_acc,
-#ifdef WANT_IRS_NIS
- irs_nis_acc,
-#else
- NULL,
-#endif
- irs_irp_acc,
- NULL
-};
-
-static const struct nameval map_names[irs_nmap+1] = {
- { "group", irs_gr },
- { "passwd", irs_pw },
- { "services", irs_sv },
- { "protocols", irs_pr },
- { "hosts", irs_ho },
- { "networks", irs_nw },
- { "netgroup", irs_ng },
- { NULL, irs_nmap }
-};
-
-static const struct nameval option_names[] = {
- { "merge", IRS_MERGE },
- { "continue", IRS_CONTINUE },
- { NULL, 0 }
-};
-
-/* Forward */
-
-static void gen_close(struct irs_acc *);
-static struct __res_state * gen_res_get(struct irs_acc *);
-static void gen_res_set(struct irs_acc *, struct __res_state *,
- void (*)(void *));
-static int find_name(const char *, const struct nameval nv[]);
-static void init_map_rules(struct gen_p *, const char *conf_file);
-static struct irs_rule *release_rule(struct irs_rule *);
-static int add_rule(struct gen_p *,
- enum irs_map_id, enum irs_acc_id,
- const char *);
-
-/* Public */
-
-struct irs_acc *
-irs_gen_acc(const char *options, const char *conf_file) {
- struct irs_acc *acc;
- struct gen_p *irs;
-
- if (!(acc = memget(sizeof *acc))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(acc, 0x5e, sizeof *acc);
- if (!(irs = memget(sizeof *irs))) {
- errno = ENOMEM;
- memput(acc, sizeof *acc);
- return (NULL);
- }
- memset(irs, 0x5e, sizeof *irs);
- irs->options = strdup(options);
- irs->res = NULL;
- irs->free_res = NULL;
- memset(irs->accessors, 0, sizeof irs->accessors);
- memset(irs->map_rules, 0, sizeof irs->map_rules);
- init_map_rules(irs, conf_file);
- acc->private = irs;
-#ifdef WANT_IRS_GR
- acc->gr_map = irs_gen_gr;
-#else
- acc->gr_map = NULL;
-#endif
-#ifdef WANT_IRS_PW
- acc->pw_map = irs_gen_pw;
-#else
- acc->pw_map = NULL;
-#endif
- acc->sv_map = irs_gen_sv;
- acc->pr_map = irs_gen_pr;
- acc->ho_map = irs_gen_ho;
- acc->nw_map = irs_gen_nw;
- acc->ng_map = irs_gen_ng;
- acc->res_get = gen_res_get;
- acc->res_set = gen_res_set;
- acc->close = gen_close;
- return (acc);
-}
-
-/* Methods */
-
-static struct __res_state *
-gen_res_get(struct irs_acc *this) {
- struct gen_p *irs = (struct gen_p *)this->private;
-
- if (irs->res == NULL) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (res == NULL)
- return (NULL);
- memset(res, 0, sizeof *res);
- gen_res_set(this, res, free);
- }
-
- if (((irs->res->options & RES_INIT) == 0U) && res_ninit(irs->res) < 0)
- return (NULL);
-
- return (irs->res);
-}
-
-static void
-gen_res_set(struct irs_acc *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct gen_p *irs = (struct gen_p *)this->private;
-#if 0
- struct irs_rule *rule;
- struct irs_ho *ho;
- struct irs_nw *nw;
-#endif
-
- if (irs->res && irs->free_res) {
- res_nclose(irs->res);
- (*irs->free_res)(irs->res);
- }
-
- irs->res = res;
- irs->free_res = free_res;
-
-#if 0
- for (rule = irs->map_rules[irs_ho]; rule; rule = rule->next) {
- ho = rule->inst->ho;
-
- (*ho->res_set)(ho, res, NULL);
- }
- for (rule = irs->map_rules[irs_nw]; rule; rule = rule->next) {
- nw = rule->inst->nw;
-
- (*nw->res_set)(nw, res, NULL);
- }
-#endif
-}
-
-static void
-gen_close(struct irs_acc *this) {
- struct gen_p *irs = (struct gen_p *)this->private;
- int n;
-
- /* Search rules. */
- for (n = 0; n < irs_nmap; n++)
- while (irs->map_rules[n] != NULL)
- irs->map_rules[n] = release_rule(irs->map_rules[n]);
-
- /* Access methods. */
- for (n = 0; n < irs_nacc; n++) {
- /* Map objects. */
- if (irs->accessors[n].gr != NULL)
- (*irs->accessors[n].gr->close)(irs->accessors[n].gr);
- if (irs->accessors[n].pw != NULL)
- (*irs->accessors[n].pw->close)(irs->accessors[n].pw);
- if (irs->accessors[n].sv != NULL)
- (*irs->accessors[n].sv->close)(irs->accessors[n].sv);
- if (irs->accessors[n].pr != NULL)
- (*irs->accessors[n].pr->close)(irs->accessors[n].pr);
- if (irs->accessors[n].ho != NULL)
- (*irs->accessors[n].ho->close)(irs->accessors[n].ho);
- if (irs->accessors[n].nw != NULL)
- (*irs->accessors[n].nw->close)(irs->accessors[n].nw);
- if (irs->accessors[n].ng != NULL)
- (*irs->accessors[n].ng->close)(irs->accessors[n].ng);
- /* Enclosing accessor. */
- if (irs->accessors[n].acc != NULL)
- (*irs->accessors[n].acc->close)(irs->accessors[n].acc);
- }
-
- /* The options string was strdup'd. */
- free((void*)irs->options);
-
- if (irs->res && irs->free_res)
- (*irs->free_res)(irs->res);
-
- /* The private data container. */
- memput(irs, sizeof *irs);
-
- /* The object. */
- memput(this, sizeof *this);
-}
-
-/* Private */
-
-static int
-find_name(const char *name, const struct nameval names[]) {
- int n;
-
- for (n = 0; names[n].name != NULL; n++)
- if (strcmp(name, names[n].name) == 0)
- return (names[n].val);
- return (-1);
-}
-
-static struct irs_rule *
-release_rule(struct irs_rule *rule) {
- struct irs_rule *next = rule->next;
-
- memput(rule, sizeof *rule);
- return (next);
-}
-
-static int
-add_rule(struct gen_p *irs,
- enum irs_map_id map, enum irs_acc_id acc,
- const char *options)
-{
- struct irs_rule **rules, *last, *tmp, *new;
- struct irs_inst *inst;
- const char *cp;
- int n;
-
-#ifndef WANT_IRS_GR
- if (map == irs_gr)
- return (-1);
-#endif
-#ifndef WANT_IRS_PW
- if (map == irs_pw)
- return (-1);
-#endif
-#ifndef WANT_IRS_NIS
- if (acc == irs_nis)
- return (-1);
-#endif
- new = memget(sizeof *new);
- if (new == NULL)
- return (-1);
- memset(new, 0x5e, sizeof *new);
- new->next = NULL;
-
- new->inst = &irs->accessors[acc];
-
- new->flags = 0;
- cp = options;
- while (cp && *cp) {
- char option[50], *next;
-
- next = strchr(cp, ',');
- if (next)
- n = next++ - cp;
- else
- n = strlen(cp);
- if ((size_t)n > sizeof option - 1)
- n = sizeof option - 1;
- strncpy(option, cp, n);
- option[n] = '\0';
-
- n = find_name(option, option_names);
- if (n >= 0)
- new->flags |= n;
-
- cp = next;
- }
-
- rules = &irs->map_rules[map];
- for (last = NULL, tmp = *rules;
- tmp != NULL;
- last = tmp, tmp = tmp->next)
- (void)NULL;
- if (last == NULL)
- *rules = new;
- else
- last->next = new;
-
- /* Try to instantiate map accessors for this if necessary & approp. */
- inst = &irs->accessors[acc];
- if (inst->acc == NULL && accs[acc] != NULL)
- inst->acc = (*accs[acc])(irs->options);
- if (inst->acc != NULL) {
- if (inst->gr == NULL && inst->acc->gr_map != NULL)
- inst->gr = (*inst->acc->gr_map)(inst->acc);
- if (inst->pw == NULL && inst->acc->pw_map != NULL)
- inst->pw = (*inst->acc->pw_map)(inst->acc);
- if (inst->sv == NULL && inst->acc->sv_map != NULL)
- inst->sv = (*inst->acc->sv_map)(inst->acc);
- if (inst->pr == NULL && inst->acc->pr_map != NULL)
- inst->pr = (*inst->acc->pr_map)(inst->acc);
- if (inst->ho == NULL && inst->acc->ho_map != NULL)
- inst->ho = (*inst->acc->ho_map)(inst->acc);
- if (inst->nw == NULL && inst->acc->nw_map != NULL)
- inst->nw = (*inst->acc->nw_map)(inst->acc);
- if (inst->ng == NULL && inst->acc->ng_map != NULL)
- inst->ng = (*inst->acc->ng_map)(inst->acc);
- }
-
- return (0);
-}
-
-static void
-default_map_rules(struct gen_p *irs) {
- /* Install time honoured and proved BSD style rules as default. */
- add_rule(irs, irs_gr, irs_lcl, "");
- add_rule(irs, irs_pw, irs_lcl, "");
- add_rule(irs, irs_sv, irs_lcl, "");
- add_rule(irs, irs_pr, irs_lcl, "");
- add_rule(irs, irs_ho, irs_dns, "continue");
- add_rule(irs, irs_ho, irs_lcl, "");
- add_rule(irs, irs_nw, irs_dns, "continue");
- add_rule(irs, irs_nw, irs_lcl, "");
- add_rule(irs, irs_ng, irs_lcl, "");
-}
-
-static void
-init_map_rules(struct gen_p *irs, const char *conf_file) {
- char line[1024], pattern[40], mapname[20], accname[20], options[100];
- FILE *conf;
-
- if (conf_file == NULL)
- conf_file = _PATH_IRS_CONF ;
-
- /* A conf file of "" means compiled in defaults. Irpd wants this */
- if (conf_file[0] == '\0' || (conf = fopen(conf_file, "r")) == NULL) {
- default_map_rules(irs);
- return;
- }
- (void) sprintf(pattern, "%%%lus %%%lus %%%lus\n",
- (unsigned long)sizeof mapname,
- (unsigned long)sizeof accname,
- (unsigned long)sizeof options);
- while (fgets(line, sizeof line, conf)) {
- enum irs_map_id map;
- enum irs_acc_id acc;
- char *tmp;
- int n;
-
- for (tmp = line;
- isascii((unsigned char)*tmp) &&
- isspace((unsigned char)*tmp);
- tmp++)
- (void)NULL;
- if (*tmp == '#' || *tmp == '\n' || *tmp == '\0')
- continue;
- n = sscanf(tmp, pattern, mapname, accname, options);
- if (n < 2)
- continue;
- if (n < 3)
- options[0] = '\0';
-
- n = find_name(mapname, map_names);
- INSIST(n < irs_nmap);
- if (n < 0)
- continue;
- map = (enum irs_map_id) n;
-
- n = find_name(accname, acc_names);
- INSIST(n < irs_nacc);
- if (n < 0)
- continue;
- acc = (enum irs_acc_id) n;
-
- add_rule(irs, map, acc, options);
- }
- fclose(conf);
-}
diff --git a/contrib/bind9/lib/bind/irs/gen_gr.c b/contrib/bind9/lib/bind/irs/gen_gr.c
deleted file mode 100644
index e0c6dba52935..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_gr.c
+++ /dev/null
@@ -1,492 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_gr.c,v 1.4.2.1.4.2 2004/05/17 07:48:56 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_GR
-static int __bind_irs_gr_unneeded;
-#else
-
-#include <sys/types.h>
-
-#include <isc/assertions.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Definitions */
-
-struct pvt {
- struct irs_rule * rules;
- struct irs_rule * rule;
- struct irs_gr * gr;
- /*
- * Need space to store the entries read from the group file.
- * The members list also needs space per member, and the
- * strings making up the user names must be allocated
- * somewhere. Rather than doing lots of small allocations,
- * we keep one buffer and resize it as needed.
- */
- struct group group;
- size_t nmemb; /* Malloc'd max index of gr_mem[]. */
- char * membuf;
- size_t membufsize;
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forward */
-
-static void gr_close(struct irs_gr *);
-static struct group * gr_next(struct irs_gr *);
-static struct group * gr_byname(struct irs_gr *, const char *);
-static struct group * gr_bygid(struct irs_gr *, gid_t);
-static void gr_rewind(struct irs_gr *);
-static int gr_list(struct irs_gr *, const char *,
- gid_t, gid_t *, int *);
-static void gr_minimize(struct irs_gr *);
-static struct __res_state * gr_res_get(struct irs_gr *);
-static void gr_res_set(struct irs_gr *,
- struct __res_state *,
- void (*)(void *));
-
-static int grmerge(struct irs_gr *gr, const struct group *src,
- int preserve);
-
-static int countvec(char **vec);
-static int isnew(char **old, char *new);
-static int countnew(char **old, char **new);
-static size_t sizenew(char **old, char **new);
-static int newgid(int, gid_t *, gid_t);
-
-/* Macros */
-
-#define FREE_IF(x) do { if ((x) != NULL) { free(x); (x) = NULL; } } while (0)
-
-/* Public */
-
-struct irs_gr *
-irs_gen_gr(struct irs_acc *this) {
- struct gen_p *accpvt = (struct gen_p *)this->private;
- struct irs_gr *gr;
- struct pvt *pvt;
-
- if (!(gr = memget(sizeof *gr))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(gr, 0x5e, sizeof *gr);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(gr, sizeof *gr);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->rules = accpvt->map_rules[irs_gr];
- pvt->rule = pvt->rules;
- gr->private = pvt;
- gr->close = gr_close;
- gr->next = gr_next;
- gr->byname = gr_byname;
- gr->bygid = gr_bygid;
- gr->rewind = gr_rewind;
- gr->list = gr_list;
- gr->minimize = gr_minimize;
- gr->res_get = gr_res_get;
- gr->res_set = gr_res_set;
- return (gr);
-}
-
-/* Methods. */
-
-static void
-gr_close(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct group *
-gr_next(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct group *rval;
- struct irs_gr *gr;
-
- while (pvt->rule) {
- gr = pvt->rule->inst->gr;
- rval = (*gr->next)(gr);
- if (rval)
- return (rval);
- if (!(pvt->rule->flags & IRS_CONTINUE))
- break;
- pvt->rule = pvt->rule->next;
- if (pvt->rule) {
- gr = pvt->rule->inst->gr;
- (*gr->rewind)(gr);
- }
- }
- return (NULL);
-}
-
-static struct group *
-gr_byname(struct irs_gr *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct group *tval;
- struct irs_gr *gr;
- int dirty;
-
- dirty = 0;
- for (rule = pvt->rules; rule; rule = rule->next) {
- gr = rule->inst->gr;
- tval = (*gr->byname)(gr, name);
- if (tval) {
- if (!grmerge(this, tval, dirty++))
- return (NULL);
- if (!(rule->flags & IRS_MERGE))
- break;
- } else {
- if (!(rule->flags & IRS_CONTINUE))
- break;
- }
- }
- if (dirty)
- return (&pvt->group);
- return (NULL);
-}
-
-static struct group *
-gr_bygid(struct irs_gr *this, gid_t gid) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct group *tval;
- struct irs_gr *gr;
- int dirty;
-
- dirty = 0;
- for (rule = pvt->rules; rule; rule = rule->next) {
- gr = rule->inst->gr;
- tval = (*gr->bygid)(gr, gid);
- if (tval) {
- if (!grmerge(this, tval, dirty++))
- return (NULL);
- if (!(rule->flags & IRS_MERGE))
- break;
- } else {
- if (!(rule->flags & IRS_CONTINUE))
- break;
- }
- }
- if (dirty)
- return (&pvt->group);
- return (NULL);
-}
-
-static void
-gr_rewind(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_gr *gr;
-
- pvt->rule = pvt->rules;
- if (pvt->rule) {
- gr = pvt->rule->inst->gr;
- (*gr->rewind)(gr);
- }
-}
-
-static int
-gr_list(struct irs_gr *this, const char *name,
- gid_t basegid, gid_t *groups, int *ngroups)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct irs_gr *gr;
- int t_ngroups, maxgroups;
- gid_t *t_groups;
- int n, t, rval = 0;
-
- maxgroups = *ngroups;
- *ngroups = 0;
- t_groups = (gid_t *)malloc(maxgroups * sizeof(gid_t));
- if (!t_groups) {
- errno = ENOMEM;
- return (-1);
- }
-
- for (rule = pvt->rules; rule; rule = rule->next) {
- t_ngroups = maxgroups;
- gr = rule->inst->gr;
- t = (*gr->list)(gr, name, basegid, t_groups, &t_ngroups);
- for (n = 0; n < t_ngroups; n++) {
- if (newgid(*ngroups, groups, t_groups[n])) {
- if (*ngroups == maxgroups) {
- rval = -1;
- goto done;
- }
- groups[(*ngroups)++] = t_groups[n];
- }
- }
- if (t == 0) {
- if (!(rule->flags & IRS_MERGE))
- break;
- } else {
- if (!(rule->flags & IRS_CONTINUE))
- break;
- }
- }
- done:
- free(t_groups);
- return (rval);
-}
-
-static void
-gr_minimize(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_gr *gr = rule->inst->gr;
-
- (*gr->minimize)(gr);
- }
-}
-
-static struct __res_state *
-gr_res_get(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- gr_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-gr_res_set(struct irs_gr *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_gr *gr = rule->inst->gr;
-
- if (gr->res_set)
- (*gr->res_set)(gr, pvt->res, NULL);
- }
-}
-
-/* Private. */
-
-static int
-grmerge(struct irs_gr *this, const struct group *src, int preserve) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *cp, **m, **p, *oldmembuf, *ep;
- int n, ndst, nnew;
- size_t used;
-
- if (!preserve) {
- pvt->group.gr_gid = src->gr_gid;
- if (pvt->nmemb < 1) {
- m = malloc(sizeof *m);
- if (m == NULL) {
- /* No harm done, no work done. */
- return (0);
- }
- pvt->group.gr_mem = m;
- pvt->nmemb = 1;
- }
- pvt->group.gr_mem[0] = NULL;
- }
- ndst = countvec(pvt->group.gr_mem);
- nnew = countnew(pvt->group.gr_mem, src->gr_mem);
-
- /*
- * Make sure destination member array is large enough.
- * p points to new portion.
- */
- n = ndst + nnew + 1;
- if ((size_t)n > pvt->nmemb) {
- m = realloc(pvt->group.gr_mem, n * sizeof *m);
- if (m == NULL) {
- /* No harm done, no work done. */
- return (0);
- }
- pvt->group.gr_mem = m;
- pvt->nmemb = n;
- }
- p = pvt->group.gr_mem + ndst;
-
- /*
- * Enlarge destination membuf; cp points at new portion.
- */
- n = sizenew(pvt->group.gr_mem, src->gr_mem);
- INSIST((nnew == 0) == (n == 0));
- if (!preserve) {
- n += strlen(src->gr_name) + 1;
- n += strlen(src->gr_passwd) + 1;
- }
- if (n == 0) {
- /* No work to do. */
- return (1);
- }
- used = preserve ? pvt->membufsize : 0;
- cp = malloc(used + n);
- if (cp == NULL) {
- /* No harm done, no work done. */
- return (0);
- }
- ep = cp + used + n;
- if (used != 0)
- memcpy(cp, pvt->membuf, used);
- oldmembuf = pvt->membuf;
- pvt->membuf = cp;
- pvt->membufsize = used + n;
- cp += used;
-
- /*
- * Adjust group.gr_mem.
- */
- if (pvt->membuf != oldmembuf)
- for (m = pvt->group.gr_mem; *m; m++)
- *m = pvt->membuf + (*m - oldmembuf);
-
- /*
- * Add new elements.
- */
- for (m = src->gr_mem; *m; m++)
- if (isnew(pvt->group.gr_mem, *m)) {
- *p++ = cp;
- *p = NULL;
- n = strlen(*m) + 1;
- if (n > ep - cp) {
- FREE_IF(oldmembuf);
- return (0);
- }
- strcpy(cp, *m); /* (checked) */
- cp += n;
- }
- if (preserve) {
- pvt->group.gr_name = pvt->membuf +
- (pvt->group.gr_name - oldmembuf);
- pvt->group.gr_passwd = pvt->membuf +
- (pvt->group.gr_passwd - oldmembuf);
- } else {
- pvt->group.gr_name = cp;
- n = strlen(src->gr_name) + 1;
- if (n > ep - cp) {
- FREE_IF(oldmembuf);
- return (0);
- }
- strcpy(cp, src->gr_name); /* (checked) */
- cp += n;
-
- pvt->group.gr_passwd = cp;
- n = strlen(src->gr_passwd) + 1;
- if (n > ep - cp) {
- FREE_IF(oldmembuf);
- return (0);
- }
- strcpy(cp, src->gr_passwd); /* (checked) */
- cp += n;
- }
- FREE_IF(oldmembuf);
- INSIST(cp >= pvt->membuf && cp <= &pvt->membuf[pvt->membufsize]);
- return (1);
-}
-
-static int
-countvec(char **vec) {
- int n = 0;
-
- while (*vec++)
- n++;
- return (n);
-}
-
-static int
-isnew(char **old, char *new) {
- for (; *old; old++)
- if (strcmp(*old, new) == 0)
- return (0);
- return (1);
-}
-
-static int
-countnew(char **old, char **new) {
- int n = 0;
-
- for (; *new; new++)
- n += isnew(old, *new);
- return (n);
-}
-
-static size_t
-sizenew(char **old, char **new) {
- size_t n = 0;
-
- for (; *new; new++)
- if (isnew(old, *new))
- n += strlen(*new) + 1;
- return (n);
-}
-
-static int
-newgid(int ngroups, gid_t *groups, gid_t group) {
- ngroups--, groups++;
- for (; ngroups-- > 0; groups++)
- if (*groups == group)
- return (0);
- return (1);
-}
-
-#endif /* WANT_IRS_GR */
diff --git a/contrib/bind9/lib/bind/irs/gen_ho.c b/contrib/bind9/lib/bind/irs/gen_ho.c
deleted file mode 100644
index e9e2c8909764..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_ho.c
+++ /dev/null
@@ -1,391 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gen_ho.c,v 1.1.206.2 2004/03/17 01:49:39 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Definitions */
-
-struct pvt {
- struct irs_rule * rules;
- struct irs_rule * rule;
- struct irs_ho * ho;
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forwards */
-
-static void ho_close(struct irs_ho *this);
-static struct hostent * ho_byname(struct irs_ho *this, const char *name);
-static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
- int af);
-static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
- int len, int af);
-static struct hostent * ho_next(struct irs_ho *this);
-static void ho_rewind(struct irs_ho *this);
-static void ho_minimize(struct irs_ho *this);
-static struct __res_state * ho_res_get(struct irs_ho *this);
-static void ho_res_set(struct irs_ho *this,
- struct __res_state *res,
- void (*free_res)(void *));
-static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
- const struct addrinfo *pai);
-
-static int init(struct irs_ho *this);
-
-/* Exports */
-
-struct irs_ho *
-irs_gen_ho(struct irs_acc *this) {
- struct gen_p *accpvt = (struct gen_p *)this->private;
- struct irs_ho *ho;
- struct pvt *pvt;
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(ho = memget(sizeof *ho))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(ho, 0x5e, sizeof *ho);
- pvt->rules = accpvt->map_rules[irs_ho];
- pvt->rule = pvt->rules;
- ho->private = pvt;
- ho->close = ho_close;
- ho->byname = ho_byname;
- ho->byname2 = ho_byname2;
- ho->byaddr = ho_byaddr;
- ho->next = ho_next;
- ho->rewind = ho_rewind;
- ho->minimize = ho_minimize;
- ho->res_get = ho_res_get;
- ho->res_set = ho_res_set;
- ho->addrinfo = ho_addrinfo;
- return (ho);
-}
-
-/* Methods. */
-
-static void
-ho_close(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- ho_minimize(this);
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct hostent *
-ho_byname(struct irs_ho *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct hostent *rval;
- struct irs_ho *ho;
- int therrno = NETDB_INTERNAL;
- int softerror = 0;
-
- if (init(this) == -1)
- return (NULL);
-
- for (rule = pvt->rules; rule; rule = rule->next) {
- ho = rule->inst->ho;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = 0;
- rval = (*ho->byname)(ho, name);
- if (rval != NULL)
- return (rval);
- if (softerror == 0 &&
- pvt->res->res_h_errno != HOST_NOT_FOUND &&
- pvt->res->res_h_errno != NETDB_INTERNAL) {
- softerror = 1;
- therrno = pvt->res->res_h_errno;
- }
- if (rule->flags & IRS_CONTINUE)
- continue;
- /*
- * The value TRY_AGAIN can mean that the service
- * is not available, or just that this particular name
- * cannot be resolved now. We use the errno ECONNREFUSED
- * to distinguish. If a lookup sets that errno when
- * H_ERRNO is TRY_AGAIN, we continue to try other lookup
- * functions, otherwise we return the TRY_AGAIN error.
- */
- if (pvt->res->res_h_errno != TRY_AGAIN || errno != ECONNREFUSED)
- break;
- }
- if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
- RES_SET_H_ERRNO(pvt->res, therrno);
- return (NULL);
-}
-
-static struct hostent *
-ho_byname2(struct irs_ho *this, const char *name, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct hostent *rval;
- struct irs_ho *ho;
- int therrno = NETDB_INTERNAL;
- int softerror = 0;
-
- if (init(this) == -1)
- return (NULL);
-
- for (rule = pvt->rules; rule; rule = rule->next) {
- ho = rule->inst->ho;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = 0;
- rval = (*ho->byname2)(ho, name, af);
- if (rval != NULL)
- return (rval);
- if (softerror == 0 &&
- pvt->res->res_h_errno != HOST_NOT_FOUND &&
- pvt->res->res_h_errno != NETDB_INTERNAL) {
- softerror = 1;
- therrno = pvt->res->res_h_errno;
- }
- if (rule->flags & IRS_CONTINUE)
- continue;
- /*
- * See the comments in ho_byname() explaining
- * the interpretation of TRY_AGAIN and ECONNREFUSED.
- */
- if (pvt->res->res_h_errno != TRY_AGAIN || errno != ECONNREFUSED)
- break;
- }
- if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
- RES_SET_H_ERRNO(pvt->res, therrno);
- return (NULL);
-}
-
-static struct hostent *
-ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct hostent *rval;
- struct irs_ho *ho;
- int therrno = NETDB_INTERNAL;
- int softerror = 0;
-
-
- if (init(this) == -1)
- return (NULL);
-
- for (rule = pvt->rules; rule; rule = rule->next) {
- ho = rule->inst->ho;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = 0;
- rval = (*ho->byaddr)(ho, addr, len, af);
- if (rval != NULL)
- return (rval);
- if (softerror == 0 &&
- pvt->res->res_h_errno != HOST_NOT_FOUND &&
- pvt->res->res_h_errno != NETDB_INTERNAL) {
- softerror = 1;
- therrno = pvt->res->res_h_errno;
- }
-
- if (rule->flags & IRS_CONTINUE)
- continue;
- /*
- * See the comments in ho_byname() explaining
- * the interpretation of TRY_AGAIN and ECONNREFUSED.
- */
- if (pvt->res->res_h_errno != TRY_AGAIN || errno != ECONNREFUSED)
- break;
- }
- if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
- RES_SET_H_ERRNO(pvt->res, therrno);
- return (NULL);
-}
-
-static struct hostent *
-ho_next(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *rval;
- struct irs_ho *ho;
-
- while (pvt->rule) {
- ho = pvt->rule->inst->ho;
- rval = (*ho->next)(ho);
- if (rval)
- return (rval);
- if (!(pvt->rule->flags & IRS_CONTINUE))
- break;
- pvt->rule = pvt->rule->next;
- if (pvt->rule) {
- ho = pvt->rule->inst->ho;
- (*ho->rewind)(ho);
- }
- }
- return (NULL);
-}
-
-static void
-ho_rewind(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_ho *ho;
-
- pvt->rule = pvt->rules;
- if (pvt->rule) {
- ho = pvt->rule->inst->ho;
- (*ho->rewind)(ho);
- }
-}
-
-static void
-ho_minimize(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res)
- res_nclose(pvt->res);
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_ho *ho = rule->inst->ho;
-
- (*ho->minimize)(ho);
- }
-}
-
-static struct __res_state *
-ho_res_get(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- ho_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-ho_res_set(struct irs_ho *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_ho *ho = rule->inst->ho;
-
- (*ho->res_set)(ho, pvt->res, NULL);
- }
-}
-
-static struct addrinfo *
-ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct addrinfo *rval = NULL;
- struct irs_ho *ho;
- int therrno = NETDB_INTERNAL;
- int softerror = 0;
-
- if (init(this) == -1)
- return (NULL);
-
- for (rule = pvt->rules; rule; rule = rule->next) {
- ho = rule->inst->ho;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = 0;
- if (ho->addrinfo == NULL) /* for safety */
- continue;
- rval = (*ho->addrinfo)(ho, name, pai);
- if (rval != NULL)
- return (rval);
- if (softerror == 0 &&
- pvt->res->res_h_errno != HOST_NOT_FOUND &&
- pvt->res->res_h_errno != NETDB_INTERNAL) {
- softerror = 1;
- therrno = pvt->res->res_h_errno;
- }
- if (rule->flags & IRS_CONTINUE)
- continue;
- /*
- * See the comments in ho_byname() explaining
- * the interpretation of TRY_AGAIN and ECONNREFUSED.
- */
- if (pvt->res->res_h_errno != TRY_AGAIN ||
- errno != ECONNREFUSED)
- break;
- }
- if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
- RES_SET_H_ERRNO(pvt->res, therrno);
- if (rval)
- freeaddrinfo(rval);
- return (NULL);
-}
-
-static int
-init(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !ho_res_get(this))
- return (-1);
-
- if (((pvt->res->options & RES_INIT) == 0U) &&
- (res_ninit(pvt->res) == -1))
- return (-1);
-
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/irs/gen_ng.c b/contrib/bind9/lib/bind/irs/gen_ng.c
deleted file mode 100644
index 9f3ecad99dfb..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_ng.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_ng.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Types */
-
-struct pvt {
- struct irs_rule * rules;
- struct irs_rule * rule;
- char * curgroup;
-};
-
-/* Forward */
-
-static void ng_close(struct irs_ng *);
-static int ng_next(struct irs_ng *, const char **,
- const char **, const char **);
-static int ng_test(struct irs_ng *, const char *,
- const char *, const char *,
- const char *);
-static void ng_rewind(struct irs_ng *, const char *);
-static void ng_minimize(struct irs_ng *);
-
-/* Public */
-
-struct irs_ng *
-irs_gen_ng(struct irs_acc *this) {
- struct gen_p *accpvt = (struct gen_p *)this->private;
- struct irs_ng *ng;
- struct pvt *pvt;
-
- if (!(ng = memget(sizeof *ng))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(ng, 0x5e, sizeof *ng);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(ng, sizeof *ng);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->rules = accpvt->map_rules[irs_ng];
- pvt->rule = pvt->rules;
- ng->private = pvt;
- ng->close = ng_close;
- ng->next = ng_next;
- ng->test = ng_test;
- ng->rewind = ng_rewind;
- ng->minimize = ng_minimize;
- return (ng);
-}
-
-/* Methods */
-
-static void
-ng_close(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- ng_minimize(this);
- if (pvt->curgroup)
- free(pvt->curgroup);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static int
-ng_next(struct irs_ng *this, const char **host, const char **user,
- const char **domain)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_ng *ng;
-
- while (pvt->rule) {
- ng = pvt->rule->inst->ng;
- if ((*ng->next)(ng, host, user, domain) == 1)
- return (1);
- if (!(pvt->rule->flags & IRS_CONTINUE))
- break;
- pvt->rule = pvt->rule->next;
- if (pvt->rule) {
- ng = pvt->rule->inst->ng;
- (*ng->rewind)(ng, pvt->curgroup);
- }
- }
- return (0);
-}
-
-static int
-ng_test(struct irs_ng *this, const char *name,
- const char *user, const char *host, const char *domain)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct irs_ng *ng;
- int rval;
-
- rval = 0;
- for (rule = pvt->rules; rule; rule = rule->next) {
- ng = rule->inst->ng;
- rval = (*ng->test)(ng, name, user, host, domain);
- if (rval || !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (rval);
-}
-
-static void
-ng_rewind(struct irs_ng *this, const char *group) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_ng *ng;
-
- pvt->rule = pvt->rules;
- if (pvt->rule) {
- if (pvt->curgroup)
- free(pvt->curgroup);
- pvt->curgroup = strdup(group);
- ng = pvt->rule->inst->ng;
- (*ng->rewind)(ng, pvt->curgroup);
- }
-}
-
-static void
-ng_minimize(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_ng *ng = rule->inst->ng;
-
- (*ng->minimize)(ng);
- }
-}
diff --git a/contrib/bind9/lib/bind/irs/gen_nw.c b/contrib/bind9/lib/bind/irs/gen_nw.c
deleted file mode 100644
index cb41f5dbc99c..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_nw.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_nw.c,v 1.1.206.2 2004/03/17 01:49:40 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Types */
-
-struct pvt {
- struct irs_rule * rules;
- struct irs_rule * rule;
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forward */
-
-static void nw_close(struct irs_nw*);
-static struct nwent * nw_next(struct irs_nw *);
-static struct nwent * nw_byname(struct irs_nw *, const char *, int);
-static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
-static void nw_rewind(struct irs_nw *);
-static void nw_minimize(struct irs_nw *);
-static struct __res_state * nw_res_get(struct irs_nw *this);
-static void nw_res_set(struct irs_nw *this,
- struct __res_state *res,
- void (*free_res)(void *));
-
-static int init(struct irs_nw *this);
-
-/* Public */
-
-struct irs_nw *
-irs_gen_nw(struct irs_acc *this) {
- struct gen_p *accpvt = (struct gen_p *)this->private;
- struct irs_nw *nw;
- struct pvt *pvt;
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(nw = memget(sizeof *nw))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(nw, 0x5e, sizeof *nw);
- pvt->rules = accpvt->map_rules[irs_nw];
- pvt->rule = pvt->rules;
- nw->private = pvt;
- nw->close = nw_close;
- nw->next = nw_next;
- nw->byname = nw_byname;
- nw->byaddr = nw_byaddr;
- nw->rewind = nw_rewind;
- nw->minimize = nw_minimize;
- nw->res_get = nw_res_get;
- nw->res_set = nw_res_set;
- return (nw);
-}
-
-/* Methods */
-
-static void
-nw_close(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- nw_minimize(this);
-
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct nwent *
-nw_next(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct nwent *rval;
- struct irs_nw *nw;
-
- if (init(this) == -1)
- return(NULL);
-
- while (pvt->rule) {
- nw = pvt->rule->inst->nw;
- rval = (*nw->next)(nw);
- if (rval)
- return (rval);
- if (!(pvt->rules->flags & IRS_CONTINUE))
- break;
- pvt->rule = pvt->rule->next;
- if (pvt->rule) {
- nw = pvt->rule->inst->nw;
- (*nw->rewind)(nw);
- }
- }
- return (NULL);
-}
-
-static struct nwent *
-nw_byname(struct irs_nw *this, const char *name, int type) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct nwent *rval;
- struct irs_nw *nw;
-
- if (init(this) == -1)
- return(NULL);
-
- for (rule = pvt->rules; rule; rule = rule->next) {
- nw = rule->inst->nw;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- rval = (*nw->byname)(nw, name, type);
- if (rval != NULL)
- return (rval);
- if (pvt->res->res_h_errno != TRY_AGAIN &&
- !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (NULL);
-}
-
-static struct nwent *
-nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct nwent *rval;
- struct irs_nw *nw;
-
- if (init(this) == -1)
- return(NULL);
-
- for (rule = pvt->rules; rule; rule = rule->next) {
- nw = rule->inst->nw;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- rval = (*nw->byaddr)(nw, net, length, type);
- if (rval != NULL)
- return (rval);
- if (pvt->res->res_h_errno != TRY_AGAIN &&
- !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (NULL);
-}
-
-static void
-nw_rewind(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_nw *nw;
-
- pvt->rule = pvt->rules;
- if (pvt->rule) {
- nw = pvt->rule->inst->nw;
- (*nw->rewind)(nw);
- }
-}
-
-static void
-nw_minimize(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res)
- res_nclose(pvt->res);
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_nw *nw = rule->inst->nw;
-
- (*nw->minimize)(nw);
- }
-}
-
-static struct __res_state *
-nw_res_get(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- nw_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-nw_res_set(struct irs_nw *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_nw *nw = rule->inst->nw;
-
- (*nw->res_set)(nw, pvt->res, NULL);
- }
-}
-
-static int
-init(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !nw_res_get(this))
- return (-1);
- if (((pvt->res->options & RES_INIT) == 0U) &&
- res_ninit(pvt->res) == -1)
- return (-1);
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/irs/gen_p.h b/contrib/bind9/lib/bind/irs/gen_p.h
deleted file mode 100644
index 0a7ea2b3796c..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_p.h
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: gen_p.h,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $
- */
-
-/* Notes:
- * We hope to create a complete set of thread-safe entry points someday,
- * which will mean a set of getXbyY() functions that take as an argument
- * a pointer to the map class, which will have a pointer to the private
- * data, which will be used preferentially to the static variables that
- * are necessary to support the "classic" interface. This "classic"
- * interface will then be reimplemented as stubs on top of the thread
- * safe modules, and will keep the map class pointers as their only
- * static data. HOWEVER, we are not there yet. So while we will call
- * the just-barely-converted map class methods with map class pointers,
- * right now they probably all still use statics. We're not fooling
- * anybody, and we're not trying to (yet).
- */
-
-#ifndef _GEN_P_H_INCLUDED
-#define _GEN_P_H_INCLUDED
-
-/*
- * These are the access methods.
- */
-enum irs_acc_id {
- irs_lcl, /* Local. */
- irs_dns, /* DNS or Hesiod. */
- irs_nis, /* Sun NIS ("YP"). */
- irs_irp, /* IR protocol. */
- irs_nacc
-};
-
-/*
- * These are the map types.
- */
-enum irs_map_id {
- irs_gr, /* "group" */
- irs_pw, /* "passwd" */
- irs_sv, /* "services" */
- irs_pr, /* "protocols" */
- irs_ho, /* "hosts" */
- irs_nw, /* "networks" */
- irs_ng, /* "netgroup" */
- irs_nmap
-};
-
-/*
- * This is an accessor instance.
- */
-struct irs_inst {
- struct irs_acc *acc;
- struct irs_gr * gr;
- struct irs_pw * pw;
- struct irs_sv * sv;
- struct irs_pr * pr;
- struct irs_ho * ho;
- struct irs_nw * nw;
- struct irs_ng * ng;
-};
-
-/*
- * This is a search rule for some map type.
- */
-struct irs_rule {
- struct irs_rule * next;
- struct irs_inst * inst;
- int flags;
-};
-#define IRS_MERGE 0x0001 /* Don't stop if acc. has data? */
-#define IRS_CONTINUE 0x0002 /* Don't stop if acc. has no data? */
-
-/*
- * This is the private data for a search access class.
- */
-struct gen_p {
- char * options;
- struct irs_rule * map_rules[(int)irs_nmap];
- struct irs_inst accessors[(int)irs_nacc];
- struct __res_state * res;
- void (*free_res) __P((void *));
-};
-
-/*
- * Externs.
- */
-
-extern struct irs_acc * irs_gen_acc __P((const char *, const char *conf_file));
-extern struct irs_gr * irs_gen_gr __P((struct irs_acc *));
-extern struct irs_pw * irs_gen_pw __P((struct irs_acc *));
-extern struct irs_sv * irs_gen_sv __P((struct irs_acc *));
-extern struct irs_pr * irs_gen_pr __P((struct irs_acc *));
-extern struct irs_ho * irs_gen_ho __P((struct irs_acc *));
-extern struct irs_nw * irs_gen_nw __P((struct irs_acc *));
-extern struct irs_ng * irs_gen_ng __P((struct irs_acc *));
-
-#endif /*_IRS_P_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/irs/gen_pr.c b/contrib/bind9/lib/bind/irs/gen_pr.c
deleted file mode 100644
index 465fee3c0939..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_pr.c
+++ /dev/null
@@ -1,226 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pr.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Types */
-
-struct pvt {
- struct irs_rule * rules;
- struct irs_rule * rule;
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forward */
-
-static void pr_close(struct irs_pr*);
-static struct protoent * pr_next(struct irs_pr *);
-static struct protoent * pr_byname(struct irs_pr *, const char *);
-static struct protoent * pr_bynumber(struct irs_pr *, int);
-static void pr_rewind(struct irs_pr *);
-static void pr_minimize(struct irs_pr *);
-static struct __res_state * pr_res_get(struct irs_pr *);
-static void pr_res_set(struct irs_pr *,
- struct __res_state *,
- void (*)(void *));
-
-/* Public */
-
-struct irs_pr *
-irs_gen_pr(struct irs_acc *this) {
- struct gen_p *accpvt = (struct gen_p *)this->private;
- struct irs_pr *pr;
- struct pvt *pvt;
-
- if (!(pr = memget(sizeof *pr))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pr, 0x5e, sizeof *pr);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(pr, sizeof *pr);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->rules = accpvt->map_rules[irs_pr];
- pvt->rule = pvt->rules;
- pr->private = pvt;
- pr->close = pr_close;
- pr->next = pr_next;
- pr->byname = pr_byname;
- pr->bynumber = pr_bynumber;
- pr->rewind = pr_rewind;
- pr->minimize = pr_minimize;
- pr->res_get = pr_res_get;
- pr->res_set = pr_res_set;
- return (pr);
-}
-
-/* Methods */
-
-static void
-pr_close(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct protoent *
-pr_next(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct protoent *rval;
- struct irs_pr *pr;
-
- while (pvt->rule) {
- pr = pvt->rule->inst->pr;
- rval = (*pr->next)(pr);
- if (rval)
- return (rval);
- if (!(pvt->rules->flags & IRS_CONTINUE))
- break;
- pvt->rule = pvt->rule->next;
- if (pvt->rule) {
- pr = pvt->rule->inst->pr;
- (*pr->rewind)(pr);
- }
- }
- return (NULL);
-}
-
-static struct protoent *
-pr_byname(struct irs_pr *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct protoent *rval;
- struct irs_pr *pr;
-
- rval = NULL;
- for (rule = pvt->rules; rule; rule = rule->next) {
- pr = rule->inst->pr;
- rval = (*pr->byname)(pr, name);
- if (rval || !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (rval);
-}
-
-static struct protoent *
-pr_bynumber(struct irs_pr *this, int proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct protoent *rval;
- struct irs_pr *pr;
-
- rval = NULL;
- for (rule = pvt->rules; rule; rule = rule->next) {
- pr = rule->inst->pr;
- rval = (*pr->bynumber)(pr, proto);
- if (rval || !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (rval);
-}
-
-static void
-pr_rewind(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_pr *pr;
-
- pvt->rule = pvt->rules;
- if (pvt->rule) {
- pr = pvt->rule->inst->pr;
- (*pr->rewind)(pr);
- }
-}
-
-static void
-pr_minimize(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_pr *pr = rule->inst->pr;
-
- (*pr->minimize)(pr);
- }
-}
-
-static struct __res_state *
-pr_res_get(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- pr_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-pr_res_set(struct irs_pr *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_pr *pr = rule->inst->pr;
-
- if (pr->res_set)
- (*pr->res_set)(pr, pvt->res, NULL);
- }
-}
diff --git a/contrib/bind9/lib/bind/irs/gen_pw.c b/contrib/bind9/lib/bind/irs/gen_pw.c
deleted file mode 100644
index ca313021df17..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_pw.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_pw.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_PW
-static int __bind_irs_pw_unneeded;
-#else
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <errno.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Types */
-
-struct pvt {
- struct irs_rule * rules;
- struct irs_rule * rule;
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forward */
-
-static void pw_close(struct irs_pw *);
-static struct passwd * pw_next(struct irs_pw *);
-static struct passwd * pw_byname(struct irs_pw *, const char *);
-static struct passwd * pw_byuid(struct irs_pw *, uid_t);
-static void pw_rewind(struct irs_pw *);
-static void pw_minimize(struct irs_pw *);
-static struct __res_state * pw_res_get(struct irs_pw *);
-static void pw_res_set(struct irs_pw *,
- struct __res_state *,
- void (*)(void *));
-
-/* Public */
-
-struct irs_pw *
-irs_gen_pw(struct irs_acc *this) {
- struct gen_p *accpvt = (struct gen_p *)this->private;
- struct irs_pw *pw;
- struct pvt *pvt;
-
- if (!(pw = memget(sizeof *pw))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pw, 0x5e, sizeof *pw);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(pw, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->rules = accpvt->map_rules[irs_pw];
- pvt->rule = pvt->rules;
- pw->private = pvt;
- pw->close = pw_close;
- pw->next = pw_next;
- pw->byname = pw_byname;
- pw->byuid = pw_byuid;
- pw->rewind = pw_rewind;
- pw->minimize = pw_minimize;
- pw->res_get = pw_res_get;
- pw->res_set = pw_res_set;
- return (pw);
-}
-
-/* Methods */
-
-static void
-pw_close(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct passwd *
-pw_next(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct passwd *rval;
- struct irs_pw *pw;
-
- while (pvt->rule) {
- pw = pvt->rule->inst->pw;
- rval = (*pw->next)(pw);
- if (rval)
- return (rval);
- if (!(pvt->rule->flags & IRS_CONTINUE))
- break;
- pvt->rule = pvt->rule->next;
- if (pvt->rule) {
- pw = pvt->rule->inst->pw;
- (*pw->rewind)(pw);
- }
- }
- return (NULL);
-}
-
-static void
-pw_rewind(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_pw *pw;
-
- pvt->rule = pvt->rules;
- if (pvt->rule) {
- pw = pvt->rule->inst->pw;
- (*pw->rewind)(pw);
- }
-}
-
-static struct passwd *
-pw_byname(struct irs_pw *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct passwd *rval;
- struct irs_pw *pw;
-
- rval = NULL;
- for (rule = pvt->rules; rule; rule = rule->next) {
- pw = rule->inst->pw;
- rval = (*pw->byname)(pw, name);
- if (rval || !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (rval);
-}
-
-static struct passwd *
-pw_byuid(struct irs_pw *this, uid_t uid) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct passwd *rval;
- struct irs_pw *pw;
-
- rval = NULL;
- for (rule = pvt->rules; rule; rule = rule->next) {
- pw = rule->inst->pw;
- rval = (*pw->byuid)(pw, uid);
- if (rval || !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (rval);
-}
-
-static void
-pw_minimize(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_pw *pw = rule->inst->pw;
-
- (*pw->minimize)(pw);
- }
-}
-
-static struct __res_state *
-pw_res_get(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- pw_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-pw_res_set(struct irs_pw *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_pw *pw = rule->inst->pw;
-
- if (pw->res_set)
- (*pw->res_set)(pw, pvt->res, NULL);
- }
-}
-
-#endif /* WANT_IRS_PW */
diff --git a/contrib/bind9/lib/bind/irs/gen_sv.c b/contrib/bind9/lib/bind/irs/gen_sv.c
deleted file mode 100644
index e8f611420680..000000000000
--- a/contrib/bind9/lib/bind/irs/gen_sv.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gen_sv.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "gen_p.h"
-
-/* Types */
-
-struct pvt {
- struct irs_rule * rules;
- struct irs_rule * rule;
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forward */
-
-static void sv_close(struct irs_sv*);
-static struct servent * sv_next(struct irs_sv *);
-static struct servent * sv_byname(struct irs_sv *, const char *,
- const char *);
-static struct servent * sv_byport(struct irs_sv *, int, const char *);
-static void sv_rewind(struct irs_sv *);
-static void sv_minimize(struct irs_sv *);
-static struct __res_state * sv_res_get(struct irs_sv *);
-static void sv_res_set(struct irs_sv *,
- struct __res_state *,
- void (*)(void *));
-
-/* Public */
-
-struct irs_sv *
-irs_gen_sv(struct irs_acc *this) {
- struct gen_p *accpvt = (struct gen_p *)this->private;
- struct irs_sv *sv;
- struct pvt *pvt;
-
- if (!(sv = memget(sizeof *sv))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(sv, 0x5e, sizeof *sv);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(sv, sizeof *sv);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->rules = accpvt->map_rules[irs_sv];
- pvt->rule = pvt->rules;
- sv->private = pvt;
- sv->close = sv_close;
- sv->next = sv_next;
- sv->byname = sv_byname;
- sv->byport = sv_byport;
- sv->rewind = sv_rewind;
- sv->minimize = sv_minimize;
- sv->res_get = sv_res_get;
- sv->res_set = sv_res_set;
- return (sv);
-}
-
-/* Methods */
-
-static void
-sv_close(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct servent *
-sv_next(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct servent *rval;
- struct irs_sv *sv;
-
- while (pvt->rule) {
- sv = pvt->rule->inst->sv;
- rval = (*sv->next)(sv);
- if (rval)
- return (rval);
- if (!(pvt->rule->flags & IRS_CONTINUE))
- break;
- pvt->rule = pvt->rule->next;
- if (pvt->rule) {
- sv = pvt->rule->inst->sv;
- (*sv->rewind)(sv);
- }
- }
- return (NULL);
-}
-
-static struct servent *
-sv_byname(struct irs_sv *this, const char *name, const char *proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct servent *rval;
- struct irs_sv *sv;
-
- rval = NULL;
- for (rule = pvt->rules; rule; rule = rule->next) {
- sv = rule->inst->sv;
- rval = (*sv->byname)(sv, name, proto);
- if (rval || !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (rval);
-}
-
-static struct servent *
-sv_byport(struct irs_sv *this, int port, const char *proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
- struct servent *rval;
- struct irs_sv *sv;
-
- rval = NULL;
- for (rule = pvt->rules; rule; rule = rule->next) {
- sv = rule->inst->sv;
- rval = (*sv->byport)(sv, port, proto);
- if (rval || !(rule->flags & IRS_CONTINUE))
- break;
- }
- return (rval);
-}
-
-static void
-sv_rewind(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_sv *sv;
-
- pvt->rule = pvt->rules;
- if (pvt->rule) {
- sv = pvt->rule->inst->sv;
- (*sv->rewind)(sv);
- }
-}
-
-static void
-sv_minimize(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_sv *sv = rule->inst->sv;
-
- (*sv->minimize)(sv);
- }
-}
-
-static struct __res_state *
-sv_res_get(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- sv_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-sv_res_set(struct irs_sv *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct irs_rule *rule;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-
- for (rule = pvt->rules; rule != NULL; rule = rule->next) {
- struct irs_sv *sv = rule->inst->sv;
-
- if (sv->res_set)
- (*sv->res_set)(sv, pvt->res, NULL);
- }
-}
diff --git a/contrib/bind9/lib/bind/irs/getgrent.c b/contrib/bind9/lib/bind/irs/getgrent.c
deleted file mode 100644
index 7c394f27c9ca..000000000000
--- a/contrib/bind9/lib/bind/irs/getgrent.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getgrent.c,v 1.3.206.1 2004/03/09 08:33:35 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(WANT_IRS_GR) || defined(__BIND_NOSTATIC)
-static int __bind_irs_gr_unneeded;
-#else
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <grp.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_data.h"
-
-/* Forward */
-
-static struct net_data *init(void);
-void endgrent(void);
-
-/* Public */
-
-struct group *
-getgrent() {
- struct net_data *net_data = init();
-
- return (getgrent_p(net_data));
-}
-
-struct group *
-getgrnam(const char *name) {
- struct net_data *net_data = init();
-
- return (getgrnam_p(name, net_data));
-}
-
-struct group *
-getgrgid(gid_t gid) {
- struct net_data *net_data = init();
-
- return (getgrgid_p(gid, net_data));
-}
-
-int
-setgroupent(int stayopen) {
- struct net_data *net_data = init();
-
- return (setgroupent_p(stayopen, net_data));
-}
-
-#ifdef SETGRENT_VOID
-void
-setgrent(void) {
- struct net_data *net_data = init();
-
- setgrent_p(net_data);
-}
-#else
-int
-setgrent(void) {
- struct net_data *net_data = init();
-
- return (setgrent_p(net_data));
-}
-#endif /* SETGRENT_VOID */
-
-void
-endgrent() {
- struct net_data *net_data = init();
-
- endgrent_p(net_data);
-}
-
-int
-getgrouplist(GETGROUPLIST_ARGS) {
- struct net_data *net_data = init();
-
- return (getgrouplist_p(name, basegid, groups, ngroups, net_data));
-}
-
-/* Shared private. */
-
-struct group *
-getgrent_p(struct net_data *net_data) {
- struct irs_gr *gr;
-
- if (!net_data || !(gr = net_data->gr))
- return (NULL);
- net_data->gr_last = (*gr->next)(gr);
- return (net_data->gr_last);
-}
-
-struct group *
-getgrnam_p(const char *name, struct net_data *net_data) {
- struct irs_gr *gr;
-
- if (!net_data || !(gr = net_data->gr))
- return (NULL);
- if (net_data->gr_stayopen && net_data->gr_last &&
- !strcmp(net_data->gr_last->gr_name, name))
- return (net_data->gr_last);
- net_data->gr_last = (*gr->byname)(gr, name);
- if (!net_data->gr_stayopen)
- endgrent();
- return (net_data->gr_last);
-}
-
-struct group *
-getgrgid_p(gid_t gid, struct net_data *net_data) {
- struct irs_gr *gr;
-
- if (!net_data || !(gr = net_data->gr))
- return (NULL);
- if (net_data->gr_stayopen && net_data->gr_last &&
- (gid_t)net_data->gr_last->gr_gid == gid)
- return (net_data->gr_last);
- net_data->gr_last = (*gr->bygid)(gr, gid);
- if (!net_data->gr_stayopen)
- endgrent();
- return (net_data->gr_last);
-}
-
-int
-setgroupent_p(int stayopen, struct net_data *net_data) {
- struct irs_gr *gr;
-
- if (!net_data || !(gr = net_data->gr))
- return (0);
- (*gr->rewind)(gr);
- net_data->gr_stayopen = (stayopen != 0);
- if (stayopen == 0)
- net_data_minimize(net_data);
- return (1);
-}
-
-#ifdef SETGRENT_VOID
-void
-setgrent_p(struct net_data *net_data) {
- (void)setgroupent_p(0, net_data);
-}
-#else
-int
-setgrent_p(struct net_data *net_data) {
- return (setgroupent_p(0, net_data));
-}
-#endif /* SETGRENT_VOID */
-
-void
-endgrent_p(struct net_data *net_data) {
- struct irs_gr *gr;
-
- if ((net_data != NULL) && ((gr = net_data->gr) != NULL))
- (*gr->minimize)(gr);
-}
-
-int
-getgrouplist_p(const char *name, gid_t basegid, gid_t *groups, int *ngroups,
- struct net_data *net_data) {
- struct irs_gr *gr;
-
- if (!net_data || !(gr = net_data->gr)) {
- *ngroups = 0;
- return (-1);
- }
- return ((*gr->list)(gr, name, basegid, groups, ngroups));
-}
-
-/* Private */
-
-static struct net_data *
-init() {
- struct net_data *net_data;
-
- if (!(net_data = net_data_init(NULL)))
- goto error;
- if (!net_data->gr) {
- net_data->gr = (*net_data->irs->gr_map)(net_data->irs);
-
- if (!net_data->gr || !net_data->res) {
- error:
- errno = EIO;
- return (NULL);
- }
- (*net_data->gr->res_set)(net_data->gr, net_data->res,
- NULL);
- }
-
- return (net_data);
-}
-
-#endif /* WANT_IRS_GR */
diff --git a/contrib/bind9/lib/bind/irs/getgrent_r.c b/contrib/bind9/lib/bind/irs/getgrent_r.c
deleted file mode 100644
index 1e8b1a639c15..000000000000
--- a/contrib/bind9/lib/bind/irs/getgrent_r.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getgrent_r.c,v 1.5.206.1 2004/03/09 08:33:35 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <port_before.h>
-#if !defined(_REENTRANT) || !defined(DO_PTHREADS) || !defined(WANT_IRS_PW)
- static int getgrent_r_not_required = 0;
-#else
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/types.h>
-#if (defined(POSIX_GETGRNAM_R) || defined(POSIX_GETGRGID_R)) && \
- defined(_POSIX_PTHREAD_SEMANTICS)
- /* turn off solaris remapping in <grp.h> */
-#define _UNIX95
-#undef _POSIX_PTHREAD_SEMANTICS
-#include <grp.h>
-#define _POSIX_PTHREAD_SEMANTICS 1
-#else
-#include <grp.h>
-#endif
-#include <sys/param.h>
-#include <port_after.h>
-
-#ifdef GROUP_R_RETURN
-
-static int
-copy_group(struct group *, struct group *, char *buf, int buflen);
-
-/* POSIX 1003.1c */
-#ifdef POSIX_GETGRNAM_R
-int
-__posix_getgrnam_r(const char *name, struct group *gptr,
- char *buf, int buflen, struct group **result) {
-#else
-int
-getgrnam_r(const char *name, struct group *gptr,
- char *buf, size_t buflen, struct group **result) {
-#endif
- struct group *ge = getgrnam(name);
- int res;
-
- if (ge == NULL) {
- *result = NULL;
- return (0);
- }
-
- res = copy_group(ge, gptr, buf, buflen);
- *result = res ? NULL : gptr;
- return (res);
-}
-
-#ifdef POSIX_GETGRNAM_R
-struct group *
-getgrnam_r(const char *name, struct group *gptr,
- char *buf, int buflen) {
- struct group *ge = getgrnam(name);
- int res;
-
- if (ge == NULL)
- return (NULL);
- res = copy_group(ge, gptr, buf, buflen);
- return (res ? NULL : gptr);
-}
-#endif /* POSIX_GETGRNAM_R */
-
-/* POSIX 1003.1c */
-#ifdef POSIX_GETGRGID_R
-int
-__posix_getgrgid_r(gid_t gid, struct group *gptr,
- char *buf, int buflen, struct group **result) {
-#else /* POSIX_GETGRGID_R */
-int
-getgrgid_r(gid_t gid, struct group *gptr,
- char *buf, size_t buflen, struct group **result) {
-#endif /* POSIX_GETGRGID_R */
- struct group *ge = getgrgid(gid);
- int res;
-
- if (ge == NULL) {
- *result = NULL;
- return (0);
- }
-
- res = copy_group(ge, gptr, buf, buflen);
- *result = res ? NULL : gptr;
- return (res);
-}
-
-#ifdef POSIX_GETGRGID_R
-struct group *
-getgrgid_r(gid_t gid, struct group *gptr,
- char *buf, int buflen) {
- struct group *ge = getgrgid(gid);
- int res;
-
- if (ge == NULL)
- return (NULL);
-
- res = copy_group(ge, gptr, buf, buflen);
- return (res ? NULL : gptr);
-}
-#endif
-
-/*
- * These assume a single context is in operation per thread.
- * If this is not the case we will need to call irs directly
- * rather than through the base functions.
- */
-
-GROUP_R_RETURN
-getgrent_r(struct group *gptr, GROUP_R_ARGS) {
- struct group *ge = getgrent();
- int res;
-
- if (ge == NULL) {
- return (GROUP_R_BAD);
- }
-
- res = copy_group(ge, gptr, buf, buflen);
- return (res ? GROUP_R_BAD : GROUP_R_OK);
-}
-
-GROUP_R_SET_RETURN
-setgrent_r(GROUP_R_ENT_ARGS) {
-
- setgrent();
-#ifdef GROUP_R_SET_RESULT
- return (GROUP_R_SET_RESULT);
-#endif
-}
-
-GROUP_R_END_RETURN
-endgrent_r(GROUP_R_ENT_ARGS) {
-
- endgrent();
- GROUP_R_END_RESULT(GROUP_R_OK);
-}
-
-
-#if 0
- /* XXX irs does not have a fgetgrent() */
-GROUP_R_RETURN
-fgetgrent_r(FILE *f, struct group *gptr, GROUP_R_ARGS) {
- struct group *ge = fgetgrent(f);
- int res;
-
- if (ge == NULL)
- return (GROUP_R_BAD);
-
- res = copy_group(ge, gptr, buf, buflen);
- return (res ? GROUP_R_BAD : GROUP_R_OK);
-}
-#endif
-
-/* Private */
-
-static int
-copy_group(struct group *ge, struct group *gptr, char *buf, int buflen) {
- char *cp;
- int i, n;
- int numptr, len;
-
- /* Find out the amount of space required to store the answer. */
- numptr = 1; /* NULL ptr */
- len = (char *)ALIGN(buf) - buf;
- for (i = 0; ge->gr_mem[i]; i++, numptr++) {
- len += strlen(ge->gr_mem[i]) + 1;
- }
- len += strlen(ge->gr_name) + 1;
- len += strlen(ge->gr_passwd) + 1;
- len += numptr * sizeof(char*);
-
- if (len > buflen) {
- errno = ERANGE;
- return (ERANGE);
- }
-
- /* copy group id */
- gptr->gr_gid = ge->gr_gid;
-
- cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
-
- /* copy official name */
- n = strlen(ge->gr_name) + 1;
- strcpy(cp, ge->gr_name);
- gptr->gr_name = cp;
- cp += n;
-
- /* copy member list */
- gptr->gr_mem = (char **)ALIGN(buf);
- for (i = 0 ; ge->gr_mem[i]; i++) {
- n = strlen(ge->gr_mem[i]) + 1;
- strcpy(cp, ge->gr_mem[i]);
- gptr->gr_mem[i] = cp;
- cp += n;
- }
- gptr->gr_mem[i] = NULL;
-
- /* copy password */
- n = strlen(ge->gr_passwd) + 1;
- strcpy(cp, ge->gr_passwd);
- gptr->gr_passwd = cp;
- cp += n;
-
- return (0);
-}
-#else /* GROUP_R_RETURN */
- static int getgrent_r_unknown_system = 0;
-#endif /* GROUP_R_RETURN */
-#endif /* !def(_REENTRANT) || !def(DO_PTHREADS) || !def(WANT_IRS_PW) */
diff --git a/contrib/bind9/lib/bind/irs/gethostent.c b/contrib/bind9/lib/bind/irs/gethostent.c
deleted file mode 100644
index b471c529e01d..000000000000
--- a/contrib/bind9/lib/bind/irs/gethostent.c
+++ /dev/null
@@ -1,1069 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: gethostent.c,v 1.1.2.2.4.2 2004/03/17 01:49:40 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(__BIND_NOSTATIC)
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <netinet/in.h>
-#include <net/if.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "irs_data.h"
-
-/* Definitions */
-
-struct pvt {
- char * aliases[1];
- char * addrs[2];
- char addr[NS_IN6ADDRSZ];
- char name[NS_MAXDNAME + 1];
- struct hostent host;
-};
-
-/* Forward */
-
-static struct net_data *init(void);
-static void freepvt(struct net_data *);
-static struct hostent *fakeaddr(const char *, int, struct net_data *);
-
-
-/* Public */
-
-struct hostent *
-gethostbyname(const char *name) {
- struct net_data *net_data = init();
-
- return (gethostbyname_p(name, net_data));
-}
-
-struct hostent *
-gethostbyname2(const char *name, int af) {
- struct net_data *net_data = init();
-
- return (gethostbyname2_p(name, af, net_data));
-}
-
-struct hostent *
-gethostbyaddr(const char *addr, int len, int af) {
- struct net_data *net_data = init();
-
- return (gethostbyaddr_p(addr, len, af, net_data));
-}
-
-struct hostent *
-gethostent() {
- struct net_data *net_data = init();
-
- return (gethostent_p(net_data));
-}
-
-void
-sethostent(int stayopen) {
- struct net_data *net_data = init();
- sethostent_p(stayopen, net_data);
-}
-
-
-void
-endhostent() {
- struct net_data *net_data = init();
- endhostent_p(net_data);
-}
-
-/* Shared private. */
-
-struct hostent *
-gethostbyname_p(const char *name, struct net_data *net_data) {
- struct hostent *hp;
-
- if (!net_data)
- return (NULL);
-
- if (net_data->res->options & RES_USE_INET6) {
- hp = gethostbyname2_p(name, AF_INET6, net_data);
- if (hp)
- return (hp);
- }
- return (gethostbyname2_p(name, AF_INET, net_data));
-}
-
-struct hostent *
-gethostbyname2_p(const char *name, int af, struct net_data *net_data) {
- struct irs_ho *ho;
- char tmp[NS_MAXDNAME];
- struct hostent *hp;
- const char *cp;
- char **hap;
-
- if (!net_data || !(ho = net_data->ho))
- return (NULL);
- if (net_data->ho_stayopen && net_data->ho_last &&
- net_data->ho_last->h_addrtype == af) {
- if (ns_samename(name, net_data->ho_last->h_name) == 1)
- return (net_data->ho_last);
- for (hap = net_data->ho_last->h_aliases; hap && *hap; hap++)
- if (ns_samename(name, *hap) == 1)
- return (net_data->ho_last);
- }
- if (!strchr(name, '.') && (cp = res_hostalias(net_data->res, name,
- tmp, sizeof tmp)))
- name = cp;
- if ((hp = fakeaddr(name, af, net_data)) != NULL)
- return (hp);
- net_data->ho_last = (*ho->byname2)(ho, name, af);
- if (!net_data->ho_stayopen)
- endhostent();
- return (net_data->ho_last);
-}
-
-struct hostent *
-gethostbyaddr_p(const char *addr, int len, int af, struct net_data *net_data) {
- struct irs_ho *ho;
- char **hap;
-
- if (!net_data || !(ho = net_data->ho))
- return (NULL);
- if (net_data->ho_stayopen && net_data->ho_last &&
- net_data->ho_last->h_length == len)
- for (hap = net_data->ho_last->h_addr_list;
- hap && *hap;
- hap++)
- if (!memcmp(addr, *hap, len))
- return (net_data->ho_last);
- net_data->ho_last = (*ho->byaddr)(ho, addr, len, af);
- if (!net_data->ho_stayopen)
- endhostent();
- return (net_data->ho_last);
-}
-
-
-struct hostent *
-gethostent_p(struct net_data *net_data) {
- struct irs_ho *ho;
- struct hostent *hp;
-
- if (!net_data || !(ho = net_data->ho))
- return (NULL);
- while ((hp = (*ho->next)(ho)) != NULL &&
- hp->h_addrtype == AF_INET6 &&
- (net_data->res->options & RES_USE_INET6) == 0U)
- continue;
- net_data->ho_last = hp;
- return (net_data->ho_last);
-}
-
-
-void
-sethostent_p(int stayopen, struct net_data *net_data) {
- struct irs_ho *ho;
-
- if (!net_data || !(ho = net_data->ho))
- return;
- freepvt(net_data);
- (*ho->rewind)(ho);
- net_data->ho_stayopen = (stayopen != 0);
- if (stayopen == 0)
- net_data_minimize(net_data);
-}
-
-void
-endhostent_p(struct net_data *net_data) {
- struct irs_ho *ho;
-
- if ((net_data != NULL) && ((ho = net_data->ho) != NULL))
- (*ho->minimize)(ho);
-}
-
-#ifndef IN6_IS_ADDR_V4COMPAT
-static const unsigned char in6addr_compat[12] = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
-#define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \
- ((x)->s6_addr[12] != 0 || \
- (x)->s6_addr[13] != 0 || \
- (x)->s6_addr[14] != 0 || \
- ((x)->s6_addr[15] != 0 && \
- (x)->s6_addr[15] != 1)))
-#endif
-#ifndef IN6_IS_ADDR_V4MAPPED
-#define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12))
-#endif
-
-static const unsigned char in6addr_mapped[12] = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };
-
-static int scan_interfaces(int *, int *);
-static struct hostent *copyandmerge(struct hostent *, struct hostent *, int, int *);
-
-/*
- * Public functions
- */
-
-/*
- * AI_V4MAPPED + AF_INET6
- * If no IPv6 address then a query for IPv4 and map returned values.
- *
- * AI_ALL + AI_V4MAPPED + AF_INET6
- * Return IPv6 and IPv4 mapped.
- *
- * AI_ADDRCONFIG
- * Only return IPv6 / IPv4 address if there is an interface of that
- * type active.
- */
-
-struct hostent *
-getipnodebyname(const char *name, int af, int flags, int *error_num) {
- int have_v4 = 1, have_v6 = 1;
- struct in_addr in4;
- struct in6_addr in6;
- struct hostent he, *he1 = NULL, *he2 = NULL, *he3;
- int v4 = 0, v6 = 0;
- struct net_data *net_data = init();
- u_long options;
- int tmp_err;
-
- if (net_data == NULL) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- /* If we care about active interfaces then check. */
- if ((flags & AI_ADDRCONFIG) != 0)
- if (scan_interfaces(&have_v4, &have_v6) == -1) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- /* Check for literal address. */
- if ((v4 = inet_pton(AF_INET, name, &in4)) != 1)
- v6 = inet_pton(AF_INET6, name, &in6);
-
- /* Impossible combination? */
-
- if ((af == AF_INET6 && (flags & AI_V4MAPPED) == 0 && v4 == 1) ||
- (af == AF_INET && v6 == 1) ||
- (have_v4 == 0 && v4 == 1) ||
- (have_v6 == 0 && v6 == 1) ||
- (have_v4 == 0 && af == AF_INET) ||
- (have_v6 == 0 && af == AF_INET6)) {
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
-
- /* Literal address? */
- if (v4 == 1 || v6 == 1) {
- char *addr_list[2];
- char *aliases[1];
-
- DE_CONST(name, he.h_name);
- he.h_addr_list = addr_list;
- he.h_addr_list[0] = (v4 == 1) ? (char *)&in4 : (char *)&in6;
- he.h_addr_list[1] = NULL;
- he.h_aliases = aliases;
- he.h_aliases[0] = NULL;
- he.h_length = (v4 == 1) ? INADDRSZ : IN6ADDRSZ;
- he.h_addrtype = (v4 == 1) ? AF_INET : AF_INET6;
- return (copyandmerge(&he, NULL, af, error_num));
- }
-
- options = net_data->res->options;
- net_data->res->options &= ~RES_USE_INET6;
-
- tmp_err = NO_RECOVERY;
- if (have_v6 && af == AF_INET6) {
- he2 = gethostbyname2_p(name, AF_INET6, net_data);
- if (he2 != NULL) {
- he1 = copyandmerge(he2, NULL, af, error_num);
- if (he1 == NULL)
- return (NULL);
- he2 = NULL;
- } else {
- tmp_err = net_data->res->res_h_errno;
- }
- }
-
- if (have_v4 &&
- ((af == AF_INET) ||
- (af == AF_INET6 && (flags & AI_V4MAPPED) != 0 &&
- (he1 == NULL || (flags & AI_ALL) != 0)))) {
- he2 = gethostbyname2_p(name, AF_INET, net_data);
- if (he1 == NULL && he2 == NULL) {
- *error_num = net_data->res->res_h_errno;
- return (NULL);
- }
- } else
- *error_num = tmp_err;
-
- net_data->res->options = options;
-
- he3 = copyandmerge(he1, he2, af, error_num);
-
- if (he1 != NULL)
- freehostent(he1);
- return (he3);
-}
-
-struct hostent *
-getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
- struct hostent *he1, *he2;
- struct net_data *net_data = init();
-
- /* Sanity Checks. */
- if (src == NULL) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- switch (af) {
- case AF_INET:
- if (len != (size_t)INADDRSZ) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- break;
- case AF_INET6:
- if (len != (size_t)IN6ADDRSZ) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- break;
- default:
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- /*
- * Lookup IPv4 and IPv4 mapped/compatible addresses
- */
- if ((af == AF_INET6 &&
- IN6_IS_ADDR_V4COMPAT((const struct in6_addr *)src)) ||
- (af == AF_INET6 &&
- IN6_IS_ADDR_V4MAPPED((const struct in6_addr *)src)) ||
- (af == AF_INET)) {
- const char *cp = src;
-
- if (af == AF_INET6)
- cp += 12;
- he1 = gethostbyaddr_p(cp, 4, AF_INET, net_data);
- if (he1 == NULL) {
- *error_num = net_data->res->res_h_errno;
- return (NULL);
- }
- he2 = copyandmerge(he1, NULL, af, error_num);
- if (he2 == NULL)
- return (NULL);
- /*
- * Restore original address if mapped/compatible.
- */
- if (af == AF_INET6)
- memcpy(he1->h_addr, src, len);
- return (he2);
- }
-
- /*
- * Lookup IPv6 address.
- */
- if (memcmp((const struct in6_addr *)src, &in6addr_any, 16) == 0) {
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
-
- he1 = gethostbyaddr_p(src, 16, AF_INET6, net_data);
- if (he1 == NULL) {
- *error_num = net_data->res->res_h_errno;
- return (NULL);
- }
- return (copyandmerge(he1, NULL, af, error_num));
-}
-
-void
-freehostent(struct hostent *he) {
- char **cpp;
- int names = 1;
- int addresses = 1;
-
- memput(he->h_name, strlen(he->h_name) + 1);
-
- cpp = he->h_addr_list;
- while (*cpp != NULL) {
- memput(*cpp, (he->h_addrtype == AF_INET) ?
- INADDRSZ : IN6ADDRSZ);
- *cpp = NULL;
- cpp++;
- addresses++;
- }
-
- cpp = he->h_aliases;
- while (*cpp != NULL) {
- memput(*cpp, strlen(*cpp) + 1);
- cpp++;
- names++;
- }
-
- memput(he->h_aliases, sizeof(char *) * (names));
- memput(he->h_addr_list, sizeof(char *) * (addresses));
- memput(he, sizeof *he);
-}
-
-/*
- * Private
- */
-
-/*
- * Scan the interface table and set have_v4 and have_v6 depending
- * upon whether there are IPv4 and IPv6 interface addresses.
- *
- * Returns:
- * 0 on success
- * -1 on failure.
- */
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
- !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
-
-#ifdef __hpux
-#define lifc_len iflc_len
-#define lifc_buf iflc_buf
-#define lifc_req iflc_req
-#define LIFCONF if_laddrconf
-#else
-#define SETFAMILYFLAGS
-#define LIFCONF lifconf
-#endif
-
-#ifdef __hpux
-#define lifr_addr iflr_addr
-#define lifr_name iflr_name
-#define lifr_dstaddr iflr_dstaddr
-#define lifr_flags iflr_flags
-#define ss_family sa_family
-#define LIFREQ if_laddrreq
-#else
-#define LIFREQ lifreq
-#endif
-
-static void
-scan_interfaces6(int *have_v4, int *have_v6) {
- struct LIFCONF lifc;
- struct LIFREQ lifreq;
- struct in_addr in4;
- struct in6_addr in6;
- char *buf = NULL, *cp, *cplim;
- static unsigned int bufsiz = 4095;
- int s, cpsize, n;
-
- /* Get interface list from system. */
- if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
- goto cleanup;
-
- /*
- * Grow buffer until large enough to contain all interface
- * descriptions.
- */
- for (;;) {
- buf = memget(bufsiz);
- if (buf == NULL)
- goto cleanup;
-#ifdef SETFAMILYFLAGS
- lifc.lifc_family = AF_UNSPEC; /* request all families */
- lifc.lifc_flags = 0;
-#endif
- lifc.lifc_len = bufsiz;
- lifc.lifc_buf = buf;
- if ((n = ioctl(s, SIOCGLIFCONF, (char *)&lifc)) != -1) {
- /*
- * Some OS's just return what will fit rather
- * than set EINVAL if the buffer is too small
- * to fit all the interfaces in. If
- * lifc.lifc_len is too near to the end of the
- * buffer we will grow it just in case and
- * retry.
- */
- if (lifc.lifc_len + 2 * sizeof(lifreq) < bufsiz)
- break;
- }
- if ((n == -1) && errno != EINVAL)
- goto cleanup;
-
- if (bufsiz > 1000000)
- goto cleanup;
-
- memput(buf, bufsiz);
- bufsiz += 4096;
- }
-
- /* Parse system's interface list. */
- cplim = buf + lifc.lifc_len; /* skip over if's with big ifr_addr's */
- for (cp = buf;
- (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
- cp += cpsize) {
- memcpy(&lifreq, cp, sizeof lifreq);
-#ifdef HAVE_SA_LEN
-#ifdef FIX_ZERO_SA_LEN
- if (lifreq.lifr_addr.sa_len == 0)
- lifreq.lifr_addr.sa_len = 16;
-#endif
-#ifdef HAVE_MINIMUM_IFREQ
- cpsize = sizeof lifreq;
- if (lifreq.lifr_addr.sa_len > sizeof (struct sockaddr))
- cpsize += (int)lifreq.lifr_addr.sa_len -
- (int)(sizeof (struct sockaddr));
-#else
- cpsize = sizeof lifreq.lifr_name + lifreq.lifr_addr.sa_len;
-#endif /* HAVE_MINIMUM_IFREQ */
-#elif defined SIOCGIFCONF_ADDR
- cpsize = sizeof lifreq;
-#else
- cpsize = sizeof lifreq.lifr_name;
- /* XXX maybe this should be a hard error? */
- if (ioctl(s, SIOCGLIFADDR, (char *)&lifreq) < 0)
- continue;
-#endif
- switch (lifreq.lifr_addr.ss_family) {
- case AF_INET:
- if (*have_v4 == 0) {
- memcpy(&in4,
- &((struct sockaddr_in *)
- &lifreq.lifr_addr)->sin_addr,
- sizeof in4);
- if (in4.s_addr == INADDR_ANY)
- break;
- n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
- if (n < 0)
- break;
- if ((lifreq.lifr_flags & IFF_UP) == 0)
- break;
- *have_v4 = 1;
- }
- break;
- case AF_INET6:
- if (*have_v6 == 0) {
- memcpy(&in6,
- &((struct sockaddr_in6 *)
- &lifreq.lifr_addr)->sin6_addr, sizeof in6);
- if (memcmp(&in6, &in6addr_any, sizeof in6) == 0)
- break;
- n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
- if (n < 0)
- break;
- if ((lifreq.lifr_flags & IFF_UP) == 0)
- break;
- *have_v6 = 1;
- }
- break;
- }
- }
- if (buf != NULL)
- memput(buf, bufsiz);
- close(s);
- /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
- return;
- cleanup:
- if (buf != NULL)
- memput(buf, bufsiz);
- if (s != -1)
- close(s);
- /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
- return;
-}
-#endif
-
-#ifdef __linux
-#ifndef IF_NAMESIZE
-# ifdef IFNAMSIZ
-# define IF_NAMESIZE IFNAMSIZ
-# else
-# define IF_NAMESIZE 16
-# endif
-#endif
-static void
-scan_linux6(int *have_v6) {
- FILE *proc = NULL;
- char address[33];
- char name[IF_NAMESIZE+1];
- int ifindex, prefix, flag3, flag4;
-
- proc = fopen("/proc/net/if_inet6", "r");
- if (proc == NULL)
- return;
-
- if (fscanf(proc, "%32[a-f0-9] %x %x %x %x %16s\n",
- address, &ifindex, &prefix, &flag3, &flag4, name) == 6)
- *have_v6 = 1;
- fclose(proc);
- return;
-}
-#endif
-
-static int
-scan_interfaces(int *have_v4, int *have_v6) {
- struct ifconf ifc;
- union {
- char _pad[256]; /* leave space for IPv6 addresses */
- struct ifreq ifreq;
- } u;
- struct in_addr in4;
- struct in6_addr in6;
- char *buf = NULL, *cp, *cplim;
- static unsigned int bufsiz = 4095;
- int s, n;
- size_t cpsize;
-
- /* Set to zero. Used as loop terminators below. */
- *have_v4 = *have_v6 = 0;
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
- !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
- /*
- * Try to scan the interfaces using IPv6 ioctls().
- */
- scan_interfaces6(have_v4, have_v6);
- if (*have_v4 != 0 && *have_v6 != 0)
- return (0);
-#endif
-#ifdef __linux
- scan_linux6(have_v6);
-#endif
-
- /* Get interface list from system. */
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
- goto err_ret;
-
- /*
- * Grow buffer until large enough to contain all interface
- * descriptions.
- */
- for (;;) {
- buf = memget(bufsiz);
- if (buf == NULL)
- goto err_ret;
- ifc.ifc_len = bufsiz;
- ifc.ifc_buf = buf;
-#ifdef IRIX_EMUL_IOCTL_SIOCGIFCONF
- /*
- * This is a fix for IRIX OS in which the call to ioctl with
- * the flag SIOCGIFCONF may not return an entry for all the
- * interfaces like most flavors of Unix.
- */
- if (emul_ioctl(&ifc) >= 0)
- break;
-#else
- if ((n = ioctl(s, SIOCGIFCONF, (char *)&ifc)) != -1) {
- /*
- * Some OS's just return what will fit rather
- * than set EINVAL if the buffer is too small
- * to fit all the interfaces in. If
- * ifc.ifc_len is too near to the end of the
- * buffer we will grow it just in case and
- * retry.
- */
- if (ifc.ifc_len + 2 * sizeof(u.ifreq) < bufsiz)
- break;
- }
-#endif
- if ((n == -1) && errno != EINVAL)
- goto err_ret;
-
- if (bufsiz > 1000000)
- goto err_ret;
-
- memput(buf, bufsiz);
- bufsiz += 4096;
- }
-
- /* Parse system's interface list. */
- cplim = buf + ifc.ifc_len; /* skip over if's with big ifr_addr's */
- for (cp = buf;
- (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
- cp += cpsize) {
- memcpy(&u.ifreq, cp, sizeof u.ifreq);
-#ifdef HAVE_SA_LEN
-#ifdef FIX_ZERO_SA_LEN
- if (u.ifreq.ifr_addr.sa_len == 0)
- u.ifreq.ifr_addr.sa_len = 16;
-#endif
-#ifdef HAVE_MINIMUM_IFREQ
- cpsize = sizeof u.ifreq;
- if (u.ifreq.ifr_addr.sa_len > sizeof (struct sockaddr))
- cpsize += (int)u.ifreq.ifr_addr.sa_len -
- (int)(sizeof (struct sockaddr));
-#else
- cpsize = sizeof u.ifreq.ifr_name + u.ifreq.ifr_addr.sa_len;
-#endif /* HAVE_MINIMUM_IFREQ */
- if (cpsize > sizeof u.ifreq && cpsize <= sizeof u)
- memcpy(&u.ifreq, cp, cpsize);
-#elif defined SIOCGIFCONF_ADDR
- cpsize = sizeof u.ifreq;
-#else
- cpsize = sizeof u.ifreq.ifr_name;
- /* XXX maybe this should be a hard error? */
- if (ioctl(s, SIOCGIFADDR, (char *)&u.ifreq) < 0)
- continue;
-#endif
- switch (u.ifreq.ifr_addr.sa_family) {
- case AF_INET:
- if (*have_v4 == 0) {
- memcpy(&in4,
- &((struct sockaddr_in *)
- &u.ifreq.ifr_addr)->sin_addr,
- sizeof in4);
- if (in4.s_addr == INADDR_ANY)
- break;
- n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
- if (n < 0)
- break;
- if ((u.ifreq.ifr_flags & IFF_UP) == 0)
- break;
- *have_v4 = 1;
- }
- break;
- case AF_INET6:
- if (*have_v6 == 0) {
- memcpy(&in6,
- &((struct sockaddr_in6 *)
- &u.ifreq.ifr_addr)->sin6_addr,
- sizeof in6);
- if (memcmp(&in6, &in6addr_any, sizeof in6) == 0)
- break;
- n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
- if (n < 0)
- break;
- if ((u.ifreq.ifr_flags & IFF_UP) == 0)
- break;
- *have_v6 = 1;
- }
- break;
- }
- }
- if (buf != NULL)
- memput(buf, bufsiz);
- close(s);
- /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
- return (0);
- err_ret:
- if (buf != NULL)
- memput(buf, bufsiz);
- if (s != -1)
- close(s);
- /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
- return (-1);
-}
-
-static struct hostent *
-copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num) {
- struct hostent *he = NULL;
- int addresses = 1; /* NULL terminator */
- int names = 1; /* NULL terminator */
- int len = 0;
- char **cpp, **npp;
-
- /*
- * Work out array sizes;
- */
- if (he1 != NULL) {
- cpp = he1->h_addr_list;
- while (*cpp != NULL) {
- addresses++;
- cpp++;
- }
- cpp = he1->h_aliases;
- while (*cpp != NULL) {
- names++;
- cpp++;
- }
- }
-
- if (he2 != NULL) {
- cpp = he2->h_addr_list;
- while (*cpp != NULL) {
- addresses++;
- cpp++;
- }
- if (he1 == NULL) {
- cpp = he2->h_aliases;
- while (*cpp != NULL) {
- names++;
- cpp++;
- }
- }
- }
-
- if (addresses == 1) {
- *error_num = NO_ADDRESS;
- return (NULL);
- }
-
- he = memget(sizeof *he);
- if (he == NULL)
- goto no_recovery;
-
- he->h_addr_list = memget(sizeof(char *) * (addresses));
- if (he->h_addr_list == NULL)
- goto cleanup0;
- memset(he->h_addr_list, 0, sizeof(char *) * (addresses));
-
- /* copy addresses */
- npp = he->h_addr_list;
- if (he1 != NULL) {
- cpp = he1->h_addr_list;
- while (*cpp != NULL) {
- *npp = memget((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- if (*npp == NULL)
- goto cleanup1;
- /* convert to mapped if required */
- if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
- memcpy(*npp, in6addr_mapped,
- sizeof in6addr_mapped);
- memcpy(*npp + sizeof in6addr_mapped, *cpp,
- INADDRSZ);
- } else {
- memcpy(*npp, *cpp,
- (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- }
- cpp++;
- npp++;
- }
- }
-
- if (he2 != NULL) {
- cpp = he2->h_addr_list;
- while (*cpp != NULL) {
- *npp = memget((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- if (*npp == NULL)
- goto cleanup1;
- /* convert to mapped if required */
- if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
- memcpy(*npp, in6addr_mapped,
- sizeof in6addr_mapped);
- memcpy(*npp + sizeof in6addr_mapped, *cpp,
- INADDRSZ);
- } else {
- memcpy(*npp, *cpp,
- (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- }
- cpp++;
- npp++;
- }
- }
-
- he->h_aliases = memget(sizeof(char *) * (names));
- if (he->h_aliases == NULL)
- goto cleanup1;
- memset(he->h_aliases, 0, sizeof(char *) * (names));
-
- /* copy aliases */
- npp = he->h_aliases;
- cpp = (he1 != NULL) ? he1->h_aliases : he2->h_aliases;
- while (*cpp != NULL) {
- len = strlen (*cpp) + 1;
- *npp = memget(len);
- if (*npp == NULL)
- goto cleanup2;
- strcpy(*npp, *cpp);
- npp++;
- cpp++;
- }
-
- /* copy hostname */
- he->h_name = memget(strlen((he1 != NULL) ?
- he1->h_name : he2->h_name) + 1);
- if (he->h_name == NULL)
- goto cleanup2;
- strcpy(he->h_name, (he1 != NULL) ? he1->h_name : he2->h_name);
-
- /* set address type and length */
- he->h_addrtype = af;
- he->h_length = (af == AF_INET) ? INADDRSZ : IN6ADDRSZ;
- return(he);
-
- cleanup2:
- cpp = he->h_aliases;
- while (*cpp != NULL) {
- memput(*cpp, strlen(*cpp) + 1);
- cpp++;
- }
- memput(he->h_aliases, sizeof(char *) * (names));
-
- cleanup1:
- cpp = he->h_addr_list;
- while (*cpp != NULL) {
- memput(*cpp, (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- *cpp = NULL;
- cpp++;
- }
- memput(he->h_addr_list, sizeof(char *) * (addresses));
-
- cleanup0:
- memput(he, sizeof *he);
-
- no_recovery:
- *error_num = NO_RECOVERY;
- return (NULL);
-}
-
-static struct net_data *
-init() {
- struct net_data *net_data;
-
- if (!(net_data = net_data_init(NULL)))
- goto error;
- if (!net_data->ho) {
- net_data->ho = (*net_data->irs->ho_map)(net_data->irs);
- if (!net_data->ho || !net_data->res) {
- error:
- errno = EIO;
- if (net_data && net_data->res)
- RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
- return (NULL);
- }
-
- (*net_data->ho->res_set)(net_data->ho, net_data->res, NULL);
- }
-
- return (net_data);
-}
-
-static void
-freepvt(struct net_data *net_data) {
- if (net_data->ho_data) {
- free(net_data->ho_data);
- net_data->ho_data = NULL;
- }
-}
-
-static struct hostent *
-fakeaddr(const char *name, int af, struct net_data *net_data) {
- struct pvt *pvt;
-
- freepvt(net_data);
- net_data->ho_data = malloc(sizeof (struct pvt));
- if (!net_data->ho_data) {
- errno = ENOMEM;
- RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
- return (NULL);
- }
- pvt = net_data->ho_data;
-#ifndef __bsdi__
- /*
- * Unlike its forebear(inet_aton), our friendly inet_pton() is strict
- * in its interpretation of its input, and it will only return "1" if
- * the input string is a formally valid(and thus unambiguous with
- * respect to host names) internet address specification for this AF.
- *
- * This means "telnet 0xdeadbeef" and "telnet 127.1" are dead now.
- */
- if (inet_pton(af, name, pvt->addr) != 1) {
-#else
- /* BSDI XXX
- * We put this back to inet_aton -- we really want the old behavior
- * Long live 127.1...
- */
- if ((af != AF_INET ||
- inet_aton(name, (struct in_addr *)pvt->addr) != 1) &&
- inet_pton(af, name, pvt->addr) != 1) {
-#endif
- RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
- return (NULL);
- }
- strncpy(pvt->name, name, NS_MAXDNAME);
- pvt->name[NS_MAXDNAME] = '\0';
- if (af == AF_INET && (net_data->res->options & RES_USE_INET6) != 0U) {
- map_v4v6_address(pvt->addr, pvt->addr);
- af = AF_INET6;
- }
- pvt->host.h_addrtype = af;
- switch(af) {
- case AF_INET:
- pvt->host.h_length = NS_INADDRSZ;
- break;
- case AF_INET6:
- pvt->host.h_length = NS_IN6ADDRSZ;
- break;
- default:
- errno = EAFNOSUPPORT;
- RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
- return (NULL);
- }
- pvt->host.h_name = pvt->name;
- pvt->host.h_aliases = pvt->aliases;
- pvt->aliases[0] = NULL;
- pvt->addrs[0] = (char *)pvt->addr;
- pvt->addrs[1] = NULL;
- pvt->host.h_addr_list = pvt->addrs;
- RES_SET_H_ERRNO(net_data->res, NETDB_SUCCESS);
- return (&pvt->host);
-}
-
-#ifdef grot /* for future use in gethostbyaddr(), for "SUNSECURITY" */
- struct hostent *rhp;
- char **haddr;
- u_long old_options;
- char hname2[MAXDNAME+1];
-
- if (af == AF_INET) {
- /*
- * turn off search as the name should be absolute,
- * 'localhost' should be matched by defnames
- */
- strncpy(hname2, hp->h_name, MAXDNAME);
- hname2[MAXDNAME] = '\0';
- old_options = net_data->res->options;
- net_data->res->options &= ~RES_DNSRCH;
- net_data->res->options |= RES_DEFNAMES;
- if (!(rhp = gethostbyname(hname2))) {
- net_data->res->options = old_options;
- RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
- return (NULL);
- }
- net_data->res->options = old_options;
- for (haddr = rhp->h_addr_list; *haddr; haddr++)
- if (!memcmp(*haddr, addr, INADDRSZ))
- break;
- if (!*haddr) {
- RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
- return (NULL);
- }
- }
-#endif /* grot */
-
-#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/gethostent_r.c b/contrib/bind9/lib/bind/irs/gethostent_r.c
deleted file mode 100644
index 8a7cff06fe03..000000000000
--- a/contrib/bind9/lib/bind/irs/gethostent_r.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: gethostent_r.c,v 1.4.206.4 2005/09/03 12:47:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <port_before.h>
-#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
- static int gethostent_r_not_required = 0;
-#else
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <sys/param.h>
-#include <port_after.h>
-
-#ifdef HOST_R_RETURN
-
-static HOST_R_RETURN
-copy_hostent(struct hostent *, struct hostent *, HOST_R_COPY_ARGS);
-
-HOST_R_RETURN
-gethostbyname_r(const char *name, struct hostent *hptr, HOST_R_ARGS) {
- struct hostent *he = gethostbyname(name);
-#ifdef HOST_R_SETANSWER
- int n = 0;
-#endif
-
-#ifdef HOST_R_ERRNO
- HOST_R_ERRNO;
-#endif
-
-#ifdef HOST_R_SETANSWER
- if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = hptr;
-
- return (n);
-#else
- if (he == NULL)
- return (HOST_R_BAD);
-
- return (copy_hostent(he, hptr, HOST_R_COPY));
-#endif
-}
-
-HOST_R_RETURN
-gethostbyaddr_r(const char *addr, int len, int type,
- struct hostent *hptr, HOST_R_ARGS) {
- struct hostent *he = gethostbyaddr(addr, len, type);
-#ifdef HOST_R_SETANSWER
- int n = 0;
-#endif
-
-#ifdef HOST_R_ERRNO
- HOST_R_ERRNO;
-#endif
-
-#ifdef HOST_R_SETANSWER
- if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = hptr;
-
- return (n);
-#else
- if (he == NULL)
- return (HOST_R_BAD);
-
- return (copy_hostent(he, hptr, HOST_R_COPY));
-#endif
-}
-
-/*
- * These assume a single context is in operation per thread.
- * If this is not the case we will need to call irs directly
- * rather than through the base functions.
- */
-
-HOST_R_RETURN
-gethostent_r(struct hostent *hptr, HOST_R_ARGS) {
- struct hostent *he = gethostent();
-#ifdef HOST_R_SETANSWER
- int n = 0;
-#endif
-
-#ifdef HOST_R_ERRNO
- HOST_R_ERRNO;
-#endif
-
-#ifdef HOST_R_SETANSWER
- if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = hptr;
-
- return (n);
-#else
- if (he == NULL)
- return (HOST_R_BAD);
-
- return (copy_hostent(he, hptr, HOST_R_COPY));
-#endif
-}
-
-HOST_R_SET_RETURN
-#ifdef HOST_R_ENT_ARGS
-sethostent_r(int stay_open, HOST_R_ENT_ARGS)
-#else
-sethostent_r(int stay_open)
-#endif
-{
-#ifdef HOST_R_ENT_ARGS
- UNUSED(hdptr);
-#endif
- sethostent(stay_open);
-#ifdef HOST_R_SET_RESULT
- return (HOST_R_SET_RESULT);
-#endif
-}
-
-HOST_R_END_RETURN
-#ifdef HOST_R_ENT_ARGS
-endhostent_r(HOST_R_ENT_ARGS)
-#else
-endhostent_r(void)
-#endif
-{
-#ifdef HOST_R_ENT_ARGS
- UNUSED(hdptr);
-#endif
- endhostent();
- HOST_R_END_RESULT(HOST_R_OK);
-}
-
-/* Private */
-
-#ifndef HOSTENT_DATA
-static HOST_R_RETURN
-copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
- char *cp;
- char **ptr;
- int i, n;
- int nptr, len;
-
- /* Find out the amount of space required to store the answer. */
- nptr = 2; /* NULL ptrs */
- len = (char *)ALIGN(buf) - buf;
- for (i = 0; he->h_addr_list[i]; i++, nptr++) {
- len += he->h_length;
- }
- for (i = 0; he->h_aliases[i]; i++, nptr++) {
- len += strlen(he->h_aliases[i]) + 1;
- }
- len += strlen(he->h_name) + 1;
- len += nptr * sizeof(char*);
-
- if (len > buflen) {
- errno = ERANGE;
- return (HOST_R_BAD);
- }
-
- /* copy address size and type */
- hptr->h_addrtype = he->h_addrtype;
- n = hptr->h_length = he->h_length;
-
- ptr = (char **)ALIGN(buf);
- cp = (char *)ALIGN(buf) + nptr * sizeof(char *);
-
- /* copy address list */
- hptr->h_addr_list = ptr;
- for (i = 0; he->h_addr_list[i]; i++ , ptr++) {
- memcpy(cp, he->h_addr_list[i], n);
- hptr->h_addr_list[i] = cp;
- cp += n;
- }
- hptr->h_addr_list[i] = NULL;
- ptr++;
-
- /* copy official name */
- n = strlen(he->h_name) + 1;
- strcpy(cp, he->h_name);
- hptr->h_name = cp;
- cp += n;
-
- /* copy aliases */
- hptr->h_aliases = ptr;
- for (i = 0 ; he->h_aliases[i]; i++) {
- n = strlen(he->h_aliases[i]) + 1;
- strcpy(cp, he->h_aliases[i]);
- hptr->h_aliases[i] = cp;
- cp += n;
- }
- hptr->h_aliases[i] = NULL;
-
- return (HOST_R_OK);
-}
-#else /* !HOSTENT_DATA */
-static int
-copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
- char *cp, *eob;
- int i, n;
-
- /* copy address size and type */
- hptr->h_addrtype = he->h_addrtype;
- n = hptr->h_length = he->h_length;
-
- /* copy up to first 35 addresses */
- i = 0;
- cp = hdptr->hostbuf;
- eob = hdptr->hostbuf + sizeof(hdptr->hostbuf);
- hptr->h_addr_list = hdptr->h_addr_ptrs;
- while (he->h_addr_list[i] && i < (_MAXADDRS)) {
- if (n < (eob - cp)) {
- memcpy(cp, he->h_addr_list[i], n);
- hptr->h_addr_list[i] = cp;
- cp += n;
- } else {
- break;
- }
- i++;
- }
- hptr->h_addr_list[i] = NULL;
-
- /* copy official name */
- if ((n = strlen(he->h_name) + 1) < (eob - cp)) {
- strcpy(cp, he->h_name);
- hptr->h_name = cp;
- cp += n;
- } else {
- return (-1);
- }
-
- /* copy aliases */
- i = 0;
- hptr->h_aliases = hdptr->host_aliases;
- while (he->h_aliases[i] && i < (_MAXALIASES-1)) {
- if ((n = strlen(he->h_aliases[i]) + 1) < (eob - cp)) {
- strcpy(cp, he->h_aliases[i]);
- hptr->h_aliases[i] = cp;
- cp += n;
- } else {
- break;
- }
- i++;
- }
- hptr->h_aliases[i] = NULL;
-
- return (HOST_R_OK);
-}
-#endif /* !HOSTENT_DATA */
-#else /* HOST_R_RETURN */
- static int gethostent_r_unknown_system = 0;
-#endif /* HOST_R_RETURN */
-#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
diff --git a/contrib/bind9/lib/bind/irs/getnameinfo.c b/contrib/bind9/lib/bind/irs/getnameinfo.c
deleted file mode 100644
index 5947c038984e..000000000000
--- a/contrib/bind9/lib/bind/irs/getnameinfo.c
+++ /dev/null
@@ -1,322 +0,0 @@
-/*
- * Issues to be discussed:
- * - Thread safe-ness must be checked
- */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by WIDE Project and
- * its contributors.
- * 4. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <port_before.h>
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-#include <net/if.h>
-
-#include <netdb.h>
-#include <resolv.h>
-#include <string.h>
-#include <stddef.h>
-
-#include <port_after.h>
-
-/*
- * Note that a_off will be dynamically adjusted so that to be consistent
- * with the definition of sockaddr_in{,6}.
- * The value presented below is just a guess.
- */
-static struct afd {
- int a_af;
- int a_addrlen;
- size_t a_socklen;
- int a_off;
-} afdl [] = {
- /* first entry is linked last... */
- {PF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in),
- offsetof(struct sockaddr_in, sin_addr)},
- {PF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6),
- offsetof(struct sockaddr_in6, sin6_addr)},
- {0, 0, 0, 0},
-};
-
-struct sockinet {
-#ifdef HAVE_SA_LEN
- u_char si_len;
-#endif
- u_char si_family;
- u_short si_port;
-};
-
-static int ip6_parsenumeric __P((const struct sockaddr *, const char *, char *,
- size_t, int));
-#ifdef HAVE_SIN6_SCOPE_ID
-static int ip6_sa2str __P((const struct sockaddr_in6 *, char *, size_t, int));
-#endif
-
-int
-getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
- const struct sockaddr *sa;
- size_t salen;
- char *host;
- size_t hostlen;
- char *serv;
- size_t servlen;
- int flags;
-{
- struct afd *afd;
- struct servent *sp;
- struct hostent *hp;
- u_short port;
-#ifdef HAVE_SA_LEN
- size_t len;
-#endif
- int family, i;
- const char *addr;
- char *p;
- char numserv[512];
- char numaddr[512];
- const struct sockaddr_in6 *sin6;
-
- if (sa == NULL)
- return EAI_FAIL;
-
-#ifdef HAVE_SA_LEN
- len = sa->sa_len;
- if (len != salen) return EAI_FAIL;
-#endif
-
- family = sa->sa_family;
- for (i = 0; afdl[i].a_af; i++)
- if (afdl[i].a_af == family) {
- afd = &afdl[i];
- goto found;
- }
- return EAI_FAMILY;
-
- found:
- if (salen != afd->a_socklen) return EAI_FAIL;
-
- port = ((const struct sockinet *)sa)->si_port; /* network byte order */
- addr = (const char *)sa + afd->a_off;
-
- if (serv == NULL || servlen == 0U) {
- /*
- * rfc2553bis says that serv == NULL or servlen == 0 means that
- * the caller does not want the result.
- */
- } else if (flags & NI_NUMERICSERV) {
- sprintf(numserv, "%d", ntohs(port));
- if (strlen(numserv) > servlen)
- return EAI_MEMORY;
- strcpy(serv, numserv);
- } else {
- sp = getservbyport(port, (flags & NI_DGRAM) ? "udp" : "tcp");
- if (sp) {
- if (strlen(sp->s_name) + 1 > servlen)
- return EAI_MEMORY;
- strcpy(serv, sp->s_name);
- } else
- return EAI_NONAME;
- }
-
- switch (sa->sa_family) {
- case AF_INET:
- if (ntohl(*(const u_int32_t *)addr) >> IN_CLASSA_NSHIFT == 0)
- flags |= NI_NUMERICHOST;
- break;
- case AF_INET6:
- sin6 = (const struct sockaddr_in6 *)sa;
- switch (sin6->sin6_addr.s6_addr[0]) {
- case 0x00:
- if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
- ;
- else if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))
- ;
- else
- flags |= NI_NUMERICHOST;
- break;
- default:
- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
- flags |= NI_NUMERICHOST;
- else if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
- flags |= NI_NUMERICHOST;
- break;
- }
- break;
- }
- if (host == NULL || hostlen == 0U) {
- /*
- * rfc2553bis says that host == NULL or hostlen == 0 means that
- * the caller does not want the result.
- */
- } else if (flags & NI_NUMERICHOST) {
- goto numeric;
- } else {
- hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af);
-
- if (hp) {
- if (flags & NI_NOFQDN) {
- p = strchr(hp->h_name, '.');
- if (p) *p = '\0';
- }
- if (strlen(hp->h_name) + 1 > hostlen)
- return EAI_MEMORY;
- strcpy(host, hp->h_name);
- } else {
- if (flags & NI_NAMEREQD)
- return EAI_NONAME;
- numeric:
- switch(afd->a_af) {
- case AF_INET6:
- {
- int error;
-
- if ((error = ip6_parsenumeric(sa, addr, host,
- hostlen,
- flags)) != 0)
- return(error);
- break;
- }
-
- default:
- if (inet_ntop(afd->a_af, addr, numaddr,
- sizeof(numaddr)) == NULL)
- return EAI_NONAME;
- if (strlen(numaddr) + 1 > hostlen)
- return EAI_MEMORY;
- strcpy(host, numaddr);
- }
- }
- }
- return(0);
-}
-
-static int
-ip6_parsenumeric(const struct sockaddr *sa, const char *addr, char *host,
- size_t hostlen, int flags)
-{
- size_t numaddrlen;
- char numaddr[512];
-
-#ifndef HAVE_SIN6_SCOPE_ID
- UNUSED(sa);
- UNUSED(flags);
-#endif
-
- if (inet_ntop(AF_INET6, addr, numaddr, sizeof(numaddr))
- == NULL)
- return EAI_SYSTEM;
-
- numaddrlen = strlen(numaddr);
- if (numaddrlen + 1 > hostlen) /* don't forget terminator */
- return EAI_MEMORY;
- strcpy(host, numaddr);
-
-#ifdef HAVE_SIN6_SCOPE_ID
- if (((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
- char scopebuf[MAXHOSTNAMELEN]; /* XXX */
- int scopelen;
-
- /* ip6_sa2str never fails */
- scopelen = ip6_sa2str((const struct sockaddr_in6 *)sa,
- scopebuf, sizeof(scopebuf), flags);
-
- if (scopelen + 1 + numaddrlen + 1 > hostlen)
- return EAI_MEMORY;
-
- /* construct <numeric-addr><delim><scopeid> */
- memcpy(host + numaddrlen + 1, scopebuf,
- scopelen);
- host[numaddrlen] = SCOPE_DELIMITER;
- host[numaddrlen + 1 + scopelen] = '\0';
- }
-#endif
-
- return 0;
-}
-
-#ifdef HAVE_SIN6_SCOPE_ID
-/* ARGSUSED */
-static int
-ip6_sa2str(const struct sockaddr_in6 *sa6, char *buf,
- size_t bufsiz, int flags)
-{
-#ifdef USE_IFNAMELINKID
- unsigned int ifindex = (unsigned int)sa6->sin6_scope_id;
- const struct in6_addr *a6 = &sa6->sin6_addr;
-#endif
- char tmp[64];
-
-#ifdef NI_NUMERICSCOPE
- if (flags & NI_NUMERICSCOPE) {
- sprintf(tmp, "%u", sa6->sin6_scope_id);
- if (bufsiz != 0U) {
- strncpy(buf, tmp, bufsiz - 1);
- buf[bufsiz - 1] = '\0';
- }
- return(strlen(tmp));
- }
-#endif
-
-#ifdef USE_IFNAMELINKID
- /*
- * For a link-local address, convert the index to an interface
- * name, assuming a one-to-one mapping between links and interfaces.
- * Note, however, that this assumption is stronger than the
- * specification of the scoped address architecture; the
- * specficication says that more than one interfaces can belong to
- * a single link.
- */
-
- /* if_indextoname() does not take buffer size. not a good api... */
- if ((IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_MC_LINKLOCAL(a6)) &&
- bufsiz >= IF_NAMESIZE) {
- char *p = if_indextoname(ifindex, buf);
- if (p) {
- return(strlen(p));
- }
- }
-#endif
-
- /* last resort */
- sprintf(tmp, "%u", sa6->sin6_scope_id);
- if (bufsiz != 0U) {
- strncpy(buf, tmp, bufsiz - 1);
- buf[bufsiz - 1] = '\0';
- }
- return(strlen(tmp));
-}
-#endif
diff --git a/contrib/bind9/lib/bind/irs/getnetent.c b/contrib/bind9/lib/bind/irs/getnetent.c
deleted file mode 100644
index 4d1cd1e7ac0b..000000000000
--- a/contrib/bind9/lib/bind/irs/getnetent.c
+++ /dev/null
@@ -1,343 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getnetent.c,v 1.4.206.2 2004/03/17 01:49:40 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(__BIND_NOSTATIC)
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "irs_data.h"
-
-/* Definitions */
-
-struct pvt {
- struct netent netent;
- char * aliases[1];
- char name[MAXDNAME + 1];
-};
-
-/* Forward */
-
-static struct net_data *init(void);
-static struct netent *nw_to_net(struct nwent *, struct net_data *);
-static void freepvt(struct net_data *);
-static struct netent *fakeaddr(const char *, int af, struct net_data *);
-
-/* Portability */
-
-#ifndef INADDR_NONE
-# define INADDR_NONE 0xffffffff
-#endif
-
-/* Public */
-
-struct netent *
-getnetent() {
- struct net_data *net_data = init();
-
- return (getnetent_p(net_data));
-}
-
-struct netent *
-getnetbyname(const char *name) {
- struct net_data *net_data = init();
-
- return (getnetbyname_p(name, net_data));
-}
-
-struct netent *
-getnetbyaddr(unsigned long net, int type) {
- struct net_data *net_data = init();
-
- return (getnetbyaddr_p(net, type, net_data));
-}
-
-void
-setnetent(int stayopen) {
- struct net_data *net_data = init();
-
- setnetent_p(stayopen, net_data);
-}
-
-
-void
-endnetent() {
- struct net_data *net_data = init();
-
- endnetent_p(net_data);
-}
-
-/* Shared private. */
-
-struct netent *
-getnetent_p(struct net_data *net_data) {
- struct irs_nw *nw;
-
- if (!net_data || !(nw = net_data->nw))
- return (NULL);
- net_data->nww_last = (*nw->next)(nw);
- net_data->nw_last = nw_to_net(net_data->nww_last, net_data);
- return (net_data->nw_last);
-}
-
-struct netent *
-getnetbyname_p(const char *name, struct net_data *net_data) {
- struct irs_nw *nw;
- struct netent *np;
- char **nap;
-
- if (!net_data || !(nw = net_data->nw))
- return (NULL);
- if (net_data->nw_stayopen && net_data->nw_last) {
- if (!strcmp(net_data->nw_last->n_name, name))
- return (net_data->nw_last);
- for (nap = net_data->nw_last->n_aliases; nap && *nap; nap++)
- if (!strcmp(name, *nap))
- return (net_data->nw_last);
- }
- if ((np = fakeaddr(name, AF_INET, net_data)) != NULL)
- return (np);
- net_data->nww_last = (*nw->byname)(nw, name, AF_INET);
- net_data->nw_last = nw_to_net(net_data->nww_last, net_data);
- if (!net_data->nw_stayopen)
- endnetent();
- return (net_data->nw_last);
-}
-
-struct netent *
-getnetbyaddr_p(unsigned long net, int type, struct net_data *net_data) {
- struct irs_nw *nw;
- u_char addr[4];
- int bits;
-
- if (!net_data || !(nw = net_data->nw))
- return (NULL);
- if (net_data->nw_stayopen && net_data->nw_last)
- if (type == net_data->nw_last->n_addrtype &&
- net == net_data->nw_last->n_net)
- return (net_data->nw_last);
-
- /* cannonize net(host order) */
- if (net < 256UL) {
- net <<= 24;
- bits = 8;
- } else if (net < 65536UL) {
- net <<= 16;
- bits = 16;
- } else if (net < 16777216UL) {
- net <<= 8;
- bits = 24;
- } else
- bits = 32;
-
- /* convert to net order */
- addr[0] = (0xFF000000 & net) >> 24;
- addr[1] = (0x00FF0000 & net) >> 16;
- addr[2] = (0x0000FF00 & net) >> 8;
- addr[3] = (0x000000FF & net);
-
- /* reduce bits to as close to natural number as possible */
- if ((bits == 32) && (addr[0] < 224) && (addr[3] == 0)) {
- if ((addr[0] < 192) && (addr[2] == 0)) {
- if ((addr[0] < 128) && (addr[1] == 0))
- bits = 8;
- else
- bits = 16;
- } else {
- bits = 24;
- }
- }
-
- net_data->nww_last = (*nw->byaddr)(nw, addr, bits, AF_INET);
- net_data->nw_last = nw_to_net(net_data->nww_last, net_data);
- if (!net_data->nw_stayopen)
- endnetent();
- return (net_data->nw_last);
-}
-
-
-
-
-void
-setnetent_p(int stayopen, struct net_data *net_data) {
- struct irs_nw *nw;
-
- if (!net_data || !(nw = net_data->nw))
- return;
- freepvt(net_data);
- (*nw->rewind)(nw);
- net_data->nw_stayopen = (stayopen != 0);
- if (stayopen == 0)
- net_data_minimize(net_data);
-}
-
-void
-endnetent_p(struct net_data *net_data) {
- struct irs_nw *nw;
-
- if ((net_data != NULL) && ((nw = net_data->nw) != NULL))
- (*nw->minimize)(nw);
-}
-
-/* Private */
-
-static struct net_data *
-init() {
- struct net_data *net_data;
-
- if (!(net_data = net_data_init(NULL)))
- goto error;
- if (!net_data->nw) {
- net_data->nw = (*net_data->irs->nw_map)(net_data->irs);
-
- if (!net_data->nw || !net_data->res) {
- error:
- errno = EIO;
- return (NULL);
- }
- (*net_data->nw->res_set)(net_data->nw, net_data->res, NULL);
- }
-
- return (net_data);
-}
-
-static void
-freepvt(struct net_data *net_data) {
- if (net_data->nw_data) {
- free(net_data->nw_data);
- net_data->nw_data = NULL;
- }
-}
-
-static struct netent *
-fakeaddr(const char *name, int af, struct net_data *net_data) {
- struct pvt *pvt;
- const char *cp;
- u_long tmp;
-
- if (af != AF_INET) {
- /* XXX should support IPv6 some day */
- errno = EAFNOSUPPORT;
- RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
- return (NULL);
- }
- if (!isascii((unsigned char)(name[0])) ||
- !isdigit((unsigned char)(name[0])))
- return (NULL);
- for (cp = name; *cp; ++cp)
- if (!isascii(*cp) || (!isdigit((unsigned char)*cp) && *cp != '.'))
- return (NULL);
- if (*--cp == '.')
- return (NULL);
-
- /* All-numeric, no dot at the end. */
-
- tmp = inet_network(name);
- if (tmp == INADDR_NONE) {
- RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
- return (NULL);
- }
-
- /* Valid network number specified.
- * Fake up a netent as if we'd actually
- * done a lookup.
- */
- freepvt(net_data);
- net_data->nw_data = malloc(sizeof (struct pvt));
- if (!net_data->nw_data) {
- errno = ENOMEM;
- RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
- return (NULL);
- }
- pvt = net_data->nw_data;
-
- strncpy(pvt->name, name, MAXDNAME);
- pvt->name[MAXDNAME] = '\0';
- pvt->netent.n_name = pvt->name;
- pvt->netent.n_addrtype = AF_INET;
- pvt->netent.n_aliases = pvt->aliases;
- pvt->aliases[0] = NULL;
- pvt->netent.n_net = tmp;
-
- return (&pvt->netent);
-}
-
-static struct netent *
-nw_to_net(struct nwent *nwent, struct net_data *net_data) {
- struct pvt *pvt;
- u_long addr = 0;
- int i;
- int msbyte;
-
- if (!nwent || nwent->n_addrtype != AF_INET)
- return (NULL);
- freepvt(net_data);
- net_data->nw_data = malloc(sizeof (struct pvt));
- if (!net_data->nw_data) {
- errno = ENOMEM;
- RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
- return (NULL);
- }
- pvt = net_data->nw_data;
- pvt->netent.n_name = nwent->n_name;
- pvt->netent.n_aliases = nwent->n_aliases;
- pvt->netent.n_addrtype = nwent->n_addrtype;
-
-/*
- * What this code does: Converts net addresses from network to host form.
- *
- * msbyte: the index of the most significant byte in the n_addr array.
- *
- * Shift bytes in significant order into addr. When all signicant
- * bytes are in, zero out bits in the LSB that are not part of the network.
- */
- msbyte = nwent->n_length / 8 +
- ((nwent->n_length % 8) != 0 ? 1 : 0) - 1;
- for (i = 0; i <= msbyte; i++)
- addr = (addr << 8) | ((unsigned char *)nwent->n_addr)[i];
- i = (32 - nwent->n_length) % 8;
- if (i != 0)
- addr &= ~((1 << (i + 1)) - 1);
- pvt->netent.n_net = addr;
- return (&pvt->netent);
-}
-
-#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/getnetent_r.c b/contrib/bind9/lib/bind/irs/getnetent_r.c
deleted file mode 100644
index 1f8290d17146..000000000000
--- a/contrib/bind9/lib/bind/irs/getnetent_r.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetent_r.c,v 1.3.206.2 2005/09/03 12:47:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <port_before.h>
-#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
- static int getnetent_r_not_required = 0;
-#else
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <sys/param.h>
-#include <port_after.h>
-
-#ifdef NET_R_RETURN
-
-static NET_R_RETURN
-copy_netent(struct netent *, struct netent *, NET_R_COPY_ARGS);
-
-NET_R_RETURN
-getnetbyname_r(const char *name, struct netent *nptr, NET_R_ARGS) {
- struct netent *ne = getnetbyname(name);
-#ifdef NET_R_SETANSWER
- int n = 0;
-
- if (ne == NULL || (n = copy_netent(ne, nptr, NET_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = ne;
- if (ne == NULL)
- *h_errnop = h_errno;
- return (n);
-#else
- if (ne == NULL)
- return (NET_R_BAD);
-
- return (copy_netent(ne, nptr, NET_R_COPY));
-#endif
-}
-
-#ifndef GETNETBYADDR_ADDR_T
-#define GETNETBYADDR_ADDR_T long
-#endif
-NET_R_RETURN
-getnetbyaddr_r(GETNETBYADDR_ADDR_T addr, int type, struct netent *nptr, NET_R_ARGS) {
- struct netent *ne = getnetbyaddr(addr, type);
-#ifdef NET_R_SETANSWER
- int n = 0;
-
- if (ne == NULL || (n = copy_netent(ne, nptr, NET_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = ne;
- if (ne == NULL)
- *h_errnop = h_errno;
- return (n);
-#else
-
- if (ne == NULL)
- return (NET_R_BAD);
-
- return (copy_netent(ne, nptr, NET_R_COPY));
-#endif
-}
-
-/*
- * These assume a single context is in operation per thread.
- * If this is not the case we will need to call irs directly
- * rather than through the base functions.
- */
-
-NET_R_RETURN
-getnetent_r(struct netent *nptr, NET_R_ARGS) {
- struct netent *ne = getnetent();
-#ifdef NET_R_SETANSWER
- int n = 0;
-
- if (ne == NULL || (n = copy_netent(ne, nptr, NET_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = ne;
- if (ne == NULL)
- *h_errnop = h_errno;
- return (n);
-#else
-
- if (ne == NULL)
- return (NET_R_BAD);
-
- return (copy_netent(ne, nptr, NET_R_COPY));
-#endif
-}
-
-NET_R_SET_RETURN
-#ifdef NET_R_ENT_ARGS
-setnetent_r(int stay_open, NET_R_ENT_ARGS)
-#else
-setnetent_r(int stay_open)
-#endif
-{
-#ifdef NET_R_ENT_ARGS
- UNUSED(ndptr);
-#endif
- setnetent(stay_open);
-#ifdef NET_R_SET_RESULT
- return (NET_R_SET_RESULT);
-#endif
-}
-
-NET_R_END_RETURN
-#ifdef NET_R_ENT_ARGS
-endnetent_r(NET_R_ENT_ARGS)
-#else
-endnetent_r()
-#endif
-{
-#ifdef NET_R_ENT_ARGS
- UNUSED(ndptr);
-#endif
- endnetent();
- NET_R_END_RESULT(NET_R_OK);
-}
-
-/* Private */
-
-#ifndef NETENT_DATA
-static NET_R_RETURN
-copy_netent(struct netent *ne, struct netent *nptr, NET_R_COPY_ARGS) {
- char *cp;
- int i, n;
- int numptr, len;
-
- /* Find out the amount of space required to store the answer. */
- numptr = 1; /* NULL ptr */
- len = (char *)ALIGN(buf) - buf;
- for (i = 0; ne->n_aliases[i]; i++, numptr++) {
- len += strlen(ne->n_aliases[i]) + 1;
- }
- len += strlen(ne->n_name) + 1;
- len += numptr * sizeof(char*);
-
- if (len > (int)buflen) {
- errno = ERANGE;
- return (NET_R_BAD);
- }
-
- /* copy net value and type */
- nptr->n_addrtype = ne->n_addrtype;
- nptr->n_net = ne->n_net;
-
- cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
-
- /* copy official name */
- n = strlen(ne->n_name) + 1;
- strcpy(cp, ne->n_name);
- nptr->n_name = cp;
- cp += n;
-
- /* copy aliases */
- nptr->n_aliases = (char **)ALIGN(buf);
- for (i = 0 ; ne->n_aliases[i]; i++) {
- n = strlen(ne->n_aliases[i]) + 1;
- strcpy(cp, ne->n_aliases[i]);
- nptr->n_aliases[i] = cp;
- cp += n;
- }
- nptr->n_aliases[i] = NULL;
-
- return (NET_R_OK);
-}
-#else /* !NETENT_DATA */
-static int
-copy_netent(struct netent *ne, struct netent *nptr, NET_R_COPY_ARGS) {
- char *cp, *eob;
- int i, n;
-
- /* copy net value and type */
- nptr->n_addrtype = ne->n_addrtype;
- nptr->n_net = ne->n_net;
-
- /* copy official name */
- cp = ndptr->line;
- eob = ndptr->line + sizeof(ndptr->line);
- if ((n = strlen(ne->n_name) + 1) < (eob - cp)) {
- strcpy(cp, ne->n_name);
- nptr->n_name = cp;
- cp += n;
- } else {
- return (-1);
- }
-
- /* copy aliases */
- i = 0;
- nptr->n_aliases = ndptr->net_aliases;
- while (ne->n_aliases[i] && i < (_MAXALIASES-1)) {
- if ((n = strlen(ne->n_aliases[i]) + 1) < (eob - cp)) {
- strcpy(cp, ne->n_aliases[i]);
- nptr->n_aliases[i] = cp;
- cp += n;
- } else {
- break;
- }
- i++;
- }
- nptr->n_aliases[i] = NULL;
-
- return (NET_R_OK);
-}
-#endif /* !NETENT_DATA */
-#else /* NET_R_RETURN */
- static int getnetent_r_unknown_system = 0;
-#endif /* NET_R_RETURN */
-#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
diff --git a/contrib/bind9/lib/bind/irs/getnetgrent.c b/contrib/bind9/lib/bind/irs/getnetgrent.c
deleted file mode 100644
index b2751536f248..000000000000
--- a/contrib/bind9/lib/bind/irs/getnetgrent.c
+++ /dev/null
@@ -1,156 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent.c,v 1.1.2.1.4.1 2004/03/09 08:33:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(__BIND_NOSTATIC)
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <stdio.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_data.h"
-
-/* Forward */
-
-static struct net_data *init(void);
-
-
-/* Public */
-
-#ifndef SETNETGRENT_ARGS
-#define SETNETGRENT_ARGS const char *netgroup
-#endif
-void
-setnetgrent(SETNETGRENT_ARGS) {
- struct net_data *net_data = init();
-
- setnetgrent_p(netgroup, net_data);
-}
-
-void
-endnetgrent(void) {
- struct net_data *net_data = init();
-
- endnetgrent_p(net_data);
-}
-
-#ifndef INNETGR_ARGS
-#define INNETGR_ARGS const char *netgroup, const char *host, \
- const char *user, const char *domain
-#endif
-int
-innetgr(INNETGR_ARGS) {
- struct net_data *net_data = init();
-
- return (innetgr_p(netgroup, host, user, domain, net_data));
-}
-
-int
-getnetgrent(char **host, char **user, char **domain) {
- struct net_data *net_data = init();
- const char *ch, *cu, *cd;
- int ret;
-
- ret = getnetgrent_p(&ch, &cu, &cd, net_data);
- if (ret != 1)
- return (ret);
-
- DE_CONST(ch, *host);
- DE_CONST(cu, *user);
- DE_CONST(cd, *domain);
- return (ret);
-}
-
-/* Shared private. */
-
-void
-setnetgrent_p(const char *netgroup, struct net_data *net_data) {
- struct irs_ng *ng;
-
- if ((net_data != NULL) && ((ng = net_data->ng) != NULL))
- (*ng->rewind)(ng, netgroup);
-}
-
-void
-endnetgrent_p(struct net_data *net_data) {
- struct irs_ng *ng;
-
- if (!net_data)
- return;
- if ((ng = net_data->ng) != NULL)
- (*ng->close)(ng);
- net_data->ng = NULL;
-}
-
-int
-innetgr_p(const char *netgroup, const char *host,
- const char *user, const char *domain,
- struct net_data *net_data) {
- struct irs_ng *ng;
-
- if (!net_data || !(ng = net_data->ng))
- return (0);
- return ((*ng->test)(ng, netgroup, host, user, domain));
-}
-
-int
-getnetgrent_p(const char **host, const char **user, const char **domain,
- struct net_data *net_data ) {
- struct irs_ng *ng;
-
- if (!net_data || !(ng = net_data->ng))
- return (0);
- return ((*ng->next)(ng, host, user, domain));
-}
-
-/* Private */
-
-static struct net_data *
-init(void) {
- struct net_data *net_data;
-
- if (!(net_data = net_data_init(NULL)))
- goto error;
- if (!net_data->ng) {
- net_data->ng = (*net_data->irs->ng_map)(net_data->irs);
- if (!net_data->ng) {
- error:
- errno = EIO;
- return (NULL);
- }
- }
-
- return (net_data);
-}
-
-#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/getnetgrent_r.c b/contrib/bind9/lib/bind/irs/getnetgrent_r.c
deleted file mode 100644
index b5d9bb167d1b..000000000000
--- a/contrib/bind9/lib/bind/irs/getnetgrent_r.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.5.2.1.4.4 2005/09/03 12:47:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <port_before.h>
-#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
- static int getnetgrent_r_not_required = 0;
-#else
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <stdlib.h>
-#include <port_after.h>
-
-#ifdef NGR_R_RETURN
-
-static NGR_R_RETURN
-copy_protoent(char **, char **, char **, const char *, const char *,
- const char *, NGR_R_COPY_ARGS);
-
-NGR_R_RETURN
-innetgr_r(const char *netgroup, const char *host, const char *user,
- const char *domain) {
- char *ng, *ho, *us, *dom;
-
- DE_CONST(netgroup, ng);
- DE_CONST(host, ho);
- DE_CONST(user, us);
- DE_CONST(domain, dom);
-
- return (innetgr(ng, ho, us, dom));
-}
-
-/*
- * These assume a single context is in operation per thread.
- * If this is not the case we will need to call irs directly
- * rather than through the base functions.
- */
-
-NGR_R_RETURN
-getnetgrent_r(char **machinep, char **userp, char **domainp, NGR_R_ARGS) {
- char *mp, *up, *dp;
- int res = getnetgrent(&mp, &up, &dp);
-
- if (res != 1)
- return (res);
-
- return (copy_protoent(machinep, userp, domainp,
- mp, up, dp, NGR_R_COPY));
-}
-
-NGR_R_SET_RETURN
-#ifdef NGR_R_ENT_ARGS
-setnetgrent_r(const char *netgroup, NGR_R_ENT_ARGS)
-#else
-setnetgrent_r(const char *netgroup)
-#endif
-{
- char *tmp;
-#if defined(NGR_R_ENT_ARGS) && !defined(NGR_R_PRIVATE)
- UNUSED(buf);
- UNUSED(buflen);
-#endif
-
- DE_CONST(netgroup, tmp);
- setnetgrent(tmp);
-
-#ifdef NGR_R_PRIVATE
- *buf = NULL;
-#endif
-#ifdef NGR_R_SET_RESULT
- return (NGR_R_SET_RESULT);
-#endif
-}
-
-NGR_R_END_RETURN
-#ifdef NGR_R_ENT_ARGS
-endnetgrent_r(NGR_R_ENT_ARGS)
-#else
-endnetgrent_r(void)
-#endif
-{
-#if defined(NGR_R_ENT_ARGS) && !defined(NGR_R_PRIVATE)
- UNUSED(buf);
- UNUSED(buflen);
-#endif
-
- endnetgrent();
-#ifdef NGR_R_PRIVATE
- if (*buf != NULL)
- free(*buf);
- *buf = NULL;
-#endif
- NGR_R_END_RESULT(NGR_R_OK);
-}
-
-/* Private */
-
-static int
-copy_protoent(char **machinep, char **userp, char **domainp,
- const char *mp, const char *up, const char *dp,
- NGR_R_COPY_ARGS) {
- char *cp;
- int n;
- int len;
-
- /* Find out the amount of space required to store the answer. */
- len = 0;
- if (mp != NULL) len += strlen(mp) + 1;
- if (up != NULL) len += strlen(up) + 1;
- if (dp != NULL) len += strlen(dp) + 1;
-
-#ifdef NGR_R_PRIVATE
- free(*buf);
- *buf = malloc(len);
- if (*buf == NULL)
- return(NGR_R_BAD);
- cp = *buf;
-#else
- if (len > (int)buflen) {
- errno = ERANGE;
- return (NGR_R_BAD);
- }
- cp = buf;
-#endif
-
-
- if (mp != NULL) {
- n = strlen(mp) + 1;
- strcpy(cp, mp);
- *machinep = cp;
- cp += n;
- } else
- *machinep = NULL;
-
- if (up != NULL) {
- n = strlen(up) + 1;
- strcpy(cp, up);
- *userp = cp;
- cp += n;
- } else
- *userp = NULL;
-
- if (dp != NULL) {
- n = strlen(dp) + 1;
- strcpy(cp, dp);
- *domainp = cp;
- cp += n;
- } else
- *domainp = NULL;
-
- return (NGR_R_OK);
-}
-#else /* NGR_R_RETURN */
- static int getnetgrent_r_unknown_system = 0;
-#endif /* NGR_R_RETURN */
-#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
diff --git a/contrib/bind9/lib/bind/irs/getprotoent.c b/contrib/bind9/lib/bind/irs/getprotoent.c
deleted file mode 100644
index 145062fd77e7..000000000000
--- a/contrib/bind9/lib/bind/irs/getprotoent.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getprotoent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(__BIND_NOSTATIC)
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_data.h"
-
-/* Forward */
-
-static struct net_data *init(void);
-
-/* Public */
-
-struct protoent *
-getprotoent() {
- struct net_data *net_data = init();
-
- return (getprotoent_p(net_data));
-}
-
-struct protoent *
-getprotobyname(const char *name) {
- struct net_data *net_data = init();
-
- return (getprotobyname_p(name, net_data));
-}
-
-struct protoent *
-getprotobynumber(int proto) {
- struct net_data *net_data = init();
-
- return (getprotobynumber_p(proto, net_data));
-}
-
-void
-setprotoent(int stayopen) {
- struct net_data *net_data = init();
-
- setprotoent_p(stayopen, net_data);
-}
-
-void
-endprotoent() {
- struct net_data *net_data = init();
-
- endprotoent_p(net_data);
-}
-
-/* Shared private. */
-
-struct protoent *
-getprotoent_p(struct net_data *net_data) {
- struct irs_pr *pr;
-
- if (!net_data || !(pr = net_data->pr))
- return (NULL);
- net_data->pr_last = (*pr->next)(pr);
- return (net_data->pr_last);
-}
-
-struct protoent *
-getprotobyname_p(const char *name, struct net_data *net_data) {
- struct irs_pr *pr;
- char **pap;
-
- if (!net_data || !(pr = net_data->pr))
- return (NULL);
- if (net_data->pr_stayopen && net_data->pr_last) {
- if (!strcmp(net_data->pr_last->p_name, name))
- return (net_data->pr_last);
- for (pap = net_data->pr_last->p_aliases; pap && *pap; pap++)
- if (!strcmp(name, *pap))
- return (net_data->pr_last);
- }
- net_data->pr_last = (*pr->byname)(pr, name);
- if (!net_data->pr_stayopen)
- endprotoent();
- return (net_data->pr_last);
-}
-
-struct protoent *
-getprotobynumber_p(int proto, struct net_data *net_data) {
- struct irs_pr *pr;
-
- if (!net_data || !(pr = net_data->pr))
- return (NULL);
- if (net_data->pr_stayopen && net_data->pr_last)
- if (net_data->pr_last->p_proto == proto)
- return (net_data->pr_last);
- net_data->pr_last = (*pr->bynumber)(pr, proto);
- if (!net_data->pr_stayopen)
- endprotoent();
- return (net_data->pr_last);
-}
-
-void
-setprotoent_p(int stayopen, struct net_data *net_data) {
- struct irs_pr *pr;
-
- if (!net_data || !(pr = net_data->pr))
- return;
- (*pr->rewind)(pr);
- net_data->pr_stayopen = (stayopen != 0);
- if (stayopen == 0)
- net_data_minimize(net_data);
-}
-
-void
-endprotoent_p(struct net_data *net_data) {
- struct irs_pr *pr;
-
- if ((net_data != NULL) && ((pr = net_data->pr) != NULL))
- (*pr->minimize)(pr);
-}
-
-/* Private */
-
-static struct net_data *
-init() {
- struct net_data *net_data;
-
- if (!(net_data = net_data_init(NULL)))
- goto error;
- if (!net_data->pr) {
- net_data->pr = (*net_data->irs->pr_map)(net_data->irs);
-
- if (!net_data->pr || !net_data->res) {
- error:
- errno = EIO;
- return (NULL);
- }
- (*net_data->pr->res_set)(net_data->pr, net_data->res, NULL);
- }
-
- return (net_data);
-}
-
-#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/getprotoent_r.c b/contrib/bind9/lib/bind/irs/getprotoent_r.c
deleted file mode 100644
index 96bb4e323df6..000000000000
--- a/contrib/bind9/lib/bind/irs/getprotoent_r.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <port_before.h>
-#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
- static int getprotoent_r_not_required = 0;
-#else
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <port_after.h>
-
-#ifdef PROTO_R_RETURN
-
-static PROTO_R_RETURN
-copy_protoent(struct protoent *, struct protoent *, PROTO_R_COPY_ARGS);
-
-PROTO_R_RETURN
-getprotobyname_r(const char *name, struct protoent *pptr, PROTO_R_ARGS) {
- struct protoent *pe = getprotobyname(name);
-#ifdef PROTO_R_SETANSWER
- int n = 0;
-
- if (pe == NULL || (n = copy_protoent(pe, pptr, PROTO_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = pptr;
-
- return (n);
-#else
- if (pe == NULL)
- return (PROTO_R_BAD);
-
- return (copy_protoent(pe, pptr, PROTO_R_COPY));
-#endif
-}
-
-PROTO_R_RETURN
-getprotobynumber_r(int proto, struct protoent *pptr, PROTO_R_ARGS) {
- struct protoent *pe = getprotobynumber(proto);
-#ifdef PROTO_R_SETANSWER
- int n = 0;
-
- if (pe == NULL || (n = copy_protoent(pe, pptr, PROTO_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = pptr;
-
- return (n);
-#else
- if (pe == NULL)
- return (PROTO_R_BAD);
-
- return (copy_protoent(pe, pptr, PROTO_R_COPY));
-#endif
-}
-
-/*
- * These assume a single context is in operation per thread.
- * If this is not the case we will need to call irs directly
- * rather than through the base functions.
- */
-
-PROTO_R_RETURN
-getprotoent_r(struct protoent *pptr, PROTO_R_ARGS) {
- struct protoent *pe = getprotoent();
-#ifdef PROTO_R_SETANSWER
- int n = 0;
-
- if (pe == NULL || (n = copy_protoent(pe, pptr, PROTO_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = pptr;
-
- return (n);
-#else
- if (pe == NULL)
- return (PROTO_R_BAD);
-
- return (copy_protoent(pe, pptr, PROTO_R_COPY));
-#endif
-}
-
-PROTO_R_SET_RETURN
-#ifdef PROTO_R_ENT_ARGS
-setprotoent_r(int stay_open, PROTO_R_ENT_ARGS)
-#else
-setprotoent_r(int stay_open)
-#endif
-{
- setprotoent(stay_open);
-#ifdef PROTO_R_SET_RESULT
- return (PROTO_R_SET_RESULT);
-#endif
-}
-
-PROTO_R_END_RETURN
-#ifdef PROTO_R_ENT_ARGS
-endprotoent_r(PROTO_R_ENT_ARGS)
-#else
-endprotoent_r()
-#endif
-{
- endprotoent();
- PROTO_R_END_RESULT(PROTO_R_OK);
-}
-
-/* Private */
-
-#ifndef PROTOENT_DATA
-static PROTO_R_RETURN
-copy_protoent(struct protoent *pe, struct protoent *pptr, PROTO_R_COPY_ARGS) {
- char *cp;
- int i, n;
- int numptr, len;
-
- /* Find out the amount of space required to store the answer. */
- numptr = 1; /* NULL ptr */
- len = (char *)ALIGN(buf) - buf;
- for (i = 0; pe->p_aliases[i]; i++, numptr++) {
- len += strlen(pe->p_aliases[i]) + 1;
- }
- len += strlen(pe->p_name) + 1;
- len += numptr * sizeof(char*);
-
- if (len > (int)buflen) {
- errno = ERANGE;
- return (PROTO_R_BAD);
- }
-
- /* copy protocol value*/
- pptr->p_proto = pe->p_proto;
-
- cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
-
- /* copy official name */
- n = strlen(pe->p_name) + 1;
- strcpy(cp, pe->p_name);
- pptr->p_name = cp;
- cp += n;
-
- /* copy aliases */
- pptr->p_aliases = (char **)ALIGN(buf);
- for (i = 0 ; pe->p_aliases[i]; i++) {
- n = strlen(pe->p_aliases[i]) + 1;
- strcpy(cp, pe->p_aliases[i]);
- pptr->p_aliases[i] = cp;
- cp += n;
- }
- pptr->p_aliases[i] = NULL;
-
- return (PROTO_R_OK);
-}
-#else /* !PROTOENT_DATA */
-static int
-copy_protoent(struct protoent *pe, struct protoent *pptr, PROTO_R_COPY_ARGS) {
- char *cp, *eob;
- int i, n;
-
- /* copy protocol value */
- pptr->p_proto = pe->p_proto;
-
- /* copy official name */
- cp = pdptr->line;
- eob = pdptr->line + sizeof(pdptr->line);
- if ((n = strlen(pe->p_name) + 1) < (eob - cp)) {
- strcpy(cp, pe->p_name);
- pptr->p_name = cp;
- cp += n;
- } else {
- return (-1);
- }
-
- /* copy aliases */
- i = 0;
- pptr->p_aliases = pdptr->proto_aliases;
- while (pe->p_aliases[i] && i < (_MAXALIASES-1)) {
- if ((n = strlen(pe->p_aliases[i]) + 1) < (eob - cp)) {
- strcpy(cp, pe->p_aliases[i]);
- pptr->p_aliases[i] = cp;
- cp += n;
- } else {
- break;
- }
- i++;
- }
- pptr->p_aliases[i] = NULL;
-
- return (PROTO_R_OK);
-}
-#endif /* PROTOENT_DATA */
-#else /* PROTO_R_RETURN */
- static int getprotoent_r_unknown_system = 0;
-#endif /* PROTO_R_RETURN */
-#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
diff --git a/contrib/bind9/lib/bind/irs/getpwent.c b/contrib/bind9/lib/bind/irs/getpwent.c
deleted file mode 100644
index 10c237edc010..000000000000
--- a/contrib/bind9/lib/bind/irs/getpwent.c
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getpwent.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(WANT_IRS_PW) || defined(__BIND_NOSTATIC)
-static int __bind_irs_pw_unneeded;
-#else
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <pwd.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_data.h"
-
-/* Forward */
-
-static struct net_data * init(void);
-
-/* Public */
-
-struct passwd *
-getpwent(void) {
- struct net_data *net_data = init();
-
- return (getpwent_p(net_data));
-}
-
-struct passwd *
-getpwnam(const char *name) {
- struct net_data *net_data = init();
-
- return (getpwnam_p(name, net_data));
-}
-
-struct passwd *
-getpwuid(uid_t uid) {
- struct net_data *net_data = init();
-
- return (getpwuid_p(uid, net_data));
-}
-
-int
-setpassent(int stayopen) {
- struct net_data *net_data = init();
-
- return (setpassent_p(stayopen, net_data));
-}
-
-#ifdef SETPWENT_VOID
-void
-setpwent() {
- struct net_data *net_data = init();
-
- setpwent_p(net_data);
-}
-#else
-int
-setpwent() {
- struct net_data *net_data = init();
-
- return (setpwent_p(net_data));
-}
-#endif
-
-void
-endpwent() {
- struct net_data *net_data = init();
-
- endpwent_p(net_data);
-}
-
-/* Shared private. */
-
-struct passwd *
-getpwent_p(struct net_data *net_data) {
- struct irs_pw *pw;
-
- if (!net_data || !(pw = net_data->pw))
- return (NULL);
- net_data->pw_last = (*pw->next)(pw);
- return (net_data->pw_last);
-}
-
-struct passwd *
-getpwnam_p(const char *name, struct net_data *net_data) {
- struct irs_pw *pw;
-
- if (!net_data || !(pw = net_data->pw))
- return (NULL);
- if (net_data->pw_stayopen && net_data->pw_last &&
- !strcmp(net_data->pw_last->pw_name, name))
- return (net_data->pw_last);
- net_data->pw_last = (*pw->byname)(pw, name);
- if (!net_data->pw_stayopen)
- endpwent();
- return (net_data->pw_last);
-}
-
-struct passwd *
-getpwuid_p(uid_t uid, struct net_data *net_data) {
- struct irs_pw *pw;
-
- if (!net_data || !(pw = net_data->pw))
- return (NULL);
- if (net_data->pw_stayopen && net_data->pw_last &&
- net_data->pw_last->pw_uid == uid)
- return (net_data->pw_last);
- net_data->pw_last = (*pw->byuid)(pw, uid);
- if (!net_data->pw_stayopen)
- endpwent();
- return (net_data->pw_last);
-}
-
-int
-setpassent_p(int stayopen, struct net_data *net_data) {
- struct irs_pw *pw;
-
- if (!net_data || !(pw = net_data->pw))
- return (0);
- (*pw->rewind)(pw);
- net_data->pw_stayopen = (stayopen != 0);
- if (stayopen == 0)
- net_data_minimize(net_data);
- return (1);
-}
-
-#ifdef SETPWENT_VOID
-void
-setpwent_p(struct net_data *net_data) {
- (void) setpassent_p(0, net_data);
-}
-#else
-int
-setpwent_p(struct net_data *net_data) {
- return (setpassent_p(0, net_data));
-}
-#endif
-
-void
-endpwent_p(struct net_data *net_data) {
- struct irs_pw *pw;
-
- if ((net_data != NULL) && ((pw = net_data->pw) != NULL))
- (*pw->minimize)(pw);
-}
-
-/* Private */
-
-static struct net_data *
-init() {
- struct net_data *net_data;
- if (!(net_data = net_data_init(NULL)))
- goto error;
- if (!net_data->pw) {
- net_data->pw = (*net_data->irs->pw_map)(net_data->irs);
-
- if (!net_data->pw || !net_data->res) {
- error:
- errno = EIO;
- return (NULL);
- }
- (*net_data->pw->res_set)(net_data->pw, net_data->res, NULL);
- }
-
- return (net_data);
-}
-
-#endif /* WANT_IRS_PW */
diff --git a/contrib/bind9/lib/bind/irs/getpwent_r.c b/contrib/bind9/lib/bind/irs/getpwent_r.c
deleted file mode 100644
index d28f184405ff..000000000000
--- a/contrib/bind9/lib/bind/irs/getpwent_r.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getpwent_r.c,v 1.5.206.2 2004/09/17 13:32:37 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <port_before.h>
-#if !defined(_REENTRANT) || !defined(DO_PTHREADS) || !defined(WANT_IRS_PW)
- static int getpwent_r_not_required = 0;
-#else
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/types.h>
-#if (defined(POSIX_GETPWNAM_R) || defined(POSIX_GETPWUID_R))
-#if defined(_POSIX_PTHREAD_SEMANTICS)
- /* turn off solaris remapping in <grp.h> */
-#undef _POSIX_PTHREAD_SEMANTICS
-#include <pwd.h>
-#define _POSIX_PTHREAD_SEMANTICS 1
-#else
-#define _UNIX95 1
-#include <pwd.h>
-#endif
-#else
-#include <pwd.h>
-#endif
-#include <port_after.h>
-
-#ifdef PASS_R_RETURN
-
-static int
-copy_passwd(struct passwd *, struct passwd *, char *buf, int buflen);
-
-/* POSIX 1003.1c */
-#ifdef POSIX_GETPWNAM_R
-int
-__posix_getpwnam_r(const char *login, struct passwd *pwptr,
- char *buf, size_t buflen, struct passwd **result) {
-#else
-int
-getpwnam_r(const char *login, struct passwd *pwptr,
- char *buf, size_t buflen, struct passwd **result) {
-#endif
- struct passwd *pw = getpwnam(login);
- int res;
-
- if (pw == NULL) {
- *result = NULL;
- return (0);
- }
-
- res = copy_passwd(pw, pwptr, buf, buflen);
- *result = res ? NULL : pwptr;
- return (res);
-}
-
-#ifdef POSIX_GETPWNAM_R
-struct passwd *
-getpwnam_r(const char *login, struct passwd *pwptr, char *buf, int buflen) {
- struct passwd *pw = getpwnam(login);
- int res;
-
- if (pw == NULL)
- return (NULL);
-
- res = copy_passwd(pw, pwptr, buf, buflen);
- return (res ? NULL : pwptr);
-}
-#endif
-
-/* POSIX 1003.1c */
-#ifdef POSIX_GETPWUID_R
-int
-__posix_getpwuid_r(uid_t uid, struct passwd *pwptr,
- char *buf, int buflen, struct passwd **result) {
-#else
-int
-getpwuid_r(uid_t uid, struct passwd *pwptr,
- char *buf, size_t buflen, struct passwd **result) {
-#endif
- struct passwd *pw = getpwuid(uid);
- int res;
-
- if (pw == NULL) {
- *result = NULL;
- return (0);
- }
-
- res = copy_passwd(pw, pwptr, buf, buflen);
- *result = res ? NULL : pwptr;
- return (res);
-}
-
-#ifdef POSIX_GETPWUID_R
-struct passwd *
-getpwuid_r(uid_t uid, struct passwd *pwptr, char *buf, int buflen) {
- struct passwd *pw = getpwuid(uid);
- int res;
-
- if (pw == NULL)
- return (NULL);
-
- res = copy_passwd(pw, pwptr, buf, buflen);
- return (res ? NULL : pwptr);
-}
-#endif
-
-/*
- * These assume a single context is in operation per thread.
- * If this is not the case we will need to call irs directly
- * rather than through the base functions.
- */
-
-PASS_R_RETURN
-getpwent_r(struct passwd *pwptr, PASS_R_ARGS) {
- struct passwd *pw = getpwent();
- int res = 0;
-
- if (pw == NULL)
- return (PASS_R_BAD);
-
- res = copy_passwd(pw, pwptr, buf, buflen);
- return (res ? PASS_R_BAD : PASS_R_OK);
-}
-
-PASS_R_SET_RETURN
-#ifdef PASS_R_ENT_ARGS
-setpassent_r(int stayopen, PASS_R_ENT_ARGS)
-#else
-setpassent_r(int stayopen)
-#endif
-{
-
- setpassent(stayopen);
-#ifdef PASS_R_SET_RESULT
- return (PASS_R_SET_RESULT);
-#endif
-}
-
-PASS_R_SET_RETURN
-#ifdef PASS_R_ENT_ARGS
-setpwent_r(PASS_R_ENT_ARGS)
-#else
-setpwent_r(void)
-#endif
-{
-
- setpwent();
-#ifdef PASS_R_SET_RESULT
- return (PASS_R_SET_RESULT);
-#endif
-}
-
-PASS_R_END_RETURN
-#ifdef PASS_R_ENT_ARGS
-endpwent_r(PASS_R_ENT_ARGS)
-#else
-endpwent_r(void)
-#endif
-{
-
- endpwent();
- PASS_R_END_RESULT(PASS_R_OK);
-}
-
-
-#ifdef HAS_FGETPWENT
-PASS_R_RETURN
-fgetpwent_r(FILE *f, struct passwd *pwptr, PASS_R_COPY_ARGS) {
- struct passwd *pw = fgetpwent(f);
- int res = 0;
-
- if (pw == NULL)
- return (PASS_R_BAD);
-
- res = copy_passwd(pw, pwptr, PASS_R_COPY);
- return (res ? PASS_R_BAD : PASS_R_OK );
-}
-#endif
-
-/* Private */
-
-static int
-copy_passwd(struct passwd *pw, struct passwd *pwptr, char *buf, int buflen) {
- char *cp;
- int n;
- int len;
-
- /* Find out the amount of space required to store the answer. */
- len = strlen(pw->pw_name) + 1;
- len += strlen(pw->pw_passwd) + 1;
-#ifdef HAVE_PW_CLASS
- len += strlen(pw->pw_class) + 1;
-#endif
- len += strlen(pw->pw_gecos) + 1;
- len += strlen(pw->pw_dir) + 1;
- len += strlen(pw->pw_shell) + 1;
-
- if (len > buflen) {
- errno = ERANGE;
- return (ERANGE);
- }
-
- /* copy fixed atomic values*/
- pwptr->pw_uid = pw->pw_uid;
- pwptr->pw_gid = pw->pw_gid;
-#ifdef HAVE_PW_CHANGE
- pwptr->pw_change = pw->pw_change;
-#endif
-#ifdef HAVE_PW_EXPIRE
- pwptr->pw_expire = pw->pw_expire;
-#endif
-
- cp = buf;
-
- /* copy official name */
- n = strlen(pw->pw_name) + 1;
- strcpy(cp, pw->pw_name);
- pwptr->pw_name = cp;
- cp += n;
-
- /* copy password */
- n = strlen(pw->pw_passwd) + 1;
- strcpy(cp, pw->pw_passwd);
- pwptr->pw_passwd = cp;
- cp += n;
-
-#ifdef HAVE_PW_CLASS
- /* copy class */
- n = strlen(pw->pw_class) + 1;
- strcpy(cp, pw->pw_class);
- pwptr->pw_class = cp;
- cp += n;
-#endif
-
- /* copy gecos */
- n = strlen(pw->pw_gecos) + 1;
- strcpy(cp, pw->pw_gecos);
- pwptr->pw_gecos = cp;
- cp += n;
-
- /* copy directory */
- n = strlen(pw->pw_dir) + 1;
- strcpy(cp, pw->pw_dir);
- pwptr->pw_dir = cp;
- cp += n;
-
- /* copy login shell */
- n = strlen(pw->pw_shell) + 1;
- strcpy(cp, pw->pw_shell);
- pwptr->pw_shell = cp;
- cp += n;
-
- return (0);
-}
-#else /* PASS_R_RETURN */
- static int getpwent_r_unknown_system = 0;
-#endif /* PASS_R_RETURN */
-#endif /* !def(_REENTRANT) || !def(DO_PTHREADS) || !def(WANT_IRS_PW) */
diff --git a/contrib/bind9/lib/bind/irs/getservent.c b/contrib/bind9/lib/bind/irs/getservent.c
deleted file mode 100644
index a13e36fe9aef..000000000000
--- a/contrib/bind9/lib/bind/irs/getservent.c
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: getservent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(__BIND_NOSTATIC)
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_data.h"
-
-/* Forward */
-
-static struct net_data *init(void);
-
-/* Public */
-
-struct servent *
-getservent(void) {
- struct net_data *net_data = init();
-
- return (getservent_p(net_data));
-}
-
-struct servent *
-getservbyname(const char *name, const char *proto) {
- struct net_data *net_data = init();
-
- return (getservbyname_p(name, proto, net_data));
-}
-
-struct servent *
-getservbyport(int port, const char *proto) {
- struct net_data *net_data = init();
-
- return (getservbyport_p(port, proto, net_data));
-}
-
-void
-setservent(int stayopen) {
- struct net_data *net_data = init();
-
- setservent_p(stayopen, net_data);
-}
-
-void
-endservent() {
- struct net_data *net_data = init();
-
- endservent_p(net_data);
-}
-
-/* Shared private. */
-
-struct servent *
-getservent_p(struct net_data *net_data) {
- struct irs_sv *sv;
-
- if (!net_data || !(sv = net_data->sv))
- return (NULL);
- net_data->sv_last = (*sv->next)(sv);
- return (net_data->sv_last);
-}
-
-struct servent *
-getservbyname_p(const char *name, const char *proto,
- struct net_data *net_data) {
- struct irs_sv *sv;
- char **sap;
-
- if (!net_data || !(sv = net_data->sv))
- return (NULL);
- if (net_data->sv_stayopen && net_data->sv_last)
- if (!proto || !strcmp(net_data->sv_last->s_proto, proto)) {
- if (!strcmp(net_data->sv_last->s_name, name))
- return (net_data->sv_last);
- for (sap = net_data->sv_last->s_aliases;
- sap && *sap; sap++)
- if (!strcmp(name, *sap))
- return (net_data->sv_last);
- }
- net_data->sv_last = (*sv->byname)(sv, name, proto);
- if (!net_data->sv_stayopen)
- endservent();
- return (net_data->sv_last);
-}
-
-struct servent *
-getservbyport_p(int port, const char *proto, struct net_data *net_data) {
- struct irs_sv *sv;
-
- if (!net_data || !(sv = net_data->sv))
- return (NULL);
- if (net_data->sv_stayopen && net_data->sv_last)
- if (port == net_data->sv_last->s_port &&
- ( !proto ||
- !strcmp(net_data->sv_last->s_proto, proto)))
- return (net_data->sv_last);
- net_data->sv_last = (*sv->byport)(sv, port, proto);
- return (net_data->sv_last);
-}
-
-void
-setservent_p(int stayopen, struct net_data *net_data) {
- struct irs_sv *sv;
-
- if (!net_data || !(sv = net_data->sv))
- return;
- (*sv->rewind)(sv);
- net_data->sv_stayopen = (stayopen != 0);
- if (stayopen == 0)
- net_data_minimize(net_data);
-}
-
-void
-endservent_p(struct net_data *net_data) {
- struct irs_sv *sv;
-
- if ((net_data != NULL) && ((sv = net_data->sv) != NULL))
- (*sv->minimize)(sv);
-}
-
-/* Private */
-
-static struct net_data *
-init() {
- struct net_data *net_data;
-
- if (!(net_data = net_data_init(NULL)))
- goto error;
- if (!net_data->sv) {
- net_data->sv = (*net_data->irs->sv_map)(net_data->irs);
-
- if (!net_data->sv || !net_data->res) {
- error:
- errno = EIO;
- return (NULL);
- }
- (*net_data->sv->res_set)(net_data->sv, net_data->res, NULL);
- }
-
- return (net_data);
-}
-
-#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/getservent_r.c b/contrib/bind9/lib/bind/irs/getservent_r.c
deleted file mode 100644
index b24f468ab484..000000000000
--- a/contrib/bind9/lib/bind/irs/getservent_r.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: getservent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <port_before.h>
-#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
- static int getservent_r_not_required = 0;
-#else
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <sys/param.h>
-#include <port_after.h>
-
-#ifdef SERV_R_RETURN
-
-static SERV_R_RETURN
-copy_servent(struct servent *, struct servent *, SERV_R_COPY_ARGS);
-
-SERV_R_RETURN
-getservbyname_r(const char *name, const char *proto,
- struct servent *sptr, SERV_R_ARGS) {
- struct servent *se = getservbyname(name, proto);
-#ifdef SERV_R_SETANSWER
- int n = 0;
-
- if (se == NULL || (n = copy_servent(se, sptr, SERV_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = sptr;
-
- return (n);
-#else
- if (se == NULL)
- return (SERV_R_BAD);
-
- return (copy_servent(se, sptr, SERV_R_COPY));
-#endif
-}
-
-SERV_R_RETURN
-getservbyport_r(int port, const char *proto,
- struct servent *sptr, SERV_R_ARGS) {
- struct servent *se = getservbyport(port, proto);
-#ifdef SERV_R_SETANSWER
- int n = 0;
-
- if (se == NULL || (n = copy_servent(se, sptr, SERV_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = sptr;
-
- return (n);
-#else
- if (se == NULL)
- return (SERV_R_BAD);
-
- return (copy_servent(se, sptr, SERV_R_COPY));
-#endif
-}
-
-/*
- * These assume a single context is in operation per thread.
- * If this is not the case we will need to call irs directly
- * rather than through the base functions.
- */
-
-SERV_R_RETURN
-getservent_r(struct servent *sptr, SERV_R_ARGS) {
- struct servent *se = getservent();
-#ifdef SERV_R_SETANSWER
- int n = 0;
-
- if (se == NULL || (n = copy_servent(se, sptr, SERV_R_COPY)) != 0)
- *answerp = NULL;
- else
- *answerp = sptr;
-
- return (n);
-#else
- if (se == NULL)
- return (SERV_R_BAD);
-
- return (copy_servent(se, sptr, SERV_R_COPY));
-#endif
-}
-
-SERV_R_SET_RETURN
-#ifdef SERV_R_ENT_ARGS
-setservent_r(int stay_open, SERV_R_ENT_ARGS)
-#else
-setservent_r(int stay_open)
-#endif
-{
-
- setservent(stay_open);
-#ifdef SERV_R_SET_RESULT
- return (SERV_R_SET_RESULT);
-#endif
-}
-
-SERV_R_END_RETURN
-#ifdef SERV_R_ENT_ARGS
-endservent_r(SERV_R_ENT_ARGS)
-#else
-endservent_r()
-#endif
-{
-
- endservent();
- SERV_R_END_RESULT(SERV_R_OK);
-}
-
-/* Private */
-
-#ifndef SERVENT_DATA
-static SERV_R_RETURN
-copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
- char *cp;
- int i, n;
- int numptr, len;
-
- /* Find out the amount of space required to store the answer. */
- numptr = 1; /* NULL ptr */
- len = (char *)ALIGN(buf) - buf;
- for (i = 0; se->s_aliases[i]; i++, numptr++) {
- len += strlen(se->s_aliases[i]) + 1;
- }
- len += strlen(se->s_name) + 1;
- len += strlen(se->s_proto) + 1;
- len += numptr * sizeof(char*);
-
- if (len > (int)buflen) {
- errno = ERANGE;
- return (SERV_R_BAD);
- }
-
- /* copy port value */
- sptr->s_port = se->s_port;
-
- cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
-
- /* copy official name */
- n = strlen(se->s_name) + 1;
- strcpy(cp, se->s_name);
- sptr->s_name = cp;
- cp += n;
-
- /* copy aliases */
- sptr->s_aliases = (char **)ALIGN(buf);
- for (i = 0 ; se->s_aliases[i]; i++) {
- n = strlen(se->s_aliases[i]) + 1;
- strcpy(cp, se->s_aliases[i]);
- sptr->s_aliases[i] = cp;
- cp += n;
- }
- sptr->s_aliases[i] = NULL;
-
- /* copy proto */
- n = strlen(se->s_proto) + 1;
- strcpy(cp, se->s_proto);
- sptr->s_proto = cp;
- cp += n;
-
- return (SERV_R_OK);
-}
-#else /* !SERVENT_DATA */
-static int
-copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
- char *cp, *eob;
- int i, n;
-
- /* copy port value */
- sptr->s_port = se->s_port;
-
- /* copy official name */
- cp = ndptr->line;
- eob = ndptr->line + sizeof(ndptr->line);
- if ((n = strlen(se->s_name) + 1) < (eob - cp)) {
- strcpy(cp, se->s_name);
- sptr->s_name = cp;
- cp += n;
- } else {
- return (-1);
- }
-
- /* copy aliases */
- i = 0;
- sptr->s_aliases = ndptr->serv_aliases;
- while (se->s_aliases[i] && i < (_MAXALIASES-1)) {
- if ((n = strlen(se->s_aliases[i]) + 1) < (eob - cp)) {
- strcpy(cp, se->s_aliases[i]);
- sptr->s_aliases[i] = cp;
- cp += n;
- } else {
- break;
- }
- i++;
- }
- sptr->s_aliases[i] = NULL;
-
- /* copy proto */
- if ((n = strlen(se->s_proto) + 1) < (eob - cp)) {
- strcpy(cp, se->s_proto);
- sptr->s_proto = cp;
- cp += n;
- } else {
- return (-1);
- }
-
- return (SERV_R_OK);
-}
-#endif /* !SERVENT_DATA */
-#else /*SERV_R_RETURN */
- static int getservent_r_unknown_system = 0;
-#endif /*SERV_R_RETURN */
-#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
diff --git a/contrib/bind9/lib/bind/irs/hesiod.c b/contrib/bind9/lib/bind/irs/hesiod.c
deleted file mode 100644
index 618c592249b7..000000000000
--- a/contrib/bind9/lib/bind/irs/hesiod.c
+++ /dev/null
@@ -1,505 +0,0 @@
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: hesiod.c,v 1.1.2.1.4.4 2005/07/28 07:43:19 marka Exp $";
-#endif
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
- */
-
-/*
- * hesiod.c --- the core portion of the hesiod resolver.
- *
- * This file is derived from the hesiod library from Project Athena;
- * It has been extensively rewritten by Theodore Ts'o to have a more
- * thread-safe interface.
- */
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "port_after.h"
-
-#include "pathnames.h"
-#include "hesiod.h"
-#include "hesiod_p.h"
-
-/* Forward */
-
-int hesiod_init(void **context);
-void hesiod_end(void *context);
-char * hesiod_to_bind(void *context, const char *name,
- const char *type);
-char ** hesiod_resolve(void *context, const char *name,
- const char *type);
-void hesiod_free_list(void *context, char **list);
-
-static int parse_config_file(struct hesiod_p *ctx, const char *filename);
-static char ** get_txt_records(struct hesiod_p *ctx, int class,
- const char *name);
-static int init(struct hesiod_p *ctx);
-
-/* Public */
-
-/*
- * This function is called to initialize a hesiod_p.
- */
-int
-hesiod_init(void **context) {
- struct hesiod_p *ctx;
- char *cp;
-
- ctx = malloc(sizeof(struct hesiod_p));
- if (ctx == 0) {
- errno = ENOMEM;
- return (-1);
- }
-
- memset(ctx, 0, sizeof (*ctx));
-
- if (parse_config_file(ctx, _PATH_HESIOD_CONF) < 0) {
-#ifdef DEF_RHS
- /*
- * Use compiled in defaults.
- */
- ctx->LHS = malloc(strlen(DEF_LHS) + 1);
- ctx->RHS = malloc(strlen(DEF_RHS) + 1);
- if (ctx->LHS == NULL || ctx->RHS == NULL) {
- errno = ENOMEM;
- goto cleanup;
- }
- strcpy(ctx->LHS, DEF_LHS); /* (checked) */
- strcpy(ctx->RHS, DEF_RHS); /* (checked) */
-#else
- goto cleanup;
-#endif
- }
- /*
- * The default RHS can be overridden by an environment
- * variable.
- */
- if ((cp = getenv("HES_DOMAIN")) != NULL) {
- size_t RHSlen = strlen(cp) + 2;
- if (ctx->RHS)
- free(ctx->RHS);
- ctx->RHS = malloc(RHSlen);
- if (!ctx->RHS) {
- errno = ENOMEM;
- goto cleanup;
- }
- if (cp[0] == '.') {
- strcpy(ctx->RHS, cp); /* (checked) */
- } else {
- strcpy(ctx->RHS, "."); /* (checked) */
- strcat(ctx->RHS, cp); /* (checked) */
- }
- }
-
- /*
- * If there is no default hesiod realm set, we return an
- * error.
- */
- if (!ctx->RHS) {
- errno = ENOEXEC;
- goto cleanup;
- }
-
-#if 0
- if (res_ninit(ctx->res) < 0)
- goto cleanup;
-#endif
-
- *context = ctx;
- return (0);
-
- cleanup:
- hesiod_end(ctx);
- return (-1);
-}
-
-/*
- * This function deallocates the hesiod_p
- */
-void
-hesiod_end(void *context) {
- struct hesiod_p *ctx = (struct hesiod_p *) context;
- int save_errno = errno;
-
- if (ctx->res)
- res_nclose(ctx->res);
- if (ctx->RHS)
- free(ctx->RHS);
- if (ctx->LHS)
- free(ctx->LHS);
- if (ctx->res && ctx->free_res)
- (*ctx->free_res)(ctx->res);
- free(ctx);
- errno = save_errno;
-}
-
-/*
- * This function takes a hesiod (name, type) and returns a DNS
- * name which is to be resolved.
- */
-char *
-hesiod_to_bind(void *context, const char *name, const char *type) {
- struct hesiod_p *ctx = (struct hesiod_p *) context;
- char *bindname;
- char **rhs_list = NULL;
- const char *RHS, *cp;
-
- /* Decide what our RHS is, and set cp to the end of the actual name. */
- if ((cp = strchr(name, '@')) != NULL) {
- if (strchr(cp + 1, '.'))
- RHS = cp + 1;
- else if ((rhs_list = hesiod_resolve(context, cp + 1,
- "rhs-extension")) != NULL)
- RHS = *rhs_list;
- else {
- errno = ENOENT;
- return (NULL);
- }
- } else {
- RHS = ctx->RHS;
- cp = name + strlen(name);
- }
-
- /*
- * Allocate the space we need, including up to three periods and
- * the terminating NUL.
- */
- if ((bindname = malloc((cp - name) + strlen(type) + strlen(RHS) +
- (ctx->LHS ? strlen(ctx->LHS) : 0) + 4)) == NULL) {
- errno = ENOMEM;
- if (rhs_list)
- hesiod_free_list(context, rhs_list);
- return NULL;
- }
-
- /* Now put together the DNS name. */
- memcpy(bindname, name, cp - name);
- bindname[cp - name] = '\0';
- strcat(bindname, ".");
- strcat(bindname, type);
- if (ctx->LHS) {
- if (ctx->LHS[0] != '.')
- strcat(bindname, ".");
- strcat(bindname, ctx->LHS);
- }
- if (RHS[0] != '.')
- strcat(bindname, ".");
- strcat(bindname, RHS);
-
- if (rhs_list)
- hesiod_free_list(context, rhs_list);
-
- return (bindname);
-}
-
-/*
- * This is the core function. Given a hesiod (name, type), it
- * returns an array of strings returned by the resolver.
- */
-char **
-hesiod_resolve(void *context, const char *name, const char *type) {
- struct hesiod_p *ctx = (struct hesiod_p *) context;
- char *bindname = hesiod_to_bind(context, name, type);
- char **retvec;
-
- if (bindname == NULL)
- return (NULL);
- if (init(ctx) == -1) {
- free(bindname);
- return (NULL);
- }
-
- if ((retvec = get_txt_records(ctx, C_IN, bindname))) {
- free(bindname);
- return (retvec);
- }
-
- if (errno != ENOENT)
- return (NULL);
-
- retvec = get_txt_records(ctx, C_HS, bindname);
- free(bindname);
- return (retvec);
-}
-
-void
-hesiod_free_list(void *context, char **list) {
- char **p;
-
- UNUSED(context);
-
- for (p = list; *p; p++)
- free(*p);
- free(list);
-}
-
-/*
- * This function parses the /etc/hesiod.conf file
- */
-static int
-parse_config_file(struct hesiod_p *ctx, const char *filename) {
- char *key, *data, *cp, **cpp;
- char buf[MAXDNAME+7];
- FILE *fp;
-
- /*
- * Clear the existing configuration variable, just in case
- * they're set.
- */
- if (ctx->RHS)
- free(ctx->RHS);
- if (ctx->LHS)
- free(ctx->LHS);
- ctx->RHS = ctx->LHS = 0;
-
- /*
- * Now open and parse the file...
- */
- if (!(fp = fopen(filename, "r")))
- return (-1);
-
- while (fgets(buf, sizeof(buf), fp) != NULL) {
- cp = buf;
- if (*cp == '#' || *cp == '\n' || *cp == '\r')
- continue;
- while(*cp == ' ' || *cp == '\t')
- cp++;
- key = cp;
- while(*cp != ' ' && *cp != '\t' && *cp != '=')
- cp++;
- *cp++ = '\0';
-
- while(*cp == ' ' || *cp == '\t' || *cp == '=')
- cp++;
- data = cp;
- while(*cp != ' ' && *cp != '\n' && *cp != '\r')
- cp++;
- *cp++ = '\0';
-
- if (strcmp(key, "lhs") == 0)
- cpp = &ctx->LHS;
- else if (strcmp(key, "rhs") == 0)
- cpp = &ctx->RHS;
- else
- continue;
-
- *cpp = malloc(strlen(data) + 1);
- if (!*cpp) {
- errno = ENOMEM;
- goto cleanup;
- }
- strcpy(*cpp, data);
- }
- fclose(fp);
- return (0);
-
- cleanup:
- fclose(fp);
- if (ctx->RHS)
- free(ctx->RHS);
- if (ctx->LHS)
- free(ctx->LHS);
- ctx->RHS = ctx->LHS = 0;
- return (-1);
-}
-
-/*
- * Given a DNS class and a DNS name, do a lookup for TXT records, and
- * return a list of them.
- */
-static char **
-get_txt_records(struct hesiod_p *ctx, int class, const char *name) {
- struct {
- int type; /* RR type */
- int class; /* RR class */
- int dlen; /* len of data section */
- u_char *data; /* pointer to data */
- } rr;
- HEADER *hp;
- u_char qbuf[MAX_HESRESP], abuf[MAX_HESRESP];
- u_char *cp, *erdata, *eom;
- char *dst, *edst, **list;
- int ancount, qdcount;
- int i, j, n, skip;
-
- /*
- * Construct the query and send it.
- */
- n = res_nmkquery(ctx->res, QUERY, name, class, T_TXT, NULL, 0,
- NULL, qbuf, MAX_HESRESP);
- if (n < 0) {
- errno = EMSGSIZE;
- return (NULL);
- }
- n = res_nsend(ctx->res, qbuf, n, abuf, MAX_HESRESP);
- if (n < 0) {
- errno = ECONNREFUSED;
- return (NULL);
- }
- if (n < HFIXEDSZ) {
- errno = EMSGSIZE;
- return (NULL);
- }
-
- /*
- * OK, parse the result.
- */
- hp = (HEADER *) abuf;
- ancount = ntohs(hp->ancount);
- qdcount = ntohs(hp->qdcount);
- cp = abuf + sizeof(HEADER);
- eom = abuf + n;
-
- /* Skip query, trying to get to the answer section which follows. */
- for (i = 0; i < qdcount; i++) {
- skip = dn_skipname(cp, eom);
- if (skip < 0 || cp + skip + QFIXEDSZ > eom) {
- errno = EMSGSIZE;
- return (NULL);
- }
- cp += skip + QFIXEDSZ;
- }
-
- list = malloc((ancount + 1) * sizeof(char *));
- if (!list) {
- errno = ENOMEM;
- return (NULL);
- }
- j = 0;
- for (i = 0; i < ancount; i++) {
- skip = dn_skipname(cp, eom);
- if (skip < 0) {
- errno = EMSGSIZE;
- goto cleanup;
- }
- cp += skip;
- if (cp + 3 * INT16SZ + INT32SZ > eom) {
- errno = EMSGSIZE;
- goto cleanup;
- }
- rr.type = ns_get16(cp);
- cp += INT16SZ;
- rr.class = ns_get16(cp);
- cp += INT16SZ + INT32SZ; /* skip the ttl, too */
- rr.dlen = ns_get16(cp);
- cp += INT16SZ;
- if (cp + rr.dlen > eom) {
- errno = EMSGSIZE;
- goto cleanup;
- }
- rr.data = cp;
- cp += rr.dlen;
- if (rr.class != class || rr.type != T_TXT)
- continue;
- if (!(list[j] = malloc(rr.dlen)))
- goto cleanup;
- dst = list[j++];
- edst = dst + rr.dlen;
- erdata = rr.data + rr.dlen;
- cp = rr.data;
- while (cp < erdata) {
- n = (unsigned char) *cp++;
- if (cp + n > eom || dst + n > edst) {
- errno = EMSGSIZE;
- goto cleanup;
- }
- memcpy(dst, cp, n);
- cp += n;
- dst += n;
- }
- if (cp != erdata) {
- errno = EMSGSIZE;
- goto cleanup;
- }
- *dst = '\0';
- }
- list[j] = NULL;
- if (j == 0) {
- errno = ENOENT;
- goto cleanup;
- }
- return (list);
-
- cleanup:
- for (i = 0; i < j; i++)
- free(list[i]);
- free(list);
- return (NULL);
-}
-
-struct __res_state *
-__hesiod_res_get(void *context) {
- struct hesiod_p *ctx = context;
-
- if (!ctx->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (res == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- __hesiod_res_set(ctx, res, free);
- }
-
- return (ctx->res);
-}
-
-void
-__hesiod_res_set(void *context, struct __res_state *res,
- void (*free_res)(void *)) {
- struct hesiod_p *ctx = context;
-
- if (ctx->res && ctx->free_res) {
- res_nclose(ctx->res);
- (*ctx->free_res)(ctx->res);
- }
-
- ctx->res = res;
- ctx->free_res = free_res;
-}
-
-static int
-init(struct hesiod_p *ctx) {
-
- if (!ctx->res && !__hesiod_res_get(ctx))
- return (-1);
-
- if (((ctx->res->options & RES_INIT) == 0U) &&
- (res_ninit(ctx->res) == -1))
- return (-1);
-
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/irs/hesiod_p.h b/contrib/bind9/lib/bind/irs/hesiod_p.h
deleted file mode 100644
index 5af70a792bd1..000000000000
--- a/contrib/bind9/lib/bind/irs/hesiod_p.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
- */
-
-/*
- * $Id: hesiod_p.h,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $
- */
-
-/*
- * hesiod_p.h -- private definitions for the hesiod library
- */
-
-#ifndef _HESIOD_P_H_INCLUDED
-#define _HESIOD_P_H_INCLUDED
-
-#define DEF_RHS ".Athena.MIT.EDU" /* Defaults if HESIOD_CONF */
-#define DEF_LHS ".ns" /* file is not */
- /* present. */
-struct hesiod_p {
- char * LHS; /* normally ".ns" */
- char * RHS; /* AKA the default hesiod domain */
- struct __res_state * res; /* resolver context */
- void (*free_res)(void *);
- void (*res_set)(struct hesiod_p *, struct __res_state *,
- void (*)(void *));
- struct __res_state * (*res_get)(struct hesiod_p *);
-};
-
-#define MAX_HESRESP 1024
-
-#endif /*_HESIOD_P_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/irs/irp.c b/contrib/bind9/lib/bind/irs/irp.c
deleted file mode 100644
index e5620db3e23f..000000000000
--- a/contrib/bind9/lib/bind/irs/irp.c
+++ /dev/null
@@ -1,592 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996, 1998 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp.c,v 1.3.2.1.10.2 2004/03/17 01:49:41 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-#include <stdarg.h>
-#include <fcntl.h>
-#include <syslog.h>
-#include <ctype.h>
-#include <unistd.h>
-
-#include <isc/memcluster.h>
-
-#include <irs.h>
-#include <irp.h>
-
-#include "irs_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-/* Forward. */
-
-static void irp_close(struct irs_acc *);
-
-#define LINEINCR 128
-
-#if !defined(SUN_LEN)
-#define SUN_LEN(su) \
- (sizeof (*(su)) - sizeof ((su)->sun_path) + strlen((su)->sun_path))
-#endif
-
-
-/* Public */
-
-
-/* send errors to syslog if true. */
-int irp_log_errors = 1;
-
-/*
- * This module handles the irp module connection to irpd.
- *
- * The client expects a synchronous interface to functions like
- * getpwnam(3), so we can't use the ctl_* i/o library on this end of
- * the wire (it's used in the server).
- */
-
-/*
- * irs_acc *irs_irp_acc(const char *options);
- *
- * Initialize the irp module.
- */
-struct irs_acc *
-irs_irp_acc(const char *options) {
- struct irs_acc *acc;
- struct irp_p *irp;
-
- UNUSED(options);
-
- if (!(acc = memget(sizeof *acc))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(acc, 0x5e, sizeof *acc);
- if (!(irp = memget(sizeof *irp))) {
- errno = ENOMEM;
- free(acc);
- return (NULL);
- }
- irp->inlast = 0;
- irp->incurr = 0;
- irp->fdCxn = -1;
- acc->private = irp;
-
-#ifdef WANT_IRS_GR
- acc->gr_map = irs_irp_gr;
-#else
- acc->gr_map = NULL;
-#endif
-#ifdef WANT_IRS_PW
- acc->pw_map = irs_irp_pw;
-#else
- acc->pw_map = NULL;
-#endif
- acc->sv_map = irs_irp_sv;
- acc->pr_map = irs_irp_pr;
- acc->ho_map = irs_irp_ho;
- acc->nw_map = irs_irp_nw;
- acc->ng_map = irs_irp_ng;
- acc->close = irp_close;
- return (acc);
-}
-
-
-int
-irs_irp_connection_setup(struct irp_p *cxndata, int *warned) {
- if (irs_irp_is_connected(cxndata)) {
- return (0);
- } else if (irs_irp_connect(cxndata) != 0) {
- if (warned != NULL && !*warned) {
- syslog(LOG_ERR, "irpd connection failed: %m\n");
- (*warned)++;
- }
-
- return (-1);
- }
-
- return (0);
-}
-
-
-/*
- * int irs_irp_connect(void);
- *
- * Sets up the connection to the remote irpd server.
- *
- * Returns:
- *
- * 0 on success, -1 on failure.
- *
- */
-int
-irs_irp_connect(struct irp_p *pvt) {
- int flags;
- struct sockaddr *addr;
- struct sockaddr_in iaddr;
-#ifndef NO_SOCKADDR_UN
- struct sockaddr_un uaddr;
-#endif
- long ipaddr;
- const char *irphost;
- int code;
- char text[256];
- int socklen = 0;
-
- if (pvt->fdCxn != -1) {
- perror("fd != 1");
- return (-1);
- }
-
-#ifndef NO_SOCKADDR_UN
- memset(&uaddr, 0, sizeof uaddr);
-#endif
- memset(&iaddr, 0, sizeof iaddr);
-
- irphost = getenv(IRPD_HOST_ENV);
- if (irphost == NULL) {
- irphost = "127.0.0.1";
- }
-
-#ifndef NO_SOCKADDR_UN
- if (irphost[0] == '/') {
- addr = (struct sockaddr *)&uaddr;
- strncpy(uaddr.sun_path, irphost, sizeof uaddr.sun_path);
- uaddr.sun_family = AF_UNIX;
- socklen = SUN_LEN(&uaddr);
-#ifdef HAVE_SA_LEN
- uaddr.sun_len = socklen;
-#endif
- } else
-#endif
- {
- if (inet_pton(AF_INET, irphost, &ipaddr) != 1) {
- errno = EADDRNOTAVAIL;
- perror("inet_pton");
- return (-1);
- }
-
- addr = (struct sockaddr *)&iaddr;
- socklen = sizeof iaddr;
-#ifdef HAVE_SA_LEN
- iaddr.sin_len = socklen;
-#endif
- iaddr.sin_family = AF_INET;
- iaddr.sin_port = htons(IRPD_PORT);
- iaddr.sin_addr.s_addr = ipaddr;
- }
-
-
- pvt->fdCxn = socket(addr->sa_family, SOCK_STREAM, PF_UNSPEC);
- if (pvt->fdCxn < 0) {
- perror("socket");
- return (-1);
- }
-
- if (connect(pvt->fdCxn, addr, socklen) != 0) {
- perror("connect");
- return (-1);
- }
-
- flags = fcntl(pvt->fdCxn, F_GETFL, 0);
- if (flags < 0) {
- close(pvt->fdCxn);
- perror("close");
- return (-1);
- }
-
-#if 0
- flags |= O_NONBLOCK;
- if (fcntl(pvt->fdCxn, F_SETFL, flags) < 0) {
- close(pvt->fdCxn);
- perror("fcntl");
- return (-1);
- }
-#endif
-
- code = irs_irp_read_response(pvt, text, sizeof text);
- if (code != IRPD_WELCOME_CODE) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "Connection failed: %s", text);
- }
- irs_irp_disconnect(pvt);
- return (-1);
- }
-
- return (0);
-}
-
-
-
-/*
- * int irs_irp_is_connected(struct irp_p *pvt);
- *
- * Returns:
- *
- * Non-zero if streams are setup to remote.
- *
- */
-
-int
-irs_irp_is_connected(struct irp_p *pvt) {
- return (pvt->fdCxn >= 0);
-}
-
-
-
-/*
- * void
- * irs_irp_disconnect(struct irp_p *pvt);
- *
- * Closes streams to remote.
- */
-
-void
-irs_irp_disconnect(struct irp_p *pvt) {
- if (pvt->fdCxn != -1) {
- close(pvt->fdCxn);
- pvt->fdCxn = -1;
- }
-}
-
-
-
-int
-irs_irp_read_line(struct irp_p *pvt, char *buffer, int len) {
- char *realstart = &pvt->inbuffer[0];
- char *p, *start, *end;
- int spare;
- int i;
- int buffpos = 0;
- int left = len - 1;
-
- while (left > 0) {
- start = p = &pvt->inbuffer[pvt->incurr];
- end = &pvt->inbuffer[pvt->inlast];
-
- while (p != end && *p != '\n')
- p++;
-
- if (p == end) {
- /* Found no newline so shift data down if necessary
- * and append new data to buffer
- */
- if (start > realstart) {
- memmove(realstart, start, end - start);
- pvt->inlast = end - start;
- start = realstart;
- pvt->incurr = 0;
- end = &pvt->inbuffer[pvt->inlast];
- }
-
- spare = sizeof (pvt->inbuffer) - pvt->inlast;
-
- p = end;
- i = read(pvt->fdCxn, end, spare);
- if (i < 0) {
- close(pvt->fdCxn);
- pvt->fdCxn = -1;
- return (buffpos > 0 ? buffpos : -1);
- } else if (i == 0) {
- return (buffpos);
- }
-
- end += i;
- pvt->inlast += i;
-
- while (p != end && *p != '\n')
- p++;
- }
-
- if (p == end) {
- /* full buffer and still no newline */
- i = sizeof pvt->inbuffer;
- } else {
- /* include newline */
- i = p - start + 1;
- }
-
- if (i > left)
- i = left;
- memcpy(buffer + buffpos, start, i);
- pvt->incurr += i;
- buffpos += i;
- buffer[buffpos] = '\0';
-
- if (p != end) {
- left = 0;
- } else {
- left -= i;
- }
- }
-
-#if 0
- fprintf(stderr, "read line: %s\n", buffer);
-#endif
- return (buffpos);
-}
-
-
-
-
-
-/*
- * int irp_read_response(struct irp_p *pvt);
- *
- * Returns:
- *
- * The number found at the beginning of the line read from
- * FP. 0 on failure(0 is not a legal response code). The
- * rest of the line is discarded.
- *
- */
-
-int
-irs_irp_read_response(struct irp_p *pvt, char *text, size_t textlen) {
- char line[1024];
- int code;
- char *p;
-
- if (irs_irp_read_line(pvt, line, sizeof line) <= 0) {
- return (0);
- }
-
- p = strchr(line, '\n');
- if (p == NULL) {
- return (0);
- }
-
- if (sscanf(line, "%d", &code) != 1) {
- code = 0;
- } else if (text != NULL && textlen > 0U) {
- p = line;
- while (isspace((unsigned char)*p)) p++;
- while (isdigit((unsigned char)*p)) p++;
- while (isspace((unsigned char)*p)) p++;
- strncpy(text, p, textlen - 1);
- p[textlen - 1] = '\0';
- }
-
- return (code);
-}
-
-
-
-/*
- * char *irp_read_body(struct irp_p *pvt, size_t *size);
- *
- * Read in the body of a response. Terminated by a line with
- * just a dot on it. Lines should be terminated with a CR-LF
- * sequence, but we're nt piccky if the CR is missing.
- * No leading dot escaping is done as the protcol doesn't
- * use leading dots anywhere.
- *
- * Returns:
- *
- * Pointer to null-terminated buffer allocated by memget.
- * *SIZE is set to the length of the buffer.
- *
- */
-
-char *
-irs_irp_read_body(struct irp_p *pvt, size_t *size) {
- char line[1024];
- u_int linelen;
- size_t len = LINEINCR;
- char *buffer = memget(len);
- int idx = 0;
-
- for (;;) {
- if (irs_irp_read_line(pvt, line, sizeof line) <= 0 ||
- strchr(line, '\n') == NULL)
- goto death;
-
- linelen = strlen(line);
-
- if (line[linelen - 1] != '\n')
- goto death;
-
- /* We're not strict about missing \r. Should we be?? */
- if (linelen > 2 && line[linelen - 2] == '\r') {
- line[linelen - 2] = '\n';
- line[linelen - 1] = '\0';
- linelen--;
- }
-
- if (linelen == 2 && line[0] == '.') {
- *size = len;
- buffer[idx] = '\0';
-
- return (buffer);
- }
-
- if (linelen > (len - (idx + 1))) {
- char *p = memget(len + LINEINCR);
-
- if (p == NULL)
- goto death;
- memcpy(p, buffer, len);
- memput(buffer, len);
- buffer = p;
- len += LINEINCR;
- }
-
- memcpy(buffer + idx, line, linelen);
- idx += linelen;
- }
- death:
- memput(buffer, len);
- return (NULL);
-}
-
-
-/*
- * int irs_irp_get_full_response(struct irp_p *pvt, int *code,
- * char **body, size_t *bodylen);
- *
- * Gets the response to a command. If the response indicates
- * there's a body to follow(code % 10 == 1), then the
- * body buffer is allcoated with memget and stored in
- * *BODY. The length of the allocated body buffer is stored
- * in *BODY. The caller must give the body buffer back to
- * memput when done. The results code is stored in *CODE.
- *
- * Returns:
- *
- * 0 if a result was read. -1 on some sort of failure.
- *
- */
-
-int
-irs_irp_get_full_response(struct irp_p *pvt, int *code, char *text,
- size_t textlen, char **body, size_t *bodylen) {
- int result = irs_irp_read_response(pvt, text, textlen);
-
- *body = NULL;
-
- if (result == 0) {
- return (-1);
- }
-
- *code = result;
-
- /* Code that matches 2xx is a good result code.
- * Code that matches xx1 means there's a response body coming.
- */
- if ((result / 100) == 2 && (result % 10) == 1) {
- *body = irs_irp_read_body(pvt, bodylen);
- if (*body == NULL) {
- return (-1);
- }
- }
-
- return (0);
-}
-
-
-/*
- * int irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...);
- *
- * Sends command to remote connected via the PVT
- * struture. FMT and args after it are fprintf-like
- * arguments for formatting.
- *
- * Returns:
- *
- * 0 on success, -1 on failure.
- */
-
-int
-irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...) {
- va_list ap;
- char buffer[1024];
- int pos = 0;
- int i, todo;
-
-
- if (pvt->fdCxn < 0) {
- return (-1);
- }
-
- va_start(ap, fmt);
- todo = vsprintf(buffer, fmt, ap);
- va_end(ap);
- if (todo > (int)sizeof(buffer) - 3) {
- syslog(LOG_CRIT, "memory overrun in irs_irp_send_command()");
- exit(1);
- }
- strcat(buffer, "\r\n");
- todo = strlen(buffer);
-
- while (todo > 0) {
- i = write(pvt->fdCxn, buffer + pos, todo);
-#if 0
- /* XXX brister */
- fprintf(stderr, "Wrote: \"");
- fwrite(buffer + pos, sizeof (char), todo, stderr);
- fprintf(stderr, "\"\n");
-#endif
- if (i < 0) {
- close(pvt->fdCxn);
- pvt->fdCxn = -1;
- return (-1);
- }
- todo -= i;
- }
-
- return (0);
-}
-
-
-/* Methods */
-
-
-
-/*
- * void irp_close(struct irs_acc *this)
- *
- */
-
-static void
-irp_close(struct irs_acc *this) {
- struct irp_p *irp = (struct irp_p *)this->private;
-
- if (irp != NULL) {
- irs_irp_disconnect(irp);
- memput(irp, sizeof *irp);
- }
-
- memput(this, sizeof *this);
-}
-
-
-
diff --git a/contrib/bind9/lib/bind/irs/irp_gr.c b/contrib/bind9/lib/bind/irs/irp_gr.c
deleted file mode 100644
index f7e3a2fa8279..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_gr.c
+++ /dev/null
@@ -1,408 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright(c) 1996, 1998 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_gr.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* extern */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_PW
-static int __bind_irs_gr_unneeded;
-#else
-
-#include <syslog.h>
-#include <sys/param.h>
-#include <sys/types.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <grp.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <syslog.h>
-
-#include <irs.h>
-#include <irp.h>
-#include <isc/memcluster.h>
-#include <isc/irpmarshall.h>
-
-#include "irs_p.h"
-#include "lcl_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-
-/* Types. */
-
-/*
- * Module for the getnetgrent(3) family to use when connected to a
- * remote irp daemon.
- *
- * See irpd.c for justification of caching done here.
- *
- */
-
-struct pvt {
- struct irp_p *girpdata; /* global IRP data */
- int warned;
- struct group group;
-};
-
-/* Forward. */
-
-static void gr_close(struct irs_gr *);
-static struct group * gr_next(struct irs_gr *);
-static struct group * gr_byname(struct irs_gr *, const char *);
-static struct group * gr_bygid(struct irs_gr *, gid_t);
-static void gr_rewind(struct irs_gr *);
-static void gr_minimize(struct irs_gr *);
-
-/* Private */
-static void free_group(struct group *gr);
-
-
-/* Public. */
-
-
-
-
-
-/*
- * struct irs_gr * irs_irp_gr(struct irs_acc *this)
- *
- * Notes:
- *
- * Initialize the group sub-module.
- *
- * Notes:
- *
- * Module data.
- *
- */
-
-struct irs_gr *
-irs_irp_gr(struct irs_acc *this) {
- struct irs_gr *gr;
- struct pvt *pvt;
-
- if (!(gr = memget(sizeof *gr))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(gr, 0x0, sizeof *gr);
-
- if (!(pvt = memget(sizeof *pvt))) {
- memput(gr, sizeof *gr);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0x0, sizeof *pvt);
- pvt->girpdata = this->private;
-
- gr->private = pvt;
- gr->close = gr_close;
- gr->next = gr_next;
- gr->byname = gr_byname;
- gr->bygid = gr_bygid;
- gr->rewind = gr_rewind;
- gr->list = make_group_list;
- gr->minimize = gr_minimize;
- return (gr);
-}
-
-/* Methods. */
-
-
-
-/*
- * void gr_close(struct irs_gr *this)
- *
- * Notes:
- *
- * Close the sub-module.
- *
- */
-
-static void
-gr_close(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- gr_minimize(this);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-
-
-
-/*
- * struct group * gr_next(struct irs_gr *this)
- *
- * Notes:
- *
- * Gets the next group out of the cached data and returns it.
- *
- */
-
-static struct group *
-gr_next(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct group *gr = &pvt->group;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getgrent") != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "getgrent failed: %s", text);
- }
- return (NULL);
- }
-
- if (code == IRPD_GETGROUP_OK) {
- free_group(gr);
- if (irp_unmarshall_gr(gr, body) != 0) {
- gr = NULL;
- }
- } else {
- gr = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (gr);
-}
-
-
-
-
-
-/*
- * struct group * gr_byname(struct irs_gr *this, const char *name)
- *
- * Notes:
- *
- * Gets a group by name from irpd and returns it.
- *
- */
-
-static struct group *
-gr_byname(struct irs_gr *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct group *gr = &pvt->group;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
-
- if (gr->gr_name != NULL && strcmp(name, gr->gr_name) == 0) {
- return (gr);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getgrnam %s", name) != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETGROUP_OK) {
- free_group(gr);
- if (irp_unmarshall_gr(gr, body) != 0) {
- gr = NULL;
- }
- } else {
- gr = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (gr);
-}
-
-
-
-
-
-/*
- * struct group * gr_bygid(struct irs_gr *this, gid_t gid)
- *
- * Notes:
- *
- * Gets a group by gid from irpd and returns it.
- *
- */
-
-static struct group *
-gr_bygid(struct irs_gr *this, gid_t gid) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct group *gr = &pvt->group;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
- if (gr->gr_name != NULL && (gid_t)gr->gr_gid == gid) {
- return (gr);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getgrgid %d", gid) != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETGROUP_OK) {
- free_group(gr);
- if (irp_unmarshall_gr(gr, body) != 0) {
- gr = NULL;
- }
- } else {
- gr = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (gr);
-}
-
-
-
-
-/*
- * void gr_rewind(struct irs_gr *this)
- *
- */
-
-static void
-gr_rewind(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char text[256];
- int code;
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return;
- }
-
- if (irs_irp_send_command(pvt->girpdata, "setgrent") != 0) {
- return;
- }
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code != IRPD_GETGROUP_SETOK) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "setgrent failed: %s", text);
- }
- }
-
- return;
-}
-
-
-
-
-/*
- * void gr_minimize(struct irs_gr *this)
- *
- * Notes:
- *
- * Frees up cached data and disconnects(if necessary) from the remote.
- *
- */
-
-static void
-gr_minimize(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- free_group(&pvt->group);
- irs_irp_disconnect(pvt->girpdata);
-}
-
-/* Private. */
-
-
-
-/*
- * static void free_group(struct group *gr);
- *
- * Deallocate all the memory irp_unmarshall_gr allocated.
- *
- */
-
-static void
-free_group(struct group *gr) {
- char **p;
-
- if (gr == NULL)
- return;
-
- if (gr->gr_name != NULL)
- free(gr->gr_name);
-
- if (gr->gr_passwd != NULL)
- free(gr->gr_passwd);
-
- for (p = gr->gr_mem ; p != NULL && *p != NULL ; p++)
- free(*p);
-
- if (gr->gr_mem)
- free(gr->gr_mem);
-
- if (p != NULL)
- free(p);
-}
-
-
-#endif /* WANT_IRS_GR */
diff --git a/contrib/bind9/lib/bind/irs/irp_ho.c b/contrib/bind9/lib/bind/irs/irp_ho.c
deleted file mode 100644
index 905661254b7e..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_ho.c
+++ /dev/null
@@ -1,429 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996,1998 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_ho.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports. */
-
-#include "port_before.h"
-
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-
-#include <irs.h>
-#include <irp.h>
-#include <isc/irpmarshall.h>
-#include <isc/memcluster.h>
-
-#include "irs_p.h"
-#include "dns_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-/* Definitions. */
-
-#define MAXALIASES 35
-#define MAXADDRS 35
-#define Max(a,b) ((a) > (b) ? (a) : (b))
-
-
-struct pvt {
- struct irp_p *girpdata;
- int warned;
- struct hostent host;
-};
-
-/* Forward. */
-
-static void ho_close(struct irs_ho *this);
-static struct hostent * ho_byname(struct irs_ho *this, const char *name);
-static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
- int af);
-static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
- int len, int af);
-static struct hostent * ho_next(struct irs_ho *this);
-static void ho_rewind(struct irs_ho *this);
-static void ho_minimize(struct irs_ho *this);
-
-static void free_host(struct hostent *ho);
-static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
- const struct addrinfo *pai);
-
-/* Public. */
-
-
-
-/*
- * struct irs_ho * irs_irp_ho(struct irs_acc *this)
- *
- * Notes:
- *
- * Initializes the irp_ho module.
- *
- */
-
-struct irs_ho *
-irs_irp_ho(struct irs_acc *this) {
- struct irs_ho *ho;
- struct pvt *pvt;
-
- if (!(ho = memget(sizeof *ho))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(ho, 0x0, sizeof *ho);
-
- if (!(pvt = memget(sizeof *pvt))) {
- memput(ho, sizeof *ho);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->girpdata = this->private;
-
- ho->private = pvt;
- ho->close = ho_close;
- ho->byname = ho_byname;
- ho->byname2 = ho_byname2;
- ho->byaddr = ho_byaddr;
- ho->next = ho_next;
- ho->rewind = ho_rewind;
- ho->minimize = ho_minimize;
- ho->addrinfo = ho_addrinfo;
-
- return (ho);
-}
-
-/* Methods. */
-
-
-
-/*
- * void ho_close(struct irs_ho *this)
- *
- * Notes:
- *
- * Closes down the module.
- *
- */
-
-static void
-ho_close(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- ho_minimize(this);
-
- free_host(&pvt->host);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-
-
-/*
- * struct hostent * ho_byname(struct irs_ho *this, const char *name)
- *
- */
-
-static struct hostent *
-ho_byname(struct irs_ho *this, const char *name) {
- return (ho_byname2(this, name, AF_INET));
-}
-
-
-
-
-
-/*
- * struct hostent * ho_byname2(struct irs_ho *this, const char *name, int af)
- *
- */
-
-static struct hostent *
-ho_byname2(struct irs_ho *this, const char *name, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *ho = &pvt->host;
- char *body = NULL;
- size_t bodylen;
- int code;
- char text[256];
-
- if (ho->h_name != NULL &&
- strcmp(name, ho->h_name) == 0 &&
- af == ho->h_addrtype) {
- return (ho);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "gethostbyname2 %s %s",
- name, ADDR_T_STR(af)) != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETHOST_OK) {
- free_host(ho);
- if (irp_unmarshall_ho(ho, body) != 0) {
- ho = NULL;
- }
- } else {
- ho = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (ho);
-}
-
-
-
-/*
- * struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
- * int len, int af)
- *
- */
-
-static struct hostent *
-ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *ho = &pvt->host;
- char *body = NULL;
- size_t bodylen;
- int code;
- char **p;
- char paddr[MAXPADDRSIZE];
- char text[256];
-
- if (ho->h_name != NULL &&
- af == ho->h_addrtype &&
- len == ho->h_length) {
- for (p = ho->h_addr_list ; *p != NULL ; p++) {
- if (memcmp(*p, addr, len) == 0)
- return (ho);
- }
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (inet_ntop(af, addr, paddr, sizeof paddr) == NULL) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "gethostbyaddr %s %s",
- paddr, ADDR_T_STR(af)) != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETHOST_OK) {
- free_host(ho);
- if (irp_unmarshall_ho(ho, body) != 0) {
- ho = NULL;
- }
- } else {
- ho = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (ho);
-}
-
-
-
-
-
-/*
- * struct hostent * ho_next(struct irs_ho *this)
- *
- * Notes:
- *
- * The implementation for gethostent(3). The first time it's
- * called all the data is pulled from the remote(i.e. what
- * the maximum number of gethostent(3) calls would return)
- * and that data is cached.
- *
- */
-
-static struct hostent *
-ho_next(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *ho = &pvt->host;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "gethostent") != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETHOST_OK) {
- free_host(ho);
- if (irp_unmarshall_ho(ho, body) != 0) {
- ho = NULL;
- }
- } else {
- ho = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (ho);
-}
-
-
-
-
-
-/*
- * void ho_rewind(struct irs_ho *this)
- *
- */
-
-static void
-ho_rewind(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char text[256];
- int code;
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return;
- }
-
- if (irs_irp_send_command(pvt->girpdata, "sethostent") != 0) {
- return;
- }
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code != IRPD_GETHOST_SETOK) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "sethostent failed: %s", text);
- }
- }
-
- return;
-}
-
-
-
-
-/*
- * void ho_minimize(struct irs_ho *this)
- *
- */
-
-static void
-ho_minimize(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- free_host(&pvt->host);
-
- irs_irp_disconnect(pvt->girpdata);
-}
-
-
-
-
-/*
- * void free_host(struct hostent *ho)
- *
- */
-
-static void
-free_host(struct hostent *ho) {
- char **p;
-
- if (ho == NULL) {
- return;
- }
-
- if (ho->h_name != NULL)
- free(ho->h_name);
-
- if (ho->h_aliases != NULL) {
- for (p = ho->h_aliases ; *p != NULL ; p++)
- free(*p);
- free(ho->h_aliases);
- }
-
- if (ho->h_addr_list != NULL) {
- for (p = ho->h_addr_list ; *p != NULL ; p++)
- free(*p);
- free(ho->h_addr_list);
- }
-}
-
-/* dummy */
-static struct addrinfo *
-ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
-{
- UNUSED(this);
- UNUSED(name);
- UNUSED(pai);
- return(NULL);
-}
diff --git a/contrib/bind9/lib/bind/irs/irp_ng.c b/contrib/bind9/lib/bind/irs/irp_ng.c
deleted file mode 100644
index cf7bc7c31ea2..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_ng.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996, 1998 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irp_ng.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <syslog.h>
-
-#include <irs.h>
-#include <irp.h>
-#include <isc/memcluster.h>
-#include <isc/irpmarshall.h>
-
-#include "irs_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-/* Definitions */
-
-struct pvt {
- struct irp_p *girpdata;
- int warned;
-};
-
-
-/* Forward */
-
-static void ng_rewind(struct irs_ng *, const char*);
-static void ng_close(struct irs_ng *);
-static int ng_next(struct irs_ng *, const char **, const char **,
- const char **);
-static int ng_test(struct irs_ng *, const char *,
- const char *, const char *,
- const char *);
-static void ng_minimize(struct irs_ng *);
-
-
-/* Public */
-
-
-
-/*
- * struct irs_ng * irs_irp_ng(struct irs_acc *this)
- *
- * Notes:
- *
- * Intialize the irp netgroup module.
- *
- */
-
-struct irs_ng *
-irs_irp_ng(struct irs_acc *this) {
- struct irs_ng *ng;
- struct pvt *pvt;
-
- if (!(ng = memget(sizeof *ng))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(ng, 0x5e, sizeof *ng);
-
- if (!(pvt = memget(sizeof *pvt))) {
- memput(ng, sizeof *ng);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->girpdata = this->private;
-
- ng->private = pvt;
- ng->close = ng_close;
- ng->next = ng_next;
- ng->test = ng_test;
- ng->rewind = ng_rewind;
- ng->minimize = ng_minimize;
- return (ng);
-}
-
-/* Methods */
-
-
-
-/*
- * void ng_close(struct irs_ng *this)
- *
- */
-
-static void
-ng_close(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- ng_minimize(this);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-
-
-
-/*
- * void ng_rewind(struct irs_ng *this, const char *group)
- *
- *
- */
-
-static void
-ng_rewind(struct irs_ng *this, const char *group) {
- struct pvt *pvt = (struct pvt *)this->private;
- char text[256];
- int code;
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return;
- }
-
- if (irs_irp_send_command(pvt->girpdata,
- "setnetgrent %s", group) != 0) {
- return;
- }
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code != IRPD_GETNETGR_SETOK) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "setnetgrent(%s) failed: %s",
- group, text);
- }
- }
-
- return;
-}
-
-
-
-
-/*
- * int ng_next(struct irs_ng *this, const char **host, const char **user,
- * const char **domain)
- *
- * Notes:
- *
- * Get the next netgroup item from the cache.
- *
- */
-
-static int
-ng_next(struct irs_ng *this, const char **host, const char **user,
- const char **domain)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- int code;
- char *body = NULL;
- size_t bodylen;
- int rval = 0;
- char text[256];
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (0);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getnetgrent") != 0)
- return (0);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (0);
- }
-
- if (code == IRPD_GETNETGR_OK) {
- if (irp_unmarshall_ng(host, user, domain, body) == 0) {
- rval = 1;
- }
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (rval);
-}
-
-
-
-/*
- * int ng_test(struct irs_ng *this, const char *name, const char *host,
- * const char *user, const char *domain)
- *
- * Notes:
- *
- * Search for a match in a netgroup.
- *
- */
-
-static int
-ng_test(struct irs_ng *this, const char *name,
- const char *host, const char *user, const char *domain)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- char *body = NULL;
- size_t bodylen = 0;
- int code;
- char text[256];
- int rval = 0;
-
- UNUSED(name);
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (0);
- }
-
- if (irp_marshall_ng(host, user, domain, &body, &bodylen) != 0) {
- return (0);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "innetgr %s", body) == 0) {
- memput(body, bodylen);
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code == IRPD_GETNETGR_MATCHES) {
- rval = 1;
- }
- }
-
- return (rval);
-}
-
-
-
-
-/*
- * void ng_minimize(struct irs_ng *this)
- *
- */
-
-static void
-ng_minimize(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- irs_irp_disconnect(pvt->girpdata);
-}
-
-
-
-
-/* Private */
-
diff --git a/contrib/bind9/lib/bind/irs/irp_nw.c b/contrib/bind9/lib/bind/irs/irp_nw.c
deleted file mode 100644
index 346e5a4d8002..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_nw.c
+++ /dev/null
@@ -1,375 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996,1998 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_nw.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#if 0
-
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-
-#include <irs.h>
-#include <irp.h>
-#include <isc/irpmarshall.h>
-
-#include <isc/memcluster.h>
-#include <isc/misc.h>
-
-#include "irs_p.h"
-#include "lcl_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-#define MAXALIASES 35
-#define MAXADDRSIZE 4
-
-struct pvt {
- struct irp_p *girpdata;
- int warned;
- struct nwent net;
-};
-
-/* Forward */
-
-static void nw_close(struct irs_nw *);
-static struct nwent * nw_byname(struct irs_nw *, const char *, int);
-static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
-static struct nwent * nw_next(struct irs_nw *);
-static void nw_rewind(struct irs_nw *);
-static void nw_minimize(struct irs_nw *);
-
-static void free_nw(struct nwent *nw);
-
-
-/* Public */
-
-
-
-/*
- * struct irs_nw * irs_irp_nw(struct irs_acc *this)
- *
- */
-
-struct irs_nw *
-irs_irp_nw(struct irs_acc *this) {
- struct irs_nw *nw;
- struct pvt *pvt;
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
-
- if (!(nw = memget(sizeof *nw))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(nw, 0x0, sizeof *nw);
- pvt->girpdata = this->private;
-
- nw->private = pvt;
- nw->close = nw_close;
- nw->byname = nw_byname;
- nw->byaddr = nw_byaddr;
- nw->next = nw_next;
- nw->rewind = nw_rewind;
- nw->minimize = nw_minimize;
- return (nw);
-}
-
-/* Methods */
-
-
-
-/*
- * void nw_close(struct irs_nw *this)
- *
- */
-
-static void
-nw_close(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- nw_minimize(this);
-
- free_nw(&pvt->net);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-
-
-
-/*
- * struct nwent * nw_byaddr(struct irs_nw *this, void *net,
- * int length, int type)
- *
- */
-
-static struct nwent *
-nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct nwent *nw = &pvt->net;
- char *body = NULL;
- size_t bodylen;
- int code;
- char paddr[24]; /* bigenough for ip4 w/ cidr spec. */
- char text[256];
-
- if (inet_net_ntop(type, net, length, paddr, sizeof paddr) == NULL) {
- return (NULL);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getnetbyaddr %s %s",
- paddr, ADDR_T_STR(type)) != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETNET_OK) {
- free_nw(nw);
- if (irp_unmarshall_nw(nw, body) != 0) {
- nw = NULL;
- }
- } else {
- nw = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (nw);
-}
-
-
-
-
-/*
- * struct nwent * nw_byname(struct irs_nw *this, const char *name, int type)
- *
- */
-
-static struct nwent *
-nw_byname(struct irs_nw *this, const char *name, int type) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct nwent *nw = &pvt->net;
- char *body = NULL;
- size_t bodylen;
- int code;
- char text[256];
-
- if (nw->n_name != NULL &&
- strcmp(name, nw->n_name) == 0 &&
- nw->n_addrtype == type) {
- return (nw);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getnetbyname %s", name) != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETNET_OK) {
- free_nw(nw);
- if (irp_unmarshall_nw(nw, body) != 0) {
- nw = NULL;
- }
- } else {
- nw = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (nw);
-}
-
-
-
-
-/*
- * void nw_rewind(struct irs_nw *this)
- *
- */
-
-static void
-nw_rewind(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char text[256];
- int code;
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return;
- }
-
- if (irs_irp_send_command(pvt->girpdata, "setnetent") != 0) {
- return;
- }
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code != IRPD_GETNET_SETOK) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "setnetent failed: %s", text);
- }
- }
-
- return;
-}
-
-
-
-
-
-
-/*
- * struct nwent * nw_next(struct irs_nw *this)
- *
- * Notes:
- *
- * Prepares the cache if necessary and returns the first, or
- * next item from it.
- */
-
-static struct nwent *
-nw_next(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct nwent *nw = &pvt->net;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getnetent") != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETNET_OK) {
- free_nw(nw);
- if (irp_unmarshall_nw(nw, body) != 0) {
- nw = NULL;
- }
- } else {
- nw = NULL;
- }
-
- return (nw);
-}
-
-
-
-
-
-
-/*
- * void nw_minimize(struct irs_nw *this)
- *
- */
-
-static void
-nw_minimize(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- irs_irp_disconnect(pvt->girpdata);
-}
-
-
-
-
-/* private. */
-
-
-
-/*
- * static void free_passwd(struct passwd *pw);
- *
- * deallocate all the memory irp_unmarshall_pw allocated.
- *
- */
-
-static void
-free_nw(struct nwent *nw) {
- char **p;
-
- if (nw == NULL)
- return;
-
- if (nw->n_name != NULL)
- free(nw->n_name);
-
- if (nw->n_aliases != NULL) {
- for (p = nw->n_aliases ; *p != NULL ; p++) {
- free(*p);
- }
- free(nw->n_aliases);
- }
-
- if (nw->n_addr != NULL)
- free(nw->n_addr);
-}
diff --git a/contrib/bind9/lib/bind/irs/irp_p.h b/contrib/bind9/lib/bind/irs/irp_p.h
deleted file mode 100644
index fa2858dba444..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_p.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: irp_p.h,v 1.1.2.2.4.1 2004/03/09 08:33:37 marka Exp $
- */
-
-#ifndef _IRP_P_H_INCLUDED
-#define _IRP_P_H_INCLUDED
-
-#include <stdio.h>
-
-struct irp_p {
- char inbuffer[1024];
- int inlast; /* index of one past the last char in buffer */
- int incurr; /* index of the next char to be read from buffer */
-
- int fdCxn;
-};
-
-/*
- * Externs.
- */
-
-extern struct irs_acc * irs_irp_acc __P((const char *));
-extern struct irs_gr * irs_irp_gr __P((struct irs_acc *));
-extern struct irs_pw * irs_irp_pw __P((struct irs_acc *));
-extern struct irs_sv * irs_irp_sv __P((struct irs_acc *));
-extern struct irs_pr * irs_irp_pr __P((struct irs_acc *));
-extern struct irs_ho * irs_irp_ho __P((struct irs_acc *));
-extern struct irs_nw * irs_irp_nw __P((struct irs_acc *));
-extern struct irs_ng * irs_irp_ng __P((struct irs_acc *));
-
-int irs_irp_connect(struct irp_p *pvt);
-int irs_irp_is_connected(struct irp_p *pvt);
-void irs_irp_disconnect(struct irp_p *pvt);
-int irs_irp_read_response(struct irp_p *pvt, char *text, size_t textlen);
-char *irs_irp_read_body(struct irp_p *pvt, size_t *size);
-int irs_irp_get_full_response(struct irp_p *pvt, int *code,
- char *text, size_t textlen,
- char **body, size_t *bodylen);
-
-extern int irp_log_errors;
-
-#endif
diff --git a/contrib/bind9/lib/bind/irs/irp_pr.c b/contrib/bind9/lib/bind/irs/irp_pr.c
deleted file mode 100644
index 07d739d62b19..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_pr.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* extern */
-
-#include "port_before.h"
-
-#include <syslog.h>
-#include <sys/types.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <syslog.h>
-
-#include <irs.h>
-#include <irp.h>
-#include <isc/memcluster.h>
-#include <isc/irpmarshall.h>
-
-#include "irs_p.h"
-#include "lcl_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-
-#define MAXALIASES 35
-
-/* Types */
-
-struct pvt {
- struct irp_p *girpdata;
- int warned;
- struct protoent proto;
-};
-
-/* Forward */
-
-static void pr_close(struct irs_pr *);
-static struct protoent * pr_next(struct irs_pr *);
-static struct protoent * pr_byname(struct irs_pr *, const char *);
-static struct protoent * pr_bynumber(struct irs_pr *, int);
-static void pr_rewind(struct irs_pr *);
-static void pr_minimize(struct irs_pr *);
-
-static void free_proto(struct protoent *pr);
-
-/* Public */
-
-
-
-/*
- * struct irs_pr * irs_irp_pr(struct irs_acc *this)
- *
- */
-
-struct irs_pr *
-irs_irp_pr(struct irs_acc *this) {
- struct irs_pr *pr;
- struct pvt *pvt;
-
- if (!(pr = memget(sizeof *pr))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pr, 0x0, sizeof *pr);
-
- if (!(pvt = memget(sizeof *pvt))) {
- memput(pr, sizeof *pr);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->girpdata = this->private;
-
- pr->private = pvt;
- pr->close = pr_close;
- pr->byname = pr_byname;
- pr->bynumber = pr_bynumber;
- pr->next = pr_next;
- pr->rewind = pr_rewind;
- pr->minimize = pr_minimize;
- return (pr);
-}
-
-/* Methods */
-
-
-
-/*
- * void pr_close(struct irs_pr *this)
- *
- */
-
-static void
-pr_close(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pr_minimize(this);
-
- free_proto(&pvt->proto);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-
-
-/*
- * struct protoent * pr_byname(struct irs_pr *this, const char *name)
- *
- */
-
-static struct protoent *
-pr_byname(struct irs_pr *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct protoent *pr = &pvt->proto;
- char *body = NULL;
- size_t bodylen;
- int code;
- int i;
- char text[256];
-
- if (pr->p_name != NULL && strcmp(name, pr->p_name) == 0) {
- return (pr);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- i = irs_irp_send_command(pvt->girpdata, "getprotobyname %s", name);
- if (i != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETPROTO_OK) {
- free_proto(pr);
- if (irp_unmarshall_pr(pr, body) != 0) {
- pr = NULL;
- }
- } else {
- pr = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (pr);
-}
-
-
-
-/*
- * struct protoent * pr_bynumber(struct irs_pr *this, int proto)
- *
- */
-
-static struct protoent *
-pr_bynumber(struct irs_pr *this, int proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct protoent *pr = &pvt->proto;
- char *body = NULL;
- size_t bodylen;
- int code;
- int i;
- char text[256];
-
- if (pr->p_name != NULL && proto == pr->p_proto) {
- return (pr);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- i = irs_irp_send_command(pvt->girpdata, "getprotobynumber %d", proto);
- if (i != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETPROTO_OK) {
- free_proto(pr);
- if (irp_unmarshall_pr(pr, body) != 0) {
- pr = NULL;
- }
- } else {
- pr = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (pr);
-}
-
-
-
-
-/*
- * void pr_rewind(struct irs_pr *this)
- *
- */
-
-static void
-pr_rewind(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char text[256];
- int code;
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return;
- }
-
- if (irs_irp_send_command(pvt->girpdata, "setprotoent") != 0) {
- return;
- }
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code != IRPD_GETPROTO_SETOK) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "setprotoent failed: %s", text);
- }
- }
-
- return;
-}
-
-
-
-
-/*
- * struct protoent * pr_next(struct irs_pr *this)
- *
- * Notes:
- *
- * Prepares the cache if necessary and returns the next item in it.
- *
- */
-
-static struct protoent *
-pr_next(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct protoent *pr = &pvt->proto;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getprotoent") != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETPROTO_OK) {
- free_proto(pr);
- if (irp_unmarshall_pr(pr, body) != 0) {
- pr = NULL;
- }
- } else {
- pr = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (pr);
-}
-
-
-
-
-/*
- * void pr_minimize(struct irs_pr *this)
- *
- */
-
-static void
-pr_minimize(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- irs_irp_disconnect(pvt->girpdata);
-}
-
-
-
-
-
-
-/*
- * static void free_proto(struct protoent *pw);
- *
- * Deallocate all the memory irp_unmarshall_pr allocated.
- *
- */
-
-static void
-free_proto(struct protoent *pr) {
- char **p;
-
- if (pr == NULL)
- return;
-
- if (pr->p_name != NULL)
- free(pr->p_name);
-
- for (p = pr->p_aliases ; p != NULL && *p != NULL ; p++)
- free(*p);
-}
diff --git a/contrib/bind9/lib/bind/irs/irp_pw.c b/contrib/bind9/lib/bind/irs/irp_pw.c
deleted file mode 100644
index 069f5887495a..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_pw.c
+++ /dev/null
@@ -1,358 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_pw.c,v 1.2.206.1 2004/03/09 08:33:37 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Extern */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_PW
-static int __bind_irs_pw_unneeded;
-#else
-
-#include <syslog.h>
-#include <sys/param.h>
-
-#include <db.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <utmp.h>
-#include <unistd.h>
-
-#include <irs.h>
-#include <irp.h>
-#include <isc/memcluster.h>
-#include <isc/irpmarshall.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "irp_p.h"
-
-
-/* Types */
-
-struct pvt {
- struct irp_p *girpdata; /* global IRP data */
- int warned;
- struct passwd passwd; /* password structure */
-};
-
-/* Forward */
-
-static void pw_close(struct irs_pw *);
-static struct passwd * pw_next(struct irs_pw *);
-static struct passwd * pw_byname(struct irs_pw *, const char *);
-static struct passwd * pw_byuid(struct irs_pw *, uid_t);
-static void pw_rewind(struct irs_pw *);
-static void pw_minimize(struct irs_pw *);
-
-static void free_passwd(struct passwd *pw);
-
-/* Public */
-struct irs_pw *
-irs_irp_pw(struct irs_acc *this) {
- struct irs_pw *pw;
- struct pvt *pvt;
-
- if (!(pw = memget(sizeof *pw))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pw, 0, sizeof *pw);
-
- if (!(pvt = memget(sizeof *pvt))) {
- memput(pw, sizeof *pw);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->girpdata = this->private;
-
- pw->private = pvt;
- pw->close = pw_close;
- pw->next = pw_next;
- pw->byname = pw_byname;
- pw->byuid = pw_byuid;
- pw->rewind = pw_rewind;
- pw->minimize = pw_minimize;
-
- return (pw);
-}
-
-/* Methods */
-
-
-
-/*
- * void pw_close(struct irs_pw *this)
- *
- */
-
-static void
-pw_close(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pw_minimize(this);
-
- free_passwd(&pvt->passwd);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-
-
-
-/*
- * struct passwd * pw_next(struct irs_pw *this)
- *
- */
-
-static struct passwd *
-pw_next(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct passwd *pw = &pvt->passwd;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getpwent") != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETUSER_OK) {
- free_passwd(pw);
- if (irp_unmarshall_pw(pw, body) != 0) {
- pw = NULL;
- }
- } else {
- pw = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (pw);
-}
-
-
-
-
-/*
- * struct passwd * pw_byname(struct irs_pw *this, const char *name)
- *
- */
-
-static struct passwd *
-pw_byname(struct irs_pw *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct passwd *pw = &pvt->passwd;
- char *body = NULL;
- char text[256];
- size_t bodylen;
- int code;
-
- if (pw->pw_name != NULL && strcmp(name, pw->pw_name) == 0) {
- return (pw);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getpwnam %s", name) != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETUSER_OK) {
- free_passwd(pw);
- if (irp_unmarshall_pw(pw, body) != 0) {
- pw = NULL;
- }
- } else {
- pw = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (pw);
-}
-
-
-
-
-/*
- * struct passwd * pw_byuid(struct irs_pw *this, uid_t uid)
- *
- */
-
-static struct passwd *
-pw_byuid(struct irs_pw *this, uid_t uid) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *body;
- char text[256];
- size_t bodylen;
- int code;
- struct passwd *pw = &pvt->passwd;
-
- if (pw->pw_name != NULL && pw->pw_uid == uid) {
- return (pw);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getpwuid %d", uid) != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETUSER_OK) {
- free_passwd(pw);
- if (irp_unmarshall_pw(pw, body) != 0) {
- pw = NULL;
- }
- } else {
- pw = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (pw);
-}
-
-
-
-
-/*
- * void pw_rewind(struct irs_pw *this)
- *
- */
-
-static void
-pw_rewind(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char text[256];
- int code;
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return;
- }
-
- if (irs_irp_send_command(pvt->girpdata, "setpwent") != 0) {
- return;
- }
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code != IRPD_GETUSER_SETOK) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "setpwent failed: %s", text);
- }
- }
-
- return;
-}
-
-
-/*
- * void pw_minimize(struct irs_pw *this)
- *
- */
-
-static void
-pw_minimize(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- irs_irp_disconnect(pvt->girpdata);
-}
-
-
-/* Private. */
-
-
-
-/*
- * static void free_passwd(struct passwd *pw);
- *
- * Deallocate all the memory irp_unmarshall_pw allocated.
- *
- */
-
-static void
-free_passwd(struct passwd *pw) {
- if (pw == NULL)
- return;
-
- if (pw->pw_name != NULL)
- free(pw->pw_name);
-
- if (pw->pw_passwd != NULL)
- free(pw->pw_passwd);
-
-#ifdef HAVE_PW_CLASS
- if (pw->pw_class != NULL)
- free(pw->pw_class);
-#endif
-
- if (pw->pw_gecos != NULL)
- free(pw->pw_gecos);
-
- if (pw->pw_dir != NULL)
- free(pw->pw_dir);
-
- if (pw->pw_shell != NULL)
- free(pw->pw_shell);
-}
-
-#endif /* WANT_IRS_PW */
diff --git a/contrib/bind9/lib/bind/irs/irp_sv.c b/contrib/bind9/lib/bind/irs/irp_sv.c
deleted file mode 100644
index 0c4d6a182a98..000000000000
--- a/contrib/bind9/lib/bind/irs/irp_sv.c
+++ /dev/null
@@ -1,369 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996,1998 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irp_sv.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* extern */
-
-#include "port_before.h"
-
-#include <syslog.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#ifdef IRS_LCL_SV_DB
-#include <db.h>
-#endif
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <syslog.h>
-
-#include <irs.h>
-#include <irp.h>
-#include <isc/irpmarshall.h>
-#include <isc/memcluster.h>
-
-#include "irs_p.h"
-#include "lcl_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-/* Types */
-
-struct pvt {
- struct irp_p *girpdata;
- int warned;
- struct servent service;
-};
-
-/* Forward */
-
-static void sv_close(struct irs_sv*);
-static struct servent * sv_next(struct irs_sv *);
-static struct servent * sv_byname(struct irs_sv *, const char *,
- const char *);
-static struct servent * sv_byport(struct irs_sv *, int, const char *);
-static void sv_rewind(struct irs_sv *);
-static void sv_minimize(struct irs_sv *);
-
-static void free_service(struct servent *sv);
-
-
-
-/* Public */
-
-
-
-/*
- * struct irs_sv * irs_irp_sv(struct irs_acc *this)
- *
- */
-
-struct irs_sv *
-irs_irp_sv(struct irs_acc *this) {
- struct irs_sv *sv;
- struct pvt *pvt;
-
- if ((sv = memget(sizeof *sv)) == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(sv, 0x0, sizeof *sv);
-
- if ((pvt = memget(sizeof *pvt)) == NULL) {
- memput(sv, sizeof *sv);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->girpdata = this->private;
-
- sv->private = pvt;
- sv->close = sv_close;
- sv->next = sv_next;
- sv->byname = sv_byname;
- sv->byport = sv_byport;
- sv->rewind = sv_rewind;
- sv->minimize = sv_minimize;
-
- return (sv);
-}
-
-/* Methods */
-
-
-
-/*
- * void sv_close(struct irs_sv *this)
- *
- */
-
-static void
-sv_close(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- sv_minimize(this);
-
- free_service(&pvt->service);
-
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-
-
-
-/*
- * struct servent * sv_next(struct irs_sv *this)
- *
- * Notes:
- *
- * Fills the cache if necessary and returns the next item from it.
- *
- */
-
-static struct servent *
-sv_next(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct servent *sv = &pvt->service;
- char *body;
- size_t bodylen;
- int code;
- char text[256];
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getservent") != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETSERVICE_OK) {
- free_service(sv);
- if (irp_unmarshall_sv(sv, body) != 0) {
- sv = NULL;
- }
- } else {
- sv = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (sv);
-}
-
-
-
-
-/*
- * struct servent * sv_byname(struct irs_sv *this, const char *name,
- * const char *proto)
- *
- */
-
-static struct servent *
-sv_byname(struct irs_sv *this, const char *name, const char *proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct servent *sv = &pvt->service;
- char *body;
- char text[256];
- size_t bodylen;
- int code;
-
- if (sv->s_name != NULL &&
- strcmp(name, sv->s_name) == 0 &&
- strcasecmp(proto, sv->s_proto) == 0) {
- return (sv);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getservbyname %s %s",
- name, proto) != 0)
- return (NULL);
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETSERVICE_OK) {
- free_service(sv);
- if (irp_unmarshall_sv(sv, body) != 0) {
- sv = NULL;
- }
- } else {
- sv = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (sv);
-}
-
-
-
-
-/*
- * struct servent * sv_byport(struct irs_sv *this, int port,
- * const char *proto)
- *
- */
-
-static struct servent *
-sv_byport(struct irs_sv *this, int port, const char *proto) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct servent *sv = &pvt->service;
- char *body;
- size_t bodylen;
- char text[256];
- int code;
-
- if (sv->s_name != NULL &&
- port == sv->s_port &&
- strcasecmp(proto, sv->s_proto) == 0) {
- return (sv);
- }
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return (NULL);
- }
-
- if (irs_irp_send_command(pvt->girpdata, "getservbyport %d %s",
- ntohs((short)port), proto) != 0) {
- return (NULL);
- }
-
- if (irs_irp_get_full_response(pvt->girpdata, &code,
- text, sizeof text,
- &body, &bodylen) != 0) {
- return (NULL);
- }
-
- if (code == IRPD_GETSERVICE_OK) {
- free_service(sv);
- if (irp_unmarshall_sv(sv, body) != 0) {
- sv = NULL;
- }
- } else {
- sv = NULL;
- }
-
- if (body != NULL) {
- memput(body, bodylen);
- }
-
- return (sv);
-}
-
-
-
-
-
-/*
- * void sv_rewind(struct irs_sv *this)
- *
- */
-
-static void
-sv_rewind(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char text[256];
- int code;
-
- if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
- return;
- }
-
- if (irs_irp_send_command(pvt->girpdata, "setservent") != 0) {
- return;
- }
-
- code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
- if (code != IRPD_GETSERVICE_SETOK) {
- if (irp_log_errors) {
- syslog(LOG_WARNING, "setservent failed: %s", text);
- }
- }
-
- return;
-}
-
-
-
-
-
-/*
- * void sv_minimize(struct irs_sv *this)
- *
- */
-
-static void
-sv_minimize(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- irs_irp_disconnect(pvt->girpdata);
-}
-
-
-
-
-
-
-static void
-free_service(struct servent *sv) {
- char **p;
-
- if (sv == NULL) {
- return;
- }
-
- if (sv->s_name != NULL) {
- free(sv->s_name);
- }
-
- for (p = sv->s_aliases ; p != NULL && *p != NULL ; p++) {
- free(*p);
- }
-
- if (sv->s_proto != NULL) {
- free(sv->s_proto);
- }
-}
-
-
diff --git a/contrib/bind9/lib/bind/irs/irpmarshall.c b/contrib/bind9/lib/bind/irs/irpmarshall.c
deleted file mode 100644
index 6d2ebd484334..000000000000
--- a/contrib/bind9/lib/bind/irs/irpmarshall.c
+++ /dev/null
@@ -1,2344 +0,0 @@
-/*
- * Copyright(c) 1989, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.206.3 2004/03/17 01:13:34 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#if 0
-
-Check values are in approrpriate endian order.
-
-Double check memory allocations on unmarhsalling
-
-#endif
-
-
-/* Extern */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <stdio.h>
-#include <ctype.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <utmp.h>
-#include <unistd.h>
-#include <assert.h>
-#include <errno.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-#include <isc/irpmarshall.h>
-
-#include "port_after.h"
-
-
-#ifndef HAVE_STRNDUP
-static char *strndup(const char *str, size_t len);
-#endif
-
-static char **splitarray(const char *buffer, const char *buffend, char delim);
-static int joinarray(char * const * argv, char *buffer, char delim);
-static char *getfield(char **res, size_t reslen, char **buffer, char delim);
-static size_t joinlength(char * const *argv);
-static void free_array(char **argv, size_t entries);
-
-#define ADDR_T_STR(x) (x == AF_INET ? "AF_INET" :\
- (x == AF_INET6 ? "AF_INET6" : "UNKNOWN"))
-
-#define MAXPADDRSIZE (sizeof "255.255.255.255" + 1)
-
-static char COMMA = ',';
-
-static const char *COMMASTR = ",";
-static const char *COLONSTR = ":";
-
-
-
-/* See big comment at bottom of irpmarshall.h for description. */
-
-
-#ifdef WANT_IRS_PW
-/* +++++++++++++++++++++++++ struct passwd +++++++++++++++++++++++++ */
-
-
-/*
- * int irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len)
- *
- * notes:
- *
- * See above
- *
- * return:
- *
- * 0 on sucess, -1 on failure.
- *
- */
-
-int
-irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len) {
- size_t need = 1 ; /* for null byte */
- char pwUid[24];
- char pwGid[24];
- char pwChange[24];
- char pwExpire[24];
- const char *pwClass;
- const char *fieldsep = COLONSTR;
-
- if (pw == NULL || len == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- sprintf(pwUid, "%ld", (long)pw->pw_uid);
- sprintf(pwGid, "%ld", (long)pw->pw_gid);
-
-#ifdef HAVE_PW_CHANGE
- sprintf(pwChange, "%ld", (long)pw->pw_change);
-#else
- pwChange[0] = '0';
- pwChange[1] = '\0';
-#endif
-
-#ifdef HAVE_PW_EXPIRE
- sprintf(pwExpire, "%ld", (long)pw->pw_expire);
-#else
- pwExpire[0] = '0';
- pwExpire[1] = '\0';
-#endif
-
-#ifdef HAVE_PW_CLASS
- pwClass = pw->pw_class;
-#else
- pwClass = "";
-#endif
-
- need += strlen(pw->pw_name) + 1; /* one for fieldsep */
- need += strlen(pw->pw_passwd) + 1;
- need += strlen(pwUid) + 1;
- need += strlen(pwGid) + 1;
- need += strlen(pwClass) + 1;
- need += strlen(pwChange) + 1;
- need += strlen(pwExpire) + 1;
- need += strlen(pw->pw_gecos) + 1;
- need += strlen(pw->pw_dir) + 1;
- need += strlen(pw->pw_shell) + 1;
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- }
-
- if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- }
-
- strcpy(*buffer, pw->pw_name); strcat(*buffer, fieldsep);
- strcat(*buffer, pw->pw_passwd); strcat(*buffer, fieldsep);
- strcat(*buffer, pwUid); strcat(*buffer, fieldsep);
- strcat(*buffer, pwGid); strcat(*buffer, fieldsep);
- strcat(*buffer, pwClass); strcat(*buffer, fieldsep);
- strcat(*buffer, pwChange); strcat(*buffer, fieldsep);
- strcat(*buffer, pwExpire); strcat(*buffer, fieldsep);
- strcat(*buffer, pw->pw_gecos); strcat(*buffer, fieldsep);
- strcat(*buffer, pw->pw_dir); strcat(*buffer, fieldsep);
- strcat(*buffer, pw->pw_shell); strcat(*buffer, fieldsep);
-
- return (0);
-}
-
-
-
-
-
-/*
- * int irp_unmarshall_pw(struct passwd *pw, char *buffer)
- *
- * notes:
- *
- * see above
- *
- * return:
- *
- * 0 on success, -1 on failure
- *
- */
-
-int
-irp_unmarshall_pw(struct passwd *pw, char *buffer) {
- char *name, *pass, *class, *gecos, *dir, *shell;
- uid_t pwuid;
- gid_t pwgid;
- time_t pwchange;
- time_t pwexpire;
- char *p;
- long t;
- char tmpbuf[24];
- char *tb = &tmpbuf[0];
- char fieldsep = ':';
- int myerrno = EINVAL;
-
- name = pass = class = gecos = dir = shell = NULL;
- p = buffer;
-
- /* pw_name field */
- name = NULL;
- if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) {
- goto error;
- }
-
- /* pw_passwd field */
- pass = NULL;
- if (getfield(&pass, 0, &p, fieldsep) == NULL) { /* field can be empty */
- goto error;
- }
-
-
- /* pw_uid field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- pwuid = (uid_t)t;
- if ((long) pwuid != t) { /* value must have been too big. */
- goto error;
- }
-
-
-
- /* pw_gid field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- pwgid = (gid_t)t;
- if ((long)pwgid != t) { /* value must have been too big. */
- goto error;
- }
-
-
-
- /* pw_class field */
- class = NULL;
- if (getfield(&class, 0, &p, fieldsep) == NULL) {
- goto error;
- }
-
-
-
- /* pw_change field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- pwchange = (time_t)t;
- if ((long)pwchange != t) { /* value must have been too big. */
- goto error;
- }
-
-
-
- /* pw_expire field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- pwexpire = (time_t)t;
- if ((long) pwexpire != t) { /* value must have been too big. */
- goto error;
- }
-
-
-
- /* pw_gecos field */
- gecos = NULL;
- if (getfield(&gecos, 0, &p, fieldsep) == NULL) {
- goto error;
- }
-
-
-
- /* pw_dir field */
- dir = NULL;
- if (getfield(&dir, 0, &p, fieldsep) == NULL) {
- goto error;
- }
-
-
-
- /* pw_shell field */
- shell = NULL;
- if (getfield(&shell, 0, &p, fieldsep) == NULL) {
- goto error;
- }
-
-
-
- pw->pw_name = name;
- pw->pw_passwd = pass;
- pw->pw_uid = pwuid;
- pw->pw_gid = pwgid;
- pw->pw_gecos = gecos;
- pw->pw_dir = dir;
- pw->pw_shell = shell;
-
-#ifdef HAVE_PW_CHANGE
- pw->pw_change = pwchange;
-#endif
-#ifdef HAVE_PW_CLASS
- pw->pw_class = class;
-#endif
-#ifdef HAVE_PW_EXPIRE
- pw->pw_expire = pwexpire;
-#endif
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (name != NULL) free(name);
- if (pass != NULL) free(pass);
- if (gecos != NULL) free(gecos);
- if (dir != NULL) free(dir);
- if (shell != NULL) free(shell);
-
- return (-1);
-}
-
-/* ------------------------- struct passwd ------------------------- */
-#endif /* WANT_IRS_PW */
-
-
-
-/* +++++++++++++++++++++++++ struct group +++++++++++++++++++++++++ */
-
-
-
-/*
- * int irp_marshall_gr(const struct group *gr, char **buffer, size_t *len)
- *
- * notes:
- *
- * see above.
- *
- * return:
- *
- * 0 on success, -1 on failure
- */
-
-int
-irp_marshall_gr(const struct group *gr, char **buffer, size_t *len) {
- size_t need = 1; /* for null byte */
- char grGid[24];
- const char *fieldsep = COLONSTR;
-
- if (gr == NULL || len == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- sprintf(grGid, "%ld", (long)gr->gr_gid);
-
- need += strlen(gr->gr_name) + 1;
-#ifndef MISSING_GR_PASSWD
- need += strlen(gr->gr_passwd) + 1;
-#else
- need++;
-#endif
- need += strlen(grGid) + 1;
- need += joinlength(gr->gr_mem) + 1;
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- }
-
- if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- }
-
- strcpy(*buffer, gr->gr_name); strcat(*buffer, fieldsep);
-#ifndef MISSING_GR_PASSWD
- strcat(*buffer, gr->gr_passwd);
-#endif
- strcat(*buffer, fieldsep);
- strcat(*buffer, grGid); strcat(*buffer, fieldsep);
- joinarray(gr->gr_mem, *buffer, COMMA) ; strcat(*buffer, fieldsep);
-
- return (0);
-}
-
-
-
-
-/*
- * int irp_unmarshall_gr(struct group *gr, char *buffer)
- *
- * notes:
- *
- * see above
- *
- * return:
- *
- * 0 on success and -1 on failure.
- *
- */
-
-int
-irp_unmarshall_gr(struct group *gr, char *buffer) {
- char *p, *q;
- gid_t grgid;
- long t;
- char *name = NULL;
- char *pass = NULL;
- char **members = NULL;
- char tmpbuf[24];
- char *tb;
- char fieldsep = ':';
- int myerrno = EINVAL;
-
- if (gr == NULL || buffer == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- p = buffer;
-
- /* gr_name field */
- name = NULL;
- if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
- goto error;
- }
-
-
- /* gr_passwd field */
- pass = NULL;
- if (getfield(&pass, 0, &p, fieldsep) == NULL) {
- goto error;
- }
-
-
- /* gr_gid field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- grgid = (gid_t)t;
- if ((long) grgid != t) { /* value must have been too big. */
- goto error;
- }
-
-
- /* gr_mem field. Member names are separated by commas */
- q = strchr(p, fieldsep);
- if (q == NULL) {
- goto error;
- }
- members = splitarray(p, q, COMMA);
- if (members == NULL) {
- myerrno = errno;
- goto error;
- }
- p = q + 1;
-
-
- gr->gr_name = name;
-#ifndef MISSING_GR_PASSWD
- gr->gr_passwd = pass;
-#endif
- gr->gr_gid = grgid;
- gr->gr_mem = members;
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (name != NULL) free(name);
- if (pass != NULL) free(pass);
-
- return (-1);
-}
-
-
-/* ------------------------- struct group ------------------------- */
-
-
-
-
-/* +++++++++++++++++++++++++ struct servent +++++++++++++++++++++++++ */
-
-
-
-/*
- * int irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len)
- *
- * notes:
- *
- * see above
- *
- * return:
- *
- * 0 on success, -1 on failure.
- *
- */
-
-int
-irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len) {
- size_t need = 1; /* for null byte */
- char svPort[24];
- const char *fieldsep = COLONSTR;
- short realport;
-
- if (sv == NULL || len == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- /* the int s_port field is actually a short in network order. We
- want host order to make the marshalled data look correct */
- realport = ntohs((short)sv->s_port);
- sprintf(svPort, "%d", realport);
-
- need += strlen(sv->s_name) + 1;
- need += joinlength(sv->s_aliases) + 1;
- need += strlen(svPort) + 1;
- need += strlen(sv->s_proto) + 1;
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- }
-
- if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- }
-
- strcpy(*buffer, sv->s_name); strcat(*buffer, fieldsep);
- joinarray(sv->s_aliases, *buffer, COMMA); strcat(*buffer, fieldsep);
- strcat(*buffer, svPort); strcat(*buffer, fieldsep);
- strcat(*buffer, sv->s_proto); strcat(*buffer, fieldsep);
-
- return (0);
-}
-
-
-
-
-
-/*
- * int irp_unmarshall_sv(struct servent *sv, char *buffer)
- *
- * notes:
- *
- * see above
- *
- * return:
- *
- * 0 on success, -1 on failure.
- *
- */
-
-int
-irp_unmarshall_sv(struct servent *sv, char *buffer) {
- char *p, *q;
- short svport;
- long t;
- char *name = NULL;
- char *proto = NULL;
- char **aliases = NULL;
- char tmpbuf[24];
- char *tb;
- char fieldsep = ':';
- int myerrno = EINVAL;
-
- if (sv == NULL || buffer == NULL)
- return (-1);
-
- p = buffer;
-
-
- /* s_name field */
- name = NULL;
- if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
- goto error;
- }
-
-
- /* s_aliases field */
- q = strchr(p, fieldsep);
- if (q == NULL) {
- goto error;
- }
- aliases = splitarray(p, q, COMMA);
- if (aliases == NULL) {
- myerrno = errno;
- goto error;
- }
- p = q + 1;
-
-
- /* s_port field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- svport = (short)t;
- if ((long) svport != t) { /* value must have been too big. */
- goto error;
- }
- svport = htons(svport);
-
- /* s_proto field */
- proto = NULL;
- if (getfield(&proto, 0, &p, fieldsep) == NULL) {
- goto error;
- }
-
- sv->s_name = name;
- sv->s_aliases = aliases;
- sv->s_port = svport;
- sv->s_proto = proto;
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (name != NULL) free(name);
- if (proto != NULL) free(proto);
- free_array(aliases, 0);
-
- return (-1);
-}
-
-
-/* ------------------------- struct servent ------------------------- */
-
-/* +++++++++++++++++++++++++ struct protoent +++++++++++++++++++++++++ */
-
-
-
-/*
- * int irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len)
- *
- * notes:
- *
- * see above
- *
- * return:
- *
- * 0 on success and -1 on failure.
- *
- */
-
-int
-irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len) {
- size_t need = 1; /* for null byte */
- char prProto[24];
- const char *fieldsep = COLONSTR;
-
- if (pr == NULL || len == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- sprintf(prProto, "%d", (int)pr->p_proto);
-
- need += strlen(pr->p_name) + 1;
- need += joinlength(pr->p_aliases) + 1;
- need += strlen(prProto) + 1;
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- }
-
- if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- }
-
- strcpy(*buffer, pr->p_name); strcat(*buffer, fieldsep);
- joinarray(pr->p_aliases, *buffer, COMMA); strcat(*buffer, fieldsep);
- strcat(*buffer, prProto); strcat(*buffer, fieldsep);
-
- return (0);
-
-}
-
-
-
-/*
- * int irp_unmarshall_pr(struct protoent *pr, char *buffer)
- *
- * notes:
- *
- * See above
- *
- * return:
- *
- * 0 on success, -1 on failure
- *
- */
-
-int irp_unmarshall_pr(struct protoent *pr, char *buffer) {
- char *p, *q;
- int prproto;
- long t;
- char *name = NULL;
- char **aliases = NULL;
- char tmpbuf[24];
- char *tb;
- char fieldsep = ':';
- int myerrno = EINVAL;
-
- if (pr == NULL || buffer == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- p = buffer;
-
- /* p_name field */
- name = NULL;
- if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
- goto error;
- }
-
-
- /* p_aliases field */
- q = strchr(p, fieldsep);
- if (q == NULL) {
- goto error;
- }
- aliases = splitarray(p, q, COMMA);
- if (aliases == NULL) {
- myerrno = errno;
- goto error;
- }
- p = q + 1;
-
-
- /* p_proto field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- prproto = (int)t;
- if ((long) prproto != t) { /* value must have been too big. */
- goto error;
- }
-
- pr->p_name = name;
- pr->p_aliases = aliases;
- pr->p_proto = prproto;
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (name != NULL) free(name);
- free_array(aliases, 0);
-
- return (-1);
-}
-
-/* ------------------------- struct protoent ------------------------- */
-
-
-
-/* +++++++++++++++++++++++++ struct hostent +++++++++++++++++++++++++ */
-
-
-/*
- * int irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len)
- *
- * notes:
- *
- * see above.
- *
- * return:
- *
- * 0 on success, -1 on failure.
- *
- */
-
-int
-irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len) {
- size_t need = 1; /* for null byte */
- char hoaddrtype[24];
- char holength[24];
- char **av;
- char *p;
- int addrlen;
- int malloced = 0;
- size_t remlen;
- const char *fieldsep = "@";
-
- if (ho == NULL || len == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- switch(ho->h_addrtype) {
- case AF_INET:
- strcpy(hoaddrtype, "AF_INET");
- break;
-
- case AF_INET6:
- strcpy(hoaddrtype, "AF_INET6");
- break;
-
- default:
- errno = EINVAL;
- return (-1);
- }
-
- sprintf(holength, "%d", ho->h_length);
-
- need += strlen(ho->h_name) + 1;
- need += joinlength(ho->h_aliases) + 1;
- need += strlen(hoaddrtype) + 1;
- need += strlen(holength) + 1;
-
- /* we determine an upper bound on the string length needed, not an
- exact length. */
- addrlen = (ho->h_addrtype == AF_INET ? 16 : 46) ; /* XX other AF's?? */
- for (av = ho->h_addr_list; av != NULL && *av != NULL ; av++)
- need += addrlen;
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- }
-
- if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- malloced = 1;
- }
-
- strcpy(*buffer, ho->h_name); strcat(*buffer, fieldsep);
- joinarray(ho->h_aliases, *buffer, COMMA); strcat(*buffer, fieldsep);
- strcat(*buffer, hoaddrtype); strcat(*buffer, fieldsep);
- strcat(*buffer, holength); strcat(*buffer, fieldsep);
-
- p = *buffer + strlen(*buffer);
- remlen = need - strlen(*buffer);
- for (av = ho->h_addr_list ; av != NULL && *av != NULL ; av++) {
- if (inet_ntop(ho->h_addrtype, *av, p, remlen) == NULL) {
- goto error;
- }
- if (*(av + 1) != NULL)
- strcat(p, COMMASTR);
- remlen -= strlen(p);
- p += strlen(p);
- }
- strcat(*buffer, fieldsep);
-
- return (0);
-
- error:
- if (malloced) {
- memput(*buffer, need);
- }
-
- return (-1);
-}
-
-
-
-/*
- * int irp_unmarshall_ho(struct hostent *ho, char *buffer)
- *
- * notes:
- *
- * See above.
- *
- * return:
- *
- * 0 on success, -1 on failure.
- *
- */
-
-int
-irp_unmarshall_ho(struct hostent *ho, char *buffer) {
- char *p, *q, *r;
- int hoaddrtype;
- int holength;
- long t;
- char *name = NULL;
- char **aliases = NULL;
- char **hohaddrlist = NULL;
- size_t hoaddrsize;
- char tmpbuf[24];
- char *tb;
- char **alist;
- int addrcount;
- char fieldsep = '@';
- int myerrno = EINVAL;
-
- if (ho == NULL || buffer == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- p = buffer;
-
- /* h_name field */
- name = NULL;
- if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
- goto error;
- }
-
-
- /* h_aliases field */
- q = strchr(p, fieldsep);
- if (q == NULL) {
- goto error;
- }
- aliases = splitarray(p, q, COMMA);
- if (aliases == NULL) {
- myerrno = errno;
- goto error;
- }
- p = q + 1;
-
-
- /* h_addrtype field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- if (strcmp(tmpbuf, "AF_INET") == 0)
- hoaddrtype = AF_INET;
- else if (strcmp(tmpbuf, "AF_INET6") == 0)
- hoaddrtype = AF_INET6;
- else
- goto error;
-
-
- /* h_length field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- t = strtol(tmpbuf, &tb, 10);
- if (*tb) {
- goto error; /* junk in value */
- }
- holength = (int)t;
- if ((long) holength != t) { /* value must have been too big. */
- goto error;
- }
-
-
- /* h_addr_list field */
- q = strchr(p, fieldsep);
- if (q == NULL)
- goto error;
-
- /* count how many addresss are in there */
- if (q > p + 1) {
- for (addrcount = 1, r = p ; r != q ; r++) {
- if (*r == COMMA)
- addrcount++;
- }
- } else {
- addrcount = 0;
- }
-
- hoaddrsize = (addrcount + 1) * sizeof (char *);
- hohaddrlist = malloc(hoaddrsize);
- if (hohaddrlist == NULL) {
- myerrno = ENOMEM;
- goto error;
- }
-
- memset(hohaddrlist, 0x0, hoaddrsize);
-
- alist = hohaddrlist;
- for (t = 0, r = p ; r != q ; p = r + 1, t++) {
- char saved;
- while (r != q && *r != COMMA) r++;
- saved = *r;
- *r = 0x0;
-
- alist[t] = malloc(hoaddrtype == AF_INET ? 4 : 16);
- if (alist[t] == NULL) {
- myerrno = ENOMEM;
- goto error;
- }
-
- if (inet_pton(hoaddrtype, p, alist[t]) == -1)
- goto error;
- *r = saved;
- }
- alist[t] = NULL;
-
- ho->h_name = name;
- ho->h_aliases = aliases;
- ho->h_addrtype = hoaddrtype;
- ho->h_length = holength;
- ho->h_addr_list = hohaddrlist;
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (name != NULL) free(name);
- free_array(aliases, 0);
-
- return (-1);
-}
-
-/* ------------------------- struct hostent------------------------- */
-
-
-
-/* +++++++++++++++++++++++++ struct netgrp +++++++++++++++++++++++++ */
-
-
-/*
- * int irp_marshall_ng(const char *host, const char *user,
- * const char *domain, char *buffer, size_t *len)
- *
- * notes:
- *
- * See note for irp_marshall_ng_start
- *
- * return:
- *
- * 0 on success, 0 on failure.
- *
- */
-
-int
-irp_marshall_ng(const char *host, const char *user, const char *domain,
- char **buffer, size_t *len) {
- size_t need = 1; /* for nul byte */
- const char *fieldsep = ",";
-
- if (len == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- need += 4; /* two parens and two commas */
- need += (host == NULL ? 0 : strlen(host));
- need += (user == NULL ? 0 : strlen(user));
- need += (domain == NULL ? 0 : strlen(domain));
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- } else if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- }
-
- (*buffer)[0] = '(';
- (*buffer)[1] = '\0';
-
- if (host != NULL)
- strcat(*buffer, host);
- strcat(*buffer, fieldsep);
-
- if (user != NULL)
- strcat(*buffer, user);
- strcat(*buffer, fieldsep);
-
- if (domain != NULL)
- strcat(*buffer, domain);
- strcat(*buffer, ")");
-
- return (0);
-}
-
-
-
-/* ---------- */
-
-
-/*
- * int irp_unmarshall_ng(const char **host, const char **user,
- * const char **domain, char *buffer)
- *
- * notes:
- *
- * Unpacks the BUFFER into 3 character arrays it allocates and assigns
- * to *HOST, *USER and *DOMAIN. If any field of the value is empty,
- * then the corresponding paramater value will be set to NULL.
- *
- * return:
- *
- * 0 on success and -1 on failure.
- */
-
-int
-irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
- char *buffer)
-{
- char *p, *q;
- char fieldsep = ',';
- int myerrno = EINVAL;
- char *host, *user, *domain;
-
- if (userp == NULL || hostp == NULL ||
- domainp == NULL || buffer == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- host = user = domain = NULL;
-
- p = buffer;
- while (isspace((unsigned char)*p)) {
- p++;
- }
- if (*p != '(') {
- goto error;
- }
-
- q = p + 1;
- while (*q && *q != fieldsep)
- q++;
- if (!*q) {
- goto error;
- } else if (q > p + 1) {
- host = strndup(p, q - p);
- }
-
- p = q + 1;
- if (!*p) {
- goto error;
- } else if (*p != fieldsep) {
- q = p + 1;
- while (*q && *q != fieldsep)
- q++;
- if (!*q) {
- goto error;
- }
- user = strndup(p, q - p);
- } else {
- p++;
- }
-
- if (!*p) {
- goto error;
- } else if (*p != ')') {
- q = p + 1;
- while (*q && *q != ')')
- q++;
- if (!*q) {
- goto error;
- }
- domain = strndup(p, q - p);
- }
- *hostp = host;
- *userp = user;
- *domainp = domain;
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (host != NULL) free(host);
- if (user != NULL) free(user);
- if (domain != NULL) free(domain);
-
- return (-1);
-}
-
-/* ------------------------- struct netgrp ------------------------- */
-
-
-
-
-/* +++++++++++++++++++++++++ struct nwent +++++++++++++++++++++++++ */
-
-
-/*
- * int irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len)
- *
- * notes:
- *
- * See at top.
- *
- * return:
- *
- * 0 on success and -1 on failure.
- *
- */
-
-int
-irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len) {
- size_t need = 1; /* for null byte */
- char nAddrType[24];
- char nNet[MAXPADDRSIZE];
- const char *fieldsep = COLONSTR;
-
- if (ne == NULL || len == NULL) {
- return (-1);
- }
-
- strcpy(nAddrType, ADDR_T_STR(ne->n_addrtype));
-
- if (inet_net_ntop(ne->n_addrtype, ne->n_addr, ne->n_length,
- nNet, sizeof nNet) == NULL) {
- return (-1);
- }
-
-
- need += strlen(ne->n_name) + 1;
- need += joinlength(ne->n_aliases) + 1;
- need += strlen(nAddrType) + 1;
- need += strlen(nNet) + 1;
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- }
-
- if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- }
-
- strcpy(*buffer, ne->n_name); strcat(*buffer, fieldsep);
- joinarray(ne->n_aliases, *buffer, COMMA) ; strcat(*buffer, fieldsep);
- strcat(*buffer, nAddrType); strcat(*buffer, fieldsep);
- strcat(*buffer, nNet); strcat(*buffer, fieldsep);
-
- return (0);
-}
-
-
-
-/*
- * int irp_unmarshall_nw(struct nwent *ne, char *buffer)
- *
- * notes:
- *
- * See note up top.
- *
- * return:
- *
- * 0 on success and -1 on failure.
- *
- */
-
-int
-irp_unmarshall_nw(struct nwent *ne, char *buffer) {
- char *p, *q;
- int naddrtype;
- long nnet;
- int bits;
- char *name = NULL;
- char **aliases = NULL;
- char tmpbuf[24];
- char *tb;
- char fieldsep = ':';
- int myerrno = EINVAL;
-
- if (ne == NULL || buffer == NULL) {
- goto error;
- }
-
- p = buffer;
-
- /* n_name field */
- name = NULL;
- if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
- goto error;
- }
-
-
- /* n_aliases field. Aliases are separated by commas */
- q = strchr(p, fieldsep);
- if (q == NULL) {
- goto error;
- }
- aliases = splitarray(p, q, COMMA);
- if (aliases == NULL) {
- myerrno = errno;
- goto error;
- }
- p = q + 1;
-
-
- /* h_addrtype field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- if (strcmp(tmpbuf, "AF_INET") == 0)
- naddrtype = AF_INET;
- else if (strcmp(tmpbuf, "AF_INET6") == 0)
- naddrtype = AF_INET6;
- else
- goto error;
-
-
- /* n_net field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- nnet = 0;
- bits = inet_net_pton(naddrtype, tmpbuf, &nnet, sizeof nnet);
- if (bits < 0) {
- goto error;
- }
-
- /* nnet = ntohl(nnet); */ /* keep in network order for nwent */
-
- ne->n_name = name;
- ne->n_aliases = aliases;
- ne->n_addrtype = naddrtype;
- ne->n_length = bits;
- ne->n_addr = malloc(sizeof nnet);
- if (ne->n_addr == NULL) {
- goto error;
- }
-
- memcpy(ne->n_addr, &nnet, sizeof nnet);
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (name != NULL) free(name);
- free_array(aliases, 0);
-
- return (-1);
-}
-
-
-/* ------------------------- struct nwent ------------------------- */
-
-
-/* +++++++++++++++++++++++++ struct netent +++++++++++++++++++++++++ */
-
-
-/*
- * int irp_marshall_ne(struct netent *ne, char **buffer, size_t *len)
- *
- * notes:
- *
- * See at top.
- *
- * return:
- *
- * 0 on success and -1 on failure.
- *
- */
-
-int
-irp_marshall_ne(struct netent *ne, char **buffer, size_t *len) {
- size_t need = 1; /* for null byte */
- char nAddrType[24];
- char nNet[MAXPADDRSIZE];
- const char *fieldsep = COLONSTR;
- long nval;
-
- if (ne == NULL || len == NULL) {
- return (-1);
- }
-
- strcpy(nAddrType, ADDR_T_STR(ne->n_addrtype));
-
- nval = htonl(ne->n_net);
- if (inet_ntop(ne->n_addrtype, &nval, nNet, sizeof nNet) == NULL) {
- return (-1);
- }
-
- need += strlen(ne->n_name) + 1;
- need += joinlength(ne->n_aliases) + 1;
- need += strlen(nAddrType) + 1;
- need += strlen(nNet) + 1;
-
- if (buffer == NULL) {
- *len = need;
- return (0);
- }
-
- if (*buffer != NULL && need > *len) {
- errno = EINVAL;
- return (-1);
- }
-
- if (*buffer == NULL) {
- need += 2; /* for CRLF */
- *buffer = memget(need);
- if (*buffer == NULL) {
- errno = ENOMEM;
- return (-1);
- }
-
- *len = need;
- }
-
- strcpy(*buffer, ne->n_name); strcat(*buffer, fieldsep);
- joinarray(ne->n_aliases, *buffer, COMMA) ; strcat(*buffer, fieldsep);
- strcat(*buffer, nAddrType); strcat(*buffer, fieldsep);
- strcat(*buffer, nNet); strcat(*buffer, fieldsep);
-
- return (0);
-}
-
-
-
-/*
- * int irp_unmarshall_ne(struct netent *ne, char *buffer)
- *
- * notes:
- *
- * See note up top.
- *
- * return:
- *
- * 0 on success and -1 on failure.
- *
- */
-
-int
-irp_unmarshall_ne(struct netent *ne, char *buffer) {
- char *p, *q;
- int naddrtype;
- long nnet;
- int bits;
- char *name = NULL;
- char **aliases = NULL;
- char tmpbuf[24];
- char *tb;
- char fieldsep = ':';
- int myerrno = EINVAL;
-
- if (ne == NULL || buffer == NULL) {
- goto error;
- }
-
- p = buffer;
-
- /* n_name field */
- name = NULL;
- if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
- goto error;
- }
-
-
- /* n_aliases field. Aliases are separated by commas */
- q = strchr(p, fieldsep);
- if (q == NULL) {
- goto error;
- }
- aliases = splitarray(p, q, COMMA);
- if (aliases == NULL) {
- myerrno = errno;
- goto error;
- }
- p = q + 1;
-
-
- /* h_addrtype field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- if (strcmp(tmpbuf, "AF_INET") == 0)
- naddrtype = AF_INET;
- else if (strcmp(tmpbuf, "AF_INET6") == 0)
- naddrtype = AF_INET6;
- else
- goto error;
-
-
- /* n_net field */
- tb = tmpbuf;
- if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
- strlen(tb) == 0U) {
- goto error;
- }
- bits = inet_net_pton(naddrtype, tmpbuf, &nnet, sizeof nnet);
- if (bits < 0) {
- goto error;
- }
- nnet = ntohl(nnet);
-
- ne->n_name = name;
- ne->n_aliases = aliases;
- ne->n_addrtype = naddrtype;
- ne->n_net = nnet;
-
- return (0);
-
- error:
- errno = myerrno;
-
- if (name != NULL) free(name);
- free_array(aliases, 0);
-
- return (-1);
-}
-
-
-/* ------------------------- struct netent ------------------------- */
-
-
-/* =========================================================================== */
-
-
-/*
- * static char ** splitarray(const char *buffer, const char *buffend, char delim)
- *
- * notes:
- *
- * Split a delim separated astring. Not allowed
- * to have two delims next to each other. BUFFER points to begining of
- * string, BUFFEND points to one past the end of the string
- * (i.e. points at where the null byte would be if null
- * terminated).
- *
- * return:
- *
- * Returns a malloced array of pointers, each pointer pointing to a
- * malloced string. If BUFEER is an empty string, then return values is
- * array of 1 pointer that is NULL. Returns NULL on failure.
- *
- */
-
-static char **
-splitarray(const char *buffer, const char *buffend, char delim) {
- const char *p, *q;
- int count = 0;
- char **arr = NULL;
- char **aptr;
-
- if (buffend < buffer)
- return (NULL);
- else if (buffend > buffer && *buffer == delim)
- return (NULL);
- else if (buffend > buffer && *(buffend - 1) == delim)
- return (NULL);
-
- /* count the number of field and make sure none are empty */
- if (buffend > buffer + 1) {
- for (count = 1, q = buffer ; q != buffend ; q++) {
- if (*q == delim) {
- if (q > buffer && (*(q - 1) == delim)) {
- errno = EINVAL;
- return (NULL);
- }
- count++;
- }
- }
- }
-
- if (count > 0) {
- count++ ; /* for NULL at end */
- aptr = arr = malloc(count * sizeof (char *));
- if (aptr == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
-
- memset(arr, 0x0, count * sizeof (char *));
- for (p = buffer ; p < buffend ; p++) {
- for (q = p ; *q != delim && q != buffend ; q++)
- /* nothing */;
- *aptr = strndup(p, q - p);
-
- p = q;
- aptr++;
- }
- *aptr = NULL;
- } else {
- arr = malloc(sizeof (char *));
- if (arr == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
-
- *arr = NULL;
- }
-
- return (arr);
-}
-
-
-
-
-/*
- * static size_t joinlength(char * const *argv)
- *
- * return:
- *
- * the number of bytes in all the arrays pointed at
- * by argv, including their null bytes(which will usually be turned
- * into commas).
- *
- *
- */
-
-static size_t
-joinlength(char * const *argv) {
- int len = 0;
-
- while (argv && *argv) {
- len += (strlen(*argv) + 1);
- argv++;
- }
-
- return (len);
-}
-
-
-
-/*
- * int joinarray(char * const *argv, char *buffer, char delim)
- *
- * notes:
- *
- * Copy all the ARGV strings into the end of BUFFER
- * separating them with DELIM. BUFFER is assumed to have
- * enough space to hold everything and to be already null-terminated.
- *
- * return:
- *
- * 0 unless argv or buffer is NULL.
- *
- *
- */
-
-static int
-joinarray(char * const *argv, char *buffer, char delim) {
- char * const *p;
- char sep[2];
-
- if (argv == NULL || buffer == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- sep[0] = delim;
- sep[1] = 0x0;
-
- for (p = argv ; *p != NULL ; p++) {
- strcat(buffer, *p);
- if (*(p + 1) != NULL) {
- strcat(buffer, sep);
- }
- }
-
- return (0);
-}
-
-
-/*
- * static char * getfield(char **res, size_t reslen, char **ptr, char delim)
- *
- * notes:
- *
- * Stores in *RES, which is a buffer of length RESLEN, a
- * copy of the bytes from *PTR up to and including the first
- * instance of DELIM. If *RES is NULL, then it will be
- * assigned a malloced buffer to hold the copy. *PTR is
- * modified to point at the found delimiter.
- *
- * return:
- *
- * If there was no delimiter, then NULL is returned,
- * otherewise *RES is returned.
- *
- */
-
-static char *
-getfield(char **res, size_t reslen, char **ptr, char delim) {
- char *q;
-
- if (res == NULL || ptr == NULL || *ptr == NULL) {
- errno = EINVAL;
- return (NULL);
- }
-
- q = strchr(*ptr, delim);
-
- if (q == NULL) {
- errno = EINVAL;
- return (NULL);
- } else {
- if (*res == NULL) {
- *res = strndup(*ptr, q - *ptr);
- } else {
- if ((size_t)(q - *ptr + 1) > reslen) { /* to big for res */
- errno = EINVAL;
- return (NULL);
- } else {
- strncpy(*res, *ptr, q - *ptr);
- (*res)[q - *ptr] = 0x0;
- }
- }
- *ptr = q + 1;
- }
-
- return (*res);
-}
-
-
-
-
-
-#ifndef HAVE_STRNDUP
-/*
- * static char * strndup(const char *str, size_t len)
- *
- * notes:
- *
- * like strdup, except do len bytes instead of the whole string. Always
- * null-terminates.
- *
- * return:
- *
- * The newly malloced string.
- *
- */
-
-static char *
-strndup(const char *str, size_t len) {
- char *p = malloc(len + 1);
-
- if (p == NULL)
- return (NULL);
- strncpy(p, str, len);
- p[len] = 0x0;
- return (p);
-}
-#endif
-
-#if WANT_MAIN
-
-/*
- * static int strcmp_nws(const char *a, const char *b)
- *
- * notes:
- *
- * do a strcmp, except uneven lengths of whitespace compare the same
- *
- * return:
- *
- */
-
-static int
-strcmp_nws(const char *a, const char *b) {
- while (*a && *b) {
- if (isspace(*a) && isspace(*b)) {
- do {
- a++;
- } while (isspace(*a));
- do {
- b++;
- } while (isspace(*b));
- }
- if (*a < *b)
- return (-1);
- else if (*a > *b)
- return (1);
-
- a++;
- b++;;
- }
-
- if (*a == *b)
- return (0);
- else if (*a > *b)
- return (1);
- else
- return (-1);
-}
-
-#endif
-
-
-
-
-
-/*
- * static void free_array(char **argv, size_t entries)
- *
- * notes:
- *
- * Free argv and each of the pointers inside it. The end of
- * the array is when a NULL pointer is found inside. If
- * entries is > 0, then NULL pointers inside the array do
- * not indicate the end of the array.
- *
- */
-
-static void
-free_array(char **argv, size_t entries) {
- char **p = argv;
- int useEntries = (entries > 0U);
-
- if (argv == NULL)
- return;
-
- while ((useEntries && entries > 0U) || *p) {
- if (*p)
- free(*p);
- p++;
- if (useEntries)
- entries--;
- }
- free(argv);
-}
-
-
-
-
-
-/* ************************************************** */
-
-#if WANT_MAIN
-
-/* takes an option to indicate what sort of marshalling(read the code) and
- an argument. If the argument looks like a marshalled buffer(has a ':'
- embedded) then it's unmarshalled and the remarshalled and the new string
- is compared to the old one.
-*/
-
-int
-main(int argc, char **argv) {
- char buffer[1024];
- char *b = &buffer[0];
- size_t len = sizeof buffer;
- char option;
-
- if (argc < 2 || argv[1][0] != '-')
- exit(1);
-
- option = argv[1][1];
- argv++;
- argc--;
-
-
-#if 0
- {
- char buff[10];
- char *p = argv[1], *q = &buff[0];
-
- while (getfield(&q, sizeof buff, &p, ':') != NULL) {
- printf("field: \"%s\"\n", q);
- p++;
- }
- printf("p is now \"%s\"\n", p);
- }
-#endif
-
-#if 0
- {
- char **x = splitarray(argv[1], argv[1] + strlen(argv[1]),
- argv[2][0]);
- char **p;
-
- if (x == NULL)
- printf("split failed\n");
-
- for (p = x ; p != NULL && *p != NULL ; p++) {
- printf("\"%s\"\n", *p);
- }
- }
-#endif
-
-#if 1
- switch(option) {
- case 'n': {
- struct nwent ne;
- int i;
-
- if (strchr(argv[1], ':') != NULL) {
- if (irp_unmarshall_nw(&ne, argv[1]) != 0) {
- printf("Unmarhsalling failed\n");
- exit(1);
- }
-
- printf("Name: \"%s\"\n", ne.n_name);
- printf("Aliases:");
- for (i = 0 ; ne.n_aliases[i] != NULL ; i++)
- printf("\n\t\"%s\"", ne.n_aliases[i]);
- printf("\nAddrtype: %s\n", ADDR_T_STR(ne.n_addrtype));
- inet_net_ntop(ne.n_addrtype, ne.n_addr, ne.n_length,
- buffer, sizeof buffer);
- printf("Net: \"%s\"\n", buffer);
- *((long*)ne.n_addr) = htonl(*((long*)ne.n_addr));
- inet_net_ntop(ne.n_addrtype, ne.n_addr, ne.n_length,
- buffer, sizeof buffer);
- printf("Corrected Net: \"%s\"\n", buffer);
- } else {
- struct netent *np1 = getnetbyname(argv[1]);
- ne.n_name = np1->n_name;
- ne.n_aliases = np1->n_aliases;
- ne.n_addrtype = np1->n_addrtype;
- ne.n_addr = &np1->n_net;
- ne.n_length = (IN_CLASSA(np1->n_net) ?
- 8 :
- (IN_CLASSB(np1->n_net) ?
- 16 :
- (IN_CLASSC(np1->n_net) ?
- 24 : -1)));
- np1->n_net = htonl(np1->n_net);
- if (irp_marshall_nw(&ne, &b, &len) != 0) {
- printf("Marshalling failed\n");
- }
- printf("%s\n", b);
- }
- break;
- }
-
-
- case 'r': {
- char **hosts, **users, **domains;
- size_t entries;
- int i;
- char *buff;
- size_t size;
- char *ngname;
-
- if (strchr(argv[1], '(') != NULL) {
- if (irp_unmarshall_ng(&ngname, &entries,
- &hosts, &users, &domains,
- argv[1]) != 0) {
- printf("unmarshall failed\n");
- exit(1);
- }
-
-#define STRVAL(x) (x == NULL ? "*" : x)
-
- printf("%s {\n", ngname);
- for (i = 0 ; i < entries ; i++)
- printf("\t\"%s\" : \"%s\" : \"%s\"\n",
- STRVAL(hosts[i]),
- STRVAL(users[i]),
- STRVAL(domains[i]));
- printf("}\n\n\n");
-
-
- irp_marshall_ng_start(ngname, NULL, &size);
- for (i = 0 ; i < entries ; i++)
- irp_marshall_ng_next(hosts[i], users[i],
- domains[i], NULL, &size);
- irp_marshall_ng_end(NULL, &size);
-
- buff = malloc(size);
-
- irp_marshall_ng_start(ngname, buff, &size);
- for (i = 0 ; i < entries ; i++) {
- if (irp_marshall_ng_next(hosts[i], users[i],
- domains[i], buff,
- &size) != 0)
- printf("next marshalling failed.\n");
- }
- irp_marshall_ng_end(buff, &size);
-
- if (strcmp_nws(argv[1], buff) != 0) {
- printf("compare failed:\n\t%s\n\t%s\n",
- buffer, argv[1]);
- } else {
- printf("compare ok\n");
- }
- } else {
- char *h, *u, *d, *buff;
- size_t size;
-
- /* run through two times. First to figure out how
- much of a buffer we need. Second to do the
- actual marshalling */
-
- setnetgrent(argv[1]);
- irp_marshall_ng_start(argv[1], NULL, &size);
- while (getnetgrent(&h, &u, &d) == 1)
- irp_marshall_ng_next(h, u, d, NULL, &size);
- irp_marshall_ng_end(NULL, &size);
- endnetgrent(argv[1]);
-
- buff = malloc(size);
-
- setnetgrent(argv[1]);
- if (irp_marshall_ng_start(argv[1], buff, &size) != 0)
- printf("Marshalling start failed\n");
-
- while (getnetgrent(&h, &u, &d) == 1) {
- if (irp_marshall_ng_next(h, u, d, buff, &size)
- != 0) {
- printf("Marshalling failed\n");
- }
- }
-
- irp_marshall_ng_end(buff, &size);
- endnetgrent();
-
- printf("success: %s\n", buff);
- }
- break;
- }
-
-
-
- case 'h': {
- struct hostent he, *hp;
- int i;
-
-
- if (strchr(argv[1], '@') != NULL) {
- if (irp_unmarshall_ho(&he, argv[1]) != 0) {
- printf("unmarshall failed\n");
- exit(1);
- }
-
- printf("Host: \"%s\"\nAliases:", he.h_name);
- for (i = 0 ; he.h_aliases[i] != NULL ; i++)
- printf("\n\t\t\"%s\"", he.h_aliases[i]);
- printf("\nAddr Type: \"%s\"\n",
- ADDR_T_STR(he.h_addrtype));
- printf("Length: %d\nAddresses:", he.h_length);
- for (i = 0 ; he.h_addr_list[i] != 0 ; i++) {
- inet_ntop(he.h_addrtype, he.h_addr_list[i],
- buffer, sizeof buffer);
- printf("\n\t\"%s\"\n", buffer);
- }
- printf("\n\n");
-
- irp_marshall_ho(&he, &b, &len);
- if (strcmp(argv[1], buffer) != 0) {
- printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
- buffer, argv[1]);
- } else {
- printf("compare ok\n");
- }
- } else {
- if ((hp = gethostbyname(argv[1])) == NULL) {
- perror("gethostbyname");
- printf("\"%s\"\n", argv[1]);
- exit(1);
- }
-
- if (irp_marshall_ho(hp, &b, &len) != 0) {
- printf("irp_marshall_ho failed\n");
- exit(1);
- }
-
- printf("success: \"%s\"\n", buffer);
- }
- break;
- }
-
-
- case 's': {
- struct servent *sv;
- struct servent sv1;
-
- if (strchr(argv[1], ':') != NULL) {
- sv = &sv1;
- memset(sv, 0xef, sizeof (struct servent));
- if (irp_unmarshall_sv(sv, argv[1]) != 0) {
- printf("unmarshall failed\n");
-
- }
-
- irp_marshall_sv(sv, &b, &len);
- if (strcmp(argv[1], buffer) != 0) {
- printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
- buffer, argv[1]);
- } else {
- printf("compare ok\n");
- }
- } else {
- if ((sv = getservbyname(argv[1], argv[2])) == NULL) {
- perror("getservent");
- exit(1);
- }
-
- if (irp_marshall_sv(sv, &b, &len) != 0) {
- printf("irp_marshall_sv failed\n");
- exit(1);
- }
-
- printf("success: \"%s\"\n", buffer);
- }
- break;
- }
-
- case 'g': {
- struct group *gr;
- struct group gr1;
-
- if (strchr(argv[1], ':') != NULL) {
- gr = &gr1;
- memset(gr, 0xef, sizeof (struct group));
- if (irp_unmarshall_gr(gr, argv[1]) != 0) {
- printf("unmarshall failed\n");
-
- }
-
- irp_marshall_gr(gr, &b, &len);
- if (strcmp(argv[1], buffer) != 0) {
- printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
- buffer, argv[1]);
- } else {
- printf("compare ok\n");
- }
- } else {
- if ((gr = getgrnam(argv[1])) == NULL) {
- perror("getgrnam");
- exit(1);
- }
-
- if (irp_marshall_gr(gr, &b, &len) != 0) {
- printf("irp_marshall_gr failed\n");
- exit(1);
- }
-
- printf("success: \"%s\"\n", buffer);
- }
- break;
- }
-
-
- case 'p': {
- struct passwd *pw;
- struct passwd pw1;
-
- if (strchr(argv[1], ':') != NULL) {
- pw = &pw1;
- memset(pw, 0xef, sizeof (*pw));
- if (irp_unmarshall_pw(pw, argv[1]) != 0) {
- printf("unmarshall failed\n");
- exit(1);
- }
-
- printf("User: \"%s\"\nPasswd: \"%s\"\nUid: %ld\nGid: %ld\n",
- pw->pw_name, pw->pw_passwd, (long)pw->pw_uid,
- (long)pw->pw_gid);
- printf("Class: \"%s\"\nChange: %ld\nGecos: \"%s\"\n",
- pw->pw_class, (long)pw->pw_change, pw->pw_gecos);
- printf("Shell: \"%s\"\nDirectory: \"%s\"\n",
- pw->pw_shell, pw->pw_dir);
-
- pw = getpwnam(pw->pw_name);
- irp_marshall_pw(pw, &b, &len);
- if (strcmp(argv[1], buffer) != 0) {
- printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
- buffer, argv[1]);
- } else {
- printf("compare ok\n");
- }
- } else {
- if ((pw = getpwnam(argv[1])) == NULL) {
- perror("getpwnam");
- exit(1);
- }
-
- if (irp_marshall_pw(pw, &b, &len) != 0) {
- printf("irp_marshall_pw failed\n");
- exit(1);
- }
-
- printf("success: \"%s\"\n", buffer);
- }
- break;
- }
-
- default:
- printf("Wrong option: %c\n", option);
- break;
- }
-
-#endif
-
- return (0);
-}
-
-#endif
diff --git a/contrib/bind9/lib/bind/irs/irs_data.c b/contrib/bind9/lib/bind/irs/irs_data.c
deleted file mode 100644
index f8e65adfe6f3..000000000000
--- a/contrib/bind9/lib/bind/irs/irs_data.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.3 2004/11/30 01:15:43 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#ifndef __BIND_NOSTATIC
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-#include <isc/memcluster.h>
-
-#ifdef DO_PTHREADS
-#include <pthread.h>
-#endif
-
-#include <irs.h>
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#include "irs_data.h"
-#undef _res
-#if !(__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
-#undef h_errno
-extern int h_errno;
-#endif
-
-extern struct __res_state _res;
-
-#ifdef DO_PTHREADS
-static pthread_key_t key;
-static int once = 0;
-#else
-static struct net_data *net_data;
-#endif
-
-void
-irs_destroy(void) {
-#ifndef DO_PTHREADS
- if (net_data != NULL)
- net_data_destroy(net_data);
- net_data = NULL;
-#endif
-}
-
-void
-net_data_destroy(void *p) {
- struct net_data *net_data = p;
-
- res_ndestroy(net_data->res);
- if (net_data->gr != NULL) {
- (*net_data->gr->close)(net_data->gr);
- net_data->gr = NULL;
- }
- if (net_data->pw != NULL) {
- (*net_data->pw->close)(net_data->pw);
- net_data->pw = NULL;
- }
- if (net_data->sv != NULL) {
- (*net_data->sv->close)(net_data->sv);
- net_data->sv = NULL;
- }
- if (net_data->pr != NULL) {
- (*net_data->pr->close)(net_data->pr);
- net_data->pr = NULL;
- }
- if (net_data->ho != NULL) {
- (*net_data->ho->close)(net_data->ho);
- net_data->ho = NULL;
- }
- if (net_data->nw != NULL) {
- (*net_data->nw->close)(net_data->nw);
- net_data->nw = NULL;
- }
- if (net_data->ng != NULL) {
- (*net_data->ng->close)(net_data->ng);
- net_data->ng = NULL;
- }
- if (net_data->ho_data != NULL) {
- free(net_data->ho_data);
- net_data->ho_data = NULL;
- }
- if (net_data->nw_data != NULL) {
- free(net_data->nw_data);
- net_data->nw_data = NULL;
- }
-
- (*net_data->irs->close)(net_data->irs);
- memput(net_data, sizeof *net_data);
-}
-
-/* applications that need a specific config file other than
- * _PATH_IRS_CONF should call net_data_init directly rather than letting
- * the various wrapper functions make the first call. - brister
- */
-
-struct net_data *
-net_data_init(const char *conf_file) {
-#ifdef DO_PTHREADS
-#ifndef LIBBIND_MUTEX_INITIALIZER
-#define LIBBIND_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
-#endif
- static pthread_mutex_t keylock = LIBBIND_MUTEX_INITIALIZER;
- struct net_data *net_data;
-
- if (!once) {
- pthread_mutex_lock(&keylock);
- if (!once++)
- pthread_key_create(&key, net_data_destroy);
- pthread_mutex_unlock(&keylock);
- }
- net_data = pthread_getspecific(key);
-#endif
-
- if (net_data == NULL) {
- net_data = net_data_create(conf_file);
- if (net_data == NULL)
- return (NULL);
-#ifdef DO_PTHREADS
- pthread_setspecific(key, net_data);
-#endif
- }
-
- return (net_data);
-}
-
-struct net_data *
-net_data_create(const char *conf_file) {
- struct net_data *net_data;
-
- net_data = memget(sizeof (struct net_data));
- if (net_data == NULL)
- return (NULL);
- memset(net_data, 0, sizeof (struct net_data));
-
- if ((net_data->irs = irs_gen_acc("", conf_file)) == NULL) {
- memput(net_data, sizeof (struct net_data));
- return (NULL);
- }
-#ifndef DO_PTHREADS
- (*net_data->irs->res_set)(net_data->irs, &_res, NULL);
-#endif
-
- net_data->res = (*net_data->irs->res_get)(net_data->irs);
- if (net_data->res == NULL) {
- (*net_data->irs->close)(net_data->irs);
- memput(net_data, sizeof (struct net_data));
- return (NULL);
- }
-
- if ((net_data->res->options & RES_INIT) == 0U &&
- res_ninit(net_data->res) == -1) {
- (*net_data->irs->close)(net_data->irs);
- memput(net_data, sizeof (struct net_data));
- return (NULL);
- }
-
- return (net_data);
-}
-
-void
-net_data_minimize(struct net_data *net_data) {
- res_nclose(net_data->res);
-}
-
-#ifdef _REENTRANT
-struct __res_state *
-__res_state(void) {
- /* NULL param here means use the default config file. */
- struct net_data *net_data = net_data_init(NULL);
- if (net_data && net_data->res)
- return (net_data->res);
-
- return (&_res);
-}
-#else
-#ifdef __linux
-struct __res_state *
-__res_state(void) {
- return (&_res);
-}
-#endif
-#endif
-
-int *
-__h_errno(void) {
- /* NULL param here means use the default config file. */
- struct net_data *net_data = net_data_init(NULL);
- if (net_data && net_data->res)
- return (&net_data->res->res_h_errno);
-#if !(__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
- return(&_res.res_h_errno);
-#else
- return (&h_errno);
-#endif
-}
-
-void
-__h_errno_set(struct __res_state *res, int err) {
-
-
-#if (__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
- res->res_h_errno = err;
-#else
- h_errno = res->res_h_errno = err;
-#endif
-}
-
-#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/irs_data.h b/contrib/bind9/lib/bind/irs/irs_data.h
deleted file mode 100644
index 90eb78c5f24e..000000000000
--- a/contrib/bind9/lib/bind/irs/irs_data.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: irs_data.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
- */
-
-#ifndef __BIND_NOSTATIC
-
-#define net_data_init __net_data_init
-
-struct net_data {
- struct irs_acc * irs;
-
- struct irs_gr * gr;
- struct irs_pw * pw;
- struct irs_sv * sv;
- struct irs_pr * pr;
- struct irs_ho * ho;
- struct irs_nw * nw;
- struct irs_ng * ng;
-
- struct group * gr_last;
- struct passwd * pw_last;
- struct servent * sv_last;
- struct protoent * pr_last;
- struct netent * nw_last; /* should have been ne_last */
- struct nwent * nww_last;
- struct hostent * ho_last;
-
- unsigned int gr_stayopen :1;
- unsigned int pw_stayopen :1;
- unsigned int sv_stayopen :1;
- unsigned int pr_stayopen :1;
- unsigned int ho_stayopen :1;
- unsigned int nw_stayopen :1;
-
- void * nw_data;
- void * ho_data;
-
- struct __res_state * res; /* for gethostent.c */
-
-};
-
-extern struct net_data * net_data_init(const char *conf_file);
-extern void net_data_minimize(struct net_data *);
-
-#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/irs_p.h b/contrib/bind9/lib/bind/irs/irs_p.h
deleted file mode 100644
index 6d340f21e7b9..000000000000
--- a/contrib/bind9/lib/bind/irs/irs_p.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: irs_p.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
- */
-
-#ifndef _IRS_P_H_INCLUDED
-#define _IRS_P_H_INCLUDED
-
-#include <stdio.h>
-
-#include "pathnames.h"
-
-#define IRS_SV_MAXALIASES 35
-
-struct lcl_sv {
- FILE * fp;
- char line[BUFSIZ+1];
- struct servent serv;
- char * serv_aliases[IRS_SV_MAXALIASES];
-};
-
-#define irs_nul_ng __irs_nul_ng
-#define map_v4v6_address __map_v4v6_address
-#define make_group_list __make_group_list
-#define irs_lclsv_fnxt __irs_lclsv_fnxt
-
-extern void map_v4v6_address(const char *src, char *dst);
-extern int make_group_list(struct irs_gr *, const char *,
- gid_t, gid_t *, int *);
-extern struct irs_ng * irs_nul_ng(struct irs_acc *);
-extern struct servent * irs_lclsv_fnxt(struct lcl_sv *);
-
-#endif
diff --git a/contrib/bind9/lib/bind/irs/lcl.c b/contrib/bind9/lib/bind/irs/lcl.c
deleted file mode 100644
index e02c90d1f648..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl.c
+++ /dev/null
@@ -1,140 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl.c,v 1.1.206.2 2004/03/17 00:29:49 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <stdlib.h>
-#include <errno.h>
-#include <string.h>
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "lcl_p.h"
-
-/* Forward. */
-
-static void lcl_close(struct irs_acc *);
-static struct __res_state * lcl_res_get(struct irs_acc *);
-static void lcl_res_set(struct irs_acc *, struct __res_state *,
- void (*)(void *));
-
-/* Public */
-
-struct irs_acc *
-irs_lcl_acc(const char *options) {
- struct irs_acc *acc;
- struct lcl_p *lcl;
-
- UNUSED(options);
-
- if (!(acc = memget(sizeof *acc))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(acc, 0x5e, sizeof *acc);
- if (!(lcl = memget(sizeof *lcl))) {
- errno = ENOMEM;
- free(acc);
- return (NULL);
- }
- memset(lcl, 0x5e, sizeof *lcl);
- lcl->res = NULL;
- lcl->free_res = NULL;
- acc->private = lcl;
-#ifdef WANT_IRS_GR
- acc->gr_map = irs_lcl_gr;
-#else
- acc->gr_map = NULL;
-#endif
-#ifdef WANT_IRS_PW
- acc->pw_map = irs_lcl_pw;
-#else
- acc->pw_map = NULL;
-#endif
- acc->sv_map = irs_lcl_sv;
- acc->pr_map = irs_lcl_pr;
- acc->ho_map = irs_lcl_ho;
- acc->nw_map = irs_lcl_nw;
- acc->ng_map = irs_lcl_ng;
- acc->res_get = lcl_res_get;
- acc->res_set = lcl_res_set;
- acc->close = lcl_close;
- return (acc);
-}
-
-/* Methods */
-static struct __res_state *
-lcl_res_get(struct irs_acc *this) {
- struct lcl_p *lcl = (struct lcl_p *)this->private;
-
- if (lcl->res == NULL) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (res == NULL)
- return (NULL);
- memset(res, 0, sizeof *res);
- lcl_res_set(this, res, free);
- }
-
- if ((lcl->res->options & RES_INIT) == 0U &&
- res_ninit(lcl->res) < 0)
- return (NULL);
-
- return (lcl->res);
-}
-
-static void
-lcl_res_set(struct irs_acc *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct lcl_p *lcl = (struct lcl_p *)this->private;
-
- if (lcl->res && lcl->free_res) {
- res_nclose(lcl->res);
- (*lcl->free_res)(lcl->res);
- }
-
- lcl->res = res;
- lcl->free_res = free_res;
-}
-
-static void
-lcl_close(struct irs_acc *this) {
- struct lcl_p *lcl = (struct lcl_p *)this->private;
-
- if (lcl) {
- if (lcl->free_res)
- (*lcl->free_res)(lcl->res);
- memput(lcl, sizeof *lcl);
- }
- memput(this, sizeof *this);
-}
diff --git a/contrib/bind9/lib/bind/irs/lcl_gr.c b/contrib/bind9/lib/bind/irs/lcl_gr.c
deleted file mode 100644
index ccf7b797e99c..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_gr.c
+++ /dev/null
@@ -1,354 +0,0 @@
-/*
- * Copyright (c) 1989, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_gr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
-/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
-/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
-#endif /* LIBC_SCCS and not lint */
-
-/* extern */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_PW
-static int __bind_irs_gr_unneeded;
-#else
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <grp.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "irs_p.h"
-#include "lcl_p.h"
-#include "irp_p.h"
-
-#include "port_after.h"
-
-
-/* Types. */
-
-struct pvt {
- FILE * fp;
- /*
- * Need space to store the entries read from the group file.
- * The members list also needs space per member, and the
- * strings making up the user names must be allocated
- * somewhere. Rather than doing lots of small allocations,
- * we keep one buffer and resize it as needed.
- */
- struct group group;
- size_t nmemb; /* Malloc'd max index of gr_mem[]. */
- char * membuf;
- size_t membufsize;
-};
-
-/* Forward. */
-
-static void gr_close(struct irs_gr *);
-static struct group * gr_next(struct irs_gr *);
-static struct group * gr_byname(struct irs_gr *, const char *);
-static struct group * gr_bygid(struct irs_gr *, gid_t);
-static void gr_rewind(struct irs_gr *);
-static void gr_minimize(struct irs_gr *);
-
-static int grstart(struct pvt *);
-static char * grnext(struct pvt *);
-static struct group * grscan(struct irs_gr *, int, gid_t, const char *);
-
-/* Portability. */
-
-#ifndef SEEK_SET
-# define SEEK_SET 0
-#endif
-
-/* Public. */
-
-struct irs_gr *
-irs_lcl_gr(struct irs_acc *this) {
- struct irs_gr *gr;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if (!(gr = memget(sizeof *gr))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(gr, 0x5e, sizeof *gr);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(gr, sizeof *gr);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- gr->private = pvt;
- gr->close = gr_close;
- gr->next = gr_next;
- gr->byname = gr_byname;
- gr->bygid = gr_bygid;
- gr->rewind = gr_rewind;
- gr->list = make_group_list;
- gr->minimize = gr_minimize;
- gr->res_get = NULL;
- gr->res_set = NULL;
- return (gr);
-}
-
-/* Methods. */
-
-static void
-gr_close(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp)
- (void)fclose(pvt->fp);
- if (pvt->group.gr_mem)
- free(pvt->group.gr_mem);
- if (pvt->membuf)
- free(pvt->membuf);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct group *
-gr_next(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->fp && !grstart(pvt))
- return (NULL);
- return (grscan(this, 0, 0, NULL));
-}
-
-static struct group *
-gr_byname(struct irs_gr *this, const char *name) {
- if (!grstart((struct pvt *)this->private))
- return (NULL);
- return (grscan(this, 1, 0, name));
-}
-
-static struct group *
-gr_bygid(struct irs_gr *this, gid_t gid) {
- if (!grstart((struct pvt *)this->private))
- return (NULL);
- return (grscan(this, 1, gid, NULL));
-}
-
-static void
-gr_rewind(struct irs_gr *this) {
- (void) grstart((struct pvt *)this->private);
-}
-
-static void
-gr_minimize(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp != NULL) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
-}
-
-/* Private. */
-
-static int
-grstart(struct pvt *pvt) {
- if (pvt->fp) {
- if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
- return (1);
- (void)fclose(pvt->fp);
- }
- if (!(pvt->fp = fopen(_PATH_GROUP, "r")))
- return (0);
- if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
- fclose(pvt->fp);
- return (0);
- }
- return (1);
-}
-
-#define INITIAL_NMEMB 30 /* about 120 bytes */
-#define INITIAL_BUFSIZ (INITIAL_NMEMB * 8) /* about 240 bytes */
-
-static char *
-grnext(struct pvt *pvt) {
- char *w, *e;
- int ch;
-
- /* Make sure we have a buffer. */
- if (pvt->membuf == NULL) {
- pvt->membuf = malloc(INITIAL_BUFSIZ);
- if (pvt->membuf == NULL) {
- enomem:
- errno = ENOMEM;
- return (NULL);
- }
- pvt->membufsize = INITIAL_BUFSIZ;
- }
-
- /* Read until EOF or EOL. */
- w = pvt->membuf;
- e = pvt->membuf + pvt->membufsize;
- while ((ch = fgetc(pvt->fp)) != EOF && ch != '\n') {
- /* Make sure we have room for this character and a \0. */
- if (w + 1 == e) {
- size_t o = w - pvt->membuf;
- size_t n = pvt->membufsize * 2;
- char *t = realloc(pvt->membuf, n);
-
- if (t == NULL)
- goto enomem;
- pvt->membuf = t;
- pvt->membufsize = n;
- w = pvt->membuf + o;
- e = pvt->membuf + pvt->membufsize;
- }
- /* Store it. */
- *w++ = (char)ch;
- }
-
- /* Hitting EOF on the first character really does mean EOF. */
- if (w == pvt->membuf && ch == EOF) {
- errno = ENOENT;
- return (NULL);
- }
-
- /* Last line of /etc/group need not end with \n; we don't care. */
- *w = '\0';
- return (pvt->membuf);
-}
-
-static struct group *
-grscan(struct irs_gr *this, int search, gid_t gid, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- size_t n;
- char *bp, **m, *p;
-
- /* Read lines until we find one that matches our search criteria. */
- for (;;) {
- if ((bp = grnext(pvt)) == NULL)
- return (NULL);
-
- /* Optimize the usual case of searching for a name. */
- pvt->group.gr_name = strsep(&bp, ":");
- if (search && name != NULL &&
- strcmp(pvt->group.gr_name, name) != 0)
- continue;
- if (bp == NULL || *bp == '\0')
- goto corrupt;
-
- /* Skip past the password field. */
- pvt->group.gr_passwd = strsep(&bp, ":");
- if (bp == NULL || *bp == '\0')
- goto corrupt;
-
- /* Checking for a gid. */
- if ((p = strsep(&bp, ":")) == NULL)
- continue;
- /*
- * Unlike the tests above, the test below is supposed to be
- * testing 'p' and not 'bp', in case you think it's a typo.
- */
- if (p == NULL || *p == '\0') {
- corrupt:
- /* warning: corrupted %s file!", _PATH_GROUP */
- continue;
- }
- pvt->group.gr_gid = atoi(p);
- if (search && name == NULL && (gid_t)pvt->group.gr_gid != gid)
- continue;
-
- /* We want this record. */
- break;
- }
-
- /*
- * Count commas to find out how many members there might be.
- * Note that commas separate, so if there is one comma there
- * can be two members (group:*:id:user1,user2). Add another
- * to account for the NULL terminator. As above, allocate
- * largest of INITIAL_NMEMB, or 2*n.
- */
- n = 1;
- if (bp != NULL)
- for (n = 2, p = bp; (p = strpbrk(p, ", ")) != NULL; ++n)
- p += strspn(p, ", ");
- if (n > pvt->nmemb || pvt->group.gr_mem == NULL) {
- if ((n *= 2) < INITIAL_NMEMB)
- n = INITIAL_NMEMB;
- if ((m = realloc(pvt->group.gr_mem, n * sizeof *m)) == NULL)
- return (NULL);
- pvt->group.gr_mem = m;
- pvt->nmemb = n;
- }
-
- /* Set the name pointers. */
- for (m = pvt->group.gr_mem; (p = strsep(&bp, ", ")) != NULL;)
- if (p[0] != '\0')
- *m++ = p;
- *m = NULL;
-
- return (&pvt->group);
-}
-
-#endif /* WANT_IRS_GR */
diff --git a/contrib/bind9/lib/bind/irs/lcl_ho.c b/contrib/bind9/lib/bind/irs/lcl_ho.c
deleted file mode 100644
index 45d267782021..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_ho.c
+++ /dev/null
@@ -1,576 +0,0 @@
-/*
- * Copyright (c) 1985, 1988, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* from gethostnamadr.c 8.1 (Berkeley) 6/4/93 */
-/* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports. */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "dns_p.h"
-#include "lcl_p.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) sprintf x
-#endif
-
-/* Definitions. */
-
-#define MAXALIASES 35
-#define MAXADDRS 35
-#define Max(a,b) ((a) > (b) ? (a) : (b))
-
-#if PACKETSZ > 1024
-#define MAXPACKET PACKETSZ
-#else
-#define MAXPACKET 1024
-#endif
-
-struct pvt {
- FILE * fp;
- struct hostent host;
- char * h_addr_ptrs[MAXADDRS + 1];
- char * host_aliases[MAXALIASES];
- char hostbuf[8*1024];
- u_char host_addr[16]; /* IPv4 or IPv6 */
- struct __res_state *res;
- void (*free_res)(void *);
-};
-
-typedef union {
- int32_t al;
- char ac;
-} align;
-
-static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
-static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
-
-/* Forward. */
-
-static void ho_close(struct irs_ho *this);
-static struct hostent * ho_byname(struct irs_ho *this, const char *name);
-static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
- int af);
-static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
- int len, int af);
-static struct hostent * ho_next(struct irs_ho *this);
-static void ho_rewind(struct irs_ho *this);
-static void ho_minimize(struct irs_ho *this);
-static struct __res_state * ho_res_get(struct irs_ho *this);
-static void ho_res_set(struct irs_ho *this,
- struct __res_state *res,
- void (*free_res)(void *));
-static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
- const struct addrinfo *pai);
-
-static size_t ns_namelen(const char *);
-static int init(struct irs_ho *this);
-
-/* Portability. */
-
-#ifndef SEEK_SET
-# define SEEK_SET 0
-#endif
-
-/* Public. */
-
-struct irs_ho *
-irs_lcl_ho(struct irs_acc *this) {
- struct irs_ho *ho;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(ho = memget(sizeof *ho))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(ho, 0x5e, sizeof *ho);
- ho->private = pvt;
- ho->close = ho_close;
- ho->byname = ho_byname;
- ho->byname2 = ho_byname2;
- ho->byaddr = ho_byaddr;
- ho->next = ho_next;
- ho->rewind = ho_rewind;
- ho->minimize = ho_minimize;
- ho->res_get = ho_res_get;
- ho->res_set = ho_res_set;
- ho->addrinfo = ho_addrinfo;
- return (ho);
-}
-
-/* Methods. */
-
-static void
-ho_close(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- ho_minimize(this);
- if (pvt->fp)
- (void) fclose(pvt->fp);
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct hostent *
-ho_byname(struct irs_ho *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *hp;
-
- if (init(this) == -1)
- return (NULL);
-
- if (pvt->res->options & RES_USE_INET6) {
- hp = ho_byname2(this, name, AF_INET6);
- if (hp)
- return (hp);
- }
- return (ho_byname2(this, name, AF_INET));
-}
-
-static struct hostent *
-ho_byname2(struct irs_ho *this, const char *name, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *hp;
- char **hap;
- size_t n;
-
- if (init(this) == -1)
- return (NULL);
-
- ho_rewind(this);
- n = ns_namelen(name);
- while ((hp = ho_next(this)) != NULL) {
- size_t nn;
-
- if (hp->h_addrtype != af)
- continue;
- nn = ns_namelen(hp->h_name);
- if (strncasecmp(hp->h_name, name, Max(n, nn)) == 0)
- goto found;
- for (hap = hp->h_aliases; *hap; hap++) {
- nn = ns_namelen(*hap);
- if (strncasecmp(*hap, name, Max(n, nn)) == 0)
- goto found;
- }
- }
- found:
- if (!hp) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
- return (hp);
-}
-
-static struct hostent *
-ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- const u_char *uaddr = addr;
- struct hostent *hp;
- int size;
-
- if (init(this) == -1)
- return (NULL);
-
- if (af == AF_INET6 && len == IN6ADDRSZ &&
- (!memcmp(uaddr, mapped, sizeof mapped) ||
- !memcmp(uaddr, tunnelled, sizeof tunnelled))) {
- /* Unmap. */
- addr = (const u_char *)addr + sizeof mapped;
- uaddr += sizeof mapped;
- af = AF_INET;
- len = INADDRSZ;
- }
- switch (af) {
- case AF_INET:
- size = INADDRSZ;
- break;
- case AF_INET6:
- size = IN6ADDRSZ;
- break;
- default:
- errno = EAFNOSUPPORT;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- if (size > len) {
- errno = EINVAL;
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
-
- /*
- * Do the search.
- */
- ho_rewind(this);
- while ((hp = ho_next(this)) != NULL) {
- char **hap;
-
- for (hap = hp->h_addr_list; *hap; hap++) {
- const u_char *taddr = (const u_char *)*hap;
- int taf = hp->h_addrtype;
- int tlen = hp->h_length;
-
- if (taf == AF_INET6 && tlen == IN6ADDRSZ &&
- (!memcmp(taddr, mapped, sizeof mapped) ||
- !memcmp(taddr, tunnelled, sizeof tunnelled))) {
- /* Unmap. */
- taddr += sizeof mapped;
- taf = AF_INET;
- tlen = INADDRSZ;
- }
- if (taf == af && tlen == len &&
- !memcmp(taddr, uaddr, tlen))
- goto found;
- }
- }
- found:
- if (!hp) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
- return (hp);
-}
-
-static struct hostent *
-ho_next(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *cp, **q, *p;
- char *bufp, *ndbuf, *dbuf = NULL;
- int c, af, len, bufsiz, offset;
-
- if (init(this) == -1)
- return (NULL);
-
- if (!pvt->fp)
- ho_rewind(this);
- if (!pvt->fp) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- bufp = pvt->hostbuf;
- bufsiz = sizeof pvt->hostbuf;
- offset = 0;
- again:
- if (!(p = fgets(bufp + offset, bufsiz - offset, pvt->fp))) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- if (dbuf)
- free(dbuf);
- return (NULL);
- }
- if (!strchr(p, '\n') && !feof(pvt->fp)) {
-#define GROWBUF 1024
- /* allocate space for longer line */
- if (dbuf == NULL) {
- if ((ndbuf = malloc(bufsiz + GROWBUF)) != NULL)
- strcpy(ndbuf, bufp);
- } else
- ndbuf = realloc(dbuf, bufsiz + GROWBUF);
- if (ndbuf) {
- dbuf = ndbuf;
- bufp = dbuf;
- bufsiz += GROWBUF;
- offset = strlen(dbuf);
- } else {
- /* allocation failed; skip this long line */
- while ((c = getc(pvt->fp)) != EOF)
- if (c == '\n')
- break;
- if (c != EOF)
- ungetc(c, pvt->fp);
- }
- goto again;
- }
-
- p -= offset;
- offset = 0;
-
- if (*p == '#')
- goto again;
- if ((cp = strpbrk(p, "#\n")) != NULL)
- *cp = '\0';
- if (!(cp = strpbrk(p, " \t")))
- goto again;
- *cp++ = '\0';
- if (inet_pton(AF_INET6, p, pvt->host_addr) > 0) {
- af = AF_INET6;
- len = IN6ADDRSZ;
- } else if (inet_aton(p, (struct in_addr *)pvt->host_addr) > 0) {
- if (pvt->res->options & RES_USE_INET6) {
- map_v4v6_address((char*)pvt->host_addr,
- (char*)pvt->host_addr);
- af = AF_INET6;
- len = IN6ADDRSZ;
- } else {
- af = AF_INET;
- len = INADDRSZ;
- }
- } else {
- goto again;
- }
- pvt->h_addr_ptrs[0] = (char *)pvt->host_addr;
- pvt->h_addr_ptrs[1] = NULL;
- pvt->host.h_addr_list = pvt->h_addr_ptrs;
- pvt->host.h_length = len;
- pvt->host.h_addrtype = af;
- while (*cp == ' ' || *cp == '\t')
- cp++;
- pvt->host.h_name = cp;
- q = pvt->host.h_aliases = pvt->host_aliases;
- if ((cp = strpbrk(cp, " \t")) != NULL)
- *cp++ = '\0';
- while (cp && *cp) {
- if (*cp == ' ' || *cp == '\t') {
- cp++;
- continue;
- }
- if (q < &pvt->host_aliases[MAXALIASES - 1])
- *q++ = cp;
- if ((cp = strpbrk(cp, " \t")) != NULL)
- *cp++ = '\0';
- }
- *q = NULL;
- if (dbuf)
- free(dbuf);
- RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
- return (&pvt->host);
-}
-
-static void
-ho_rewind(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp) {
- if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
- return;
- (void)fclose(pvt->fp);
- }
- if (!(pvt->fp = fopen(_PATH_HOSTS, "r")))
- return;
- if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
-}
-
-static void
-ho_minimize(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp != NULL) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
- if (pvt->res)
- res_nclose(pvt->res);
-}
-
-static struct __res_state *
-ho_res_get(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- ho_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-ho_res_set(struct irs_ho *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-}
-
-struct lcl_res_target {
- struct lcl_res_target *next;
- int family;
-};
-
-/* XXX */
-extern struct addrinfo *hostent2addrinfo __P((struct hostent *,
- const struct addrinfo *pai));
-
-static struct addrinfo *
-ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *hp;
- struct lcl_res_target q, q2, *p;
- struct addrinfo sentinel, *cur;
-
- memset(&q, 0, sizeof(q2));
- memset(&q2, 0, sizeof(q2));
- memset(&sentinel, 0, sizeof(sentinel));
- cur = &sentinel;
-
- switch(pai->ai_family) {
- case AF_UNSPEC: /* INET6 then INET4 */
- q.family = AF_INET6;
- q.next = &q2;
- q2.family = AF_INET;
- break;
- case AF_INET6:
- q.family = AF_INET6;
- break;
- case AF_INET:
- q.family = AF_INET;
- break;
- default:
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* ??? */
- return(NULL);
- }
-
- for (p = &q; p; p = p->next) {
- struct addrinfo *ai;
-
- hp = (*this->byname2)(this, name, p->family);
- if (hp == NULL) {
- /* byname2 should've set an appropriate error */
- continue;
- }
- if ((hp->h_name == NULL) || (hp->h_name[0] == 0) ||
- (hp->h_addr_list[0] == NULL)) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- continue;
- }
-
- ai = hostent2addrinfo(hp, pai);
- if (ai) {
- cur->ai_next = ai;
- while (cur && cur->ai_next)
- cur = cur->ai_next;
- }
- }
-
- if (sentinel.ai_next == NULL)
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
-
- return(sentinel.ai_next);
-}
-
-/* Private. */
-
-static size_t
-ns_namelen(const char *s) {
- int i;
-
- for (i = strlen(s); i > 0 && s[i-1] == '.'; i--)
- (void)NULL;
- return ((size_t) i);
-}
-
-static int
-init(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !ho_res_get(this))
- return (-1);
- if (((pvt->res->options & RES_INIT) == 0U) &&
- res_ninit(pvt->res) == -1)
- return (-1);
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/irs/lcl_ng.c b/contrib/bind9/lib/bind/irs/lcl_ng.c
deleted file mode 100644
index 3c678f273eee..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_ng.c
+++ /dev/null
@@ -1,444 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: lcl_ng.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "lcl_p.h"
-
-/* Definitions */
-
-#define NG_HOST 0 /* Host name */
-#define NG_USER 1 /* User name */
-#define NG_DOM 2 /* and Domain name */
-#define LINSIZ 1024 /* Length of netgroup file line */
-
-/*
- * XXX Warning XXX
- * This code is a hack-and-slash special. It realy needs to be
- * rewritten with things like strdup, and realloc in mind.
- * More reasonable data structures would not be a bad thing.
- */
-
-/*
- * Static Variables and functions used by setnetgrent(), getnetgrent() and
- * endnetgrent().
- * There are two linked lists:
- * - linelist is just used by setnetgrent() to parse the net group file via.
- * parse_netgrp()
- * - netgrp is the list of entries for the current netgroup
- */
-struct linelist {
- struct linelist *l_next; /* Chain ptr. */
- int l_parsed; /* Flag for cycles */
- char * l_groupname; /* Name of netgroup */
- char * l_line; /* Netgroup entrie(s) to be parsed */
-};
-
-struct ng_old_struct {
- struct ng_old_struct *ng_next; /* Chain ptr */
- char * ng_str[3]; /* Field pointers, see below */
-};
-
-struct pvt {
- FILE *fp;
- struct linelist *linehead;
- struct ng_old_struct *nextgrp;
- struct {
- struct ng_old_struct *gr;
- char *grname;
- } grouphead;
-};
-
-/* Forward */
-
-static void ng_rewind(struct irs_ng *, const char*);
-static void ng_close(struct irs_ng *);
-static int ng_next(struct irs_ng *, const char **,
- const char **, const char **);
-static int ng_test(struct irs_ng *, const char *,
- const char *, const char *,
- const char *);
-static void ng_minimize(struct irs_ng *);
-
-static int parse_netgrp(struct irs_ng *, const char*);
-static struct linelist *read_for_group(struct irs_ng *, const char *);
-static void freelists(struct irs_ng *);
-
-/* Public */
-
-struct irs_ng *
-irs_lcl_ng(struct irs_acc *this) {
- struct irs_ng *ng;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if (!(ng = memget(sizeof *ng))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(ng, 0x5e, sizeof *ng);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(ng, sizeof *ng);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- ng->private = pvt;
- ng->close = ng_close;
- ng->next = ng_next;
- ng->test = ng_test;
- ng->rewind = ng_rewind;
- ng->minimize = ng_minimize;
- return (ng);
-}
-
-/* Methods */
-
-static void
-ng_close(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp != NULL)
- fclose(pvt->fp);
- freelists(this);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-/*
- * Parse the netgroup file looking for the netgroup and build the list
- * of netgrp structures. Let parse_netgrp() and read_for_group() do
- * most of the work.
- */
-static void
-ng_rewind(struct irs_ng *this, const char *group) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp != NULL && fseek(pvt->fp, SEEK_CUR, 0L) == -1) {
- fclose(pvt->fp);
- pvt->fp = NULL;
- }
-
- if (pvt->fp == NULL || pvt->grouphead.gr == NULL ||
- strcmp(group, pvt->grouphead.grname)) {
- freelists(this);
- if (pvt->fp != NULL)
- fclose(pvt->fp);
- pvt->fp = fopen(_PATH_NETGROUP, "r");
- if (pvt->fp != NULL) {
- if (parse_netgrp(this, group))
- freelists(this);
- if (!(pvt->grouphead.grname = strdup(group)))
- freelists(this);
- fclose(pvt->fp);
- pvt->fp = NULL;
- }
- }
- pvt->nextgrp = pvt->grouphead.gr;
-}
-
-/*
- * Get the next netgroup off the list.
- */
-static int
-ng_next(struct irs_ng *this, const char **host, const char **user,
- const char **domain)
-{
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->nextgrp) {
- *host = pvt->nextgrp->ng_str[NG_HOST];
- *user = pvt->nextgrp->ng_str[NG_USER];
- *domain = pvt->nextgrp->ng_str[NG_DOM];
- pvt->nextgrp = pvt->nextgrp->ng_next;
- return (1);
- }
- return (0);
-}
-
-/*
- * Search for a match in a netgroup.
- */
-static int
-ng_test(struct irs_ng *this, const char *name,
- const char *host, const char *user, const char *domain)
-{
- const char *ng_host, *ng_user, *ng_domain;
-
- ng_rewind(this, name);
- while (ng_next(this, &ng_host, &ng_user, &ng_domain))
- if ((host == NULL || ng_host == NULL ||
- !strcmp(host, ng_host)) &&
- (user == NULL || ng_user == NULL ||
- !strcmp(user, ng_user)) &&
- (domain == NULL || ng_domain == NULL ||
- !strcmp(domain, ng_domain))) {
- freelists(this);
- return (1);
- }
- freelists(this);
- return (0);
-}
-
-static void
-ng_minimize(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp != NULL) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
-}
-
-/* Private */
-
-/*
- * endnetgrent() - cleanup
- */
-static void
-freelists(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct linelist *lp, *olp;
- struct ng_old_struct *gp, *ogp;
-
- lp = pvt->linehead;
- while (lp) {
- olp = lp;
- lp = lp->l_next;
- free(olp->l_groupname);
- free(olp->l_line);
- free((char *)olp);
- }
- pvt->linehead = NULL;
- if (pvt->grouphead.grname) {
- free(pvt->grouphead.grname);
- pvt->grouphead.grname = NULL;
- }
- gp = pvt->grouphead.gr;
- while (gp) {
- ogp = gp;
- gp = gp->ng_next;
- if (ogp->ng_str[NG_HOST])
- free(ogp->ng_str[NG_HOST]);
- if (ogp->ng_str[NG_USER])
- free(ogp->ng_str[NG_USER]);
- if (ogp->ng_str[NG_DOM])
- free(ogp->ng_str[NG_DOM]);
- free((char *)ogp);
- }
- pvt->grouphead.gr = NULL;
-}
-
-/*
- * Parse the netgroup file setting up the linked lists.
- */
-static int
-parse_netgrp(struct irs_ng *this, const char *group) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *spos, *epos;
- int len, strpos;
- char *pos, *gpos;
- struct ng_old_struct *grp;
- struct linelist *lp = pvt->linehead;
-
- /*
- * First, see if the line has already been read in.
- */
- while (lp) {
- if (!strcmp(group, lp->l_groupname))
- break;
- lp = lp->l_next;
- }
- if (lp == NULL &&
- (lp = read_for_group(this, group)) == NULL)
- return (1);
- if (lp->l_parsed) {
- /*fprintf(stderr, "Cycle in netgroup %s\n", lp->l_groupname);*/
- return (1);
- } else
- lp->l_parsed = 1;
- pos = lp->l_line;
- while (*pos != '\0') {
- if (*pos == '(') {
- if (!(grp = malloc(sizeof (struct ng_old_struct)))) {
- freelists(this);
- errno = ENOMEM;
- return (1);
- }
- memset(grp, 0, sizeof (struct ng_old_struct));
- grp->ng_next = pvt->grouphead.gr;
- pvt->grouphead.gr = grp;
- pos++;
- gpos = strsep(&pos, ")");
- for (strpos = 0; strpos < 3; strpos++) {
- if ((spos = strsep(&gpos, ","))) {
- while (*spos == ' ' || *spos == '\t')
- spos++;
- if ((epos = strpbrk(spos, " \t"))) {
- *epos = '\0';
- len = epos - spos;
- } else
- len = strlen(spos);
- if (len > 0) {
- if(!(grp->ng_str[strpos]
- = (char *)
- malloc(len + 1))) {
- freelists(this);
- return (1);
- }
- memcpy(grp->ng_str[strpos],
- spos,
- len + 1);
- }
- } else
- goto errout;
- }
- } else {
- spos = strsep(&pos, ", \t");
- if (spos != NULL && parse_netgrp(this, spos)) {
- freelists(this);
- return (1);
- }
- }
- if (pos == NULL)
- break;
- while (*pos == ' ' || *pos == ',' || *pos == '\t')
- pos++;
- }
- return (0);
- errout:
- /*fprintf(stderr, "Bad netgroup %s at ..%s\n", lp->l_groupname,
- spos);*/
- return (1);
-}
-
-/*
- * Read the netgroup file and save lines until the line for the netgroup
- * is found. Return 1 if eof is encountered.
- */
-static struct linelist *
-read_for_group(struct irs_ng *this, const char *group) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *pos, *spos, *linep = NULL, *olinep;
- int len, olen, cont;
- struct linelist *lp;
- char line[LINSIZ + 1];
-
- while (fgets(line, LINSIZ, pvt->fp) != NULL) {
- pos = line;
- if (*pos == '#')
- continue;
- while (*pos == ' ' || *pos == '\t')
- pos++;
- spos = pos;
- while (*pos != ' ' && *pos != '\t' && *pos != '\n' &&
- *pos != '\0')
- pos++;
- len = pos - spos;
- while (*pos == ' ' || *pos == '\t')
- pos++;
- if (*pos != '\n' && *pos != '\0') {
- if (!(lp = malloc(sizeof (*lp)))) {
- freelists(this);
- return (NULL);
- }
- lp->l_parsed = 0;
- if (!(lp->l_groupname = malloc(len + 1))) {
- free(lp);
- freelists(this);
- return (NULL);
- }
- memcpy(lp->l_groupname, spos, len);
- *(lp->l_groupname + len) = '\0';
- len = strlen(pos);
- olen = 0;
- olinep = NULL;
-
- /*
- * Loop around handling line continuations.
- */
- do {
- if (*(pos + len - 1) == '\n')
- len--;
- if (*(pos + len - 1) == '\\') {
- len--;
- cont = 1;
- } else
- cont = 0;
- if (len > 0) {
- if (!(linep = malloc(olen + len + 1))){
- if (olen > 0)
- free(olinep);
- free(lp->l_groupname);
- free(lp);
- freelists(this);
- errno = ENOMEM;
- return (NULL);
- }
- if (olen > 0) {
- memcpy(linep, olinep, olen);
- free(olinep);
- }
- memcpy(linep + olen, pos, len);
- olen += len;
- *(linep + olen) = '\0';
- olinep = linep;
- }
- if (cont) {
- if (fgets(line, LINSIZ, pvt->fp)) {
- pos = line;
- len = strlen(pos);
- } else
- cont = 0;
- }
- } while (cont);
- lp->l_line = linep;
- lp->l_next = pvt->linehead;
- pvt->linehead = lp;
-
- /*
- * If this is the one we wanted, we are done.
- */
- if (!strcmp(lp->l_groupname, group))
- return (lp);
- }
- }
- return (NULL);
-}
diff --git a/contrib/bind9/lib/bind/irs/lcl_nw.c b/contrib/bind9/lib/bind/irs/lcl_nw.c
deleted file mode 100644
index 7d04672c94d1..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_nw.c
+++ /dev/null
@@ -1,371 +0,0 @@
-/*
- * Copyright (c) 1989, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_nw.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
-/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
-/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "port_after.h"
-
-#include <isc/misc.h>
-#include "irs_p.h"
-#include "lcl_p.h"
-
-#define MAXALIASES 35
-#define MAXADDRSIZE 4
-
-struct pvt {
- FILE * fp;
- char line[BUFSIZ+1];
- struct nwent net;
- char * aliases[MAXALIASES];
- char addr[MAXADDRSIZE];
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-/* Forward */
-
-static void nw_close(struct irs_nw *);
-static struct nwent * nw_byname(struct irs_nw *, const char *, int);
-static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
-static struct nwent * nw_next(struct irs_nw *);
-static void nw_rewind(struct irs_nw *);
-static void nw_minimize(struct irs_nw *);
-static struct __res_state * nw_res_get(struct irs_nw *this);
-static void nw_res_set(struct irs_nw *this,
- struct __res_state *res,
- void (*free_res)(void *));
-
-static int init(struct irs_nw *this);
-
-/* Portability. */
-
-#ifndef SEEK_SET
-# define SEEK_SET 0
-#endif
-
-/* Public */
-
-struct irs_nw *
-irs_lcl_nw(struct irs_acc *this) {
- struct irs_nw *nw;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(nw = memget(sizeof *nw))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(nw, 0x5e, sizeof *nw);
- nw->private = pvt;
- nw->close = nw_close;
- nw->byname = nw_byname;
- nw->byaddr = nw_byaddr;
- nw->next = nw_next;
- nw->rewind = nw_rewind;
- nw->minimize = nw_minimize;
- nw->res_get = nw_res_get;
- nw->res_set = nw_res_set;
- return (nw);
-}
-
-/* Methods */
-
-static void
-nw_close(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- nw_minimize(this);
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
- if (pvt->fp)
- (void)fclose(pvt->fp);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct nwent *
-nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
- struct nwent *p;
-
- if (init(this) == -1)
- return(NULL);
-
- nw_rewind(this);
- while ((p = nw_next(this)) != NULL)
- if (p->n_addrtype == type && p->n_length == length)
- if (bitncmp(p->n_addr, net, length) == 0)
- break;
- return (p);
-}
-
-static struct nwent *
-nw_byname(struct irs_nw *this, const char *name, int type) {
- struct nwent *p;
- char **ap;
-
- if (init(this) == -1)
- return(NULL);
-
- nw_rewind(this);
- while ((p = nw_next(this)) != NULL) {
- if (ns_samename(p->n_name, name) == 1 &&
- p->n_addrtype == type)
- break;
- for (ap = p->n_aliases; *ap; ap++)
- if ((ns_samename(*ap, name) == 1) &&
- (p->n_addrtype == type))
- goto found;
- }
- found:
- return (p);
-}
-
-static void
-nw_rewind(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp) {
- if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
- return;
- (void)fclose(pvt->fp);
- }
- if (!(pvt->fp = fopen(_PATH_NETWORKS, "r")))
- return;
- if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
-}
-
-static struct nwent *
-nw_next(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct nwent *ret = NULL;
- char *p, *cp, **q;
- char *bufp, *ndbuf, *dbuf = NULL;
- int c, bufsiz, offset = 0;
-
- if (init(this) == -1)
- return(NULL);
-
- if (pvt->fp == NULL)
- nw_rewind(this);
- if (pvt->fp == NULL) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- bufp = pvt->line;
- bufsiz = sizeof(pvt->line);
-
- again:
- p = fgets(bufp + offset, bufsiz - offset, pvt->fp);
- if (p == NULL)
- goto cleanup;
- if (!strchr(p, '\n') && !feof(pvt->fp)) {
-#define GROWBUF 1024
- /* allocate space for longer line */
- if (dbuf == NULL) {
- if ((ndbuf = malloc(bufsiz + GROWBUF)) != NULL)
- strcpy(ndbuf, bufp);
- } else
- ndbuf = realloc(dbuf, bufsiz + GROWBUF);
- if (ndbuf) {
- dbuf = ndbuf;
- bufp = dbuf;
- bufsiz += GROWBUF;
- offset = strlen(dbuf);
- } else {
- /* allocation failed; skip this long line */
- while ((c = getc(pvt->fp)) != EOF)
- if (c == '\n')
- break;
- if (c != EOF)
- ungetc(c, pvt->fp);
- }
- goto again;
- }
-
- p -= offset;
- offset = 0;
-
- if (*p == '#')
- goto again;
-
- cp = strpbrk(p, "#\n");
- if (cp != NULL)
- *cp = '\0';
- pvt->net.n_name = p;
- cp = strpbrk(p, " \t");
- if (cp == NULL)
- goto again;
- *cp++ = '\0';
- while (*cp == ' ' || *cp == '\t')
- cp++;
- p = strpbrk(cp, " \t");
- if (p != NULL)
- *p++ = '\0';
- pvt->net.n_length = inet_net_pton(AF_INET, cp, pvt->addr,
- sizeof pvt->addr);
- if (pvt->net.n_length < 0)
- goto again;
- pvt->net.n_addrtype = AF_INET;
- pvt->net.n_addr = pvt->addr;
- q = pvt->net.n_aliases = pvt->aliases;
- if (p != NULL) {
- cp = p;
- while (cp && *cp) {
- if (*cp == ' ' || *cp == '\t') {
- cp++;
- continue;
- }
- if (q < &pvt->aliases[MAXALIASES - 1])
- *q++ = cp;
- cp = strpbrk(cp, " \t");
- if (cp != NULL)
- *cp++ = '\0';
- }
- }
- *q = NULL;
- ret = &pvt->net;
-
- cleanup:
- if (dbuf)
- free(dbuf);
-
- return (ret);
-}
-
-static void
-nw_minimize(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res)
- res_nclose(pvt->res);
- if (pvt->fp != NULL) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
-}
-
-static struct __res_state *
-nw_res_get(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- nw_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-nw_res_set(struct irs_nw *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-}
-
-static int
-init(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !nw_res_get(this))
- return (-1);
- if (((pvt->res->options & RES_INIT) == 0U) &&
- res_ninit(pvt->res) == -1)
- return (-1);
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/irs/lcl_p.h b/contrib/bind9/lib/bind/irs/lcl_p.h
deleted file mode 100644
index 44dd621e4411..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_p.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: lcl_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
- */
-
-/*
- * lcl_p.h - private include file for the local accessor functions.
- */
-
-#ifndef _LCL_P_H_INCLUDED
-#define _LCL_P_H_INCLUDED
-
-/*
- * Object state.
- */
-struct lcl_p {
- struct __res_state * res;
- void (*free_res) __P((void *));
-};
-
-/*
- * Externs.
- */
-
-extern struct irs_acc * irs_lcl_acc __P((const char *));
-extern struct irs_gr * irs_lcl_gr __P((struct irs_acc *));
-extern struct irs_pw * irs_lcl_pw __P((struct irs_acc *));
-extern struct irs_sv * irs_lcl_sv __P((struct irs_acc *));
-extern struct irs_pr * irs_lcl_pr __P((struct irs_acc *));
-extern struct irs_ho * irs_lcl_ho __P((struct irs_acc *));
-extern struct irs_nw * irs_lcl_nw __P((struct irs_acc *));
-extern struct irs_ng * irs_lcl_ng __P((struct irs_acc *));
-
-#endif /*_LCL_P_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/irs/lcl_pr.c b/contrib/bind9/lib/bind/irs/lcl_pr.c
deleted file mode 100644
index d8f909e89f98..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_pr.c
+++ /dev/null
@@ -1,284 +0,0 @@
-/*
- * Copyright (c) 1989, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* extern */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "lcl_p.h"
-
-#ifndef _PATH_PROTOCOLS
-#define _PATH_PROTOCOLS "/etc/protocols"
-#endif
-#define MAXALIASES 35
-
-/* Types */
-
-struct pvt {
- FILE * fp;
- char line[BUFSIZ+1];
- struct protoent proto;
- char * proto_aliases[MAXALIASES];
-};
-
-/* Forward */
-
-static void pr_close(struct irs_pr *);
-static struct protoent * pr_next(struct irs_pr *);
-static struct protoent * pr_byname(struct irs_pr *, const char *);
-static struct protoent * pr_bynumber(struct irs_pr *, int);
-static void pr_rewind(struct irs_pr *);
-static void pr_minimize(struct irs_pr *);
-
-/* Portability. */
-
-#ifndef SEEK_SET
-# define SEEK_SET 0
-#endif
-
-/* Public */
-
-struct irs_pr *
-irs_lcl_pr(struct irs_acc *this) {
- struct irs_pr *pr;
- struct pvt *pvt;
-
- if (!(pr = memget(sizeof *pr))) {
- errno = ENOMEM;
- return (NULL);
- }
- if (!(pvt = memget(sizeof *pvt))) {
- memput(pr, sizeof *this);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pr->private = pvt;
- pr->close = pr_close;
- pr->byname = pr_byname;
- pr->bynumber = pr_bynumber;
- pr->next = pr_next;
- pr->rewind = pr_rewind;
- pr->minimize = pr_minimize;
- pr->res_get = NULL;
- pr->res_set = NULL;
- return (pr);
-}
-
-/* Methods */
-
-static void
-pr_close(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp)
- (void) fclose(pvt->fp);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct protoent *
-pr_byname(struct irs_pr *this, const char *name) {
-
- struct protoent *p;
- char **cp;
-
- pr_rewind(this);
- while ((p = pr_next(this))) {
- if (!strcmp(p->p_name, name))
- goto found;
- for (cp = p->p_aliases; *cp; cp++)
- if (!strcmp(*cp, name))
- goto found;
- }
- found:
- return (p);
-}
-
-static struct protoent *
-pr_bynumber(struct irs_pr *this, int proto) {
- struct protoent *p;
-
- pr_rewind(this);
- while ((p = pr_next(this)))
- if (p->p_proto == proto)
- break;
- return (p);
-}
-
-static void
-pr_rewind(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp) {
- if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
- return;
- (void)fclose(pvt->fp);
- }
- if (!(pvt->fp = fopen(_PATH_PROTOCOLS, "r" )))
- return;
- if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
-}
-
-static struct protoent *
-pr_next(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *p, *cp, **q;
- char *bufp, *ndbuf, *dbuf = NULL;
- int c, bufsiz, offset;
-
- if (!pvt->fp)
- pr_rewind(this);
- if (!pvt->fp)
- return (NULL);
- bufp = pvt->line;
- bufsiz = BUFSIZ;
- offset = 0;
- again:
- if ((p = fgets(bufp + offset, bufsiz - offset, pvt->fp)) == NULL) {
- if (dbuf)
- free(dbuf);
- return (NULL);
- }
- if (!strchr(p, '\n') && !feof(pvt->fp)) {
-#define GROWBUF 1024
- /* allocate space for longer line */
- if (dbuf == NULL) {
- if ((ndbuf = malloc(bufsiz + GROWBUF)) != NULL)
- strcpy(ndbuf, bufp);
- } else
- ndbuf = realloc(dbuf, bufsiz + GROWBUF);
- if (ndbuf) {
- dbuf = ndbuf;
- bufp = dbuf;
- bufsiz += GROWBUF;
- offset = strlen(dbuf);
- } else {
- /* allocation failed; skip this long line */
- while ((c = getc(pvt->fp)) != EOF)
- if (c == '\n')
- break;
- if (c != EOF)
- ungetc(c, pvt->fp);
- }
- goto again;
- }
-
- p -= offset;
- offset = 0;
-
- if (*p == '#')
- goto again;
- cp = strpbrk(p, "#\n");
- if (cp != NULL)
- *cp = '\0';
- pvt->proto.p_name = p;
- cp = strpbrk(p, " \t");
- if (cp == NULL)
- goto again;
- *cp++ = '\0';
- while (*cp == ' ' || *cp == '\t')
- cp++;
- p = strpbrk(cp, " \t");
- if (p != NULL)
- *p++ = '\0';
- pvt->proto.p_proto = atoi(cp);
- q = pvt->proto.p_aliases = pvt->proto_aliases;
- if (p != NULL) {
- cp = p;
- while (cp && *cp) {
- if (*cp == ' ' || *cp == '\t') {
- cp++;
- continue;
- }
- if (q < &pvt->proto_aliases[MAXALIASES - 1])
- *q++ = cp;
- cp = strpbrk(cp, " \t");
- if (cp != NULL)
- *cp++ = '\0';
- }
- }
- *q = NULL;
- return (&pvt->proto);
-}
-
-static void
-pr_minimize(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->fp != NULL) {
- (void)fclose(pvt->fp);
- pvt->fp = NULL;
- }
-}
diff --git a/contrib/bind9/lib/bind/irs/lcl_pw.c b/contrib/bind9/lib/bind/irs/lcl_pw.c
deleted file mode 100644
index dc31dd2296d6..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_pw.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- * Copyright (c) 1989, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_pw.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Extern */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_PW
-static int __bind_irs_pw_unneeded;
-#else
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <db.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <utmp.h>
-#include <unistd.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "lcl_p.h"
-
-/*
- * The lookup techniques and data extraction code here must be kept
- * in sync with that in `pwd_mkdb'.
- */
-
-
-/* Types */
-
-struct pvt {
- struct passwd passwd; /* password structure */
- DB *pw_db; /* password database */
- int pw_keynum; /* key counter */
- int warned;
- u_int max;
- char * line;
-};
-
-/* Forward */
-
-static void pw_close(struct irs_pw *);
-static struct passwd * pw_next(struct irs_pw *);
-static struct passwd * pw_byname(struct irs_pw *, const char *);
-static struct passwd * pw_byuid(struct irs_pw *, uid_t);
-static void pw_rewind(struct irs_pw *);
-static void pw_minimize(struct irs_pw *);
-
-static int initdb(struct pvt *);
-static int hashpw(struct irs_pw *, DBT *);
-
-/* Public */
-struct irs_pw *
-irs_lcl_pw(struct irs_acc *this) {
- struct irs_pw *pw;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if (!(pw = memget(sizeof *pw))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pw, 0x5e, sizeof *pw);
- if (!(pvt = memget(sizeof *pvt))) {
- free(pw);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pw->private = pvt;
- pw->close = pw_close;
- pw->next = pw_next;
- pw->byname = pw_byname;
- pw->byuid = pw_byuid;
- pw->rewind = pw_rewind;
- pw->minimize = pw_minimize;
- pw->res_get = NULL;
- pw->res_set = NULL;
- return (pw);
-}
-
-/* Methods */
-
-static void
-pw_close(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->pw_db) {
- (void)(pvt->pw_db->close)(pvt->pw_db);
- pvt->pw_db = NULL;
- }
- if (pvt->line)
- memput(pvt->line, pvt->max);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct passwd *
-pw_next(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- DBT key;
- char bf[sizeof(pvt->pw_keynum) + 1];
-
- if (!initdb(pvt))
- return (NULL);
-
- ++pvt->pw_keynum;
- bf[0] = _PW_KEYBYNUM;
- memcpy(bf + 1, (char *)&pvt->pw_keynum, sizeof(pvt->pw_keynum));
- key.data = (u_char *)bf;
- key.size = sizeof(pvt->pw_keynum) + 1;
- return (hashpw(this, &key) ? &pvt->passwd : NULL);
-}
-
-static struct passwd *
-pw_byname(struct irs_pw *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- DBT key;
- int len, rval;
- char bf[UT_NAMESIZE + 1];
-
- if (!initdb(pvt))
- return (NULL);
-
- bf[0] = _PW_KEYBYNAME;
- len = strlen(name);
- memcpy(bf + 1, name, MIN(len, UT_NAMESIZE));
- key.data = (u_char *)bf;
- key.size = len + 1;
- rval = hashpw(this, &key);
-
- return (rval ? &pvt->passwd : NULL);
-}
-
-
-static struct passwd *
-pw_byuid(struct irs_pw *this, uid_t uid) {
- struct pvt *pvt = (struct pvt *)this->private;
- DBT key;
- int keyuid, rval;
- char bf[sizeof(keyuid) + 1];
-
- if (!initdb(pvt))
- return (NULL);
-
- bf[0] = _PW_KEYBYUID;
- keyuid = uid;
- memcpy(bf + 1, &keyuid, sizeof(keyuid));
- key.data = (u_char *)bf;
- key.size = sizeof(keyuid) + 1;
- rval = hashpw(this, &key);
-
- return (rval ? &pvt->passwd : NULL);
-}
-
-static void
-pw_rewind(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pvt->pw_keynum = 0;
-}
-
-static void
-pw_minimize(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->pw_db != NULL) {
- (void) (*pvt->pw_db->close)(pvt->pw_db);
- pvt->pw_db = NULL;
- }
-}
-
-/* Private. */
-
-static int
-initdb(struct pvt *pvt) {
- const char *p;
-
- if (pvt->pw_db) {
- if (lseek((*pvt->pw_db->fd)(pvt->pw_db), 0L, SEEK_CUR) >= 0L)
- return (1);
- else
- (void) (*pvt->pw_db->close)(pvt->pw_db);
- }
- pvt->pw_db = dbopen((p = _PATH_SMP_DB), O_RDONLY, 0, DB_HASH, NULL);
- if (!pvt->pw_db)
- pvt->pw_db = dbopen((p =_PATH_MP_DB), O_RDONLY,
- 0, DB_HASH, NULL);
- if (pvt->pw_db)
- return (1);
- if (!pvt->warned) {
- syslog(LOG_ERR, "%s: %m", p);
- pvt->warned++;
- }
- return (0);
-}
-
-static int
-hashpw(struct irs_pw *this, DBT *key) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *p, *t, *l;
- DBT data;
-
- if ((pvt->pw_db->get)(pvt->pw_db, key, &data, 0))
- return (0);
- p = (char *)data.data;
- if (data.size > pvt->max) {
- size_t newlen = pvt->max + 1024;
- char *p = memget(newlen);
- if (p == NULL) {
- return (0);
- }
- if (pvt->line != NULL) {
- memcpy(p, pvt->line, pvt->max);
- memput(pvt->line, pvt->max);
- }
- pvt->max = newlen;
- pvt->line = p;
- }
-
- /* THIS CODE MUST MATCH THAT IN pwd_mkdb. */
- t = pvt->line;
- l = pvt->line + pvt->max;
-#define EXPAND(e) if ((e = t) == NULL) return (0); else \
- do if (t >= l) return (0); while ((*t++ = *p++) != '\0')
-#define SCALAR(v) if (t + sizeof v >= l) return (0); else \
- (memmove(&(v), p, sizeof v), p += sizeof v)
- EXPAND(pvt->passwd.pw_name);
- EXPAND(pvt->passwd.pw_passwd);
- SCALAR(pvt->passwd.pw_uid);
- SCALAR(pvt->passwd.pw_gid);
- SCALAR(pvt->passwd.pw_change);
- EXPAND(pvt->passwd.pw_class);
- EXPAND(pvt->passwd.pw_gecos);
- EXPAND(pvt->passwd.pw_dir);
- EXPAND(pvt->passwd.pw_shell);
- SCALAR(pvt->passwd.pw_expire);
- return (1);
-}
-
-#endif /* WANT_IRS_PW */
diff --git a/contrib/bind9/lib/bind/irs/lcl_sv.c b/contrib/bind9/lib/bind/irs/lcl_sv.c
deleted file mode 100644
index b407d7f88745..000000000000
--- a/contrib/bind9/lib/bind/irs/lcl_sv.c
+++ /dev/null
@@ -1,431 +0,0 @@
-/*
- * Copyright (c) 1989, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: lcl_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* extern */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#ifdef IRS_LCL_SV_DB
-#include <db.h>
-#endif
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "lcl_p.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/* Types */
-
-struct pvt {
-#ifdef IRS_LCL_SV_DB
- DB * dbh;
- int dbf;
-#endif
- struct lcl_sv sv;
-};
-
-/* Forward */
-
-static void sv_close(struct irs_sv*);
-static struct servent * sv_next(struct irs_sv *);
-static struct servent * sv_byname(struct irs_sv *, const char *,
- const char *);
-static struct servent * sv_byport(struct irs_sv *, int, const char *);
-static void sv_rewind(struct irs_sv *);
-static void sv_minimize(struct irs_sv *);
-/*global*/ struct servent * irs_lclsv_fnxt(struct lcl_sv *);
-#ifdef IRS_LCL_SV_DB
-static struct servent * sv_db_rec(struct lcl_sv *, DBT *, DBT *);
-#endif
-
-/* Portability */
-
-#ifndef SEEK_SET
-# define SEEK_SET 0
-#endif
-
-/* Public */
-
-struct irs_sv *
-irs_lcl_sv(struct irs_acc *this) {
- struct irs_sv *sv;
- struct pvt *pvt;
-
- UNUSED(this);
-
- if ((sv = memget(sizeof *sv)) == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(sv, 0x5e, sizeof *sv);
- if ((pvt = memget(sizeof *pvt)) == NULL) {
- memput(sv, sizeof *sv);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- sv->private = pvt;
- sv->close = sv_close;
- sv->next = sv_next;
- sv->byname = sv_byname;
- sv->byport = sv_byport;
- sv->rewind = sv_rewind;
- sv->minimize = sv_minimize;
- sv->res_get = NULL;
- sv->res_set = NULL;
-#ifdef IRS_LCL_SV_DB
- pvt->dbf = R_FIRST;
-#endif
- return (sv);
-}
-
-/* Methods */
-
-static void
-sv_close(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
-#ifdef IRS_LCL_SV_DB
- if (pvt->dbh != NULL)
- (*pvt->dbh->close)(pvt->dbh);
-#endif
- if (pvt->sv.fp)
- fclose(pvt->sv.fp);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct servent *
-sv_byname(struct irs_sv *this, const char *name, const char *proto) {
-#ifdef IRS_LCL_SV_DB
- struct pvt *pvt = (struct pvt *)this->private;
-#endif
- struct servent *p;
- char **cp;
-
- sv_rewind(this);
-#ifdef IRS_LCL_SV_DB
- if (pvt->dbh != NULL) {
- DBT key, data;
-
- /* Note that (sizeof "/") == 2. */
- if ((strlen(name) + sizeof "/" + proto ? strlen(proto) : 0)
- > sizeof pvt->sv.line)
- goto try_local;
- key.data = pvt->sv.line;
- key.size = SPRINTF((pvt->sv.line, "%s/%s", name,
- proto ? proto : "")) + 1;
- if (proto != NULL) {
- if ((*pvt->dbh->get)(pvt->dbh, &key, &data, 0) != 0)
- return (NULL);
- } else if ((*pvt->dbh->seq)(pvt->dbh, &key, &data, R_CURSOR)
- != 0)
- return (NULL);
- return (sv_db_rec(&pvt->sv, &key, &data));
- }
- try_local:
-#endif
-
- while ((p = sv_next(this))) {
- if (strcmp(name, p->s_name) == 0)
- goto gotname;
- for (cp = p->s_aliases; *cp; cp++)
- if (strcmp(name, *cp) == 0)
- goto gotname;
- continue;
- gotname:
- if (proto == NULL || strcmp(p->s_proto, proto) == 0)
- break;
- }
- return (p);
-}
-
-static struct servent *
-sv_byport(struct irs_sv *this, int port, const char *proto) {
-#ifdef IRS_LCL_SV_DB
- struct pvt *pvt = (struct pvt *)this->private;
-#endif
- struct servent *p;
-
- sv_rewind(this);
-#ifdef IRS_LCL_SV_DB
- if (pvt->dbh != NULL) {
- DBT key, data;
- u_short *ports;
-
- ports = (u_short *)pvt->sv.line;
- ports[0] = 0;
- ports[1] = port;
- key.data = ports;
- key.size = sizeof(u_short) * 2;
- if (proto && *proto) {
- strncpy((char *)ports + key.size, proto,
- BUFSIZ - key.size);
- key.size += strlen((char *)ports + key.size) + 1;
- if ((*pvt->dbh->get)(pvt->dbh, &key, &data, 0) != 0)
- return (NULL);
- } else {
- if ((*pvt->dbh->seq)(pvt->dbh, &key, &data, R_CURSOR)
- != 0)
- return (NULL);
- }
- return (sv_db_rec(&pvt->sv, &key, &data));
- }
-#endif
- while ((p = sv_next(this))) {
- if (p->s_port != port)
- continue;
- if (proto == NULL || strcmp(p->s_proto, proto) == 0)
- break;
- }
- return (p);
-}
-
-static void
-sv_rewind(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->sv.fp) {
- if (fseek(pvt->sv.fp, 0L, SEEK_SET) == 0)
- return;
- (void)fclose(pvt->sv.fp);
- pvt->sv.fp = NULL;
- }
-#ifdef IRS_LCL_SV_DB
- pvt->dbf = R_FIRST;
- if (pvt->dbh != NULL)
- return;
- pvt->dbh = dbopen(_PATH_SERVICES_DB, O_RDONLY,O_RDONLY,DB_BTREE, NULL);
- if (pvt->dbh != NULL) {
- if (fcntl((*pvt->dbh->fd)(pvt->dbh), F_SETFD, 1) < 0) {
- (*pvt->dbh->close)(pvt->dbh);
- pvt->dbh = NULL;
- }
- return;
- }
-#endif
- if ((pvt->sv.fp = fopen(_PATH_SERVICES, "r")) == NULL)
- return;
- if (fcntl(fileno(pvt->sv.fp), F_SETFD, 1) < 0) {
- (void)fclose(pvt->sv.fp);
- pvt->sv.fp = NULL;
- }
-}
-
-static struct servent *
-sv_next(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
-#ifdef IRS_LCL_SV_DB
- if (pvt->dbh == NULL && pvt->sv.fp == NULL)
-#else
- if (pvt->sv.fp == NULL)
-#endif
- sv_rewind(this);
-
-#ifdef IRS_LCL_SV_DB
- if (pvt->dbh != NULL) {
- DBT key, data;
-
- while ((*pvt->dbh->seq)(pvt->dbh, &key, &data, pvt->dbf) == 0){
- pvt->dbf = R_NEXT;
- if (((char *)key.data)[0])
- continue;
- return (sv_db_rec(&pvt->sv, &key, &data));
- }
- }
-#endif
-
- if (pvt->sv.fp == NULL)
- return (NULL);
- return (irs_lclsv_fnxt(&pvt->sv));
-}
-
-static void
-sv_minimize(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
-#ifdef IRS_LCL_SV_DB
- if (pvt->dbh != NULL) {
- (*pvt->dbh->close)(pvt->dbh);
- pvt->dbh = NULL;
- }
-#endif
- if (pvt->sv.fp != NULL) {
- (void)fclose(pvt->sv.fp);
- pvt->sv.fp = NULL;
- }
-}
-
-/* Quasipublic. */
-
-struct servent *
-irs_lclsv_fnxt(struct lcl_sv *sv) {
- char *p, *cp, **q;
-
- again:
- if ((p = fgets(sv->line, BUFSIZ, sv->fp)) == NULL)
- return (NULL);
- if (*p == '#')
- goto again;
- sv->serv.s_name = p;
- while (*p && *p != '\n' && *p != ' ' && *p != '\t' && *p != '#')
- ++p;
- if (*p == '\0' || *p == '#' || *p == '\n')
- goto again;
- *p++ = '\0';
- while (*p == ' ' || *p == '\t')
- p++;
- if (*p == '\0' || *p == '#' || *p == '\n')
- goto again;
- sv->serv.s_port = htons((u_short)strtol(p, &cp, 10));
- if (cp == p || (*cp != '/' && *cp != ','))
- goto again;
- p = cp + 1;
- sv->serv.s_proto = p;
-
- q = sv->serv.s_aliases = sv->serv_aliases;
-
- while (*p && *p != '\n' && *p != ' ' && *p != '\t' && *p != '#')
- ++p;
-
- while (*p == ' ' || *p == '\t') {
- *p++ = '\0';
- while (*p == ' ' || *p == '\t')
- ++p;
- if (*p == '\0' || *p == '#' || *p == '\n')
- break;
- if (q < &sv->serv_aliases[IRS_SV_MAXALIASES - 1])
- *q++ = p;
- while (*p && *p != '\n' && *p != ' ' && *p != '\t' && *p != '#')
- ++p;
- }
-
- *p = '\0';
- *q = NULL;
- return (&sv->serv);
-}
-
-/* Private. */
-
-#ifdef IRS_LCL_SV_DB
-static struct servent *
-sv_db_rec(struct lcl_sv *sv, DBT *key, DBT *data) {
- char *p, **q;
- int n;
-
- p = data->data;
- p[data->size - 1] = '\0'; /* should be, but we depend on it */
-
- if (((char *)key->data)[0] == '\0') {
- if (key->size < sizeof(u_short)*2 || data->size < 2)
- return (NULL);
- sv->serv.s_port = ((u_short *)key->data)[1];
- n = strlen(p) + 1;
- if ((size_t)n > sizeof(sv->line)) {
- n = sizeof(sv->line);
- }
- memcpy(sv->line, p, n);
- sv->serv.s_name = sv->line;
- if ((sv->serv.s_proto = strchr(sv->line, '/')) != NULL)
- *(sv->serv.s_proto)++ = '\0';
- p += n;
- data->size -= n;
- } else {
- if (data->size < sizeof(u_short) + 1)
- return (NULL);
- if (key->size > sizeof(sv->line))
- key->size = sizeof(sv->line);
- ((char *)key->data)[key->size - 1] = '\0';
- memcpy(sv->line, key->data, key->size);
- sv->serv.s_name = sv->line;
- if ((sv->serv.s_proto = strchr(sv->line, '/')) != NULL)
- *(sv->serv.s_proto)++ = '\0';
- sv->serv.s_port = *(u_short *)data->data;
- p += sizeof(u_short);
- data->size -= sizeof(u_short);
- }
- q = sv->serv.s_aliases = sv->serv_aliases;
- while (data->size > 0 && q < &sv->serv_aliases[IRS_SV_MAXALIASES - 1]) {
-
- *q++ = p;
- n = strlen(p) + 1;
- data->size -= n;
- p += n;
- }
- *q = NULL;
- return (&sv->serv);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/irs/nis.c b/contrib/bind9/lib/bind/irs/nis.c
deleted file mode 100644
index 70eaaedb10d1..000000000000
--- a/contrib/bind9/lib/bind/irs/nis.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifdef WANT_IRS_NIS
-
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#ifdef T_NULL
-#undef T_NULL /* Silence re-definition warning of T_NULL. */
-#endif
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "hesiod.h"
-#include "nis_p.h"
-
-/* Forward */
-
-static void nis_close(struct irs_acc *);
-static struct __res_state * nis_res_get(struct irs_acc *);
-static void nis_res_set(struct irs_acc *, struct __res_state *,
- void (*)(void *));
-
-/* Public */
-
-struct irs_acc *
-irs_nis_acc(const char *options) {
- struct nis_p *nis;
- struct irs_acc *acc;
- char *domain;
-
- UNUSED(options);
-
- if (yp_get_default_domain(&domain) != 0)
- return (NULL);
- if (!(nis = memget(sizeof *nis))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(nis, 0, sizeof *nis);
- if (!(acc = memget(sizeof *acc))) {
- memput(nis, sizeof *nis);
- errno = ENOMEM;
- return (NULL);
- }
- memset(acc, 0x5e, sizeof *acc);
- acc->private = nis;
- nis->domain = strdup(domain);
-#ifdef WANT_IRS_GR
- acc->gr_map = irs_nis_gr;
-#else
- acc->gr_map = NULL;
-#endif
-#ifdef WANT_IRS_PW
- acc->pw_map = irs_nis_pw;
-#else
- acc->pw_map = NULL;
-#endif
- acc->sv_map = irs_nis_sv;
- acc->pr_map = irs_nis_pr;
- acc->ho_map = irs_nis_ho;
- acc->nw_map = irs_nis_nw;
- acc->ng_map = irs_nis_ng;
- acc->res_get = nis_res_get;
- acc->res_set = nis_res_set;
- acc->close = nis_close;
- return (acc);
-}
-
-/* Methods */
-
-static struct __res_state *
-nis_res_get(struct irs_acc *this) {
- struct nis_p *nis = (struct nis_p *)this->private;
-
- if (nis->res == NULL) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (res == NULL)
- return (NULL);
- memset(res, 0, sizeof *res);
- nis_res_set(this, res, free);
- }
-
- if ((nis->res->options & RES_INIT) == 0 &&
- res_ninit(nis->res) < 0)
- return (NULL);
-
- return (nis->res);
-}
-
-static void
-nis_res_set(struct irs_acc *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct nis_p *nis = (struct nis_p *)this->private;
-
- if (nis->res && nis->free_res) {
- res_nclose(nis->res);
- (*nis->free_res)(nis->res);
- }
-
- nis->res = res;
- nis->free_res = free_res;
-}
-
-static void
-nis_close(struct irs_acc *this) {
- struct nis_p *nis = (struct nis_p *)this->private;
-
- if (nis->res && nis->free_res)
- (*nis->free_res)(nis->res);
- free(nis->domain);
- memput(nis, sizeof *nis);
- memput(this, sizeof *this);
-}
-
-#endif /*WANT_IRS_NIS*/
diff --git a/contrib/bind9/lib/bind/irs/nis_gr.c b/contrib/bind9/lib/bind/irs/nis_gr.c
deleted file mode 100644
index e06861f0971f..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_gr.c
+++ /dev/null
@@ -1,353 +0,0 @@
-/*
- * Copyright (c) 1989, 1993, 1995
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
-/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
-/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(WANT_IRS_GR) || !defined(WANT_IRS_NIS)
-static int __bind_irs_gr_unneeded;
-#else
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <isc/memcluster.h>
-
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <errno.h>
-#include <grp.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <isc/memcluster.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "nis_p.h"
-
-/* Definitions */
-
-struct pvt {
- int needrewind;
- char * nis_domain;
- char * curkey_data;
- int curkey_len;
- char * curval_data;
- int curval_len;
- /*
- * Need space to store the entries read from the group file.
- * The members list also needs space per member, and the
- * strings making up the user names must be allocated
- * somewhere. Rather than doing lots of small allocations,
- * we keep one buffer and resize it as needed.
- */
- struct group group;
- size_t nmemb; /* Malloc'd max index of gr_mem[]. */
- char * membuf;
- size_t membufsize;
-};
-
-enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
-
-static /*const*/ char group_bygid[] = "group.bygid";
-static /*const*/ char group_byname[] = "group.byname";
-
-/* Forward */
-
-static void gr_close(struct irs_gr *);
-static struct group * gr_next(struct irs_gr *);
-static struct group * gr_byname(struct irs_gr *, const char *);
-static struct group * gr_bygid(struct irs_gr *, gid_t);
-static void gr_rewind(struct irs_gr *);
-static void gr_minimize(struct irs_gr *);
-
-static struct group * makegroupent(struct irs_gr *);
-static void nisfree(struct pvt *, enum do_what);
-
-/* Public */
-
-struct irs_gr *
-irs_nis_gr(struct irs_acc *this) {
- struct irs_gr *gr;
- struct pvt *pvt;
-
- if (!(gr = memget(sizeof *gr))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(gr, 0x5e, sizeof *gr);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(gr, sizeof *gr);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->needrewind = 1;
- pvt->nis_domain = ((struct nis_p *)this->private)->domain;
- gr->private = pvt;
- gr->close = gr_close;
- gr->next = gr_next;
- gr->byname = gr_byname;
- gr->bygid = gr_bygid;
- gr->rewind = gr_rewind;
- gr->list = make_group_list;
- gr->minimize = gr_minimize;
- gr->res_get = NULL;
- gr->res_set = NULL;
- return (gr);
-}
-
-/* Methods */
-
-static void
-gr_close(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->group.gr_mem)
- free(pvt->group.gr_mem);
- if (pvt->membuf)
- free(pvt->membuf);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct group *
-gr_next(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct group *rval;
- int r;
-
- do {
- if (pvt->needrewind) {
- nisfree(pvt, do_all);
- r = yp_first(pvt->nis_domain, group_byname,
- &pvt->curkey_data, &pvt->curkey_len,
- &pvt->curval_data, &pvt->curval_len);
- pvt->needrewind = 0;
- } else {
- char *newkey_data;
- int newkey_len;
-
- nisfree(pvt, do_val);
- r = yp_next(pvt->nis_domain, group_byname,
- pvt->curkey_data, pvt->curkey_len,
- &newkey_data, &newkey_len,
- &pvt->curval_data, &pvt->curval_len);
- nisfree(pvt, do_key);
- pvt->curkey_data = newkey_data;
- pvt->curkey_len = newkey_len;
- }
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- rval = makegroupent(this);
- } while (rval == NULL);
- return (rval);
-}
-
-static struct group *
-gr_byname(struct irs_gr *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- int r;
-
- nisfree(pvt, do_val);
- r = yp_match(pvt->nis_domain, group_byname, name, strlen(name),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- return (makegroupent(this));
-}
-
-static struct group *
-gr_bygid(struct irs_gr *this, gid_t gid) {
- struct pvt *pvt = (struct pvt *)this->private;
- char tmp[sizeof "4294967295"];
- int r;
-
- nisfree(pvt, do_val);
- (void) sprintf(tmp, "%u", (unsigned int)gid);
- r = yp_match(pvt->nis_domain, group_bygid, tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- return (makegroupent(this));
-}
-
-static void
-gr_rewind(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pvt->needrewind = 1;
-}
-
-static void
-gr_minimize(struct irs_gr *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-/* Private */
-
-static struct group *
-makegroupent(struct irs_gr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- unsigned int num_members = 0;
- char *cp, **new;
- u_long t;
-
- if (pvt->group.gr_mem) {
- free(pvt->group.gr_mem);
- pvt->group.gr_mem = NULL;
- pvt->nmemb = 0;
- }
- if (pvt->membuf)
- free(pvt->membuf);
- pvt->membuf = pvt->curval_data;
- pvt->curval_data = NULL;
-
- cp = pvt->membuf;
- pvt->group.gr_name = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->group.gr_passwd = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- errno = 0;
- t = strtoul(cp, NULL, 10);
- if (errno == ERANGE)
- goto cleanup;
- pvt->group.gr_gid = (gid_t) t;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- cp++;
-
- if (*cp && cp[strlen(cp)-1] == '\n')
- cp[strlen(cp)-1] = '\0';
-
- /*
- * Parse the members out.
- */
- while (*cp) {
- if (num_members+1 >= pvt->nmemb || pvt->group.gr_mem == NULL) {
- pvt->nmemb += 10;
- new = realloc(pvt->group.gr_mem,
- pvt->nmemb * sizeof(char *));
- if (new == NULL)
- goto cleanup;
- pvt->group.gr_mem = new;
- }
- pvt->group.gr_mem[num_members++] = cp;
- if (!(cp = strchr(cp, ',')))
- break;
- *cp++ = '\0';
- }
- if (pvt->group.gr_mem == NULL) {
- pvt->group.gr_mem = malloc(sizeof(char*));
- if (!pvt->group.gr_mem)
- goto cleanup;
- pvt->nmemb = 1;
- }
- pvt->group.gr_mem[num_members] = NULL;
-
- return (&pvt->group);
-
- cleanup:
- if (pvt->group.gr_mem) {
- free(pvt->group.gr_mem);
- pvt->group.gr_mem = NULL;
- pvt->nmemb = 0;
- }
- if (pvt->membuf) {
- free(pvt->membuf);
- pvt->membuf = NULL;
- }
- return (NULL);
-}
-
-static void
-nisfree(struct pvt *pvt, enum do_what do_what) {
- if ((do_what & do_key) && pvt->curkey_data) {
- free(pvt->curkey_data);
- pvt->curkey_data = NULL;
- }
- if ((do_what & do_val) && pvt->curval_data) {
- free(pvt->curval_data);
- pvt->curval_data = NULL;
- }
-}
-
-#endif /* WANT_IRS_GR && WANT_IRS_NIS */
diff --git a/contrib/bind9/lib/bind/irs/nis_ho.c b/contrib/bind9/lib/bind/irs/nis_ho.c
deleted file mode 100644
index 7f0b125b7bb7..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_ho.c
+++ /dev/null
@@ -1,533 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ho.c,v 1.2.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_NIS
-static int __bind_irs_nis_unneeded;
-#else
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef T_NULL
-#undef T_NULL /* Silence re-definition warning of T_NULL. */
-#endif
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "nis_p.h"
-
-/* Definitions */
-
-#define MAXALIASES 35
-#define MAXADDRS 35
-
-#if PACKETSZ > 1024
-#define MAXPACKET PACKETSZ
-#else
-#define MAXPACKET 1024
-#endif
-
-struct pvt {
- int needrewind;
- char * nis_domain;
- char * curkey_data;
- int curkey_len;
- char * curval_data;
- int curval_len;
- struct hostent host;
- char * h_addr_ptrs[MAXADDRS + 1];
- char * host_aliases[MAXALIASES + 1];
- char hostbuf[8*1024];
- u_char host_addr[16]; /* IPv4 or IPv6 */
- struct __res_state *res;
- void (*free_res)(void *);
-};
-
-enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
-
-static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
-static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
-static /*const*/ char hosts_byname[] = "hosts.byname";
-static /*const*/ char hosts_byaddr[] = "hosts.byaddr";
-static /*const*/ char ipnode_byname[] = "ipnode.byname";
-static /*const*/ char ipnode_byaddr[] = "ipnode.byaddr";
-static /*const*/ char yp_multi[] = "YP_MULTI_";
-
-/* Forwards */
-
-static void ho_close(struct irs_ho *this);
-static struct hostent * ho_byname(struct irs_ho *this, const char *name);
-static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
- int af);
-static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
- int len, int af);
-static struct hostent * ho_next(struct irs_ho *this);
-static void ho_rewind(struct irs_ho *this);
-static void ho_minimize(struct irs_ho *this);
-static struct __res_state * ho_res_get(struct irs_ho *this);
-static void ho_res_set(struct irs_ho *this,
- struct __res_state *res,
- void (*free_res)(void *));
-static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
- const struct addrinfo *pai);
-
-static struct hostent * makehostent(struct irs_ho *this);
-static void nisfree(struct pvt *, enum do_what);
-static int init(struct irs_ho *this);
-
-/* Public */
-
-struct irs_ho *
-irs_nis_ho(struct irs_acc *this) {
- struct irs_ho *ho;
- struct pvt *pvt;
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(ho = memget(sizeof *ho))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(ho, 0x5e, sizeof *ho);
- pvt->needrewind = 1;
- pvt->nis_domain = ((struct nis_p *)this->private)->domain;
- ho->private = pvt;
- ho->close = ho_close;
- ho->byname = ho_byname;
- ho->byname2 = ho_byname2;
- ho->byaddr = ho_byaddr;
- ho->next = ho_next;
- ho->rewind = ho_rewind;
- ho->minimize = ho_minimize;
- ho->res_set = ho_res_set;
- ho->res_get = ho_res_get;
- ho->addrinfo = ho_addrinfo;
- return (ho);
-}
-
-/* Methods */
-
-static void
-ho_close(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- ho_minimize(this);
- nisfree(pvt, do_all);
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct hostent *
-ho_byname(struct irs_ho *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *hp;
-
- if (init(this) == -1)
- return (NULL);
-
- if (pvt->res->options & RES_USE_INET6) {
- hp = ho_byname2(this, name, AF_INET6);
- if (hp)
- return (hp);
- }
- return (ho_byname2(this, name, AF_INET));
-}
-
-static struct hostent *
-ho_byname2(struct irs_ho *this, const char *name, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- int r;
- char *tmp;
-
- UNUSED(af);
-
- if (init(this) == -1)
- return (NULL);
-
- nisfree(pvt, do_val);
-
- strcpy(pvt->hostbuf, yp_multi);
- strncat(pvt->hostbuf, name, sizeof(pvt->hostbuf) - sizeof(yp_multi));
- pvt->hostbuf[sizeof(pvt->hostbuf) - 1] = '\0';
- for (r = sizeof(yp_multi) - 1; pvt->hostbuf[r] != '\0'; r++)
- if (isupper((unsigned char)pvt->hostbuf[r]))
- tolower(pvt->hostbuf[r]);
-
- tmp = pvt->hostbuf;
- r = yp_match(pvt->nis_domain, ipnode_byname, tmp,
- strlen(tmp), &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- tmp = pvt->hostbuf + sizeof(yp_multi) - 1;
- r = yp_match(pvt->nis_domain, ipnode_byname, tmp,
- strlen(tmp), &pvt->curval_data, &pvt->curval_len);
- }
- if (r != 0) {
- tmp = pvt->hostbuf;
- r = yp_match(pvt->nis_domain, hosts_byname, tmp,
- strlen(tmp), &pvt->curval_data, &pvt->curval_len);
- }
- if (r != 0) {
- tmp = pvt->hostbuf + sizeof(yp_multi) - 1;
- r = yp_match(pvt->nis_domain, hosts_byname, tmp,
- strlen(tmp), &pvt->curval_data, &pvt->curval_len);
- }
- if (r != 0) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- return (makehostent(this));
-}
-
-static struct hostent *
-ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
- const u_char *uaddr = addr;
- int r;
-
- if (init(this) == -1)
- return (NULL);
-
- if (af == AF_INET6 && len == IN6ADDRSZ &&
- (!memcmp(uaddr, mapped, sizeof mapped) ||
- !memcmp(uaddr, tunnelled, sizeof tunnelled))) {
- /* Unmap. */
- addr = (const u_char *)addr + sizeof mapped;
- uaddr += sizeof mapped;
- af = AF_INET;
- len = INADDRSZ;
- }
- if (inet_ntop(af, uaddr, tmp, sizeof tmp) == NULL) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- nisfree(pvt, do_val);
- r = yp_match(pvt->nis_domain, ipnode_byaddr, tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0)
- r = yp_match(pvt->nis_domain, hosts_byaddr, tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- return (makehostent(this));
-}
-
-static struct hostent *
-ho_next(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *rval;
- int r;
-
- if (init(this) == -1)
- return (NULL);
-
- do {
- if (pvt->needrewind) {
- nisfree(pvt, do_all);
- r = yp_first(pvt->nis_domain, hosts_byaddr,
- &pvt->curkey_data, &pvt->curkey_len,
- &pvt->curval_data, &pvt->curval_len);
- pvt->needrewind = 0;
- } else {
- char *newkey_data;
- int newkey_len;
-
- nisfree(pvt, do_val);
- r = yp_next(pvt->nis_domain, hosts_byaddr,
- pvt->curkey_data, pvt->curkey_len,
- &newkey_data, &newkey_len,
- &pvt->curval_data, &pvt->curval_len);
- nisfree(pvt, do_key);
- pvt->curkey_data = newkey_data;
- pvt->curkey_len = newkey_len;
- }
- if (r != 0) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- rval = makehostent(this);
- } while (rval == NULL);
- return (rval);
-}
-
-static void
-ho_rewind(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pvt->needrewind = 1;
-}
-
-static void
-ho_minimize(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res)
- res_nclose(pvt->res);
-}
-
-static struct __res_state *
-ho_res_get(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- ho_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-ho_res_set(struct irs_ho *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-}
-
-struct nis_res_target {
- struct nis_res_target *next;
- int family;
-};
-
-/* XXX */
-extern struct addrinfo *hostent2addrinfo __P((struct hostent *,
- const struct addrinfo *pai));
-
-static struct addrinfo *
-ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct hostent *hp;
- struct nis_res_target q, q2, *p;
- struct addrinfo sentinel, *cur;
-
- memset(&q, 0, sizeof(q2));
- memset(&q2, 0, sizeof(q2));
- memset(&sentinel, 0, sizeof(sentinel));
- cur = &sentinel;
-
- switch(pai->ai_family) {
- case AF_UNSPEC: /* INET6 then INET4 */
- q.family = AF_INET6;
- q.next = &q2;
- q2.family = AF_INET;
- break;
- case AF_INET6:
- q.family = AF_INET6;
- break;
- case AF_INET:
- q.family = AF_INET;
- break;
- default:
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* ??? */
- return(NULL);
- }
-
- for (p = &q; p; p = p->next) {
- struct addrinfo *ai;
-
- hp = (*this->byname2)(this, name, p->family);
- if (hp == NULL) {
- /* byname2 should've set an appropriate error */
- continue;
- }
- if ((hp->h_name == NULL) || (hp->h_name[0] == 0) ||
- (hp->h_addr_list[0] == NULL)) {
- RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
- continue;
- }
- ai = hostent2addrinfo(hp, pai);
- if (ai) {
- cur->ai_next = ai;
- while (cur && cur->ai_next)
- cur = cur->ai_next;
- }
- }
-
- if (sentinel.ai_next == NULL)
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
-
- return(sentinel.ai_next);
-}
-
-/* Private */
-
-/*
-ipnodes:
-::1 localhost
-127.0.0.1 localhost
-1.2.3.4 FOO bar
-1.2.6.4 FOO bar
-1.2.6.5 host
-
-ipnodes.byname:
-YP_MULTI_localhost ::1,127.0.0.1 localhost
-YP_MULTI_foo 1.2.3.4,1.2.6.4 FOO bar
-YP_MULTI_bar 1.2.3.4,1.2.6.4 FOO bar
-host 1.2.6.5 host
-
-hosts.byname:
-localhost 127.0.0.1 localhost
-host 1.2.6.5 host
-YP_MULTI_foo 1.2.3.4,1.2.6.4 FOO bar
-YP_MULTI_bar 1.2.3.4,1.2.6.4 FOO bar
-*/
-
-static struct hostent *
-makehostent(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- static const char spaces[] = " \t";
- char *cp, **q, *p, *comma, *ap;
- int af = 0, len = 0;
- int multi = 0;
- int addr = 0;
-
- p = pvt->curval_data;
- if ((cp = strpbrk(p, "#\n")) != NULL)
- *cp = '\0';
- if (!(cp = strpbrk(p, spaces)))
- return (NULL);
- *cp++ = '\0';
- ap = pvt->hostbuf;
- do {
- if ((comma = strchr(p, ',')) != NULL) {
- *comma++ = '\0';
- multi = 1;
- }
- if ((ap + IN6ADDRSZ) > (pvt->hostbuf + sizeof(pvt->hostbuf)))
- break;
- if ((pvt->res->options & RES_USE_INET6) &&
- inet_pton(AF_INET6, p, ap) > 0) {
- af = AF_INET6;
- len = IN6ADDRSZ;
- } else if (inet_pton(AF_INET, p, pvt->host_addr) > 0) {
- if (pvt->res->options & RES_USE_INET6) {
- map_v4v6_address((char*)pvt->host_addr, ap);
- af = AF_INET6;
- len = IN6ADDRSZ;
- } else {
- af = AF_INET;
- len = INADDRSZ;
- }
- } else {
- if (!multi)
- return (NULL);
- continue;
- }
- if (addr < MAXADDRS) {
- pvt->h_addr_ptrs[addr++] = ap;
- pvt->h_addr_ptrs[addr] = NULL;
- ap += len;
- }
- } while ((p = comma) != NULL);
- if (ap == pvt->hostbuf)
- return (NULL);
- pvt->host.h_addr_list = pvt->h_addr_ptrs;
- pvt->host.h_length = len;
- pvt->host.h_addrtype = af;
- cp += strspn(cp, spaces);
- pvt->host.h_name = cp;
- q = pvt->host.h_aliases = pvt->host_aliases;
- if ((cp = strpbrk(cp, spaces)) != NULL)
- *cp++ = '\0';
- while (cp && *cp) {
- if (*cp == ' ' || *cp == '\t') {
- cp++;
- continue;
- }
- if (q < &pvt->host_aliases[MAXALIASES])
- *q++ = cp;
- if ((cp = strpbrk(cp, spaces)) != NULL)
- *cp++ = '\0';
- }
- *q = NULL;
- RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
- return (&pvt->host);
-}
-
-static void
-nisfree(struct pvt *pvt, enum do_what do_what) {
- if ((do_what & do_key) && pvt->curkey_data) {
- free(pvt->curkey_data);
- pvt->curkey_data = NULL;
- }
- if ((do_what & do_val) && pvt->curval_data) {
- free(pvt->curval_data);
- pvt->curval_data = NULL;
- }
-}
-
-static int
-init(struct irs_ho *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !ho_res_get(this))
- return (-1);
- if (((pvt->res->options & RES_INIT) == 0) &&
- res_ninit(pvt->res) == -1)
- return (-1);
- return (0);
-}
-#endif /*WANT_IRS_NIS*/
diff --git a/contrib/bind9/lib/bind/irs/nis_ng.c b/contrib/bind9/lib/bind/irs/nis_ng.c
deleted file mode 100644
index 4ee700c500f2..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_ng.c
+++ /dev/null
@@ -1,302 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_ng.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_NIS
-static int __bind_irs_nis_unneeded;
-#else
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <isc/assertions.h>
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <netinet/in.h>
-#ifdef T_NULL
-#undef T_NULL /* Silence re-definition warning of T_NULL. */
-#endif
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "nis_p.h"
-
-/* Definitions */
-
-struct tmpgrp {
- const char * name;
- const char * host;
- const char * user;
- const char * domain;
- struct tmpgrp * next;
-};
-
-struct pvt {
- char * nis_domain;
- struct tmpgrp * tmp;
- struct tmpgrp * cur;
- char * tmpgroup;
-};
-
-enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
-
-static /*const*/ char netgroup_map[] = "netgroup";
-
-/* Forward */
-
-static void ng_close(struct irs_ng *);
-static int ng_next(struct irs_ng *, const char **,
- const char **, const char **);
-static int ng_test(struct irs_ng *,
- const char *, const char *,
- const char *, const char *);
-static void ng_rewind(struct irs_ng *, const char *);
-static void ng_minimize(struct irs_ng *);
-
-static void add_group_to_list(struct pvt *, const char *, int);
-static void add_tuple_to_list(struct pvt *, const char *, char *);
-static void tmpfree(struct pvt *);
-
-/* Public */
-
-struct irs_ng *
-irs_nis_ng(struct irs_acc *this) {
- struct irs_ng *ng;
- struct pvt *pvt;
-
- if (!(ng = memget(sizeof *ng))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(ng, 0x5e, sizeof *ng);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(ng, sizeof *ng);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->nis_domain = ((struct nis_p *)this->private)->domain;
- ng->private = pvt;
- ng->close = ng_close;
- ng->next = ng_next;
- ng->test = ng_test;
- ng->rewind = ng_rewind;
- ng->minimize = ng_minimize;
- return (ng);
-}
-
-/* Methods */
-
-static void
-ng_close(struct irs_ng *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- tmpfree(pvt);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static int
-ng_next(struct irs_ng *this, const char **host, const char **user, const char **domain) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->cur)
- return (0);
- *host = pvt->cur->host;
- *user = pvt->cur->user;
- *domain = pvt->cur->domain;
- pvt->cur = pvt->cur->next;
- return (1);
-}
-
-static int
-ng_test(struct irs_ng *this, const char *name,
- const char *host, const char *user, const char *domain)
-{
- struct pvt *pvt = (struct pvt *)this->private;
- struct tmpgrp *cur;
-
- tmpfree(pvt);
- add_group_to_list(pvt, name, strlen(name));
- for (cur = pvt->tmp; cur; cur = cur->next) {
- if ((!host || !cur->host || !strcmp(host, cur->host)) &&
- (!user || !cur->user || !strcmp(user, cur->user)) &&
- (!domain || !cur->domain || !strcmp(domain, cur->domain)))
- break;
- }
- tmpfree(pvt);
- return ((cur == NULL) ? 0 : 1);
-}
-
-static void
-ng_rewind(struct irs_ng *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- /* Either hand back or free the existing list. */
- if (pvt->tmpgroup) {
- if (pvt->tmp && !strcmp(pvt->tmpgroup, name))
- goto reset;
- tmpfree(pvt);
- }
- pvt->tmpgroup = strdup(name);
- add_group_to_list(pvt, name, strlen(name));
- reset:
- pvt->cur = pvt->tmp;
-}
-
-static void
-ng_minimize(struct irs_ng *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-/* Private */
-
-static void
-add_group_to_list(struct pvt *pvt, const char *name, int len) {
- char *vdata, *cp, *np;
- struct tmpgrp *tmp;
- int vlen, r;
- char *nametmp;
-
- /* Don't add the same group to the list more than once. */
- for (tmp = pvt->tmp; tmp; tmp = tmp->next)
- if (!strcmp(tmp->name, name))
- return;
-
- DE_CONST(name, nametmp);
- r = yp_match(pvt->nis_domain, netgroup_map, nametmp, len,
- &vdata, &vlen);
- if (r == 0) {
- cp = vdata;
- if (*cp && cp[strlen(cp)-1] == '\n')
- cp[strlen(cp)-1] = '\0';
- for ( ; cp; cp = np) {
- np = strchr(cp, ' ');
- if (np)
- *np++ = '\0';
- if (*cp == '(')
- add_tuple_to_list(pvt, name, cp);
- else
- add_group_to_list(pvt, cp, strlen(cp));
- }
- free(vdata);
- }
-}
-
-static void
-add_tuple_to_list(struct pvt *pvt, const char *name, char *cp) {
- struct tmpgrp *tmp;
- char *tp, *np;
-
- INSIST(*cp++ == '(');
-
- tmp = malloc(sizeof *tmp + strlen(name) + sizeof '\0' +
- strlen(cp) - sizeof ')');
- if (!tmp)
- return;
- memset(tmp, 0, sizeof *tmp);
- tp = ((char *)tmp) + sizeof *tmp;
-
- /* Name */
- strcpy(tp, name);
- tmp->name = tp;
- tp += strlen(tp) + 1;
-
- /* Host */
- if (!(np = strchr(cp, ',')))
- goto cleanup;
- *np++ = '\0';
- strcpy(tp, cp);
- tmp->host = tp;
- tp += strlen(tp) + 1;
- cp = np;
-
- /* User */
- if (!(np = strchr(cp, ',')))
- goto cleanup;
- *np++ = '\0';
- strcpy(tp, cp);
- tmp->user = tp;
- tp += strlen(tp) + 1;
- cp = np;
-
- /* Domain */
- if (!(np = strchr(cp, ')')))
- goto cleanup;
- *np++ = '\0';
- strcpy(tp, cp);
- tmp->domain = tp;
-
- /*
- * Empty string in file means wildcard, but
- * NULL string in return value means wildcard.
- */
- if (!*tmp->host)
- tmp->host = NULL;
- if (!*tmp->user)
- tmp->user = NULL;
- if (!*tmp->domain)
- tmp->domain = NULL;
-
- /* Add to list (LIFO). */
- tmp->next = pvt->tmp;
- pvt->tmp = tmp;
- return;
-
- cleanup:
- free(tmp);
-}
-
-static void
-tmpfree(struct pvt *pvt) {
- struct tmpgrp *cur, *next;
-
- if (pvt->tmpgroup) {
- free(pvt->tmpgroup);
- pvt->tmpgroup = NULL;
- }
- for (cur = pvt->tmp; cur; cur = next) {
- next = cur->next;
- free(cur);
- }
- pvt->tmp = NULL;
-}
-
-#endif /*WANT_IRS_NIS*/
diff --git a/contrib/bind9/lib/bind/irs/nis_nw.c b/contrib/bind9/lib/bind/irs/nis_nw.c
deleted file mode 100644
index 669b29d49eb8..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_nw.c
+++ /dev/null
@@ -1,383 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_nw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_NIS
-static int __bind_irs_nis_unneeded;
-#else
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef T_NULL
-#undef T_NULL /* Silence re-definition warning of T_NULL. */
-#endif
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "nis_p.h"
-
-/* Definitions */
-
-#define MAXALIASES 35
-#define MAXADDRSIZE 4
-
-struct pvt {
- int needrewind;
- char * nis_domain;
- char * curkey_data;
- int curkey_len;
- char * curval_data;
- int curval_len;
-
- struct nwent nwent;
- char * nwbuf;
-
- char * aliases[MAXALIASES + 1];
- u_char addr[MAXADDRSIZE];
-
- struct __res_state * res;
- void (*free_res)(void *);
-};
-
-enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
-
-static /*const*/ char networks_byname[] = "networks.byname";
-static /*const*/ char networks_byaddr[] = "networks.byaddr";
-
-/* Forward */
-
-static void nw_close(struct irs_nw *);
-static struct nwent * nw_byname(struct irs_nw *, const char *, int);
-static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
-static struct nwent * nw_next(struct irs_nw *);
-static void nw_rewind(struct irs_nw *);
-static void nw_minimize(struct irs_nw *);
-static struct __res_state * nw_res_get(struct irs_nw *this);
-static void nw_res_set(struct irs_nw *this,
- struct __res_state *res,
- void (*free_res)(void *));
-
-static struct nwent * makenwent(struct irs_nw *this);
-static void nisfree(struct pvt *, enum do_what);
-static int init(struct irs_nw *this);
-
-/* Public */
-
-struct irs_nw *
-irs_nis_nw(struct irs_acc *this) {
- struct irs_nw *nw;
- struct pvt *pvt;
-
- if (!(pvt = memget(sizeof *pvt))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- if (!(nw = memget(sizeof *nw))) {
- memput(pvt, sizeof *pvt);
- errno = ENOMEM;
- return (NULL);
- }
- memset(nw, 0x5e, sizeof *nw);
- pvt->needrewind = 1;
- pvt->nis_domain = ((struct nis_p *)this->private)->domain;
- nw->private = pvt;
- nw->close = nw_close;
- nw->byname = nw_byname;
- nw->byaddr = nw_byaddr;
- nw->next = nw_next;
- nw->rewind = nw_rewind;
- nw->minimize = nw_minimize;
- nw->res_get = nw_res_get;
- nw->res_set = nw_res_set;
- return (nw);
-}
-
-/* Methods */
-
-static void
-nw_close(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- nw_minimize(this);
- if (pvt->res && pvt->free_res)
- (*pvt->free_res)(pvt->res);
- if (pvt->nwbuf)
- free(pvt->nwbuf);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct nwent *
-nw_byaddr(struct irs_nw *this, void *net, int length, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- char tmp[sizeof "255.255.255.255/32"], *t;
- int r;
-
- if (init(this) == -1)
- return (NULL);
-
- if (af != AF_INET) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = EAFNOSUPPORT;
- return (NULL);
- }
- nisfree(pvt, do_val);
- /* Try it with /CIDR first. */
- if (inet_net_ntop(AF_INET, net, length, tmp, sizeof tmp) == NULL) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- return (NULL);
- }
- r = yp_match(pvt->nis_domain, networks_byaddr, tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- /* Give it a shot without the /CIDR. */
- if ((t = strchr(tmp, '/')) != NULL) {
- *t = '\0';
- r = yp_match(pvt->nis_domain, networks_byaddr,
- tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- }
- if (r != 0) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- }
- return (makenwent(this));
-}
-
-static struct nwent *
-nw_byname(struct irs_nw *this, const char *name, int af) {
- struct pvt *pvt = (struct pvt *)this->private;
- int r;
- char *tmp;
-
- if (init(this) == -1)
- return (NULL);
-
- if (af != AF_INET) {
- RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
- errno = EAFNOSUPPORT;
- return (NULL);
- }
- nisfree(pvt, do_val);
- DE_CONST(name, tmp);
- r = yp_match(pvt->nis_domain, networks_byname, tmp,
- strlen(tmp), &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- return (makenwent(this));
-}
-
-static void
-nw_rewind(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pvt->needrewind = 1;
-}
-
-static struct nwent *
-nw_next(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct nwent *rval;
- int r;
-
- if (init(this) == -1)
- return (NULL);
-
- do {
- if (pvt->needrewind) {
- nisfree(pvt, do_all);
- r = yp_first(pvt->nis_domain, networks_byaddr,
- &pvt->curkey_data, &pvt->curkey_len,
- &pvt->curval_data, &pvt->curval_len);
- pvt->needrewind = 0;
- } else {
- char *newkey_data;
- int newkey_len;
-
- nisfree(pvt, do_val);
- r = yp_next(pvt->nis_domain, networks_byaddr,
- pvt->curkey_data, pvt->curkey_len,
- &newkey_data, &newkey_len,
- &pvt->curval_data, &pvt->curval_len);
- nisfree(pvt, do_key);
- pvt->curkey_data = newkey_data;
- pvt->curkey_len = newkey_len;
- }
- if (r != 0) {
- RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
- return (NULL);
- }
- rval = makenwent(this);
- } while (rval == NULL);
- return (rval);
-}
-
-static void
-nw_minimize(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res)
- res_nclose(pvt->res);
-}
-
-static struct __res_state *
-nw_res_get(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res) {
- struct __res_state *res;
- res = (struct __res_state *)malloc(sizeof *res);
- if (!res) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(res, 0, sizeof *res);
- nw_res_set(this, res, free);
- }
-
- return (pvt->res);
-}
-
-static void
-nw_res_set(struct irs_nw *this, struct __res_state *res,
- void (*free_res)(void *)) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->res && pvt->free_res) {
- res_nclose(pvt->res);
- (*pvt->free_res)(pvt->res);
- }
-
- pvt->res = res;
- pvt->free_res = free_res;
-}
-
-/* Private */
-
-static struct nwent *
-makenwent(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- static const char spaces[] = " \t";
- char *t, *cp, **ap;
-
- if (pvt->nwbuf)
- free(pvt->nwbuf);
- pvt->nwbuf = pvt->curval_data;
- pvt->curval_data = NULL;
-
- if ((cp = strpbrk(pvt->nwbuf, "#\n")) != NULL)
- *cp = '\0';
- cp = pvt->nwbuf;
-
- /* Name */
- pvt->nwent.n_name = cp;
- cp += strcspn(cp, spaces);
- if (!*cp)
- goto cleanup;
- *cp++ = '\0';
- cp += strspn(cp, spaces);
-
- /* Network */
- pvt->nwent.n_addrtype = AF_INET;
- t = cp + strcspn(cp, spaces);
- if (*t)
- *t++ = '\0';
- pvt->nwent.n_length = inet_net_pton(AF_INET, cp,
- pvt->addr, sizeof pvt->addr);
- if (pvt->nwent.n_length < 0)
- goto cleanup;
- pvt->nwent.n_addr = pvt->addr;
- cp = t;
-
- /* Aliases */
- ap = pvt->nwent.n_aliases = pvt->aliases;
- while (*cp) {
- if (ap >= &pvt->aliases[MAXALIASES])
- break;
- *ap++ = cp;
- cp += strcspn(cp, spaces);
- if (!*cp)
- break;
- *cp++ = '\0';
- cp += strspn(cp, spaces);
- }
- *ap = NULL;
-
- return (&pvt->nwent);
-
- cleanup:
- if (pvt->nwbuf) {
- free(pvt->nwbuf);
- pvt->nwbuf = NULL;
- }
- return (NULL);
-}
-
-static void
-nisfree(struct pvt *pvt, enum do_what do_what) {
- if ((do_what & do_key) && pvt->curkey_data) {
- free(pvt->curkey_data);
- pvt->curkey_data = NULL;
- }
- if ((do_what & do_val) && pvt->curval_data) {
- free(pvt->curval_data);
- pvt->curval_data = NULL;
- }
-}
-
-static int
-init(struct irs_nw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (!pvt->res && !nw_res_get(this))
- return (-1);
- if (((pvt->res->options & RES_INIT) == 0) &&
- res_ninit(pvt->res) == -1)
- return (-1);
- return (0);
-}
-
-#endif /*WANT_IRS_NIS*/
diff --git a/contrib/bind9/lib/bind/irs/nis_p.h b/contrib/bind9/lib/bind/irs/nis_p.h
deleted file mode 100644
index 95f5851a36ac..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_p.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: nis_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
- */
-
-/*
- * nis_p.h - private include file for the NIS functions.
- */
-
-/*
- * Object state.
- */
-struct nis_p {
- char * domain;
- struct __res_state * res;
- void (*free_res) __P((void *));
-};
-
-
-/*
- * Methods.
- */
-
-extern struct irs_gr * irs_nis_gr __P((struct irs_acc *));
-extern struct irs_pw * irs_nis_pw __P((struct irs_acc *));
-extern struct irs_sv * irs_nis_sv __P((struct irs_acc *));
-extern struct irs_pr * irs_nis_pr __P((struct irs_acc *));
-extern struct irs_ho * irs_nis_ho __P((struct irs_acc *));
-extern struct irs_nw * irs_nis_nw __P((struct irs_acc *));
-extern struct irs_ng * irs_nis_ng __P((struct irs_acc *));
diff --git a/contrib/bind9/lib/bind/irs/nis_pr.c b/contrib/bind9/lib/bind/irs/nis_pr.c
deleted file mode 100644
index 8173f3efe175..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_pr.c
+++ /dev/null
@@ -1,300 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pr.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_NIS
-static int __bind_irs_nis_unneeded;
-#else
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#ifdef T_NULL
-#undef T_NULL /* Silence re-definition warning of T_NULL. */
-#endif
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <errno.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "nis_p.h"
-
-/* Definitions */
-
-struct pvt {
- int needrewind;
- char * nis_domain;
- char * curkey_data;
- int curkey_len;
- char * curval_data;
- int curval_len;
- struct protoent proto;
- char * prbuf;
-};
-
-enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
-
-static /*const*/ char protocols_byname[] = "protocols.byname";
-static /*const*/ char protocols_bynumber[] = "protocols.bynumber";
-
-/* Forward */
-
-static void pr_close(struct irs_pr *);
-static struct protoent * pr_byname(struct irs_pr *, const char *);
-static struct protoent * pr_bynumber(struct irs_pr *, int);
-static struct protoent * pr_next(struct irs_pr *);
-static void pr_rewind(struct irs_pr *);
-static void pr_minimize(struct irs_pr *);
-
-static struct protoent * makeprotoent(struct irs_pr *this);
-static void nisfree(struct pvt *, enum do_what);
-
-/* Public */
-
-struct irs_pr *
-irs_nis_pr(struct irs_acc *this) {
- struct irs_pr *pr;
- struct pvt *pvt;
-
- if (!(pr = memget(sizeof *pr))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pr, 0x5e, sizeof *pr);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(pr, sizeof *pr);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->needrewind = 1;
- pvt->nis_domain = ((struct nis_p *)this->private)->domain;
- pr->private = pvt;
- pr->byname = pr_byname;
- pr->bynumber = pr_bynumber;
- pr->next = pr_next;
- pr->rewind = pr_rewind;
- pr->close = pr_close;
- pr->minimize = pr_minimize;
- pr->res_get = NULL;
- pr->res_set = NULL;
- return (pr);
-}
-
-/* Methods. */
-
-static void
-pr_close(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- nisfree(pvt, do_all);
- if (pvt->proto.p_aliases)
- free(pvt->proto.p_aliases);
- if (pvt->prbuf)
- free(pvt->prbuf);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct protoent *
-pr_byname(struct irs_pr *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- int r;
- char *tmp;
-
- nisfree(pvt, do_val);
- DE_CONST(name, tmp);
- r = yp_match(pvt->nis_domain, protocols_byname, tmp,
- strlen(tmp), &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- return (makeprotoent(this));
-}
-
-static struct protoent *
-pr_bynumber(struct irs_pr *this, int num) {
- struct pvt *pvt = (struct pvt *)this->private;
- char tmp[sizeof "-4294967295"];
- int r;
-
- nisfree(pvt, do_val);
- (void) sprintf(tmp, "%d", num);
- r = yp_match(pvt->nis_domain, protocols_bynumber, tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- return (makeprotoent(this));
-}
-
-static struct protoent *
-pr_next(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct protoent *rval;
- int r;
-
- do {
- if (pvt->needrewind) {
- nisfree(pvt, do_all);
- r = yp_first(pvt->nis_domain, protocols_bynumber,
- &pvt->curkey_data, &pvt->curkey_len,
- &pvt->curval_data, &pvt->curval_len);
- pvt->needrewind = 0;
- } else {
- char *newkey_data;
- int newkey_len;
-
- nisfree(pvt, do_val);
- r = yp_next(pvt->nis_domain, protocols_bynumber,
- pvt->curkey_data, pvt->curkey_len,
- &newkey_data, &newkey_len,
- &pvt->curval_data, &pvt->curval_len);
- nisfree(pvt, do_key);
- pvt->curkey_data = newkey_data;
- pvt->curkey_len = newkey_len;
- }
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- rval = makeprotoent(this);
- } while (rval == NULL);
- return (rval);
-}
-
-static void
-pr_rewind(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pvt->needrewind = 1;
-}
-
-static void
-pr_minimize(struct irs_pr *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-/* Private */
-
-static struct protoent *
-makeprotoent(struct irs_pr *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *p, **t;
- int n, m;
-
- if (pvt->prbuf)
- free(pvt->prbuf);
- pvt->prbuf = pvt->curval_data;
- pvt->curval_data = NULL;
-
- for (p = pvt->prbuf; *p && *p != '#';)
- p++;
- while (p > pvt->prbuf && isspace((unsigned char)(p[-1])))
- p--;
- *p = '\0';
-
- p = pvt->prbuf;
- n = m = 0;
-
- pvt->proto.p_name = p;
- while (*p && !isspace((unsigned char)*p))
- p++;
- if (!*p)
- return (NULL);
- *p++ = '\0';
-
- while (*p && isspace((unsigned char)*p))
- p++;
- pvt->proto.p_proto = atoi(p);
- while (*p && !isspace((unsigned char)*p))
- p++;
- *p++ = '\0';
-
- while (*p) {
- if ((n + 1) >= m || !pvt->proto.p_aliases) {
- m += 10;
- t = realloc(pvt->proto.p_aliases,
- m * sizeof(char *));
- if (!t) {
- errno = ENOMEM;
- goto cleanup;
- }
- pvt->proto.p_aliases = t;
- }
- pvt->proto.p_aliases[n++] = p;
- while (*p && !isspace((unsigned char)*p))
- p++;
- if (*p)
- *p++ = '\0';
- }
- if (!pvt->proto.p_aliases)
- pvt->proto.p_aliases = malloc(sizeof(char *));
- if (!pvt->proto.p_aliases)
- goto cleanup;
- pvt->proto.p_aliases[n] = NULL;
- return (&pvt->proto);
-
- cleanup:
- if (pvt->proto.p_aliases) {
- free(pvt->proto.p_aliases);
- pvt->proto.p_aliases = NULL;
- }
- if (pvt->prbuf) {
- free(pvt->prbuf);
- pvt->prbuf = NULL;
- }
- return (NULL);
-}
-
-static void
-nisfree(struct pvt *pvt, enum do_what do_what) {
- if ((do_what & do_key) && pvt->curkey_data) {
- free(pvt->curkey_data);
- pvt->curkey_data = NULL;
- }
- if ((do_what & do_val) && pvt->curval_data) {
- free(pvt->curval_data);
- pvt->curval_data = NULL;
- }
-}
-
-#endif /*WANT_IRS_NIS*/
diff --git a/contrib/bind9/lib/bind/irs/nis_pw.c b/contrib/bind9/lib/bind/irs/nis_pw.c
deleted file mode 100644
index 889d97ff771b..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_pw.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_pw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#if !defined(WANT_IRS_PW) || !defined(WANT_IRS_NIS)
-static int __bind_irs_pw_unneeded;
-#else
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <isc/memcluster.h>
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <isc/memcluster.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "nis_p.h"
-
-/* Definitions */
-
-struct pvt {
- int needrewind;
- char * nis_domain;
- char * curkey_data;
- int curkey_len;
- char * curval_data;
- int curval_len;
- struct passwd passwd;
- char * pwbuf;
-};
-
-enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
-
-static /*const*/ char passwd_byname[] = "passwd.byname";
-static /*const*/ char passwd_byuid[] = "passwd.byuid";
-
-/* Forward */
-
-static void pw_close(struct irs_pw *);
-static struct passwd * pw_next(struct irs_pw *);
-static struct passwd * pw_byname(struct irs_pw *, const char *);
-static struct passwd * pw_byuid(struct irs_pw *, uid_t);
-static void pw_rewind(struct irs_pw *);
-static void pw_minimize(struct irs_pw *);
-
-static struct passwd * makepasswdent(struct irs_pw *);
-static void nisfree(struct pvt *, enum do_what);
-
-/* Public */
-
-struct irs_pw *
-irs_nis_pw(struct irs_acc *this) {
- struct irs_pw *pw;
- struct pvt *pvt;
-
- if (!(pw = memget(sizeof *pw))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(pw, 0x5e, sizeof *pw);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(pw, sizeof *pw);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->needrewind = 1;
- pvt->nis_domain = ((struct nis_p *)this->private)->domain;
- pw->private = pvt;
- pw->close = pw_close;
- pw->next = pw_next;
- pw->byname = pw_byname;
- pw->byuid = pw_byuid;
- pw->rewind = pw_rewind;
- pw->minimize = pw_minimize;
- pw->res_get = NULL;
- pw->res_set = NULL;
- return (pw);
-}
-
-/* Methods */
-
-static void
-pw_close(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- if (pvt->pwbuf)
- free(pvt->pwbuf);
- nisfree(pvt, do_all);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct passwd *
-pw_next(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct passwd *rval;
- int r;
-
- do {
- if (pvt->needrewind) {
- nisfree(pvt, do_all);
- r = yp_first(pvt->nis_domain, passwd_byname,
- &pvt->curkey_data, &pvt->curkey_len,
- &pvt->curval_data, &pvt->curval_len);
- pvt->needrewind = 0;
- } else {
- char *newkey_data;
- int newkey_len;
-
- nisfree(pvt, do_val);
- r = yp_next(pvt->nis_domain, passwd_byname,
- pvt->curkey_data, pvt->curkey_len,
- &newkey_data, &newkey_len,
- &pvt->curval_data, &pvt->curval_len);
- nisfree(pvt, do_key);
- pvt->curkey_data = newkey_data;
- pvt->curkey_len = newkey_len;
- }
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- rval = makepasswdent(this);
- } while (rval == NULL);
- return (rval);
-}
-
-static struct passwd *
-pw_byname(struct irs_pw *this, const char *name) {
- struct pvt *pvt = (struct pvt *)this->private;
- int r;
- char *tmp;
-
- nisfree(pvt, do_val);
- DE_CONST(name, tmp);
- r = yp_match(pvt->nis_domain, passwd_byname, tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- return (makepasswdent(this));
-}
-
-static struct passwd *
-pw_byuid(struct irs_pw *this, uid_t uid) {
- struct pvt *pvt = (struct pvt *)this->private;
- char tmp[sizeof "4294967295"];
- int r;
-
- nisfree(pvt, do_val);
- (void) sprintf(tmp, "%u", (unsigned int)uid);
- r = yp_match(pvt->nis_domain, passwd_byuid, tmp, strlen(tmp),
- &pvt->curval_data, &pvt->curval_len);
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- return (makepasswdent(this));
-}
-
-static void
-pw_rewind(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pvt->needrewind = 1;
-}
-
-static void
-pw_minimize(struct irs_pw *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-/* Private */
-
-static struct passwd *
-makepasswdent(struct irs_pw *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- char *cp;
-
- memset(&pvt->passwd, 0, sizeof pvt->passwd);
- if (pvt->pwbuf)
- free(pvt->pwbuf);
- pvt->pwbuf = pvt->curval_data;
- pvt->curval_data = NULL;
-
- cp = pvt->pwbuf;
- pvt->passwd.pw_name = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
-#ifdef HAS_PW_CLASS
- pvt->passwd.pw_class = cp; /* Needs to point at a \0. */
-#endif
- *cp++ = '\0';
-
- pvt->passwd.pw_passwd = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_uid = atoi(cp);
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_gid = atoi(cp);
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_gecos = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_dir = cp;
- if (!(cp = strchr(cp, ':')))
- goto cleanup;
- *cp++ = '\0';
-
- pvt->passwd.pw_shell = cp;
-
- if ((cp = strchr(cp, '\n')) != NULL)
- *cp = '\0';
-
- return (&pvt->passwd);
-
- cleanup:
- free(pvt->pwbuf);
- pvt->pwbuf = NULL;
- return (NULL);
-}
-
-static void
-nisfree(struct pvt *pvt, enum do_what do_what) {
- if ((do_what & do_key) && pvt->curkey_data) {
- free(pvt->curkey_data);
- pvt->curkey_data = NULL;
- }
- if ((do_what & do_val) && pvt->curval_data) {
- free(pvt->curval_data);
- pvt->curval_data = NULL;
- }
-}
-
-#endif /* WANT_IRS_PW && WANT_IRS_NIS */
diff --git a/contrib/bind9/lib/bind/irs/nis_sv.c b/contrib/bind9/lib/bind/irs/nis_sv.c
deleted file mode 100644
index b8c1c6b38d29..000000000000
--- a/contrib/bind9/lib/bind/irs/nis_sv.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nis_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/* Imports */
-
-#include "port_before.h"
-
-#ifndef WANT_IRS_NIS
-static int __bind_irs_nis_unneeded;
-#else
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#include <sys/socket.h>
-#ifdef T_NULL
-#undef T_NULL /* Silence re-definition warning of T_NULL. */
-#endif
-#include <rpc/rpc.h>
-#include <rpc/xdr.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/memcluster.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "nis_p.h"
-
-/* Definitions */
-
-struct pvt {
- int needrewind;
- char * nis_domain;
- char * curkey_data;
- int curkey_len;
- char * curval_data;
- int curval_len;
- char line[BUFSIZ+1];
- struct servent serv;
- char * svbuf;
-};
-
-enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
-
-static /*const*/ char services_byname[] = "services.byname";
-
-/* Forward */
-
-static void sv_close(struct irs_sv*);
-static struct servent * sv_next(struct irs_sv *);
-static struct servent * sv_byname(struct irs_sv *, const char *,
- const char *);
-static struct servent * sv_byport(struct irs_sv *, int, const char *);
-static void sv_rewind(struct irs_sv *);
-static void sv_minimize(struct irs_sv *);
-
-static struct servent * makeservent(struct irs_sv *this);
-static void nisfree(struct pvt *, enum do_what);
-
-/* Public */
-
-struct irs_sv *
-irs_nis_sv(struct irs_acc *this) {
- struct irs_sv *sv;
- struct pvt *pvt;
-
- if (!(sv = memget(sizeof *sv))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(sv, 0x5e, sizeof *sv);
- if (!(pvt = memget(sizeof *pvt))) {
- memput(sv, sizeof *sv);
- errno = ENOMEM;
- return (NULL);
- }
- memset(pvt, 0, sizeof *pvt);
- pvt->needrewind = 1;
- pvt->nis_domain = ((struct nis_p *)this->private)->domain;
- sv->private = pvt;
- sv->close = sv_close;
- sv->next = sv_next;
- sv->byname = sv_byname;
- sv->byport = sv_byport;
- sv->rewind = sv_rewind;
- sv->minimize = sv_minimize;
- sv->res_get = NULL;
- sv->res_set = NULL;
- return (sv);
-}
-
-/* Methods */
-
-static void
-sv_close(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- nisfree(pvt, do_all);
- if (pvt->serv.s_aliases)
- free(pvt->serv.s_aliases);
- if (pvt->svbuf)
- free(pvt->svbuf);
- memput(pvt, sizeof *pvt);
- memput(this, sizeof *this);
-}
-
-static struct servent *
-sv_byname(struct irs_sv *this, const char *name, const char *proto) {
- struct servent *serv;
- char **sap;
-
- sv_rewind(this);
- while ((serv = sv_next(this)) != NULL) {
- if (proto != NULL && strcmp(proto, serv->s_proto))
- continue;
- if (!strcmp(name, serv->s_name))
- break;
- for (sap = serv->s_aliases; sap && *sap; sap++)
- if (!strcmp(name, *sap))
- break;
- }
- return (serv);
-}
-
-static struct servent *
-sv_byport(struct irs_sv *this, int port, const char *proto) {
- struct servent *serv;
-
- sv_rewind(this);
- while ((serv = sv_next(this)) != NULL) {
- if (proto != NULL && strcmp(proto, serv->s_proto))
- continue;
- if (serv->s_port == port)
- break;
- }
- return (serv);
-}
-
-static void
-sv_rewind(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
-
- pvt->needrewind = 1;
-}
-
-static struct servent *
-sv_next(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- struct servent *rval;
- int r;
-
- do {
- if (pvt->needrewind) {
- nisfree(pvt, do_all);
- r = yp_first(pvt->nis_domain, services_byname,
- &pvt->curkey_data, &pvt->curkey_len,
- &pvt->curval_data, &pvt->curval_len);
- pvt->needrewind = 0;
- } else {
- char *newkey_data;
- int newkey_len;
-
- nisfree(pvt, do_val);
- r = yp_next(pvt->nis_domain, services_byname,
- pvt->curkey_data, pvt->curkey_len,
- &newkey_data, &newkey_len,
- &pvt->curval_data, &pvt->curval_len);
- nisfree(pvt, do_key);
- pvt->curkey_data = newkey_data;
- pvt->curkey_len = newkey_len;
- }
- if (r != 0) {
- errno = ENOENT;
- return (NULL);
- }
- rval = makeservent(this);
- } while (rval == NULL);
- return (rval);
-}
-
-static void
-sv_minimize(struct irs_sv *this) {
- UNUSED(this);
- /* NOOP */
-}
-
-/* Private */
-
-static struct servent *
-makeservent(struct irs_sv *this) {
- struct pvt *pvt = (struct pvt *)this->private;
- static const char spaces[] = " \t";
- char *p, **t;
- int n, m;
-
- if (pvt->svbuf)
- free(pvt->svbuf);
- pvt->svbuf = pvt->curval_data;
- pvt->curval_data = NULL;
-
- if (pvt->serv.s_aliases) {
- free(pvt->serv.s_aliases);
- pvt->serv.s_aliases = NULL;
- }
-
- if ((p = strpbrk(pvt->svbuf, "#\n")))
- *p = '\0';
-
- p = pvt->svbuf;
-
- pvt->serv.s_name = p;
- p += strcspn(p, spaces);
- if (!*p)
- goto cleanup;
- *p++ = '\0';
- p += strspn(p, spaces);
-
- pvt->serv.s_port = htons((u_short) atoi(p));
- pvt->serv.s_proto = NULL;
-
- while (*p && !isspace((unsigned char)*p))
- if (*p++ == '/')
- pvt->serv.s_proto = p;
- if (!pvt->serv.s_proto)
- goto cleanup;
- if (*p) {
- *p++ = '\0';
- p += strspn(p, spaces);
- }
-
- n = m = 0;
- while (*p) {
- if ((n + 1) >= m || !pvt->serv.s_aliases) {
- m += 10;
- t = realloc(pvt->serv.s_aliases, m * sizeof(char *));
- if (!t) {
- errno = ENOMEM;
- goto cleanup;
- }
- pvt->serv.s_aliases = t;
- }
- pvt->serv.s_aliases[n++] = p;
- p += strcspn(p, spaces);
- if (!*p)
- break;
- *p++ = '\0';
- p += strspn(p, spaces);
- }
- if (!pvt->serv.s_aliases)
- pvt->serv.s_aliases = malloc(sizeof(char *));
- if (!pvt->serv.s_aliases)
- goto cleanup;
- pvt->serv.s_aliases[n] = NULL;
- return (&pvt->serv);
-
- cleanup:
- if (pvt->serv.s_aliases) {
- free(pvt->serv.s_aliases);
- pvt->serv.s_aliases = NULL;
- }
- if (pvt->svbuf) {
- free(pvt->svbuf);
- pvt->svbuf = NULL;
- }
- return (NULL);
-}
-
-static void
-nisfree(struct pvt *pvt, enum do_what do_what) {
- if ((do_what & do_key) && pvt->curkey_data) {
- free(pvt->curkey_data);
- pvt->curkey_data = NULL;
- }
- if ((do_what & do_val) && pvt->curval_data) {
- free(pvt->curval_data);
- pvt->curval_data = NULL;
- }
-}
-
-#endif /*WANT_IRS_NIS*/
diff --git a/contrib/bind9/lib/bind/irs/nul_ng.c b/contrib/bind9/lib/bind/irs/nul_ng.c
deleted file mode 100644
index 828bebe0af15..000000000000
--- a/contrib/bind9/lib/bind/irs/nul_ng.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: nul_ng.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
-#endif
-
-/*
- * nul_ng.c - the netgroup accessor null map
- */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <netdb.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <errno.h>
-
-#include <irs.h>
-#include <isc/memcluster.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-#include "hesiod.h"
-#include "dns_p.h"
-
-/* Forward. */
-
-static void ng_close(struct irs_ng *);
-static int ng_next(struct irs_ng *, const char **,
- const char **, const char **);
-static int ng_test(struct irs_ng *,
- const char *, const char *,
- const char *, const char *);
-static void ng_rewind(struct irs_ng *, const char *);
-static void ng_minimize(struct irs_ng *);
-
-/* Public. */
-
-struct irs_ng *
-irs_nul_ng(struct irs_acc *this) {
- struct irs_ng *ng;
-
- UNUSED(this);
-
- if (!(ng = memget(sizeof *ng))) {
- errno = ENOMEM;
- return (NULL);
- }
- memset(ng, 0x5e, sizeof *ng);
- ng->private = NULL;
- ng->close = ng_close;
- ng->next = ng_next;
- ng->test = ng_test;
- ng->rewind = ng_rewind;
- ng->minimize = ng_minimize;
- return (ng);
-}
-
-/* Methods. */
-
-static void
-ng_close(struct irs_ng *this) {
- memput(this, sizeof *this);
-}
-
-/* ARGSUSED */
-static int
-ng_next(struct irs_ng *this, const char **host, const char **user,
- const char **domain)
-{
- UNUSED(this);
- UNUSED(host);
- UNUSED(user);
- UNUSED(domain);
- errno = ENOENT;
- return (-1);
-}
-
-static int
-ng_test(struct irs_ng *this, const char *name,
- const char *user, const char *host, const char *domain)
-{
- UNUSED(this);
- UNUSED(name);
- UNUSED(user);
- UNUSED(host);
- UNUSED(domain);
- errno = ENODEV;
- return (-1);
-}
-
-static void
-ng_rewind(struct irs_ng *this, const char *netgroup) {
- UNUSED(this);
- UNUSED(netgroup);
- /* NOOP */
-}
-
-static void
-ng_minimize(struct irs_ng *this) {
- UNUSED(this);
- /* NOOP */
-}
diff --git a/contrib/bind9/lib/bind/irs/pathnames.h b/contrib/bind9/lib/bind/irs/pathnames.h
deleted file mode 100644
index 412dc76f4c9a..000000000000
--- a/contrib/bind9/lib/bind/irs/pathnames.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: pathnames.h,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $
- */
-
-#ifndef _PATH_IRS_CONF
-#define _PATH_IRS_CONF "/etc/irs.conf"
-#endif
-
-#ifndef _PATH_NETWORKS
-#define _PATH_NETWORKS "/etc/networks"
-#endif
-
-#ifndef _PATH_GROUP
-#define _PATH_GROUP "/etc/group"
-#endif
-
-#ifndef _PATH_NETGROUP
-#define _PATH_NETGROUP "/etc/netgroup"
-#endif
-
-#ifndef _PATH_SERVICES
-#define _PATH_SERVICES "/etc/services"
-#endif
-
-#ifdef IRS_LCL_SV_DB
-#ifndef _PATH_SERVICES_DB
-#define _PATH_SERVICES_DB _PATH_SERVICES ".db"
-#endif
-#endif
-
-#ifndef _PATH_HESIOD_CONF
-#define _PATH_HESIOD_CONF "/etc/hesiod.conf"
-#endif
diff --git a/contrib/bind9/lib/bind/irs/util.c b/contrib/bind9/lib/bind/irs/util.c
deleted file mode 100644
index 095e7ad59aea..000000000000
--- a/contrib/bind9/lib/bind/irs/util.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: util.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include <irs.h>
-
-#include "port_after.h"
-
-#include "irs_p.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) sprintf x
-#endif
-
-void
-map_v4v6_address(const char *src, char *dst) {
- u_char *p = (u_char *)dst;
- char tmp[NS_INADDRSZ];
- int i;
-
- /* Stash a temporary copy so our caller can update in place. */
- memcpy(tmp, src, NS_INADDRSZ);
- /* Mark this ipv6 addr as a mapped ipv4. */
- for (i = 0; i < 10; i++)
- *p++ = 0x00;
- *p++ = 0xff;
- *p++ = 0xff;
- /* Retrieve the saved copy and we're done. */
- memcpy((void*)p, tmp, NS_INADDRSZ);
-}
-
-int
-make_group_list(struct irs_gr *this, const char *name,
- gid_t basegid, gid_t *groups, int *ngroups)
-{
- struct group *grp;
- int i, ng;
- int ret, maxgroups;
-
- ret = -1;
- ng = 0;
- maxgroups = *ngroups;
- /*
- * When installing primary group, duplicate it;
- * the first element of groups is the effective gid
- * and will be overwritten when a setgid file is executed.
- */
- if (ng >= maxgroups)
- goto done;
- groups[ng++] = basegid;
- if (ng >= maxgroups)
- goto done;
- groups[ng++] = basegid;
- /*
- * Scan the group file to find additional groups.
- */
- (*this->rewind)(this);
- while ((grp = (*this->next)(this)) != NULL) {
- if ((gid_t)grp->gr_gid == basegid)
- continue;
- for (i = 0; grp->gr_mem[i]; i++) {
- if (!strcmp(grp->gr_mem[i], name)) {
- if (ng >= maxgroups)
- goto done;
- groups[ng++] = grp->gr_gid;
- break;
- }
- }
- }
- ret = 0;
- done:
- *ngroups = ng;
- return (ret);
-}
diff --git a/contrib/bind9/lib/bind/isc/Makefile.in b/contrib/bind9/lib/bind/isc/Makefile.in
deleted file mode 100644
index d8e8889ab385..000000000000
--- a/contrib/bind9/lib/bind/isc/Makefile.in
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:23 marka Exp $
-
-srcdir= @srcdir@
-VPATH = @srcdir@
-
-OBJS= assertions.@O@ base64.@O@ bitncmp.@O@ ctl_clnt.@O@ ctl_p.@O@ \
- ctl_srvr.@O@ ev_connects.@O@ ev_files.@O@ ev_streams.@O@ \
- ev_timers.@O@ ev_waits.@O@ eventlib.@O@ heap.@O@ hex.@O@ \
- logging.@O@ memcluster.@O@ movefile.@O@ tree.@O@
-
-SRCS= assertions.c base64.c bitncmp.c ctl_clnt.c ctl_p.c \
- ctl_srvr.c ev_connects.c ev_files.c ev_streams.c \
- ev_timers.c ev_waits.c eventlib.c heap.c hex.c logging.c \
- memcluster.c movefile.c tree.c
-
-TARGETS= ${OBJS}
-
-CINCLUDES= -I.. -I${srcdir}/../include
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/isc/assertions.c b/contrib/bind9/lib/bind/isc/assertions.c
deleted file mode 100644
index f1fb2efe9570..000000000000
--- a/contrib/bind9/lib/bind/isc/assertions.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: assertions.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-
-#include "port_after.h"
-
-/*
- * Forward.
- */
-
-static void default_assertion_failed(const char *, int, assertion_type,
- const char *, int);
-
-/*
- * Public.
- */
-
-assertion_failure_callback __assertion_failed = default_assertion_failed;
-
-void
-set_assertion_failure_callback(assertion_failure_callback f) {
- if (f == NULL)
- __assertion_failed = default_assertion_failed;
- else
- __assertion_failed = f;
-}
-
-const char *
-assertion_type_to_text(assertion_type type) {
- const char *result;
-
- switch (type) {
- case assert_require:
- result = "REQUIRE";
- break;
- case assert_ensure:
- result = "ENSURE";
- break;
- case assert_insist:
- result = "INSIST";
- break;
- case assert_invariant:
- result = "INVARIANT";
- break;
- default:
- result = NULL;
- }
- return (result);
-}
-
-/*
- * Private.
- */
-
-static void
-default_assertion_failed(const char *file, int line, assertion_type type,
- const char *cond, int print_errno)
-{
- fprintf(stderr, "%s:%d: %s(%s)%s%s failed.\n",
- file, line, assertion_type_to_text(type), cond,
- (print_errno) ? ": " : "",
- (print_errno) ? strerror(errno) : "");
- abort();
- /* NOTREACHED */
-}
diff --git a/contrib/bind9/lib/bind/isc/assertions.mdoc b/contrib/bind9/lib/bind/isc/assertions.mdoc
deleted file mode 100644
index c2144531290a..000000000000
--- a/contrib/bind9/lib/bind/isc/assertions.mdoc
+++ /dev/null
@@ -1,138 +0,0 @@
-.\" $Id: assertions.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
-.\"
-.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 1997,1999 by Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd November 17, 1997
-.Dt ASSERTIONS 3
-.Os ISC
-.Sh NAME
-.Nm REQUIRE ,
-.Nm REQUIRE_ERR ,
-.Nm ENSURE ,
-.Nm ENSURE_ERR ,
-.Nm INSIST ,
-.Nm INSIST_ERR ,
-.Nm INVARIANT ,
-.Nm INVARIANT_ERR ,
-.Nm set_assertion_failure_callback
-.Nd assertion system
-.Sh SYNOPSIS
-.Fd #include <isc/assertions.h>
-.Fo "typedef void (*assertion_failure_callback)"
-.Fa "char *filename"
-.Fa "int line"
-.Fa "assertion_type type"
-.Fa "char *condition"
-.Fa "int print_errno"
-.Fc
-.Fn REQUIRE "int boolean_expression"
-.Fn REQUIRE_ERR "int boolean_expression"
-.Fn ENSURE "int boolean_expression"
-.Fn ENSURE_ERR "int boolean_expression"
-.Fn INSIST "int boolean_expression"
-.Fn INSIST_ERR "int boolean_expression"
-.Fn INVARIANT "int boolean_expression"
-.Fn INVARIANT_ERR "int boolean_expression"
-.Ft void
-.Fn set_assertion_failure_callback "assertion_failure_callback callback"
-.Ft char *
-.Fn assertion_type_to_text "assertion_type type"
-.Sh DESCRIPTION
-The
-.Fn REQUIRE ,
-.Fn ENSURE ,
-.Fn INSIST ,
-and
-.Fn INVARIANT
-macros evaluate a boolean expression, and if it is false, they invoke the
-current assertion failure callback. The default callback will print a message
-to
-.Li stderr
-describing the failure, and then cause the program to dump core.
-If the
-.Dq Fn _ERR
-variant of the assertion is used, the callback will include
-.Fn strerror "errno"
-in its message.
-.Pp
-Each assertion type has an associated
-.Li CHECK
-macro. If this macro's value is
-.Dq 0
-when
-.Dq "<isc/assertions.h>"
-is included, then assertions of that type will not be checked. E.g.
-.Pp
-.Dl #define CHECK_ENSURE 0
-.Pp
-will disable checking of
-.Fn ENSURE
-and
-.Fn ENSURE_ERR .
-The macros
-.Li CHECK_ALL
-and
-.Li CHECK_NONE
-may also be used, respectively specifying that either all or none of the
-assertion types should be checked.
-.Pp
-.Fn set_assertion_failure_callback
-specifies the function to call when an assertion fails.
-.Pp
-When an
-.Fn assertion_failure_callback
-is called, the
-.Fa filename
-and
-.Fa line
-arguments specify the filename and line number of the failing assertion.
-The
-.Fa type
-is one of:
-.Bd -literal -offset indent
-assert_require
-assert_ensure
-assert_insist
-assert_invariant
-.Ed
-.Pp
-and may be used by the callback to determine the type of the failing
-assertion.
-.Fa condition
-is the literal text of the assertion that failed.
-.Fa print_errno
-will be non-zero if the callback should print
-.Fa strerror "errno"
-as part of its output.
-.Pp
-.Fn assertion_type_to_text
-returns a textual representation of
-.Fa type .
-For example,
-.Fn assertion_type_to_text "assert_require"
-returns the string
-.Dq REQUIRE .
-.Sh SEE ALSO
-.Rs
-.%A Bertrand Meyer
-.%B Object-Oriented Software Construction, 2nd edition
-.%Q Prentice\-Hall
-.%D 1997
-.%O ISBN 0\-13\-629155\-4
-.%P chapter 11
-.Re
-.Sh AUTHOR
-Bob Halley (ISC).
diff --git a/contrib/bind9/lib/bind/isc/base64.c b/contrib/bind9/lib/bind/isc/base64.c
deleted file mode 100644
index 51676f37fed3..000000000000
--- a/contrib/bind9/lib/bind/isc/base64.c
+++ /dev/null
@@ -1,320 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software. No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: base64.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
-#endif /* not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "port_after.h"
-
-#define Assert(Cond) if (!(Cond)) abort()
-
-static const char Base64[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-static const char Pad64 = '=';
-
-/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
- The following encoding technique is taken from RFC 1521 by Borenstein
- and Freed. It is reproduced here in a slightly edited form for
- convenience.
-
- A 65-character subset of US-ASCII is used, enabling 6 bits to be
- represented per printable character. (The extra 65th character, "=",
- is used to signify a special processing function.)
-
- The encoding process represents 24-bit groups of input bits as output
- strings of 4 encoded characters. Proceeding from left to right, a
- 24-bit input group is formed by concatenating 3 8-bit input groups.
- These 24 bits are then treated as 4 concatenated 6-bit groups, each
- of which is translated into a single digit in the base64 alphabet.
-
- Each 6-bit group is used as an index into an array of 64 printable
- characters. The character referenced by the index is placed in the
- output string.
-
- Table 1: The Base64 Alphabet
-
- Value Encoding Value Encoding Value Encoding Value Encoding
- 0 A 17 R 34 i 51 z
- 1 B 18 S 35 j 52 0
- 2 C 19 T 36 k 53 1
- 3 D 20 U 37 l 54 2
- 4 E 21 V 38 m 55 3
- 5 F 22 W 39 n 56 4
- 6 G 23 X 40 o 57 5
- 7 H 24 Y 41 p 58 6
- 8 I 25 Z 42 q 59 7
- 9 J 26 a 43 r 60 8
- 10 K 27 b 44 s 61 9
- 11 L 28 c 45 t 62 +
- 12 M 29 d 46 u 63 /
- 13 N 30 e 47 v
- 14 O 31 f 48 w (pad) =
- 15 P 32 g 49 x
- 16 Q 33 h 50 y
-
- Special processing is performed if fewer than 24 bits are available
- at the end of the data being encoded. A full encoding quantum is
- always completed at the end of a quantity. When fewer than 24 input
- bits are available in an input group, zero bits are added (on the
- right) to form an integral number of 6-bit groups. Padding at the
- end of the data is performed using the '=' character.
-
- Since all base64 input is an integral number of octets, only the
- -------------------------------------------------
- following cases can arise:
-
- (1) the final quantum of encoding input is an integral
- multiple of 24 bits; here, the final unit of encoded
- output will be an integral multiple of 4 characters
- with no "=" padding,
- (2) the final quantum of encoding input is exactly 8 bits;
- here, the final unit of encoded output will be two
- characters followed by two "=" padding characters, or
- (3) the final quantum of encoding input is exactly 16 bits;
- here, the final unit of encoded output will be three
- characters followed by one "=" padding character.
- */
-
-int
-b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) {
- size_t datalength = 0;
- u_char input[3];
- u_char output[4];
- size_t i;
-
- while (2U < srclength) {
- input[0] = *src++;
- input[1] = *src++;
- input[2] = *src++;
- srclength -= 3;
-
- output[0] = input[0] >> 2;
- output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
- output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
- output[3] = input[2] & 0x3f;
- Assert(output[0] < 64);
- Assert(output[1] < 64);
- Assert(output[2] < 64);
- Assert(output[3] < 64);
-
- if (datalength + 4 > targsize)
- return (-1);
- target[datalength++] = Base64[output[0]];
- target[datalength++] = Base64[output[1]];
- target[datalength++] = Base64[output[2]];
- target[datalength++] = Base64[output[3]];
- }
-
- /* Now we worry about padding. */
- if (0U != srclength) {
- /* Get what's left. */
- input[0] = input[1] = input[2] = '\0';
- for (i = 0; i < srclength; i++)
- input[i] = *src++;
-
- output[0] = input[0] >> 2;
- output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
- output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
- Assert(output[0] < 64);
- Assert(output[1] < 64);
- Assert(output[2] < 64);
-
- if (datalength + 4 > targsize)
- return (-1);
- target[datalength++] = Base64[output[0]];
- target[datalength++] = Base64[output[1]];
- if (srclength == 1U)
- target[datalength++] = Pad64;
- else
- target[datalength++] = Base64[output[2]];
- target[datalength++] = Pad64;
- }
- if (datalength >= targsize)
- return (-1);
- target[datalength] = '\0'; /* Returned value doesn't count \0. */
- return (datalength);
-}
-
-/* skips all whitespace anywhere.
- converts characters, four at a time, starting at (or after)
- src from base - 64 numbers into three 8 bit bytes in the target area.
- it returns the number of data bytes stored at the target, or -1 on error.
- */
-
-int
-b64_pton(src, target, targsize)
- char const *src;
- u_char *target;
- size_t targsize;
-{
- int tarindex, state, ch;
- char *pos;
-
- state = 0;
- tarindex = 0;
-
- while ((ch = *src++) != '\0') {
- if (isspace(ch)) /* Skip whitespace anywhere. */
- continue;
-
- if (ch == Pad64)
- break;
-
- pos = strchr(Base64, ch);
- if (pos == 0) /* A non-base64 character. */
- return (-1);
-
- switch (state) {
- case 0:
- if (target) {
- if ((size_t)tarindex >= targsize)
- return (-1);
- target[tarindex] = (pos - Base64) << 2;
- }
- state = 1;
- break;
- case 1:
- if (target) {
- if ((size_t)tarindex + 1 >= targsize)
- return (-1);
- target[tarindex] |= (pos - Base64) >> 4;
- target[tarindex+1] = ((pos - Base64) & 0x0f)
- << 4 ;
- }
- tarindex++;
- state = 2;
- break;
- case 2:
- if (target) {
- if ((size_t)tarindex + 1 >= targsize)
- return (-1);
- target[tarindex] |= (pos - Base64) >> 2;
- target[tarindex+1] = ((pos - Base64) & 0x03)
- << 6;
- }
- tarindex++;
- state = 3;
- break;
- case 3:
- if (target) {
- if ((size_t)tarindex >= targsize)
- return (-1);
- target[tarindex] |= (pos - Base64);
- }
- tarindex++;
- state = 0;
- break;
- default:
- abort();
- }
- }
-
- /*
- * We are done decoding Base-64 chars. Let's see if we ended
- * on a byte boundary, and/or with erroneous trailing characters.
- */
-
- if (ch == Pad64) { /* We got a pad char. */
- ch = *src++; /* Skip it, get next. */
- switch (state) {
- case 0: /* Invalid = in first position */
- case 1: /* Invalid = in second position */
- return (-1);
-
- case 2: /* Valid, means one byte of info */
- /* Skip any number of spaces. */
- for ((void)NULL; ch != '\0'; ch = *src++)
- if (!isspace(ch))
- break;
- /* Make sure there is another trailing = sign. */
- if (ch != Pad64)
- return (-1);
- ch = *src++; /* Skip the = */
- /* Fall through to "single trailing =" case. */
- /* FALLTHROUGH */
-
- case 3: /* Valid, means two bytes of info */
- /*
- * We know this char is an =. Is there anything but
- * whitespace after it?
- */
- for ((void)NULL; ch != '\0'; ch = *src++)
- if (!isspace(ch))
- return (-1);
-
- /*
- * Now make sure for cases 2 and 3 that the "extra"
- * bits that slopped past the last full byte were
- * zeros. If we don't check them, they become a
- * subliminal channel.
- */
- if (target && target[tarindex] != 0)
- return (-1);
- }
- } else {
- /*
- * We ended by seeing the end of the string. Make sure we
- * have no partial bytes lying around.
- */
- if (state != 0)
- return (-1);
- }
-
- return (tarindex);
-}
diff --git a/contrib/bind9/lib/bind/isc/bitncmp.c b/contrib/bind9/lib/bind/isc/bitncmp.c
deleted file mode 100644
index fcff9f71ed3f..000000000000
--- a/contrib/bind9/lib/bind/isc/bitncmp.c
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: bitncmp.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-
-#include "port_after.h"
-
-#include <isc/misc.h>
-
-/*
- * int
- * bitncmp(l, r, n)
- * compare bit masks l and r, for n bits.
- * return:
- * -1, 1, or 0 in the libc tradition.
- * note:
- * network byte order assumed. this means 192.5.5.240/28 has
- * 0x11110000 in its fourth octet.
- * author:
- * Paul Vixie (ISC), June 1996
- */
-int
-bitncmp(const void *l, const void *r, int n) {
- u_int lb, rb;
- int x, b;
-
- b = n / 8;
- x = memcmp(l, r, b);
- if (x)
- return (x);
-
- lb = ((const u_char *)l)[b];
- rb = ((const u_char *)r)[b];
- for (b = n % 8; b > 0; b--) {
- if ((lb & 0x80) != (rb & 0x80)) {
- if (lb & 0x80)
- return (1);
- return (-1);
- }
- lb <<= 1;
- rb <<= 1;
- }
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/isc/bitncmp.mdoc b/contrib/bind9/lib/bind/isc/bitncmp.mdoc
deleted file mode 100644
index 5462c2fd9e73..000000000000
--- a/contrib/bind9/lib/bind/isc/bitncmp.mdoc
+++ /dev/null
@@ -1,82 +0,0 @@
-.\" $Id: bitncmp.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
-.\"
-.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 1996,1999 by Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd June 1, 1996
-.Dt BITNCMP 3
-.Os BSD 4
-.Sh NAME
-.Nm bitncmp
-.Nd compare bit masks
-.Sh SYNOPSIS
-.Ft int
-.Fn bitncmp "const void *l" "const void *r" "int n"
-.Sh DESCRIPTION
-The function
-.Fn bitncmp
-compares the
-.Dq Fa n
-most-significant bits of the two masks pointed to by
-.Dq Fa l
-and
-.Dq Fa r ,
-and returns an integer less than, equal to, or greater than 0, according to
-whether or not
-.Dq Fa l
-is lexicographically less than, equal to, or greater than
-.Dq Fa r
-when taken to be unsigned characters (this behaviour is just like that of
-.Xr memcmp 3 ) .
-.Pp
-.Sy NOTE :
-.Fn Bitncmp
-assumes
-.Sy network byte order ;
-this means that the fourth octet of
-.Li 192.5.5.240/28
-.Li 0x11110000 .
-.Sh RETURN VALUES
-.Fn Bitncmp
-returns values in the manner of
-.Xr memcmp 3 :
-.Bd -ragged -offset indent
-+1 if
-.Dq Fa 1
-is greater than
-.Dq Fa r ;
-.Pp
--1 if
-.Dq Fa l
-is less than
-.Dq Fa r ;
-and
-.Pp
-0 if
-.Dq Fa l
-is equal to
-.Dq Fa r ,
-.Ed
-.Pp
-where
-.Dq Fa l
-and
-.Dq Fa r
-are both interpreted as strings of unsigned characters (through bit
-.Dq Fa n . )
-.Sh SEE ALSO
-.Xr memcmp 3 .
-.Sh AUTHOR
-Paul Vixie (ISC).
diff --git a/contrib/bind9/lib/bind/isc/ctl_clnt.c b/contrib/bind9/lib/bind/isc/ctl_clnt.c
deleted file mode 100644
index e1fa7e798072..000000000000
--- a/contrib/bind9/lib/bind/isc/ctl_clnt.c
+++ /dev/null
@@ -1,602 +0,0 @@
-#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_clnt.c,v 1.4.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
-#endif /* not lint */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Extern. */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <isc/assertions.h>
-#include <isc/ctl.h>
-#include <isc/eventlib.h>
-#include <isc/list.h>
-#include <isc/memcluster.h>
-
-#include "ctl_p.h"
-
-#include "port_after.h"
-
-/* Constants. */
-
-
-/* Macros. */
-
-#define donefunc_p(ctx) ((ctx).donefunc != NULL)
-#define arpacode_p(line) (isdigit((unsigned char)(line[0])) && \
- isdigit((unsigned char)(line[1])) && \
- isdigit((unsigned char)(line[2])))
-#define arpacont_p(line) (line[3] == '-')
-#define arpadone_p(line) (line[3] == ' ' || line[3] == '\t' || \
- line[3] == '\r' || line[3] == '\0')
-
-/* Types. */
-
-enum state {
- initializing = 0, connecting, connected, destroyed
-};
-
-struct ctl_tran {
- LINK(struct ctl_tran) link;
- LINK(struct ctl_tran) wlink;
- struct ctl_cctx * ctx;
- struct ctl_buf outbuf;
- ctl_clntdone donefunc;
- void * uap;
-};
-
-struct ctl_cctx {
- enum state state;
- evContext ev;
- int sock;
- ctl_logfunc logger;
- ctl_clntdone donefunc;
- void * uap;
- evConnID coID;
- evTimerID tiID;
- evFileID rdID;
- evStreamID wrID;
- struct ctl_buf inbuf;
- struct timespec timeout;
- LIST(struct ctl_tran) tran;
- LIST(struct ctl_tran) wtran;
-};
-
-/* Forward. */
-
-static struct ctl_tran *new_tran(struct ctl_cctx *, ctl_clntdone, void *, int);
-static void start_write(struct ctl_cctx *);
-static void destroy(struct ctl_cctx *, int);
-static void error(struct ctl_cctx *);
-static void new_state(struct ctl_cctx *, enum state);
-static void conn_done(evContext, void *, int,
- const void *, int,
- const void *, int);
-static void write_done(evContext, void *, int, int);
-static void start_read(struct ctl_cctx *);
-static void stop_read(struct ctl_cctx *);
-static void readable(evContext, void *, int, int);
-static void start_timer(struct ctl_cctx *);
-static void stop_timer(struct ctl_cctx *);
-static void touch_timer(struct ctl_cctx *);
-static void timer(evContext, void *,
- struct timespec, struct timespec);
-
-/* Private data. */
-
-static const char * const state_names[] = {
- "initializing", "connecting", "connected", "destroyed"
-};
-
-/* Public. */
-
-/*
- * void
- * ctl_client()
- * create, condition, and connect to a listener on the control port.
- */
-struct ctl_cctx *
-ctl_client(evContext lev, const struct sockaddr *cap, size_t cap_len,
- const struct sockaddr *sap, size_t sap_len,
- ctl_clntdone donefunc, void *uap,
- u_int timeout, ctl_logfunc logger)
-{
- static const char me[] = "ctl_client";
- static const int on = 1;
- struct ctl_cctx *ctx;
- struct sockaddr *captmp;
-
- if (logger == NULL)
- logger = ctl_logger;
- ctx = memget(sizeof *ctx);
- if (ctx == NULL) {
- (*logger)(ctl_error, "%s: getmem: %s", me, strerror(errno));
- goto fatal;
- }
- ctx->state = initializing;
- ctx->ev = lev;
- ctx->logger = logger;
- ctx->timeout = evConsTime(timeout, 0);
- ctx->donefunc = donefunc;
- ctx->uap = uap;
- ctx->coID.opaque = NULL;
- ctx->tiID.opaque = NULL;
- ctx->rdID.opaque = NULL;
- ctx->wrID.opaque = NULL;
- buffer_init(ctx->inbuf);
- INIT_LIST(ctx->tran);
- INIT_LIST(ctx->wtran);
- ctx->sock = socket(sap->sa_family, SOCK_STREAM, PF_UNSPEC);
- if (ctx->sock > evHighestFD(ctx->ev)) {
- ctx->sock = -1;
- errno = ENOTSOCK;
- }
- if (ctx->sock < 0) {
- (*ctx->logger)(ctl_error, "%s: socket: %s",
- me, strerror(errno));
- goto fatal;
- }
- if (cap != NULL) {
- if (setsockopt(ctx->sock, SOL_SOCKET, SO_REUSEADDR,
- (const char *)&on, sizeof on) != 0) {
- (*ctx->logger)(ctl_warning,
- "%s: setsockopt(REUSEADDR): %s",
- me, strerror(errno));
- }
- DE_CONST(cap, captmp);
- if (bind(ctx->sock, captmp, cap_len) < 0) {
- (*ctx->logger)(ctl_error, "%s: bind: %s", me,
- strerror(errno));
- goto fatal;
- }
- }
- if (evConnect(lev, ctx->sock, (const struct sockaddr *)sap, sap_len,
- conn_done, ctx, &ctx->coID) < 0) {
- (*ctx->logger)(ctl_error, "%s: evConnect(fd %d): %s",
- me, ctx->sock, strerror(errno));
- fatal:
- if (ctx != NULL) {
- if (ctx->sock >= 0)
- close(ctx->sock);
- memput(ctx, sizeof *ctx);
- }
- return (NULL);
- }
- new_state(ctx, connecting);
- return (ctx);
-}
-
-/*
- * void
- * ctl_endclient(ctx)
- * close a client and release all of its resources.
- */
-void
-ctl_endclient(struct ctl_cctx *ctx) {
- if (ctx->state != destroyed)
- destroy(ctx, 0);
- memput(ctx, sizeof *ctx);
-}
-
-/*
- * int
- * ctl_command(ctx, cmd, len, donefunc, uap)
- * Queue a transaction, which will begin with sending cmd
- * and complete by calling donefunc with the answer.
- */
-int
-ctl_command(struct ctl_cctx *ctx, const char *cmd, size_t len,
- ctl_clntdone donefunc, void *uap)
-{
- struct ctl_tran *tran;
- char *pc;
- unsigned int n;
-
- switch (ctx->state) {
- case destroyed:
- errno = ENOTCONN;
- return (-1);
- case connecting:
- case connected:
- break;
- default:
- abort();
- }
- if (len >= (size_t)MAX_LINELEN) {
- errno = EMSGSIZE;
- return (-1);
- }
- tran = new_tran(ctx, donefunc, uap, 1);
- if (tran == NULL)
- return (-1);
- if (ctl_bufget(&tran->outbuf, ctx->logger) < 0)
- return (-1);
- memcpy(tran->outbuf.text, cmd, len);
- tran->outbuf.used = len;
- for (pc = tran->outbuf.text, n = 0; n < tran->outbuf.used; pc++, n++)
- if (!isascii((unsigned char)*pc) ||
- !isprint((unsigned char)*pc))
- *pc = '\040';
- start_write(ctx);
- return (0);
-}
-
-/* Private. */
-
-static struct ctl_tran *
-new_tran(struct ctl_cctx *ctx, ctl_clntdone donefunc, void *uap, int w) {
- struct ctl_tran *new = memget(sizeof *new);
-
- if (new == NULL)
- return (NULL);
- new->ctx = ctx;
- buffer_init(new->outbuf);
- new->donefunc = donefunc;
- new->uap = uap;
- INIT_LINK(new, link);
- INIT_LINK(new, wlink);
- APPEND(ctx->tran, new, link);
- if (w)
- APPEND(ctx->wtran, new, wlink);
- return (new);
-}
-
-static void
-start_write(struct ctl_cctx *ctx) {
- static const char me[] = "isc/ctl_clnt::start_write";
- struct ctl_tran *tran;
- struct iovec iov[2], *iovp = iov;
- char * tmp;
-
- REQUIRE(ctx->state == connecting || ctx->state == connected);
- /* If there is a write in progress, don't try to write more yet. */
- if (ctx->wrID.opaque != NULL)
- return;
- /* If there are no trans, make sure timer is off, and we're done. */
- if (EMPTY(ctx->wtran)) {
- if (ctx->tiID.opaque != NULL)
- stop_timer(ctx);
- return;
- }
- /* Pull it off the head of the write queue. */
- tran = HEAD(ctx->wtran);
- UNLINK(ctx->wtran, tran, wlink);
- /* Since there are some trans, make sure timer is successfully "on". */
- if (ctx->tiID.opaque != NULL)
- touch_timer(ctx);
- else
- start_timer(ctx);
- if (ctx->state == destroyed)
- return;
- /* Marshall a newline-terminated message and clock it out. */
- *iovp++ = evConsIovec(tran->outbuf.text, tran->outbuf.used);
- DE_CONST("\r\n", tmp);
- *iovp++ = evConsIovec(tmp, 2);
- if (evWrite(ctx->ev, ctx->sock, iov, iovp - iov,
- write_done, tran, &ctx->wrID) < 0) {
- (*ctx->logger)(ctl_error, "%s: evWrite: %s", me,
- strerror(errno));
- error(ctx);
- return;
- }
- if (evTimeRW(ctx->ev, ctx->wrID, ctx->tiID) < 0) {
- (*ctx->logger)(ctl_error, "%s: evTimeRW: %s", me,
- strerror(errno));
- error(ctx);
- return;
- }
-}
-
-static void
-destroy(struct ctl_cctx *ctx, int notify) {
- struct ctl_tran *this, *next;
-
- if (ctx->sock != -1) {
- (void) close(ctx->sock);
- ctx->sock = -1;
- }
- switch (ctx->state) {
- case connecting:
- REQUIRE(ctx->wrID.opaque == NULL);
- REQUIRE(EMPTY(ctx->tran));
- /*
- * This test is nec'y since destroy() can be called from
- * start_read() while the state is still "connecting".
- */
- if (ctx->coID.opaque != NULL) {
- (void)evCancelConn(ctx->ev, ctx->coID);
- ctx->coID.opaque = NULL;
- }
- break;
- case connected:
- REQUIRE(ctx->coID.opaque == NULL);
- if (ctx->wrID.opaque != NULL) {
- (void)evCancelRW(ctx->ev, ctx->wrID);
- ctx->wrID.opaque = NULL;
- }
- if (ctx->rdID.opaque != NULL)
- stop_read(ctx);
- break;
- case destroyed:
- break;
- default:
- abort();
- }
- if (allocated_p(ctx->inbuf))
- ctl_bufput(&ctx->inbuf);
- for (this = HEAD(ctx->tran); this != NULL; this = next) {
- next = NEXT(this, link);
- if (allocated_p(this->outbuf))
- ctl_bufput(&this->outbuf);
- if (notify && this->donefunc != NULL)
- (*this->donefunc)(ctx, this->uap, NULL, 0);
- memput(this, sizeof *this);
- }
- if (ctx->tiID.opaque != NULL)
- stop_timer(ctx);
- new_state(ctx, destroyed);
-}
-
-static void
-error(struct ctl_cctx *ctx) {
- REQUIRE(ctx->state != destroyed);
- destroy(ctx, 1);
-}
-
-static void
-new_state(struct ctl_cctx *ctx, enum state new_state) {
- static const char me[] = "isc/ctl_clnt::new_state";
-
- (*ctx->logger)(ctl_debug, "%s: %s -> %s", me,
- state_names[ctx->state], state_names[new_state]);
- ctx->state = new_state;
-}
-
-static void
-conn_done(evContext ev, void *uap, int fd,
- const void *la, int lalen,
- const void *ra, int ralen)
-{
- static const char me[] = "isc/ctl_clnt::conn_done";
- struct ctl_cctx *ctx = uap;
- struct ctl_tran *tran;
-
- UNUSED(ev);
- UNUSED(la);
- UNUSED(lalen);
- UNUSED(ra);
- UNUSED(ralen);
-
- ctx->coID.opaque = NULL;
- if (fd < 0) {
- (*ctx->logger)(ctl_error, "%s: evConnect: %s", me,
- strerror(errno));
- error(ctx);
- return;
- }
- new_state(ctx, connected);
- tran = new_tran(ctx, ctx->donefunc, ctx->uap, 0);
- if (tran == NULL) {
- (*ctx->logger)(ctl_error, "%s: new_tran failed: %s", me,
- strerror(errno));
- error(ctx);
- return;
- }
- start_read(ctx);
- if (ctx->state == destroyed) {
- (*ctx->logger)(ctl_error, "%s: start_read failed: %s",
- me, strerror(errno));
- error(ctx);
- return;
- }
-}
-
-static void
-write_done(evContext lev, void *uap, int fd, int bytes) {
- struct ctl_tran *tran = (struct ctl_tran *)uap;
- struct ctl_cctx *ctx = tran->ctx;
-
- UNUSED(lev);
- UNUSED(fd);
-
- ctx->wrID.opaque = NULL;
- if (ctx->tiID.opaque != NULL)
- touch_timer(ctx);
- ctl_bufput(&tran->outbuf);
- start_write(ctx);
- if (bytes < 0)
- destroy(ctx, 1);
- else
- start_read(ctx);
-}
-
-static void
-start_read(struct ctl_cctx *ctx) {
- static const char me[] = "isc/ctl_clnt::start_read";
-
- REQUIRE(ctx->state == connecting || ctx->state == connected);
- REQUIRE(ctx->rdID.opaque == NULL);
- if (evSelectFD(ctx->ev, ctx->sock, EV_READ, readable, ctx,
- &ctx->rdID) < 0)
- {
- (*ctx->logger)(ctl_error, "%s: evSelect(fd %d): %s", me,
- ctx->sock, strerror(errno));
- error(ctx);
- return;
- }
-}
-
-static void
-stop_read(struct ctl_cctx *ctx) {
- REQUIRE(ctx->coID.opaque == NULL);
- REQUIRE(ctx->rdID.opaque != NULL);
- (void)evDeselectFD(ctx->ev, ctx->rdID);
- ctx->rdID.opaque = NULL;
-}
-
-static void
-readable(evContext ev, void *uap, int fd, int evmask) {
- static const char me[] = "isc/ctl_clnt::readable";
- struct ctl_cctx *ctx = uap;
- struct ctl_tran *tran;
- ssize_t n;
- char *eos;
-
- UNUSED(ev);
-
- REQUIRE(ctx != NULL);
- REQUIRE(fd >= 0);
- REQUIRE(evmask == EV_READ);
- REQUIRE(ctx->state == connected);
- REQUIRE(!EMPTY(ctx->tran));
- tran = HEAD(ctx->tran);
- if (!allocated_p(ctx->inbuf) &&
- ctl_bufget(&ctx->inbuf, ctx->logger) < 0) {
- (*ctx->logger)(ctl_error, "%s: can't get an input buffer", me);
- error(ctx);
- return;
- }
- n = read(ctx->sock, ctx->inbuf.text + ctx->inbuf.used,
- MAX_LINELEN - ctx->inbuf.used);
- if (n <= 0) {
- (*ctx->logger)(ctl_warning, "%s: read: %s", me,
- (n == 0) ? "Unexpected EOF" : strerror(errno));
- error(ctx);
- return;
- }
- if (ctx->tiID.opaque != NULL)
- touch_timer(ctx);
- ctx->inbuf.used += n;
- (*ctx->logger)(ctl_debug, "%s: read %d, used %d", me,
- n, ctx->inbuf.used);
- again:
- eos = memchr(ctx->inbuf.text, '\n', ctx->inbuf.used);
- if (eos != NULL && eos != ctx->inbuf.text && eos[-1] == '\r') {
- int done = 0;
-
- eos[-1] = '\0';
- if (!arpacode_p(ctx->inbuf.text)) {
- /* XXX Doesn't FTP do this sometimes? Is it legal? */
- (*ctx->logger)(ctl_error, "%s: no arpa code (%s)", me,
- ctx->inbuf.text);
- error(ctx);
- return;
- }
- if (arpadone_p(ctx->inbuf.text))
- done = 1;
- else if (arpacont_p(ctx->inbuf.text))
- done = 0;
- else {
- /* XXX Doesn't FTP do this sometimes? Is it legal? */
- (*ctx->logger)(ctl_error, "%s: no arpa flag (%s)", me,
- ctx->inbuf.text);
- error(ctx);
- return;
- }
- (*tran->donefunc)(ctx, tran->uap, ctx->inbuf.text,
- (done ? 0 : CTL_MORE));
- ctx->inbuf.used -= ((eos - ctx->inbuf.text) + 1);
- if (ctx->inbuf.used == 0U)
- ctl_bufput(&ctx->inbuf);
- else
- memmove(ctx->inbuf.text, eos + 1, ctx->inbuf.used);
- if (done) {
- UNLINK(ctx->tran, tran, link);
- memput(tran, sizeof *tran);
- stop_read(ctx);
- start_write(ctx);
- return;
- }
- if (allocated_p(ctx->inbuf))
- goto again;
- return;
- }
- if (ctx->inbuf.used == (size_t)MAX_LINELEN) {
- (*ctx->logger)(ctl_error, "%s: line too long (%-10s...)", me,
- ctx->inbuf.text);
- error(ctx);
- }
-}
-
-/* Timer related stuff. */
-
-static void
-start_timer(struct ctl_cctx *ctx) {
- static const char me[] = "isc/ctl_clnt::start_timer";
-
- REQUIRE(ctx->tiID.opaque == NULL);
- if (evSetIdleTimer(ctx->ev, timer, ctx, ctx->timeout, &ctx->tiID) < 0){
- (*ctx->logger)(ctl_error, "%s: evSetIdleTimer: %s", me,
- strerror(errno));
- error(ctx);
- return;
- }
-}
-
-static void
-stop_timer(struct ctl_cctx *ctx) {
- static const char me[] = "isc/ctl_clnt::stop_timer";
-
- REQUIRE(ctx->tiID.opaque != NULL);
- if (evClearIdleTimer(ctx->ev, ctx->tiID) < 0) {
- (*ctx->logger)(ctl_error, "%s: evClearIdleTimer: %s", me,
- strerror(errno));
- error(ctx);
- return;
- }
- ctx->tiID.opaque = NULL;
-}
-
-static void
-touch_timer(struct ctl_cctx *ctx) {
- REQUIRE(ctx->tiID.opaque != NULL);
-
- evTouchIdleTimer(ctx->ev, ctx->tiID);
-}
-
-static void
-timer(evContext ev, void *uap, struct timespec due, struct timespec itv) {
- static const char me[] = "isc/ctl_clnt::timer";
- struct ctl_cctx *ctx = uap;
-
- UNUSED(ev);
- UNUSED(due);
- UNUSED(itv);
-
- ctx->tiID.opaque = NULL;
- (*ctx->logger)(ctl_error, "%s: timeout after %u seconds while %s", me,
- ctx->timeout.tv_sec, state_names[ctx->state]);
- error(ctx);
-}
diff --git a/contrib/bind9/lib/bind/isc/ctl_p.c b/contrib/bind9/lib/bind/isc/ctl_p.c
deleted file mode 100644
index bc45004c7be7..000000000000
--- a/contrib/bind9/lib/bind/isc/ctl_p.c
+++ /dev/null
@@ -1,186 +0,0 @@
-#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_p.c,v 1.1.206.2 2004/03/17 00:29:51 marka Exp $";
-#endif /* not lint */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Extern. */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <isc/assertions.h>
-#include <isc/eventlib.h>
-#include <isc/logging.h>
-#include <isc/memcluster.h>
-#include <isc/ctl.h>
-
-#include "ctl_p.h"
-
-#include "port_after.h"
-
-/* Constants. */
-
-const char * const ctl_sevnames[] = {
- "debug", "warning", "error"
-};
-
-/* Public. */
-
-/*
- * ctl_logger()
- * if ctl_startup()'s caller didn't specify a logger, this one
- * is used. this pollutes stderr with all kinds of trash so it will
- * probably never be used in real applications.
- */
-void
-ctl_logger(enum ctl_severity severity, const char *format, ...) {
- va_list ap;
- static const char me[] = "ctl_logger";
-
- fprintf(stderr, "%s(%s): ", me, ctl_sevnames[severity]);
- va_start(ap, format);
- vfprintf(stderr, format, ap);
- va_end(ap);
- fputc('\n', stderr);
-}
-
-int
-ctl_bufget(struct ctl_buf *buf, ctl_logfunc logger) {
- static const char me[] = "ctl_bufget";
-
- REQUIRE(!allocated_p(*buf) && buf->used == 0U);
- buf->text = memget(MAX_LINELEN);
- if (!allocated_p(*buf)) {
- (*logger)(ctl_error, "%s: getmem: %s", me, strerror(errno));
- return (-1);
- }
- buf->used = 0;
- return (0);
-}
-
-void
-ctl_bufput(struct ctl_buf *buf) {
-
- REQUIRE(allocated_p(*buf));
- memput(buf->text, MAX_LINELEN);
- buf->text = NULL;
- buf->used = 0;
-}
-
-const char *
-ctl_sa_ntop(const struct sockaddr *sa,
- char *buf, size_t size,
- ctl_logfunc logger)
-{
- static const char me[] = "ctl_sa_ntop";
- static const char punt[] = "[0].-1";
- char tmp[INET6_ADDRSTRLEN];
-
- switch (sa->sa_family) {
- case AF_INET6: {
- const struct sockaddr_in6 *in6 =
- (const struct sockaddr_in6 *) sa;
-
- if (inet_ntop(in6->sin6_family, &in6->sin6_addr, tmp, sizeof tmp)
- == NULL) {
- (*logger)(ctl_error, "%s: inet_ntop(%u %04x): %s",
- me, in6->sin6_family,
- in6->sin6_port, strerror(errno));
- return (punt);
- }
- if (strlen(tmp) + sizeof "[].65535" > size) {
- (*logger)(ctl_error, "%s: buffer overflow", me);
- return (punt);
- }
- (void) sprintf(buf, "[%s].%u", tmp, ntohs(in6->sin6_port));
- return (buf);
- }
- case AF_INET: {
- const struct sockaddr_in *in =
- (const struct sockaddr_in *) sa;
-
- if (inet_ntop(in->sin_family, &in->sin_addr, tmp, sizeof tmp)
- == NULL) {
- (*logger)(ctl_error, "%s: inet_ntop(%u %04x %08x): %s",
- me, in->sin_family,
- in->sin_port, in->sin_addr.s_addr,
- strerror(errno));
- return (punt);
- }
- if (strlen(tmp) + sizeof "[].65535" > size) {
- (*logger)(ctl_error, "%s: buffer overflow", me);
- return (punt);
- }
- (void) sprintf(buf, "[%s].%u", tmp, ntohs(in->sin_port));
- return (buf);
- }
-#ifndef NO_SOCKADDR_UN
- case AF_UNIX: {
- const struct sockaddr_un *un =
- (const struct sockaddr_un *) sa;
- unsigned int x = sizeof un->sun_path;
-
- if (x > size)
- x = size;
- strncpy(buf, un->sun_path, x - 1);
- buf[x - 1] = '\0';
- return (buf);
- }
-#endif
- default:
- return (punt);
- }
-}
-
-void
-ctl_sa_copy(const struct sockaddr *src, struct sockaddr *dst) {
- switch (src->sa_family) {
- case AF_INET6:
- *((struct sockaddr_in6 *)dst) =
- *((const struct sockaddr_in6 *)src);
- break;
- case AF_INET:
- *((struct sockaddr_in *)dst) =
- *((const struct sockaddr_in *)src);
- break;
-#ifndef NO_SOCKADDR_UN
- case AF_UNIX:
- *((struct sockaddr_un *)dst) =
- *((const struct sockaddr_un *)src);
- break;
-#endif
- default:
- *dst = *src;
- break;
- }
-}
diff --git a/contrib/bind9/lib/bind/isc/ctl_p.h b/contrib/bind9/lib/bind/isc/ctl_p.h
deleted file mode 100644
index 42aade7d669d..000000000000
--- a/contrib/bind9/lib/bind/isc/ctl_p.h
+++ /dev/null
@@ -1,26 +0,0 @@
-struct ctl_buf {
- char * text;
- size_t used;
-};
-
-#define MAX_LINELEN 990 /* Like SMTP. */
-#ifndef NO_SOCKADDR_UN
-#define MAX_NTOP PATH_MAX
-#else
-#define MAX_NTOP (sizeof "[255.255.255.255].65535")
-#endif
-
-#define allocated_p(Buf) ((Buf).text != NULL)
-#define buffer_init(Buf) ((Buf).text = 0, (Buf.used) = 0)
-
-#define ctl_bufget __ctl_bufget
-#define ctl_bufput __ctl_bufput
-#define ctl_sa_ntop __ctl_sa_ntop
-#define ctl_sa_copy __ctl_sa_copy
-
-int ctl_bufget(struct ctl_buf *, ctl_logfunc);
-void ctl_bufput(struct ctl_buf *);
-const char * ctl_sa_ntop(const struct sockaddr *, char *, size_t,
- ctl_logfunc);
-void ctl_sa_copy(const struct sockaddr *,
- struct sockaddr *);
diff --git a/contrib/bind9/lib/bind/isc/ctl_srvr.c b/contrib/bind9/lib/bind/isc/ctl_srvr.c
deleted file mode 100644
index 56c768486673..000000000000
--- a/contrib/bind9/lib/bind/isc/ctl_srvr.c
+++ /dev/null
@@ -1,780 +0,0 @@
-#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: ctl_srvr.c,v 1.3.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
-#endif /* not lint */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Extern. */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/file.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-#include <isc/assertions.h>
-#include <isc/ctl.h>
-#include <isc/eventlib.h>
-#include <isc/list.h>
-#include <isc/logging.h>
-#include <isc/memcluster.h>
-
-#include "ctl_p.h"
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/* Macros. */
-
-#define lastverb_p(verb) (verb->name == NULL || verb->func == NULL)
-#define address_expr ctl_sa_ntop((struct sockaddr *)&sess->sa, \
- tmp, sizeof tmp, ctx->logger)
-
-/* Types. */
-
-enum state {
- available = 0, initializing, writing, reading, reading_data,
- processing, idling, quitting, closing
-};
-
-union sa_un {
- struct sockaddr_in in;
-#ifndef NO_SOCKADDR_UN
- struct sockaddr_un un;
-#endif
-};
-
-struct ctl_sess {
- LINK(struct ctl_sess) link;
- struct ctl_sctx * ctx;
- enum state state;
- int sock;
- union sa_un sa;
- evFileID rdID;
- evStreamID wrID;
- evTimerID rdtiID;
- evTimerID wrtiID;
- struct ctl_buf inbuf;
- struct ctl_buf outbuf;
- const struct ctl_verb * verb;
- u_int helpcode;
- const void * respctx;
- u_int respflags;
- ctl_srvrdone donefunc;
- void * uap;
- void * csctx;
-};
-
-struct ctl_sctx {
- evContext ev;
- void * uctx;
- u_int unkncode;
- u_int timeoutcode;
- const struct ctl_verb * verbs;
- const struct ctl_verb * connverb;
- int sock;
- int max_sess;
- int cur_sess;
- struct timespec timeout;
- ctl_logfunc logger;
- evConnID acID;
- LIST(struct ctl_sess) sess;
-};
-
-/* Forward. */
-
-static void ctl_accept(evContext, void *, int,
- const void *, int,
- const void *, int);
-static void ctl_close(struct ctl_sess *);
-static void ctl_new_state(struct ctl_sess *,
- enum state,
- const char *);
-static void ctl_start_read(struct ctl_sess *);
-static void ctl_stop_read(struct ctl_sess *);
-static void ctl_readable(evContext, void *, int, int);
-static void ctl_rdtimeout(evContext, void *,
- struct timespec,
- struct timespec);
-static void ctl_wrtimeout(evContext, void *,
- struct timespec,
- struct timespec);
-static void ctl_docommand(struct ctl_sess *);
-static void ctl_writedone(evContext, void *, int, int);
-static void ctl_morehelp(struct ctl_sctx *,
- struct ctl_sess *,
- const struct ctl_verb *,
- const char *,
- u_int, const void *, void *);
-static void ctl_signal_done(struct ctl_sctx *,
- struct ctl_sess *);
-
-/* Private data. */
-
-static const char * state_names[] = {
- "available", "initializing", "writing", "reading",
- "reading_data", "processing", "idling", "quitting", "closing"
-};
-
-static const char space[] = " ";
-
-static const struct ctl_verb fakehelpverb = {
- "fakehelp", ctl_morehelp , NULL
-};
-
-/* Public. */
-
-/*
- * void
- * ctl_server()
- * create, condition, and start a listener on the control port.
- */
-struct ctl_sctx *
-ctl_server(evContext lev, const struct sockaddr *sap, size_t sap_len,
- const struct ctl_verb *verbs,
- u_int unkncode, u_int timeoutcode,
- u_int timeout, int backlog, int max_sess,
- ctl_logfunc logger, void *uctx)
-{
- static const char me[] = "ctl_server";
- static const int on = 1;
- const struct ctl_verb *connverb;
- struct ctl_sctx *ctx;
- int save_errno;
-
- if (logger == NULL)
- logger = ctl_logger;
- for (connverb = verbs;
- connverb->name != NULL && connverb->func != NULL;
- connverb++)
- if (connverb->name[0] == '\0')
- break;
- if (connverb->func == NULL) {
- (*logger)(ctl_error, "%s: no connection verb found", me);
- return (NULL);
- }
- ctx = memget(sizeof *ctx);
- if (ctx == NULL) {
- (*logger)(ctl_error, "%s: getmem: %s", me, strerror(errno));
- return (NULL);
- }
- ctx->ev = lev;
- ctx->uctx = uctx;
- ctx->unkncode = unkncode;
- ctx->timeoutcode = timeoutcode;
- ctx->verbs = verbs;
- ctx->timeout = evConsTime(timeout, 0);
- ctx->logger = logger;
- ctx->connverb = connverb;
- ctx->max_sess = max_sess;
- ctx->cur_sess = 0;
- INIT_LIST(ctx->sess);
- ctx->sock = socket(sap->sa_family, SOCK_STREAM, PF_UNSPEC);
- if (ctx->sock > evHighestFD(ctx->ev)) {
- ctx->sock = -1;
- errno = ENOTSOCK;
- }
- if (ctx->sock < 0) {
- save_errno = errno;
- (*ctx->logger)(ctl_error, "%s: socket: %s",
- me, strerror(errno));
- memput(ctx, sizeof *ctx);
- errno = save_errno;
- return (NULL);
- }
- if (ctx->sock > evHighestFD(lev)) {
- close(ctx->sock);
- (*ctx->logger)(ctl_error, "%s: file descriptor > evHighestFD");
- errno = ENFILE;
- memput(ctx, sizeof *ctx);
- return (NULL);
- }
-#ifdef NO_UNIX_REUSEADDR
- if (sap->sa_family != AF_UNIX)
-#endif
- if (setsockopt(ctx->sock, SOL_SOCKET, SO_REUSEADDR,
- (const char *)&on, sizeof on) != 0) {
- (*ctx->logger)(ctl_warning,
- "%s: setsockopt(REUSEADDR): %s",
- me, strerror(errno));
- }
- if (bind(ctx->sock, sap, sap_len) < 0) {
- char tmp[MAX_NTOP];
- save_errno = errno;
- (*ctx->logger)(ctl_error, "%s: bind: %s: %s",
- me, ctl_sa_ntop((const struct sockaddr *)sap,
- tmp, sizeof tmp, ctx->logger),
- strerror(save_errno));
- close(ctx->sock);
- memput(ctx, sizeof *ctx);
- errno = save_errno;
- return (NULL);
- }
- if (fcntl(ctx->sock, F_SETFD, 1) < 0) {
- (*ctx->logger)(ctl_warning, "%s: fcntl: %s", me,
- strerror(errno));
- }
- if (evListen(lev, ctx->sock, backlog, ctl_accept, ctx,
- &ctx->acID) < 0) {
- save_errno = errno;
- (*ctx->logger)(ctl_error, "%s: evListen(fd %d): %s",
- me, ctx->sock, strerror(errno));
- close(ctx->sock);
- memput(ctx, sizeof *ctx);
- errno = save_errno;
- return (NULL);
- }
- (*ctx->logger)(ctl_debug, "%s: new ctx %p, sock %d",
- me, ctx, ctx->sock);
- return (ctx);
-}
-
-/*
- * void
- * ctl_endserver(ctx)
- * if the control listener is open, close it. clean out all eventlib
- * stuff. close all active sessions.
- */
-void
-ctl_endserver(struct ctl_sctx *ctx) {
- static const char me[] = "ctl_endserver";
- struct ctl_sess *this, *next;
-
- (*ctx->logger)(ctl_debug, "%s: ctx %p, sock %d, acID %p, sess %p",
- me, ctx, ctx->sock, ctx->acID.opaque, ctx->sess);
- if (ctx->acID.opaque != NULL) {
- (void)evCancelConn(ctx->ev, ctx->acID);
- ctx->acID.opaque = NULL;
- }
- if (ctx->sock != -1) {
- (void) close(ctx->sock);
- ctx->sock = -1;
- }
- for (this = HEAD(ctx->sess); this != NULL; this = next) {
- next = NEXT(this, link);
- ctl_close(this);
- }
- memput(ctx, sizeof *ctx);
-}
-
-/*
- * If body is non-NULL then it we add a "." line after it.
- * Caller must have escaped lines with leading ".".
- */
-void
-ctl_response(struct ctl_sess *sess, u_int code, const char *text,
- u_int flags, const void *respctx, ctl_srvrdone donefunc,
- void *uap, const char *body, size_t bodylen)
-{
- static const char me[] = "ctl_response";
- struct iovec iov[3], *iovp = iov;
- struct ctl_sctx *ctx = sess->ctx;
- char tmp[MAX_NTOP], *pc;
- int n;
-
- REQUIRE(sess->state == initializing ||
- sess->state == processing ||
- sess->state == reading_data ||
- sess->state == writing);
- REQUIRE(sess->wrtiID.opaque == NULL);
- REQUIRE(sess->wrID.opaque == NULL);
- ctl_new_state(sess, writing, me);
- sess->donefunc = donefunc;
- sess->uap = uap;
- if (!allocated_p(sess->outbuf) &&
- ctl_bufget(&sess->outbuf, ctx->logger) < 0) {
- (*ctx->logger)(ctl_error, "%s: %s: cant get an output buffer",
- me, address_expr);
- goto untimely;
- }
- if (sizeof "000-\r\n" + strlen(text) > (size_t)MAX_LINELEN) {
- (*ctx->logger)(ctl_error, "%s: %s: output buffer ovf, closing",
- me, address_expr);
- goto untimely;
- }
- sess->outbuf.used = SPRINTF((sess->outbuf.text, "%03d%c%s\r\n",
- code, (flags & CTL_MORE) != 0 ? '-' : ' ',
- text));
- for (pc = sess->outbuf.text, n = 0;
- n < (int)sess->outbuf.used-2; pc++, n++)
- if (!isascii((unsigned char)*pc) ||
- !isprint((unsigned char)*pc))
- *pc = '\040';
- *iovp++ = evConsIovec(sess->outbuf.text, sess->outbuf.used);
- if (body != NULL) {
- char *tmp;
- DE_CONST(body, tmp);
- *iovp++ = evConsIovec(tmp, bodylen);
- DE_CONST(".\r\n", tmp);
- *iovp++ = evConsIovec(tmp, 3);
- }
- (*ctx->logger)(ctl_debug, "%s: [%d] %s", me,
- sess->outbuf.used, sess->outbuf.text);
- if (evWrite(ctx->ev, sess->sock, iov, iovp - iov,
- ctl_writedone, sess, &sess->wrID) < 0) {
- (*ctx->logger)(ctl_error, "%s: %s: evWrite: %s", me,
- address_expr, strerror(errno));
- goto untimely;
- }
- if (evSetIdleTimer(ctx->ev, ctl_wrtimeout, sess, ctx->timeout,
- &sess->wrtiID) < 0)
- {
- (*ctx->logger)(ctl_error, "%s: %s: evSetIdleTimer: %s", me,
- address_expr, strerror(errno));
- goto untimely;
- }
- if (evTimeRW(ctx->ev, sess->wrID, sess->wrtiID) < 0) {
- (*ctx->logger)(ctl_error, "%s: %s: evTimeRW: %s", me,
- address_expr, strerror(errno));
- untimely:
- ctl_signal_done(ctx, sess);
- ctl_close(sess);
- return;
- }
- sess->respctx = respctx;
- sess->respflags = flags;
-}
-
-void
-ctl_sendhelp(struct ctl_sess *sess, u_int code) {
- static const char me[] = "ctl_sendhelp";
- struct ctl_sctx *ctx = sess->ctx;
-
- sess->helpcode = code;
- sess->verb = &fakehelpverb;
- ctl_morehelp(ctx, sess, NULL, me, CTL_MORE,
- (const void *)ctx->verbs, NULL);
-}
-
-void *
-ctl_getcsctx(struct ctl_sess *sess) {
- return (sess->csctx);
-}
-
-void *
-ctl_setcsctx(struct ctl_sess *sess, void *csctx) {
- void *old = sess->csctx;
-
- sess->csctx = csctx;
- return (old);
-}
-
-/* Private functions. */
-
-static void
-ctl_accept(evContext lev, void *uap, int fd,
- const void *lav, int lalen,
- const void *rav, int ralen)
-{
- static const char me[] = "ctl_accept";
- struct ctl_sctx *ctx = uap;
- struct ctl_sess *sess = NULL;
- char tmp[MAX_NTOP];
-
- UNUSED(lev);
- UNUSED(lalen);
- UNUSED(ralen);
-
- if (fd < 0) {
- (*ctx->logger)(ctl_error, "%s: accept: %s",
- me, strerror(errno));
- return;
- }
- if (ctx->cur_sess == ctx->max_sess) {
- (*ctx->logger)(ctl_error, "%s: %s: too many control sessions",
- me, ctl_sa_ntop((const struct sockaddr *)rav,
- tmp, sizeof tmp,
- ctx->logger));
- (void) close(fd);
- return;
- }
- sess = memget(sizeof *sess);
- if (sess == NULL) {
- (*ctx->logger)(ctl_error, "%s: memget: %s", me,
- strerror(errno));
- (void) close(fd);
- return;
- }
- if (fcntl(fd, F_SETFD, 1) < 0) {
- (*ctx->logger)(ctl_warning, "%s: fcntl: %s", me,
- strerror(errno));
- }
- ctx->cur_sess++;
- INIT_LINK(sess, link);
- APPEND(ctx->sess, sess, link);
- sess->ctx = ctx;
- sess->sock = fd;
- sess->wrID.opaque = NULL;
- sess->rdID.opaque = NULL;
- sess->wrtiID.opaque = NULL;
- sess->rdtiID.opaque = NULL;
- sess->respctx = NULL;
- sess->csctx = NULL;
- if (((const struct sockaddr *)rav)->sa_family == AF_UNIX)
- ctl_sa_copy((const struct sockaddr *)lav,
- (struct sockaddr *)&sess->sa);
- else
- ctl_sa_copy((const struct sockaddr *)rav,
- (struct sockaddr *)&sess->sa);
- sess->donefunc = NULL;
- buffer_init(sess->inbuf);
- buffer_init(sess->outbuf);
- sess->state = available;
- ctl_new_state(sess, initializing, me);
- sess->verb = ctx->connverb;
- (*ctx->logger)(ctl_debug, "%s: %s: accepting (fd %d)",
- me, address_expr, sess->sock);
- (*ctx->connverb->func)(ctx, sess, ctx->connverb, "", 0,
- (const struct sockaddr *)rav, ctx->uctx);
-}
-
-static void
-ctl_new_state(struct ctl_sess *sess, enum state new_state, const char *reason)
-{
- static const char me[] = "ctl_new_state";
- struct ctl_sctx *ctx = sess->ctx;
- char tmp[MAX_NTOP];
-
- (*ctx->logger)(ctl_debug, "%s: %s: %s -> %s (%s)",
- me, address_expr,
- state_names[sess->state],
- state_names[new_state], reason);
- sess->state = new_state;
-}
-
-static void
-ctl_close(struct ctl_sess *sess) {
- static const char me[] = "ctl_close";
- struct ctl_sctx *ctx = sess->ctx;
- char tmp[MAX_NTOP];
-
- REQUIRE(sess->state == initializing ||
- sess->state == writing ||
- sess->state == reading ||
- sess->state == processing ||
- sess->state == reading_data ||
- sess->state == idling);
- REQUIRE(sess->sock != -1);
- if (sess->state == reading || sess->state == reading_data)
- ctl_stop_read(sess);
- else if (sess->state == writing) {
- if (sess->wrID.opaque != NULL) {
- (void) evCancelRW(ctx->ev, sess->wrID);
- sess->wrID.opaque = NULL;
- }
- if (sess->wrtiID.opaque != NULL) {
- (void) evClearIdleTimer(ctx->ev, sess->wrtiID);
- sess->wrtiID.opaque = NULL;
- }
- }
- ctl_new_state(sess, closing, me);
- (void) close(sess->sock);
- if (allocated_p(sess->inbuf))
- ctl_bufput(&sess->inbuf);
- if (allocated_p(sess->outbuf))
- ctl_bufput(&sess->outbuf);
- (*ctx->logger)(ctl_debug, "%s: %s: closed (fd %d)",
- me, address_expr, sess->sock);
- UNLINK(ctx->sess, sess, link);
- memput(sess, sizeof *sess);
- ctx->cur_sess--;
-}
-
-static void
-ctl_start_read(struct ctl_sess *sess) {
- static const char me[] = "ctl_start_read";
- struct ctl_sctx *ctx = sess->ctx;
- char tmp[MAX_NTOP];
-
- REQUIRE(sess->state == initializing ||
- sess->state == writing ||
- sess->state == processing ||
- sess->state == idling);
- REQUIRE(sess->rdtiID.opaque == NULL);
- REQUIRE(sess->rdID.opaque == NULL);
- sess->inbuf.used = 0;
- if (evSetIdleTimer(ctx->ev, ctl_rdtimeout, sess, ctx->timeout,
- &sess->rdtiID) < 0)
- {
- (*ctx->logger)(ctl_error, "%s: %s: evSetIdleTimer: %s", me,
- address_expr, strerror(errno));
- ctl_close(sess);
- return;
- }
- if (evSelectFD(ctx->ev, sess->sock, EV_READ,
- ctl_readable, sess, &sess->rdID) < 0) {
- (*ctx->logger)(ctl_error, "%s: %s: evSelectFD: %s", me,
- address_expr, strerror(errno));
- return;
- }
- ctl_new_state(sess, reading, me);
-}
-
-static void
-ctl_stop_read(struct ctl_sess *sess) {
- static const char me[] = "ctl_stop_read";
- struct ctl_sctx *ctx = sess->ctx;
-
- REQUIRE(sess->state == reading || sess->state == reading_data);
- REQUIRE(sess->rdID.opaque != NULL);
- (void) evDeselectFD(ctx->ev, sess->rdID);
- sess->rdID.opaque = NULL;
- if (sess->rdtiID.opaque != NULL) {
- (void) evClearIdleTimer(ctx->ev, sess->rdtiID);
- sess->rdtiID.opaque = NULL;
- }
- ctl_new_state(sess, idling, me);
-}
-
-static void
-ctl_readable(evContext lev, void *uap, int fd, int evmask) {
- static const char me[] = "ctl_readable";
- struct ctl_sess *sess = uap;
- struct ctl_sctx *ctx = sess->ctx;
- char *eos, tmp[MAX_NTOP];
- ssize_t n;
-
- REQUIRE(sess != NULL);
- REQUIRE(fd >= 0);
- REQUIRE(evmask == EV_READ);
- REQUIRE(sess->state == reading || sess->state == reading_data);
- evTouchIdleTimer(lev, sess->rdtiID);
- if (!allocated_p(sess->inbuf) &&
- ctl_bufget(&sess->inbuf, ctx->logger) < 0) {
- (*ctx->logger)(ctl_error, "%s: %s: cant get an input buffer",
- me, address_expr);
- ctl_close(sess);
- return;
- }
- n = read(sess->sock, sess->inbuf.text + sess->inbuf.used,
- MAX_LINELEN - sess->inbuf.used);
- if (n <= 0) {
- (*ctx->logger)(ctl_debug, "%s: %s: read: %s",
- me, address_expr,
- (n == 0) ? "Unexpected EOF" : strerror(errno));
- ctl_close(sess);
- return;
- }
- sess->inbuf.used += n;
- eos = memchr(sess->inbuf.text, '\n', sess->inbuf.used);
- if (eos != NULL && eos != sess->inbuf.text && eos[-1] == '\r') {
- eos[-1] = '\0';
- if ((sess->respflags & CTL_DATA) != 0) {
- INSIST(sess->verb != NULL);
- (*sess->verb->func)(sess->ctx, sess, sess->verb,
- sess->inbuf.text,
- CTL_DATA, sess->respctx,
- sess->ctx->uctx);
- } else {
- ctl_stop_read(sess);
- ctl_docommand(sess);
- }
- sess->inbuf.used -= ((eos - sess->inbuf.text) + 1);
- if (sess->inbuf.used == 0U)
- ctl_bufput(&sess->inbuf);
- else
- memmove(sess->inbuf.text, eos + 1, sess->inbuf.used);
- return;
- }
- if (sess->inbuf.used == (size_t)MAX_LINELEN) {
- (*ctx->logger)(ctl_error, "%s: %s: line too long, closing",
- me, address_expr);
- ctl_close(sess);
- }
-}
-
-static void
-ctl_wrtimeout(evContext lev, void *uap,
- struct timespec due,
- struct timespec itv)
-{
- static const char me[] = "ctl_wrtimeout";
- struct ctl_sess *sess = uap;
- struct ctl_sctx *ctx = sess->ctx;
- char tmp[MAX_NTOP];
-
- UNUSED(lev);
- UNUSED(due);
- UNUSED(itv);
-
- REQUIRE(sess->state == writing);
- sess->wrtiID.opaque = NULL;
- (*ctx->logger)(ctl_warning, "%s: %s: write timeout, closing",
- me, address_expr);
- if (sess->wrID.opaque != NULL) {
- (void) evCancelRW(ctx->ev, sess->wrID);
- sess->wrID.opaque = NULL;
- }
- ctl_signal_done(ctx, sess);
- ctl_new_state(sess, processing, me);
- ctl_close(sess);
-}
-
-static void
-ctl_rdtimeout(evContext lev, void *uap,
- struct timespec due,
- struct timespec itv)
-{
- static const char me[] = "ctl_rdtimeout";
- struct ctl_sess *sess = uap;
- struct ctl_sctx *ctx = sess->ctx;
- char tmp[MAX_NTOP];
-
- UNUSED(lev);
- UNUSED(due);
- UNUSED(itv);
-
- REQUIRE(sess->state == reading);
- sess->rdtiID.opaque = NULL;
- (*ctx->logger)(ctl_warning, "%s: %s: timeout, closing",
- me, address_expr);
- if (sess->state == reading || sess->state == reading_data)
- ctl_stop_read(sess);
- ctl_signal_done(ctx, sess);
- ctl_new_state(sess, processing, me);
- ctl_response(sess, ctx->timeoutcode, "Timeout.", CTL_EXIT, NULL,
- NULL, NULL, NULL, 0);
-}
-
-static void
-ctl_docommand(struct ctl_sess *sess) {
- static const char me[] = "ctl_docommand";
- char *name, *rest, tmp[MAX_NTOP];
- struct ctl_sctx *ctx = sess->ctx;
- const struct ctl_verb *verb;
-
- REQUIRE(allocated_p(sess->inbuf));
- (*ctx->logger)(ctl_debug, "%s: %s: \"%s\" [%u]",
- me, address_expr,
- sess->inbuf.text, (u_int)sess->inbuf.used);
- ctl_new_state(sess, processing, me);
- name = sess->inbuf.text + strspn(sess->inbuf.text, space);
- rest = name + strcspn(name, space);
- if (*rest != '\0') {
- *rest++ = '\0';
- rest += strspn(rest, space);
- }
- for (verb = ctx->verbs;
- verb != NULL && verb->name != NULL && verb->func != NULL;
- verb++)
- if (verb->name[0] != '\0' && strcasecmp(name, verb->name) == 0)
- break;
- if (verb != NULL && verb->name != NULL && verb->func != NULL) {
- sess->verb = verb;
- (*verb->func)(ctx, sess, verb, rest, 0, NULL, ctx->uctx);
- } else {
- char buf[1100];
-
- if (sizeof "Unrecognized command \"\" (args \"\")" +
- strlen(name) + strlen(rest) > sizeof buf)
- strcpy(buf, "Unrecognized command (buf ovf)");
- else
- sprintf(buf,
- "Unrecognized command \"%s\" (args \"%s\")",
- name, rest);
- ctl_response(sess, ctx->unkncode, buf, 0, NULL, NULL, NULL,
- NULL, 0);
- }
-}
-
-static void
-ctl_writedone(evContext lev, void *uap, int fd, int bytes) {
- static const char me[] = "ctl_writedone";
- struct ctl_sess *sess = uap;
- struct ctl_sctx *ctx = sess->ctx;
- char tmp[MAX_NTOP];
- int save_errno = errno;
-
- UNUSED(lev);
- UNUSED(uap);
-
- REQUIRE(sess->state == writing);
- REQUIRE(fd == sess->sock);
- REQUIRE(sess->wrtiID.opaque != NULL);
- sess->wrID.opaque = NULL;
- (void) evClearIdleTimer(ctx->ev, sess->wrtiID);
- sess->wrtiID.opaque = NULL;
- if (bytes < 0) {
- (*ctx->logger)(ctl_error, "%s: %s: %s",
- me, address_expr, strerror(save_errno));
- ctl_close(sess);
- return;
- }
-
- INSIST(allocated_p(sess->outbuf));
- ctl_bufput(&sess->outbuf);
- if ((sess->respflags & CTL_EXIT) != 0) {
- ctl_signal_done(ctx, sess);
- ctl_close(sess);
- return;
- } else if ((sess->respflags & CTL_MORE) != 0) {
- INSIST(sess->verb != NULL);
- (*sess->verb->func)(sess->ctx, sess, sess->verb, "",
- CTL_MORE, sess->respctx, sess->ctx->uctx);
- } else {
- ctl_signal_done(ctx, sess);
- ctl_start_read(sess);
- }
-}
-
-static void
-ctl_morehelp(struct ctl_sctx *ctx, struct ctl_sess *sess,
- const struct ctl_verb *verb, const char *text,
- u_int respflags, const void *respctx, void *uctx)
-{
- const struct ctl_verb *this = respctx, *next = this + 1;
-
- UNUSED(ctx);
- UNUSED(verb);
- UNUSED(text);
- UNUSED(uctx);
-
- REQUIRE(!lastverb_p(this));
- REQUIRE((respflags & CTL_MORE) != 0);
- if (lastverb_p(next))
- respflags &= ~CTL_MORE;
- ctl_response(sess, sess->helpcode, this->help, respflags, next,
- NULL, NULL, NULL, 0);
-}
-
-static void
-ctl_signal_done(struct ctl_sctx *ctx, struct ctl_sess *sess) {
- if (sess->donefunc != NULL) {
- (*sess->donefunc)(ctx, sess, sess->uap);
- sess->donefunc = NULL;
- }
-}
diff --git a/contrib/bind9/lib/bind/isc/ev_connects.c b/contrib/bind9/lib/bind/isc/ev_connects.c
deleted file mode 100644
index 4b0dd2222a0f..000000000000
--- a/contrib/bind9/lib/bind/isc/ev_connects.c
+++ /dev/null
@@ -1,367 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* ev_connects.c - implement asynch connect/accept for the eventlib
- * vix 16sep96 [initial]
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_connects.c,v 1.4.206.2 2005/07/08 04:52:54 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <unistd.h>
-
-#include <isc/eventlib.h>
-#include <isc/assertions.h>
-#include "eventlib_p.h"
-
-#include "port_after.h"
-
-/* Macros. */
-
-#define GETXXXNAME(f, s, sa, len) ( \
- (f((s), (&sa), (&len)) >= 0) ? 0 : \
- (errno != EAFNOSUPPORT && errno != EOPNOTSUPP) ? -1 : ( \
- memset(&(sa), 0, sizeof (sa)), \
- (len) = sizeof (sa), \
- (sa).sa_family = AF_UNIX, \
- 0 \
- ) \
- )
-
-/* Forward. */
-
-static void listener(evContext ctx, void *uap, int fd, int evmask);
-static void connector(evContext ctx, void *uap, int fd, int evmask);
-
-/* Public. */
-
-int
-evListen(evContext opaqueCtx, int fd, int maxconn,
- evConnFunc func, void *uap, evConnID *id)
-{
- evContext_p *ctx = opaqueCtx.opaque;
- evConn *new;
- int mode;
-
- OKNEW(new);
- new->flags = EV_CONN_LISTEN;
- OK(mode = fcntl(fd, F_GETFL, NULL)); /* side effect: validate fd. */
- /*
- * Remember the nonblocking status. We assume that either evSelectFD
- * has not been done to this fd, or that if it has then the caller
- * will evCancelConn before they evDeselectFD. If our assumptions
- * are not met, then we might restore the old nonblocking status
- * incorrectly.
- */
- if ((mode & PORT_NONBLOCK) == 0) {
-#ifdef USE_FIONBIO_IOCTL
- int on = 1;
- OK(ioctl(fd, FIONBIO, (char *)&on));
-#else
- OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
-#endif
- new->flags |= EV_CONN_BLOCK;
- }
- OK(listen(fd, maxconn));
- if (evSelectFD(opaqueCtx, fd, EV_READ, listener, new, &new->file) < 0){
- int save = errno;
-
- FREE(new);
- errno = save;
- return (-1);
- }
- new->flags |= EV_CONN_SELECTED;
- new->func = func;
- new->uap = uap;
- new->fd = fd;
- if (ctx->conns != NULL)
- ctx->conns->prev = new;
- new->prev = NULL;
- new->next = ctx->conns;
- ctx->conns = new;
- if (id)
- id->opaque = new;
- return (0);
-}
-
-int
-evConnect(evContext opaqueCtx, int fd, const void *ra, int ralen,
- evConnFunc func, void *uap, evConnID *id)
-{
- evContext_p *ctx = opaqueCtx.opaque;
- evConn *new;
-
- OKNEW(new);
- new->flags = 0;
- /* Do the select() first to get the socket into nonblocking mode. */
- if (evSelectFD(opaqueCtx, fd, EV_MASK_ALL,
- connector, new, &new->file) < 0) {
- int save = errno;
-
- FREE(new);
- errno = save;
- return (-1);
- }
- new->flags |= EV_CONN_SELECTED;
- if (connect(fd, ra, ralen) < 0 &&
- errno != EWOULDBLOCK &&
- errno != EAGAIN &&
- errno != EINPROGRESS) {
- int save = errno;
-
- (void) evDeselectFD(opaqueCtx, new->file);
- FREE(new);
- errno = save;
- return (-1);
- }
- /* No error, or EWOULDBLOCK. select() tells when it's ready. */
- new->func = func;
- new->uap = uap;
- new->fd = fd;
- if (ctx->conns != NULL)
- ctx->conns->prev = new;
- new->prev = NULL;
- new->next = ctx->conns;
- ctx->conns = new;
- if (id)
- id->opaque = new;
- return (0);
-}
-
-int
-evCancelConn(evContext opaqueCtx, evConnID id) {
- evContext_p *ctx = opaqueCtx.opaque;
- evConn *this = id.opaque;
- evAccept *acc, *nxtacc;
- int mode;
-
- if ((this->flags & EV_CONN_SELECTED) != 0)
- (void) evDeselectFD(opaqueCtx, this->file);
- if ((this->flags & EV_CONN_BLOCK) != 0) {
- mode = fcntl(this->fd, F_GETFL, NULL);
- if (mode == -1) {
- if (errno != EBADF)
- return (-1);
- } else {
-#ifdef USE_FIONBIO_IOCTL
- int off = 0;
- OK(ioctl(this->fd, FIONBIO, (char *)&off));
-#else
- OK(fcntl(this->fd, F_SETFL, mode & ~PORT_NONBLOCK));
-#endif
- }
- }
-
- /* Unlink from ctx->conns. */
- if (this->prev != NULL)
- this->prev->next = this->next;
- else
- ctx->conns = this->next;
- if (this->next != NULL)
- this->next->prev = this->prev;
-
- /*
- * Remove `this' from the ctx->accepts list (zero or more times).
- */
- for (acc = HEAD(ctx->accepts), nxtacc = NULL;
- acc != NULL;
- acc = nxtacc)
- {
- nxtacc = NEXT(acc, link);
- if (acc->conn == this) {
- UNLINK(ctx->accepts, acc, link);
- close(acc->fd);
- FREE(acc);
- }
- }
-
- /* Wrap up and get out. */
- FREE(this);
- return (0);
-}
-
-int evHold(evContext opaqueCtx, evConnID id) {
- evConn *this = id.opaque;
-
- if ((this->flags & EV_CONN_LISTEN) == 0) {
- errno = EINVAL;
- return (-1);
- }
- if ((this->flags & EV_CONN_SELECTED) == 0)
- return (0);
- this->flags &= ~EV_CONN_SELECTED;
- return (evDeselectFD(opaqueCtx, this->file));
-}
-
-int evUnhold(evContext opaqueCtx, evConnID id) {
- evConn *this = id.opaque;
- int ret;
-
- if ((this->flags & EV_CONN_LISTEN) == 0) {
- errno = EINVAL;
- return (-1);
- }
- if ((this->flags & EV_CONN_SELECTED) != 0)
- return (0);
- ret = evSelectFD(opaqueCtx, this->fd, EV_READ, listener, this,
- &this->file);
- if (ret == 0)
- this->flags |= EV_CONN_SELECTED;
- return (ret);
-}
-
-int
-evTryAccept(evContext opaqueCtx, evConnID id, int *sys_errno) {
- evContext_p *ctx = opaqueCtx.opaque;
- evConn *conn = id.opaque;
- evAccept *new;
-
- if ((conn->flags & EV_CONN_LISTEN) == 0) {
- errno = EINVAL;
- return (-1);
- }
- OKNEW(new);
- new->conn = conn;
- new->ralen = sizeof new->ra;
- new->fd = accept(conn->fd, &new->ra.sa, &new->ralen);
- if (new->fd > ctx->highestFD) {
- close(new->fd);
- new->fd = -1;
- new->ioErrno = ENOTSOCK;
- }
- if (new->fd >= 0) {
- new->lalen = sizeof new->la;
- if (GETXXXNAME(getsockname, new->fd, new->la.sa, new->lalen) < 0) {
- new->ioErrno = errno;
- (void) close(new->fd);
- new->fd = -1;
- } else
- new->ioErrno = 0;
- } else {
- new->ioErrno = errno;
- if (errno == EAGAIN || errno == EWOULDBLOCK) {
- FREE(new);
- return (-1);
- }
- }
- INIT_LINK(new, link);
- APPEND(ctx->accepts, new, link);
- *sys_errno = new->ioErrno;
- return (0);
-}
-
-/* Private. */
-
-static void
-listener(evContext opaqueCtx, void *uap, int fd, int evmask) {
- evContext_p *ctx = opaqueCtx.opaque;
- evConn *conn = uap;
- union {
- struct sockaddr sa;
- struct sockaddr_in in;
-#ifndef NO_SOCKADDR_UN
- struct sockaddr_un un;
-#endif
- } la, ra;
- int new;
- ISC_SOCKLEN_T lalen = 0, ralen;
-
- REQUIRE((evmask & EV_READ) != 0);
- ralen = sizeof ra;
- new = accept(fd, &ra.sa, &ralen);
- if (new > ctx->highestFD) {
- close(new);
- new = -1;
- errno = ENOTSOCK;
- }
- if (new >= 0) {
- lalen = sizeof la;
- if (GETXXXNAME(getsockname, new, la.sa, lalen) < 0) {
- int save = errno;
-
- (void) close(new);
- errno = save;
- new = -1;
- }
- } else if (errno == EAGAIN || errno == EWOULDBLOCK)
- return;
- (*conn->func)(opaqueCtx, conn->uap, new, &la.sa, lalen, &ra.sa, ralen);
-}
-
-static void
-connector(evContext opaqueCtx, void *uap, int fd, int evmask) {
- evConn *conn = uap;
- union {
- struct sockaddr sa;
- struct sockaddr_in in;
-#ifndef NO_SOCKADDR_UN
- struct sockaddr_un un;
-#endif
- } la, ra;
- ISC_SOCKLEN_T lalen, ralen;
-#ifndef NETREAD_BROKEN
- char buf[1];
-#endif
- void *conn_uap;
- evConnFunc conn_func;
- evConnID id;
- int socket_errno = 0;
- ISC_SOCKLEN_T optlen;
-
- UNUSED(evmask);
-
- lalen = sizeof la;
- ralen = sizeof ra;
- conn_uap = conn->uap;
- conn_func = conn->func;
- id.opaque = conn;
-#ifdef SO_ERROR
- optlen = sizeof socket_errno;
- if (fd < 0 &&
- getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, (char *)&socket_errno,
- &optlen) < 0)
- socket_errno = errno;
- else
- errno = socket_errno;
-#endif
- if (evCancelConn(opaqueCtx, id) < 0 ||
- socket_errno ||
-#ifdef NETREAD_BROKEN
- 0 ||
-#else
- read(fd, buf, 0) < 0 ||
-#endif
- GETXXXNAME(getsockname, fd, la.sa, lalen) < 0 ||
- GETXXXNAME(getpeername, fd, ra.sa, ralen) < 0) {
- int save = errno;
-
- (void) close(fd); /* XXX closing caller's fd */
- errno = save;
- fd = -1;
- }
- (*conn_func)(opaqueCtx, conn_uap, fd, &la.sa, lalen, &ra.sa, ralen);
-}
diff --git a/contrib/bind9/lib/bind/isc/ev_files.c b/contrib/bind9/lib/bind/isc/ev_files.c
deleted file mode 100644
index 1f95ed04c999..000000000000
--- a/contrib/bind9/lib/bind/isc/ev_files.c
+++ /dev/null
@@ -1,276 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* ev_files.c - implement asynch file IO for the eventlib
- * vix 11sep95 [initial]
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_files.c,v 1.3.2.1.4.3 2005/07/28 07:43:19 marka Exp $";
-#endif
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/ioctl.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <unistd.h>
-
-#include <isc/eventlib.h>
-#include "eventlib_p.h"
-
-#include "port_after.h"
-
-static evFile *FindFD(const evContext_p *ctx, int fd, int eventmask);
-
-int
-evSelectFD(evContext opaqueCtx,
- int fd,
- int eventmask,
- evFileFunc func,
- void *uap,
- evFileID *opaqueID
-) {
- evContext_p *ctx = opaqueCtx.opaque;
- evFile *id;
- int mode;
-
- evPrintf(ctx, 1,
- "evSelectFD(ctx %p, fd %d, mask 0x%x, func %p, uap %p)\n",
- ctx, fd, eventmask, func, uap);
- if (eventmask == 0 || (eventmask & ~EV_MASK_ALL) != 0)
- EV_ERR(EINVAL);
-#ifndef USE_POLL
- if (fd > ctx->highestFD)
- EV_ERR(EINVAL);
-#endif
- OK(mode = fcntl(fd, F_GETFL, NULL)); /* side effect: validate fd. */
-
- /*
- * The first time we touch a file descriptor, we need to check to see
- * if the application already had it in O_NONBLOCK mode and if so, all
- * of our deselect()'s have to leave it in O_NONBLOCK. If not, then
- * all but our last deselect() has to leave it in O_NONBLOCK.
- */
-#ifdef USE_POLL
- /* Make sure both ctx->pollfds[] and ctx->fdTable[] are large enough */
- if (fd >= ctx->maxnfds && evPollfdRealloc(ctx, 1, fd) != 0)
- EV_ERR(ENOMEM);
-#endif /* USE_POLL */
- id = FindFD(ctx, fd, EV_MASK_ALL);
- if (id == NULL) {
- if (mode & PORT_NONBLOCK)
- FD_SET(fd, &ctx->nonblockBefore);
- else {
-#ifdef USE_FIONBIO_IOCTL
- int on = 1;
- OK(ioctl(fd, FIONBIO, (char *)&on));
-#else
- OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
-#endif
- FD_CLR(fd, &ctx->nonblockBefore);
- }
- }
-
- /*
- * If this descriptor is already in use, search for it again to see
- * if any of the eventmask bits we want to set are already captured.
- * We cannot usefully capture the same fd event more than once in the
- * same context.
- */
- if (id != NULL && FindFD(ctx, fd, eventmask) != NULL)
- EV_ERR(ETOOMANYREFS);
-
- /* Allocate and fill. */
- OKNEW(id);
- id->func = func;
- id->uap = uap;
- id->fd = fd;
- id->eventmask = eventmask;
-
- /*
- * Insert at head. Order could be important for performance if we
- * believe that evGetNext()'s accesses to the fd_sets will be more
- * serial and therefore more cache-lucky if the list is ordered by
- * ``fd.'' We do not believe these things, so we don't do it.
- *
- * The interesting sequence is where GetNext() has cached a select()
- * result and the caller decides to evSelectFD() on some descriptor.
- * Since GetNext() starts at the head, it can miss new entries we add
- * at the head. This is not a serious problem since the event being
- * evSelectFD()'d for has to occur before evSelectFD() is called for
- * the file event to be considered "missed" -- a real corner case.
- * Maintaining a "tail" pointer for ctx->files would fix this, but I'm
- * not sure it would be ``more correct.''
- */
- if (ctx->files != NULL)
- ctx->files->prev = id;
- id->prev = NULL;
- id->next = ctx->files;
- ctx->files = id;
-
- /* Insert into fd table. */
- if (ctx->fdTable[fd] != NULL)
- ctx->fdTable[fd]->fdprev = id;
- id->fdprev = NULL;
- id->fdnext = ctx->fdTable[fd];
- ctx->fdTable[fd] = id;
-
- /* Turn on the appropriate bits in the {rd,wr,ex}Next fd_set's. */
- if (eventmask & EV_READ)
- FD_SET(fd, &ctx->rdNext);
- if (eventmask & EV_WRITE)
- FD_SET(fd, &ctx->wrNext);
- if (eventmask & EV_EXCEPT)
- FD_SET(fd, &ctx->exNext);
-
- /* Update fdMax. */
- if (fd > ctx->fdMax)
- ctx->fdMax = fd;
-
- /* Remember the ID if the caller provided us a place for it. */
- if (opaqueID)
- opaqueID->opaque = id;
-
- return (0);
-}
-
-int
-evDeselectFD(evContext opaqueCtx, evFileID opaqueID) {
- evContext_p *ctx = opaqueCtx.opaque;
- evFile *del = opaqueID.opaque;
- evFile *cur;
- int mode, eventmask;
-
- if (!del) {
- evPrintf(ctx, 11, "evDeselectFD(NULL) ignored\n");
- errno = EINVAL;
- return (-1);
- }
-
- evPrintf(ctx, 1, "evDeselectFD(fd %d, mask 0x%x)\n",
- del->fd, del->eventmask);
-
- /* Get the mode. Unless the file has been closed, errors are bad. */
- mode = fcntl(del->fd, F_GETFL, NULL);
- if (mode == -1 && errno != EBADF)
- EV_ERR(errno);
-
- /* Remove from the list of files. */
- if (del->prev != NULL)
- del->prev->next = del->next;
- else
- ctx->files = del->next;
- if (del->next != NULL)
- del->next->prev = del->prev;
-
- /* Remove from the fd table. */
- if (del->fdprev != NULL)
- del->fdprev->fdnext = del->fdnext;
- else
- ctx->fdTable[del->fd] = del->fdnext;
- if (del->fdnext != NULL)
- del->fdnext->fdprev = del->fdprev;
-
- /*
- * If the file descriptor does not appear in any other select() entry,
- * and if !EV_WASNONBLOCK, and if we got no EBADF when we got the mode
- * earlier, then: restore the fd to blocking status.
- */
- if (!(cur = FindFD(ctx, del->fd, EV_MASK_ALL)) &&
- !FD_ISSET(del->fd, &ctx->nonblockBefore) &&
- mode != -1) {
- /*
- * Note that we won't return an error status to the caller if
- * this fcntl() fails since (a) we've already done the work
- * and (b) the caller didn't ask us anything about O_NONBLOCK.
- */
-#ifdef USE_FIONBIO_IOCTL
- int off = 0;
- (void) ioctl(del->fd, FIONBIO, (char *)&off);
-#else
- (void) fcntl(del->fd, F_SETFL, mode & ~PORT_NONBLOCK);
-#endif
- }
-
- /*
- * Now find all other uses of this descriptor and OR together an event
- * mask so that we don't turn off {rd,wr,ex}Next bits that some other
- * file event is using. As an optimization, stop if the event mask
- * fills.
- */
- eventmask = 0;
- for ((void)NULL;
- cur != NULL && eventmask != EV_MASK_ALL;
- cur = cur->next)
- if (cur->fd == del->fd)
- eventmask |= cur->eventmask;
-
- /* OK, now we know which bits we can clear out. */
- if (!(eventmask & EV_READ)) {
- FD_CLR(del->fd, &ctx->rdNext);
- if (FD_ISSET(del->fd, &ctx->rdLast)) {
- FD_CLR(del->fd, &ctx->rdLast);
- ctx->fdCount--;
- }
- }
- if (!(eventmask & EV_WRITE)) {
- FD_CLR(del->fd, &ctx->wrNext);
- if (FD_ISSET(del->fd, &ctx->wrLast)) {
- FD_CLR(del->fd, &ctx->wrLast);
- ctx->fdCount--;
- }
- }
- if (!(eventmask & EV_EXCEPT)) {
- FD_CLR(del->fd, &ctx->exNext);
- if (FD_ISSET(del->fd, &ctx->exLast)) {
- FD_CLR(del->fd, &ctx->exLast);
- ctx->fdCount--;
- }
- }
-
- /* If this was the maxFD, find the new one. */
- if (del->fd == ctx->fdMax) {
- ctx->fdMax = -1;
- for (cur = ctx->files; cur; cur = cur->next)
- if (cur->fd > ctx->fdMax)
- ctx->fdMax = cur->fd;
- }
-
- /* If this was the fdNext, cycle that to the next entry. */
- if (del == ctx->fdNext)
- ctx->fdNext = del->next;
-
- /* Couldn't free it before now since we were using fields out of it. */
- FREE(del);
-
- return (0);
-}
-
-static evFile *
-FindFD(const evContext_p *ctx, int fd, int eventmask) {
- evFile *id;
-
- for (id = ctx->fdTable[fd]; id != NULL; id = id->fdnext)
- if (id->fd == fd && (id->eventmask & eventmask) != 0)
- break;
- return (id);
-}
diff --git a/contrib/bind9/lib/bind/isc/ev_streams.c b/contrib/bind9/lib/bind/isc/ev_streams.c
deleted file mode 100644
index 64e88b0c00d6..000000000000
--- a/contrib/bind9/lib/bind/isc/ev_streams.c
+++ /dev/null
@@ -1,306 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* ev_streams.c - implement asynch stream file IO for the eventlib
- * vix 04mar96 [initial]
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_streams.c,v 1.2.206.2 2004/03/17 00:29:51 marka Exp $";
-#endif
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-
-#include <isc/eventlib.h>
-#include <isc/assertions.h>
-#include "eventlib_p.h"
-
-#include "port_after.h"
-
-static int copyvec(evStream *str, const struct iovec *iov, int iocnt);
-static void consume(evStream *str, size_t bytes);
-static void done(evContext opaqueCtx, evStream *str);
-static void writable(evContext opaqueCtx, void *uap, int fd, int evmask);
-static void readable(evContext opaqueCtx, void *uap, int fd, int evmask);
-
-struct iovec
-evConsIovec(void *buf, size_t cnt) {
- struct iovec ret;
-
- memset(&ret, 0xf5, sizeof ret);
- ret.iov_base = buf;
- ret.iov_len = cnt;
- return (ret);
-}
-
-int
-evWrite(evContext opaqueCtx, int fd, const struct iovec *iov, int iocnt,
- evStreamFunc func, void *uap, evStreamID *id)
-{
- evContext_p *ctx = opaqueCtx.opaque;
- evStream *new;
- int save;
-
- OKNEW(new);
- new->func = func;
- new->uap = uap;
- new->fd = fd;
- new->flags = 0;
- if (evSelectFD(opaqueCtx, fd, EV_WRITE, writable, new, &new->file) < 0)
- goto free;
- if (copyvec(new, iov, iocnt) < 0)
- goto free;
- new->prevDone = NULL;
- new->nextDone = NULL;
- if (ctx->streams != NULL)
- ctx->streams->prev = new;
- new->prev = NULL;
- new->next = ctx->streams;
- ctx->streams = new;
- if (id != NULL)
- id->opaque = new;
- return (0);
- free:
- save = errno;
- FREE(new);
- errno = save;
- return (-1);
-}
-
-int
-evRead(evContext opaqueCtx, int fd, const struct iovec *iov, int iocnt,
- evStreamFunc func, void *uap, evStreamID *id)
-{
- evContext_p *ctx = opaqueCtx.opaque;
- evStream *new;
- int save;
-
- OKNEW(new);
- new->func = func;
- new->uap = uap;
- new->fd = fd;
- new->flags = 0;
- if (evSelectFD(opaqueCtx, fd, EV_READ, readable, new, &new->file) < 0)
- goto free;
- if (copyvec(new, iov, iocnt) < 0)
- goto free;
- new->prevDone = NULL;
- new->nextDone = NULL;
- if (ctx->streams != NULL)
- ctx->streams->prev = new;
- new->prev = NULL;
- new->next = ctx->streams;
- ctx->streams = new;
- if (id)
- id->opaque = new;
- return (0);
- free:
- save = errno;
- FREE(new);
- errno = save;
- return (-1);
-}
-
-int
-evTimeRW(evContext opaqueCtx, evStreamID id, evTimerID timer) /*ARGSUSED*/ {
- evStream *str = id.opaque;
-
- UNUSED(opaqueCtx);
-
- str->timer = timer;
- str->flags |= EV_STR_TIMEROK;
- return (0);
-}
-
-int
-evUntimeRW(evContext opaqueCtx, evStreamID id) /*ARGSUSED*/ {
- evStream *str = id.opaque;
-
- UNUSED(opaqueCtx);
-
- str->flags &= ~EV_STR_TIMEROK;
- return (0);
-}
-
-int
-evCancelRW(evContext opaqueCtx, evStreamID id) {
- evContext_p *ctx = opaqueCtx.opaque;
- evStream *old = id.opaque;
-
- /*
- * The streams list is doubly threaded. First, there's ctx->streams
- * that's used by evDestroy() to find and cancel all streams. Second,
- * there's ctx->strDone (head) and ctx->strLast (tail) which thread
- * through the potentially smaller number of "IO completed" streams,
- * used in evGetNext() to avoid scanning the entire list.
- */
-
- /* Unlink from ctx->streams. */
- if (old->prev != NULL)
- old->prev->next = old->next;
- else
- ctx->streams = old->next;
- if (old->next != NULL)
- old->next->prev = old->prev;
-
- /*
- * If 'old' is on the ctx->strDone list, remove it. Update
- * ctx->strLast if necessary.
- */
- if (old->prevDone == NULL && old->nextDone == NULL) {
- /*
- * Either 'old' is the only item on the done list, or it's
- * not on the done list. If the former, then we unlink it
- * from the list. If the latter, we leave the list alone.
- */
- if (ctx->strDone == old) {
- ctx->strDone = NULL;
- ctx->strLast = NULL;
- }
- } else {
- if (old->prevDone != NULL)
- old->prevDone->nextDone = old->nextDone;
- else
- ctx->strDone = old->nextDone;
- if (old->nextDone != NULL)
- old->nextDone->prevDone = old->prevDone;
- else
- ctx->strLast = old->prevDone;
- }
-
- /* Deallocate the stream. */
- if (old->file.opaque)
- evDeselectFD(opaqueCtx, old->file);
- memput(old->iovOrig, sizeof (struct iovec) * old->iovOrigCount);
- FREE(old);
- return (0);
-}
-
-/* Copy a scatter/gather vector and initialize a stream handler's IO. */
-static int
-copyvec(evStream *str, const struct iovec *iov, int iocnt) {
- int i;
-
- str->iovOrig = (struct iovec *)memget(sizeof(struct iovec) * iocnt);
- if (str->iovOrig == NULL) {
- errno = ENOMEM;
- return (-1);
- }
- str->ioTotal = 0;
- for (i = 0; i < iocnt; i++) {
- str->iovOrig[i] = iov[i];
- str->ioTotal += iov[i].iov_len;
- }
- str->iovOrigCount = iocnt;
- str->iovCur = str->iovOrig;
- str->iovCurCount = str->iovOrigCount;
- str->ioDone = 0;
- return (0);
-}
-
-/* Pull off or truncate lead iovec(s). */
-static void
-consume(evStream *str, size_t bytes) {
- while (bytes > 0U) {
- if (bytes < (size_t)str->iovCur->iov_len) {
- str->iovCur->iov_len -= bytes;
- str->iovCur->iov_base = (void *)
- ((u_char *)str->iovCur->iov_base + bytes);
- str->ioDone += bytes;
- bytes = 0;
- } else {
- bytes -= str->iovCur->iov_len;
- str->ioDone += str->iovCur->iov_len;
- str->iovCur++;
- str->iovCurCount--;
- }
- }
-}
-
-/* Add a stream to Done list and deselect the FD. */
-static void
-done(evContext opaqueCtx, evStream *str) {
- evContext_p *ctx = opaqueCtx.opaque;
-
- if (ctx->strLast != NULL) {
- str->prevDone = ctx->strLast;
- ctx->strLast->nextDone = str;
- ctx->strLast = str;
- } else {
- INSIST(ctx->strDone == NULL);
- ctx->strDone = ctx->strLast = str;
- }
- evDeselectFD(opaqueCtx, str->file);
- str->file.opaque = NULL;
- /* evDrop() will call evCancelRW() on us. */
-}
-
-/* Dribble out some bytes on the stream. (Called by evDispatch().) */
-static void
-writable(evContext opaqueCtx, void *uap, int fd, int evmask) {
- evStream *str = uap;
- int bytes;
-
- UNUSED(evmask);
-
- bytes = writev(fd, str->iovCur, str->iovCurCount);
- if (bytes > 0) {
- if ((str->flags & EV_STR_TIMEROK) != 0)
- evTouchIdleTimer(opaqueCtx, str->timer);
- consume(str, bytes);
- } else {
- if (bytes < 0 && errno != EINTR) {
- str->ioDone = -1;
- str->ioErrno = errno;
- }
- }
- if (str->ioDone == -1 || str->ioDone == str->ioTotal)
- done(opaqueCtx, str);
-}
-
-/* Scoop up some bytes from the stream. (Called by evDispatch().) */
-static void
-readable(evContext opaqueCtx, void *uap, int fd, int evmask) {
- evStream *str = uap;
- int bytes;
-
- UNUSED(evmask);
-
- bytes = readv(fd, str->iovCur, str->iovCurCount);
- if (bytes > 0) {
- if ((str->flags & EV_STR_TIMEROK) != 0)
- evTouchIdleTimer(opaqueCtx, str->timer);
- consume(str, bytes);
- } else {
- if (bytes == 0)
- str->ioDone = 0;
- else {
- if (errno != EINTR) {
- str->ioDone = -1;
- str->ioErrno = errno;
- }
- }
- }
- if (str->ioDone <= 0 || str->ioDone == str->ioTotal)
- done(opaqueCtx, str);
-}
diff --git a/contrib/bind9/lib/bind/isc/ev_timers.c b/contrib/bind9/lib/bind/isc/ev_timers.c
deleted file mode 100644
index 11433fbffa2f..000000000000
--- a/contrib/bind9/lib/bind/isc/ev_timers.c
+++ /dev/null
@@ -1,497 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* ev_timers.c - implement timers for the eventlib
- * vix 09sep95 [initial]
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_timers.c,v 1.2.2.1.4.5 2004/03/17 02:39:13 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <errno.h>
-
-#include <isc/assertions.h>
-#include <isc/eventlib.h>
-#include "eventlib_p.h"
-
-#include "port_after.h"
-
-/* Constants. */
-
-#define MILLION 1000000
-#define BILLION 1000000000
-
-/* Forward. */
-
-static int due_sooner(void *, void *);
-static void set_index(void *, int);
-static void free_timer(void *, void *);
-static void print_timer(void *, void *);
-static void idle_timeout(evContext, void *, struct timespec, struct timespec);
-
-/* Private type. */
-
-typedef struct {
- evTimerFunc func;
- void * uap;
- struct timespec lastTouched;
- struct timespec max_idle;
- evTimer * timer;
-} idle_timer;
-
-/* Public. */
-
-struct timespec
-evConsTime(time_t sec, long nsec) {
- struct timespec x;
-
- x.tv_sec = sec;
- x.tv_nsec = nsec;
- return (x);
-}
-
-struct timespec
-evAddTime(struct timespec addend1, struct timespec addend2) {
- struct timespec x;
-
- x.tv_sec = addend1.tv_sec + addend2.tv_sec;
- x.tv_nsec = addend1.tv_nsec + addend2.tv_nsec;
- if (x.tv_nsec >= BILLION) {
- x.tv_sec++;
- x.tv_nsec -= BILLION;
- }
- return (x);
-}
-
-struct timespec
-evSubTime(struct timespec minuend, struct timespec subtrahend) {
- struct timespec x;
-
- x.tv_sec = minuend.tv_sec - subtrahend.tv_sec;
- if (minuend.tv_nsec >= subtrahend.tv_nsec)
- x.tv_nsec = minuend.tv_nsec - subtrahend.tv_nsec;
- else {
- x.tv_nsec = BILLION - subtrahend.tv_nsec + minuend.tv_nsec;
- x.tv_sec--;
- }
- return (x);
-}
-
-int
-evCmpTime(struct timespec a, struct timespec b) {
- long x = a.tv_sec - b.tv_sec;
-
- if (x == 0L)
- x = a.tv_nsec - b.tv_nsec;
- return (x < 0L ? (-1) : x > 0L ? (1) : (0));
-}
-
-struct timespec
-evNowTime() {
- struct timeval now;
-#ifdef CLOCK_REALTIME
- struct timespec tsnow;
- int m = CLOCK_REALTIME;
-
-#ifdef CLOCK_MONOTONIC
- if (__evOptMonoTime)
- m = CLOCK_MONOTONIC;
-#endif
- if (clock_gettime(m, &tsnow) == 0)
- return (tsnow);
-#endif
- if (gettimeofday(&now, NULL) < 0)
- return (evConsTime(0, 0));
- return (evTimeSpec(now));
-}
-
-struct timespec
-evUTCTime() {
- struct timeval now;
-#ifdef CLOCK_REALTIME
- struct timespec tsnow;
- if (clock_gettime(CLOCK_REALTIME, &tsnow) == 0)
- return (tsnow);
-#endif
- if (gettimeofday(&now, NULL) < 0)
- return (evConsTime(0, 0));
- return (evTimeSpec(now));
-}
-
-struct timespec
-evLastEventTime(evContext opaqueCtx) {
- evContext_p *ctx = opaqueCtx.opaque;
-
- return (ctx->lastEventTime);
-}
-
-struct timespec
-evTimeSpec(struct timeval tv) {
- struct timespec ts;
-
- ts.tv_sec = tv.tv_sec;
- ts.tv_nsec = tv.tv_usec * 1000;
- return (ts);
-}
-
-struct timeval
-evTimeVal(struct timespec ts) {
- struct timeval tv;
-
- tv.tv_sec = ts.tv_sec;
- tv.tv_usec = ts.tv_nsec / 1000;
- return (tv);
-}
-
-int
-evSetTimer(evContext opaqueCtx,
- evTimerFunc func,
- void *uap,
- struct timespec due,
- struct timespec inter,
- evTimerID *opaqueID
-) {
- evContext_p *ctx = opaqueCtx.opaque;
- evTimer *id;
-
- evPrintf(ctx, 1,
-"evSetTimer(ctx %p, func %p, uap %p, due %ld.%09ld, inter %ld.%09ld)\n",
- ctx, func, uap,
- (long)due.tv_sec, due.tv_nsec,
- (long)inter.tv_sec, inter.tv_nsec);
-
-#ifdef __hpux
- /*
- * tv_sec and tv_nsec are unsigned.
- */
- if (due.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-
- if (inter.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-#else
- if (due.tv_sec < 0 || due.tv_nsec < 0 || due.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-
- if (inter.tv_sec < 0 || inter.tv_nsec < 0 || inter.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-#endif
-
- /* due={0,0} is a magic cookie meaning "now." */
- if (due.tv_sec == (time_t)0 && due.tv_nsec == 0L)
- due = evNowTime();
-
- /* Allocate and fill. */
- OKNEW(id);
- id->func = func;
- id->uap = uap;
- id->due = due;
- id->inter = inter;
-
- if (heap_insert(ctx->timers, id) < 0)
- return (-1);
-
- /* Remember the ID if the caller provided us a place for it. */
- if (opaqueID)
- opaqueID->opaque = id;
-
- if (ctx->debug > 7) {
- evPrintf(ctx, 7, "timers after evSetTimer:\n");
- (void) heap_for_each(ctx->timers, print_timer, (void *)ctx);
- }
-
- return (0);
-}
-
-int
-evClearTimer(evContext opaqueCtx, evTimerID id) {
- evContext_p *ctx = opaqueCtx.opaque;
- evTimer *del = id.opaque;
-
- if (ctx->cur != NULL &&
- ctx->cur->type == Timer &&
- ctx->cur->u.timer.this == del) {
- evPrintf(ctx, 8, "deferring delete of timer (executing)\n");
- /*
- * Setting the interval to zero ensures that evDrop() will
- * clean up the timer.
- */
- del->inter = evConsTime(0, 0);
- return (0);
- }
-
- if (heap_element(ctx->timers, del->index) != del)
- EV_ERR(ENOENT);
-
- if (heap_delete(ctx->timers, del->index) < 0)
- return (-1);
- FREE(del);
-
- if (ctx->debug > 7) {
- evPrintf(ctx, 7, "timers after evClearTimer:\n");
- (void) heap_for_each(ctx->timers, print_timer, (void *)ctx);
- }
-
- return (0);
-}
-
-int
-evConfigTimer(evContext opaqueCtx,
- evTimerID id,
- const char *param,
- int value
-) {
- evContext_p *ctx = opaqueCtx.opaque;
- evTimer *timer = id.opaque;
- int result=0;
-
- UNUSED(value);
-
- if (heap_element(ctx->timers, timer->index) != timer)
- EV_ERR(ENOENT);
-
- if (strcmp(param, "rate") == 0)
- timer->mode |= EV_TMR_RATE;
- else if (strcmp(param, "interval") == 0)
- timer->mode &= ~EV_TMR_RATE;
- else
- EV_ERR(EINVAL);
-
- return (result);
-}
-
-int
-evResetTimer(evContext opaqueCtx,
- evTimerID id,
- evTimerFunc func,
- void *uap,
- struct timespec due,
- struct timespec inter
-) {
- evContext_p *ctx = opaqueCtx.opaque;
- evTimer *timer = id.opaque;
- struct timespec old_due;
- int result=0;
-
- if (heap_element(ctx->timers, timer->index) != timer)
- EV_ERR(ENOENT);
-
-#ifdef __hpux
- /*
- * tv_sec and tv_nsec are unsigned.
- */
- if (due.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-
- if (inter.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-#else
- if (due.tv_sec < 0 || due.tv_nsec < 0 || due.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-
- if (inter.tv_sec < 0 || inter.tv_nsec < 0 || inter.tv_nsec >= BILLION)
- EV_ERR(EINVAL);
-#endif
-
- old_due = timer->due;
-
- timer->func = func;
- timer->uap = uap;
- timer->due = due;
- timer->inter = inter;
-
- switch (evCmpTime(due, old_due)) {
- case -1:
- result = heap_increased(ctx->timers, timer->index);
- break;
- case 0:
- result = 0;
- break;
- case 1:
- result = heap_decreased(ctx->timers, timer->index);
- break;
- }
-
- if (ctx->debug > 7) {
- evPrintf(ctx, 7, "timers after evResetTimer:\n");
- (void) heap_for_each(ctx->timers, print_timer, (void *)ctx);
- }
-
- return (result);
-}
-
-int
-evSetIdleTimer(evContext opaqueCtx,
- evTimerFunc func,
- void *uap,
- struct timespec max_idle,
- evTimerID *opaqueID
-) {
- evContext_p *ctx = opaqueCtx.opaque;
- idle_timer *tt;
-
- /* Allocate and fill. */
- OKNEW(tt);
- tt->func = func;
- tt->uap = uap;
- tt->lastTouched = ctx->lastEventTime;
- tt->max_idle = max_idle;
-
- if (evSetTimer(opaqueCtx, idle_timeout, tt,
- evAddTime(ctx->lastEventTime, max_idle),
- max_idle, opaqueID) < 0) {
- FREE(tt);
- return (-1);
- }
-
- tt->timer = opaqueID->opaque;
-
- return (0);
-}
-
-int
-evClearIdleTimer(evContext opaqueCtx, evTimerID id) {
- evTimer *del = id.opaque;
- idle_timer *tt = del->uap;
-
- FREE(tt);
- return (evClearTimer(opaqueCtx, id));
-}
-
-int
-evResetIdleTimer(evContext opaqueCtx,
- evTimerID opaqueID,
- evTimerFunc func,
- void *uap,
- struct timespec max_idle
-) {
- evContext_p *ctx = opaqueCtx.opaque;
- evTimer *timer = opaqueID.opaque;
- idle_timer *tt = timer->uap;
-
- tt->func = func;
- tt->uap = uap;
- tt->lastTouched = ctx->lastEventTime;
- tt->max_idle = max_idle;
-
- return (evResetTimer(opaqueCtx, opaqueID, idle_timeout, tt,
- evAddTime(ctx->lastEventTime, max_idle),
- max_idle));
-}
-
-int
-evTouchIdleTimer(evContext opaqueCtx, evTimerID id) {
- evContext_p *ctx = opaqueCtx.opaque;
- evTimer *t = id.opaque;
- idle_timer *tt = t->uap;
-
- tt->lastTouched = ctx->lastEventTime;
-
- return (0);
-}
-
-/* Public to the rest of eventlib. */
-
-heap_context
-evCreateTimers(const evContext_p *ctx) {
-
- UNUSED(ctx);
-
- return (heap_new(due_sooner, set_index, 2048));
-}
-
-void
-evDestroyTimers(const evContext_p *ctx) {
- (void) heap_for_each(ctx->timers, free_timer, NULL);
- (void) heap_free(ctx->timers);
-}
-
-/* Private. */
-
-static int
-due_sooner(void *a, void *b) {
- evTimer *a_timer, *b_timer;
-
- a_timer = a;
- b_timer = b;
- return (evCmpTime(a_timer->due, b_timer->due) < 0);
-}
-
-static void
-set_index(void *what, int index) {
- evTimer *timer;
-
- timer = what;
- timer->index = index;
-}
-
-static void
-free_timer(void *what, void *uap) {
- evTimer *t = what;
-
- UNUSED(uap);
-
- FREE(t);
-}
-
-static void
-print_timer(void *what, void *uap) {
- evTimer *cur = what;
- evContext_p *ctx = uap;
-
- cur = what;
- evPrintf(ctx, 7,
- " func %p, uap %p, due %ld.%09ld, inter %ld.%09ld\n",
- cur->func, cur->uap,
- (long)cur->due.tv_sec, cur->due.tv_nsec,
- (long)cur->inter.tv_sec, cur->inter.tv_nsec);
-}
-
-static void
-idle_timeout(evContext opaqueCtx,
- void *uap,
- struct timespec due,
- struct timespec inter
-) {
- evContext_p *ctx = opaqueCtx.opaque;
- idle_timer *this = uap;
- struct timespec idle;
-
- UNUSED(due);
- UNUSED(inter);
-
- idle = evSubTime(ctx->lastEventTime, this->lastTouched);
- if (evCmpTime(idle, this->max_idle) >= 0) {
- (this->func)(opaqueCtx, this->uap, this->timer->due,
- this->max_idle);
- /*
- * Setting the interval to zero will cause the timer to
- * be cleaned up in evDrop().
- */
- this->timer->inter = evConsTime(0, 0);
- FREE(this);
- } else {
- /* evDrop() will reschedule the timer. */
- this->timer->inter = evSubTime(this->max_idle, idle);
- }
-}
diff --git a/contrib/bind9/lib/bind/isc/ev_waits.c b/contrib/bind9/lib/bind/isc/ev_waits.c
deleted file mode 100644
index f30280d43815..000000000000
--- a/contrib/bind9/lib/bind/isc/ev_waits.c
+++ /dev/null
@@ -1,245 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* ev_waits.c - implement deferred function calls for the eventlib
- * vix 05dec95 [initial]
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: ev_waits.c,v 1.1.2.1.4.1 2004/03/09 08:33:43 marka Exp $";
-#endif
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <errno.h>
-
-#include <isc/eventlib.h>
-#include <isc/assertions.h>
-#include "eventlib_p.h"
-
-#include "port_after.h"
-
-/* Forward. */
-
-static void print_waits(evContext_p *ctx);
-static evWaitList * evNewWaitList(evContext_p *);
-static void evFreeWaitList(evContext_p *, evWaitList *);
-static evWaitList * evGetWaitList(evContext_p *, const void *, int);
-
-
-/* Public. */
-
-/*
- * Enter a new wait function on the queue.
- */
-int
-evWaitFor(evContext opaqueCtx, const void *tag,
- evWaitFunc func, void *uap, evWaitID *id)
-{
- evContext_p *ctx = opaqueCtx.opaque;
- evWait *new;
- evWaitList *wl = evGetWaitList(ctx, tag, 1);
-
- OKNEW(new);
- new->func = func;
- new->uap = uap;
- new->tag = tag;
- new->next = NULL;
- if (wl->last != NULL)
- wl->last->next = new;
- else
- wl->first = new;
- wl->last = new;
- if (id != NULL)
- id->opaque = new;
- if (ctx->debug >= 9)
- print_waits(ctx);
- return (0);
-}
-
-/*
- * Mark runnable all waiting functions having a certain tag.
- */
-int
-evDo(evContext opaqueCtx, const void *tag) {
- evContext_p *ctx = opaqueCtx.opaque;
- evWaitList *wl = evGetWaitList(ctx, tag, 0);
- evWait *first;
-
- if (!wl) {
- errno = ENOENT;
- return (-1);
- }
-
- first = wl->first;
- INSIST(first != NULL);
-
- if (ctx->waitDone.last != NULL)
- ctx->waitDone.last->next = first;
- else
- ctx->waitDone.first = first;
- ctx->waitDone.last = wl->last;
- evFreeWaitList(ctx, wl);
-
- return (0);
-}
-
-/*
- * Remove a waiting (or ready to run) function from the queue.
- */
-int
-evUnwait(evContext opaqueCtx, evWaitID id) {
- evContext_p *ctx = opaqueCtx.opaque;
- evWait *this, *prev;
- evWaitList *wl;
- int found = 0;
-
- this = id.opaque;
- INSIST(this != NULL);
- wl = evGetWaitList(ctx, this->tag, 0);
- if (wl != NULL) {
- for (prev = NULL, this = wl->first;
- this != NULL;
- prev = this, this = this->next)
- if (this == (evWait *)id.opaque) {
- found = 1;
- if (prev != NULL)
- prev->next = this->next;
- else
- wl->first = this->next;
- if (wl->last == this)
- wl->last = prev;
- if (wl->first == NULL)
- evFreeWaitList(ctx, wl);
- break;
- }
- }
-
- if (!found) {
- /* Maybe it's done */
- for (prev = NULL, this = ctx->waitDone.first;
- this != NULL;
- prev = this, this = this->next)
- if (this == (evWait *)id.opaque) {
- found = 1;
- if (prev != NULL)
- prev->next = this->next;
- else
- ctx->waitDone.first = this->next;
- if (ctx->waitDone.last == this)
- ctx->waitDone.last = prev;
- break;
- }
- }
-
- if (!found) {
- errno = ENOENT;
- return (-1);
- }
-
- FREE(this);
-
- if (ctx->debug >= 9)
- print_waits(ctx);
-
- return (0);
-}
-
-int
-evDefer(evContext opaqueCtx, evWaitFunc func, void *uap) {
- evContext_p *ctx = opaqueCtx.opaque;
- evWait *new;
-
- OKNEW(new);
- new->func = func;
- new->uap = uap;
- new->tag = NULL;
- new->next = NULL;
- if (ctx->waitDone.last != NULL)
- ctx->waitDone.last->next = new;
- else
- ctx->waitDone.first = new;
- ctx->waitDone.last = new;
- if (ctx->debug >= 9)
- print_waits(ctx);
- return (0);
-}
-
-/* Private. */
-
-static void
-print_waits(evContext_p *ctx) {
- evWaitList *wl;
- evWait *this;
-
- evPrintf(ctx, 9, "wait waiting:\n");
- for (wl = ctx->waitLists; wl != NULL; wl = wl->next) {
- INSIST(wl->first != NULL);
- evPrintf(ctx, 9, " tag %p:", wl->first->tag);
- for (this = wl->first; this != NULL; this = this->next)
- evPrintf(ctx, 9, " %p", this);
- evPrintf(ctx, 9, "\n");
- }
- evPrintf(ctx, 9, "wait done:");
- for (this = ctx->waitDone.first; this != NULL; this = this->next)
- evPrintf(ctx, 9, " %p", this);
- evPrintf(ctx, 9, "\n");
-}
-
-static evWaitList *
-evNewWaitList(evContext_p *ctx) {
- evWaitList *new;
-
- NEW(new);
- if (new == NULL)
- return (NULL);
- new->first = new->last = NULL;
- new->prev = NULL;
- new->next = ctx->waitLists;
- if (new->next != NULL)
- new->next->prev = new;
- ctx->waitLists = new;
- return (new);
-}
-
-static void
-evFreeWaitList(evContext_p *ctx, evWaitList *this) {
-
- INSIST(this != NULL);
-
- if (this->prev != NULL)
- this->prev->next = this->next;
- else
- ctx->waitLists = this->next;
- if (this->next != NULL)
- this->next->prev = this->prev;
- FREE(this);
-}
-
-static evWaitList *
-evGetWaitList(evContext_p *ctx, const void *tag, int should_create) {
- evWaitList *this;
-
- for (this = ctx->waitLists; this != NULL; this = this->next) {
- if (this->first != NULL && this->first->tag == tag)
- break;
- }
- if (this == NULL && should_create)
- this = evNewWaitList(ctx);
- return (this);
-}
diff --git a/contrib/bind9/lib/bind/isc/eventlib.c b/contrib/bind9/lib/bind/isc/eventlib.c
deleted file mode 100644
index 77b14144b97b..000000000000
--- a/contrib/bind9/lib/bind/isc/eventlib.c
+++ /dev/null
@@ -1,937 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* eventlib.c - implement glue for the eventlib
- * vix 09sep95 [initial]
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.5 2005/07/28 07:43:20 marka Exp $";
-#endif
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-#ifdef SOLARIS2
-#include <limits.h>
-#endif /* SOLARIS2 */
-
-#include <errno.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/eventlib.h>
-#include <isc/assertions.h>
-#include "eventlib_p.h"
-
-#include "port_after.h"
-
-int __evOptMonoTime;
-
-#ifdef USE_POLL
-#define pselect Pselect
-#endif /* USE_POLL */
-
-/* Forward. */
-
-#if defined(NEED_PSELECT) || defined(USE_POLL)
-static int pselect(int, void *, void *, void *,
- struct timespec *,
- const sigset_t *);
-#endif
-
-int __evOptMonoTime;
-
-/* Public. */
-
-int
-evCreate(evContext *opaqueCtx) {
- evContext_p *ctx;
-
- /* Make sure the memory heap is initialized. */
- if (meminit(0, 0) < 0 && errno != EEXIST)
- return (-1);
-
- OKNEW(ctx);
-
- /* Global. */
- ctx->cur = NULL;
-
- /* Debugging. */
- ctx->debug = 0;
- ctx->output = NULL;
-
- /* Connections. */
- ctx->conns = NULL;
- INIT_LIST(ctx->accepts);
-
- /* Files. */
-#ifdef USE_POLL
- ctx->pollfds = NULL;
- ctx->maxnfds = 0;
- ctx->firstfd = 0;
- emulMaskInit(ctx, rdLast, EV_READ, 1);
- emulMaskInit(ctx, rdNext, EV_READ, 0);
- emulMaskInit(ctx, wrLast, EV_WRITE, 1);
- emulMaskInit(ctx, wrNext, EV_WRITE, 0);
- emulMaskInit(ctx, exLast, EV_EXCEPT, 1);
- emulMaskInit(ctx, exNext, EV_EXCEPT, 0);
- emulMaskInit(ctx, nonblockBefore, EV_WASNONBLOCKING, 0);
-#endif /* USE_POLL */
- ctx->files = NULL;
- FD_ZERO(&ctx->rdNext);
- FD_ZERO(&ctx->wrNext);
- FD_ZERO(&ctx->exNext);
- FD_ZERO(&ctx->nonblockBefore);
- ctx->fdMax = -1;
- ctx->fdNext = NULL;
- ctx->fdCount = 0; /* Invalidate {rd,wr,ex}Last. */
-#ifndef USE_POLL
- ctx->highestFD = FD_SETSIZE - 1;
- memset(ctx->fdTable, 0, sizeof ctx->fdTable);
-#else
- ctx->highestFD = INT_MAX / sizeof(struct pollfd);
- ctx->fdTable = NULL;
-#endif
-#ifdef EVENTLIB_TIME_CHECKS
- ctx->lastFdCount = 0;
-#endif
-
- /* Streams. */
- ctx->streams = NULL;
- ctx->strDone = NULL;
- ctx->strLast = NULL;
-
- /* Timers. */
- ctx->lastEventTime = evNowTime();
-#ifdef EVENTLIB_TIME_CHECKS
- ctx->lastSelectTime = ctx->lastEventTime;
-#endif
- ctx->timers = evCreateTimers(ctx);
- if (ctx->timers == NULL)
- return (-1);
-
- /* Waits. */
- ctx->waitLists = NULL;
- ctx->waitDone.first = ctx->waitDone.last = NULL;
- ctx->waitDone.prev = ctx->waitDone.next = NULL;
-
- opaqueCtx->opaque = ctx;
- return (0);
-}
-
-void
-evSetDebug(evContext opaqueCtx, int level, FILE *output) {
- evContext_p *ctx = opaqueCtx.opaque;
-
- ctx->debug = level;
- ctx->output = output;
-}
-
-int
-evDestroy(evContext opaqueCtx) {
- evContext_p *ctx = opaqueCtx.opaque;
- int revs = 424242; /* Doug Adams. */
- evWaitList *this_wl, *next_wl;
- evWait *this_wait, *next_wait;
-
- /* Connections. */
- while (revs-- > 0 && ctx->conns != NULL) {
- evConnID id;
-
- id.opaque = ctx->conns;
- (void) evCancelConn(opaqueCtx, id);
- }
- INSIST(revs >= 0);
-
- /* Streams. */
- while (revs-- > 0 && ctx->streams != NULL) {
- evStreamID id;
-
- id.opaque = ctx->streams;
- (void) evCancelRW(opaqueCtx, id);
- }
-
- /* Files. */
- while (revs-- > 0 && ctx->files != NULL) {
- evFileID id;
-
- id.opaque = ctx->files;
- (void) evDeselectFD(opaqueCtx, id);
- }
- INSIST(revs >= 0);
-
- /* Timers. */
- evDestroyTimers(ctx);
-
- /* Waits. */
- for (this_wl = ctx->waitLists;
- revs-- > 0 && this_wl != NULL;
- this_wl = next_wl) {
- next_wl = this_wl->next;
- for (this_wait = this_wl->first;
- revs-- > 0 && this_wait != NULL;
- this_wait = next_wait) {
- next_wait = this_wait->next;
- FREE(this_wait);
- }
- FREE(this_wl);
- }
- for (this_wait = ctx->waitDone.first;
- revs-- > 0 && this_wait != NULL;
- this_wait = next_wait) {
- next_wait = this_wait->next;
- FREE(this_wait);
- }
-
- FREE(ctx);
- return (0);
-}
-
-int
-evGetNext(evContext opaqueCtx, evEvent *opaqueEv, int options) {
- evContext_p *ctx = opaqueCtx.opaque;
- struct timespec nextTime;
- evTimer *nextTimer;
- evEvent_p *new;
- int x, pselect_errno, timerPast;
-#ifdef EVENTLIB_TIME_CHECKS
- struct timespec interval;
-#endif
-
- /* Ensure that exactly one of EV_POLL or EV_WAIT was specified. */
- x = ((options & EV_POLL) != 0) + ((options & EV_WAIT) != 0);
- if (x != 1)
- EV_ERR(EINVAL);
-
- /* Get the time of day. We'll do this again after select() blocks. */
- ctx->lastEventTime = evNowTime();
-
- again:
- /* Finished accept()'s do not require a select(). */
- if (!EMPTY(ctx->accepts)) {
- OKNEW(new);
- new->type = Accept;
- new->u.accept.this = HEAD(ctx->accepts);
- UNLINK(ctx->accepts, HEAD(ctx->accepts), link);
- opaqueEv->opaque = new;
- return (0);
- }
-
- /* Stream IO does not require a select(). */
- if (ctx->strDone != NULL) {
- OKNEW(new);
- new->type = Stream;
- new->u.stream.this = ctx->strDone;
- ctx->strDone = ctx->strDone->nextDone;
- if (ctx->strDone == NULL)
- ctx->strLast = NULL;
- opaqueEv->opaque = new;
- return (0);
- }
-
- /* Waits do not require a select(). */
- if (ctx->waitDone.first != NULL) {
- OKNEW(new);
- new->type = Wait;
- new->u.wait.this = ctx->waitDone.first;
- ctx->waitDone.first = ctx->waitDone.first->next;
- if (ctx->waitDone.first == NULL)
- ctx->waitDone.last = NULL;
- opaqueEv->opaque = new;
- return (0);
- }
-
- /* Get the status and content of the next timer. */
- if ((nextTimer = heap_element(ctx->timers, 1)) != NULL) {
- nextTime = nextTimer->due;
- timerPast = (evCmpTime(nextTime, ctx->lastEventTime) <= 0);
- } else
- timerPast = 0; /* Make gcc happy. */
-
- evPrintf(ctx, 9, "evGetNext: fdCount %d\n", ctx->fdCount);
- if (ctx->fdCount == 0) {
- static const struct timespec NoTime = {0, 0L};
- enum { JustPoll, Block, Timer } m;
- struct timespec t, *tp;
-
- /* Are there any events at all? */
- if ((options & EV_WAIT) != 0 && !nextTimer && ctx->fdMax == -1)
- EV_ERR(ENOENT);
-
- /* Figure out what select()'s timeout parameter should be. */
- if ((options & EV_POLL) != 0) {
- m = JustPoll;
- t = NoTime;
- tp = &t;
- } else if (nextTimer == NULL) {
- m = Block;
- /* ``t'' unused. */
- tp = NULL;
- } else if (timerPast) {
- m = JustPoll;
- t = NoTime;
- tp = &t;
- } else {
- m = Timer;
- /* ``t'' filled in later. */
- tp = &t;
- }
-#ifdef EVENTLIB_TIME_CHECKS
- if (ctx->debug > 0) {
- interval = evSubTime(ctx->lastEventTime,
- ctx->lastSelectTime);
- if (interval.tv_sec > 0 || interval.tv_nsec > 0)
- evPrintf(ctx, 1,
- "time between pselect() %u.%09u count %d\n",
- interval.tv_sec, interval.tv_nsec,
- ctx->lastFdCount);
- }
-#endif
- do {
-#ifndef USE_POLL
- /* XXX need to copy only the bits we are using. */
- ctx->rdLast = ctx->rdNext;
- ctx->wrLast = ctx->wrNext;
- ctx->exLast = ctx->exNext;
-#else
- /*
- * The pollfd structure uses separate fields for
- * the input and output events (corresponding to
- * the ??Next and ??Last fd sets), so there's no
- * need to copy one to the other.
- */
-#endif /* USE_POLL */
- if (m == Timer) {
- INSIST(tp == &t);
- t = evSubTime(nextTime, ctx->lastEventTime);
- }
-
- /* XXX should predict system's earliness and adjust. */
- x = pselect(ctx->fdMax+1,
- &ctx->rdLast, &ctx->wrLast, &ctx->exLast,
- tp, NULL);
- pselect_errno = errno;
-
-#ifndef USE_POLL
- evPrintf(ctx, 4, "select() returns %d (err: %s)\n",
- x, (x == -1) ? strerror(errno) : "none");
-#else
- evPrintf(ctx, 4, "poll() returns %d (err: %s)\n",
- x, (x == -1) ? strerror(errno) : "none");
-#endif /* USE_POLL */
- /* Anything but a poll can change the time. */
- if (m != JustPoll)
- ctx->lastEventTime = evNowTime();
-
- /* Select() likes to finish about 10ms early. */
- } while (x == 0 && m == Timer &&
- evCmpTime(ctx->lastEventTime, nextTime) < 0);
-#ifdef EVENTLIB_TIME_CHECKS
- ctx->lastSelectTime = ctx->lastEventTime;
-#endif
- if (x < 0) {
- if (pselect_errno == EINTR) {
- if ((options & EV_NULL) != 0)
- goto again;
- OKNEW(new);
- new->type = Null;
- /* No data. */
- opaqueEv->opaque = new;
- return (0);
- }
- if (pselect_errno == EBADF) {
- for (x = 0; x <= ctx->fdMax; x++) {
- struct stat sb;
-
- if (FD_ISSET(x, &ctx->rdNext) == 0 &&
- FD_ISSET(x, &ctx->wrNext) == 0 &&
- FD_ISSET(x, &ctx->exNext) == 0)
- continue;
- if (fstat(x, &sb) == -1 &&
- errno == EBADF)
- evPrintf(ctx, 1, "EBADF: %d\n",
- x);
- }
- abort();
- }
- EV_ERR(pselect_errno);
- }
- if (x == 0 && (nextTimer == NULL || !timerPast) &&
- (options & EV_POLL))
- EV_ERR(EWOULDBLOCK);
- ctx->fdCount = x;
-#ifdef EVENTLIB_TIME_CHECKS
- ctx->lastFdCount = x;
-#endif
- }
- INSIST(nextTimer || ctx->fdCount);
-
- /* Timers go first since we'd like them to be accurate. */
- if (nextTimer && !timerPast) {
- /* Has anything happened since we blocked? */
- timerPast = (evCmpTime(nextTime, ctx->lastEventTime) <= 0);
- }
- if (nextTimer && timerPast) {
- OKNEW(new);
- new->type = Timer;
- new->u.timer.this = nextTimer;
- opaqueEv->opaque = new;
- return (0);
- }
-
- /* No timers, so there should be a ready file descriptor. */
- x = 0;
- while (ctx->fdCount > 0) {
- evFile *fid;
- int fd, eventmask;
-
- if (ctx->fdNext == NULL) {
- if (++x == 2) {
- /*
- * Hitting the end twice means that the last
- * select() found some FD's which have since
- * been deselected.
- *
- * On some systems, the count returned by
- * selects is the total number of bits in
- * all masks that are set, and on others it's
- * the number of fd's that have some bit set,
- * and on others, it's just broken. We
- * always assume that it's the number of
- * bits set in all masks, because that's what
- * the man page says it should do, and
- * the worst that can happen is we do an
- * extra select().
- */
- ctx->fdCount = 0;
- break;
- }
- ctx->fdNext = ctx->files;
- }
- fid = ctx->fdNext;
- ctx->fdNext = fid->next;
-
- fd = fid->fd;
- eventmask = 0;
- if (FD_ISSET(fd, &ctx->rdLast))
- eventmask |= EV_READ;
- if (FD_ISSET(fd, &ctx->wrLast))
- eventmask |= EV_WRITE;
- if (FD_ISSET(fd, &ctx->exLast))
- eventmask |= EV_EXCEPT;
- eventmask &= fid->eventmask;
- if (eventmask != 0) {
- if ((eventmask & EV_READ) != 0) {
- FD_CLR(fd, &ctx->rdLast);
- ctx->fdCount--;
- }
- if ((eventmask & EV_WRITE) != 0) {
- FD_CLR(fd, &ctx->wrLast);
- ctx->fdCount--;
- }
- if ((eventmask & EV_EXCEPT) != 0) {
- FD_CLR(fd, &ctx->exLast);
- ctx->fdCount--;
- }
- OKNEW(new);
- new->type = File;
- new->u.file.this = fid;
- new->u.file.eventmask = eventmask;
- opaqueEv->opaque = new;
- return (0);
- }
- }
- if (ctx->fdCount < 0) {
- /*
- * select()'s count is off on a number of systems, and
- * can result in fdCount < 0.
- */
- evPrintf(ctx, 4, "fdCount < 0 (%d)\n", ctx->fdCount);
- ctx->fdCount = 0;
- }
-
- /* We get here if the caller deselect()'s an FD. Gag me with a goto. */
- goto again;
-}
-
-int
-evDispatch(evContext opaqueCtx, evEvent opaqueEv) {
- evContext_p *ctx = opaqueCtx.opaque;
- evEvent_p *ev = opaqueEv.opaque;
-#ifdef EVENTLIB_TIME_CHECKS
- void *func;
- struct timespec start_time;
- struct timespec interval;
-#endif
-
-#ifdef EVENTLIB_TIME_CHECKS
- if (ctx->debug > 0)
- start_time = evNowTime();
-#endif
- ctx->cur = ev;
- switch (ev->type) {
- case Accept: {
- evAccept *this = ev->u.accept.this;
-
- evPrintf(ctx, 5,
- "Dispatch.Accept: fd %d -> %d, func %p, uap %p\n",
- this->conn->fd, this->fd,
- this->conn->func, this->conn->uap);
- errno = this->ioErrno;
- (this->conn->func)(opaqueCtx, this->conn->uap, this->fd,
- &this->la, this->lalen,
- &this->ra, this->ralen);
-#ifdef EVENTLIB_TIME_CHECKS
- func = this->conn->func;
-#endif
- break;
- }
- case File: {
- evFile *this = ev->u.file.this;
- int eventmask = ev->u.file.eventmask;
-
- evPrintf(ctx, 5,
- "Dispatch.File: fd %d, mask 0x%x, func %p, uap %p\n",
- this->fd, this->eventmask, this->func, this->uap);
- (this->func)(opaqueCtx, this->uap, this->fd, eventmask);
-#ifdef EVENTLIB_TIME_CHECKS
- func = this->func;
-#endif
- break;
- }
- case Stream: {
- evStream *this = ev->u.stream.this;
-
- evPrintf(ctx, 5,
- "Dispatch.Stream: fd %d, func %p, uap %p\n",
- this->fd, this->func, this->uap);
- errno = this->ioErrno;
- (this->func)(opaqueCtx, this->uap, this->fd, this->ioDone);
-#ifdef EVENTLIB_TIME_CHECKS
- func = this->func;
-#endif
- break;
- }
- case Timer: {
- evTimer *this = ev->u.timer.this;
-
- evPrintf(ctx, 5, "Dispatch.Timer: func %p, uap %p\n",
- this->func, this->uap);
- (this->func)(opaqueCtx, this->uap, this->due, this->inter);
-#ifdef EVENTLIB_TIME_CHECKS
- func = this->func;
-#endif
- break;
- }
- case Wait: {
- evWait *this = ev->u.wait.this;
-
- evPrintf(ctx, 5,
- "Dispatch.Wait: tag %p, func %p, uap %p\n",
- this->tag, this->func, this->uap);
- (this->func)(opaqueCtx, this->uap, this->tag);
-#ifdef EVENTLIB_TIME_CHECKS
- func = this->func;
-#endif
- break;
- }
- case Null: {
- /* No work. */
-#ifdef EVENTLIB_TIME_CHECKS
- func = NULL;
-#endif
- break;
- }
- default: {
- abort();
- }
- }
-#ifdef EVENTLIB_TIME_CHECKS
- if (ctx->debug > 0) {
- interval = evSubTime(evNowTime(), start_time);
- /*
- * Complain if it took longer than 50 milliseconds.
- *
- * We call getuid() to make an easy to find mark in a kernel
- * trace.
- */
- if (interval.tv_sec > 0 || interval.tv_nsec > 50000000)
- evPrintf(ctx, 1,
- "dispatch interval %u.%09u uid %d type %d func %p\n",
- interval.tv_sec, interval.tv_nsec,
- getuid(), ev->type, func);
- }
-#endif
- ctx->cur = NULL;
- evDrop(opaqueCtx, opaqueEv);
- return (0);
-}
-
-void
-evDrop(evContext opaqueCtx, evEvent opaqueEv) {
- evContext_p *ctx = opaqueCtx.opaque;
- evEvent_p *ev = opaqueEv.opaque;
-
- switch (ev->type) {
- case Accept: {
- FREE(ev->u.accept.this);
- break;
- }
- case File: {
- /* No work. */
- break;
- }
- case Stream: {
- evStreamID id;
-
- id.opaque = ev->u.stream.this;
- (void) evCancelRW(opaqueCtx, id);
- break;
- }
- case Timer: {
- evTimer *this = ev->u.timer.this;
- evTimerID opaque;
-
- /* Check to see whether the user func cleared the timer. */
- if (heap_element(ctx->timers, this->index) != this) {
- evPrintf(ctx, 5, "Dispatch.Timer: timer rm'd?\n");
- break;
- }
- /*
- * Timer is still there. Delete it if it has expired,
- * otherwise set it according to its next interval.
- */
- if (this->inter.tv_sec == (time_t)0 &&
- this->inter.tv_nsec == 0L) {
- opaque.opaque = this;
- (void) evClearTimer(opaqueCtx, opaque);
- } else {
- opaque.opaque = this;
- (void) evResetTimer(opaqueCtx, opaque, this->func,
- this->uap,
- evAddTime((this->mode & EV_TMR_RATE) ?
- this->due :
- ctx->lastEventTime,
- this->inter),
- this->inter);
- }
- break;
- }
- case Wait: {
- FREE(ev->u.wait.this);
- break;
- }
- case Null: {
- /* No work. */
- break;
- }
- default: {
- abort();
- }
- }
- FREE(ev);
-}
-
-int
-evMainLoop(evContext opaqueCtx) {
- evEvent event;
- int x;
-
- while ((x = evGetNext(opaqueCtx, &event, EV_WAIT)) == 0)
- if ((x = evDispatch(opaqueCtx, event)) < 0)
- break;
- return (x);
-}
-
-int
-evHighestFD(evContext opaqueCtx) {
- evContext_p *ctx = opaqueCtx.opaque;
-
- return (ctx->highestFD);
-}
-
-void
-evPrintf(const evContext_p *ctx, int level, const char *fmt, ...) {
- va_list ap;
-
- va_start(ap, fmt);
- if (ctx->output != NULL && ctx->debug >= level) {
- vfprintf(ctx->output, fmt, ap);
- fflush(ctx->output);
- }
- va_end(ap);
-}
-
-int
-evSetOption(evContext *opaqueCtx, const char *option, int value) {
- /* evContext_p *ctx = opaqueCtx->opaque; */
-
- UNUSED(opaqueCtx);
- UNUSED(value);
-#ifndef CLOCK_MONOTONIC
- UNUSED(option);
-#endif
-
-#ifdef CLOCK_MONOTONIC
- if (strcmp(option, "monotime") == 0) {
- if (opaqueCtx != NULL)
- errno = EINVAL;
- if (value == 0 || value == 1) {
- __evOptMonoTime = value;
- return (0);
- } else {
- errno = EINVAL;
- return (-1);
- }
- }
-#endif
- errno = ENOENT;
- return (-1);
-}
-
-int
-evGetOption(evContext *opaqueCtx, const char *option, int *value) {
- /* evContext_p *ctx = opaqueCtx->opaque; */
-
- UNUSED(opaqueCtx);
-#ifndef CLOCK_MONOTONIC
- UNUSED(value);
- UNUSED(option);
-#endif
-
-#ifdef CLOCK_MONOTONIC
- if (strcmp(option, "monotime") == 0) {
- if (opaqueCtx != NULL)
- errno = EINVAL;
- *value = __evOptMonoTime;
- return (0);
- }
-#endif
- errno = ENOENT;
- return (-1);
-}
-
-#if defined(NEED_PSELECT) || defined(USE_POLL)
-/* XXX needs to move to the porting library. */
-static int
-pselect(int nfds, void *rfds, void *wfds, void *efds,
- struct timespec *tsp,
- const sigset_t *sigmask)
-{
- struct timeval tv, *tvp;
- sigset_t sigs;
- int n;
-#ifdef USE_POLL
- int polltimeout = INFTIM;
- evContext_p *ctx;
- struct pollfd *fds;
- nfds_t pnfds;
-
- UNUSED(nfds);
-#endif /* USE_POLL */
-
- if (tsp) {
- tvp = &tv;
- tv = evTimeVal(*tsp);
-#ifdef USE_POLL
- polltimeout = 1000 * tv.tv_sec + tv.tv_usec / 1000;
-#endif /* USE_POLL */
- } else
- tvp = NULL;
- if (sigmask)
- sigprocmask(SIG_SETMASK, sigmask, &sigs);
-#ifndef USE_POLL
- n = select(nfds, rfds, wfds, efds, tvp);
-#else
- /*
- * rfds, wfds, and efds should all be from the same evContext_p,
- * so any of them will do. If they're all NULL, the caller is
- * presumably calling us to block.
- */
- if (rfds != NULL)
- ctx = ((__evEmulMask *)rfds)->ctx;
- else if (wfds != NULL)
- ctx = ((__evEmulMask *)wfds)->ctx;
- else if (efds != NULL)
- ctx = ((__evEmulMask *)efds)->ctx;
- else
- ctx = NULL;
- if (ctx != NULL && ctx->fdMax != -1) {
- fds = &(ctx->pollfds[ctx->firstfd]);
- pnfds = ctx->fdMax - ctx->firstfd + 1;
- } else {
- fds = NULL;
- pnfds = 0;
- }
- n = poll(fds, pnfds, polltimeout);
- /*
- * pselect() should return the total number of events on the file
- * desriptors, not just the count of fd:s with activity. Hence,
- * traverse the pollfds array and count the events.
- */
- if (n > 0) {
- int i, e;
- for (e = 0, i = ctx->firstfd; i <= ctx->fdMax; i++) {
- if (ctx->pollfds[i].fd < 0)
- continue;
- if (FD_ISSET(i, &ctx->rdLast))
- e++;
- if (FD_ISSET(i, &ctx->wrLast))
- e++;
- if (FD_ISSET(i, &ctx->exLast))
- e++;
- }
- n = e;
- }
-#endif /* USE_POLL */
- if (sigmask)
- sigprocmask(SIG_SETMASK, &sigs, NULL);
- if (tsp)
- *tsp = evTimeSpec(tv);
- return (n);
-}
-#endif
-
-#ifdef USE_POLL
-int
-evPollfdRealloc(evContext_p *ctx, int pollfd_chunk_size, int fd) {
-
- int i, maxnfds;
- void *pollfds, *fdTable;
-
- if (fd < ctx->maxnfds)
- return (0);
-
- /* Don't allow ridiculously small values for pollfd_chunk_size */
- if (pollfd_chunk_size < 20)
- pollfd_chunk_size = 20;
-
- maxnfds = (1 + (fd/pollfd_chunk_size)) * pollfd_chunk_size;
-
- pollfds = realloc(ctx->pollfds, maxnfds * sizeof(*ctx->pollfds));
- if (pollfds != NULL)
- ctx->pollfds = pollfds;
- fdTable = realloc(ctx->fdTable, maxnfds * sizeof(*ctx->fdTable));
- if (fdTable != NULL)
- ctx->fdTable = fdTable;
-
- if (pollfds == NULL || fdTable == NULL) {
- evPrintf(ctx, 2, "pollfd() realloc (%ld) failed\n",
- (long)maxnfds*sizeof(struct pollfd));
- return (-1);
- }
-
- for (i = ctx->maxnfds; i < maxnfds; i++) {
- ctx->pollfds[i].fd = -1;
- ctx->pollfds[i].events = 0;
- ctx->fdTable[i] = 0;
- }
-
- ctx->maxnfds = maxnfds;
-
- return (0);
-}
-
-/* Find the appropriate 'events' or 'revents' field in the pollfds array */
-short *
-__fd_eventfield(int fd, __evEmulMask *maskp) {
-
- evContext_p *ctx = (evContext_p *)maskp->ctx;
-
- if (!maskp->result || maskp->type == EV_WASNONBLOCKING)
- return (&(ctx->pollfds[fd].events));
- else
- return (&(ctx->pollfds[fd].revents));
-}
-
-/* Translate to poll(2) event */
-short
-__poll_event(__evEmulMask *maskp) {
-
- switch ((maskp)->type) {
- case EV_READ:
- return (POLLRDNORM);
- case EV_WRITE:
- return (POLLWRNORM);
- case EV_EXCEPT:
- return (POLLRDBAND | POLLPRI | POLLWRBAND);
- case EV_WASNONBLOCKING:
- return (POLLHUP);
- default:
- return (0);
- }
-}
-
-/*
- * Clear the events corresponding to the specified mask. If this leaves
- * the events mask empty (apart from the POLLHUP bit), set the fd field
- * to -1 so that poll(2) will ignore this fd.
- */
-void
-__fd_clr(int fd, __evEmulMask *maskp) {
-
- evContext_p *ctx = maskp->ctx;
-
- *__fd_eventfield(fd, maskp) &= ~__poll_event(maskp);
- if ((ctx->pollfds[fd].events & ~POLLHUP) == 0) {
- ctx->pollfds[fd].fd = -1;
- if (fd == ctx->fdMax)
- while (ctx->fdMax > ctx->firstfd &&
- ctx->pollfds[ctx->fdMax].fd < 0)
- ctx->fdMax--;
- if (fd == ctx->firstfd)
- while (ctx->firstfd <= ctx->fdMax &&
- ctx->pollfds[ctx->firstfd].fd < 0)
- ctx->firstfd++;
- /*
- * Do we have a empty set of descriptors?
- */
- if (ctx->firstfd > ctx->fdMax) {
- ctx->fdMax = -1;
- ctx->firstfd = 0;
- }
- }
-}
-
-/*
- * Set the events bit(s) corresponding to the specified mask. If the events
- * field has any other bits than POLLHUP set, also set the fd field so that
- * poll(2) will watch this fd.
- */
-void
-__fd_set(int fd, __evEmulMask *maskp) {
-
- evContext_p *ctx = maskp->ctx;
-
- *__fd_eventfield(fd, maskp) |= __poll_event(maskp);
- if ((ctx->pollfds[fd].events & ~POLLHUP) != 0) {
- ctx->pollfds[fd].fd = fd;
- if (fd < ctx->firstfd || ctx->fdMax == -1)
- ctx->firstfd = fd;
- if (fd > ctx->fdMax)
- ctx->fdMax = fd;
- }
-}
-#endif /* USE_POLL */
-
-/*! \file */
diff --git a/contrib/bind9/lib/bind/isc/eventlib.mdoc b/contrib/bind9/lib/bind/isc/eventlib.mdoc
deleted file mode 100644
index 3bf6ffbc9db7..000000000000
--- a/contrib/bind9/lib/bind/isc/eventlib.mdoc
+++ /dev/null
@@ -1,918 +0,0 @@
-.\" $Id: eventlib.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
-.\"
-.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 1995-1999 by Internet Software Consortium
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd March 6, 1996
-.Dt EVENTLIB 3
-.Os BSD 4
-.Sh NAME
-.Nm evConnFunc ,
-.Nm evFileFunc ,
-.Nm evStreamFunc ,
-.Nm evTimerFunc ,
-.Nm evWaitFunc ,
-.Nm evCreate ,
-.Nm evDestroy ,
-.Nm evGetNext ,
-.Nm evDispatch ,
-.Nm evDrop ,
-.Nm evMainLoop ,
-.Nm evConsTime ,
-.Nm evTimeSpec ,
-.Nm evTimeVal ,
-.Nm evAddTime ,
-.Nm evSubTime ,
-.Nm evCmpTime ,
-.Nm evNowTime ,
-.Nm evUTCTime ,
-.Nm evLastEventTime ,
-.Nm evSetTimer ,
-.Nm evResetTimer ,
-.Nm evConfigTimer ,
-.Nm evClearTimer ,
-.Nm evSetIdleTimer ,
-.Nm evTouchIdleTimer ,
-.Nm evClearIdleTimer ,
-.Nm evWaitFor ,
-.Nm evDo ,
-.Nm evUnwait ,
-.Nm evDefer ,
-.Nm evSelectFD ,
-.Nm evDeselectFD ,
-.Nm evWrite ,
-.Nm evRead ,
-.Nm evCancelRW ,
-.Nm evTimeRW ,
-.Nm evUntimeRW ,
-.Nm evListen ,
-.Nm evConnect ,
-.Nm evCancelConn ,
-.Nm evHold ,
-.Nm evUnhold ,
-.Nm evTryAccept ,
-.Nm evConsIovec ,
-.Nm evSetDebug ,
-.Nm evPrintf ,
-.Nm evInitID ,
-.Nm evTestID ,
-.Nm evGetOption ,
-.Nm evSetOption
-.Nd event handling library
-.Sh SYNOPSIS
-.Fd #include <isc/eventlib.h>
-.Ft typedef void
-.Fn \*(lp*evConnFunc\*(rp "evContext ctx" "void *uap" "int fd" \
-"const void *la" "int lalen" "const void *ra" "int ralen"
-.Ft typedef void
-.Fn \*(lp*evTimerFunc\*(rp "evContext ctx" "void *uap" \
-"struct timespec due" "struct timespec inter"
-.Ft typedef void
-.Fn \*(lp*evFileFunc\*(rp "evContext ctx" "void *uap" "int fd" "int eventmask"
-.Ft typedef void
-.Fn \*(lp*evStreamFunc\*(rp "evContext ctx" "void *uap" "int fd" "int bytes"
-.Ft typedef void
-.Fn \*(lp*evWaitFunc\*(rp "evContext ctx" "void *uap" "const void *tag"
-.Ft int
-.Fn evCreate "evContext *ctx"
-.Ft int
-.Fn evDestroy "evContext ctx"
-.Ft int
-.Fn evGetNext "evContext ctx" "evEvent *ev" "int options"
-.Ft int
-.Fn evDispatch "evContext ctx" "evEvent ev"
-.Ft void
-.Fn evDrop "evContext ctx" "evEvent ev"
-.Ft int
-.Fn evMainLoop "evContext ctx"
-.Ft struct timespec
-.Fn evConsTime "int sec" "int usec"
-.Ft struct timespec
-.Fn evTimeSpec "struct timeval tv"
-.Ft struct timeval
-.Fn evTimeVal "struct timespec ts"
-.Ft struct timespec
-.Fn evAddTime "struct timespec addend1" "struct timespec addend2"
-.Ft struct timespec
-.Fn evSubTime "struct timespec minuend" "struct timespec subtrahend"
-.Ft struct timespec
-.Fn evCmpTime "struct timespec a" "struct timespec b"
-.Ft struct timespec
-.Fn evNowTime "void"
-.Ft struct timespec
-.Fn evUTCTime "void"
-.Ft struct timespec
-.Fn evLastEventTime "evContext opaqueCtx"
-.Ft int
-.Fn evSetTimer "evContext ctx" "evTimerFunc func" "void *uap" \
-"struct timespec due" "struct timespec inter" "evTimerID *id"
-.Ft int
-.Fn evResetTimer "evContext ctx" "evTimerID id" "evTimerFunc func" \
-"void *uap" "struct timespec due" "struct timespec inter"
-.Ft int
-.Fn evConfigTimer "evContext ctx" "evTimerID id" "const char *param" \
-"int value"
-.Ft int
-.Fn evClearTimer "evContext ctx" "evTimerID id"
-.Ft int
-.Fn evSetIdleTimer "evContext opaqueCtx" "evTimerFunc func" "void *uap" \
-"struct timespec max_idle" "evTimerID *opaqueID"
-.Ft int
-.Fn evTouchIdleTimer "evContext opaqueCtx" "evTimerID id"
-.Ft int
-.Fn evResetIdleTimer "evContext opaqueCtx" "evTimerID id" "evTimerFunc func" \
-"void *uap" "struct timespec max_idle"
-.Ft int
-.Fn evClearIdleTimer "evContext opaqueCtx" "evTimerID id"
-.Ft int
-.Fn evWaitFor "evContext opaqueCtx" "const void *tag" \
-"evWaitFunc func" "void *uap" "evWaitID *id"
-.Ft int
-.Fn evDo "evContext opaqueCtx" "const void *tag"
-.Ft int
-.Fn evUnwait "evContext opaqueCtx" "evWaitID id"
-.Ft int
-.Fn evDefer "evContext opaqueCtx" "evWaitFunc func" "void *uap"
-.Ft int
-.Fn evSelectFD "evContext ctx" "int fd" "int eventmask" \
-"evFileFunc func" "void *uap" "evFileID *id"
-.Ft int
-.Fn evDeselectFD "evContext ctx" "evFileID id"
-.Ft struct iovec
-.Fn evConsIovec "void *buf" "size_t cnt"
-.Ft int
-.Fn evWrite "evContext ctx" "int fd" "const struct iovec *iov" "int cnt" \
-"evStreamFunc func" "void *uap" "evStreamID *id"
-.Ft int
-.Fn evRead "evContext ctx" "int fd" "const struct iovec *iov" "int cnt" \
-"evStreamFunc func" "void *uap" "evStreamID *id"
-.Ft int
-.Fn evCancelRW "evContext ctx" "evStreamID id"
-.Ft int
-.Fn evTimeRW "evContext opaqueCtx" "evStreamID id" "evTimerID timer"
-.Ft int
-.Fn evUntimeRW "evContext opaqueCtx" "evStreamID id"
-.Ft int
-.Fn evListen "evContext ctx" "int fd" "int maxconn" \
-"evConnFunc func" "void *uap" "evConnID *id"
-.Ft int
-.Fn evConnect "evContext ctx" "int fd" "void *ra" "int ralen" \
-"evConnFunc func" "void *uap" "evConnID *id"
-.Ft int
-.Fn evCancelConn "evContext ctx" "evConnID id"
-.Ft int
-.Fn evHold "evContext ctx" "evConnID id"
-.Ft int
-.Fn evUnhold "evContext ctx" "evConnID id"
-.Ft int
-.Fn evTryAccept "evContext ctx" "evConnID id" "int *sys_errno"
-.Ft void
-.Fn evSetDebug "evContext ctx" "int level" "FILE *output"
-.Ft void
-.Fn evPrintf "const evContext_p *ctx" "int level" "const char *fmt" "..."
-.Ft void
-.Fn evInitID "*\s-1ID\s+1"
-.Ft int
-.Fn evTestID "\s-1ID\s+1"
-.Ft int
-.Fn evGetOption "evContext *ctx" "const char *option" "int *ret"
-.Ft int
-.Fn evSetOption "evContext *ctx" "const char *option" "int val"
-.Sh DESCRIPTION
-This library provides multiple outstanding asynchronous timers and I/O
-to a cooperating application. The model is similar to that of the X
-Toolkit, in that events are registered with the library and the application
-spends most of its time in the
-.Fn evMainLoop
-function. If an application already has a main loop, it can safely register
-events with this library as long as it periodically calls the
-.Fn evGetNext
-and
-.Fn evDispatch
-functions. (Note that
-.Fn evGetNext
-has both polling and blocking modes.)
-.Pp
-The function
-.Fn evCreate
-creates an event context which is needed by all the other functions in this
-library. All information used internally by this library is bound to this
-context, rather than to static storage. This makes the library
-.Dq thread safe ,
-and permits other library functions to use events without
-disrupting the application's use of events.
-.Pp
-The function
-.Fn evDestroy
-destroys a context that has been created by
-.Fn evCreate .
-All dynamic memory bound to this context will be freed. An implicit
-.Fn evTimerClear
-will be done on all timers set in this event context. An implicit
-.Fn evDeselectFD
-will be done on all file descriptors selected in this event context.
-.Pp
-The function
-.Fn evGetNext
-potentially waits for and then retrieves the next asynchronous event,
-placing it in the object of the
-.Fa ev
-pointer argument. The following
-.Fa options
-are available:
-.Fa EV_POLL ,
-meaning that
-.Fn evGetNext
-should not block, but rather return
-.Dq Fa -1
-with
-.Fa errno
-set to
-.Fa EWOULDBLOCK
-if no events have occurred;
-.Fa EV_WAIT ,
-which tells
-.Fn evGetNext
-to block internally until the next event occurs; and
-.Fa EV_NULL ,
-which tells
-.Fn evGetNext
-that it should return a special
-.Dq no-op
-event, which is ignored by
-.Fn evDispatch
-but handled correctly by
-.Fn evDrop .
-.Fa EV_NULL
-can be necessary to the correct functioning of a caller\-written equivilent to
-.Fn evMainLoop ,
-wherein perterbations caused by external system events must be polled for, and
-the default behaviour of internally ignoring such events is undesirable.
-Note that
-.Fa EV_POLL
-and
-.Fa EV_WAIT
-are mutually exclusive.
-.Pp
-The function
-.Fn evDispatch
-dispatches an event retrieved by
-.Fn evGetNext .
-This usually involves calling the function that was associated with the event
-when the event was registered with
-.Fn evSetTimer ,
-.Fn evResetTimer ,
-or
-.Fn evSelectFD .
-All events retrieved by
-.Fn evGetNext
-must be given over to
-.Fn evDispatch
-at some point, since there is some dynamic memory associated with each event.
-.Pp
-The function
-.Fn evDrop
-deallocates dynamic memory that has been allocated by
-.Fn evGetNext .
-Calling
-.Fn evDispatch
-has the side effect of calling
-.Fn evDrop ,
-but if you are going to drop the event rather than dispatch it, you will have
-to call
-.Fn evDrop
-directly.
-.Pp
-The function
-.Fn evMainLoop
-is just:
-.Bd -literal -offset indent
-while ((x = evGetNext(opaqueCtx, &event, EV_WAIT)) == 0)
- if ((x = evDispatch(opaqueCtx, event)) < 0)
- break;
-return (x);
-.Ed
-.Pp
-In other words, get events and dispatch them until an error occurs. One such
-error would be that all the events under this context become unregistered; in
-that event, there will be nothing to wait for and
-.Fn evGetNext
-becomes an undefined operation.
-.Pp
-The function
-.Fn evConsTime
-is a constructor for
-.Dq Fa struct timespec
-which allows these structures to be created and then passed as arguments to
-other functions without the use of temporary variables. (If C had inline
-constructors, there would be no need for this function.)
-.Pp
-The functions
-.Fn evTimeSpec
-and
-.Fn evTimeVal
-are utilities which allow the caller to convert a
-.Dq Fa struct timeval
-to a
-.Dq Fa struct timespec
-(the function of
-.Fn evTimeSpec )
-or vice versa (the function of
-.Fn evTimeVal ) .
-Note that the name of the function indicates the type of the return value.
-.Pp
-The function
-.Fn evAddTime
-adds two
-.Dq Fa struct timespec
-values and returns the result as a
-.Dq Fa struct timespec .
-.Pp
-The function
-.Fn evSubTime
-subtracts its second
-.Dq Fa struct timespec
-argument from its first
-.Dq Fa struct timespec
-argument and returns the result as a
-.Dq Fa struct timespec .
-.Pp
-The function
-.Fn evCmpTime
-compares its two
-.Dq Fa struct timespec
-arguments and returns an
-.Dq Fa int
-that is less than zero if the first argument specifies an earlier time than
-the second, or more than zero if the first argument specifies a later time
-than the second, or equal to zero if both arguments specify the same time.
-.Pp
-The function
-.Fn evNowTime
-returns a
-.Dq Fa struct timespec
-which either describes the current time
-(using
-.Xr clock_gettime 2 or
-.Xr gettimeofday 2 ) ,
-if successful, or has its fields set to zero, if there is an error.
-(In the latter case, the caller can check
-.Va errno ,
-since it will be set by
-.Xr gettimeofday 2 . )
-The timestamp returned may not be UTC time if
-the "monotime" option has been enabled with
-.Fn evSetOption .
-.Pp
-The function
-.Fn evUTCTime
-is like
-.Fn evNowTime
-except the result is always on the UTC timescale.
-.Pp
-The function
-.Fn evLastEventTime
-returns the
-.Dq Fa struct timespec
-which describes the last time that certain events happened to the
-event context indicated by
-.Fa opaqueCtx .
-This value is updated by
-.Fn evCreate
-and
-.Fn evGetNext
-(upon entry and after
-.Xr select 2
-returns); it is routinely compared with other times in the internal handling
-of, e.g., timers.
-.Pp
-The function
-.Fn evSetTimer
-registers a timer event, which will be delivered as a function call to the
-function specified by the
-.Fa func
-argument. The event will be delivered at absolute time
-.Fa due ,
-and then if time
-.Fa inter
-is not equal to
-.Dq Fn evConsTime 0 0 ,
-subsequently at intervals equal to time
-.Fa inter .
-As a special case, specifying a
-.Fa due
-argument equal to
-.Dq Fn evConsTime 0 0
-means
-.Dq due immediately .
-The
-.Fa opaqueID
-argument, if specified as a value other than
-.Fa NULL ,
-will be used to store the resulting
-.Dq timer \s-1ID\s+1 ,
-useful as an argument to
-.Fn evClearTimer .
-Note that in a
-.Dq one\-shot
-timer (which has an
-.Fa inter
-argument equal to
-.Dq Fa evConsTime(0,0) )
-the user function
-.Fa func
-should deallocate any dynamic memory that is uniquely bound to the
-.Fa uap ,
-since no handles to this memory will exist within the event library
-after a one\-shot timer has been delivered.
-.Pp
-The function
-.Fn evResetTimer
-resets the values of the timer specified by
-.Fa id
-to the given arguments. The arguments are the same as in the description of
-.Fn evSetTimer
-above.
-.Pp
-The function
-.Fn evClearTimer
-will unregister the timer event specified by
-.Fa id .
-Note that if the
-.Fa uap
-specified in the corresponding
-.Fn evSetTimer
-call is uniquely bound to any dynamic memory, then that dynamic memory should
-be freed by the caller before the handle is lost. After a call to
-.Fn evClearTimer ,
-no handles to this
-.Fa uap
-will exist within the event library.
-.Pp
-The function
-.Fn evConfigTimer
-can be used to manipulate other aspects of a timer.
-Currently two modes are defined "rate" and "interval" which affect the
-way recurrent timers are scheduled.
-The default mode is "interval" where the event gets scheduled
-.Fa inter
-after last time it was run.
-If mode "rate" is selected the event gets scheduled
-.Fa inter
-after last time it was scheduled.
-For both "rate" and "interval" the numerical argument
-.Fa value
-is ignored.
-.Pp
-The function
-.Fn evSetIdleTimer
-is similar to (and built on)
-.Fn evSetTimer ;
-it registers an idle timer event which provides for the function call to
-.Fa func
-to occur. However, for an
-.Em idle
-timer, the call will occur after at least
-.Dq Fa max_idle
-time has passed since the time the idle timer was
-.Dq last touched ;
-originally, this is set to the time returned by
-.Fn evLastEventTime
-(described above) for the event context specified by
-.Fa opaqueCtx .
-This is a
-.Dq one\-shot
-timer, but the time at which the
-.Fa func
-is actually called can be changed by recourse to
-.Fn evTouchIdleTimer
-(described below). The pointer to the underlying
-.Dq timer \s-1ID\s+1
-is returned in
-.Fa opaqueID ,
-if it is
-.No non- Ns Dv NULL .
-.Pp
-The
-.Fn evTouchIdleTimer
-function updates the idle timer associated with
-.Fa id ,
-setting its idea of the time it was last accessed to the value returned by
-.Fn evLastEventTime
-(described above) for the event context specified by
-.Fa opaqueCtx .
-This means that the idle timer will expire after at least
-.Fa max_idle
-time has passed since this (possibly new) time, providing a caller mechanism
-for resetting the call to the
-.Fa func
-associated with the idle timer. (See the description of
-.Fn evSetIdleTimer ,
-above, for information about
-.Fa func
-and
-.Fa max_idle . )
-.Pp
-The
-.Fn evResetIdleTimer
-function reschedules a timer and resets the callback function and its argument.
-Note that resetting a timer also ``touches'' it.
-.Pp
-The
-.Fn evClearIdleTimer
-function unregisters the idle timer associated with
-.Fa id .
-See the discussion under
-.Fn evClearTimer ,
-above, for information regarding caller handling of the
-.Fa uap
-associated with the corresponding
-.Fn evSetIdleTimer
-call.
-.Pp
-The function
-.Fn evWaitFor
-places the function
-.Fa func
-on the given event context's wait queue with the associated (possibly
-.Dv NULL )
-.Dq Fa tag ;
-if
-.Fa id
-is
-.No non- Ns Dv NULL ,
-then it will contain the
-.Dq wait \s-1ID\s+1
-associated with the created queue element.
-.Pp
-The function
-.Fn evDo
-marks
-.Em all
-of the
-.Dq waiting
-functions in the given event context's wait queue with the associated (possibly
-.Dv NULL )
-.Dq Fa tag
-as runnable. This places these functions in a
-.Dq done
-queue which will be read by
-.Fn evGetNext .
-.Pp
-The function
-.Fn evUnwait
-will search for the
-.Dq wait \s-1ID\s+1
-.Fa id
-in the wait queue of the given event context; if an element with the given
-.Fa id
-is not found, then the
-.Dq done
-queue of that context is searched. If found, the queue element is removed
-from the appropriate list.
-.Pp
-The function
-.Fn evDefer
-causes a function (specified as
-.Fa func ,
-with argument
-.Fa uap )
-to be dispatched at some later time. Note that the
-.Fa tag
-argument to
-.Fa func
-will always be
-.Fa NULL
-when dispatched.
-.Pp
-The function
-.Fn evSelectFD
-registers a file I/O event for the file descriptor specified by
-.Fa fd .
-Bits in the
-.Fa eventmask
-argument are named
-.Fa EV_READ ,
-.Fa EV_WRITE ,
-and
-.Fa EV_EXCEPT .
-At least one of these bits must be specified. If the
-.Fa id
-argument is not equal to
-.Fa NULL ,
-it will be used to store a unique ``file event \s-1ID\s+1'' for this event,
-which is useful in subsequent calls to
-.Fn evDeselectFD .
-A file descriptor will be made nonblocking using the
-.Fa O_NONBLOCK
-flag with
-.Xr fcntl 2
-on its first concurrent registration via
-.Fn evSelectFD .
-An
-.Fn evSelectFD
-remains in effect until cancelled via
-.Fn evDeselectFD .
-.Pp
-The function
-.Fn evDeselectFD
-unregisters the ``file event'' specified by the
-.Fa id
-argument. If the corresponding
-.Fa uap
-uniquely points to dynamic memory, that memory should be freed before its
-handle is lost, since after a call to
-.Fn evDeselectFD ,
-no handles to this event's
-.Fa uap
-will remain within the event library. A file descriptor will be taken out of
-nonblocking mode (see
-.Fa O_NONBLOCK
-and
-.Xr fcntl 2 )
-when its last event registration is removed via
-.Fn evDeselectFD ,
-if it was in blocking mode before the first registration via
-.Fn evSelectFD .
-.Pp
-The function
-.Fn evConsIovec
-is a constructor for a single
-.Ft struct iovec
-structure, which is useful for
-.Fn evWrite
-and
-.Fn evRead .
-.Pp
-The functions
-.Fn evWrite
-and
-.Fn evRead
-start asynchronous stream I/O operations on file descriptor
-.Fa fd .
-The data to be written or read is in the scatter/gather descriptor specified by
-.Fa iov
-and
-.Fa cnt .
-The supplied function
-.Fa func
-will be called with argument
-.Fa uap
-when the I/O operation is complete. If
-.Fa id
-is not
-.Fa NULL ,
-it will be filled a with the stream event identifier suitable for use with
-.Fn evCancelRW .
-.Pp
-The function
-.Fn evCancelRW
-extinguishes an outstanding
-.Fn evWrite
-or
-.Fn evRead
-call. System I/O calls cannot always be cancelled, but you are guaranteed
-that the
-.Fa func
-function supplied to
-.Fn evWrite
-or
-.Fn evRead
-will not be called after a call to
-.Fn evCancelRW .
-Care should be taken not to deallocate or otherwise reuse the space pointed
-to by the segment descriptors in
-.Fa iov
-unless the underlying file descriptor is closed first.
-.Pp
-The function
-.Fn evTimeRW
-sets the stream associated with the given stream \s-1ID\s+1
-.Dq Fa id
-to have the idle timer associated with the timer \s-1ID\s+1
-.Dq Fa timer .
-.Pp
-The function
-.Fn evUntimeRW
-says that the stream associated with the given stream \s-1ID\s+1
-.Dq Fa id
-should ignore its idle timer, if present.
-.Pp
-The functions
-.Fn evListen ,
-.Fn evConnect ,
-and
-.Fn evCancelConn
-can be used to manage asynchronous incoming and outgoing socket connections.
-Sockets to be used with these functions should first be created with
-.Xr socket 2
-and given a local name with
-.Xr bind 2 .
-It is extremely unlikely that the same socket will ever be
-useful for both incoming and outgoing connections. The
-.Fa id
-argument to
-.Fn evListen
-and
-.Fn evConnect
-is either
-.Fa NULL
-or the address of a
-.Ft evFileID
-variable which can then be used in a subsequent call to
-.Fn evCancelConn .
-.Pp
-After a call to
-.Fn evListen ,
-each incoming connection arriving on
-.Fa fd
-will cause
-.Fa func
-to be called with
-.Fa uap
-as one of its arguments.
-.Fn evConnect
-initiates an outgoing connection on
-.Fa fd
-to destination address
-.Fa ra
-(whose length is
-.Fa ralen ) .
-When the connection is complete,
-.Fa func
-will be called with
-.Fa uap
-as one of its arguments. The argument
-.Fa fd
-to
-.Fn \*(lp*func\*(rp
-will be
-.Fa -1
-if an error occurred that prevented this connection from completing
-successfully. In this case
-.Fn errno
-will have been set and the socket described by
-.Fa fd
-will have been closed. The
-.Fn evCancelConn
-function will prevent delivery of all pending and subsequent
-events for the outstanding connection. The
-.Fn evHold
-function will suspend the acceptance of new connections on the listener
-specified by
-.Fa id .
-Connections will be queued by the protocol stack up to the system's limit. The
-.Fn evUnhold
-function will reverse the effects of
-.Fn evHold ,
-allowing incoming connections to be delivered for listener
-.Fa id .
-The
-.Fn evTryAccept
-function will poll the listener specified by
-.Fa id ,
-accepting a new connection if one is available, and queuing a connection event
-for later retrieval by
-.Fn evGetNext .
-If the connection event queued is an accept error(), sys_errno will contain
-the error code; otherwise it will be zero. All connection events queued by
-.Fn evTryAccept
-will be delivered by
-.Fn evGetNext
-before a new select is done on the listener.
-.Pp
-The function
-.Fn evSetDebug
-sets the debugging
-.Fa level
-and diagnostic
-.Fa output
-file handle for an event context. Greater numeric levels will
-result in more verbose output being sent to the output FILE during program
-execution.
-.Pp
-The function
-.Fn evPrintf
-prints a message with the format
-.Dq Fa fmt
-and the following arguments (if any), on the output stream associated
-with the event context pointed to by
-.Fa ctx .
-The message is output if the event context's debug level is greater than
-or equal to the indicated
-.Fa level .
-.Pp
-The function
-.Fn evInitID
-will initialize an opaque
-.Dq evConn \s-1ID\s+1 ,
-.Dq evFile \s-1ID\s+1 ,
-.Dq evStream \s-1ID\s+1 ,
-.Dq evTimer \s-1ID\s+1 ,
-.Dq evWait \s-1ID\s+1 ,
-.Dq evContext ,
-or
-.Dq evEvent ,
-which is passed by reference to a state which
-.Fn evTestID
-will recognize.
-This is useful to make a handle as "not in use".
-.Pp
-The function
-.Fn evTestID
-will examine an opaque \s-1ID\s+1 and return
-.Dq TRUE
-only if it is not in its initialized state.
-.Pp
-The functions
-.Fn evGetOption
-and
-.Fn evSetOption
-can be used to inspect and modify options.
-Currently there is only one option, "monotime" and it is global for all
-instances of eventlib so the ctx argument must be passed as NULL.
-.Pp
-The default value for the "monotime" option is zero which selects
-the UTC timescale.
-When set to a value of one, eventlib will use the
-CLOCK_MONOTONIC timescale from
-.Xr clock_gettime
-instead.
-The CLOCK_MONOTONIC timescale is never stepped and should
-run at a rate as close to TAI as possible, so it is unaffected
-when the system clock is set.
-If timerevents should run at a predictable rate, set the value
-to one, of they should run at a predictable time of day, leave
-it at zero.
-If the CLOCK_MONOTONIC timescale is not available on the system,
-attempts to set/get this option will fail.
-.Sh RETURN VALUES
-All the functions whose return type is
-.Dq Fa int
-use the standard convention of returning zero (0) to indicate success, or
-returning
-.Dq Fa -1
-and setting
-.Fa errno
-to indicate failure.
-.Sh FILE
-.Pa heap.h ,
-which is in the
-.Pa src/lib/isc
-directory of the current
-.Sy BIND
-distribution.
-.Sh ERRORS
-The possible values for
-.Fa errno
-when one of the
-.Dq Fa int
-functions in this library returns
-.Dq Fa -1
-include those of the Standard C Library and also:
-.Bl -tag -width EWOULDBLOCKAA
-.It Bq Er EINVAL
-Some function argument has an unreasonable value.
-.It Bq Er EINVAL
-The specified file descriptor has an integer value greater than the default
-.Fa FD_SETSIZE ,
-meaning that the application's limit is higher than the library's.
-.It Bq Er ENOENT
-The specified
-.Dq event \s-1ID\s+1
-does not exist.
-.It Bq Er EWOULDBLOCK
-No events have occurred and the
-.Fa EV_POLL
-option was specified.
-.It Bq Er EBADF
-The specified signal was unblocked outside the library.
-.El
-.Sh SEE ALSO
-.Xr gettimeofday 2 ,
-.Xr select 2 ,
-.Xr fcntl 3 ,
-.Xr malloc 3 ,
-.Xr @INDOT@named @SYS_OPS_EXT@ ,
-.Xr readv 3 ,
-.Xr writev 3 .
-.Sh BUGS
-This huge man page needs to be broken up into a handful of smaller ones.
-.Sh HISTORY
-The
-.Nm eventlib
-library was designed by Paul Vixie with excellent advice from his friends
-and with tips 'o the cap to the X Consortium and the implementors of DEC SRC
-Modula-3.
diff --git a/contrib/bind9/lib/bind/isc/eventlib_p.h b/contrib/bind9/lib/bind/isc/eventlib_p.h
deleted file mode 100644
index b95741d7aff3..000000000000
--- a/contrib/bind9/lib/bind/isc/eventlib_p.h
+++ /dev/null
@@ -1,278 +0,0 @@
-/*
- * Copyright (c) 2005 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* eventlib_p.h - private interfaces for eventlib
- * vix 09sep95 [initial]
- *
- * $Id: eventlib_p.h,v 1.3.2.1.4.3 2005/07/28 07:43:20 marka Exp $
- */
-
-#ifndef _EVENTLIB_P_H
-#define _EVENTLIB_P_H
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <sys/un.h>
-
-#define EVENTLIB_DEBUG 1
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/heap.h>
-#include <isc/list.h>
-#include <isc/memcluster.h>
-
-#define EV_MASK_ALL (EV_READ | EV_WRITE | EV_EXCEPT)
-#define EV_ERR(e) return (errno = (e), -1)
-#define OK(x) if ((x) < 0) EV_ERR(errno); else (void)NULL
-
-#define NEW(p) if (((p) = memget(sizeof *(p))) != NULL) \
- FILL(p); \
- else \
- (void)NULL;
-#define OKNEW(p) if (!((p) = memget(sizeof *(p)))) { \
- errno = ENOMEM; \
- return (-1); \
- } else \
- FILL(p)
-#define FREE(p) memput((p), sizeof *(p))
-
-#if EVENTLIB_DEBUG
-#define FILL(p) memset((p), 0xF5, sizeof *(p))
-#else
-#define FILL(p)
-#endif
-
-#ifdef USE_POLL
-#ifdef HAVE_STROPTS_H
-#include <stropts.h>
-#endif
-#include <poll.h>
-#endif /* USE_POLL */
-
-typedef struct evConn {
- evConnFunc func;
- void * uap;
- int fd;
- int flags;
-#define EV_CONN_LISTEN 0x0001 /* Connection is a listener. */
-#define EV_CONN_SELECTED 0x0002 /* evSelectFD(conn->file). */
-#define EV_CONN_BLOCK 0x0004 /* Listener fd was blocking. */
- evFileID file;
- struct evConn * prev;
- struct evConn * next;
-} evConn;
-
-typedef struct evAccept {
- int fd;
- union {
- struct sockaddr sa;
- struct sockaddr_in in;
-#ifndef NO_SOCKADDR_UN
- struct sockaddr_un un;
-#endif
- } la;
- ISC_SOCKLEN_T lalen;
- union {
- struct sockaddr sa;
- struct sockaddr_in in;
-#ifndef NO_SOCKADDR_UN
- struct sockaddr_un un;
-#endif
- } ra;
- ISC_SOCKLEN_T ralen;
- int ioErrno;
- evConn * conn;
- LINK(struct evAccept) link;
-} evAccept;
-
-typedef struct evFile {
- evFileFunc func;
- void * uap;
- int fd;
- int eventmask;
- int preemptive;
- struct evFile * prev;
- struct evFile * next;
- struct evFile * fdprev;
- struct evFile * fdnext;
-} evFile;
-
-typedef struct evStream {
- evStreamFunc func;
- void * uap;
- evFileID file;
- evTimerID timer;
- int flags;
-#define EV_STR_TIMEROK 0x0001 /* IFF timer valid. */
- int fd;
- struct iovec * iovOrig;
- int iovOrigCount;
- struct iovec * iovCur;
- int iovCurCount;
- int ioTotal;
- int ioDone;
- int ioErrno;
- struct evStream *prevDone, *nextDone;
- struct evStream *prev, *next;
-} evStream;
-
-typedef struct evTimer {
- evTimerFunc func;
- void * uap;
- struct timespec due, inter;
- int index;
- int mode;
-#define EV_TMR_RATE 1
-} evTimer;
-
-typedef struct evWait {
- evWaitFunc func;
- void * uap;
- const void * tag;
- struct evWait * next;
-} evWait;
-
-typedef struct evWaitList {
- evWait * first;
- evWait * last;
- struct evWaitList * prev;
- struct evWaitList * next;
-} evWaitList;
-
-typedef struct evEvent_p {
- enum { Accept, File, Stream, Timer, Wait, Free, Null } type;
- union {
- struct { evAccept *this; } accept;
- struct { evFile *this; int eventmask; } file;
- struct { evStream *this; } stream;
- struct { evTimer *this; } timer;
- struct { evWait *this; } wait;
- struct { struct evEvent_p *next; } free;
- struct { const void *placeholder; } null;
- } u;
-} evEvent_p;
-
-#ifdef USE_POLL
-typedef struct {
- void *ctx; /* pointer to the evContext_p */
- uint32_t type; /* READ, WRITE, EXCEPT, nonblk */
- uint32_t result; /* 1 => revents, 0 => events */
-} __evEmulMask;
-
-#define emulMaskInit(ctx, field, ev, lastnext) \
- ctx->field.ctx = ctx; \
- ctx->field.type = ev; \
- ctx->field.result = lastnext;
-
-extern short *__fd_eventfield(int fd, __evEmulMask *maskp);
-extern short __poll_event(__evEmulMask *maskp);
-extern void __fd_clr(int fd, __evEmulMask *maskp);
-extern void __fd_set(int fd, __evEmulMask *maskp);
-
-#undef FD_ZERO
-#define FD_ZERO(maskp)
-
-#undef FD_SET
-#define FD_SET(fd, maskp) \
- __fd_set(fd, maskp)
-
-#undef FD_CLR
-#define FD_CLR(fd, maskp) \
- __fd_clr(fd, maskp)
-
-#undef FD_ISSET
-#define FD_ISSET(fd, maskp) \
- ((*__fd_eventfield(fd, maskp) & __poll_event(maskp)) != 0)
-
-#endif /* USE_POLL */
-
-typedef struct {
- /* Global. */
- const evEvent_p *cur;
- /* Debugging. */
- int debug;
- FILE *output;
- /* Connections. */
- evConn *conns;
- LIST(evAccept) accepts;
- /* Files. */
- evFile *files, *fdNext;
-#ifndef USE_POLL
- fd_set rdLast, rdNext;
- fd_set wrLast, wrNext;
- fd_set exLast, exNext;
- fd_set nonblockBefore;
- int fdMax, fdCount, highestFD;
- evFile *fdTable[FD_SETSIZE];
-#else
- struct pollfd *pollfds; /* Allocated as needed */
- evFile **fdTable; /* Ditto */
- int maxnfds; /* # elements in above */
- int firstfd; /* First active fd */
- int fdMax; /* Last active fd */
- int fdCount; /* # fd:s with I/O */
- int highestFD; /* max fd allowed by OS */
- __evEmulMask rdLast, rdNext;
- __evEmulMask wrLast, wrNext;
- __evEmulMask exLast, exNext;
- __evEmulMask nonblockBefore;
-#endif /* USE_POLL */
-#ifdef EVENTLIB_TIME_CHECKS
- struct timespec lastSelectTime;
- int lastFdCount;
-#endif
- /* Streams. */
- evStream *streams;
- evStream *strDone, *strLast;
- /* Timers. */
- struct timespec lastEventTime;
- heap_context timers;
- /* Waits. */
- evWaitList *waitLists;
- evWaitList waitDone;
-} evContext_p;
-
-/* eventlib.c */
-#define evPrintf __evPrintf
-void evPrintf(const evContext_p *ctx, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-#ifdef USE_POLL
-extern int evPollfdRealloc(evContext_p *ctx, int pollfd_chunk_size, int fd);
-#endif /* USE_POLL */
-
-/* ev_timers.c */
-#define evCreateTimers __evCreateTimers
-heap_context evCreateTimers(const evContext_p *);
-#define evDestroyTimers __evDestroyTimers
-void evDestroyTimers(const evContext_p *);
-
-/* ev_waits.c */
-#define evFreeWait __evFreeWait
-evWait *evFreeWait(evContext_p *ctx, evWait *old);
-
-/* Global options */
-extern int __evOptMonoTime;
-
-#endif /*_EVENTLIB_P_H*/
diff --git a/contrib/bind9/lib/bind/isc/heap.c b/contrib/bind9/lib/bind/isc/heap.c
deleted file mode 100644
index f63619f5688f..000000000000
--- a/contrib/bind9/lib/bind/isc/heap.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Heap implementation of priority queues adapted from the following:
- *
- * _Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
- * MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
- *
- * _Algorithms_, Second Edition, Sedgewick, Addison-Wesley, 1988,
- * ISBN 0-201-06673-4, chapter 11.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: heap.c,v 1.1.206.1 2004/03/09 08:33:43 marka Exp $";
-#endif /* not lint */
-
-#include "port_before.h"
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <errno.h>
-
-#include "port_after.h"
-
-#include <isc/heap.h>
-
-/*
- * Note: to make heap_parent and heap_left easy to compute, the first
- * element of the heap array is not used; i.e. heap subscripts are 1-based,
- * not 0-based.
- */
-#define heap_parent(i) ((i) >> 1)
-#define heap_left(i) ((i) << 1)
-
-#define ARRAY_SIZE_INCREMENT 512
-
-heap_context
-heap_new(heap_higher_priority_func higher_priority, heap_index_func index,
- int array_size_increment) {
- heap_context ctx;
-
- ctx = (heap_context)malloc(sizeof (struct heap_context));
- if (ctx == NULL || higher_priority == NULL)
- return (NULL);
- ctx->array_size = 0;
- if (array_size_increment == 0)
- ctx->array_size_increment = ARRAY_SIZE_INCREMENT;
- else
- ctx->array_size_increment = array_size_increment;
- ctx->heap_size = 0;
- ctx->heap = NULL;
- ctx->higher_priority = higher_priority;
- ctx->index = index;
- return (ctx);
-}
-
-int
-heap_free(heap_context ctx) {
- if (ctx == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- if (ctx->heap != NULL)
- free(ctx->heap);
- free(ctx);
-
- return (0);
-}
-
-static int
-heap_resize(heap_context ctx) {
- void **new_heap;
-
- ctx->array_size += ctx->array_size_increment;
- new_heap = (void **)realloc(ctx->heap,
- (ctx->array_size) * (sizeof (void *)));
- if (new_heap == NULL) {
- errno = ENOMEM;
- return (-1);
- }
- ctx->heap = new_heap;
- return (0);
-}
-
-static void
-float_up(heap_context ctx, int i, void *elt) {
- int p;
-
- for ( p = heap_parent(i);
- i > 1 && ctx->higher_priority(elt, ctx->heap[p]);
- i = p, p = heap_parent(i) ) {
- ctx->heap[i] = ctx->heap[p];
- if (ctx->index != NULL)
- (ctx->index)(ctx->heap[i], i);
- }
- ctx->heap[i] = elt;
- if (ctx->index != NULL)
- (ctx->index)(ctx->heap[i], i);
-}
-
-static void
-sink_down(heap_context ctx, int i, void *elt) {
- int j, size, half_size;
-
- size = ctx->heap_size;
- half_size = size / 2;
- while (i <= half_size) {
- /* find smallest of the (at most) two children */
- j = heap_left(i);
- if (j < size && ctx->higher_priority(ctx->heap[j+1],
- ctx->heap[j]))
- j++;
- if (ctx->higher_priority(elt, ctx->heap[j]))
- break;
- ctx->heap[i] = ctx->heap[j];
- if (ctx->index != NULL)
- (ctx->index)(ctx->heap[i], i);
- i = j;
- }
- ctx->heap[i] = elt;
- if (ctx->index != NULL)
- (ctx->index)(ctx->heap[i], i);
-}
-
-int
-heap_insert(heap_context ctx, void *elt) {
- int i;
-
- if (ctx == NULL || elt == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- i = ++ctx->heap_size;
- if (ctx->heap_size >= ctx->array_size && heap_resize(ctx) < 0)
- return (-1);
-
- float_up(ctx, i, elt);
-
- return (0);
-}
-
-int
-heap_delete(heap_context ctx, int i) {
- void *elt;
- int less;
-
- if (ctx == NULL || i < 1 || i > ctx->heap_size) {
- errno = EINVAL;
- return (-1);
- }
-
- if (i == ctx->heap_size) {
- ctx->heap_size--;
- } else {
- elt = ctx->heap[ctx->heap_size--];
- less = ctx->higher_priority(elt, ctx->heap[i]);
- ctx->heap[i] = elt;
- if (less)
- float_up(ctx, i, ctx->heap[i]);
- else
- sink_down(ctx, i, ctx->heap[i]);
- }
-
- return (0);
-}
-
-int
-heap_increased(heap_context ctx, int i) {
- if (ctx == NULL || i < 1 || i > ctx->heap_size) {
- errno = EINVAL;
- return (-1);
- }
-
- float_up(ctx, i, ctx->heap[i]);
-
- return (0);
-}
-
-int
-heap_decreased(heap_context ctx, int i) {
- if (ctx == NULL || i < 1 || i > ctx->heap_size) {
- errno = EINVAL;
- return (-1);
- }
-
- sink_down(ctx, i, ctx->heap[i]);
-
- return (0);
-}
-
-void *
-heap_element(heap_context ctx, int i) {
- if (ctx == NULL || i < 1 || i > ctx->heap_size) {
- errno = EINVAL;
- return (NULL);
- }
-
- return (ctx->heap[i]);
-}
-
-int
-heap_for_each(heap_context ctx, heap_for_each_func action, void *uap) {
- int i;
-
- if (ctx == NULL || action == NULL) {
- errno = EINVAL;
- return (-1);
- }
-
- for (i = 1; i <= ctx->heap_size; i++)
- (action)(ctx->heap[i], uap);
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/isc/heap.mdoc b/contrib/bind9/lib/bind/isc/heap.mdoc
deleted file mode 100644
index 95c9444ff3de..000000000000
--- a/contrib/bind9/lib/bind/isc/heap.mdoc
+++ /dev/null
@@ -1,378 +0,0 @@
-.\" $Id: heap.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
-.\"
-.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 1997,1999 by Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd January 1, 1997
-.\"Os OPERATING_SYSTEM [version/release]
-.Os BSD 4
-.Dt HEAP @SYSCALL_EXT@
-.Sh NAME
-.Nm heap_new ,
-.Nm heap_free ,
-.Nm heap_insert ,
-.Nm heap_delete ,
-.Nm heap_increased ,
-.Nm heap_decreased ,
-.Nm heap_element ,
-.Nm heap_for_each
-.Nd heap implementation of priority queues
-.Sh SYNOPSIS
-.Fd #include \&"heap.h\&"
-.Ft heap_context
-.Fn heap_new "heap_higher_priority_func higher_priority" \
-"heap_index_func index" "int array_size_increment"
-.Ft int
-.Fn heap_free "heap_context ctx"
-.Ft int
-.Fn heap_insert "heap_context ctx" "void *elt"
-.Ft int
-.Fn heap_delete "heap_context ctx" "int i"
-.Ft int
-.Fn heap_increased "heap_context ctx" "int i"
-.Ft int
-.Fn heap_decreased "heap_context ctx" "int i"
-.Ft void *
-.Fn heap_element "heap_context ctx" "int i"
-.Ft int
-.Fn heap_for_each "heap_context ctx" "heap_for_each_func action" "void *uap"
-.Sh DESCRIPTION
-These functions implement heap\-based priority queues. The user defines a
-priority scheme, and provides a function for comparison of the priority
-of heap elements
-(see the description of the
-.Ft heap_higher_priority_func
-function pointer, below).
-.Pp
-Each of the functions depends upon the
-.Ft heap_context
-type, which is a pointer to a
-.Ft struct heap_context
-.Pq see Pa heap.h No for more information .
-.Pp
-The
-.Pa heap.h
-header file also defines the following set of function
-function pointers:
-.Bd -literal -offset indent
-typedef int (*heap_higher_priority_func)(void *, void *);
-typedef void (*heap_index_func)(void *, int);
-typedef void (*heap_for_each_func)(void *, void *);
-.Ed
-.Pp
-These are pointers to user-defined functions.
-The
-.Ft heap_higher_priority_func
-type is a pointer to a function which compares two
-different heap (queue) elements and returns an
-.Ft int
-which answers the question, "Does the first queue element
-have a higher priority than the second?" In other words,
-a function pointer of this type
-.Em must
-return a number greater than zero
-if the element indicated by the first argument is of a higher priority than
-that indicated by the second element, and zero otherwise.
-.Pp
-The other two function pointers are documented in the descriptions
-of
-.Fn heap_new
-.Pq Va heap_index_func
-and
-.Fn heap_for_each
-.Pq Va heap_for_each_func ,
-below.
-.Pp
-The function
-.Fn heap_new
-initializes a
-.Ft struct heap_context
-and returns a pointer to it. The
-.Fa higher_priority
-function pointer
-.Em must
-be
-.No non\- Ns Dv NULL .
-As explained above, this refers to a
-function supplied by the user which compares the priority of two different
-queue or heap elements; see above for more information.
-The second argument,
-.Fa index ,
-is a pointer to a user-defined function whose arguments are
-a heap element and its index in the heap.
-.Fa Index
-is intended to provide the user a means of knowing the internal index
-of an element in the heap while maintaining the opacity of the implementation;
-since the user has to know the actual indexes of heap elements in order to use,
-e.g.,
-.Fn heap_delete
-or
-.Fn heap_element ,
-the user
-.Fa index
-function could store the index in the heap element, itself. If
-.Fa index
-is
-.No non\- Ns Dv NULL ,
-then it is called
-.Em whenever
-the index of an element changes, allowing the user to stay up\-to\-date
-with index changes.
-The last argument,
-.Fa array_size_increment
-will be used, as its name suggests, by
-.Xr malloc 3
-or
-.Xr realloc 3
-to increment the array which implements the heap; if zero, a default value
-will be used.
-.Pp
-The
-.Fn heap_free
-function frees the given
-.Ft heap_context
-argument
-.Pq Fa ctx ,
-which also frees the entire
-.Nm heap ,
-if it is
-.No non\- Ns Dv NULL .
-The argument
-.Fa ctx
-should be
-.No non\- Ns Dv NULL .
-.Pp
-The
-.Fn heap_insert
-function is used to insert the new heap element
-.Fa elt
-into the appropriate place (priority\-wise) in the
-.Ft heap
-indicated by
-.Fa ctx
-(a pointer to a
-.Ft heap_context ) .
-If
-.No non\- Ns Dv NULL ,
-the user-defined
-.Ft higher_priority
-function pointer associated with the indicated
-.Nm heap
-is used to determine that
-.Dq appropriate place ;
-the highest\-priority elements are at the front of the queue (top of
-the heap).
-(See the description of
-.Fn heap_new ,
-above, for more information.)
-.Pp
-The function
-.Fn heap_delete
-is used to delete the
-.Fa i\- Ns th
-element of the queue (heap), and fixing up the queue (heap) from that
-element onward via the priority as determined by the user function
-pointed to by
-.Ft higher_priority
-function pointer
-(see description of
-.Fn heap_new ,
-above).
-.Pp
-.Fn heap_increased
-.Pp
-.Fn heap_decreased
-.Pp
-The
-.Fn heap_element
-function returns the
-.Fa i\- Ns th
-element of the queue/heap indicated by
-.Fa ctx ,
-if possible.
-.Pp
-The
-.Fn heap_for_each
-function provides a mechanism for the user to increment through the entire
-queue (heap) and perform some
-.Fa action
-upon each of the queue elements. This
-.Fa action
-is pointer to a user\-defined function with two arguments, the first of
-which should be interpreted by the user's function as a heap element. The
-second value passed to the user function is just the
-.Fa uap
-argument to
-.Fn heap_for_each ;
-this allows the user to specify additional arguments, if necessary, to
-the function pointed to by
-.Fa action .
-.\" The following requests should be uncommented and
-.\" used where appropriate. This next request is
-.\" for sections 2 and 3 function return values only.
-.Sh RETURN VALUES
-.Bl -tag -width "heap_decreased()"
-.It Fn heap_new
-.Dv NULL
-if unable to
-.Xr malloc 3
-a
-.Ft struct heap_context
-or if the
-.Fa higher_priority
-function pointer is
-.Dv NULL ;
-otherwise, a valid
-.Ft heap_context
-.Ns .
-.It Fn heap_free
--1 if
-.Fa ctx
-is
-.Dv NULL
-(with
-.Va errno
-set to
-.Dv EINVAL ) ;
-otherwise, 0.
-.It Fn heap_insert
--1
-if either
-.Fa ctx
-or
-.Fa elt
-is
-.Dv NULL ,
-or if an attempt to
-.Xr malloc 3
-or
-.Xr realloc 3
-the heap array fails (with
-.Va errno
-set to
-.Dv EINVAL
-or
-.Dv ENOMEM ,
-respectively).
-Otherwise, 0.
-.It Fn heap_delete
--1 if
-.Fa ctx
-is
-.Dv NULL
-or
-.Fa i
-is out\-of\-range (with
-.Va errno
-set to
-.Dv EINVAL ) ;
-0 otherwise.
-.It Fn heap_increased
-As for
-.Fn heap_delete .
-.It Fn heap_decreased
-As for
-.Fn heap_delete .
-.It Fn heap_element
-NULL if
-.Fa ctx
-is
-.Dv NULL
-or
-.Fa i
-out\-of-bounds (with
-.Va errno
-set to
-.Dv EINVAL ) ;
-otherwise, a pointer to the
-.Fa i\- Ns th
-queue element.
-.It Fn heap_for_each
--1 if either
-.Fa ctx
-or
-.Fa action
-is
-.Dv NULL
-(with
-.Va errno
-set to
-.Dv EINVAL ) ;
-0 otherwise.
-.El
-.\" This next request is for sections 1, 6, 7 & 8 only
-.\" .Sh ENVIRONMENT
-.Sh FILES
-.Bl -tag -width "heap.h000"
-.It Pa heap.h
- heap library header file
-.El
-.\" .Sh EXAMPLES
-.\" This next request is for sections 1, 6, 7 & 8 only
-.\" (command return values (to shell) and
-.\" fprintf/stderr type diagnostics)
-.Sh DIAGNOSTICS
-Please refer to
-.Sx RETURN VALUES .
-.\" The next request is for sections 2 and 3 error
-.\" and signal handling only.
-.Sh ERRORS
-The variable
-.Va errno
-is set by
-.Fn heap_free ,
-.Fn heap_insert ,
-.Fn heap_delete ,
-.Fn heap_increased ,
-and
-.Fn heap_decreased
-under the conditions of invalid input
-.Pq Dv EINVAL
-or lack of memory
-.Pq Dv ENOMEM ;
-please refer to
-.Sx RETURN VALUES .
-.Sh SEE ALSO
-.Xr malloc 3 ,
-.Xr realloc 3 .
-.Rs
-.%A Cormen
-.%A Leiserson
-.%A Rivest
-.%B Introduction to Algorithms
-.%Q "MIT Press / McGraw Hill"
-.%D 1990
-.%O ISBN 0\-262\-03141\-8
-.%P chapter 7
-.Re
-.Rs
-.%A Sedgewick
-.%B Algorithms, 2nd ed'n
-.%Q Addison\-Wesley
-.%D 1988
-.%O ISBN 0\-201\-06673\-4
-.%P chapter 11
-.Re
-.\" .Sh STANDARDS
-.\" .Sh HISTORY
-.Sh AUTHORS
-The
-.Nm heap
-library was implemented by Bob Halley (halley@vix.com) of Vixie Enterprises,
-Inc., for the Internet Software consortium, and was adapted from
-the two books listed in the
-.Sx SEE ALSO
-section, above.
-.\" .Sh BUGS
diff --git a/contrib/bind9/lib/bind/isc/hex.c b/contrib/bind9/lib/bind/isc/hex.c
deleted file mode 100644
index c177ca0fa328..000000000000
--- a/contrib/bind9/lib/bind/isc/hex.c
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 2001 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <port_before.h>
-#include <ctype.h>
-#include <stdio.h>
-#include <string.h>
-#include <isc/misc.h>
-#include <port_after.h>
-
-static const char hex[17] = "0123456789abcdef";
-
-int
-isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp,
- int *multiline)
-{
- int c, n;
- unsigned char x;
- char *s;
- int result = count;
-
- x = 0; /* silence compiler */
- n = 0;
- while (count > 0) {
- c = fgetc(fp);
-
- if ((c == EOF) ||
- (c == '\n' && !*multiline) ||
- (c == '(' && *multiline) ||
- (c == ')' && !*multiline))
- goto formerr;
- /* comment */
- if (c == ';') {
- while ((c = fgetc(fp)) != EOF && c != '\n')
- /* empty */
- if (c == '\n' && *multiline)
- continue;
- goto formerr;
- }
- /* white space */
- if (c == ' ' || c == '\t' || c == '\n' || c == '\r')
- continue;
- /* multiline */
- if ('(' == c || c == ')') {
- *multiline = (c == '(' /*)*/);
- continue;
- }
- if ((s = strchr(hex, tolower(c))) == NULL)
- goto formerr;
- x = (x<<4) | (s - hex);
- if (++n == 2) {
- if (len > 0U) {
- *buf++ = x;
- len--;
- } else
- result = -1;
- count--;
- n = 0;
- }
- }
- return (result);
-
- formerr:
- if (c == '\n')
- ungetc(c, fp);
- return (-1);
-}
-
-void
-isc_puthexstring(FILE *fp, const unsigned char *buf, size_t buflen,
- size_t len1, size_t len2, const char *sep)
-{
- size_t i = 0;
-
- if (len1 < 4U)
- len1 = 4;
- if (len2 < 4U)
- len2 = 4;
- while (buflen > 0U) {
- fputc(hex[(buf[0]>>4)&0xf], fp);
- fputc(hex[buf[0]&0xf], fp);
- i += 2;
- buflen--;
- buf++;
- if (i >= len1 && sep != NULL) {
- fputs(sep, fp);
- i = 0;
- len1 = len2;
- }
- }
-}
-
-void
-isc_tohex(const unsigned char *buf, size_t buflen, char *t) {
- while (buflen > 0U) {
- *t++ = hex[(buf[0]>>4)&0xf];
- *t++ = hex[buf[0]&0xf];
- buf++;
- buflen--;
- }
- *t = '\0';
-}
diff --git a/contrib/bind9/lib/bind/isc/logging.c b/contrib/bind9/lib/bind/isc/logging.c
deleted file mode 100644
index d4c7be28523b..000000000000
--- a/contrib/bind9/lib/bind/isc/logging.c
+++ /dev/null
@@ -1,720 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: logging.c,v 1.3.2.1.4.2 2004/03/17 01:49:42 marka Exp $";
-#endif /* not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-
-#include <fcntl.h>
-#include <limits.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <errno.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <isc/assertions.h>
-#include <isc/logging.h>
-#include <isc/memcluster.h>
-#include <isc/misc.h>
-
-#include "port_after.h"
-
-#ifdef VSPRINTF_CHAR
-# define VSPRINTF(x) strlen(vsprintf/**/x)
-#else
-# define VSPRINTF(x) ((size_t)vsprintf x)
-#endif
-
-#include "logging_p.h"
-
-static const int syslog_priority[] = { LOG_DEBUG, LOG_INFO, LOG_NOTICE,
- LOG_WARNING, LOG_ERR, LOG_CRIT };
-
-static const char *months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
- "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
-
-static const char *level_text[] = {
- "info: ", "notice: ", "warning: ", "error: ", "critical: "
-};
-
-static void
-version_rename(log_channel chan) {
- unsigned int ver;
- char old_name[PATH_MAX+1];
- char new_name[PATH_MAX+1];
-
- ver = chan->out.file.versions;
- if (ver < 1)
- return;
- if (ver > LOG_MAX_VERSIONS)
- ver = LOG_MAX_VERSIONS;
- /*
- * Need to have room for '.nn' (XXX assumes LOG_MAX_VERSIONS < 100)
- */
- if (strlen(chan->out.file.name) > (size_t)(PATH_MAX-3))
- return;
- for (ver--; ver > 0; ver--) {
- sprintf(old_name, "%s.%d", chan->out.file.name, ver-1);
- sprintf(new_name, "%s.%d", chan->out.file.name, ver);
- (void)isc_movefile(old_name, new_name);
- }
- sprintf(new_name, "%s.0", chan->out.file.name);
- (void)isc_movefile(chan->out.file.name, new_name);
-}
-
-FILE *
-log_open_stream(log_channel chan) {
- FILE *stream;
- int fd, flags;
- struct stat sb;
- int regular;
-
- if (chan == NULL || chan->type != log_file) {
- errno = EINVAL;
- return (NULL);
- }
-
- /*
- * Don't open already open streams
- */
- if (chan->out.file.stream != NULL)
- return (chan->out.file.stream);
-
- if (stat(chan->out.file.name, &sb) < 0) {
- if (errno != ENOENT) {
- syslog(LOG_ERR,
- "log_open_stream: stat of %s failed: %s",
- chan->out.file.name, strerror(errno));
- chan->flags |= LOG_CHANNEL_BROKEN;
- return (NULL);
- }
- regular = 1;
- } else
- regular = (sb.st_mode & S_IFREG);
-
- if (chan->out.file.versions) {
- if (!regular) {
- syslog(LOG_ERR,
- "log_open_stream: want versions but %s isn't a regular file",
- chan->out.file.name);
- chan->flags |= LOG_CHANNEL_BROKEN;
- errno = EINVAL;
- return (NULL);
- }
- }
-
- flags = O_WRONLY|O_CREAT|O_APPEND;
-
- if ((chan->flags & LOG_TRUNCATE) != 0) {
- if (regular) {
- (void)unlink(chan->out.file.name);
- flags |= O_EXCL;
- } else {
- syslog(LOG_ERR,
- "log_open_stream: want truncation but %s isn't a regular file",
- chan->out.file.name);
- chan->flags |= LOG_CHANNEL_BROKEN;
- errno = EINVAL;
- return (NULL);
- }
- }
-
- fd = open(chan->out.file.name, flags,
- S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
- if (fd < 0) {
- syslog(LOG_ERR, "log_open_stream: open(%s) failed: %s",
- chan->out.file.name, strerror(errno));
- chan->flags |= LOG_CHANNEL_BROKEN;
- return (NULL);
- }
- stream = fdopen(fd, "a");
- if (stream == NULL) {
- syslog(LOG_ERR, "log_open_stream: fdopen() failed");
- chan->flags |= LOG_CHANNEL_BROKEN;
- return (NULL);
- }
- (void) fchown(fd, chan->out.file.owner, chan->out.file.group);
-
- chan->out.file.stream = stream;
- return (stream);
-}
-
-int
-log_close_stream(log_channel chan) {
- FILE *stream;
-
- if (chan == NULL || chan->type != log_file) {
- errno = EINVAL;
- return (0);
- }
- stream = chan->out.file.stream;
- chan->out.file.stream = NULL;
- if (stream != NULL && fclose(stream) == EOF)
- return (-1);
- return (0);
-}
-
-void
-log_close_debug_channels(log_context lc) {
- log_channel_list lcl;
- int i;
-
- for (i = 0; i < lc->num_categories; i++)
- for (lcl = lc->categories[i]; lcl != NULL; lcl = lcl->next)
- if (lcl->channel->type == log_file &&
- lcl->channel->out.file.stream != NULL &&
- lcl->channel->flags & LOG_REQUIRE_DEBUG)
- (void)log_close_stream(lcl->channel);
-}
-
-FILE *
-log_get_stream(log_channel chan) {
- if (chan == NULL || chan->type != log_file) {
- errno = EINVAL;
- return (NULL);
- }
- return (chan->out.file.stream);
-}
-
-char *
-log_get_filename(log_channel chan) {
- if (chan == NULL || chan->type != log_file) {
- errno = EINVAL;
- return (NULL);
- }
- return (chan->out.file.name);
-}
-
-int
-log_check_channel(log_context lc, int level, log_channel chan) {
- int debugging, chan_level;
-
- REQUIRE(lc != NULL);
-
- debugging = ((lc->flags & LOG_OPTION_DEBUG) != 0);
-
- /*
- * If not debugging, short circuit debugging messages very early.
- */
- if (level > 0 && !debugging)
- return (0);
-
- if ((chan->flags & (LOG_CHANNEL_BROKEN|LOG_CHANNEL_OFF)) != 0)
- return (0);
-
- /* Some channels only log when debugging is on. */
- if ((chan->flags & LOG_REQUIRE_DEBUG) && !debugging)
- return (0);
-
- /* Some channels use the global level. */
- if ((chan->flags & LOG_USE_CONTEXT_LEVEL) != 0) {
- chan_level = lc->level;
- } else
- chan_level = chan->level;
-
- if (level > chan_level)
- return (0);
-
- return (1);
-}
-
-int
-log_check(log_context lc, int category, int level) {
- log_channel_list lcl;
- int debugging;
-
- REQUIRE(lc != NULL);
-
- debugging = ((lc->flags & LOG_OPTION_DEBUG) != 0);
-
- /*
- * If not debugging, short circuit debugging messages very early.
- */
- if (level > 0 && !debugging)
- return (0);
-
- if (category < 0 || category > lc->num_categories)
- category = 0; /* use default */
- lcl = lc->categories[category];
- if (lcl == NULL) {
- category = 0;
- lcl = lc->categories[0];
- }
-
- for ( /* nothing */; lcl != NULL; lcl = lcl->next) {
- if (log_check_channel(lc, level, lcl->channel))
- return (1);
- }
- return (0);
-}
-
-void
-log_vwrite(log_context lc, int category, int level, const char *format,
- va_list args) {
- log_channel_list lcl;
- int pri, debugging, did_vsprintf = 0;
- int original_category;
- FILE *stream;
- log_channel chan;
- struct timeval tv;
- struct tm *local_tm;
-#ifdef HAVE_TIME_R
- struct tm tm_tmp;
-#endif
- time_t tt;
- const char *category_name;
- const char *level_str;
- char time_buf[256];
- char level_buf[256];
-
- REQUIRE(lc != NULL);
-
- debugging = (lc->flags & LOG_OPTION_DEBUG);
-
- /*
- * If not debugging, short circuit debugging messages very early.
- */
- if (level > 0 && !debugging)
- return;
-
- if (category < 0 || category > lc->num_categories)
- category = 0; /* use default */
- original_category = category;
- lcl = lc->categories[category];
- if (lcl == NULL) {
- category = 0;
- lcl = lc->categories[0];
- }
-
- /*
- * Get the current time and format it.
- */
- time_buf[0]='\0';
- if (gettimeofday(&tv, NULL) < 0) {
- syslog(LOG_INFO, "gettimeofday failed in log_vwrite()");
- } else {
- tt = tv.tv_sec;
-#ifdef HAVE_TIME_R
- local_tm = localtime_r(&tt, &tm_tmp);
-#else
- local_tm = localtime(&tt);
-#endif
- if (local_tm != NULL) {
- sprintf(time_buf, "%02d-%s-%4d %02d:%02d:%02d.%03ld ",
- local_tm->tm_mday, months[local_tm->tm_mon],
- local_tm->tm_year+1900, local_tm->tm_hour,
- local_tm->tm_min, local_tm->tm_sec,
- (long)tv.tv_usec/1000);
- }
- }
-
- /*
- * Make a string representation of the current category and level
- */
-
- if (lc->category_names != NULL &&
- lc->category_names[original_category] != NULL)
- category_name = lc->category_names[original_category];
- else
- category_name = "";
-
- if (level >= log_critical) {
- if (level >= 0) {
- sprintf(level_buf, "debug %d: ", level);
- level_str = level_buf;
- } else
- level_str = level_text[-level-1];
- } else {
- sprintf(level_buf, "level %d: ", level);
- level_str = level_buf;
- }
-
- /*
- * Write the message to channels.
- */
- for ( /* nothing */; lcl != NULL; lcl = lcl->next) {
- chan = lcl->channel;
-
- if (!log_check_channel(lc, level, chan))
- continue;
-
- if (!did_vsprintf) {
- if (VSPRINTF((lc->buffer, format, args)) >
- (size_t)LOG_BUFFER_SIZE) {
- syslog(LOG_CRIT,
- "memory overrun in log_vwrite()");
- exit(1);
- }
- did_vsprintf = 1;
- }
-
- switch (chan->type) {
- case log_syslog:
- if (level >= log_critical)
- pri = (level >= 0) ? 0 : -level;
- else
- pri = -log_critical;
- syslog(chan->out.facility|syslog_priority[pri],
- "%s%s%s%s",
- (chan->flags & LOG_TIMESTAMP) ? time_buf : "",
- (chan->flags & LOG_PRINT_CATEGORY) ?
- category_name : "",
- (chan->flags & LOG_PRINT_LEVEL) ?
- level_str : "",
- lc->buffer);
- break;
- case log_file:
- stream = chan->out.file.stream;
- if (stream == NULL) {
- stream = log_open_stream(chan);
- if (stream == NULL)
- break;
- }
- if (chan->out.file.max_size != ULONG_MAX) {
- long pos;
-
- pos = ftell(stream);
- if (pos >= 0 &&
- (unsigned long)pos >
- chan->out.file.max_size) {
- /*
- * try to roll over the log files,
- * ignoring all all return codes
- * except the open (we don't want
- * to write any more anyway)
- */
- log_close_stream(chan);
- version_rename(chan);
- stream = log_open_stream(chan);
- if (stream == NULL)
- break;
- }
- }
- fprintf(stream, "%s%s%s%s\n",
- (chan->flags & LOG_TIMESTAMP) ? time_buf : "",
- (chan->flags & LOG_PRINT_CATEGORY) ?
- category_name : "",
- (chan->flags & LOG_PRINT_LEVEL) ?
- level_str : "",
- lc->buffer);
- fflush(stream);
- break;
- case log_null:
- break;
- default:
- syslog(LOG_ERR,
- "unknown channel type in log_vwrite()");
- }
- }
-}
-
-void
-log_write(log_context lc, int category, int level, const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- log_vwrite(lc, category, level, format, args);
- va_end(args);
-}
-
-/*
- * Functions to create, set, or destroy contexts
- */
-
-int
-log_new_context(int num_categories, char **category_names, log_context *lc) {
- log_context nlc;
-
- nlc = memget(sizeof (struct log_context));
- if (nlc == NULL) {
- errno = ENOMEM;
- return (-1);
- }
- nlc->num_categories = num_categories;
- nlc->category_names = category_names;
- nlc->categories = memget(num_categories * sizeof (log_channel_list));
- if (nlc->categories == NULL) {
- memput(nlc, sizeof (struct log_context));
- errno = ENOMEM;
- return (-1);
- }
- memset(nlc->categories, '\0',
- num_categories * sizeof (log_channel_list));
- nlc->flags = 0U;
- nlc->level = 0;
- *lc = nlc;
- return (0);
-}
-
-void
-log_free_context(log_context lc) {
- log_channel_list lcl, lcl_next;
- log_channel chan;
- int i;
-
- REQUIRE(lc != NULL);
-
- for (i = 0; i < lc->num_categories; i++)
- for (lcl = lc->categories[i]; lcl != NULL; lcl = lcl_next) {
- lcl_next = lcl->next;
- chan = lcl->channel;
- (void)log_free_channel(chan);
- memput(lcl, sizeof (struct log_channel_list));
- }
- memput(lc->categories,
- lc->num_categories * sizeof (log_channel_list));
- memput(lc, sizeof (struct log_context));
-}
-
-int
-log_add_channel(log_context lc, int category, log_channel chan) {
- log_channel_list lcl;
-
- if (lc == NULL || category < 0 || category >= lc->num_categories) {
- errno = EINVAL;
- return (-1);
- }
-
- lcl = memget(sizeof (struct log_channel_list));
- if (lcl == NULL) {
- errno = ENOMEM;
- return(-1);
- }
- lcl->channel = chan;
- lcl->next = lc->categories[category];
- lc->categories[category] = lcl;
- chan->references++;
- return (0);
-}
-
-int
-log_remove_channel(log_context lc, int category, log_channel chan) {
- log_channel_list lcl, prev_lcl, next_lcl;
- int found = 0;
-
- if (lc == NULL || category < 0 || category >= lc->num_categories) {
- errno = EINVAL;
- return (-1);
- }
-
- for (prev_lcl = NULL, lcl = lc->categories[category];
- lcl != NULL;
- lcl = next_lcl) {
- next_lcl = lcl->next;
- if (lcl->channel == chan) {
- log_free_channel(chan);
- if (prev_lcl != NULL)
- prev_lcl->next = next_lcl;
- else
- lc->categories[category] = next_lcl;
- memput(lcl, sizeof (struct log_channel_list));
- /*
- * We just set found instead of returning because
- * the channel might be on the list more than once.
- */
- found = 1;
- } else
- prev_lcl = lcl;
- }
- if (!found) {
- errno = ENOENT;
- return (-1);
- }
- return (0);
-}
-
-int
-log_option(log_context lc, int option, int value) {
- if (lc == NULL) {
- errno = EINVAL;
- return (-1);
- }
- switch (option) {
- case LOG_OPTION_DEBUG:
- if (value)
- lc->flags |= option;
- else
- lc->flags &= ~option;
- break;
- case LOG_OPTION_LEVEL:
- lc->level = value;
- break;
- default:
- errno = EINVAL;
- return (-1);
- }
- return (0);
-}
-
-int
-log_category_is_active(log_context lc, int category) {
- if (lc == NULL) {
- errno = EINVAL;
- return (-1);
- }
- if (category >= 0 && category < lc->num_categories &&
- lc->categories[category] != NULL)
- return (1);
- return (0);
-}
-
-log_channel
-log_new_syslog_channel(unsigned int flags, int level, int facility) {
- log_channel chan;
-
- chan = memget(sizeof (struct log_channel));
- if (chan == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
- chan->type = log_syslog;
- chan->flags = flags;
- chan->level = level;
- chan->out.facility = facility;
- chan->references = 0;
- return (chan);
-}
-
-log_channel
-log_new_file_channel(unsigned int flags, int level,
- const char *name, FILE *stream, unsigned int versions,
- unsigned long max_size) {
- log_channel chan;
-
- chan = memget(sizeof (struct log_channel));
- if (chan == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
- chan->type = log_file;
- chan->flags = flags;
- chan->level = level;
- if (name != NULL) {
- size_t len;
-
- len = strlen(name);
- /*
- * Quantize length to a multiple of 256. There's space for the
- * NUL, since if len is a multiple of 256, the size chosen will
- * be the next multiple.
- */
- chan->out.file.name_size = ((len / 256) + 1) * 256;
- chan->out.file.name = memget(chan->out.file.name_size);
- if (chan->out.file.name == NULL) {
- memput(chan, sizeof (struct log_channel));
- errno = ENOMEM;
- return (NULL);
- }
- /* This is safe. */
- strcpy(chan->out.file.name, name);
- } else {
- chan->out.file.name_size = 0;
- chan->out.file.name = NULL;
- }
- chan->out.file.stream = stream;
- chan->out.file.versions = versions;
- chan->out.file.max_size = max_size;
- chan->out.file.owner = getuid();
- chan->out.file.group = getgid();
- chan->references = 0;
- return (chan);
-}
-
-int
-log_set_file_owner(log_channel chan, uid_t owner, gid_t group) {
- if (chan->type != log_file) {
- errno = EBADF;
- return (-1);
- }
- chan->out.file.owner = owner;
- chan->out.file.group = group;
- return (0);
-}
-
-log_channel
-log_new_null_channel() {
- log_channel chan;
-
- chan = memget(sizeof (struct log_channel));
- if (chan == NULL) {
- errno = ENOMEM;
- return (NULL);
- }
- chan->type = log_null;
- chan->flags = LOG_CHANNEL_OFF;
- chan->level = log_info;
- chan->references = 0;
- return (chan);
-}
-
-int
-log_inc_references(log_channel chan) {
- if (chan == NULL) {
- errno = EINVAL;
- return (-1);
- }
- chan->references++;
- return (0);
-}
-
-int
-log_dec_references(log_channel chan) {
- if (chan == NULL || chan->references <= 0) {
- errno = EINVAL;
- return (-1);
- }
- chan->references--;
- return (0);
-}
-
-log_channel_type
-log_get_channel_type(log_channel chan) {
- REQUIRE(chan != NULL);
-
- return (chan->type);
-}
-
-int
-log_free_channel(log_channel chan) {
- if (chan == NULL || chan->references <= 0) {
- errno = EINVAL;
- return (-1);
- }
- chan->references--;
- if (chan->references == 0) {
- if (chan->type == log_file) {
- if ((chan->flags & LOG_CLOSE_STREAM) &&
- chan->out.file.stream != NULL)
- (void)fclose(chan->out.file.stream);
- if (chan->out.file.name != NULL)
- memput(chan->out.file.name,
- chan->out.file.name_size);
- }
- memput(chan, sizeof (struct log_channel));
- }
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/isc/logging.mdoc b/contrib/bind9/lib/bind/isc/logging.mdoc
deleted file mode 100644
index fc6351fad2b7..000000000000
--- a/contrib/bind9/lib/bind/isc/logging.mdoc
+++ /dev/null
@@ -1,1056 +0,0 @@
-.\" $Id: logging.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
-.\"
-.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 1995-1999 by Internet Software Consortium
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The following six UNCOMMENTED lines are required.
-.Dd January 1, 1996
-.\"Os OPERATING_SYSTEM [version/release]
-.Os BSD 4
-.\"Dt DOCUMENT_TITLE [section number] [volume]
-.Dt LOGGING @SYSCALL_EXT@
-.Sh NAME
-.Nm log_open_stream ,
-.Nm log_close_stream ,
-.Nm log_get_stream ,
-.Nm log_get_filename ,
-.Nm log_vwrite ,
-.Nm log_write ,
-.Nm log_new_context ,
-.Nm log_free_context ,
-.Nm log_add_channel ,
-.Nm log_remove_channel ,
-.Nm log_option ,
-.Nm log_category_is_active ,
-.Nm log_new_syslog_channel ,
-.Nm log_new_file_channel ,
-.Nm log_set_file_owner ,
-.Nm log_new_null_channel ,
-.Nm log_inc_references ,
-.Nm log_dec_references ,
-.Nm log_free_channel
-.Nd logging system
-.Sh SYNOPSIS
-.Fd #include <isc/logging.h>
-.Ft FILE *
-.Fn log_open_stream "log_channel chan"
-.Ft int
-.Fn log_close_stream "log_channel chan"
-.Ft FILE *
-.Fn log_get_stream "log_channel chan"
-.Ft char *
-.Fn log_get_filename "log_channel chan"
-.Ft void
-.Fn log_vwrite "log_context lc" "int category" "int level" \
- "const char *format" va_list args"
-.Ft void
-.Fn log_write "log_context lc" "int category" "int level" \
- "const char *format" "..."
-.Ft int
-.Fn log_check_channel "log_context lc" "int level" "log_channel chan"
-.Ft int
-.Fn log_check "log_context lc" "int category" "int level"
-.Ft int
-.Fn log_new_context "int num_categories" "char **category_names" \
- "log_context *lc"
-.Ft void
-.Fn log_free_context "log_context lc"
-.Ft int
-.Fn log_add_channel "log_context lc" "int category" "log_channel chan"
-.Ft int
-.Fn log_remove_channel "log_context lc" "int category" "log_channel chan"
-.Ft int
-.Fn log_option "log_context lc" "int option" "int value"
-.Ft int
-.Fn log_category_is_active "log_context lc" "int category"
-.Ft log_channel
-.Fn log_new_syslog_channel "unsigned int flags" "int level" "int facility"
-.Ft log_channel
-.Fn log_new_file_channel "unsigned int flags" "int level" \
- "char *name" "FILE *stream" "unsigned int versions" \
- "unsigned long max_size"
-.Ft int
-.Fn log_set_file_owner "log_channel chan" "uid_t owner" "gid_t group"
-.Ft log_channel
-.Fn log_new_null_channel "void"
-.Ft int
-.Fn log_inc_references "log_channel chan"
-.Ft int
-.Fn log_dec_references "log_channel chan"
-.Ft int
-.Fn log_free_channel "log_channel chan"
-.Sh DESCRIPTION
-The
-.Sy ISC
-.Nm logging library
-is flexible logging system which is based upon a set of concepts:
-.Nm logging channels ,
-.Nm categories ,
-and
-.Nm logging contexts .
-.Pp
-The basic building block is the
-.Dq Nm logging channel ,
-which includes a
-.Nm priority
-(logging level), which type of logging is to occur, and other
-flags and information associated with technical aspects of the logging.
-The set of priorities which are supported is shown below, in the section
-.Sx Message Priorities .
-A priority sets a threshold for message logging; a logging channel will
-.Em only
-log those messages which are
-.Em at least as important
-as its priority indicates. (The fact that
-.Dq more important
-means
-.Dq more negative ,
-under the current scheme, is an implementation detail; if a channel has
-a priority of
-.Dv log_error ,
-then it will
-.Em not
-log messages with the
-.Dv log_warning
-priority, but it
-.Em will
-log messages with the
-.Dv log_error
-or
-.Dv log_critical
-priority.)
-.Pp
-The
-.Nm logging channel
-also has an indication of the type of logging performed. Currently,
-the supported
-.Nm logging types
-include (see also
-.Sx Logging Types ,
-below):
-.Bl -tag -width "log_syslog" -compact -offset indent
-.It Dv log_syslog
-for
-.Xr syslog 3 Ns -style
-logging
-.It Dv log_file
-for use of a file
-.It Dv log_null
-for
-.Em no
-logging
-.El
-A new logging channel is created by calling either
-.Fn log_new_syslog_channel ,
-.Fn log_new_file_channel ,
-or
-.Fn log_new_null_channel ,
-respectively.
-When a channel is no longer to be used, it can be freed using
-.Fn log_free_channel .
-.Pp
-Both
-.Dv log_syslog
-and
-.Dv log_file
-channel types can include more information; for instance, a
-.Dv log_syslog Ns -type
-channel allows the specification of a
-.Xr syslog 3 Ns -style
-.Dq facility ,
-and a
-.Dv log_file Ns -type
-channels allows the caller to set a maximum file size and number
-of versions. (See
-.Fn log_new_syslog_channel
-or
-.Fn log_new_file_channel ,
-below.)
-Additionally, once a logging channel of type
-.Dv log_file
-is defined, the functions
-.Fn log_open_stream
-and
-.Fn log_close_stream
-can open or close the stream associated with the logging channel's logging
-filename. The
-.Fn log_get_stream
-and
-.Fn log_get_filename
-functions return the stream or filename, respectively, of such a logging
-channel. Also unique to logging channels of type
-.Dv log_file
-is the
-.Fn log_set_file_owner
-function, which tells the logging system what user and group ought to own
-newly created files (which is only effective if the caller is privileged.)
-.Pp
-Callers provide
-.Dq Nm categories ,
-determining both the number of such categories and any (optional) names.
-Categories are like array indexes in C; if the caller declares
-.Dq Va n
-categories, then they are considered to run from 0 to
-.Va n-1 ;
-with this scheme, a category number would be invalid if it were negative or
-greater than/equal to
-.Va n .
-Each category can have its own list of
-.Nm logging channels
-associated with it; we say that such a channel is
-.Dq in
-the particular category.
-.Sy NOTE :
-Individual logging channels can appear in more than one category.
-.Pp
-A
-.Dq Nm logging context
-is the set of all
-.Nm logging channels
-associated with the context's
-.Nm categories ;
-thus, a particular
-.Nm category
-scheme is associated with a particular
-.Nm logging context .
-.Sy NOTE :
-A logging channel may appear in more than one logging context, and in
-multiple categories within each logging context.
-.Pp
-Use
-.Fn log_add_channel
-and
-.Fn log_remove_channel
-to add or remove a logging channel to some category in a logging context.
-To see if a given category in a logging context is being used, use the
-Boolean test
-.Fn log_category_is_active .
-.Pp
-A
-.Nm logging context
-can also have a
-.Nm priority
-(logging level)
-and various flags associated with the whole context; in order to alter the
-flags or change the priority of a context, use
-.Fn log_option .
-.Ss Message Priorities
-Currently, five
-.Nm priorities
-(logging levels) are supported (they can also be found in the header file):
-.Bd -literal -offset indent
-#define log_critical (-5)
-#define log_error (-4)
-#define log_warning (-3)
-#define log_notice (-2)
-#define log_info (-1)
-.Ed
-.Pp
-In the current implementation, logging messages which have a level greater
-than 0 are considered to be debugging messages.
-.Ss Logging Types
-The three different
-.Nm logging types
-currently supported are different values of the enumerated type
-.Ft log_output_type
-(these are also listed in the header file):
-.Bd -literal -offset indent
-typedef enum { log_syslog, log_file, log_null } log_output_type;
-.Ed
-.Ss Logging Channel Flags
-There are several flags which can be set on a logging channel; the flags
-and their meanings are as follows (they are also found in the header file):
-.Bl -tag -width "LOG_USE_CONTEXT_LEVEL " -offset indent
-.It Dv LOG_CHANNEL_BROKEN
-This is set only when some portion of
-.Fn log_open_stream
-fails:
-.Xr open 2
-or
-.Xr fdopen 3
-fail;
-.Xr stat 2
-fails in a
-.Dq bad
-way; versioning or truncation is requested on a non-normal file.
-.It Dv LOG_CHANNEL_OFF
-This is set for channels opened by
-.Fn log_new_null_channel .
-.It Dv LOG_CLOSE_STREAM
-If this flag is set, then
-.Fn log_free_channel
-will free a
-.No non- Dv NULL
-stream of a logging channel which is being
-.Xr free 3 Ns -d
-(if the logging channel is of type
-.Dv log_file ,
-of course).
-.It Dv LOG_PRINT_CATEGORY
-If set,
-.Fn log_vwrite
-will insert the category name, if available, into logging messages which are
-logged to channels of type
-.Dv log_syslog
-or
-.Dv log_file .
-.It Dv LOG_PRINT_LEVEL
-If set,
-.Fn log_vwrite
-will insert a string identifying the message priority level into the
-information logged to channels of type
-.Dv log_syslog
-or
-.Dv log_file .
-.It Dv LOG_REQUIRE_DEBUG
-Only log debugging messages (i.e., those with a priority greater than zero).
-.It Dv LOG_TIMESTAMP
-If set,
-.Fn log_vwrite
-will insert a timestamp into logging messages which are logged to channels of
-type
-.Dv log_syslog
-or
-.Dv log_file .
-.It Dv LOG_TRUNCATE
-Truncate logging file when re-opened
-.Fn ( log_open_stream
-will
-.Xr unlink 2
-the file and then
-.Xr open 2
-a new file of the same name with the
-.Dv O_EXCL
-bit set).
-.It Dv LOG_USE_CONTEXT_LEVEL
-Use the logging context's priority or logging level, rather than the logging
-channel's own priority. This can be useful for those channels which are
-included in multiple logging contexts.
-.El
-.Ss FUNCTION DESCRIPTIONS
-The function
-.Fn log_open_stream
-is for use with channels which log to a file; i.e., logging channels with a
-.Va type
-field set to
-.Dq Dv log_file .
-If the logging channel pointed to by
-.Dq Fa chan
-is valid, it attempts to open (and return) the stream associated with that
-channel. If the stream is already opened, then it is returned; otherwise,
-.Xr stat 2
-is used to test the filename for the stream.
-.Pp
-At this point, if the logging file is supposed to have different
-.Va versions
-(i.e., incremented version numbers; higher numbers indicate older versions
-of the logging file). If so, then any existing versions are
-.Xr rename 2 Ns -d
-to have one version-number higher than previously, and the
-.Dq current
-filename for the stream is set to the
-.Dq \&.0
-form of the name. Next, if the logging file is supposed to be truncated
-(i.e., the
-.Dv LOG_TRUNCATE
-bit of the
-.Va flags
-field of the logging channel structure is set), then any file with the
-.Dq current
-filename for the stream is
-.Xr unlink 2 Ns -d .
-.Sy NOTE :
-If the logging file is
-.Em not
-a regular file, and either of the above operations (version numbering
-or truncation) is supposed to take place, a
-.Dv NULL
-file pointer is returned.
-.Pp
-Finally, the filename associated with the logging channel is
-.Xr open 2 Ns -d
-using the appropriate flags and a mode which sets the read/write permissions
-for the user, group, and others. The file descriptor returned by
-.Xr open 2
-is then passed to
-.Xr fopen 3 ,
-with the append mode set, and the stream returned by this call is stored
-in the
-.Fa chan
-structure and returned.
-.Pp
-If
-.Fn log_open_stream
-fails at any point, then the
-.Dv LOG_CHANNEL_BROKEN
-bit of the
-.Va flags
-field of the logging channel pointed to by
-.Fa chan
-is set, a
-.Dv NULL
-is returned, and
-.Va errno
-contains pertinent information.
-.Pp
-The
-.Fn log_close_stream
-function closes the stream associated with the logging channel pointed to by
-.Dq Fa chan
-(if
-.Fa chan
-is valid and the stream exists and can be closed properly by
-.Xr fclose 3 ) .
-The stream is set to
-.Dv NULL
-even if the call to
-.Xr fclose 3
-fails.
-.Pp
-The function
-.Fn log_get_stream
-returns the stream associated with the logging channel pointed to by
-.Dq Fa chan ,
-if it is
-.No non- Ns Dv NULL
-and specifies a logging channel which has a
-.Dv FILE *
-or stream associated with it.
-.Pp
-The
-.Fn log_get_filename
-function returns the name of the file associated with the logging channel
-pointed to by
-.Dq Fa chan ,
-if it is
-.No non- Ns Dv NULL
-and specifies a logging channel which has a file associated with it.
-.Pp
-The
-.Fn log_vwrite
-function performs the actual logging of a message to the various logging
-channels of a logging context
-.Fa lc .
-The message consists of an
-.Xr fprint 3 Ns -style
-.Fa format
-and its associated
-.Fa args
-(if any); it will be written to all logging channels in the given
-.Fa category
-which have a priority set to
-.Fa level
-or any
-.Em less important
-priority value. If the
-.Fa category
-is not valid or has no logging channels, then the category defaults to 0.
-.Pp
-There are a number of conditions under which a call to
-.Fn log_vwrite
-will not result in actually logging the message: if there is no logging channel
-at even the default category (0), or if a given channel is either
-.Dq broken
-or
-.Dq off
-(i.e., its flags have
-.Dv LOG_CHANNEL_BROKEN
-or
-.Dv LOG_CHANNEL_OFF
-set, respectively), or if the logging channel channel is of type
-.Dv log_null .
-Additionally, if the logging channel's flag has
-.Dv LOG_REQUIRE_DEBUG
-set and the message is not a debugging message (i.e., has a level greater
-than 0), then it will not be logged.
-Finally, if the message's priority is less important than the
-channel's logging level (the priority threshold), will not be logged.
-.Sy NOTE :
-If a logging channel's flag has
-.Dv LOG_USE_CONTEXT_LEVEL
-set, it will use the logging context's priority, rather than its own.
-.Pp
-If all of these hurdles are passed, then only
-.Dv log_syslog
-and
-.Dv log_file
-channels actually can have logging. For channels which use
-.Xr syslog 3 ,
-the channel's
-.Xr syslog 3
-facility is used in conjunction with a potentially modified form of the
-message's priority level, since
-.Xr syslog 3
-has its own system of priorities
-.Pq Pa /usr/include/syslog.h .
-All debug messages (priority >= 0) are mapped to
-.Xr syslog 3 Ns 's
-.Dv LOG_DEBUG
-priority, all messages
-.Dq more important
-than
-.Dv log_critical
-are mapped to
-.Dv LOG_CRIT ,
-and the priorities corresponding to the ones listed in the section
-.Sx Message Priorities
-are given the obvious corresponding
-.Xr syslog 3
-priority.
-.Pp
-For
-.Dv log_file
-type logging channels, if the file size is greater than the maximum file
-size, then no logging occurs. (The same thing happens if a
-.Dv NULL
-stream is encountered and
-.Fn log_open_stream
-fails to open the channel's stream.)
-.Pp
-For both logging to normal files and logging via
-.Xr syslog 3 ,
-the value of the flags
-.Dv LOG_TIMESTAMP ,
-.Dv LOG_PRINT_CATEGORY ,
-and
-.Dv LOG_PRINT_LEVEL
-are used in determining whether or not these items are included in the logged
-information.
-.Pp
-The
-.Fn log_write
-function is merely a front-end to a call to
-.Fn log_vwrite ;
-see the description of that function, above, for more information.
-.Pp
-.Fn log_check
-and
-.Fn log_check_channel
-are used to see if a contemplated logging call will actually generate any
-output, which is useful when creating a log message involves non-trivial
-work.
-.Fn log_check
-will return non-zero if a call to
-.Fn log_vwrite
-with the given
-.Fa category
-and
-.Fa level
-would generate output on any channels, and zero otherwise.
-.Fn log_check_channel
-will return non-zero if writing to the
-.Fa chan
-at the given
-.Fa level
-would generate output.
-.Pp
-The function
-.Fn log_new_context
-creates a new
-.Nm logging context ,
-and stores this in the
-.Dq Va opaque
-field of the argument
-.Dq Fa lc ,
-and opaque structure used internally. This new
-.Nm context
-will include the
-.Dq Fa num_categories
-and
-.Dq Fa category_names
-which are supplied; the latter can be
-.Dv NULL .
-.Sy NOTE :
-Since
-.Dq Fa category_names
-is used directly, it
-.Em must not
-be freed by the caller, if it is
-.No non- Ns Dv NULL .
-The initial logging flags and priority are both set to zero.
-.Pp
-The
-.Fn log_free_context
-function is used to free the opaque structure
-.Dq Va lc.opaque
-and its components.
-.Sy NOTE :
-The
-.Dq Va opaque
-field of
-.Dq Fa lc
-.Em must
-be
-.No non- Ns Dv NULL .
-For each of the various
-.Dq categories
-(indicated by the
-.Dq Va num_categories
-which were in the corresponding call to
-.Fn log_new_context )
-associated with the given
-.Nm logging context ,
-.Em all
-of the
-.Nm logging channels
-are
-.Xr free 3 Ns -d .
-The opaque structure itself is then
-.Xr free 3 Ns -d ,
-and
-.Dq Va lc.opaque
-is set to
-.Dv NULL .
-.Pp
-.Sy NOTE :
-The function
-.Fn log_free_context
-does
-.Em not
-free the memory associated with
-.Fa category_names ,
-since the logging library did not allocate the memory for it, originally;
-it was supplied in the call to
-.Fn log_new_context .
-.Pp
-The function
-.Fn log_add_channel
-adds the
-.Nm logging channel
-.Dq Fa chan
-to the list of logging channels in the given
-.Fa category
-of the
-.Nm logging context
-.Dq Fa lc .
-No checking is performed to see whether or not
-.Fa chan
-is already present in the given
-.Fa category ,
-so multiple instances in a single
-.Fa category
-can occur (but see
-.Fn log_remove_channel ,
-below).
-.Pp
-The
-.Fn log_remove_channel
-function
-removes
-.Em all
-occurrences of the
-.Nm logging channel
-.Dq Fa chan
-from the list of logging channels in the given
-.Fa category
-of the
-.Nm logging context
-.Dq Fa lc .
-It also attempts to free the channel by calling
-.Fn log_free_channel
-(see its description, below).
-.Pp
-The
-.Fn log_option
-function is used to change the
-.Fa option
-of the indicated logging context
-.Fa lc
-to the given
-.Fa value .
-The
-.Fa option
-can be either
-.Dv LOG_OPTION_LEVEL
-or
-.Dv LOG_OPTION_DEBUG ;
-in the first case, the log context's debugging level is reset to the
-indicated level. If the
-.Fa option
-is
-.Dv LOG_OPTION_DEBUG ,
-then a non-zero
-.Fa value
-results in setting the debug flag of the logging context, while a zero
-.Fa value
-means that the debug flag is reset.
-.Pp
-The
-.Fn log_category_is_active
-test returns a 1 if the given
-.Fa category
-of the indicated logging context
-.Fa lc
-has at least one logging channel, and 0, otherwise.
-.Pp
-The functions
-.Fn log_new_syslog_channel ,
-.Fn log_new_file_channel ,
-and
-.Fn log_new_null_channel
-create a new channel of the type specified (thus, the difference in arguments);
-the
-.Dq Va type
-field of the new
-.Do
-.Ft struct log_channel
-.Dc
-is always set to the appropriate value.
-.Pp
-The
-.Fn log_new_syslog_channel
-function
-.Xr malloc 3 Ns -s
-a new
-.Ft struct log_channel
-of
-.Va type
-.Dv log_syslog ,
-i.e., a logging channel which will use
-.Xr syslog 3 .
-The new structure is filled out with the
-.Dq Fa flags ,
-.Dq Fa level ,
-and
-.Dq Fa facility
-which are given; the
-.Va references
-field is initialized to zero.
-See
-.Sx Logging Channel Flags
-and
-.Sx Message Priorities ,
-above, or the header file for information about acceptable values for
-.Dq Fa flags ,
-and
-.Dq Fa level .
-The
-.Dq Fa facility .
-can be any valid
-.Xr syslog 3
-facility; see the appropriate system header file or manpage for more
-information.
-.Pp
-.Ft log_channel
-.Fn log_new_file_channel "unsigned int flags" "int level" \
- "char *name" "FILE *stream" "unsigned int versions" \
- "unsigned long max_size"
-.Pp
-.Fn log_new_null_channel
-.Pp
-The functions
-.Fn log_inc_references
-and
-.Fn log_dec_references
-increment or decrements, respectively, the
-.Va references
-field of the logging channel pointed to by
-.Dq Fa chan ,
-if it is a valid channel (and if the
-.Va references
-field is strictly positive, in the case of
-.Fn log_dec_references ) .
-These functions are meant to track changes in the number of different clients
-which refer to the given logging channel.
-.Pp
-The
-.Fn log_free_channel
-function frees the
-field of the logging channel pointed to by
-.Dq Fa chan
-if there are no more outstanding references to it. If the channel uses a file,
-the stream is
-.Xr fclose 3 Ns -d
-(if the
-.Dv LOG_CLOSE_STREAM
-flag is set), and the filename, if
-.No non- Ns Dv NULL ,
-is
-.Xr free 3 Ns -d
-before
-.Dq Fa chan
-is
-.Xr free 3 Ns -d .
-.Pp
-.\" The following requests should be uncommented and
-.\" used where appropriate. This next request is
-.\" for sections 2 and 3 function return values only.
-.Sh RETURN VALUES
-.\" This next request is for sections 1, 6, 7 & 8 only
-.Bl -tag -width "log_category_is_active()"
-.It Fn log_open_stream
-.Dv NULL
-is returned under any of several error conditions:
-a) if
-.Dq Fa chan
-is either
-.Dv NULL
-or a
-.No non- Ns Dv log_file
-channel
-.Pq Va errno No is set to Dv EINVAL ;
-b) if either versioning or truncation is requested for a non-normal file
-.Pq Va errno No is set to Dv EINVAL ;
-c) if any of
-.Xr stat 2 ,
-.Xr open 2 ,
-or
-.Xr fdopen 3
-fails
-.Po
-.Va errno
-is set by the call which failed
-.Pc .
-If some value other than
-.Dv NULL
-is returned, then it is a valid logging stream (either newly-opened or
-already-open).
-.It Fn log_close_stream
--1 if the stream associated with
-.Dq Fa chan
-is
-.No non- Ns Dv NULL
-and the call to
-.Xr fclose 3
-fails.
-0 if successful or the logging channel pointed to by
-.Dq Fa chan
-is invalid (i.e.,
-.Dv NULL
-or not a logging channel which has uses a file); in the latter case,
-.Va errno
-is set to
-.Dv EINVAL .
-.It Fn log_get_stream
-.Dv NULL
-under the same conditions as those under which
-.Fn log_close_stream ,
-above, returns 0 (including the setting of
-.Va errno ) .
-Otherwise, the stream associated with the logging channel is returned.
-.It Fn log_get_filename
-.Dv NULL
-under the same conditions as those under which
-.Fn log_close_stream ,
-above, returns 0 (including the setting of
-.Va errno ) .
-Otherwise, the name of the file associated with the logging channel is
-returned.
-.It Fn log_new_context
--1 if
-.Xr malloc 3
-fails
-.Pq with Va errno No set to Dv ENOMEM .
-Otherwise, 0, with
-.Dq Va lc->opaque
-containing the new structures and information.
-.It Fn log_add_channel
--1 if
-a) either
-.Dq Va lc.opaque
-is
-.Dv NULL
-or
-.Fa category
-is invalid (negative or greater than or equal to
-.Va lcp->num_categories ) ,
-with
-.Va errno
-set to
-.Dv EINVAL ;
-b)
-.Xr malloc 3
-fails
-.Pq with Va errno No set to Dv ENOMEM .
-Otherwise, 0.
-.It Fn log_remove_channel
--1 if
-a) either
-.Dq Va lc.opaque
-is
-.Dv NULL
-or
-.Fa category
-is invalid, as under failure condition a) for
-.Fn log_add_channel ,
-above, including the setting of
-.Va errno ;
-b) no channel numbered
-.Fa chan
-is found in the logging context indicated by
-.Fa lc
-.Pq with Va errno No set to Dv ENOENT .
-Otherwise, 0.
-.It Fn log_option
--1 if
-a)
-.Dq Va lc.opaque
-is
-.Dv NULL ,
-b)
-.Fa option
-specifies an unknown logging option;
-in either case,
-.Va errno
-is set to
-.Dv EINVAL .
-Otherwise, 0.
-.It Fn log_category_is_active
--1 if
-.Dq Va lc.opaque
-is
-.Dv NULL
-.Pq with Va errno No set to Dv EINVAL ;
-1 if the
-.Fa category
-number is valid and there are logging channels in this
-.Fa category
-within the indicated logging context; 0 if the
-.Fa category
-number is invalid or there are no logging channels in this
-.Fa category
-within the indicated logging context.
-.It Fn log_new_syslog_channel
-.Dv NULL
-if
-.Xr malloc 3
-fails
-.Pq with Va errno No set to ENOMEM ;
-otherwise, a valid
-.Dv log_syslog Ns -type
-.Ft log_channel .
-.It Fn log_new_file_channel
-.Dv NULL
-if
-.Xr malloc 3
-fails
-.Pq with Va errno No set to ENOMEM ;
-otherwise, a valid
-.Dv log_file Ns -type
-.Ft log_channel .
-.It Fn log_new_null_channel
-.Dv NULL
-if
-.Xr malloc 3
-fails
-.Pq with Va errno No set to ENOMEM ;
-otherwise, a valid
-.Dv log_null Ns -type
-.Ft log_channel .
-.It Fn log_inc_references
--1 if
-.Dq Fa chan
-is
-.Dv NULL
-.Pq with Va errno set to Dv EINVAL .
-Otherwise, 0.
-.It Fn log_dec_references
--1 if
-.Dq Fa chan
-is
-.Dv NULL
-or its
-.Va references
-field is already <= 0
-.Pq with Va errno set to Dv EINVAL .
-Otherwise, 0.
-.It Fn log_free_channel
--1 under the same conditions as
-.Fn log_dec_references ,
-above, including the setting of
-.Va errno ;
-0 otherwise.
-.El
-.\" .Sh ENVIRONMENT
-.Sh FILES
-.Bl -tag -width "isc/logging.h"
-.It Pa isc/logging.h
-include file for logging library
-.It Pa syslog.h
-.Xr syslog 3 Ns -style
-priorities
-.El
-.\" .Sh EXAMPLES
-.\" This next request is for sections 1, 6, 7 & 8 only
-.\" (command return values (to shell) and
-.\" fprintf/stderr type diagnostics)
-.\" .Sh DIAGNOSTICS
-.\" The next request is for sections 2 and 3 error
-.\" and signal handling only.
-.Sh ERRORS
-This table shows which functions can return the indicated error in the
-.Va errno
-variable; see the
-.Sx RETURN VALUES
-section, above, for more information.
-.Bl -tag -width "(any0other0value)0"
-.It Dv EINVAL
-.Fn log_open_stream ,
-.Fn log_close_stream ,
-.Fn log_get_stream ,
-.Fn log_get_filename ,
-.Fn log_add_channel ,
-.Fn log_remove_channel ,
-.Fn log_option ,
-.Fn log_category_is_active ,
-.Fn log_inc_references ,
-.Fn log_dec_references ,
-.Fn log_free_channel .
-.It Dv ENOENT
-.Fn log_remove_channel .
-.It Dv ENOMEM
-.Fn log_new_context ,
-.Fn log_add_channel ,
-.Fn log_new_syslog_channel ,
-.Fn log_new_file_channel ,
-.Fn log_new_null_channel .
-.It (any other value)
-returned via a pass-through of an error code from
-.Xr stat 2 ,
-.Xr open 2 ,
-or
-.Xr fdopen 3 ,
-which can occur in
-.Fn log_open_stream
-and functions which call it
-.Pq currently, only Fn log_vwrite .
-.El
-.Pp
-Additionally,
-.Fn log_vwrite
-and
-.Fn log_free_context
-will fail via
-.Fn assert
-if
-.Dq Va lc.opaque
-is
-.Dv NULL .
-The function
-.Fn log_vwrite
-can also exit with a critical error logged via
-.Xr syslog 3
-indicating a memory overrun
-.Sh SEE ALSO
-.Xr @INDOT@named @SYS_OPS_EXT@ ,
-.Xr syslog 3 .
-The HTML documentation includes a file,
-.Pa logging.html ,
-which has more information about this logging system.
-.\" .Sh STANDARDS
-.\" .Sh HISTORY
-.Sh AUTHORS
-Bob Halley...TODO
-.\" .Sh BUGS
diff --git a/contrib/bind9/lib/bind/isc/logging_p.h b/contrib/bind9/lib/bind/isc/logging_p.h
deleted file mode 100644
index 99f6976f6c2a..000000000000
--- a/contrib/bind9/lib/bind/isc/logging_p.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef LOGGING_P_H
-#define LOGGING_P_H
-
-typedef struct log_file_desc {
- char *name;
- size_t name_size;
- FILE *stream;
- unsigned int versions;
- unsigned long max_size;
- uid_t owner;
- gid_t group;
-} log_file_desc;
-
-typedef union log_output {
- int facility;
- log_file_desc file;
-} log_output;
-
-struct log_channel {
- int level; /* don't log messages > level */
- log_channel_type type;
- log_output out;
- unsigned int flags;
- int references;
-};
-
-typedef struct log_channel_list {
- log_channel channel;
- struct log_channel_list *next;
-} *log_channel_list;
-
-#define LOG_BUFFER_SIZE 20480
-
-struct log_context {
- int num_categories;
- char **category_names;
- log_channel_list *categories;
- int flags;
- int level;
- char buffer[LOG_BUFFER_SIZE];
-};
-
-#endif /* !LOGGING_P_H */
diff --git a/contrib/bind9/lib/bind/isc/memcluster.c b/contrib/bind9/lib/bind/isc/memcluster.c
deleted file mode 100644
index c5b7202817c5..000000000000
--- a/contrib/bind9/lib/bind/isc/memcluster.c
+++ /dev/null
@@ -1,585 +0,0 @@
-/*
- * Copyright (c) 2005 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1997,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-
-/* When this symbol is defined allocations via memget are made slightly
- bigger and some debugging info stuck before and after the region given
- back to the caller. */
-/* #define DEBUGGING_MEMCLUSTER */
-#define MEMCLUSTER_ATEND
-
-
-#if !defined(LINT) && !defined(CODECENTER)
-static const char rcsid[] = "$Id: memcluster.c,v 1.3.206.7 2005/10/11 00:48:15 marka Exp $";
-#endif /* not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include <isc/memcluster.h>
-#include <isc/assertions.h>
-
-#include "port_after.h"
-
-#ifdef MEMCLUSTER_RECORD
-#ifndef DEBUGGING_MEMCLUSTER
-#define DEBUGGING_MEMCLUSTER
-#endif
-#endif
-
-#define DEF_MAX_SIZE 1100
-#define DEF_MEM_TARGET 4096
-
-typedef u_int32_t fence_t;
-
-typedef struct {
- void * next;
-#if defined(DEBUGGING_MEMCLUSTER)
-#if defined(MEMCLUSTER_RECORD)
- const char * file;
- int line;
-#endif
- size_t size;
- fence_t fencepost;
-#endif
-} memcluster_element;
-
-#define SMALL_SIZE_LIMIT sizeof(memcluster_element)
-#define P_SIZE sizeof(void *)
-#define FRONT_FENCEPOST 0xfebafeba
-#define BACK_FENCEPOST 0xabefabef
-#define FENCEPOST_SIZE 4
-
-#ifndef MEMCLUSTER_LITTLE_MALLOC
-#define MEMCLUSTER_BIG_MALLOC 1
-#define NUM_BASIC_BLOCKS 64
-#endif
-
-struct stats {
- u_long gets;
- u_long totalgets;
- u_long blocks;
- u_long freefrags;
-};
-
-#ifdef DO_PTHREADS
-#include <pthread.h>
-static pthread_mutex_t memlock = PTHREAD_MUTEX_INITIALIZER;
-#define MEMLOCK (void)pthread_mutex_lock(&memlock)
-#define MEMUNLOCK (void)pthread_mutex_unlock(&memlock)
-#else
-/*
- * Catch bad lock usage in non threaded build.
- */
-static unsigned int memlock = 0;
-#define MEMLOCK do { INSIST(memlock == 0); memlock = 1; } while (0)
-#define MEMUNLOCK do { INSIST(memlock == 1); memlock = 0; } while (0)
-#endif /* DO_PTHEADS */
-
-/* Private data. */
-
-static size_t max_size;
-static size_t mem_target;
-#ifndef MEMCLUSTER_BIG_MALLOC
-static size_t mem_target_half;
-static size_t mem_target_fudge;
-#endif
-static memcluster_element ** freelists;
-#ifdef MEMCLUSTER_RECORD
-static memcluster_element ** activelists;
-#endif
-#ifdef MEMCLUSTER_BIG_MALLOC
-static memcluster_element * basic_blocks;
-#endif
-static struct stats * stats;
-
-/* Forward. */
-
-static size_t quantize(size_t);
-#if defined(DEBUGGING_MEMCLUSTER)
-static void check(unsigned char *, int, size_t);
-#endif
-
-/* Public. */
-
-int
-meminit(size_t init_max_size, size_t target_size) {
-
-#if defined(DEBUGGING_MEMCLUSTER)
- INSIST(sizeof(fence_t) == FENCEPOST_SIZE);
-#endif
- if (freelists != NULL) {
- errno = EEXIST;
- return (-1);
- }
- if (init_max_size == 0U)
- max_size = DEF_MAX_SIZE;
- else
- max_size = init_max_size;
- if (target_size == 0U)
- mem_target = DEF_MEM_TARGET;
- else
- mem_target = target_size;
-#ifndef MEMCLUSTER_BIG_MALLOC
- mem_target_half = mem_target / 2;
- mem_target_fudge = mem_target + mem_target / 4;
-#endif
- freelists = malloc(max_size * sizeof (memcluster_element *));
- stats = malloc((max_size+1) * sizeof (struct stats));
- if (freelists == NULL || stats == NULL) {
- errno = ENOMEM;
- return (-1);
- }
- memset(freelists, 0,
- max_size * sizeof (memcluster_element *));
- memset(stats, 0, (max_size + 1) * sizeof (struct stats));
-#ifdef MEMCLUSTER_RECORD
- activelists = malloc((max_size + 1) * sizeof (memcluster_element *));
- if (activelists == NULL) {
- errno = ENOMEM;
- return (-1);
- }
- memset(activelists, 0,
- (max_size + 1) * sizeof (memcluster_element *));
-#endif
-#ifdef MEMCLUSTER_BIG_MALLOC
- basic_blocks = NULL;
-#endif
- return (0);
-}
-
-void *
-__memget(size_t size) {
- return (__memget_record(size, NULL, 0));
-}
-
-void *
-__memget_record(size_t size, const char *file, int line) {
- size_t new_size = quantize(size);
-#if defined(DEBUGGING_MEMCLUSTER)
- memcluster_element *e;
- char *p;
- fence_t fp = BACK_FENCEPOST;
-#endif
- void *ret;
-
- MEMLOCK;
-
-#if !defined(MEMCLUSTER_RECORD)
- UNUSED(file);
- UNUSED(line);
-#endif
- if (freelists == NULL) {
- if (meminit(0, 0) == -1) {
- MEMUNLOCK;
- return (NULL);
- }
- }
- if (size == 0U) {
- MEMUNLOCK;
- errno = EINVAL;
- return (NULL);
- }
- if (size >= max_size || new_size >= max_size) {
- /* memget() was called on something beyond our upper limit. */
- stats[max_size].gets++;
- stats[max_size].totalgets++;
-#if defined(DEBUGGING_MEMCLUSTER)
- e = malloc(new_size);
- if (e == NULL) {
- MEMUNLOCK;
- errno = ENOMEM;
- return (NULL);
- }
- e->next = NULL;
- e->size = size;
-#ifdef MEMCLUSTER_RECORD
- e->file = file;
- e->line = line;
- e->next = activelists[max_size];
- activelists[max_size] = e;
-#endif
- MEMUNLOCK;
- e->fencepost = FRONT_FENCEPOST;
- p = (char *)e + sizeof *e + size;
- memcpy(p, &fp, sizeof fp);
- return ((char *)e + sizeof *e);
-#else
- MEMUNLOCK;
- return (malloc(size));
-#endif
- }
-
- /*
- * If there are no blocks in the free list for this size, get a chunk
- * of memory and then break it up into "new_size"-sized blocks, adding
- * them to the free list.
- */
- if (freelists[new_size] == NULL) {
- int i, frags;
- size_t total_size;
- void *new;
- char *curr, *next;
-
-#ifdef MEMCLUSTER_BIG_MALLOC
- if (basic_blocks == NULL) {
- new = malloc(NUM_BASIC_BLOCKS * mem_target);
- if (new == NULL) {
- MEMUNLOCK;
- errno = ENOMEM;
- return (NULL);
- }
- curr = new;
- next = curr + mem_target;
- for (i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
- ((memcluster_element *)curr)->next = next;
- curr = next;
- next += mem_target;
- }
- /*
- * curr is now pointing at the last block in the
- * array.
- */
- ((memcluster_element *)curr)->next = NULL;
- basic_blocks = new;
- }
- total_size = mem_target;
- new = basic_blocks;
- basic_blocks = basic_blocks->next;
-#else
- if (new_size > mem_target_half)
- total_size = mem_target_fudge;
- else
- total_size = mem_target;
- new = malloc(total_size);
- if (new == NULL) {
- MEMUNLOCK;
- errno = ENOMEM;
- return (NULL);
- }
-#endif
- frags = total_size / new_size;
- stats[new_size].blocks++;
- stats[new_size].freefrags += frags;
- /* Set up a linked-list of blocks of size "new_size". */
- curr = new;
- next = curr + new_size;
- for (i = 0; i < (frags - 1); i++) {
-#if defined (DEBUGGING_MEMCLUSTER)
- memset(curr, 0xa5, new_size);
-#endif
- ((memcluster_element *)curr)->next = next;
- curr = next;
- next += new_size;
- }
- /* curr is now pointing at the last block in the array. */
-#if defined (DEBUGGING_MEMCLUSTER)
- memset(curr, 0xa5, new_size);
-#endif
- ((memcluster_element *)curr)->next = freelists[new_size];
- freelists[new_size] = new;
- }
-
- /* The free list uses the "rounded-up" size "new_size". */
-#if defined (DEBUGGING_MEMCLUSTER)
- e = freelists[new_size];
- ret = (char *)e + sizeof *e;
- /*
- * Check to see if this buffer has been written to while on free list.
- */
- check(ret, 0xa5, new_size - sizeof *e);
- /*
- * Mark memory we are returning.
- */
- memset(ret, 0xe5, size);
-#else
- ret = freelists[new_size];
-#endif
- freelists[new_size] = freelists[new_size]->next;
-#if defined(DEBUGGING_MEMCLUSTER)
- e->next = NULL;
- e->size = size;
- e->fencepost = FRONT_FENCEPOST;
-#ifdef MEMCLUSTER_RECORD
- e->file = file;
- e->line = line;
- e->next = activelists[size];
- activelists[size] = e;
-#endif
- p = (char *)e + sizeof *e + size;
- memcpy(p, &fp, sizeof fp);
-#endif
-
- /*
- * The stats[] uses the _actual_ "size" requested by the
- * caller, with the caveat (in the code above) that "size" >= the
- * max. size (max_size) ends up getting recorded as a call to
- * max_size.
- */
- stats[size].gets++;
- stats[size].totalgets++;
- stats[new_size].freefrags--;
- MEMUNLOCK;
-#if defined(DEBUGGING_MEMCLUSTER)
- return ((char *)e + sizeof *e);
-#else
- return (ret);
-#endif
-}
-
-/*
- * This is a call from an external caller,
- * so we want to count this as a user "put".
- */
-void
-__memput(void *mem, size_t size) {
- __memput_record(mem, size, NULL, 0);
-}
-
-void
-__memput_record(void *mem, size_t size, const char *file, int line) {
- size_t new_size = quantize(size);
-#if defined (DEBUGGING_MEMCLUSTER)
- memcluster_element *e;
- memcluster_element *el;
-#ifdef MEMCLUSTER_RECORD
- memcluster_element *prev;
-#endif
- fence_t fp;
- char *p;
-#endif
-
- MEMLOCK;
-
-#if !defined (MEMCLUSTER_RECORD)
- UNUSED(file);
- UNUSED(line);
-#endif
-
- REQUIRE(freelists != NULL);
-
- if (size == 0U) {
- MEMUNLOCK;
- errno = EINVAL;
- return;
- }
-
-#if defined (DEBUGGING_MEMCLUSTER)
- e = (memcluster_element *) ((char *)mem - sizeof *e);
- INSIST(e->fencepost == FRONT_FENCEPOST);
- INSIST(e->size == size);
- p = (char *)e + sizeof *e + size;
- memcpy(&fp, p, sizeof fp);
- INSIST(fp == BACK_FENCEPOST);
- INSIST(((int)mem % 4) == 0);
-#ifdef MEMCLUSTER_RECORD
- prev = NULL;
- if (size == max_size || new_size >= max_size)
- el = activelists[max_size];
- else
- el = activelists[size];
- while (el != NULL && el != e) {
- prev = el;
- el = el->next;
- }
- INSIST(el != NULL); /* double free */
- if (prev == NULL) {
- if (size == max_size || new_size >= max_size)
- activelists[max_size] = el->next;
- else
- activelists[size] = el->next;
- } else
- prev->next = el->next;
-#endif
-#endif
-
- if (size == max_size || new_size >= max_size) {
- /* memput() called on something beyond our upper limit */
-#if defined(DEBUGGING_MEMCLUSTER)
- free(e);
-#else
- free(mem);
-#endif
-
- INSIST(stats[max_size].gets != 0U);
- stats[max_size].gets--;
- MEMUNLOCK;
- return;
- }
-
- /* The free list uses the "rounded-up" size "new_size": */
-#if defined(DEBUGGING_MEMCLUSTER)
- memset(mem, 0xa5, new_size - sizeof *e); /* catch write after free */
- e->size = 0; /* catch double memput() */
-#ifdef MEMCLUSTER_RECORD
- e->file = file;
- e->line = line;
-#endif
-#ifdef MEMCLUSTER_ATEND
- e->next = NULL;
- el = freelists[new_size];
- while (el != NULL && el->next != NULL)
- el = el->next;
- if (el)
- el->next = e;
- else
- freelists[new_size] = e;
-#else
- e->next = freelists[new_size];
- freelists[new_size] = (void *)e;
-#endif
-#else
- ((memcluster_element *)mem)->next = freelists[new_size];
- freelists[new_size] = (memcluster_element *)mem;
-#endif
-
- /*
- * The stats[] uses the _actual_ "size" requested by the
- * caller, with the caveat (in the code above) that "size" >= the
- * max. size (max_size) ends up getting recorded as a call to
- * max_size.
- */
- INSIST(stats[size].gets != 0U);
- stats[size].gets--;
- stats[new_size].freefrags++;
- MEMUNLOCK;
-}
-
-void *
-__memget_debug(size_t size, const char *file, int line) {
- void *ptr;
- ptr = __memget_record(size, file, line);
- fprintf(stderr, "%s:%d: memget(%lu) -> %p\n", file, line,
- (u_long)size, ptr);
- return (ptr);
-}
-
-void
-__memput_debug(void *ptr, size_t size, const char *file, int line) {
- fprintf(stderr, "%s:%d: memput(%p, %lu)\n", file, line, ptr,
- (u_long)size);
- __memput_record(ptr, size, file, line);
-}
-
-/*
- * Print the stats[] on the stream "out" with suitable formatting.
- */
-void
-memstats(FILE *out) {
- size_t i;
-#ifdef MEMCLUSTER_RECORD
- memcluster_element *e;
-#endif
-
- MEMLOCK;
-
- if (freelists == NULL) {
- MEMUNLOCK;
- return;
- }
- for (i = 1; i <= max_size; i++) {
- const struct stats *s = &stats[i];
-
- if (s->totalgets == 0U && s->gets == 0U)
- continue;
- fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
- (i == max_size) ? ">=" : " ",
- (unsigned long)i, s->totalgets, s->gets);
- if (s->blocks != 0U)
- fprintf(out, " (%lu bl, %lu ff)",
- s->blocks, s->freefrags);
- fputc('\n', out);
- }
-#ifdef MEMCLUSTER_RECORD
- fprintf(out, "Active Memory:\n");
- for (i = 1; i <= max_size; i++) {
- if ((e = activelists[i]) != NULL)
- while (e != NULL) {
- fprintf(out, "%s:%d %p:%d\n",
- e->file != NULL ? e->file :
- "<UNKNOWN>", e->line,
- (char *)e + sizeof *e, e->size);
- e = e->next;
- }
- }
-#endif
- MEMUNLOCK;
-}
-
-int
-memactive(void) {
- size_t i;
-
- if (stats == NULL)
- return (0);
- for (i = 1; i <= max_size; i++)
- if (stats[i].gets != 0U)
- return (1);
- return (0);
-}
-
-/* Private. */
-
-/*
- * Round up size to a multiple of sizeof(void *). This guarantees that a
- * block is at least sizeof void *, and that we won't violate alignment
- * restrictions, both of which are needed to make lists of blocks.
- */
-static size_t
-quantize(size_t size) {
- int remainder;
- /*
- * If there is no remainder for the integer division of
- *
- * (rightsize/P_SIZE)
- *
- * then we already have a good size; if not, then we need
- * to round up the result in order to get a size big
- * enough to satisfy the request _and_ aligned on P_SIZE boundaries.
- */
- remainder = size % P_SIZE;
- if (remainder != 0)
- size += P_SIZE - remainder;
-#if defined(DEBUGGING_MEMCLUSTER)
- return (size + SMALL_SIZE_LIMIT + sizeof (int));
-#else
- return (size);
-#endif
-}
-
-#if defined(DEBUGGING_MEMCLUSTER)
-static void
-check(unsigned char *a, int value, size_t len) {
- size_t i;
- for (i = 0; i < len; i++)
- INSIST(a[i] == value);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/isc/memcluster.mdoc b/contrib/bind9/lib/bind/isc/memcluster.mdoc
deleted file mode 100644
index cd4e6fbf2f97..000000000000
--- a/contrib/bind9/lib/bind/isc/memcluster.mdoc
+++ /dev/null
@@ -1,376 +0,0 @@
-.\" $Id: memcluster.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
-.\"
-.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 1995-1999 by Internet Software Consortium
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The following six UNCOMMENTED lines are required.
-.Dd Month day, year
-.\"Os OPERATING_SYSTEM [version/release]
-.Os BSD 4
-.\"Dt DOCUMENT_TITLE [section number] [volume]
-.Dt MEMCLUSTER 3
-.Sh NAME
-.Nm meminit ,
-.Nm memget ,
-.Nm memput ,
-.Nm memstats
-.Nd memory allocation/deallocation system
-.Sh SYNOPSIS
-.Fd #include \&<isc/memcluster.h\&>
-.Ft void *
-.Fn memget "size_t size"
-.Ft void
-.Fn memput "void *mem" "size_t size"
-.Ft void
-.Fn memstats "FILE *out"
-.Sh DESCRIPTION
-These functions access a memory management system which allows callers to not
-fragment memory to the extent which can ordinarily occur through many random
-calls to
-.Xr malloc 3 .
-Instead,
-.Fn memget
-gets a large contiguous chunk of blocks of the requested
-.Fa size
-and parcels out these blocks as requested. The symmetric call is
-.Fn memput ,
-which callers use to return a piece of memory obtained from
-.Fn memget .
-Statistics about memory usage are returned by
-.Fn memstats ,
-which prints a report on the stream
-.Fa out .
-.Ss INTERNALS
-Internally, linked lists of free memory blocks are stored in an array.
-The size of this array is determined by the value
-.Dv MEM_FREECOUNT ,
-currently set to 1100. In general, for any requested blocksize
-.Dq Fa size ,
-any free blocks will be stored on the linked list at that index.
-No free lists are managed for blocks greater than or equal to
-.Dv MEM_FREECOUNT
-bytes; instead, calls to
-.Xr malloc 3
-or
-.Xr free 3
-are made, directly.
-.Pp
-Since the blocks are actually stored as linked lists, they must at least
-be large enough to hold a pointer to the next block. This size, which is
-.Dv SMALL_SIZE_LIMIT ,
-is currently defined as
-.Bd -literal -offset indent
-#define SMALL_SIZE_LIMIT sizeof(struct { void *next; })
-.Ed
-.Pp
-Both
-.Fn memget
-and
-.Fn memput
-enforce this limit; for example, any call to
-.Fn memget
-requesting a block smaller than
-.Dv SMALL_SIZE_LIMIT
-bytes will actually be considered to be of size
-.Dv SMALL_SIZE_LIMIT
-internally. (Such a caller request will be logged for
-.Fn memstats
-purposes using the caller-requested
-.Fa size ;
-see the discussion of
-.Fn memstats ,
-below, for more information.)
-.Pp
-Additionally, the requested
-.Fa size
-will be adjusted so that when a large
-.Xr malloc 3 Ns No -d
-chunk of memory is broken up into a linked list, the blocks will all fall on
-the correct memory alignment boundaries. Thus, one can conceptualize a call
-which mentions
-.Fa size
-as resulting in a
-.Fa new_size
-which is used internally.
-.Pp
-In order to more efficiently allocate memory, there is a
-.Dq target
-size for calls to
-.Xr malloc 3 .
-It is given by the pre-defined value
-.Dv MEM_TARGET ,
-which is currently 4096 bytes.
-For any requested block
-.Fa size ,
-enough memory is
-.Xr malloc 3 Ns No -d
-in order to fill up a block of about
-.Dv MEM_TARGET
-bytes.
-.No [ Ns Sy NOTE :
-For allocations larger than
-.Dv MEM_TARGET Ns No /2
-bytes, there is a
-.Dq fudge factor
-introduced which boosts the target size by 25% of
-.Dv MEM_TARGET .
-This means that enough memory for two blocks
-will actually be allocated for any
-.Fa size
-such that
-.Pq Dv MEM_TARGET Ns No / 3
-.No < Fa size No <
-.Pq Dv MEM_TARGET Ns No *5/8 ,
-provided that the value of
-.Dv MEM_FREECOUNT
-is at least as large as the upper limit shown above.]
-.Pp
-.Ss FUNCTION DESCRIPTIONS
-.Pp
-The function
-.Fn memget
-returns a pointer to a block of memory of at least the requested
-.Fa size .
-After adjusting
-.Fa size
-to the value
-.Va new_size
-as mentioned above in the
-.Sx INTERNALS
-subsection, the internal array of free lists is checked.
-If there is no block of the needed
-.Va new_size ,
-then
-.Fn memget
-will
-.Xr malloc 3
-a chunk of memory which is as many times as
-.Va new_size
-will fit into the target size. This memory is then turned into a linked list
-of
-.Va new_size Ns No -sized
-blocks which are given out as requested; the last such block is the first one
-returned by
-.Fn memget .
-If the requested
-.Fa size
-is zero or negative, then
-.Dv NULL
-is returned and
-.Va errno
-is set to
-.Dv EINVAL ;
-if
-.Fa size
-is larger than or equal to the pre-defined maximum size
-.Dv MEM_FREECOUNT ,
-then only a single block of exactly
-.Fa size
-will be
-.Xr malloc 3 Ns No -d
-and returned.
-.Pp
-The
-.Fn memput
-call is used to return memory once the caller is finished with it.
-After adjusting
-.Fa size
-the the value
-.Va new_size
-as mentioned in the
-.Sx INTERNALS
-subsection, above, the block is placed at the head of the free list of
-.Va new_size Ns -sized
-blocks.
-If the given
-.Fa size
-is zero or negative, then
-.Va errno
-is set to
-.Dv EINVAL ,
-as for
-.Fn memget .
-If
-.Fa size
-is larger than or equal to the pre-defined maximum size
-.Dv MEM_FREECOUNT ,
-then the block is immediately
-.Xr free 3 Ns No -d .
-.Pp
-.Sy NOTE :
-It is important that callers give
-.Fn memput
-.Em only
-blocks of memory which were previously obtained from
-.Fn memget
-if the block is
-.Em actually
-less than
-.Dv SMALL_SIZE_LIMIT
-bytes in size. Since all blocks will be added to a free list, any block
-which is not at least
-.Dv SMALL_SIZE_LIMIT
-bytes long will not be able to hold a pointer to the next block in the
-free list.
-.Pp
-The
-.Fn memstats
-function will summarize the number of calls to
-.Fn memget
-and
-.Fn memput
-for any block size from 1 byte up to
-.Pq Dv MEM_FREECOUNT No - 1
-bytes, followed by a single line for any calls using a
-.Fa size
-greater than or equal to
-.Dv MEM_FREECOUNT ;
-a brief header with shell-style comment lines prefaces the report and
-explains the information. The
-.Dv FILE
-pointer
-.Fa out
-identifies the stream which is used for this report. Currently,
-.Fn memstat
-reports the number of calls to
-.Fn memget
-and
-.Fn memput
-using the caller-supplied value
-.Fa size ;
-the percentage of outstanding blocks of a given size (i.e., the percentage
-by which calls to
-.Fn memget
-exceed
-.Fn memput )
-are also reported on the line for blocks of the given
-.Fa size .
-However, the percent of blocks used is computed using the number of
-blocks allocated according to the internal parameter
-.Va new_size ;
-it is the percentage of blocks used to those available at a given
-.Va new_size ,
-and is computed using the
-.Em total
-number of caller
-.Dq gets
-for any caller
-.Fa size Ns No -s
-which map to the internally-computed
-.Va new_size .
-Keep in mind that
-.Va new_size
-is generally
-.Em not
-equal to
-.Fa size ,
-which has these implications:
-.Bl -enum -offset indent
-.It
-For
-.Fa size
-smaller than
-.Dv SMALL_SIZE_LIMIT ,
-.Fn memstat
-.Em will
-show statistics for caller requests under
-.Fa size ,
-but "percent used" information about such blocks will be reported under
-.Dv SMALL_SIZE_LIMIT Ns No -sized
-blocks.
-.It
-As a general case of point 1, internal statistics are reported on the the
-line corresponding to
-.Va new_size ,
-so that, for a given caller-supplied
-.Fa size ,
-the associated internal information will appear on that line or on the next
-line which shows "percent used" information.
-.El
-.Pp
-.Sy NOTE :
-If the caller returns blocks of a given
-.Fa size
-and requests others of
-.Fa size Ns No -s
-which map to the same internal
-.Va new_size ,
-it is possible for
-.Fn memstats
-to report usage of greater than 100% for blocks of size
-.Va new_size .
-This should be viewed as A Good Thing.
-.Sh RETURN VALUES
-The function
-.Fn memget
-returns a
-.No non- Ns Dv NULL
-pointer to a block of memory of the requested
-.Fa size .
-It returns
-.Dv NULL
-if either the
-.Fa size
-is invalid (less than or equal to zero) or a
-.Xr malloc 3
-of a new block of memory fails. In the former case,
-.Va errno
-is set to
-.Dv EINVAL ;
-in the latter, it is set to
-.Dv ENOMEM .
-.Pp
-Neither
-.Fn memput
-nor
-.Fn memstats
-return a value.
-.\" This next request is for sections 1, 6, 7 & 8 only
-.\" .Sh ENVIRONMENT
-.\" .Sh FILES
-.\" .Sh EXAMPLES
-.\" This next request is for sections 1, 6, 7 & 8 only
-.\" (command return values (to shell) and
-.\" fprintf/stderr type diagnostics)
-.\" .Sh DIAGNOSTICS
-.\" The next request is for sections 2 and 3 error
-.\" and signal handling only.
-.Sh ERRORS
-.Va errno
-is set as follows:
-.Bl -tag -width "ENOMEM " -offset indent
-.It Dv EINVAL
-set by both
-.Fn memget
-and
-.Fn memput
-if the
-.Fa size
-is zero or negative
-.It Dv ENOMEM
-set by
-.Fn memget
-if a call to
-.Xr malloc 3
-fails
-.El
-.Sh SEE ALSO
-.Xr free 3 ,
-.Xr malloc 3 .
-.\" .Sh STANDARDS
-.\" .Sh HISTORY
-.Sh AUTHORS
-Steven J. Richardson and Paul Vixie, Vixie Enterprises.
-.\" .Sh BUGS
diff --git a/contrib/bind9/lib/bind/isc/movefile.c b/contrib/bind9/lib/bind/isc/movefile.c
deleted file mode 100644
index 8582aa72bda5..000000000000
--- a/contrib/bind9/lib/bind/isc/movefile.c
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 2000 by Internet Software Consortium, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-
-#include <port_before.h>
-#include <stdio.h>
-#include <isc/misc.h>
-#include <port_after.h>
-#ifndef HAVE_MOVEFILE
-/*
- * rename() is lame (can't overwrite an existing file) on some systems.
- * use movefile() instead, and let lame OS ports do what they need to.
- */
-
-int
-isc_movefile(const char *oldname, const char *newname) {
- return (rename(oldname, newname));
-}
-#else
- static int os_port_has_isc_movefile = 1;
-#endif
diff --git a/contrib/bind9/lib/bind/isc/tree.c b/contrib/bind9/lib/bind/isc/tree.c
deleted file mode 100644
index 9bdf6d62affd..000000000000
--- a/contrib/bind9/lib/bind/isc/tree.c
+++ /dev/null
@@ -1,532 +0,0 @@
-#ifndef LINT
-static const char rcsid[] = "$Id: tree.c,v 1.2.206.1 2004/03/09 08:33:43 marka Exp $";
-#endif
-
-/*
- * tree - balanced binary tree library
- *
- * vix 05apr94 [removed vixie.h dependencies; cleaned up formatting, names]
- * vix 22jan93 [revisited; uses RCS, ANSI, POSIX; has bug fixes]
- * vix 23jun86 [added delete uar to add for replaced nodes]
- * vix 20jun86 [added tree_delete per wirth a+ds (mod2 v.) p. 224]
- * vix 06feb86 [added tree_mung()]
- * vix 02feb86 [added tree balancing from wirth "a+ds=p" p. 220-221]
- * vix 14dec85 [written]
- */
-
-/*
- * This program text was created by Paul Vixie using examples from the book:
- * "Algorithms & Data Structures," Niklaus Wirth, Prentice-Hall, 1986, ISBN
- * 0-13-022005-1. Any errors in the conversion from Modula-2 to C are Paul
- * Vixie's.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*#define DEBUG "tree"*/
-
-#include "port_before.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "port_after.h"
-
-#include <isc/memcluster.h>
-#include <isc/tree.h>
-
-#ifdef DEBUG
-static int debugDepth = 0;
-static char *debugFuncs[256];
-# define ENTER(proc) { \
- debugFuncs[debugDepth] = proc; \
- fprintf(stderr, "ENTER(%d:%s.%s)\n", \
- debugDepth, DEBUG, \
- debugFuncs[debugDepth]); \
- debugDepth++; \
- }
-# define RET(value) { \
- debugDepth--; \
- fprintf(stderr, "RET(%d:%s.%s)\n", \
- debugDepth, DEBUG, \
- debugFuncs[debugDepth]); \
- return (value); \
- }
-# define RETV { \
- debugDepth--; \
- fprintf(stderr, "RETV(%d:%s.%s)\n", \
- debugDepth, DEBUG, \
- debugFuncs[debugDepth]); \
- return; \
- }
-# define MSG(msg) fprintf(stderr, "MSG(%s)\n", msg);
-#else
-# define ENTER(proc) ;
-# define RET(value) return (value);
-# define RETV return;
-# define MSG(msg) ;
-#endif
-
-#ifndef TRUE
-# define TRUE 1
-# define FALSE 0
-#endif
-
-static tree * sprout(tree **, tree_t, int *, int (*)(), void (*)());
-static int delete(tree **, int (*)(), tree_t, void (*)(), int *, int *);
-static void del(tree **, int *, tree **, void (*)(), int *);
-static void bal_L(tree **, int *);
-static void bal_R(tree **, int *);
-
-void
-tree_init(tree **ppr_tree) {
- ENTER("tree_init")
- *ppr_tree = NULL;
- RETV
-}
-
-tree_t
-tree_srch(tree **ppr_tree, int (*pfi_compare)(tree_t, tree_t), tree_t p_user) {
- ENTER("tree_srch")
-
- if (*ppr_tree) {
- int i_comp = (*pfi_compare)(p_user, (**ppr_tree).data);
-
- if (i_comp > 0)
- RET(tree_srch(&(**ppr_tree).right,
- pfi_compare,
- p_user))
-
- if (i_comp < 0)
- RET(tree_srch(&(**ppr_tree).left,
- pfi_compare,
- p_user))
-
- /* not higher, not lower... this must be the one.
- */
- RET((**ppr_tree).data)
- }
-
- /* grounded. NOT found.
- */
- RET(NULL)
-}
-
-tree_t
-tree_add(tree **ppr_tree, int (*pfi_compare)(tree_t, tree_t),
- tree_t p_user, void (*pfv_uar)())
-{
- int i_balance = FALSE;
-
- ENTER("tree_add")
- if (!sprout(ppr_tree, p_user, &i_balance, pfi_compare, pfv_uar))
- RET(NULL)
- RET(p_user)
-}
-
-int
-tree_delete(tree **ppr_p, int (*pfi_compare)(tree_t, tree_t),
- tree_t p_user, void (*pfv_uar)())
-{
- int i_balance = FALSE, i_uar_called = FALSE;
-
- ENTER("tree_delete");
- RET(delete(ppr_p, pfi_compare, p_user, pfv_uar,
- &i_balance, &i_uar_called))
-}
-
-int
-tree_trav(tree **ppr_tree, int (*pfi_uar)(tree_t)) {
- ENTER("tree_trav")
-
- if (!*ppr_tree)
- RET(TRUE)
-
- if (!tree_trav(&(**ppr_tree).left, pfi_uar))
- RET(FALSE)
- if (!(*pfi_uar)((**ppr_tree).data))
- RET(FALSE)
- if (!tree_trav(&(**ppr_tree).right, pfi_uar))
- RET(FALSE)
- RET(TRUE)
-}
-
-void
-tree_mung(tree **ppr_tree, void (*pfv_uar)(tree_t)) {
- ENTER("tree_mung")
- if (*ppr_tree) {
- tree_mung(&(**ppr_tree).left, pfv_uar);
- tree_mung(&(**ppr_tree).right, pfv_uar);
- if (pfv_uar)
- (*pfv_uar)((**ppr_tree).data);
- memput(*ppr_tree, sizeof(tree));
- *ppr_tree = NULL;
- }
- RETV
-}
-
-static tree *
-sprout(tree **ppr, tree_t p_data, int *pi_balance,
- int (*pfi_compare)(tree_t, tree_t), void (*pfv_delete)(tree_t))
-{
- tree *p1, *p2, *sub;
- int cmp;
-
- ENTER("sprout")
-
- /* are we grounded? if so, add the node "here" and set the rebalance
- * flag, then exit.
- */
- if (!*ppr) {
- MSG("grounded. adding new node, setting h=true")
- *ppr = (tree *) memget(sizeof(tree));
- if (*ppr) {
- (*ppr)->left = NULL;
- (*ppr)->right = NULL;
- (*ppr)->bal = 0;
- (*ppr)->data = p_data;
- *pi_balance = TRUE;
- }
- RET(*ppr);
- }
-
- /* compare the data using routine passed by caller.
- */
- cmp = (*pfi_compare)(p_data, (*ppr)->data);
-
- /* if LESS, prepare to move to the left.
- */
- if (cmp < 0) {
- MSG("LESS. sprouting left.")
- sub = sprout(&(*ppr)->left, p_data, pi_balance,
- pfi_compare, pfv_delete);
- if (sub && *pi_balance) { /* left branch has grown */
- MSG("LESS: left branch has grown")
- switch ((*ppr)->bal) {
- case 1:
- /* right branch WAS longer; bal is ok now */
- MSG("LESS: case 1.. bal restored implicitly")
- (*ppr)->bal = 0;
- *pi_balance = FALSE;
- break;
- case 0:
- /* balance WAS okay; now left branch longer */
- MSG("LESS: case 0.. balnce bad but still ok")
- (*ppr)->bal = -1;
- break;
- case -1:
- /* left branch was already too long. rebal */
- MSG("LESS: case -1: rebalancing")
- p1 = (*ppr)->left;
- if (p1->bal == -1) { /* LL */
- MSG("LESS: single LL")
- (*ppr)->left = p1->right;
- p1->right = *ppr;
- (*ppr)->bal = 0;
- *ppr = p1;
- } else { /* double LR */
- MSG("LESS: double LR")
-
- p2 = p1->right;
- p1->right = p2->left;
- p2->left = p1;
-
- (*ppr)->left = p2->right;
- p2->right = *ppr;
-
- if (p2->bal == -1)
- (*ppr)->bal = 1;
- else
- (*ppr)->bal = 0;
-
- if (p2->bal == 1)
- p1->bal = -1;
- else
- p1->bal = 0;
- *ppr = p2;
- } /*else*/
- (*ppr)->bal = 0;
- *pi_balance = FALSE;
- } /*switch*/
- } /*if*/
- RET(sub)
- } /*if*/
-
- /* if MORE, prepare to move to the right.
- */
- if (cmp > 0) {
- MSG("MORE: sprouting to the right")
- sub = sprout(&(*ppr)->right, p_data, pi_balance,
- pfi_compare, pfv_delete);
- if (sub && *pi_balance) {
- MSG("MORE: right branch has grown")
-
- switch ((*ppr)->bal) {
- case -1:
- MSG("MORE: balance was off, fixed implicitly")
- (*ppr)->bal = 0;
- *pi_balance = FALSE;
- break;
- case 0:
- MSG("MORE: balance was okay, now off but ok")
- (*ppr)->bal = 1;
- break;
- case 1:
- MSG("MORE: balance was off, need to rebalance")
- p1 = (*ppr)->right;
- if (p1->bal == 1) { /* RR */
- MSG("MORE: single RR")
- (*ppr)->right = p1->left;
- p1->left = *ppr;
- (*ppr)->bal = 0;
- *ppr = p1;
- } else { /* double RL */
- MSG("MORE: double RL")
-
- p2 = p1->left;
- p1->left = p2->right;
- p2->right = p1;
-
- (*ppr)->right = p2->left;
- p2->left = *ppr;
-
- if (p2->bal == 1)
- (*ppr)->bal = -1;
- else
- (*ppr)->bal = 0;
-
- if (p2->bal == -1)
- p1->bal = 1;
- else
- p1->bal = 0;
-
- *ppr = p2;
- } /*else*/
- (*ppr)->bal = 0;
- *pi_balance = FALSE;
- } /*switch*/
- } /*if*/
- RET(sub)
- } /*if*/
-
- /* not less, not more: this is the same key! replace...
- */
- MSG("FOUND: Replacing data value")
- *pi_balance = FALSE;
- if (pfv_delete)
- (*pfv_delete)((*ppr)->data);
- (*ppr)->data = p_data;
- RET(*ppr)
-}
-
-static int
-delete(tree **ppr_p, int (*pfi_compare)(tree_t, tree_t), tree_t p_user,
- void (*pfv_uar)(tree_t), int *pi_balance, int *pi_uar_called)
-{
- tree *pr_q;
- int i_comp, i_ret;
-
- ENTER("delete")
-
- if (*ppr_p == NULL) {
- MSG("key not in tree")
- RET(FALSE)
- }
-
- i_comp = (*pfi_compare)((*ppr_p)->data, p_user);
- if (i_comp > 0) {
- MSG("too high - scan left")
- i_ret = delete(&(*ppr_p)->left, pfi_compare, p_user, pfv_uar,
- pi_balance, pi_uar_called);
- if (*pi_balance)
- bal_L(ppr_p, pi_balance);
- } else if (i_comp < 0) {
- MSG("too low - scan right")
- i_ret = delete(&(*ppr_p)->right, pfi_compare, p_user, pfv_uar,
- pi_balance, pi_uar_called);
- if (*pi_balance)
- bal_R(ppr_p, pi_balance);
- } else {
- MSG("equal")
- pr_q = *ppr_p;
- if (pr_q->right == NULL) {
- MSG("right subtree null")
- *ppr_p = pr_q->left;
- *pi_balance = TRUE;
- } else if (pr_q->left == NULL) {
- MSG("right subtree non-null, left subtree null")
- *ppr_p = pr_q->right;
- *pi_balance = TRUE;
- } else {
- MSG("neither subtree null")
- del(&pr_q->left, pi_balance, &pr_q,
- pfv_uar, pi_uar_called);
- if (*pi_balance)
- bal_L(ppr_p, pi_balance);
- }
- if (!*pi_uar_called && pfv_uar)
- (*pfv_uar)(pr_q->data);
- /* Thanks to wuth@castrov.cuc.ab.ca for the following stmt. */
- memput(pr_q, sizeof(tree));
- i_ret = TRUE;
- }
- RET(i_ret)
-}
-
-static void
-del(tree **ppr_r, int *pi_balance, tree **ppr_q,
- void (*pfv_uar)(tree_t), int *pi_uar_called)
-{
- ENTER("del")
-
- if ((*ppr_r)->right != NULL) {
- del(&(*ppr_r)->right, pi_balance, ppr_q,
- pfv_uar, pi_uar_called);
- if (*pi_balance)
- bal_R(ppr_r, pi_balance);
- } else {
- if (pfv_uar)
- (*pfv_uar)((*ppr_q)->data);
- *pi_uar_called = TRUE;
- (*ppr_q)->data = (*ppr_r)->data;
- *ppr_q = *ppr_r;
- *ppr_r = (*ppr_r)->left;
- *pi_balance = TRUE;
- }
-
- RETV
-}
-
-static void
-bal_L(tree **ppr_p, int *pi_balance) {
- tree *p1, *p2;
- int b1, b2;
-
- ENTER("bal_L")
- MSG("left branch has shrunk")
-
- switch ((*ppr_p)->bal) {
- case -1:
- MSG("was imbalanced, fixed implicitly")
- (*ppr_p)->bal = 0;
- break;
- case 0:
- MSG("was okay, is now one off")
- (*ppr_p)->bal = 1;
- *pi_balance = FALSE;
- break;
- case 1:
- MSG("was already off, this is too much")
- p1 = (*ppr_p)->right;
- b1 = p1->bal;
- if (b1 >= 0) {
- MSG("single RR")
- (*ppr_p)->right = p1->left;
- p1->left = *ppr_p;
- if (b1 == 0) {
- MSG("b1 == 0")
- (*ppr_p)->bal = 1;
- p1->bal = -1;
- *pi_balance = FALSE;
- } else {
- MSG("b1 != 0")
- (*ppr_p)->bal = 0;
- p1->bal = 0;
- }
- *ppr_p = p1;
- } else {
- MSG("double RL")
- p2 = p1->left;
- b2 = p2->bal;
- p1->left = p2->right;
- p2->right = p1;
- (*ppr_p)->right = p2->left;
- p2->left = *ppr_p;
- if (b2 == 1)
- (*ppr_p)->bal = -1;
- else
- (*ppr_p)->bal = 0;
- if (b2 == -1)
- p1->bal = 1;
- else
- p1->bal = 0;
- *ppr_p = p2;
- p2->bal = 0;
- }
- }
- RETV
-}
-
-static void
-bal_R(tree **ppr_p, int *pi_balance) {
- tree *p1, *p2;
- int b1, b2;
-
- ENTER("bal_R")
- MSG("right branch has shrunk")
- switch ((*ppr_p)->bal) {
- case 1:
- MSG("was imbalanced, fixed implicitly")
- (*ppr_p)->bal = 0;
- break;
- case 0:
- MSG("was okay, is now one off")
- (*ppr_p)->bal = -1;
- *pi_balance = FALSE;
- break;
- case -1:
- MSG("was already off, this is too much")
- p1 = (*ppr_p)->left;
- b1 = p1->bal;
- if (b1 <= 0) {
- MSG("single LL")
- (*ppr_p)->left = p1->right;
- p1->right = *ppr_p;
- if (b1 == 0) {
- MSG("b1 == 0")
- (*ppr_p)->bal = -1;
- p1->bal = 1;
- *pi_balance = FALSE;
- } else {
- MSG("b1 != 0")
- (*ppr_p)->bal = 0;
- p1->bal = 0;
- }
- *ppr_p = p1;
- } else {
- MSG("double LR")
- p2 = p1->right;
- b2 = p2->bal;
- p1->right = p2->left;
- p2->left = p1;
- (*ppr_p)->left = p2->right;
- p2->right = *ppr_p;
- if (b2 == -1)
- (*ppr_p)->bal = 1;
- else
- (*ppr_p)->bal = 0;
- if (b2 == 1)
- p1->bal = -1;
- else
- p1->bal = 0;
- *ppr_p = p2;
- p2->bal = 0;
- }
- }
- RETV
-}
diff --git a/contrib/bind9/lib/bind/isc/tree.mdoc b/contrib/bind9/lib/bind/isc/tree.mdoc
deleted file mode 100644
index c46fa7dc1d7d..000000000000
--- a/contrib/bind9/lib/bind/isc/tree.mdoc
+++ /dev/null
@@ -1,154 +0,0 @@
-.\" $Id: tree.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:44 marka Exp $
-.\"
-.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (c) 1995-1999 by Internet Software Consortium
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
-.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd April 5, 1994
-.Dt TREE 3
-.Os BSD 4
-.Sh NAME
-.Nm tree_init ,
-.Nm tree_mung ,
-.Nm tree_srch ,
-.Nm tree_add ,
-.Nm tree_delete ,
-.Nm tree_trav
-.Nd balanced binary tree routines
-.Sh SYNOPSIS
-.Ft void
-.Fn tree_init "void **tree"
-.Ft void *
-.Fn tree_srch "void **tree" "int (*compare)()" "void *data"
-.Ft void
-.Fn tree_add "void **tree" "int (*compare)()" \
-"void *data" "void (*del_uar)()"
-.Ft int
-.Fn tree_delete "void **tree" "int (*compare)()" \
-"void *data" "void (*del_uar)()"
-.Ft int
-.Fn tree_trav "void **tree" "int (*trav_uar)()"
-.Ft void
-.Fn tree_mung "void **tree" "void (*del_uar)()"
-.Sh DESCRIPTION
-These functions create and manipulate a balanced binary (AVL) tree. Each node
-of the tree contains the expected left & right subtree pointers, a short int
-balance indicator, and a pointer to the user data. On a 32 bit system, this
-means an overhead of 4+4+2+4 bytes per node (or, on a RISC or otherwise
-alignment constrained system with implied padding, 4+4+4+4 bytes per node).
-There is no key data type enforced by this package; a caller supplied
-compare routine is used to compare user data blocks.
-.Pp
-Balanced binary trees are very fast on searches and replacements, but have a
-moderately high cost for additions and deletions. If your application does a
-lot more searches and replacements than it does additions and deletions, the
-balanced (AVL) binary tree is a good choice for a data structure.
-.Pp
-.Fn Tree_init
-creates an empty tree and binds it to
-.Dq Fa tree
-(which for this and all other routines in this package should be declared as
-a pointer to void or int, and passed by reference), which can then be used by
-other routines in this package. Note that more than one
-.Dq Fa tree
-variable can exist at once; thus multiple trees can be manipulated
-simultaneously.
-.Pp
-.Fn Tree_srch
-searches a tree for a specific node and returns either
-.Fa NULL
-if no node was found, or the value of the user data pointer if the node
-was found.
-.Fn compare
-is the address of a function to compare two user data blocks. This routine
-should work much the way
-.Xr strcmp 3
-does; in fact,
-.Xr strcmp
-could be used if the user data was a \s-2NUL\s+2 terminated string.
-.Dq Fa Data
-is the address of a user data block to be used by
-.Fn compare
-as the search criteria. The tree is searched for a node where
-.Fn compare
-returns 0.
-.Pp
-.Fn Tree_add
-inserts or replaces a node in the specified tree. The tree specified by
-.Dq Fa tree
-is searched as in
-.Fn tree_srch ,
-and if a node is found to match
-.Dq Fa data ,
-then the
-.Fn del_uar
-function, if non\-\s-2NULL\s+2, is called with the address of the user data
-block for the node (this routine should deallocate any dynamic memory which
-is referenced exclusively by the node); the user data pointer for the node
-is then replaced by the value of
-.Dq Fa data .
-If no node is found to match, a new node is added (which may or may not
-cause a transparent rebalance operation), with a user data pointer equal to
-.Dq Fa data .
-A rebalance may or may not occur, depending on where the node is added
-and what the rest of the tree looks like.
-.Fn Tree_add
-will return the
-.Dq Fa data
-pointer unless catastrophe occurs in which case it will return \s-2NULL\s+2.
-.Pp
-.Fn Tree_delete
-deletes a node from
-.Dq Fa tree .
-A rebalance may or may not occur, depending on where the node is removed from
-and what the rest of the tree looks like.
-.Fn Tree_delete
-returns TRUE if a node was deleted, FALSE otherwise.
-.Pp
-.Fn Tree_trav
-traverses all of
-.Dq Fa tree ,
-calling
-.Fn trav_uar
-with the address of each user data block. If
-.Fn trav_uar
-returns FALSE at any time,
-.Fn tree_trav
-will immediately return FALSE to its caller. Otherwise all nodes will be
-reached and
-.Fn tree_trav
-will return TRUE.
-.Pp
-.Fn Tree_mung
-deletes every node in
-.Dq Fa tree ,
-calling
-.Fn del_uar
-(if it is not \s-2NULL\s+2) with the user data address from each node (see
-.Fn tree_add
-and
-.Fn tree_delete
-above). The tree is left in the same state that
-.Fn tree_init
-leaves it in \- i.e., empty.
-.Sh BUGS
-Should have a way for the caller to specify application-specific
-.Xr malloc
-and
-.Xr free
-functions to be used internally when allocating meta data.
-.Sh AUTHOR
-Paul Vixie, converted and augumented from Modula\-2 examples in
-.Dq Algorithms & Data Structures ,
-Niklaus Wirth, Prentice\-Hall, ISBN 0\-13\-022005\-1.
diff --git a/contrib/bind9/lib/bind/make/includes.in b/contrib/bind9/lib/bind/make/includes.in
deleted file mode 100644
index f08020288348..000000000000
--- a/contrib/bind9/lib/bind/make/includes.in
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: includes.in,v 1.1.206.1 2004/03/15 01:02:44 marka Exp $
-
-# Search for machine-generated header files in the build tree,
-# and for normal headers in the source tree (${top_srcdir}).
-# We only need to look in OS-specific subdirectories for the
-# latter case, because there are no machine-generated OS-specific
-# headers.
-
-ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/isc \
- -I${top_srcdir}/lib/isc/include \
- -I${top_srcdir}/lib/isc/unix/include \
- -I${top_srcdir}/lib/isc/@ISC_THREAD_DIR@/include
-
-ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/isccfg/include
-
-DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/dns/include \
- -I${top_srcdir}/lib/dns/sec/dst/include
-
-OMAPI_INCLUDES = @BIND9_OMAPI_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/omapi/include
-
-LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/lwres/include
-
-TEST_INCLUDES = \
- -I${top_srcdir}/lib/tests/include
diff --git a/contrib/bind9/lib/bind/make/mkdep.in b/contrib/bind9/lib/bind/make/mkdep.in
deleted file mode 100644
index 60aea6fc6c97..000000000000
--- a/contrib/bind9/lib/bind/make/mkdep.in
+++ /dev/null
@@ -1,147 +0,0 @@
-#!/bin/sh -
-
-## ++Copyright++ 1987
-## -
-## Copyright (c) 1987 Regents of the University of California.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted provided that the following conditions
-## are met:
-## 1. Redistributions of source code must retain the above copyright
-## notice, this list of conditions and the following disclaimer.
-## 2. Redistributions in binary form must reproduce the above copyright
-## notice, this list of conditions and the following disclaimer in the
-## documentation and/or other materials provided with the distribution.
-## 3. All advertising materials mentioning features or use of this software
-## must display the following acknowledgement:
-## This product includes software developed by the University of
-## California, Berkeley and its contributors.
-## 4. Neither the name of the University nor the names of its contributors
-## may be used to endorse or promote products derived from this software
-## without specific prior written permission.
-## THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-## ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-## SUCH DAMAGE.
-## -
-## Portions Copyright (c) 1993 by Digital Equipment Corporation.
-##
-## Permission to use, copy, modify, and distribute this software for any
-## purpose with or without fee is hereby granted, provided that the above
-## copyright notice and this permission notice appear in all copies, and that
-## the name of Digital Equipment Corporation not be used in advertising or
-## publicity pertaining to distribution of the document or software without
-## specific, written prior permission.
-##
-## THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
-## WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
-## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
-## CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-## SOFTWARE.
-## -
-## --Copyright--
-
-#
-# @(#)mkdep.sh 5.12 (Berkeley) 6/30/88
-#
-
-MAKE=Makefile # default makefile name is "Makefile"
-
-while :
- do case "$1" in
- # -f allows you to select a makefile name
- -f)
- MAKE=$2
- shift; shift ;;
-
- # the -p flag produces "program: program.c" style dependencies
- # so .o's don't get produced
- -p)
- SED='s;\.o;;'
- shift ;;
- *)
- break ;;
- esac
-done
-
-if [ $# = 0 ] ; then
- echo 'usage: mkdep [-p] [-f makefile] [flags] file ...'
- exit 1
-fi
-
-if [ ! -w $MAKE ]; then
- echo "mkdep: no writeable file \"$MAKE\""
- exit 1
-fi
-
-TMP=mkdep$$
-
-trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
-
-cp $MAKE ${MAKE}.bak
-
-sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
-
-cat << _EOF_ >> $TMP
-# DO NOT DELETE THIS LINE -- mkdep uses it.
-# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
-
-_EOF_
-
-# If your compiler doesn't have -M, add it. If you can't, the next two
-# lines will try and replace the "cc -M". The real problem is that this
-# hack can't deal with anything that requires a search path, and doesn't
-# even try for anything using bracket (<>) syntax.
-#
-# egrep '^#include[ ]*".*"' /dev/null $* |
-# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
-
-MKDEPPROG="@MKDEPPROG@"
-if [ X"${MKDEPPROG}" != X ]; then
- @SHELL@ -c "${MKDEPPROG} $*"
-else
- @MKDEPCC@ @MKDEPCFLAGS@ $* |
- sed "
- s; \./; ;g
- $SED" |
- awk '{
- if ($1 != prev) {
- if (rec != "")
- print rec;
- rec = $0;
- prev = $1;
- }
- else {
- if (length(rec $2) > 78) {
- print rec;
- rec = $0;
- }
- else
- rec = rec " " $2
- }
- }
- END {
- print rec
- }' >> $TMP
-fi
-
-cat << _EOF_ >> $TMP
-
-# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
-_EOF_
-
-# copy to preserve permissions
-cp $TMP $MAKE
-rm -f ${MAKE}.bak $TMP
-exit 0
diff --git a/contrib/bind9/lib/bind/make/rules.in b/contrib/bind9/lib/bind/make/rules.in
deleted file mode 100644
index 1a4e81d603d6..000000000000
--- a/contrib/bind9/lib/bind/make/rules.in
+++ /dev/null
@@ -1,177 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: rules.in,v 1.3.2.3.4.4 2004/10/20 00:14:47 marka Exp $
-
-###
-### Common Makefile rules for BIND 9.
-###
-
-###
-### Paths
-###
-### Note: paths that vary by Makefile MUST NOT be listed
-### here, or they won't get expanded correctly.
-
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-bindir = @bindir@
-sbindir = @sbindir@
-includedir = @includedir@
-libdir = @libdir@
-sysconfdir = @sysconfdir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-
-DESTDIR =
-MAKEDEFS= 'DESTDIR=${DESTDIR}'
-
-@SET_MAKE@
-
-top_builddir = @BIND9_TOP_BUILDDIR@
-abs_top_srcdir = @abs_top_srcdir@
-
-###
-### All
-###
-### Makefile may define:
-### TARGETS
-
-all: subdirs ${TARGETS}
-
-###
-### Subdirectories
-###
-### Makefile may define:
-### SUBDIRS
-
-ALL_SUBDIRS = ${SUBDIRS} nulldir
-
-#
-# We use a single-colon rule so that additional dependencies of
-# subdirectories can be specified after the inclusion of this file.
-# The "depend" target is treated the same way.
-#
-subdirs:
- @for i in ${ALL_SUBDIRS}; do \
- if [ "$$i" != "nulldir" -a -d $$i ]; then \
- echo "making all in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} all) || exit 1; \
- fi; \
- done
-
-install clean distclean docclean manclean::
- @for i in ${ALL_SUBDIRS}; do \
- if [ "$$i" != "nulldir" -a -d $$i ]; then \
- echo "making $@ in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
- fi \
- done
-
-###
-### C Programs
-###
-### Makefile must define
-### CC
-### Makefile may define
-### CFLAGS
-### CINCLUDES
-### CDEFINES
-### CWARNINGS
-### User may define externally
-### EXT_CFLAGS
-
-CC = @CC@
-CFLAGS = @CFLAGS@
-STD_CINCLUDES = @STD_CINCLUDES@
-STD_CDEFINES = @STD_CDEFINES@
-STD_CWARNINGS = @STD_CWARNINGS@
-
-.SUFFIXES:
-.SUFFIXES: .c .@O@
-
-ALWAYS_INCLUDES = -I${top_builddir} -I${abs_top_srcdir}/@PORT_INCLUDE@
-ALWAYS_DEFINES = @ALWAYS_DEFINES@
-ALWAYS_WARNINGS =
-
-ALL_CPPFLAGS = \
- ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
- ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
-
-ALL_CFLAGS = ${EXT_CFLAGS} ${CFLAGS} \
- ${ALL_CPPFLAGS} \
- ${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
-
-.c.@O@:
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
-
-SHELL = @SHELL@
-LIBTOOL = @LIBTOOL@
-LIBTOOL_MODE_COMPILE = ${LIBTOOL} @LIBTOOL_MODE_COMPILE@
-LIBTOOL_MODE_INSTALL = ${LIBTOOL} @LIBTOOL_MODE_INSTALL@
-LIBTOOL_MODE_LINK = ${LIBTOOL} @LIBTOOL_MODE_LINK@
-PURIFY = @PURIFY@
-
-MKDEP = ${SHELL} ${top_builddir}/make/mkdep
-
-cleandir: distclean
-
-clean distclean::
- rm -f *.@O@ *.lo *.la core *.core .depend
- rm -rf .libs
-
-distclean::
- rm -f Makefile
-
-depend:
- @for i in ${ALL_SUBDIRS}; do \
- if [ "$$i" != "nulldir" -a -d $$i ]; then \
- echo "making depend in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
- fi \
- done
- @if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
- ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
- ${DEPENDEXTRA} \
- elif [ X"${SRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${DEPENDEXTRA} \
- elif [ X"${PSRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${PSRCS}; \
- ${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS}; \
- ${DEPENDEXTRA} \
- fi
-
-FORCE:
-
-###
-### Libraries
-###
-
-AR = @AR@
-ARFLAGS = @ARFLAGS@
-RANLIB = @RANLIB@
-
-###
-### Installation
-###
-
-INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_DATA = @INSTALL_DATA@
diff --git a/contrib/bind9/lib/bind/mkinstalldirs b/contrib/bind9/lib/bind/mkinstalldirs
deleted file mode 100755
index 74a611ae8357..000000000000
--- a/contrib/bind9/lib/bind/mkinstalldirs
+++ /dev/null
@@ -1,40 +0,0 @@
-#! /bin/sh
-# mkinstalldirs --- make directory hierarchy
-# Author: Noah Friedman <friedman@prep.ai.mit.edu>
-# Created: 1993-05-16
-# Public domain
-
-# $Id: mkinstalldirs,v 1.1 2001/07/06 22:23:42 gson Exp $
-
-errstatus=0
-
-for file
-do
- set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
- shift
-
- pathcomp=
- for d
- do
- pathcomp="$pathcomp$d"
- case "$pathcomp" in
- -* ) pathcomp=./$pathcomp ;;
- esac
-
- if test ! -d "$pathcomp"; then
- echo "mkdir $pathcomp" 1>&2
-
- mkdir "$pathcomp" || lasterr=$?
-
- if test ! -d "$pathcomp"; then
- errstatus=$lasterr
- fi
- fi
-
- pathcomp="$pathcomp/"
- done
-done
-
-exit $errstatus
-
-# mkinstalldirs ends here
diff --git a/contrib/bind9/lib/bind/nameser/Makefile.in b/contrib/bind9/lib/bind/nameser/Makefile.in
deleted file mode 100644
index aa4bc6cf6b4b..000000000000
--- a/contrib/bind9/lib/bind/nameser/Makefile.in
+++ /dev/null
@@ -1,31 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4.206.1 2004/03/15 01:02:45 marka Exp $
-
-srcdir= @srcdir@
-VPATH = @srcdir@
-
-OBJS= ns_date.@O@ ns_name.@O@ ns_netint.@O@ ns_parse.@O@ ns_print.@O@ \
- ns_samedomain.@O@ ns_sign.@O@ ns_ttl.@O@ ns_verify.@O@
-
-SRCS= ns_date.c ns_name.c ns_netint.c ns_parse.c ns_print.c \
- ns_samedomain.c ns_sign.c ns_ttl.c ns_verify.c
-
-TARGETS= ${OBJS}
-
-CINCLUDES= -I.. -I${srcdir}/../include
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/nameser/ns_date.c b/contrib/bind9/lib/bind/nameser/ns_date.c
deleted file mode 100644
index d6b347a905b9..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_date.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_date.c,v 1.3.206.2 2004/03/16 12:34:16 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/* Forward. */
-
-static int datepart(const char *, int, int, int, int *);
-
-/* Public. */
-
-/* Convert a date in ASCII into the number of seconds since
- 1 January 1970 (GMT assumed). Format is yyyymmddhhmmss, all
- digits required, no spaces allowed. */
-
-u_int32_t
-ns_datetosecs(const char *cp, int *errp) {
- struct tm time;
- u_int32_t result;
- int mdays, i;
- static const int days_per_month[12] =
- {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
-
- if (strlen(cp) != 14U) {
- *errp = 1;
- return (0);
- }
- *errp = 0;
-
- memset(&time, 0, sizeof time);
- time.tm_year = datepart(cp + 0, 4, 1990, 9999, errp) - 1900;
- time.tm_mon = datepart(cp + 4, 2, 01, 12, errp) - 1;
- time.tm_mday = datepart(cp + 6, 2, 01, 31, errp);
- time.tm_hour = datepart(cp + 8, 2, 00, 23, errp);
- time.tm_min = datepart(cp + 10, 2, 00, 59, errp);
- time.tm_sec = datepart(cp + 12, 2, 00, 59, errp);
- if (*errp) /* Any parse errors? */
- return (0);
-
- /*
- * OK, now because timegm() is not available in all environments,
- * we will do it by hand. Roll up sleeves, curse the gods, begin!
- */
-
-#define SECS_PER_DAY ((u_int32_t)24*60*60)
-#define isleap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
-
- result = time.tm_sec; /* Seconds */
- result += time.tm_min * 60; /* Minutes */
- result += time.tm_hour * (60*60); /* Hours */
- result += (time.tm_mday - 1) * SECS_PER_DAY; /* Days */
-
- /* Months are trickier. Look without leaping, then leap */
- mdays = 0;
- for (i = 0; i < time.tm_mon; i++)
- mdays += days_per_month[i];
- result += mdays * SECS_PER_DAY; /* Months */
- if (time.tm_mon > 1 && isleap(1900+time.tm_year))
- result += SECS_PER_DAY; /* Add leapday for this year */
-
- /* First figure years without leapdays, then add them in. */
- /* The loop is slow, FIXME, but simple and accurate. */
- result += (time.tm_year - 70) * (SECS_PER_DAY*365); /* Years */
- for (i = 70; i < time.tm_year; i++)
- if (isleap(1900+i))
- result += SECS_PER_DAY; /* Add leapday for prev year */
-
- return (result);
-}
-
-/* Private. */
-
-/*
- * Parse part of a date. Set error flag if any error.
- * Don't reset the flag if there is no error.
- */
-static int
-datepart(const char *buf, int size, int min, int max, int *errp) {
- int result = 0;
- int i;
-
- for (i = 0; i < size; i++) {
- if (!isdigit((unsigned char)(buf[i])))
- *errp = 1;
- result = (result * 10) + buf[i] - '0';
- }
- if (result < min)
- *errp = 1;
- if (result > max)
- *errp = 1;
- return (result);
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_name.c b/contrib/bind9/lib/bind/nameser/ns_name.c
deleted file mode 100644
index 5ac91e3da94a..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_name.c
+++ /dev/null
@@ -1,963 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_name.c,v 1.3.2.4.4.2 2004/05/04 03:27:47 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <string.h>
-#include <ctype.h>
-#include <stdlib.h>
-#include <limits.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-#define NS_TYPE_ELT 0x40 /* EDNS0 extended label type */
-#define DNS_LABELTYPE_BITSTRING 0x41
-
-/* Data. */
-
-static const char digits[] = "0123456789";
-
-static const char digitvalue[256] = {
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*16*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*32*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*48*/
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, /*64*/
- -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*80*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*96*/
- -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*112*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*128*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
-};
-
-/* Forward. */
-
-static int special(int);
-static int printable(int);
-static int dn_find(const u_char *, const u_char *,
- const u_char * const *,
- const u_char * const *);
-static int encode_bitsring(const char **, const char *,
- unsigned char **, unsigned char **,
- unsigned const char *);
-static int labellen(const u_char *);
-static int decode_bitstring(const unsigned char **,
- char *, const char *);
-
-/* Public. */
-
-/*
- * ns_name_ntop(src, dst, dstsiz)
- * Convert an encoded domain name to printable ascii as per RFC1035.
- * return:
- * Number of bytes written to buffer, or -1 (with errno set)
- * notes:
- * The root is returned as "."
- * All other domains are returned in non absolute form
- */
-int
-ns_name_ntop(const u_char *src, char *dst, size_t dstsiz)
-{
- const u_char *cp;
- char *dn, *eom;
- u_char c;
- u_int n;
- int l;
-
- cp = src;
- dn = dst;
- eom = dst + dstsiz;
-
- while ((n = *cp++) != 0) {
- if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
- /* Some kind of compression pointer. */
- errno = EMSGSIZE;
- return (-1);
- }
- if (dn != dst) {
- if (dn >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *dn++ = '.';
- }
- if ((l = labellen(cp - 1)) < 0) {
- errno = EMSGSIZE; /* XXX */
- return(-1);
- }
- if (dn + l >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- if ((n & NS_CMPRSFLGS) == NS_TYPE_ELT) {
- int m;
-
- if (n != DNS_LABELTYPE_BITSTRING) {
- /* XXX: labellen should reject this case */
- errno = EINVAL;
- return(-1);
- }
- if ((m = decode_bitstring(&cp, dn, eom)) < 0)
- {
- errno = EMSGSIZE;
- return(-1);
- }
- dn += m;
- continue;
- }
- for ((void)NULL; l > 0; l--) {
- c = *cp++;
- if (special(c)) {
- if (dn + 1 >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *dn++ = '\\';
- *dn++ = (char)c;
- } else if (!printable(c)) {
- if (dn + 3 >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *dn++ = '\\';
- *dn++ = digits[c / 100];
- *dn++ = digits[(c % 100) / 10];
- *dn++ = digits[c % 10];
- } else {
- if (dn >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *dn++ = (char)c;
- }
- }
- }
- if (dn == dst) {
- if (dn >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *dn++ = '.';
- }
- if (dn >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *dn++ = '\0';
- return (dn - dst);
-}
-
-/*
- * ns_name_pton(src, dst, dstsiz)
- * Convert a ascii string into an encoded domain name as per RFC1035.
- * return:
- * -1 if it fails
- * 1 if string was fully qualified
- * 0 is string was not fully qualified
- * notes:
- * Enforces label and domain length limits.
- */
-
-int
-ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
-{
- u_char *label, *bp, *eom;
- int c, n, escaped, e = 0;
- char *cp;
-
- escaped = 0;
- bp = dst;
- eom = dst + dstsiz;
- label = bp++;
-
- while ((c = *src++) != 0) {
- if (escaped) {
- if (c == '[') { /* start a bit string label */
- if ((cp = strchr(src, ']')) == NULL) {
- errno = EINVAL; /* ??? */
- return(-1);
- }
- if ((e = encode_bitsring(&src, cp + 2,
- &label, &bp, eom))
- != 0) {
- errno = e;
- return(-1);
- }
- escaped = 0;
- label = bp++;
- if ((c = *src++) == 0)
- goto done;
- else if (c != '.') {
- errno = EINVAL;
- return(-1);
- }
- continue;
- }
- else if ((cp = strchr(digits, c)) != NULL) {
- n = (cp - digits) * 100;
- if ((c = *src++) == 0 ||
- (cp = strchr(digits, c)) == NULL) {
- errno = EMSGSIZE;
- return (-1);
- }
- n += (cp - digits) * 10;
- if ((c = *src++) == 0 ||
- (cp = strchr(digits, c)) == NULL) {
- errno = EMSGSIZE;
- return (-1);
- }
- n += (cp - digits);
- if (n > 255) {
- errno = EMSGSIZE;
- return (-1);
- }
- c = n;
- }
- escaped = 0;
- } else if (c == '\\') {
- escaped = 1;
- continue;
- } else if (c == '.') {
- c = (bp - label - 1);
- if ((c & NS_CMPRSFLGS) != 0) { /* Label too big. */
- errno = EMSGSIZE;
- return (-1);
- }
- if (label >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *label = c;
- /* Fully qualified ? */
- if (*src == '\0') {
- if (c != 0) {
- if (bp >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *bp++ = '\0';
- }
- if ((bp - dst) > MAXCDNAME) {
- errno = EMSGSIZE;
- return (-1);
- }
- return (1);
- }
- if (c == 0 || *src == '.') {
- errno = EMSGSIZE;
- return (-1);
- }
- label = bp++;
- continue;
- }
- if (bp >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *bp++ = (u_char)c;
- }
- c = (bp - label - 1);
- if ((c & NS_CMPRSFLGS) != 0) { /* Label too big. */
- errno = EMSGSIZE;
- return (-1);
- }
- done:
- if (label >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *label = c;
- if (c != 0) {
- if (bp >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *bp++ = 0;
- }
- if ((bp - dst) > MAXCDNAME) { /* src too big */
- errno = EMSGSIZE;
- return (-1);
- }
- return (0);
-}
-
-/*
- * ns_name_ntol(src, dst, dstsiz)
- * Convert a network strings labels into all lowercase.
- * return:
- * Number of bytes written to buffer, or -1 (with errno set)
- * notes:
- * Enforces label and domain length limits.
- */
-
-int
-ns_name_ntol(const u_char *src, u_char *dst, size_t dstsiz)
-{
- const u_char *cp;
- u_char *dn, *eom;
- u_char c;
- u_int n;
- int l;
-
- cp = src;
- dn = dst;
- eom = dst + dstsiz;
-
- if (dn >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- while ((n = *cp++) != 0) {
- if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
- /* Some kind of compression pointer. */
- errno = EMSGSIZE;
- return (-1);
- }
- *dn++ = n;
- if ((l = labellen(cp - 1)) < 0) {
- errno = EMSGSIZE;
- return (-1);
- }
- if (dn + l >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- for ((void)NULL; l > 0; l--) {
- c = *cp++;
- if (isupper(c))
- *dn++ = tolower(c);
- else
- *dn++ = c;
- }
- }
- *dn++ = '\0';
- return (dn - dst);
-}
-
-/*
- * ns_name_unpack(msg, eom, src, dst, dstsiz)
- * Unpack a domain name from a message, source may be compressed.
- * return:
- * -1 if it fails, or consumed octets if it succeeds.
- */
-int
-ns_name_unpack(const u_char *msg, const u_char *eom, const u_char *src,
- u_char *dst, size_t dstsiz)
-{
- const u_char *srcp, *dstlim;
- u_char *dstp;
- int n, len, checked, l;
-
- len = -1;
- checked = 0;
- dstp = dst;
- srcp = src;
- dstlim = dst + dstsiz;
- if (srcp < msg || srcp >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- /* Fetch next label in domain name. */
- while ((n = *srcp++) != 0) {
- /* Check for indirection. */
- switch (n & NS_CMPRSFLGS) {
- case 0:
- case NS_TYPE_ELT:
- /* Limit checks. */
- if ((l = labellen(srcp - 1)) < 0) {
- errno = EMSGSIZE;
- return(-1);
- }
- if (dstp + l + 1 >= dstlim || srcp + l >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- checked += l + 1;
- *dstp++ = n;
- memcpy(dstp, srcp, l);
- dstp += l;
- srcp += l;
- break;
-
- case NS_CMPRSFLGS:
- if (srcp >= eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- if (len < 0)
- len = srcp - src + 1;
- srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
- if (srcp < msg || srcp >= eom) { /* Out of range. */
- errno = EMSGSIZE;
- return (-1);
- }
- checked += 2;
- /*
- * Check for loops in the compressed name;
- * if we've looked at the whole message,
- * there must be a loop.
- */
- if (checked >= eom - msg) {
- errno = EMSGSIZE;
- return (-1);
- }
- break;
-
- default:
- errno = EMSGSIZE;
- return (-1); /* flag error */
- }
- }
- *dstp = '\0';
- if (len < 0)
- len = srcp - src;
- return (len);
-}
-
-/*
- * ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
- * Pack domain name 'domain' into 'comp_dn'.
- * return:
- * Size of the compressed name, or -1.
- * notes:
- * 'dnptrs' is an array of pointers to previous compressed names.
- * dnptrs[0] is a pointer to the beginning of the message. The array
- * ends with NULL.
- * 'lastdnptr' is a pointer to the end of the array pointed to
- * by 'dnptrs'.
- * Side effects:
- * The list of pointers in dnptrs is updated for labels inserted into
- * the message as we compress the name. If 'dnptr' is NULL, we don't
- * try to compress names. If 'lastdnptr' is NULL, we don't update the
- * list.
- */
-int
-ns_name_pack(const u_char *src, u_char *dst, int dstsiz,
- const u_char **dnptrs, const u_char **lastdnptr)
-{
- u_char *dstp;
- const u_char **cpp, **lpp, *eob, *msg;
- const u_char *srcp;
- int n, l, first = 1;
-
- srcp = src;
- dstp = dst;
- eob = dstp + dstsiz;
- lpp = cpp = NULL;
- if (dnptrs != NULL) {
- if ((msg = *dnptrs++) != NULL) {
- for (cpp = dnptrs; *cpp != NULL; cpp++)
- (void)NULL;
- lpp = cpp; /* end of list to search */
- }
- } else
- msg = NULL;
-
- /* make sure the domain we are about to add is legal */
- l = 0;
- do {
- int l0;
-
- n = *srcp;
- if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
- errno = EMSGSIZE;
- return (-1);
- }
- if ((l0 = labellen(srcp)) < 0) {
- errno = EINVAL;
- return(-1);
- }
- l += l0 + 1;
- if (l > MAXCDNAME) {
- errno = EMSGSIZE;
- return (-1);
- }
- srcp += l0 + 1;
- } while (n != 0);
-
- /* from here on we need to reset compression pointer array on error */
- srcp = src;
- do {
- /* Look to see if we can use pointers. */
- n = *srcp;
- if (n != 0 && msg != NULL) {
- l = dn_find(srcp, msg, (const u_char * const *)dnptrs,
- (const u_char * const *)lpp);
- if (l >= 0) {
- if (dstp + 1 >= eob) {
- goto cleanup;
- }
- *dstp++ = (l >> 8) | NS_CMPRSFLGS;
- *dstp++ = l % 256;
- return (dstp - dst);
- }
- /* Not found, save it. */
- if (lastdnptr != NULL && cpp < lastdnptr - 1 &&
- (dstp - msg) < 0x4000 && first) {
- *cpp++ = dstp;
- *cpp = NULL;
- first = 0;
- }
- }
- /* copy label to buffer */
- if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
- /* Should not happen. */
- goto cleanup;
- }
- n = labellen(srcp);
- if (dstp + 1 + n >= eob) {
- goto cleanup;
- }
- memcpy(dstp, srcp, n + 1);
- srcp += n + 1;
- dstp += n + 1;
- } while (n != 0);
-
- if (dstp > eob) {
-cleanup:
- if (msg != NULL)
- *lpp = NULL;
- errno = EMSGSIZE;
- return (-1);
- }
- return (dstp - dst);
-}
-
-/*
- * ns_name_uncompress(msg, eom, src, dst, dstsiz)
- * Expand compressed domain name to presentation format.
- * return:
- * Number of bytes read out of `src', or -1 (with errno set).
- * note:
- * Root domain returns as "." not "".
- */
-int
-ns_name_uncompress(const u_char *msg, const u_char *eom, const u_char *src,
- char *dst, size_t dstsiz)
-{
- u_char tmp[NS_MAXCDNAME];
- int n;
-
- if ((n = ns_name_unpack(msg, eom, src, tmp, sizeof tmp)) == -1)
- return (-1);
- if (ns_name_ntop(tmp, dst, dstsiz) == -1)
- return (-1);
- return (n);
-}
-
-/*
- * ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
- * Compress a domain name into wire format, using compression pointers.
- * return:
- * Number of bytes consumed in `dst' or -1 (with errno set).
- * notes:
- * 'dnptrs' is an array of pointers to previous compressed names.
- * dnptrs[0] is a pointer to the beginning of the message.
- * The list ends with NULL. 'lastdnptr' is a pointer to the end of the
- * array pointed to by 'dnptrs'. Side effect is to update the list of
- * pointers for labels inserted into the message as we compress the name.
- * If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
- * is NULL, we don't update the list.
- */
-int
-ns_name_compress(const char *src, u_char *dst, size_t dstsiz,
- const u_char **dnptrs, const u_char **lastdnptr)
-{
- u_char tmp[NS_MAXCDNAME];
-
- if (ns_name_pton(src, tmp, sizeof tmp) == -1)
- return (-1);
- return (ns_name_pack(tmp, dst, dstsiz, dnptrs, lastdnptr));
-}
-
-/*
- * Reset dnptrs so that there are no active references to pointers at or
- * after src.
- */
-void
-ns_name_rollback(const u_char *src, const u_char **dnptrs,
- const u_char **lastdnptr)
-{
- while (dnptrs < lastdnptr && *dnptrs != NULL) {
- if (*dnptrs >= src) {
- *dnptrs = NULL;
- break;
- }
- dnptrs++;
- }
-}
-
-/*
- * ns_name_skip(ptrptr, eom)
- * Advance *ptrptr to skip over the compressed name it points at.
- * return:
- * 0 on success, -1 (with errno set) on failure.
- */
-int
-ns_name_skip(const u_char **ptrptr, const u_char *eom)
-{
- const u_char *cp;
- u_int n;
- int l;
-
- cp = *ptrptr;
- while (cp < eom && (n = *cp++) != 0) {
- /* Check for indirection. */
- switch (n & NS_CMPRSFLGS) {
- case 0: /* normal case, n == len */
- cp += n;
- continue;
- case NS_TYPE_ELT: /* EDNS0 extended label */
- if ((l = labellen(cp - 1)) < 0) {
- errno = EMSGSIZE; /* XXX */
- return(-1);
- }
- cp += l;
- continue;
- case NS_CMPRSFLGS: /* indirection */
- cp++;
- break;
- default: /* illegal type */
- errno = EMSGSIZE;
- return (-1);
- }
- break;
- }
- if (cp > eom) {
- errno = EMSGSIZE;
- return (-1);
- }
- *ptrptr = cp;
- return (0);
-}
-
-/* Private. */
-
-/*
- * special(ch)
- * Thinking in noninternationalized USASCII (per the DNS spec),
- * is this characted special ("in need of quoting") ?
- * return:
- * boolean.
- */
-static int
-special(int ch) {
- switch (ch) {
- case 0x22: /* '"' */
- case 0x2E: /* '.' */
- case 0x3B: /* ';' */
- case 0x5C: /* '\\' */
- case 0x28: /* '(' */
- case 0x29: /* ')' */
- /* Special modifiers in zone files. */
- case 0x40: /* '@' */
- case 0x24: /* '$' */
- return (1);
- default:
- return (0);
- }
-}
-
-/*
- * printable(ch)
- * Thinking in noninternationalized USASCII (per the DNS spec),
- * is this character visible and not a space when printed ?
- * return:
- * boolean.
- */
-static int
-printable(int ch) {
- return (ch > 0x20 && ch < 0x7f);
-}
-
-/*
- * Thinking in noninternationalized USASCII (per the DNS spec),
- * convert this character to lower case if it's upper case.
- */
-static int
-mklower(int ch) {
- if (ch >= 0x41 && ch <= 0x5A)
- return (ch + 0x20);
- return (ch);
-}
-
-/*
- * dn_find(domain, msg, dnptrs, lastdnptr)
- * Search for the counted-label name in an array of compressed names.
- * return:
- * offset from msg if found, or -1.
- * notes:
- * dnptrs is the pointer to the first name on the list,
- * not the pointer to the start of the message.
- */
-static int
-dn_find(const u_char *domain, const u_char *msg,
- const u_char * const *dnptrs,
- const u_char * const *lastdnptr)
-{
- const u_char *dn, *cp, *sp;
- const u_char * const *cpp;
- u_int n;
-
- for (cpp = dnptrs; cpp < lastdnptr; cpp++) {
- sp = *cpp;
- /*
- * terminate search on:
- * root label
- * compression pointer
- * unusable offset
- */
- while (*sp != 0 && (*sp & NS_CMPRSFLGS) == 0 &&
- (sp - msg) < 0x4000) {
- dn = domain;
- cp = sp;
- while ((n = *cp++) != 0) {
- /*
- * check for indirection
- */
- switch (n & NS_CMPRSFLGS) {
- case 0: /* normal case, n == len */
- n = labellen(cp - 1); /* XXX */
-
- if (n != *dn++)
- goto next;
-
- for ((void)NULL; n > 0; n--)
- if (mklower(*dn++) !=
- mklower(*cp++))
- goto next;
- /* Is next root for both ? */
- if (*dn == '\0' && *cp == '\0')
- return (sp - msg);
- if (*dn)
- continue;
- goto next;
- case NS_CMPRSFLGS: /* indirection */
- cp = msg + (((n & 0x3f) << 8) | *cp);
- break;
-
- default: /* illegal type */
- errno = EMSGSIZE;
- return (-1);
- }
- }
- next: ;
- sp += *sp + 1;
- }
- }
- errno = ENOENT;
- return (-1);
-}
-
-static int
-decode_bitstring(const unsigned char **cpp, char *dn, const char *eom)
-{
- const unsigned char *cp = *cpp;
- char *beg = dn, tc;
- int b, blen, plen, i;
-
- if ((blen = (*cp & 0xff)) == 0)
- blen = 256;
- plen = (blen + 3) / 4;
- plen += sizeof("\\[x/]") + (blen > 99 ? 3 : (blen > 9) ? 2 : 1);
- if (dn + plen >= eom)
- return(-1);
-
- cp++;
- i = SPRINTF((dn, "\\[x"));
- if (i < 0)
- return (-1);
- dn += i;
- for (b = blen; b > 7; b -= 8, cp++) {
- i = SPRINTF((dn, "%02x", *cp & 0xff));
- if (i < 0)
- return (-1);
- dn += i;
- }
- if (b > 4) {
- tc = *cp++;
- i = SPRINTF((dn, "%02x", tc & (0xff << (8 - b))));
- if (i < 0)
- return (-1);
- dn += i;
- } else if (b > 0) {
- tc = *cp++;
- i = SPRINTF((dn, "%1x",
- ((tc >> 4) & 0x0f) & (0x0f << (4 - b))));
- if (i < 0)
- return (-1);
- dn += i;
- }
- i = SPRINTF((dn, "/%d]", blen));
- if (i < 0)
- return (-1);
- dn += i;
-
- *cpp = cp;
- return(dn - beg);
-}
-
-static int
-encode_bitsring(const char **bp, const char *end, unsigned char **labelp,
- unsigned char ** dst, unsigned const char *eom)
-{
- int afterslash = 0;
- const char *cp = *bp;
- unsigned char *tp;
- char c;
- const char *beg_blen;
- char *end_blen = NULL;
- int value = 0, count = 0, tbcount = 0, blen = 0;
-
- beg_blen = end_blen = NULL;
-
- /* a bitstring must contain at least 2 characters */
- if (end - cp < 2)
- return(EINVAL);
-
- /* XXX: currently, only hex strings are supported */
- if (*cp++ != 'x')
- return(EINVAL);
- if (!isxdigit((*cp) & 0xff)) /* reject '\[x/BLEN]' */
- return(EINVAL);
-
- for (tp = *dst + 1; cp < end && tp < eom; cp++) {
- switch((c = *cp)) {
- case ']': /* end of the bitstring */
- if (afterslash) {
- if (beg_blen == NULL)
- return(EINVAL);
- blen = (int)strtol(beg_blen, &end_blen, 10);
- if (*end_blen != ']')
- return(EINVAL);
- }
- if (count)
- *tp++ = ((value << 4) & 0xff);
- cp++; /* skip ']' */
- goto done;
- case '/':
- afterslash = 1;
- break;
- default:
- if (afterslash) {
- if (!isdigit(c&0xff))
- return(EINVAL);
- if (beg_blen == NULL) {
-
- if (c == '0') {
- /* blen never begings with 0 */
- return(EINVAL);
- }
- beg_blen = cp;
- }
- } else {
- if (!isxdigit(c&0xff))
- return(EINVAL);
- value <<= 4;
- value += digitvalue[(int)c];
- count += 4;
- tbcount += 4;
- if (tbcount > 256)
- return(EINVAL);
- if (count == 8) {
- *tp++ = value;
- count = 0;
- }
- }
- break;
- }
- }
- done:
- if (cp >= end || tp >= eom)
- return(EMSGSIZE);
-
- /*
- * bit length validation:
- * If a <length> is present, the number of digits in the <bit-data>
- * MUST be just sufficient to contain the number of bits specified
- * by the <length>. If there are insignificant bits in a final
- * hexadecimal or octal digit, they MUST be zero.
- * RFC 2673, Section 3.2.
- */
- if (blen > 0) {
- int traillen;
-
- if (((blen + 3) & ~3) != tbcount)
- return(EINVAL);
- traillen = tbcount - blen; /* between 0 and 3 */
- if (((value << (8 - traillen)) & 0xff) != 0)
- return(EINVAL);
- }
- else
- blen = tbcount;
- if (blen == 256)
- blen = 0;
-
- /* encode the type and the significant bit fields */
- **labelp = DNS_LABELTYPE_BITSTRING;
- **dst = blen;
-
- *bp = cp;
- *dst = tp;
-
- return(0);
-}
-
-static int
-labellen(const u_char *lp)
-{
- int bitlen;
- u_char l = *lp;
-
- if ((l & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
- /* should be avoided by the caller */
- return(-1);
- }
-
- if ((l & NS_CMPRSFLGS) == NS_TYPE_ELT) {
- if (l == DNS_LABELTYPE_BITSTRING) {
- if ((bitlen = *(lp + 1)) == 0)
- bitlen = 256;
- return((bitlen + 7 ) / 8 + 1);
- }
- return(-1); /* unknwon ELT */
- }
- return(l);
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_netint.c b/contrib/bind9/lib/bind/nameser/ns_netint.c
deleted file mode 100644
index 15fc93e40e95..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_netint.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_netint.c,v 1.1.206.1 2004/03/09 08:33:44 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-
-#include <arpa/nameser.h>
-
-#include "port_after.h"
-
-/* Public. */
-
-u_int
-ns_get16(const u_char *src) {
- u_int dst;
-
- NS_GET16(dst, src);
- return (dst);
-}
-
-u_long
-ns_get32(const u_char *src) {
- u_long dst;
-
- NS_GET32(dst, src);
- return (dst);
-}
-
-void
-ns_put16(u_int src, u_char *dst) {
- NS_PUT16(src, dst);
-}
-
-void
-ns_put32(u_long src, u_char *dst) {
- NS_PUT32(src, dst);
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_parse.c b/contrib/bind9/lib/bind/nameser/ns_parse.c
deleted file mode 100644
index 19a6f51b2db1..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_parse.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_parse.c,v 1.3.2.1.4.3 2005/10/11 00:48:16 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <resolv.h>
-#include <string.h>
-
-#include "port_after.h"
-
-/* Forward. */
-
-static void setsection(ns_msg *msg, ns_sect sect);
-
-/* Macros. */
-
-#ifndef SOLARIS2
-#define RETERR(err) do { errno = (err); return (-1); } while (0)
-#else
-#define RETERR(err) \
- do { errno = (err); if (errno == errno) return (-1); } while (0)
-#endif
-
-/* Public. */
-
-/* These need to be in the same order as the nres.h:ns_flag enum. */
-struct _ns_flagdata _ns_flagdata[16] = {
- { 0x8000, 15 }, /* qr. */
- { 0x7800, 11 }, /* opcode. */
- { 0x0400, 10 }, /* aa. */
- { 0x0200, 9 }, /* tc. */
- { 0x0100, 8 }, /* rd. */
- { 0x0080, 7 }, /* ra. */
- { 0x0040, 6 }, /* z. */
- { 0x0020, 5 }, /* ad. */
- { 0x0010, 4 }, /* cd. */
- { 0x000f, 0 }, /* rcode. */
- { 0x0000, 0 }, /* expansion (1/6). */
- { 0x0000, 0 }, /* expansion (2/6). */
- { 0x0000, 0 }, /* expansion (3/6). */
- { 0x0000, 0 }, /* expansion (4/6). */
- { 0x0000, 0 }, /* expansion (5/6). */
- { 0x0000, 0 }, /* expansion (6/6). */
-};
-
-int ns_msg_getflag(ns_msg handle, int flag) {
- return(((handle)._flags & _ns_flagdata[flag].mask) >> _ns_flagdata[flag].shift);
-}
-
-int
-ns_skiprr(const u_char *ptr, const u_char *eom, ns_sect section, int count) {
- const u_char *optr = ptr;
-
- for ((void)NULL; count > 0; count--) {
- int b, rdlength;
-
- b = dn_skipname(ptr, eom);
- if (b < 0)
- RETERR(EMSGSIZE);
- ptr += b/*Name*/ + NS_INT16SZ/*Type*/ + NS_INT16SZ/*Class*/;
- if (section != ns_s_qd) {
- if (ptr + NS_INT32SZ + NS_INT16SZ > eom)
- RETERR(EMSGSIZE);
- ptr += NS_INT32SZ/*TTL*/;
- NS_GET16(rdlength, ptr);
- ptr += rdlength/*RData*/;
- }
- }
- if (ptr > eom)
- RETERR(EMSGSIZE);
- return (ptr - optr);
-}
-
-int
-ns_initparse(const u_char *msg, int msglen, ns_msg *handle) {
- const u_char *eom = msg + msglen;
- int i;
-
- memset(handle, 0x5e, sizeof *handle);
- handle->_msg = msg;
- handle->_eom = eom;
- if (msg + NS_INT16SZ > eom)
- RETERR(EMSGSIZE);
- NS_GET16(handle->_id, msg);
- if (msg + NS_INT16SZ > eom)
- RETERR(EMSGSIZE);
- NS_GET16(handle->_flags, msg);
- for (i = 0; i < ns_s_max; i++) {
- if (msg + NS_INT16SZ > eom)
- RETERR(EMSGSIZE);
- NS_GET16(handle->_counts[i], msg);
- }
- for (i = 0; i < ns_s_max; i++)
- if (handle->_counts[i] == 0)
- handle->_sections[i] = NULL;
- else {
- int b = ns_skiprr(msg, eom, (ns_sect)i,
- handle->_counts[i]);
-
- if (b < 0)
- return (-1);
- handle->_sections[i] = msg;
- msg += b;
- }
- if (msg != eom)
- RETERR(EMSGSIZE);
- setsection(handle, ns_s_max);
- return (0);
-}
-
-int
-ns_parserr(ns_msg *handle, ns_sect section, int rrnum, ns_rr *rr) {
- int b;
- int tmp;
-
- /* Make section right. */
- tmp = section;
- if (tmp < 0 || section >= ns_s_max)
- RETERR(ENODEV);
- if (section != handle->_sect)
- setsection(handle, section);
-
- /* Make rrnum right. */
- if (rrnum == -1)
- rrnum = handle->_rrnum;
- if (rrnum < 0 || rrnum >= handle->_counts[(int)section])
- RETERR(ENODEV);
- if (rrnum < handle->_rrnum)
- setsection(handle, section);
- if (rrnum > handle->_rrnum) {
- b = ns_skiprr(handle->_msg_ptr, handle->_eom, section,
- rrnum - handle->_rrnum);
-
- if (b < 0)
- return (-1);
- handle->_msg_ptr += b;
- handle->_rrnum = rrnum;
- }
-
- /* Do the parse. */
- b = dn_expand(handle->_msg, handle->_eom,
- handle->_msg_ptr, rr->name, NS_MAXDNAME);
- if (b < 0)
- return (-1);
- handle->_msg_ptr += b;
- if (handle->_msg_ptr + NS_INT16SZ + NS_INT16SZ > handle->_eom)
- RETERR(EMSGSIZE);
- NS_GET16(rr->type, handle->_msg_ptr);
- NS_GET16(rr->rr_class, handle->_msg_ptr);
- if (section == ns_s_qd) {
- rr->ttl = 0;
- rr->rdlength = 0;
- rr->rdata = NULL;
- } else {
- if (handle->_msg_ptr + NS_INT32SZ + NS_INT16SZ > handle->_eom)
- RETERR(EMSGSIZE);
- NS_GET32(rr->ttl, handle->_msg_ptr);
- NS_GET16(rr->rdlength, handle->_msg_ptr);
- if (handle->_msg_ptr + rr->rdlength > handle->_eom)
- RETERR(EMSGSIZE);
- rr->rdata = handle->_msg_ptr;
- handle->_msg_ptr += rr->rdlength;
- }
- if (++handle->_rrnum > handle->_counts[(int)section])
- setsection(handle, (ns_sect)((int)section + 1));
-
- /* All done. */
- return (0);
-}
-
-/* Private. */
-
-static void
-setsection(ns_msg *msg, ns_sect sect) {
- msg->_sect = sect;
- if (sect == ns_s_max) {
- msg->_rrnum = -1;
- msg->_msg_ptr = NULL;
- } else {
- msg->_rrnum = 0;
- msg->_msg_ptr = msg->_sections[(int)sect];
- }
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_print.c b/contrib/bind9/lib/bind/nameser/ns_print.c
deleted file mode 100644
index cb61cb1add30..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_print.c
+++ /dev/null
@@ -1,898 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_print.c,v 1.3.2.1.4.7 2004/09/16 07:01:12 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <isc/assertions.h>
-#include <isc/dst.h>
-#include <errno.h>
-#include <resolv.h>
-#include <string.h>
-#include <ctype.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/* Forward. */
-
-static size_t prune_origin(const char *name, const char *origin);
-static int charstr(const u_char *rdata, const u_char *edata,
- char **buf, size_t *buflen);
-static int addname(const u_char *msg, size_t msglen,
- const u_char **p, const char *origin,
- char **buf, size_t *buflen);
-static void addlen(size_t len, char **buf, size_t *buflen);
-static int addstr(const char *src, size_t len,
- char **buf, size_t *buflen);
-static int addtab(size_t len, size_t target, int spaced,
- char **buf, size_t *buflen);
-
-/* Macros. */
-
-#define T(x) \
- do { \
- if ((x) < 0) \
- return (-1); \
- } while (0)
-
-/* Public. */
-
-/*
- * int
- * ns_sprintrr(handle, rr, name_ctx, origin, buf, buflen)
- * Convert an RR to presentation format.
- * return:
- * Number of characters written to buf, or -1 (check errno).
- */
-int
-ns_sprintrr(const ns_msg *handle, const ns_rr *rr,
- const char *name_ctx, const char *origin,
- char *buf, size_t buflen)
-{
- int n;
-
- n = ns_sprintrrf(ns_msg_base(*handle), ns_msg_size(*handle),
- ns_rr_name(*rr), ns_rr_class(*rr), ns_rr_type(*rr),
- ns_rr_ttl(*rr), ns_rr_rdata(*rr), ns_rr_rdlen(*rr),
- name_ctx, origin, buf, buflen);
- return (n);
-}
-
-/*
- * int
- * ns_sprintrrf(msg, msglen, name, class, type, ttl, rdata, rdlen,
- * name_ctx, origin, buf, buflen)
- * Convert the fields of an RR into presentation format.
- * return:
- * Number of characters written to buf, or -1 (check errno).
- */
-int
-ns_sprintrrf(const u_char *msg, size_t msglen,
- const char *name, ns_class class, ns_type type,
- u_long ttl, const u_char *rdata, size_t rdlen,
- const char *name_ctx, const char *origin,
- char *buf, size_t buflen)
-{
- const char *obuf = buf;
- const u_char *edata = rdata + rdlen;
- int spaced = 0;
-
- const char *comment;
- char tmp[100];
- int len, x;
-
- /*
- * Owner.
- */
- if (name_ctx != NULL && ns_samename(name_ctx, name) == 1) {
- T(addstr("\t\t\t", 3, &buf, &buflen));
- } else {
- len = prune_origin(name, origin);
- if (*name == '\0') {
- goto root;
- } else if (len == 0) {
- T(addstr("@\t\t\t", 4, &buf, &buflen));
- } else {
- T(addstr(name, len, &buf, &buflen));
- /* Origin not used or not root, and no trailing dot? */
- if (((origin == NULL || origin[0] == '\0') ||
- (origin[0] != '.' && origin[1] != '\0' &&
- name[len] == '\0')) && name[len - 1] != '.') {
- root:
- T(addstr(".", 1, &buf, &buflen));
- len++;
- }
- T(spaced = addtab(len, 24, spaced, &buf, &buflen));
- }
- }
-
- /*
- * TTL, Class, Type.
- */
- T(x = ns_format_ttl(ttl, buf, buflen));
- addlen(x, &buf, &buflen);
- len = SPRINTF((tmp, " %s %s", p_class(class), p_type(type)));
- T(addstr(tmp, len, &buf, &buflen));
- T(spaced = addtab(x + len, 16, spaced, &buf, &buflen));
-
- /*
- * RData.
- */
- switch (type) {
- case ns_t_a:
- if (rdlen != (size_t)NS_INADDRSZ)
- goto formerr;
- (void) inet_ntop(AF_INET, rdata, buf, buflen);
- addlen(strlen(buf), &buf, &buflen);
- break;
-
- case ns_t_cname:
- case ns_t_mb:
- case ns_t_mg:
- case ns_t_mr:
- case ns_t_ns:
- case ns_t_ptr:
- case ns_t_dname:
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- break;
-
- case ns_t_hinfo:
- case ns_t_isdn:
- /* First word. */
- T(len = charstr(rdata, edata, &buf, &buflen));
- if (len == 0)
- goto formerr;
- rdata += len;
- T(addstr(" ", 1, &buf, &buflen));
-
-
- /* Second word, optional in ISDN records. */
- if (type == ns_t_isdn && rdata == edata)
- break;
-
- T(len = charstr(rdata, edata, &buf, &buflen));
- if (len == 0)
- goto formerr;
- rdata += len;
- break;
-
- case ns_t_soa: {
- u_long t;
-
- /* Server name. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Administrator name. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" (\n", 3, &buf, &buflen));
- spaced = 0;
-
- if ((edata - rdata) != 5*NS_INT32SZ)
- goto formerr;
-
- /* Serial number. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
- len = SPRINTF((tmp, "%lu", t));
- T(addstr(tmp, len, &buf, &buflen));
- T(spaced = addtab(len, 16, spaced, &buf, &buflen));
- T(addstr("; serial\n", 9, &buf, &buflen));
- spaced = 0;
-
- /* Refresh interval. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
- T(len = ns_format_ttl(t, buf, buflen));
- addlen(len, &buf, &buflen);
- T(spaced = addtab(len, 16, spaced, &buf, &buflen));
- T(addstr("; refresh\n", 10, &buf, &buflen));
- spaced = 0;
-
- /* Retry interval. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
- T(len = ns_format_ttl(t, buf, buflen));
- addlen(len, &buf, &buflen);
- T(spaced = addtab(len, 16, spaced, &buf, &buflen));
- T(addstr("; retry\n", 8, &buf, &buflen));
- spaced = 0;
-
- /* Expiry. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
- T(len = ns_format_ttl(t, buf, buflen));
- addlen(len, &buf, &buflen);
- T(spaced = addtab(len, 16, spaced, &buf, &buflen));
- T(addstr("; expiry\n", 9, &buf, &buflen));
- spaced = 0;
-
- /* Minimum TTL. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
- T(len = ns_format_ttl(t, buf, buflen));
- addlen(len, &buf, &buflen);
- T(addstr(" )", 2, &buf, &buflen));
- T(spaced = addtab(len, 16, spaced, &buf, &buflen));
- T(addstr("; minimum\n", 10, &buf, &buflen));
-
- break;
- }
-
- case ns_t_mx:
- case ns_t_afsdb:
- case ns_t_rt: {
- u_int t;
-
- if (rdlen < (size_t)NS_INT16SZ)
- goto formerr;
-
- /* Priority. */
- t = ns_get16(rdata);
- rdata += NS_INT16SZ;
- len = SPRINTF((tmp, "%u ", t));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Target. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
- break;
- }
-
- case ns_t_px: {
- u_int t;
-
- if (rdlen < (size_t)NS_INT16SZ)
- goto formerr;
-
- /* Priority. */
- t = ns_get16(rdata);
- rdata += NS_INT16SZ;
- len = SPRINTF((tmp, "%u ", t));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Name1. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Name2. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
- break;
- }
-
- case ns_t_x25:
- T(len = charstr(rdata, edata, &buf, &buflen));
- if (len == 0)
- goto formerr;
- rdata += len;
- break;
-
- case ns_t_txt:
- while (rdata < edata) {
- T(len = charstr(rdata, edata, &buf, &buflen));
- if (len == 0)
- goto formerr;
- rdata += len;
- if (rdata < edata)
- T(addstr(" ", 1, &buf, &buflen));
- }
- break;
-
- case ns_t_nsap: {
- char t[2+255*3];
-
- (void) inet_nsap_ntoa(rdlen, rdata, t);
- T(addstr(t, strlen(t), &buf, &buflen));
- break;
- }
-
- case ns_t_aaaa:
- if (rdlen != (size_t)NS_IN6ADDRSZ)
- goto formerr;
- (void) inet_ntop(AF_INET6, rdata, buf, buflen);
- addlen(strlen(buf), &buf, &buflen);
- break;
-
- case ns_t_loc: {
- char t[255];
-
- /* XXX protocol format checking? */
- (void) loc_ntoa(rdata, t);
- T(addstr(t, strlen(t), &buf, &buflen));
- break;
- }
-
- case ns_t_naptr: {
- u_int order, preference;
- char t[50];
-
- if (rdlen < 2U*NS_INT16SZ)
- goto formerr;
-
- /* Order, Precedence. */
- order = ns_get16(rdata); rdata += NS_INT16SZ;
- preference = ns_get16(rdata); rdata += NS_INT16SZ;
- len = SPRINTF((t, "%u %u ", order, preference));
- T(addstr(t, len, &buf, &buflen));
-
- /* Flags. */
- T(len = charstr(rdata, edata, &buf, &buflen));
- if (len == 0)
- goto formerr;
- rdata += len;
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Service. */
- T(len = charstr(rdata, edata, &buf, &buflen));
- if (len == 0)
- goto formerr;
- rdata += len;
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Regexp. */
- T(len = charstr(rdata, edata, &buf, &buflen));
- if (len < 0)
- return (-1);
- if (len == 0)
- goto formerr;
- rdata += len;
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Server. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- break;
- }
-
- case ns_t_srv: {
- u_int priority, weight, port;
- char t[50];
-
- if (rdlen < 3U*NS_INT16SZ)
- goto formerr;
-
- /* Priority, Weight, Port. */
- priority = ns_get16(rdata); rdata += NS_INT16SZ;
- weight = ns_get16(rdata); rdata += NS_INT16SZ;
- port = ns_get16(rdata); rdata += NS_INT16SZ;
- len = SPRINTF((t, "%u %u %u ", priority, weight, port));
- T(addstr(t, len, &buf, &buflen));
-
- /* Server. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- break;
- }
-
- case ns_t_minfo:
- case ns_t_rp:
- /* Name1. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Name2. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
- break;
-
- case ns_t_wks: {
- int n, lcnt;
-
- if (rdlen < 1U + NS_INT32SZ)
- goto formerr;
-
- /* Address. */
- (void) inet_ntop(AF_INET, rdata, buf, buflen);
- addlen(strlen(buf), &buf, &buflen);
- rdata += NS_INADDRSZ;
-
- /* Protocol. */
- len = SPRINTF((tmp, " %u ( ", *rdata));
- T(addstr(tmp, len, &buf, &buflen));
- rdata += NS_INT8SZ;
-
- /* Bit map. */
- n = 0;
- lcnt = 0;
- while (rdata < edata) {
- u_int c = *rdata++;
- do {
- if (c & 0200) {
- if (lcnt == 0) {
- T(addstr("\n\t\t\t\t", 5,
- &buf, &buflen));
- lcnt = 10;
- spaced = 0;
- }
- len = SPRINTF((tmp, "%d ", n));
- T(addstr(tmp, len, &buf, &buflen));
- lcnt--;
- }
- c <<= 1;
- } while (++n & 07);
- }
- T(addstr(")", 1, &buf, &buflen));
-
- break;
- }
-
- case ns_t_key: {
- char base64_key[NS_MD5RSA_MAX_BASE64];
- u_int keyflags, protocol, algorithm, key_id;
- const char *leader;
- int n;
-
- if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ)
- goto formerr;
-
- /* Key flags, Protocol, Algorithm. */
- key_id = dst_s_dns_key_id(rdata, edata-rdata);
- keyflags = ns_get16(rdata); rdata += NS_INT16SZ;
- protocol = *rdata++;
- algorithm = *rdata++;
- len = SPRINTF((tmp, "0x%04x %u %u",
- keyflags, protocol, algorithm));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Public key data. */
- len = b64_ntop(rdata, edata - rdata,
- base64_key, sizeof base64_key);
- if (len < 0)
- goto formerr;
- if (len > 15) {
- T(addstr(" (", 2, &buf, &buflen));
- leader = "\n\t\t";
- spaced = 0;
- } else
- leader = " ";
- for (n = 0; n < len; n += 48) {
- T(addstr(leader, strlen(leader), &buf, &buflen));
- T(addstr(base64_key + n, MIN(len - n, 48),
- &buf, &buflen));
- }
- if (len > 15)
- T(addstr(" )", 2, &buf, &buflen));
- n = SPRINTF((tmp, " ; key_tag= %u", key_id));
- T(addstr(tmp, n, &buf, &buflen));
-
- break;
- }
-
- case ns_t_sig: {
- char base64_key[NS_MD5RSA_MAX_BASE64];
- u_int type, algorithm, labels, footprint;
- const char *leader;
- u_long t;
- int n;
-
- if (rdlen < 22U)
- goto formerr;
-
- /* Type covered, Algorithm, Label count, Original TTL. */
- type = ns_get16(rdata); rdata += NS_INT16SZ;
- algorithm = *rdata++;
- labels = *rdata++;
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- len = SPRINTF((tmp, "%s %d %d %lu ",
- p_type(type), algorithm, labels, t));
- T(addstr(tmp, len, &buf, &buflen));
- if (labels > (u_int)dn_count_labels(name))
- goto formerr;
-
- /* Signature expiry. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- len = SPRINTF((tmp, "%s ", p_secstodate(t)));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Time signed. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- len = SPRINTF((tmp, "%s ", p_secstodate(t)));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Signature Footprint. */
- footprint = ns_get16(rdata); rdata += NS_INT16SZ;
- len = SPRINTF((tmp, "%u ", footprint));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Signer's name. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
- /* Signature. */
- len = b64_ntop(rdata, edata - rdata,
- base64_key, sizeof base64_key);
- if (len > 15) {
- T(addstr(" (", 2, &buf, &buflen));
- leader = "\n\t\t";
- spaced = 0;
- } else
- leader = " ";
- if (len < 0)
- goto formerr;
- for (n = 0; n < len; n += 48) {
- T(addstr(leader, strlen(leader), &buf, &buflen));
- T(addstr(base64_key + n, MIN(len - n, 48),
- &buf, &buflen));
- }
- if (len > 15)
- T(addstr(" )", 2, &buf, &buflen));
- break;
- }
-
- case ns_t_nxt: {
- int n, c;
-
- /* Next domain name. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
- /* Type bit map. */
- n = edata - rdata;
- for (c = 0; c < n*8; c++)
- if (NS_NXT_BIT_ISSET(c, rdata)) {
- len = SPRINTF((tmp, " %s", p_type(c)));
- T(addstr(tmp, len, &buf, &buflen));
- }
- break;
- }
-
- case ns_t_cert: {
- u_int c_type, key_tag, alg;
- int n;
- unsigned int siz;
- char base64_cert[8192], tmp[40];
- const char *leader;
-
- c_type = ns_get16(rdata); rdata += NS_INT16SZ;
- key_tag = ns_get16(rdata); rdata += NS_INT16SZ;
- alg = (u_int) *rdata++;
-
- len = SPRINTF((tmp, "%d %d %d ", c_type, key_tag, alg));
- T(addstr(tmp, len, &buf, &buflen));
- siz = (edata-rdata)*4/3 + 4; /* "+4" accounts for trailing \0 */
- if (siz > sizeof(base64_cert) * 3/4) {
- const char *str = "record too long to print";
- T(addstr(str, strlen(str), &buf, &buflen));
- }
- else {
- len = b64_ntop(rdata, edata-rdata, base64_cert, siz);
-
- if (len < 0)
- goto formerr;
- else if (len > 15) {
- T(addstr(" (", 2, &buf, &buflen));
- leader = "\n\t\t";
- spaced = 0;
- }
- else
- leader = " ";
-
- for (n = 0; n < len; n += 48) {
- T(addstr(leader, strlen(leader),
- &buf, &buflen));
- T(addstr(base64_cert + n, MIN(len - n, 48),
- &buf, &buflen));
- }
- if (len > 15)
- T(addstr(" )", 2, &buf, &buflen));
- }
- break;
- }
-
- case ns_t_tkey: {
- /* KJD - need to complete this */
- u_long t;
- int mode, err, keysize;
-
- /* Algorithm name. */
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" ", 1, &buf, &buflen));
-
- /* Inception. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- len = SPRINTF((tmp, "%s ", p_secstodate(t)));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Experation. */
- t = ns_get32(rdata); rdata += NS_INT32SZ;
- len = SPRINTF((tmp, "%s ", p_secstodate(t)));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* Mode , Error, Key Size. */
- /* Priority, Weight, Port. */
- mode = ns_get16(rdata); rdata += NS_INT16SZ;
- err = ns_get16(rdata); rdata += NS_INT16SZ;
- keysize = ns_get16(rdata); rdata += NS_INT16SZ;
- len = SPRINTF((tmp, "%u %u %u ", mode, err, keysize));
- T(addstr(tmp, len, &buf, &buflen));
-
- /* XXX need to dump key, print otherdata length & other data */
- break;
- }
-
- case ns_t_tsig: {
- /* BEW - need to complete this */
- int n;
-
- T(len = addname(msg, msglen, &rdata, origin, &buf, &buflen));
- T(addstr(" ", 1, &buf, &buflen));
- rdata += 8; /* time */
- n = ns_get16(rdata); rdata += INT16SZ;
- rdata += n; /* sig */
- n = ns_get16(rdata); rdata += INT16SZ; /* original id */
- sprintf(buf, "%d", ns_get16(rdata));
- rdata += INT16SZ;
- addlen(strlen(buf), &buf, &buflen);
- break;
- }
-
- case ns_t_a6: {
- struct in6_addr a;
- int pbyte, pbit;
-
- /* prefix length */
- if (rdlen == 0U) goto formerr;
- len = SPRINTF((tmp, "%d ", *rdata));
- T(addstr(tmp, len, &buf, &buflen));
- pbit = *rdata;
- if (pbit > 128) goto formerr;
- pbyte = (pbit & ~7) / 8;
- rdata++;
-
- /* address suffix: provided only when prefix len != 128 */
- if (pbit < 128) {
- if (rdata + pbyte >= edata) goto formerr;
- memset(&a, 0, sizeof(a));
- memcpy(&a.s6_addr[pbyte], rdata, sizeof(a) - pbyte);
- (void) inet_ntop(AF_INET6, &a, buf, buflen);
- addlen(strlen(buf), &buf, &buflen);
- rdata += sizeof(a) - pbyte;
- }
-
- /* prefix name: provided only when prefix len > 0 */
- if (pbit == 0)
- break;
- if (rdata >= edata) goto formerr;
- T(addstr(" ", 1, &buf, &buflen));
- T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
-
- break;
- }
-
- case ns_t_opt: {
- len = SPRINTF((tmp, "%u bytes", class));
- T(addstr(tmp, len, &buf, &buflen));
- break;
- }
-
- default:
- comment = "unknown RR type";
- goto hexify;
- }
- return (buf - obuf);
- formerr:
- comment = "RR format error";
- hexify: {
- int n, m;
- char *p;
-
- len = SPRINTF((tmp, "\\# %u%s\t; %s", (unsigned)(edata - rdata),
- rdlen != 0U ? " (" : "", comment));
- T(addstr(tmp, len, &buf, &buflen));
- while (rdata < edata) {
- p = tmp;
- p += SPRINTF((p, "\n\t"));
- spaced = 0;
- n = MIN(16, edata - rdata);
- for (m = 0; m < n; m++)
- p += SPRINTF((p, "%02x ", rdata[m]));
- T(addstr(tmp, p - tmp, &buf, &buflen));
- if (n < 16) {
- T(addstr(")", 1, &buf, &buflen));
- T(addtab(p - tmp + 1, 48, spaced, &buf, &buflen));
- }
- p = tmp;
- p += SPRINTF((p, "; "));
- for (m = 0; m < n; m++)
- *p++ = (isascii(rdata[m]) && isprint(rdata[m]))
- ? rdata[m]
- : '.';
- T(addstr(tmp, p - tmp, &buf, &buflen));
- rdata += n;
- }
- return (buf - obuf);
- }
-}
-
-/* Private. */
-
-/*
- * size_t
- * prune_origin(name, origin)
- * Find out if the name is at or under the current origin.
- * return:
- * Number of characters in name before start of origin,
- * or length of name if origin does not match.
- * notes:
- * This function should share code with samedomain().
- */
-static size_t
-prune_origin(const char *name, const char *origin) {
- const char *oname = name;
-
- while (*name != '\0') {
- if (origin != NULL && ns_samename(name, origin) == 1)
- return (name - oname - (name > oname));
- while (*name != '\0') {
- if (*name == '\\') {
- name++;
- /* XXX need to handle \nnn form. */
- if (*name == '\0')
- break;
- } else if (*name == '.') {
- name++;
- break;
- }
- name++;
- }
- }
- return (name - oname);
-}
-
-/*
- * int
- * charstr(rdata, edata, buf, buflen)
- * Format a <character-string> into the presentation buffer.
- * return:
- * Number of rdata octets consumed
- * 0 for protocol format error
- * -1 for output buffer error
- * side effects:
- * buffer is advanced on success.
- */
-static int
-charstr(const u_char *rdata, const u_char *edata, char **buf, size_t *buflen) {
- const u_char *odata = rdata;
- size_t save_buflen = *buflen;
- char *save_buf = *buf;
-
- if (addstr("\"", 1, buf, buflen) < 0)
- goto enospc;
- if (rdata < edata) {
- int n = *rdata;
-
- if (rdata + 1 + n <= edata) {
- rdata++;
- while (n-- > 0) {
- if (strchr("\n\"\\", *rdata) != NULL)
- if (addstr("\\", 1, buf, buflen) < 0)
- goto enospc;
- if (addstr((const char *)rdata, 1,
- buf, buflen) < 0)
- goto enospc;
- rdata++;
- }
- }
- }
- if (addstr("\"", 1, buf, buflen) < 0)
- goto enospc;
- return (rdata - odata);
- enospc:
- errno = ENOSPC;
- *buf = save_buf;
- *buflen = save_buflen;
- return (-1);
-}
-
-static int
-addname(const u_char *msg, size_t msglen,
- const u_char **pp, const char *origin,
- char **buf, size_t *buflen)
-{
- size_t newlen, save_buflen = *buflen;
- char *save_buf = *buf;
- int n;
-
- n = dn_expand(msg, msg + msglen, *pp, *buf, *buflen);
- if (n < 0)
- goto enospc; /* Guess. */
- newlen = prune_origin(*buf, origin);
- if (**buf == '\0') {
- goto root;
- } else if (newlen == 0U) {
- /* Use "@" instead of name. */
- if (newlen + 2 > *buflen)
- goto enospc; /* No room for "@\0". */
- (*buf)[newlen++] = '@';
- (*buf)[newlen] = '\0';
- } else {
- if (((origin == NULL || origin[0] == '\0') ||
- (origin[0] != '.' && origin[1] != '\0' &&
- (*buf)[newlen] == '\0')) && (*buf)[newlen - 1] != '.') {
- /* No trailing dot. */
- root:
- if (newlen + 2 > *buflen)
- goto enospc; /* No room for ".\0". */
- (*buf)[newlen++] = '.';
- (*buf)[newlen] = '\0';
- }
- }
- *pp += n;
- addlen(newlen, buf, buflen);
- **buf = '\0';
- return (newlen);
- enospc:
- errno = ENOSPC;
- *buf = save_buf;
- *buflen = save_buflen;
- return (-1);
-}
-
-static void
-addlen(size_t len, char **buf, size_t *buflen) {
- INSIST(len <= *buflen);
- *buf += len;
- *buflen -= len;
-}
-
-static int
-addstr(const char *src, size_t len, char **buf, size_t *buflen) {
- if (len >= *buflen) {
- errno = ENOSPC;
- return (-1);
- }
- memcpy(*buf, src, len);
- addlen(len, buf, buflen);
- **buf = '\0';
- return (0);
-}
-
-static int
-addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) {
- size_t save_buflen = *buflen;
- char *save_buf = *buf;
- int t;
-
- if (spaced || len >= target - 1) {
- T(addstr(" ", 2, buf, buflen));
- spaced = 1;
- } else {
- for (t = (target - len - 1) / 8; t >= 0; t--)
- if (addstr("\t", 1, buf, buflen) < 0) {
- *buflen = save_buflen;
- *buf = save_buf;
- return (-1);
- }
- spaced = 0;
- }
- return (spaced);
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_samedomain.c b/contrib/bind9/lib/bind/nameser/ns_samedomain.c
deleted file mode 100644
index d4ca550a7ae3..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_samedomain.c
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_samedomain.c,v 1.1.2.2.4.2 2004/03/16 12:34:17 marka Exp $";
-#endif
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <arpa/nameser.h>
-#include <errno.h>
-#include <string.h>
-
-#include "port_after.h"
-
-/*
- * int
- * ns_samedomain(a, b)
- * Check whether a name belongs to a domain.
- * Inputs:
- * a - the domain whose ancestory is being verified
- * b - the potential ancestor we're checking against
- * Return:
- * boolean - is a at or below b?
- * Notes:
- * Trailing dots are first removed from name and domain.
- * Always compare complete subdomains, not only whether the
- * domain name is the trailing string of the given name.
- *
- * "host.foobar.top" lies in "foobar.top" and in "top" and in ""
- * but NOT in "bar.top"
- */
-
-int
-ns_samedomain(const char *a, const char *b) {
- size_t la, lb;
- int diff, i, escaped;
- const char *cp;
-
- la = strlen(a);
- lb = strlen(b);
-
- /* Ignore a trailing label separator (i.e. an unescaped dot) in 'a'. */
- if (la != 0U && a[la - 1] == '.') {
- escaped = 0;
- /* Note this loop doesn't get executed if la==1. */
- for (i = la - 2; i >= 0; i--)
- if (a[i] == '\\') {
- if (escaped)
- escaped = 0;
- else
- escaped = 1;
- } else
- break;
- if (!escaped)
- la--;
- }
-
- /* Ignore a trailing label separator (i.e. an unescaped dot) in 'b'. */
- if (lb != 0U && b[lb - 1] == '.') {
- escaped = 0;
- /* note this loop doesn't get executed if lb==1 */
- for (i = lb - 2; i >= 0; i--)
- if (b[i] == '\\') {
- if (escaped)
- escaped = 0;
- else
- escaped = 1;
- } else
- break;
- if (!escaped)
- lb--;
- }
-
- /* lb == 0 means 'b' is the root domain, so 'a' must be in 'b'. */
- if (lb == 0U)
- return (1);
-
- /* 'b' longer than 'a' means 'a' can't be in 'b'. */
- if (lb > la)
- return (0);
-
- /* 'a' and 'b' being equal at this point indicates sameness. */
- if (lb == la)
- return (strncasecmp(a, b, lb) == 0);
-
- /* Ok, we know la > lb. */
-
- diff = la - lb;
-
- /*
- * If 'a' is only 1 character longer than 'b', then it can't be
- * a subdomain of 'b' (because of the need for the '.' label
- * separator).
- */
- if (diff < 2)
- return (0);
-
- /*
- * If the character before the last 'lb' characters of 'b'
- * isn't '.', then it can't be a match (this lets us avoid
- * having "foobar.com" match "bar.com").
- */
- if (a[diff - 1] != '.')
- return (0);
-
- /*
- * We're not sure about that '.', however. It could be escaped
- * and thus not a really a label separator.
- */
- escaped = 0;
- for (i = diff - 2; i >= 0; i--)
- if (a[i] == '\\') {
- if (escaped)
- escaped = 0;
- else
- escaped = 1;
- } else
- break;
- if (escaped)
- return (0);
-
- /* Now compare aligned trailing substring. */
- cp = a + diff;
- return (strncasecmp(cp, b, lb) == 0);
-}
-
-/*
- * int
- * ns_subdomain(a, b)
- * is "a" a subdomain of "b"?
- */
-int
-ns_subdomain(const char *a, const char *b) {
- return (ns_samename(a, b) != 1 && ns_samedomain(a, b));
-}
-
-/*
- * int
- * ns_makecanon(src, dst, dstsize)
- * make a canonical copy of domain name "src"
- * notes:
- * foo -> foo.
- * foo. -> foo.
- * foo.. -> foo.
- * foo\. -> foo\..
- * foo\\. -> foo\\.
- */
-
-int
-ns_makecanon(const char *src, char *dst, size_t dstsize) {
- size_t n = strlen(src);
-
- if (n + sizeof "." > dstsize) { /* Note: sizeof == 2 */
- errno = EMSGSIZE;
- return (-1);
- }
- strcpy(dst, src);
- while (n >= 1U && dst[n - 1] == '.') /* Ends in "." */
- if (n >= 2U && dst[n - 2] == '\\' && /* Ends in "\." */
- (n < 3U || dst[n - 3] != '\\')) /* But not "\\." */
- break;
- else
- dst[--n] = '\0';
- dst[n++] = '.';
- dst[n] = '\0';
- return (0);
-}
-
-/*
- * int
- * ns_samename(a, b)
- * determine whether domain name "a" is the same as domain name "b"
- * return:
- * -1 on error
- * 0 if names differ
- * 1 if names are the same
- */
-
-int
-ns_samename(const char *a, const char *b) {
- char ta[NS_MAXDNAME], tb[NS_MAXDNAME];
-
- if (ns_makecanon(a, ta, sizeof ta) < 0 ||
- ns_makecanon(b, tb, sizeof tb) < 0)
- return (-1);
- if (strcasecmp(ta, tb) == 0)
- return (1);
- else
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_sign.c b/contrib/bind9/lib/bind/nameser/ns_sign.c
deleted file mode 100644
index 56248a59a800..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_sign.c
+++ /dev/null
@@ -1,380 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.2.4.1 2004/03/09 08:33:45 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <isc/dst.h>
-#include <isc/assertions.h>
-
-#include "port_after.h"
-
-#define BOUNDS_CHECK(ptr, count) \
- do { \
- if ((ptr) + (count) > eob) { \
- errno = EMSGSIZE; \
- return(NS_TSIG_ERROR_NO_SPACE); \
- } \
- } while (0)
-
-/* ns_sign
- * Parameters:
- * msg message to be sent
- * msglen input - length of message
- * output - length of signed message
- * msgsize length of buffer containing message
- * error value to put in the error field
- * key tsig key used for signing
- * querysig (response), the signature in the query
- * querysiglen (response), the length of the signature in the query
- * sig a buffer to hold the generated signature
- * siglen input - length of signature buffer
- * output - length of signature
- *
- * Errors:
- * - bad input data (-1)
- * - bad key / sign failed (-BADKEY)
- * - not enough space (NS_TSIG_ERROR_NO_SPACE)
- */
-int
-ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
- const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
- time_t in_timesigned)
-{
- return(ns_sign2(msg, msglen, msgsize, error, k,
- querysig, querysiglen, sig, siglen,
- in_timesigned, NULL, NULL));
-}
-
-int
-ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
- const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
- time_t in_timesigned, u_char **dnptrs, u_char **lastdnptr)
-{
- HEADER *hp = (HEADER *)msg;
- DST_KEY *key = (DST_KEY *)k;
- u_char *cp = msg + *msglen, *eob = msg + msgsize;
- u_char *lenp;
- u_char *alg;
- int n;
- time_t timesigned;
- u_char name[NS_MAXCDNAME];
-
- dst_init();
- if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
- return (-1);
-
- /* Name. */
- if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
- n = ns_name_pton(key->dk_key_name, name, sizeof name);
- if (n != -1)
- n = ns_name_pack(name, cp, eob - cp,
- (const u_char **)dnptrs,
- (const u_char **)lastdnptr);
-
- } else {
- n = ns_name_pton("", name, sizeof name);
- if (n != -1)
- n = ns_name_pack(name, cp, eob - cp, NULL, NULL);
- }
- if (n < 0)
- return (NS_TSIG_ERROR_NO_SPACE);
- cp += n;
-
- /* Type, class, ttl, length (not filled in yet). */
- BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
- PUTSHORT(ns_t_tsig, cp);
- PUTSHORT(ns_c_any, cp);
- PUTLONG(0, cp); /* TTL */
- lenp = cp;
- cp += 2;
-
- /* Alg. */
- if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
- if (key->dk_alg != KEY_HMAC_MD5)
- return (-ns_r_badkey);
- n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, eob - cp, NULL, NULL);
- }
- else
- n = dn_comp("", cp, eob - cp, NULL, NULL);
- if (n < 0)
- return (NS_TSIG_ERROR_NO_SPACE);
- alg = cp;
- cp += n;
-
- /* Time. */
- BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
- PUTSHORT(0, cp);
- timesigned = time(NULL);
- if (error != ns_r_badtime)
- PUTLONG(timesigned, cp);
- else
- PUTLONG(in_timesigned, cp);
- PUTSHORT(NS_TSIG_FUDGE, cp);
-
- /* Compute the signature. */
- if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
- void *ctx;
- u_char buf[NS_MAXCDNAME], *cp2;
- int n;
-
- dst_sign_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
-
- /* Digest the query signature, if this is a response. */
- if (querysiglen > 0 && querysig != NULL) {
- u_int16_t len_n = htons(querysiglen);
- dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
- (u_char *)&len_n, INT16SZ, NULL, 0);
- dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
- querysig, querysiglen, NULL, 0);
- }
-
- /* Digest the message. */
- dst_sign_data(SIG_MODE_UPDATE, key, &ctx, msg, *msglen,
- NULL, 0);
-
- /* Digest the key name. */
- n = ns_name_ntol(name, buf, sizeof(buf));
- INSIST(n > 0);
- dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
-
- /* Digest the class and TTL. */
- cp2 = buf;
- PUTSHORT(ns_c_any, cp2);
- PUTLONG(0, cp2);
- dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
- NULL, 0);
-
- /* Digest the algorithm. */
- n = ns_name_ntol(alg, buf, sizeof(buf));
- INSIST(n > 0);
- dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
-
- /* Digest the time signed, fudge, error, and other data */
- cp2 = buf;
- PUTSHORT(0, cp2); /* Top 16 bits of time */
- if (error != ns_r_badtime)
- PUTLONG(timesigned, cp2);
- else
- PUTLONG(in_timesigned, cp2);
- PUTSHORT(NS_TSIG_FUDGE, cp2);
- PUTSHORT(error, cp2); /* Error */
- if (error != ns_r_badtime)
- PUTSHORT(0, cp2); /* Other data length */
- else {
- PUTSHORT(INT16SZ+INT32SZ, cp2); /* Other data length */
- PUTSHORT(0, cp2); /* Top 16 bits of time */
- PUTLONG(timesigned, cp2);
- }
- dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
- NULL, 0);
-
- n = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
- sig, *siglen);
- if (n < 0)
- return (-ns_r_badkey);
- *siglen = n;
- } else
- *siglen = 0;
-
- /* Add the signature. */
- BOUNDS_CHECK(cp, INT16SZ + (*siglen));
- PUTSHORT(*siglen, cp);
- memcpy(cp, sig, *siglen);
- cp += (*siglen);
-
- /* The original message ID & error. */
- BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
- PUTSHORT(ntohs(hp->id), cp); /* already in network order */
- PUTSHORT(error, cp);
-
- /* Other data. */
- BOUNDS_CHECK(cp, INT16SZ);
- if (error != ns_r_badtime)
- PUTSHORT(0, cp); /* Other data length */
- else {
- PUTSHORT(INT16SZ+INT32SZ, cp); /* Other data length */
- BOUNDS_CHECK(cp, INT32SZ+INT16SZ);
- PUTSHORT(0, cp); /* Top 16 bits of time */
- PUTLONG(timesigned, cp);
- }
-
- /* Go back and fill in the length. */
- PUTSHORT(cp - lenp - INT16SZ, lenp);
-
- hp->arcount = htons(ntohs(hp->arcount) + 1);
- *msglen = (cp - msg);
- return (0);
-}
-
-int
-ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
- ns_tcp_tsig_state *state)
-{
- dst_init();
- if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
- return (-1);
- state->counter = -1;
- state->key = k;
- if (state->key->dk_alg != KEY_HMAC_MD5)
- return (-ns_r_badkey);
- if (querysiglen > (int)sizeof(state->sig))
- return (-1);
- memcpy(state->sig, querysig, querysiglen);
- state->siglen = querysiglen;
- return (0);
-}
-
-int
-ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
- ns_tcp_tsig_state *state, int done)
-{
- return (ns_sign_tcp2(msg, msglen, msgsize, error, state,
- done, NULL, NULL));
-}
-
-int
-ns_sign_tcp2(u_char *msg, int *msglen, int msgsize, int error,
- ns_tcp_tsig_state *state, int done,
- u_char **dnptrs, u_char **lastdnptr)
-{
- u_char *cp, *eob, *lenp;
- u_char buf[MAXDNAME], *cp2;
- HEADER *hp = (HEADER *)msg;
- time_t timesigned;
- int n;
-
- if (msg == NULL || msglen == NULL || state == NULL)
- return (-1);
-
- state->counter++;
- if (state->counter == 0)
- return (ns_sign2(msg, msglen, msgsize, error, state->key,
- state->sig, state->siglen,
- state->sig, &state->siglen, 0,
- dnptrs, lastdnptr));
-
- if (state->siglen > 0) {
- u_int16_t siglen_n = htons(state->siglen);
- dst_sign_data(SIG_MODE_INIT, state->key, &state->ctx,
- NULL, 0, NULL, 0);
- dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- (u_char *)&siglen_n, INT16SZ, NULL, 0);
- dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- state->sig, state->siglen, NULL, 0);
- state->siglen = 0;
- }
-
- dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx, msg, *msglen,
- NULL, 0);
-
- if (done == 0 && (state->counter % 100 != 0))
- return (0);
-
- cp = msg + *msglen;
- eob = msg + msgsize;
-
- /* Name. */
- n = dn_comp(state->key->dk_key_name, cp, eob - cp, dnptrs, lastdnptr);
- if (n < 0)
- return (NS_TSIG_ERROR_NO_SPACE);
- cp += n;
-
- /* Type, class, ttl, length (not filled in yet). */
- BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
- PUTSHORT(ns_t_tsig, cp);
- PUTSHORT(ns_c_any, cp);
- PUTLONG(0, cp); /* TTL */
- lenp = cp;
- cp += 2;
-
- /* Alg. */
- n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, eob - cp, NULL, NULL);
- if (n < 0)
- return (NS_TSIG_ERROR_NO_SPACE);
- cp += n;
-
- /* Time. */
- BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
- PUTSHORT(0, cp);
- timesigned = time(NULL);
- PUTLONG(timesigned, cp);
- PUTSHORT(NS_TSIG_FUDGE, cp);
-
- /*
- * Compute the signature.
- */
-
- /* Digest the time signed and fudge. */
- cp2 = buf;
- PUTSHORT(0, cp2); /* Top 16 bits of time */
- PUTLONG(timesigned, cp2);
- PUTSHORT(NS_TSIG_FUDGE, cp2);
-
- dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- buf, cp2 - buf, NULL, 0);
-
- n = dst_sign_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
- state->sig, sizeof(state->sig));
- if (n < 0)
- return (-ns_r_badkey);
- state->siglen = n;
-
- /* Add the signature. */
- BOUNDS_CHECK(cp, INT16SZ + state->siglen);
- PUTSHORT(state->siglen, cp);
- memcpy(cp, state->sig, state->siglen);
- cp += state->siglen;
-
- /* The original message ID & error. */
- BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
- PUTSHORT(ntohs(hp->id), cp); /* already in network order */
- PUTSHORT(error, cp);
-
- /* Other data. */
- BOUNDS_CHECK(cp, INT16SZ);
- PUTSHORT(0, cp);
-
- /* Go back and fill in the length. */
- PUTSHORT(cp - lenp - INT16SZ, lenp);
-
- hp->arcount = htons(ntohs(hp->arcount) + 1);
- *msglen = (cp - msg);
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_ttl.c b/contrib/bind9/lib/bind/nameser/ns_ttl.c
deleted file mode 100644
index 4d18d3f281db..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_ttl.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_ttl.c,v 1.1.206.2 2005/07/28 07:43:21 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) ((size_t)sprintf x)
-#endif
-
-/* Forward. */
-
-static int fmt1(int t, char s, char **buf, size_t *buflen);
-
-/* Macros. */
-
-#define T(x) if ((x) < 0) return (-1); else (void)NULL
-
-/* Public. */
-
-int
-ns_format_ttl(u_long src, char *dst, size_t dstlen) {
- char *odst = dst;
- int secs, mins, hours, days, weeks, x;
- char *p;
-
- secs = src % 60; src /= 60;
- mins = src % 60; src /= 60;
- hours = src % 24; src /= 24;
- days = src % 7; src /= 7;
- weeks = src; src = 0;
-
- x = 0;
- if (weeks) {
- T(fmt1(weeks, 'W', &dst, &dstlen));
- x++;
- }
- if (days) {
- T(fmt1(days, 'D', &dst, &dstlen));
- x++;
- }
- if (hours) {
- T(fmt1(hours, 'H', &dst, &dstlen));
- x++;
- }
- if (mins) {
- T(fmt1(mins, 'M', &dst, &dstlen));
- x++;
- }
- if (secs || !(weeks || days || hours || mins)) {
- T(fmt1(secs, 'S', &dst, &dstlen));
- x++;
- }
-
- if (x > 1) {
- int ch;
-
- for (p = odst; (ch = *p) != '\0'; p++)
- if (isascii(ch) && isupper(ch))
- *p = tolower(ch);
- }
-
- return (dst - odst);
-}
-
-int
-ns_parse_ttl(const char *src, u_long *dst) {
- u_long ttl, tmp;
- int ch, digits, dirty;
-
- ttl = 0;
- tmp = 0;
- digits = 0;
- dirty = 0;
- while ((ch = *src++) != '\0') {
- if (!isascii(ch) || !isprint(ch))
- goto einval;
- if (isdigit(ch)) {
- tmp *= 10;
- tmp += (ch - '0');
- digits++;
- continue;
- }
- if (digits == 0)
- goto einval;
- if (islower(ch))
- ch = toupper(ch);
- switch (ch) {
- case 'W': tmp *= 7;
- case 'D': tmp *= 24;
- case 'H': tmp *= 60;
- case 'M': tmp *= 60;
- case 'S': break;
- default: goto einval;
- }
- ttl += tmp;
- tmp = 0;
- digits = 0;
- dirty = 1;
- }
- if (digits > 0) {
- if (dirty)
- goto einval;
- else
- ttl += tmp;
- } else if (!dirty)
- goto einval;
- *dst = ttl;
- return (0);
-
- einval:
- errno = EINVAL;
- return (-1);
-}
-
-/* Private. */
-
-static int
-fmt1(int t, char s, char **buf, size_t *buflen) {
- char tmp[50];
- size_t len;
-
- len = SPRINTF((tmp, "%d%c", t, s));
- if (len + 1 > *buflen)
- return (-1);
- strcpy(*buf, tmp);
- *buf += len;
- *buflen -= len;
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/nameser/ns_verify.c b/contrib/bind9/lib/bind/nameser/ns_verify.c
deleted file mode 100644
index adda249bb4c3..000000000000
--- a/contrib/bind9/lib/bind/nameser/ns_verify.c
+++ /dev/null
@@ -1,479 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef lint
-static const char rcsid[] = "$Id: ns_verify.c,v 1.1.206.2 2005/10/11 00:48:16 marka Exp $";
-#endif
-
-/* Import. */
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <isc/dst.h>
-
-#include "port_after.h"
-
-/* Private. */
-
-#define BOUNDS_CHECK(ptr, count) \
- do { \
- if ((ptr) + (count) > eom) { \
- return (NS_TSIG_ERROR_FORMERR); \
- } \
- } while (0)
-
-/* Public. */
-
-u_char *
-ns_find_tsig(u_char *msg, u_char *eom) {
- HEADER *hp = (HEADER *)msg;
- int n, type;
- u_char *cp = msg, *start;
-
- if (msg == NULL || eom == NULL || msg > eom)
- return (NULL);
-
- if (cp + HFIXEDSZ >= eom)
- return (NULL);
-
- if (hp->arcount == 0)
- return (NULL);
-
- cp += HFIXEDSZ;
-
- n = ns_skiprr(cp, eom, ns_s_qd, ntohs(hp->qdcount));
- if (n < 0)
- return (NULL);
- cp += n;
-
- n = ns_skiprr(cp, eom, ns_s_an, ntohs(hp->ancount));
- if (n < 0)
- return (NULL);
- cp += n;
-
- n = ns_skiprr(cp, eom, ns_s_ns, ntohs(hp->nscount));
- if (n < 0)
- return (NULL);
- cp += n;
-
- n = ns_skiprr(cp, eom, ns_s_ar, ntohs(hp->arcount) - 1);
- if (n < 0)
- return (NULL);
- cp += n;
-
- start = cp;
- n = dn_skipname(cp, eom);
- if (n < 0)
- return (NULL);
- cp += n;
- if (cp + INT16SZ >= eom)
- return (NULL);
-
- GETSHORT(type, cp);
- if (type != ns_t_tsig)
- return (NULL);
- return (start);
-}
-
-/* ns_verify
- * Parameters:
- * statp res stuff
- * msg received message
- * msglen length of message
- * key tsig key used for verifying.
- * querysig (response), the signature in the query
- * querysiglen (response), the length of the signature in the query
- * sig (query), a buffer to hold the signature
- * siglen (query), input - length of signature buffer
- * output - length of signature
- *
- * Errors:
- * - bad input (-1)
- * - invalid dns message (NS_TSIG_ERROR_FORMERR)
- * - TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
- * - key doesn't match (-ns_r_badkey)
- * - TSIG verification fails with BADKEY (-ns_r_badkey)
- * - TSIG verification fails with BADSIG (-ns_r_badsig)
- * - TSIG verification fails with BADTIME (-ns_r_badtime)
- * - TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
- * - TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
- * - TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
- */
-int
-ns_verify(u_char *msg, int *msglen, void *k,
- const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
- time_t *timesigned, int nostrip)
-{
- HEADER *hp = (HEADER *)msg;
- DST_KEY *key = (DST_KEY *)k;
- u_char *cp = msg, *eom;
- char name[MAXDNAME], alg[MAXDNAME];
- u_char *recstart, *rdatastart;
- u_char *sigstart, *otherstart;
- int n;
- int error;
- u_int16_t type, length;
- u_int16_t fudge, sigfieldlen, otherfieldlen;
-
- dst_init();
- if (msg == NULL || msglen == NULL || *msglen < 0)
- return (-1);
-
- eom = msg + *msglen;
-
- recstart = ns_find_tsig(msg, eom);
- if (recstart == NULL)
- return (NS_TSIG_ERROR_NO_TSIG);
-
- cp = recstart;
-
- /* Read the key name. */
- n = dn_expand(msg, eom, cp, name, MAXDNAME);
- if (n < 0)
- return (NS_TSIG_ERROR_FORMERR);
- cp += n;
-
- /* Read the type. */
- BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
- GETSHORT(type, cp);
- if (type != ns_t_tsig)
- return (NS_TSIG_ERROR_NO_TSIG);
-
- /* Skip the class and TTL, save the length. */
- cp += INT16SZ + INT32SZ;
- GETSHORT(length, cp);
- if (eom - cp != length)
- return (NS_TSIG_ERROR_FORMERR);
-
- /* Read the algorithm name. */
- rdatastart = cp;
- n = dn_expand(msg, eom, cp, alg, MAXDNAME);
- if (n < 0)
- return (NS_TSIG_ERROR_FORMERR);
- if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
- return (-ns_r_badkey);
- cp += n;
-
- /* Read the time signed and fudge. */
- BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
- cp += INT16SZ;
- GETLONG((*timesigned), cp);
- GETSHORT(fudge, cp);
-
- /* Read the signature. */
- BOUNDS_CHECK(cp, INT16SZ);
- GETSHORT(sigfieldlen, cp);
- BOUNDS_CHECK(cp, sigfieldlen);
- sigstart = cp;
- cp += sigfieldlen;
-
- /* Skip id and read error. */
- BOUNDS_CHECK(cp, 2*INT16SZ);
- cp += INT16SZ;
- GETSHORT(error, cp);
-
- /* Parse the other data. */
- BOUNDS_CHECK(cp, INT16SZ);
- GETSHORT(otherfieldlen, cp);
- BOUNDS_CHECK(cp, otherfieldlen);
- otherstart = cp;
- cp += otherfieldlen;
-
- if (cp != eom)
- return (NS_TSIG_ERROR_FORMERR);
-
- /* Verify that the key used is OK. */
- if (key != NULL) {
- if (key->dk_alg != KEY_HMAC_MD5)
- return (-ns_r_badkey);
- if (error != ns_r_badsig && error != ns_r_badkey) {
- if (ns_samename(key->dk_key_name, name) != 1)
- return (-ns_r_badkey);
- }
- }
-
- hp->arcount = htons(ntohs(hp->arcount) - 1);
-
- /*
- * Do the verification.
- */
-
- if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
- void *ctx;
- u_char buf[MAXDNAME];
- u_char buf2[MAXDNAME];
-
- /* Digest the query signature, if this is a response. */
- dst_verify_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
- if (querysiglen > 0 && querysig != NULL) {
- u_int16_t len_n = htons(querysiglen);
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
- (u_char *)&len_n, INT16SZ, NULL, 0);
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
- querysig, querysiglen, NULL, 0);
- }
-
- /* Digest the message. */
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx, msg, recstart - msg,
- NULL, 0);
-
- /* Digest the key name. */
- n = ns_name_pton(name, buf2, sizeof(buf2));
- if (n < 0)
- return (-1);
- n = ns_name_ntol(buf2, buf, sizeof(buf));
- if (n < 0)
- return (-1);
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
-
- /* Digest the class and TTL. */
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
- recstart + dn_skipname(recstart, eom) + INT16SZ,
- INT16SZ + INT32SZ, NULL, 0);
-
- /* Digest the algorithm. */
- n = ns_name_pton(alg, buf2, sizeof(buf2));
- if (n < 0)
- return (-1);
- n = ns_name_ntol(buf2, buf, sizeof(buf));
- if (n < 0)
- return (-1);
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
-
- /* Digest the time signed and fudge. */
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
- rdatastart + dn_skipname(rdatastart, eom),
- INT16SZ + INT32SZ + INT16SZ, NULL, 0);
-
- /* Digest the error and other data. */
- dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
- otherstart - INT16SZ - INT16SZ,
- otherfieldlen + INT16SZ + INT16SZ, NULL, 0);
-
- n = dst_verify_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
- sigstart, sigfieldlen);
-
- if (n < 0)
- return (-ns_r_badsig);
-
- if (sig != NULL && siglen != NULL) {
- if (*siglen < sigfieldlen)
- return (NS_TSIG_ERROR_NO_SPACE);
- memcpy(sig, sigstart, sigfieldlen);
- *siglen = sigfieldlen;
- }
- } else {
- if (sigfieldlen > 0)
- return (NS_TSIG_ERROR_FORMERR);
- if (sig != NULL && siglen != NULL)
- *siglen = 0;
- }
-
- /* Reset the counter, since we still need to check for badtime. */
- hp->arcount = htons(ntohs(hp->arcount) + 1);
-
- /* Verify the time. */
- if (abs((*timesigned) - time(NULL)) > fudge)
- return (-ns_r_badtime);
-
- if (nostrip == 0) {
- *msglen = recstart - msg;
- hp->arcount = htons(ntohs(hp->arcount) - 1);
- }
-
- if (error != NOERROR)
- return (error);
-
- return (0);
-}
-
-int
-ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
- ns_tcp_tsig_state *state)
-{
- dst_init();
- if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
- return (-1);
- state->counter = -1;
- state->key = k;
- if (state->key->dk_alg != KEY_HMAC_MD5)
- return (-ns_r_badkey);
- if (querysiglen > (int)sizeof(state->sig))
- return (-1);
- memcpy(state->sig, querysig, querysiglen);
- state->siglen = querysiglen;
- return (0);
-}
-
-int
-ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
- int required)
-{
- HEADER *hp = (HEADER *)msg;
- u_char *recstart, *sigstart;
- unsigned int sigfieldlen, otherfieldlen;
- u_char *cp, *eom = msg + *msglen, *cp2;
- char name[MAXDNAME], alg[MAXDNAME];
- u_char buf[MAXDNAME];
- int n, type, length, fudge, error;
- time_t timesigned;
-
- if (msg == NULL || msglen == NULL || state == NULL)
- return (-1);
-
- state->counter++;
- if (state->counter == 0)
- return (ns_verify(msg, msglen, state->key,
- state->sig, state->siglen,
- state->sig, &state->siglen, &timesigned, 0));
-
- if (state->siglen > 0) {
- u_int16_t siglen_n = htons(state->siglen);
-
- dst_verify_data(SIG_MODE_INIT, state->key, &state->ctx,
- NULL, 0, NULL, 0);
- dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- (u_char *)&siglen_n, INT16SZ, NULL, 0);
- dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- state->sig, state->siglen, NULL, 0);
- state->siglen = 0;
- }
-
- cp = recstart = ns_find_tsig(msg, eom);
-
- if (recstart == NULL) {
- if (required)
- return (NS_TSIG_ERROR_NO_TSIG);
- dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- msg, *msglen, NULL, 0);
- return (0);
- }
-
- hp->arcount = htons(ntohs(hp->arcount) - 1);
- dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- msg, recstart - msg, NULL, 0);
-
- /* Read the key name. */
- n = dn_expand(msg, eom, cp, name, MAXDNAME);
- if (n < 0)
- return (NS_TSIG_ERROR_FORMERR);
- cp += n;
-
- /* Read the type. */
- BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
- GETSHORT(type, cp);
- if (type != ns_t_tsig)
- return (NS_TSIG_ERROR_NO_TSIG);
-
- /* Skip the class and TTL, save the length. */
- cp += INT16SZ + INT32SZ;
- GETSHORT(length, cp);
- if (eom - cp != length)
- return (NS_TSIG_ERROR_FORMERR);
-
- /* Read the algorithm name. */
- n = dn_expand(msg, eom, cp, alg, MAXDNAME);
- if (n < 0)
- return (NS_TSIG_ERROR_FORMERR);
- if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
- return (-ns_r_badkey);
- cp += n;
-
- /* Verify that the key used is OK. */
- if ((ns_samename(state->key->dk_key_name, name) != 1 ||
- state->key->dk_alg != KEY_HMAC_MD5))
- return (-ns_r_badkey);
-
- /* Read the time signed and fudge. */
- BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
- cp += INT16SZ;
- GETLONG(timesigned, cp);
- GETSHORT(fudge, cp);
-
- /* Read the signature. */
- BOUNDS_CHECK(cp, INT16SZ);
- GETSHORT(sigfieldlen, cp);
- BOUNDS_CHECK(cp, sigfieldlen);
- sigstart = cp;
- cp += sigfieldlen;
-
- /* Skip id and read error. */
- BOUNDS_CHECK(cp, 2*INT16SZ);
- cp += INT16SZ;
- GETSHORT(error, cp);
-
- /* Parse the other data. */
- BOUNDS_CHECK(cp, INT16SZ);
- GETSHORT(otherfieldlen, cp);
- BOUNDS_CHECK(cp, otherfieldlen);
- cp += otherfieldlen;
-
- if (cp != eom)
- return (NS_TSIG_ERROR_FORMERR);
-
- /*
- * Do the verification.
- */
-
- /* Digest the time signed and fudge. */
- cp2 = buf;
- PUTSHORT(0, cp2); /* Top 16 bits of time. */
- PUTLONG(timesigned, cp2);
- PUTSHORT(NS_TSIG_FUDGE, cp2);
-
- dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
- buf, cp2 - buf, NULL, 0);
-
- n = dst_verify_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
- sigstart, sigfieldlen);
- if (n < 0)
- return (-ns_r_badsig);
-
- if (sigfieldlen > sizeof(state->sig))
- return (NS_TSIG_ERROR_NO_SPACE);
-
- memcpy(state->sig, sigstart, sigfieldlen);
- state->siglen = sigfieldlen;
-
- /* Verify the time. */
- if (abs(timesigned - time(NULL)) > fudge)
- return (-ns_r_badtime);
-
- *msglen = recstart - msg;
-
- if (error != NOERROR)
- return (error);
-
- return (0);
-}
diff --git a/contrib/bind9/lib/bind/port/Makefile.in b/contrib/bind9/lib/bind/port/Makefile.in
deleted file mode 100644
index 99e59854895b..000000000000
--- a/contrib/bind9/lib/bind/port/Makefile.in
+++ /dev/null
@@ -1,14 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
diff --git a/contrib/bind9/lib/bind/port/freebsd/Makefile.in b/contrib/bind9/lib/bind/port/freebsd/Makefile.in
deleted file mode 100644
index 99e59854895b..000000000000
--- a/contrib/bind9/lib/bind/port/freebsd/Makefile.in
+++ /dev/null
@@ -1,14 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
diff --git a/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in b/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in
deleted file mode 100644
index c18acf297f7c..000000000000
--- a/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:47 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-HEADERS= sys/bitypes.h
-
-all:
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/sys
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/sys; \
- done
diff --git a/contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h b/contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h
deleted file mode 100644
index ef3a6d483208..000000000000
--- a/contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef __BIT_TYPES_DEFINED__
-#define __BIT_TYPES_DEFINED__
-
- /*
- * Basic integral types. Omit the typedef if
- * not possible for a machine/compiler combination.
- */
- typedef /*signed*/ char int8_t;
- typedef unsigned char u_int8_t;
- typedef short int16_t;
- typedef unsigned short u_int16_t;
- typedef int int32_t;
- typedef unsigned int u_int32_t;
-
-# if 0 /* don't fight with these unless you need them */
- typedef long long int64_t;
- typedef unsigned long long u_int64_t;
-# endif
-
-#endif /* __BIT_TYPES_DEFINED__ */
diff --git a/contrib/bind9/lib/bind/port_after.h.in b/contrib/bind9/lib/bind/port_after.h.in
deleted file mode 100644
index 0c956b71ed0e..000000000000
--- a/contrib/bind9/lib/bind/port_after.h.in
+++ /dev/null
@@ -1,411 +0,0 @@
-#ifndef port_after_h
-#define port_after_h
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/param.h>
-#if (!defined(BSD)) || (BSD < 199306)
-#include <sys/bitypes.h>
-#endif
-#ifdef HAVE_INTTYPES_H
-#include <inttypes.h>
-#endif
-
-@NEED_PSELECT@
-@HAVE_SA_LEN@
-@HAVE_MINIMUM_IFREQ@
-@NEED_DAEMON@
-@NEED_STRSEP@
-@NEED_STRERROR@
-@HAS_INET6_STRUCTS@
-@HAVE_SIN6_SCOPE_ID@
-@NEED_IN6ADDR_ANY@
-@HAS_IN_ADDR6@
-@HAVE_SOCKADDR_STORAGE@
-@NEED_GETTIMEOFDAY@
-@HAVE_STRNDUP@
-@USE_FIONBIO_IOCTL@
-@USE_SYSERROR_LIST@
-@INNETGR_ARGS@
-@SETNETGRENT_ARGS@
-@USE_IFNAMELINKID@
-@PORT_NONBLOCK@
-
-/*
- * We need to know the IPv6 address family number even on IPv4-only systems.
- * Note that this is NOT a protocol constant, and that if the system has its
- * own AF_INET6, different from ours below, all of BIND's libraries and
- * executables will need to be recompiled after the system <sys/socket.h>
- * has had this type added. The type number below is correct on most BSD-
- * derived systems for which AF_INET6 is defined.
- */
-#ifndef AF_INET6
-#define AF_INET6 24
-#endif
-
-#ifndef PF_INET6
-#define PF_INET6 AF_INET6
-#endif
-
-#ifdef HAS_IN_ADDR6
-/* Map to pre-RFC structure. */
-#define in6_addr in_addr6
-#endif
-
-#ifndef HAS_INET6_STRUCTS
-/* Replace with structure from later rev of O/S if known. */
-struct in6_addr {
- u_int8_t s6_addr[16];
-};
-
-#define IN6ADDR_ANY_INIT \
- {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }}
-
-#define IN6ADDR_LOOPBACK_INIT \
- {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }}
-
-/* Replace with structure from later rev of O/S if known. */
-struct sockaddr_in6 {
-#ifdef HAVE_SA_LEN
- u_int8_t sin6_len; /* length of this struct */
- u_int8_t sin6_family; /* AF_INET6 */
-#else
- u_int16_t sin6_family; /* AF_INET6 */
-#endif
- u_int16_t sin6_port; /* transport layer port # */
- u_int32_t sin6_flowinfo; /* IPv6 flow information */
- struct in6_addr sin6_addr; /* IPv6 address */
- u_int32_t sin6_scope_id; /* set of interfaces for a scope */
-};
-#endif /* HAS_INET6_STRUCTS */
-
-#ifdef BROKEN_IN6ADDR_INIT_MACROS
-#undef IN6ADDR_ANY_INIT
-#undef IN6ADDR_LOOPBACK_INIT
-#endif
-
-#ifdef _AIX
-#ifndef IN6ADDR_ANY_INIT
-#define IN6ADDR_ANY_INIT {{{ 0, 0, 0, 0 }}}
-#endif
-#ifndef IN6ADDR_LOOPBACK_INIT
-#if BYTE_ORDER == BIG_ENDIAN
-#define IN6ADDR_LOOPBACK_INIT {{{ 0, 0, 0, 1 }}}
-#else
-#define IN6ADDR_LOOPBACK_INIT {{{0, 0, 0, 0x01000000}}}
-#endif
-#endif
-#endif
-
-#ifndef IN6ADDR_ANY_INIT
-#ifdef s6_addr
-#define IN6ADDR_ANY_INIT \
- {{{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }}}
-#else
-#define IN6ADDR_ANY_INIT \
- {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }}
-#endif
-
-#endif
-#ifndef IN6ADDR_LOOPBACK_INIT
-#ifdef s6_addr
-#define IN6ADDR_LOOPBACK_INIT \
- {{{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }}}
-#else
-#define IN6ADDR_LOOPBACK_INIT \
- {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }}
-#endif
-#endif
-
-#ifndef HAVE_SOCKADDR_STORAGE
-#define __SS_MAXSIZE 128
-#define __SS_ALLIGSIZE (sizeof (long))
-
-struct sockaddr_storage {
-#ifdef HAVE_SA_LEN
- u_int8_t ss_len; /* address length */
- u_int8_t ss_family; /* address family */
- char __ss_pad1[__SS_ALLIGSIZE - 2 * sizeof(u_int8_t)];
- long __ss_align;
- char __ss_pad2[__SS_MAXSIZE - 2 * __SS_ALLIGSIZE];
-#else
- u_int16_t ss_family; /* address family */
- char __ss_pad1[__SS_ALLIGSIZE - sizeof(u_int16_t)];
- long __ss_align;
- char __ss_pad2[__SS_MAXSIZE - 2 * __SS_ALLIGSIZE];
-#endif
-};
-#endif
-
-
-#if !defined(HAS_INET6_STRUCTS) || defined(NEED_IN6ADDR_ANY)
-#define in6addr_any isc_in6addr_any
-extern const struct in6_addr in6addr_any;
-#endif
-
-/*
- * IN6_ARE_ADDR_EQUAL, IN6_IS_ADDR_UNSPECIFIED, IN6_IS_ADDR_V4COMPAT and
- * IN6_IS_ADDR_V4MAPPED are broken in glibc 2.1.
- */
-#ifdef __GLIBC__
-#if __GLIBC__ < 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ < 2)
-#undef IN6_ARE_ADDR_EQUAL
-#undef IN6_IS_ADDR_UNSPECIFIED
-#undef IN6_IS_ADDR_V4COMPAT
-#undef IN6_IS_ADDR_V4MAPPED
-#endif
-#endif
-
-#ifndef IN6_ARE_ADDR_EQUAL
-#define IN6_ARE_ADDR_EQUAL(a,b) \
- (memcmp(&(a)->s6_addr[0], &(b)->s6_addr[0], sizeof(struct in6_addr)) == 0)
-#endif
-
-#ifndef IN6_IS_ADDR_UNSPECIFIED
-#define IN6_IS_ADDR_UNSPECIFIED(a) \
- IN6_ARE_ADDR_EQUAL(a, &in6addr_any)
-#endif
-
-#ifndef IN6_IS_ADDR_LOOPBACK
-extern const struct in6_addr isc_in6addr_loopback;
-#define IN6_IS_ADDR_LOOPBACK(a) \
- IN6_ARE_ADDR_EQUAL(a, &isc_in6addr_loopback)
-#endif
-
-#ifndef IN6_IS_ADDR_V4MAPPED
-#define IN6_IS_ADDR_V4MAPPED(a) \
- ((a)->s6_addr[0] == 0x00 && (a)->s6_addr[1] == 0x00 && \
- (a)->s6_addr[2] == 0x00 && (a)->s6_addr[3] == 0x00 && \
- (a)->s6_addr[4] == 0x00 && (a)->s6_addr[5] == 0x00 && \
- (a)->s6_addr[6] == 0x00 && (a)->s6_addr[9] == 0x00 && \
- (a)->s6_addr[8] == 0x00 && (a)->s6_addr[9] == 0x00 && \
- (a)->s6_addr[10] == 0xff && (a)->s6_addr[11] == 0xff)
-#endif
-
-#ifndef IN6_IS_ADDR_SITELOCAL
-#define IN6_IS_ADDR_SITELOCAL(a) \
- (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
-#endif
-
-#ifndef IN6_IS_ADDR_LINKLOCAL
-#define IN6_IS_ADDR_LINKLOCAL(a) \
- (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
-#endif
-
-#ifndef IN6_IS_ADDR_MULTICAST
-#define IN6_IS_ADDR_MULTICAST(a) ((a)->s6_addr[0] == 0xff)
-#endif
-
-#ifndef __IPV6_ADDR_MC_SCOPE
-#define __IPV6_ADDR_MC_SCOPE(a) ((a)->s6_addr[1] & 0x0f)
-#endif
-
-#ifndef __IPV6_ADDR_SCOPE_SITELOCAL
-#define __IPV6_ADDR_SCOPE_SITELOCAL 0x05
-#endif
-#ifndef __IPV6_ADDR_SCOPE_ORGLOCAL
-#define __IPV6_ADDR_SCOPE_ORGLOCAL 0x08
-#endif
-
-#ifndef IN6_IS_ADDR_MC_SITELOCAL
-#define IN6_IS_ADDR_MC_SITELOCAL(a) \
- (IN6_IS_ADDR_MULTICAST(a) && \
- (__IPV6_ADDR_MC_SCOPE(a) == __IPV6_ADDR_SCOPE_SITELOCAL))
-#endif
-
-#ifndef IN6_IS_ADDR_MC_ORGLOCAL
-#define IN6_IS_ADDR_MC_ORGLOCAL(a) \
- (IN6_IS_ADDR_MULTICAST(a) && \
- (__IPV6_ADDR_MC_SCOPE(a) == __IPV6_ADDR_SCOPE_ORGLOCAL))
-#endif
-
-#ifndef INADDR_NONE
-#define INADDR_NONE 0xffffffff
-#endif
-
-#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 256
-#endif
-
-#ifndef INET6_ADDRSTRLEN
-/* sizeof("aaaa:bbbb:cccc:dddd:eeee:ffff:123.123.123.123") */
-#define INET6_ADDRSTRLEN 46
-#endif
-
-#ifndef MIN
-#define MIN(x,y) (((x) <= (y)) ? (x) : (y))
-#endif
-
-#ifndef MAX
-#define MAX(x,y) (((x) >= (y)) ? (x) : (y))
-#endif
-
-#ifdef NEED_DAEMON
-int daemon(int nochdir, int noclose);
-#endif
-
-#ifdef NEED_STRSEP
-char * strsep(char **stringp, const char *delim);
-#endif
-
-#ifndef ALIGN
-#define ALIGN(p) (((uintptr_t)(p) + (sizeof(long) - 1)) & ~(sizeof(long) - 1))
-#endif
-
-#ifdef NEED_SETGROUPENT
-int setgroupent(int stayopen);
-#endif
-
-#ifdef NEED_GETGROUPLIST
-int getgrouplist(GETGROUPLIST_ARGS);
-#endif
-
-#ifdef POSIX_GETGRNAM_R
-int
-__posix_getgrnam_r(const char *, struct group *, char *, int, struct group **);
-#endif
-
-#ifdef NEED_GETGRNAM_R
-int
-getgrnam_r(const char *, struct group *, char *, size_t, struct group **);
-#endif
-
-#ifdef POSIX_GETGRGID_R
-int
-__posix_getgrgid_r(gid_t, struct group *, char *, int, struct group **) ;
-#endif
-
-#ifdef NEED_GETGRGID_R
-int
-getgrgid_r(gid_t, struct group *, char *, size_t, struct group **);
-#endif
-
-#ifdef NEED_GETGRENT_R
-GROUP_R_RETURN getgrent_r(struct group *gptr, GROUP_R_ARGS);
-#endif
-
-#ifdef NEED_SETGRENT_R
-GROUP_R_SET_RETURN setgrent_r(GROUP_R_ENT_ARGS);
-#endif
-
-#ifdef NEED_ENDGRENT_R
-GROUP_R_END_RETURN endgrent_r(GROUP_R_ENT_ARGS);
-#endif
-
-#if defined(NEED_INNETGR_R) && defined(NGR_R_RETURN)
-NGR_R_RETURN
-innetgr_r(const char *, const char *, const char *, const char *);
-#endif
-
-#ifdef NEED_SETNETGRENT_R
-#ifdef NGR_R_ENT_ARGS
-NGR_R_SET_RETURN setnetgrent_r(const char *netgroup, NGR_R_ENT_ARGS);
-#else
-NGR_R_SET_RETURN setnetgrent_r(const char *netgroup);
-#endif
-#endif
-
-#ifdef NEED_ENDNETGRENT_R
-#ifdef NGR_R_ENT_ARGS
-NGR_R_END_RETURN endnetgrent_r(NGR_R_ENT_ARGS);
-#else
-NGR_R_END_RETURN endnetgrent_r(void);
-#endif
-#endif
-
-#ifdef POSIX_GETPWNAM_R
-int
-__posix_getpwnam_r(const char *login, struct passwd *pwptr,
- char *buf, size_t buflen, struct passwd **result);
-#endif
-
-#ifdef NEED_GETPWNAM_R
-int
-getpwnam_r(const char *login, struct passwd *pwptr,
- char *buf, size_t buflen, struct passwd **result);
-#endif
-
-#ifdef POSIX_GETPWUID_R
-int
-__posix_getpwuid_r(uid_t uid, struct passwd *pwptr,
- char *buf, int buflen, struct passwd **result);
-#endif
-
-#ifdef NEED_GETPWUID_R
-int
-getpwuid_r(uid_t uid, struct passwd *pwptr,
- char *buf, size_t buflen, struct passwd **result);
-#endif
-
-#ifdef NEED_SETPWENT_R
-#ifdef PASS_R_ENT_ARGS
-PASS_R_SET_RETURN setpwent_r(PASS_R_ENT_ARGS);
-#else
-PASS_R_SET_RETURN setpwent_r(void);
-#endif
-
-#endif
-
-#ifdef NEED_SETPASSENT_R
-#ifdef PASS_R_ENT_ARGS
-PASS_R_SET_RETURN setpassent_r(int stayopen, PASS_R_ENT_ARGS);
-#else
-PASS_R_SET_RETURN setpassent_r(int stayopen);
-#endif
-#endif
-
-#ifdef NEED_GETPWENT_R
-PASS_R_RETURN getpwent_r(struct passwd *pwptr, PASS_R_ARGS);
-#endif
-
-#ifdef NEED_ENDPWENT_R
-void endpwent_r(void);
-#endif
-
-#ifdef NEED_SETPASSENT
-int setpassent(int stayopen);
-#endif
-
-#define gettimeofday isc__gettimeofday
-#ifdef NEED_GETTIMEOFDAY
-int isc__gettimeofday(struct timeval *tvp, struct _TIMEZONE *tzp);
-#else
-int isc__gettimeofday(struct timeval *tp, struct timezone *tzp);
-#endif
-
-int getnetgrent(char **machinep, char **userp, char **domainp);
-
-#ifdef NGR_R_ARGS
-int getnetgrent_r(char **machinep, char **userp, char **domainp, NGR_R_ARGS);
-#endif
-
-#ifdef SETNETGRENT_ARGS
-void setnetgrent(SETNETGRENT_ARGS);
-#else
-void setnetgrent(const char *netgroup);
-#endif
-
-void endnetgrent(void);
-
-#ifdef INNETGR_ARGS
-int innetgr(INNETGR_ARGS);
-#else
-int innetgr(const char *netgroup, const char *machine,
- const char *user, const char *domain);
-#endif
-
-#ifdef NGR_R_ENT_ARGS
-NGR_R_SET_RETURN
-setnetgrent_r(const char *netgroup, NGR_R_ENT_ARGS);
-#else
-NGR_R_SET_RETURN
-setnetgrent_r(const char *netgroup);
-#endif
-#endif
diff --git a/contrib/bind9/lib/bind/port_before.h.in b/contrib/bind9/lib/bind/port_before.h.in
deleted file mode 100644
index c754efd2b03a..000000000000
--- a/contrib/bind9/lib/bind/port_before.h.in
+++ /dev/null
@@ -1,146 +0,0 @@
-#ifndef port_before_h
-#define port_before_h
-#include <config.h>
-
-struct group; /* silence warning */
-struct passwd; /* silence warning */
-struct timeval; /* silence warning */
-struct timezone; /* silence warning */
-
-#ifdef HAVE_SYS_TIMERS_H
-#include <sys/timers.h>
-#endif
-#include <limits.h>
-
-
-@WANT_IRS_GR@
-@WANT_IRS_NIS@
-@WANT_IRS_PW@
-
-@BSD_COMP@
-@USE_POLL@
-@HAVE_MD5@
-@SOLARIS2@
-
-@DO_PTHREADS@
-@GETGROUPLIST_ARGS@
-@GETNETBYADDR_ADDR_T@
-@SETPWENT_VOID@
-@SETGRENT_VOID@
-
-@NET_R_ARGS@
-@NET_R_BAD@
-@NET_R_COPY@
-@NET_R_COPY_ARGS@
-@NET_R_END_RESULT@
-@NET_R_END_RETURN@
-@NET_R_ENT_ARGS@
-@NET_R_OK@
-@NET_R_RETURN@
-@NET_R_SET_RESULT@
-@NET_R_SETANSWER@
-@NET_R_SET_RETURN@
-@NETENT_DATA@
-
-@GROUP_R_RETURN@
-@GROUP_R_SET_RETURN@
-@GROUP_R_SET_RESULT@
-@GROUP_R_END_RETURN@
-@GROUP_R_END_RESULT@
-@GROUP_R_ARGS@
-@GROUP_R_ENT_ARGS@
-@GROUP_R_OK@
-@GROUP_R_BAD@
-
-@HOST_R_ARGS@
-@HOST_R_BAD@
-@HOST_R_COPY@
-@HOST_R_COPY_ARGS@
-@HOST_R_END_RESULT@
-@HOST_R_END_RETURN@
-@HOST_R_ENT_ARGS@
-@HOST_R_ERRNO@
-@HOST_R_OK@
-@HOST_R_RETURN@
-@HOST_R_SETANSWER@
-@HOST_R_SET_RESULT@
-@HOST_R_SET_RETURN@
-@HOSTENT_DATA@
-
-@NGR_R_ARGS@
-@NGR_R_BAD@
-@NGR_R_COPY@
-@NGR_R_COPY_ARGS@
-@NGR_R_END_RESULT@
-@NGR_R_END_RETURN@
-@NGR_R_ENT_ARGS@
-@NGR_R_OK@
-@NGR_R_RETURN@
-@NGR_R_SET_RESULT@
-@NGR_R_SET_RETURN@
-@NGR_R_PRIVATE@
-
-@PROTO_R_ARGS@
-@PROTO_R_BAD@
-@PROTO_R_COPY@
-@PROTO_R_COPY_ARGS@
-@PROTO_R_END_RESULT@
-@PROTO_R_END_RETURN@
-@PROTO_R_ENT_ARGS@
-@PROTO_R_OK@
-@PROTO_R_SETANSWER@
-@PROTO_R_RETURN@
-@PROTO_R_SET_RESULT@
-@PROTO_R_SET_RETURN@
-
-@PASS_R_ARGS@
-@PASS_R_BAD@
-@PASS_R_COPY@
-@PASS_R_COPY_ARGS@
-@PASS_R_END_RESULT@
-@PASS_R_END_RETURN@
-@PASS_R_ENT_ARGS@
-@PASS_R_OK@
-@PASS_R_RETURN@
-@PASS_R_SET_RESULT@
-@PASS_R_SET_RETURN@
-
-@SERV_R_ARGS@
-@SERV_R_BAD@
-@SERV_R_COPY@
-@SERV_R_COPY_ARGS@
-@SERV_R_END_RESULT@
-@SERV_R_END_RETURN@
-@SERV_R_ENT_ARGS@
-@SERV_R_OK@
-@SERV_R_SETANSWER@
-@SERV_R_RETURN@
-@SERV_R_SET_RESULT@
-@SERV_R_SET_RETURN@
-
-
-#define DE_CONST(konst, var) \
- do { \
- union { const void *k; void *v; } _u; \
- _u.k = konst; \
- var = _u.v; \
- } while (0)
-
-#define UNUSED(x) (x) = (x)
-
-@SOLARIS_BITTYPES@
-@ISC_SOCKLEN_T@
-
-#ifdef __GNUC__
-#define ISC_FORMAT_PRINTF(fmt, args) \
- __attribute__((__format__(__printf__, fmt, args)))
-#else
-#define ISC_FORMAT_PRINTF(fmt, args)
-#endif
-
-/* Pull in host order macros when _XOPEN_SOURCE_EXTENDED is defined. */
-#if defined(__hpux) && defined(_XOPEN_SOURCE_EXTENDED)
-#include <sys/byteorder.h>
-#endif
-
-#endif
diff --git a/contrib/bind9/lib/bind/resolv/Makefile.in b/contrib/bind9/lib/bind/resolv/Makefile.in
deleted file mode 100644
index a235fbc7a5e3..000000000000
--- a/contrib/bind9/lib/bind/resolv/Makefile.in
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3.206.3 2005/07/29 00:13:09 marka Exp $
-
-srcdir= @srcdir@
-VPATH = @srcdir@
-
-OBJS= herror.@O@ mtctxres.@O@ res_comp.@O@ res_data.@O@ res_debug.@O@ \
- res_findzonecut.@O@ res_init.@O@ res_mkquery.@O@ res_mkupdate.@O@ \
- res_query.@O@ res_send.@O@ res_sendsigned.@O@ res_update.@O@
-
-SRCS= herror.c mtctxres.c res_comp.c res_data.c res_debug.c \
- res_findzonecut.c res_init.c res_mkquery.c res_mkupdate.c \
- res_query.c res_send.c res_sendsigned.c res_update.c
-
-TARGETS= ${OBJS}
-
-CINCLUDES= -I.. -I${srcdir}/../include
-CWARNINGS=
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/resolv/herror.c b/contrib/bind9/lib/bind/resolv/herror.c
deleted file mode 100644
index 58807e9678e0..000000000000
--- a/contrib/bind9/lib/bind/resolv/herror.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)herror.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: herror.c,v 1.2.206.1 2004/03/09 08:33:54 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/uio.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-
-#include <netdb.h>
-#include <resolv.h>
-#include <string.h>
-#include <unistd.h>
-#include <irs.h>
-
-#include "port_after.h"
-
-const char *h_errlist[] = {
- "Resolver Error 0 (no error)",
- "Unknown host", /* 1 HOST_NOT_FOUND */
- "Host name lookup failure", /* 2 TRY_AGAIN */
- "Unknown server error", /* 3 NO_RECOVERY */
- "No address associated with name", /* 4 NO_ADDRESS */
-};
-int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
-
-#if !(__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
-#undef h_errno
-int h_errno;
-#endif
-
-/*
- * herror --
- * print the error indicated by the h_errno value.
- */
-void
-herror(const char *s) {
- struct iovec iov[4], *v = iov;
- char *t;
-
- if (s != NULL && *s != '\0') {
- DE_CONST(s, t);
- v->iov_base = t;
- v->iov_len = strlen(t);
- v++;
- DE_CONST(": ", t);
- v->iov_base = t;
- v->iov_len = 2;
- v++;
- }
- DE_CONST(hstrerror(*__h_errno()), t);
- v->iov_base = t;
- v->iov_len = strlen(v->iov_base);
- v++;
- DE_CONST("\n", t);
- v->iov_base = t;
- v->iov_len = 1;
- writev(STDERR_FILENO, iov, (v - iov) + 1);
-}
-
-/*
- * hstrerror --
- * return the string associated with a given "host" errno value.
- */
-const char *
-hstrerror(int err) {
- if (err < 0)
- return ("Resolver internal error");
- else if (err < h_nerr)
- return (h_errlist[err]);
- return ("Unknown resolver error");
-}
diff --git a/contrib/bind9/lib/bind/resolv/mtctxres.c b/contrib/bind9/lib/bind/resolv/mtctxres.c
deleted file mode 100644
index f33cf11e3f42..000000000000
--- a/contrib/bind9/lib/bind/resolv/mtctxres.c
+++ /dev/null
@@ -1,128 +0,0 @@
-#include <port_before.h>
-#ifdef DO_PTHREADS
-#include <pthread.h>
-#endif
-#include <errno.h>
-#include <netdb.h>
-#include <stdlib.h>
-#include <string.h>
-#include <resolv_mt.h>
-#include <irs.h>
-#include <port_after.h>
-
-#ifdef DO_PTHREADS
-static pthread_key_t key;
-static int mt_key_initialized = 0;
-
-static int __res_init_ctx(void);
-static void __res_destroy_ctx(void *);
-
-#if defined(sun) && !defined(__GNUC__)
-#pragma init (_mtctxres_init)
-#endif
-#endif
-
-static mtctxres_t sharedctx;
-
-#ifdef DO_PTHREADS
-/*
- * Initialize the TSD key. By doing this at library load time, we're
- * implicitly running without interference from other threads, so there's
- * no need for locking.
- */
-static void
-_mtctxres_init(void) {
- int pthread_keycreate_ret;
-
- pthread_keycreate_ret = pthread_key_create(&key, __res_destroy_ctx);
- if (pthread_keycreate_ret == 0)
- mt_key_initialized = 1;
-}
-#endif
-
-/*
- * To support binaries that used the private MT-safe interface in
- * Solaris 8, we still need to provide the __res_enable_mt()
- * and __res_disable_mt() entry points. They're do-nothing routines.
- */
-int
-__res_enable_mt(void) {
- return (-1);
-}
-
-int
-__res_disable_mt(void) {
- return (0);
-}
-
-#ifdef DO_PTHREADS
-static int
-__res_init_ctx(void) {
-
- mtctxres_t *mt;
- int ret;
-
-
- if (pthread_getspecific(key) != 0) {
- /* Already exists */
- return (0);
- }
-
- if ((mt = malloc(sizeof (mtctxres_t))) == 0) {
- errno = ENOMEM;
- return (-1);
- }
-
- memset(mt, 0, sizeof (mtctxres_t));
-
- if ((ret = pthread_setspecific(key, mt)) != 0) {
- free(mt);
- errno = ret;
- return (-1);
- }
-
- return (0);
-}
-
-static void
-__res_destroy_ctx(void *value) {
-
- mtctxres_t *mt = (mtctxres_t *)value;
-
- if (mt != 0)
- free(mt);
-}
-#endif
-
-mtctxres_t *
-___mtctxres(void) {
-#ifdef DO_PTHREADS
- mtctxres_t *mt;
-
- /*
- * This if clause should only be executed if we are linking
- * statically. When linked dynamically _mtctxres_init() should
- * be called at binding time due the #pragma above.
- */
- if (!mt_key_initialized) {
- static pthread_mutex_t keylock = PTHREAD_MUTEX_INITIALIZER;
- pthread_mutex_lock(&keylock);
- _mtctxres_init();
- pthread_mutex_unlock(&keylock);
- }
-
- /*
- * If we have already been called in this thread return the existing
- * context. Otherwise recreat a new context and return it. If
- * that fails return a global context.
- */
- if (mt_key_initialized) {
- if (((mt = pthread_getspecific(key)) != 0) ||
- (__res_init_ctx() == 0 &&
- (mt = pthread_getspecific(key)) != 0)) {
- return (mt);
- }
- }
-#endif
- return (&sharedctx);
-}
diff --git a/contrib/bind9/lib/bind/resolv/res_comp.c b/contrib/bind9/lib/bind/resolv/res_comp.c
deleted file mode 100644
index 8cc99a762884..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_comp.c
+++ /dev/null
@@ -1,263 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)res_comp.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_comp.c,v 1.1.2.1.4.2 2005/07/28 07:43:22 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-#include <sys/types.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <ctype.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include "port_after.h"
-
-/*
- * Expand compressed domain name 'src' to full domain name.
- * 'msg' is a pointer to the begining of the message,
- * 'eom' points to the first location after the message,
- * 'dst' is a pointer to a buffer of size 'dstsiz' for the result.
- * Return size of compressed name or -1 if there was an error.
- */
-int
-dn_expand(const u_char *msg, const u_char *eom, const u_char *src,
- char *dst, int dstsiz)
-{
- int n = ns_name_uncompress(msg, eom, src, dst, (size_t)dstsiz);
-
- if (n > 0 && dst[0] == '.')
- dst[0] = '\0';
- return (n);
-}
-
-/*
- * Pack domain name 'exp_dn' in presentation form into 'comp_dn'.
- * Return the size of the compressed name or -1.
- * 'length' is the size of the array pointed to by 'comp_dn'.
- */
-int
-dn_comp(const char *src, u_char *dst, int dstsiz,
- u_char **dnptrs, u_char **lastdnptr)
-{
- return (ns_name_compress(src, dst, (size_t)dstsiz,
- (const u_char **)dnptrs,
- (const u_char **)lastdnptr));
-}
-
-/*
- * Skip over a compressed domain name. Return the size or -1.
- */
-int
-dn_skipname(const u_char *ptr, const u_char *eom) {
- const u_char *saveptr = ptr;
-
- if (ns_name_skip(&ptr, eom) == -1)
- return (-1);
- return (ptr - saveptr);
-}
-
-/*
- * Verify that a domain name uses an acceptable character set.
- */
-
-/*
- * Note the conspicuous absence of ctype macros in these definitions. On
- * non-ASCII hosts, we can't depend on string literals or ctype macros to
- * tell us anything about network-format data. The rest of the BIND system
- * is not careful about this, but for some reason, we're doing it right here.
- */
-#define PERIOD 0x2e
-#define hyphenchar(c) ((c) == 0x2d)
-#define bslashchar(c) ((c) == 0x5c)
-#define periodchar(c) ((c) == PERIOD)
-#define asterchar(c) ((c) == 0x2a)
-#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
- || ((c) >= 0x61 && (c) <= 0x7a))
-#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
-
-#define borderchar(c) (alphachar(c) || digitchar(c))
-#define middlechar(c) (borderchar(c) || hyphenchar(c))
-#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
-
-int
-res_hnok(const char *dn) {
- int pch = PERIOD, ch = *dn++;
-
- while (ch != '\0') {
- int nch = *dn++;
-
- if (periodchar(ch)) {
- (void)NULL;
- } else if (periodchar(pch)) {
- if (!borderchar(ch))
- return (0);
- } else if (periodchar(nch) || nch == '\0') {
- if (!borderchar(ch))
- return (0);
- } else {
- if (!middlechar(ch))
- return (0);
- }
- pch = ch, ch = nch;
- }
- return (1);
-}
-
-/*
- * hostname-like (A, MX, WKS) owners can have "*" as their first label
- * but must otherwise be as a host name.
- */
-int
-res_ownok(const char *dn) {
- if (asterchar(dn[0])) {
- if (periodchar(dn[1]))
- return (res_hnok(dn+2));
- if (dn[1] == '\0')
- return (1);
- }
- return (res_hnok(dn));
-}
-
-/*
- * SOA RNAMEs and RP RNAMEs can have any printable character in their first
- * label, but the rest of the name has to look like a host name.
- */
-int
-res_mailok(const char *dn) {
- int ch, escaped = 0;
-
- /* "." is a valid missing representation */
- if (*dn == '\0')
- return (1);
-
- /* otherwise <label>.<hostname> */
- while ((ch = *dn++) != '\0') {
- if (!domainchar(ch))
- return (0);
- if (!escaped && periodchar(ch))
- break;
- if (escaped)
- escaped = 0;
- else if (bslashchar(ch))
- escaped = 1;
- }
- if (periodchar(ch))
- return (res_hnok(dn));
- return (0);
-}
-
-/*
- * This function is quite liberal, since RFC 1034's character sets are only
- * recommendations.
- */
-int
-res_dnok(const char *dn) {
- int ch;
-
- while ((ch = *dn++) != '\0')
- if (!domainchar(ch))
- return (0);
- return (1);
-}
-
-#ifdef BIND_4_COMPAT
-/*
- * This module must export the following externally-visible symbols:
- * ___putlong
- * ___putshort
- * __getlong
- * __getshort
- * Note that one _ comes from C and the others come from us.
- */
-
-#ifdef SOLARIS2
-#ifdef __putlong
-#undef __putlong
-#endif
-#ifdef __putshort
-#undef __putshort
-#endif
-#pragma weak putlong = __putlong
-#pragma weak putshort = __putshort
-#endif /* SOLARIS2 */
-
-void __putlong(u_int32_t src, u_char *dst) { ns_put32(src, dst); }
-void __putshort(u_int16_t src, u_char *dst) { ns_put16(src, dst); }
-#ifndef __ultrix__
-u_int32_t _getlong(const u_char *src) { return (ns_get32(src)); }
-u_int16_t _getshort(const u_char *src) { return (ns_get16(src)); }
-#endif /*__ultrix__*/
-#endif /*BIND_4_COMPAT*/
diff --git a/contrib/bind9/lib/bind/resolv/res_data.c b/contrib/bind9/lib/bind/resolv/res_data.c
deleted file mode 100644
index 204e03d685f4..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_data.c
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1995-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char rcsid[] = "$Id: res_data.c,v 1.1.206.2 2004/03/16 12:34:18 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <res_update.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "port_after.h"
-#undef _res
-
-const char *_res_opcodes[] = {
- "QUERY",
- "IQUERY",
- "CQUERYM",
- "CQUERYU", /* experimental */
- "NOTIFY", /* experimental */
- "UPDATE",
- "6",
- "7",
- "8",
- "9",
- "10",
- "11",
- "12",
- "13",
- "ZONEINIT",
- "ZONEREF",
-};
-
-#ifdef BIND_UPDATE
-const char *_res_sectioncodes[] = {
- "ZONE",
- "PREREQUISITES",
- "UPDATE",
- "ADDITIONAL",
-};
-#endif
-
-#ifndef __BIND_NOSTATIC
-struct __res_state _res
-# if defined(__BIND_RES_TEXT)
- = { RES_TIMEOUT, } /* Motorola, et al. */
-# endif
- ;
-
-/* Proto. */
-
-int res_ourserver_p(const res_state, const struct sockaddr_in *);
-
-int
-res_init(void) {
- extern int __res_vinit(res_state, int);
-
- /*
- * These three fields used to be statically initialized. This made
- * it hard to use this code in a shared library. It is necessary,
- * now that we're doing dynamic initialization here, that we preserve
- * the old semantics: if an application modifies one of these three
- * fields of _res before res_init() is called, res_init() will not
- * alter them. Of course, if an application is setting them to
- * _zero_ before calling res_init(), hoping to override what used
- * to be the static default, we can't detect it and unexpected results
- * will follow. Zero for any of these fields would make no sense,
- * so one can safely assume that the applications were already getting
- * unexpected results.
- *
- * _res.options is tricky since some apps were known to diddle the bits
- * before res_init() was first called. We can't replicate that semantic
- * with dynamic initialization (they may have turned bits off that are
- * set in RES_DEFAULT). Our solution is to declare such applications
- * "broken". They could fool us by setting RES_INIT but none do (yet).
- */
- if (!_res.retrans)
- _res.retrans = RES_TIMEOUT;
- if (!_res.retry)
- _res.retry = 4;
- if (!(_res.options & RES_INIT))
- _res.options = RES_DEFAULT;
-
- /*
- * This one used to initialize implicitly to zero, so unless the app
- * has set it to something in particular, we can randomize it now.
- */
- if (!_res.id)
- _res.id = res_randomid();
-
- return (__res_vinit(&_res, 1));
-}
-
-void
-p_query(const u_char *msg) {
- fp_query(msg, stdout);
-}
-
-void
-fp_query(const u_char *msg, FILE *file) {
- fp_nquery(msg, PACKETSZ, file);
-}
-
-void
-fp_nquery(const u_char *msg, int len, FILE *file) {
- if ((_res.options & RES_INIT) == 0U && res_init() == -1)
- return;
-
- res_pquery(&_res, msg, len, file);
-}
-
-int
-res_mkquery(int op, /* opcode of query */
- const char *dname, /* domain name */
- int class, int type, /* class and type of query */
- const u_char *data, /* resource record data */
- int datalen, /* length of data */
- const u_char *newrr_in, /* new rr for modify or append */
- u_char *buf, /* buffer to put query */
- int buflen) /* size of buffer */
-{
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
- return (-1);
- }
- return (res_nmkquery(&_res, op, dname, class, type,
- data, datalen,
- newrr_in, buf, buflen));
-}
-
-int
-res_mkupdate(ns_updrec *rrecp_in, u_char *buf, int buflen) {
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
- return (-1);
- }
-
- return (res_nmkupdate(&_res, rrecp_in, buf, buflen));
-}
-
-int
-res_query(const char *name, /* domain name */
- int class, int type, /* class and type of query */
- u_char *answer, /* buffer to put answer */
- int anslen) /* size of answer buffer */
-{
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
- return (-1);
- }
- return (res_nquery(&_res, name, class, type, answer, anslen));
-}
-
-void
-res_send_setqhook(res_send_qhook hook) {
- _res.qhook = hook;
-}
-
-void
-res_send_setrhook(res_send_rhook hook) {
- _res.rhook = hook;
-}
-
-int
-res_isourserver(const struct sockaddr_in *inp) {
- return (res_ourserver_p(&_res, inp));
-}
-
-int
-res_send(const u_char *buf, int buflen, u_char *ans, int anssiz) {
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- /* errno should have been set by res_init() in this case. */
- return (-1);
- }
-
- return (res_nsend(&_res, buf, buflen, ans, anssiz));
-}
-
-int
-res_sendsigned(const u_char *buf, int buflen, ns_tsig_key *key,
- u_char *ans, int anssiz)
-{
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- /* errno should have been set by res_init() in this case. */
- return (-1);
- }
-
- return (res_nsendsigned(&_res, buf, buflen, key, ans, anssiz));
-}
-
-void
-res_close(void) {
- res_nclose(&_res);
-}
-
-int
-res_update(ns_updrec *rrecp_in) {
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
- return (-1);
- }
-
- return (res_nupdate(&_res, rrecp_in, NULL));
-}
-
-int
-res_search(const char *name, /* domain name */
- int class, int type, /* class and type of query */
- u_char *answer, /* buffer to put answer */
- int anslen) /* size of answer */
-{
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
- return (-1);
- }
-
- return (res_nsearch(&_res, name, class, type, answer, anslen));
-}
-
-int
-res_querydomain(const char *name,
- const char *domain,
- int class, int type, /* class and type of query */
- u_char *answer, /* buffer to put answer */
- int anslen) /* size of answer */
-{
- if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
- RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
- return (-1);
- }
-
- return (res_nquerydomain(&_res, name, domain,
- class, type,
- answer, anslen));
-}
-
-const char *
-hostalias(const char *name) {
- static char abuf[MAXDNAME];
-
- return (res_hostalias(&_res, name, abuf, sizeof abuf));
-}
-
-#ifdef ultrix
-int
-local_hostname_length(const char *hostname) {
- int len_host, len_domain;
-
- if (!*_res.defdname)
- res_init();
- len_host = strlen(hostname);
- len_domain = strlen(_res.defdname);
- if (len_host > len_domain &&
- !strcasecmp(hostname + len_host - len_domain, _res.defdname) &&
- hostname[len_host - len_domain - 1] == '.')
- return (len_host - len_domain - 1);
- return (0);
-}
-#endif /*ultrix*/
-
-#endif
diff --git a/contrib/bind9/lib/bind/resolv/res_debug.c b/contrib/bind9/lib/bind/resolv/res_debug.c
deleted file mode 100644
index 8dda12c5e81c..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_debug.c
+++ /dev/null
@@ -1,1163 +0,0 @@
-/*
- * Copyright (c) 1985
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1995 by International Business Machines, Inc.
- *
- * International Business Machines, Inc. (hereinafter called IBM) grants
- * permission under its copyrights to use, copy, modify, and distribute this
- * Software with or without fee, provided that the above copyright notice and
- * all paragraphs of this notice appear in all copies, and that the name of IBM
- * not be used in connection with the marketing of any product incorporating
- * the Software or modifications thereof, without specific, written prior
- * permission.
- *
- * To the extent it has a right to do so, IBM grants an immunity from suit
- * under its patents, if any, for the use, sale or manufacture of products to
- * the extent that such products are used for performing Domain Name System
- * dynamic updates in TCP/IP networks by means of the Software. No immunity is
- * granted for any product per se or for any other function of any product.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
- * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
- * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
- * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
- * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)res_debug.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_debug.c,v 1.3.2.5.4.6 2005/07/28 07:43:22 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <math.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <resolv_mt.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#include "port_after.h"
-
-#ifdef SPRINTF_CHAR
-# define SPRINTF(x) strlen(sprintf/**/x)
-#else
-# define SPRINTF(x) sprintf x
-#endif
-
-extern const char *_res_opcodes[];
-extern const char *_res_sectioncodes[];
-
-/*
- * Print the current options.
- */
-void
-fp_resstat(const res_state statp, FILE *file) {
- u_long mask;
-
- fprintf(file, ";; res options:");
- for (mask = 1; mask != 0U; mask <<= 1)
- if (statp->options & mask)
- fprintf(file, " %s", p_option(mask));
- putc('\n', file);
-}
-
-static void
-do_section(const res_state statp,
- ns_msg *handle, ns_sect section,
- int pflag, FILE *file)
-{
- int n, sflag, rrnum;
- static int buflen = 2048;
- char *buf;
- ns_opcode opcode;
- ns_rr rr;
-
- /*
- * Print answer records.
- */
- sflag = (statp->pfcode & pflag);
- if (statp->pfcode && !sflag)
- return;
-
- buf = malloc(buflen);
- if (buf == NULL) {
- fprintf(file, ";; memory allocation failure\n");
- return;
- }
-
- opcode = (ns_opcode) ns_msg_getflag(*handle, ns_f_opcode);
- rrnum = 0;
- for (;;) {
- if (ns_parserr(handle, section, rrnum, &rr)) {
- if (errno != ENODEV)
- fprintf(file, ";; ns_parserr: %s\n",
- strerror(errno));
- else if (rrnum > 0 && sflag != 0 &&
- (statp->pfcode & RES_PRF_HEAD1))
- putc('\n', file);
- goto cleanup;
- }
- if (rrnum == 0 && sflag != 0 && (statp->pfcode & RES_PRF_HEAD1))
- fprintf(file, ";; %s SECTION:\n",
- p_section(section, opcode));
- if (section == ns_s_qd)
- fprintf(file, ";;\t%s, type = %s, class = %s\n",
- ns_rr_name(rr),
- p_type(ns_rr_type(rr)),
- p_class(ns_rr_class(rr)));
- else if (section == ns_s_ar && ns_rr_type(rr) == ns_t_opt) {
- u_int32_t ttl = ns_rr_ttl(rr);
- fprintf(file,
- "; EDNS: version: %u, udp=%u, flags=%04x\n",
- (ttl>>16)&0xff, ns_rr_class(rr), ttl&0xffff);
- } else {
- n = ns_sprintrr(handle, &rr, NULL, NULL,
- buf, buflen);
- if (n < 0) {
- if (errno == ENOSPC) {
- free(buf);
- buf = NULL;
- if (buflen < 131072)
- buf = malloc(buflen += 1024);
- if (buf == NULL) {
- fprintf(file,
- ";; memory allocation failure\n");
- return;
- }
- continue;
- }
- fprintf(file, ";; ns_sprintrr: %s\n",
- strerror(errno));
- goto cleanup;
- }
- fputs(buf, file);
- fputc('\n', file);
- }
- rrnum++;
- }
- cleanup:
- if (buf != NULL)
- free(buf);
-}
-
-/*
- * Print the contents of a query.
- * This is intended to be primarily a debugging routine.
- */
-void
-res_pquery(const res_state statp, const u_char *msg, int len, FILE *file) {
- ns_msg handle;
- int qdcount, ancount, nscount, arcount;
- u_int opcode, rcode, id;
-
- if (ns_initparse(msg, len, &handle) < 0) {
- fprintf(file, ";; ns_initparse: %s\n", strerror(errno));
- return;
- }
- opcode = ns_msg_getflag(handle, ns_f_opcode);
- rcode = ns_msg_getflag(handle, ns_f_rcode);
- id = ns_msg_id(handle);
- qdcount = ns_msg_count(handle, ns_s_qd);
- ancount = ns_msg_count(handle, ns_s_an);
- nscount = ns_msg_count(handle, ns_s_ns);
- arcount = ns_msg_count(handle, ns_s_ar);
-
- /*
- * Print header fields.
- */
- if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEADX) || rcode)
- fprintf(file,
- ";; ->>HEADER<<- opcode: %s, status: %s, id: %d\n",
- _res_opcodes[opcode], p_rcode(rcode), id);
- if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEADX))
- putc(';', file);
- if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEAD2)) {
- fprintf(file, "; flags:");
- if (ns_msg_getflag(handle, ns_f_qr))
- fprintf(file, " qr");
- if (ns_msg_getflag(handle, ns_f_aa))
- fprintf(file, " aa");
- if (ns_msg_getflag(handle, ns_f_tc))
- fprintf(file, " tc");
- if (ns_msg_getflag(handle, ns_f_rd))
- fprintf(file, " rd");
- if (ns_msg_getflag(handle, ns_f_ra))
- fprintf(file, " ra");
- if (ns_msg_getflag(handle, ns_f_z))
- fprintf(file, " ??");
- if (ns_msg_getflag(handle, ns_f_ad))
- fprintf(file, " ad");
- if (ns_msg_getflag(handle, ns_f_cd))
- fprintf(file, " cd");
- }
- if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEAD1)) {
- fprintf(file, "; %s: %d",
- p_section(ns_s_qd, opcode), qdcount);
- fprintf(file, ", %s: %d",
- p_section(ns_s_an, opcode), ancount);
- fprintf(file, ", %s: %d",
- p_section(ns_s_ns, opcode), nscount);
- fprintf(file, ", %s: %d",
- p_section(ns_s_ar, opcode), arcount);
- }
- if ((!statp->pfcode) || (statp->pfcode &
- (RES_PRF_HEADX | RES_PRF_HEAD2 | RES_PRF_HEAD1))) {
- putc('\n',file);
- }
- /*
- * Print the various sections.
- */
- do_section(statp, &handle, ns_s_qd, RES_PRF_QUES, file);
- do_section(statp, &handle, ns_s_an, RES_PRF_ANS, file);
- do_section(statp, &handle, ns_s_ns, RES_PRF_AUTH, file);
- do_section(statp, &handle, ns_s_ar, RES_PRF_ADD, file);
- if (qdcount == 0 && ancount == 0 &&
- nscount == 0 && arcount == 0)
- putc('\n', file);
-}
-
-const u_char *
-p_cdnname(const u_char *cp, const u_char *msg, int len, FILE *file) {
- char name[MAXDNAME];
- int n;
-
- if ((n = dn_expand(msg, msg + len, cp, name, sizeof name)) < 0)
- return (NULL);
- if (name[0] == '\0')
- putc('.', file);
- else
- fputs(name, file);
- return (cp + n);
-}
-
-const u_char *
-p_cdname(const u_char *cp, const u_char *msg, FILE *file) {
- return (p_cdnname(cp, msg, PACKETSZ, file));
-}
-
-/* Return a fully-qualified domain name from a compressed name (with
- length supplied). */
-
-const u_char *
-p_fqnname(cp, msg, msglen, name, namelen)
- const u_char *cp, *msg;
- int msglen;
- char *name;
- int namelen;
-{
- int n, newlen;
-
- if ((n = dn_expand(msg, cp + msglen, cp, name, namelen)) < 0)
- return (NULL);
- newlen = strlen(name);
- if (newlen == 0 || name[newlen - 1] != '.') {
- if (newlen + 1 >= namelen) /* Lack space for final dot */
- return (NULL);
- else
- strcpy(name + newlen, ".");
- }
- return (cp + n);
-}
-
-/* XXX: the rest of these functions need to become length-limited, too. */
-
-const u_char *
-p_fqname(const u_char *cp, const u_char *msg, FILE *file) {
- char name[MAXDNAME];
- const u_char *n;
-
- n = p_fqnname(cp, msg, MAXCDNAME, name, sizeof name);
- if (n == NULL)
- return (NULL);
- fputs(name, file);
- return (n);
-}
-
-/*
- * Names of RR classes and qclasses. Classes and qclasses are the same, except
- * that C_ANY is a qclass but not a class. (You can ask for records of class
- * C_ANY, but you can't have any records of that class in the database.)
- */
-const struct res_sym __p_class_syms[] = {
- {C_IN, "IN", (char *)0},
- {C_CHAOS, "CH", (char *)0},
- {C_CHAOS, "CHAOS", (char *)0},
- {C_HS, "HS", (char *)0},
- {C_HS, "HESIOD", (char *)0},
- {C_ANY, "ANY", (char *)0},
- {C_NONE, "NONE", (char *)0},
- {C_IN, (char *)0, (char *)0}
-};
-
-/*
- * Names of message sections.
- */
-const struct res_sym __p_default_section_syms[] = {
- {ns_s_qd, "QUERY", (char *)0},
- {ns_s_an, "ANSWER", (char *)0},
- {ns_s_ns, "AUTHORITY", (char *)0},
- {ns_s_ar, "ADDITIONAL", (char *)0},
- {0, (char *)0, (char *)0}
-};
-
-const struct res_sym __p_update_section_syms[] = {
- {S_ZONE, "ZONE", (char *)0},
- {S_PREREQ, "PREREQUISITE", (char *)0},
- {S_UPDATE, "UPDATE", (char *)0},
- {S_ADDT, "ADDITIONAL", (char *)0},
- {0, (char *)0, (char *)0}
-};
-
-const struct res_sym __p_key_syms[] = {
- {NS_ALG_MD5RSA, "RSA", "RSA KEY with MD5 hash"},
- {NS_ALG_DH, "DH", "Diffie Hellman"},
- {NS_ALG_DSA, "DSA", "Digital Signature Algorithm"},
- {NS_ALG_EXPIRE_ONLY, "EXPIREONLY", "No algorithm"},
- {NS_ALG_PRIVATE_OID, "PRIVATE", "Algorithm obtained from OID"},
- {0, NULL, NULL}
-};
-
-const struct res_sym __p_cert_syms[] = {
- {cert_t_pkix, "PKIX", "PKIX (X.509v3) Certificate"},
- {cert_t_spki, "SPKI", "SPKI certificate"},
- {cert_t_pgp, "PGP", "PGP certificate"},
- {cert_t_url, "URL", "URL Private"},
- {cert_t_oid, "OID", "OID Private"},
- {0, NULL, NULL}
-};
-
-/*
- * Names of RR types and qtypes. Types and qtypes are the same, except
- * that T_ANY is a qtype but not a type. (You can ask for records of type
- * T_ANY, but you can't have any records of that type in the database.)
- */
-const struct res_sym __p_type_syms[] = {
- {ns_t_a, "A", "address"},
- {ns_t_ns, "NS", "name server"},
- {ns_t_md, "MD", "mail destination (deprecated)"},
- {ns_t_mf, "MF", "mail forwarder (deprecated)"},
- {ns_t_cname, "CNAME", "canonical name"},
- {ns_t_soa, "SOA", "start of authority"},
- {ns_t_mb, "MB", "mailbox"},
- {ns_t_mg, "MG", "mail group member"},
- {ns_t_mr, "MR", "mail rename"},
- {ns_t_null, "NULL", "null"},
- {ns_t_wks, "WKS", "well-known service (deprecated)"},
- {ns_t_ptr, "PTR", "domain name pointer"},
- {ns_t_hinfo, "HINFO", "host information"},
- {ns_t_minfo, "MINFO", "mailbox information"},
- {ns_t_mx, "MX", "mail exchanger"},
- {ns_t_txt, "TXT", "text"},
- {ns_t_rp, "RP", "responsible person"},
- {ns_t_afsdb, "AFSDB", "DCE or AFS server"},
- {ns_t_x25, "X25", "X25 address"},
- {ns_t_isdn, "ISDN", "ISDN address"},
- {ns_t_rt, "RT", "router"},
- {ns_t_nsap, "NSAP", "nsap address"},
- {ns_t_nsap_ptr, "NSAP_PTR", "domain name pointer"},
- {ns_t_sig, "SIG", "signature"},
- {ns_t_key, "KEY", "key"},
- {ns_t_px, "PX", "mapping information"},
- {ns_t_gpos, "GPOS", "geographical position (withdrawn)"},
- {ns_t_aaaa, "AAAA", "IPv6 address"},
- {ns_t_loc, "LOC", "location"},
- {ns_t_nxt, "NXT", "next valid name (unimplemented)"},
- {ns_t_eid, "EID", "endpoint identifier (unimplemented)"},
- {ns_t_nimloc, "NIMLOC", "NIMROD locator (unimplemented)"},
- {ns_t_srv, "SRV", "server selection"},
- {ns_t_atma, "ATMA", "ATM address (unimplemented)"},
- {ns_t_tkey, "TKEY", "tkey"},
- {ns_t_tsig, "TSIG", "transaction signature"},
- {ns_t_ixfr, "IXFR", "incremental zone transfer"},
- {ns_t_axfr, "AXFR", "zone transfer"},
- {ns_t_zxfr, "ZXFR", "compressed zone transfer"},
- {ns_t_mailb, "MAILB", "mailbox-related data (deprecated)"},
- {ns_t_maila, "MAILA", "mail agent (deprecated)"},
- {ns_t_naptr, "NAPTR", "URN Naming Authority"},
- {ns_t_kx, "KX", "Key Exchange"},
- {ns_t_cert, "CERT", "Certificate"},
- {ns_t_a6, "A6", "IPv6 Address"},
- {ns_t_dname, "DNAME", "dname"},
- {ns_t_sink, "SINK", "Kitchen Sink (experimental)"},
- {ns_t_opt, "OPT", "EDNS Options"},
- {ns_t_any, "ANY", "\"any\""},
- {0, NULL, NULL}
-};
-
-/*
- * Names of DNS rcodes.
- */
-const struct res_sym __p_rcode_syms[] = {
- {ns_r_noerror, "NOERROR", "no error"},
- {ns_r_formerr, "FORMERR", "format error"},
- {ns_r_servfail, "SERVFAIL", "server failed"},
- {ns_r_nxdomain, "NXDOMAIN", "no such domain name"},
- {ns_r_notimpl, "NOTIMP", "not implemented"},
- {ns_r_refused, "REFUSED", "refused"},
- {ns_r_yxdomain, "YXDOMAIN", "domain name exists"},
- {ns_r_yxrrset, "YXRRSET", "rrset exists"},
- {ns_r_nxrrset, "NXRRSET", "rrset doesn't exist"},
- {ns_r_notauth, "NOTAUTH", "not authoritative"},
- {ns_r_notzone, "NOTZONE", "Not in zone"},
- {ns_r_max, "", ""},
- {ns_r_badsig, "BADSIG", "bad signature"},
- {ns_r_badkey, "BADKEY", "bad key"},
- {ns_r_badtime, "BADTIME", "bad time"},
- {0, NULL, NULL}
-};
-
-int
-sym_ston(const struct res_sym *syms, const char *name, int *success) {
- for ((void)NULL; syms->name != 0; syms++) {
- if (strcasecmp (name, syms->name) == 0) {
- if (success)
- *success = 1;
- return (syms->number);
- }
- }
- if (success)
- *success = 0;
- return (syms->number); /* The default value. */
-}
-
-const char *
-sym_ntos(const struct res_sym *syms, int number, int *success) {
- char *unname = sym_ntos_unname;
-
- for ((void)NULL; syms->name != 0; syms++) {
- if (number == syms->number) {
- if (success)
- *success = 1;
- return (syms->name);
- }
- }
-
- sprintf(unname, "%d", number); /* XXX nonreentrant */
- if (success)
- *success = 0;
- return (unname);
-}
-
-const char *
-sym_ntop(const struct res_sym *syms, int number, int *success) {
- char *unname = sym_ntop_unname;
-
- for ((void)NULL; syms->name != 0; syms++) {
- if (number == syms->number) {
- if (success)
- *success = 1;
- return (syms->humanname);
- }
- }
- sprintf(unname, "%d", number); /* XXX nonreentrant */
- if (success)
- *success = 0;
- return (unname);
-}
-
-/*
- * Return a string for the type.
- */
-const char *
-p_type(int type) {
- int success;
- const char *result;
- static char typebuf[20];
-
- result = sym_ntos(__p_type_syms, type, &success);
- if (success)
- return (result);
- if (type < 0 || type > 0xffff)
- return ("BADTYPE");
- sprintf(typebuf, "TYPE%d", type);
- return (typebuf);
-}
-
-/*
- * Return a string for the type.
- */
-const char *
-p_section(int section, int opcode) {
- const struct res_sym *symbols;
-
- switch (opcode) {
- case ns_o_update:
- symbols = __p_update_section_syms;
- break;
- default:
- symbols = __p_default_section_syms;
- break;
- }
- return (sym_ntos(symbols, section, (int *)0));
-}
-
-/*
- * Return a mnemonic for class.
- */
-const char *
-p_class(int class) {
- int success;
- const char *result;
- static char classbuf[20];
-
- result = sym_ntos(__p_class_syms, class, &success);
- if (success)
- return (result);
- if (class < 0 || class > 0xffff)
- return ("BADCLASS");
- sprintf(classbuf, "CLASS%d", class);
- return (classbuf);
-}
-
-/*
- * Return a mnemonic for an option
- */
-const char *
-p_option(u_long option) {
- char *nbuf = p_option_nbuf;
-
- switch (option) {
- case RES_INIT: return "init";
- case RES_DEBUG: return "debug";
- case RES_AAONLY: return "aaonly(unimpl)";
- case RES_USEVC: return "usevc";
- case RES_PRIMARY: return "primry(unimpl)";
- case RES_IGNTC: return "igntc";
- case RES_RECURSE: return "recurs";
- case RES_DEFNAMES: return "defnam";
- case RES_STAYOPEN: return "styopn";
- case RES_DNSRCH: return "dnsrch";
- case RES_INSECURE1: return "insecure1";
- case RES_INSECURE2: return "insecure2";
- case RES_NOALIASES: return "noaliases";
- case RES_USE_INET6: return "inet6";
-#ifdef RES_USE_EDNS0 /* KAME extension */
- case RES_USE_EDNS0: return "edns0";
-#endif
-#ifdef RES_USE_DNAME
- case RES_USE_DNAME: return "dname";
-#endif
-#ifdef RES_USE_DNSSEC
- case RES_USE_DNSSEC: return "dnssec";
-#endif
-#ifdef RES_NOTLDQUERY
- case RES_NOTLDQUERY: return "no-tld-query";
-#endif
-#ifdef RES_NO_NIBBLE2
- case RES_NO_NIBBLE2: return "no-nibble2";
-#endif
- /* XXX nonreentrant */
- default: sprintf(nbuf, "?0x%lx?", (u_long)option);
- return (nbuf);
- }
-}
-
-/*
- * Return a mnemonic for a time to live.
- */
-const char *
-p_time(u_int32_t value) {
- char *nbuf = p_time_nbuf;
-
- if (ns_format_ttl(value, nbuf, sizeof nbuf) < 0)
- sprintf(nbuf, "%u", value);
- return (nbuf);
-}
-
-/*
- * Return a string for the rcode.
- */
-const char *
-p_rcode(int rcode) {
- return (sym_ntos(__p_rcode_syms, rcode, (int *)0));
-}
-
-/*
- * Return a string for a res_sockaddr_union.
- */
-const char *
-p_sockun(union res_sockaddr_union u, char *buf, size_t size) {
- char ret[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:123.123.123.123"];
-
- switch (u.sin.sin_family) {
- case AF_INET:
- inet_ntop(AF_INET, &u.sin.sin_addr, ret, sizeof ret);
- break;
-#ifdef HAS_INET6_STRUCTS
- case AF_INET6:
- inet_ntop(AF_INET6, &u.sin6.sin6_addr, ret, sizeof ret);
- break;
-#endif
- default:
- sprintf(ret, "[af%d]", u.sin.sin_family);
- break;
- }
- if (size > 0U) {
- strncpy(buf, ret, size - 1);
- buf[size - 1] = '0';
- }
- return (buf);
-}
-
-/*
- * routines to convert between on-the-wire RR format and zone file format.
- * Does not contain conversion to/from decimal degrees; divide or multiply
- * by 60*60*1000 for that.
- */
-
-static unsigned int poweroften[10] = {1, 10, 100, 1000, 10000, 100000,
- 1000000,10000000,100000000,1000000000};
-
-/* takes an XeY precision/size value, returns a string representation. */
-static const char *
-precsize_ntoa(prec)
- u_int8_t prec;
-{
- char *retbuf = precsize_ntoa_retbuf;
- unsigned long val;
- int mantissa, exponent;
-
- mantissa = (int)((prec >> 4) & 0x0f) % 10;
- exponent = (int)((prec >> 0) & 0x0f) % 10;
-
- val = mantissa * poweroften[exponent];
-
- (void) sprintf(retbuf, "%lu.%.2lu", val/100, val%100);
- return (retbuf);
-}
-
-/* converts ascii size/precision X * 10**Y(cm) to 0xXY. moves pointer. */
-static u_int8_t
-precsize_aton(const char **strptr) {
- unsigned int mval = 0, cmval = 0;
- u_int8_t retval = 0;
- const char *cp;
- int exponent;
- int mantissa;
-
- cp = *strptr;
-
- while (isdigit((unsigned char)*cp))
- mval = mval * 10 + (*cp++ - '0');
-
- if (*cp == '.') { /* centimeters */
- cp++;
- if (isdigit((unsigned char)*cp)) {
- cmval = (*cp++ - '0') * 10;
- if (isdigit((unsigned char)*cp)) {
- cmval += (*cp++ - '0');
- }
- }
- }
- cmval = (mval * 100) + cmval;
-
- for (exponent = 0; exponent < 9; exponent++)
- if (cmval < poweroften[exponent+1])
- break;
-
- mantissa = cmval / poweroften[exponent];
- if (mantissa > 9)
- mantissa = 9;
-
- retval = (mantissa << 4) | exponent;
-
- *strptr = cp;
-
- return (retval);
-}
-
-/* converts ascii lat/lon to unsigned encoded 32-bit number. moves pointer. */
-static u_int32_t
-latlon2ul(const char **latlonstrptr, int *which) {
- const char *cp;
- u_int32_t retval;
- int deg = 0, min = 0, secs = 0, secsfrac = 0;
-
- cp = *latlonstrptr;
-
- while (isdigit((unsigned char)*cp))
- deg = deg * 10 + (*cp++ - '0');
-
- while (isspace((unsigned char)*cp))
- cp++;
-
- if (!(isdigit((unsigned char)*cp)))
- goto fndhemi;
-
- while (isdigit((unsigned char)*cp))
- min = min * 10 + (*cp++ - '0');
-
- while (isspace((unsigned char)*cp))
- cp++;
-
- if (!(isdigit((unsigned char)*cp)))
- goto fndhemi;
-
- while (isdigit((unsigned char)*cp))
- secs = secs * 10 + (*cp++ - '0');
-
- if (*cp == '.') { /* decimal seconds */
- cp++;
- if (isdigit((unsigned char)*cp)) {
- secsfrac = (*cp++ - '0') * 100;
- if (isdigit((unsigned char)*cp)) {
- secsfrac += (*cp++ - '0') * 10;
- if (isdigit((unsigned char)*cp)) {
- secsfrac += (*cp++ - '0');
- }
- }
- }
- }
-
- while (!isspace((unsigned char)*cp)) /* if any trailing garbage */
- cp++;
-
- while (isspace((unsigned char)*cp))
- cp++;
-
- fndhemi:
- switch (*cp) {
- case 'N': case 'n':
- case 'E': case 'e':
- retval = ((unsigned)1<<31)
- + (((((deg * 60) + min) * 60) + secs) * 1000)
- + secsfrac;
- break;
- case 'S': case 's':
- case 'W': case 'w':
- retval = ((unsigned)1<<31)
- - (((((deg * 60) + min) * 60) + secs) * 1000)
- - secsfrac;
- break;
- default:
- retval = 0; /* invalid value -- indicates error */
- break;
- }
-
- switch (*cp) {
- case 'N': case 'n':
- case 'S': case 's':
- *which = 1; /* latitude */
- break;
- case 'E': case 'e':
- case 'W': case 'w':
- *which = 2; /* longitude */
- break;
- default:
- *which = 0; /* error */
- break;
- }
-
- cp++; /* skip the hemisphere */
-
- while (!isspace((unsigned char)*cp)) /* if any trailing garbage */
- cp++;
-
- while (isspace((unsigned char)*cp)) /* move to next field */
- cp++;
-
- *latlonstrptr = cp;
-
- return (retval);
-}
-
-/* converts a zone file representation in a string to an RDATA on-the-wire
- * representation. */
-int
-loc_aton(ascii, binary)
- const char *ascii;
- u_char *binary;
-{
- const char *cp, *maxcp;
- u_char *bcp;
-
- u_int32_t latit = 0, longit = 0, alt = 0;
- u_int32_t lltemp1 = 0, lltemp2 = 0;
- int altmeters = 0, altfrac = 0, altsign = 1;
- u_int8_t hp = 0x16; /* default = 1e6 cm = 10000.00m = 10km */
- u_int8_t vp = 0x13; /* default = 1e3 cm = 10.00m */
- u_int8_t siz = 0x12; /* default = 1e2 cm = 1.00m */
- int which1 = 0, which2 = 0;
-
- cp = ascii;
- maxcp = cp + strlen(ascii);
-
- lltemp1 = latlon2ul(&cp, &which1);
-
- lltemp2 = latlon2ul(&cp, &which2);
-
- switch (which1 + which2) {
- case 3: /* 1 + 2, the only valid combination */
- if ((which1 == 1) && (which2 == 2)) { /* normal case */
- latit = lltemp1;
- longit = lltemp2;
- } else if ((which1 == 2) && (which2 == 1)) { /* reversed */
- longit = lltemp1;
- latit = lltemp2;
- } else { /* some kind of brokenness */
- return (0);
- }
- break;
- default: /* we didn't get one of each */
- return (0);
- }
-
- /* altitude */
- if (*cp == '-') {
- altsign = -1;
- cp++;
- }
-
- if (*cp == '+')
- cp++;
-
- while (isdigit((unsigned char)*cp))
- altmeters = altmeters * 10 + (*cp++ - '0');
-
- if (*cp == '.') { /* decimal meters */
- cp++;
- if (isdigit((unsigned char)*cp)) {
- altfrac = (*cp++ - '0') * 10;
- if (isdigit((unsigned char)*cp)) {
- altfrac += (*cp++ - '0');
- }
- }
- }
-
- alt = (10000000 + (altsign * (altmeters * 100 + altfrac)));
-
- while (!isspace((unsigned char)*cp) && (cp < maxcp)) /* if trailing garbage or m */
- cp++;
-
- while (isspace((unsigned char)*cp) && (cp < maxcp))
- cp++;
-
- if (cp >= maxcp)
- goto defaults;
-
- siz = precsize_aton(&cp);
-
- while (!isspace((unsigned char)*cp) && (cp < maxcp)) /* if trailing garbage or m */
- cp++;
-
- while (isspace((unsigned char)*cp) && (cp < maxcp))
- cp++;
-
- if (cp >= maxcp)
- goto defaults;
-
- hp = precsize_aton(&cp);
-
- while (!isspace((unsigned char)*cp) && (cp < maxcp)) /* if trailing garbage or m */
- cp++;
-
- while (isspace((unsigned char)*cp) && (cp < maxcp))
- cp++;
-
- if (cp >= maxcp)
- goto defaults;
-
- vp = precsize_aton(&cp);
-
- defaults:
-
- bcp = binary;
- *bcp++ = (u_int8_t) 0; /* version byte */
- *bcp++ = siz;
- *bcp++ = hp;
- *bcp++ = vp;
- PUTLONG(latit,bcp);
- PUTLONG(longit,bcp);
- PUTLONG(alt,bcp);
-
- return (16); /* size of RR in octets */
-}
-
-/* takes an on-the-wire LOC RR and formats it in a human readable format. */
-const char *
-loc_ntoa(binary, ascii)
- const u_char *binary;
- char *ascii;
-{
- static const char *error = "?";
- static char tmpbuf[sizeof
-"1000 60 60.000 N 1000 60 60.000 W -12345678.00m 90000000.00m 90000000.00m 90000000.00m"];
- const u_char *cp = binary;
-
- int latdeg, latmin, latsec, latsecfrac;
- int longdeg, longmin, longsec, longsecfrac;
- char northsouth, eastwest;
- const char *altsign;
- int altmeters, altfrac;
-
- const u_int32_t referencealt = 100000 * 100;
-
- int32_t latval, longval, altval;
- u_int32_t templ;
- u_int8_t sizeval, hpval, vpval, versionval;
-
- char *sizestr, *hpstr, *vpstr;
-
- versionval = *cp++;
-
- if (ascii == NULL)
- ascii = tmpbuf;
-
- if (versionval) {
- (void) sprintf(ascii, "; error: unknown LOC RR version");
- return (ascii);
- }
-
- sizeval = *cp++;
-
- hpval = *cp++;
- vpval = *cp++;
-
- GETLONG(templ, cp);
- latval = (templ - ((unsigned)1<<31));
-
- GETLONG(templ, cp);
- longval = (templ - ((unsigned)1<<31));
-
- GETLONG(templ, cp);
- if (templ < referencealt) { /* below WGS 84 spheroid */
- altval = referencealt - templ;
- altsign = "-";
- } else {
- altval = templ - referencealt;
- altsign = "";
- }
-
- if (latval < 0) {
- northsouth = 'S';
- latval = -latval;
- } else
- northsouth = 'N';
-
- latsecfrac = latval % 1000;
- latval = latval / 1000;
- latsec = latval % 60;
- latval = latval / 60;
- latmin = latval % 60;
- latval = latval / 60;
- latdeg = latval;
-
- if (longval < 0) {
- eastwest = 'W';
- longval = -longval;
- } else
- eastwest = 'E';
-
- longsecfrac = longval % 1000;
- longval = longval / 1000;
- longsec = longval % 60;
- longval = longval / 60;
- longmin = longval % 60;
- longval = longval / 60;
- longdeg = longval;
-
- altfrac = altval % 100;
- altmeters = (altval / 100);
-
- sizestr = strdup(precsize_ntoa(sizeval));
- hpstr = strdup(precsize_ntoa(hpval));
- vpstr = strdup(precsize_ntoa(vpval));
-
- sprintf(ascii,
- "%d %.2d %.2d.%.3d %c %d %.2d %.2d.%.3d %c %s%d.%.2dm %sm %sm %sm",
- latdeg, latmin, latsec, latsecfrac, northsouth,
- longdeg, longmin, longsec, longsecfrac, eastwest,
- altsign, altmeters, altfrac,
- (sizestr != NULL) ? sizestr : error,
- (hpstr != NULL) ? hpstr : error,
- (vpstr != NULL) ? vpstr : error);
-
- if (sizestr != NULL)
- free(sizestr);
- if (hpstr != NULL)
- free(hpstr);
- if (vpstr != NULL)
- free(vpstr);
-
- return (ascii);
-}
-
-
-/* Return the number of DNS hierarchy levels in the name. */
-int
-dn_count_labels(const char *name) {
- int i, len, count;
-
- len = strlen(name);
- for (i = 0, count = 0; i < len; i++) {
- /* XXX need to check for \. or use named's nlabels(). */
- if (name[i] == '.')
- count++;
- }
-
- /* don't count initial wildcard */
- if (name[0] == '*')
- if (count)
- count--;
-
- /* don't count the null label for root. */
- /* if terminating '.' not found, must adjust */
- /* count to include last label */
- if (len > 0 && name[len-1] != '.')
- count++;
- return (count);
-}
-
-
-/*
- * Make dates expressed in seconds-since-Jan-1-1970 easy to read.
- * SIG records are required to be printed like this, by the Secure DNS RFC.
- */
-char *
-p_secstodate (u_long secs) {
- char *output = p_secstodate_output;
- time_t clock = secs;
- struct tm *time;
-#ifdef HAVE_TIME_R
- struct tm res;
-
- time = gmtime_r(&clock, &res);
-#else
- time = gmtime(&clock);
-#endif
- time->tm_year += 1900;
- time->tm_mon += 1;
- sprintf(output, "%04d%02d%02d%02d%02d%02d",
- time->tm_year, time->tm_mon, time->tm_mday,
- time->tm_hour, time->tm_min, time->tm_sec);
- return (output);
-}
-
-u_int16_t
-res_nametoclass(const char *buf, int *successp) {
- unsigned long result;
- char *endptr;
- int success;
-
- result = sym_ston(__p_class_syms, buf, &success);
- if (success)
- goto done;
-
- if (strncasecmp(buf, "CLASS", 5) != 0 ||
- !isdigit((unsigned char)buf[5]))
- goto done;
- errno = 0;
- result = strtoul(buf + 5, &endptr, 10);
- if (errno == 0 && *endptr == '\0' && result <= 0xffffU)
- success = 1;
- done:
- if (successp)
- *successp = success;
- return (result);
-}
-
-u_int16_t
-res_nametotype(const char *buf, int *successp) {
- unsigned long result;
- char *endptr;
- int success;
-
- result = sym_ston(__p_type_syms, buf, &success);
- if (success)
- goto done;
-
- if (strncasecmp(buf, "type", 4) != 0 ||
- !isdigit((unsigned char)buf[4]))
- goto done;
- errno = 0;
- result = strtoul(buf + 4, &endptr, 10);
- if (errno == 0 && *endptr == '\0' && result <= 0xffffU)
- success = 1;
- done:
- if (successp)
- *successp = success;
- return (result);
-}
diff --git a/contrib/bind9/lib/bind/resolv/res_debug.h b/contrib/bind9/lib/bind/resolv/res_debug.h
deleted file mode 100644
index 2a9c0ae6f53a..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_debug.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _RES_DEBUG_H_
-#define _RES_DEBUG_H_
-
-#ifndef DEBUG
-# define Dprint(cond, args) /*empty*/
-# define DprintQ(cond, args, query, size) /*empty*/
-# define Aerror(statp, file, string, error, address) /*empty*/
-# define Perror(statp, file, string, error) /*empty*/
-#else
-# define Dprint(cond, args) if (cond) {fprintf args;} else {}
-# define DprintQ(cond, args, query, size) if (cond) {\
- fprintf args;\
- res_pquery(statp, query, size, stdout);\
- } else {}
-#endif
-
-#endif /* _RES_DEBUG_H_ */
diff --git a/contrib/bind9/lib/bind/resolv/res_findzonecut.c b/contrib/bind9/lib/bind/resolv/res_findzonecut.c
deleted file mode 100644
index 804beb647464..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_findzonecut.c
+++ /dev/null
@@ -1,719 +0,0 @@
-#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_findzonecut.c,v 1.2.2.3.4.4 2005/10/11 00:48:16 marka Exp $";
-#endif /* not lint */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Import. */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <limits.h>
-#include <netdb.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/list.h>
-
-#include "port_after.h"
-
-#include <resolv.h>
-
-/* Data structures. */
-
-typedef struct rr_a {
- LINK(struct rr_a) link;
- union res_sockaddr_union addr;
-} rr_a;
-typedef LIST(rr_a) rrset_a;
-
-typedef struct rr_ns {
- LINK(struct rr_ns) link;
- const char * name;
- unsigned int flags;
- rrset_a addrs;
-} rr_ns;
-typedef LIST(rr_ns) rrset_ns;
-
-#define RR_NS_HAVE_V4 0x01
-#define RR_NS_HAVE_V6 0x02
-
-/* Forward. */
-
-static int satisfy(res_state, const char *, rrset_ns *,
- union res_sockaddr_union *, int);
-static int add_addrs(res_state, rr_ns *,
- union res_sockaddr_union *, int);
-static int get_soa(res_state, const char *, ns_class, int,
- char *, size_t, char *, size_t,
- rrset_ns *);
-static int get_ns(res_state, const char *, ns_class, int, rrset_ns *);
-static int get_glue(res_state, ns_class, int, rrset_ns *);
-static int save_ns(res_state, ns_msg *, ns_sect,
- const char *, ns_class, int, rrset_ns *);
-static int save_a(res_state, ns_msg *, ns_sect,
- const char *, ns_class, int, rr_ns *);
-static void free_nsrrset(rrset_ns *);
-static void free_nsrr(rrset_ns *, rr_ns *);
-static rr_ns * find_ns(rrset_ns *, const char *);
-static int do_query(res_state, const char *, ns_class, ns_type,
- u_char *, ns_msg *);
-static void res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2);
-
-/* Macros. */
-
-#define DPRINTF(x) do {\
- int save_errno = errno; \
- if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \
- errno = save_errno; \
- } while (0)
-
-/* Public. */
-
-/*
- * int
- * res_findzonecut(res, dname, class, zname, zsize, addrs, naddrs)
- * find enclosing zone for a <dname,class>, and some server addresses
- * parameters:
- * res - resolver context to work within (is modified)
- * dname - domain name whose enclosing zone is desired
- * class - class of dname (and its enclosing zone)
- * zname - found zone name
- * zsize - allocated size of zname
- * addrs - found server addresses
- * naddrs - max number of addrs
- * return values:
- * < 0 - an error occurred (check errno)
- * = 0 - zname is now valid, but addrs[] wasn't changed
- * > 0 - zname is now valid, and return value is number of addrs[] found
- * notes:
- * this function calls res_nsend() which means it depends on correctly
- * functioning recursive nameservers (usually defined in /etc/resolv.conf
- * or its local equivilent).
- *
- * we start by asking for an SOA<dname,class>. if we get one as an
- * answer, that just means <dname,class> is a zone top, which is fine.
- * more than likely we'll be told to go pound sand, in the form of a
- * negative answer.
- *
- * note that we are not prepared to deal with referrals since that would
- * only come from authority servers and our correctly functioning local
- * recursive server would have followed the referral and got us something
- * more definite.
- *
- * if the authority section contains an SOA, this SOA should also be the
- * closest enclosing zone, since any intermediary zone cuts would've been
- * returned as referrals and dealt with by our correctly functioning local
- * recursive name server. but an SOA in the authority section should NOT
- * match our dname (since that would have been returned in the answer
- * section). an authority section SOA has to be "above" our dname.
- *
- * however, since authority section SOA's were once optional, it's
- * possible that we'll have to go hunting for the enclosing SOA by
- * ripping labels off the front of our dname -- this is known as "doing
- * it the hard way."
- *
- * ultimately we want some server addresses, which are ideally the ones
- * pertaining to the SOA.MNAME, but only if there is a matching NS RR.
- * so the second phase (after we find an SOA) is to go looking for the
- * NS RRset for that SOA's zone.
- *
- * no answer section processed by this code is allowed to contain CNAME
- * or DNAME RR's. for the SOA query this means we strip a label and
- * keep going. for the NS and A queries this means we just give up.
- */
-
-int
-res_findzonecut(res_state statp, const char *dname, ns_class class, int opts,
- char *zname, size_t zsize, struct in_addr *addrs, int naddrs)
-{
- int result, i;
- union res_sockaddr_union *u;
-
-
- opts |= RES_IPV4ONLY;
- opts &= ~RES_IPV6ONLY;
-
- u = calloc(naddrs, sizeof(*u));
- if (u == NULL)
- return(-1);
-
- result = res_findzonecut2(statp, dname, class, opts, zname, zsize,
- u, naddrs);
-
- for (i = 0; i < result; i++) {
- addrs[i] = u[i].sin.sin_addr;
- }
- free(u);
- return (result);
-}
-
-int
-res_findzonecut2(res_state statp, const char *dname, ns_class class, int opts,
- char *zname, size_t zsize, union res_sockaddr_union *addrs,
- int naddrs)
-{
- char mname[NS_MAXDNAME];
- u_long save_pfcode;
- rrset_ns nsrrs;
- int n;
-
- DPRINTF(("START dname='%s' class=%s, zsize=%ld, naddrs=%d",
- dname, p_class(class), (long)zsize, naddrs));
- save_pfcode = statp->pfcode;
- statp->pfcode |= RES_PRF_HEAD2 | RES_PRF_HEAD1 | RES_PRF_HEADX |
- RES_PRF_QUES | RES_PRF_ANS |
- RES_PRF_AUTH | RES_PRF_ADD;
- INIT_LIST(nsrrs);
-
- DPRINTF(("get the soa, and see if it has enough glue"));
- if ((n = get_soa(statp, dname, class, opts, zname, zsize,
- mname, sizeof mname, &nsrrs)) < 0 ||
- ((opts & RES_EXHAUSTIVE) == 0 &&
- (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
- goto done;
-
- DPRINTF(("get the ns rrset and see if it has enough glue"));
- if ((n = get_ns(statp, zname, class, opts, &nsrrs)) < 0 ||
- ((opts & RES_EXHAUSTIVE) == 0 &&
- (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
- goto done;
-
- DPRINTF(("get the missing glue and see if it's finally enough"));
- if ((n = get_glue(statp, class, opts, &nsrrs)) >= 0)
- n = satisfy(statp, mname, &nsrrs, addrs, naddrs);
-
- done:
- DPRINTF(("FINISH n=%d (%s)", n, (n < 0) ? strerror(errno) : "OK"));
- free_nsrrset(&nsrrs);
- statp->pfcode = save_pfcode;
- return (n);
-}
-
-/* Private. */
-
-static int
-satisfy(res_state statp, const char *mname, rrset_ns *nsrrsp,
- union res_sockaddr_union *addrs, int naddrs)
-{
- rr_ns *nsrr;
- int n, x;
-
- n = 0;
- nsrr = find_ns(nsrrsp, mname);
- if (nsrr != NULL) {
- x = add_addrs(statp, nsrr, addrs, naddrs);
- addrs += x;
- naddrs -= x;
- n += x;
- }
- for (nsrr = HEAD(*nsrrsp);
- nsrr != NULL && naddrs > 0;
- nsrr = NEXT(nsrr, link))
- if (ns_samename(nsrr->name, mname) != 1) {
- x = add_addrs(statp, nsrr, addrs, naddrs);
- addrs += x;
- naddrs -= x;
- n += x;
- }
- DPRINTF(("satisfy(%s): %d", mname, n));
- return (n);
-}
-
-static int
-add_addrs(res_state statp, rr_ns *nsrr,
- union res_sockaddr_union *addrs, int naddrs)
-{
- rr_a *arr;
- int n = 0;
-
- for (arr = HEAD(nsrr->addrs); arr != NULL; arr = NEXT(arr, link)) {
- if (naddrs <= 0)
- return (0);
- *addrs++ = arr->addr;
- naddrs--;
- n++;
- }
- DPRINTF(("add_addrs: %d", n));
- return (n);
-}
-
-static int
-get_soa(res_state statp, const char *dname, ns_class class, int opts,
- char *zname, size_t zsize, char *mname, size_t msize,
- rrset_ns *nsrrsp)
-{
- char tname[NS_MAXDNAME];
- u_char *resp = NULL;
- int n, i, ancount, nscount;
- ns_sect sect;
- ns_msg msg;
- u_int rcode;
-
- /*
- * Find closest enclosing SOA, even if it's for the root zone.
- */
-
- /* First canonicalize dname (exactly one unescaped trailing "."). */
- if (ns_makecanon(dname, tname, sizeof tname) < 0)
- goto cleanup;
- dname = tname;
-
- resp = malloc(NS_MAXMSG);
- if (resp == NULL)
- goto cleanup;
-
- /* Now grovel the subdomains, hunting for an SOA answer or auth. */
- for (;;) {
- /* Leading or inter-label '.' are skipped here. */
- while (*dname == '.')
- dname++;
-
- /* Is there an SOA? */
- n = do_query(statp, dname, class, ns_t_soa, resp, &msg);
- if (n < 0) {
- DPRINTF(("get_soa: do_query('%s', %s) failed (%d)",
- dname, p_class(class), n));
- goto cleanup;
- }
- if (n > 0) {
- DPRINTF(("get_soa: CNAME or DNAME found"));
- sect = ns_s_max, n = 0;
- } else {
- rcode = ns_msg_getflag(msg, ns_f_rcode);
- ancount = ns_msg_count(msg, ns_s_an);
- nscount = ns_msg_count(msg, ns_s_ns);
- if (ancount > 0 && rcode == ns_r_noerror)
- sect = ns_s_an, n = ancount;
- else if (nscount > 0)
- sect = ns_s_ns, n = nscount;
- else
- sect = ns_s_max, n = 0;
- }
- for (i = 0; i < n; i++) {
- const char *t;
- const u_char *rdata;
- ns_rr rr;
-
- if (ns_parserr(&msg, sect, i, &rr) < 0) {
- DPRINTF(("get_soa: ns_parserr(%s, %d) failed",
- p_section(sect, ns_o_query), i));
- goto cleanup;
- }
- if (ns_rr_type(rr) == ns_t_cname ||
- ns_rr_type(rr) == ns_t_dname)
- break;
- if (ns_rr_type(rr) != ns_t_soa ||
- ns_rr_class(rr) != class)
- continue;
- t = ns_rr_name(rr);
- switch (sect) {
- case ns_s_an:
- if (ns_samedomain(dname, t) == 0) {
- DPRINTF(
- ("get_soa: ns_samedomain('%s', '%s') == 0",
- dname, t)
- );
- errno = EPROTOTYPE;
- goto cleanup;
- }
- break;
- case ns_s_ns:
- if (ns_samename(dname, t) == 1 ||
- ns_samedomain(dname, t) == 0) {
- DPRINTF(
- ("get_soa: ns_samename() || !ns_samedomain('%s', '%s')",
- dname, t)
- );
- errno = EPROTOTYPE;
- goto cleanup;
- }
- break;
- default:
- abort();
- }
- if (strlen(t) + 1 > zsize) {
- DPRINTF(("get_soa: zname(%lu) too small (%lu)",
- (unsigned long)zsize,
- (unsigned long)strlen(t) + 1));
- errno = EMSGSIZE;
- goto cleanup;
- }
- strcpy(zname, t);
- rdata = ns_rr_rdata(rr);
- if (ns_name_uncompress(resp, ns_msg_end(msg), rdata,
- mname, msize) < 0) {
- DPRINTF(("get_soa: ns_name_uncompress failed")
- );
- goto cleanup;
- }
- if (save_ns(statp, &msg, ns_s_ns,
- zname, class, opts, nsrrsp) < 0) {
- DPRINTF(("get_soa: save_ns failed"));
- goto cleanup;
- }
- free(resp);
- return (0);
- }
-
- /* If we're out of labels, then not even "." has an SOA! */
- if (*dname == '\0')
- break;
-
- /* Find label-terminating "."; top of loop will skip it. */
- while (*dname != '.') {
- if (*dname == '\\')
- if (*++dname == '\0') {
- errno = EMSGSIZE;
- goto cleanup;
- }
- dname++;
- }
- }
- DPRINTF(("get_soa: out of labels"));
- errno = EDESTADDRREQ;
- cleanup:
- if (resp != NULL)
- free(resp);
- return (-1);
-}
-
-static int
-get_ns(res_state statp, const char *zname, ns_class class, int opts,
- rrset_ns *nsrrsp)
-{
- u_char *resp;
- ns_msg msg;
- int n;
-
- resp = malloc(NS_MAXMSG);
- if (resp == NULL)
- return (-1);
-
- /* Go and get the NS RRs for this zone. */
- n = do_query(statp, zname, class, ns_t_ns, resp, &msg);
- if (n != 0) {
- DPRINTF(("get_ns: do_query('%s', %s) failed (%d)",
- zname, p_class(class), n));
- free(resp);
- return (-1);
- }
-
- /* Remember the NS RRs and associated A RRs that came back. */
- if (save_ns(statp, &msg, ns_s_an, zname, class, opts, nsrrsp) < 0) {
- DPRINTF(("get_ns save_ns('%s', %s) failed",
- zname, p_class(class)));
- free(resp);
- return (-1);
- }
-
- free(resp);
- return (0);
-}
-
-static int
-get_glue(res_state statp, ns_class class, int opts, rrset_ns *nsrrsp) {
- rr_ns *nsrr, *nsrr_n;
- u_char *resp;
-
- resp = malloc(NS_MAXMSG);
- if (resp == NULL)
- return(-1);
-
- /* Go and get the A RRs for each empty NS RR on our list. */
- for (nsrr = HEAD(*nsrrsp); nsrr != NULL; nsrr = nsrr_n) {
- ns_msg msg;
- int n;
-
- nsrr_n = NEXT(nsrr, link);
-
- if ((nsrr->flags & RR_NS_HAVE_V4) == 0) {
- n = do_query(statp, nsrr->name, class, ns_t_a,
- resp, &msg);
- if (n < 0) {
- DPRINTF(
- ("get_glue: do_query('%s', %s') failed",
- nsrr->name, p_class(class)));
- goto cleanup;
- }
- if (n > 0) {
- DPRINTF((
- "get_glue: do_query('%s', %s') CNAME or DNAME found",
- nsrr->name, p_class(class)));
- }
- if (save_a(statp, &msg, ns_s_an, nsrr->name, class,
- opts, nsrr) < 0) {
- DPRINTF(("get_glue: save_r('%s', %s) failed",
- nsrr->name, p_class(class)));
- goto cleanup;
- }
- }
-
- if ((nsrr->flags & RR_NS_HAVE_V6) == 0) {
- n = do_query(statp, nsrr->name, class, ns_t_aaaa,
- resp, &msg);
- if (n < 0) {
- DPRINTF(
- ("get_glue: do_query('%s', %s') failed",
- nsrr->name, p_class(class)));
- goto cleanup;
- }
- if (n > 0) {
- DPRINTF((
- "get_glue: do_query('%s', %s') CNAME or DNAME found",
- nsrr->name, p_class(class)));
- }
- if (save_a(statp, &msg, ns_s_an, nsrr->name, class,
- opts, nsrr) < 0) {
- DPRINTF(("get_glue: save_r('%s', %s) failed",
- nsrr->name, p_class(class)));
- goto cleanup;
- }
- }
-
- /* If it's still empty, it's just chaff. */
- if (EMPTY(nsrr->addrs)) {
- DPRINTF(("get_glue: removing empty '%s' NS",
- nsrr->name));
- free_nsrr(nsrrsp, nsrr);
- }
- }
- free(resp);
- return (0);
-
- cleanup:
- free(resp);
- return (-1);
-}
-
-static int
-save_ns(res_state statp, ns_msg *msg, ns_sect sect,
- const char *owner, ns_class class, int opts,
- rrset_ns *nsrrsp)
-{
- int i;
-
- for (i = 0; i < ns_msg_count(*msg, sect); i++) {
- char tname[MAXDNAME];
- const u_char *rdata;
- rr_ns *nsrr;
- ns_rr rr;
-
- if (ns_parserr(msg, sect, i, &rr) < 0) {
- DPRINTF(("save_ns: ns_parserr(%s, %d) failed",
- p_section(sect, ns_o_query), i));
- return (-1);
- }
- if (ns_rr_type(rr) != ns_t_ns ||
- ns_rr_class(rr) != class ||
- ns_samename(ns_rr_name(rr), owner) != 1)
- continue;
- nsrr = find_ns(nsrrsp, ns_rr_name(rr));
- if (nsrr == NULL) {
- nsrr = malloc(sizeof *nsrr);
- if (nsrr == NULL) {
- DPRINTF(("save_ns: malloc failed"));
- return (-1);
- }
- rdata = ns_rr_rdata(rr);
- if (ns_name_uncompress(ns_msg_base(*msg),
- ns_msg_end(*msg), rdata,
- tname, sizeof tname) < 0) {
- DPRINTF(("save_ns: ns_name_uncompress failed")
- );
- free(nsrr);
- return (-1);
- }
- nsrr->name = strdup(tname);
- if (nsrr->name == NULL) {
- DPRINTF(("save_ns: strdup failed"));
- free(nsrr);
- return (-1);
- }
- INIT_LINK(nsrr, link);
- INIT_LIST(nsrr->addrs);
- nsrr->flags = 0;
- APPEND(*nsrrsp, nsrr, link);
- }
- if (save_a(statp, msg, ns_s_ar,
- nsrr->name, class, opts, nsrr) < 0) {
- DPRINTF(("save_ns: save_r('%s', %s) failed",
- nsrr->name, p_class(class)));
- return (-1);
- }
- }
- return (0);
-}
-
-static int
-save_a(res_state statp, ns_msg *msg, ns_sect sect,
- const char *owner, ns_class class, int opts,
- rr_ns *nsrr)
-{
- int i;
-
- for (i = 0; i < ns_msg_count(*msg, sect); i++) {
- ns_rr rr;
- rr_a *arr;
-
- if (ns_parserr(msg, sect, i, &rr) < 0) {
- DPRINTF(("save_a: ns_parserr(%s, %d) failed",
- p_section(sect, ns_o_query), i));
- return (-1);
- }
- if ((ns_rr_type(rr) != ns_t_a &&
- ns_rr_type(rr) != ns_t_aaaa) ||
- ns_rr_class(rr) != class ||
- ns_samename(ns_rr_name(rr), owner) != 1 ||
- ns_rr_rdlen(rr) != NS_INADDRSZ)
- continue;
- if ((opts & RES_IPV6ONLY) != 0 && ns_rr_type(rr) != ns_t_aaaa)
- continue;
- if ((opts & RES_IPV4ONLY) != 0 && ns_rr_type(rr) != ns_t_a)
- continue;
- arr = malloc(sizeof *arr);
- if (arr == NULL) {
- DPRINTF(("save_a: malloc failed"));
- return (-1);
- }
- INIT_LINK(arr, link);
- memset(&arr->addr, 0, sizeof(arr->addr));
- switch (ns_rr_type(rr)) {
- case ns_t_a:
- arr->addr.sin.sin_family = AF_INET;
-#ifdef HAVE_SA_LEN
- arr->addr.sin.sin_len = sizeof(arr->addr.sin);
-#endif
- memcpy(&arr->addr.sin.sin_addr, ns_rr_rdata(rr),
- NS_INADDRSZ);
- arr->addr.sin.sin_port = htons(NAMESERVER_PORT);
- nsrr->flags |= RR_NS_HAVE_V4;
- break;
- case ns_t_aaaa:
- arr->addr.sin6.sin6_family = AF_INET6;
-#ifdef HAVE_SA_LEN
- arr->addr.sin6.sin6_len = sizeof(arr->addr.sin6);
-#endif
- memcpy(&arr->addr.sin6.sin6_addr, ns_rr_rdata(rr), 16);
- arr->addr.sin.sin_port = htons(NAMESERVER_PORT);
- nsrr->flags |= RR_NS_HAVE_V6;
- break;
- default:
- abort();
- }
- APPEND(nsrr->addrs, arr, link);
- }
- return (0);
-}
-
-static void
-free_nsrrset(rrset_ns *nsrrsp) {
- rr_ns *nsrr;
-
- while ((nsrr = HEAD(*nsrrsp)) != NULL)
- free_nsrr(nsrrsp, nsrr);
-}
-
-static void
-free_nsrr(rrset_ns *nsrrsp, rr_ns *nsrr) {
- rr_a *arr;
- char *tmp;
-
- while ((arr = HEAD(nsrr->addrs)) != NULL) {
- UNLINK(nsrr->addrs, arr, link);
- free(arr);
- }
- DE_CONST(nsrr->name, tmp);
- free(tmp);
- UNLINK(*nsrrsp, nsrr, link);
- free(nsrr);
-}
-
-static rr_ns *
-find_ns(rrset_ns *nsrrsp, const char *dname) {
- rr_ns *nsrr;
-
- for (nsrr = HEAD(*nsrrsp); nsrr != NULL; nsrr = NEXT(nsrr, link))
- if (ns_samename(nsrr->name, dname) == 1)
- return (nsrr);
- return (NULL);
-}
-
-static int
-do_query(res_state statp, const char *dname, ns_class class, ns_type qtype,
- u_char *resp, ns_msg *msg)
-{
- u_char req[NS_PACKETSZ];
- int i, n;
-
- n = res_nmkquery(statp, ns_o_query, dname, class, qtype,
- NULL, 0, NULL, req, NS_PACKETSZ);
- if (n < 0) {
- DPRINTF(("do_query: res_nmkquery failed"));
- return (-1);
- }
- n = res_nsend(statp, req, n, resp, NS_MAXMSG);
- if (n < 0) {
- DPRINTF(("do_query: res_nsend failed"));
- return (-1);
- }
- if (n == 0) {
- DPRINTF(("do_query: res_nsend returned 0"));
- errno = EMSGSIZE;
- return (-1);
- }
- if (ns_initparse(resp, n, msg) < 0) {
- DPRINTF(("do_query: ns_initparse failed"));
- return (-1);
- }
- n = 0;
- for (i = 0; i < ns_msg_count(*msg, ns_s_an); i++) {
- ns_rr rr;
-
- if (ns_parserr(msg, ns_s_an, i, &rr) < 0) {
- DPRINTF(("do_query: ns_parserr failed"));
- return (-1);
- }
- n += (ns_rr_class(rr) == class &&
- (ns_rr_type(rr) == ns_t_cname ||
- ns_rr_type(rr) == ns_t_dname));
- }
- return (n);
-}
-
-static void
-res_dprintf(const char *fmt, ...) {
- va_list ap;
-
- va_start(ap, fmt);
- fputs(";; res_findzonecut: ", stderr);
- vfprintf(stderr, fmt, ap);
- fputc('\n', stderr);
- va_end(ap);
-}
diff --git a/contrib/bind9/lib/bind/resolv/res_init.c b/contrib/bind9/lib/bind/resolv/res_init.c
deleted file mode 100644
index 28a3ebd088e9..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_init.c
+++ /dev/null
@@ -1,799 +0,0 @@
-/*
- * Copyright (c) 1985, 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)res_init.c 8.1 (Berkeley) 6/7/93";
-static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.5 2005/11/03 00:00:52 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <ctype.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <netdb.h>
-
-#include "port_after.h"
-
-/* ensure that sockaddr_in6 and IN6ADDR_ANY_INIT are declared / defined */
-#include <resolv.h>
-
-#include "res_private.h"
-
-/* Options. Should all be left alone. */
-#define RESOLVSORT
-#define DEBUG
-
-#ifdef SOLARIS2
-#include <sys/systeminfo.h>
-#endif
-
-static void res_setoptions __P((res_state, const char *, const char *));
-
-#ifdef RESOLVSORT
-static const char sort_mask[] = "/&";
-#define ISSORTMASK(ch) (strchr(sort_mask, ch) != NULL)
-static u_int32_t net_mask __P((struct in_addr));
-#endif
-
-#if !defined(isascii) /* XXX - could be a function */
-# define isascii(c) (!(c & 0200))
-#endif
-
-/*
- * Resolver state default settings.
- */
-
-/*
- * Set up default settings. If the configuration file exist, the values
- * there will have precedence. Otherwise, the server address is set to
- * INADDR_ANY and the default domain name comes from the gethostname().
- *
- * An interrim version of this code (BIND 4.9, pre-4.4BSD) used 127.0.0.1
- * rather than INADDR_ANY ("0.0.0.0") as the default name server address
- * since it was noted that INADDR_ANY actually meant ``the first interface
- * you "ifconfig"'d at boot time'' and if this was a SLIP or PPP interface,
- * it had to be "up" in order for you to reach your own name server. It
- * was later decided that since the recommended practice is to always
- * install local static routes through 127.0.0.1 for all your network
- * interfaces, that we could solve this problem without a code change.
- *
- * The configuration file should always be used, since it is the only way
- * to specify a default domain. If you are running a server on your local
- * machine, you should say "nameserver 0.0.0.0" or "nameserver 127.0.0.1"
- * in the configuration file.
- *
- * Return 0 if completes successfully, -1 on error
- */
-int
-res_ninit(res_state statp) {
- extern int __res_vinit(res_state, int);
-
- return (__res_vinit(statp, 0));
-}
-
-/* This function has to be reachable by res_data.c but not publically. */
-int
-__res_vinit(res_state statp, int preinit) {
- register FILE *fp;
- register char *cp, **pp;
- register int n;
- char buf[BUFSIZ];
- int nserv = 0; /* number of nameserver records read from file */
- int haveenv = 0;
- int havesearch = 0;
-#ifdef RESOLVSORT
- int nsort = 0;
- char *net;
-#endif
- int dots;
- union res_sockaddr_union u[2];
-
- if (statp->_u._ext.ext != NULL)
- res_ndestroy(statp);
-
- if (!preinit) {
- statp->retrans = RES_TIMEOUT;
- statp->retry = RES_DFLRETRY;
- statp->options = RES_DEFAULT;
- statp->id = res_randomid();
- }
-
- memset(u, 0, sizeof(u));
-#ifdef USELOOPBACK
- u[nserv].sin.sin_addr = inet_makeaddr(IN_LOOPBACKNET, 1);
-#else
- u[nserv].sin.sin_addr.s_addr = INADDR_ANY;
-#endif
- u[nserv].sin.sin_family = AF_INET;
- u[nserv].sin.sin_port = htons(NAMESERVER_PORT);
-#ifdef HAVE_SA_LEN
- u[nserv].sin.sin_len = sizeof(struct sockaddr_in);
-#endif
- nserv++;
-#ifdef HAS_INET6_STRUCTS
-#ifdef USELOOPBACK
- u[nserv].sin6.sin6_addr = in6addr_loopback;
-#else
- u[nserv].sin6.sin6_addr = in6addr_any;
-#endif
- u[nserv].sin6.sin6_family = AF_INET6;
- u[nserv].sin6.sin6_port = htons(NAMESERVER_PORT);
-#ifdef HAVE_SA_LEN
- u[nserv].sin6.sin6_len = sizeof(struct sockaddr_in6);
-#endif
- nserv++;
-#endif
- statp->nscount = 0;
- statp->ndots = 1;
- statp->pfcode = 0;
- statp->_vcsock = -1;
- statp->_flags = 0;
- statp->qhook = NULL;
- statp->rhook = NULL;
- statp->_u._ext.nscount = 0;
- statp->_u._ext.ext = malloc(sizeof(*statp->_u._ext.ext));
- if (statp->_u._ext.ext != NULL) {
- memset(statp->_u._ext.ext, 0, sizeof(*statp->_u._ext.ext));
- statp->_u._ext.ext->nsaddrs[0].sin = statp->nsaddr;
- strcpy(statp->_u._ext.ext->nsuffix, "ip6.arpa");
- strcpy(statp->_u._ext.ext->nsuffix2, "ip6.int");
- } else
- return (-1);
-#ifdef RESOLVSORT
- statp->nsort = 0;
-#endif
- res_setservers(statp, u, nserv);
-
-#ifdef SOLARIS2
- /*
- * The old libresolv derived the defaultdomain from NIS/NIS+.
- * We want to keep this behaviour
- */
- {
- char buf[sizeof(statp->defdname)], *cp;
- int ret;
-
- if ((ret = sysinfo(SI_SRPC_DOMAIN, buf, sizeof(buf))) > 0 &&
- (unsigned int)ret <= sizeof(buf)) {
- if (buf[0] == '+')
- buf[0] = '.';
- cp = strchr(buf, '.');
- if (cp == NULL) {
- if (strlcpy(statp->defdname, buf,
- sizeof(statp->defdname))
- >= sizeof(statp->defdname))
- goto freedata;
- } else {
- if (strlcpy(statp->defdname, cp+1,
- sizeof(statp->defdname))
- >= sizeof(statp->defdname))
- goto freedata;
- }
- }
- }
-#endif /* SOLARIS2 */
-
- /* Allow user to override the local domain definition */
- if ((cp = getenv("LOCALDOMAIN")) != NULL) {
- (void)strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
- statp->defdname[sizeof(statp->defdname) - 1] = '\0';
- haveenv++;
-
- /*
- * Set search list to be blank-separated strings
- * from rest of env value. Permits users of LOCALDOMAIN
- * to still have a search list, and anyone to set the
- * one that they want to use as an individual (even more
- * important now that the rfc1535 stuff restricts searches)
- */
- cp = statp->defdname;
- pp = statp->dnsrch;
- *pp++ = cp;
- for (n = 0; *cp && pp < statp->dnsrch + MAXDNSRCH; cp++) {
- if (*cp == '\n') /* silly backwards compat */
- break;
- else if (*cp == ' ' || *cp == '\t') {
- *cp = 0;
- n = 1;
- } else if (n) {
- *pp++ = cp;
- n = 0;
- havesearch = 1;
- }
- }
- /* null terminate last domain if there are excess */
- while (*cp != '\0' && *cp != ' ' && *cp != '\t' && *cp != '\n')
- cp++;
- *cp = '\0';
- *pp++ = 0;
- }
-
-#define MATCH(line, name) \
- (!strncmp(line, name, sizeof(name) - 1) && \
- (line[sizeof(name) - 1] == ' ' || \
- line[sizeof(name) - 1] == '\t'))
-
- nserv = 0;
- if ((fp = fopen(_PATH_RESCONF, "r")) != NULL) {
- /* read the config file */
- while (fgets(buf, sizeof(buf), fp) != NULL) {
- /* skip comments */
- if (*buf == ';' || *buf == '#')
- continue;
- /* read default domain name */
- if (MATCH(buf, "domain")) {
- if (haveenv) /* skip if have from environ */
- continue;
- cp = buf + sizeof("domain") - 1;
- while (*cp == ' ' || *cp == '\t')
- cp++;
- if ((*cp == '\0') || (*cp == '\n'))
- continue;
- strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
- statp->defdname[sizeof(statp->defdname) - 1] = '\0';
- if ((cp = strpbrk(statp->defdname, " \t\n")) != NULL)
- *cp = '\0';
- havesearch = 0;
- continue;
- }
- /* set search list */
- if (MATCH(buf, "search")) {
- if (haveenv) /* skip if have from environ */
- continue;
- cp = buf + sizeof("search") - 1;
- while (*cp == ' ' || *cp == '\t')
- cp++;
- if ((*cp == '\0') || (*cp == '\n'))
- continue;
- strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
- statp->defdname[sizeof(statp->defdname) - 1] = '\0';
- if ((cp = strchr(statp->defdname, '\n')) != NULL)
- *cp = '\0';
- /*
- * Set search list to be blank-separated strings
- * on rest of line.
- */
- cp = statp->defdname;
- pp = statp->dnsrch;
- *pp++ = cp;
- for (n = 0; *cp && pp < statp->dnsrch + MAXDNSRCH; cp++) {
- if (*cp == ' ' || *cp == '\t') {
- *cp = 0;
- n = 1;
- } else if (n) {
- *pp++ = cp;
- n = 0;
- }
- }
- /* null terminate last domain if there are excess */
- while (*cp != '\0' && *cp != ' ' && *cp != '\t')
- cp++;
- *cp = '\0';
- *pp++ = 0;
- havesearch = 1;
- continue;
- }
- /* read nameservers to query */
- if (MATCH(buf, "nameserver") && nserv < MAXNS) {
- struct addrinfo hints, *ai;
- char sbuf[NI_MAXSERV];
- const size_t minsiz =
- sizeof(statp->_u._ext.ext->nsaddrs[0]);
-
- cp = buf + sizeof("nameserver") - 1;
- while (*cp == ' ' || *cp == '\t')
- cp++;
- cp[strcspn(cp, ";# \t\n")] = '\0';
- if ((*cp != '\0') && (*cp != '\n')) {
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = PF_UNSPEC;
- hints.ai_socktype = SOCK_DGRAM; /*dummy*/
- hints.ai_flags = AI_NUMERICHOST;
- sprintf(sbuf, "%u", NAMESERVER_PORT);
- if (getaddrinfo(cp, sbuf, &hints, &ai) == 0 &&
- ai->ai_addrlen <= minsiz) {
- if (statp->_u._ext.ext != NULL) {
- memcpy(&statp->_u._ext.ext->nsaddrs[nserv],
- ai->ai_addr, ai->ai_addrlen);
- }
- if (ai->ai_addrlen <=
- sizeof(statp->nsaddr_list[nserv])) {
- memcpy(&statp->nsaddr_list[nserv],
- ai->ai_addr, ai->ai_addrlen);
- } else
- statp->nsaddr_list[nserv].sin_family = 0;
- freeaddrinfo(ai);
- nserv++;
- }
- }
- continue;
- }
-#ifdef RESOLVSORT
- if (MATCH(buf, "sortlist")) {
- struct in_addr a;
-
- cp = buf + sizeof("sortlist") - 1;
- while (nsort < MAXRESOLVSORT) {
- while (*cp == ' ' || *cp == '\t')
- cp++;
- if (*cp == '\0' || *cp == '\n' || *cp == ';')
- break;
- net = cp;
- while (*cp && !ISSORTMASK(*cp) && *cp != ';' &&
- isascii(*cp) && !isspace((unsigned char)*cp))
- cp++;
- n = *cp;
- *cp = 0;
- if (inet_aton(net, &a)) {
- statp->sort_list[nsort].addr = a;
- if (ISSORTMASK(n)) {
- *cp++ = n;
- net = cp;
- while (*cp && *cp != ';' &&
- isascii(*cp) &&
- !isspace((unsigned char)*cp))
- cp++;
- n = *cp;
- *cp = 0;
- if (inet_aton(net, &a)) {
- statp->sort_list[nsort].mask = a.s_addr;
- } else {
- statp->sort_list[nsort].mask =
- net_mask(statp->sort_list[nsort].addr);
- }
- } else {
- statp->sort_list[nsort].mask =
- net_mask(statp->sort_list[nsort].addr);
- }
- nsort++;
- }
- *cp = n;
- }
- continue;
- }
-#endif
- if (MATCH(buf, "options")) {
- res_setoptions(statp, buf + sizeof("options") - 1, "conf");
- continue;
- }
- }
- if (nserv > 0)
- statp->nscount = nserv;
-#ifdef RESOLVSORT
- statp->nsort = nsort;
-#endif
- (void) fclose(fp);
- }
-/*
- * Last chance to get a nameserver. This should not normally
- * be necessary
- */
-#ifdef NO_RESOLV_CONF
- if(nserv == 0)
- nserv = get_nameservers(statp);
-#endif
-
- if (statp->defdname[0] == 0 &&
- gethostname(buf, sizeof(statp->defdname) - 1) == 0 &&
- (cp = strchr(buf, '.')) != NULL)
- strcpy(statp->defdname, cp + 1);
-
- /* find components of local domain that might be searched */
- if (havesearch == 0) {
- pp = statp->dnsrch;
- *pp++ = statp->defdname;
- *pp = NULL;
-
- dots = 0;
- for (cp = statp->defdname; *cp; cp++)
- dots += (*cp == '.');
-
- cp = statp->defdname;
- while (pp < statp->dnsrch + MAXDFLSRCH) {
- if (dots < LOCALDOMAINPARTS)
- break;
- cp = strchr(cp, '.') + 1; /* we know there is one */
- *pp++ = cp;
- dots--;
- }
- *pp = NULL;
-#ifdef DEBUG
- if (statp->options & RES_DEBUG) {
- printf(";; res_init()... default dnsrch list:\n");
- for (pp = statp->dnsrch; *pp; pp++)
- printf(";;\t%s\n", *pp);
- printf(";;\t..END..\n");
- }
-#endif
- }
-
- if ((cp = getenv("RES_OPTIONS")) != NULL)
- res_setoptions(statp, cp, "env");
- statp->options |= RES_INIT;
- return (0);
-
-#ifdef SOLARIS2
- freedata:
- if (statp->_u._ext.ext != NULL) {
- free(statp->_u._ext.ext);
- statp->_u._ext.ext = NULL;
- }
- return (-1);
-#endif
-}
-
-static void
-res_setoptions(res_state statp, const char *options, const char *source)
-{
- const char *cp = options;
- int i;
- struct __res_state_ext *ext = statp->_u._ext.ext;
-
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_setoptions(\"%s\", \"%s\")...\n",
- options, source);
-#endif
- while (*cp) {
- /* skip leading and inner runs of spaces */
- while (*cp == ' ' || *cp == '\t')
- cp++;
- /* search for and process individual options */
- if (!strncmp(cp, "ndots:", sizeof("ndots:") - 1)) {
- i = atoi(cp + sizeof("ndots:") - 1);
- if (i <= RES_MAXNDOTS)
- statp->ndots = i;
- else
- statp->ndots = RES_MAXNDOTS;
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";;\tndots=%d\n", statp->ndots);
-#endif
- } else if (!strncmp(cp, "timeout:", sizeof("timeout:") - 1)) {
- i = atoi(cp + sizeof("timeout:") - 1);
- if (i <= RES_MAXRETRANS)
- statp->retrans = i;
- else
- statp->retrans = RES_MAXRETRANS;
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";;\ttimeout=%d\n", statp->retrans);
-#endif
-#ifdef SOLARIS2
- } else if (!strncmp(cp, "retrans:", sizeof("retrans:") - 1)) {
- /*
- * For backward compatibility, 'retrans' is
- * supported as an alias for 'timeout', though
- * without an imposed maximum.
- */
- statp->retrans = atoi(cp + sizeof("retrans:") - 1);
- } else if (!strncmp(cp, "retry:", sizeof("retry:") - 1)){
- /*
- * For backward compatibility, 'retry' is
- * supported as an alias for 'attempts', though
- * without an imposed maximum.
- */
- statp->retry = atoi(cp + sizeof("retry:") - 1);
-#endif /* SOLARIS2 */
- } else if (!strncmp(cp, "attempts:", sizeof("attempts:") - 1)){
- i = atoi(cp + sizeof("attempts:") - 1);
- if (i <= RES_MAXRETRY)
- statp->retry = i;
- else
- statp->retry = RES_MAXRETRY;
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";;\tattempts=%d\n", statp->retry);
-#endif
- } else if (!strncmp(cp, "debug", sizeof("debug") - 1)) {
-#ifdef DEBUG
- if (!(statp->options & RES_DEBUG)) {
- printf(";; res_setoptions(\"%s\", \"%s\")..\n",
- options, source);
- statp->options |= RES_DEBUG;
- }
- printf(";;\tdebug\n");
-#endif
- } else if (!strncmp(cp, "no_tld_query",
- sizeof("no_tld_query") - 1) ||
- !strncmp(cp, "no-tld-query",
- sizeof("no-tld-query") - 1)) {
- statp->options |= RES_NOTLDQUERY;
- } else if (!strncmp(cp, "inet6", sizeof("inet6") - 1)) {
- statp->options |= RES_USE_INET6;
- } else if (!strncmp(cp, "rotate", sizeof("rotate") - 1)) {
- statp->options |= RES_ROTATE;
- } else if (!strncmp(cp, "no-check-names",
- sizeof("no-check-names") - 1)) {
- statp->options |= RES_NOCHECKNAME;
- }
-#ifdef RES_USE_EDNS0
- else if (!strncmp(cp, "edns0", sizeof("edns0") - 1)) {
- statp->options |= RES_USE_EDNS0;
- }
-#endif
- else if (!strncmp(cp, "dname", sizeof("dname") - 1)) {
- statp->options |= RES_USE_DNAME;
- }
- else if (!strncmp(cp, "nibble:", sizeof("nibble:") - 1)) {
- if (ext == NULL)
- goto skip;
- cp += sizeof("nibble:") - 1;
- i = MIN(strcspn(cp, " \t"), sizeof(ext->nsuffix) - 1);
- strncpy(ext->nsuffix, cp, i);
- ext->nsuffix[i] = '\0';
- }
- else if (!strncmp(cp, "nibble2:", sizeof("nibble2:") - 1)) {
- if (ext == NULL)
- goto skip;
- cp += sizeof("nibble2:") - 1;
- i = MIN(strcspn(cp, " \t"), sizeof(ext->nsuffix2) - 1);
- strncpy(ext->nsuffix2, cp, i);
- ext->nsuffix2[i] = '\0';
- }
- else if (!strncmp(cp, "v6revmode:", sizeof("v6revmode:") - 1)) {
- cp += sizeof("v6revmode:") - 1;
- /* "nibble" and "bitstring" used to be valid */
- if (!strncmp(cp, "single", sizeof("single") - 1)) {
- statp->options |= RES_NO_NIBBLE2;
- } else if (!strncmp(cp, "both", sizeof("both") - 1)) {
- statp->options &=
- ~RES_NO_NIBBLE2;
- }
- }
- else {
- /* XXX - print a warning here? */
- }
- skip:
- /* skip to next run of spaces */
- while (*cp && *cp != ' ' && *cp != '\t')
- cp++;
- }
-}
-
-#ifdef RESOLVSORT
-/* XXX - should really support CIDR which means explicit masks always. */
-static u_int32_t
-net_mask(in) /* XXX - should really use system's version of this */
- struct in_addr in;
-{
- register u_int32_t i = ntohl(in.s_addr);
-
- if (IN_CLASSA(i))
- return (htonl(IN_CLASSA_NET));
- else if (IN_CLASSB(i))
- return (htonl(IN_CLASSB_NET));
- return (htonl(IN_CLASSC_NET));
-}
-#endif
-
-u_int
-res_randomid(void) {
- struct timeval now;
-
- gettimeofday(&now, NULL);
- return (0xffff & (now.tv_sec ^ now.tv_usec ^ getpid()));
-}
-
-/*
- * This routine is for closing the socket if a virtual circuit is used and
- * the program wants to close it. This provides support for endhostent()
- * which expects to close the socket.
- *
- * This routine is not expected to be user visible.
- */
-void
-res_nclose(res_state statp) {
- int ns;
-
- if (statp->_vcsock >= 0) {
- (void) close(statp->_vcsock);
- statp->_vcsock = -1;
- statp->_flags &= ~(RES_F_VC | RES_F_CONN);
- }
- for (ns = 0; ns < statp->_u._ext.nscount; ns++) {
- if (statp->_u._ext.nssocks[ns] != -1) {
- (void) close(statp->_u._ext.nssocks[ns]);
- statp->_u._ext.nssocks[ns] = -1;
- }
- }
-}
-
-void
-res_ndestroy(res_state statp) {
- res_nclose(statp);
- if (statp->_u._ext.ext != NULL)
- free(statp->_u._ext.ext);
- statp->options &= ~RES_INIT;
- statp->_u._ext.ext = NULL;
-}
-
-const char *
-res_get_nibblesuffix(res_state statp) {
- if (statp->_u._ext.ext)
- return (statp->_u._ext.ext->nsuffix);
- return ("ip6.arpa");
-}
-
-const char *
-res_get_nibblesuffix2(res_state statp) {
- if (statp->_u._ext.ext)
- return (statp->_u._ext.ext->nsuffix2);
- return ("ip6.int");
-}
-
-void
-res_setservers(res_state statp, const union res_sockaddr_union *set, int cnt) {
- int i, nserv;
- size_t size;
-
- /* close open servers */
- res_nclose(statp);
-
- /* cause rtt times to be forgotten */
- statp->_u._ext.nscount = 0;
-
- nserv = 0;
- for (i = 0; i < cnt && nserv < MAXNS; i++) {
- switch (set->sin.sin_family) {
- case AF_INET:
- size = sizeof(set->sin);
- if (statp->_u._ext.ext)
- memcpy(&statp->_u._ext.ext->nsaddrs[nserv],
- &set->sin, size);
- if (size <= sizeof(statp->nsaddr_list[nserv]))
- memcpy(&statp->nsaddr_list[nserv],
- &set->sin, size);
- else
- statp->nsaddr_list[nserv].sin_family = 0;
- nserv++;
- break;
-
-#ifdef HAS_INET6_STRUCTS
- case AF_INET6:
- size = sizeof(set->sin6);
- if (statp->_u._ext.ext)
- memcpy(&statp->_u._ext.ext->nsaddrs[nserv],
- &set->sin6, size);
- if (size <= sizeof(statp->nsaddr_list[nserv]))
- memcpy(&statp->nsaddr_list[nserv],
- &set->sin6, size);
- else
- statp->nsaddr_list[nserv].sin_family = 0;
- nserv++;
- break;
-#endif
-
- default:
- break;
- }
- set++;
- }
- statp->nscount = nserv;
-
-}
-
-int
-res_getservers(res_state statp, union res_sockaddr_union *set, int cnt) {
- int i;
- size_t size;
- u_int16_t family;
-
- for (i = 0; i < statp->nscount && i < cnt; i++) {
- if (statp->_u._ext.ext)
- family = statp->_u._ext.ext->nsaddrs[i].sin.sin_family;
- else
- family = statp->nsaddr_list[i].sin_family;
-
- switch (family) {
- case AF_INET:
- size = sizeof(set->sin);
- if (statp->_u._ext.ext)
- memcpy(&set->sin,
- &statp->_u._ext.ext->nsaddrs[i],
- size);
- else
- memcpy(&set->sin, &statp->nsaddr_list[i],
- size);
- break;
-
-#ifdef HAS_INET6_STRUCTS
- case AF_INET6:
- size = sizeof(set->sin6);
- if (statp->_u._ext.ext)
- memcpy(&set->sin6,
- &statp->_u._ext.ext->nsaddrs[i],
- size);
- else
- memcpy(&set->sin6, &statp->nsaddr_list[i],
- size);
- break;
-#endif
-
- default:
- set->sin.sin_family = 0;
- break;
- }
- set++;
- }
- return (statp->nscount);
-}
diff --git a/contrib/bind9/lib/bind/resolv/res_mkquery.c b/contrib/bind9/lib/bind/resolv/res_mkquery.c
deleted file mode 100644
index 89000edf6ad4..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_mkquery.c
+++ /dev/null
@@ -1,256 +0,0 @@
-/*
- * Copyright (c) 1985, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)res_mkquery.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_mkquery.c,v 1.1.2.2.4.2 2004/03/16 12:34:18 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-#include <sys/types.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <string.h>
-#include "port_after.h"
-
-/* Options. Leave them on. */
-#define DEBUG
-
-extern const char *_res_opcodes[];
-
-/*
- * Form all types of queries.
- * Returns the size of the result or -1.
- */
-int
-res_nmkquery(res_state statp,
- int op, /* opcode of query */
- const char *dname, /* domain name */
- int class, int type, /* class and type of query */
- const u_char *data, /* resource record data */
- int datalen, /* length of data */
- const u_char *newrr_in, /* new rr for modify or append */
- u_char *buf, /* buffer to put query */
- int buflen) /* size of buffer */
-{
- register HEADER *hp;
- register u_char *cp, *ep;
- register int n;
- u_char *dnptrs[20], **dpp, **lastdnptr;
-
- UNUSED(newrr_in);
-
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_nmkquery(%s, %s, %s, %s)\n",
- _res_opcodes[op], dname, p_class(class), p_type(type));
-#endif
- /*
- * Initialize header fields.
- */
- if ((buf == NULL) || (buflen < HFIXEDSZ))
- return (-1);
- memset(buf, 0, HFIXEDSZ);
- hp = (HEADER *) buf;
- hp->id = htons(++statp->id);
- hp->opcode = op;
- hp->rd = (statp->options & RES_RECURSE) != 0U;
- hp->rcode = NOERROR;
- cp = buf + HFIXEDSZ;
- ep = buf + buflen;
- dpp = dnptrs;
- *dpp++ = buf;
- *dpp++ = NULL;
- lastdnptr = dnptrs + sizeof dnptrs / sizeof dnptrs[0];
- /*
- * perform opcode specific processing
- */
- switch (op) {
- case QUERY: /*FALLTHROUGH*/
- case NS_NOTIFY_OP:
- if (ep - cp < QFIXEDSZ)
- return (-1);
- if ((n = dn_comp(dname, cp, ep - cp - QFIXEDSZ, dnptrs,
- lastdnptr)) < 0)
- return (-1);
- cp += n;
- ns_put16(type, cp);
- cp += INT16SZ;
- ns_put16(class, cp);
- cp += INT16SZ;
- hp->qdcount = htons(1);
- if (op == QUERY || data == NULL)
- break;
- /*
- * Make an additional record for completion domain.
- */
- if ((ep - cp) < RRFIXEDSZ)
- return (-1);
- n = dn_comp((const char *)data, cp, ep - cp - RRFIXEDSZ,
- dnptrs, lastdnptr);
- if (n < 0)
- return (-1);
- cp += n;
- ns_put16(T_NULL, cp);
- cp += INT16SZ;
- ns_put16(class, cp);
- cp += INT16SZ;
- ns_put32(0, cp);
- cp += INT32SZ;
- ns_put16(0, cp);
- cp += INT16SZ;
- hp->arcount = htons(1);
- break;
-
- case IQUERY:
- /*
- * Initialize answer section
- */
- if (ep - cp < 1 + RRFIXEDSZ + datalen)
- return (-1);
- *cp++ = '\0'; /* no domain name */
- ns_put16(type, cp);
- cp += INT16SZ;
- ns_put16(class, cp);
- cp += INT16SZ;
- ns_put32(0, cp);
- cp += INT32SZ;
- ns_put16(datalen, cp);
- cp += INT16SZ;
- if (datalen) {
- memcpy(cp, data, datalen);
- cp += datalen;
- }
- hp->ancount = htons(1);
- break;
-
- default:
- return (-1);
- }
- return (cp - buf);
-}
-
-#ifdef RES_USE_EDNS0
-/* attach OPT pseudo-RR, as documented in RFC2671 (EDNS0). */
-#ifndef T_OPT
-#define T_OPT 41
-#endif
-
-int
-res_nopt(res_state statp,
- int n0, /* current offset in buffer */
- u_char *buf, /* buffer to put query */
- int buflen, /* size of buffer */
- int anslen) /* UDP answer buffer size */
-{
- register HEADER *hp;
- register u_char *cp, *ep;
- u_int16_t flags = 0;
-
-#ifdef DEBUG
- if ((statp->options & RES_DEBUG) != 0U)
- printf(";; res_nopt()\n");
-#endif
-
- hp = (HEADER *) buf;
- cp = buf + n0;
- ep = buf + buflen;
-
- if ((ep - cp) < 1 + RRFIXEDSZ)
- return (-1);
-
- *cp++ = 0; /* "." */
-
- ns_put16(T_OPT, cp); /* TYPE */
- cp += INT16SZ;
- ns_put16(anslen & 0xffff, cp); /* CLASS = UDP payload size */
- cp += INT16SZ;
- *cp++ = NOERROR; /* extended RCODE */
- *cp++ = 0; /* EDNS version */
- if (statp->options & RES_USE_DNSSEC) {
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_opt()... ENDS0 DNSSEC\n");
-#endif
- flags |= NS_OPT_DNSSEC_OK;
- }
- ns_put16(flags, cp);
- cp += INT16SZ;
- ns_put16(0, cp); /* RDLEN */
- cp += INT16SZ;
- hp->arcount = htons(ntohs(hp->arcount) + 1);
-
- return (cp - buf);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/resolv/res_mkupdate.c b/contrib/bind9/lib/bind/resolv/res_mkupdate.c
deleted file mode 100644
index 01078f1a51a6..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_mkupdate.c
+++ /dev/null
@@ -1,1158 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Based on the Dynamic DNS reference implementation by Viraj Bais
- * <viraj_bais@ccm.fm.intel.com>
- */
-
-#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_mkupdate.c,v 1.1.2.1.4.5 2005/10/14 05:43:47 marka Exp $";
-#endif /* not lint */
-
-#include "port_before.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <limits.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <res_update.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <ctype.h>
-
-#include "port_after.h"
-
-/* Options. Leave them on. */
-#define DEBUG
-#define MAXPORT 1024
-
-static int getnum_str(u_char **, u_char *);
-static int gethexnum_str(u_char **, u_char *);
-static int getword_str(char *, int, u_char **, u_char *);
-static int getstr_str(char *, int, u_char **, u_char *);
-
-#define ShrinkBuffer(x) if ((buflen -= x) < 0) return (-2);
-
-/* Forward. */
-
-int res_protocolnumber(const char *);
-int res_servicenumber(const char *);
-
-/*
- * Form update packets.
- * Returns the size of the resulting packet if no error
- * On error,
- * returns -1 if error in reading a word/number in rdata
- * portion for update packets
- * -2 if length of buffer passed is insufficient
- * -3 if zone section is not the first section in
- * the linked list, or section order has a problem
- * -4 on a number overflow
- * -5 unknown operation or no records
- */
-int
-res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
- ns_updrec *rrecp_start = rrecp_in;
- HEADER *hp;
- u_char *cp, *sp2, *startp, *endp;
- int n, i, soanum, multiline;
- ns_updrec *rrecp;
- struct in_addr ina;
- struct in6_addr in6a;
- char buf2[MAXDNAME];
- u_char buf3[MAXDNAME];
- int section, numrrs = 0, counts[ns_s_max];
- u_int16_t rtype, rclass;
- u_int32_t n1, rttl;
- u_char *dnptrs[20], **dpp, **lastdnptr;
- int siglen, keylen, certlen;
-
- /*
- * Initialize header fields.
- */
- if ((buf == NULL) || (buflen < HFIXEDSZ))
- return (-1);
- memset(buf, 0, HFIXEDSZ);
- hp = (HEADER *) buf;
- hp->id = htons(++statp->id);
- hp->opcode = ns_o_update;
- hp->rcode = NOERROR;
- cp = buf + HFIXEDSZ;
- buflen -= HFIXEDSZ;
- dpp = dnptrs;
- *dpp++ = buf;
- *dpp++ = NULL;
- lastdnptr = dnptrs + sizeof dnptrs / sizeof dnptrs[0];
-
- if (rrecp_start == NULL)
- return (-5);
- else if (rrecp_start->r_section != S_ZONE)
- return (-3);
-
- memset(counts, 0, sizeof counts);
- for (rrecp = rrecp_start; rrecp; rrecp = NEXT(rrecp, r_glink)) {
- numrrs++;
- section = rrecp->r_section;
- if (section < 0 || section >= ns_s_max)
- return (-1);
- counts[section]++;
- for (i = section + 1; i < ns_s_max; i++)
- if (counts[i])
- return (-3);
- rtype = rrecp->r_type;
- rclass = rrecp->r_class;
- rttl = rrecp->r_ttl;
- /* overload class and type */
- if (section == S_PREREQ) {
- rttl = 0;
- switch (rrecp->r_opcode) {
- case YXDOMAIN:
- rclass = C_ANY;
- rtype = T_ANY;
- rrecp->r_size = 0;
- break;
- case NXDOMAIN:
- rclass = C_NONE;
- rtype = T_ANY;
- rrecp->r_size = 0;
- break;
- case NXRRSET:
- rclass = C_NONE;
- rrecp->r_size = 0;
- break;
- case YXRRSET:
- if (rrecp->r_size == 0)
- rclass = C_ANY;
- break;
- default:
- fprintf(stderr,
- "res_mkupdate: incorrect opcode: %d\n",
- rrecp->r_opcode);
- fflush(stderr);
- return (-1);
- }
- } else if (section == S_UPDATE) {
- switch (rrecp->r_opcode) {
- case DELETE:
- rclass = rrecp->r_size == 0 ? C_ANY : C_NONE;
- break;
- case ADD:
- break;
- default:
- fprintf(stderr,
- "res_mkupdate: incorrect opcode: %d\n",
- rrecp->r_opcode);
- fflush(stderr);
- return (-1);
- }
- }
-
- /*
- * XXX appending default domain to owner name is omitted,
- * fqdn must be provided
- */
- if ((n = dn_comp(rrecp->r_dname, cp, buflen, dnptrs,
- lastdnptr)) < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n + 2*INT16SZ);
- PUTSHORT(rtype, cp);
- PUTSHORT(rclass, cp);
- if (section == S_ZONE) {
- if (numrrs != 1 || rrecp->r_type != T_SOA)
- return (-3);
- continue;
- }
- ShrinkBuffer(INT32SZ + INT16SZ);
- PUTLONG(rttl, cp);
- sp2 = cp; /* save pointer to length byte */
- cp += INT16SZ;
- if (rrecp->r_size == 0) {
- if (section == S_UPDATE && rclass != C_ANY)
- return (-1);
- else {
- PUTSHORT(0, sp2);
- continue;
- }
- }
- startp = rrecp->r_data;
- endp = startp + rrecp->r_size - 1;
- /* XXX this should be done centrally. */
- switch (rrecp->r_type) {
- case T_A:
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- if (!inet_aton(buf2, &ina))
- return (-1);
- n1 = ntohl(ina.s_addr);
- ShrinkBuffer(INT32SZ);
- PUTLONG(n1, cp);
- break;
- case T_CNAME:
- case T_MB:
- case T_MG:
- case T_MR:
- case T_NS:
- case T_PTR:
- case ns_t_dname:
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- break;
- case T_MINFO:
- case T_SOA:
- case T_RP:
- for (i = 0; i < 2; i++) {
- if (!getword_str(buf2, sizeof buf2, &startp,
- endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen,
- dnptrs, lastdnptr);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- }
- if (rrecp->r_type == T_SOA) {
- ShrinkBuffer(5 * INT32SZ);
- while (isspace(*startp) || !*startp)
- startp++;
- if (*startp == '(') {
- multiline = 1;
- startp++;
- } else
- multiline = 0;
- /* serial, refresh, retry, expire, minimum */
- for (i = 0; i < 5; i++) {
- soanum = getnum_str(&startp, endp);
- if (soanum < 0)
- return (-1);
- PUTLONG(soanum, cp);
- }
- if (multiline) {
- while (isspace(*startp) || !*startp)
- startp++;
- if (*startp != ')')
- return (-1);
- }
- }
- break;
- case T_MX:
- case T_AFSDB:
- case T_RT:
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- break;
- case T_SRV:
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
-
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
-
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
-
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen, NULL, NULL);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- break;
- case T_PX:
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- PUTSHORT(n, cp);
- ShrinkBuffer(INT16SZ);
- for (i = 0; i < 2; i++) {
- if (!getword_str(buf2, sizeof buf2, &startp,
- endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen, dnptrs,
- lastdnptr);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- }
- break;
- case T_WKS: {
- char bm[MAXPORT/8];
- unsigned int maxbm = 0;
-
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- if (!inet_aton(buf2, &ina))
- return (-1);
- n1 = ntohl(ina.s_addr);
- ShrinkBuffer(INT32SZ);
- PUTLONG(n1, cp);
-
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- if ((i = res_protocolnumber(buf2)) < 0)
- return (-1);
- ShrinkBuffer(1);
- *cp++ = i & 0xff;
-
- for (i = 0; i < MAXPORT/8 ; i++)
- bm[i] = 0;
-
- while (getword_str(buf2, sizeof buf2, &startp, endp)) {
- if ((n = res_servicenumber(buf2)) <= 0)
- return (-1);
-
- if (n < MAXPORT) {
- bm[n/8] |= (0x80>>(n%8));
- if ((unsigned)n > maxbm)
- maxbm = n;
- } else
- return (-1);
- }
- maxbm = maxbm/8 + 1;
- ShrinkBuffer(maxbm);
- memcpy(cp, bm, maxbm);
- cp += maxbm;
- break;
- }
- case T_HINFO:
- for (i = 0; i < 2; i++) {
- if ((n = getstr_str(buf2, sizeof buf2,
- &startp, endp)) < 0)
- return (-1);
- if (n > 255)
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- }
- break;
- case T_TXT:
- for (;;) {
- if ((n = getstr_str(buf2, sizeof buf2,
- &startp, endp)) < 0) {
- if (cp != (sp2 + INT16SZ))
- break;
- return (-1);
- }
- if (n > 255)
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- }
- break;
- case T_X25:
- /* RFC 1183 */
- if ((n = getstr_str(buf2, sizeof buf2, &startp,
- endp)) < 0)
- return (-1);
- if (n > 255)
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- break;
- case T_ISDN:
- /* RFC 1183 */
- if ((n = getstr_str(buf2, sizeof buf2, &startp,
- endp)) < 0)
- return (-1);
- if ((n > 255) || (n == 0))
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- if ((n = getstr_str(buf2, sizeof buf2, &startp,
- endp)) < 0)
- n = 0;
- if (n > 255)
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- break;
- case T_NSAP:
- if ((n = inet_nsap_addr((char *)startp, (u_char *)buf2, sizeof(buf2))) != 0) {
- ShrinkBuffer(n);
- memcpy(cp, buf2, n);
- cp += n;
- } else {
- return (-1);
- }
- break;
- case T_LOC:
- if ((n = loc_aton((char *)startp, (u_char *)buf2)) != 0) {
- ShrinkBuffer(n);
- memcpy(cp, buf2, n);
- cp += n;
- } else
- return (-1);
- break;
- case ns_t_sig:
- {
- int sig_type, success, dateerror;
- u_int32_t exptime, timesigned;
-
- /* type */
- if ((n = getword_str(buf2, sizeof buf2,
- &startp, endp)) < 0)
- return (-1);
- sig_type = sym_ston(__p_type_syms, buf2, &success);
- if (!success || sig_type == ns_t_any)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(sig_type, cp);
- /* alg */
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(1);
- *cp++ = n;
- /* labels */
- n = getnum_str(&startp, endp);
- if (n <= 0 || n > 255)
- return (-1);
- ShrinkBuffer(1);
- *cp++ = n;
- /* ottl & expire */
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- exptime = ns_datetosecs(buf2, &dateerror);
- if (!dateerror) {
- ShrinkBuffer(INT32SZ);
- PUTLONG(rttl, cp);
- }
- else {
- char *ulendp;
- u_int32_t ottl;
-
- errno = 0;
- ottl = strtoul(buf2, &ulendp, 10);
- if (errno != 0 ||
- (ulendp != NULL && *ulendp != '\0'))
- return (-1);
- ShrinkBuffer(INT32SZ);
- PUTLONG(ottl, cp);
- if (!getword_str(buf2, sizeof buf2, &startp,
- endp))
- return (-1);
- exptime = ns_datetosecs(buf2, &dateerror);
- if (dateerror)
- return (-1);
- }
- /* expire */
- ShrinkBuffer(INT32SZ);
- PUTLONG(exptime, cp);
- /* timesigned */
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- timesigned = ns_datetosecs(buf2, &dateerror);
- if (!dateerror) {
- ShrinkBuffer(INT32SZ);
- PUTLONG(timesigned, cp);
- }
- else
- return (-1);
- /* footprint */
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
- /* signer name */
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- /* sig */
- if ((n = getword_str(buf2, sizeof buf2,
- &startp, endp)) < 0)
- return (-1);
- siglen = b64_pton(buf2, buf3, sizeof(buf3));
- if (siglen < 0)
- return (-1);
- ShrinkBuffer(siglen);
- memcpy(cp, buf3, siglen);
- cp += siglen;
- break;
- }
- case ns_t_key:
- /* flags */
- n = gethexnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
- /* proto */
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(1);
- *cp++ = n;
- /* alg */
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(1);
- *cp++ = n;
- /* key */
- if ((n = getword_str(buf2, sizeof buf2,
- &startp, endp)) < 0)
- return (-1);
- keylen = b64_pton(buf2, buf3, sizeof(buf3));
- if (keylen < 0)
- return (-1);
- ShrinkBuffer(keylen);
- memcpy(cp, buf3, keylen);
- cp += keylen;
- break;
- case ns_t_nxt:
- {
- int success, nxt_type;
- u_char data[32];
- int maxtype;
-
- /* next name */
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen, NULL, NULL);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- maxtype = 0;
- memset(data, 0, sizeof data);
- for (;;) {
- if (!getword_str(buf2, sizeof buf2, &startp,
- endp))
- break;
- nxt_type = sym_ston(__p_type_syms, buf2,
- &success);
- if (!success || !ns_t_rr_p(nxt_type))
- return (-1);
- NS_NXT_BIT_SET(nxt_type, data);
- if (nxt_type > maxtype)
- maxtype = nxt_type;
- }
- n = maxtype/NS_NXT_BITS+1;
- ShrinkBuffer(n);
- memcpy(cp, data, n);
- cp += n;
- break;
- }
- case ns_t_cert:
- /* type */
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
- /* key tag */
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
- /* alg */
- n = getnum_str(&startp, endp);
- if (n < 0)
- return (-1);
- ShrinkBuffer(1);
- *cp++ = n;
- /* cert */
- if ((n = getword_str(buf2, sizeof buf2,
- &startp, endp)) < 0)
- return (-1);
- certlen = b64_pton(buf2, buf3, sizeof(buf3));
- if (certlen < 0)
- return (-1);
- ShrinkBuffer(certlen);
- memcpy(cp, buf3, certlen);
- cp += certlen;
- break;
- case ns_t_aaaa:
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- if (inet_pton(AF_INET6, buf2, &in6a) <= 0)
- return (-1);
- ShrinkBuffer(NS_IN6ADDRSZ);
- memcpy(cp, &in6a, NS_IN6ADDRSZ);
- cp += NS_IN6ADDRSZ;
- break;
- case ns_t_naptr:
- /* Order Preference Flags Service Replacement Regexp */
- /* Order */
- n = getnum_str(&startp, endp);
- if (n < 0 || n > 65535)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
- /* Preference */
- n = getnum_str(&startp, endp);
- if (n < 0 || n > 65535)
- return (-1);
- ShrinkBuffer(INT16SZ);
- PUTSHORT(n, cp);
- /* Flags */
- if ((n = getstr_str(buf2, sizeof buf2,
- &startp, endp)) < 0) {
- return (-1);
- }
- if (n > 255)
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- /* Service Classes */
- if ((n = getstr_str(buf2, sizeof buf2,
- &startp, endp)) < 0) {
- return (-1);
- }
- if (n > 255)
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- /* Pattern */
- if ((n = getstr_str(buf2, sizeof buf2,
- &startp, endp)) < 0) {
- return (-1);
- }
- if (n > 255)
- return (-1);
- ShrinkBuffer(n+1);
- *cp++ = n;
- memcpy(cp, buf2, n);
- cp += n;
- /* Replacement */
- if (!getword_str(buf2, sizeof buf2, &startp, endp))
- return (-1);
- n = dn_comp(buf2, cp, buflen, NULL, NULL);
- if (n < 0)
- return (-1);
- cp += n;
- ShrinkBuffer(n);
- break;
- default:
- return (-1);
- } /*switch*/
- n = (u_int16_t)((cp - sp2) - INT16SZ);
- PUTSHORT(n, sp2);
- } /*for*/
-
- hp->qdcount = htons(counts[0]);
- hp->ancount = htons(counts[1]);
- hp->nscount = htons(counts[2]);
- hp->arcount = htons(counts[3]);
- return (cp - buf);
-}
-
-/*
- * Get a whitespace delimited word from a string (not file)
- * into buf. modify the start pointer to point after the
- * word in the string.
- */
-static int
-getword_str(char *buf, int size, u_char **startpp, u_char *endp) {
- char *cp;
- int c;
-
- for (cp = buf; *startpp <= endp; ) {
- c = **startpp;
- if (isspace(c) || c == '\0') {
- if (cp != buf) /* trailing whitespace */
- break;
- else { /* leading whitespace */
- (*startpp)++;
- continue;
- }
- }
- (*startpp)++;
- if (cp >= buf+size-1)
- break;
- *cp++ = (u_char)c;
- }
- *cp = '\0';
- return (cp != buf);
-}
-
-/*
- * get a white spae delimited string from memory. Process quoted strings
- * and \DDD escapes. Return length or -1 on error. Returned string may
- * contain nulls.
- */
-static char digits[] = "0123456789";
-static int
-getstr_str(char *buf, int size, u_char **startpp, u_char *endp) {
- char *cp;
- int c, c1 = 0;
- int inquote = 0;
- int seen_quote = 0;
- int escape = 0;
- int dig = 0;
-
- for (cp = buf; *startpp <= endp; ) {
- if ((c = **startpp) == '\0')
- break;
- /* leading white space */
- if ((cp == buf) && !seen_quote && isspace(c)) {
- (*startpp)++;
- continue;
- }
-
- switch (c) {
- case '\\':
- if (!escape) {
- escape = 1;
- dig = 0;
- c1 = 0;
- (*startpp)++;
- continue;
- }
- goto do_escape;
- case '"':
- if (!escape) {
- inquote = !inquote;
- seen_quote = 1;
- (*startpp)++;
- continue;
- }
- /* fall through */
- default:
- do_escape:
- if (escape) {
- switch (c) {
- case '0':
- case '1':
- case '2':
- case '3':
- case '4':
- case '5':
- case '6':
- case '7':
- case '8':
- case '9':
- c1 = c1 * 10 +
- (strchr(digits, c) - digits);
-
- if (++dig == 3) {
- c = c1 &0xff;
- break;
- }
- (*startpp)++;
- continue;
- }
- escape = 0;
- } else if (!inquote && isspace(c))
- goto done;
- if (cp >= buf+size-1)
- goto done;
- *cp++ = (u_char)c;
- (*startpp)++;
- }
- }
- done:
- *cp = '\0';
- return ((cp == buf)? (seen_quote? 0: -1): (cp - buf));
-}
-/*
- * Get a whitespace delimited base 16 number from a string (not file) into buf
- * update the start pointer to point after the number in the string.
- */
-static int
-gethexnum_str(u_char **startpp, u_char *endp) {
- int c, n;
- int seendigit = 0;
- int m = 0;
-
- if (*startpp + 2 >= endp || strncasecmp((char *)*startpp, "0x", 2) != 0)
- return getnum_str(startpp, endp);
- (*startpp)+=2;
- for (n = 0; *startpp <= endp; ) {
- c = **startpp;
- if (isspace(c) || c == '\0') {
- if (seendigit) /* trailing whitespace */
- break;
- else { /* leading whitespace */
- (*startpp)++;
- continue;
- }
- }
- if (c == ';') {
- while ((*startpp <= endp) &&
- ((c = **startpp) != '\n'))
- (*startpp)++;
- if (seendigit)
- break;
- continue;
- }
- if (!isxdigit(c)) {
- if (c == ')' && seendigit) {
- (*startpp)--;
- break;
- }
- return (-1);
- }
- (*startpp)++;
- if (isdigit(c))
- n = n * 16 + (c - '0');
- else
- n = n * 16 + (tolower(c) - 'a' + 10);
- seendigit = 1;
- }
- return (n + m);
-}
-
-/*
- * Get a whitespace delimited base 10 number from a string (not file) into buf
- * update the start pointer to point after the number in the string.
- */
-static int
-getnum_str(u_char **startpp, u_char *endp) {
- int c, n;
- int seendigit = 0;
- int m = 0;
-
- for (n = 0; *startpp <= endp; ) {
- c = **startpp;
- if (isspace(c) || c == '\0') {
- if (seendigit) /* trailing whitespace */
- break;
- else { /* leading whitespace */
- (*startpp)++;
- continue;
- }
- }
- if (c == ';') {
- while ((*startpp <= endp) &&
- ((c = **startpp) != '\n'))
- (*startpp)++;
- if (seendigit)
- break;
- continue;
- }
- if (!isdigit(c)) {
- if (c == ')' && seendigit) {
- (*startpp)--;
- break;
- }
- return (-1);
- }
- (*startpp)++;
- n = n * 10 + (c - '0');
- seendigit = 1;
- }
- return (n + m);
-}
-
-/*
- * Allocate a resource record buffer & save rr info.
- */
-ns_updrec *
-res_mkupdrec(int section, const char *dname,
- u_int class, u_int type, u_long ttl) {
- ns_updrec *rrecp = (ns_updrec *)calloc(1, sizeof(ns_updrec));
-
- if (!rrecp || !(rrecp->r_dname = strdup(dname))) {
- if (rrecp)
- free((char *)rrecp);
- return (NULL);
- }
- INIT_LINK(rrecp, r_link);
- INIT_LINK(rrecp, r_glink);
- rrecp->r_class = (ns_class)class;
- rrecp->r_type = (ns_type)type;
- rrecp->r_ttl = ttl;
- rrecp->r_section = (ns_sect)section;
- return (rrecp);
-}
-
-/*
- * Free a resource record buffer created by res_mkupdrec.
- */
-void
-res_freeupdrec(ns_updrec *rrecp) {
- /* Note: freeing r_dp is the caller's responsibility. */
- if (rrecp->r_dname != NULL)
- free(rrecp->r_dname);
- free(rrecp);
-}
-
-struct valuelist {
- struct valuelist * next;
- struct valuelist * prev;
- char * name;
- char * proto;
- int port;
-};
-static struct valuelist *servicelist, *protolist;
-
-static void
-res_buildservicelist() {
- struct servent *sp;
- struct valuelist *slp;
-
-#ifdef MAYBE_HESIOD
- setservent(0);
-#else
- setservent(1);
-#endif
- while ((sp = getservent()) != NULL) {
- slp = (struct valuelist *)malloc(sizeof(struct valuelist));
- if (!slp)
- break;
- slp->name = strdup(sp->s_name);
- slp->proto = strdup(sp->s_proto);
- if ((slp->name == NULL) || (slp->proto == NULL)) {
- if (slp->name) free(slp->name);
- if (slp->proto) free(slp->proto);
- free(slp);
- break;
- }
- slp->port = ntohs((u_int16_t)sp->s_port); /* host byt order */
- slp->next = servicelist;
- slp->prev = NULL;
- if (servicelist)
- servicelist->prev = slp;
- servicelist = slp;
- }
- endservent();
-}
-
-void
-res_destroyservicelist() {
- struct valuelist *slp, *slp_next;
-
- for (slp = servicelist; slp != NULL; slp = slp_next) {
- slp_next = slp->next;
- free(slp->name);
- free(slp->proto);
- free(slp);
- }
- servicelist = (struct valuelist *)0;
-}
-
-void
-res_buildprotolist(void) {
- struct protoent *pp;
- struct valuelist *slp;
-
-#ifdef MAYBE_HESIOD
- setprotoent(0);
-#else
- setprotoent(1);
-#endif
- while ((pp = getprotoent()) != NULL) {
- slp = (struct valuelist *)malloc(sizeof(struct valuelist));
- if (!slp)
- break;
- slp->name = strdup(pp->p_name);
- if (slp->name == NULL) {
- free(slp);
- break;
- }
- slp->port = pp->p_proto; /* host byte order */
- slp->next = protolist;
- slp->prev = NULL;
- if (protolist)
- protolist->prev = slp;
- protolist = slp;
- }
- endprotoent();
-}
-
-void
-res_destroyprotolist(void) {
- struct valuelist *plp, *plp_next;
-
- for (plp = protolist; plp != NULL; plp = plp_next) {
- plp_next = plp->next;
- free(plp->name);
- free(plp);
- }
- protolist = (struct valuelist *)0;
-}
-
-static int
-findservice(const char *s, struct valuelist **list) {
- struct valuelist *lp = *list;
- int n;
-
- for (; lp != NULL; lp = lp->next)
- if (strcasecmp(lp->name, s) == 0) {
- if (lp != *list) {
- lp->prev->next = lp->next;
- if (lp->next)
- lp->next->prev = lp->prev;
- (*list)->prev = lp;
- lp->next = *list;
- *list = lp;
- }
- return (lp->port); /* host byte order */
- }
- if (sscanf(s, "%d", &n) != 1 || n <= 0)
- n = -1;
- return (n);
-}
-
-/*
- * Convert service name or (ascii) number to int.
- */
-int
-res_servicenumber(const char *p) {
- if (servicelist == (struct valuelist *)0)
- res_buildservicelist();
- return (findservice(p, &servicelist));
-}
-
-/*
- * Convert protocol name or (ascii) number to int.
- */
-int
-res_protocolnumber(const char *p) {
- if (protolist == (struct valuelist *)0)
- res_buildprotolist();
- return (findservice(p, &protolist));
-}
-
-static struct servent *
-cgetservbyport(u_int16_t port, const char *proto) { /* Host byte order. */
- struct valuelist **list = &servicelist;
- struct valuelist *lp = *list;
- static struct servent serv;
-
- port = ntohs(port);
- for (; lp != NULL; lp = lp->next) {
- if (port != (u_int16_t)lp->port) /* Host byte order. */
- continue;
- if (strcasecmp(lp->proto, proto) == 0) {
- if (lp != *list) {
- lp->prev->next = lp->next;
- if (lp->next)
- lp->next->prev = lp->prev;
- (*list)->prev = lp;
- lp->next = *list;
- *list = lp;
- }
- serv.s_name = lp->name;
- serv.s_port = htons((u_int16_t)lp->port);
- serv.s_proto = lp->proto;
- return (&serv);
- }
- }
- return (0);
-}
-
-static struct protoent *
-cgetprotobynumber(int proto) { /* Host byte order. */
- struct valuelist **list = &protolist;
- struct valuelist *lp = *list;
- static struct protoent prot;
-
- for (; lp != NULL; lp = lp->next)
- if (lp->port == proto) { /* Host byte order. */
- if (lp != *list) {
- lp->prev->next = lp->next;
- if (lp->next)
- lp->next->prev = lp->prev;
- (*list)->prev = lp;
- lp->next = *list;
- *list = lp;
- }
- prot.p_name = lp->name;
- prot.p_proto = lp->port; /* Host byte order. */
- return (&prot);
- }
- return (0);
-}
-
-const char *
-res_protocolname(int num) {
- static char number[8];
- struct protoent *pp;
-
- if (protolist == (struct valuelist *)0)
- res_buildprotolist();
- pp = cgetprotobynumber(num);
- if (pp == 0) {
- (void) sprintf(number, "%d", num);
- return (number);
- }
- return (pp->p_name);
-}
-
-const char *
-res_servicename(u_int16_t port, const char *proto) { /* Host byte order. */
- static char number[8];
- struct servent *ss;
-
- if (servicelist == (struct valuelist *)0)
- res_buildservicelist();
- ss = cgetservbyport(htons(port), proto);
- if (ss == 0) {
- (void) sprintf(number, "%d", port);
- return (number);
- }
- return (ss->s_name);
-}
diff --git a/contrib/bind9/lib/bind/resolv/res_mkupdate.h b/contrib/bind9/lib/bind/resolv/res_mkupdate.h
deleted file mode 100644
index a8f1e7ce951d..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_mkupdate.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1998,1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _RES_MKUPDATE_H_
-#define _RES_MKUPDATE_H_
-
-__BEGIN_DECLS
-__END_DECLS
-
-#endif /* _RES_MKUPDATE_H_ */
diff --git a/contrib/bind9/lib/bind/resolv/res_private.h b/contrib/bind9/lib/bind/resolv/res_private.h
deleted file mode 100644
index d7b66cd691bc..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_private.h
+++ /dev/null
@@ -1,20 +0,0 @@
-#ifndef res_private_h
-#define res_private_h
-
-struct __res_state_ext {
- union res_sockaddr_union nsaddrs[MAXNS];
- struct sort_list {
- int af;
- union {
- struct in_addr ina;
- struct in6_addr in6a;
- } addr, mask;
- } sort_list[MAXRESOLVSORT];
- char nsuffix[64];
- char nsuffix2[64];
-};
-
-extern int
-res_ourserver_p(const res_state statp, const struct sockaddr *sa);
-
-#endif
diff --git a/contrib/bind9/lib/bind/resolv/res_query.c b/contrib/bind9/lib/bind/resolv/res_query.c
deleted file mode 100644
index 5156ce84c086..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_query.c
+++ /dev/null
@@ -1,432 +0,0 @@
-/*
- * Copyright (c) 1988, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)res_query.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_query.c,v 1.2.2.3.4.2 2004/03/16 12:34:19 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include "port_before.h"
-#include <sys/types.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#include <ctype.h>
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "port_after.h"
-
-/* Options. Leave them on. */
-#define DEBUG
-
-#if PACKETSZ > 1024
-#define MAXPACKET PACKETSZ
-#else
-#define MAXPACKET 1024
-#endif
-
-/*
- * Formulate a normal query, send, and await answer.
- * Returned answer is placed in supplied buffer "answer".
- * Perform preliminary check of answer, returning success only
- * if no error is indicated and the answer count is nonzero.
- * Return the size of the response on success, -1 on error.
- * Error number is left in H_ERRNO.
- *
- * Caller must parse answer and determine whether it answers the question.
- */
-int
-res_nquery(res_state statp,
- const char *name, /* domain name */
- int class, int type, /* class and type of query */
- u_char *answer, /* buffer to put answer */
- int anslen) /* size of answer buffer */
-{
- u_char buf[MAXPACKET];
- HEADER *hp = (HEADER *) answer;
- int n;
- u_int oflags;
-
- oflags = statp->_flags;
-
-again:
- hp->rcode = NOERROR; /* default */
-
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_query(%s, %d, %d)\n", name, class, type);
-#endif
-
- n = res_nmkquery(statp, QUERY, name, class, type, NULL, 0, NULL,
- buf, sizeof(buf));
-#ifdef RES_USE_EDNS0
- if (n > 0 && (statp->_flags & RES_F_EDNS0ERR) == 0 &&
- (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0U)
- n = res_nopt(statp, n, buf, sizeof(buf), anslen);
-#endif
- if (n <= 0) {
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_query: mkquery failed\n");
-#endif
- RES_SET_H_ERRNO(statp, NO_RECOVERY);
- return (n);
- }
- n = res_nsend(statp, buf, n, answer, anslen);
- if (n < 0) {
-#ifdef RES_USE_EDNS0
- /* if the query choked with EDNS0, retry without EDNS0 */
- if ((statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0U &&
- ((oflags ^ statp->_flags) & RES_F_EDNS0ERR) != 0) {
- statp->_flags |= RES_F_EDNS0ERR;
- if (statp->options & RES_DEBUG)
- printf(";; res_nquery: retry without EDNS0\n");
- goto again;
- }
-#endif
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_query: send error\n");
-#endif
- RES_SET_H_ERRNO(statp, TRY_AGAIN);
- return (n);
- }
-
- if (hp->rcode != NOERROR || ntohs(hp->ancount) == 0) {
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; rcode = (%s), counts = an:%d ns:%d ar:%d\n",
- p_rcode(hp->rcode),
- ntohs(hp->ancount),
- ntohs(hp->nscount),
- ntohs(hp->arcount));
-#endif
- switch (hp->rcode) {
- case NXDOMAIN:
- RES_SET_H_ERRNO(statp, HOST_NOT_FOUND);
- break;
- case SERVFAIL:
- RES_SET_H_ERRNO(statp, TRY_AGAIN);
- break;
- case NOERROR:
- RES_SET_H_ERRNO(statp, NO_DATA);
- break;
- case FORMERR:
- case NOTIMP:
- case REFUSED:
- default:
- RES_SET_H_ERRNO(statp, NO_RECOVERY);
- break;
- }
- return (-1);
- }
- return (n);
-}
-
-/*
- * Formulate a normal query, send, and retrieve answer in supplied buffer.
- * Return the size of the response on success, -1 on error.
- * If enabled, implement search rules until answer or unrecoverable failure
- * is detected. Error code, if any, is left in H_ERRNO.
- */
-int
-res_nsearch(res_state statp,
- const char *name, /* domain name */
- int class, int type, /* class and type of query */
- u_char *answer, /* buffer to put answer */
- int anslen) /* size of answer */
-{
- const char *cp, * const *domain;
- HEADER *hp = (HEADER *) answer;
- char tmp[NS_MAXDNAME];
- u_int dots;
- int trailing_dot, ret, saved_herrno;
- int got_nodata = 0, got_servfail = 0, root_on_list = 0;
- int tried_as_is = 0;
- int searched = 0;
-
- errno = 0;
- RES_SET_H_ERRNO(statp, HOST_NOT_FOUND); /* True if we never query. */
-
- dots = 0;
- for (cp = name; *cp != '\0'; cp++)
- dots += (*cp == '.');
- trailing_dot = 0;
- if (cp > name && *--cp == '.')
- trailing_dot++;
-
- /* If there aren't any dots, it could be a user-level alias. */
- if (!dots && (cp = res_hostalias(statp, name, tmp, sizeof tmp))!= NULL)
- return (res_nquery(statp, cp, class, type, answer, anslen));
-
- /*
- * If there are enough dots in the name, let's just give it a
- * try 'as is'. The threshold can be set with the "ndots" option.
- * Also, query 'as is', if there is a trailing dot in the name.
- */
- saved_herrno = -1;
- if (dots >= statp->ndots || trailing_dot) {
- ret = res_nquerydomain(statp, name, NULL, class, type,
- answer, anslen);
- if (ret > 0 || trailing_dot)
- return (ret);
- saved_herrno = statp->res_h_errno;
- tried_as_is++;
- }
-
- /*
- * We do at least one level of search if
- * - there is no dot and RES_DEFNAME is set, or
- * - there is at least one dot, there is no trailing dot,
- * and RES_DNSRCH is set.
- */
- if ((!dots && (statp->options & RES_DEFNAMES) != 0U) ||
- (dots && !trailing_dot && (statp->options & RES_DNSRCH) != 0U)) {
- int done = 0;
-
- for (domain = (const char * const *)statp->dnsrch;
- *domain && !done;
- domain++) {
- searched = 1;
-
- if (domain[0][0] == '\0' ||
- (domain[0][0] == '.' && domain[0][1] == '\0'))
- root_on_list++;
-
- ret = res_nquerydomain(statp, name, *domain,
- class, type,
- answer, anslen);
- if (ret > 0)
- return (ret);
-
- /*
- * If no server present, give up.
- * If name isn't found in this domain,
- * keep trying higher domains in the search list
- * (if that's enabled).
- * On a NO_DATA error, keep trying, otherwise
- * a wildcard entry of another type could keep us
- * from finding this entry higher in the domain.
- * If we get some other error (negative answer or
- * server failure), then stop searching up,
- * but try the input name below in case it's
- * fully-qualified.
- */
- if (errno == ECONNREFUSED) {
- RES_SET_H_ERRNO(statp, TRY_AGAIN);
- return (-1);
- }
-
- switch (statp->res_h_errno) {
- case NO_DATA:
- got_nodata++;
- /* FALLTHROUGH */
- case HOST_NOT_FOUND:
- /* keep trying */
- break;
- case TRY_AGAIN:
- if (hp->rcode == SERVFAIL) {
- /* try next search element, if any */
- got_servfail++;
- break;
- }
- /* FALLTHROUGH */
- default:
- /* anything else implies that we're done */
- done++;
- }
-
- /* if we got here for some reason other than DNSRCH,
- * we only wanted one iteration of the loop, so stop.
- */
- if ((statp->options & RES_DNSRCH) == 0U)
- done++;
- }
- }
-
- /*
- * If the query has not already been tried as is then try it
- * unless RES_NOTLDQUERY is set and there were no dots.
- */
- if ((dots || !searched || (statp->options & RES_NOTLDQUERY) == 0U) &&
- !(tried_as_is || root_on_list)) {
- ret = res_nquerydomain(statp, name, NULL, class, type,
- answer, anslen);
- if (ret > 0)
- return (ret);
- }
-
- /* if we got here, we didn't satisfy the search.
- * if we did an initial full query, return that query's H_ERRNO
- * (note that we wouldn't be here if that query had succeeded).
- * else if we ever got a nodata, send that back as the reason.
- * else send back meaningless H_ERRNO, that being the one from
- * the last DNSRCH we did.
- */
- if (saved_herrno != -1)
- RES_SET_H_ERRNO(statp, saved_herrno);
- else if (got_nodata)
- RES_SET_H_ERRNO(statp, NO_DATA);
- else if (got_servfail)
- RES_SET_H_ERRNO(statp, TRY_AGAIN);
- return (-1);
-}
-
-/*
- * Perform a call on res_query on the concatenation of name and domain,
- * removing a trailing dot from name if domain is NULL.
- */
-int
-res_nquerydomain(res_state statp,
- const char *name,
- const char *domain,
- int class, int type, /* class and type of query */
- u_char *answer, /* buffer to put answer */
- int anslen) /* size of answer */
-{
- char nbuf[MAXDNAME];
- const char *longname = nbuf;
- int n, d;
-
-#ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_nquerydomain(%s, %s, %d, %d)\n",
- name, domain?domain:"<Nil>", class, type);
-#endif
- if (domain == NULL) {
- /*
- * Check for trailing '.';
- * copy without '.' if present.
- */
- n = strlen(name);
- if (n >= MAXDNAME) {
- RES_SET_H_ERRNO(statp, NO_RECOVERY);
- return (-1);
- }
- n--;
- if (n >= 0 && name[n] == '.') {
- strncpy(nbuf, name, n);
- nbuf[n] = '\0';
- } else
- longname = name;
- } else {
- n = strlen(name);
- d = strlen(domain);
- if (n + d + 1 >= MAXDNAME) {
- RES_SET_H_ERRNO(statp, NO_RECOVERY);
- return (-1);
- }
- sprintf(nbuf, "%s.%s", name, domain);
- }
- return (res_nquery(statp, longname, class, type, answer, anslen));
-}
-
-const char *
-res_hostalias(const res_state statp, const char *name, char *dst, size_t siz) {
- char *file, *cp1, *cp2;
- char buf[BUFSIZ];
- FILE *fp;
-
- if (statp->options & RES_NOALIASES)
- return (NULL);
- file = getenv("HOSTALIASES");
- if (file == NULL || (fp = fopen(file, "r")) == NULL)
- return (NULL);
- setbuf(fp, NULL);
- buf[sizeof(buf) - 1] = '\0';
- while (fgets(buf, sizeof(buf), fp)) {
- for (cp1 = buf; *cp1 && !isspace((unsigned char)*cp1); ++cp1)
- ;
- if (!*cp1)
- break;
- *cp1 = '\0';
- if (ns_samename(buf, name) == 1) {
- while (isspace((unsigned char)*++cp1))
- ;
- if (!*cp1)
- break;
- for (cp2 = cp1 + 1; *cp2 &&
- !isspace((unsigned char)*cp2); ++cp2)
- ;
- *cp2 = '\0';
- strncpy(dst, cp1, siz - 1);
- dst[siz - 1] = '\0';
- fclose(fp);
- return (dst);
- }
- }
- fclose(fp);
- return (NULL);
-}
diff --git a/contrib/bind9/lib/bind/resolv/res_send.c b/contrib/bind9/lib/bind/resolv/res_send.c
deleted file mode 100644
index 5be248932596..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_send.c
+++ /dev/null
@@ -1,1088 +0,0 @@
-/*
- * Copyright (c) 1985, 1989, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-/*
- * Copyright (c) 2005 by Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)res_send.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.7 2005/08/15 02:04:41 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-/*
- * Send query to name server and wait for reply.
- */
-
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <isc/eventlib.h>
-
-#include "port_after.h"
-
-#ifdef USE_POLL
-#ifdef HAVE_STROPTS_H
-#include <stropts.h>
-#endif
-#include <poll.h>
-#endif /* USE_POLL */
-
-/* Options. Leave them on. */
-#define DEBUG
-#include "res_debug.h"
-#include "res_private.h"
-
-#define EXT(res) ((res)->_u._ext)
-
-#ifndef USE_POLL
-static const int highestFD = FD_SETSIZE - 1;
-#else
-static int highestFD = 0;
-#endif
-
-/* Forward. */
-
-static int get_salen __P((const struct sockaddr *));
-static struct sockaddr * get_nsaddr __P((res_state, size_t));
-static int send_vc(res_state, const u_char *, int,
- u_char *, int, int *, int);
-static int send_dg(res_state, const u_char *, int,
- u_char *, int, int *, int,
- int *, int *);
-static void Aerror(const res_state, FILE *, const char *, int,
- const struct sockaddr *, int);
-static void Perror(const res_state, FILE *, const char *, int);
-static int sock_eq(struct sockaddr *, struct sockaddr *);
-#if defined(NEED_PSELECT) && !defined(USE_POLL)
-static int pselect(int, void *, void *, void *,
- struct timespec *,
- const sigset_t *);
-#endif
-void res_pquery(const res_state, const u_char *, int, FILE *);
-
-static const int niflags = NI_NUMERICHOST | NI_NUMERICSERV;
-
-/* Public. */
-
-/* int
- * res_isourserver(ina)
- * looks up "ina" in _res.ns_addr_list[]
- * returns:
- * 0 : not found
- * >0 : found
- * author:
- * paul vixie, 29may94
- */
-int
-res_ourserver_p(const res_state statp, const struct sockaddr *sa) {
- const struct sockaddr_in *inp, *srv;
- const struct sockaddr_in6 *in6p, *srv6;
- int ns;
-
- switch (sa->sa_family) {
- case AF_INET:
- inp = (const struct sockaddr_in *)sa;
- for (ns = 0; ns < statp->nscount; ns++) {
- srv = (struct sockaddr_in *)get_nsaddr(statp, ns);
- if (srv->sin_family == inp->sin_family &&
- srv->sin_port == inp->sin_port &&
- (srv->sin_addr.s_addr == INADDR_ANY ||
- srv->sin_addr.s_addr == inp->sin_addr.s_addr))
- return (1);
- }
- break;
- case AF_INET6:
- if (EXT(statp).ext == NULL)
- break;
- in6p = (const struct sockaddr_in6 *)sa;
- for (ns = 0; ns < statp->nscount; ns++) {
- srv6 = (struct sockaddr_in6 *)get_nsaddr(statp, ns);
- if (srv6->sin6_family == in6p->sin6_family &&
- srv6->sin6_port == in6p->sin6_port &&
-#ifdef HAVE_SIN6_SCOPE_ID
- (srv6->sin6_scope_id == 0 ||
- srv6->sin6_scope_id == in6p->sin6_scope_id) &&
-#endif
- (IN6_IS_ADDR_UNSPECIFIED(&srv6->sin6_addr) ||
- IN6_ARE_ADDR_EQUAL(&srv6->sin6_addr, &in6p->sin6_addr)))
- return (1);
- }
- break;
- default:
- break;
- }
- return (0);
-}
-
-/* int
- * res_nameinquery(name, type, class, buf, eom)
- * look for (name,type,class) in the query section of packet (buf,eom)
- * requires:
- * buf + HFIXEDSZ <= eom
- * returns:
- * -1 : format error
- * 0 : not found
- * >0 : found
- * author:
- * paul vixie, 29may94
- */
-int
-res_nameinquery(const char *name, int type, int class,
- const u_char *buf, const u_char *eom)
-{
- const u_char *cp = buf + HFIXEDSZ;
- int qdcount = ntohs(((const HEADER*)buf)->qdcount);
-
- while (qdcount-- > 0) {
- char tname[MAXDNAME+1];
- int n, ttype, tclass;
-
- n = dn_expand(buf, eom, cp, tname, sizeof tname);
- if (n < 0)
- return (-1);
- cp += n;
- if (cp + 2 * INT16SZ > eom)
- return (-1);
- ttype = ns_get16(cp); cp += INT16SZ;
- tclass = ns_get16(cp); cp += INT16SZ;
- if (ttype == type && tclass == class &&
- ns_samename(tname, name) == 1)
- return (1);
- }
- return (0);
-}
-
-/* int
- * res_queriesmatch(buf1, eom1, buf2, eom2)
- * is there a 1:1 mapping of (name,type,class)
- * in (buf1,eom1) and (buf2,eom2)?
- * returns:
- * -1 : format error
- * 0 : not a 1:1 mapping
- * >0 : is a 1:1 mapping
- * author:
- * paul vixie, 29may94
- */
-int
-res_queriesmatch(const u_char *buf1, const u_char *eom1,
- const u_char *buf2, const u_char *eom2)
-{
- const u_char *cp = buf1 + HFIXEDSZ;
- int qdcount = ntohs(((const HEADER*)buf1)->qdcount);
-
- if (buf1 + HFIXEDSZ > eom1 || buf2 + HFIXEDSZ > eom2)
- return (-1);
-
- /*
- * Only header section present in replies to
- * dynamic update packets.
- */
- if ((((const HEADER *)buf1)->opcode == ns_o_update) &&
- (((const HEADER *)buf2)->opcode == ns_o_update))
- return (1);
-
- if (qdcount != ntohs(((const HEADER*)buf2)->qdcount))
- return (0);
- while (qdcount-- > 0) {
- char tname[MAXDNAME+1];
- int n, ttype, tclass;
-
- n = dn_expand(buf1, eom1, cp, tname, sizeof tname);
- if (n < 0)
- return (-1);
- cp += n;
- if (cp + 2 * INT16SZ > eom1)
- return (-1);
- ttype = ns_get16(cp); cp += INT16SZ;
- tclass = ns_get16(cp); cp += INT16SZ;
- if (!res_nameinquery(tname, ttype, tclass, buf2, eom2))
- return (0);
- }
- return (1);
-}
-
-int
-res_nsend(res_state statp,
- const u_char *buf, int buflen, u_char *ans, int anssiz)
-{
- int gotsomewhere, terrno, try, v_circuit, resplen, ns, n;
- char abuf[NI_MAXHOST];
-
-#ifdef USE_POLL
- highestFD = sysconf(_SC_OPEN_MAX) - 1;
-#endif
-
- if (statp->nscount == 0) {
- errno = ESRCH;
- return (-1);
- }
- if (anssiz < HFIXEDSZ) {
- errno = EINVAL;
- return (-1);
- }
- DprintQ((statp->options & RES_DEBUG) || (statp->pfcode & RES_PRF_QUERY),
- (stdout, ";; res_send()\n"), buf, buflen);
- v_circuit = (statp->options & RES_USEVC) || buflen > PACKETSZ;
- gotsomewhere = 0;
- terrno = ETIMEDOUT;
-
- /*
- * If the ns_addr_list in the resolver context has changed, then
- * invalidate our cached copy and the associated timing data.
- */
- if (EXT(statp).nscount != 0) {
- int needclose = 0;
- struct sockaddr_storage peer;
- ISC_SOCKLEN_T peerlen;
-
- if (EXT(statp).nscount != statp->nscount)
- needclose++;
- else
- for (ns = 0; ns < statp->nscount; ns++) {
- if (statp->nsaddr_list[ns].sin_family &&
- !sock_eq((struct sockaddr *)&statp->nsaddr_list[ns],
- (struct sockaddr *)&EXT(statp).ext->nsaddrs[ns])) {
- needclose++;
- break;
- }
-
- if (EXT(statp).nssocks[ns] == -1)
- continue;
- peerlen = sizeof(peer);
- if (getsockname(EXT(statp).nssocks[ns],
- (struct sockaddr *)&peer, &peerlen) < 0) {
- needclose++;
- break;
- }
- if (!sock_eq((struct sockaddr *)&peer,
- get_nsaddr(statp, ns))) {
- needclose++;
- break;
- }
- }
- if (needclose) {
- res_nclose(statp);
- EXT(statp).nscount = 0;
- }
- }
-
- /*
- * Maybe initialize our private copy of the ns_addr_list.
- */
- if (EXT(statp).nscount == 0) {
- for (ns = 0; ns < statp->nscount; ns++) {
- EXT(statp).nstimes[ns] = RES_MAXTIME;
- EXT(statp).nssocks[ns] = -1;
- if (!statp->nsaddr_list[ns].sin_family)
- continue;
- EXT(statp).ext->nsaddrs[ns].sin =
- statp->nsaddr_list[ns];
- }
- EXT(statp).nscount = statp->nscount;
- }
-
- /*
- * Some resolvers want to even out the load on their nameservers.
- * Note that RES_BLAST overrides RES_ROTATE.
- */
- if ((statp->options & RES_ROTATE) != 0U &&
- (statp->options & RES_BLAST) == 0U) {
- union res_sockaddr_union inu;
- struct sockaddr_in ina;
- int lastns = statp->nscount - 1;
- int fd;
- u_int16_t nstime;
-
- if (EXT(statp).ext != NULL)
- inu = EXT(statp).ext->nsaddrs[0];
- ina = statp->nsaddr_list[0];
- fd = EXT(statp).nssocks[0];
- nstime = EXT(statp).nstimes[0];
- for (ns = 0; ns < lastns; ns++) {
- if (EXT(statp).ext != NULL)
- EXT(statp).ext->nsaddrs[ns] =
- EXT(statp).ext->nsaddrs[ns + 1];
- statp->nsaddr_list[ns] = statp->nsaddr_list[ns + 1];
- EXT(statp).nssocks[ns] = EXT(statp).nssocks[ns + 1];
- EXT(statp).nstimes[ns] = EXT(statp).nstimes[ns + 1];
- }
- if (EXT(statp).ext != NULL)
- EXT(statp).ext->nsaddrs[lastns] = inu;
- statp->nsaddr_list[lastns] = ina;
- EXT(statp).nssocks[lastns] = fd;
- EXT(statp).nstimes[lastns] = nstime;
- }
-
- /*
- * Send request, RETRY times, or until successful.
- */
- for (try = 0; try < statp->retry; try++) {
- for (ns = 0; ns < statp->nscount; ns++) {
- struct sockaddr *nsap;
- int nsaplen;
- nsap = get_nsaddr(statp, ns);
- nsaplen = get_salen(nsap);
- statp->_flags &= ~RES_F_LASTMASK;
- statp->_flags |= (ns << RES_F_LASTSHIFT);
- same_ns:
- if (statp->qhook) {
- int done = 0, loops = 0;
-
- do {
- res_sendhookact act;
-
- act = (*statp->qhook)(&nsap, &buf, &buflen,
- ans, anssiz, &resplen);
- switch (act) {
- case res_goahead:
- done = 1;
- break;
- case res_nextns:
- res_nclose(statp);
- goto next_ns;
- case res_done:
- return (resplen);
- case res_modified:
- /* give the hook another try */
- if (++loops < 42) /*doug adams*/
- break;
- /*FALLTHROUGH*/
- case res_error:
- /*FALLTHROUGH*/
- default:
- goto fail;
- }
- } while (!done);
- }
-
- Dprint(((statp->options & RES_DEBUG) &&
- getnameinfo(nsap, nsaplen, abuf, sizeof(abuf),
- NULL, 0, niflags) == 0),
- (stdout, ";; Querying server (# %d) address = %s\n",
- ns + 1, abuf));
-
-
- if (v_circuit) {
- /* Use VC; at most one attempt per server. */
- try = statp->retry;
- n = send_vc(statp, buf, buflen, ans, anssiz, &terrno,
- ns);
- if (n < 0)
- goto fail;
- if (n == 0)
- goto next_ns;
- resplen = n;
- } else {
- /* Use datagrams. */
- n = send_dg(statp, buf, buflen, ans, anssiz, &terrno,
- ns, &v_circuit, &gotsomewhere);
- if (n < 0)
- goto fail;
- if (n == 0)
- goto next_ns;
- if (v_circuit)
- goto same_ns;
- resplen = n;
- }
-
- Dprint((statp->options & RES_DEBUG) ||
- ((statp->pfcode & RES_PRF_REPLY) &&
- (statp->pfcode & RES_PRF_HEAD1)),
- (stdout, ";; got answer:\n"));
-
- DprintQ((statp->options & RES_DEBUG) ||
- (statp->pfcode & RES_PRF_REPLY),
- (stdout, "%s", ""),
- ans, (resplen > anssiz) ? anssiz : resplen);
-
- /*
- * If we have temporarily opened a virtual circuit,
- * or if we haven't been asked to keep a socket open,
- * close the socket.
- */
- if ((v_circuit && (statp->options & RES_USEVC) == 0U) ||
- (statp->options & RES_STAYOPEN) == 0U) {
- res_nclose(statp);
- }
- if (statp->rhook) {
- int done = 0, loops = 0;
-
- do {
- res_sendhookact act;
-
- act = (*statp->rhook)(nsap, buf, buflen,
- ans, anssiz, &resplen);
- switch (act) {
- case res_goahead:
- case res_done:
- done = 1;
- break;
- case res_nextns:
- res_nclose(statp);
- goto next_ns;
- case res_modified:
- /* give the hook another try */
- if (++loops < 42) /*doug adams*/
- break;
- /*FALLTHROUGH*/
- case res_error:
- /*FALLTHROUGH*/
- default:
- goto fail;
- }
- } while (!done);
-
- }
- return (resplen);
- next_ns: ;
- } /*foreach ns*/
- } /*foreach retry*/
- res_nclose(statp);
- if (!v_circuit) {
- if (!gotsomewhere)
- errno = ECONNREFUSED; /* no nameservers found */
- else
- errno = ETIMEDOUT; /* no answer obtained */
- } else
- errno = terrno;
- return (-1);
- fail:
- res_nclose(statp);
- return (-1);
-}
-
-/* Private */
-
-static int
-get_salen(sa)
- const struct sockaddr *sa;
-{
-
-#ifdef HAVE_SA_LEN
- /* There are people do not set sa_len. Be forgiving to them. */
- if (sa->sa_len)
- return (sa->sa_len);
-#endif
-
- if (sa->sa_family == AF_INET)
- return (sizeof(struct sockaddr_in));
- else if (sa->sa_family == AF_INET6)
- return (sizeof(struct sockaddr_in6));
- else
- return (0); /* unknown, die on connect */
-}
-
-/*
- * pick appropriate nsaddr_list for use. see res_init() for initialization.
- */
-static struct sockaddr *
-get_nsaddr(statp, n)
- res_state statp;
- size_t n;
-{
-
- if (!statp->nsaddr_list[n].sin_family && EXT(statp).ext) {
- /*
- * - EXT(statp).ext->nsaddrs[n] holds an address that is larger
- * than struct sockaddr, and
- * - user code did not update statp->nsaddr_list[n].
- */
- return (struct sockaddr *)(void *)&EXT(statp).ext->nsaddrs[n];
- } else {
- /*
- * - user code updated statp->nsaddr_list[n], or
- * - statp->nsaddr_list[n] has the same content as
- * EXT(statp).ext->nsaddrs[n].
- */
- return (struct sockaddr *)(void *)&statp->nsaddr_list[n];
- }
-}
-
-static int
-send_vc(res_state statp,
- const u_char *buf, int buflen, u_char *ans, int anssiz,
- int *terrno, int ns)
-{
- const HEADER *hp = (const HEADER *) buf;
- HEADER *anhp = (HEADER *) ans;
- struct sockaddr *nsap;
- int nsaplen;
- int truncating, connreset, resplen, n;
- struct iovec iov[2];
- u_short len;
- u_char *cp;
- void *tmp;
-
- nsap = get_nsaddr(statp, ns);
- nsaplen = get_salen(nsap);
-
- connreset = 0;
- same_ns:
- truncating = 0;
-
- /* Are we still talking to whom we want to talk to? */
- if (statp->_vcsock >= 0 && (statp->_flags & RES_F_VC) != 0) {
- struct sockaddr_storage peer;
- ISC_SOCKLEN_T size = sizeof peer;
-
- if (getpeername(statp->_vcsock,
- (struct sockaddr *)&peer, &size) < 0 ||
- !sock_eq((struct sockaddr *)&peer, nsap)) {
- res_nclose(statp);
- statp->_flags &= ~RES_F_VC;
- }
- }
-
- if (statp->_vcsock < 0 || (statp->_flags & RES_F_VC) == 0) {
- if (statp->_vcsock >= 0)
- res_nclose(statp);
-
- statp->_vcsock = socket(nsap->sa_family, SOCK_STREAM, 0);
- if (statp->_vcsock > highestFD) {
- res_nclose(statp);
- errno = ENOTSOCK;
- }
- if (statp->_vcsock < 0) {
- switch (errno) {
- case EPROTONOSUPPORT:
-#ifdef EPFNOSUPPORT
- case EPFNOSUPPORT:
-#endif
- case EAFNOSUPPORT:
- Perror(statp, stderr, "socket(vc)", errno);
- return (0);
- default:
- *terrno = errno;
- Perror(statp, stderr, "socket(vc)", errno);
- return (-1);
- }
- }
- errno = 0;
- if (connect(statp->_vcsock, nsap, nsaplen) < 0) {
- *terrno = errno;
- Aerror(statp, stderr, "connect/vc", errno, nsap,
- nsaplen);
- res_nclose(statp);
- return (0);
- }
- statp->_flags |= RES_F_VC;
- }
-
- /*
- * Send length & message
- */
- ns_put16((u_short)buflen, (u_char*)&len);
- iov[0] = evConsIovec(&len, INT16SZ);
- DE_CONST(buf, tmp);
- iov[1] = evConsIovec(tmp, buflen);
- if (writev(statp->_vcsock, iov, 2) != (INT16SZ + buflen)) {
- *terrno = errno;
- Perror(statp, stderr, "write failed", errno);
- res_nclose(statp);
- return (0);
- }
- /*
- * Receive length & response
- */
- read_len:
- cp = ans;
- len = INT16SZ;
- while ((n = read(statp->_vcsock, (char *)cp, (int)len)) > 0) {
- cp += n;
- if ((len -= n) == 0)
- break;
- }
- if (n <= 0) {
- *terrno = errno;
- Perror(statp, stderr, "read failed", errno);
- res_nclose(statp);
- /*
- * A long running process might get its TCP
- * connection reset if the remote server was
- * restarted. Requery the server instead of
- * trying a new one. When there is only one
- * server, this means that a query might work
- * instead of failing. We only allow one reset
- * per query to prevent looping.
- */
- if (*terrno == ECONNRESET && !connreset) {
- connreset = 1;
- res_nclose(statp);
- goto same_ns;
- }
- res_nclose(statp);
- return (0);
- }
- resplen = ns_get16(ans);
- if (resplen > anssiz) {
- Dprint(statp->options & RES_DEBUG,
- (stdout, ";; response truncated\n")
- );
- truncating = 1;
- len = anssiz;
- } else
- len = resplen;
- if (len < HFIXEDSZ) {
- /*
- * Undersized message.
- */
- Dprint(statp->options & RES_DEBUG,
- (stdout, ";; undersized: %d\n", len));
- *terrno = EMSGSIZE;
- res_nclose(statp);
- return (0);
- }
- cp = ans;
- while (len != 0 && (n = read(statp->_vcsock, (char *)cp, (int)len)) > 0){
- cp += n;
- len -= n;
- }
- if (n <= 0) {
- *terrno = errno;
- Perror(statp, stderr, "read(vc)", errno);
- res_nclose(statp);
- return (0);
- }
- if (truncating) {
- /*
- * Flush rest of answer so connection stays in synch.
- */
- anhp->tc = 1;
- len = resplen - anssiz;
- while (len != 0) {
- char junk[PACKETSZ];
-
- n = read(statp->_vcsock, junk,
- (len > sizeof junk) ? sizeof junk : len);
- if (n > 0)
- len -= n;
- else
- break;
- }
- }
- /*
- * If the calling applicating has bailed out of
- * a previous call and failed to arrange to have
- * the circuit closed or the server has got
- * itself confused, then drop the packet and
- * wait for the correct one.
- */
- if (hp->id != anhp->id) {
- DprintQ((statp->options & RES_DEBUG) ||
- (statp->pfcode & RES_PRF_REPLY),
- (stdout, ";; old answer (unexpected):\n"),
- ans, (resplen > anssiz) ? anssiz: resplen);
- goto read_len;
- }
-
- /*
- * All is well, or the error is fatal. Signal that the
- * next nameserver ought not be tried.
- */
- return (resplen);
-}
-
-static int
-send_dg(res_state statp,
- const u_char *buf, int buflen, u_char *ans, int anssiz,
- int *terrno, int ns, int *v_circuit, int *gotsomewhere)
-{
- const HEADER *hp = (const HEADER *) buf;
- HEADER *anhp = (HEADER *) ans;
- const struct sockaddr *nsap;
- int nsaplen;
- struct timespec now, timeout, finish;
- struct sockaddr_storage from;
- ISC_SOCKLEN_T fromlen;
- int resplen, seconds, n, s;
-#ifdef USE_POLL
- int polltimeout;
- struct pollfd pollfd;
-#else
- fd_set dsmask;
-#endif
-
- nsap = get_nsaddr(statp, ns);
- nsaplen = get_salen(nsap);
- if (EXT(statp).nssocks[ns] == -1) {
- EXT(statp).nssocks[ns] = socket(nsap->sa_family, SOCK_DGRAM, 0);
- if (EXT(statp).nssocks[ns] > highestFD) {
- res_nclose(statp);
- errno = ENOTSOCK;
- }
- if (EXT(statp).nssocks[ns] < 0) {
- switch (errno) {
- case EPROTONOSUPPORT:
-#ifdef EPFNOSUPPORT
- case EPFNOSUPPORT:
-#endif
- case EAFNOSUPPORT:
- Perror(statp, stderr, "socket(dg)", errno);
- return (0);
- default:
- *terrno = errno;
- Perror(statp, stderr, "socket(dg)", errno);
- return (-1);
- }
- }
-#ifndef CANNOT_CONNECT_DGRAM
- /*
- * On a 4.3BSD+ machine (client and server,
- * actually), sending to a nameserver datagram
- * port with no nameserver will cause an
- * ICMP port unreachable message to be returned.
- * If our datagram socket is "connected" to the
- * server, we get an ECONNREFUSED error on the next
- * socket operation, and select returns if the
- * error message is received. We can thus detect
- * the absence of a nameserver without timing out.
- */
- if (connect(EXT(statp).nssocks[ns], nsap, nsaplen) < 0) {
- Aerror(statp, stderr, "connect(dg)", errno, nsap,
- nsaplen);
- res_nclose(statp);
- return (0);
- }
-#endif /* !CANNOT_CONNECT_DGRAM */
- Dprint(statp->options & RES_DEBUG,
- (stdout, ";; new DG socket\n"))
- }
- s = EXT(statp).nssocks[ns];
-#ifndef CANNOT_CONNECT_DGRAM
- if (send(s, (const char*)buf, buflen, 0) != buflen) {
- Perror(statp, stderr, "send", errno);
- res_nclose(statp);
- return (0);
- }
-#else /* !CANNOT_CONNECT_DGRAM */
- if (sendto(s, (const char*)buf, buflen, 0, nsap, nsaplen) != buflen)
- {
- Aerror(statp, stderr, "sendto", errno, nsap, nsaplen);
- res_nclose(statp);
- return (0);
- }
-#endif /* !CANNOT_CONNECT_DGRAM */
-
- /*
- * Wait for reply.
- */
- seconds = (statp->retrans << ns);
- if (ns > 0)
- seconds /= statp->nscount;
- if (seconds <= 0)
- seconds = 1;
- now = evNowTime();
- timeout = evConsTime(seconds, 0);
- finish = evAddTime(now, timeout);
- goto nonow;
- wait:
- now = evNowTime();
- nonow:
-#ifndef USE_POLL
- FD_ZERO(&dsmask);
- FD_SET(s, &dsmask);
- if (evCmpTime(finish, now) > 0)
- timeout = evSubTime(finish, now);
- else
- timeout = evConsTime(0, 0);
- n = pselect(s + 1, &dsmask, NULL, NULL, &timeout, NULL);
-#else
- timeout = evSubTime(finish, now);
- if (timeout.tv_sec < 0)
- timeout = evConsTime(0, 0);
- polltimeout = 1000*timeout.tv_sec +
- timeout.tv_nsec/1000000;
- pollfd.fd = s;
- pollfd.events = POLLRDNORM;
- n = poll(&pollfd, 1, polltimeout);
-#endif /* USE_POLL */
-
- if (n == 0) {
- Dprint(statp->options & RES_DEBUG, (stdout, ";; timeout\n"));
- *gotsomewhere = 1;
- return (0);
- }
- if (n < 0) {
- if (errno == EINTR)
- goto wait;
-#ifndef USE_POLL
- Perror(statp, stderr, "select", errno);
-#else
- Perror(statp, stderr, "poll", errno);
-#endif /* USE_POLL */
- res_nclose(statp);
- return (0);
- }
- errno = 0;
- fromlen = sizeof(from);
- resplen = recvfrom(s, (char*)ans, anssiz,0,
- (struct sockaddr *)&from, &fromlen);
- if (resplen <= 0) {
- Perror(statp, stderr, "recvfrom", errno);
- res_nclose(statp);
- return (0);
- }
- *gotsomewhere = 1;
- if (resplen < HFIXEDSZ) {
- /*
- * Undersized message.
- */
- Dprint(statp->options & RES_DEBUG,
- (stdout, ";; undersized: %d\n",
- resplen));
- *terrno = EMSGSIZE;
- res_nclose(statp);
- return (0);
- }
- if (hp->id != anhp->id) {
- /*
- * response from old query, ignore it.
- * XXX - potential security hazard could
- * be detected here.
- */
- DprintQ((statp->options & RES_DEBUG) ||
- (statp->pfcode & RES_PRF_REPLY),
- (stdout, ";; old answer:\n"),
- ans, (resplen > anssiz) ? anssiz : resplen);
- goto wait;
- }
- if (!(statp->options & RES_INSECURE1) &&
- !res_ourserver_p(statp, (struct sockaddr *)&from)) {
- /*
- * response from wrong server? ignore it.
- * XXX - potential security hazard could
- * be detected here.
- */
- DprintQ((statp->options & RES_DEBUG) ||
- (statp->pfcode & RES_PRF_REPLY),
- (stdout, ";; not our server:\n"),
- ans, (resplen > anssiz) ? anssiz : resplen);
- goto wait;
- }
-#ifdef RES_USE_EDNS0
- if (anhp->rcode == FORMERR && (statp->options & RES_USE_EDNS0) != 0U) {
- /*
- * Do not retry if the server do not understand EDNS0.
- * The case has to be captured here, as FORMERR packet do not
- * carry query section, hence res_queriesmatch() returns 0.
- */
- DprintQ(statp->options & RES_DEBUG,
- (stdout, "server rejected query with EDNS0:\n"),
- ans, (resplen > anssiz) ? anssiz : resplen);
- /* record the error */
- statp->_flags |= RES_F_EDNS0ERR;
- res_nclose(statp);
- return (0);
- }
-#endif
- if (!(statp->options & RES_INSECURE2) &&
- !res_queriesmatch(buf, buf + buflen,
- ans, ans + anssiz)) {
- /*
- * response contains wrong query? ignore it.
- * XXX - potential security hazard could
- * be detected here.
- */
- DprintQ((statp->options & RES_DEBUG) ||
- (statp->pfcode & RES_PRF_REPLY),
- (stdout, ";; wrong query name:\n"),
- ans, (resplen > anssiz) ? anssiz : resplen);
- goto wait;
- }
- if (anhp->rcode == SERVFAIL ||
- anhp->rcode == NOTIMP ||
- anhp->rcode == REFUSED) {
- DprintQ(statp->options & RES_DEBUG,
- (stdout, "server rejected query:\n"),
- ans, (resplen > anssiz) ? anssiz : resplen);
- res_nclose(statp);
- /* don't retry if called from dig */
- if (!statp->pfcode)
- return (0);
- }
- if (!(statp->options & RES_IGNTC) && anhp->tc) {
- /*
- * To get the rest of answer,
- * use TCP with same server.
- */
- Dprint(statp->options & RES_DEBUG,
- (stdout, ";; truncated answer\n"));
- *v_circuit = 1;
- res_nclose(statp);
- return (1);
- }
- /*
- * All is well, or the error is fatal. Signal that the
- * next nameserver ought not be tried.
- */
- return (resplen);
-}
-
-static void
-Aerror(const res_state statp, FILE *file, const char *string, int error,
- const struct sockaddr *address, int alen)
-{
- int save = errno;
- char hbuf[NI_MAXHOST];
- char sbuf[NI_MAXSERV];
-
- alen = alen;
-
- if ((statp->options & RES_DEBUG) != 0U) {
- if (getnameinfo(address, alen, hbuf, sizeof(hbuf),
- sbuf, sizeof(sbuf), niflags)) {
- strncpy(hbuf, "?", sizeof(hbuf) - 1);
- hbuf[sizeof(hbuf) - 1] = '\0';
- strncpy(sbuf, "?", sizeof(sbuf) - 1);
- sbuf[sizeof(sbuf) - 1] = '\0';
- }
- fprintf(file, "res_send: %s ([%s].%s): %s\n",
- string, hbuf, sbuf, strerror(error));
- }
- errno = save;
-}
-
-static void
-Perror(const res_state statp, FILE *file, const char *string, int error) {
- int save = errno;
-
- if ((statp->options & RES_DEBUG) != 0U)
- fprintf(file, "res_send: %s: %s\n",
- string, strerror(error));
- errno = save;
-}
-
-static int
-sock_eq(struct sockaddr *a, struct sockaddr *b) {
- struct sockaddr_in *a4, *b4;
- struct sockaddr_in6 *a6, *b6;
-
- if (a->sa_family != b->sa_family)
- return 0;
- switch (a->sa_family) {
- case AF_INET:
- a4 = (struct sockaddr_in *)a;
- b4 = (struct sockaddr_in *)b;
- return a4->sin_port == b4->sin_port &&
- a4->sin_addr.s_addr == b4->sin_addr.s_addr;
- case AF_INET6:
- a6 = (struct sockaddr_in6 *)a;
- b6 = (struct sockaddr_in6 *)b;
- return a6->sin6_port == b6->sin6_port &&
-#ifdef HAVE_SIN6_SCOPE_ID
- a6->sin6_scope_id == b6->sin6_scope_id &&
-#endif
- IN6_ARE_ADDR_EQUAL(&a6->sin6_addr, &b6->sin6_addr);
- default:
- return 0;
- }
-}
-
-#if defined(NEED_PSELECT) && !defined(USE_POLL)
-/* XXX needs to move to the porting library. */
-static int
-pselect(int nfds, void *rfds, void *wfds, void *efds,
- struct timespec *tsp, const sigset_t *sigmask)
-{
- struct timeval tv, *tvp;
- sigset_t sigs;
- int n;
-
- if (tsp) {
- tvp = &tv;
- tv = evTimeVal(*tsp);
- } else
- tvp = NULL;
- if (sigmask)
- sigprocmask(SIG_SETMASK, sigmask, &sigs);
- n = select(nfds, rfds, wfds, efds, tvp);
- if (sigmask)
- sigprocmask(SIG_SETMASK, &sigs, NULL);
- if (tsp)
- *tsp = evTimeSpec(tv);
- return (n);
-}
-#endif
diff --git a/contrib/bind9/lib/bind/resolv/res_sendsigned.c b/contrib/bind9/lib/bind/resolv/res_sendsigned.c
deleted file mode 100644
index d1d227457566..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_sendsigned.c
+++ /dev/null
@@ -1,167 +0,0 @@
-#include "port_before.h"
-#include "fd_setsize.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <arpa/inet.h>
-
-#include <isc/dst.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "port_after.h"
-
-#define DEBUG
-#include "res_debug.h"
-
-
-/* res_nsendsigned */
-int
-res_nsendsigned(res_state statp, const u_char *msg, int msglen,
- ns_tsig_key *key, u_char *answer, int anslen)
-{
- res_state nstatp;
- DST_KEY *dstkey;
- int usingTCP = 0;
- u_char *newmsg;
- int newmsglen, bufsize, siglen;
- u_char sig[64];
- HEADER *hp;
- time_t tsig_time;
- int ret;
- int len;
-
- dst_init();
-
- nstatp = (res_state) malloc(sizeof(*statp));
- if (nstatp == NULL) {
- errno = ENOMEM;
- return (-1);
- }
- memcpy(nstatp, statp, sizeof(*statp));
-
- bufsize = msglen + 1024;
- newmsg = (u_char *) malloc(bufsize);
- if (newmsg == NULL) {
- errno = ENOMEM;
- return (-1);
- }
- memcpy(newmsg, msg, msglen);
- newmsglen = msglen;
-
- if (ns_samename(key->alg, NS_TSIG_ALG_HMAC_MD5) != 1)
- dstkey = NULL;
- else
- dstkey = dst_buffer_to_key(key->name, KEY_HMAC_MD5,
- NS_KEY_TYPE_AUTH_ONLY,
- NS_KEY_PROT_ANY,
- key->data, key->len);
- if (dstkey == NULL) {
- errno = EINVAL;
- free(nstatp);
- free(newmsg);
- return (-1);
- }
-
- nstatp->nscount = 1;
- siglen = sizeof(sig);
- ret = ns_sign(newmsg, &newmsglen, bufsize, NOERROR, dstkey, NULL, 0,
- sig, &siglen, 0);
- if (ret < 0) {
- free (nstatp);
- free (newmsg);
- dst_free_key(dstkey);
- if (ret == NS_TSIG_ERROR_NO_SPACE)
- errno = EMSGSIZE;
- else if (ret == -1)
- errno = EINVAL;
- return (ret);
- }
-
- if (newmsglen > PACKETSZ || nstatp->options & RES_USEVC)
- usingTCP = 1;
- if (usingTCP == 0)
- nstatp->options |= RES_IGNTC;
- else
- nstatp->options |= RES_USEVC;
- /*
- * Stop res_send printing the answer.
- */
- nstatp->options &= ~RES_DEBUG;
- nstatp->pfcode &= ~RES_PRF_REPLY;
-
-retry:
-
- len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);
- if (ret < 0) {
- free (nstatp);
- free (newmsg);
- dst_free_key(dstkey);
- return (ret);
- }
-
- ret = ns_verify(answer, &len, dstkey, sig, siglen,
- NULL, NULL, &tsig_time, nstatp->options & RES_KEEPTSIG);
- if (ret != 0) {
- Dprint((statp->options & RES_DEBUG) ||
- ((statp->pfcode & RES_PRF_REPLY) &&
- (statp->pfcode & RES_PRF_HEAD1)),
- (stdout, ";; got answer:\n"));
-
- DprintQ((statp->options & RES_DEBUG) ||
- (statp->pfcode & RES_PRF_REPLY),
- (stdout, "%s", ""),
- answer, (anslen > len) ? len : anslen);
-
- if (ret > 0) {
- Dprint(statp->pfcode & RES_PRF_REPLY,
- (stdout, ";; server rejected TSIG (%s)\n",
- p_rcode(ret)));
- } else {
- Dprint(statp->pfcode & RES_PRF_REPLY,
- (stdout, ";; TSIG invalid (%s)\n",
- p_rcode(-ret)));
- }
-
- free (nstatp);
- free (newmsg);
- dst_free_key(dstkey);
- if (ret == -1)
- errno = EINVAL;
- else
- errno = ENOTTY;
- return (-1);
- }
-
- hp = (HEADER *) answer;
- if (hp->tc && !usingTCP && (statp->options & RES_IGNTC) == 0U) {
- nstatp->options &= ~RES_IGNTC;
- usingTCP = 1;
- goto retry;
- }
- Dprint((statp->options & RES_DEBUG) ||
- ((statp->pfcode & RES_PRF_REPLY) &&
- (statp->pfcode & RES_PRF_HEAD1)),
- (stdout, ";; got answer:\n"));
-
- DprintQ((statp->options & RES_DEBUG) ||
- (statp->pfcode & RES_PRF_REPLY),
- (stdout, "%s", ""),
- answer, (anslen > len) ? len : anslen);
-
- Dprint(statp->pfcode & RES_PRF_REPLY, (stdout, ";; TSIG ok\n"));
-
- free (nstatp);
- free (newmsg);
- dst_free_key(dstkey);
- return (len);
-}
diff --git a/contrib/bind9/lib/bind/resolv/res_update.c b/contrib/bind9/lib/bind/resolv/res_update.c
deleted file mode 100644
index 8783d8a7645b..000000000000
--- a/contrib/bind9/lib/bind/resolv/res_update.c
+++ /dev/null
@@ -1,212 +0,0 @@
-#if !defined(lint) && !defined(SABER)
-static const char rcsid[] = "$Id: res_update.c,v 1.6.2.4.4.2 2004/03/16 12:34:20 marka Exp $";
-#endif /* not lint */
-
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Based on the Dynamic DNS reference implementation by Viraj Bais
- * <viraj_bais@ccm.fm.intel.com>
- */
-
-#include "port_before.h"
-
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <limits.h>
-#include <netdb.h>
-#include <res_update.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/list.h>
-#include <resolv.h>
-
-#include "port_after.h"
-#include "res_private.h"
-
-/*
- * Separate a linked list of records into groups so that all records
- * in a group will belong to a single zone on the nameserver.
- * Create a dynamic update packet for each zone and send it to the
- * nameservers for that zone, and await answer.
- * Abort if error occurs in updating any zone.
- * Return the number of zones updated on success, < 0 on error.
- *
- * On error, caller must deal with the unsynchronized zones
- * eg. an A record might have been successfully added to the forward
- * zone but the corresponding PTR record would be missing if error
- * was encountered while updating the reverse zone.
- */
-
-struct zonegrp {
- char z_origin[MAXDNAME];
- ns_class z_class;
- union res_sockaddr_union z_nsaddrs[MAXNS];
- int z_nscount;
- int z_flags;
- LIST(ns_updrec) z_rrlist;
- LINK(struct zonegrp) z_link;
-};
-
-#define ZG_F_ZONESECTADDED 0x0001
-
-/* Forward. */
-
-static void res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2);
-
-/* Macros. */
-
-#define DPRINTF(x) do {\
- int save_errno = errno; \
- if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \
- errno = save_errno; \
- } while (0)
-
-/* Public. */
-
-int
-res_nupdate(res_state statp, ns_updrec *rrecp_in, ns_tsig_key *key) {
- ns_updrec *rrecp;
- u_char answer[PACKETSZ];
- u_char *packet;
- struct zonegrp *zptr, tgrp;
- LIST(struct zonegrp) zgrps;
- int nzones = 0, nscount = 0, n;
- union res_sockaddr_union nsaddrs[MAXNS];
-
- packet = malloc(NS_MAXMSG);
- if (packet == NULL) {
- DPRINTF(("malloc failed"));
- return (0);
- }
- /* Thread all of the updates onto a list of groups. */
- INIT_LIST(zgrps);
- memset(&tgrp, 0, sizeof (tgrp));
- for (rrecp = rrecp_in; rrecp;
- rrecp = LINKED(rrecp, r_link) ? NEXT(rrecp, r_link) : NULL) {
- int nscnt;
- /* Find the origin for it if there is one. */
- tgrp.z_class = rrecp->r_class;
- nscnt = res_findzonecut2(statp, rrecp->r_dname, tgrp.z_class,
- RES_EXHAUSTIVE, tgrp.z_origin,
- sizeof tgrp.z_origin,
- tgrp.z_nsaddrs, MAXNS);
- if (nscnt <= 0) {
- DPRINTF(("res_findzonecut failed (%d)", nscnt));
- goto done;
- }
- tgrp.z_nscount = nscnt;
- /* Find the group for it if there is one. */
- for (zptr = HEAD(zgrps); zptr != NULL; zptr = NEXT(zptr, z_link))
- if (ns_samename(tgrp.z_origin, zptr->z_origin) == 1 &&
- tgrp.z_class == zptr->z_class)
- break;
- /* Make a group for it if there isn't one. */
- if (zptr == NULL) {
- zptr = malloc(sizeof *zptr);
- if (zptr == NULL) {
- DPRINTF(("malloc failed"));
- goto done;
- }
- *zptr = tgrp;
- zptr->z_flags = 0;
- INIT_LINK(zptr, z_link);
- INIT_LIST(zptr->z_rrlist);
- APPEND(zgrps, zptr, z_link);
- }
- /* Thread this rrecp onto the right group. */
- APPEND(zptr->z_rrlist, rrecp, r_glink);
- }
-
- for (zptr = HEAD(zgrps); zptr != NULL; zptr = NEXT(zptr, z_link)) {
- /* Construct zone section and prepend it. */
- rrecp = res_mkupdrec(ns_s_zn, zptr->z_origin,
- zptr->z_class, ns_t_soa, 0);
- if (rrecp == NULL) {
- DPRINTF(("res_mkupdrec failed"));
- goto done;
- }
- PREPEND(zptr->z_rrlist, rrecp, r_glink);
- zptr->z_flags |= ZG_F_ZONESECTADDED;
-
- /* Marshall the update message. */
- n = res_nmkupdate(statp, HEAD(zptr->z_rrlist),
- packet, NS_MAXMSG);
- DPRINTF(("res_mkupdate -> %d", n));
- if (n < 0)
- goto done;
-
- /* Temporarily replace the resolver's nameserver set. */
- nscount = res_getservers(statp, nsaddrs, MAXNS);
- res_setservers(statp, zptr->z_nsaddrs, zptr->z_nscount);
-
- /* Send the update and remember the result. */
- if (key != NULL)
- n = res_nsendsigned(statp, packet, n, key,
- answer, sizeof answer);
- else
- n = res_nsend(statp, packet, n, answer, sizeof answer);
- if (n < 0) {
- DPRINTF(("res_nsend: send error, n=%d (%s)\n",
- n, strerror(errno)));
- goto done;
- }
- if (((HEADER *)answer)->rcode == NOERROR)
- nzones++;
-
- /* Restore resolver's nameserver set. */
- res_setservers(statp, nsaddrs, nscount);
- nscount = 0;
- }
- done:
- while (!EMPTY(zgrps)) {
- zptr = HEAD(zgrps);
- if ((zptr->z_flags & ZG_F_ZONESECTADDED) != 0)
- res_freeupdrec(HEAD(zptr->z_rrlist));
- UNLINK(zgrps, zptr, z_link);
- free(zptr);
- }
- if (nscount != 0)
- res_setservers(statp, nsaddrs, nscount);
-
- free(packet);
- return (nzones);
-}
-
-/* Private. */
-
-static void
-res_dprintf(const char *fmt, ...) {
- va_list ap;
-
- va_start(ap, fmt);
- fputs(";; res_nupdate: ", stderr);
- vfprintf(stderr, fmt, ap);
- fputc('\n', stderr);
- va_end(ap);
-}
diff --git a/contrib/bind9/lib/bind9/Makefile.in b/contrib/bind9/lib/bind9/Makefile.in
deleted file mode 100644
index cd822f39a64b..000000000000
--- a/contrib/bind9/lib/bind9/Makefile.in
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2.200.10 2004/12/10 00:05:48 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBBIND9_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
- ${ISCCFG_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@
-
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
-DNSDEPLIBS = ../../lib/dns/libdns.@A@
-
-LIBS = @LIBS@
-
-SUBDIRS = include
-
-# Alphabetically
-OBJS = check.@O@ getaddresses.@O@ version.@O@
-
-# Alphabetically
-SRCS = check.c getaddresses.c version.c
-
-TARGETS = timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DLIBINTERFACE=${LIBINTERFACE} \
- -DLIBREVISION=${LIBREVISION} \
- -DLIBAGE=${LIBAGE} \
- -c ${srcdir}/version.c
-
-libbind9.@SA@: ${OBJS}
- ${AR} ${ARFLAGS} $@ ${OBJS}
- ${RANLIB} $@
-
-libbind9.la: ${OBJS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS} ${DNSDEPLIBS}
- ${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind9.la -rpath ${libdir} \
- -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} ${LIBS}
-
-timestamp: libbind9.@A@
- touch timestamp
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind9.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
- rm -f libbind9.@A@ timestamp
diff --git a/contrib/bind9/lib/bind9/api b/contrib/bind9/lib/bind9/api
deleted file mode 100644
index 0a12b5e852c1..000000000000
--- a/contrib/bind9/lib/bind9/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 0
-LIBREVISION = 7
-LIBAGE = 0
diff --git a/contrib/bind9/lib/bind9/check.c b/contrib/bind9/lib/bind9/check.c
deleted file mode 100644
index e6e86fd14dfc..000000000000
--- a/contrib/bind9/lib/bind9/check.c
+++ /dev/null
@@ -1,1435 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check.c,v 1.37.6.32 2005/11/03 23:08:41 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/parseint.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/symtab.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatatype.h>
-#include <dns/secalg.h>
-
-#include <isccfg/cfg.h>
-
-#include <bind9/check.h>
-
-static void
-freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
- UNUSED(type);
- UNUSED(value);
- isc_mem_free(userarg, key);
-}
-
-static isc_result_t
-check_orderent(cfg_obj_t *ent, isc_log_t *logctx) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- isc_textregion_t r;
- dns_fixedname_t fixed;
- cfg_obj_t *obj;
- dns_rdataclass_t rdclass;
- dns_rdatatype_t rdtype;
- isc_buffer_t b;
- const char *str;
-
- dns_fixedname_init(&fixed);
- obj = cfg_tuple_get(ent, "class");
- if (cfg_obj_isstring(obj)) {
-
- DE_CONST(cfg_obj_asstring(obj), r.base);
- r.length = strlen(r.base);
- tresult = dns_rdataclass_fromtext(&rdclass, &r);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "rrset-order: invalid class '%s'",
- r.base);
- result = ISC_R_FAILURE;
- }
- }
-
- obj = cfg_tuple_get(ent, "type");
- if (cfg_obj_isstring(obj)) {
-
- DE_CONST(cfg_obj_asstring(obj), r.base);
- r.length = strlen(r.base);
- tresult = dns_rdatatype_fromtext(&rdtype, &r);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "rrset-order: invalid type '%s'",
- r.base);
- result = ISC_R_FAILURE;
- }
- }
-
- obj = cfg_tuple_get(ent, "name");
- if (cfg_obj_isstring(obj)) {
- str = cfg_obj_asstring(obj);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "rrset-order: invalid name '%s'", str);
- result = ISC_R_FAILURE;
- }
- }
-
- obj = cfg_tuple_get(ent, "order");
- if (!cfg_obj_isstring(obj) ||
- strcasecmp("order", cfg_obj_asstring(obj)) != 0) {
- cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
- "rrset-order: keyword 'order' missing");
- result = ISC_R_FAILURE;
- }
-
- obj = cfg_tuple_get(ent, "ordering");
- if (!cfg_obj_isstring(obj)) {
- cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
- "rrset-order: missing ordering");
- result = ISC_R_FAILURE;
- } else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
- cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "rrset-order: order 'fixed' not fully implemented");
- } else if (/* strcasecmp(cfg_obj_asstring(obj), "fixed") != 0 && */
- strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
- strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "rrset-order: invalid order '%s'",
- cfg_obj_asstring(obj));
- result = ISC_R_FAILURE;
- }
- return (result);
-}
-
-static isc_result_t
-check_order(cfg_obj_t *options, isc_log_t *logctx) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- cfg_listelt_t *element;
- cfg_obj_t *obj = NULL;
-
- if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS)
- return (result);
-
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- tresult = check_orderent(cfg_listelt_value(element), logctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- }
- return (result);
-}
-
-static isc_result_t
-check_dual_stack(cfg_obj_t *options, isc_log_t *logctx) {
- cfg_listelt_t *element;
- cfg_obj_t *alternates = NULL;
- cfg_obj_t *value;
- cfg_obj_t *obj;
- char *str;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t buffer;
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
-
- (void)cfg_map_get(options, "dual-stack-servers", &alternates);
-
- if (alternates == NULL)
- return (ISC_R_SUCCESS);
-
- obj = cfg_tuple_get(alternates, "port");
- if (cfg_obj_isuint32(obj)) {
- isc_uint32_t val = cfg_obj_asuint32(obj);
- if (val > ISC_UINT16_MAX) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "port '%u' out of range", val);
- result = ISC_R_FAILURE;
- }
- }
- obj = cfg_tuple_get(alternates, "addresses");
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element)) {
- value = cfg_listelt_value(element);
- if (cfg_obj_issockaddr(value))
- continue;
- obj = cfg_tuple_get(value, "name");
- str = cfg_obj_asstring(obj);
- isc_buffer_init(&buffer, str, strlen(str));
- isc_buffer_add(&buffer, strlen(str));
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- tresult = dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad name '%s'", str);
- result = ISC_R_FAILURE;
- }
- obj = cfg_tuple_get(value, "port");
- if (cfg_obj_isuint32(obj)) {
- isc_uint32_t val = cfg_obj_asuint32(obj);
- if (val > ISC_UINT16_MAX) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "port '%u' out of range", val);
- result = ISC_R_FAILURE;
- }
- }
- }
- return (result);
-}
-
-static isc_result_t
-check_forward(cfg_obj_t *options, isc_log_t *logctx) {
- cfg_obj_t *forward = NULL;
- cfg_obj_t *forwarders = NULL;
-
- (void)cfg_map_get(options, "forward", &forward);
- (void)cfg_map_get(options, "forwarders", &forwarders);
-
- if (forward != NULL && forwarders == NULL) {
- cfg_obj_log(forward, logctx, ISC_LOG_ERROR,
- "no matching 'forwarders' statement");
- return (ISC_R_FAILURE);
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- cfg_listelt_t *element;
- const char *str;
- isc_buffer_t b;
- dns_fixedname_t fixed;
- dns_name_t *name;
- cfg_obj_t *obj;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- obj = cfg_tuple_get(disabled, "name");
- str = cfg_obj_asstring(obj);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", str);
- result = tresult;
- }
-
- obj = cfg_tuple_get(disabled, "algorithms");
-
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- isc_textregion_t r;
- dns_secalg_t alg;
- isc_result_t tresult;
-
- r.base = cfg_obj_asstring(cfg_listelt_value(element));
- r.length = strlen(r.base);
-
- tresult = dns_secalg_fromtext(&alg, &r);
- if (tresult != ISC_R_SUCCESS) {
- isc_uint8_t ui;
- result = isc_parse_uint8(&ui, r.base, 10);
- }
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(cfg_listelt_value(element), logctx,
- ISC_LOG_ERROR, "invalid algorithm");
- result = tresult;
- }
- }
- return (result);
-}
-
-static isc_result_t
-nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
- const char *fmt, isc_log_t *logctx, isc_mem_t *mctx)
-{
- char *key;
- const char *file;
- unsigned int line;
- isc_result_t result;
- isc_symvalue_t symvalue;
-
- key = isc_mem_strdup(mctx, name);
- if (key == NULL)
- return (ISC_R_NOMEMORY);
- symvalue.as_pointer = obj;
- result = isc_symtab_define(symtab, key, value, symvalue,
- isc_symexists_reject);
- if (result == ISC_R_EXISTS) {
- RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
- &symvalue) == ISC_R_SUCCESS);
- file = cfg_obj_file(symvalue.as_pointer);
- line = cfg_obj_line(symvalue.as_pointer);
-
- if (file == NULL)
- file = "<unknown file>";
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line);
- isc_mem_free(mctx, key);
- result = ISC_R_EXISTS;
- } else if (result != ISC_R_SUCCESS) {
- isc_mem_free(mctx, key);
- }
- return (result);
-}
-
-static isc_result_t
-mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
- isc_mem_t *mctx)
-{
- cfg_obj_t *obj;
- char namebuf[DNS_NAME_FORMATSIZE];
- const char *str;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t b;
- isc_result_t result = ISC_R_SUCCESS;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- obj = cfg_tuple_get(secure, "name");
- str = cfg_obj_asstring(obj);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", str);
- } else {
- dns_name_format(name, namebuf, sizeof(namebuf));
- result = nameexist(secure, namebuf, 1, symtab,
- "dnssec-must-be-secure '%s': already "
- "exists previous definition: %s:%u",
- logctx, mctx);
- }
- return (result);
-}
-
-typedef struct {
- const char *name;
- unsigned int scale;
- unsigned int max;
-} intervaltable;
-
-static isc_result_t
-check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- unsigned int i;
- cfg_obj_t *obj = NULL;
- cfg_listelt_t *element;
- isc_symtab_t *symtab = NULL;
-
- static intervaltable intervals[] = {
- { "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */
- { "heartbeat-interval", 60, 28 * 24 * 60 }, /* 28 days */
- { "interface-interval", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-idle-in", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */
- { "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
- { "sig-validity-interval", 86400, 10 * 366 }, /* 10 years */
- { "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
- };
-
- /*
- * Check that fields specified in units of time other than seconds
- * have reasonable values.
- */
- for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
- isc_uint32_t val;
- obj = NULL;
- (void)cfg_map_get(options, intervals[i].name, &obj);
- if (obj == NULL)
- continue;
- val = cfg_obj_asuint32(obj);
- if (val > intervals[i].max) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%u' is out of range (0..%u)",
- intervals[i].name, val,
- intervals[i].max);
- result = ISC_R_RANGE;
- } else if (val > (ISC_UINT32_MAX / intervals[i].scale)) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "%s '%d' is out of range",
- intervals[i].name, val);
- result = ISC_R_RANGE;
- }
- }
- obj = NULL;
- (void)cfg_map_get(options, "preferred-glue", &obj);
- if (obj != NULL) {
- const char *str;
- str = cfg_obj_asstring(obj);
- if (strcasecmp(str, "a") != 0 &&
- strcasecmp(str, "aaaa") != 0 &&
- strcasecmp(str, "none") != 0)
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "preferred-glue unexpected value '%s'",
- str);
- }
- obj = NULL;
- (void)cfg_map_get(options, "root-delegation-only", &obj);
- if (obj != NULL) {
- if (!cfg_obj_isvoid(obj)) {
- cfg_listelt_t *element;
- cfg_obj_t *exclude;
- char *str;
- dns_fixedname_t fixed;
- dns_name_t *name;
- isc_buffer_t b;
-
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element)) {
- exclude = cfg_listelt_value(element);
- str = cfg_obj_asstring(exclude);
- isc_buffer_init(&b, str, strlen(str));
- isc_buffer_add(&b, strlen(str));
- tresult = dns_name_fromtext(name, &b,
- dns_rootname,
- ISC_FALSE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'",
- str);
- result = tresult;
- }
- }
- }
- }
-
- /*
- * Set supported DNSSEC algorithms.
- */
- obj = NULL;
- (void)cfg_map_get(options, "disable-algorithms", &obj);
- if (obj != NULL) {
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- tresult = disabled_algorithms(obj, logctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- }
- }
-
- /*
- * Check the DLV zone name.
- */
- obj = NULL;
- (void)cfg_map_get(options, "dnssec-lookaside", &obj);
- if (obj != NULL) {
- tresult = isc_symtab_create(mctx, 100, freekey, mctx,
- ISC_TRUE, &symtab);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- dns_fixedname_t fixedname;
- dns_name_t *name;
- const char *dlv;
- isc_buffer_t b;
-
- obj = cfg_listelt_value(element);
-
- dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
- dns_fixedname_init(&fixedname);
- name = dns_fixedname_name(&fixedname);
- isc_buffer_init(&b, dlv, strlen(dlv));
- isc_buffer_add(&b, strlen(dlv));
- tresult = dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
- result = tresult;
- }
- if (symtab != NULL) {
- tresult = nameexist(obj, dlv, 1, symtab,
- "dnssec-lookaside '%s': "
- "already exists previous "
- "definition: %s:%u",
- logctx, mctx);
- if (tresult != ISC_R_SUCCESS &&
- result == ISC_R_SUCCESS)
- result = tresult;
- }
- /*
- * XXXMPA to be removed when multiple lookaside
- * namespaces are supported.
- */
- if (!dns_name_equal(dns_rootname, name)) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "dnssec-lookaside '%s': "
- "non-root not yet supported", dlv);
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
- dlv = cfg_obj_asstring(cfg_tuple_get(obj,
- "trust-anchor"));
- dns_fixedname_init(&fixedname);
- isc_buffer_init(&b, dlv, strlen(dlv));
- isc_buffer_add(&b, strlen(dlv));
- tresult = dns_name_fromtext(name, &b, dns_rootname,
- ISC_TRUE, NULL);
- if (tresult != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "bad domain name '%s'", dlv);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- }
- }
- if (symtab != NULL)
- isc_symtab_destroy(&symtab);
- }
-
- /*
- * Check dnssec-must-be-secure.
- */
- obj = NULL;
- (void)cfg_map_get(options, "dnssec-must-be-secure", &obj);
- if (obj != NULL) {
- isc_symtab_t *symtab = NULL;
- tresult = isc_symtab_create(mctx, 100, freekey, mctx,
- ISC_FALSE, &symtab);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- for (element = cfg_list_first(obj);
- element != NULL;
- element = cfg_list_next(element))
- {
- obj = cfg_listelt_value(element);
- tresult = mustbesecure(obj, symtab, logctx, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- }
- if (symtab != NULL)
- isc_symtab_destroy(&symtab);
- }
-
- return (result);
-}
-
-static isc_result_t
-get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *masters = NULL;
- cfg_listelt_t *elt;
-
- result = cfg_map_get(cctx, "masters", &masters);
- if (result != ISC_R_SUCCESS)
- return (result);
- for (elt = cfg_list_first(masters);
- elt != NULL;
- elt = cfg_list_next(elt)) {
- cfg_obj_t *list;
- const char *listname;
-
- list = cfg_listelt_value(elt);
- listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
-
- if (strcasecmp(listname, name) == 0) {
- *ret = list;
- return (ISC_R_SUCCESS);
- }
- }
- return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
- isc_log_t *logctx, isc_mem_t *mctx)
-{
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- isc_uint32_t count = 0;
- isc_symtab_t *symtab = NULL;
- isc_symvalue_t symvalue;
- cfg_listelt_t *element;
- cfg_listelt_t **stack = NULL;
- isc_uint32_t stackcount = 0, pushed = 0;
- cfg_obj_t *list;
-
- REQUIRE(countp != NULL);
- result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
- if (result != ISC_R_SUCCESS) {
- *countp = count;
- return (result);
- }
-
- newlist:
- list = cfg_tuple_get(obj, "addresses");
- element = cfg_list_first(list);
- resume:
- for ( ;
- element != NULL;
- element = cfg_list_next(element))
- {
- char *listname;
- cfg_obj_t *addr;
- cfg_obj_t *key;
-
- addr = cfg_tuple_get(cfg_listelt_value(element),
- "masterselement");
- key = cfg_tuple_get(cfg_listelt_value(element), "key");
-
- if (cfg_obj_issockaddr(addr)) {
- count++;
- continue;
- }
- if (!cfg_obj_isvoid(key)) {
- cfg_obj_log(key, logctx, ISC_LOG_ERROR,
- "unexpected token '%s'",
- cfg_obj_asstring(key));
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
- listname = cfg_obj_asstring(addr);
- symvalue.as_pointer = addr;
- tresult = isc_symtab_define(symtab, listname, 1, symvalue,
- isc_symexists_reject);
- if (tresult == ISC_R_EXISTS)
- continue;
- tresult = get_masters_def(config, listname, &obj);
- if (tresult != ISC_R_SUCCESS) {
- if (result == ISC_R_SUCCESS)
- result = tresult;
- cfg_obj_log(addr, logctx, ISC_LOG_ERROR,
- "unable to find masters list '%s'",
- listname);
- continue;
- }
- /* Grow stack? */
- if (stackcount == pushed) {
- void * new;
- isc_uint32_t newlen = stackcount + 16;
- size_t newsize, oldsize;
-
- newsize = newlen * sizeof(*stack);
- oldsize = stackcount * sizeof(*stack);
- new = isc_mem_get(mctx, newsize);
- if (new == NULL)
- goto cleanup;
- if (stackcount != 0) {
- memcpy(new, stack, oldsize);
- isc_mem_put(mctx, stack, oldsize);
- }
- stack = new;
- stackcount = newlen;
- }
- stack[pushed++] = cfg_list_next(element);
- goto newlist;
- }
- if (pushed != 0) {
- element = stack[--pushed];
- goto resume;
- }
- cleanup:
- if (stack != NULL)
- isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
- isc_symtab_destroy(&symtab);
- *countp = count;
- return (result);
-}
-
-#define MASTERZONE 1
-#define SLAVEZONE 2
-#define STUBZONE 4
-#define HINTZONE 8
-#define FORWARDZONE 16
-#define DELEGATIONZONE 32
-
-typedef struct {
- const char *name;
- int allowed;
-} optionstable;
-
-static isc_result_t
-check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
- dns_rdataclass_t defclass, isc_log_t *logctx, isc_mem_t *mctx)
-{
- const char *zname;
- const char *typestr;
- unsigned int ztype;
- cfg_obj_t *zoptions;
- cfg_obj_t *obj = NULL;
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- unsigned int i;
- dns_rdataclass_t zclass;
- dns_fixedname_t fixedname;
- isc_buffer_t b;
-
- static optionstable options[] = {
- { "allow-query", MASTERZONE | SLAVEZONE | STUBZONE },
- { "allow-notify", SLAVEZONE },
- { "allow-transfer", MASTERZONE | SLAVEZONE },
- { "notify", MASTERZONE | SLAVEZONE },
- { "also-notify", MASTERZONE | SLAVEZONE },
- { "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
- { "delegation-only", HINTZONE | STUBZONE },
- { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
- { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
- { "maintain-ixfr-base", MASTERZONE | SLAVEZONE },
- { "max-ixfr-log-size", MASTERZONE | SLAVEZONE },
- { "notify-source", MASTERZONE | SLAVEZONE },
- { "notify-source-v6", MASTERZONE | SLAVEZONE },
- { "transfer-source", SLAVEZONE | STUBZONE },
- { "transfer-source-v6", SLAVEZONE | STUBZONE },
- { "max-transfer-time-in", SLAVEZONE | STUBZONE },
- { "max-transfer-time-out", MASTERZONE | SLAVEZONE },
- { "max-transfer-idle-in", SLAVEZONE | STUBZONE },
- { "max-transfer-idle-out", MASTERZONE | SLAVEZONE },
- { "max-retry-time", SLAVEZONE | STUBZONE },
- { "min-retry-time", SLAVEZONE | STUBZONE },
- { "max-refresh-time", SLAVEZONE | STUBZONE },
- { "min-refresh-time", SLAVEZONE | STUBZONE },
- { "sig-validity-interval", MASTERZONE },
- { "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
- { "allow-update", MASTERZONE },
- { "allow-update-forwarding", SLAVEZONE },
- { "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
- { "ixfr-base", MASTERZONE | SLAVEZONE },
- { "ixfr-tmp-file", MASTERZONE | SLAVEZONE },
- { "masters", SLAVEZONE | STUBZONE },
- { "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
- { "update-policy", MASTERZONE },
- { "database", MASTERZONE | SLAVEZONE | STUBZONE },
- { "key-directory", MASTERZONE },
- };
-
- static optionstable dialups[] = {
- { "notify", MASTERZONE | SLAVEZONE },
- { "notify-passive", SLAVEZONE },
- { "refresh", SLAVEZONE | STUBZONE },
- { "passive", SLAVEZONE | STUBZONE },
- };
-
- zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
-
- zoptions = cfg_tuple_get(zconfig, "options");
-
- obj = NULL;
- (void)cfg_map_get(zoptions, "type", &obj);
- if (obj == NULL) {
- cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
- "zone '%s': type not present", zname);
- return (ISC_R_FAILURE);
- }
-
- typestr = cfg_obj_asstring(obj);
- if (strcasecmp(typestr, "master") == 0)
- ztype = MASTERZONE;
- else if (strcasecmp(typestr, "slave") == 0)
- ztype = SLAVEZONE;
- else if (strcasecmp(typestr, "stub") == 0)
- ztype = STUBZONE;
- else if (strcasecmp(typestr, "forward") == 0)
- ztype = FORWARDZONE;
- else if (strcasecmp(typestr, "hint") == 0)
- ztype = HINTZONE;
- else if (strcasecmp(typestr, "delegation-only") == 0)
- ztype = DELEGATIONZONE;
- else {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "zone '%s': invalid type %s",
- zname, typestr);
- return (ISC_R_FAILURE);
- }
-
- obj = cfg_tuple_get(zconfig, "class");
- if (cfg_obj_isstring(obj)) {
- isc_textregion_t r;
-
- DE_CONST(cfg_obj_asstring(obj), r.base);
- r.length = strlen(r.base);
- result = dns_rdataclass_fromtext(&zclass, &r);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "zone '%s': invalid class %s",
- zname, r.base);
- return (ISC_R_FAILURE);
- }
- if (zclass != defclass) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "zone '%s': class '%s' does not "
- "match view/default class",
- zname, r.base);
- return (ISC_R_FAILURE);
- }
- }
-
- /*
- * Look for an already existing zone.
- * We need to make this cannonical as isc_symtab_define()
- * deals with strings.
- */
- dns_fixedname_init(&fixedname);
- isc_buffer_init(&b, zname, strlen(zname));
- isc_buffer_add(&b, strlen(zname));
- tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
- dns_rootname, ISC_TRUE, NULL);
- if (result != ISC_R_SUCCESS) {
- cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
- "zone '%s': is not a valid name", zname);
- tresult = ISC_R_FAILURE;
- } else {
- char namebuf[DNS_NAME_FORMATSIZE];
-
- dns_name_format(dns_fixedname_name(&fixedname),
- namebuf, sizeof(namebuf));
- tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 : 2,
- symtab, "zone '%s': already exists "
- "previous definition: %s:%u", logctx, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- }
-
- /*
- * Look for inappropriate options for the given zone type.
- */
- for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
- obj = NULL;
- if ((options[i].allowed & ztype) == 0 &&
- cfg_map_get(zoptions, options[i].name, &obj) ==
- ISC_R_SUCCESS)
- {
- if (strcmp(options[i].name, "allow-update") != 0 ||
- ztype != SLAVEZONE) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "option '%s' is not allowed "
- "in '%s' zone '%s'",
- options[i].name, typestr, zname);
- result = ISC_R_FAILURE;
- } else
- cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
- "option '%s' is not allowed "
- "in '%s' zone '%s'",
- options[i].name, typestr, zname);
- }
- }
-
- /*
- * Slave & stub zones must have a "masters" field.
- */
- if (ztype == SLAVEZONE || ztype == STUBZONE) {
- obj = NULL;
- if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
- cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
- "zone '%s': missing 'masters' entry",
- zname);
- result = ISC_R_FAILURE;
- } else {
- isc_uint32_t count;
- tresult = validate_masters(obj, config, &count,
- logctx, mctx);
- if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
- result = tresult;
- if (tresult == ISC_R_SUCCESS && count == 0) {
- cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
- "zone '%s': empty 'masters' entry",
- zname);
- result = ISC_R_FAILURE;
- }
- }
- }
-
- /*
- * Master zones can't have both "allow-update" and "update-policy".
- */
- if (ztype == MASTERZONE) {
- isc_result_t res1, res2;
- obj = NULL;
- res1 = cfg_map_get(zoptions, "allow-update", &obj);
- obj = NULL;
- res2 = cfg_map_get(zoptions, "update-policy", &obj);
- if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "zone '%s': 'allow-update' is ignored "
- "when 'update-policy' is present",
- zname);
- result = ISC_R_FAILURE;
- }
- }
-
- /*
- * Check the excessively complicated "dialup" option.
- */
- if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
- cfg_obj_t *dialup = NULL;
- (void)cfg_map_get(zoptions, "dialup", &dialup);
- if (dialup != NULL && cfg_obj_isstring(dialup)) {
- char *str = cfg_obj_asstring(dialup);
- for (i = 0;
- i < sizeof(dialups) / sizeof(dialups[0]);
- i++)
- {
- if (strcasecmp(dialups[i].name, str) != 0)
- continue;
- if ((dialups[i].allowed & ztype) == 0) {
- cfg_obj_log(obj, logctx,
- ISC_LOG_ERROR,
- "dialup type '%s' is not "
- "allowed in '%s' "
- "zone '%s'",
- str, typestr, zname);
- result = ISC_R_FAILURE;
- }
- break;
- }
- if (i == sizeof(dialups) / sizeof(dialups[0])) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "invalid dialup type '%s' in zone "
- "'%s'", str, zname);
- result = ISC_R_FAILURE;
- }
- }
- }
-
- /*
- * Check that forwarding is reasonable.
- */
- if (check_forward(zoptions, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
-
- /*
- * Check various options.
- */
- tresult = check_options(zoptions, logctx, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
-
- /*
- * If the zone type is rbt/rbt64 then master/hint zones
- * require file clauses.
- */
- obj = NULL;
- tresult = cfg_map_get(zoptions, "database", &obj);
- if (tresult == ISC_R_NOTFOUND ||
- (tresult == ISC_R_SUCCESS &&
- (strcmp("rbt", cfg_obj_asstring(obj)) == 0 ||
- strcmp("rbt64", cfg_obj_asstring(obj)) == 0))) {
- obj = NULL;
- tresult = cfg_map_get(zoptions, "file", &obj);
- if (tresult != ISC_R_SUCCESS &&
- (ztype == MASTERZONE || ztype == HINTZONE)) {
- cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
- "zone '%s': missing 'file' entry",
- zname);
- result = tresult;
- }
- }
-
- return (result);
-}
-
-isc_result_t
-bind9_check_key(cfg_obj_t *key, isc_log_t *logctx) {
- cfg_obj_t *algobj = NULL;
- cfg_obj_t *secretobj = NULL;
- const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
-
- (void)cfg_map_get(key, "algorithm", &algobj);
- (void)cfg_map_get(key, "secret", &secretobj);
- if (secretobj == NULL || algobj == NULL) {
- cfg_obj_log(key, logctx, ISC_LOG_ERROR,
- "key '%s' must have both 'secret' and "
- "'algorithm' defined",
- keyname);
- return (ISC_R_FAILURE);
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- cfg_listelt_t *element;
-
- for (element = cfg_list_first(keys);
- element != NULL;
- element = cfg_list_next(element))
- {
- cfg_obj_t *key = cfg_listelt_value(element);
- const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
- isc_symvalue_t symvalue;
-
- symvalue.as_pointer = key;
- tresult = isc_symtab_define(symtab, keyname, 1,
- symvalue, isc_symexists_reject);
- if (tresult == ISC_R_EXISTS) {
- const char *file;
- unsigned int line;
-
- RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname,
- 1, &symvalue) == ISC_R_SUCCESS);
- file = cfg_obj_file(symvalue.as_pointer);
- line = cfg_obj_line(symvalue.as_pointer);
-
- if (file == NULL)
- file = "<unknown file>";
- cfg_obj_log(key, logctx, ISC_LOG_ERROR,
- "key '%s': already exists "
- "previous definition: %s:%u",
- keyname, file, line);
- result = tresult;
- } else if (tresult != ISC_R_SUCCESS)
- return (tresult);
-
- tresult = bind9_check_key(key, logctx);
- if (tresult != ISC_R_SUCCESS)
- return (tresult);
- }
- return (result);
-}
-
-static isc_result_t
-check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
- isc_result_t result = ISC_R_SUCCESS;
- cfg_listelt_t *e1, *e2;
- cfg_obj_t *v1, *v2;
- isc_sockaddr_t *s1, *s2;
- isc_netaddr_t na;
- cfg_obj_t *ts;
- char buf[128];
- const char *xfr;
- isc_buffer_t target;
-
- for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
- v1 = cfg_listelt_value(e1);
- s1 = cfg_obj_assockaddr(cfg_map_getname(v1));
- ts = NULL;
- if (isc_sockaddr_pf(s1) == AF_INET)
- xfr = "transfer-source-v6";
- else
- xfr = "transfer-source";
- (void)cfg_map_get(v1, xfr, &ts);
- if (ts != NULL) {
- isc_netaddr_fromsockaddr(&na, s1);
- isc_buffer_init(&target, buf, sizeof(buf) - 1);
- RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
- == ISC_R_SUCCESS);
- buf[isc_buffer_usedlength(&target)] = '\0';
- cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
- "server '%s': %s not valid", buf, xfr);
- result = ISC_R_FAILURE;
- }
- e2 = e1;
- while ((e2 = cfg_list_next(e2)) != NULL) {
- v2 = cfg_listelt_value(e2);
- s2 = cfg_obj_assockaddr(cfg_map_getname(v2));
- if (isc_sockaddr_eqaddr(s1, s2)) {
- const char *file = cfg_obj_file(v1);
- unsigned int line = cfg_obj_line(v1);
-
- if (file == NULL)
- file = "<unknown file>";
-
- isc_netaddr_fromsockaddr(&na, s2);
- isc_buffer_init(&target, buf, sizeof(buf) - 1);
- RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
- == ISC_R_SUCCESS);
- buf[isc_buffer_usedlength(&target)] = '\0';
-
- cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
- "server '%s': already exists "
- "previous definition: %s:%u",
- buf, file, line);
- result = ISC_R_FAILURE;
- }
- }
- }
- return (result);
-}
-
-static isc_result_t
-check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
- isc_log_t *logctx, isc_mem_t *mctx)
-{
- cfg_obj_t *servers = NULL;
- cfg_obj_t *zones = NULL;
- cfg_obj_t *keys = NULL;
- cfg_listelt_t *element;
- isc_symtab_t *symtab = NULL;
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult = ISC_R_SUCCESS;
-
- /*
- * Check that all zone statements are syntactically correct and
- * there are no duplicate zones.
- */
- tresult = isc_symtab_create(mctx, 100, freekey, mctx,
- ISC_FALSE, &symtab);
- if (tresult != ISC_R_SUCCESS)
- return (ISC_R_NOMEMORY);
-
- if (vconfig != NULL)
- (void)cfg_map_get(vconfig, "zone", &zones);
- else
- (void)cfg_map_get(config, "zone", &zones);
-
- for (element = cfg_list_first(zones);
- element != NULL;
- element = cfg_list_next(element))
- {
- isc_result_t tresult;
- cfg_obj_t *zone = cfg_listelt_value(element);
-
- tresult = check_zoneconf(zone, config, symtab, vclass,
- logctx, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
-
- isc_symtab_destroy(&symtab);
-
- /*
- * Check that all key statements are syntactically correct and
- * there are no duplicate keys.
- */
- tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
- if (tresult != ISC_R_SUCCESS)
- return (ISC_R_NOMEMORY);
-
- (void)cfg_map_get(config, "key", &keys);
- tresult = check_keylist(keys, symtab, logctx);
- if (tresult == ISC_R_EXISTS)
- result = ISC_R_FAILURE;
- else if (tresult != ISC_R_SUCCESS) {
- isc_symtab_destroy(&symtab);
- return (tresult);
- }
-
- if (vconfig != NULL) {
- keys = NULL;
- (void)cfg_map_get(vconfig, "key", &keys);
- tresult = check_keylist(keys, symtab, logctx);
- if (tresult == ISC_R_EXISTS)
- result = ISC_R_FAILURE;
- else if (tresult != ISC_R_SUCCESS) {
- isc_symtab_destroy(&symtab);
- return (tresult);
- }
- }
-
- isc_symtab_destroy(&symtab);
-
- /*
- * Check that forwarding is reasonable.
- */
- if (vconfig == NULL) {
- cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- if (check_forward(options, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- } else {
- if (check_forward(vconfig, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
- /*
- * Check that dual-stack-servers is reasonable.
- */
- if (vconfig == NULL) {
- cfg_obj_t *options = NULL;
- (void)cfg_map_get(config, "options", &options);
- if (options != NULL)
- if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- } else {
- if (check_dual_stack(vconfig, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
-
- /*
- * Check that rrset-order is reasonable.
- */
- if (vconfig != NULL) {
- if (check_order(vconfig, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
-
- if (vconfig != NULL) {
- (void)cfg_map_get(vconfig, "server", &servers);
- if (servers != NULL &&
- check_servers(servers, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
-
- if (vconfig != NULL)
- tresult = check_options(vconfig, logctx, mctx);
- else
- tresult = check_options(config, logctx, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
-
- return (result);
-}
-
-
-isc_result_t
-bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
- cfg_obj_t *options = NULL;
- cfg_obj_t *servers = NULL;
- cfg_obj_t *views = NULL;
- cfg_obj_t *acls = NULL;
- cfg_obj_t *kals = NULL;
- cfg_obj_t *obj;
- cfg_listelt_t *velement;
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t tresult;
- isc_symtab_t *symtab = NULL;
-
- static const char *builtin[] = { "localhost", "localnets",
- "any", "none"};
-
- (void)cfg_map_get(config, "options", &options);
-
- if (options != NULL &&
- check_options(options, logctx, mctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
-
- (void)cfg_map_get(config, "server", &servers);
- if (servers != NULL &&
- check_servers(servers, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
-
- if (options != NULL &&
- check_order(options, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
-
- (void)cfg_map_get(config, "view", &views);
-
- if (views != NULL && options != NULL)
- if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
-
- if (views == NULL) {
- if (check_viewconf(config, NULL, dns_rdataclass_in,
- logctx, mctx) != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- } else {
- cfg_obj_t *zones = NULL;
-
- (void)cfg_map_get(config, "zone", &zones);
- if (zones != NULL) {
- cfg_obj_log(zones, logctx, ISC_LOG_ERROR,
- "when using 'view' statements, "
- "all zones must be in views");
- result = ISC_R_FAILURE;
- }
- }
-
- tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
- if (tresult != ISC_R_SUCCESS)
- result = tresult;
- for (velement = cfg_list_first(views);
- velement != NULL;
- velement = cfg_list_next(velement))
- {
- cfg_obj_t *view = cfg_listelt_value(velement);
- cfg_obj_t *vname = cfg_tuple_get(view, "name");
- cfg_obj_t *voptions = cfg_tuple_get(view, "options");
- cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
- dns_rdataclass_t vclass = dns_rdataclass_in;
- isc_result_t tresult = ISC_R_SUCCESS;
- const char *key = cfg_obj_asstring(vname);
- isc_symvalue_t symvalue;
-
- if (cfg_obj_isstring(vclassobj)) {
- isc_textregion_t r;
-
- DE_CONST(cfg_obj_asstring(vclassobj), r.base);
- r.length = strlen(r.base);
- tresult = dns_rdataclass_fromtext(&vclass, &r);
- if (tresult != ISC_R_SUCCESS)
- cfg_obj_log(vclassobj, logctx, ISC_LOG_ERROR,
- "view '%s': invalid class %s",
- cfg_obj_asstring(vname), r.base);
- }
- if (tresult == ISC_R_SUCCESS && symtab != NULL) {
- symvalue.as_pointer = view;
- tresult = isc_symtab_define(symtab, key, vclass,
- symvalue,
- isc_symexists_reject);
- if (tresult == ISC_R_EXISTS) {
- const char *file;
- unsigned int line;
- RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
- vclass, &symvalue) == ISC_R_SUCCESS);
- file = cfg_obj_file(symvalue.as_pointer);
- line = cfg_obj_line(symvalue.as_pointer);
- cfg_obj_log(view, logctx, ISC_LOG_ERROR,
- "view '%s': already exists "
- "previous definition: %s:%u",
- key, file, line);
- result = tresult;
- } else if (result != ISC_R_SUCCESS) {
- result = tresult;
- } else if ((strcasecmp(key, "_bind") == 0 &&
- vclass == dns_rdataclass_ch) ||
- (strcasecmp(key, "_default") == 0 &&
- vclass == dns_rdataclass_in)) {
- cfg_obj_log(view, logctx, ISC_LOG_ERROR,
- "attempt to redefine builtin view "
- "'%s'", key);
- result = ISC_R_EXISTS;
- }
- }
- if (tresult == ISC_R_SUCCESS)
- tresult = check_viewconf(config, voptions,
- vclass, logctx, mctx);
- if (tresult != ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- }
- if (symtab != NULL)
- isc_symtab_destroy(&symtab);
-
- if (views != NULL && options != NULL) {
- obj = NULL;
- tresult = cfg_map_get(options, "cache-file", &obj);
- if (tresult == ISC_R_SUCCESS) {
- cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
- "'cache-file' cannot be a global "
- "option if views are present");
- result = ISC_R_FAILURE;
- }
- }
-
- tresult = cfg_map_get(config, "acl", &acls);
- if (tresult == ISC_R_SUCCESS) {
- cfg_listelt_t *elt;
- cfg_listelt_t *elt2;
- const char *aclname;
-
- for (elt = cfg_list_first(acls);
- elt != NULL;
- elt = cfg_list_next(elt)) {
- cfg_obj_t *acl = cfg_listelt_value(elt);
- unsigned int i;
-
- aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
- for (i = 0;
- i < sizeof(builtin) / sizeof(builtin[0]);
- i++)
- if (strcasecmp(aclname, builtin[i]) == 0) {
- cfg_obj_log(acl, logctx, ISC_LOG_ERROR,
- "attempt to redefine "
- "builtin acl '%s'",
- aclname);
- result = ISC_R_FAILURE;
- break;
- }
-
- for (elt2 = cfg_list_next(elt);
- elt2 != NULL;
- elt2 = cfg_list_next(elt2)) {
- cfg_obj_t *acl2 = cfg_listelt_value(elt2);
- const char *name;
- name = cfg_obj_asstring(cfg_tuple_get(acl2,
- "name"));
- if (strcasecmp(aclname, name) == 0) {
- const char *file = cfg_obj_file(acl);
- unsigned int line = cfg_obj_line(acl);
-
- if (file == NULL)
- file = "<unknown file>";
-
- cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
- "attempt to redefine "
- "acl '%s' previous "
- "definition: %s:%u",
- name, file, line);
- result = ISC_R_FAILURE;
- }
- }
- }
- }
-
- tresult = cfg_map_get(config, "kal", &kals);
- if (tresult == ISC_R_SUCCESS) {
- cfg_listelt_t *elt;
- cfg_listelt_t *elt2;
- const char *aclname;
-
- for (elt = cfg_list_first(kals);
- elt != NULL;
- elt = cfg_list_next(elt)) {
- cfg_obj_t *acl = cfg_listelt_value(elt);
-
- aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
-
- for (elt2 = cfg_list_next(elt);
- elt2 != NULL;
- elt2 = cfg_list_next(elt2)) {
- cfg_obj_t *acl2 = cfg_listelt_value(elt2);
- const char *name;
- name = cfg_obj_asstring(cfg_tuple_get(acl2,
- "name"));
- if (strcasecmp(aclname, name) == 0) {
- const char *file = cfg_obj_file(acl);
- unsigned int line = cfg_obj_line(acl);
-
- if (file == NULL)
- file = "<unknown file>";
-
- cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
- "attempt to redefine "
- "kal '%s' previous "
- "definition: %s:%u",
- name, file, line);
- result = ISC_R_FAILURE;
- }
- }
- }
- }
-
- return (result);
-}
diff --git a/contrib/bind9/lib/bind9/getaddresses.c b/contrib/bind9/lib/bind9/getaddresses.c
deleted file mode 100644
index 02d110478cc1..000000000000
--- a/contrib/bind9/lib/bind9/getaddresses.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddresses.c,v 1.13.126.8 2005/10/14 02:13:06 marka Exp $ */
-
-#include <config.h>
-#include <string.h>
-
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/netdb.h>
-#include <isc/netscope.h>
-#include <isc/result.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <bind9/getaddresses.h>
-
-#ifdef HAVE_ADDRINFO
-#ifdef HAVE_GETADDRINFO
-#ifdef HAVE_GAISTRERROR
-#define USE_GETADDRINFO
-#endif
-#endif
-#endif
-
-#ifndef USE_GETADDRINFO
-#ifndef ISC_PLATFORM_NONSTDHERRNO
-extern int h_errno;
-#endif
-#endif
-
-isc_result_t
-bind9_getaddresses(const char *hostname, in_port_t port,
- isc_sockaddr_t *addrs, int addrsize, int *addrcount)
-{
- struct in_addr in4;
- struct in6_addr in6;
- isc_boolean_t have_ipv4, have_ipv6;
- int i;
-
-#ifdef USE_GETADDRINFO
- struct addrinfo *ai = NULL, *tmpai, hints;
- int result;
-#else
- struct hostent *he;
-#endif
-
- REQUIRE(hostname != NULL);
- REQUIRE(addrs != NULL);
- REQUIRE(addrcount != NULL);
- REQUIRE(addrsize > 0);
-
- have_ipv4 = ISC_TF((isc_net_probeipv4() == ISC_R_SUCCESS));
- have_ipv6 = ISC_TF((isc_net_probeipv6() == ISC_R_SUCCESS));
-
- /*
- * Try IPv4, then IPv6. In order to handle the extended format
- * for IPv6 scoped addresses (address%scope_ID), we'll use a local
- * working buffer of 128 bytes. The length is an ad-hoc value, but
- * should be enough for this purpose; the buffer can contain a string
- * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
- * addresses (up to 46 bytes), the delimiter character and the
- * terminating NULL character.
- */
- if (inet_pton(AF_INET, hostname, &in4) == 1) {
- if (have_ipv4)
- isc_sockaddr_fromin(&addrs[0], &in4, port);
- else
- isc_sockaddr_v6fromin(&addrs[0], &in4, port);
- *addrcount = 1;
- return (ISC_R_SUCCESS);
- } else if (strlen(hostname) <= 127U) {
- char tmpbuf[128], *d;
- isc_uint32_t zone = 0;
-
- strcpy(tmpbuf, hostname);
- d = strchr(tmpbuf, '%');
- if (d != NULL)
- *d = '\0';
-
- if (inet_pton(AF_INET6, tmpbuf, &in6) == 1) {
- isc_netaddr_t na;
-
- if (!have_ipv6)
- return (ISC_R_FAMILYNOSUPPORT);
-
- if (d != NULL) {
-#ifdef ISC_PLATFORM_HAVESCOPEID
- isc_result_t result;
-
- result = isc_netscope_pton(AF_INET6, d + 1,
- &in6, &zone);
-
- if (result != ISC_R_SUCCESS)
- return (result);
-#else
- /*
- * The extended format is specified while the
- * system does not provide the ability to use
- * it. Throw an explicit error instead of
- * ignoring the specified value.
- */
- return (ISC_R_BADADDRESSFORM);
-#endif
- }
-
- isc_netaddr_fromin6(&na, &in6);
- isc_netaddr_setzone(&na, zone);
- isc_sockaddr_fromnetaddr(&addrs[0],
- (const isc_netaddr_t *)&na,
- port);
-
- *addrcount = 1;
- return (ISC_R_SUCCESS);
-
- }
- }
-#ifdef USE_GETADDRINFO
- memset(&hints, 0, sizeof(hints));
- if (!have_ipv6)
- hints.ai_family = PF_INET;
- else if (!have_ipv4)
- hints.ai_family = PF_INET6;
- else {
- hints.ai_family = PF_UNSPEC;
-#ifdef AI_ADDRCONFIG
- hints.ai_flags = AI_ADDRCONFIG;
-#endif
- }
- hints.ai_socktype = SOCK_STREAM;
-#ifdef AI_ADDRCONFIG
- again:
-#endif
- result = getaddrinfo(hostname, NULL, &hints, &ai);
- switch (result) {
- case 0:
- break;
- case EAI_NONAME:
-#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
- case EAI_NODATA:
-#endif
- return (ISC_R_NOTFOUND);
-#ifdef AI_ADDRCONFIG
- case EAI_BADFLAGS:
- if ((hints.ai_flags & AI_ADDRCONFIG) != 0) {
- hints.ai_flags &= ~AI_ADDRCONFIG;
- goto again;
- }
-#endif
- default:
- return (ISC_R_FAILURE);
- }
- for (tmpai = ai, i = 0;
- tmpai != NULL && i < addrsize;
- tmpai = tmpai->ai_next)
- {
- if (tmpai->ai_family != AF_INET &&
- tmpai->ai_family != AF_INET6)
- continue;
- if (tmpai->ai_family == AF_INET) {
- struct sockaddr_in *sin;
- sin = (struct sockaddr_in *)tmpai->ai_addr;
- isc_sockaddr_fromin(&addrs[i], &sin->sin_addr, port);
- } else {
- struct sockaddr_in6 *sin6;
- sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
- isc_sockaddr_fromin6(&addrs[i], &sin6->sin6_addr,
- port);
- }
- i++;
-
- }
- freeaddrinfo(ai);
- *addrcount = i;
-#else
- he = gethostbyname(hostname);
- if (he == NULL) {
- switch (h_errno) {
- case HOST_NOT_FOUND:
-#ifdef NO_DATA
- case NO_DATA:
-#endif
-#if defined(NO_ADDRESS) && (!defined(NO_DATA) || (NO_DATA != NO_ADDRESS))
- case NO_ADDRESS:
-#endif
- return (ISC_R_NOTFOUND);
- default:
- return (ISC_R_FAILURE);
- }
- }
- if (he->h_addrtype != AF_INET && he->h_addrtype != AF_INET6)
- return (ISC_R_NOTFOUND);
- for (i = 0; i < addrsize; i++) {
- if (he->h_addrtype == AF_INET) {
- struct in_addr *inp;
- inp = (struct in_addr *)(he->h_addr_list[i]);
- if (inp == NULL)
- break;
- isc_sockaddr_fromin(&addrs[i], inp, port);
- } else {
- struct in6_addr *in6p;
- in6p = (struct in6_addr *)(he->h_addr_list[i]);
- if (in6p == NULL)
- break;
- isc_sockaddr_fromin6(&addrs[i], in6p, port);
- }
- }
- *addrcount = i;
-#endif
- if (*addrcount == 0)
- return (ISC_R_NOTFOUND);
- else
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/bind9/include/Makefile.in b/contrib/bind9/lib/bind9/include/Makefile.in
deleted file mode 100644
index 9081d9ecb1b0..000000000000
--- a/contrib/bind9/lib/bind9/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.200.3 2004/03/08 09:04:27 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = bind9
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind9/include/bind9/Makefile.in b/contrib/bind9/lib/bind9/include/bind9/Makefile.in
deleted file mode 100644
index dec298276d3a..000000000000
--- a/contrib/bind9/lib/bind9/include/bind9/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.5.200.4 2004/03/08 09:04:28 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated. The latter are handled specially in the
-# install target below.
-#
-HEADERS = check.h getaddresses.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/bind9
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/bind9 ; \
- done
diff --git a/contrib/bind9/lib/bind9/include/bind9/check.h b/contrib/bind9/lib/bind9/include/bind9/check.h
deleted file mode 100644
index dcda517bb430..000000000000
--- a/contrib/bind9/lib/bind9/include/bind9/check.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: check.h,v 1.1.200.4 2004/03/08 09:04:28 marka Exp $ */
-
-#ifndef BIND9_CHECK_H
-#define BIND9_CHECK_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <isccfg/cfg.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
-/*
- * Check the syntactic validity of a configuration parse tree generated from
- * a named.conf file.
- *
- * Requires:
- * config is a valid parse tree
- *
- * logctx is a valid logging context.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_FAILURE
- */
-
-isc_result_t
-bind9_check_key(cfg_obj_t *config, isc_log_t *logctx);
-/*
- * As above, but for a single 'key' statement.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* BIND9_CHECK_H */
diff --git a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
deleted file mode 100644
index 4a3a5466ea40..000000000000
--- a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddresses.h,v 1.2.200.3 2004/03/08 09:04:28 marka Exp $ */
-
-#ifndef BIND9_GETADDRESSES_H
-#define BIND9_GETADDRESSES_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <isc/net.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-bind9_getaddresses(const char *hostname, in_port_t port,
- isc_sockaddr_t *addrs, int addrsize, int *addrcount);
-/*
- * Use the system resolver to get the addresses associated with a hostname.
- * If successful, the number of addresses found is returned in 'addrcount'.
- * If a hostname lookup is performed and addresses of an unknown family is
- * seen, it is ignored. If more than 'addrsize' addresses are seen, the
- * first 'addrsize' are returned and the remainder silently truncated.
- *
- * This routine may block. If called by a program using the isc_app
- * framework, it should be surounded by isc_app_block()/isc_app_unblock().
- *
- * Requires:
- * 'hostname' is not NULL.
- * 'addrs' is not NULL.
- * 'addrsize' > 0
- * 'addrcount' is not NULL.
- *
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- * ISC_R_NOFAMILYSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
- * not supported.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* BIND9_GETADDRESSES_H */
diff --git a/contrib/bind9/lib/bind9/include/bind9/version.h b/contrib/bind9/lib/bind9/include/bind9/version.h
deleted file mode 100644
index a3b812ea8f1c..000000000000
--- a/contrib/bind9/lib/bind9/include/bind9/version.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.2.208.3 2004/03/08 09:04:28 marka Exp $ */
-
-#include <isc/platform.h>
-
-LIBBIND9_EXTERNAL_DATA extern const char bind9_version[];
-
-LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libinterface;
-LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_librevision;
-LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libage;
diff --git a/contrib/bind9/lib/bind9/version.c b/contrib/bind9/lib/bind9/version.c
deleted file mode 100644
index 5fee2cf4316a..000000000000
--- a/contrib/bind9/lib/bind9/version.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.3.200.4 2004/03/08 09:04:27 marka Exp $ */
-
-#include <bind9/version.h>
-
-const char bind9_version[] = VERSION;
-
-const unsigned int bind9_libinterface = LIBINTERFACE;
-const unsigned int bind9_librevision = LIBREVISION;
-const unsigned int bind9_libage = LIBAGE;
diff --git a/contrib/bind9/lib/dns/Makefile.in b/contrib/bind9/lib/dns/Makefile.in
deleted file mode 100644
index fbbec2eba8e7..000000000000
--- a/contrib/bind9/lib/dns/Makefile.in
+++ /dev/null
@@ -1,168 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.126.2.3.2.17 2004/12/09 04:07:15 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-# Attempt to disable parallel processing.
-.NOTPARALLEL:
-.NO_PARALLEL:
-
-@BIND9_VERSION@
-
-@LIBDNS_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \
- ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-
-CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
-CWARNINGS =
-
-ISCLIBS = ../../lib/isc/libisc.@A@
-
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-
-LIBS = @LIBS@
-
-# Alphabetically
-
-DSTOBJS = dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
- gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
- openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
- opensslrsa_link.@O@
-
-# Alphabetically
-DNSOBJS = acl.@O@ adb.@O@ byaddr.@O@ \
- cache.@O@ callbacks.@O@ compress.@O@ \
- db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
- dnssec.@O@ ds.@O@ forward.@O@ journal.@O@ keytable.@O@ \
- lib.@O@ log.@O@ lookup.@O@ \
- master.@O@ masterdump.@O@ message.@O@ \
- name.@O@ ncache.@O@ nsec.@O@ order.@O@ peer.@O@ portlist.@O@ \
- rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
- rdatalist.@O@ \
- rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
- resolver.@O@ result.@O@ rootns.@O@ sdb.@O@ soa.@O@ ssu.@O@ \
- stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
- tsig.@O@ ttl.@O@ validator.@O@ \
- version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
-
-OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
-
-# Alphabetically
-DSTSRCS = dst_api.c dst_lib.c dst_parse.c \
- dst_result.c gssapi_link.c gssapictx.c \
- hmac_link.c key.c \
- openssl_link.c openssldh_link.c \
- openssldsa_link.c opensslrsa_link.c
-
-SRCS = acl.c adb.c byaddr.c \
- cache.c callbacks.c compress.c \
- db.c dbiterator.c dbtable.c diff.c dispatch.c \
- dnssec.c ds.c forward.c journal.c keytable.c \
- lib.c log.c lookup.c \
- master.c masterdump.c message.c \
- name.c ncache.c nsec.c order.c peer.c portlist.c \
- rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
- rdatalist.c \
- rdataset.c rdatasetiter.c rdataslab.c request.c \
- resolver.c result.c rootns.c sdb.c soa.c ssu.c \
- stats.c tcpmsg.c time.c timer.c tkey.c \
- tsig.c ttl.c validator.c \
- version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
-SRCS = ${DSTSRCS} ${DNSSRCS}
-
-SUBDIRS = include
-TARGETS = include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h timestamp
-
-DEPENDEXTRA = ./gen -F include/dns/rdatastruct.h \
- -s ${srcdir} -d >> Makefile ;
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DLIBINTERFACE=${LIBINTERFACE} \
- -DLIBREVISION=${LIBREVISION} \
- -DLIBAGE=${LIBAGE} \
- -c ${srcdir}/version.c
-
-libdns.@SA@: ${OBJS}
- ${AR} ${ARFLAGS} $@ ${OBJS}
- ${RANLIB} $@
-
-libdns.la: ${OBJS}
- ${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
- -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
-
-timestamp: libdns.@A@
- touch timestamp
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
- rm -f libdns.@A@ timestamp
- rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
- rm -f include/dns/rdatastruct.h
-
-newrr::
- rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
- rm -f include/dns/rdatastruct.h
-
-include: include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h
-
-rdata.@O@: code.h
-
-include/dns/enumtype.h: gen
- ./gen -s ${srcdir} -t > $@
-
-include/dns/enumclass.h: gen
- ./gen -s ${srcdir} -c > $@
-
-include/dns/rdatastruct.h: gen \
- ${srcdir}/rdata/rdatastructpre.h \
- ${srcdir}/rdata/rdatastructsuf.h
- ./gen -s ${srcdir} -i \
- -P ${srcdir}/rdata/rdatastructpre.h \
- -S ${srcdir}/rdata/rdatastructsuf.h > $@
-
-code.h: gen
- ./gen -s ${srcdir} > code.h
-
-gen: gen.c
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
-
-rbtdb64.@O@: rbtdb.c
-
-depend: include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h code.h
-subdirs: include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h code.h
-${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
- include/dns/rdatastruct.h
diff --git a/contrib/bind9/lib/dns/acl.c b/contrib/bind9/lib/dns/acl.c
deleted file mode 100644
index d2814405a720..000000000000
--- a/contrib/bind9/lib/dns/acl.c
+++ /dev/null
@@ -1,446 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acl.c,v 1.23.52.4 2004/03/09 05:21:08 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-
-isc_result_t
-dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
- isc_result_t result;
- dns_acl_t *acl;
-
- /*
- * Work around silly limitation of isc_mem_get().
- */
- if (n == 0)
- n = 1;
-
- acl = isc_mem_get(mctx, sizeof(*acl));
- if (acl == NULL)
- return (ISC_R_NOMEMORY);
- acl->mctx = mctx;
- acl->name = NULL;
- isc_refcount_init(&acl->refcount, 1);
- acl->elements = NULL;
- acl->alloc = 0;
- acl->length = 0;
-
- ISC_LINK_INIT(acl, nextincache);
- /*
- * Must set magic early because we use dns_acl_detach() to clean up.
- */
- acl->magic = DNS_ACL_MAGIC;
-
- acl->elements = isc_mem_get(mctx, n * sizeof(dns_aclelement_t));
- if (acl->elements == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- acl->alloc = n;
- memset(acl->elements, 0, n * sizeof(dns_aclelement_t));
- *target = acl;
- return (ISC_R_SUCCESS);
-
- cleanup:
- dns_acl_detach(&acl);
- return (result);
-}
-
-isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
- if (acl->length + 1 > acl->alloc) {
- /*
- * Resize the ACL.
- */
- unsigned int newalloc;
- void *newmem;
-
- newalloc = acl->alloc * 2;
- if (newalloc < 4)
- newalloc = 4;
- newmem = isc_mem_get(acl->mctx,
- newalloc * sizeof(dns_aclelement_t));
- if (newmem == NULL)
- return (ISC_R_NOMEMORY);
- memcpy(newmem, acl->elements,
- acl->length * sizeof(dns_aclelement_t));
- isc_mem_put(acl->mctx, acl->elements,
- acl->alloc * sizeof(dns_aclelement_t));
- acl->elements = newmem;
- acl->alloc = newalloc;
- }
- /*
- * Append the new element.
- */
- acl->elements[acl->length++] = *elt;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
- isc_result_t result;
- dns_acl_t *acl = NULL;
- result = dns_acl_create(mctx, 1, &acl);
- if (result != ISC_R_SUCCESS)
- return (result);
- acl->elements[0].negative = neg;
- acl->elements[0].type = dns_aclelementtype_any;
- acl->length = 1;
- *target = acl;
- return (result);
-}
-
-isc_result_t
-dns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
- return (dns_acl_anyornone(mctx, ISC_FALSE, target));
-}
-
-isc_result_t
-dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
- return (dns_acl_anyornone(mctx, ISC_TRUE, target));
-}
-
-isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
- dns_name_t *reqsigner,
- dns_acl_t *acl,
- dns_aclenv_t *env,
- int *match,
- dns_aclelement_t **matchelt)
-{
- unsigned int i;
-
- REQUIRE(reqaddr != NULL);
- REQUIRE(matchelt == NULL || *matchelt == NULL);
-
- for (i = 0; i < acl->length; i++) {
- dns_aclelement_t *e = &acl->elements[i];
-
- if (dns_aclelement_match(reqaddr, reqsigner,
- e, env, matchelt)) {
- *match = e->negative ? -((int)i+1) : ((int)i+1);
- return (ISC_R_SUCCESS);
- }
- }
- /* No match. */
- *match = 0;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_acl_elementmatch(dns_acl_t *acl,
- dns_aclelement_t *elt,
- dns_aclelement_t **matchelt)
-{
- unsigned int i;
-
- REQUIRE(elt != NULL);
- REQUIRE(matchelt == NULL || *matchelt == NULL);
-
- for (i = 0; i < acl->length; i++) {
- dns_aclelement_t *e = &acl->elements[i];
-
- if (dns_aclelement_equal(e, elt) == ISC_TRUE) {
- if (matchelt != NULL)
- *matchelt = e;
- return (ISC_R_SUCCESS);
- }
- }
-
- return (ISC_R_NOTFOUND);
-}
-
-isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
- dns_name_t *reqsigner,
- dns_aclelement_t *e,
- dns_aclenv_t *env,
- dns_aclelement_t **matchelt)
-{
- dns_acl_t *inner = NULL;
- isc_netaddr_t *addr;
- isc_netaddr_t v4addr;
- int indirectmatch;
- isc_result_t result;
-
- switch (e->type) {
- case dns_aclelementtype_ipprefix:
- if (env == NULL ||
- env->match_mapped == ISC_FALSE ||
- reqaddr->family != AF_INET6 ||
- !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
- addr = reqaddr;
- else {
- isc_netaddr_fromv4mapped(&v4addr, reqaddr);
- addr = &v4addr;
- }
-
- if (isc_netaddr_eqprefix(addr,
- &e->u.ip_prefix.address,
- e->u.ip_prefix.prefixlen))
- goto matched;
- break;
-
- case dns_aclelementtype_keyname:
- if (reqsigner != NULL &&
- dns_name_equal(reqsigner, &e->u.keyname))
- goto matched;
- break;
-
- case dns_aclelementtype_nestedacl:
- inner = e->u.nestedacl;
- nested:
- result = dns_acl_match(reqaddr, reqsigner,
- inner,
- env,
- &indirectmatch, matchelt);
- INSIST(result == ISC_R_SUCCESS);
-
- /*
- * Treat negative matches in indirect ACLs as
- * "no match".
- * That way, a negated indirect ACL will never become
- * a surprise positive match through double negation.
- * XXXDCL this should be documented.
- */
- if (indirectmatch > 0)
- goto matchelt_set;
-
- /*
- * A negative indirect match may have set *matchelt,
- * but we don't want it set when we return.
- */
- if (matchelt != NULL)
- *matchelt = NULL;
- break;
-
- case dns_aclelementtype_any:
- matched:
- if (matchelt != NULL)
- *matchelt = e;
- matchelt_set:
- return (ISC_TRUE);
-
- case dns_aclelementtype_localhost:
- if (env != NULL && env->localhost != NULL) {
- inner = env->localhost;
- goto nested;
- } else {
- break;
- }
-
- case dns_aclelementtype_localnets:
- if (env != NULL && env->localnets != NULL) {
- inner = env->localnets;
- goto nested;
- } else {
- break;
- }
-
- default:
- INSIST(0);
- break;
- }
-
- return (ISC_FALSE);
-}
-
-void
-dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
- REQUIRE(DNS_ACL_VALID(source));
- isc_refcount_increment(&source->refcount, NULL);
- *target = source;
-}
-
-static void
-destroy(dns_acl_t *dacl) {
- unsigned int i;
- for (i = 0; i < dacl->length; i++) {
- dns_aclelement_t *de = &dacl->elements[i];
- switch (de->type) {
- case dns_aclelementtype_keyname:
- dns_name_free(&de->u.keyname, dacl->mctx);
- break;
- case dns_aclelementtype_nestedacl:
- dns_acl_detach(&de->u.nestedacl);
- break;
- default:
- break;
- }
- }
- if (dacl->elements != NULL)
- isc_mem_put(dacl->mctx, dacl->elements,
- dacl->alloc * sizeof(dns_aclelement_t));
- if (dacl->name != NULL)
- isc_mem_free(dacl->mctx, dacl->name);
- isc_refcount_destroy(&dacl->refcount);
- dacl->magic = 0;
- isc_mem_put(dacl->mctx, dacl, sizeof(*dacl));
-}
-
-void
-dns_acl_detach(dns_acl_t **aclp) {
- dns_acl_t *acl = *aclp;
- unsigned int refs;
- REQUIRE(DNS_ACL_VALID(acl));
- isc_refcount_decrement(&acl->refcount, &refs);
- if (refs == 0)
- destroy(acl);
- *aclp = NULL;
-}
-
-isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
- if (ea->type != eb->type)
- return (ISC_FALSE);
- switch (ea->type) {
- case dns_aclelementtype_ipprefix:
- if (ea->u.ip_prefix.prefixlen !=
- eb->u.ip_prefix.prefixlen)
- return (ISC_FALSE);
- return (isc_netaddr_eqprefix(&ea->u.ip_prefix.address,
- &eb->u.ip_prefix.address,
- ea->u.ip_prefix.prefixlen));
- case dns_aclelementtype_keyname:
- return (dns_name_equal(&ea->u.keyname, &eb->u.keyname));
- case dns_aclelementtype_nestedacl:
- return (dns_acl_equal(ea->u.nestedacl, eb->u.nestedacl));
- case dns_aclelementtype_localhost:
- case dns_aclelementtype_localnets:
- case dns_aclelementtype_any:
- return (ISC_TRUE);
- default:
- INSIST(0);
- return (ISC_FALSE);
- }
-}
-
-isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
- unsigned int i;
- if (a == b)
- return (ISC_TRUE);
- if (a->length != b->length)
- return (ISC_FALSE);
- for (i = 0; i < a->length; i++) {
- if (! dns_aclelement_equal(&a->elements[i],
- &b->elements[i]))
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-static isc_boolean_t
-is_loopback(dns_aclipprefix_t *p) {
- switch (p->address.family) {
- case AF_INET:
- if (p->prefixlen == 32 &&
- htonl(p->address.type.in.s_addr) == INADDR_LOOPBACK)
- return (ISC_TRUE);
- break;
- case AF_INET6:
- if (p->prefixlen == 128 &&
- IN6_IS_ADDR_LOOPBACK(&p->address.type.in6))
- return (ISC_TRUE);
- break;
- default:
- break;
- }
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a) {
- unsigned int i;
- for (i = 0; i < a->length; i++) {
- dns_aclelement_t *e = &a->elements[i];
-
- /* A negated match can never be insecure. */
- if (e->negative)
- continue;
-
- switch (e->type) {
- case dns_aclelementtype_ipprefix:
- /* The loopback address is considered secure. */
- if (! is_loopback(&e->u.ip_prefix))
- return (ISC_TRUE);
- continue;
-
- case dns_aclelementtype_keyname:
- case dns_aclelementtype_localhost:
- continue;
-
- case dns_aclelementtype_nestedacl:
- if (dns_acl_isinsecure(e->u.nestedacl))
- return (ISC_TRUE);
- continue;
-
- case dns_aclelementtype_localnets:
- case dns_aclelementtype_any:
- return (ISC_TRUE);
-
- default:
- INSIST(0);
- return (ISC_TRUE);
- }
- }
- /* No insecure elements were found. */
- return (ISC_FALSE);
-}
-
-isc_result_t
-dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
- isc_result_t result;
- env->localhost = NULL;
- env->localnets = NULL;
- result = dns_acl_create(mctx, 0, &env->localhost);
- if (result != ISC_R_SUCCESS)
- goto cleanup_nothing;
- result = dns_acl_create(mctx, 0, &env->localnets);
- if (result != ISC_R_SUCCESS)
- goto cleanup_localhost;
- env->match_mapped = ISC_FALSE;
- return (ISC_R_SUCCESS);
-
- cleanup_localhost:
- dns_acl_detach(&env->localhost);
- cleanup_nothing:
- return (result);
-}
-
-void
-dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
- dns_acl_detach(&t->localhost);
- dns_acl_attach(s->localhost, &t->localhost);
- dns_acl_detach(&t->localnets);
- dns_acl_attach(s->localnets, &t->localnets);
- t->match_mapped = s->match_mapped;
-}
-
-void
-dns_aclenv_destroy(dns_aclenv_t *env) {
- dns_acl_detach(&env->localhost);
- dns_acl_detach(&env->localnets);
-}
diff --git a/contrib/bind9/lib/dns/adb.c b/contrib/bind9/lib/dns/adb.c
deleted file mode 100644
index c0b31db1129d..000000000000
--- a/contrib/bind9/lib/dns/adb.c
+++ /dev/null
@@ -1,3597 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: adb.c,v 1.181.2.11.2.24 2005/10/14 05:19:00 marka Exp $ */
-
-/*
- * Implementation notes
- * --------------------
- *
- * In finds, if task == NULL, no events will be generated, and no events
- * have been sent. If task != NULL but taskaction == NULL, an event has been
- * posted but not yet freed. If neither are NULL, no event was posted.
- *
- */
-
-/*
- * After we have cleaned all buckets, dump the database contents.
- */
-#if 0
-#define DUMP_ADB_AFTER_CLEANING
-#endif
-
-#include <config.h>
-
-#include <limits.h>
-
-#include <isc/mutexblock.h>
-#include <isc/netaddr.h>
-#include <isc/random.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/adb.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-
-#define DNS_ADB_MAGIC ISC_MAGIC('D', 'a', 'd', 'b')
-#define DNS_ADB_VALID(x) ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
-#define DNS_ADBNAME_MAGIC ISC_MAGIC('a', 'd', 'b', 'N')
-#define DNS_ADBNAME_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
-#define DNS_ADBNAMEHOOK_MAGIC ISC_MAGIC('a', 'd', 'N', 'H')
-#define DNS_ADBNAMEHOOK_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
-#define DNS_ADBZONEINFO_MAGIC ISC_MAGIC('a', 'd', 'b', 'Z')
-#define DNS_ADBZONEINFO_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBZONEINFO_MAGIC)
-#define DNS_ADBENTRY_MAGIC ISC_MAGIC('a', 'd', 'b', 'E')
-#define DNS_ADBENTRY_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
-#define DNS_ADBFETCH_MAGIC ISC_MAGIC('a', 'd', 'F', '4')
-#define DNS_ADBFETCH_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
-#define DNS_ADBFETCH6_MAGIC ISC_MAGIC('a', 'd', 'F', '6')
-#define DNS_ADBFETCH6_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
-
-/*
- * The number of buckets needs to be a prime (for good hashing).
- *
- * XXXRTH How many buckets do we need?
- */
-#define NBUCKETS 1009 /* how many buckets for names/addrs */
-
-/*
- * For type 3 negative cache entries, we will remember that the address is
- * broken for this long. XXXMLG This is also used for actual addresses, too.
- * The intent is to keep us from constantly asking about A/AAAA records
- * if the zone has extremely low TTLs.
- */
-#define ADB_CACHE_MINIMUM 10 /* seconds */
-#define ADB_CACHE_MAXIMUM 86400 /* seconds (86400 = 24 hours) */
-#define ADB_ENTRY_WINDOW 1800 /* seconds */
-
-/*
- * Wake up every CLEAN_SECONDS and clean CLEAN_BUCKETS buckets, so that all
- * buckets are cleaned in CLEAN_PERIOD seconds.
- */
-#define CLEAN_PERIOD 3600
-#define CLEAN_SECONDS 30
-#define CLEAN_BUCKETS ((NBUCKETS * CLEAN_SECONDS) / CLEAN_PERIOD)
-
-#define FREE_ITEMS 64 /* free count for memory pools */
-#define FILL_COUNT 16 /* fill count for memory pools */
-
-#define DNS_ADB_INVALIDBUCKET (-1) /* invalid bucket address */
-
-#define DNS_ADB_MINADBSIZE (1024*1024) /* 1 Megabyte */
-
-typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
-typedef struct dns_adbnamehook dns_adbnamehook_t;
-typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
-typedef struct dns_adbzoneinfo dns_adbzoneinfo_t;
-typedef ISC_LIST(dns_adbentry_t) dns_adbentrylist_t;
-typedef struct dns_adbfetch dns_adbfetch_t;
-typedef struct dns_adbfetch6 dns_adbfetch6_t;
-
-struct dns_adb {
- unsigned int magic;
-
- isc_mutex_t lock;
- isc_mutex_t reflock; /* Covers irefcnt, erefcnt */
- isc_mem_t *mctx;
- dns_view_t *view;
- isc_timermgr_t *timermgr;
- isc_timer_t *timer;
- isc_taskmgr_t *taskmgr;
- isc_task_t *task;
- isc_boolean_t overmem;
-
- isc_interval_t tick_interval;
- int next_cleanbucket;
-
- unsigned int irefcnt;
- unsigned int erefcnt;
-
- isc_mutex_t mplock;
- isc_mempool_t *nmp; /* dns_adbname_t */
- isc_mempool_t *nhmp; /* dns_adbnamehook_t */
- isc_mempool_t *zimp; /* dns_adbzoneinfo_t */
- isc_mempool_t *emp; /* dns_adbentry_t */
- isc_mempool_t *ahmp; /* dns_adbfind_t */
- isc_mempool_t *aimp; /* dns_adbaddrinfo_t */
- isc_mempool_t *afmp; /* dns_adbfetch_t */
-
- /*
- * Bucketized locks and lists for names.
- *
- * XXXRTH Have a per-bucket structure that contains all of these?
- */
- dns_adbnamelist_t names[NBUCKETS];
- isc_mutex_t namelocks[NBUCKETS];
- isc_boolean_t name_sd[NBUCKETS];
- unsigned int name_refcnt[NBUCKETS];
-
- /*
- * Bucketized locks for entries.
- *
- * XXXRTH Have a per-bucket structure that contains all of these?
- */
- dns_adbentrylist_t entries[NBUCKETS];
- isc_mutex_t entrylocks[NBUCKETS];
- isc_boolean_t entry_sd[NBUCKETS]; /* shutting down */
- unsigned int entry_refcnt[NBUCKETS];
-
- isc_event_t cevent;
- isc_boolean_t cevent_sent;
- isc_boolean_t shutting_down;
- isc_eventlist_t whenshutdown;
-};
-
-/*
- * XXXMLG Document these structures.
- */
-
-struct dns_adbname {
- unsigned int magic;
- dns_name_t name;
- dns_adb_t *adb;
- unsigned int partial_result;
- unsigned int flags;
- int lock_bucket;
- dns_name_t target;
- isc_stdtime_t expire_target;
- isc_stdtime_t expire_v4;
- isc_stdtime_t expire_v6;
- unsigned int chains;
- dns_adbnamehooklist_t v4;
- dns_adbnamehooklist_t v6;
- dns_adbfetch_t *fetch_a;
- dns_adbfetch_t *fetch_aaaa;
- unsigned int fetch_err;
- unsigned int fetch6_err;
- dns_adbfindlist_t finds;
- ISC_LINK(dns_adbname_t) plink;
-};
-
-struct dns_adbfetch {
- unsigned int magic;
- dns_adbnamehook_t *namehook;
- dns_adbentry_t *entry;
- dns_fetch_t *fetch;
- dns_rdataset_t rdataset;
-};
-
-/*
- * dns_adbnamehook_t
- *
- * This is a small widget that dangles off a dns_adbname_t. It contains a
- * pointer to the address information about this host, and a link to the next
- * namehook that will contain the next address this host has.
- */
-struct dns_adbnamehook {
- unsigned int magic;
- dns_adbentry_t *entry;
- ISC_LINK(dns_adbnamehook_t) plink;
-};
-
-/*
- * dns_adbzoneinfo_t
- *
- * This is a small widget that holds zone-specific information about an
- * address. Currently limited to lameness, but could just as easily be
- * extended to other types of information about zones.
- */
-struct dns_adbzoneinfo {
- unsigned int magic;
-
- dns_name_t zone;
- isc_stdtime_t lame_timer;
-
- ISC_LINK(dns_adbzoneinfo_t) plink;
-};
-
-/*
- * An address entry. It holds quite a bit of information about addresses,
- * including edns state (in "flags"), rtt, and of course the address of
- * the host.
- */
-struct dns_adbentry {
- unsigned int magic;
-
- int lock_bucket;
- unsigned int refcnt;
-
- unsigned int flags;
- unsigned int srtt;
- isc_sockaddr_t sockaddr;
-
- isc_stdtime_t expires;
- /*
- * A nonzero 'expires' field indicates that the entry should
- * persist until that time. This allows entries found
- * using dns_adb_findaddrinfo() to persist for a limited time
- * even though they are not necessarily associated with a
- * name.
- */
-
- ISC_LIST(dns_adbzoneinfo_t) zoneinfo;
- ISC_LINK(dns_adbentry_t) plink;
-};
-
-/*
- * Internal functions (and prototypes).
- */
-static inline dns_adbname_t *new_adbname(dns_adb_t *, dns_name_t *);
-static inline void free_adbname(dns_adb_t *, dns_adbname_t **);
-static inline dns_adbnamehook_t *new_adbnamehook(dns_adb_t *,
- dns_adbentry_t *);
-static inline void free_adbnamehook(dns_adb_t *, dns_adbnamehook_t **);
-static inline dns_adbzoneinfo_t *new_adbzoneinfo(dns_adb_t *, dns_name_t *);
-static inline void free_adbzoneinfo(dns_adb_t *, dns_adbzoneinfo_t **);
-static inline dns_adbentry_t *new_adbentry(dns_adb_t *);
-static inline void free_adbentry(dns_adb_t *, dns_adbentry_t **);
-static inline dns_adbfind_t *new_adbfind(dns_adb_t *);
-static inline isc_boolean_t free_adbfind(dns_adb_t *, dns_adbfind_t **);
-static inline dns_adbaddrinfo_t *new_adbaddrinfo(dns_adb_t *, dns_adbentry_t *,
- in_port_t);
-static inline dns_adbfetch_t *new_adbfetch(dns_adb_t *);
-static inline void free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
-static inline dns_adbname_t *find_name_and_lock(dns_adb_t *, dns_name_t *,
- unsigned int, int *);
-static inline dns_adbentry_t *find_entry_and_lock(dns_adb_t *,
- isc_sockaddr_t *, int *);
-static void dump_adb(dns_adb_t *, FILE *, isc_boolean_t debug, isc_stdtime_t);
-static void print_dns_name(FILE *, dns_name_t *);
-static void print_namehook_list(FILE *, const char *legend,
- dns_adbnamehooklist_t *list,
- isc_boolean_t debug,
- isc_stdtime_t now);
-static void print_find_list(FILE *, dns_adbname_t *);
-static void print_fetch_list(FILE *, dns_adbname_t *);
-static inline isc_boolean_t dec_adb_irefcnt(dns_adb_t *);
-static inline void inc_adb_irefcnt(dns_adb_t *);
-static inline void inc_adb_erefcnt(dns_adb_t *);
-static inline void inc_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
- isc_boolean_t);
-static inline isc_boolean_t dec_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
- isc_boolean_t);
-static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
-static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
-static void clean_target(dns_adb_t *, dns_name_t *);
-static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
- unsigned int);
-static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t,
- isc_boolean_t);
-static void cancel_fetches_at_name(dns_adbname_t *);
-static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
- dns_rdatatype_t);
-static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
- dns_rdatatype_t);
-static inline void check_exit(dns_adb_t *);
-static void timer_cleanup(isc_task_t *, isc_event_t *);
-static void destroy(dns_adb_t *);
-static isc_boolean_t shutdown_names(dns_adb_t *);
-static isc_boolean_t shutdown_entries(dns_adb_t *);
-static inline void link_name(dns_adb_t *, int, dns_adbname_t *);
-static inline isc_boolean_t unlink_name(dns_adb_t *, dns_adbname_t *);
-static inline void link_entry(dns_adb_t *, int, dns_adbentry_t *);
-static inline isc_boolean_t unlink_entry(dns_adb_t *, dns_adbentry_t *);
-static isc_boolean_t kill_name(dns_adbname_t **, isc_eventtype_t);
-static void water(void *, int);
-static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
-
-/*
- * MUST NOT overlap DNS_ADBFIND_* flags!
- */
-#define FIND_EVENT_SENT 0x40000000
-#define FIND_EVENT_FREED 0x80000000
-#define FIND_EVENTSENT(h) (((h)->flags & FIND_EVENT_SENT) != 0)
-#define FIND_EVENTFREED(h) (((h)->flags & FIND_EVENT_FREED) != 0)
-
-#define NAME_NEEDS_POKE 0x80000000
-#define NAME_IS_DEAD 0x40000000
-#define NAME_HINT_OK DNS_ADBFIND_HINTOK
-#define NAME_GLUE_OK DNS_ADBFIND_GLUEOK
-#define NAME_STARTATZONE DNS_ADBFIND_STARTATZONE
-#define NAME_DEAD(n) (((n)->flags & NAME_IS_DEAD) != 0)
-#define NAME_NEEDSPOKE(n) (((n)->flags & NAME_NEEDS_POKE) != 0)
-#define NAME_GLUEOK(n) (((n)->flags & NAME_GLUE_OK) != 0)
-#define NAME_HINTOK(n) (((n)->flags & NAME_HINT_OK) != 0)
-
-/*
- * To the name, address classes are all that really exist. If it has a
- * V6 address it doesn't care if it came from a AAAA query.
- */
-#define NAME_HAS_V4(n) (!ISC_LIST_EMPTY((n)->v4))
-#define NAME_HAS_V6(n) (!ISC_LIST_EMPTY((n)->v6))
-#define NAME_HAS_ADDRS(n) (NAME_HAS_V4(n) || NAME_HAS_V6(n))
-
-/*
- * Fetches are broken out into A and AAAA types. In some cases,
- * however, it makes more sense to test for a particular class of fetches,
- * like V4 or V6 above.
- * Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
- * are now equal to FETCH_V4 and FETCH_V6, respectively.
- */
-#define NAME_FETCH_A(n) ((n)->fetch_a != NULL)
-#define NAME_FETCH_AAAA(n) ((n)->fetch_aaaa != NULL)
-#define NAME_FETCH_V4(n) (NAME_FETCH_A(n))
-#define NAME_FETCH_V6(n) (NAME_FETCH_AAAA(n))
-#define NAME_FETCH(n) (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
-
-/*
- * Find options and tests to see if there are addresses on the list.
- */
-#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
-#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
- != 0)
-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
- != 0)
-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-
-/*
- * These are currently used on simple unsigned ints, so they are
- * not really associated with any particular type.
- */
-#define WANT_INET(x) (((x) & DNS_ADBFIND_INET) != 0)
-#define WANT_INET6(x) (((x) & DNS_ADBFIND_INET6) != 0)
-
-#define EXPIRE_OK(exp, now) ((exp == INT_MAX) || (exp < now))
-
-/*
- * Find out if the flags on a name (nf) indicate if it is a hint or
- * glue, and compare this to the appropriate bits set in o, to see if
- * this is ok.
- */
-#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o) & DNS_ADBFIND_GLUEOK) != 0))
-#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o) & DNS_ADBFIND_HINTOK) != 0))
-#define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o))
-#define STARTATZONE_MATCHES(nf, o) (((nf)->flags & NAME_STARTATZONE) == \
- ((o) & DNS_ADBFIND_STARTATZONE))
-
-#define ENTER_LEVEL ISC_LOG_DEBUG(50)
-#define EXIT_LEVEL ENTER_LEVEL
-#define CLEAN_LEVEL ISC_LOG_DEBUG(100)
-#define DEF_LEVEL ISC_LOG_DEBUG(5)
-#define NCACHE_LEVEL ISC_LOG_DEBUG(20)
-
-#define NCACHE_RESULT(r) ((r) == DNS_R_NCACHENXDOMAIN || \
- (r) == DNS_R_NCACHENXRRSET)
-#define AUTH_NX(r) ((r) == DNS_R_NXDOMAIN || \
- (r) == DNS_R_NXRRSET)
-#define NXDOMAIN_RESULT(r) ((r) == DNS_R_NXDOMAIN || \
- (r) == DNS_R_NCACHENXDOMAIN)
-#define NXRRSET_RESULT(r) ((r) == DNS_R_NCACHENXRRSET || \
- (r) == DNS_R_NXRRSET || \
- (r) == DNS_R_HINTNXRRSET)
-
-/*
- * Error state rankings.
- */
-
-#define FIND_ERR_SUCCESS 0 /* highest rank */
-#define FIND_ERR_CANCELED 1
-#define FIND_ERR_FAILURE 2
-#define FIND_ERR_NXDOMAIN 3
-#define FIND_ERR_NXRRSET 4
-#define FIND_ERR_UNEXPECTED 5
-#define FIND_ERR_NOTFOUND 6
-#define FIND_ERR_MAX 7
-
-static const char *errnames[] = {
- "success",
- "canceled",
- "failure",
- "nxdomain",
- "nxrrset",
- "unexpected",
- "not_found"
-};
-
-#define NEWERR(old, new) (ISC_MIN((old), (new)))
-
-static isc_result_t find_err_map[FIND_ERR_MAX] = {
- ISC_R_SUCCESS,
- ISC_R_CANCELED,
- ISC_R_FAILURE,
- DNS_R_NXDOMAIN,
- DNS_R_NXRRSET,
- ISC_R_UNEXPECTED,
- ISC_R_NOTFOUND /* not YET found */
-};
-
-static void
-DP(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
-
-static void
-DP(int level, const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- isc_log_vwrite(dns_lctx,
- DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
- level, format, args);
- va_end(args);
-}
-
-static inline dns_ttl_t
-ttlclamp(dns_ttl_t ttl) {
- if (ttl < ADB_CACHE_MINIMUM)
- ttl = ADB_CACHE_MINIMUM;
- if (ttl > ADB_CACHE_MAXIMUM)
- ttl = ADB_CACHE_MAXIMUM;
-
- return (ttl);
-}
-
-/*
- * Requires the adbname bucket be locked and that no entry buckets be locked.
- *
- * This code handles A and AAAA rdatasets only.
- */
-static isc_result_t
-import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
- isc_stdtime_t now)
-{
- isc_result_t result;
- dns_adb_t *adb;
- dns_adbnamehook_t *nh;
- dns_adbnamehook_t *anh;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- struct in_addr ina;
- struct in6_addr in6a;
- isc_sockaddr_t sockaddr;
- dns_adbentry_t *foundentry; /* NO CLEAN UP! */
- int addr_bucket;
- isc_boolean_t new_addresses_added;
- dns_rdatatype_t rdtype;
- unsigned int findoptions;
-
- INSIST(DNS_ADBNAME_VALID(adbname));
- adb = adbname->adb;
- INSIST(DNS_ADB_VALID(adb));
-
- rdtype = rdataset->type;
- INSIST((rdtype == dns_rdatatype_a) || (rdtype == dns_rdatatype_aaaa));
- if (rdtype == dns_rdatatype_a)
- findoptions = DNS_ADBFIND_INET;
- else
- findoptions = DNS_ADBFIND_INET6;
-
- addr_bucket = DNS_ADB_INVALIDBUCKET;
- new_addresses_added = ISC_FALSE;
-
- nh = NULL;
- result = dns_rdataset_first(rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- if (rdtype == dns_rdatatype_a) {
- INSIST(rdata.length == 4);
- memcpy(&ina.s_addr, rdata.data, 4);
- isc_sockaddr_fromin(&sockaddr, &ina, 0);
- } else {
- INSIST(rdata.length == 16);
- memcpy(in6a.s6_addr, rdata.data, 16);
- isc_sockaddr_fromin6(&sockaddr, &in6a, 0);
- }
-
- INSIST(nh == NULL);
- nh = new_adbnamehook(adb, NULL);
- if (nh == NULL) {
- adbname->partial_result |= findoptions;
- result = ISC_R_NOMEMORY;
- goto fail;
- }
-
- foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket);
- if (foundentry == NULL) {
- dns_adbentry_t *entry;
-
- entry = new_adbentry(adb);
- if (entry == NULL) {
- adbname->partial_result |= findoptions;
- result = ISC_R_NOMEMORY;
- goto fail;
- }
-
- entry->sockaddr = sockaddr;
- entry->refcnt = 1;
-
- nh->entry = entry;
-
- link_entry(adb, addr_bucket, entry);
- } else {
- for (anh = ISC_LIST_HEAD(adbname->v4);
- anh != NULL;
- anh = ISC_LIST_NEXT(anh, plink))
- if (anh->entry == foundentry)
- break;
- if (anh == NULL) {
- foundentry->refcnt++;
- nh->entry = foundentry;
- } else
- free_adbnamehook(adb, &nh);
- }
-
- new_addresses_added = ISC_TRUE;
- if (nh != NULL) {
- if (rdtype == dns_rdatatype_a)
- ISC_LIST_APPEND(adbname->v4, nh, plink);
- else
- ISC_LIST_APPEND(adbname->v6, nh, plink);
- }
- nh = NULL;
- result = dns_rdataset_next(rdataset);
- }
-
- fail:
- if (nh != NULL)
- free_adbnamehook(adb, &nh);
-
- if (addr_bucket != DNS_ADB_INVALIDBUCKET)
- UNLOCK(&adb->entrylocks[addr_bucket]);
-
- if (rdataset->trust == dns_trust_glue ||
- rdataset->trust == dns_trust_additional)
- rdataset->ttl = ADB_CACHE_MINIMUM;
- else
- rdataset->ttl = ttlclamp(rdataset->ttl);
-
- if (rdtype == dns_rdatatype_a) {
- DP(NCACHE_LEVEL, "expire_v4 set to MIN(%u,%u) import_rdataset",
- adbname->expire_v4, now + rdataset->ttl);
- adbname->expire_v4 = ISC_MIN(adbname->expire_v4,
- now + rdataset->ttl);
- } else {
- DP(NCACHE_LEVEL, "expire_v6 set to MIN(%u,%u) import_rdataset",
- adbname->expire_v6, now + rdataset->ttl);
- adbname->expire_v6 = ISC_MIN(adbname->expire_v6,
- now + rdataset->ttl);
- }
-
- if (new_addresses_added) {
- /*
- * Lie a little here. This is more or less so code that cares
- * can find out if any new information was added or not.
- */
- return (ISC_R_SUCCESS);
- }
-
- return (result);
-}
-
-/*
- * Requires the name's bucket be locked.
- */
-static isc_boolean_t
-kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
- dns_adbname_t *name;
- isc_boolean_t result = ISC_FALSE;
- isc_boolean_t result4, result6;
- dns_adb_t *adb;
-
- INSIST(n != NULL);
- name = *n;
- *n = NULL;
- INSIST(DNS_ADBNAME_VALID(name));
- adb = name->adb;
- INSIST(DNS_ADB_VALID(adb));
-
- DP(DEF_LEVEL, "killing name %p", name);
-
- /*
- * If we're dead already, just check to see if we should go
- * away now or not.
- */
- if (NAME_DEAD(name) && !NAME_FETCH(name)) {
- result = unlink_name(adb, name);
- free_adbname(adb, &name);
- if (result)
- result = dec_adb_irefcnt(adb);
- return (result);
- }
-
- /*
- * Clean up the name's various lists. These two are destructive
- * in that they will always empty the list.
- */
- clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
- result4 = clean_namehooks(adb, &name->v4);
- result6 = clean_namehooks(adb, &name->v6);
- clean_target(adb, &name->target);
- result = ISC_TF(result4 || result6);
-
- /*
- * If fetches are running, cancel them. If none are running, we can
- * just kill the name here.
- */
- if (!NAME_FETCH(name)) {
- INSIST(result == ISC_FALSE);
- result = unlink_name(adb, name);
- free_adbname(adb, &name);
- if (result)
- result = dec_adb_irefcnt(adb);
- } else {
- name->flags |= NAME_IS_DEAD;
- cancel_fetches_at_name(name);
- }
- return (result);
-}
-
-/*
- * Requires the name's bucket be locked and no entry buckets be locked.
- */
-static isc_boolean_t
-check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
- isc_boolean_t overmem)
-{
- dns_adb_t *adb;
- isc_boolean_t expire;
- isc_boolean_t result4 = ISC_FALSE;
- isc_boolean_t result6 = ISC_FALSE;
-
- INSIST(DNS_ADBNAME_VALID(name));
- adb = name->adb;
- INSIST(DNS_ADB_VALID(adb));
-
- if (overmem) {
- isc_uint32_t val;
-
- isc_random_get(&val);
-
- expire = ISC_TF((val % 4) == 0);
- } else
- expire = ISC_FALSE;
-
- /*
- * Check to see if we need to remove the v4 addresses
- */
- if (!NAME_FETCH_V4(name) &&
- (expire || EXPIRE_OK(name->expire_v4, now))) {
- if (NAME_HAS_V4(name)) {
- DP(DEF_LEVEL, "expiring v4 for name %p", name);
- result4 = clean_namehooks(adb, &name->v4);
- name->partial_result &= ~DNS_ADBFIND_INET;
- }
- name->expire_v4 = INT_MAX;
- name->fetch_err = FIND_ERR_UNEXPECTED;
- }
-
- /*
- * Check to see if we need to remove the v6 addresses
- */
- if (!NAME_FETCH_V6(name) &&
- (expire || EXPIRE_OK(name->expire_v6, now))) {
- if (NAME_HAS_V6(name)) {
- DP(DEF_LEVEL, "expiring v6 for name %p", name);
- result6 = clean_namehooks(adb, &name->v6);
- name->partial_result &= ~DNS_ADBFIND_INET6;
- }
- name->expire_v6 = INT_MAX;
- name->fetch6_err = FIND_ERR_UNEXPECTED;
- }
-
- /*
- * Check to see if we need to remove the alias target.
- */
- if (expire || EXPIRE_OK(name->expire_target, now)) {
- clean_target(adb, &name->target);
- name->expire_target = INT_MAX;
- }
- return (ISC_TF(result4 || result6));
-}
-
-/*
- * Requires the name's bucket be locked.
- */
-static inline void
-link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name) {
- INSIST(name->lock_bucket == DNS_ADB_INVALIDBUCKET);
-
- ISC_LIST_PREPEND(adb->names[bucket], name, plink);
- name->lock_bucket = bucket;
- adb->name_refcnt[bucket]++;
-}
-
-/*
- * Requires the name's bucket be locked.
- */
-static inline isc_boolean_t
-unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
- int bucket;
- isc_boolean_t result = ISC_FALSE;
-
- bucket = name->lock_bucket;
- INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-
- ISC_LIST_UNLINK(adb->names[bucket], name, plink);
- name->lock_bucket = DNS_ADB_INVALIDBUCKET;
- INSIST(adb->name_refcnt[bucket] > 0);
- adb->name_refcnt[bucket]--;
- if (adb->name_sd[bucket] && adb->name_refcnt[bucket] == 0)
- result = ISC_TRUE;
- return (result);
-}
-
-/*
- * Requires the entry's bucket be locked.
- */
-static inline void
-link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
- ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
- entry->lock_bucket = bucket;
- adb->entry_refcnt[bucket]++;
-}
-
-/*
- * Requires the entry's bucket be locked.
- */
-static inline isc_boolean_t
-unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
- int bucket;
- isc_boolean_t result = ISC_FALSE;
-
- bucket = entry->lock_bucket;
- INSIST(bucket != DNS_ADB_INVALIDBUCKET);
-
- ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
- entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
- INSIST(adb->entry_refcnt[bucket] > 0);
- adb->entry_refcnt[bucket]--;
- if (adb->entry_sd[bucket] && adb->entry_refcnt[bucket] == 0)
- result = ISC_TRUE;
- return (result);
-}
-
-static inline void
-violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
- if (isc_mutex_trylock(want) != ISC_R_SUCCESS) {
- UNLOCK(have);
- LOCK(want);
- LOCK(have);
- }
-}
-
-/*
- * The ADB _MUST_ be locked before calling. Also, exit conditions must be
- * checked after calling this function.
- */
-static isc_boolean_t
-shutdown_names(dns_adb_t *adb) {
- int bucket;
- isc_boolean_t result = ISC_FALSE;
- dns_adbname_t *name;
- dns_adbname_t *next_name;
-
- for (bucket = 0; bucket < NBUCKETS; bucket++) {
- LOCK(&adb->namelocks[bucket]);
- adb->name_sd[bucket] = ISC_TRUE;
-
- name = ISC_LIST_HEAD(adb->names[bucket]);
- if (name == NULL) {
- /*
- * This bucket has no names. We must decrement the
- * irefcnt ourselves, since it will not be
- * automatically triggered by a name being unlinked.
- */
- INSIST(result == ISC_FALSE);
- result = dec_adb_irefcnt(adb);
- } else {
- /*
- * Run through the list. For each name, clean up finds
- * found there, and cancel any fetches running. When
- * all the fetches are canceled, the name will destroy
- * itself.
- */
- while (name != NULL) {
- next_name = ISC_LIST_NEXT(name, plink);
- INSIST(result == ISC_FALSE);
- result = kill_name(&name,
- DNS_EVENT_ADBSHUTDOWN);
- name = next_name;
- }
- }
-
- UNLOCK(&adb->namelocks[bucket]);
- }
- return (result);
-}
-
-/*
- * The ADB _MUST_ be locked before calling. Also, exit conditions must be
- * checked after calling this function.
- */
-static isc_boolean_t
-shutdown_entries(dns_adb_t *adb) {
- int bucket;
- isc_boolean_t result = ISC_FALSE;
- dns_adbentry_t *entry;
- dns_adbentry_t *next_entry;
-
- for (bucket = 0; bucket < NBUCKETS; bucket++) {
- LOCK(&adb->entrylocks[bucket]);
- adb->entry_sd[bucket] = ISC_TRUE;
-
- entry = ISC_LIST_HEAD(adb->entries[bucket]);
- if (entry == NULL) {
- /*
- * This bucket has no entries. We must decrement the
- * irefcnt ourselves, since it will not be
- * automatically triggered by an entry being unlinked.
- */
- result = dec_adb_irefcnt(adb);
- } else {
- /*
- * Run through the list. Cleanup any entries not
- * associated with names, and which are not in use.
- */
- while (entry != NULL) {
- next_entry = ISC_LIST_NEXT(entry, plink);
- if (entry->refcnt == 0 &&
- entry->expires != 0) {
- result = unlink_entry(adb, entry);
- free_adbentry(adb, &entry);
- if (result)
- result = dec_adb_irefcnt(adb);
- }
- entry = next_entry;
- }
- }
-
- UNLOCK(&adb->entrylocks[bucket]);
- }
- return (result);
-}
-
-/*
- * Name bucket must be locked
- */
-static void
-cancel_fetches_at_name(dns_adbname_t *name) {
- if (NAME_FETCH_A(name))
- dns_resolver_cancelfetch(name->fetch_a->fetch);
-
- if (NAME_FETCH_AAAA(name))
- dns_resolver_cancelfetch(name->fetch_aaaa->fetch);
-}
-
-/*
- * Assumes the name bucket is locked.
- */
-static isc_boolean_t
-clean_namehooks(dns_adb_t *adb, dns_adbnamehooklist_t *namehooks) {
- dns_adbentry_t *entry;
- dns_adbnamehook_t *namehook;
- int addr_bucket;
- isc_boolean_t result = ISC_FALSE;
-
- addr_bucket = DNS_ADB_INVALIDBUCKET;
- namehook = ISC_LIST_HEAD(*namehooks);
- while (namehook != NULL) {
- INSIST(DNS_ADBNAMEHOOK_VALID(namehook));
-
- /*
- * Clean up the entry if needed.
- */
- entry = namehook->entry;
- if (entry != NULL) {
- INSIST(DNS_ADBENTRY_VALID(entry));
-
- if (addr_bucket != entry->lock_bucket) {
- if (addr_bucket != DNS_ADB_INVALIDBUCKET)
- UNLOCK(&adb->entrylocks[addr_bucket]);
- addr_bucket = entry->lock_bucket;
- LOCK(&adb->entrylocks[addr_bucket]);
- }
-
- result = dec_entry_refcnt(adb, entry, ISC_FALSE);
- }
-
- /*
- * Free the namehook
- */
- namehook->entry = NULL;
- ISC_LIST_UNLINK(*namehooks, namehook, plink);
- free_adbnamehook(adb, &namehook);
-
- namehook = ISC_LIST_HEAD(*namehooks);
- }
-
- if (addr_bucket != DNS_ADB_INVALIDBUCKET)
- UNLOCK(&adb->entrylocks[addr_bucket]);
- return (result);
-}
-
-static void
-clean_target(dns_adb_t *adb, dns_name_t *target) {
- if (dns_name_countlabels(target) > 0) {
- dns_name_free(target, adb->mctx);
- dns_name_init(target, NULL);
- }
-}
-
-static isc_result_t
-set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
- dns_rdataset_t *rdataset, dns_name_t *target)
-{
- isc_result_t result;
- dns_namereln_t namereln;
- unsigned int nlabels;
- int order;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_fixedname_t fixed1, fixed2;
- dns_name_t *prefix, *new_target;
-
- REQUIRE(dns_name_countlabels(target) == 0);
-
- if (rdataset->type == dns_rdatatype_cname) {
- dns_rdata_cname_t cname;
-
- /*
- * Copy the CNAME's target into the target name.
- */
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &cname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_name_dup(&cname.cname, adb->mctx, target);
- dns_rdata_freestruct(&cname);
- if (result != ISC_R_SUCCESS)
- return (result);
- } else {
- dns_rdata_dname_t dname;
-
- INSIST(rdataset->type == dns_rdatatype_dname);
- namereln = dns_name_fullcompare(name, fname, &order, &nlabels);
- INSIST(namereln == dns_namereln_subdomain);
- /*
- * Get the target name of the DNAME.
- */
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * Construct the new target name.
- */
- dns_fixedname_init(&fixed1);
- prefix = dns_fixedname_name(&fixed1);
- dns_fixedname_init(&fixed2);
- new_target = dns_fixedname_name(&fixed2);
- dns_name_split(name, nlabels, prefix, NULL);
- result = dns_name_concatenate(prefix, &dname.dname, new_target,
- NULL);
- dns_rdata_freestruct(&dname);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_name_dup(new_target, adb->mctx, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Assumes nothing is locked, since this is called by the client.
- */
-static void
-event_free(isc_event_t *event) {
- dns_adbfind_t *find;
-
- INSIST(event != NULL);
- find = event->ev_destroy_arg;
- INSIST(DNS_ADBFIND_VALID(find));
-
- LOCK(&find->lock);
- find->flags |= FIND_EVENT_FREED;
- event->ev_destroy_arg = NULL;
- UNLOCK(&find->lock);
-}
-
-/*
- * Assumes the name bucket is locked.
- */
-static void
-clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
- unsigned int addrs)
-{
- isc_event_t *ev;
- isc_task_t *task;
- dns_adbfind_t *find;
- dns_adbfind_t *next_find;
- isc_boolean_t process;
- unsigned int wanted, notify;
-
- DP(ENTER_LEVEL,
- "ENTER clean_finds_at_name, name %p, evtype %08x, addrs %08x",
- name, evtype, addrs);
-
- find = ISC_LIST_HEAD(name->finds);
- while (find != NULL) {
- LOCK(&find->lock);
- next_find = ISC_LIST_NEXT(find, plink);
-
- process = ISC_FALSE;
- wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
- notify = wanted & addrs;
-
- switch (evtype) {
- case DNS_EVENT_ADBMOREADDRESSES:
- DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBMOREADDRESSES");
- if ((notify) != 0) {
- find->flags &= ~addrs;
- process = ISC_TRUE;
- }
- break;
- case DNS_EVENT_ADBNOMOREADDRESSES:
- DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBNOMOREADDRESSES");
- find->flags &= ~addrs;
- wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
- if (wanted == 0)
- process = ISC_TRUE;
- break;
- default:
- find->flags &= ~addrs;
- process = ISC_TRUE;
- }
-
- if (process) {
- DP(DEF_LEVEL, "cfan: processing find %p", find);
- /*
- * Unlink the find from the name, letting the caller
- * call dns_adb_destroyfind() on it to clean it up
- * later.
- */
- ISC_LIST_UNLINK(name->finds, find, plink);
- find->adbname = NULL;
- find->name_bucket = DNS_ADB_INVALIDBUCKET;
-
- INSIST(!FIND_EVENTSENT(find));
-
- ev = &find->event;
- task = ev->ev_sender;
- ev->ev_sender = find;
- find->result_v4 = find_err_map[name->fetch_err];
- find->result_v6 = find_err_map[name->fetch6_err];
- ev->ev_type = evtype;
- ev->ev_destroy = event_free;
- ev->ev_destroy_arg = find;
-
- DP(DEF_LEVEL,
- "sending event %p to task %p for find %p",
- ev, task, find);
-
- isc_task_sendanddetach(&task, (isc_event_t **)&ev);
- } else {
- DP(DEF_LEVEL, "cfan: skipping find %p", find);
- }
-
- UNLOCK(&find->lock);
- find = next_find;
- }
-
- DP(ENTER_LEVEL, "EXIT clean_finds_at_name, name %p", name);
-}
-
-static inline void
-check_exit(dns_adb_t *adb) {
- isc_event_t *event;
- /*
- * The caller must be holding the adb lock.
- */
- if (adb->shutting_down) {
- /*
- * If there aren't any external references either, we're
- * done. Send the control event to initiate shutdown.
- */
- INSIST(!adb->cevent_sent); /* Sanity check. */
- event = &adb->cevent;
- isc_task_send(adb->task, &event);
- adb->cevent_sent = ISC_TRUE;
- }
-}
-
-static inline isc_boolean_t
-dec_adb_irefcnt(dns_adb_t *adb) {
- isc_event_t *event;
- isc_task_t *etask;
- isc_boolean_t result = ISC_FALSE;
-
- LOCK(&adb->reflock);
-
- INSIST(adb->irefcnt > 0);
- adb->irefcnt--;
-
- if (adb->irefcnt == 0) {
- event = ISC_LIST_HEAD(adb->whenshutdown);
- while (event != NULL) {
- ISC_LIST_UNLINK(adb->whenshutdown, event, ev_link);
- etask = event->ev_sender;
- event->ev_sender = adb;
- isc_task_sendanddetach(&etask, &event);
- event = ISC_LIST_HEAD(adb->whenshutdown);
- }
- }
-
- if (adb->irefcnt == 0 && adb->erefcnt == 0)
- result = ISC_TRUE;
- UNLOCK(&adb->reflock);
- return (result);
-}
-
-static inline void
-inc_adb_irefcnt(dns_adb_t *adb) {
- LOCK(&adb->reflock);
- adb->irefcnt++;
- UNLOCK(&adb->reflock);
-}
-
-static inline void
-inc_adb_erefcnt(dns_adb_t *adb) {
- LOCK(&adb->reflock);
- adb->erefcnt++;
- UNLOCK(&adb->reflock);
-}
-
-static inline void
-inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
- int bucket;
-
- bucket = entry->lock_bucket;
-
- if (lock)
- LOCK(&adb->entrylocks[bucket]);
-
- entry->refcnt++;
-
- if (lock)
- UNLOCK(&adb->entrylocks[bucket]);
-}
-
-static inline isc_boolean_t
-dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
- int bucket;
- isc_boolean_t destroy_entry;
- isc_boolean_t result = ISC_FALSE;
-
- bucket = entry->lock_bucket;
-
- if (lock)
- LOCK(&adb->entrylocks[bucket]);
-
- INSIST(entry->refcnt > 0);
- entry->refcnt--;
-
- destroy_entry = ISC_FALSE;
- if (entry->refcnt == 0 &&
- (adb->entry_sd[bucket] || entry->expires == 0)) {
- destroy_entry = ISC_TRUE;
- result = unlink_entry(adb, entry);
- }
-
- if (lock)
- UNLOCK(&adb->entrylocks[bucket]);
-
- if (!destroy_entry)
- return (result);
-
- entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
-
- free_adbentry(adb, &entry);
- if (result)
- result =dec_adb_irefcnt(adb);
-
- return (result);
-}
-
-static inline dns_adbname_t *
-new_adbname(dns_adb_t *adb, dns_name_t *dnsname) {
- dns_adbname_t *name;
-
- name = isc_mempool_get(adb->nmp);
- if (name == NULL)
- return (NULL);
-
- dns_name_init(&name->name, NULL);
- if (dns_name_dup(dnsname, adb->mctx, &name->name) != ISC_R_SUCCESS) {
- isc_mempool_put(adb->nmp, name);
- return (NULL);
- }
- dns_name_init(&name->target, NULL);
- name->magic = DNS_ADBNAME_MAGIC;
- name->adb = adb;
- name->partial_result = 0;
- name->flags = 0;
- name->expire_v4 = INT_MAX;
- name->expire_v6 = INT_MAX;
- name->expire_target = INT_MAX;
- name->chains = 0;
- name->lock_bucket = DNS_ADB_INVALIDBUCKET;
- ISC_LIST_INIT(name->v4);
- ISC_LIST_INIT(name->v6);
- name->fetch_a = NULL;
- name->fetch_aaaa = NULL;
- name->fetch_err = FIND_ERR_UNEXPECTED;
- name->fetch6_err = FIND_ERR_UNEXPECTED;
- ISC_LIST_INIT(name->finds);
- ISC_LINK_INIT(name, plink);
-
- return (name);
-}
-
-static inline void
-free_adbname(dns_adb_t *adb, dns_adbname_t **name) {
- dns_adbname_t *n;
-
- INSIST(name != NULL && DNS_ADBNAME_VALID(*name));
- n = *name;
- *name = NULL;
-
- INSIST(!NAME_HAS_V4(n));
- INSIST(!NAME_HAS_V6(n));
- INSIST(!NAME_FETCH(n));
- INSIST(ISC_LIST_EMPTY(n->finds));
- INSIST(!ISC_LINK_LINKED(n, plink));
- INSIST(n->lock_bucket == DNS_ADB_INVALIDBUCKET);
- INSIST(n->adb == adb);
-
- n->magic = 0;
- dns_name_free(&n->name, adb->mctx);
-
- isc_mempool_put(adb->nmp, n);
-}
-
-static inline dns_adbnamehook_t *
-new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry) {
- dns_adbnamehook_t *nh;
-
- nh = isc_mempool_get(adb->nhmp);
- if (nh == NULL)
- return (NULL);
-
- nh->magic = DNS_ADBNAMEHOOK_MAGIC;
- nh->entry = entry;
- ISC_LINK_INIT(nh, plink);
-
- return (nh);
-}
-
-static inline void
-free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) {
- dns_adbnamehook_t *nh;
-
- INSIST(namehook != NULL && DNS_ADBNAMEHOOK_VALID(*namehook));
- nh = *namehook;
- *namehook = NULL;
-
- INSIST(nh->entry == NULL);
- INSIST(!ISC_LINK_LINKED(nh, plink));
-
- nh->magic = 0;
- isc_mempool_put(adb->nhmp, nh);
-}
-
-static inline dns_adbzoneinfo_t *
-new_adbzoneinfo(dns_adb_t *adb, dns_name_t *zone) {
- dns_adbzoneinfo_t *zi;
-
- zi = isc_mempool_get(adb->zimp);
- if (zi == NULL)
- return (NULL);
-
- dns_name_init(&zi->zone, NULL);
- if (dns_name_dup(zone, adb->mctx, &zi->zone) != ISC_R_SUCCESS) {
- isc_mempool_put(adb->zimp, zi);
- return (NULL);
- }
-
- zi->magic = DNS_ADBZONEINFO_MAGIC;
- zi->lame_timer = 0;
- ISC_LINK_INIT(zi, plink);
-
- return (zi);
-}
-
-static inline void
-free_adbzoneinfo(dns_adb_t *adb, dns_adbzoneinfo_t **zoneinfo) {
- dns_adbzoneinfo_t *zi;
-
- INSIST(zoneinfo != NULL && DNS_ADBZONEINFO_VALID(*zoneinfo));
- zi = *zoneinfo;
- *zoneinfo = NULL;
-
- INSIST(!ISC_LINK_LINKED(zi, plink));
-
- dns_name_free(&zi->zone, adb->mctx);
-
- zi->magic = 0;
-
- isc_mempool_put(adb->zimp, zi);
-}
-
-static inline dns_adbentry_t *
-new_adbentry(dns_adb_t *adb) {
- dns_adbentry_t *e;
- isc_uint32_t r;
-
- e = isc_mempool_get(adb->emp);
- if (e == NULL)
- return (NULL);
-
- e->magic = DNS_ADBENTRY_MAGIC;
- e->lock_bucket = DNS_ADB_INVALIDBUCKET;
- e->refcnt = 0;
- e->flags = 0;
- isc_random_get(&r);
- e->srtt = (r & 0x1f) + 1;
- e->expires = 0;
- ISC_LIST_INIT(e->zoneinfo);
- ISC_LINK_INIT(e, plink);
-
- return (e);
-}
-
-static inline void
-free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
- dns_adbentry_t *e;
- dns_adbzoneinfo_t *zi;
-
- INSIST(entry != NULL && DNS_ADBENTRY_VALID(*entry));
- e = *entry;
- *entry = NULL;
-
- INSIST(e->lock_bucket == DNS_ADB_INVALIDBUCKET);
- INSIST(e->refcnt == 0);
- INSIST(!ISC_LINK_LINKED(e, plink));
-
- e->magic = 0;
-
- zi = ISC_LIST_HEAD(e->zoneinfo);
- while (zi != NULL) {
- ISC_LIST_UNLINK(e->zoneinfo, zi, plink);
- free_adbzoneinfo(adb, &zi);
- zi = ISC_LIST_HEAD(e->zoneinfo);
- }
-
- isc_mempool_put(adb->emp, e);
-}
-
-static inline dns_adbfind_t *
-new_adbfind(dns_adb_t *adb) {
- dns_adbfind_t *h;
- isc_result_t result;
-
- h = isc_mempool_get(adb->ahmp);
- if (h == NULL)
- return (NULL);
-
- /*
- * Public members.
- */
- h->magic = 0;
- h->adb = adb;
- h->partial_result = 0;
- h->options = 0;
- h->flags = 0;
- h->result_v4 = ISC_R_UNEXPECTED;
- h->result_v6 = ISC_R_UNEXPECTED;
- ISC_LINK_INIT(h, publink);
- ISC_LINK_INIT(h, plink);
- ISC_LIST_INIT(h->list);
- h->adbname = NULL;
- h->name_bucket = DNS_ADB_INVALIDBUCKET;
-
- /*
- * private members
- */
- result = isc_mutex_init(&h->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init failed in new_adbfind()");
- isc_mempool_put(adb->ahmp, h);
- return (NULL);
- }
-
- ISC_EVENT_INIT(&h->event, sizeof(isc_event_t), 0, 0, 0, NULL, NULL,
- NULL, NULL, h);
-
- inc_adb_irefcnt(adb);
- h->magic = DNS_ADBFIND_MAGIC;
- return (h);
-}
-
-static inline dns_adbfetch_t *
-new_adbfetch(dns_adb_t *adb) {
- dns_adbfetch_t *f;
-
- f = isc_mempool_get(adb->afmp);
- if (f == NULL)
- return (NULL);
-
- f->magic = 0;
- f->namehook = NULL;
- f->entry = NULL;
- f->fetch = NULL;
-
- f->namehook = new_adbnamehook(adb, NULL);
- if (f->namehook == NULL)
- goto err;
-
- f->entry = new_adbentry(adb);
- if (f->entry == NULL)
- goto err;
-
- dns_rdataset_init(&f->rdataset);
-
- f->magic = DNS_ADBFETCH_MAGIC;
-
- return (f);
-
- err:
- if (f->namehook != NULL)
- free_adbnamehook(adb, &f->namehook);
- if (f->entry != NULL)
- free_adbentry(adb, &f->entry);
- isc_mempool_put(adb->afmp, f);
- return (NULL);
-}
-
-static inline void
-free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
- dns_adbfetch_t *f;
-
- INSIST(fetch != NULL && DNS_ADBFETCH_VALID(*fetch));
- f = *fetch;
- *fetch = NULL;
-
- f->magic = 0;
-
- if (f->namehook != NULL)
- free_adbnamehook(adb, &f->namehook);
- if (f->entry != NULL)
- free_adbentry(adb, &f->entry);
-
- if (dns_rdataset_isassociated(&f->rdataset))
- dns_rdataset_disassociate(&f->rdataset);
-
- isc_mempool_put(adb->afmp, f);
-}
-
-static inline isc_boolean_t
-free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) {
- dns_adbfind_t *find;
-
- INSIST(findp != NULL && DNS_ADBFIND_VALID(*findp));
- find = *findp;
- *findp = NULL;
-
- INSIST(!FIND_HAS_ADDRS(find));
- INSIST(!ISC_LINK_LINKED(find, publink));
- INSIST(!ISC_LINK_LINKED(find, plink));
- INSIST(find->name_bucket == DNS_ADB_INVALIDBUCKET);
- INSIST(find->adbname == NULL);
-
- find->magic = 0;
-
- DESTROYLOCK(&find->lock);
- isc_mempool_put(adb->ahmp, find);
- return (dec_adb_irefcnt(adb));
-}
-
-/*
- * Copy bits from the entry into the newly allocated addrinfo. The entry
- * must be locked, and the reference count must be bumped up by one
- * if this function returns a valid pointer.
- */
-static inline dns_adbaddrinfo_t *
-new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry, in_port_t port) {
- dns_adbaddrinfo_t *ai;
-
- ai = isc_mempool_get(adb->aimp);
- if (ai == NULL)
- return (NULL);
-
- ai->magic = DNS_ADBADDRINFO_MAGIC;
- ai->sockaddr = entry->sockaddr;
- isc_sockaddr_setport(&ai->sockaddr, port);
- ai->srtt = entry->srtt;
- ai->flags = entry->flags;
- ai->entry = entry;
- ISC_LINK_INIT(ai, publink);
-
- return (ai);
-}
-
-static inline void
-free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo) {
- dns_adbaddrinfo_t *ai;
-
- INSIST(ainfo != NULL && DNS_ADBADDRINFO_VALID(*ainfo));
- ai = *ainfo;
- *ainfo = NULL;
-
- INSIST(ai->entry == NULL);
- INSIST(!ISC_LINK_LINKED(ai, publink));
-
- ai->magic = 0;
-
- isc_mempool_put(adb->aimp, ai);
-}
-
-/*
- * Search for the name. NOTE: The bucket is kept locked on both
- * success and failure, so it must always be unlocked by the caller!
- *
- * On the first call to this function, *bucketp must be set to
- * DNS_ADB_INVALIDBUCKET.
- */
-static inline dns_adbname_t *
-find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
- unsigned int options, int *bucketp)
-{
- dns_adbname_t *adbname;
- int bucket;
-
- bucket = dns_name_fullhash(name, ISC_FALSE) % NBUCKETS;
-
- if (*bucketp == DNS_ADB_INVALIDBUCKET) {
- LOCK(&adb->namelocks[bucket]);
- *bucketp = bucket;
- } else if (*bucketp != bucket) {
- UNLOCK(&adb->namelocks[*bucketp]);
- LOCK(&adb->namelocks[bucket]);
- *bucketp = bucket;
- }
-
- adbname = ISC_LIST_HEAD(adb->names[bucket]);
- while (adbname != NULL) {
- if (!NAME_DEAD(adbname)) {
- if (dns_name_equal(name, &adbname->name)
- && GLUEHINT_OK(adbname, options)
- && STARTATZONE_MATCHES(adbname, options))
- return (adbname);
- }
- adbname = ISC_LIST_NEXT(adbname, plink);
- }
-
- return (NULL);
-}
-
-/*
- * Search for the address. NOTE: The bucket is kept locked on both
- * success and failure, so it must always be unlocked by the caller.
- *
- * On the first call to this function, *bucketp must be set to
- * DNS_ADB_INVALIDBUCKET. This will cause a lock to occur. On
- * later calls (within the same "lock path") it can be left alone, so
- * if this function is called multiple times locking is only done if
- * the bucket changes.
- */
-static inline dns_adbentry_t *
-find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
- dns_adbentry_t *entry;
- int bucket;
-
- bucket = isc_sockaddr_hash(addr, ISC_TRUE) % NBUCKETS;
-
- if (*bucketp == DNS_ADB_INVALIDBUCKET) {
- LOCK(&adb->entrylocks[bucket]);
- *bucketp = bucket;
- } else if (*bucketp != bucket) {
- UNLOCK(&adb->entrylocks[*bucketp]);
- LOCK(&adb->entrylocks[bucket]);
- *bucketp = bucket;
- }
-
- entry = ISC_LIST_HEAD(adb->entries[bucket]);
- while (entry != NULL) {
- if (isc_sockaddr_equal(addr, &entry->sockaddr))
- return (entry);
- entry = ISC_LIST_NEXT(entry, plink);
- }
-
- return (NULL);
-}
-
-/*
- * Entry bucket MUST be locked!
- */
-static isc_boolean_t
-entry_is_bad_for_zone(dns_adb_t *adb, dns_adbentry_t *entry, dns_name_t *zone,
- isc_stdtime_t now)
-{
- dns_adbzoneinfo_t *zi, *next_zi;
- isc_boolean_t is_bad;
-
- is_bad = ISC_FALSE;
-
- zi = ISC_LIST_HEAD(entry->zoneinfo);
- if (zi == NULL)
- return (ISC_FALSE);
- while (zi != NULL) {
- next_zi = ISC_LIST_NEXT(zi, plink);
-
- /*
- * Has the entry expired?
- */
- if (zi->lame_timer < now) {
- ISC_LIST_UNLINK(entry->zoneinfo, zi, plink);
- free_adbzoneinfo(adb, &zi);
- }
-
- /*
- * Order tests from least to most expensive.
- */
- if (zi != NULL && !is_bad) {
- if (dns_name_equal(zone, &zi->zone))
- is_bad = ISC_TRUE;
- }
-
- zi = next_zi;
- }
-
- return (is_bad);
-}
-
-static void
-copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *zone,
- dns_adbname_t *name, isc_stdtime_t now)
-{
- dns_adbnamehook_t *namehook;
- dns_adbaddrinfo_t *addrinfo;
- dns_adbentry_t *entry;
- int bucket;
-
- bucket = DNS_ADB_INVALIDBUCKET;
-
- if (find->options & DNS_ADBFIND_INET) {
- namehook = ISC_LIST_HEAD(name->v4);
- while (namehook != NULL) {
- entry = namehook->entry;
- bucket = entry->lock_bucket;
- LOCK(&adb->entrylocks[bucket]);
-
- if (!FIND_RETURNLAME(find)
- && entry_is_bad_for_zone(adb, entry, zone, now)) {
- find->options |= DNS_ADBFIND_LAMEPRUNED;
- goto nextv4;
- }
- addrinfo = new_adbaddrinfo(adb, entry, find->port);
- if (addrinfo == NULL) {
- find->partial_result |= DNS_ADBFIND_INET;
- goto out;
- }
- /*
- * Found a valid entry. Add it to the find's list.
- */
- inc_entry_refcnt(adb, entry, ISC_FALSE);
- ISC_LIST_APPEND(find->list, addrinfo, publink);
- addrinfo = NULL;
- nextv4:
- UNLOCK(&adb->entrylocks[bucket]);
- bucket = DNS_ADB_INVALIDBUCKET;
- namehook = ISC_LIST_NEXT(namehook, plink);
- }
- }
-
- if (find->options & DNS_ADBFIND_INET6) {
- namehook = ISC_LIST_HEAD(name->v6);
- while (namehook != NULL) {
- entry = namehook->entry;
- bucket = entry->lock_bucket;
- LOCK(&adb->entrylocks[bucket]);
-
- if (entry_is_bad_for_zone(adb, entry, zone, now))
- goto nextv6;
- addrinfo = new_adbaddrinfo(adb, entry, find->port);
- if (addrinfo == NULL) {
- find->partial_result |= DNS_ADBFIND_INET6;
- goto out;
- }
- /*
- * Found a valid entry. Add it to the find's list.
- */
- inc_entry_refcnt(adb, entry, ISC_FALSE);
- ISC_LIST_APPEND(find->list, addrinfo, publink);
- addrinfo = NULL;
- nextv6:
- UNLOCK(&adb->entrylocks[bucket]);
- bucket = DNS_ADB_INVALIDBUCKET;
- namehook = ISC_LIST_NEXT(namehook, plink);
- }
- }
-
- out:
- if (bucket != DNS_ADB_INVALIDBUCKET)
- UNLOCK(&adb->entrylocks[bucket]);
-}
-
-static void
-shutdown_task(isc_task_t *task, isc_event_t *ev) {
- dns_adb_t *adb;
-
- UNUSED(task);
-
- adb = ev->ev_arg;
- INSIST(DNS_ADB_VALID(adb));
-
- /*
- * Kill the timer, and then the ADB itself. Note that this implies
- * that this task was the one scheduled to get timer events. If
- * this is not true (and it is unfortunate there is no way to INSIST()
- * this) badness will occur.
- */
- LOCK(&adb->lock);
- isc_timer_detach(&adb->timer);
- UNLOCK(&adb->lock);
- isc_event_free(&ev);
- destroy(adb);
-}
-
-/*
- * Name bucket must be locked; adb may be locked; no other locks held.
- */
-static isc_boolean_t
-check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
- dns_adbname_t *name;
- isc_boolean_t result = ISC_FALSE;
-
- INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep));
- name = *namep;
-
- if (NAME_HAS_V4(name) || NAME_HAS_V6(name))
- return (result);
- if (NAME_FETCH(name))
- return (result);
- if (!EXPIRE_OK(name->expire_v4, now))
- return (result);
- if (!EXPIRE_OK(name->expire_v6, now))
- return (result);
- if (!EXPIRE_OK(name->expire_target, now))
- return (result);
-
- /*
- * The name is empty. Delete it.
- */
- result = kill_name(&name, DNS_EVENT_ADBEXPIRED);
- *namep = NULL;
-
- /*
- * Our caller, or one of its callers, will be calling check_exit() at
- * some point, so we don't need to do it here.
- */
- return (result);
-}
-
-/*
- * Entry bucket must be locked; adb may be locked; no other locks held.
- */
-static isc_boolean_t
-check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
-{
- dns_adbentry_t *entry;
- isc_boolean_t expire;
- isc_boolean_t result = ISC_FALSE;
-
- INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
- entry = *entryp;
-
- if (entry->refcnt != 0)
- return (result);
-
- if (adb->overmem) {
- isc_uint32_t val;
-
- isc_random_get(&val);
-
- expire = ISC_TF((val % 4) == 0);
- } else
- expire = ISC_FALSE;
-
- if (entry->expires == 0 || (! expire && entry->expires > now))
- return (result);
-
- /*
- * The entry is not in use. Delete it.
- */
- DP(DEF_LEVEL, "killing entry %p", entry);
- INSIST(ISC_LINK_LINKED(entry, plink));
- result = unlink_entry(adb, entry);
- free_adbentry(adb, &entry);
- if (result)
- dec_adb_irefcnt(adb);
- *entryp = NULL;
- return (result);
-}
-
-/*
- * ADB must be locked, and no other locks held.
- */
-static isc_boolean_t
-cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
- dns_adbname_t *name;
- dns_adbname_t *next_name;
- isc_boolean_t result = ISC_FALSE;
-
- DP(CLEAN_LEVEL, "cleaning name bucket %d", bucket);
-
- LOCK(&adb->namelocks[bucket]);
- if (adb->name_sd[bucket]) {
- UNLOCK(&adb->namelocks[bucket]);
- return (result);
- }
-
- name = ISC_LIST_HEAD(adb->names[bucket]);
- while (name != NULL) {
- next_name = ISC_LIST_NEXT(name, plink);
- INSIST(result == ISC_FALSE);
- result = check_expire_namehooks(name, now, adb->overmem);
- if (!result)
- result = check_expire_name(&name, now);
- name = next_name;
- }
- UNLOCK(&adb->namelocks[bucket]);
- return (result);
-}
-
-/*
- * ADB must be locked, and no other locks held.
- */
-static isc_boolean_t
-cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
- dns_adbentry_t *entry, *next_entry;
- isc_boolean_t result = ISC_FALSE;
-
- DP(CLEAN_LEVEL, "cleaning entry bucket %d", bucket);
-
- LOCK(&adb->entrylocks[bucket]);
- entry = ISC_LIST_HEAD(adb->entries[bucket]);
- while (entry != NULL) {
- next_entry = ISC_LIST_NEXT(entry, plink);
- INSIST(result == ISC_FALSE);
- result = check_expire_entry(adb, &entry, now);
- entry = next_entry;
- }
- UNLOCK(&adb->entrylocks[bucket]);
- return (result);
-}
-
-static void
-timer_cleanup(isc_task_t *task, isc_event_t *ev) {
- dns_adb_t *adb;
- isc_stdtime_t now;
- unsigned int i;
- isc_interval_t interval;
-
- UNUSED(task);
-
- adb = ev->ev_arg;
- INSIST(DNS_ADB_VALID(adb));
-
- LOCK(&adb->lock);
-
- isc_stdtime_get(&now);
-
- for (i = 0; i < CLEAN_BUCKETS; i++) {
- /*
- * Call our cleanup routines.
- */
- RUNTIME_CHECK(cleanup_names(adb, adb->next_cleanbucket, now) ==
- ISC_FALSE);
- RUNTIME_CHECK(cleanup_entries(adb, adb->next_cleanbucket, now)
- == ISC_FALSE);
-
- /*
- * Set the next bucket to be cleaned.
- */
- adb->next_cleanbucket++;
- if (adb->next_cleanbucket >= NBUCKETS) {
- adb->next_cleanbucket = 0;
-#ifdef DUMP_ADB_AFTER_CLEANING
- dump_adb(adb, stdout, ISC_TRUE, now);
-#endif
- }
- }
-
- /*
- * Reset the timer.
- * XXXDCL isc_timer_reset might return ISC_R_UNEXPECTED or
- * ISC_R_NOMEMORY, but it isn't clear what could be done here
- * if either one of those things happened.
- */
- interval = adb->tick_interval;
- if (adb->overmem)
- isc_interval_set(&interval, 0, 1);
- (void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
- &interval, ISC_FALSE);
-
- UNLOCK(&adb->lock);
-
- isc_event_free(&ev);
-}
-
-static void
-destroy(dns_adb_t *adb) {
- adb->magic = 0;
-
- /*
- * The timer is already dead, from the task's shutdown callback.
- */
- isc_task_detach(&adb->task);
-
- isc_mempool_destroy(&adb->nmp);
- isc_mempool_destroy(&adb->nhmp);
- isc_mempool_destroy(&adb->zimp);
- isc_mempool_destroy(&adb->emp);
- isc_mempool_destroy(&adb->ahmp);
- isc_mempool_destroy(&adb->aimp);
- isc_mempool_destroy(&adb->afmp);
-
- DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
- DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
-
- DESTROYLOCK(&adb->reflock);
- DESTROYLOCK(&adb->lock);
- DESTROYLOCK(&adb->mplock);
-
- isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
-}
-
-
-/*
- * Public functions.
- */
-
-isc_result_t
-dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
- isc_taskmgr_t *taskmgr, dns_adb_t **newadb)
-{
- dns_adb_t *adb;
- isc_result_t result;
- int i;
-
- REQUIRE(mem != NULL);
- REQUIRE(view != NULL);
- REQUIRE(timermgr != NULL);
- REQUIRE(taskmgr != NULL);
- REQUIRE(newadb != NULL && *newadb == NULL);
-
- adb = isc_mem_get(mem, sizeof(dns_adb_t));
- if (adb == NULL)
- return (ISC_R_NOMEMORY);
-
- /*
- * Initialize things here that cannot fail, and especially things
- * that must be NULL for the error return to work properly.
- */
- adb->magic = 0;
- adb->erefcnt = 1;
- adb->irefcnt = 0;
- adb->nmp = NULL;
- adb->nhmp = NULL;
- adb->zimp = NULL;
- adb->emp = NULL;
- adb->ahmp = NULL;
- adb->aimp = NULL;
- adb->afmp = NULL;
- adb->task = NULL;
- adb->timer = NULL;
- adb->mctx = NULL;
- adb->view = view;
- adb->timermgr = timermgr;
- adb->taskmgr = taskmgr;
- adb->next_cleanbucket = 0;
- ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
- DNS_EVENT_ADBCONTROL, shutdown_task, adb,
- adb, NULL, NULL);
- adb->cevent_sent = ISC_FALSE;
- adb->shutting_down = ISC_FALSE;
- adb->overmem = ISC_FALSE;
- ISC_LIST_INIT(adb->whenshutdown);
-
- isc_mem_attach(mem, &adb->mctx);
-
- result = isc_mutex_init(&adb->lock);
- if (result != ISC_R_SUCCESS)
- goto fail0b;
-
- result = isc_mutex_init(&adb->mplock);
- if (result != ISC_R_SUCCESS)
- goto fail0c;
-
- result = isc_mutex_init(&adb->reflock);
- if (result != ISC_R_SUCCESS)
- goto fail0d;
-
- /*
- * Initialize the bucket locks for names and elements.
- * May as well initialize the list heads, too.
- */
- result = isc_mutexblock_init(adb->namelocks, NBUCKETS);
- if (result != ISC_R_SUCCESS)
- goto fail1;
- for (i = 0; i < NBUCKETS; i++) {
- ISC_LIST_INIT(adb->names[i]);
- adb->name_sd[i] = ISC_FALSE;
- adb->name_refcnt[i] = 0;
- adb->irefcnt++;
- }
- for (i = 0; i < NBUCKETS; i++) {
- ISC_LIST_INIT(adb->entries[i]);
- adb->entry_sd[i] = ISC_FALSE;
- adb->entry_refcnt[i] = 0;
- adb->irefcnt++;
- }
- result = isc_mutexblock_init(adb->entrylocks, NBUCKETS);
- if (result != ISC_R_SUCCESS)
- goto fail2;
-
- /*
- * Memory pools
- */
-#define MPINIT(t, p, n) do { \
- result = isc_mempool_create(mem, sizeof(t), &(p)); \
- if (result != ISC_R_SUCCESS) \
- goto fail3; \
- isc_mempool_setfreemax((p), FREE_ITEMS); \
- isc_mempool_setfillcount((p), FILL_COUNT); \
- isc_mempool_setname((p), n); \
- isc_mempool_associatelock((p), &adb->mplock); \
-} while (0)
-
- MPINIT(dns_adbname_t, adb->nmp, "adbname");
- MPINIT(dns_adbnamehook_t, adb->nhmp, "adbnamehook");
- MPINIT(dns_adbzoneinfo_t, adb->zimp, "adbzoneinfo");
- MPINIT(dns_adbentry_t, adb->emp, "adbentry");
- MPINIT(dns_adbfind_t, adb->ahmp, "adbfind");
- MPINIT(dns_adbaddrinfo_t, adb->aimp, "adbaddrinfo");
- MPINIT(dns_adbfetch_t, adb->afmp, "adbfetch");
-
-#undef MPINIT
-
- /*
- * Allocate a timer and a task for our periodic cleanup.
- */
- result = isc_task_create(adb->taskmgr, 0, &adb->task);
- if (result != ISC_R_SUCCESS)
- goto fail3;
- isc_task_setname(adb->task, "ADB", adb);
- /*
- * XXXMLG When this is changed to be a config file option,
- */
- isc_interval_set(&adb->tick_interval, CLEAN_SECONDS, 0);
- result = isc_timer_create(adb->timermgr, isc_timertype_once,
- NULL, &adb->tick_interval, adb->task,
- timer_cleanup, adb, &adb->timer);
- if (result != ISC_R_SUCCESS)
- goto fail3;
-
- DP(ISC_LOG_DEBUG(5), "cleaning interval for adb: "
- "%u buckets every %u seconds, %u buckets in system, %u cl.interval",
- CLEAN_BUCKETS, CLEAN_SECONDS, NBUCKETS, CLEAN_PERIOD);
-
- /*
- * Normal return.
- */
- adb->magic = DNS_ADB_MAGIC;
- *newadb = adb;
- return (ISC_R_SUCCESS);
-
- fail3:
- if (adb->task != NULL)
- isc_task_detach(&adb->task);
- if (adb->timer != NULL)
- isc_timer_detach(&adb->timer);
-
- /* clean up entrylocks */
- DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
-
- fail2: /* clean up namelocks */
- DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
-
- fail1: /* clean up only allocated memory */
- if (adb->nmp != NULL)
- isc_mempool_destroy(&adb->nmp);
- if (adb->nhmp != NULL)
- isc_mempool_destroy(&adb->nhmp);
- if (adb->zimp != NULL)
- isc_mempool_destroy(&adb->zimp);
- if (adb->emp != NULL)
- isc_mempool_destroy(&adb->emp);
- if (adb->ahmp != NULL)
- isc_mempool_destroy(&adb->ahmp);
- if (adb->aimp != NULL)
- isc_mempool_destroy(&adb->aimp);
- if (adb->afmp != NULL)
- isc_mempool_destroy(&adb->afmp);
-
- DESTROYLOCK(&adb->reflock);
- fail0d:
- DESTROYLOCK(&adb->mplock);
- fail0c:
- DESTROYLOCK(&adb->lock);
- fail0b:
- isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
-
- return (result);
-}
-
-void
-dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbx) {
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(adbx != NULL && *adbx == NULL);
-
- inc_adb_erefcnt(adb);
- *adbx = adb;
-}
-
-void
-dns_adb_detach(dns_adb_t **adbx) {
- dns_adb_t *adb;
- isc_boolean_t need_exit_check;
-
- REQUIRE(adbx != NULL && DNS_ADB_VALID(*adbx));
-
- adb = *adbx;
- *adbx = NULL;
-
- INSIST(adb->erefcnt > 0);
-
- LOCK(&adb->reflock);
- adb->erefcnt--;
- need_exit_check = ISC_TF(adb->erefcnt == 0 && adb->irefcnt == 0);
- UNLOCK(&adb->reflock);
-
- if (need_exit_check) {
- LOCK(&adb->lock);
- INSIST(adb->shutting_down);
- check_exit(adb);
- UNLOCK(&adb->lock);
- }
-}
-
-void
-dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
- isc_task_t *clone;
- isc_event_t *event;
- isc_boolean_t zeroirefcnt = ISC_FALSE;
-
- /*
- * Send '*eventp' to 'task' when 'adb' has shutdown.
- */
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(eventp != NULL);
-
- event = *eventp;
- *eventp = NULL;
-
- LOCK(&adb->lock);
-
- LOCK(&adb->reflock);
- zeroirefcnt = ISC_TF(adb->irefcnt == 0);
-
- if (adb->shutting_down && zeroirefcnt &&
- isc_mempool_getallocated(adb->ahmp) == 0) {
- /*
- * We're already shutdown. Send the event.
- */
- event->ev_sender = adb;
- isc_task_send(task, &event);
- } else {
- clone = NULL;
- isc_task_attach(task, &clone);
- event->ev_sender = clone;
- ISC_LIST_APPEND(adb->whenshutdown, event, ev_link);
- }
-
- UNLOCK(&adb->reflock);
- UNLOCK(&adb->lock);
-}
-
-void
-dns_adb_shutdown(dns_adb_t *adb) {
- isc_boolean_t need_check_exit;
-
- /*
- * Shutdown 'adb'.
- */
-
- LOCK(&adb->lock);
-
- if (!adb->shutting_down) {
- adb->shutting_down = ISC_TRUE;
- isc_mem_setwater(adb->mctx, water, adb, 0, 0);
- need_check_exit = shutdown_names(adb);
- if (!need_check_exit)
- need_check_exit = shutdown_entries(adb);
- if (need_check_exit)
- check_exit(adb);
- }
-
- UNLOCK(&adb->lock);
-}
-
-isc_result_t
-dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
- void *arg, dns_name_t *name, dns_name_t *zone,
- unsigned int options, isc_stdtime_t now, dns_name_t *target,
- in_port_t port, dns_adbfind_t **findp)
-{
- dns_adbfind_t *find;
- dns_adbname_t *adbname;
- int bucket;
- isc_boolean_t want_event, start_at_zone, alias, have_address;
- isc_result_t result;
- unsigned int wanted_addresses;
- unsigned int wanted_fetches;
- unsigned int query_pending;
-
- REQUIRE(DNS_ADB_VALID(adb));
- if (task != NULL) {
- REQUIRE(action != NULL);
- }
- REQUIRE(name != NULL);
- REQUIRE(zone != NULL);
- REQUIRE(findp != NULL && *findp == NULL);
- REQUIRE(target == NULL || dns_name_hasbuffer(target));
-
- REQUIRE((options & DNS_ADBFIND_ADDRESSMASK) != 0);
-
- result = ISC_R_UNEXPECTED;
- wanted_addresses = (options & DNS_ADBFIND_ADDRESSMASK);
- wanted_fetches = 0;
- query_pending = 0;
- want_event = ISC_FALSE;
- start_at_zone = ISC_FALSE;
- alias = ISC_FALSE;
-
- if (now == 0)
- isc_stdtime_get(&now);
-
- /*
- * XXXMLG Move this comment somewhere else!
- *
- * Look up the name in our internal database.
- *
- * Possibilities: Note that these are not always exclusive.
- *
- * No name found. In this case, allocate a new name header and
- * an initial namehook or two. If any of these allocations
- * fail, clean up and return ISC_R_NOMEMORY.
- *
- * Name found, valid addresses present. Allocate one addrinfo
- * structure for each found and append it to the linked list
- * of addresses for this header.
- *
- * Name found, queries pending. In this case, if a task was
- * passed in, allocate a job id, attach it to the name's job
- * list and remember to tell the caller that there will be
- * more info coming later.
- */
-
- find = new_adbfind(adb);
- if (find == NULL)
- return (ISC_R_NOMEMORY);
-
- find->port = port;
-
- /*
- * Remember what types of addresses we are interested in.
- */
- find->options = options;
- find->flags |= wanted_addresses;
- if (FIND_WANTEVENT(find)) {
- REQUIRE(task != NULL);
- }
-
- /*
- * Try to see if we know anything about this name at all.
- */
- bucket = DNS_ADB_INVALIDBUCKET;
- adbname = find_name_and_lock(adb, name, find->options, &bucket);
- if (adb->name_sd[bucket]) {
- DP(DEF_LEVEL,
- "dns_adb_createfind: returning ISC_R_SHUTTINGDOWN");
- RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
- result = ISC_R_SHUTTINGDOWN;
- goto out;
- }
-
- /*
- * Nothing found. Allocate a new adbname structure for this name.
- */
- if (adbname == NULL) {
- adbname = new_adbname(adb, name);
- if (adbname == NULL) {
- RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
- result = ISC_R_NOMEMORY;
- goto out;
- }
- link_name(adb, bucket, adbname);
- if (FIND_HINTOK(find))
- adbname->flags |= NAME_HINT_OK;
- if (FIND_GLUEOK(find))
- adbname->flags |= NAME_GLUE_OK;
- if (FIND_STARTATZONE(find))
- adbname->flags |= NAME_STARTATZONE;
- }
-
- /*
- * Expire old entries, etc.
- */
- RUNTIME_CHECK(check_expire_namehooks(adbname, now, adb->overmem) ==
- ISC_FALSE);
-
- /*
- * Do we know that the name is an alias?
- */
- if (!EXPIRE_OK(adbname->expire_target, now)) {
- /*
- * Yes, it is.
- */
- DP(DEF_LEVEL,
- "dns_adb_createfind: name %p is an alias (cached)",
- adbname);
- alias = ISC_TRUE;
- goto post_copy;
- }
-
- /*
- * Try to populate the name from the database and/or
- * start fetches. First try looking for an A record
- * in the database.
- */
- if (!NAME_HAS_V4(adbname) && EXPIRE_OK(adbname->expire_v4, now)
- && WANT_INET(wanted_addresses)) {
- result = dbfind_name(adbname, now, dns_rdatatype_a);
- if (result == ISC_R_SUCCESS) {
- DP(DEF_LEVEL,
- "dns_adb_createfind: found A for name %p in db",
- adbname);
- goto v6;
- }
-
- /*
- * Did we get a CNAME or DNAME?
- */
- if (result == DNS_R_ALIAS) {
- DP(DEF_LEVEL,
- "dns_adb_createfind: name %p is an alias",
- adbname);
- alias = ISC_TRUE;
- goto post_copy;
- }
-
- /*
- * If the name doesn't exist at all, don't bother with
- * v6 queries; they won't work.
- *
- * If the name does exist but we didn't get our data, go
- * ahead and try AAAA.
- *
- * If the result is neither of these, try a fetch for A.
- */
- if (NXDOMAIN_RESULT(result))
- goto fetch;
- else if (NXRRSET_RESULT(result))
- goto v6;
-
- if (!NAME_FETCH_V4(adbname))
- wanted_fetches |= DNS_ADBFIND_INET;
- }
-
- v6:
- if (!NAME_HAS_V6(adbname) && EXPIRE_OK(adbname->expire_v6, now)
- && WANT_INET6(wanted_addresses)) {
- result = dbfind_name(adbname, now, dns_rdatatype_aaaa);
- if (result == ISC_R_SUCCESS) {
- DP(DEF_LEVEL,
- "dns_adb_createfind: found AAAA for name %p",
- adbname);
- goto fetch;
- }
-
- /*
- * Did we get a CNAME or DNAME?
- */
- if (result == DNS_R_ALIAS) {
- DP(DEF_LEVEL,
- "dns_adb_createfind: name %p is an alias",
- adbname);
- alias = ISC_TRUE;
- goto post_copy;
- }
-
- /*
- * Listen to negative cache hints, and don't start
- * another query.
- */
- if (NCACHE_RESULT(result) || AUTH_NX(result))
- goto fetch;
-
- if (!NAME_FETCH_V6(adbname))
- wanted_fetches |= DNS_ADBFIND_INET6;
- }
-
- fetch:
- if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
- (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
- have_address = ISC_TRUE;
- else
- have_address = ISC_FALSE;
- if (wanted_fetches != 0 &&
- ! (FIND_AVOIDFETCHES(find) && have_address)) {
- /*
- * We're missing at least one address family. Either the
- * caller hasn't instructed us to avoid fetches, or we don't
- * know anything about any of the address families that would
- * be acceptable so we have to launch fetches.
- */
-
- if (FIND_STARTATZONE(find))
- start_at_zone = ISC_TRUE;
-
- /*
- * Start V4.
- */
- if (WANT_INET(wanted_fetches) &&
- fetch_name(adbname, start_at_zone,
- dns_rdatatype_a) == ISC_R_SUCCESS) {
- DP(DEF_LEVEL,
- "dns_adb_createfind: started A fetch for name %p",
- adbname);
- }
-
- /*
- * Start V6.
- */
- if (WANT_INET6(wanted_fetches) &&
- fetch_name(adbname, start_at_zone,
- dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
- DP(DEF_LEVEL,
- "dns_adb_createfind: "
- "started AAAA fetch for name %p",
- adbname);
- }
- }
-
- /*
- * Run through the name and copy out the bits we are
- * interested in.
- */
- copy_namehook_lists(adb, find, zone, adbname, now);
-
- post_copy:
- if (NAME_FETCH_V4(adbname))
- query_pending |= DNS_ADBFIND_INET;
- if (NAME_FETCH_V6(adbname))
- query_pending |= DNS_ADBFIND_INET6;
-
- /*
- * Attach to the name's query list if there are queries
- * already running, and we have been asked to.
- */
- want_event = ISC_TRUE;
- if (!FIND_WANTEVENT(find))
- want_event = ISC_FALSE;
- if (FIND_WANTEMPTYEVENT(find) && FIND_HAS_ADDRS(find))
- want_event = ISC_FALSE;
- if ((wanted_addresses & query_pending) == 0)
- want_event = ISC_FALSE;
- if (alias)
- want_event = ISC_FALSE;
- if (want_event) {
- find->adbname = adbname;
- find->name_bucket = bucket;
- ISC_LIST_APPEND(adbname->finds, find, plink);
- find->query_pending = (query_pending & wanted_addresses);
- find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
- find->flags |= (find->query_pending & DNS_ADBFIND_ADDRESSMASK);
- DP(DEF_LEVEL, "createfind: attaching find %p to adbname %p",
- find, adbname);
- } else {
- /*
- * Remove the flag so the caller knows there will never
- * be an event, and set internal flags to fake that
- * the event was sent and freed, so dns_adb_destroyfind() will
- * do the right thing.
- */
- find->query_pending = (query_pending & wanted_addresses);
- find->options &= ~DNS_ADBFIND_WANTEVENT;
- find->flags |= (FIND_EVENT_SENT | FIND_EVENT_FREED);
- find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
- }
-
- find->partial_result |= (adbname->partial_result & wanted_addresses);
- if (alias) {
- if (target != NULL) {
- result = dns_name_copy(&adbname->target, target, NULL);
- if (result != ISC_R_SUCCESS)
- goto out;
- }
- result = DNS_R_ALIAS;
- } else
- result = ISC_R_SUCCESS;
-
- /*
- * Copy out error flags from the name structure into the find.
- */
- find->result_v4 = find_err_map[adbname->fetch_err];
- find->result_v6 = find_err_map[adbname->fetch6_err];
-
- out:
- if (find != NULL) {
- *findp = find;
-
- if (want_event) {
- isc_task_t *taskp;
-
- INSIST((find->flags & DNS_ADBFIND_ADDRESSMASK) != 0);
- taskp = NULL;
- isc_task_attach(task, &taskp);
- find->event.ev_sender = taskp;
- find->event.ev_action = action;
- find->event.ev_arg = arg;
- }
- }
-
- if (bucket != DNS_ADB_INVALIDBUCKET)
- UNLOCK(&adb->namelocks[bucket]);
-
- return (result);
-}
-
-void
-dns_adb_destroyfind(dns_adbfind_t **findp) {
- dns_adbfind_t *find;
- dns_adbentry_t *entry;
- dns_adbaddrinfo_t *ai;
- int bucket;
- dns_adb_t *adb;
-
- REQUIRE(findp != NULL && DNS_ADBFIND_VALID(*findp));
- find = *findp;
- *findp = NULL;
-
- LOCK(&find->lock);
-
- DP(DEF_LEVEL, "dns_adb_destroyfind on find %p", find);
-
- adb = find->adb;
- REQUIRE(DNS_ADB_VALID(adb));
-
- REQUIRE(FIND_EVENTFREED(find));
-
- bucket = find->name_bucket;
- INSIST(bucket == DNS_ADB_INVALIDBUCKET);
-
- UNLOCK(&find->lock);
-
- /*
- * The find doesn't exist on any list, and nothing is locked.
- * Return the find to the memory pool, and decrement the adb's
- * reference count.
- */
- ai = ISC_LIST_HEAD(find->list);
- while (ai != NULL) {
- ISC_LIST_UNLINK(find->list, ai, publink);
- entry = ai->entry;
- ai->entry = NULL;
- INSIST(DNS_ADBENTRY_VALID(entry));
- RUNTIME_CHECK(dec_entry_refcnt(adb, entry, ISC_TRUE) ==
- ISC_FALSE);
- free_adbaddrinfo(adb, &ai);
- ai = ISC_LIST_HEAD(find->list);
- }
-
- /*
- * WARNING: The find is freed with the adb locked. This is done
- * to avoid a race condition where we free the find, some other
- * thread tests to see if it should be destroyed, detects it should
- * be, destroys it, and then we try to lock it for our check, but the
- * lock is destroyed.
- */
- LOCK(&adb->lock);
- if (free_adbfind(adb, &find))
- check_exit(adb);
- UNLOCK(&adb->lock);
-}
-
-void
-dns_adb_cancelfind(dns_adbfind_t *find) {
- isc_event_t *ev;
- isc_task_t *task;
- dns_adb_t *adb;
- int bucket;
- int unlock_bucket;
-
- LOCK(&find->lock);
-
- DP(DEF_LEVEL, "dns_adb_cancelfind on find %p", find);
-
- adb = find->adb;
- REQUIRE(DNS_ADB_VALID(adb));
-
- REQUIRE(!FIND_EVENTFREED(find));
- REQUIRE(FIND_WANTEVENT(find));
-
- bucket = find->name_bucket;
- if (bucket == DNS_ADB_INVALIDBUCKET)
- goto cleanup;
-
- /*
- * We need to get the adbname's lock to unlink the find.
- */
- unlock_bucket = bucket;
- violate_locking_hierarchy(&find->lock, &adb->namelocks[unlock_bucket]);
- bucket = find->name_bucket;
- if (bucket != DNS_ADB_INVALIDBUCKET) {
- ISC_LIST_UNLINK(find->adbname->finds, find, plink);
- find->adbname = NULL;
- find->name_bucket = DNS_ADB_INVALIDBUCKET;
- }
- UNLOCK(&adb->namelocks[unlock_bucket]);
- bucket = DNS_ADB_INVALIDBUCKET;
-
- cleanup:
-
- if (!FIND_EVENTSENT(find)) {
- ev = &find->event;
- task = ev->ev_sender;
- ev->ev_sender = find;
- ev->ev_type = DNS_EVENT_ADBCANCELED;
- ev->ev_destroy = event_free;
- ev->ev_destroy_arg = find;
- find->result_v4 = ISC_R_CANCELED;
- find->result_v6 = ISC_R_CANCELED;
-
- DP(DEF_LEVEL, "sending event %p to task %p for find %p",
- ev, task, find);
-
- isc_task_sendanddetach(&task, (isc_event_t **)&ev);
- }
-
- UNLOCK(&find->lock);
-}
-
-void
-dns_adb_dump(dns_adb_t *adb, FILE *f) {
- int i;
- isc_stdtime_t now;
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(f != NULL);
-
- /*
- * Lock the adb itself, lock all the name buckets, then lock all
- * the entry buckets. This should put the adb into a state where
- * nothing can change, so we can iterate through everything and
- * print at our leisure.
- */
-
- LOCK(&adb->lock);
- isc_stdtime_get(&now);
-
- for (i = 0; i < NBUCKETS; i++)
- RUNTIME_CHECK(cleanup_names(adb, i, now) == ISC_FALSE);
- for (i = 0; i < NBUCKETS; i++)
- RUNTIME_CHECK(cleanup_entries(adb, i, now) == ISC_FALSE);
-
- dump_adb(adb, f, ISC_FALSE, now);
- UNLOCK(&adb->lock);
-}
-
-static void
-dump_ttl(FILE *f, const char *legend, isc_stdtime_t value, isc_stdtime_t now) {
- if (value == INT_MAX)
- return;
- fprintf(f, " [%s TTL %d]", legend, value - now);
-}
-
-static void
-dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
- int i;
- dns_adbname_t *name;
- dns_adbentry_t *entry;
-
- fprintf(f, ";\n; Address database dump\n;\n");
- if (debug)
- fprintf(f, "; addr %p, erefcnt %u, irefcnt %u, finds out %u\n",
- adb, adb->erefcnt, adb->irefcnt,
- isc_mempool_getallocated(adb->nhmp));
-
- for (i = 0; i < NBUCKETS; i++)
- LOCK(&adb->namelocks[i]);
- for (i = 0; i < NBUCKETS; i++)
- LOCK(&adb->entrylocks[i]);
-
- /*
- * Dump the names
- */
- for (i = 0; i < NBUCKETS; i++) {
- name = ISC_LIST_HEAD(adb->names[i]);
- if (name == NULL)
- continue;
- if (debug)
- fprintf(f, "; bucket %d\n", i);
- for (;
- name != NULL;
- name = ISC_LIST_NEXT(name, plink))
- {
- if (debug)
- fprintf(f, "; name %p (flags %08x)\n",
- name, name->flags);
-
- fprintf(f, "; ");
- print_dns_name(f, &name->name);
- if (dns_name_countlabels(&name->target) > 0) {
- fprintf(f, " alias ");
- print_dns_name(f, &name->target);
- }
-
- dump_ttl(f, "v4", name->expire_v4, now);
- dump_ttl(f, "v6", name->expire_v6, now);
- dump_ttl(f, "target", name->expire_target, now);
-
- fprintf(f, " [v4 %s] [v6 %s]",
- errnames[name->fetch_err],
- errnames[name->fetch6_err]);
-
- fprintf(f, "\n");
-
- print_namehook_list(f, "v4", &name->v4, debug, now);
- print_namehook_list(f, "v6", &name->v6, debug, now);
-
- if (debug)
- print_fetch_list(f, name);
- if (debug)
- print_find_list(f, name);
-
- }
- }
-
- fprintf(f, ";\n; Unassociated entries\n;\n");
-
- for (i = 0; i < NBUCKETS; i++) {
- entry = ISC_LIST_HEAD(adb->entries[i]);
- while (entry != NULL) {
- if (entry->refcnt == 0)
- dump_entry(f, entry, debug, now);
- entry = ISC_LIST_NEXT(entry, plink);
- }
- }
-
- /*
- * Unlock everything
- */
- for (i = 0; i < NBUCKETS; i++)
- UNLOCK(&adb->entrylocks[i]);
- for (i = 0; i < NBUCKETS; i++)
- UNLOCK(&adb->namelocks[i]);
-}
-
-static void
-dump_entry(FILE *f, dns_adbentry_t *entry, isc_boolean_t debug,
- isc_stdtime_t now)
-{
- char addrbuf[ISC_NETADDR_FORMATSIZE];
- isc_netaddr_t netaddr;
- dns_adbzoneinfo_t *zi;
-
- isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
- isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
-
- if (debug)
- fprintf(f, ";\t%p: refcnt %u\n", entry, entry->refcnt);
-
- fprintf(f, ";\t%s [srtt %u] [flags %08x]",
- addrbuf, entry->srtt, entry->flags);
- if (entry->expires != 0)
- fprintf(f, " [ttl %d]", entry->expires - now);
- fprintf(f, "\n");
- for (zi = ISC_LIST_HEAD(entry->zoneinfo);
- zi != NULL;
- zi = ISC_LIST_NEXT(zi, plink)) {
- fprintf(f, ";\t\t");
- print_dns_name(f, &zi->zone);
- fprintf(f, " [lame TTL %d]\n", zi->lame_timer - now);
- }
-}
-
-void
-dns_adb_dumpfind(dns_adbfind_t *find, FILE *f) {
- char tmp[512];
- const char *tmpp;
- dns_adbaddrinfo_t *ai;
- isc_sockaddr_t *sa;
-
- /*
- * Not used currently, in the API Just In Case we
- * want to dump out the name and/or entries too.
- */
-
- LOCK(&find->lock);
-
- fprintf(f, ";Find %p\n", find);
- fprintf(f, ";\tqpending %08x partial %08x options %08x flags %08x\n",
- find->query_pending, find->partial_result,
- find->options, find->flags);
- fprintf(f, ";\tname_bucket %d, name %p, event sender %p\n",
- find->name_bucket, find->adbname, find->event.ev_sender);
-
- ai = ISC_LIST_HEAD(find->list);
- if (ai != NULL)
- fprintf(f, "\tAddresses:\n");
- while (ai != NULL) {
- sa = &ai->sockaddr;
- switch (sa->type.sa.sa_family) {
- case AF_INET:
- tmpp = inet_ntop(AF_INET, &sa->type.sin.sin_addr,
- tmp, sizeof(tmp));
- break;
- case AF_INET6:
- tmpp = inet_ntop(AF_INET6, &sa->type.sin6.sin6_addr,
- tmp, sizeof(tmp));
- break;
- default:
- tmpp = "UnkFamily";
- }
-
- if (tmpp == NULL)
- tmpp = "BadAddress";
-
- fprintf(f, "\t\tentry %p, flags %08x"
- " srtt %u addr %s\n",
- ai->entry, ai->flags, ai->srtt, tmpp);
-
- ai = ISC_LIST_NEXT(ai, publink);
- }
-
- UNLOCK(&find->lock);
-}
-
-static void
-print_dns_name(FILE *f, dns_name_t *name) {
- char buf[DNS_NAME_FORMATSIZE];
-
- INSIST(f != NULL);
-
- dns_name_format(name, buf, sizeof(buf));
- fprintf(f, "%s", buf);
-}
-
-static void
-print_namehook_list(FILE *f, const char *legend, dns_adbnamehooklist_t *list,
- isc_boolean_t debug, isc_stdtime_t now)
-{
- dns_adbnamehook_t *nh;
-
- for (nh = ISC_LIST_HEAD(*list);
- nh != NULL;
- nh = ISC_LIST_NEXT(nh, plink))
- {
- if (debug)
- fprintf(f, ";\tHook(%s) %p\n", legend, nh);
- dump_entry(f, nh->entry, debug, now);
- }
-}
-
-static inline void
-print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
- fprintf(f, "\t\tFetch(%s): %p -> { nh %p, entry %p, fetch %p }\n",
- type, ft, ft->namehook, ft->entry, ft->fetch);
-}
-
-static void
-print_fetch_list(FILE *f, dns_adbname_t *n) {
- if (NAME_FETCH_A(n))
- print_fetch(f, n->fetch_a, "A");
- if (NAME_FETCH_AAAA(n))
- print_fetch(f, n->fetch_aaaa, "AAAA");
-}
-
-static void
-print_find_list(FILE *f, dns_adbname_t *name) {
- dns_adbfind_t *find;
-
- find = ISC_LIST_HEAD(name->finds);
- while (find != NULL) {
- dns_adb_dumpfind(find, f);
- find = ISC_LIST_NEXT(find, plink);
- }
-}
-
-static isc_result_t
-dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
-{
- isc_result_t result;
- dns_rdataset_t rdataset;
- dns_adb_t *adb;
- dns_fixedname_t foundname;
- dns_name_t *fname;
-
- INSIST(DNS_ADBNAME_VALID(adbname));
- adb = adbname->adb;
- INSIST(DNS_ADB_VALID(adb));
- INSIST(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
-
- dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
- dns_rdataset_init(&rdataset);
-
- if (rdtype == dns_rdatatype_a)
- adbname->fetch_err = FIND_ERR_UNEXPECTED;
- else
- adbname->fetch6_err = FIND_ERR_UNEXPECTED;
-
- result = dns_view_find(adb->view, &adbname->name, rdtype, now,
- NAME_GLUEOK(adbname),
- ISC_TF(NAME_HINTOK(adbname)),
- NULL, NULL, fname, &rdataset, NULL);
-
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
- switch (result) {
- case DNS_R_GLUE:
- case DNS_R_HINT:
- case ISC_R_SUCCESS:
- /*
- * Found in the database. Even if we can't copy out
- * any information, return success, or else a fetch
- * will be made, which will only make things worse.
- */
- if (rdtype == dns_rdatatype_a)
- adbname->fetch_err = FIND_ERR_SUCCESS;
- else
- adbname->fetch6_err = FIND_ERR_SUCCESS;
- result = import_rdataset(adbname, &rdataset, now);
- break;
- case DNS_R_NXDOMAIN:
- case DNS_R_NXRRSET:
- /*
- * We're authoritative and the data doesn't exist.
- * Make up a negative cache entry so we don't ask again
- * for a while.
- *
- * XXXRTH What time should we use? I'm putting in 30 seconds
- * for now.
- */
- if (rdtype == dns_rdatatype_a) {
- adbname->expire_v4 = now + 30;
- DP(NCACHE_LEVEL,
- "adb name %p: Caching auth negative entry for A",
- adbname);
- if (result == DNS_R_NXDOMAIN)
- adbname->fetch_err = FIND_ERR_NXDOMAIN;
- else
- adbname->fetch_err = FIND_ERR_NXRRSET;
- } else {
- DP(NCACHE_LEVEL,
- "adb name %p: Caching auth negative entry for AAAA",
- adbname);
- adbname->expire_v6 = now + 30;
- if (result == DNS_R_NXDOMAIN)
- adbname->fetch6_err = FIND_ERR_NXDOMAIN;
- else
- adbname->fetch6_err = FIND_ERR_NXRRSET;
- }
- break;
- case DNS_R_NCACHENXDOMAIN:
- case DNS_R_NCACHENXRRSET:
- /*
- * We found a negative cache entry. Pull the TTL from it
- * so we won't ask again for a while.
- */
- rdataset.ttl = ttlclamp(rdataset.ttl);
- if (rdtype == dns_rdatatype_a) {
- adbname->expire_v4 = rdataset.ttl + now;
- if (result == DNS_R_NCACHENXDOMAIN)
- adbname->fetch_err = FIND_ERR_NXDOMAIN;
- else
- adbname->fetch_err = FIND_ERR_NXRRSET;
- DP(NCACHE_LEVEL,
- "adb name %p: Caching negative entry for A (ttl %u)",
- adbname, rdataset.ttl);
- } else {
- DP(NCACHE_LEVEL,
- "adb name %p: Caching negative entry for AAAA (ttl %u)",
- adbname, rdataset.ttl);
- adbname->expire_v6 = rdataset.ttl + now;
- if (result == DNS_R_NCACHENXDOMAIN)
- adbname->fetch6_err = FIND_ERR_NXDOMAIN;
- else
- adbname->fetch6_err = FIND_ERR_NXRRSET;
- }
- break;
- case DNS_R_CNAME:
- case DNS_R_DNAME:
- /*
- * Clear the hint and glue flags, so this will match
- * more often.
- */
- adbname->flags &= ~(DNS_ADBFIND_GLUEOK | DNS_ADBFIND_HINTOK);
-
- rdataset.ttl = ttlclamp(rdataset.ttl);
- clean_target(adb, &adbname->target);
- adbname->expire_target = INT_MAX;
- result = set_target(adb, &adbname->name, fname, &rdataset,
- &adbname->target);
- if (result == ISC_R_SUCCESS) {
- result = DNS_R_ALIAS;
- DP(NCACHE_LEVEL,
- "adb name %p: caching alias target",
- adbname);
- adbname->expire_target = rdataset.ttl + now;
- }
- if (rdtype == dns_rdatatype_a)
- adbname->fetch_err = FIND_ERR_SUCCESS;
- else
- adbname->fetch6_err = FIND_ERR_SUCCESS;
- break;
- }
-
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
-
- return (result);
-}
-
-static void
-fetch_callback(isc_task_t *task, isc_event_t *ev) {
- dns_fetchevent_t *dev;
- dns_adbname_t *name;
- dns_adb_t *adb;
- dns_adbfetch_t *fetch;
- int bucket;
- isc_eventtype_t ev_status;
- isc_stdtime_t now;
- isc_result_t result;
- unsigned int address_type;
- isc_boolean_t want_check_exit = ISC_FALSE;
-
- UNUSED(task);
-
- INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
- dev = (dns_fetchevent_t *)ev;
- name = ev->ev_arg;
- INSIST(DNS_ADBNAME_VALID(name));
- adb = name->adb;
- INSIST(DNS_ADB_VALID(adb));
-
- bucket = name->lock_bucket;
- LOCK(&adb->namelocks[bucket]);
-
- INSIST(NAME_FETCH_A(name) || NAME_FETCH_AAAA(name));
- address_type = 0;
- if (NAME_FETCH_A(name) && (name->fetch_a->fetch == dev->fetch)) {
- address_type = DNS_ADBFIND_INET;
- fetch = name->fetch_a;
- name->fetch_a = NULL;
- } else if (NAME_FETCH_AAAA(name)
- && (name->fetch_aaaa->fetch == dev->fetch)) {
- address_type = DNS_ADBFIND_INET6;
- fetch = name->fetch_aaaa;
- name->fetch_aaaa = NULL;
- }
- INSIST(address_type != 0);
-
- dns_resolver_destroyfetch(&fetch->fetch);
- dev->fetch = NULL;
-
- ev_status = DNS_EVENT_ADBNOMOREADDRESSES;
-
- /*
- * Cleanup things we don't care about.
- */
- if (dev->node != NULL)
- dns_db_detachnode(dev->db, &dev->node);
- if (dev->db != NULL)
- dns_db_detach(&dev->db);
-
- /*
- * If this name is marked as dead, clean up, throwing away
- * potentially good data.
- */
- if (NAME_DEAD(name)) {
- free_adbfetch(adb, &fetch);
- isc_event_free(&ev);
-
- want_check_exit = kill_name(&name, DNS_EVENT_ADBCANCELED);
-
- UNLOCK(&adb->namelocks[bucket]);
-
- if (want_check_exit) {
- LOCK(&adb->lock);
- check_exit(adb);
- UNLOCK(&adb->lock);
- }
-
- return;
- }
-
- isc_stdtime_get(&now);
-
- /*
- * If we got a negative cache response, remember it.
- */
- if (NCACHE_RESULT(dev->result)) {
- dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
- if (address_type == DNS_ADBFIND_INET) {
- DP(NCACHE_LEVEL, "adb fetch name %p: "
- "caching negative entry for A (ttl %u)",
- name, dev->rdataset->ttl);
- name->expire_v4 = ISC_MIN(name->expire_v4,
- dev->rdataset->ttl + now);
- if (dev->result == DNS_R_NCACHENXDOMAIN)
- name->fetch_err = FIND_ERR_NXDOMAIN;
- else
- name->fetch_err = FIND_ERR_NXRRSET;
- } else {
- DP(NCACHE_LEVEL, "adb fetch name %p: "
- "caching negative entry for AAAA (ttl %u)",
- name, dev->rdataset->ttl);
- name->expire_v6 = ISC_MIN(name->expire_v6,
- dev->rdataset->ttl + now);
- if (dev->result == DNS_R_NCACHENXDOMAIN)
- name->fetch6_err = FIND_ERR_NXDOMAIN;
- else
- name->fetch6_err = FIND_ERR_NXRRSET;
- }
- goto out;
- }
-
- /*
- * Handle CNAME/DNAME.
- */
- if (dev->result == DNS_R_CNAME || dev->result == DNS_R_DNAME) {
- dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
- clean_target(adb, &name->target);
- name->expire_target = INT_MAX;
- result = set_target(adb, &name->name,
- dns_fixedname_name(&dev->foundname),
- dev->rdataset,
- &name->target);
- if (result == ISC_R_SUCCESS) {
- DP(NCACHE_LEVEL,
- "adb fetch name %p: caching alias target",
- name);
- name->expire_target = dev->rdataset->ttl + now;
- }
- goto check_result;
- }
-
- /*
- * Did we get back junk? If so, and there are no more fetches
- * sitting out there, tell all the finds about it.
- */
- if (dev->result != ISC_R_SUCCESS) {
- char buf[DNS_NAME_FORMATSIZE];
-
- dns_name_format(&name->name, buf, sizeof(buf));
- DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
- buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
- dns_result_totext(dev->result));
- /* XXXMLG Don't pound on bad servers. */
- if (address_type == DNS_ADBFIND_INET) {
- name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
- name->fetch_err = FIND_ERR_FAILURE;
- } else {
- name->expire_v6 = ISC_MIN(name->expire_v6, now + 300);
- name->fetch6_err = FIND_ERR_FAILURE;
- }
- goto out;
- }
-
- /*
- * We got something potentially useful.
- */
- result = import_rdataset(name, &fetch->rdataset, now);
-
- check_result:
- if (result == ISC_R_SUCCESS) {
- ev_status = DNS_EVENT_ADBMOREADDRESSES;
- if (address_type == DNS_ADBFIND_INET)
- name->fetch_err = FIND_ERR_SUCCESS;
- else
- name->fetch6_err = FIND_ERR_SUCCESS;
- }
-
- out:
- free_adbfetch(adb, &fetch);
- isc_event_free(&ev);
-
- clean_finds_at_name(name, ev_status, address_type);
-
- UNLOCK(&adb->namelocks[bucket]);
-}
-
-static isc_result_t
-fetch_name(dns_adbname_t *adbname,
- isc_boolean_t start_at_zone,
- dns_rdatatype_t type)
-{
- isc_result_t result;
- dns_adbfetch_t *fetch = NULL;
- dns_adb_t *adb;
- dns_fixedname_t fixed;
- dns_name_t *name;
- dns_rdataset_t rdataset;
- dns_rdataset_t *nameservers;
- unsigned int options;
-
- INSIST(DNS_ADBNAME_VALID(adbname));
- adb = adbname->adb;
- INSIST(DNS_ADB_VALID(adb));
-
- INSIST((type == dns_rdatatype_a && !NAME_FETCH_V4(adbname)) ||
- (type == dns_rdatatype_aaaa && !NAME_FETCH_V6(adbname)));
-
- adbname->fetch_err = FIND_ERR_NOTFOUND;
-
- name = NULL;
- nameservers = NULL;
- dns_rdataset_init(&rdataset);
-
- options = DNS_FETCHOPT_NOVALIDATE;
- if (start_at_zone) {
- DP(ENTER_LEVEL,
- "fetch_name: starting at zone for name %p",
- adbname);
- dns_fixedname_init(&fixed);
- name = dns_fixedname_name(&fixed);
- result = dns_view_findzonecut2(adb->view, &adbname->name, name,
- 0, 0, ISC_TRUE, ISC_FALSE,
- &rdataset, NULL);
- if (result != ISC_R_SUCCESS && result != DNS_R_HINT)
- goto cleanup;
- nameservers = &rdataset;
- options |= DNS_FETCHOPT_UNSHARED;
- }
-
- fetch = new_adbfetch(adb);
- if (fetch == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
-
- result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
- type, name, nameservers, NULL,
- options, adb->task, fetch_callback,
- adbname, &fetch->rdataset, NULL,
- &fetch->fetch);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- if (type == dns_rdatatype_a)
- adbname->fetch_a = fetch;
- else
- adbname->fetch_aaaa = fetch;
- fetch = NULL; /* Keep us from cleaning this up below. */
-
- cleanup:
- if (fetch != NULL)
- free_adbfetch(adb, &fetch);
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
-
- return (result);
-}
-
-/*
- * XXXMLG Needs to take a find argument and an address info, no zone or adb,
- * since these can be extracted from the find itself.
- */
-isc_result_t
-dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
- isc_stdtime_t expire_time)
-{
- dns_adbzoneinfo_t *zi;
- int bucket;
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(DNS_ADBADDRINFO_VALID(addr));
- REQUIRE(zone != NULL);
-
- bucket = addr->entry->lock_bucket;
- LOCK(&adb->entrylocks[bucket]);
- zi = ISC_LIST_HEAD(addr->entry->zoneinfo);
- while (zi != NULL && !dns_name_equal(zone, &zi->zone))
- zi = ISC_LIST_NEXT(zi, plink);
- if (zi != NULL) {
- if (expire_time > zi->lame_timer)
- zi->lame_timer = expire_time;
- goto unlock;
- }
- zi = new_adbzoneinfo(adb, zone);
- if (zi == NULL) {
- result = ISC_R_NOMEMORY;
- goto unlock;
- }
-
- zi->lame_timer = expire_time;
-
- ISC_LIST_PREPEND(addr->entry->zoneinfo, zi, plink);
- unlock:
- UNLOCK(&adb->entrylocks[bucket]);
-
- return (result);
-}
-
-void
-dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
- unsigned int rtt, unsigned int factor)
-{
- int bucket;
- unsigned int new_srtt;
- isc_stdtime_t now;
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(DNS_ADBADDRINFO_VALID(addr));
- REQUIRE(factor <= 10);
-
- bucket = addr->entry->lock_bucket;
- LOCK(&adb->entrylocks[bucket]);
-
- if (factor == DNS_ADB_RTTADJAGE)
- new_srtt = addr->entry->srtt * 98 / 100;
- else
- new_srtt = (addr->entry->srtt / 10 * factor)
- + (rtt / 10 * (10 - factor));
-
- addr->entry->srtt = new_srtt;
- addr->srtt = new_srtt;
-
- isc_stdtime_get(&now);
- addr->entry->expires = now + ADB_ENTRY_WINDOW;
-
- UNLOCK(&adb->entrylocks[bucket]);
-}
-
-void
-dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
- unsigned int bits, unsigned int mask)
-{
- int bucket;
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(DNS_ADBADDRINFO_VALID(addr));
-
- bucket = addr->entry->lock_bucket;
- LOCK(&adb->entrylocks[bucket]);
-
- addr->entry->flags = (addr->entry->flags & ~mask) | (bits & mask);
- /*
- * Note that we do not update the other bits in addr->flags with
- * the most recent values from addr->entry->flags.
- */
- addr->flags = (addr->flags & ~mask) | (bits & mask);
-
- UNLOCK(&adb->entrylocks[bucket]);
-}
-
-isc_result_t
-dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
- dns_adbaddrinfo_t **addrp, isc_stdtime_t now)
-{
- int bucket;
- dns_adbentry_t *entry;
- dns_adbaddrinfo_t *addr;
- isc_result_t result;
- in_port_t port;
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(addrp != NULL && *addrp == NULL);
-
- UNUSED(now);
-
- result = ISC_R_SUCCESS;
- bucket = DNS_ADB_INVALIDBUCKET;
- entry = find_entry_and_lock(adb, sa, &bucket);
- if (adb->entry_sd[bucket]) {
- result = ISC_R_SHUTTINGDOWN;
- goto unlock;
- }
- if (entry == NULL) {
- /*
- * We don't know anything about this address.
- */
- entry = new_adbentry(adb);
- if (entry == NULL) {
- result = ISC_R_NOMEMORY;
- goto unlock;
- }
- entry->sockaddr = *sa;
- link_entry(adb, bucket, entry);
- DP(ENTER_LEVEL, "findaddrinfo: new entry %p", entry);
- } else
- DP(ENTER_LEVEL, "findaddrinfo: found entry %p", entry);
-
- port = isc_sockaddr_getport(sa);
- addr = new_adbaddrinfo(adb, entry, port);
- if (addr != NULL) {
- inc_entry_refcnt(adb, entry, ISC_FALSE);
- *addrp = addr;
- }
-
- unlock:
- UNLOCK(&adb->entrylocks[bucket]);
-
- return (result);
-}
-
-void
-dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp) {
- dns_adbaddrinfo_t *addr;
- dns_adbentry_t *entry;
- int bucket;
- isc_stdtime_t now;
- isc_boolean_t want_check_exit = ISC_FALSE;
-
- REQUIRE(DNS_ADB_VALID(adb));
- REQUIRE(addrp != NULL);
- addr = *addrp;
- REQUIRE(DNS_ADBADDRINFO_VALID(addr));
- entry = addr->entry;
- REQUIRE(DNS_ADBENTRY_VALID(entry));
-
- isc_stdtime_get(&now);
-
- *addrp = NULL;
-
- bucket = addr->entry->lock_bucket;
- LOCK(&adb->entrylocks[bucket]);
-
- entry->expires = now + ADB_ENTRY_WINDOW;
-
- want_check_exit = dec_entry_refcnt(adb, entry, ISC_FALSE);
-
- UNLOCK(&adb->entrylocks[bucket]);
-
- addr->entry = NULL;
- free_adbaddrinfo(adb, &addr);
-
- if (want_check_exit) {
- LOCK(&adb->lock);
- check_exit(adb);
- UNLOCK(&adb->lock);
- }
-}
-
-void
-dns_adb_flush(dns_adb_t *adb) {
- unsigned int i;
-
- INSIST(DNS_ADB_VALID(adb));
-
- LOCK(&adb->lock);
-
- /*
- * Call our cleanup routines.
- */
- for (i = 0; i < NBUCKETS; i++)
- RUNTIME_CHECK(cleanup_names(adb, i, INT_MAX) == ISC_FALSE);
- for (i = 0; i < NBUCKETS; i++)
- RUNTIME_CHECK(cleanup_entries(adb, i, INT_MAX) == ISC_FALSE);
-
-#ifdef DUMP_ADB_AFTER_CLEANING
- dump_adb(adb, stdout, ISC_TRUE, INT_MAX);
-#endif
-
- UNLOCK(&adb->lock);
-}
-
-void
-dns_adb_flushname(dns_adb_t *adb, dns_name_t *name) {
- dns_adbname_t *adbname;
- dns_adbname_t *nextname;
- int bucket;
-
- INSIST(DNS_ADB_VALID(adb));
-
- LOCK(&adb->lock);
- bucket = dns_name_hash(name, ISC_FALSE) % NBUCKETS;
- LOCK(&adb->namelocks[bucket]);
- adbname = ISC_LIST_HEAD(adb->names[bucket]);
- while (adbname != NULL) {
- nextname = ISC_LIST_NEXT(adbname, plink);
- if (!NAME_DEAD(adbname) &&
- dns_name_equal(name, &adbname->name)) {
- RUNTIME_CHECK(kill_name(&adbname,
- DNS_EVENT_ADBCANCELED) ==
- ISC_FALSE);
- }
- adbname = nextname;
- }
- UNLOCK(&adb->namelocks[bucket]);
- UNLOCK(&adb->lock);
-}
-
-static void
-water(void *arg, int mark) {
- dns_adb_t *adb = arg;
- isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
- isc_interval_t interval;
-
- REQUIRE(DNS_ADB_VALID(adb));
-
- DP(ISC_LOG_DEBUG(1),
- "adb reached %s water mark", overmem ? "high" : "low");
-
- adb->overmem = overmem;
- if (overmem) {
- isc_interval_set(&interval, 0, 1);
- (void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
- &interval, ISC_TRUE);
- }
-}
-
-void
-dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size) {
- isc_uint32_t hiwater;
- isc_uint32_t lowater;
-
- INSIST(DNS_ADB_VALID(adb));
-
- if (size != 0 && size < DNS_ADB_MINADBSIZE)
- size = DNS_ADB_MINADBSIZE;
-
- hiwater = size - (size >> 3); /* Approximately 7/8ths. */
- lowater = size - (size >> 2); /* Approximately 3/4ths. */
-
- if (size == 0 || hiwater == 0 || lowater == 0)
- isc_mem_setwater(adb->mctx, water, adb, 0, 0);
- else
- isc_mem_setwater(adb->mctx, water, adb, hiwater, lowater);
-}
diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api
deleted file mode 100644
index 7df81573fd7f..000000000000
--- a/contrib/bind9/lib/dns/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 21
-LIBREVISION = 1
-LIBAGE = 0
diff --git a/contrib/bind9/lib/dns/byaddr.c b/contrib/bind9/lib/dns/byaddr.c
deleted file mode 100644
index ace4fb0a7a2d..000000000000
--- a/contrib/bind9/lib/dns/byaddr.c
+++ /dev/null
@@ -1,314 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: byaddr.c,v 1.29.2.1.2.8 2004/08/28 06:25:18 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/byaddr.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/lookup.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-/*
- * XXXRTH We could use a static event...
- */
-
-struct dns_byaddr {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_mutex_t lock;
- dns_fixedname_t name;
- /* Locked by lock. */
- unsigned int options;
- dns_lookup_t * lookup;
- isc_task_t * task;
- dns_byaddrevent_t * event;
- isc_boolean_t canceled;
-};
-
-#define BYADDR_MAGIC ISC_MAGIC('B', 'y', 'A', 'd')
-#define VALID_BYADDR(b) ISC_MAGIC_VALID(b, BYADDR_MAGIC)
-
-#define MAX_RESTARTS 16
-
-static char hex_digits[] = {
- '0', '1', '2', '3', '4', '5', '6', '7',
- '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
-};
-
-isc_result_t
-dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
- dns_name_t *name)
-{
- /*
- * We dropped bitstring labels, so all lookups will use nibbles.
- */
- UNUSED(nibble);
-
- return (dns_byaddr_createptrname2(address,
- DNS_BYADDROPT_IPV6INT, name));
-}
-
-isc_result_t
-dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
- dns_name_t *name)
-{
- char textname[128];
- unsigned char *bytes;
- int i;
- char *cp;
- isc_buffer_t buffer;
- unsigned int len;
-
- REQUIRE(address != NULL);
-
- /*
- * We create the text representation and then convert to a
- * dns_name_t. This is not maximally efficient, but it keeps all
- * of the knowledge of wire format in the dns_name_ routines.
- */
-
- bytes = (unsigned char *)(&address->type);
- if (address->family == AF_INET) {
- (void)snprintf(textname, sizeof(textname),
- "%u.%u.%u.%u.in-addr.arpa.",
- (bytes[3] & 0xff),
- (bytes[2] & 0xff),
- (bytes[1] & 0xff),
- (bytes[0] & 0xff));
- } else if (address->family == AF_INET6) {
- cp = textname;
- for (i = 15; i >= 0; i--) {
- *cp++ = hex_digits[bytes[i] & 0x0f];
- *cp++ = '.';
- *cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
- *cp++ = '.';
- }
- if ((options & DNS_BYADDROPT_IPV6INT) != 0)
- strcpy(cp, "ip6.int.");
- else
- strcpy(cp, "ip6.arpa.");
- } else
- return (ISC_R_NOTIMPLEMENTED);
-
- len = (unsigned int)strlen(textname);
- isc_buffer_init(&buffer, textname, len);
- isc_buffer_add(&buffer, len);
- return (dns_name_fromtext(name, &buffer, dns_rootname,
- ISC_FALSE, NULL));
-}
-
-static inline isc_result_t
-copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
- isc_result_t result;
- dns_name_t *name;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- /*
- * The caller must be holding the byaddr's lock.
- */
-
- result = dns_rdataset_first(rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdata_ptr_t ptr;
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &ptr, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- name = isc_mem_get(byaddr->mctx, sizeof(*name));
- if (name == NULL) {
- dns_rdata_freestruct(&ptr);
- return (ISC_R_NOMEMORY);
- }
- dns_name_init(name, NULL);
- result = dns_name_dup(&ptr.ptr, byaddr->mctx, name);
- dns_rdata_freestruct(&ptr);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(byaddr->mctx, name, sizeof(*name));
- return (ISC_R_NOMEMORY);
- }
- ISC_LIST_APPEND(byaddr->event->names, name, link);
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(rdataset);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- return (result);
-}
-
-static void
-lookup_done(isc_task_t *task, isc_event_t *event) {
- dns_byaddr_t *byaddr = event->ev_arg;
- dns_lookupevent_t *levent;
- isc_result_t result;
-
- REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
- REQUIRE(VALID_BYADDR(byaddr));
- REQUIRE(byaddr->task == task);
-
- UNUSED(task);
-
- levent = (dns_lookupevent_t *)event;
-
- if (levent->result == ISC_R_SUCCESS) {
- result = copy_ptr_targets(byaddr, levent->rdataset);
- byaddr->event->result = result;
- } else
- byaddr->event->result = levent->result;
- isc_event_free(&event);
- isc_task_sendanddetach(&byaddr->task, (isc_event_t **)&byaddr->event);
-}
-
-static void
-bevent_destroy(isc_event_t *event) {
- dns_byaddrevent_t *bevent;
- dns_name_t *name, *next_name;
- isc_mem_t *mctx;
-
- REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
- mctx = event->ev_destroy_arg;
- bevent = (dns_byaddrevent_t *)event;
-
- for (name = ISC_LIST_HEAD(bevent->names);
- name != NULL;
- name = next_name) {
- next_name = ISC_LIST_NEXT(name, link);
- ISC_LIST_UNLINK(bevent->names, name, link);
- dns_name_free(name, mctx);
- isc_mem_put(mctx, name, sizeof(*name));
- }
- isc_mem_put(mctx, event, event->ev_size);
-}
-
-isc_result_t
-dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
- unsigned int options, isc_task_t *task,
- isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp)
-{
- isc_result_t result;
- dns_byaddr_t *byaddr;
- isc_event_t *ievent;
-
- byaddr = isc_mem_get(mctx, sizeof(*byaddr));
- if (byaddr == NULL)
- return (ISC_R_NOMEMORY);
- byaddr->mctx = mctx;
- byaddr->options = options;
-
- byaddr->event = isc_mem_get(mctx, sizeof(*byaddr->event));
- if (byaddr->event == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_byaddr;
- }
- ISC_EVENT_INIT(byaddr->event, sizeof(*byaddr->event), 0, NULL,
- DNS_EVENT_BYADDRDONE, action, arg, byaddr,
- bevent_destroy, mctx);
- byaddr->event->result = ISC_R_FAILURE;
- ISC_LIST_INIT(byaddr->event->names);
-
- byaddr->task = NULL;
- isc_task_attach(task, &byaddr->task);
-
- result = isc_mutex_init(&byaddr->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_event;
-
- dns_fixedname_init(&byaddr->name);
-
- result = dns_byaddr_createptrname2(address, options,
- dns_fixedname_name(&byaddr->name));
- if (result != ISC_R_SUCCESS)
- goto cleanup_lock;
-
- byaddr->lookup = NULL;
- result = dns_lookup_create(mctx, dns_fixedname_name(&byaddr->name),
- dns_rdatatype_ptr, view, 0, task,
- lookup_done, byaddr, &byaddr->lookup);
- if (result != ISC_R_SUCCESS)
- goto cleanup_lock;
-
- byaddr->canceled = ISC_FALSE;
- byaddr->magic = BYADDR_MAGIC;
-
- *byaddrp = byaddr;
-
- return (ISC_R_SUCCESS);
-
- cleanup_lock:
- DESTROYLOCK(&byaddr->lock);
-
- cleanup_event:
- ievent = (isc_event_t *)byaddr->event;
- isc_event_free(&ievent);
- byaddr->event = NULL;
-
- isc_task_detach(&byaddr->task);
-
- cleanup_byaddr:
- isc_mem_put(mctx, byaddr, sizeof(*byaddr));
-
- return (result);
-}
-
-void
-dns_byaddr_cancel(dns_byaddr_t *byaddr) {
- REQUIRE(VALID_BYADDR(byaddr));
-
- LOCK(&byaddr->lock);
-
- if (!byaddr->canceled) {
- byaddr->canceled = ISC_TRUE;
- if (byaddr->lookup != NULL)
- dns_lookup_cancel(byaddr->lookup);
- }
-
- UNLOCK(&byaddr->lock);
-}
-
-void
-dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
- dns_byaddr_t *byaddr;
-
- REQUIRE(byaddrp != NULL);
- byaddr = *byaddrp;
- REQUIRE(VALID_BYADDR(byaddr));
- REQUIRE(byaddr->event == NULL);
- REQUIRE(byaddr->task == NULL);
- dns_lookup_destroy(&byaddr->lookup);
-
- DESTROYLOCK(&byaddr->lock);
- byaddr->magic = 0;
- isc_mem_put(byaddr->mctx, byaddr, sizeof(*byaddr));
-
- *byaddrp = NULL;
-}
diff --git a/contrib/bind9/lib/dns/cache.c b/contrib/bind9/lib/dns/cache.c
deleted file mode 100644
index 0e17a957d17a..000000000000
--- a/contrib/bind9/lib/dns/cache.c
+++ /dev/null
@@ -1,1041 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cache.c,v 1.45.2.4.8.9 2005/03/17 03:58:30 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-
-#define CACHE_MAGIC ISC_MAGIC('$', '$', '$', '$')
-#define VALID_CACHE(cache) ISC_MAGIC_VALID(cache, CACHE_MAGIC)
-
-/*
- * The following two variables control incremental cleaning.
- * MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
- * CLEANERINCREMENT is how many nodes are examined in one pass.
- */
-#define DNS_CACHE_MINSIZE 2097152 /* Bytes. 2097152 = 2 MB */
-#define DNS_CACHE_CLEANERINCREMENT 1000 /* Number of nodes. */
-
-/***
- *** Types
- ***/
-
-/*
- * A cache_cleaner_t encapsulsates the state of the periodic
- * cache cleaning.
- */
-
-typedef struct cache_cleaner cache_cleaner_t;
-
-typedef enum {
- cleaner_s_idle, /* Waiting for cleaning-interval to expire. */
- cleaner_s_busy, /* Currently cleaning. */
- cleaner_s_done /* Freed enough memory after being overmem. */
-} cleaner_state_t;
-
-/*
- * Convenience macros for comprehensive assertion checking.
- */
-#define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
- (c)->iterator == NULL && \
- (c)->resched_event != NULL)
-#define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
- (c)->iterator != NULL && \
- (c)->resched_event == NULL)
-
-/*
- * Accesses to a cache cleaner object are synchronized through
- * task/event serialization, or locked from the cache object.
- */
-struct cache_cleaner {
- isc_mutex_t lock;
- /*
- * Locks overmem_event, overmem. Note: never allocate memory
- * while holding this lock - that could lead to deadlock since
- * the lock is take by water() which is called from the memory
- * allocator.
- */
-
- dns_cache_t *cache;
- isc_task_t *task;
- unsigned int cleaning_interval; /* The cleaning-interval from
- named.conf, in seconds. */
- isc_timer_t *cleaning_timer;
- isc_event_t *resched_event; /* Sent by cleaner task to
- itself to reschedule */
- isc_event_t *overmem_event;
-
- dns_dbiterator_t *iterator;
- int increment; /* Number of names to
- clean in one increment */
- cleaner_state_t state; /* Idle/Busy. */
- isc_boolean_t overmem; /* The cache is in an overmem state. */
-};
-
-/*
- * The actual cache object.
- */
-
-struct dns_cache {
- /* Unlocked. */
- unsigned int magic;
- isc_mutex_t lock;
- isc_mutex_t filelock;
- isc_mem_t *mctx;
-
- /* Locked by 'lock'. */
- int references;
- int live_tasks;
- dns_rdataclass_t rdclass;
- dns_db_t *db;
- cache_cleaner_t cleaner;
- char *db_type;
- int db_argc;
- char **db_argv;
-
- /* Locked by 'filelock'. */
- char * filename;
- /* Access to the on-disk cache file is also locked by 'filelock'. */
-};
-
-/***
- *** Functions
- ***/
-
-static isc_result_t
-cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, cache_cleaner_t *cleaner);
-
-static void
-cleaning_timer_action(isc_task_t *task, isc_event_t *event);
-
-static void
-incremental_cleaning_action(isc_task_t *task, isc_event_t *event);
-
-static void
-cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
-
-static void
-overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
-
-static inline isc_result_t
-cache_create_db(dns_cache_t *cache, dns_db_t **db) {
- return (dns_db_create(cache->mctx, cache->db_type, dns_rootname,
- dns_dbtype_cache, cache->rdclass,
- cache->db_argc, cache->db_argv, db));
-}
-
-isc_result_t
-dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
- const char *db_type, unsigned int db_argc, char **db_argv,
- dns_cache_t **cachep)
-{
- isc_result_t result;
- dns_cache_t *cache;
- int i;
-
- REQUIRE(cachep != NULL);
- REQUIRE(*cachep == NULL);
- REQUIRE(mctx != NULL);
-
- cache = isc_mem_get(mctx, sizeof(*cache));
- if (cache == NULL)
- return (ISC_R_NOMEMORY);
-
- cache->mctx = NULL;
- isc_mem_attach(mctx, &cache->mctx);
-
- result = isc_mutex_init(&cache->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- dns_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_mem;
- }
-
- result = isc_mutex_init(&cache->filelock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- dns_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_lock;
- }
-
- cache->references = 1;
- cache->live_tasks = 0;
- cache->rdclass = rdclass;
-
- cache->db_type = isc_mem_strdup(mctx, db_type);
- if (cache->db_type == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_filelock;
- }
-
- cache->db_argc = db_argc;
- if (cache->db_argc == 0)
- cache->db_argv = NULL;
- else {
- cache->db_argv = isc_mem_get(mctx,
- cache->db_argc * sizeof(char *));
- if (cache->db_argv == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_dbtype;
- }
- for (i = 0; i < cache->db_argc; i++)
- cache->db_argv[i] = NULL;
- for (i = 0; i < cache->db_argc; i++) {
- cache->db_argv[i] = isc_mem_strdup(mctx, db_argv[i]);
- if (cache->db_argv[i] == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_dbargv;
- }
- }
- }
-
- cache->db = NULL;
- result = cache_create_db(cache, &cache->db);
- if (result != ISC_R_SUCCESS)
- goto cleanup_dbargv;
-
- cache->filename = NULL;
-
- cache->magic = CACHE_MAGIC;
-
- result = cache_cleaner_init(cache, taskmgr, timermgr, &cache->cleaner);
- if (result != ISC_R_SUCCESS)
- goto cleanup_db;
-
- *cachep = cache;
- return (ISC_R_SUCCESS);
-
- cleanup_db:
- dns_db_detach(&cache->db);
- cleanup_dbargv:
- for (i = 0; i < cache->db_argc; i++)
- if (cache->db_argv[i] != NULL)
- isc_mem_free(mctx, cache->db_argv[i]);
- if (cache->db_argv != NULL)
- isc_mem_put(mctx, cache->db_argv,
- cache->db_argc * sizeof(char *));
- cleanup_dbtype:
- isc_mem_free(mctx, cache->db_type);
- cleanup_filelock:
- DESTROYLOCK(&cache->filelock);
- cleanup_lock:
- DESTROYLOCK(&cache->lock);
- cleanup_mem:
- isc_mem_put(mctx, cache, sizeof(*cache));
- isc_mem_detach(&mctx);
- return (result);
-}
-
-static void
-cache_free(dns_cache_t *cache) {
- isc_mem_t *mctx;
- int i;
-
- REQUIRE(VALID_CACHE(cache));
- REQUIRE(cache->references == 0);
-
- isc_mem_setwater(cache->mctx, NULL, NULL, 0, 0);
-
- if (cache->cleaner.task != NULL)
- isc_task_detach(&cache->cleaner.task);
-
- if (cache->cleaner.overmem_event != NULL)
- isc_event_free(&cache->cleaner.overmem_event);
-
- if (cache->cleaner.resched_event != NULL)
- isc_event_free(&cache->cleaner.resched_event);
-
- if (cache->cleaner.iterator != NULL)
- dns_dbiterator_destroy(&cache->cleaner.iterator);
-
- DESTROYLOCK(&cache->cleaner.lock);
-
- if (cache->filename) {
- isc_mem_free(cache->mctx, cache->filename);
- cache->filename = NULL;
- }
-
- if (cache->db != NULL)
- dns_db_detach(&cache->db);
-
- if (cache->db_argv != NULL) {
- for (i = 0; i < cache->db_argc; i++)
- if (cache->db_argv[i] != NULL)
- isc_mem_free(cache->mctx, cache->db_argv[i]);
- isc_mem_put(cache->mctx, cache->db_argv,
- cache->db_argc * sizeof(char *));
- }
-
- if (cache->db_type != NULL)
- isc_mem_free(cache->mctx, cache->db_type);
-
- DESTROYLOCK(&cache->lock);
- DESTROYLOCK(&cache->filelock);
- cache->magic = 0;
- mctx = cache->mctx;
- isc_mem_put(cache->mctx, cache, sizeof(*cache));
- isc_mem_detach(&mctx);
-}
-
-
-void
-dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp) {
-
- REQUIRE(VALID_CACHE(cache));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- LOCK(&cache->lock);
- cache->references++;
- UNLOCK(&cache->lock);
-
- *targetp = cache;
-}
-
-void
-dns_cache_detach(dns_cache_t **cachep) {
- dns_cache_t *cache;
- isc_boolean_t free_cache = ISC_FALSE;
-
- REQUIRE(cachep != NULL);
- cache = *cachep;
- REQUIRE(VALID_CACHE(cache));
-
- LOCK(&cache->lock);
- REQUIRE(cache->references > 0);
- cache->references--;
- if (cache->references == 0) {
- cache->cleaner.overmem = ISC_FALSE;
- free_cache = ISC_TRUE;
- }
-
- *cachep = NULL;
-
- if (free_cache) {
- /*
- * When the cache is shut down, dump it to a file if one is
- * specified.
- */
- isc_result_t result = dns_cache_dump(cache);
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
- "error dumping cache: %s ",
- isc_result_totext(result));
-
- /*
- * If the cleaner task exists, let it free the cache.
- */
- if (cache->live_tasks > 0) {
- isc_task_shutdown(cache->cleaner.task);
- free_cache = ISC_FALSE;
- }
- }
-
- UNLOCK(&cache->lock);
-
- if (free_cache)
- cache_free(cache);
-}
-
-void
-dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
- REQUIRE(VALID_CACHE(cache));
- REQUIRE(dbp != NULL && *dbp == NULL);
- REQUIRE(cache->db != NULL);
-
- LOCK(&cache->lock);
- dns_db_attach(cache->db, dbp);
- UNLOCK(&cache->lock);
-
-}
-
-isc_result_t
-dns_cache_setfilename(dns_cache_t *cache, char *filename) {
- char *newname;
-
- REQUIRE(VALID_CACHE(cache));
- REQUIRE(filename != NULL);
-
- newname = isc_mem_strdup(cache->mctx, filename);
- if (newname == NULL)
- return (ISC_R_NOMEMORY);
-
- LOCK(&cache->filelock);
- if (cache->filename)
- isc_mem_free(cache->mctx, cache->filename);
- cache->filename = newname;
- UNLOCK(&cache->filelock);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_cache_load(dns_cache_t *cache) {
- isc_result_t result;
-
- REQUIRE(VALID_CACHE(cache));
-
- if (cache->filename == NULL)
- return (ISC_R_SUCCESS);
-
- LOCK(&cache->filelock);
- result = dns_db_load(cache->db, cache->filename);
- UNLOCK(&cache->filelock);
-
- return (result);
-}
-
-isc_result_t
-dns_cache_dump(dns_cache_t *cache) {
- isc_result_t result;
-
- REQUIRE(VALID_CACHE(cache));
-
- if (cache->filename == NULL)
- return (ISC_R_SUCCESS);
-
- LOCK(&cache->filelock);
- result = dns_master_dump(cache->mctx, cache->db, NULL,
- &dns_master_style_cache, cache->filename);
- UNLOCK(&cache->filelock);
-
- return (result);
-}
-
-void
-dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
- isc_interval_t interval;
- isc_result_t result;
-
- LOCK(&cache->lock);
-
- /*
- * It may be the case that the cache has already shut down.
- * If so, it has no timer.
- */
- if (cache->cleaner.cleaning_timer == NULL)
- goto unlock;
-
- cache->cleaner.cleaning_interval = t;
-
- if (t == 0) {
- result = isc_timer_reset(cache->cleaner.cleaning_timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
- } else {
- isc_interval_set(&interval, cache->cleaner.cleaning_interval,
- 0);
- result = isc_timer_reset(cache->cleaner.cleaning_timer,
- isc_timertype_ticker,
- NULL, &interval, ISC_FALSE);
- }
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
- "could not set cache cleaning interval: %s",
- isc_result_totext(result));
-
- unlock:
- UNLOCK(&cache->lock);
-}
-
-/*
- * Initialize the cache cleaner object at *cleaner.
- * Space for the object must be allocated by the caller.
- */
-
-static isc_result_t
-cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, cache_cleaner_t *cleaner)
-{
- isc_result_t result;
-
- result = isc_mutex_init(&cleaner->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- dns_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto fail;
- }
-
- cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
- cleaner->state = cleaner_s_idle;
- cleaner->cache = cache;
- cleaner->iterator = NULL;
- cleaner->overmem = ISC_FALSE;
-
- cleaner->task = NULL;
- cleaner->cleaning_timer = NULL;
- cleaner->resched_event = NULL;
- cleaner->overmem_event = NULL;
-
- if (taskmgr != NULL && timermgr != NULL) {
- result = isc_task_create(taskmgr, 1, &cleaner->task);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_task_create() failed: %s",
- dns_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
- cleaner->cache->live_tasks++;
- isc_task_setname(cleaner->task, "cachecleaner", cleaner);
-
- result = isc_task_onshutdown(cleaner->task,
- cleaner_shutdown_action, cache);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "cache cleaner: "
- "isc_task_onshutdown() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
-
- cleaner->cleaning_interval = 0; /* Initially turned off. */
- result = isc_timer_create(timermgr, isc_timertype_inactive,
- NULL, NULL,
- cleaner->task,
- cleaning_timer_action, cleaner,
- &cleaner->cleaning_timer);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_timer_create() failed: %s",
- dns_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
-
- cleaner->resched_event =
- isc_event_allocate(cache->mctx, cleaner,
- DNS_EVENT_CACHECLEAN,
- incremental_cleaning_action,
- cleaner, sizeof(isc_event_t));
- if (cleaner->resched_event == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
-
- cleaner->overmem_event =
- isc_event_allocate(cache->mctx, cleaner,
- DNS_EVENT_CACHEOVERMEM,
- overmem_cleaning_action,
- cleaner, sizeof(isc_event_t));
- if (cleaner->overmem_event == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- }
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (cleaner->overmem_event != NULL)
- isc_event_free(&cleaner->overmem_event);
- if (cleaner->resched_event != NULL)
- isc_event_free(&cleaner->resched_event);
- if (cleaner->cleaning_timer != NULL)
- isc_timer_detach(&cleaner->cleaning_timer);
- if (cleaner->task != NULL)
- isc_task_detach(&cleaner->task);
- DESTROYLOCK(&cleaner->lock);
- fail:
- return (result);
-}
-
-static void
-begin_cleaning(cache_cleaner_t *cleaner) {
- isc_result_t result;
-
- REQUIRE(CLEANER_IDLE(cleaner));
-
- /*
- * Create an iterator and position it at the beginning of the cache.
- */
- result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
- &cleaner->iterator);
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
- "cache cleaner could not create "
- "iterator: %s", isc_result_totext(result));
- else {
- dns_dbiterator_setcleanmode(cleaner->iterator, ISC_TRUE);
- result = dns_dbiterator_first(cleaner->iterator);
- }
-
- if (result != ISC_R_SUCCESS) {
- /*
- * If the result is ISC_R_NOMORE, the database is empty,
- * so there is nothing to be cleaned.
- */
- if (result != ISC_R_NOMORE)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "cache cleaner: "
- "dns_dbiterator_first() failed: %s",
- dns_result_totext(result));
-
- if (cleaner->iterator != NULL)
- dns_dbiterator_destroy(&cleaner->iterator);
- } else {
- /*
- * Pause the iterator to free its lock.
- */
- result = dns_dbiterator_pause(cleaner->iterator);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "begin cache cleaning, mem inuse %lu",
- (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
- cleaner->state = cleaner_s_busy;
- isc_task_send(cleaner->task, &cleaner->resched_event);
- }
-
- return;
-}
-
-static void
-end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
- REQUIRE(CLEANER_BUSY(cleaner));
- REQUIRE(event != NULL);
-
- dns_dbiterator_destroy(&cleaner->iterator);
-
- dns_cache_setcleaninginterval(cleaner->cache,
- cleaner->cleaning_interval);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
- ISC_LOG_DEBUG(1), "end cache cleaning, mem inuse %lu",
- (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
-
- cleaner->state = cleaner_s_idle;
- cleaner->resched_event = event;
-}
-
-/*
- * This is run once for every cache-cleaning-interval as defined in named.conf.
- */
-static void
-cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
- cache_cleaner_t *cleaner = event->ev_arg;
-
- UNUSED(task);
-
- INSIST(task == cleaner->task);
- INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
- ISC_LOG_DEBUG(1), "cache cleaning timer fired, "
- "cleaner state = %d", cleaner->state);
-
- if (cleaner->state == cleaner_s_idle)
- begin_cleaning(cleaner);
-
- isc_event_free(&event);
-}
-
-/*
- * This is called when the cache either surpasses its upper limit
- * or shrinks beyond its lower limit.
- */
-static void
-overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
- cache_cleaner_t *cleaner = event->ev_arg;
- isc_boolean_t want_cleaning = ISC_FALSE;
-
- UNUSED(task);
-
- INSIST(task == cleaner->task);
- INSIST(event->ev_type == DNS_EVENT_CACHEOVERMEM);
- INSIST(cleaner->overmem_event == NULL);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
- ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
- "overmem = %d, state = %d", cleaner->overmem,
- cleaner->state);
-
- LOCK(&cleaner->lock);
-
- if (cleaner->overmem) {
- if (cleaner->state == cleaner_s_idle)
- want_cleaning = ISC_TRUE;
- } else {
- if (cleaner->state == cleaner_s_busy)
- /*
- * end_cleaning() can't be called here because
- * then both cleaner->overmem_event and
- * cleaner->resched_event will point to this
- * event. Set the state to done, and then
- * when the incremental_cleaning_action() event
- * is posted, it will handle the end_cleaning.
- */
- cleaner->state = cleaner_s_done;
- }
-
- cleaner->overmem_event = event;
-
- UNLOCK(&cleaner->lock);
-
- if (want_cleaning)
- begin_cleaning(cleaner);
-}
-
-/*
- * Do incremental cleaning.
- */
-static void
-incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
- cache_cleaner_t *cleaner = event->ev_arg;
- isc_result_t result;
- int n_names;
-
- UNUSED(task);
-
- INSIST(task == cleaner->task);
- INSIST(event->ev_type == DNS_EVENT_CACHECLEAN);
-
- if (cleaner->state == cleaner_s_done) {
- cleaner->state = cleaner_s_busy;
- end_cleaning(cleaner, event);
- return;
- }
-
- INSIST(CLEANER_BUSY(cleaner));
-
- n_names = cleaner->increment;
-
- REQUIRE(DNS_DBITERATOR_VALID(cleaner->iterator));
-
- while (n_names-- > 0) {
- dns_dbnode_t *node = NULL;
-
- result = dns_dbiterator_current(cleaner->iterator, &node,
- NULL);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "cache cleaner: dns_dbiterator_current() "
- "failed: %s", dns_result_totext(result));
-
- end_cleaning(cleaner, event);
- return;
- }
-
- /*
- * The node was not needed, but was required by
- * dns_dbiterator_current(). Give up its reference.
- */
- dns_db_detachnode(cleaner->cache->db, &node);
-
- /*
- * Step to the next node.
- */
- result = dns_dbiterator_next(cleaner->iterator);
-
- if (result != ISC_R_SUCCESS) {
- /*
- * Either the end was reached (ISC_R_NOMORE) or
- * some error was signaled. If the cache is still
- * overmem and no error was encountered,
- * keep trying to clean it, otherwise stop cleanng.
- */
- if (result != ISC_R_NOMORE)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "cache cleaner: "
- "dns_dbiterator_next() "
- "failed: %s",
- dns_result_totext(result));
- else if (cleaner->overmem) {
- result = dns_dbiterator_first(cleaner->
- iterator);
- if (result == ISC_R_SUCCESS) {
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE,
- ISC_LOG_DEBUG(1),
- "cache cleaner: "
- "still overmem, "
- "reset and try again");
- continue;
- }
- }
-
- end_cleaning(cleaner, event);
- return;
- }
- }
-
- /*
- * We have successfully performed a cleaning increment but have
- * not gone through the entire cache. Free the iterator locks
- * and reschedule another batch. If it fails, just try to continue
- * anyway.
- */
- result = dns_dbiterator_pause(cleaner->iterator);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
- ISC_LOG_DEBUG(1), "cache cleaner: checked %d nodes, "
- "mem inuse %lu, sleeping", cleaner->increment,
- (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
-
- isc_task_send(task, &event);
- INSIST(CLEANER_BUSY(cleaner));
- return;
-}
-
-/*
- * Do immediate cleaning.
- */
-isc_result_t
-dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
- isc_result_t result;
- dns_dbiterator_t *iterator = NULL;
-
- REQUIRE(VALID_CACHE(cache));
-
- result = dns_db_createiterator(cache->db, ISC_FALSE, &iterator);
- if (result != ISC_R_SUCCESS)
- return result;
-
- result = dns_dbiterator_first(iterator);
-
- while (result == ISC_R_SUCCESS) {
- dns_dbnode_t *node = NULL;
- result = dns_dbiterator_current(iterator, &node,
- (dns_name_t *)NULL);
- if (result != ISC_R_SUCCESS)
- break;
-
- /*
- * Check TTLs, mark expired rdatasets stale.
- */
- result = dns_db_expirenode(cache->db, node, now);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "cache cleaner: dns_db_expirenode() "
- "failed: %s",
- dns_result_totext(result));
- /*
- * Continue anyway.
- */
- }
-
- /*
- * This is where the actual freeing takes place.
- */
- dns_db_detachnode(cache->db, &node);
-
- result = dns_dbiterator_next(iterator);
- }
-
- dns_dbiterator_destroy(&iterator);
-
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- return (result);
-}
-
-static void
-water(void *arg, int mark) {
- dns_cache_t *cache = arg;
- isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
-
- REQUIRE(VALID_CACHE(cache));
-
- LOCK(&cache->cleaner.lock);
-
- dns_db_overmem(cache->db, overmem);
- cache->cleaner.overmem = overmem;
-
- if (cache->cleaner.overmem_event != NULL)
- isc_task_send(cache->cleaner.task,
- &cache->cleaner.overmem_event);
-
- UNLOCK(&cache->cleaner.lock);
-}
-
-void
-dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
- isc_uint32_t lowater;
- isc_uint32_t hiwater;
-
- REQUIRE(VALID_CACHE(cache));
-
- /*
- * Impose a minumum cache size; pathological things happen if there
- * is too little room.
- */
- if (size != 0 && size < DNS_CACHE_MINSIZE)
- size = DNS_CACHE_MINSIZE;
-
- hiwater = size - (size >> 3); /* Approximately 7/8ths. */
- lowater = size - (size >> 2); /* Approximately 3/4ths. */
-
- /*
- * If the cache was overmem and cleaning, but now with the new limits
- * it is no longer in an overmem condition, then the next
- * isc_mem_put for cache memory will do the right thing and trigger
- * water().
- */
-
- if (size == 0 || hiwater == 0 || lowater == 0)
- /*
- * Disable cache memory limiting.
- */
- isc_mem_setwater(cache->mctx, water, cache, 0, 0);
- else
- /*
- * Establish new cache memory limits (either for the first
- * time, or replacing other limits).
- */
- isc_mem_setwater(cache->mctx, water, cache, hiwater, lowater);
-}
-
-/*
- * The cleaner task is shutting down; do the necessary cleanup.
- */
-static void
-cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
- dns_cache_t *cache = event->ev_arg;
- isc_boolean_t should_free = ISC_FALSE;
-
- UNUSED(task);
-
- INSIST(task == cache->cleaner.task);
- INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
-
- if (CLEANER_BUSY(&cache->cleaner))
- end_cleaning(&cache->cleaner, event);
- else
- isc_event_free(&event);
-
- LOCK(&cache->lock);
-
- cache->live_tasks--;
- INSIST(cache->live_tasks == 0);
-
- if (cache->references == 0)
- should_free = ISC_TRUE;
-
- /*
- * By detaching the timer in the context of its task,
- * we are guaranteed that there will be no further timer
- * events.
- */
- if (cache->cleaner.cleaning_timer != NULL)
- isc_timer_detach(&cache->cleaner.cleaning_timer);
-
- /* Make sure we don't reschedule anymore. */
- (void)isc_task_purge(task, NULL, DNS_EVENT_CACHECLEAN, NULL);
-
- UNLOCK(&cache->lock);
-
- if (should_free)
- cache_free(cache);
-}
-
-isc_result_t
-dns_cache_flush(dns_cache_t *cache) {
- dns_db_t *db = NULL;
- isc_result_t result;
-
- result = cache_create_db(cache, &db);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_db_detach(&cache->db);
- cache->db = db;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_cache_flushname(dns_cache_t *cache, dns_name_t *name) {
- isc_result_t result;
- dns_rdatasetiter_t *iter = NULL;
- dns_dbnode_t *node = NULL;
- dns_db_t *db = NULL;
-
- LOCK(&cache->lock);
- if (cache->db != NULL)
- dns_db_attach(cache->db, &db);
- UNLOCK(&cache->lock);
- if (db == NULL)
- return (ISC_R_SUCCESS);
- result = dns_db_findnode(cache->db, name, ISC_FALSE, &node);
- if (result == ISC_R_NOTFOUND) {
- result = ISC_R_SUCCESS;
- goto cleanup_db;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup_db;
-
- result = dns_db_allrdatasets(cache->db, node, NULL,
- (isc_stdtime_t)0, &iter);
- if (result != ISC_R_SUCCESS)
- goto cleanup_node;
-
- for (result = dns_rdatasetiter_first(iter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(iter))
- {
- dns_rdataset_t rdataset;
- dns_rdataset_init(&rdataset);
-
- dns_rdatasetiter_current(iter, &rdataset);
- result = dns_db_deleterdataset(cache->db, node, NULL,
- rdataset.type, rdataset.covers);
- dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
- break;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- dns_rdatasetiter_destroy(&iter);
-
- cleanup_node:
- dns_db_detachnode(cache->db, &node);
-
- cleanup_db:
- dns_db_detach(&db);
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/callbacks.c b/contrib/bind9/lib/dns/callbacks.c
deleted file mode 100644
index 431c7ef4ec79..000000000000
--- a/contrib/bind9/lib/dns/callbacks.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: callbacks.c,v 1.12.206.1 2004/03/06 08:13:36 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/log.h>
-
-static void
-stdio_error_warn_callback(dns_rdatacallbacks_t *, const char *, ...)
- ISC_FORMAT_PRINTF(2, 3);
-
-static void
-isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
- ISC_FORMAT_PRINTF(2, 3);
-
-static void
-isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
- ISC_FORMAT_PRINTF(2, 3);
-
-/*
- * Private
- */
-
-static void
-stdio_error_warn_callback(dns_rdatacallbacks_t *callbacks,
- const char *fmt, ...)
-{
- va_list ap;
-
- UNUSED(callbacks);
-
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
- fprintf(stderr, "\n");
-}
-
-static void
-isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
- va_list ap;
-
- UNUSED(callbacks);
-
- va_start(ap, fmt);
- isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTER, /* XXX */
- ISC_LOG_ERROR, fmt, ap);
- va_end(ap);
-}
-
-static void
-isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
- va_list ap;
-
- UNUSED(callbacks);
-
- va_start(ap, fmt);
-
- isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTER, /* XXX */
- ISC_LOG_WARNING, fmt, ap);
- va_end(ap);
-}
-
-static void
-dns_rdatacallbacks_initcommon(dns_rdatacallbacks_t *callbacks) {
- REQUIRE(callbacks != NULL);
-
- callbacks->add = NULL;
- callbacks->add_private = NULL;
- callbacks->error_private = NULL;
- callbacks->warn_private = NULL;
-}
-
-/*
- * Public.
- */
-
-void
-dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks) {
- dns_rdatacallbacks_initcommon(callbacks);
- callbacks->error = isclog_error_callback;
- callbacks->warn = isclog_warn_callback;
-}
-
-void
-dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks) {
- dns_rdatacallbacks_initcommon(callbacks);
- callbacks->error = stdio_error_warn_callback;
- callbacks->warn = stdio_error_warn_callback;
-}
-
diff --git a/contrib/bind9/lib/dns/compress.c b/contrib/bind9/lib/dns/compress.c
deleted file mode 100644
index e0fe8c276a13..000000000000
--- a/contrib/bind9/lib/dns/compress.c
+++ /dev/null
@@ -1,316 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: compress.c,v 1.50.206.2 2004/03/06 08:13:37 marka Exp $ */
-
-#define DNS_NAME_USEINLINE 1
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/compress.h>
-#include <dns/fixedname.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-#define CCTX_MAGIC ISC_MAGIC('C', 'C', 'T', 'X')
-#define VALID_CCTX(x) ISC_MAGIC_VALID(x, CCTX_MAGIC)
-
-#define DCTX_MAGIC ISC_MAGIC('D', 'C', 'T', 'X')
-#define VALID_DCTX(x) ISC_MAGIC_VALID(x, DCTX_MAGIC)
-
-/***
- *** Compression
- ***/
-
-isc_result_t
-dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx) {
- unsigned int i;
-
- REQUIRE(cctx != NULL);
- REQUIRE(mctx != NULL); /* See: rdataset.c:towiresorted(). */
-
- cctx->allowed = 0;
- cctx->edns = edns;
- for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++)
- cctx->table[i] = NULL;
- cctx->mctx = mctx;
- cctx->count = 0;
- cctx->magic = CCTX_MAGIC;
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_compress_invalidate(dns_compress_t *cctx) {
- dns_compressnode_t *node;
- unsigned int i;
-
- REQUIRE(VALID_CCTX(cctx));
-
- cctx->magic = 0;
- for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
- while (cctx->table[i] != NULL) {
- node = cctx->table[i];
- cctx->table[i] = cctx->table[i]->next;
- if (node->count < DNS_COMPRESS_INITIALNODES)
- continue;
- isc_mem_put(cctx->mctx, node, sizeof(*node));
- }
- }
- cctx->allowed = 0;
- cctx->edns = -1;
-}
-
-void
-dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed) {
- REQUIRE(VALID_CCTX(cctx));
-
- cctx->allowed = allowed;
-}
-
-unsigned int
-dns_compress_getmethods(dns_compress_t *cctx) {
- REQUIRE(VALID_CCTX(cctx));
- return (cctx->allowed);
-}
-
-int
-dns_compress_getedns(dns_compress_t *cctx) {
- REQUIRE(VALID_CCTX(cctx));
- return (cctx->edns);
-}
-
-#define NODENAME(node, name) \
-do { \
- (name)->length = (node)->r.length; \
- (name)->labels = (node)->labels; \
- (name)->ndata = (node)->r.base; \
- (name)->attributes = DNS_NAMEATTR_ABSOLUTE; \
-} while (0)
-
-/*
- * Find the longest match of name in the table.
- * If match is found return ISC_TRUE. prefix, suffix and offset are updated.
- * If no match is found return ISC_FALSE.
- */
-isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
- dns_name_t *prefix, isc_uint16_t *offset)
-{
- dns_name_t tname, nname;
- dns_compressnode_t *node = NULL;
- unsigned int labels, hash, n;
-
- REQUIRE(VALID_CCTX(cctx));
- REQUIRE(dns_name_isabsolute(name) == ISC_TRUE);
- REQUIRE(offset != NULL);
-
- if (cctx->count == 0)
- return (ISC_FALSE);
-
- labels = dns_name_countlabels(name);
- INSIST(labels > 0);
-
- dns_name_init(&tname, NULL);
- dns_name_init(&nname, NULL);
-
- for (n = 0; n < labels - 1; n++) {
- dns_name_getlabelsequence(name, n, labels - n, &tname);
- hash = dns_name_hash(&tname, ISC_FALSE) %
- DNS_COMPRESS_TABLESIZE;
- for (node = cctx->table[hash]; node != NULL; node = node->next)
- {
- NODENAME(node, &nname);
- if (dns_name_equal(&nname, &tname))
- break;
- }
- if (node != NULL)
- break;
- }
-
- /*
- * If node == NULL, we found no match at all.
- */
- if (node == NULL)
- return (ISC_FALSE);
-
- if (n == 0)
- dns_name_reset(prefix);
- else
- dns_name_getlabelsequence(name, 0, n, prefix);
-
- *offset = node->offset;
- return (ISC_TRUE);
-}
-
-static inline unsigned int
-name_length(dns_name_t *name) {
- isc_region_t r;
- dns_name_toregion(name, &r);
- return (r.length);
-}
-
-void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
- isc_uint16_t offset)
-{
- dns_name_t tname;
- unsigned int start;
- unsigned int n;
- unsigned int count;
- unsigned int hash;
- dns_compressnode_t *node;
- unsigned int length;
- unsigned int tlength;
- isc_uint16_t toffset;
-
- REQUIRE(VALID_CCTX(cctx));
- REQUIRE(dns_name_isabsolute(name));
-
- dns_name_init(&tname, NULL);
-
- n = dns_name_countlabels(name);
- count = dns_name_countlabels(prefix);
- if (dns_name_isabsolute(prefix))
- count--;
- start = 0;
- length = name_length(name);
- while (count > 0) {
- if (offset >= 0x4000)
- break;
- dns_name_getlabelsequence(name, start, n, &tname);
- hash = dns_name_hash(&tname, ISC_FALSE) %
- DNS_COMPRESS_TABLESIZE;
- tlength = name_length(&tname);
- toffset = (isc_uint16_t)(offset + (length - tlength));
- /*
- * Create a new node and add it.
- */
- if (cctx->count < DNS_COMPRESS_INITIALNODES)
- node = &cctx->initialnodes[cctx->count];
- else {
- node = isc_mem_get(cctx->mctx,
- sizeof(dns_compressnode_t));
- if (node == NULL)
- return;
- }
- node->count = cctx->count++;
- node->offset = toffset;
- dns_name_toregion(&tname, &node->r);
- node->labels = (isc_uint8_t)dns_name_countlabels(&tname);
- node->next = cctx->table[hash];
- cctx->table[hash] = node;
- start++;
- n--;
- count--;
- }
-}
-
-void
-dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset) {
- unsigned int i;
- dns_compressnode_t *node;
-
- REQUIRE(VALID_CCTX(cctx));
-
- for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
- node = cctx->table[i];
- /*
- * This relies on nodes with greater offsets being
- * closer to the beginning of the list, and the
- * items with the greatest offsets being at the end
- * of the initialnodes[] array.
- */
- while (node != NULL && node->offset >= offset) {
- cctx->table[i] = node->next;
- if (node->count >= DNS_COMPRESS_INITIALNODES)
- isc_mem_put(cctx->mctx, node, sizeof(*node));
- cctx->count--;
- node = cctx->table[i];
- }
- }
-}
-
-/***
- *** Decompression
- ***/
-
-void
-dns_decompress_init(dns_decompress_t *dctx, int edns,
- dns_decompresstype_t type) {
-
- REQUIRE(dctx != NULL);
- REQUIRE(edns >= -1 && edns <= 255);
-
- dctx->allowed = DNS_COMPRESS_NONE;
- dctx->edns = edns;
- dctx->type = type;
- dctx->magic = DCTX_MAGIC;
-}
-
-void
-dns_decompress_invalidate(dns_decompress_t *dctx) {
-
- REQUIRE(VALID_DCTX(dctx));
-
- dctx->magic = 0;
-}
-
-void
-dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed) {
-
- REQUIRE(VALID_DCTX(dctx));
-
- switch (dctx->type) {
- case DNS_DECOMPRESS_ANY:
- dctx->allowed = DNS_COMPRESS_ALL;
- break;
- case DNS_DECOMPRESS_NONE:
- dctx->allowed = DNS_COMPRESS_NONE;
- break;
- case DNS_DECOMPRESS_STRICT:
- dctx->allowed = allowed;
- break;
- }
-}
-
-unsigned int
-dns_decompress_getmethods(dns_decompress_t *dctx) {
-
- REQUIRE(VALID_DCTX(dctx));
-
- return (dctx->allowed);
-}
-
-int
-dns_decompress_edns(dns_decompress_t *dctx) {
-
- REQUIRE(VALID_DCTX(dctx));
-
- return (dctx->edns);
-}
-
-dns_decompresstype_t
-dns_decompress_type(dns_decompress_t *dctx) {
-
- REQUIRE(VALID_DCTX(dctx));
-
- return (dctx->type);
-}
diff --git a/contrib/bind9/lib/dns/db.c b/contrib/bind9/lib/dns/db.c
deleted file mode 100644
index 347ce1e4abbe..000000000000
--- a/contrib/bind9/lib/dns/db.c
+++ /dev/null
@@ -1,793 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: db.c,v 1.69.2.1.10.4 2004/03/08 02:07:52 marka Exp $ */
-
-/***
- *** Imports
- ***/
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/rwlock.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-
-/***
- *** Private Types
- ***/
-
-struct dns_dbimplementation {
- const char * name;
- dns_dbcreatefunc_t create;
- isc_mem_t * mctx;
- void * driverarg;
- ISC_LINK(dns_dbimplementation_t) link;
-};
-
-/***
- *** Supported DB Implementations Registry
- ***/
-
-/*
- * Built in database implementations are registered here.
- */
-
-#include "rbtdb.h"
-#include "rbtdb64.h"
-
-static ISC_LIST(dns_dbimplementation_t) implementations;
-static isc_rwlock_t implock;
-static isc_once_t once = ISC_ONCE_INIT;
-
-static dns_dbimplementation_t rbtimp;
-static dns_dbimplementation_t rbt64imp;
-
-static void
-initialize(void) {
- RUNTIME_CHECK(isc_rwlock_init(&implock, 0, 0) == ISC_R_SUCCESS);
-
- rbtimp.name = "rbt";
- rbtimp.create = dns_rbtdb_create;
- rbtimp.mctx = NULL;
- rbtimp.driverarg = NULL;
- ISC_LINK_INIT(&rbtimp, link);
-
- rbt64imp.name = "rbt64";
- rbt64imp.create = dns_rbtdb64_create;
- rbt64imp.mctx = NULL;
- rbt64imp.driverarg = NULL;
- ISC_LINK_INIT(&rbt64imp, link);
-
- ISC_LIST_INIT(implementations);
- ISC_LIST_APPEND(implementations, &rbtimp, link);
- ISC_LIST_APPEND(implementations, &rbt64imp, link);
-}
-
-static inline dns_dbimplementation_t *
-impfind(const char *name) {
- dns_dbimplementation_t *imp;
-
- for (imp = ISC_LIST_HEAD(implementations);
- imp != NULL;
- imp = ISC_LIST_NEXT(imp, link))
- if (strcasecmp(name, imp->name) == 0)
- return (imp);
- return (NULL);
-}
-
-
-/***
- *** Basic DB Methods
- ***/
-
-isc_result_t
-dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
- dns_dbtype_t type, dns_rdataclass_t rdclass,
- unsigned int argc, char *argv[], dns_db_t **dbp)
-{
- dns_dbimplementation_t *impinfo;
-
- RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
- /*
- * Create a new database using implementation 'db_type'.
- */
-
- REQUIRE(dbp != NULL && *dbp == NULL);
- REQUIRE(dns_name_isabsolute(origin));
-
- RWLOCK(&implock, isc_rwlocktype_read);
- impinfo = impfind(db_type);
- if (impinfo != NULL) {
- isc_result_t result;
- result = ((impinfo->create)(mctx, origin, type,
- rdclass, argc, argv,
- impinfo->driverarg, dbp));
- RWUNLOCK(&implock, isc_rwlocktype_read);
- return (result);
- }
-
- RWUNLOCK(&implock, isc_rwlocktype_read);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_DB, ISC_LOG_ERROR,
- "unsupported database type '%s'", db_type);
-
- return (ISC_R_NOTFOUND);
-}
-
-void
-dns_db_attach(dns_db_t *source, dns_db_t **targetp) {
-
- /*
- * Attach *targetp to source.
- */
-
- REQUIRE(DNS_DB_VALID(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- (source->methods->attach)(source, targetp);
-
- ENSURE(*targetp == source);
-}
-
-void
-dns_db_detach(dns_db_t **dbp) {
-
- /*
- * Detach *dbp from its database.
- */
-
- REQUIRE(dbp != NULL);
- REQUIRE(DNS_DB_VALID(*dbp));
-
- ((*dbp)->methods->detach)(dbp);
-
- ENSURE(*dbp == NULL);
-}
-
-isc_result_t
-dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp)
-{
- REQUIRE(DNS_DB_VALID(db));
-
- return (isc_ondestroy_register(&db->ondest, task, eventp));
-}
-
-
-isc_boolean_t
-dns_db_iscache(dns_db_t *db) {
-
- /*
- * Does 'db' have cache semantics?
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- if ((db->attributes & DNS_DBATTR_CACHE) != 0)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_db_iszone(dns_db_t *db) {
-
- /*
- * Does 'db' have zone semantics?
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- if ((db->attributes & (DNS_DBATTR_CACHE|DNS_DBATTR_STUB)) == 0)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_db_isstub(dns_db_t *db) {
-
- /*
- * Does 'db' have stub semantics?
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- if ((db->attributes & DNS_DBATTR_STUB) != 0)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_db_issecure(dns_db_t *db) {
-
- /*
- * Is 'db' secure?
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
-
- return ((db->methods->issecure)(db));
-}
-
-isc_boolean_t
-dns_db_ispersistent(dns_db_t *db) {
-
- /*
- * Is 'db' persistent?
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- return ((db->methods->ispersistent)(db));
-}
-
-dns_name_t *
-dns_db_origin(dns_db_t *db) {
- /*
- * The origin of the database.
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- return (&db->origin);
-}
-
-dns_rdataclass_t
-dns_db_class(dns_db_t *db) {
- /*
- * The class of the database.
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- return (db->rdclass);
-}
-
-isc_result_t
-dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
- dns_dbload_t **dbloadp) {
- /*
- * Begin loading 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(addp != NULL && *addp == NULL);
- REQUIRE(dbloadp != NULL && *dbloadp == NULL);
-
- return ((db->methods->beginload)(db, addp, dbloadp));
-}
-
-isc_result_t
-dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp) {
- /*
- * Finish loading 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(dbloadp != NULL && *dbloadp != NULL);
-
- return ((db->methods->endload)(db, dbloadp));
-}
-
-isc_result_t
-dns_db_load(dns_db_t *db, const char *filename) {
- isc_result_t result, eresult;
- dns_rdatacallbacks_t callbacks;
- unsigned int options = 0;
-
- /*
- * Load master file 'filename' into 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- if ((db->attributes & DNS_DBATTR_CACHE) != 0)
- options |= DNS_MASTER_AGETTL;
-
- dns_rdatacallbacks_init(&callbacks);
-
- result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_master_loadfile(filename, &db->origin, &db->origin,
- db->rdclass, options,
- &callbacks, db->mctx);
- eresult = dns_db_endload(db, &callbacks.add_private);
- /*
- * We always call dns_db_endload(), but we only want to return its
- * result if dns_master_loadfile() succeeded. If dns_master_loadfile()
- * failed, we want to return the result code it gave us.
- */
- if (eresult != ISC_R_SUCCESS &&
- (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
- result = eresult;
-
- return (result);
-}
-
-isc_result_t
-dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
- /*
- * Dump 'db' into master file 'filename'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
-
- return ((db->methods->dump)(db, version, filename));
-}
-
-/***
- *** Version Methods
- ***/
-
-void
-dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
-
- /*
- * Open the current version for reading.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
- REQUIRE(versionp != NULL && *versionp == NULL);
-
- (db->methods->currentversion)(db, versionp);
-}
-
-isc_result_t
-dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp) {
-
- /*
- * Open a new version for reading and writing.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
- REQUIRE(versionp != NULL && *versionp == NULL);
-
- return ((db->methods->newversion)(db, versionp));
-}
-
-void
-dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
- dns_dbversion_t **targetp)
-{
- /*
- * Attach '*targetp' to 'source'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
- REQUIRE(source != NULL);
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- (db->methods->attachversion)(db, source, targetp);
-
- ENSURE(*targetp != NULL);
-}
-
-void
-dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
- isc_boolean_t commit)
-{
-
- /*
- * Close version '*versionp'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
- REQUIRE(versionp != NULL && *versionp != NULL);
-
- (db->methods->closeversion)(db, versionp, commit);
-
- ENSURE(*versionp == NULL);
-}
-
-/***
- *** Node Methods
- ***/
-
-isc_result_t
-dns_db_findnode(dns_db_t *db, dns_name_t *name,
- isc_boolean_t create, dns_dbnode_t **nodep)
-{
-
- /*
- * Find the node with name 'name'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(nodep != NULL && *nodep == NULL);
-
- return ((db->methods->findnode)(db, name, create, nodep));
-}
-
-isc_result_t
-dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
- dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
-
- /*
- * Find the best match for 'name' and 'type' in version 'version'
- * of 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(type != dns_rdatatype_rrsig);
- REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
- REQUIRE(dns_name_hasbuffer(foundname));
- REQUIRE(rdataset == NULL ||
- (DNS_RDATASET_VALID(rdataset) &&
- ! dns_rdataset_isassociated(rdataset)));
- REQUIRE(sigrdataset == NULL ||
- (DNS_RDATASET_VALID(sigrdataset) &&
- ! dns_rdataset_isassociated(sigrdataset)));
-
- return ((db->methods->find)(db, name, version, type, options, now,
- nodep, foundname, rdataset, sigrdataset));
-}
-
-isc_result_t
-dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
- unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- /*
- * Find the deepest known zonecut which encloses 'name' in 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
- REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
- REQUIRE(dns_name_hasbuffer(foundname));
- REQUIRE(sigrdataset == NULL ||
- (DNS_RDATASET_VALID(sigrdataset) &&
- ! dns_rdataset_isassociated(sigrdataset)));
-
- return ((db->methods->findzonecut)(db, name, options, now, nodep,
- foundname, rdataset, sigrdataset));
-}
-
-void
-dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
-
- /*
- * Attach *targetp to source.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(source != NULL);
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- (db->methods->attachnode)(db, source, targetp);
-}
-
-void
-dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
-
- /*
- * Detach *nodep from its node.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(nodep != NULL && *nodep != NULL);
-
- (db->methods->detachnode)(db, nodep);
-
- ENSURE(*nodep == NULL);
-}
-
-isc_result_t
-dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
-
- /*
- * Mark as stale all records at 'node' which expire at or before 'now'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
- REQUIRE(node != NULL);
-
- return ((db->methods->expirenode)(db, node, now));
-}
-
-void
-dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
- /*
- * Print a textual representation of the contents of the node to
- * 'out'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(node != NULL);
-
- (db->methods->printnode)(db, node, out);
-}
-
-/***
- *** DB Iterator Creation
- ***/
-
-isc_result_t
-dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
- dns_dbiterator_t **iteratorp)
-{
- /*
- * Create an iterator for version 'version' of 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(iteratorp != NULL && *iteratorp == NULL);
-
- return (db->methods->createiterator(db, relative_names, iteratorp));
-}
-
-/***
- *** Rdataset Methods
- ***/
-
-isc_result_t
-dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset)
-{
- /*
- * Search for an rdataset of type 'type' at 'node' that are in version
- * 'version' of 'db'. If found, make 'rdataset' refer to it.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(node != NULL);
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(! dns_rdataset_isassociated(rdataset));
- REQUIRE(covers == 0 || type == dns_rdatatype_rrsig);
- REQUIRE(type != dns_rdatatype_any);
- REQUIRE(sigrdataset == NULL ||
- (DNS_RDATASET_VALID(sigrdataset) &&
- ! dns_rdataset_isassociated(sigrdataset)));
-
- return ((db->methods->findrdataset)(db, node, version, type, covers,
- now, rdataset, sigrdataset));
-}
-
-isc_result_t
-dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
- /*
- * Make '*iteratorp' an rdataset iteratator for all rdatasets at
- * 'node' in version 'version' of 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(iteratorp != NULL && *iteratorp == NULL);
-
- return ((db->methods->allrdatasets)(db, node, version, now,
- iteratorp));
-}
-
-isc_result_t
-dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- unsigned int options, dns_rdataset_t *addedrdataset)
-{
- /*
- * Add 'rdataset' to 'node' in version 'version' of 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(node != NULL);
- REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
- ((db->attributes & DNS_DBATTR_CACHE) != 0 &&
- version == NULL && (options & DNS_DBADD_MERGE) == 0));
- REQUIRE((options & DNS_DBADD_EXACT) == 0 ||
- (options & DNS_DBADD_MERGE) != 0);
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(dns_rdataset_isassociated(rdataset));
- REQUIRE(rdataset->rdclass == db->rdclass);
- REQUIRE(addedrdataset == NULL ||
- (DNS_RDATASET_VALID(addedrdataset) &&
- ! dns_rdataset_isassociated(addedrdataset)));
-
- return ((db->methods->addrdataset)(db, node, version, now, rdataset,
- options, addedrdataset));
-}
-
-isc_result_t
-dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version, dns_rdataset_t *rdataset,
- unsigned int options, dns_rdataset_t *newrdataset)
-{
- /*
- * Remove any rdata in 'rdataset' from 'node' in version 'version' of
- * 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(node != NULL);
- REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL);
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(dns_rdataset_isassociated(rdataset));
- REQUIRE(rdataset->rdclass == db->rdclass);
- REQUIRE(newrdataset == NULL ||
- (DNS_RDATASET_VALID(newrdataset) &&
- ! dns_rdataset_isassociated(newrdataset)));
-
- return ((db->methods->subtractrdataset)(db, node, version, rdataset,
- options, newrdataset));
-}
-
-isc_result_t
-dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version, dns_rdatatype_t type,
- dns_rdatatype_t covers)
-{
- /*
- * Make it so that no rdataset of type 'type' exists at 'node' in
- * version version 'version' of 'db'.
- */
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(node != NULL);
- REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
- ((db->attributes & DNS_DBATTR_CACHE) != 0 && version == NULL));
-
- return ((db->methods->deleterdataset)(db, node, version,
- type, covers));
-}
-
-void
-dns_db_overmem(dns_db_t *db, isc_boolean_t overmem) {
-
- REQUIRE(DNS_DB_VALID(db));
-
- (db->methods->overmem)(db, overmem);
-}
-
-isc_result_t
-dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_buffer_t buffer;
-
- REQUIRE(dns_db_iszone(db) || dns_db_isstub(db));
-
- result = dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
- (isc_stdtime_t)0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- goto freenode;
-
- result = dns_rdataset_first(&rdataset);
- if (result != ISC_R_SUCCESS)
- goto freerdataset;
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_rdataset_next(&rdataset);
- INSIST(result == ISC_R_NOMORE);
-
- INSIST(rdata.length > 20);
- isc_buffer_init(&buffer, rdata.data, rdata.length);
- isc_buffer_add(&buffer, rdata.length);
- isc_buffer_forward(&buffer, rdata.length - 20);
- *serialp = isc_buffer_getuint32(&buffer);
-
- result = ISC_R_SUCCESS;
-
- freerdataset:
- dns_rdataset_disassociate(&rdataset);
-
- freenode:
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-unsigned int
-dns_db_nodecount(dns_db_t *db) {
- REQUIRE(DNS_DB_VALID(db));
-
- return ((db->methods->nodecount)(db));
-}
-
-void
-dns_db_settask(dns_db_t *db, isc_task_t *task) {
- REQUIRE(DNS_DB_VALID(db));
-
- (db->methods->settask)(db, task);
-}
-
-isc_result_t
-dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
- isc_mem_t *mctx, dns_dbimplementation_t **dbimp)
-{
- dns_dbimplementation_t *imp;
-
- REQUIRE(name != NULL);
- REQUIRE(dbimp != NULL && *dbimp == NULL);
-
- RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
- RWLOCK(&implock, isc_rwlocktype_write);
- imp = impfind(name);
- if (imp != NULL) {
- RWUNLOCK(&implock, isc_rwlocktype_write);
- return (ISC_R_EXISTS);
- }
-
- imp = isc_mem_get(mctx, sizeof(dns_dbimplementation_t));
- if (imp == NULL) {
- RWUNLOCK(&implock, isc_rwlocktype_write);
- return (ISC_R_NOMEMORY);
- }
- imp->name = name;
- imp->create = create;
- imp->mctx = NULL;
- imp->driverarg = driverarg;
- isc_mem_attach(mctx, &imp->mctx);
- ISC_LINK_INIT(imp, link);
- ISC_LIST_APPEND(implementations, imp, link);
- RWUNLOCK(&implock, isc_rwlocktype_write);
-
- *dbimp = imp;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_db_unregister(dns_dbimplementation_t **dbimp) {
- dns_dbimplementation_t *imp;
- isc_mem_t *mctx;
-
- REQUIRE(dbimp != NULL && *dbimp != NULL);
-
- RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
-
- imp = *dbimp;
- RWLOCK(&implock, isc_rwlocktype_write);
- ISC_LIST_UNLINK(implementations, imp, link);
- mctx = imp->mctx;
- isc_mem_put(mctx, imp, sizeof(dns_dbimplementation_t));
- isc_mem_detach(&mctx);
- RWUNLOCK(&implock, isc_rwlocktype_write);
-}
diff --git a/contrib/bind9/lib/dns/dbiterator.c b/contrib/bind9/lib/dns/dbiterator.c
deleted file mode 100644
index 0bf354bd94c8..000000000000
--- a/contrib/bind9/lib/dns/dbiterator.c
+++ /dev/null
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dbiterator.c,v 1.13.206.1 2004/03/06 08:13:37 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/dbiterator.h>
-#include <dns/name.h>
-
-void
-dns_dbiterator_destroy(dns_dbiterator_t **iteratorp) {
- /*
- * Destroy '*iteratorp'.
- */
-
- REQUIRE(iteratorp != NULL);
- REQUIRE(DNS_DBITERATOR_VALID(*iteratorp));
-
- (*iteratorp)->methods->destroy(iteratorp);
-
- ENSURE(*iteratorp == NULL);
-}
-
-isc_result_t
-dns_dbiterator_first(dns_dbiterator_t *iterator) {
- /*
- * Move the node cursor to the first node in the database (if any).
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
- return (iterator->methods->first(iterator));
-}
-
-isc_result_t
-dns_dbiterator_last(dns_dbiterator_t *iterator) {
- /*
- * Move the node cursor to the first node in the database (if any).
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
- return (iterator->methods->last(iterator));
-}
-
-isc_result_t
-dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
- /*
- * Move the node cursor to the node with name 'name'.
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
- return (iterator->methods->seek(iterator, name));
-}
-
-isc_result_t
-dns_dbiterator_prev(dns_dbiterator_t *iterator) {
- /*
- * Move the node cursor to the previous node in the database (if any).
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
- return (iterator->methods->prev(iterator));
-}
-
-isc_result_t
-dns_dbiterator_next(dns_dbiterator_t *iterator) {
- /*
- * Move the node cursor to the next node in the database (if any).
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
- return (iterator->methods->next(iterator));
-}
-
-isc_result_t
-dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
- dns_name_t *name)
-{
- /*
- * Return the current node.
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
- REQUIRE(nodep != NULL && *nodep == NULL);
- REQUIRE(name == NULL || dns_name_hasbuffer(name));
-
- return (iterator->methods->current(iterator, nodep, name));
-}
-
-isc_result_t
-dns_dbiterator_pause(dns_dbiterator_t *iterator) {
- /*
- * Pause iteration.
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
- return (iterator->methods->pause(iterator));
-}
-
-isc_result_t
-dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
-
- /*
- * Return the origin to which returned node names are relative.
- */
-
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
- REQUIRE(iterator->relative_names);
- REQUIRE(dns_name_hasbuffer(name));
-
- return (iterator->methods->origin(iterator, name));
-}
-
-void
-dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, isc_boolean_t mode) {
- REQUIRE(DNS_DBITERATOR_VALID(iterator));
-
- iterator->cleaning = mode;
-}
diff --git a/contrib/bind9/lib/dns/dbtable.c b/contrib/bind9/lib/dns/dbtable.c
deleted file mode 100644
index d027fa3fff9b..000000000000
--- a/contrib/bind9/lib/dns/dbtable.c
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: dbtable.c,v 1.25.12.4 2004/03/09 05:21:08 marka Exp $
- */
-
-/*
- * Principal Author: DCL
- */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/rwlock.h>
-#include <isc/util.h>
-
-#include <dns/dbtable.h>
-#include <dns/db.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-struct dns_dbtable {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- dns_rdataclass_t rdclass;
- isc_mutex_t lock;
- isc_rwlock_t tree_lock;
- /* Locked by lock. */
- unsigned int references;
- /* Locked by tree_lock. */
- dns_rbt_t * rbt;
- dns_db_t * default_db;
-};
-
-#define DBTABLE_MAGIC ISC_MAGIC('D', 'B', '-', '-')
-#define VALID_DBTABLE(dbtable) ISC_MAGIC_VALID(dbtable, DBTABLE_MAGIC)
-
-static void
-dbdetach(void *data, void *arg) {
- dns_db_t *db = data;
-
- UNUSED(arg);
-
- dns_db_detach(&db);
-}
-
-isc_result_t
-dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
- dns_dbtable_t **dbtablep)
-{
- dns_dbtable_t *dbtable;
- isc_result_t result;
-
- REQUIRE(mctx != NULL);
- REQUIRE(dbtablep != NULL && *dbtablep == NULL);
-
- dbtable = (dns_dbtable_t *)isc_mem_get(mctx, sizeof(*dbtable));
- if (dbtable == NULL)
- return (ISC_R_NOMEMORY);
-
- dbtable->rbt = NULL;
- result = dns_rbt_create(mctx, dbdetach, NULL, &dbtable->rbt);
- if (result != ISC_R_SUCCESS)
- goto clean1;
-
- result = isc_mutex_init(&dbtable->lock);
- if (result != ISC_R_SUCCESS)
- goto clean2;
-
- result = isc_rwlock_init(&dbtable->tree_lock, 0, 0);
- if (result != ISC_R_SUCCESS)
- goto clean3;
-
-
- dbtable->default_db = NULL;
- dbtable->mctx = mctx;
- dbtable->rdclass = rdclass;
- dbtable->magic = DBTABLE_MAGIC;
- dbtable->references = 1;
-
- *dbtablep = dbtable;
-
- return (ISC_R_SUCCESS);
-
- clean3:
- DESTROYLOCK(&dbtable->lock);
-
- clean2:
- dns_rbt_destroy(&dbtable->rbt);
-
- clean1:
- isc_mem_put(mctx, dbtable, sizeof(*dbtable));
-
- return (result);
-}
-
-static inline void
-dbtable_free(dns_dbtable_t *dbtable) {
- /*
- * Caller must ensure that it is safe to call.
- */
-
- RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
- if (dbtable->default_db != NULL)
- dns_db_detach(&dbtable->default_db);
-
- dns_rbt_destroy(&dbtable->rbt);
-
- RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
- isc_rwlock_destroy(&dbtable->tree_lock);
-
- dbtable->magic = 0;
-
- isc_mem_put(dbtable->mctx, dbtable, sizeof(*dbtable));
-}
-
-void
-dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp) {
- REQUIRE(VALID_DBTABLE(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- LOCK(&source->lock);
-
- INSIST(source->references > 0);
- source->references++;
- INSIST(source->references != 0);
-
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-void
-dns_dbtable_detach(dns_dbtable_t **dbtablep) {
- dns_dbtable_t *dbtable;
- isc_boolean_t free_dbtable = ISC_FALSE;
-
- REQUIRE(dbtablep != NULL);
- dbtable = *dbtablep;
- REQUIRE(VALID_DBTABLE(dbtable));
-
- LOCK(&dbtable->lock);
-
- INSIST(dbtable->references > 0);
- dbtable->references--;
- if (dbtable->references == 0)
- free_dbtable = ISC_TRUE;
-
- UNLOCK(&dbtable->lock);
-
- if (free_dbtable)
- dbtable_free(dbtable);
-
- *dbtablep = NULL;
-}
-
-isc_result_t
-dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db) {
- isc_result_t result;
- dns_db_t *clone;
-
- REQUIRE(VALID_DBTABLE(dbtable));
- REQUIRE(dns_db_class(db) == dbtable->rdclass);
-
- clone = NULL;
- dns_db_attach(db, &clone);
-
- RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
- result = dns_rbt_addname(dbtable->rbt, dns_db_origin(clone), clone);
- RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
- return (result);
-}
-
-void
-dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db) {
- dns_db_t *stored_data = NULL;
- isc_result_t result;
- dns_name_t *name;
-
- REQUIRE(VALID_DBTABLE(dbtable));
-
- name = dns_db_origin(db);
-
- /*
- * There is a requirement that the association of name with db
- * be verified. With the current rbt.c this is expensive to do,
- * because effectively two find operations are being done, but
- * deletion is relatively infrequent.
- * XXXDCL ... this could be cheaper now with dns_rbt_deletenode.
- */
-
- RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
- result = dns_rbt_findname(dbtable->rbt, name, 0, NULL,
- (void **) (void *)&stored_data);
-
- if (result == ISC_R_SUCCESS) {
- INSIST(stored_data == db);
-
- (void)dns_rbt_deletename(dbtable->rbt, name, ISC_FALSE);
- }
-
- RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-}
-
-void
-dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db) {
- REQUIRE(VALID_DBTABLE(dbtable));
- REQUIRE(dbtable->default_db == NULL);
- REQUIRE(dns_name_compare(dns_db_origin(db), dns_rootname) == 0);
-
- RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
- dbtable->default_db = NULL;
- dns_db_attach(db, &dbtable->default_db);
-
- RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-}
-
-void
-dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **dbp) {
- REQUIRE(VALID_DBTABLE(dbtable));
- REQUIRE(dbp != NULL && *dbp == NULL);
-
- RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-
- dns_db_attach(dbtable->default_db, dbp);
-
- RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-}
-
-void
-dns_dbtable_removedefault(dns_dbtable_t *dbtable) {
- REQUIRE(VALID_DBTABLE(dbtable));
-
- RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-
- dns_db_detach(&dbtable->default_db);
-
- RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
-}
-
-isc_result_t
-dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
- unsigned int options, dns_db_t **dbp)
-{
- dns_db_t *stored_data = NULL;
- isc_result_t result;
- unsigned int rbtoptions = 0;
-
- REQUIRE(dbp != NULL && *dbp == NULL);
-
- if ((options & DNS_DBTABLEFIND_NOEXACT) != 0)
- rbtoptions |= DNS_RBTFIND_NOEXACT;
-
- RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-
- result = dns_rbt_findname(dbtable->rbt, name, rbtoptions, NULL,
- (void **) (void *)&stored_data);
-
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- dns_db_attach(stored_data, dbp);
- else if (dbtable->default_db != NULL) {
- dns_db_attach(dbtable->default_db, dbp);
- result = DNS_R_PARTIALMATCH;
- } else
- result = ISC_R_NOTFOUND;
-
- RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
-
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/diff.c b/contrib/bind9/lib/dns/diff.c
deleted file mode 100644
index 8cd5643695a4..000000000000
--- a/contrib/bind9/lib/dns/diff.c
+++ /dev/null
@@ -1,539 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: diff.c,v 1.4.2.1.8.4 2004/03/08 02:07:52 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/log.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define DIFF_COMMON_LOGARGS \
- dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DIFF
-
-static dns_rdatatype_t
-rdata_covers(dns_rdata_t *rdata) {
- return (rdata->type == dns_rdatatype_rrsig ?
- dns_rdata_covers(rdata) : 0);
-}
-
-isc_result_t
-dns_difftuple_create(isc_mem_t *mctx,
- dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
- dns_rdata_t *rdata, dns_difftuple_t **tp)
-{
- dns_difftuple_t *t;
- unsigned int size;
- unsigned char *datap;
-
- REQUIRE(tp != NULL && *tp == NULL);
-
- /*
- * Create a new tuple. The variable-size wire-format name data and
- * rdata immediately follow the dns_difftuple_t structure
- * in memory.
- */
- size = sizeof(*t) + name->length + rdata->length;
- t = isc_mem_allocate(mctx, size);
- if (t == NULL)
- return (ISC_R_NOMEMORY);
- t->mctx = mctx;
- t->op = op;
-
- datap = (unsigned char *)(t + 1);
-
- memcpy(datap, name->ndata, name->length);
- dns_name_init(&t->name, NULL);
- dns_name_clone(name, &t->name);
- t->name.ndata = datap;
- datap += name->length;
-
- t->ttl = ttl;
-
- memcpy(datap, rdata->data, rdata->length);
- dns_rdata_init(&t->rdata);
- dns_rdata_clone(rdata, &t->rdata);
- t->rdata.data = datap;
- datap += rdata->length;
-
- ISC_LINK_INIT(&t->rdata, link);
- ISC_LINK_INIT(t, link);
- t->magic = DNS_DIFFTUPLE_MAGIC;
-
- INSIST(datap == (unsigned char *)t + size);
-
- *tp = t;
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_difftuple_free(dns_difftuple_t **tp) {
- dns_difftuple_t *t = *tp;
- REQUIRE(DNS_DIFFTUPLE_VALID(t));
- dns_name_invalidate(&t->name);
- t->magic = 0;
- isc_mem_free(t->mctx, t);
- *tp = NULL;
-}
-
-isc_result_t
-dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
- return (dns_difftuple_create(orig->mctx, orig->op, &orig->name,
- orig->ttl, &orig->rdata, copyp));
-}
-
-void
-dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
- diff->mctx = mctx;
- ISC_LIST_INIT(diff->tuples);
- diff->magic = DNS_DIFF_MAGIC;
-}
-
-void
-dns_diff_clear(dns_diff_t *diff) {
- dns_difftuple_t *t;
- REQUIRE(DNS_DIFF_VALID(diff));
- while ((t = ISC_LIST_HEAD(diff->tuples)) != NULL) {
- ISC_LIST_UNLINK(diff->tuples, t, link);
- dns_difftuple_free(&t);
- }
- ENSURE(ISC_LIST_EMPTY(diff->tuples));
-}
-
-void
-dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuplep)
-{
- ISC_LIST_APPEND(diff->tuples, *tuplep, link);
- *tuplep = NULL;
-}
-
-/* XXX this is O(N) */
-
-void
-dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
-{
- dns_difftuple_t *ot, *next_ot;
-
- REQUIRE(DNS_DIFF_VALID(diff));
- REQUIRE(DNS_DIFFTUPLE_VALID(*tuplep));
-
- /*
- * Look for an existing tuple with the same owner name,
- * rdata, and TTL. If we are doing an addition and find a
- * deletion or vice versa, remove both the old and the
- * new tuple since they cancel each other out (assuming
- * that we never delete nonexistent data or add existing
- * data).
- *
- * If we find an old update of the same kind as
- * the one we are doing, there must be a programming
- * error. We report it but try to continue anyway.
- */
- for (ot = ISC_LIST_HEAD(diff->tuples); ot != NULL;
- ot = next_ot)
- {
- next_ot = ISC_LIST_NEXT(ot, link);
- if (dns_name_equal(&ot->name, &(*tuplep)->name) &&
- dns_rdata_compare(&ot->rdata, &(*tuplep)->rdata) == 0 &&
- ot->ttl == (*tuplep)->ttl)
- {
- ISC_LIST_UNLINK(diff->tuples, ot, link);
- if ((*tuplep)->op == ot->op) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unexpected non-minimal diff");
- } else {
- dns_difftuple_free(tuplep);
- }
- dns_difftuple_free(&ot);
- break;
- }
- }
-
- if (*tuplep != NULL) {
- ISC_LIST_APPEND(diff->tuples, *tuplep, link);
- *tuplep = NULL;
- }
-
- ENSURE(*tuplep == NULL);
-}
-
-static isc_result_t
-diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
- isc_boolean_t warn)
-{
- dns_difftuple_t *t;
- dns_dbnode_t *node = NULL;
- isc_result_t result;
-
- REQUIRE(DNS_DIFF_VALID(diff));
- REQUIRE(DNS_DB_VALID(db));
-
- t = ISC_LIST_HEAD(diff->tuples);
- while (t != NULL) {
- dns_name_t *name;
-
- INSIST(node == NULL);
- name = &t->name;
- /*
- * Find the node.
- * We create the node if it does not exist.
- * This will cause an empty node to be created if the diff
- * contains a deletion of an RR at a nonexistent name,
- * but such diffs should never be created in the first
- * place.
- */
- node = NULL;
- CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
-
- while (t != NULL && dns_name_equal(&t->name, name)) {
- dns_rdatatype_t type, covers;
- dns_diffop_t op;
- dns_rdatalist_t rdl;
- dns_rdataset_t rds;
-
- op = t->op;
- type = t->rdata.type;
- covers = rdata_covers(&t->rdata);
-
- /*
- * Collect a contiguous set of updates with
- * the same operation (add/delete) and RR type
- * into a single rdatalist so that the
- * database rrset merging/subtraction code
- * can work more efficiently than if each
- * RR were merged into / subtracted from
- * the database separately.
- *
- * This is done by linking rdata structures from the
- * diff into "rdatalist". This uses the rdata link
- * field, not the diff link field, so the structure
- * of the diff itself is not affected.
- */
-
- rdl.type = type;
- rdl.covers = covers;
- rdl.rdclass = t->rdata.rdclass;
- rdl.ttl = t->ttl;
- ISC_LIST_INIT(rdl.rdata);
- ISC_LINK_INIT(&rdl, link);
-
- while (t != NULL &&
- dns_name_equal(&t->name, name) &&
- t->op == op &&
- t->rdata.type == type &&
- rdata_covers(&t->rdata) == covers)
- {
- if (t->ttl != rdl.ttl && warn)
- isc_log_write(DIFF_COMMON_LOGARGS,
- ISC_LOG_WARNING,
- "TTL differs in rdataset, "
- "adjusting %lu -> %lu",
- (unsigned long) t->ttl,
- (unsigned long) rdl.ttl);
- ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
- t = ISC_LIST_NEXT(t, link);
- }
-
- /*
- * Convert the rdatalist into a rdataset.
- */
- dns_rdataset_init(&rds);
- CHECK(dns_rdatalist_tordataset(&rdl, &rds));
- rds.trust = dns_trust_ultimate;
-
- /*
- * Merge the rdataset into the database.
- */
- if (op == DNS_DIFFOP_ADD) {
- result = dns_db_addrdataset(db, node, ver,
- 0, &rds,
- DNS_DBADD_MERGE|
- DNS_DBADD_EXACT|
- DNS_DBADD_EXACTTTL,
- NULL);
- } else if (op == DNS_DIFFOP_DEL) {
- result = dns_db_subtractrdataset(db, node, ver,
- &rds,
- DNS_DBSUB_EXACT,
- NULL);
- } else {
- INSIST(0);
- }
- if (result == DNS_R_UNCHANGED) {
- /*
- * This will not happen when executing a
- * dynamic update, because that code will
- * generate strictly minimal diffs.
- * It may happen when receiving an IXFR
- * from a server that is not as careful.
- * Issue a warning and continue.
- */
- if (warn)
- isc_log_write(DIFF_COMMON_LOGARGS,
- ISC_LOG_WARNING,
- "update with no effect");
- } else if (result == ISC_R_SUCCESS ||
- result == DNS_R_NXRRSET) {
- /*
- * OK.
- */
- } else {
- CHECK(result);
- }
- }
- dns_db_detachnode(db, &node);
- }
- return (ISC_R_SUCCESS);
-
- failure:
- if (node != NULL)
- dns_db_detachnode(db, &node);
- return (result);
-}
-
-isc_result_t
-dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
- return (diff_apply(diff, db, ver, ISC_TRUE));
-}
-
-isc_result_t
-dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
- return (diff_apply(diff, db, ver, ISC_FALSE));
-}
-
-/* XXX this duplicates lots of code in diff_apply(). */
-
-isc_result_t
-dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
- void *add_private)
-{
- dns_difftuple_t *t;
- isc_result_t result;
-
- REQUIRE(DNS_DIFF_VALID(diff));
-
- t = ISC_LIST_HEAD(diff->tuples);
- while (t != NULL) {
- dns_name_t *name;
-
- name = &t->name;
- while (t != NULL && dns_name_equal(&t->name, name)) {
- dns_rdatatype_t type, covers;
- dns_diffop_t op;
- dns_rdatalist_t rdl;
- dns_rdataset_t rds;
-
- op = t->op;
- type = t->rdata.type;
- covers = rdata_covers(&t->rdata);
-
- rdl.type = type;
- rdl.covers = covers;
- rdl.rdclass = t->rdata.rdclass;
- rdl.ttl = t->ttl;
- ISC_LIST_INIT(rdl.rdata);
- ISC_LINK_INIT(&rdl, link);
-
- while (t != NULL && dns_name_equal(&t->name, name) &&
- t->op == op && t->rdata.type == type &&
- rdata_covers(&t->rdata) == covers)
- {
- ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
- t = ISC_LIST_NEXT(t, link);
- }
-
- /*
- * Convert the rdatalist into a rdataset.
- */
- dns_rdataset_init(&rds);
- CHECK(dns_rdatalist_tordataset(&rdl, &rds));
- rds.trust = dns_trust_ultimate;
-
- INSIST(op == DNS_DIFFOP_ADD);
- result = (*addfunc)(add_private, name, &rds);
- if (result == DNS_R_UNCHANGED) {
- isc_log_write(DIFF_COMMON_LOGARGS,
- ISC_LOG_WARNING,
- "update with no effect");
- } else if (result == ISC_R_SUCCESS ||
- result == DNS_R_NXRRSET) {
- /*
- * OK.
- */
- } else {
- CHECK(result);
- }
- }
- }
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-/*
- * XXX uses qsort(); a merge sort would be more natural for lists,
- * and perhaps safer wrt thread stack overflow.
- */
-isc_result_t
-dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
- unsigned int length = 0;
- unsigned int i;
- dns_difftuple_t **v;
- dns_difftuple_t *p;
- REQUIRE(DNS_DIFF_VALID(diff));
-
- for (p = ISC_LIST_HEAD(diff->tuples);
- p != NULL;
- p = ISC_LIST_NEXT(p, link))
- length++;
- if (length == 0)
- return (ISC_R_SUCCESS);
- v = isc_mem_get(diff->mctx, length * sizeof(dns_difftuple_t *));
- if (v == NULL)
- return (ISC_R_NOMEMORY);
- i = 0;
- for (i = 0; i < length; i++) {
- p = ISC_LIST_HEAD(diff->tuples);
- v[i] = p;
- ISC_LIST_UNLINK(diff->tuples, p, link);
- }
- INSIST(ISC_LIST_HEAD(diff->tuples) == NULL);
- qsort(v, length, sizeof(v[0]), compare);
- for (i = 0; i < length; i++) {
- ISC_LIST_APPEND(diff->tuples, v[i], link);
- }
- isc_mem_put(diff->mctx, v, length * sizeof(dns_difftuple_t *));
- return (ISC_R_SUCCESS);
-}
-
-
-/*
- * Create an rdataset containing the single RR of the given
- * tuple. The caller must allocate the the rdata, rdataset and
- * an rdatalist structure for it to refer to.
- */
-
-static isc_result_t
-diff_tuple_tordataset(dns_difftuple_t *t, dns_rdata_t *rdata,
- dns_rdatalist_t *rdl, dns_rdataset_t *rds)
-{
- REQUIRE(DNS_DIFFTUPLE_VALID(t));
- REQUIRE(rdl != NULL);
- REQUIRE(rds != NULL);
-
- rdl->type = t->rdata.type;
- rdl->rdclass = t->rdata.rdclass;
- rdl->ttl = t->ttl;
- ISC_LIST_INIT(rdl->rdata);
- ISC_LINK_INIT(rdl, link);
- dns_rdataset_init(rds);
- ISC_LINK_INIT(rdata, link);
- dns_rdata_clone(&t->rdata, rdata);
- ISC_LIST_APPEND(rdl->rdata, rdata, link);
- return (dns_rdatalist_tordataset(rdl, rds));
-}
-
-isc_result_t
-dns_diff_print(dns_diff_t *diff, FILE *file) {
- isc_result_t result;
- dns_difftuple_t *t;
- char *mem = NULL;
- unsigned int size = 2048;
-
- REQUIRE(DNS_DIFF_VALID(diff));
-
- mem = isc_mem_get(diff->mctx, size);
- if (mem == NULL)
- return (ISC_R_NOMEMORY);
-
- for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- isc_buffer_t buf;
- isc_region_t r;
-
- dns_rdatalist_t rdl;
- dns_rdataset_t rds;
- dns_rdata_t rd = DNS_RDATA_INIT;
-
- result = diff_tuple_tordataset(t, &rd, &rdl, &rds);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "diff_tuple_tordataset failed: %s",
- dns_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
- again:
- isc_buffer_init(&buf, mem, size);
- result = dns_rdataset_totext(&rds, &t->name,
- ISC_FALSE, ISC_FALSE, &buf);
-
- if (result == ISC_R_NOSPACE) {
- isc_mem_put(diff->mctx, mem, size);
- size += 1024;
- mem = isc_mem_get(diff->mctx, size);
- if (mem == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- goto again;
- }
-
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- /*
- * Get rid of final newline.
- */
- INSIST(buf.used >= 1 &&
- ((char *) buf.base)[buf.used-1] == '\n');
- buf.used--;
-
- isc_buffer_usedregion(&buf, &r);
- if (file != NULL)
- fprintf(file, "%s %.*s\n",
- t->op == DNS_DIFFOP_ADD ? "add" : "del",
- (int) r.length, (char *) r.base);
- else
- isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
- "%s %.*s",
- t->op == DNS_DIFFOP_ADD ? "add" : "del",
- (int) r.length, (char *) r.base);
- }
- result = ISC_R_SUCCESS;
- cleanup:
- if (mem != NULL)
- isc_mem_put(diff->mctx, mem, size);
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/dispatch.c b/contrib/bind9/lib/dns/dispatch.c
deleted file mode 100644
index 8534fe15ad10..000000000000
--- a/contrib/bind9/lib/dns/dispatch.c
+++ /dev/null
@@ -1,2199 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dispatch.c,v 1.101.2.6.2.10 2004/09/01 04:27:41 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/entropy.h>
-#include <isc/lfsr.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/portlist.h>
-#include <dns/tcpmsg.h>
-#include <dns/types.h>
-
-typedef ISC_LIST(dns_dispentry_t) dns_displist_t;
-
-typedef struct dns_qid {
- unsigned int magic;
- unsigned int qid_nbuckets; /* hash table size */
- unsigned int qid_increment; /* id increment on collision */
- isc_mutex_t lock;
- isc_lfsr_t qid_lfsr1; /* state generator info */
- isc_lfsr_t qid_lfsr2; /* state generator info */
- dns_displist_t *qid_table; /* the table itself */
-} dns_qid_t;
-
-struct dns_dispatchmgr {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t *mctx;
- dns_acl_t *blackhole;
- dns_portlist_t *portlist;
-
- /* Locked by "lock". */
- isc_mutex_t lock;
- unsigned int state;
- ISC_LIST(dns_dispatch_t) list;
-
- /* locked by buffer lock */
- dns_qid_t *qid;
- isc_mutex_t buffer_lock;
- unsigned int buffers; /* allocated buffers */
- unsigned int buffersize; /* size of each buffer */
- unsigned int maxbuffers; /* max buffers */
-
- /* Locked internally. */
- isc_mutex_t pool_lock;
- isc_mempool_t *epool; /* memory pool for events */
- isc_mempool_t *rpool; /* memory pool for replies */
- isc_mempool_t *dpool; /* dispatch allocations */
- isc_mempool_t *bpool; /* memory pool for buffers */
-
- isc_entropy_t *entropy; /* entropy source */
-};
-
-#define MGR_SHUTTINGDOWN 0x00000001U
-#define MGR_IS_SHUTTINGDOWN(l) (((l)->state & MGR_SHUTTINGDOWN) != 0)
-
-#define IS_PRIVATE(d) (((d)->attributes & DNS_DISPATCHATTR_PRIVATE) != 0)
-
-struct dns_dispentry {
- unsigned int magic;
- dns_dispatch_t *disp;
- dns_messageid_t id;
- unsigned int bucket;
- isc_sockaddr_t host;
- isc_task_t *task;
- isc_taskaction_t action;
- void *arg;
- isc_boolean_t item_out;
- ISC_LIST(dns_dispatchevent_t) items;
- ISC_LINK(dns_dispentry_t) link;
-};
-
-#define INVALID_BUCKET (0xffffdead)
-
-struct dns_dispatch {
- /* Unlocked. */
- unsigned int magic; /* magic */
- dns_dispatchmgr_t *mgr; /* dispatch manager */
- isc_task_t *task; /* internal task */
- isc_socket_t *socket; /* isc socket attached to */
- isc_sockaddr_t local; /* local address */
- unsigned int maxrequests; /* max requests */
- isc_event_t *ctlevent;
-
- /* Locked by mgr->lock. */
- ISC_LINK(dns_dispatch_t) link;
-
- /* Locked by "lock". */
- isc_mutex_t lock; /* locks all below */
- isc_sockettype_t socktype;
- unsigned int attributes;
- unsigned int refcount; /* number of users */
- dns_dispatchevent_t *failsafe_ev; /* failsafe cancel event */
- unsigned int shutting_down : 1,
- shutdown_out : 1,
- connected : 1,
- tcpmsg_valid : 1,
- recv_pending : 1; /* is a recv() pending? */
- isc_result_t shutdown_why;
- unsigned int requests; /* how many requests we have */
- unsigned int tcpbuffers; /* allocated buffers */
- dns_tcpmsg_t tcpmsg; /* for tcp streams */
- dns_qid_t *qid;
-};
-
-#define QID_MAGIC ISC_MAGIC('Q', 'i', 'd', ' ')
-#define VALID_QID(e) ISC_MAGIC_VALID((e), QID_MAGIC)
-
-#define RESPONSE_MAGIC ISC_MAGIC('D', 'r', 's', 'p')
-#define VALID_RESPONSE(e) ISC_MAGIC_VALID((e), RESPONSE_MAGIC)
-
-#define DISPATCH_MAGIC ISC_MAGIC('D', 'i', 's', 'p')
-#define VALID_DISPATCH(e) ISC_MAGIC_VALID((e), DISPATCH_MAGIC)
-
-#define DNS_DISPATCHMGR_MAGIC ISC_MAGIC('D', 'M', 'g', 'r')
-#define VALID_DISPATCHMGR(e) ISC_MAGIC_VALID((e), DNS_DISPATCHMGR_MAGIC)
-
-#define DNS_QID(disp) ((disp)->socktype == isc_sockettype_tcp) ? \
- (disp)->qid : (disp)->mgr->qid
-/*
- * Statics.
- */
-static dns_dispentry_t *bucket_search(dns_qid_t *, isc_sockaddr_t *,
- dns_messageid_t, unsigned int);
-static isc_boolean_t destroy_disp_ok(dns_dispatch_t *);
-static void destroy_disp(isc_task_t *task, isc_event_t *event);
-static void udp_recv(isc_task_t *, isc_event_t *);
-static void tcp_recv(isc_task_t *, isc_event_t *);
-static void startrecv(dns_dispatch_t *);
-static dns_messageid_t dns_randomid(dns_qid_t *);
-static isc_uint32_t dns_hash(dns_qid_t *, isc_sockaddr_t *, dns_messageid_t);
-static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
-static void *allocate_udp_buffer(dns_dispatch_t *disp);
-static inline void free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev);
-static inline dns_dispatchevent_t *allocate_event(dns_dispatch_t *disp);
-static void do_cancel(dns_dispatch_t *disp);
-static dns_dispentry_t *linear_first(dns_qid_t *disp);
-static dns_dispentry_t *linear_next(dns_qid_t *disp,
- dns_dispentry_t *resp);
-static void dispatch_free(dns_dispatch_t **dispp);
-static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr,
- isc_socketmgr_t *sockmgr,
- isc_taskmgr_t *taskmgr,
- isc_sockaddr_t *localaddr,
- unsigned int maxrequests,
- unsigned int attributes,
- dns_dispatch_t **dispp);
-static isc_boolean_t destroy_mgr_ok(dns_dispatchmgr_t *mgr);
-static void destroy_mgr(dns_dispatchmgr_t **mgrp);
-static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
- unsigned int increment, dns_qid_t **qidp);
-static void qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp);
-
-#define LVL(x) ISC_LOG_DEBUG(x)
-
-static void
-mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-static void
-mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
- char msgbuf[2048];
- va_list ap;
-
- if (! isc_log_wouldlog(dns_lctx, level))
- return;
-
- va_start(ap, fmt);
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- va_end(ap);
-
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
- level, "dispatchmgr %p: %s", mgr, msgbuf);
-}
-
-static void
-dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-static void
-dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...) {
- char msgbuf[2048];
- va_list ap;
-
- if (! isc_log_wouldlog(dns_lctx, level))
- return;
-
- va_start(ap, fmt);
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- va_end(ap);
-
- isc_log_write(dns_lctx,
- DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
- level, "dispatch %p: %s", disp, msgbuf);
-}
-
-static void
-request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
- int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(4, 5);
-
-static void
-request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
- int level, const char *fmt, ...)
-{
- char msgbuf[2048];
- char peerbuf[256];
- va_list ap;
-
- if (! isc_log_wouldlog(dns_lctx, level))
- return;
-
- va_start(ap, fmt);
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- va_end(ap);
-
- if (VALID_RESPONSE(resp)) {
- isc_sockaddr_format(&resp->host, peerbuf, sizeof(peerbuf));
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
- DNS_LOGMODULE_DISPATCH, level,
- "dispatch %p response %p %s: %s", disp, resp,
- peerbuf, msgbuf);
- } else {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
- DNS_LOGMODULE_DISPATCH, level,
- "dispatch %p req/resp %p: %s", disp, resp,
- msgbuf);
- }
-}
-
-static void
-reseed_lfsr(isc_lfsr_t *lfsr, void *arg)
-{
- dns_dispatchmgr_t *mgr = arg;
- isc_result_t result;
- isc_uint32_t val;
-
- REQUIRE(VALID_DISPATCHMGR(mgr));
-
- if (mgr->entropy != NULL) {
- result = isc_entropy_getdata(mgr->entropy, &val, sizeof(val),
- NULL, 0);
- INSIST(result == ISC_R_SUCCESS);
- lfsr->count = (val & 0x1f) + 32;
- lfsr->state = val;
- return;
- }
-
- lfsr->count = (random() & 0x1f) + 32; /* From 32 to 63 states */
- lfsr->state = random();
-}
-
-/*
- * Return an unpredictable message ID.
- */
-static dns_messageid_t
-dns_randomid(dns_qid_t *qid) {
- isc_uint32_t id;
-
- id = isc_lfsr_generate32(&qid->qid_lfsr1, &qid->qid_lfsr2);
-
- return (dns_messageid_t)(id & 0xFFFF);
-}
-
-/*
- * Return a hash of the destination and message id.
- */
-static isc_uint32_t
-dns_hash(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id) {
- unsigned int ret;
-
- ret = isc_sockaddr_hash(dest, ISC_TRUE);
- ret ^= id;
- ret %= qid->qid_nbuckets;
-
- INSIST(ret < qid->qid_nbuckets);
-
- return (ret);
-}
-
-/*
- * Find the first entry in 'qid'. Returns NULL if there are no entries.
- */
-static dns_dispentry_t *
-linear_first(dns_qid_t *qid) {
- dns_dispentry_t *ret;
- unsigned int bucket;
-
- bucket = 0;
-
- while (bucket < qid->qid_nbuckets) {
- ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
- if (ret != NULL)
- return (ret);
- bucket++;
- }
-
- return (NULL);
-}
-
-/*
- * Find the next entry after 'resp' in 'qid'. Return NULL if there are
- * no more entries.
- */
-static dns_dispentry_t *
-linear_next(dns_qid_t *qid, dns_dispentry_t *resp) {
- dns_dispentry_t *ret;
- unsigned int bucket;
-
- ret = ISC_LIST_NEXT(resp, link);
- if (ret != NULL)
- return (ret);
-
- bucket = resp->bucket;
- bucket++;
- while (bucket < qid->qid_nbuckets) {
- ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
- if (ret != NULL)
- return (ret);
- bucket++;
- }
-
- return (NULL);
-}
-
-/*
- * The dispatch must be locked.
- */
-static isc_boolean_t
-destroy_disp_ok(dns_dispatch_t *disp)
-{
- if (disp->refcount != 0)
- return (ISC_FALSE);
-
- if (disp->recv_pending != 0)
- return (ISC_FALSE);
-
- if (disp->shutting_down == 0)
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
-
-
-/*
- * Called when refcount reaches 0 (and safe to destroy).
- *
- * The dispatcher must not be locked.
- * The manager must be locked.
- */
-static void
-destroy_disp(isc_task_t *task, isc_event_t *event) {
- dns_dispatch_t *disp;
- dns_dispatchmgr_t *mgr;
- isc_boolean_t killmgr;
-
- INSIST(event->ev_type == DNS_EVENT_DISPATCHCONTROL);
-
- UNUSED(task);
-
- disp = event->ev_arg;
- mgr = disp->mgr;
-
- LOCK(&mgr->lock);
- ISC_LIST_UNLINK(mgr->list, disp, link);
-
- dispatch_log(disp, LVL(90),
- "shutting down; detaching from sock %p, task %p",
- disp->socket, disp->task);
-
- isc_socket_detach(&disp->socket);
- isc_task_detach(&disp->task);
- isc_event_free(&event);
-
- dispatch_free(&disp);
-
- killmgr = destroy_mgr_ok(mgr);
- UNLOCK(&mgr->lock);
- if (killmgr)
- destroy_mgr(&mgr);
-}
-
-
-/*
- * Find an entry for query ID 'id' and socket address 'dest' in 'qid'.
- * Return NULL if no such entry exists.
- */
-static dns_dispentry_t *
-bucket_search(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id,
- unsigned int bucket)
-{
- dns_dispentry_t *res;
-
- REQUIRE(bucket < qid->qid_nbuckets);
-
- res = ISC_LIST_HEAD(qid->qid_table[bucket]);
-
- while (res != NULL) {
- if ((res->id == id) && isc_sockaddr_equal(dest, &res->host))
- return (res);
- res = ISC_LIST_NEXT(res, link);
- }
-
- return (NULL);
-}
-
-static void
-free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len) {
- INSIST(buf != NULL && len != 0);
-
-
- switch (disp->socktype) {
- case isc_sockettype_tcp:
- INSIST(disp->tcpbuffers > 0);
- disp->tcpbuffers--;
- isc_mem_put(disp->mgr->mctx, buf, len);
- break;
- case isc_sockettype_udp:
- LOCK(&disp->mgr->buffer_lock);
- INSIST(disp->mgr->buffers > 0);
- INSIST(len == disp->mgr->buffersize);
- disp->mgr->buffers--;
- isc_mempool_put(disp->mgr->bpool, buf);
- UNLOCK(&disp->mgr->buffer_lock);
- break;
- default:
- INSIST(0);
- break;
- }
-}
-
-static void *
-allocate_udp_buffer(dns_dispatch_t *disp) {
- void *temp;
-
- LOCK(&disp->mgr->buffer_lock);
- temp = isc_mempool_get(disp->mgr->bpool);
-
- if (temp != NULL)
- disp->mgr->buffers++;
- UNLOCK(&disp->mgr->buffer_lock);
-
- return (temp);
-}
-
-static inline void
-free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev) {
- if (disp->failsafe_ev == ev) {
- INSIST(disp->shutdown_out == 1);
- disp->shutdown_out = 0;
-
- return;
- }
-
- isc_mempool_put(disp->mgr->epool, ev);
-}
-
-static inline dns_dispatchevent_t *
-allocate_event(dns_dispatch_t *disp) {
- dns_dispatchevent_t *ev;
-
- ev = isc_mempool_get(disp->mgr->epool);
- if (ev == NULL)
- return (NULL);
- ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, 0,
- NULL, NULL, NULL, NULL, NULL);
-
- return (ev);
-}
-
-/*
- * General flow:
- *
- * If I/O result == CANCELED or error, free the buffer.
- *
- * If query, free the buffer, restart.
- *
- * If response:
- * Allocate event, fill in details.
- * If cannot allocate, free buffer, restart.
- * find target. If not found, free buffer, restart.
- * if event queue is not empty, queue. else, send.
- * restart.
- */
-static void
-udp_recv(isc_task_t *task, isc_event_t *ev_in) {
- isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
- dns_dispatch_t *disp = ev_in->ev_arg;
- dns_messageid_t id;
- isc_result_t dres;
- isc_buffer_t source;
- unsigned int flags;
- dns_dispentry_t *resp;
- dns_dispatchevent_t *rev;
- unsigned int bucket;
- isc_boolean_t killit;
- isc_boolean_t queue_response;
- dns_dispatchmgr_t *mgr;
- dns_qid_t *qid;
- isc_netaddr_t netaddr;
- int match;
-
- UNUSED(task);
-
- LOCK(&disp->lock);
-
- mgr = disp->mgr;
- qid = mgr->qid;
-
- dispatch_log(disp, LVL(90),
- "got packet: requests %d, buffers %d, recvs %d",
- disp->requests, disp->mgr->buffers, disp->recv_pending);
-
- if (ev->ev_type == ISC_SOCKEVENT_RECVDONE) {
- /*
- * Unless the receive event was imported from a listening
- * interface, in which case the event type is
- * DNS_EVENT_IMPORTRECVDONE, receive operation must be pending.
- */
- INSIST(disp->recv_pending != 0);
- disp->recv_pending = 0;
- }
-
- if (disp->shutting_down) {
- /*
- * This dispatcher is shutting down.
- */
- free_buffer(disp, ev->region.base, ev->region.length);
-
- isc_event_free(&ev_in);
- ev = NULL;
-
- killit = destroy_disp_ok(disp);
- UNLOCK(&disp->lock);
- if (killit)
- isc_task_send(disp->task, &disp->ctlevent);
-
- return;
- }
-
- if (ev->result != ISC_R_SUCCESS) {
- free_buffer(disp, ev->region.base, ev->region.length);
-
- if (ev->result != ISC_R_CANCELED)
- dispatch_log(disp, ISC_LOG_ERROR,
- "odd socket result in udp_recv(): %s",
- isc_result_totext(ev->result));
-
- UNLOCK(&disp->lock);
- isc_event_free(&ev_in);
- return;
- }
-
- /*
- * If this is from a blackholed address, drop it.
- */
- isc_netaddr_fromsockaddr(&netaddr, &ev->address);
- if (disp->mgr->blackhole != NULL &&
- dns_acl_match(&netaddr, NULL, disp->mgr->blackhole,
- NULL, &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- {
- if (isc_log_wouldlog(dns_lctx, LVL(10))) {
- char netaddrstr[ISC_NETADDR_FORMATSIZE];
- isc_netaddr_format(&netaddr, netaddrstr,
- sizeof(netaddrstr));
- dispatch_log(disp, LVL(10),
- "blackholed packet from %s",
- netaddrstr);
- }
- free_buffer(disp, ev->region.base, ev->region.length);
- goto restart;
- }
-
- /*
- * Peek into the buffer to see what we can see.
- */
- isc_buffer_init(&source, ev->region.base, ev->region.length);
- isc_buffer_add(&source, ev->n);
- dres = dns_message_peekheader(&source, &id, &flags);
- if (dres != ISC_R_SUCCESS) {
- free_buffer(disp, ev->region.base, ev->region.length);
- dispatch_log(disp, LVL(10), "got garbage packet");
- goto restart;
- }
-
- dispatch_log(disp, LVL(92),
- "got valid DNS message header, /QR %c, id %u",
- ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
-
- /*
- * Look at flags. If query, drop it. If response,
- * look to see where it goes.
- */
- queue_response = ISC_FALSE;
- if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
- /* query */
- free_buffer(disp, ev->region.base, ev->region.length);
- goto restart;
- }
-
- /* response */
- bucket = dns_hash(qid, &ev->address, id);
- LOCK(&qid->lock);
- resp = bucket_search(qid, &ev->address, id, bucket);
- dispatch_log(disp, LVL(90),
- "search for response in bucket %d: %s",
- bucket, (resp == NULL ? "not found" : "found"));
-
- if (resp == NULL) {
- free_buffer(disp, ev->region.base, ev->region.length);
- goto unlock;
- }
- queue_response = resp->item_out;
- rev = allocate_event(resp->disp);
- if (rev == NULL) {
- free_buffer(disp, ev->region.base, ev->region.length);
- goto unlock;
- }
-
- /*
- * At this point, rev contains the event we want to fill in, and
- * resp contains the information on the place to send it to.
- * Send the event off.
- */
- isc_buffer_init(&rev->buffer, ev->region.base, ev->region.length);
- isc_buffer_add(&rev->buffer, ev->n);
- rev->result = ISC_R_SUCCESS;
- rev->id = id;
- rev->addr = ev->address;
- rev->pktinfo = ev->pktinfo;
- rev->attributes = ev->attributes;
- if (queue_response) {
- ISC_LIST_APPEND(resp->items, rev, ev_link);
- } else {
- ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL,
- DNS_EVENT_DISPATCH,
- resp->action, resp->arg, resp, NULL, NULL);
- request_log(disp, resp, LVL(90),
- "[a] Sent event %p buffer %p len %d to task %p",
- rev, rev->buffer.base, rev->buffer.length,
- resp->task);
- resp->item_out = ISC_TRUE;
- isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
- }
- unlock:
- UNLOCK(&qid->lock);
-
- /*
- * Restart recv() to get the next packet.
- */
- restart:
- startrecv(disp);
-
- UNLOCK(&disp->lock);
-
- isc_event_free(&ev_in);
-}
-
-/*
- * General flow:
- *
- * If I/O result == CANCELED, EOF, or error, notify everyone as the
- * various queues drain.
- *
- * If query, restart.
- *
- * If response:
- * Allocate event, fill in details.
- * If cannot allocate, restart.
- * find target. If not found, restart.
- * if event queue is not empty, queue. else, send.
- * restart.
- */
-static void
-tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
- dns_dispatch_t *disp = ev_in->ev_arg;
- dns_tcpmsg_t *tcpmsg = &disp->tcpmsg;
- dns_messageid_t id;
- isc_result_t dres;
- unsigned int flags;
- dns_dispentry_t *resp;
- dns_dispatchevent_t *rev;
- unsigned int bucket;
- isc_boolean_t killit;
- isc_boolean_t queue_response;
- dns_qid_t *qid;
- int level;
- char buf[ISC_SOCKADDR_FORMATSIZE];
-
- UNUSED(task);
-
- REQUIRE(VALID_DISPATCH(disp));
-
- qid = disp->qid;
-
- dispatch_log(disp, LVL(90),
- "got TCP packet: requests %d, buffers %d, recvs %d",
- disp->requests, disp->tcpbuffers, disp->recv_pending);
-
- LOCK(&disp->lock);
-
- INSIST(disp->recv_pending != 0);
- disp->recv_pending = 0;
-
- if (disp->refcount == 0) {
- /*
- * This dispatcher is shutting down. Force cancelation.
- */
- tcpmsg->result = ISC_R_CANCELED;
- }
-
- if (tcpmsg->result != ISC_R_SUCCESS) {
- switch (tcpmsg->result) {
- case ISC_R_CANCELED:
- break;
-
- case ISC_R_EOF:
- dispatch_log(disp, LVL(90), "shutting down on EOF");
- do_cancel(disp);
- break;
-
- case ISC_R_CONNECTIONRESET:
- level = ISC_LOG_INFO;
- goto logit;
-
- default:
- level = ISC_LOG_ERROR;
- logit:
- isc_sockaddr_format(&tcpmsg->address, buf, sizeof(buf));
- dispatch_log(disp, level, "shutting down due to TCP "
- "receive error: %s: %s", buf,
- isc_result_totext(tcpmsg->result));
- do_cancel(disp);
- break;
- }
-
- /*
- * The event is statically allocated in the tcpmsg
- * structure, and destroy_disp() frees the tcpmsg, so we must
- * free the event *before* calling destroy_disp().
- */
- isc_event_free(&ev_in);
-
- disp->shutting_down = 1;
- disp->shutdown_why = tcpmsg->result;
-
- /*
- * If the recv() was canceled pass the word on.
- */
- killit = destroy_disp_ok(disp);
- UNLOCK(&disp->lock);
- if (killit)
- isc_task_send(disp->task, &disp->ctlevent);
- return;
- }
-
- dispatch_log(disp, LVL(90), "result %d, length == %d, addr = %p",
- tcpmsg->result,
- tcpmsg->buffer.length, tcpmsg->buffer.base);
-
- /*
- * Peek into the buffer to see what we can see.
- */
- dres = dns_message_peekheader(&tcpmsg->buffer, &id, &flags);
- if (dres != ISC_R_SUCCESS) {
- dispatch_log(disp, LVL(10), "got garbage packet");
- goto restart;
- }
-
- dispatch_log(disp, LVL(92),
- "got valid DNS message header, /QR %c, id %u",
- ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
-
- /*
- * Allocate an event to send to the query or response client, and
- * allocate a new buffer for our use.
- */
-
- /*
- * Look at flags. If query, drop it. If response,
- * look to see where it goes.
- */
- queue_response = ISC_FALSE;
- if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
- /*
- * Query.
- */
- goto restart;
- }
-
- /*
- * Response.
- */
- bucket = dns_hash(qid, &tcpmsg->address, id);
- LOCK(&qid->lock);
- resp = bucket_search(qid, &tcpmsg->address, id, bucket);
- dispatch_log(disp, LVL(90),
- "search for response in bucket %d: %s",
- bucket, (resp == NULL ? "not found" : "found"));
-
- if (resp == NULL)
- goto unlock;
- queue_response = resp->item_out;
- rev = allocate_event(disp);
- if (rev == NULL)
- goto unlock;
-
- /*
- * At this point, rev contains the event we want to fill in, and
- * resp contains the information on the place to send it to.
- * Send the event off.
- */
- dns_tcpmsg_keepbuffer(tcpmsg, &rev->buffer);
- disp->tcpbuffers++;
- rev->result = ISC_R_SUCCESS;
- rev->id = id;
- rev->addr = tcpmsg->address;
- if (queue_response) {
- ISC_LIST_APPEND(resp->items, rev, ev_link);
- } else {
- ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL, DNS_EVENT_DISPATCH,
- resp->action, resp->arg, resp, NULL, NULL);
- request_log(disp, resp, LVL(90),
- "[b] Sent event %p buffer %p len %d to task %p",
- rev, rev->buffer.base, rev->buffer.length,
- resp->task);
- resp->item_out = ISC_TRUE;
- isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
- }
- unlock:
- UNLOCK(&qid->lock);
-
- /*
- * Restart recv() to get the next packet.
- */
- restart:
- startrecv(disp);
-
- UNLOCK(&disp->lock);
-
- isc_event_free(&ev_in);
-}
-
-/*
- * disp must be locked.
- */
-static void
-startrecv(dns_dispatch_t *disp) {
- isc_result_t res;
- isc_region_t region;
-
- if (disp->shutting_down == 1)
- return;
-
- if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
- return;
-
- if (disp->recv_pending != 0)
- return;
-
- if (disp->mgr->buffers >= disp->mgr->maxbuffers)
- return;
-
- switch (disp->socktype) {
- /*
- * UDP reads are always maximal.
- */
- case isc_sockettype_udp:
- region.length = disp->mgr->buffersize;
- region.base = allocate_udp_buffer(disp);
- if (region.base == NULL)
- return;
- res = isc_socket_recv(disp->socket, &region, 1,
- disp->task, udp_recv, disp);
- if (res != ISC_R_SUCCESS) {
- free_buffer(disp, region.base, region.length);
- disp->shutdown_why = res;
- disp->shutting_down = 1;
- do_cancel(disp);
- return;
- }
- INSIST(disp->recv_pending == 0);
- disp->recv_pending = 1;
- break;
-
- case isc_sockettype_tcp:
- res = dns_tcpmsg_readmessage(&disp->tcpmsg, disp->task,
- tcp_recv, disp);
- if (res != ISC_R_SUCCESS) {
- disp->shutdown_why = res;
- disp->shutting_down = 1;
- do_cancel(disp);
- return;
- }
- INSIST(disp->recv_pending == 0);
- disp->recv_pending = 1;
- break;
- }
-}
-
-/*
- * Mgr must be locked when calling this function.
- */
-static isc_boolean_t
-destroy_mgr_ok(dns_dispatchmgr_t *mgr) {
- mgr_log(mgr, LVL(90),
- "destroy_mgr_ok: shuttingdown=%d, listnonempty=%d, "
- "epool=%d, rpool=%d, dpool=%d",
- MGR_IS_SHUTTINGDOWN(mgr), !ISC_LIST_EMPTY(mgr->list),
- isc_mempool_getallocated(mgr->epool),
- isc_mempool_getallocated(mgr->rpool),
- isc_mempool_getallocated(mgr->dpool));
- if (!MGR_IS_SHUTTINGDOWN(mgr))
- return (ISC_FALSE);
- if (!ISC_LIST_EMPTY(mgr->list))
- return (ISC_FALSE);
- if (isc_mempool_getallocated(mgr->epool) != 0)
- return (ISC_FALSE);
- if (isc_mempool_getallocated(mgr->rpool) != 0)
- return (ISC_FALSE);
- if (isc_mempool_getallocated(mgr->dpool) != 0)
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
-
-/*
- * Mgr must be unlocked when calling this function.
- */
-static void
-destroy_mgr(dns_dispatchmgr_t **mgrp) {
- isc_mem_t *mctx;
- dns_dispatchmgr_t *mgr;
-
- mgr = *mgrp;
- *mgrp = NULL;
-
- mctx = mgr->mctx;
-
- mgr->magic = 0;
- mgr->mctx = NULL;
- DESTROYLOCK(&mgr->lock);
- mgr->state = 0;
-
- isc_mempool_destroy(&mgr->epool);
- isc_mempool_destroy(&mgr->rpool);
- isc_mempool_destroy(&mgr->dpool);
- isc_mempool_destroy(&mgr->bpool);
-
- DESTROYLOCK(&mgr->pool_lock);
-
- if (mgr->entropy != NULL)
- isc_entropy_detach(&mgr->entropy);
- if (mgr->qid != NULL)
- qid_destroy(mctx, &mgr->qid);
-
- DESTROYLOCK(&mgr->buffer_lock);
-
- if (mgr->blackhole != NULL)
- dns_acl_detach(&mgr->blackhole);
-
- if (mgr->portlist != NULL)
- dns_portlist_detach(&mgr->portlist);
-
- isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
- isc_mem_detach(&mctx);
-}
-
-static isc_result_t
-create_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
- isc_socket_t **sockp)
-{
- isc_socket_t *sock;
- isc_result_t result;
-
- sock = NULL;
- result = isc_socket_create(mgr, isc_sockaddr_pf(local),
- isc_sockettype_udp, &sock);
- if (result != ISC_R_SUCCESS)
- return (result);
-
-#ifndef ISC_ALLOW_MAPPED
- isc_socket_ipv6only(sock, ISC_TRUE);
-#endif
- result = isc_socket_bind(sock, local);
- if (result != ISC_R_SUCCESS) {
- isc_socket_detach(&sock);
- return (result);
- }
-
- *sockp = sock;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Publics.
- */
-
-isc_result_t
-dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
- dns_dispatchmgr_t **mgrp)
-{
- dns_dispatchmgr_t *mgr;
- isc_result_t result;
-
- REQUIRE(mctx != NULL);
- REQUIRE(mgrp != NULL && *mgrp == NULL);
-
- mgr = isc_mem_get(mctx, sizeof(dns_dispatchmgr_t));
- if (mgr == NULL)
- return (ISC_R_NOMEMORY);
-
- mgr->mctx = NULL;
- isc_mem_attach(mctx, &mgr->mctx);
-
- mgr->blackhole = NULL;
- mgr->portlist = NULL;
-
- result = isc_mutex_init(&mgr->lock);
- if (result != ISC_R_SUCCESS)
- goto deallocate;
-
- result = isc_mutex_init(&mgr->buffer_lock);
- if (result != ISC_R_SUCCESS)
- goto kill_lock;
-
- result = isc_mutex_init(&mgr->pool_lock);
- if (result != ISC_R_SUCCESS)
- goto kill_buffer_lock;
-
- mgr->epool = NULL;
- if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatchevent_t),
- &mgr->epool) != ISC_R_SUCCESS) {
- result = ISC_R_NOMEMORY;
- goto kill_pool_lock;
- }
-
- mgr->rpool = NULL;
- if (isc_mempool_create(mgr->mctx, sizeof(dns_dispentry_t),
- &mgr->rpool) != ISC_R_SUCCESS) {
- result = ISC_R_NOMEMORY;
- goto kill_epool;
- }
-
- mgr->dpool = NULL;
- if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatch_t),
- &mgr->dpool) != ISC_R_SUCCESS) {
- result = ISC_R_NOMEMORY;
- goto kill_rpool;
- }
-
- isc_mempool_setname(mgr->epool, "dispmgr_epool");
- isc_mempool_setfreemax(mgr->epool, 1024);
- isc_mempool_associatelock(mgr->epool, &mgr->pool_lock);
-
- isc_mempool_setname(mgr->rpool, "dispmgr_rpool");
- isc_mempool_setfreemax(mgr->rpool, 1024);
- isc_mempool_associatelock(mgr->rpool, &mgr->pool_lock);
-
- isc_mempool_setname(mgr->dpool, "dispmgr_dpool");
- isc_mempool_setfreemax(mgr->dpool, 1024);
- isc_mempool_associatelock(mgr->dpool, &mgr->pool_lock);
-
- mgr->buffers = 0;
- mgr->buffersize = 0;
- mgr->maxbuffers = 0;
- mgr->bpool = NULL;
- mgr->entropy = NULL;
- mgr->qid = NULL;
- mgr->state = 0;
- ISC_LIST_INIT(mgr->list);
- mgr->magic = DNS_DISPATCHMGR_MAGIC;
-
- if (entropy != NULL)
- isc_entropy_attach(entropy, &mgr->entropy);
-
- *mgrp = mgr;
- return (ISC_R_SUCCESS);
-
- kill_rpool:
- isc_mempool_destroy(&mgr->rpool);
- kill_epool:
- isc_mempool_destroy(&mgr->epool);
- kill_pool_lock:
- DESTROYLOCK(&mgr->pool_lock);
- kill_buffer_lock:
- DESTROYLOCK(&mgr->buffer_lock);
- kill_lock:
- DESTROYLOCK(&mgr->lock);
- deallocate:
- isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
- isc_mem_detach(&mctx);
-
- return (result);
-}
-
-void
-dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole) {
- REQUIRE(VALID_DISPATCHMGR(mgr));
- if (mgr->blackhole != NULL)
- dns_acl_detach(&mgr->blackhole);
- dns_acl_attach(blackhole, &mgr->blackhole);
-}
-
-dns_acl_t *
-dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr) {
- REQUIRE(VALID_DISPATCHMGR(mgr));
- return (mgr->blackhole);
-}
-
-void
-dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
- dns_portlist_t *portlist)
-{
- REQUIRE(VALID_DISPATCHMGR(mgr));
- if (mgr->portlist != NULL)
- dns_portlist_detach(&mgr->portlist);
- if (portlist != NULL)
- dns_portlist_attach(portlist, &mgr->portlist);
-}
-
-dns_portlist_t *
-dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr) {
- REQUIRE(VALID_DISPATCHMGR(mgr));
- return (mgr->portlist);
-}
-
-static isc_result_t
-dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
- unsigned int buffersize, unsigned int maxbuffers,
- unsigned int buckets, unsigned int increment)
-{
- isc_result_t result;
-
- REQUIRE(VALID_DISPATCHMGR(mgr));
- REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
- REQUIRE(maxbuffers > 0);
- REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
- REQUIRE(increment > buckets);
-
- /*
- * Keep some number of items around. This should be a config
- * option. For now, keep 8, but later keep at least two even
- * if the caller wants less. This allows us to ensure certain
- * things, like an event can be "freed" and the next allocation
- * will always succeed.
- *
- * Note that if limits are placed on anything here, we use one
- * event internally, so the actual limit should be "wanted + 1."
- *
- * XXXMLG
- */
-
- if (maxbuffers < 8)
- maxbuffers = 8;
-
- LOCK(&mgr->buffer_lock);
- if (mgr->bpool != NULL) {
- isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
- mgr->maxbuffers = maxbuffers;
- UNLOCK(&mgr->buffer_lock);
- return (ISC_R_SUCCESS);
- }
-
- if (isc_mempool_create(mgr->mctx, buffersize,
- &mgr->bpool) != ISC_R_SUCCESS) {
- return (ISC_R_NOMEMORY);
- }
-
- isc_mempool_setname(mgr->bpool, "dispmgr_bpool");
- isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
- isc_mempool_associatelock(mgr->bpool, &mgr->pool_lock);
-
- result = qid_allocate(mgr, buckets, increment, &mgr->qid);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- mgr->buffersize = buffersize;
- mgr->maxbuffers = maxbuffers;
- UNLOCK(&mgr->buffer_lock);
- return (ISC_R_SUCCESS);
-
- cleanup:
- isc_mempool_destroy(&mgr->bpool);
- UNLOCK(&mgr->buffer_lock);
- return (ISC_R_NOMEMORY);
-}
-
-void
-dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
- dns_dispatchmgr_t *mgr;
- isc_boolean_t killit;
-
- REQUIRE(mgrp != NULL);
- REQUIRE(VALID_DISPATCHMGR(*mgrp));
-
- mgr = *mgrp;
- *mgrp = NULL;
-
- LOCK(&mgr->lock);
- mgr->state |= MGR_SHUTTINGDOWN;
-
- killit = destroy_mgr_ok(mgr);
- UNLOCK(&mgr->lock);
-
- mgr_log(mgr, LVL(90), "destroy: killit=%d", killit);
-
- if (killit)
- destroy_mgr(&mgr);
-}
-
-static isc_boolean_t
-blacklisted(dns_dispatchmgr_t *mgr, isc_socket_t *sock) {
- isc_sockaddr_t sockaddr;
- isc_result_t result;
-
- if (mgr->portlist == NULL)
- return (ISC_FALSE);
-
- result = isc_socket_getsockname(sock, &sockaddr);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
-
- if (mgr->portlist != NULL &&
- dns_portlist_match(mgr->portlist, isc_sockaddr_pf(&sockaddr),
- isc_sockaddr_getport(&sockaddr)))
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-#define ATTRMATCH(_a1, _a2, _mask) (((_a1) & (_mask)) == ((_a2) & (_mask)))
-
-static isc_boolean_t
-local_addr_match(dns_dispatch_t *disp, isc_sockaddr_t *addr) {
- isc_sockaddr_t sockaddr;
- isc_result_t result;
-
- if (addr == NULL)
- return (ISC_TRUE);
-
- /*
- * Don't match wildcard ports against newly blacklisted ports.
- */
- if (disp->mgr->portlist != NULL &&
- isc_sockaddr_getport(addr) == 0 &&
- isc_sockaddr_getport(&disp->local) == 0 &&
- blacklisted(disp->mgr, disp->socket))
- return (ISC_FALSE);
-
- /*
- * Check if we match the binding <address,port>.
- * Wildcard ports match/fail here.
- */
- if (isc_sockaddr_equal(&disp->local, addr))
- return (ISC_TRUE);
- if (isc_sockaddr_getport(addr) == 0)
- return (ISC_FALSE);
-
- /*
- * Check if we match a bound wildcard port <address,port>.
- */
- if (!isc_sockaddr_eqaddr(&disp->local, addr))
- return (ISC_FALSE);
- result = isc_socket_getsockname(disp->socket, &sockaddr);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
-
- return (isc_sockaddr_equal(&sockaddr, addr));
-}
-
-/*
- * Requires mgr be locked.
- *
- * No dispatcher can be locked by this thread when calling this function.
- *
- *
- * NOTE:
- * If a matching dispatcher is found, it is locked after this function
- * returns, and must be unlocked by the caller.
- */
-static isc_result_t
-dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local,
- unsigned int attributes, unsigned int mask,
- dns_dispatch_t **dispp)
-{
- dns_dispatch_t *disp;
- isc_result_t result;
-
- /*
- * Make certain that we will not match a private dispatch.
- */
- attributes &= ~DNS_DISPATCHATTR_PRIVATE;
- mask |= DNS_DISPATCHATTR_PRIVATE;
-
- disp = ISC_LIST_HEAD(mgr->list);
- while (disp != NULL) {
- LOCK(&disp->lock);
- if ((disp->shutting_down == 0)
- && ATTRMATCH(disp->attributes, attributes, mask)
- && local_addr_match(disp, local))
- break;
- UNLOCK(&disp->lock);
- disp = ISC_LIST_NEXT(disp, link);
- }
-
- if (disp == NULL) {
- result = ISC_R_NOTFOUND;
- goto out;
- }
-
- *dispp = disp;
- result = ISC_R_SUCCESS;
- out:
-
- return (result);
-}
-
-static isc_result_t
-qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
- unsigned int increment, dns_qid_t **qidp)
-{
- dns_qid_t *qid;
- unsigned int i;
-
- REQUIRE(VALID_DISPATCHMGR(mgr));
- REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
- REQUIRE(increment > buckets);
- REQUIRE(qidp != NULL && *qidp == NULL);
-
- qid = isc_mem_get(mgr->mctx, sizeof(*qid));
- if (qid == NULL)
- return (ISC_R_NOMEMORY);
-
- qid->qid_table = isc_mem_get(mgr->mctx,
- buckets * sizeof(dns_displist_t));
- if (qid->qid_table == NULL) {
- isc_mem_put(mgr->mctx, qid, sizeof(*qid));
- return (ISC_R_NOMEMORY);
- }
-
- if (isc_mutex_init(&qid->lock) != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
- isc_mem_put(mgr->mctx, qid->qid_table,
- buckets * sizeof(dns_displist_t));
- isc_mem_put(mgr->mctx, qid, sizeof(*qid));
- return (ISC_R_UNEXPECTED);
- }
-
- for (i = 0; i < buckets; i++)
- ISC_LIST_INIT(qid->qid_table[i]);
-
- qid->qid_nbuckets = buckets;
- qid->qid_increment = increment;
- qid->magic = QID_MAGIC;
-
- /*
- * Initialize to a 32-bit LFSR. Both of these are from Applied
- * Cryptography.
- *
- * lfsr1:
- * x^32 + x^7 + x^5 + x^3 + x^2 + x + 1
- *
- * lfsr2:
- * x^32 + x^7 + x^6 + x^2 + 1
- */
- isc_lfsr_init(&qid->qid_lfsr1, 0, 32, 0x80000057U,
- 0, reseed_lfsr, mgr);
- isc_lfsr_init(&qid->qid_lfsr2, 0, 32, 0x80000062U,
- 0, reseed_lfsr, mgr);
- *qidp = qid;
- return (ISC_R_SUCCESS);
-}
-
-static void
-qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) {
- dns_qid_t *qid;
-
- REQUIRE(qidp != NULL);
- qid = *qidp;
-
- REQUIRE(VALID_QID(qid));
-
- *qidp = NULL;
- qid->magic = 0;
- isc_mem_put(mctx, qid->qid_table,
- qid->qid_nbuckets * sizeof(dns_displist_t));
- DESTROYLOCK(&qid->lock);
- isc_mem_put(mctx, qid, sizeof(*qid));
-}
-
-/*
- * Allocate and set important limits.
- */
-static isc_result_t
-dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
- dns_dispatch_t **dispp)
-{
- dns_dispatch_t *disp;
- isc_result_t res;
-
- REQUIRE(VALID_DISPATCHMGR(mgr));
- REQUIRE(dispp != NULL && *dispp == NULL);
-
- /*
- * Set up the dispatcher, mostly. Don't bother setting some of
- * the options that are controlled by tcp vs. udp, etc.
- */
-
- disp = isc_mempool_get(mgr->dpool);
- if (disp == NULL)
- return (ISC_R_NOMEMORY);
-
- disp->magic = 0;
- disp->mgr = mgr;
- disp->maxrequests = maxrequests;
- disp->attributes = 0;
- ISC_LINK_INIT(disp, link);
- disp->refcount = 1;
- disp->recv_pending = 0;
- memset(&disp->local, 0, sizeof(disp->local));
- disp->shutting_down = 0;
- disp->shutdown_out = 0;
- disp->connected = 0;
- disp->tcpmsg_valid = 0;
- disp->shutdown_why = ISC_R_UNEXPECTED;
- disp->requests = 0;
- disp->tcpbuffers = 0;
- disp->qid = NULL;
-
- if (isc_mutex_init(&disp->lock) != ISC_R_SUCCESS) {
- res = ISC_R_UNEXPECTED;
- UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
- goto deallocate;
- }
-
- disp->failsafe_ev = allocate_event(disp);
- if (disp->failsafe_ev == NULL) {
- res = ISC_R_NOMEMORY;
- goto kill_lock;
- }
-
- disp->magic = DISPATCH_MAGIC;
-
- *dispp = disp;
- return (ISC_R_SUCCESS);
-
- /*
- * error returns
- */
- kill_lock:
- DESTROYLOCK(&disp->lock);
- deallocate:
- isc_mempool_put(mgr->dpool, disp);
-
- return (res);
-}
-
-
-/*
- * MUST be unlocked, and not used by anthing.
- */
-static void
-dispatch_free(dns_dispatch_t **dispp)
-{
- dns_dispatch_t *disp;
- dns_dispatchmgr_t *mgr;
-
- REQUIRE(VALID_DISPATCH(*dispp));
- disp = *dispp;
- *dispp = NULL;
-
- mgr = disp->mgr;
- REQUIRE(VALID_DISPATCHMGR(mgr));
-
- if (disp->tcpmsg_valid) {
- dns_tcpmsg_invalidate(&disp->tcpmsg);
- disp->tcpmsg_valid = 0;
- }
-
- INSIST(disp->tcpbuffers == 0);
- INSIST(disp->requests == 0);
- INSIST(disp->recv_pending == 0);
-
- isc_mempool_put(mgr->epool, disp->failsafe_ev);
- disp->failsafe_ev = NULL;
-
- if (disp->qid != NULL)
- qid_destroy(mgr->mctx, &disp->qid);
- disp->mgr = NULL;
- DESTROYLOCK(&disp->lock);
- disp->magic = 0;
- isc_mempool_put(mgr->dpool, disp);
-}
-
-isc_result_t
-dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
- isc_taskmgr_t *taskmgr, unsigned int buffersize,
- unsigned int maxbuffers, unsigned int maxrequests,
- unsigned int buckets, unsigned int increment,
- unsigned int attributes, dns_dispatch_t **dispp)
-{
- isc_result_t result;
- dns_dispatch_t *disp;
-
- UNUSED(maxbuffers);
- UNUSED(buffersize);
-
- REQUIRE(VALID_DISPATCHMGR(mgr));
- REQUIRE(isc_socket_gettype(sock) == isc_sockettype_tcp);
- REQUIRE((attributes & DNS_DISPATCHATTR_TCP) != 0);
- REQUIRE((attributes & DNS_DISPATCHATTR_UDP) == 0);
-
- attributes |= DNS_DISPATCHATTR_PRIVATE; /* XXXMLG */
-
- LOCK(&mgr->lock);
-
- /*
- * dispatch_allocate() checks mgr for us.
- * qid_allocate() checks buckets and increment for us.
- */
- disp = NULL;
- result = dispatch_allocate(mgr, maxrequests, &disp);
- if (result != ISC_R_SUCCESS) {
- UNLOCK(&mgr->lock);
- return (result);
- }
-
- result = qid_allocate(mgr, buckets, increment, &disp->qid);
- if (result != ISC_R_SUCCESS)
- goto deallocate_dispatch;
-
- disp->socktype = isc_sockettype_tcp;
- disp->socket = NULL;
- isc_socket_attach(sock, &disp->socket);
-
- disp->task = NULL;
- result = isc_task_create(taskmgr, 0, &disp->task);
- if (result != ISC_R_SUCCESS)
- goto kill_socket;
-
- disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
- DNS_EVENT_DISPATCHCONTROL,
- destroy_disp, disp,
- sizeof(isc_event_t));
- if (disp->ctlevent == NULL)
- goto kill_task;
-
- isc_task_setname(disp->task, "tcpdispatch", disp);
-
- dns_tcpmsg_init(mgr->mctx, disp->socket, &disp->tcpmsg);
- disp->tcpmsg_valid = 1;
-
- disp->attributes = attributes;
-
- /*
- * Append it to the dispatcher list.
- */
- ISC_LIST_APPEND(mgr->list, disp, link);
- UNLOCK(&mgr->lock);
-
- mgr_log(mgr, LVL(90), "created TCP dispatcher %p", disp);
- dispatch_log(disp, LVL(90), "created task %p", disp->task);
-
- *dispp = disp;
-
- return (ISC_R_SUCCESS);
-
- /*
- * Error returns.
- */
- kill_task:
- isc_task_detach(&disp->task);
- kill_socket:
- isc_socket_detach(&disp->socket);
- deallocate_dispatch:
- dispatch_free(&disp);
-
- UNLOCK(&mgr->lock);
-
- return (result);
-}
-
-isc_result_t
-dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
- isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
- unsigned int buffersize,
- unsigned int maxbuffers, unsigned int maxrequests,
- unsigned int buckets, unsigned int increment,
- unsigned int attributes, unsigned int mask,
- dns_dispatch_t **dispp)
-{
- isc_result_t result;
- dns_dispatch_t *disp;
-
- REQUIRE(VALID_DISPATCHMGR(mgr));
- REQUIRE(sockmgr != NULL);
- REQUIRE(localaddr != NULL);
- REQUIRE(taskmgr != NULL);
- REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
- REQUIRE(maxbuffers > 0);
- REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
- REQUIRE(increment > buckets);
- REQUIRE(dispp != NULL && *dispp == NULL);
- REQUIRE((attributes & DNS_DISPATCHATTR_TCP) == 0);
-
- result = dns_dispatchmgr_setudp(mgr, buffersize, maxbuffers,
- buckets, increment);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- LOCK(&mgr->lock);
-
- /*
- * First, see if we have a dispatcher that matches.
- */
- disp = NULL;
- result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
- if (result == ISC_R_SUCCESS) {
- disp->refcount++;
-
- if (disp->maxrequests < maxrequests)
- disp->maxrequests = maxrequests;
-
- if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) == 0 &&
- (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
- {
- disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
- if (disp->recv_pending != 0)
- isc_socket_cancel(disp->socket, disp->task,
- ISC_SOCKCANCEL_RECV);
- }
-
- UNLOCK(&disp->lock);
- UNLOCK(&mgr->lock);
-
- *dispp = disp;
-
- return (ISC_R_SUCCESS);
- }
-
- /*
- * Nope, create one.
- */
- result = dispatch_createudp(mgr, sockmgr, taskmgr, localaddr,
- maxrequests, attributes, &disp);
- if (result != ISC_R_SUCCESS) {
- UNLOCK(&mgr->lock);
- return (result);
- }
-
- UNLOCK(&mgr->lock);
- *dispp = disp;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * mgr should be locked.
- */
-static isc_result_t
-dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
- isc_taskmgr_t *taskmgr,
- isc_sockaddr_t *localaddr,
- unsigned int maxrequests,
- unsigned int attributes,
- dns_dispatch_t **dispp)
-{
- isc_result_t result;
- dns_dispatch_t *disp;
- isc_socket_t *sock;
-
- /*
- * dispatch_allocate() checks mgr for us.
- */
- disp = NULL;
- result = dispatch_allocate(mgr, maxrequests, &disp);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * This assumes that the IP stack will *not* quickly reallocate
- * the same port. If it does continually reallocate the same port
- * then we need a mechanism to hold all the blacklisted sockets
- * until we find a usable socket.
- */
- getsocket:
- result = create_socket(sockmgr, localaddr, &sock);
- if (result != ISC_R_SUCCESS)
- goto deallocate_dispatch;
- if (isc_sockaddr_getport(localaddr) == 0 && blacklisted(mgr, sock)) {
- isc_socket_detach(&sock);
- goto getsocket;
- }
-
- disp->socktype = isc_sockettype_udp;
- disp->socket = sock;
- disp->local = *localaddr;
-
- disp->task = NULL;
- result = isc_task_create(taskmgr, 0, &disp->task);
- if (result != ISC_R_SUCCESS)
- goto kill_socket;
-
- disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
- DNS_EVENT_DISPATCHCONTROL,
- destroy_disp, disp,
- sizeof(isc_event_t));
- if (disp->ctlevent == NULL)
- goto kill_task;
-
- isc_task_setname(disp->task, "udpdispatch", disp);
-
- attributes &= ~DNS_DISPATCHATTR_TCP;
- attributes |= DNS_DISPATCHATTR_UDP;
- disp->attributes = attributes;
-
- /*
- * Append it to the dispatcher list.
- */
- ISC_LIST_APPEND(mgr->list, disp, link);
-
- mgr_log(mgr, LVL(90), "created UDP dispatcher %p", disp);
- dispatch_log(disp, LVL(90), "created task %p", disp->task);
- dispatch_log(disp, LVL(90), "created socket %p", disp->socket);
-
- *dispp = disp;
-
- return (ISC_R_SUCCESS);
-
- /*
- * Error returns.
- */
- kill_task:
- isc_task_detach(&disp->task);
- kill_socket:
- isc_socket_detach(&disp->socket);
- deallocate_dispatch:
- dispatch_free(&disp);
-
- return (result);
-}
-
-void
-dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp) {
- REQUIRE(VALID_DISPATCH(disp));
- REQUIRE(dispp != NULL && *dispp == NULL);
-
- LOCK(&disp->lock);
- disp->refcount++;
- UNLOCK(&disp->lock);
-
- *dispp = disp;
-}
-
-/*
- * It is important to lock the manager while we are deleting the dispatch,
- * since dns_dispatch_getudp will call dispatch_find, which returns to
- * the caller a dispatch but does not attach to it until later. _getudp
- * locks the manager, however, so locking it here will keep us from attaching
- * to a dispatcher that is in the process of going away.
- */
-void
-dns_dispatch_detach(dns_dispatch_t **dispp) {
- dns_dispatch_t *disp;
- isc_boolean_t killit;
-
- REQUIRE(dispp != NULL && VALID_DISPATCH(*dispp));
-
- disp = *dispp;
- *dispp = NULL;
-
- LOCK(&disp->lock);
-
- INSIST(disp->refcount > 0);
- disp->refcount--;
- killit = ISC_FALSE;
- if (disp->refcount == 0) {
- if (disp->recv_pending > 0)
- isc_socket_cancel(disp->socket, disp->task,
- ISC_SOCKCANCEL_RECV);
- disp->shutting_down = 1;
- }
-
- dispatch_log(disp, LVL(90), "detach: refcount %d", disp->refcount);
-
- killit = destroy_disp_ok(disp);
- UNLOCK(&disp->lock);
- if (killit)
- isc_task_send(disp->task, &disp->ctlevent);
-}
-
-isc_result_t
-dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_messageid_t *idp, dns_dispentry_t **resp)
-{
- dns_dispentry_t *res;
- unsigned int bucket;
- dns_messageid_t id;
- int i;
- isc_boolean_t ok;
- dns_qid_t *qid;
-
- REQUIRE(VALID_DISPATCH(disp));
- REQUIRE(task != NULL);
- REQUIRE(dest != NULL);
- REQUIRE(resp != NULL && *resp == NULL);
- REQUIRE(idp != NULL);
-
- LOCK(&disp->lock);
-
- if (disp->shutting_down == 1) {
- UNLOCK(&disp->lock);
- return (ISC_R_SHUTTINGDOWN);
- }
-
- if (disp->requests >= disp->maxrequests) {
- UNLOCK(&disp->lock);
- return (ISC_R_QUOTA);
- }
-
- /*
- * Try somewhat hard to find an unique ID.
- */
- qid = DNS_QID(disp);
- LOCK(&qid->lock);
- id = dns_randomid(qid);
- bucket = dns_hash(qid, dest, id);
- ok = ISC_FALSE;
- for (i = 0; i < 64; i++) {
- if (bucket_search(qid, dest, id, bucket) == NULL) {
- ok = ISC_TRUE;
- break;
- }
- id += qid->qid_increment;
- id &= 0x0000ffff;
- bucket = dns_hash(qid, dest, id);
- }
-
- if (!ok) {
- UNLOCK(&qid->lock);
- UNLOCK(&disp->lock);
- return (ISC_R_NOMORE);
- }
-
- res = isc_mempool_get(disp->mgr->rpool);
- if (res == NULL) {
- UNLOCK(&qid->lock);
- UNLOCK(&disp->lock);
- return (ISC_R_NOMEMORY);
- }
-
- disp->refcount++;
- disp->requests++;
- res->task = NULL;
- isc_task_attach(task, &res->task);
- res->disp = disp;
- res->id = id;
- res->bucket = bucket;
- res->host = *dest;
- res->action = action;
- res->arg = arg;
- res->item_out = ISC_FALSE;
- ISC_LIST_INIT(res->items);
- ISC_LINK_INIT(res, link);
- res->magic = RESPONSE_MAGIC;
- ISC_LIST_APPEND(qid->qid_table[bucket], res, link);
- UNLOCK(&qid->lock);
-
- request_log(disp, res, LVL(90),
- "attached to task %p", res->task);
-
- if (((disp->attributes & DNS_DISPATCHATTR_UDP) != 0) ||
- ((disp->attributes & DNS_DISPATCHATTR_CONNECTED) != 0))
- startrecv(disp);
-
- UNLOCK(&disp->lock);
-
- *idp = id;
- *resp = res;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_dispatch_starttcp(dns_dispatch_t *disp) {
-
- REQUIRE(VALID_DISPATCH(disp));
-
- dispatch_log(disp, LVL(90), "starttcp %p", disp->task);
-
- LOCK(&disp->lock);
- disp->attributes |= DNS_DISPATCHATTR_CONNECTED;
- startrecv(disp);
- UNLOCK(&disp->lock);
-}
-
-void
-dns_dispatch_removeresponse(dns_dispentry_t **resp,
- dns_dispatchevent_t **sockevent)
-{
- dns_dispatchmgr_t *mgr;
- dns_dispatch_t *disp;
- dns_dispentry_t *res;
- dns_dispatchevent_t *ev;
- unsigned int bucket;
- isc_boolean_t killit;
- unsigned int n;
- isc_eventlist_t events;
- dns_qid_t *qid;
-
- REQUIRE(resp != NULL);
- REQUIRE(VALID_RESPONSE(*resp));
-
- res = *resp;
- *resp = NULL;
-
- disp = res->disp;
- REQUIRE(VALID_DISPATCH(disp));
- mgr = disp->mgr;
- REQUIRE(VALID_DISPATCHMGR(mgr));
-
- qid = DNS_QID(disp);
-
- if (sockevent != NULL) {
- REQUIRE(*sockevent != NULL);
- ev = *sockevent;
- *sockevent = NULL;
- } else {
- ev = NULL;
- }
-
- LOCK(&disp->lock);
-
- INSIST(disp->requests > 0);
- disp->requests--;
- INSIST(disp->refcount > 0);
- disp->refcount--;
- killit = ISC_FALSE;
- if (disp->refcount == 0) {
- if (disp->recv_pending > 0)
- isc_socket_cancel(disp->socket, disp->task,
- ISC_SOCKCANCEL_RECV);
- disp->shutting_down = 1;
- }
-
- bucket = res->bucket;
-
- LOCK(&qid->lock);
- ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
- UNLOCK(&qid->lock);
-
- if (ev == NULL && res->item_out) {
- /*
- * We've posted our event, but the caller hasn't gotten it
- * yet. Take it back.
- */
- ISC_LIST_INIT(events);
- n = isc_task_unsend(res->task, res, DNS_EVENT_DISPATCH,
- NULL, &events);
- /*
- * We had better have gotten it back.
- */
- INSIST(n == 1);
- ev = (dns_dispatchevent_t *)ISC_LIST_HEAD(events);
- }
-
- if (ev != NULL) {
- REQUIRE(res->item_out == ISC_TRUE);
- res->item_out = ISC_FALSE;
- if (ev->buffer.base != NULL)
- free_buffer(disp, ev->buffer.base, ev->buffer.length);
- free_event(disp, ev);
- }
-
- request_log(disp, res, LVL(90), "detaching from task %p", res->task);
- isc_task_detach(&res->task);
-
- /*
- * Free any buffered requests as well
- */
- ev = ISC_LIST_HEAD(res->items);
- while (ev != NULL) {
- ISC_LIST_UNLINK(res->items, ev, ev_link);
- if (ev->buffer.base != NULL)
- free_buffer(disp, ev->buffer.base, ev->buffer.length);
- free_event(disp, ev);
- ev = ISC_LIST_HEAD(res->items);
- }
- res->magic = 0;
- isc_mempool_put(disp->mgr->rpool, res);
- if (disp->shutting_down == 1)
- do_cancel(disp);
- else
- startrecv(disp);
-
- killit = destroy_disp_ok(disp);
- UNLOCK(&disp->lock);
- if (killit)
- isc_task_send(disp->task, &disp->ctlevent);
-}
-
-static void
-do_cancel(dns_dispatch_t *disp) {
- dns_dispatchevent_t *ev;
- dns_dispentry_t *resp;
- dns_qid_t *qid;
-
- if (disp->shutdown_out == 1)
- return;
-
- qid = DNS_QID(disp);
-
- /*
- * Search for the first response handler without packets outstanding.
- */
- LOCK(&qid->lock);
- for (resp = linear_first(qid);
- resp != NULL && resp->item_out != ISC_FALSE;
- /* Empty. */)
- resp = linear_next(qid, resp);
- /*
- * No one to send the cancel event to, so nothing to do.
- */
- if (resp == NULL)
- goto unlock;
-
- /*
- * Send the shutdown failsafe event to this resp.
- */
- ev = disp->failsafe_ev;
- ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
- resp->action, resp->arg, resp, NULL, NULL);
- ev->result = disp->shutdown_why;
- ev->buffer.base = NULL;
- ev->buffer.length = 0;
- disp->shutdown_out = 1;
- request_log(disp, resp, LVL(10),
- "cancel: failsafe event %p -> task %p",
- ev, resp->task);
- resp->item_out = ISC_TRUE;
- isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
- unlock:
- UNLOCK(&qid->lock);
-}
-
-isc_socket_t *
-dns_dispatch_getsocket(dns_dispatch_t *disp) {
- REQUIRE(VALID_DISPATCH(disp));
-
- return (disp->socket);
-}
-
-isc_result_t
-dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp) {
-
- REQUIRE(VALID_DISPATCH(disp));
- REQUIRE(addrp != NULL);
-
- if (disp->socktype == isc_sockettype_udp) {
- *addrp = disp->local;
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-void
-dns_dispatch_cancel(dns_dispatch_t *disp) {
- REQUIRE(VALID_DISPATCH(disp));
-
- LOCK(&disp->lock);
-
- if (disp->shutting_down == 1) {
- UNLOCK(&disp->lock);
- return;
- }
-
- disp->shutdown_why = ISC_R_CANCELED;
- disp->shutting_down = 1;
- do_cancel(disp);
-
- UNLOCK(&disp->lock);
-
- return;
-}
-
-void
-dns_dispatch_changeattributes(dns_dispatch_t *disp,
- unsigned int attributes, unsigned int mask)
-{
- REQUIRE(VALID_DISPATCH(disp));
-
- /* XXXMLG
- * Should check for valid attributes here!
- */
-
- LOCK(&disp->lock);
-
- if ((mask & DNS_DISPATCHATTR_NOLISTEN) != 0) {
- if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0 &&
- (attributes & DNS_DISPATCHATTR_NOLISTEN) == 0) {
- disp->attributes &= ~DNS_DISPATCHATTR_NOLISTEN;
- startrecv(disp);
- } else if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN)
- == 0 &&
- (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0) {
- disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
- if (disp->recv_pending != 0)
- isc_socket_cancel(disp->socket, disp->task,
- ISC_SOCKCANCEL_RECV);
- }
- }
-
- disp->attributes &= ~mask;
- disp->attributes |= (attributes & mask);
- UNLOCK(&disp->lock);
-}
-
-void
-dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
- void *buf;
- isc_socketevent_t *sevent, *newsevent;
-
- REQUIRE(VALID_DISPATCH(disp));
- REQUIRE((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0);
- REQUIRE(event != NULL);
-
- sevent = (isc_socketevent_t *)event;
-
- INSIST(sevent->n <= disp->mgr->buffersize);
- newsevent = (isc_socketevent_t *)
- isc_event_allocate(disp->mgr->mctx, NULL,
- DNS_EVENT_IMPORTRECVDONE, udp_recv,
- disp, sizeof(isc_socketevent_t));
- if (newsevent == NULL)
- return;
-
- buf = allocate_udp_buffer(disp);
- if (buf == NULL) {
- isc_event_free(ISC_EVENT_PTR(&newsevent));
- return;
- }
- memcpy(buf, sevent->region.base, sevent->n);
- newsevent->region.base = buf;
- newsevent->region.length = disp->mgr->buffersize;
- newsevent->n = sevent->n;
- newsevent->result = sevent->result;
- newsevent->address = sevent->address;
- newsevent->timestamp = sevent->timestamp;
- newsevent->pktinfo = sevent->pktinfo;
- newsevent->attributes = sevent->attributes;
-
- isc_task_send(disp->task, ISC_EVENT_PTR(&newsevent));
-}
-
-#if 0
-void
-dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
- dns_dispatch_t *disp;
- char foo[1024];
-
- disp = ISC_LIST_HEAD(mgr->list);
- while (disp != NULL) {
- isc_sockaddr_format(&disp->local, foo, sizeof(foo));
- printf("\tdispatch %p, addr %s\n", disp, foo);
- disp = ISC_LIST_NEXT(disp, link);
- }
-}
-#endif
diff --git a/contrib/bind9/lib/dns/dnssec.c b/contrib/bind9/lib/dns/dnssec.c
deleted file mode 100644
index 34ff3d3aceb6..000000000000
--- a/contrib/bind9/lib/dns/dnssec.c
+++ /dev/null
@@ -1,857 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: dnssec.c,v 1.69.2.5.2.7 2004/06/11 00:30:54 marka Exp $
- */
-
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/serial.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/message.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
-
-#include <dst/result.h>
-
-#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
-
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto failure; \
- } while (0)
-
-
-#define TYPE_SIGN 0
-#define TYPE_VERIFY 1
-
-static isc_result_t
-digest_callback(void *arg, isc_region_t *data);
-
-static int
-rdata_compare_wrapper(const void *rdata1, const void *rdata2);
-
-static isc_result_t
-rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
- dns_rdata_t **rdata, int *nrdata);
-
-static isc_result_t
-digest_callback(void *arg, isc_region_t *data) {
- dst_context_t *ctx = arg;
-
- return (dst_context_adddata(ctx, data));
-}
-
-/*
- * Make qsort happy.
- */
-static int
-rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
- return (dns_rdata_compare((const dns_rdata_t *)rdata1,
- (const dns_rdata_t *)rdata2));
-}
-
-/*
- * Sort the rdataset into an array.
- */
-static isc_result_t
-rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
- dns_rdata_t **rdata, int *nrdata)
-{
- isc_result_t ret;
- int i = 0, n;
- dns_rdata_t *data;
-
- n = dns_rdataset_count(set);
-
- data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
- if (data == NULL)
- return (ISC_R_NOMEMORY);
-
- ret = dns_rdataset_first(set);
- if (ret != ISC_R_SUCCESS) {
- isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
- return (ret);
- }
-
- /*
- * Put them in the array.
- */
- do {
- dns_rdata_init(&data[i]);
- dns_rdataset_current(set, &data[i++]);
- } while (dns_rdataset_next(set) == ISC_R_SUCCESS);
-
- /*
- * Sort the array.
- */
- qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
- *rdata = data;
- *nrdata = n;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
- dst_key_t **key)
-{
- isc_buffer_t b;
- isc_region_t r;
-
- INSIST(name != NULL);
- INSIST(rdata != NULL);
- INSIST(mctx != NULL);
- INSIST(key != NULL);
- INSIST(*key == NULL);
- REQUIRE(rdata->type == dns_rdatatype_key ||
- rdata->type == dns_rdatatype_dnskey);
-
- dns_rdata_toregion(rdata, &r);
- isc_buffer_init(&b, r.base, r.length);
- isc_buffer_add(&b, r.length);
- return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
-}
-
-static isc_result_t
-digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *sig) {
- isc_region_t r;
- isc_result_t ret;
- dns_fixedname_t fname;
-
- dns_rdata_toregion(sigrdata, &r);
- INSIST(r.length >= 19);
-
- r.length = 18;
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- dns_fixedname_init(&fname);
- RUNTIME_CHECK(dns_name_downcase(&sig->signer,
- dns_fixedname_name(&fname), NULL)
- == ISC_R_SUCCESS);
- dns_name_toregion(dns_fixedname_name(&fname), &r);
- return (dst_context_adddata(ctx, &r));
-}
-
-isc_result_t
-dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_stdtime_t *inception, isc_stdtime_t *expire,
- isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
-{
- dns_rdata_rrsig_t sig;
- dns_rdata_t tmpsigrdata;
- dns_rdata_t *rdatas;
- int nrdatas, i;
- isc_buffer_t sigbuf, envbuf;
- isc_region_t r;
- dst_context_t *ctx = NULL;
- isc_result_t ret;
- isc_buffer_t *databuf = NULL;
- char data[256 + 8];
- isc_uint32_t flags;
- unsigned int sigsize;
- dns_fixedname_t fnewname;
-
- REQUIRE(name != NULL);
- REQUIRE(dns_name_countlabels(name) <= 255);
- REQUIRE(set != NULL);
- REQUIRE(key != NULL);
- REQUIRE(inception != NULL);
- REQUIRE(expire != NULL);
- REQUIRE(mctx != NULL);
- REQUIRE(sigrdata != NULL);
-
- if (*inception >= *expire)
- return (DNS_R_INVALIDTIME);
-
- /*
- * Is the key allowed to sign data?
- */
- flags = dst_key_flags(key);
- if (flags & DNS_KEYTYPE_NOAUTH)
- return (DNS_R_KEYUNAUTHORIZED);
- if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
- return (DNS_R_KEYUNAUTHORIZED);
-
- sig.mctx = mctx;
- sig.common.rdclass = set->rdclass;
- sig.common.rdtype = dns_rdatatype_rrsig;
- ISC_LINK_INIT(&sig.common, link);
-
- dns_name_init(&sig.signer, NULL);
- dns_name_clone(dst_key_name(key), &sig.signer);
-
- sig.covered = set->type;
- sig.algorithm = dst_key_alg(key);
- sig.labels = dns_name_countlabels(name) - 1;
- if (dns_name_iswildcard(name))
- sig.labels--;
- sig.originalttl = set->ttl;
- sig.timesigned = *inception;
- sig.timeexpire = *expire;
- sig.keyid = dst_key_id(key);
- ret = dst_key_sigsize(key, &sigsize);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- sig.siglen = sigsize;
- /*
- * The actual contents of sig.signature are not important yet, since
- * they're not used in digest_sig().
- */
- sig.signature = isc_mem_get(mctx, sig.siglen);
- if (sig.signature == NULL)
- return (ISC_R_NOMEMORY);
-
- ret = isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_signature;
-
- dns_rdata_init(&tmpsigrdata);
- ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
- sig.common.rdtype, &sig, databuf);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_databuf;
-
- ret = dst_context_create(key, mctx, &ctx);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_databuf;
-
- /*
- * Digest the SIG rdata.
- */
- ret = digest_sig(ctx, &tmpsigrdata, &sig);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- dns_fixedname_init(&fnewname);
- RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
- NULL) == ISC_R_SUCCESS);
- dns_name_toregion(dns_fixedname_name(&fnewname), &r);
-
- /*
- * Create an envelope for each rdata: <name|type|class|ttl>.
- */
- isc_buffer_init(&envbuf, data, sizeof(data));
- memcpy(data, r.base, r.length);
- isc_buffer_add(&envbuf, r.length);
- isc_buffer_putuint16(&envbuf, set->type);
- isc_buffer_putuint16(&envbuf, set->rdclass);
- isc_buffer_putuint32(&envbuf, set->ttl);
-
- ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- isc_buffer_usedregion(&envbuf, &r);
-
- for (i = 0; i < nrdatas; i++) {
- isc_uint16_t len;
- isc_buffer_t lenbuf;
- isc_region_t lenr;
-
- /*
- * Skip duplicates.
- */
- if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
- continue;
-
- /*
- * Digest the envelope.
- */
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_array;
-
- /*
- * Digest the length of the rdata.
- */
- isc_buffer_init(&lenbuf, &len, sizeof(len));
- INSIST(rdatas[i].length < 65536);
- isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
- isc_buffer_usedregion(&lenbuf, &lenr);
- ret = dst_context_adddata(ctx, &lenr);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_array;
-
- /*
- * Digest the rdata.
- */
- ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_array;
- }
-
- isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
- ret = dst_context_sign(ctx, &sigbuf);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_array;
- isc_buffer_usedregion(&sigbuf, &r);
- if (r.length != sig.siglen) {
- ret = ISC_R_NOSPACE;
- goto cleanup_array;
- }
- memcpy(sig.signature, r.base, sig.siglen);
-
- ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
- sig.common.rdtype, &sig, buffer);
-
-cleanup_array:
- isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
-cleanup_context:
- dst_context_destroy(&ctx);
-cleanup_databuf:
- if (databuf != NULL)
- isc_buffer_free(&databuf);
-cleanup_signature:
- isc_mem_put(mctx, sig.signature, sig.siglen);
-
- return (ret);
-}
-
-isc_result_t
-dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata, dns_name_t *wild)
-{
- dns_rdata_rrsig_t sig;
- dns_fixedname_t fnewname;
- isc_region_t r;
- isc_buffer_t envbuf;
- dns_rdata_t *rdatas;
- int nrdatas, i;
- isc_stdtime_t now;
- isc_result_t ret;
- unsigned char data[300];
- dst_context_t *ctx = NULL;
- int labels = 0;
- isc_uint32_t flags;
-
- REQUIRE(name != NULL);
- REQUIRE(set != NULL);
- REQUIRE(key != NULL);
- REQUIRE(mctx != NULL);
- REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
-
- ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if (isc_serial_lt(sig.timeexpire, sig.timesigned))
- return (DNS_R_SIGINVALID);
-
- if (!ignoretime) {
- isc_stdtime_get(&now);
-
- /*
- * Is SIG temporally valid?
- */
- if (isc_serial_lt((isc_uint32_t)now, sig.timesigned))
- return (DNS_R_SIGFUTURE);
- else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now))
- return (DNS_R_SIGEXPIRED);
- }
-
- /*
- * Is the key allowed to sign data?
- */
- flags = dst_key_flags(key);
- if (flags & DNS_KEYTYPE_NOAUTH)
- return (DNS_R_KEYUNAUTHORIZED);
- if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
- return (DNS_R_KEYUNAUTHORIZED);
-
- ret = dst_context_create(key, mctx, &ctx);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_struct;
-
- /*
- * Digest the SIG rdata (not including the signature).
- */
- ret = digest_sig(ctx, sigrdata, &sig);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * If the name is an expanded wildcard, use the wildcard name.
- */
- dns_fixedname_init(&fnewname);
- labels = dns_name_countlabels(name) - 1;
- if (labels - sig.labels > 0) {
- dns_name_split(name, sig.labels + 1, NULL,
- dns_fixedname_name(&fnewname));
- RUNTIME_CHECK(dns_name_downcase(dns_fixedname_name(&fnewname),
- dns_fixedname_name(&fnewname),
- NULL)
- == ISC_R_SUCCESS);
- }
- else
- dns_name_downcase(name, dns_fixedname_name(&fnewname), NULL);
-
- dns_name_toregion(dns_fixedname_name(&fnewname), &r);
-
- /*
- * Create an envelope for each rdata: <name|type|class|ttl>.
- */
- isc_buffer_init(&envbuf, data, sizeof(data));
- if (labels - sig.labels > 0) {
- isc_buffer_putuint8(&envbuf, 1);
- isc_buffer_putuint8(&envbuf, '*');
- memcpy(data + 2, r.base, r.length);
- }
- else
- memcpy(data, r.base, r.length);
- isc_buffer_add(&envbuf, r.length);
- isc_buffer_putuint16(&envbuf, set->type);
- isc_buffer_putuint16(&envbuf, set->rdclass);
- isc_buffer_putuint32(&envbuf, sig.originalttl);
-
- ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- isc_buffer_usedregion(&envbuf, &r);
-
- for (i = 0; i < nrdatas; i++) {
- isc_uint16_t len;
- isc_buffer_t lenbuf;
- isc_region_t lenr;
-
- /*
- * Skip duplicates.
- */
- if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
- continue;
-
- /*
- * Digest the envelope.
- */
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_array;
-
- /*
- * Digest the rdata length.
- */
- isc_buffer_init(&lenbuf, &len, sizeof(len));
- INSIST(rdatas[i].length < 65536);
- isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
- isc_buffer_usedregion(&lenbuf, &lenr);
-
- /*
- * Digest the rdata.
- */
- ret = dst_context_adddata(ctx, &lenr);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_array;
- ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_array;
- }
-
- r.base = sig.signature;
- r.length = sig.siglen;
- ret = dst_context_verify(ctx, &r);
- if (ret == DST_R_VERIFYFAILURE)
- ret = DNS_R_SIGINVALID;
-
-cleanup_array:
- isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
-cleanup_context:
- dst_context_destroy(&ctx);
-cleanup_struct:
- dns_rdata_freestruct(&sig);
-
- if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
- if (wild != NULL)
- RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
- dns_fixedname_name(&fnewname),
- wild, NULL) == ISC_R_SUCCESS);
- ret = DNS_R_FROMWILDCARD;
- }
- return (ret);
-}
-
-isc_result_t
-dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata)
-{
- isc_result_t result;
-
- result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
- sigrdata, NULL);
- if (result == DNS_R_FROMWILDCARD)
- result = ISC_R_SUCCESS;
- return (result);
-}
-
-#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
- == DNS_KEYOWNER_ZONE)
-
-isc_result_t
-dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, dns_name_t *name,
- const char *directory, isc_mem_t *mctx,
- unsigned int maxkeys, dst_key_t **keys,
- unsigned int *nkeys)
-{
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- dst_key_t *pubkey = NULL;
- unsigned int count = 0;
-
- *nkeys = 0;
- dns_rdataset_init(&rdataset);
- RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
- &rdataset, NULL));
- RETERR(dns_rdataset_first(&rdataset));
- while (result == ISC_R_SUCCESS && count < maxkeys) {
- pubkey = NULL;
- dns_rdataset_current(&rdataset, &rdata);
- RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
- if (!is_zone_key(pubkey))
- goto next;
- keys[count] = NULL;
- result = dst_key_fromfile(dst_key_name(pubkey),
- dst_key_id(pubkey),
- dst_key_alg(pubkey),
- DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
- directory,
- mctx, &keys[count]);
- if (result == ISC_R_FILENOTFOUND)
- goto next;
- if (result != ISC_R_SUCCESS)
- goto failure;
- if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
- dst_key_free(&keys[count]);
- goto next;
- }
- count++;
- next:
- dst_key_free(&pubkey);
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(&rdataset);
- }
- if (result != ISC_R_NOMORE)
- goto failure;
- if (count == 0)
- result = ISC_R_NOTFOUND;
- else
- result = ISC_R_SUCCESS;
-
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- if (pubkey != NULL)
- dst_key_free(&pubkey);
- *nkeys = count;
- return (result);
-}
-
-isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
- unsigned int maxkeys, dst_key_t **keys,
- unsigned int *nkeys)
-{
- return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
- maxkeys, keys, nkeys));
-}
-
-isc_result_t
-dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
- dns_rdata_sig_t sig; /* SIG(0) */
- unsigned char data[512];
- unsigned char header[DNS_MESSAGE_HEADERLEN];
- isc_buffer_t headerbuf, databuf, sigbuf;
- unsigned int sigsize;
- isc_buffer_t *dynbuf = NULL;
- dns_rdata_t *rdata;
- dns_rdatalist_t *datalist;
- dns_rdataset_t *dataset;
- isc_region_t r;
- isc_stdtime_t now;
- dst_context_t *ctx = NULL;
- isc_mem_t *mctx;
- isc_result_t result;
- isc_boolean_t signeedsfree = ISC_TRUE;
-
- REQUIRE(msg != NULL);
- REQUIRE(key != NULL);
-
- if (is_response(msg))
- REQUIRE(msg->query.base != NULL);
-
- mctx = msg->mctx;
-
- memset(&sig, 0, sizeof(sig));
-
- sig.mctx = mctx;
- sig.common.rdclass = dns_rdataclass_any;
- sig.common.rdtype = dns_rdatatype_sig; /* SIG(0) */
- ISC_LINK_INIT(&sig.common, link);
-
- sig.covered = 0;
- sig.algorithm = dst_key_alg(key);
- sig.labels = 0; /* the root name */
- sig.originalttl = 0;
-
- isc_stdtime_get(&now);
- sig.timesigned = now - DNS_TSIG_FUDGE;
- sig.timeexpire = now + DNS_TSIG_FUDGE;
-
- sig.keyid = dst_key_id(key);
-
- dns_name_init(&sig.signer, NULL);
- dns_name_clone(dst_key_name(key), &sig.signer);
-
- sig.siglen = 0;
- sig.signature = NULL;
-
- isc_buffer_init(&databuf, data, sizeof(data));
-
- RETERR(dst_context_create(key, mctx, &ctx));
-
- /*
- * Digest the fields of the SIG - we can cheat and use
- * dns_rdata_fromstruct. Since siglen is 0, the digested data
- * is identical to dns format.
- */
- RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
- dns_rdatatype_sig /* SIG(0) */,
- &sig, &databuf));
- isc_buffer_usedregion(&databuf, &r);
- RETERR(dst_context_adddata(ctx, &r));
-
- /*
- * If this is a response, digest the query.
- */
- if (is_response(msg))
- RETERR(dst_context_adddata(ctx, &msg->query));
-
- /*
- * Digest the header.
- */
- isc_buffer_init(&headerbuf, header, sizeof(header));
- dns_message_renderheader(msg, &headerbuf);
- isc_buffer_usedregion(&headerbuf, &r);
- RETERR(dst_context_adddata(ctx, &r));
-
- /*
- * Digest the remainder of the message.
- */
- isc_buffer_usedregion(msg->buffer, &r);
- isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
- RETERR(dst_context_adddata(ctx, &r));
-
- RETERR(dst_key_sigsize(key, &sigsize));
- sig.siglen = sigsize;
- sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
- if (sig.signature == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
-
- isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
- RETERR(dst_context_sign(ctx, &sigbuf));
- dst_context_destroy(&ctx);
-
- rdata = NULL;
- RETERR(dns_message_gettemprdata(msg, &rdata));
- RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
- RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
- dns_rdatatype_sig /* SIG(0) */,
- &sig, dynbuf));
-
- isc_mem_put(mctx, sig.signature, sig.siglen);
- signeedsfree = ISC_FALSE;
-
- dns_message_takebuffer(msg, &dynbuf);
-
- datalist = NULL;
- RETERR(dns_message_gettemprdatalist(msg, &datalist));
- datalist->rdclass = dns_rdataclass_any;
- datalist->type = dns_rdatatype_sig; /* SIG(0) */
- datalist->covers = 0;
- datalist->ttl = 0;
- ISC_LIST_INIT(datalist->rdata);
- ISC_LIST_APPEND(datalist->rdata, rdata, link);
- dataset = NULL;
- RETERR(dns_message_gettemprdataset(msg, &dataset));
- dns_rdataset_init(dataset);
- RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) == ISC_R_SUCCESS);
- msg->sig0 = dataset;
-
- return (ISC_R_SUCCESS);
-
-failure:
- if (dynbuf != NULL)
- isc_buffer_free(&dynbuf);
- if (signeedsfree)
- isc_mem_put(mctx, sig.signature, sig.siglen);
- if (ctx != NULL)
- dst_context_destroy(&ctx);
-
- return (result);
-}
-
-isc_result_t
-dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
- dst_key_t *key)
-{
- dns_rdata_sig_t sig; /* SIG(0) */
- unsigned char header[DNS_MESSAGE_HEADERLEN];
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_region_t r, source_r, sig_r, header_r;
- isc_stdtime_t now;
- dst_context_t *ctx = NULL;
- isc_mem_t *mctx;
- isc_result_t result;
- isc_uint16_t addcount;
- isc_boolean_t signeedsfree = ISC_FALSE;
-
- REQUIRE(source != NULL);
- REQUIRE(msg != NULL);
- REQUIRE(key != NULL);
-
- mctx = msg->mctx;
-
- msg->verify_attempted = 1;
-
- if (is_response(msg)) {
- if (msg->query.base == NULL)
- return (DNS_R_UNEXPECTEDTSIG);
- }
-
- isc_buffer_usedregion(source, &source_r);
-
- RETERR(dns_rdataset_first(msg->sig0));
- dns_rdataset_current(msg->sig0, &rdata);
-
- RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
- signeedsfree = ISC_TRUE;
-
- if (sig.labels != 0) {
- result = DNS_R_SIGINVALID;
- goto failure;
- }
-
- if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
- result = DNS_R_SIGINVALID;
- msg->sig0status = dns_tsigerror_badtime;
- goto failure;
- }
-
- isc_stdtime_get(&now);
- if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) {
- result = DNS_R_SIGFUTURE;
- msg->sig0status = dns_tsigerror_badtime;
- goto failure;
- }
- else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) {
- result = DNS_R_SIGEXPIRED;
- msg->sig0status = dns_tsigerror_badtime;
- goto failure;
- }
-
- if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
- result = DNS_R_SIGINVALID;
- msg->sig0status = dns_tsigerror_badkey;
- goto failure;
- }
-
- RETERR(dst_context_create(key, mctx, &ctx));
-
- /*
- * Digest the SIG(0) record, except for the signature.
- */
- dns_rdata_toregion(&rdata, &r);
- r.length -= sig.siglen;
- RETERR(dst_context_adddata(ctx, &r));
-
- /*
- * If this is a response, digest the query.
- */
- if (is_response(msg))
- RETERR(dst_context_adddata(ctx, &msg->query));
-
- /*
- * Extract the header.
- */
- memcpy(header, source_r.base, DNS_MESSAGE_HEADERLEN);
-
- /*
- * Decrement the additional field counter.
- */
- memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
- addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
- memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
-
- /*
- * Digest the modified header.
- */
- header_r.base = (unsigned char *) header;
- header_r.length = DNS_MESSAGE_HEADERLEN;
- RETERR(dst_context_adddata(ctx, &header_r));
-
- /*
- * Digest all non-SIG(0) records.
- */
- r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
- r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
- RETERR(dst_context_adddata(ctx, &r));
-
- sig_r.base = sig.signature;
- sig_r.length = sig.siglen;
- result = dst_context_verify(ctx, &sig_r);
- if (result != ISC_R_SUCCESS) {
- msg->sig0status = dns_tsigerror_badsig;
- goto failure;
- }
-
- msg->verified_sig = 1;
-
- dst_context_destroy(&ctx);
- dns_rdata_freestruct(&sig);
-
- return (ISC_R_SUCCESS);
-
-failure:
- if (signeedsfree)
- dns_rdata_freestruct(&sig);
- if (ctx != NULL)
- dst_context_destroy(&ctx);
-
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/ds.c b/contrib/bind9/lib/dns/ds.c
deleted file mode 100644
index b0ca52340756..000000000000
--- a/contrib/bind9/lib/dns/ds.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds.c,v 1.4.2.1 2004/03/08 02:07:53 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/region.h>
-#include <isc/sha1.h>
-#include <isc/util.h>
-
-#include <dns/ds.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-
-#include <dst/dst.h>
-
-isc_result_t
-dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
- unsigned int digest_type, unsigned char *buffer,
- dns_rdata_t *rdata)
-{
- isc_sha1_t sha1;
- dns_fixedname_t fname;
- dns_name_t *name;
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- isc_region_t r;
- isc_buffer_t b;
- dns_rdata_ds_t ds;
-
- REQUIRE(key != NULL);
- REQUIRE(key->type == dns_rdatatype_dnskey);
-
- if (digest_type != DNS_DSDIGEST_SHA1)
- return (ISC_R_NOTIMPLEMENTED);
-
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- (void)dns_name_downcase(owner, name, NULL);
-
- memset(buffer, 0, DNS_DS_BUFFERSIZE);
- isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
-
- isc_sha1_init(&sha1);
- dns_name_toregion(name, &r);
- isc_sha1_update(&sha1, r.base, r.length);
- dns_rdata_toregion(key, &r);
- INSIST(r.length >= 4);
- isc_sha1_update(&sha1, r.base, r.length);
- isc_sha1_final(&sha1, digest);
-
- ds.mctx = NULL;
- ds.common.rdclass = key->rdclass;
- ds.common.rdtype = dns_rdatatype_ds;
- ds.algorithm = r.base[3];
- ds.key_tag = dst_region_computeid(&r, ds.algorithm);
- ds.digest_type = DNS_DSDIGEST_SHA1;
- ds.length = ISC_SHA1_DIGESTLENGTH;
- ds.digest = digest;
-
- return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
- &ds, &b));
-}
diff --git a/contrib/bind9/lib/dns/dst_api.c b/contrib/bind9/lib/dns/dst_api.c
deleted file mode 100644
index 19f60a27e805..000000000000
--- a/contrib/bind9/lib/dns/dst_api.c
+++ /dev/null
@@ -1,1185 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $
- */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/fsaccess.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/ttl.h>
-#include <dns/types.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-
-#define DST_AS_STR(t) ((t).value.as_textregion.base)
-
-static dst_func_t *dst_t_func[DST_MAX_ALGS];
-static isc_entropy_t *dst_entropy_pool = NULL;
-static unsigned int dst_entropy_flags = 0;
-static isc_boolean_t dst_initialized = ISC_FALSE;
-
-isc_mem_t *dst__memory_pool = NULL;
-
-/*
- * Static functions.
- */
-static dst_key_t * get_key_struct(dns_name_t *name,
- unsigned int alg,
- unsigned int flags,
- unsigned int protocol,
- unsigned int bits,
- dns_rdataclass_t rdclass,
- isc_mem_t *mctx);
-static isc_result_t read_public_key(const char *filename,
- int type,
- isc_mem_t *mctx,
- dst_key_t **keyp);
-static isc_result_t write_public_key(const dst_key_t *key, int type,
- const char *directory);
-static isc_result_t buildfilename(dns_name_t *name,
- dns_keytag_t id,
- unsigned int alg,
- unsigned int type,
- const char *directory,
- isc_buffer_t *out);
-static isc_result_t computeid(dst_key_t *key);
-static isc_result_t frombuffer(dns_name_t *name,
- unsigned int alg,
- unsigned int flags,
- unsigned int protocol,
- dns_rdataclass_t rdclass,
- isc_buffer_t *source,
- isc_mem_t *mctx,
- dst_key_t **keyp);
-
-static isc_result_t algorithm_status(unsigned int alg);
-
-static isc_result_t addsuffix(char *filename, unsigned int len,
- const char *ofilename, const char *suffix);
-
-#define RETERR(x) \
- do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto out; \
- } while (0)
-
-#define CHECKALG(alg) \
- do { \
- isc_result_t _r; \
- _r = algorithm_status(alg); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0); \
-
-isc_result_t
-dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
- isc_result_t result;
-
- REQUIRE(mctx != NULL && ectx != NULL);
- REQUIRE(dst_initialized == ISC_FALSE);
-
- dst__memory_pool = NULL;
-
-#ifdef OPENSSL
- UNUSED(mctx);
- /*
- * When using --with-openssl, there seems to be no good way of not
- * leaking memory due to the openssl error handling mechanism.
- * Avoid assertions by using a local memory context and not checking
- * for leaks on exit.
- */
- result = isc_mem_create(0, 0, &dst__memory_pool);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
-#else
- isc_mem_attach(mctx, &dst__memory_pool);
-#endif
- isc_entropy_attach(ectx, &dst_entropy_pool);
- dst_entropy_flags = eflags;
-
- dst_result_register();
-
- memset(dst_t_func, 0, sizeof(dst_t_func));
- RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
-#ifdef OPENSSL
- RETERR(dst__openssl_init());
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
- RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
-#ifdef HAVE_OPENSSL_DSA
- RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
-#endif
- RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
-#endif /* OPENSSL */
-#ifdef GSSAPI
- RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
-#endif
- dst_initialized = ISC_TRUE;
- return (ISC_R_SUCCESS);
-
- out:
- dst_lib_destroy();
- return (result);
-}
-
-void
-dst_lib_destroy(void) {
- int i;
- RUNTIME_CHECK(dst_initialized == ISC_TRUE);
- dst_initialized = ISC_FALSE;
-
- for (i = 0; i < DST_MAX_ALGS; i++)
- if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
- dst_t_func[i]->cleanup();
-#ifdef OPENSSL
- dst__openssl_destroy();
-#endif
- if (dst__memory_pool != NULL)
- isc_mem_detach(&dst__memory_pool);
- if (dst_entropy_pool != NULL)
- isc_entropy_detach(&dst_entropy_pool);
-
-}
-
-isc_boolean_t
-dst_algorithm_supported(unsigned int alg) {
- REQUIRE(dst_initialized == ISC_TRUE);
-
- if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-isc_result_t
-dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
- dst_context_t *dctx;
- isc_result_t result;
-
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
- REQUIRE(mctx != NULL);
- REQUIRE(dctxp != NULL && *dctxp == NULL);
-
- if (key->func->createctx == NULL)
- return (DST_R_UNSUPPORTEDALG);
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- dctx = isc_mem_get(mctx, sizeof(dst_context_t));
- if (dctx == NULL)
- return (ISC_R_NOMEMORY);
- dctx->key = key;
- dctx->mctx = mctx;
- result = key->func->createctx(key, dctx);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, dctx, sizeof(dst_context_t));
- return (result);
- }
- dctx->magic = CTX_MAGIC;
- *dctxp = dctx;
- return (ISC_R_SUCCESS);
-}
-
-void
-dst_context_destroy(dst_context_t **dctxp) {
- dst_context_t *dctx;
-
- REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));
-
- dctx = *dctxp;
- INSIST(dctx->key->func->destroyctx != NULL);
- dctx->key->func->destroyctx(dctx);
- dctx->magic = 0;
- isc_mem_put(dctx->mctx, dctx, sizeof(dst_context_t));
- *dctxp = NULL;
-}
-
-isc_result_t
-dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
- REQUIRE(VALID_CTX(dctx));
- REQUIRE(data != NULL);
- INSIST(dctx->key->func->adddata != NULL);
-
- return (dctx->key->func->adddata(dctx, data));
-}
-
-isc_result_t
-dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- dst_key_t *key;
-
- REQUIRE(VALID_CTX(dctx));
- REQUIRE(sig != NULL);
-
- key = dctx->key;
- CHECKALG(key->key_alg);
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
- if (key->func->sign == NULL)
- return (DST_R_NOTPRIVATEKEY);
- if (key->func->isprivate == NULL ||
- key->func->isprivate(key) == ISC_FALSE)
- return (DST_R_NOTPRIVATEKEY);
-
- return (key->func->sign(dctx, sig));
-}
-
-isc_result_t
-dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
- REQUIRE(VALID_CTX(dctx));
- REQUIRE(sig != NULL);
-
- CHECKALG(dctx->key->key_alg);
- if (dctx->key->opaque == NULL)
- return (DST_R_NULLKEY);
- if (dctx->key->func->verify == NULL)
- return (DST_R_NOTPUBLICKEY);
-
- return (dctx->key->func->verify(dctx, sig));
-}
-
-isc_result_t
-dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
- isc_buffer_t *secret)
-{
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
- REQUIRE(secret != NULL);
-
- CHECKALG(pub->key_alg);
- CHECKALG(priv->key_alg);
-
- if (pub->opaque == NULL || priv->opaque == NULL)
- return (DST_R_NULLKEY);
-
- if (pub->key_alg != priv->key_alg ||
- pub->func->computesecret == NULL ||
- priv->func->computesecret == NULL)
- return (DST_R_KEYCANNOTCOMPUTESECRET);
-
- if (dst_key_isprivate(priv) == ISC_FALSE)
- return (DST_R_NOTPRIVATEKEY);
-
- return (pub->func->computesecret(pub, priv, secret));
-}
-
-isc_result_t
-dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
- isc_result_t ret = ISC_R_SUCCESS;
-
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
- REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
-
- CHECKALG(key->key_alg);
-
- if (key->func->tofile == NULL)
- return (DST_R_UNSUPPORTEDALG);
-
- if (type & DST_TYPE_PUBLIC) {
- ret = write_public_key(key, type, directory);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- }
-
- if ((type & DST_TYPE_PRIVATE) &&
- (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
- return (key->func->tofile(key, directory));
- else
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
- unsigned int alg, int type, const char *directory,
- isc_mem_t *mctx, dst_key_t **keyp)
-{
- char filename[ISC_DIR_NAMEMAX];
- isc_buffer_t b;
- dst_key_t *key;
- isc_result_t result;
-
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
- REQUIRE(mctx != NULL);
- REQUIRE(keyp != NULL && *keyp == NULL);
-
- CHECKALG(alg);
-
- isc_buffer_init(&b, filename, sizeof(filename));
- result = buildfilename(name, id, alg, type, directory, &b);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- key = NULL;
- result = dst_key_fromnamedfile(filename, type, mctx, &key);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = computeid(key);
- if (result != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (result);
- }
-
- if (!dns_name_equal(name, key->key_name) ||
- id != key->key_id ||
- alg != key->key_alg)
- {
- dst_key_free(&key);
- return (DST_R_INVALIDPRIVATEKEY);
- }
- key->key_id = id;
-
- *keyp = key;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
- dst_key_t **keyp)
-{
- isc_result_t result;
- dst_key_t *pubkey = NULL, *key = NULL;
- dns_keytag_t id;
- char *newfilename = NULL;
- int newfilenamelen = 0;
- isc_lex_t *lex = NULL;
-
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(filename != NULL);
- REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
- REQUIRE(mctx != NULL);
- REQUIRE(keyp != NULL && *keyp == NULL);
-
- result = read_public_key(filename, type, mctx, &pubkey);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
- (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
- {
- result = computeid(pubkey);
- if (result != ISC_R_SUCCESS) {
- dst_key_free(&pubkey);
- return (result);
- }
-
- *keyp = pubkey;
- return (ISC_R_SUCCESS);
- }
-
- result = algorithm_status(pubkey->key_alg);
- if (result != ISC_R_SUCCESS) {
- dst_key_free(&pubkey);
- return (result);
- }
-
- key = get_key_struct(pubkey->key_name, pubkey->key_alg,
- pubkey->key_flags, pubkey->key_proto, 0,
- pubkey->key_class, mctx);
- id = pubkey->key_id;
- dst_key_free(&pubkey);
-
- if (key == NULL)
- return (ISC_R_NOMEMORY);
-
- if (key->func->parse == NULL)
- RETERR(DST_R_UNSUPPORTEDALG);
-
- newfilenamelen = strlen(filename) + 9;
- newfilename = isc_mem_get(mctx, newfilenamelen);
- if (newfilename == NULL)
- RETERR(ISC_R_NOMEMORY);
- result = addsuffix(newfilename, newfilenamelen, filename, ".private");
- INSIST(result == ISC_R_SUCCESS);
-
- RETERR(isc_lex_create(mctx, 1500, &lex));
- RETERR(isc_lex_openfile(lex, newfilename));
- isc_mem_put(mctx, newfilename, newfilenamelen);
-
- RETERR(key->func->parse(key, lex));
- isc_lex_destroy(&lex);
-
- RETERR(computeid(key));
-
- if (id != key->key_id)
- RETERR(DST_R_INVALIDPRIVATEKEY);
-
- *keyp = key;
- return (ISC_R_SUCCESS);
- out:
- if (newfilename != NULL)
- isc_mem_put(mctx, newfilename, newfilenamelen);
- if (lex != NULL)
- isc_lex_destroy(&lex);
- dst_key_free(&key);
- return (result);
-}
-
-isc_result_t
-dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
- REQUIRE(target != NULL);
-
- CHECKALG(key->key_alg);
-
- if (key->func->todns == NULL)
- return (DST_R_UNSUPPORTEDALG);
-
- if (isc_buffer_availablelength(target) < 4)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));
- isc_buffer_putuint8(target, (isc_uint8_t)key->key_proto);
- isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);
-
- if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
- if (isc_buffer_availablelength(target) < 2)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint16(target,
- (isc_uint16_t)((key->key_flags >> 16)
- & 0xffff));
- }
-
- if (key->opaque == NULL) /* NULL KEY */
- return (ISC_R_SUCCESS);
-
- return (key->func->todns(key, target));
-}
-
-isc_result_t
-dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
-{
- isc_uint8_t alg, proto;
- isc_uint32_t flags, extflags;
- dst_key_t *key = NULL;
- dns_keytag_t id;
- isc_region_t r;
- isc_result_t result;
-
- REQUIRE(dst_initialized);
-
- isc_buffer_remainingregion(source, &r);
-
- if (isc_buffer_remaininglength(source) < 4)
- return (DST_R_INVALIDPUBLICKEY);
- flags = isc_buffer_getuint16(source);
- proto = isc_buffer_getuint8(source);
- alg = isc_buffer_getuint8(source);
-
- id = dst_region_computeid(&r, alg);
-
- if (flags & DNS_KEYFLAG_EXTENDED) {
- if (isc_buffer_remaininglength(source) < 2)
- return (DST_R_INVALIDPUBLICKEY);
- extflags = isc_buffer_getuint16(source);
- flags |= (extflags << 16);
- }
-
- result = frombuffer(name, alg, flags, proto, rdclass, source,
- mctx, &key);
- if (result != ISC_R_SUCCESS)
- return (result);
- key->key_id = id;
-
- *keyp = key;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_frombuffer(dns_name_t *name, unsigned int alg,
- unsigned int flags, unsigned int protocol,
- dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
-{
- dst_key_t *key = NULL;
- isc_result_t result;
-
- REQUIRE(dst_initialized);
-
- result = frombuffer(name, alg, flags, protocol, rdclass, source,
- mctx, &key);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = computeid(key);
- if (result != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (result);
- }
-
- *keyp = key;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
- REQUIRE(target != NULL);
-
- CHECKALG(key->key_alg);
-
- if (key->func->todns == NULL)
- return (DST_R_UNSUPPORTEDALG);
-
- return (key->func->todns(key, target));
-}
-
-isc_result_t
-dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
- isc_lex_t *lex = NULL;
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
- REQUIRE(!dst_key_isprivate(key));
- REQUIRE(buffer != NULL);
-
- if (key->func->parse == NULL)
- RETERR(DST_R_UNSUPPORTEDALG);
-
- RETERR(isc_lex_create(key->mctx, 1500, &lex));
- RETERR(isc_lex_openbuffer(lex, buffer));
- RETERR(key->func->parse(key, lex));
- out:
- if (lex != NULL)
- isc_lex_destroy(&lex);
- return (result);
-}
-
-isc_result_t
-dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
- dst_key_t **keyp)
-{
- dst_key_t *key;
-
- REQUIRE(opaque != NULL);
- REQUIRE(keyp != NULL && *keyp == NULL);
-
- key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
- 0, dns_rdataclass_in, mctx);
- if (key == NULL)
- return (ISC_R_NOMEMORY);
- key->opaque = opaque;
- *keyp = key;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_generate(dns_name_t *name, unsigned int alg,
- unsigned int bits, unsigned int param,
- unsigned int flags, unsigned int protocol,
- dns_rdataclass_t rdclass,
- isc_mem_t *mctx, dst_key_t **keyp)
-{
- dst_key_t *key;
- isc_result_t ret;
-
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(mctx != NULL);
- REQUIRE(keyp != NULL && *keyp == NULL);
-
- CHECKALG(alg);
-
- key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx);
- if (key == NULL)
- return (ISC_R_NOMEMORY);
-
- if (bits == 0) { /* NULL KEY */
- key->key_flags |= DNS_KEYTYPE_NOKEY;
- *keyp = key;
- return (ISC_R_SUCCESS);
- }
-
- if (key->func->generate == NULL) {
- dst_key_free(&key);
- return (DST_R_UNSUPPORTEDALG);
- }
-
- ret = key->func->generate(key, param);
- if (ret != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (ret);
- }
-
- ret = computeid(key);
- if (ret != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (ret);
- }
-
- *keyp = key;
- return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key1));
- REQUIRE(VALID_KEY(key2));
-
- if (key1 == key2)
- return (ISC_TRUE);
- if (key1 == NULL || key2 == NULL)
- return (ISC_FALSE);
- if (key1->key_alg == key2->key_alg &&
- key1->key_id == key2->key_id &&
- key1->func->compare != NULL &&
- key1->func->compare(key1, key2) == ISC_TRUE)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key1));
- REQUIRE(VALID_KEY(key2));
-
- if (key1 == key2)
- return (ISC_TRUE);
- if (key1 == NULL || key2 == NULL)
- return (ISC_FALSE);
- if (key1->key_alg == key2->key_alg &&
- key1->func->paramcompare != NULL &&
- key1->func->paramcompare(key1, key2) == ISC_TRUE)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-void
-dst_key_free(dst_key_t **keyp) {
- isc_mem_t *mctx;
- dst_key_t *key;
-
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(keyp != NULL && VALID_KEY(*keyp));
-
- key = *keyp;
- mctx = key->mctx;
-
- if (key->opaque != NULL) {
- INSIST(key->func->destroy != NULL);
- key->func->destroy(key);
- }
-
- dns_name_free(key->key_name, mctx);
- isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
- memset(key, 0, sizeof(dst_key_t));
- isc_mem_put(mctx, key, sizeof(dst_key_t));
- *keyp = NULL;
-}
-
-isc_boolean_t
-dst_key_isprivate(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- INSIST(key->func->isprivate != NULL);
- return (key->func->isprivate(key));
-}
-
-isc_result_t
-dst_key_buildfilename(const dst_key_t *key, int type,
- const char *directory, isc_buffer_t *out) {
-
- REQUIRE(VALID_KEY(key));
- REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
- type == 0);
-
- return (buildfilename(key->key_name, key->key_id, key->key_alg,
- type, directory, out));
-}
-
-isc_result_t
-dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
- REQUIRE(n != NULL);
-
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
- switch (key->key_alg) {
- case DST_ALG_RSAMD5:
- case DST_ALG_RSASHA1:
- *n = (key->key_size + 7) / 8;
- break;
- case DST_ALG_DSA:
- *n = DNS_SIG_DSASIGSIZE;
- break;
- case DST_ALG_HMACMD5:
- *n = 16;
- break;
- case DST_ALG_GSSAPI:
- *n = 128; /* XXX */
- break;
- case DST_ALG_DH:
- default:
- return (DST_R_UNSUPPORTEDALG);
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
- REQUIRE(n != NULL);
-
- if (key->key_alg == DST_ALG_DH)
- *n = (key->key_size + 7) / 8;
- else
- return (DST_R_UNSUPPORTEDALG);
- return (ISC_R_SUCCESS);
-}
-
-/***
- *** Static methods
- ***/
-
-/*
- * Allocates a key structure and fills in some of the fields.
- */
-static dst_key_t *
-get_key_struct(dns_name_t *name, unsigned int alg,
- unsigned int flags, unsigned int protocol,
- unsigned int bits, dns_rdataclass_t rdclass,
- isc_mem_t *mctx)
-{
- dst_key_t *key;
- isc_result_t result;
-
- key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
- if (key == NULL)
- return (NULL);
-
- memset(key, 0, sizeof(dst_key_t));
- key->magic = KEY_MAGIC;
-
- key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
- if (key->key_name == NULL) {
- isc_mem_put(mctx, key, sizeof(dst_key_t));
- return (NULL);
- }
- dns_name_init(key->key_name, NULL);
- result = dns_name_dup(name, mctx, key->key_name);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
- isc_mem_put(mctx, key, sizeof(dst_key_t));
- return (NULL);
- }
- key->key_alg = alg;
- key->key_flags = flags;
- key->key_proto = protocol;
- key->mctx = mctx;
- key->opaque = NULL;
- key->key_size = bits;
- key->key_class = rdclass;
- key->func = dst_t_func[alg];
- return (key);
-}
-
-/*
- * Reads a public key from disk
- */
-static isc_result_t
-read_public_key(const char *filename, int type,
- isc_mem_t *mctx, dst_key_t **keyp)
-{
- u_char rdatabuf[DST_KEY_MAXSIZE];
- isc_buffer_t b;
- dns_fixedname_t name;
- isc_lex_t *lex = NULL;
- isc_token_t token;
- isc_result_t ret;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
- char *newfilename;
- unsigned int newfilenamelen;
- dns_rdataclass_t rdclass = dns_rdataclass_in;
- isc_lexspecials_t specials;
- isc_uint32_t ttl;
- isc_result_t result;
- dns_rdatatype_t keytype;
-
- newfilenamelen = strlen(filename) + 5;
- newfilename = isc_mem_get(mctx, newfilenamelen);
- if (newfilename == NULL)
- return (ISC_R_NOMEMORY);
- ret = addsuffix(newfilename, newfilenamelen, filename, ".key");
- INSIST(ret == ISC_R_SUCCESS);
-
- /*
- * Open the file and read its formatted contents
- * File format:
- * domain.name [ttl] [class] KEY <flags> <protocol> <algorithm> <key>
- */
-
- /* 1500 should be large enough for any key */
- ret = isc_lex_create(mctx, 1500, &lex);
- if (ret != ISC_R_SUCCESS)
- goto cleanup;
-
- memset(specials, 0, sizeof(specials));
- specials['('] = 1;
- specials[')'] = 1;
- specials['"'] = 1;
- isc_lex_setspecials(lex, specials);
- isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
-
- ret = isc_lex_openfile(lex, newfilename);
- if (ret != ISC_R_SUCCESS)
- goto cleanup;
-
-#define NEXTTOKEN(lex, opt, token) { \
- ret = isc_lex_gettoken(lex, opt, token); \
- if (ret != ISC_R_SUCCESS) \
- goto cleanup; \
- }
-
-#define BADTOKEN() { \
- ret = ISC_R_UNEXPECTEDTOKEN; \
- goto cleanup; \
- }
-
- /* Read the domain name */
- NEXTTOKEN(lex, opt, &token);
- if (token.type != isc_tokentype_string)
- BADTOKEN();
- dns_fixedname_init(&name);
- isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
- isc_buffer_add(&b, strlen(DST_AS_STR(token)));
- ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
- ISC_FALSE, NULL);
- if (ret != ISC_R_SUCCESS)
- goto cleanup;
-
- /* Read the next word: either TTL, class, or 'KEY' */
- NEXTTOKEN(lex, opt, &token);
-
- /* If it's a TTL, read the next one */
- result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
- if (result == ISC_R_SUCCESS)
- NEXTTOKEN(lex, opt, &token);
-
- if (token.type != isc_tokentype_string)
- BADTOKEN();
-
- ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
- if (ret == ISC_R_SUCCESS)
- NEXTTOKEN(lex, opt, &token);
-
- if (token.type != isc_tokentype_string)
- BADTOKEN();
-
- if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
- keytype = dns_rdatatype_dnskey;
- else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
- keytype = dns_rdatatype_key; /* SIG(0), TKEY */
- else
- BADTOKEN();
-
- if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
- ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {
- ret = DST_R_BADKEYTYPE;
- goto cleanup;
- }
-
- isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
- ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,
- ISC_FALSE, mctx, &b, NULL);
- if (ret != ISC_R_SUCCESS)
- goto cleanup;
-
- ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
- keyp);
- if (ret != ISC_R_SUCCESS)
- goto cleanup;
-
- cleanup:
- if (lex != NULL)
- isc_lex_destroy(&lex);
- isc_mem_put(mctx, newfilename, newfilenamelen);
-
- return (ret);
-}
-
-static isc_boolean_t
-issymmetric(const dst_key_t *key) {
- REQUIRE(dst_initialized == ISC_TRUE);
- REQUIRE(VALID_KEY(key));
-
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
- switch (key->key_alg) {
- case DST_ALG_RSAMD5:
- case DST_ALG_RSASHA1:
- case DST_ALG_DSA:
- case DST_ALG_DH:
- return (ISC_FALSE);
- case DST_ALG_HMACMD5:
- case DST_ALG_GSSAPI:
- return (ISC_TRUE);
- default:
- return (ISC_FALSE);
- }
-}
-
-/*
- * Writes a public key to disk in DNS format.
- */
-static isc_result_t
-write_public_key(const dst_key_t *key, int type, const char *directory) {
- FILE *fp;
- isc_buffer_t keyb, textb, fileb, classb;
- isc_region_t r;
- char filename[ISC_DIR_NAMEMAX];
- unsigned char key_array[DST_KEY_MAXSIZE];
- char text_array[DST_KEY_MAXTEXTSIZE];
- char class_array[10];
- isc_result_t ret;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_fsaccess_t access;
-
- REQUIRE(VALID_KEY(key));
-
- isc_buffer_init(&keyb, key_array, sizeof(key_array));
- isc_buffer_init(&textb, text_array, sizeof(text_array));
- isc_buffer_init(&classb, class_array, sizeof(class_array));
-
- ret = dst_key_todns(key, &keyb);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_usedregion(&keyb, &r);
- dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
-
- ret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
- if (ret != ISC_R_SUCCESS)
- return (DST_R_INVALIDPUBLICKEY);
-
- ret = dns_rdataclass_totext(key->key_class, &classb);
- if (ret != ISC_R_SUCCESS)
- return (DST_R_INVALIDPUBLICKEY);
-
- /*
- * Make the filename.
- */
- isc_buffer_init(&fileb, filename, sizeof(filename));
- ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &fileb);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- /*
- * Create public key file.
- */
- if ((fp = fopen(filename, "w")) == NULL)
- return (DST_R_WRITEERROR);
-
- if (issymmetric(key)) {
- access = 0;
- isc_fsaccess_add(ISC_FSACCESS_OWNER,
- ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
- &access);
- (void)isc_fsaccess_set(filename, access);
- }
-
- ret = dns_name_print(key->key_name, fp);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- fprintf(fp, " ");
-
- isc_buffer_usedregion(&classb, &r);
- fwrite(r.base, 1, r.length, fp);
-
- if ((type & DST_TYPE_KEY) != 0)
- fprintf(fp, " KEY ");
- else
- fprintf(fp, " DNSKEY ");
-
- isc_buffer_usedregion(&textb, &r);
- fwrite(r.base, 1, r.length, fp);
-
- fputc('\n', fp);
- fclose(fp);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-buildfilename(dns_name_t *name, dns_keytag_t id,
- unsigned int alg, unsigned int type,
- const char *directory, isc_buffer_t *out)
-{
- const char *suffix = "";
- unsigned int len;
- isc_result_t result;
-
- REQUIRE(out != NULL);
- if ((type & DST_TYPE_PRIVATE) != 0)
- suffix = ".private";
- else if (type == DST_TYPE_PUBLIC)
- suffix = ".key";
- if (directory != NULL) {
- if (isc_buffer_availablelength(out) < strlen(directory))
- return (ISC_R_NOSPACE);
- isc_buffer_putstr(out, directory);
- if (strlen(directory) > 0U &&
- directory[strlen(directory) - 1] != '/')
- isc_buffer_putstr(out, "/");
- }
- if (isc_buffer_availablelength(out) < 1)
- return (ISC_R_NOSPACE);
- isc_buffer_putstr(out, "K");
- result = dns_name_tofilenametext(name, ISC_FALSE, out);
- if (result != ISC_R_SUCCESS)
- return (result);
- len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
- if (isc_buffer_availablelength(out) < len)
- return (ISC_R_NOSPACE);
- sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id, suffix);
- isc_buffer_add(out, len);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-computeid(dst_key_t *key) {
- isc_buffer_t dnsbuf;
- unsigned char dns_array[DST_KEY_MAXSIZE];
- isc_region_t r;
- isc_result_t ret;
-
- isc_buffer_init(&dnsbuf, dns_array, sizeof(dns_array));
- ret = dst_key_todns(key, &dnsbuf);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_usedregion(&dnsbuf, &r);
- key->key_id = dst_region_computeid(&r, key->key_alg);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
- unsigned int protocol, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
-{
- dst_key_t *key;
- isc_result_t ret;
-
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(source != NULL);
- REQUIRE(mctx != NULL);
- REQUIRE(keyp != NULL && *keyp == NULL);
-
- key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
- if (key == NULL)
- return (ISC_R_NOMEMORY);
-
- if (isc_buffer_remaininglength(source) > 0) {
- ret = algorithm_status(alg);
- if (ret != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (ret);
- }
- if (key->func->fromdns == NULL) {
- dst_key_free(&key);
- return (DST_R_UNSUPPORTEDALG);
- }
-
- ret = key->func->fromdns(key, source);
- if (ret != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (ret);
- }
- }
-
- *keyp = key;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-algorithm_status(unsigned int alg) {
- REQUIRE(dst_initialized == ISC_TRUE);
-
- if (dst_algorithm_supported(alg))
- return (ISC_R_SUCCESS);
-#ifndef OPENSSL
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
- alg == DST_ALG_DSA || alg == DST_ALG_DH ||
- alg == DST_ALG_HMACMD5)
- return (DST_R_NOCRYPTO);
-#endif
- return (DST_R_UNSUPPORTEDALG);
-}
-
-static isc_result_t
-addsuffix(char *filename, unsigned int len, const char *ofilename,
- const char *suffix)
-{
- int olen = strlen(ofilename);
- int n;
-
- if (olen > 1 && ofilename[olen - 1] == '.')
- olen -= 1;
- else if (olen > 8 && strcmp(ofilename + olen - 8, ".private") == 0)
- olen -= 8;
- else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0)
- olen -= 4;
-
- n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
- if (n < 0)
- return (ISC_R_NOSPACE);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
- unsigned int flags = dst_entropy_flags;
- if (pseudo)
- flags &= ~ISC_ENTROPY_GOODONLY;
- return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
-}
diff --git a/contrib/bind9/lib/dns/dst_internal.h b/contrib/bind9/lib/dns/dst_internal.h
deleted file mode 100644
index 982eb6d22958..000000000000
--- a/contrib/bind9/lib/dns/dst_internal.h
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2002 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst_internal.h,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $ */
-
-#ifndef DST_DST_INTERNAL_H
-#define DST_DST_INTERNAL_H 1
-
-#include <isc/lang.h>
-#include <isc/buffer.h>
-#include <isc/int.h>
-#include <isc/magic.h>
-#include <isc/region.h>
-#include <isc/types.h>
-
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
-#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
-
-#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
-#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
-
-extern isc_mem_t *dst__memory_pool;
-
-/***
- *** Types
- ***/
-
-typedef struct dst_func dst_func_t;
-
-struct dst_key {
- unsigned int magic;
- dns_name_t * key_name; /* name of the key */
- unsigned int key_size; /* size of the key in bits */
- unsigned int key_proto; /* protocols this key is used for */
- unsigned int key_alg; /* algorithm of the key */
- isc_uint32_t key_flags; /* flags of the public key */
- isc_uint16_t key_id; /* identifier of the key */
- dns_rdataclass_t key_class; /* class of the key record */
- isc_mem_t *mctx; /* memory context */
- void * opaque; /* pointer to key in crypto pkg fmt */
- dst_func_t * func; /* crypto package specific functions */
-};
-
-struct dst_context {
- unsigned int magic;
- dst_key_t *key;
- isc_mem_t *mctx;
- void *opaque;
-};
-
-struct dst_func {
- /*
- * Context functions
- */
- isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
- void (*destroyctx)(dst_context_t *dctx);
- isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);
-
- /*
- * Key operations
- */
- isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig);
- isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig);
- isc_result_t (*computesecret)(const dst_key_t *pub,
- const dst_key_t *priv,
- isc_buffer_t *secret);
- isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
- isc_boolean_t (*paramcompare)(const dst_key_t *key1,
- const dst_key_t *key2);
- isc_result_t (*generate)(dst_key_t *key, int parms);
- isc_boolean_t (*isprivate)(const dst_key_t *key);
- void (*destroy)(dst_key_t *key);
-
- /* conversion functions */
- isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
- isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
- isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
- isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer);
-
- /* cleanup */
- void (*cleanup)(void);
-};
-
-/*
- * Initializers
- */
-isc_result_t dst__openssl_init(void);
-
-isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
-isc_result_t dst__opensslrsa_init(struct dst_func **funcp);
-isc_result_t dst__openssldsa_init(struct dst_func **funcp);
-isc_result_t dst__openssldh_init(struct dst_func **funcp);
-isc_result_t dst__gssapi_init(struct dst_func **funcp);
-
-/*
- * Destructors
- */
-void dst__openssl_destroy(void);
-
-/*
- * Memory allocators using the DST memory pool.
- */
-void * dst__mem_alloc(size_t size);
-void dst__mem_free(void *ptr);
-void * dst__mem_realloc(void *ptr, size_t size);
-
-/*
- * Entropy retriever using the DST entropy pool.
- */
-isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
- isc_boolean_t pseudo);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_DST_INTERNAL_H */
diff --git a/contrib/bind9/lib/dns/dst_lib.c b/contrib/bind9/lib/dns/dst_lib.c
deleted file mode 100644
index 804611043524..000000000000
--- a/contrib/bind9/lib/dns/dst_lib.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.1.4.1 2004/12/09 04:07:16 marka Exp $
- */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/once.h>
-#include <isc/msgcat.h>
-#include <isc/util.h>
-
-#include <dst/lib.h>
-
-/***
- *** Globals
- ***/
-
-LIBDNS_EXTERNAL_DATA isc_msgcat_t * dst_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t msgcat_once = ISC_ONCE_INIT;
-
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
- isc_msgcat_open("libdst.cat", &dst_msgcat);
-}
-
-void
-dst_lib_initmsgcat(void) {
-
- /*
- * Initialize the DST library's message catalog, dst_msgcat, if it
- * has not already been initialized.
- */
-
- RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/dst_openssl.h b/contrib/bind9/lib/dns/dst_openssl.h
deleted file mode 100644
index 8dbc35073b52..000000000000
--- a/contrib/bind9/lib/dns/dst_openssl.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst_openssl.h,v 1.1.2.1 2004/12/09 04:07:17 marka Exp $ */
-
-#ifndef DST_OPENSSL_H
-#define DST_OPENSSL_H 1
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dst__openssl_toresult(isc_result_t fallback);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_OPENSSL_H */
diff --git a/contrib/bind9/lib/dns/dst_parse.c b/contrib/bind9/lib/dns/dst_parse.c
deleted file mode 100644
index d34aeca9b516..000000000000
--- a/contrib/bind9/lib/dns/dst_parse.c
+++ /dev/null
@@ -1,412 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
- */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/dir.h>
-#include <isc/fsaccess.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst/result.h"
-
-#define DST_AS_STR(t) ((t).value.as_textregion.base)
-
-#define PRIVATE_KEY_STR "Private-key-format:"
-#define ALGORITHM_STR "Algorithm:"
-
-struct parse_map {
- const int value;
- const char *tag;
-};
-
-static struct parse_map map[] = {
- {TAG_RSA_MODULUS, "Modulus:"},
- {TAG_RSA_PUBLICEXPONENT, "PublicExponent:"},
- {TAG_RSA_PRIVATEEXPONENT, "PrivateExponent:"},
- {TAG_RSA_PRIME1, "Prime1:"},
- {TAG_RSA_PRIME2, "Prime2:"},
- {TAG_RSA_EXPONENT1, "Exponent1:"},
- {TAG_RSA_EXPONENT2, "Exponent2:"},
- {TAG_RSA_COEFFICIENT, "Coefficient:"},
-
- {TAG_DH_PRIME, "Prime(p):"},
- {TAG_DH_GENERATOR, "Generator(g):"},
- {TAG_DH_PRIVATE, "Private_value(x):"},
- {TAG_DH_PUBLIC, "Public_value(y):"},
-
- {TAG_DSA_PRIME, "Prime(p):"},
- {TAG_DSA_SUBPRIME, "Subprime(q):"},
- {TAG_DSA_BASE, "Base(g):"},
- {TAG_DSA_PRIVATE, "Private_value(x):"},
- {TAG_DSA_PUBLIC, "Public_value(y):"},
-
- {TAG_HMACMD5_KEY, "Key:"},
- {0, NULL}
-};
-
-static int
-find_value(const char *s, const unsigned int alg) {
- int i;
-
- for (i = 0; ; i++) {
- if (map[i].tag == NULL)
- return (-1);
- else if (strcasecmp(s, map[i].tag) == 0 &&
- TAG_ALG(map[i].value) == alg)
- return (map[i].value);
- }
-}
-
-static const char *
-find_tag(const int value) {
- int i;
-
- for (i = 0; ; i++) {
- if (map[i].tag == NULL)
- return (NULL);
- else if (value == map[i].value)
- return (map[i].tag);
- }
-}
-
-static int
-check_rsa(const dst_private_t *priv) {
- int i, j;
- if (priv->nelements != RSA_NTAGS)
- return (-1);
- for (i = 0; i < RSA_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++)
- if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
- break;
- if (j == priv->nelements)
- return (-1);
- }
- return (0);
-}
-
-static int
-check_dh(const dst_private_t *priv) {
- int i, j;
- if (priv->nelements != DH_NTAGS)
- return (-1);
- for (i = 0; i < DH_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++)
- if (priv->elements[j].tag == TAG(DST_ALG_DH, i))
- break;
- if (j == priv->nelements)
- return (-1);
- }
- return (0);
-}
-
-static int
-check_dsa(const dst_private_t *priv) {
- int i, j;
- if (priv->nelements != DSA_NTAGS)
- return (-1);
- for (i = 0; i < DSA_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++)
- if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
- break;
- if (j == priv->nelements)
- return (-1);
- }
- return (0);
-}
-
-static int
-check_hmac_md5(const dst_private_t *priv) {
- if (priv->nelements != HMACMD5_NTAGS)
- return (-1);
- if (priv->elements[0].tag != TAG_HMACMD5_KEY)
- return (-1);
- return (0);
-}
-
-static int
-check_data(const dst_private_t *priv, const unsigned int alg) {
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
- switch (alg) {
- case DST_ALG_RSAMD5:
- case DST_ALG_RSASHA1:
- return (check_rsa(priv));
- case DST_ALG_DH:
- return (check_dh(priv));
- case DST_ALG_DSA:
- return (check_dsa(priv));
- case DST_ALG_HMACMD5:
- return (check_hmac_md5(priv));
- default:
- return (DST_R_UNSUPPORTEDALG);
- }
-}
-
-void
-dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
- int i;
-
- if (priv == NULL)
- return;
- for (i = 0; i < priv->nelements; i++) {
- if (priv->elements[i].data == NULL)
- continue;
- memset(priv->elements[i].data, 0, MAXFIELDSIZE);
- isc_mem_put(mctx, priv->elements[i].data, MAXFIELDSIZE);
- }
- priv->nelements = 0;
-}
-
-int
-dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
- isc_mem_t *mctx, dst_private_t *priv)
-{
- int n = 0, major, minor;
- isc_buffer_t b;
- isc_token_t token;
- unsigned char *data = NULL;
- unsigned int opt = ISC_LEXOPT_EOL;
- isc_result_t ret;
-
- REQUIRE(priv != NULL);
-
- priv->nelements = 0;
-
-#define NEXTTOKEN(lex, opt, token) \
- do { \
- ret = isc_lex_gettoken(lex, opt, token); \
- if (ret != ISC_R_SUCCESS) \
- goto fail; \
- } while (0)
-
-#define READLINE(lex, opt, token) \
- do { \
- ret = isc_lex_gettoken(lex, opt, token); \
- if (ret == ISC_R_EOF) \
- break; \
- else if (ret != ISC_R_SUCCESS) \
- goto fail; \
- } while ((*token).type != isc_tokentype_eol)
-
- /*
- * Read the description line.
- */
- NEXTTOKEN(lex, opt, &token);
- if (token.type != isc_tokentype_string ||
- strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
- {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
-
- NEXTTOKEN(lex, opt, &token);
- if (token.type != isc_tokentype_string ||
- (DST_AS_STR(token))[0] != 'v')
- {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
- if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
- {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
-
- if (major > MAJOR_VERSION ||
- (major == MAJOR_VERSION && minor > MINOR_VERSION))
- {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
-
- READLINE(lex, opt, &token);
-
- /*
- * Read the algorithm line.
- */
- NEXTTOKEN(lex, opt, &token);
- if (token.type != isc_tokentype_string ||
- strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
- {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
-
- NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
- if (token.type != isc_tokentype_number ||
- token.value.as_ulong != (unsigned long) dst_key_alg(key))
- {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
-
- READLINE(lex, opt, &token);
-
- /*
- * Read the key data.
- */
- for (n = 0; n < MAXFIELDS; n++) {
- int tag;
- isc_region_t r;
-
- do {
- ret = isc_lex_gettoken(lex, opt, &token);
- if (ret == ISC_R_EOF)
- goto done;
- if (ret != ISC_R_SUCCESS)
- goto fail;
- } while (token.type == isc_tokentype_eol);
-
- if (token.type != isc_tokentype_string) {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
-
- memset(&priv->elements[n], 0, sizeof(dst_private_element_t));
- tag = find_value(DST_AS_STR(token), alg);
- if (tag < 0 || TAG_ALG(tag) != alg) {
- ret = DST_R_INVALIDPRIVATEKEY;
- goto fail;
- }
- priv->elements[n].tag = tag;
-
- data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
- if (data == NULL)
- goto fail;
-
- isc_buffer_init(&b, data, MAXFIELDSIZE);
- ret = isc_base64_tobuffer(lex, &b, -1);
- if (ret != ISC_R_SUCCESS)
- goto fail;
- isc_buffer_usedregion(&b, &r);
- priv->elements[n].length = r.length;
- priv->elements[n].data = r.base;
-
- READLINE(lex, opt, &token);
- data = NULL;
- }
- done:
- priv->nelements = n;
-
- if (check_data(priv, alg) < 0)
- goto fail;
-
- return (ISC_R_SUCCESS);
-
-fail:
- priv->nelements = n;
- dst__privstruct_free(priv, mctx);
- if (data != NULL)
- isc_mem_put(mctx, data, MAXFIELDSIZE);
-
- return (ret);
-}
-
-int
-dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
- const char *directory)
-{
- FILE *fp;
- int ret, i;
- isc_result_t iret;
- char filename[ISC_DIR_NAMEMAX];
- char buffer[MAXFIELDSIZE * 2];
- isc_buffer_t b;
- isc_fsaccess_t access;
-
- REQUIRE(priv != NULL);
-
- if (check_data(priv, dst_key_alg(key)) < 0)
- return (DST_R_INVALIDPRIVATEKEY);
-
- isc_buffer_init(&b, filename, sizeof(filename));
- ret = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if ((fp = fopen(filename, "w")) == NULL)
- return (DST_R_WRITEERROR);
-
- access = 0;
- isc_fsaccess_add(ISC_FSACCESS_OWNER,
- ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
- &access);
- (void)isc_fsaccess_set(filename, access);
-
- /* XXXDCL return value should be checked for full filesystem */
- fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
- MINOR_VERSION);
-
- fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
- /* XXXVIX this switch statement is too sparse to gen a jump table. */
- switch (dst_key_alg(key)) {
- case DST_ALG_RSAMD5:
- fprintf(fp, "(RSA)\n");
- break;
- case DST_ALG_DH:
- fprintf(fp, "(DH)\n");
- break;
- case DST_ALG_DSA:
- fprintf(fp, "(DSA)\n");
- break;
- case DST_ALG_RSASHA1:
- fprintf(fp, "(RSASHA1)\n");
- break;
- case DST_ALG_HMACMD5:
- fprintf(fp, "(HMAC_MD5)\n");
- break;
- default:
- fprintf(fp, "(?)\n");
- break;
- }
-
- for (i = 0; i < priv->nelements; i++) {
- isc_buffer_t b;
- isc_region_t r;
- const char *s;
-
- s = find_tag(priv->elements[i].tag);
-
- r.base = priv->elements[i].data;
- r.length = priv->elements[i].length;
- isc_buffer_init(&b, buffer, sizeof(buffer));
- iret = isc_base64_totext(&r, sizeof(buffer), "", &b);
- if (iret != ISC_R_SUCCESS) {
- fclose(fp);
- return (DST_R_INVALIDPRIVATEKEY);
- }
- isc_buffer_usedregion(&b, &r);
-
- fprintf(fp, "%s ", s);
- fwrite(r.base, 1, r.length, fp);
- fprintf(fp, "\n");
- }
-
- fclose(fp);
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/dst_parse.h b/contrib/bind9/lib/dns/dst_parse.h
deleted file mode 100644
index 9ecef4f7b646..000000000000
--- a/contrib/bind9/lib/dns/dst_parse.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2002 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst_parse.h,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $ */
-
-#ifndef DST_DST_PARSE_H
-#define DST_DST_PARSE_H 1
-
-#include <isc/lang.h>
-
-#include <dst/dst.h>
-
-#define MAJOR_VERSION 1
-#define MINOR_VERSION 2
-
-#define MAXFIELDSIZE 512
-#define MAXFIELDS 12
-
-#define TAG_SHIFT 4
-#define TAG_ALG(tag) ((unsigned int)(tag) >> TAG_SHIFT)
-#define TAG(alg, off) (((alg) << TAG_SHIFT) + (off))
-
-/* These are used by both RSA-MD5 and RSA-SHA1 */
-#define RSA_NTAGS 8
-#define TAG_RSA_MODULUS ((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
-#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
-#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
-#define TAG_RSA_PRIME1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 3)
-#define TAG_RSA_PRIME2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 4)
-#define TAG_RSA_EXPONENT1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
-#define TAG_RSA_EXPONENT2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
-#define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
-
-#define DH_NTAGS 4
-#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
-#define TAG_DH_GENERATOR ((DST_ALG_DH << TAG_SHIFT) + 1)
-#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2)
-#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3)
-
-#define DSA_NTAGS 5
-#define TAG_DSA_PRIME ((DST_ALG_DSA << TAG_SHIFT) + 0)
-#define TAG_DSA_SUBPRIME ((DST_ALG_DSA << TAG_SHIFT) + 1)
-#define TAG_DSA_BASE ((DST_ALG_DSA << TAG_SHIFT) + 2)
-#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
-#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
-
-#define HMACMD5_NTAGS 1
-#define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
-
-struct dst_private_element {
- unsigned short tag;
- unsigned short length;
- unsigned char *data;
-};
-
-typedef struct dst_private_element dst_private_element_t;
-
-struct dst_private {
- unsigned short nelements;
- dst_private_element_t elements[MAXFIELDS];
-};
-
-typedef struct dst_private dst_private_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
-
-int
-dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
- isc_mem_t *mctx, dst_private_t *priv);
-
-int
-dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
- const char *directory);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_DST_PARSE_H */
diff --git a/contrib/bind9/lib/dns/dst_result.c b/contrib/bind9/lib/dns/dst_result.c
deleted file mode 100644
index 9b1536c3cc4e..000000000000
--- a/contrib/bind9/lib/dns/dst_result.c
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
- */
-
-#include <config.h>
-
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-#include <dst/lib.h>
-
-static const char *text[DST_R_NRESULTS] = {
- "algorithm is unsupported", /* 0 */
- "openssl failure", /* 1 */
- "built with no crypto support", /* 2 */
- "illegal operation for a null key", /* 3 */
- "public key is invalid", /* 4 */
- "private key is invalid", /* 5 */
- "UNUSED6", /* 6 */
- "error occurred writing key to disk", /* 7 */
- "invalid algorithm specific parameter", /* 8 */
- "UNUSED9", /* 9 */
- "UNUSED10", /* 10 */
- "sign failure", /* 11 */
- "UNUSED12", /* 12 */
- "UNUSED13", /* 13 */
- "verify failure", /* 14 */
- "not a public key", /* 15 */
- "not a private key", /* 16 */
- "not a key that can compute a secret", /* 17 */
- "failure computing a shared secret", /* 18 */
- "no randomness available", /* 19 */
- "bad key type" /* 20 */
-};
-
-#define DST_RESULT_RESULTSET 2
-
-static isc_once_t once = ISC_ONCE_INIT;
-
-static void
-initialize_action(void) {
- isc_result_t result;
-
- result = isc_result_register(ISC_RESULTCLASS_DST, DST_R_NRESULTS,
- text, dst_msgcat, DST_RESULT_RESULTSET);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_result_register() failed: %u", result);
-}
-
-static void
-initialize(void) {
- dst_lib_initmsgcat();
- RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-dst_result_totext(isc_result_t result) {
- initialize();
-
- return (isc_result_totext(result));
-}
-
-void
-dst_result_register(void) {
- initialize();
-}
diff --git a/contrib/bind9/lib/dns/forward.c b/contrib/bind9/lib/dns/forward.c
deleted file mode 100644
index 1455fbad43ce..000000000000
--- a/contrib/bind9/lib/dns/forward.c
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: forward.c,v 1.5.206.3 2005/03/17 03:58:30 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/rwlock.h>
-#include <isc/sockaddr.h>
-#include <isc/util.h>
-
-#include <dns/forward.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-#include <dns/types.h>
-
-struct dns_fwdtable {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t *mctx;
- isc_rwlock_t rwlock;
- /* Locked by lock. */
- dns_rbt_t *table;
-};
-
-#define FWDTABLEMAGIC ISC_MAGIC('F', 'w', 'd', 'T')
-#define VALID_FWDTABLE(ft) ISC_MAGIC_VALID(ft, FWDTABLEMAGIC)
-
-static void
-auto_detach(void *, void *);
-
-isc_result_t
-dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep) {
- dns_fwdtable_t *fwdtable;
- isc_result_t result;
-
- REQUIRE(fwdtablep != NULL && *fwdtablep == NULL);
-
- fwdtable = isc_mem_get(mctx, sizeof(dns_fwdtable_t));
- if (fwdtable == NULL)
- return (ISC_R_NOMEMORY);
-
- fwdtable->table = NULL;
- result = dns_rbt_create(mctx, auto_detach, fwdtable, &fwdtable->table);
- if (result != ISC_R_SUCCESS)
- goto cleanup_fwdtable;
-
- result = isc_rwlock_init(&fwdtable->rwlock, 0, 0);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_rwlock_init() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_rbt;
- }
-
- fwdtable->mctx = NULL;
- isc_mem_attach(mctx, &fwdtable->mctx);
- fwdtable->magic = FWDTABLEMAGIC;
- *fwdtablep = fwdtable;
-
- return (ISC_R_SUCCESS);
-
- cleanup_rbt:
- dns_rbt_destroy(&fwdtable->table);
-
- cleanup_fwdtable:
- isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
-
- return (result);
-}
-
-isc_result_t
-dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
- isc_sockaddrlist_t *addrs, dns_fwdpolicy_t fwdpolicy)
-{
- isc_result_t result;
- dns_forwarders_t *forwarders;
- isc_sockaddr_t *sa, *nsa;
-
- REQUIRE(VALID_FWDTABLE(fwdtable));
-
- forwarders = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarders_t));
- if (forwarders == NULL)
- return (ISC_R_NOMEMORY);
-
- ISC_LIST_INIT(forwarders->addrs);
- for (sa = ISC_LIST_HEAD(*addrs);
- sa != NULL;
- sa = ISC_LIST_NEXT(sa, link))
- {
- nsa = isc_mem_get(fwdtable->mctx, sizeof(isc_sockaddr_t));
- if (nsa == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- *nsa = *sa;
- ISC_LINK_INIT(nsa, link);
- ISC_LIST_APPEND(forwarders->addrs, nsa, link);
- }
- forwarders->fwdpolicy = fwdpolicy;
-
- RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
- result = dns_rbt_addname(fwdtable->table, name, forwarders);
- RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
-
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- while (!ISC_LIST_EMPTY(forwarders->addrs)) {
- sa = ISC_LIST_HEAD(forwarders->addrs);
- ISC_LIST_UNLINK(forwarders->addrs, sa, link);
- isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t));
- }
- isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
- return (result);
-}
-
-isc_result_t
-dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
- dns_forwarders_t **forwardersp)
-{
- return (dns_fwdtable_find2(fwdtable, name, NULL, forwardersp));
-}
-
-isc_result_t
-dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
- dns_name_t *foundname, dns_forwarders_t **forwardersp)
-{
- isc_result_t result;
-
- REQUIRE(VALID_FWDTABLE(fwdtable));
-
- RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-
- result = dns_rbt_findname(fwdtable->table, name, 0, foundname,
- (void **)forwardersp);
- if (result == DNS_R_PARTIALMATCH)
- result = ISC_R_SUCCESS;
-
- RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
-
- return (result);
-}
-
-void
-dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep) {
- dns_fwdtable_t *fwdtable;
- isc_mem_t *mctx;
-
- REQUIRE(fwdtablep != NULL && VALID_FWDTABLE(*fwdtablep));
-
- fwdtable = *fwdtablep;
-
- dns_rbt_destroy(&fwdtable->table);
- isc_rwlock_destroy(&fwdtable->rwlock);
- fwdtable->magic = 0;
- mctx = fwdtable->mctx;
- isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
- isc_mem_detach(&mctx);
-
- *fwdtablep = NULL;
-}
-
-/***
- *** Private
- ***/
-
-static void
-auto_detach(void *data, void *arg) {
- dns_forwarders_t *forwarders = data;
- dns_fwdtable_t *fwdtable = arg;
- isc_sockaddr_t *sa;
-
- UNUSED(arg);
-
- while (!ISC_LIST_EMPTY(forwarders->addrs)) {
- sa = ISC_LIST_HEAD(forwarders->addrs);
- ISC_LIST_UNLINK(forwarders->addrs, sa, link);
- isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t));
- }
- isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
-}
diff --git a/contrib/bind9/lib/dns/gen-unix.h b/contrib/bind9/lib/dns/gen-unix.h
deleted file mode 100644
index bd007c4541f3..000000000000
--- a/contrib/bind9/lib/dns/gen-unix.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gen-unix.h,v 1.12.12.5 2005/06/09 23:54:29 marka Exp $ */
-
-/*
- * This file is responsible for defining two operations that are not
- * directly portable between Unix-like systems and Windows NT, option
- * parsing and directory scanning. It is here because it was decided
- * that the "gen" build utility was not to depend on libisc.a, so
- * the functions delcared in isc/commandline.h and isc/dir.h could not
- * be used.
- *
- * The commandline stuff is really just a wrapper around getopt().
- * The dir stuff was shrunk to fit the needs of gen.c.
- */
-
-#ifndef DNS_GEN_UNIX_H
-#define DNS_GEN_UNIX_H 1
-
-#include <sys/types.h> /* Required on some systems for dirent.h. */
-
-#include <dirent.h>
-#include <unistd.h> /* XXXDCL Required for ?. */
-
-#include <isc/boolean.h>
-#include <isc/lang.h>
-
-#ifdef NEED_OPTARG
-extern char *optarg;
-#endif
-
-#define isc_commandline_parse getopt
-#define isc_commandline_argument optarg
-
-typedef struct {
- DIR *handle;
- char *filename;
-} isc_dir_t;
-
-ISC_LANG_BEGINDECLS
-
-static isc_boolean_t
-start_directory(const char *path, isc_dir_t *dir) {
- dir->handle = opendir(path);
-
- if (dir->handle != NULL)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-
-}
-
-static isc_boolean_t
-next_file(isc_dir_t *dir) {
- struct dirent *dirent;
-
- dir->filename = NULL;
-
- if (dir->handle != NULL) {
- dirent = readdir(dir->handle);
- if (dirent != NULL)
- dir->filename = dirent->d_name;
- }
-
- if (dir->filename != NULL)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-static void
-end_directory(isc_dir_t *dir) {
- if (dir->handle != NULL)
- (void)closedir(dir->handle);
-
- dir->handle = NULL;
-}
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_GEN_UNIX_H */
diff --git a/contrib/bind9/lib/dns/gen.c b/contrib/bind9/lib/dns/gen.c
deleted file mode 100644
index 4a6cc0d796d5..000000000000
--- a/contrib/bind9/lib/dns/gen.c
+++ /dev/null
@@ -1,878 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gen.c,v 1.65.2.5.2.6 2004/03/15 01:02:54 marka Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-
-#ifdef WIN32
-#include "gen-win32.h"
-#else
-#include "gen-unix.h"
-#endif
-
-#define FROMTEXTARGS "rdclass, type, lexer, origin, options, target, callbacks"
-#define FROMTEXTCLASS "rdclass"
-#define FROMTEXTTYPE "type"
-#define FROMTEXTDEF "result = DNS_R_UNKNOWN"
-
-#define TOTEXTARGS "rdata, tctx, target"
-#define TOTEXTCLASS "rdata->rdclass"
-#define TOTEXTTYPE "rdata->type"
-#define TOTEXTDEF "use_default = ISC_TRUE"
-
-#define FROMWIREARGS "rdclass, type, source, dctx, options, target"
-#define FROMWIRECLASS "rdclass"
-#define FROMWIRETYPE "type"
-#define FROMWIREDEF "use_default = ISC_TRUE"
-
-#define TOWIREARGS "rdata, cctx, target"
-#define TOWIRECLASS "rdata->rdclass"
-#define TOWIRETYPE "rdata->type"
-#define TOWIREDEF "use_default = ISC_TRUE"
-
-#define FROMSTRUCTARGS "rdclass, type, source, target"
-#define FROMSTRUCTCLASS "rdclass"
-#define FROMSTRUCTTYPE "type"
-#define FROMSTRUCTDEF "use_default = ISC_TRUE"
-
-#define TOSTRUCTARGS "rdata, target, mctx"
-#define TOSTRUCTCLASS "rdata->rdclass"
-#define TOSTRUCTTYPE "rdata->type"
-#define TOSTRUCTDEF "use_default = ISC_TRUE"
-
-#define FREESTRUCTARGS "source"
-#define FREESTRUCTCLASS "common->rdclass"
-#define FREESTRUCTTYPE "common->rdtype"
-#define FREESTRUCTDEF NULL
-
-#define COMPAREARGS "rdata1, rdata2"
-#define COMPARECLASS "rdata1->rdclass"
-#define COMPARETYPE "rdata1->type"
-#define COMPAREDEF "use_default = ISC_TRUE"
-
-#define ADDITIONALDATAARGS "rdata, add, arg"
-#define ADDITIONALDATACLASS "rdata->rdclass"
-#define ADDITIONALDATATYPE "rdata->type"
-#define ADDITIONALDATADEF "use_default = ISC_TRUE"
-
-#define DIGESTARGS "rdata, digest, arg"
-#define DIGESTCLASS "rdata->rdclass"
-#define DIGESTTYPE "rdata->type"
-#define DIGESTDEF "use_default = ISC_TRUE"
-
-#define CHECKOWNERARGS "name, rdclass, type, wildcard"
-#define CHECKOWNERCLASS "rdclass"
-#define CHECKOWNERTYPE "type"
-#define CHECKOWNERDEF "result = ISC_TRUE"
-
-#define CHECKNAMESARGS "rdata, owner, bad"
-#define CHECKNAMESCLASS "rdata->rdclass"
-#define CHECKNAMESTYPE "rdata->type"
-#define CHECKNAMESDEF "result = ISC_TRUE"
-
-const char copyright[] =
-"/*\n"
-" * Copyright (C) 2004%s Internet Systems Consortium, Inc. (\"ISC\")\n"
-" * Copyright (C) 1998-2003 Internet Software Consortium.\n"
-" *\n"
-" * Permission to use, copy, modify, and distribute this software for any\n"
-" * purpose with or without fee is hereby granted, provided that the above\n"
-" * copyright notice and this permission notice appear in all copies.\n"
-" *\n"
-" * THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
-" * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
-" * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
-" * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
-" * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
-" * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
-" * PERFORMANCE OF THIS SOFTWARE.\n"
-" */\n"
-"\n"
-"/***************\n"
-" ***************\n"
-" *************** THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.\n"
-" *************** DO NOT EDIT!\n"
-" ***************\n"
-" ***************/\n"
-"\n";
-
-#define TYPENAMES 256
-
-struct cc {
- struct cc *next;
- int rdclass;
- char classname[11];
-} *classes;
-
-struct tt {
- struct tt *next;
- int rdclass;
- int type;
- char classname[11];
- char typename[11];
- char dirname[256]; /* XXX Should be max path length */
-} *types;
-
-struct ttnam {
- char typename[11];
- char macroname[11];
- char attr[256];
- unsigned int sorted;
- int type;
-} typenames[TYPENAMES];
-
-int maxtype = -1;
-
-char *
-upper(char *);
-char *
-funname(const char *, char *);
-void
-doswitch(const char *, const char *, const char *, const char *,
- const char *, const char *);
-void
-dodecl(char *, char *, char *);
-void
-add(int, const char *, int, const char *, const char *);
-void
-sd(int, const char *, const char *, char);
-void
-insert_into_typenames(int, const char *, const char *);
-
-/*
- * If you use more than 10 of these in, say, a printf(), you'll have problems.
- */
-char *
-upper(char *s) {
- static int buf_to_use = 0;
- static char buf[10][256];
- char *b;
- int c;
-
- buf_to_use++;
- if (buf_to_use > 9)
- buf_to_use = 0;
-
- b = buf[buf_to_use];
- memset(b, 0, 256);
-
- while ((c = (*s++) & 0xff))
- *b++ = islower(c) ? toupper(c) : c;
- *b = '\0';
- return (buf[buf_to_use]);
-}
-
-char *
-funname(const char *s, char *buf) {
- char *b = buf;
- char c;
-
- while ((c = *s++)) {
- *b++ = (c == '-') ? '_' : c;
- }
- *b = '\0';
- return (buf);
-}
-
-void
-doswitch(const char *name, const char *function, const char *args,
- const char *tsw, const char *csw, const char *res)
-{
- struct tt *tt;
- int first = 1;
- int lasttype = 0;
- int subswitch = 0;
- char buf1[11], buf2[11];
- const char *result = " result =";
-
- if (res == NULL)
- result = "";
-
- for (tt = types; tt != NULL; tt = tt->next) {
- if (first) {
- fprintf(stdout, "\n#define %s \\\n", name);
- fprintf(stdout, "\tswitch (%s) { \\\n" /*}*/, tsw);
- first = 0;
- }
- if (tt->type != lasttype && subswitch) {
- if (res == NULL)
- fprintf(stdout, "\t\tdefault: break; \\\n");
- else
- fprintf(stdout,
- "\t\tdefault: %s; break; \\\n", res);
- fputs(/*{*/ "\t\t} \\\n", stdout);
- fputs("\t\tbreak; \\\n", stdout);
- subswitch = 0;
- }
- if (tt->rdclass && tt->type != lasttype) {
- fprintf(stdout, "\tcase %d: switch (%s) { \\\n" /*}*/,
- tt->type, csw);
- subswitch = 1;
- }
- if (tt->rdclass == 0)
- fprintf(stdout,
- "\tcase %d:%s %s_%s(%s); break;",
- tt->type, result, function,
- funname(tt->typename, buf1), args);
- else
- fprintf(stdout,
- "\t\tcase %d:%s %s_%s_%s(%s); break;",
- tt->rdclass, result, function,
- funname(tt->classname, buf1),
- funname(tt->typename, buf2), args);
- fputs(" \\\n", stdout);
- lasttype = tt->type;
- }
- if (subswitch) {
- if (res == NULL)
- fprintf(stdout, "\t\tdefault: break; \\\n");
- else
- fprintf(stdout, "\t\tdefault: %s; break; \\\n", res);
- fputs(/*{*/ "\t\t} \\\n", stdout);
- fputs("\t\tbreak; \\\n", stdout);
- }
- if (first) {
- if (res == NULL)
- fprintf(stdout, "\n#define %s\n", name);
- else
- fprintf(stdout, "\n#define %s %s;\n", name, res);
- } else {
- if (res == NULL)
- fprintf(stdout, "\tdefault: break; \\\n");
- else
- fprintf(stdout, "\tdefault: %s; break; \\\n", res);
- fputs(/*{*/ "\t}\n", stdout);
- }
-}
-
-void
-dodecl(char *type, char *function, char *args) {
- struct tt *tt;
- char buf1[11], buf2[11];
-
- fputs("\n", stdout);
- for (tt = types; tt; tt = tt->next)
- if (tt->rdclass)
- fprintf(stdout,
- "static inline %s %s_%s_%s(%s);\n",
- type, function,
- funname(tt->classname, buf1),
- funname(tt->typename, buf2), args);
- else
- fprintf(stdout,
- "static inline %s %s_%s(%s);\n",
- type, function,
- funname(tt->typename, buf1), args);
-}
-
-static struct ttnam *
-find_typename(int type) {
- int i;
-
- for (i = 0; i < TYPENAMES; i++) {
- if (typenames[i].typename[0] != 0 &&
- typenames[i].type == type)
- return (&typenames[i]);
- }
- return (NULL);
-}
-
-void
-insert_into_typenames(int type, const char *typename, const char *attr) {
- struct ttnam *ttn = NULL;
- int c, i;
- char tmp[256];
-
- for (i = 0; i < TYPENAMES; i++) {
- if (typenames[i].typename[0] != 0 &&
- typenames[i].type == type &&
- strcmp(typename, typenames[i].typename) != 0) {
- fprintf(stderr,
- "Error: type %d has two names: %s, %s\n",
- type, typenames[i].typename, typename);
- exit(1);
- }
- if (typenames[i].typename[0] == 0 && ttn == NULL)
- ttn = &typenames[i];
- }
- if (ttn == NULL) {
- fprintf(stderr, "Error: typenames array too small\n");
- exit(1);
- }
-
- if (strlen(typename) > sizeof(ttn->typename) - 1) {
- fprintf(stderr, "Error: type name %s is too long\n",
- typename);
- exit(1);
- }
- strcpy(ttn->typename, typename);
- ttn->type = type;
-
- strcpy(ttn->macroname, ttn->typename);
- c = strlen(ttn->macroname);
- while (c > 0) {
- if (ttn->macroname[c - 1] == '-')
- ttn->macroname[c - 1] = '_';
- c--;
- }
-
- if (attr == NULL) {
- sprintf(tmp, "RRTYPE_%s_ATTRIBUTES", upper(ttn->macroname));
- attr = tmp;
- }
-
- if (ttn->attr[0] != 0 && strcmp(attr, ttn->attr) != 0) {
- fprintf(stderr, "Error: type %d has different attributes: "
- "%s, %s\n", type, ttn->attr, attr);
- exit(1);
- }
-
- if (strlen(attr) > sizeof(ttn->attr) - 1) {
- fprintf(stderr, "Error: attr (%s) [name %s] is too long\n",
- attr, typename);
- exit(1);
- }
- strcpy(ttn->attr, attr);
- ttn->sorted = 0;
- if (maxtype < type)
- maxtype = type;
-}
-
-void
-add(int rdclass, const char *classname, int type, const char *typename,
- const char *dirname)
-{
- struct tt *newtt = (struct tt *)malloc(sizeof(*newtt));
- struct tt *tt, *oldtt;
- struct cc *newcc;
- struct cc *cc, *oldcc;
-
- insert_into_typenames(type, typename, NULL);
-
- if (newtt == NULL) {
- fprintf(stderr, "malloc() failed\n");
- exit(1);
- }
-
- newtt->next = NULL;
- newtt->rdclass = rdclass;
- newtt->type = type;
- strcpy(newtt->classname, classname);
- strcpy(newtt->typename, typename);
- strcpy(newtt->dirname, dirname);
-
- tt = types;
- oldtt = NULL;
-
- while ((tt != NULL) && (tt->type < type)) {
- oldtt = tt;
- tt = tt->next;
- }
-
- while ((tt != NULL) && (tt->type == type) && (tt->rdclass < rdclass)) {
- if (strcmp(tt->typename, typename) != 0)
- exit(1);
- oldtt = tt;
- tt = tt->next;
- }
-
- if ((tt != NULL) && (tt->type == type) && (tt->rdclass == rdclass))
- exit(1);
-
- newtt->next = tt;
- if (oldtt != NULL)
- oldtt->next = newtt;
- else
- types = newtt;
-
- /*
- * Do a class switch for this type.
- */
- if (rdclass == 0)
- return;
-
- newcc = (struct cc *)malloc(sizeof(*newcc));
- newcc->rdclass = rdclass;
- strcpy(newcc->classname, classname);
- cc = classes;
- oldcc = NULL;
-
- while ((cc != NULL) && (cc->rdclass < rdclass)) {
- oldcc = cc;
- cc = cc->next;
- }
-
- if ((cc != NULL) && cc->rdclass == rdclass) {
- free((char *)newcc);
- return;
- }
-
- newcc->next = cc;
- if (oldcc != NULL)
- oldcc->next = newcc;
- else
- classes = newcc;
-}
-
-void
-sd(int rdclass, const char *classname, const char *dirname, char filetype) {
- char buf[sizeof("0123456789_65535.h")];
- char fmt[sizeof("%10[-0-9a-z]_%d.h")];
- int type;
- char typename[11];
- isc_dir_t dir;
-
- if (!start_directory(dirname, &dir))
- return;
-
- sprintf(fmt,"%s%c", "%10[-0-9a-z]_%d.", filetype);
- while (next_file(&dir)) {
- if (sscanf(dir.filename, fmt, typename, &type) != 2)
- continue;
- if ((type > 65535) || (type < 0))
- continue;
-
- sprintf(buf, "%s_%d.%c", typename, type, filetype);
- if (strcmp(buf, dir.filename) != 0)
- continue;
- add(rdclass, classname, type, typename, dirname);
- }
-
- end_directory(&dir);
-}
-
-static unsigned int
-HASH(char *string) {
- unsigned int n;
- unsigned char a, b;
-
- n = strlen(string);
- if (n == 0) {
- fprintf(stderr, "n == 0?\n");
- exit(1);
- }
- a = tolower((unsigned char)string[0]);
- b = tolower((unsigned char)string[n - 1]);
-
- return ((a + n) * b) % 256;
-}
-
-int
-main(int argc, char **argv) {
- char buf[256]; /* XXX Should be max path length */
- char srcdir[256]; /* XXX Should be max path length */
- int rdclass;
- char classname[11];
- struct tt *tt;
- struct cc *cc;
- struct ttnam *ttn, *ttn2;
- unsigned int hash;
- struct tm *tm;
- time_t now;
- char year[11];
- int lasttype;
- int code = 1;
- int class_enum = 0;
- int type_enum = 0;
- int structs = 0;
- int depend = 0;
- int c, i, j;
- char buf1[11];
- char filetype = 'c';
- FILE *fd;
- char *prefix = NULL;
- char *suffix = NULL;
- char *file = NULL;
- isc_dir_t dir;
-
- for (i = 0; i < TYPENAMES; i++)
- memset(&typenames[i], 0, sizeof(typenames[i]));
-
- strcpy(srcdir, "");
- while ((c = isc_commandline_parse(argc, argv, "cdits:F:P:S:")) != -1)
- switch (c) {
- case 'c':
- code = 0;
- depend = 0;
- type_enum = 0;
- class_enum = 1;
- filetype = 'c';
- structs = 0;
- break;
- case 'd':
- code = 0;
- depend = 1;
- class_enum = 0;
- type_enum = 0;
- structs = 0;
- filetype = 'h';
- break;
- case 't':
- code = 0;
- depend = 0;
- class_enum = 0;
- type_enum = 1;
- filetype = 'c';
- structs = 0;
- break;
- case 'i':
- code = 0;
- depend = 0;
- class_enum = 0;
- type_enum = 0;
- structs = 1;
- filetype = 'h';
- break;
- case 's':
- sprintf(srcdir, "%s/", isc_commandline_argument);
- break;
- case 'F':
- file = isc_commandline_argument;
- break;
- case 'P':
- prefix = isc_commandline_argument;
- break;
- case 'S':
- suffix = isc_commandline_argument;
- break;
- case '?':
- exit(1);
- }
-
- sprintf(buf, "%srdata", srcdir);
-
- if (!start_directory(buf, &dir))
- exit(1);
-
- while (next_file(&dir)) {
- if (sscanf(dir.filename, "%10[0-9a-z]_%d",
- classname, &rdclass) != 2)
- continue;
- if ((rdclass > 65535) || (rdclass < 0))
- continue;
-
- sprintf(buf, "%srdata/%s_%d", srcdir, classname, rdclass);
- if (strcmp(buf + 6 + strlen(srcdir), dir.filename) != 0)
- continue;
- sd(rdclass, classname, buf, filetype);
- }
- end_directory(&dir);
- sprintf(buf, "%srdata/generic", srcdir);
- sd(0, "", buf, filetype);
-
- if (time(&now) != -1) {
- if ((tm = localtime(&now)) != NULL && tm->tm_year > 104)
- sprintf(year, "-%d", tm->tm_year + 1900);
- else
- year[0] = 0;
- } else
- year[0] = 0;
-
- if (!depend) fprintf(stdout, copyright, year);
-
- if (code) {
- fputs("#ifndef DNS_CODE_H\n", stdout);
- fputs("#define DNS_CODE_H 1\n\n", stdout);
-
- fputs("#include <isc/boolean.h>\n", stdout);
- fputs("#include <isc/result.h>\n\n", stdout);
- fputs("#include <dns/name.h>\n\n", stdout);
-
- for (tt = types; tt != NULL; tt = tt->next)
- fprintf(stdout, "#include \"%s/%s_%d.c\"\n",
- tt->dirname, tt->typename, tt->type);
-
- fputs("\n\n", stdout);
-
- doswitch("FROMTEXTSWITCH", "fromtext", FROMTEXTARGS,
- FROMTEXTTYPE, FROMTEXTCLASS, FROMTEXTDEF);
- doswitch("TOTEXTSWITCH", "totext", TOTEXTARGS,
- TOTEXTTYPE, TOTEXTCLASS, TOTEXTDEF);
- doswitch("FROMWIRESWITCH", "fromwire", FROMWIREARGS,
- FROMWIRETYPE, FROMWIRECLASS, FROMWIREDEF);
- doswitch("TOWIRESWITCH", "towire", TOWIREARGS,
- TOWIRETYPE, TOWIRECLASS, TOWIREDEF);
- doswitch("COMPARESWITCH", "compare", COMPAREARGS,
- COMPARETYPE, COMPARECLASS, COMPAREDEF);
- doswitch("FROMSTRUCTSWITCH", "fromstruct", FROMSTRUCTARGS,
- FROMSTRUCTTYPE, FROMSTRUCTCLASS, FROMSTRUCTDEF);
- doswitch("TOSTRUCTSWITCH", "tostruct", TOSTRUCTARGS,
- TOSTRUCTTYPE, TOSTRUCTCLASS, TOSTRUCTDEF);
- doswitch("FREESTRUCTSWITCH", "freestruct", FREESTRUCTARGS,
- FREESTRUCTTYPE, FREESTRUCTCLASS, FREESTRUCTDEF);
- doswitch("ADDITIONALDATASWITCH", "additionaldata",
- ADDITIONALDATAARGS, ADDITIONALDATATYPE,
- ADDITIONALDATACLASS, ADDITIONALDATADEF);
- doswitch("DIGESTSWITCH", "digest",
- DIGESTARGS, DIGESTTYPE,
- DIGESTCLASS, DIGESTDEF);
- doswitch("CHECKOWNERSWITCH", "checkowner",
- CHECKOWNERARGS, CHECKOWNERTYPE,
- CHECKOWNERCLASS, CHECKOWNERDEF);
- doswitch("CHECKNAMESSWITCH", "checknames",
- CHECKNAMESARGS, CHECKNAMESTYPE,
- CHECKNAMESCLASS, CHECKNAMESDEF);
-
- /*
- * From here down, we are processing the rdata names and
- * attributes.
- */
-
-#define PRINT_COMMA(x) (x == maxtype ? "" : ",")
-
-#define METANOTQUESTION "DNS_RDATATYPEATTR_META | " \
- "DNS_RDATATYPEATTR_NOTQUESTION"
-#define METAQUESTIONONLY "DNS_RDATATYPEATTR_META | " \
- "DNS_RDATATYPEATTR_QUESTIONONLY"
-#define RESERVED "DNS_RDATATYPEATTR_RESERVED"
-
- /*
- * Add in reserved/special types. This will let us
- * sort them without special cases.
- */
- insert_into_typenames(0, "reserved0", RESERVED);
- insert_into_typenames(31, "eid", RESERVED);
- insert_into_typenames(32, "nimloc", RESERVED);
- insert_into_typenames(34, "atma", RESERVED);
- insert_into_typenames(100, "uinfo", RESERVED);
- insert_into_typenames(101, "uid", RESERVED);
- insert_into_typenames(102, "gid", RESERVED);
- insert_into_typenames(251, "ixfr", METAQUESTIONONLY);
- insert_into_typenames(252, "axfr", METAQUESTIONONLY);
- insert_into_typenames(253, "mailb", METAQUESTIONONLY);
- insert_into_typenames(254, "maila", METAQUESTIONONLY);
- insert_into_typenames(255, "any", METAQUESTIONONLY);
-
- /*
- * Spit out a quick and dirty hash function. Here,
- * we walk through the list of type names, and calculate
- * a hash. This isn't perfect, but it will generate "pretty
- * good" estimates. Lowercase the characters before
- * computing in all cases.
- *
- * Here, walk the list from top to bottom, calculating
- * the hash (mod 256) for each name.
- */
- fprintf(stdout, "#define RDATATYPE_COMPARE(_s, _d, _tn, _n, _tp) \\\n");
- fprintf(stdout, "\tdo { \\\n");
- fprintf(stdout, "\t\tif (sizeof(_s) - 1 == _n && \\\n"
- "\t\t strncasecmp(_s,(_tn),"
- "(sizeof(_s) - 1)) == 0) { \\\n");
- fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
- "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
- fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
- fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
- fprintf(stdout, "\t\t\treturn (ISC_R_SUCCESS); \\\n");
- fprintf(stdout, "\t\t} \\\n");
- fprintf(stdout, "\t} while (0)\n\n");
-
- fprintf(stdout, "#define RDATATYPE_FROMTEXT_SW(_hash,"
- "_typename,_length,_typep) \\\n");
- fprintf(stdout, "\tswitch (_hash) { \\\n");
- for (i = 0; i <= maxtype; i++) {
- ttn = find_typename(i);
- if (ttn == NULL)
- continue;
-
- /*
- * Skip entries we already processed.
- */
- if (ttn->sorted != 0)
- continue;
-
- hash = HASH(ttn->typename);
- fprintf(stdout, "\t\tcase %u: \\\n", hash);
-
- /*
- * Find all other entries that happen to match
- * this hash.
- */
- for (j = 0; j <= maxtype; j++) {
- ttn2 = find_typename(j);
- if (ttn2 == NULL)
- continue;
- if (hash == HASH(ttn2->typename)) {
- fprintf(stdout, "\t\t\tRDATATYPE_COMPARE"
- "(\"%s\", %u, "
- "_typename, _length, _typep); \\\n",
- ttn2->typename, ttn2->type);
- ttn2->sorted = 1;
- }
- }
- fprintf(stdout, "\t\t\tbreak; \\\n");
- }
- fprintf(stdout, "\t}\n");
-
- fprintf(stdout, "#define RDATATYPE_ATTRIBUTE_SW \\\n");
- fprintf(stdout, "\tswitch (type) { \\\n");
- for (i = 0; i <= maxtype; i++) {
- ttn = find_typename(i);
- if (ttn == NULL)
- continue;
- fprintf(stdout, "\tcase %u: return (%s); \\\n",
- i, upper(ttn->attr));
- }
- fprintf(stdout, "\t}\n");
-
- fprintf(stdout, "#define RDATATYPE_TOTEXT_SW \\\n");
- fprintf(stdout, "\tswitch (type) { \\\n");
- for (i = 0; i <= maxtype; i++) {
- ttn = find_typename(i);
- if (ttn == NULL)
- continue;
- fprintf(stdout, "\tcase %u: return "
- "(str_totext(\"%s\", target)); \\\n",
- i, upper(ttn->typename));
- }
- fprintf(stdout, "\t}\n");
-
- fputs("#endif /* DNS_CODE_H */\n", stdout);
- } else if (type_enum) {
- char *s;
-
- fprintf(stdout, "#ifndef DNS_ENUMTYPE_H\n");
- fprintf(stdout, "#define DNS_ENUMTYPE_H 1\n\n");
-
- fprintf(stdout, "enum {\n");
- fprintf(stdout, "\tdns_rdatatype_none = 0,\n");
-
- lasttype = 0;
- for (tt = types; tt != NULL; tt = tt->next)
- if (tt->type != lasttype)
- fprintf(stdout,
- "\tdns_rdatatype_%s = %d,\n",
- funname(tt->typename, buf1),
- lasttype = tt->type);
-
- fprintf(stdout, "\tdns_rdatatype_ixfr = 251,\n");
- fprintf(stdout, "\tdns_rdatatype_axfr = 252,\n");
- fprintf(stdout, "\tdns_rdatatype_mailb = 253,\n");
- fprintf(stdout, "\tdns_rdatatype_maila = 254,\n");
- fprintf(stdout, "\tdns_rdatatype_any = 255\n");
-
- fprintf(stdout, "};\n\n");
-
- fprintf(stdout, "#define dns_rdatatype_none\t"
- "((dns_rdatatype_t)dns_rdatatype_none)\n");
-
- for (tt = types; tt != NULL; tt = tt->next)
- if (tt->type != lasttype) {
- s = funname(tt->typename, buf1);
- fprintf(stdout,
- "#define dns_rdatatype_%s\t%s"
- "((dns_rdatatype_t)dns_rdatatype_%s)"
- "\n",
- s, strlen(s) < 2U ? "\t" : "", s);
- lasttype = tt->type;
- }
-
- fprintf(stdout, "#define dns_rdatatype_ixfr\t"
- "((dns_rdatatype_t)dns_rdatatype_ixfr)\n");
- fprintf(stdout, "#define dns_rdatatype_axfr\t"
- "((dns_rdatatype_t)dns_rdatatype_axfr)\n");
- fprintf(stdout, "#define dns_rdatatype_mailb\t"
- "((dns_rdatatype_t)dns_rdatatype_mailb)\n");
- fprintf(stdout, "#define dns_rdatatype_maila\t"
- "((dns_rdatatype_t)dns_rdatatype_maila)\n");
- fprintf(stdout, "#define dns_rdatatype_any\t"
- "((dns_rdatatype_t)dns_rdatatype_any)\n");
-
- fprintf(stdout, "\n#endif /* DNS_ENUMTYPE_H */\n");
-
- } else if (class_enum) {
- char *s;
- int classnum;
-
- fprintf(stdout, "#ifndef DNS_ENUMCLASS_H\n");
- fprintf(stdout, "#define DNS_ENUMCLASS_H 1\n\n");
-
- fprintf(stdout, "enum {\n");
-
- fprintf(stdout, "\tdns_rdataclass_reserved0 = 0,\n");
- fprintf(stdout, "#define dns_rdataclass_reserved0 \\\n\t\t\t\t"
- "((dns_rdataclass_t)dns_rdataclass_reserved0)\n");
-
-#define PRINTCLASS(name, num) \
- do { \
- s = funname(name, buf1); \
- classnum = num; \
- fprintf(stdout, "\tdns_rdataclass_%s = %d%s\n", s, classnum, \
- classnum != 255 ? "," : ""); \
- fprintf(stdout, "#define dns_rdataclass_%s\t" \
- "((dns_rdataclass_t)dns_rdataclass_%s)\n", s, s); \
- } while (0)
-
- for (cc = classes; cc != NULL; cc = cc->next) {
- if (cc->rdclass == 4) {
- PRINTCLASS("ch", 3);
- PRINTCLASS("chaos", 3);
-
- } else if (cc->rdclass == 255) {
- PRINTCLASS("none", 254);
- }
- PRINTCLASS(cc->classname, cc->rdclass);
- }
-
-#undef PRINTCLASS
-
- fprintf(stdout, "};\n\n");
- fprintf(stdout, "#endif /* DNS_ENUMCLASS_H */\n");
- } else if (structs) {
- if (prefix != NULL) {
- if ((fd = fopen(prefix,"r")) != NULL) {
- while (fgets(buf, sizeof(buf), fd) != NULL)
- fputs(buf, stdout);
- fclose(fd);
- }
- }
- for (tt = types; tt != NULL; tt = tt->next) {
- sprintf(buf, "%s/%s_%d.h",
- tt->dirname, tt->typename, tt->type);
- if ((fd = fopen(buf,"r")) != NULL) {
- while (fgets(buf, sizeof(buf), fd) != NULL)
- fputs(buf, stdout);
- fclose(fd);
- }
- }
- if (suffix != NULL) {
- if ((fd = fopen(suffix,"r")) != NULL) {
- while (fgets(buf, sizeof(buf), fd) != NULL)
- fputs(buf, stdout);
- fclose(fd);
- }
- }
- } else if (depend) {
- for (tt = types; tt != NULL; tt = tt->next)
- fprintf(stdout, "%s:\t%s/%s_%d.h\n", file,
- tt->dirname, tt->typename, tt->type);
- }
-
- if (ferror(stdout) != 0)
- exit(1);
-
- return (0);
-}
diff --git a/contrib/bind9/lib/dns/gssapi_link.c b/contrib/bind9/lib/dns/gssapi_link.c
deleted file mode 100644
index 0a2e848a5894..000000000000
--- a/contrib/bind9/lib/dns/gssapi_link.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: gssapi_link.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
- */
-
-#ifdef GSSAPI
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-
-#include <gssapi/gssapi.h>
-
-#define INITIAL_BUFFER_SIZE 1024
-#define BUFFER_EXTRA 1024
-
-#define REGION_TO_GBUFFER(r, gb) \
- do { \
- (gb).length = (r).length; \
- (gb).value = (r).base; \
- } while (0)
-
-typedef struct gssapi_ctx {
- isc_buffer_t *buffer;
- gss_ctx_id_t *context_id;
-} gssapi_ctx_t;
-
-
-static isc_result_t
-gssapi_createctx(dst_key_t *key, dst_context_t *dctx) {
- gssapi_ctx_t *ctx;
- isc_result_t result;
-
- UNUSED(key);
-
- ctx = isc_mem_get(dctx->mctx, sizeof(gssapi_ctx_t));
- if (ctx == NULL)
- return (ISC_R_NOMEMORY);
- ctx->buffer = NULL;
- result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
- INITIAL_BUFFER_SIZE);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
- return (result);
- }
- ctx->context_id = key->opaque;
- dctx->opaque = ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-gssapi_destroyctx(dst_context_t *dctx) {
- gssapi_ctx_t *ctx = dctx->opaque;
-
- if (ctx != NULL) {
- if (ctx->buffer != NULL)
- isc_buffer_free(&ctx->buffer);
- isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
- gssapi_ctx_t *ctx = dctx->opaque;
- isc_buffer_t *newbuffer = NULL;
- isc_region_t r;
- unsigned int length;
- isc_result_t result;
-
- result = isc_buffer_copyregion(ctx->buffer, data);
- if (result == ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
-
- length = isc_buffer_length(ctx->buffer) + data->length + BUFFER_EXTRA;
-
- result = isc_buffer_allocate(dctx->mctx, &newbuffer, length);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- isc_buffer_usedregion(ctx->buffer, &r);
- (void) isc_buffer_copyregion(newbuffer, &r);
- (void) isc_buffer_copyregion(newbuffer, data);
-
- isc_buffer_free(&ctx->buffer);
- ctx->buffer = newbuffer;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- gssapi_ctx_t *ctx = dctx->opaque;
- isc_region_t message;
- gss_buffer_desc gmessage, gsig;
- OM_uint32 minor, gret;
-
- isc_buffer_usedregion(ctx->buffer, &message);
- REGION_TO_GBUFFER(message, gmessage);
-
- gret = gss_get_mic(&minor, ctx->context_id,
- GSS_C_QOP_DEFAULT, &gmessage, &gsig);
- if (gret != 0)
- return (ISC_R_FAILURE);
-
- if (gsig.length > isc_buffer_availablelength(sig)) {
- gss_release_buffer(&minor, &gsig);
- return (ISC_R_NOSPACE);
- }
-
- isc_buffer_putmem(sig, gsig.value, gsig.length);
-
- gss_release_buffer(&minor, &gsig);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
- gssapi_ctx_t *ctx = dctx->opaque;
- isc_region_t message;
- gss_buffer_desc gmessage, gsig;
- OM_uint32 minor, gret;
-
- isc_buffer_usedregion(ctx->buffer, &message);
- REGION_TO_GBUFFER(message, gmessage);
-
- REGION_TO_GBUFFER(*sig, gsig);
-
- gret = gss_verify_mic(&minor, ctx->context_id, &gmessage, &gsig, NULL);
- if (gret != 0)
- return (ISC_R_FAILURE);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
- gss_ctx_id_t gsskey1 = key1->opaque;
- gss_ctx_id_t gsskey2 = key2->opaque;
-
- /* No idea */
- return (ISC_TF(gsskey1 == gsskey2));
-}
-
-static isc_result_t
-gssapi_generate(dst_key_t *key, int unused) {
- UNUSED(key);
- UNUSED(unused);
-
- /* No idea */
- return (ISC_R_FAILURE);
-}
-
-static isc_boolean_t
-gssapi_isprivate(const dst_key_t *key) {
- UNUSED(key);
- return (ISC_TRUE);
-}
-
-static void
-gssapi_destroy(dst_key_t *key) {
- UNUSED(key);
- /* No idea */
-}
-
-static dst_func_t gssapi_functions = {
- gssapi_createctx,
- gssapi_destroyctx,
- gssapi_adddata,
- gssapi_sign,
- gssapi_verify,
- NULL, /* computesecret */
- gssapi_compare,
- NULL, /* paramcompare */
- gssapi_generate,
- gssapi_isprivate,
- gssapi_destroy,
- NULL, /* todns */
- NULL, /* fromdns */
- NULL, /* tofile */
- NULL, /* parse */
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__gssapi_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &gssapi_functions;
- return (ISC_R_SUCCESS);
-}
-
-#else
-int gssapi_link_unneeded = 1;
-#endif
diff --git a/contrib/bind9/lib/dns/gssapictx.c b/contrib/bind9/lib/dns/gssapictx.c
deleted file mode 100644
index 2605a7a051ad..000000000000
--- a/contrib/bind9/lib/dns/gssapictx.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gssapictx.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/entropy.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/types.h>
-#include <dns/keyvalues.h>
-
-#include <dst/gssapi.h>
-#include <dst/result.h>
-
-#include "dst_internal.h"
-
-#ifdef GSSAPI
-
-#include <gssapi/gssapi.h>
-
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto out; \
- } while (0)
-
-#define REGION_TO_GBUFFER(r, gb) \
- do { \
- (gb).length = (r).length; \
- (gb).value = (r).base; \
- } while (0)
-
-#define GBUFFER_TO_REGION(gb, r) \
- do { \
- (r).length = (gb).length; \
- (r).base = (gb).value; \
- } while (0)
-
-static inline void
-name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
- gss_buffer_desc *gbuffer)
-{
- dns_name_t tname, *namep;
- isc_region_t r;
- isc_result_t result;
-
- if (!dns_name_isabsolute(name))
- namep = name;
- else {
- unsigned int labels;
- dns_name_init(&tname, NULL);
- labels = dns_name_countlabels(name);
- dns_name_getlabelsequence(name, 0, labels - 1, &tname);
- namep = &tname;
- }
-
- result = dns_name_totext(namep, ISC_FALSE, buffer);
- isc_buffer_putuint8(buffer, 0);
- isc_buffer_usedregion(buffer, &r);
- REGION_TO_GBUFFER(r, *gbuffer);
-}
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
- isc_buffer_t namebuf;
- gss_name_t gname;
- gss_buffer_desc gnamebuf;
- unsigned char array[DNS_NAME_MAXTEXT + 1];
- OM_uint32 gret, minor;
- gss_OID_set mechs;
- OM_uint32 lifetime;
- gss_cred_usage_t usage;
-
- REQUIRE(cred != NULL && *cred == NULL);
-
- if (name != NULL) {
- isc_buffer_init(&namebuf, array, sizeof(array));
- name_to_gbuffer(name, &namebuf, &gnamebuf);
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID,
- &gname);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
- } else
- gname = NULL;
-
- if (initiate)
- usage = GSS_C_INITIATE;
- else
- usage = GSS_C_ACCEPT;
-
- gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, usage,
- cred, &mechs, &lifetime);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
-{
- isc_region_t r;
- isc_buffer_t namebuf;
- gss_buffer_desc gnamebuf, gintoken, *gintokenp, gouttoken;
- OM_uint32 gret, minor, flags, ret_flags;
- gss_OID mech_type, ret_mech_type;
- OM_uint32 lifetime;
- gss_name_t gname;
- isc_result_t result;
- unsigned char array[DNS_NAME_MAXTEXT + 1];
-
- isc_buffer_init(&namebuf, array, sizeof(array));
- name_to_gbuffer(name, &namebuf, &gnamebuf);
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
-
- if (intoken != NULL) {
- REGION_TO_GBUFFER(*intoken, gintoken);
- gintokenp = &gintoken;
- } else
- gintokenp = NULL;
-
- if (*context == NULL)
- *context = GSS_C_NO_CONTEXT;
- flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
- GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
- mech_type = GSS_C_NO_OID;
-
- gret = gss_init_sec_context(&minor, cred, context, gname,
- mech_type, flags, 0,
- GSS_C_NO_CHANNEL_BINDINGS, gintokenp,
- &ret_mech_type, &gouttoken, &ret_flags,
- &lifetime);
- if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED)
- return (ISC_R_FAILURE);
-
- GBUFFER_TO_REGION(gouttoken, r);
- RETERR(isc_buffer_copyregion(outtoken, &r));
-
- if (gret == GSS_S_COMPLETE)
- return (ISC_R_SUCCESS);
- else
- return (DNS_R_CONTINUE);
-
- out:
- return (result);
-}
-
-isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
-{
- isc_region_t r;
- isc_buffer_t namebuf;
- gss_buffer_desc gnamebuf, gintoken, gouttoken;
- OM_uint32 gret, minor, flags;
- gss_OID mech_type;
- OM_uint32 lifetime;
- gss_cred_id_t delegated_cred;
- gss_name_t gname;
- isc_result_t result;
- unsigned char array[DNS_NAME_MAXTEXT + 1];
-
- isc_buffer_init(&namebuf, array, sizeof(array));
- name_to_gbuffer(name, &namebuf, &gnamebuf);
- gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
-
- REGION_TO_GBUFFER(*intoken, gintoken);
-
- if (*context == NULL)
- *context = GSS_C_NO_CONTEXT;
-
- gret = gss_accept_sec_context(&minor, context, cred, &gintoken,
- GSS_C_NO_CHANNEL_BINDINGS, gname,
- &mech_type, &gouttoken, &flags,
- &lifetime, &delegated_cred);
- if (gret != GSS_S_COMPLETE)
- return (ISC_R_FAILURE);
-
- GBUFFER_TO_REGION(gouttoken, r);
- RETERR(isc_buffer_copyregion(outtoken, &r));
-
- return (ISC_R_SUCCESS);
-
- out:
- return (result);
-}
-
-#else
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
- UNUSED(name);
- UNUSED(initiate);
- UNUSED(cred);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
-{
- UNUSED(name);
- UNUSED(cred);
- UNUSED(intoken);
- UNUSED(outtoken);
- UNUSED(context);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context)
-{
- UNUSED(name);
- UNUSED(cred);
- UNUSED(intoken);
- UNUSED(outtoken);
- UNUSED(context);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-#endif
diff --git a/contrib/bind9/lib/dns/hmac_link.c b/contrib/bind9/lib/dns/hmac_link.c
deleted file mode 100644
index 762fceecb42f..000000000000
--- a/contrib/bind9/lib/dns/hmac_link.c
+++ /dev/null
@@ -1,282 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.1.4.1 2004/12/09 04:07:17 marka Exp $
- */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/hmacmd5.h>
-#include <isc/md5.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-
-#define HMAC_LEN 64
-#define HMAC_IPAD 0x36
-#define HMAC_OPAD 0x5c
-
-static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
-
-typedef struct hmackey {
- unsigned char key[HMAC_LEN];
-} HMAC_Key;
-
-static isc_result_t
-hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_hmacmd5_t *hmacmd5ctx;
- HMAC_Key *hkey = key->opaque;
-
- hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
- if (hmacmd5ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
- dctx->opaque = hmacmd5ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-hmacmd5_destroyctx(dst_context_t *dctx) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
-
- if (hmacmd5ctx != NULL) {
- isc_hmacmd5_invalidate(hmacmd5ctx);
- isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
-
- isc_hmacmd5_update(hmacmd5ctx, data->base, data->length);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
- unsigned char *digest;
-
- if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH)
- return (ISC_R_NOSPACE);
- digest = isc_buffer_used(sig);
- isc_hmacmd5_sign(hmacmd5ctx, digest);
- isc_buffer_add(sig, ISC_MD5_DIGESTLENGTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
-
- if (sig->length < ISC_MD5_DIGESTLENGTH)
- return (DST_R_VERIFYFAILURE);
-
- if (isc_hmacmd5_verify(hmacmd5ctx, sig->base))
- return (ISC_R_SUCCESS);
- else
- return (DST_R_VERIFYFAILURE);
-}
-
-static isc_boolean_t
-hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
- HMAC_Key *hkey1, *hkey2;
-
- hkey1 = (HMAC_Key *)key1->opaque;
- hkey2 = (HMAC_Key *)key2->opaque;
-
- if (hkey1 == NULL && hkey2 == NULL)
- return (ISC_TRUE);
- else if (hkey1 == NULL || hkey2 == NULL)
- return (ISC_FALSE);
-
- if (memcmp(hkey1->key, hkey2->key, HMAC_LEN) == 0)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
-}
-
-static isc_result_t
-hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
- isc_buffer_t b;
- isc_result_t ret;
- int bytes;
- unsigned char data[HMAC_LEN];
-
- bytes = (key->key_size + 7) / 8;
- if (bytes > 64) {
- bytes = 64;
- key->key_size = 512;
- }
-
- memset(data, 0, HMAC_LEN);
- ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
-
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_init(&b, data, bytes);
- isc_buffer_add(&b, bytes);
- ret = hmacmd5_fromdns(key, &b);
- memset(data, 0, HMAC_LEN);
-
- return (ret);
-}
-
-static isc_boolean_t
-hmacmd5_isprivate(const dst_key_t *key) {
- UNUSED(key);
- return (ISC_TRUE);
-}
-
-static void
-hmacmd5_destroy(dst_key_t *key) {
- HMAC_Key *hkey = key->opaque;
- memset(hkey, 0, sizeof(HMAC_Key));
- isc_mem_put(key->mctx, hkey, sizeof(HMAC_Key));
- key->opaque = NULL;
-}
-
-static isc_result_t
-hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
- HMAC_Key *hkey;
- unsigned int bytes;
-
- REQUIRE(key->opaque != NULL);
-
- hkey = (HMAC_Key *) key->opaque;
-
- bytes = (key->key_size + 7) / 8;
- if (isc_buffer_availablelength(data) < bytes)
- return (ISC_R_NOSPACE);
- isc_buffer_putmem(data, hkey->key, bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
- HMAC_Key *hkey;
- int keylen;
- isc_region_t r;
- isc_md5_t md5ctx;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- hkey = (HMAC_Key *) isc_mem_get(key->mctx, sizeof(HMAC_Key));
- if (hkey == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(hkey->key, 0, sizeof(hkey->key));
-
- if (r.length > HMAC_LEN) {
- isc_md5_init(&md5ctx);
- isc_md5_update(&md5ctx, r.base, r.length);
- isc_md5_final(&md5ctx, hkey->key);
- keylen = ISC_MD5_DIGESTLENGTH;
- }
- else {
- memcpy(hkey->key, r.base, r.length);
- keylen = r.length;
- }
-
- key->key_size = keylen * 8;
- key->opaque = hkey;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-hmacmd5_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- HMAC_Key *hkey;
- dst_private_t priv;
- int bytes = (key->key_size + 7) / 8;
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- hkey = (HMAC_Key *) key->opaque;
-
- priv.elements[cnt].tag = TAG_HMACMD5_KEY;
- priv.elements[cnt].length = bytes;
- priv.elements[cnt++].data = hkey->key;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t ret;
- isc_buffer_t b;
- isc_mem_t *mctx = key->mctx;
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_init(&b, priv.elements[0].data, priv.elements[0].length);
- isc_buffer_add(&b, priv.elements[0].length);
- ret = hmacmd5_fromdns(key, &b);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
-}
-
-static dst_func_t hmacmd5_functions = {
- hmacmd5_createctx,
- hmacmd5_destroyctx,
- hmacmd5_adddata,
- hmacmd5_sign,
- hmacmd5_verify,
- NULL, /* computesecret */
- hmacmd5_compare,
- NULL, /* paramcompare */
- hmacmd5_generate,
- hmacmd5_isprivate,
- hmacmd5_destroy,
- hmacmd5_todns,
- hmacmd5_fromdns,
- hmacmd5_tofile,
- hmacmd5_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__hmacmd5_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &hmacmd5_functions;
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/include/Makefile.in b/contrib/bind9/lib/dns/include/Makefile.in
deleted file mode 100644
index 92dfb3b816dd..000000000000
--- a/contrib/bind9/lib/dns/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.11.206.2 2004/12/09 04:07:19 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = dns dst
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/dns/include/dns/Makefile.in b/contrib/bind9/lib/dns/include/dns/Makefile.in
deleted file mode 100644
index 267bc8d01b00..000000000000
--- a/contrib/bind9/lib/dns/include/dns/Makefile.in
+++ /dev/null
@@ -1,54 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.43.2.1.10.6 2004/03/08 09:04:34 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h \
- cert.h compress.h \
- db.h dbiterator.h dbtable.h diff.h dispatch.h \
- dnssec.h ds.h events.h fixedname.h journal.h keyflags.h \
- keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
- message.h name.h ncache.h \
- nsec.h peer.h portlist.h rbt.h rcode.h \
- rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
- rdataslab.h rdatatype.h request.h resolver.h result.h \
- rootns.h sdb.h secalg.h secproto.h soa.h ssu.h \
- tcpmsg.h time.h tkey.h \
- tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
- zone.h zonekey.h zt.h
-
-GENHEADERS = enumclass.h enumtype.h rdatastruct.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dns
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dns ; \
- done
- for i in ${GENHEADERS}; do \
- ${INSTALL_DATA} $$i ${DESTDIR}${includedir}/dns ; \
- done
diff --git a/contrib/bind9/lib/dns/include/dns/acl.h b/contrib/bind9/lib/dns/include/dns/acl.h
deleted file mode 100644
index bc723f43bf99..000000000000
--- a/contrib/bind9/lib/dns/include/dns/acl.h
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: acl.h,v 1.20.52.3 2004/03/08 09:04:34 marka Exp $ */
-
-#ifndef DNS_ACL_H
-#define DNS_ACL_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Address match list handling.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/netaddr.h>
-#include <isc/refcount.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-typedef enum {
- dns_aclelementtype_ipprefix,
- dns_aclelementtype_keyname,
- dns_aclelementtype_nestedacl,
- dns_aclelementtype_localhost,
- dns_aclelementtype_localnets,
- dns_aclelementtype_any
-} dns_aclelemettype_t;
-
-typedef struct dns_aclipprefix dns_aclipprefix_t;
-
-struct dns_aclipprefix {
- isc_netaddr_t address; /* IP4/IP6 */
- unsigned int prefixlen;
-};
-
-struct dns_aclelement {
- dns_aclelemettype_t type;
- isc_boolean_t negative;
- union {
- dns_aclipprefix_t ip_prefix;
- dns_name_t keyname;
- dns_acl_t *nestedacl;
- } u;
-};
-
-struct dns_acl {
- unsigned int magic;
- isc_mem_t *mctx;
- isc_refcount_t refcount;
- dns_aclelement_t *elements;
- unsigned int alloc; /* Elements allocated */
- unsigned int length; /* Elements initialized */
- char *name; /* Temporary use only */
- ISC_LINK(dns_acl_t) nextincache; /* Ditto */
-};
-
-struct dns_aclenv {
- dns_acl_t *localhost;
- dns_acl_t *localnets;
- isc_boolean_t match_mapped;
-};
-
-#define DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l')
-#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
-/*
- * Create a new ACL with room for 'n' elements.
- * The elements are uninitialized and the length is 0.
- */
-
-isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
-/*
- * Append an element to an existing ACL.
- */
-
-isc_result_t
-dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
-/*
- * Create a new ACL that matches everything.
- */
-
-isc_result_t
-dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
-/*
- * Create a new ACL that matches nothing.
- */
-
-void
-dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
-
-void
-dns_acl_detach(dns_acl_t **aclp);
-
-isc_boolean_t
-dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
-
-isc_boolean_t
-dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
-
-isc_boolean_t
-dns_acl_isinsecure(dns_acl_t *a);
-/*
- * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
- * if it contains IP addresses other than those of the local host.
- * This is intended for applications such as printing warning
- * messages for suspect ACLs; it is not intended for making access
- * control decisions. We make no guarantee that an ACL for which
- * this function returns ISC_FALSE is safe.
- */
-
-isc_result_t
-dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
-
-void
-dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
-
-void
-dns_aclenv_destroy(dns_aclenv_t *env);
-
-isc_result_t
-dns_acl_match(isc_netaddr_t *reqaddr,
- dns_name_t *reqsigner,
- dns_acl_t *acl,
- dns_aclenv_t *env,
- int *match,
- dns_aclelement_t **matchelt);
-/*
- * General, low-level ACL matching. This is expected to
- * be useful even for weird stuff like the topology and sortlist statements.
- *
- * Match the address 'reqaddr', and optionally the key name 'reqsigner',
- * against 'acl'. 'reqsigner' may be NULL.
- *
- * If there is a positive match, '*match' will be set to a positive value
- * indicating the distance from the beginning of the list.
- *
- * If there is a negative match, '*match' will be set to a negative value
- * whose absolute value indicates the distance from the beginning of
- * the list.
- *
- * If there is a match (either positive or negative) and 'matchelt' is
- * non-NULL, *matchelt will be attached to the primitive
- * (non-indirect) address match list element that matched.
- *
- * If there is no match, *match will be set to zero.
- *
- * Returns:
- * ISC_R_SUCCESS Always succeeds.
- */
-
-isc_boolean_t
-dns_aclelement_match(isc_netaddr_t *reqaddr,
- dns_name_t *reqsigner,
- dns_aclelement_t *e,
- dns_aclenv_t *env,
- dns_aclelement_t **matchelt);
-/*
- * Like dns_acl_match, but matches against the single ACL element 'e'
- * rather than a complete list and returns ISC_TRUE iff it matched.
- * To determine whether the match was prositive or negative, the
- * caller should examine e->negative. Since the element 'e' may be
- * a reference to a named ACL or a nested ACL, the matching element
- * returned through 'matchelt' is not necessarily 'e' itself.
- */
-
-isc_result_t
-dns_acl_elementmatch(dns_acl_t *acl,
- dns_aclelement_t *elt,
- dns_aclelement_t **matchelt);
-/*
- * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
- * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
- * to the entry.
- *
- * This function is intended to be used for avoiding duplicated ACL entries
- * before adding an entry.
- *
- * Returns:
- * ISC_R_SUCCESS Match succeeds.
- * ISC_R_NOTFOUND Match fails.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ACL_H */
diff --git a/contrib/bind9/lib/dns/include/dns/adb.h b/contrib/bind9/lib/dns/include/dns/adb.h
deleted file mode 100644
index 7a17eff08690..000000000000
--- a/contrib/bind9/lib/dns/include/dns/adb.h
+++ /dev/null
@@ -1,596 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: adb.h,v 1.66.2.5.2.4 2004/03/06 08:13:50 marka Exp $ */
-
-#ifndef DNS_ADB_H
-#define DNS_ADB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Address Database
- *
- * This module implements an address database (ADB) for mapping a name
- * to an isc_sockaddr_t. It also provides statistical information on
- * how good that address might be.
- *
- * A client will pass in a dns_name_t, and the ADB will walk through
- * the rdataset looking up addresses associated with the name. If it
- * is found on the internal lists, a structure is filled in with the
- * address information and stats for found addresses.
- *
- * If the name cannot be found on the internal lists, a new entry will
- * be created for a name if all the information needed can be found
- * in the zone table or cache. This new address will then be returned.
- *
- * If a request must be made to remote servers to satisfy a name lookup,
- * this module will start fetches to try to complete these addresses. When
- * at least one more completes, an event is sent to the caller. If none of
- * them resolve before the fetch times out, an event indicating this is
- * sent instead.
- *
- * Records are stored internally until a timer expires. The timer is the
- * smaller of the TTL or signature validity period.
- *
- * Lameness is stored per-zone, and this data hangs off each address field.
- * When an address is marked lame for a given zone the address will not
- * be returned to a caller.
- *
- *
- * MP:
- *
- * The ADB takes care of all necessary locking.
- *
- * Only the task which initiated the name lookup can cancel the lookup.
- *
- *
- * Security:
- *
- * None, since all data stored is required to be pre-filtered.
- * (Cache needs to be sane, fetches return bounds-checked and sanity-
- * checked data, caller passes a good dns_name_t for the zone, etc)
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/sockaddr.h>
-
-#include <dns/types.h>
-#include <dns/view.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Magic number checks
- ***/
-
-#define DNS_ADBFIND_MAGIC ISC_MAGIC('a','d','b','H')
-#define DNS_ADBFIND_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFIND_MAGIC)
-#define DNS_ADBADDRINFO_MAGIC ISC_MAGIC('a','d','A','I')
-#define DNS_ADBADDRINFO_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBADDRINFO_MAGIC)
-
-
-/***
- *** TYPES
- ***/
-
-typedef struct dns_adbname dns_adbname_t;
-
-/* dns_adbfind_t
- *
- * Represents a lookup for a single name.
- *
- * On return, the client can safely use "list", and can reorder the list.
- * Items may not be _deleted_ from this list, however, or added to it
- * other than by using the dns_adb_*() API.
- */
-struct dns_adbfind {
- /* Public */
- unsigned int magic; /* RO: magic */
- dns_adbaddrinfolist_t list; /* RO: list of addrs */
- unsigned int query_pending; /* RO: partial list */
- unsigned int partial_result; /* RO: addrs missing */
- unsigned int options; /* RO: options */
- isc_result_t result_v4; /* RO: v4 result */
- isc_result_t result_v6; /* RO: v6 result */
- ISC_LINK(dns_adbfind_t) publink; /* RW: client use */
-
- /* Private */
- isc_mutex_t lock; /* locks all below */
- in_port_t port;
- int name_bucket;
- unsigned int flags;
- dns_adbname_t *adbname;
- dns_adb_t *adb;
- isc_event_t event;
- ISC_LINK(dns_adbfind_t) plink;
-};
-
-/*
- * _INET:
- * _INET6:
- * return addresses of that type.
- *
- * _EMPTYEVENT:
- * Only schedule an event if no addresses are known.
- * Must set _WANTEVENT for this to be meaningful.
- *
- * _WANTEVENT:
- * An event is desired. Check this bit in the returned find to see
- * if one will actually be generated.
- *
- * _AVOIDFETCHES:
- * If set, fetches will not be generated unless no addresses are
- * available in any of the address families requested.
- *
- * _STARTATZONE:
- * Fetches will start using the closest zone data or use the root servers.
- * This is useful for reestablishing glue that has expired.
- *
- * _GLUEOK:
- * _HINTOK:
- * Glue or hints are ok. These are used when matching names already
- * in the adb, and when dns databases are searched.
- *
- * _RETURNLAME:
- * Return lame servers in a find, so that all addresses are returned.
- *
- * _LAMEPRUNED:
- * At least one address was omitted from the list because it was lame.
- * This bit will NEVER be set if _RETURNLAME is set in the createfind().
- */
-#define DNS_ADBFIND_INET 0x00000001
-#define DNS_ADBFIND_INET6 0x00000002
-#define DNS_ADBFIND_ADDRESSMASK 0x00000003
-
-#define DNS_ADBFIND_EMPTYEVENT 0x00000004
-#define DNS_ADBFIND_WANTEVENT 0x00000008
-#define DNS_ADBFIND_AVOIDFETCHES 0x00000010
-#define DNS_ADBFIND_STARTATZONE 0x00000020
-#define DNS_ADBFIND_GLUEOK 0x00000040
-#define DNS_ADBFIND_HINTOK 0x00000080
-#define DNS_ADBFIND_RETURNLAME 0x00000100
-#define DNS_ADBFIND_LAMEPRUNED 0x00000200
-
-/* dns_adbaddrinfo_t
- *
- * The answers to queries come back as a list of these.
- */
-struct dns_adbaddrinfo {
- unsigned int magic; /* private */
-
- isc_sockaddr_t sockaddr; /* [rw] */
- unsigned int srtt; /* [rw] microseconds */
- unsigned int flags; /* [rw] */
- dns_adbentry_t *entry; /* private */
- ISC_LINK(dns_adbaddrinfo_t) publink;
-};
-
-/*
- * The event sent to the caller task is just a plain old isc_event_t. It
- * contains no data other than a simple status, passed in the "type" field
- * to indicate that another address resolved, or all partially resolved
- * addresses have failed to resolve.
- *
- * "sender" is the dns_adbfind_t used to issue this query.
- *
- * This is simply a standard event, with the "type" set to:
- *
- * DNS_EVENT_ADBMOREADDRESSES -- another address resolved.
- * DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
- * were canceled, or otherwise will
- * not be usable.
- * DNS_EVENT_ADBCANCELED -- The request was canceled by a
- * 3rd party.
- * DNS_EVENT_ADBNAMEDELETED -- The name was deleted, so this request
- * was canceled.
- *
- * In each of these cases, the addresses returned by the initial call
- * to dns_adb_createfind() can still be used until they are no longer needed.
- */
-
-/****
- **** FUNCTIONS
- ****/
-
-
-isc_result_t
-dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
- isc_taskmgr_t *taskmgr, dns_adb_t **newadb);
-/*
- * Create a new ADB.
- *
- * Notes:
- *
- * Generally, applications should not create an ADB directly, but
- * should instead call dns_view_createresolver().
- *
- * Requires:
- *
- * 'mem' must be a valid memory context.
- *
- * 'view' be a pointer to a valid view.
- *
- * 'tmgr' be a pointer to a valid timer manager.
- *
- * 'taskmgr' be a pointer to a valid task manager.
- *
- * 'newadb' != NULL && '*newadb' == NULL.
- *
- * Returns:
- *
- * ISC_R_SUCCESS after happiness.
- * ISC_R_NOMEMORY after resource allocation failure.
- */
-
-void
-dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
-/*
- * Attach to an 'adb' to 'adbp'.
- *
- * Requires:
- * 'adb' to be a valid dns_adb_t, created via dns_adb_create().
- * 'adbp' to be a valid pointer to a *dns_adb_t which is initialized
- * to NULL.
- */
-
-void
-dns_adb_detach(dns_adb_t **adb);
-/*
- * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
- *
- * Requires:
- *
- * 'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
- * dns_adb_create().
- */
-
-void
-dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp);
-/*
- * Send '*eventp' to 'task' when 'adb' has shutdown.
- *
- * Requires:
- *
- * '*adb' is a valid dns_adb_t.
- *
- * eventp != NULL && *eventp is a valid event.
- *
- * Ensures:
- *
- * *eventp == NULL
- *
- * The event's sender field is set to the value of adb when the event
- * is sent.
- */
-
-void
-dns_adb_shutdown(dns_adb_t *adb);
-/*
- * Shutdown 'adb'.
- *
- * Requires:
- *
- * '*adb' is a valid dns_adb_t.
- */
-
-isc_result_t
-dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
- void *arg, dns_name_t *name, dns_name_t *zone,
- unsigned int options, isc_stdtime_t now, dns_name_t *target,
- in_port_t port, dns_adbfind_t **find);
-/*
- * Main interface for clients. The adb will look up the name given in
- * "name" and will build up a list of found addresses, and perhaps start
- * internal fetches to resolve names that are unknown currently.
- *
- * If other addresses resolve after this call completes, an event will
- * be sent to the <task, taskaction, arg> with the sender of that event
- * set to a pointer to the dns_adbfind_t returned by this function.
- *
- * If no events will be generated, the *find->result_v4 and/or result_v6
- * members may be examined for address lookup status. The usual ISC_R_SUCCESS,
- * ISC_R_FAILURE, and DNS_R_NX{DOMAIN,RRSET} are returned, along with
- * ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values. In this
- * latter case, retrying may produce more addresses.
- *
- * If events will be returned, the result_v[46] members are only valid
- * when that event is actually returned.
- *
- * The list of addresses returned is unordered. The caller must impose
- * any ordering required. The list will not contain "known bad" addresses,
- * however. For instance, it will not return hosts that are known to be
- * lame for the zone in question.
- *
- * The caller cannot (directly) modify the contents of the address list's
- * fields other than the "link" field. All values can be read at any
- * time, however.
- *
- * The "now" parameter is used only for determining which entries that
- * have a specific time to live or expire time should be removed from
- * the running database. If specified as zero, the current time will
- * be retrieved and used.
- *
- * If 'target' is not NULL and 'name' is an alias (i.e. the name is
- * CNAME'd or DNAME'd to another name), then 'target' will be updated with
- * the domain name that 'name' is aliased to.
- *
- * All addresses returned will have the sockaddr's port set to 'port.'
- * The caller may change them directly in the dns_adbaddrinfo_t since
- * they are copies of the internal address only.
- *
- * XXXMLG Document options, especially the flags which control how
- * events are sent.
- *
- * Requires:
- *
- * *adb be a valid isc_adb_t object.
- *
- * If events are to be sent, *task be a valid task,
- * and isc_taskaction_t != NULL.
- *
- * *name is a valid dns_name_t.
- *
- * zone != NULL and *zone be a valid dns_name_t.
- *
- * target == NULL or target is a valid name with a buffer.
- *
- * find != NULL && *find == NULL.
- *
- * Returns:
- *
- * ISC_R_SUCCESS Addresses might have been returned, and events will be
- * delivered for unresolved addresses.
- * ISC_R_NOMORE Addresses might have been returned, but no events
- * will ever be posted for this context. This is only
- * returned if task != NULL.
- * ISC_R_NOMEMORY insufficient resources
- * DNS_R_ALIAS 'name' is an alias for another name.
- *
- * Calls, and returns error codes from:
- *
- * isc_stdtime_get()
- *
- * Notes:
- *
- * No internal reference to "name" exists after this function
- * returns.
- */
-
-void
-dns_adb_cancelfind(dns_adbfind_t *find);
-/*
- * Cancels the find, and sends the event off to the caller.
- *
- * It is an error to call dns_adb_cancelfind() on a find where
- * no event is wanted, or will ever be sent.
- *
- * Note:
- *
- * It is possible that the real completion event was posted just
- * before the dns_adb_cancelfind() call was made. In this case,
- * dns_adb_cancelfind() will do nothing. The event callback needs
- * to be prepared to find this situation (i.e. result is valid but
- * the caller expects it to be canceled).
- *
- * Requires:
- *
- * 'find' be a valid dns_adbfind_t pointer.
- *
- * events would have been posted to the task. This can be checked
- * with (find->options & DNS_ADBFIND_WANTEVENT).
- *
- * Ensures:
- *
- * The event was posted to the task.
- */
-
-void
-dns_adb_destroyfind(dns_adbfind_t **find);
-/*
- * Destroys the find reference.
- *
- * Note:
- *
- * This can only be called after the event was delivered for a
- * find. Additionally, the event MUST have been freed via
- * isc_event_free() BEFORE this function is called.
- *
- * Requires:
- *
- * 'find' != NULL and *find be valid dns_adbfind_t pointer.
- *
- * Ensures:
- *
- * No "address found" events will be posted to the originating task
- * after this function returns.
- */
-
-void
-dns_adb_dump(dns_adb_t *adb, FILE *f);
-/*
- * This function is only used for debugging. It will dump as much of the
- * state of the running system as possible.
- *
- * Requires:
- *
- * adb be valid.
- *
- * f != NULL, and is a file open for writing.
- */
-
-void
-dns_adb_dumpfind(dns_adbfind_t *find, FILE *f);
-/*
- * This function is only used for debugging. Dump the data associated
- * with a find.
- *
- * Requires:
- *
- * find is valid.
- *
- * f != NULL, and is a file open for writing.
- */
-
-isc_result_t
-dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
- isc_stdtime_t expire_time);
-/*
- * Mark the given address as lame for the zone "zone". expire_time should
- * be set to the time when the entry should expire. That is, if it is to
- * expire 10 minutes in the future, it should set it to (now + 10 * 60).
- *
- * Requires:
- *
- * adb be valid.
- *
- * addr be valid.
- *
- * zone be the zone used in the dns_adb_createfind() call.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- all is well.
- * ISC_R_NOMEMORY -- could not mark address as lame.
- */
-
-/*
- * A reasonable default for RTT adjustments
- */
-#define DNS_ADB_RTTADJDEFAULT 7 /* default scale */
-#define DNS_ADB_RTTADJREPLACE 0 /* replace with our rtt */
-#define DNS_ADB_RTTADJAGE 10 /* age this rtt */
-
-void
-dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
- unsigned int rtt, unsigned int factor);
-/*
- * Mix the round trip time into the existing smoothed rtt. The formula used
- * (where srtt is the existing rtt value, and rtt and factor are arguments to
- * this function):
- *
- * new_srtt = (old_srtt / 10 * factor) + (rtt / 10 * (10 - factor));
- *
- * XXXRTH Do we want to publish the formula? What if we want to change how
- * this works later on? Recommend/require that the units are
- * microseconds?
- *
- * Requires:
- *
- * adb be valid.
- *
- * addr be valid.
- *
- * 0 <= factor <= 10
- *
- * Note:
- *
- * The srtt in addr will be updated to reflect the new global
- * srtt value. This may include changes made by others.
- */
-
-void
-dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
- unsigned int bits, unsigned int mask);
-/*
- * Set the flags as given by:
- *
- * newflags = (oldflags & ~mask) | (bits & mask);
- *
- * Requires:
- *
- * adb be valid.
- *
- * addr be valid.
- */
-
-isc_result_t
-dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
- dns_adbaddrinfo_t **addrp, isc_stdtime_t now);
-/*
- * Return a dns_adbaddrinfo_t that is associated with address 'sa'.
- *
- * Requires:
- *
- * adb is valid.
- *
- * sa is valid.
- *
- * addrp != NULL && *addrp == NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_SHUTTINGDOWN
- */
-
-void
-dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp);
-/*
- * Free a dns_adbaddrinfo_t allocated by dns_adb_findaddrinfo().
- *
- * Requires:
- *
- * adb is valid.
- *
- * *addrp is a valid dns_adbaddrinfo_t *.
- */
-
-void
-dns_adb_flush(dns_adb_t *adb);
-/*
- * Flushes all cached data from the adb.
- *
- * Requires:
- * adb is valid.
- */
-
-void
-dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size);
-/*
- * Set a target memory size. If memory usage exceeds the target
- * size entries will be removed before they would have expired on
- * a random basis.
- *
- * If 'size' is 0 then memory usage is unlimited.
- *
- * Requires:
- * 'adb' is valid.
- */
-
-void
-dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
-/*
- * Flush 'name' from the adb cache.
- *
- * Requires:
- * 'adb' is valid.
- * 'name' is valid.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ADB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/bit.h b/contrib/bind9/lib/dns/include/dns/bit.h
deleted file mode 100644
index e4a7d20a8942..000000000000
--- a/contrib/bind9/lib/dns/include/dns/bit.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bit.h,v 1.7.206.1 2004/03/06 08:13:51 marka Exp $ */
-
-#ifndef DNS_BIT_H
-#define DNS_BIT_H 1
-
-#include <isc/int.h>
-#include <isc/boolean.h>
-
-typedef isc_uint64_t dns_bitset_t;
-
-#define DNS_BIT_SET(bit, bitset) \
- (*(bitset) |= ((dns_bitset_t)1 << (bit)))
-#define DNS_BIT_CLEAR(bit, bitset) \
- (*(bitset) &= ~((dns_bitset_t)1 << (bit)))
-#define DNS_BIT_CHECK(bit, bitset) \
- ISC_TF((*(bitset) & ((dns_bitset_t)1 << (bit))) \
- == ((dns_bitset_t)1 << (bit)))
-
-#endif /* DNS_BIT_H */
-
diff --git a/contrib/bind9/lib/dns/include/dns/byaddr.h b/contrib/bind9/lib/dns/include/dns/byaddr.h
deleted file mode 100644
index 8f69cd9e27ff..000000000000
--- a/contrib/bind9/lib/dns/include/dns/byaddr.h
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: byaddr.h,v 1.12.2.1.2.4 2004/03/08 09:04:34 marka Exp $ */
-
-#ifndef DNS_BYADDR_H
-#define DNS_BYADDR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS ByAddr
- *
- * The byaddr module provides reverse lookup services for IPv4 and IPv6
- * addresses.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * RFCs: 1034, 1035, 2181, <TBS>
- * Drafts: <TBS>
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * A 'dns_byaddrevent_t' is returned when a byaddr completes.
- * The sender field will be set to the byaddr that completed. If 'result'
- * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
- * with the address. The recipient of the event must not change the list
- * and must not refer to any of the name data after the event is freed.
- */
-typedef struct dns_byaddrevent {
- ISC_EVENT_COMMON(struct dns_byaddrevent);
- isc_result_t result;
- dns_namelist_t names;
-} dns_byaddrevent_t;
-
-/*
- * This option is deprecated since we now only consider nibbles.
-#define DNS_BYADDROPT_IPV6NIBBLE 0x0001
- */
-#define DNS_BYADDROPT_IPV6INT 0x0002
-
-isc_result_t
-dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
- unsigned int options, isc_task_t *task,
- isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp);
-/*
- * Find the domain name of 'address'.
- *
- * Notes:
- *
- * There is a reverse lookup format for IPv6 addresses, 'nibble'
- *
- * The 'nibble' format for that address is
- *
- * 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
- *
- * DNS_BYADDROPT_IPV6INT can be used to get nibble lookups under ip6.int.
- *
- * Requires:
- *
- * 'mctx' is a valid mctx.
- *
- * 'address' is a valid IPv4 or IPv6 address.
- *
- * 'view' is a valid view which has a resolver.
- *
- * 'task' is a valid task.
- *
- * byaddrp != NULL && *byaddrp == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
- * returned.
- */
-
-void
-dns_byaddr_cancel(dns_byaddr_t *byaddr);
-/*
- * Cancel 'byaddr'.
- *
- * Notes:
- *
- * If 'byaddr' has not completed, post its BYADDRDONE event with a
- * result code of ISC_R_CANCELED.
- *
- * Requires:
- *
- * 'byaddr' is a valid byaddr.
- */
-
-void
-dns_byaddr_destroy(dns_byaddr_t **byaddrp);
-/*
- * Destroy 'byaddr'.
- *
- * Requires:
- *
- * '*byaddrp' is a valid byaddr.
- *
- * The caller has received the BYADDRDONE event (either because the
- * byaddr completed or because dns_byaddr_cancel() was called).
- *
- * Ensures:
- *
- * *byaddrp == NULL.
- */
-
-isc_result_t
-dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
- dns_name_t *name);
-
-isc_result_t
-dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
- dns_name_t *name);
-/*
- * Creates a name that would be used in a PTR query for this address. The
- * nibble flag indicates that the 'nibble' format is to be used if an IPv6
- * address is provided, instead of the 'bitstring' format. Since we dropped
- * the support of the bitstring labels, it is expected that the flag is always
- * set. 'options' are the same as for dns_byaddr_create().
- *
- * Requires:
- *
- * 'address' is a valid address.
- * 'name' is a valid name with a dedicated buffer.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_BYADDR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/cache.h b/contrib/bind9/lib/dns/include/dns/cache.h
deleted file mode 100644
index 79c53de8f010..000000000000
--- a/contrib/bind9/lib/dns/include/dns/cache.h
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cache.h,v 1.17.12.3 2004/03/08 09:04:34 marka Exp $ */
-
-#ifndef DNS_CACHE_H
-#define DNS_CACHE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * cache
- *
- * Defines dns_cache_t, the cache object.
- *
- * Notes:
- * A cache object contains DNS data of a single class.
- * Multiple classes will be handled by creating multiple
- * views, each with a different class and its own cache.
- *
- * MP:
- * See notes at the individual functions.
- *
- * Reliability:
- *
- * Resources:
- *
- * Security:
- *
- * Standards:
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
- const char *db_type, unsigned int db_argc, char **db_argv,
- dns_cache_t **cachep);
-/*
- * Create a new DNS cache.
- *
- * Requires:
- *
- * 'mctx' is a valid memory context
- *
- * 'taskmgr' is a valid task manager and 'timermgr' is a valid timer
- * manager, or both are NULL. If NULL, no periodic cleaning of the
- * cache will take place.
- *
- * 'cachep' is a valid pointer, and *cachep == NULL
- *
- * Ensures:
- *
- * '*cachep' is attached to the newly created cache
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-void
-dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp);
-/*
- * Attach *targetp to cache.
- *
- * Requires:
- *
- * 'cache' is a valid cache.
- *
- * 'targetp' points to a NULL dns_cache_t *.
- *
- * Ensures:
- *
- * *targetp is attached to cache.
- */
-
-void
-dns_cache_detach(dns_cache_t **cachep);
-/*
- * Detach *cachep from its cache.
- *
- * Requires:
- *
- * 'cachep' points to a valid cache.
- *
- * Ensures:
- *
- * *cachep is NULL.
- *
- * If '*cachep' is the last reference to the cache,
- *
- * All resources used by the cache will be freed
- */
-
-void
-dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
-/*
- * Attach *dbp to the cache's database.
- *
- * Notes:
- *
- * This may be used to get a reference to the database for
- * the purpose of cache lookups (XXX currently it is also
- * the way to add data to the cache, but having a
- * separate dns_cache_add() interface instead would allow
- * more control over memory usage).
- * The caller should call dns_db_detach() on the reference
- * when it is no longer needed.
- *
- * Requires:
- *
- * 'cache' is a valid cache.
- *
- * 'dbp' points to a NULL dns_db *.
- *
- * Ensures:
- *
- * *dbp is attached to the database.
- */
-
-
-isc_result_t
-dns_cache_setfilename(dns_cache_t *cahce, char *filename);
-/*
- * If 'filename' is non-NULL, make the cache persistent.
- * The cache's data will be stored in the given file.
- * If 'filename' is NULL, make the cache non-persistent.
- * Files that are no longer used are not unlinked automatically.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * Various file-related failures
- */
-
-isc_result_t
-dns_cache_load(dns_cache_t *cache);
-/*
- * If the cache has a file name, load the cache contents from the file.
- * Previous cache contents are not discarded.
- * If no file name has been set, do nothing and return success.
- *
- * MT:
- * Multiple simultaneous attempts to load or dump the cache
- * will be serialized with respect to one another, but
- * the cache may be read and updated while the dump is
- * in progress. Updates performed during loading
- * may or may not be preserved, and reads may return
- * either the old or the newly loaded data.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * Various failures depending on the database implementation type
- */
-
-isc_result_t
-dns_cache_dump(dns_cache_t *cache);
-/*
- * If the cache has a file name, write the cache contents to disk,
- * overwriting any preexisting file. If no file name has been set,
- * do nothing and return success.
- *
- * MT:
- * Multiple simultaneous attempts to load or dump the cache
- * will be serialized with respect to one another, but
- * the cache may be read and updated while the dump is
- * in progress. Updates performed during the dump may
- * or may not be reflected in the dumped file.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * Various failures depending on the database implementation type
- */
-
-isc_result_t
-dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
-/*
- * Force immediate cleaning of the cache, freeing all rdatasets
- * whose TTL has expired as of 'now' and that have no pending
- * references.
- */
-
-void
-dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
-/*
- * Set the periodic cache cleaning interval to 'interval' seconds.
- */
-
-void
-dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size);
-/*
- * Set the maximum cache size. 0 means unlimited.
- */
-
-isc_result_t
-dns_cache_flush(dns_cache_t *cache);
-/*
- * Flushes all data from the cache.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_cache_flushname(dns_cache_t *cache, dns_name_t *name);
-/*
- * Flushes a given name from the cache.
- *
- * Requires:
- * 'cache' to be valid.
- * 'name' to be valid.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * other error returns.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CACHE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/callbacks.h b/contrib/bind9/lib/dns/include/dns/callbacks.h
deleted file mode 100644
index 9c2710a57ceb..000000000000
--- a/contrib/bind9/lib/dns/include/dns/callbacks.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: callbacks.h,v 1.15.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
-
-#ifndef DNS_CALLBACKS_H
-#define DNS_CALLBACKS_H 1
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-struct dns_rdatacallbacks {
- /*
- * dns_load_master calls this when it has rdatasets to commit.
- */
- dns_addrdatasetfunc_t add;
- /*
- * dns_load_master / dns_rdata_fromtext call this to issue a error.
- */
- void (*error)(struct dns_rdatacallbacks *, const char *, ...);
- /*
- * dns_load_master / dns_rdata_fromtext call this to issue a warning.
- */
- void (*warn)(struct dns_rdatacallbacks *, const char *, ...);
- /*
- * Private data handles for use by the above callback functions.
- */
- void *add_private;
- void *error_private;
- void *warn_private;
-};
-
-/***
- *** Initialization
- ***/
-
-void
-dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
-/*
- * Initialize 'callbacks'.
- * 'error' and 'warn' are set to default callbacks that print the
- * error message through the DNS library log context.
- *
- * All other elements are initialized to NULL.
- *
- * Requires:
- * 'callbacks' is a valid dns_rdatacallbacks_t,
- */
-
-void
-dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
-/*
- * Like dns_rdatacallbacks_init, but logs to stdio.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CALLBACKS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/cert.h b/contrib/bind9/lib/dns/include/dns/cert.h
deleted file mode 100644
index 28a3d4c45218..000000000000
--- a/contrib/bind9/lib/dns/include/dns/cert.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cert.h,v 1.12.206.1 2004/03/06 08:13:51 marka Exp $ */
-
-#ifndef DNS_CERT_H
-#define DNS_CERT_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a certificate type.
- * The text may contain either a mnemonic type name or a decimal type number.
- *
- * Requires:
- * 'certp' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_RANGE numeric type is out of range
- * DNS_R_UNKNOWN mnemonic type is unknown
- */
-
-isc_result_t
-dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
-/*
- * Put a textual representation of certificate type 'cert' into 'target'.
- *
- * Requires:
- * 'cert' is a valid cert.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_CERT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/compress.h b/contrib/bind9/lib/dns/include/dns/compress.h
deleted file mode 100644
index 0f6451cc6bf9..000000000000
--- a/contrib/bind9/lib/dns/include/dns/compress.h
+++ /dev/null
@@ -1,248 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: compress.h,v 1.29.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
-
-#ifndef DNS_COMPRESS_H
-#define DNS_COMPRESS_H 1
-
-#include <isc/lang.h>
-#include <isc/region.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_COMPRESS_NONE 0x00 /* no compression */
-#define DNS_COMPRESS_GLOBAL14 0x01 /* "normal" compression. */
-#define DNS_COMPRESS_ALL 0x01 /* all compression. */
-
-/*
- * Direct manipulation of the structures is strongly discouraged.
- */
-
-#define DNS_COMPRESS_TABLESIZE 64
-#define DNS_COMPRESS_INITIALNODES 16
-
-typedef struct dns_compressnode dns_compressnode_t;
-
-struct dns_compressnode {
- isc_region_t r;
- isc_uint16_t offset;
- isc_uint16_t count;
- isc_uint8_t labels;
- dns_compressnode_t *next;
-};
-
-struct dns_compress {
- unsigned int magic; /* Magic number. */
- unsigned int allowed; /* Allowed methods. */
- int edns; /* Edns version or -1. */
- /* Global compression table. */
- dns_compressnode_t *table[DNS_COMPRESS_TABLESIZE];
- /* Preallocated nodes for the table. */
- dns_compressnode_t initialnodes[DNS_COMPRESS_INITIALNODES];
- isc_uint16_t count; /* Number of nodes. */
- isc_mem_t *mctx; /* Memory context. */
-};
-
-typedef enum {
- DNS_DECOMPRESS_ANY, /* Any compression */
- DNS_DECOMPRESS_STRICT, /* Allowed compression */
- DNS_DECOMPRESS_NONE /* No compression */
-} dns_decompresstype_t;
-
-struct dns_decompress {
- unsigned int magic; /* Magic number. */
- unsigned int allowed; /* Allowed methods. */
- int edns; /* Edns version or -1. */
- dns_decompresstype_t type; /* Strict checking */
-};
-
-isc_result_t
-dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
-/*
- * Inialise the compression context structure pointed to by 'cctx'.
- *
- * Requires:
- * 'cctx' is a valid dns_compress_t structure.
- * 'mctx' is an initialized memory context.
- * Ensures:
- * cctx->global is initialized.
- *
- * Returns:
- * ISC_R_SUCCESS
- * failures from dns_rbt_create()
- */
-
-void
-dns_compress_invalidate(dns_compress_t *cctx);
-
-/*
- * Invalidate the compression structure pointed to by cctx.
- *
- * Requires:
- * 'cctx' to be initialized.
- */
-
-void
-dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed);
-
-/*
- * Sets allowed compression methods.
- *
- * Requires:
- * 'cctx' to be initialized.
- */
-
-unsigned int
-dns_compress_getmethods(dns_compress_t *cctx);
-
-/*
- * Gets allowed compression methods.
- *
- * Requires:
- * 'cctx' to be initialized.
- *
- * Returns:
- * allowed compression bitmap.
- */
-
-int
-dns_compress_getedns(dns_compress_t *cctx);
-
-/*
- * Gets edns value.
- *
- * Requires:
- * 'cctx' to be initialized.
- *
- * Returns:
- * -1 .. 255
- */
-
-isc_boolean_t
-dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
- dns_name_t *prefix, isc_uint16_t *offset);
-/*
- * Finds longest possible match of 'name' in the global compression table.
- *
- * Requires:
- * 'cctx' to be initialized.
- * 'name' to be a absolute name.
- * 'prefix' to be initialized.
- * 'offset' to point to an isc_uint16_t.
- *
- * Ensures:
- * 'prefix' and 'offset' are valid if ISC_TRUE is returned.
- *
- * Returns:
- * ISC_TRUE / ISC_FALSE
- */
-
-void
-dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
- isc_uint16_t offset);
-/*
- * Add compression pointers for 'name' to the compression table,
- * not replacing existing pointers.
- *
- * Requires:
- * 'cctx' initialized
- *
- * 'name' must be initialized and absolute, and must remain
- * valid until the message compression is complete.
- *
- * 'prefix' must be a prefix returned by
- * dns_compress_findglobal(), or the same as 'name'.
- */
-
-void
-dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset);
-
-/*
- * Remove any compression pointers from global table >= offset.
- *
- * Requires:
- * 'cctx' is initialized.
- */
-
-void
-dns_decompress_init(dns_decompress_t *dctx, int edns,
- dns_decompresstype_t type);
-
-/*
- * Initializes 'dctx'.
- * Records 'edns' and 'type' into the structure.
- *
- * Requires:
- * 'dctx' to be a valid pointer.
- */
-
-void
-dns_decompress_invalidate(dns_decompress_t *dctx);
-
-/*
- * Invalidates 'dctx'.
- *
- * Requires:
- * 'dctx' to be initialized
- */
-
-void
-dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
-
-/*
- * Sets 'dctx->allowed' to 'allowed'.
- *
- * Requires:
- * 'dctx' to be initialized
- */
-
-unsigned int
-dns_decompress_getmethods(dns_decompress_t *dctx);
-
-/*
- * Returns 'dctx->allowed'
- *
- * Requires:
- * 'dctx' to be initialized
- */
-
-int
-dns_decompress_edns(dns_decompress_t *dctx);
-
-/*
- * Returns 'dctx->edns'
- *
- * Requires:
- * 'dctx' to be initialized
- */
-
-dns_decompresstype_t
-dns_decompress_type(dns_decompress_t *dctx);
-
-/*
- * Returns 'dctx->type'
- *
- * Requires:
- * 'dctx' to be initialized
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_COMPRESS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/db.h b/contrib/bind9/lib/dns/include/dns/db.h
deleted file mode 100644
index 8e088823ac2e..000000000000
--- a/contrib/bind9/lib/dns/include/dns/db.h
+++ /dev/null
@@ -1,1271 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: db.h,v 1.67.12.8 2004/05/14 05:06:41 marka Exp $ */
-
-#ifndef DNS_DB_H
-#define DNS_DB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS DB
- *
- * The DNS DB interface allows named rdatasets to be stored and retrieved.
- *
- * The dns_db_t type is like a "virtual class". To actually use
- * DBs, an implementation of the class is required.
- *
- * XXX <more> XXX
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/ondestroy.h>
-#include <isc/stdtime.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-typedef struct dns_dbmethods {
- void (*attach)(dns_db_t *source, dns_db_t **targetp);
- void (*detach)(dns_db_t **dbp);
- isc_result_t (*beginload)(dns_db_t *db, dns_addrdatasetfunc_t *addp,
- dns_dbload_t **dbloadp);
- isc_result_t (*endload)(dns_db_t *db, dns_dbload_t **dbloadp);
- isc_result_t (*dump)(dns_db_t *db, dns_dbversion_t *version,
- const char *filename);
- void (*currentversion)(dns_db_t *db,
- dns_dbversion_t **versionp);
- isc_result_t (*newversion)(dns_db_t *db,
- dns_dbversion_t **versionp);
- void (*attachversion)(dns_db_t *db, dns_dbversion_t *source,
- dns_dbversion_t **targetp);
- void (*closeversion)(dns_db_t *db,
- dns_dbversion_t **versionp,
- isc_boolean_t commit);
- isc_result_t (*findnode)(dns_db_t *db, dns_name_t *name,
- isc_boolean_t create,
- dns_dbnode_t **nodep);
- isc_result_t (*find)(dns_db_t *db, dns_name_t *name,
- dns_dbversion_t *version,
- dns_rdatatype_t type, unsigned int options,
- isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset);
- isc_result_t (*findzonecut)(dns_db_t *db, dns_name_t *name,
- unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep,
- dns_name_t *foundname,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset);
- void (*attachnode)(dns_db_t *db,
- dns_dbnode_t *source,
- dns_dbnode_t **targetp);
- void (*detachnode)(dns_db_t *db,
- dns_dbnode_t **targetp);
- isc_result_t (*expirenode)(dns_db_t *db, dns_dbnode_t *node,
- isc_stdtime_t now);
- void (*printnode)(dns_db_t *db, dns_dbnode_t *node,
- FILE *out);
- isc_result_t (*createiterator)(dns_db_t *db,
- isc_boolean_t relative_names,
- dns_dbiterator_t **iteratorp);
- isc_result_t (*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version,
- dns_rdatatype_t type,
- dns_rdatatype_t covers,
- isc_stdtime_t now,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset);
- isc_result_t (*allrdatasets)(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version,
- isc_stdtime_t now,
- dns_rdatasetiter_t **iteratorp);
- isc_result_t (*addrdataset)(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version,
- isc_stdtime_t now,
- dns_rdataset_t *rdataset,
- unsigned int options,
- dns_rdataset_t *addedrdataset);
- isc_result_t (*subtractrdataset)(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version,
- dns_rdataset_t *rdataset,
- unsigned int options,
- dns_rdataset_t *newrdataset);
- isc_result_t (*deleterdataset)(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version,
- dns_rdatatype_t type,
- dns_rdatatype_t covers);
- isc_boolean_t (*issecure)(dns_db_t *db);
- unsigned int (*nodecount)(dns_db_t *db);
- isc_boolean_t (*ispersistent)(dns_db_t *db);
- void (*overmem)(dns_db_t *db, isc_boolean_t overmem);
- void (*settask)(dns_db_t *db, isc_task_t *);
-} dns_dbmethods_t;
-
-typedef isc_result_t
-(*dns_dbcreatefunc_t)(isc_mem_t *mctx, dns_name_t *name,
- dns_dbtype_t type, dns_rdataclass_t rdclass,
- unsigned int argc, char *argv[], void *driverarg,
- dns_db_t **dbp);
-
-#define DNS_DB_MAGIC ISC_MAGIC('D','N','S','D')
-#define DNS_DB_VALID(db) ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
-
-/*
- * This structure is actually just the common prefix of a DNS db
- * implementation's version of a dns_db_t.
- *
- * Direct use of this structure by clients is forbidden. DB implementations
- * may change the structure. 'magic' must be DNS_DB_MAGIC for any of the
- * dns_db_ routines to work. DB implementations must maintain all DB
- * invariants.
- */
-struct dns_db {
- unsigned int magic;
- unsigned int impmagic;
- dns_dbmethods_t * methods;
- isc_uint16_t attributes;
- dns_rdataclass_t rdclass;
- dns_name_t origin;
- isc_ondestroy_t ondest;
- isc_mem_t * mctx;
-};
-
-#define DNS_DBATTR_CACHE 0x01
-#define DNS_DBATTR_STUB 0x02
-
-/*
- * Options that can be specified for dns_db_find().
- */
-#define DNS_DBFIND_GLUEOK 0x01
-#define DNS_DBFIND_VALIDATEGLUE 0x02
-#define DNS_DBFIND_NOWILD 0x04
-#define DNS_DBFIND_PENDINGOK 0x08
-#define DNS_DBFIND_NOEXACT 0x10
-#define DNS_DBFIND_FORCENSEC 0x20
-#define DNS_DBFIND_COVERINGNSEC 0x40
-
-/*
- * Options that can be specified for dns_db_addrdataset().
- */
-#define DNS_DBADD_MERGE 0x01
-#define DNS_DBADD_FORCE 0x02
-#define DNS_DBADD_EXACT 0x04
-#define DNS_DBADD_EXACTTTL 0x08
-
-/*
- * Options that can be specified for dns_db_subtractrdataset().
- */
-#define DNS_DBSUB_EXACT 0x01
-
-/*****
- ***** Methods
- *****/
-
-/***
- *** Basic DB Methods
- ***/
-
-isc_result_t
-dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
- dns_dbtype_t type, dns_rdataclass_t rdclass,
- unsigned int argc, char *argv[], dns_db_t **dbp);
-/*
- * Create a new database using implementation 'db_type'.
- *
- * Notes:
- * All names in the database must be subdomains of 'origin' and in class
- * 'rdclass'. The database makes its own copy of the origin, so the
- * caller may do whatever they like with 'origin' and its storage once the
- * call returns.
- *
- * DB implementation-specific parameters are passed using argc and argv.
- *
- * Requires:
- *
- * dbp != NULL and *dbp == NULL
- *
- * 'origin' is a valid absolute domain name.
- *
- * mctx is a valid memory context
- *
- * Ensures:
- *
- * A copy of 'origin' has been made for the databases use, and the
- * caller is free to do whatever they want with the name and storage
- * associated with 'origin'.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_NOTFOUND db_type not found
- *
- * Many other errors are possible, depending on what db_type was
- * specified.
- */
-
-void
-dns_db_attach(dns_db_t *source, dns_db_t **targetp);
-/*
- * Attach *targetp to source.
- *
- * Requires:
- *
- * 'source' is a valid database.
- *
- * 'targetp' points to a NULL dns_db_t *.
- *
- * Ensures:
- *
- * *targetp is attached to source.
- */
-
-void
-dns_db_detach(dns_db_t **dbp);
-/*
- * Detach *dbp from its database.
- *
- * Requires:
- *
- * 'dbp' points to a valid database.
- *
- * Ensures:
- *
- * *dbp is NULL.
- *
- * If '*dbp' is the last reference to the database,
- *
- * All resources used by the database will be freed
- */
-
-isc_result_t
-dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp);
-/*
- * Causes 'eventp' to be sent to be sent to 'task' when the database is
- * destroyed.
- *
- * Note; ownership of the eventp is taken from the caller (and *eventp is
- * set to NULL). The sender field of the event is set to 'db' before it is
- * sent to the task.
- */
-
-isc_boolean_t
-dns_db_iscache(dns_db_t *db);
-/*
- * Does 'db' have cache semantics?
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * Returns:
- * ISC_TRUE 'db' has cache semantics
- * ISC_FALSE otherwise
- */
-
-isc_boolean_t
-dns_db_iszone(dns_db_t *db);
-/*
- * Does 'db' have zone semantics?
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * Returns:
- * ISC_TRUE 'db' has zone semantics
- * ISC_FALSE otherwise
- */
-
-isc_boolean_t
-dns_db_isstub(dns_db_t *db);
-/*
- * Does 'db' have stub semantics?
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * Returns:
- * ISC_TRUE 'db' has zone semantics
- * ISC_FALSE otherwise
- */
-
-isc_boolean_t
-dns_db_issecure(dns_db_t *db);
-/*
- * Is 'db' secure?
- *
- * Requires:
- *
- * 'db' is a valid database with zone semantics.
- *
- * Returns:
- * ISC_TRUE 'db' is secure.
- * ISC_FALSE 'db' is not secure.
- */
-
-dns_name_t *
-dns_db_origin(dns_db_t *db);
-/*
- * The origin of the database.
- *
- * Note: caller must not try to change this name.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * Returns:
- *
- * The origin of the database.
- */
-
-dns_rdataclass_t
-dns_db_class(dns_db_t *db);
-/*
- * The class of the database.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * Returns:
- *
- * The class of the database.
- */
-
-isc_result_t
-dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
- dns_dbload_t **dbloadp);
-/*
- * Begin loading 'db'.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * This is the first attempt to load 'db'.
- *
- * addp != NULL && *addp == NULL
- *
- * dbloadp != NULL && *dbloadp == NULL
- *
- * Ensures:
- *
- * On success, *addp will be a valid dns_addrdatasetfunc_t suitable
- * for loading 'db'. *dbloadp will be a valid DB load context which
- * should be used as 'arg' when *addp is called.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Other results are possible, depending upon the database
- * implementation used, syntax errors in the master file, etc.
- */
-
-isc_result_t
-dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp);
-/*
- * Finish loading 'db'.
- *
- * Requires:
- *
- * 'db' is a valid database that is being loaded.
- *
- * dbloadp != NULL and *dbloadp is a valid database load context.
- *
- * Ensures:
- *
- * *dbloadp == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Other results are possible, depending upon the database
- * implementation used, syntax errors in the master file, etc.
- */
-
-isc_result_t
-dns_db_load(dns_db_t *db, const char *filename);
-/*
- * Load master file 'filename' into 'db'.
- *
- * Notes:
- * This routine is equivalent to calling
- *
- * dns_db_beginload();
- * dns_master_loadfile();
- * dns_db_endload();
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * This is the first attempt to load 'db'.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Other results are possible, depending upon the database
- * implementation used, syntax errors in the master file, etc.
- */
-
-isc_result_t
-dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
-/*
- * Dump version 'version' of 'db' to master file 'filename'.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'version' is a valid version.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Other results are possible, depending upon the database
- * implementation used, OS file errors, etc.
- */
-
-/***
- *** Version Methods
- ***/
-
-void
-dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp);
-/*
- * Open the current version for reading.
- *
- * Requires:
- *
- * 'db' is a valid database with zone semantics.
- *
- * versionp != NULL && *verisonp == NULL
- *
- * Ensures:
- *
- * On success, '*versionp' is attached to the current version.
- *
- */
-
-isc_result_t
-dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
-/*
- * Open a new version for reading and writing.
- *
- * Requires:
- *
- * 'db' is a valid database with zone semantics.
- *
- * versionp != NULL && *verisonp == NULL
- *
- * Ensures:
- *
- * On success, '*versionp' is attached to the current version.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Other results are possible, depending upon the database
- * implementation used.
- */
-
-void
-dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
- dns_dbversion_t **targetp);
-/*
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- *
- * 'db' is a valid database with zone semantics.
- *
- * source is a valid open version
- *
- * targetp != NULL && *targetp == NULL
- *
- * Ensures:
- *
- * '*targetp' is attached to source.
- */
-
-void
-dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
- isc_boolean_t commit);
-/*
- * Close version '*versionp'.
- *
- * Note: if '*versionp' is a read-write version and 'commit' is ISC_TRUE,
- * then all changes made in the version will take effect, otherwise they
- * will be rolled back. The value if 'commit' is ignored for read-only
- * versions.
- *
- * Requires:
- *
- * 'db' is a valid database with zone semantics.
- *
- * '*versionp' refers to a valid version.
- *
- * If committing a writable version, then there must be no other
- * outstanding references to the version (e.g. an active rdataset
- * iterator).
- *
- * Ensures:
- *
- * *versionp == NULL
- *
- * If *versionp is a read-write version, and commit is ISC_TRUE, then
- * the version will become the current version. If !commit, then all
- * changes made in the version will be undone, and the version will
- * not become the current version.
- */
-
-/***
- *** Node Methods
- ***/
-
-isc_result_t
-dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
- dns_dbnode_t **nodep);
-/*
- * Find the node with name 'name'.
- *
- * Notes:
- * If 'create' is ISC_TRUE and no node with name 'name' exists, then
- * such a node will be created.
- *
- * This routine is for finding or creating a node with the specified
- * name. There are no partial matches. It is not suitable for use
- * in building responses to ordinary DNS queries; clients which wish
- * to do that should use dns_db_find() instead.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'name' is a valid, non-empty, absolute name.
- *
- * nodep != NULL && *nodep == NULL
- *
- * Ensures:
- *
- * On success, *nodep is attached to the node with name 'name'.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND If !create and name not found.
- * ISC_R_NOMEMORY Can only happen if create is ISC_TRUE.
- *
- * Other results are possible, depending upon the database
- * implementation used.
- */
-
-isc_result_t
-dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
- dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
- * Find the best match for 'name' and 'type' in version 'version' of 'db'.
- *
- * Notes:
- *
- * If type == dns_rdataset_any, then rdataset will not be bound.
- *
- * If 'options' does not have DNS_DBFIND_GLUEOK set, then no glue will
- * be returned. For zone databases, glue is as defined in RFC 2181.
- * For cache databases, glue is any rdataset with a trust of
- * dns_trust_glue.
- *
- * If 'options' does not have DNS_DBFIND_PENDINGOK set, then no
- * pending data will be returned. This option is only meaningful for
- * cache databases.
- *
- * If the DNS_DBFIND_NOWILD option is set, then wildcard matching will
- * be disabled. This option is only meaningful for zone databases.
- *
- * If the DNS_DBFIND_FORCENSEC option is set, the database is assumed to
- * have NSEC records, and these will be returned when appropriate. This
- * is only necessary when querying a database that was not secure
- * when created.
- *
- * If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
- * NSEC record that potentially covers 'name' if a answer cannot
- * be found. Note the returned NSEC needs to be checked to ensure
- * that it is correct. This only affects answers returned from the
- * cache.
- *
- * To respond to a query for SIG records, the caller should create a
- * rdataset iterator and extract the signatures from each rdataset.
- *
- * Making queries of type ANY with DNS_DBFIND_GLUEOK is not recommended,
- * because the burden of determining whether a given rdataset is valid
- * glue or not falls upon the caller.
- *
- * The 'now' field is ignored if 'db' is a zone database. If 'db' is a
- * cache database, an rdataset will not be found unless it expires after
- * 'now'. Any ANY query will not match unless at least one rdataset at
- * the node expires after 'now'. If 'now' is zero, then the current time
- * will be used.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
- *
- * 'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
- *
- * 'foundname' is a valid name with a dedicated buffer.
- *
- * 'rdataset' is NULL, or is a valid unassociated rdataset.
- *
- * Ensures:
- * On a non-error completion:
- *
- * If nodep != NULL, then it is bound to the found node.
- *
- * If foundname != NULL, then it contains the full name of the
- * found node.
- *
- * If rdataset != NULL and type != dns_rdatatype_any, then
- * rdataset is bound to the found rdataset.
- *
- * Returns:
- *
- * Non-error results are:
- *
- * ISC_R_SUCCESS The desired node and type were
- * found.
- *
- * DNS_R_WILDCARD The desired node and type were
- * found after performing
- * wildcard matching. This is
- * only returned if the
- * DNS_DBFIND_INDICATEWILD
- * option is set; otherwise
- * ISC_R_SUCCESS is returned.
- *
- * DNS_R_GLUE The desired node and type were
- * found, but are glue. This
- * result can only occur if
- * the DNS_DBFIND_GLUEOK option
- * is set. This result can only
- * occur if 'db' is a zone
- * database. If type ==
- * dns_rdatatype_any, then the
- * node returned may contain, or
- * consist entirely of invalid
- * glue (i.e. data occluded by a
- * zone cut). The caller must
- * take care not to return invalid
- * glue to a client.
- *
- * DNS_R_DELEGATION The data requested is beneath
- * a zone cut. node, foundname,
- * and rdataset reference the
- * NS RRset of the zone cut.
- * If 'db' is a cache database,
- * then this is the deepest known
- * delegation.
- *
- * DNS_R_ZONECUT type == dns_rdatatype_any, and
- * the desired node is a zonecut.
- * The caller must take care not
- * to return inappropriate glue
- * to a client. This result can
- * only occur if 'db' is a zone
- * database and DNS_DBFIND_GLUEOK
- * is set.
- *
- * DNS_R_DNAME The data requested is beneath
- * a DNAME. node, foundname,
- * and rdataset reference the
- * DNAME RRset.
- *
- * DNS_R_CNAME The rdataset requested was not
- * found, but there is a CNAME
- * at the desired name. node,
- * foundname, and rdataset
- * reference the CNAME RRset.
- *
- * DNS_R_NXDOMAIN The desired name does not
- * exist.
- *
- * DNS_R_NXRRSET The desired name exists, but
- * the desired type does not.
- *
- * ISC_R_NOTFOUND The desired name does not
- * exist, and no delegation could
- * be found. This result can only
- * occur if 'db' is a cache
- * database. The caller should
- * use its nameserver(s) of last
- * resort (e.g. root hints).
- *
- * DNS_R_NCACHENXDOMAIN The desired name does not
- * exist. 'node' is bound to the
- * cache node with the desired
- * name, and 'rdataset' contains
- * the negative caching proof.
- *
- * DNS_R_NCACHENXRRSET The desired type does not
- * exist. 'node' is bound to the
- * cache node with the desired
- * name, and 'rdataset' contains
- * the negative caching proof.
- *
- * DNS_R_EMPTYNAME The name exists but there is
- * no data at the name.
- *
- * DNS_R_COVERINGNSEC The returned data is a NSEC
- * that potentially covers 'name'.
- *
- * Error results:
- *
- * ISC_R_NOMEMORY
- *
- * DNS_R_BADDB Data that is required to be
- * present in the DB, e.g. an NSEC
- * record in a secure zone, is not
- * present.
- *
- * Other results are possible, and should all be treated as
- * errors.
- */
-
-isc_result_t
-dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
- unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
- * Find the deepest known zonecut which encloses 'name' in 'db'.
- *
- * Notes:
- *
- * If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
- * (if any) will be the deepest known ancestor of 'name'.
- *
- * If 'now' is zero, then the current time will be used.
- *
- * Requires:
- *
- * 'db' is a valid database with cache semantics.
- *
- * 'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
- *
- * 'foundname' is a valid name with a dedicated buffer.
- *
- * 'rdataset' is NULL, or is a valid unassociated rdataset.
- *
- * Ensures:
- * On a non-error completion:
- *
- * If nodep != NULL, then it is bound to the found node.
- *
- * If foundname != NULL, then it contains the full name of the
- * found node.
- *
- * If rdataset != NULL and type != dns_rdatatype_any, then
- * rdataset is bound to the found rdataset.
- *
- * Returns:
- *
- * Non-error results are:
- *
- * ISC_R_SUCCESS
- *
- * ISC_R_NOTFOUND
- *
- * Other results are possible, and should all be treated as
- * errors.
- */
-
-void
-dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
-/*
- * Attach *targetp to source.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'source' is a valid node.
- *
- * 'targetp' points to a NULL dns_node_t *.
- *
- * Ensures:
- *
- * *targetp is attached to source.
- */
-
-void
-dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
-/*
- * Detach *nodep from its node.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'nodep' points to a valid node.
- *
- * Ensures:
- *
- * *nodep is NULL.
- */
-
-isc_result_t
-dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
-/*
- * Mark as stale all records at 'node' which expire at or before 'now'.
- *
- * Note: if 'now' is zero, then the current time will be used.
- *
- * Requires:
- *
- * 'db' is a valid cache database.
- *
- * 'node' is a valid node.
- */
-
-void
-dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
-/*
- * Print a textual representation of the contents of the node to
- * 'out'.
- *
- * Note: this function is intended for debugging, not general use.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'node' is a valid node.
- */
-
-/***
- *** DB Iterator Creation
- ***/
-
-isc_result_t
-dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
- dns_dbiterator_t **iteratorp);
-/*
- * Create an iterator for version 'version' of 'db'.
- *
- * Notes:
- *
- * If 'relative_names' is ISC_TRUE, then node names returned by the
- * iterator will be relative to the iterator's current origin. If
- * ISC_FALSE, then the node names will be absolute.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * iteratorp != NULL && *iteratorp == NULL
- *
- * Ensures:
- *
- * On success, *iteratorp will be a valid database iterator.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-/***
- *** Rdataset Methods
- ***/
-
-/*
- * XXXRTH Should we check for glue and pending data in dns_db_findrdataset()?
- */
-
-isc_result_t
-dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset);
-/*
- * Search for an rdataset of type 'type' at 'node' that are in version
- * 'version' of 'db'. If found, make 'rdataset' refer to it.
- *
- * Notes:
- *
- * If 'version' is NULL, then the current version will be used.
- *
- * Care must be used when using this routine to build a DNS response:
- * 'node' should have been found with dns_db_find(), not
- * dns_db_findnode(). No glue checking is done. No checking for
- * pending data is done.
- *
- * The 'now' field is ignored if 'db' is a zone database. If 'db' is a
- * cache database, an rdataset will not be found unless it expires after
- * 'now'. If 'now' is zero, then the current time will be used.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'node' is a valid node.
- *
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * 'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
- *
- * If 'covers' != 0, 'type' must be SIG.
- *
- * 'type' is not a meta-RR type such as 'ANY' or 'OPT'.
- *
- * Ensures:
- *
- * On success, 'rdataset' is associated with the found rdataset.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- *
- * Other results are possible, depending upon the database
- * implementation used.
- */
-
-isc_result_t
-dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
-/*
- * Make '*iteratorp' an rdataset iteratator for all rdatasets at 'node' in
- * version 'version' of 'db'.
- *
- * Notes:
- *
- * If 'version' is NULL, then the current version will be used.
- *
- * The 'now' field is ignored if 'db' is a zone database. If 'db' is a
- * cache database, an rdataset will not be found unless it expires after
- * 'now'. Any ANY query will not match unless at least one rdataset at
- * the node expires after 'now'. If 'now' is zero, then the current time
- * will be used.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'node' is a valid node.
- *
- * iteratorp != NULL && *iteratorp == NULL
- *
- * Ensures:
- *
- * On success, '*iteratorp' is a valid rdataset iterator.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- *
- * Other results are possible, depending upon the database
- * implementation used.
- */
-
-isc_result_t
-dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- unsigned int options, dns_rdataset_t *addedrdataset);
-/*
- * Add 'rdataset' to 'node' in version 'version' of 'db'.
- *
- * Notes:
- *
- * If the database has zone semantics, the DNS_DBADD_MERGE option is set,
- * and an rdataset of the same type as 'rdataset' already exists at
- * 'node' then the contents of 'rdataset' will be merged with the existing
- * rdataset. If the option is not set, then rdataset will replace any
- * existing rdataset of the same type. If not merging and the
- * DNS_DBADD_FORCE option is set, then the data will update the database
- * without regard to trust levels. If not forcing the data, then the
- * rdataset will only be added if its trust level is >= the trust level of
- * any existing rdataset. Forcing is only meaningful for cache databases.
- * If DNS_DBADD_EXACT is set then there must be no rdata in common between
- * the old and new rdata sets. If DNS_DBADD_EXACTTTL is set then both
- * the old and new rdata sets must have the same ttl.
- *
- * The 'now' field is ignored if 'db' is a zone database. If 'db' is
- * a cache database, then the added rdataset will expire no later than
- * now + rdataset->ttl.
- *
- * If 'addedrdataset' is not NULL, then it will be attached to the
- * resulting new rdataset in the database, or to the existing data if
- * the existing data was better.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'node' is a valid node.
- *
- * 'rdataset' is a valid, associated rdataset with the same class
- * as 'db'.
- *
- * 'addedrdataset' is NULL, or a valid, unassociated rdataset.
- *
- * The database has zone semantics and 'version' is a valid
- * read-write version, or the database has cache semantics
- * and version is NULL.
- *
- * If the database has cache semantics, the DNS_DBADD_MERGE option must
- * not be set.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * DNS_R_UNCHANGED The operation did not change anything.
- * ISC_R_NOMEMORY
- * DNS_R_NOTEXACT
- *
- * Other results are possible, depending upon the database
- * implementation used.
- */
-
-isc_result_t
-dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version, dns_rdataset_t *rdataset,
- unsigned int options, dns_rdataset_t *newrdataset);
-/*
- * Remove any rdata in 'rdataset' from 'node' in version 'version' of
- * 'db'.
- *
- * Notes:
- *
- * If 'newrdataset' is not NULL, then it will be attached to the
- * resulting new rdataset in the database, unless the rdataset has
- * become nonexistent. If DNS_DBSUB_EXACT is set then all elements
- * of 'rdataset' must exist at 'node'.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'node' is a valid node.
- *
- * 'rdataset' is a valid, associated rdataset with the same class
- * as 'db'.
- *
- * 'newrdataset' is NULL, or a valid, unassociated rdataset.
- *
- * The database has zone semantics and 'version' is a valid
- * read-write version.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * DNS_R_UNCHANGED The operation did not change anything.
- * DNS_R_NXRRSET All rdata of the same type as those
- * in 'rdataset' have been deleted.
- * DNS_R_NOTEXACT Some part of 'rdataset' did not
- * exist and DNS_DBSUB_EXACT was set.
- *
- * Other results are possible, depending upon the database
- * implementation used.
- */
-
-isc_result_t
-dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version, dns_rdatatype_t type,
- dns_rdatatype_t covers);
-/*
- * Make it so that no rdataset of type 'type' exists at 'node' in version
- * version 'version' of 'db'.
- *
- * Notes:
- *
- * If 'type' is dns_rdatatype_any, then no rdatasets will exist in
- * 'version' (provided that the dns_db_deleterdataset() isn't followed
- * by one or more dns_db_addrdataset() calls).
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * 'node' is a valid node.
- *
- * The database has zone semantics and 'version' is a valid
- * read-write version, or the database has cache semantics
- * and version is NULL.
- *
- * 'type' is not a meta-RR type, except for dns_rdatatype_any, which is
- * allowed.
- *
- * If 'covers' != 0, 'type' must be SIG.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * DNS_R_UNCHANGED No rdatasets of 'type' existed before
- * the operation was attempted.
- *
- * Other results are possible, depending upon the database
- * implementation used.
- */
-
-isc_result_t
-dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
-/*
- * Get the current SOA serial number from a zone database.
- *
- * Requires:
- * 'db' is a valid database with zone semantics.
- * 'ver' is a valid version.
- */
-
-void
-dns_db_overmem(dns_db_t *db, isc_boolean_t overmem);
-/*
- * Enable / disable agressive cache cleaning.
- */
-
-unsigned int
-dns_db_nodecount(dns_db_t *db);
-/*
- * Count the number of nodes in 'db'.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * Returns:
- * The number of nodes in the database
- */
-
-void
-dns_db_settask(dns_db_t *db, isc_task_t *task);
-/*
- * If task is set then the final detach maybe performed asynchronously.
- *
- * Requires:
- * 'db' is a valid database.
- * 'task' to be valid or NULL.
- */
-
-isc_boolean_t
-dns_db_ispersistent(dns_db_t *db);
-/*
- * Is 'db' persistent? A persistent database does not need to be loaded
- * from disk or written to disk.
- *
- * Requires:
- *
- * 'db' is a valid database.
- *
- * Returns:
- * ISC_TRUE 'db' is persistent.
- * ISC_FALSE 'db' is not persistent.
- */
-
-isc_result_t
-dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
- isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
-
-/*
- * Register a new database implementation and add it to the list of
- * supported implementations.
- *
- * Requires:
- *
- * 'name' is not NULL
- * 'order' is a valid function pointer
- * 'mctx' is a valid memory context
- * dbimp != NULL && *dbimp == NULL
- *
- * Returns:
- * ISC_R_SUCCESS The registration succeeded
- * ISC_R_NOMEMORY Out of memory
- * ISC_R_EXISTS A database implementation with the same name exists
- *
- * Ensures:
- *
- * *dbimp points to an opaque structure which must be passed to
- * dns_db_unregister().
- */
-
-void
-dns_db_unregister(dns_dbimplementation_t **dbimp);
-/*
- * Remove a database implementation from the the list of supported
- * implementations. No databases of this type can be active when this
- * is called.
- *
- * Requires:
- * dbimp != NULL && *dbimp == NULL
- *
- * Ensures:
- *
- * Any memory allocated in *dbimp will be freed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dbiterator.h b/contrib/bind9/lib/dns/include/dns/dbiterator.h
deleted file mode 100644
index 8b8cb1b37d22..000000000000
--- a/contrib/bind9/lib/dns/include/dns/dbiterator.h
+++ /dev/null
@@ -1,298 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dbiterator.h,v 1.18.206.1 2004/03/06 08:13:54 marka Exp $ */
-
-#ifndef DNS_DBITERATOR_H
-#define DNS_DBITERATOR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS DB Iterator
- *
- * The DNS DB Iterator interface allows iteration of all of the nodes in a
- * database.
- *
- * The dns_dbiterator_t type is like a "virtual class". To actually use
- * it, an implementation of the class is required. This implementation is
- * supplied by the database.
- *
- * It is the client's responsibility to call dns_db_detachnode() on all
- * nodes returned.
- *
- * XXX <more> XXX
- *
- * MP:
- * The iterator itself is not locked. The caller must ensure
- * synchronization.
- *
- * The iterator methods ensure appropriate database locking.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-typedef struct dns_dbiteratormethods {
- void (*destroy)(dns_dbiterator_t **iteratorp);
- isc_result_t (*first)(dns_dbiterator_t *iterator);
- isc_result_t (*last)(dns_dbiterator_t *iterator);
- isc_result_t (*seek)(dns_dbiterator_t *iterator, dns_name_t *name);
- isc_result_t (*prev)(dns_dbiterator_t *iterator);
- isc_result_t (*next)(dns_dbiterator_t *iterator);
- isc_result_t (*current)(dns_dbiterator_t *iterator,
- dns_dbnode_t **nodep, dns_name_t *name);
- isc_result_t (*pause)(dns_dbiterator_t *iterator);
- isc_result_t (*origin)(dns_dbiterator_t *iterator,
- dns_name_t *name);
-} dns_dbiteratormethods_t;
-
-#define DNS_DBITERATOR_MAGIC ISC_MAGIC('D','N','S','I')
-#define DNS_DBITERATOR_VALID(dbi) ISC_MAGIC_VALID(dbi, DNS_DBITERATOR_MAGIC)
-/*
- * This structure is actually just the common prefix of a DNS db
- * implementation's version of a dns_dbiterator_t.
- *
- * Clients may use the 'db' field of this structure. Except for that field,
- * direct use of this structure by clients is forbidden. DB implementations
- * may change the structure. 'magic' must be DNS_DBITERATOR_MAGIC for any of
- * the dns_dbiterator routines to work. DB iterator implementations must
- * maintain all DB iterator invariants.
- */
-struct dns_dbiterator {
- /* Unlocked. */
- unsigned int magic;
- dns_dbiteratormethods_t * methods;
- dns_db_t * db;
- isc_boolean_t relative_names;
- isc_boolean_t cleaning;
-};
-
-void
-dns_dbiterator_destroy(dns_dbiterator_t **iteratorp);
-/*
- * Destroy '*iteratorp'.
- *
- * Requires:
- *
- * '*iteratorp' is a valid iterator.
- *
- * Ensures:
- *
- * All resources used by the iterator are freed.
- *
- * *iteratorp == NULL.
- */
-
-isc_result_t
-dns_dbiterator_first(dns_dbiterator_t *iterator);
-/*
- * Move the node cursor to the first node in the database (if any).
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no nodes in the database.
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_last(dns_dbiterator_t *iterator);
-/*
- * Move the node cursor to the last node in the database (if any).
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no nodes in the database.
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name);
-/*
- * Move the node cursor to the node with name 'name'.
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * 'name' is a valid name.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_prev(dns_dbiterator_t *iterator);
-/*
- * Move the node cursor to the previous node in the database (if any).
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no more nodes in the
- * database.
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_next(dns_dbiterator_t *iterator);
-/*
- * Move the node cursor to the next node in the database (if any).
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no more nodes in the
- * database.
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
- dns_name_t *name);
-/*
- * Return the current node.
- *
- * Notes:
- * If 'name' is not NULL, it will be set to the name of the node.
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * nodep != NULL && *nodep == NULL
- *
- * The node cursor of 'iterator' is at a valid location (i.e. the
- * result of last call to a cursor movement command was ISC_R_SUCCESS).
- *
- * 'name' is NULL, or is a valid name with a dedicated buffer.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * DNS_R_NEWORIGIN If this iterator was created with
- * 'relative_names' set to ISC_TRUE,
- * then DNS_R_NEWORIGIN will be returned
- * when the origin the names are
- * relative to changes. This result
- * can occur only when 'name' is not
- * NULL. This is also a successful
- * result.
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_pause(dns_dbiterator_t *iterator);
-/*
- * Pause iteration.
- *
- * Calling a cursor movement method or dns_dbiterator_current() may cause
- * database locks to be acquired. Rather than reacquire these locks every
- * time one of these routines is called, the locks may simply be held.
- * Calling dns_dbiterator_pause() releases any such locks. Iterator clients
- * should call this routine any time they are not going to execute another
- * iterator method in the immediate future.
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * Ensures:
- * Any database locks being held for efficiency of iterator access are
- * released.
- *
- * Returns:
- * ISC_R_SUCCESS
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
-/*
- * Return the origin to which returned node names are relative.
- *
- * Requires:
- *
- * 'iterator' is a valid relative_names iterator.
- *
- * 'name' is a valid name with a dedicated buffer.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-void
-dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, isc_boolean_t mode);
-/*
- * Indicate that the given iterator is/is not cleaning the DB.
- *
- * Notes:
- * When 'mode' is ISC_TRUE,
- *
- * Requires:
- * 'iterator' is a valid iterator.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DBITERATOR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dbtable.h b/contrib/bind9/lib/dns/include/dns/dbtable.h
deleted file mode 100644
index 3874b46c58f0..000000000000
--- a/contrib/bind9/lib/dns/include/dns/dbtable.h
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dbtable.h,v 1.16.206.1 2004/03/06 08:13:55 marka Exp $ */
-
-#ifndef DNS_DBTABLE_H
-#define DNS_DBTABLE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS DB Tables
- *
- * XXX <TBS> XXX
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * None.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#define DNS_DBTABLEFIND_NOEXACT 0x01
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
- dns_dbtable_t **dbtablep);
-/*
- * Make a new dbtable of class 'rdclass'
- *
- * Requires:
- * mctx != NULL
- * dbtablep != NULL && *dptablep == NULL
- * 'rdclass' is a valid class
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- */
-
-void
-dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp);
-/*
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- *
- * 'source' is a valid dbtable.
- *
- * 'targetp' points to a NULL dns_dbtable_t *.
- *
- * Ensures:
- *
- * *targetp is attached to source.
- */
-
-void
-dns_dbtable_detach(dns_dbtable_t **dbtablep);
-/*
- * Detach *dbtablep from its dbtable.
- *
- * Requires:
- *
- * '*dbtablep' points to a valid dbtable.
- *
- * Ensures:
- *
- * *dbtablep is NULL.
- *
- * If '*dbtablep' is the last reference to the dbtable,
- *
- * All resources used by the dbtable will be freed
- */
-
-isc_result_t
-dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db);
-/*
- * Add 'db' to 'dbtable'.
- *
- * Requires:
- * 'dbtable' is a valid dbtable.
- *
- * 'db' is a valid database with the same class as 'dbtable'
- */
-
-void
-dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db);
-/*
- * Remove 'db' from 'dbtable'.
- *
- * Requires:
- * 'db' was previously added to 'dbtable'.
- */
-
-void
-dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db);
-/*
- * Use 'db' as the result of a dns_dbtable_find() if no better match is
- * available.
- */
-
-void
-dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **db);
-/*
- * Get the 'db' used as the result of a dns_dbtable_find()
- * if no better match is available.
- */
-
-void
-dns_dbtable_removedefault(dns_dbtable_t *dbtable);
-/*
- * Remove the default db from 'dbtable'.
- */
-
-isc_result_t
-dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
- unsigned int options, dns_db_t **dbp);
-/*
- * Find the deepest match to 'name' in the dbtable, and return it
- *
- * Notes:
- * If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
- * match (if any) to 'name' will be returned.
- *
- * Returns: ISC_R_SUCCESS on success
- * <something else> no default and match
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DBTABLE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/diff.h b/contrib/bind9/lib/dns/include/dns/diff.h
deleted file mode 100644
index 604f702c118b..000000000000
--- a/contrib/bind9/lib/dns/include/dns/diff.h
+++ /dev/null
@@ -1,279 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: diff.h,v 1.4.12.3 2004/03/08 09:04:35 marka Exp $ */
-
-#ifndef DNS_DIFF_H
-#define DNS_DIFF_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * A diff is a convenience type representing a list of changes to be
- * made to a database.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/*
- * A dns_difftuple_t represents a single RR being added or deleted.
- * The RR type and class are in the 'rdata' member; the class is always
- * the real one, not a DynDNS meta-class, so that the rdatas can be
- * compared using dns_rdata_compare(). The TTL is significant
- * even for deletions, because a deletion/addition pair cannot
- * be canceled out if the TTL differs (it might be an explicit
- * TTL update).
- *
- * Tuples are also used to represent complete RRs with owner
- * names for a couple of other purposes, such as the
- * individual RRs of a "RRset exists (value dependent)"
- * prerequisite set. In this case, op==DNS_DIFFOP_EXISTS,
- * and the TTL is ignored.
- */
-
-typedef enum {
- DNS_DIFFOP_ADD, /* Add an RR. */
- DNS_DIFFOP_DEL, /* Delete an RR. */
- DNS_DIFFOP_EXISTS /* Assert RR existence. */
-} dns_diffop_t;
-
-typedef struct dns_difftuple dns_difftuple_t;
-
-#define DNS_DIFFTUPLE_MAGIC ISC_MAGIC('D','I','F','T')
-#define DNS_DIFFTUPLE_VALID(t) ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
-
-struct dns_difftuple {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_diffop_t op;
- dns_name_t name;
- dns_ttl_t ttl;
- dns_rdata_t rdata;
- ISC_LINK(dns_difftuple_t) link;
- /* Variable-size name data and rdata follows. */
-};
-
-/*
- * A dns_diff_t represents a set of changes being applied to
- * a zone. Diffs are also used to represent "RRset exists
- * (value dependent)" prerequisites.
- */
-typedef struct dns_diff dns_diff_t;
-
-#define DNS_DIFF_MAGIC ISC_MAGIC('D','I','F','F')
-#define DNS_DIFF_VALID(t) ISC_MAGIC_VALID(t, DNS_DIFF_MAGIC)
-
-struct dns_diff {
- unsigned int magic;
- isc_mem_t * mctx;
- ISC_LIST(dns_difftuple_t) tuples;
-};
-
-/* Type of comparision function for sorting diffs. */
-typedef int dns_diff_compare_func(const void *, const void *);
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-/**************************************************************************/
-/*
- * Maniuplation of diffs and tuples.
- */
-
-isc_result_t
-dns_difftuple_create(isc_mem_t *mctx,
- dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
- dns_rdata_t *rdata, dns_difftuple_t **tp);
-/*
- * Create a tuple. Deep copies are made of the name and rdata, so
- * they need not remain valid after the call.
- *
- * Requires:
- * *tp != NULL && *tp == NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-void
-dns_difftuple_free(dns_difftuple_t **tp);
-/*
- * Free a tuple.
- *
- * Requires:
- * **tp is a valid tuple.
- *
- * Ensures:
- * *tp == NULL
- * All memory used by the tuple is freed.
- */
-
-isc_result_t
-dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
-/*
- * Copy a tuple.
- *
- * Requires:
- * 'orig' points to a valid tuple
- * copyp != NULL && *copyp == NULL
- */
-
-void
-dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
-/*
- * Initialize a diff.
- *
- * Requires:
- * 'diff' points to an uninitialized dns_diff_t
- * allocated by the caller.
- *
- * Ensures:
- * '*diff' is a valid, empty diff.
- */
-
-void
-dns_diff_clear(dns_diff_t *diff);
-/*
- * Clear a diff, destroying all its tuples.
- *
- * Requires:
- * 'diff' points to a valid dns_diff_t.
- *
- * Ensures:
- * Any tuples in the diff are destroyed.
- * The diff now empty, but it is still valid
- * and may be reused without calling dns_diff_init
- * again. The only memory used is that of the
- * dns_diff_t structure itself.
- *
- * Notes:
- * Managing the memory of the dns_diff_t structure itself
- * is the caller's responsibility.
- */
-
-void
-dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuple);
-/*
- * Append a single tuple to a diff.
- *
- * 'diff' is a valid diff.
- * '*tuple' is a valid tuple.
- *
- * Ensures:
- * *tuple is NULL.
- * The tuple has been freed, or will be freed when the diff is cleared.
- */
-
-void
-dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuple);
-/*
- * Append 'tuple' to 'diff', removing any duplicate
- * or conflicting updates as needed to create a minimal diff.
- *
- * Requires:
- * 'diff' is a minimal diff.
- *
- * Ensures:
- * 'diff' is still a minimal diff.
- * *tuple is NULL.
- * The tuple has been freed, or will be freed when the diff is cleared.
- *
- */
-
-isc_result_t
-dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
-/*
- * Sort 'diff' in-place according to the comparison function 'compare'.
- */
-
-isc_result_t
-dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
-isc_result_t
-dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
-/*
- * Apply 'diff' to the database 'db'.
- *
- * dns_diff_apply() logs warnings about updates with no effect or
- * with inconsistent TTLs; dns_diff_applysilently() does not.
- *
- * For efficiency, the diff should be sorted by owner name.
- * If it is not sorted, operation will still be correct,
- * but less efficient.
- *
- * Requires:
- * *diff is a valid diff (possibly empty), containing
- * tuples of type DNS_DIFFOP_ADD and/or
- * For DNS_DIFFOP_DEL tuples, the TTL is ignored.
- *
- */
-
-isc_result_t
-dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
- void *add_private);
-/*
- * Like dns_diff_apply, but for use when loading a new database
- * instead of modifying an existing one. This bypasses the
- * database transaction mechanisms.
- *
- * Requires:
- * 'addfunc' is a valid dns_addradatasetfunc_t obtained from
- * dns_db_beginload()
- *
- * 'add_private' points to a corresponding dns_dbload_t *
- * (XXX why is it a void pointer, then?)
- */
-
-isc_result_t
-dns_diff_print(dns_diff_t *diff, FILE *file);
-
-/*
- * Print the differences to 'file' or if 'file' is NULL via the
- * logging system.
- *
- * Require:
- * 'diff' to be valid.
- * 'file' to refer to a open file or NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- * any error from dns_rdataset_totext()
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DIFF_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dispatch.h b/contrib/bind9/lib/dns/include/dns/dispatch.h
deleted file mode 100644
index 201a65a60ed4..000000000000
--- a/contrib/bind9/lib/dns/include/dns/dispatch.h
+++ /dev/null
@@ -1,442 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dispatch.h,v 1.45.2.2.4.2 2004/03/06 08:13:55 marka Exp $ */
-
-#ifndef DNS_DISPATCH_H
-#define DNS_DISPATCH_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Dispatch Management
- *
- * Shared UDP and single-use TCP dispatches for queries and responses.
- *
- * MP:
- *
- * All locking is performed internally to each dispatch.
- * Restrictions apply to dns_dispatch_removeresponse().
- *
- * Reliability:
- *
- * Resources:
- *
- * Security:
- *
- * Depends on the isc_socket_t and dns_message_t for prevention of
- * buffer overruns.
- *
- * Standards:
- *
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-#include <isc/socket.h>
-#include <dns/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * This event is sent to a task when a response comes in.
- * No part of this structure should ever be modified by the caller,
- * other than parts of the buffer. The holy parts of the buffer are
- * the base and size of the buffer. All other parts of the buffer may
- * be used. On event delivery the used region contains the packet.
- *
- * "id" is the received message id,
- *
- * "addr" is the host that sent it to us,
- *
- * "buffer" holds state on the received data.
- *
- * The "free" routine for this event will clean up itself as well as
- * any buffer space allocated from common pools.
- */
-
-struct dns_dispatchevent {
- ISC_EVENT_COMMON(dns_dispatchevent_t); /* standard event common */
- isc_result_t result; /* result code */
- isc_int32_t id; /* message id */
- isc_sockaddr_t addr; /* address recv'd from */
- struct in6_pktinfo pktinfo; /* reply info for v6 */
- isc_buffer_t buffer; /* data buffer */
- isc_uint32_t attributes; /* mirrored from socket.h */
-};
-
-/*
- * Attributes for added dispatchers.
- *
- * Values with the mask 0xffff0000 are application defined.
- * Values with the mask 0x0000ffff are library defined.
- *
- * Insane values (like setting both TCP and UDP) are not caught. Don't
- * do that.
- *
- * _PRIVATE
- * The dispatcher cannot be shared.
- *
- * _TCP, _UDP
- * The dispatcher is a TCP or UDP socket.
- *
- * _IPV4, _IPV6
- * The dispatcher uses an ipv4 or ipv6 socket.
- *
- * _NOLISTEN
- * The dispatcher should not listen on the socket.
- *
- * _MAKEQUERY
- * The dispatcher can be used to issue queries to other servers, and
- * accept replies from them.
- */
-#define DNS_DISPATCHATTR_PRIVATE 0x00000001U
-#define DNS_DISPATCHATTR_TCP 0x00000002U
-#define DNS_DISPATCHATTR_UDP 0x00000004U
-#define DNS_DISPATCHATTR_IPV4 0x00000008U
-#define DNS_DISPATCHATTR_IPV6 0x00000010U
-#define DNS_DISPATCHATTR_NOLISTEN 0x00000020U
-#define DNS_DISPATCHATTR_MAKEQUERY 0x00000040U
-#define DNS_DISPATCHATTR_CONNECTED 0x00000080U
-
-isc_result_t
-dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
- dns_dispatchmgr_t **mgrp);
-/*
- * Creates a new dispatchmgr object.
- *
- * Requires:
- * "mctx" be a valid memory context.
- *
- * mgrp != NULL && *mgrp == NULL
- *
- * "entropy" may be NULL, in which case an insecure random generator
- * will be used. If it is non-NULL, it must be a valid entropy
- * source.
- *
- * Returns:
- * ISC_R_SUCCESS -- all ok
- *
- * anything else -- failure
- */
-
-
-void
-dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp);
-/*
- * Destroys the dispatchmgr when it becomes empty. This could be
- * immediately.
- *
- * Requires:
- * mgrp != NULL && *mgrp is a valid dispatchmgr.
- */
-
-
-void
-dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole);
-/*
- * Sets the dispatcher's "blackhole list," a list of addresses that will
- * be ignored by all dispatchers created by the dispatchmgr.
- *
- * Requires:
- * mgrp is a valid dispatchmgr
- * blackhole is a valid acl
- */
-
-
-dns_acl_t *
-dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr);
-/*
- * Gets a pointer to the dispatcher's current blackhole list,
- * without incrementing its reference count.
- *
- * Requires:
- * mgr is a valid dispatchmgr
- * Returns:
- * A pointer to the current blackhole list, or NULL.
- */
-
-void
-dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
- dns_portlist_t *portlist);
-/*
- * Sets a list of UDP ports that won't be used when creating a udp
- * dispatch with a wildcard port.
- *
- * Requires:
- * mgr is a valid dispatchmgr
- * portlist to be NULL or a valid port list.
- */
-
-dns_portlist_t *
-dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr);
-/*
- * Return the current port list.
- *
- * Requires:
- * mgr is a valid dispatchmgr
- */
-
-
-
-isc_result_t
-dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
- isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
- unsigned int buffersize,
- unsigned int maxbuffers, unsigned int maxrequests,
- unsigned int buckets, unsigned int increment,
- unsigned int attributes, unsigned int mask,
- dns_dispatch_t **dispp);
-/*
- * Attach to existing dns_dispatch_t if one is found with dns_dispatchmgr_find,
- * otherwise create a new UDP dispatch.
- *
- * Requires:
- * All pointer parameters be valid for their respective types.
- *
- * dispp != NULL && *disp == NULL
- *
- * 512 <= buffersize <= 64k
- *
- * maxbuffers > 0
- *
- * buckets < 2097169
- *
- * increment > buckets
- *
- * (attributes & DNS_DISPATCHATTR_TCP) == 0
- *
- * Returns:
- * ISC_R_SUCCESS -- success.
- *
- * Anything else -- failure.
- */
-
-isc_result_t
-dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
- isc_taskmgr_t *taskmgr, unsigned int buffersize,
- unsigned int maxbuffers, unsigned int maxrequests,
- unsigned int buckets, unsigned int increment,
- unsigned int attributes, dns_dispatch_t **dispp);
-/*
- * Create a new dns_dispatch and attach it to the provided isc_socket_t.
- *
- * For all dispatches, "buffersize" is the maximum packet size we will
- * accept.
- *
- * "maxbuffers" and "maxrequests" control the number of buffers in the
- * overall system and the number of buffers which can be allocated to
- * requests.
- *
- * "buckets" is the number of buckets to use, and should be prime.
- *
- * "increment" is used in a collision avoidance function, and needs to be
- * a prime > buckets, and not 2.
- *
- * Requires:
- *
- * mgr is a valid dispatch manager.
- *
- * sock is a valid.
- *
- * task is a valid task that can be used internally to this dispatcher.
- *
- * 512 <= buffersize <= 64k
- *
- * maxbuffers > 0.
- *
- * maxrequests <= maxbuffers.
- *
- * buckets < 2097169 (the next prime after 65536 * 32)
- *
- * increment > buckets (and prime).
- *
- * attributes includes DNS_DISPATCHATTR_TCP and does not include
- * DNS_DISPATCHATTR_UDP.
- *
- * Returns:
- * ISC_R_SUCCESS -- success.
- *
- * Anything else -- failure.
- */
-
-void
-dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
-/*
- * Attach to a dispatch handle.
- *
- * Requires:
- * disp is valid.
- *
- * dispp != NULL && *dispp == NULL
- */
-
-void
-dns_dispatch_detach(dns_dispatch_t **dispp);
-/*
- * Detaches from the dispatch.
- *
- * Requires:
- * dispp != NULL and *dispp be a valid dispatch.
- */
-
-void
-dns_dispatch_starttcp(dns_dispatch_t *disp);
-/*
- * Start processing of a TCP dispatch once the socket connects.
- *
- * Requires:
- * 'disp' is valid.
- */
-
-isc_result_t
-dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- isc_uint16_t *idp, dns_dispentry_t **resp);
-/*
- * Add a response entry for this dispatch.
- *
- * "*idp" is filled in with the assigned message ID, and *resp is filled in
- * to contain the magic token used to request event flow stop.
- *
- * Arranges for the given task to get a callback for response packets. When
- * the event is delivered, it must be returned using dns_dispatch_freeevent()
- * or through dns_dispatch_removeresponse() for another to be delivered.
- *
- * Requires:
- * "idp" be non-NULL.
- *
- * "task" "action" and "arg" be set as appropriate.
- *
- * "dest" be non-NULL and valid.
- *
- * "resp" be non-NULL and *resp be NULL
- *
- * Ensures:
- *
- * <id, dest> is a unique tuple. That means incoming messages
- * are identifiable.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- all is well.
- * ISC_R_NOMEMORY -- memory could not be allocated.
- * ISC_R_NOMORE -- no more message ids can be allocated
- * for this destination.
- */
-
-
-void
-dns_dispatch_removeresponse(dns_dispentry_t **resp,
- dns_dispatchevent_t **sockevent);
-/*
- * Stops the flow of responses for the provided id and destination.
- * If "sockevent" is non-NULL, the dispatch event and associated buffer is
- * also returned to the system.
- *
- * Requires:
- * "resp" != NULL and "*resp" contain a value previously allocated
- * by dns_dispatch_addresponse();
- *
- * May only be called from within the task given as the 'task'
- * argument to dns_dispatch_addresponse() when allocating '*resp'.
- */
-
-
-isc_socket_t *
-dns_dispatch_getsocket(dns_dispatch_t *disp);
-/*
- * Return the socket associated with this dispatcher.
- *
- * Requires:
- * disp is valid.
- *
- * Returns:
- * The socket the dispatcher is using.
- */
-
-isc_result_t
-dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp);
-/*
- * Return the local address for this dispatch.
- * This currently only works for dispatches using UDP sockets.
- *
- * Requires:
- * disp is valid.
- * addrp to be non null.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTIMPLEMENTED
- */
-
-void
-dns_dispatch_cancel(dns_dispatch_t *disp);
-/*
- * cancel outstanding clients
- *
- * Requires:
- * disp is valid.
- */
-
-void
-dns_dispatch_changeattributes(dns_dispatch_t *disp,
- unsigned int attributes, unsigned int mask);
-/*
- * Set the bits described by "mask" to the corresponding values in
- * "attributes".
- *
- * That is:
- *
- * new = (old & ~mask) | (attributes & mask)
- *
- * This function has a side effect when DNS_DISPATCHATTR_NOLISTEN changes.
- * When the flag becomes off, the dispatch will start receiving on the
- * corresponding socket. When the flag becomes on, receive events on the
- * corresponding socket will be canceled.
- *
- * Requires:
- * disp is valid.
- *
- * attributes are reasonable for the dispatch. That is, setting the UDP
- * attribute on a TCP socket isn't reasonable.
- */
-
-void
-dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
-/*
- * Inform the dispatcher of a socket receive. This is used for sockets
- * shared between dispatchers and clients. If the dispatcher fails to copy
- * or send the event, nothing happens.
- *
- * Requires:
- * disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
- * event != NULL
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DISPATCH_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dnssec.h b/contrib/bind9/lib/dns/include/dns/dnssec.h
deleted file mode 100644
index 5f86178a84f6..000000000000
--- a/contrib/bind9/lib/dns/include/dns/dnssec.h
+++ /dev/null
@@ -1,179 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnssec.h,v 1.21.12.5 2004/03/08 09:04:35 marka Exp $ */
-
-#ifndef DNS_DNSSEC_H
-#define DNS_DNSSEC_H 1
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
- dst_key_t **key);
-/*
- * Creates a DST key from a DNS record. Basically a wrapper around
- * dst_key_fromdns().
- *
- * Requires:
- * 'name' is not NULL
- * 'rdata' is not NULL
- * 'mctx' is not NULL
- * 'key' is not NULL
- * '*key' is NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * DST_R_INVALIDPUBLICKEY
- * various errors from dns_name_totext
- */
-
-isc_result_t
-dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_stdtime_t *inception, isc_stdtime_t *expire,
- isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
-/*
- * Generates a SIG record covering this rdataset. This has no effect
- * on existing SIG records.
- *
- * Requires:
- * 'name' (the owner name of the record) is a valid name
- * 'set' is a valid rdataset
- * 'key' is a valid key
- * 'inception' is not NULL
- * 'expire' is not NULL
- * 'mctx' is not NULL
- * 'buffer' is not NULL
- * 'sigrdata' is not NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_NOSPACE
- * DNS_R_INVALIDTIME - the expiration is before the inception
- * DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
- * it is not a zone key or its flags prevent
- * authentication)
- * DST_R_*
- */
-
-isc_result_t
-dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata);
-
-isc_result_t
-dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
- isc_boolean_t ignoretime, isc_mem_t *mctx,
- dns_rdata_t *sigrdata, dns_name_t *wild);
-/*
- * Verifies the SIG record covering this rdataset signed by a specific
- * key. This does not determine if the key's owner is authorized to
- * sign this record, as this requires a resolver or database.
- * If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
- *
- * Requires:
- * 'name' (the owner name of the record) is a valid name
- * 'set' is a valid rdataset
- * 'key' is a valid key
- * 'mctx' is not NULL
- * 'sigrdata' is a valid rdata containing a SIG record
- * 'wild' if non-NULL then is a valid and has a buffer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * DNS_R_FROMWILDCARD - the signature is valid and is from
- * a wildcard expansion. dns_dnssec_verify2() only.
- * 'wild' contains the name of the wildcard if non-NULL.
- * DNS_R_SIGINVALID - the signature fails to verify
- * DNS_R_SIGEXPIRED - the signature has expired
- * DNS_R_SIGFUTURE - the signature's validity period has not begun
- * DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
- * it is not a zone key or its flags prevent
- * authentication)
- * DST_R_*
- */
-
-isc_result_t
-dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
- dns_name_t *name, isc_mem_t *mctx,
- unsigned int maxkeys, dst_key_t **keys,
- unsigned int *nkeys);
-isc_result_t
-dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
- dns_dbnode_t *node, dns_name_t *name,
- const char *directory, isc_mem_t *mctx,
- unsigned int maxkeys, dst_key_t **keys,
- unsigned int *nkeys);
-/*
- * Finds a set of zone keys.
- * XXX temporary - this should be handled in dns_zone_t.
- */
-
-isc_result_t
-dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
-/*
- * Signs a message with a SIG(0) record. This is implicitly called by
- * dns_message_renderend() if msg->sig0key is not NULL.
- *
- * Requires:
- * 'msg' is a valid message
- * 'key' is a valid key that can be used for signing
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * DST_R_*
- */
-
-isc_result_t
-dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
- dst_key_t *key);
-/*
- * Verifies a message signed by a SIG(0) record. This is not
- * called implicitly by dns_message_parse(). If dns_message_signer()
- * is called before dns_dnssec_verifymessage(), it will return
- * DNS_R_NOTVERIFIEDYET. dns_dnssec_verifymessage() will set
- * the verified_sig0 flag in msg if the verify succeeds, and
- * the sig0status field otherwise.
- *
- * Requires:
- * 'source' is a valid buffer containing the unparsed message
- * 'msg' is a valid message
- * 'key' is a valid key
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_NOTFOUND - no SIG(0) was found
- * DNS_R_SIGINVALID - the SIG record is not well-formed or
- * was not generated by the key.
- * DST_R_*
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DNSSEC_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ds.h b/contrib/bind9/lib/dns/include/dns/ds.h
deleted file mode 100644
index 979ac9f673c5..000000000000
--- a/contrib/bind9/lib/dns/include/dns/ds.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds.h,v 1.3.2.1 2004/03/08 02:08:00 marka Exp $ */
-
-#ifndef DNS_DS_H
-#define DNS_DS_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#define DNS_DSDIGEST_SHA1 (1)
-
-/*
- * Assuming SHA-1 digest type.
- */
-#define DNS_DS_BUFFERSIZE (24)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
- unsigned int digest_type, unsigned char *buffer,
- dns_rdata_t *rdata);
-/*
- * Build the rdata of a DS record.
- *
- * Requires:
- * key Points to a valid DNS KEY record.
- * buffer Points to a temporary buffer of at least
- * DNS_DS_BUFFERSIZE bytes.
- * rdata Points to an initialized dns_rdata_t.
- *
- * Ensures:
- * *rdata Contains a valid DS rdata. The 'data' member refers
- * to 'buffer'.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_DS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/events.h b/contrib/bind9/lib/dns/include/dns/events.h
deleted file mode 100644
index 1e66139efb1e..000000000000
--- a/contrib/bind9/lib/dns/include/dns/events.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: events.h,v 1.37.2.1.4.4 2004/03/08 09:04:36 marka Exp $ */
-
-#ifndef DNS_EVENTS_H
-#define DNS_EVENTS_H 1
-
-#include <isc/eventclass.h>
-
-/*
- * Registry of DNS event numbers.
- */
-
-#define DNS_EVENT_FETCHCONTROL (ISC_EVENTCLASS_DNS + 0)
-#define DNS_EVENT_FETCHDONE (ISC_EVENTCLASS_DNS + 1)
-#define DNS_EVENT_VIEWRESSHUTDOWN (ISC_EVENTCLASS_DNS + 2)
-#define DNS_EVENT_VIEWADBSHUTDOWN (ISC_EVENTCLASS_DNS + 3)
-#define DNS_EVENT_UPDATE (ISC_EVENTCLASS_DNS + 4)
-#define DNS_EVENT_UPDATEDONE (ISC_EVENTCLASS_DNS + 5)
-#define DNS_EVENT_DISPATCH (ISC_EVENTCLASS_DNS + 6)
-#define DNS_EVENT_TCPMSG (ISC_EVENTCLASS_DNS + 7)
-#define DNS_EVENT_ADBMOREADDRESSES (ISC_EVENTCLASS_DNS + 8)
-#define DNS_EVENT_ADBNOMOREADDRESSES (ISC_EVENTCLASS_DNS + 9)
-#define DNS_EVENT_ADBCANCELED (ISC_EVENTCLASS_DNS + 10)
-#define DNS_EVENT_ADBNAMEDELETED (ISC_EVENTCLASS_DNS + 11)
-#define DNS_EVENT_ADBSHUTDOWN (ISC_EVENTCLASS_DNS + 12)
-#define DNS_EVENT_ADBEXPIRED (ISC_EVENTCLASS_DNS + 13)
-#define DNS_EVENT_ADBCONTROL (ISC_EVENTCLASS_DNS + 14)
-#define DNS_EVENT_CACHECLEAN (ISC_EVENTCLASS_DNS + 15)
-#define DNS_EVENT_BYADDRDONE (ISC_EVENTCLASS_DNS + 16)
-#define DNS_EVENT_ZONECONTROL (ISC_EVENTCLASS_DNS + 17)
-#define DNS_EVENT_DBDESTROYED (ISC_EVENTCLASS_DNS + 18)
-#define DNS_EVENT_VALIDATORDONE (ISC_EVENTCLASS_DNS + 19)
-#define DNS_EVENT_REQUESTDONE (ISC_EVENTCLASS_DNS + 20)
-#define DNS_EVENT_VALIDATORSTART (ISC_EVENTCLASS_DNS + 21)
-#define DNS_EVENT_VIEWREQSHUTDOWN (ISC_EVENTCLASS_DNS + 22)
-#define DNS_EVENT_NOTIFYSENDTOADDR (ISC_EVENTCLASS_DNS + 23)
-#define DNS_EVENT_ZONE (ISC_EVENTCLASS_DNS + 24)
-#define DNS_EVENT_ZONESTARTXFRIN (ISC_EVENTCLASS_DNS + 25)
-#define DNS_EVENT_MASTERQUANTUM (ISC_EVENTCLASS_DNS + 26)
-#define DNS_EVENT_CACHEOVERMEM (ISC_EVENTCLASS_DNS + 27)
-#define DNS_EVENT_MASTERNEXTZONE (ISC_EVENTCLASS_DNS + 28)
-#define DNS_EVENT_IOREADY (ISC_EVENTCLASS_DNS + 29)
-#define DNS_EVENT_LOOKUPDONE (ISC_EVENTCLASS_DNS + 30)
-/* #define DNS_EVENT_unused (ISC_EVENTCLASS_DNS + 31) */
-#define DNS_EVENT_DISPATCHCONTROL (ISC_EVENTCLASS_DNS + 32)
-#define DNS_EVENT_REQUESTCONTROL (ISC_EVENTCLASS_DNS + 33)
-#define DNS_EVENT_DUMPQUANTUM (ISC_EVENTCLASS_DNS + 34)
-#define DNS_EVENT_IMPORTRECVDONE (ISC_EVENTCLASS_DNS + 35)
-#define DNS_EVENT_FREESTORAGE (ISC_EVENTCLASS_DNS + 36)
-
-#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
-#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)
-
-#endif /* DNS_EVENTS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/fixedname.h b/contrib/bind9/lib/dns/include/dns/fixedname.h
deleted file mode 100644
index 3ee306fcfc2a..000000000000
--- a/contrib/bind9/lib/dns/include/dns/fixedname.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fixedname.h,v 1.12.206.1 2004/03/06 08:13:55 marka Exp $ */
-
-#ifndef DNS_FIXEDNAME_H
-#define DNS_FIXEDNAME_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Fixed-size Names
- *
- * dns_fixedname_t is a convenience type containing a name, an offsets table,
- * and a dedicated buffer big enough for the longest possible name.
- *
- * MP:
- * The caller must ensure any required synchronization.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * Per dns_fixedname_t:
- * sizeof(dns_name_t) + sizeof(dns_offsets_t) +
- * sizeof(isc_buffer_t) + 255 bytes + structure padding
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/buffer.h>
-
-#include <dns/name.h>
-
-/*****
- ***** Types
- *****/
-
-struct dns_fixedname {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_buffer_t buffer;
- unsigned char data[DNS_NAME_MAXWIRE];
-};
-
-#define dns_fixedname_init(fn) \
- do { \
- dns_name_init(&((fn)->name), (fn)->offsets); \
- isc_buffer_init(&((fn)->buffer), (fn)->data, \
- DNS_NAME_MAXWIRE); \
- dns_name_setbuffer(&((fn)->name), &((fn)->buffer)); \
- } while (0)
-
-#define dns_fixedname_invalidate(fn) \
- dns_name_invalidate(&((fn)->name))
-
-#define dns_fixedname_name(fn) (&((fn)->name))
-
-#endif /* DNS_FIXEDNAME_H */
diff --git a/contrib/bind9/lib/dns/include/dns/forward.h b/contrib/bind9/lib/dns/include/dns/forward.h
deleted file mode 100644
index 1eb62d2a99d0..000000000000
--- a/contrib/bind9/lib/dns/include/dns/forward.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: forward.h,v 1.2.206.3 2005/03/17 03:58:31 marka Exp $ */
-
-#ifndef DNS_FORWARD_H
-#define DNS_FORWARD_H 1
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-struct dns_forwarders {
- isc_sockaddrlist_t addrs;
- dns_fwdpolicy_t fwdpolicy;
-};
-
-isc_result_t
-dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep);
-/*
- * Creates a new forwarding table.
- *
- * Requires:
- * mctx is a valid memory context.
- * fwdtablep != NULL && *fwdtablep == NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
- isc_sockaddrlist_t *addrs, dns_fwdpolicy_t policy);
-/*
- * Adds an entry to the forwarding table. The entry associates
- * a domain with a list of forwarders and a forwarding policy. The
- * addrs list is copied if not empty, so the caller should free its copy.
- *
- * Requires:
- * fwdtable is a valid forwarding table.
- * name is a valid name
- * addrs is a valid list of sockaddrs, which may be empty.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
- dns_forwarders_t **forwardersp);
-
-isc_result_t
-dns_fwdtable_find2(dns_fwdtable_t *fwdtable, dns_name_t *name,
- dns_name_t *foundname, dns_forwarders_t **forwardersp);
-/*
- * Finds a domain in the forwarding table. The closest matching parent
- * domain is returned.
- *
- * Requires:
- * fwdtable is a valid forwarding table.
- * name is a valid name
- * forwardersp != NULL && *forwardersp == NULL
- * foundname to be NULL or a valid name with buffer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- */
-
-void
-dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep);
-/*
- * Destroys a forwarding table.
- *
- * Requires:
- * fwtablep != NULL && *fwtablep != NULL
- *
- * Ensures:
- * all memory associated with the forwarding table is freed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_FORWARD_H */
diff --git a/contrib/bind9/lib/dns/include/dns/journal.h b/contrib/bind9/lib/dns/include/dns/journal.h
deleted file mode 100644
index fdf609404ed4..000000000000
--- a/contrib/bind9/lib/dns/include/dns/journal.h
+++ /dev/null
@@ -1,271 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: journal.h,v 1.23.12.3 2004/03/08 09:04:36 marka Exp $ */
-
-#ifndef DNS_JOURNAL_H
-#define DNS_JOURNAL_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Database journalling.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/name.h>
-#include <dns/diff.h>
-#include <dns/rdata.h>
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/*
- * A dns_journal_t represents an open journal file. This is an opaque type.
- *
- * A particular dns_journal_t object may be opened for writing, in which case
- * it can be used for writing transactions to a journal file, or it can be
- * opened for reading, in which case it can be used for reading transactions
- * from (iterating over) a journal file. A single dns_journal_t object may
- * not be used for both purposes.
- */
-typedef struct dns_journal dns_journal_t;
-
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-/**************************************************************************/
-
-isc_result_t
-dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
- dns_diffop_t op, dns_difftuple_t **tp);
-/*
- * Create a diff tuple for the current database SOA.
- * XXX this probably belongs somewhere else.
- */
-
-
-#define DNS_SERIAL_GT(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) > 0)
-#define DNS_SERIAL_GE(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) >= 0)
-/*
- * Compare SOA serial numbers. DNS_SERIAL_GT(a, b) returns true iff
- * a is "greater than" b where "greater than" is as defined in RFC1982.
- * DNS_SERIAL_GE(a, b) returns true iff a is "greater than or equal to" b.
- */
-
-/**************************************************************************/
-/*
- * Journal object creation and destruction.
- */
-
-isc_result_t
-dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
- dns_journal_t **journalp);
-/*
- * Open the journal file 'filename' and create a dns_journal_t object for it.
- *
- * If 'write' is ISC_TRUE, the journal is open for writing. If it does
- * not exist, it is created.
- *
- * If 'write' is ISC_FALSE, the journal is open for reading. If it does
- * not exist, ISC_R_NOTFOUND is returned.
- */
-
-void
-dns_journal_destroy(dns_journal_t **journalp);
-/*
- * Destroy a dns_journal_t, closing any open files and freeing its memory.
- */
-
-/**************************************************************************/
-/*
- * Writing transactions to journals.
- */
-
-isc_result_t
-dns_journal_begin_transaction(dns_journal_t *j);
-/*
- * Prepare to write a new transaction to the open journal file 'j'.
- *
- * Requires:
- * 'j' is open for writing.
- */
-
-isc_result_t
-dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff);
-/*
- * Write 'diff' to the current transaction of journal file 'j'.
- *
- * Requires:
- * 'j' is open for writing and dns_journal_begin_transaction()
- * has been called.
- *
- * 'diff' is a full or partial, correctly ordered IXFR
- * difference sequence.
- */
-
-isc_result_t
-dns_journal_commit(dns_journal_t *j);
-/*
- * Commit the current transaction of journal file 'j'.
- *
- * Requires:
- * 'j' is open for writing and dns_journal_begin_transaction()
- * has been called.
- *
- * dns_journal_writediff() has been called one or more times
- * to form a complete, correctly ordered IXFR difference
- * sequence.
- */
-
-isc_result_t
-dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
-/*
- * Write a complete transaction at once to a journal file,
- * sorting it if necessary, and commit it. Equivalent to calling
- * dns_diff_sort(), dns_journal_begin_transaction(),
- * dns_journal_writediff(), and dns_journal_commit().
- *
- * Requires:
- * 'j' is open for writing.
- *
- * 'diff' contains exactly one SOA deletion, one SOA addition
- * with a greater serial number, and possibly other changes,
- * in arbitrary order.
- */
-
-/**************************************************************************/
-/*
- * Reading transactions from journals.
- */
-
-isc_uint32_t
-dns_journal_first_serial(dns_journal_t *j);
-isc_uint32_t
-dns_journal_last_serial(dns_journal_t *j);
-/*
- * Get the first and last addressable serial number in the journal.
- */
-
-isc_result_t
-dns_journal_iter_init(dns_journal_t *j,
- isc_uint32_t begin_serial, isc_uint32_t end_serial);
-/*
- * Prepare to iterate over the transactions that will bring the database
- * from SOA serial number 'begin_serial' to 'end_serial'.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_RANGE begin_serial is outside the addressable range.
- * ISC_R_NOTFOUND begin_serial is within the range of adressable
- * serial numbers covered by the journal, but
- * this particular serial number does not exist.
- */
-
-isc_result_t
-dns_journal_first_rr(dns_journal_t *j);
-isc_result_t
-dns_journal_next_rr(dns_journal_t *j);
-/*
- * Position the iterator at the first/next RR in a journal
- * transaction sequence established using dns_journal_iter_init().
- *
- * Requires:
- * dns_journal_iter_init() has been called.
- *
- */
-
-void
-dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata);
-/*
- * Get the name, ttl, and rdata of the current journal RR.
- *
- * Requires:
- * The last call to dns_journal_first_rr() or dns_journal_next_rr()
- * returned ISC_R_SUCCESS.
- */
-
-/**************************************************************************/
-/*
- * Database roll-forward.
- */
-
-isc_result_t
-dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename);
-/*
- * Roll forward (play back) the journal file "filename" into the
- * database "db". This should be called when the server starts
- * after a shutdown or crash.
- *
- * Requires:
- * 'mctx' is a valid memory context.
- * 'db' is a valid database which does not have a version
- * open for writing.
- * 'filename' is the name of the journal file belonging to 'db'.
- *
- * Returns:
- * DNS_R_NOJOURNAL when journal does not exist.
- * ISC_R_NOTFOUND when current serial in not in journal.
- * ISC_R_RANGE when current serial in not in journals range.
- * ISC_R_SUCCESS journal has been applied successfully to database.
- * others
- */
-
-isc_result_t
-dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file);
-/* For debugging not general use */
-
-isc_result_t
-dns_db_diff(isc_mem_t *mctx,
- dns_db_t *dba, dns_dbversion_t *dbvera,
- dns_db_t *dbb, dns_dbversion_t *dbverb,
- const char *journal_filename);
-/*
- * Compare the databases 'dba' and 'dbb' and generate a journal
- * entry containing the changes to make 'dba' from 'dbb' (note
- * the order). This journal entry will consist of a single,
- * possibly very large transaction. Append the journal
- * entry to the journal file specified by 'journal_filename'.
- */
-
-isc_result_t
-dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
- isc_uint32_t target_size);
-/*
- * Attempt to compact the journal if it is greater that 'target_size'.
- * Changes from 'serial' onwards will be preserved. If the journal
- * exists and is non-empty 'serial' must exist in the journal.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_JOURNAL_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keyflags.h b/contrib/bind9/lib/dns/include/dns/keyflags.h
deleted file mode 100644
index 025b137ec298..000000000000
--- a/contrib/bind9/lib/dns/include/dns/keyflags.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyflags.h,v 1.9.206.1 2004/03/06 08:13:56 marka Exp $ */
-
-#ifndef DNS_KEYFLAGS_H
-#define DNS_KEYFLAGS_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a DNSSEC KEY flags value.
- * The text may contain either a set of flag mnemonics separated by
- * vertical bars or a decimal flags value. For compatibility with
- * older versions of BIND and the DNSSEC signer, octal values
- * prefixed with a zero and hexadecimal values prefixed with "0x"
- * are also accepted.
- *
- * Requires:
- * 'flagsp' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_RANGE numeric flag value is out of range
- * DNS_R_UNKNOWN mnemonic flag is unknown
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_KEYFLAGS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keytable.h b/contrib/bind9/lib/dns/include/dns/keytable.h
deleted file mode 100644
index a07c05201e34..000000000000
--- a/contrib/bind9/lib/dns/include/dns/keytable.h
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keytable.h,v 1.10.206.1 2004/03/06 08:13:56 marka Exp $ */
-
-#ifndef DNS_KEYTABLE_H
-#define DNS_KEYTABLE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Key Tables
- *
- * The keytable module provides services for storing and retrieving DNSSEC
- * trusted keys, as well as the ability to find the deepest matching key
- * for a given domain name.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
-/*
- * Create a keytable.
- *
- * Requires:
- *
- * 'mctx' is a valid memory context.
- *
- * keytablep != NULL && *keytablep == NULL
- *
- * Ensures:
- *
- * On success, *keytablep is a valid, empty key table.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any other result indicates failure.
- */
-
-
-void
-dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp);
-/*
- * Attach *targetp to source.
- *
- * Requires:
- *
- * 'source' is a valid keytable.
- *
- * 'targetp' points to a NULL dns_keytable_t *.
- *
- * Ensures:
- *
- * *targetp is attached to source.
- */
-
-void
-dns_keytable_detach(dns_keytable_t **keytablep);
-/*
- * Detach *keytablep from its keytable.
- *
- * Requires:
- *
- * 'keytablep' points to a valid keytable.
- *
- * Ensures:
- *
- * *keytablep is NULL.
- *
- * If '*keytablep' is the last reference to the keytable,
- *
- * All resources used by the keytable will be freed
- */
-
-isc_result_t
-dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp);
-/*
- * Add '*keyp' to 'keytable'.
- *
- * Notes:
- *
- * Ownership of *keyp is transferred to the keytable.
- *
- * Requires:
- *
- * keyp != NULL && *keyp is a valid dst_key_t *.
- *
- * Ensures:
- *
- * On success, *keyp == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any other result indicates failure.
- */
-
-isc_result_t
-dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
- dns_secalg_t algorithm, dns_keytag_t tag,
- dns_keynode_t **keynodep);
-/*
- * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'.
- *
- * Requires:
- *
- * 'keytable' is a valid keytable.
- *
- * 'name' is a valid absolute name.
- *
- * keynodep != NULL && *keynodep == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- *
- * Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
- dns_keynode_t **nextnodep);
-/*
- * Search for the next key with the same properties as 'keynode' in
- * 'keytable'.
- *
- * Requires:
- *
- * 'keytable' is a valid keytable.
- *
- * 'keynode' is a valid keynode.
- *
- * nextnodep != NULL && *nextnodep == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- *
- * Any other result indicates an error.
- */
-
-isc_result_t
-dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
- dns_name_t *foundname);
-/*
- * Search for the deepest match of 'name' in 'keytable'.
- *
- * Requires:
- *
- * 'keytable' is a valid keytable.
- *
- * 'name' is a valid absolute name.
- *
- * 'foundname' is a name with a dedicated buffer.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- *
- * Any other result indicates an error.
- */
-
-void
-dns_keytable_detachkeynode(dns_keytable_t *keytable,
- dns_keynode_t **keynodep);
-/*
- * Give back a keynode found via dns_keytable_findkeynode().
- *
- * Requires:
- *
- * 'keytable' is a valid keytable.
- *
- * *keynodep is a valid keynode returned by a call to
- * dns_keytable_findkeynode().
- *
- * Ensures:
- *
- * *keynodep == NULL
- */
-
-isc_result_t
-dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
- isc_boolean_t *wantdnssecp);
-/*
- * Is 'name' at or beneath a trusted key?
- *
- * Requires:
- *
- * 'keytable' is a valid keytable.
- *
- * 'name' is a valid absolute name.
- *
- * '*wantsdnssecp' is a valid isc_boolean_t.
- *
- * Ensures:
- *
- * On success, *wantsdnssecp will be ISC_TRUE if and only if 'name'
- * is at or beneath a trusted key.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any other result is an error.
- */
-
-dst_key_t *
-dns_keynode_key(dns_keynode_t *keynode);
-/*
- * Get the DST key associated with keynode.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_KEYTABLE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keyvalues.h b/contrib/bind9/lib/dns/include/dns/keyvalues.h
deleted file mode 100644
index ef9e82107e34..000000000000
--- a/contrib/bind9/lib/dns/include/dns/keyvalues.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyvalues.h,v 1.11.12.3 2004/03/06 08:13:56 marka Exp $ */
-
-#ifndef DNS_KEYVALUES_H
-#define DNS_KEYVALUES_H 1
-
-/*
- * Flags field of the KEY RR rdata
- */
-#define DNS_KEYFLAG_TYPEMASK 0xC000 /* Mask for "type" bits */
-#define DNS_KEYTYPE_AUTHCONF 0x0000 /* Key usable for both */
-#define DNS_KEYTYPE_CONFONLY 0x8000 /* Key usable for confidentiality */
-#define DNS_KEYTYPE_AUTHONLY 0x4000 /* Key usable for authentication */
-#define DNS_KEYTYPE_NOKEY 0xC000 /* No key usable for either; no key */
-#define DNS_KEYTYPE_NOAUTH DNS_KEYTYPE_CONFONLY
-#define DNS_KEYTYPE_NOCONF DNS_KEYTYPE_AUTHONLY
-
-#define DNS_KEYFLAG_RESERVED2 0x2000 /* reserved - must be zero */
-#define DNS_KEYFLAG_EXTENDED 0x1000 /* key has extended flags */
-#define DNS_KEYFLAG_RESERVED4 0x0800 /* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED5 0x0400 /* reserved - must be zero */
-#define DNS_KEYFLAG_OWNERMASK 0x0300 /* these bits determine the type */
-#define DNS_KEYOWNER_USER 0x0000 /* key is assoc. with user */
-#define DNS_KEYOWNER_ENTITY 0x0200 /* key is assoc. with entity eg host */
-#define DNS_KEYOWNER_ZONE 0x0100 /* key is zone key */
-#define DNS_KEYOWNER_RESERVED 0x0300 /* reserved meaning */
-#define DNS_KEYFLAG_RESERVED8 0x0080 /* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED9 0x0040 /* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED10 0x0020 /* reserved - must be zero */
-#define DNS_KEYFLAG_RESERVED11 0x0010 /* reserved - must be zero */
-#define DNS_KEYFLAG_SIGNATORYMASK 0x000F /* key can sign RR's of same name */
-
-#define DNS_KEYFLAG_RESERVEDMASK (DNS_KEYFLAG_RESERVED2 | \
- DNS_KEYFLAG_RESERVED4 | \
- DNS_KEYFLAG_RESERVED5 | \
- DNS_KEYFLAG_RESERVED8 | \
- DNS_KEYFLAG_RESERVED9 | \
- DNS_KEYFLAG_RESERVED10 | \
- DNS_KEYFLAG_RESERVED11 )
-#define DNS_KEYFLAG_KSK 0x0001 /* key signing key */
-
-#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /* no bits defined here */
-
-/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
-#define DNS_KEYALG_RSAMD5 1 /* RSA with MD5 */
-#define DNS_KEYALG_RSA DNS_KEYALG_RSAMD5
-#define DNS_KEYALG_DH 2 /* Diffie Hellman KEY */
-#define DNS_KEYALG_DSA 3 /* DSA KEY */
-#define DNS_KEYALG_DSS NS_ALG_DSA
-#define DNS_KEYALG_ECC 4
-#define DNS_KEYALG_RSASHA1 5
-#define DNS_KEYALG_INDIRECT 252
-#define DNS_KEYALG_PRIVATEDNS 253
-#define DNS_KEYALG_PRIVATEOID 254 /* Key begins with OID giving alg */
-
-/* Protocol values */
-#define DNS_KEYPROTO_RESERVED 0
-#define DNS_KEYPROTO_TLS 1
-#define DNS_KEYPROTO_EMAIL 2
-#define DNS_KEYPROTO_DNSSEC 3
-#define DNS_KEYPROTO_IPSEC 4
-#define DNS_KEYPROTO_ANY 255
-
-/* Signatures */
-#define DNS_SIG_RSAMINBITS 512 /* Size of a mod or exp in bits */
-#define DNS_SIG_RSAMAXBITS 2552
- /* Total of binary mod and exp */
-#define DNS_SIG_RSAMAXBYTES ((DNS_SIG_RSAMAXBITS+7/8)*2+3)
- /* Max length of text sig block */
-#define DNS_SIG_RSAMAXBASE64 (((DNS_SIG_RSAMAXBYTES+2)/3)*4)
-#define DNS_SIG_RSAMINSIZE ((DNS_SIG_RSAMINBITS+7)/8)
-#define DNS_SIG_RSAMAXSIZE ((DNS_SIG_RSAMAXBITS+7)/8)
-
-#define DNS_SIG_DSASIGSIZE 41
-#define DNS_SIG_DSAMINBITS 512
-#define DNS_SIG_DSAMAXBITS 1024
-#define DNS_SIG_DSAMINBYTES 213
-#define DNS_SIG_DSAMAXBYTES 405
-
-#endif /* DNS_KEYVALUES_H */
diff --git a/contrib/bind9/lib/dns/include/dns/lib.h b/contrib/bind9/lib/dns/include/dns/lib.h
deleted file mode 100644
index e53dd2b7e041..000000000000
--- a/contrib/bind9/lib/dns/include/dns/lib.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:36 marka Exp $ */
-
-#ifndef DNS_LIB_H
-#define DNS_LIB_H 1
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dns_msgcat;
-
-void
-dns_lib_initmsgcat(void);
-/*
- * Initialize the DNS library's message catalog, dns_msgcat, if it
- * has not already been initialized.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_LIB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/log.h b/contrib/bind9/lib/dns/include/dns/log.h
deleted file mode 100644
index 9901fc9b2131..000000000000
--- a/contrib/bind9/lib/dns/include/dns/log.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.30.2.1.10.2 2004/03/06 08:13:57 marka Exp $ */
-
-/* Principal Authors: DCL */
-
-#ifndef DNS_LOG_H
-#define DNS_LOG_H 1
-
-#include <isc/lang.h>
-#include <isc/log.h>
-
-LIBDNS_EXTERNAL_DATA extern isc_log_t *dns_lctx;
-LIBDNS_EXTERNAL_DATA extern isc_logcategory_t dns_categories[];
-LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
-
-#define DNS_LOGCATEGORY_NOTIFY (&dns_categories[0])
-#define DNS_LOGCATEGORY_DATABASE (&dns_categories[1])
-#define DNS_LOGCATEGORY_SECURITY (&dns_categories[2])
-/* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */
-#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4])
-#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5])
-#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6])
-#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7])
-#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
-#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
-#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
-
-/* Backwards compatibility. */
-#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
-
-#define DNS_LOGMODULE_DB (&dns_modules[0])
-#define DNS_LOGMODULE_RBTDB (&dns_modules[1])
-#define DNS_LOGMODULE_RBTDB64 (&dns_modules[2])
-#define DNS_LOGMODULE_RBT (&dns_modules[3])
-#define DNS_LOGMODULE_RDATA (&dns_modules[4])
-#define DNS_LOGMODULE_MASTER (&dns_modules[5])
-#define DNS_LOGMODULE_MESSAGE (&dns_modules[6])
-#define DNS_LOGMODULE_CACHE (&dns_modules[7])
-#define DNS_LOGMODULE_CONFIG (&dns_modules[8])
-#define DNS_LOGMODULE_RESOLVER (&dns_modules[9])
-#define DNS_LOGMODULE_ZONE (&dns_modules[10])
-#define DNS_LOGMODULE_JOURNAL (&dns_modules[11])
-#define DNS_LOGMODULE_ADB (&dns_modules[12])
-#define DNS_LOGMODULE_XFER_IN (&dns_modules[13])
-#define DNS_LOGMODULE_XFER_OUT (&dns_modules[14])
-#define DNS_LOGMODULE_ACL (&dns_modules[15])
-#define DNS_LOGMODULE_VALIDATOR (&dns_modules[16])
-#define DNS_LOGMODULE_DISPATCH (&dns_modules[17])
-#define DNS_LOGMODULE_REQUEST (&dns_modules[18])
-#define DNS_LOGMODULE_MASTERDUMP (&dns_modules[19])
-#define DNS_LOGMODULE_TSIG (&dns_modules[20])
-#define DNS_LOGMODULE_TKEY (&dns_modules[21])
-#define DNS_LOGMODULE_SDB (&dns_modules[22])
-#define DNS_LOGMODULE_DIFF (&dns_modules[23])
-#define DNS_LOGMODULE_HINTS (&dns_modules[24])
-
-ISC_LANG_BEGINDECLS
-
-void
-dns_log_init(isc_log_t *lctx);
-/*
- * Make the libdns categories and modules available for use with the
- * ISC logging library.
- *
- * Requires:
- * lctx is a valid logging context.
- *
- * dns_log_init() is called only once.
- *
- * Ensures:
- * The catgories and modules defined above are available for
- * use by isc_log_usechannnel() and isc_log_write().
- */
-
-void
-dns_log_setcontext(isc_log_t *lctx);
-/*
- * Make the libdns library use the provided context for logging internal
- * messages.
- *
- * Requires:
- * lctx is a valid logging context.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_LOG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/lookup.h b/contrib/bind9/lib/dns/include/dns/lookup.h
deleted file mode 100644
index 2be254c71b99..000000000000
--- a/contrib/bind9/lib/dns/include/dns/lookup.h
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lookup.h,v 1.5.206.1 2004/03/06 08:13:57 marka Exp $ */
-
-#ifndef DNS_LOOKUP_H
-#define DNS_LOOKUP_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Lookup
- *
- * The lookup module performs simple DNS lookups. It implements
- * the full resolver algorithm, both looking for local data and
- * resoving external names as necessary.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * RFCs: 1034, 1035, 2181, <TBS>
- * Drafts: <TBS>
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * A 'dns_lookupevent_t' is returned when a lookup completes.
- * The sender field will be set to the lookup that completed. If 'result'
- * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
- * with the address. The recipient of the event must not change the list
- * and must not refer to any of the name data after the event is freed.
- */
-typedef struct dns_lookupevent {
- ISC_EVENT_COMMON(struct dns_lookupevent);
- isc_result_t result;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
- dns_rdataset_t *sigrdataset;
- dns_db_t *db;
- dns_dbnode_t *node;
-} dns_lookupevent_t;
-
-isc_result_t
-dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
- dns_view_t *view, unsigned int options, isc_task_t *task,
- isc_taskaction_t action, void *arg, dns_lookup_t **lookupp);
-/*
- * Finds the rrsets matching 'name' and 'type'.
- *
- * Requires:
- *
- * 'mctx' is a valid mctx.
- *
- * 'name' is a valid name.
- *
- * 'view' is a valid view which has a resolver.
- *
- * 'task' is a valid task.
- *
- * lookupp != NULL && *lookupp == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
- * returned.
- */
-
-void
-dns_lookup_cancel(dns_lookup_t *lookup);
-/*
- * Cancel 'lookup'.
- *
- * Notes:
- *
- * If 'lookup' has not completed, post its LOOKUPDONE event with a
- * result code of ISC_R_CANCELED.
- *
- * Requires:
- *
- * 'lookup' is a valid lookup.
- */
-
-void
-dns_lookup_destroy(dns_lookup_t **lookupp);
-/*
- * Destroy 'lookup'.
- *
- * Requires:
- *
- * '*lookupp' is a valid lookup.
- *
- * The caller has received the LOOKUPDONE event (either because the
- * lookup completed or because dns_lookup_cancel() was called).
- *
- * Ensures:
- *
- * *lookupp == NULL.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_LOOKUP_H */
diff --git a/contrib/bind9/lib/dns/include/dns/master.h b/contrib/bind9/lib/dns/include/dns/master.h
deleted file mode 100644
index 0b861c671006..000000000000
--- a/contrib/bind9/lib/dns/include/dns/master.h
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: master.h,v 1.31.2.3.2.7 2004/03/08 09:04:36 marka Exp $ */
-
-#ifndef DNS_MASTER_H
-#define DNS_MASTER_H 1
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/*
- * Flags to be passed in the 'options' argument in the functions below.
- */
-#define DNS_MASTER_AGETTL 0x00000001 /* Age the ttl based on $DATE. */
-#define DNS_MASTER_MANYERRORS 0x00000002 /* Continue processing on errors. */
-#define DNS_MASTER_NOINCLUDE 0x00000004 /* Disallow $INCLUDE directives. */
-#define DNS_MASTER_ZONE 0x00000008 /* Loading a zone master file. */
-#define DNS_MASTER_HINT 0x00000010 /* Loading a hint master file. */
-#define DNS_MASTER_SLAVE 0x00000020 /* Loading a slave master file. */
-#define DNS_MASTER_CHECKNS 0x00000040 /* Check NS records to see if
- * they are an address */
-#define DNS_MASTER_FATALNS 0x00000080 /* Treat DNS_MASTER_CHECKNS
- * matches as fatal */
-#define DNS_MASTER_CHECKNAMES 0x00000100
-#define DNS_MASTER_CHECKNAMESFAIL 0x00000200
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Function
- ***/
-
-isc_result_t
-dns_master_loadfile(const char *master_file,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadstream(FILE *stream,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadbuffer(isc_buffer_t *buffer,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadlexer(isc_lex_t *lex,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadfileinc(const char *master_file,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg,
- dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadstreaminc(FILE *stream,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg,
- dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadbufferinc(isc_buffer_t *buffer,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg,
- dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-isc_result_t
-dns_master_loadlexerinc(isc_lex_t *lex,
- dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks,
- isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg,
- dns_loadctx_t **ctxp, isc_mem_t *mctx);
-
-/*
- * Loads a RFC 1305 master file from a file, stream, buffer, or existing
- * lexer into rdatasets and then calls 'callbacks->commit' to commit the
- * rdatasets. Rdata memory belongs to dns_master_load and will be
- * reused / released when the callback completes. dns_load_master will
- * abort if callbacks->commit returns any value other than ISC_R_SUCCESS.
- *
- * If 'DNS_MASTER_AGETTL' is set and the master file contains one or more
- * $DATE directives, the TTLs of the data will be aged accordingly.
- *
- * 'callbacks->commit' is assumed to call 'callbacks->error' or
- * 'callbacks->warn' to generate any error messages required.
- *
- * 'done' is called with 'done_arg' and a result code when the loading
- * is completed or has failed. If the initial setup fails 'done' is
- * not called.
- *
- * Requires:
- * 'master_file' points to a valid string.
- * 'lexer' points to a valid lexer.
- * 'top' points to a valid name.
- * 'origin' points to a valid name.
- * 'callbacks->commit' points to a valid function.
- * 'callbacks->error' points to a valid function.
- * 'callbacks->warn' points to a valid function.
- * 'mctx' points to a valid memory context.
- * 'task' and 'done' to be valid.
- * 'lmgr' to be valid.
- * 'ctxp != NULL && ctxp == NULL'.
- *
- * Returns:
- * ISC_R_SUCCESS upon successfully loading the master file.
- * ISC_R_SEENINCLUDE upon successfully loading the master file with
- * a $INCLUDE statement.
- * ISC_R_NOMEMORY out of memory.
- * ISC_R_UNEXPECTEDEND expected to be able to read a input token and
- * there was not one.
- * ISC_R_UNEXPECTED
- * DNS_R_NOOWNER failed to specify a ownername.
- * DNS_R_NOTTL failed to specify a ttl.
- * DNS_R_BADCLASS record class did not match zone class.
- * DNS_R_CONTINUE load still in progress (dns_master_load*inc() only).
- * Any dns_rdata_fromtext() error code.
- * Any error code from callbacks->commit().
- */
-
-void
-dns_loadctx_detach(dns_loadctx_t **ctxp);
-/*
- * Detach from the load context.
- *
- * Requires:
- * '*ctxp' to be valid.
- *
- * Ensures:
- * '*ctxp == NULL'
- */
-
-void
-dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target);
-/*
- * Attach to the load context.
- *
- * Requires:
- * 'source' to be valid.
- * 'target != NULL && *target == NULL'.
- */
-
-void
-dns_loadctx_cancel(dns_loadctx_t *ctx);
-/*
- * Cancel loading the zone file associated with this load context.
- *
- * Requires:
- * 'ctx' to be valid
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_MASTER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/masterdump.h b/contrib/bind9/lib/dns/include/dns/masterdump.h
deleted file mode 100644
index 888c588f3b62..000000000000
--- a/contrib/bind9/lib/dns/include/dns/masterdump.h
+++ /dev/null
@@ -1,303 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: masterdump.h,v 1.22.12.10 2005/09/06 02:12:41 marka Exp $ */
-
-#ifndef DNS_MASTERDUMP_H
-#define DNS_MASTERDUMP_H 1
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-typedef struct dns_master_style dns_master_style_t;
-
-/***
- *** Definitions
- ***/
-
-/*
- * Flags affecting master file formatting. Flags 0x0000FFFF
- * define the formatting of the rdata part and are defined in
- * rdata.h.
- */
-
-/* Omit the owner name when possible. */
-#define DNS_STYLEFLAG_OMIT_OWNER 0x00010000U
-
-/*
- * Omit the TTL when possible. If DNS_STYLEFLAG_TTL is
- * also set, this means no TTLs are ever printed
- * because $TTL directives are generated before every
- * change in the TTL. In this case, no columns need to
- * be reserved for the TTL. Master files generated with
- * these options will be rejected by BIND 4.x because it
- * does not recognize the $TTL directive.
- *
- * If DNS_STYLEFLAG_TTL is not also set, the TTL will be
- * omitted when it is equal to the previous TTL.
- * This is correct according to RFC1035, but the
- * TTLs may be silently misinterpreted by older
- * versions of BIND which use the SOA MINTTL as a
- * default TTL value.
- */
-#define DNS_STYLEFLAG_OMIT_TTL 0x00020000U
-
-/* Omit the class when possible. */
-#define DNS_STYLEFLAG_OMIT_CLASS 0x00040000U
-
-/* Output $TTL directives. */
-#define DNS_STYLEFLAG_TTL 0x00080000U
-
-/*
- * Output $ORIGIN directives and print owner names relative to
- * the origin when possible.
- */
-#define DNS_STYLEFLAG_REL_OWNER 0x00100000U
-
-/* Print domain names in RR data in relative form when possible.
- For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
-#define DNS_STYLEFLAG_REL_DATA 0x00200000U
-
-/* Print the trust level of each rdataset. */
-#define DNS_STYLEFLAG_TRUST 0x00400000U
-
-/* Print negative caching entries. */
-#define DNS_STYLEFLAG_NCACHE 0x00800000U
-
-/* Never print the TTL */
-#define DNS_STYLEFLAG_NO_TTL 0x01000000U
-
-/* Never print the CLASS */
-#define DNS_STYLEFLAG_NO_CLASS 0x02000000U
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Constants
- ***/
-
-/*
- * The default master file style.
- *
- * This uses $TTL directives to avoid the need to dedicate a
- * tab stop for the TTL. The class is only printed for the first
- * rrset in the file and shares a tab stop with the RR type.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
-
-/*
- * A master file style that dumps zones to a very generic format easily
- * imported/checked with external tools.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
-
-/*
- * A master file style that prints explicit TTL values on each
- * record line, never using $TTL statements. The TTL has a tab
- * stop of its own, but the class and type share one.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
- dns_master_style_explicitttl;
-
-/*
- * A master style format designed for cache files. It prints explicit TTL
- * values on each record line and never uses $ORIGIN or relative names.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
-
-/*
- * A master style that prints name, ttl, class, type, and value on
- * every line. Similar to explicitttl above, but more verbose.
- * Intended for generating master files which can be easily parsed
- * by perl scripts and similar applications.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
-
-/*
- * The style used for debugging, "dig" output, etc.
- */
-LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
-
-/***
- *** Functions
- ***/
-
-void
-dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target);
-/*
- * Attach to a dump context.
- *
- * Require:
- * 'source' to be valid.
- * 'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_dumpctx_detach(dns_dumpctx_t **dctxp);
-/*
- * Detach from a dump context.
- *
- * Require:
- * 'dctxp' to point to a valid dump context.
- *
- * Ensures:
- * '*dctxp' is NULL.
- */
-
-void
-dns_dumpctx_cancel(dns_dumpctx_t *dctx);
-/*
- * Cancel a in progress dump.
- *
- * Require:
- * 'dctx' to be valid.
- */
-
-dns_dbversion_t *
-dns_dumpctx_version(dns_dumpctx_t *dctx);
-/*
- * Return the version handle (if any) of the database being dumped.
- *
- * Require:
- * 'dctx' to be valid.
- */
-
-dns_db_t *
-dns_dumpctx_db(dns_dumpctx_t *dctx);
-/*
- * Return the database being dumped.
- *
- * Require:
- * 'dctx' to be valid.
- */
-
-
-isc_result_t
-dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
- dns_dbversion_t *version,
- const dns_master_style_t *style, FILE *f,
- isc_task_t *task, dns_dumpdonefunc_t done,
- void *done_arg, dns_dumpctx_t **dctxp);
-
-isc_result_t
-dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
- dns_dbversion_t *version,
- const dns_master_style_t *style, FILE *f);
-/*
- * Dump the database 'db' to the steam 'f' in RFC1035 master
- * file format, in the style defined by 'style'
- * (e.g., &dns_default_master_style_default)
- *
- * Temporary dynamic memory may be allocated from 'mctx'.
- *
- * Require:
- * 'task' to be valid.
- * 'done' to be non NULL.
- * 'dctxp' to be non NULL && '*dctxp' to be NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * DNS_R_CONTINUE dns_master_dumptostreaminc() only.
- * ISC_R_NOMEMORY
- * Any database or rrset iterator error.
- * Any dns_rdata_totext() error code.
- */
-
-isc_result_t
-dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
- const dns_master_style_t *style, const char *filename,
- isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
- dns_dumpctx_t **dctxp);
-
-isc_result_t
-dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
- dns_dbversion_t *version,
- const dns_master_style_t *style, const char *filename);
-/*
- * Dump the database 'db' to the file 'filename' in RFC1035 master
- * file format, in the style defined by 'style'
- * (e.g., &dns_default_master_style_default)
- *
- * Temporary dynamic memory may be allocated from 'mctx'.
- *
- * Returns:
- * ISC_R_SUCCESS
- * DNS_R_CONTINUE dns_master_dumpinc() only.
- * ISC_R_NOMEMORY
- * Any database or rrset iterator error.
- * Any dns_rdata_totext() error code.
- */
-
-isc_result_t
-dns_master_rdatasettotext(dns_name_t *owner_name,
- dns_rdataset_t *rdataset,
- const dns_master_style_t *style,
- isc_buffer_t *target);
-/*
- * Convert 'rdataset' to text format, storing the result in 'target'.
- *
- * Notes:
- * The rdata cursor position will be changed.
- *
- * Requires:
- * 'rdataset' is a valid non-question rdataset.
- *
- * 'rdataset' is not empty.
- */
-
-isc_result_t
-dns_master_questiontotext(dns_name_t *owner_name,
- dns_rdataset_t *rdataset,
- const dns_master_style_t *style,
- isc_buffer_t *target);
-
-isc_result_t
-dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
- dns_dbversion_t *version,
- dns_dbnode_t *node, dns_name_t *name,
- const dns_master_style_t *style,
- FILE *f);
-
-isc_result_t
-dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
- dns_dbnode_t *node, dns_name_t *name,
- const dns_master_style_t *style, const char *filename);
-
-isc_result_t
-dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
- unsigned int ttl_column, unsigned int class_column,
- unsigned int type_column, unsigned int rdata_column,
- unsigned int line_length, unsigned int tab_width,
- isc_mem_t *mctx);
-
-void
-dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_MASTERDUMP_H */
diff --git a/contrib/bind9/lib/dns/include/dns/message.h b/contrib/bind9/lib/dns/include/dns/message.h
deleted file mode 100644
index c8273221460e..000000000000
--- a/contrib/bind9/lib/dns/include/dns/message.h
+++ /dev/null
@@ -1,1297 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: message.h,v 1.100.2.3.8.7 2004/03/08 02:08:00 marka Exp $ */
-
-#ifndef DNS_MESSAGE_H
-#define DNS_MESSAGE_H 1
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/compress.h>
-#include <dns/masterdump.h>
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-/*
- * How this beast works:
- *
- * When a dns message is received in a buffer, dns_message_fromwire() is called
- * on the memory region. Various items are checked including the format
- * of the message (if counts are right, if counts consume the entire sections,
- * and if sections consume the entire message) and known pseudo-RRs in the
- * additional data section are analyzed and removed.
- *
- * TSIG checking is also done at this layer, and any DNSSEC transaction
- * signatures should also be checked here.
- *
- * Notes on using the gettemp*() and puttemp*() functions:
- *
- * These functions return items (names, rdatasets, etc) allocated from some
- * internal state of the dns_message_t.
- *
- * Names and rdatasets must be put back into the dns_message_t in
- * one of two ways. Assume a name was allocated via
- * dns_message_gettempname():
- *
- * (1) insert it into a section, using dns_message_addname().
- *
- * (2) return it to the message using dns_message_puttempname().
- *
- * The same applies to rdatasets.
- *
- * On the other hand, offsets, rdatalists and rdatas allocated using
- * dns_message_gettemp*() will always be freed automatically
- * when the message is reset or destroyed; calling dns_message_puttemp*()
- * on rdatalists and rdatas is optional and serves only to enable the item
- * to be reused multiple times during the lifetime of the message; offsets
- * cannot be reused.
- *
- * Buffers allocated using isc_buffer_allocate() can be automatically freed
- * as well by giving the buffer to the message using dns_message_takebuffer().
- * Doing this will cause the buffer to be freed using isc_buffer_free()
- * when the section lists are cleared, such as in a reset or in a destroy.
- * Since the buffer itself exists until the message is destroyed, this sort
- * of code can be written:
- *
- * buffer = isc_buffer_allocate(mctx, 512);
- * name = NULL;
- * name = dns_message_gettempname(message, &name);
- * dns_name_init(name, NULL);
- * result = dns_name_fromtext(name, &source, dns_rootname, ISC_FALSE,
- * buffer);
- * dns_message_takebuffer(message, &buffer);
- *
- *
- * TODO:
- *
- * XXX Needed: ways to set and retrieve EDNS information, add rdata to a
- * section, move rdata from one section to another, remove rdata, etc.
- */
-
-#define DNS_MESSAGEFLAG_QR 0x8000U
-#define DNS_MESSAGEFLAG_AA 0x0400U
-#define DNS_MESSAGEFLAG_TC 0x0200U
-#define DNS_MESSAGEFLAG_RD 0x0100U
-#define DNS_MESSAGEFLAG_RA 0x0080U
-#define DNS_MESSAGEFLAG_AD 0x0020U
-#define DNS_MESSAGEFLAG_CD 0x0010U
-
-#define DNS_MESSAGEEXTFLAG_DO 0x8000U
-
-#define DNS_MESSAGE_REPLYPRESERVE (DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
-#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
-
-#define DNS_MESSAGE_HEADERLEN 12 /* 6 isc_uint16_t's */
-
-#define DNS_MESSAGE_MAGIC ISC_MAGIC('M','S','G','@')
-#define DNS_MESSAGE_VALID(msg) ISC_MAGIC_VALID(msg, DNS_MESSAGE_MAGIC)
-
-/*
- * Ordering here matters. DNS_SECTION_ANY must be the lowest and negative,
- * and DNS_SECTION_MAX must be one greater than the last used section.
- */
-typedef int dns_section_t;
-#define DNS_SECTION_ANY (-1)
-#define DNS_SECTION_QUESTION 0
-#define DNS_SECTION_ANSWER 1
-#define DNS_SECTION_AUTHORITY 2
-#define DNS_SECTION_ADDITIONAL 3
-#define DNS_SECTION_MAX 4
-
-typedef int dns_pseudosection_t;
-#define DNS_PSEUDOSECTION_ANY (-1)
-#define DNS_PSEUDOSECTION_OPT 0
-#define DNS_PSEUDOSECTION_TSIG 1
-#define DNS_PSEUDOSECTION_SIG0 2
-#define DNS_PSEUDOSECTION_MAX 3
-
-typedef int dns_messagetextflag_t;
-#define DNS_MESSAGETEXTFLAG_NOCOMMENTS 0x0001
-#define DNS_MESSAGETEXTFLAG_NOHEADERS 0x0002
-
-/*
- * Dynamic update names for these sections.
- */
-#define DNS_SECTION_ZONE DNS_SECTION_QUESTION
-#define DNS_SECTION_PREREQUISITE DNS_SECTION_ANSWER
-#define DNS_SECTION_UPDATE DNS_SECTION_AUTHORITY
-
-/*
- * These tell the message library how the created dns_message_t will be used.
- */
-#define DNS_MESSAGE_INTENTUNKNOWN 0 /* internal use only */
-#define DNS_MESSAGE_INTENTPARSE 1 /* parsing messages */
-#define DNS_MESSAGE_INTENTRENDER 2 /* rendering */
-
-/*
- * Control behavior of parsing
- */
-#define DNS_MESSAGEPARSE_PRESERVEORDER 0x0001 /* preserve rdata order */
-#define DNS_MESSAGEPARSE_BESTEFFORT 0x0002 /* return a message if a
- recoverable parse error
- occurs */
-#define DNS_MESSAGEPARSE_CLONEBUFFER 0x0004 /* save a copy of the
- source buffer */
-#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /* trucation errors are
- * not fatal. */
-
-/*
- * Control behavior of rendering
- */
-#define DNS_MESSAGERENDER_ORDERED 0x0001 /* don't change order */
-#define DNS_MESSAGERENDER_PARTIAL 0x0002 /* allow a partial rdataset */
-#define DNS_MESSAGERENDER_OMITDNSSEC 0x0004 /* omit DNSSEC records */
-#define DNS_MESSAGERENDER_PREFER_A 0x0008 /* prefer A records in
- * additional section. */
-#define DNS_MESSAGERENDER_PREFER_AAAA 0x0010 /* prefer AAAA records in
- * additional section. */
-
-typedef struct dns_msgblock dns_msgblock_t;
-
-struct dns_message {
- /* public from here down */
- unsigned int magic;
-
- dns_messageid_t id;
- unsigned int flags;
- dns_rcode_t rcode;
- unsigned int opcode;
- dns_rdataclass_t rdclass;
-
- /* 4 real, 1 pseudo */
- unsigned int counts[DNS_SECTION_MAX];
-
- /* private from here down */
- dns_namelist_t sections[DNS_SECTION_MAX];
- dns_name_t *cursors[DNS_SECTION_MAX];
- dns_rdataset_t *opt;
- dns_rdataset_t *sig0;
- dns_rdataset_t *tsig;
-
- int state;
- unsigned int from_to_wire : 2;
- unsigned int header_ok : 1;
- unsigned int question_ok : 1;
- unsigned int tcp_continuation : 1;
- unsigned int verified_sig : 1;
- unsigned int verify_attempted : 1;
- unsigned int free_query : 1;
- unsigned int free_saved : 1;
-
- unsigned int opt_reserved;
- unsigned int sig_reserved;
- unsigned int reserved; /* reserved space (render) */
-
- isc_buffer_t *buffer;
- dns_compress_t *cctx;
-
- isc_mem_t *mctx;
- isc_mempool_t *namepool;
- isc_mempool_t *rdspool;
-
- isc_bufferlist_t scratchpad;
- isc_bufferlist_t cleanup;
-
- ISC_LIST(dns_msgblock_t) rdatas;
- ISC_LIST(dns_msgblock_t) rdatalists;
- ISC_LIST(dns_msgblock_t) offsets;
-
- ISC_LIST(dns_rdata_t) freerdata;
- ISC_LIST(dns_rdatalist_t) freerdatalist;
-
- dns_rcode_t tsigstatus;
- dns_rcode_t querytsigstatus;
- dns_name_t *tsigname; /* Owner name of TSIG, if any */
- dns_rdataset_t *querytsig;
- dns_tsigkey_t *tsigkey;
- dst_context_t *tsigctx;
- int sigstart;
- int timeadjust;
-
- dns_name_t *sig0name; /* Owner name of SIG0, if any */
- dst_key_t *sig0key;
- dns_rcode_t sig0status;
- isc_region_t query;
- isc_region_t saved;
-
- dns_rdatasetorderfunc_t order;
- void * order_arg;
-};
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp);
-
-/*
- * Create msg structure.
- *
- * This function will allocate some internal blocks of memory that are
- * expected to be needed for parsing or rendering nearly any type of message.
- *
- * Requires:
- * 'mctx' be a valid memory context.
- *
- * 'msgp' be non-null and '*msg' be NULL.
- *
- * 'intent' must be one of DNS_MESSAGE_INTENTPARSE or
- * DNS_MESSAGE_INTENTRENDER.
- *
- * Ensures:
- * The data in "*msg" is set to indicate an unused and empty msg
- * structure.
- *
- * Returns:
- * ISC_R_NOMEMORY -- out of memory
- * ISC_R_SUCCESS -- success
- */
-
-void
-dns_message_reset(dns_message_t *msg, unsigned int intent);
-/*
- * Reset a message structure to default state. All internal lists are freed
- * or reset to a default state as well. This is simply a more efficient
- * way to call dns_message_destroy() followed by dns_message_allocate(),
- * since it avoid many memory allocations.
- *
- * If any data loanouts (buffers, names, rdatas, etc) were requested,
- * the caller must no longer use them after this call.
- *
- * The intended next use of the message will be 'intent'.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * 'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
- */
-
-void
-dns_message_destroy(dns_message_t **msgp);
-/*
- * Destroy all state in the message.
- *
- * Requires:
- *
- * 'msgp' be valid.
- *
- * Ensures:
- * '*msgp' == NULL
- */
-
-isc_result_t
-dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
- const dns_master_style_t *style,
- dns_messagetextflag_t flags,
- isc_buffer_t *target);
-
-isc_result_t
-dns_message_pseudosectiontotext(dns_message_t *msg,
- dns_pseudosection_t section,
- const dns_master_style_t *style,
- dns_messagetextflag_t flags,
- isc_buffer_t *target);
-/*
- * Convert section 'section' or 'pseudosection' of message 'msg' to
- * a cleartext representation
- *
- * Notes:
- * See dns_message_totext for meanings of flags.
- *
- * Requires:
- *
- * 'msg' is a valid message.
- *
- * 'style' is a valid master dump style.
- *
- * 'target' is a valid buffer.
- *
- * 'section' is a valid section label.
- *
- * Ensures:
- *
- * If the result is success:
- *
- * The used space in 'target' is updated.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- * ISC_R_NOMORE
- *
- * Note: On error return, *target may be partially filled with data.
-*/
-
-isc_result_t
-dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
- dns_messagetextflag_t flags, isc_buffer_t *target);
-/*
- * Convert all sections of message 'msg' to a cleartext representation
- *
- * Notes:
- * In flags, If DNS_MESSAGETEXTFLAG_OMITDOT is set, then the
- * final '.' in absolute names will not be emitted. If
- * DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning
- * with ";;" will be emitted indicating section name. If
- * DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will
- * be emitted.
- *
- * Requires:
- *
- * 'msg' is a valid message.
- *
- * 'style' is a valid master dump style.
- *
- * 'target' is a valid buffer.
- *
- * Ensures:
- *
- * If the result is success:
- *
- * The used space in 'target' is updated.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- * ISC_R_NOMORE
- *
- * Note: On error return, *target may be partially filled with data.
- */
-
-isc_result_t
-dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
- unsigned int options);
-/*
- * Parse raw wire data in 'source' as a DNS message.
- *
- * OPT records are detected and stored in the pseudo-section "opt".
- * TSIGs are detected and stored in the pseudo-section "tsig".
- *
- * If DNS_MESSAGEPARSE_PRESERVEORDER is set, or if the opcode of the message
- * is UPDATE, a separate dns_name_t object will be created for each RR in the
- * message. Each such dns_name_t will have a single rdataset containing the
- * single RR, and the order of the RRs in the message is preserved.
- * Otherwise, only one dns_name_t object will be created for each unique
- * owner name in the section, and each such dns_name_t will have a list
- * of rdatasets. To access the names and their data, use
- * dns_message_firstname() and dns_message_nextname().
- *
- * If DNS_MESSAGEPARSE_BESTEFFORT is set, errors in message content will
- * not be considered FORMERRs. If the entire message can be parsed, it
- * will be returned and DNS_R_RECOVERABLE will be returned.
- *
- * If DNS_MESSAGEPARSE_IGNORETRUNCATION is set then return as many complete
- * RR's as possible, DNS_R_RECOVERABLE will be returned.
- *
- * OPT and TSIG records are always handled specially, regardless of the
- * 'preserve_order' setting.
- *
- * Requires:
- * "msg" be valid.
- *
- * "buffer" be a wire format buffer.
- *
- * Ensures:
- * The buffer's data format is correct.
- *
- * The buffer's contents verify as correct regarding header bits, buffer
- * and rdata sizes, etc.
- *
- * Returns:
- * ISC_R_SUCCESS -- all is well
- * ISC_R_NOMEMORY -- no memory
- * DNS_R_RECOVERABLE -- the message parsed properly, but contained
- * errors.
- * Many other errors possible XXXMLG
- */
-
-isc_result_t
-dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
- isc_buffer_t *buffer);
-/*
- * Begin rendering on a message. Only one call can be made to this function
- * per message.
- *
- * The compression context is "owned" by the message library until
- * dns_message_renderend() is called. It must be invalidated by the caller.
- *
- * The buffer is "owned" by the message library until dns_message_renderend()
- * is called.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * 'cctx' be valid.
- *
- * 'buffer' is a valid buffer.
- *
- * Side Effects:
- *
- * The buffer is cleared before it is used.
- *
- * Returns:
- * ISC_R_SUCCESS -- all is well
- * ISC_R_NOSPACE -- output buffer is too small
- */
-
-isc_result_t
-dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
-/*
- * Reset the buffer. This can be used after growing the old buffer
- * on a ISC_R_NOSPACE return from most of the render functions.
- *
- * On successful completion, the old buffer is no longer used by the
- * library. The new buffer is owned by the library until
- * dns_message_renderend() is called.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * dns_message_renderbegin() was called.
- *
- * buffer != NULL.
- *
- * Returns:
- * ISC_R_NOSPACE -- new buffer is too small
- * ISC_R_SUCCESS -- all is well.
- */
-
-isc_result_t
-dns_message_renderreserve(dns_message_t *msg, unsigned int space);
-/*
- * XXXMLG should use size_t rather than unsigned int once the buffer
- * API is cleaned up
- *
- * Reserve "space" bytes in the given buffer.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * dns_message_renderbegin() was called.
- *
- * Returns:
- * ISC_R_SUCCESS -- all is well.
- * ISC_R_NOSPACE -- not enough free space in the buffer.
- */
-
-void
-dns_message_renderrelease(dns_message_t *msg, unsigned int space);
-/*
- * XXXMLG should use size_t rather than unsigned int once the buffer
- * API is cleaned up
- *
- * Release "space" bytes in the given buffer that was previously reserved.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * 'space' is less than or equal to the total amount of space reserved
- * via prior calls to dns_message_renderreserve().
- *
- * dns_message_renderbegin() was called.
- */
-
-isc_result_t
-dns_message_rendersection(dns_message_t *msg, dns_section_t section,
- unsigned int options);
-/*
- * Render all names, rdatalists, etc from the given section at the
- * specified priority or higher.
- *
- * Requires:
- * 'msg' be valid.
- *
- * 'section' be a valid section.
- *
- * dns_message_renderbegin() was called.
- *
- * Returns:
- * ISC_R_SUCCESS -- all records were written, and there are
- * no more records for this section.
- * ISC_R_NOSPACE -- Not enough room in the buffer to write
- * all records requested.
- * DNS_R_MOREDATA -- All requested records written, and there
- * are records remaining for this section.
- */
-
-void
-dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target);
-/*
- * Render the message header. This is implicitly called by
- * dns_message_renderend().
- *
- * Requires:
- *
- * 'msg' be a valid message.
- *
- * dns_message_renderbegin() was called.
- *
- * 'target' is a valid buffer with enough space to hold a message header
- */
-
-isc_result_t
-dns_message_renderend(dns_message_t *msg);
-/*
- * Finish rendering to the buffer. Note that more data can be in the
- * 'msg' structure. Destroying the structure will free this, or in a multi-
- * part EDNS1 message this data can be rendered to another buffer later.
- *
- * Requires:
- *
- * 'msg' be a valid message.
- *
- * dns_message_renderbegin() was called.
- *
- * Returns:
- * ISC_R_SUCCESS -- all is well.
- */
-
-void
-dns_message_renderreset(dns_message_t *msg);
-/*
- * Reset the message so that it may be rendered again.
- *
- * Notes:
- *
- * If dns_message_renderbegin() has been called, dns_message_renderend()
- * must be called before calling this function.
- *
- * Requires:
- *
- * 'msg' be a valid message with rendering intent.
- */
-
-isc_result_t
-dns_message_firstname(dns_message_t *msg, dns_section_t section);
-/*
- * Set internal per-section name pointer to the beginning of the section.
- *
- * The functions dns_message_firstname() and dns_message_nextname() may
- * be used for iterating over the owner names in a section.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * 'section' be a valid section.
- *
- * Returns:
- * ISC_R_SUCCESS -- All is well.
- * ISC_R_NOMORE -- No names on given section.
- */
-
-isc_result_t
-dns_message_nextname(dns_message_t *msg, dns_section_t section);
-/*
- * Sets the internal per-section name pointer to point to the next name
- * in that section.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * 'section' be a valid section.
- *
- * dns_message_firstname() must have been called on this section,
- * and the result was ISC_R_SUCCESS.
- *
- * Returns:
- * ISC_R_SUCCESS -- All is well.
- * ISC_R_NOMORE -- No more names in given section.
- */
-
-void
-dns_message_currentname(dns_message_t *msg, dns_section_t section,
- dns_name_t **name);
-/*
- * Sets 'name' to point to the name where the per-section internal name
- * pointer is currently set.
- *
- * This function returns the name in the database, so any data associated
- * with it (via the name's "list" member) contains the actual rdatasets.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * 'name' be non-NULL, and *name be NULL.
- *
- * 'section' be a valid section.
- *
- * dns_message_firstname() must have been called on this section,
- * and the result of it and any dns_message_nextname() calls was
- * ISC_R_SUCCESS.
- */
-
-isc_result_t
-dns_message_findname(dns_message_t *msg, dns_section_t section,
- dns_name_t *target, dns_rdatatype_t type,
- dns_rdatatype_t covers, dns_name_t **foundname,
- dns_rdataset_t **rdataset);
-/*
- * Search for a name in the specified section. If it is found, *name is
- * set to point to the name, and *rdataset is set to point to the found
- * rdataset (if type is specified as other than dns_rdatatype_any).
- *
- * Requires:
- * 'msg' be valid.
- *
- * 'section' be a valid section.
- *
- * If a pointer to the name is desired, 'foundname' should be non-NULL.
- * If it is non-NULL, '*foundname' MUST be NULL.
- *
- * If a type other than dns_datatype_any is searched for, 'rdataset'
- * may be non-NULL, '*rdataset' be NULL, and will point at the found
- * rdataset. If the type is dns_datatype_any, 'rdataset' must be NULL.
- *
- * 'target' be a valid name.
- *
- * 'type' be a valid type.
- *
- * If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
- * Otherwise it should be 0.
- *
- * Returns:
- * ISC_R_SUCCESS -- all is well.
- * DNS_R_NXDOMAIN -- name does not exist in that section.
- * DNS_R_NXRRSET -- The name does exist, but the desired
- * type does not.
- */
-
-isc_result_t
-dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
- dns_rdatatype_t covers, dns_rdataset_t **rdataset);
-/*
- * Search the name for the specified type. If it is found, *rdataset is
- * filled in with a pointer to that rdataset.
- *
- * Requires:
- * if '**rdataset' is non-NULL, *rdataset needs to be NULL.
- *
- * 'type' be a valid type, and NOT dns_rdatatype_any.
- *
- * If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
- * Otherwise it should be 0.
- *
- * Returns:
- * ISC_R_SUCCESS -- all is well.
- * ISC_R_NOTFOUND -- the desired type does not exist.
- */
-
-void
-dns_message_movename(dns_message_t *msg, dns_name_t *name,
- dns_section_t fromsection,
- dns_section_t tosection);
-/*
- * Move a name from one section to another.
- *
- * Requires:
- *
- * 'msg' be valid.
- *
- * 'name' must be a name already in 'fromsection'.
- *
- * 'fromsection' must be a valid section.
- *
- * 'tosection' must be a valid section.
- */
-
-void
-dns_message_addname(dns_message_t *msg, dns_name_t *name,
- dns_section_t section);
-/*
- * Adds the name to the given section.
- *
- * It is the caller's responsibility to enforce any unique name requirements
- * in a section.
- *
- * Requires:
- *
- * 'msg' be valid, and be a renderable message.
- *
- * 'name' be a valid absolute name.
- *
- * 'section' be a named section.
- */
-
-/*
- * LOANOUT FUNCTIONS
- *
- * Each of these functions loan a particular type of data to the caller.
- * The storage for these will vanish when the message is destroyed or
- * reset, and must NOT be used after these operations.
- */
-
-isc_result_t
-dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
-/*
- * Return a name that can be used for any temporary purpose, including
- * inserting into the message's linked lists. The name must be returned
- * to the message code using dns_message_puttempname() or inserted into
- * one of the message's sections before the message is destroyed.
- *
- * It is the caller's responsibility to initialize this name.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item == NULL
- *
- * Returns:
- * ISC_R_SUCCESS -- All is well.
- * ISC_R_NOMEMORY -- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item);
-/*
- * Return an offsets array that can be used for any temporary purpose,
- * such as attaching to a temporary name. The offsets will be freed
- * when the message is destroyed or reset.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item == NULL
- *
- * Returns:
- * ISC_R_SUCCESS -- All is well.
- * ISC_R_NOMEMORY -- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
-/*
- * Return a rdata that can be used for any temporary purpose, including
- * inserting into the message's linked lists. The rdata will be freed
- * when the message is destroyed or reset.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item == NULL
- *
- * Returns:
- * ISC_R_SUCCESS -- All is well.
- * ISC_R_NOMEMORY -- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
-/*
- * Return a rdataset that can be used for any temporary purpose, including
- * inserting into the message's linked lists. The name must be returned
- * to the message code using dns_message_puttempname() or inserted into
- * one of the message's sections before the message is destroyed.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item == NULL
- *
- * Returns:
- * ISC_R_SUCCESS -- All is well.
- * ISC_R_NOMEMORY -- No item can be allocated.
- */
-
-isc_result_t
-dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
-/*
- * Return a rdatalist that can be used for any temporary purpose, including
- * inserting into the message's linked lists. The rdatalist will be
- * destroyed when the message is destroyed or reset.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item == NULL
- *
- * Returns:
- * ISC_R_SUCCESS -- All is well.
- * ISC_R_NOMEMORY -- No item can be allocated.
- */
-
-void
-dns_message_puttempname(dns_message_t *msg, dns_name_t **item);
-/*
- * Return a borrowed name to the message's name free list.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item point to a name returned by
- * dns_message_gettempname()
- *
- * Ensures:
- * *item == NULL
- */
-
-void
-dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item);
-/*
- * Return a borrowed rdata to the message's rdata free list.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item point to a rdata returned by
- * dns_message_gettemprdata()
- *
- * Ensures:
- * *item == NULL
- */
-
-void
-dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item);
-/*
- * Return a borrowed rdataset to the message's rdataset free list.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item point to a rdataset returned by
- * dns_message_gettemprdataset()
- *
- * Ensures:
- * *item == NULL
- */
-
-void
-dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
-/*
- * Return a borrowed rdatalist to the message's rdatalist free list.
- *
- * Requires:
- * msg be a valid message
- *
- * item != NULL && *item point to a rdatalist returned by
- * dns_message_gettemprdatalist()
- *
- * Ensures:
- * *item == NULL
- */
-
-isc_result_t
-dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
- unsigned int *flagsp);
-/*
- * Assume the remaining region of "source" is a DNS message. Peek into
- * it and fill in "*idp" with the message id, and "*flagsp" with the flags.
- *
- * Requires:
- *
- * source != NULL
- *
- * Ensures:
- *
- * if (idp != NULL) *idp == message id.
- *
- * if (flagsp != NULL) *flagsp == message flags.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- all is well.
- *
- * ISC_R_UNEXPECTEDEND -- buffer doesn't contain enough for a header.
- */
-
-isc_result_t
-dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
-/*
- * Start formatting a reply to the query in 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message with parsing intent, and contains a query.
- *
- * Ensures:
- *
- * The message will have a rendering intent. If 'want_question_section'
- * is true, the message opcode is query or notify, and the question
- * section is present and properly formatted, then the question section
- * will be included in the reply. All other sections will be cleared.
- * The QR flag will be set, the RD flag will be preserved, and all other
- * flags will be cleared.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- all is well.
- *
- * DNS_R_FORMERR -- the header or question section of the
- * message is invalid, replying is impossible.
- * If DNS_R_FORMERR is returned when
- * want_question_section is ISC_FALSE, then
- * it's the header section that's bad;
- * otherwise either of the header or question
- * sections may be bad.
- */
-
-dns_rdataset_t *
-dns_message_getopt(dns_message_t *msg);
-/*
- * Get the OPT record for 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message.
- *
- * Returns:
- *
- * The OPT rdataset of 'msg', or NULL if there isn't one.
- */
-
-isc_result_t
-dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
-/*
- * Set the OPT record for 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message with rendering intent
- * and no sections have been rendered.
- *
- * 'opt' is a valid OPT record.
- *
- * Ensures:
- *
- * The OPT record has either been freed or ownership of it has
- * been transferred to the message.
- *
- * If ISC_R_SUCCESS was returned, the OPT record will be rendered
- * when dns_message_renderend() is called.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- all is well.
- *
- * ISC_R_NOSPACE -- there is no space for the OPT record.
- */
-
-dns_rdataset_t *
-dns_message_gettsig(dns_message_t *msg, dns_name_t **owner);
-/*
- * Get the TSIG record and owner for 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message.
- * 'owner' is NULL or *owner is NULL.
- *
- * Returns:
- *
- * The TSIG rdataset of 'msg', or NULL if there isn't one.
- *
- * Ensures:
- *
- * If 'owner' is not NULL, it will point to the owner name.
- */
-
-isc_result_t
-dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key);
-/*
- * Set the tsig key for 'msg'. This is only necessary for when rendering a
- * query or parsing a response. The key (if non-NULL) is attached to, and
- * will be detached when the message is destroyed.
- *
- * Requires:
- *
- * 'msg' is a valid message with rendering intent,
- * dns_message_renderbegin() has been called, and no sections have been
- * rendered.
- * 'key' is a valid tsig key or NULL.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- all is well.
- *
- * ISC_R_NOSPACE -- there is no space for the TSIG record.
- */
-
-dns_tsigkey_t *
-dns_message_gettsigkey(dns_message_t *msg);
-/*
- * Gets the tsig key for 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message
- */
-
-isc_result_t
-dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig);
-/*
- * Indicates that 'querytsig' is the TSIG from the signed query for which
- * 'msg' is the response. This is also used for chained TSIGs in TCP
- * responses.
- *
- * Requires:
- *
- * 'querytsig' is a valid buffer as returned by dns_message_getquerytsig()
- * or NULL
- *
- * 'msg' is a valid message
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
- isc_buffer_t **querytsig);
-/*
- * Gets the tsig from the TSIG from the signed query 'msg'. This is also used
- * for chained TSIGs in TCP responses. Unlike dns_message_gettsig, this makes
- * a copy of the data, so can be used if the message is destroyed.
- *
- * Requires:
- *
- * 'msg' is a valid signed message
- * 'mctx' is a valid memory context
- * querytsig != NULL && *querytsig == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Ensures:
- * 'tsig' points to NULL or an allocated buffer which must be freed
- * by the caller.
- */
-
-dns_rdataset_t *
-dns_message_getsig0(dns_message_t *msg, dns_name_t **owner);
-/*
- * Get the SIG(0) record and owner for 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message.
- * 'owner' is NULL or *owner is NULL.
- *
- * Returns:
- *
- * The SIG(0) rdataset of 'msg', or NULL if there isn't one.
- *
- * Ensures:
- *
- * If 'owner' is not NULL, it will point to the owner name.
- */
-
-isc_result_t
-dns_message_setsig0key(dns_message_t *msg, dst_key_t *key);
-/*
- * Set the SIG(0) key for 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message with rendering intent,
- * dns_message_renderbegin() has been called, and no sections have been
- * rendered.
- * 'key' is a valid sig key or NULL.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- all is well.
- *
- * ISC_R_NOSPACE -- there is no space for the SIG(0) record.
- */
-
-dst_key_t *
-dns_message_getsig0key(dns_message_t *msg);
-/*
- * Gets the SIG(0) key for 'msg'.
- *
- * Requires:
- *
- * 'msg' is a valid message
- */
-
-void
-dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
-/*
- * Give the *buffer to the message code to clean up when it is no
- * longer needed. This is usually when the message is reset or
- * destroyed.
- *
- * Requires:
- *
- * msg be a valid message.
- *
- * buffer != NULL && *buffer is a valid isc_buffer_t, which was
- * dynamincally allocated via isc_buffer_allocate().
- */
-
-isc_result_t
-dns_message_signer(dns_message_t *msg, dns_name_t *signer);
-/*
- * If this message was signed, return the identity of the signer.
- * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
- * key that signed the message.
- *
- * Requires:
- *
- * msg is a valid parsed message.
- * signer is a valid name
- *
- * Returns:
- *
- * ISC_R_SUCCESS - the message was signed, and *signer
- * contains the signing identity
- *
- * ISC_R_NOTFOUND - no TSIG or SIG(0) record is present in the
- * message
- *
- * DNS_R_TSIGVERIFYFAILURE - the message was signed by a TSIG, but the
- * signature failed to verify
- *
- * DNS_R_TSIGERRORSET - the message was signed by a TSIG and
- * verified, but the query was rejected by
- * the server
- *
- * DNS_R_NOIDENTITY - the message was signed by a TSIG and
- * verified, but the key has no identity since
- * it was generated by an unsigned TKEY process
- *
- * DNS_R_SIGINVALID - the message was signed by a SIG(0), but
- * the signature failed to verify
- *
- * DNS_R_NOTVERIFIEDYET - the message was signed by a TSIG or SIG(0),
- * but the signature has not been verified yet
- */
-
-isc_result_t
-dns_message_checksig(dns_message_t *msg, dns_view_t *view);
-/*
- * If this message was signed, verify the signature.
- *
- * Requires:
- *
- * msg is a valid parsed message.
- * view is a valid view or NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS - the message was unsigned, or the message
- * was signed correctly.
- *
- * DNS_R_EXPECTEDTSIG - A TSIG was expected, but not seen
- * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
- * DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
- */
-
-isc_result_t
-dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
-/*
- * Reset the signature state and then if the message was signed,
- * verify the message.
- *
- * Requires:
- *
- * msg is a valid parsed message.
- * view is a valid view or NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS - the message was unsigned, or the message
- * was signed correctly.
- *
- * DNS_R_EXPECTEDTSIG - A TSIG was expected, but not seen
- * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
- * DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
- */
-
-void
-dns_message_resetsig(dns_message_t *msg);
-/*
- * Reset the signature state.
- *
- * Requires:
- * 'msg' is a valid parsed message.
- */
-
-isc_region_t *
-dns_message_getrawmessage(dns_message_t *msg);
-/*
- * Retrieve the raw message in compressed wire format. The message must
- * have been successfully parsed for it to have been saved.
- *
- * Requires:
- * msg is a valid parsed message.
- *
- * Returns:
- * NULL if there is no saved message.
- * a pointer to a region which refers the dns message.
- */
-
-void
-dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
- void *order_arg);
-/*
- * Define the order in which RR sets get rendered by
- * dns_message_rendersection() to be the ascending order
- * defined by the integer value returned by 'order' when
- * given each RR and 'arg' as arguments. If 'order' and
- * 'order_arg' are NULL, a default order is used.
- *
- * Requires:
- * msg be a valid message.
- * order_arg is NULL if and only if order is NULL.
- */
-
-void
-dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
-/*
- * Adjust the time used to sign/verify a message by timeadjust.
- * Currently only TSIG.
- *
- * Requires:
- * msg be a valid message.
- */
-
-int
-dns_message_gettimeadjust(dns_message_t *msg);
-/*
- * Return the current time adjustment.
- *
- * Requires:
- * msg be a valid message.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_MESSAGE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/name.h b/contrib/bind9/lib/dns/include/dns/name.h
deleted file mode 100644
index 5f6a3db9c191..000000000000
--- a/contrib/bind9/lib/dns/include/dns/name.h
+++ /dev/null
@@ -1,1246 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: name.h,v 1.95.2.3.2.12 2004/09/08 00:29:34 marka Exp $ */
-
-#ifndef DNS_NAME_H
-#define DNS_NAME_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Names and Labels
- *
- * Provides facilities for manipulating DNS names and labels, including
- * conversions to and from wire format and text format.
- *
- * Given the large number of names possible in a nameserver, and because
- * names occur in rdata, it was important to come up with a very efficient
- * way of storing name data, but at the same time allow names to be
- * manipulated. The decision was to store names in uncompressed wire format,
- * and not to make them fully abstracted objects; i.e. certain parts of the
- * server know names are stored that way. This saves a lot of memory, and
- * makes adding names to messages easy. Having much of the server know
- * the representation would be perilous, and we certainly don't want each
- * user of names to be manipulating such a low-level structure. This is
- * where the Names and Labels module comes in. The module allows name or
- * label handles to be created and attached to uncompressed wire format
- * regions. All name operations and conversions are done through these
- * handles.
- *
- * MP:
- * Clients of this module must impose any required synchronization.
- *
- * Reliability:
- * This module deals with low-level byte streams. Errors in any of
- * the functions are likely to crash the server or corrupt memory.
- *
- * Resources:
- * None.
- *
- * Security:
- *
- * *** WARNING ***
- *
- * dns_name_fromwire() deals with raw network data. An error in
- * this routine could result in the failure or hijacking of the server.
- *
- * Standards:
- * RFC 1035
- * Draft EDNS0 (0)
- * Draft Binary Labels (2)
- *
- */
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/boolean.h>
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/region.h> /* Required for storage size of dns_label_t. */
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Labels
- *****
- ***** A 'label' is basically a region. It contains one DNS wire format
- ***** label of type 00 (ordinary).
- *****/
-
-/*****
- ***** Names
- *****
- ***** A 'name' is a handle to a binary region. It contains a sequence of one
- ***** or more DNS wire format labels of type 00 (ordinary).
- ***** Note that all names are not required to end with the root label,
- ***** as they are in the actual DNS wire protocol.
- *****/
-
-/***
- *** Compression pointer chaining limit
- ***/
-
-#define DNS_POINTER_MAXHOPS 16
-
-/***
- *** Types
- ***/
-
-/*
- * Clients are strongly discouraged from using this type directly, with
- * the exception of the 'link' and 'list' fields which may be used directly
- * for whatever purpose the client desires.
- */
-struct dns_name {
- unsigned int magic;
- unsigned char * ndata;
- unsigned int length;
- unsigned int labels;
- unsigned int attributes;
- unsigned char * offsets;
- isc_buffer_t * buffer;
- ISC_LINK(dns_name_t) link;
- ISC_LIST(dns_rdataset_t) list;
-};
-
-#define DNS_NAME_MAGIC ISC_MAGIC('D','N','S','n')
-
-#define DNS_NAMEATTR_ABSOLUTE 0x0001
-#define DNS_NAMEATTR_READONLY 0x0002
-#define DNS_NAMEATTR_DYNAMIC 0x0004
-#define DNS_NAMEATTR_DYNOFFSETS 0x0008
-/*
- * Attributes below 0x0100 reserved for name.c usage.
- */
-#define DNS_NAMEATTR_CACHE 0x0100 /* Used by resolver. */
-#define DNS_NAMEATTR_ANSWER 0x0200 /* Used by resolver. */
-#define DNS_NAMEATTR_NCACHE 0x0400 /* Used by resolver. */
-#define DNS_NAMEATTR_CHAINING 0x0800 /* Used by resolver. */
-#define DNS_NAMEATTR_CHASE 0x1000 /* Used by resolver. */
-#define DNS_NAMEATTR_WILDCARD 0x2000 /* Used by server. */
-
-#define DNS_NAME_DOWNCASE 0x0001
-#define DNS_NAME_CHECKNAMES 0x0002 /* Used by rdata. */
-#define DNS_NAME_CHECKNAMESFAIL 0x0004 /* Used by rdata. */
-#define DNS_NAME_CHECKREVERSE 0x0008 /* Used by rdata. */
-
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_rootname;
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname;
-
-/*
- * Standard size of a wire format name
- */
-#define DNS_NAME_MAXWIRE 255
-
-/***
- *** Initialization
- ***/
-
-void
-dns_name_init(dns_name_t *name, unsigned char *offsets);
-/*
- * Initialize 'name'.
- *
- * Notes:
- * 'offsets' is never required to be non-NULL, but specifying a
- * dns_offsets_t for 'offsets' will improve the performance of most
- * name operations if the name is used more than once.
- *
- * Requires:
- * 'name' is not NULL and points to a struct dns_name.
- *
- * offsets == NULL or offsets is a dns_offsets_t.
- *
- * Ensures:
- * 'name' is a valid name.
- * dns_name_countlabels(name) == 0
- * dns_name_isabsolute(name) == ISC_FALSE
- */
-
-void
-dns_name_reset(dns_name_t *name);
-/*
- * Reinitialize 'name'.
- *
- * Notes:
- * This function distinguishes itself from dns_name_init() in two
- * key ways:
- *
- * + If any buffer is associated with 'name' (via dns_name_setbuffer()
- * or by being part of a dns_fixedname_t) the link to the buffer
- * is retained but the buffer itself is cleared.
- *
- * + Of the attributes associated with 'name', all are retained except
- * DNS_NAMEATTR_ABSOLUTE.
- *
- * Requires:
- * 'name' is a valid name.
- *
- * Ensures:
- * 'name' is a valid name.
- * dns_name_countlabels(name) == 0
- * dns_name_isabsolute(name) == ISC_FALSE
- */
-
-void
-dns_name_invalidate(dns_name_t *name);
-/*
- * Make 'name' invalid.
- *
- * Requires:
- * 'name' is a valid name.
- *
- * Ensures:
- * If assertion checking is enabled, future attempts to use 'name'
- * without initializing it will cause an assertion failure.
- *
- * If the name had a dedicated buffer, that association is ended.
- */
-
-
-/***
- *** Dedicated Buffers
- ***/
-
-void
-dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
-/*
- * Dedicate a buffer for use with 'name'.
- *
- * Notes:
- * Specification of a target buffer in dns_name_fromwire(),
- * dns_name_fromtext(), and dns_name_concatentate() is optional if
- * 'name' has a dedicated buffer.
- *
- * The caller must not write to buffer until the name has been
- * invalidated or is otherwise known not to be in use.
- *
- * If buffer is NULL and the name previously had a dedicated buffer,
- * than that buffer is no longer dedicated to use with this name.
- * The caller is responsible for ensuring that the storage used by
- * the name remains valid.
- *
- * Requires:
- * 'name' is a valid name.
- *
- * 'buffer' is a valid binary buffer and 'name' doesn't have a
- * dedicated buffer already, or 'buffer' is NULL.
- */
-
-isc_boolean_t
-dns_name_hasbuffer(const dns_name_t *name);
-/*
- * Does 'name' have a dedicated buffer?
- *
- * Requires:
- * 'name' is a valid name.
- *
- * Returns:
- * ISC_TRUE 'name' has a dedicated buffer.
- * ISC_FALSE 'name' does not have a dedicated buffer.
- */
-
-
-/***
- *** Properties
- ***/
-
-isc_boolean_t
-dns_name_isabsolute(const dns_name_t *name);
-/*
- * Does 'name' end in the root label?
- *
- * Requires:
- * 'name' is a valid name
- *
- * Returns:
- * TRUE The last label in 'name' is the root label.
- * FALSE The last label in 'name' is not the root label.
- */
-
-isc_boolean_t
-dns_name_iswildcard(const dns_name_t *name);
-/*
- * Is 'name' a wildcard name?
- *
- * Requires:
- * 'name' is a valid name
- *
- * dns_name_countlabels(name) > 0
- *
- * Returns:
- * TRUE The least significant label of 'name' is '*'.
- * FALSE The least significant label of 'name' is not '*'.
- */
-
-unsigned int
-dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
-/*
- * Provide a hash value for 'name'.
- *
- * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
- * case will have the same hash value.
- *
- * Requires:
- * 'name' is a valid name
- *
- * Returns:
- * A hash value
- */
-
-unsigned int
-dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive);
-/*
- * Provide a hash value for 'name'. Unlike dns_name_hash(), this function
- * always takes into account of the entire name to calculate the hash value.
- *
- * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
- * case will have the same hash value.
- *
- * Requires:
- * 'name' is a valid name
- *
- * Returns:
- * A hash value
- */
-
-unsigned int
-dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive);
-/*
- * Provide a hash value for 'name', where the hash value is the sum
- * of the hash values of each label.
- *
- * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
- * case will have the same hash value.
- *
- * Requires:
- * 'name' is a valid name
- *
- * Returns:
- * A hash value
- */
-
-/***
- *** Comparisons
- ***/
-
-dns_namereln_t
-dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
- int *orderp, unsigned int *nlabelsp);
-/*
- * Determine the relative ordering under the DNSSEC order relation of
- * 'name1' and 'name2', and also determine the hierarchical
- * relationship of the names.
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- *
- * Requires:
- * 'name1' is a valid name
- *
- * dns_name_countlabels(name1) > 0
- *
- * 'name2' is a valid name
- *
- * dns_name_countlabels(name2) > 0
- *
- * orderp and nlabelsp are valid pointers.
- *
- * Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Ensures:
- *
- * *orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
- * name1 > name2.
- *
- * *nlabelsp is the number of common significant labels.
- *
- * Returns:
- * dns_namereln_none There's no hierarchical relationship
- * between name1 and name2.
- * dns_namereln_contains name1 properly contains name2; i.e.
- * name2 is a proper subdomain of name1.
- * dns_namereln_subdomain name1 is a proper subdomain of name2.
- * dns_namereln_equal name1 and name2 are equal.
- * dns_namereln_commonancestor name1 and name2 share a common
- * ancestor.
- */
-
-int
-dns_name_compare(const dns_name_t *name1, const dns_name_t *name2);
-/*
- * Determine the relative ordering under the DNSSEC order relation of
- * 'name1' and 'name2'.
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- *
- * Requires:
- * 'name1' is a valid name
- *
- * 'name2' is a valid name
- *
- * Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Returns:
- * < 0 'name1' is less than 'name2'
- * 0 'name1' is equal to 'name2'
- * > 0 'name1' is greater than 'name2'
- */
-
-isc_boolean_t
-dns_name_equal(const dns_name_t *name1, const dns_name_t *name2);
-/*
- * Are 'name1' and 'name2' equal?
- *
- * Notes:
- * Because it only needs to test for equality, dns_name_equal() can be
- * significantly faster than dns_name_fullcompare() or dns_name_compare().
- *
- * Offsets tables are not used in the comparision.
- *
- * It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- *
- * Requires:
- * 'name1' is a valid name
- *
- * 'name2' is a valid name
- *
- * Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Returns:
- * ISC_TRUE 'name1' and 'name2' are equal
- * ISC_FALSE 'name1' and 'name2' are not equal
- */
-
-int
-dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2);
-/*
- * Compare two names as if they are part of rdata in DNSSEC canonical
- * form.
- *
- * Requires:
- * 'name1' is a valid absolute name
- *
- * dns_name_countlabels(name1) > 0
- *
- * 'name2' is a valid absolute name
- *
- * dns_name_countlabels(name2) > 0
- *
- * Returns:
- * < 0 'name1' is less than 'name2'
- * 0 'name1' is equal to 'name2'
- * > 0 'name1' is greater than 'name2'
- */
-
-isc_boolean_t
-dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2);
-/*
- * Is 'name1' a subdomain of 'name2'?
- *
- * Notes:
- * name1 is a subdomain of name2 if name1 is contained in name2, or
- * name1 equals name2.
- *
- * It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- *
- * Requires:
- * 'name1' is a valid name
- *
- * 'name2' is a valid name
- *
- * Either name1 is absolute and name2 is absolute, or neither is.
- *
- * Returns:
- * TRUE 'name1' is a subdomain of 'name2'
- * FALSE 'name1' is not a subdomain of 'name2'
- */
-
-isc_boolean_t
-dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
-/*
- * Does 'name' match the wildcard specified in 'wname'?
- *
- * Notes:
- * name matches the wildcard specified in wname if all labels
- * following the wildcard in wname are identical to the same number
- * of labels at the end of name.
- *
- * It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- *
- * Requires:
- * 'name' is a valid name
- *
- * dns_name_countlabels(name) > 0
- *
- * 'wname' is a valid name
- *
- * dns_name_countlabels(wname) > 0
- *
- * dns_name_iswildcard(wname) is true
- *
- * Either name is absolute and wname is absolute, or neither is.
- *
- * Returns:
- * TRUE 'name' matches the wildcard specified in 'wname'
- * FALSE 'name' does not match the wildcard specified in 'wname'
- */
-
-/***
- *** Labels
- ***/
-
-unsigned int
-dns_name_countlabels(const dns_name_t *name);
-/*
- * How many labels does 'name' have?
- *
- * Notes:
- * In this case, as in other places, a 'label' is an ordinary label.
- *
- * Requires:
- * 'name' is a valid name
- *
- * Ensures:
- * The result is <= 128.
- *
- * Returns:
- * The number of labels in 'name'.
- */
-
-void
-dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label);
-/*
- * Make 'label' refer to the 'n'th least significant label of 'name'.
- *
- * Notes:
- * Numbering starts at 0.
- *
- * Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
- * root label.
- *
- * 'label' refers to the same memory as 'name', so 'name' must not
- * be changed while 'label' is still in use.
- *
- * Requires:
- * n < dns_name_countlabels(name)
- */
-
-void
-dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
- unsigned int n, dns_name_t *target);
-/*
- * Make 'target' refer to the 'n' labels including and following 'first'
- * in 'source'.
- *
- * Notes:
- * Numbering starts at 0.
- *
- * Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
- * root label.
- *
- * 'target' refers to the same memory as 'source', so 'source'
- * must not be changed while 'target' is still in use.
- *
- * Requires:
- * 'source' and 'target' are valid names.
- *
- * first < dns_name_countlabels(name)
- *
- * first + n <= dns_name_countlabels(name)
- */
-
-
-void
-dns_name_clone(dns_name_t *source, dns_name_t *target);
-/*
- * Make 'target' refer to the same name as 'source'.
- *
- * Notes:
- *
- * 'target' refers to the same memory as 'source', so 'source'
- * must not be changed while 'target' is still in use.
- *
- * This call is functionally equivalent to:
- *
- * dns_name_getlabelsequence(source, 0,
- * dns_name_countlabels(source),
- * target);
- *
- * but is more efficient. Also, dns_name_clone() works even if 'source'
- * is empty.
- *
- * Requires:
- *
- * 'source' is a valid name.
- *
- * 'target' is a valid name that is not read-only.
- */
-
-/***
- *** Conversions
- ***/
-
-void
-dns_name_fromregion(dns_name_t *name, const isc_region_t *r);
-/*
- * Make 'name' refer to region 'r'.
- *
- * Note:
- * If the conversion encounters a root label before the end of the
- * region the conversion stops and the length is set to the length
- * so far converted. A maximum of 255 bytes is converted.
- *
- * Requires:
- * The data in 'r' is a sequence of one or more type 00 or type 01000001
- * labels.
- */
-
-void
-dns_name_toregion(dns_name_t *name, isc_region_t *r);
-/*
- * Make 'r' refer to 'name'.
- *
- * Requires:
- *
- * 'name' is a valid name.
- *
- * 'r' is a valid region.
- */
-
-isc_result_t
-dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
- dns_decompress_t *dctx, unsigned int options,
- isc_buffer_t *target);
-/*
- * Copy the possibly-compressed name at source (active region) into target,
- * decompressing it.
- *
- * Notes:
- * Decompression policy is controlled by 'dctx'.
- *
- * If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
- * downcased when they are copied into 'target'.
- *
- * Security:
- *
- * *** WARNING ***
- *
- * This routine will often be used when 'source' contains raw network
- * data. A programming error in this routine could result in a denial
- * of service, or in the hijacking of the server.
- *
- * Requires:
- *
- * 'name' is a valid name.
- *
- * 'source' is a valid buffer and the first byte of the active
- * region should be the first byte of a DNS wire format domain name.
- *
- * 'target' is a valid buffer or 'target' is NULL and 'name' has
- * a dedicated buffer.
- *
- * 'dctx' is a valid decompression context.
- *
- * Ensures:
- *
- * If result is success:
- * If 'target' is not NULL, 'name' is attached to it.
- *
- * Uppercase letters are downcased in the copy iff
- * DNS_NAME_DOWNCASE is set in options.
- *
- * The current location in source is advanced, and the used space
- * in target is updated.
- *
- * Result:
- * Success
- * Bad Form: Label Length
- * Bad Form: Unknown Label Type
- * Bad Form: Name Length
- * Bad Form: Compression type not allowed
- * Bad Form: Bad compression pointer
- * Bad Form: Input too short
- * Resource Limit: Too many compression pointers
- * Resource Limit: Not enough space in buffer
- */
-
-isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target);
-/*
- * Convert 'name' into wire format, compressing it as specified by the
- * compression context 'cctx', and storing the result in 'target'.
- *
- * Notes:
- * If the compression context allows global compression, then the
- * global compression table may be updated.
- *
- * Requires:
- * 'name' is a valid name
- *
- * dns_name_countlabels(name) > 0
- *
- * dns_name_isabsolute(name) == TRUE
- *
- * target is a valid buffer.
- *
- * Any offsets specified in a global compression table are valid
- * for buffer.
- *
- * Ensures:
- *
- * If the result is success:
- *
- * The used space in target is updated.
- *
- * Returns:
- * Success
- * Resource Limit: Not enough space in buffer
- */
-
-isc_result_t
-dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
- dns_name_t *origin, unsigned int options,
- isc_buffer_t *target);
-/*
- * Convert the textual representation of a DNS name at source
- * into uncompressed wire form stored in target.
- *
- * Notes:
- * Relative domain names will have 'origin' appended to them
- * unless 'origin' is NULL, in which case relative domain names
- * will remain relative.
- *
- * If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
- * in 'source' will be downcased when they are copied into 'target'.
- *
- * Requires:
- *
- * 'name' is a valid name.
- *
- * 'source' is a valid buffer.
- *
- * 'target' is a valid buffer or 'target' is NULL and 'name' has
- * a dedicated buffer.
- *
- * Ensures:
- *
- * If result is success:
- * If 'target' is not NULL, 'name' is attached to it.
- *
- * Uppercase letters are downcased in the copy iff
- * DNS_NAME_DOWNCASE is set in 'options'.
- *
- * The current location in source is advanced, and the used space
- * in target is updated.
- *
- * Result:
- * ISC_R_SUCCESS
- * DNS_R_EMPTYLABEL
- * DNS_R_LABELTOOLONG
- * DNS_R_BADESCAPE
- * (DNS_R_BADBITSTRING: should not be returned)
- * (DNS_R_BITSTRINGTOOLONG: should not be returned)
- * DNS_R_BADDOTTEDQUAD
- * ISC_R_NOSPACE
- * ISC_R_UNEXPECTEDEND
- */
-
-isc_result_t
-dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
- isc_buffer_t *target);
-/*
- * Convert 'name' into text format, storing the result in 'target'.
- *
- * Notes:
- * If 'omit_final_dot' is true, then the final '.' in absolute
- * names other than the root name will be omitted.
- *
- * If dns_name_countlabels == 0, the name will be "@", representing the
- * current origin as described by RFC 1035.
- *
- * The name is not NUL terminated.
- *
- * Requires:
- *
- * 'name' is a valid name
- *
- * 'target' is a valid buffer.
- *
- * if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
- *
- * Ensures:
- *
- * If the result is success:
- *
- * The used space in target is updated.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- */
-
-#define DNS_NAME_MAXTEXT 1023
-/*
- * The maximum length of the text representation of a domain
- * name as generated by dns_name_totext(). This does not
- * include space for a terminating NULL.
- *
- * This definition is conservative - the actual maximum
- * is 1004, derived as follows:
- *
- * A backslash-decimal escaped character takes 4 bytes.
- * A wire-encoded name can be up to 255 bytes and each
- * label is one length byte + at most 63 bytes of data.
- * Maximizing the label lengths gives us a name of
- * three 63-octet labels, one 61-octet label, and the
- * root label:
- *
- * 1 + 63 + 1 + 63 + 1 + 63 + 1 + 61 + 1 = 255
- *
- * When printed, this is (3 * 63 + 61) * 4
- * bytes for the escaped label data + 4 bytes for the
- * dot terminating each label = 1004 bytes total.
- */
-
-isc_result_t
-dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
- isc_buffer_t *target);
-/*
- * Convert 'name' into an alternate text format appropriate for filenames,
- * storing the result in 'target'. The name data is downcased, guaranteeing
- * that the filename does not depend on the case of the converted name.
- *
- * Notes:
- * If 'omit_final_dot' is true, then the final '.' in absolute
- * names other than the root name will be omitted.
- *
- * The name is not NUL terminated.
- *
- * Requires:
- *
- * 'name' is a valid absolute name
- *
- * 'target' is a valid buffer.
- *
- * Ensures:
- *
- * If the result is success:
- *
- * The used space in target is updated.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- */
-
-isc_result_t
-dns_name_downcase(dns_name_t *source, dns_name_t *name,
- isc_buffer_t *target);
-/*
- * Downcase 'source'.
- *
- * Requires:
- *
- * 'source' and 'name' are valid names.
- *
- * If source == name, then
- *
- * 'source' must not be read-only
- *
- * Otherwise,
- *
- * 'target' is a valid buffer or 'target' is NULL and
- * 'name' has a dedicated buffer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- *
- * Note: if source == name, then the result will always be ISC_R_SUCCESS.
- */
-
-isc_result_t
-dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
- dns_name_t *name, isc_buffer_t *target);
-/*
- * Concatenate 'prefix' and 'suffix'.
- *
- * Requires:
- *
- * 'prefix' is a valid name or NULL.
- *
- * 'suffix' is a valid name or NULL.
- *
- * 'name' is a valid name or NULL.
- *
- * 'target' is a valid buffer or 'target' is NULL and 'name' has
- * a dedicated buffer.
- *
- * If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
- *
- * Ensures:
- *
- * On success,
- * If 'target' is not NULL and 'name' is not NULL, then 'name'
- * is attached to it.
- *
- * The used space in target is updated.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- * DNS_R_NAMETOOLONG
- */
-
-void
-dns_name_split(dns_name_t *name, unsigned int suffixlabels,
- dns_name_t *prefix, dns_name_t *suffix);
-/*
- *
- * Split 'name' into two pieces on a label boundary.
- *
- * Notes:
- * 'name' is split such that 'suffix' holds the most significant
- * 'suffixlabels' labels. All other labels are stored in 'prefix'.
- *
- * Copying name data is avoided as much as possible, so 'prefix'
- * and 'suffix' will end up pointing at the data for 'name'.
- *
- * It is legitimate to pass a 'prefix' or 'suffix' that has
- * its name data stored someplace other than the dedicated buffer.
- * This is useful to avoid name copying in the calling function.
- *
- * It is also legitimate to pass a 'prefix' or 'suffix' that is
- * the same dns_name_t as 'name'.
- *
- * Requires:
- * 'name' is a valid name.
- *
- * 'suffixlabels' cannot exceed the number of labels in 'name'.
- *
- * 'prefix' is a valid name or NULL, and cannot be read-only.
- *
- * 'suffix' is a valid name or NULL, and cannot be read-only.
- *
- * If non-NULL, 'prefix' and 'suffix' must have dedicated buffers.
- *
- * 'prefix' and 'suffix' cannot point to the same buffer.
- *
- * Ensures:
- *
- * On success:
- * If 'prefix' is not NULL it will contain the least significant
- * labels.
- *
- * If 'suffix' is not NULL it will contain the most significant
- * labels. dns_name_countlabels(suffix) will be equal to
- * suffixlabels.
- *
- * On failure:
- * Either 'prefix' or 'suffix' is invalidated (depending
- * on which one the problem was encountered with).
- *
- * Returns:
- * ISC_R_SUCCESS No worries. (This function should always success).
- */
-
-isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
-/*
- * Make 'target' a dynamically allocated copy of 'source'.
- *
- * Requires:
- *
- * 'source' is a valid non-empty name.
- *
- * 'target' is a valid name that is not read-only.
- *
- * 'mctx' is a valid memory context.
- */
-
-isc_result_t
-dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
- dns_name_t *target);
-/*
- * Make 'target' a read-only dynamically allocated copy of 'source'.
- * 'target' will also have a dynamically allocated offsets table.
- *
- * Requires:
- *
- * 'source' is a valid non-empty name.
- *
- * 'target' is a valid name that is not read-only.
- *
- * 'target' has no offsets table.
- *
- * 'mctx' is a valid memory context.
- */
-
-void
-dns_name_free(dns_name_t *name, isc_mem_t *mctx);
-/*
- * Free 'name'.
- *
- * Requires:
- *
- * 'name' is a valid name created previously in 'mctx' by dns_name_dup().
- *
- * 'mctx' is a valid memory context.
- *
- * Ensures:
- *
- * All dynamic resources used by 'name' are freed and the name is
- * invalidated.
- */
-
-isc_result_t
-dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg);
-/*
- * Send 'name' in DNSSEC canonical form to 'digest'.
- *
- * Requires:
- *
- * 'name' is a valid name.
- *
- * 'digest' is a valid dns_digestfunc_t.
- *
- * Ensures:
- *
- * If successful, the DNSSEC canonical form of 'name' will have been
- * sent to 'digest'.
- *
- * If digest() returns something other than ISC_R_SUCCESS, that result
- * will be returned as the result of dns_name_digest().
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Many other results are possible if not successful.
- *
- */
-
-isc_boolean_t
-dns_name_dynamic(dns_name_t *name);
-/*
- * Returns whether there is dynamic memory associated with this name.
- *
- * Requires:
- *
- * 'name' is a valid name.
- *
- * Returns:
- *
- * 'ISC_TRUE' if the name is dynamic othewise 'ISC_FALSE'.
- */
-
-isc_result_t
-dns_name_print(dns_name_t *name, FILE *stream);
-/*
- * Print 'name' on 'stream'.
- *
- * Requires:
- *
- * 'name' is a valid name.
- *
- * 'stream' is a valid stream.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any error that dns_name_totext() can return.
- */
-
-void
-dns_name_format(dns_name_t *name, char *cp, unsigned int size);
-/*
- * Format 'name' as text appropriate for use in log messages.
- *
- * Store the formatted name at 'cp', writing no more than
- * 'size' bytes. The resulting string is guaranteed to be
- * null terminated.
- *
- * The formatted name will have a terminating dot only if it is
- * the root.
- *
- * This function cannot fail, instead any errors are indicated
- * in the returned text.
- *
- * Requires:
- *
- * 'name' is a valid name.
- *
- * 'cp' points a valid character array of size 'size'.
- *
- * 'size' > 0.
- *
- */
-
-#define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
-/*
- * Suggested size of buffer passed to dns_name_format().
- * Includes space for the terminating NULL.
- */
-
-isc_result_t
-dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target);
-/*
- * Makes 'dest' refer to a copy of the name in 'source'. The data are
- * either copied to 'target' or the dedicated buffer in 'dest'.
- *
- * Requires:
- * 'source' is a valid name.
- *
- * 'dest' is an initialized name with a dedicated buffer.
- *
- * 'target' is NULL or an initialized buffer.
- *
- * Either dest has a dedicated buffer or target != NULL.
- *
- * Ensures:
- *
- * On success, the used space in target is updated.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- */
-
-isc_boolean_t
-dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
-/*
- * Return if 'name' is a valid hostname. RFC 952 / RFC 1123.
- * If 'wildcard' is ISC_TRUE then allow the first label of name to
- * be a wildcard.
- * The root is also accepted.
- *
- * Requires:
- * 'name' to be valid.
- */
-
-
-isc_boolean_t
-dns_name_ismailbox(const dns_name_t *name);
-/*
- * Return if 'name' is a valid mailbox. RFC 821.
- *
- * Requires:
- * 'name' to be valid.
- */
-
-ISC_LANG_ENDDECLS
-
-/***
- *** High Peformance Macros
- ***/
-
-/*
- * WARNING: Use of these macros by applications may require recompilation
- * of the application in some situations where calling the function
- * would not.
- *
- * WARNING: No assertion checking is done for these macros.
- */
-
-#define DNS_NAME_INIT(n, o) \
-do { \
- (n)->magic = DNS_NAME_MAGIC; \
- (n)->ndata = NULL; \
- (n)->length = 0; \
- (n)->labels = 0; \
- (n)->attributes = 0; \
- (n)->offsets = (o); \
- (n)->buffer = NULL; \
- ISC_LINK_INIT((n), link); \
- ISC_LIST_INIT((n)->list); \
-} while (0)
-
-#define DNS_NAME_RESET(n) \
-do { \
- (n)->ndata = NULL; \
- (n)->length = 0; \
- (n)->labels = 0; \
- (n)->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
- if ((n)->buffer != NULL) \
- isc_buffer_clear((n)->buffer); \
-} while (0)
-
-#define DNS_NAME_SETBUFFER(n, b) \
- (n)->buffer = (b)
-
-#define DNS_NAME_ISABSOLUTE(n) \
- (((n)->attributes & DNS_NAMEATTR_ABSOLUTE) != 0 ? ISC_TRUE : ISC_FALSE)
-
-#define DNS_NAME_COUNTLABELS(n) \
- ((n)->labels)
-
-#define DNS_NAME_TOREGION(n, r) \
-do { \
- (r)->base = (n)->ndata; \
- (r)->length = (n)->length; \
-} while (0)
-
-#define DNS_NAME_SPLIT(n, l, p, s) \
-do { \
- dns_name_t *_n = (n); \
- dns_name_t *_p = (p); \
- dns_name_t *_s = (s); \
- unsigned int _l = (l); \
- if (_p != NULL) \
- dns_name_getlabelsequence(_n, 0, _n->labels - _l, _p); \
- if (_s != NULL) \
- dns_name_getlabelsequence(_n, _n->labels - _l, _l, _s); \
-} while (0)
-
-#ifdef DNS_NAME_USEINLINE
-
-#define dns_name_init(n, o) DNS_NAME_INIT(n, o)
-#define dns_name_reset(n) DNS_NAME_RESET(n)
-#define dns_name_setbuffer(n, b) DNS_NAME_SETBUFFER(n, b)
-#define dns_name_countlabels(n) DNS_NAME_COUNTLABELS(n)
-#define dns_name_isabsolute(n) DNS_NAME_ISABSOLUTE(n)
-#define dns_name_toregion(n, r) DNS_NAME_TOREGION(n, r)
-#define dns_name_split(n, l, p, s) DNS_NAME_SPLIT(n, l, p, s)
-
-#endif /* DNS_NAME_USEINLINE */
-
-#endif /* DNS_NAME_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ncache.h b/contrib/bind9/lib/dns/include/dns/ncache.h
deleted file mode 100644
index 6bf600371899..000000000000
--- a/contrib/bind9/lib/dns/include/dns/ncache.h
+++ /dev/null
@@ -1,158 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ncache.h,v 1.12.12.5 2004/03/08 09:04:37 marka Exp $ */
-
-#ifndef DNS_NCACHE_H
-#define DNS_NCACHE_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Ncache
- *
- * XXX <TBS> XXX
- *
- * MP:
- * The caller must ensure any required synchronization.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * RFC 2308
- */
-
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * _OMITDNSSEC:
- * Omit DNSSEC records when rendering.
- */
-#define DNS_NCACHETOWIRE_OMITDNSSEC 0x0001
-
-isc_result_t
-dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
- dns_rdataset_t *addedrdataset);
-/*
- * Convert the authority data from 'message' into a negative cache
- * rdataset, and store it in 'cache' at 'node' with a TTL limited to
- * 'maxttl'.
- *
- * The 'covers' argument is the RR type whose nonexistence we are caching,
- * or dns_rdatatype_any when caching a NXDOMAIN response.
- *
- * Note:
- * If 'addedrdataset' is not NULL, then it will be attached to the added
- * rdataset. See dns_db_addrdataset() for more details.
- *
- * Requires:
- * 'message' is a valid message with a properly formatting negative cache
- * authority section.
- *
- * The requirements of dns_db_addrdataset() apply to 'cache', 'node',
- * 'now', and 'addedrdataset'.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- *
- * Any result code of dns_db_addrdataset() is a possible result code
- * of dns_ncache_add().
- */
-
-isc_result_t
-dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
- isc_buffer_t *target, unsigned int options,
- unsigned int *countp);
-/*
- * Convert the negative caching rdataset 'rdataset' to wire format,
- * compressing names as specified in 'cctx', and storing the result in
- * 'target'. If 'omit_dnssec' is set, DNSSEC records will not
- * be added to 'target'.
- *
- * Notes:
- * The number of RRs added to target will be added to *countp.
- *
- * Requires:
- * 'rdataset' is a valid negative caching rdataset.
- *
- * 'rdataset' is not empty.
- *
- * 'countp' is a valid pointer.
- *
- * Ensures:
- * On a return of ISC_R_SUCCESS, 'target' contains a wire format
- * for the data contained in 'rdataset'. Any error return leaves
- * the buffer unchanged.
- *
- * *countp has been incremented by the number of RRs added to
- * target.
- *
- * Returns:
- * ISC_R_SUCCESS - all ok
- * ISC_R_NOSPACE - 'target' doesn't have enough room
- *
- * Any error returned by dns_rdata_towire(), dns_rdataset_next(),
- * dns_name_towire().
- */
-
-isc_result_t
-dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
- dns_rdatatype_t type, dns_rdataset_t *rdataset);
-/*
- * Search the negative caching rdataset for an rdataset with the
- * specified name and type.
- *
- * Requires:
- * 'ncacherdataset' is a valid negative caching rdataset.
- *
- * 'ncacherdataset' is not empty.
- *
- * 'name' is a valid name.
- *
- * 'type' is not SIG, or a meta-RR type.
- *
- * 'rdataset' is a valid disassociated rdataset.
- *
- * Ensures:
- * On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
- * rdataset.
- *
- * Returns:
- * ISC_R_SUCCESS - the rdataset was found.
- * ISC_R_NOTFOUND - the rdataset was not found.
- *
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_NCACHE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/nsec.h b/contrib/bind9/lib/dns/include/dns/nsec.h
deleted file mode 100644
index 68a583369962..000000000000
--- a/contrib/bind9/lib/dns/include/dns/nsec.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec.h,v 1.4.2.1 2004/03/08 02:08:00 marka Exp $ */
-
-#ifndef DNS_NSEC_H
-#define DNS_NSEC_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-#include <dns/name.h>
-
-#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
- dns_dbnode_t *node, dns_name_t *target,
- unsigned char *buffer, dns_rdata_t *rdata);
-/*
- * Build the rdata of a NSEC record.
- *
- * Requires:
- * buffer Points to a temporary buffer of at least
- * DNS_NSEC_BUFFERSIZE bytes.
- * rdata Points to an initialized dns_rdata_t.
- *
- * Ensures:
- * *rdata Contains a valid NSEC rdata. The 'data' member refers
- * to 'buffer'.
- */
-
-isc_result_t
-dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
- dns_name_t *target, dns_ttl_t ttl);
-/*
- * Build a NSEC record and add it to a database.
- */
-
-isc_boolean_t
-dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
-/*
- * Determine if a type is marked as present in an NSEC record.
- *
- * Requires:
- * 'nsec' points to a valid rdataset of type NSEC
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_NSEC_H */
diff --git a/contrib/bind9/lib/dns/include/dns/opcode.h b/contrib/bind9/lib/dns/include/dns/opcode.h
deleted file mode 100644
index 4d656b8250ee..000000000000
--- a/contrib/bind9/lib/dns/include/dns/opcode.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: opcode.h,v 1.1.200.3 2004/03/08 09:04:37 marka Exp $ */
-
-#ifndef DNS_OPCODE_H
-#define DNS_OPCODE_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target);
-/*
- * Put a textual representation of error 'opcode' into 'target'.
- *
- * Requires:
- * 'opcode' is a valid opcode.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_OPCODE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/order.h b/contrib/bind9/lib/dns/include/dns/order.h
deleted file mode 100644
index e28e3ca6ed43..000000000000
--- a/contrib/bind9/lib/dns/include/dns/order.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: order.h,v 1.2.202.3 2004/03/08 09:04:37 marka Exp $ */
-
-#ifndef DNS_ORDER_H
-#define DNS_ORDER_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_order_create(isc_mem_t *mctx, dns_order_t **orderp);
-/*
- * Create a order object.
- *
- * Requires:
- * 'orderp' to be non NULL and '*orderp == NULL'.
- * 'mctx' to be valid.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_order_add(dns_order_t *order, dns_name_t *name,
- dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
- unsigned int mode);
-/*
- * Add a entry to the end of the order list.
- *
- * Requires:
- * 'order' to be valid.
- * 'name' to be valid.
- * 'mode' to be one of DNS_RDATASERATTR_RANDOMIZE,
- * DNS_RDATASERATTR_RANDOMIZE or zero (DNS_RDATASERATTR_CYCLIC).
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-unsigned int
-dns_order_find(dns_order_t *order, dns_name_t *name,
- dns_rdatatype_t rdtype, dns_rdataclass_t rdclass);
-/*
- * Find the first matching entry on the list.
- *
- * Requires:
- * 'order' to be valid.
- * 'name' to be valid.
- *
- * Returns the mode set by dns_order_add() or zero.
- */
-
-void
-dns_order_attach(dns_order_t *source, dns_order_t **target);
-/*
- * Attach to the 'source' object.
- *
- * Requires:
- * 'source' to be valid.
- * 'target' to be non NULL and '*target == NULL'.
- */
-
-void
-dns_order_detach(dns_order_t **orderp);
-/*
- * Detach from the object. Clean up if last this was the last
- * reference.
- *
- * Requires:
- * '*orderp' to be valid.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ORDER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/peer.h b/contrib/bind9/lib/dns/include/dns/peer.h
deleted file mode 100644
index 03f720af3548..000000000000
--- a/contrib/bind9/lib/dns/include/dns/peer.h
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: peer.h,v 1.16.2.1.10.3 2004/03/06 08:13:58 marka Exp $ */
-
-#ifndef DNS_PEER_H
-#define DNS_PEER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Data structures for peers (e.g. a 'server' config file statement)
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/netaddr.h>
-
-#include <dns/types.h>
-
-#define DNS_PEERLIST_MAGIC ISC_MAGIC('s','e','R','L')
-#define DNS_PEER_MAGIC ISC_MAGIC('S','E','r','v')
-
-#define DNS_PEERLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_PEERLIST_MAGIC)
-#define DNS_PEER_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_PEER_MAGIC)
-
-/***
- *** Types
- ***/
-
-struct dns_peerlist {
- unsigned int magic;
- isc_uint32_t refs;
-
- isc_mem_t *mem;
-
- ISC_LIST(dns_peer_t) elements;
-};
-
-struct dns_peer {
- unsigned int magic;
- isc_uint32_t refs;
-
- isc_mem_t *mem;
-
- isc_netaddr_t address;
- isc_boolean_t bogus;
- dns_transfer_format_t transfer_format;
- isc_uint32_t transfers;
- isc_boolean_t support_ixfr;
- isc_boolean_t provide_ixfr;
- isc_boolean_t request_ixfr;
- isc_boolean_t support_edns;
- dns_name_t *key;
- isc_sockaddr_t *transfer_source;
-
- isc_uint32_t bitflags;
-
- ISC_LINK(dns_peer_t) next;
-};
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list);
-
-void
-dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target);
-
-void
-dns_peerlist_detach(dns_peerlist_t **list);
-
-/*
- * After return caller still holds a reference to peer.
- */
-void
-dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer);
-
-/*
- * Ditto. */
-isc_result_t
-dns_peerlist_peerbyaddr(dns_peerlist_t *peers, isc_netaddr_t *addr,
- dns_peer_t **retval);
-
-/*
- * What he said.
- */
-isc_result_t
-dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
-
-isc_result_t
-dns_peer_new(isc_mem_t *mem, isc_netaddr_t *ipaddr, dns_peer_t **peer);
-
-void
-dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
-
-void
-dns_peer_detach(dns_peer_t **list);
-
-isc_result_t
-dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval);
-
-isc_result_t
-dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval);
-
-isc_result_t
-dns_peer_settransfers(dns_peer_t *peer, isc_uint32_t newval);
-
-isc_result_t
-dns_peer_gettransfers(dns_peer_t *peer, isc_uint32_t *retval);
-
-isc_result_t
-dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval);
-
-isc_result_t
-dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval);
-
-isc_result_t
-dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval);
-
-isc_result_t
-dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
-
-isc_result_t
-dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
-
-isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
-
-isc_result_t
-dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_PEER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/portlist.h b/contrib/bind9/lib/dns/include/dns/portlist.h
deleted file mode 100644
index ea672a918be3..000000000000
--- a/contrib/bind9/lib/dns/include/dns/portlist.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: portlist.h,v 1.2.84.2 2004/03/06 08:13:58 marka Exp $ */
-
-#include <isc/lang.h>
-#include <isc/net.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
-/*
- * Create a port list.
- *
- * Requires:
- * 'mctx' to be valid.
- * 'portlistp' to be non NULL and '*portlistp' to be NULL;
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port);
-/*
- * Add the given <port,af> tuple to the portlist.
- *
- * Requires:
- * 'portlist' to be valid.
- * 'af' to be AF_INET or AF_INET6
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-void
-dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port);
-/*
- * Remove the given <port,af> tuple to the portlist.
- *
- * Requires:
- * 'portlist' to be valid.
- * 'af' to be AF_INET or AF_INET6
- */
-
-isc_boolean_t
-dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port);
-/*
- * Find the given <port,af> tuple to the portlist.
- *
- * Requires:
- * 'portlist' to be valid.
- * 'af' to be AF_INET or AF_INET6
- *
- * Returns
- * ISC_TRUE if the tuple is found, ISC_FALSE otherwise.
- */
-
-void
-dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp);
-/*
- * Attach to a port list.
- *
- * Requires:
- * 'portlist' to be valid.
- * 'portlistp' to be non NULL and '*portlistp' to be NULL;
- */
-
-void
-dns_portlist_detach(dns_portlist_t **portlistp);
-/*
- * Detach from a port list.
- *
- * Requires:
- * '*portlistp' to be valid.
- */
-
-ISC_LANG_ENDDECLS
diff --git a/contrib/bind9/lib/dns/include/dns/rbt.h b/contrib/bind9/lib/dns/include/dns/rbt.h
deleted file mode 100644
index 6f99a7dfb069..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rbt.h
+++ /dev/null
@@ -1,838 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbt.h,v 1.55.12.6 2004/10/11 05:55:51 marka Exp $ */
-
-#ifndef DNS_RBT_H
-#define DNS_RBT_H 1
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_RBT_USEHASH 1
-
-/*
- * Option values for dns_rbt_findnode() and dns_rbt_findname().
- * These are used to form a bitmask.
- */
-#define DNS_RBTFIND_NOOPTIONS 0x00
-#define DNS_RBTFIND_EMPTYDATA 0x01
-#define DNS_RBTFIND_NOEXACT 0x02
-#define DNS_RBTFIND_NOPREDECESSOR 0x04
-
-/*
- * These should add up to 30.
- */
-#define DNS_RBT_LOCKLENGTH 10
-#define DNS_RBT_REFLENGTH 20
-
-#define DNS_RBTNODE_MAGIC ISC_MAGIC('R','B','N','O')
-#if DNS_RBT_USEMAGIC
-#define DNS_RBTNODE_VALID(n) ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
-#else
-#define DNS_RBTNODE_VALID(n) ISC_TRUE
-#endif
-
-/*
- * This is the structure that is used for each node in the red/black
- * tree of trees. NOTE WELL: the implementation manages this as a variable
- * length structure, with the actual wire-format name and other data
- * appended to this structure. Allocating a contiguous block of memory for
- * multiple dns_rbtnode structures will not work.
- */
-typedef struct dns_rbtnode {
-#if DNS_RBT_USEMAGIC
- unsigned int magic;
-#endif
- struct dns_rbtnode *parent;
- struct dns_rbtnode *left;
- struct dns_rbtnode *right;
- struct dns_rbtnode *down;
-#ifdef DNS_RBT_USEHASH
- struct dns_rbtnode *hashnext;
-#endif
- /*
- * The following bitfields add up to a total bitwidth of 32.
- * The range of values necessary for each item is indicated,
- * but in the case of "attributes" the field is wider to accomodate
- * possible future expansion. "offsetlen" could be one bit
- * narrower by always adjusting its value by 1 to find the real
- * offsetlen, but doing so does not gain anything (except perhaps
- * another bit for "attributes", which doesn't yet need any more).
- *
- * In each case below the "range" indicated is what's _necessary_ for
- * the bitfield to hold, not what it actually _can_ hold.
- */
- unsigned int is_root : 1; /* range is 0..1 */
- unsigned int color : 1; /* range is 0..1 */
- unsigned int find_callback : 1; /* range is 0..1 */
- unsigned int attributes : 4; /* range is 0..2 */
- unsigned int namelen : 8; /* range is 1..255 */
- unsigned int offsetlen : 8; /* range is 1..128 */
- unsigned int padbytes : 9; /* range is 0..380 */
-
-#ifdef DNS_RBT_USEHASH
- unsigned int hashval;
-#endif
-
- /*
- * These values are used in the RBT DB implementation. The appropriate
- * node lock must be held before accessing them.
- */
- void *data;
- unsigned int dirty:1;
- unsigned int wild:1;
- unsigned int locknum:DNS_RBT_LOCKLENGTH;
- unsigned int references:DNS_RBT_REFLENGTH;
-} dns_rbtnode_t;
-
-typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
- dns_name_t *name,
- void *callback_arg);
-
-/*****
- ***** Chain Info
- *****/
-
-/*
- * A chain is used to keep track of the sequence of nodes to reach any given
- * node from the root of the tree. Originally nodes did not have parent
- * pointers in them (for memory usage reasons) so there was no way to find
- * the path back to the root from any given node. Now that nodes have parent
- * pointers, chains might be going away in a future release, though the
- * movement functionality would remain.
- *
- * In any event, parent information, whether via parent pointers or chains, is
- * necessary information for iterating through the tree or for basic internal
- * tree maintenance issues (ie, the rotations that are done to rebalance the
- * tree when a node is added). The obvious implication of this is that for a
- * chain to remain valid, the tree has to be locked down against writes for the
- * duration of the useful life of the chain, because additions or removals can
- * change the path from the root to the node the chain has targetted.
- *
- * The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
- * dns_name_t parameters for the name and the origin, which can be NULL. If
- * non-NULL, 'name' will end up pointing to the name data and offsets that are
- * stored at the node (and thus it will be read-only), so it should be a
- * regular dns_name_t that has been initialized with dns_name_init. When
- * 'origin' is non-NULL, it will get the name of the origin stored in it, so it
- * needs to have its own buffer space and offsets, which is most easily
- * accomplished with a dns_fixedname_t. It is _not_ necessary to reinitialize
- * either 'name' or 'origin' between calls to the chain functions.
- *
- * NOTE WELL: even though the name data at the root of the tree of trees will
- * be absolute (typically just "."), it will will be made into a relative name
- * with an origin of "." -- an empty name when the node is ".". This is
- * because a common on operation on 'name' and 'origin' is to use
- * dns_name_concatenate() on them to generate the complete name. An empty name
- * can be detected when dns_name_countlabels == 0, and is printed by
- * dns_name_totext()/dns_name_format() as "@", consistent with RFC1035's
- * definition of "@" as the current origin.
- *
- * dns_rbtnodechain_current is similar to the _first, _last, _prev and _next
- * functions but additionally can provide the node to which the chain points.
- */
-
-/*
- * The number of level blocks to allocate at a time. Currently the maximum
- * number of levels is allocated directly in the structure, but future
- * revisions of this code might have a static initial block with dynamic
- * growth. Allocating space for 256 levels when the tree is almost never that
- * deep is wasteful, but it's not clear that it matters, since the waste is
- * only 2MB for 1000 concurrently active chains on a system with 64-bit
- * pointers.
- */
-#define DNS_RBT_LEVELBLOCK 254
-
-typedef struct dns_rbtnodechain {
- unsigned int magic;
- isc_mem_t * mctx;
- /*
- * The terminal node of the chain. It is not in levels[].
- * This is ostensibly private ... but in a pinch it could be
- * used tell that the chain points nowhere without needing to
- * call dns_rbtnodechain_current().
- */
- dns_rbtnode_t * end;
- /*
- * The maximum number of labels in a name is 128; bitstrings mean
- * a conceptually very large number (which I have not bothered to
- * compute) of logical levels because splitting can potentially occur
- * at each bit. However, DNSSEC restricts the number of "logical"
- * labels in a name to 255, meaning only 254 pointers are needed
- * in the worst case.
- */
- dns_rbtnode_t * levels[DNS_RBT_LEVELBLOCK];
- /*
- * level_count indicates how deep the chain points into the
- * tree of trees, and is the index into the levels[] array.
- * Thus, levels[level_count - 1] is the last level node stored.
- * A chain that points to the top level of the tree of trees has
- * a level_count of 0, the first level has a level_count of 1, and
- * so on.
- */
- unsigned int level_count;
- /*
- * level_matches tells how many levels matched above the node
- * returned by dns_rbt_findnode(). A match (partial or exact) found
- * in the first level thus results in level_matches being set to 1.
- * This is used by the rbtdb to set the start point for a recursive
- * search of superdomains until the RR it is looking for is found.
- */
- unsigned int level_matches;
-} dns_rbtnodechain_t;
-
-/*****
- ***** Public interfaces.
- *****/
-
-isc_result_t
-dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
- void *deleter_arg, dns_rbt_t **rbtp);
-/*
- * Initialize a red-black tree of trees.
- *
- * Notes:
- * The deleter argument, if non-null, points to a function that is
- * responsible for cleaning up any memory associated with the data
- * pointer of a node when the node is deleted. It is passed the
- * deleted node's data pointer as its first argument and deleter_arg
- * as its second argument.
- *
- * Requires:
- * mctx is a pointer to a valid memory context.
- * rbtp != NULL && *rbtp == NULL
- * arg == NULL iff deleter == NULL
- *
- * Ensures:
- * If result is ISC_R_SUCCESS:
- * *rbtp points to a valid red-black tree manager
- *
- * If result is failure:
- * *rbtp does not point to a valid red-black tree manager.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource limit: Out of Memory
- */
-
-isc_result_t
-dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
-/*
- * Add 'name' to the tree of trees, associated with 'data'.
- *
- * Notes:
- * 'data' is never required to be non-NULL, but specifying it
- * when the name is added is faster than searching for 'name'
- * again and then setting the data pointer. The lack of a data pointer
- * for a node also has other ramifications regarding whether
- * dns_rbt_findname considers a node to exist, or dns_rbt_deletename
- * joins nodes.
- *
- * Requires:
- * rbt is a valid rbt manager.
- * dns_name_isabsolute(name) == TRUE
- *
- * Ensures:
- * 'name' is not altered in any way.
- *
- * Any external references to nodes in the tree are unaffected by
- * node splits that are necessary to insert the new name.
- *
- * If result is ISC_R_SUCCESS:
- * 'name' is findable in the red/black tree of trees in O(log N).
- *
- * The data pointer of the node for 'name' is set to 'data'.
- *
- * If result is ISC_R_EXISTS or ISC_R_NOSPACE:
- * The tree of trees is unaltered.
- *
- * If result is ISC_R_NOMEMORY:
- * No guarantees.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_EXISTS The name already exists with associated data.
- * ISC_R_NOSPACE The name had more logical labels than are allowed.
- * ISC_R_NOMEMORY Resource Limit: Out of Memory
- */
-
-isc_result_t
-dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
-
-/*
- * Just like dns_rbt_addname, but returns the address of the node.
- *
- * Requires:
- * rbt is a valid rbt structure.
- * dns_name_isabsolute(name) == TRUE
- * nodep != NULL && *nodep == NULL
- *
- * Ensures:
- * 'name' is not altered in any way.
- *
- * Any external references to nodes in the tree are unaffected by
- * node splits that are necessary to insert the new name.
- *
- * If result is ISC_R_SUCCESS:
- * 'name' is findable in the red/black tree of trees in O(log N).
- *
- * *nodep is the node that was added for 'name'.
- *
- * If result is ISC_R_EXISTS:
- * The tree of trees is unaltered.
- *
- * *nodep is the existing node for 'name'.
- *
- * If result is ISC_R_NOMEMORY:
- * No guarantees.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_EXISTS The name already exists, possibly without data.
- * ISC_R_NOMEMORY Resource Limit: Out of Memory
- */
-
-isc_result_t
-dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
- dns_name_t *foundname, void **data);
-/*
- * Get the data pointer associated with 'name'.
- *
- * Notes:
- * When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
- * returned (also subject to DNS_RBTFIND_EMPTYDATA), even when there is
- * an exact match in the tree.
- *
- * A node that has no data is considered not to exist for this function,
- * unless the DNS_RBTFIND_EMPTYDATA option is set.
- *
- * Requires:
- * rbt is a valid rbt manager.
- * dns_name_isabsolute(name) == TRUE
- * data != NULL && *data == NULL
- *
- * Ensures:
- * 'name' and the tree are not altered in any way.
- *
- * If result is ISC_R_SUCCESS:
- * *data is the data associated with 'name'.
- *
- * If result is DNS_R_PARTIALMATCH:
- * *data is the data associated with the deepest superdomain
- * of 'name' which has data.
- *
- * If result is ISC_R_NOTFOUND:
- * Neither the name nor a superdomain was found with data.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * DNS_R_PARTIALMATCH Superdomain found with data
- * ISC_R_NOTFOUND No match
- * ISC_R_NOSPACE Concatenating nodes to form foundname failed
- */
-
-isc_result_t
-dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
- dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
- unsigned int options, dns_rbtfindcallback_t callback,
- void *callback_arg);
-/*
- * Find the node for 'name'.
- *
- * Notes:
- * A node that has no data is considered not to exist for this function,
- * unless the DNS_RBTFIND_EMPTYDATA option is set. This applies to both
- * exact matches and partial matches.
- *
- * If the chain parameter is non-NULL, then the path through the tree
- * to the DNSSEC predecessor of the searched for name is maintained,
- * unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
- * is used. (For more details on those options, see below.)
- *
- * If there is no predecessor, then the chain will point to nowhere, as
- * indicated by chain->end being NULL or dns_rbtnodechain_current
- * returning ISC_R_NOTFOUND. Note that in a normal Internet DNS RBT
- * there will always be a predecessor for all names except the root
- * name, because '.' will exist and '.' is the predecessor of
- * everything. But you can certainly construct a trivial tree and a
- * search for it that has no predecessor.
- *
- * Within the chain structure, the 'levels' member of the structure holds
- * the root node of each level except the first.
- *
- * The 'level_count' of the chain indicates how deep the chain to the
- * predecessor name is, as an index into the 'levels[]' array. It does
- * not count name elements, per se, but only levels of the tree of trees,
- * the distinction arrising because multiple labels from a name can be
- * stored on only one level. It is also does not include the level
- * that has the node, since that level is not stored in levels[].
- *
- * The chain's 'level_matches' is not directly related to the predecessor.
- * It is the number of levels above the level of the found 'node',
- * regardless of whether it was a partial match or exact match. When
- * the node is found in the top level tree, or no node is found at all,
- * level_matches is 0.
- *
- * When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
- * returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
- * there is an exact match in the tree. In this case, the chain
- * will not point to the DNSSEC predecessor, but will instead point
- * to the exact match, if there was any. Thus the preceding paragraphs
- * should have "exact match" substituted for "predecessor" to describe
- * how the various elements of the chain are set. This was done to
- * ensure that the chain's state was sane, and to prevent problems that
- * occurred when running the predecessor location code under conditions
- * it was not designed for. It is not clear *where* the chain should
- * point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
- * with this option because you want a particular node, let us know
- * where you want the chain pointed, so this can be made more firm.
- *
- * Requires:
- * rbt is a valid rbt manager.
- * dns_name_isabsolute(name) == TRUE.
- * node != NULL && *node == NULL.
- * DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutally
- * exclusive.
- *
- * Ensures:
- * 'name' and the tree are not altered in any way.
- *
- * If result is ISC_R_SUCCESS:
- * *node is the terminal node for 'name'.
- *
- * 'foundname' and 'name' represent the same name (though not
- * the same memory).
- *
- * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
- *
- * chain->level_matches and chain->level_count are equal.
- *
- * If result is DNS_R_PARTIALMATCH:
- * *node is the data associated with the deepest superdomain
- * of 'name' which has data.
- *
- * 'foundname' is the name of deepest superdomain (which has
- * data, unless the DNS_RBTFIND_EMPTYDATA option is set).
- *
- * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
- *
- * If result is ISC_R_NOTFOUND:
- * Neither the name nor a superdomain was found. *node is NULL.
- *
- * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
- *
- * chain->level_matches is 0.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * DNS_R_PARTIALMATCH Superdomain found with data
- * ISC_R_NOTFOUND No match, or superdomain with no data
- * ISC_R_NOSPACE Concatenating nodes to form foundname failed
- */
-
-isc_result_t
-dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
-/*
- * Delete 'name' from the tree of trees.
- *
- * Notes:
- * When 'name' is removed, if recurse is ISC_TRUE then all of its
- * subnames are removed too.
- *
- * Requires:
- * rbt is a valid rbt manager.
- * dns_name_isabsolute(name) == TRUE
- *
- * Ensures:
- * 'name' is not altered in any way.
- *
- * Does NOT ensure that any external references to nodes in the tree
- * are unaffected by node joins.
- *
- * If result is ISC_R_SUCCESS:
- * 'name' does not appear in the tree with data; however,
- * the node for the name might still exist which can be
- * found with dns_rbt_findnode (but not dns_rbt_findname).
- *
- * If result is ISC_R_NOTFOUND:
- * 'name' does not appear in the tree with data, because
- * it did not appear in the tree before the function was called.
- *
- * If result is something else:
- * See result codes for dns_rbt_findnode (if it fails, the
- * node is not deleted) or dns_rbt_deletenode (if it fails,
- * the node is deleted, but the tree is not optimized when
- * it could have been).
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOTFOUND No match
- * something_else Any return code from dns_rbt_findnode except
- * DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
- * to be returned instead), and any code from
- * dns_rbt_deletenode.
- */
-
-isc_result_t
-dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse);
-/*
- * Delete 'node' from the tree of trees.
- *
- * Notes:
- * When 'node' is removed, if recurse is ISC_TRUE then all nodes
- * in levels down from it are removed too.
- *
- * Requires:
- * rbt is a valid rbt manager.
- * node != NULL.
- *
- * Ensures:
- * Does NOT ensure that any external references to nodes in the tree
- * are unaffected by node joins.
- *
- * If result is ISC_R_SUCCESS:
- * 'node' does not appear in the tree with data; however,
- * the node might still exist if it serves as a pointer to
- * a lower tree level as long as 'recurse' was false, hence
- * the node could can be found with dns_rbt_findnode whem
- * that function's empty_data_ok parameter is true.
- *
- * If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
- * The node was deleted, but the tree structure was not
- * optimized.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
- * ISC_R_NOSPACE dns_name_concatenate failed when joining nodes.
- */
-
-void
-dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
-/*
- * Convert the sequence of labels stored at 'node' into a 'name'.
- *
- * Notes:
- * This function does not return the full name, from the root, but
- * just the labels at the indicated node.
- *
- * The name data pointed to by 'name' is the information stored
- * in the node, not a copy. Altering the data at this pointer
- * will likely cause grief.
- *
- * Requires:
- * name->offsets == NULL
- *
- * Ensures:
- * 'name' is DNS_NAMEATTR_READONLY.
- *
- * 'name' will point directly to the labels stored after the
- * dns_rbtnode_t struct.
- *
- * 'name' will have offsets that also point to the information stored
- * as part of the node.
- */
-
-isc_result_t
-dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
-/*
- * Like dns_rbt_namefromnode, but returns the full name from the root.
- *
- * Notes:
- * Unlike dns_rbt_namefromnode, the name will not point directly
- * to node data. Rather, dns_name_concatenate will be used to copy
- * the name data from each node into the 'name' argument.
- *
- * Requires:
- * name != NULL
- * name has a dedicated buffer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE (possible via dns_name_concatenate)
- * DNS_R_NAMETOOLONG (possible via dns_name_concatenate)
- */
-
-char *
-dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
- unsigned int size);
-/*
- * Format the full name of a node for printing, using dns_name_format().
- *
- * Notes:
- * 'size' is the length of the printname buffer. This should be
- * DNS_NAME_FORMATSIZE or larger.
- *
- * Requires:
- * node and printname are not NULL.
- *
- * Returns:
- * The 'printname' pointer.
- */
-
-unsigned int
-dns_rbt_nodecount(dns_rbt_t *rbt);
-/*
- * Obtain the number of nodes in the tree of trees.
- *
- * Requires:
- * rbt is a valid rbt manager.
- */
-
-void
-dns_rbt_destroy(dns_rbt_t **rbtp);
-isc_result_t
-dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
-/*
- * Stop working with a red-black tree of trees.
- * If 'quantum' is zero then the entire tree will be destroyed.
- * If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
- * allowing the rbt to be incrementally destroyed by repeated calls to
- * dns_rbt_destroy2(). Once dns_rbt_destroy2() has been called no other
- * operations than dns_rbt_destroy()/dns_rbt_destroy2() should be
- * performed on the tree of trees.
- *
- * Requires:
- * *rbt is a valid rbt manager.
- *
- * Ensures on ISC_R_SUCCESS:
- * All space allocated by the RBT library has been returned.
- *
- * *rbt is invalidated as an rbt manager.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_QUOTA if 'quantum' nodes have been destroyed.
- */
-
-void
-dns_rbt_printall(dns_rbt_t *rbt);
-/*
- * Print an ASCII representation of the internal structure of the red-black
- * tree of trees.
- *
- * Notes:
- * The name stored at each node, along with the node's color, is printed.
- * Then the down pointer, left and right pointers are displayed
- * recursively in turn. NULL down pointers are silently omitted;
- * NULL left and right pointers are printed.
- */
-
-/*****
- ***** Chain Functions
- *****/
-
-void
-dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
-/*
- * Initialize 'chain'.
- *
- * Requires:
- * 'chain' is a valid pointer.
- *
- * 'mctx' is a valid memory context.
- *
- * Ensures:
- * 'chain' is suitable for use.
- */
-
-void
-dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
-/*
- * Free any dynamic storage associated with 'chain', and then reinitialize
- * 'chain'.
- *
- * Requires:
- * 'chain' is a valid pointer.
- *
- * Ensures:
- * 'chain' is suitable for use, and uses no dynamic storage.
- */
-
-void
-dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
-/*
- * Free any dynamic storage associated with 'chain', and then invalidates it.
- *
- * Notes:
- * Future calls to any dns_rbtnodechain_ function will need to call
- * dns_rbtnodechain_init on the chain first (except, of course,
- * dns_rbtnodechain_init itself).
- *
- * Requires:
- * 'chain' is a valid chain.
- *
- * Ensures:
- * 'chain' is no longer suitable for use, and uses no dynamic storage.
- */
-
-isc_result_t
-dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
- dns_name_t *origin, dns_rbtnode_t **node);
-/*
- * Provide the name, origin and node to which the chain is currently pointed.
- *
- * Notes:
- * The tree need not have be locked against additions for the chain
- * to remain valid, however there are no guarantees if any deletion
- * has been made since the chain was established.
- *
- * Requires:
- * 'chain' is a valid chain.
- *
- * Ensures:
- * 'node', if non-NULL, is the node to which the chain was pointed
- * by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
- * If none were called for the chain since it was initialized or reset,
- * or if the was no predecessor to the name searched for with
- * dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
- *
- * 'name', if non-NULL, is the name stored at the terminal level of
- * the chain. This is typically a single label, like the "www" of
- * "www.isc.org", but need not be so. At the root of the tree of trees,
- * if the node is "." then 'name' is ".", otherwise it is relative to ".".
- * (Minimalist and atypical case: if the tree has just the name
- * "isc.org." then the root node's stored name is "isc.org." but 'name'
- * will be "isc.org".)
- *
- * 'origin', if non-NULL, is the sequence of labels in the levels
- * above the terminal level, such as "isc.org." in the above example.
- * 'origin' is always "." for the root node.
- *
- *
- * Returns:
- * ISC_R_SUCCESS name, origin & node were successfully set.
- * ISC_R_NOTFOUND The chain does not point to any node.
- * <something_else> Any error return from dns_name_concatenate.
- */
-
-isc_result_t
-dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
- dns_name_t *name, dns_name_t *origin);
-/*
- * Set the chain to the lexically first node in the tree of trees.
- *
- * Notes:
- * By the definition of ordering for DNS names, the root of the tree of
- * trees is the very first node, since everything else in the megatree
- * uses it as a common suffix.
- *
- * Requires:
- * 'chain' is a valid chain.
- * 'rbt' is a valid rbt manager.
- *
- * Ensures:
- * The chain points to the very first node of the tree.
- *
- * 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current. Thus 'origin' will always be ".".
- *
- * Returns:
- * DNS_R_NEWORIGIN The name & origin were successfully set.
- * <something_else> Any error result from dns_rbtnodechain_current.
- */
-
-isc_result_t
-dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
- dns_name_t *name, dns_name_t *origin);
-/*
- * Set the chain to the lexically last node in the tree of trees.
- *
- * Requires:
- * 'chain' is a valid chain.
- * 'rbt' is a valid rbt manager.
- *
- * Ensures:
- * The chain points to the very last node of the tree.
- *
- * 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current.
- *
- * Returns:
- * DNS_R_NEWORIGIN The name & origin were successfully set.
- * ISC_R_NOMEMORY Resource Limit: Out of Memory building chain.
- * <something_else> Any error result from dns_name_concatenate.
- */
-
-isc_result_t
-dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
- dns_name_t *origin);
-/*
- * Adjusts chain to point the DNSSEC predecessor of the name to which it
- * is currently pointed.
- *
- * Requires:
- * 'chain' is a valid chain.
- * 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- * dns_rbt_findnode is not guaranteed to point the chain somewhere,
- * since there may have been no predecessor to the searched for name.
- *
- * Ensures:
- * The chain is pointed to the predecessor of its current target.
- *
- * 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current.
- *
- * 'origin' is only if a new origin was found.
- *
- * Returns:
- * ISC_R_SUCCESS The predecessor was found and 'name' was set.
- * DNS_R_NEWORIGIN The predecessor was found with a different
- * origin and 'name' and 'origin' were set.
- * ISC_R_NOMORE There was no predecessor.
- * <something_else> Any error result from dns_rbtnodechain_current.
- */
-
-isc_result_t
-dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
- dns_name_t *origin);
-/*
- * Adjusts chain to point the DNSSEC successor of the name to which it
- * is currently pointed.
- *
- * Requires:
- * 'chain' is a valid chain.
- * 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- * dns_rbt_findnode is not guaranteed to point the chain somewhere,
- * since there may have been no predecessor to the searched for name.
- *
- * Ensures:
- * The chain is pointed to the successor of its current target.
- *
- * 'name' and 'origin', if non-NULL, are set as described for
- * dns_rbtnodechain_current.
- *
- * 'origin' is only if a new origin was found.
- *
- * Returns:
- * ISC_R_SUCCESS The successor was found and 'name' was set.
- * DNS_R_NEWORIGIN The successor was found with a different
- * origin and 'name' and 'origin' were set.
- * ISC_R_NOMORE There was no successor.
- * <something_else> Any error result from dns_name_concatenate.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RBT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rcode.h b/contrib/bind9/lib/dns/include/dns/rcode.h
deleted file mode 100644
index b2494f733f4e..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rcode.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rcode.h,v 1.12.206.1 2004/03/06 08:13:59 marka Exp $ */
-
-#ifndef DNS_RCODE_H
-#define DNS_RCODE_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a DNS error value.
- *
- * Requires:
- * 'rcodep' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * DNS_R_UNKNOWN type is unknown
- */
-
-isc_result_t dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
-/*
- * Put a textual representation of error 'rcode' into 'target'.
- *
- * Requires:
- * 'rcode' is a valid rcode.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-isc_result_t dns_tsigrcode_fromtext(dns_rcode_t *rcodep,
- isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a TSIG/TKEY error value.
- *
- * Requires:
- * 'rcodep' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * DNS_R_UNKNOWN type is unknown
- */
-
-isc_result_t dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
-/*
- * Put a textual representation of TSIG/TKEY error 'rcode' into 'target'.
- *
- * Requires:
- * 'rcode' is a valid TSIG/TKEY error code.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RCODE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdata.h b/contrib/bind9/lib/dns/include/dns/rdata.h
deleted file mode 100644
index b006b1780fb7..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rdata.h
+++ /dev/null
@@ -1,706 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdata.h,v 1.51.2.3.2.4 2004/03/08 02:08:01 marka Exp $ */
-
-#ifndef DNS_RDATA_H
-#define DNS_RDATA_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Rdata
- *
- * Provides facilities for manipulating DNS rdata, including conversions to
- * and from wire format and text format.
- *
- * Given the large amount of rdata possible in a nameserver, it was important
- * to come up with a very efficient way of storing rdata, but at the same
- * time allow it to be manipulated.
- *
- * The decision was to store rdata in uncompressed wire format,
- * and not to make it a fully abstracted object; i.e. certain parts of the
- * server know rdata is stored that way. This saves a lot of memory, and
- * makes adding rdata to messages easy. Having much of the server know
- * the representation would be perilous, and we certainly don't want each
- * user of rdata to be manipulating such a low-level structure. This is
- * where the rdata module comes in. The module allows rdata handles to be
- * created and attached to uncompressed wire format regions. All rdata
- * operations and conversions are done through these handles.
- *
- * Implementation Notes:
- *
- * The routines in this module are expected to be synthesized by the
- * build process from a set of source files, one per rdata type. For
- * portability, it's probably best that the building be done by a C
- * program. Adding a new rdata type will be a simple matter of adding
- * a file to a directory and rebuilding the server. *All* knowlege of
- * the format of a particular rdata type is in this file.
- *
- * MP:
- * Clients of this module must impose any required synchronization.
- *
- * Reliability:
- * This module deals with low-level byte streams. Errors in any of
- * the functions are likely to crash the server or corrupt memory.
- *
- * Rdata is typed, and the caller must know what type of rdata it has.
- * A caller that gets this wrong could crash the server.
- *
- * The fromstruct() and tostruct() routines use a void * pointer to
- * represent the structure. The caller must ensure that it passes a
- * pointer to the appropriate type, or the server could crash or memory
- * could be corrupted.
- *
- * Resources:
- * None.
- *
- * Security:
- *
- * *** WARNING ***
- *
- * dns_rdata_fromwire() deals with raw network data. An error in
- * this routine could result in the failure or hijacking of the server.
- *
- * Standards:
- * RFC 1035
- * Draft EDNS0 (0)
- * Draft EDNS1 (0)
- * Draft Binary Labels (2)
- * Draft Local Compression (1)
- * <Various RFCs for particular types; these will be documented in the
- * sources files of the types.>
- *
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-#include <dns/name.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** RData
- *****
- ***** An 'rdata' is a handle to a binary region. The handle has an RR
- ***** class and type, and the data in the binary region is in the format
- ***** of the given class and type.
- *****/
-
-/***
- *** Types
- ***/
-
-/*
- * Clients are strongly discouraged from using this type directly, with
- * the exception of the 'link' field which may be used directly for whatever
- * purpose the client desires.
- */
-struct dns_rdata {
- unsigned char * data;
- unsigned int length;
- dns_rdataclass_t rdclass;
- dns_rdatatype_t type;
- unsigned int flags;
- ISC_LINK(dns_rdata_t) link;
-};
-
-#define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
-
-#define DNS_RDATA_UPDATE 0x0001 /* update pseudo record */
-
-/*
- * Flags affecting rdata formatting style. Flags 0xFFFF0000
- * are used by masterfile-level formatting and defined elsewhere.
- * See additional comments at dns_rdata_tofmttext().
- */
-
-/* Split the rdata into multiple lines to try to keep it
- within the "width". */
-#define DNS_STYLEFLAG_MULTILINE 0x00000001U
-
-/* Output explanatory comments. */
-#define DNS_STYLEFLAG_COMMENT 0x00000002U
-
-#define DNS_RDATA_DOWNCASE DNS_NAME_DOWNCASE
-#define DNS_RDATA_CHECKNAMES DNS_NAME_CHECKNAMES
-#define DNS_RDATA_CHECKNAMESFAIL DNS_NAME_CHECKNAMESFAIL
-#define DNS_RDATA_CHECKREVERSE DNS_NAME_CHECKREVERSE
-
-/***
- *** Initialization
- ***/
-
-void
-dns_rdata_init(dns_rdata_t *rdata);
-/*
- * Make 'rdata' empty.
- *
- * Requires:
- * 'rdata' is a valid rdata (i.e. not NULL, points to a struct dns_rdata)
- */
-
-void
-dns_rdata_reset(dns_rdata_t *rdata);
-/*
- * Make 'rdata' empty.
- *
- * Requires:
- * 'rdata' is a previously initialized rdata and is not linked.
- */
-
-void
-dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target);
-/*
- * Clone 'target' from 'src'.
- *
- * Requires:
- * 'src' to be initialized.
- * 'target' to be initialized.
- */
-
-/***
- *** Comparisons
- ***/
-
-int
-dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
-/*
- * Determine the relative ordering under the DNSSEC order relation of
- * 'rdata1' and 'rdata2'.
- *
- * Requires:
- *
- * 'rdata1' is a valid, non-empty rdata
- *
- * 'rdata2' is a valid, non-empty rdata
- *
- * Returns:
- * < 0 'rdata1' is less than 'rdata2'
- * 0 'rdata1' is equal to 'rdata2'
- * > 0 'rdata1' is greater than 'rdata2'
- */
-
-/***
- *** Conversions
- ***/
-
-void
-dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_region_t *r);
-/*
- * Make 'rdata' refer to region 'r'.
- *
- * Requires:
- *
- * The data in 'r' is properly formatted for whatever type it is.
- */
-
-void
-dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r);
-/*
- * Make 'r' refer to 'rdata'.
- */
-
-isc_result_t
-dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_buffer_t *source,
- dns_decompress_t *dctx, unsigned int options,
- isc_buffer_t *target);
-/*
- * Copy the possibly-compressed rdata at source into the target region.
- *
- * Notes:
- * Name decompression policy is controlled by 'dctx'.
- *
- * 'options'
- * DNS_RDATA_DOWNCASE downcase domain names when they are copied
- * into target.
- *
- * Requires:
- *
- * 'rdclass' and 'type' are valid.
- *
- * 'source' is a valid buffer, and the active region of 'source'
- * references the rdata to be processed.
- *
- * 'target' is a valid buffer.
- *
- * 'dctx' is a valid decompression context.
- *
- * Ensures:
- *
- * If result is success:
- * If 'rdata' is not NULL, it is attached to the target.
- *
- * The conditions dns_name_fromwire() ensures for names hold
- * for all names in the rdata.
- *
- * The current location in source is advanced, and the used space
- * in target is updated.
- *
- * Result:
- * Success
- * <Any non-success status from dns_name_fromwire()>
- * <Various 'Bad Form' class failures depending on class and type>
- * Bad Form: Input too short
- * Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
- isc_buffer_t *target);
-/*
- * Convert 'rdata' into wire format, compressing it as specified by the
- * compression context 'cctx', and storing the result in 'target'.
- *
- * Notes:
- * If the compression context allows global compression, then the
- * global compression table may be updated.
- *
- * Requires:
- * 'rdata' is a valid, non-empty rdata
- *
- * target is a valid buffer
- *
- * Any offsets specified in a global compression table are valid
- * for target.
- *
- * Ensures:
- * If the result is success:
- * The used space in target is updated.
- *
- * Returns:
- * Success
- * <Any non-success status from dns_name_towire()>
- * Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_lex_t *lexer, dns_name_t *origin,
- unsigned int options, isc_mem_t *mctx,
- isc_buffer_t *target, dns_rdatacallbacks_t *callbacks);
-/*
- * Convert the textual representation of a DNS rdata into uncompressed wire
- * form stored in the target region. Tokens constituting the text of the rdata
- * are taken from 'lexer'.
- *
- * Notes:
- * Relative domain names in the rdata will have 'origin' appended to them.
- * A NULL origin implies "origin == dns_rootname".
- *
- *
- * 'options'
- * DNS_RDATA_DOWNCASE downcase domain names when they are copied
- * into target.
- * DNS_RDATA_CHECKNAMES perform checknames checks.
- * DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail. If
- * not set a warning will be issued.
- * DNS_RDATA_CHECKREVERSE this should set if the owner name ends
- * in IP6.ARPA, IP6.INT or IN-ADDR.ARPA.
- *
- * Requires:
- *
- * 'rdclass' and 'type' are valid.
- *
- * 'lexer' is a valid isc_lex_t.
- *
- * 'mctx' is a valid isc_mem_t.
- *
- * 'target' is a valid region.
- *
- * 'origin' if non NULL it must be absolute.
- *
- * 'callbacks' to be NULL or callbacks->warn and callbacks->error be
- * initialized.
- *
- * Ensures:
- * If result is success:
- * If 'rdata' is not NULL, it is attached to the target.
- *
- * The conditions dns_name_fromtext() ensures for names hold
- * for all names in the rdata.
- *
- * The used space in target is updated.
- *
- * Result:
- * Success
- * <Translated result codes from isc_lex_gettoken>
- * <Various 'Bad Form' class failures depending on class and type>
- * Bad Form: Input too short
- * Resource Limit: Not enough space
- * Resource Limit: Not enough memory
- */
-
-isc_result_t
-dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target);
-/*
- * Convert 'rdata' into text format, storing the result in 'target'.
- * The text will consist of a single line, with fields separated by
- * single spaces.
- *
- * Notes:
- * If 'origin' is not NULL, then any names in the rdata that are
- * subdomains of 'origin' will be made relative it.
- *
- * XXX Do we *really* want to support 'origin'? I'm inclined towards "no"
- * at the moment.
- *
- * Requires:
- *
- * 'rdata' is a valid, non-empty rdata
- *
- * 'origin' is NULL, or is a valid name
- *
- * 'target' is a valid text buffer
- *
- * Ensures:
- * If the result is success:
- *
- * The used space in target is updated.
- *
- * Returns:
- * Success
- * <Any non-success status from dns_name_totext()>
- * Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
- unsigned int width, char *linebreak, isc_buffer_t *target);
-/*
- * Like dns_rdata_totext, but do formatted output suitable for
- * database dumps. This is intended for use by dns_db_dump();
- * library users are discouraged from calling it directly.
- *
- * If (flags & DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
- * within 'width' by breaking the text into multiple lines.
- * The string 'linebreak' is inserted between lines, and parentheses
- * are added when necessary. Because RRs contain unbreakable elements
- * such as domain names whose length is variable, unpredictable, and
- * potentially large, there is no guarantee that the lines will
- * not exceed 'width' anyway.
- *
- * If (flags & DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
- * printed as a single line, and no parentheses are used.
- * The 'width' and 'linebreak' arguments are ignored.
- *
- * If (flags & DNS_STYLEFLAG_COMMENT) != 0, output explanatory
- * comments next to things like the SOA timer fields. Some
- * comments (e.g., the SOA ones) are only printed when multiline
- * output is selected.
- */
-
-isc_result_t
-dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, void *source, isc_buffer_t *target);
-/*
- * Convert the C structure representation of an rdata into uncompressed wire
- * format in 'target'.
- *
- * XXX Should we have a 'size' parameter as a sanity check on target?
- *
- * Requires:
- *
- * 'rdclass' and 'type' are valid.
- *
- * 'source' points to a valid C struct for the class and type.
- *
- * 'target' is a valid buffer.
- *
- * All structure pointers to memory blocks should be NULL if their
- * corresponding length values are zero.
- *
- * Ensures:
- * If result is success:
- * If 'rdata' is not NULL, it is attached to the target.
- *
- * The used space in 'target' is updated.
- *
- * Result:
- * Success
- * <Various 'Bad Form' class failures depending on class and type>
- * Resource Limit: Not enough space
- */
-
-isc_result_t
-dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
-/*
- * Convert an rdata into its C structure representation.
- *
- * If 'mctx' is NULL then 'rdata' must persist while 'target' is being used.
- *
- * If 'mctx' is non NULL then memory will be allocated if required.
- *
- * Requires:
- *
- * 'rdata' is a valid, non-empty rdata.
- *
- * 'target' to point to a valid pointer for the type and class.
- *
- * Result:
- * Success
- * Resource Limit: Not enough memory
- */
-
-void
-dns_rdata_freestruct(void *source);
-/*
- * Free dynamic memory attached to 'source' (if any).
- *
- * Requires:
- *
- * 'source' to point to the structure previously filled in by
- * dns_rdata_tostruct().
- */
-
-isc_boolean_t
-dns_rdatatype_ismeta(dns_rdatatype_t type);
-/*
- * Return true iff the rdata type 'type' is a meta-type
- * like ANY or AXFR.
- */
-
-isc_boolean_t
-dns_rdatatype_issingleton(dns_rdatatype_t type);
-/*
- * Return true iff the rdata type 'type' is a singleton type,
- * like CNAME or SOA.
- *
- * Requires:
- * 'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
-/*
- * Return true iff the rdata class 'rdclass' is a meta-class
- * like ANY or NONE.
- */
-
-isc_boolean_t
-dns_rdatatype_isdnssec(dns_rdatatype_t type);
-/*
- * Return true iff 'type' is one of the DNSSEC
- * rdata types that may exist alongside a CNAME record.
- *
- * Requires:
- * 'type' is a valid rdata type.
- */
-
-isc_boolean_t
-dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
-/*
- * Return true iff rdata of type 'type' is considered authoritative
- * data (not glue) in the NSEC chain when it occurs in the parent zone
- * at a zone cut.
- *
- * Requires:
- * 'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdatatype_isknown(dns_rdatatype_t type);
-/*
- * Return true iff the rdata type 'type' is known.
- *
- * Requires:
- * 'type' is a valid rdata type.
- *
- */
-
-
-isc_result_t
-dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
- void *arg);
-/*
- * Call 'add' for each name and type from 'rdata' which is subject to
- * additional section processing.
- *
- * Requires:
- *
- * 'rdata' is a valid, non-empty rdata.
- *
- * 'add' is a valid dns_additionalfunc_t.
- *
- * Ensures:
- *
- * If successful, then add() will have been called for each name
- * and type subject to additional section processing.
- *
- * If add() returns something other than ISC_R_SUCCESS, that result
- * will be returned as the result of dns_rdata_additionaldata().
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Many other results are possible if not successful.
- */
-
-isc_result_t
-dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
-/*
- * Send 'rdata' in DNSSEC canonical form to 'digest'.
- *
- * Note:
- * 'digest' may be called more than once by dns_rdata_digest(). The
- * concatenation of all the regions, in the order they were given
- * to 'digest', will be the DNSSEC canonical form of 'rdata'.
- *
- * Requires:
- *
- * 'rdata' is a valid, non-empty rdata.
- *
- * 'digest' is a valid dns_digestfunc_t.
- *
- * Ensures:
- *
- * If successful, then all of the rdata's data has been sent, in
- * DNSSEC canonical form, to 'digest'.
- *
- * If digest() returns something other than ISC_R_SUCCESS, that result
- * will be returned as the result of dns_rdata_digest().
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Many other results are possible if not successful.
- */
-
-isc_boolean_t
-dns_rdatatype_questiononly(dns_rdatatype_t type);
-/*
- * Return true iff rdata of type 'type' can only appear in the question
- * section of a properly formatted message.
- *
- * Requires:
- * 'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdatatype_notquestion(dns_rdatatype_t type);
-/*
- * Return true iff rdata of type 'type' can not appear in the question
- * section of a properly formatted message.
- *
- * Requires:
- * 'type' is a valid rdata type.
- *
- */
-
-isc_boolean_t
-dns_rdatatype_atparent(dns_rdatatype_t type);
-/*
- * Return true iff rdata of type 'type' should appear at the parent of
- * a zone cut.
- *
- * Requires:
- * 'type' is a valid rdata type.
- *
- */
-
-unsigned int
-dns_rdatatype_attributes(dns_rdatatype_t rdtype);
-/*
- * Return attributes for the given type.
- *
- * Requires:
- * 'rdtype' are known.
- *
- * Returns:
- * a bitmask consisting of the following flags.
- */
-
-/* only one may exist for a name */
-#define DNS_RDATATYPEATTR_SINGLETON 0x00000001U
-/* requires no other data be present */
-#define DNS_RDATATYPEATTR_EXCLUSIVE 0x00000002U
-/* Is a meta type */
-#define DNS_RDATATYPEATTR_META 0x00000004U
-/* Is a DNSSEC type, like RRSIG or NSEC */
-#define DNS_RDATATYPEATTR_DNSSEC 0x00000008U
-/* Is a zone cut authority type */
-#define DNS_RDATATYPEATTR_ZONECUTAUTH 0x00000010U
-/* Is reserved (unusable) */
-#define DNS_RDATATYPEATTR_RESERVED 0x00000020U
-/* Is an unknown type */
-#define DNS_RDATATYPEATTR_UNKNOWN 0x00000040U
-/* Is META, and can only be in a question section */
-#define DNS_RDATATYPEATTR_QUESTIONONLY 0x00000080U
-/* is META, and can NOT be in a question section */
-#define DNS_RDATATYPEATTR_NOTQUESTION 0x00000100U
-/* Is present at zone cuts in the parent, not the child */
-#define DNS_RDATATYPEATTR_ATPARENT 0x00000200U
-
-dns_rdatatype_t
-dns_rdata_covers(dns_rdata_t *rdata);
-/*
- * Return the rdatatype that this type covers.
- *
- * Requires:
- * 'rdata' is a valid, non-empty rdata.
- *
- * 'rdata' is a type that covers other rdata types.
- *
- * Returns:
- * The type covered.
- */
-
-isc_boolean_t
-dns_rdata_checkowner(dns_name_t* name, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_boolean_t wildcard);
-/*
- * Returns whether this is a valid ownername for this <type,class>.
- * If wildcard is true allow the first label to be a wildcard if
- * appropriate.
- *
- * Requires:
- * 'name' is a valid name.
- */
-
-isc_boolean_t
-dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad);
-/*
- * Returns whether 'rdata' contains valid domain names. The checks are
- * sensitive to the owner name.
- *
- * If 'bad' is non-NULL and a domain name fails the check the
- * the offending name will be return in 'bad' by cloning from
- * the 'rdata' contents.
- *
- * Requires:
- * 'rdata' to be valid.
- * 'owner' to be valid.
- * 'bad' to be NULL or valid.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATA_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdataclass.h b/contrib/bind9/lib/dns/include/dns/rdataclass.h
deleted file mode 100644
index 359a2be6d214..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rdataclass.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataclass.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
-
-#ifndef DNS_RDATACLASS_H
-#define DNS_RDATACLASS_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a DNS class.
- *
- * Requires:
- * 'classp' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * DNS_R_UNKNOWN class is unknown
- */
-
-isc_result_t
-dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target);
-/*
- * Put a textual representation of class 'rdclass' into 'target'.
- *
- * Requires:
- * 'rdclass' is a valid class.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-void
-dns_rdataclass_format(dns_rdataclass_t rdclass,
- char *array, unsigned int size);
-/*
- * Format a human-readable representation of the class 'rdclass'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-#define DNS_RDATACLASS_FORMATSIZE sizeof("CLASS65535")
-/*
- * Minimum size of array to pass to dns_rdataclass_format().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATACLASS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdatalist.h b/contrib/bind9/lib/dns/include/dns/rdatalist.h
deleted file mode 100644
index a846c8987b7c..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rdatalist.h
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatalist.h,v 1.13.206.1 2004/03/06 08:13:59 marka Exp $ */
-
-#ifndef DNS_RDATALIST_H
-#define DNS_RDATALIST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Rdatalist
- *
- * A DNS rdatalist is a list of rdata of a common type and class.
- *
- * MP:
- * Clients of this module must impose any required synchronization.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/*
- * Clients may use this type directly.
- */
-struct dns_rdatalist {
- dns_rdataclass_t rdclass;
- dns_rdatatype_t type;
- dns_rdatatype_t covers;
- dns_ttl_t ttl;
- ISC_LIST(dns_rdata_t) rdata;
- ISC_LINK(dns_rdatalist_t) link;
-};
-
-ISC_LANG_BEGINDECLS
-
-void
-dns_rdatalist_init(dns_rdatalist_t *rdatalist);
-/*
- * Initialize rdatalist.
- *
- * Ensures:
- * All fields of rdatalist have been initialized to their default
- * values.
- */
-
-isc_result_t
-dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
- dns_rdataset_t *rdataset);
-/*
- * Make 'rdataset' refer to the rdata in 'rdatalist'.
- *
- * Note:
- * The caller must ensure that 'rdatalist' remains valid and unchanged
- * while 'rdataset' is associated with it.
- *
- * Requires:
- *
- * 'rdatalist' is a valid rdatalist.
- *
- * 'rdataset' is a valid rdataset that is not currently associated with
- * any rdata.
- *
- * Ensures:
- * On success,
- *
- * 'rdataset' is associated with the rdata in rdatalist.
- *
- * Returns:
- * ISC_R_SUCCESS
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATALIST_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdataset.h b/contrib/bind9/lib/dns/include/dns/rdataset.h
deleted file mode 100644
index d856784c3e88..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rdataset.h
+++ /dev/null
@@ -1,469 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataset.h,v 1.41.2.5.2.8 2005/03/17 03:58:31 marka Exp $ */
-
-#ifndef DNS_RDATASET_H
-#define DNS_RDATASET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Rdataset
- *
- * A DNS rdataset is a handle that can be associated with a collection of
- * rdata all having a common owner name, class, and type.
- *
- * The dns_rdataset_t type is like a "virtual class". To actually use
- * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is
- * required.
- *
- * XXX <more> XXX
- *
- * MP:
- * Clients of this module must impose any required synchronization.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef struct dns_rdatasetmethods {
- void (*disassociate)(dns_rdataset_t *rdataset);
- isc_result_t (*first)(dns_rdataset_t *rdataset);
- isc_result_t (*next)(dns_rdataset_t *rdataset);
- void (*current)(dns_rdataset_t *rdataset,
- dns_rdata_t *rdata);
- void (*clone)(dns_rdataset_t *source,
- dns_rdataset_t *target);
- unsigned int (*count)(dns_rdataset_t *rdataset);
- isc_result_t (*addnoqname)(dns_rdataset_t *rdataset,
- dns_name_t *name);
- isc_result_t (*getnoqname)(dns_rdataset_t *rdataset,
- dns_name_t *name,
- dns_rdataset_t *nsec,
- dns_rdataset_t *nsecsig);
-} dns_rdatasetmethods_t;
-
-#define DNS_RDATASET_MAGIC ISC_MAGIC('D','N','S','R')
-#define DNS_RDATASET_VALID(set) ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC)
-
-/*
- * Direct use of this structure by clients is strongly discouraged, except
- * for the 'link' field which may be used however the client wishes. The
- * 'private', 'current', and 'index' fields MUST NOT be changed by clients.
- * rdataset implementations may change any of the fields.
- */
-struct dns_rdataset {
- unsigned int magic; /* XXX ? */
- dns_rdatasetmethods_t * methods;
- ISC_LINK(dns_rdataset_t) link;
- /*
- * XXX do we need these, or should they be retrieved by methods?
- * Leaning towards the latter, since they are not frequently required
- * once you have the rdataset.
- */
- dns_rdataclass_t rdclass;
- dns_rdatatype_t type;
- dns_ttl_t ttl;
- dns_trust_t trust;
- dns_rdatatype_t covers;
- /*
- * attributes
- */
- unsigned int attributes;
- /*
- * the counter provides the starting point in the "cyclic" order.
- * The value ISC_UINT32_MAX has a special meaning of "picking up a
- * random value." in order to take care of databases that do not
- * increment the counter.
- */
- isc_uint32_t count;
- /*
- * These are for use by the rdataset implementation, and MUST NOT
- * be changed by clients.
- */
- void * private1;
- void * private2;
- void * private3;
- unsigned int privateuint4;
- void * private5;
- void * private6;
-};
-
-/*
- * _RENDERED:
- * Used by message.c to indicate that the rdataset was rendered.
- *
- * _TTLADJUSTED:
- * Used by message.c to indicate that the rdataset's rdata had differing
- * TTL values, and the rdataset->ttl holds the smallest.
- */
-#define DNS_RDATASETATTR_QUESTION 0x00000001
-#define DNS_RDATASETATTR_RENDERED 0x00000002 /* Used by message.c */
-#define DNS_RDATASETATTR_ANSWERED 0x00000004 /* Used by server. */
-#define DNS_RDATASETATTR_CACHE 0x00000008 /* Used by resolver. */
-#define DNS_RDATASETATTR_ANSWER 0x00000010 /* Used by resolver. */
-#define DNS_RDATASETATTR_ANSWERSIG 0x00000020 /* Used by resolver. */
-#define DNS_RDATASETATTR_EXTERNAL 0x00000040 /* Used by resolver. */
-#define DNS_RDATASETATTR_NCACHE 0x00000080 /* Used by resolver. */
-#define DNS_RDATASETATTR_CHAINING 0x00000100 /* Used by resolver. */
-#define DNS_RDATASETATTR_TTLADJUSTED 0x00000200 /* Used by message.c */
-#define DNS_RDATASETATTR_FIXEDORDER 0x00000400
-#define DNS_RDATASETATTR_RANDOMIZE 0x00000800
-#define DNS_RDATASETATTR_CHASE 0x00001000 /* Used by resolver. */
-#define DNS_RDATASETATTR_NXDOMAIN 0x00002000
-#define DNS_RDATASETATTR_NOQNAME 0x00004000
-#define DNS_RDATASETATTR_CHECKNAMES 0x00008000 /* Used by resolver. */
-#define DNS_RDATASETATTR_REQUIREDGLUE 0x00010000
-
-/*
- * _OMITDNSSEC:
- * Omit DNSSEC records when rendering ncache records.
- */
-#define DNS_RDATASETTOWIRE_OMITDNSSEC 0x0001
-
-void
-dns_rdataset_init(dns_rdataset_t *rdataset);
-/*
- * Make 'rdataset' a valid, disassociated rdataset.
- *
- * Requires:
- * 'rdataset' is not NULL.
- *
- * Ensures:
- * 'rdataset' is a valid, disassociated rdataset.
- */
-
-void
-dns_rdataset_invalidate(dns_rdataset_t *rdataset);
-/*
- * Invalidate 'rdataset'.
- *
- * Requires:
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * Ensures:
- * If assertion checking is enabled, future attempts to use 'rdataset'
- * without initializing it will cause an assertion failure.
- */
-
-void
-dns_rdataset_disassociate(dns_rdataset_t *rdataset);
-/*
- * Disassociate 'rdataset' from its rdata, allowing it to be reused.
- *
- * Notes:
- * The client must ensure it has no references to rdata in the rdataset
- * before disassociating.
- *
- * Requires:
- * 'rdataset' is a valid, associated rdataset.
- *
- * Ensures:
- * 'rdataset' is a valid, disassociated rdataset.
- */
-
-isc_boolean_t
-dns_rdataset_isassociated(dns_rdataset_t *rdataset);
-/*
- * Is 'rdataset' associated?
- *
- * Requires:
- * 'rdataset' is a valid rdataset.
- *
- * Returns:
- * ISC_TRUE 'rdataset' is associated.
- * ISC_FALSE 'rdataset' is not associated.
- */
-
-void
-dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
- dns_rdatatype_t type);
-/*
- * Make 'rdataset' a valid, associated, question rdataset, with a
- * question class of 'rdclass' and type 'type'.
- *
- * Notes:
- * Question rdatasets have a class and type, but no rdata.
- *
- * Requires:
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * Ensures:
- * 'rdataset' is a valid, associated, question rdataset.
- */
-
-void
-dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-/*
- * Make 'target' refer to the same rdataset as 'source'.
- *
- * Requires:
- * 'source' is a valid, associated rdataset.
- *
- * 'target' is a valid, dissociated rdataset.
- *
- * Ensures:
- * 'target' references the same rdataset as 'source'.
- */
-
-unsigned int
-dns_rdataset_count(dns_rdataset_t *rdataset);
-/*
- * Return the number of records in 'rdataset'.
- *
- * Requires:
- * 'rdataset' is a valid, associated rdataset.
- *
- * Returns:
- * The number of records in 'rdataset'.
- */
-
-isc_result_t
-dns_rdataset_first(dns_rdataset_t *rdataset);
-/*
- * Move the rdata cursor to the first rdata in the rdataset (if any).
- *
- * Requires:
- * 'rdataset' is a valid, associated rdataset.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no rdata in the set.
- */
-
-isc_result_t
-dns_rdataset_next(dns_rdataset_t *rdataset);
-/*
- * Move the rdata cursor to the next rdata in the rdataset (if any).
- *
- * Requires:
- * 'rdataset' is a valid, associated rdataset.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no more rdata in the set.
- */
-
-void
-dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-/*
- * Make 'rdata' refer to the current rdata.
- *
- * Notes:
- *
- * The data returned in 'rdata' is valid for the life of the
- * rdataset; in particular, subsequent changes in the cursor position
- * do not invalidate 'rdata'.
- *
- * Requires:
- * 'rdataset' is a valid, associated rdataset.
- *
- * The rdata cursor of 'rdataset' is at a valid location (i.e. the
- * result of last call to a cursor movement command was ISC_R_SUCCESS).
- *
- * Ensures:
- * 'rdata' refers to the rdata at the rdata cursor location of
- * 'rdataset'.
- */
-
-isc_result_t
-dns_rdataset_totext(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- isc_boolean_t omit_final_dot,
- isc_boolean_t question,
- isc_buffer_t *target);
-/*
- * Convert 'rdataset' to text format, storing the result in 'target'.
- *
- * Notes:
- * The rdata cursor position will be changed.
- *
- * The 'question' flag should normally be ISC_FALSE. If it is
- * ISC_TRUE, the TTL and rdata fields are not printed. This is
- * for use when printing an rdata representing a question section.
- *
- * This interface is deprecated; use dns_master_rdatasettottext()
- * and/or dns_master_questiontotext() instead.
- *
- * Requires:
- * 'rdataset' is a valid rdataset.
- *
- * 'rdataset' is not empty.
- */
-
-isc_result_t
-dns_rdataset_towire(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_compress_t *cctx,
- isc_buffer_t *target,
- unsigned int options,
- unsigned int *countp);
-/*
- * Convert 'rdataset' to wire format, compressing names as specified
- * in 'cctx', and storing the result in 'target'.
- *
- * Notes:
- * The rdata cursor position will be changed.
- *
- * The number of RRs added to target will be added to *countp.
- *
- * Requires:
- * 'rdataset' is a valid rdataset.
- *
- * 'rdataset' is not empty.
- *
- * 'countp' is a valid pointer.
- *
- * Ensures:
- * On a return of ISC_R_SUCCESS, 'target' contains a wire format
- * for the data contained in 'rdataset'. Any error return leaves
- * the buffer unchanged.
- *
- * *countp has been incremented by the number of RRs added to
- * target.
- *
- * Returns:
- * ISC_R_SUCCESS - all ok
- * ISC_R_NOSPACE - 'target' doesn't have enough room
- *
- * Any error returned by dns_rdata_towire(), dns_rdataset_next(),
- * dns_name_towire().
- */
-
-isc_result_t
-dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_compress_t *cctx,
- isc_buffer_t *target,
- dns_rdatasetorderfunc_t order,
- void *order_arg,
- unsigned int options,
- unsigned int *countp);
-/*
- * Like dns_rdataset_towire(), but sorting the rdatasets according to
- * the integer value returned by 'order' when called witih the rdataset
- * and 'order_arg' as arguments.
- *
- * Requires:
- * All the requirements of dns_rdataset_towire(), and
- * that order_arg is NULL if and only if order is NULL.
- */
-
-isc_result_t
-dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_compress_t *cctx,
- isc_buffer_t *target,
- dns_rdatasetorderfunc_t order,
- void *order_arg,
- unsigned int options,
- unsigned int *countp,
- void **state);
-/*
- * Like dns_rdataset_towiresorted() except that a partial rdataset
- * may be written.
- *
- * Requires:
- * All the requirements of dns_rdataset_towiresorted().
- * If 'state' is non NULL then the current position in the
- * rdataset will be remembered if the rdataset in not
- * completely written and should be passed on on subsequent
- * calls (NOT CURRENTLY IMPLEMENTED).
- *
- * Returns:
- * ISC_R_SUCCESS if all of the records were written.
- * ISC_R_NOSPACE if unable to fit in all of the records. *countp
- * will be updated to reflect the number of records
- * written.
- */
-
-
-isc_result_t
-dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg);
-/*
- * For each rdata in rdataset, call 'add' for each name and type in the
- * rdata which is subject to additional section processing.
- *
- * Requires:
- *
- * 'rdataset' is a valid, non-question rdataset.
- *
- * 'add' is a valid dns_additionaldatafunc_t
- *
- * Ensures:
- *
- * If successful, dns_rdata_additionaldata() will have been called for
- * each rdata in 'rdataset'.
- *
- * If a call to dns_rdata_additionaldata() is not successful, the
- * result returned will be the result of dns_rdataset_additionaldata().
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any error that dns_rdata_additionaldata() can return.
- */
-
-isc_result_t
-dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
- dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
-/*
- * Return the noqname proof for this record.
- *
- * Requires:
- * 'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
- * 'name' to be valid.
- * 'nsec' and 'nsecsig' to be valid and not associated.
- */
-
-isc_result_t
-dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
-/*
- * Associate a noqname proof with this record.
- * Sets DNS_RDATASETATTR_NOQNAME if successful.
- * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
- * the 'nsec' and 'rrsig(nsec)' ttl.
- *
- * Requires:
- * 'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
- * 'name' to be valid and have NSEC and RRSIG(NSEC) rdatasets.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASET_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdatasetiter.h b/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
deleted file mode 100644
index 198aebb3df75..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatasetiter.h,v 1.14.206.1 2004/03/06 08:13:59 marka Exp $ */
-
-#ifndef DNS_RDATASETITER_H
-#define DNS_RDATASETITER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Rdataset Iterator
- *
- * The DNS Rdataset Iterator interface allows iteration of all of the
- * rdatasets at a node.
- *
- * The dns_rdatasetiter_t type is like a "virtual class". To actually use
- * it, an implementation of the class is required. This implementation is
- * supplied by the database.
- *
- * It is the client's responsibility to call dns_rdataset_disassociate()
- * on all rdatasets returned.
- *
- * XXX <more> XXX
- *
- * MP:
- * The iterator itself is not locked. The caller must ensure
- * synchronization.
- *
- * The iterator methods ensure appropriate database locking.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types
- *****/
-
-typedef struct dns_rdatasetitermethods {
- void (*destroy)(dns_rdatasetiter_t **iteratorp);
- isc_result_t (*first)(dns_rdatasetiter_t *iterator);
- isc_result_t (*next)(dns_rdatasetiter_t *iterator);
- void (*current)(dns_rdatasetiter_t *iterator,
- dns_rdataset_t *rdataset);
-} dns_rdatasetitermethods_t;
-
-#define DNS_RDATASETITER_MAGIC ISC_MAGIC('D','N','S','i')
-#define DNS_RDATASETITER_VALID(i) ISC_MAGIC_VALID(i, DNS_RDATASETITER_MAGIC)
-
-/*
- * This structure is actually just the common prefix of a DNS db
- * implementation's version of a dns_rdatasetiter_t.
- *
- * Direct use of this structure by clients is forbidden. DB implementations
- * may change the structure. 'magic' must be DNS_RDATASETITER_MAGIC for
- * any of the dns_rdatasetiter routines to work. DB implementations must
- * maintain all DB rdataset iterator invariants.
- */
-struct dns_rdatasetiter {
- /* Unlocked. */
- unsigned int magic;
- dns_rdatasetitermethods_t * methods;
- dns_db_t * db;
- dns_dbnode_t * node;
- dns_dbversion_t * version;
- isc_stdtime_t now;
-};
-
-void
-dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-/*
- * Destroy '*iteratorp'.
- *
- * Requires:
- *
- * '*iteratorp' is a valid iterator.
- *
- * Ensures:
- *
- * All resources used by the iterator are freed.
- *
- * *iteratorp == NULL.
- */
-
-isc_result_t
-dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
-/*
- * Move the rdataset cursor to the first rdataset at the node (if any).
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no rdatasets at the node.
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-isc_result_t
-dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
-/*
- * Move the rdataset cursor to the next rdataset at the node (if any).
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE There are no more rdatasets at the
- * node.
- *
- * Other results are possible, depending on the DB implementation.
- */
-
-void
-dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
- dns_rdataset_t *rdataset);
-/*
- * Return the current rdataset.
- *
- * Requires:
- * 'iterator' is a valid iterator.
- *
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * The rdataset cursor of 'iterator' is at a valid location (i.e. the
- * result of last call to a cursor movement command was ISC_R_SUCCESS).
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASETITER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdataslab.h b/contrib/bind9/lib/dns/include/dns/rdataslab.h
deleted file mode 100644
index a0912db320e6..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rdataslab.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataslab.h,v 1.20.2.2.2.4 2004/03/08 09:04:39 marka Exp $ */
-
-#ifndef DNS_RDATASLAB_H
-#define DNS_RDATASLAB_H 1
-
-/*
- * DNS Rdata Slab
- *
- * Implements storage of rdatasets into slabs of memory.
- *
- * MP:
- * Clients of this module must impose any required synchronization.
- *
- * Reliability:
- * This module deals with low-level byte streams. Errors in any of
- * the functions are likely to crash the server or corrupt memory.
- *
- * If the caller passes invalid memory references, these functions are
- * likely to crash the server or corrupt memory.
- *
- * Resources:
- * None.
- *
- * Security:
- * None.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_RDATASLAB_FORCE 0x1
-#define DNS_RDATASLAB_EXACT 0x2
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
- isc_region_t *region, unsigned int reservelen);
-/*
- * Slabify a rdataset. The slab area will be allocated and returned
- * in 'region'.
- *
- * Requires:
- * 'rdataset' is valid.
- *
- * Ensures:
- * 'region' will have base pointing to the start of allocated memory,
- * with the slabified region beginning at region->base + reservelen.
- * region->length contains the total length allocated.
- *
- * Returns:
- * ISC_R_SUCCESS - successful completion
- * ISC_R_NOMEMORY - no memory.
- * <XXX others>
- */
-
-void
-dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
- dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
- dns_rdatatype_t covers, dns_ttl_t ttl,
- dns_rdataset_t *rdataset);
-/*
- * Construct an rdataset from a slab.
- *
- * Requires:
- * 'slab' points to a slab.
- * 'rdataset' is disassociated.
- *
- * Ensures:
- * 'rdataset' is associated and points to a valid rdataest.
- */
-
-unsigned int
-dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
-/*
- * Return the total size of an rdataslab.
- *
- * Requires:
- * 'slab' points to a slab.
- *
- * Returns:
- * The number of bytes in the slab, including the reservelen.
- */
-
-isc_result_t
-dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
- unsigned int reservelen, isc_mem_t *mctx,
- dns_rdataclass_t rdclass, dns_rdatatype_t type,
- unsigned int flags, unsigned char **tslabp);
-/*
- * Merge 'oslab' and 'nslab'.
- */
-
-isc_result_t
-dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
- unsigned int reservelen, isc_mem_t *mctx,
- dns_rdataclass_t rdclass, dns_rdatatype_t type,
- unsigned int flags, unsigned char **tslabp);
-/*
- * Subtract 'sslab' from 'mslab'. If 'exact' is true then all elements
- * of 'sslab' must exist in 'mslab'.
- *
- * XXX
- * valid flags are DNS_RDATASLAB_EXACT
- */
-
-isc_boolean_t
-dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
- unsigned int reservelen);
-
-/*
- * Compare two rdataslabs for equality. This does _not_ do a full
- * DNSSEC comparison.
- *
- * Requires:
- * 'slab1' and 'slab2' point to slabs.
- *
- * Returns:
- * ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
- */
-
-isc_boolean_t
-dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
- unsigned int reservelen, dns_rdataclass_t rdclass,
- dns_rdatatype_t type);
-/*
- * Compare two rdataslabs for DNSSEC equality.
- *
- * Requires:
- * 'slab1' and 'slab2' point to slabs.
- *
- * Returns:
- * ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASLAB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rdatatype.h b/contrib/bind9/lib/dns/include/dns/rdatatype.h
deleted file mode 100644
index 0fa865dc6212..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rdatatype.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatatype.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
-
-#ifndef DNS_RDATATYPE_H
-#define DNS_RDATATYPE_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a DNS rdata type.
- *
- * Requires:
- * 'typep' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * DNS_R_UNKNOWN type is unknown
- */
-
-isc_result_t
-dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target);
-/*
- * Put a textual representation of type 'type' into 'target'.
- *
- * Requires:
- * 'type' is a valid type.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-void
-dns_rdatatype_format(dns_rdatatype_t rdtype,
- char *array, unsigned int size);
-/*
- * Format a human-readable representation of the type 'rdtype'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-#define DNS_RDATATYPE_FORMATSIZE sizeof("TYPE65535")
-/*
- * Minimum size of array to pass to dns_rdatatype_format().
- * May need to be adjusted if a new RR type with a very long
- * name is defined.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATATYPE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/request.h b/contrib/bind9/lib/dns/include/dns/request.h
deleted file mode 100644
index b3e7bcd7c222..000000000000
--- a/contrib/bind9/lib/dns/include/dns/request.h
+++ /dev/null
@@ -1,371 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: request.h,v 1.17.12.5 2004/03/08 09:04:39 marka Exp $ */
-
-#ifndef DNS_REQUEST_H
-#define DNS_REQUEST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Request
- *
- * The request module provides simple request/response services useful for
- * sending SOA queries, DNS Notify messages, and dynamic update requests.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-
-#include <dns/types.h>
-
-#define DNS_REQUESTOPT_TCP 0x00000001U
-
-typedef struct dns_requestevent {
- ISC_EVENT_COMMON(struct dns_requestevent);
- isc_result_t result;
- dns_request_t *request;
-} dns_requestevent_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
- isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
- dns_dispatchmgr_t *dispatchmgr,
- dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
- dns_requestmgr_t **requestmgrp);
-/*
- * Create a request manager.
- *
- * Requires:
- *
- * 'mctx' is a valid memory context.
- *
- * 'timermgr' is a valid timer manager.
- *
- * 'socketmgr' is a valid socket manager.
- *
- * 'taskmgr' is a valid task manager.
- *
- * 'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
- *
- * 'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
- *
- * requestmgrp != NULL && *requestmgrp == NULL
- *
- * Ensures:
- *
- * On success, *requestmgrp is a valid request manager.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any other result indicates failure.
- */
-
-void
-dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
- isc_event_t **eventp);
-/*
- * Send '*eventp' to 'task' when 'requestmgr' has completed shutdown.
- *
- * Notes:
- *
- * It is not safe to detach the last reference to 'requestmgr' until
- * shutdown is complete.
- *
- * Requires:
- *
- * 'requestmgr' is a valid request manager.
- *
- * 'task' is a valid task.
- *
- * *eventp is a valid event.
- *
- * Ensures:
- *
- * *eventp == NULL.
- */
-
-void
-dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr);
-/*
- * Start the shutdown process for 'requestmgr'.
- *
- * Notes:
- *
- * This call has no effect if the request manager is already shutting
- * down.
- *
- * Requires:
- *
- * 'requestmgr' is a valid requestmgr.
- */
-
-void
-dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp);
-/*
- * Attach to the request manager. dns_requestmgr_shutdown() must not
- * have been called on 'source' prior to calling dns_requestmgr_attach().
- *
- * Requires:
- *
- * 'source' is a valid requestmgr.
- *
- * 'targetp' to be non NULL and '*targetp' to be NULL.
- */
-
-void
-dns_requestmgr_detach(dns_requestmgr_t **requestmgrp);
-/*
- *
- * Detach from the given requestmgr. If this is the final detach
- * requestmgr will be destroyed. dns_requestmgr_shutdown() must
- * be called before the final detach.
- *
- * Requires:
- *
- * '*requestmgrp' is a valid requestmgr.
- *
- * Ensures:
- * '*requestmgrp' is NULL.
- */
-
-isc_result_t
-dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *address, unsigned int options,
- dns_tsigkey_t *key,
- unsigned int timeout, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp);
-/*
- * Create and send a request.
- *
- * Notes:
- *
- * 'message' will be rendered and sent to 'address'. If the
- * DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
- * will timeout after 'timeout' seconds.
- *
- * When the request completes, successfully, due to a timeout, or
- * because it was canceled, a completion event will be sent to 'task'.
- *
- * Requires:
- *
- * 'message' is a valid DNS message.
- *
- * 'address' is a valid sockaddr.
- *
- * 'timeout' > 0
- *
- * 'task' is a valid task.
- *
- * requestp != NULL && *requestp == NULL
- */
-
-isc_result_t
-dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, dns_tsigkey_t *key,
- unsigned int timeout, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp);
-
-isc_result_t
-dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, dns_tsigkey_t *key,
- unsigned int timeout, unsigned int udptimeout,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_request_t **requestp);
-
-isc_result_t
-dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, dns_tsigkey_t *key,
- unsigned int timeout, unsigned int udptimeout,
- unsigned int udpretries, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp);
-/*
- * Create and send a request.
- *
- * Notes:
- *
- * 'message' will be rendered and sent to 'address'. If the
- * DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
- * will timeout after 'timeout' seconds. UDP requests will be resent
- * at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
- *
- * When the request completes, successfully, due to a timeout, or
- * because it was canceled, a completion event will be sent to 'task'.
- *
- * Requires:
- *
- * 'message' is a valid DNS message.
- *
- * 'dstaddr' is a valid sockaddr.
- *
- * 'srcaddr' is a valid sockaddr or NULL.
- *
- * 'srcaddr' and 'dstaddr' are the same protocol family.
- *
- * 'timeout' > 0
- *
- * 'task' is a valid task.
- *
- * requestp != NULL && *requestp == NULL
- */
-
-isc_result_t
-dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, unsigned int timeout,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_request_t **requestp);
-
-isc_result_t
-dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, unsigned int timeout,
- unsigned int udptimeout, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp);
-
-isc_result_t
-dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, unsigned int timeout,
- unsigned int udptimeout, unsigned int udpretries,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_request_t **requestp);
-/*
- * Create and send a request.
- *
- * Notes:
- *
- * 'msgbuf' will be sent to 'destaddr' after setting the id. If the
- * DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
- * will timeout after 'timeout' seconds. UDP requests will be resent
- * at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
- *
- * When the request completes, successfully, due to a timeout, or
- * because it was canceled, a completion event will be sent to 'task'.
- *
- * Requires:
- *
- * 'msgbuf' is a valid DNS message in compressed wire format.
- *
- * 'destaddr' is a valid sockaddr.
- *
- * 'srcaddr' is a valid sockaddr or NULL.
- *
- * 'srcaddr' and 'dstaddr' are the same protocol family.
- *
- * 'timeout' > 0
- *
- * 'task' is a valid task.
- *
- * requestp != NULL && *requestp == NULL
- */
-
-void
-dns_request_cancel(dns_request_t *request);
-/*
- * Cancel 'request'.
- *
- * Requires:
- *
- * 'request' is a valid request.
- *
- * Ensures:
- *
- * If the completion event for 'request' has not yet been sent, it
- * will be sent, and the result code will be ISC_R_CANCELED.
- */
-
-isc_result_t
-dns_request_getresponse(dns_request_t *request, dns_message_t *message,
- unsigned int options);
-/*
- * Get the response to 'request' by filling in 'message'.
- *
- * 'options' is passed to dns_message_parse(). See dns_message_parse()
- * for more details.
- *
- * Requires:
- *
- * 'request' is a valid request for which the caller has received the
- * completion event.
- *
- * The result code of the completion event was ISC_R_SUCCESS.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any result that dns_message_parse() can return.
- */
-
-isc_boolean_t
-dns_request_usedtcp(dns_request_t *request);
-/*
- * Return whether this query used TCP or not. Setting DNS_REQUESTOPT_TCP
- * in the call to dns_request_create() will cause the function to return
- * ISC_TRUE, othewise the result is based on the query message size.
- *
- * Requires:
- * 'request' is a valid request.
- *
- * Returns:
- * ISC_TRUE if TCP was used.
- * ISC_FALSE if UDP was used.
- */
-
-void
-dns_request_destroy(dns_request_t **requestp);
-/*
- * Destroy 'request'.
- *
- * Requires:
- *
- * 'request' is a valid request for which the caller has received the
- * completion event.
- *
- * Ensures:
- *
- * *requestp == NULL
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_REQUEST_H */
diff --git a/contrib/bind9/lib/dns/include/dns/resolver.h b/contrib/bind9/lib/dns/include/dns/resolver.h
deleted file mode 100644
index 0a6080d27a5e..000000000000
--- a/contrib/bind9/lib/dns/include/dns/resolver.h
+++ /dev/null
@@ -1,431 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resolver.h,v 1.34.12.7 2004/04/15 23:56:31 marka Exp $ */
-
-#ifndef DNS_RESOLVER_H
-#define DNS_RESOLVER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Resolver
- *
- * This is the BIND 9 resolver, the module responsible for resolving DNS
- * requests by iteratively querying authoritative servers and following
- * referrals. This is a "full resolver", not to be confused with
- * the stub resolvers most people associate with the word "resolver".
- * The full resolver is part of the caching name server or resolver
- * daemon the stub resolver talks to.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * RFCs: 1034, 1035, 2181, <TBS>
- * Drafts: <TBS>
- */
-
-#include <isc/lang.h>
-#include <isc/socket.h>
-
-#include <dns/types.h>
-#include <dns/fixedname.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * A dns_fetchevent_t is sent when a 'fetch' completes. Any of 'db',
- * 'node', 'rdataset', and 'sigrdataset' may be bound. It is the
- * receiver's responsibility to detach before freeing the event.
- *
- * 'rdataset' and 'sigrdataset' are the values that were supplied when
- * dns_resolver_createfetch() was called. They are returned to the
- * caller so that they may be freed.
- */
-typedef struct dns_fetchevent {
- ISC_EVENT_COMMON(struct dns_fetchevent);
- dns_fetch_t * fetch;
- isc_result_t result;
- dns_rdatatype_t qtype;
- dns_db_t * db;
- dns_dbnode_t * node;
- dns_rdataset_t * rdataset;
- dns_rdataset_t * sigrdataset;
- dns_fixedname_t foundname;
-} dns_fetchevent_t;
-
-/*
- * Options that modify how a 'fetch' is done.
- */
-#define DNS_FETCHOPT_TCP 0x01 /* Use TCP. */
-#define DNS_FETCHOPT_UNSHARED 0x02 /* See below. */
-#define DNS_FETCHOPT_RECURSIVE 0x04 /* Set RD? */
-#define DNS_FETCHOPT_NOEDNS0 0x08 /* Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY 0x10 /* Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE 0x20 /* Disable validation. */
-
-/*
- * XXXRTH Should this API be made semi-private? (I.e.
- * _dns_resolver_create()).
- */
-
-#define DNS_RESOLVER_CHECKNAMES 0x01
-#define DNS_RESOLVER_CHECKNAMESFAIL 0x02
-
-isc_result_t
-dns_resolver_create(dns_view_t *view,
- isc_taskmgr_t *taskmgr, unsigned int ntasks,
- isc_socketmgr_t *socketmgr,
- isc_timermgr_t *timermgr,
- unsigned int options,
- dns_dispatchmgr_t *dispatchmgr,
- dns_dispatch_t *dispatchv4,
- dns_dispatch_t *dispatchv6,
- dns_resolver_t **resp);
-
-/*
- * Create a resolver.
- *
- * Notes:
- *
- * Generally, applications should not create a resolver directly, but
- * should instead call dns_view_createresolver().
- *
- * No options are currently defined.
- *
- * Requires:
- *
- * 'view' is a valid view.
- *
- * 'taskmgr' is a valid task manager.
- *
- * 'ntasks' > 0.
- *
- * 'socketmgr' is a valid socket manager.
- *
- * 'timermgr' is a valid timer manager.
- *
- * 'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
- *
- * 'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
- *
- * *resp != NULL && *resp == NULL.
- *
- * Returns:
- *
- * ISC_R_SUCCESS On success.
- *
- * Anything else Failure.
- */
-
-void
-dns_resolver_freeze(dns_resolver_t *res);
-/*
- * Freeze resolver.
- *
- * Notes:
- *
- * Certain configuration changes cannot be made after the resolver
- * is frozen. Fetches cannot be created until the resolver is frozen.
- *
- * Requires:
- *
- * 'res' is a valid, unfrozen resolver.
- *
- * Ensures:
- *
- * 'res' is frozen.
- */
-
-void
-dns_resolver_prime(dns_resolver_t *res);
-/*
- * Prime resolver.
- *
- * Notes:
- *
- * Resolvers which have a forwarding policy other than dns_fwdpolicy_only
- * need to be primed with the root nameservers, otherwise the root
- * nameserver hints data may be used indefinitely. This function requests
- * that the resolver start a priming fetch, if it isn't already priming.
- *
- * Requires:
- *
- * 'res' is a valid, frozen resolver.
- */
-
-
-void
-dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
- isc_event_t **eventp);
-/*
- * Send '*eventp' to 'task' when 'res' has completed shutdown.
- *
- * Notes:
- *
- * It is not safe to detach the last reference to 'res' until
- * shutdown is complete.
- *
- * Requires:
- *
- * 'res' is a valid resolver.
- *
- * 'task' is a valid task.
- *
- * *eventp is a valid event.
- *
- * Ensures:
- *
- * *eventp == NULL.
- */
-
-void
-dns_resolver_shutdown(dns_resolver_t *res);
-/*
- * Start the shutdown process for 'res'.
- *
- * Notes:
- *
- * This call has no effect if the resolver is already shutting down.
- *
- * Requires:
- *
- * 'res' is a valid resolver.
- */
-
-void
-dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp);
-
-void
-dns_resolver_detach(dns_resolver_t **resp);
-
-isc_result_t
-dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
- dns_rdatatype_t type,
- dns_name_t *domain, dns_rdataset_t *nameservers,
- dns_forwarders_t *forwarders,
- unsigned int options, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset,
- dns_fetch_t **fetchp);
-/*
- * Recurse to answer a question.
- *
- * Notes:
- *
- * This call starts a query for 'name', type 'type'.
- *
- * The 'domain' is a parent domain of 'name' for which
- * a set of name servers 'nameservers' is known. If no
- * such name server information is available, set
- * 'domain' and 'nameservers' to NULL.
- *
- * 'forwarders' is unimplemented, and subject to change when
- * we figure out how selective forwarding will work.
- *
- * When the fetch completes (successfully or otherwise), a
- * DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
- * posted to 'task'.
- *
- * The values of 'rdataset' and 'sigrdataset' will be returned in
- * the FETCHDONE event.
- *
- * Requires:
- *
- * 'res' is a valid resolver that has been frozen.
- *
- * 'name' is a valid name.
- *
- * 'type' is not a meta type other than ANY.
- *
- * 'domain' is a valid name or NULL.
- *
- * 'nameservers' is a valid NS rdataset (whose owner name is 'domain')
- * iff. 'domain' is not NULL.
- *
- * 'forwarders' is NULL.
- *
- * 'options' contains valid options.
- *
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- * fetchp != NULL && *fetchp == NULL.
- *
- * Returns:
- *
- * ISC_R_SUCCESS Success
- *
- * Many other values are possible, all of which indicate failure.
- */
-
-void
-dns_resolver_cancelfetch(dns_fetch_t *fetch);
-/*
- * Cancel 'fetch'.
- *
- * Notes:
- *
- * If 'fetch' has not completed, post its FETCHDONE event with a
- * result code of ISC_R_CANCELED.
- *
- * Requires:
- *
- * 'fetch' is a valid fetch.
- */
-
-void
-dns_resolver_destroyfetch(dns_fetch_t **fetchp);
-/*
- * Destroy 'fetch'.
- *
- * Requires:
- *
- * '*fetchp' is a valid fetch.
- *
- * The caller has received the FETCHDONE event (either because the
- * fetch completed or because dns_resolver_cancelfetch() was called).
- *
- * Ensures:
- *
- * *fetchp == NULL.
- */
-
-dns_dispatchmgr_t *
-dns_resolver_dispatchmgr(dns_resolver_t *resolver);
-
-dns_dispatch_t *
-dns_resolver_dispatchv4(dns_resolver_t *resolver);
-
-dns_dispatch_t *
-dns_resolver_dispatchv6(dns_resolver_t *resolver);
-
-isc_socketmgr_t *
-dns_resolver_socketmgr(dns_resolver_t *resolver);
-
-isc_taskmgr_t *
-dns_resolver_taskmgr(dns_resolver_t *resolver);
-
-isc_uint32_t
-dns_resolver_getlamettl(dns_resolver_t *resolver);
-/*
- * Get the resolver's lame-ttl. zero => no lame processing.
- *
- * Requires:
- * 'resolver' to be valid.
- */
-
-void
-dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl);
-/*
- * Set the resolver's lame-ttl. zero => no lame processing.
- *
- * Requires:
- * 'resolver' to be valid.
- */
-
-unsigned int
-dns_resolver_nrunning(dns_resolver_t *resolver);
-/*
- * Return the number of currently running resolutions in this
- * resolver. This is may be less than the number of outstanding
- * fetches due to multiple identical fetches, or more than the
- * number of of outstanding fetches due to the fact that resolution
- * can continue even though a fetch has been canceled.
- */
-
-isc_result_t
-dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
- dns_name_t *name, in_port_t port);
-/*
- * Add alternate addresses to be tried in the event that the nameservers
- * for a zone are not available in the address families supported by the
- * operating system.
- *
- * Require:
- * only one of 'name' or 'alt' to be valid.
- */
-
-void
-dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize);
-/*
- * Set the EDNS UDP buffer size advertised by the server.
- */
-
-isc_uint16_t
-dns_resolver_getudpsize(dns_resolver_t *resolver);
-/*
- * Get the current EDNS UDP buffer size.
- */
-
-void
-dns_resolver_reset_algorithms(dns_resolver_t *resolver);
-/*
- * Clear the disabled DNSSEC algorithms.
- */
-
-isc_result_t
-dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
- unsigned int alg);
-/*
- * Mark the give DNSSEC algorithm as disabled and below 'name'.
- * Valid algorithms are less than 256.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_RANGE
- * ISC_R_NOMEMORY
- */
-
-isc_boolean_t
-dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
- unsigned int alg);
-/*
- * Check if the given algorithm is supported by this resolver.
- * This checks if the algorithm has been disabled via
- * dns_resolver_disable_algorithm() then the underlying
- * crypto libraries if not specifically disabled.
- */
-
-void
-dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
-
-isc_result_t
-dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
- isc_boolean_t value);
-
-isc_boolean_t
-dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RESOLVER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/result.h b/contrib/bind9/lib/dns/include/dns/result.h
deleted file mode 100644
index f1a71d98214b..000000000000
--- a/contrib/bind9/lib/dns/include/dns/result.h
+++ /dev/null
@@ -1,186 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.81.2.7.2.13 2004/05/14 05:06:41 marka Exp $ */
-
-#ifndef DNS_RESULT_H
-#define DNS_RESULT_H 1
-
-#include <isc/lang.h>
-#include <isc/resultclass.h>
-
-#include <dns/types.h>
-
-/*
- * Nothing in this file truly depends on <isc/result.h>, but the
- * DNS result codes are considered to be publicly derived from
- * the ISC result codes, so including this file buys you the ISC_R_
- * namespace too.
- */
-#include <isc/result.h> /* Contractual promise. */
-
-/*
- * DNS library result codes
- */
-#define DNS_R_LABELTOOLONG (ISC_RESULTCLASS_DNS + 0)
-#define DNS_R_BADESCAPE (ISC_RESULTCLASS_DNS + 1)
-/*
- * Since we dropped the support of bitstring labels, deprecate the related
- * result codes too.
-
-#define DNS_R_BADBITSTRING (ISC_RESULTCLASS_DNS + 2)
-#define DNS_R_BITSTRINGTOOLONG (ISC_RESULTCLASS_DNS + 3)
-*/
-#define DNS_R_EMPTYLABEL (ISC_RESULTCLASS_DNS + 4)
-#define DNS_R_BADDOTTEDQUAD (ISC_RESULTCLASS_DNS + 5)
-#define DNS_R_INVALIDNS (ISC_RESULTCLASS_DNS + 6)
-#define DNS_R_UNKNOWN (ISC_RESULTCLASS_DNS + 7)
-#define DNS_R_BADLABELTYPE (ISC_RESULTCLASS_DNS + 8)
-#define DNS_R_BADPOINTER (ISC_RESULTCLASS_DNS + 9)
-#define DNS_R_TOOMANYHOPS (ISC_RESULTCLASS_DNS + 10)
-#define DNS_R_DISALLOWED (ISC_RESULTCLASS_DNS + 11)
-#define DNS_R_EXTRATOKEN (ISC_RESULTCLASS_DNS + 12)
-#define DNS_R_EXTRADATA (ISC_RESULTCLASS_DNS + 13)
-#define DNS_R_TEXTTOOLONG (ISC_RESULTCLASS_DNS + 14)
-#define DNS_R_NOTZONETOP (ISC_RESULTCLASS_DNS + 15)
-#define DNS_R_SYNTAX (ISC_RESULTCLASS_DNS + 16)
-#define DNS_R_BADCKSUM (ISC_RESULTCLASS_DNS + 17)
-#define DNS_R_BADAAAA (ISC_RESULTCLASS_DNS + 18)
-#define DNS_R_NOOWNER (ISC_RESULTCLASS_DNS + 19)
-#define DNS_R_NOTTL (ISC_RESULTCLASS_DNS + 20)
-#define DNS_R_BADCLASS (ISC_RESULTCLASS_DNS + 21)
-#define DNS_R_NAMETOOLONG (ISC_RESULTCLASS_DNS + 22)
-#define DNS_R_PARTIALMATCH (ISC_RESULTCLASS_DNS + 23)
-#define DNS_R_NEWORIGIN (ISC_RESULTCLASS_DNS + 24)
-#define DNS_R_UNCHANGED (ISC_RESULTCLASS_DNS + 25)
-#define DNS_R_BADTTL (ISC_RESULTCLASS_DNS + 26)
-#define DNS_R_NOREDATA (ISC_RESULTCLASS_DNS + 27)
-#define DNS_R_CONTINUE (ISC_RESULTCLASS_DNS + 28)
-#define DNS_R_DELEGATION (ISC_RESULTCLASS_DNS + 29)
-#define DNS_R_GLUE (ISC_RESULTCLASS_DNS + 30)
-#define DNS_R_DNAME (ISC_RESULTCLASS_DNS + 31)
-#define DNS_R_CNAME (ISC_RESULTCLASS_DNS + 32)
-#define DNS_R_BADDB (ISC_RESULTCLASS_DNS + 33)
-#define DNS_R_ZONECUT (ISC_RESULTCLASS_DNS + 34)
-#define DNS_R_BADZONE (ISC_RESULTCLASS_DNS + 35)
-#define DNS_R_MOREDATA (ISC_RESULTCLASS_DNS + 36)
-#define DNS_R_UPTODATE (ISC_RESULTCLASS_DNS + 37)
-#define DNS_R_TSIGVERIFYFAILURE (ISC_RESULTCLASS_DNS + 38)
-#define DNS_R_TSIGERRORSET (ISC_RESULTCLASS_DNS + 39)
-#define DNS_R_SIGINVALID (ISC_RESULTCLASS_DNS + 40)
-#define DNS_R_SIGEXPIRED (ISC_RESULTCLASS_DNS + 41)
-#define DNS_R_SIGFUTURE (ISC_RESULTCLASS_DNS + 42)
-#define DNS_R_KEYUNAUTHORIZED (ISC_RESULTCLASS_DNS + 43)
-#define DNS_R_INVALIDTIME (ISC_RESULTCLASS_DNS + 44)
-#define DNS_R_EXPECTEDTSIG (ISC_RESULTCLASS_DNS + 45)
-#define DNS_R_UNEXPECTEDTSIG (ISC_RESULTCLASS_DNS + 46)
-#define DNS_R_INVALIDTKEY (ISC_RESULTCLASS_DNS + 47)
-#define DNS_R_HINT (ISC_RESULTCLASS_DNS + 48)
-#define DNS_R_DROP (ISC_RESULTCLASS_DNS + 49)
-#define DNS_R_NOTLOADED (ISC_RESULTCLASS_DNS + 50)
-#define DNS_R_NCACHENXDOMAIN (ISC_RESULTCLASS_DNS + 51)
-#define DNS_R_NCACHENXRRSET (ISC_RESULTCLASS_DNS + 52)
-#define DNS_R_WAIT (ISC_RESULTCLASS_DNS + 53)
-#define DNS_R_NOTVERIFIEDYET (ISC_RESULTCLASS_DNS + 54)
-#define DNS_R_NOIDENTITY (ISC_RESULTCLASS_DNS + 55)
-#define DNS_R_NOJOURNAL (ISC_RESULTCLASS_DNS + 56)
-#define DNS_R_ALIAS (ISC_RESULTCLASS_DNS + 57)
-#define DNS_R_USETCP (ISC_RESULTCLASS_DNS + 58)
-#define DNS_R_NOVALIDSIG (ISC_RESULTCLASS_DNS + 59)
-#define DNS_R_NOVALIDNSEC (ISC_RESULTCLASS_DNS + 60)
-#define DNS_R_NOTINSECURE (ISC_RESULTCLASS_DNS + 61)
-#define DNS_R_UNKNOWNSERVICE (ISC_RESULTCLASS_DNS + 62)
-#define DNS_R_RECOVERABLE (ISC_RESULTCLASS_DNS + 63)
-#define DNS_R_UNKNOWNOPT (ISC_RESULTCLASS_DNS + 64)
-#define DNS_R_UNEXPECTEDID (ISC_RESULTCLASS_DNS + 65)
-#define DNS_R_SEENINCLUDE (ISC_RESULTCLASS_DNS + 66)
-#define DNS_R_NOTEXACT (ISC_RESULTCLASS_DNS + 67)
-#define DNS_R_BLACKHOLED (ISC_RESULTCLASS_DNS + 68)
-#define DNS_R_BADALG (ISC_RESULTCLASS_DNS + 69)
-#define DNS_R_METATYPE (ISC_RESULTCLASS_DNS + 70)
-#define DNS_R_CNAMEANDOTHER (ISC_RESULTCLASS_DNS + 71)
-#define DNS_R_SINGLETON (ISC_RESULTCLASS_DNS + 72)
-#define DNS_R_HINTNXRRSET (ISC_RESULTCLASS_DNS + 73)
-#define DNS_R_NOMASTERFILE (ISC_RESULTCLASS_DNS + 74)
-#define DNS_R_UNKNOWNPROTO (ISC_RESULTCLASS_DNS + 75)
-#define DNS_R_CLOCKSKEW (ISC_RESULTCLASS_DNS + 76)
-#define DNS_R_BADIXFR (ISC_RESULTCLASS_DNS + 77)
-#define DNS_R_NOTAUTHORITATIVE (ISC_RESULTCLASS_DNS + 78)
-#define DNS_R_NOVALIDKEY (ISC_RESULTCLASS_DNS + 79)
-#define DNS_R_OBSOLETE (ISC_RESULTCLASS_DNS + 80)
-#define DNS_R_FROZEN (ISC_RESULTCLASS_DNS + 81)
-#define DNS_R_UNKNOWNFLAG (ISC_RESULTCLASS_DNS + 82)
-#define DNS_R_EXPECTEDRESPONSE (ISC_RESULTCLASS_DNS + 83)
-#define DNS_R_NOVALIDDS (ISC_RESULTCLASS_DNS + 84)
-#define DNS_R_NSISADDRESS (ISC_RESULTCLASS_DNS + 85)
-#define DNS_R_REMOTEFORMERR (ISC_RESULTCLASS_DNS + 86)
-#define DNS_R_TRUNCATEDTCP (ISC_RESULTCLASS_DNS + 87)
-#define DNS_R_LAME (ISC_RESULTCLASS_DNS + 88)
-#define DNS_R_UNEXPECTEDRCODE (ISC_RESULTCLASS_DNS + 89)
-#define DNS_R_UNEXPECTEDOPCODE (ISC_RESULTCLASS_DNS + 90)
-#define DNS_R_CHASEDSSERVERS (ISC_RESULTCLASS_DNS + 91)
-#define DNS_R_EMPTYNAME (ISC_RESULTCLASS_DNS + 92)
-#define DNS_R_EMPTYWILD (ISC_RESULTCLASS_DNS + 93)
-#define DNS_R_BADBITMAP (ISC_RESULTCLASS_DNS + 94)
-#define DNS_R_FROMWILDCARD (ISC_RESULTCLASS_DNS + 95)
-#define DNS_R_BADOWNERNAME (ISC_RESULTCLASS_DNS + 96)
-#define DNS_R_BADNAME (ISC_RESULTCLASS_DNS + 97)
-#define DNS_R_DYNAMIC (ISC_RESULTCLASS_DNS + 98)
-#define DNS_R_UNKNOWNCOMMAND (ISC_RESULTCLASS_DNS + 99)
-#define DNS_R_MUSTBESECURE (ISC_RESULTCLASS_DNS + 100)
-#define DNS_R_COVERINGNSEC (ISC_RESULTCLASS_DNS + 101)
-
-#define DNS_R_NRESULTS 102 /* Number of results */
-
-/*
- * DNS wire format rcodes.
- *
- * By making these their own class we can easily convert them into the
- * wire-format rcode value simply by masking off the resultclass.
- */
-#define DNS_R_NOERROR (ISC_RESULTCLASS_DNSRCODE + 0)
-#define DNS_R_FORMERR (ISC_RESULTCLASS_DNSRCODE + 1)
-#define DNS_R_SERVFAIL (ISC_RESULTCLASS_DNSRCODE + 2)
-#define DNS_R_NXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 3)
-#define DNS_R_NOTIMP (ISC_RESULTCLASS_DNSRCODE + 4)
-#define DNS_R_REFUSED (ISC_RESULTCLASS_DNSRCODE + 5)
-#define DNS_R_YXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 6)
-#define DNS_R_YXRRSET (ISC_RESULTCLASS_DNSRCODE + 7)
-#define DNS_R_NXRRSET (ISC_RESULTCLASS_DNSRCODE + 8)
-#define DNS_R_NOTAUTH (ISC_RESULTCLASS_DNSRCODE + 9)
-#define DNS_R_NOTZONE (ISC_RESULTCLASS_DNSRCODE + 10)
-#define DNS_R_BADVERS (ISC_RESULTCLASS_DNSRCODE + 16)
-
-#define DNS_R_NRCODERESULTS 17 /* Number of rcode results */
-
-#define DNS_RESULT_ISRCODE(result) \
- (ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
-
-ISC_LANG_BEGINDECLS
-
-const char *
-dns_result_totext(isc_result_t);
-
-void
-dns_result_register(void);
-
-dns_rcode_t
-dns_result_torcode(isc_result_t result);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RESULT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rootns.h b/contrib/bind9/lib/dns/include/dns/rootns.h
deleted file mode 100644
index 02da556cdbf5..000000000000
--- a/contrib/bind9/lib/dns/include/dns/rootns.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rootns.h,v 1.8.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_ROOTNS_H
-#define DNS_ROOTNS_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
- const char *filename, dns_db_t **target);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ROOTNS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/sdb.h b/contrib/bind9/lib/dns/include/dns/sdb.h
deleted file mode 100644
index 5fdeace147b9..000000000000
--- a/contrib/bind9/lib/dns/include/dns/sdb.h
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sdb.h,v 1.12.12.3 2004/03/08 09:04:39 marka Exp $ */
-
-#ifndef DNS_SDB_H
-#define DNS_SDB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Simple database API.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/*
- * A simple database. This is an opaque type.
- */
-typedef struct dns_sdb dns_sdb_t;
-
-/*
- * A simple database lookup in progress. This is an opaque type.
- */
-typedef struct dns_sdblookup dns_sdblookup_t;
-
-/*
- * A simple database traversal in progress. This is an opaque type.
- */
-typedef struct dns_sdballnodes dns_sdballnodes_t;
-
-typedef isc_result_t
-(*dns_sdblookupfunc_t)(const char *zone, const char *name, void *dbdata,
- dns_sdblookup_t *);
-
-typedef isc_result_t
-(*dns_sdbauthorityfunc_t)(const char *zone, void *dbdata, dns_sdblookup_t *);
-
-typedef isc_result_t
-(*dns_sdballnodesfunc_t)(const char *zone, void *dbdata,
- dns_sdballnodes_t *allnodes);
-
-typedef isc_result_t
-(*dns_sdbcreatefunc_t)(const char *zone, int argc, char **argv,
- void *driverdata, void **dbdata);
-
-typedef void
-(*dns_sdbdestroyfunc_t)(const char *zone, void *driverdata, void **dbdata);
-
-
-typedef struct dns_sdbmethods {
- dns_sdblookupfunc_t lookup;
- dns_sdbauthorityfunc_t authority;
- dns_sdballnodesfunc_t allnodes;
- dns_sdbcreatefunc_t create;
- dns_sdbdestroyfunc_t destroy;
-} dns_sdbmethods_t;
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_SDBFLAG_RELATIVEOWNER 0x00000001U
-#define DNS_SDBFLAG_RELATIVERDATA 0x00000002U
-#define DNS_SDBFLAG_THREADSAFE 0x00000004U
-
-isc_result_t
-dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
- void *driverdata, unsigned int flags, isc_mem_t *mctx,
- dns_sdbimplementation_t **sdbimp);
-/*
- * Register a simple database driver for the database type 'drivername',
- * implemented by the functions in '*methods'.
- *
- * sdbimp must point to a NULL dns_sdbimplementation_t pointer. That is,
- * sdbimp != NULL && *sdbimp == NULL. It will be assigned a value that
- * will later be used to identify the driver when deregistering it.
- *
- * The name server will perform lookups in the database by calling the
- * function 'lookup', passing it a printable zone name 'zone', a printable
- * domain name 'name', and a copy of the argument 'dbdata' that
- * was potentially returned by the create function. The 'dns_sdblookup_t'
- * argument to 'lookup' and 'authority' is an opaque pointer to be passed to
- * ns_sdb_putrr().
- *
- * The lookup function returns the lookup results to the name server
- * by calling ns_sdb_putrr() once for each record found. On success,
- * the return value of the lookup function should be ISC_R_SUCCESS.
- * If the domain name 'name' does not exist, the lookup function should
- * ISC_R_NOTFOUND. Any other return value is treated as an error.
- *
- * Lookups at the zone apex will cause the server to also call the
- * function 'authority' (if non-NULL), which must provide an SOA record
- * and NS records for the zone by calling ns_sdb_putrr() once for each of
- * these records. The 'authority' function may be NULL if invoking
- * the 'lookup' function on the zone apex will return SOA and NS records.
- *
- * The allnodes function, if non-NULL, fills in an opaque structure to be
- * used by a database iterator. This allows the zone to be transferred.
- * This may use a considerable amount of memory for large zones, and the
- * zone transfer may not be fully RFC 1035 compliant if the zone is
- * frequently changed.
- *
- * The create function will be called for each zone configured
- * into the name server using this database type. It can be used
- * to create a "database object" containg zone specific data,
- * which can make use of the database arguments specified in the
- * name server configuration.
- *
- * The destroy function will be called to free the database object
- * when its zone is destroyed.
- *
- * The create and destroy functions may be NULL.
- *
- * If flags includes DNS_SDBFLAG_RELATIVEOWNER, the lookup and authority
- * functions will be called with relative names rather than absolute names.
- * The string "@" represents the zone apex in this case.
- *
- * If flags includes DNS_SDBFLAG_RELATIVERDATA, the rdata strings may
- * include relative names. Otherwise, all names in the rdata string must
- * be absolute. Be aware that if relative names are allowed, any
- * absolute names must contain a trailing dot.
- *
- * If flags includes DNS_SDBFLAG_THREADSAFE, the driver must be able to
- * handle multiple lookups in parallel. Otherwise, calls into the driver
- * are serialized.
- */
-
-void
-dns_sdb_unregister(dns_sdbimplementation_t **sdbimp);
-/*
- * Removes the simple database driver from the list of registered database
- * types. There must be no active databases of this type when this function
- * is called.
- */
-
-isc_result_t
-dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
- const char *data);
-isc_result_t
-dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
- const unsigned char *rdata, unsigned int rdlen);
-/*
- * Add a single resource record to the lookup structure to be
- * returned in the query response. dns_sdb_putrr() takes the
- * resource record in master file text format as a null-terminated
- * string, and dns_sdb_putrdata() takes the raw RDATA in
- * uncompressed wire format.
- */
-
-isc_result_t
-dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
- const char *type, dns_ttl_t ttl, const char *data);
-isc_result_t
-dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
- dns_rdatatype_t type, dns_ttl_t ttl,
- const void *rdata, unsigned int rdlen);
-/*
- * Add a single resource record to the allnodes structure to be
- * included in a zone transfer response, in text or wire
- * format as above.
- */
-
-isc_result_t
-dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
- isc_uint32_t serial);
-/*
- * This function may optionally be called from the 'authority' callback
- * to simplify construction of the SOA record for 'zone'. It will
- * provide a SOA listing 'mname' as as the master server and 'rname' as
- * the responsible person mailbox. It is the responsibility of the
- * driver to increment the serial number between responses if necessary.
- * All other SOA fields will have reasonable default values.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SDB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/secalg.h b/contrib/bind9/lib/dns/include/dns/secalg.h
deleted file mode 100644
index 3f7a16f09b10..000000000000
--- a/contrib/bind9/lib/dns/include/dns/secalg.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: secalg.h,v 1.12.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_SECALG_H
-#define DNS_SECALG_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a DNSSEC security algorithm value.
- * The text may contain either a mnemonic algorithm name or a decimal algorithm
- * number.
- *
- * Requires:
- * 'secalgp' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_RANGE numeric type is out of range
- * DNS_R_UNKNOWN mnemonic type is unknown
- */
-
-isc_result_t
-dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
-/*
- * Put a textual representation of the DNSSEC security algorithm 'secalg'
- * into 'target'.
- *
- * Requires:
- * 'secalg' is a valid secalg.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SECALG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/secproto.h b/contrib/bind9/lib/dns/include/dns/secproto.h
deleted file mode 100644
index da8c1dd0098b..000000000000
--- a/contrib/bind9/lib/dns/include/dns/secproto.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: secproto.h,v 1.9.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_SECPROTO_H
-#define DNS_SECPROTO_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source);
-/*
- * Convert the text 'source' refers to into a DNSSEC security protocol value.
- * The text may contain either a mnemonic protocol name or a decimal protocol
- * number.
- *
- * Requires:
- * 'secprotop' is a valid pointer.
- *
- * 'source' is a valid text region.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_RANGE numeric type is out of range
- * DNS_R_UNKNOWN mnemonic type is unknown
- */
-
-isc_result_t
-dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
-/*
- * Put a textual representation of the DNSSEC security protocol 'secproto'
- * into 'target'.
- *
- * Requires:
- * 'secproto' is a valid secproto.
- *
- * 'target' is a valid text buffer.
- *
- * Ensures:
- * If the result is success:
- * The used space in 'target' is updated.
- *
- * Returns:
- * ISC_R_SUCCESS on success
- * ISC_R_NOSPACE target buffer is too small
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SECPROTO_H */
diff --git a/contrib/bind9/lib/dns/include/dns/soa.h b/contrib/bind9/lib/dns/include/dns/soa.h
deleted file mode 100644
index 304ae15e90c0..000000000000
--- a/contrib/bind9/lib/dns/include/dns/soa.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: soa.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_SOA_H
-#define DNS_SOA_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * SOA utilities.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_uint32_t
-dns_soa_getserial(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getrefresh(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getretry(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getexpire(dns_rdata_t *rdata);
-isc_uint32_t
-dns_soa_getminimum(dns_rdata_t *rdata);
-/*
- * Extract an integer field from the rdata of a SOA record.
- *
- * Requires:
- * rdata refers to the rdata of a well-formed SOA record.
- */
-
-void
-dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setrefresh(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setretry(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setexpire(isc_uint32_t val, dns_rdata_t *rdata);
-void
-dns_soa_setminimum(isc_uint32_t val, dns_rdata_t *rdata);
-/*
- * Change an integer field of a SOA record by modifying the
- * rdata in-place.
- *
- * Requires:
- * rdata refers to the rdata of a well-formed SOA record.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SOA_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ssu.h b/contrib/bind9/lib/dns/include/dns/ssu.h
deleted file mode 100644
index f26a039ac5a6..000000000000
--- a/contrib/bind9/lib/dns/include/dns/ssu.h
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ssu.h,v 1.11.206.3 2004/03/08 09:04:39 marka Exp $ */
-
-#ifndef DNS_SSU_H
-#define DNS_SSU_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define DNS_SSUMATCHTYPE_NAME 0
-#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
-#define DNS_SSUMATCHTYPE_WILDCARD 2
-#define DNS_SSUMATCHTYPE_SELF 3
-
-isc_result_t
-dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
-/*
- * Creates a table that will be used to store simple-secure-update rules.
- * Note: all locking must be provided by the client.
- *
- * Requires:
- * 'mctx' is a valid memory context
- * 'table' is not NULL, and '*table' is NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-void
-dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
-/*
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- * 'source' is a valid SSU table
- * 'targetp' points to a NULL dns_ssutable_t *.
- *
- * Ensures:
- * *targetp is attached to source.
- */
-
-void
-dns_ssutable_detach(dns_ssutable_t **tablep);
-/*
- * Detach '*tablep' from its simple-secure-update rule table.
- *
- * Requires:
- * 'tablep' points to a valid dns_ssutable_t
- *
- * Ensures:
- * *tablep is NULL
- * If '*tablep' is the last reference to the SSU table, all
- * resources used by the table will be freed.
- */
-
-isc_result_t
-dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
- dns_name_t *identity, unsigned int matchtype,
- dns_name_t *name, unsigned int ntypes,
- dns_rdatatype_t *types);
-/*
- * Adds a new rule to a simple-secure-update rule table. The rule
- * either grants or denies update privileges of an identity (or set of
- * identities) to modify a name (or set of names) or certain types present
- * at that name.
- *
- * Notes:
- * If 'matchtype' is SELF, this rule only matches if the name
- * to be updated matches the signing identity.
- *
- * If 'ntypes' is 0, this rule applies to all types except
- * NS, SOA, RRSIG, and NSEC.
- *
- * If 'types' includes ANY, this rule applies to all types
- * except NSEC.
- *
- * Requires:
- * 'table' is a valid SSU table
- * 'identity' is a valid absolute name
- * 'matchtype' must be one of the defined constants.
- * 'name' is a valid absolute name
- * If 'ntypes' > 0, 'types' must not be NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_boolean_t
-dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
- dns_name_t *name, dns_rdatatype_t type);
-/*
- * Checks that the attempted update of (name, type) is allowed according
- * to the rules specified in the simple-secure-update rule table. If
- * no rules are matched, access is denied. If signer is NULL, access
- * is denied.
- *
- * Requires:
- * 'table' is a valid SSU table
- * 'signer' is NULL or a valid absolute name
- * 'name' is a valid absolute name
- */
-
-
-isc_boolean_t dns_ssurule_isgrant(const dns_ssurule_t *rule);
-dns_name_t * dns_ssurule_identity(const dns_ssurule_t *rule);
-unsigned int dns_ssurule_matchtype(const dns_ssurule_t *rule);
-dns_name_t * dns_ssurule_name(const dns_ssurule_t *rule);
-unsigned int dns_ssurule_types(const dns_ssurule_t *rule,
- dns_rdatatype_t **types);
-/*
- * Accessor functions to extract rule components
- */
-
-isc_result_t dns_ssutable_firstrule(const dns_ssutable_t *table,
- dns_ssurule_t **rule);
-/*
- * Initiates a rule iterator. There is no need to maintain any state.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE
- */
-
-isc_result_t dns_ssutable_nextrule(dns_ssurule_t *rule,
- dns_ssurule_t **nextrule);
-/*
- * Returns the next rule in the table.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_SSU_H */
diff --git a/contrib/bind9/lib/dns/include/dns/stats.h b/contrib/bind9/lib/dns/include/dns/stats.h
deleted file mode 100644
index db94b529199a..000000000000
--- a/contrib/bind9/lib/dns/include/dns/stats.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stats.h,v 1.4.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_STATS_H
-#define DNS_STATS_H 1
-
-#include <dns/types.h>
-
-/*
- * Query statistics counter types.
- */
-typedef enum {
- dns_statscounter_success = 0, /* Successful lookup */
- dns_statscounter_referral = 1, /* Referral result */
- dns_statscounter_nxrrset = 2, /* NXRRSET result */
- dns_statscounter_nxdomain = 3, /* NXDOMAIN result */
- dns_statscounter_recursion = 4, /* Recursion was used */
- dns_statscounter_failure = 5 /* Some other failure */
-} dns_statscounter_t;
-
-#define DNS_STATS_NCOUNTERS 6
-
-LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
-
-isc_result_t
-dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
-/*
- * Allocate an array of query statistics counters from the memory
- * context 'mctx'.
- */
-
-void
-dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
-/*
- * Free an array of query statistics counters allocated from the memory
- * context 'mctx'.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_STATS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tcpmsg.h b/contrib/bind9/lib/dns/include/dns/tcpmsg.h
deleted file mode 100644
index ae1d7048471e..000000000000
--- a/contrib/bind9/lib/dns/include/dns/tcpmsg.h
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tcpmsg.h,v 1.15.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_TCPMSG_H
-#define DNS_TCPMSG_H 1
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-#include <isc/socket.h>
-
-typedef struct dns_tcpmsg {
- /* private (don't touch!) */
- unsigned int magic;
- isc_uint16_t size;
- isc_buffer_t buffer;
- unsigned int maxsize;
- isc_mem_t *mctx;
- isc_socket_t *sock;
- isc_task_t *task;
- isc_taskaction_t action;
- void *arg;
- isc_event_t event;
- /* public (read-only) */
- isc_result_t result;
- isc_sockaddr_t address;
-} dns_tcpmsg_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
-/*
- * Associate a tcp message state with a given memory context and
- * TCP socket.
- *
- * Requires:
- *
- * "mctx" and "sock" be non-NULL and valid types.
- *
- * "sock" be a read/write TCP socket.
- *
- * "tcpmsg" be non-NULL and an uninitialized or invalidated structure.
- *
- * Ensures:
- *
- * "tcpmsg" is a valid structure.
- */
-
-void
-dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize);
-/*
- * Set the maximum packet size to "maxsize"
- *
- * Requires:
- *
- * "tcpmsg" be valid.
- *
- * 512 <= "maxsize" <= 65536
- */
-
-isc_result_t
-dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
- isc_task_t *task, isc_taskaction_t action, void *arg);
-/*
- * Schedule an event to be delivered when a DNS message is readable, or
- * when an error occurs on the socket.
- *
- * Requires:
- *
- * "tcpmsg" be valid.
- *
- * "task", "taskaction", and "arg" be valid.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- no error
- * Anything that the isc_socket_recv() call can return. XXXMLG
- *
- * Notes:
- *
- * The event delivered is a fully generic event. It will contain no
- * actual data. The sender will be a pointer to the dns_tcpmsg_t.
- * The result code inside that structure should be checked to see
- * what the final result was.
- */
-
-void
-dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg);
-/*
- * Cancel a readmessage() call. The event will still be posted with a
- * CANCELED result code.
- *
- * Requires:
- *
- * "tcpmsg" be valid.
- */
-
-void
-dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer);
-/*
- * If a dns buffer is to be kept between calls, this function marks the
- * internal state-machine buffer as invalid, and copies all the contents
- * of the state into "buffer".
- *
- * Requires:
- *
- * "tcpmsg" be valid.
- *
- * "buffer" be non-NULL.
- */
-
-void
-dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
-/*
- * Clean up all allocated state, and invalidate the structure.
- *
- * Requires:
- *
- * "tcpmsg" be valid.
- *
- * Ensures:
- *
- * "tcpmsg" is invalidated and disassociated with all memory contexts,
- * sockets, etc.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TCPMSG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/time.h b/contrib/bind9/lib/dns/include/dns/time.h
deleted file mode 100644
index 0b82443a68a2..000000000000
--- a/contrib/bind9/lib/dns/include/dns/time.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: time.h,v 1.9.12.3 2004/03/08 09:04:39 marka Exp $ */
-
-#ifndef DNS_TIME_H
-#define DNS_TIME_H 1
-
-/***
- *** Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dns_time64_fromtext(const char *source, isc_int64_t *target);
-/*
- * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
- * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.
- * Store the count at 'target'.
- */
-
-isc_result_t
-dns_time32_fromtext(const char *source, isc_uint32_t *target);
-/*
- * Like dns_time64_fromtext, but returns the second count modulo 2^32
- * as per RFC2535.
- */
-
-
-isc_result_t
-dns_time64_totext(isc_int64_t value, isc_buffer_t *target);
-/*
- * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into
- * a YYYYMMDDHHMMSS text representation and append it to 'target'.
- */
-
-isc_result_t
-dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
-/*
- * Like dns_time64_totext, but for a 32-bit cyclic time value.
- * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
- * are congruent with 'value' modulo 2^32, the one closest to the
- * current date is chosen.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TIME_H */
diff --git a/contrib/bind9/lib/dns/include/dns/timer.h b/contrib/bind9/lib/dns/include/dns/timer.h
deleted file mode 100644
index 36e2ac3cc45c..000000000000
--- a/contrib/bind9/lib/dns/include/dns/timer.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_TIMER_H
-#define DNS_TIMER_H 1
-
-/***
- *** Imports
- ***/
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
- unsigned int idletime, isc_boolean_t purge);
-/*
- * Convenience function for setting up simple, one-second-granularity
- * idle timers as used by zone transfers.
- *
- * Set the timer 'timer' to go off after 'idletime' seconds of inactivity,
- * or after 'maxtime' at the very latest. Events are purged iff
- * 'purge' is ISC_TRUE.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TIMER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tkey.h b/contrib/bind9/lib/dns/include/dns/tkey.h
deleted file mode 100644
index e5ca3b3bf443..000000000000
--- a/contrib/bind9/lib/dns/include/dns/tkey.h
+++ /dev/null
@@ -1,196 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tkey.h,v 1.18.206.1 2004/03/06 08:14:00 marka Exp $ */
-
-#ifndef DNS_TKEY_H
-#define DNS_TKEY_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#include <dst/dst.h>
-
-ISC_LANG_BEGINDECLS
-
-/* Key agreement modes */
-#define DNS_TKEYMODE_SERVERASSIGNED 1
-#define DNS_TKEYMODE_DIFFIEHELLMAN 2
-#define DNS_TKEYMODE_GSSAPI 3
-#define DNS_TKEYMODE_RESOLVERASSIGNED 4
-#define DNS_TKEYMODE_DELETE 5
-
-struct dns_tkeyctx {
- dst_key_t *dhkey;
- dns_name_t *domain;
- void *gsscred;
- isc_mem_t *mctx;
- isc_entropy_t *ectx;
-};
-
-isc_result_t
-dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
-/*
- * Create an empty TKEY context.
- *
- * Requires:
- * 'mctx' is not NULL
- * 'tctx' is not NULL
- * '*tctx' is NULL
- *
- * Returns
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * return codes from dns_name_fromtext()
- */
-
-void
-dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp);
-/*
- * Frees all data associated with the TKEY context
- *
- * Requires:
- * 'tctx' is not NULL
- * '*tctx' is not NULL
- */
-
-isc_result_t
-dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
- dns_tsig_keyring_t *ring);
-/*
- * Processes a query containing a TKEY record, adding or deleting TSIG
- * keys if necessary, and modifies the message to contain the response.
- *
- * Requires:
- * 'msg' is a valid message
- * 'tctx' is a valid TKEY context
- * 'ring' is a valid TSIG keyring
- *
- * Returns
- * ISC_R_SUCCESS msg was updated (the TKEY operation succeeded,
- * or msg now includes a TKEY with an error set)
- * DNS_R_FORMERR the packet was malformed (missing a TKEY
- * or KEY).
- * other An error occurred while processing the message
- */
-
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
- dns_name_t *algorithm, isc_buffer_t *nonce,
- isc_uint32_t lifetime);
-/*
- * Builds a query containing a TKEY that will generate a shared
- * secret using a Diffie-Hellman key exchange. The shared key
- * will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
- * is supported), and will be named either 'name',
- * 'name' + server chosen domain, or random data + server chosen domain
- * if 'name' == dns_rootname. If nonce is not NULL, it supplies
- * random data used in the shared secret computation. The key is
- * requested to have the specified lifetime (in seconds)
- *
- *
- * Requires:
- * 'msg' is a valid message
- * 'key' is a valid Diffie Hellman dst key
- * 'name' is a valid name
- * 'algorithm' is a valid name
- *
- * Returns:
- * ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
- * other an error occurred while building the message
- */
-
-isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
- dns_name_t *gname, void *cred,
- isc_uint32_t lifetime, void **context);
-/*
- * XXX
- */
-
-isc_result_t
-dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
-/*
- * Builds a query containing a TKEY record that will delete the
- * specified shared secret from the server.
- *
- * Requires:
- * 'msg' is a valid message
- * 'key' is a valid TSIG key
- *
- * Returns:
- * ISC_R_SUCCESS msg was successfully updated to include the
- * query to be sent
- * other an error occurred while building the message
- */
-
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dst_key_t *key, isc_buffer_t *nonce,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*
- * Processes a response to a query containing a TKEY that was
- * designed to generate a shared secret using a Diffie-Hellman key
- * exchange. If the query was successful, a new shared key
- * is created and added to the list of shared keys.
- *
- * Requires:
- * 'qmsg' is a valid message (the query)
- * 'rmsg' is a valid message (the response)
- * 'key' is a valid Diffie Hellman dst key
- * 'outkey' is either NULL or a pointer to NULL
- * 'ring' is a valid keyring or NULL
- *
- * Returns:
- * ISC_R_SUCCESS the shared key was successfully added
- * ISC_R_NOTFOUND an error occurred while looking for a
- * component of the query or response
- */
-
-isc_result_t
-dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *gname, void *cred, void **context,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
-/*
- * XXX
- */
-
-isc_result_t
-dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_tsig_keyring_t *ring);
-/*
- * Processes a response to a query containing a TKEY that was
- * designed to delete a shared secret. If the query was successful,
- * the shared key is deleted from the list of shared keys.
- *
- * Requires:
- * 'qmsg' is a valid message (the query)
- * 'rmsg' is a valid message (the response)
- * 'ring' is not NULL
- *
- * Returns:
- * ISC_R_SUCCESS the shared key was successfully deleted
- * ISC_R_NOTFOUND an error occurred while looking for a
- * component of the query or response
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TKEY_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tsig.h b/contrib/bind9/lib/dns/include/dns/tsig.h
deleted file mode 100644
index 7b5b4585b643..000000000000
--- a/contrib/bind9/lib/dns/include/dns/tsig.h
+++ /dev/null
@@ -1,242 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsig.h,v 1.40.2.2.8.3 2004/03/08 09:04:39 marka Exp $ */
-
-#ifndef DNS_TSIG_H
-#define DNS_TSIG_H 1
-
-#include <isc/lang.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/stdtime.h>
-
-#include <dns/types.h>
-#include <dns/name.h>
-
-#include <dst/dst.h>
-
-/*
- * Algorithms.
- */
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name;
-#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
-#define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name
-LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
-#define DNS_TSIG_GSSAPIMS_NAME dns_tsig_gssapims_name
-
-/*
- * Default fudge value.
- */
-#define DNS_TSIG_FUDGE 300
-
-struct dns_tsig_keyring {
- dns_rbt_t *keys;
- isc_rwlock_t lock;
- isc_mem_t *mctx;
-};
-
-struct dns_tsigkey {
- /* Unlocked */
- unsigned int magic; /* Magic number. */
- isc_mem_t *mctx;
- dst_key_t *key; /* Key */
- dns_name_t name; /* Key name */
- dns_name_t *algorithm; /* Algorithm name */
- dns_name_t *creator; /* name that created secret */
- isc_boolean_t generated; /* was this generated? */
- isc_stdtime_t inception; /* start of validity period */
- isc_stdtime_t expire; /* end of validity period */
- dns_tsig_keyring_t *ring; /* the enclosing keyring */
- isc_refcount_t refs; /* reference counter */
-};
-
-#define dns_tsigkey_identity(tsigkey) \
- ((tsigkey)->generated ? ((tsigkey)->creator) : (&((tsigkey)->name)))
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
- unsigned char *secret, int length, isc_boolean_t generated,
- dns_name_t *creator, isc_stdtime_t inception,
- isc_stdtime_t expire, isc_mem_t *mctx,
- dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
-
-isc_result_t
-dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
- dst_key_t *dstkey, isc_boolean_t generated,
- dns_name_t *creator, isc_stdtime_t inception,
- isc_stdtime_t expire, isc_mem_t *mctx,
- dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
-/*
- * Creates a tsig key structure and saves it in the keyring. If key is
- * not NULL, *key will contain a copy of the key. The keys validity
- * period is specified by (inception, expire), and will not expire if
- * inception == expire. If the key was generated, the creating identity,
- * if there is one, should be in the creator parameter. Specifying an
- * unimplemented algorithm will cause failure only if dstkey != NULL; this
- * allows a transient key with an invalid algorithm to exist long enough
- * to generate a BADKEY response.
- *
- * Requires:
- * 'name' is a valid dns_name_t
- * 'algorithm' is a valid dns_name_t
- * 'secret' is a valid pointer
- * 'length' is an integer >= 0
- * 'key' is a valid dst key or NULL
- * 'creator' points to a valid dns_name_t or is NULL
- * 'mctx' is a valid memory context
- * 'ring' is a valid TSIG keyring or NULL
- * 'key' or '*key' must be NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_EXISTS - a key with this name already exists
- * ISC_R_NOTIMPLEMENTED - algorithm is not implemented
- * ISC_R_NOMEMORY
- */
-
-void
-dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp);
-/*
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- * 'key' is a valid TSIG key
- *
- * Ensures:
- * *targetp is attached to source.
- */
-
-void
-dns_tsigkey_detach(dns_tsigkey_t **keyp);
-/*
- * Detaches from the tsig key structure pointed to by '*key'.
- *
- * Requires:
- * 'keyp' is not NULL and '*keyp' is a valid TSIG key
- *
- * Ensures:
- * 'keyp' points to NULL
- */
-
-void
-dns_tsigkey_setdeleted(dns_tsigkey_t *key);
-/*
- * Prevents this key from being used again. It will be deleted when
- * no references exist.
- *
- * Requires:
- * 'key' is a valid TSIG key on a keyring
- */
-
-isc_result_t
-dns_tsig_sign(dns_message_t *msg);
-/*
- * Generates a TSIG record for this message
- *
- * Requires:
- * 'msg' is a valid message
- * 'msg->tsigkey' is a valid TSIG key
- * 'msg->tsig' is NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_NOSPACE
- * DNS_R_EXPECTEDTSIG
- * - this is a response & msg->querytsig is NULL
- */
-
-isc_result_t
-dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2);
-/*
- * Verifies the TSIG record in this message
- *
- * Requires:
- * 'source' is a valid buffer containing the unparsed message
- * 'msg' is a valid message
- * 'msg->tsigkey' is a valid TSIG key if this is a response
- * 'msg->tsig' is NULL
- * 'msg->querytsig' is not NULL if this is a response
- * 'ring1' and 'ring2' are each either a valid keyring or NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
- * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
- * DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
- * and this is a query
- * DNS_R_CLOCKSKEW - the TSIG failed to verify because of
- * the time was out of the allowed range.
- * DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
- * DNS_R_EXPECTEDRESPONSE - the message was set over TCP and
- * should have been a response,
- * but was not.
- */
-
-isc_result_t
-dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
- dns_name_t *algorithm, dns_tsig_keyring_t *ring);
-/*
- * Returns the TSIG key corresponding to this name and (possibly)
- * algorithm. Also increments the key's reference counter.
- *
- * Requires:
- * 'tsigkey' is not NULL
- * '*tsigkey' is NULL
- * 'name' is a valid dns_name_t
- * 'algorithm' is a valid dns_name_t or NULL
- * 'ring' is a valid keyring
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- */
-
-
-isc_result_t
-dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
-/*
- * Create an empty TSIG key ring.
- *
- * Requires:
- * 'mctx' is not NULL
- * 'ringp' is not NULL, and '*ringp' is NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-
-void
-dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
-/*
- * Destroy a TSIG key ring.
- *
- * Requires:
- * 'ringp' is not NULL
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TSIG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ttl.h b/contrib/bind9/lib/dns/include/dns/ttl.h
deleted file mode 100644
index dc7167d6ca1f..000000000000
--- a/contrib/bind9/lib/dns/include/dns/ttl.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ttl.h,v 1.12.206.1 2004/03/06 08:14:01 marka Exp $ */
-
-#ifndef DNS_TTL_H
-#define DNS_TTL_H 1
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
- isc_buffer_t *target);
-/*
- * Output a TTL or other time interval in a human-readable form.
- * The time interval is given as a count of seconds in 'src'.
- * The text representation is appended to 'target'.
- *
- * If 'verbose' is ISC_FALSE, use the terse BIND 8 style, like "1w2d3h4m5s".
- *
- * If 'verbose' is ISC_TRUE, use a verbose style like the SOA comments
- * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE
- */
-
-isc_result_t
-dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
-/*
- * Converts a counter from either a plain number or a BIND 8 style value.
- *
- * Returns:
- * ISC_R_SUCCESS
- * DNS_R_SYNTAX
- */
-
-isc_result_t
-dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
-/*
- * Converts a ttl from either a plain number or a BIND 8 style value.
- *
- * Returns:
- * ISC_R_SUCCESS
- * DNS_R_BADTTL
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_TTL_H */
diff --git a/contrib/bind9/lib/dns/include/dns/types.h b/contrib/bind9/lib/dns/include/dns/types.h
deleted file mode 100644
index 2bad7ea02cca..000000000000
--- a/contrib/bind9/lib/dns/include/dns/types.h
+++ /dev/null
@@ -1,299 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: types.h,v 1.103.12.7 2004/03/08 09:04:39 marka Exp $ */
-
-#ifndef DNS_TYPES_H
-#define DNS_TYPES_H 1
-
-/*
- * Including this file gives you type declarations suitable for use in
- * .h files, which lets us avoid circular type reference problems.
- *
- * To actually use a type or get declarations of its methods, you must
- * include the appropriate .h file too.
- */
-
-#include <isc/types.h>
-
-typedef struct dns_acl dns_acl_t;
-typedef struct dns_aclelement dns_aclelement_t;
-typedef struct dns_aclenv dns_aclenv_t;
-typedef struct dns_adb dns_adb_t;
-typedef struct dns_adbaddrinfo dns_adbaddrinfo_t;
-typedef ISC_LIST(dns_adbaddrinfo_t) dns_adbaddrinfolist_t;
-typedef struct dns_adbentry dns_adbentry_t;
-typedef struct dns_adbfind dns_adbfind_t;
-typedef ISC_LIST(dns_adbfind_t) dns_adbfindlist_t;
-typedef struct dns_byaddr dns_byaddr_t;
-typedef struct dns_cache dns_cache_t;
-typedef isc_uint16_t dns_cert_t;
-typedef struct dns_compress dns_compress_t;
-typedef struct dns_db dns_db_t;
-typedef struct dns_dbimplementation dns_dbimplementation_t;
-typedef struct dns_dbiterator dns_dbiterator_t;
-typedef void dns_dbload_t;
-typedef void dns_dbnode_t;
-typedef struct dns_dbtable dns_dbtable_t;
-typedef void dns_dbversion_t;
-typedef struct dns_decompress dns_decompress_t;
-typedef struct dns_dispatch dns_dispatch_t;
-typedef struct dns_dispatchevent dns_dispatchevent_t;
-typedef struct dns_dispatchlist dns_dispatchlist_t;
-typedef struct dns_dispatchmgr dns_dispatchmgr_t;
-typedef struct dns_dispentry dns_dispentry_t;
-typedef struct dns_dumpctx dns_dumpctx_t;
-typedef struct dns_fetch dns_fetch_t;
-typedef struct dns_fixedname dns_fixedname_t;
-typedef struct dns_forwarders dns_forwarders_t;
-typedef struct dns_fwdtable dns_fwdtable_t;
-typedef isc_uint16_t dns_keyflags_t;
-typedef struct dns_keynode dns_keynode_t;
-typedef struct dns_keytable dns_keytable_t;
-typedef isc_uint16_t dns_keytag_t;
-typedef struct dns_loadctx dns_loadctx_t;
-typedef struct dns_loadmgr dns_loadmgr_t;
-typedef struct dns_message dns_message_t;
-typedef isc_uint16_t dns_messageid_t;
-typedef isc_region_t dns_label_t;
-typedef struct dns_lookup dns_lookup_t;
-typedef struct dns_name dns_name_t;
-typedef ISC_LIST(dns_name_t) dns_namelist_t;
-typedef isc_uint16_t dns_opcode_t;
-typedef unsigned char dns_offsets_t[128];
-typedef struct dns_order dns_order_t;
-typedef struct dns_peer dns_peer_t;
-typedef struct dns_peerlist dns_peerlist_t;
-typedef struct dns_portlist dns_portlist_t;
-typedef struct dns_rbt dns_rbt_t;
-typedef isc_uint16_t dns_rcode_t;
-typedef struct dns_rdata dns_rdata_t;
-typedef struct dns_rdatacallbacks dns_rdatacallbacks_t;
-typedef isc_uint16_t dns_rdataclass_t;
-typedef struct dns_rdatalist dns_rdatalist_t;
-typedef struct dns_rdataset dns_rdataset_t;
-typedef ISC_LIST(dns_rdataset_t) dns_rdatasetlist_t;
-typedef struct dns_rdatasetiter dns_rdatasetiter_t;
-typedef isc_uint16_t dns_rdatatype_t;
-typedef struct dns_request dns_request_t;
-typedef struct dns_requestmgr dns_requestmgr_t;
-typedef struct dns_resolver dns_resolver_t;
-typedef struct dns_sdbimplementation dns_sdbimplementation_t;
-typedef isc_uint8_t dns_secalg_t;
-typedef isc_uint8_t dns_secproto_t;
-typedef struct dns_signature dns_signature_t;
-typedef struct dns_ssurule dns_ssurule_t;
-typedef struct dns_ssutable dns_ssutable_t;
-typedef struct dns_tkeyctx dns_tkeyctx_t;
-typedef isc_uint16_t dns_trust_t;
-typedef struct dns_tsig_keyring dns_tsig_keyring_t;
-typedef struct dns_tsigkey dns_tsigkey_t;
-typedef isc_uint32_t dns_ttl_t;
-typedef struct dns_validator dns_validator_t;
-typedef struct dns_view dns_view_t;
-typedef ISC_LIST(dns_view_t) dns_viewlist_t;
-typedef struct dns_zone dns_zone_t;
-typedef ISC_LIST(dns_zone_t) dns_zonelist_t;
-typedef struct dns_zonemgr dns_zonemgr_t;
-typedef struct dns_zt dns_zt_t;
-
-typedef enum {
- dns_fwdpolicy_none = 0,
- dns_fwdpolicy_first = 1,
- dns_fwdpolicy_only = 2
-} dns_fwdpolicy_t;
-
-typedef enum {
- dns_namereln_none = 0,
- dns_namereln_contains = 1,
- dns_namereln_subdomain = 2,
- dns_namereln_equal = 3,
- dns_namereln_commonancestor = 4
-} dns_namereln_t;
-
-typedef enum {
- dns_one_answer, dns_many_answers
-} dns_transfer_format_t;
-
-typedef enum {
- dns_dbtype_zone = 0, dns_dbtype_cache = 1, dns_dbtype_stub = 3
-} dns_dbtype_t;
-
-typedef enum {
- dns_notifytype_no = 0,
- dns_notifytype_yes = 1,
- dns_notifytype_explicit = 2
-} dns_notifytype_t;
-
-typedef enum {
- dns_dialuptype_no = 0,
- dns_dialuptype_yes = 1,
- dns_dialuptype_notify = 2,
- dns_dialuptype_notifypassive = 3,
- dns_dialuptype_refresh = 4,
- dns_dialuptype_passive = 5
-} dns_dialuptype_t;
-
-/*
- * These are generated by gen.c.
- */
-#include <dns/enumtype.h> /* Provides dns_rdatatype_t. */
-#include <dns/enumclass.h> /* Provides dns_rdataclass_t. */
-
-/*
- * rcodes.
- */
-enum {
- /*
- * Standard rcodes.
- */
- dns_rcode_noerror = 0,
-#define dns_rcode_noerror ((dns_rcode_t)dns_rcode_noerror)
- dns_rcode_formerr = 1,
-#define dns_rcode_formerr ((dns_rcode_t)dns_rcode_formerr)
- dns_rcode_servfail = 2,
-#define dns_rcode_servfail ((dns_rcode_t)dns_rcode_servfail)
- dns_rcode_nxdomain = 3,
-#define dns_rcode_nxdomain ((dns_rcode_t)dns_rcode_nxdomain)
- dns_rcode_notimp = 4,
-#define dns_rcode_notimp ((dns_rcode_t)dns_rcode_notimp)
- dns_rcode_refused = 5,
-#define dns_rcode_refused ((dns_rcode_t)dns_rcode_refused)
- dns_rcode_yxdomain = 6,
-#define dns_rcode_yxdomain ((dns_rcode_t)dns_rcode_yxdomain)
- dns_rcode_yxrrset = 7,
-#define dns_rcode_yxrrset ((dns_rcode_t)dns_rcode_yxrrset)
- dns_rcode_nxrrset = 8,
-#define dns_rcode_nxrrset ((dns_rcode_t)dns_rcode_nxrrset)
- dns_rcode_notauth = 9,
-#define dns_rcode_notauth ((dns_rcode_t)dns_rcode_notauth)
- dns_rcode_notzone = 10,
-#define dns_rcode_notzone ((dns_rcode_t)dns_rcode_notzone)
- /*
- * Extended rcodes.
- */
- dns_rcode_badvers = 16
-#define dns_rcode_badvers ((dns_rcode_t)dns_rcode_badvers)
-};
-
-/*
- * TSIG errors.
- */
-enum {
- dns_tsigerror_badsig = 16,
- dns_tsigerror_badkey = 17,
- dns_tsigerror_badtime = 18,
- dns_tsigerror_badmode = 19,
- dns_tsigerror_badname = 20,
- dns_tsigerror_badalg = 21
-};
-
-/*
- * Opcodes.
- */
-enum {
- dns_opcode_query = 0,
-#define dns_opcode_query ((dns_opcode_t)dns_opcode_query)
- dns_opcode_iquery = 1,
-#define dns_opcode_iquery ((dns_opcode_t)dns_opcode_iquery)
- dns_opcode_status = 2,
-#define dns_opcode_status ((dns_opcode_t)dns_opcode_status)
- dns_opcode_notify = 4,
-#define dns_opcode_notify ((dns_opcode_t)dns_opcode_notify)
- dns_opcode_update = 5 /* dynamic update */
-#define dns_opcode_update ((dns_opcode_t)dns_opcode_update)
-};
-
-/*
- * Trust levels. Must be kept in sync with trustnames[] in masterdump.c.
- */
-enum {
- /* Sentinel value; no data should have this trust level. */
- dns_trust_none = 0,
-#define dns_trust_none ((dns_trust_t)dns_trust_none)
-
- /* Subject to DNSSEC validation but has not yet been validated */
- dns_trust_pending = 1,
-#define dns_trust_pending ((dns_trust_t)dns_trust_pending)
-
- /* Received in the additional section of a response. */
- dns_trust_additional = 2,
-#define dns_trust_additional ((dns_trust_t)dns_trust_additional)
-
- /* Received in a referral response. */
- dns_trust_glue = 3,
-#define dns_trust_glue ((dns_trust_t)dns_trust_glue)
-
- /* Answser from a non-authoritative server */
- dns_trust_answer = 4,
-#define dns_trust_answer ((dns_trust_t)dns_trust_answer)
-
- /* Received in the authority section as part of an
- authoritative response */
- dns_trust_authauthority = 5,
-#define dns_trust_authauthority ((dns_trust_t)dns_trust_authauthority)
-
- /* Answser from an authoritative server */
- dns_trust_authanswer = 6,
-#define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer)
-
- /* Successfully DNSSEC validated */
- dns_trust_secure = 7,
-#define dns_trust_secure ((dns_trust_t)dns_trust_secure)
-
- /* This server is authoritative */
- dns_trust_ultimate = 8
-#define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate)
-};
-
-/*
- * Name checking severites.
- */
-typedef enum {
- dns_severity_ignore,
- dns_severity_warn,
- dns_severity_fail
-} dns_severity_t;
-
-/*
- * Functions.
- */
-typedef void
-(*dns_dumpdonefunc_t)(void *, isc_result_t);
-
-typedef void
-(*dns_loaddonefunc_t)(void *, isc_result_t);
-
-typedef isc_result_t
-(*dns_addrdatasetfunc_t)(void *, dns_name_t *, dns_rdataset_t *);
-
-typedef isc_result_t
-(*dns_additionaldatafunc_t)(void *, dns_name_t *, dns_rdatatype_t);
-
-typedef isc_result_t
-(*dns_digestfunc_t)(void *, isc_region_t *);
-
-typedef void
-(*dns_xfrindone_t)(dns_zone_t *, isc_result_t);
-
-typedef void
-(*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
-
-typedef int
-(*dns_rdatasetorderfunc_t)(dns_rdata_t *rdata, void *arg);
-
-#endif /* DNS_TYPES_H */
diff --git a/contrib/bind9/lib/dns/include/dns/validator.h b/contrib/bind9/lib/dns/include/dns/validator.h
deleted file mode 100644
index 24769f3c88a5..000000000000
--- a/contrib/bind9/lib/dns/include/dns/validator.h
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: validator.h,v 1.18.12.9 2005/09/06 02:12:41 marka Exp $ */
-
-#ifndef DNS_VALIDATOR_H
-#define DNS_VALIDATOR_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Validator
- *
- * XXX <TBS> XXX
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * RFCs: 1034, 1035, 2181, 2535, <TBS>
- * Drafts: <TBS>
- */
-
-#include <isc/lang.h>
-#include <isc/event.h>
-#include <isc/mutex.h>
-
-#include <dns/fixedname.h>
-#include <dns/types.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
-
-#include <dst/dst.h>
-
-/*
- * A dns_validatorevent_t is sent when a 'validation' completes.
- *
- * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
- * supplied when dns_validator_create() was called. They are returned to the
- * caller so that they may be freed.
- */
-typedef struct dns_validatorevent {
- ISC_EVENT_COMMON(struct dns_validatorevent);
- dns_validator_t * validator;
- isc_result_t result;
- dns_name_t * name;
- dns_rdatatype_t type;
- dns_rdataset_t * rdataset;
- dns_rdataset_t * sigrdataset;
- dns_message_t * message;
- dns_name_t * proofs[3];
-} dns_validatorevent_t;
-
-#define DNS_VALIDATOR_NOQNAMEPROOF 0
-#define DNS_VALIDATOR_NODATAPROOF 1
-#define DNS_VALIDATOR_NOWILDCARDPROOF 2
-
-/*
- * A validator object represents a validation in procgress.
- *
- * Clients are strongly discouraged from using this type directly, with
- * the exception of the 'link' field, which may be used directly for
- * whatever purpose the client desires.
- */
-struct dns_validator {
- /* Unlocked. */
- unsigned int magic;
- isc_mutex_t lock;
- dns_view_t * view;
- /* Locked by lock. */
- unsigned int options;
- unsigned int attributes;
- dns_validatorevent_t * event;
- dns_fetch_t * fetch;
- dns_validator_t * subvalidator;
- dns_validator_t * parent;
- dns_keytable_t * keytable;
- dns_keynode_t * keynode;
- dst_key_t * key;
- dns_rdata_rrsig_t * siginfo;
- isc_task_t * task;
- isc_taskaction_t action;
- void * arg;
- unsigned int labels;
- dns_rdataset_t * currentset;
- isc_boolean_t seensig;
- dns_rdataset_t * keyset;
- dns_rdataset_t * dsset;
- dns_rdataset_t * soaset;
- dns_rdataset_t * nsecset;
- dns_name_t * soaname;
- dns_rdataset_t frdataset;
- dns_rdataset_t fsigrdataset;
- dns_fixedname_t fname;
- dns_fixedname_t wild;
- ISC_LINK(dns_validator_t) link;
- dns_rdataset_t dlv;
- dns_fixedname_t dlvsep;
- isc_boolean_t havedlvsep;
- isc_boolean_t mustbesecure;
- unsigned int dlvlabels;
- unsigned int depth;
-};
-
-#define DNS_VALIDATOR_DLV 1
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
- dns_message_t *message, unsigned int options,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_validator_t **validatorp);
-/*
- * Start a DNSSEC validation.
- *
- * This validates a response to the question given by
- * 'name' and 'type'.
- *
- * To validate a positive response, the response data is
- * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset'
- * is NULL, the data is presumed insecure and an attempt
- * is made to prove its insecurity by finding the appropriate
- * null key.
- *
- * The complete response message may be given in 'message',
- * to make available any authority section NSECs that may be
- * needed for validation of a response resulting from a
- * wildcard expansion (though no such wildcard validation
- * is implemented yet). If the complete response message
- * is not available, 'message' is NULL.
- *
- * To validate a negative response, the complete negative response
- * message is given in 'message'. The 'rdataset', and
- * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
- * arguments must be provided.
- *
- * The validation is performed in the context of 'view'.
- * 'options' must be zero.
- *
- * When the validation finishes, a dns_validatorevent_t with
- * the given 'action' and 'arg' are sent to 'task'.
- * Its 'result' field will be ISC_R_SUCCESS iff the
- * response was successfully proven to be either secure or
- * part of a known insecure domain.
- */
-
-void
-dns_validator_cancel(dns_validator_t *validator);
-/*
- * Cancel a DNSSEC validation in progress.
- *
- * Requires:
- * 'validator' points to a valid DNSSEC validator, which
- * may or may not already have completed.
- *
- * Ensures:
- * It the validator has not already sent its completion
- * event, it will send it with result code ISC_R_CANCELED.
- */
-
-void
-dns_validator_destroy(dns_validator_t **validatorp);
-/*
- * Destroy a DNSSEC validator.
- *
- * Requires:
- * '*validatorp' points to a valid DNSSEC validator.
- * The validator must have completed and sent its completion
- * event.
- *
- * Ensures:
- * All resources used by the validator are freed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_VALIDATOR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/version.h b/contrib/bind9/lib/dns/include/dns/version.h
deleted file mode 100644
index 28c83be19568..000000000000
--- a/contrib/bind9/lib/dns/include/dns/version.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.2.224.3 2004/03/08 09:04:40 marka Exp $ */
-
-#include <isc/platform.h>
-
-LIBDNS_EXTERNAL_DATA extern const char dns_version[];
-
-LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libinterface;
-LIBDNS_EXTERNAL_DATA extern const unsigned int dns_librevision;
-LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libage;
diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h
deleted file mode 100644
index a3cd935ce4f9..000000000000
--- a/contrib/bind9/lib/dns/include/dns/view.h
+++ /dev/null
@@ -1,789 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: view.h,v 1.73.2.4.2.12 2004/03/10 02:55:58 marka Exp $ */
-
-#ifndef DNS_VIEW_H
-#define DNS_VIEW_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS View
- *
- * A "view" is a DNS namespace, together with an optional resolver and a
- * forwarding policy. A "DNS namespace" is a (possibly empty) set of
- * authoritative zones together with an optional cache and optional
- * "hints" information.
- *
- * Views start out "unfrozen". In this state, core attributes like
- * the cache, set of zones, and forwarding policy may be set. While
- * "unfrozen", the caller (e.g. nameserver configuration loading
- * code), must ensure exclusive access to the view. When the view is
- * "frozen", the core attributes become immutable, and the view module
- * will ensure synchronization. Freezing allows the view's core attributes
- * to be accessed without locking.
- *
- * MP:
- * Before the view is frozen, the caller must ensure synchronization.
- *
- * After the view is frozen, the module guarantees appropriate
- * synchronization of any data structures it creates and manipulates.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/event.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/stdtime.h>
-
-#include <dns/acl.h>
-#include <dns/fixedname.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-struct dns_view {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- dns_rdataclass_t rdclass;
- char * name;
- dns_zt_t * zonetable;
- dns_resolver_t * resolver;
- dns_adb_t * adb;
- dns_requestmgr_t * requestmgr;
- dns_cache_t * cache;
- dns_db_t * cachedb;
- dns_db_t * hints;
- dns_keytable_t * secroots;
- dns_keytable_t * trustedkeys;
- isc_mutex_t lock;
- isc_boolean_t frozen;
- isc_task_t * task;
- isc_event_t resevent;
- isc_event_t adbevent;
- isc_event_t reqevent;
- /* Configurable data. */
- dns_tsig_keyring_t * statickeys;
- dns_tsig_keyring_t * dynamickeys;
- dns_peerlist_t * peers;
- dns_order_t * order;
- dns_fwdtable_t * fwdtable;
- isc_boolean_t recursion;
- isc_boolean_t auth_nxdomain;
- isc_boolean_t additionalfromcache;
- isc_boolean_t additionalfromauth;
- isc_boolean_t minimalresponses;
- isc_boolean_t enablednssec;
- dns_transfer_format_t transfer_format;
- dns_acl_t * queryacl;
- dns_acl_t * recursionacl;
- dns_acl_t * sortlist;
- isc_boolean_t requestixfr;
- isc_boolean_t provideixfr;
- dns_ttl_t maxcachettl;
- dns_ttl_t maxncachettl;
- in_port_t dstport;
- dns_aclenv_t aclenv;
- dns_rdatatype_t preferred_glue;
- isc_boolean_t flush;
- dns_namelist_t * delonly;
- isc_boolean_t rootdelonly;
- dns_namelist_t * rootexclude;
- isc_boolean_t checknames;
- dns_name_t * dlv;
- dns_fixedname_t dlv_fixed;
-
- /*
- * Configurable data for server use only,
- * locked by server configuration lock.
- */
- dns_acl_t * matchclients;
- dns_acl_t * matchdestinations;
- isc_boolean_t matchrecursiveonly;
-
- /* Locked by themselves. */
- isc_refcount_t references;
-
- /* Locked by lock. */
- unsigned int weakrefs;
- unsigned int attributes;
- /* Under owner's locking control. */
- ISC_LINK(struct dns_view) link;
-};
-
-#define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w')
-#define DNS_VIEW_VALID(view) ISC_MAGIC_VALID(view, DNS_VIEW_MAGIC)
-
-#define DNS_VIEWATTR_RESSHUTDOWN 0x01
-#define DNS_VIEWATTR_ADBSHUTDOWN 0x02
-#define DNS_VIEWATTR_REQSHUTDOWN 0x04
-
-isc_result_t
-dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
- const char *name, dns_view_t **viewp);
-/*
- * Create a view.
- *
- * Notes:
- *
- * The newly created view has no cache, no resolver, and an empty
- * zone table. The view is not frozen.
- *
- * Requires:
- *
- * 'mctx' is a valid memory context.
- *
- * 'rdclass' is a valid class.
- *
- * 'name' is a valid C string.
- *
- * viewp != NULL && *viewp == NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Other errors are possible.
- */
-
-void
-dns_view_attach(dns_view_t *source, dns_view_t **targetp);
-/*
- * Attach '*targetp' to 'source'.
- *
- * Requires:
- *
- * 'source' is a valid, frozen view.
- *
- * 'targetp' points to a NULL dns_view_t *.
- *
- * Ensures:
- *
- * *targetp is attached to source.
- *
- * While *targetp is attached, the view will not shut down.
- */
-
-void
-dns_view_detach(dns_view_t **viewp);
-/*
- * Detach '*viewp' from its view.
- *
- * Requires:
- *
- * 'viewp' points to a valid dns_view_t *
- *
- * Ensures:
- *
- * *viewp is NULL.
- */
-
-void
-dns_view_flushanddetach(dns_view_t **viewp);
-/*
- * Detach '*viewp' from its view. If this was the last reference
- * uncommited changed in zones will be flushed to disk.
- *
- * Requires:
- *
- * 'viewp' points to a valid dns_view_t *
- *
- * Ensures:
- *
- * *viewp is NULL.
- */
-
-void
-dns_view_weakattach(dns_view_t *source, dns_view_t **targetp);
-/*
- * Weakly attach '*targetp' to 'source'.
- *
- * Requires:
- *
- * 'source' is a valid, frozen view.
- *
- * 'targetp' points to a NULL dns_view_t *.
- *
- * Ensures:
- *
- * *targetp is attached to source.
- *
- * While *targetp is attached, the view will not be freed.
- */
-
-void
-dns_view_weakdetach(dns_view_t **targetp);
-/*
- * Detach '*viewp' from its view.
- *
- * Requires:
- *
- * 'viewp' points to a valid dns_view_t *.
- *
- * Ensures:
- *
- * *viewp is NULL.
- */
-
-isc_result_t
-dns_view_createresolver(dns_view_t *view,
- isc_taskmgr_t *taskmgr, unsigned int ntasks,
- isc_socketmgr_t *socketmgr,
- isc_timermgr_t *timermgr,
- unsigned int options,
- dns_dispatchmgr_t *dispatchmgr,
- dns_dispatch_t *dispatchv4,
- dns_dispatch_t *dispatchv6);
-/*
- * Create a resolver and address database for the view.
- *
- * Requires:
- *
- * 'view' is a valid, unfrozen view.
- *
- * 'view' does not have a resolver already.
- *
- * The requirements of dns_resolver_create() apply to 'taskmgr',
- * 'ntasks', 'socketmgr', 'timermgr', 'options', 'dispatchv4', and
- * 'dispatchv6'.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- *
- * Any error that dns_resolver_create() can return.
- */
-
-void
-dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
-/*
- * Set the view's cache database.
- *
- * Requires:
- *
- * 'view' is a valid, unfrozen view.
- *
- * 'cache' is a valid cache.
- *
- * Ensures:
- *
- * The cache of 'view' is 'cached.
- *
- * If this is not the first call to dns_view_setcache() for this
- * view, then previously set cache is detached.
- */
-
-void
-dns_view_sethints(dns_view_t *view, dns_db_t *hints);
-/*
- * Set the view's hints database.
- *
- * Requires:
- *
- * 'view' is a valid, unfrozen view, whose hints database has not been
- * set.
- *
- * 'hints' is a valid zone database.
- *
- * Ensures:
- *
- * The hints database of 'view' is 'hints'.
- */
-
-void
-dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
-/*
- * Set the view's static TSIG keys
- *
- * Requires:
- *
- * 'view' is a valid, unfrozen view, whose static TSIG keyring has not
- * been set.
- *
- * 'ring' is a valid TSIG keyring
- *
- * Ensures:
- *
- * The static TSIG keyring of 'view' is 'ring'.
- */
-
-void
-dns_view_setdstport(dns_view_t *view, in_port_t dstport);
-/*
- * Set the view's destination port. This is the port to
- * which outgoing queries are sent. The default is 53,
- * the standard DNS port.
- *
- * Requires:
- *
- * 'view' is a valid view.
- *
- * 'dstport' is a valid TCP/UDP port number.
- *
- * Ensures:
- * External name servers will be assumed to be listning
- * on 'dstport'. For servers whose address has already
- * obtained obtained at the time of the call, the view may
- * continue to use the previously set port until the address
- * times out from the view's address database.
- */
-
-
-isc_result_t
-dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
-/*
- * Add zone 'zone' to 'view'.
- *
- * Requires:
- *
- * 'view' is a valid, unfrozen view.
- *
- * 'zone' is a valid zone.
- */
-
-void
-dns_view_freeze(dns_view_t *view);
-/*
- * Freeze view.
- *
- * Requires:
- *
- * 'view' is a valid, unfrozen view.
- *
- * Ensures:
- *
- * 'view' is frozen.
- */
-
-isc_result_t
-dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
- isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
- dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
- * Find an rdataset whose owner name is 'name', and whose type is
- * 'type'.
- *
- * Notes:
- *
- * See the description of dns_db_find() for information about 'options'.
- * If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
- * and 'type' are appropriate for glue retrieval.
- *
- * If 'now' is zero, then the current time will be used.
- *
- * If 'use_hints' is ISC_TRUE, and the view has a hints database, then
- * it will be searched last. If the answer is found in the hints
- * database, the result code will be DNS_R_HINT. If the name is found
- * in the hints database but not the type, the result code will be
- * DNS_R_HINTNXRRSET.
- *
- * 'foundname' must meet the requirements of dns_db_find().
- *
- * If 'sigrdataset' is not NULL, and there is a SIG rdataset which
- * covers 'type', then 'sigrdataset' will be bound to it.
- *
- * Requires:
- *
- * 'view' is a valid, frozen view.
- *
- * 'name' is valid name.
- *
- * 'type' is a valid dns_rdatatype_t, and is not a meta query type
- * except dns_rdatatype_any.
- *
- * dbp == NULL || *dbp == NULL
- *
- * nodep == NULL || *nodep == NULL. If nodep != NULL, dbp != NULL.
- *
- * 'foundname' is a valid name with a dedicated buffer or NULL.
- *
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- * Ensures:
- *
- * In successful cases, 'rdataset', and possibly 'sigrdataset', are
- * bound to the found data.
- *
- * If dbp != NULL, it points to the database containing the data.
- *
- * If nodep != NULL, it points to the database node containing the data.
- *
- * If foundname != NULL, it contains the full name of the found data.
- *
- * Returns:
- *
- * Any result that dns_db_find() can return, with the exception of
- * DNS_R_DELEGATION.
- */
-
-isc_result_t
-dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
- isc_stdtime_t now, unsigned int options,
- isc_boolean_t use_hints,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
- * Find an rdataset whose owner name is 'name', and whose type is
- * 'type'.
- *
- * Notes:
- *
- * This routine is appropriate for simple, exact-match queries of the
- * view. 'name' must be a canonical name; there is no DNAME or CNAME
- * processing.
- *
- * See the description of dns_db_find() for information about 'options'.
- * If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
- * and 'type' are appropriate for glue retrieval.
- *
- * If 'now' is zero, then the current time will be used.
- *
- * If 'use_hints' is ISC_TRUE, and the view has a hints database, then
- * it will be searched last. If the answer is found in the hints
- * database, the result code will be DNS_R_HINT. If the name is found
- * in the hints database but not the type, the result code will be
- * DNS_R_HINTNXRRSET.
- *
- * If 'sigrdataset' is not NULL, and there is a SIG rdataset which
- * covers 'type', then 'sigrdataset' will be bound to it.
- *
- * Requires:
- *
- * 'view' is a valid, frozen view.
- *
- * 'name' is valid name.
- *
- * 'type' is a valid dns_rdatatype_t, and is not a meta query type
- * (e.g. dns_rdatatype_any), or dns_rdatatype_rrsig.
- *
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- * Ensures:
- *
- * In successful cases, 'rdataset', and possibly 'sigrdataset', are
- * bound to the found data.
- *
- * Returns:
- *
- * ISC_R_SUCCESS Success; result is desired type.
- * DNS_R_GLUE Success; result is glue.
- * DNS_R_HINT Success; result is a hint.
- * DNS_R_NCACHENXDOMAIN Success; result is a ncache entry.
- * DNS_R_NCACHENXRRSET Success; result is a ncache entry.
- * DNS_R_NXDOMAIN The name does not exist.
- * DNS_R_NXRRSET The rrset does not exist.
- * ISC_R_NOTFOUND No matching data found,
- * or an error occurred.
- */
-
-isc_result_t
-dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
- isc_stdtime_t now, unsigned int options,
- isc_boolean_t use_hints,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-
-isc_result_t
-dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
- isc_stdtime_t now, unsigned int options,
- isc_boolean_t use_hints, isc_boolean_t use_cache,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
-/*
- * Find the best known zonecut containing 'name'.
- *
- * This uses local authority, cache, and optionally hints data.
- * No external queries are performed.
- *
- * Notes:
- *
- * If 'now' is zero, then the current time will be used.
- *
- * If 'use_hints' is ISC_TRUE, and the view has a hints database, then
- * it will be searched last.
- *
- * If 'use_cache' is ISC_TRUE, and the view has a cache, then it will be
- * searched.
- *
- * If 'sigrdataset' is not NULL, and there is a SIG rdataset which
- * covers 'type', then 'sigrdataset' will be bound to it.
- *
- * If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
- * (if any) will be the deepest known ancestor of 'name'.
- *
- * Requires:
- *
- * 'view' is a valid, frozen view.
- *
- * 'name' is valid name.
- *
- * 'rdataset' is a valid, disassociated rdataset.
- *
- * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
- *
- * Returns:
- *
- * ISC_R_SUCCESS Success.
- *
- * Many other results are possible.
- */
-
-isc_result_t
-dns_viewlist_find(dns_viewlist_t *list, const char *name,
- dns_rdataclass_t rdclass, dns_view_t **viewp);
-/*
- * Search for a view with name 'name' and class 'rdclass' in 'list'.
- * If found, '*viewp' is (strongly) attached to it.
- *
- * Requires:
- *
- * 'viewp' points to a NULL dns_view_t *.
- *
- * Returns:
- *
- * ISC_R_SUCCESS A matching view was found.
- * ISC_R_NOTFOUND No matching view was found.
- */
-
-isc_result_t
-dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep);
-/*
- * Search for the zone 'name' in the zone table of 'view'.
- * If found, 'zonep' is (strongly) attached to it. There
- * are no partial matches.
- *
- * Requires:
- *
- * 'zonep' points to a NULL dns_zone_t *.
- *
- * Returns:
- * ISC_R_SUCCESS A matching zone was found.
- * ISC_R_NOTFOUND No matching zone was found.
- * others An error occurred.
- */
-
-isc_result_t
-dns_view_load(dns_view_t *view, isc_boolean_t stop);
-
-isc_result_t
-dns_view_loadnew(dns_view_t *view, isc_boolean_t stop);
-/*
- * Load zones attached to this view. dns_view_load() loads
- * all zones whose master file has changed since the last
- * load; dns_view_loadnew() loads only zones that have never
- * been loaded.
- *
- * If 'stop' is ISC_TRUE, stop on the first error and return it.
- * If 'stop' is ISC_FALSE, ignore errors.
- *
- * Requires:
- *
- * 'view' is valid.
- */
-
-isc_result_t
-dns_view_gettsig(dns_view_t *view, dns_name_t *keyname,
- dns_tsigkey_t **keyp);
-/*
- * Find the TSIG key configured in 'view' with name 'keyname',
- * if any.
- *
- * Reqires:
- * keyp points to a NULL dns_tsigkey_t *.
- *
- * Returns:
- * ISC_R_SUCCESS A key was found and '*keyp' now points to it.
- * ISC_R_NOTFOUND No key was found.
- * others An error occurred.
- */
-
-isc_result_t
-dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
- dns_tsigkey_t **keyp);
-/*
- * Find the TSIG key configured in 'view' for the server whose
- * address is 'peeraddr', if any.
- *
- * Reqires:
- * keyp points to a NULL dns_tsigkey_t *.
- *
- * Returns:
- * ISC_R_SUCCESS A key was found and '*keyp' now points to it.
- * ISC_R_NOTFOUND No key was found.
- * others An error occurred.
- */
-
-isc_result_t
-dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
-/*
- * Verifies the signature of a message.
- *
- * Requires:
- *
- * 'view' is a valid view.
- * 'source' is a valid buffer containing the message
- * 'msg' is a valid message
- *
- * Returns:
- * see dns_tsig_verify()
- */
-
-void
-dns_view_dialup(dns_view_t *view);
-/*
- * Perform dialup-time maintenance on the zones of 'view'.
- */
-
-isc_result_t
-dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
-/*
- * Dump the current state of the view 'view' to the stream 'fp'
- * for purposes of analysis or debugging.
- *
- * Currently the dumped state includes the view's cache; in the future
- * it may also include other state such as the address database.
- * It will not not include authoritative data since it is voluminous and
- * easily obtainable by other means.
- *
- * Requires:
- *
- * 'view' is valid.
- *
- * 'fp' refers to a file open for writing.
- *
- * Returns:
- * ISC_R_SUCCESS The cache was successfully dumped.
- * others An error occurred (see dns_master_dump)
- */
-
-isc_result_t
-dns_view_flushcache(dns_view_t *view);
-/*
- * Flush the view's cache (and ADB).
- *
- * Requires:
- * 'view' is valid.
- *
- * No other tasks are executing.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_view_flushname(dns_view_t *view, dns_name_t *);
-/*
- * Flush the given name from the view's cache (and ADB).
- *
- * Requires:
- * 'view' is valid.
- * 'name' is valid.
- *
- * Returns:
- * ISC_R_SUCCESS
- * other returns are failures.
- */
-
-isc_result_t
-dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
-/*
- * Add the given name to the delegation only table.
- *
- *
- * Requires:
- * 'view' is valid.
- * 'name' is valid.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name);
-/*
- * Add the given name to be excluded from the root-delegation-only.
- *
- *
- * Requires:
- * 'view' is valid.
- * 'name' is valid.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_boolean_t
-dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name);
-/*
- * Check if 'name' is in the delegation only table or if
- * rootdelonly is set that name is not being excluded.
- *
- * Requires:
- * 'view' is valid.
- * 'name' is valid.
- *
- * Returns:
- * ISC_TRUE if the name is is the table.
- * ISC_FALSE othewise.
- */
-
-void
-dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value);
-/*
- * Set the root delegation only flag.
- *
- * Requires:
- * 'view' is valid.
- */
-
-isc_boolean_t
-dns_view_getrootdelonly(dns_view_t *view);
-/*
- * Get the root delegation only flag.
- *
- * Requires:
- * 'view' is valid.
- */
-
-#endif /* DNS_VIEW_H */
diff --git a/contrib/bind9/lib/dns/include/dns/xfrin.h b/contrib/bind9/lib/dns/include/dns/xfrin.h
deleted file mode 100644
index 0050238f94a1..000000000000
--- a/contrib/bind9/lib/dns/include/dns/xfrin.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: xfrin.h,v 1.18.136.2 2004/03/06 08:14:01 marka Exp $ */
-
-#ifndef DNS_XFRIN_H
-#define DNS_XFRIN_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Incoming zone transfers (AXFR + IXFR).
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-/***
- *** Types
- ***/
-
-/*
- * A transfer in progress. This is an opaque type.
- */
-typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
- isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
- isc_mem_t *mctx, isc_timermgr_t *timermgr,
- isc_socketmgr_t *socketmgr, isc_task_t *task,
- dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp);
-
-isc_result_t
-dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
- isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
- dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
- isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
- isc_task_t *task, dns_xfrindone_t done,
- dns_xfrin_ctx_t **xfrp);
-/*
- * Attempt to start an incoming zone transfer of 'zone'
- * from 'masteraddr', creating a dns_xfrin_ctx_t object to
- * manage it. Attach '*xfrp' to the newly created object.
- *
- * Iff ISC_R_SUCCESS is returned, '*done' is guaranteed to be
- * called in the context of 'task', with 'zone' and a result
- * code as arguments when the transfer finishes.
- *
- * Requires:
- * 'xfrtype' is dns_rdatatype_axfr or dns_rdatatype_ixfr.
- *
- * If 'xfrtype' is dns_rdatatype_ixfr, the zone has a
- * database.
- */
-
-void
-dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
-/*
- * If the zone transfer 'xfr' has already finished,
- * do nothing. Otherwise, abort it and cause it to call
- * its done callback with a status of ISC_R_CANCELLED.
- */
-
-void
-dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
-/*
- * Detach a reference to a zone transfer object.
- * Caller to maintain external locking if required.
- */
-
-void
-dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target);
-/*
- * Caller to maintain external locking if required.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_XFRIN_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zone.h b/contrib/bind9/lib/dns/include/dns/zone.h
deleted file mode 100644
index b7680fa27741..000000000000
--- a/contrib/bind9/lib/dns/include/dns/zone.h
+++ /dev/null
@@ -1,1437 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zone.h,v 1.106.2.7.4.15 2004/10/26 02:08:43 marka Exp $ */
-
-#ifndef DNS_ZONE_H
-#define DNS_ZONE_H 1
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/rwlock.h>
-
-#include <dns/types.h>
-
-typedef enum {
- dns_zone_none,
- dns_zone_master,
- dns_zone_slave,
- dns_zone_stub
-} dns_zonetype_t;
-
-#define DNS_ZONEOPT_SERVERS 0x00000001U /* perform server checks */
-#define DNS_ZONEOPT_PARENTS 0x00000002U /* perform parent checks */
-#define DNS_ZONEOPT_CHILDREN 0x00000004U /* perform child checks */
-#define DNS_ZONEOPT_NOTIFY 0x00000008U /* perform NOTIFY */
-#define DNS_ZONEOPT_MANYERRORS 0x00000010U /* return many errors on load */
-#define DNS_ZONEOPT_IXFRFROMDIFFS 0x00000020U /* calculate differences */
-#define DNS_ZONEOPT_NOMERGE 0x00000040U /* don't merge journal */
-#define DNS_ZONEOPT_CHECKNS 0x00000080U /* check if NS's are addresses */
-#define DNS_ZONEOPT_FATALNS 0x00000100U /* DNS_ZONEOPT_CHECKNS is fatal */
-#define DNS_ZONEOPT_MULTIMASTER 0x00000200U /* this zone has multiple masters */
-#define DNS_ZONEOPT_USEALTXFRSRC 0x00000400U /* use alternate transfer sources */
-#define DNS_ZONEOPT_CHECKNAMES 0x00000800U /* check-names */
-#define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U /* fatal check-name failures */
-
-#ifndef NOMINUM_PUBLIC
-/*
- * Nominum specific options build down.
- */
-#define DNS_ZONEOPT_NOTIFYFORWARD 0x80000000U /* forward notify to master */
-#endif /* NOMINUM_PUBLIC */
-
-#ifndef DNS_ZONE_MINREFRESH
-#define DNS_ZONE_MINREFRESH 300 /* 5 minutes */
-#endif
-#ifndef DNS_ZONE_MAXREFRESH
-#define DNS_ZONE_MAXREFRESH 2419200 /* 4 weeks */
-#endif
-#ifndef DNS_ZONE_DEFAULTREFRESH
-#define DNS_ZONE_DEFAULTREFRESH 3600 /* 1 hour */
-#endif
-#ifndef DNS_ZONE_MINRETRY
-#define DNS_ZONE_MINRETRY 300 /* 5 minutes */
-#endif
-#ifndef DNS_ZONE_MAXRETRY
-#define DNS_ZONE_MAXRETRY 1209600 /* 2 weeks */
-#endif
-#ifndef DNS_ZONE_DEFAULTRETRY
-#define DNS_ZONE_DEFAULTRETRY 60 /* 1 minute, subject to
- exponential backoff */
-#endif
-
-#define DNS_ZONESTATE_XFERRUNNING 1
-#define DNS_ZONESTATE_XFERDEFERRED 2
-#define DNS_ZONESTATE_SOAQUERY 3
-#define DNS_ZONESTATE_ANY 4
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
-/*
- * Creates a new empty zone and attach '*zonep' to it.
- *
- * Requires:
- * 'zonep' to point to a NULL pointer.
- * 'mctx' to be a valid memory context.
- *
- * Ensures:
- * '*zonep' refers to a valid zone.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- */
-
-void
-dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
-/*
- * Sets the class of a zone. This operation can only be performed
- * once on a zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- * dns_zone_setclass() not to have been called since the zone was
- * created.
- * 'rdclass' != dns_rdataclass_none.
- */
-
-dns_rdataclass_t
-dns_zone_getclass(dns_zone_t *zone);
-/*
- * Returns the current zone class.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
-/*
- * Sets the zone type. This operation can only be performed once on
- * a zone.
- *
- * Requires:
- * 'zone' to be a valid zone.
- * dns_zone_settype() not to have been called since the zone was
- * created.
- * 'type' != dns_zone_none
- */
-
-void
-dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
-/*
- * Associate the zone with a view.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-dns_view_t *
-dns_zone_getview(dns_zone_t *zone);
-/*
- * Returns the zone's associated view.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
-/*
- * Sets the zones origin to 'origin'.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'origin' to be non NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-dns_name_t *
-dns_zone_getorigin(dns_zone_t *zone);
-/*
- * Returns the value of the origin.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setfile(dns_zone_t *zone, const char *file);
-/*
- * Sets the name of the master file from which the zone
- * loads its database to 'file'. For zones that have
- * no associated master file, 'file' will be NULL.
- *
- * For zones with persistent databases, the file name
- * setting is ignored.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * ISC_R_NOMEMORY
- * ISC_R_SUCCESS
- */
-
-const char *
-dns_zone_getfile(dns_zone_t *zone);
-/*
- * Gets the name of the zone's master file, if any.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- *
- * Returns:
- * Pointer to null-terminated file name, or NULL.
- */
-
-isc_result_t
-dns_zone_load(dns_zone_t *zone);
-
-isc_result_t
-dns_zone_loadnew(dns_zone_t *zone);
-/*
- * Cause the database to be loaded from its backing store.
- * Confirm that the minimum requirements for the zone type are
- * met, otherwise DNS_R_BADZONE is returned.
- *
- * dns_zone_loadnew() only loads zones that are not yet loaded.
- * dns_zone_load() also loads zones that are already loaded and
- * and whose master file has changed since the last load.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * ISC_R_UNEXPECTED
- * ISC_R_SUCCESS
- * DNS_R_CONTINUE Incremental load has been queued.
- * DNS_R_UPTODATE The zone has already been loaded based on
- * file system timestamps.
- * DNS_R_BADZONE
- * Any result value from dns_db_load().
- */
-
-void
-dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
-/*
- * Attach '*target' to 'source' incrementing its external
- * reference count.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_zone_detach(dns_zone_t **zonep);
-/*
- * Detach from a zone decrementing its external reference count.
- * If this was the last external reference to the zone it will be
- * shut down and eventually freed.
- *
- * Require:
- * 'zonep' to point to a valid zone.
- */
-
-void
-dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
-/*
- * Attach '*target' to 'source' incrementing its internal
- * reference count. This is intended for use by operations
- * such as zone transfers that need to prevent the zone
- * object from being freed but not from shutting down.
- *
- * Require:
- * The caller is running in the context of the zone's task.
- * 'zone' to be a valid zone.
- * 'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_zone_idetach(dns_zone_t **zonep);
-/*
- * Detach from a zone decrementing its internal reference count.
- * If there are no more internal or external references to the
- * zone, it will be freed.
- *
- * Require:
- * The caller is running in the context of the zone's task.
- * 'zonep' to point to a valid zone.
- */
-
-void
-dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value);
-/*
- * Sets ('value' == 'ISC_TRUE') / clears ('value' == 'IS_FALSE')
- * zone flags. Valid flag bits are DNS_ZONE_F_*.
- *
- * Requires
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
-/*
- * Attach '*dbp' to the database to if it exists otherwise
- * return DNS_R_NOTLOADED.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'dbp' to be != NULL && '*dbp' == NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * DNS_R_NOTLOADED
- */
-
-isc_result_t
-dns_zone_setdbtype(dns_zone_t *zone,
- unsigned int dbargc, const char * const *dbargv);
-/*
- * Sets the database type to dbargv[0] and database arguments
- * to subsequent dbargv elements.
- * 'db_type' is not checked to see if it is a valid database type.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'database' to be non NULL.
- * 'dbargc' to be >= 1
- * 'dbargv' to point to dbargc NULL-terminated strings
- *
- * Returns:
- * ISC_R_NOMEMORY
- * ISC_R_SUCCESS
- */
-
-void
-dns_zone_markdirty(dns_zone_t *zone);
-/*
- * Mark a zone as 'dirty'.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_expire(dns_zone_t *zone);
-/*
- * Mark the zone as expired. If the zone requires dumping cause it to
- * be initiated. Set the refresh and retry intervals to there default
- * values and unload the zone.
- *
- * Require
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_refresh(dns_zone_t *zone);
-/*
- * Initiate zone up to date checks. The zone must already be being
- * managed.
- *
- * Require
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_flush(dns_zone_t *zone);
-/*
- * Write the zone to database if there are uncommited changes.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_dump(dns_zone_t *zone);
-/*
- * Write the zone to database.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
-/*
- * Write the zone to stream 'fd'.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'fd' to be a stream open for writing.
- */
-
-isc_result_t
-dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd);
-/*
- * The same as dns_zone_dumptostream, but dumps the zone with
- * different dump settings (dns_master_style_full).
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'fd' to be a stream open for writing.
- */
-
-void
-dns_zone_maintenance(dns_zone_t *zone);
-/*
- * Perform regular maintenace on the zone. This is called as a
- * result of a zone being managed.
- *
- * Require
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
- isc_uint32_t count);
-isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
- dns_name_t **keynames, isc_uint32_t count);
-/*
- * Set the list of master servers for the zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'masters' array of isc_sockaddr_t with port set or NULL.
- * 'count' the number of masters.
- * 'keynames' array of dns_name_t's for tsig keys or NULL.
- *
- * dns_zone_setmasters() is just a wrapper to setmasterswithkeys(),
- * passing NULL in the keynames field.
- *
- * If 'masters' is NULL then 'count' must be zero.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * Any result dns_name_dup() can return, if keynames!=NULL
- */
-
-isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
- isc_uint32_t count);
-/*
- * Set the list of additional servers to be notified when
- * a zone changes. To clear the list use 'count = 0'.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'notify' to be non-NULL if count != 0.
- * 'count' to be the number of notifyees.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-void
-dns_zone_unload(dns_zone_t *zone);
-/*
- * detach the database from the zone structure.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
-/*
- * Set given options on ('value' == ISC_TRUE) or off ('value' ==
- * ISC_FALSE).
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-unsigned int
-dns_zone_getoptions(dns_zone_t *zone);
-/*
- * Returns the current zone options.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val);
-/*
- * Set the minimum refresh time.
- *
- * Requires:
- * 'zone' is valid.
- * val > 0.
- */
-
-void
-dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val);
-/*
- * Set the maximum refresh time.
- *
- * Requires:
- * 'zone' is valid.
- * val > 0.
- */
-
-void
-dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val);
-/*
- * Set the minimum retry time.
- *
- * Requires:
- * 'zone' is valid.
- * val > 0.
- */
-
-void
-dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
-/*
- * Set the maximum retry time.
- *
- * Requires:
- * 'zone' is valid.
- * val > 0.
- */
-
-isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
-isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
-/*
- * Set the source address to be used in IPv4 zone transfers.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'xfrsource' to contain the address.
- *
- * Returns:
- * ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getxfrsource4(dns_zone_t *zone);
-isc_sockaddr_t *
-dns_zone_getaltxfrsource4(dns_zone_t *zone);
-/*
- * Returns the source address set by a previous dns_zone_setxfrsource4
- * call, or the default of inaddr_any, port 0.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
-isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
-/*
- * Set the source address to be used in IPv6 zone transfers.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'xfrsource' to contain the address.
- *
- * Returns:
- * ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getxfrsource6(dns_zone_t *zone);
-isc_sockaddr_t *
-dns_zone_getaltxfrsource6(dns_zone_t *zone);
-/*
- * Returns the source address set by a previous dns_zone_setxfrsource6
- * call, or the default of in6addr_any, port 0.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
-/*
- * Set the source address to be used with IPv4 NOTIFY messages.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'notifysrc' to contain the address.
- *
- * Returns:
- * ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc4(dns_zone_t *zone);
-/*
- * Returns the source address set by a previous dns_zone_setnotifysrc4
- * call, or the default of inaddr_any, port 0.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
-/*
- * Set the source address to be used with IPv6 NOTIFY messages.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'notifysrc' to contain the address.
- *
- * Returns:
- * ISC_R_SUCCESS
- */
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc6(dns_zone_t *zone);
-/*
- * Returns the source address set by a previous dns_zone_setnotifysrc6
- * call, or the default of in6addr_any, port 0.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
- * Sets the notify acl list for the zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'acl' to be a valid acl.
- */
-
-void
-dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
- * Sets the query acl list for the zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'acl' to be a valid acl.
- */
-
-void
-dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
- * Sets the update acl list for the zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'acl' to be valid acl.
- */
-
-void
-dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl);
-/*
- * Sets the forward unsigned updates acl list for the zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'acl' to be valid acl.
- */
-
-void
-dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
-/*
- * Sets the transfer acl list for the zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'acl' to be valid acl.
- */
-
-dns_acl_t *
-dns_zone_getnotifyacl(dns_zone_t *zone);
-/*
- * Returns the current notify acl or NULL.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * acl a pointer to the acl.
- * NULL
- */
-
-dns_acl_t *
-dns_zone_getqueryacl(dns_zone_t *zone);
-/*
- * Returns the current query acl or NULL.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * acl a pointer to the acl.
- * NULL
- */
-
-dns_acl_t *
-dns_zone_getupdateacl(dns_zone_t *zone);
-/*
- * Returns the current update acl or NULL.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * acl a pointer to the acl.
- * NULL
- */
-
-dns_acl_t *
-dns_zone_getforwardacl(dns_zone_t *zone);
-/*
- * Returns the current forward unsigned updates acl or NULL.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * acl a pointer to the acl.
- * NULL
- */
-
-dns_acl_t *
-dns_zone_getxfracl(dns_zone_t *zone);
-/*
- * Returns the current transfer acl or NULL.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * acl a pointer to the acl.
- * NULL
- */
-
-void
-dns_zone_clearupdateacl(dns_zone_t *zone);
-/*
- * Clear the current update acl.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearforwardacl(dns_zone_t *zone);
-/*
- * Clear the current forward unsigned updates acl.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearnotifyacl(dns_zone_t *zone);
-/*
- * Clear the current notify acl.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearqueryacl(dns_zone_t *zone);
-/*
- * Clear the current query acl.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_clearxfracl(dns_zone_t *zone);
-/*
- * Clear the current transfer acl.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-isc_boolean_t
-dns_zone_getupdatedisabled(dns_zone_t *zone);
-
-void
-dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state);
-
-void
-dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
-/*
- * Set the severity of name checking when loading a zone.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-dns_severity_t
-dns_zone_getchecknames(dns_zone_t *zone);
-/*
- * Return the current severity of name checking.
- *
- * Require:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size);
-/*
- * Sets the journal size for the zone.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_int32_t
-dns_zone_getjournalsize(dns_zone_t *zone);
-/*
- * Return the journal size as set with a previous call to
- * dns_zone_setjournalsize().
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
- dns_message_t *msg);
-/*
- * Tell the zone that it has recieved a NOTIFY message from another
- * server. This may cause some zone maintainence activity to occur.
- *
- * Requires:
- * 'zone' to be a valid zone.
- * '*from' to contain the address of the server from which 'msg'
- * was recieved.
- * 'msg' a message with opcode NOTIFY and qr clear.
- *
- * Returns:
- * DNS_R_REFUSED
- * DNS_R_NOTIMP
- * DNS_R_FORMERR
- * DNS_R_SUCCESS
- */
-
-void
-dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin);
-/*
- * Set the maximum time (in seconds) that a zone transfer in (AXFR/IXFR)
- * of this zone will use before being aborted.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- */
-
-isc_uint32_t
-dns_zone_getmaxxfrin(dns_zone_t *zone);
-/*
- * Returns the maximum transfer time for this zone. This will be
- * either the value set by the last call to dns_zone_setmaxxfrin() or
- * the default value of 1 hour.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- */
-
-void
-dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout);
-/*
- * Set the maximum time (in seconds) that a zone transfer out (AXFR/IXFR)
- * of this zone will use before being aborted.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- */
-
-isc_uint32_t
-dns_zone_getmaxxfrout(dns_zone_t *zone);
-/*
- * Returns the maximum transfer time for this zone. This will be
- * either the value set by the last call to dns_zone_setmaxxfrout() or
- * the default value of 1 hour.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- */
-
-isc_result_t
-dns_zone_setjournal(dns_zone_t *zone, const char *journal);
-/*
- * Sets the filename used for journaling updates / IXFR transfers.
- * The default journal name is set by dns_zone_setfile() to be
- * "file.jnl". If 'journal' is NULL, the zone will have no
- * journal name.
- *
- * Requires:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-char *
-dns_zone_getjournal(dns_zone_t *zone);
-/*
- * Returns the journal name associated with this zone.
- * If no journal has been set this will be NULL.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- */
-
-dns_zonetype_t
-dns_zone_gettype(dns_zone_t *zone);
-/*
- * Returns the type of the zone (master/slave/etc.)
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- */
-
-void
-dns_zone_settask(dns_zone_t *zone, isc_task_t *task);
-/*
- * Give a zone a task to work with. Any current task will be detached.
- *
- * Requires:
- * 'zone' to be valid.
- * 'task' to be valid.
- */
-
-void
-dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
-/*
- * Attach '*target' to the zone's task.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- * 'zone' to have a task.
- * 'target' to be != NULL && '*target' == NULL.
- */
-
-void
-dns_zone_notify(dns_zone_t *zone);
-/*
- * Generate notify events for this zone.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
-/*
- * Replace the database of "zone" with a new database "db".
- *
- * If "dump" is ISC_TRUE, then the new zone contents are dumped
- * into to the zone's master file for persistence. When replacing
- * a zone database by one just loaded from a master file, set
- * "dump" to ISC_FALSE to avoid a redunant redump of the data just
- * loaded. Otherwise, it should be set to ISC_TRUE.
- *
- * If the "diff-on-reload" option is enabled in the configuration file,
- * the differences between the old and the new database are added to the
- * journal file, and the master file dump is postponed.
- *
- * Requires:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * DNS_R_SUCCESS
- * DNS_R_BADZONE zone failed basic consistancy checks:
- * * a single SOA must exist
- * * some NS records must exist.
- * Others
- */
-
-isc_uint32_t
-dns_zone_getidlein(dns_zone_t *zone);
-/*
- * Requires:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * number of seconds of idle time before we abort the transfer in.
- */
-
-void
-dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein);
-/*
- * Set the idle timeout for transfer the.
- * Zero set the default value, 1 hour.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_uint32_t
-dns_zone_getidleout(dns_zone_t *zone);
-/*
- *
- * Requires:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * number of seconds of idle time before we abort a transfer out.
- */
-
-void
-dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout);
-/*
- * Set the idle timeout for transfers out.
- * Zero set the default value, 1 hour.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table);
-/*
- * Get the simple-secure-update policy table.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table);
-/*
- * Set / clear the simple-secure-update policy table.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_mem_t *
-dns_zone_getmctx(dns_zone_t *zone);
-/*
- * Get the memory context of a zone.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-dns_zonemgr_t *
-dns_zone_getmgr(dns_zone_t *zone);
-/*
- * If 'zone' is managed return the zone manager otherwise NULL.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
-/*
- * Set the zone's SIG validity interval. This is the length of time
- * for which DNSSEC signatures created as a result of dynamic updates
- * to secure zones will remain valid, in seconds.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_uint32_t
-dns_zone_getsigvalidityinterval(dns_zone_t *zone);
-/*
- * Get the zone's SIG validity interval.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-void
-dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype);
-/*
- * Sets zone notify method to "notifytype"
- */
-
-isc_result_t
-dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
- dns_updatecallback_t callback, void *callback_arg);
-/*
- * Forward 'msg' to each master in turn until we get an answer or we
- * have exausted the list of masters. 'callback' will be called with
- * ISC_R_SUCCESS if we get an answer and the returned message will be
- * passed as 'answer_message', otherwise a non ISC_R_SUCCESS result code
- * will be passed and answer_message will be NULL. The callback function
- * is responsible for destroying 'answer_message'.
- * (callback)(callback_arg, result, answer_message);
- *
- * Require:
- * 'zone' to be valid
- * 'msg' to be valid.
- * 'callback' to be non NULL.
- * Returns:
- * ISC_R_SUCCESS if the message has been forwarded,
- * ISC_R_NOMEMORY
- * Others
- */
-
-isc_result_t
-dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
-/*
- * Find the next zone in the list of managed zones.
- *
- * Requires:
- * 'zone' to be valid
- * The zone manager for the indicated zone MUST be locked
- * by the caller. This is not checked.
- * 'next' be non-NULL, and '*next' be NULL.
- *
- * Ensures:
- * 'next' points to a valid zone (result ISC_R_SUCCESS) or to NULL
- * (result ISC_R_NOMORE).
- */
-
-isc_result_t
-dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
-/*
- * Find the first zone in the list of managed zones.
- *
- * Requires:
- * 'zonemgr' to be valid
- * The zone manager for the indicated zone MUST be locked
- * by the caller. This is not checked.
- * 'first' be non-NULL, and '*first' be NULL
- *
- * Ensures:
- * 'first' points to a valid zone (result ISC_R_SUCCESS) or to NULL
- * (result ISC_R_NOMORE).
- */
-
-isc_result_t
-dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
-/*
- * Sets the name of the directory where private keys used for
- * online signing of dynamic zones are found.
- *
- * Require:
- * 'zone' to be a valid zone.
- *
- * Returns:
- * ISC_R_NOMEMORY
- * ISC_R_SUCCESS
- */
-
-const char *
-dns_zone_getkeydirectory(dns_zone_t *zone);
-/*
- * Gets the name of the directory where private keys used for
- * online signing of dynamic zones are found.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- *
- * Returns:
- * Pointer to null-terminated file name, or NULL.
- */
-
-
-isc_result_t
-dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
- dns_zonemgr_t **zmgrp);
-/*
- * Create a zone manager.
- *
- * Requires:
- * 'mctx' to be a valid memory context.
- * 'taskmgr' to be a valid task manager.
- * 'timermgr' to be a valid timer manager.
- * 'zmgrp' to point to a NULL pointer.
- */
-
-isc_result_t
-dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
-/*
- * Bring the zone under control of a zone manager.
- *
- * Require:
- * 'zmgr' to be a valid zone manager.
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
-/*
- * Force zone maintenance of all zones managed by 'zmgr' at its
- * earliest conveniene.
- */
-
-void
-dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr);
-/*
- * Attempt to start any stalled zone transfers.
- */
-
-void
-dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
-/*
- * Shut down the zone manager.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target);
-/*
- * Attach '*target' to 'source' incrementing its external
- * reference count.
- *
- * Require:
- * 'zone' to be a valid zone.
- * 'target' to be non NULL and '*target' to be NULL.
- */
-
-void
-dns_zonemgr_detach(dns_zonemgr_t **zmgrp);
-/*
- * Detach from a zone manager.
- *
- * Requires:
- * '*zmgrp' is a valid, non-NULL zone manager pointer.
- *
- * Ensures:
- * '*zmgrp' is NULL.
- */
-
-void
-dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
-/*
- * Release 'zone' from the managed by 'zmgr'. 'zmgr' is implicitly
- * detached from 'zone'.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- * 'zone' to be a valid zone.
- * 'zmgr' == 'zone->zmgr'
- *
- * Ensures:
- * 'zone->zmgr' == NULL;
- */
-
-void
-dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
-/*
- * Set the maximum number of simultanious transfers in allowed by
- * the zone manager.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- */
-
-isc_uint32_t
-dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
-/*
- * Return the the maximum number of simultanious transfers in allowed.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value);
-/*
- * Set the number of zone transfers allowed per nameserver.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager
- */
-
-isc_uint32_t
-dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
-/*
- * Return the number of transfers allowed per nameserver.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit);
-/*
- * Set the number of simultaneous file descriptors available for
- * reading and writing masterfiles.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- * 'iolimit' to be positive.
- */
-
-isc_uint32_t
-dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr);
-/*
- * Get the number of simultaneous file descriptors available for
- * reading and writing masterfiles.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- */
-
-void
-dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value);
-/*
- * Set the number of SOA queries sent per second.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager
- */
-
-unsigned int
-dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr);
-/*
- * Return the number of SOA queries sent per second.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- */
-
-unsigned int
-dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
-/*
- * Returns the number of zones in the specified state.
- *
- * Requires:
- * 'zmgr' to be a valid zone manager.
- * 'state' to be a valid DNS_ZONESTATE_ constant.
- */
-
-void
-dns_zone_forcereload(dns_zone_t *zone);
-/*
- * Force a reload of specified zone.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_boolean_t
-dns_zone_isforced(dns_zone_t *zone);
-/*
- * Check if the zone is waiting a forced reload.
- *
- * Requires:
- * 'zone' to be a valid zone.
- */
-
-isc_result_t
-dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on);
-/*
- * Make the zone keep or not keep an array of statistics
- * counter.
- *
- * Requires:
- * zone be a valid zone.
- */
-
-isc_uint64_t *
-dns_zone_getstatscounters(dns_zone_t *zone);
-/*
- * Requires:
- * zone be a valid zone.
- *
- * Returns:
- * A pointer to the zone's array of statistics counters,
- * or NULL if it has none.
- */
-
-void
-dns_zone_dialup(dns_zone_t *zone);
-/*
- * Perform dialup-time maintenance on 'zone'.
- */
-
-void
-dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup);
-/*
- * Set the dialup type of 'zone' to 'dialup'.
- *
- * Requires:
- * 'zone' to be valid initialised zone.
- * 'dialup' to be a valid dialup type.
- */
-
-void
-dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
- ISC_FORMAT_PRINTF(3, 4);
-/*
- * Log the message 'msg...' at 'level', including text that identifies
- * the message as applying to 'zone'.
- */
-
-void
-dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
- const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
-/*
- * Log the message 'msg...' at 'level', including text that identifies
- * the message as applying to 'zone'.
- */
-
-void
-dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
-/*
- * Return the name of the zone with class and view.
- *
- * Requires:
- * 'zone' to be valid.
- * 'buf' to be non NULL.
- */
-
-isc_result_t
-dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
-/*
- * Check if this record meets the check-names policy.
- *
- * Requires:
- * 'zone' to be valid.
- * 'name' to be valid.
- * 'rdata' to be valid.
- *
- * Returns:
- * DNS_R_SUCCESS passed checks.
- * DNS_R_BADOWNERNAME failed ownername checks.
- * DNS_R_BADNAME failed rdata checks.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ZONE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zonekey.h b/contrib/bind9/lib/dns/include/dns/zonekey.h
deleted file mode 100644
index 1ac906647f14..000000000000
--- a/contrib/bind9/lib/dns/include/dns/zonekey.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zonekey.h,v 1.3.206.1 2004/03/06 08:14:01 marka Exp $ */
-
-#ifndef DNS_ZONEKEY_H
-#define DNS_ZONEKEY_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_boolean_t
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
-/*
- * Determines if the key record contained in the rdata is a zone key.
- *
- * Requires:
- * 'keyrdata' is not NULL.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ZONEKEY_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zt.h b/contrib/bind9/lib/dns/include/dns/zt.h
deleted file mode 100644
index fb435905cd46..000000000000
--- a/contrib/bind9/lib/dns/include/dns/zt.h
+++ /dev/null
@@ -1,167 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zt.h,v 1.27.2.2.8.1 2004/03/06 08:14:01 marka Exp $ */
-
-#ifndef DNS_ZT_H
-#define DNS_ZT_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-#define DNS_ZTFIND_NOEXACT 0x01
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **zt);
-/*
- * Creates a new zone table.
- *
- * Requires:
- * 'mctx' to be initialized.
- *
- * Returns:
- * ISC_R_SUCCESS on success.
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
-/*
- * Mounts the zone on the zone table.
- *
- * Requires:
- * 'zt' to be valid
- * 'zone' to be valid
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_EXISTS
- * ISC_R_NOSPACE
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
-/*
- * Unmount the given zone from the table.
- *
- * Requires:
- * 'zt' to be valid
- * 'zone' to be valid
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
- dns_name_t *foundname, dns_zone_t **zone);
-/*
- * Find the best match for 'name' in 'zt'. If foundname is non NULL
- * then the name of the zone found is returned.
- *
- * Notes:
- * If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
- * to 'name' will be returned.
- *
- * Requires:
- * 'zt' to be valid
- * 'name' to be valid
- * 'foundname' to be initialized and associated with a fixedname or NULL
- * 'zone' to be non NULL and '*zone' to be NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * DNS_R_PARTIALMATCH
- * ISC_R_NOTFOUND
- * ISC_R_NOSPACE
- */
-
-void
-dns_zt_detach(dns_zt_t **ztp);
-/*
- * Detach the given zonetable, if the reference count goes to zero the
- * zonetable will be freed. In either case 'ztp' is set to NULL.
- *
- * Requires:
- * '*ztp' to be valid
- */
-
-void
-dns_zt_flushanddetach(dns_zt_t **ztp);
-/*
- * Detach the given zonetable, if the reference count goes to zero the
- * zonetable will be flushed and then freed. In either case 'ztp' is
- * set to NULL.
- *
- * Requires:
- * '*ztp' to be valid
- */
-
-void
-dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
-/*
- * Attach 'zt' to '*ztp'.
- *
- * Requires:
- * 'zt' to be valid
- * '*ztp' to be NULL
- */
-
-isc_result_t
-dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
-
-isc_result_t
-dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop);
-/*
- * Load all zones in the table. If 'stop' is ISC_TRUE,
- * stop on the first error and return it. If 'stop'
- * is ISC_FALSE, ignore errors.
- *
- * dns_zt_loadnew() only loads zones that are not yet loaded.
- * dns_zt_load() also loads zones that are already loaded and
- * and whose master file has changed since the last load.
- *
- * Requires:
- * 'zt' to be valid
- */
-
-isc_result_t
-dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
- isc_result_t (*action)(dns_zone_t *, void *), void *uap);
-/*
- * Apply a given 'action' to all zone zones in the table.
- * If 'stop' is 'ISC_TRUE' then walking the zone tree will stop if
- * 'action' does not return ISC_R_SUCCESS.
- *
- * Requires:
- * 'zt' to be valid.
- * 'action' to be non NULL.
- *
- * Returns:
- * ISC_R_SUCCESS if action was applied to all nodes.
- * any error code from 'action'.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_ZT_H */
diff --git a/contrib/bind9/lib/dns/include/dst/Makefile.in b/contrib/bind9/lib/dns/include/dst/Makefile.in
deleted file mode 100644
index efebfaa59bf0..000000000000
--- a/contrib/bind9/lib/dns/include/dst/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.4.1 2004/12/09 04:07:19 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS = dst.h lib.h result.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dst
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dst ; \
- done
diff --git a/contrib/bind9/lib/dns/include/dst/dst.h b/contrib/bind9/lib/dns/include/dst/dst.h
deleted file mode 100644
index 1629da592a75..000000000000
--- a/contrib/bind9/lib/dns/include/dst/dst.h
+++ /dev/null
@@ -1,570 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dst.h,v 1.1.4.1 2004/12/09 04:07:19 marka Exp $ */
-
-#ifndef DST_DST_H
-#define DST_DST_H 1
-
-#include <isc/lang.h>
-
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-/*
- * The dst_key structure is opaque. Applications should use the accessor
- * functions provided to retrieve key attributes. If an application needs
- * to set attributes, new accessor functions will be written.
- */
-
-typedef struct dst_key dst_key_t;
-typedef struct dst_context dst_context_t;
-
-/* DST algorithm codes */
-#define DST_ALG_UNKNOWN 0
-#define DST_ALG_RSAMD5 1
-#define DST_ALG_RSA DST_ALG_RSAMD5 /* backwards compatibility */
-#define DST_ALG_DH 2
-#define DST_ALG_DSA 3
-#define DST_ALG_ECC 4
-#define DST_ALG_RSASHA1 5
-#define DST_ALG_HMACMD5 157
-#define DST_ALG_GSSAPI 160
-#define DST_ALG_PRIVATE 254
-#define DST_ALG_EXPAND 255
-#define DST_MAX_ALGS 255
-
-/* A buffer of this size is large enough to hold any key */
-#define DST_KEY_MAXSIZE 1280
-
-/*
- * A buffer of this size is large enough to hold the textual representation
- * of any key
- */
-#define DST_KEY_MAXTEXTSIZE 2048
-
-/* 'Type' for dst_read_key() */
-#define DST_TYPE_KEY 0x1000000 /* KEY key */
-#define DST_TYPE_PRIVATE 0x2000000
-#define DST_TYPE_PUBLIC 0x4000000
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
-/*
- * Initializes the DST subsystem.
- *
- * Requires:
- * "mctx" is a valid memory context
- * "ectx" is a valid entropy context
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Ensures:
- * DST is properly initialized.
- */
-
-void
-dst_lib_destroy(void);
-/*
- * Releases all resources allocated by DST.
- */
-
-isc_boolean_t
-dst_algorithm_supported(unsigned int alg);
-/*
- * Checks that a given algorithm is supported by DST.
- *
- * Returns:
- * ISC_TRUE
- * ISC_FALSE
- */
-
-isc_result_t
-dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
-/*
- * Creates a context to be used for a sign or verify operation.
- *
- * Requires:
- * "key" is a valid key.
- * "mctx" is a valid memory context.
- * dctxp != NULL && *dctxp == NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- *
- * Ensures:
- * *dctxp will contain a usable context.
- */
-
-void
-dst_context_destroy(dst_context_t **dctxp);
-/*
- * Destroys all memory associated with a context.
- *
- * Requires:
- * *dctxp != NULL && *dctxp == NULL
- *
- * Ensures:
- * *dctxp == NULL
- */
-
-isc_result_t
-dst_context_adddata(dst_context_t *dctx, const isc_region_t *data);
-/*
- * Incrementally adds data to the context to be used in a sign or verify
- * operation.
- *
- * Requires:
- * "dctx" is a valid context
- * "data" is a valid region
- *
- * Returns:
- * ISC_R_SUCCESS
- * DST_R_SIGNFAILURE
- * all other errors indicate failure
- */
-
-isc_result_t
-dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig);
-/*
- * Computes a signature using the data and key stored in the context.
- *
- * Requires:
- * "dctx" is a valid context.
- * "sig" is a valid buffer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * DST_R_VERIFYFAILURE
- * all other errors indicate failure
- *
- * Ensures:
- * "sig" will contain the signature
- */
-
-isc_result_t
-dst_context_verify(dst_context_t *dctx, isc_region_t *sig);
-/*
- * Verifies the signature using the data and key stored in the context.
- *
- * Requires:
- * "dctx" is a valid context.
- * "sig" is a valid region.
- *
- * Returns:
- * ISC_R_SUCCESS
- * all other errors indicate failure
- *
- * Ensures:
- * "sig" will contain the signature
- */
-
-isc_result_t
-dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
- isc_buffer_t *secret);
-/*
- * Computes a shared secret from two (Diffie-Hellman) keys.
- *
- * Requires:
- * "pub" is a valid key that can be used to derive a shared secret
- * "priv" is a valid private key that can be used to derive a shared secret
- * "secret" is a valid buffer
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, secret will contain the derived shared secret.
- */
-
-isc_result_t
-dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
- const char *directory, isc_mem_t *mctx, dst_key_t **keyp);
-/*
- * Reads a key from permanent storage. The key can either be a public or
- * private key, and is specified by name, algorithm, and id. If a private key
- * is specified, the public key must also be present. If directory is NULL,
- * the current directory is assumed.
- *
- * Requires:
- * "name" is a valid absolute dns name.
- * "id" is a valid key tag identifier.
- * "alg" is a supported key algorithm.
- * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
- * DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * "mctx" is a valid memory context.
- * "keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, *keyp will contain a valid key.
- */
-
-isc_result_t
-dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
- dst_key_t **keyp);
-/*
- * Reads a key from permanent storage. The key can either be a public or
- * key, and is specified by filename. If a private key is specified, the
- * public key must also be present.
- *
- * Requires:
- * "filename" is not NULL
- * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
- * DST_TYPE_KEY look for a KEY record otherwise DNSKEY
- * "mctx" is a valid memory context
- * "keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, *keyp will contain a valid key.
- */
-
-isc_result_t
-dst_key_tofile(const dst_key_t *key, int type, const char *directory);
-/*
- * Writes a key to permanent storage. The key can either be a public or
- * private key. Public keys are written in DNS format and private keys
- * are written as a set of base64 encoded values. If directory is NULL,
- * the current directory is assumed.
- *
- * Requires:
- * "key" is a valid key.
- * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- */
-
-isc_result_t
-dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*
- * Converts a DNS KEY record into a DST key.
- *
- * Requires:
- * "name" is a valid absolute dns name.
- * "source" is a valid buffer. There must be at least 4 bytes available.
- * "mctx" is a valid memory context.
- * "keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, *keyp will contain a valid key, and the consumed
- * pointer in data will be advanced.
- */
-
-isc_result_t
-dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
-/*
- * Converts a DST key into a DNS KEY record.
- *
- * Requires:
- * "key" is a valid key.
- * "target" is a valid buffer. There must be at least 4 bytes unused.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, the used pointer in 'target' is advanced by at least 4.
- */
-
-isc_result_t
-dst_key_frombuffer(dns_name_t *name, unsigned int alg,
- unsigned int flags, unsigned int protocol,
- dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
-/*
- * Converts a buffer containing DNS KEY RDATA into a DST key.
- *
- * Requires:
- * "name" is a valid absolute dns name.
- * "alg" is a supported key algorithm.
- * "source" is a valid buffer.
- * "mctx" is a valid memory context.
- * "keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, *keyp will contain a valid key, and the consumed
- * pointer in source will be advanced.
- */
-
-isc_result_t
-dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
-/*
- * Converts a DST key into DNS KEY RDATA format.
- *
- * Requires:
- * "key" is a valid key.
- * "target" is a valid buffer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, the used pointer in 'target' is advanced.
- */
-
-isc_result_t
-dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
-/*
- * Converts a public key into a private key, reading the private key
- * information from the buffer. The buffer should contain the same data
- * as the .private key file would.
- *
- * Requires:
- * "key" is a valid public key.
- * "buffer" is not NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, key will contain a valid private key.
- */
-
-
-isc_result_t
-dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
- dst_key_t **keyp);
-/*
- * Converts a GSSAPI opaque context id into a DST key.
- *
- * Requires:
- * "name" is a valid absolute dns name.
- * "opaque" is a GSSAPI context id.
- * "mctx" is a valid memory context.
- * "keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, *keyp will contain a valid key and be responsible for
- * the context id.
- */
-
-isc_result_t
-dst_key_generate(dns_name_t *name, unsigned int alg,
- unsigned int bits, unsigned int param,
- unsigned int flags, unsigned int protocol,
- dns_rdataclass_t rdclass,
- isc_mem_t *mctx, dst_key_t **keyp);
-/*
- * Generate a DST key (or keypair) with the supplied parameters. The
- * interpretation of the "param" field depends on the algorithm:
- * RSA: exponent
- * 0 use exponent 3
- * !0 use Fermat4 (2^16 + 1)
- * DH: generator
- * 0 default - use well known prime if bits == 768 or 1024,
- * otherwise use 2 as the generator.
- * !0 use this value as the generator.
- * DSA: unused
- * HMACMD5: entropy
- * 0 default - require good entropy
- * !0 lack of good entropy is ok
- *
- * Requires:
- * "name" is a valid absolute dns name.
- * "keyp" is not NULL and "*keyp" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS
- * any other result indicates failure
- *
- * Ensures:
- * If successful, *keyp will contain a valid key.
- */
-
-isc_boolean_t
-dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
-/*
- * Compares two DST keys.
- *
- * Requires:
- * "key1" is a valid key.
- * "key2" is a valid key.
- *
- * Returns:
- * ISC_TRUE
- * ISC_FALSE
- */
-
-isc_boolean_t
-dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
-/*
- * Compares the parameters of two DST keys. This is used to determine if
- * two (Diffie-Hellman) keys can be used to derive a shared secret.
- *
- * Requires:
- * "key1" is a valid key.
- * "key2" is a valid key.
- *
- * Returns:
- * ISC_TRUE
- * ISC_FALSE
- */
-
-void
-dst_key_free(dst_key_t **keyp);
-/*
- * Release all memory associated with the key.
- *
- * Requires:
- * "keyp" is not NULL and "*keyp" is a valid key.
- *
- * Ensures:
- * All memory associated with "*keyp" will be freed.
- * *keyp == NULL
- */
-
-/*
- * Accessor functions to obtain key fields.
- *
- * Require:
- * "key" is a valid key.
- */
-dns_name_t *
-dst_key_name(const dst_key_t *key);
-
-unsigned int
-dst_key_size(const dst_key_t *key);
-
-unsigned int
-dst_key_proto(const dst_key_t *key);
-
-unsigned int
-dst_key_alg(const dst_key_t *key);
-
-isc_uint32_t
-dst_key_flags(const dst_key_t *key);
-
-dns_keytag_t
-dst_key_id(const dst_key_t *key);
-
-dns_rdataclass_t
-dst_key_class(const dst_key_t *key);
-
-isc_boolean_t
-dst_key_isprivate(const dst_key_t *key);
-
-isc_boolean_t
-dst_key_iszonekey(const dst_key_t *key);
-
-isc_boolean_t
-dst_key_isnullkey(const dst_key_t *key);
-
-isc_result_t
-dst_key_buildfilename(const dst_key_t *key, int type,
- const char *directory, isc_buffer_t *out);
-/*
- * Generates the filename used by dst to store the specified key.
- * If directory is NULL, the current directory is assumed.
- *
- * Requires:
- * "key" is a valid key
- * "type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
- * "out" is a valid buffer
- *
- * Ensures:
- * the file name will be written to "out", and the used pointer will
- * be advanced.
- */
-
-isc_result_t
-dst_key_sigsize(const dst_key_t *key, unsigned int *n);
-/*
- * Computes the size of a signature generated by the given key.
- *
- * Requires:
- * "key" is a valid key.
- * "n" is not NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * DST_R_UNSUPPORTEDALG
- *
- * Ensures:
- * "n" stores the size of a generated signature
- */
-
-isc_result_t
-dst_key_secretsize(const dst_key_t *key, unsigned int *n);
-/*
- * Computes the size of a shared secret generated by the given key.
- *
- * Requires:
- * "key" is a valid key.
- * "n" is not NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * DST_R_UNSUPPORTEDALG
- *
- * Ensures:
- * "n" stores the size of a generated shared secret
- */
-
-isc_uint16_t
-dst_region_computeid(const isc_region_t *source, unsigned int alg);
-/*
- * Computes the key id of the key stored in the provided region with the
- * given algorithm.
- *
- * Requires:
- * "source" contains a valid, non-NULL region.
- *
- * Returns:
- * the key id
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_DST_H */
diff --git a/contrib/bind9/lib/dns/include/dst/gssapi.h b/contrib/bind9/lib/dns/include/dst/gssapi.h
deleted file mode 100644
index 1d746568d638..000000000000
--- a/contrib/bind9/lib/dns/include/dst/gssapi.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gssapi.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
-
-#ifndef DST_GSSAPI_H
-#define DST_GSSAPI_H 1
-
-#include <isc/lang.h>
-
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred);
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context);
-
-isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
- isc_region_t *intoken, isc_buffer_t *outtoken,
- void **context);
-
-/*
- * XXX
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_GSSAPI_H */
diff --git a/contrib/bind9/lib/dns/include/dst/lib.h b/contrib/bind9/lib/dns/include/dst/lib.h
deleted file mode 100644
index 7a8e73e4dc55..000000000000
--- a/contrib/bind9/lib/dns/include/dst/lib.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
-
-#ifndef DST_LIB_H
-#define DST_LIB_H 1
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dst_msgcat;
-
-void
-dst_lib_initmsgcat(void);
-/*
- * Initialize the DST library's message catalog, dst_msgcat, if it
- * has not already been initialized.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_LIB_H */
diff --git a/contrib/bind9/lib/dns/include/dst/result.h b/contrib/bind9/lib/dns/include/dst/result.h
deleted file mode 100644
index 015e0863c4d8..000000000000
--- a/contrib/bind9/lib/dns/include/dst/result.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.1.4.1 2004/12/09 04:07:20 marka Exp $ */
-
-#ifndef DST_RESULT_H
-#define DST_RESULT_H 1
-
-#include <isc/lang.h>
-#include <isc/resultclass.h>
-
-/*
- * Nothing in this file truly depends on <isc/result.h>, but the
- * DST result codes are considered to be publicly derived from
- * the ISC result codes, so including this file buys you the ISC_R_
- * namespace too.
- */
-#include <isc/result.h> /* Contractual promise. */
-
-#define DST_R_UNSUPPORTEDALG (ISC_RESULTCLASS_DST + 0)
-#define DST_R_OPENSSLFAILURE (ISC_RESULTCLASS_DST + 1)
-#define DST_R_NOCRYPTO (ISC_RESULTCLASS_DST + 2)
-#define DST_R_NULLKEY (ISC_RESULTCLASS_DST + 3)
-#define DST_R_INVALIDPUBLICKEY (ISC_RESULTCLASS_DST + 4)
-#define DST_R_INVALIDPRIVATEKEY (ISC_RESULTCLASS_DST + 5)
-/* 6 is unused */
-#define DST_R_WRITEERROR (ISC_RESULTCLASS_DST + 7)
-#define DST_R_INVALIDPARAM (ISC_RESULTCLASS_DST + 8)
-/* 9 is unused */
-/* 10 is unused */
-#define DST_R_SIGNFAILURE (ISC_RESULTCLASS_DST + 11)
-/* 12 is unused */
-/* 13 is unused */
-#define DST_R_VERIFYFAILURE (ISC_RESULTCLASS_DST + 14)
-#define DST_R_NOTPUBLICKEY (ISC_RESULTCLASS_DST + 15)
-#define DST_R_NOTPRIVATEKEY (ISC_RESULTCLASS_DST + 16)
-#define DST_R_KEYCANNOTCOMPUTESECRET (ISC_RESULTCLASS_DST + 17)
-#define DST_R_COMPUTESECRETFAILURE (ISC_RESULTCLASS_DST + 18)
-#define DST_R_NORANDOMNESS (ISC_RESULTCLASS_DST + 19)
-#define DST_R_BADKEYTYPE (ISC_RESULTCLASS_DST + 20)
-
-#define DST_R_NRESULTS 21 /* Number of results */
-
-ISC_LANG_BEGINDECLS
-
-const char *
-dst_result_totext(isc_result_t);
-
-void
-dst_result_register(void);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DST_RESULT_H */
diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c
deleted file mode 100644
index 536416d931a1..000000000000
--- a/contrib/bind9/lib/dns/journal.c
+++ /dev/null
@@ -1,2142 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: journal.c,v 1.77.2.1.10.13 2005/11/03 23:08:41 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <isc/file.h>
-#include <isc/mem.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/compress.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/diff.h>
-#include <dns/fixedname.h>
-#include <dns/journal.h>
-#include <dns/log.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-
-/*
- * When true, accept IXFR difference sequences where the
- * SOA serial number does not change (BIND 8 sends such
- * sequences).
- */
-static isc_boolean_t bind8_compat = ISC_TRUE; /* XXX config */
-
-/**************************************************************************/
-/*
- * Miscellaneous utilities.
- */
-
-#define JOURNAL_COMMON_LOGARGS \
- dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_JOURNAL
-
-#define JOURNAL_DEBUG_LOGARGS(n) \
- JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
-
-/*
- * It would be non-sensical (or at least obtuse) to use FAIL() with an
- * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAIL(code) \
- do { result = (code); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-static isc_result_t index_to_disk(dns_journal_t *);
-
-static inline isc_uint32_t
-decode_uint32(unsigned char *p) {
- return ((p[0] << 24) +
- (p[1] << 16) +
- (p[2] << 8) +
- (p[3] << 0));
-}
-
-static inline void
-encode_uint32(isc_uint32_t val, unsigned char *p) {
- p[0] = (isc_uint8_t)(val >> 24);
- p[1] = (isc_uint8_t)(val >> 16);
- p[2] = (isc_uint8_t)(val >> 8);
- p[3] = (isc_uint8_t)(val >> 0);
-}
-
-isc_result_t
-dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
- dns_diffop_t op, dns_difftuple_t **tp)
-{
- isc_result_t result;
- dns_dbnode_t *node;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_name_t *zonename;
-
- zonename = dns_db_origin(db);
-
- node = NULL;
- result = dns_db_findnode(db, zonename, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto nonode;
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
- (isc_stdtime_t)0, &rdataset, NULL);
- if (result != ISC_R_SUCCESS)
- goto freenode;
-
- result = dns_rdataset_first(&rdataset);
- if (result != ISC_R_SUCCESS)
- goto freenode;
-
- dns_rdataset_current(&rdataset, &rdata);
-
- result = dns_difftuple_create(mctx, op, zonename, rdataset.ttl,
- &rdata, tp);
-
- dns_rdataset_disassociate(&rdataset);
- dns_db_detachnode(db, &node);
- return (ISC_R_SUCCESS);
-
- freenode:
- dns_db_detachnode(db, &node);
- nonode:
- UNEXPECTED_ERROR(__FILE__, __LINE__, "missing SOA");
- return (result);
-}
-
-/**************************************************************************/
-/*
- * Journalling.
- */
-
-/*
- * A journal file consists of
- *
- * - A fixed-size header of type journal_rawheader_t.
- *
- * - The index. This is an unordered array of index entries
- * of type journal_rawpos_t giving the locations
- * of some arbitrary subset of the journal's addressable
- * transactions. The index entries are used as hints to
- * speed up the process of locating a transaction with a given
- * serial number. Unused index entries have an "offset"
- * field of zero. The size of the index can vary between
- * journal files, but does not change during the lifetime
- * of a file. The size can be zero.
- *
- * - The journal data. This consists of one or more transactions.
- * Each transaction begins with a transaction header of type
- * journal_rawxhdr_t. The transaction header is followed by a
- * sequence of RRs, similar in structure to an IXFR difference
- * sequence (RFC1995). That is, the pre-transaction SOA,
- * zero or more other deleted RRs, the post-transaction SOA,
- * and zero or more other added RRs. Unlike in IXFR, each RR
- * is prefixed with a 32-bit length.
- *
- * The journal data part grows as new transactions are
- * appended to the file. Only those transactions
- * whose serial number is current-(2^31-1) to current
- * are considered "addressable" and may be pointed
- * to from the header or index. They may be preceded
- * by old transactions that are no longer addressable,
- * and they may be followed by transactions that were
- * appended to the journal but never committed by updating
- * the "end" position in the header. The latter will
- * be overwritten when new transactions are added.
- */
-
-/*
- * On-disk representation of a "pointer" to a journal entry.
- * These are used in the journal header to locate the beginning
- * and end of the journal, and in the journal index to locate
- * other transactions.
- */
-typedef struct {
- unsigned char serial[4]; /* SOA serial before update. */
- /*
- * XXXRTH Should offset be 8 bytes?
- * XXXDCL ... probably, since isc_offset_t is 8 bytes on many OSs.
- * XXXAG ... but we will not be able to seek >2G anyway on many
- * platforms as long as we are using fseek() rather
- * than lseek().
- */
- unsigned char offset[4]; /* Offset from beginning of file. */
-} journal_rawpos_t;
-
-/*
- * The on-disk representation of the journal header.
- * All numbers are stored in big-endian order.
- */
-
-/*
- * The header is of a fixed size, with some spare room for future
- * extensions.
- */
-#define JOURNAL_HEADER_SIZE 64 /* Bytes. */
-
-typedef union {
- struct {
- /* File format version ID. */
- unsigned char format[16];
- /* Position of the first addressable transaction */
- journal_rawpos_t begin;
- /* Position of the next (yet nonexistent) transaction. */
- journal_rawpos_t end;
- /* Number of index entries following the header. */
- unsigned char index_size[4];
- } h;
- /* Pad the header to a fixed size. */
- unsigned char pad[JOURNAL_HEADER_SIZE];
-} journal_rawheader_t;
-
-/*
- * The on-disk representation of the transaction header.
- * There is one of these at the beginning of each transaction.
- */
-typedef struct {
- unsigned char size[4]; /* In bytes, excluding header. */
- unsigned char serial0[4]; /* SOA serial before update. */
- unsigned char serial1[4]; /* SOA serial after update. */
-} journal_rawxhdr_t;
-
-/*
- * The on-disk representation of the RR header.
- * There is one of these at the beginning of each RR.
- */
-typedef struct {
- unsigned char size[4]; /* In bytes, excluding header. */
-} journal_rawrrhdr_t;
-
-/*
- * The in-core representation of the journal header.
- */
-typedef struct {
- isc_uint32_t serial;
- isc_offset_t offset;
-} journal_pos_t;
-
-#define POS_VALID(pos) ((pos).offset != 0)
-#define POS_INVALIDATE(pos) ((pos).offset = 0, (pos).serial = 0)
-
-typedef struct {
- unsigned char format[16];
- journal_pos_t begin;
- journal_pos_t end;
- isc_uint32_t index_size;
-} journal_header_t;
-
-/*
- * The in-core representation of the transaction header.
- */
-
-typedef struct {
- isc_uint32_t size;
- isc_uint32_t serial0;
- isc_uint32_t serial1;
-} journal_xhdr_t;
-
-/*
- * The in-core representation of the RR header.
- */
-typedef struct {
- isc_uint32_t size;
-} journal_rrhdr_t;
-
-
-/*
- * Initial contents to store in the header of a newly created
- * journal file.
- *
- * The header starts with the magic string ";BIND LOG V9\n"
- * to identify the file as a BIND 9 journal file. An ASCII
- * identification string is used rather than a binary magic
- * number to be consistent with BIND 8 (BIND 8 journal files
- * are ASCII text files).
- */
-
-static journal_header_t
-initial_journal_header = { ";BIND LOG V9\n", { 0, 0 }, { 0, 0 }, 0 };
-
-#define JOURNAL_EMPTY(h) ((h)->begin.offset == (h)->end.offset)
-
-typedef enum {
- JOURNAL_STATE_INVALID,
- JOURNAL_STATE_READ,
- JOURNAL_STATE_WRITE,
- JOURNAL_STATE_TRANSACTION
-} journal_state_t;
-
-struct dns_journal {
- unsigned int magic; /* JOUR */
- isc_mem_t *mctx; /* Memory context */
- journal_state_t state;
- const char *filename; /* Journal file name */
- FILE * fp; /* File handle */
- isc_offset_t offset; /* Current file offset */
- journal_header_t header; /* In-core journal header */
- unsigned char *rawindex; /* In-core buffer for journal
- index in on-disk format */
- journal_pos_t *index; /* In-core journal index */
-
- /* Current transaction state (when writing). */
- struct {
- unsigned int n_soa; /* Number of SOAs seen */
- journal_pos_t pos[2]; /* Begin/end position */
- } x;
-
- /* Iteration state (when reading). */
- struct {
- /* These define the part of the journal we iterate over. */
- journal_pos_t bpos; /* Position before first, */
- journal_pos_t epos; /* and after last
- transaction */
- /* The rest is iterator state. */
- isc_uint32_t current_serial; /* Current SOA serial */
- isc_buffer_t source; /* Data from disk */
- isc_buffer_t target; /* Data from _fromwire check */
- dns_decompress_t dctx; /* Dummy decompression ctx */
- dns_name_t name; /* Current domain name */
- dns_rdata_t rdata; /* Current rdata */
- isc_uint32_t ttl; /* Current TTL */
- unsigned int xsize; /* Size of transaction data */
- unsigned int xpos; /* Current position in it */
- isc_result_t result; /* Result of last call */
- } it;
-};
-
-#define DNS_JOURNAL_MAGIC ISC_MAGIC('J', 'O', 'U', 'R')
-#define DNS_JOURNAL_VALID(t) ISC_MAGIC_VALID(t, DNS_JOURNAL_MAGIC)
-
-static void
-journal_pos_decode(journal_rawpos_t *raw, journal_pos_t *cooked) {
- cooked->serial = decode_uint32(raw->serial);
- cooked->offset = decode_uint32(raw->offset);
-}
-
-static void
-journal_pos_encode(journal_rawpos_t *raw, journal_pos_t *cooked) {
- encode_uint32(cooked->serial, raw->serial);
- encode_uint32(cooked->offset, raw->offset);
-}
-
-static void
-journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked) {
- INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
- memcpy(cooked->format, raw->h.format, sizeof(cooked->format));
- journal_pos_decode(&raw->h.begin, &cooked->begin);
- journal_pos_decode(&raw->h.end, &cooked->end);
- cooked->index_size = decode_uint32(raw->h.index_size);
-}
-
-static void
-journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw) {
- INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
- memset(raw->pad, 0, sizeof(raw->pad));
- memcpy(raw->h.format, cooked->format, sizeof(raw->h.format));
- journal_pos_encode(&raw->h.begin, &cooked->begin);
- journal_pos_encode(&raw->h.end, &cooked->end);
- encode_uint32(cooked->index_size, raw->h.index_size);
-}
-
-/*
- * Journal file I/O subroutines, with error checking and reporting.
- */
-static isc_result_t
-journal_seek(dns_journal_t *j, isc_uint32_t offset) {
- isc_result_t result;
- result = isc_stdio_seek(j->fp, (long)offset, SEEK_SET);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: seek: %s", j->filename,
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- j->offset = offset;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_read(dns_journal_t *j, void *mem, size_t nbytes) {
- isc_result_t result;
-
- result = isc_stdio_read(mem, 1, nbytes, j->fp, NULL);
- if (result != ISC_R_SUCCESS) {
- if (result == ISC_R_EOF)
- return (ISC_R_NOMORE);
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: read: %s",
- j->filename, isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- j->offset += nbytes;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_write(dns_journal_t *j, void *mem, size_t nbytes) {
- isc_result_t result;
-
- result = isc_stdio_write(mem, 1, nbytes, j->fp, NULL);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: write: %s",
- j->filename, isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- j->offset += nbytes;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_fsync(dns_journal_t *j) {
- isc_result_t result;
- result = isc_stdio_flush(j->fp);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: flush: %s",
- j->filename, isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- result = isc_stdio_sync(j->fp);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: fsync: %s",
- j->filename, isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Read/write a transaction header at the current file position.
- */
-
-static isc_result_t
-journal_read_xhdr(dns_journal_t *j, journal_xhdr_t *xhdr) {
- journal_rawxhdr_t raw;
- isc_result_t result;
- result = journal_read(j, &raw, sizeof(raw));
- if (result != ISC_R_SUCCESS)
- return (result);
- xhdr->size = decode_uint32(raw.size);
- xhdr->serial0 = decode_uint32(raw.serial0);
- xhdr->serial1 = decode_uint32(raw.serial1);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_write_xhdr(dns_journal_t *j, isc_uint32_t size,
- isc_uint32_t serial0, isc_uint32_t serial1)
-{
- journal_rawxhdr_t raw;
- encode_uint32(size, raw.size);
- encode_uint32(serial0, raw.serial0);
- encode_uint32(serial1, raw.serial1);
- return (journal_write(j, &raw, sizeof(raw)));
-}
-
-
-/*
- * Read an RR header at the current file position.
- */
-
-static isc_result_t
-journal_read_rrhdr(dns_journal_t *j, journal_rrhdr_t *rrhdr) {
- journal_rawrrhdr_t raw;
- isc_result_t result;
- result = journal_read(j, &raw, sizeof(raw));
- if (result != ISC_R_SUCCESS)
- return (result);
- rrhdr->size = decode_uint32(raw.size);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_file_create(isc_mem_t *mctx, const char *filename) {
- FILE *fp = NULL;
- isc_result_t result;
- journal_header_t header;
- journal_rawheader_t rawheader;
- int index_size = 56; /* XXX configurable */
- int size;
- void *mem; /* Memory for temporary index image. */
-
- INSIST(sizeof(journal_rawheader_t) == JOURNAL_HEADER_SIZE);
-
- result = isc_stdio_open(filename, "wb", &fp);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: create: %s",
- filename, isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- header = initial_journal_header;
- header.index_size = index_size;
- journal_header_encode(&header, &rawheader);
-
- size = sizeof(journal_rawheader_t) +
- index_size * sizeof(journal_rawpos_t);
-
- mem = isc_mem_get(mctx, size);
- if (mem == NULL) {
- (void)isc_stdio_close(fp);
- (void)isc_file_remove(filename);
- return (ISC_R_NOMEMORY);
- }
- memset(mem, 0, size);
- memcpy(mem, &rawheader, sizeof(rawheader));
-
- result = isc_stdio_write(mem, 1, (size_t) size, fp, NULL);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: write: %s",
- filename, isc_result_totext(result));
- (void)isc_stdio_close(fp);
- (void)isc_file_remove(filename);
- isc_mem_put(mctx, mem, size);
- return (ISC_R_UNEXPECTED);
- }
- isc_mem_put(mctx, mem, size);
-
- result = isc_stdio_close(fp);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: close: %s",
- filename, isc_result_totext(result));
- (void)isc_file_remove(filename);
- return (ISC_R_UNEXPECTED);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
- isc_boolean_t create, dns_journal_t **journalp) {
- FILE *fp = NULL;
- isc_result_t result;
- journal_rawheader_t rawheader;
- dns_journal_t *j;
-
- INSIST(journalp != NULL && *journalp == NULL);
- j = isc_mem_get(mctx, sizeof(*j));
- if (j == NULL)
- return (ISC_R_NOMEMORY);
-
- j->mctx = mctx;
- j->state = JOURNAL_STATE_INVALID;
- j->fp = NULL;
- j->filename = filename;
- j->index = NULL;
- j->rawindex = NULL;
-
- result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
-
- if (result == ISC_R_FILENOTFOUND) {
- if (create) {
- isc_log_write(JOURNAL_COMMON_LOGARGS,
- ISC_LOG_INFO,
- "journal file %s does not exist, "
- "creating it",
- j->filename);
- CHECK(journal_file_create(mctx, filename));
- /*
- * Retry.
- */
- result = isc_stdio_open(j->filename, "rb+", &fp);
- } else {
- FAIL(ISC_R_NOTFOUND);
- }
- }
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: open: %s",
- j->filename, isc_result_totext(result));
- FAIL(ISC_R_UNEXPECTED);
- }
-
- j->fp = fp;
-
- /*
- * Set magic early so that seek/read can succeed.
- */
- j->magic = DNS_JOURNAL_MAGIC;
-
- CHECK(journal_seek(j, 0));
- CHECK(journal_read(j, &rawheader, sizeof(rawheader)));
-
- if (memcmp(rawheader.h.format, initial_journal_header.format,
- sizeof(initial_journal_header.format)) != 0) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: journal format not recognized",
- j->filename);
- FAIL(ISC_R_UNEXPECTED);
- }
- journal_header_decode(&rawheader, &j->header);
-
- /*
- * If there is an index, read the raw index into a dynamically
- * allocated buffer and then convert it into a cooked index.
- */
- if (j->header.index_size != 0) {
- unsigned int i;
- unsigned int rawbytes;
- unsigned char *p;
-
- rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
- j->rawindex = isc_mem_get(mctx, rawbytes);
- if (j->rawindex == NULL)
- FAIL(ISC_R_NOMEMORY);
-
- CHECK(journal_read(j, j->rawindex, rawbytes));
-
- j->index = isc_mem_get(mctx, j->header.index_size *
- sizeof(journal_pos_t));
- if (j->index == NULL)
- FAIL(ISC_R_NOMEMORY);
-
- p = j->rawindex;
- for (i = 0; i < j->header.index_size; i++) {
- j->index[i].serial = decode_uint32(p);
- p += 4;
- j->index[i].offset = decode_uint32(p);
- p += 4;
- }
- INSIST(p == j->rawindex + rawbytes);
- }
- j->offset = -1; /* Invalid, must seek explicitly. */
-
- /*
- * Initialize the iterator.
- */
- dns_name_init(&j->it.name, NULL);
- dns_rdata_init(&j->it.rdata);
-
- /*
- * Set up empty initial buffers for uncheched and checked
- * wire format RR data. They will be reallocated
- * later.
- */
- isc_buffer_init(&j->it.source, NULL, 0);
- isc_buffer_init(&j->it.target, NULL, 0);
- dns_decompress_init(&j->it.dctx, -1, DNS_DECOMPRESS_NONE);
-
- j->state =
- write ? JOURNAL_STATE_WRITE : JOURNAL_STATE_READ;
-
- *journalp = j;
- return (ISC_R_SUCCESS);
-
- failure:
- j->magic = 0;
- if (j->index != NULL) {
- isc_mem_put(j->mctx, j->index, j->header.index_size *
- sizeof(journal_rawpos_t));
- j->index = NULL;
- }
- if (j->fp != NULL)
- (void)isc_stdio_close(j->fp);
- isc_mem_put(j->mctx, j, sizeof(*j));
- return (result);
-}
-
-isc_result_t
-dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
- dns_journal_t **journalp) {
- return (journal_open(mctx, filename, write, write, journalp));
-}
-
-/*
- * A comparison function defining the sorting order for
- * entries in the IXFR-style journal file.
- *
- * The IXFR format requires that deletions are sorted before
- * additions, and within either one, SOA records are sorted
- * before others.
- *
- * Also sort the non-SOA records by type as a courtesy to the
- * server receiving the IXFR - it may help reduce the amount of
- * rdataset merging it has to do.
- */
-static int
-ixfr_order(const void *av, const void *bv) {
- dns_difftuple_t const * const *ap = av;
- dns_difftuple_t const * const *bp = bv;
- dns_difftuple_t const *a = *ap;
- dns_difftuple_t const *b = *bp;
- int r;
-
- r = (b->op == DNS_DIFFOP_DEL) - (a->op == DNS_DIFFOP_DEL);
- if (r != 0)
- return (r);
-
- r = (b->rdata.type == dns_rdatatype_soa) -
- (a->rdata.type == dns_rdatatype_soa);
- if (r != 0)
- return (r);
-
- r = (a->rdata.type - b->rdata.type);
- return (r);
-}
-
-/*
- * Advance '*pos' to the next journal transaction.
- *
- * Requires:
- * *pos refers to a valid journal transaction.
- *
- * Ensures:
- * When ISC_R_SUCCESS is returned,
- * *pos refers to the next journal transaction.
- *
- * Returns one of:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMORE *pos pointed at the last transaction
- * Other results due to file errors are possible.
- */
-static isc_result_t
-journal_next(dns_journal_t *j, journal_pos_t *pos) {
- isc_result_t result;
- journal_xhdr_t xhdr;
- REQUIRE(DNS_JOURNAL_VALID(j));
-
- result = journal_seek(j, pos->offset);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (pos->serial == j->header.end.serial)
- return (ISC_R_NOMORE);
- /*
- * Read the header of the current transaction.
- * This will return ISC_R_NOMORE if we are at EOF.
- */
- result = journal_read_xhdr(j, &xhdr);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Check serial number consistency.
- */
- if (xhdr.serial0 != pos->serial) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: journal file corrupt: "
- "expected serial %u, got %u",
- j->filename, pos->serial, xhdr.serial0);
- return (ISC_R_UNEXPECTED);
- }
-
- /*
- * Check for offset wraparound.
- */
- if ((isc_offset_t)(pos->offset + sizeof(journal_rawxhdr_t) + xhdr.size)
- < pos->offset) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: offset too large", j->filename);
- return (ISC_R_UNEXPECTED);
- }
-
- pos->offset += sizeof(journal_rawxhdr_t) + xhdr.size;
- pos->serial = xhdr.serial1;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * If the index of the journal 'j' contains an entry "better"
- * than '*best_guess', replace '*best_guess' with it.
- *
- * "Better" means having a serial number closer to 'serial'
- * but not greater than 'serial'.
- */
-static void
-index_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *best_guess) {
- unsigned int i;
- if (j->index == NULL)
- return;
- for (i = 0; i < j->header.index_size; i++) {
- if (POS_VALID(j->index[i]) &&
- DNS_SERIAL_GE(serial, j->index[i].serial) &&
- DNS_SERIAL_GT(j->index[i].serial, best_guess->serial))
- *best_guess = j->index[i];
- }
-}
-
-/*
- * Add a new index entry. If there is no room, make room by removing
- * the odd-numbered entries and compacting the others into the first
- * half of the index. This decimates old index entries exponentially
- * over time, so that the index always contains a much larger fraction
- * of recent serial numbers than of old ones. This is deliberate -
- * most index searches are for outgoing IXFR, and IXFR tends to request
- * recent versions more often than old ones.
- */
-static void
-index_add(dns_journal_t *j, journal_pos_t *pos) {
- unsigned int i;
- if (j->index == NULL)
- return;
- /*
- * Search for a vacant position.
- */
- for (i = 0; i < j->header.index_size; i++) {
- if (! POS_VALID(j->index[i]))
- break;
- }
- if (i == j->header.index_size) {
- unsigned int k = 0;
- /*
- * Found no vacant position. Make some room.
- */
- for (i = 0; i < j->header.index_size; i += 2) {
- j->index[k++] = j->index[i];
- }
- i = k; /* 'i' identifies the first vacant position. */
- while (k < j->header.index_size) {
- POS_INVALIDATE(j->index[k]);
- k++;
- }
- }
- INSIST(i < j->header.index_size);
- INSIST(! POS_VALID(j->index[i]));
-
- /*
- * Store the new index entry.
- */
- j->index[i] = *pos;
-}
-
-/*
- * Invalidate any existing index entries that could become
- * ambiguous when a new transaction with number 'serial' is added.
- */
-static void
-index_invalidate(dns_journal_t *j, isc_uint32_t serial) {
- unsigned int i;
- if (j->index == NULL)
- return;
- for (i = 0; i < j->header.index_size; i++) {
- if (! DNS_SERIAL_GT(serial, j->index[i].serial))
- POS_INVALIDATE(j->index[i]);
- }
-}
-
-/*
- * Try to find a transaction with initial serial number 'serial'
- * in the journal 'j'.
- *
- * If found, store its position at '*pos' and return ISC_R_SUCCESS.
- *
- * If 'serial' is current (= the ending serial number of the
- * last transaction in the journal), set '*pos' to
- * the position immediately following the last transaction and
- * return ISC_R_SUCCESS.
- *
- * If 'serial' is within the range of addressable serial numbers
- * covered by the journal but that particular serial number is missing
- * (from the journal, not just from the index), return ISC_R_NOTFOUND.
- *
- * If 'serial' is outside the range of addressable serial numbers
- * covered by the journal, return ISC_R_RANGE.
- *
- */
-static isc_result_t
-journal_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *pos) {
- isc_result_t result;
- journal_pos_t current_pos;
- REQUIRE(DNS_JOURNAL_VALID(j));
-
- if (DNS_SERIAL_GT(j->header.begin.serial, serial))
- return (ISC_R_RANGE);
- if (DNS_SERIAL_GT(serial, j->header.end.serial))
- return (ISC_R_RANGE);
- if (serial == j->header.end.serial) {
- *pos = j->header.end;
- return (ISC_R_SUCCESS);
- }
-
- current_pos = j->header.begin;
- index_find(j, serial, &current_pos);
-
- while (current_pos.serial != serial) {
- if (DNS_SERIAL_GT(current_pos.serial, serial))
- return (ISC_R_NOTFOUND);
- result = journal_next(j, &current_pos);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- *pos = current_pos;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_journal_begin_transaction(dns_journal_t *j) {
- isc_uint32_t offset;
- isc_result_t result;
- journal_rawxhdr_t hdr;
-
- REQUIRE(DNS_JOURNAL_VALID(j));
- REQUIRE(j->state == JOURNAL_STATE_WRITE);
-
- /*
- * Find the file offset where the new transaction should
- * be written, and seek there.
- */
- if (JOURNAL_EMPTY(&j->header)) {
- offset = sizeof(journal_rawheader_t) +
- j->header.index_size * sizeof(journal_rawpos_t);
- } else {
- offset = j->header.end.offset;
- }
- j->x.pos[0].offset = offset;
- j->x.pos[1].offset = offset; /* Initial value, will be incremented. */
- j->x.n_soa = 0;
-
- CHECK(journal_seek(j, offset));
-
- /*
- * Write a dummy transaction header of all zeroes to reserve
- * space. It will be filled in when the transaction is
- * finished.
- */
- memset(&hdr, 0, sizeof(hdr));
- CHECK(journal_write(j, &hdr, sizeof(hdr)));
- j->x.pos[1].offset = j->offset;
-
- j->state = JOURNAL_STATE_TRANSACTION;
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-isc_result_t
-dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
- dns_difftuple_t *t;
- isc_buffer_t buffer;
- void *mem = NULL;
- unsigned int size;
- isc_result_t result;
- isc_region_t used;
-
- REQUIRE(DNS_DIFF_VALID(diff));
- REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
-
- isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "writing to journal");
- (void)dns_diff_print(diff, NULL);
-
- /*
- * Pass 1: determine the buffer size needed, and
- * keep track of SOA serial numbers.
- */
- size = 0;
- for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- if (t->rdata.type == dns_rdatatype_soa) {
- if (j->x.n_soa < 2)
- j->x.pos[j->x.n_soa].serial =
- dns_soa_getserial(&t->rdata);
- j->x.n_soa++;
- }
- size += sizeof(journal_rawrrhdr_t);
- size += t->name.length; /* XXX should have access macro? */
- size += 10;
- size += t->rdata.length;
- }
-
- mem = isc_mem_get(j->mctx, size);
- if (mem == NULL)
- return (ISC_R_NOMEMORY);
-
- isc_buffer_init(&buffer, mem, size);
-
- /*
- * Pass 2. Write RRs to buffer.
- */
- for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
- t = ISC_LIST_NEXT(t, link))
- {
- /*
- * Write the RR header.
- */
- isc_buffer_putuint32(&buffer, t->name.length + 10 +
- t->rdata.length);
- /*
- * Write the owner name, RR header, and RR data.
- */
- isc_buffer_putmem(&buffer, t->name.ndata, t->name.length);
- isc_buffer_putuint16(&buffer, t->rdata.type);
- isc_buffer_putuint16(&buffer, t->rdata.rdclass);
- isc_buffer_putuint32(&buffer, t->ttl);
- INSIST(t->rdata.length < 65536);
- isc_buffer_putuint16(&buffer, (isc_uint16_t)t->rdata.length);
- INSIST(isc_buffer_availablelength(&buffer) >= t->rdata.length);
- isc_buffer_putmem(&buffer, t->rdata.data, t->rdata.length);
- }
-
- isc_buffer_usedregion(&buffer, &used);
- INSIST(used.length == size);
-
- j->x.pos[1].offset += used.length;
-
- /*
- * Write the buffer contents to the journal file.
- */
- CHECK(journal_write(j, used.base, used.length));
-
- result = ISC_R_SUCCESS;
-
- failure:
- if (mem != NULL)
- isc_mem_put(j->mctx, mem, size);
- return (result);
-
-}
-
-isc_result_t
-dns_journal_commit(dns_journal_t *j) {
- isc_result_t result;
- journal_rawheader_t rawheader;
-
- REQUIRE(DNS_JOURNAL_VALID(j));
- REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
-
- /*
- * Perform some basic consistency checks.
- */
- if (j->x.n_soa != 2) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: malformed transaction: %d SOAs",
- j->filename, j->x.n_soa);
- return (ISC_R_UNEXPECTED);
- }
- if (! (DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial) ||
- (bind8_compat &&
- j->x.pos[1].serial == j->x.pos[0].serial)))
- {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: malformed transaction: serial number "
- "would decrease", j->filename);
- return (ISC_R_UNEXPECTED);
- }
- if (! JOURNAL_EMPTY(&j->header)) {
- if (j->x.pos[0].serial != j->header.end.serial) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "malformed transaction: "
- "%s last serial %u != "
- "transaction first serial %u",
- j->filename,
- j->header.end.serial,
- j->x.pos[0].serial);
- return (ISC_R_UNEXPECTED);
- }
- }
-
- /*
- * Some old journal entries may become non-addressable
- * when we increment the current serial number. Purge them
- * by stepping header.begin forward to the first addressable
- * transaction. Also purge them from the index.
- */
- if (! JOURNAL_EMPTY(&j->header)) {
- while (! DNS_SERIAL_GT(j->x.pos[1].serial,
- j->header.begin.serial)) {
- CHECK(journal_next(j, &j->header.begin));
- }
- index_invalidate(j, j->x.pos[1].serial);
- }
-#ifdef notyet
- if (DNS_SERIAL_GT(last_dumped_serial, j->x.pos[1].serial)) {
- force_dump(...);
- }
-#endif
-
- /*
- * Commit the transaction data to stable storage.
- */
- CHECK(journal_fsync(j));
-
- /*
- * Update the transaction header.
- */
- CHECK(journal_seek(j, j->x.pos[0].offset));
- CHECK(journal_write_xhdr(j, (j->x.pos[1].offset - j->x.pos[0].offset) -
- sizeof(journal_rawxhdr_t),
- j->x.pos[0].serial, j->x.pos[1].serial));
-
- /*
- * Update the journal header.
- */
- if (JOURNAL_EMPTY(&j->header)) {
- j->header.begin = j->x.pos[0];
- }
- j->header.end = j->x.pos[1];
- journal_header_encode(&j->header, &rawheader);
- CHECK(journal_seek(j, 0));
- CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
-
- /*
- * Update the index.
- */
- index_add(j, &j->x.pos[0]);
-
- /*
- * Convert the index into on-disk format and write
- * it to disk.
- */
- CHECK(index_to_disk(j));
-
- /*
- * Commit the header to stable storage.
- */
- CHECK(journal_fsync(j));
-
- /*
- * We no longer have a transaction open.
- */
- j->state = JOURNAL_STATE_WRITE;
-
- result = ISC_R_SUCCESS;
-
- failure:
- return (result);
-}
-
-isc_result_t
-dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff) {
- isc_result_t result;
- CHECK(dns_diff_sort(diff, ixfr_order));
- CHECK(dns_journal_begin_transaction(j));
- CHECK(dns_journal_writediff(j, diff));
- CHECK(dns_journal_commit(j));
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-void
-dns_journal_destroy(dns_journal_t **journalp) {
- dns_journal_t *j = *journalp;
- REQUIRE(DNS_JOURNAL_VALID(j));
-
- j->it.result = ISC_R_FAILURE;
- dns_name_invalidate(&j->it.name);
- dns_decompress_invalidate(&j->it.dctx);
- if (j->rawindex != NULL)
- isc_mem_put(j->mctx, j->rawindex, j->header.index_size *
- sizeof(journal_rawpos_t));
- if (j->index != NULL)
- isc_mem_put(j->mctx, j->index, j->header.index_size *
- sizeof(journal_pos_t));
- if (j->it.target.base != NULL)
- isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
- if (j->it.source.base != NULL)
- isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
-
- if (j->fp != NULL)
- (void)isc_stdio_close(j->fp);
- j->magic = 0;
- isc_mem_put(j->mctx, j, sizeof(*j));
- *journalp = NULL;
-}
-
-/*
- * Roll the open journal 'j' into the database 'db'.
- * A new database version will be created.
- */
-
-/* XXX Share code with incoming IXFR? */
-
-static isc_result_t
-roll_forward(dns_journal_t *j, dns_db_t *db) {
- isc_buffer_t source; /* Transaction data from disk */
- isc_buffer_t target; /* Ditto after _fromwire check */
- isc_uint32_t db_serial; /* Database SOA serial */
- isc_uint32_t end_serial; /* Last journal SOA serial */
- isc_result_t result;
- dns_dbversion_t *ver = NULL;
- journal_pos_t pos;
- dns_diff_t diff;
- unsigned int n_soa = 0;
- unsigned int n_put = 0;
-
- REQUIRE(DNS_JOURNAL_VALID(j));
- REQUIRE(DNS_DB_VALID(db));
-
- dns_diff_init(j->mctx, &diff);
-
- /*
- * Set up empty initial buffers for uncheched and checked
- * wire format transaction data. They will be reallocated
- * later.
- */
- isc_buffer_init(&source, NULL, 0);
- isc_buffer_init(&target, NULL, 0);
-
- /*
- * Create the new database version.
- */
- CHECK(dns_db_newversion(db, &ver));
-
- /*
- * Get the current database SOA serial number.
- */
- CHECK(dns_db_getsoaserial(db, ver, &db_serial));
-
- /*
- * Locate a journal entry for the current database serial.
- */
- CHECK(journal_find(j, db_serial, &pos));
- /*
- * XXX do more drastic things, like marking zone stale,
- * if this fails?
- */
- /*
- * XXXRTH The zone code should probably mark the zone as bad and
- * scream loudly into the log if this is a dynamic update
- * log reply that failed.
- */
-
- end_serial = dns_journal_last_serial(j);
- if (db_serial == end_serial)
- CHECK(DNS_R_UPTODATE);
-
- CHECK(dns_journal_iter_init(j, db_serial, end_serial));
-
- for (result = dns_journal_first_rr(j);
- result == ISC_R_SUCCESS;
- result = dns_journal_next_rr(j))
- {
- dns_name_t *name;
- isc_uint32_t ttl;
- dns_rdata_t *rdata;
- dns_difftuple_t *tuple = NULL;
-
- name = NULL;
- rdata = NULL;
- dns_journal_current_rr(j, &name, &ttl, &rdata);
-
- if (rdata->type == dns_rdatatype_soa) {
- n_soa++;
- if (n_soa == 2)
- db_serial = j->it.current_serial;
- }
-
- if (n_soa == 3)
- n_soa = 1;
- if (n_soa == 0) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: journal file corrupt: missing "
- "initial SOA", j->filename);
- FAIL(ISC_R_UNEXPECTED);
- }
- CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
- DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
- name, ttl, rdata, &tuple));
- dns_diff_append(&diff, &tuple);
-
- if (++n_put > 100) {
- isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
- "%s: applying diff to database (%u)",
- j->filename, db_serial);
- (void)dns_diff_print(&diff, NULL);
- CHECK(dns_diff_apply(&diff, db, ver));
- dns_diff_clear(&diff);
- n_put = 0;
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- CHECK(result);
-
- if (n_put != 0) {
- isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
- "%s: applying final diff to database (%u)",
- j->filename, db_serial);
- (void)dns_diff_print(&diff, NULL);
- CHECK(dns_diff_apply(&diff, db, ver));
- dns_diff_clear(&diff);
- }
-
- failure:
- if (ver != NULL)
- dns_db_closeversion(db, &ver, result == ISC_R_SUCCESS ?
- ISC_TRUE : ISC_FALSE);
-
- if (source.base != NULL)
- isc_mem_put(j->mctx, source.base, source.length);
- if (target.base != NULL)
- isc_mem_put(j->mctx, target.base, target.length);
-
- dns_diff_clear(&diff);
-
- return (result);
-}
-
-isc_result_t
-dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename) {
- dns_journal_t *j;
- isc_result_t result;
-
- REQUIRE(DNS_DB_VALID(db));
- REQUIRE(filename != NULL);
-
- j = NULL;
- result = dns_journal_open(mctx, filename, ISC_FALSE, &j);
- if (result == ISC_R_NOTFOUND) {
- isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
- "no journal file, but that's OK");
- return (DNS_R_NOJOURNAL);
- }
- if (result != ISC_R_SUCCESS)
- return (result);
- if (JOURNAL_EMPTY(&j->header))
- result = DNS_R_UPTODATE;
- else
- result = roll_forward(j, db);
-
- dns_journal_destroy(&j);
-
- return (result);
-}
-
-isc_result_t
-dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
- dns_journal_t *j;
- isc_buffer_t source; /* Transaction data from disk */
- isc_buffer_t target; /* Ditto after _fromwire check */
- isc_uint32_t start_serial; /* Database SOA serial */
- isc_uint32_t end_serial; /* Last journal SOA serial */
- isc_result_t result;
- dns_diff_t diff;
- unsigned int n_soa = 0;
- unsigned int n_put = 0;
-
- REQUIRE(filename != NULL);
-
- j = NULL;
- result = dns_journal_open(mctx, filename, ISC_FALSE, &j);
- if (result == ISC_R_NOTFOUND) {
- isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no journal file");
- return (DNS_R_NOJOURNAL);
- }
-
- if (result != ISC_R_SUCCESS) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "journal open failure: %s: %s",
- isc_result_totext(result), j->filename);
- return (result);
- }
-
- dns_diff_init(j->mctx, &diff);
-
- /*
- * Set up empty initial buffers for uncheched and checked
- * wire format transaction data. They will be reallocated
- * later.
- */
- isc_buffer_init(&source, NULL, 0);
- isc_buffer_init(&target, NULL, 0);
-
- start_serial = dns_journal_first_serial(j);
- end_serial = dns_journal_last_serial(j);
-
- CHECK(dns_journal_iter_init(j, start_serial, end_serial));
-
- for (result = dns_journal_first_rr(j);
- result == ISC_R_SUCCESS;
- result = dns_journal_next_rr(j))
- {
- dns_name_t *name;
- isc_uint32_t ttl;
- dns_rdata_t *rdata;
- dns_difftuple_t *tuple = NULL;
-
- name = NULL;
- rdata = NULL;
- dns_journal_current_rr(j, &name, &ttl, &rdata);
-
- if (rdata->type == dns_rdatatype_soa)
- n_soa++;
-
- if (n_soa == 3)
- n_soa = 1;
- if (n_soa == 0) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: journal file corrupt: missing "
- "initial SOA", j->filename);
- FAIL(ISC_R_UNEXPECTED);
- }
- CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
- DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
- name, ttl, rdata, &tuple));
- dns_diff_append(&diff, &tuple);
-
- if (++n_put > 100) {
- result = dns_diff_print(&diff, file);
- dns_diff_clear(&diff);
- n_put = 0;
- if (result != ISC_R_SUCCESS)
- break;
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- CHECK(result);
-
- if (n_put != 0) {
- result = dns_diff_print(&diff, file);
- dns_diff_clear(&diff);
- }
- goto cleanup;
-
- failure:
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: cannot print: journal file corrupt", j->filename);
-
- cleanup:
- if (source.base != NULL)
- isc_mem_put(j->mctx, source.base, source.length);
- if (target.base != NULL)
- isc_mem_put(j->mctx, target.base, target.length);
-
- dns_diff_clear(&diff);
- dns_journal_destroy(&j);
-
- return (result);
-}
-
-/**************************************************************************/
-/*
- * Miscellaneous accessors.
- */
-isc_uint32_t dns_journal_first_serial(dns_journal_t *j) {
- return (j->header.begin.serial);
-}
-
-isc_uint32_t dns_journal_last_serial(dns_journal_t *j) {
- return (j->header.end.serial);
-}
-
-/**************************************************************************/
-/*
- * Iteration support.
- *
- * When serving an outgoing IXFR, we transmit a part the journal starting
- * at the serial number in the IXFR request and ending at the serial
- * number that is current when the IXFR request arrives. The ending
- * serial number is not necessarily at the end of the journal:
- * the journal may grow while the IXFR is in progress, but we stop
- * when we reach the serial number that was current when the IXFR started.
- */
-
-static isc_result_t read_one_rr(dns_journal_t *j);
-
-/*
- * Make sure the buffer 'b' is has at least 'size' bytes
- * allocated, and clear it.
- *
- * Requires:
- * Either b->base is NULL, or it points to b->length bytes of memory
- * previously allocated by isc_mem_get().
- */
-
-static isc_result_t
-size_buffer(isc_mem_t *mctx, isc_buffer_t *b, unsigned size) {
- if (b->length < size) {
- void *mem = isc_mem_get(mctx, size);
- if (mem == NULL)
- return (ISC_R_NOMEMORY);
- if (b->base != NULL)
- isc_mem_put(mctx, b->base, b->length);
- b->base = mem;
- b->length = size;
- }
- isc_buffer_clear(b);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_journal_iter_init(dns_journal_t *j,
- isc_uint32_t begin_serial, isc_uint32_t end_serial)
-{
- isc_result_t result;
-
- CHECK(journal_find(j, begin_serial, &j->it.bpos));
- INSIST(j->it.bpos.serial == begin_serial);
-
- CHECK(journal_find(j, end_serial, &j->it.epos));
- INSIST(j->it.epos.serial == end_serial);
-
- result = ISC_R_SUCCESS;
- failure:
- j->it.result = result;
- return (j->it.result);
-}
-
-
-isc_result_t
-dns_journal_first_rr(dns_journal_t *j) {
- isc_result_t result;
-
- /*
- * Seek to the beginning of the first transaction we are
- * interested in.
- */
- CHECK(journal_seek(j, j->it.bpos.offset));
- j->it.current_serial = j->it.bpos.serial;
-
- j->it.xsize = 0; /* We have no transaction data yet... */
- j->it.xpos = 0; /* ...and haven't used any of it. */
-
- return (read_one_rr(j));
-
- failure:
- return (result);
-}
-
-static isc_result_t
-read_one_rr(dns_journal_t *j) {
- isc_result_t result;
-
- dns_rdatatype_t rdtype;
- dns_rdataclass_t rdclass;
- unsigned int rdlen;
- isc_uint32_t ttl;
- journal_xhdr_t xhdr;
- journal_rrhdr_t rrhdr;
-
- INSIST(j->offset <= j->it.epos.offset);
- if (j->offset == j->it.epos.offset)
- return (ISC_R_NOMORE);
- if (j->it.xpos == j->it.xsize) {
- /*
- * We are at a transaction boundary.
- * Read another transaction header.
- */
- CHECK(journal_read_xhdr(j, &xhdr));
- if (xhdr.size == 0) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: journal corrupt: empty transaction",
- j->filename);
- FAIL(ISC_R_UNEXPECTED);
- }
- if (xhdr.serial0 != j->it.current_serial) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: journal file corrupt: "
- "expected serial %u, got %u",
- j->filename,
- j->it.current_serial, xhdr.serial0);
- FAIL(ISC_R_UNEXPECTED);
- }
- j->it.xsize = xhdr.size;
- j->it.xpos = 0;
- }
- /*
- * Read an RR.
- */
- CHECK(journal_read_rrhdr(j, &rrhdr));
- /*
- * Perform a sanity check on the journal RR size.
- * The smallest possible RR has a 1-byte owner name
- * and a 10-byte header. The largest possible
- * RR has 65535 bytes of data, a header, and a maximum-
- * size owner name, well below 70 k total.
- */
- if (rrhdr.size < 1+10 || rrhdr.size > 70000) {
- isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
- "%s: journal corrupt: impossible RR size "
- "(%d bytes)", j->filename, rrhdr.size);
- FAIL(ISC_R_UNEXPECTED);
- }
-
- CHECK(size_buffer(j->mctx, &j->it.source, rrhdr.size));
- CHECK(journal_read(j, j->it.source.base, rrhdr.size));
- isc_buffer_add(&j->it.source, rrhdr.size);
-
- /*
- * The target buffer is made the same size
- * as the source buffer, with the assumption that when
- * no compression in present, the output of dns_*_fromwire()
- * is no larger than the input.
- */
- CHECK(size_buffer(j->mctx, &j->it.target, rrhdr.size));
-
- /*
- * Parse the owner name. We don't know where it
- * ends yet, so we make the entire "remaining"
- * part of the buffer "active".
- */
- isc_buffer_setactive(&j->it.source,
- j->it.source.used - j->it.source.current);
- CHECK(dns_name_fromwire(&j->it.name, &j->it.source,
- &j->it.dctx, 0, &j->it.target));
-
- /*
- * Check that the RR header is there, and parse it.
- */
- if (isc_buffer_remaininglength(&j->it.source) < 10)
- FAIL(DNS_R_FORMERR);
-
- rdtype = isc_buffer_getuint16(&j->it.source);
- rdclass = isc_buffer_getuint16(&j->it.source);
- ttl = isc_buffer_getuint32(&j->it.source);
- rdlen = isc_buffer_getuint16(&j->it.source);
-
- /*
- * Parse the rdata.
- */
- isc_buffer_setactive(&j->it.source, rdlen);
- dns_rdata_reset(&j->it.rdata);
- CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass,
- rdtype, &j->it.source, &j->it.dctx,
- 0, &j->it.target));
- j->it.ttl = ttl;
-
- j->it.xpos += sizeof(journal_rawrrhdr_t) + rrhdr.size;
- if (rdtype == dns_rdatatype_soa) {
- /* XXX could do additional consistency checks here */
- j->it.current_serial = dns_soa_getserial(&j->it.rdata);
- }
-
- result = ISC_R_SUCCESS;
-
- failure:
- j->it.result = result;
- return (result);
-}
-
-isc_result_t
-dns_journal_next_rr(dns_journal_t *j) {
- j->it.result = read_one_rr(j);
- return (j->it.result);
-}
-
-void
-dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
- dns_rdata_t **rdata)
-{
- REQUIRE(j->it.result == ISC_R_SUCCESS);
- *name = &j->it.name;
- *ttl = j->it.ttl;
- *rdata = &j->it.rdata;
-}
-
-/**************************************************************************/
-/*
- * Generating diffs from databases
- */
-
-/*
- * Construct a diff containing all the RRs at the current name of the
- * database iterator 'dbit' in database 'db', version 'ver'.
- * Set '*name' to the current name, and append the diff to 'diff'.
- * All new tuples will have the operation 'op'.
- *
- * Requires: 'name' must have buffer large enough to hold the name.
- * Typically, a dns_fixedname_t would be used.
- */
-static isc_result_t
-get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
- dns_dbiterator_t *dbit, dns_name_t *name, dns_diffop_t op,
- dns_diff_t *diff)
-{
- isc_result_t result;
- dns_dbnode_t *node = NULL;
- dns_rdatasetiter_t *rdsiter = NULL;
- dns_difftuple_t *tuple = NULL;
-
- result = dns_dbiterator_current(dbit, &node, name);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_db_allrdatasets(db, node, ver, now, &rdsiter);
- if (result != ISC_R_SUCCESS)
- goto cleanup_node;
-
- for (result = dns_rdatasetiter_first(rdsiter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter))
- {
- dns_rdataset_t rdataset;
-
- dns_rdataset_init(&rdataset);
- dns_rdatasetiter_current(rdsiter, &rdataset);
-
- for (result = dns_rdataset_first(&rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&rdataset))
- {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(&rdataset, &rdata);
- result = dns_difftuple_create(diff->mctx, op, name,
- rdataset.ttl, &rdata,
- &tuple);
- if (result != ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&rdataset);
- goto cleanup_iterator;
- }
- dns_diff_append(diff, &tuple);
- }
- dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_NOMORE)
- goto cleanup_iterator;
- }
- if (result != ISC_R_NOMORE)
- goto cleanup_iterator;
-
- result = ISC_R_SUCCESS;
-
- cleanup_iterator:
- dns_rdatasetiter_destroy(&rdsiter);
-
- cleanup_node:
- dns_db_detachnode(db, &node);
-
- return (result);
-}
-
-/*
- * Comparison function for use by dns_diff_subtract when sorting
- * the diffs to be subtracted. The sort keys are the rdata type
- * and the rdata itself. The owner name is ignored, because
- * it is known to be the same for all tuples.
- */
-static int
-rdata_order(const void *av, const void *bv) {
- dns_difftuple_t const * const *ap = av;
- dns_difftuple_t const * const *bp = bv;
- dns_difftuple_t const *a = *ap;
- dns_difftuple_t const *b = *bp;
- int r;
- r = (b->rdata.type - a->rdata.type);
- if (r != 0)
- return (r);
- r = dns_rdata_compare(&a->rdata, &b->rdata);
- return (r);
-}
-
-static isc_result_t
-dns_diff_subtract(dns_diff_t diff[2], dns_diff_t *r) {
- isc_result_t result;
- dns_difftuple_t *p[2];
- int i, t;
- isc_boolean_t append;
-
- CHECK(dns_diff_sort(&diff[0], rdata_order));
- CHECK(dns_diff_sort(&diff[1], rdata_order));
-
- for (;;) {
- p[0] = ISC_LIST_HEAD(diff[0].tuples);
- p[1] = ISC_LIST_HEAD(diff[1].tuples);
- if (p[0] == NULL && p[1] == NULL)
- break;
-
- for (i = 0; i < 2; i++)
- if (p[!i] == NULL) {
- ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
- ISC_LIST_APPEND(r->tuples, p[i], link);
- goto next;
- }
- t = rdata_order(&p[0], &p[1]);
- if (t < 0) {
- ISC_LIST_UNLINK(diff[0].tuples, p[0], link);
- ISC_LIST_APPEND(r->tuples, p[0], link);
- goto next;
- }
- if (t > 0) {
- ISC_LIST_UNLINK(diff[1].tuples, p[1], link);
- ISC_LIST_APPEND(r->tuples, p[1], link);
- goto next;
- }
- INSIST(t == 0);
- /*
- * Identical RRs in both databases; skip them both
- * if the ttl differs.
- */
- append = ISC_TF(p[0]->ttl != p[1]->ttl);
- for (i = 0; i < 2; i++) {
- ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
- if (append) {
- ISC_LIST_APPEND(r->tuples, p[i], link);
- } else {
- dns_difftuple_free(&p[i]);
- }
- }
- next: ;
- }
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-/*
- * Compare the databases 'dba' and 'dbb' and generate a journal
- * entry containing the changes to make 'dba' from 'dbb' (note
- * the order). This journal entry will consist of a single,
- * possibly very large transaction.
- */
-
-isc_result_t
-dns_db_diff(isc_mem_t *mctx,
- dns_db_t *dba, dns_dbversion_t *dbvera,
- dns_db_t *dbb, dns_dbversion_t *dbverb,
- const char *journal_filename)
-{
- dns_db_t *db[2];
- dns_dbversion_t *ver[2];
- dns_dbiterator_t *dbit[2] = { NULL, NULL };
- isc_boolean_t have[2] = { ISC_FALSE, ISC_FALSE };
- dns_fixedname_t fixname[2];
- isc_result_t result, itresult[2];
- dns_diff_t diff[2], resultdiff;
- int i, t;
- dns_journal_t *journal = NULL;
-
- db[0] = dba, db[1] = dbb;
- ver[0] = dbvera, ver[1] = dbverb;
-
- dns_diff_init(mctx, &diff[0]);
- dns_diff_init(mctx, &diff[1]);
- dns_diff_init(mctx, &resultdiff);
-
- dns_fixedname_init(&fixname[0]);
- dns_fixedname_init(&fixname[1]);
-
- result = dns_journal_open(mctx, journal_filename, ISC_TRUE, &journal);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_db_createiterator(db[0], ISC_FALSE, &dbit[0]);
- if (result != ISC_R_SUCCESS)
- goto cleanup_journal;
- result = dns_db_createiterator(db[1], ISC_FALSE, &dbit[1]);
- if (result != ISC_R_SUCCESS)
- goto cleanup_interator0;
-
- itresult[0] = dns_dbiterator_first(dbit[0]);
- itresult[1] = dns_dbiterator_first(dbit[1]);
-
- for (;;) {
- for (i = 0; i < 2; i++) {
- if (! have[i] && itresult[i] == ISC_R_SUCCESS) {
- CHECK(get_name_diff(db[i], ver[i], 0, dbit[i],
- dns_fixedname_name(&fixname[i]),
- i == 0 ?
- DNS_DIFFOP_ADD :
- DNS_DIFFOP_DEL,
- &diff[i]));
- itresult[i] = dns_dbiterator_next(dbit[i]);
- have[i] = ISC_TRUE;
- }
- }
-
- if (! have[0] && ! have[1]) {
- INSIST(ISC_LIST_EMPTY(diff[0].tuples));
- INSIST(ISC_LIST_EMPTY(diff[1].tuples));
- break;
- }
-
- for (i = 0; i < 2; i++) {
- if (! have[!i]) {
- ISC_LIST_APPENDLIST(resultdiff.tuples,
- diff[i].tuples, link);
- INSIST(ISC_LIST_EMPTY(diff[i].tuples));
- have[i] = ISC_FALSE;
- goto next;
- }
- }
-
- t = dns_name_compare(dns_fixedname_name(&fixname[0]),
- dns_fixedname_name(&fixname[1]));
- if (t < 0) {
- ISC_LIST_APPENDLIST(resultdiff.tuples,
- diff[0].tuples, link);
- INSIST(ISC_LIST_EMPTY(diff[0].tuples));
- have[0] = ISC_FALSE;
- continue;
- }
- if (t > 0) {
- ISC_LIST_APPENDLIST(resultdiff.tuples,
- diff[1].tuples, link);
- INSIST(ISC_LIST_EMPTY(diff[1].tuples));
- have[1] = ISC_FALSE;
- continue;
- }
- INSIST(t == 0);
- CHECK(dns_diff_subtract(diff, &resultdiff));
- INSIST(ISC_LIST_EMPTY(diff[0].tuples));
- INSIST(ISC_LIST_EMPTY(diff[1].tuples));
- have[0] = have[1] = ISC_FALSE;
- next: ;
- }
- if (itresult[0] != ISC_R_NOMORE)
- FAIL(itresult[0]);
- if (itresult[1] != ISC_R_NOMORE)
- FAIL(itresult[1]);
-
- if (ISC_LIST_EMPTY(resultdiff.tuples)) {
- isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no changes");
- } else {
- CHECK(dns_journal_write_transaction(journal, &resultdiff));
- }
- INSIST(ISC_LIST_EMPTY(diff[0].tuples));
- INSIST(ISC_LIST_EMPTY(diff[1].tuples));
-
- failure:
- dns_diff_clear(&resultdiff);
- dns_dbiterator_destroy(&dbit[1]);
- cleanup_interator0:
- dns_dbiterator_destroy(&dbit[0]);
- cleanup_journal:
- dns_journal_destroy(&journal);
- return (result);
-}
-
-isc_result_t
-dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
- isc_uint32_t target_size)
-{
- unsigned int i;
- journal_pos_t best_guess;
- journal_pos_t current_pos;
- dns_journal_t *j = NULL;
- journal_rawheader_t rawheader;
- unsigned int copy_length;
- unsigned int len;
- char *buf = NULL;
- unsigned int size = 0;
- isc_result_t result;
- unsigned int indexend;
-
- CHECK(journal_open(mctx, filename, ISC_TRUE, ISC_FALSE, &j));
-
- if (JOURNAL_EMPTY(&j->header)) {
- dns_journal_destroy(&j);
- return (ISC_R_SUCCESS);
- }
-
- if (DNS_SERIAL_GT(j->header.begin.serial, serial) ||
- DNS_SERIAL_GT(serial, j->header.end.serial)) {
- dns_journal_destroy(&j);
- return (ISC_R_RANGE);
- }
-
- /*
- * Cope with very small target sizes.
- */
- indexend = sizeof(journal_rawheader_t) +
- j->header.index_size * sizeof(journal_rawpos_t);
- if (target_size < indexend * 2)
- target_size = target_size/2 + indexend;
-
- /*
- * See if there is any work to do.
- */
- if ((isc_uint32_t) j->header.end.offset < target_size) {
- dns_journal_destroy(&j);
- return (ISC_R_SUCCESS);
- }
-
- /*
- * Remove overhead so space test below can succeed.
- */
- if (target_size >= indexend)
- target_size -= indexend;
-
- /*
- * Find if we can create enough free space.
- */
- best_guess = j->header.begin;
- for (i = 0; i < j->header.index_size; i++) {
- if (POS_VALID(j->index[i]) &&
- DNS_SERIAL_GE(serial, j->index[i].serial) &&
- ((isc_uint32_t)(j->header.end.offset - j->index[i].offset)
- >= target_size / 2) &&
- j->index[i].offset > best_guess.offset)
- best_guess = j->index[i];
- }
-
- current_pos = best_guess;
- while (current_pos.serial != serial) {
- CHECK(journal_next(j, &current_pos));
- if (current_pos.serial == j->header.end.serial)
- break;
-
- if (DNS_SERIAL_GE(serial, current_pos.serial) &&
- ((isc_uint32_t)(j->header.end.offset - current_pos.offset)
- >= (target_size / 2)) &&
- current_pos.offset > best_guess.offset)
- best_guess = current_pos;
- else
- break;
- }
-
- INSIST(best_guess.serial != j->header.end.serial);
- if (best_guess.serial != serial)
- CHECK(journal_next(j, &best_guess));
-
- /*
- * Enough space to proceed?
- */
- if ((isc_uint32_t) (j->header.end.offset - best_guess.offset) >
- (isc_uint32_t) (best_guess.offset - indexend)) {
- dns_journal_destroy(&j);
- return (ISC_R_NOSPACE);
- }
-
- copy_length = j->header.end.offset - best_guess.offset;
-
- /*
- * Invalidate entire index, will be rebuilt at end.
- */
- for (i = 0; i < j->header.index_size; i++) {
- if (POS_VALID(j->index[i]))
- POS_INVALIDATE(j->index[i]);
- }
-
- /*
- * Convert the index into on-disk format and write
- * it to disk.
- */
- CHECK(index_to_disk(j));
- CHECK(journal_fsync(j));
-
- /*
- * Update the journal header.
- */
- if (copy_length == 0) {
- j->header.begin.serial = 0;
- j->header.end.serial = 0;
- j->header.begin.offset = 0;
- j->header.end.offset = 0;
- } else {
- j->header.begin = best_guess;
- }
- journal_header_encode(&j->header, &rawheader);
- CHECK(journal_seek(j, 0));
- CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
- CHECK(journal_fsync(j));
-
- if (copy_length != 0) {
- /*
- * Copy best_guess to end into space just freed.
- */
- size = 64*1024;
- if (copy_length < size)
- size = copy_length;
- buf = isc_mem_get(mctx, size);
- if (buf == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
-
- for (i = 0; i < copy_length; i += size) {
- len = (copy_length - i) > size ? size :
- (copy_length - i);
- CHECK(journal_seek(j, best_guess.offset + i));
- CHECK(journal_read(j, buf, len));
- CHECK(journal_seek(j, indexend + i));
- CHECK(journal_write(j, buf, len));
- }
-
- CHECK(journal_fsync(j));
-
- /*
- * Compute new header.
- */
- j->header.begin.offset = indexend;
- j->header.end.offset = indexend + copy_length;
- /*
- * Update the journal header.
- */
- journal_header_encode(&j->header, &rawheader);
- CHECK(journal_seek(j, 0));
- CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
- CHECK(journal_fsync(j));
-
- /*
- * Build new index.
- */
- current_pos = j->header.begin;
- while (current_pos.serial != j->header.end.serial) {
- index_add(j, &current_pos);
- CHECK(journal_next(j, &current_pos));
- }
-
- /*
- * Write index.
- */
- CHECK(index_to_disk(j));
- CHECK(journal_fsync(j));
-
- indexend = j->header.end.offset;
- }
- dns_journal_destroy(&j);
- (void)isc_file_truncate(filename, (isc_offset_t)indexend);
- result = ISC_R_SUCCESS;
-
- failure:
- if (buf != NULL)
- isc_mem_put(mctx, buf, size);
- if (j != NULL)
- dns_journal_destroy(&j);
- return (result);
-}
-
-static isc_result_t
-index_to_disk(dns_journal_t *j) {
- isc_result_t result = ISC_R_SUCCESS;
-
- if (j->header.index_size != 0) {
- unsigned int i;
- unsigned char *p;
- unsigned int rawbytes;
-
- rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
-
- p = j->rawindex;
- for (i = 0; i < j->header.index_size; i++) {
- encode_uint32(j->index[i].serial, p);
- p += 4;
- encode_uint32(j->index[i].offset, p);
- p += 4;
- }
- INSIST(p == j->rawindex + rawbytes);
-
- CHECK(journal_seek(j, sizeof(journal_rawheader_t)));
- CHECK(journal_write(j, j->rawindex, rawbytes));
- }
-failure:
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/key.c b/contrib/bind9/lib/dns/key.c
deleted file mode 100644
index 97d970ed5e7a..000000000000
--- a/contrib/bind9/lib/dns/key.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: key.c,v 1.1.4.3 2005/06/09 23:54:29 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/region.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-
-#include <dst/dst.h>
-
-#include "dst_internal.h"
-
-isc_uint16_t
-dst_region_computeid(const isc_region_t *source, unsigned int alg) {
- isc_uint32_t ac;
- const unsigned char *p;
- int size;
-
- REQUIRE(source != NULL);
- REQUIRE(source->length >= 4);
-
- p = source->base;
- size = source->length;
-
- if (alg == DST_ALG_RSAMD5)
- return ((p[size - 3] << 8) + p[size - 2]);
-
- for (ac = 0; size > 1; size -= 2, p += 2)
- ac += ((*p) << 8) + *(p + 1);
-
- if (size > 0)
- ac += ((*p) << 8);
- ac += (ac >> 16) & 0xffff;
-
- return ((isc_uint16_t)(ac & 0xffff));
-}
-
-dns_name_t *
-dst_key_name(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_name);
-}
-
-unsigned int
-dst_key_size(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_size);
-}
-
-unsigned int
-dst_key_proto(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_proto);
-}
-
-unsigned int
-dst_key_alg(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_alg);
-}
-
-isc_uint32_t
-dst_key_flags(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_flags);
-}
-
-dns_keytag_t
-dst_key_id(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_id);
-}
-
-dns_rdataclass_t
-dst_key_class(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
- return (key->key_class);
-}
-
-isc_boolean_t
-dst_key_iszonekey(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
-
- if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0)
- return (ISC_FALSE);
- if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
- return (ISC_FALSE);
- if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
- key->key_proto != DNS_KEYPROTO_ANY)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-dst_key_isnullkey(const dst_key_t *key) {
- REQUIRE(VALID_KEY(key));
-
- if ((key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
- return (ISC_FALSE);
- if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
- return (ISC_FALSE);
- if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
- key->key_proto != DNS_KEYPROTO_ANY)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
diff --git a/contrib/bind9/lib/dns/keytable.c b/contrib/bind9/lib/dns/keytable.c
deleted file mode 100644
index 922c09af118a..000000000000
--- a/contrib/bind9/lib/dns/keytable.c
+++ /dev/null
@@ -1,396 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keytable.c,v 1.26.12.3 2004/03/08 09:04:30 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/rwlock.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/keytable.h>
-#include <dns/fixedname.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-struct dns_keytable {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t *mctx;
- isc_mutex_t lock;
- isc_rwlock_t rwlock;
- /* Locked by lock. */
- isc_uint32_t active_nodes;
- /* Locked by rwlock. */
- isc_uint32_t references;
- dns_rbt_t *table;
-};
-
-#define KEYTABLE_MAGIC ISC_MAGIC('K', 'T', 'b', 'l')
-#define VALID_KEYTABLE(kt) ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
-
-struct dns_keynode {
- unsigned int magic;
- dst_key_t * key;
- struct dns_keynode * next;
-};
-
-#define KEYNODE_MAGIC ISC_MAGIC('K', 'N', 'o', 'd')
-#define VALID_KEYNODE(kn) ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
-
-static void
-free_keynode(void *node, void *arg) {
- dns_keynode_t *keynode = node;
- isc_mem_t *mctx = arg;
-
- REQUIRE(VALID_KEYNODE(keynode));
- dst_key_free(&keynode->key);
- if (keynode->next != NULL)
- free_keynode(keynode->next, mctx);
- isc_mem_put(mctx, keynode, sizeof(dns_keynode_t));
-}
-
-isc_result_t
-dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
- dns_keytable_t *keytable;
- isc_result_t result;
-
- /*
- * Create a keytable.
- */
-
- REQUIRE(keytablep != NULL && *keytablep == NULL);
-
- keytable = isc_mem_get(mctx, sizeof(*keytable));
- if (keytable == NULL)
- return (ISC_R_NOMEMORY);
-
- keytable->table = NULL;
- result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
- if (result != ISC_R_SUCCESS)
- goto cleanup_keytable;
-
- result = isc_mutex_init(&keytable->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_rbt;
- }
-
- result = isc_rwlock_init(&keytable->rwlock, 0, 0);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_rwlock_init() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_lock;
- }
-
- keytable->mctx = mctx;
- keytable->active_nodes = 0;
- keytable->references = 1;
- keytable->magic = KEYTABLE_MAGIC;
- *keytablep = keytable;
-
- return (ISC_R_SUCCESS);
-
- cleanup_lock:
- DESTROYLOCK(&keytable->lock);
-
- cleanup_rbt:
- dns_rbt_destroy(&keytable->table);
-
- cleanup_keytable:
- isc_mem_put(mctx, keytable, sizeof(*keytable));
-
- return (result);
-}
-
-
-void
-dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
-
- /*
- * Attach *targetp to source.
- */
-
- REQUIRE(VALID_KEYTABLE(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- RWLOCK(&source->rwlock, isc_rwlocktype_write);
-
- INSIST(source->references > 0);
- source->references++;
- INSIST(source->references != 0);
-
- RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
-
- *targetp = source;
-}
-
-void
-dns_keytable_detach(dns_keytable_t **keytablep) {
- isc_boolean_t destroy = ISC_FALSE;
- dns_keytable_t *keytable;
-
- /*
- * Detach *keytablep from its keytable.
- */
-
- REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
-
- keytable = *keytablep;
-
- RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
- INSIST(keytable->references > 0);
- keytable->references--;
- LOCK(&keytable->lock);
- if (keytable->references == 0 && keytable->active_nodes == 0)
- destroy = ISC_TRUE;
- UNLOCK(&keytable->lock);
-
- RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
- if (destroy) {
- dns_rbt_destroy(&keytable->table);
- isc_rwlock_destroy(&keytable->rwlock);
- DESTROYLOCK(&keytable->lock);
- keytable->magic = 0;
- isc_mem_put(keytable->mctx, keytable, sizeof(*keytable));
- }
-
- *keytablep = NULL;
-}
-
-isc_result_t
-dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp) {
- isc_result_t result;
- dns_keynode_t *knode;
- dns_rbtnode_t *node;
- dns_name_t *keyname;
-
- /*
- * Add '*keyp' to 'keytable'.
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(keyp != NULL);
-
- keyname = dst_key_name(*keyp);
-
- knode = isc_mem_get(keytable->mctx, sizeof(*knode));
- if (knode == NULL)
- return (ISC_R_NOMEMORY);
-
- RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
- node = NULL;
- result = dns_rbt_addnode(keytable->table, keyname, &node);
-
- if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
- knode->magic = KEYNODE_MAGIC;
- knode->key = *keyp;
- knode->next = node->data;
- node->data = knode;
- *keyp = NULL;
- knode = NULL;
- result = ISC_R_SUCCESS;
- }
-
- RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
- if (knode != NULL)
- isc_mem_put(keytable->mctx, knode, sizeof(*knode));
-
- return (result);
-}
-
-isc_result_t
-dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
- dns_secalg_t algorithm, dns_keytag_t tag,
- dns_keynode_t **keynodep)
-{
- isc_result_t result;
- dns_keynode_t *knode;
- void *data;
-
- /*
- * Search for a key named 'name', matching 'algorithm' and 'tag' in
- * 'keytable'.
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(keynodep != NULL && *keynodep == NULL);
-
- RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- knode = NULL;
- data = NULL;
- result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
-
- if (result == ISC_R_SUCCESS) {
- INSIST(data != NULL);
- for (knode = data; knode != NULL; knode = knode->next) {
- if (algorithm == dst_key_alg(knode->key)
- && tag == dst_key_id(knode->key))
- break;
- }
- if (knode != NULL) {
- LOCK(&keytable->lock);
- keytable->active_nodes++;
- UNLOCK(&keytable->lock);
- *keynodep = knode;
- } else
- result = ISC_R_NOTFOUND;
- } else if (result == DNS_R_PARTIALMATCH)
- result = ISC_R_NOTFOUND;
-
- RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- return (result);
-}
-
-isc_result_t
-dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
- dns_keynode_t **nextnodep)
-{
- isc_result_t result;
- dns_keynode_t *knode;
-
- /*
- * Search for the next key with the same properties as 'keynode' in
- * 'keytable'.
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(VALID_KEYNODE(keynode));
- REQUIRE(nextnodep != NULL && *nextnodep == NULL);
-
- for (knode = keynode->next; knode != NULL; knode = knode->next) {
- if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
- dst_key_id(keynode->key) == dst_key_id(knode->key))
- break;
- }
- if (knode != NULL) {
- LOCK(&keytable->lock);
- keytable->active_nodes++;
- UNLOCK(&keytable->lock);
- result = ISC_R_SUCCESS;
- *nextnodep = knode;
- } else
- result = ISC_R_NOTFOUND;
-
- return (result);
-}
-
-isc_result_t
-dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
- dns_name_t *foundname)
-{
- isc_result_t result;
- void *data;
-
- /*
- * Search for the deepest match in 'keytable'.
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(foundname != NULL);
-
- RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- data = NULL;
- result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
-
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- result = ISC_R_SUCCESS;
-
- RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- return (result);
-}
-
-void
-dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
-{
- /*
- * Give back a keynode found via dns_keytable_findkeynode().
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
-
- LOCK(&keytable->lock);
- INSIST(keytable->active_nodes > 0);
- keytable->active_nodes--;
- UNLOCK(&keytable->lock);
-
- *keynodep = NULL;
-}
-
-isc_result_t
-dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
- isc_boolean_t *wantdnssecp)
-{
- isc_result_t result;
- void *data;
-
- /*
- * Is 'name' at or beneath a trusted key?
- */
-
- REQUIRE(VALID_KEYTABLE(keytable));
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(wantdnssecp != NULL);
-
- RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- data = NULL;
- result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
-
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
- INSIST(data != NULL);
- *wantdnssecp = ISC_TRUE;
- result = ISC_R_SUCCESS;
- } else if (result == ISC_R_NOTFOUND) {
- *wantdnssecp = ISC_FALSE;
- result = ISC_R_SUCCESS;
- }
-
- RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
-
- return (result);
-}
-
-dst_key_t *
-dns_keynode_key(dns_keynode_t *keynode) {
-
- /*
- * Get the DST key associated with keynode.
- */
-
- REQUIRE(VALID_KEYNODE(keynode));
-
- return (keynode->key);
-}
diff --git a/contrib/bind9/lib/dns/lib.c b/contrib/bind9/lib/dns/lib.c
deleted file mode 100644
index 44490675a8e5..000000000000
--- a/contrib/bind9/lib/dns/lib.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.c,v 1.9.12.3 2004/03/08 09:04:30 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/once.h>
-#include <isc/msgcat.h>
-#include <isc/util.h>
-
-#include <dns/lib.h>
-
-/***
- *** Globals
- ***/
-
-LIBDNS_EXTERNAL_DATA isc_msgcat_t * dns_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t msgcat_once = ISC_ONCE_INIT;
-
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
- isc_msgcat_open("libdns.cat", &dns_msgcat);
-}
-
-void
-dns_lib_initmsgcat(void) {
-
- /*
- * Initialize the DNS library's message catalog, dns_msgcat, if it
- * has not already been initialized.
- */
-
- RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/log.c b/contrib/bind9/lib/dns/log.c
deleted file mode 100644
index d240767cbf72..000000000000
--- a/contrib/bind9/lib/dns/log.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.c,v 1.33.2.2.10.3 2004/03/06 08:13:39 marka Exp $ */
-
-/* Principal Authors: DCL */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/log.h>
-
-/*
- * When adding a new category, be sure to add the appropriate
- * #define to <dns/log.h>.
- */
-LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
- { "notify", 0 },
- { "database", 0 },
- { "security", 0 },
- { "_placeholder", 0 },
- { "dnssec", 0 },
- { "resolver", 0 },
- { "xfer-in", 0 },
- { "xfer-out", 0 },
- { "dispatch", 0 },
- { "lame-servers", 0 },
- { "delegation-only", 0 },
- { NULL, 0 }
-};
-
-/*
- * When adding a new module, be sure to add the appropriate
- * #define to <dns/log.h>.
- */
-LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
- { "dns/db", 0 },
- { "dns/rbtdb", 0 },
- { "dns/rbtdb64", 0 },
- { "dns/rbt", 0 },
- { "dns/rdata", 0 },
- { "dns/master", 0 },
- { "dns/message", 0 },
- { "dns/cache", 0 },
- { "dns/config", 0 },
- { "dns/resolver", 0 },
- { "dns/zone", 0 },
- { "dns/journal", 0 },
- { "dns/adb", 0 },
- { "dns/xfrin", 0 },
- { "dns/xfrout", 0 },
- { "dns/acl", 0 },
- { "dns/validator", 0 },
- { "dns/dispatch", 0 },
- { "dns/request", 0 },
- { "dns/masterdump", 0 },
- { "dns/tsig", 0 },
- { "dns/tkey", 0 },
- { "dns/sdb", 0 },
- { "dns/diff", 0 },
- { "dns/hints", 0 },
- { NULL, 0 }
-};
-
-LIBDNS_EXTERNAL_DATA isc_log_t *dns_lctx = NULL;
-
-void
-dns_log_init(isc_log_t *lctx) {
- REQUIRE(lctx != NULL);
-
- isc_log_registercategories(lctx, dns_categories);
- isc_log_registermodules(lctx, dns_modules);
-}
-
-void
-dns_log_setcontext(isc_log_t *lctx) {
- dns_lctx = lctx;
-}
diff --git a/contrib/bind9/lib/dns/lookup.c b/contrib/bind9/lib/dns/lookup.c
deleted file mode 100644
index e593c7be7fe4..000000000000
--- a/contrib/bind9/lib/dns/lookup.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lookup.c,v 1.9.12.5 2004/04/15 02:10:40 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/netaddr.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/lookup.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/view.h>
-
-struct dns_lookup {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_mutex_t lock;
- dns_rdatatype_t type;
- dns_fixedname_t name;
- /* Locked by lock. */
- unsigned int options;
- isc_task_t * task;
- dns_view_t * view;
- dns_lookupevent_t * event;
- dns_fetch_t * fetch;
- unsigned int restarts;
- isc_boolean_t canceled;
- dns_rdataset_t rdataset;
- dns_rdataset_t sigrdataset;
-};
-
-#define LOOKUP_MAGIC ISC_MAGIC('l', 'o', 'o', 'k')
-#define VALID_LOOKUP(l) ISC_MAGIC_VALID((l), LOOKUP_MAGIC)
-
-#define MAX_RESTARTS 16
-
-static void lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event);
-
-static void
-fetch_done(isc_task_t *task, isc_event_t *event) {
- dns_lookup_t *lookup = event->ev_arg;
- dns_fetchevent_t *fevent;
-
- UNUSED(task);
- REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
- REQUIRE(VALID_LOOKUP(lookup));
- REQUIRE(lookup->task == task);
- fevent = (dns_fetchevent_t *)event;
- REQUIRE(fevent->fetch == lookup->fetch);
-
- lookup_find(lookup, fevent);
-}
-
-static inline isc_result_t
-start_fetch(dns_lookup_t *lookup) {
- isc_result_t result;
-
- /*
- * The caller must be holding the lookup's lock.
- */
-
- REQUIRE(lookup->fetch == NULL);
-
- result = dns_resolver_createfetch(lookup->view->resolver,
- dns_fixedname_name(&lookup->name),
- lookup->type,
- NULL, NULL, NULL, 0,
- lookup->task, fetch_done, lookup,
- &lookup->rdataset,
- &lookup->sigrdataset,
- &lookup->fetch);
-
- return (result);
-}
-
-static isc_result_t
-build_event(dns_lookup_t *lookup) {
- dns_name_t *name = NULL;
- dns_rdataset_t *rdataset = NULL;
- dns_rdataset_t *sigrdataset = NULL;
- isc_result_t result;
-
- name = isc_mem_get(lookup->mctx, sizeof(dns_name_t));
- if (name == NULL) {
- result = ISC_R_NOMEMORY;
- goto fail;
- }
- dns_name_init(name, NULL);
- result = dns_name_dup(dns_fixedname_name(&lookup->name),
- lookup->mctx, name);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- if (dns_rdataset_isassociated(&lookup->rdataset)) {
- rdataset = isc_mem_get(lookup->mctx, sizeof(dns_rdataset_t));
- if (rdataset == NULL) {
- result = ISC_R_NOMEMORY;
- goto fail;
- }
- dns_rdataset_init(rdataset);
- dns_rdataset_clone(&lookup->rdataset, rdataset);
- }
-
- if (dns_rdataset_isassociated(&lookup->sigrdataset)) {
- sigrdataset = isc_mem_get(lookup->mctx,
- sizeof(dns_rdataset_t));
- if (sigrdataset == NULL) {
- result = ISC_R_NOMEMORY;
- goto fail;
- }
- dns_rdataset_init(sigrdataset);
- dns_rdataset_clone(&lookup->sigrdataset, sigrdataset);
- }
-
- lookup->event->name = name;
- lookup->event->rdataset = rdataset;
- lookup->event->sigrdataset = sigrdataset;
-
- return (ISC_R_SUCCESS);
-
- fail:
- if (name != NULL) {
- if (dns_name_dynamic(name))
- dns_name_free(name, lookup->mctx);
- isc_mem_put(lookup->mctx, name, sizeof(dns_name_t));
- }
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- isc_mem_put(lookup->mctx, rdataset, sizeof(dns_rdataset_t));
- }
- if (sigrdataset != NULL) {
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- isc_mem_put(lookup->mctx, sigrdataset, sizeof(dns_rdataset_t));
- }
- return (result);
-}
-
-static isc_result_t
-view_find(dns_lookup_t *lookup, dns_name_t *foundname) {
- isc_result_t result;
- dns_name_t *name = dns_fixedname_name(&lookup->name);
- dns_rdatatype_t type;
-
- if (lookup->type == dns_rdatatype_rrsig)
- type = dns_rdatatype_any;
- else
- type = lookup->type;
-
- result = dns_view_find(lookup->view, name, type, 0, 0, ISC_FALSE,
- &lookup->event->db, &lookup->event->node,
- foundname, &lookup->rdataset,
- &lookup->sigrdataset);
- return (result);
-}
-
-static void
-lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
- isc_result_t result;
- isc_boolean_t want_restart;
- isc_boolean_t send_event = ISC_FALSE;
- dns_name_t *name, *fname, *prefix;
- dns_fixedname_t foundname, fixed;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned int nlabels;
- int order;
- dns_namereln_t namereln;
- dns_rdata_cname_t cname;
- dns_rdata_dname_t dname;
-
- REQUIRE(VALID_LOOKUP(lookup));
-
- LOCK(&lookup->lock);
-
- result = ISC_R_SUCCESS;
- name = dns_fixedname_name(&lookup->name);
-
- do {
- lookup->restarts++;
- want_restart = ISC_FALSE;
-
- if (event == NULL && !lookup->canceled) {
- dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
- INSIST(!dns_rdataset_isassociated(&lookup->rdataset));
- INSIST(!dns_rdataset_isassociated
- (&lookup->sigrdataset));
- result = view_find(lookup, fname);
- if (result == ISC_R_NOTFOUND) {
- /*
- * We don't know anything about the name.
- * Launch a fetch.
- */
- if (lookup->event->node != NULL) {
- INSIST(lookup->event->db != NULL);
- dns_db_detachnode(lookup->event->db,
- &lookup->event->node);
- }
- if (lookup->event->db != NULL)
- dns_db_detach(&lookup->event->db);
- result = start_fetch(lookup);
- if (result != ISC_R_SUCCESS)
- send_event = ISC_TRUE;
- goto done;
- }
- } else {
- result = event->result;
- fname = dns_fixedname_name(&event->foundname);
- dns_resolver_destroyfetch(&lookup->fetch);
- INSIST(event->rdataset == &lookup->rdataset);
- INSIST(event->sigrdataset == &lookup->sigrdataset);
- }
-
- /*
- * If we've been canceled, forget about the result.
- */
- if (lookup->canceled)
- result = ISC_R_CANCELED;
-
- switch (result) {
- case ISC_R_SUCCESS:
- result = build_event(lookup);
- send_event = ISC_TRUE;
- if (event == NULL)
- break;
- if (event->db != NULL)
- dns_db_attach(event->db, &lookup->event->db);
- if (event->node != NULL)
- dns_db_attachnode(lookup->event->db,
- event->node,
- &lookup->event->node);
- break;
- case DNS_R_CNAME:
- /*
- * Copy the CNAME's target into the lookup's
- * query name and start over.
- */
- result = dns_rdataset_first(&lookup->rdataset);
- if (result != ISC_R_SUCCESS)
- break;
- dns_rdataset_current(&lookup->rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &cname, NULL);
- dns_rdata_reset(&rdata);
- if (result != ISC_R_SUCCESS)
- break;
- result = dns_name_copy(&cname.cname, name, NULL);
- dns_rdata_freestruct(&cname);
- if (result == ISC_R_SUCCESS)
- want_restart = ISC_TRUE;
- break;
- case DNS_R_DNAME:
- namereln = dns_name_fullcompare(name, fname, &order,
- &nlabels);
- INSIST(namereln == dns_namereln_subdomain);
- /*
- * Get the target name of the DNAME.
- */
- result = dns_rdataset_first(&lookup->rdataset);
- if (result != ISC_R_SUCCESS)
- break;
- dns_rdataset_current(&lookup->rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
- dns_rdata_reset(&rdata);
- if (result != ISC_R_SUCCESS)
- break;
- /*
- * Construct the new query name and start over.
- */
- dns_fixedname_init(&fixed);
- prefix = dns_fixedname_name(&fixed);
- dns_name_split(name, nlabels, prefix, NULL);
- result = dns_name_concatenate(prefix, &dname.dname,
- name, NULL);
- dns_rdata_freestruct(&dname);
- if (result == ISC_R_SUCCESS)
- want_restart = ISC_TRUE;
- break;
- default:
- send_event = ISC_TRUE;
- }
-
- if (dns_rdataset_isassociated(&lookup->rdataset))
- dns_rdataset_disassociate(&lookup->rdataset);
- if (dns_rdataset_isassociated(&lookup->sigrdataset))
- dns_rdataset_disassociate(&lookup->sigrdataset);
-
- done:
- if (event != NULL) {
- if (event->node != NULL)
- dns_db_detachnode(event->db, &event->node);
- if (event->db != NULL)
- dns_db_detach(&event->db);
- isc_event_free(ISC_EVENT_PTR(&event));
- }
-
- /*
- * Limit the number of restarts.
- */
- if (want_restart && lookup->restarts == MAX_RESTARTS) {
- want_restart = ISC_FALSE;
- result = ISC_R_QUOTA;
- send_event = ISC_TRUE;
- }
-
- } while (want_restart);
-
- if (send_event) {
- lookup->event->result = result;
- lookup->event->ev_sender = lookup;
- isc_task_sendanddetach(&lookup->task,
- (isc_event_t **)&lookup->event);
- dns_view_detach(&lookup->view);
- }
-
- UNLOCK(&lookup->lock);
-}
-
-static void
-levent_destroy(isc_event_t *event) {
- dns_lookupevent_t *levent;
- isc_mem_t *mctx;
-
- REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
- mctx = event->ev_destroy_arg;
- levent = (dns_lookupevent_t *)event;
-
- if (levent->name != NULL) {
- if (dns_name_dynamic(levent->name))
- dns_name_free(levent->name, mctx);
- isc_mem_put(mctx, levent->name, sizeof(dns_name_t));
- }
- if (levent->rdataset != NULL) {
- dns_rdataset_disassociate(levent->rdataset);
- isc_mem_put(mctx, levent->rdataset, sizeof(dns_rdataset_t));
- }
- if (levent->sigrdataset != NULL) {
- dns_rdataset_disassociate(levent->sigrdataset);
- isc_mem_put(mctx, levent->sigrdataset, sizeof(dns_rdataset_t));
- }
- if (levent->node != NULL)
- dns_db_detachnode(levent->db, &levent->node);
- if (levent->db != NULL)
- dns_db_detach(&levent->db);
- isc_mem_put(mctx, event, event->ev_size);
-}
-
-
-isc_result_t
-dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
- dns_view_t *view, unsigned int options, isc_task_t *task,
- isc_taskaction_t action, void *arg, dns_lookup_t **lookupp)
-{
- isc_result_t result;
- dns_lookup_t *lookup;
- isc_event_t *ievent;
-
- lookup = isc_mem_get(mctx, sizeof(*lookup));
- if (lookup == NULL)
- return (ISC_R_NOMEMORY);
- lookup->mctx = mctx;
- lookup->options = options;
-
- ievent = isc_event_allocate(mctx, lookup, DNS_EVENT_LOOKUPDONE,
- action, arg, sizeof(*lookup->event));
- if (ievent == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_lookup;
- }
- lookup->event = (dns_lookupevent_t *)ievent;
- lookup->event->ev_destroy = levent_destroy;
- lookup->event->ev_destroy_arg = mctx;
- lookup->event->result = ISC_R_FAILURE;
- lookup->event->name = NULL;
- lookup->event->rdataset = NULL;
- lookup->event->sigrdataset = NULL;
- lookup->event->db = NULL;
- lookup->event->node = NULL;
-
- lookup->task = NULL;
- isc_task_attach(task, &lookup->task);
-
- result = isc_mutex_init(&lookup->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_event;
-
- dns_fixedname_init(&lookup->name);
-
- result = dns_name_copy(name, dns_fixedname_name(&lookup->name), NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup_lock;
-
- lookup->type = type;
- lookup->view = NULL;
- dns_view_attach(view, &lookup->view);
- lookup->fetch = NULL;
- lookup->restarts = 0;
- lookup->canceled = ISC_FALSE;
- dns_rdataset_init(&lookup->rdataset);
- dns_rdataset_init(&lookup->sigrdataset);
- lookup->magic = LOOKUP_MAGIC;
-
- *lookupp = lookup;
-
- lookup_find(lookup, NULL);
-
- return (ISC_R_SUCCESS);
-
- cleanup_lock:
- DESTROYLOCK(&lookup->lock);
-
- cleanup_event:
- ievent = (isc_event_t *)lookup->event;
- isc_event_free(&ievent);
- lookup->event = NULL;
-
- isc_task_detach(&lookup->task);
-
- cleanup_lookup:
- isc_mem_put(mctx, lookup, sizeof(*lookup));
-
- return (result);
-}
-
-void
-dns_lookup_cancel(dns_lookup_t *lookup) {
- REQUIRE(VALID_LOOKUP(lookup));
-
- LOCK(&lookup->lock);
-
- if (!lookup->canceled) {
- lookup->canceled = ISC_TRUE;
- if (lookup->fetch != NULL) {
- INSIST(lookup->view != NULL);
- dns_resolver_cancelfetch(lookup->fetch);
- }
- }
-
- UNLOCK(&lookup->lock);
-}
-
-void
-dns_lookup_destroy(dns_lookup_t **lookupp) {
- dns_lookup_t *lookup;
-
- REQUIRE(lookupp != NULL);
- lookup = *lookupp;
- REQUIRE(VALID_LOOKUP(lookup));
- REQUIRE(lookup->event == NULL);
- REQUIRE(lookup->task == NULL);
- REQUIRE(lookup->view == NULL);
- if (dns_rdataset_isassociated(&lookup->rdataset))
- dns_rdataset_disassociate(&lookup->rdataset);
- if (dns_rdataset_isassociated(&lookup->sigrdataset))
- dns_rdataset_disassociate(&lookup->sigrdataset);
-
- DESTROYLOCK(&lookup->lock);
- lookup->magic = 0;
- isc_mem_put(lookup->mctx, lookup, sizeof(*lookup));
-
- *lookupp = NULL;
-}
diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c
deleted file mode 100644
index 7a2dab3adef2..000000000000
--- a/contrib/bind9/lib/dns/master.c
+++ /dev/null
@@ -1,2376 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: master.c,v 1.122.2.8.2.14 2004/05/05 01:32:16 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/event.h>
-#include <isc/lex.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/serial.h>
-#include <isc/stdtime.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/master.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/time.h>
-#include <dns/ttl.h>
-
-/*
- * Grow the number of dns_rdatalist_t (RDLSZ) and dns_rdata_t (RDSZ) structures
- * by these sizes when we need to.
- *
- * RDLSZ reflects the number of different types with the same name expected.
- * RDSZ reflects the number of rdata expected at a give name that can fit into
- * 64k.
- */
-
-#define RDLSZ 32
-#define RDSZ 512
-
-#define NBUFS 4
-#define MAXWIRESZ 255
-
-/*
- * Target buffer size and minimum target size.
- * MINTSIZ must be big enough to hold the largest rdata record.
- *
- * TSIZ >= MINTSIZ
- */
-#define TSIZ (128*1024)
-/*
- * max message size - header - root - type - class - ttl - rdlen
- */
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
-/*
- * Size for tokens in the presentation format,
- * The largest tokens are the base64 blocks in KEY and CERT records,
- * Largest key allowed is about 1372 bytes but
- * there is no fixed upper bound on CERT records.
- * 2K is too small for some X.509s, 8K is overkill.
- */
-#define TOKENSIZ (8*1024)
-
-#define DNS_MASTER_BUFSZ 2048
-
-typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
-
-typedef struct dns_incctx dns_incctx_t;
-
-/*
- * Master file load state.
- */
-
-struct dns_loadctx {
- unsigned int magic;
- isc_mem_t *mctx;
- isc_lex_t *lex;
- isc_boolean_t keep_lex;
- dns_rdatacallbacks_t *callbacks;
- isc_task_t *task;
- dns_loaddonefunc_t done;
- void *done_arg;
- unsigned int options;
- isc_boolean_t ttl_known;
- isc_boolean_t default_ttl_known;
- isc_boolean_t warn_1035;
- isc_boolean_t warn_tcr;
- isc_boolean_t warn_sigexpired;
- isc_boolean_t seen_include;
- isc_uint32_t ttl;
- isc_uint32_t default_ttl;
- dns_rdataclass_t zclass;
- dns_fixedname_t fixed_top;
- dns_name_t *top; /* top of zone */
- /* Which fixed buffers we are using? */
- unsigned int loop_cnt; /* records per quantum,
- * 0 => all. */
- isc_boolean_t canceled;
- isc_mutex_t lock;
- isc_result_t result;
- /* locked by lock */
- isc_uint32_t references;
- dns_incctx_t *inc;
-};
-
-struct dns_incctx {
- dns_incctx_t *parent;
- dns_name_t *origin;
- dns_name_t *current;
- dns_name_t *glue;
- dns_fixedname_t fixed[NBUFS]; /* working buffers */
- unsigned int in_use[NBUFS]; /* covert to bitmap? */
- int glue_in_use;
- int current_in_use;
- int origin_in_use;
- isc_boolean_t drop;
- unsigned int glue_line;
- unsigned int current_line;
-};
-
-#define DNS_LCTX_MAGIC ISC_MAGIC('L','c','t','x')
-#define DNS_LCTX_VALID(lctx) ISC_MAGIC_VALID(lctx, DNS_LCTX_MAGIC)
-
-#define DNS_AS_STR(t) ((t).value.as_textregion.base)
-
-static isc_result_t
-pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx);
-
-static isc_result_t
-commit(dns_rdatacallbacks_t *, dns_loadctx_t *, rdatalist_head_t *,
- dns_name_t *, const char *, unsigned int);
-
-static isc_boolean_t
-is_glue(rdatalist_head_t *, dns_name_t *);
-
-static dns_rdatalist_t *
-grow_rdatalist(int, dns_rdatalist_t *, int, rdatalist_head_t *,
- rdatalist_head_t *, isc_mem_t *mctx);
-
-static dns_rdata_t *
-grow_rdata(int, dns_rdata_t *, int, rdatalist_head_t *, rdatalist_head_t *,
- isc_mem_t *);
-
-static void
-load_quantum(isc_task_t *task, isc_event_t *event);
-
-static isc_result_t
-task_send(dns_loadctx_t *lctx);
-
-static void
-loadctx_destroy(dns_loadctx_t *lctx);
-
-#define GETTOKEN(lexer, options, token, eol) \
- do { \
- result = gettoken(lexer, options, token, eol, callbacks); \
- switch (result) { \
- case ISC_R_SUCCESS: \
- break; \
- case ISC_R_UNEXPECTED: \
- goto insist_and_cleanup; \
- default: \
- if (MANYERRS(lctx, result)) { \
- SETRESULT(lctx, result); \
- LOGIT(result); \
- read_till_eol = ISC_TRUE; \
- goto next_line; \
- } else \
- goto log_and_cleanup; \
- } \
- if ((token)->type == isc_tokentype_special) { \
- result = DNS_R_SYNTAX; \
- if (MANYERRS(lctx, result)) { \
- SETRESULT(lctx, result); \
- LOGIT(result); \
- read_till_eol = ISC_TRUE; \
- goto next_line; \
- } else \
- goto log_and_cleanup; \
- } \
- } while (0)
-
-#define COMMITALL \
- do { \
- result = commit(callbacks, lctx, &current_list, \
- ictx->current, source, ictx->current_line); \
- if (MANYERRS(lctx, result)) { \
- SETRESULT(lctx, result); \
- } else if (result != ISC_R_SUCCESS) \
- goto insist_and_cleanup; \
- result = commit(callbacks, lctx, &glue_list, \
- ictx->glue, source, ictx->glue_line); \
- if (MANYERRS(lctx, result)) { \
- SETRESULT(lctx, result); \
- } else if (result != ISC_R_SUCCESS) \
- goto insist_and_cleanup; \
- rdcount = 0; \
- rdlcount = 0; \
- isc_buffer_init(&target, target_mem, target_size); \
- rdcount_save = rdcount; \
- rdlcount_save = rdlcount; \
- } while (0)
-
-#define WARNUNEXPECTEDEOF(lexer) \
- do { \
- if (isc_lex_isfile(lexer)) \
- (*callbacks->warn)(callbacks, \
- "%s: file does not end with newline", \
- source); \
- } while (0)
-
-#define EXPECTEOL \
- do { \
- GETTOKEN(lctx->lex, 0, &token, ISC_TRUE); \
- if (token.type != isc_tokentype_eol) { \
- isc_lex_ungettoken(lctx->lex, &token); \
- result = DNS_R_EXTRATOKEN; \
- if (MANYERRS(lctx, result)) { \
- SETRESULT(lctx, result); \
- LOGIT(result); \
- read_till_eol = ISC_TRUE; \
- continue; \
- } else if (result != ISC_R_SUCCESS) \
- goto log_and_cleanup; \
- } \
- } while (0)
-
-#define MANYERRS(lctx, result) \
- ((result != ISC_R_SUCCESS) && \
- ((lctx)->options & DNS_MASTER_MANYERRORS) != 0)
-
-#define SETRESULT(lctx, r) \
- do { \
- if ((lctx)->result == ISC_R_SUCCESS) \
- (lctx)->result = r; \
- } while (0)
-
-#define LOGITFILE(result, filename) \
- if (result == ISC_R_INVALIDFILE || result == ISC_R_FILENOTFOUND || \
- result == ISC_R_IOERROR || result == ISC_R_TOOMANYOPENFILES || \
- result == ISC_R_NOPERM) \
- (*callbacks->error)(callbacks, "%s: %s:%lu: %s: %s", \
- "dns_master_load", source, line, \
- filename, dns_result_totext(result)); \
- else LOGIT(result)
-
-#define LOGIT(result) \
- if (result == ISC_R_NOMEMORY) \
- (*callbacks->error)(callbacks, "dns_master_load: %s", \
- dns_result_totext(result)); \
- else \
- (*callbacks->error)(callbacks, "%s: %s:%lu: %s", \
- "dns_master_load", \
- source, line, dns_result_totext(result))
-
-
-static unsigned char in_addr_arpa_data[] = "\007IN-ADDR\004ARPA";
-static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
-static const dns_name_t in_addr_arpa =
-{
- DNS_NAME_MAGIC,
- in_addr_arpa_data, 14, 3,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- in_addr_arpa_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-static unsigned char ip6_int_data[] = "\003IP6\003INT";
-static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
-static const dns_name_t ip6_int =
-{
- DNS_NAME_MAGIC,
- ip6_int_data, 9, 3,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- ip6_int_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-static unsigned char ip6_arpa_data[] = "\003IP6\004ARPA";
-static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
-static const dns_name_t ip6_arpa =
-{
- DNS_NAME_MAGIC,
- ip6_arpa_data, 10, 3,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- ip6_arpa_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-
-static inline isc_result_t
-gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
- isc_boolean_t eol, dns_rdatacallbacks_t *callbacks)
-{
- isc_result_t result;
-
- options |= ISC_LEXOPT_EOL | ISC_LEXOPT_EOF | ISC_LEXOPT_DNSMULTILINE |
- ISC_LEXOPT_ESCAPE;
- result = isc_lex_gettoken(lex, options, token);
- if (result != ISC_R_SUCCESS) {
- switch (result) {
- case ISC_R_NOMEMORY:
- return (ISC_R_NOMEMORY);
- default:
- (*callbacks->error)(callbacks,
- "dns_master_load: %s:%lu:"
- " isc_lex_gettoken() failed: %s",
- isc_lex_getsourcename(lex),
- isc_lex_getsourceline(lex),
- isc_result_totext(result));
- return (result);
- }
- /*NOTREACHED*/
- }
- if (eol != ISC_TRUE)
- if (token->type == isc_tokentype_eol ||
- token->type == isc_tokentype_eof) {
- (*callbacks->error)(callbacks,
- "dns_master_load: %s:%lu: unexpected end of %s",
- isc_lex_getsourcename(lex),
- isc_lex_getsourceline(lex),
- (token->type ==
- isc_tokentype_eol) ?
- "line" : "file");
- return (ISC_R_UNEXPECTEDEND);
- }
- return (ISC_R_SUCCESS);
-}
-
-
-void
-dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target) {
-
- REQUIRE(target != NULL && *target == NULL);
- REQUIRE(DNS_LCTX_VALID(source));
-
- LOCK(&source->lock);
- INSIST(source->references > 0);
- source->references++;
- INSIST(source->references != 0); /* Overflow? */
- UNLOCK(&source->lock);
-
- *target = source;
-}
-
-void
-dns_loadctx_detach(dns_loadctx_t **lctxp) {
- dns_loadctx_t *lctx;
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(lctxp != NULL);
- lctx = *lctxp;
- REQUIRE(DNS_LCTX_VALID(lctx));
-
- LOCK(&lctx->lock);
- INSIST(lctx->references > 0);
- lctx->references--;
- if (lctx->references == 0)
- need_destroy = ISC_TRUE;
- UNLOCK(&lctx->lock);
-
- if (need_destroy)
- loadctx_destroy(lctx);
- *lctxp = NULL;
-}
-
-static void
-incctx_destroy(isc_mem_t *mctx, dns_incctx_t *ictx) {
- dns_incctx_t *parent;
-
- again:
- parent = ictx->parent;
- ictx->parent = NULL;
-
- isc_mem_put(mctx, ictx, sizeof(*ictx));
-
- if (parent != NULL) {
- ictx = parent;
- goto again;
- }
-}
-
-static void
-loadctx_destroy(dns_loadctx_t *lctx) {
- isc_mem_t *mctx;
-
- REQUIRE(DNS_LCTX_VALID(lctx));
-
- lctx->magic = 0;
- if (lctx->inc != NULL)
- incctx_destroy(lctx->mctx, lctx->inc);
-
- /* isc_lex_destroy() will close all open streams */
- if (lctx->lex != NULL && !lctx->keep_lex)
- isc_lex_destroy(&lctx->lex);
-
- if (lctx->task != NULL)
- isc_task_detach(&lctx->task);
- DESTROYLOCK(&lctx->lock);
- mctx = NULL;
- isc_mem_attach(lctx->mctx, &mctx);
- isc_mem_detach(&lctx->mctx);
- isc_mem_put(mctx, lctx, sizeof(*lctx));
- isc_mem_detach(&mctx);
-}
-
-static isc_result_t
-incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
- dns_incctx_t *ictx;
- isc_region_t r;
- int i;
-
- ictx = isc_mem_get(mctx, sizeof(*ictx));
- if (ictx == NULL)
- return (ISC_R_NOMEMORY);
-
- for (i = 0; i < NBUFS; i++) {
- dns_fixedname_init(&ictx->fixed[i]);
- ictx->in_use[i] = ISC_FALSE;
- }
-
- ictx->origin_in_use = 0;
- ictx->origin = dns_fixedname_name(&ictx->fixed[ictx->origin_in_use]);
- ictx->in_use[ictx->origin_in_use] = ISC_TRUE;
- dns_name_toregion(origin, &r);
- dns_name_fromregion(ictx->origin, &r);
-
- ictx->glue = NULL;
- ictx->current = NULL;
- ictx->glue_in_use = -1;
- ictx->current_in_use = -1;
- ictx->parent = NULL;
- ictx->drop = ISC_FALSE;
- ictx->glue_line = 0;
- ictx->current_line = 0;
-
- *ictxp = ictx;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
- dns_rdataclass_t zclass, dns_name_t *origin,
- dns_rdatacallbacks_t *callbacks, isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex,
- dns_loadctx_t **lctxp)
-{
- dns_loadctx_t *lctx;
- isc_result_t result;
- isc_region_t r;
- isc_lexspecials_t specials;
-
- REQUIRE(lctxp != NULL && *lctxp == NULL);
- REQUIRE(callbacks != NULL);
- REQUIRE(callbacks->add != NULL);
- REQUIRE(callbacks->error != NULL);
- REQUIRE(callbacks->warn != NULL);
- REQUIRE(mctx != NULL);
- REQUIRE(dns_name_isabsolute(top));
- REQUIRE(dns_name_isabsolute(origin));
- REQUIRE((task == NULL && done == NULL) ||
- (task != NULL && done != NULL));
-
- lctx = isc_mem_get(mctx, sizeof(*lctx));
- if (lctx == NULL)
- return (ISC_R_NOMEMORY);
- result = isc_mutex_init(&lctx->lock);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, lctx, sizeof(*lctx));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- lctx->inc = NULL;
- result = incctx_create(mctx, origin, &lctx->inc);
- if (result != ISC_R_SUCCESS)
- goto cleanup_ctx;
-
- if (lex != NULL) {
- lctx->lex = lex;
- lctx->keep_lex = ISC_TRUE;
- } else {
- lctx->lex = NULL;
- result = isc_lex_create(mctx, TOKENSIZ, &lctx->lex);
- if (result != ISC_R_SUCCESS)
- goto cleanup_inc;
- lctx->keep_lex = ISC_FALSE;
- memset(specials, 0, sizeof(specials));
- specials['('] = 1;
- specials[')'] = 1;
- specials['"'] = 1;
- isc_lex_setspecials(lctx->lex, specials);
- isc_lex_setcomments(lctx->lex, ISC_LEXCOMMENT_DNSMASTERFILE);
- }
-
- lctx->ttl_known = ISC_FALSE;
- lctx->ttl = 0;
- lctx->default_ttl_known = ISC_FALSE;
- lctx->default_ttl = 0;
- lctx->warn_1035 = ISC_TRUE; /* XXX Argument? */
- lctx->warn_tcr = ISC_TRUE; /* XXX Argument? */
- lctx->warn_sigexpired = ISC_TRUE; /* XXX Argument? */
- lctx->options = options;
- lctx->seen_include = ISC_FALSE;
- lctx->zclass = zclass;
- lctx->result = ISC_R_SUCCESS;
-
- dns_fixedname_init(&lctx->fixed_top);
- lctx->top = dns_fixedname_name(&lctx->fixed_top);
- dns_name_toregion(top, &r);
- dns_name_fromregion(lctx->top, &r);
-
- lctx->loop_cnt = (done != NULL) ? 100 : 0;
- lctx->callbacks = callbacks;
- lctx->task = NULL;
- if (task != NULL)
- isc_task_attach(task, &lctx->task);
- lctx->done = done;
- lctx->done_arg = done_arg;
- lctx->canceled = ISC_FALSE;
- lctx->mctx = NULL;
- isc_mem_attach(mctx, &lctx->mctx);
- lctx->references = 1; /* Implicit attach. */
- lctx->magic = DNS_LCTX_MAGIC;
- *lctxp = lctx;
- return (ISC_R_SUCCESS);
-
- cleanup_inc:
- incctx_destroy(mctx, lctx->inc);
- cleanup_ctx:
- isc_mem_put(mctx, lctx, sizeof(*lctx));
- return (result);
-}
-
-static isc_result_t
-genname(char *name, int it, char *buffer, size_t length) {
- char fmt[sizeof("%04000000000d")];
- char numbuf[128];
- char *cp;
- char mode[2];
- int delta = 0;
- isc_textregion_t r;
- unsigned int n;
- unsigned int width;
-
- r.base = buffer;
- r.length = length;
-
- while (*name != '\0') {
- if (*name == '$') {
- name++;
- if (*name == '$') {
- if (r.length == 0)
- return (ISC_R_NOSPACE);
- r.base[0] = *name++;
- isc_textregion_consume(&r, 1);
- continue;
- }
- strcpy(fmt, "%d");
- /* Get format specifier. */
- if (*name == '{' ) {
- n = sscanf(name, "{%d,%u,%1[doxX]}",
- &delta, &width, mode);
- switch (n) {
- case 1:
- break;
- case 2:
- n = snprintf(fmt, sizeof(fmt),
- "%%0%ud", width);
- break;
- case 3:
- n = snprintf(fmt, sizeof(fmt),
- "%%0%u%c", width, mode[0]);
- break;
- default:
- return (DNS_R_SYNTAX);
- }
- if (n >= sizeof(fmt))
- return (ISC_R_NOSPACE);
- /* Skip past closing brace. */
- while (*name != '\0' && *name++ != '}')
- continue;
- }
- n = snprintf(numbuf, sizeof(numbuf), fmt, it + delta);
- if (n >= sizeof(numbuf))
- return (ISC_R_NOSPACE);
- cp = numbuf;
- while (*cp != '\0') {
- if (r.length == 0)
- return (ISC_R_NOSPACE);
- r.base[0] = *cp++;
- isc_textregion_consume(&r, 1);
- }
- } else if (*name == '\\') {
- if (r.length == 0)
- return (ISC_R_NOSPACE);
- r.base[0] = *name++;
- isc_textregion_consume(&r, 1);
- if (*name == '\0')
- continue;
- if (r.length == 0)
- return (ISC_R_NOSPACE);
- r.base[0] = *name++;
- isc_textregion_consume(&r, 1);
- } else {
- if (r.length == 0)
- return (ISC_R_NOSPACE);
- r.base[0] = *name++;
- isc_textregion_consume(&r, 1);
- }
- }
- if (r.length == 0)
- return (ISC_R_NOSPACE);
- r.base[0] = '\0';
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
- const char *source, unsigned int line)
-{
- char *target_mem = NULL;
- char *lhsbuf = NULL;
- char *rhsbuf = NULL;
- dns_fixedname_t ownerfixed;
- dns_name_t *owner;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdatacallbacks_t *callbacks;
- dns_rdatalist_t rdatalist;
- dns_rdatatype_t type;
- rdatalist_head_t head;
- int n;
- int target_size = MINTSIZ; /* only one rdata at a time */
- isc_buffer_t buffer;
- isc_buffer_t target;
- isc_result_t result;
- isc_textregion_t r;
- unsigned int start, stop, step, i;
- dns_incctx_t *ictx;
-
- ictx = lctx->inc;
- callbacks = lctx->callbacks;
- dns_fixedname_init(&ownerfixed);
- owner = dns_fixedname_name(&ownerfixed);
- ISC_LIST_INIT(head);
-
- target_mem = isc_mem_get(lctx->mctx, target_size);
- rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
- lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
- if (target_mem == NULL || rhsbuf == NULL || lhsbuf == NULL) {
- result = ISC_R_NOMEMORY;
- goto error_cleanup;
- }
- isc_buffer_init(&target, target_mem, target_size);
-
- n = sscanf(range, "%u-%u/%u", &start, &stop, &step);
- if (n < 2 || stop < start) {
- (*callbacks->error)(callbacks,
- "%s: %s:%lu: invalid range '%s'",
- "$GENERATE", source, line, range);
- result = DNS_R_SYNTAX;
- goto insist_cleanup;
- }
- if (n == 2)
- step = 1;
-
- /*
- * Get type.
- */
- r.base = gtype;
- r.length = strlen(gtype);
- result = dns_rdatatype_fromtext(&type, &r);
- if (result != ISC_R_SUCCESS) {
- (*callbacks->error)(callbacks,
- "%s: %s:%lu: unknown RR type '%s'",
- "$GENERATE", source, line, gtype);
- goto insist_cleanup;
- }
-
- switch (type) {
- case dns_rdatatype_ns:
- case dns_rdatatype_ptr:
- case dns_rdatatype_cname:
- case dns_rdatatype_dname:
- break;
-
- case dns_rdatatype_a:
- case dns_rdatatype_aaaa:
- if (lctx->zclass == dns_rdataclass_in ||
- lctx->zclass == dns_rdataclass_hs)
- break;
- /* FALLTHROUGH */
- default:
- (*callbacks->error)(callbacks,
- "%s: %s:%lu: unsupported type '%s'",
- "$GENERATE", source, line, gtype);
- result = ISC_R_NOTIMPLEMENTED;
- goto error_cleanup;
- }
-
- ISC_LIST_INIT(rdatalist.rdata);
- ISC_LINK_INIT(&rdatalist, link);
- for (i = start; i <= stop; i += step) {
- result = genname(lhs, i, lhsbuf, DNS_MASTER_BUFSZ);
- if (result != ISC_R_SUCCESS)
- goto error_cleanup;
- result = genname(rhs, i, rhsbuf, DNS_MASTER_BUFSZ);
- if (result != ISC_R_SUCCESS)
- goto error_cleanup;
-
- isc_buffer_init(&buffer, lhsbuf, strlen(lhsbuf));
- isc_buffer_add(&buffer, strlen(lhsbuf));
- isc_buffer_setactive(&buffer, strlen(lhsbuf));
- result = dns_name_fromtext(owner, &buffer, ictx->origin,
- 0, NULL);
- if (result != ISC_R_SUCCESS)
- goto error_cleanup;
-
- if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
- (lctx->options & DNS_MASTER_SLAVE) == 0 &&
- !dns_name_issubdomain(owner, lctx->top))
- {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(owner, namebuf, sizeof(namebuf));
- /*
- * Ignore out-of-zone data.
- */
- (*callbacks->warn)(callbacks,
- "%s:%lu: "
- "ignoring out-of-zone data (%s)",
- source, line, namebuf);
- continue;
- }
-
- isc_buffer_init(&buffer, rhsbuf, strlen(rhsbuf));
- isc_buffer_add(&buffer, strlen(rhsbuf));
- isc_buffer_setactive(&buffer, strlen(rhsbuf));
-
- result = isc_lex_openbuffer(lctx->lex, &buffer);
- if (result != ISC_R_SUCCESS)
- goto error_cleanup;
-
- isc_buffer_init(&target, target_mem, target_size);
- result = dns_rdata_fromtext(&rdata, lctx->zclass, type,
- lctx->lex, ictx->origin, 0,
- lctx->mctx, &target, callbacks);
- RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- goto error_cleanup;
-
- rdatalist.type = type;
- rdatalist.covers = 0;
- rdatalist.rdclass = lctx->zclass;
- rdatalist.ttl = lctx->ttl;
- ISC_LIST_PREPEND(head, &rdatalist, link);
- ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
- result = commit(callbacks, lctx, &head, owner, source, line);
- ISC_LIST_UNLINK(rdatalist.rdata, &rdata, link);
- if (result != ISC_R_SUCCESS)
- goto error_cleanup;
- dns_rdata_reset(&rdata);
- }
- result = ISC_R_SUCCESS;
- goto cleanup;
-
- error_cleanup:
- if (result == ISC_R_NOMEMORY)
- (*callbacks->error)(callbacks, "$GENERATE: %s",
- dns_result_totext(result));
- else
- (*callbacks->error)(callbacks, "$GENERATE: %s:%lu: %s",
- source, line, dns_result_totext(result));
-
- insist_cleanup:
- INSIST(result != ISC_R_SUCCESS);
-
- cleanup:
- if (target_mem != NULL)
- isc_mem_put(lctx->mctx, target_mem, target_size);
- if (lhsbuf != NULL)
- isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_BUFSZ);
- if (rhsbuf != NULL)
- isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_BUFSZ);
- return (result);
-}
-
-static void
-limit_ttl(dns_rdatacallbacks_t *callbacks, const char *source, unsigned int line,
- isc_uint32_t *ttlp)
-{
- if (*ttlp > 0x7fffffffUL) {
- (callbacks->warn)(callbacks,
- "%s: %s:%lu: "
- "$TTL %lu > MAXTTL, "
- "setting $TTL to 0",
- "dns_master_load",
- source, line,
- *ttlp);
- *ttlp = 0;
- }
-}
-
-static isc_result_t
-check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
- unsigned long line)
-{
- char *tmp = NULL;
- isc_result_t result = ISC_R_SUCCESS;
- void (*callback)(struct dns_rdatacallbacks *, const char *, ...);
-
- if ((lctx->options & DNS_MASTER_FATALNS) != 0)
- callback = lctx->callbacks->error;
- else
- callback = lctx->callbacks->warn;
-
- if (token->type == isc_tokentype_string) {
- struct in_addr addr;
- struct in6_addr addr6;
-
- tmp = isc_mem_strdup(lctx->mctx, DNS_AS_STR(*token));
- if (tmp == NULL)
- return (ISC_R_NOMEMORY);
- /*
- * Catch both "1.2.3.4" and "1.2.3.4."
- */
- if (tmp[strlen(tmp) - 1] == '.')
- tmp[strlen(tmp) - 1] = '\0';
- if (inet_aton(tmp, &addr) == 1 ||
- inet_pton(AF_INET6, tmp, &addr6) == 1)
- result = DNS_R_NSISADDRESS;
- }
- if (result != ISC_R_SUCCESS)
- (*callback)(lctx->callbacks, "%s:%lu: NS record '%s' "
- "appears to be an address",
- source, line, DNS_AS_STR(*token));
- if (tmp != NULL)
- isc_mem_free(lctx->mctx, tmp);
- return (result);
-}
-
-static isc_result_t
-load(dns_loadctx_t *lctx) {
- dns_rdataclass_t rdclass;
- dns_rdatatype_t type, covers;
- isc_uint32_t ttl_offset = 0;
- dns_name_t *new_name;
- isc_boolean_t current_has_delegation = ISC_FALSE;
- isc_boolean_t done = ISC_FALSE;
- isc_boolean_t finish_origin = ISC_FALSE;
- isc_boolean_t finish_include = ISC_FALSE;
- isc_boolean_t read_till_eol = ISC_FALSE;
- isc_boolean_t initialws;
- char *include_file = NULL;
- isc_token_t token;
- isc_result_t result = ISC_R_UNEXPECTED;
- rdatalist_head_t glue_list;
- rdatalist_head_t current_list;
- dns_rdatalist_t *this;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdatalist_t *new_rdatalist;
- int rdlcount = 0;
- int rdlcount_save = 0;
- int rdatalist_size = 0;
- isc_buffer_t buffer;
- isc_buffer_t target;
- isc_buffer_t target_ft;
- isc_buffer_t target_save;
- dns_rdata_t *rdata = NULL;
- dns_rdata_t *new_rdata;
- int rdcount = 0;
- int rdcount_save = 0;
- int rdata_size = 0;
- unsigned char *target_mem = NULL;
- int target_size = TSIZ;
- int new_in_use;
- unsigned int loop_cnt = 0;
- isc_mem_t *mctx;
- dns_rdatacallbacks_t *callbacks;
- dns_incctx_t *ictx;
- char *range = NULL;
- char *lhs = NULL;
- char *gtype = NULL;
- char *rhs = NULL;
- const char *source = "";
- unsigned long line = 0;
- isc_boolean_t explicit_ttl;
- isc_stdtime_t now;
- char classname1[DNS_RDATACLASS_FORMATSIZE];
- char classname2[DNS_RDATACLASS_FORMATSIZE];
- unsigned int options = 0;
-
- REQUIRE(DNS_LCTX_VALID(lctx));
- callbacks = lctx->callbacks;
- mctx = lctx->mctx;
- ictx = lctx->inc;
-
- ISC_LIST_INIT(glue_list);
- ISC_LIST_INIT(current_list);
-
- isc_stdtime_get(&now);
-
- /*
- * Allocate target_size of buffer space. This is greater than twice
- * the maximum individual RR data size.
- */
- target_mem = isc_mem_get(mctx, target_size);
- if (target_mem == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- isc_buffer_init(&target, target_mem, target_size);
- target_save = target;
-
- if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0)
- options |= DNS_RDATA_CHECKNAMES;
- if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0)
- options |= DNS_RDATA_CHECKNAMESFAIL;
- source = isc_lex_getsourcename(lctx->lex);
- do {
- initialws = ISC_FALSE;
- line = isc_lex_getsourceline(lctx->lex);
- GETTOKEN(lctx->lex, ISC_LEXOPT_INITIALWS, &token, ISC_TRUE);
- line = isc_lex_getsourceline(lctx->lex);
-
- if (token.type == isc_tokentype_eof) {
- if (read_till_eol)
- WARNUNEXPECTEDEOF(lctx->lex);
- /* Pop the include stack? */
- if (ictx->parent != NULL) {
- COMMITALL;
- lctx->inc = ictx->parent;
- ictx->parent = NULL;
- incctx_destroy(lctx->mctx, ictx);
- RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
- line = isc_lex_getsourceline(lctx->lex);
- source = isc_lex_getsourcename(lctx->lex);
- ictx = lctx->inc;
- EXPECTEOL;
- continue;
- }
- done = ISC_TRUE;
- continue;
- }
-
- if (token.type == isc_tokentype_eol) {
- read_till_eol = ISC_FALSE;
- continue; /* blank line */
- }
-
- if (read_till_eol)
- continue;
-
- if (token.type == isc_tokentype_initialws) {
- /*
- * Still working on the same name.
- */
- initialws = ISC_TRUE;
- } else if (token.type == isc_tokentype_string) {
-
- /*
- * "$" Support.
- *
- * "$ORIGIN" and "$INCLUDE" can both take domain names.
- * The processing of "$ORIGIN" and "$INCLUDE" extends
- * across the normal domain name processing.
- */
-
- if (strcasecmp(DNS_AS_STR(token), "$ORIGIN") == 0) {
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- finish_origin = ISC_TRUE;
- } else if (strcasecmp(DNS_AS_STR(token),
- "$TTL") == 0) {
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- result =
- dns_ttl_fromtext(&token.value.as_textregion,
- &lctx->ttl);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- lctx->ttl = 0;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- limit_ttl(callbacks, source, line, &lctx->ttl);
- lctx->default_ttl = lctx->ttl;
- lctx->default_ttl_known = ISC_TRUE;
- EXPECTEOL;
- continue;
- } else if (strcasecmp(DNS_AS_STR(token),
- "$INCLUDE") == 0) {
- COMMITALL;
- if ((lctx->options & DNS_MASTER_NOINCLUDE)
- != 0)
- {
- (callbacks->error)(callbacks,
- "%s: %s:%lu: $INCLUDE not allowed",
- "dns_master_load",
- source, line);
- result = DNS_R_REFUSED;
- goto insist_and_cleanup;
- }
- if (ttl_offset != 0) {
- (callbacks->error)(callbacks,
- "%s: %s:%lu: $INCLUDE "
- "may not be used with $DATE",
- "dns_master_load",
- source, line);
- result = DNS_R_SYNTAX;
- goto insist_and_cleanup;
- }
- GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING, &token,
- ISC_FALSE);
- if (include_file != NULL)
- isc_mem_free(mctx, include_file);
- include_file = isc_mem_strdup(mctx,
- DNS_AS_STR(token));
- if (include_file == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- GETTOKEN(lctx->lex, 0, &token, ISC_TRUE);
-
- if (token.type == isc_tokentype_eol ||
- token.type == isc_tokentype_eof) {
- if (token.type == isc_tokentype_eof)
- WARNUNEXPECTEDEOF(lctx->lex);
- isc_lex_ungettoken(lctx->lex, &token);
- /*
- * No origin field.
- */
- result = pushfile(include_file,
- ictx->origin, lctx);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- LOGITFILE(result, include_file);
- continue;
- } else if (result != ISC_R_SUCCESS) {
- LOGITFILE(result, include_file);
- goto insist_and_cleanup;
- }
- ictx = lctx->inc;
- line = isc_lex_getsourceline(lctx->lex);
- source =
- isc_lex_getsourcename(lctx->lex);
- continue;
- }
- /*
- * There is an origin field. Fall through
- * to domain name processing code and do
- * the actual inclusion later.
- */
- finish_include = ISC_TRUE;
- } else if (strcasecmp(DNS_AS_STR(token),
- "$DATE") == 0) {
- isc_int64_t dump_time64;
- isc_stdtime_t dump_time, current_time;
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- isc_stdtime_get(&current_time);
- result = dns_time64_fromtext(DNS_AS_STR(token),
- &dump_time64);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- LOGIT(result);
- dump_time64 = 0;
- } else if (result != ISC_R_SUCCESS)
- goto log_and_cleanup;
- dump_time = (isc_stdtime_t)dump_time64;
- if (dump_time != dump_time64) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "%s: %s:%lu: $DATE outside epoch",
- "dns_master_load", source, line);
- result = ISC_R_UNEXPECTED;
- goto insist_and_cleanup;
- }
- if (dump_time > current_time) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "%s: %s:%lu: "
- "$DATE in future, using current date",
- "dns_master_load", source, line);
- dump_time = current_time;
- }
- ttl_offset = current_time - dump_time;
- EXPECTEOL;
- continue;
- } else if (strcasecmp(DNS_AS_STR(token),
- "$GENERATE") == 0) {
- /*
- * Lazy cleanup.
- */
- if (range != NULL)
- isc_mem_free(mctx, range);
- if (lhs != NULL)
- isc_mem_free(mctx, lhs);
- if (gtype != NULL)
- isc_mem_free(mctx, gtype);
- if (rhs != NULL)
- isc_mem_free(mctx, rhs);
- /* RANGE */
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- range = isc_mem_strdup(mctx,
- DNS_AS_STR(token));
- if (range == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- /* LHS */
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- lhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
- if (lhs == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- rdclass = 0;
- explicit_ttl = ISC_FALSE;
- /* CLASS? */
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- if (dns_rdataclass_fromtext(&rdclass,
- &token.value.as_textregion)
- == ISC_R_SUCCESS) {
- GETTOKEN(lctx->lex, 0, &token,
- ISC_FALSE);
- }
- /* TTL? */
- if (dns_ttl_fromtext(&token.value.as_textregion,
- &lctx->ttl)
- == ISC_R_SUCCESS) {
- limit_ttl(callbacks, source, line,
- &lctx->ttl);
- lctx->ttl_known = ISC_TRUE;
- explicit_ttl = ISC_TRUE;
- GETTOKEN(lctx->lex, 0, &token,
- ISC_FALSE);
- }
- /* CLASS? */
- if (rdclass == 0 &&
- dns_rdataclass_fromtext(&rdclass,
- &token.value.as_textregion)
- == ISC_R_SUCCESS)
- GETTOKEN(lctx->lex, 0, &token,
- ISC_FALSE);
- /* TYPE */
- gtype = isc_mem_strdup(mctx,
- DNS_AS_STR(token));
- if (gtype == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- /* RHS */
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
- if (rhs == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- if (!lctx->ttl_known &&
- !lctx->default_ttl_known) {
- (*callbacks->error)(callbacks,
- "%s: %s:%lu: no TTL specified",
- "dns_master_load", source, line);
- result = DNS_R_NOTTL;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- lctx->ttl = 0;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- } else if (!explicit_ttl &&
- lctx->default_ttl_known) {
- lctx->ttl = lctx->default_ttl;
- }
- /*
- * If the class specified does not match the
- * zone's class print out a error message and
- * exit.
- */
- if (rdclass != 0 && rdclass != lctx->zclass) {
- goto bad_class;
- }
- result = generate(lctx, range, lhs, gtype, rhs,
- source, line);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- EXPECTEOL;
- continue;
- } else if (strncasecmp(DNS_AS_STR(token),
- "$", 1) == 0) {
- (callbacks->error)(callbacks,
- "%s: %s:%lu: "
- "unknown $ directive '%s'",
- "dns_master_load", source, line,
- DNS_AS_STR(token));
- result = DNS_R_SYNTAX;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
-
- /*
- * Normal processing resumes.
- *
- * Find a free name buffer.
- */
- for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
- if (!ictx->in_use[new_in_use])
- break;
- INSIST(new_in_use < NBUFS);
- dns_fixedname_init(&ictx->fixed[new_in_use]);
- new_name = dns_fixedname_name(&ictx->fixed[new_in_use]);
- isc_buffer_init(&buffer, token.value.as_region.base,
- token.value.as_region.length);
- isc_buffer_add(&buffer, token.value.as_region.length);
- isc_buffer_setactive(&buffer,
- token.value.as_region.length);
- result = dns_name_fromtext(new_name, &buffer,
- ictx->origin, ISC_FALSE, NULL);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- LOGIT(result);
- read_till_eol = ISC_TRUE;
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto log_and_cleanup;
-
- /*
- * Finish $ORIGIN / $INCLUDE processing if required.
- */
- if (finish_origin) {
- if (ictx->origin_in_use != -1)
- ictx->in_use[ictx->origin_in_use] =
- ISC_FALSE;
- ictx->origin_in_use = new_in_use;
- ictx->in_use[ictx->origin_in_use] = ISC_TRUE;
- ictx->origin = new_name;
- finish_origin = ISC_FALSE;
- EXPECTEOL;
- continue;
- }
- if (finish_include) {
- finish_include = ISC_FALSE;
- result = pushfile(include_file, new_name, lctx);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- LOGITFILE(result, include_file);
- continue;
- } else if (result != ISC_R_SUCCESS) {
- LOGITFILE(result, include_file);
- goto insist_and_cleanup;
- }
- ictx = lctx->inc;
- line = isc_lex_getsourceline(lctx->lex);
- source = isc_lex_getsourcename(lctx->lex);
- continue;
- }
-
- /*
- * "$" Processing Finished
- */
-
- /*
- * If we are processing glue and the new name does
- * not match the current glue name, commit the glue
- * and pop stacks leaving us in 'normal' processing
- * state. Linked lists are undone by commit().
- */
- if (ictx->glue != NULL &&
- dns_name_compare(ictx->glue, new_name) != 0) {
- result = commit(callbacks, lctx, &glue_list,
- ictx->glue, source,
- ictx->glue_line);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- if (ictx->glue_in_use != -1)
- ictx->in_use[ictx->glue_in_use] =
- ISC_FALSE;
- ictx->glue_in_use = -1;
- ictx->glue = NULL;
- rdcount = rdcount_save;
- rdlcount = rdlcount_save;
- target = target_save;
- }
-
- /*
- * If we are in 'normal' processing state and the new
- * name does not match the current name, see if the
- * new name is for glue and treat it as such,
- * otherwise we have a new name so commit what we
- * have.
- */
- if ((ictx->glue == NULL) && (ictx->current == NULL ||
- dns_name_compare(ictx->current, new_name) != 0)) {
- if (current_has_delegation &&
- is_glue(&current_list, new_name)) {
- rdcount_save = rdcount;
- rdlcount_save = rdlcount;
- target_save = target;
- ictx->glue = new_name;
- ictx->glue_in_use = new_in_use;
- ictx->in_use[ictx->glue_in_use] =
- ISC_TRUE;
- } else {
- result = commit(callbacks, lctx,
- &current_list,
- ictx->current,
- source,
- ictx->current_line);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- rdcount = 0;
- rdlcount = 0;
- if (ictx->current_in_use != -1)
- ictx->in_use[ictx->current_in_use] =
- ISC_FALSE;
- ictx->current_in_use = new_in_use;
- ictx->in_use[ictx->current_in_use] =
- ISC_TRUE;
- ictx->current = new_name;
- current_has_delegation = ISC_FALSE;
- isc_buffer_init(&target, target_mem,
- target_size);
- }
- }
- if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
- (lctx->options & DNS_MASTER_SLAVE) == 0 &&
- !dns_name_issubdomain(new_name, lctx->top))
- {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(new_name, namebuf,
- sizeof(namebuf));
- /*
- * Ignore out-of-zone data.
- */
- (*callbacks->warn)(callbacks,
- "%s:%lu: "
- "ignoring out-of-zone data (%s)",
- source, line, namebuf);
- ictx->drop = ISC_TRUE;
- } else
- ictx->drop = ISC_FALSE;
- } else {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "%s:%lu: isc_lex_gettoken() returned "
- "unexpeced token type (%d)",
- source, line, token.type);
- result = ISC_R_UNEXPECTED;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- LOGIT(result);
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
-
- /*
- * Find TTL, class and type. Both TTL and class are optional
- * and may occur in any order if they exist. TTL and class
- * come before type which must exist.
- *
- * [<TTL>] [<class>] <type> <RDATA>
- * [<class>] [<TTL>] <type> <RDATA>
- */
-
- type = 0;
- rdclass = 0;
-
- GETTOKEN(lctx->lex, 0, &token, initialws);
-
- if (initialws) {
- if (token.type == isc_tokentype_eol) {
- read_till_eol = ISC_FALSE;
- continue; /* blank line */
- }
-
- if (token.type == isc_tokentype_eof) {
- WARNUNEXPECTEDEOF(lctx->lex);
- read_till_eol = ISC_FALSE;
- isc_lex_ungettoken(lctx->lex, &token);
- continue;
- }
-
- if (ictx->current == NULL) {
- (*callbacks->error)(callbacks,
- "%s:%lu: no current owner name",
- source, line);
- result = DNS_R_NOOWNER;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- read_till_eol = ISC_TRUE;
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
- }
-
- if (dns_rdataclass_fromtext(&rdclass,
- &token.value.as_textregion)
- == ISC_R_SUCCESS)
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-
- explicit_ttl = ISC_FALSE;
- if (dns_ttl_fromtext(&token.value.as_textregion, &lctx->ttl)
- == ISC_R_SUCCESS) {
- limit_ttl(callbacks, source, line, &lctx->ttl);
- explicit_ttl = ISC_TRUE;
- lctx->ttl_known = ISC_TRUE;
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- }
-
- if (token.type != isc_tokentype_string) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_lex_gettoken() returned unexpected token type");
- result = ISC_R_UNEXPECTED;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- read_till_eol = ISC_TRUE;
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
-
- if (rdclass == 0 &&
- dns_rdataclass_fromtext(&rdclass,
- &token.value.as_textregion)
- == ISC_R_SUCCESS)
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
-
- if (token.type != isc_tokentype_string) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_lex_gettoken() returned unexpected token type");
- result = ISC_R_UNEXPECTED;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- read_till_eol = ISC_TRUE;
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
-
- result = dns_rdatatype_fromtext(&type,
- &token.value.as_textregion);
- if (result != ISC_R_SUCCESS) {
- (*callbacks->warn)(callbacks,
- "%s:%lu: unknown RR type '%.*s'",
- source, line,
- token.value.as_textregion.length,
- token.value.as_textregion.base);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- read_till_eol = ISC_TRUE;
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
-
- /*
- * If the class specified does not match the zone's class
- * print out a error message and exit.
- */
- if (rdclass != 0 && rdclass != lctx->zclass) {
- bad_class:
-
- dns_rdataclass_format(rdclass, classname1,
- sizeof(classname1));
- dns_rdataclass_format(lctx->zclass, classname2,
- sizeof(classname2));
- (*callbacks->error)(callbacks,
- "%s:%lu: class '%s' != "
- "zone class '%s'",
- source, line,
- classname1, classname2);
- result = DNS_R_BADCLASS;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- read_till_eol = ISC_TRUE;
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
-
- if (type == dns_rdatatype_ns && ictx->glue == NULL)
- current_has_delegation = ISC_TRUE;
-
- /*
- * RFC 1123: MD and MF are not allowed to be loaded from
- * master files.
- */
- if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
- (lctx->options & DNS_MASTER_SLAVE) == 0 &&
- (type == dns_rdatatype_md || type == dns_rdatatype_mf)) {
- char typename[DNS_RDATATYPE_FORMATSIZE];
-
- result = DNS_R_OBSOLETE;
-
- dns_rdatatype_format(type, typename, sizeof(typename));
- (*callbacks->error)(callbacks,
- "%s:%lu: %s '%s': %s",
- source, line,
- "type", typename,
- dns_result_totext(result));
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else
- goto insist_and_cleanup;
- }
-
- /*
- * Find a rdata structure.
- */
- if (rdcount == rdata_size) {
- new_rdata = grow_rdata(rdata_size + RDSZ, rdata,
- rdata_size, &current_list,
- &glue_list, mctx);
- if (new_rdata == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- rdata_size += RDSZ;
- rdata = new_rdata;
- }
-
- /*
- * Peek at the NS record.
- */
- if (type == dns_rdatatype_ns &&
- lctx->zclass == dns_rdataclass_in &&
- (lctx->options & DNS_MASTER_CHECKNS) != 0) {
-
- GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
- result = check_ns(lctx, &token, source, line);
- isc_lex_ungettoken(lctx->lex, &token);
- if ((lctx->options & DNS_MASTER_FATALNS) != 0) {
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
- }
-
- /*
- * Check owner name.
- */
- options &= ~DNS_RDATA_CHECKREVERSE;
- if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0) {
- isc_boolean_t ok;
- dns_name_t *name;
-
- name = (ictx->glue != NULL) ? ictx-> glue :
- ictx->current;
- ok = dns_rdata_checkowner(name, lctx->zclass, type,
- ISC_TRUE);
- if (!ok) {
- char namebuf[DNS_NAME_FORMATSIZE];
- const char *desc;
- dns_name_format(name, namebuf, sizeof(namebuf));
- result = DNS_R_BADOWNERNAME;
- desc = dns_result_totext(result);
- if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0) {
- (*callbacks->error)(callbacks,
- "%s:%lu: %s: %s",
- source, line,
- namebuf, desc);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto cleanup;
- } else {
- (*callbacks->warn)(callbacks,
- "%s:%lu: %s: %s",
- source, line,
- namebuf, desc);
- }
- }
- if (type == dns_rdatatype_ptr &&
- (dns_name_issubdomain(name, &in_addr_arpa) ||
- dns_name_issubdomain(name, &ip6_arpa) ||
- dns_name_issubdomain(name, &ip6_int)))
- options |= DNS_RDATA_CHECKREVERSE;
- }
-
- /*
- * Read rdata contents.
- */
- dns_rdata_init(&rdata[rdcount]);
- target_ft = target;
- result = dns_rdata_fromtext(&rdata[rdcount], lctx->zclass,
- type, lctx->lex, ictx->origin,
- options, lctx->mctx, &target,
- callbacks);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
-
- if (ictx->drop) {
- target = target_ft;
- continue;
- }
-
- if (type == dns_rdatatype_soa &&
- (lctx->options & DNS_MASTER_ZONE) != 0 &&
- dns_name_compare(ictx->current, lctx->top) != 0) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(ictx->current, namebuf,
- sizeof(namebuf));
- (*callbacks->error)(callbacks,
- "%s:%lu: SOA "
- "record not at top of zone (%s)",
- source, line, namebuf);
- result = DNS_R_NOTZONETOP;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- read_till_eol = ISC_TRUE;
- target = target_ft;
- continue;
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- }
-
-
- if (type == dns_rdatatype_rrsig ||
- type == dns_rdatatype_sig)
- covers = dns_rdata_covers(&rdata[rdcount]);
- else
- covers = 0;
-
- if (!lctx->ttl_known && !lctx->default_ttl_known) {
- if (type == dns_rdatatype_soa) {
- (*callbacks->warn)(callbacks,
- "%s:%lu: no TTL specified; "
- "using SOA MINTTL instead",
- source, line);
- lctx->ttl = dns_soa_getminimum(&rdata[rdcount]);
- limit_ttl(callbacks, source, line, &lctx->ttl);
- lctx->default_ttl = lctx->ttl;
- lctx->default_ttl_known = ISC_TRUE;
- } else if ((lctx->options & DNS_MASTER_HINT) != 0) {
- /*
- * Zero TTL's are fine for hints.
- */
- lctx->ttl = 0;
- lctx->default_ttl = lctx->ttl;
- lctx->default_ttl_known = ISC_TRUE;
- } else {
- (*callbacks->warn)(callbacks,
- "%s:%lu: no TTL specified; "
- "zone rejected",
- source, line);
- result = DNS_R_NOTTL;
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- lctx->ttl = 0;
- } else {
- goto insist_and_cleanup;
- }
- }
- } else if (!explicit_ttl && lctx->default_ttl_known) {
- lctx->ttl = lctx->default_ttl;
- } else if (!explicit_ttl && lctx->warn_1035) {
- (*callbacks->warn)(callbacks,
- "%s:%lu: "
- "using RFC 1035 TTL semantics",
- source, line);
- lctx->warn_1035 = ISC_FALSE;
- }
-
- if (type == dns_rdatatype_rrsig && lctx->warn_sigexpired) {
- dns_rdata_rrsig_t sig;
- (void)dns_rdata_tostruct(&rdata[rdcount], &sig, NULL);
- if (isc_serial_lt(sig.timeexpire, now)) {
- (*callbacks->warn)(callbacks,
- "%s:%lu: "
- "signature has expired",
- source, line);
- lctx->warn_sigexpired = ISC_FALSE;
- }
- }
-
- if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) &&
- lctx->warn_tcr && (lctx->options & DNS_MASTER_ZONE) != 0 &&
- (lctx->options & DNS_MASTER_SLAVE) == 0) {
- (*callbacks->warn)(callbacks, "%s:%lu: old style DNSSEC "
- " zone detected", source, line);
- lctx->warn_tcr = ISC_FALSE;
- }
-
- if ((lctx->options & DNS_MASTER_AGETTL) != 0) {
- /*
- * Adjust the TTL for $DATE. If the RR has already
- * expired, ignore it.
- */
- if (lctx->ttl < ttl_offset)
- continue;
- lctx->ttl -= ttl_offset;
- }
-
- /*
- * Find type in rdatalist.
- * If it does not exist create new one and prepend to list
- * as this will mimimise list traversal.
- */
- if (ictx->glue != NULL)
- this = ISC_LIST_HEAD(glue_list);
- else
- this = ISC_LIST_HEAD(current_list);
-
- while (this != NULL) {
- if (this->type == type && this->covers == covers)
- break;
- this = ISC_LIST_NEXT(this, link);
- }
-
- if (this == NULL) {
- if (rdlcount == rdatalist_size) {
- new_rdatalist =
- grow_rdatalist(rdatalist_size + RDLSZ,
- rdatalist,
- rdatalist_size,
- &current_list,
- &glue_list,
- mctx);
- if (new_rdatalist == NULL) {
- result = ISC_R_NOMEMORY;
- goto log_and_cleanup;
- }
- rdatalist = new_rdatalist;
- rdatalist_size += RDLSZ;
- }
- this = &rdatalist[rdlcount++];
- this->type = type;
- this->covers = covers;
- this->rdclass = lctx->zclass;
- this->ttl = lctx->ttl;
- ISC_LIST_INIT(this->rdata);
- if (ictx->glue != NULL)
- ISC_LIST_INITANDPREPEND(glue_list, this, link);
- else
- ISC_LIST_INITANDPREPEND(current_list, this,
- link);
- } else if (this->ttl != lctx->ttl) {
- (*callbacks->warn)(callbacks,
- "%s:%lu: "
- "TTL set to prior TTL (%lu)",
- source, line, this->ttl);
- lctx->ttl = this->ttl;
- }
-
- ISC_LIST_APPEND(this->rdata, &rdata[rdcount], link);
- if (ictx->glue != NULL)
- ictx->glue_line = line;
- else
- ictx->current_line = line;
- rdcount++;
-
- /*
- * We must have at least 64k as rdlen is 16 bits.
- * If we don't commit everything we have so far.
- */
- if ((target.length - target.used) < MINTSIZ)
- COMMITALL;
- next_line:
- ;
- } while (!done && (lctx->loop_cnt == 0 || loop_cnt++ < lctx->loop_cnt));
-
- /*
- * Commit what has not yet been committed.
- */
- result = commit(callbacks, lctx, &current_list, ictx->current,
- source, ictx->current_line);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
- result = commit(callbacks, lctx, &glue_list, ictx->glue,
- source, ictx->glue_line);
- if (MANYERRS(lctx, result)) {
- SETRESULT(lctx, result);
- } else if (result != ISC_R_SUCCESS)
- goto insist_and_cleanup;
-
- if (!done) {
- INSIST(lctx->done != NULL && lctx->task != NULL);
- result = DNS_R_CONTINUE;
- } else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS) {
- result = lctx->result;
- } else if (result == ISC_R_SUCCESS && lctx->seen_include)
- result = DNS_R_SEENINCLUDE;
- goto cleanup;
-
- log_and_cleanup:
- LOGIT(result);
-
- insist_and_cleanup:
- INSIST(result != ISC_R_SUCCESS);
-
- cleanup:
- while ((this = ISC_LIST_HEAD(current_list)) != NULL)
- ISC_LIST_UNLINK(current_list, this, link);
- while ((this = ISC_LIST_HEAD(glue_list)) != NULL)
- ISC_LIST_UNLINK(glue_list, this, link);
- if (rdatalist != NULL)
- isc_mem_put(mctx, rdatalist,
- rdatalist_size * sizeof(*rdatalist));
- if (rdata != NULL)
- isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
- if (target_mem != NULL)
- isc_mem_put(mctx, target_mem, target_size);
- if (include_file != NULL)
- isc_mem_free(mctx, include_file);
- if (range != NULL)
- isc_mem_free(mctx, range);
- if (lhs != NULL)
- isc_mem_free(mctx, lhs);
- if (gtype != NULL)
- isc_mem_free(mctx, gtype);
- if (rhs != NULL)
- isc_mem_free(mctx, rhs);
- return (result);
-}
-
-static isc_result_t
-pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
- isc_result_t result;
- dns_incctx_t *ictx;
- dns_incctx_t *new = NULL;
- isc_region_t r;
- int new_in_use;
-
- REQUIRE(master_file != NULL);
- REQUIRE(DNS_LCTX_VALID(lctx));
-
- ictx = lctx->inc;
- lctx->seen_include = ISC_TRUE;
-
- result = incctx_create(lctx->mctx, origin, &new);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /* Set current domain. */
- if (ictx->glue != NULL || ictx->current != NULL) {
- for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
- if (!new->in_use[new_in_use])
- break;
- INSIST(new_in_use < NBUFS);
- new->current_in_use = new_in_use;
- new->current =
- dns_fixedname_name(&new->fixed[new->current_in_use]);
- new->in_use[new->current_in_use] = ISC_TRUE;
- dns_name_toregion((ictx->glue != NULL) ?
- ictx->glue : ictx->current, &r);
- dns_name_fromregion(new->current, &r);
- new->drop = ictx->drop;
- }
-
- result = isc_lex_openfile(lctx->lex, master_file);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- new->parent = ictx;
- lctx->inc = new;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (new != NULL)
- incctx_destroy(lctx->mctx, new);
- return (result);
-}
-
-isc_result_t
-dns_master_loadfile(const char *master_file, dns_name_t *top,
- dns_name_t *origin,
- dns_rdataclass_t zclass, unsigned int options,
- dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
- dns_loadctx_t *lctx = NULL;
- isc_result_t result;
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, NULL, NULL, NULL, NULL, &lctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = isc_lex_openfile(lctx->lex, master_file);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = load(lctx);
- INSIST(result != DNS_R_CONTINUE);
-
- cleanup:
- if (lctx != NULL)
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-isc_result_t
-dns_master_loadfileinc(const char *master_file, dns_name_t *top,
- dns_name_t *origin, dns_rdataclass_t zclass,
- unsigned int options, dns_rdatacallbacks_t *callbacks,
- isc_task_t *task, dns_loaddonefunc_t done,
- void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
- dns_loadctx_t *lctx = NULL;
- isc_result_t result;
-
- REQUIRE(task != NULL);
- REQUIRE(done != NULL);
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, task, done, done_arg, NULL, &lctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = isc_lex_openfile(lctx->lex, master_file);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = task_send(lctx);
- if (result == ISC_R_SUCCESS) {
- dns_loadctx_attach(lctx, lctxp);
- return (DNS_R_CONTINUE);
- }
-
- cleanup:
- if (lctx != NULL)
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-isc_result_t
-dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
- dns_rdataclass_t zclass, unsigned int options,
- dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_loadctx_t *lctx = NULL;
-
- REQUIRE(stream != NULL);
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, NULL, NULL, NULL, NULL, &lctx);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = isc_lex_openstream(lctx->lex, stream);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = load(lctx);
- INSIST(result != DNS_R_CONTINUE);
-
- cleanup:
- if (lctx != NULL)
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-isc_result_t
-dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
- dns_rdataclass_t zclass, unsigned int options,
- dns_rdatacallbacks_t *callbacks, isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg,
- dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_loadctx_t *lctx = NULL;
-
- REQUIRE(stream != NULL);
- REQUIRE(task != NULL);
- REQUIRE(done != NULL);
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, task, done, done_arg, NULL, &lctx);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = isc_lex_openstream(lctx->lex, stream);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = task_send(lctx);
- if (result == ISC_R_SUCCESS) {
- dns_loadctx_attach(lctx, lctxp);
- return (DNS_R_CONTINUE);
- }
-
- cleanup:
- if (lctx != NULL)
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-isc_result_t
-dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
- dns_name_t *origin, dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_loadctx_t *lctx = NULL;
-
- REQUIRE(buffer != NULL);
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, NULL, NULL, NULL, NULL, &lctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = isc_lex_openbuffer(lctx->lex, buffer);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = load(lctx);
- INSIST(result != DNS_R_CONTINUE);
-
- cleanup:
- if (lctx != NULL)
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-isc_result_t
-dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
- dns_name_t *origin, dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks, isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg,
- dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_loadctx_t *lctx = NULL;
-
- REQUIRE(buffer != NULL);
- REQUIRE(task != NULL);
- REQUIRE(done != NULL);
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, task, done, done_arg, NULL, &lctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = isc_lex_openbuffer(lctx->lex, buffer);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = task_send(lctx);
- if (result == ISC_R_SUCCESS) {
- dns_loadctx_attach(lctx, lctxp);
- return (DNS_R_CONTINUE);
- }
-
- cleanup:
- if (lctx != NULL)
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-isc_result_t
-dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
- dns_name_t *origin, dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_loadctx_t *lctx = NULL;
-
- REQUIRE(lex != NULL);
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, NULL, NULL, NULL, lex, &lctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = load(lctx);
- INSIST(result != DNS_R_CONTINUE);
-
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-isc_result_t
-dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
- dns_name_t *origin, dns_rdataclass_t zclass,
- unsigned int options,
- dns_rdatacallbacks_t *callbacks, isc_task_t *task,
- dns_loaddonefunc_t done, void *done_arg,
- dns_loadctx_t **lctxp, isc_mem_t *mctx)
-{
- isc_result_t result;
- dns_loadctx_t *lctx = NULL;
-
- REQUIRE(lex != NULL);
- REQUIRE(task != NULL);
- REQUIRE(done != NULL);
-
- result = loadctx_create(mctx, options, top, zclass, origin,
- callbacks, task, done, done_arg, lex, &lctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = task_send(lctx);
- if (result == ISC_R_SUCCESS) {
- dns_loadctx_attach(lctx, lctxp);
- return (DNS_R_CONTINUE);
- }
-
- dns_loadctx_detach(&lctx);
- return (result);
-}
-
-/*
- * Grow the slab of dns_rdatalist_t structures.
- * Re-link glue and current list.
- */
-static dns_rdatalist_t *
-grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
- rdatalist_head_t *current, rdatalist_head_t *glue,
- isc_mem_t *mctx)
-{
- dns_rdatalist_t *new;
- int rdlcount = 0;
- ISC_LIST(dns_rdatalist_t) save;
- dns_rdatalist_t *this;
-
- new = isc_mem_get(mctx, new_len * sizeof(*new));
- if (new == NULL)
- return (NULL);
-
- ISC_LIST_INIT(save);
- this = ISC_LIST_HEAD(*current);
- while ((this = ISC_LIST_HEAD(*current)) != NULL) {
- ISC_LIST_UNLINK(*current, this, link);
- ISC_LIST_APPEND(save, this, link);
- }
- while ((this = ISC_LIST_HEAD(save)) != NULL) {
- ISC_LIST_UNLINK(save, this, link);
- new[rdlcount] = *this;
- ISC_LIST_APPEND(*current, &new[rdlcount], link);
- rdlcount++;
- }
-
- ISC_LIST_INIT(save);
- this = ISC_LIST_HEAD(*glue);
- while ((this = ISC_LIST_HEAD(*glue)) != NULL) {
- ISC_LIST_UNLINK(*glue, this, link);
- ISC_LIST_APPEND(save, this, link);
- }
- while ((this = ISC_LIST_HEAD(save)) != NULL) {
- ISC_LIST_UNLINK(save, this, link);
- new[rdlcount] = *this;
- ISC_LIST_APPEND(*glue, &new[rdlcount], link);
- rdlcount++;
- }
-
- INSIST(rdlcount == old_len);
- if (old != NULL)
- isc_mem_put(mctx, old, old_len * sizeof(*old));
- return (new);
-}
-
-/*
- * Grow the slab of rdata structs.
- * Re-link the current and glue chains.
- */
-static dns_rdata_t *
-grow_rdata(int new_len, dns_rdata_t *old, int old_len,
- rdatalist_head_t *current, rdatalist_head_t *glue,
- isc_mem_t *mctx)
-{
- dns_rdata_t *new;
- int rdcount = 0;
- ISC_LIST(dns_rdata_t) save;
- dns_rdatalist_t *this;
- dns_rdata_t *rdata;
-
- new = isc_mem_get(mctx, new_len * sizeof(*new));
- if (new == NULL)
- return (NULL);
- memset(new, 0, new_len * sizeof(*new));
-
- /*
- * Copy current relinking.
- */
- this = ISC_LIST_HEAD(*current);
- while (this != NULL) {
- ISC_LIST_INIT(save);
- while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
- ISC_LIST_UNLINK(this->rdata, rdata, link);
- ISC_LIST_APPEND(save, rdata, link);
- }
- while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
- ISC_LIST_UNLINK(save, rdata, link);
- new[rdcount] = *rdata;
- ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
- rdcount++;
- }
- this = ISC_LIST_NEXT(this, link);
- }
-
- /*
- * Copy glue relinking.
- */
- this = ISC_LIST_HEAD(*glue);
- while (this != NULL) {
- ISC_LIST_INIT(save);
- while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
- ISC_LIST_UNLINK(this->rdata, rdata, link);
- ISC_LIST_APPEND(save, rdata, link);
- }
- while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
- ISC_LIST_UNLINK(save, rdata, link);
- new[rdcount] = *rdata;
- ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
- rdcount++;
- }
- this = ISC_LIST_NEXT(this, link);
- }
- INSIST(rdcount == old_len);
- if (old != NULL)
- isc_mem_put(mctx, old, old_len * sizeof(*old));
- return (new);
-}
-
-/*
- * Convert each element from a rdatalist_t to rdataset then call commit.
- * Unlink each element as we go.
- */
-
-static isc_result_t
-commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
- rdatalist_head_t *head, dns_name_t *owner,
- const char *source, unsigned int line)
-{
- dns_rdatalist_t *this;
- dns_rdataset_t dataset;
- isc_result_t result;
- char namebuf[DNS_NAME_FORMATSIZE];
- void (*error)(struct dns_rdatacallbacks *, const char *, ...);
-
- this = ISC_LIST_HEAD(*head);
- error = callbacks->error;
-
- if (this == NULL)
- return (ISC_R_SUCCESS);
- do {
- dns_rdataset_init(&dataset);
- RUNTIME_CHECK(dns_rdatalist_tordataset(this, &dataset)
- == ISC_R_SUCCESS);
- dataset.trust = dns_trust_ultimate;
- result = ((*callbacks->add)(callbacks->add_private, owner,
- &dataset));
- if (result == ISC_R_NOMEMORY) {
- (*error)(callbacks, "dns_master_load: %s",
- dns_result_totext(result));
- } else if (result != ISC_R_SUCCESS) {
- dns_name_format(owner, namebuf,
- sizeof(namebuf));
- (*error)(callbacks, "%s: %s:%lu: %s: %s",
- "dns_master_load", source, line,
- namebuf, dns_result_totext(result));
- }
- if (MANYERRS(lctx, result))
- SETRESULT(lctx, result);
- else if (result != ISC_R_SUCCESS)
- return (result);
- ISC_LIST_UNLINK(*head, this, link);
- this = ISC_LIST_HEAD(*head);
- } while (this != NULL);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Returns ISC_TRUE if one of the NS rdata's contains 'owner'.
- */
-
-static isc_boolean_t
-is_glue(rdatalist_head_t *head, dns_name_t *owner) {
- dns_rdatalist_t *this;
- dns_rdata_t *rdata;
- isc_region_t region;
- dns_name_t name;
-
- /*
- * Find NS rrset.
- */
- this = ISC_LIST_HEAD(*head);
- while (this != NULL) {
- if (this->type == dns_rdatatype_ns)
- break;
- this = ISC_LIST_NEXT(this, link);
- }
- if (this == NULL)
- return (ISC_FALSE);
-
- rdata = ISC_LIST_HEAD(this->rdata);
- while (rdata != NULL) {
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- if (dns_name_compare(&name, owner) == 0)
- return (ISC_TRUE);
- rdata = ISC_LIST_NEXT(rdata, link);
- }
- return (ISC_FALSE);
-}
-
-static void
-load_quantum(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- dns_loadctx_t *lctx;
-
- REQUIRE(event != NULL);
- lctx = event->ev_arg;
- REQUIRE(DNS_LCTX_VALID(lctx));
-
- if (lctx->canceled)
- result = ISC_R_CANCELED;
- else
- result = load(lctx);
- if (result == DNS_R_CONTINUE) {
- event->ev_arg = lctx;
- isc_task_send(task, &event);
- } else {
- (lctx->done)(lctx->done_arg, result);
- isc_event_free(&event);
- dns_loadctx_detach(&lctx);
- }
-}
-
-static isc_result_t
-task_send(dns_loadctx_t *lctx) {
- isc_event_t *event;
-
- event = isc_event_allocate(lctx->mctx, NULL,
- DNS_EVENT_MASTERQUANTUM,
- load_quantum, lctx, sizeof(*event));
- if (event == NULL)
- return (ISC_R_NOMEMORY);
- isc_task_send(lctx->task, &event);
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_loadctx_cancel(dns_loadctx_t *lctx) {
- REQUIRE(DNS_LCTX_VALID(lctx));
-
- LOCK(&lctx->lock);
- lctx->canceled = ISC_TRUE;
- UNLOCK(&lctx->lock);
-}
diff --git a/contrib/bind9/lib/dns/masterdump.c b/contrib/bind9/lib/dns/masterdump.c
deleted file mode 100644
index 0225d7243f88..000000000000
--- a/contrib/bind9/lib/dns/masterdump.c
+++ /dev/null
@@ -1,1455 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: masterdump.c,v 1.56.2.5.2.12 2004/08/28 06:25:19 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/event.h>
-#include <isc/file.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/time.h>
-#include <dns/ttl.h>
-
-#define DNS_DCTX_MAGIC ISC_MAGIC('D', 'c', 't', 'x')
-#define DNS_DCTX_VALID(d) ISC_MAGIC_VALID(d, DNS_DCTX_MAGIC)
-
-#define RETERR(x) do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-struct dns_master_style {
- unsigned int flags; /* DNS_STYLEFLAG_* */
- unsigned int ttl_column;
- unsigned int class_column;
- unsigned int type_column;
- unsigned int rdata_column;
- unsigned int line_length;
- unsigned int tab_width;
-};
-
-/*
- * The maximum length of the newline+indentation that is output
- * when inserting a line break in an RR. This effectively puts an
- * upper limits on the value of "rdata_column", because if it is
- * very large, the tabs and spaces needed to reach it will not fit.
- */
-#define DNS_TOTEXT_LINEBREAK_MAXLEN 100
-
-/*
- * Context structure for a masterfile dump in progress.
- */
-typedef struct dns_totext_ctx {
- dns_master_style_t style;
- isc_boolean_t class_printed;
- char * linebreak;
- char linebreak_buf[DNS_TOTEXT_LINEBREAK_MAXLEN];
- dns_name_t * origin;
- dns_name_t * neworigin;
- dns_fixedname_t origin_fixname;
- isc_uint32_t current_ttl;
- isc_boolean_t current_ttl_valid;
-} dns_totext_ctx_t;
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_default = {
- DNS_STYLEFLAG_OMIT_OWNER |
- DNS_STYLEFLAG_OMIT_CLASS |
- DNS_STYLEFLAG_REL_OWNER |
- DNS_STYLEFLAG_REL_DATA |
- DNS_STYLEFLAG_OMIT_TTL |
- DNS_STYLEFLAG_TTL |
- DNS_STYLEFLAG_COMMENT |
- DNS_STYLEFLAG_MULTILINE,
- 24, 24, 24, 32, 80, 8
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_full = {
- DNS_STYLEFLAG_COMMENT,
- 46, 46, 46, 64, 120, 8
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_explicitttl = {
- DNS_STYLEFLAG_OMIT_OWNER |
- DNS_STYLEFLAG_OMIT_CLASS |
- DNS_STYLEFLAG_REL_OWNER |
- DNS_STYLEFLAG_REL_DATA |
- DNS_STYLEFLAG_COMMENT |
- DNS_STYLEFLAG_MULTILINE,
- 24, 32, 32, 40, 80, 8
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_cache = {
- DNS_STYLEFLAG_OMIT_OWNER |
- DNS_STYLEFLAG_OMIT_CLASS |
- DNS_STYLEFLAG_MULTILINE |
- DNS_STYLEFLAG_TRUST |
- DNS_STYLEFLAG_NCACHE,
- 24, 32, 32, 40, 80, 8
-};
-
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_simple = {
- 0,
- 24, 32, 32, 40, 80, 8
-};
-
-/*
- * A style suitable for dns_rdataset_totext().
- */
-LIBDNS_EXTERNAL_DATA const dns_master_style_t
-dns_master_style_debug = {
- DNS_STYLEFLAG_REL_OWNER,
- 24, 32, 40, 48, 80, 8
-};
-
-
-#define N_SPACES 10
-static char spaces[N_SPACES+1] = " ";
-
-#define N_TABS 10
-static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
-
-struct dns_dumpctx {
- unsigned int magic;
- isc_mem_t *mctx;
- isc_mutex_t lock;
- unsigned int references;
- isc_boolean_t canceled;
- isc_boolean_t first;
- isc_boolean_t do_date;
- isc_stdtime_t now;
- FILE *f;
- dns_db_t *db;
- dns_dbversion_t *version;
- dns_dbiterator_t *dbiter;
- dns_totext_ctx_t tctx;
- isc_task_t *task;
- dns_dumpdonefunc_t done;
- void *done_arg;
- unsigned int nodes;
- /* dns_master_dumpinc() */
- char *file;
- char *tmpfile;
-};
-
-#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
-
-/*
- * Output tabs and spaces to go from column '*current' to
- * column 'to', and update '*current' to reflect the new
- * current column.
- */
-static isc_result_t
-indent(unsigned int *current, unsigned int to, int tabwidth,
- isc_buffer_t *target)
-{
- isc_region_t r;
- unsigned char *p;
- unsigned int from;
- int ntabs, nspaces, t;
-
- from = *current;
-
- if (to < from + 1)
- to = from + 1;
-
- ntabs = to / tabwidth - from / tabwidth;
- if (ntabs < 0)
- ntabs = 0;
-
- if (ntabs > 0) {
- isc_buffer_availableregion(target, &r);
- if (r.length < (unsigned) ntabs)
- return (ISC_R_NOSPACE);
- p = r.base;
-
- t = ntabs;
- while (t) {
- int n = t;
- if (n > N_TABS)
- n = N_TABS;
- memcpy(p, tabs, n);
- p += n;
- t -= n;
- }
- isc_buffer_add(target, ntabs);
- from = (to / tabwidth) * tabwidth;
- }
-
- nspaces = to - from;
- INSIST(nspaces >= 0);
-
- isc_buffer_availableregion(target, &r);
- if (r.length < (unsigned) nspaces)
- return (ISC_R_NOSPACE);
- p = r.base;
-
- t = nspaces;
- while (t) {
- int n = t;
- if (n > N_SPACES)
- n = N_SPACES;
- memcpy(p, spaces, n);
- p += n;
- t -= n;
- }
- isc_buffer_add(target, nspaces);
-
- *current = to;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
- isc_result_t result;
-
- REQUIRE(style->tab_width != 0);
-
- ctx->style = *style;
- ctx->class_printed = ISC_FALSE;
-
- dns_fixedname_init(&ctx->origin_fixname);
-
- /*
- * Set up the line break string if needed.
- */
- if ((ctx->style.flags & DNS_STYLEFLAG_MULTILINE) != 0) {
- isc_buffer_t buf;
- isc_region_t r;
- unsigned int col = 0;
-
- isc_buffer_init(&buf, ctx->linebreak_buf,
- sizeof(ctx->linebreak_buf));
-
- isc_buffer_availableregion(&buf, &r);
- if (r.length < 1)
- return (DNS_R_TEXTTOOLONG);
- r.base[0] = '\n';
- isc_buffer_add(&buf, 1);
-
- result = indent(&col, ctx->style.rdata_column,
- ctx->style.tab_width, &buf);
- /*
- * Do not return ISC_R_NOSPACE if the line break string
- * buffer is too small, because that would just make
- * dump_rdataset() retry indenfinitely with ever
- * bigger target buffers. That's a different buffer,
- * so it won't help. Use DNS_R_TEXTTOOLONG as a substitute.
- */
- if (result == ISC_R_NOSPACE)
- return (DNS_R_TEXTTOOLONG);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- isc_buffer_availableregion(&buf, &r);
- if (r.length < 1)
- return (DNS_R_TEXTTOOLONG);
- r.base[0] = '\0';
- isc_buffer_add(&buf, 1);
- ctx->linebreak = ctx->linebreak_buf;
- } else {
- ctx->linebreak = NULL;
- }
-
- ctx->origin = NULL;
- ctx->neworigin = NULL;
- ctx->current_ttl = 0;
- ctx->current_ttl_valid = ISC_FALSE;
-
- return (ISC_R_SUCCESS);
-}
-
-#define INDENT_TO(col) \
- do { \
- if ((result = indent(&column, ctx->style.col, \
- ctx->style.tab_width, target)) \
- != ISC_R_SUCCESS) \
- return (result); \
- } while (0)
-
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
- unsigned int l;
- isc_region_t region;
-
- isc_buffer_availableregion(target, &region);
- l = strlen(source);
-
- if (l > region.length)
- return (ISC_R_NOSPACE);
-
- memcpy(region.base, source, l);
- isc_buffer_add(target, l);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Convert 'rdataset' to master file text format according to 'ctx',
- * storing the result in 'target'. If 'owner_name' is NULL, it
- * is omitted; otherwise 'owner_name' must be valid and have at least
- * one label.
- */
-
-static isc_result_t
-rdataset_totext(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_totext_ctx_t *ctx,
- isc_boolean_t omit_final_dot,
- isc_buffer_t *target)
-{
- isc_result_t result;
- unsigned int column;
- isc_boolean_t first = ISC_TRUE;
- isc_uint32_t current_ttl;
- isc_boolean_t current_ttl_valid;
- dns_rdatatype_t type;
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
-
- result = dns_rdataset_first(rdataset);
- REQUIRE(result == ISC_R_SUCCESS);
-
- current_ttl = ctx->current_ttl;
- current_ttl_valid = ctx->current_ttl_valid;
-
- do {
- column = 0;
-
- /*
- * Owner name.
- */
- if (owner_name != NULL &&
- ! ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0 &&
- !first))
- {
- unsigned int name_start = target->used;
- RETERR(dns_name_totext(owner_name,
- omit_final_dot,
- target));
- column += target->used - name_start;
- }
-
- /*
- * TTL.
- */
- if ((ctx->style.flags & DNS_STYLEFLAG_NO_TTL) == 0 &&
- !((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
- current_ttl_valid &&
- rdataset->ttl == current_ttl))
- {
- char ttlbuf[64];
- isc_region_t r;
- unsigned int length;
-
- INDENT_TO(ttl_column);
- length = snprintf(ttlbuf, sizeof(ttlbuf), "%u",
- rdataset->ttl);
- INSIST(length <= sizeof(ttlbuf));
- isc_buffer_availableregion(target, &r);
- if (r.length < length)
- return (ISC_R_NOSPACE);
- memcpy(r.base, ttlbuf, length);
- isc_buffer_add(target, length);
- column += length;
-
- /*
- * If the $TTL directive is not in use, the TTL we
- * just printed becomes the default for subsequent RRs.
- */
- if ((ctx->style.flags & DNS_STYLEFLAG_TTL) == 0) {
- current_ttl = rdataset->ttl;
- current_ttl_valid = ISC_TRUE;
- }
- }
-
- /*
- * Class.
- */
- if ((ctx->style.flags & DNS_STYLEFLAG_NO_CLASS) == 0 &&
- ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
- ctx->class_printed == ISC_FALSE))
- {
- unsigned int class_start;
- INDENT_TO(class_column);
- class_start = target->used;
- result = dns_rdataclass_totext(rdataset->rdclass,
- target);
- if (result != ISC_R_SUCCESS)
- return (result);
- column += (target->used - class_start);
- }
-
- /*
- * Type.
- */
-
- if (rdataset->type == 0) {
- type = rdataset->covers;
- } else {
- type = rdataset->type;
- }
-
- {
- unsigned int type_start;
- INDENT_TO(type_column);
- type_start = target->used;
- if (rdataset->type == 0)
- RETERR(str_totext("\\-", target));
- result = dns_rdatatype_totext(type, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- column += (target->used - type_start);
- }
-
- /*
- * Rdata.
- */
- INDENT_TO(rdata_column);
- if (rdataset->type == 0) {
- if (NXDOMAIN(rdataset))
- RETERR(str_totext(";-$NXDOMAIN\n", target));
- else
- RETERR(str_totext(";-$NXRRSET\n", target));
- } else {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_region_t r;
-
- dns_rdataset_current(rdataset, &rdata);
-
- RETERR(dns_rdata_tofmttext(&rdata,
- ctx->origin,
- ctx->style.flags,
- ctx->style.line_length -
- ctx->style.rdata_column,
- ctx->linebreak,
- target));
-
- isc_buffer_availableregion(target, &r);
- if (r.length < 1)
- return (ISC_R_NOSPACE);
- r.base[0] = '\n';
- isc_buffer_add(target, 1);
- }
-
- first = ISC_FALSE;
- result = dns_rdataset_next(rdataset);
- } while (result == ISC_R_SUCCESS);
-
- if (result != ISC_R_NOMORE)
- return (result);
-
- /*
- * Update the ctx state to reflect what we just printed.
- * This is done last, only when we are sure we will return
- * success, because this function may be called multiple
- * times with increasing buffer sizes until it succeeds,
- * and failed attempts must not update the state prematurely.
- */
- ctx->class_printed = ISC_TRUE;
- ctx->current_ttl= current_ttl;
- ctx->current_ttl_valid = current_ttl_valid;
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Print the name, type, and class of an empty rdataset,
- * such as those used to represent the question section
- * of a DNS message.
- */
-static isc_result_t
-question_totext(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_totext_ctx_t *ctx,
- isc_boolean_t omit_final_dot,
- isc_buffer_t *target)
-{
- unsigned int column;
- isc_result_t result;
- isc_region_t r;
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- result = dns_rdataset_first(rdataset);
- REQUIRE(result == ISC_R_NOMORE);
-
- column = 0;
-
- /* Owner name */
- {
- unsigned int name_start = target->used;
- RETERR(dns_name_totext(owner_name,
- omit_final_dot,
- target));
- column += target->used - name_start;
- }
-
- /* Class */
- {
- unsigned int class_start;
- INDENT_TO(class_column);
- class_start = target->used;
- result = dns_rdataclass_totext(rdataset->rdclass, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- column += (target->used - class_start);
- }
-
- /* Type */
- {
- unsigned int type_start;
- INDENT_TO(type_column);
- type_start = target->used;
- result = dns_rdatatype_totext(rdataset->type, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- column += (target->used - type_start);
- }
-
- isc_buffer_availableregion(target, &r);
- if (r.length < 1)
- return (ISC_R_NOSPACE);
- r.base[0] = '\n';
- isc_buffer_add(target, 1);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdataset_totext(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- isc_boolean_t omit_final_dot,
- isc_boolean_t question,
- isc_buffer_t *target)
-{
- dns_totext_ctx_t ctx;
- isc_result_t result;
- result = totext_ctx_init(&dns_master_style_debug, &ctx);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "could not set master file style");
- return (ISC_R_UNEXPECTED);
- }
-
- /*
- * The caller might want to give us an empty owner
- * name (e.g. if they are outputting into a master
- * file and this rdataset has the same name as the
- * previous one.)
- */
- if (dns_name_countlabels(owner_name) == 0)
- owner_name = NULL;
-
- if (question)
- return (question_totext(rdataset, owner_name, &ctx,
- omit_final_dot, target));
- else
- return (rdataset_totext(rdataset, owner_name, &ctx,
- omit_final_dot, target));
-}
-
-isc_result_t
-dns_master_rdatasettotext(dns_name_t *owner_name,
- dns_rdataset_t *rdataset,
- const dns_master_style_t *style,
- isc_buffer_t *target)
-{
- dns_totext_ctx_t ctx;
- isc_result_t result;
- result = totext_ctx_init(style, &ctx);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "could not set master file style");
- return (ISC_R_UNEXPECTED);
- }
-
- return (rdataset_totext(rdataset, owner_name, &ctx,
- ISC_FALSE, target));
-}
-
-isc_result_t
-dns_master_questiontotext(dns_name_t *owner_name,
- dns_rdataset_t *rdataset,
- const dns_master_style_t *style,
- isc_buffer_t *target)
-{
- dns_totext_ctx_t ctx;
- isc_result_t result;
- result = totext_ctx_init(style, &ctx);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "could not set master file style");
- return (ISC_R_UNEXPECTED);
- }
-
- return (question_totext(rdataset, owner_name, &ctx,
- ISC_FALSE, target));
-}
-
-/*
- * Print an rdataset. 'buffer' is a scratch buffer, which must have been
- * dynamically allocated by the caller. It must be large enough to
- * hold the result from dns_ttl_totext(). If more than that is needed,
- * the buffer will be grown automatically.
- */
-
-static isc_result_t
-dump_rdataset(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
- dns_totext_ctx_t *ctx,
- isc_buffer_t *buffer, FILE *f)
-{
- isc_region_t r;
- isc_result_t result;
-
- REQUIRE(buffer->length > 0);
-
- /*
- * Output a $TTL directive if needed.
- */
-
- if ((ctx->style.flags & DNS_STYLEFLAG_TTL) != 0) {
- if (ctx->current_ttl_valid == ISC_FALSE ||
- ctx->current_ttl != rdataset->ttl)
- {
- if ((ctx->style.flags & DNS_STYLEFLAG_COMMENT) != 0)
- {
- isc_buffer_clear(buffer);
- result = dns_ttl_totext(rdataset->ttl,
- ISC_TRUE, buffer);
- INSIST(result == ISC_R_SUCCESS);
- isc_buffer_usedregion(buffer, &r);
- fprintf(f, "$TTL %u\t; %.*s\n", rdataset->ttl,
- (int) r.length, (char *) r.base);
- } else {
- fprintf(f, "$TTL %u\n", rdataset->ttl);
- }
- ctx->current_ttl = rdataset->ttl;
- ctx->current_ttl_valid = ISC_TRUE;
- }
- }
-
- isc_buffer_clear(buffer);
-
- /*
- * Generate the text representation of the rdataset into
- * the buffer. If the buffer is too small, grow it.
- */
- for (;;) {
- int newlength;
- void *newmem;
- result = rdataset_totext(rdataset, name, ctx,
- ISC_FALSE, buffer);
- if (result != ISC_R_NOSPACE)
- break;
-
- newlength = buffer->length * 2;
- newmem = isc_mem_get(mctx, newlength);
- if (newmem == NULL)
- return (ISC_R_NOMEMORY);
- isc_mem_put(mctx, buffer->base, buffer->length);
- isc_buffer_init(buffer, newmem, newlength);
- }
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Write the buffer contents to the master file.
- */
- isc_buffer_usedregion(buffer, &r);
- result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
-
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "master file write failed: %s",
- isc_result_totext(result));
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Define the order in which rdatasets should be printed in zone
- * files. We will print SOA and NS records before others, SIGs
- * immediately following the things they sign, and order everything
- * else by RR number. This is all just for aesthetics and
- * compatibility with buggy software that expects the SOA to be first;
- * the DNS specifications allow any order.
- */
-
-static int
-dump_order(const dns_rdataset_t *rds) {
- int t;
- int sig;
- if (rds->type == dns_rdatatype_rrsig) {
- t = rds->covers;
- sig = 1;
- } else {
- t = rds->type;
- sig = 0;
- }
- switch (t) {
- case dns_rdatatype_soa:
- t = 0;
- break;
- case dns_rdatatype_ns:
- t = 1;
- break;
- default:
- t += 2;
- break;
- }
- return (t << 1) + sig;
-}
-
-static int
-dump_order_compare(const void *a, const void *b) {
- return (dump_order(*((const dns_rdataset_t * const *) a)) -
- dump_order(*((const dns_rdataset_t * const *) b)));
-}
-
-/*
- * Dump all the rdatasets of a domain name to a master file. We make
- * a "best effort" attempt to sort the RRsets in a nice order, but if
- * there are more than MAXSORT RRsets, we punt and only sort them in
- * groups of MAXSORT. This is not expected to ever happen in practice
- * since much less than 64 RR types have been registered with the
- * IANA, so far, and the output will be correct (though not
- * aesthetically pleasing) even if it does happen.
- */
-
-#define MAXSORT 64
-
-static const char *trustnames[] = {
- "none",
- "pending",
- "additional",
- "glue",
- "answer",
- "authauthority",
- "authanswer",
- "secure",
- "local" /* aka ultimate */
-};
-
-static isc_result_t
-dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
- dns_totext_ctx_t *ctx,
- isc_buffer_t *buffer, FILE *f)
-{
- isc_result_t itresult, dumpresult;
- isc_region_t r;
- dns_rdataset_t rdatasets[MAXSORT];
- dns_rdataset_t *sorted[MAXSORT];
- int i, n;
-
- itresult = dns_rdatasetiter_first(rdsiter);
- dumpresult = ISC_R_SUCCESS;
-
- if (itresult == ISC_R_SUCCESS && ctx->neworigin != NULL) {
- isc_buffer_clear(buffer);
- itresult = dns_name_totext(ctx->neworigin, ISC_FALSE, buffer);
- RUNTIME_CHECK(itresult == ISC_R_SUCCESS);
- isc_buffer_usedregion(buffer, &r);
- fprintf(f, "$ORIGIN %.*s\n", (int) r.length, (char *) r.base);
- ctx->neworigin = NULL;
- }
-
- again:
- for (i = 0;
- itresult == ISC_R_SUCCESS && i < MAXSORT;
- itresult = dns_rdatasetiter_next(rdsiter), i++) {
- dns_rdataset_init(&rdatasets[i]);
- dns_rdatasetiter_current(rdsiter, &rdatasets[i]);
- sorted[i] = &rdatasets[i];
- }
- n = i;
- INSIST(n <= MAXSORT);
-
- qsort(sorted, n, sizeof(sorted[0]), dump_order_compare);
-
- for (i = 0; i < n; i++) {
- dns_rdataset_t *rds = sorted[i];
- if (ctx->style.flags & DNS_STYLEFLAG_TRUST) {
- unsigned int trust = rds->trust;
- INSIST(trust < (sizeof(trustnames) /
- sizeof(trustnames[0])));
- fprintf(f, "; %s\n", trustnames[trust]);
- }
- if (rds->type == 0 &&
- (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
- /* Omit negative cache entries */
- } else {
- isc_result_t result =
- dump_rdataset(mctx, name, rds, ctx,
- buffer, f);
- if (result != ISC_R_SUCCESS)
- dumpresult = result;
- if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0)
- name = NULL;
- }
- dns_rdataset_disassociate(rds);
- }
-
- if (dumpresult != ISC_R_SUCCESS)
- return (dumpresult);
-
- /*
- * If we got more data than could be sorted at once,
- * go handle the rest.
- */
- if (itresult == ISC_R_SUCCESS)
- goto again;
-
- if (itresult == ISC_R_NOMORE)
- itresult = ISC_R_SUCCESS;
-
- return (itresult);
-}
-
-
-/*
- * Initial size of text conversion buffer. The buffer is used
- * for several purposes: converting origin names, rdatasets,
- * $DATE timestamps, and comment strings for $TTL directives.
- *
- * When converting rdatasets, it is dynamically resized, but
- * when converting origins, timestamps, etc it is not. Therefore,
- * the initial size must large enough to hold the longest possible
- * text representation of any domain name (for $ORIGIN).
- */
-static const int initial_buffer_length = 1200;
-
-static isc_result_t
-dumptostreaminc(dns_dumpctx_t *dctx);
-
-static void
-dumpctx_destroy(dns_dumpctx_t *dctx) {
-
- dctx->magic = 0;
- DESTROYLOCK(&dctx->lock);
- if (dctx->version != NULL)
- dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
- dns_dbiterator_destroy(&dctx->dbiter);
- dns_db_detach(&dctx->db);
- if (dctx->task != NULL)
- isc_task_detach(&dctx->task);
- if (dctx->file != NULL)
- isc_mem_free(dctx->mctx, dctx->file);
- if (dctx->tmpfile != NULL)
- isc_mem_free(dctx->mctx, dctx->tmpfile);
- isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
-}
-
-void
-dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target) {
-
- REQUIRE(DNS_DCTX_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
-
- LOCK(&source->lock);
- INSIST(source->references > 0);
- source->references++;
- INSIST(source->references != 0); /* Overflow? */
- UNLOCK(&source->lock);
-
- *target = source;
-}
-
-void
-dns_dumpctx_detach(dns_dumpctx_t **dctxp) {
- dns_dumpctx_t *dctx;
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(dctxp != NULL);
- dctx = *dctxp;
- REQUIRE(DNS_DCTX_VALID(dctx));
-
- *dctxp = NULL;
-
- LOCK(&dctx->lock);
- INSIST(dctx->references != 0);
- dctx->references--;
- if (dctx->references == 0)
- need_destroy = ISC_TRUE;
- UNLOCK(&dctx->lock);
- if (need_destroy)
- dumpctx_destroy(dctx);
-}
-
-dns_dbversion_t *
-dns_dumpctx_version(dns_dumpctx_t *dctx) {
- REQUIRE(DNS_DCTX_VALID(dctx));
- return (dctx->version);
-}
-
-dns_db_t *
-dns_dumpctx_db(dns_dumpctx_t *dctx) {
- REQUIRE(DNS_DCTX_VALID(dctx));
- return (dctx->db);
-}
-
-void
-dns_dumpctx_cancel(dns_dumpctx_t *dctx) {
- REQUIRE(DNS_DCTX_VALID(dctx));
-
- LOCK(&dctx->lock);
- dctx->canceled = ISC_TRUE;
- UNLOCK(&dctx->lock);
-}
-
-static isc_result_t
-closeandrename(FILE *f, isc_result_t result, const char *temp, const char *file)
-{
- isc_result_t tresult;
- isc_boolean_t logit = ISC_TF(result == ISC_R_SUCCESS);
-
- if (result == ISC_R_SUCCESS)
- result = isc_stdio_sync(f);
- if (result != ISC_R_SUCCESS && logit) {
- isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
- "dumping master file: %s: fsync: %s",
- temp, isc_result_totext(result));
- logit = ISC_FALSE;
- }
- tresult = isc_stdio_close(f);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- if (result != ISC_R_SUCCESS && logit) {
- isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
- "dumping master file: %s: fclose: %s",
- temp, isc_result_totext(result));
- logit = ISC_FALSE;
- }
- if (result == ISC_R_SUCCESS)
- result = isc_file_rename(temp, file);
- else
- (void)isc_file_remove(temp);
- if (result != ISC_R_SUCCESS && logit) {
- isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
- "dumping master file: rename: %s: %s",
- file, isc_result_totext(result));
- }
- return (result);
-}
-
-static void
-dump_quantum(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- isc_result_t tresult;
- dns_dumpctx_t *dctx;
-
- REQUIRE(event != NULL);
- dctx = event->ev_arg;
- REQUIRE(DNS_DCTX_VALID(dctx));
- if (dctx->canceled)
- result = ISC_R_CANCELED;
- else
- result = dumptostreaminc(dctx);
- if (result == DNS_R_CONTINUE) {
- event->ev_arg = dctx;
- isc_task_send(task, &event);
- return;
- }
-
- if (dctx->file != NULL) {
- tresult = closeandrename(dctx->f, result,
- dctx->tmpfile, dctx->file);
- if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
- result = tresult;
- }
- (dctx->done)(dctx->done_arg, result);
- isc_event_free(&event);
- dns_dumpctx_detach(&dctx);
-}
-
-static isc_result_t
-task_send(dns_dumpctx_t *dctx) {
- isc_event_t *event;
-
- event = isc_event_allocate(dctx->mctx, NULL, DNS_EVENT_DUMPQUANTUM,
- dump_quantum, dctx, sizeof(*event));
- if (event == NULL)
- return (ISC_R_NOMEMORY);
- isc_task_send(dctx->task, &event);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
- const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp)
-{
- dns_dumpctx_t *dctx;
- isc_result_t result;
- isc_boolean_t relative;
-
- dctx = isc_mem_get(mctx, sizeof(*dctx));
- if (dctx == NULL)
- return (ISC_R_NOMEMORY);
-
- dctx->mctx = NULL;
- dctx->f = f;
- dctx->dbiter = NULL;
- dctx->db = NULL;
- dctx->version = NULL;
- dctx->done = NULL;
- dctx->done_arg = NULL;
- dctx->task = NULL;
- dctx->nodes = 0;
- dctx->first = ISC_TRUE;
- dctx->canceled = ISC_FALSE;
- dctx->file = NULL;
- dctx->tmpfile = NULL;
-
- result = totext_ctx_init(style, &dctx->tctx);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "could not set master file style");
- goto cleanup;
- }
-
- isc_stdtime_get(&dctx->now);
- dns_db_attach(db, &dctx->db);
-
- dctx->do_date = dns_db_iscache(dctx->db);
-
- relative = ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) ?
- ISC_TRUE : ISC_FALSE;
- result = dns_db_createiterator(dctx->db, relative, &dctx->dbiter);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = isc_mutex_init(&dctx->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (version != NULL)
- dns_db_attachversion(dctx->db, version, &dctx->version);
- else if (!dns_db_iscache(db))
- dns_db_currentversion(dctx->db, &dctx->version);
- isc_mem_attach(mctx, &dctx->mctx);
- dctx->references = 1;
- dctx->magic = DNS_DCTX_MAGIC;
- *dctxp = dctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (dctx->dbiter != NULL)
- dns_dbiterator_destroy(&dctx->dbiter);
- if (dctx->db != NULL)
- dns_db_detach(&dctx->db);
- if (dctx != NULL)
- isc_mem_put(mctx, dctx, sizeof(*dctx));
- return (result);
-}
-
-static isc_result_t
-dumptostreaminc(dns_dumpctx_t *dctx) {
- isc_result_t result;
- isc_buffer_t buffer;
- char *bufmem;
- isc_region_t r;
- dns_name_t *name;
- dns_fixedname_t fixname;
- unsigned int nodes;
-
- bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
- if (bufmem == NULL)
- return (ISC_R_NOMEMORY);
-
- isc_buffer_init(&buffer, bufmem, initial_buffer_length);
-
- dns_fixedname_init(&fixname);
- name = dns_fixedname_name(&fixname);
-
- if (dctx->first) {
- /*
- * If the database has cache semantics, output an RFC2540
- * $DATE directive so that the TTLs can be adjusted when
- * it is reloaded. For zones it is not really needed, and
- * it would make the file incompatible with pre-RFC2540
- * software, so we omit it in the zone case.
- */
- if (dctx->do_date) {
- result = dns_time32_totext(dctx->now, &buffer);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- isc_buffer_usedregion(&buffer, &r);
- fprintf(dctx->f, "$DATE %.*s\n",
- (int) r.length, (char *) r.base);
- }
- result = dns_dbiterator_first(dctx->dbiter);
- dctx->first = ISC_FALSE;
- } else
- result = ISC_R_SUCCESS;
-
- nodes = dctx->nodes;
- while (result == ISC_R_SUCCESS && (dctx->nodes == 0 || nodes--)) {
- dns_rdatasetiter_t *rdsiter = NULL;
- dns_dbnode_t *node = NULL;
-
- result = dns_dbiterator_current(dctx->dbiter, &node, name);
- if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
- break;
- if (result == DNS_R_NEWORIGIN) {
- dns_name_t *origin =
- dns_fixedname_name(&dctx->tctx.origin_fixname);
- result = dns_dbiterator_origin(dctx->dbiter, origin);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- if ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_DATA) != 0)
- dctx->tctx.origin = origin;
- dctx->tctx.neworigin = origin;
- }
- result = dns_db_allrdatasets(dctx->db, node, dctx->version,
- dctx->now, &rdsiter);
- if (result != ISC_R_SUCCESS) {
- dns_db_detachnode(dctx->db, &node);
- goto fail;
- }
- result = dump_rdatasets(dctx->mctx, name, rdsiter, &dctx->tctx,
- &buffer, dctx->f);
- dns_rdatasetiter_destroy(&rdsiter);
- if (result != ISC_R_SUCCESS) {
- dns_db_detachnode(dctx->db, &node);
- goto fail;
- }
- dns_db_detachnode(dctx->db, &node);
- result = dns_dbiterator_next(dctx->dbiter);
- }
-
- if (dctx->nodes != 0 && result == ISC_R_SUCCESS) {
- dns_dbiterator_pause(dctx->dbiter);
- result = DNS_R_CONTINUE;
- } else if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- fail:
- isc_mem_put(dctx->mctx, buffer.base, buffer.length);
- return (result);
-}
-
-isc_result_t
-dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
- dns_dbversion_t *version,
- const dns_master_style_t *style,
- FILE *f, isc_task_t *task,
- dns_dumpdonefunc_t done, void *done_arg,
- dns_dumpctx_t **dctxp)
-{
- dns_dumpctx_t *dctx = NULL;
- isc_result_t result;
-
- REQUIRE(task != NULL);
- REQUIRE(f != NULL);
- REQUIRE(done != NULL);
-
- result = dumpctx_create(mctx, db, version, style, f, &dctx);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_task_attach(task, &dctx->task);
- dctx->done = done;
- dctx->done_arg = done_arg;
- dctx->nodes = 100;
-
- result = task_send(dctx);
- if (result == ISC_R_SUCCESS) {
- dns_dumpctx_attach(dctx, dctxp);
- return (DNS_R_CONTINUE);
- }
- if (dctx != NULL)
- dns_dumpctx_detach(&dctx);
-
- return (result);
-}
-
-/*
- * Dump an entire database into a master file.
- */
-isc_result_t
-dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
- dns_dbversion_t *version,
- const dns_master_style_t *style,
- FILE *f)
-{
- dns_dumpctx_t *dctx = NULL;
- isc_result_t result;
-
- result = dumpctx_create(mctx, db, version, style, f, &dctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dumptostreaminc(dctx);
- INSIST(result != DNS_R_CONTINUE);
- dns_dumpctx_detach(&dctx);
- return (result);
-}
-
-static isc_result_t
-opentmp(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
- FILE *f = NULL;
- isc_result_t result;
- char *tempname = NULL;
- int tempnamelen;
-
- tempnamelen = strlen(file) + 20;
- tempname = isc_mem_allocate(mctx, tempnamelen);
- if (tempname == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_file_mktemplate(file, tempname, tempnamelen);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = isc_file_openunique(tempname, &f);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
- "dumping master file: %s: open: %s",
- tempname, isc_result_totext(result));
- goto cleanup;
- }
- *tempp = tempname;
- *fp = f;
- return (ISC_R_SUCCESS);
-
-cleanup:
- isc_mem_free(mctx, tempname);
- return (result);
-}
-
-isc_result_t
-dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
- const dns_master_style_t *style, const char *filename,
- isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
- dns_dumpctx_t **dctxp)
-{
- FILE *f = NULL;
- isc_result_t result;
- char *tempname = NULL;
- char *file = NULL;
- dns_dumpctx_t *dctx = NULL;
-
- file = isc_mem_strdup(mctx, filename);
- if (file == NULL)
- return (ISC_R_NOMEMORY);
-
- result = opentmp(mctx, filename, &tempname, &f);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = dumpctx_create(mctx, db, version, style, f, &dctx);
- if (result != ISC_R_SUCCESS) {
- (void)isc_stdio_close(f);
- (void)isc_file_remove(tempname);
- goto cleanup;
- }
-
- isc_task_attach(task, &dctx->task);
- dctx->done = done;
- dctx->done_arg = done_arg;
- dctx->nodes = 100;
- dctx->file = file;
- file = NULL;
- dctx->tmpfile = tempname;
- tempname = NULL;
-
- result = task_send(dctx);
- if (result == ISC_R_SUCCESS) {
- dns_dumpctx_attach(dctx, dctxp);
- return (DNS_R_CONTINUE);
- }
-
- cleanup:
- if (dctx != NULL)
- dns_dumpctx_detach(&dctx);
- if (file != NULL)
- isc_mem_free(mctx, file);
- if (tempname != NULL)
- isc_mem_free(mctx, tempname);
- return (result);
-}
-
-isc_result_t
-dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
- const dns_master_style_t *style, const char *filename)
-{
- FILE *f = NULL;
- isc_result_t result;
- char *tempname;
- dns_dumpctx_t *dctx = NULL;
-
- result = opentmp(mctx, filename, &tempname, &f);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dumpctx_create(mctx, db, version, style, f, &dctx);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = dumptostreaminc(dctx);
- INSIST(result != DNS_R_CONTINUE);
- dns_dumpctx_detach(&dctx);
-
- result = closeandrename(f, result, tempname, filename);
-
- cleanup:
- isc_mem_free(mctx, tempname);
- return (result);
-}
-
-/*
- * Dump a database node into a master file.
- */
-isc_result_t
-dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
- dns_dbversion_t *version,
- dns_dbnode_t *node, dns_name_t *name,
- const dns_master_style_t *style,
- FILE *f)
-{
- isc_result_t result;
- isc_buffer_t buffer;
- char *bufmem;
- isc_stdtime_t now;
- dns_totext_ctx_t ctx;
- dns_rdatasetiter_t *rdsiter = NULL;
-
- result = totext_ctx_init(style, &ctx);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "could not set master file style");
- return (ISC_R_UNEXPECTED);
- }
-
- isc_stdtime_get(&now);
-
- bufmem = isc_mem_get(mctx, initial_buffer_length);
- if (bufmem == NULL)
- return (ISC_R_NOMEMORY);
-
- isc_buffer_init(&buffer, bufmem, initial_buffer_length);
-
- result = dns_db_allrdatasets(db, node, version, now, &rdsiter);
- if (result != ISC_R_SUCCESS)
- goto failure;
- result = dump_rdatasets(mctx, name, rdsiter, &ctx, &buffer, f);
- if (result != ISC_R_SUCCESS)
- goto failure;
- dns_rdatasetiter_destroy(&rdsiter);
-
- result = ISC_R_SUCCESS;
-
- failure:
- isc_mem_put(mctx, buffer.base, buffer.length);
- return (result);
-}
-
-isc_result_t
-dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
- dns_dbnode_t *node, dns_name_t *name,
- const dns_master_style_t *style, const char *filename)
-{
- FILE *f = NULL;
- isc_result_t result;
-
- result = isc_stdio_open(filename, "w", &f);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
- "dumping node to file: %s: open: %s", filename,
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- result = dns_master_dumpnodetostream(mctx, db, version, node, name,
- style, f);
-
- result = isc_stdio_close(f);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
- "dumping master file: %s: close: %s", filename,
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- return (result);
-}
-
-isc_result_t
-dns_master_stylecreate(dns_master_style_t **stylep, unsigned int flags,
- unsigned int ttl_column, unsigned int class_column,
- unsigned int type_column, unsigned int rdata_column,
- unsigned int line_length, unsigned int tab_width,
- isc_mem_t *mctx)
-{
- dns_master_style_t *style;
-
- REQUIRE(stylep != NULL && *stylep == NULL);
- style = isc_mem_get(mctx, sizeof(*style));
- if (style == NULL)
- return (ISC_R_NOMEMORY);
-
- style->flags = flags;
- style->ttl_column = ttl_column;
- style->class_column = class_column;
- style->type_column = type_column;
- style->rdata_column = rdata_column;
- style->line_length = line_length;
- style->tab_width = tab_width;
-
- *stylep = style;
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_master_styledestroy(dns_master_style_t **stylep, isc_mem_t *mctx) {
- dns_master_style_t *style;
-
- REQUIRE(stylep != NULL && *stylep != NULL);
- style = *stylep;
- *stylep = NULL;
- isc_mem_put(mctx, style, sizeof(*style));
-}
-
diff --git a/contrib/bind9/lib/dns/message.c b/contrib/bind9/lib/dns/message.c
deleted file mode 100644
index d4b2e1962f99..000000000000
--- a/contrib/bind9/lib/dns/message.c
+++ /dev/null
@@ -1,3218 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: message.c,v 1.194.2.10.2.20 2005/06/07 01:42:23 marka Exp $ */
-
-/***
- *** Imports
- ***/
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/dnssec.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/opcode.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-
-#define DNS_MESSAGE_OPCODE_MASK 0x7800U
-#define DNS_MESSAGE_OPCODE_SHIFT 11
-#define DNS_MESSAGE_RCODE_MASK 0x000fU
-#define DNS_MESSAGE_FLAG_MASK 0x8ff0U
-#define DNS_MESSAGE_EDNSRCODE_MASK 0xff000000U
-#define DNS_MESSAGE_EDNSRCODE_SHIFT 24
-#define DNS_MESSAGE_EDNSVERSION_MASK 0x00ff0000U
-#define DNS_MESSAGE_EDNSVERSION_SHIFT 16
-
-#define VALID_NAMED_SECTION(s) (((s) > DNS_SECTION_ANY) \
- && ((s) < DNS_SECTION_MAX))
-#define VALID_SECTION(s) (((s) >= DNS_SECTION_ANY) \
- && ((s) < DNS_SECTION_MAX))
-#define ADD_STRING(b, s) {if (strlen(s) >= \
- isc_buffer_availablelength(b)) \
- return(ISC_R_NOSPACE); else \
- isc_buffer_putstr(b, s);}
-#define VALID_PSEUDOSECTION(s) (((s) >= DNS_PSEUDOSECTION_ANY) \
- && ((s) < DNS_PSEUDOSECTION_MAX))
-
-/*
- * This is the size of each individual scratchpad buffer, and the numbers
- * of various block allocations used within the server.
- * XXXMLG These should come from a config setting.
- */
-#define SCRATCHPAD_SIZE 512
-#define NAME_COUNT 8
-#define OFFSET_COUNT 4
-#define RDATA_COUNT 8
-#define RDATALIST_COUNT 8
-#define RDATASET_COUNT RDATALIST_COUNT
-
-/*
- * Text representation of the different items, for message_totext
- * functions.
- */
-static const char *sectiontext[] = {
- "QUESTION",
- "ANSWER",
- "AUTHORITY",
- "ADDITIONAL"
-};
-
-static const char *updsectiontext[] = {
- "ZONE",
- "PREREQUISITE",
- "UPDATE",
- "ADDITIONAL"
-};
-
-static const char *opcodetext[] = {
- "QUERY",
- "IQUERY",
- "STATUS",
- "RESERVED3",
- "NOTIFY",
- "UPDATE",
- "RESERVED6",
- "RESERVED7",
- "RESERVED8",
- "RESERVED9",
- "RESERVED10",
- "RESERVED11",
- "RESERVED12",
- "RESERVED13",
- "RESERVED14",
- "RESERVED15"
-};
-
-static const char *rcodetext[] = {
- "NOERROR",
- "FORMERR",
- "SERVFAIL",
- "NXDOMAIN",
- "NOTIMP",
- "REFUSED",
- "YXDOMAIN",
- "YXRRSET",
- "NXRRSET",
- "NOTAUTH",
- "NOTZONE",
- "RESERVED11",
- "RESERVED12",
- "RESERVED13",
- "RESERVED14",
- "RESERVED15",
- "BADVERS"
-};
-
-
-/*
- * "helper" type, which consists of a block of some type, and is linkable.
- * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
- * size, or the allocated elements will not be alligned correctly.
- */
-struct dns_msgblock {
- unsigned int count;
- unsigned int remaining;
- ISC_LINK(dns_msgblock_t) link;
-}; /* dynamically sized */
-
-static inline dns_msgblock_t *
-msgblock_allocate(isc_mem_t *, unsigned int, unsigned int);
-
-#define msgblock_get(block, type) \
- ((type *)msgblock_internalget(block, sizeof(type)))
-
-static inline void *
-msgblock_internalget(dns_msgblock_t *, unsigned int);
-
-static inline void
-msgblock_reset(dns_msgblock_t *);
-
-static inline void
-msgblock_free(isc_mem_t *, dns_msgblock_t *, unsigned int);
-
-/*
- * Allocate a new dns_msgblock_t, and return a pointer to it. If no memory
- * is free, return NULL.
- */
-static inline dns_msgblock_t *
-msgblock_allocate(isc_mem_t *mctx, unsigned int sizeof_type,
- unsigned int count)
-{
- dns_msgblock_t *block;
- unsigned int length;
-
- length = sizeof(dns_msgblock_t) + (sizeof_type * count);
-
- block = isc_mem_get(mctx, length);
- if (block == NULL)
- return (NULL);
-
- block->count = count;
- block->remaining = count;
-
- ISC_LINK_INIT(block, link);
-
- return (block);
-}
-
-/*
- * Return an element from the msgblock. If no more are available, return
- * NULL.
- */
-static inline void *
-msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type) {
- void *ptr;
-
- if (block == NULL || block->remaining == 0)
- return (NULL);
-
- block->remaining--;
-
- ptr = (((unsigned char *)block)
- + sizeof(dns_msgblock_t)
- + (sizeof_type * block->remaining));
-
- return (ptr);
-}
-
-static inline void
-msgblock_reset(dns_msgblock_t *block) {
- block->remaining = block->count;
-}
-
-/*
- * Release memory associated with a message block.
- */
-static inline void
-msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block, unsigned int sizeof_type)
-{
- unsigned int length;
-
- length = sizeof(dns_msgblock_t) + (sizeof_type * block->count);
-
- isc_mem_put(mctx, block, length);
-}
-
-/*
- * Allocate a new dynamic buffer, and attach it to this message as the
- * "current" buffer. (which is always the last on the list, for our
- * uses)
- */
-static inline isc_result_t
-newbuffer(dns_message_t *msg, unsigned int size) {
- isc_result_t result;
- isc_buffer_t *dynbuf;
-
- dynbuf = NULL;
- result = isc_buffer_allocate(msg->mctx, &dynbuf, size);
- if (result != ISC_R_SUCCESS)
- return (ISC_R_NOMEMORY);
-
- ISC_LIST_APPEND(msg->scratchpad, dynbuf, link);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_buffer_t *
-currentbuffer(dns_message_t *msg) {
- isc_buffer_t *dynbuf;
-
- dynbuf = ISC_LIST_TAIL(msg->scratchpad);
- INSIST(dynbuf != NULL);
-
- return (dynbuf);
-}
-
-static inline void
-releaserdata(dns_message_t *msg, dns_rdata_t *rdata) {
- ISC_LIST_PREPEND(msg->freerdata, rdata, link);
-}
-
-static inline dns_rdata_t *
-newrdata(dns_message_t *msg) {
- dns_msgblock_t *msgblock;
- dns_rdata_t *rdata;
-
- rdata = ISC_LIST_HEAD(msg->freerdata);
- if (rdata != NULL) {
- ISC_LIST_UNLINK(msg->freerdata, rdata, link);
- return (rdata);
- }
-
- msgblock = ISC_LIST_TAIL(msg->rdatas);
- rdata = msgblock_get(msgblock, dns_rdata_t);
- if (rdata == NULL) {
- msgblock = msgblock_allocate(msg->mctx, sizeof(dns_rdata_t),
- RDATA_COUNT);
- if (msgblock == NULL)
- return (NULL);
-
- ISC_LIST_APPEND(msg->rdatas, msgblock, link);
-
- rdata = msgblock_get(msgblock, dns_rdata_t);
- }
-
- dns_rdata_init(rdata);
- return (rdata);
-}
-
-static inline void
-releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist) {
- ISC_LIST_PREPEND(msg->freerdatalist, rdatalist, link);
-}
-
-static inline dns_rdatalist_t *
-newrdatalist(dns_message_t *msg) {
- dns_msgblock_t *msgblock;
- dns_rdatalist_t *rdatalist;
-
- rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
- if (rdatalist != NULL) {
- ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
- return (rdatalist);
- }
-
- msgblock = ISC_LIST_TAIL(msg->rdatalists);
- rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
- if (rdatalist == NULL) {
- msgblock = msgblock_allocate(msg->mctx,
- sizeof(dns_rdatalist_t),
- RDATALIST_COUNT);
- if (msgblock == NULL)
- return (NULL);
-
- ISC_LIST_APPEND(msg->rdatalists, msgblock, link);
-
- rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
- }
-
- return (rdatalist);
-}
-
-static inline dns_offsets_t *
-newoffsets(dns_message_t *msg) {
- dns_msgblock_t *msgblock;
- dns_offsets_t *offsets;
-
- msgblock = ISC_LIST_TAIL(msg->offsets);
- offsets = msgblock_get(msgblock, dns_offsets_t);
- if (offsets == NULL) {
- msgblock = msgblock_allocate(msg->mctx,
- sizeof(dns_offsets_t),
- OFFSET_COUNT);
- if (msgblock == NULL)
- return (NULL);
-
- ISC_LIST_APPEND(msg->offsets, msgblock, link);
-
- offsets = msgblock_get(msgblock, dns_offsets_t);
- }
-
- return (offsets);
-}
-
-static inline void
-msginitheader(dns_message_t *m) {
- m->id = 0;
- m->flags = 0;
- m->rcode = 0;
- m->opcode = 0;
- m->rdclass = 0;
-}
-
-static inline void
-msginitprivate(dns_message_t *m) {
- unsigned int i;
-
- for (i = 0; i < DNS_SECTION_MAX; i++) {
- m->cursors[i] = NULL;
- m->counts[i] = 0;
- }
- m->opt = NULL;
- m->sig0 = NULL;
- m->sig0name = NULL;
- m->tsig = NULL;
- m->tsigname = NULL;
- m->state = DNS_SECTION_ANY; /* indicate nothing parsed or rendered */
- m->opt_reserved = 0;
- m->sig_reserved = 0;
- m->reserved = 0;
- m->buffer = NULL;
-}
-
-static inline void
-msginittsig(dns_message_t *m) {
- m->tsigstatus = dns_rcode_noerror;
- m->querytsigstatus = dns_rcode_noerror;
- m->tsigkey = NULL;
- m->tsigctx = NULL;
- m->sigstart = -1;
- m->sig0key = NULL;
- m->sig0status = dns_rcode_noerror;
- m->timeadjust = 0;
-}
-
-/*
- * Init elements to default state. Used both when allocating a new element
- * and when resetting one.
- */
-static inline void
-msginit(dns_message_t *m) {
- msginitheader(m);
- msginitprivate(m);
- msginittsig(m);
- m->header_ok = 0;
- m->question_ok = 0;
- m->tcp_continuation = 0;
- m->verified_sig = 0;
- m->verify_attempted = 0;
- m->order = NULL;
- m->order_arg = NULL;
- m->query.base = NULL;
- m->query.length = 0;
- m->free_query = 0;
- m->saved.base = NULL;
- m->saved.length = 0;
- m->free_saved = 0;
- m->querytsig = NULL;
-}
-
-static inline void
-msgresetnames(dns_message_t *msg, unsigned int first_section) {
- unsigned int i;
- dns_name_t *name, *next_name;
- dns_rdataset_t *rds, *next_rds;
-
- /*
- * Clean up name lists by calling the rdataset disassociate function.
- */
- for (i = first_section; i < DNS_SECTION_MAX; i++) {
- name = ISC_LIST_HEAD(msg->sections[i]);
- while (name != NULL) {
- next_name = ISC_LIST_NEXT(name, link);
- ISC_LIST_UNLINK(msg->sections[i], name, link);
-
- rds = ISC_LIST_HEAD(name->list);
- while (rds != NULL) {
- next_rds = ISC_LIST_NEXT(rds, link);
- ISC_LIST_UNLINK(name->list, rds, link);
-
- INSIST(dns_rdataset_isassociated(rds));
- dns_rdataset_disassociate(rds);
- isc_mempool_put(msg->rdspool, rds);
- rds = next_rds;
- }
- if (dns_name_dynamic(name))
- dns_name_free(name, msg->mctx);
- isc_mempool_put(msg->namepool, name);
- name = next_name;
- }
- }
-}
-
-static void
-msgresetopt(dns_message_t *msg)
-{
- if (msg->opt != NULL) {
- if (msg->opt_reserved > 0) {
- dns_message_renderrelease(msg, msg->opt_reserved);
- msg->opt_reserved = 0;
- }
- INSIST(dns_rdataset_isassociated(msg->opt));
- dns_rdataset_disassociate(msg->opt);
- isc_mempool_put(msg->rdspool, msg->opt);
- msg->opt = NULL;
- }
-}
-
-static void
-msgresetsigs(dns_message_t *msg, isc_boolean_t replying) {
- if (msg->sig_reserved > 0) {
- dns_message_renderrelease(msg, msg->sig_reserved);
- msg->sig_reserved = 0;
- }
- if (msg->tsig != NULL) {
- INSIST(dns_rdataset_isassociated(msg->tsig));
- INSIST(msg->namepool != NULL);
- if (replying) {
- INSIST(msg->querytsig == NULL);
- msg->querytsig = msg->tsig;
- } else {
- dns_rdataset_disassociate(msg->tsig);
- isc_mempool_put(msg->rdspool, msg->tsig);
- if (msg->querytsig != NULL) {
- dns_rdataset_disassociate(msg->querytsig);
- isc_mempool_put(msg->rdspool, msg->querytsig);
- }
- }
- if (dns_name_dynamic(msg->tsigname))
- dns_name_free(msg->tsigname, msg->mctx);
- isc_mempool_put(msg->namepool, msg->tsigname);
- msg->tsig = NULL;
- msg->tsigname = NULL;
- } else if (msg->querytsig != NULL && !replying) {
- dns_rdataset_disassociate(msg->querytsig);
- isc_mempool_put(msg->rdspool, msg->querytsig);
- msg->querytsig = NULL;
- }
- if (msg->sig0 != NULL) {
- INSIST(dns_rdataset_isassociated(msg->sig0));
- dns_rdataset_disassociate(msg->sig0);
- isc_mempool_put(msg->rdspool, msg->sig0);
- if (msg->sig0name != NULL) {
- if (dns_name_dynamic(msg->sig0name))
- dns_name_free(msg->sig0name, msg->mctx);
- isc_mempool_put(msg->namepool, msg->sig0name);
- }
- msg->sig0 = NULL;
- msg->sig0name = NULL;
- }
-}
-
-/*
- * Free all but one (or everything) for this message. This is used by
- * both dns_message_reset() and dns_message_destroy().
- */
-static void
-msgreset(dns_message_t *msg, isc_boolean_t everything) {
- dns_msgblock_t *msgblock, *next_msgblock;
- isc_buffer_t *dynbuf, *next_dynbuf;
- dns_rdata_t *rdata;
- dns_rdatalist_t *rdatalist;
-
- msgresetnames(msg, 0);
- msgresetopt(msg);
- msgresetsigs(msg, ISC_FALSE);
-
- /*
- * Clean up linked lists.
- */
-
- /*
- * Run through the free lists, and just unlink anything found there.
- * The memory isn't lost since these are part of message blocks we
- * have allocated.
- */
- rdata = ISC_LIST_HEAD(msg->freerdata);
- while (rdata != NULL) {
- ISC_LIST_UNLINK(msg->freerdata, rdata, link);
- rdata = ISC_LIST_HEAD(msg->freerdata);
- }
- rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
- while (rdatalist != NULL) {
- ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
- rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
- }
-
- dynbuf = ISC_LIST_HEAD(msg->scratchpad);
- INSIST(dynbuf != NULL);
- if (!everything) {
- isc_buffer_clear(dynbuf);
- dynbuf = ISC_LIST_NEXT(dynbuf, link);
- }
- while (dynbuf != NULL) {
- next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
- ISC_LIST_UNLINK(msg->scratchpad, dynbuf, link);
- isc_buffer_free(&dynbuf);
- dynbuf = next_dynbuf;
- }
-
- msgblock = ISC_LIST_HEAD(msg->rdatas);
- if (!everything && msgblock != NULL) {
- msgblock_reset(msgblock);
- msgblock = ISC_LIST_NEXT(msgblock, link);
- }
- while (msgblock != NULL) {
- next_msgblock = ISC_LIST_NEXT(msgblock, link);
- ISC_LIST_UNLINK(msg->rdatas, msgblock, link);
- msgblock_free(msg->mctx, msgblock, sizeof(dns_rdata_t));
- msgblock = next_msgblock;
- }
-
- /*
- * rdatalists could be empty.
- */
-
- msgblock = ISC_LIST_HEAD(msg->rdatalists);
- if (!everything && msgblock != NULL) {
- msgblock_reset(msgblock);
- msgblock = ISC_LIST_NEXT(msgblock, link);
- }
- while (msgblock != NULL) {
- next_msgblock = ISC_LIST_NEXT(msgblock, link);
- ISC_LIST_UNLINK(msg->rdatalists, msgblock, link);
- msgblock_free(msg->mctx, msgblock, sizeof(dns_rdatalist_t));
- msgblock = next_msgblock;
- }
-
- msgblock = ISC_LIST_HEAD(msg->offsets);
- if (!everything && msgblock != NULL) {
- msgblock_reset(msgblock);
- msgblock = ISC_LIST_NEXT(msgblock, link);
- }
- while (msgblock != NULL) {
- next_msgblock = ISC_LIST_NEXT(msgblock, link);
- ISC_LIST_UNLINK(msg->offsets, msgblock, link);
- msgblock_free(msg->mctx, msgblock, sizeof(dns_offsets_t));
- msgblock = next_msgblock;
- }
-
- if (msg->tsigkey != NULL) {
- dns_tsigkey_detach(&msg->tsigkey);
- msg->tsigkey = NULL;
- }
-
- if (msg->query.base != NULL) {
- if (msg->free_query != 0)
- isc_mem_put(msg->mctx, msg->query.base,
- msg->query.length);
- msg->query.base = NULL;
- msg->query.length = 0;
- }
-
- if (msg->saved.base != NULL) {
- if (msg->free_saved != 0)
- isc_mem_put(msg->mctx, msg->saved.base,
- msg->saved.length);
- msg->saved.base = NULL;
- msg->saved.length = 0;
- }
-
- /*
- * cleanup the buffer cleanup list
- */
- dynbuf = ISC_LIST_HEAD(msg->cleanup);
- while (dynbuf != NULL) {
- next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
- ISC_LIST_UNLINK(msg->cleanup, dynbuf, link);
- isc_buffer_free(&dynbuf);
- dynbuf = next_dynbuf;
- }
-
- /*
- * Set other bits to normal default values.
- */
- if (!everything)
- msginit(msg);
-
- ENSURE(isc_mempool_getallocated(msg->namepool) == 0);
- ENSURE(isc_mempool_getallocated(msg->rdspool) == 0);
-}
-
-static unsigned int
-spacefortsig(dns_tsigkey_t *key, int otherlen) {
- isc_region_t r1, r2;
- unsigned int x;
- isc_result_t result;
-
- /*
- * The space required for an TSIG record is:
- *
- * n1 bytes for the name
- * 2 bytes for the type
- * 2 bytes for the class
- * 4 bytes for the ttl
- * 2 bytes for the rdlength
- * n2 bytes for the algorithm name
- * 6 bytes for the time signed
- * 2 bytes for the fudge
- * 2 bytes for the MAC size
- * x bytes for the MAC
- * 2 bytes for the original id
- * 2 bytes for the error
- * 2 bytes for the other data length
- * y bytes for the other data (at most)
- * ---------------------------------
- * 26 + n1 + n2 + x + y bytes
- */
-
- dns_name_toregion(&key->name, &r1);
- dns_name_toregion(key->algorithm, &r2);
- if (key->key == NULL)
- x = 0;
- else {
- result = dst_key_sigsize(key->key, &x);
- if (result != ISC_R_SUCCESS)
- x = 0;
- }
- return (26 + r1.length + r2.length + x + otherlen);
-}
-
-isc_result_t
-dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
-{
- dns_message_t *m;
- isc_result_t result;
- isc_buffer_t *dynbuf;
- unsigned int i;
-
- REQUIRE(mctx != NULL);
- REQUIRE(msgp != NULL);
- REQUIRE(*msgp == NULL);
- REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
- || intent == DNS_MESSAGE_INTENTRENDER);
-
- m = isc_mem_get(mctx, sizeof(dns_message_t));
- if (m == NULL)
- return (ISC_R_NOMEMORY);
-
- /*
- * No allocations until further notice. Just initialize all lists
- * and other members that are freed in the cleanup phase here.
- */
-
- m->magic = DNS_MESSAGE_MAGIC;
- m->from_to_wire = intent;
- msginit(m);
-
- for (i = 0; i < DNS_SECTION_MAX; i++)
- ISC_LIST_INIT(m->sections[i]);
- m->mctx = mctx;
-
- ISC_LIST_INIT(m->scratchpad);
- ISC_LIST_INIT(m->cleanup);
- m->namepool = NULL;
- m->rdspool = NULL;
- ISC_LIST_INIT(m->rdatas);
- ISC_LIST_INIT(m->rdatalists);
- ISC_LIST_INIT(m->offsets);
- ISC_LIST_INIT(m->freerdata);
- ISC_LIST_INIT(m->freerdatalist);
-
- /*
- * Ok, it is safe to allocate (and then "goto cleanup" if failure)
- */
-
- result = isc_mempool_create(m->mctx, sizeof(dns_name_t), &m->namepool);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isc_mempool_setfreemax(m->namepool, NAME_COUNT);
- isc_mempool_setname(m->namepool, "msg:names");
-
- result = isc_mempool_create(m->mctx, sizeof(dns_rdataset_t),
- &m->rdspool);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isc_mempool_setfreemax(m->rdspool, NAME_COUNT);
- isc_mempool_setname(m->rdspool, "msg:rdataset");
-
- dynbuf = NULL;
- result = isc_buffer_allocate(mctx, &dynbuf, SCRATCHPAD_SIZE);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- ISC_LIST_APPEND(m->scratchpad, dynbuf, link);
-
- m->cctx = NULL;
-
- *msgp = m;
- return (ISC_R_SUCCESS);
-
- /*
- * Cleanup for error returns.
- */
- cleanup:
- dynbuf = ISC_LIST_HEAD(m->scratchpad);
- if (dynbuf != NULL) {
- ISC_LIST_UNLINK(m->scratchpad, dynbuf, link);
- isc_buffer_free(&dynbuf);
- }
- if (m->namepool != NULL)
- isc_mempool_destroy(&m->namepool);
- if (m->rdspool != NULL)
- isc_mempool_destroy(&m->rdspool);
- m->magic = 0;
- isc_mem_put(mctx, m, sizeof(dns_message_t));
-
- return (ISC_R_NOMEMORY);
-}
-
-void
-dns_message_reset(dns_message_t *msg, unsigned int intent) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
- || intent == DNS_MESSAGE_INTENTRENDER);
-
- msgreset(msg, ISC_FALSE);
- msg->from_to_wire = intent;
-}
-
-void
-dns_message_destroy(dns_message_t **msgp) {
- dns_message_t *msg;
-
- REQUIRE(msgp != NULL);
- REQUIRE(DNS_MESSAGE_VALID(*msgp));
-
- msg = *msgp;
- *msgp = NULL;
-
- msgreset(msg, ISC_TRUE);
- isc_mempool_destroy(&msg->namepool);
- isc_mempool_destroy(&msg->rdspool);
- msg->magic = 0;
- isc_mem_put(msg->mctx, msg, sizeof(dns_message_t));
-}
-
-static isc_result_t
-findname(dns_name_t **foundname, dns_name_t *target,
- dns_namelist_t *section)
-{
- dns_name_t *curr;
-
- for (curr = ISC_LIST_TAIL(*section);
- curr != NULL;
- curr = ISC_LIST_PREV(curr, link)) {
- if (dns_name_equal(curr, target)) {
- if (foundname != NULL)
- *foundname = curr;
- return (ISC_R_SUCCESS);
- }
- }
-
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
- dns_rdatatype_t covers, dns_rdataset_t **rdataset)
-{
- dns_rdataset_t *curr;
-
- if (rdataset != NULL) {
- REQUIRE(*rdataset == NULL);
- }
-
- for (curr = ISC_LIST_TAIL(name->list);
- curr != NULL;
- curr = ISC_LIST_PREV(curr, link)) {
- if (curr->type == type && curr->covers == covers) {
- if (rdataset != NULL)
- *rdataset = curr;
- return (ISC_R_SUCCESS);
- }
- }
-
- return (ISC_R_NOTFOUND);
-}
-
-/*
- * Read a name from buffer "source".
- */
-static isc_result_t
-getname(dns_name_t *name, isc_buffer_t *source, dns_message_t *msg,
- dns_decompress_t *dctx)
-{
- isc_buffer_t *scratch;
- isc_result_t result;
- unsigned int tries;
-
- scratch = currentbuffer(msg);
-
- /*
- * First try: use current buffer.
- * Second try: allocate a new buffer and use that.
- */
- tries = 0;
- while (tries < 2) {
- result = dns_name_fromwire(name, source, dctx, ISC_FALSE,
- scratch);
-
- if (result == ISC_R_NOSPACE) {
- tries++;
-
- result = newbuffer(msg, SCRATCHPAD_SIZE);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- scratch = currentbuffer(msg);
- dns_name_reset(name);
- } else {
- return (result);
- }
- }
-
- INSIST(0); /* Cannot get here... */
- return (ISC_R_UNEXPECTED);
-}
-
-static isc_result_t
-getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
- dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
- unsigned int rdatalen, dns_rdata_t *rdata)
-{
- isc_buffer_t *scratch;
- isc_result_t result;
- unsigned int tries;
- unsigned int trysize;
-
- scratch = currentbuffer(msg);
-
- isc_buffer_setactive(source, rdatalen);
-
- /*
- * First try: use current buffer.
- * Second try: allocate a new buffer of size
- * max(SCRATCHPAD_SIZE, 2 * compressed_rdatalen)
- * (the data will fit if it was not more than 50% compressed)
- * Subsequent tries: double buffer size on each try.
- */
- tries = 0;
- trysize = 0;
- /* XXX possibly change this to a while (tries < 2) loop */
- for (;;) {
- result = dns_rdata_fromwire(rdata, rdclass, rdtype,
- source, dctx, 0,
- scratch);
-
- if (result == ISC_R_NOSPACE) {
- if (tries == 0) {
- trysize = 2 * rdatalen;
- if (trysize < SCRATCHPAD_SIZE)
- trysize = SCRATCHPAD_SIZE;
- } else {
- INSIST(trysize != 0);
- if (trysize >= 65535)
- return (ISC_R_NOSPACE);
- /* XXX DNS_R_RRTOOLONG? */
- trysize *= 2;
- }
- tries++;
- result = newbuffer(msg, trysize);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- scratch = currentbuffer(msg);
- } else {
- return (result);
- }
- }
-}
-
-#define DO_FORMERR \
- do { \
- if (best_effort) \
- seen_problem = ISC_TRUE; \
- else { \
- result = DNS_R_FORMERR; \
- goto cleanup; \
- } \
- } while (0)
-
-static isc_result_t
-getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
- unsigned int options)
-{
- isc_region_t r;
- unsigned int count;
- dns_name_t *name;
- dns_name_t *name2;
- dns_offsets_t *offsets;
- dns_rdataset_t *rdataset;
- dns_rdatalist_t *rdatalist;
- isc_result_t result;
- dns_rdatatype_t rdtype;
- dns_rdataclass_t rdclass;
- dns_namelist_t *section;
- isc_boolean_t free_name;
- isc_boolean_t best_effort;
- isc_boolean_t seen_problem;
-
- section = &msg->sections[DNS_SECTION_QUESTION];
-
- best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
- seen_problem = ISC_FALSE;
-
- name = NULL;
- rdataset = NULL;
- rdatalist = NULL;
-
- for (count = 0; count < msg->counts[DNS_SECTION_QUESTION]; count++) {
- name = isc_mempool_get(msg->namepool);
- if (name == NULL)
- return (ISC_R_NOMEMORY);
- free_name = ISC_TRUE;
-
- offsets = newoffsets(msg);
- if (offsets == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- dns_name_init(name, *offsets);
-
- /*
- * Parse the name out of this packet.
- */
- isc_buffer_remainingregion(source, &r);
- isc_buffer_setactive(source, r.length);
- result = getname(name, source, msg, dctx);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * Run through the section, looking to see if this name
- * is already there. If it is found, put back the allocated
- * name since we no longer need it, and set our name pointer
- * to point to the name we found.
- */
- result = findname(&name2, name, section);
-
- /*
- * If it is the first name in the section, accept it.
- *
- * If it is not, but is not the same as the name already
- * in the question section, append to the section. Note that
- * here in the question section this is illegal, so return
- * FORMERR. In the future, check the opcode to see if
- * this should be legal or not. In either case we no longer
- * need this name pointer.
- */
- if (result != ISC_R_SUCCESS) {
- if (!ISC_LIST_EMPTY(*section))
- DO_FORMERR;
- ISC_LIST_APPEND(*section, name, link);
- free_name = ISC_FALSE;
- } else {
- isc_mempool_put(msg->namepool, name);
- name = name2;
- name2 = NULL;
- free_name = ISC_FALSE;
- }
-
- /*
- * Get type and class.
- */
- isc_buffer_remainingregion(source, &r);
- if (r.length < 4) {
- result = ISC_R_UNEXPECTEDEND;
- goto cleanup;
- }
- rdtype = isc_buffer_getuint16(source);
- rdclass = isc_buffer_getuint16(source);
-
- /*
- * If this class is different than the one we already read,
- * this is an error.
- */
- if (msg->state == DNS_SECTION_ANY) {
- msg->state = DNS_SECTION_QUESTION;
- msg->rdclass = rdclass;
- } else if (msg->rdclass != rdclass)
- DO_FORMERR;
-
- /*
- * Can't ask the same question twice.
- */
- result = dns_message_findtype(name, rdtype, 0, NULL);
- if (result == ISC_R_SUCCESS)
- DO_FORMERR;
-
- /*
- * Allocate a new rdatalist.
- */
- rdatalist = newrdatalist(msg);
- if (rdatalist == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- rdataset = isc_mempool_get(msg->rdspool);
- if (rdataset == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
-
- /*
- * Convert rdatalist to rdataset, and attach the latter to
- * the name.
- */
- rdatalist->type = rdtype;
- rdatalist->covers = 0;
- rdatalist->rdclass = rdclass;
- rdatalist->ttl = 0;
- ISC_LIST_INIT(rdatalist->rdata);
-
- dns_rdataset_init(rdataset);
- result = dns_rdatalist_tordataset(rdatalist, rdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
-
- ISC_LIST_APPEND(name->list, rdataset, link);
- rdataset = NULL;
- }
-
- if (seen_problem)
- return (DNS_R_RECOVERABLE);
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (rdataset != NULL) {
- INSIST(!dns_rdataset_isassociated(rdataset));
- isc_mempool_put(msg->rdspool, rdataset);
- }
-#if 0
- if (rdatalist != NULL)
- isc_mempool_put(msg->rdlpool, rdatalist);
-#endif
- if (free_name)
- isc_mempool_put(msg->namepool, name);
-
- return (result);
-}
-
-static isc_boolean_t
-update(dns_section_t section, dns_rdataclass_t rdclass) {
- if (section == DNS_SECTION_PREREQUISITE)
- return (ISC_TF(rdclass == dns_rdataclass_any ||
- rdclass == dns_rdataclass_none));
- if (section == DNS_SECTION_UPDATE)
- return (ISC_TF(rdclass == dns_rdataclass_any));
- return (ISC_FALSE);
-}
-
-static isc_result_t
-getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
- dns_section_t sectionid, unsigned int options)
-{
- isc_region_t r;
- unsigned int count, rdatalen;
- dns_name_t *name;
- dns_name_t *name2;
- dns_offsets_t *offsets;
- dns_rdataset_t *rdataset;
- dns_rdatalist_t *rdatalist;
- isc_result_t result;
- dns_rdatatype_t rdtype, covers;
- dns_rdataclass_t rdclass;
- dns_rdata_t *rdata;
- dns_ttl_t ttl;
- dns_namelist_t *section;
- isc_boolean_t free_name, free_rdataset;
- isc_boolean_t preserve_order, best_effort, seen_problem;
- isc_boolean_t issigzero;
-
- preserve_order = ISC_TF(options & DNS_MESSAGEPARSE_PRESERVEORDER);
- best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
- seen_problem = ISC_FALSE;
-
- for (count = 0; count < msg->counts[sectionid]; count++) {
- int recstart = source->current;
- isc_boolean_t skip_name_search, skip_type_search;
-
- section = &msg->sections[sectionid];
-
- skip_name_search = ISC_FALSE;
- skip_type_search = ISC_FALSE;
- free_name = ISC_FALSE;
- free_rdataset = ISC_FALSE;
-
- name = isc_mempool_get(msg->namepool);
- if (name == NULL)
- return (ISC_R_NOMEMORY);
- free_name = ISC_TRUE;
-
- offsets = newoffsets(msg);
- if (offsets == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- dns_name_init(name, *offsets);
-
- /*
- * Parse the name out of this packet.
- */
- isc_buffer_remainingregion(source, &r);
- isc_buffer_setactive(source, r.length);
- result = getname(name, source, msg, dctx);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * Get type, class, ttl, and rdatalen. Verify that at least
- * rdatalen bytes remain. (Some of this is deferred to
- * later.)
- */
- isc_buffer_remainingregion(source, &r);
- if (r.length < 2 + 2 + 4 + 2) {
- result = ISC_R_UNEXPECTEDEND;
- goto cleanup;
- }
- rdtype = isc_buffer_getuint16(source);
- rdclass = isc_buffer_getuint16(source);
-
- /*
- * If there was no question section, we may not yet have
- * established a class. Do so now.
- */
- if (msg->state == DNS_SECTION_ANY &&
- rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
- rdtype != dns_rdatatype_tsig && /* class is ANY */
- rdtype != dns_rdatatype_tkey) { /* class is undefined */
- msg->rdclass = rdclass;
- msg->state = DNS_SECTION_QUESTION;
- }
-
- /*
- * If this class is different than the one in the question
- * section, bail.
- */
- if (msg->opcode != dns_opcode_update
- && rdtype != dns_rdatatype_tsig
- && rdtype != dns_rdatatype_opt
- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
- && rdtype != dns_rdatatype_sig /* SIG(0) */
- && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
- && msg->rdclass != rdclass)
- DO_FORMERR;
-
- /*
- * Special type handling for TSIG, OPT, and TKEY.
- */
- if (rdtype == dns_rdatatype_tsig) {
- /*
- * If it is a tsig, verify that it is in the
- * additional data section.
- */
- if (sectionid != DNS_SECTION_ADDITIONAL ||
- rdclass != dns_rdataclass_any ||
- count != msg->counts[sectionid] - 1)
- DO_FORMERR;
- msg->sigstart = recstart;
- skip_name_search = ISC_TRUE;
- skip_type_search = ISC_TRUE;
- } else if (rdtype == dns_rdatatype_opt) {
- /*
- * The name of an OPT record must be ".", it
- * must be in the additional data section, and
- * it must be the first OPT we've seen.
- */
- if (!dns_name_equal(dns_rootname, name) ||
- msg->opt != NULL)
- DO_FORMERR;
- skip_name_search = ISC_TRUE;
- skip_type_search = ISC_TRUE;
- } else if (rdtype == dns_rdatatype_tkey) {
- /*
- * A TKEY must be in the additional section if this
- * is a query, and the answer section if this is a
- * response. Unless it's a Win2000 client.
- *
- * Its class is ignored.
- */
- dns_section_t tkeysection;
-
- if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
- tkeysection = DNS_SECTION_ADDITIONAL;
- else
- tkeysection = DNS_SECTION_ANSWER;
- if (sectionid != tkeysection &&
- sectionid != DNS_SECTION_ANSWER)
- DO_FORMERR;
- }
-
- /*
- * ... now get ttl and rdatalen, and check buffer.
- */
- ttl = isc_buffer_getuint32(source);
- rdatalen = isc_buffer_getuint16(source);
- r.length -= (2 + 2 + 4 + 2);
- if (r.length < rdatalen) {
- result = ISC_R_UNEXPECTEDEND;
- goto cleanup;
- }
-
- /*
- * Read the rdata from the wire format. Interpret the
- * rdata according to its actual class, even if it had a
- * DynDNS meta-class in the packet (unless this is a TSIG).
- * Then put the meta-class back into the finished rdata.
- */
- rdata = newrdata(msg);
- if (rdata == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- if (msg->opcode == dns_opcode_update &&
- update(sectionid, rdclass)) {
- if (rdatalen != 0) {
- result = DNS_R_FORMERR;
- goto cleanup;
- }
- /*
- * When the rdata is empty, the data pointer is
- * never dereferenced, but it must still be non-NULL.
- * Casting 1 rather than "" avoids warnings about
- * discarding the const attribute of a string,
- * for compilers that would warn about such things.
- */
- rdata->data = (unsigned char *)1;
- rdata->length = 0;
- rdata->rdclass = rdclass;
- rdata->type = rdtype;
- rdata->flags = DNS_RDATA_UPDATE;
- result = ISC_R_SUCCESS;
- } else if (rdtype == dns_rdatatype_tsig)
- result = getrdata(source, msg, dctx, rdclass,
- rdtype, rdatalen, rdata);
- else
- result = getrdata(source, msg, dctx, msg->rdclass,
- rdtype, rdatalen, rdata);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- rdata->rdclass = rdclass;
- issigzero = ISC_FALSE;
- if (rdtype == dns_rdatatype_rrsig &&
- rdata->flags == 0) {
- covers = dns_rdata_covers(rdata);
- if (covers == 0)
- DO_FORMERR;
- } else if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
- rdata->flags == 0) {
- covers = dns_rdata_covers(rdata);
- if (covers == 0) {
- if (sectionid != DNS_SECTION_ADDITIONAL ||
- count != msg->counts[sectionid] - 1)
- DO_FORMERR;
- msg->sigstart = recstart;
- skip_name_search = ISC_TRUE;
- skip_type_search = ISC_TRUE;
- issigzero = ISC_TRUE;
- }
- } else
- covers = 0;
-
- /*
- * If we are doing a dynamic update or this is a meta-type,
- * don't bother searching for a name, just append this one
- * to the end of the message.
- */
- if (preserve_order || msg->opcode == dns_opcode_update ||
- skip_name_search) {
- if (rdtype != dns_rdatatype_opt &&
- rdtype != dns_rdatatype_tsig &&
- !issigzero)
- {
- ISC_LIST_APPEND(*section, name, link);
- free_name = ISC_FALSE;
- }
- } else {
- /*
- * Run through the section, looking to see if this name
- * is already there. If it is found, put back the
- * allocated name since we no longer need it, and set
- * our name pointer to point to the name we found.
- */
- result = findname(&name2, name, section);
-
- /*
- * If it is a new name, append to the section.
- */
- if (result == ISC_R_SUCCESS) {
- isc_mempool_put(msg->namepool, name);
- name = name2;
- } else {
- ISC_LIST_APPEND(*section, name, link);
- }
- free_name = ISC_FALSE;
- }
-
- /*
- * Search name for the particular type and class.
- * Skip this stage if in update mode or this is a meta-type.
- */
- if (preserve_order || msg->opcode == dns_opcode_update ||
- skip_type_search)
- result = ISC_R_NOTFOUND;
- else {
- /*
- * If this is a type that can only occur in
- * the question section, fail.
- */
- if (dns_rdatatype_questiononly(rdtype))
- DO_FORMERR;
-
- rdataset = NULL;
- result = dns_message_findtype(name, rdtype, covers,
- &rdataset);
- }
-
- /*
- * If we found an rdataset that matches, we need to
- * append this rdata to that set. If we did not, we need
- * to create a new rdatalist, store the important bits there,
- * convert it to an rdataset, and link the latter to the name.
- * Yuck. When appending, make certain that the type isn't
- * a singleton type, such as SOA or CNAME.
- *
- * Note that this check will be bypassed when preserving order,
- * the opcode is an update, or the type search is skipped.
- */
- if (result == ISC_R_SUCCESS) {
- if (dns_rdatatype_issingleton(rdtype))
- DO_FORMERR;
- }
-
- if (result == ISC_R_NOTFOUND) {
- rdataset = isc_mempool_get(msg->rdspool);
- if (rdataset == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- free_rdataset = ISC_TRUE;
-
- rdatalist = newrdatalist(msg);
- if (rdatalist == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
-
- rdatalist->type = rdtype;
- rdatalist->covers = covers;
- rdatalist->rdclass = rdclass;
- rdatalist->ttl = ttl;
- ISC_LIST_INIT(rdatalist->rdata);
-
- dns_rdataset_init(rdataset);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist,
- rdataset)
- == ISC_R_SUCCESS);
-
- if (rdtype != dns_rdatatype_opt &&
- rdtype != dns_rdatatype_tsig &&
- !issigzero)
- {
- ISC_LIST_APPEND(name->list, rdataset, link);
- free_rdataset = ISC_FALSE;
- }
- }
-
- /*
- * Minimize TTLs.
- *
- * Section 5.2 of RFC 2181 says we should drop
- * nonauthoritative rrsets where the TTLs differ, but we
- * currently treat them the as if they were authoritative and
- * minimize them.
- */
- if (ttl != rdataset->ttl) {
- rdataset->attributes |= DNS_RDATASETATTR_TTLADJUSTED;
- if (ttl < rdataset->ttl)
- rdataset->ttl = ttl;
- }
-
- /*
- * XXXMLG Perform a totally ugly hack here to pull
- * the rdatalist out of the private field in the rdataset,
- * and append this rdata to the rdatalist's linked list
- * of rdata.
- */
- rdatalist = (dns_rdatalist_t *)(rdataset->private1);
-
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-
- /*
- * If this is an OPT record, remember it. Also, set
- * the extended rcode. Note that msg->opt will only be set
- * if best-effort parsing is enabled.
- */
- if (rdtype == dns_rdatatype_opt && msg->opt == NULL) {
- dns_rcode_t ercode;
-
- msg->opt = rdataset;
- rdataset = NULL;
- free_rdataset = ISC_FALSE;
- ercode = (dns_rcode_t)
- ((msg->opt->ttl & DNS_MESSAGE_EDNSRCODE_MASK)
- >> 20);
- msg->rcode |= ercode;
- isc_mempool_put(msg->namepool, name);
- free_name = ISC_FALSE;
- }
-
- /*
- * If this is an SIG(0) or TSIG record, remember it. Note
- * that msg->sig0 or msg->tsig will only be set if best-effort
- * parsing is enabled.
- */
- if (issigzero && msg->sig0 == NULL) {
- msg->sig0 = rdataset;
- msg->sig0name = name;
- rdataset = NULL;
- free_rdataset = ISC_FALSE;
- free_name = ISC_FALSE;
- } else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
- msg->tsig = rdataset;
- msg->tsigname = name;
- rdataset = NULL;
- free_rdataset = ISC_FALSE;
- free_name = ISC_FALSE;
- }
-
- if (seen_problem) {
- if (free_name)
- isc_mempool_put(msg->namepool, name);
- if (free_rdataset)
- isc_mempool_put(msg->rdspool, rdataset);
- free_name = free_rdataset = ISC_FALSE;
- }
- INSIST(free_name == ISC_FALSE);
- INSIST(free_rdataset == ISC_FALSE);
- }
-
- if (seen_problem)
- return (DNS_R_RECOVERABLE);
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (free_name)
- isc_mempool_put(msg->namepool, name);
- if (free_rdataset)
- isc_mempool_put(msg->rdspool, rdataset);
-
- return (result);
-}
-
-isc_result_t
-dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
- unsigned int options)
-{
- isc_region_t r;
- dns_decompress_t dctx;
- isc_result_t ret;
- isc_uint16_t tmpflags;
- isc_buffer_t origsource;
- isc_boolean_t seen_problem;
- isc_boolean_t ignore_tc;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(source != NULL);
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
-
- seen_problem = ISC_FALSE;
- ignore_tc = ISC_TF(options & DNS_MESSAGEPARSE_IGNORETRUNCATION);
-
- origsource = *source;
-
- msg->header_ok = 0;
- msg->question_ok = 0;
-
- isc_buffer_remainingregion(source, &r);
- if (r.length < DNS_MESSAGE_HEADERLEN)
- return (ISC_R_UNEXPECTEDEND);
-
- msg->id = isc_buffer_getuint16(source);
- tmpflags = isc_buffer_getuint16(source);
- msg->opcode = ((tmpflags & DNS_MESSAGE_OPCODE_MASK)
- >> DNS_MESSAGE_OPCODE_SHIFT);
- msg->rcode = (dns_rcode_t)(tmpflags & DNS_MESSAGE_RCODE_MASK);
- msg->flags = (tmpflags & DNS_MESSAGE_FLAG_MASK);
- msg->counts[DNS_SECTION_QUESTION] = isc_buffer_getuint16(source);
- msg->counts[DNS_SECTION_ANSWER] = isc_buffer_getuint16(source);
- msg->counts[DNS_SECTION_AUTHORITY] = isc_buffer_getuint16(source);
- msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
-
- msg->header_ok = 1;
-
- /*
- * -1 means no EDNS.
- */
- dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
-
- dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL14);
-
- ret = getquestions(source, msg, &dctx, options);
- if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
- goto truncated;
- if (ret == DNS_R_RECOVERABLE) {
- seen_problem = ISC_TRUE;
- ret = ISC_R_SUCCESS;
- }
- if (ret != ISC_R_SUCCESS)
- return (ret);
- msg->question_ok = 1;
-
- ret = getsection(source, msg, &dctx, DNS_SECTION_ANSWER, options);
- if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
- goto truncated;
- if (ret == DNS_R_RECOVERABLE) {
- seen_problem = ISC_TRUE;
- ret = ISC_R_SUCCESS;
- }
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- ret = getsection(source, msg, &dctx, DNS_SECTION_AUTHORITY, options);
- if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
- goto truncated;
- if (ret == DNS_R_RECOVERABLE) {
- seen_problem = ISC_TRUE;
- ret = ISC_R_SUCCESS;
- }
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- ret = getsection(source, msg, &dctx, DNS_SECTION_ADDITIONAL, options);
- if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
- goto truncated;
- if (ret == DNS_R_RECOVERABLE) {
- seen_problem = ISC_TRUE;
- ret = ISC_R_SUCCESS;
- }
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- isc_buffer_remainingregion(source, &r);
- if (r.length != 0) {
- isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MESSAGE, ISC_LOG_DEBUG(3),
- "message has %u byte(s) of trailing garbage",
- r.length);
- }
-
- truncated:
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
- isc_buffer_usedregion(&origsource, &msg->saved);
- else {
- msg->saved.length = isc_buffer_usedlength(&origsource);
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
- if (msg->saved.base == NULL)
- return (ISC_R_NOMEMORY);
- memcpy(msg->saved.base, isc_buffer_base(&origsource),
- msg->saved.length);
- msg->free_saved = 1;
- }
-
- if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
- return (DNS_R_RECOVERABLE);
- if (seen_problem == ISC_TRUE)
- return (DNS_R_RECOVERABLE);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
- isc_buffer_t *buffer)
-{
- isc_region_t r;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(buffer != NULL);
- REQUIRE(msg->buffer == NULL);
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-
- msg->cctx = cctx;
-
- /*
- * Erase the contents of this buffer.
- */
- isc_buffer_clear(buffer);
-
- /*
- * Make certain there is enough for at least the header in this
- * buffer.
- */
- isc_buffer_availableregion(buffer, &r);
- if (r.length < DNS_MESSAGE_HEADERLEN)
- return (ISC_R_NOSPACE);
-
- if (r.length < msg->reserved)
- return (ISC_R_NOSPACE);
-
- /*
- * Reserve enough space for the header in this buffer.
- */
- isc_buffer_add(buffer, DNS_MESSAGE_HEADERLEN);
-
- msg->buffer = buffer;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer) {
- isc_region_t r, rn;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(buffer != NULL);
- REQUIRE(msg->buffer != NULL);
-
- /*
- * Ensure that the new buffer is empty, and has enough space to
- * hold the current contents.
- */
- isc_buffer_clear(buffer);
-
- isc_buffer_availableregion(buffer, &rn);
- isc_buffer_usedregion(msg->buffer, &r);
- REQUIRE(rn.length > r.length);
-
- /*
- * Copy the contents from the old to the new buffer.
- */
- isc_buffer_add(buffer, r.length);
- memcpy(rn.base, r.base, r.length);
-
- msg->buffer = buffer;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_renderrelease(dns_message_t *msg, unsigned int space) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(space <= msg->reserved);
-
- msg->reserved -= space;
-}
-
-isc_result_t
-dns_message_renderreserve(dns_message_t *msg, unsigned int space) {
- isc_region_t r;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
-
- if (msg->buffer != NULL) {
- isc_buffer_availableregion(msg->buffer, &r);
- if (r.length < (space + msg->reserved))
- return (ISC_R_NOSPACE);
- }
-
- msg->reserved += space;
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
- int pass_needed;
-
- /*
- * If we are not rendering class IN, this ordering is bogus.
- */
- if (rds->rdclass != dns_rdataclass_in)
- return (ISC_FALSE);
-
- switch (rds->type) {
- case dns_rdatatype_a:
- case dns_rdatatype_aaaa:
- if (preferred_glue == rds->type)
- pass_needed = 4;
- else
- pass_needed = 3;
- break;
- case dns_rdatatype_rrsig:
- case dns_rdatatype_dnskey:
- pass_needed = 2;
- break;
- default:
- pass_needed = 1;
- }
-
- if (pass_needed >= pass)
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
-
-isc_result_t
-dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
- unsigned int options)
-{
- dns_namelist_t *section;
- dns_name_t *name, *next_name;
- dns_rdataset_t *rdataset, *next_rdataset;
- unsigned int count, total;
- isc_result_t result;
- isc_buffer_t st; /* for rollbacks */
- int pass;
- isc_boolean_t partial = ISC_FALSE;
- unsigned int rd_options;
- dns_rdatatype_t preferred_glue = 0;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(msg->buffer != NULL);
- REQUIRE(VALID_NAMED_SECTION(sectionid));
-
- section = &msg->sections[sectionid];
-
- if ((sectionid == DNS_SECTION_ADDITIONAL)
- && (options & DNS_MESSAGERENDER_ORDERED) == 0) {
- if ((options & DNS_MESSAGERENDER_PREFER_A) != 0) {
- preferred_glue = dns_rdatatype_a;
- pass = 4;
- } else if ((options & DNS_MESSAGERENDER_PREFER_AAAA) != 0) {
- preferred_glue = dns_rdatatype_aaaa;
- pass = 4;
- } else
- pass = 3;
- } else
- pass = 1;
-
- if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0)
- rd_options = 0;
- else
- rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
-
- /*
- * Shrink the space in the buffer by the reserved amount.
- */
- msg->buffer->length -= msg->reserved;
-
- total = 0;
- if (msg->reserved == 0 && (options & DNS_MESSAGERENDER_PARTIAL) != 0)
- partial = ISC_TRUE;
-
- /*
- * Render required glue first. Set TC if it won't fit.
- */
- name = ISC_LIST_HEAD(*section);
- if (name != NULL) {
- rdataset = ISC_LIST_HEAD(name->list);
- if (rdataset != NULL &&
- (rdataset->attributes & DNS_RDATASETATTR_REQUIREDGLUE) != 0 &&
- (rdataset->attributes & DNS_RDATASETATTR_RENDERED) == 0) {
- void *order_arg = msg->order_arg;
- st = *(msg->buffer);
- count = 0;
- if (partial)
- result = dns_rdataset_towirepartial(rdataset,
- name,
- msg->cctx,
- msg->buffer,
- msg->order,
- order_arg,
- rd_options,
- &count,
- NULL);
- else
- result = dns_rdataset_towiresorted(rdataset,
- name,
- msg->cctx,
- msg->buffer,
- msg->order,
- order_arg,
- rd_options,
- &count);
- total += count;
- if (partial && result == ISC_R_NOSPACE) {
- msg->flags |= DNS_MESSAGEFLAG_TC;
- msg->buffer->length += msg->reserved;
- msg->counts[sectionid] += total;
- return (result);
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(st.used < 65536);
- dns_compress_rollback(msg->cctx,
- (isc_uint16_t)st.used);
- *(msg->buffer) = st; /* rollback */
- msg->buffer->length += msg->reserved;
- msg->counts[sectionid] += total;
- return (result);
- }
- rdataset->attributes |= DNS_RDATASETATTR_RENDERED;
- }
- }
-
- do {
- name = ISC_LIST_HEAD(*section);
- if (name == NULL) {
- msg->buffer->length += msg->reserved;
- msg->counts[sectionid] += total;
- return (ISC_R_SUCCESS);
- }
-
- while (name != NULL) {
- next_name = ISC_LIST_NEXT(name, link);
-
- rdataset = ISC_LIST_HEAD(name->list);
- while (rdataset != NULL) {
- next_rdataset = ISC_LIST_NEXT(rdataset, link);
-
- if ((rdataset->attributes &
- DNS_RDATASETATTR_RENDERED) != 0)
- goto next;
-
- if (((options & DNS_MESSAGERENDER_ORDERED)
- == 0)
- && (sectionid == DNS_SECTION_ADDITIONAL)
- && wrong_priority(rdataset, pass,
- preferred_glue))
- goto next;
-
- st = *(msg->buffer);
-
- count = 0;
- if (partial)
- result = dns_rdataset_towirepartial(
- rdataset,
- name,
- msg->cctx,
- msg->buffer,
- msg->order,
- msg->order_arg,
- rd_options,
- &count,
- NULL);
- else
- result = dns_rdataset_towiresorted(
- rdataset,
- name,
- msg->cctx,
- msg->buffer,
- msg->order,
- msg->order_arg,
- rd_options,
- &count);
-
- total += count;
-
- /*
- * If out of space, record stats on what we
- * rendered so far, and return that status.
- *
- * XXXMLG Need to change this when
- * dns_rdataset_towire() can render partial
- * sets starting at some arbitary point in the
- * set. This will include setting a bit in the
- * rdataset to indicate that a partial
- * rendering was done, and some state saved
- * somewhere (probably in the message struct)
- * to indicate where to continue from.
- */
- if (partial && result == ISC_R_NOSPACE) {
- msg->buffer->length += msg->reserved;
- msg->counts[sectionid] += total;
- return (result);
- }
- if (result != ISC_R_SUCCESS) {
- INSIST(st.used < 65536);
- dns_compress_rollback(msg->cctx,
- (isc_uint16_t)st.used);
- *(msg->buffer) = st; /* rollback */
- msg->buffer->length += msg->reserved;
- msg->counts[sectionid] += total;
- return (result);
- }
-
- /*
- * If we have rendered non-validated data,
- * ensure that the AD bit is not set.
- */
- if (rdataset->trust != dns_trust_secure &&
- (sectionid == DNS_SECTION_ANSWER ||
- sectionid == DNS_SECTION_AUTHORITY))
- msg->flags &= ~DNS_MESSAGEFLAG_AD;
-
- rdataset->attributes |=
- DNS_RDATASETATTR_RENDERED;
-
- next:
- rdataset = next_rdataset;
- }
-
- name = next_name;
- }
- } while (--pass != 0);
-
- msg->buffer->length += msg->reserved;
- msg->counts[sectionid] += total;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) {
- isc_uint16_t tmp;
- isc_region_t r;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(target != NULL);
-
- isc_buffer_availableregion(target, &r);
- REQUIRE(r.length >= DNS_MESSAGE_HEADERLEN);
-
- isc_buffer_putuint16(target, msg->id);
-
- tmp = ((msg->opcode << DNS_MESSAGE_OPCODE_SHIFT)
- & DNS_MESSAGE_OPCODE_MASK);
- tmp |= (msg->rcode & DNS_MESSAGE_RCODE_MASK);
- tmp |= (msg->flags & DNS_MESSAGE_FLAG_MASK);
-
- INSIST(msg->counts[DNS_SECTION_QUESTION] < 65536 &&
- msg->counts[DNS_SECTION_ANSWER] < 65536 &&
- msg->counts[DNS_SECTION_AUTHORITY] < 65536 &&
- msg->counts[DNS_SECTION_ADDITIONAL] < 65536);
-
- isc_buffer_putuint16(target, tmp);
- isc_buffer_putuint16(target,
- (isc_uint16_t)msg->counts[DNS_SECTION_QUESTION]);
- isc_buffer_putuint16(target,
- (isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]);
- isc_buffer_putuint16(target,
- (isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
- isc_buffer_putuint16(target,
- (isc_uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]);
-}
-
-isc_result_t
-dns_message_renderend(dns_message_t *msg) {
- isc_buffer_t tmpbuf;
- isc_region_t r;
- int result;
- unsigned int count;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(msg->buffer != NULL);
-
- if ((msg->rcode & ~DNS_MESSAGE_RCODE_MASK) != 0 && msg->opt == NULL) {
- /*
- * We have an extended rcode but are not using EDNS.
- */
- return (DNS_R_FORMERR);
- }
-
- /*
- * If we've got an OPT record, render it.
- */
- if (msg->opt != NULL) {
- dns_message_renderrelease(msg, msg->opt_reserved);
- msg->opt_reserved = 0;
- /*
- * Set the extended rcode.
- */
- msg->opt->ttl &= ~DNS_MESSAGE_EDNSRCODE_MASK;
- msg->opt->ttl |= ((msg->rcode << 20) &
- DNS_MESSAGE_EDNSRCODE_MASK);
- /*
- * Render.
- */
- count = 0;
- result = dns_rdataset_towire(msg->opt, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
- msg->counts[DNS_SECTION_ADDITIONAL] += count;
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- /*
- * If we're adding a TSIG or SIG(0) to a truncated message,
- * clear all rdatasets from the message except for the question
- * before adding the TSIG or SIG(0). If the question doesn't fit,
- * don't include it.
- */
- if ((msg->tsigkey != NULL || msg->sig0key != NULL) &&
- (msg->flags & DNS_MESSAGEFLAG_TC) != 0)
- {
- isc_buffer_t *buf;
-
- msgresetnames(msg, DNS_SECTION_ANSWER);
- buf = msg->buffer;
- dns_message_renderreset(msg);
- msg->buffer = buf;
- isc_buffer_clear(msg->buffer);
- isc_buffer_add(msg->buffer, DNS_MESSAGE_HEADERLEN);
- dns_compress_rollback(msg->cctx, 0);
- result = dns_message_rendersection(msg, DNS_SECTION_QUESTION,
- 0);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
- return (result);
- }
-
- /*
- * If we're adding a TSIG record, generate and render it.
- */
- if (msg->tsigkey != NULL) {
- dns_message_renderrelease(msg, msg->sig_reserved);
- msg->sig_reserved = 0;
- result = dns_tsig_sign(msg);
- if (result != ISC_R_SUCCESS)
- return (result);
- count = 0;
- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
- msg->cctx, msg->buffer, 0,
- &count);
- msg->counts[DNS_SECTION_ADDITIONAL] += count;
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- /*
- * If we're adding a SIG(0) record, generate and render it.
- */
- if (msg->sig0key != NULL) {
- dns_message_renderrelease(msg, msg->sig_reserved);
- msg->sig_reserved = 0;
- result = dns_dnssec_signmessage(msg, msg->sig0key);
- if (result != ISC_R_SUCCESS)
- return (result);
- count = 0;
- /*
- * Note: dns_rootname is used here, not msg->sig0name, since
- * the owner name of a SIG(0) is irrelevant, and will not
- * be set in a message being rendered.
- */
- result = dns_rdataset_towire(msg->sig0, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
- msg->counts[DNS_SECTION_ADDITIONAL] += count;
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- isc_buffer_usedregion(msg->buffer, &r);
- isc_buffer_init(&tmpbuf, r.base, r.length);
-
- dns_message_renderheader(msg, &tmpbuf);
-
- msg->buffer = NULL; /* forget about this buffer only on success XXX */
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_renderreset(dns_message_t *msg) {
- unsigned int i;
- dns_name_t *name;
- dns_rdataset_t *rds;
-
- /*
- * Reset the message so that it may be rendered again.
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
-
- msg->buffer = NULL;
-
- for (i = 0; i < DNS_SECTION_MAX; i++) {
- msg->cursors[i] = NULL;
- msg->counts[i] = 0;
- for (name = ISC_LIST_HEAD(msg->sections[i]);
- name != NULL;
- name = ISC_LIST_NEXT(name, link)) {
- for (rds = ISC_LIST_HEAD(name->list);
- rds != NULL;
- rds = ISC_LIST_NEXT(rds, link)) {
- rds->attributes &= ~DNS_RDATASETATTR_RENDERED;
- }
- }
- }
- if (msg->tsigname != NULL)
- dns_message_puttempname(msg, &msg->tsigname);
- if (msg->tsig != NULL) {
- dns_rdataset_disassociate(msg->tsig);
- dns_message_puttemprdataset(msg, &msg->tsig);
- }
- if (msg->sig0 != NULL) {
- dns_rdataset_disassociate(msg->sig0);
- dns_message_puttemprdataset(msg, &msg->sig0);
- }
-}
-
-isc_result_t
-dns_message_firstname(dns_message_t *msg, dns_section_t section) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(VALID_NAMED_SECTION(section));
-
- msg->cursors[section] = ISC_LIST_HEAD(msg->sections[section]);
-
- if (msg->cursors[section] == NULL)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_nextname(dns_message_t *msg, dns_section_t section) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(VALID_NAMED_SECTION(section));
- REQUIRE(msg->cursors[section] != NULL);
-
- msg->cursors[section] = ISC_LIST_NEXT(msg->cursors[section], link);
-
- if (msg->cursors[section] == NULL)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_currentname(dns_message_t *msg, dns_section_t section,
- dns_name_t **name)
-{
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(VALID_NAMED_SECTION(section));
- REQUIRE(name != NULL && *name == NULL);
- REQUIRE(msg->cursors[section] != NULL);
-
- *name = msg->cursors[section];
-}
-
-isc_result_t
-dns_message_findname(dns_message_t *msg, dns_section_t section,
- dns_name_t *target, dns_rdatatype_t type,
- dns_rdatatype_t covers, dns_name_t **name,
- dns_rdataset_t **rdataset)
-{
- dns_name_t *foundname;
- isc_result_t result;
-
- /*
- * XXX These requirements are probably too intensive, especially
- * where things can be NULL, but as they are they ensure that if
- * something is NON-NULL, indicating that the caller expects it
- * to be filled in, that we can in fact fill it in.
- */
- REQUIRE(msg != NULL);
- REQUIRE(VALID_SECTION(section));
- REQUIRE(target != NULL);
- if (name != NULL)
- REQUIRE(*name == NULL);
- if (type == dns_rdatatype_any) {
- REQUIRE(rdataset == NULL);
- } else {
- if (rdataset != NULL)
- REQUIRE(*rdataset == NULL);
- }
-
- result = findname(&foundname, target,
- &msg->sections[section]);
-
- if (result == ISC_R_NOTFOUND)
- return (DNS_R_NXDOMAIN);
- else if (result != ISC_R_SUCCESS)
- return (result);
-
- if (name != NULL)
- *name = foundname;
-
- /*
- * And now look for the type.
- */
- if (type == dns_rdatatype_any)
- return (ISC_R_SUCCESS);
-
- result = dns_message_findtype(foundname, type, covers, rdataset);
- if (result == ISC_R_NOTFOUND)
- return (DNS_R_NXRRSET);
-
- return (result);
-}
-
-void
-dns_message_movename(dns_message_t *msg, dns_name_t *name,
- dns_section_t fromsection,
- dns_section_t tosection)
-{
- REQUIRE(msg != NULL);
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
- REQUIRE(name != NULL);
- REQUIRE(VALID_NAMED_SECTION(fromsection));
- REQUIRE(VALID_NAMED_SECTION(tosection));
-
- /*
- * Unlink the name from the old section
- */
- ISC_LIST_UNLINK(msg->sections[fromsection], name, link);
- ISC_LIST_APPEND(msg->sections[tosection], name, link);
-}
-
-void
-dns_message_addname(dns_message_t *msg, dns_name_t *name,
- dns_section_t section)
-{
- REQUIRE(msg != NULL);
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
- REQUIRE(name != NULL);
- REQUIRE(VALID_NAMED_SECTION(section));
-
- ISC_LIST_APPEND(msg->sections[section], name, link);
-}
-
-isc_result_t
-dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item == NULL);
-
- *item = isc_mempool_get(msg->namepool);
- if (*item == NULL)
- return (ISC_R_NOMEMORY);
- dns_name_init(*item, NULL);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item == NULL);
-
- *item = newoffsets(msg);
- if (*item == NULL)
- return (ISC_R_NOMEMORY);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item == NULL);
-
- *item = newrdata(msg);
- if (*item == NULL)
- return (ISC_R_NOMEMORY);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item == NULL);
-
- *item = isc_mempool_get(msg->rdspool);
- if (*item == NULL)
- return (ISC_R_NOMEMORY);
-
- dns_rdataset_init(*item);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item == NULL);
-
- *item = newrdatalist(msg);
- if (*item == NULL)
- return (ISC_R_NOMEMORY);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_message_puttempname(dns_message_t *msg, dns_name_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item != NULL);
-
- if (dns_name_dynamic(*item))
- dns_name_free(*item, msg->mctx);
- isc_mempool_put(msg->namepool, *item);
- *item = NULL;
-}
-
-void
-dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item != NULL);
-
- releaserdata(msg, *item);
- *item = NULL;
-}
-
-void
-dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item != NULL);
-
- REQUIRE(!dns_rdataset_isassociated(*item));
- isc_mempool_put(msg->rdspool, *item);
- *item = NULL;
-}
-
-void
-dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(item != NULL && *item != NULL);
-
- releaserdatalist(msg, *item);
- *item = NULL;
-}
-
-isc_result_t
-dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
- unsigned int *flagsp)
-{
- isc_region_t r;
- isc_buffer_t buffer;
- dns_messageid_t id;
- unsigned int flags;
-
- REQUIRE(source != NULL);
-
- buffer = *source;
-
- isc_buffer_remainingregion(&buffer, &r);
- if (r.length < DNS_MESSAGE_HEADERLEN)
- return (ISC_R_UNEXPECTEDEND);
-
- id = isc_buffer_getuint16(&buffer);
- flags = isc_buffer_getuint16(&buffer);
- flags &= DNS_MESSAGE_FLAG_MASK;
-
- if (flagsp != NULL)
- *flagsp = flags;
- if (idp != NULL)
- *idp = id;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
- unsigned int first_section;
- isc_result_t result;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE((msg->flags & DNS_MESSAGEFLAG_QR) == 0);
-
- if (!msg->header_ok)
- return (DNS_R_FORMERR);
- if (msg->opcode != dns_opcode_query &&
- msg->opcode != dns_opcode_notify)
- want_question_section = ISC_FALSE;
- if (want_question_section) {
- if (!msg->question_ok)
- return (DNS_R_FORMERR);
- first_section = DNS_SECTION_ANSWER;
- } else
- first_section = DNS_SECTION_QUESTION;
- msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
- msgresetnames(msg, first_section);
- msgresetopt(msg);
- msgresetsigs(msg, ISC_TRUE);
- msginitprivate(msg);
- /*
- * We now clear most flags and then set QR, ensuring that the
- * reply's flags will be in a reasonable state.
- */
- msg->flags &= DNS_MESSAGE_REPLYPRESERVE;
- msg->flags |= DNS_MESSAGEFLAG_QR;
-
- /*
- * This saves the query TSIG status, if the query was signed, and
- * reserves space in the reply for the TSIG.
- */
- if (msg->tsigkey != NULL) {
- unsigned int otherlen = 0;
- msg->querytsigstatus = msg->tsigstatus;
- msg->tsigstatus = dns_rcode_noerror;
- if (msg->querytsigstatus == dns_tsigerror_badtime)
- otherlen = 6;
- msg->sig_reserved = spacefortsig(msg->tsigkey, otherlen);
- result = dns_message_renderreserve(msg, msg->sig_reserved);
- if (result != ISC_R_SUCCESS) {
- msg->sig_reserved = 0;
- return (result);
- }
- }
- if (msg->saved.base != NULL) {
- msg->query.base = msg->saved.base;
- msg->query.length = msg->saved.length;
- msg->free_query = msg->free_saved;
- msg->saved.base = NULL;
- msg->saved.length = 0;
- msg->free_saved = 0;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-dns_rdataset_t *
-dns_message_getopt(dns_message_t *msg) {
-
- /*
- * Get the OPT record for 'msg'.
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
-
- return (msg->opt);
-}
-
-isc_result_t
-dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- /*
- * Set the OPT record for 'msg'.
- */
-
- /*
- * The space required for an OPT record is:
- *
- * 1 byte for the name
- * 2 bytes for the type
- * 2 bytes for the class
- * 4 bytes for the ttl
- * 2 bytes for the rdata length
- * ---------------------------------
- * 11 bytes
- *
- * plus the length of the rdata.
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(opt->type == dns_rdatatype_opt);
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
- REQUIRE(msg->state == DNS_SECTION_ANY);
-
- msgresetopt(msg);
-
- result = dns_rdataset_first(opt);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rdataset_current(opt, &rdata);
- msg->opt_reserved = 11 + rdata.length;
- result = dns_message_renderreserve(msg, msg->opt_reserved);
- if (result != ISC_R_SUCCESS) {
- msg->opt_reserved = 0;
- goto cleanup;
- }
-
- msg->opt = opt;
-
- return (ISC_R_SUCCESS);
-
- cleanup:
- dns_message_puttemprdataset(msg, &opt);
- return (result);
-
-}
-
-dns_rdataset_t *
-dns_message_gettsig(dns_message_t *msg, dns_name_t **owner) {
-
- /*
- * Get the TSIG record and owner for 'msg'.
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(owner == NULL || *owner == NULL);
-
- if (owner != NULL)
- *owner = msg->tsigname;
- return (msg->tsig);
-}
-
-isc_result_t
-dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key) {
- isc_result_t result;
-
- /*
- * Set the TSIG key for 'msg'
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(msg->state == DNS_SECTION_ANY);
-
- if (key == NULL && msg->tsigkey != NULL) {
- if (msg->sig_reserved != 0) {
- dns_message_renderrelease(msg, msg->sig_reserved);
- msg->sig_reserved = 0;
- }
- dns_tsigkey_detach(&msg->tsigkey);
- }
- if (key != NULL) {
- REQUIRE(msg->tsigkey == NULL && msg->sig0key == NULL);
- dns_tsigkey_attach(key, &msg->tsigkey);
- if (msg->from_to_wire == DNS_MESSAGE_INTENTRENDER) {
- msg->sig_reserved = spacefortsig(msg->tsigkey, 0);
- result = dns_message_renderreserve(msg,
- msg->sig_reserved);
- if (result != ISC_R_SUCCESS) {
- dns_tsigkey_detach(&msg->tsigkey);
- msg->sig_reserved = 0;
- return (result);
- }
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-dns_tsigkey_t *
-dns_message_gettsigkey(dns_message_t *msg) {
-
- /*
- * Get the TSIG key for 'msg'
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
-
- return (msg->tsigkey);
-}
-
-isc_result_t
-dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig) {
- dns_rdata_t *rdata = NULL;
- dns_rdatalist_t *list = NULL;
- dns_rdataset_t *set = NULL;
- isc_buffer_t *buf = NULL;
- isc_region_t r;
- isc_result_t result;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(msg->querytsig == NULL);
-
- if (querytsig == NULL)
- return (ISC_R_SUCCESS);
-
- result = dns_message_gettemprdata(msg, &rdata);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = dns_message_gettemprdatalist(msg, &list);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_gettemprdataset(msg, &set);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- isc_buffer_usedregion(querytsig, &r);
- result = isc_buffer_allocate(msg->mctx, &buf, r.length);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- isc_buffer_putmem(buf, r.base, r.length);
- isc_buffer_usedregion(buf, &r);
- dns_rdata_init(rdata);
- dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_tsig, &r);
- dns_message_takebuffer(msg, &buf);
- ISC_LIST_INIT(list->rdata);
- ISC_LIST_APPEND(list->rdata, rdata, link);
- result = dns_rdatalist_tordataset(list, set);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- msg->querytsig = set;
-
- return (result);
-
- cleanup:
- if (rdata != NULL)
- dns_message_puttemprdata(msg, &rdata);
- if (list != NULL)
- dns_message_puttemprdatalist(msg, &list);
- if (set != NULL)
- dns_message_puttemprdataset(msg, &set);
- return (ISC_R_NOMEMORY);
-}
-
-isc_result_t
-dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
- isc_buffer_t **querytsig) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_region_t r;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(mctx != NULL);
- REQUIRE(querytsig != NULL && *querytsig == NULL);
-
- if (msg->tsig == NULL)
- return (ISC_R_SUCCESS);
-
- result = dns_rdataset_first(msg->tsig);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(msg->tsig, &rdata);
- dns_rdata_toregion(&rdata, &r);
-
- result = isc_buffer_allocate(mctx, querytsig, r.length);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_buffer_putmem(*querytsig, r.base, r.length);
- return (ISC_R_SUCCESS);
-}
-
-dns_rdataset_t *
-dns_message_getsig0(dns_message_t *msg, dns_name_t **owner) {
-
- /*
- * Get the SIG(0) record for 'msg'.
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(owner == NULL || *owner == NULL);
-
- if (msg->sig0 != NULL && owner != NULL) {
- /* If dns_message_getsig0 is called on a rendered message
- * after the SIG(0) has been applied, we need to return the
- * root name, not NULL.
- */
- if (msg->sig0name == NULL)
- *owner = dns_rootname;
- else
- *owner = msg->sig0name;
- }
- return (msg->sig0);
-}
-
-isc_result_t
-dns_message_setsig0key(dns_message_t *msg, dst_key_t *key) {
- isc_region_t r;
- unsigned int x;
- isc_result_t result;
-
- /*
- * Set the SIG(0) key for 'msg'
- */
-
- /*
- * The space required for an SIG(0) record is:
- *
- * 1 byte for the name
- * 2 bytes for the type
- * 2 bytes for the class
- * 4 bytes for the ttl
- * 2 bytes for the type covered
- * 1 byte for the algorithm
- * 1 bytes for the labels
- * 4 bytes for the original ttl
- * 4 bytes for the signature expiration
- * 4 bytes for the signature inception
- * 2 bytes for the key tag
- * n bytes for the signer's name
- * x bytes for the signature
- * ---------------------------------
- * 27 + n + x bytes
- */
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
- REQUIRE(msg->state == DNS_SECTION_ANY);
-
- if (key != NULL) {
- REQUIRE(msg->sig0key == NULL && msg->tsigkey == NULL);
- dns_name_toregion(dst_key_name(key), &r);
- result = dst_key_sigsize(key, &x);
- if (result != ISC_R_SUCCESS) {
- msg->sig_reserved = 0;
- return (result);
- }
- msg->sig_reserved = 27 + r.length + x;
- result = dns_message_renderreserve(msg, msg->sig_reserved);
- if (result != ISC_R_SUCCESS) {
- msg->sig_reserved = 0;
- return (result);
- }
- msg->sig0key = key;
- }
- return (ISC_R_SUCCESS);
-}
-
-dst_key_t *
-dns_message_getsig0key(dns_message_t *msg) {
-
- /*
- * Get the SIG(0) key for 'msg'
- */
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
-
- return (msg->sig0key);
-}
-
-void
-dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(buffer != NULL);
- REQUIRE(ISC_BUFFER_VALID(*buffer));
-
- ISC_LIST_APPEND(msg->cleanup, *buffer, link);
- *buffer = NULL;
-}
-
-isc_result_t
-dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
- isc_result_t result = ISC_R_SUCCESS;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(signer != NULL);
- REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
-
- if (msg->tsig == NULL && msg->sig0 == NULL)
- return (ISC_R_NOTFOUND);
-
- if (msg->verify_attempted == 0)
- return (DNS_R_NOTVERIFIEDYET);
-
- if (!dns_name_hasbuffer(signer)) {
- isc_buffer_t *dynbuf = NULL;
- result = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_setbuffer(signer, dynbuf);
- dns_message_takebuffer(msg, &dynbuf);
- }
-
- if (msg->sig0 != NULL) {
- dns_rdata_sig_t sig;
-
- result = dns_rdataset_first(msg->sig0);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->sig0, &rdata);
-
- result = dns_rdata_tostruct(&rdata, &sig, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (msg->verified_sig && msg->sig0status == dns_rcode_noerror)
- result = ISC_R_SUCCESS;
- else
- result = DNS_R_SIGINVALID;
- dns_name_clone(&sig.signer, signer);
- dns_rdata_freestruct(&sig);
- } else {
- dns_name_t *identity;
- dns_rdata_any_tsig_t tsig;
-
- result = dns_rdataset_first(msg->tsig);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->tsig, &rdata);
-
- result = dns_rdata_tostruct(&rdata, &tsig, NULL);
- if (msg->tsigstatus != dns_rcode_noerror)
- result = DNS_R_TSIGVERIFYFAILURE;
- else if (tsig.error != dns_rcode_noerror)
- result = DNS_R_TSIGERRORSET;
- else
- result = ISC_R_SUCCESS;
- dns_rdata_freestruct(&tsig);
-
- if (msg->tsigkey == NULL) {
- /*
- * If msg->tsigstatus & tsig.error are both
- * dns_rcode_noerror, the message must have been
- * verified, which means msg->tsigkey will be
- * non-NULL.
- */
- INSIST(result != ISC_R_SUCCESS);
- } else {
- identity = dns_tsigkey_identity(msg->tsigkey);
- if (identity == NULL) {
- if (result == ISC_R_SUCCESS)
- result = DNS_R_NOIDENTITY;
- identity = &msg->tsigkey->name;
- }
- dns_name_clone(identity, signer);
- }
- }
-
- return (result);
-}
-
-void
-dns_message_resetsig(dns_message_t *msg) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- msg->verified_sig = 0;
- msg->verify_attempted = 0;
- msg->tsigstatus = dns_rcode_noerror;
- msg->sig0status = dns_rcode_noerror;
- msg->timeadjust = 0;
- if (msg->tsigkey != NULL) {
- dns_tsigkey_detach(&msg->tsigkey);
- msg->tsigkey = NULL;
- }
-}
-
-isc_result_t
-dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
- dns_message_resetsig(msg);
- return (dns_message_checksig(msg, view));
-}
-
-isc_result_t
-dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
- isc_buffer_t b, msgb;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
-
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
- return (ISC_R_SUCCESS);
- INSIST(msg->saved.base != NULL);
- isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
- isc_buffer_add(&msgb, msg->saved.length);
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
- if (view != NULL)
- return (dns_view_checksig(view, &msgb, msg));
- else
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
- } else {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_sig_t sig;
- dns_rdataset_t keyset;
- isc_result_t result;
-
- result = dns_rdataset_first(msg->sig0);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->sig0, &rdata);
-
- /*
- * This can occur when the message is a dynamic update, since
- * the rdata length checking is relaxed. This should not
- * happen in a well-formed message, since the SIG(0) is only
- * looked for in the additional section, and the dynamic update
- * meta-records are in the prerequisite and update sections.
- */
- if (rdata.length == 0)
- return (ISC_R_UNEXPECTEDEND);
-
- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_rdataset_init(&keyset);
- if (view == NULL)
- return (DNS_R_KEYUNAUTHORIZED);
- result = dns_view_simplefind(view, &sig.signer,
- dns_rdatatype_key /* SIG(0) */,
- 0, 0, ISC_FALSE, &keyset, NULL);
-
- if (result != ISC_R_SUCCESS) {
- /* XXXBEW Should possibly create a fetch here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- } else if (keyset.trust < dns_trust_secure) {
- /* XXXBEW Should call a validator here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_rdataset_first(&keyset);
- INSIST(result == ISC_R_SUCCESS);
- for (;
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset))
- {
- dst_key_t *key = NULL;
-
- dns_rdataset_current(&keyset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
-
- result = dst_key_fromdns(&sig.signer, rdata.rdclass,
- &b, view->mctx, &key);
- if (result != ISC_R_SUCCESS)
- continue;
- if (dst_key_alg(key) != sig.algorithm ||
- dst_key_id(key) != sig.keyid ||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
- {
- dst_key_free(&key);
- continue;
- }
- result = dns_dnssec_verifymessage(&msgb, msg, key);
- dst_key_free(&key);
- if (result == ISC_R_SUCCESS)
- break;
- }
- if (result == ISC_R_NOMORE)
- result = DNS_R_KEYUNAUTHORIZED;
-
- freesig:
- if (dns_rdataset_isassociated(&keyset))
- dns_rdataset_disassociate(&keyset);
- dns_rdata_freestruct(&sig);
- return (result);
- }
-}
-
-isc_result_t
-dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
- const dns_master_style_t *style,
- dns_messagetextflag_t flags,
- isc_buffer_t *target) {
- dns_name_t *name, empty_name;
- dns_rdataset_t *rdataset;
- isc_result_t result;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(target != NULL);
- REQUIRE(VALID_SECTION(section));
-
- if (ISC_LIST_EMPTY(msg->sections[section]))
- return (ISC_R_SUCCESS);
-
- if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
- ADD_STRING(target, ";; ");
- if (msg->opcode != dns_opcode_update) {
- ADD_STRING(target, sectiontext[section]);
- }
- else {
- ADD_STRING(target, updsectiontext[section]);
- }
- ADD_STRING(target, " SECTION:\n");
- }
-
- dns_name_init(&empty_name, NULL);
- result = dns_message_firstname(msg, section);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
- do {
- name = NULL;
- dns_message_currentname(msg, section, &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (section == DNS_SECTION_QUESTION) {
- ADD_STRING(target, ";");
- result = dns_master_questiontotext(name,
- rdataset,
- style,
- target);
- } else {
- result = dns_master_rdatasettotext(name,
- rdataset,
- style,
- target);
- }
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- result = dns_message_nextname(msg, section);
- } while (result == ISC_R_SUCCESS);
- if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
- (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
- ADD_STRING(target, "\n");
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- return (result);
-}
-
-isc_result_t
-dns_message_pseudosectiontotext(dns_message_t *msg,
- dns_pseudosection_t section,
- const dns_master_style_t *style,
- dns_messagetextflag_t flags,
- isc_buffer_t *target) {
- dns_rdataset_t *ps = NULL;
- dns_name_t *name = NULL;
- isc_result_t result;
- char buf[sizeof("1234567890")];
- isc_uint32_t mbz;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(target != NULL);
- REQUIRE(VALID_PSEUDOSECTION(section));
-
- switch (section) {
- case DNS_PSEUDOSECTION_OPT:
- ps = dns_message_getopt(msg);
- if (ps == NULL)
- return (ISC_R_SUCCESS);
- if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
- ADD_STRING(target, ";; OPT PSEUDOSECTION:\n");
- ADD_STRING(target, "; EDNS: version: ");
- snprintf(buf, sizeof(buf), "%u",
- (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
- ADD_STRING(target, buf);
- ADD_STRING(target, ", flags:");
- if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
- ADD_STRING(target, " do");
- mbz = ps->ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xffff;
- if (mbz != 0) {
- ADD_STRING(target, "; MBZ: ");
- snprintf(buf, sizeof(buf), "%.4x ", mbz);
- ADD_STRING(target, buf);
- ADD_STRING(target, ", udp: ");
- } else
- ADD_STRING(target, "; udp: ");
- snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
- ADD_STRING(target, buf);
- return (ISC_R_SUCCESS);
- case DNS_PSEUDOSECTION_TSIG:
- ps = dns_message_gettsig(msg, &name);
- if (ps == NULL)
- return (ISC_R_SUCCESS);
- if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
- ADD_STRING(target, ";; TSIG PSEUDOSECTION:\n");
- result = dns_master_rdatasettotext(name, ps, style, target);
- if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
- (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
- ADD_STRING(target, "\n");
- return (result);
- case DNS_PSEUDOSECTION_SIG0:
- ps = dns_message_getsig0(msg, &name);
- if (ps == NULL)
- return (ISC_R_SUCCESS);
- if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
- ADD_STRING(target, ";; SIG0 PSEUDOSECTION:\n");
- result = dns_master_rdatasettotext(name, ps, style, target);
- if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
- (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
- ADD_STRING(target, "\n");
- return (result);
- }
- return (ISC_R_UNEXPECTED);
-}
-
-isc_result_t
-dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
- dns_messagetextflag_t flags, isc_buffer_t *target) {
- char buf[sizeof("1234567890")];
- isc_result_t result;
-
- REQUIRE(DNS_MESSAGE_VALID(msg));
- REQUIRE(target != NULL);
-
- if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0) {
- ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
- ADD_STRING(target, opcodetext[msg->opcode]);
- ADD_STRING(target, ", status: ");
- ADD_STRING(target, rcodetext[msg->rcode]);
- ADD_STRING(target, ", id: ");
- snprintf(buf, sizeof(buf), "%6u", msg->id);
- ADD_STRING(target, buf);
- ADD_STRING(target, "\n;; flags: ");
- if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
- ADD_STRING(target, "qr ");
- if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
- ADD_STRING(target, "aa ");
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
- ADD_STRING(target, "tc ");
- if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
- ADD_STRING(target, "rd ");
- if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
- ADD_STRING(target, "ra ");
- if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
- ADD_STRING(target, "ad ");
- if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
- ADD_STRING(target, "cd ");
- if (msg->opcode != dns_opcode_update) {
- ADD_STRING(target, "; QUESTION: ");
- } else {
- ADD_STRING(target, "; ZONE: ");
- }
- snprintf(buf, sizeof(buf), "%1u",
- msg->counts[DNS_SECTION_QUESTION]);
- ADD_STRING(target, buf);
- if (msg->opcode != dns_opcode_update) {
- ADD_STRING(target, ", ANSWER: ");
- } else {
- ADD_STRING(target, ", PREREQ: ");
- }
- snprintf(buf, sizeof(buf), "%1u",
- msg->counts[DNS_SECTION_ANSWER]);
- ADD_STRING(target, buf);
- if (msg->opcode != dns_opcode_update) {
- ADD_STRING(target, ", AUTHORITY: ");
- } else {
- ADD_STRING(target, ", UPDATE: ");
- }
- snprintf(buf, sizeof(buf), "%1u",
- msg->counts[DNS_SECTION_AUTHORITY]);
- ADD_STRING(target, buf);
- ADD_STRING(target, ", ADDITIONAL: ");
- snprintf(buf, sizeof(buf), "%1u",
- msg->counts[DNS_SECTION_ADDITIONAL]);
- ADD_STRING(target, buf);
- ADD_STRING(target, "\n");
- }
- result = dns_message_pseudosectiontotext(msg,
- DNS_PSEUDOSECTION_OPT,
- style, flags, target);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_message_sectiontotext(msg, DNS_SECTION_QUESTION,
- style, flags, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_message_sectiontotext(msg, DNS_SECTION_ANSWER,
- style, flags, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_message_sectiontotext(msg, DNS_SECTION_AUTHORITY,
- style, flags, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_message_sectiontotext(msg, DNS_SECTION_ADDITIONAL,
- style, flags, target);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_message_pseudosectiontotext(msg,
- DNS_PSEUDOSECTION_TSIG,
- style, flags, target);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_message_pseudosectiontotext(msg,
- DNS_PSEUDOSECTION_SIG0,
- style, flags, target);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_region_t *
-dns_message_getrawmessage(dns_message_t *msg) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- return (&msg->saved);
-}
-
-void
-dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
- void *order_arg)
-{
- REQUIRE(DNS_MESSAGE_VALID(msg));
- msg->order = order;
- msg->order_arg = order_arg;
-}
-
-void
-dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- msg->timeadjust = timeadjust;
-}
-
-int
-dns_message_gettimeadjust(dns_message_t *msg) {
- REQUIRE(DNS_MESSAGE_VALID(msg));
- return (msg->timeadjust);
-}
-
-isc_result_t
-dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target) {
-
- REQUIRE(opcode < 16);
-
- if (isc_buffer_availablelength(target) < strlen(opcodetext[opcode]))
- return (ISC_R_NOSPACE);
- isc_buffer_putstr(target, opcodetext[opcode]);
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/name.c b/contrib/bind9/lib/dns/name.c
deleted file mode 100644
index 116a56a81867..000000000000
--- a/contrib/bind9/lib/dns/name.c
+++ /dev/null
@@ -1,2196 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: name.c,v 1.127.2.7.2.14 2005/10/14 01:38:48 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/buffer.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/compress.h>
-#include <dns/name.h>
-#include <dns/result.h>
-
-#define VALID_NAME(n) ISC_MAGIC_VALID(n, DNS_NAME_MAGIC)
-
-typedef enum {
- ft_init = 0,
- ft_start,
- ft_ordinary,
- ft_initialescape,
- ft_escape,
- ft_escdecimal,
- ft_at
-} ft_state;
-
-typedef enum {
- fw_start = 0,
- fw_ordinary,
- fw_copy,
- fw_newcurrent
-} fw_state;
-
-static char digitvalue[256] = {
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*16*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*32*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*48*/
- 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, /*64*/
- -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*80*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*96*/
- -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*112*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*128*/
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
-};
-
-static unsigned char maptolower[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
- 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
- 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
- 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
- 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
- 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
- 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
- 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
- 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
- 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
- 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
- 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
- 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
- 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
- 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
- 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
- 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
- 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
- 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
- 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
- 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
- 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
- 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
- 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
- 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
- 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
- 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
- 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
-};
-
-#define CONVERTTOASCII(c)
-#define CONVERTFROMASCII(c)
-
-#define INIT_OFFSETS(name, var, default) \
- if (name->offsets != NULL) \
- var = name->offsets; \
- else \
- var = default;
-
-#define SETUP_OFFSETS(name, var, default) \
- if (name->offsets != NULL) \
- var = name->offsets; \
- else { \
- var = default; \
- set_offsets(name, var, NULL); \
- }
-
-/*
- * Note: If additional attributes are added that should not be set for
- * empty names, MAKE_EMPTY() must be changed so it clears them.
- */
-#define MAKE_EMPTY(name) \
-do { \
- name->ndata = NULL; \
- name->length = 0; \
- name->labels = 0; \
- name->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
-} while (0);
-
-/*
- * A name is "bindable" if it can be set to point to a new value, i.e.
- * name->ndata and name->length may be changed.
- */
-#define BINDABLE(name) \
- ((name->attributes & (DNS_NAMEATTR_READONLY|DNS_NAMEATTR_DYNAMIC)) \
- == 0)
-
-/*
- * Note that the name data must be a char array, not a string
- * literal, to avoid compiler warnings about discarding
- * the const attribute of a string.
- */
-static unsigned char root_ndata[] = { '\0' };
-static unsigned char root_offsets[] = { 0 };
-
-static dns_name_t root =
-{
- DNS_NAME_MAGIC,
- root_ndata, 1, 1,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- root_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-/* XXXDCL make const? */
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_rootname = &root;
-
-static unsigned char wild_ndata[] = { '\001', '*' };
-static unsigned char wild_offsets[] = { 0 };
-
-static dns_name_t wild =
-{
- DNS_NAME_MAGIC,
- wild_ndata, 2, 1,
- DNS_NAMEATTR_READONLY,
- wild_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-/* XXXDCL make const? */
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
-
-unsigned int
-dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
-
-static void
-set_offsets(const dns_name_t *name, unsigned char *offsets,
- dns_name_t *set_name);
-
-void
-dns_name_init(dns_name_t *name, unsigned char *offsets) {
- /*
- * Initialize 'name'.
- */
- DNS_NAME_INIT(name, offsets);
-}
-
-void
-dns_name_reset(dns_name_t *name) {
- REQUIRE(VALID_NAME(name));
- REQUIRE(BINDABLE(name));
-
- DNS_NAME_RESET(name);
-}
-
-void
-dns_name_invalidate(dns_name_t *name) {
- /*
- * Make 'name' invalid.
- */
-
- REQUIRE(VALID_NAME(name));
-
- name->magic = 0;
- name->ndata = NULL;
- name->length = 0;
- name->labels = 0;
- name->attributes = 0;
- name->offsets = NULL;
- name->buffer = NULL;
- ISC_LINK_INIT(name, link);
-}
-
-void
-dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer) {
- /*
- * Dedicate a buffer for use with 'name'.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE((buffer != NULL && name->buffer == NULL) ||
- (buffer == NULL));
-
- name->buffer = buffer;
-}
-
-isc_boolean_t
-dns_name_hasbuffer(const dns_name_t *name) {
- /*
- * Does 'name' have a dedicated buffer?
- */
-
- REQUIRE(VALID_NAME(name));
-
- if (name->buffer != NULL)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_name_isabsolute(const dns_name_t *name) {
-
- /*
- * Does 'name' end in the root label?
- */
-
- REQUIRE(VALID_NAME(name));
-
- if ((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-#define hyphenchar(c) ((c) == 0x2d)
-#define asterchar(c) ((c) == 0x2a)
-#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
- || ((c) >= 0x61 && (c) <= 0x7a))
-#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
-#define borderchar(c) (alphachar(c) || digitchar(c))
-#define middlechar(c) (borderchar(c) || hyphenchar(c))
-#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
-
-isc_boolean_t
-dns_name_ismailbox(const dns_name_t *name) {
- unsigned char *ndata, ch;
- unsigned int n;
- isc_boolean_t first;
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(name->labels > 0);
- REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
-
- /*
- * Root label.
- */
- if (name->length == 1)
- return (ISC_TRUE);
-
- ndata = name->ndata;
- n = *ndata++;
- INSIST(n <= 63);
- while (n--) {
- ch = *ndata++;
- if (!domainchar(ch))
- return (ISC_FALSE);
- }
-
- if (ndata == name->ndata + name->length)
- return (ISC_FALSE);
-
- /*
- * RFC292/RFC1123 hostname.
- */
- while (ndata < (name->ndata + name->length)) {
- n = *ndata++;
- INSIST(n <= 63);
- first = ISC_TRUE;
- while (n--) {
- ch = *ndata++;
- if (first || n == 0) {
- if (!borderchar(ch))
- return (ISC_FALSE);
- } else {
- if (!middlechar(ch))
- return (ISC_FALSE);
- }
- first = ISC_FALSE;
- }
- }
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard) {
- unsigned char *ndata, ch;
- unsigned int n;
- isc_boolean_t first;
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(name->labels > 0);
- REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
-
- /*
- * Root label.
- */
- if (name->length == 1)
- return (ISC_TRUE);
-
- /*
- * Skip wildcard if this is a ownername.
- */
- ndata = name->ndata;
- if (wildcard && ndata[0] == 1 && ndata[1] == '*')
- ndata += 2;
-
- /*
- * RFC292/RFC1123 hostname.
- */
- while (ndata < (name->ndata + name->length)) {
- n = *ndata++;
- INSIST(n <= 63);
- first = ISC_TRUE;
- while (n--) {
- ch = *ndata++;
- if (first || n == 0) {
- if (!borderchar(ch))
- return (ISC_FALSE);
- } else {
- if (!middlechar(ch))
- return (ISC_FALSE);
- }
- first = ISC_FALSE;
- }
- }
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-dns_name_iswildcard(const dns_name_t *name) {
- unsigned char *ndata;
-
- /*
- * Is 'name' a wildcard name?
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(name->labels > 0);
-
- if (name->length >= 2) {
- ndata = name->ndata;
- if (ndata[0] == 1 && ndata[1] == '*')
- return (ISC_TRUE);
- }
-
- return (ISC_FALSE);
-}
-
-static inline unsigned int
-name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
- unsigned int length;
- const unsigned char *s;
- unsigned int h = 0;
- unsigned char c;
-
- length = name->length;
- if (length > 16)
- length = 16;
-
- /*
- * This hash function is similar to the one Ousterhout
- * uses in Tcl.
- */
- s = name->ndata;
- if (case_sensitive) {
- while (length > 0) {
- h += ( h << 3 ) + *s;
- s++;
- length--;
- }
- } else {
- while (length > 0) {
- c = maptolower[*s];
- h += ( h << 3 ) + c;
- s++;
- length--;
- }
- }
-
- return (h);
-}
-
-unsigned int
-dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
- /*
- * Provide a hash value for 'name'.
- */
- REQUIRE(VALID_NAME(name));
-
- if (name->labels == 0)
- return (0);
-
- return (name_hash(name, case_sensitive));
-}
-
-unsigned int
-dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive) {
- /*
- * Provide a hash value for 'name'.
- */
- REQUIRE(VALID_NAME(name));
-
- if (name->labels == 0)
- return (0);
-
- return (isc_hash_calc((const unsigned char *)name->ndata,
- name->length, case_sensitive));
-}
-
-unsigned int
-dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
- /*
- * This function was deprecated due to the breakage of the name space
- * convention. We only keep this internally to provide binary backward
- * compatibility.
- */
- REQUIRE(VALID_NAME(name));
-
- return (dns_name_fullhash(name, case_sensitive));
-}
-
-unsigned int
-dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive) {
- unsigned char *offsets;
- dns_offsets_t odata;
- dns_name_t tname;
- unsigned int h = 0;
- unsigned int i;
-
- /*
- * Provide a hash value for 'name'.
- */
- REQUIRE(VALID_NAME(name));
-
- if (name->labels == 0)
- return (0);
- else if (name->labels == 1)
- return (name_hash(name, case_sensitive));
-
- SETUP_OFFSETS(name, offsets, odata);
- DNS_NAME_INIT(&tname, NULL);
- tname.labels = 1;
- h = 0;
- for (i = 0; i < name->labels; i++) {
- tname.ndata = name->ndata + offsets[i];
- if (i == name->labels - 1)
- tname.length = name->length - offsets[i];
- else
- tname.length = offsets[i + 1] - offsets[i];
- h += name_hash(&tname, case_sensitive);
- }
-
- return (h);
-}
-
-dns_namereln_t
-dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
- int *orderp, unsigned int *nlabelsp)
-{
- unsigned int l1, l2, l, count1, count2, count, nlabels;
- int cdiff, ldiff, chdiff;
- unsigned char *label1, *label2;
- unsigned char *offsets1, *offsets2;
- dns_offsets_t odata1, odata2;
- dns_namereln_t namereln = dns_namereln_none;
-
- /*
- * Determine the relative ordering under the DNSSEC order relation of
- * 'name1' and 'name2', and also determine the hierarchical
- * relationship of the names.
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- */
-
- REQUIRE(VALID_NAME(name1));
- REQUIRE(VALID_NAME(name2));
- REQUIRE(orderp != NULL);
- REQUIRE(nlabelsp != NULL);
- /*
- * Either name1 is absolute and name2 is absolute, or neither is.
- */
- REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
- (name2->attributes & DNS_NAMEATTR_ABSOLUTE));
-
- SETUP_OFFSETS(name1, offsets1, odata1);
- SETUP_OFFSETS(name2, offsets2, odata2);
-
- nlabels = 0;
- l1 = name1->labels;
- l2 = name2->labels;
- ldiff = (int)l1 - (int)l2;
- if (ldiff < 0)
- l = l1;
- else
- l = l2;
-
- while (l > 0) {
- l--;
- l1--;
- l2--;
- label1 = &name1->ndata[offsets1[l1]];
- label2 = &name2->ndata[offsets2[l2]];
- count1 = *label1++;
- count2 = *label2++;
-
- /*
- * We dropped bitstring labels, and we don't support any
- * other extended label types.
- */
- INSIST(count1 <= 63 && count2 <= 63);
-
- cdiff = (int)count1 - (int)count2;
- if (cdiff < 0)
- count = count1;
- else
- count = count2;
-
- while (count > 0) {
- chdiff = (int)maptolower[*label1] -
- (int)maptolower[*label2];
- if (chdiff != 0) {
- *orderp = chdiff;
- goto done;
- }
- count--;
- label1++;
- label2++;
- }
- if (cdiff != 0) {
- *orderp = cdiff;
- goto done;
- }
- nlabels++;
- }
-
- *orderp = ldiff;
- if (ldiff < 0)
- namereln = dns_namereln_contains;
- else if (ldiff > 0)
- namereln = dns_namereln_subdomain;
- else
- namereln = dns_namereln_equal;
-
- done:
- *nlabelsp = nlabels;
-
- if (nlabels > 0 && namereln == dns_namereln_none)
- namereln = dns_namereln_commonancestor;
-
- return (namereln);
-}
-
-int
-dns_name_compare(const dns_name_t *name1, const dns_name_t *name2) {
- int order;
- unsigned int nlabels;
-
- /*
- * Determine the relative ordering under the DNSSEC order relation of
- * 'name1' and 'name2'.
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- */
-
- (void)dns_name_fullcompare(name1, name2, &order, &nlabels);
-
- return (order);
-}
-
-isc_boolean_t
-dns_name_equal(const dns_name_t *name1, const dns_name_t *name2) {
- unsigned int l, count;
- unsigned char c;
- unsigned char *label1, *label2;
-
- /*
- * Are 'name1' and 'name2' equal?
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- */
-
- REQUIRE(VALID_NAME(name1));
- REQUIRE(VALID_NAME(name2));
- /*
- * Either name1 is absolute and name2 is absolute, or neither is.
- */
- REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
- (name2->attributes & DNS_NAMEATTR_ABSOLUTE));
-
- if (name1->length != name2->length)
- return (ISC_FALSE);
-
- l = name1->labels;
-
- if (l != name2->labels)
- return (ISC_FALSE);
-
- label1 = name1->ndata;
- label2 = name2->ndata;
- while (l > 0) {
- l--;
- count = *label1++;
- if (count != *label2++)
- return (ISC_FALSE);
-
- INSIST(count <= 63); /* no bitstring support */
-
- while (count > 0) {
- count--;
- c = maptolower[*label1++];
- if (c != maptolower[*label2++])
- return (ISC_FALSE);
- }
- }
-
- return (ISC_TRUE);
-}
-
-int
-dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
- unsigned int l1, l2, l, count1, count2, count;
- unsigned char c1, c2;
- unsigned char *label1, *label2;
-
- /*
- * Compare two absolute names as rdata.
- */
-
- REQUIRE(VALID_NAME(name1));
- REQUIRE(name1->labels > 0);
- REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
- REQUIRE(VALID_NAME(name2));
- REQUIRE(name2->labels > 0);
- REQUIRE((name2->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
-
- l1 = name1->labels;
- l2 = name2->labels;
-
- l = (l1 < l2) ? l1 : l2;
-
- label1 = name1->ndata;
- label2 = name2->ndata;
- while (l > 0) {
- l--;
- count1 = *label1++;
- count2 = *label2++;
-
- /* no bitstring support */
- INSIST(count1 <= 63 && count2 <= 63);
-
- if (count1 != count2)
- return ((count1 < count2) ? -1 : 1);
- count = count1;
- while (count > 0) {
- count--;
- c1 = maptolower[*label1++];
- c2 = maptolower[*label2++];
- if (c1 < c2)
- return (-1);
- else if (c1 > c2)
- return (1);
- }
- }
-
- /*
- * If one name had more labels than the other, their common
- * prefix must have been different because the shorter name
- * ended with the root label and the longer one can't have
- * a root label in the middle of it. Therefore, if we get
- * to this point, the lengths must be equal.
- */
- INSIST(l1 == l2);
-
- return (0);
-}
-
-isc_boolean_t
-dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
- int order;
- unsigned int nlabels;
- dns_namereln_t namereln;
-
- /*
- * Is 'name1' a subdomain of 'name2'?
- *
- * Note: It makes no sense for one of the names to be relative and the
- * other absolute. If both names are relative, then to be meaningfully
- * compared the caller must ensure that they are both relative to the
- * same domain.
- */
-
- namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
- if (namereln == dns_namereln_subdomain ||
- namereln == dns_namereln_equal)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
- int order;
- unsigned int nlabels, labels;
- dns_name_t tname;
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(name->labels > 0);
- REQUIRE(VALID_NAME(wname));
- labels = wname->labels;
- REQUIRE(labels > 0);
- REQUIRE(dns_name_iswildcard(wname));
-
- DNS_NAME_INIT(&tname, NULL);
- dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
- if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
- dns_namereln_subdomain)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-unsigned int
-dns_name_countlabels(const dns_name_t *name) {
- /*
- * How many labels does 'name' have?
- */
-
- REQUIRE(VALID_NAME(name));
-
- ENSURE(name->labels <= 128);
-
- return (name->labels);
-}
-
-void
-dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label) {
- unsigned char *offsets;
- dns_offsets_t odata;
-
- /*
- * Make 'label' refer to the 'n'th least significant label of 'name'.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(name->labels > 0);
- REQUIRE(n < name->labels);
- REQUIRE(label != NULL);
-
- SETUP_OFFSETS(name, offsets, odata);
-
- label->base = &name->ndata[offsets[n]];
- if (n == name->labels - 1)
- label->length = name->length - offsets[n];
- else
- label->length = offsets[n + 1] - offsets[n];
-}
-
-void
-dns_name_getlabelsequence(const dns_name_t *source,
- unsigned int first, unsigned int n,
- dns_name_t *target)
-{
- unsigned char *offsets;
- dns_offsets_t odata;
- unsigned int firstoffset, endoffset;
-
- /*
- * Make 'target' refer to the 'n' labels including and following
- * 'first' in 'source'.
- */
-
- REQUIRE(VALID_NAME(source));
- REQUIRE(VALID_NAME(target));
- REQUIRE(first <= source->labels);
- REQUIRE(first + n <= source->labels);
- REQUIRE(BINDABLE(target));
-
- SETUP_OFFSETS(source, offsets, odata);
-
- if (first == source->labels)
- firstoffset = source->length;
- else
- firstoffset = offsets[first];
-
- if (first + n == source->labels)
- endoffset = source->length;
- else
- endoffset = offsets[first + n];
-
- target->ndata = &source->ndata[firstoffset];
- target->length = endoffset - firstoffset;
-
- if (first + n == source->labels && n > 0 &&
- (source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- target->attributes |= DNS_NAMEATTR_ABSOLUTE;
- else
- target->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
-
- target->labels = n;
-
- /*
- * If source and target are the same, and we're making target
- * a prefix of source, the offsets table is correct already
- * so we don't need to call set_offsets().
- */
- if (target->offsets != NULL &&
- (target != source || first != 0))
- set_offsets(target, target->offsets, NULL);
-}
-
-void
-dns_name_clone(dns_name_t *source, dns_name_t *target) {
-
- /*
- * Make 'target' refer to the same name as 'source'.
- */
-
- REQUIRE(VALID_NAME(source));
- REQUIRE(VALID_NAME(target));
- REQUIRE(BINDABLE(target));
-
- target->ndata = source->ndata;
- target->length = source->length;
- target->labels = source->labels;
- target->attributes = source->attributes &
- (unsigned int)~(DNS_NAMEATTR_READONLY | DNS_NAMEATTR_DYNAMIC |
- DNS_NAMEATTR_DYNOFFSETS);
- if (target->offsets != NULL && source->labels > 0) {
- if (source->offsets != NULL)
- memcpy(target->offsets, source->offsets,
- source->labels);
- else
- set_offsets(target, target->offsets, NULL);
- }
-}
-
-void
-dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
- unsigned char *offsets;
- dns_offsets_t odata;
- unsigned int len;
- isc_region_t r2;
-
- /*
- * Make 'name' refer to region 'r'.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(r != NULL);
- REQUIRE(BINDABLE(name));
-
- INIT_OFFSETS(name, offsets, odata);
-
- if (name->buffer != NULL) {
- isc_buffer_clear(name->buffer);
- isc_buffer_availableregion(name->buffer, &r2);
- len = (r->length < r2.length) ? r->length : r2.length;
- if (len > DNS_NAME_MAXWIRE)
- len = DNS_NAME_MAXWIRE;
- memcpy(r2.base, r->base, len);
- name->ndata = r2.base;
- name->length = len;
- } else {
- name->ndata = r->base;
- name->length = (r->length <= DNS_NAME_MAXWIRE) ?
- r->length : DNS_NAME_MAXWIRE;
- }
-
- if (r->length > 0)
- set_offsets(name, offsets, name);
- else {
- name->labels = 0;
- name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
- }
-
- if (name->buffer != NULL)
- isc_buffer_add(name->buffer, name->length);
-}
-
-void
-dns_name_toregion(dns_name_t *name, isc_region_t *r) {
- /*
- * Make 'r' refer to 'name'.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(r != NULL);
-
- DNS_NAME_TOREGION(name, r);
-}
-
-
-isc_result_t
-dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
- dns_name_t *origin, unsigned int options,
- isc_buffer_t *target)
-{
- unsigned char *ndata, *label;
- char *tdata;
- char c;
- ft_state state;
- unsigned int value, count;
- unsigned int n1, n2, tlen, nrem, nused, digits, labels, tused;
- isc_boolean_t done;
- unsigned char *offsets;
- dns_offsets_t odata;
- isc_boolean_t downcase;
-
- /*
- * Convert the textual representation of a DNS name at source
- * into uncompressed wire form stored in target.
- *
- * Notes:
- * Relative domain names will have 'origin' appended to them
- * unless 'origin' is NULL, in which case relative domain names
- * will remain relative.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(ISC_BUFFER_VALID(source));
- REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
- (target == NULL && ISC_BUFFER_VALID(name->buffer)));
-
- downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
-
- if (target == NULL && name->buffer != NULL) {
- target = name->buffer;
- isc_buffer_clear(target);
- }
-
- REQUIRE(BINDABLE(name));
-
- INIT_OFFSETS(name, offsets, odata);
- offsets[0] = 0;
-
- /*
- * Initialize things to make the compiler happy; they're not required.
- */
- n1 = 0;
- n2 = 0;
- label = NULL;
- digits = 0;
- value = 0;
- count = 0;
-
- /*
- * Make 'name' empty in case of failure.
- */
- MAKE_EMPTY(name);
-
- /*
- * Set up the state machine.
- */
- tdata = (char *)source->base + source->current;
- tlen = isc_buffer_remaininglength(source);
- tused = 0;
- ndata = isc_buffer_used(target);
- nrem = isc_buffer_availablelength(target);
- if (nrem > 255)
- nrem = 255;
- nused = 0;
- labels = 0;
- done = ISC_FALSE;
- state = ft_init;
-
- while (nrem > 0 && tlen > 0 && !done) {
- c = *tdata++;
- tlen--;
- tused++;
-
- switch (state) {
- case ft_init:
- /*
- * Is this the root name?
- */
- if (c == '.') {
- if (tlen != 0)
- return (DNS_R_EMPTYLABEL);
- labels++;
- *ndata++ = 0;
- nrem--;
- nused++;
- done = ISC_TRUE;
- break;
- }
- if (c == '@' && tlen == 0) {
- state = ft_at;
- break;
- }
-
- /* FALLTHROUGH */
- case ft_start:
- label = ndata;
- ndata++;
- nrem--;
- nused++;
- count = 0;
- if (c == '\\') {
- state = ft_initialescape;
- break;
- }
- state = ft_ordinary;
- if (nrem == 0)
- return (ISC_R_NOSPACE);
- /* FALLTHROUGH */
- case ft_ordinary:
- if (c == '.') {
- if (count == 0)
- return (DNS_R_EMPTYLABEL);
- *label = count;
- labels++;
- INSIST(labels <= 127);
- offsets[labels] = nused;
- if (tlen == 0) {
- labels++;
- *ndata++ = 0;
- nrem--;
- nused++;
- done = ISC_TRUE;
- }
- state = ft_start;
- } else if (c == '\\') {
- state = ft_escape;
- } else {
- if (count >= 63)
- return (DNS_R_LABELTOOLONG);
- count++;
- CONVERTTOASCII(c);
- if (downcase)
- c = maptolower[(int)c];
- *ndata++ = c;
- nrem--;
- nused++;
- }
- break;
- case ft_initialescape:
- if (c == '[') {
- /*
- * This looks like a bitstring label, which
- * was deprecated. Intentionally drop it.
- */
- return (DNS_R_BADLABELTYPE);
- }
- state = ft_escape;
- /* FALLTHROUGH */
- case ft_escape:
- if (!isdigit(c & 0xff)) {
- if (count >= 63)
- return (DNS_R_LABELTOOLONG);
- count++;
- CONVERTTOASCII(c);
- if (downcase)
- c = maptolower[(int)c];
- *ndata++ = c;
- nrem--;
- nused++;
- state = ft_ordinary;
- break;
- }
- digits = 0;
- value = 0;
- state = ft_escdecimal;
- /* FALLTHROUGH */
- case ft_escdecimal:
- if (!isdigit(c & 0xff))
- return (DNS_R_BADESCAPE);
- value *= 10;
- value += digitvalue[(int)c];
- digits++;
- if (digits == 3) {
- if (value > 255)
- return (DNS_R_BADESCAPE);
- if (count >= 63)
- return (DNS_R_LABELTOOLONG);
- count++;
- if (downcase)
- value = maptolower[value];
- *ndata++ = value;
- nrem--;
- nused++;
- state = ft_ordinary;
- }
- break;
- default:
- FATAL_ERROR(__FILE__, __LINE__,
- "Unexpected state %d", state);
- /* Does not return. */
- }
- }
-
- if (!done) {
- if (nrem == 0)
- return (ISC_R_NOSPACE);
- INSIST(tlen == 0);
- if (state != ft_ordinary && state != ft_at)
- return (ISC_R_UNEXPECTEDEND);
- if (state == ft_ordinary) {
- INSIST(count != 0);
- *label = count;
- labels++;
- INSIST(labels <= 127);
- offsets[labels] = nused;
- }
- if (origin != NULL) {
- if (nrem < origin->length)
- return (ISC_R_NOSPACE);
- label = origin->ndata;
- n1 = origin->length;
- nrem -= n1;
- while (n1 > 0) {
- n2 = *label++;
- INSIST(n2 <= 63); /* no bitstring support */
- *ndata++ = n2;
- n1 -= n2 + 1;
- nused += n2 + 1;
- while (n2 > 0) {
- c = *label++;
- if (downcase)
- c = maptolower[(int)c];
- *ndata++ = c;
- n2--;
- }
- labels++;
- if (n1 > 0) {
- INSIST(labels <= 127);
- offsets[labels] = nused;
- }
- }
- if ((origin->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- name->attributes |= DNS_NAMEATTR_ABSOLUTE;
- }
- } else
- name->attributes |= DNS_NAMEATTR_ABSOLUTE;
-
- name->ndata = (unsigned char *)target->base + target->used;
- name->labels = labels;
- name->length = nused;
-
- isc_buffer_forward(source, tused);
- isc_buffer_add(target, name->length);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
- isc_buffer_t *target)
-{
- unsigned char *ndata;
- char *tdata;
- unsigned int nlen, tlen;
- unsigned char c;
- unsigned int trem, count;
- unsigned int labels;
- isc_boolean_t saw_root = ISC_FALSE;
-
- /*
- * This function assumes the name is in proper uncompressed
- * wire format.
- */
- REQUIRE(VALID_NAME(name));
- REQUIRE(ISC_BUFFER_VALID(target));
-
- ndata = name->ndata;
- nlen = name->length;
- labels = name->labels;
- tdata = isc_buffer_used(target);
- tlen = isc_buffer_availablelength(target);
-
- trem = tlen;
-
- if (labels == 0 && nlen == 0) {
- /*
- * Special handling for an empty name.
- */
- if (trem == 0)
- return (ISC_R_NOSPACE);
-
- /*
- * The names of these booleans are misleading in this case.
- * This empty name is not necessarily from the root node of
- * the DNS root zone, nor is a final dot going to be included.
- * They need to be set this way, though, to keep the "@"
- * from being trounced.
- */
- saw_root = ISC_TRUE;
- omit_final_dot = ISC_FALSE;
- *tdata++ = '@';
- trem--;
-
- /*
- * Skip the while() loop.
- */
- nlen = 0;
- } else if (nlen == 1 && labels == 1 && *ndata == '\0') {
- /*
- * Special handling for the root label.
- */
- if (trem == 0)
- return (ISC_R_NOSPACE);
-
- saw_root = ISC_TRUE;
- omit_final_dot = ISC_FALSE;
- *tdata++ = '.';
- trem--;
-
- /*
- * Skip the while() loop.
- */
- nlen = 0;
- }
-
- while (labels > 0 && nlen > 0 && trem > 0) {
- labels--;
- count = *ndata++;
- nlen--;
- if (count == 0) {
- saw_root = ISC_TRUE;
- break;
- }
- if (count < 64) {
- INSIST(nlen >= count);
- while (count > 0) {
- c = *ndata;
- switch (c) {
- case 0x22: /* '"' */
- case 0x28: /* '(' */
- case 0x29: /* ')' */
- case 0x2E: /* '.' */
- case 0x3B: /* ';' */
- case 0x5C: /* '\\' */
- /* Special modifiers in zone files. */
- case 0x40: /* '@' */
- case 0x24: /* '$' */
- if (trem < 2)
- return (ISC_R_NOSPACE);
- *tdata++ = '\\';
- CONVERTFROMASCII(c);
- *tdata++ = c;
- ndata++;
- trem -= 2;
- nlen--;
- break;
- default:
- if (c > 0x20 && c < 0x7f) {
- if (trem == 0)
- return (ISC_R_NOSPACE);
- CONVERTFROMASCII(c);
- *tdata++ = c;
- ndata++;
- trem--;
- nlen--;
- } else {
- if (trem < 4)
- return (ISC_R_NOSPACE);
- *tdata++ = 0x5c;
- *tdata++ = 0x30 +
- ((c / 100) % 10);
- *tdata++ = 0x30 +
- ((c / 10) % 10);
- *tdata++ = 0x30 + (c % 10);
- trem -= 4;
- ndata++;
- nlen--;
- }
- }
- count--;
- }
- } else {
- FATAL_ERROR(__FILE__, __LINE__,
- "Unexpected label type %02x", count);
- /* NOTREACHED */
- }
-
- /*
- * The following assumes names are absolute. If not, we
- * fix things up later. Note that this means that in some
- * cases one more byte of text buffer is required than is
- * needed in the final output.
- */
- if (trem == 0)
- return (ISC_R_NOSPACE);
- *tdata++ = '.';
- trem--;
- }
-
- if (nlen != 0 && trem == 0)
- return (ISC_R_NOSPACE);
-
- if (!saw_root || omit_final_dot)
- trem++;
-
- isc_buffer_add(target, tlen - trem);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
- isc_buffer_t *target)
-{
- unsigned char *ndata;
- char *tdata;
- unsigned int nlen, tlen;
- unsigned char c;
- unsigned int trem, count;
- unsigned int labels;
-
- /*
- * This function assumes the name is in proper uncompressed
- * wire format.
- */
- REQUIRE(VALID_NAME(name));
- REQUIRE((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
- REQUIRE(ISC_BUFFER_VALID(target));
-
- ndata = name->ndata;
- nlen = name->length;
- labels = name->labels;
- tdata = isc_buffer_used(target);
- tlen = isc_buffer_availablelength(target);
-
- trem = tlen;
-
- if (nlen == 1 && labels == 1 && *ndata == '\0') {
- /*
- * Special handling for the root label.
- */
- if (trem == 0)
- return (ISC_R_NOSPACE);
-
- omit_final_dot = ISC_FALSE;
- *tdata++ = '.';
- trem--;
-
- /*
- * Skip the while() loop.
- */
- nlen = 0;
- }
-
- while (labels > 0 && nlen > 0 && trem > 0) {
- labels--;
- count = *ndata++;
- nlen--;
- if (count == 0)
- break;
- if (count < 64) {
- INSIST(nlen >= count);
- while (count > 0) {
- c = *ndata;
- if ((c >= 0x30 && c <= 0x39) || /* digit */
- (c >= 0x41 && c <= 0x5A) || /* uppercase */
- (c >= 0x61 && c <= 0x7A) || /* lowercase */
- c == 0x2D || /* hyphen */
- c == 0x5F) /* underscore */
- {
- if (trem == 0)
- return (ISC_R_NOSPACE);
- /* downcase */
- if (c >= 0x41 && c <= 0x5A)
- c += 0x20;
- CONVERTFROMASCII(c);
- *tdata++ = c;
- ndata++;
- trem--;
- nlen--;
- } else {
- if (trem < 3)
- return (ISC_R_NOSPACE);
- sprintf(tdata, "%%%02X", c);
- tdata += 3;
- trem -= 3;
- ndata++;
- nlen--;
- }
- count--;
- }
- } else {
- FATAL_ERROR(__FILE__, __LINE__,
- "Unexpected label type %02x", count);
- /* NOTREACHED */
- }
-
- /*
- * The following assumes names are absolute. If not, we
- * fix things up later. Note that this means that in some
- * cases one more byte of text buffer is required than is
- * needed in the final output.
- */
- if (trem == 0)
- return (ISC_R_NOSPACE);
- *tdata++ = '.';
- trem--;
- }
-
- if (nlen != 0 && trem == 0)
- return (ISC_R_NOSPACE);
-
- if (omit_final_dot)
- trem++;
-
- isc_buffer_add(target, tlen - trem);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
- unsigned char *sndata, *ndata;
- unsigned int nlen, count, labels;
- isc_buffer_t buffer;
-
- /*
- * Downcase 'source'.
- */
-
- REQUIRE(VALID_NAME(source));
- REQUIRE(VALID_NAME(name));
- if (source == name) {
- REQUIRE((name->attributes & DNS_NAMEATTR_READONLY) == 0);
- isc_buffer_init(&buffer, source->ndata, source->length);
- target = &buffer;
- ndata = source->ndata;
- } else {
- REQUIRE(BINDABLE(name));
- REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
- (target == NULL && ISC_BUFFER_VALID(name->buffer)));
- if (target == NULL) {
- target = name->buffer;
- isc_buffer_clear(name->buffer);
- }
- ndata = (unsigned char *)target->base + target->used;
- name->ndata = ndata;
- }
-
- sndata = source->ndata;
- nlen = source->length;
- labels = source->labels;
-
- if (nlen > (target->length - target->used)) {
- MAKE_EMPTY(name);
- return (ISC_R_NOSPACE);
- }
-
- while (labels > 0 && nlen > 0) {
- labels--;
- count = *sndata++;
- *ndata++ = count;
- nlen--;
- if (count < 64) {
- INSIST(nlen >= count);
- while (count > 0) {
- *ndata++ = maptolower[(*sndata++)];
- nlen--;
- count--;
- }
- } else {
- FATAL_ERROR(__FILE__, __LINE__,
- "Unexpected label type %02x", count);
- /* Does not return. */
- }
- }
-
- if (source != name) {
- name->labels = source->labels;
- name->length = source->length;
- if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- name->attributes = DNS_NAMEATTR_ABSOLUTE;
- else
- name->attributes = 0;
- if (name->labels > 0 && name->offsets != NULL)
- set_offsets(name, name->offsets, NULL);
- }
-
- isc_buffer_add(target, name->length);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-set_offsets(const dns_name_t *name, unsigned char *offsets,
- dns_name_t *set_name)
-{
- unsigned int offset, count, length, nlabels;
- unsigned char *ndata;
- isc_boolean_t absolute;
-
- ndata = name->ndata;
- length = name->length;
- offset = 0;
- nlabels = 0;
- absolute = ISC_FALSE;
- while (offset != length) {
- INSIST(nlabels < 128);
- offsets[nlabels++] = offset;
- count = *ndata++;
- offset++;
- INSIST(count <= 63);
- offset += count;
- ndata += count;
- INSIST(offset <= length);
- if (count == 0) {
- absolute = ISC_TRUE;
- break;
- }
- }
- if (set_name != NULL) {
- INSIST(set_name == name);
-
- set_name->labels = nlabels;
- set_name->length = offset;
- if (absolute)
- set_name->attributes |= DNS_NAMEATTR_ABSOLUTE;
- else
- set_name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
- }
- INSIST(nlabels == name->labels);
- INSIST(offset == name->length);
-}
-
-isc_result_t
-dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
- dns_decompress_t *dctx, unsigned int options,
- isc_buffer_t *target)
-{
- unsigned char *cdata, *ndata;
- unsigned int cused; /* Bytes of compressed name data used */
- unsigned int hops, nused, labels, n, nmax;
- unsigned int current, new_current, biggest_pointer;
- isc_boolean_t done;
- fw_state state = fw_start;
- unsigned int c;
- unsigned char *offsets;
- dns_offsets_t odata;
- isc_boolean_t downcase;
-
- /*
- * Copy the possibly-compressed name at source into target,
- * decompressing it.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
- (target == NULL && ISC_BUFFER_VALID(name->buffer)));
-
- downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
-
- if (target == NULL && name->buffer != NULL) {
- target = name->buffer;
- isc_buffer_clear(target);
- }
-
- REQUIRE(dctx != NULL);
- REQUIRE(BINDABLE(name));
-
- INIT_OFFSETS(name, offsets, odata);
-
- /*
- * Make 'name' empty in case of failure.
- */
- MAKE_EMPTY(name);
-
- /*
- * Initialize things to make the compiler happy; they're not required.
- */
- n = 0;
- new_current = 0;
-
- /*
- * Set up.
- */
- labels = 0;
- hops = 0;
- done = ISC_FALSE;
-
- ndata = isc_buffer_used(target);
- nused = 0;
-
- /*
- * Find the maximum number of uncompressed target name
- * bytes we are willing to generate. This is the smaller
- * of the available target buffer length and the
- * maximum legal domain name length (255).
- */
- nmax = isc_buffer_availablelength(target);
- if (nmax > DNS_NAME_MAXWIRE)
- nmax = DNS_NAME_MAXWIRE;
-
- cdata = isc_buffer_current(source);
- cused = 0;
-
- current = source->current;
- biggest_pointer = current;
-
- /*
- * Note: The following code is not optimized for speed, but
- * rather for correctness. Speed will be addressed in the future.
- */
-
- while (current < source->active && !done) {
- c = *cdata++;
- current++;
- if (hops == 0)
- cused++;
-
- switch (state) {
- case fw_start:
- if (c < 64) {
- offsets[labels] = nused;
- labels++;
- if (nused + c + 1 > nmax)
- goto full;
- nused += c + 1;
- *ndata++ = c;
- if (c == 0)
- done = ISC_TRUE;
- n = c;
- state = fw_ordinary;
- } else if (c >= 128 && c < 192) {
- /*
- * 14 bit local compression pointer.
- * Local compression is no longer an
- * IETF draft.
- */
- return (DNS_R_BADLABELTYPE);
- } else if (c >= 192) {
- /*
- * Ordinary 14-bit pointer.
- */
- if ((dctx->allowed & DNS_COMPRESS_GLOBAL14) ==
- 0)
- return (DNS_R_DISALLOWED);
- new_current = c & 0x3F;
- n = 1;
- state = fw_newcurrent;
- } else
- return (DNS_R_BADLABELTYPE);
- break;
- case fw_ordinary:
- if (downcase)
- c = maptolower[c];
- /* FALLTHROUGH */
- case fw_copy:
- *ndata++ = c;
- n--;
- if (n == 0)
- state = fw_start;
- break;
- case fw_newcurrent:
- new_current *= 256;
- new_current += c;
- n--;
- if (n != 0)
- break;
- if (new_current >= biggest_pointer)
- return (DNS_R_BADPOINTER);
- biggest_pointer = new_current;
- current = new_current;
- cdata = (unsigned char *)source->base +
- current;
- hops++;
- if (hops > DNS_POINTER_MAXHOPS)
- return (DNS_R_TOOMANYHOPS);
- state = fw_start;
- break;
- default:
- FATAL_ERROR(__FILE__, __LINE__,
- "Unknown state %d", state);
- /* Does not return. */
- }
- }
-
- if (!done)
- return (ISC_R_UNEXPECTEDEND);
-
- name->ndata = (unsigned char *)target->base + target->used;
- name->labels = labels;
- name->length = nused;
- name->attributes |= DNS_NAMEATTR_ABSOLUTE;
-
- isc_buffer_forward(source, cused);
- isc_buffer_add(target, name->length);
-
- return (ISC_R_SUCCESS);
-
- full:
- if (nmax == DNS_NAME_MAXWIRE)
- /*
- * The name did not fit even though we had a buffer
- * big enough to fit a maximum-length name.
- */
- return (DNS_R_NAMETOOLONG);
- else
- /*
- * The name might fit if only the caller could give us a
- * big enough buffer.
- */
- return (ISC_R_NOSPACE);
-
-}
-
-isc_result_t
-dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
- unsigned int methods;
- isc_uint16_t offset;
- dns_name_t gp; /* Global compression prefix */
- isc_boolean_t gf; /* Global compression target found */
- isc_uint16_t go; /* Global compression offset */
- dns_offsets_t clo;
- dns_name_t clname;
-
- /*
- * Convert 'name' into wire format, compressing it as specified by the
- * compression context 'cctx', and storing the result in 'target'.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(cctx != NULL);
- REQUIRE(ISC_BUFFER_VALID(target));
-
- /*
- * If 'name' doesn't have an offsets table, make a clone which
- * has one.
- */
- if (name->offsets == NULL) {
- DNS_NAME_INIT(&clname, clo);
- dns_name_clone(name, &clname);
- name = &clname;
- }
- DNS_NAME_INIT(&gp, NULL);
-
- offset = target->used; /*XXX*/
-
- methods = dns_compress_getmethods(cctx);
-
- if ((methods & DNS_COMPRESS_GLOBAL14) != 0)
- gf = dns_compress_findglobal(cctx, name, &gp, &go);
- else
- gf = ISC_FALSE;
-
- /*
- * If the offset is too high for 14 bit global compression, we're
- * out of luck.
- */
- if (gf && go >= 0x4000)
- gf = ISC_FALSE;
-
- /*
- * Will the compression pointer reduce the message size?
- */
- if (gf && (gp.length + 2) >= name->length)
- gf = ISC_FALSE;
-
- if (gf) {
- if (target->length - target->used < gp.length)
- return (ISC_R_NOSPACE);
- (void)memcpy((unsigned char *)target->base + target->used,
- gp.ndata, (size_t)gp.length);
- isc_buffer_add(target, gp.length);
- go |= 0xc000;
- if (target->length - target->used < 2)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint16(target, go);
- if (gp.length != 0)
- dns_compress_add(cctx, name, &gp, offset);
- } else {
- if (target->length - target->used < name->length)
- return (ISC_R_NOSPACE);
- (void)memcpy((unsigned char *)target->base + target->used,
- name->ndata, (size_t)name->length);
- isc_buffer_add(target, name->length);
- dns_compress_add(cctx, name, name, offset);
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
- isc_buffer_t *target)
-{
- unsigned char *ndata, *offsets;
- unsigned int nrem, labels, prefix_length, length;
- isc_boolean_t copy_prefix = ISC_TRUE;
- isc_boolean_t copy_suffix = ISC_TRUE;
- isc_boolean_t absolute = ISC_FALSE;
- dns_name_t tmp_name;
- dns_offsets_t odata;
-
- /*
- * Concatenate 'prefix' and 'suffix'.
- */
-
- REQUIRE(prefix == NULL || VALID_NAME(prefix));
- REQUIRE(suffix == NULL || VALID_NAME(suffix));
- REQUIRE(name == NULL || VALID_NAME(name));
- REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
- (target == NULL && name != NULL && ISC_BUFFER_VALID(name->buffer)));
- if (prefix == NULL || prefix->labels == 0)
- copy_prefix = ISC_FALSE;
- if (suffix == NULL || suffix->labels == 0)
- copy_suffix = ISC_FALSE;
- if (copy_prefix &&
- (prefix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
- absolute = ISC_TRUE;
- REQUIRE(!copy_suffix);
- }
- if (name == NULL) {
- DNS_NAME_INIT(&tmp_name, odata);
- name = &tmp_name;
- }
- if (target == NULL) {
- INSIST(name->buffer != NULL);
- target = name->buffer;
- isc_buffer_clear(name->buffer);
- }
-
- REQUIRE(BINDABLE(name));
-
- /*
- * Set up.
- */
- nrem = target->length - target->used;
- ndata = (unsigned char *)target->base + target->used;
- if (nrem > DNS_NAME_MAXWIRE)
- nrem = DNS_NAME_MAXWIRE;
- length = 0;
- prefix_length = 0;
- labels = 0;
- if (copy_prefix) {
- prefix_length = prefix->length;
- length += prefix_length;
- labels += prefix->labels;
- }
- if (copy_suffix) {
- length += suffix->length;
- labels += suffix->labels;
- }
- if (length > DNS_NAME_MAXWIRE) {
- MAKE_EMPTY(name);
- return (DNS_R_NAMETOOLONG);
- }
- if (length > nrem) {
- MAKE_EMPTY(name);
- return (ISC_R_NOSPACE);
- }
-
- if (copy_suffix) {
- if ((suffix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- absolute = ISC_TRUE;
- if (suffix == name && suffix->buffer == target)
- memmove(ndata + prefix_length, suffix->ndata,
- suffix->length);
- else
- memcpy(ndata + prefix_length, suffix->ndata,
- suffix->length);
- }
-
- /*
- * If 'prefix' and 'name' are the same object, and the object has
- * a dedicated buffer, and we're using it, then we don't have to
- * copy anything.
- */
- if (copy_prefix && (prefix != name || prefix->buffer != target))
- memcpy(ndata, prefix->ndata, prefix_length);
-
- name->ndata = ndata;
- name->labels = labels;
- name->length = length;
- if (absolute)
- name->attributes = DNS_NAMEATTR_ABSOLUTE;
- else
- name->attributes = 0;
-
- if (name->labels > 0 && name->offsets != NULL) {
- INIT_OFFSETS(name, offsets, odata);
- set_offsets(name, offsets, NULL);
- }
-
- isc_buffer_add(target, name->length);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_name_split(dns_name_t *name, unsigned int suffixlabels,
- dns_name_t *prefix, dns_name_t *suffix)
-
-{
- unsigned int splitlabel;
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(suffixlabels > 0);
- REQUIRE(suffixlabels < name->labels);
- REQUIRE(prefix != NULL || suffix != NULL);
- REQUIRE(prefix == NULL ||
- (VALID_NAME(prefix) &&
- prefix->buffer != NULL &&
- BINDABLE(prefix)));
- REQUIRE(suffix == NULL ||
- (VALID_NAME(suffix) &&
- suffix->buffer != NULL &&
- BINDABLE(suffix)));
-
- splitlabel = name->labels - suffixlabels;
-
- if (prefix != NULL)
- dns_name_getlabelsequence(name, 0, splitlabel, prefix);
-
- if (suffix != NULL)
- dns_name_getlabelsequence(name, splitlabel,
- suffixlabels, suffix);
-
- return;
-}
-
-isc_result_t
-dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
- /*
- * Make 'target' a dynamically allocated copy of 'source'.
- */
-
- REQUIRE(VALID_NAME(source));
- REQUIRE(source->length > 0);
- REQUIRE(VALID_NAME(target));
- REQUIRE(BINDABLE(target));
-
- /*
- * Make 'target' empty in case of failure.
- */
- MAKE_EMPTY(target);
-
- target->ndata = isc_mem_get(mctx, source->length);
- if (target->ndata == NULL)
- return (ISC_R_NOMEMORY);
-
- memcpy(target->ndata, source->ndata, source->length);
-
- target->length = source->length;
- target->labels = source->labels;
- target->attributes = DNS_NAMEATTR_DYNAMIC;
- if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- target->attributes |= DNS_NAMEATTR_ABSOLUTE;
- if (target->offsets != NULL) {
- if (source->offsets != NULL)
- memcpy(target->offsets, source->offsets,
- source->labels);
- else
- set_offsets(target, target->offsets, NULL);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
- dns_name_t *target)
-{
- /*
- * Make 'target' a read-only dynamically allocated copy of 'source'.
- * 'target' will also have a dynamically allocated offsets table.
- */
-
- REQUIRE(VALID_NAME(source));
- REQUIRE(source->length > 0);
- REQUIRE(VALID_NAME(target));
- REQUIRE(BINDABLE(target));
- REQUIRE(target->offsets == NULL);
-
- /*
- * Make 'target' empty in case of failure.
- */
- MAKE_EMPTY(target);
-
- target->ndata = isc_mem_get(mctx, source->length + source->labels);
- if (target->ndata == NULL)
- return (ISC_R_NOMEMORY);
-
- memcpy(target->ndata, source->ndata, source->length);
-
- target->length = source->length;
- target->labels = source->labels;
- target->attributes = DNS_NAMEATTR_DYNAMIC | DNS_NAMEATTR_DYNOFFSETS |
- DNS_NAMEATTR_READONLY;
- if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- target->attributes |= DNS_NAMEATTR_ABSOLUTE;
- target->offsets = target->ndata + source->length;
- if (source->offsets != NULL)
- memcpy(target->offsets, source->offsets, source->labels);
- else
- set_offsets(target, target->offsets, NULL);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_name_free(dns_name_t *name, isc_mem_t *mctx) {
- size_t size;
-
- /*
- * Free 'name'.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0);
-
- size = name->length;
- if ((name->attributes & DNS_NAMEATTR_DYNOFFSETS) != 0)
- size += name->labels;
- isc_mem_put(mctx, name->ndata, size);
- dns_name_invalidate(name);
-}
-
-isc_result_t
-dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg) {
- dns_name_t downname;
- unsigned char data[256];
- isc_buffer_t buffer;
- isc_result_t result;
- isc_region_t r;
-
- /*
- * Send 'name' in DNSSEC canonical form to 'digest'.
- */
-
- REQUIRE(VALID_NAME(name));
- REQUIRE(digest != NULL);
-
- DNS_NAME_INIT(&downname, NULL);
- isc_buffer_init(&buffer, data, sizeof(data));
-
- result = dns_name_downcase(name, &downname, &buffer);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- isc_buffer_usedregion(&buffer, &r);
-
- return ((digest)(arg, &r));
-}
-
-isc_boolean_t
-dns_name_dynamic(dns_name_t *name) {
- REQUIRE(VALID_NAME(name));
-
- /*
- * Returns whether there is dynamic memory associated with this name.
- */
-
- return ((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0 ?
- ISC_TRUE : ISC_FALSE);
-}
-
-isc_result_t
-dns_name_print(dns_name_t *name, FILE *stream) {
- isc_result_t result;
- isc_buffer_t b;
- isc_region_t r;
- char t[1024];
-
- /*
- * Print 'name' on 'stream'.
- */
-
- REQUIRE(VALID_NAME(name));
-
- isc_buffer_init(&b, t, sizeof(t));
- result = dns_name_totext(name, ISC_FALSE, &b);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_buffer_usedregion(&b, &r);
- fprintf(stream, "%.*s", (int)r.length, (char *)r.base);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
- isc_result_t result;
- isc_buffer_t buf;
-
- REQUIRE(size > 0);
-
- /*
- * Leave room for null termination after buffer.
- */
- isc_buffer_init(&buf, cp, size - 1);
- result = dns_name_totext(name, ISC_TRUE, &buf);
- if (result == ISC_R_SUCCESS) {
- /*
- * Null terminate.
- */
- isc_region_t r;
- isc_buffer_usedregion(&buf, &r);
- ((char *) r.base)[r.length] = '\0';
-
- } else
- snprintf(cp, size, "<unknown>");
-}
-
-isc_result_t
-dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
- unsigned char *ndata;
-
- /*
- * Make dest a copy of source.
- */
-
- REQUIRE(VALID_NAME(source));
- REQUIRE(VALID_NAME(dest));
- REQUIRE(target != NULL || dest->buffer != NULL);
-
- if (target == NULL) {
- target = dest->buffer;
- isc_buffer_clear(dest->buffer);
- }
-
- REQUIRE(BINDABLE(dest));
-
- /*
- * Set up.
- */
- if (target->length - target->used < source->length)
- return (ISC_R_NOSPACE);
-
- ndata = (unsigned char *)target->base + target->used;
- dest->ndata = target->base;
-
- memcpy(ndata, source->ndata, source->length);
-
- dest->ndata = ndata;
- dest->labels = source->labels;
- dest->length = source->length;
- if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
- dest->attributes = DNS_NAMEATTR_ABSOLUTE;
- else
- dest->attributes = 0;
-
- if (dest->labels > 0 && dest->offsets != NULL) {
- if (source->offsets != NULL)
- memcpy(dest->offsets, source->offsets, source->labels);
- else
- set_offsets(dest, dest->offsets, NULL);
- }
-
- isc_buffer_add(target, dest->length);
-
- return (ISC_R_SUCCESS);
-}
-
diff --git a/contrib/bind9/lib/dns/ncache.c b/contrib/bind9/lib/dns/ncache.c
deleted file mode 100644
index dddde60ee187..000000000000
--- a/contrib/bind9/lib/dns/ncache.c
+++ /dev/null
@@ -1,554 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ncache.c,v 1.24.2.4.2.7 2004/03/08 02:07:54 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/message.h>
-#include <dns/ncache.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-
-/*
- * The format of an ncache rdata is a sequence of one or more records of
- * the following format:
- *
- * owner name
- * type
- * rdata count
- * rdata length These two occur 'rdata count'
- * rdata times.
- *
- */
-
-static inline isc_result_t
-copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
- isc_result_t result;
- unsigned int count;
- isc_region_t ar, r;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- /*
- * Copy the rdataset count to the buffer.
- */
- isc_buffer_availableregion(buffer, &ar);
- if (ar.length < 2)
- return (ISC_R_NOSPACE);
- count = dns_rdataset_count(rdataset);
- INSIST(count <= 65535);
- isc_buffer_putuint16(buffer, (isc_uint16_t)count);
-
- result = dns_rdataset_first(rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(rdataset, &rdata);
- dns_rdata_toregion(&rdata, &r);
- INSIST(r.length <= 65535);
- isc_buffer_availableregion(buffer, &ar);
- if (ar.length < 2)
- return (ISC_R_NOSPACE);
- /*
- * Copy the rdata length to the buffer.
- */
- isc_buffer_putuint16(buffer, (isc_uint16_t)r.length);
- /*
- * Copy the rdata to the buffer.
- */
- result = isc_buffer_copyregion(buffer, &r);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(rdataset);
- }
- if (result != ISC_R_NOMORE)
- return (result);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
- dns_rdataset_t *addedrdataset)
-{
- isc_result_t result;
- isc_buffer_t buffer;
- isc_region_t r;
- dns_rdataset_t *rdataset;
- dns_rdatatype_t type;
- dns_name_t *name;
- dns_ttl_t ttl;
- dns_trust_t trust;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t ncrdataset;
- dns_rdatalist_t ncrdatalist;
- unsigned char data[4096];
-
- /*
- * Convert the authority data from 'message' into a negative cache
- * rdataset, and store it in 'cache' at 'node'.
- */
-
- REQUIRE(message != NULL);
-
- /*
- * We assume that all data in the authority section has been
- * validated by the caller.
- */
-
- /*
- * First, build an ncache rdata in buffer.
- */
- ttl = maxttl;
- trust = 0xffff;
- isc_buffer_init(&buffer, data, sizeof(data));
- if (message->counts[DNS_SECTION_AUTHORITY])
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- else
- result = ISC_R_NOMORE;
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY,
- &name);
- if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if ((rdataset->attributes &
- DNS_RDATASETATTR_NCACHE) == 0)
- continue;
- type = rdataset->type;
- if (type == dns_rdatatype_rrsig)
- type = rdataset->covers;
- if (type == dns_rdatatype_soa ||
- type == dns_rdatatype_nsec) {
- if (ttl > rdataset->ttl)
- ttl = rdataset->ttl;
- if (trust > rdataset->trust)
- trust = rdataset->trust;
- /*
- * Copy the owner name to the buffer.
- */
- dns_name_toregion(name, &r);
- result = isc_buffer_copyregion(&buffer,
- &r);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * Copy the type to the buffer.
- */
- isc_buffer_availableregion(&buffer,
- &r);
- if (r.length < 2)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint16(&buffer,
- rdataset->type);
- /*
- * Copy the rdataset into the buffer.
- */
- result = copy_rdataset(rdataset,
- &buffer);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- }
- }
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
- }
- if (result != ISC_R_NOMORE)
- return (result);
-
- if (trust == 0xffff) {
- /*
- * We didn't find any authority data from which to create a
- * negative cache rdataset. In particular, we have no SOA.
- *
- * We trust that the caller wants negative caching, so this
- * means we have a "type 3 nxdomain" or "type 3 nodata"
- * response (see RFC 2308 for details).
- *
- * We will now build a suitable negative cache rdataset that
- * will cause zero bytes to be emitted when converted to
- * wire format.
- */
-
- /*
- * The ownername must exist, but it doesn't matter what value
- * it has. We use the root name.
- */
- dns_name_toregion(dns_rootname, &r);
- result = isc_buffer_copyregion(&buffer, &r);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * Copy the type and a zero rdata count to the buffer.
- */
- isc_buffer_availableregion(&buffer, &r);
- if (r.length < 4)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint16(&buffer, 0);
- isc_buffer_putuint16(&buffer, 0);
- /*
- * RFC 2308, section 5, says that negative answers without
- * SOAs should not be cached.
- */
- ttl = 0;
- /*
- * Set trust.
- */
- if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
- message->counts[DNS_SECTION_ANSWER] == 0) {
- /*
- * The response has aa set and we haven't followed
- * any CNAME or DNAME chains.
- */
- trust = dns_trust_authauthority;
- } else
- trust = dns_trust_additional;
- }
-
- /*
- * Now add it to the cache.
- */
- INSIST(trust != 0xffff);
- isc_buffer_usedregion(&buffer, &r);
- rdata.data = r.base;
- rdata.length = r.length;
- rdata.rdclass = dns_db_class(cache);
- rdata.type = 0;
- rdata.flags = 0;
-
- ncrdatalist.rdclass = rdata.rdclass;
- ncrdatalist.type = 0;
- ncrdatalist.covers = covers;
- ncrdatalist.ttl = ttl;
- ISC_LIST_INIT(ncrdatalist.rdata);
- ISC_LINK_INIT(&ncrdatalist, link);
-
- ISC_LIST_APPEND(ncrdatalist.rdata, &rdata, link);
-
- dns_rdataset_init(&ncrdataset);
- RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
- == ISC_R_SUCCESS);
- ncrdataset.trust = trust;
- if (message->rcode == dns_rcode_nxdomain)
- ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
-
- return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
- 0, addedrdataset));
-}
-
-isc_result_t
-dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
- isc_buffer_t *target, unsigned int options,
- unsigned int *countp)
-{
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- isc_region_t remaining, tavailable;
- isc_buffer_t source, savedbuffer, rdlen;
- dns_name_t name;
- dns_rdatatype_t type;
- unsigned int i, rcount, count;
-
- /*
- * Convert the negative caching rdataset 'rdataset' to wire format,
- * compressing names as specified in 'cctx', and storing the result in
- * 'target'.
- */
-
- REQUIRE(rdataset != NULL);
- REQUIRE(rdataset->type == 0);
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &rdata);
- INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
- isc_buffer_init(&source, rdata.data, rdata.length);
- isc_buffer_add(&source, rdata.length);
-
- savedbuffer = *target;
-
- count = 0;
- do {
- dns_name_init(&name, NULL);
- isc_buffer_remainingregion(&source, &remaining);
- dns_name_fromregion(&name, &remaining);
- INSIST(remaining.length >= name.length);
- isc_buffer_forward(&source, name.length);
- remaining.length -= name.length;
-
- INSIST(remaining.length >= 4);
- type = isc_buffer_getuint16(&source);
- rcount = isc_buffer_getuint16(&source);
-
- for (i = 0; i < rcount; i++) {
- /*
- * Get the length of this rdata and set up an
- * rdata structure for it.
- */
- isc_buffer_remainingregion(&source, &remaining);
- INSIST(remaining.length >= 2);
- dns_rdata_reset(&rdata);
- rdata.length = isc_buffer_getuint16(&source);
- isc_buffer_remainingregion(&source, &remaining);
- rdata.data = remaining.base;
- rdata.type = type;
- rdata.rdclass = rdataset->rdclass;
- INSIST(remaining.length >= rdata.length);
- isc_buffer_forward(&source, rdata.length);
-
- if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 &&
- dns_rdatatype_isdnssec(type))
- continue;
-
- /*
- * Write the name.
- */
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
- result = dns_name_towire(&name, cctx, target);
- if (result != ISC_R_SUCCESS)
- goto rollback;
-
- /*
- * See if we have space for type, class, ttl, and
- * rdata length. Write the type, class, and ttl.
- */
- isc_buffer_availableregion(target, &tavailable);
- if (tavailable.length < 10) {
- result = ISC_R_NOSPACE;
- goto rollback;
- }
- isc_buffer_putuint16(target, type);
- isc_buffer_putuint16(target, rdataset->rdclass);
- isc_buffer_putuint32(target, rdataset->ttl);
-
- /*
- * Save space for rdata length.
- */
- rdlen = *target;
- isc_buffer_add(target, 2);
-
- /*
- * Write the rdata.
- */
- result = dns_rdata_towire(&rdata, cctx, target);
- if (result != ISC_R_SUCCESS)
- goto rollback;
-
- /*
- * Set the rdata length field to the compressed
- * length.
- */
- INSIST((target->used >= rdlen.used + 2) &&
- (target->used - rdlen.used - 2 < 65536));
- isc_buffer_putuint16(&rdlen,
- (isc_uint16_t)(target->used -
- rdlen.used - 2));
-
- count++;
- }
- isc_buffer_remainingregion(&source, &remaining);
- } while (remaining.length > 0);
-
- *countp = count;
-
- return (ISC_R_SUCCESS);
-
- rollback:
- INSIST(savedbuffer.used < 65536);
- dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
- *countp = 0;
- *target = savedbuffer;
-
- return (result);
-}
-
-static void
-rdataset_disassociate(dns_rdataset_t *rdataset) {
- UNUSED(rdataset);
-}
-
-static isc_result_t
-rdataset_first(dns_rdataset_t *rdataset) {
- unsigned char *raw = rdataset->private3;
- unsigned int count;
-
- count = raw[0] * 256 + raw[1];
- if (count == 0) {
- rdataset->private5 = NULL;
- return (ISC_R_NOMORE);
- }
- raw += 2;
- /*
- * The privateuint4 field is the number of rdata beyond the cursor
- * position, so we decrement the total count by one before storing
- * it.
- */
- count--;
- rdataset->privateuint4 = count;
- rdataset->private5 = raw;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_next(dns_rdataset_t *rdataset) {
- unsigned int count;
- unsigned int length;
- unsigned char *raw;
-
- count = rdataset->privateuint4;
- if (count == 0)
- return (ISC_R_NOMORE);
- count--;
- rdataset->privateuint4 = count;
- raw = rdataset->private5;
- length = raw[0] * 256 + raw[1];
- raw += length + 2;
- rdataset->private5 = raw;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
- unsigned char *raw = rdataset->private5;
- isc_region_t r;
-
- REQUIRE(raw != NULL);
-
- r.length = raw[0] * 256 + raw[1];
- raw += 2;
- r.base = raw;
- dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
- *target = *source;
-
- /*
- * Reset iterator state.
- */
- target->privateuint4 = 0;
- target->private5 = NULL;
-}
-
-static unsigned int
-rdataset_count(dns_rdataset_t *rdataset) {
- unsigned char *raw = rdataset->private3;
- unsigned int count;
-
- count = raw[0] * 256 + raw[1];
-
- return (count);
-}
-
-static dns_rdatasetmethods_t rdataset_methods = {
- rdataset_disassociate,
- rdataset_first,
- rdataset_next,
- rdataset_current,
- rdataset_clone,
- rdataset_count,
- NULL,
- NULL
-};
-
-isc_result_t
-dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
- dns_rdatatype_t type, dns_rdataset_t *rdataset)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_region_t remaining;
- isc_buffer_t source;
- dns_name_t tname;
- dns_rdatatype_t ttype;
- unsigned int i, rcount;
- isc_uint16_t length;
-
- REQUIRE(ncacherdataset != NULL);
- REQUIRE(ncacherdataset->type == 0);
- REQUIRE(name != NULL);
- REQUIRE(!dns_rdataset_isassociated(rdataset));
- REQUIRE(type != dns_rdatatype_rrsig);
-
- result = dns_rdataset_first(ncacherdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(ncacherdataset, &rdata);
- INSIST(dns_rdataset_next(ncacherdataset) == ISC_R_NOMORE);
- isc_buffer_init(&source, rdata.data, rdata.length);
- isc_buffer_add(&source, rdata.length);
-
- do {
- dns_name_init(&tname, NULL);
- isc_buffer_remainingregion(&source, &remaining);
- dns_name_fromregion(&tname, &remaining);
- INSIST(remaining.length >= tname.length);
- isc_buffer_forward(&source, tname.length);
- remaining.length -= tname.length;
-
- INSIST(remaining.length >= 4);
- ttype = isc_buffer_getuint16(&source);
-
- if (ttype == type && dns_name_equal(&tname, name)) {
- isc_buffer_remainingregion(&source, &remaining);
- break;
- }
-
- rcount = isc_buffer_getuint16(&source);
- for (i = 0; i < rcount; i++) {
- isc_buffer_remainingregion(&source, &remaining);
- INSIST(remaining.length >= 2);
- length = isc_buffer_getuint16(&source);
- isc_buffer_remainingregion(&source, &remaining);
- INSIST(remaining.length >= length);
- isc_buffer_forward(&source, length);
- }
- isc_buffer_remainingregion(&source, &remaining);
- } while (remaining.length > 0);
-
- if (remaining.length == 0)
- return (ISC_R_NOTFOUND);
-
- rdataset->methods = &rdataset_methods;
- rdataset->rdclass = ncacherdataset->rdclass;
- rdataset->type = type;
- rdataset->covers = 0;
- rdataset->ttl = ncacherdataset->ttl;
- rdataset->trust = ncacherdataset->trust;
- rdataset->private1 = NULL;
- rdataset->private2 = NULL;
-
- rdataset->private3 = remaining.base;
-
- /*
- * Reset iterator state.
- */
- rdataset->privateuint4 = 0;
- rdataset->private5 = NULL;
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/nsec.c b/contrib/bind9/lib/dns/nsec.c
deleted file mode 100644
index c259706a643d..000000000000
--- a/contrib/bind9/lib/dns/nsec.c
+++ /dev/null
@@ -1,218 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec.c,v 1.5.2.1 2004/03/08 02:07:55 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/nsec.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto failure; \
- } while (0)
-
-static void
-set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
- unsigned int shift, mask;
-
- shift = 7 - (index % 8);
- mask = 1 << shift;
-
- if (bit != 0)
- array[index / 8] |= mask;
- else
- array[index / 8] &= (~mask & 0xFF);
-}
-
-static unsigned int
-bit_isset(unsigned char *array, unsigned int index) {
- unsigned int byte, shift, mask;
-
- byte = array[index / 8];
- shift = 7 - (index % 8);
- mask = 1 << shift;
-
- return ((byte & mask) != 0);
-}
-
-isc_result_t
-dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
- dns_dbnode_t *node, dns_name_t *target,
- unsigned char *buffer, dns_rdata_t *rdata)
-{
- isc_result_t result;
- dns_rdataset_t rdataset;
- isc_region_t r;
- unsigned int i, window;
- int octet;
-
- unsigned char *nsec_bits, *bm;
- unsigned int max_type;
- dns_rdatasetiter_t *rdsiter;
-
- memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
- dns_name_toregion(target, &r);
- memcpy(buffer, r.base, r.length);
- r.base = buffer;
- /*
- * Use the end of the space for a raw bitmap leaving enough
- * space for the window identifiers and length octets.
- */
- bm = r.base + r.length + 512;
- nsec_bits = r.base + r.length;
- set_bit(bm, dns_rdatatype_nsec, 1);
- max_type = dns_rdatatype_nsec;
- dns_rdataset_init(&rdataset);
- rdsiter = NULL;
- result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
- if (result != ISC_R_SUCCESS)
- return (result);
- for (result = dns_rdatasetiter_first(rdsiter);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter))
- {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- if (rdataset.type != dns_rdatatype_nsec) {
- if (rdataset.type > max_type)
- max_type = rdataset.type;
- set_bit(bm, rdataset.type, 1);
- }
- dns_rdataset_disassociate(&rdataset);
- }
-
- /*
- * At zone cuts, deny the existence of glue in the parent zone.
- */
- if (bit_isset(bm, dns_rdatatype_ns) &&
- ! bit_isset(bm, dns_rdatatype_soa)) {
- for (i = 0; i <= max_type; i++) {
- if (bit_isset(bm, i) &&
- ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
- set_bit(bm, i, 0);
- }
- }
-
- dns_rdatasetiter_destroy(&rdsiter);
- if (result != ISC_R_NOMORE)
- return (result);
-
- for (window = 0; window < 256; window++) {
- if (window * 256 > max_type)
- break;
- for (octet = 31; octet >= 0; octet--)
- if (bm[window * 32 + octet] != 0)
- break;
- if (octet < 0)
- continue;
- nsec_bits[0] = window;
- nsec_bits[1] = octet + 1;
- /*
- * Note: potential overlapping move.
- */
- memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
- nsec_bits += 3 + octet;
- }
- r.length = nsec_bits - r.base;
- INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
- dns_rdata_fromregion(rdata,
- dns_db_class(db),
- dns_rdatatype_nsec,
- &r);
-
- return (ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
- dns_name_t *target, dns_ttl_t ttl)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned char data[DNS_NSEC_BUFFERSIZE];
- dns_rdatalist_t rdatalist;
- dns_rdataset_t rdataset;
-
- dns_rdataset_init(&rdataset);
- dns_rdata_init(&rdata);
-
- RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
-
- rdatalist.rdclass = dns_db_class(db);
- rdatalist.type = dns_rdatatype_nsec;
- rdatalist.covers = 0;
- rdatalist.ttl = ttl;
- ISC_LIST_INIT(rdatalist.rdata);
- ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
- RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
- result = dns_db_addrdataset(db, node, version, 0, &rdataset,
- 0, NULL);
- if (result == DNS_R_UNCHANGED)
- result = ISC_R_SUCCESS;
- RETERR(result);
- failure:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- return (result);
-}
-
-isc_boolean_t
-dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
- dns_rdata_nsec_t nsecstruct;
- isc_result_t result;
- isc_boolean_t present;
- unsigned int i, len, window;
-
- REQUIRE(nsec != NULL);
- REQUIRE(nsec->type == dns_rdatatype_nsec);
-
- /* This should never fail */
- result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
- INSIST(result == ISC_R_SUCCESS);
-
- present = ISC_FALSE;
- for (i = 0; i < nsecstruct.len; i += len) {
- INSIST(i + 2 <= nsecstruct.len);
- window = nsecstruct.typebits[i];
- len = nsecstruct.typebits[i + 1];
- INSIST(len > 0 && len <= 32);
- i += 2;
- INSIST(i + len <= nsecstruct.len);
- if (window * 256 > type)
- break;
- if ((window + 1) * 256 <= type)
- continue;
- if (type < (window * 256) + len * 8)
- present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
- type % 256));
- break;
- }
- dns_rdata_freestruct(&nsec);
- return (present);
-}
diff --git a/contrib/bind9/lib/dns/openssl_link.c b/contrib/bind9/lib/dns/openssl_link.c
deleted file mode 100644
index 62eac05f30a0..000000000000
--- a/contrib/bind9/lib/dns/openssl_link.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
- */
-#ifdef OPENSSL
-
-#include <config.h>
-
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/mutexblock.h>
-#include <isc/string.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-
-#include <openssl/err.h>
-#include <openssl/rand.h>
-#include <openssl/crypto.h>
-
-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER < 0x00907000L)
-#define USE_ENGINE 1
-#endif
-
-#ifdef USE_ENGINE
-#include <openssl/engine.h>
-#endif
-
-static RAND_METHOD *rm = NULL;
-static isc_mutex_t *locks = NULL;
-static int nlocks;
-
-#ifdef USE_ENGINE
-static ENGINE *e;
-#endif
-
-
-static int
-entropy_get(unsigned char *buf, int num) {
- isc_result_t result;
- if (num < 0)
- return (-1);
- result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
- return (result == ISC_R_SUCCESS ? num : -1);
-}
-
-static int
-entropy_getpseudo(unsigned char *buf, int num) {
- isc_result_t result;
- if (num < 0)
- return (-1);
- result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
- return (result == ISC_R_SUCCESS ? num : -1);
-}
-
-static void
-entropy_add(const void *buf, int num, double entropy) {
- /*
- * Do nothing. The only call to this provides no useful data anyway.
- */
- UNUSED(buf);
- UNUSED(num);
- UNUSED(entropy);
-}
-
-static void
-lock_callback(int mode, int type, const char *file, int line) {
- UNUSED(file);
- UNUSED(line);
- if ((mode & CRYPTO_LOCK) != 0)
- LOCK(&locks[type]);
- else
- UNLOCK(&locks[type]);
-}
-
-static unsigned long
-id_callback(void) {
- return ((unsigned long)isc_thread_self());
-}
-
-static void *
-mem_alloc(size_t size) {
- INSIST(dst__memory_pool != NULL);
- return (isc_mem_allocate(dst__memory_pool, size));
-}
-
-static void
-mem_free(void *ptr) {
- INSIST(dst__memory_pool != NULL);
- if (ptr != NULL)
- isc_mem_free(dst__memory_pool, ptr);
-}
-
-static void *
-mem_realloc(void *ptr, size_t size) {
- void *p;
-
- INSIST(dst__memory_pool != NULL);
- p = NULL;
- if (size > 0U) {
- p = mem_alloc(size);
- if (p != NULL && ptr != NULL)
- memcpy(p, ptr, size);
- }
- if (ptr != NULL)
- mem_free(ptr);
- return (p);
-}
-
-isc_result_t
-dst__openssl_init() {
- isc_result_t result;
-
- CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
- nlocks = CRYPTO_num_locks();
- locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
- if (locks == NULL)
- return (ISC_R_NOMEMORY);
- result = isc_mutexblock_init(locks, nlocks);
- if (result != ISC_R_SUCCESS)
- goto cleanup_mutexalloc;
- CRYPTO_set_locking_callback(lock_callback);
- CRYPTO_set_id_callback(id_callback);
- rm = mem_alloc(sizeof(RAND_METHOD));
- if (rm == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_mutexinit;
- }
- rm->seed = NULL;
- rm->bytes = entropy_get;
- rm->cleanup = NULL;
- rm->add = entropy_add;
- rm->pseudorand = entropy_getpseudo;
- rm->status = NULL;
-#ifdef USE_ENGINE
- e = ENGINE_new();
- if (e == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_rm;
- }
- ENGINE_set_RAND(e, rm);
- RAND_set_rand_method(e);
-#else
- RAND_set_rand_method(rm);
-#endif
- return (ISC_R_SUCCESS);
-
-#ifdef USE_ENGINE
- cleanup_rm:
- mem_free(rm);
-#endif
- cleanup_mutexinit:
- DESTROYMUTEXBLOCK(locks, nlocks);
- cleanup_mutexalloc:
- mem_free(locks);
- return (result);
-}
-
-void
-dst__openssl_destroy() {
- ERR_clear_error();
-#ifdef USE_ENGINE
- if (e != NULL) {
- ENGINE_free(e);
- e = NULL;
- }
-#endif
- if (locks != NULL) {
- DESTROYMUTEXBLOCK(locks, nlocks);
- mem_free(locks);
- }
- if (rm != NULL)
- mem_free(rm);
-}
-
-isc_result_t
-dst__openssl_toresult(isc_result_t fallback) {
- isc_result_t result = fallback;
- int err = ERR_get_error();
-
- switch (ERR_GET_REASON(err)) {
- case ERR_R_MALLOC_FAILURE:
- result = ISC_R_NOMEMORY;
- break;
- default:
- break;
- }
- ERR_clear_error();
- return (result);
-}
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
diff --git a/contrib/bind9/lib/dns/openssldh_link.c b/contrib/bind9/lib/dns/openssldh_link.c
deleted file mode 100644
index 24255834d780..000000000000
--- a/contrib/bind9/lib/dns/openssldh_link.c
+++ /dev/null
@@ -1,608 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
- */
-
-#ifdef OPENSSL
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include <openssl/dh.h>
-
-#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
- "A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
- "F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
-
-#define PRIME1024 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \
- "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \
- "5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
- "B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
-
-#define PRIME1536 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
- "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
- "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
- "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
- "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
- "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
- "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
- "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
-
-
-static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
-
-static BIGNUM bn2, bn768, bn1024, bn1536;
-
-static isc_result_t
-openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
- isc_buffer_t *secret)
-{
- DH *dhpub, *dhpriv;
- int ret;
- isc_region_t r;
- unsigned int len;
-
- REQUIRE(pub->opaque != NULL);
- REQUIRE(priv->opaque != NULL);
-
- dhpub = (DH *) pub->opaque;
- dhpriv = (DH *) priv->opaque;
-
- len = DH_size(dhpriv);
- isc_buffer_availableregion(secret, &r);
- if (r.length < len)
- return (ISC_R_NOSPACE);
- ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
- if (ret == 0)
- return (dst__openssl_toresult(DST_R_COMPUTESECRETFAILURE));
- isc_buffer_add(secret, len);
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
- int status;
- DH *dh1, *dh2;
-
- dh1 = (DH *) key1->opaque;
- dh2 = (DH *) key2->opaque;
-
- if (dh1 == NULL && dh2 == NULL)
- return (ISC_TRUE);
- else if (dh1 == NULL || dh2 == NULL)
- return (ISC_FALSE);
-
- status = BN_cmp(dh1->p, dh2->p) ||
- BN_cmp(dh1->g, dh2->g) ||
- BN_cmp(dh1->pub_key, dh2->pub_key);
-
- if (status != 0)
- return (ISC_FALSE);
-
- if (dh1->priv_key != NULL || dh2->priv_key != NULL) {
- if (dh1->priv_key == NULL || dh2->priv_key == NULL)
- return (ISC_FALSE);
- if (BN_cmp(dh1->priv_key, dh2->priv_key) != 0)
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-static isc_boolean_t
-openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
- int status;
- DH *dh1, *dh2;
-
- dh1 = (DH *) key1->opaque;
- dh2 = (DH *) key2->opaque;
-
- if (dh1 == NULL && dh2 == NULL)
- return (ISC_TRUE);
- else if (dh1 == NULL || dh2 == NULL)
- return (ISC_FALSE);
-
- status = BN_cmp(dh1->p, dh2->p) ||
- BN_cmp(dh1->g, dh2->g);
-
- if (status != 0)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-static isc_result_t
-openssldh_generate(dst_key_t *key, int generator) {
- DH *dh = NULL;
-
- if (generator == 0) {
- if (key->key_size == 768 ||
- key->key_size == 1024 ||
- key->key_size == 1536)
- {
- dh = DH_new();
- if (dh == NULL)
- return (ISC_R_NOMEMORY);
- if (key->key_size == 768)
- dh->p = &bn768;
- else if (key->key_size == 1024)
- dh->p = &bn1024;
- else
- dh->p = &bn1536;
- dh->g = &bn2;
- }
- else
- generator = 2;
- }
-
- if (generator != 0)
- dh = DH_generate_parameters(key->key_size, generator,
- NULL, NULL);
-
- if (dh == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-
- if (DH_generate_key(dh) == 0) {
- DH_free(dh);
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
- dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-
- key->opaque = dh;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-openssldh_isprivate(const dst_key_t *key) {
- DH *dh = (DH *) key->opaque;
- return (ISC_TF(dh != NULL && dh->priv_key != NULL));
-}
-
-static void
-openssldh_destroy(dst_key_t *key) {
- DH *dh = key->opaque;
-
- if (dh == NULL)
- return;
-
- if (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)
- dh->p = NULL;
- if (dh->g == &bn2)
- dh->g = NULL;
- DH_free(dh);
- key->opaque = NULL;
-}
-
-static void
-uint16_toregion(isc_uint16_t val, isc_region_t *region) {
- *region->base++ = (val & 0xff00) >> 8;
- *region->base++ = (val & 0x00ff);
-}
-
-static isc_uint16_t
-uint16_fromregion(isc_region_t *region) {
- isc_uint16_t val;
- unsigned char *cp = region->base;
-
- val = ((unsigned int)(cp[0])) << 8;
- val |= ((unsigned int)(cp[1]));
-
- region->base += 2;
- return (val);
-}
-
-static isc_result_t
-openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
- DH *dh;
- isc_region_t r;
- isc_uint16_t dnslen, plen, glen, publen;
-
- REQUIRE(key->opaque != NULL);
-
- dh = (DH *) key->opaque;
-
- isc_buffer_availableregion(data, &r);
-
- if (dh->g == &bn2 &&
- (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)) {
- plen = 1;
- glen = 0;
- }
- else {
- plen = BN_num_bytes(dh->p);
- glen = BN_num_bytes(dh->g);
- }
- publen = BN_num_bytes(dh->pub_key);
- dnslen = plen + glen + publen + 6;
- if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
-
- uint16_toregion(plen, &r);
- if (plen == 1) {
- if (dh->p == &bn768)
- *r.base = 1;
- else if (dh->p == &bn1024)
- *r.base = 2;
- else
- *r.base = 3;
- }
- else
- BN_bn2bin(dh->p, r.base);
- r.base += plen;
-
- uint16_toregion(glen, &r);
- if (glen > 0)
- BN_bn2bin(dh->g, r.base);
- r.base += glen;
-
- uint16_toregion(publen, &r);
- BN_bn2bin(dh->pub_key, r.base);
- r.base += publen;
-
- isc_buffer_add(data, dnslen);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
- DH *dh;
- isc_region_t r;
- isc_uint16_t plen, glen, publen;
- int special = 0;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- dh = DH_new();
- if (dh == NULL)
- return (ISC_R_NOMEMORY);
- dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-
- /*
- * Read the prime length. 1 & 2 are table entries, > 16 means a
- * prime follows, otherwise an error.
- */
- if (r.length < 2) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- plen = uint16_fromregion(&r);
- if (plen < 16 && plen != 1 && plen != 2) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- if (r.length < plen) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- if (plen == 1 || plen == 2) {
- if (plen == 1)
- special = *r.base++;
- else
- special = uint16_fromregion(&r);
- switch (special) {
- case 1:
- dh->p = &bn768;
- break;
- case 2:
- dh->p = &bn1024;
- break;
- case 3:
- dh->p = &bn1536;
- break;
- default:
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- }
- else {
- dh->p = BN_bin2bn(r.base, plen, NULL);
- r.base += plen;
- }
-
- /*
- * Read the generator length. This should be 0 if the prime was
- * special, but it might not be. If it's 0 and the prime is not
- * special, we have a problem.
- */
- if (r.length < 2) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- glen = uint16_fromregion(&r);
- if (r.length < glen) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- if (special != 0) {
- if (glen == 0)
- dh->g = &bn2;
- else {
- dh->g = BN_bin2bn(r.base, glen, NULL);
- if (BN_cmp(dh->g, &bn2) == 0) {
- BN_free(dh->g);
- dh->g = &bn2;
- }
- else {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- }
- }
- else {
- if (glen == 0) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- dh->g = BN_bin2bn(r.base, glen, NULL);
- }
- r.base += glen;
-
- if (r.length < 2) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- publen = uint16_fromregion(&r);
- if (r.length < publen) {
- DH_free(dh);
- return (DST_R_INVALIDPUBLICKEY);
- }
- dh->pub_key = BN_bin2bn(r.base, publen, NULL);
- r.base += publen;
-
- key->key_size = BN_num_bits(dh->p);
-
- isc_buffer_forward(data, plen + glen + publen + 6);
-
- key->opaque = (void *) dh;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldh_tofile(const dst_key_t *key, const char *directory) {
- int i;
- DH *dh;
- dst_private_t priv;
- unsigned char *bufs[4];
- isc_result_t result;
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- dh = (DH *) key->opaque;
-
- for (i = 0; i < 4; i++) {
- bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
- if (bufs[i] == NULL) {
- result = ISC_R_NOMEMORY;
- goto fail;
- }
- }
-
- i = 0;
-
- priv.elements[i].tag = TAG_DH_PRIME;
- priv.elements[i].length = BN_num_bytes(dh->p);
- BN_bn2bin(dh->p, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_GENERATOR;
- priv.elements[i].length = BN_num_bytes(dh->g);
- BN_bn2bin(dh->g, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_PRIVATE;
- priv.elements[i].length = BN_num_bytes(dh->priv_key);
- BN_bn2bin(dh->priv_key, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_DH_PUBLIC;
- priv.elements[i].length = BN_num_bytes(dh->pub_key);
- BN_bn2bin(dh->pub_key, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.nelements = i;
- result = dst__privstruct_writefile(key, &priv, directory);
- fail:
- for (i = 0; i < 4; i++) {
- if (bufs[i] == NULL)
- break;
- isc_mem_put(key->mctx, bufs[i], BN_num_bytes(dh->p));
- }
- return (result);
-}
-
-static isc_result_t
-openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t ret;
- int i;
- DH *dh = NULL;
- isc_mem_t *mctx;
-#define DST_RET(a) {ret = a; goto err;}
-
- mctx = key->mctx;
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- dh = DH_new();
- if (dh == NULL)
- DST_RET(ISC_R_NOMEMORY);
- dh->flags &= ~DH_FLAG_CACHE_MONT_P;
- key->opaque = dh;
-
- for (i = 0; i < priv.nelements; i++) {
- BIGNUM *bn;
- bn = BN_bin2bn(priv.elements[i].data,
- priv.elements[i].length, NULL);
- if (bn == NULL)
- DST_RET(ISC_R_NOMEMORY);
-
- switch (priv.elements[i].tag) {
- case TAG_DH_PRIME:
- dh->p = bn;
- break;
- case TAG_DH_GENERATOR:
- dh->g = bn;
- break;
- case TAG_DH_PRIVATE:
- dh->priv_key = bn;
- break;
- case TAG_DH_PUBLIC:
- dh->pub_key = bn;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
-
- key->key_size = BN_num_bits(dh->p);
-
- if ((key->key_size == 768 ||
- key->key_size == 1024 ||
- key->key_size == 1536) &&
- BN_cmp(dh->g, &bn2) == 0)
- {
- if (key->key_size == 768 && BN_cmp(dh->p, &bn768) == 0) {
- BN_free(dh->p);
- BN_free(dh->g);
- dh->p = &bn768;
- dh->g = &bn2;
- } else if (key->key_size == 1024 &&
- BN_cmp(dh->p, &bn1024) == 0) {
- BN_free(dh->p);
- BN_free(dh->g);
- dh->p = &bn1024;
- dh->g = &bn2;
- } else if (key->key_size == 1536 &&
- BN_cmp(dh->p, &bn1536) == 0) {
- BN_free(dh->p);
- BN_free(dh->g);
- dh->p = &bn1536;
- dh->g = &bn2;
- }
- }
-
- return (ISC_R_SUCCESS);
-
- err:
- openssldh_destroy(key);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
-}
-
-static void
-BN_fromhex(BIGNUM *b, const char *str) {
- static const char hexdigits[] = "0123456789abcdef";
- unsigned char data[512];
- unsigned int i;
- BIGNUM *out;
-
- RUNTIME_CHECK(strlen(str) < 1024U && strlen(str) % 2 == 0U);
- for (i = 0; i < strlen(str); i += 2) {
- char *s;
- unsigned int high, low;
-
- s = strchr(hexdigits, tolower((unsigned char)str[i]));
- RUNTIME_CHECK(s != NULL);
- high = s - hexdigits;
-
- s = strchr(hexdigits, tolower((unsigned char)str[i + 1]));
- RUNTIME_CHECK(s != NULL);
- low = s - hexdigits;
-
- data[i/2] = (unsigned char)((high << 4) + low);
- }
- out = BN_bin2bn(data, strlen(str)/2, b);
- RUNTIME_CHECK(out != NULL);
-}
-
-static void
-openssldh_cleanup(void) {
- BN_free(&bn2);
- BN_free(&bn768);
- BN_free(&bn1024);
- BN_free(&bn1536);
-}
-
-static dst_func_t openssldh_functions = {
- NULL, /* createctx */
- NULL, /* destroyctx */
- NULL, /* adddata */
- NULL, /* openssldh_sign */
- NULL, /* openssldh_verify */
- openssldh_computesecret,
- openssldh_compare,
- openssldh_paramcompare,
- openssldh_generate,
- openssldh_isprivate,
- openssldh_destroy,
- openssldh_todns,
- openssldh_fromdns,
- openssldh_tofile,
- openssldh_parse,
- openssldh_cleanup,
-};
-
-isc_result_t
-dst__openssldh_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL) {
- BN_init(&bn2);
- BN_init(&bn768);
- BN_init(&bn1024);
- BN_init(&bn1536);
- BN_set_word(&bn2, 2);
- BN_fromhex(&bn768, PRIME768);
- BN_fromhex(&bn1024, PRIME1024);
- BN_fromhex(&bn1536, PRIME1536);
- *funcp = &openssldh_functions;
- }
- return (ISC_R_SUCCESS);
-}
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
diff --git a/contrib/bind9/lib/dns/openssldsa_link.c b/contrib/bind9/lib/dns/openssldsa_link.c
deleted file mode 100644
index ac84a6565be4..000000000000
--- a/contrib/bind9/lib/dns/openssldsa_link.c
+++ /dev/null
@@ -1,443 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002 Internet Software Consortium.
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: openssldsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $ */
-
-#ifdef OPENSSL
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/entropy.h>
-#include <isc/mem.h>
-#include <isc/sha1.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include <openssl/dsa.h>
-
-static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
-
-static isc_result_t
-openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- isc_sha1_t *sha1ctx;
-
- UNUSED(key);
-
- sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
- isc_sha1_init(sha1ctx);
- dctx->opaque = sha1ctx;
- return (ISC_R_SUCCESS);
-}
-
-static void
-openssldsa_destroyctx(dst_context_t *dctx) {
- isc_sha1_t *sha1ctx = dctx->opaque;
-
- if (sha1ctx != NULL) {
- isc_sha1_invalidate(sha1ctx);
- isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
- dctx->opaque = NULL;
- }
-}
-
-static isc_result_t
-openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- isc_sha1_t *sha1ctx = dctx->opaque;
-
- isc_sha1_update(sha1ctx, data->base, data->length);
- return (ISC_R_SUCCESS);
-}
-
-static int
-BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
- int bytes = size - BN_num_bytes(bn);
- while (bytes-- > 0)
- *buf++ = 0;
- BN_bn2bin(bn, buf);
- return (size);
-}
-
-static isc_result_t
-openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- isc_sha1_t *sha1ctx = dctx->opaque;
- dst_key_t *key = dctx->key;
- DSA *dsa = key->opaque;
- DSA_SIG *dsasig;
- isc_region_t r;
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
- return (ISC_R_NOSPACE);
-
- isc_sha1_final(sha1ctx, digest);
-
- dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
- if (dsasig == NULL)
- return (dst__openssl_toresult(DST_R_SIGNFAILURE));
-
- *r.base++ = (key->key_size - 512)/64;
- BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
- BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
- DSA_SIG_free(dsasig);
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- isc_sha1_t *sha1ctx = dctx->opaque;
- dst_key_t *key = dctx->key;
- DSA *dsa = key->opaque;
- DSA_SIG *dsasig;
- int status = 0;
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- unsigned char *cp = sig->base;
-
- isc_sha1_final(sha1ctx, digest);
-
- if (sig->length < 2 * ISC_SHA1_DIGESTLENGTH + 1)
- return (DST_R_VERIFYFAILURE);
-
- cp++; /* Skip T */
- dsasig = DSA_SIG_new();
- dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
- cp += ISC_SHA1_DIGESTLENGTH;
- dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
- cp += ISC_SHA1_DIGESTLENGTH;
-
- status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
- DSA_SIG_free(dsasig);
- if (status == 0)
- return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- int status;
- DSA *dsa1, *dsa2;
-
- dsa1 = (DSA *) key1->opaque;
- dsa2 = (DSA *) key2->opaque;
-
- if (dsa1 == NULL && dsa2 == NULL)
- return (ISC_TRUE);
- else if (dsa1 == NULL || dsa2 == NULL)
- return (ISC_FALSE);
-
- status = BN_cmp(dsa1->p, dsa2->p) ||
- BN_cmp(dsa1->q, dsa2->q) ||
- BN_cmp(dsa1->g, dsa2->g) ||
- BN_cmp(dsa1->pub_key, dsa2->pub_key);
-
- if (status != 0)
- return (ISC_FALSE);
-
- if (dsa1->priv_key != NULL || dsa2->priv_key != NULL) {
- if (dsa1->priv_key == NULL || dsa2->priv_key == NULL)
- return (ISC_FALSE);
- if (BN_cmp(dsa1->priv_key, dsa2->priv_key))
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-static isc_result_t
-openssldsa_generate(dst_key_t *key, int unused) {
- DSA *dsa;
- unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
- isc_result_t result;
-
- UNUSED(unused);
-
- result = dst__entropy_getdata(rand_array, sizeof(rand_array),
- ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dsa = DSA_generate_parameters(key->key_size, rand_array,
- ISC_SHA1_DIGESTLENGTH, NULL, NULL,
- NULL, NULL);
-
- if (dsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-
- if (DSA_generate_key(dsa) == 0) {
- DSA_free(dsa);
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-
- key->opaque = dsa;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-openssldsa_isprivate(const dst_key_t *key) {
- DSA *dsa = (DSA *) key->opaque;
- return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
-}
-
-static void
-openssldsa_destroy(dst_key_t *key) {
- DSA *dsa = key->opaque;
- DSA_free(dsa);
- key->opaque = NULL;
-}
-
-
-static isc_result_t
-openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- DSA *dsa;
- isc_region_t r;
- int dnslen;
- unsigned int t, p_bytes;
-
- REQUIRE(key->opaque != NULL);
-
- dsa = (DSA *) key->opaque;
-
- isc_buffer_availableregion(data, &r);
-
- t = (BN_num_bytes(dsa->p) - 64) / 8;
- if (t > 8)
- return (DST_R_INVALIDPUBLICKEY);
- p_bytes = 64 + 8 * t;
-
- dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
- if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
-
- *r.base++ = t;
- BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
- r.base += ISC_SHA1_DIGESTLENGTH;
- BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
- r.base += p_bytes;
- BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
- r.base += p_bytes;
- BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
- r.base += p_bytes;
-
- isc_buffer_add(data, dnslen);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- DSA *dsa;
- isc_region_t r;
- unsigned int t, p_bytes;
- isc_mem_t *mctx = key->mctx;
-
- UNUSED(mctx);
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- dsa = DSA_new();
- if (dsa == NULL)
- return (ISC_R_NOMEMORY);
- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-
- t = (unsigned int) *r.base++;
- if (t > 8) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
- p_bytes = 64 + 8 * t;
-
- if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
- r.base += ISC_SHA1_DIGESTLENGTH;
-
- dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
-
- dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
-
- dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
- r.base += p_bytes;
-
- key->key_size = p_bytes * 8;
-
- isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
-
- key->opaque = (void *) dsa;
-
- return (ISC_R_SUCCESS);
-}
-
-
-static isc_result_t
-openssldsa_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- DSA *dsa;
- dst_private_t priv;
- unsigned char bufs[5][128];
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- dsa = (DSA *) key->opaque;
-
- priv.elements[cnt].tag = TAG_DSA_PRIME;
- priv.elements[cnt].length = BN_num_bytes(dsa->p);
- BN_bn2bin(dsa->p, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
- priv.elements[cnt].length = BN_num_bytes(dsa->q);
- BN_bn2bin(dsa->q, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_BASE;
- priv.elements[cnt].length = BN_num_bytes(dsa->g);
- BN_bn2bin(dsa->g, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PRIVATE;
- priv.elements[cnt].length = BN_num_bytes(dsa->priv_key);
- BN_bn2bin(dsa->priv_key, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PUBLIC;
- priv.elements[cnt].length = BN_num_bytes(dsa->pub_key);
- BN_bn2bin(dsa->pub_key, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t ret;
- int i;
- DSA *dsa = NULL;
- isc_mem_t *mctx = key->mctx;
-#define DST_RET(a) {ret = a; goto err;}
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- dsa = DSA_new();
- if (dsa == NULL)
- DST_RET(ISC_R_NOMEMORY);
- dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
- key->opaque = dsa;
-
- for (i=0; i < priv.nelements; i++) {
- BIGNUM *bn;
- bn = BN_bin2bn(priv.elements[i].data,
- priv.elements[i].length, NULL);
- if (bn == NULL)
- DST_RET(ISC_R_NOMEMORY);
-
- switch (priv.elements[i].tag) {
- case TAG_DSA_PRIME:
- dsa->p = bn;
- break;
- case TAG_DSA_SUBPRIME:
- dsa->q = bn;
- break;
- case TAG_DSA_BASE:
- dsa->g = bn;
- break;
- case TAG_DSA_PRIVATE:
- dsa->priv_key = bn;
- break;
- case TAG_DSA_PUBLIC:
- dsa->pub_key = bn;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
-
- key->key_size = BN_num_bits(dsa->p);
-
- return (ISC_R_SUCCESS);
-
- err:
- openssldsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
-}
-
-static dst_func_t openssldsa_functions = {
- openssldsa_createctx,
- openssldsa_destroyctx,
- openssldsa_adddata,
- openssldsa_sign,
- openssldsa_verify,
- NULL, /* computesecret */
- openssldsa_compare,
- NULL, /* paramcompare */
- openssldsa_generate,
- openssldsa_isprivate,
- openssldsa_destroy,
- openssldsa_todns,
- openssldsa_fromdns,
- openssldsa_tofile,
- openssldsa_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__openssldsa_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &openssldsa_functions;
- return (ISC_R_SUCCESS);
-}
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
diff --git a/contrib/bind9/lib/dns/opensslrsa_link.c b/contrib/bind9/lib/dns/opensslrsa_link.c
deleted file mode 100644
index 0d4426bfabef..000000000000
--- a/contrib/bind9/lib/dns/opensslrsa_link.c
+++ /dev/null
@@ -1,567 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.4.1 2004/12/09 04:07:18 marka Exp $
- */
-#ifdef OPENSSL
-
-#include <config.h>
-
-#include <isc/entropy.h>
-#include <isc/md5.h>
-#include <isc/sha1.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-
- /*
- * XXXMPA Temporarially disable RSA_BLINDING as it requires
- * good quality random data that cannot currently be guarenteed.
- * XXXMPA Find which versions of openssl use pseudo random data
- * and set RSA_FLAG_BLINDING for those.
- */
-
-#if 0
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
- (rsa)->flags |= RSA_FLAG_BLINDING; \
- } while (0)
-#else
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags |= RSA_FLAG_BLINDING; \
- } while (0)
-#endif
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- } while (0)
-#else
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- } while (0)
-#endif
-
-static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
-
-static isc_result_t
-opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- UNUSED(key);
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1);
-
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx;
-
- md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
- isc_md5_init(md5ctx);
- dctx->opaque = md5ctx;
- } else {
- isc_sha1_t *sha1ctx;
-
- sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
- isc_sha1_init(sha1ctx);
- dctx->opaque = sha1ctx;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-opensslrsa_destroyctx(dst_context_t *dctx) {
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1);
-
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
-
- if (md5ctx != NULL) {
- isc_md5_invalidate(md5ctx);
- isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t));
- }
- } else {
- isc_sha1_t *sha1ctx = dctx->opaque;
-
- if (sha1ctx != NULL) {
- isc_sha1_invalidate(sha1ctx);
- isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
- }
- }
- dctx->opaque = NULL;
-}
-
-static isc_result_t
-opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1);
-
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
- isc_md5_update(md5ctx, data->base, data->length);
- } else {
- isc_sha1_t *sha1ctx = dctx->opaque;
- isc_sha1_update(sha1ctx, data->base, data->length);
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- dst_key_t *key = dctx->key;
- RSA *rsa = key->opaque;
- isc_region_t r;
- /* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- unsigned int siglen = 0;
- int status;
- int type;
- unsigned int digestlen;
- char *message;
- unsigned long err;
- const char* file;
- int line;
-
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1);
-
- isc_buffer_availableregion(sig, &r);
-
- if (r.length < (unsigned int) RSA_size(rsa))
- return (ISC_R_NOSPACE);
-
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
- isc_md5_final(md5ctx, digest);
- type = NID_md5;
- digestlen = ISC_MD5_DIGESTLENGTH;
- } else {
- isc_sha1_t *sha1ctx = dctx->opaque;
- isc_sha1_final(sha1ctx, digest);
- type = NID_sha1;
- digestlen = ISC_SHA1_DIGESTLENGTH;
- }
-
- status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
- if (status == 0) {
- err = ERR_peek_error_line(&file, &line);
- if (err != 0U) {
- message = ERR_error_string(err, NULL);
- fprintf(stderr, "%s:%s:%d\n", message,
- file ? file : "", line);
- }
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
-
- isc_buffer_add(sig, siglen);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- dst_key_t *key = dctx->key;
- RSA *rsa = key->opaque;
- /* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- int status = 0;
- int type;
- unsigned int digestlen;
-
- REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
- dctx->key->key_alg == DST_ALG_RSASHA1);
-
- if (dctx->key->key_alg == DST_ALG_RSAMD5) {
- isc_md5_t *md5ctx = dctx->opaque;
- isc_md5_final(md5ctx, digest);
- type = NID_md5;
- digestlen = ISC_MD5_DIGESTLENGTH;
- } else {
- isc_sha1_t *sha1ctx = dctx->opaque;
- isc_sha1_final(sha1ctx, digest);
- type = NID_sha1;
- digestlen = ISC_SHA1_DIGESTLENGTH;
- }
-
- if (sig->length < (unsigned int) RSA_size(rsa))
- return (DST_R_VERIFYFAILURE);
-
- status = RSA_verify(type, digest, digestlen, sig->base,
- RSA_size(rsa), rsa);
- if (status == 0)
- return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- int status;
- RSA *rsa1, *rsa2;
-
- rsa1 = (RSA *) key1->opaque;
- rsa2 = (RSA *) key2->opaque;
-
- if (rsa1 == NULL && rsa2 == NULL)
- return (ISC_TRUE);
- else if (rsa1 == NULL || rsa2 == NULL)
- return (ISC_FALSE);
-
- status = BN_cmp(rsa1->n, rsa2->n) ||
- BN_cmp(rsa1->e, rsa2->e);
-
- if (status != 0)
- return (ISC_FALSE);
-
- if (rsa1->d != NULL || rsa2->d != NULL) {
- if (rsa1->d == NULL || rsa2->d == NULL)
- return (ISC_FALSE);
- status = BN_cmp(rsa1->d, rsa2->d) ||
- BN_cmp(rsa1->p, rsa2->p) ||
- BN_cmp(rsa1->q, rsa2->q);
-
- if (status != 0)
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-static isc_result_t
-opensslrsa_generate(dst_key_t *key, int exp) {
- RSA *rsa;
- unsigned long e;
-
- if (exp == 0)
- e = RSA_3;
- else
- e = RSA_F4;
- rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
- if (rsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- SET_FLAGS(rsa);
- key->opaque = rsa;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-opensslrsa_isprivate(const dst_key_t *key) {
- RSA *rsa = (RSA *) key->opaque;
- return (ISC_TF(rsa != NULL && rsa->d != NULL));
-}
-
-static void
-opensslrsa_destroy(dst_key_t *key) {
- RSA *rsa = key->opaque;
- RSA_free(rsa);
- key->opaque = NULL;
-}
-
-
-static isc_result_t
-opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- RSA *rsa;
- isc_region_t r;
- unsigned int e_bytes;
- unsigned int mod_bytes;
-
- REQUIRE(key->opaque != NULL);
-
- rsa = (RSA *) key->opaque;
-
- isc_buffer_availableregion(data, &r);
-
- e_bytes = BN_num_bytes(rsa->e);
- mod_bytes = BN_num_bytes(rsa->n);
-
- if (e_bytes < 256) { /* key exponent is <= 2040 bits */
- if (r.length < 1)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
- } else {
- if (r.length < 3)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint8(data, 0);
- isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
- }
-
- if (r.length < e_bytes + mod_bytes)
- return (ISC_R_NOSPACE);
- isc_buffer_availableregion(data, &r);
-
- BN_bn2bin(rsa->e, r.base);
- r.base += e_bytes;
- BN_bn2bin(rsa->n, r.base);
-
- isc_buffer_add(data, e_bytes + mod_bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- RSA *rsa;
- isc_region_t r;
- unsigned int e_bytes;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- rsa = RSA_new();
- if (rsa == NULL)
- return (ISC_R_NOMEMORY);
- SET_FLAGS(rsa);
-
- if (r.length < 1) {
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
- e_bytes = *r.base++;
- r.length--;
-
- if (e_bytes == 0) {
- if (r.length < 2) {
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
- e_bytes = ((*r.base++) << 8);
- e_bytes += *r.base++;
- r.length -= 2;
- }
-
- if (r.length < e_bytes) {
- RSA_free(rsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
- rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
- r.base += e_bytes;
- r.length -= e_bytes;
-
- rsa->n = BN_bin2bn(r.base, r.length, NULL);
-
- key->key_size = BN_num_bits(rsa->n);
-
- isc_buffer_forward(data, r.length);
-
- key->opaque = (void *) rsa;
-
- return (ISC_R_SUCCESS);
-}
-
-
-static isc_result_t
-opensslrsa_tofile(const dst_key_t *key, const char *directory) {
- int i;
- RSA *rsa;
- dst_private_t priv;
- unsigned char *bufs[8];
- isc_result_t result;
-
- if (key->opaque == NULL)
- return (DST_R_NULLKEY);
-
- rsa = (RSA *) key->opaque;
-
- for (i = 0; i < 8; i++) {
- bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
- if (bufs[i] == NULL) {
- result = ISC_R_NOMEMORY;
- goto fail;
- }
- }
-
- i = 0;
-
- priv.elements[i].tag = TAG_RSA_MODULUS;
- priv.elements[i].length = BN_num_bytes(rsa->n);
- BN_bn2bin(rsa->n, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
- priv.elements[i].length = BN_num_bytes(rsa->e);
- BN_bn2bin(rsa->e, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
- priv.elements[i].length = BN_num_bytes(rsa->d);
- BN_bn2bin(rsa->d, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_PRIME1;
- priv.elements[i].length = BN_num_bytes(rsa->p);
- BN_bn2bin(rsa->p, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_PRIME2;
- priv.elements[i].length = BN_num_bytes(rsa->q);
- BN_bn2bin(rsa->q, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_EXPONENT1;
- priv.elements[i].length = BN_num_bytes(rsa->dmp1);
- BN_bn2bin(rsa->dmp1, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_EXPONENT2;
- priv.elements[i].length = BN_num_bytes(rsa->dmq1);
- BN_bn2bin(rsa->dmq1, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.elements[i].tag = TAG_RSA_COEFFICIENT;
- priv.elements[i].length = BN_num_bytes(rsa->iqmp);
- BN_bn2bin(rsa->iqmp, bufs[i]);
- priv.elements[i].data = bufs[i];
- i++;
-
- priv.nelements = i;
- result = dst__privstruct_writefile(key, &priv, directory);
- fail:
- for (i = 0; i < 8; i++) {
- if (bufs[i] == NULL)
- break;
- isc_mem_put(key->mctx, bufs[i], BN_num_bytes(rsa->n));
- }
- return (result);
-}
-
-static isc_result_t
-opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
- dst_private_t priv;
- isc_result_t ret;
- int i;
- RSA *rsa = NULL;
- isc_mem_t *mctx = key->mctx;
-#define DST_RET(a) {ret = a; goto err;}
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- rsa = RSA_new();
- if (rsa == NULL)
- DST_RET(ISC_R_NOMEMORY);
- SET_FLAGS(rsa);
- key->opaque = rsa;
-
- for (i = 0; i < priv.nelements; i++) {
- BIGNUM *bn;
- bn = BN_bin2bn(priv.elements[i].data,
- priv.elements[i].length, NULL);
- if (bn == NULL)
- DST_RET(ISC_R_NOMEMORY);
-
- switch (priv.elements[i].tag) {
- case TAG_RSA_MODULUS:
- rsa->n = bn;
- break;
- case TAG_RSA_PUBLICEXPONENT:
- rsa->e = bn;
- break;
- case TAG_RSA_PRIVATEEXPONENT:
- rsa->d = bn;
- break;
- case TAG_RSA_PRIME1:
- rsa->p = bn;
- break;
- case TAG_RSA_PRIME2:
- rsa->q = bn;
- break;
- case TAG_RSA_EXPONENT1:
- rsa->dmp1 = bn;
- break;
- case TAG_RSA_EXPONENT2:
- rsa->dmq1 = bn;
- break;
- case TAG_RSA_COEFFICIENT:
- rsa->iqmp = bn;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
-
- key->key_size = BN_num_bits(rsa->n);
-
- return (ISC_R_SUCCESS);
-
- err:
- opensslrsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- memset(&priv, 0, sizeof(priv));
- return (ret);
-}
-
-static dst_func_t opensslrsa_functions = {
- opensslrsa_createctx,
- opensslrsa_destroyctx,
- opensslrsa_adddata,
- opensslrsa_sign,
- opensslrsa_verify,
- NULL, /* computesecret */
- opensslrsa_compare,
- NULL, /* paramcompare */
- opensslrsa_generate,
- opensslrsa_isprivate,
- opensslrsa_destroy,
- opensslrsa_todns,
- opensslrsa_fromdns,
- opensslrsa_tofile,
- opensslrsa_parse,
- NULL, /* cleanup */
-};
-
-isc_result_t
-dst__opensslrsa_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &opensslrsa_functions;
- return (ISC_R_SUCCESS);
-}
-
-#else /* OPENSSL */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
-#endif /* OPENSSL */
diff --git a/contrib/bind9/lib/dns/order.c b/contrib/bind9/lib/dns/order.c
deleted file mode 100644
index f09afedf6d61..000000000000
--- a/contrib/bind9/lib/dns/order.c
+++ /dev/null
@@ -1,157 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: order.c,v 1.4.202.4 2004/03/08 09:04:30 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/types.h>
-#include <isc/util.h>
-#include <isc/refcount.h>
-
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/order.h>
-#include <dns/rdataset.h>
-#include <dns/types.h>
-
-typedef struct dns_order_ent dns_order_ent_t;
-struct dns_order_ent {
- dns_fixedname_t name;
- dns_rdataclass_t rdclass;
- dns_rdatatype_t rdtype;
- unsigned int mode;
- ISC_LINK(dns_order_ent_t) link;
-};
-
-struct dns_order {
- unsigned int magic;
- isc_refcount_t references;
- ISC_LIST(dns_order_ent_t) ents;
- isc_mem_t *mctx;
-};
-
-#define DNS_ORDER_MAGIC ISC_MAGIC('O','r','d','r')
-#define DNS_ORDER_VALID(order) ISC_MAGIC_VALID(order, DNS_ORDER_MAGIC)
-
-isc_result_t
-dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
- dns_order_t *order;
- REQUIRE(orderp != NULL && *orderp == NULL);
-
- order = isc_mem_get(mctx, sizeof(*order));
- if (order == NULL)
- return (ISC_R_NOMEMORY);
-
- ISC_LIST_INIT(order->ents);
- isc_refcount_init(&order->references, 1); /* Implicit attach. */
-
- order->mctx = NULL;
- isc_mem_attach(mctx, &order->mctx);
- order->magic = DNS_ORDER_MAGIC;
- *orderp = order;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_order_add(dns_order_t *order, dns_name_t *name,
- dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
- unsigned int mode)
-{
- dns_order_ent_t *ent;
-
- REQUIRE(DNS_ORDER_VALID(order));
- REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
- mode == DNS_RDATASETATTR_FIXEDORDER ||
- mode == 0 /* DNS_RDATASETATTR_CYCLIC */ );
-
- ent = isc_mem_get(order->mctx, sizeof(*ent));
- if (ent == NULL)
- return (ISC_R_NOMEMORY);
-
- dns_fixedname_init(&ent->name);
- RUNTIME_CHECK(dns_name_copy(name, dns_fixedname_name(&ent->name), NULL)
- == ISC_R_SUCCESS);
- ent->rdtype = rdtype;
- ent->rdclass = rdclass;
- ent->mode = mode;
- ISC_LINK_INIT(ent, link);
- ISC_LIST_INITANDAPPEND(order->ents, ent, link);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-match(dns_name_t *name1, dns_name_t *name2) {
-
- if (dns_name_iswildcard(name2))
- return(dns_name_matcheswildcard(name1, name2));
- return (dns_name_equal(name1, name2));
-}
-
-unsigned int
-dns_order_find(dns_order_t *order, dns_name_t *name,
- dns_rdatatype_t rdtype, dns_rdataclass_t rdclass)
-{
- dns_order_ent_t *ent;
- REQUIRE(DNS_ORDER_VALID(order));
-
- for (ent = ISC_LIST_HEAD(order->ents);
- ent != NULL;
- ent = ISC_LIST_NEXT(ent, link)) {
- if (ent->rdtype != rdtype && ent->rdtype != dns_rdatatype_any)
- continue;
- if (ent->rdclass != rdclass &&
- ent->rdclass != dns_rdataclass_any)
- continue;
- if (match(name, dns_fixedname_name(&ent->name)))
- return (ent->mode);
- }
- return (0);
-}
-
-void
-dns_order_attach(dns_order_t *source, dns_order_t **target) {
- REQUIRE(DNS_ORDER_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- isc_refcount_increment(&source->references, NULL);
- *target = source;
-}
-
-void
-dns_order_detach(dns_order_t **orderp) {
- dns_order_t *order;
- dns_order_ent_t *ent;
- unsigned int references;
-
- REQUIRE(orderp != NULL);
- order = *orderp;
- REQUIRE(DNS_ORDER_VALID(order));
- isc_refcount_decrement(&order->references, &references);
- *orderp = NULL;
- if (references != 0)
- return;
-
- order->magic = 0;
- while ((ent = ISC_LIST_HEAD(order->ents)) != NULL) {
- ISC_LIST_UNLINK(order->ents, ent, link);
- isc_mem_put(order->mctx, ent, sizeof(*ent));
- }
- isc_refcount_destroy(&order->references);
- isc_mem_putanddetach(&order->mctx, order, sizeof(*order));
-}
diff --git a/contrib/bind9/lib/dns/peer.c b/contrib/bind9/lib/dns/peer.c
deleted file mode 100644
index a50ff0c9abe5..000000000000
--- a/contrib/bind9/lib/dns/peer.c
+++ /dev/null
@@ -1,522 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: peer.c,v 1.14.2.1.10.4 2004/03/06 08:13:41 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-#include <isc/sockaddr.h>
-
-#include <dns/bit.h>
-#include <dns/fixedname.h>
-#include <dns/name.h>
-#include <dns/peer.h>
-
-/*
- * Bit positions in the dns_peer_t structure flags field
- */
-#define BOGUS_BIT 0
-#define SERVER_TRANSFER_FORMAT_BIT 1
-#define TRANSFERS_BIT 2
-#define PROVIDE_IXFR_BIT 3
-#define REQUEST_IXFR_BIT 4
-#define SUPPORT_EDNS_BIT 5
-
-static void
-peerlist_delete(dns_peerlist_t **list);
-
-static void
-peer_delete(dns_peer_t **peer);
-
-isc_result_t
-dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
- dns_peerlist_t *l;
-
- REQUIRE(list != NULL);
-
- l = isc_mem_get(mem, sizeof(*l));
- if (l == NULL)
- return (ISC_R_NOMEMORY);
-
- ISC_LIST_INIT(l->elements);
- l->mem = mem;
- l->refs = 1;
- l->magic = DNS_PEERLIST_MAGIC;
-
- *list = l;
-
- return (ISC_R_SUCCESS);
-}
-
-
-void
-dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target) {
- REQUIRE(DNS_PEERLIST_VALID(source));
- REQUIRE(target != NULL);
- REQUIRE(*target == NULL);
-
- source->refs++;
-
- ENSURE(source->refs != 0xffffffffU);
-
- *target = source;
-}
-
-void
-dns_peerlist_detach(dns_peerlist_t **list) {
- dns_peerlist_t *plist;
-
- REQUIRE(list != NULL);
- REQUIRE(*list != NULL);
- REQUIRE(DNS_PEERLIST_VALID(*list));
-
- plist = *list;
- *list = NULL;
-
- REQUIRE(plist->refs > 0);
-
- plist->refs--;
-
- if (plist->refs == 0)
- peerlist_delete(&plist);
-}
-
-static void
-peerlist_delete(dns_peerlist_t **list) {
- dns_peerlist_t *l;
- dns_peer_t *server, *stmp;
-
- REQUIRE(list != NULL);
- REQUIRE(DNS_PEERLIST_VALID(*list));
-
- l = *list;
-
- REQUIRE(l->refs == 0);
-
- server = ISC_LIST_HEAD(l->elements);
- while (server != NULL) {
- stmp = ISC_LIST_NEXT(server, next);
- ISC_LIST_UNLINK(l->elements, server, next);
- dns_peer_detach(&server);
- server = stmp;
- }
-
- l->magic = 0;
- isc_mem_put(l->mem, l, sizeof(*l));
-
- *list = NULL;
-}
-
-void
-dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
- dns_peer_t *p = NULL;
-
- dns_peer_attach(peer, &p);
-
- ISC_LIST_APPEND(peers->elements, peer, next);
-}
-
-isc_result_t
-dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
- isc_netaddr_t *addr, dns_peer_t **retval)
-{
- dns_peer_t *server;
- isc_result_t res;
-
- REQUIRE(retval != NULL);
- REQUIRE(DNS_PEERLIST_VALID(servers));
-
- server = ISC_LIST_HEAD(servers->elements);
- while (server != NULL) {
- if (isc_netaddr_equal(addr, &server->address))
- break;
-
- server = ISC_LIST_NEXT(server, next);
- }
-
- if (server != NULL) {
- *retval = server;
- res = ISC_R_SUCCESS;
- } else {
- res = ISC_R_NOTFOUND;
- }
-
- return (res);
-}
-
-
-
-isc_result_t
-dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval) {
- dns_peer_t *p = NULL;
-
- p = ISC_LIST_TAIL(peers->elements);
-
- dns_peer_attach(p, retval);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
- dns_peer_t *peer;
-
- REQUIRE(peerptr != NULL);
-
- peer = isc_mem_get(mem, sizeof(*peer));
- if (peer == NULL)
- return (ISC_R_NOMEMORY);
-
- peer->magic = DNS_PEER_MAGIC;
- peer->address = *addr;
- peer->mem = mem;
- peer->bogus = ISC_FALSE;
- peer->transfer_format = dns_one_answer;
- peer->transfers = 0;
- peer->request_ixfr = ISC_FALSE;
- peer->provide_ixfr = ISC_FALSE;
- peer->key = NULL;
- peer->refs = 1;
- peer->transfer_source = NULL;
-
- memset(&peer->bitflags, 0x0, sizeof(peer->bitflags));
-
- ISC_LINK_INIT(peer, next);
-
- *peerptr = peer;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
- REQUIRE(DNS_PEER_VALID(source));
- REQUIRE(target != NULL);
- REQUIRE(*target == NULL);
-
- source->refs++;
-
- ENSURE(source->refs != 0xffffffffU);
-
- *target = source;
-}
-
-void
-dns_peer_detach(dns_peer_t **peer) {
- dns_peer_t *p;
-
- REQUIRE(peer != NULL);
- REQUIRE(*peer != NULL);
- REQUIRE(DNS_PEER_VALID(*peer));
-
- p = *peer;
-
- REQUIRE(p->refs > 0);
-
- *peer = NULL;
- p->refs--;
-
- if (p->refs == 0)
- peer_delete(&p);
-}
-
-static void
-peer_delete(dns_peer_t **peer) {
- dns_peer_t *p;
- isc_mem_t *mem;
-
- REQUIRE(peer != NULL);
- REQUIRE(DNS_PEER_VALID(*peer));
-
- p = *peer;
-
- REQUIRE(p->refs == 0);
-
- mem = p->mem;
- p->mem = NULL;
- p->magic = 0;
-
- if (p->key != NULL) {
- dns_name_free(p->key, mem);
- isc_mem_put(mem, p->key, sizeof(dns_name_t));
- }
-
- if (p->transfer_source != NULL) {
- isc_mem_put(mem, p->transfer_source,
- sizeof(*p->transfer_source));
- }
-
- isc_mem_put(mem, p, sizeof(*p));
-
- *peer = NULL;
-}
-
-isc_result_t
-dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval) {
- isc_boolean_t existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags);
-
- peer->bogus = newval;
- DNS_BIT_SET(BOGUS_BIT, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags)) {
- *retval = peer->bogus;
- return (ISC_R_SUCCESS);
- } else
- return (ISC_R_NOTFOUND);
-}
-
-
-isc_result_t
-dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval) {
- isc_boolean_t existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags);
-
- peer->provide_ixfr = newval;
- DNS_BIT_SET(PROVIDE_IXFR_BIT, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags)) {
- *retval = peer->provide_ixfr;
- return (ISC_R_SUCCESS);
- } else {
- return (ISC_R_NOTFOUND);
- }
-}
-
-isc_result_t
-dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval) {
- isc_boolean_t existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags);
-
- peer->request_ixfr = newval;
- DNS_BIT_SET(REQUEST_IXFR_BIT, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags)) {
- *retval = peer->request_ixfr;
- return (ISC_R_SUCCESS);
- } else
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval) {
- isc_boolean_t existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags);
-
- peer->support_edns = newval;
- DNS_BIT_SET(SUPPORT_EDNS_BIT, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags)) {
- *retval = peer->support_edns;
- return (ISC_R_SUCCESS);
- } else
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-dns_peer_settransfers(dns_peer_t *peer, isc_uint32_t newval) {
- isc_boolean_t existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags);
-
- peer->transfers = newval;
- DNS_BIT_SET(TRANSFERS_BIT, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_gettransfers(dns_peer_t *peer, isc_uint32_t *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags)) {
- *retval = peer->transfers;
- return (ISC_R_SUCCESS);
- } else {
- return (ISC_R_NOTFOUND);
- }
-}
-
-isc_result_t
-dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval) {
- isc_boolean_t existed;
-
- REQUIRE(DNS_PEER_VALID(peer));
-
- existed = DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT,
- &peer->bitflags);
-
- peer->transfer_format = newval;
- DNS_BIT_SET(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
-
- return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags)) {
- *retval = peer->transfer_format;
- return (ISC_R_SUCCESS);
- } else {
- return (ISC_R_NOTFOUND);
- }
-}
-
-isc_result_t
-dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(retval != NULL);
-
- if (peer->key != NULL) {
- *retval = peer->key;
- }
-
- return (peer->key == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval) {
- isc_boolean_t exists = ISC_FALSE;
-
- if (peer->key != NULL) {
- dns_name_free(peer->key, peer->mem);
- isc_mem_put(peer->mem, peer->key, sizeof(dns_name_t));
- exists = ISC_TRUE;
- }
-
- peer->key = *keyval;
- *keyval = NULL;
-
- return (exists ? ISC_R_EXISTS : ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
- isc_buffer_t b;
- dns_fixedname_t fname;
- dns_name_t *name;
- isc_result_t result;
-
- dns_fixedname_init(&fname);
- isc_buffer_init(&b, keyval, strlen(keyval));
- isc_buffer_add(&b, strlen(keyval));
- result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
- dns_rootname, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- name = isc_mem_get(peer->mem, sizeof(dns_name_t));
- if (name == NULL)
- return (ISC_R_NOMEMORY);
-
- dns_name_init(name, NULL);
- result = dns_name_dup(dns_fixedname_name(&fname), peer->mem, name);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(peer->mem, name, sizeof(dns_name_t));
- return (result);
- }
-
- result = dns_peer_setkey(peer, &name);
- if (result != ISC_R_SUCCESS)
- isc_mem_put(peer->mem, name, sizeof(dns_name_t));
-
- return (result);
-}
-
-isc_result_t
-dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
- REQUIRE(DNS_PEER_VALID(peer));
-
- if (peer->transfer_source != NULL) {
- isc_mem_put(peer->mem, peer->transfer_source,
- sizeof(*peer->transfer_source));
- peer->transfer_source = NULL;
- }
- if (transfer_source != NULL) {
- peer->transfer_source = isc_mem_get(peer->mem,
- sizeof(*peer->transfer_source));
- if (peer->transfer_source == NULL)
- return (ISC_R_NOMEMORY);
-
- *peer->transfer_source = *transfer_source;
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
- REQUIRE(DNS_PEER_VALID(peer));
- REQUIRE(transfer_source != NULL);
-
- if (peer->transfer_source == NULL)
- return (ISC_R_NOTFOUND);
- *transfer_source = *peer->transfer_source;
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/portlist.c b/contrib/bind9/lib/dns/portlist.c
deleted file mode 100644
index 64546e374b17..000000000000
--- a/contrib/bind9/lib/dns/portlist.c
+++ /dev/null
@@ -1,260 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: portlist.c,v 1.3.72.4 2004/03/16 05:50:21 marka Exp $ */
-
-#include <stdlib.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
-#include <isc/refcount.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/types.h>
-#include <dns/portlist.h>
-
-#define DNS_PORTLIST_MAGIC ISC_MAGIC('P','L','S','T')
-#define DNS_VALID_PORTLIST(p) ISC_MAGIC_VALID(p, DNS_PORTLIST_MAGIC)
-
-typedef struct dns_element {
- in_port_t port;
- isc_uint16_t flags;
-} dns_element_t;
-
-struct dns_portlist {
- unsigned int magic;
- isc_mem_t *mctx;
- isc_refcount_t refcount;
- isc_mutex_t lock;
- dns_element_t *list;
- unsigned int allocated;
- unsigned int active;
-};
-
-#define DNS_PL_INET 0x0001
-#define DNS_PL_INET6 0x0002
-#define DNS_PL_ALLOCATE 16
-
-static int
-compare(const void *arg1, const void *arg2) {
- const dns_element_t *e1 = (const dns_element_t *)arg1;
- const dns_element_t *e2 = (const dns_element_t *)arg2;
-
- if (e1->port < e2->port)
- return (-1);
- if (e1->port > e2->port)
- return (1);
- return (0);
-}
-
-isc_result_t
-dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp) {
- dns_portlist_t *portlist;
- isc_result_t result;
-
- REQUIRE(portlistp != NULL && *portlistp == NULL);
-
- portlist = isc_mem_get(mctx, sizeof(*portlist));
- if (portlist == NULL)
- return (ISC_R_NOMEMORY);
- result = isc_mutex_init(&portlist->lock);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, portlist, sizeof(*portlist));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- isc_refcount_init(&portlist->refcount, 1);
- portlist->list = NULL;
- portlist->allocated = 0;
- portlist->active = 0;
- portlist->mctx = NULL;
- isc_mem_attach(mctx, &portlist->mctx);
- portlist->magic = DNS_PORTLIST_MAGIC;
- *portlistp = portlist;
- return (ISC_R_SUCCESS);
-}
-
-static dns_element_t *
-find_port(dns_element_t *list, unsigned int len, in_port_t port) {
- unsigned int xtry = len / 2;
- unsigned int min = 0;
- unsigned int max = len - 1;
- unsigned int last = len;
-
- for (;;) {
- if (list[xtry].port == port)
- return (&list[xtry]);
- if (port > list[xtry].port) {
- if (xtry == max)
- break;
- min = xtry;
- xtry = xtry + (max - xtry + 1) / 2;
- INSIST(xtry <= max);
- if (xtry == last)
- break;
- last = min;
- } else {
- if (xtry == min)
- break;
- max = xtry;
- xtry = xtry - (xtry - min + 1) / 2;
- INSIST(xtry >= min);
- if (xtry == last)
- break;
- last = max;
- }
- }
- return (NULL);
-}
-
-isc_result_t
-dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port) {
- dns_element_t *el;
- isc_result_t result;
-
- REQUIRE(DNS_VALID_PORTLIST(portlist));
- REQUIRE(af == AF_INET || af == AF_INET6);
-
- LOCK(&portlist->lock);
- if (portlist->active != 0) {
- el = find_port(portlist->list, portlist->active, port);
- if (el != NULL) {
- if (af == AF_INET)
- el->flags |= DNS_PL_INET;
- else
- el->flags |= DNS_PL_INET6;
- result = ISC_R_SUCCESS;
- goto unlock;
- }
- }
-
- if (portlist->allocated <= portlist->active) {
- unsigned int allocated;
- allocated = portlist->allocated + DNS_PL_ALLOCATE;
- el = isc_mem_get(portlist->mctx, sizeof(*el) * allocated);
- if (el == NULL) {
- result = ISC_R_NOMEMORY;
- goto unlock;
- }
- if (portlist->list != NULL) {
- memcpy(el, portlist->list,
- portlist->allocated * sizeof(*el));
- isc_mem_put(portlist->mctx, portlist->list,
- portlist->allocated * sizeof(*el));
- }
- portlist->list = el;
- portlist->allocated = allocated;
- }
- portlist->list[portlist->active].port = port;
- if (af == AF_INET)
- portlist->list[portlist->active].flags = DNS_PL_INET;
- else
- portlist->list[portlist->active].flags = DNS_PL_INET6;
- portlist->active++;
- qsort(portlist->list, portlist->active, sizeof(*el), compare);
- result = ISC_R_SUCCESS;
- unlock:
- UNLOCK(&portlist->lock);
- return (result);
-}
-
-void
-dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port) {
- dns_element_t *el;
-
- REQUIRE(DNS_VALID_PORTLIST(portlist));
- REQUIRE(af == AF_INET || af == AF_INET6);
-
- LOCK(&portlist->lock);
- if (portlist->active != 0) {
- el = find_port(portlist->list, portlist->active, port);
- if (el != NULL) {
- if (af == AF_INET)
- el->flags &= ~DNS_PL_INET;
- else
- el->flags &= ~DNS_PL_INET6;
- if (el->flags == 0) {
- *el = portlist->list[portlist->active];
- portlist->active--;
- qsort(portlist->list, portlist->active,
- sizeof(*el), compare);
- }
- }
- }
- UNLOCK(&portlist->lock);
-}
-
-isc_boolean_t
-dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port) {
- dns_element_t *el;
- isc_boolean_t result = ISC_FALSE;
-
- REQUIRE(DNS_VALID_PORTLIST(portlist));
- REQUIRE(af == AF_INET || af == AF_INET6);
- LOCK(&portlist->lock);
- if (portlist->active != 0) {
- el = find_port(portlist->list, portlist->active, port);
- if (el != NULL) {
- if (af == AF_INET && (el->flags & DNS_PL_INET) != 0)
- result = ISC_TRUE;
- if (af == AF_INET6 && (el->flags & DNS_PL_INET6) != 0)
- result = ISC_TRUE;
- }
- }
- UNLOCK(&portlist->lock);
- return (result);
-}
-
-void
-dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp) {
-
- REQUIRE(DNS_VALID_PORTLIST(portlist));
- REQUIRE(portlistp != NULL && *portlistp == NULL);
-
- isc_refcount_increment(&portlist->refcount, NULL);
- *portlistp = portlist;
-}
-
-void
-dns_portlist_detach(dns_portlist_t **portlistp) {
- dns_portlist_t *portlist;
- unsigned int count;
-
- REQUIRE(portlistp != NULL);
- portlist = *portlistp;
- REQUIRE(DNS_VALID_PORTLIST(portlist));
- *portlistp = NULL;
- isc_refcount_decrement(&portlist->refcount, &count);
- if (count == 0) {
- portlist->magic = 0;
- isc_refcount_destroy(&portlist->refcount);
- if (portlist->list != NULL)
- isc_mem_put(portlist->mctx, portlist->list,
- portlist->allocated *
- sizeof(*portlist->list));
- DESTROYLOCK(&portlist->lock);
- isc_mem_putanddetach(&portlist->mctx, portlist,
- sizeof(*portlist));
- }
-}
diff --git a/contrib/bind9/lib/dns/rbt.c b/contrib/bind9/lib/dns/rbt.c
deleted file mode 100644
index ecff783724b2..000000000000
--- a/contrib/bind9/lib/dns/rbt.c
+++ /dev/null
@@ -1,2541 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbt.c,v 1.115.2.2.2.13 2005/06/18 01:03:24 marka Exp $ */
-
-/* Principal Authors: DCL */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-/*
- * This define is so dns/name.h (included by dns/fixedname.h) uses more
- * efficient macro calls instead of functions for a few operations.
- */
-#define DNS_NAME_USEINLINE 1
-
-#include <dns/fixedname.h>
-#include <dns/rbt.h>
-#include <dns/result.h>
-
-#define RBT_MAGIC ISC_MAGIC('R', 'B', 'T', '+')
-#define VALID_RBT(rbt) ISC_MAGIC_VALID(rbt, RBT_MAGIC)
-
-/*
- * XXXDCL Since parent pointers were added in again, I could remove all of the
- * chain junk, and replace with dns_rbt_firstnode, _previousnode, _nextnode,
- * _lastnode. This would involve pretty major change to the API.
- */
-#define CHAIN_MAGIC ISC_MAGIC('0', '-', '0', '-')
-#define VALID_CHAIN(chain) ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
-
-#define RBT_HASH_SIZE 64
-
-#ifdef RBT_MEM_TEST
-#undef RBT_HASH_SIZE
-#define RBT_HASH_SIZE 2 /* To give the reallocation code a workout. */
-#endif
-
-struct dns_rbt {
- unsigned int magic;
- isc_mem_t * mctx;
- dns_rbtnode_t * root;
- void (*data_deleter)(void *, void *);
- void * deleter_arg;
- unsigned int nodecount;
- unsigned int hashsize;
- dns_rbtnode_t ** hashtable;
-};
-
-#define RED 0
-#define BLACK 1
-
-/*
- * Elements of the rbtnode structure.
- */
-#define PARENT(node) ((node)->parent)
-#define LEFT(node) ((node)->left)
-#define RIGHT(node) ((node)->right)
-#define DOWN(node) ((node)->down)
-#define DATA(node) ((node)->data)
-#define HASHNEXT(node) ((node)->hashnext)
-#define HASHVAL(node) ((node)->hashval)
-#define COLOR(node) ((node)->color)
-#define NAMELEN(node) ((node)->namelen)
-#define OFFSETLEN(node) ((node)->offsetlen)
-#define ATTRS(node) ((node)->attributes)
-#define PADBYTES(node) ((node)->padbytes)
-#define IS_ROOT(node) ISC_TF((node)->is_root == 1)
-#define FINDCALLBACK(node) ISC_TF((node)->find_callback == 1)
-
-/*
- * Structure elements from the rbtdb.c, not
- * used as part of the rbt.c algorithms.
- */
-#define DIRTY(node) ((node)->dirty)
-#define WILD(node) ((node)->wild)
-#define LOCKNUM(node) ((node)->locknum)
-#define REFS(node) ((node)->references)
-
-/*
- * The variable length stuff stored after the node.
- */
-#define NAME(node) ((unsigned char *)((node) + 1))
-#define OFFSETS(node) (NAME(node) + NAMELEN(node))
-
-#define NODE_SIZE(node) (sizeof(*node) + \
- NAMELEN(node) + OFFSETLEN(node) + PADBYTES(node))
-
-/*
- * Color management.
- */
-#define IS_RED(node) ((node) != NULL && (node)->color == RED)
-#define IS_BLACK(node) ((node) == NULL || (node)->color == BLACK)
-#define MAKE_RED(node) ((node)->color = RED)
-#define MAKE_BLACK(node) ((node)->color = BLACK)
-
-/*
- * Chain management.
- *
- * The "ancestors" member of chains were removed, with their job now
- * being wholy handled by parent pointers (which didn't exist, because
- * of memory concerns, when chains were first implemented).
- */
-#define ADD_LEVEL(chain, node) \
- (chain)->levels[(chain)->level_count++] = (node)
-
-/*
- * The following macros directly access normally private name variables.
- * These macros are used to avoid a lot of function calls in the critical
- * path of the tree traversal code.
- */
-
-#define NODENAME(node, name) \
-do { \
- (name)->length = NAMELEN(node); \
- (name)->labels = OFFSETLEN(node); \
- (name)->ndata = NAME(node); \
- (name)->offsets = OFFSETS(node); \
- (name)->attributes = ATTRS(node); \
- (name)->attributes |= DNS_NAMEATTR_READONLY; \
-} while (0)
-
-#ifdef DNS_RBT_USEHASH
-static isc_result_t
-inithash(dns_rbt_t *rbt);
-#endif
-
-#ifdef DEBUG
-#define inline
-/*
- * A little something to help out in GDB.
- */
-dns_name_t Name(dns_rbtnode_t *node);
-dns_name_t
-Name(dns_rbtnode_t *node) {
- dns_name_t name;
-
- dns_name_init(&name, NULL);
- if (node != NULL)
- NODENAME(node, &name);
-
- return (name);
-}
-
-static void dns_rbt_printnodename(dns_rbtnode_t *node);
-#endif
-
-static inline dns_rbtnode_t *
-find_up(dns_rbtnode_t *node) {
- dns_rbtnode_t *root;
-
- /*
- * Return the node in the level above the argument node that points
- * to the level the argument node is in. If the argument node is in
- * the top level, the return value is NULL.
- */
- for (root = node; ! IS_ROOT(root); root = PARENT(root))
- ; /* Nothing. */
-
- return (PARENT(root));
-}
-
-/*
- * Forward declarations.
- */
-static isc_result_t
-create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep);
-
-#ifdef DNS_RBT_USEHASH
-static inline void
-hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name);
-static inline void
-unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
-#else
-#define hash_node(rbt, node, name) (ISC_R_SUCCESS)
-#define unhash_node(rbt, node)
-#endif
-
-static inline void
-rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
-static inline void
-rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
-
-static void
-dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
- dns_rbtnode_t **rootp);
-
-static void
-dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp);
-
-static isc_result_t
-dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node);
-
-static void
-dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
- dns_rbtnode_t **nodep);
-
-/*
- * Initialize a red/black tree of trees.
- */
-isc_result_t
-dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
- void *deleter_arg, dns_rbt_t **rbtp)
-{
-#ifdef DNS_RBT_USEHASH
- isc_result_t result;
-#endif
- dns_rbt_t *rbt;
-
-
- REQUIRE(mctx != NULL);
- REQUIRE(rbtp != NULL && *rbtp == NULL);
- REQUIRE(deleter == NULL ? deleter_arg == NULL : 1);
-
- rbt = (dns_rbt_t *)isc_mem_get(mctx, sizeof(*rbt));
- if (rbt == NULL)
- return (ISC_R_NOMEMORY);
-
- rbt->mctx = mctx;
- rbt->data_deleter = deleter;
- rbt->deleter_arg = deleter_arg;
- rbt->root = NULL;
- rbt->nodecount = 0;
- rbt->hashtable = NULL;
- rbt->hashsize = 0;
-#ifdef DNS_RBT_USEHASH
- result = inithash(rbt);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, rbt, sizeof(*rbt));
- return (result);
- }
-#endif
- rbt->magic = RBT_MAGIC;
-
- *rbtp = rbt;
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Deallocate a red/black tree of trees.
- */
-void
-dns_rbt_destroy(dns_rbt_t **rbtp) {
- RUNTIME_CHECK(dns_rbt_destroy2(rbtp, 0) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum) {
- dns_rbt_t *rbt;
-
- REQUIRE(rbtp != NULL && VALID_RBT(*rbtp));
-
- rbt = *rbtp;
-
- dns_rbt_deletetreeflat(rbt, quantum, &rbt->root);
- if (rbt->root != NULL)
- return (ISC_R_QUOTA);
-
- INSIST(rbt->nodecount == 0);
-
- if (rbt->hashtable != NULL)
- isc_mem_put(rbt->mctx, rbt->hashtable,
- rbt->hashsize * sizeof(dns_rbtnode_t *));
-
- rbt->magic = 0;
-
- isc_mem_put(rbt->mctx, rbt, sizeof(*rbt));
- *rbtp = NULL;
- return (ISC_R_SUCCESS);
-}
-
-unsigned int
-dns_rbt_nodecount(dns_rbt_t *rbt) {
- REQUIRE(VALID_RBT(rbt));
- return (rbt->nodecount);
-}
-
-static inline isc_result_t
-chain_name(dns_rbtnodechain_t *chain, dns_name_t *name,
- isc_boolean_t include_chain_end)
-{
- dns_name_t nodename;
- isc_result_t result = ISC_R_SUCCESS;
- int i;
-
- dns_name_init(&nodename, NULL);
-
- if (include_chain_end && chain->end != NULL) {
- NODENAME(chain->end, &nodename);
- result = dns_name_copy(&nodename, name, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- } else
- dns_name_reset(name);
-
- for (i = (int)chain->level_count - 1; i >= 0; i--) {
- NODENAME(chain->levels[i], &nodename);
- result = dns_name_concatenate(name, &nodename, name, NULL);
-
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- return (result);
-}
-
-static inline isc_result_t
-move_chain_to_last(dns_rbtnodechain_t *chain, dns_rbtnode_t *node) {
- do {
- /*
- * Go as far right and then down as much as possible,
- * as long as the rightmost node has a down pointer.
- */
- while (RIGHT(node) != NULL)
- node = RIGHT(node);
-
- if (DOWN(node) == NULL)
- break;
-
- ADD_LEVEL(chain, node);
- node = DOWN(node);
- } while (1);
-
- chain->end = node;
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Add 'name' to tree, initializing its data pointer with 'data'.
- */
-
-isc_result_t
-dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
- /*
- * Does this thing have too many variables or what?
- */
- dns_rbtnode_t **root, *parent, *child, *current, *new_current;
- dns_name_t *add_name, *new_name, current_name, *prefix, *suffix;
- dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix, fnewname;
- dns_offsets_t current_offsets;
- dns_namereln_t compared;
- isc_result_t result = ISC_R_SUCCESS;
- dns_rbtnodechain_t chain;
- unsigned int common_labels;
- unsigned int nlabels, hlabels;
- int order;
-
- REQUIRE(VALID_RBT(rbt));
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(nodep != NULL && *nodep == NULL);
-
- /*
- * Create a copy of the name so the original name structure is
- * not modified.
- */
- dns_fixedname_init(&fixedcopy);
- add_name = dns_fixedname_name(&fixedcopy);
- dns_name_clone(name, add_name);
-
- if (rbt->root == NULL) {
- result = create_node(rbt->mctx, add_name, &new_current);
- if (result == ISC_R_SUCCESS) {
- rbt->nodecount++;
- new_current->is_root = 1;
- rbt->root = new_current;
- *nodep = new_current;
- hash_node(rbt, new_current, name);
- }
- return (result);
- }
-
- dns_rbtnodechain_init(&chain, rbt->mctx);
-
- dns_fixedname_init(&fixedprefix);
- dns_fixedname_init(&fixedsuffix);
- prefix = dns_fixedname_name(&fixedprefix);
- suffix = dns_fixedname_name(&fixedsuffix);
-
- root = &rbt->root;
- INSIST(IS_ROOT(*root));
- parent = NULL;
- current = NULL;
- child = *root;
- dns_name_init(&current_name, current_offsets);
- dns_fixedname_init(&fnewname);
- new_name = dns_fixedname_name(&fnewname);
- nlabels = dns_name_countlabels(name);
- hlabels = 0;
-
- do {
- current = child;
-
- NODENAME(current, &current_name);
- compared = dns_name_fullcompare(add_name, &current_name,
- &order, &common_labels);
-
- if (compared == dns_namereln_equal) {
- *nodep = current;
- result = ISC_R_EXISTS;
- break;
-
- }
-
- if (compared == dns_namereln_none) {
-
- if (order < 0) {
- parent = current;
- child = LEFT(current);
-
- } else if (order > 0) {
- parent = current;
- child = RIGHT(current);
-
- }
-
- } else {
- /*
- * This name has some suffix in common with the
- * name at the current node. If the name at
- * the current node is shorter, that means the
- * new name should be in a subtree. If the
- * name at the current node is longer, that means
- * the down pointer to this tree should point
- * to a new tree that has the common suffix, and
- * the non-common parts of these two names should
- * start a new tree.
- */
- hlabels += common_labels;
- if (compared == dns_namereln_subdomain) {
- /*
- * All of the existing labels are in common,
- * so the new name is in a subtree.
- * Whack off the common labels for the
- * not-in-common part to be searched for
- * in the next level.
- */
- dns_name_split(add_name, common_labels,
- add_name, NULL);
-
- /*
- * Follow the down pointer (possibly NULL).
- */
- root = &DOWN(current);
-
- INSIST(*root == NULL ||
- (IS_ROOT(*root) &&
- PARENT(*root) == current));
-
- parent = NULL;
- child = DOWN(current);
- ADD_LEVEL(&chain, current);
-
- } else {
- /*
- * The number of labels in common is fewer
- * than the number of labels at the current
- * node, so the current node must be adjusted
- * to have just the common suffix, and a down
- * pointer made to a new tree.
- */
-
- INSIST(compared == dns_namereln_commonancestor
- || compared == dns_namereln_contains);
-
- /*
- * Ensure the number of levels in the tree
- * does not exceed the number of logical
- * levels allowed by DNSSEC.
- *
- * XXXDCL need a better error result?
- *
- * XXXDCL Since chain ancestors were removed,
- * no longer used by dns_rbt_addonlevel(),
- * this is the only real use of chains in the
- * function. It could be done instead with
- * a simple integer variable, but I am pressed
- * for time.
- */
- if (chain.level_count ==
- (sizeof(chain.levels) /
- sizeof(*chain.levels))) {
- result = ISC_R_NOSPACE;
- break;
- }
-
- /*
- * Split the name into two parts, a prefix
- * which is the not-in-common parts of the
- * two names and a suffix that is the common
- * parts of them.
- */
- dns_name_split(&current_name, common_labels,
- prefix, suffix);
- result = create_node(rbt->mctx, suffix,
- &new_current);
-
- if (result != ISC_R_SUCCESS)
- break;
-
- /*
- * Reproduce the tree attributes of the
- * current node.
- */
- new_current->is_root = current->is_root;
- PARENT(new_current) = PARENT(current);
- LEFT(new_current) = LEFT(current);
- RIGHT(new_current) = RIGHT(current);
- COLOR(new_current) = COLOR(current);
-
- /*
- * Fix pointers that were to the current node.
- */
- if (parent != NULL) {
- if (LEFT(parent) == current)
- LEFT(parent) = new_current;
- else
- RIGHT(parent) = new_current;
- }
- if (LEFT(new_current) != NULL)
- PARENT(LEFT(new_current)) =
- new_current;
- if (RIGHT(new_current) != NULL)
- PARENT(RIGHT(new_current)) =
- new_current;
- if (*root == current)
- *root = new_current;
-
- NAMELEN(current) = prefix->length;
- OFFSETLEN(current) = prefix->labels;
- memcpy(OFFSETS(current), prefix->offsets,
- prefix->labels);
- PADBYTES(current) +=
- (current_name.length - prefix->length) +
- (current_name.labels - prefix->labels);
-
- /*
- * Set up the new root of the next level.
- * By definition it will not be the top
- * level tree, so clear DNS_NAMEATTR_ABSOLUTE.
- */
- current->is_root = 1;
- PARENT(current) = new_current;
- DOWN(new_current) = current;
- root = &DOWN(new_current);
-
- ADD_LEVEL(&chain, new_current);
-
- LEFT(current) = NULL;
- RIGHT(current) = NULL;
-
- MAKE_BLACK(current);
- ATTRS(current) &= ~DNS_NAMEATTR_ABSOLUTE;
-
- rbt->nodecount++;
- dns_name_getlabelsequence(name,
- nlabels - hlabels,
- hlabels, new_name);
- hash_node(rbt, new_current, new_name);
-
- if (common_labels ==
- dns_name_countlabels(add_name)) {
- /*
- * The name has been added by pushing
- * the not-in-common parts down to
- * a new level.
- */
- *nodep = new_current;
- return (ISC_R_SUCCESS);
-
- } else {
- /*
- * The current node has no data,
- * because it is just a placeholder.
- * Its data pointer is already NULL
- * from create_node()), so there's
- * nothing more to do to it.
- */
-
- /*
- * The not-in-common parts of the new
- * name will be inserted into the new
- * level following this loop (unless
- * result != ISC_R_SUCCESS, which
- * is tested after the loop ends).
- */
- dns_name_split(add_name, common_labels,
- add_name, NULL);
-
- break;
- }
-
- }
-
- }
-
- } while (child != NULL);
-
- if (result == ISC_R_SUCCESS)
- result = create_node(rbt->mctx, add_name, &new_current);
-
- if (result == ISC_R_SUCCESS) {
- dns_rbt_addonlevel(new_current, current, order, root);
- rbt->nodecount++;
- *nodep = new_current;
- hash_node(rbt, new_current, name);
- }
-
- return (result);
-}
-
-/*
- * Add a name to the tree of trees, associating it with some data.
- */
-isc_result_t
-dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data) {
- isc_result_t result;
- dns_rbtnode_t *node;
-
- REQUIRE(VALID_RBT(rbt));
- REQUIRE(dns_name_isabsolute(name));
-
- node = NULL;
-
- result = dns_rbt_addnode(rbt, name, &node);
-
- /*
- * dns_rbt_addnode will report the node exists even when
- * it does not have data associated with it, but the
- * dns_rbt_*name functions all behave depending on whether
- * there is data associated with a node.
- */
- if (result == ISC_R_SUCCESS ||
- (result == ISC_R_EXISTS && DATA(node) == NULL)) {
- DATA(node) = data;
- result = ISC_R_SUCCESS;
- }
-
- return (result);
-}
-
-/*
- * Find the node for "name" in the tree of trees.
- */
-isc_result_t
-dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
- dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
- unsigned int options, dns_rbtfindcallback_t callback,
- void *callback_arg)
-{
- dns_rbtnode_t *current, *last_compared, *current_root;
- dns_rbtnodechain_t localchain;
- dns_name_t *search_name, current_name, *callback_name;
- dns_fixedname_t fixedcallbackname, fixedsearchname;
- dns_namereln_t compared;
- isc_result_t result, saved_result;
- unsigned int common_labels;
- unsigned int hlabels = 0;
- int order;
-
- REQUIRE(VALID_RBT(rbt));
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(node != NULL && *node == NULL);
- REQUIRE((options & (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR))
- != (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR));
-
- /*
- * If there is a chain it needs to appear to be in a sane state,
- * otherwise a chain is still needed to generate foundname and
- * callback_name.
- */
- if (chain == NULL) {
- options |= DNS_RBTFIND_NOPREDECESSOR;
- chain = &localchain;
- dns_rbtnodechain_init(chain, rbt->mctx);
- } else
- dns_rbtnodechain_reset(chain);
-
- if (rbt->root == NULL)
- return (ISC_R_NOTFOUND);
- else {
- /*
- * Appease GCC about variables it incorrectly thinks are
- * possibly used uninitialized.
- */
- compared = dns_namereln_none;
- last_compared = NULL;
- }
-
- dns_fixedname_init(&fixedcallbackname);
- callback_name = dns_fixedname_name(&fixedcallbackname);
-
- /*
- * search_name is the name segment being sought in each tree level.
- * By using a fixedname, the search_name will definitely have offsets
- * for use by any splitting.
- * By using dns_name_clone, no name data should be copied thanks to
- * the lack of bitstring labels.
- */
- dns_fixedname_init(&fixedsearchname);
- search_name = dns_fixedname_name(&fixedsearchname);
- dns_name_clone(name, search_name);
-
- dns_name_init(&current_name, NULL);
-
- saved_result = ISC_R_SUCCESS;
- current = rbt->root;
- current_root = rbt->root;
-
- while (current != NULL) {
- NODENAME(current, &current_name);
- compared = dns_name_fullcompare(search_name, &current_name,
- &order, &common_labels);
- last_compared = current;
-
- if (compared == dns_namereln_equal)
- break;
-
- if (compared == dns_namereln_none) {
-#ifdef DNS_RBT_USEHASH
- dns_name_t hash_name;
- dns_rbtnode_t *hnode;
- dns_rbtnode_t *up_current;
- unsigned int nlabels;
- unsigned int tlabels = 1;
- unsigned int hash;
-
- /*
- * If there is no hash table, hashing can't be done.
- */
- if (rbt->hashtable == NULL)
- goto nohash;
-
- /*
- * The case of current != current_root, that
- * means a left or right pointer was followed,
- * only happens when the algorithm fell through to
- * the traditional binary search because of a
- * bitstring label. Since we dropped the bitstring
- * support, this should not happen.
- */
- INSIST(current == current_root);
-
- nlabels = dns_name_countlabels(search_name);
-
- /*
- * current_root is the root of the current level, so
- * it's parent is the same as it's "up" pointer.
- */
- up_current = PARENT(current_root);
- dns_name_init(&hash_name, NULL);
-
- hashagain:
- /*
- * Hash includes tail.
- */
- dns_name_getlabelsequence(name,
- nlabels - tlabels,
- hlabels + tlabels,
- &hash_name);
- hash = dns_name_fullhash(&hash_name, ISC_FALSE);
- dns_name_getlabelsequence(search_name,
- nlabels - tlabels,
- tlabels, &hash_name);
-
- for (hnode = rbt->hashtable[hash % rbt->hashsize];
- hnode != NULL;
- hnode = hnode->hashnext)
- {
- dns_name_t hnode_name;
-
- if (hash != HASHVAL(hnode))
- continue;
- if (find_up(hnode) != up_current)
- continue;
- dns_name_init(&hnode_name, NULL);
- NODENAME(hnode, &hnode_name);
- if (dns_name_equal(&hnode_name, &hash_name))
- break;
- }
-
- if (hnode != NULL) {
- current = hnode;
- /*
- * This is an optimization. If hashing found
- * the right node, the next call to
- * dns_name_fullcompare() would obviously
- * return _equal or _subdomain. Determine
- * which of those would be the case by
- * checking if the full name was hashed. Then
- * make it look like dns_name_fullcompare
- * was called and jump to the right place.
- */
- if (tlabels == nlabels) {
- compared = dns_namereln_equal;
- break;
- } else {
- common_labels = tlabels;
- compared = dns_namereln_subdomain;
- goto subdomain;
- }
- }
-
- if (tlabels++ < nlabels)
- goto hashagain;
-
- /*
- * All of the labels have been tried against the hash
- * table. Since we dropped the support of bitstring
- * labels, the name isn't in the table.
- */
- current = NULL;
- continue;
-
- nohash:
-#endif /* DNS_RBT_USEHASH */
- /*
- * Standard binary search tree movement.
- */
- if (order < 0)
- current = LEFT(current);
- else
- current = RIGHT(current);
-
- } else {
- /*
- * The names have some common suffix labels.
- *
- * If the number in common are equal in length to
- * the current node's name length, then follow the
- * down pointer and search in the new tree.
- */
- if (compared == dns_namereln_subdomain) {
- subdomain:
- /*
- * Whack off the current node's common parts
- * for the name to search in the next level.
- */
- dns_name_split(search_name, common_labels,
- search_name, NULL);
- hlabels += common_labels;
- /*
- * This might be the closest enclosing name.
- */
- if (DATA(current) != NULL ||
- (options & DNS_RBTFIND_EMPTYDATA) != 0)
- *node = current;
-
- /*
- * Point the chain to the next level. This
- * needs to be done before 'current' is pointed
- * there because the callback in the next
- * block of code needs the current 'current',
- * but in the event the callback requests that
- * the search be stopped then the
- * DNS_R_PARTIALMATCH code at the end of this
- * function needs the chain pointed to the
- * next level.
- */
- ADD_LEVEL(chain, current);
-
- /*
- * The caller may want to interrupt the
- * downward search when certain special nodes
- * are traversed. If this is a special node,
- * the callback is used to learn what the
- * caller wants to do.
- */
- if (callback != NULL &&
- FINDCALLBACK(current)) {
- result = chain_name(chain,
- callback_name,
- ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- dns_rbtnodechain_reset(chain);
- return (result);
- }
-
- result = (callback)(current,
- callback_name,
- callback_arg);
- if (result != DNS_R_CONTINUE) {
- saved_result = result;
- /*
- * Treat this node as if it
- * had no down pointer.
- */
- current = NULL;
- break;
- }
- }
-
- /*
- * Finally, head to the next tree level.
- */
- current = DOWN(current);
- current_root = current;
-
- } else {
- /*
- * Though there are labels in common, the
- * entire name at this node is not common
- * with the search name so the search
- * name does not exist in the tree.
- */
- INSIST(compared == dns_namereln_commonancestor
- || compared == dns_namereln_contains);
-
- current = NULL;
- }
- }
- }
-
- /*
- * If current is not NULL, NOEXACT is not disallowing exact matches,
- * and either the node has data or an empty node is ok, return
- * ISC_R_SUCCESS to indicate an exact match.
- */
- if (current != NULL && (options & DNS_RBTFIND_NOEXACT) == 0 &&
- (DATA(current) != NULL ||
- (options & DNS_RBTFIND_EMPTYDATA) != 0)) {
- /*
- * Found an exact match.
- */
- chain->end = current;
- chain->level_matches = chain->level_count;
-
- if (foundname != NULL)
- result = chain_name(chain, foundname, ISC_TRUE);
- else
- result = ISC_R_SUCCESS;
-
- if (result == ISC_R_SUCCESS) {
- *node = current;
- result = saved_result;
- } else
- *node = NULL;
- } else {
- /*
- * Did not find an exact match (or did not want one).
- */
- if (*node != NULL) {
- /*
- * ... but found a partially matching superdomain.
- * Unwind the chain to the partial match node
- * to set level_matches to the level above the node,
- * and then to derive the name.
- *
- * chain->level_count is guaranteed to be at least 1
- * here because by definition of finding a superdomain,
- * the chain is pointed to at least the first subtree.
- */
- chain->level_matches = chain->level_count - 1;
-
- while (chain->levels[chain->level_matches] != *node) {
- INSIST(chain->level_matches > 0);
- chain->level_matches--;
- }
-
- if (foundname != NULL) {
- unsigned int saved_count = chain->level_count;
-
- chain->level_count = chain->level_matches + 1;
-
- result = chain_name(chain, foundname,
- ISC_FALSE);
-
- chain->level_count = saved_count;
- } else
- result = ISC_R_SUCCESS;
-
- if (result == ISC_R_SUCCESS)
- result = DNS_R_PARTIALMATCH;
-
- } else
- result = ISC_R_NOTFOUND;
-
- if (current != NULL) {
- /*
- * There was an exact match but either
- * DNS_RBTFIND_NOEXACT was set, or
- * DNS_RBTFIND_EMPTYDATA was set and the node had no
- * data. A policy decision was made to set the
- * chain to the exact match, but this is subject
- * to change if it becomes apparent that something
- * else would be more useful. It is important that
- * this case is handled here, because the predecessor
- * setting code below assumes the match was not exact.
- */
- INSIST(((options & DNS_RBTFIND_NOEXACT) != 0) ||
- ((options & DNS_RBTFIND_EMPTYDATA) == 0 &&
- DATA(current) == NULL));
- chain->end = current;
-
- } else if ((options & DNS_RBTFIND_NOPREDECESSOR) != 0) {
- /*
- * Ensure the chain points nowhere.
- */
- chain->end = NULL;
-
- } else {
- /*
- * Since there was no exact match, the chain argument
- * needs to be pointed at the DNSSEC predecessor of
- * the search name.
- */
- if (compared == dns_namereln_subdomain) {
- /*
- * Attempted to follow a down pointer that was
- * NULL, which means the searched for name was
- * a subdomain of a terminal name in the tree.
- * Since there are no existing subdomains to
- * order against, the terminal name is the
- * predecessor.
- */
- INSIST(chain->level_count > 0);
- INSIST(chain->level_matches <
- chain->level_count);
- chain->end =
- chain->levels[--chain->level_count];
-
- } else {
- isc_result_t result2;
-
- /*
- * Point current to the node that stopped
- * the search.
- *
- * With the hashing modification that has been
- * added to the algorithm, the stop node of a
- * standard binary search is not known. So it
- * has to be found. There is probably a more
- * clever way of doing this.
- *
- * The assignment of current to NULL when
- * the relationship is *not* dns_namereln_none,
- * even though it later gets set to the same
- * last_compared anyway, is simply to not push
- * the while loop in one more level of
- * indentation.
- */
- if (compared == dns_namereln_none)
- current = last_compared;
- else
- current = NULL;
-
- while (current != NULL) {
- NODENAME(current, &current_name);
- compared = dns_name_fullcompare(
- search_name,
- &current_name,
- &order,
- &common_labels);
-
- last_compared = current;
-
- /*
- * Standard binary search movement.
- */
- if (order < 0)
- current = LEFT(current);
- else
- current = RIGHT(current);
-
- }
-
- current = last_compared;
-
- /*
- * Reached a point within a level tree that
- * positively indicates the name is not
- * present, but the stop node could be either
- * less than the desired name (order > 0) or
- * greater than the desired name (order < 0).
- *
- * If the stop node is less, it is not
- * necessarily the predecessor. If the stop
- * node has a down pointer, then the real
- * predecessor is at the end of a level below
- * (not necessarily the next level).
- * Move down levels until the rightmost node
- * does not have a down pointer.
- *
- * When the stop node is greater, it is
- * the successor. All the logic for finding
- * the predecessor is handily encapsulated
- * in dns_rbtnodechain_prev. In the event
- * that the search name is less than anything
- * else in the tree, the chain is reset.
- * XXX DCL What is the best way for the caller
- * to know that the search name has
- * no predecessor?
- */
-
-
- if (order > 0) {
- if (DOWN(current) != NULL) {
- ADD_LEVEL(chain, current);
-
- result2 =
- move_chain_to_last(chain,
- DOWN(current));
-
- if (result2 != ISC_R_SUCCESS)
- result = result2;
- } else
- /*
- * Ah, the pure and simple
- * case. The stop node is the
- * predecessor.
- */
- chain->end = current;
-
- } else {
- INSIST(order < 0);
-
- chain->end = current;
-
- result2 = dns_rbtnodechain_prev(chain,
- NULL,
- NULL);
- if (result2 == ISC_R_SUCCESS ||
- result2 == DNS_R_NEWORIGIN)
- ; /* Nothing. */
- else if (result2 == ISC_R_NOMORE)
- /*
- * There is no predecessor.
- */
- dns_rbtnodechain_reset(chain);
- else
- result = result2;
- }
-
- }
- }
- }
-
- ENSURE(*node == NULL || DNS_RBTNODE_VALID(*node));
-
- return (result);
-}
-
-/*
- * Get the data pointer associated with 'name'.
- */
-isc_result_t
-dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
- dns_name_t *foundname, void **data) {
- dns_rbtnode_t *node = NULL;
- isc_result_t result;
-
- REQUIRE(data != NULL && *data == NULL);
-
- result = dns_rbt_findnode(rbt, name, foundname, &node, NULL,
- options, NULL, NULL);
-
- if (node != NULL &&
- (DATA(node) != NULL || (options & DNS_RBTFIND_EMPTYDATA) != 0))
- *data = DATA(node);
- else
- result = ISC_R_NOTFOUND;
-
- return (result);
-}
-
-/*
- * Delete a name from the tree of trees.
- */
-isc_result_t
-dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse) {
- dns_rbtnode_t *node = NULL;
- isc_result_t result;
-
- REQUIRE(VALID_RBT(rbt));
- REQUIRE(dns_name_isabsolute(name));
-
- /*
- * First, find the node.
- *
- * When searching, the name might not have an exact match:
- * consider a.b.a.com, b.b.a.com and c.b.a.com as the only
- * elements of a tree, which would make layer 1 a single
- * node tree of "b.a.com" and layer 2 a three node tree of
- * a, b, and c. Deleting a.com would find only a partial depth
- * match in the first layer. Should it be a requirement that
- * that the name to be deleted have data? For now, it is.
- *
- * ->dirty, ->locknum and ->references are ignored; they are
- * solely the province of rbtdb.c.
- */
- result = dns_rbt_findnode(rbt, name, NULL, &node, NULL,
- DNS_RBTFIND_NOOPTIONS, NULL, NULL);
-
- if (result == ISC_R_SUCCESS) {
- if (DATA(node) != NULL)
- result = dns_rbt_deletenode(rbt, node, recurse);
- else
- result = ISC_R_NOTFOUND;
-
- } else if (result == DNS_R_PARTIALMATCH)
- result = ISC_R_NOTFOUND;
-
- return (result);
-}
-
-/*
- * Remove a node from the tree of trees.
- *
- * NOTE WELL: deletion is *not* symmetric with addition; that is, reversing
- * a sequence of additions to be deletions will not generally get the
- * tree back to the state it started in. For example, if the addition
- * of "b.c" caused the node "a.b.c" to be split, pushing "a" to its own level,
- * then the subsequent deletion of "b.c" will not cause "a" to be pulled up,
- * restoring "a.b.c". The RBT *used* to do this kind of rejoining, but it
- * turned out to be a bad idea because it could corrupt an active nodechain
- * that had "b.c" as one of its levels -- and the RBT has no idea what
- * nodechains are in use by callers, so it can't even *try* to helpfully
- * fix them up (which would probably be doomed to failure anyway).
- *
- * Similarly, it is possible to leave the tree in a state where a supposedly
- * deleted node still exists. The first case of this is obvious; take
- * the tree which has "b.c" on one level, pointing to "a". Now deleted "b.c".
- * It was just established in the previous paragraph why we can't pull "a"
- * back up to its parent level. But what happens when "a" then gets deleted?
- * "b.c" is left hanging around without data or children. This condition
- * is actually pretty easy to detect, but ... should it really be removed?
- * Is a chain pointing to it? An iterator? Who knows! (Note that the
- * references structure member cannot be looked at because it is private to
- * rbtdb.) This is ugly and makes me unhappy, but after hours of trying to
- * make it more aesthetically proper and getting nowhere, this is the way it
- * is going to stay until such time as it proves to be a *real* problem.
- *
- * Finally, for reference, note that the original routine that did node
- * joining was called join_nodes(). It has been excised, living now only
- * in the CVS history, but comments have been left behind that point to it just
- * in case someone wants to muck with this some more.
- *
- * The one positive aspect of all of this is that joining used to have a
- * case where it might fail. Without trying to join, now this function always
- * succeeds. It still returns isc_result_t, though, so the API wouldn't change.
- */
-isc_result_t
-dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
-{
- dns_rbtnode_t *parent;
-
- REQUIRE(VALID_RBT(rbt));
- REQUIRE(DNS_RBTNODE_VALID(node));
-
- if (DOWN(node) != NULL) {
- if (recurse)
- RUNTIME_CHECK(dns_rbt_deletetree(rbt, DOWN(node))
- == ISC_R_SUCCESS);
- else {
- if (DATA(node) != NULL && rbt->data_deleter != NULL)
- rbt->data_deleter(DATA(node),
- rbt->deleter_arg);
- DATA(node) = NULL;
-
- /*
- * Since there is at least one node below this one and
- * no recursion was requested, the deletion is
- * complete. The down node from this node might be all
- * by itself on a single level, so join_nodes() could
- * be used to collapse the tree (with all the caveats
- * of the comment at the start of this function).
- */
- return (ISC_R_SUCCESS);
- }
- }
-
- /*
- * Note the node that points to the level of the node that is being
- * deleted. If the deleted node is the top level, parent will be set
- * to NULL.
- */
- parent = find_up(node);
-
- /*
- * This node now has no down pointer (either because it didn't
- * have one to start, or because it was recursively removed).
- * So now the node needs to be removed from this level.
- */
- dns_rbt_deletefromlevel(node, parent == NULL ? &rbt->root :
- &DOWN(parent));
-
- if (DATA(node) != NULL && rbt->data_deleter != NULL)
- rbt->data_deleter(DATA(node), rbt->deleter_arg);
-
- unhash_node(rbt, node);
-#if DNS_RBT_USEMAGIC
- node->magic = 0;
-#endif
- isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
- rbt->nodecount--;
-
- /*
- * There are now two special cases that can exist that would
- * not have existed if the tree had been created using only
- * the names that now exist in it. (This is all related to
- * join_nodes() as described in this function's introductory comment.)
- * Both cases exist when the deleted node's parent (the node
- * that pointed to the deleted node's level) is not null but
- * it has no data: parent != NULL && DATA(parent) == NULL.
- *
- * The first case is that the deleted node was the last on its level:
- * DOWN(parent) == NULL. This case can only exist if the parent was
- * previously deleted -- and so now, apparently, the parent should go
- * away. That can't be done though because there might be external
- * references to it, such as through a nodechain.
- *
- * The other case also involves a parent with no data, but with the
- * deleted node being the next-to-last node instead of the last:
- * LEFT(DOWN(parent)) == NULL && RIGHT(DOWN(parent)) == NULL.
- * Presumably now the remaining node on the level should be joined
- * with the parent, but it's already been described why that can't be
- * done.
- */
-
- /*
- * This function never fails.
- */
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name) {
-
- REQUIRE(DNS_RBTNODE_VALID(node));
- REQUIRE(name != NULL);
- REQUIRE(name->offsets == NULL);
-
- NODENAME(node, name);
-}
-
-isc_result_t
-dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name) {
- dns_name_t current;
- isc_result_t result;
-
- REQUIRE(DNS_RBTNODE_VALID(node));
- REQUIRE(name != NULL);
- REQUIRE(name->buffer != NULL);
-
- dns_name_init(&current, NULL);
- dns_name_reset(name);
-
- do {
- INSIST(node != NULL);
-
- NODENAME(node, &current);
-
- result = dns_name_concatenate(name, &current, name, NULL);
- if (result != ISC_R_SUCCESS)
- break;
-
- node = find_up(node);
- } while (! dns_name_isabsolute(name));
-
- return (result);
-}
-
-char *
-dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname, unsigned int size)
-{
- dns_fixedname_t fixedname;
- dns_name_t *name;
- isc_result_t result;
-
- REQUIRE(DNS_RBTNODE_VALID(node));
- REQUIRE(printname != NULL);
-
- dns_fixedname_init(&fixedname);
- name = dns_fixedname_name(&fixedname);
- result = dns_rbt_fullnamefromnode(node, name);
- if (result == ISC_R_SUCCESS)
- dns_name_format(name, printname, size);
- else
- snprintf(printname, size, "<error building name: %s>",
- dns_result_totext(result));
-
- return (printname);
-}
-
-static isc_result_t
-create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
- dns_rbtnode_t *node;
- isc_region_t region;
- unsigned int labels;
-
- REQUIRE(name->offsets != NULL);
-
- dns_name_toregion(name, &region);
- labels = dns_name_countlabels(name);
- ENSURE(labels > 0);
-
- /*
- * Allocate space for the node structure, the name, and the offsets.
- */
- node = (dns_rbtnode_t *)isc_mem_get(mctx, sizeof(*node) +
- region.length + labels);
-
- if (node == NULL)
- return (ISC_R_NOMEMORY);
-
- node->is_root = 0;
- PARENT(node) = NULL;
- RIGHT(node) = NULL;
- LEFT(node) = NULL;
- DOWN(node) = NULL;
- DATA(node) = NULL;
-#ifdef DNS_RBT_USEHASH
- HASHNEXT(node) = NULL;
- HASHVAL(node) = 0;
-#endif
-
- LOCKNUM(node) = 0;
- REFS(node) = 0;
- WILD(node) = 0;
- DIRTY(node) = 0;
- node->find_callback = 0;
-
- MAKE_BLACK(node);
-
- /*
- * The following is stored to make reconstructing a name from the
- * stored value in the node easy: the length of the name, the number
- * of labels, whether the name is absolute or not, the name itself,
- * and the name's offsets table.
- *
- * XXX RTH
- * The offsets table could be made smaller by eliminating the
- * first offset, which is always 0. This requires changes to
- * lib/dns/name.c.
- */
- NAMELEN(node) = region.length;
- PADBYTES(node) = 0;
- OFFSETLEN(node) = labels;
- ATTRS(node) = name->attributes;
-
- memcpy(NAME(node), region.base, region.length);
- memcpy(OFFSETS(node), name->offsets, labels);
-
-#if DNS_RBT_USEMAGIC
- node->magic = DNS_RBTNODE_MAGIC;
-#endif
- *nodep = node;
-
- return (ISC_R_SUCCESS);
-}
-
-#ifdef DNS_RBT_USEHASH
-static inline void
-hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
- unsigned int hash;
-
- HASHVAL(node) = dns_name_fullhash(name, ISC_FALSE);
-
- hash = HASHVAL(node) % rbt->hashsize;
- HASHNEXT(node) = rbt->hashtable[hash];
-
- rbt->hashtable[hash] = node;
-}
-
-static isc_result_t
-inithash(dns_rbt_t *rbt) {
- unsigned int bytes;
-
- rbt->hashsize = RBT_HASH_SIZE;
- bytes = rbt->hashsize * sizeof(dns_rbtnode_t *);
- rbt->hashtable = isc_mem_get(rbt->mctx, bytes);
-
- if (rbt->hashtable == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(rbt->hashtable, 0, bytes);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-rehash(dns_rbt_t *rbt) {
- unsigned int oldsize;
- dns_rbtnode_t **oldtable;
- dns_rbtnode_t *node;
- unsigned int hash;
- unsigned int i;
-
- oldsize = rbt->hashsize;
- oldtable = rbt->hashtable;
- rbt->hashsize *= 2 + 1;
- rbt->hashtable = isc_mem_get(rbt->mctx,
- rbt->hashsize * sizeof(dns_rbtnode_t *));
- if (rbt->hashtable == NULL) {
- rbt->hashtable = oldtable;
- rbt->hashsize = oldsize;
- return;
- }
-
- for (i = 0; i < rbt->hashsize; i++)
- rbt->hashtable[i] = NULL;
-
- for (i = 0; i < oldsize; i++) {
- node = oldtable[i];
- while (node != NULL) {
- hash = HASHVAL(node) % rbt->hashsize;
- oldtable[i] = HASHNEXT(node);
- HASHNEXT(node) = rbt->hashtable[hash];
- rbt->hashtable[hash] = node;
- node = oldtable[i];
- }
- }
-
- isc_mem_put(rbt->mctx, oldtable, oldsize * sizeof(dns_rbtnode_t *));
-}
-
-static inline void
-hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node, dns_name_t *name) {
-
- REQUIRE(DNS_RBTNODE_VALID(node));
-
- if (rbt->nodecount >= (rbt->hashsize *3))
- rehash(rbt);
-
- hash_add_node(rbt, node, name);
-}
-
-static inline void
-unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
- unsigned int bucket;
- dns_rbtnode_t *bucket_node;
-
- REQUIRE(DNS_RBTNODE_VALID(node));
-
- if (rbt->hashtable != NULL) {
- bucket = HASHVAL(node) % rbt->hashsize;
- bucket_node = rbt->hashtable[bucket];
-
- if (bucket_node == node)
- rbt->hashtable[bucket] = HASHNEXT(node);
- else {
- while (HASHNEXT(bucket_node) != node) {
- INSIST(HASHNEXT(bucket_node) != NULL);
- bucket_node = HASHNEXT(bucket_node);
- }
- HASHNEXT(bucket_node) = HASHNEXT(node);
- }
- }
-}
-#endif /* DNS_RBT_USEHASH */
-
-static inline void
-rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
- dns_rbtnode_t *child;
-
- REQUIRE(DNS_RBTNODE_VALID(node));
- REQUIRE(rootp != NULL);
-
- child = RIGHT(node);
- INSIST(child != NULL);
-
- RIGHT(node) = LEFT(child);
- if (LEFT(child) != NULL)
- PARENT(LEFT(child)) = node;
- LEFT(child) = node;
-
- if (child != NULL)
- PARENT(child) = PARENT(node);
-
- if (IS_ROOT(node)) {
- *rootp = child;
- child->is_root = 1;
- node->is_root = 0;
-
- } else {
- if (LEFT(PARENT(node)) == node)
- LEFT(PARENT(node)) = child;
- else
- RIGHT(PARENT(node)) = child;
- }
-
- PARENT(node) = child;
-}
-
-static inline void
-rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
- dns_rbtnode_t *child;
-
- REQUIRE(DNS_RBTNODE_VALID(node));
- REQUIRE(rootp != NULL);
-
- child = LEFT(node);
- INSIST(child != NULL);
-
- LEFT(node) = RIGHT(child);
- if (RIGHT(child) != NULL)
- PARENT(RIGHT(child)) = node;
- RIGHT(child) = node;
-
- if (child != NULL)
- PARENT(child) = PARENT(node);
-
- if (IS_ROOT(node)) {
- *rootp = child;
- child->is_root = 1;
- node->is_root = 0;
-
- } else {
- if (LEFT(PARENT(node)) == node)
- LEFT(PARENT(node)) = child;
- else
- RIGHT(PARENT(node)) = child;
- }
-
- PARENT(node) = child;
-}
-
-/*
- * This is the real workhorse of the insertion code, because it does the
- * true red/black tree on a single level.
- */
-static void
-dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
- dns_rbtnode_t **rootp)
-{
- dns_rbtnode_t *child, *root, *parent, *grandparent;
- dns_name_t add_name, current_name;
- dns_offsets_t add_offsets, current_offsets;
-
- REQUIRE(rootp != NULL);
- REQUIRE(DNS_RBTNODE_VALID(node) && LEFT(node) == NULL &&
- RIGHT(node) == NULL);
- REQUIRE(current != NULL);
-
- root = *rootp;
- if (root == NULL) {
- /*
- * First node of a level.
- */
- MAKE_BLACK(node);
- node->is_root = 1;
- PARENT(node) = current;
- *rootp = node;
- return;
- }
-
- child = root;
-
- dns_name_init(&add_name, add_offsets);
- NODENAME(node, &add_name);
-
- dns_name_init(&current_name, current_offsets);
- NODENAME(current, &current_name);
-
- if (order < 0) {
- INSIST(LEFT(current) == NULL);
- LEFT(current) = node;
- } else {
- INSIST(RIGHT(current) == NULL);
- RIGHT(current) = node;
- }
-
- INSIST(PARENT(node) == NULL);
- PARENT(node) = current;
-
- MAKE_RED(node);
-
- while (node != root && IS_RED(PARENT(node))) {
- /*
- * XXXDCL could do away with separate parent and grandparent
- * variables. They are vestiges of the days before parent
- * pointers. However, they make the code a little clearer.
- */
-
- parent = PARENT(node);
- grandparent = PARENT(parent);
-
- if (parent == LEFT(grandparent)) {
- child = RIGHT(grandparent);
- if (child != NULL && IS_RED(child)) {
- MAKE_BLACK(parent);
- MAKE_BLACK(child);
- MAKE_RED(grandparent);
- node = grandparent;
- } else {
- if (node == RIGHT(parent)) {
- rotate_left(parent, &root);
- node = parent;
- parent = PARENT(node);
- grandparent = PARENT(parent);
- }
- MAKE_BLACK(parent);
- MAKE_RED(grandparent);
- rotate_right(grandparent, &root);
- }
- } else {
- child = LEFT(grandparent);
- if (child != NULL && IS_RED(child)) {
- MAKE_BLACK(parent);
- MAKE_BLACK(child);
- MAKE_RED(grandparent);
- node = grandparent;
- } else {
- if (node == LEFT(parent)) {
- rotate_right(parent, &root);
- node = parent;
- parent = PARENT(node);
- grandparent = PARENT(parent);
- }
- MAKE_BLACK(parent);
- MAKE_RED(grandparent);
- rotate_left(grandparent, &root);
- }
- }
- }
-
- MAKE_BLACK(root);
- ENSURE(IS_ROOT(root));
- *rootp = root;
-
- return;
-}
-
-/*
- * This is the real workhorse of the deletion code, because it does the
- * true red/black tree on a single level.
- */
-static void
-dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
- dns_rbtnode_t *child, *sibling, *parent;
- dns_rbtnode_t *successor;
-
- REQUIRE(delete != NULL);
-
- /*
- * Verify that the parent history is (apparently) correct.
- */
- INSIST((IS_ROOT(delete) && *rootp == delete) ||
- (! IS_ROOT(delete) &&
- (LEFT(PARENT(delete)) == delete ||
- RIGHT(PARENT(delete)) == delete)));
-
- child = NULL;
-
- if (LEFT(delete) == NULL) {
- if (RIGHT(delete) == NULL) {
- if (IS_ROOT(delete)) {
- /*
- * This is the only item in the tree.
- */
- *rootp = NULL;
- return;
- }
- } else
- /*
- * This node has one child, on the right.
- */
- child = RIGHT(delete);
-
- } else if (RIGHT(delete) == NULL)
- /*
- * This node has one child, on the left.
- */
- child = LEFT(delete);
- else {
- dns_rbtnode_t holder, *tmp = &holder;
-
- /*
- * This node has two children, so it cannot be directly
- * deleted. Find its immediate in-order successor and
- * move it to this location, then do the deletion at the
- * old site of the successor.
- */
- successor = RIGHT(delete);
- while (LEFT(successor) != NULL)
- successor = LEFT(successor);
-
- /*
- * The successor cannot possibly have a left child;
- * if there is any child, it is on the right.
- */
- if (RIGHT(successor) != NULL)
- child = RIGHT(successor);
-
- /*
- * Swap the two nodes; it would be simpler to just replace
- * the value being deleted with that of the successor,
- * but this rigamarole is done so the caller has complete
- * control over the pointers (and memory allocation) of
- * all of nodes. If just the key value were removed from
- * the tree, the pointer to the node would be unchanged.
- */
-
- /*
- * First, put the successor in the tree location of the
- * node to be deleted. Save its existing tree pointer
- * information, which will be needed when linking up
- * delete to the successor's old location.
- */
- memcpy(tmp, successor, sizeof(dns_rbtnode_t));
-
- if (IS_ROOT(delete)) {
- *rootp = successor;
- successor->is_root = ISC_TRUE;
- delete->is_root = ISC_FALSE;
-
- } else
- if (LEFT(PARENT(delete)) == delete)
- LEFT(PARENT(delete)) = successor;
- else
- RIGHT(PARENT(delete)) = successor;
-
- PARENT(successor) = PARENT(delete);
- LEFT(successor) = LEFT(delete);
- RIGHT(successor) = RIGHT(delete);
- COLOR(successor) = COLOR(delete);
-
- if (LEFT(successor) != NULL)
- PARENT(LEFT(successor)) = successor;
- if (RIGHT(successor) != successor)
- PARENT(RIGHT(successor)) = successor;
-
- /*
- * Now relink the node to be deleted into the
- * successor's previous tree location. PARENT(tmp)
- * is the successor's original parent.
- */
- INSIST(! IS_ROOT(delete));
-
- if (PARENT(tmp) == delete) {
- /*
- * Node being deleted was successor's parent.
- */
- RIGHT(successor) = delete;
- PARENT(delete) = successor;
-
- } else {
- LEFT(PARENT(tmp)) = delete;
- PARENT(delete) = PARENT(tmp);
- }
-
- /*
- * Original location of successor node has no left.
- */
- LEFT(delete) = NULL;
- RIGHT(delete) = RIGHT(tmp);
- COLOR(delete) = COLOR(tmp);
- }
-
- /*
- * Remove the node by removing the links from its parent.
- */
- if (! IS_ROOT(delete)) {
- if (LEFT(PARENT(delete)) == delete)
- LEFT(PARENT(delete)) = child;
- else
- RIGHT(PARENT(delete)) = child;
-
- if (child != NULL)
- PARENT(child) = PARENT(delete);
-
- } else {
- /*
- * This is the root being deleted, and at this point
- * it is known to have just one child.
- */
- *rootp = child;
- child->is_root = 1;
- PARENT(child) = PARENT(delete);
- }
-
- /*
- * Fix color violations.
- */
- if (IS_BLACK(delete)) {
- parent = PARENT(delete);
-
- while (child != *rootp && IS_BLACK(child)) {
- INSIST(child == NULL || ! IS_ROOT(child));
-
- if (LEFT(parent) == child) {
- sibling = RIGHT(parent);
-
- if (IS_RED(sibling)) {
- MAKE_BLACK(sibling);
- MAKE_RED(parent);
- rotate_left(parent, rootp);
- sibling = RIGHT(parent);
- }
-
- if (IS_BLACK(LEFT(sibling)) &&
- IS_BLACK(RIGHT(sibling))) {
- MAKE_RED(sibling);
- child = parent;
-
- } else {
-
- if (IS_BLACK(RIGHT(sibling))) {
- MAKE_BLACK(LEFT(sibling));
- MAKE_RED(sibling);
- rotate_right(sibling, rootp);
- sibling = RIGHT(parent);
- }
-
- COLOR(sibling) = COLOR(parent);
- MAKE_BLACK(parent);
- MAKE_BLACK(RIGHT(sibling));
- rotate_left(parent, rootp);
- child = *rootp;
- }
-
- } else {
- /*
- * Child is parent's right child.
- * Everything is doen the same as above,
- * except mirrored.
- */
- sibling = LEFT(parent);
-
- if (IS_RED(sibling)) {
- MAKE_BLACK(sibling);
- MAKE_RED(parent);
- rotate_right(parent, rootp);
- sibling = LEFT(parent);
- }
-
- if (IS_BLACK(LEFT(sibling)) &&
- IS_BLACK(RIGHT(sibling))) {
- MAKE_RED(sibling);
- child = parent;
-
- } else {
- if (IS_BLACK(LEFT(sibling))) {
- MAKE_BLACK(RIGHT(sibling));
- MAKE_RED(sibling);
- rotate_left(sibling, rootp);
- sibling = LEFT(parent);
- }
-
- COLOR(sibling) = COLOR(parent);
- MAKE_BLACK(parent);
- MAKE_BLACK(LEFT(sibling));
- rotate_right(parent, rootp);
- child = *rootp;
- }
- }
-
- parent = PARENT(child);
- }
-
- if (IS_RED(child))
- MAKE_BLACK(child);
- }
-}
-
-/*
- * This should only be used on the root of a tree, because no color fixup
- * is done at all.
- *
- * NOTE: No root pointer maintenance is done, because the function is only
- * used for two cases:
- * + deleting everything DOWN from a node that is itself being deleted, and
- * + deleting the entire tree of trees from dns_rbt_destroy.
- * In each case, the root pointer is no longer relevant, so there
- * is no need for a root parameter to this function.
- *
- * If the function is ever intended to be used to delete something where
- * a pointer needs to be told that this tree no longer exists,
- * this function would need to adjusted accordingly.
- */
-static isc_result_t
-dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node) {
- isc_result_t result = ISC_R_SUCCESS;
- REQUIRE(VALID_RBT(rbt));
-
- if (node == NULL)
- return (result);
-
- if (LEFT(node) != NULL) {
- result = dns_rbt_deletetree(rbt, LEFT(node));
- if (result != ISC_R_SUCCESS)
- goto done;
- LEFT(node) = NULL;
- }
- if (RIGHT(node) != NULL) {
- result = dns_rbt_deletetree(rbt, RIGHT(node));
- if (result != ISC_R_SUCCESS)
- goto done;
- RIGHT(node) = NULL;
- }
- if (DOWN(node) != NULL) {
- result = dns_rbt_deletetree(rbt, DOWN(node));
- if (result != ISC_R_SUCCESS)
- goto done;
- DOWN(node) = NULL;
- }
- done:
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (DATA(node) != NULL && rbt->data_deleter != NULL)
- rbt->data_deleter(DATA(node), rbt->deleter_arg);
-
- unhash_node(rbt, node);
-#if DNS_RBT_USEMAGIC
- node->magic = 0;
-#endif
- isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
- rbt->nodecount--;
- return (result);
-}
-
-static void
-dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
- dns_rbtnode_t **nodep)
-{
- dns_rbtnode_t *parent;
- dns_rbtnode_t *node = *nodep;
- REQUIRE(VALID_RBT(rbt));
-
- again:
- if (node == NULL) {
- *nodep = NULL;
- return;
- }
-
- traverse:
- if (LEFT(node) != NULL) {
- node = LEFT(node);
- goto traverse;
- }
- if (RIGHT(node) != NULL) {
- node = RIGHT(node);
- goto traverse;
- }
- if (DOWN(node) != NULL) {
- node = DOWN(node);
- goto traverse;
- }
-
- if (DATA(node) != NULL && rbt->data_deleter != NULL)
- rbt->data_deleter(DATA(node), rbt->deleter_arg);
-
- /*
- * Note: we don't call unhash_node() here as we are destroying
- * the complete rbt tree.
- */
-#if DNS_RBT_USEMAGIC
- node->magic = 0;
-#endif
- parent = PARENT(node);
- if (parent != NULL) {
- if (LEFT(parent) == node)
- LEFT(parent) = NULL;
- else if (DOWN(parent) == node)
- DOWN(parent) = NULL;
- else if (RIGHT(parent) == node)
- RIGHT(parent) = NULL;
- }
- isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
- rbt->nodecount--;
- node = parent;
- if (quantum != 0 && --quantum == 0) {
- *nodep = node;
- return;
- }
- goto again;
-}
-
-static void
-dns_rbt_indent(int depth) {
- int i;
-
- for (i = 0; i < depth; i++)
- putchar('\t');
-}
-
-static void
-dns_rbt_printnodename(dns_rbtnode_t *node) {
- isc_region_t r;
- dns_name_t name;
- char buffer[DNS_NAME_FORMATSIZE];
- dns_offsets_t offsets;
-
- r.length = NAMELEN(node);
- r.base = NAME(node);
-
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &r);
-
- dns_name_format(&name, buffer, sizeof(buffer));
-
- printf("%s", buffer);
-}
-
-static void
-dns_rbt_printtree(dns_rbtnode_t *root, dns_rbtnode_t *parent, int depth) {
- dns_rbt_indent(depth);
-
- if (root != NULL) {
- dns_rbt_printnodename(root);
- printf(" (%s", IS_RED(root) ? "RED" : "black");
- if (parent) {
- printf(" from ");
- dns_rbt_printnodename(parent);
- }
-
- if ((! IS_ROOT(root) && PARENT(root) != parent) ||
- ( IS_ROOT(root) && depth > 0 &&
- DOWN(PARENT(root)) != root)) {
-
- printf(" (BAD parent pointer! -> ");
- if (PARENT(root) != NULL)
- dns_rbt_printnodename(PARENT(root));
- else
- printf("NULL");
- printf(")");
- }
-
- printf(")\n");
-
-
- depth++;
-
- if (DOWN(root)) {
- dns_rbt_indent(depth);
- printf("++ BEG down from ");
- dns_rbt_printnodename(root);
- printf("\n");
- dns_rbt_printtree(DOWN(root), NULL, depth);
- dns_rbt_indent(depth);
- printf("-- END down from ");
- dns_rbt_printnodename(root);
- printf("\n");
- }
-
- if (IS_RED(root) && IS_RED(LEFT(root)))
- printf("** Red/Red color violation on left\n");
- dns_rbt_printtree(LEFT(root), root, depth);
-
- if (IS_RED(root) && IS_RED(RIGHT(root)))
- printf("** Red/Red color violation on right\n");
- dns_rbt_printtree(RIGHT(root), root, depth);
-
- } else
- printf("NULL\n");
-}
-
-void
-dns_rbt_printall(dns_rbt_t *rbt) {
- REQUIRE(VALID_RBT(rbt));
-
- dns_rbt_printtree(rbt->root, NULL, 0);
-}
-
-/*
- * Chain Functions
- */
-
-void
-dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx) {
- /*
- * Initialize 'chain'.
- */
-
- REQUIRE(chain != NULL);
-
- chain->mctx = mctx;
- chain->end = NULL;
- chain->level_count = 0;
- chain->level_matches = 0;
-
- chain->magic = CHAIN_MAGIC;
-}
-
-isc_result_t
-dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
- dns_name_t *origin, dns_rbtnode_t **node)
-{
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(VALID_CHAIN(chain));
-
- if (node != NULL)
- *node = chain->end;
-
- if (chain->end == NULL)
- return (ISC_R_NOTFOUND);
-
- if (name != NULL) {
- NODENAME(chain->end, name);
-
- if (chain->level_count == 0) {
- /*
- * Names in the top level tree are all absolute.
- * Always make 'name' relative.
- */
- INSIST(dns_name_isabsolute(name));
-
- /*
- * This is cheaper than dns_name_getlabelsequence().
- */
- name->labels--;
- name->length--;
- name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
- }
- }
-
- if (origin != NULL) {
- if (chain->level_count > 0)
- result = chain_name(chain, origin, ISC_FALSE);
- else
- result = dns_name_copy(dns_rootname, origin, NULL);
- }
-
- return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
- dns_name_t *origin)
-{
- dns_rbtnode_t *current, *previous, *predecessor;
- isc_result_t result = ISC_R_SUCCESS;
- isc_boolean_t new_origin = ISC_FALSE;
-
- REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
-
- predecessor = NULL;
-
- current = chain->end;
-
- if (LEFT(current) != NULL) {
- /*
- * Moving left one then right as far as possible is the
- * previous node, at least for this level.
- */
- current = LEFT(current);
-
- while (RIGHT(current) != NULL)
- current = RIGHT(current);
-
- predecessor = current;
-
- } else {
- /*
- * No left links, so move toward the root. If at any point on
- * the way there the link from parent to child is a right
- * link, then the parent is the previous node, at least
- * for this level.
- */
- while (! IS_ROOT(current)) {
- previous = current;
- current = PARENT(current);
-
- if (RIGHT(current) == previous) {
- predecessor = current;
- break;
- }
- }
- }
-
- if (predecessor != NULL) {
- /*
- * Found a predecessor node in this level. It might not
- * really be the predecessor, however.
- */
- if (DOWN(predecessor) != NULL) {
- /*
- * The predecessor is really down at least one level.
- * Go down and as far right as possible, and repeat
- * as long as the rightmost node has a down pointer.
- */
- do {
- /*
- * XXX DCL Need to do something about origins
- * here. See whether to go down, and if so
- * whether it is truly what Bob calls a
- * new origin.
- */
- ADD_LEVEL(chain, predecessor);
- predecessor = DOWN(predecessor);
-
- /* XXX DCL duplicated from above; clever
- * way to unduplicate? */
-
- while (RIGHT(predecessor) != NULL)
- predecessor = RIGHT(predecessor);
- } while (DOWN(predecessor) != NULL);
-
- /* XXX DCL probably needs work on the concept */
- if (origin != NULL)
- new_origin = ISC_TRUE;
- }
-
- } else if (chain->level_count > 0) {
- /*
- * Dang, didn't find a predecessor in this level.
- * Got to the root of this level without having traversed
- * any right links. Ascend the tree one level; the
- * node that points to this tree is the predecessor.
- */
- INSIST(chain->level_count > 0 && IS_ROOT(current));
- predecessor = chain->levels[--chain->level_count];
-
- /* XXX DCL probably needs work on the concept */
- /*
- * Don't declare an origin change when the new origin is "."
- * at the top level tree, because "." is declared as the origin
- * for the second level tree.
- */
- if (origin != NULL &&
- (chain->level_count > 0 || OFFSETLEN(predecessor) > 1))
- new_origin = ISC_TRUE;
- }
-
- if (predecessor != NULL) {
- chain->end = predecessor;
-
- if (new_origin) {
- result = dns_rbtnodechain_current(chain, name, origin,
- NULL);
- if (result == ISC_R_SUCCESS)
- result = DNS_R_NEWORIGIN;
-
- } else
- result = dns_rbtnodechain_current(chain, name, NULL,
- NULL);
-
- } else
- result = ISC_R_NOMORE;
-
- return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
- dns_name_t *origin)
-{
- dns_rbtnode_t *current, *previous, *successor;
- isc_result_t result = ISC_R_SUCCESS;
- isc_boolean_t new_origin = ISC_FALSE;
-
- REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
-
- successor = NULL;
-
- current = chain->end;
-
- /*
- * If there is a level below this node, the next node is the leftmost
- * node of the next level.
- */
- if (DOWN(current) != NULL) {
- /*
- * Don't declare an origin change when the new origin is "."
- * at the second level tree, because "." is already declared
- * as the origin for the top level tree.
- */
- if (chain->level_count > 0 ||
- OFFSETLEN(current) > 1)
- new_origin = ISC_TRUE;
-
- ADD_LEVEL(chain, current);
- current = DOWN(current);
-
- while (LEFT(current) != NULL)
- current = LEFT(current);
-
- successor = current;
-
- } else if (RIGHT(current) == NULL) {
- /*
- * The successor is up, either in this level or a previous one.
- * Head back toward the root of the tree, looking for any path
- * that was via a left link; the successor is the node that has
- * that left link. In the event the root of the level is
- * reached without having traversed any left links, ascend one
- * level and look for either a right link off the point of
- * ascent, or search for a left link upward again, repeating
- * ascents until either case is true.
- */
- do {
- while (! IS_ROOT(current)) {
- previous = current;
- current = PARENT(current);
-
- if (LEFT(current) == previous) {
- successor = current;
- break;
- }
- }
-
- if (successor == NULL) {
- /*
- * Reached the root without having traversed
- * any left pointers, so this level is done.
- */
- if (chain->level_count == 0)
- break;
-
- current = chain->levels[--chain->level_count];
- new_origin = ISC_TRUE;
-
- if (RIGHT(current) != NULL)
- break;
- }
- } while (successor == NULL);
- }
-
- if (successor == NULL && RIGHT(current) != NULL) {
- current = RIGHT(current);
-
- while (LEFT(current) != NULL)
- current = LEFT(current);
-
- successor = current;
- }
-
- if (successor != NULL) {
- chain->end = successor;
-
- /*
- * It is not necessary to use dns_rbtnodechain_current like
- * the other functions because this function will never
- * find a node in the topmost level. This is because the
- * root level will never be more than one name, and everything
- * in the megatree is a successor to that node, down at
- * the second level or below.
- */
-
- if (name != NULL)
- NODENAME(chain->end, name);
-
- if (new_origin) {
- if (origin != NULL)
- result = chain_name(chain, origin, ISC_FALSE);
-
- if (result == ISC_R_SUCCESS)
- result = DNS_R_NEWORIGIN;
-
- } else
- result = ISC_R_SUCCESS;
-
- } else
- result = ISC_R_NOMORE;
-
- return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
- dns_name_t *name, dns_name_t *origin)
-
-{
- isc_result_t result;
-
- REQUIRE(VALID_RBT(rbt));
- REQUIRE(VALID_CHAIN(chain));
-
- dns_rbtnodechain_reset(chain);
-
- chain->end = rbt->root;
-
- result = dns_rbtnodechain_current(chain, name, origin, NULL);
-
- if (result == ISC_R_SUCCESS)
- result = DNS_R_NEWORIGIN;
-
- return (result);
-}
-
-isc_result_t
-dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
- dns_name_t *name, dns_name_t *origin)
-
-{
- isc_result_t result;
-
- REQUIRE(VALID_RBT(rbt));
- REQUIRE(VALID_CHAIN(chain));
-
- dns_rbtnodechain_reset(chain);
-
- result = move_chain_to_last(chain, rbt->root);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_rbtnodechain_current(chain, name, origin, NULL);
-
- if (result == ISC_R_SUCCESS)
- result = DNS_R_NEWORIGIN;
-
- return (result);
-}
-
-
-void
-dns_rbtnodechain_reset(dns_rbtnodechain_t *chain) {
- /*
- * Free any dynamic storage associated with 'chain', and then
- * reinitialize 'chain'.
- */
-
- REQUIRE(VALID_CHAIN(chain));
-
- chain->end = NULL;
- chain->level_count = 0;
- chain->level_matches = 0;
-}
-
-void
-dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain) {
- /*
- * Free any dynamic storage associated with 'chain', and then
- * invalidate 'chain'.
- */
-
- dns_rbtnodechain_reset(chain);
-
- chain->magic = 0;
-}
diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c
deleted file mode 100644
index f399dd17bcea..000000000000
--- a/contrib/bind9/lib/dns/rbtdb.c
+++ /dev/null
@@ -1,5723 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbtdb.c,v 1.168.2.11.2.22 2005/10/14 01:38:48 marka Exp $ */
-
-/*
- * Principal Author: Bob Halley
- */
-
-#include <config.h>
-
-#include <isc/event.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/mutex.h>
-#include <isc/random.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/events.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/masterdump.h>
-#include <dns/rbt.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdataslab.h>
-#include <dns/result.h>
-#include <dns/zonekey.h>
-
-#ifdef DNS_RBTDB_VERSION64
-#include "rbtdb64.h"
-#else
-#include "rbtdb.h"
-#endif
-
-#ifdef DNS_RBTDB_VERSION64
-#define RBTDB_MAGIC ISC_MAGIC('R', 'B', 'D', '8')
-#else
-#define RBTDB_MAGIC ISC_MAGIC('R', 'B', 'D', '4')
-#endif
-
-/*
- * Note that "impmagic" is not the first four bytes of the struct, so
- * ISC_MAGIC_VALID cannot be used.
- */
-#define VALID_RBTDB(rbtdb) ((rbtdb) != NULL && \
- (rbtdb)->common.impmagic == RBTDB_MAGIC)
-
-#ifdef DNS_RBTDB_VERSION64
-typedef isc_uint64_t rbtdb_serial_t;
-/*
- * Make casting easier in symbolic debuggers by using different names
- * for the 64 bit version.
- */
-#define dns_rbtdb_t dns_rbtdb64_t
-#define rdatasetheader_t rdatasetheader64_t
-#define rbtdb_version_t rbtdb_version64_t
-#else
-typedef isc_uint32_t rbtdb_serial_t;
-#endif
-
-typedef isc_uint32_t rbtdb_rdatatype_t;
-
-#define RBTDB_RDATATYPE_BASE(type) ((dns_rdatatype_t)((type) & 0xFFFF))
-#define RBTDB_RDATATYPE_EXT(type) ((dns_rdatatype_t)((type) >> 16))
-#define RBTDB_RDATATYPE_VALUE(b, e) (((e) << 16) | (b))
-
-#define RBTDB_RDATATYPE_SIGNSEC \
- RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec)
-#define RBTDB_RDATATYPE_SIGNS \
- RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns)
-#define RBTDB_RDATATYPE_SIGCNAME \
- RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname)
-#define RBTDB_RDATATYPE_SIGDNAME \
- RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname)
-#define RBTDB_RDATATYPE_NCACHEANY \
- RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
-
-/*
- * Allow clients with a virtual time of upto 5 minutes in the past to see
- * records that would have otherwise have expired.
- */
-#define RBTDB_VIRTUAL 300
-
-struct noqname {
- dns_name_t name;
- void * nsec;
- void * nsecsig;
-};
-
-typedef struct rdatasetheader {
- /*
- * Locked by the owning node's lock.
- */
- rbtdb_serial_t serial;
- dns_ttl_t ttl;
- rbtdb_rdatatype_t type;
- isc_uint16_t attributes;
- dns_trust_t trust;
- struct noqname *noqname;
- /*
- * We don't use the LIST macros, because the LIST structure has
- * both head and tail pointers, and is doubly linked.
- */
-
- struct rdatasetheader *next;
- /*
- * If this is the top header for an rdataset, 'next' points
- * to the top header for the next rdataset (i.e., the next type).
- * Otherwise, it points up to the header whose down pointer points
- * at this header.
- */
-
- struct rdatasetheader *down;
- /*
- * Points to the header for the next older version of
- * this rdataset.
- */
-
- isc_uint32_t count;
- /*
- * Monotonously increased every time this rdataset is bound so that
- * it is used as the base of the starting point in DNS responses
- * when the "cyclic" rrset-order is required. Since the ordering
- * should not be so crucial, no lock is set for the counter for
- * performance reasons.
- */
-} rdatasetheader_t;
-
-#define RDATASET_ATTR_NONEXISTENT 0x0001
-#define RDATASET_ATTR_STALE 0x0002
-#define RDATASET_ATTR_IGNORE 0x0004
-#define RDATASET_ATTR_RETAIN 0x0008
-#define RDATASET_ATTR_NXDOMAIN 0x0010
-
-/*
- * XXX
- * When the cache will pre-expire data (due to memory low or other
- * situations) before the rdataset's TTL has expired, it MUST
- * respect the RETAIN bit and not expire the data until its TTL is
- * expired.
- */
-
-#undef IGNORE /* WIN32 winbase.h defines this. */
-
-#define EXISTS(header) \
- (((header)->attributes & RDATASET_ATTR_NONEXISTENT) == 0)
-#define NONEXISTENT(header) \
- (((header)->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
-#define IGNORE(header) \
- (((header)->attributes & RDATASET_ATTR_IGNORE) != 0)
-#define RETAIN(header) \
- (((header)->attributes & RDATASET_ATTR_RETAIN) != 0)
-#define NXDOMAIN(header) \
- (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
-
-#define DEFAULT_NODE_LOCK_COUNT 7 /* Should be prime. */
-
-typedef struct {
- isc_mutex_t lock;
- /* Locked by lock. */
- unsigned int references;
- isc_boolean_t exiting;
-} rbtdb_nodelock_t;
-
-typedef struct rbtdb_changed {
- dns_rbtnode_t * node;
- isc_boolean_t dirty;
- ISC_LINK(struct rbtdb_changed) link;
-} rbtdb_changed_t;
-
-typedef ISC_LIST(rbtdb_changed_t) rbtdb_changedlist_t;
-
-typedef struct rbtdb_version {
- /* Not locked */
- rbtdb_serial_t serial;
- /* Locked by database lock. */
- isc_boolean_t writer;
- unsigned int references;
- isc_boolean_t commit_ok;
- rbtdb_changedlist_t changed_list;
- ISC_LINK(struct rbtdb_version) link;
-} rbtdb_version_t;
-
-typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t;
-
-typedef struct {
- /* Unlocked. */
- dns_db_t common;
- isc_mutex_t lock;
- isc_rwlock_t tree_lock;
- unsigned int node_lock_count;
- rbtdb_nodelock_t * node_locks;
- dns_rbtnode_t * origin_node;
- /* Locked by lock. */
- unsigned int active;
- isc_refcount_t references;
- unsigned int attributes;
- rbtdb_serial_t current_serial;
- rbtdb_serial_t least_serial;
- rbtdb_serial_t next_serial;
- rbtdb_version_t * current_version;
- rbtdb_version_t * future_version;
- rbtdb_versionlist_t open_versions;
- isc_boolean_t overmem;
- isc_task_t * task;
- /* Locked by tree_lock. */
- dns_rbt_t * tree;
- isc_boolean_t secure;
-} dns_rbtdb_t;
-
-#define RBTDB_ATTR_LOADED 0x01
-#define RBTDB_ATTR_LOADING 0x02
-
-/*
- * Search Context
- */
-typedef struct {
- dns_rbtdb_t * rbtdb;
- rbtdb_version_t * rbtversion;
- rbtdb_serial_t serial;
- unsigned int options;
- dns_rbtnodechain_t chain;
- isc_boolean_t copy_name;
- isc_boolean_t need_cleanup;
- isc_boolean_t wild;
- dns_rbtnode_t * zonecut;
- rdatasetheader_t * zonecut_rdataset;
- rdatasetheader_t * zonecut_sigrdataset;
- dns_fixedname_t zonecut_name;
- isc_stdtime_t now;
-} rbtdb_search_t;
-
-/*
- * Load Context
- */
-typedef struct {
- dns_rbtdb_t * rbtdb;
- isc_stdtime_t now;
-} rbtdb_load_t;
-
-static void rdataset_disassociate(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
-static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-static unsigned int rdataset_count(dns_rdataset_t *rdataset);
-static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset,
- dns_name_t *name,
- dns_rdataset_t *nsec,
- dns_rdataset_t *nsecsig);
-
-static dns_rdatasetmethods_t rdataset_methods = {
- rdataset_disassociate,
- rdataset_first,
- rdataset_next,
- rdataset_current,
- rdataset_clone,
- rdataset_count,
- NULL,
- rdataset_getnoqname
-};
-
-static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
-static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
-static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
- dns_rdataset_t *rdataset);
-
-static dns_rdatasetitermethods_t rdatasetiter_methods = {
- rdatasetiter_destroy,
- rdatasetiter_first,
- rdatasetiter_next,
- rdatasetiter_current
-};
-
-typedef struct rbtdb_rdatasetiter {
- dns_rdatasetiter_t common;
- rdatasetheader_t * current;
-} rbtdb_rdatasetiter_t;
-
-static void dbiterator_destroy(dns_dbiterator_t **iteratorp);
-static isc_result_t dbiterator_first(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_last(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator,
- dns_name_t *name);
-static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_next(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_current(dns_dbiterator_t *iterator,
- dns_dbnode_t **nodep,
- dns_name_t *name);
-static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator,
- dns_name_t *name);
-
-static dns_dbiteratormethods_t dbiterator_methods = {
- dbiterator_destroy,
- dbiterator_first,
- dbiterator_last,
- dbiterator_seek,
- dbiterator_prev,
- dbiterator_next,
- dbiterator_current,
- dbiterator_pause,
- dbiterator_origin
-};
-
-#define DELETION_BATCH_MAX 64
-
-/*
- * If 'paused' is ISC_TRUE, then the tree lock is not being held.
- */
-typedef struct rbtdb_dbiterator {
- dns_dbiterator_t common;
- isc_boolean_t paused;
- isc_boolean_t new_origin;
- isc_rwlocktype_t tree_locked;
- isc_result_t result;
- dns_fixedname_t name;
- dns_fixedname_t origin;
- dns_rbtnodechain_t chain;
- dns_rbtnode_t *node;
- dns_rbtnode_t *deletions[DELETION_BATCH_MAX];
- int delete;
-} rbtdb_dbiterator_t;
-
-
-#define IS_STUB(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_STUB) != 0)
-#define IS_CACHE(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_CACHE) != 0)
-
-static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
- isc_event_t *event);
-
-/*
- * Locking
- *
- * If a routine is going to lock more than one lock in this module, then
- * the locking must be done in the following order:
- *
- * Tree Lock
- *
- * Node Lock (Only one from the set may be locked at one time by
- * any caller)
- *
- * Database Lock
- *
- * Failure to follow this hierarchy can result in deadlock.
- */
-
-/*
- * Deleting Nodes
- *
- * Currently there is no deletion of nodes from the database, except when
- * the database is being destroyed.
- *
- * If node deletion is added in the future, then for zone databases the node
- * for the origin of the zone MUST NOT be deleted.
- */
-
-
-/*
- * DB Routines
- */
-
-static void
-attach(dns_db_t *source, dns_db_t **targetp) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)source;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- isc_refcount_increment(&rbtdb->references, NULL);
-
- *targetp = source;
-}
-
-static void
-free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
- dns_rbtdb_t *rbtdb = event->ev_arg;
-
- UNUSED(task);
-
- free_rbtdb(rbtdb, ISC_TRUE, event);
-}
-
-static void
-free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
- unsigned int i;
- isc_ondestroy_t ondest;
- isc_result_t result;
- char buf[DNS_NAME_FORMATSIZE];
-
- REQUIRE(EMPTY(rbtdb->open_versions));
- REQUIRE(rbtdb->future_version == NULL);
-
- if (rbtdb->current_version != NULL)
- isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
- sizeof(rbtdb_version_t));
- again:
- if (rbtdb->tree != NULL) {
- result = dns_rbt_destroy2(&rbtdb->tree,
- (rbtdb->task != NULL) ? 1000 : 0);
- if (result == ISC_R_QUOTA) {
- INSIST(rbtdb->task != NULL);
- if (event == NULL)
- event = isc_event_allocate(rbtdb->common.mctx,
- NULL,
- DNS_EVENT_FREESTORAGE,
- free_rbtdb_callback,
- rbtdb,
- sizeof(isc_event_t));
- if (event == NULL)
- goto again;
- isc_task_send(rbtdb->task, &event);
- return;
- }
- INSIST(result == ISC_R_SUCCESS && rbtdb->tree == NULL);
- }
- if (event != NULL)
- isc_event_free(&event);
- if (log) {
- if (dns_name_dynamic(&rbtdb->common.origin))
- dns_name_format(&rbtdb->common.origin, buf,
- sizeof(buf));
- else
- strcpy(buf, "<UNKNOWN>");
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "done free_rbtdb(%s)", buf);
- }
- if (dns_name_dynamic(&rbtdb->common.origin))
- dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx);
- for (i = 0; i < rbtdb->node_lock_count; i++)
- DESTROYLOCK(&rbtdb->node_locks[i].lock);
- isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
- rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
- isc_rwlock_destroy(&rbtdb->tree_lock);
- isc_refcount_destroy(&rbtdb->references);
- if (rbtdb->task != NULL)
- isc_task_detach(&rbtdb->task);
- DESTROYLOCK(&rbtdb->lock);
- rbtdb->common.magic = 0;
- rbtdb->common.impmagic = 0;
- ondest = rbtdb->common.ondest;
- isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb));
- isc_ondestroy_notify(&ondest, rbtdb);
-}
-
-static inline void
-maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
- isc_boolean_t want_free = ISC_FALSE;
- unsigned int i;
- unsigned int inactive = 0;
-
- /* XXX check for open versions here */
-
- /*
- * Even though there are no external direct references, there still
- * may be nodes in use.
- */
- for (i = 0; i < rbtdb->node_lock_count; i++) {
- LOCK(&rbtdb->node_locks[i].lock);
- rbtdb->node_locks[i].exiting = ISC_TRUE;
- if (rbtdb->node_locks[i].references == 0)
- inactive++;
- UNLOCK(&rbtdb->node_locks[i].lock);
- }
-
- if (inactive != 0) {
- LOCK(&rbtdb->lock);
- rbtdb->active -= inactive;
- if (rbtdb->active == 0)
- want_free = ISC_TRUE;
- UNLOCK(&rbtdb->lock);
- if (want_free) {
- char buf[DNS_NAME_FORMATSIZE];
- if (dns_name_dynamic(&rbtdb->common.origin))
- dns_name_format(&rbtdb->common.origin, buf,
- sizeof(buf));
- else
- strcpy(buf, "<UNKNOWN>");
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "calling free_rbtdb(%s)", buf);
- free_rbtdb(rbtdb, ISC_TRUE, NULL);
- }
- }
-}
-
-static void
-detach(dns_db_t **dbp) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(*dbp);
- unsigned int refs;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- isc_refcount_decrement(&rbtdb->references, &refs);
-
- if (refs == 0)
- maybe_free_rbtdb(rbtdb);
-
- *dbp = NULL;
-}
-
-static void
-currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- rbtdb_version_t *version;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- LOCK(&rbtdb->lock);
- version = rbtdb->current_version;
- if (version->references == 0)
- PREPEND(rbtdb->open_versions, version, link);
- version->references++;
- UNLOCK(&rbtdb->lock);
-
- *versionp = (dns_dbversion_t *)version;
-}
-
-static inline rbtdb_version_t *
-allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
- unsigned int references, isc_boolean_t writer)
-{
- rbtdb_version_t *version;
-
- version = isc_mem_get(mctx, sizeof(*version));
- if (version == NULL)
- return (NULL);
- version->serial = serial;
- version->references = references;
- version->writer = writer;
- version->commit_ok = ISC_FALSE;
- ISC_LIST_INIT(version->changed_list);
- ISC_LINK_INIT(version, link);
-
- return (version);
-}
-
-static isc_result_t
-newversion(dns_db_t *db, dns_dbversion_t **versionp) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- rbtdb_version_t *version;
-
- REQUIRE(VALID_RBTDB(rbtdb));
- REQUIRE(versionp != NULL && *versionp == NULL);
- REQUIRE(rbtdb->future_version == NULL);
-
- LOCK(&rbtdb->lock);
- RUNTIME_CHECK(rbtdb->next_serial != 0); /* XXX Error? */
- version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1,
- ISC_TRUE);
- if (version != NULL) {
- version->commit_ok = ISC_TRUE;
- rbtdb->next_serial++;
- rbtdb->future_version = version;
- }
- UNLOCK(&rbtdb->lock);
-
- if (version == NULL)
- return (ISC_R_NOMEMORY);
-
- *versionp = version;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-attachversion(dns_db_t *db, dns_dbversion_t *source,
- dns_dbversion_t **targetp)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- rbtdb_version_t *rbtversion = source;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- LOCK(&rbtdb->lock);
-
- INSIST(rbtversion->references > 0);
- rbtversion->references++;
- INSIST(rbtversion->references != 0);
-
- UNLOCK(&rbtdb->lock);
-
- *targetp = rbtversion;
-}
-
-static rbtdb_changed_t *
-add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
- dns_rbtnode_t *node)
-{
- rbtdb_changed_t *changed;
-
- /*
- * Caller must be holding the node lock.
- */
-
- changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed));
-
- LOCK(&rbtdb->lock);
-
- REQUIRE(version->writer);
-
- if (changed != NULL) {
- INSIST(node->references > 0);
- node->references++;
- INSIST(node->references != 0);
- changed->node = node;
- changed->dirty = ISC_FALSE;
- ISC_LIST_INITANDAPPEND(version->changed_list, changed, link);
- } else
- version->commit_ok = ISC_FALSE;
-
- UNLOCK(&rbtdb->lock);
-
- return (changed);
-}
-
-static inline void
-free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
-
- if (dns_name_dynamic(&(*noqname)->name))
- dns_name_free(&(*noqname)->name, mctx);
- if ((*noqname)->nsec != NULL)
- isc_mem_put(mctx, (*noqname)->nsec,
- dns_rdataslab_size((*noqname)->nsec, 0));
- if ((*noqname)->nsec != NULL)
- isc_mem_put(mctx, (*noqname)->nsecsig,
- dns_rdataslab_size((*noqname)->nsecsig, 0));
- isc_mem_put(mctx, *noqname, sizeof(**noqname));
- *noqname = NULL;
-}
-
-static inline void
-free_rdataset(isc_mem_t *mctx, rdatasetheader_t *rdataset) {
- unsigned int size;
-
- if (rdataset->noqname != NULL)
- free_noqname(mctx, &rdataset->noqname);
-
- if ((rdataset->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
- size = sizeof(*rdataset);
- else
- size = dns_rdataslab_size((unsigned char *)rdataset,
- sizeof(*rdataset));
- isc_mem_put(mctx, rdataset, size);
-}
-
-static inline void
-rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
- rdatasetheader_t *header, *dcurrent;
- isc_boolean_t make_dirty = ISC_FALSE;
-
- /*
- * Caller must hold the node lock.
- */
-
- /*
- * We set the IGNORE attribute on rdatasets with serial number
- * 'serial'. When the reference count goes to zero, these rdatasets
- * will be cleaned up; until that time, they will be ignored.
- */
- for (header = node->data; header != NULL; header = header->next) {
- if (header->serial == serial) {
- header->attributes |= RDATASET_ATTR_IGNORE;
- make_dirty = ISC_TRUE;
- }
- for (dcurrent = header->down;
- dcurrent != NULL;
- dcurrent = dcurrent->down) {
- if (dcurrent->serial == serial) {
- dcurrent->attributes |= RDATASET_ATTR_IGNORE;
- make_dirty = ISC_TRUE;
- }
- }
- }
- if (make_dirty)
- node->dirty = 1;
-}
-
-static inline void
-clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
- rdatasetheader_t *current, *dcurrent, *top_prev, *top_next, *down_next;
- isc_mem_t *mctx = rbtdb->common.mctx;
-
- /*
- * Caller must be holding the node lock.
- */
-
- top_prev = NULL;
- for (current = node->data; current != NULL; current = top_next) {
- top_next = current->next;
- dcurrent = current->down;
- if (dcurrent != NULL) {
- do {
- down_next = dcurrent->down;
- free_rdataset(mctx, dcurrent);
- dcurrent = down_next;
- } while (dcurrent != NULL);
- current->down = NULL;
- }
- /*
- * If current is nonexistent or stale, we can clean it up.
- */
- if ((current->attributes &
- (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0) {
- if (top_prev != NULL)
- top_prev->next = current->next;
- else
- node->data = current->next;
- free_rdataset(mctx, current);
- } else
- top_prev = current;
- }
- node->dirty = 0;
-}
-
-static inline void
-clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
- rbtdb_serial_t least_serial)
-{
- rdatasetheader_t *current, *dcurrent, *down_next, *dparent;
- rdatasetheader_t *top_prev, *top_next;
- isc_mem_t *mctx = rbtdb->common.mctx;
- isc_boolean_t still_dirty = ISC_FALSE;
-
- /*
- * Caller must be holding the node lock.
- */
- REQUIRE(least_serial != 0);
-
- top_prev = NULL;
- for (current = node->data; current != NULL; current = top_next) {
- top_next = current->next;
-
- /*
- * First, we clean up any instances of multiple rdatasets
- * with the same serial number, or that have the IGNORE
- * attribute.
- */
- dparent = current;
- for (dcurrent = current->down;
- dcurrent != NULL;
- dcurrent = down_next) {
- down_next = dcurrent->down;
- INSIST(dcurrent->serial <= dparent->serial);
- if (dcurrent->serial == dparent->serial ||
- IGNORE(dcurrent)) {
- if (down_next != NULL)
- down_next->next = dparent;
- dparent->down = down_next;
- free_rdataset(mctx, dcurrent);
- } else
- dparent = dcurrent;
- }
-
- /*
- * We've now eliminated all IGNORE datasets with the possible
- * exception of current, which we now check.
- */
- if (IGNORE(current)) {
- down_next = current->down;
- if (down_next == NULL) {
- if (top_prev != NULL)
- top_prev->next = current->next;
- else
- node->data = current->next;
- free_rdataset(mctx, current);
- /*
- * current no longer exists, so we can
- * just continue with the loop.
- */
- continue;
- } else {
- /*
- * Pull up current->down, making it the new
- * current.
- */
- if (top_prev != NULL)
- top_prev->next = down_next;
- else
- node->data = down_next;
- down_next->next = top_next;
- free_rdataset(mctx, current);
- current = down_next;
- }
- }
-
- /*
- * We now try to find the first down node less than the
- * least serial.
- */
- dparent = current;
- for (dcurrent = current->down;
- dcurrent != NULL;
- dcurrent = down_next) {
- down_next = dcurrent->down;
- if (dcurrent->serial < least_serial)
- break;
- dparent = dcurrent;
- }
-
- /*
- * If there is a such an rdataset, delete it and any older
- * versions.
- */
- if (dcurrent != NULL) {
- do {
- down_next = dcurrent->down;
- INSIST(dcurrent->serial <= least_serial);
- free_rdataset(mctx, dcurrent);
- dcurrent = down_next;
- } while (dcurrent != NULL);
- dparent->down = NULL;
- }
-
- /*
- * Note. The serial number of 'current' might be less than
- * least_serial too, but we cannot delete it because it is
- * the most recent version, unless it is a NONEXISTENT
- * rdataset.
- */
- if (current->down != NULL) {
- still_dirty = ISC_TRUE;
- top_prev = current;
- } else {
- /*
- * If this is a NONEXISTENT rdataset, we can delete it.
- */
- if (NONEXISTENT(current)) {
- if (top_prev != NULL)
- top_prev->next = current->next;
- else
- node->data = current->next;
- free_rdataset(mctx, current);
- } else
- top_prev = current;
- }
- }
- if (!still_dirty)
- node->dirty = 0;
-}
-
-static inline void
-new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
- if (node->references == 0) {
- rbtdb->node_locks[node->locknum].references++;
- INSIST(rbtdb->node_locks[node->locknum].references != 0);
- }
- node->references++;
- INSIST(node->references != 0);
-}
-
-static void
-no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
- rbtdb_serial_t least_serial, isc_rwlocktype_t lock)
-{
- isc_result_t result;
- isc_boolean_t write_locked;
- unsigned int locknum;
-
- /*
- * Caller must be holding the node lock.
- */
-
- REQUIRE(node->references == 0);
-
- if (node->dirty) {
- if (IS_CACHE(rbtdb))
- clean_cache_node(rbtdb, node);
- else {
- if (least_serial == 0) {
- /*
- * Caller doesn't know the least serial.
- * Get it.
- */
- LOCK(&rbtdb->lock);
- least_serial = rbtdb->least_serial;
- UNLOCK(&rbtdb->lock);
- }
- clean_zone_node(rbtdb, node, least_serial);
- }
- }
-
- locknum = node->locknum;
-
- INSIST(rbtdb->node_locks[locknum].references > 0);
- rbtdb->node_locks[locknum].references--;
-
- /*
- * XXXDCL should this only be done for cache zones?
- */
- if (node->data != NULL || node->down != NULL)
- return;
-
- /*
- * XXXDCL need to add a deferred delete method for ISC_R_LOCKBUSY.
- */
- if (lock != isc_rwlocktype_write) {
- /*
- * Locking hierarchy notwithstanding, we don't need to free
- * the node lock before acquiring the tree write lock because
- * we only do a trylock.
- */
- if (lock == isc_rwlocktype_read)
- result = isc_rwlock_tryupgrade(&rbtdb->tree_lock);
- else
- result = isc_rwlock_trylock(&rbtdb->tree_lock,
- isc_rwlocktype_write);
- RUNTIME_CHECK(result == ISC_R_SUCCESS ||
- result == ISC_R_LOCKBUSY);
-
- write_locked = ISC_TF(result == ISC_R_SUCCESS);
- } else
- write_locked = ISC_TRUE;
-
- if (write_locked) {
- if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
- char printname[DNS_NAME_FORMATSIZE];
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "no_references: delete from rbt: %p %s",
- node,
- dns_rbt_formatnodename(node, printname,
- sizeof(printname)));
- }
-
- result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
- "no_references: dns_rbt_deletenode: %s",
- isc_result_totext(result));
- }
-
- /*
- * Relock a read lock, or unlock the write lock if no lock was held.
- */
- if (lock == isc_rwlocktype_none)
- if (write_locked)
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-
- if (lock == isc_rwlocktype_read)
- if (write_locked)
- isc_rwlock_downgrade(&rbtdb->tree_lock);
-}
-
-static inline void
-make_least_version(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
- rbtdb_changedlist_t *cleanup_list)
-{
- /*
- * Caller must be holding the database lock.
- */
-
- rbtdb->least_serial = version->serial;
- *cleanup_list = version->changed_list;
- ISC_LIST_INIT(version->changed_list);
-}
-
-static inline void
-cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
- rbtdb_changed_t *changed, *next_changed;
-
- /*
- * If the changed record is dirty, then
- * an update created multiple versions of
- * a given rdataset. We keep this list
- * until we're the least open version, at
- * which point it's safe to get rid of any
- * older versions.
- *
- * If the changed record isn't dirty, then
- * we don't need it anymore since we're
- * committing and not rolling back.
- *
- * The caller must be holding the database lock.
- */
- for (changed = HEAD(version->changed_list);
- changed != NULL;
- changed = next_changed) {
- next_changed = NEXT(changed, link);
- if (!changed->dirty) {
- UNLINK(version->changed_list,
- changed, link);
- APPEND(*cleanup_list,
- changed, link);
- }
- }
-}
-
-static void
-closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- rbtdb_version_t *version, *cleanup_version, *least_greater;
- isc_boolean_t rollback = ISC_FALSE;
- rbtdb_changedlist_t cleanup_list;
- rbtdb_changed_t *changed, *next_changed;
- rbtdb_serial_t serial, least_serial;
- dns_rbtnode_t *rbtnode;
- isc_mutex_t *lock;
-
- REQUIRE(VALID_RBTDB(rbtdb));
- version = (rbtdb_version_t *)*versionp;
-
- cleanup_version = NULL;
- ISC_LIST_INIT(cleanup_list);
-
- LOCK(&rbtdb->lock);
- INSIST(version->references > 0);
- INSIST(!version->writer || !(commit && version->references > 1));
- version->references--;
- serial = version->serial;
- if (version->references == 0) {
- if (version->writer) {
- if (commit) {
- INSIST(version->commit_ok);
- INSIST(version == rbtdb->future_version);
- if (EMPTY(rbtdb->open_versions)) {
- /*
- * We're going to become the least open
- * version.
- */
- make_least_version(rbtdb, version,
- &cleanup_list);
- } else {
- /*
- * Some other open version is the
- * least version. We can't cleanup
- * records that were changed in this
- * version because the older versions
- * may still be in use by an open
- * version.
- *
- * We can, however, discard the
- * changed records for things that
- * we've added that didn't exist in
- * prior versions.
- */
- cleanup_nondirty(version,
- &cleanup_list);
- }
- /*
- * If the (soon to be former) current version
- * isn't being used by anyone, we can clean
- * it up.
- */
- if (rbtdb->current_version->references == 0) {
- cleanup_version =
- rbtdb->current_version;
- APPENDLIST(version->changed_list,
- cleanup_version->changed_list,
- link);
- }
- /*
- * Become the current version.
- */
- version->writer = ISC_FALSE;
- rbtdb->current_version = version;
- rbtdb->current_serial = version->serial;
- rbtdb->future_version = NULL;
- } else {
- /*
- * We're rolling back this transaction.
- */
- cleanup_list = version->changed_list;
- ISC_LIST_INIT(version->changed_list);
- rollback = ISC_TRUE;
- cleanup_version = version;
- rbtdb->future_version = NULL;
- }
- } else {
- if (version != rbtdb->current_version) {
- /*
- * There are no external or internal references
- * to this version and it can be cleaned up.
- */
- cleanup_version = version;
-
- /*
- * Find the version with the least serial
- * number greater than ours.
- */
- least_greater = PREV(version, link);
- if (least_greater == NULL)
- least_greater = rbtdb->current_version;
-
- INSIST(version->serial < least_greater->serial);
- /*
- * Is this the least open version?
- */
- if (version->serial == rbtdb->least_serial) {
- /*
- * Yes. Install the new least open
- * version.
- */
- make_least_version(rbtdb,
- least_greater,
- &cleanup_list);
- } else {
- /*
- * Add any unexecuted cleanups to
- * those of the least greater version.
- */
- APPENDLIST(least_greater->changed_list,
- version->changed_list,
- link);
- }
- } else if (version->serial == rbtdb->least_serial)
- INSIST(EMPTY(version->changed_list));
- UNLINK(rbtdb->open_versions, version, link);
- }
- }
- least_serial = rbtdb->least_serial;
- UNLOCK(&rbtdb->lock);
-
- if (cleanup_version != NULL) {
- INSIST(EMPTY(cleanup_version->changed_list));
- isc_mem_put(rbtdb->common.mctx, cleanup_version,
- sizeof(*cleanup_version));
- }
-
- if (!EMPTY(cleanup_list)) {
- for (changed = HEAD(cleanup_list);
- changed != NULL;
- changed = next_changed) {
- next_changed = NEXT(changed, link);
- rbtnode = changed->node;
- lock = &rbtdb->node_locks[rbtnode->locknum].lock;
-
- LOCK(lock);
-
- INSIST(rbtnode->references > 0);
- rbtnode->references--;
- if (rollback)
- rollback_node(rbtnode, serial);
-
- if (rbtnode->references == 0)
- no_references(rbtdb, rbtnode, least_serial,
- isc_rwlocktype_none);
-
- UNLOCK(lock);
-
- isc_mem_put(rbtdb->common.mctx, changed,
- sizeof(*changed));
- }
- }
-
- *versionp = NULL;
-}
-
-/*
- * Add the necessary magic for the wildcard name 'name'
- * to be found in 'rbtdb'.
- *
- * In order for wildcard matching to work correctly in
- * zone_find(), we must ensure that a node for the wildcarding
- * level exists in the database, and has its 'find_callback'
- * and 'wild' bits set.
- *
- * E.g. if the wildcard name is "*.sub.example." then we
- * must ensure that "sub.example." exists and is marked as
- * a wildcard level.
- */
-static isc_result_t
-add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
- isc_result_t result;
- dns_name_t foundname;
- dns_offsets_t offsets;
- unsigned int n;
- dns_rbtnode_t *node = NULL;
-
- dns_name_init(&foundname, offsets);
- n = dns_name_countlabels(name);
- INSIST(n >= 2);
- n--;
- dns_name_getlabelsequence(name, 1, n, &foundname);
- result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
- if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
- return (result);
- node->find_callback = 1;
- node->wild = 1;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
- isc_result_t result;
- dns_name_t foundname;
- dns_offsets_t offsets;
- unsigned int n, l, i;
-
- dns_name_init(&foundname, offsets);
- n = dns_name_countlabels(name);
- l = dns_name_countlabels(&rbtdb->common.origin);
- i = l + 1;
- while (i < n) {
- dns_rbtnode_t *node = NULL; /* dummy */
- dns_name_getlabelsequence(name, n - i, i, &foundname);
- if (dns_name_iswildcard(&foundname)) {
- result = add_wildcard_magic(rbtdb, &foundname);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_rbt_addnode(rbtdb->tree, &foundname,
- &node);
- if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
- return (result);
- }
- i++;
- }
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
- dns_dbnode_t **nodep)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *node = NULL;
- dns_name_t nodename;
- unsigned int locknum;
- isc_result_t result;
- isc_rwlocktype_t locktype = isc_rwlocktype_read;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- dns_name_init(&nodename, NULL);
- RWLOCK(&rbtdb->tree_lock, locktype);
- result = dns_rbt_findnode(rbtdb->tree, name, NULL, &node, NULL,
- DNS_RBTFIND_EMPTYDATA, NULL, NULL);
- if (result != ISC_R_SUCCESS) {
- RWUNLOCK(&rbtdb->tree_lock, locktype);
- if (!create) {
- if (result == DNS_R_PARTIALMATCH)
- result = ISC_R_NOTFOUND;
- return (result);
- }
- /*
- * It would be nice to try to upgrade the lock instead of
- * unlocking then relocking.
- */
- locktype = isc_rwlocktype_write;
- RWLOCK(&rbtdb->tree_lock, locktype);
- node = NULL;
- result = dns_rbt_addnode(rbtdb->tree, name, &node);
- if (result == ISC_R_SUCCESS) {
- dns_rbt_namefromnode(node, &nodename);
-#ifdef DNS_RBT_USEHASH
- node->locknum = node->hashval % rbtdb->node_lock_count;
-#else
- node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
- rbtdb->node_lock_count;
-#endif
- add_empty_wildcards(rbtdb, name);
-
- if (dns_name_iswildcard(name)) {
- result = add_wildcard_magic(rbtdb, name);
- if (result != ISC_R_SUCCESS) {
- RWUNLOCK(&rbtdb->tree_lock, locktype);
- return (result);
- }
- }
- } else if (result != ISC_R_EXISTS) {
- RWUNLOCK(&rbtdb->tree_lock, locktype);
- return (result);
- }
- }
- locknum = node->locknum;
- LOCK(&rbtdb->node_locks[locknum].lock);
- new_reference(rbtdb, node);
- UNLOCK(&rbtdb->node_locks[locknum].lock);
- RWUNLOCK(&rbtdb->tree_lock, locktype);
-
- *nodep = (dns_dbnode_t *)node;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
- rbtdb_search_t *search = arg;
- rdatasetheader_t *header, *header_next;
- rdatasetheader_t *dname_header, *sigdname_header, *ns_header;
- rdatasetheader_t *found;
- isc_result_t result;
- dns_rbtnode_t *onode;
-
- /*
- * We only want to remember the topmost zone cut, since it's the one
- * that counts, so we'll just continue if we've already found a
- * zonecut.
- */
- if (search->zonecut != NULL)
- return (DNS_R_CONTINUE);
-
- found = NULL;
- result = DNS_R_CONTINUE;
- onode = search->rbtdb->origin_node;
-
- LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
-
- /*
- * Look for an NS or DNAME rdataset active in our version.
- */
- ns_header = NULL;
- dname_header = NULL;
- sigdname_header = NULL;
- for (header = node->data; header != NULL; header = header_next) {
- header_next = header->next;
- if (header->type == dns_rdatatype_ns ||
- header->type == dns_rdatatype_dname ||
- header->type == RBTDB_RDATATYPE_SIGDNAME) {
- do {
- if (header->serial <= search->serial &&
- !IGNORE(header)) {
- /*
- * Is this a "this rdataset doesn't
- * exist" record?
- */
- if (NONEXISTENT(header))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL) {
- if (header->type == dns_rdatatype_dname)
- dname_header = header;
- else if (header->type ==
- RBTDB_RDATATYPE_SIGDNAME)
- sigdname_header = header;
- else if (node != onode ||
- IS_STUB(search->rbtdb)) {
- /*
- * We've found an NS rdataset that
- * isn't at the origin node. We check
- * that they're not at the origin node,
- * because otherwise we'd erroneously
- * treat the zone top as if it were
- * a delegation.
- */
- ns_header = header;
- }
- }
- }
- }
-
- /*
- * Did we find anything?
- */
- if (dname_header != NULL) {
- /*
- * Note that DNAME has precedence over NS if both exist.
- */
- found = dname_header;
- search->zonecut_sigrdataset = sigdname_header;
- } else if (ns_header != NULL) {
- found = ns_header;
- search->zonecut_sigrdataset = NULL;
- }
-
- if (found != NULL) {
- /*
- * We increment the reference count on node to ensure that
- * search->zonecut_rdataset will still be valid later.
- */
- new_reference(search->rbtdb, node);
- search->zonecut = node;
- search->zonecut_rdataset = found;
- search->need_cleanup = ISC_TRUE;
- /*
- * Since we've found a zonecut, anything beneath it is
- * glue and is not subject to wildcard matching, so we
- * may clear search->wild.
- */
- search->wild = ISC_FALSE;
- if ((search->options & DNS_DBFIND_GLUEOK) == 0) {
- /*
- * If the caller does not want to find glue, then
- * this is the best answer and the search should
- * stop now.
- */
- result = DNS_R_PARTIALMATCH;
- } else {
- dns_name_t *zcname;
-
- /*
- * The search will continue beneath the zone cut.
- * This may or may not be the best match. In case it
- * is, we need to remember the node name.
- */
- zcname = dns_fixedname_name(&search->zonecut_name);
- RUNTIME_CHECK(dns_name_copy(name, zcname, NULL) ==
- ISC_R_SUCCESS);
- search->copy_name = ISC_TRUE;
- }
- } else {
- /*
- * There is no zonecut at this node which is active in this
- * version.
- *
- * If this is a "wild" node and the caller hasn't disabled
- * wildcard matching, remember that we've seen a wild node
- * in case we need to go searching for wildcard matches
- * later on.
- */
- if (node->wild && (search->options & DNS_DBFIND_NOWILD) == 0)
- search->wild = ISC_TRUE;
- }
-
- UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
-
- return (result);
-}
-
-static inline void
-bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
- rdatasetheader_t *header, isc_stdtime_t now,
- dns_rdataset_t *rdataset)
-{
- unsigned char *raw;
-
- /*
- * Caller must be holding the node lock.
- */
-
- if (rdataset == NULL)
- return;
-
- new_reference(rbtdb, node);
-
- INSIST(rdataset->methods == NULL); /* We must be disassociated. */
-
- rdataset->methods = &rdataset_methods;
- rdataset->rdclass = rbtdb->common.rdclass;
- rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
- rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
- rdataset->ttl = header->ttl - now;
- rdataset->trust = header->trust;
- if (NXDOMAIN(header))
- rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
- rdataset->private1 = rbtdb;
- rdataset->private2 = node;
- raw = (unsigned char *)header + sizeof(*header);
- rdataset->private3 = raw;
- rdataset->count = header->count++;
- if (header->count == ISC_UINT32_MAX)
- header->count = 0;
-
- /*
- * Reset iterator state.
- */
- rdataset->privateuint4 = 0;
- rdataset->private5 = NULL;
-
- /*
- * Add noqname proof.
- */
- rdataset->private6 = header->noqname;
- if (rdataset->private6 != NULL)
- rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
-}
-
-static inline isc_result_t
-setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
- dns_name_t *foundname, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_name_t *zcname;
- rbtdb_rdatatype_t type;
- dns_rbtnode_t *node;
-
- /*
- * The caller MUST NOT be holding any node locks.
- */
-
- node = search->zonecut;
- type = search->zonecut_rdataset->type;
-
- /*
- * If we have to set foundname, we do it before anything else.
- * If we were to set foundname after we had set nodep or bound the
- * rdataset, then we'd have to undo that work if dns_name_copy()
- * failed. By setting foundname first, there's nothing to undo if
- * we have trouble.
- */
- if (foundname != NULL && search->copy_name) {
- zcname = dns_fixedname_name(&search->zonecut_name);
- result = dns_name_copy(zcname, foundname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- if (nodep != NULL) {
- /*
- * Note that we don't have to increment the node's reference
- * count here because we're going to use the reference we
- * already have in the search block.
- */
- *nodep = node;
- search->need_cleanup = ISC_FALSE;
- }
- if (rdataset != NULL) {
- LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
- bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
- search->now, rdataset);
- if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
- bind_rdataset(search->rbtdb, node,
- search->zonecut_sigrdataset,
- search->now, sigrdataset);
- UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
- }
-
- if (type == dns_rdatatype_dname)
- return (DNS_R_DNAME);
- return (DNS_R_DELEGATION);
-}
-
-static inline isc_boolean_t
-valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
- dns_rbtnode_t *node)
-{
- unsigned char *raw;
- unsigned int count, size;
- dns_name_t ns_name;
- isc_boolean_t valid = ISC_FALSE;
- dns_offsets_t offsets;
- isc_region_t region;
- rdatasetheader_t *header;
-
- /*
- * No additional locking is required.
- */
-
- /*
- * Valid glue types are A, AAAA, A6. NS is also a valid glue type
- * if it occurs at a zone cut, but is not valid below it.
- */
- if (type == dns_rdatatype_ns) {
- if (node != search->zonecut) {
- return (ISC_FALSE);
- }
- } else if (type != dns_rdatatype_a &&
- type != dns_rdatatype_aaaa &&
- type != dns_rdatatype_a6) {
- return (ISC_FALSE);
- }
-
- header = search->zonecut_rdataset;
- raw = (unsigned char *)header + sizeof(*header);
- count = raw[0] * 256 + raw[1];
- raw += 2;
-
- while (count > 0) {
- count--;
- size = raw[0] * 256 + raw[1];
- raw += 2;
- region.base = raw;
- region.length = size;
- raw += size;
- /*
- * XXX Until we have rdata structures, we have no choice but
- * to directly access the rdata format.
- */
- dns_name_init(&ns_name, offsets);
- dns_name_fromregion(&ns_name, &region);
- if (dns_name_compare(&ns_name, name) == 0) {
- valid = ISC_TRUE;
- break;
- }
- }
-
- return (valid);
-}
-
-static inline isc_boolean_t
-activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
- dns_name_t *name)
-{
- dns_fixedname_t fnext;
- dns_fixedname_t forigin;
- dns_name_t *next;
- dns_name_t *origin;
- dns_name_t prefix;
- dns_rbtdb_t *rbtdb;
- dns_rbtnode_t *node;
- isc_result_t result;
- isc_boolean_t answer = ISC_FALSE;
- rdatasetheader_t *header;
-
- rbtdb = search->rbtdb;
-
- dns_name_init(&prefix, NULL);
- dns_fixedname_init(&fnext);
- next = dns_fixedname_name(&fnext);
- dns_fixedname_init(&forigin);
- origin = dns_fixedname_name(&forigin);
-
- result = dns_rbtnodechain_next(chain, NULL, NULL);
- while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
- node = NULL;
- result = dns_rbtnodechain_current(chain, &prefix,
- origin, &node);
- if (result != ISC_R_SUCCESS)
- break;
- LOCK(&(rbtdb->node_locks[node->locknum].lock));
- for (header = node->data;
- header != NULL;
- header = header->next) {
- if (header->serial <= search->serial &&
- !IGNORE(header) && EXISTS(header))
- break;
- }
- UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
- if (header != NULL)
- break;
- result = dns_rbtnodechain_next(chain, NULL, NULL);
- }
- if (result == ISC_R_SUCCESS)
- result = dns_name_concatenate(&prefix, origin, next, NULL);
- if (result == ISC_R_SUCCESS && dns_name_issubdomain(next, name))
- answer = ISC_TRUE;
- return (answer);
-}
-
-static inline isc_boolean_t
-activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
- dns_fixedname_t fnext;
- dns_fixedname_t forigin;
- dns_fixedname_t fprev;
- dns_name_t *next;
- dns_name_t *origin;
- dns_name_t *prev;
- dns_name_t name;
- dns_name_t rname;
- dns_name_t tname;
- dns_rbtdb_t *rbtdb;
- dns_rbtnode_t *node;
- dns_rbtnodechain_t chain;
- isc_boolean_t check_next = ISC_TRUE;
- isc_boolean_t check_prev = ISC_TRUE;
- isc_boolean_t answer = ISC_FALSE;
- isc_result_t result;
- rdatasetheader_t *header;
- unsigned int n;
-
- rbtdb = search->rbtdb;
-
- dns_name_init(&name, NULL);
- dns_name_init(&tname, NULL);
- dns_name_init(&rname, NULL);
- dns_fixedname_init(&fnext);
- next = dns_fixedname_name(&fnext);
- dns_fixedname_init(&fprev);
- prev = dns_fixedname_name(&fprev);
- dns_fixedname_init(&forigin);
- origin = dns_fixedname_name(&forigin);
-
- /*
- * Find if qname is at or below a empty node.
- * Use our own copy of the chain.
- */
-
- chain = search->chain;
- do {
- node = NULL;
- result = dns_rbtnodechain_current(&chain, &name,
- origin, &node);
- if (result != ISC_R_SUCCESS)
- break;
- LOCK(&(rbtdb->node_locks[node->locknum].lock));
- for (header = node->data;
- header != NULL;
- header = header->next) {
- if (header->serial <= search->serial &&
- !IGNORE(header) && EXISTS(header))
- break;
- }
- UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
- if (header != NULL)
- break;
- result = dns_rbtnodechain_prev(&chain, NULL, NULL);
- } while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN);
- if (result == ISC_R_SUCCESS)
- result = dns_name_concatenate(&name, origin, prev, NULL);
- if (result != ISC_R_SUCCESS)
- check_prev = ISC_FALSE;
-
- result = dns_rbtnodechain_next(&chain, NULL, NULL);
- while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
- node = NULL;
- result = dns_rbtnodechain_current(&chain, &name,
- origin, &node);
- if (result != ISC_R_SUCCESS)
- break;
- LOCK(&(rbtdb->node_locks[node->locknum].lock));
- for (header = node->data;
- header != NULL;
- header = header->next) {
- if (header->serial <= search->serial &&
- !IGNORE(header) && EXISTS(header))
- break;
- }
- UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
- if (header != NULL)
- break;
- result = dns_rbtnodechain_next(&chain, NULL, NULL);
- }
- if (result == ISC_R_SUCCESS)
- result = dns_name_concatenate(&name, origin, next, NULL);
- if (result != ISC_R_SUCCESS)
- check_next = ISC_FALSE;
-
- dns_name_clone(qname, &rname);
-
- /*
- * Remove the wildcard label to find the terminal name.
- */
- n = dns_name_countlabels(wname);
- dns_name_getlabelsequence(wname, 1, n - 1, &tname);
-
- do {
- if ((check_prev && dns_name_issubdomain(prev, &rname)) ||
- (check_next && dns_name_issubdomain(next, &rname))) {
- answer = ISC_TRUE;
- break;
- }
- /*
- * Remove the left hand label.
- */
- n = dns_name_countlabels(&rname);
- dns_name_getlabelsequence(&rname, 1, n - 1, &rname);
- } while (!dns_name_equal(&rname, &tname));
- return (answer);
-}
-
-static inline isc_result_t
-find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
- dns_name_t *qname)
-{
- unsigned int i, j;
- dns_rbtnode_t *node, *level_node, *wnode;
- rdatasetheader_t *header;
- isc_result_t result = ISC_R_NOTFOUND;
- dns_name_t name;
- dns_name_t *wname;
- dns_fixedname_t fwname;
- dns_rbtdb_t *rbtdb;
- isc_boolean_t done, wild, active;
- dns_rbtnodechain_t wchain;
-
- /*
- * Caller must be holding the tree lock and MUST NOT be holding
- * any node locks.
- */
-
- /*
- * Examine each ancestor level. If the level's wild bit
- * is set, then construct the corresponding wildcard name and
- * search for it. If the wildcard node exists, and is active in
- * this version, we're done. If not, then we next check to see
- * if the ancestor is active in this version. If so, then there
- * can be no possible wildcard match and again we're done. If not,
- * continue the search.
- */
-
- rbtdb = search->rbtdb;
- i = search->chain.level_matches;
- done = ISC_FALSE;
- node = *nodep;
- do {
- LOCK(&(rbtdb->node_locks[node->locknum].lock));
-
- /*
- * First we try to figure out if this node is active in
- * the search's version. We do this now, even though we
- * may not need the information, because it simplifies the
- * locking and code flow.
- */
- for (header = node->data;
- header != NULL;
- header = header->next) {
- if (header->serial <= search->serial &&
- !IGNORE(header) && EXISTS(header))
- break;
- }
- if (header != NULL)
- active = ISC_TRUE;
- else
- active = ISC_FALSE;
-
- if (node->wild)
- wild = ISC_TRUE;
- else
- wild = ISC_FALSE;
-
- UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
-
- if (wild) {
- /*
- * Construct the wildcard name for this level.
- */
- dns_name_init(&name, NULL);
- dns_rbt_namefromnode(node, &name);
- dns_fixedname_init(&fwname);
- wname = dns_fixedname_name(&fwname);
- result = dns_name_concatenate(dns_wildcardname, &name,
- wname, NULL);
- j = i;
- while (result == ISC_R_SUCCESS && j != 0) {
- j--;
- level_node = search->chain.levels[j];
- dns_name_init(&name, NULL);
- dns_rbt_namefromnode(level_node, &name);
- result = dns_name_concatenate(wname,
- &name,
- wname,
- NULL);
- }
- if (result != ISC_R_SUCCESS)
- break;
-
- wnode = NULL;
- dns_rbtnodechain_init(&wchain, NULL);
- result = dns_rbt_findnode(rbtdb->tree, wname,
- NULL, &wnode, &wchain,
- DNS_RBTFIND_EMPTYDATA,
- NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- /*
- * We have found the wildcard node. If it
- * is active in the search's version, we're
- * done.
- */
- LOCK(&(rbtdb->node_locks[wnode->locknum].lock));
- for (header = wnode->data;
- header != NULL;
- header = header->next) {
- if (header->serial <= search->serial &&
- !IGNORE(header) && EXISTS(header))
- break;
- }
- UNLOCK(&(rbtdb->node_locks[wnode->locknum].lock));
- if (header != NULL ||
- activeempty(search, &wchain, wname)) {
- if (activeemtpynode(search, qname, wname))
- return (ISC_R_NOTFOUND);
- /*
- * The wildcard node is active!
- *
- * Note: result is still ISC_R_SUCCESS
- * so we don't have to set it.
- */
- *nodep = wnode;
- break;
- }
- } else if (result != ISC_R_NOTFOUND &&
- result != DNS_R_PARTIALMATCH) {
- /*
- * An error has occurred. Bail out.
- */
- break;
- }
- }
-
- if (active) {
- /*
- * The level node is active. Any wildcarding
- * present at higher levels has no
- * effect and we're done.
- */
- result = ISC_R_NOTFOUND;
- break;
- }
-
- if (i > 0) {
- i--;
- node = search->chain.levels[i];
- } else
- done = ISC_TRUE;
- } while (!done);
-
- return (result);
-}
-
-static inline isc_result_t
-find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
- dns_name_t *foundname, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset, isc_boolean_t need_sig)
-{
- dns_rbtnode_t *node;
- rdatasetheader_t *header, *header_next, *found, *foundsig;
- isc_boolean_t empty_node;
- isc_result_t result;
- dns_fixedname_t fname, forigin;
- dns_name_t *name, *origin;
-
- do {
- node = NULL;
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- dns_fixedname_init(&forigin);
- origin = dns_fixedname_name(&forigin);
- result = dns_rbtnodechain_current(&search->chain, name,
- origin, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
- LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
- found = NULL;
- foundsig = NULL;
- empty_node = ISC_TRUE;
- for (header = node->data;
- header != NULL;
- header = header_next) {
- header_next = header->next;
- /*
- * Look for an active, extant NSEC or RRSIG NSEC.
- */
- do {
- if (header->serial <= search->serial &&
- !IGNORE(header)) {
- /*
- * Is this a "this rdataset doesn't
- * exist" record?
- */
- if (NONEXISTENT(header))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL) {
- /*
- * We now know that there is at least one
- * active rdataset at this node.
- */
- empty_node = ISC_FALSE;
- if (header->type == dns_rdatatype_nsec) {
- found = header;
- if (foundsig != NULL)
- break;
- } else if (header->type ==
- RBTDB_RDATATYPE_SIGNSEC) {
- foundsig = header;
- if (found != NULL)
- break;
- }
- }
- }
- if (!empty_node) {
- if (found != NULL &&
- (foundsig != NULL || !need_sig))
- {
- /*
- * We've found the right NSEC record.
- *
- * Note: for this to really be the right
- * NSEC record, it's essential that the NSEC
- * records of any nodes obscured by a zone
- * cut have been removed; we assume this is
- * the case.
- */
- result = dns_name_concatenate(name, origin,
- foundname, NULL);
- if (result == ISC_R_SUCCESS) {
- if (nodep != NULL) {
- new_reference(search->rbtdb,
- node);
- *nodep = node;
- }
- bind_rdataset(search->rbtdb, node,
- found, search->now,
- rdataset);
- if (foundsig != NULL)
- bind_rdataset(search->rbtdb,
- node,
- foundsig,
- search->now,
- sigrdataset);
- }
- } else if (found == NULL && foundsig == NULL) {
- /*
- * This node is active, but has no NSEC or
- * RRSIG NSEC. That means it's glue or
- * other obscured zone data that isn't
- * relevant for our search. Treat the
- * node as if it were empty and keep looking.
- */
- empty_node = ISC_TRUE;
- result = dns_rbtnodechain_prev(&search->chain,
- NULL, NULL);
- } else {
- /*
- * We found an active node, but either the
- * NSEC or the RRSIG NSEC is missing. This
- * shouldn't happen.
- */
- result = DNS_R_BADDB;
- }
- } else {
- /*
- * This node isn't active. We've got to keep
- * looking.
- */
- result = dns_rbtnodechain_prev(&search->chain, NULL,
- NULL);
- }
- UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
- } while (empty_node && result == ISC_R_SUCCESS);
-
- /*
- * If the result is ISC_R_NOMORE, then we got to the beginning of
- * the database and didn't find a NSEC record. This shouldn't
- * happen.
- */
- if (result == ISC_R_NOMORE)
- result = DNS_R_BADDB;
-
- return (result);
-}
-
-static isc_result_t
-zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
- dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- dns_rbtnode_t *node = NULL;
- isc_result_t result;
- rbtdb_search_t search;
- isc_boolean_t cname_ok = ISC_TRUE;
- isc_boolean_t close_version = ISC_FALSE;
- isc_boolean_t maybe_zonecut = ISC_FALSE;
- isc_boolean_t at_zonecut = ISC_FALSE;
- isc_boolean_t wild;
- isc_boolean_t empty_node;
- isc_mutex_t *lock;
- rdatasetheader_t *header, *header_next, *found, *nsecheader;
- rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
- rbtdb_rdatatype_t sigtype;
- isc_boolean_t active;
- dns_rbtnodechain_t chain;
-
-
- search.rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(search.rbtdb));
-
- /*
- * We don't care about 'now'.
- */
- UNUSED(now);
-
- /*
- * If the caller didn't supply a version, attach to the current
- * version.
- */
- if (version == NULL) {
- currentversion(db, &version);
- close_version = ISC_TRUE;
- }
-
- search.rbtversion = version;
- search.serial = search.rbtversion->serial;
- search.options = options;
- search.copy_name = ISC_FALSE;
- search.need_cleanup = ISC_FALSE;
- search.wild = ISC_FALSE;
- search.zonecut = NULL;
- dns_fixedname_init(&search.zonecut_name);
- dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
- search.now = 0;
-
- /*
- * 'wild' will be true iff. we've matched a wildcard.
- */
- wild = ISC_FALSE;
-
- RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
- /*
- * Search down from the root of the tree. If, while going down, we
- * encounter a callback node, zone_zonecut_callback() will search the
- * rdatasets at the zone cut for active DNAME or NS rdatasets.
- */
- result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
- &search.chain, DNS_RBTFIND_EMPTYDATA,
- zone_zonecut_callback, &search);
-
- if (result == DNS_R_PARTIALMATCH) {
- partial_match:
- if (search.zonecut != NULL) {
- result = setup_delegation(&search, nodep, foundname,
- rdataset, sigrdataset);
- goto tree_exit;
- }
-
- if (search.wild) {
- /*
- * At least one of the levels in the search chain
- * potentially has a wildcard. For each such level,
- * we must see if there's a matching wildcard active
- * in the current version.
- */
- result = find_wildcard(&search, &node, name);
- if (result == ISC_R_SUCCESS) {
- result = dns_name_copy(name, foundname, NULL);
- if (result != ISC_R_SUCCESS)
- goto tree_exit;
- wild = ISC_TRUE;
- goto found;
- }
- else if (result != ISC_R_NOTFOUND)
- goto tree_exit;
- }
-
- chain = search.chain;
- active = activeempty(&search, &chain, name);
-
- /*
- * If we're here, then the name does not exist, is not
- * beneath a zonecut, and there's no matching wildcard.
- */
- if (search.rbtdb->secure ||
- (search.options & DNS_DBFIND_FORCENSEC) != 0)
- {
- result = find_closest_nsec(&search, nodep, foundname,
- rdataset, sigrdataset,
- search.rbtdb->secure);
- if (result == ISC_R_SUCCESS)
- result = active ? DNS_R_EMPTYNAME :
- DNS_R_NXDOMAIN;
- } else
- result = active ? DNS_R_EMPTYNAME : DNS_R_NXDOMAIN;
- goto tree_exit;
- } else if (result != ISC_R_SUCCESS)
- goto tree_exit;
-
- found:
- /*
- * We have found a node whose name is the desired name, or we
- * have matched a wildcard.
- */
-
- if (search.zonecut != NULL) {
- /*
- * If we're beneath a zone cut, we don't want to look for
- * CNAMEs because they're not legitimate zone glue.
- */
- cname_ok = ISC_FALSE;
- } else {
- /*
- * The node may be a zone cut itself. If it might be one,
- * make sure we check for it later.
- */
- if (node->find_callback &&
- (node != search.rbtdb->origin_node ||
- IS_STUB(search.rbtdb)) &&
- !dns_rdatatype_atparent(type))
- maybe_zonecut = ISC_TRUE;
- }
-
- /*
- * Certain DNSSEC types are not subject to CNAME matching
- * (RFC 2535, section 2.3.5).
- *
- * We don't check for RRSIG, because we don't store RRSIG records
- * directly.
- */
- if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
- cname_ok = ISC_FALSE;
-
- /*
- * We now go looking for rdata...
- */
-
- LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-
- found = NULL;
- foundsig = NULL;
- sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
- nsecheader = NULL;
- nsecsig = NULL;
- cnamesig = NULL;
- empty_node = ISC_TRUE;
- for (header = node->data; header != NULL; header = header_next) {
- header_next = header->next;
- /*
- * Look for an active, extant rdataset.
- */
- do {
- if (header->serial <= search.serial &&
- !IGNORE(header)) {
- /*
- * Is this a "this rdataset doesn't
- * exist" record?
- */
- if (NONEXISTENT(header))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL) {
- /*
- * We now know that there is at least one active
- * rdataset at this node.
- */
- empty_node = ISC_FALSE;
-
- /*
- * Do special zone cut handling, if requested.
- */
- if (maybe_zonecut &&
- header->type == dns_rdatatype_ns) {
- /*
- * We increment the reference count on node to
- * ensure that search->zonecut_rdataset will
- * still be valid later.
- */
- new_reference(search.rbtdb, node);
- search.zonecut = node;
- search.zonecut_rdataset = header;
- search.zonecut_sigrdataset = NULL;
- search.need_cleanup = ISC_TRUE;
- maybe_zonecut = ISC_FALSE;
- at_zonecut = ISC_TRUE;
- if ((search.options & DNS_DBFIND_GLUEOK) == 0
- && type != dns_rdatatype_nsec
- && type != dns_rdatatype_dnskey) {
- /*
- * Glue is not OK, but any answer we
- * could return would be glue. Return
- * the delegation.
- */
- found = NULL;
- break;
- }
- if (found != NULL && foundsig != NULL)
- break;
- }
-
- /*
- * If we found a type we were looking for,
- * remember it.
- */
- if (header->type == type ||
- type == dns_rdatatype_any ||
- (header->type == dns_rdatatype_cname &&
- cname_ok)) {
- /*
- * We've found the answer!
- */
- found = header;
- if (header->type == dns_rdatatype_cname &&
- cname_ok) {
- /*
- * We may be finding a CNAME instead
- * of the desired type.
- *
- * If we've already got the CNAME RRSIG,
- * use it, otherwise change sigtype
- * so that we find it.
- */
- if (cnamesig != NULL)
- foundsig = cnamesig;
- else
- sigtype =
- RBTDB_RDATATYPE_SIGCNAME;
- }
- /*
- * If we've got all we need, end the search.
- */
- if (!maybe_zonecut && foundsig != NULL)
- break;
- } else if (header->type == sigtype) {
- /*
- * We've found the RRSIG rdataset for our
- * target type. Remember it.
- */
- foundsig = header;
- /*
- * If we've got all we need, end the search.
- */
- if (!maybe_zonecut && found != NULL)
- break;
- } else if (header->type == dns_rdatatype_nsec) {
- /*
- * Remember a NSEC rdataset even if we're
- * not specifically looking for it, because
- * we might need it later.
- */
- nsecheader = header;
- } else if (header->type == RBTDB_RDATATYPE_SIGNSEC) {
- /*
- * If we need the NSEC rdataset, we'll also
- * need its signature.
- */
- nsecsig = header;
- } else if (cname_ok &&
- header->type == RBTDB_RDATATYPE_SIGCNAME) {
- /*
- * If we get a CNAME match, we'll also need
- * its signature.
- */
- cnamesig = header;
- }
- }
- }
-
- if (empty_node) {
- /*
- * We have an exact match for the name, but there are no
- * active rdatasets in the desired version. That means that
- * this node doesn't exist in the desired version, and that
- * we really have a partial match.
- */
- if (!wild) {
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
- goto partial_match;
- }
- }
-
- /*
- * If we didn't find what we were looking for...
- */
- if (found == NULL) {
- if (search.zonecut != NULL) {
- /*
- * We were trying to find glue at a node beneath a
- * zone cut, but didn't.
- *
- * Return the delegation.
- */
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
- result = setup_delegation(&search, nodep, foundname,
- rdataset, sigrdataset);
- goto tree_exit;
- }
- /*
- * The desired type doesn't exist.
- */
- result = DNS_R_NXRRSET;
- if (search.rbtdb->secure &&
- (nsecheader == NULL || nsecsig == NULL)) {
- /*
- * The zone is secure but there's no NSEC,
- * or the NSEC has no signature!
- */
- if (!wild) {
- result = DNS_R_BADDB;
- goto node_exit;
- }
-
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
- result = find_closest_nsec(&search, nodep, foundname,
- rdataset, sigrdataset,
- search.rbtdb->secure);
- if (result == ISC_R_SUCCESS)
- result = DNS_R_EMPTYWILD;
- goto tree_exit;
- }
- if ((search.options & DNS_DBFIND_FORCENSEC) != 0 &&
- nsecheader == NULL)
- {
- /*
- * There's no NSEC record, and we were told
- * to find one.
- */
- result = DNS_R_BADDB;
- goto node_exit;
- }
- if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- *nodep = node;
- }
- if (search.rbtdb->secure ||
- (search.options & DNS_DBFIND_FORCENSEC) != 0)
- {
- bind_rdataset(search.rbtdb, node, nsecheader,
- 0, rdataset);
- if (nsecsig != NULL)
- bind_rdataset(search.rbtdb, node,
- nsecsig, 0, sigrdataset);
- }
- if (wild)
- foundname->attributes |= DNS_NAMEATTR_WILDCARD;
- goto node_exit;
- }
-
- /*
- * We found what we were looking for, or we found a CNAME.
- */
-
- if (type != found->type &&
- type != dns_rdatatype_any &&
- found->type == dns_rdatatype_cname) {
- /*
- * We weren't doing an ANY query and we found a CNAME instead
- * of the type we were looking for, so we need to indicate
- * that result to the caller.
- */
- result = DNS_R_CNAME;
- } else if (search.zonecut != NULL) {
- /*
- * If we're beneath a zone cut, we must indicate that the
- * result is glue, unless we're actually at the zone cut
- * and the type is NSEC or KEY.
- */
- if (search.zonecut == node) {
- if (type == dns_rdatatype_nsec ||
- type == dns_rdatatype_dnskey)
- result = ISC_R_SUCCESS;
- else if (type == dns_rdatatype_any)
- result = DNS_R_ZONECUT;
- else
- result = DNS_R_GLUE;
- } else
- result = DNS_R_GLUE;
- /*
- * We might have found data that isn't glue, but was occluded
- * by a dynamic update. If the caller cares about this, they
- * will have told us to validate glue.
- *
- * XXX We should cache the glue validity state!
- */
- if (result == DNS_R_GLUE &&
- (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
- !valid_glue(&search, foundname, type, node)) {
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
- result = setup_delegation(&search, nodep, foundname,
- rdataset, sigrdataset);
- goto tree_exit;
- }
- } else {
- /*
- * An ordinary successful query!
- */
- result = ISC_R_SUCCESS;
- }
-
- if (nodep != NULL) {
- if (!at_zonecut)
- new_reference(search.rbtdb, node);
- else
- search.need_cleanup = ISC_FALSE;
- *nodep = node;
- }
-
- if (type != dns_rdatatype_any) {
- bind_rdataset(search.rbtdb, node, found, 0, rdataset);
- if (foundsig != NULL)
- bind_rdataset(search.rbtdb, node, foundsig, 0,
- sigrdataset);
- }
-
- if (wild)
- foundname->attributes |= DNS_NAMEATTR_WILDCARD;
-
- node_exit:
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-
- tree_exit:
- RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
- /*
- * If we found a zonecut but aren't going to use it, we have to
- * let go of it.
- */
- if (search.need_cleanup) {
- node = search.zonecut;
- lock = &(search.rbtdb->node_locks[node->locknum].lock);
-
- LOCK(lock);
- INSIST(node->references > 0);
- node->references--;
- if (node->references == 0)
- no_references(search.rbtdb, node, 0,
- isc_rwlocktype_none);
-
- UNLOCK(lock);
- }
-
- if (close_version)
- closeversion(db, &version, ISC_FALSE);
-
- dns_rbtnodechain_reset(&search.chain);
-
- return (result);
-}
-
-static isc_result_t
-zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
- isc_stdtime_t now, dns_dbnode_t **nodep,
- dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- UNUSED(db);
- UNUSED(name);
- UNUSED(options);
- UNUSED(now);
- UNUSED(nodep);
- UNUSED(foundname);
- UNUSED(rdataset);
- UNUSED(sigrdataset);
-
- FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!");
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
- rbtdb_search_t *search = arg;
- rdatasetheader_t *header, *header_prev, *header_next;
- rdatasetheader_t *dname_header, *sigdname_header;
- isc_result_t result;
-
- /* XXX comment */
-
- REQUIRE(search->zonecut == NULL);
-
- /*
- * Keep compiler silent.
- */
- UNUSED(name);
-
- LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
-
- /*
- * Look for a DNAME or RRSIG DNAME rdataset.
- */
- dname_header = NULL;
- sigdname_header = NULL;
- header_prev = NULL;
- for (header = node->data; header != NULL; header = header_next) {
- header_next = header->next;
- if (header->ttl <= search->now) {
- /*
- * This rdataset is stale. If no one else is
- * using the node, we can clean it up right
- * now, otherwise we mark it as stale, and
- * the node as dirty, so it will get cleaned
- * up later.
- */
- if (node->references == 0) {
- INSIST(header->down == NULL);
- if (header_prev != NULL)
- header_prev->next =
- header->next;
- else
- node->data = header->next;
- free_rdataset(search->rbtdb->common.mctx,
- header);
- } else {
- header->attributes |=
- RDATASET_ATTR_STALE;
- node->dirty = 1;
- header_prev = header;
- }
- } else if (header->type == dns_rdatatype_dname &&
- EXISTS(header)) {
- dname_header = header;
- header_prev = header;
- } else if (header->type == RBTDB_RDATATYPE_SIGDNAME &&
- EXISTS(header)) {
- sigdname_header = header;
- header_prev = header;
- } else
- header_prev = header;
- }
-
- if (dname_header != NULL &&
- (dname_header->trust != dns_trust_pending ||
- (search->options & DNS_DBFIND_PENDINGOK) != 0)) {
- /*
- * We increment the reference count on node to ensure that
- * search->zonecut_rdataset will still be valid later.
- */
- new_reference(search->rbtdb, node);
- search->zonecut = node;
- search->zonecut_rdataset = dname_header;
- search->zonecut_sigrdataset = sigdname_header;
- search->need_cleanup = ISC_TRUE;
- result = DNS_R_PARTIALMATCH;
- } else
- result = DNS_R_CONTINUE;
-
- UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
-
- return (result);
-}
-
-static inline isc_result_t
-find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- unsigned int i;
- dns_rbtnode_t *level_node;
- rdatasetheader_t *header, *header_prev, *header_next;
- rdatasetheader_t *found, *foundsig;
- isc_result_t result = ISC_R_NOTFOUND;
- dns_name_t name;
- dns_rbtdb_t *rbtdb;
- isc_boolean_t done;
-
- /*
- * Caller must be holding the tree lock.
- */
-
- rbtdb = search->rbtdb;
- i = search->chain.level_matches;
- done = ISC_FALSE;
- do {
- LOCK(&(rbtdb->node_locks[node->locknum].lock));
-
- /*
- * Look for NS and RRSIG NS rdatasets.
- */
- found = NULL;
- foundsig = NULL;
- header_prev = NULL;
- for (header = node->data;
- header != NULL;
- header = header_next) {
- header_next = header->next;
- if (header->ttl <= search->now) {
- /*
- * This rdataset is stale. If no one else is
- * using the node, we can clean it up right
- * now, otherwise we mark it as stale, and
- * the node as dirty, so it will get cleaned
- * up later.
- */
- if (node->references == 0) {
- INSIST(header->down == NULL);
- if (header_prev != NULL)
- header_prev->next =
- header->next;
- else
- node->data = header->next;
- free_rdataset(rbtdb->common.mctx,
- header);
- } else {
- header->attributes |=
- RDATASET_ATTR_STALE;
- node->dirty = 1;
- header_prev = header;
- }
- } else if (EXISTS(header)) {
- /*
- * We've found an extant rdataset. See if
- * we're interested in it.
- */
- if (header->type == dns_rdatatype_ns) {
- found = header;
- if (foundsig != NULL)
- break;
- } else if (header->type ==
- RBTDB_RDATATYPE_SIGNS) {
- foundsig = header;
- if (found != NULL)
- break;
- }
- header_prev = header;
- } else
- header_prev = header;
- }
-
- if (found != NULL) {
- /*
- * If we have to set foundname, we do it before
- * anything else. If we were to set foundname after
- * we had set nodep or bound the rdataset, then we'd
- * have to undo that work if dns_name_concatenate()
- * failed. By setting foundname first, there's
- * nothing to undo if we have trouble.
- */
- if (foundname != NULL) {
- dns_name_init(&name, NULL);
- dns_rbt_namefromnode(node, &name);
- result = dns_name_copy(&name, foundname, NULL);
- while (result == ISC_R_SUCCESS && i > 0) {
- i--;
- level_node = search->chain.levels[i];
- dns_name_init(&name, NULL);
- dns_rbt_namefromnode(level_node,
- &name);
- result =
- dns_name_concatenate(foundname,
- &name,
- foundname,
- NULL);
- }
- if (result != ISC_R_SUCCESS) {
- *nodep = NULL;
- goto node_exit;
- }
- }
- result = DNS_R_DELEGATION;
- if (nodep != NULL) {
- new_reference(search->rbtdb, node);
- *nodep = node;
- }
- bind_rdataset(search->rbtdb, node, found, search->now,
- rdataset);
- if (foundsig != NULL)
- bind_rdataset(search->rbtdb, node, foundsig,
- search->now, sigrdataset);
- }
-
- node_exit:
- UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
-
- if (found == NULL && i > 0) {
- i--;
- node = search->chain.levels[i];
- } else
- done = ISC_TRUE;
-
- } while (!done);
-
- return (result);
-}
-
-static isc_result_t
-find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
- isc_stdtime_t now, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- dns_rbtnode_t *node;
- rdatasetheader_t *header, *header_next, *header_prev;
- rdatasetheader_t *found, *foundsig;
- isc_boolean_t empty_node;
- isc_result_t result;
- dns_fixedname_t fname, forigin;
- dns_name_t *name, *origin;
- rbtdb_rdatatype_t matchtype, sigmatchtype;
-
- matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0);
- sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
- dns_rdatatype_nsec);
-
- do {
- node = NULL;
- dns_fixedname_init(&fname);
- name = dns_fixedname_name(&fname);
- dns_fixedname_init(&forigin);
- origin = dns_fixedname_name(&forigin);
- result = dns_rbtnodechain_current(&search->chain, name,
- origin, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
- LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
- found = NULL;
- foundsig = NULL;
- empty_node = ISC_TRUE;
- header_prev = NULL;
- for (header = node->data;
- header != NULL;
- header = header_next) {
- header_next = header->next;
- if (header->ttl <= now) {
- /*
- * This rdataset is stale. If no one else is
- * using the node, we can clean it up right
- * now, otherwise we mark it as stale, and the
- * node as dirty, so it will get cleaned up
- * later.
- */
- if (header->ttl > search->now - RBTDB_VIRTUAL)
- header_prev = header;
- else if (node->references == 0) {
- INSIST(header->down == NULL);
- if (header_prev != NULL)
- header_prev->next =
- header->next;
- else
- node->data = header->next;
- free_rdataset(search->rbtdb->common.mctx,
- header);
- } else {
- header->attributes |=
- RDATASET_ATTR_STALE;
- node->dirty = 1;
- header_prev = header;
- }
- continue;
- }
- if (NONEXISTENT(header) || NXDOMAIN(header)) {
- header_prev = header;
- continue;
- }
- empty_node = ISC_FALSE;
- if (header->type == matchtype)
- found = header;
- else if (header->type == sigmatchtype)
- foundsig = header;
- header_prev = header;
- }
- if (found != NULL) {
- result = dns_name_concatenate(name, origin,
- foundname, NULL);
- if (result != ISC_R_SUCCESS)
- goto unlock_node;
- bind_rdataset(search->rbtdb, node, found,
- now, rdataset);
- if (foundsig != NULL)
- bind_rdataset(search->rbtdb, node, foundsig,
- now, sigrdataset);
- new_reference(search->rbtdb, node);
- *nodep = node;
- result = DNS_R_COVERINGNSEC;
- } else if (!empty_node) {
- result = ISC_R_NOTFOUND;
- }else
- result = dns_rbtnodechain_prev(&search->chain, NULL,
- NULL);
- unlock_node:
- UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
- } while (empty_node && result == ISC_R_SUCCESS);
- return (result);
-}
-
-static isc_result_t
-cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
- dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- dns_rbtnode_t *node = NULL;
- isc_result_t result;
- rbtdb_search_t search;
- isc_boolean_t cname_ok = ISC_TRUE;
- isc_boolean_t empty_node;
- isc_mutex_t *lock;
- rdatasetheader_t *header, *header_prev, *header_next;
- rdatasetheader_t *found, *nsheader;
- rdatasetheader_t *foundsig, *nssig, *cnamesig;
- rbtdb_rdatatype_t sigtype, nsectype;
-
- UNUSED(version);
-
- search.rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(search.rbtdb));
- REQUIRE(version == NULL);
-
- if (now == 0)
- isc_stdtime_get(&now);
-
- search.rbtversion = NULL;
- search.serial = 1;
- search.options = options;
- search.copy_name = ISC_FALSE;
- search.need_cleanup = ISC_FALSE;
- search.wild = ISC_FALSE;
- search.zonecut = NULL;
- dns_fixedname_init(&search.zonecut_name);
- dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
- search.now = now;
-
- RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
- /*
- * Search down from the root of the tree. If, while going down, we
- * encounter a callback node, cache_zonecut_callback() will search the
- * rdatasets at the zone cut for a DNAME rdataset.
- */
- result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
- &search.chain, DNS_RBTFIND_EMPTYDATA,
- cache_zonecut_callback, &search);
-
- if (result == DNS_R_PARTIALMATCH) {
- if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) {
- result = find_coveringnsec(&search, nodep, now,
- foundname, rdataset,
- sigrdataset);
- if (result == DNS_R_COVERINGNSEC)
- goto tree_exit;
- }
- if (search.zonecut != NULL) {
- result = setup_delegation(&search, nodep, foundname,
- rdataset, sigrdataset);
- goto tree_exit;
- } else {
- find_ns:
- result = find_deepest_zonecut(&search, node, nodep,
- foundname, rdataset,
- sigrdataset);
- goto tree_exit;
- }
- } else if (result != ISC_R_SUCCESS)
- goto tree_exit;
-
- /*
- * Certain DNSSEC types are not subject to CNAME matching
- * (RFC 2535, section 2.3.5).
- *
- * We don't check for RRSIG, because we don't store RRSIG records
- * directly.
- */
- if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
- cname_ok = ISC_FALSE;
-
- /*
- * We now go looking for rdata...
- */
-
- LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-
- found = NULL;
- foundsig = NULL;
- sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
- nsectype = RBTDB_RDATATYPE_VALUE(0, type);
- nsheader = NULL;
- nssig = NULL;
- cnamesig = NULL;
- empty_node = ISC_TRUE;
- header_prev = NULL;
- for (header = node->data; header != NULL; header = header_next) {
- header_next = header->next;
- if (header->ttl <= now) {
- /*
- * This rdataset is stale. If no one else is using the
- * node, we can clean it up right now, otherwise we
- * mark it as stale, and the node as dirty, so it will
- * get cleaned up later.
- */
- if (header->ttl > now - RBTDB_VIRTUAL)
- header_prev = header;
- else if (node->references == 0) {
- INSIST(header->down == NULL);
- if (header_prev != NULL)
- header_prev->next = header->next;
- else
- node->data = header->next;
- free_rdataset(search.rbtdb->common.mctx,
- header);
- } else {
- header->attributes |= RDATASET_ATTR_STALE;
- node->dirty = 1;
- header_prev = header;
- }
- } else if (EXISTS(header)) {
- /*
- * We now know that there is at least one active
- * non-stale rdataset at this node.
- */
- empty_node = ISC_FALSE;
-
- /*
- * If we found a type we were looking for, remember
- * it.
- */
- if (header->type == type ||
- (type == dns_rdatatype_any &&
- RBTDB_RDATATYPE_BASE(header->type) != 0) ||
- (cname_ok && header->type ==
- dns_rdatatype_cname)) {
- /*
- * We've found the answer.
- */
- found = header;
- if (header->type == dns_rdatatype_cname &&
- cname_ok &&
- cnamesig != NULL) {
- /*
- * If we've already got the CNAME RRSIG,
- * use it, otherwise change sigtype
- * so that we find it.
- */
- if (cnamesig != NULL)
- foundsig = cnamesig;
- else
- sigtype =
- RBTDB_RDATATYPE_SIGCNAME;
- foundsig = cnamesig;
- }
- } else if (header->type == sigtype) {
- /*
- * We've found the RRSIG rdataset for our
- * target type. Remember it.
- */
- foundsig = header;
- } else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
- header->type == nsectype) {
- /*
- * We've found a negative cache entry.
- */
- found = header;
- } else if (header->type == dns_rdatatype_ns) {
- /*
- * Remember a NS rdataset even if we're
- * not specifically looking for it, because
- * we might need it later.
- */
- nsheader = header;
- } else if (header->type == RBTDB_RDATATYPE_SIGNS) {
- /*
- * If we need the NS rdataset, we'll also
- * need its signature.
- */
- nssig = header;
- } else if (cname_ok &&
- header->type == RBTDB_RDATATYPE_SIGCNAME) {
- /*
- * If we get a CNAME match, we'll also need
- * its signature.
- */
- cnamesig = header;
- }
- header_prev = header;
- } else
- header_prev = header;
- }
-
- if (empty_node) {
- /*
- * We have an exact match for the name, but there are no
- * extant rdatasets. That means that this node doesn't
- * meaningfully exist, and that we really have a partial match.
- */
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
- goto find_ns;
- }
-
- /*
- * If we didn't find what we were looking for...
- */
- if (found == NULL ||
- (found->trust == dns_trust_glue &&
- ((options & DNS_DBFIND_GLUEOK) == 0)) ||
- (found->trust == dns_trust_pending &&
- ((options & DNS_DBFIND_PENDINGOK) == 0))) {
- /*
- * If there is an NS rdataset at this node, then this is the
- * deepest zone cut.
- */
- if (nsheader != NULL) {
- if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- *nodep = node;
- }
- bind_rdataset(search.rbtdb, node, nsheader, search.now,
- rdataset);
- if (nssig != NULL)
- bind_rdataset(search.rbtdb, node, nssig,
- search.now, sigrdataset);
- result = DNS_R_DELEGATION;
- goto node_exit;
- }
-
- /*
- * Go find the deepest zone cut.
- */
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
- goto find_ns;
- }
-
- /*
- * We found what we were looking for, or we found a CNAME.
- */
-
- if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- *nodep = node;
- }
-
- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
- /*
- * We found a negative cache entry.
- */
- if (NXDOMAIN(found))
- result = DNS_R_NCACHENXDOMAIN;
- else
- result = DNS_R_NCACHENXRRSET;
- } else if (type != found->type &&
- type != dns_rdatatype_any &&
- found->type == dns_rdatatype_cname) {
- /*
- * We weren't doing an ANY query and we found a CNAME instead
- * of the type we were looking for, so we need to indicate
- * that result to the caller.
- */
- result = DNS_R_CNAME;
- } else {
- /*
- * An ordinary successful query!
- */
- result = ISC_R_SUCCESS;
- }
-
- if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
- result == DNS_R_NCACHENXRRSET) {
- bind_rdataset(search.rbtdb, node, found, search.now,
- rdataset);
- if (foundsig != NULL)
- bind_rdataset(search.rbtdb, node, foundsig, search.now,
- sigrdataset);
- }
-
- node_exit:
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-
- tree_exit:
- RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
- /*
- * If we found a zonecut but aren't going to use it, we have to
- * let go of it.
- */
- if (search.need_cleanup) {
- node = search.zonecut;
- lock = &(search.rbtdb->node_locks[node->locknum].lock);
-
- LOCK(lock);
- INSIST(node->references > 0);
- node->references--;
- if (node->references == 0)
- no_references(search.rbtdb, node, 0,
- isc_rwlocktype_none);
- UNLOCK(lock);
- }
-
- dns_rbtnodechain_reset(&search.chain);
-
- return (result);
-}
-
-static isc_result_t
-cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
- isc_stdtime_t now, dns_dbnode_t **nodep,
- dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- dns_rbtnode_t *node = NULL;
- isc_result_t result;
- rbtdb_search_t search;
- rdatasetheader_t *header, *header_prev, *header_next;
- rdatasetheader_t *found, *foundsig;
- unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA;
-
- search.rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(search.rbtdb));
-
- if (now == 0)
- isc_stdtime_get(&now);
-
- search.rbtversion = NULL;
- search.serial = 1;
- search.options = options;
- search.copy_name = ISC_FALSE;
- search.need_cleanup = ISC_FALSE;
- search.wild = ISC_FALSE;
- search.zonecut = NULL;
- dns_fixedname_init(&search.zonecut_name);
- dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
- search.now = now;
-
- if ((options & DNS_DBFIND_NOEXACT) != 0)
- rbtoptions |= DNS_RBTFIND_NOEXACT;
-
- RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
- /*
- * Search down from the root of the tree.
- */
- result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
- &search.chain, rbtoptions, NULL, &search);
-
- if (result == DNS_R_PARTIALMATCH) {
- find_ns:
- result = find_deepest_zonecut(&search, node, nodep, foundname,
- rdataset, sigrdataset);
- goto tree_exit;
- } else if (result != ISC_R_SUCCESS)
- goto tree_exit;
-
- /*
- * We now go looking for an NS rdataset at the node.
- */
-
- LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-
- found = NULL;
- foundsig = NULL;
- header_prev = NULL;
- for (header = node->data; header != NULL; header = header_next) {
- header_next = header->next;
- if (header->ttl <= now) {
- /*
- * This rdataset is stale. If no one else is using the
- * node, we can clean it up right now, otherwise we
- * mark it as stale, and the node as dirty, so it will
- * get cleaned up later.
- */
- if (header->ttl > now - RBTDB_VIRTUAL)
- header_prev = header;
- else if (node->references == 0) {
- INSIST(header->down == NULL);
- if (header_prev != NULL)
- header_prev->next = header->next;
- else
- node->data = header->next;
- free_rdataset(search.rbtdb->common.mctx,
- header);
- } else {
- header->attributes |= RDATASET_ATTR_STALE;
- node->dirty = 1;
- header_prev = header;
- }
- } else if (EXISTS(header)) {
- /*
- * If we found a type we were looking for, remember
- * it.
- */
- if (header->type == dns_rdatatype_ns) {
- /*
- * Remember a NS rdataset even if we're
- * not specifically looking for it, because
- * we might need it later.
- */
- found = header;
- } else if (header->type == RBTDB_RDATATYPE_SIGNS) {
- /*
- * If we need the NS rdataset, we'll also
- * need its signature.
- */
- foundsig = header;
- }
- header_prev = header;
- } else
- header_prev = header;
- }
-
- if (found == NULL) {
- /*
- * No NS records here.
- */
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
- goto find_ns;
- }
-
- if (nodep != NULL) {
- new_reference(search.rbtdb, node);
- *nodep = node;
- }
-
- bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
- if (foundsig != NULL)
- bind_rdataset(search.rbtdb, node, foundsig, search.now,
- sigrdataset);
-
- UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
-
- tree_exit:
- RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
-
- INSIST(!search.need_cleanup);
-
- dns_rbtnodechain_reset(&search.chain);
-
- if (result == DNS_R_DELEGATION)
- result = ISC_R_SUCCESS;
-
- return (result);
-}
-
-static void
-attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *node = (dns_rbtnode_t *)source;
-
- REQUIRE(VALID_RBTDB(rbtdb));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- LOCK(&rbtdb->node_locks[node->locknum].lock);
- INSIST(node->references > 0);
- node->references++;
- INSIST(node->references != 0); /* Catch overflow. */
- UNLOCK(&rbtdb->node_locks[node->locknum].lock);
-
- *targetp = source;
-}
-
-static void
-detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *node;
- isc_boolean_t want_free = ISC_FALSE;
- isc_boolean_t inactive = ISC_FALSE;
- unsigned int locknum;
-
- REQUIRE(VALID_RBTDB(rbtdb));
- REQUIRE(targetp != NULL && *targetp != NULL);
-
- node = (dns_rbtnode_t *)(*targetp);
- locknum = node->locknum;
-
- LOCK(&rbtdb->node_locks[locknum].lock);
-
- INSIST(node->references > 0);
- node->references--;
- if (node->references == 0) {
- no_references(rbtdb, node, 0, isc_rwlocktype_none);
- if (rbtdb->node_locks[locknum].references == 0 &&
- rbtdb->node_locks[locknum].exiting)
- inactive = ISC_TRUE;
- }
-
- UNLOCK(&rbtdb->node_locks[locknum].lock);
-
- *targetp = NULL;
-
- if (inactive) {
- LOCK(&rbtdb->lock);
- rbtdb->active--;
- if (rbtdb->active == 0)
- want_free = ISC_TRUE;
- UNLOCK(&rbtdb->lock);
- if (want_free) {
- char buf[DNS_NAME_FORMATSIZE];
- if (dns_name_dynamic(&rbtdb->common.origin))
- dns_name_format(&rbtdb->common.origin, buf,
- sizeof(buf));
- else
- strcpy(buf, "<UNKNOWN>");
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "calling free_rbtdb(%s)", buf);
- free_rbtdb(rbtdb, ISC_TRUE, NULL);
- }
- }
-}
-
-static isc_result_t
-expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = node;
- rdatasetheader_t *header;
- isc_boolean_t force_expire = ISC_FALSE;
- /*
- * These are the category and module used by the cache cleaner.
- */
- isc_boolean_t log = ISC_FALSE;
- isc_logcategory_t *category = DNS_LOGCATEGORY_DATABASE;
- isc_logmodule_t *module = DNS_LOGMODULE_CACHE;
- int level = ISC_LOG_DEBUG(2);
- char printname[DNS_NAME_FORMATSIZE];
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- /*
- * Caller must hold a tree lock.
- */
-
- if (now == 0)
- isc_stdtime_get(&now);
-
- if (rbtdb->overmem) {
- isc_uint32_t val;
-
- isc_random_get(&val);
- /*
- * XXXDCL Could stand to have a better policy, like LRU.
- */
- force_expire = ISC_TF(rbtnode->down == NULL && val % 4 == 0);
-
- /*
- * Note that 'log' can be true IFF rbtdb->overmem is also true.
- * rbtdb->ovemem can currently only be true for cache databases
- * -- hence all of the "overmem cache" log strings.
- */
- log = ISC_TF(isc_log_wouldlog(dns_lctx, level));
- if (log)
- isc_log_write(dns_lctx, category, module, level,
- "overmem cache: %s %s",
- force_expire ? "FORCE" : "check",
- dns_rbt_formatnodename(rbtnode,
- printname,
- sizeof(printname)));
- }
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- for (header = rbtnode->data; header != NULL; header = header->next)
- if (header->ttl <= now - RBTDB_VIRTUAL) {
- /*
- * We don't check if rbtnode->references == 0 and try
- * to free like we do in cache_find(), because
- * rbtnode->references must be non-zero. This is so
- * because 'node' is an argument to the function.
- */
- header->attributes |= RDATASET_ATTR_STALE;
- rbtnode->dirty = 1;
- if (log)
- isc_log_write(dns_lctx, category, module,
- level, "overmem cache: stale %s",
- printname);
- } else if (force_expire) {
- if (! RETAIN(header)) {
- header->ttl = 0;
- header->attributes |= RDATASET_ATTR_STALE;
- rbtnode->dirty = 1;
- } else if (log) {
- isc_log_write(dns_lctx, category, module,
- level, "overmem cache: "
- "reprieve by RETAIN() %s",
- printname);
- }
- } else if (rbtdb->overmem && log)
- isc_log_write(dns_lctx, category, module, level,
- "overmem cache: saved %s", printname);
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-overmem(dns_db_t *db, isc_boolean_t overmem) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-
- if (IS_CACHE(rbtdb)) {
- rbtdb->overmem = overmem;
- }
-}
-
-static void
-printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = node;
- isc_boolean_t first;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- fprintf(out, "node %p, %u references, locknum = %u\n",
- rbtnode, rbtnode->references, rbtnode->locknum);
- if (rbtnode->data != NULL) {
- rdatasetheader_t *current, *top_next;
-
- for (current = rbtnode->data; current != NULL;
- current = top_next) {
- top_next = current->next;
- first = ISC_TRUE;
- fprintf(out, "\ttype %u", current->type);
- do {
- if (!first)
- fprintf(out, "\t");
- first = ISC_FALSE;
- fprintf(out,
- "\tserial = %lu, ttl = %u, "
- "trust = %u, attributes = %u\n",
- (unsigned long)current->serial,
- current->ttl,
- current->trust,
- current->attributes);
- current = current->down;
- } while (current != NULL);
- }
- } else
- fprintf(out, "(empty)\n");
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-}
-
-static isc_result_t
-createiterator(dns_db_t *db, isc_boolean_t relative_names,
- dns_dbiterator_t **iteratorp)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- rbtdb_dbiterator_t *rbtdbiter;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter));
- if (rbtdbiter == NULL)
- return (ISC_R_NOMEMORY);
-
- rbtdbiter->common.methods = &dbiterator_methods;
- rbtdbiter->common.db = NULL;
- dns_db_attach(db, &rbtdbiter->common.db);
- rbtdbiter->common.relative_names = relative_names;
- rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC;
- rbtdbiter->common.cleaning = ISC_FALSE;
- rbtdbiter->paused = ISC_TRUE;
- rbtdbiter->tree_locked = isc_rwlocktype_none;
- rbtdbiter->result = ISC_R_SUCCESS;
- dns_fixedname_init(&rbtdbiter->name);
- dns_fixedname_init(&rbtdbiter->origin);
- rbtdbiter->node = NULL;
- rbtdbiter->delete = 0;
- memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
- dns_rbtnodechain_init(&rbtdbiter->chain, db->mctx);
-
- *iteratorp = (dns_dbiterator_t *)rbtdbiter;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
- rdatasetheader_t *header, *header_next, *found, *foundsig;
- rbtdb_serial_t serial;
- rbtdb_version_t *rbtversion = version;
- isc_boolean_t close_version = ISC_FALSE;
- rbtdb_rdatatype_t matchtype, sigmatchtype;
-
- REQUIRE(VALID_RBTDB(rbtdb));
- REQUIRE(type != dns_rdatatype_any);
-
- if (rbtversion == NULL) {
- currentversion(db, (dns_dbversion_t **) (void *)(&rbtversion));
- close_version = ISC_TRUE;
- }
- serial = rbtversion->serial;
- now = 0;
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- found = NULL;
- foundsig = NULL;
- matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
- if (covers == 0)
- sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
- else
- sigmatchtype = 0;
-
- for (header = rbtnode->data; header != NULL; header = header_next) {
- header_next = header->next;
- do {
- if (header->serial <= serial &&
- !IGNORE(header)) {
- /*
- * Is this a "this rdataset doesn't
- * exist" record?
- */
- if (NONEXISTENT(header))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL) {
- /*
- * We have an active, extant rdataset. If it's a
- * type we're looking for, remember it.
- */
- if (header->type == matchtype) {
- found = header;
- if (foundsig != NULL)
- break;
- } else if (header->type == sigmatchtype) {
- foundsig = header;
- if (found != NULL)
- break;
- }
- }
- }
- if (found != NULL) {
- bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
- if (foundsig != NULL)
- bind_rdataset(rbtdb, rbtnode, foundsig, now,
- sigrdataset);
- }
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- if (close_version)
- closeversion(db, (dns_dbversion_t **) (void *)(&rbtversion),
- ISC_FALSE);
-
- if (found == NULL)
- return (ISC_R_NOTFOUND);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
- rdatasetheader_t *header, *header_next, *found, *foundsig;
- rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype;
- isc_result_t result;
-
- REQUIRE(VALID_RBTDB(rbtdb));
- REQUIRE(type != dns_rdatatype_any);
-
- UNUSED(version);
-
- result = ISC_R_SUCCESS;
-
- if (now == 0)
- isc_stdtime_get(&now);
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- found = NULL;
- foundsig = NULL;
- matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
- nsectype = RBTDB_RDATATYPE_VALUE(0, type);
- if (covers == 0)
- sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
- else
- sigmatchtype = 0;
-
- for (header = rbtnode->data; header != NULL; header = header_next) {
- header_next = header->next;
- if (header->ttl <= now) {
- /*
- * We don't check if rbtnode->references == 0 and try
- * to free like we do in cache_find(), because
- * rbtnode->references must be non-zero. This is so
- * because 'node' is an argument to the function.
- */
- if (header->ttl <= now - RBTDB_VIRTUAL) {
- header->attributes |= RDATASET_ATTR_STALE;
- rbtnode->dirty = 1;
- }
- } else if (EXISTS(header)) {
- if (header->type == matchtype)
- found = header;
- else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
- header->type == nsectype)
- found = header;
- else if (header->type == sigmatchtype)
- foundsig = header;
- }
- }
- if (found != NULL) {
- bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
- if (foundsig != NULL)
- bind_rdataset(rbtdb, rbtnode, foundsig, now,
- sigrdataset);
- }
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- if (found == NULL)
- return (ISC_R_NOTFOUND);
-
- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
- /*
- * We found a negative cache entry.
- */
- if (NXDOMAIN(found))
- result = DNS_R_NCACHENXDOMAIN;
- else
- result = DNS_R_NCACHENXRRSET;
- }
-
- return (result);
-}
-
-static isc_result_t
-allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
- rbtdb_version_t *rbtversion = version;
- rbtdb_rdatasetiter_t *iterator;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- iterator = isc_mem_get(rbtdb->common.mctx, sizeof(*iterator));
- if (iterator == NULL)
- return (ISC_R_NOMEMORY);
-
- if ((db->attributes & DNS_DBATTR_CACHE) == 0) {
- now = 0;
- if (rbtversion == NULL)
- currentversion(db,
- (dns_dbversion_t **) (void *)(&rbtversion));
- else {
- LOCK(&rbtdb->lock);
- INSIST(rbtversion->references > 0);
- rbtversion->references++;
- INSIST(rbtversion->references != 0);
- UNLOCK(&rbtdb->lock);
- }
- } else {
- if (now == 0)
- isc_stdtime_get(&now);
- rbtversion = NULL;
- }
-
- iterator->common.magic = DNS_RDATASETITER_MAGIC;
- iterator->common.methods = &rdatasetiter_methods;
- iterator->common.db = db;
- iterator->common.node = node;
- iterator->common.version = (dns_dbversion_t *)rbtversion;
- iterator->common.now = now;
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- INSIST(rbtnode->references > 0);
- rbtnode->references++;
- INSIST(rbtnode->references != 0);
- iterator->current = NULL;
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- *iteratorp = (dns_rdatasetiter_t *)iterator;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
- rdatasetheader_t *header, *header_next;
- isc_boolean_t cname, other_data;
- dns_rdatatype_t rdtype;
-
- /*
- * The caller must hold the node lock.
- */
-
- /*
- * Look for CNAME and "other data" rdatasets active in our version.
- */
- cname = ISC_FALSE;
- other_data = ISC_FALSE;
- for (header = node->data; header != NULL; header = header_next) {
- header_next = header->next;
- if (header->type == dns_rdatatype_cname) {
- /*
- * Look for an active extant CNAME.
- */
- do {
- if (header->serial <= serial &&
- !IGNORE(header)) {
- /*
- * Is this a "this rdataset doesn't
- * exist" record?
- */
- if (NONEXISTENT(header))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL)
- cname = ISC_TRUE;
- } else {
- /*
- * Look for active extant "other data".
- *
- * "Other data" is any rdataset whose type is not
- * DNSKEY, RRSIG DNSKEY, NSEC, RRSIG NSEC,
- * or RRSIG CNAME.
- */
- rdtype = RBTDB_RDATATYPE_BASE(header->type);
- if (rdtype == dns_rdatatype_rrsig ||
- rdtype == dns_rdatatype_sig)
- rdtype = RBTDB_RDATATYPE_EXT(header->type);
- if (rdtype != dns_rdatatype_nsec &&
- rdtype != dns_rdatatype_dnskey &&
- rdtype != dns_rdatatype_nxt &&
- rdtype != dns_rdatatype_key &&
- rdtype != dns_rdatatype_cname) {
- /*
- * We've found a type that isn't
- * NSEC, KEY, CNAME, or one of their
- * signatures. Is it active and extant?
- */
- do {
- if (header->serial <= serial &&
- !IGNORE(header)) {
- /*
- * Is this a "this rdataset
- * doesn't exist" record?
- */
- if (NONEXISTENT(header))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL)
- other_data = ISC_TRUE;
- }
- }
- }
-
- if (cname && other_data)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-static isc_result_t
-add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
- rdatasetheader_t *newheader, unsigned int options, isc_boolean_t loading,
- dns_rdataset_t *addedrdataset, isc_stdtime_t now)
-{
- rbtdb_changed_t *changed = NULL;
- rdatasetheader_t *topheader, *topheader_prev, *header;
- unsigned char *merged;
- isc_result_t result;
- isc_boolean_t header_nx;
- isc_boolean_t newheader_nx;
- isc_boolean_t merge;
- dns_rdatatype_t nsectype, rdtype, covers;
- dns_trust_t trust;
-
- /*
- * Add an rdatasetheader_t to a node.
- */
-
- /*
- * Caller must be holding the node lock.
- */
-
- if ((options & DNS_DBADD_MERGE) != 0) {
- REQUIRE(rbtversion != NULL);
- merge = ISC_TRUE;
- } else
- merge = ISC_FALSE;
-
- if ((options & DNS_DBADD_FORCE) != 0)
- trust = dns_trust_ultimate;
- else
- trust = newheader->trust;
-
- if (rbtversion != NULL && !loading) {
- /*
- * We always add a changed record, even if no changes end up
- * being made to this node, because it's harmless and
- * simplifies the code.
- */
- changed = add_changed(rbtdb, rbtversion, rbtnode);
- if (changed == NULL) {
- free_rdataset(rbtdb->common.mctx, newheader);
- return (ISC_R_NOMEMORY);
- }
- }
-
- newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
- topheader_prev = NULL;
-
- nsectype = 0;
- if (rbtversion == NULL && !newheader_nx) {
- rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
- if (rdtype == 0) {
- /*
- * We're adding a negative cache entry.
- */
- covers = RBTDB_RDATATYPE_EXT(newheader->type);
- if (covers == dns_rdatatype_any) {
- /*
- * We're adding an NXDOMAIN negative cache
- * entry.
- *
- * We make all other data stale so that the
- * only rdataset that can be found at this
- * node is the NXDOMAIN negative cache entry.
- */
- for (topheader = rbtnode->data;
- topheader != NULL;
- topheader = topheader->next) {
- topheader->ttl = 0;
- topheader->attributes |=
- RDATASET_ATTR_STALE;
- }
- rbtnode->dirty = 1;
- goto find_header;
- }
- nsectype = RBTDB_RDATATYPE_VALUE(covers, 0);
- } else {
- /*
- * We're adding something that isn't a
- * negative cache entry. Look for an extant
- * non-stale NXDOMAIN negative cache entry.
- */
- for (topheader = rbtnode->data;
- topheader != NULL;
- topheader = topheader->next) {
- if (NXDOMAIN(topheader))
- break;
- }
- if (topheader != NULL && EXISTS(topheader) &&
- topheader->ttl > now) {
- /*
- * Found one.
- */
- if (trust < topheader->trust) {
- /*
- * The NXDOMAIN is more trusted.
- */
- free_rdataset(rbtdb->common.mctx,
- newheader);
- if (addedrdataset != NULL)
- bind_rdataset(rbtdb, rbtnode,
- topheader, now,
- addedrdataset);
- return (DNS_R_UNCHANGED);
- }
- /*
- * The new rdataset is better. Expire the
- * NXDOMAIN.
- */
- topheader->ttl = 0;
- topheader->attributes |= RDATASET_ATTR_STALE;
- rbtnode->dirty = 1;
- topheader = NULL;
- goto find_header;
- }
- nsectype = RBTDB_RDATATYPE_VALUE(0, rdtype);
- }
- }
-
- for (topheader = rbtnode->data;
- topheader != NULL;
- topheader = topheader->next) {
- if (topheader->type == newheader->type ||
- topheader->type == nsectype)
- break;
- topheader_prev = topheader;
- }
-
- find_header:
- /*
- * If header isn't NULL, we've found the right type. There may be
- * IGNORE rdatasets between the top of the chain and the first real
- * data. We skip over them.
- */
- header = topheader;
- while (header != NULL && IGNORE(header))
- header = header->down;
- if (header != NULL) {
- header_nx = NONEXISTENT(header) ? ISC_TRUE : ISC_FALSE;
-
- /*
- * Deleting an already non-existent rdataset has no effect.
- */
- if (header_nx && newheader_nx) {
- free_rdataset(rbtdb->common.mctx, newheader);
- return (DNS_R_UNCHANGED);
- }
-
- /*
- * Trying to add an rdataset with lower trust to a cache DB
- * has no effect, provided that the cache data isn't stale.
- */
- if (rbtversion == NULL && trust < header->trust &&
- (header->ttl > now || header_nx)) {
- free_rdataset(rbtdb->common.mctx, newheader);
- if (addedrdataset != NULL)
- bind_rdataset(rbtdb, rbtnode, header, now,
- addedrdataset);
- return (DNS_R_UNCHANGED);
- }
-
- /*
- * Don't merge if a nonexistent rdataset is involved.
- */
- if (merge && (header_nx || newheader_nx))
- merge = ISC_FALSE;
-
- /*
- * If 'merge' is ISC_TRUE, we'll try to create a new rdataset
- * that is the union of 'newheader' and 'header'.
- */
- if (merge) {
- unsigned int flags = 0;
- INSIST(rbtversion->serial >= header->serial);
- merged = NULL;
- result = ISC_R_SUCCESS;
-
- if ((options & DNS_DBADD_EXACT) != 0)
- flags |= DNS_RDATASLAB_EXACT;
- if ((options & DNS_DBADD_EXACTTTL) != 0 &&
- newheader->ttl != header->ttl)
- result = DNS_R_NOTEXACT;
- else if (newheader->ttl != header->ttl)
- flags |= DNS_RDATASLAB_FORCE;
- if (result == ISC_R_SUCCESS)
- result = dns_rdataslab_merge(
- (unsigned char *)header,
- (unsigned char *)newheader,
- (unsigned int)(sizeof(*newheader)),
- rbtdb->common.mctx,
- rbtdb->common.rdclass,
- (dns_rdatatype_t)header->type,
- flags, &merged);
- if (result == ISC_R_SUCCESS) {
- /*
- * If 'header' has the same serial number as
- * we do, we could clean it up now if we knew
- * that our caller had no references to it.
- * We don't know this, however, so we leave it
- * alone. It will get cleaned up when
- * clean_zone_node() runs.
- */
- free_rdataset(rbtdb->common.mctx, newheader);
- newheader = (rdatasetheader_t *)merged;
- } else {
- free_rdataset(rbtdb->common.mctx, newheader);
- return (result);
- }
- }
- /*
- * Don't replace existing NS, A and AAAA RRsets
- * in the cache if they are already exist. This
- * prevents named being locked to old servers.
- * Don't lower trust of existing record if the
- * update is forced.
- */
- if (IS_CACHE(rbtdb) && header->ttl > now &&
- header->type == dns_rdatatype_ns &&
- !header_nx && !newheader_nx &&
- header->trust >= newheader->trust &&
- dns_rdataslab_equalx((unsigned char *)header,
- (unsigned char *)newheader,
- (unsigned int)(sizeof(*newheader)),
- rbtdb->common.rdclass,
- (dns_rdatatype_t)header->type)) {
- /*
- * Honour the new ttl if it is less than the
- * older one.
- */
- if (header->ttl > newheader->ttl)
- header->ttl = newheader->ttl;
- if (header->noqname == NULL &&
- newheader->noqname != NULL) {
- header->noqname = newheader->noqname;
- newheader->noqname = NULL;
- }
- free_rdataset(rbtdb->common.mctx, newheader);
- if (addedrdataset != NULL)
- bind_rdataset(rbtdb, rbtnode, header, now,
- addedrdataset);
- return (ISC_R_SUCCESS);
- }
- if (IS_CACHE(rbtdb) && header->ttl > now &&
- (header->type == dns_rdatatype_a ||
- header->type == dns_rdatatype_aaaa) &&
- !header_nx && !newheader_nx &&
- header->trust >= newheader->trust &&
- dns_rdataslab_equal((unsigned char *)header,
- (unsigned char *)newheader,
- (unsigned int)(sizeof(*newheader)))) {
- /*
- * Honour the new ttl if it is less than the
- * older one.
- */
- if (header->ttl > newheader->ttl)
- header->ttl = newheader->ttl;
- if (header->noqname == NULL &&
- newheader->noqname != NULL) {
- header->noqname = newheader->noqname;
- newheader->noqname = NULL;
- }
- free_rdataset(rbtdb->common.mctx, newheader);
- if (addedrdataset != NULL)
- bind_rdataset(rbtdb, rbtnode, header, now,
- addedrdataset);
- return (ISC_R_SUCCESS);
- }
- INSIST(rbtversion == NULL ||
- rbtversion->serial >= topheader->serial);
- if (topheader_prev != NULL)
- topheader_prev->next = newheader;
- else
- rbtnode->data = newheader;
- newheader->next = topheader->next;
- if (loading) {
- /*
- * There are no other references to 'header' when
- * loading, so we MAY clean up 'header' now.
- * Since we don't generate changed records when
- * loading, we MUST clean up 'header' now.
- */
- newheader->down = NULL;
- free_rdataset(rbtdb->common.mctx, header);
- } else {
- newheader->down = topheader;
- topheader->next = newheader;
- rbtnode->dirty = 1;
- if (changed != NULL)
- changed->dirty = ISC_TRUE;
- }
- } else {
- /*
- * No non-IGNORED rdatasets of the given type exist at
- * this node.
- */
-
- /*
- * If we're trying to delete the type, don't bother.
- */
- if (newheader_nx) {
- free_rdataset(rbtdb->common.mctx, newheader);
- return (DNS_R_UNCHANGED);
- }
-
- if (topheader != NULL) {
- /*
- * We have an list of rdatasets of the given type,
- * but they're all marked IGNORE. We simply insert
- * the new rdataset at the head of the list.
- *
- * Ignored rdatasets cannot occur during loading, so
- * we INSIST on it.
- */
- INSIST(!loading);
- INSIST(rbtversion == NULL ||
- rbtversion->serial >= topheader->serial);
- if (topheader_prev != NULL)
- topheader_prev->next = newheader;
- else
- rbtnode->data = newheader;
- newheader->next = topheader->next;
- newheader->down = topheader;
- topheader->next = newheader;
- rbtnode->dirty = 1;
- if (changed != NULL)
- changed->dirty = ISC_TRUE;
- } else {
- /*
- * No rdatasets of the given type exist at the node.
- */
- newheader->next = rbtnode->data;
- newheader->down = NULL;
- rbtnode->data = newheader;
- }
- }
-
- /*
- * Check if the node now contains CNAME and other data.
- */
- if (rbtversion != NULL &&
- cname_and_other_data(rbtnode, rbtversion->serial))
- return (DNS_R_CNAMEANDOTHER);
-
- if (addedrdataset != NULL)
- bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_boolean_t
-delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
- rbtdb_rdatatype_t type)
-{
- if (IS_CACHE(rbtdb)) {
- if (type == dns_rdatatype_dname)
- return (ISC_TRUE);
- else
- return (ISC_FALSE);
- } else if (type == dns_rdatatype_dname ||
- (type == dns_rdatatype_ns &&
- (node != rbtdb->origin_node || IS_STUB(rbtdb))))
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-static inline isc_result_t
-addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
- dns_rdataset_t *rdataset)
-{
- struct noqname *noqname;
- isc_mem_t *mctx = rbtdb->common.mctx;
- dns_name_t name;
- dns_rdataset_t nsec, nsecsig;
- isc_result_t result;
- isc_region_t r;
-
- dns_name_init(&name, NULL);
- dns_rdataset_init(&nsec);
- dns_rdataset_init(&nsecsig);
-
- result = dns_rdataset_getnoqname(rdataset, &name, &nsec, &nsecsig);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- noqname = isc_mem_get(mctx, sizeof(*noqname));
- if (noqname == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- dns_name_init(&noqname->name, NULL);
- noqname->nsec = NULL;
- noqname->nsecsig = NULL;
- result = dns_name_dup(&name, mctx, &noqname->name);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_rdataslab_fromrdataset(&nsec, mctx, &r, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- noqname->nsec = r.base;
- result = dns_rdataslab_fromrdataset(&nsecsig, mctx, &r, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- noqname->nsecsig = r.base;
- dns_rdataset_disassociate(&nsec);
- dns_rdataset_disassociate(&nsecsig);
- newheader->noqname = noqname;
- return (ISC_R_SUCCESS);
-
-cleanup:
- dns_rdataset_disassociate(&nsec);
- dns_rdataset_disassociate(&nsecsig);
- free_noqname(mctx, &noqname);
- return(result);
-}
-
-static isc_result_t
-addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
- dns_rdataset_t *addedrdataset)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
- rbtdb_version_t *rbtversion = version;
- isc_region_t region;
- rdatasetheader_t *newheader;
- isc_result_t result;
- isc_boolean_t delegating;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- if (rbtversion == NULL) {
- if (now == 0)
- isc_stdtime_get(&now);
- } else
- now = 0;
-
- result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
- &region,
- sizeof(rdatasetheader_t));
- if (result != ISC_R_SUCCESS)
- return (result);
-
- newheader = (rdatasetheader_t *)region.base;
- newheader->ttl = rdataset->ttl + now;
- newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
- rdataset->covers);
- newheader->attributes = 0;
- newheader->noqname = NULL;
- newheader->count = 0;
- newheader->trust = rdataset->trust;
- if (rbtversion != NULL) {
- newheader->serial = rbtversion->serial;
- now = 0;
- } else {
- newheader->serial = 1;
- if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
- newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
- if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
- result = addnoqname(rbtdb, newheader, rdataset);
- if (result != ISC_R_SUCCESS) {
- free_rdataset(rbtdb->common.mctx, newheader);
- return (result);
- }
- }
- }
-
- /*
- * If we're adding a delegation type (e.g. NS or DNAME for a zone,
- * just DNAME for the cache), then we need to set the callback bit
- * on the node, and to do that we must be holding an exclusive lock
- * on the tree.
- */
- if (delegating_type(rbtdb, rbtnode, rdataset->type)) {
- delegating = ISC_TRUE;
- RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
- } else
- delegating = ISC_FALSE;
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE,
- addedrdataset, now);
- if (result == ISC_R_SUCCESS && delegating)
- rbtnode->find_callback = 1;
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- if (delegating)
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-
- return (result);
-}
-
-static isc_result_t
-subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdataset_t *rdataset, unsigned int options,
- dns_rdataset_t *newrdataset)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
- rbtdb_version_t *rbtversion = version;
- rdatasetheader_t *topheader, *topheader_prev, *header, *newheader;
- unsigned char *subresult;
- isc_region_t region;
- isc_result_t result;
- rbtdb_changed_t *changed;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
- &region,
- sizeof(rdatasetheader_t));
- if (result != ISC_R_SUCCESS)
- return (result);
- newheader = (rdatasetheader_t *)region.base;
- newheader->ttl = rdataset->ttl;
- newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
- rdataset->covers);
- newheader->attributes = 0;
- newheader->serial = rbtversion->serial;
- newheader->trust = 0;
- newheader->noqname = NULL;
- newheader->count = 0;
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- changed = add_changed(rbtdb, rbtversion, rbtnode);
- if (changed == NULL) {
- free_rdataset(rbtdb->common.mctx, newheader);
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
- return (ISC_R_NOMEMORY);
- }
-
- topheader_prev = NULL;
- for (topheader = rbtnode->data;
- topheader != NULL;
- topheader = topheader->next) {
- if (topheader->type == newheader->type)
- break;
- topheader_prev = topheader;
- }
- /*
- * If header isn't NULL, we've found the right type. There may be
- * IGNORE rdatasets between the top of the chain and the first real
- * data. We skip over them.
- */
- header = topheader;
- while (header != NULL && IGNORE(header))
- header = header->down;
- if (header != NULL && EXISTS(header)) {
- unsigned int flags = 0;
- subresult = NULL;
- result = ISC_R_SUCCESS;
- if ((options & DNS_DBSUB_EXACT) != 0) {
- flags |= DNS_RDATASLAB_EXACT;
- if (newheader->ttl != header->ttl)
- result = DNS_R_NOTEXACT;
- }
- if (result == ISC_R_SUCCESS)
- result = dns_rdataslab_subtract(
- (unsigned char *)header,
- (unsigned char *)newheader,
- (unsigned int)(sizeof(*newheader)),
- rbtdb->common.mctx,
- rbtdb->common.rdclass,
- (dns_rdatatype_t)header->type,
- flags, &subresult);
- if (result == ISC_R_SUCCESS) {
- free_rdataset(rbtdb->common.mctx, newheader);
- newheader = (rdatasetheader_t *)subresult;
- /*
- * We have to set the serial since the rdataslab
- * subtraction routine copies the reserved portion of
- * header, not newheader.
- */
- newheader->serial = rbtversion->serial;
- } else if (result == DNS_R_NXRRSET) {
- /*
- * This subtraction would remove all of the rdata;
- * add a nonexistent header instead.
- */
- free_rdataset(rbtdb->common.mctx, newheader);
- newheader = isc_mem_get(rbtdb->common.mctx,
- sizeof(*newheader));
- if (newheader == NULL) {
- result = ISC_R_NOMEMORY;
- goto unlock;
- }
- newheader->ttl = 0;
- newheader->type = topheader->type;
- newheader->attributes = RDATASET_ATTR_NONEXISTENT;
- newheader->trust = 0;
- newheader->serial = rbtversion->serial;
- newheader->noqname = NULL;
- newheader->count = 0;
- } else {
- free_rdataset(rbtdb->common.mctx, newheader);
- goto unlock;
- }
-
- /*
- * If we're here, we want to link newheader in front of
- * topheader.
- */
- INSIST(rbtversion->serial >= topheader->serial);
- if (topheader_prev != NULL)
- topheader_prev->next = newheader;
- else
- rbtnode->data = newheader;
- newheader->next = topheader->next;
- newheader->down = topheader;
- topheader->next = newheader;
- rbtnode->dirty = 1;
- changed->dirty = ISC_TRUE;
- } else {
- /*
- * The rdataset doesn't exist, so we don't need to do anything
- * to satisfy the deletion request.
- */
- free_rdataset(rbtdb->common.mctx, newheader);
- if ((options & DNS_DBSUB_EXACT) != 0)
- result = DNS_R_NOTEXACT;
- else
- result = DNS_R_UNCHANGED;
- }
-
- if (result == ISC_R_SUCCESS && newrdataset != NULL)
- bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
-
- unlock:
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- return (result);
-}
-
-static isc_result_t
-deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
- dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
- rbtdb_version_t *rbtversion = version;
- isc_result_t result;
- rdatasetheader_t *newheader;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- if (type == dns_rdatatype_any)
- return (ISC_R_NOTIMPLEMENTED);
- if (type == dns_rdatatype_rrsig && covers == 0)
- return (ISC_R_NOTIMPLEMENTED);
-
- newheader = isc_mem_get(rbtdb->common.mctx, sizeof(*newheader));
- if (newheader == NULL)
- return (ISC_R_NOMEMORY);
- newheader->ttl = 0;
- newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
- newheader->attributes = RDATASET_ATTR_NONEXISTENT;
- newheader->trust = 0;
- newheader->noqname = NULL;
- if (rbtversion != NULL)
- newheader->serial = rbtversion->serial;
- else
- newheader->serial = 0;
- newheader->count = 0;
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- result = add(rbtdb, rbtnode, rbtversion, newheader, DNS_DBADD_FORCE,
- ISC_FALSE, NULL, 0);
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- return (result);
-}
-
-static isc_result_t
-loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
- rbtdb_load_t *loadctx = arg;
- dns_rbtdb_t *rbtdb = loadctx->rbtdb;
- dns_rbtnode_t *node;
- isc_result_t result;
- isc_region_t region;
- rdatasetheader_t *newheader;
-
- /*
- * This routine does no node locking. See comments in
- * 'load' below for more information on loading and
- * locking.
- */
-
-
- /*
- * SOA records are only allowed at top of zone.
- */
- if (rdataset->type == dns_rdatatype_soa &&
- !IS_CACHE(rbtdb) && !dns_name_equal(name, &rbtdb->common.origin))
- return (DNS_R_NOTZONETOP);
-
- add_empty_wildcards(rbtdb, name);
-
- if (dns_name_iswildcard(name)) {
- /*
- * NS record owners cannot legally be wild cards.
- */
- if (rdataset->type == dns_rdatatype_ns)
- return (DNS_R_INVALIDNS);
- result = add_wildcard_magic(rbtdb, name);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- node = NULL;
- result = dns_rbt_addnode(rbtdb->tree, name, &node);
- if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
- return (result);
- if (result != ISC_R_EXISTS) {
- dns_name_t foundname;
- dns_name_init(&foundname, NULL);
- dns_rbt_namefromnode(node, &foundname);
-#ifdef DNS_RBT_USEHASH
- node->locknum = node->hashval % rbtdb->node_lock_count;
-#else
- node->locknum = dns_name_hash(&foundname, ISC_TRUE) %
- rbtdb->node_lock_count;
-#endif
- }
-
- result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
- &region,
- sizeof(rdatasetheader_t));
- if (result != ISC_R_SUCCESS)
- return (result);
- newheader = (rdatasetheader_t *)region.base;
- newheader->ttl = rdataset->ttl + loadctx->now; /* XXX overflow check */
- newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
- rdataset->covers);
- newheader->attributes = 0;
- newheader->trust = rdataset->trust;
- newheader->serial = 1;
- newheader->noqname = NULL;
- newheader->count = 0;
-
- result = add(rbtdb, node, rbtdb->current_version, newheader,
- DNS_DBADD_MERGE, ISC_TRUE, NULL, 0);
- if (result == ISC_R_SUCCESS &&
- delegating_type(rbtdb, node, rdataset->type))
- node->find_callback = 1;
- else if (result == DNS_R_UNCHANGED)
- result = ISC_R_SUCCESS;
-
- return (result);
-}
-
-static isc_result_t
-beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
- rbtdb_load_t *loadctx;
- dns_rbtdb_t *rbtdb;
-
- rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- loadctx = isc_mem_get(rbtdb->common.mctx, sizeof(*loadctx));
- if (loadctx == NULL)
- return (ISC_R_NOMEMORY);
-
- loadctx->rbtdb = rbtdb;
- if (IS_CACHE(rbtdb))
- isc_stdtime_get(&loadctx->now);
- else
- loadctx->now = 0;
-
- LOCK(&rbtdb->lock);
-
- REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING))
- == 0);
- rbtdb->attributes |= RBTDB_ATTR_LOADING;
-
- UNLOCK(&rbtdb->lock);
-
- *addp = loading_addrdataset;
- *dbloadp = loadctx;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
- dns_rdataset_t keyset;
- dns_rdataset_t nsecset, signsecset;
- isc_boolean_t haszonekey = ISC_FALSE;
- isc_boolean_t hasnsec = ISC_FALSE;
- isc_result_t result;
-
- dns_rdataset_init(&keyset);
- result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_dnskey, 0,
- 0, &keyset, NULL);
- if (result == ISC_R_SUCCESS) {
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- result = dns_rdataset_first(&keyset);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&keyset, &keyrdata);
- if (dns_zonekey_iszonekey(&keyrdata)) {
- haszonekey = ISC_TRUE;
- break;
- }
- result = dns_rdataset_next(&keyset);
- }
- dns_rdataset_disassociate(&keyset);
- }
- if (!haszonekey)
- return (ISC_FALSE);
-
- dns_rdataset_init(&nsecset);
- dns_rdataset_init(&signsecset);
- result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_nsec, 0,
- 0, &nsecset, &signsecset);
- if (result == ISC_R_SUCCESS) {
- if (dns_rdataset_isassociated(&signsecset)) {
- hasnsec = ISC_TRUE;
- dns_rdataset_disassociate(&signsecset);
- }
- dns_rdataset_disassociate(&nsecset);
- }
- return (hasnsec);
-
-}
-
-static isc_result_t
-endload(dns_db_t *db, dns_dbload_t **dbloadp) {
- rbtdb_load_t *loadctx;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(rbtdb));
- REQUIRE(dbloadp != NULL);
- loadctx = *dbloadp;
- REQUIRE(loadctx->rbtdb == rbtdb);
-
- LOCK(&rbtdb->lock);
-
- REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADING) != 0);
- REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADED) == 0);
-
- rbtdb->attributes &= ~RBTDB_ATTR_LOADING;
- rbtdb->attributes |= RBTDB_ATTR_LOADED;
-
- UNLOCK(&rbtdb->lock);
-
- /*
- * If there's a KEY rdataset at the zone origin containing a
- * zone key, we consider the zone secure.
- */
- if (! IS_CACHE(rbtdb))
- rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
-
- *dbloadp = NULL;
-
- isc_mem_put(rbtdb->common.mctx, loadctx, sizeof(*loadctx));
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
- dns_rbtdb_t *rbtdb;
-
- rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- return (dns_master_dump(rbtdb->common.mctx, db, version,
- &dns_master_style_default,
- filename));
-}
-
-static void
-delete_callback(void *data, void *arg) {
- dns_rbtdb_t *rbtdb = arg;
- rdatasetheader_t *current, *next;
-
- for (current = data; current != NULL; current = next) {
- next = current->next;
- free_rdataset(rbtdb->common.mctx, current);
- }
-}
-
-static isc_boolean_t
-issecure(dns_db_t *db) {
- dns_rbtdb_t *rbtdb;
- isc_boolean_t secure;
-
- rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- secure = rbtdb->secure;
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
- return (secure);
-}
-
-static unsigned int
-nodecount(dns_db_t *db) {
- dns_rbtdb_t *rbtdb;
- unsigned int count;
-
- rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- count = dns_rbt_nodecount(rbtdb->tree);
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-
- return (count);
-}
-
-static void
-settask(dns_db_t *db, isc_task_t *task) {
- dns_rbtdb_t *rbtdb;
-
- rbtdb = (dns_rbtdb_t *)db;
-
- REQUIRE(VALID_RBTDB(rbtdb));
-
- LOCK(&rbtdb->lock);
- if (rbtdb->task != NULL)
- isc_task_detach(&rbtdb->task);
- if (task != NULL)
- isc_task_attach(task, &rbtdb->task);
- UNLOCK(&rbtdb->lock);
-}
-
-static isc_boolean_t
-ispersistent(dns_db_t *db) {
- UNUSED(db);
- return (ISC_FALSE);
-}
-
-static dns_dbmethods_t zone_methods = {
- attach,
- detach,
- beginload,
- endload,
- dump,
- currentversion,
- newversion,
- attachversion,
- closeversion,
- findnode,
- zone_find,
- zone_findzonecut,
- attachnode,
- detachnode,
- expirenode,
- printnode,
- createiterator,
- zone_findrdataset,
- allrdatasets,
- addrdataset,
- subtractrdataset,
- deleterdataset,
- issecure,
- nodecount,
- ispersistent,
- overmem,
- settask
-};
-
-static dns_dbmethods_t cache_methods = {
- attach,
- detach,
- beginload,
- endload,
- dump,
- currentversion,
- newversion,
- attachversion,
- closeversion,
- findnode,
- cache_find,
- cache_findzonecut,
- attachnode,
- detachnode,
- expirenode,
- printnode,
- createiterator,
- cache_findrdataset,
- allrdatasets,
- addrdataset,
- subtractrdataset,
- deleterdataset,
- issecure,
- nodecount,
- ispersistent,
- overmem,
- settask
-};
-
-isc_result_t
-#ifdef DNS_RBTDB_VERSION64
-dns_rbtdb64_create
-#else
-dns_rbtdb_create
-#endif
- (isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
- dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
- void *driverarg, dns_db_t **dbp)
-{
- dns_rbtdb_t *rbtdb;
- isc_result_t result;
- int i;
- dns_name_t name;
-
- /* Keep the compiler happy. */
- UNUSED(argc);
- UNUSED(argv);
- UNUSED(driverarg);
-
- rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
- if (rbtdb == NULL)
- return (ISC_R_NOMEMORY);
- memset(rbtdb, '\0', sizeof(*rbtdb));
- dns_name_init(&rbtdb->common.origin, NULL);
- rbtdb->common.attributes = 0;
- if (type == dns_dbtype_cache) {
- rbtdb->common.methods = &cache_methods;
- rbtdb->common.attributes |= DNS_DBATTR_CACHE;
- } else if (type == dns_dbtype_stub) {
- rbtdb->common.methods = &zone_methods;
- rbtdb->common.attributes |= DNS_DBATTR_STUB;
- } else
- rbtdb->common.methods = &zone_methods;
- rbtdb->common.rdclass = rdclass;
- rbtdb->common.mctx = NULL;
-
- result = isc_mutex_init(&rbtdb->lock);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
- if (result != ISC_R_SUCCESS) {
- DESTROYLOCK(&rbtdb->lock);
- isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_rwlock_init() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
-
- if (rbtdb->node_lock_count == 0)
- rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
- rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
- sizeof(rbtdb_nodelock_t));
- rbtdb->active = rbtdb->node_lock_count;
- for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
- result = isc_mutex_init(&rbtdb->node_locks[i].lock);
- if (result != ISC_R_SUCCESS) {
- i--;
- while (i >= 0) {
- DESTROYLOCK(&rbtdb->node_locks[i].lock);
- i--;
- }
- isc_mem_put(mctx, rbtdb->node_locks,
- rbtdb->node_lock_count *
- sizeof(rbtdb_nodelock_t));
- isc_rwlock_destroy(&rbtdb->tree_lock);
- DESTROYLOCK(&rbtdb->lock);
- isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- rbtdb->node_locks[i].references = 0;
- rbtdb->node_locks[i].exiting = ISC_FALSE;
- }
-
- /*
- * Attach to the mctx. The database will persist so long as there
- * are references to it, and attaching to the mctx ensures that our
- * mctx won't disappear out from under us.
- */
- isc_mem_attach(mctx, &rbtdb->common.mctx);
-
- /*
- * Must be initalized before free_rbtdb() is called.
- */
- isc_ondestroy_init(&rbtdb->common.ondest);
-
- /*
- * Make a copy of the origin name.
- */
- result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin);
- if (result != ISC_R_SUCCESS) {
- free_rbtdb(rbtdb, ISC_FALSE, NULL);
- return (result);
- }
-
- /*
- * Make the Red-Black Tree.
- */
- result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree);
- if (result != ISC_R_SUCCESS) {
- free_rbtdb(rbtdb, ISC_FALSE, NULL);
- return (result);
- }
- /*
- * In order to set the node callback bit correctly in zone databases,
- * we need to know if the node has the origin name of the zone.
- * In loading_addrdataset() we could simply compare the new name
- * to the origin name, but this is expensive. Also, we don't know the
- * node name in addrdataset(), so we need another way of knowing the
- * zone's top.
- *
- * We now explicitly create a node for the zone's origin, and then
- * we simply remember the node's address. This is safe, because
- * the top-of-zone node can never be deleted, nor can its address
- * change.
- */
- if (! IS_CACHE(rbtdb)) {
- rbtdb->origin_node = NULL;
- result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
- &rbtdb->origin_node);
- if (result != ISC_R_SUCCESS) {
- INSIST(result != ISC_R_EXISTS);
- free_rbtdb(rbtdb, ISC_FALSE, NULL);
- return (result);
- }
- /*
- * We need to give the origin node the right locknum.
- */
- dns_name_init(&name, NULL);
- dns_rbt_namefromnode(rbtdb->origin_node, &name);
-#ifdef DNS_RBT_USEHASH
- rbtdb->origin_node->locknum =
- rbtdb->origin_node->hashval %
- rbtdb->node_lock_count;
-#else
- rbtdb->origin_node->locknum =
- dns_name_hash(&name, ISC_TRUE) %
- rbtdb->node_lock_count;
-#endif
- }
-
- /*
- * Misc. Initialization.
- */
- isc_refcount_init(&rbtdb->references, 1);
- rbtdb->attributes = 0;
- rbtdb->secure = ISC_FALSE;
- rbtdb->overmem = ISC_FALSE;
- rbtdb->task = NULL;
-
- /*
- * Version Initialization.
- */
- rbtdb->current_serial = 1;
- rbtdb->least_serial = 1;
- rbtdb->next_serial = 2;
- rbtdb->current_version = allocate_version(mctx, 1, 0, ISC_FALSE);
- if (rbtdb->current_version == NULL) {
- free_rbtdb(rbtdb, ISC_FALSE, NULL);
- return (ISC_R_NOMEMORY);
- }
- rbtdb->future_version = NULL;
- ISC_LIST_INIT(rbtdb->open_versions);
-
- rbtdb->common.magic = DNS_DB_MAGIC;
- rbtdb->common.impmagic = RBTDB_MAGIC;
-
- *dbp = (dns_db_t *)rbtdb;
-
- return (ISC_R_SUCCESS);
-}
-
-
-/*
- * Slabbed Rdataset Methods
- */
-
-static void
-rdataset_disassociate(dns_rdataset_t *rdataset) {
- dns_db_t *db = rdataset->private1;
- dns_dbnode_t *node = rdataset->private2;
-
- detachnode(db, &node);
-}
-
-static isc_result_t
-rdataset_first(dns_rdataset_t *rdataset) {
- unsigned char *raw = rdataset->private3;
- unsigned int count;
-
- count = raw[0] * 256 + raw[1];
- if (count == 0) {
- rdataset->private5 = NULL;
- return (ISC_R_NOMORE);
- }
- raw += 2;
- /*
- * The privateuint4 field is the number of rdata beyond the cursor
- * position, so we decrement the total count by one before storing
- * it.
- */
- count--;
- rdataset->privateuint4 = count;
- rdataset->private5 = raw;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_next(dns_rdataset_t *rdataset) {
- unsigned int count;
- unsigned int length;
- unsigned char *raw;
-
- count = rdataset->privateuint4;
- if (count == 0)
- return (ISC_R_NOMORE);
- count--;
- rdataset->privateuint4 = count;
- raw = rdataset->private5;
- length = raw[0] * 256 + raw[1];
- raw += length + 2;
- rdataset->private5 = raw;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
- unsigned char *raw = rdataset->private5;
- isc_region_t r;
-
- REQUIRE(raw != NULL);
-
- r.length = raw[0] * 256 + raw[1];
- raw += 2;
- r.base = raw;
- dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
- dns_db_t *db = source->private1;
- dns_dbnode_t *node = source->private2;
- dns_dbnode_t *cloned_node = NULL;
-
- attachnode(db, node, &cloned_node);
- *target = *source;
-
- /*
- * Reset iterator state.
- */
- target->privateuint4 = 0;
- target->private5 = NULL;
-}
-
-static unsigned int
-rdataset_count(dns_rdataset_t *rdataset) {
- unsigned char *raw = rdataset->private3;
- unsigned int count;
-
- count = raw[0] * 256 + raw[1];
-
- return (count);
-}
-
-static isc_result_t
-rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
- dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
-{
- dns_db_t *db = rdataset->private1;
- dns_dbnode_t *node = rdataset->private2;
- dns_dbnode_t *cloned_node;
- struct noqname *noqname = rdataset->private6;
-
- cloned_node = NULL;
- attachnode(db, node, &cloned_node);
- nsec->methods = &rdataset_methods;
- nsec->rdclass = db->rdclass;
- nsec->type = dns_rdatatype_nsec;
- nsec->covers = 0;
- nsec->ttl = rdataset->ttl;
- nsec->trust = rdataset->trust;
- nsec->private1 = rdataset->private1;
- nsec->private2 = rdataset->private2;
- nsec->private3 = noqname->nsec;
- nsec->privateuint4 = 0;
- nsec->private5 = NULL;
- nsec->private6 = NULL;
-
- cloned_node = NULL;
- attachnode(db, node, &cloned_node);
- nsecsig->methods = &rdataset_methods;
- nsecsig->rdclass = db->rdclass;
- nsecsig->type = dns_rdatatype_rrsig;
- nsecsig->covers = dns_rdatatype_nsec;
- nsecsig->ttl = rdataset->ttl;
- nsecsig->trust = rdataset->trust;
- nsecsig->private1 = rdataset->private1;
- nsecsig->private2 = rdataset->private2;
- nsecsig->private3 = noqname->nsecsig;
- nsecsig->privateuint4 = 0;
- nsecsig->private5 = NULL;
- nsec->private6 = NULL;
-
- dns_name_clone(&noqname->name, name);
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Rdataset Iterator Methods
- */
-
-static void
-rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
- rbtdb_rdatasetiter_t *rbtiterator;
-
- rbtiterator = (rbtdb_rdatasetiter_t *)(*iteratorp);
-
- if (rbtiterator->common.version != NULL)
- closeversion(rbtiterator->common.db,
- &rbtiterator->common.version, ISC_FALSE);
- detachnode(rbtiterator->common.db, &rbtiterator->common.node);
- isc_mem_put(rbtiterator->common.db->mctx, rbtiterator,
- sizeof(*rbtiterator));
-
- *iteratorp = NULL;
-}
-
-static isc_result_t
-rdatasetiter_first(dns_rdatasetiter_t *iterator) {
- rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
- dns_rbtnode_t *rbtnode = rbtiterator->common.node;
- rbtdb_version_t *rbtversion = rbtiterator->common.version;
- rdatasetheader_t *header, *top_next;
- rbtdb_serial_t serial;
- isc_stdtime_t now;
-
- if (IS_CACHE(rbtdb)) {
- serial = 1;
- now = rbtiterator->common.now;
- } else {
- serial = rbtversion->serial;
- now = 0;
- }
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- for (header = rbtnode->data; header != NULL; header = top_next) {
- top_next = header->next;
- do {
- if (header->serial <= serial && !IGNORE(header)) {
- /*
- * Is this a "this rdataset doesn't exist"
- * record? Or is it too old in the cache?
- *
- * Note: unlike everywhere else, we
- * check for now > header->ttl instead
- * of now >= header->ttl. This allows
- * ANY and RRSIG queries for 0 TTL
- * rdatasets to work.
- */
- if (NONEXISTENT(header) ||
- (now != 0 && now > header->ttl))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL)
- break;
- }
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- rbtiterator->current = header;
-
- if (header == NULL)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdatasetiter_next(dns_rdatasetiter_t *iterator) {
- rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
- dns_rbtnode_t *rbtnode = rbtiterator->common.node;
- rbtdb_version_t *rbtversion = rbtiterator->common.version;
- rdatasetheader_t *header, *top_next;
- rbtdb_serial_t serial;
- isc_stdtime_t now;
- rbtdb_rdatatype_t type;
-
- header = rbtiterator->current;
- if (header == NULL)
- return (ISC_R_NOMORE);
-
- if (IS_CACHE(rbtdb)) {
- serial = 1;
- now = rbtiterator->common.now;
- } else {
- serial = rbtversion->serial;
- now = 0;
- }
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- type = header->type;
- for (header = header->next; header != NULL; header = top_next) {
- top_next = header->next;
- if (header->type != type) {
- do {
- if (header->serial <= serial &&
- !IGNORE(header)) {
- /*
- * Is this a "this rdataset doesn't
- * exist" record?
- *
- * Note: unlike everywhere else, we
- * check for now > header->ttl instead
- * of now >= header->ttl. This allows
- * ANY and RRSIG queries for 0 TTL
- * rdatasets to work.
- */
- if ((header->attributes &
- RDATASET_ATTR_NONEXISTENT) != 0 ||
- (now != 0 && now > header->ttl))
- header = NULL;
- break;
- } else
- header = header->down;
- } while (header != NULL);
- if (header != NULL)
- break;
- }
- }
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- rbtiterator->current = header;
-
- if (header == NULL)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
- rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
- dns_rbtnode_t *rbtnode = rbtiterator->common.node;
- rdatasetheader_t *header;
-
- header = rbtiterator->current;
- REQUIRE(header != NULL);
-
- LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-
- bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
- rdataset);
-
- UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
-}
-
-
-/*
- * Database Iterator Methods
- */
-
-static inline void
-reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
- dns_rbtnode_t *node = rbtdbiter->node;
-
- if (node == NULL)
- return;
-
- INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none);
- LOCK(&rbtdb->node_locks[node->locknum].lock);
- new_reference(rbtdb, node);
- UNLOCK(&rbtdb->node_locks[node->locknum].lock);
-}
-
-static inline void
-dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
- dns_rbtnode_t *node = rbtdbiter->node;
- isc_mutex_t *lock;
-
- if (node == NULL)
- return;
-
- lock = &rbtdb->node_locks[node->locknum].lock;
- LOCK(lock);
- INSIST(rbtdbiter->node->references > 0);
- if (--node->references == 0)
- no_references(rbtdb, node, 0, rbtdbiter->tree_locked);
- UNLOCK(lock);
-
- rbtdbiter->node = NULL;
-}
-
-static void
-flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
- dns_rbtnode_t *node;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
- isc_boolean_t was_read_locked = ISC_FALSE;
- isc_mutex_t *lock;
- int i;
-
- if (rbtdbiter->delete != 0) {
- /*
- * Note that "%d node of %d in tree" can report things like
- * "flush_deletions: 59 nodes of 41 in tree". This means
- * That some nodes appear on the deletions list more than
- * once. Only the last occurence will actually be deleted.
- */
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
- DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
- "flush_deletions: %d nodes of %d in tree",
- rbtdbiter->delete,
- dns_rbt_nodecount(rbtdb->tree));
-
- if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- was_read_locked = ISC_TRUE;
- }
- RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
- rbtdbiter->tree_locked = isc_rwlocktype_write;
-
- for (i = 0; i < rbtdbiter->delete; i++) {
- node = rbtdbiter->deletions[i];
- lock = &rbtdb->node_locks[node->locknum].lock;
-
- LOCK(lock);
- INSIST(node->references > 0);
- node->references--;
- if (node->references == 0)
- no_references(rbtdb, node, 0,
- rbtdbiter->tree_locked);
- UNLOCK(lock);
- }
-
- rbtdbiter->delete = 0;
-
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
- if (was_read_locked) {
- RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- rbtdbiter->tree_locked = isc_rwlocktype_read;
-
- } else {
- rbtdbiter->tree_locked = isc_rwlocktype_none;
- }
- }
-}
-
-static inline void
-resume_iteration(rbtdb_dbiterator_t *rbtdbiter) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
-
- REQUIRE(rbtdbiter->paused);
- REQUIRE(rbtdbiter->tree_locked == isc_rwlocktype_none);
-
- RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- rbtdbiter->tree_locked = isc_rwlocktype_read;
-
- rbtdbiter->paused = ISC_FALSE;
-}
-
-static void
-dbiterator_destroy(dns_dbiterator_t **iteratorp) {
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)(*iteratorp);
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
- dns_db_t *db = NULL;
-
- if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- rbtdbiter->tree_locked = isc_rwlocktype_none;
- } else
- INSIST(rbtdbiter->tree_locked == isc_rwlocktype_none);
-
- dereference_iter_node(rbtdbiter);
-
- flush_deletions(rbtdbiter);
-
- dns_db_attach(rbtdbiter->common.db, &db);
- dns_db_detach(&rbtdbiter->common.db);
-
- dns_rbtnodechain_reset(&rbtdbiter->chain);
- isc_mem_put(db->mctx, rbtdbiter, sizeof(*rbtdbiter));
- dns_db_detach(&db);
-
- *iteratorp = NULL;
-}
-
-static isc_result_t
-dbiterator_first(dns_dbiterator_t *iterator) {
- isc_result_t result;
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
- dns_name_t *name, *origin;
-
- if (rbtdbiter->result != ISC_R_SUCCESS &&
- rbtdbiter->result != ISC_R_NOMORE)
- return (rbtdbiter->result);
-
- if (rbtdbiter->paused)
- resume_iteration(rbtdbiter);
-
- dereference_iter_node(rbtdbiter);
-
- name = dns_fixedname_name(&rbtdbiter->name);
- origin = dns_fixedname_name(&rbtdbiter->origin);
- dns_rbtnodechain_reset(&rbtdbiter->chain);
-
- result = dns_rbtnodechain_first(&rbtdbiter->chain, rbtdb->tree, name,
- origin);
-
- if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
- result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
- NULL, &rbtdbiter->node);
- if (result == ISC_R_SUCCESS) {
- rbtdbiter->new_origin = ISC_TRUE;
- reference_iter_node(rbtdbiter);
- }
- } else {
- INSIST(result == ISC_R_NOTFOUND);
- result = ISC_R_NOMORE; /* The tree is empty. */
- }
-
- rbtdbiter->result = result;
-
- return (result);
-}
-
-static isc_result_t
-dbiterator_last(dns_dbiterator_t *iterator) {
- isc_result_t result;
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
- dns_name_t *name, *origin;
-
- if (rbtdbiter->result != ISC_R_SUCCESS &&
- rbtdbiter->result != ISC_R_NOMORE)
- return (rbtdbiter->result);
-
- if (rbtdbiter->paused)
- resume_iteration(rbtdbiter);
-
- dereference_iter_node(rbtdbiter);
-
- name = dns_fixedname_name(&rbtdbiter->name);
- origin = dns_fixedname_name(&rbtdbiter->origin);
- dns_rbtnodechain_reset(&rbtdbiter->chain);
-
- result = dns_rbtnodechain_last(&rbtdbiter->chain, rbtdb->tree, name,
- origin);
- if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
- result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
- NULL, &rbtdbiter->node);
- if (result == ISC_R_SUCCESS) {
- rbtdbiter->new_origin = ISC_TRUE;
- reference_iter_node(rbtdbiter);
- }
- } else {
- INSIST(result == ISC_R_NOTFOUND);
- result = ISC_R_NOMORE; /* The tree is empty. */
- }
-
- rbtdbiter->result = result;
-
- return (result);
-}
-
-static isc_result_t
-dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
- isc_result_t result;
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
- dns_name_t *iname, *origin;
-
- if (rbtdbiter->result != ISC_R_SUCCESS &&
- rbtdbiter->result != ISC_R_NOMORE)
- return (rbtdbiter->result);
-
- if (rbtdbiter->paused)
- resume_iteration(rbtdbiter);
-
- dereference_iter_node(rbtdbiter);
-
- iname = dns_fixedname_name(&rbtdbiter->name);
- origin = dns_fixedname_name(&rbtdbiter->origin);
- dns_rbtnodechain_reset(&rbtdbiter->chain);
-
- result = dns_rbt_findnode(rbtdb->tree, name, NULL, &rbtdbiter->node,
- &rbtdbiter->chain, DNS_RBTFIND_EMPTYDATA,
- NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- result = dns_rbtnodechain_current(&rbtdbiter->chain, iname,
- origin, NULL);
- if (result == ISC_R_SUCCESS) {
- rbtdbiter->new_origin = ISC_TRUE;
- reference_iter_node(rbtdbiter);
- }
-
- } else if (result == DNS_R_PARTIALMATCH)
- result = ISC_R_NOTFOUND;
-
- rbtdbiter->result = result;
-
- return (result);
-}
-
-static isc_result_t
-dbiterator_prev(dns_dbiterator_t *iterator) {
- isc_result_t result;
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
- dns_name_t *name, *origin;
-
- REQUIRE(rbtdbiter->node != NULL);
-
- if (rbtdbiter->result != ISC_R_SUCCESS)
- return (rbtdbiter->result);
-
- if (rbtdbiter->paused)
- resume_iteration(rbtdbiter);
-
- name = dns_fixedname_name(&rbtdbiter->name);
- origin = dns_fixedname_name(&rbtdbiter->origin);
- result = dns_rbtnodechain_prev(&rbtdbiter->chain, name, origin);
-
- dereference_iter_node(rbtdbiter);
-
- if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
- rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
- result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
- NULL, &rbtdbiter->node);
- }
-
- if (result == ISC_R_SUCCESS)
- reference_iter_node(rbtdbiter);
-
- rbtdbiter->result = result;
-
- return (result);
-}
-
-static isc_result_t
-dbiterator_next(dns_dbiterator_t *iterator) {
- isc_result_t result;
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
- dns_name_t *name, *origin;
-
- REQUIRE(rbtdbiter->node != NULL);
-
- if (rbtdbiter->result != ISC_R_SUCCESS)
- return (rbtdbiter->result);
-
- if (rbtdbiter->paused)
- resume_iteration(rbtdbiter);
-
- name = dns_fixedname_name(&rbtdbiter->name);
- origin = dns_fixedname_name(&rbtdbiter->origin);
- result = dns_rbtnodechain_next(&rbtdbiter->chain, name, origin);
-
- dereference_iter_node(rbtdbiter);
-
- if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
- rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
- result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
- NULL, &rbtdbiter->node);
- }
- if (result == ISC_R_SUCCESS)
- reference_iter_node(rbtdbiter);
-
- rbtdbiter->result = result;
-
- return (result);
-}
-
-static isc_result_t
-dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
- dns_name_t *name)
-{
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
- dns_rbtnode_t *node = rbtdbiter->node;
- isc_result_t result;
- dns_name_t *nodename = dns_fixedname_name(&rbtdbiter->name);
- dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
-
- REQUIRE(rbtdbiter->result == ISC_R_SUCCESS);
- REQUIRE(rbtdbiter->node != NULL);
-
- if (rbtdbiter->paused)
- resume_iteration(rbtdbiter);
-
- if (name != NULL) {
- if (rbtdbiter->common.relative_names)
- origin = NULL;
- result = dns_name_concatenate(nodename, origin, name, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (rbtdbiter->common.relative_names && rbtdbiter->new_origin)
- result = DNS_R_NEWORIGIN;
- } else
- result = ISC_R_SUCCESS;
-
- LOCK(&rbtdb->node_locks[node->locknum].lock);
- new_reference(rbtdb, node);
- UNLOCK(&rbtdb->node_locks[node->locknum].lock);
-
- *nodep = rbtdbiter->node;
-
- if (iterator->cleaning && result == ISC_R_SUCCESS) {
- isc_result_t expire_result;
-
- /*
- * If the deletion array is full, flush it before trying
- * to expire the current node. The current node can't
- * fully deleted while the iteration cursor is still on it.
- */
- if (rbtdbiter->delete == DELETION_BATCH_MAX)
- flush_deletions(rbtdbiter);
-
- expire_result = expirenode(iterator->db, *nodep, 0);
-
- /*
- * expirenode() currently always returns success.
- */
- if (expire_result == ISC_R_SUCCESS && node->down == NULL) {
- rbtdbiter->deletions[rbtdbiter->delete++] = node;
- LOCK(&rbtdb->node_locks[node->locknum].lock);
- node->references++;
- UNLOCK(&rbtdb->node_locks[node->locknum].lock);
- }
- }
-
- return (result);
-}
-
-static isc_result_t
-dbiterator_pause(dns_dbiterator_t *iterator) {
- dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
-
- if (rbtdbiter->result != ISC_R_SUCCESS &&
- rbtdbiter->result != ISC_R_NOMORE)
- return (rbtdbiter->result);
-
- if (rbtdbiter->paused)
- return (ISC_R_SUCCESS);
-
- rbtdbiter->paused = ISC_TRUE;
-
- if (rbtdbiter->tree_locked != isc_rwlocktype_none) {
- INSIST(rbtdbiter->tree_locked == isc_rwlocktype_read);
- RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
- rbtdbiter->tree_locked = isc_rwlocktype_none;
- }
-
- flush_deletions(rbtdbiter);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
- rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
- dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
-
- if (rbtdbiter->result != ISC_R_SUCCESS)
- return (rbtdbiter->result);
-
- return (dns_name_copy(origin, name, NULL));
-}
diff --git a/contrib/bind9/lib/dns/rbtdb.h b/contrib/bind9/lib/dns/rbtdb.h
deleted file mode 100644
index 086b75e91f49..000000000000
--- a/contrib/bind9/lib/dns/rbtdb.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbtdb.h,v 1.13.206.1 2004/03/06 08:13:42 marka Exp $ */
-
-#ifndef DNS_RBTDB_H
-#define DNS_RBTDB_H 1
-
-#include <isc/lang.h>
-#include <dns/types.h>
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Red-Black Tree DB Implementation
- */
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rbtdb_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
- dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
- void *driverarg, dns_db_t **dbp);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RBTDB_H */
diff --git a/contrib/bind9/lib/dns/rbtdb64.c b/contrib/bind9/lib/dns/rbtdb64.c
deleted file mode 100644
index f41ab37c4a3a..000000000000
--- a/contrib/bind9/lib/dns/rbtdb64.c
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbtdb64.c,v 1.6.206.1 2004/03/06 08:13:42 marka Exp $ */
-
-#define DNS_RBTDB_VERSION64 1
-#include "rbtdb.c"
diff --git a/contrib/bind9/lib/dns/rbtdb64.h b/contrib/bind9/lib/dns/rbtdb64.h
deleted file mode 100644
index 5d426b5e509f..000000000000
--- a/contrib/bind9/lib/dns/rbtdb64.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rbtdb64.h,v 1.12.206.1 2004/03/06 08:13:43 marka Exp $ */
-
-#ifndef DNS_RBTDB64_H
-#define DNS_RBTDB64_H 1
-
-#include <isc/lang.h>
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * DNS Red-Black Tree DB Implementation with 64-bit version numbers
- */
-
-#include <dns/db.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-dns_rbtdb64_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
- dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
- void *driverarg, dns_db_t **dbp);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RBTDB64_H */
diff --git a/contrib/bind9/lib/dns/rcode.c b/contrib/bind9/lib/dns/rcode.c
deleted file mode 100644
index 337f64918dff..000000000000
--- a/contrib/bind9/lib/dns/rcode.c
+++ /dev/null
@@ -1,473 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rcode.c,v 1.1.4.1 2004/03/12 10:31:25 marka Exp $ */
-
-#include <config.h>
-#include <ctype.h>
-
-#include <isc/buffer.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/result.h>
-#include <isc/stdio.h>
-#include <isc/stdlib.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/cert.h>
-#include <dns/keyflags.h>
-#include <dns/keyvalues.h>
-#include <dns/rcode.h>
-#include <dns/rdataclass.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/secproto.h>
-
-#define RETERR(x) \
- do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */
-
-#define RCODENAMES \
- /* standard rcodes */ \
- { dns_rcode_noerror, "NOERROR", 0}, \
- { dns_rcode_formerr, "FORMERR", 0}, \
- { dns_rcode_servfail, "SERVFAIL", 0}, \
- { dns_rcode_nxdomain, "NXDOMAIN", 0}, \
- { dns_rcode_notimp, "NOTIMP", 0}, \
- { dns_rcode_refused, "REFUSED", 0}, \
- { dns_rcode_yxdomain, "YXDOMAIN", 0}, \
- { dns_rcode_yxrrset, "YXRRSET", 0}, \
- { dns_rcode_nxrrset, "NXRRSET", 0}, \
- { dns_rcode_notauth, "NOTAUTH", 0}, \
- { dns_rcode_notzone, "NOTZONE", 0},
-
-#define ERCODENAMES \
- /* extended rcodes */ \
- { dns_rcode_badvers, "BADVERS", 0}, \
- { 0, NULL, 0 }
-
-#define TSIGRCODENAMES \
- /* extended rcodes */ \
- { dns_tsigerror_badsig, "BADSIG", 0}, \
- { dns_tsigerror_badkey, "BADKEY", 0}, \
- { dns_tsigerror_badtime, "BADTIME", 0}, \
- { dns_tsigerror_badmode, "BADMODE", 0}, \
- { dns_tsigerror_badname, "BADNAME", 0}, \
- { dns_tsigerror_badalg, "BADALG", 0}, \
- { 0, NULL, 0 }
-
-/* RFC2538 section 2.1 */
-
-#define CERTNAMES \
- { 1, "PKIX", 0}, \
- { 2, "SPKI", 0}, \
- { 3, "PGP", 0}, \
- { 253, "URI", 0}, \
- { 254, "OID", 0}, \
- { 0, NULL, 0}
-
-/* RFC2535 section 7, RFC3110 */
-
-#define SECALGNAMES \
- { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
- { DNS_KEYALG_RSAMD5, "RSA", 0 }, \
- { DNS_KEYALG_DH, "DH", 0 }, \
- { DNS_KEYALG_DSA, "DSA", 0 }, \
- { DNS_KEYALG_ECC, "ECC", 0 }, \
- { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
- { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
- { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
- { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
- { 0, NULL, 0}
-
-/* RFC2535 section 7.1 */
-
-#define SECPROTONAMES \
- { 0, "NONE", 0 }, \
- { 1, "TLS", 0 }, \
- { 2, "EMAIL", 0 }, \
- { 3, "DNSSEC", 0 }, \
- { 4, "IPSEC", 0 }, \
- { 255, "ALL", 0 }, \
- { 0, NULL, 0}
-
-struct tbl {
- unsigned int value;
- const char *name;
- int flags;
-};
-
-static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
-static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
-static struct tbl certs[] = { CERTNAMES };
-static struct tbl secalgs[] = { SECALGNAMES };
-static struct tbl secprotos[] = { SECPROTONAMES };
-
-static struct keyflag {
- const char *name;
- unsigned int value;
- unsigned int mask;
-} keyflags[] = {
- { "NOCONF", 0x4000, 0xC000 },
- { "NOAUTH", 0x8000, 0xC000 },
- { "NOKEY", 0xC000, 0xC000 },
- { "FLAG2", 0x2000, 0x2000 },
- { "EXTEND", 0x1000, 0x1000 },
- { "FLAG4", 0x0800, 0x0800 },
- { "FLAG5", 0x0400, 0x0400 },
- { "USER", 0x0000, 0x0300 },
- { "ZONE", 0x0100, 0x0300 },
- { "HOST", 0x0200, 0x0300 },
- { "NTYP3", 0x0300, 0x0300 },
- { "FLAG8", 0x0080, 0x0080 },
- { "FLAG9", 0x0040, 0x0040 },
- { "FLAG10", 0x0020, 0x0020 },
- { "FLAG11", 0x0010, 0x0010 },
- { "SIG0", 0x0000, 0x000F },
- { "SIG1", 0x0001, 0x000F },
- { "SIG2", 0x0002, 0x000F },
- { "SIG3", 0x0003, 0x000F },
- { "SIG4", 0x0004, 0x000F },
- { "SIG5", 0x0005, 0x000F },
- { "SIG6", 0x0006, 0x000F },
- { "SIG7", 0x0007, 0x000F },
- { "SIG8", 0x0008, 0x000F },
- { "SIG9", 0x0009, 0x000F },
- { "SIG10", 0x000A, 0x000F },
- { "SIG11", 0x000B, 0x000F },
- { "SIG12", 0x000C, 0x000F },
- { "SIG13", 0x000D, 0x000F },
- { "SIG14", 0x000E, 0x000F },
- { "SIG15", 0x000F, 0x000F },
- { "KSK", DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
- { NULL, 0, 0 }
-};
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
- unsigned int l;
- isc_region_t region;
-
- isc_buffer_availableregion(target, &region);
- l = strlen(source);
-
- if (l > region.length)
- return (ISC_R_NOSPACE);
-
- memcpy(region.base, source, l);
- isc_buffer_add(target, l);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-maybe_numeric(unsigned int *valuep, isc_textregion_t *source,
- unsigned int max, isc_boolean_t hex_allowed)
-{
- isc_result_t result;
- isc_uint32_t n;
- char buffer[NUMBERSIZE];
-
- if (! isdigit(source->base[0] & 0xff) ||
- source->length > NUMBERSIZE - 1)
- return (ISC_R_BADNUMBER);
-
- /*
- * We have a potential number. Try to parse it with
- * isc_parse_uint32(). isc_parse_uint32() requires
- * null termination, so we must make a copy.
- */
- strncpy(buffer, source->base, NUMBERSIZE);
- INSIST(buffer[source->length] == '\0');
-
- result = isc_parse_uint32(&n, buffer, 10);
- if (result == ISC_R_BADNUMBER && hex_allowed)
- result = isc_parse_uint32(&n, buffer, 16);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (n > max)
- return (ISC_R_RANGE);
- *valuep = n;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
- struct tbl *table, unsigned int max)
-{
- isc_result_t result;
- int i;
-
- result = maybe_numeric(valuep, source, max, ISC_FALSE);
- if (result != ISC_R_BADNUMBER)
- return (result);
-
- for (i = 0; table[i].name != NULL; i++) {
- unsigned int n;
- n = strlen(table[i].name);
- if (n == source->length &&
- strncasecmp(source->base, table[i].name, n) == 0) {
- *valuep = table[i].value;
- return (ISC_R_SUCCESS);
- }
- }
- return (DNS_R_UNKNOWN);
-}
-
-static isc_result_t
-dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
- struct tbl *table)
-{
- int i = 0;
- char buf[sizeof("4294967296")];
- while (table[i].name != NULL) {
- if (table[i].value == value) {
- return (str_totext(table[i].name, target));
- }
- i++;
- }
- snprintf(buf, sizeof(buf), "%u", value);
- return (str_totext(buf, target));
-}
-
-isc_result_t
-dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
- unsigned int value;
- RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
- *rcodep = value;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
- return (dns_mnemonic_totext(rcode, target, rcodes));
-}
-
-isc_result_t
-dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
- unsigned int value;
- RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
- *rcodep = value;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
- return (dns_mnemonic_totext(rcode, target, tsigrcodes));
-}
-
-isc_result_t
-dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
- unsigned int value;
- RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
- *certp = value;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
- return (dns_mnemonic_totext(cert, target, certs));
-}
-
-isc_result_t
-dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
- unsigned int value;
- RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
- *secalgp = value;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
- return (dns_mnemonic_totext(secalg, target, secalgs));
-}
-
-isc_result_t
-dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
- unsigned int value;
- RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
- *secprotop = value;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
- return (dns_mnemonic_totext(secproto, target, secprotos));
-}
-
-isc_result_t
-dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
-{
- isc_result_t result;
- char *text, *end;
- unsigned int value, mask;
-
- result = maybe_numeric(&value, source, 0xffff, ISC_TRUE);
- if (result == ISC_R_SUCCESS) {
- *flagsp = value;
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_BADNUMBER)
- return (result);
-
- text = source->base;
- end = source->base + source->length;
- value = mask = 0;
-
- while (text < end) {
- struct keyflag *p;
- unsigned int len;
- char *delim = memchr(text, '|', end - text);
- if (delim != NULL)
- len = delim - text;
- else
- len = end - text;
- for (p = keyflags; p->name != NULL; p++) {
- if (strncasecmp(p->name, text, len) == 0)
- break;
- }
- if (p->name == NULL)
- return (DNS_R_UNKNOWNFLAG);
- value |= p->value;
-#ifdef notyet
- if ((mask & p->mask) != 0)
- warn("overlapping key flags");
-#endif
- mask |= p->mask;
- text += len;
- if (delim != NULL)
- text++; /* Skip "|" */
- }
- *flagsp = value;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * This uses lots of hard coded values, but how often do we actually
- * add classes?
- */
-isc_result_t
-dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
-#define COMPARE(string, rdclass) \
- if (((sizeof(string) - 1) == source->length) \
- && (strncasecmp(source->base, string, source->length) == 0)) { \
- *classp = rdclass; \
- return (ISC_R_SUCCESS); \
- }
-
- switch (tolower((unsigned char)source->base[0])) {
- case 'a':
- COMPARE("any", dns_rdataclass_any);
- break;
- case 'c':
- /*
- * RFC1035 says the mnemonic for the CHAOS class is CH,
- * but historical BIND practice is to call it CHAOS.
- * We will accept both forms, but only generate CH.
- */
- COMPARE("ch", dns_rdataclass_chaos);
- COMPARE("chaos", dns_rdataclass_chaos);
-
- if (source->length > 5 &&
- source->length < (5 + sizeof("65000")) &&
- strncasecmp("class", source->base, 5) == 0) {
- char buf[sizeof("65000")];
- char *endp;
- unsigned int val;
-
- strncpy(buf, source->base + 5, source->length - 5);
- buf[source->length - 5] = '\0';
- val = strtoul(buf, &endp, 10);
- if (*endp == '\0' && val <= 0xffff) {
- *classp = (dns_rdataclass_t)val;
- return (ISC_R_SUCCESS);
- }
- }
- break;
- case 'h':
- COMPARE("hs", dns_rdataclass_hs);
- COMPARE("hesiod", dns_rdataclass_hs);
- break;
- case 'i':
- COMPARE("in", dns_rdataclass_in);
- break;
- case 'n':
- COMPARE("none", dns_rdataclass_none);
- break;
- case 'r':
- COMPARE("reserved0", dns_rdataclass_reserved0);
- break;
- }
-
-#undef COMPARE
-
- return (DNS_R_UNKNOWN);
-}
-
-isc_result_t
-dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
- char buf[sizeof("CLASS65535")];
-
- switch (rdclass) {
- case dns_rdataclass_any:
- return (str_totext("ANY", target));
- case dns_rdataclass_chaos:
- return (str_totext("CH", target));
- case dns_rdataclass_hs:
- return (str_totext("HS", target));
- case dns_rdataclass_in:
- return (str_totext("IN", target));
- case dns_rdataclass_none:
- return (str_totext("NONE", target));
- case dns_rdataclass_reserved0:
- return (str_totext("RESERVED0", target));
- default:
- snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
- return (str_totext(buf, target));
- }
-}
-
-void
-dns_rdataclass_format(dns_rdataclass_t rdclass,
- char *array, unsigned int size)
-{
- isc_result_t result;
- isc_buffer_t buf;
-
- isc_buffer_init(&buf, array, size);
- result = dns_rdataclass_totext(rdclass, &buf);
- /*
- * Null terminate.
- */
- if (result == ISC_R_SUCCESS) {
- if (isc_buffer_availablelength(&buf) >= 1)
- isc_buffer_putuint8(&buf, 0);
- else
- result = ISC_R_NOSPACE;
- }
- if (result != ISC_R_SUCCESS) {
- snprintf(array, size, "<unknown>");
- array[size - 1] = '\0';
- }
-}
diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c
deleted file mode 100644
index 1b3f2a51c13a..000000000000
--- a/contrib/bind9/lib/dns/rdata.c
+++ /dev/null
@@ -1,1724 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdata.c,v 1.147.2.11.2.20 2005/07/22 05:27:52 marka Exp $ */
-
-#include <config.h>
-#include <ctype.h>
-
-#include <isc/base64.h>
-#include <isc/hex.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/cert.h>
-#include <dns/compress.h>
-#include <dns/enumtype.h>
-#include <dns/keyflags.h>
-#include <dns/keyvalues.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/secalg.h>
-#include <dns/secproto.h>
-#include <dns/time.h>
-#include <dns/ttl.h>
-
-#define RETERR(x) \
- do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-#define RETTOK(x) \
- do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) { \
- isc_lex_ungettoken(lexer, &token); \
- return (_r); \
- } \
- } while (0)
-
-#define DNS_AS_STR(t) ((t).value.as_textregion.base)
-
-#define ARGS_FROMTEXT int rdclass, dns_rdatatype_t type, \
- isc_lex_t *lexer, dns_name_t *origin, \
- unsigned int options, isc_buffer_t *target, \
- dns_rdatacallbacks_t *callbacks
-
-#define ARGS_TOTEXT dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, \
- isc_buffer_t *target
-
-#define ARGS_FROMWIRE int rdclass, dns_rdatatype_t type, \
- isc_buffer_t *source, dns_decompress_t *dctx, \
- unsigned int options, isc_buffer_t *target
-
-#define ARGS_TOWIRE dns_rdata_t *rdata, dns_compress_t *cctx, \
- isc_buffer_t *target
-
-#define ARGS_COMPARE const dns_rdata_t *rdata1, const dns_rdata_t *rdata2
-
-#define ARGS_FROMSTRUCT int rdclass, dns_rdatatype_t type, \
- void *source, isc_buffer_t *target
-
-#define ARGS_TOSTRUCT dns_rdata_t *rdata, void *target, isc_mem_t *mctx
-
-#define ARGS_FREESTRUCT void *source
-
-#define ARGS_ADDLDATA dns_rdata_t *rdata, dns_additionaldatafunc_t add, \
- void *arg
-
-#define ARGS_DIGEST dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
-
-#define ARGS_CHECKOWNER dns_name_t *name, dns_rdataclass_t rdclass, \
- dns_rdatatype_t type, isc_boolean_t wildcard
-
-#define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
-
-
-/*
- * Context structure for the totext_ functions.
- * Contains formatting options for rdata-to-text
- * conversion.
- */
-typedef struct dns_rdata_textctx {
- dns_name_t *origin; /* Current origin, or NULL. */
- unsigned int flags; /* DNS_STYLEFLAG_* */
- unsigned int width; /* Width of rdata column. */
- const char *linebreak; /* Line break string. */
-} dns_rdata_textctx_t;
-
-static isc_result_t
-txt_totext(isc_region_t *source, isc_buffer_t *target);
-
-static isc_result_t
-txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
-
-static isc_result_t
-txt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
-
-static isc_boolean_t
-name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target);
-
-static unsigned int
-name_length(dns_name_t *name);
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target);
-
-static isc_result_t
-inet_totext(int af, isc_region_t *src, isc_buffer_t *target);
-
-static isc_boolean_t
-buffer_empty(isc_buffer_t *source);
-
-static void
-buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region);
-
-static isc_result_t
-uint32_tobuffer(isc_uint32_t, isc_buffer_t *target);
-
-static isc_result_t
-uint16_tobuffer(isc_uint32_t, isc_buffer_t *target);
-
-static isc_result_t
-uint8_tobuffer(isc_uint32_t, isc_buffer_t *target);
-
-static isc_result_t
-name_tobuffer(dns_name_t *name, isc_buffer_t *target);
-
-static isc_uint32_t
-uint32_fromregion(isc_region_t *region);
-
-static isc_uint16_t
-uint16_fromregion(isc_region_t *region);
-
-static isc_uint8_t
-uint8_fromregion(isc_region_t *region);
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
-
-static int
-hexvalue(char value);
-
-static int
-decvalue(char value);
-
-static isc_result_t
-btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target);
-
-static isc_result_t
-atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target);
-
-static void
-default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *, ...)
- ISC_FORMAT_PRINTF(2, 3);
-
-static void
-fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
- dns_rdatacallbacks_t *callbacks, const char *name,
- unsigned long line, isc_token_t *token, isc_result_t result);
-
-static void
-fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks);
-
-static isc_result_t
-rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
- isc_buffer_t *target);
-
-static void
-warn_badname(dns_name_t *name, isc_lex_t *lexer,
- dns_rdatacallbacks_t *callbacks);
-
-static inline int
-getquad(const void *src, struct in_addr *dst,
- isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
-{
- int result;
- struct in_addr *tmp;
-
- result = inet_aton(src, dst);
- if (result == 1 && callbacks != NULL &&
- inet_pton(AF_INET, src, &tmp) != 1) {
- const char *name = isc_lex_getsourcename(lexer);
- if (name == NULL)
- name = "UNKNOWN";
- (*callbacks->warn)(callbacks, "%s:%lu: \"%s\" "
- "is not a decimal dotted quad", name,
- isc_lex_getsourceline(lexer), src);
- }
- return (result);
-}
-
-static inline isc_result_t
-name_duporclone(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
-
- if (mctx != NULL)
- return (dns_name_dup(source, mctx, target));
- dns_name_clone(source, target);
- return (ISC_R_SUCCESS);
-}
-
-static inline void *
-mem_maybedup(isc_mem_t *mctx, void *source, size_t length) {
- void *new;
-
- if (mctx == NULL)
- return (source);
- new = isc_mem_allocate(mctx, length);
- if (new != NULL)
- memcpy(new, source, length);
-
- return (new);
-}
-
-static const char hexdigits[] = "0123456789abcdef";
-static const char decdigits[] = "0123456789";
-
-#include "code.h"
-
-#define META 0x0001
-#define RESERVED 0x0002
-
-/***
- *** Initialization
- ***/
-
-void
-dns_rdata_init(dns_rdata_t *rdata) {
-
- REQUIRE(rdata != NULL);
-
- rdata->data = NULL;
- rdata->length = 0;
- rdata->rdclass = 0;
- rdata->type = 0;
- rdata->flags = 0;
- ISC_LINK_INIT(rdata, link);
- /* ISC_LIST_INIT(rdata->list); */
-}
-
-#if 0
-#define DNS_RDATA_INITIALIZED(rdata) \
- ((rdata)->data == NULL && (rdata)->length == 0 && \
- (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
- !ISC_LINK_LINKED((rdata), link))
-#else
-#ifdef ISC_LIST_CHECKINIT
-#define DNS_RDATA_INITIALIZED(rdata) \
- (!ISC_LINK_LINKED((rdata), link))
-#else
-#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
-#endif
-#endif
-#define DNS_RDATA_VALIDFLAGS(rdata) \
- (((rdata)->flags & ~DNS_RDATA_UPDATE) == 0)
-
-void
-dns_rdata_reset(dns_rdata_t *rdata) {
-
- REQUIRE(rdata != NULL);
-
- REQUIRE(!ISC_LINK_LINKED(rdata, link));
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- rdata->data = NULL;
- rdata->length = 0;
- rdata->rdclass = 0;
- rdata->type = 0;
- rdata->flags = 0;
-}
-
-/***
- ***
- ***/
-
-void
-dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target) {
-
- REQUIRE(src != NULL);
- REQUIRE(target != NULL);
-
- REQUIRE(DNS_RDATA_INITIALIZED(target));
-
- REQUIRE(DNS_RDATA_VALIDFLAGS(src));
- REQUIRE(DNS_RDATA_VALIDFLAGS(target));
-
- target->data = src->data;
- target->length = src->length;
- target->rdclass = src->rdclass;
- target->type = src->type;
- target->flags = src->flags;
-}
-
-
-/***
- *** Comparisons
- ***/
-
-int
-dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
- int result = 0;
- isc_boolean_t use_default = ISC_FALSE;
-
- REQUIRE(rdata1 != NULL);
- REQUIRE(rdata2 != NULL);
- REQUIRE(rdata1->data != NULL);
- REQUIRE(rdata2->data != NULL);
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
-
- if (rdata1->rdclass != rdata2->rdclass)
- return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
-
- if (rdata1->type != rdata2->type)
- return (rdata1->type < rdata2->type ? -1 : 1);
-
- COMPARESWITCH
-
- if (use_default) {
- isc_region_t r1;
- isc_region_t r2;
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- result = isc_region_compare(&r1, &r2);
- }
- return (result);
-}
-
-/***
- *** Conversions
- ***/
-
-void
-dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_region_t *r)
-{
-
- REQUIRE(rdata != NULL);
- REQUIRE(DNS_RDATA_INITIALIZED(rdata));
- REQUIRE(r != NULL);
-
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- rdata->data = r->base;
- rdata->length = r->length;
- rdata->rdclass = rdclass;
- rdata->type = type;
- rdata->flags = 0;
-}
-
-void
-dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r) {
-
- REQUIRE(rdata != NULL);
- REQUIRE(r != NULL);
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- r->base = rdata->data;
- r->length = rdata->length;
-}
-
-isc_result_t
-dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_buffer_t *source,
- dns_decompress_t *dctx, unsigned int options,
- isc_buffer_t *target)
-{
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_region_t region;
- isc_buffer_t ss;
- isc_buffer_t st;
- isc_boolean_t use_default = ISC_FALSE;
- isc_uint32_t activelength;
-
- REQUIRE(dctx != NULL);
- if (rdata != NULL) {
- REQUIRE(DNS_RDATA_INITIALIZED(rdata));
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
- }
-
- if (type == 0)
- return (DNS_R_FORMERR);
-
- ss = *source;
- st = *target;
-
- activelength = isc_buffer_activelength(source);
- INSIST(activelength < 65536);
-
- FROMWIRESWITCH
-
- if (use_default) {
- if (activelength > isc_buffer_availablelength(target))
- result = ISC_R_NOSPACE;
- else {
- isc_buffer_putmem(target, isc_buffer_current(source),
- activelength);
- isc_buffer_forward(source, activelength);
- result = ISC_R_SUCCESS;
- }
- }
-
- /*
- * We should have consumed all of our buffer.
- */
- if (result == ISC_R_SUCCESS && !buffer_empty(source))
- result = DNS_R_EXTRADATA;
-
- if (rdata != NULL && result == ISC_R_SUCCESS) {
- region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
- dns_rdata_fromregion(rdata, rdclass, type, &region);
- }
-
- if (result != ISC_R_SUCCESS) {
- *source = ss;
- *target = st;
- }
- return (result);
-}
-
-isc_result_t
-dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
- isc_buffer_t *target)
-{
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_boolean_t use_default = ISC_FALSE;
- isc_region_t tr;
- isc_buffer_t st;
-
- REQUIRE(rdata != NULL);
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- /*
- * Some DynDNS meta-RRs have empty rdata.
- */
- if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
- INSIST(rdata->length == 0);
- return (ISC_R_SUCCESS);
- }
-
- st = *target;
-
- TOWIRESWITCH
-
- if (use_default) {
- isc_buffer_availableregion(target, &tr);
- if (tr.length < rdata->length)
- return (ISC_R_NOSPACE);
- memcpy(tr.base, rdata->data, rdata->length);
- isc_buffer_add(target, rdata->length);
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS) {
- *target = st;
- INSIST(target->used < 65536);
- dns_compress_rollback(cctx, (isc_uint16_t)target->used);
- }
- return (result);
-}
-
-/*
- * If the binary data in 'src' is valid uncompressed wire format
- * rdata of class 'rdclass' and type 'type', return ISC_R_SUCCESS
- * and copy the validated rdata to 'dest'. Otherwise return an error.
- */
-static isc_result_t
-rdata_validate(isc_buffer_t *src, isc_buffer_t *dest, dns_rdataclass_t rdclass,
- dns_rdatatype_t type)
-{
- dns_decompress_t dctx;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
-
- dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
- isc_buffer_setactive(src, isc_buffer_usedlength(src));
- result = dns_rdata_fromwire(&rdata, rdclass, type, src,
- &dctx, 0, dest);
- dns_decompress_invalidate(&dctx);
-
- return (result);
-}
-
-static isc_result_t
-unknown_fromtext(dns_rdataclass_t rdclass, dns_rdatatype_t type,
- isc_lex_t *lexer, isc_mem_t *mctx, isc_buffer_t *target)
-{
- isc_result_t result;
- isc_buffer_t *buf = NULL;
- isc_token_t token;
-
- if (type == 0 || dns_rdatatype_ismeta(type))
- return (DNS_R_METATYPE);
-
- result = isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE);
- if (result == ISC_R_SUCCESS && token.value.as_ulong > 65535U)
- return (ISC_R_RANGE);
- result = isc_buffer_allocate(mctx, &buf, token.value.as_ulong);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = isc_hex_tobuffer(lexer, buf,
- (unsigned int)token.value.as_ulong);
- if (result != ISC_R_SUCCESS)
- goto failure;
- if (isc_buffer_usedlength(buf) != token.value.as_ulong) {
- result = ISC_R_UNEXPECTEDEND;
- goto failure;
- }
-
- if (dns_rdatatype_isknown(type)) {
- result = rdata_validate(buf, target, rdclass, type);
- } else {
- isc_region_t r;
- isc_buffer_usedregion(buf, &r);
- result = isc_buffer_copyregion(target, &r);
- }
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- isc_buffer_free(&buf);
- return (ISC_R_SUCCESS);
-
- failure:
- isc_buffer_free(&buf);
- return (result);
-}
-
-isc_result_t
-dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_lex_t *lexer,
- dns_name_t *origin, unsigned int options, isc_mem_t *mctx,
- isc_buffer_t *target, dns_rdatacallbacks_t *callbacks)
-{
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_region_t region;
- isc_buffer_t st;
- isc_token_t token;
- unsigned int lexoptions = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
- ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
- char *name;
- unsigned long line;
- void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
- isc_result_t tresult;
-
- REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
- if (rdata != NULL) {
- REQUIRE(DNS_RDATA_INITIALIZED(rdata));
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
- }
- if (callbacks != NULL) {
- REQUIRE(callbacks->warn != NULL);
- REQUIRE(callbacks->error != NULL);
- }
-
- st = *target;
-
- if (callbacks != NULL)
- callback = callbacks->error;
- else
- callback = default_fromtext_callback;
-
- result = isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
- ISC_FALSE);
- if (result != ISC_R_SUCCESS) {
- name = isc_lex_getsourcename(lexer);
- line = isc_lex_getsourceline(lexer);
- fromtext_error(callback, callbacks, name, line,
- &token, result);
- return (result);
- }
-
- if (strcmp(DNS_AS_STR(token), "\\#") == 0)
- result = unknown_fromtext(rdclass, type, lexer, mctx, target);
- else {
- isc_lex_ungettoken(lexer, &token);
-
- FROMTEXTSWITCH
- }
-
- /*
- * Consume to end of line / file.
- * If not at end of line initially set error code.
- * Call callback via fromtext_error once if there was an error.
- */
- do {
- name = isc_lex_getsourcename(lexer);
- line = isc_lex_getsourceline(lexer);
- tresult = isc_lex_gettoken(lexer, lexoptions, &token);
- if (tresult != ISC_R_SUCCESS) {
- if (result == ISC_R_SUCCESS)
- result = tresult;
- if (callback != NULL)
- fromtext_error(callback, callbacks, name,
- line, NULL, result);
- break;
- } else if (token.type != isc_tokentype_eol &&
- token.type != isc_tokentype_eof) {
- if (result == ISC_R_SUCCESS)
- result = DNS_R_EXTRATOKEN;
- if (callback != NULL) {
- fromtext_error(callback, callbacks, name,
- line, &token, result);
- callback = NULL;
- }
- } else if (result != ISC_R_SUCCESS && callback != NULL) {
- fromtext_error(callback, callbacks, name, line,
- &token, result);
- break;
- } else {
- if (token.type == isc_tokentype_eof)
- fromtext_warneof(lexer, callbacks);
- break;
- }
- } while (1);
-
- if (rdata != NULL && result == ISC_R_SUCCESS) {
- region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
- dns_rdata_fromregion(rdata, rdclass, type, &region);
- }
- if (result != ISC_R_SUCCESS) {
- *target = st;
- }
- return (result);
-}
-
-static isc_result_t
-rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
- isc_buffer_t *target)
-{
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_boolean_t use_default = ISC_FALSE;
- char buf[sizeof("65535")];
- isc_region_t sr;
-
- REQUIRE(rdata != NULL);
- REQUIRE(tctx->origin == NULL ||
- dns_name_isabsolute(tctx->origin) == ISC_TRUE);
-
- /*
- * Some DynDNS meta-RRs have empty rdata.
- */
- if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
- INSIST(rdata->length == 0);
- return (ISC_R_SUCCESS);
- }
-
- TOTEXTSWITCH
-
- if (use_default) {
- strlcpy(buf, "\\# ", sizeof(buf));
- result = str_totext(buf, target);
- dns_rdata_toregion(rdata, &sr);
- INSIST(sr.length < 65536);
- snprintf(buf, sizeof(buf), "%u", sr.length);
- result = str_totext(buf, target);
- if (sr.length != 0 && result == ISC_R_SUCCESS) {
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- result = str_totext(" ( ", target);
- else
- result = str_totext(" ", target);
- if (result == ISC_R_SUCCESS)
- result = isc_hex_totext(&sr, tctx->width - 2,
- tctx->linebreak,
- target);
- if (result == ISC_R_SUCCESS &&
- (tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- result = str_totext(" )", target);
- }
- }
-
- return (result);
-}
-
-isc_result_t
-dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target)
-{
- dns_rdata_textctx_t tctx;
-
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- /*
- * Set up formatting options for single-line output.
- */
- tctx.origin = origin;
- tctx.flags = 0;
- tctx.width = 60;
- tctx.linebreak = " ";
- return (rdata_totext(rdata, &tctx, target));
-}
-
-isc_result_t
-dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin,
- unsigned int flags, unsigned int width,
- char *linebreak, isc_buffer_t *target)
-{
- dns_rdata_textctx_t tctx;
-
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- /*
- * Set up formatting options for formatted output.
- */
- tctx.origin = origin;
- tctx.flags = flags;
- if ((flags & DNS_STYLEFLAG_MULTILINE) != 0) {
- tctx.width = width;
- tctx.linebreak = linebreak;
- } else {
- tctx.width = 60; /* Used for hex word length only. */
- tctx.linebreak = " ";
- }
- return (rdata_totext(rdata, &tctx, target));
-}
-
-isc_result_t
-dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, void *source,
- isc_buffer_t *target)
-{
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_buffer_t st;
- isc_region_t region;
- isc_boolean_t use_default = ISC_FALSE;
-
- REQUIRE(source != NULL);
- if (rdata != NULL) {
- REQUIRE(DNS_RDATA_INITIALIZED(rdata));
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
- }
-
- st = *target;
-
- FROMSTRUCTSWITCH
-
- if (use_default)
- (void)NULL;
-
- if (rdata != NULL && result == ISC_R_SUCCESS) {
- region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
- dns_rdata_fromregion(rdata, rdclass, type, &region);
- }
- if (result != ISC_R_SUCCESS)
- *target = st;
- return (result);
-}
-
-isc_result_t
-dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_boolean_t use_default = ISC_FALSE;
-
- REQUIRE(rdata != NULL);
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- TOSTRUCTSWITCH
-
- if (use_default)
- (void)NULL;
-
- return (result);
-}
-
-void
-dns_rdata_freestruct(void *source) {
- dns_rdatacommon_t *common = source;
- REQUIRE(source != NULL);
-
- FREESTRUCTSWITCH
-}
-
-isc_result_t
-dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
- void *arg)
-{
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_boolean_t use_default = ISC_FALSE;
-
- /*
- * Call 'add' for each name and type from 'rdata' which is subject to
- * additional section processing.
- */
-
- REQUIRE(rdata != NULL);
- REQUIRE(add != NULL);
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- ADDITIONALDATASWITCH
-
- /* No additional processing for unknown types */
- if (use_default)
- result = ISC_R_SUCCESS;
-
- return (result);
-}
-
-isc_result_t
-dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
- isc_result_t result = ISC_R_NOTIMPLEMENTED;
- isc_boolean_t use_default = ISC_FALSE;
- isc_region_t r;
-
- /*
- * Send 'rdata' in DNSSEC canonical form to 'digest'.
- */
-
- REQUIRE(rdata != NULL);
- REQUIRE(digest != NULL);
- REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
-
- DIGESTSWITCH
-
- if (use_default) {
- dns_rdata_toregion(rdata, &r);
- result = (digest)(arg, &r);
- }
-
- return (result);
-}
-
-isc_boolean_t
-dns_rdata_checkowner(dns_name_t *name, dns_rdataclass_t rdclass,
- dns_rdatatype_t type, isc_boolean_t wildcard)
-{
- isc_boolean_t result;
-
- CHECKOWNERSWITCH
- return (result);
-}
-
-isc_boolean_t
-dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad)
-{
- isc_boolean_t result;
-
- CHECKNAMESSWITCH
- return (result);
-}
-
-unsigned int
-dns_rdatatype_attributes(dns_rdatatype_t type)
-{
- RDATATYPE_ATTRIBUTE_SW
- if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255)
- return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META);
- return (DNS_RDATATYPEATTR_UNKNOWN);
-}
-
-isc_result_t
-dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
- unsigned int hash;
- unsigned int n;
- unsigned char a, b;
-
- n = source->length;
-
- if (n == 0)
- return (DNS_R_UNKNOWN);
-
- a = tolower((unsigned char)source->base[0]);
- b = tolower((unsigned char)source->base[n - 1]);
-
- hash = ((a + n) * b) % 256;
-
- /*
- * This switch block is inlined via #define, and will use "return"
- * to return a result to the caller if it is a valid (known)
- * rdatatype name.
- */
- RDATATYPE_FROMTEXT_SW(hash, source->base, n, typep);
-
- if (source->length > 4 && source->length < (4 + sizeof("65000")) &&
- strncasecmp("type", source->base, 4) == 0) {
- char buf[sizeof("65000")];
- char *endp;
- unsigned int val;
-
- strncpy(buf, source->base + 4, source->length - 4);
- buf[source->length - 4] = '\0';
- val = strtoul(buf, &endp, 10);
- if (*endp == '\0' && val <= 0xffff) {
- *typep = (dns_rdatatype_t)val;
- return (ISC_R_SUCCESS);
- }
- }
-
- return (DNS_R_UNKNOWN);
-}
-
-isc_result_t
-dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) {
- char buf[sizeof("TYPE65535")];
-
- RDATATYPE_TOTEXT_SW
- snprintf(buf, sizeof(buf), "TYPE%u", type);
- return (str_totext(buf, target));
-}
-
-void
-dns_rdatatype_format(dns_rdatatype_t rdtype,
- char *array, unsigned int size)
-{
- isc_result_t result;
- isc_buffer_t buf;
-
- isc_buffer_init(&buf, array, size);
- result = dns_rdatatype_totext(rdtype, &buf);
- /*
- * Null terminate.
- */
- if (result == ISC_R_SUCCESS) {
- if (isc_buffer_availablelength(&buf) >= 1)
- isc_buffer_putuint8(&buf, 0);
- else
- result = ISC_R_NOSPACE;
- }
- if (result != ISC_R_SUCCESS) {
- snprintf(array, size, "<unknown>");
- array[size - 1] = '\0';
- }
-}
-
-/*
- * Private function.
- */
-
-static unsigned int
-name_length(dns_name_t *name) {
- return (name->length);
-}
-
-static isc_result_t
-txt_totext(isc_region_t *source, isc_buffer_t *target) {
- unsigned int tl;
- unsigned int n;
- unsigned char *sp;
- char *tp;
- isc_region_t region;
-
- isc_buffer_availableregion(target, &region);
- sp = source->base;
- tp = (char *)region.base;
- tl = region.length;
-
- n = *sp++;
-
- REQUIRE(n + 1 <= source->length);
-
- if (tl < 1)
- return (ISC_R_NOSPACE);
- *tp++ = '"';
- tl--;
- while (n--) {
- if (*sp < 0x20 || *sp >= 0x7f) {
- if (tl < 4)
- return (ISC_R_NOSPACE);
- *tp++ = 0x5c;
- *tp++ = 0x30 + ((*sp / 100) % 10);
- *tp++ = 0x30 + ((*sp / 10) % 10);
- *tp++ = 0x30 + (*sp % 10);
- sp++;
- tl -= 4;
- continue;
- }
- /* double quote, semi-colon, backslash */
- if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
- if (tl < 2)
- return (ISC_R_NOSPACE);
- *tp++ = '\\';
- tl--;
- }
- if (tl < 1)
- return (ISC_R_NOSPACE);
- *tp++ = *sp++;
- tl--;
- }
- if (tl < 1)
- return (ISC_R_NOSPACE);
- *tp++ = '"';
- tl--;
- isc_buffer_add(target, tp - (char *)region.base);
- isc_region_consume(source, *source->base + 1);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
- isc_region_t tregion;
- isc_boolean_t escape;
- unsigned int n, nrem;
- char *s;
- unsigned char *t;
- int d;
- int c;
-
- isc_buffer_availableregion(target, &tregion);
- s = source->base;
- n = source->length;
- t = tregion.base;
- nrem = tregion.length;
- escape = ISC_FALSE;
- if (nrem < 1)
- return (ISC_R_NOSPACE);
- /*
- * Length byte.
- */
- nrem--;
- t++;
- /*
- * Maximum text string length.
- */
- if (nrem > 255)
- nrem = 255;
- while (n-- != 0) {
- c = (*s++) & 0xff;
- if (escape && (d = decvalue((char)c)) != -1) {
- c = d;
- if (n == 0)
- return (DNS_R_SYNTAX);
- n--;
- if ((d = decvalue(*s++)) != -1)
- c = c * 10 + d;
- else
- return (DNS_R_SYNTAX);
- if (n == 0)
- return (DNS_R_SYNTAX);
- n--;
- if ((d = decvalue(*s++)) != -1)
- c = c * 10 + d;
- else
- return (DNS_R_SYNTAX);
- if (c > 255)
- return (DNS_R_SYNTAX);
- } else if (!escape && c == '\\') {
- escape = ISC_TRUE;
- continue;
- }
- escape = ISC_FALSE;
- if (nrem == 0)
- return (ISC_R_NOSPACE);
- *t++ = c;
- nrem--;
- }
- if (escape)
- return (DNS_R_SYNTAX);
- *tregion.base = t - tregion.base - 1;
- isc_buffer_add(target, *tregion.base + 1);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
- unsigned int n;
- isc_region_t sregion;
- isc_region_t tregion;
-
- isc_buffer_activeregion(source, &sregion);
- if (sregion.length == 0)
- return(ISC_R_UNEXPECTEDEND);
- n = *sregion.base + 1;
- if (n > sregion.length)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_availableregion(target, &tregion);
- if (n > tregion.length)
- return (ISC_R_NOSPACE);
-
- memcpy(tregion.base, sregion.base, n);
- isc_buffer_forward(source, n);
- isc_buffer_add(target, n);
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target) {
- int l1, l2;
-
- if (origin == NULL)
- goto return_false;
-
- if (dns_name_compare(origin, dns_rootname) == 0)
- goto return_false;
-
- if (!dns_name_issubdomain(name, origin))
- goto return_false;
-
- l1 = dns_name_countlabels(name);
- l2 = dns_name_countlabels(origin);
-
- if (l1 == l2)
- goto return_false;
-
- dns_name_getlabelsequence(name, 0, l1 - l2, target);
- return (ISC_TRUE);
-
-return_false:
- *target = *name;
- return (ISC_FALSE);
-}
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
- unsigned int l;
- isc_region_t region;
-
- isc_buffer_availableregion(target, &region);
- l = strlen(source);
-
- if (l > region.length)
- return (ISC_R_NOSPACE);
-
- memcpy(region.base, source, l);
- isc_buffer_add(target, l);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-inet_totext(int af, isc_region_t *src, isc_buffer_t *target) {
- char tmpbuf[64];
-
- /* Note - inet_ntop doesn't do size checking on its input. */
- if (inet_ntop(af, src->base, tmpbuf, sizeof(tmpbuf)) == NULL)
- return (ISC_R_NOSPACE);
- if (strlen(tmpbuf) > isc_buffer_availablelength(target))
- return (ISC_R_NOSPACE);
- isc_buffer_putstr(target, tmpbuf);
- return (ISC_R_SUCCESS);
-}
-
-static isc_boolean_t
-buffer_empty(isc_buffer_t *source) {
- return((source->current == source->active) ? ISC_TRUE : ISC_FALSE);
-}
-
-static void
-buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region) {
- isc_buffer_init(buffer, region->base, region->length);
- isc_buffer_add(buffer, region->length);
- isc_buffer_setactive(buffer, region->length);
-}
-
-static isc_result_t
-uint32_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
- isc_region_t region;
-
- isc_buffer_availableregion(target, &region);
- if (region.length < 4)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint32(target, value);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-uint16_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
- isc_region_t region;
-
- if (value > 0xffff)
- return (ISC_R_RANGE);
- isc_buffer_availableregion(target, &region);
- if (region.length < 2)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint16(target, (isc_uint16_t)value);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-uint8_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
- isc_region_t region;
-
- if (value > 0xff)
- return (ISC_R_RANGE);
- isc_buffer_availableregion(target, &region);
- if (region.length < 1)
- return (ISC_R_NOSPACE);
- isc_buffer_putuint8(target, (isc_uint8_t)value);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-name_tobuffer(dns_name_t *name, isc_buffer_t *target) {
- isc_region_t r;
- dns_name_toregion(name, &r);
- return (isc_buffer_copyregion(target, &r));
-}
-
-static isc_uint32_t
-uint32_fromregion(isc_region_t *region) {
- isc_uint32_t value;
-
- REQUIRE(region->length >= 4);
- value = region->base[0] << 24;
- value |= region->base[1] << 16;
- value |= region->base[2] << 8;
- value |= region->base[3];
- return(value);
-}
-
-static isc_uint16_t
-uint16_fromregion(isc_region_t *region) {
-
- REQUIRE(region->length >= 2);
-
- return ((region->base[0] << 8) | region->base[1]);
-}
-
-static isc_uint8_t
-uint8_fromregion(isc_region_t *region) {
-
- REQUIRE(region->length >= 1);
-
- return (region->base[0]);
-}
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
- isc_region_t tr;
-
- isc_buffer_availableregion(target, &tr);
- if (length > tr.length)
- return (ISC_R_NOSPACE);
- memcpy(tr.base, base, length);
- isc_buffer_add(target, length);
- return (ISC_R_SUCCESS);
-}
-
-static int
-hexvalue(char value) {
- char *s;
- unsigned char c;
-
- c = (unsigned char)value;
-
- if (!isascii(c))
- return (-1);
- if (isupper(c))
- c = tolower(c);
- if ((s = strchr(hexdigits, value)) == NULL)
- return (-1);
- return (s - hexdigits);
-}
-
-static int
-decvalue(char value) {
- char *s;
-
- /*
- * isascii() is valid for full range of int values, no need to
- * mask or cast.
- */
- if (!isascii(value))
- return (-1);
- if ((s = strchr(decdigits, value)) == NULL)
- return (-1);
- return (s - decdigits);
-}
-
-static const char atob_digits[86] =
- "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`" \
- "abcdefghijklmnopqrstu";
-/*
- * Subroutines to convert between 8 bit binary bytes and printable ASCII.
- * Computes the number of bytes, and three kinds of simple checksums.
- * Incoming bytes are collected into 32-bit words, then printed in base 85:
- * exp(85,5) > exp(2,32)
- * The ASCII characters used are between '!' and 'u';
- * 'z' encodes 32-bit zero; 'x' is used to mark the end of encoded data.
- *
- * Originally by Paul Rutter (philabs!per) and Joe Orost (petsd!joe) for
- * the atob/btoa programs, released with the compress program, in mod.sources.
- * Modified by Mike Schwartz 8/19/86 for use in BIND.
- * Modified to be re-entrant 3/2/99.
- */
-
-
-struct state {
- isc_int32_t Ceor;
- isc_int32_t Csum;
- isc_int32_t Crot;
- isc_int32_t word;
- isc_int32_t bcount;
-};
-
-#define Ceor state->Ceor
-#define Csum state->Csum
-#define Crot state->Crot
-#define word state->word
-#define bcount state->bcount
-
-#define times85(x) ((((((x<<2)+x)<<2)+x)<<2)+x)
-
-static isc_result_t byte_atob(int c, isc_buffer_t *target,
- struct state *state);
-static isc_result_t putbyte(int c, isc_buffer_t *, struct state *state);
-static isc_result_t byte_btoa(int c, isc_buffer_t *, struct state *state);
-
-/*
- * Decode ASCII-encoded byte c into binary representation and
- * place into *bufp, advancing bufp.
- */
-static isc_result_t
-byte_atob(int c, isc_buffer_t *target, struct state *state) {
- char *s;
- if (c == 'z') {
- if (bcount != 0)
- return(DNS_R_SYNTAX);
- else {
- RETERR(putbyte(0, target, state));
- RETERR(putbyte(0, target, state));
- RETERR(putbyte(0, target, state));
- RETERR(putbyte(0, target, state));
- }
- } else if ((s = strchr(atob_digits, c)) != NULL) {
- if (bcount == 0) {
- word = s - atob_digits;
- ++bcount;
- } else if (bcount < 4) {
- word = times85(word);
- word += s - atob_digits;
- ++bcount;
- } else {
- word = times85(word);
- word += s - atob_digits;
- RETERR(putbyte((word >> 24) & 0xff, target, state));
- RETERR(putbyte((word >> 16) & 0xff, target, state));
- RETERR(putbyte((word >> 8) & 0xff, target, state));
- RETERR(putbyte(word & 0xff, target, state));
- word = 0;
- bcount = 0;
- }
- } else
- return(DNS_R_SYNTAX);
- return(ISC_R_SUCCESS);
-}
-
-/*
- * Compute checksum info and place c into target.
- */
-static isc_result_t
-putbyte(int c, isc_buffer_t *target, struct state *state) {
- isc_region_t tr;
-
- Ceor ^= c;
- Csum += c;
- Csum += 1;
- if ((Crot & 0x80000000)) {
- Crot <<= 1;
- Crot += 1;
- } else {
- Crot <<= 1;
- }
- Crot += c;
- isc_buffer_availableregion(target, &tr);
- if (tr.length < 1)
- return (ISC_R_NOSPACE);
- tr.base[0] = c;
- isc_buffer_add(target, 1);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Read the ASCII-encoded data from inbuf, of length inbuflen, and convert
- * it into T_UNSPEC (binary data) in outbuf, not to exceed outbuflen bytes;
- * outbuflen must be divisible by 4. (Note: this is because outbuf is filled
- * in 4 bytes at a time. If the actual data doesn't end on an even 4-byte
- * boundary, there will be no problem...it will be padded with 0 bytes, and
- * numbytes will indicate the correct number of bytes. The main point is
- * that since the buffer is filled in 4 bytes at a time, even if there is
- * not a full 4 bytes of data at the end, there has to be room to 0-pad the
- * data, so the buffer must be of size divisible by 4). Place the number of
- * output bytes in numbytes, and return a failure/success status.
- */
-
-static isc_result_t
-atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
- long oeor, osum, orot;
- struct state statebuf, *state= &statebuf;
- isc_token_t token;
- char c;
- char *e;
-
- Ceor = Csum = Crot = word = bcount = 0;
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- while (token.value.as_textregion.length != 0) {
- if ((c = token.value.as_textregion.base[0]) == 'x') {
- break;
- } else
- RETERR(byte_atob(c, target, state));
- isc_textregion_consume(&token.value.as_textregion, 1);
- }
-
- /*
- * Number of bytes.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if ((token.value.as_ulong % 4) != 0U)
- isc_buffer_subtract(target, 4 - (token.value.as_ulong % 4));
-
- /*
- * Checksum.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- oeor = strtol(DNS_AS_STR(token), &e, 16);
- if (*e != 0)
- return (DNS_R_SYNTAX);
-
- /*
- * Checksum.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- osum = strtol(DNS_AS_STR(token), &e, 16);
- if (*e != 0)
- return (DNS_R_SYNTAX);
-
- /*
- * Checksum.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- orot = strtol(DNS_AS_STR(token), &e, 16);
- if (*e != 0)
- return (DNS_R_SYNTAX);
-
- if ((oeor != Ceor) || (osum != Csum) || (orot != Crot))
- return(DNS_R_BADCKSUM);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Encode binary byte c into ASCII representation and place into *bufp,
- * advancing bufp.
- */
-static isc_result_t
-byte_btoa(int c, isc_buffer_t *target, struct state *state) {
- isc_region_t tr;
-
- isc_buffer_availableregion(target, &tr);
- Ceor ^= c;
- Csum += c;
- Csum += 1;
- if ((Crot & 0x80000000)) {
- Crot <<= 1;
- Crot += 1;
- } else {
- Crot <<= 1;
- }
- Crot += c;
-
- word <<= 8;
- word |= c;
- if (bcount == 3) {
- if (word == 0) {
- if (tr.length < 1)
- return (ISC_R_NOSPACE);
- tr.base[0] = 'z';
- isc_buffer_add(target, 1);
- } else {
- register int tmp = 0;
- register isc_int32_t tmpword = word;
-
- if (tmpword < 0) {
- /*
- * Because some don't support u_long.
- */
- tmp = 32;
- tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
- }
- if (tmpword < 0) {
- tmp = 64;
- tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
- }
- if (tr.length < 5)
- return (ISC_R_NOSPACE);
- tr.base[0] = atob_digits[(tmpword /
- (isc_int32_t)(85 * 85 * 85 * 85))
- + tmp];
- tmpword %= (isc_int32_t)(85 * 85 * 85 * 85);
- tr.base[1] = atob_digits[tmpword / (85 * 85 * 85)];
- tmpword %= (85 * 85 * 85);
- tr.base[2] = atob_digits[tmpword / (85 * 85)];
- tmpword %= (85 * 85);
- tr.base[3] = atob_digits[tmpword / 85];
- tmpword %= 85;
- tr.base[4] = atob_digits[tmpword];
- isc_buffer_add(target, 5);
- }
- bcount = 0;
- } else {
- bcount += 1;
- }
- return (ISC_R_SUCCESS);
-}
-
-
-/*
- * Encode the binary data from inbuf, of length inbuflen, into a
- * target. Return success/failure status
- */
-static isc_result_t
-btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target) {
- int inc;
- struct state statebuf, *state = &statebuf;
- char buf[sizeof("x 2000000000 ffffffff ffffffff ffffffff")];
-
- Ceor = Csum = Crot = word = bcount = 0;
- for (inc = 0; inc < inbuflen; inbuf++, inc++)
- RETERR(byte_btoa(*inbuf, target, state));
-
- while (bcount != 0)
- RETERR(byte_btoa(0, target, state));
-
- /*
- * Put byte count and checksum information at end of buffer,
- * delimited by 'x'
- */
- snprintf(buf, sizeof(buf), "x %d %x %x %x", inbuflen, Ceor, Csum, Crot);
- return (str_totext(buf, target));
-}
-
-
-static void
-default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *fmt,
- ...)
-{
- va_list ap;
-
- UNUSED(callbacks);
-
- va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
- va_end(ap);
- fprintf(stderr, "\n");
-}
-
-static void
-fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) {
- if (isc_lex_isfile(lexer) && callbacks != NULL) {
- const char *name = isc_lex_getsourcename(lexer);
- if (name == NULL)
- name = "UNKNOWN";
- (*callbacks->warn)(callbacks,
- "%s:%lu: file does not end with newline",
- name, isc_lex_getsourceline(lexer));
- }
-}
-
-static void
-warn_badname(dns_name_t *name, isc_lex_t *lexer,
- dns_rdatacallbacks_t *callbacks)
-{
- const char *file;
- unsigned long line;
- char namebuf[DNS_NAME_FORMATSIZE];
-
- if (lexer != NULL) {
- file = isc_lex_getsourcename(lexer);
- line = isc_lex_getsourceline(lexer);
- dns_name_format(name, namebuf, sizeof(namebuf));
- (*callbacks->warn)(callbacks, "%s:%u: warning: %s: %s",
- file, line, namebuf,
- dns_result_totext(DNS_R_BADNAME));
- }
-}
-
-static void
-fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
- dns_rdatacallbacks_t *callbacks, const char *name,
- unsigned long line, isc_token_t *token, isc_result_t result)
-{
- if (name == NULL)
- name = "UNKNOWN";
-
- if (token != NULL) {
- switch (token->type) {
- case isc_tokentype_eol:
- (*callback)(callbacks, "%s: %s:%lu: near eol: %s",
- "dns_rdata_fromtext", name, line,
- dns_result_totext(result));
- break;
- case isc_tokentype_eof:
- (*callback)(callbacks, "%s: %s:%lu: near eof: %s",
- "dns_rdata_fromtext", name, line,
- dns_result_totext(result));
- break;
- case isc_tokentype_number:
- (*callback)(callbacks, "%s: %s:%lu: near %lu: %s",
- "dns_rdata_fromtext", name, line,
- token->value.as_ulong,
- dns_result_totext(result));
- break;
- case isc_tokentype_string:
- case isc_tokentype_qstring:
- (*callback)(callbacks, "%s: %s:%lu: near '%s': %s",
- "dns_rdata_fromtext", name, line,
- DNS_AS_STR(*token),
- dns_result_totext(result));
- break;
- default:
- (*callback)(callbacks, "%s: %s:%lu: %s",
- "dns_rdata_fromtext", name, line,
- dns_result_totext(result));
- break;
- }
- } else {
- (*callback)(callbacks, "dns_rdata_fromtext: %s:%lu: %s",
- name, line, dns_result_totext(result));
- }
-}
-
-dns_rdatatype_t
-dns_rdata_covers(dns_rdata_t *rdata) {
- if (rdata->type == 46)
- return (covers_rrsig(rdata));
- return (covers_sig(rdata));
-}
-
-isc_boolean_t
-dns_rdatatype_ismeta(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_META) != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_issingleton(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_SINGLETON)
- != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_notquestion(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_NOTQUESTION)
- != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_questiononly(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_QUESTIONONLY)
- != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_atparent(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATPARENT) != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdataclass_ismeta(dns_rdataclass_t rdclass) {
-
- if (rdclass == dns_rdataclass_reserved0
- || rdclass == dns_rdataclass_none
- || rdclass == dns_rdataclass_any)
- return (ISC_TRUE);
-
- return (ISC_FALSE); /* Assume it is not a meta class. */
-}
-
-isc_boolean_t
-dns_rdatatype_isdnssec(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_DNSSEC) != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_iszonecutauth(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type)
- & (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH))
- != 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_rdatatype_isknown(dns_rdatatype_t type) {
- if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_UNKNOWN)
- == 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
deleted file mode 100644
index c9b52c7e78b2..000000000000
--- a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
+++ /dev/null
@@ -1,597 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsig_250.c,v 1.52.2.1.2.8 2005/03/20 22:34:01 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
-
-#ifndef RDATA_ANY_255_TSIG_250_C
-#define RDATA_ANY_255_TSIG_250_C
-
-#define RRTYPE_TSIG_ATTRIBUTES \
- (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_NOTQUESTION)
-
-static inline isc_result_t
-fromtext_any_tsig(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_uint64_t sigtime;
- isc_buffer_t buffer;
- dns_rcode_t rcode;
- long i;
- char *e;
-
- REQUIRE(type == 250);
- REQUIRE(rdclass == 255);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Algorithm Name.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
- /*
- * Time Signed: 48 bits.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- sigtime = isc_string_touint64(DNS_AS_STR(token), &e, 10);
- if (*e != 0)
- RETTOK(DNS_R_SYNTAX);
- if ((sigtime >> 48) != 0)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer((isc_uint16_t)(sigtime >> 32), target));
- RETERR(uint32_tobuffer((isc_uint32_t)(sigtime & 0xffffffffU), target));
-
- /*
- * Fudge.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Signature Size.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Signature.
- */
- RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-
- /*
- * Original ID.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Error.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
- != ISC_R_SUCCESS)
- {
- i = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0)
- RETTOK(DNS_R_UNKNOWN);
- if (i < 0 || i > 0xffff)
- RETTOK(ISC_R_RANGE);
- rcode = (dns_rcode_t)i;
- }
- RETERR(uint16_tobuffer(rcode, target));
-
- /*
- * Other Len.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Other Data.
- */
- return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-}
-
-static inline isc_result_t
-totext_any_tsig(ARGS_TOTEXT) {
- isc_region_t sr;
- isc_region_t sigr;
- char buf[sizeof("281474976710655 ")];
- char *bufp;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- isc_uint64_t sigtime;
- unsigned short n;
-
- REQUIRE(rdata->type == 250);
- REQUIRE(rdata->rdclass == 255);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
- /*
- * Algorithm Name.
- */
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
- dns_name_fromregion(&name, &sr);
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
- RETERR(str_totext(" ", target));
- isc_region_consume(&sr, name_length(&name));
-
- /*
- * Time Signed.
- */
- sigtime = ((isc_uint64_t)sr.base[0] << 40) |
- ((isc_uint64_t)sr.base[1] << 32) |
- ((isc_uint64_t)sr.base[2] << 24) |
- ((isc_uint64_t)sr.base[3] << 16) |
- ((isc_uint64_t)sr.base[4] << 8) |
- (isc_uint64_t)sr.base[5];
- isc_region_consume(&sr, 6);
- bufp = &buf[sizeof(buf) - 1];
- *bufp-- = 0;
- *bufp-- = ' ';
- do {
- *bufp-- = decdigits[sigtime % 10];
- sigtime /= 10;
- } while (sigtime != 0);
- bufp++;
- RETERR(str_totext(bufp, target));
-
- /*
- * Fudge.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Signature Size.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Signature.
- */
- REQUIRE(n <= sr.length);
- sigr = sr;
- sigr.length = n;
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&sigr, tctx->width - 2,
- tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" ) ", target));
- else
- RETERR(str_totext(" ", target));
- isc_region_consume(&sr, n);
-
- /*
- * Original ID.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Error.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
- RETERR(str_totext(" ", target));
- else {
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
- }
-
- /*
- * Other Size.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Other.
- */
- return (isc_base64_totext(&sr, 60, " ", target));
-}
-
-static inline isc_result_t
-fromwire_any_tsig(ARGS_FROMWIRE) {
- isc_region_t sr;
- dns_name_t name;
- unsigned long n;
-
- REQUIRE(type == 250);
- REQUIRE(rdclass == 255);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- /*
- * Algorithm Name.
- */
- dns_name_init(&name, NULL);
- RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
- isc_buffer_activeregion(source, &sr);
- /*
- * Time Signed + Fudge.
- */
- if (sr.length < 8)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sr.base, 8));
- isc_region_consume(&sr, 8);
- isc_buffer_forward(source, 8);
-
- /*
- * Signature Length + Signature.
- */
- if (sr.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- n = uint16_fromregion(&sr);
- if (sr.length < n + 2)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sr.base, n + 2));
- isc_region_consume(&sr, n + 2);
- isc_buffer_forward(source, n + 2);
-
- /*
- * Original ID + Error.
- */
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sr.base, 4));
- isc_region_consume(&sr, 4);
- isc_buffer_forward(source, 4);
-
- /*
- * Other Length + Other.
- */
- if (sr.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- n = uint16_fromregion(&sr);
- if (sr.length < n + 2)
- return (ISC_R_UNEXPECTEDEND);
- isc_buffer_forward(source, n + 2);
- return (mem_tobuffer(target, sr.base, n + 2));
-}
-
-static inline isc_result_t
-towire_any_tsig(ARGS_TOWIRE) {
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
-
- REQUIRE(rdata->type == 250);
- REQUIRE(rdata->rdclass == 255);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_rdata_toregion(rdata, &sr);
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
- RETERR(dns_name_towire(&name, cctx, target));
- isc_region_consume(&sr, name_length(&name));
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_any_tsig(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
- dns_name_t name1;
- dns_name_t name2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 250);
- REQUIRE(rdata1->rdclass == 255);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
- dns_name_fromregion(&name1, &r1);
- dns_name_fromregion(&name2, &r2);
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
- isc_region_consume(&r1, name_length(&name1));
- isc_region_consume(&r2, name_length(&name2));
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_any_tsig(ARGS_FROMSTRUCT) {
- dns_rdata_any_tsig_t *tsig = source;
- isc_region_t tr;
-
- REQUIRE(type == 250);
- REQUIRE(rdclass == 255);
- REQUIRE(source != NULL);
- REQUIRE(tsig->common.rdclass == rdclass);
- REQUIRE(tsig->common.rdtype == type);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- /*
- * Algorithm Name.
- */
- RETERR(name_tobuffer(&tsig->algorithm, target));
-
- isc_buffer_availableregion(target, &tr);
- if (tr.length < 6 + 2 + 2)
- return (ISC_R_NOSPACE);
-
- /*
- * Time Signed: 48 bits.
- */
- RETERR(uint16_tobuffer((isc_uint16_t)(tsig->timesigned >> 32),
- target));
- RETERR(uint32_tobuffer((isc_uint32_t)(tsig->timesigned & 0xffffffffU),
- target));
-
- /*
- * Fudge.
- */
- RETERR(uint16_tobuffer(tsig->fudge, target));
-
- /*
- * Signature Size.
- */
- RETERR(uint16_tobuffer(tsig->siglen, target));
-
- /*
- * Signature.
- */
- RETERR(mem_tobuffer(target, tsig->signature, tsig->siglen));
-
- isc_buffer_availableregion(target, &tr);
- if (tr.length < 2 + 2 + 2)
- return (ISC_R_NOSPACE);
-
- /*
- * Original ID.
- */
- RETERR(uint16_tobuffer(tsig->originalid, target));
-
- /*
- * Error.
- */
- RETERR(uint16_tobuffer(tsig->error, target));
-
- /*
- * Other Len.
- */
- RETERR(uint16_tobuffer(tsig->otherlen, target));
-
- /*
- * Other Data.
- */
- return (mem_tobuffer(target, tsig->other, tsig->otherlen));
-}
-
-static inline isc_result_t
-tostruct_any_tsig(ARGS_TOSTRUCT) {
- dns_rdata_any_tsig_t *tsig;
- dns_name_t alg;
- isc_region_t sr;
-
- REQUIRE(rdata->type == 250);
- REQUIRE(rdata->rdclass == 255);
- REQUIRE(rdata->length != 0);
-
- tsig = (dns_rdata_any_tsig_t *) target;
- tsig->common.rdclass = rdata->rdclass;
- tsig->common.rdtype = rdata->type;
- ISC_LINK_INIT(&tsig->common, link);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Algorithm Name.
- */
- dns_name_init(&alg, NULL);
- dns_name_fromregion(&alg, &sr);
- dns_name_init(&tsig->algorithm, NULL);
- RETERR(name_duporclone(&alg, mctx, &tsig->algorithm));
-
- isc_region_consume(&sr, name_length(&tsig->algorithm));
-
- /*
- * Time Signed.
- */
- INSIST(sr.length >= 6);
- tsig->timesigned = ((isc_uint64_t)sr.base[0] << 40) |
- ((isc_uint64_t)sr.base[1] << 32) |
- ((isc_uint64_t)sr.base[2] << 24) |
- ((isc_uint64_t)sr.base[3] << 16) |
- ((isc_uint64_t)sr.base[4] << 8) |
- (isc_uint64_t)sr.base[5];
- isc_region_consume(&sr, 6);
-
- /*
- * Fudge.
- */
- tsig->fudge = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Signature Size.
- */
- tsig->siglen = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Signature.
- */
- INSIST(sr.length >= tsig->siglen);
- tsig->signature = mem_maybedup(mctx, sr.base, tsig->siglen);
- if (tsig->signature == NULL)
- goto cleanup;
- isc_region_consume(&sr, tsig->siglen);
-
- /*
- * Original ID.
- */
- tsig->originalid = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Error.
- */
- tsig->error = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Other Size.
- */
- tsig->otherlen = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Other.
- */
- INSIST(sr.length == tsig->otherlen);
- tsig->other = mem_maybedup(mctx, sr.base, tsig->otherlen);
- if (tsig->other == NULL)
- goto cleanup;
-
- tsig->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&tsig->algorithm, tsig->mctx);
- if (mctx != NULL && tsig->signature != NULL)
- isc_mem_free(mctx, tsig->signature);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_any_tsig(ARGS_FREESTRUCT) {
- dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *) source;
-
- REQUIRE(source != NULL);
- REQUIRE(tsig->common.rdclass == 255);
- REQUIRE(tsig->common.rdtype == 250);
-
- if (tsig->mctx == NULL)
- return;
-
- dns_name_free(&tsig->algorithm, tsig->mctx);
- if (tsig->signature != NULL)
- isc_mem_free(tsig->mctx, tsig->signature);
- if (tsig->other != NULL)
- isc_mem_free(tsig->mctx, tsig->other);
- tsig->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_any_tsig(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 250);
- REQUIRE(rdata->rdclass == 255);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_any_tsig(ARGS_DIGEST) {
-
- REQUIRE(rdata->type == 250);
- REQUIRE(rdata->rdclass == 255);
-
- UNUSED(rdata);
- UNUSED(digest);
- UNUSED(arg);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_boolean_t
-checkowner_any_tsig(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 250);
- REQUIRE(rdclass == 255);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_any_tsig(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 250);
- REQUIRE(rdata->rdclass == 250);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_ANY_255_TSIG_250_C */
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
deleted file mode 100644
index 7b5ccc263317..000000000000
--- a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tsig_250.h,v 1.20.206.1 2004/03/06 08:14:02 marka Exp $ */
-
-/* RFC 2845 */
-
-#ifndef ANY_255_TSIG_250_H
-#define ANY_255_TSIG_250_H 1
-
-typedef struct dns_rdata_any_tsig {
- dns_rdatacommon_t common;
- isc_mem_t * mctx;
- dns_name_t algorithm;
- isc_uint64_t timesigned;
- isc_uint16_t fudge;
- isc_uint16_t siglen;
- unsigned char * signature;
- isc_uint16_t originalid;
- isc_uint16_t error;
- isc_uint16_t otherlen;
- unsigned char * other;
-} dns_rdata_any_tsig_t;
-
-#endif /* ANY_255_TSIG_250_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
deleted file mode 100644
index f46844a4b23d..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: afsdb_18.c,v 1.39.2.1.2.3 2004/03/06 08:14:03 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
-
-/* RFC 1183 */
-
-#ifndef RDATA_GENERIC_AFSDB_18_C
-#define RDATA_GENERIC_AFSDB_18_C
-
-#define RRTYPE_AFSDB_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_afsdb(ARGS_FROMTEXT) {
- isc_token_t token;
- isc_buffer_t buffer;
- dns_name_t name;
- isc_boolean_t ok;
-
- REQUIRE(type == 18);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Subtype.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Hostname.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- ok = dns_name_ishostname(&name, ISC_FALSE);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_afsdb(ARGS_TOTEXT) {
- dns_name_t name;
- dns_name_t prefix;
- isc_region_t region;
- char buf[sizeof("64000 ")];
- isc_boolean_t sub;
- unsigned int num;
-
- REQUIRE(rdata->type == 18);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u ", num);
- RETERR(str_totext(buf, target));
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_afsdb(ARGS_FROMWIRE) {
- dns_name_t name;
- isc_region_t sr;
- isc_region_t tr;
-
- REQUIRE(type == 18);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
-
- isc_buffer_activeregion(source, &sr);
- isc_buffer_availableregion(target, &tr);
- if (tr.length < 2)
- return (ISC_R_NOSPACE);
- if (sr.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- memcpy(tr.base, sr.base, 2);
- isc_buffer_forward(source, 2);
- isc_buffer_add(target, 2);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_afsdb(ARGS_TOWIRE) {
- isc_region_t tr;
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
-
- REQUIRE(rdata->type == 18);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- isc_buffer_availableregion(target, &tr);
- dns_rdata_toregion(rdata, &sr);
- if (tr.length < 2)
- return (ISC_R_NOSPACE);
- memcpy(tr.base, sr.base, 2);
- isc_region_consume(&sr, 2);
- isc_buffer_add(target, 2);
-
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_afsdb(ARGS_COMPARE) {
- int result;
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 18);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- result = memcmp(rdata1->data, rdata2->data, 2);
- if (result != 0)
- return (result < 0 ? -1 : 1);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- isc_region_consume(&region1, 2);
- isc_region_consume(&region2, 2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_afsdb(ARGS_FROMSTRUCT) {
- dns_rdata_afsdb_t *afsdb = source;
- isc_region_t region;
-
- REQUIRE(type == 18);
- REQUIRE(source != NULL);
- REQUIRE(afsdb->common.rdclass == rdclass);
- REQUIRE(afsdb->common.rdtype == type);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(afsdb->subtype, target));
- dns_name_toregion(&afsdb->server, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_afsdb(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_afsdb_t *afsdb = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 18);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- afsdb->common.rdclass = rdata->rdclass;
- afsdb->common.rdtype = rdata->type;
- ISC_LINK_INIT(&afsdb->common, link);
-
- dns_name_init(&afsdb->server, NULL);
-
- dns_rdata_toregion(rdata, &region);
-
- afsdb->subtype = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
-
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
-
- RETERR(name_duporclone(&name, mctx, &afsdb->server));
- afsdb->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_afsdb(ARGS_FREESTRUCT) {
- dns_rdata_afsdb_t *afsdb = source;
-
- REQUIRE(source != NULL);
- REQUIRE(afsdb->common.rdtype == 18);
-
- if (afsdb->mctx == NULL)
- return;
-
- dns_name_free(&afsdb->server, afsdb->mctx);
- afsdb->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_afsdb(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 18);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 2);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_afsdb(ARGS_DIGEST) {
- isc_region_t r1, r2;
- dns_name_t name;
-
- REQUIRE(rdata->type == 18);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- isc_region_consume(&r2, 2);
- r1.length = 2;
- RETERR((digest)(arg, &r1));
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_afsdb(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 18);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_afsdb(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 18);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 2);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_AFSDB_18_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
deleted file mode 100644
index 3f89f9dfbdf0..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_AFSDB_18_H
-#define GENERIC_AFSDB_18_H 1
-
-/* $Id: afsdb_18.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
-
-/* RFC 1183 */
-
-typedef struct dns_rdata_afsdb {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t subtype;
- dns_name_t server;
-} dns_rdata_afsdb_t;
-
-#endif /* GENERIC_AFSDB_18_H */
-
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.c b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
deleted file mode 100644
index 81a1aa74d4b6..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/cert_37.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cert_37.c,v 1.40.2.1.2.5 2004/03/08 09:04:40 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
-
-/* RFC 2538 */
-
-#ifndef RDATA_GENERIC_CERT_37_C
-#define RDATA_GENERIC_CERT_37_C
-
-#define RRTYPE_CERT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_cert(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_secalg_t secalg;
- dns_cert_t cert;
-
- REQUIRE(type == 37);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- /*
- * Cert type.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_cert_fromtext(&cert, &token.value.as_textregion));
- RETERR(uint16_tobuffer(cert, target));
-
- /*
- * Key tag.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Algorithm.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secalg_fromtext(&secalg, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &secalg, 1));
-
- return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_cert(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("64000 ")];
- unsigned int n;
-
- REQUIRE(rdata->type == 37);
- REQUIRE(rdata->length != 0);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Type.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- RETERR(dns_cert_totext((dns_cert_t)n, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Key tag.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Algorithm.
- */
- RETERR(dns_secalg_totext(sr.base[0], target));
- isc_region_consume(&sr, 1);
-
- /*
- * Cert.
- */
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_cert(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 37);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 5)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_cert(ARGS_TOWIRE) {
- isc_region_t sr;
-
- REQUIRE(rdata->type == 37);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- dns_rdata_toregion(rdata, &sr);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_cert(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 37);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_cert(ARGS_FROMSTRUCT) {
- dns_rdata_cert_t *cert = source;
-
- REQUIRE(type == 37);
- REQUIRE(source != NULL);
- REQUIRE(cert->common.rdtype == type);
- REQUIRE(cert->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(cert->type, target));
- RETERR(uint16_tobuffer(cert->key_tag, target));
- RETERR(uint8_tobuffer(cert->algorithm, target));
-
- return (mem_tobuffer(target, cert->certificate, cert->length));
-}
-
-static inline isc_result_t
-tostruct_cert(ARGS_TOSTRUCT) {
- dns_rdata_cert_t *cert = target;
- isc_region_t region;
-
- REQUIRE(rdata->type == 37);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- cert->common.rdclass = rdata->rdclass;
- cert->common.rdtype = rdata->type;
- ISC_LINK_INIT(&cert->common, link);
-
- dns_rdata_toregion(rdata, &region);
-
- cert->type = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- cert->key_tag = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- cert->algorithm = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- cert->length = region.length;
-
- cert->certificate = mem_maybedup(mctx, region.base, region.length);
- if (cert->certificate == NULL)
- return (ISC_R_NOMEMORY);
-
- cert->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_cert(ARGS_FREESTRUCT) {
- dns_rdata_cert_t *cert = source;
-
- REQUIRE(cert != NULL);
- REQUIRE(cert->common.rdtype == 37);
-
- if (cert->mctx == NULL)
- return;
-
- if (cert->certificate != NULL)
- isc_mem_free(cert->mctx, cert->certificate);
- cert->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_cert(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 37);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_cert(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 37);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_cert(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 37);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_cert(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 37);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_CERT_37_C */
-
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.h b/contrib/bind9/lib/dns/rdata/generic/cert_37.h
deleted file mode 100644
index 01ae265a2b58..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/cert_37.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cert_37.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
-
-/* RFC 2538 */
-#ifndef GENERIC_CERT_37_H
-#define GENERIC_CERT_37_H 1
-
-typedef struct dns_rdata_cert {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t type;
- isc_uint16_t key_tag;
- isc_uint8_t algorithm;
- isc_uint16_t length;
- unsigned char *certificate;
-} dns_rdata_cert_t;
-
-#endif /* GENERIC_CERT_37_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.c b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
deleted file mode 100644
index 0ce7aa25b0f0..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/cname_5.c
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cname_5.c,v 1.43.206.2 2004/03/06 08:14:03 marka Exp $ */
-
-/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_CNAME_5_C
-#define RDATA_GENERIC_CNAME_5_C
-
-#define RRTYPE_CNAME_ATTRIBUTES \
- (DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON)
-
-static inline isc_result_t
-fromtext_cname(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 5);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_cname(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 5);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_cname(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 5);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_cname(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 5);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_cname(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 5);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_cname(ARGS_FROMSTRUCT) {
- dns_rdata_cname_t *cname = source;
- isc_region_t region;
-
- REQUIRE(type == 5);
- REQUIRE(source != NULL);
- REQUIRE(cname->common.rdtype == type);
- REQUIRE(cname->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&cname->cname, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_cname(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_cname_t *cname = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 5);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- cname->common.rdclass = rdata->rdclass;
- cname->common.rdtype = rdata->type;
- ISC_LINK_INIT(&cname->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&cname->cname, NULL);
- RETERR(name_duporclone(&name, mctx, &cname->cname));
- cname->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_cname(ARGS_FREESTRUCT) {
- dns_rdata_cname_t *cname = source;
-
- REQUIRE(source != NULL);
-
- if (cname->mctx == NULL)
- return;
-
- dns_name_free(&cname->cname, cname->mctx);
- cname->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_cname(ARGS_ADDLDATA) {
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- REQUIRE(rdata->type == 5);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_cname(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 5);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_cname(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 5);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_cname(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 5);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_CNAME_5_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.h b/contrib/bind9/lib/dns/rdata/generic/cname_5.h
deleted file mode 100644
index 2efee443ef7d..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/cname_5.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cname_5.h,v 1.23.206.1 2004/03/06 08:14:04 marka Exp $ */
-
-#ifndef GENERIC_CNAME_5_H
-#define GENERIC_CNAME_5_H 1
-
-typedef struct dns_rdata_cname {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t cname;
-} dns_rdata_cname_t;
-
-#endif /* GENERIC_CNAME_5_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_65323.c b/contrib/bind9/lib/dns/rdata/generic/dlv_65323.c
deleted file mode 100644
index 2d91758b1baa..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/dlv_65323.c
+++ /dev/null
@@ -1,281 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dlv_65323.c,v 1.2.2.4 2004/03/16 12:38:14 marka Exp $ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-
-#ifndef RDATA_GENERIC_DLV_65323_C
-#define RDATA_GENERIC_DLV_65323_C
-
-#define RRTYPE_DLV_ATTRIBUTES 0
-
-static inline isc_result_t
-fromtext_dlv(ARGS_FROMTEXT) {
- isc_token_t token;
-
- REQUIRE(type == 65323);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- /*
- * Key tag.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Algorithm.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
- /*
- * Digest type.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint8_tobuffer(token.value.as_ulong, target));
- type = (isc_uint16_t) token.value.as_ulong;
-
- /*
- * Digest.
- */
- return (isc_hex_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_dlv(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("64000 ")];
- unsigned int n;
-
- REQUIRE(rdata->type == 65323);
- REQUIRE(rdata->length != 0);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Key tag.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Algorithm.
- */
- n = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Digest type.
- */
- n = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
- sprintf(buf, "%u", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Digest.
- */
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_dlv(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 65323);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_dlv(ARGS_TOWIRE) {
- isc_region_t sr;
-
- REQUIRE(rdata->type == 65323);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- dns_rdata_toregion(rdata, &sr);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_dlv(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 65323);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_dlv(ARGS_FROMSTRUCT) {
- dns_rdata_dlv_t *dlv = source;
-
- REQUIRE(type == 65323);
- REQUIRE(source != NULL);
- REQUIRE(dlv->common.rdtype == type);
- REQUIRE(dlv->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(dlv->key_tag, target));
- RETERR(uint8_tobuffer(dlv->algorithm, target));
- RETERR(uint8_tobuffer(dlv->digest_type, target));
-
- return (mem_tobuffer(target, dlv->digest, dlv->length));
-}
-
-static inline isc_result_t
-tostruct_dlv(ARGS_TOSTRUCT) {
- dns_rdata_dlv_t *dlv = target;
- isc_region_t region;
-
- REQUIRE(rdata->type == 65323);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- dlv->common.rdclass = rdata->rdclass;
- dlv->common.rdtype = rdata->type;
- ISC_LINK_INIT(&dlv->common, link);
-
- dns_rdata_toregion(rdata, &region);
-
- dlv->key_tag = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- dlv->algorithm = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- dlv->digest_type = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- dlv->length = region.length;
-
- dlv->digest = mem_maybedup(mctx, region.base, region.length);
- if (dlv->digest == NULL)
- return (ISC_R_NOMEMORY);
-
- dlv->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_dlv(ARGS_FREESTRUCT) {
- dns_rdata_dlv_t *dlv = source;
-
- REQUIRE(dlv != NULL);
- REQUIRE(dlv->common.rdtype == 65323);
-
- if (dlv->mctx == NULL)
- return;
-
- if (dlv->digest != NULL)
- isc_mem_free(dlv->mctx, dlv->digest);
- dlv->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_dlv(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 65323);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_dlv(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 65323);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_dlv(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 65323);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_dlv(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 65323);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_DLV_65323_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_65323.h b/contrib/bind9/lib/dns/rdata/generic/dlv_65323.h
deleted file mode 100644
index 689fd4b33e50..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/dlv_65323.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dlv_65323.h,v 1.2.2.3 2004/03/15 01:02:55 marka Exp $ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-#ifndef GENERIC_DLV_65323_H
-#define GENERIC_DLV_65323_H 1
-
-typedef struct dns_rdata_dlv {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t key_tag;
- isc_uint8_t algorithm;
- isc_uint8_t digest_type;
- isc_uint16_t length;
- unsigned char *digest;
-} dns_rdata_dlv_t;
-
-#endif /* GENERIC_DLV_65323_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.c b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
deleted file mode 100644
index b532f2ea178d..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/dname_39.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dname_39.c,v 1.34.206.2 2004/03/06 08:14:04 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
-
-/* RFC2672 */
-
-#ifndef RDATA_GENERIC_DNAME_39_C
-#define RDATA_GENERIC_DNAME_39_C
-
-#define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
-
-static inline isc_result_t
-fromtext_dname(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 39);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_dname(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 39);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_dname(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 39);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
- return(dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_dname(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 39);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_dname(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 39);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_dname(ARGS_FROMSTRUCT) {
- dns_rdata_dname_t *dname = source;
- isc_region_t region;
-
- REQUIRE(type == 39);
- REQUIRE(source != NULL);
- REQUIRE(dname->common.rdtype == type);
- REQUIRE(dname->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&dname->dname, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_dname(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_dname_t *dname = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 39);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- dname->common.rdclass = rdata->rdclass;
- dname->common.rdtype = rdata->type;
- ISC_LINK_INIT(&dname->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&dname->dname, NULL);
- RETERR(name_duporclone(&name, mctx, &dname->dname));
- dname->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_dname(ARGS_FREESTRUCT) {
- dns_rdata_dname_t *dname = source;
-
- REQUIRE(source != NULL);
- REQUIRE(dname->common.rdtype == 39);
-
- if (dname->mctx == NULL)
- return;
-
- dns_name_free(&dname->dname, dname->mctx);
- dname->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_dname(ARGS_ADDLDATA) {
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- REQUIRE(rdata->type == 39);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_dname(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 39);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_dname(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 39);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_dname(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 39);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_DNAME_39_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.h b/contrib/bind9/lib/dns/rdata/generic/dname_39.h
deleted file mode 100644
index a1b2192daa20..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/dname_39.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNAME_39_H
-#define GENERIC_DNAME_39_H 1
-
-/* $Id: dname_39.h,v 1.16.206.1 2004/03/06 08:14:04 marka Exp $ */
-
-/* RFC2672 */
-
-typedef struct dns_rdata_dname {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t dname;
-} dns_rdata_dname_t;
-
-#endif /* GENERIC_DNAME_39_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
deleted file mode 100644
index 5cf58d54d189..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dnskey_48.c,v 1.4.2.1 2004/03/08 02:08:02 marka Exp $ */
-
-/*
- * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
- */
-
-/* RFC 2535 */
-
-#ifndef RDATA_GENERIC_DNSKEY_48_C
-#define RDATA_GENERIC_DNSKEY_48_C
-
-#include <dst/dst.h>
-
-#define RRTYPE_DNSKEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_dnskey(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_secalg_t alg;
- dns_secproto_t proto;
- dns_keyflags_t flags;
-
- REQUIRE(type == 48);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- /* flags */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
- RETERR(uint16_tobuffer(flags, target));
-
- /* protocol */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &proto, 1));
-
- /* algorithm */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &alg, 1));
-
- /* No Key? */
- if ((flags & 0xc000) == 0xc000)
- return (ISC_R_SUCCESS);
-
- return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_dnskey(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("64000")];
- unsigned int flags;
- unsigned char algorithm;
-
- REQUIRE(rdata->type == 48);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
-
- /* flags */
- flags = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u", flags);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /* protocol */
- sprintf(buf, "%u", sr.base[0]);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /* algorithm */
- algorithm = sr.base[0];
- sprintf(buf, "%u", algorithm);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
-
- /* No Key? */
- if ((flags & 0xc000) == 0xc000)
- return (ISC_R_SUCCESS);
-
- /* key */
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
-
- if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0)
- RETERR(str_totext(tctx->linebreak, target));
- else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" ", target));
-
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(")", target));
-
- if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0) {
- isc_region_t tmpr;
-
- RETERR(str_totext(" ; key id = ", target));
- dns_rdata_toregion(rdata, &tmpr);
- sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
- RETERR(str_totext(buf, target));
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_dnskey(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 48);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_dnskey(ARGS_TOWIRE) {
- isc_region_t sr;
-
- REQUIRE(rdata->type == 48);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- dns_rdata_toregion(rdata, &sr);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_dnskey(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 48);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_dnskey(ARGS_FROMSTRUCT) {
- dns_rdata_dnskey_t *dnskey = source;
-
- REQUIRE(type == 48);
- REQUIRE(source != NULL);
- REQUIRE(dnskey->common.rdtype == type);
- REQUIRE(dnskey->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- /* Flags */
- RETERR(uint16_tobuffer(dnskey->flags, target));
-
- /* Protocol */
- RETERR(uint8_tobuffer(dnskey->protocol, target));
-
- /* Algorithm */
- RETERR(uint8_tobuffer(dnskey->algorithm, target));
-
- /* Data */
- return (mem_tobuffer(target, dnskey->data, dnskey->datalen));
-}
-
-static inline isc_result_t
-tostruct_dnskey(ARGS_TOSTRUCT) {
- dns_rdata_dnskey_t *dnskey = target;
- isc_region_t sr;
-
- REQUIRE(rdata->type == 48);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- dnskey->common.rdclass = rdata->rdclass;
- dnskey->common.rdtype = rdata->type;
- ISC_LINK_INIT(&dnskey->common, link);
-
- dns_rdata_toregion(rdata, &sr);
-
- /* Flags */
- if (sr.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- dnskey->flags = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /* Protocol */
- if (sr.length < 1)
- return (ISC_R_UNEXPECTEDEND);
- dnskey->protocol = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /* Algorithm */
- if (sr.length < 1)
- return (ISC_R_UNEXPECTEDEND);
- dnskey->algorithm = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /* Data */
- dnskey->datalen = sr.length;
- dnskey->data = mem_maybedup(mctx, sr.base, dnskey->datalen);
- if (dnskey->data == NULL)
- return (ISC_R_NOMEMORY);
-
- dnskey->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_dnskey(ARGS_FREESTRUCT) {
- dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *) source;
-
- REQUIRE(source != NULL);
- REQUIRE(dnskey->common.rdtype == 48);
-
- if (dnskey->mctx == NULL)
- return;
-
- if (dnskey->data != NULL)
- isc_mem_free(dnskey->mctx, dnskey->data);
- dnskey->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_dnskey(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 48);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_dnskey(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 48);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_dnskey(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 48);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_dnskey(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 48);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_DNSKEY_48_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
deleted file mode 100644
index 4dd71d2101e4..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNSKEY_48_H
-#define GENERIC_DNSKEY_48_H 1
-
-/* $Id: dnskey_48.h,v 1.3.2.1 2004/03/08 02:08:02 marka Exp $ */
-
-/* RFC 2535 */
-
-typedef struct dns_rdata_dnskey {
- dns_rdatacommon_t common;
- isc_mem_t * mctx;
- isc_uint16_t flags;
- isc_uint8_t protocol;
- isc_uint8_t algorithm;
- isc_uint16_t datalen;
- unsigned char * data;
-} dns_rdata_dnskey_t;
-
-
-#endif /* GENERIC_DNSKEY_48_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.c b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
deleted file mode 100644
index 0206b6f06c22..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/ds_43.c
+++ /dev/null
@@ -1,283 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds_43.c,v 1.6.2.4 2005/09/06 07:29:31 marka Exp $ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-
-#ifndef RDATA_GENERIC_DS_43_C
-#define RDATA_GENERIC_DS_43_C
-
-#define RRTYPE_DS_ATTRIBUTES \
- (DNS_RDATATYPEATTR_DNSSEC|DNS_RDATATYPEATTR_ATPARENT)
-
-static inline isc_result_t
-fromtext_ds(ARGS_FROMTEXT) {
- isc_token_t token;
- unsigned char c;
-
- REQUIRE(type == 43);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- /*
- * Key tag.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Algorithm.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &c, 1));
-
- /*
- * Digest type.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint8_tobuffer(token.value.as_ulong, target));
- type = (isc_uint16_t) token.value.as_ulong;
-
- /*
- * Digest.
- */
- return (isc_hex_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_ds(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("64000 ")];
- unsigned int n;
-
- REQUIRE(rdata->type == 43);
- REQUIRE(rdata->length != 0);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Key tag.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Algorithm.
- */
- n = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Digest type.
- */
- n = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
- sprintf(buf, "%u", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Digest.
- */
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_ds(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 43);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_ds(ARGS_TOWIRE) {
- isc_region_t sr;
-
- REQUIRE(rdata->type == 43);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- dns_rdata_toregion(rdata, &sr);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_ds(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 43);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_ds(ARGS_FROMSTRUCT) {
- dns_rdata_ds_t *ds = source;
-
- REQUIRE(type == 43);
- REQUIRE(source != NULL);
- REQUIRE(ds->common.rdtype == type);
- REQUIRE(ds->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(ds->key_tag, target));
- RETERR(uint8_tobuffer(ds->algorithm, target));
- RETERR(uint8_tobuffer(ds->digest_type, target));
-
- return (mem_tobuffer(target, ds->digest, ds->length));
-}
-
-static inline isc_result_t
-tostruct_ds(ARGS_TOSTRUCT) {
- dns_rdata_ds_t *ds = target;
- isc_region_t region;
-
- REQUIRE(rdata->type == 43);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- ds->common.rdclass = rdata->rdclass;
- ds->common.rdtype = rdata->type;
- ISC_LINK_INIT(&ds->common, link);
-
- dns_rdata_toregion(rdata, &region);
-
- ds->key_tag = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- ds->algorithm = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- ds->digest_type = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- ds->length = region.length;
-
- ds->digest = mem_maybedup(mctx, region.base, region.length);
- if (ds->digest == NULL)
- return (ISC_R_NOMEMORY);
-
- ds->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ds(ARGS_FREESTRUCT) {
- dns_rdata_ds_t *ds = source;
-
- REQUIRE(ds != NULL);
- REQUIRE(ds->common.rdtype == 43);
-
- if (ds->mctx == NULL)
- return;
-
- if (ds->digest != NULL)
- isc_mem_free(ds->mctx, ds->digest);
- ds->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ds(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 43);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_ds(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 43);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_ds(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 43);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_ds(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 43);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_DS_43_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.h b/contrib/bind9/lib/dns/rdata/generic/ds_43.h
deleted file mode 100644
index cd4a5ca9964a..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/ds_43.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ds_43.h,v 1.3.2.1 2004/03/08 02:08:03 marka Exp $ */
-
-/* draft-ietf-dnsext-delegation-signer-05.txt */
-#ifndef GENERIC_DS_43_H
-#define GENERIC_DS_43_H 1
-
-typedef struct dns_rdata_ds {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t key_tag;
- isc_uint8_t algorithm;
- isc_uint8_t digest_type;
- isc_uint16_t length;
- unsigned char *digest;
-} dns_rdata_ds_t;
-
-#endif /* GENERIC_DS_43_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
deleted file mode 100644
index 1768f171f064..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gpos_27.c,v 1.32.12.5 2004/03/08 09:04:40 marka Exp $ */
-
-/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
-
-/* RFC 1712 */
-
-#ifndef RDATA_GENERIC_GPOS_27_C
-#define RDATA_GENERIC_GPOS_27_C
-
-#define RRTYPE_GPOS_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_gpos(ARGS_FROMTEXT) {
- isc_token_t token;
- int i;
-
- REQUIRE(type == 27);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- for (i = 0; i < 3; i++) {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_qstring,
- ISC_FALSE));
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_gpos(ARGS_TOTEXT) {
- isc_region_t region;
- int i;
-
- REQUIRE(rdata->type == 27);
- REQUIRE(rdata->length != 0);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &region);
-
- for (i = 0; i < 3; i++) {
- RETERR(txt_totext(&region, target));
- if (i != 2)
- RETERR(str_totext(" ", target));
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_gpos(ARGS_FROMWIRE) {
- int i;
-
- REQUIRE(type == 27);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(rdclass);
- UNUSED(options);
-
- for (i = 0; i < 3; i++)
- RETERR(txt_fromwire(source, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_gpos(ARGS_TOWIRE) {
-
- REQUIRE(rdata->type == 27);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_gpos(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 27);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_gpos(ARGS_FROMSTRUCT) {
- dns_rdata_gpos_t *gpos = source;
-
- REQUIRE(type == 27);
- REQUIRE(source != NULL);
- REQUIRE(gpos->common.rdtype == type);
- REQUIRE(gpos->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint8_tobuffer(gpos->long_len, target));
- RETERR(mem_tobuffer(target, gpos->longitude, gpos->long_len));
- RETERR(uint8_tobuffer(gpos->lat_len, target));
- RETERR(mem_tobuffer(target, gpos->latitude, gpos->lat_len));
- RETERR(uint8_tobuffer(gpos->alt_len, target));
- return (mem_tobuffer(target, gpos->altitude, gpos->alt_len));
-}
-
-static inline isc_result_t
-tostruct_gpos(ARGS_TOSTRUCT) {
- dns_rdata_gpos_t *gpos = target;
- isc_region_t region;
-
- REQUIRE(rdata->type == 27);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- gpos->common.rdclass = rdata->rdclass;
- gpos->common.rdtype = rdata->type;
- ISC_LINK_INIT(&gpos->common, link);
-
- dns_rdata_toregion(rdata, &region);
- gpos->long_len = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- gpos->longitude = mem_maybedup(mctx, region.base, gpos->long_len);
- if (gpos->longitude == NULL)
- return (ISC_R_NOMEMORY);
- isc_region_consume(&region, gpos->long_len);
-
- gpos->lat_len = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- gpos->latitude = mem_maybedup(mctx, region.base, gpos->lat_len);
- if (gpos->latitude == NULL)
- goto cleanup_longitude;
- isc_region_consume(&region, gpos->lat_len);
-
- gpos->alt_len = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- if (gpos->lat_len > 0) {
- gpos->altitude =
- mem_maybedup(mctx, region.base, gpos->alt_len);
- if (gpos->altitude == NULL)
- goto cleanup_latitude;
- } else
- gpos->altitude = NULL;
-
- gpos->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup_latitude:
- if (mctx != NULL && gpos->longitude != NULL)
- isc_mem_free(mctx, gpos->longitude);
-
- cleanup_longitude:
- if (mctx != NULL && gpos->latitude != NULL)
- isc_mem_free(mctx, gpos->latitude);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_gpos(ARGS_FREESTRUCT) {
- dns_rdata_gpos_t *gpos = source;
-
- REQUIRE(source != NULL);
- REQUIRE(gpos->common.rdtype == 27);
-
- if (gpos->mctx == NULL)
- return;
-
- if (gpos->longitude != NULL)
- isc_mem_free(gpos->mctx, gpos->longitude);
- if (gpos->latitude != NULL)
- isc_mem_free(gpos->mctx, gpos->latitude);
- if (gpos->altitude != NULL)
- isc_mem_free(gpos->mctx, gpos->altitude);
- gpos->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_gpos(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 27);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_gpos(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 27);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_gpos(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 27);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_gpos(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 27);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_GPOS_27_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.h b/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
deleted file mode 100644
index 6f9ed3756910..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_GPOS_27_H
-#define GENERIC_GPOS_27_H 1
-
-/* $Id: gpos_27.h,v 1.12.206.1 2004/03/06 08:14:04 marka Exp $ */
-
-/* RFC 1712 */
-
-typedef struct dns_rdata_gpos {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- char *longitude;
- char *latitude;
- char *altitude;
- isc_uint8_t long_len;
- isc_uint8_t lat_len;
- isc_uint8_t alt_len;
-} dns_rdata_gpos_t;
-
-#endif /* GENERIC_GPOS_27_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
deleted file mode 100644
index e432ce57ec0e..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hinfo_13.c,v 1.37.12.5 2004/03/08 09:04:40 marka Exp $ */
-
-/*
- * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
- */
-
-#ifndef RDATA_GENERIC_HINFO_13_C
-#define RDATA_GENERIC_HINFO_13_C
-
-#define RRTYPE_HINFO_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_hinfo(ARGS_FROMTEXT) {
- isc_token_t token;
- int i;
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- REQUIRE(type == 13);
-
- for (i = 0; i < 2; i++) {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_qstring,
- ISC_FALSE));
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_hinfo(ARGS_TOTEXT) {
- isc_region_t region;
-
- UNUSED(tctx);
-
- REQUIRE(rdata->type == 13);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &region);
- RETERR(txt_totext(&region, target));
- RETERR(str_totext(" ", target));
- return (txt_totext(&region, target));
-}
-
-static inline isc_result_t
-fromwire_hinfo(ARGS_FROMWIRE) {
-
- REQUIRE(type == 13);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(rdclass);
- UNUSED(options);
-
- RETERR(txt_fromwire(source, target));
- return (txt_fromwire(source, target));
-}
-
-static inline isc_result_t
-towire_hinfo(ARGS_TOWIRE) {
-
- UNUSED(cctx);
-
- REQUIRE(rdata->type == 13);
- REQUIRE(rdata->length != 0);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_hinfo(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 13);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_hinfo(ARGS_FROMSTRUCT) {
- dns_rdata_hinfo_t *hinfo = source;
-
- REQUIRE(type == 13);
- REQUIRE(source != NULL);
- REQUIRE(hinfo->common.rdtype == type);
- REQUIRE(hinfo->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint8_tobuffer(hinfo->cpu_len, target));
- RETERR(mem_tobuffer(target, hinfo->cpu, hinfo->cpu_len));
- RETERR(uint8_tobuffer(hinfo->os_len, target));
- return (mem_tobuffer(target, hinfo->os, hinfo->os_len));
-}
-
-static inline isc_result_t
-tostruct_hinfo(ARGS_TOSTRUCT) {
- dns_rdata_hinfo_t *hinfo = target;
- isc_region_t region;
-
- REQUIRE(rdata->type == 13);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- hinfo->common.rdclass = rdata->rdclass;
- hinfo->common.rdtype = rdata->type;
- ISC_LINK_INIT(&hinfo->common, link);
-
- dns_rdata_toregion(rdata, &region);
- hinfo->cpu_len = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- hinfo->cpu = mem_maybedup(mctx, region.base, hinfo->cpu_len);
- if (hinfo->cpu == NULL)
- return (ISC_R_NOMEMORY);
- isc_region_consume(&region, hinfo->cpu_len);
-
- hinfo->os_len = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- hinfo->os = mem_maybedup(mctx, region.base, hinfo->os_len);
- if (hinfo->os == NULL)
- goto cleanup;
-
- hinfo->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL && hinfo->cpu != NULL)
- isc_mem_free(mctx, hinfo->cpu);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_hinfo(ARGS_FREESTRUCT) {
- dns_rdata_hinfo_t *hinfo = source;
-
- REQUIRE(source != NULL);
-
- if (hinfo->mctx == NULL)
- return;
-
- if (hinfo->cpu != NULL)
- isc_mem_free(hinfo->mctx, hinfo->cpu);
- if (hinfo->os != NULL)
- isc_mem_free(hinfo->mctx, hinfo->os);
- hinfo->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_hinfo(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 13);
-
- UNUSED(add);
- UNUSED(arg);
- UNUSED(rdata);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_hinfo(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 13);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_hinfo(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 13);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_hinfo(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 13);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_HINFO_13_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
deleted file mode 100644
index 61cbdd725113..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_HINFO_13_H
-#define GENERIC_HINFO_13_H 1
-
-/* $Id: hinfo_13.h,v 1.22.206.1 2004/03/06 08:14:05 marka Exp $ */
-
-typedef struct dns_rdata_hinfo {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- char *cpu;
- char *os;
- isc_uint8_t cpu_len;
- isc_uint8_t os_len;
-} dns_rdata_hinfo_t;
-
-#endif /* GENERIC_HINFO_13_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
deleted file mode 100644
index cc141578dde6..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: isdn_20.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
-
-/* RFC 1183 */
-
-#ifndef RDATA_GENERIC_ISDN_20_C
-#define RDATA_GENERIC_ISDN_20_C
-
-#define RRTYPE_ISDN_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_isdn(ARGS_FROMTEXT) {
- isc_token_t token;
-
- REQUIRE(type == 20);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- /* ISDN-address */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
- ISC_FALSE));
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
-
- /* sa: optional */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
- ISC_TRUE));
- if (token.type != isc_tokentype_string &&
- token.type != isc_tokentype_qstring) {
- isc_lex_ungettoken(lexer, &token);
- return (ISC_R_SUCCESS);
- }
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_isdn(ARGS_TOTEXT) {
- isc_region_t region;
-
- REQUIRE(rdata->type == 20);
- REQUIRE(rdata->length != 0);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &region);
- RETERR(txt_totext(&region, target));
- if (region.length == 0)
- return (ISC_R_SUCCESS);
- RETERR(str_totext(" ", target));
- return (txt_totext(&region, target));
-}
-
-static inline isc_result_t
-fromwire_isdn(ARGS_FROMWIRE) {
- REQUIRE(type == 20);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(rdclass);
- UNUSED(options);
-
- RETERR(txt_fromwire(source, target));
- if (buffer_empty(source))
- return (ISC_R_SUCCESS);
- return (txt_fromwire(source, target));
-}
-
-static inline isc_result_t
-towire_isdn(ARGS_TOWIRE) {
- UNUSED(cctx);
-
- REQUIRE(rdata->type == 20);
- REQUIRE(rdata->length != 0);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_isdn(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 20);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_isdn(ARGS_FROMSTRUCT) {
- dns_rdata_isdn_t *isdn = source;
-
- REQUIRE(type == 20);
- REQUIRE(source != NULL);
- REQUIRE(isdn->common.rdtype == type);
- REQUIRE(isdn->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint8_tobuffer(isdn->isdn_len, target));
- RETERR(mem_tobuffer(target, isdn->isdn, isdn->isdn_len));
- RETERR(uint8_tobuffer(isdn->subaddress_len, target));
- return (mem_tobuffer(target, isdn->subaddress, isdn->subaddress_len));
-}
-
-static inline isc_result_t
-tostruct_isdn(ARGS_TOSTRUCT) {
- dns_rdata_isdn_t *isdn = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 20);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- isdn->common.rdclass = rdata->rdclass;
- isdn->common.rdtype = rdata->type;
- ISC_LINK_INIT(&isdn->common, link);
-
- dns_rdata_toregion(rdata, &r);
-
- isdn->isdn_len = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- isdn->isdn = mem_maybedup(mctx, r.base, isdn->isdn_len);
- if (isdn->isdn == NULL)
- return (ISC_R_NOMEMORY);
- isc_region_consume(&r, isdn->isdn_len);
-
- isdn->subaddress_len = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- isdn->subaddress = mem_maybedup(mctx, r.base, isdn->subaddress_len);
- if (isdn->subaddress == NULL)
- goto cleanup;
-
- isdn->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL && isdn->isdn != NULL)
- isc_mem_free(mctx, isdn->isdn);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_isdn(ARGS_FREESTRUCT) {
- dns_rdata_isdn_t *isdn = source;
-
- REQUIRE(source != NULL);
-
- if (isdn->mctx == NULL)
- return;
-
- if (isdn->isdn != NULL)
- isc_mem_free(isdn->mctx, isdn->isdn);
- if (isdn->subaddress != NULL)
- isc_mem_free(isdn->mctx, isdn->subaddress);
- isdn->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_isdn(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 20);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_isdn(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 20);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_isdn(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 20);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_isdn(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 20);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_ISDN_20_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.h b/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
deleted file mode 100644
index 3a63971ffb34..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_ISDN_20_H
-#define GENERIC_ISDN_20_H 1
-
-/* $Id: isdn_20.h,v 1.13.206.1 2004/03/06 08:14:05 marka Exp $ */
-
-/* RFC 1183 */
-
-typedef struct dns_rdata_isdn {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- char *isdn;
- char *subaddress;
- isc_uint8_t isdn_len;
- isc_uint8_t subaddress_len;
-} dns_rdata_isdn_t;
-
-#endif /* GENERIC_ISDN_20_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.c b/contrib/bind9/lib/dns/rdata/generic/key_25.c
deleted file mode 100644
index defbe6df6ba0..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/key_25.c
+++ /dev/null
@@ -1,312 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: key_25.c,v 1.41.12.7 2004/03/08 09:04:41 marka Exp $ */
-
-/*
- * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
- */
-
-/* RFC 2535 */
-
-#ifndef RDATA_GENERIC_KEY_25_C
-#define RDATA_GENERIC_KEY_25_C
-
-#include <dst/dst.h>
-
-#define RRTYPE_KEY_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_key(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_secalg_t alg;
- dns_secproto_t proto;
- dns_keyflags_t flags;
-
- REQUIRE(type == 25);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- /* flags */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
- RETERR(uint16_tobuffer(flags, target));
-
- /* protocol */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &proto, 1));
-
- /* algorithm */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &alg, 1));
-
- /* No Key? */
- if ((flags & 0xc000) == 0xc000)
- return (ISC_R_SUCCESS);
-
- return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_key(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("64000")];
- unsigned int flags;
- unsigned char algorithm;
-
- REQUIRE(rdata->type == 25);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
-
- /* flags */
- flags = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%u", flags);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /* protocol */
- sprintf(buf, "%u", sr.base[0]);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /* algorithm */
- algorithm = sr.base[0];
- sprintf(buf, "%u", algorithm);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
-
- /* No Key? */
- if ((flags & 0xc000) == 0xc000)
- return (ISC_R_SUCCESS);
-
- /* key */
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
-
- if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0)
- RETERR(str_totext(tctx->linebreak, target));
- else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" ", target));
-
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(")", target));
-
- if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0) {
- isc_region_t tmpr;
-
- RETERR(str_totext(" ; key id = ", target));
- dns_rdata_toregion(rdata, &tmpr);
- sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
- RETERR(str_totext(buf, target));
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_key(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 25);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_key(ARGS_TOWIRE) {
- isc_region_t sr;
-
- REQUIRE(rdata->type == 25);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- dns_rdata_toregion(rdata, &sr);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_key(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 25);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_key(ARGS_FROMSTRUCT) {
- dns_rdata_key_t *key = source;
-
- REQUIRE(type == 25);
- REQUIRE(source != NULL);
- REQUIRE(key->common.rdtype == type);
- REQUIRE(key->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- /* Flags */
- RETERR(uint16_tobuffer(key->flags, target));
-
- /* Protocol */
- RETERR(uint8_tobuffer(key->protocol, target));
-
- /* Algorithm */
- RETERR(uint8_tobuffer(key->algorithm, target));
-
- /* Data */
- return (mem_tobuffer(target, key->data, key->datalen));
-}
-
-static inline isc_result_t
-tostruct_key(ARGS_TOSTRUCT) {
- dns_rdata_key_t *key = target;
- isc_region_t sr;
-
- REQUIRE(rdata->type == 25);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- key->common.rdclass = rdata->rdclass;
- key->common.rdtype = rdata->type;
- ISC_LINK_INIT(&key->common, link);
-
- dns_rdata_toregion(rdata, &sr);
-
- /* Flags */
- if (sr.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- key->flags = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /* Protocol */
- if (sr.length < 1)
- return (ISC_R_UNEXPECTEDEND);
- key->protocol = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /* Algorithm */
- if (sr.length < 1)
- return (ISC_R_UNEXPECTEDEND);
- key->algorithm = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /* Data */
- key->datalen = sr.length;
- key->data = mem_maybedup(mctx, sr.base, key->datalen);
- if (key->data == NULL)
- return (ISC_R_NOMEMORY);
-
- key->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_key(ARGS_FREESTRUCT) {
- dns_rdata_key_t *key = (dns_rdata_key_t *) source;
-
- REQUIRE(source != NULL);
- REQUIRE(key->common.rdtype == 25);
-
- if (key->mctx == NULL)
- return;
-
- if (key->data != NULL)
- isc_mem_free(key->mctx, key->data);
- key->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_key(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 25);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_key(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 25);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_key(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 25);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_key(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 25);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_KEY_25_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.h b/contrib/bind9/lib/dns/rdata/generic/key_25.h
deleted file mode 100644
index e192a1ba9524..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/key_25.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_KEY_25_H
-#define GENERIC_KEY_25_H 1
-
-/* $Id: key_25.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
-
-/* RFC 2535 */
-
-typedef struct dns_rdata_key_t {
- dns_rdatacommon_t common;
- isc_mem_t * mctx;
- isc_uint16_t flags;
- isc_uint8_t protocol;
- isc_uint8_t algorithm;
- isc_uint16_t datalen;
- unsigned char * data;
-} dns_rdata_key_t;
-
-
-#endif /* GENERIC_KEY_25_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.c b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
deleted file mode 100644
index 28003ab3486a..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/loc_29.c
+++ /dev/null
@@ -1,794 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: loc_29.c,v 1.30.2.3.2.6 2004/03/06 08:14:06 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
-
-/* RFC 1876 */
-
-#ifndef RDATA_GENERIC_LOC_29_C
-#define RDATA_GENERIC_LOC_29_C
-
-#define RRTYPE_LOC_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_loc(ARGS_FROMTEXT) {
- isc_token_t token;
- int d1, m1, s1;
- int d2, m2, s2;
- unsigned char size;
- unsigned char hp;
- unsigned char vp;
- unsigned char version;
- isc_boolean_t east = ISC_FALSE;
- isc_boolean_t north = ISC_FALSE;
- long tmp;
- long m;
- long cm;
- long poweroften[8] = { 1, 10, 100, 1000,
- 10000, 100000, 1000000, 10000000 };
- int man;
- int exp;
- char *e;
- int i;
- unsigned long latitude;
- unsigned long longitude;
- unsigned long altitude;
-
- REQUIRE(type == 29);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
-
- /*
- * Defaults.
- */
- m1 = s1 = 0;
- m2 = s2 = 0;
- size = 0x12; /* 1.00m */
- hp = 0x16; /* 10000.00 m */
- vp = 0x13; /* 10.00 m */
- version = 0;
-
- /*
- * Degrees.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 90U)
- RETTOK(ISC_R_RANGE);
- d1 = (int)token.value.as_ulong;
- /*
- * Minutes.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (strcasecmp(DNS_AS_STR(token), "N") == 0)
- north = ISC_TRUE;
- if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
- goto getlong;
- m1 = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0)
- RETTOK(DNS_R_SYNTAX);
- if (m1 < 0 || m1 > 59)
- RETTOK(ISC_R_RANGE);
- if (d1 == 90 && m1 != 0)
- RETTOK(ISC_R_RANGE);
-
- /*
- * Seconds.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (strcasecmp(DNS_AS_STR(token), "N") == 0)
- north = ISC_TRUE;
- if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
- goto getlong;
- s1 = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0 && *e != '.')
- RETTOK(DNS_R_SYNTAX);
- if (s1 < 0 || s1 > 59)
- RETTOK(ISC_R_RANGE);
- if (*e == '.') {
- const char *l;
- e++;
- for (i = 0; i < 3; i++) {
- if (*e == 0)
- break;
- if ((tmp = decvalue(*e++)) < 0)
- RETTOK(DNS_R_SYNTAX);
- s1 *= 10;
- s1 += tmp;
- }
- for (; i < 3; i++)
- s1 *= 10;
- l = e;
- while (*e != 0) {
- if (decvalue(*e++) < 0)
- RETTOK(DNS_R_SYNTAX);
- }
- if (*l != '\0' && callbacks != NULL) {
- const char *file = isc_lex_getsourcename(lexer);
- unsigned long line = isc_lex_getsourceline(lexer);
-
- if (file == NULL)
- file = "UNKNOWN";
- (*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
- "precision digits ignored",
- "dns_rdata_fromtext", file, line,
- DNS_AS_STR(token));
- }
- } else
- s1 *= 1000;
- if (d1 == 90 && s1 != 0)
- RETTOK(ISC_R_RANGE);
-
- /*
- * Direction.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (strcasecmp(DNS_AS_STR(token), "N") == 0)
- north = ISC_TRUE;
- if (!north && strcasecmp(DNS_AS_STR(token), "S") != 0)
- RETTOK(DNS_R_SYNTAX);
-
- getlong:
- /*
- * Degrees.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 180U)
- RETTOK(ISC_R_RANGE);
- d2 = (int)token.value.as_ulong;
-
- /*
- * Minutes.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (strcasecmp(DNS_AS_STR(token), "E") == 0)
- east = ISC_TRUE;
- if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
- goto getalt;
- m2 = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0)
- RETTOK(DNS_R_SYNTAX);
- if (m2 < 0 || m2 > 59)
- RETTOK(ISC_R_RANGE);
- if (d2 == 180 && m2 != 0)
- RETTOK(ISC_R_RANGE);
-
- /*
- * Seconds.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (strcasecmp(DNS_AS_STR(token), "E") == 0)
- east = ISC_TRUE;
- if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
- goto getalt;
- s2 = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0 && *e != '.')
- RETTOK(DNS_R_SYNTAX);
- if (s2 < 0 || s2 > 59)
- RETTOK(ISC_R_RANGE);
- if (*e == '.') {
- const char *l;
- e++;
- for (i = 0; i < 3; i++) {
- if (*e == 0)
- break;
- if ((tmp = decvalue(*e++)) < 0)
- RETTOK(DNS_R_SYNTAX);
- s2 *= 10;
- s2 += tmp;
- }
- for (; i < 3; i++)
- s2 *= 10;
- l = e;
- while (*e != 0) {
- if (decvalue(*e++) < 0)
- RETTOK(DNS_R_SYNTAX);
- }
- if (*l != '\0' && callbacks != NULL) {
- const char *file = isc_lex_getsourcename(lexer);
- unsigned long line = isc_lex_getsourceline(lexer);
-
- if (file == NULL)
- file = "UNKNOWN";
- (*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
- "precision digits ignored",
- "dns_rdata_fromtext",
- file, line, DNS_AS_STR(token));
- }
- } else
- s2 *= 1000;
- if (d2 == 180 && s2 != 0)
- RETTOK(ISC_R_RANGE);
-
- /*
- * Direction.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (strcasecmp(DNS_AS_STR(token), "E") == 0)
- east = ISC_TRUE;
- if (!east && strcasecmp(DNS_AS_STR(token), "W") != 0)
- RETTOK(DNS_R_SYNTAX);
-
- getalt:
- /*
- * Altitude.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- m = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0 && *e != '.' && *e != 'm')
- RETTOK(DNS_R_SYNTAX);
- if (m < -100000 || m > 42849672)
- RETTOK(ISC_R_RANGE);
- cm = 0;
- if (*e == '.') {
- e++;
- for (i = 0; i < 2; i++) {
- if (*e == 0 || *e == 'm')
- break;
- if ((tmp = decvalue(*e++)) < 0)
- return (DNS_R_SYNTAX);
- cm *= 10;
- if (m < 0)
- cm -= tmp;
- else
- cm += tmp;
- }
- for (; i < 2; i++)
- cm *= 10;
- }
- if (*e == 'm')
- e++;
- if (*e != 0)
- RETTOK(DNS_R_SYNTAX);
- if (m == -100000 && cm != 0)
- RETTOK(ISC_R_RANGE);
- if (m == 42849672 && cm > 95)
- RETTOK(ISC_R_RANGE);
- /*
- * Adjust base.
- */
- altitude = m + 100000;
- altitude *= 100;
- altitude += cm;
-
- /*
- * Size: optional.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_TRUE));
- if (token.type == isc_tokentype_eol ||
- token.type == isc_tokentype_eof) {
- isc_lex_ungettoken(lexer, &token);
- goto encode;
- }
- m = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0 && *e != '.' && *e != 'm')
- RETTOK(DNS_R_SYNTAX);
- if (m < 0 || m > 90000000)
- RETTOK(ISC_R_RANGE);
- cm = 0;
- if (*e == '.') {
- e++;
- for (i = 0; i < 2; i++) {
- if (*e == 0 || *e == 'm')
- break;
- if ((tmp = decvalue(*e++)) < 0)
- RETTOK(DNS_R_SYNTAX);
- cm *= 10;
- cm += tmp;
- }
- for (; i < 2; i++)
- cm *= 10;
- }
- if (*e == 'm')
- e++;
- if (*e != 0)
- RETTOK(DNS_R_SYNTAX);
- /*
- * We don't just multiply out as we will overflow.
- */
- if (m > 0) {
- for (exp = 0; exp < 7; exp++)
- if (m < poweroften[exp+1])
- break;
- man = m / poweroften[exp];
- exp += 2;
- } else {
- if (cm >= 10) {
- man = cm / 10;
- exp = 1;
- } else {
- man = cm;
- exp = 0;
- }
- }
- size = (man << 4) + exp;
-
- /*
- * Horizontal precision: optional.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_TRUE));
- if (token.type == isc_tokentype_eol ||
- token.type == isc_tokentype_eof) {
- isc_lex_ungettoken(lexer, &token);
- goto encode;
- }
- m = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0 && *e != '.' && *e != 'm')
- RETTOK(DNS_R_SYNTAX);
- if (m < 0 || m > 90000000)
- RETTOK(ISC_R_RANGE);
- cm = 0;
- if (*e == '.') {
- e++;
- for (i = 0; i < 2; i++) {
- if (*e == 0 || *e == 'm')
- break;
- if ((tmp = decvalue(*e++)) < 0)
- RETTOK(DNS_R_SYNTAX);
- cm *= 10;
- cm += tmp;
- }
- for (; i < 2; i++)
- cm *= 10;
- }
- if (*e == 'm')
- e++;
- if (*e != 0)
- RETTOK(DNS_R_SYNTAX);
- /*
- * We don't just multiply out as we will overflow.
- */
- if (m > 0) {
- for (exp = 0; exp < 7; exp++)
- if (m < poweroften[exp+1])
- break;
- man = m / poweroften[exp];
- exp += 2;
- } else if (cm >= 10) {
- man = cm / 10;
- exp = 1;
- } else {
- man = cm;
- exp = 0;
- }
- hp = (man << 4) + exp;
-
- /*
- * Vertical precision: optional.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_TRUE));
- if (token.type == isc_tokentype_eol ||
- token.type == isc_tokentype_eof) {
- isc_lex_ungettoken(lexer, &token);
- goto encode;
- }
- m = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0 && *e != '.' && *e != 'm')
- RETTOK(DNS_R_SYNTAX);
- if (m < 0 || m > 90000000)
- RETTOK(ISC_R_RANGE);
- cm = 0;
- if (*e == '.') {
- e++;
- for (i = 0; i < 2; i++) {
- if (*e == 0 || *e == 'm')
- break;
- if ((tmp = decvalue(*e++)) < 0)
- RETTOK(DNS_R_SYNTAX);
- cm *= 10;
- cm += tmp;
- }
- for (; i < 2; i++)
- cm *= 10;
- }
- if (*e == 'm')
- e++;
- if (*e != 0)
- RETTOK(DNS_R_SYNTAX);
- /*
- * We don't just multiply out as we will overflow.
- */
- if (m > 0) {
- for (exp = 0; exp < 7; exp++)
- if (m < poweroften[exp+1])
- break;
- man = m / poweroften[exp];
- exp += 2;
- } else if (cm >= 10) {
- man = cm / 10;
- exp = 1;
- } else {
- man = cm;
- exp = 0;
- }
- vp = (man << 4) + exp;
-
- encode:
- RETERR(mem_tobuffer(target, &version, 1));
- RETERR(mem_tobuffer(target, &size, 1));
- RETERR(mem_tobuffer(target, &hp, 1));
- RETERR(mem_tobuffer(target, &vp, 1));
- if (north)
- latitude = 0x80000000 + ( d1 * 3600 + m1 * 60 ) * 1000 + s1;
- else
- latitude = 0x80000000 - ( d1 * 3600 + m1 * 60 ) * 1000 - s1;
- RETERR(uint32_tobuffer(latitude, target));
-
- if (east)
- longitude = 0x80000000 + ( d2 * 3600 + m2 * 60 ) * 1000 + s2;
- else
- longitude = 0x80000000 - ( d2 * 3600 + m2 * 60 ) * 1000 - s2;
- RETERR(uint32_tobuffer(longitude, target));
-
- return (uint32_tobuffer(altitude, target));
-}
-
-static inline isc_result_t
-totext_loc(ARGS_TOTEXT) {
- int d1, m1, s1, fs1;
- int d2, m2, s2, fs2;
- unsigned long latitude;
- unsigned long longitude;
- unsigned long altitude;
- isc_boolean_t north;
- isc_boolean_t east;
- isc_boolean_t below;
- isc_region_t sr;
- char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
- "42849672.95m 90000000m 90000000m 90000000m")];
- char sbuf[sizeof("90000000m")];
- char hbuf[sizeof("90000000m")];
- char vbuf[sizeof("90000000m")];
- unsigned char size, hp, vp;
- unsigned long poweroften[8] = { 1, 10, 100, 1000,
- 10000, 100000, 1000000, 10000000 };
-
- UNUSED(tctx);
-
- REQUIRE(rdata->type == 29);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
-
- /* version = sr.base[0]; */
- size = sr.base[1];
- if ((size&0x0f)> 1)
- sprintf(sbuf, "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
- else
- sprintf(sbuf, "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
- hp = sr.base[2];
- if ((hp&0x0f)> 1)
- sprintf(hbuf, "%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
- else
- sprintf(hbuf, "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
- vp = sr.base[3];
- if ((vp&0x0f)> 1)
- sprintf(vbuf, "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
- else
- sprintf(vbuf, "0.%02lum", (vp>>4) * poweroften[(vp&0x0f)]);
- isc_region_consume(&sr, 4);
-
- latitude = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- if (latitude >= 0x80000000) {
- north = ISC_TRUE;
- latitude -= 0x80000000;
- } else {
- north = ISC_FALSE;
- latitude = 0x80000000 - latitude;
- }
- fs1 = (int)(latitude % 1000);
- latitude /= 1000;
- s1 = (int)(latitude % 60);
- latitude /= 60;
- m1 = (int)(latitude % 60);
- latitude /= 60;
- d1 = (int)latitude;
-
- longitude = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- if (longitude >= 0x80000000) {
- east = ISC_TRUE;
- longitude -= 0x80000000;
- } else {
- east = ISC_FALSE;
- longitude = 0x80000000 - longitude;
- }
- fs2 = (int)(longitude % 1000);
- longitude /= 1000;
- s2 = (int)(longitude % 60);
- longitude /= 60;
- m2 = (int)(longitude % 60);
- longitude /= 60;
- d2 = (int)longitude;
-
- altitude = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- if (altitude < 10000000U) {
- below = ISC_TRUE;
- altitude = 10000000 - altitude;
- } else {
- below =ISC_FALSE;
- altitude -= 10000000;
- }
-
- sprintf(buf, "%d %d %d.%03d %s %d %d %d.%03d %s %s%ld.%02ldm %s %s %s",
- d1, m1, s1, fs1, north ? "N" : "S",
- d2, m2, s2, fs2, east ? "E" : "W",
- below ? "-" : "", altitude/100, altitude % 100,
- sbuf, hbuf, vbuf);
-
- return (str_totext(buf, target));
-}
-
-static inline isc_result_t
-fromwire_loc(ARGS_FROMWIRE) {
- isc_region_t sr;
- unsigned char c;
- unsigned long latitude;
- unsigned long longitude;
-
- REQUIRE(type == 29);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 1)
- return (ISC_R_UNEXPECTEDEND);
- if (sr.base[0] != 0)
- return (ISC_R_NOTIMPLEMENTED);
- if (sr.length < 16)
- return (ISC_R_UNEXPECTEDEND);
-
- /*
- * Size.
- */
- c = sr.base[1];
- if (c != 0)
- if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
- return (ISC_R_RANGE);
-
- /*
- * Horizontal precision.
- */
- c = sr.base[2];
- if (c != 0)
- if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
- return (ISC_R_RANGE);
-
- /*
- * Vertical precision.
- */
- c = sr.base[3];
- if (c != 0)
- if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
- return (ISC_R_RANGE);
- isc_region_consume(&sr, 4);
-
- /*
- * Latitude.
- */
- latitude = uint32_fromregion(&sr);
- if (latitude < (0x80000000UL - 90 * 3600000) ||
- latitude > (0x80000000UL + 90 * 3600000))
- return (ISC_R_RANGE);
- isc_region_consume(&sr, 4);
-
- /*
- * Longitude.
- */
- longitude = uint32_fromregion(&sr);
- if (longitude < (0x80000000UL - 180 * 3600000) ||
- longitude > (0x80000000UL + 180 * 3600000))
- return (ISC_R_RANGE);
-
- /*
- * Altitiude.
- * All values possible.
- */
-
- isc_buffer_activeregion(source, &sr);
- isc_buffer_forward(source, 16);
- return (mem_tobuffer(target, sr.base, 16));
-}
-
-static inline isc_result_t
-towire_loc(ARGS_TOWIRE) {
- UNUSED(cctx);
-
- REQUIRE(rdata->type == 29);
- REQUIRE(rdata->length != 0);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_loc(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 29);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_loc(ARGS_FROMSTRUCT) {
- dns_rdata_loc_t *loc = source;
- isc_uint8_t c;
-
- REQUIRE(type == 29);
- REQUIRE(source != NULL);
- REQUIRE(loc->common.rdtype == type);
- REQUIRE(loc->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- if (loc->v.v0.version != 0)
- return (ISC_R_NOTIMPLEMENTED);
- RETERR(uint8_tobuffer(loc->v.v0.version, target));
-
- c = loc->v.v0.size;
- if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
- return (ISC_R_RANGE);
- RETERR(uint8_tobuffer(loc->v.v0.size, target));
-
- c = loc->v.v0.horizontal;
- if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
- return (ISC_R_RANGE);
- RETERR(uint8_tobuffer(loc->v.v0.horizontal, target));
-
- c = loc->v.v0.vertical;
- if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
- return (ISC_R_RANGE);
- RETERR(uint8_tobuffer(loc->v.v0.vertical, target));
-
- if (loc->v.v0.latitude < (0x80000000UL - 90 * 3600000) ||
- loc->v.v0.latitude > (0x80000000UL + 90 * 3600000))
- return (ISC_R_RANGE);
- RETERR(uint32_tobuffer(loc->v.v0.latitude, target));
-
- if (loc->v.v0.longitude < (0x80000000UL - 180 * 3600000) ||
- loc->v.v0.longitude > (0x80000000UL + 180 * 3600000))
- return (ISC_R_RANGE);
- RETERR(uint32_tobuffer(loc->v.v0.longitude, target));
- return (uint32_tobuffer(loc->v.v0.altitude, target));
-}
-
-static inline isc_result_t
-tostruct_loc(ARGS_TOSTRUCT) {
- dns_rdata_loc_t *loc = target;
- isc_region_t r;
- isc_uint8_t version;
-
- REQUIRE(rdata->type == 29);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- UNUSED(mctx);
-
- dns_rdata_toregion(rdata, &r);
- version = uint8_fromregion(&r);
- if (version != 0)
- return (ISC_R_NOTIMPLEMENTED);
-
- loc->common.rdclass = rdata->rdclass;
- loc->common.rdtype = rdata->type;
- ISC_LINK_INIT(&loc->common, link);
-
- loc->v.v0.version = version;
- isc_region_consume(&r, 1);
- loc->v.v0.size = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- loc->v.v0.horizontal = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- loc->v.v0.vertical = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- loc->v.v0.latitude = uint32_fromregion(&r);
- isc_region_consume(&r, 4);
- loc->v.v0.longitude = uint32_fromregion(&r);
- isc_region_consume(&r, 4);
- loc->v.v0.altitude = uint32_fromregion(&r);
- isc_region_consume(&r, 4);
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_loc(ARGS_FREESTRUCT) {
- dns_rdata_loc_t *loc = source;
-
- REQUIRE(source != NULL);
- REQUIRE(loc->common.rdtype == 29);
-
- UNUSED(source);
- UNUSED(loc);
-}
-
-static inline isc_result_t
-additionaldata_loc(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 29);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_loc(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 29);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_loc(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 29);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_loc(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 29);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_LOC_29_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.h b/contrib/bind9/lib/dns/rdata/generic/loc_29.h
deleted file mode 100644
index cdca67b832ea..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/loc_29.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_LOC_29_H
-#define GENERIC_LOC_29_H 1
-
-/* $Id: loc_29.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
-
-/* RFC 1876 */
-
-typedef struct dns_rdata_loc_0 {
- isc_uint8_t version; /* must be first and zero */
- isc_uint8_t size;
- isc_uint8_t horizontal;
- isc_uint8_t vertical;
- isc_uint32_t latitude;
- isc_uint32_t longitude;
- isc_uint32_t altitude;
-} dns_rdata_loc_0_t;
-
-typedef struct dns_rdata_loc {
- dns_rdatacommon_t common;
- union {
- dns_rdata_loc_0_t v0;
- } v;
-} dns_rdata_loc_t;
-
-#endif /* GENERIC_LOC_29_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.c b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
deleted file mode 100644
index 25627071d76c..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mb_7.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mb_7.c,v 1.41.206.2 2004/03/06 08:14:06 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_MB_7_C
-#define RDATA_GENERIC_MB_7_C
-
-#define RRTYPE_MB_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mb(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 7);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mb(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 7);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mb(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 7);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mb(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 7);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mb(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 7);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mb(ARGS_FROMSTRUCT) {
- dns_rdata_mb_t *mb = source;
- isc_region_t region;
-
- REQUIRE(type == 7);
- REQUIRE(source != NULL);
- REQUIRE(mb->common.rdtype == type);
- REQUIRE(mb->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&mb->mb, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mb(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_mb_t *mb = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 7);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- mb->common.rdclass = rdata->rdclass;
- mb->common.rdtype = rdata->type;
- ISC_LINK_INIT(&mb->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&mb->mb, NULL);
- RETERR(name_duporclone(&name, mctx, &mb->mb));
- mb->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mb(ARGS_FREESTRUCT) {
- dns_rdata_mb_t *mb = source;
-
- REQUIRE(source != NULL);
-
- if (mb->mctx == NULL)
- return;
-
- dns_name_free(&mb->mb, mb->mctx);
- mb->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mb(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 7);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_mb(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 7);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mb(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 7);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (dns_name_ismailbox(name));
-}
-
-static inline isc_boolean_t
-checknames_mb(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 7);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_MB_7_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.h b/contrib/bind9/lib/dns/rdata/generic/mb_7.h
deleted file mode 100644
index 115ab49e8911..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mb_7.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_MB_7_H
-#define GENERIC_MB_7_H 1
-
-/* $Id: mb_7.h,v 1.22.206.1 2004/03/06 08:14:06 marka Exp $ */
-
-typedef struct dns_rdata_mb {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t mb;
-} dns_rdata_mb_t;
-
-#endif /* GENERIC_MB_7_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.c b/contrib/bind9/lib/dns/rdata/generic/md_3.c
deleted file mode 100644
index 7488d84f2da5..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/md_3.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: md_3.c,v 1.43.206.2 2004/03/06 08:14:07 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_MD_3_C
-#define RDATA_GENERIC_MD_3_C
-
-#define RRTYPE_MD_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_md(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 3);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_md(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 3);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_md(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 3);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_md(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 3);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_md(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 3);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_md(ARGS_FROMSTRUCT) {
- dns_rdata_md_t *md = source;
- isc_region_t region;
-
- REQUIRE(type == 3);
- REQUIRE(source != NULL);
- REQUIRE(md->common.rdtype == type);
- REQUIRE(md->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&md->md, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_md(ARGS_TOSTRUCT) {
- dns_rdata_md_t *md = target;
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 3);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- md->common.rdclass = rdata->rdclass;
- md->common.rdtype = rdata->type;
- ISC_LINK_INIT(&md->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &r);
- dns_name_fromregion(&name, &r);
- dns_name_init(&md->md, NULL);
- RETERR(name_duporclone(&name, mctx, &md->md));
- md->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_md(ARGS_FREESTRUCT) {
- dns_rdata_md_t *md = source;
-
- REQUIRE(source != NULL);
- REQUIRE(md->common.rdtype == 3);
-
- if (md->mctx == NULL)
- return;
-
- dns_name_free(&md->md, md->mctx);
- md->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_md(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 3);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_md(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 3);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_md(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 3);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_md(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 3);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_MD_3_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.h b/contrib/bind9/lib/dns/rdata/generic/md_3.h
deleted file mode 100644
index 8662829ba24c..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/md_3.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_MD_3_H
-#define GENERIC_MD_3_H 1
-
-/* $Id: md_3.h,v 1.23.206.1 2004/03/06 08:14:07 marka Exp $ */
-
-typedef struct dns_rdata_md {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t md;
-} dns_rdata_md_t;
-
-
-#endif /* GENERIC_MD_3_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.c b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
deleted file mode 100644
index b6c72d937520..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mf_4.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mf_4.c,v 1.41.206.2 2004/03/06 08:14:07 marka Exp $ */
-
-/* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MF_4_C
-#define RDATA_GENERIC_MF_4_C
-
-#define RRTYPE_MF_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mf(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 4);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mf(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 4);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mf(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 4);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mf(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 4);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mf(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 4);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mf(ARGS_FROMSTRUCT) {
- dns_rdata_mf_t *mf = source;
- isc_region_t region;
-
- REQUIRE(type == 4);
- REQUIRE(source != NULL);
- REQUIRE(mf->common.rdtype == type);
- REQUIRE(mf->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&mf->mf, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mf(ARGS_TOSTRUCT) {
- dns_rdata_mf_t *mf = target;
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 4);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- mf->common.rdclass = rdata->rdclass;
- mf->common.rdtype = rdata->type;
- ISC_LINK_INIT(&mf->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &r);
- dns_name_fromregion(&name, &r);
- dns_name_init(&mf->mf, NULL);
- RETERR(name_duporclone(&name, mctx, &mf->mf));
- mf->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mf(ARGS_FREESTRUCT) {
- dns_rdata_mf_t *mf = source;
-
- REQUIRE(source != NULL);
- REQUIRE(mf->common.rdtype == 4);
-
- if (mf->mctx == NULL)
- return;
- dns_name_free(&mf->mf, mf->mctx);
- mf->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mf(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 4);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_mf(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 4);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mf(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 4);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_mf(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 4);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_MF_4_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.h b/contrib/bind9/lib/dns/rdata/generic/mf_4.h
deleted file mode 100644
index adb825455e9e..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mf_4.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_MF_4_H
-#define GENERIC_MF_4_H 1
-
-/* $Id: mf_4.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
-
-typedef struct dns_rdata_mf {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t mf;
-} dns_rdata_mf_t;
-
-#endif /* GENERIC_MF_4_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.c b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
deleted file mode 100644
index 26eac8ddbf68..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mg_8.c
+++ /dev/null
@@ -1,230 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mg_8.c,v 1.39.206.2 2004/03/06 08:14:07 marka Exp $ */
-
-/* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MG_8_C
-#define RDATA_GENERIC_MG_8_C
-
-#define RRTYPE_MG_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mg(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 8);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mg(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 8);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mg(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 8);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mg(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 8);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mg(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 8);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mg(ARGS_FROMSTRUCT) {
- dns_rdata_mg_t *mg = source;
- isc_region_t region;
-
- REQUIRE(type == 8);
- REQUIRE(source != NULL);
- REQUIRE(mg->common.rdtype == type);
- REQUIRE(mg->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&mg->mg, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mg(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_mg_t *mg = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 8);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- mg->common.rdclass = rdata->rdclass;
- mg->common.rdtype = rdata->type;
- ISC_LINK_INIT(&mg->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&mg->mg, NULL);
- RETERR(name_duporclone(&name, mctx, &mg->mg));
- mg->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mg(ARGS_FREESTRUCT) {
- dns_rdata_mg_t *mg = source;
-
- REQUIRE(source != NULL);
- REQUIRE(mg->common.rdtype == 8);
-
- if (mg->mctx == NULL)
- return;
- dns_name_free(&mg->mg, mg->mctx);
- mg->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mg(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 8);
-
- UNUSED(add);
- UNUSED(arg);
- UNUSED(rdata);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_mg(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 8);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mg(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 8);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (dns_name_ismailbox(name));
-}
-
-static inline isc_boolean_t
-checknames_mg(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 8);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_MG_8_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.h b/contrib/bind9/lib/dns/rdata/generic/mg_8.h
deleted file mode 100644
index b45c2bf61925..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mg_8.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_MG_8_H
-#define GENERIC_MG_8_H 1
-
-/* $Id: mg_8.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
-
-typedef struct dns_rdata_mg {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t mg;
-} dns_rdata_mg_t;
-
-#endif /* GENERIC_MG_8_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
deleted file mode 100644
index a3c4a9c558ac..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
+++ /dev/null
@@ -1,324 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: minfo_14.c,v 1.40.12.4 2004/03/08 09:04:41 marka Exp $ */
-
-/* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MINFO_14_C
-#define RDATA_GENERIC_MINFO_14_C
-
-#define RRTYPE_MINFO_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_minfo(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- int i;
- isc_boolean_t ok;
-
- REQUIRE(type == 14);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- for (i = 0; i < 2; i++) {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin,
- options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- ok = dns_name_ismailbox(&name);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_minfo(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t rmail;
- dns_name_t email;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 14);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&rmail, NULL);
- dns_name_init(&email, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
-
- dns_name_fromregion(&rmail, &region);
- isc_region_consume(&region, rmail.length);
-
- dns_name_fromregion(&email, &region);
- isc_region_consume(&region, email.length);
-
- sub = name_prefix(&rmail, tctx->origin, &prefix);
-
- RETERR(dns_name_totext(&prefix, sub, target));
-
- RETERR(str_totext(" ", target));
-
- sub = name_prefix(&email, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_minfo(ARGS_FROMWIRE) {
- dns_name_t rmail;
- dns_name_t email;
-
- REQUIRE(type == 14);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&rmail, NULL);
- dns_name_init(&email, NULL);
-
- RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
- return (dns_name_fromwire(&email, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_minfo(ARGS_TOWIRE) {
- isc_region_t region;
- dns_name_t rmail;
- dns_name_t email;
- dns_offsets_t roffsets;
- dns_offsets_t eoffsets;
-
- REQUIRE(rdata->type == 14);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&rmail, roffsets);
- dns_name_init(&email, eoffsets);
-
- dns_rdata_toregion(rdata, &region);
-
- dns_name_fromregion(&rmail, &region);
- isc_region_consume(&region, name_length(&rmail));
-
- RETERR(dns_name_towire(&rmail, cctx, target));
-
- dns_name_fromregion(&rmail, &region);
- isc_region_consume(&region, rmail.length);
-
- return (dns_name_towire(&rmail, cctx, target));
-}
-
-static inline int
-compare_minfo(ARGS_COMPARE) {
- isc_region_t region1;
- isc_region_t region2;
- dns_name_t name1;
- dns_name_t name2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 14);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
-
- isc_region_consume(&region1, name_length(&name1));
- isc_region_consume(&region2, name_length(&name2));
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- order = dns_name_rdatacompare(&name1, &name2);
- return (order);
-}
-
-static inline isc_result_t
-fromstruct_minfo(ARGS_FROMSTRUCT) {
- dns_rdata_minfo_t *minfo = source;
- isc_region_t region;
-
- REQUIRE(type == 14);
- REQUIRE(source != NULL);
- REQUIRE(minfo->common.rdtype == type);
- REQUIRE(minfo->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&minfo->rmailbox, &region);
- RETERR(isc_buffer_copyregion(target, &region));
- dns_name_toregion(&minfo->emailbox, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_minfo(ARGS_TOSTRUCT) {
- dns_rdata_minfo_t *minfo = target;
- isc_region_t region;
- dns_name_t name;
- isc_result_t result;
-
- REQUIRE(rdata->type == 14);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- minfo->common.rdclass = rdata->rdclass;
- minfo->common.rdtype = rdata->type;
- ISC_LINK_INIT(&minfo->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&minfo->rmailbox, NULL);
- RETERR(name_duporclone(&name, mctx, &minfo->rmailbox));
- isc_region_consume(&region, name_length(&name));
-
- dns_name_fromregion(&name, &region);
- dns_name_init(&minfo->emailbox, NULL);
- result = name_duporclone(&name, mctx, &minfo->emailbox);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- minfo->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&minfo->rmailbox, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_minfo(ARGS_FREESTRUCT) {
- dns_rdata_minfo_t *minfo = source;
-
- REQUIRE(source != NULL);
- REQUIRE(minfo->common.rdtype == 14);
-
- if (minfo->mctx == NULL)
- return;
-
- dns_name_free(&minfo->rmailbox, minfo->mctx);
- dns_name_free(&minfo->emailbox, minfo->mctx);
- minfo->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_minfo(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 14);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_minfo(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
- isc_result_t result;
-
- REQUIRE(rdata->type == 14);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
- result = dns_name_digest(&name, digest, arg);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_region_consume(&r, name_length(&name));
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_minfo(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 14);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_minfo(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 14);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ismailbox(&name)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- isc_region_consume(&region, name_length(&name));
- dns_name_fromregion(&name, &region);
- if (!dns_name_ismailbox(&name)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_MINFO_14_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.h b/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
deleted file mode 100644
index 84078b9b4cd0..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_MINFO_14_H
-#define GENERIC_MINFO_14_H 1
-
-/* $Id: minfo_14.h,v 1.22.206.1 2004/03/06 08:14:08 marka Exp $ */
-
-typedef struct dns_rdata_minfo {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t rmailbox;
- dns_name_t emailbox;
-} dns_rdata_minfo_t;
-
-#endif /* GENERIC_MINFO_14_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.c b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
deleted file mode 100644
index 30da6cb58c76..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mr_9.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mr_9.c,v 1.38.206.2 2004/03/06 08:14:08 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
-
-#ifndef RDATA_GENERIC_MR_9_C
-#define RDATA_GENERIC_MR_9_C
-
-#define RRTYPE_MR_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mr(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 9);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mr(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 9);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mr(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 9);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mr(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 9);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mr(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 9);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mr(ARGS_FROMSTRUCT) {
- dns_rdata_mr_t *mr = source;
- isc_region_t region;
-
- REQUIRE(type == 9);
- REQUIRE(source != NULL);
- REQUIRE(mr->common.rdtype == type);
- REQUIRE(mr->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&mr->mr, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mr(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_mr_t *mr = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 9);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- mr->common.rdclass = rdata->rdclass;
- mr->common.rdtype = rdata->type;
- ISC_LINK_INIT(&mr->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&mr->mr, NULL);
- RETERR(name_duporclone(&name, mctx, &mr->mr));
- mr->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mr(ARGS_FREESTRUCT) {
- dns_rdata_mr_t *mr = source;
-
- REQUIRE(source != NULL);
- REQUIRE(mr->common.rdtype == 9);
-
- if (mr->mctx == NULL)
- return;
- dns_name_free(&mr->mr, mr->mctx);
- mr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mr(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 9);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_mr(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 9);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mr(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 9);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_mr(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 9);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_MR_9_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.h b/contrib/bind9/lib/dns/rdata/generic/mr_9.h
deleted file mode 100644
index ba6e154041b0..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mr_9.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_MR_9_H
-#define GENERIC_MR_9_H 1
-
-/* $Id: mr_9.h,v 1.21.206.1 2004/03/06 08:14:08 marka Exp $ */
-
-typedef struct dns_rdata_mr {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t mr;
-} dns_rdata_mr_t;
-
-#endif /* GENERIC_MR_9_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.c b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
deleted file mode 100644
index 794249c090d9..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mx_15.c
+++ /dev/null
@@ -1,288 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mx_15.c,v 1.48.2.1.2.3 2004/03/06 08:14:08 marka Exp $ */
-
-/* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
-
-#ifndef RDATA_GENERIC_MX_15_C
-#define RDATA_GENERIC_MX_15_C
-
-#define RRTYPE_MX_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_mx(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- isc_boolean_t ok;
-
- REQUIRE(type == 15);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- ok = dns_name_ishostname(&name, ISC_FALSE);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_mx(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- char buf[sizeof("64000")];
- unsigned short num;
-
- REQUIRE(rdata->type == 15);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
-
- RETERR(str_totext(" ", target));
-
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_mx(ARGS_FROMWIRE) {
- dns_name_t name;
- isc_region_t sregion;
-
- REQUIRE(type == 15);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
-
- isc_buffer_activeregion(source, &sregion);
- if (sregion.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sregion.base, 2));
- isc_buffer_forward(source, 2);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_mx(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 15);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_rdata_toregion(rdata, &region);
- RETERR(mem_tobuffer(target, region.base, 2));
- isc_region_consume(&region, 2);
-
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_mx(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 15);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- order = memcmp(rdata1->data, rdata2->data, 2);
- if (order != 0)
- return (order < 0 ? -1 : 1);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- isc_region_consume(&region1, 2);
- isc_region_consume(&region2, 2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_mx(ARGS_FROMSTRUCT) {
- dns_rdata_mx_t *mx = source;
- isc_region_t region;
-
- REQUIRE(type == 15);
- REQUIRE(source != NULL);
- REQUIRE(mx->common.rdtype == type);
- REQUIRE(mx->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(mx->pref, target));
- dns_name_toregion(&mx->mx, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_mx(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_mx_t *mx = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 15);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- mx->common.rdclass = rdata->rdclass;
- mx->common.rdtype = rdata->type;
- ISC_LINK_INIT(&mx->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- mx->pref = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- dns_name_fromregion(&name, &region);
- dns_name_init(&mx->mx, NULL);
- RETERR(name_duporclone(&name, mctx, &mx->mx));
- mx->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_mx(ARGS_FREESTRUCT) {
- dns_rdata_mx_t *mx = source;
-
- REQUIRE(source != NULL);
- REQUIRE(mx->common.rdtype == 15);
-
- if (mx->mctx == NULL)
- return;
-
- dns_name_free(&mx->mx, mx->mctx);
- mx->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_mx(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 15);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 2);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_mx(ARGS_DIGEST) {
- isc_region_t r1, r2;
- dns_name_t name;
-
- REQUIRE(rdata->type == 15);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- isc_region_consume(&r2, 2);
- r1.length = 2;
- RETERR((digest)(arg, &r1));
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_mx(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 15);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_mx(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 15);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 2);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_MX_15_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.h b/contrib/bind9/lib/dns/rdata/generic/mx_15.h
deleted file mode 100644
index 01225fa292fb..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/mx_15.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_MX_15_H
-#define GENERIC_MX_15_H 1
-
-/* $Id: mx_15.h,v 1.24.206.1 2004/03/06 08:14:09 marka Exp $ */
-
-typedef struct dns_rdata_mx {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t pref;
- dns_name_t mx;
-} dns_rdata_mx_t;
-
-#endif /* GENERIC_MX_15_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.c b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
deleted file mode 100644
index bf32d63614ae..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/ns_2.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ns_2.c,v 1.42.206.2 2004/03/06 08:14:09 marka Exp $ */
-
-/* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_NS_2_C
-#define RDATA_GENERIC_NS_2_C
-
-#define RRTYPE_NS_ATTRIBUTES (DNS_RDATATYPEATTR_ZONECUTAUTH)
-
-static inline isc_result_t
-fromtext_ns(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- isc_boolean_t ok;
-
- REQUIRE(type == 2);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token,isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- ok = dns_name_ishostname(&name, ISC_FALSE);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_ns(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 2);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_ns(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 2);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_ns(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 2);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_ns(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 2);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_ns(ARGS_FROMSTRUCT) {
- dns_rdata_ns_t *ns = source;
- isc_region_t region;
-
- REQUIRE(type == 2);
- REQUIRE(source != NULL);
- REQUIRE(ns->common.rdtype == type);
- REQUIRE(ns->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&ns->name, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_ns(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_ns_t *ns = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 2);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- ns->common.rdclass = rdata->rdclass;
- ns->common.rdtype = rdata->type;
- ISC_LINK_INIT(&ns->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&ns->name, NULL);
- RETERR(name_duporclone(&name, mctx, &ns->name));
- ns->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ns(ARGS_FREESTRUCT) {
- dns_rdata_ns_t *ns = source;
-
- REQUIRE(source != NULL);
-
- if (ns->mctx == NULL)
- return;
-
- dns_name_free(&ns->name, ns->mctx);
- ns->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ns(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 2);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_ns(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 2);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_ns(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 2);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_ns(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 2);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_NS_2_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.h b/contrib/bind9/lib/dns/rdata/generic/ns_2.h
deleted file mode 100644
index 2bef1f848f39..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/ns_2.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NS_2_H
-#define GENERIC_NS_2_H 1
-
-/* $Id: ns_2.h,v 1.22.206.1 2004/03/06 08:14:09 marka Exp $ */
-
-typedef struct dns_rdata_ns {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t name;
-} dns_rdata_ns_t;
-
-
-#endif /* GENERIC_NS_2_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
deleted file mode 100644
index 74b7806c7e11..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
+++ /dev/null
@@ -1,366 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsec_47.c,v 1.7.2.1 2004/03/08 02:08:03 marka Exp $ */
-
-/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
-
-/* draft-ietf-dnsext-nsec-rdata-01.txt */
-
-#ifndef RDATA_GENERIC_NSEC_47_C
-#define RDATA_GENERIC_NSEC_47_C
-
-/*
- * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
- * because we must be able to handle a parent/child NSEC pair.
- */
-#define RRTYPE_NSEC_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_nsec(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- unsigned char bm[8*1024]; /* 64k bits */
- dns_rdatatype_t covered;
- int octet;
- int window;
-
- REQUIRE(type == 47);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Next domain.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
- memset(bm, 0, sizeof(bm));
- do {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string, ISC_TRUE));
- if (token.type != isc_tokentype_string)
- break;
- RETTOK(dns_rdatatype_fromtext(&covered,
- &token.value.as_textregion));
- bm[covered/8] |= (0x80>>(covered%8));
- } while (1);
- isc_lex_ungettoken(lexer, &token);
- for (window = 0; window < 256 ; window++) {
- /*
- * Find if we have a type in this window.
- */
- for (octet = 31; octet >= 0; octet--)
- if (bm[window * 32 + octet] != 0)
- break;
- if (octet < 0)
- continue;
- RETERR(uint8_tobuffer(window, target));
- RETERR(uint8_tobuffer(octet + 1, target));
- RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_nsec(ARGS_TOTEXT) {
- isc_region_t sr;
- unsigned int i, j, k;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- unsigned int window, len;
-
- REQUIRE(rdata->type == 47);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
- dns_rdata_toregion(rdata, &sr);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
-
-
- for (i = 0; i < sr.length; i += len) {
- INSIST(i + 2 <= sr.length);
- window = sr.base[i];
- len = sr.base[i + 1];
- INSIST(len > 0 && len <= 32);
- i += 2;
- INSIST(i + len <= sr.length);
- for (j = 0; j < len; j++) {
- dns_rdatatype_t t;
- if (sr.base[i + j] == 0)
- continue;
- for (k = 0; k < 8; k++) {
- if ((sr.base[i + j] & (0x80 >> k)) == 0)
- continue;
- t = window * 256 + j * 8 + k;
- RETERR(str_totext(" ", target));
- if (dns_rdatatype_isknown(t)) {
- RETERR(dns_rdatatype_totext(t, target));
- } else {
- char buf[sizeof("TYPE65535")];
- sprintf(buf, "TYPE%u", t);
- RETERR(str_totext(buf, target));
- }
- }
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-static /* inline */ isc_result_t
-fromwire_nsec(ARGS_FROMWIRE) {
- isc_region_t sr;
- dns_name_t name;
- unsigned int window, lastwindow = 0;
- unsigned int len;
- isc_boolean_t first = ISC_TRUE;
- unsigned int i;
-
- REQUIRE(type == 47);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
- RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
- isc_buffer_activeregion(source, &sr);
- for (i = 0; i < sr.length; i += len) {
- /*
- * Check for overflow.
- */
- if (i + 2 > sr.length)
- RETERR(DNS_R_FORMERR);
- window = sr.base[i];
- len = sr.base[i + 1];
- i += 2;
- /*
- * Check that bitmap windows are in the correct order.
- */
- if (!first && window <= lastwindow)
- RETERR(DNS_R_FORMERR);
- /*
- * Check for legal lengths.
- */
- if (len < 1 || len > 32)
- RETERR(DNS_R_FORMERR);
- /*
- * Check for overflow.
- */
- if (i + len > sr.length)
- RETERR(DNS_R_FORMERR);
- /*
- * The last octet of the bitmap must be non zero.
- */
- if (sr.base[i + len - 1] == 0)
- RETERR(DNS_R_FORMERR);
- lastwindow = window;
- first = ISC_FALSE;
- }
- if (i != sr.length)
- return (DNS_R_EXTRADATA);
- if (first)
- RETERR(DNS_R_FORMERR);
- RETERR(mem_tobuffer(target, sr.base, sr.length));
- isc_buffer_forward(source, sr.length);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_nsec(ARGS_TOWIRE) {
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
-
- REQUIRE(rdata->type == 47);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &sr);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- RETERR(dns_name_towire(&name, cctx, target));
-
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_nsec(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 47);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_nsec(ARGS_FROMSTRUCT) {
- dns_rdata_nsec_t *nsec = source;
- isc_region_t region;
- unsigned int i, len, window, lastwindow = 0;
- isc_boolean_t first = ISC_TRUE;
-
- REQUIRE(type == 47);
- REQUIRE(source != NULL);
- REQUIRE(nsec->common.rdtype == type);
- REQUIRE(nsec->common.rdclass == rdclass);
- REQUIRE(nsec->typebits != NULL || nsec->len == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&nsec->next, &region);
- RETERR(isc_buffer_copyregion(target, &region));
- /*
- * Perform sanity check.
- */
- for (i = 0; i < nsec->len ; i += len) {
- INSIST(i + 2 <= nsec->len);
- window = nsec->typebits[i];
- len = nsec->typebits[i+1];
- i += 2;
- INSIST(first || window > lastwindow);
- INSIST(len > 0 && len <= 32);
- INSIST(i + len <= nsec->len);
- INSIST(nsec->typebits[i + len - 1] != 0);
- lastwindow = window;
- first = ISC_FALSE;
- }
- INSIST(!first);
- return (mem_tobuffer(target, nsec->typebits, nsec->len));
-}
-
-static inline isc_result_t
-tostruct_nsec(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_nsec_t *nsec = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 47);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- nsec->common.rdclass = rdata->rdclass;
- nsec->common.rdtype = rdata->type;
- ISC_LINK_INIT(&nsec->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- isc_region_consume(&region, name_length(&name));
- dns_name_init(&nsec->next, NULL);
- RETERR(name_duporclone(&name, mctx, &nsec->next));
-
- nsec->len = region.length;
- nsec->typebits = mem_maybedup(mctx, region.base, region.length);
- if (nsec->typebits == NULL)
- goto cleanup;
-
- nsec->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&nsec->next, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_nsec(ARGS_FREESTRUCT) {
- dns_rdata_nsec_t *nsec = source;
-
- REQUIRE(source != NULL);
- REQUIRE(nsec->common.rdtype == 47);
-
- if (nsec->mctx == NULL)
- return;
-
- dns_name_free(&nsec->next, nsec->mctx);
- if (nsec->typebits != NULL)
- isc_mem_free(nsec->mctx, nsec->typebits);
- nsec->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_nsec(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 47);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_nsec(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 47);
-
- dns_rdata_toregion(rdata, &r);
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_nsec(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 47);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_nsec(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 47);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_NSEC_47_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.h b/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
deleted file mode 100644
index d76a25cc43db..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NSEC_47_H
-#define GENERIC_NSEC_47_H 1
-
-/* $Id: nsec_47.h,v 1.4.2.1 2004/03/08 02:08:03 marka Exp $ */
-
-/* draft-ietf-dnsext-nsec-rdata-01.txt */
-
-typedef struct dns_rdata_nsec {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t next;
- unsigned char *typebits;
- isc_uint16_t len;
-} dns_rdata_nsec_t;
-
-#endif /* GENERIC_NSEC_47_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.c b/contrib/bind9/lib/dns/rdata/generic/null_10.c
deleted file mode 100644
index 492044d9c76a..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/null_10.c
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: null_10.c,v 1.35.2.1.10.4 2004/03/08 09:04:41 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
-
-#ifndef RDATA_GENERIC_NULL_10_C
-#define RDATA_GENERIC_NULL_10_C
-
-#define RRTYPE_NULL_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_null(ARGS_FROMTEXT) {
- REQUIRE(type == 10);
-
- UNUSED(rdclass);
- UNUSED(type);
- UNUSED(lexer);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(target);
- UNUSED(callbacks);
-
- return (DNS_R_SYNTAX);
-}
-
-static inline isc_result_t
-totext_null(ARGS_TOTEXT) {
- REQUIRE(rdata->type == 10);
-
- UNUSED(rdata);
- UNUSED(tctx);
- UNUSED(target);
-
- return (DNS_R_SYNTAX);
-}
-
-static inline isc_result_t
-fromwire_null(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 10);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_null(ARGS_TOWIRE) {
- REQUIRE(rdata->type == 10);
-
- UNUSED(cctx);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_null(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 10);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_null(ARGS_FROMSTRUCT) {
- dns_rdata_null_t *null = source;
-
- REQUIRE(type == 10);
- REQUIRE(source != NULL);
- REQUIRE(null->common.rdtype == type);
- REQUIRE(null->common.rdclass == rdclass);
- REQUIRE(null->data != NULL || null->length == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (mem_tobuffer(target, null->data, null->length));
-}
-
-static inline isc_result_t
-tostruct_null(ARGS_TOSTRUCT) {
- dns_rdata_null_t *null = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 10);
- REQUIRE(target != NULL);
-
- null->common.rdclass = rdata->rdclass;
- null->common.rdtype = rdata->type;
- ISC_LINK_INIT(&null->common, link);
-
- dns_rdata_toregion(rdata, &r);
- null->length = r.length;
- null->data = mem_maybedup(mctx, r.base, r.length);
- if (null->data == NULL)
- return (ISC_R_NOMEMORY);
-
- null->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_null(ARGS_FREESTRUCT) {
- dns_rdata_null_t *null = source;
-
- REQUIRE(source != NULL);
- REQUIRE(null->common.rdtype == 10);
-
- if (null->mctx == NULL)
- return;
-
- if (null->data != NULL)
- isc_mem_free(null->mctx, null->data);
- null->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_null(ARGS_ADDLDATA) {
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- REQUIRE(rdata->type == 10);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_null(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 10);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_null(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 10);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_null(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 10);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_NULL_10_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.h b/contrib/bind9/lib/dns/rdata/generic/null_10.h
deleted file mode 100644
index 44a9e8f785f5..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/null_10.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NULL_10_H
-#define GENERIC_NULL_10_H 1
-
-/* $Id: null_10.h,v 1.20.206.1 2004/03/06 08:14:09 marka Exp $ */
-
-typedef struct dns_rdata_null {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t length;
- unsigned char *data;
-} dns_rdata_null_t;
-
-
-#endif /* GENERIC_NULL_10_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
deleted file mode 100644
index e4dba7fb2727..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
+++ /dev/null
@@ -1,329 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nxt_30.c,v 1.49.2.2.2.9 2004/03/08 09:04:41 marka Exp $ */
-
-/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
-
-/* RFC 2535 */
-
-#ifndef RDATA_GENERIC_NXT_30_C
-#define RDATA_GENERIC_NXT_30_C
-
-/*
- * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
- * because we must be able to handle a parent/child NXT pair.
- */
-#define RRTYPE_NXT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_nxt(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- char *e;
- unsigned char bm[8*1024]; /* 64k bits */
- dns_rdatatype_t covered;
- dns_rdatatype_t maxcovered = 0;
- isc_boolean_t first = ISC_TRUE;
- long n;
-
- REQUIRE(type == 30);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Next domain.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
- memset(bm, 0, sizeof(bm));
- do {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string, ISC_TRUE));
- if (token.type != isc_tokentype_string)
- break;
- n = strtol(DNS_AS_STR(token), &e, 10);
- if (e != DNS_AS_STR(token) && *e == '\0') {
- covered = (dns_rdatatype_t)n;
- } else if (dns_rdatatype_fromtext(&covered,
- &token.value.as_textregion) == DNS_R_UNKNOWN)
- RETTOK(DNS_R_UNKNOWN);
- /*
- * NXT is only specified for types 1..127.
- */
- if (covered < 1 || covered > 127)
- return (ISC_R_RANGE);
- if (first || covered > maxcovered)
- maxcovered = covered;
- first = ISC_FALSE;
- bm[covered/8] |= (0x80>>(covered%8));
- } while (1);
- isc_lex_ungettoken(lexer, &token);
- if (first)
- return (ISC_R_SUCCESS);
- n = (maxcovered + 8) / 8;
- return (mem_tobuffer(target, bm, n));
-}
-
-static inline isc_result_t
-totext_nxt(ARGS_TOTEXT) {
- isc_region_t sr;
- unsigned int i, j;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 30);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
- dns_rdata_toregion(rdata, &sr);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
-
- for (i = 0; i < sr.length; i++) {
- if (sr.base[i] != 0)
- for (j = 0; j < 8; j++)
- if ((sr.base[i] & (0x80 >> j)) != 0) {
- dns_rdatatype_t t = i * 8 + j;
- RETERR(str_totext(" ", target));
- if (dns_rdatatype_isknown(t)) {
- RETERR(dns_rdatatype_totext(t,
- target));
- } else {
- char buf[sizeof("65535")];
- sprintf(buf, "%u", t);
- RETERR(str_totext(buf,
- target));
- }
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_nxt(ARGS_FROMWIRE) {
- isc_region_t sr;
- dns_name_t name;
-
- REQUIRE(type == 30);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
- RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length > 0 && (sr.base[0] & 0x80) == 0 &&
- ((sr.length > 16) || sr.base[sr.length - 1] == 0))
- return (DNS_R_BADBITMAP);
- RETERR(mem_tobuffer(target, sr.base, sr.length));
- isc_buffer_forward(source, sr.length);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_nxt(ARGS_TOWIRE) {
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
-
- REQUIRE(rdata->type == 30);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &sr);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- RETERR(dns_name_towire(&name, cctx, target));
-
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_nxt(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
- dns_name_t name1;
- dns_name_t name2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 30);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- dns_name_fromregion(&name1, &r1);
- dns_name_fromregion(&name2, &r2);
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
-
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_nxt(ARGS_FROMSTRUCT) {
- dns_rdata_nxt_t *nxt = source;
- isc_region_t region;
-
- REQUIRE(type == 30);
- REQUIRE(source != NULL);
- REQUIRE(nxt->common.rdtype == type);
- REQUIRE(nxt->common.rdclass == rdclass);
- REQUIRE(nxt->typebits != NULL || nxt->len == 0);
- if (nxt->typebits != NULL && (nxt->typebits[0] & 0x80) == 0) {
- REQUIRE(nxt->len <= 16);
- REQUIRE(nxt->typebits[nxt->len - 1] != 0);
- }
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&nxt->next, &region);
- RETERR(isc_buffer_copyregion(target, &region));
-
- return (mem_tobuffer(target, nxt->typebits, nxt->len));
-}
-
-static inline isc_result_t
-tostruct_nxt(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_nxt_t *nxt = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 30);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- nxt->common.rdclass = rdata->rdclass;
- nxt->common.rdtype = rdata->type;
- ISC_LINK_INIT(&nxt->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- isc_region_consume(&region, name_length(&name));
- dns_name_init(&nxt->next, NULL);
- RETERR(name_duporclone(&name, mctx, &nxt->next));
-
- nxt->len = region.length;
- nxt->typebits = mem_maybedup(mctx, region.base, region.length);
- if (nxt->typebits == NULL)
- goto cleanup;
-
- nxt->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&nxt->next, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_nxt(ARGS_FREESTRUCT) {
- dns_rdata_nxt_t *nxt = source;
-
- REQUIRE(source != NULL);
- REQUIRE(nxt->common.rdtype == 30);
-
- if (nxt->mctx == NULL)
- return;
-
- dns_name_free(&nxt->next, nxt->mctx);
- if (nxt->typebits != NULL)
- isc_mem_free(nxt->mctx, nxt->typebits);
- nxt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_nxt(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 30);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_nxt(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
- isc_result_t result;
-
- REQUIRE(rdata->type == 30);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
- result = dns_name_digest(&name, digest, arg);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_region_consume(&r, name_length(&name));
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_nxt(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 30);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_nxt(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 30);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_NXT_30_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.h b/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
deleted file mode 100644
index 540135f72c91..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_NXT_30_H
-#define GENERIC_NXT_30_H 1
-
-/* $Id: nxt_30.h,v 1.18.12.3 2004/03/08 09:04:41 marka Exp $ */
-
-/* RFC 2535 */
-
-typedef struct dns_rdata_nxt {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t next;
- unsigned char *typebits;
- isc_uint16_t len;
-} dns_rdata_nxt_t;
-
-#endif /* GENERIC_NXT_30_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.c b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
deleted file mode 100644
index ac74a28529e0..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/opt_41.c
+++ /dev/null
@@ -1,280 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: opt_41.c,v 1.25.12.4 2004/03/08 09:04:41 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
-
-/* RFC 2671 */
-
-#ifndef RDATA_GENERIC_OPT_41_C
-#define RDATA_GENERIC_OPT_41_C
-
-#define RRTYPE_OPT_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON | \
- DNS_RDATATYPEATTR_META | \
- DNS_RDATATYPEATTR_NOTQUESTION)
-
-static inline isc_result_t
-fromtext_opt(ARGS_FROMTEXT) {
- /*
- * OPT records do not have a text format.
- */
-
- REQUIRE(type == 41);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(lexer);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(target);
- UNUSED(callbacks);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-totext_opt(ARGS_TOTEXT) {
- isc_region_t r;
- isc_region_t or;
- isc_uint16_t option;
- isc_uint16_t length;
- char buf[sizeof("64000 64000")];
-
- /*
- * OPT records do not have a text format.
- */
-
- REQUIRE(rdata->type == 41);
-
- dns_rdata_toregion(rdata, &r);
- while (r.length > 0) {
- option = uint16_fromregion(&r);
- isc_region_consume(&r, 2);
- length = uint16_fromregion(&r);
- isc_region_consume(&r, 2);
- sprintf(buf, "%u %u", option, length);
- RETERR(str_totext(buf, target));
- INSIST(r.length >= length);
- if (length > 0) {
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- or = r;
- or.length = length;
- RETERR(isc_base64_totext(&or, tctx->width - 2,
- tctx->linebreak, target));
- isc_region_consume(&r, length);
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
- }
- if (r.length > 0)
- RETERR(str_totext(" ", target));
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_opt(ARGS_FROMWIRE) {
- isc_region_t sregion;
- isc_region_t tregion;
- isc_uint16_t length;
- unsigned int total;
-
- REQUIRE(type == 41);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sregion);
- total = 0;
- while (sregion.length != 0) {
- if (sregion.length < 4)
- return (ISC_R_UNEXPECTEDEND);
- /*
- * Eat the 16bit option code. There is nothing to
- * be done with it currently.
- */
- isc_region_consume(&sregion, 2);
- length = uint16_fromregion(&sregion);
- isc_region_consume(&sregion, 2);
- total += 4;
- if (sregion.length < length)
- return (ISC_R_UNEXPECTEDEND);
- isc_region_consume(&sregion, length);
- total += length;
- }
-
- isc_buffer_activeregion(source, &sregion);
- isc_buffer_availableregion(target, &tregion);
- if (tregion.length < total)
- return (ISC_R_NOSPACE);
- memcpy(tregion.base, sregion.base, total);
- isc_buffer_forward(source, total);
- isc_buffer_add(target, total);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_opt(ARGS_TOWIRE) {
-
- REQUIRE(rdata->type == 41);
-
- UNUSED(cctx);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_opt(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 41);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_opt(ARGS_FROMSTRUCT) {
- dns_rdata_opt_t *opt = source;
- isc_region_t region;
- isc_uint16_t length;
-
- REQUIRE(type == 41);
- REQUIRE(source != NULL);
- REQUIRE(opt->common.rdtype == type);
- REQUIRE(opt->common.rdclass == rdclass);
- REQUIRE(opt->options != NULL || opt->length == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- region.base = opt->options;
- region.length = opt->length;
- while (region.length >= 4) {
- isc_region_consume(&region, 2); /* opt */
- length = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- if (region.length < length)
- return (ISC_R_UNEXPECTEDEND);
- isc_region_consume(&region, length);
- }
- if (region.length != 0)
- return (ISC_R_UNEXPECTEDEND);
-
- return (mem_tobuffer(target, opt->options, opt->length));
-}
-
-static inline isc_result_t
-tostruct_opt(ARGS_TOSTRUCT) {
- dns_rdata_opt_t *opt = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 41);
- REQUIRE(target != NULL);
-
- opt->common.rdclass = rdata->rdclass;
- opt->common.rdtype = rdata->type;
- ISC_LINK_INIT(&opt->common, link);
-
- dns_rdata_toregion(rdata, &r);
- opt->length = r.length;
- opt->options = mem_maybedup(mctx, r.base, r.length);
- if (opt->options == NULL)
- return (ISC_R_NOMEMORY);
-
- opt->offset = 0;
- opt->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_opt(ARGS_FREESTRUCT) {
- dns_rdata_opt_t *opt = source;
-
- REQUIRE(source != NULL);
- REQUIRE(opt->common.rdtype == 41);
-
- if (opt->mctx == NULL)
- return;
-
- if (opt->options != NULL)
- isc_mem_free(opt->mctx, opt->options);
- opt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_opt(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 41);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_opt(ARGS_DIGEST) {
-
- /*
- * OPT records are not digested.
- */
-
- REQUIRE(rdata->type == 41);
-
- UNUSED(rdata);
- UNUSED(digest);
- UNUSED(arg);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_boolean_t
-checkowner_opt(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 41);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (dns_name_equal(name, dns_rootname));
-}
-
-static inline isc_boolean_t
-checknames_opt(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 41);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_OPT_41_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.h b/contrib/bind9/lib/dns/rdata/generic/opt_41.h
deleted file mode 100644
index c70ad90fd5da..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/opt_41.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_OPT_41_H
-#define GENERIC_OPT_41_H 1
-
-/* $Id: opt_41.h,v 1.13.206.1 2004/03/06 08:14:10 marka Exp $ */
-
-/* RFC 2671 */
-
-typedef struct dns_rdata_opt_opcode {
- isc_uint16_t opcode;
- isc_uint16_t length;
- unsigned char *data;
-} dns_rdata_opt_opcode_t;
-
-typedef struct dns_rdata_opt {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- unsigned char *options;
- isc_uint16_t length;
- /* private */
- isc_uint16_t offset;
-} dns_rdata_opt_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_opt_first(dns_rdata_opt_t *);
-
-isc_result_t
-dns_rdata_opt_next(dns_rdata_opt_t *);
-
-isc_result_t
-dns_rdata_opt_current(dns_rdata_opt_t *, dns_rdata_opt_opcode_t *);
-
-#endif /* GENERIC_OPT_41_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.c b/contrib/bind9/lib/dns/rdata/generic/proforma.c
deleted file mode 100644
index 21c65775e67a..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/proforma.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: proforma.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
-
-#ifndef RDATA_GENERIC_#_#_C
-#define RDATA_GENERIC_#_#_C
-
-#define RRTYPE_#_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_#(ARGS_FROMTEXT) {
- isc_token_t token;
-
- REQUIRE(type == #);
- REQUIRE(rdclass == #);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-totext_#(ARGS_TOTEXT) {
-
- REQUIRE(rdata->type == #);
- REQUIRE(rdata->rdclass == #);
- REQUIRE(rdata->length != 0); /* XXX */
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-fromwire_#(ARGS_FROMWIRE) {
-
- REQUIRE(type == #);
- REQUIRE(rdclass == #);
-
- /* NONE or GLOBAL14 */
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-towire_#(ARGS_TOWIRE) {
-
- REQUIRE(rdata->type == #);
- REQUIRE(rdata->rdclass == #);
- REQUIRE(rdata->length != 0); /* XXX */
-
- /* NONE or GLOBAL14 */
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline int
-compare_#(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == #);
- REQUIRE(rdata1->rdclass == #);
- REQUIRE(rdata1->length != 0); /* XXX */
- REQUIRE(rdata2->length != 0); /* XXX */
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_#(ARGS_FROMSTRUCT) {
- dns_rdata_#_t *# = source;
-
- REQUIRE(type == #);
- REQUIRE(rdclass == #);
- REQUIRE(source != NULL);
- REQUIRE(#->common.rdtype == type);
- REQUIRE(#->common.rdclass == rdclass);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_result_t
-tostruct_#(ARGS_TOSTRUCT) {
-
- REQUIRE(rdata->type == #);
- REQUIRE(rdata->rdclass == #);
- REQUIRE(rdata->length != 0); /* XXX */
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline void
-freestruct_#(ARGS_FREESTRUCT) {
- dns_rdata_#_t *# = source;
-
- REQUIRE(source != NULL);
- REQUIRE(#->common.rdtype == #);
- REQUIRE(#->common.rdclass == #);
-
-}
-
-static inline isc_result_t
-additionaldata_#(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == #);
- REQUIRE(rdata->rdclass == #);
-
- (void)add;
- (void)arg;
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_#(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == #);
- REQUIRE(rdata->rdclass == #);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_#(ARGS_CHECKOWNER) {
-
- REQUIRE(type == #);
- REQUIRE(rdclass == #);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_#(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == #);
- REQUIRE(rdata->rdclass == #);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_#_#_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.h b/contrib/bind9/lib/dns/rdata/generic/proforma.h
deleted file mode 100644
index 5d5090e03338..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/proforma.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_PROFORMA_H
-#define GENERIC_PROFORMA_H 1
-
-/* $Id: proforma.h,v 1.18.206.1 2004/03/06 08:14:11 marka Exp $ */
-
-typedef struct dns_rdata_# {
- dns_rdatacommon_t common;
- isc_mem_t *mctx; /* if required */
- /* type & class specific elements */
-} dns_rdata_#_t;
-
-#endif /* GENERIC_PROFORMA_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
deleted file mode 100644
index 9be93b332922..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
+++ /dev/null
@@ -1,291 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ptr_12.c,v 1.39.206.2 2004/03/06 08:14:11 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
-
-#ifndef RDATA_GENERIC_PTR_12_C
-#define RDATA_GENERIC_PTR_12_C
-
-#define RRTYPE_PTR_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_ptr(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 12);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- if (rdclass == dns_rdataclass_in &&
- (options & DNS_RDATA_CHECKNAMES) != 0 &&
- (options & DNS_RDATA_CHECKREVERSE) != 0) {
- isc_boolean_t ok;
- ok = dns_name_ishostname(&name, ISC_FALSE);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_ptr(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 12);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_ptr(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 12);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_ptr(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 12);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_ptr(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 12);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_ptr(ARGS_FROMSTRUCT) {
- dns_rdata_ptr_t *ptr = source;
- isc_region_t region;
-
- REQUIRE(type == 12);
- REQUIRE(source != NULL);
- REQUIRE(ptr->common.rdtype == type);
- REQUIRE(ptr->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&ptr->ptr, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_ptr(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_ptr_t *ptr = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 12);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- ptr->common.rdclass = rdata->rdclass;
- ptr->common.rdtype = rdata->type;
- ISC_LINK_INIT(&ptr->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&ptr->ptr, NULL);
- RETERR(name_duporclone(&name, mctx, &ptr->ptr));
- ptr->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_ptr(ARGS_FREESTRUCT) {
- dns_rdata_ptr_t *ptr = source;
-
- REQUIRE(source != NULL);
- REQUIRE(ptr->common.rdtype == 12);
-
- if (ptr->mctx == NULL)
- return;
-
- dns_name_free(&ptr->ptr, ptr->mctx);
- ptr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_ptr(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 12);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_ptr(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 12);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_ptr(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 12);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static unsigned char ip6_arpa_data[] = "\003IP6\004ARPA";
-static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
-static const dns_name_t ip6_arpa =
-{
- DNS_NAME_MAGIC,
- ip6_arpa_data, 10, 3,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- ip6_arpa_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-static unsigned char ip6_int_data[] = "\003IP6\003INT";
-static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
-static const dns_name_t ip6_int =
-{
- DNS_NAME_MAGIC,
- ip6_int_data, 9, 3,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- ip6_int_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-static unsigned char in_addr_arpa_data[] = "\007IN-ADDR\004ARPA";
-static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
-static const dns_name_t in_addr_arpa =
-{
- DNS_NAME_MAGIC,
- in_addr_arpa_data, 14, 3,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- in_addr_arpa_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-static inline isc_boolean_t
-checknames_ptr(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 12);
-
- if (rdata->rdclass != dns_rdataclass_in)
- return (ISC_TRUE);
-
- if (dns_name_issubdomain(owner, &in_addr_arpa) ||
- dns_name_issubdomain(owner, &ip6_arpa) ||
- dns_name_issubdomain(owner, &ip6_int)) {
- dns_rdata_toregion(rdata, &region);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_PTR_12_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.h b/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
deleted file mode 100644
index 53e792005f54..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_PTR_12_H
-#define GENERIC_PTR_12_H 1
-
-/* $Id: ptr_12.h,v 1.22.206.1 2004/03/06 08:14:11 marka Exp $ */
-
-typedef struct dns_rdata_ptr {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t ptr;
-} dns_rdata_ptr_t;
-
-#endif /* GENERIC_PTR_12_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.c b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
deleted file mode 100644
index 27e02ee22b2b..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/rp_17.c
+++ /dev/null
@@ -1,314 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rp_17.c,v 1.35.12.4 2004/03/08 09:04:42 marka Exp $ */
-
-/* RFC 1183 */
-
-#ifndef RDATA_GENERIC_RP_17_C
-#define RDATA_GENERIC_RP_17_C
-
-#define RRTYPE_RP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_rp(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- int i;
- isc_boolean_t ok;
-
- REQUIRE(type == 17);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- origin = (origin != NULL) ? origin : dns_rootname;
-
- for (i = 0; i < 2; i++) {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- RETTOK(dns_name_fromtext(&name, &buffer, origin,
- options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0 && i == 0)
- ok = dns_name_ismailbox(&name);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_rp(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t rmail;
- dns_name_t email;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 17);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&rmail, NULL);
- dns_name_init(&email, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
-
- dns_name_fromregion(&rmail, &region);
- isc_region_consume(&region, rmail.length);
-
- dns_name_fromregion(&email, &region);
- isc_region_consume(&region, email.length);
-
- sub = name_prefix(&rmail, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
-
- RETERR(str_totext(" ", target));
-
- sub = name_prefix(&email, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_rp(ARGS_FROMWIRE) {
- dns_name_t rmail;
- dns_name_t email;
-
- REQUIRE(type == 17);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&rmail, NULL);
- dns_name_init(&email, NULL);
-
- RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
- return (dns_name_fromwire(&email, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_rp(ARGS_TOWIRE) {
- isc_region_t region;
- dns_name_t rmail;
- dns_name_t email;
- dns_offsets_t roffsets;
- dns_offsets_t eoffsets;
-
- REQUIRE(rdata->type == 17);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_name_init(&rmail, roffsets);
- dns_name_init(&email, eoffsets);
-
- dns_rdata_toregion(rdata, &region);
-
- dns_name_fromregion(&rmail, &region);
- isc_region_consume(&region, rmail.length);
-
- RETERR(dns_name_towire(&rmail, cctx, target));
-
- dns_name_fromregion(&rmail, &region);
- isc_region_consume(&region, rmail.length);
-
- return (dns_name_towire(&rmail, cctx, target));
-}
-
-static inline int
-compare_rp(ARGS_COMPARE) {
- isc_region_t region1;
- isc_region_t region2;
- dns_name_t name1;
- dns_name_t name2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 17);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
-
- isc_region_consume(&region1, name_length(&name1));
- isc_region_consume(&region2, name_length(&name2));
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_rp(ARGS_FROMSTRUCT) {
- dns_rdata_rp_t *rp = source;
- isc_region_t region;
-
- REQUIRE(type == 17);
- REQUIRE(source != NULL);
- REQUIRE(rp->common.rdtype == type);
- REQUIRE(rp->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&rp->mail, &region);
- RETERR(isc_buffer_copyregion(target, &region));
- dns_name_toregion(&rp->text, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_rp(ARGS_TOSTRUCT) {
- isc_result_t result;
- isc_region_t region;
- dns_rdata_rp_t *rp = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 17);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- rp->common.rdclass = rdata->rdclass;
- rp->common.rdtype = rdata->type;
- ISC_LINK_INIT(&rp->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&rp->mail, NULL);
- RETERR(name_duporclone(&name, mctx, &rp->mail));
- isc_region_consume(&region, name_length(&name));
- dns_name_fromregion(&name, &region);
- dns_name_init(&rp->text, NULL);
- result = name_duporclone(&name, mctx, &rp->text);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- rp->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&rp->mail, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_rp(ARGS_FREESTRUCT) {
- dns_rdata_rp_t *rp = source;
-
- REQUIRE(source != NULL);
- REQUIRE(rp->common.rdtype == 17);
-
- if (rp->mctx == NULL)
- return;
-
- dns_name_free(&rp->mail, rp->mctx);
- dns_name_free(&rp->text, rp->mctx);
- rp->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_rp(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 17);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_rp(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 17);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
-
- dns_name_fromregion(&name, &r);
- RETERR(dns_name_digest(&name, digest, arg));
- isc_region_consume(&r, name_length(&name));
-
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_rp(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 17);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_rp(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 17);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ismailbox(&name)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_RP_17_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.h b/contrib/bind9/lib/dns/rdata/generic/rp_17.h
deleted file mode 100644
index a88b9c00b5e1..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/rp_17.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_RP_17_H
-#define GENERIC_RP_17_H 1
-
-/* $Id: rp_17.h,v 1.16.206.1 2004/03/06 08:14:11 marka Exp $ */
-
-/* RFC 1183 */
-
-typedef struct dns_rdata_rp {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t mail;
- dns_name_t text;
-} dns_rdata_rp_t;
-
-
-#endif /* GENERIC_RP_17_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
deleted file mode 100644
index ad4329539832..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
+++ /dev/null
@@ -1,551 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rrsig_46.c,v 1.4.2.3 2004/06/24 00:58:06 marka Exp $ */
-
-/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
-
-/* RFC 2535 */
-
-#ifndef RDATA_GENERIC_RRSIG_46_C
-#define RDATA_GENERIC_RRSIG_46_C
-
-#define RRTYPE_RRSIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
-
-static inline isc_result_t
-fromtext_rrsig(ARGS_FROMTEXT) {
- isc_token_t token;
- unsigned char c;
- long i;
- dns_rdatatype_t covered;
- char *e;
- isc_result_t result;
- dns_name_t name;
- isc_buffer_t buffer;
- isc_uint32_t time_signed, time_expire;
-
- REQUIRE(type == 46);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Type covered.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
- i = strtol(DNS_AS_STR(token), &e, 10);
- if (i < 0 || i > 65535)
- RETTOK(ISC_R_RANGE);
- if (*e != 0)
- RETTOK(result);
- covered = (dns_rdatatype_t)i;
- }
- RETERR(uint16_tobuffer(covered, target));
-
- /*
- * Algorithm.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &c, 1));
-
- /*
- * Labels.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffU)
- RETTOK(ISC_R_RANGE);
- c = (unsigned char)token.value.as_ulong;
- RETERR(mem_tobuffer(target, &c, 1));
-
- /*
- * Original ttl.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
- /*
- * Signature expiration.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
- RETERR(uint32_tobuffer(time_expire, target));
-
- /*
- * Time signed.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
- RETERR(uint32_tobuffer(time_signed, target));
-
- /*
- * Key footprint.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Signer.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
- /*
- * Sig.
- */
- return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_rrsig(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("4294967295")];
- dns_rdatatype_t covered;
- unsigned long ttl;
- unsigned long when;
- unsigned long exp;
- unsigned long foot;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 46);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Type covered.
- */
- covered = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- /*
- * XXXAG We should have something like dns_rdatatype_isknown()
- * that does the right thing with type 0.
- */
- if (dns_rdatatype_isknown(covered) && covered != 0) {
- RETERR(dns_rdatatype_totext(covered, target));
- } else {
- char buf[sizeof("TYPE65535")];
- sprintf(buf, "TYPE%u", covered);
- RETERR(str_totext(buf, target));
- }
- RETERR(str_totext(" ", target));
-
- /*
- * Algorithm.
- */
- sprintf(buf, "%u", sr.base[0]);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Labels.
- */
- sprintf(buf, "%u", sr.base[0]);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Ttl.
- */
- ttl = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- sprintf(buf, "%lu", ttl);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Sig exp.
- */
- exp = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- RETERR(dns_time32_totext(exp, target));
-
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
-
- /*
- * Time signed.
- */
- when = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- RETERR(dns_time32_totext(when, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Footprint.
- */
- foot = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%lu", foot);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Signer.
- */
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
-
- /*
- * Sig.
- */
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_rrsig(ARGS_FROMWIRE) {
- isc_region_t sr;
- dns_name_t name;
-
- REQUIRE(type == 46);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- isc_buffer_activeregion(source, &sr);
- /*
- * type covered: 2
- * algorithm: 1
- * labels: 1
- * original ttl: 4
- * signature expiration: 4
- * time signed: 4
- * key footprint: 2
- */
- if (sr.length < 18)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, 18);
- RETERR(mem_tobuffer(target, sr.base, 18));
-
- /*
- * Signer.
- */
- dns_name_init(&name, NULL);
- RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
- /*
- * Sig.
- */
- isc_buffer_activeregion(source, &sr);
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_rrsig(ARGS_TOWIRE) {
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
-
- REQUIRE(rdata->type == 46);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_rdata_toregion(rdata, &sr);
- /*
- * type covered: 2
- * algorithm: 1
- * labels: 1
- * original ttl: 4
- * signature expiration: 4
- * time signed: 4
- * key footprint: 2
- */
- RETERR(mem_tobuffer(target, sr.base, 18));
- isc_region_consume(&sr, 18);
-
- /*
- * Signer.
- */
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- RETERR(dns_name_towire(&name, cctx, target));
-
- /*
- * Signature.
- */
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_rrsig(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 46);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_rrsig(ARGS_FROMSTRUCT) {
- dns_rdata_rrsig_t *sig = source;
-
- REQUIRE(type == 46);
- REQUIRE(source != NULL);
- REQUIRE(sig->common.rdtype == type);
- REQUIRE(sig->common.rdclass == rdclass);
- REQUIRE(sig->signature != NULL || sig->siglen == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- /*
- * Type covered.
- */
- RETERR(uint16_tobuffer(sig->covered, target));
-
- /*
- * Algorithm.
- */
- RETERR(uint8_tobuffer(sig->algorithm, target));
-
- /*
- * Labels.
- */
- RETERR(uint8_tobuffer(sig->labels, target));
-
- /*
- * Original TTL.
- */
- RETERR(uint32_tobuffer(sig->originalttl, target));
-
- /*
- * Expire time.
- */
- RETERR(uint32_tobuffer(sig->timeexpire, target));
-
- /*
- * Time signed.
- */
- RETERR(uint32_tobuffer(sig->timesigned, target));
-
- /*
- * Key ID.
- */
- RETERR(uint16_tobuffer(sig->keyid, target));
-
- /*
- * Signer name.
- */
- RETERR(name_tobuffer(&sig->signer, target));
-
- /*
- * Signature.
- */
- return (mem_tobuffer(target, sig->signature, sig->siglen));
-}
-
-static inline isc_result_t
-tostruct_rrsig(ARGS_TOSTRUCT) {
- isc_region_t sr;
- dns_rdata_rrsig_t *sig = target;
- dns_name_t signer;
-
- REQUIRE(rdata->type == 46);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- sig->common.rdclass = rdata->rdclass;
- sig->common.rdtype = rdata->type;
- ISC_LINK_INIT(&sig->common, link);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Type covered.
- */
- sig->covered = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Algorithm.
- */
- sig->algorithm = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /*
- * Labels.
- */
- sig->labels = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /*
- * Original TTL.
- */
- sig->originalttl = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Expire time.
- */
- sig->timeexpire = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Time signed.
- */
- sig->timesigned = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Key ID.
- */
- sig->keyid = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- dns_name_init(&signer, NULL);
- dns_name_fromregion(&signer, &sr);
- dns_name_init(&sig->signer, NULL);
- RETERR(name_duporclone(&signer, mctx, &sig->signer));
- isc_region_consume(&sr, name_length(&sig->signer));
-
- /*
- * Signature.
- */
- sig->siglen = sr.length;
- sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
- if (sig->signature == NULL)
- goto cleanup;
-
-
- sig->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&sig->signer, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_rrsig(ARGS_FREESTRUCT) {
- dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *) source;
-
- REQUIRE(source != NULL);
- REQUIRE(sig->common.rdtype == 46);
-
- if (sig->mctx == NULL)
- return;
-
- dns_name_free(&sig->signer, sig->mctx);
- if (sig->signature != NULL)
- isc_mem_free(sig->mctx, sig->signature);
- sig->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_rrsig(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 46);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_rrsig(ARGS_DIGEST) {
-
- REQUIRE(rdata->type == 46);
-
- UNUSED(rdata);
- UNUSED(digest);
- UNUSED(arg);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline dns_rdatatype_t
-covers_rrsig(dns_rdata_t *rdata) {
- dns_rdatatype_t type;
- isc_region_t r;
-
- REQUIRE(rdata->type == 46);
-
- dns_rdata_toregion(rdata, &r);
- type = uint16_fromregion(&r);
-
- return (type);
-}
-
-static inline isc_boolean_t
-checkowner_rrsig(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 46);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_rrsig(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 46);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_RRSIG_46_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
deleted file mode 100644
index 148604b7b266..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_DNSSIG_46_H
-#define GENERIC_DNSSIG_46_H 1
-
-/* $Id: rrsig_46.h,v 1.3.2.1 2004/03/08 02:08:04 marka Exp $ */
-
-/* RFC 2535 */
-typedef struct dns_rdata_rrsig {
- dns_rdatacommon_t common;
- isc_mem_t * mctx;
- dns_rdatatype_t covered;
- dns_secalg_t algorithm;
- isc_uint8_t labels;
- isc_uint32_t originalttl;
- isc_uint32_t timeexpire;
- isc_uint32_t timesigned;
- isc_uint16_t keyid;
- dns_name_t signer;
- isc_uint16_t siglen;
- unsigned char * signature;
-} dns_rdata_rrsig_t;
-
-
-#endif /* GENERIC_DNSSIG_46_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.c b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
deleted file mode 100644
index daf9756ff98b..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/rt_21.c
+++ /dev/null
@@ -1,311 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rt_21.c,v 1.37.2.1.2.5 2005/03/17 03:58:31 marka Exp $ */
-
-/* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
-
-/* RFC 1183 */
-
-#ifndef RDATA_GENERIC_RT_21_C
-#define RDATA_GENERIC_RT_21_C
-
-#define RRTYPE_RT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_rt(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- isc_boolean_t ok;
-
- REQUIRE(type == 21);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- ok = dns_name_ishostname(&name, ISC_FALSE);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_rt(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- char buf[sizeof("64000")];
- unsigned short num;
-
- REQUIRE(rdata->type == 21);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_rt(ARGS_FROMWIRE) {
- dns_name_t name;
- isc_region_t sregion;
- isc_region_t tregion;
-
- REQUIRE(type == 21);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
-
- isc_buffer_activeregion(source, &sregion);
- isc_buffer_availableregion(target, &tregion);
- if (tregion.length < 2)
- return (ISC_R_NOSPACE);
- if (sregion.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- memcpy(tregion.base, sregion.base, 2);
- isc_buffer_forward(source, 2);
- isc_buffer_add(target, 2);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_rt(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
- isc_region_t tr;
-
- REQUIRE(rdata->type == 21);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- isc_buffer_availableregion(target, &tr);
- dns_rdata_toregion(rdata, &region);
- if (tr.length < 2)
- return (ISC_R_NOSPACE);
- memcpy(tr.base, region.base, 2);
- isc_region_consume(&region, 2);
- isc_buffer_add(target, 2);
-
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_rt(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 21);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- order = memcmp(rdata1->data, rdata2->data, 2);
- if (order != 0)
- return (order < 0 ? -1 : 1);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- isc_region_consume(&region1, 2);
- isc_region_consume(&region2, 2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_rt(ARGS_FROMSTRUCT) {
- dns_rdata_rt_t *rt = source;
- isc_region_t region;
-
- REQUIRE(type == 21);
- REQUIRE(source != NULL);
- REQUIRE(rt->common.rdtype == type);
- REQUIRE(rt->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(rt->preference, target));
- dns_name_toregion(&rt->host, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_rt(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_rt_t *rt = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 21);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- rt->common.rdclass = rdata->rdclass;
- rt->common.rdtype = rdata->type;
- ISC_LINK_INIT(&rt->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- rt->preference = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- dns_name_fromregion(&name, &region);
- dns_name_init(&rt->host, NULL);
- RETERR(name_duporclone(&name, mctx, &rt->host));
-
- rt->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_rt(ARGS_FREESTRUCT) {
- dns_rdata_rt_t *rt = source;
-
- REQUIRE(source != NULL);
- REQUIRE(rt->common.rdtype == 21);
-
- if (rt->mctx == NULL)
- return;
-
- dns_name_free(&rt->host, rt->mctx);
- rt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_rt(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
- isc_result_t result;
-
- REQUIRE(rdata->type == 21);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 2);
- dns_name_fromregion(&name, &region);
-
- result = (add)(arg, &name, dns_rdatatype_x25);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = (add)(arg, &name, dns_rdatatype_isdn);
- if (result != ISC_R_SUCCESS)
- return (result);
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_rt(ARGS_DIGEST) {
- isc_region_t r1, r2;
- isc_result_t result;
- dns_name_t name;
-
- REQUIRE(rdata->type == 21);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- isc_region_consume(&r2, 2);
- r1.length = 2;
- result = (digest)(arg, &r1);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_rt(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 21);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_rt(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 21);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 2);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_RT_21_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.h b/contrib/bind9/lib/dns/rdata/generic/rt_21.h
deleted file mode 100644
index 32b0352d5791..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/rt_21.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_RT_21_H
-#define GENERIC_RT_21_H 1
-
-/* $Id: rt_21.h,v 1.16.206.1 2004/03/06 08:14:12 marka Exp $ */
-
-/* RFC 1183 */
-
-typedef struct dns_rdata_rt {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t preference;
- dns_name_t host;
-} dns_rdata_rt_t;
-
-#endif /* GENERIC_RT_21_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.c b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
deleted file mode 100644
index 39cb0644d6a9..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/sig_24.c
+++ /dev/null
@@ -1,578 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sig_24.c,v 1.54.2.1.2.7 2004/03/08 09:04:42 marka Exp $ */
-
-/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
-
-/* RFC 2535 */
-
-#ifndef RDATA_GENERIC_SIG_24_C
-#define RDATA_GENERIC_SIG_24_C
-
-#define RRTYPE_SIG_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_sig(ARGS_FROMTEXT) {
- isc_token_t token;
- unsigned char c;
- long i;
- dns_rdatatype_t covered;
- char *e;
- isc_result_t result;
- dns_name_t name;
- isc_buffer_t buffer;
- isc_uint32_t time_signed, time_expire;
-
- REQUIRE(type == 24);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Type covered.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
- i = strtol(DNS_AS_STR(token), &e, 10);
- if (i < 0 || i > 65535)
- RETTOK(ISC_R_RANGE);
- if (*e != 0)
- RETTOK(result);
- covered = (dns_rdatatype_t)i;
- }
- RETERR(uint16_tobuffer(covered, target));
-
- /*
- * Algorithm.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
- RETERR(mem_tobuffer(target, &c, 1));
-
- /*
- * Labels.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffU)
- RETTOK(ISC_R_RANGE);
- c = (unsigned char)token.value.as_ulong;
- RETERR(mem_tobuffer(target, &c, 1));
-
- /*
- * Original ttl.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
- /*
- * Signature expiration.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
- RETERR(uint32_tobuffer(time_expire, target));
-
- /*
- * Time signed.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
- RETERR(uint32_tobuffer(time_signed, target));
-
- /*
- * Key footprint.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Signer.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
- /*
- * Sig.
- */
- return (isc_base64_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_sig(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("4294967295")];
- dns_rdatatype_t covered;
- unsigned long ttl;
- unsigned long when;
- unsigned long exp;
- unsigned long foot;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 24);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Type covered.
- */
- covered = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- /*
- * XXXAG We should have something like dns_rdatatype_isknown()
- * that does the right thing with type 0.
- */
- if (dns_rdatatype_isknown(covered) && covered != 0) {
- RETERR(dns_rdatatype_totext(covered, target));
- } else {
- char buf[sizeof("65535")];
- sprintf(buf, "%u", covered);
- RETERR(str_totext(buf, target));
- }
- RETERR(str_totext(" ", target));
-
- /*
- * Algorithm.
- */
- sprintf(buf, "%u", sr.base[0]);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Labels.
- */
- sprintf(buf, "%u", sr.base[0]);
- isc_region_consume(&sr, 1);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Ttl.
- */
- ttl = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- sprintf(buf, "%lu", ttl);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Sig exp.
- */
- exp = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- RETERR(dns_time32_totext(exp, target));
-
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
-
- /*
- * Time signed.
- */
- when = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- RETERR(dns_time32_totext(when, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Footprint.
- */
- foot = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%lu", foot);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Signer.
- */
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
-
- /*
- * Sig.
- */
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_sig(ARGS_FROMWIRE) {
- isc_region_t sr;
- dns_name_t name;
-
- REQUIRE(type == 24);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- isc_buffer_activeregion(source, &sr);
- /*
- * type covered: 2
- * algorithm: 1
- * labels: 1
- * original ttl: 4
- * signature expiration: 4
- * time signed: 4
- * key footprint: 2
- */
- if (sr.length < 18)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, 18);
- RETERR(mem_tobuffer(target, sr.base, 18));
-
- /*
- * Signer.
- */
- dns_name_init(&name, NULL);
- RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
- /*
- * Sig.
- */
- isc_buffer_activeregion(source, &sr);
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_sig(ARGS_TOWIRE) {
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
-
- REQUIRE(rdata->type == 24);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_rdata_toregion(rdata, &sr);
- /*
- * type covered: 2
- * algorithm: 1
- * labels: 1
- * original ttl: 4
- * signature expiration: 4
- * time signed: 4
- * key footprint: 2
- */
- RETERR(mem_tobuffer(target, sr.base, 18));
- isc_region_consume(&sr, 18);
-
- /*
- * Signer.
- */
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
- isc_region_consume(&sr, name_length(&name));
- RETERR(dns_name_towire(&name, cctx, target));
-
- /*
- * Signature.
- */
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_sig(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
- dns_name_t name1;
- dns_name_t name2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 24);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
-
- INSIST(r1.length > 18);
- INSIST(r2.length > 18);
- r1.length = 18;
- r2.length = 18;
- order = isc_region_compare(&r1, &r2);
- if (order != 0)
- return (order);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- isc_region_consume(&r1, 18);
- isc_region_consume(&r2, 18);
- dns_name_fromregion(&name1, &r1);
- dns_name_fromregion(&name2, &r2);
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
-
- isc_region_consume(&r1, name_length(&name1));
- isc_region_consume(&r2, name_length(&name2));
-
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_sig(ARGS_FROMSTRUCT) {
- dns_rdata_sig_t *sig = source;
-
- REQUIRE(type == 24);
- REQUIRE(source != NULL);
- REQUIRE(sig->common.rdtype == type);
- REQUIRE(sig->common.rdclass == rdclass);
- REQUIRE(sig->signature != NULL || sig->siglen == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- /*
- * Type covered.
- */
- RETERR(uint16_tobuffer(sig->covered, target));
-
- /*
- * Algorithm.
- */
- RETERR(uint8_tobuffer(sig->algorithm, target));
-
- /*
- * Labels.
- */
- RETERR(uint8_tobuffer(sig->labels, target));
-
- /*
- * Original TTL.
- */
- RETERR(uint32_tobuffer(sig->originalttl, target));
-
- /*
- * Expire time.
- */
- RETERR(uint32_tobuffer(sig->timeexpire, target));
-
- /*
- * Time signed.
- */
- RETERR(uint32_tobuffer(sig->timesigned, target));
-
- /*
- * Key ID.
- */
- RETERR(uint16_tobuffer(sig->keyid, target));
-
- /*
- * Signer name.
- */
- RETERR(name_tobuffer(&sig->signer, target));
-
- /*
- * Signature.
- */
- return (mem_tobuffer(target, sig->signature, sig->siglen));
-}
-
-static inline isc_result_t
-tostruct_sig(ARGS_TOSTRUCT) {
- isc_region_t sr;
- dns_rdata_sig_t *sig = target;
- dns_name_t signer;
-
- REQUIRE(rdata->type == 24);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- sig->common.rdclass = rdata->rdclass;
- sig->common.rdtype = rdata->type;
- ISC_LINK_INIT(&sig->common, link);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Type covered.
- */
- sig->covered = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Algorithm.
- */
- sig->algorithm = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /*
- * Labels.
- */
- sig->labels = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
-
- /*
- * Original TTL.
- */
- sig->originalttl = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Expire time.
- */
- sig->timeexpire = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Time signed.
- */
- sig->timesigned = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Key ID.
- */
- sig->keyid = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- dns_name_init(&signer, NULL);
- dns_name_fromregion(&signer, &sr);
- dns_name_init(&sig->signer, NULL);
- RETERR(name_duporclone(&signer, mctx, &sig->signer));
- isc_region_consume(&sr, name_length(&sig->signer));
-
- /*
- * Signature.
- */
- sig->siglen = sr.length;
- sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
- if (sig->signature == NULL)
- goto cleanup;
-
-
- sig->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&sig->signer, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_sig(ARGS_FREESTRUCT) {
- dns_rdata_sig_t *sig = (dns_rdata_sig_t *) source;
-
- REQUIRE(source != NULL);
- REQUIRE(sig->common.rdtype == 24);
-
- if (sig->mctx == NULL)
- return;
-
- dns_name_free(&sig->signer, sig->mctx);
- if (sig->signature != NULL)
- isc_mem_free(sig->mctx, sig->signature);
- sig->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_sig(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 24);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_sig(ARGS_DIGEST) {
-
- REQUIRE(rdata->type == 24);
-
- UNUSED(rdata);
- UNUSED(digest);
- UNUSED(arg);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline dns_rdatatype_t
-covers_sig(dns_rdata_t *rdata) {
- dns_rdatatype_t type;
- isc_region_t r;
-
- REQUIRE(rdata->type == 24);
-
- dns_rdata_toregion(rdata, &r);
- type = uint16_fromregion(&r);
-
- return (type);
-}
-
-static inline isc_boolean_t
-checkowner_sig(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 24);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_sig(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 24);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_SIG_24_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.h b/contrib/bind9/lib/dns/rdata/generic/sig_24.h
deleted file mode 100644
index 28bcac21ccce..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/sig_24.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_SIG_24_H
-#define GENERIC_SIG_24_H 1
-
-/* $Id: sig_24.h,v 1.21.206.1 2004/03/06 08:14:12 marka Exp $ */
-
-/* RFC 2535 */
-
-typedef struct dns_rdata_sig_t {
- dns_rdatacommon_t common;
- isc_mem_t * mctx;
- dns_rdatatype_t covered;
- dns_secalg_t algorithm;
- isc_uint8_t labels;
- isc_uint32_t originalttl;
- isc_uint32_t timeexpire;
- isc_uint32_t timesigned;
- isc_uint16_t keyid;
- dns_name_t signer;
- isc_uint16_t siglen;
- unsigned char * signature;
-} dns_rdata_sig_t;
-
-
-#endif /* GENERIC_SIG_24_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.c b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
deleted file mode 100644
index 7eeb36e2f550..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/soa_6.c
+++ /dev/null
@@ -1,443 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: soa_6.c,v 1.53.12.6 2004/03/08 09:04:42 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
-
-#ifndef RDATA_GENERIC_SOA_6_C
-#define RDATA_GENERIC_SOA_6_C
-
-#define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
-
-static inline isc_result_t
-fromtext_soa(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- int i;
- isc_uint32_t n;
- isc_boolean_t ok;
-
- REQUIRE(type == 6);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- origin = (origin != NULL) ? origin : dns_rootname;
-
- for (i = 0; i < 2; i++) {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- RETTOK(dns_name_fromtext(&name, &buffer, origin,
- options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- switch (i) {
- case 0:
- ok = dns_name_ishostname(&name, ISC_FALSE);
- break;
- case 1:
- ok = dns_name_ismailbox(&name);
- break;
-
- }
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- }
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
- for (i = 0; i < 4; i++) {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string,
- ISC_FALSE));
- RETTOK(dns_counter_fromtext(&token.value.as_textregion, &n));
- RETERR(uint32_tobuffer(n, target));
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static const char *soa_fieldnames[5] = {
- "serial", "refresh", "retry", "expire", "minimum"
-};
-
-static inline isc_result_t
-totext_soa(ARGS_TOTEXT) {
- isc_region_t dregion;
- dns_name_t mname;
- dns_name_t rname;
- dns_name_t prefix;
- isc_boolean_t sub;
- int i;
- isc_boolean_t multiline;
- isc_boolean_t comment;
-
- REQUIRE(rdata->type == 6);
- REQUIRE(rdata->length != 0);
-
- multiline = ISC_TF((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0);
- comment = ISC_TF((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0);
-
- dns_name_init(&mname, NULL);
- dns_name_init(&rname, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &dregion);
-
- dns_name_fromregion(&mname, &dregion);
- isc_region_consume(&dregion, name_length(&mname));
-
- dns_name_fromregion(&rname, &dregion);
- isc_region_consume(&dregion, name_length(&rname));
-
- sub = name_prefix(&mname, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
-
- RETERR(str_totext(" ", target));
-
- sub = name_prefix(&rname, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
-
- if (multiline)
- RETERR(str_totext(" (" , target));
- RETERR(str_totext(tctx->linebreak, target));
-
- for (i = 0; i < 5; i++) {
- char buf[sizeof("2147483647")];
- unsigned long num;
- unsigned int numlen;
- num = uint32_fromregion(&dregion);
- isc_region_consume(&dregion, 4);
- numlen = sprintf(buf, "%lu", num);
- INSIST(numlen > 0 && numlen < sizeof("2147483647"));
- RETERR(str_totext(buf, target));
- if (multiline && comment) {
- RETERR(str_totext(" ; " + numlen, target));
- RETERR(str_totext(soa_fieldnames[i], target));
- /* Print times in week/day/hour/minute/second form */
- if (i >= 1) {
- RETERR(str_totext(" (", target));
- RETERR(dns_ttl_totext(num, ISC_TRUE, target));
- RETERR(str_totext(")", target));
- }
- RETERR(str_totext(tctx->linebreak, target));
- } else if (i < 4) {
- RETERR(str_totext(tctx->linebreak, target));
- }
- }
-
- if (multiline)
- RETERR(str_totext(")", target));
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_soa(ARGS_FROMWIRE) {
- dns_name_t mname;
- dns_name_t rname;
- isc_region_t sregion;
- isc_region_t tregion;
-
- REQUIRE(type == 6);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&mname, NULL);
- dns_name_init(&rname, NULL);
-
- RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
- RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
-
- isc_buffer_activeregion(source, &sregion);
- isc_buffer_availableregion(target, &tregion);
-
- if (sregion.length < 20)
- return (ISC_R_UNEXPECTEDEND);
- if (tregion.length < 20)
- return (ISC_R_NOSPACE);
-
- memcpy(tregion.base, sregion.base, 20);
- isc_buffer_forward(source, 20);
- isc_buffer_add(target, 20);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_soa(ARGS_TOWIRE) {
- isc_region_t sregion;
- isc_region_t tregion;
- dns_name_t mname;
- dns_name_t rname;
- dns_offsets_t moffsets;
- dns_offsets_t roffsets;
-
- REQUIRE(rdata->type == 6);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
-
- dns_name_init(&mname, moffsets);
- dns_name_init(&rname, roffsets);
-
- dns_rdata_toregion(rdata, &sregion);
-
- dns_name_fromregion(&mname, &sregion);
- isc_region_consume(&sregion, name_length(&mname));
- RETERR(dns_name_towire(&mname, cctx, target));
-
- dns_name_fromregion(&rname, &sregion);
- isc_region_consume(&sregion, name_length(&rname));
- RETERR(dns_name_towire(&rname, cctx, target));
-
- isc_buffer_availableregion(target, &tregion);
- if (tregion.length < 20)
- return (ISC_R_NOSPACE);
-
- memcpy(tregion.base, sregion.base, 20);
- isc_buffer_add(target, 20);
- return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_soa(ARGS_COMPARE) {
- isc_region_t region1;
- isc_region_t region2;
- dns_name_t name1;
- dns_name_t name2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 6);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
-
- isc_region_consume(&region1, name_length(&name1));
- isc_region_consume(&region2, name_length(&name2));
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
-
- isc_region_consume(&region1, name_length(&name1));
- isc_region_consume(&region2, name_length(&name2));
-
- return (isc_region_compare(&region1, &region2));
-}
-
-static inline isc_result_t
-fromstruct_soa(ARGS_FROMSTRUCT) {
- dns_rdata_soa_t *soa = source;
- isc_region_t region;
-
- REQUIRE(type == 6);
- REQUIRE(source != NULL);
- REQUIRE(soa->common.rdtype == type);
- REQUIRE(soa->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&soa->origin, &region);
- RETERR(isc_buffer_copyregion(target, &region));
- dns_name_toregion(&soa->contact, &region);
- RETERR(isc_buffer_copyregion(target, &region));
- RETERR(uint32_tobuffer(soa->serial, target));
- RETERR(uint32_tobuffer(soa->refresh, target));
- RETERR(uint32_tobuffer(soa->retry, target));
- RETERR(uint32_tobuffer(soa->expire, target));
- return (uint32_tobuffer(soa->minimum, target));
-}
-
-static inline isc_result_t
-tostruct_soa(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_soa_t *soa = target;
- dns_name_t name;
- isc_result_t result;
-
- REQUIRE(rdata->type == 6);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- soa->common.rdclass = rdata->rdclass;
- soa->common.rdtype = rdata->type;
- ISC_LINK_INIT(&soa->common, link);
-
-
- dns_rdata_toregion(rdata, &region);
-
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- isc_region_consume(&region, name_length(&name));
- dns_name_init(&soa->origin, NULL);
- RETERR(name_duporclone(&name, mctx, &soa->origin));
-
- dns_name_fromregion(&name, &region);
- isc_region_consume(&region, name_length(&name));
- dns_name_init(&soa->contact, NULL);
- result = name_duporclone(&name, mctx, &soa->contact);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- soa->serial = uint32_fromregion(&region);
- isc_region_consume(&region, 4);
-
- soa->refresh = uint32_fromregion(&region);
- isc_region_consume(&region, 4);
-
- soa->retry = uint32_fromregion(&region);
- isc_region_consume(&region, 4);
-
- soa->expire = uint32_fromregion(&region);
- isc_region_consume(&region, 4);
-
- soa->minimum = uint32_fromregion(&region);
-
- soa->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&soa->origin, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_soa(ARGS_FREESTRUCT) {
- dns_rdata_soa_t *soa = source;
-
- REQUIRE(source != NULL);
- REQUIRE(soa->common.rdtype == 6);
-
- if (soa->mctx == NULL)
- return;
-
- dns_name_free(&soa->origin, soa->mctx);
- dns_name_free(&soa->contact, soa->mctx);
- soa->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_soa(ARGS_ADDLDATA) {
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- REQUIRE(rdata->type == 6);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_soa(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 6);
-
- dns_rdata_toregion(rdata, &r);
-
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
- RETERR(dns_name_digest(&name, digest, arg));
- isc_region_consume(&r, name_length(&name));
-
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
- RETERR(dns_name_digest(&name, digest, arg));
- isc_region_consume(&r, name_length(&name));
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_soa(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 6);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_soa(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 6);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- isc_region_consume(&region, name_length(&name));
- dns_name_fromregion(&name, &region);
- if (!dns_name_ismailbox(&name)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_SOA_6_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.h b/contrib/bind9/lib/dns/rdata/generic/soa_6.h
deleted file mode 100644
index eca6dfd43bf5..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/soa_6.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_SOA_6_H
-#define GENERIC_SOA_6_H 1
-
-/* $Id: soa_6.h,v 1.27.206.1 2004/03/06 08:14:12 marka Exp $ */
-
-typedef struct dns_rdata_soa {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t origin;
- dns_name_t contact;
- isc_uint32_t serial; /* host order */
- isc_uint32_t refresh; /* host order */
- isc_uint32_t retry; /* host order */
- isc_uint32_t expire; /* host order */
- isc_uint32_t minimum; /* host order */
-} dns_rdata_soa_t;
-
-
-#endif /* GENERIC_SOA_6_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
deleted file mode 100644
index eabf056d6f7d..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sshfp_44.c,v 1.1.8.3 2004/03/06 08:14:13 marka Exp $ */
-
-/* draft-ietf-secsh-dns-05.txt */
-
-#ifndef RDATA_GENERIC_SSHFP_44_C
-#define RDATA_GENERIC_SSHFP_44_C
-
-#define RRTYPE_SSHFP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_sshfp(ARGS_FROMTEXT) {
- isc_token_t token;
-
- REQUIRE(type == 44);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- /*
- * Algorithm.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint8_tobuffer(token.value.as_ulong, target));
-
- /*
- * Digest type.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint8_tobuffer(token.value.as_ulong, target));
- type = (isc_uint16_t) token.value.as_ulong;
-
- /*
- * Digest.
- */
- return (isc_hex_tobuffer(lexer, target, -1));
-}
-
-static inline isc_result_t
-totext_sshfp(ARGS_TOTEXT) {
- isc_region_t sr;
- char buf[sizeof("64000 ")];
- unsigned int n;
-
- REQUIRE(rdata->type == 44);
- REQUIRE(rdata->length != 0);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Algorithm.
- */
- n = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
- sprintf(buf, "%u ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Digest type.
- */
- n = uint8_fromregion(&sr);
- isc_region_consume(&sr, 1);
- sprintf(buf, "%u", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Digest.
- */
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_sshfp(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 44);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
-
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_sshfp(ARGS_TOWIRE) {
- isc_region_t sr;
-
- REQUIRE(rdata->type == 44);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- dns_rdata_toregion(rdata, &sr);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_sshfp(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 44);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_sshfp(ARGS_FROMSTRUCT) {
- dns_rdata_sshfp_t *sshfp = source;
-
- REQUIRE(type == 44);
- REQUIRE(source != NULL);
- REQUIRE(sshfp->common.rdtype == type);
- REQUIRE(sshfp->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint8_tobuffer(sshfp->algorithm, target));
- RETERR(uint8_tobuffer(sshfp->digest_type, target));
-
- return (mem_tobuffer(target, sshfp->digest, sshfp->length));
-}
-
-static inline isc_result_t
-tostruct_sshfp(ARGS_TOSTRUCT) {
- dns_rdata_sshfp_t *sshfp = target;
- isc_region_t region;
-
- REQUIRE(rdata->type == 44);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- sshfp->common.rdclass = rdata->rdclass;
- sshfp->common.rdtype = rdata->type;
- ISC_LINK_INIT(&sshfp->common, link);
-
- dns_rdata_toregion(rdata, &region);
-
- sshfp->algorithm = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- sshfp->digest_type = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- sshfp->length = region.length;
-
- sshfp->digest = mem_maybedup(mctx, region.base, region.length);
- if (sshfp->digest == NULL)
- return (ISC_R_NOMEMORY);
-
- sshfp->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_sshfp(ARGS_FREESTRUCT) {
- dns_rdata_sshfp_t *sshfp = source;
-
- REQUIRE(sshfp != NULL);
- REQUIRE(sshfp->common.rdtype == 44);
-
- if (sshfp->mctx == NULL)
- return;
-
- if (sshfp->digest != NULL)
- isc_mem_free(sshfp->mctx, sshfp->digest);
- sshfp->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_sshfp(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 44);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_sshfp(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 44);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_sshfp(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 44);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_sshfp(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 44);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_SSHFP_44_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
deleted file mode 100644
index ccdefd4ea298..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sshfp_44.h,v 1.1.8.2 2004/03/06 08:14:13 marka Exp $ */
-
-/* draft-ietf-secsh-dns-05.txt */
-
-#ifndef GENERIC_SSHFP_44_H
-#define GENERIC_SSHFP_44_H 1
-
-typedef struct dns_rdata_sshfp {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint8_t algorithm;
- isc_uint8_t digest_type;
- isc_uint16_t length;
- unsigned char *digest;
-} dns_rdata_sshfp_t;
-
-#endif /* GENERIC_SSHFP_44_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
deleted file mode 100644
index da631676715e..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
+++ /dev/null
@@ -1,555 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tkey_249.c,v 1.48.2.1.2.6 2004/03/08 09:04:42 marka Exp $ */
-
-/*
- * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
- */
-
-/* draft-ietf-dnsext-tkey-01.txt */
-
-#ifndef RDATA_GENERIC_TKEY_249_C
-#define RDATA_GENERIC_TKEY_249_C
-
-#define RRTYPE_TKEY_ATTRIBUTES (DNS_RDATATYPEATTR_META)
-
-static inline isc_result_t
-fromtext_tkey(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_rcode_t rcode;
- dns_name_t name;
- isc_buffer_t buffer;
- long i;
- char *e;
-
- REQUIRE(type == 249);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Algorithm.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
-
- /*
- * Inception.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
- /*
- * Expiration.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- RETERR(uint32_tobuffer(token.value.as_ulong, target));
-
- /*
- * Mode.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Error.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
- != ISC_R_SUCCESS)
- {
- i = strtol(DNS_AS_STR(token), &e, 10);
- if (*e != 0)
- RETTOK(DNS_R_UNKNOWN);
- if (i < 0 || i > 0xffff)
- RETTOK(ISC_R_RANGE);
- rcode = (dns_rcode_t)i;
- }
- RETERR(uint16_tobuffer(rcode, target));
-
- /*
- * Key Size.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Key Data.
- */
- RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-
- /*
- * Other Size.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Other Data.
- */
- return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
-}
-
-static inline isc_result_t
-totext_tkey(ARGS_TOTEXT) {
- isc_region_t sr, dr;
- char buf[sizeof("4294967295 ")];
- unsigned long n;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 249);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Algorithm.
- */
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
- dns_name_fromregion(&name, &sr);
- sub = name_prefix(&name, tctx->origin, &prefix);
- RETERR(dns_name_totext(&prefix, sub, target));
- RETERR(str_totext(" ", target));
- isc_region_consume(&sr, name_length(&name));
-
- /*
- * Inception.
- */
- n = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- sprintf(buf, "%lu ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Expiration.
- */
- n = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
- sprintf(buf, "%lu ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Mode.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%lu ", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Error.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
- RETERR(str_totext(" ", target));
- else {
- sprintf(buf, "%lu ", n);
- RETERR(str_totext(buf, target));
- }
-
- /*
- * Key Size.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%lu", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Key Data.
- */
- REQUIRE(n <= sr.length);
- dr = sr;
- dr.length = n;
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&dr, tctx->width - 2,
- tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" ) ", target));
- else
- RETERR(str_totext(" ", target));
- isc_region_consume(&sr, n);
-
- /*
- * Other Size.
- */
- n = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- sprintf(buf, "%lu", n);
- RETERR(str_totext(buf, target));
-
- /*
- * Other Data.
- */
- REQUIRE(n <= sr.length);
- if (n != 0U) {
- dr = sr;
- dr.length = n;
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" (", target));
- RETERR(str_totext(tctx->linebreak, target));
- RETERR(isc_base64_totext(&dr, tctx->width - 2,
- tctx->linebreak, target));
- if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
- RETERR(str_totext(" )", target));
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_tkey(ARGS_FROMWIRE) {
- isc_region_t sr;
- unsigned long n;
- dns_name_t name;
-
- REQUIRE(type == 249);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- /*
- * Algorithm.
- */
- dns_name_init(&name, NULL);
- RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
- /*
- * Inception: 4
- * Expiration: 4
- * Mode: 2
- * Error: 2
- */
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 12)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sr.base, 12));
- isc_region_consume(&sr, 12);
- isc_buffer_forward(source, 12);
-
- /*
- * Key Length + Key Data.
- */
- if (sr.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- n = uint16_fromregion(&sr);
- if (sr.length < n + 2)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sr.base, n + 2));
- isc_region_consume(&sr, n + 2);
- isc_buffer_forward(source, n + 2);
-
- /*
- * Other Length + Other Data.
- */
- if (sr.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- n = uint16_fromregion(&sr);
- if (sr.length < n + 2)
- return (ISC_R_UNEXPECTEDEND);
- isc_buffer_forward(source, n + 2);
- return (mem_tobuffer(target, sr.base, n + 2));
-}
-
-static inline isc_result_t
-towire_tkey(ARGS_TOWIRE) {
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
-
- REQUIRE(rdata->type == 249);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- /*
- * Algorithm.
- */
- dns_rdata_toregion(rdata, &sr);
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
- RETERR(dns_name_towire(&name, cctx, target));
- isc_region_consume(&sr, name_length(&name));
-
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_tkey(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
- dns_name_t name1;
- dns_name_t name2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 249);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- /*
- * Algorithm.
- */
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
- dns_name_fromregion(&name1, &r1);
- dns_name_fromregion(&name2, &r2);
- if ((order = dns_name_rdatacompare(&name1, &name2)) != 0)
- return (order);
- isc_region_consume(&r1, name_length(&name1));
- isc_region_consume(&r2, name_length(&name2));
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_tkey(ARGS_FROMSTRUCT) {
- dns_rdata_tkey_t *tkey = source;
-
- REQUIRE(type == 249);
- REQUIRE(source != NULL);
- REQUIRE(tkey->common.rdtype == type);
- REQUIRE(tkey->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- /*
- * Algorithm Name.
- */
- RETERR(name_tobuffer(&tkey->algorithm, target));
-
- /*
- * Inception: 32 bits.
- */
- RETERR(uint32_tobuffer(tkey->inception, target));
-
- /*
- * Expire: 32 bits.
- */
- RETERR(uint32_tobuffer(tkey->expire, target));
-
- /*
- * Mode: 16 bits.
- */
- RETERR(uint16_tobuffer(tkey->mode, target));
-
- /*
- * Error: 16 bits.
- */
- RETERR(uint16_tobuffer(tkey->error, target));
-
- /*
- * Key size: 16 bits.
- */
- RETERR(uint16_tobuffer(tkey->keylen, target));
-
- /*
- * Key.
- */
- RETERR(mem_tobuffer(target, tkey->key, tkey->keylen));
-
- /*
- * Other size: 16 bits.
- */
- RETERR(uint16_tobuffer(tkey->otherlen, target));
-
- /*
- * Other data.
- */
- return (mem_tobuffer(target, tkey->other, tkey->otherlen));
-}
-
-static inline isc_result_t
-tostruct_tkey(ARGS_TOSTRUCT) {
- dns_rdata_tkey_t *tkey = target;
- dns_name_t alg;
- isc_region_t sr;
-
- REQUIRE(rdata->type == 249);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- tkey->common.rdclass = rdata->rdclass;
- tkey->common.rdtype = rdata->type;
- ISC_LINK_INIT(&tkey->common, link);
-
- dns_rdata_toregion(rdata, &sr);
-
- /*
- * Algorithm Name.
- */
- dns_name_init(&alg, NULL);
- dns_name_fromregion(&alg, &sr);
- dns_name_init(&tkey->algorithm, NULL);
- RETERR(name_duporclone(&alg, mctx, &tkey->algorithm));
- isc_region_consume(&sr, name_length(&tkey->algorithm));
-
- /*
- * Inception.
- */
- tkey->inception = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Expire.
- */
- tkey->expire = uint32_fromregion(&sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Mode.
- */
- tkey->mode = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Error.
- */
- tkey->error = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Key size.
- */
- tkey->keylen = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Key.
- */
- tkey->key = mem_maybedup(mctx, sr.base, tkey->keylen);
- if (tkey->key == NULL)
- goto cleanup;
- isc_region_consume(&sr, tkey->keylen);
-
- /*
- * Other size.
- */
- tkey->otherlen = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
-
- /*
- * Other.
- */
- tkey->other = mem_maybedup(mctx, sr.base, tkey->otherlen);
- if (tkey->other == NULL)
- goto cleanup;
-
- tkey->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL)
- dns_name_free(&tkey->algorithm, mctx);
- if (mctx != NULL && tkey->key != NULL)
- isc_mem_free(mctx, tkey->key);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_tkey(ARGS_FREESTRUCT) {
- dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *) source;
-
- REQUIRE(source != NULL);
-
- if (tkey->mctx == NULL)
- return;
-
- dns_name_free(&tkey->algorithm, tkey->mctx);
- if (tkey->key != NULL)
- isc_mem_free(tkey->mctx, tkey->key);
- if (tkey->other != NULL)
- isc_mem_free(tkey->mctx, tkey->other);
- tkey->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_tkey(ARGS_ADDLDATA) {
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- REQUIRE(rdata->type == 249);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_tkey(ARGS_DIGEST) {
- UNUSED(rdata);
- UNUSED(digest);
- UNUSED(arg);
-
- REQUIRE(rdata->type == 249);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static inline isc_boolean_t
-checkowner_tkey(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 249);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_tkey(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 249);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_TKEY_249_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.h b/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
deleted file mode 100644
index 8e0081cf9315..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_TKEY_249_H
-#define GENERIC_TKEY_249_H 1
-
-/* $Id: tkey_249.h,v 1.18.206.2 2004/03/06 08:14:13 marka Exp $ */
-
-/* draft-ietf-dnsind-tkey-00.txt */
-
-typedef struct dns_rdata_tkey {
- dns_rdatacommon_t common;
- isc_mem_t * mctx;
- dns_name_t algorithm;
- isc_uint32_t inception;
- isc_uint32_t expire;
- isc_uint16_t mode;
- isc_uint16_t error;
- isc_uint16_t keylen;
- unsigned char * key;
- isc_uint16_t otherlen;
- unsigned char * other;
-} dns_rdata_tkey_t;
-
-
-#endif /* GENERIC_TKEY_249_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.c b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
deleted file mode 100644
index 631d7af55b9b..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/txt_16.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: txt_16.c,v 1.37.12.4 2004/03/08 09:04:42 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
-
-#ifndef RDATA_GENERIC_TXT_16_C
-#define RDATA_GENERIC_TXT_16_C
-
-#define RRTYPE_TXT_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_txt(ARGS_FROMTEXT) {
- isc_token_t token;
- int strings;
-
- REQUIRE(type == 16);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- strings = 0;
- for (;;) {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_qstring,
- ISC_TRUE));
- if (token.type != isc_tokentype_qstring &&
- token.type != isc_tokentype_string)
- break;
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
- strings++;
- }
- /* Let upper layer handle eol/eof. */
- isc_lex_ungettoken(lexer, &token);
- return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_txt(ARGS_TOTEXT) {
- isc_region_t region;
-
- UNUSED(tctx);
-
- REQUIRE(rdata->type == 16);
-
- dns_rdata_toregion(rdata, &region);
-
- while (region.length > 0) {
- RETERR(txt_totext(&region, target));
- if (region.length > 0)
- RETERR(str_totext(" ", target));
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_txt(ARGS_FROMWIRE) {
- isc_result_t result;
-
- REQUIRE(type == 16);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(rdclass);
- UNUSED(options);
-
- do {
- result = txt_fromwire(source, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- } while (!buffer_empty(source));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_txt(ARGS_TOWIRE) {
- isc_region_t region;
-
- REQUIRE(rdata->type == 16);
-
- UNUSED(cctx);
-
- isc_buffer_availableregion(target, &region);
- if (region.length < rdata->length)
- return (ISC_R_NOSPACE);
-
- memcpy(region.base, rdata->data, rdata->length);
- isc_buffer_add(target, rdata->length);
- return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_txt(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 16);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_txt(ARGS_FROMSTRUCT) {
- dns_rdata_txt_t *txt = source;
- isc_region_t region;
- isc_uint8_t length;
-
- REQUIRE(type == 16);
- REQUIRE(source != NULL);
- REQUIRE(txt->common.rdtype == type);
- REQUIRE(txt->common.rdclass == rdclass);
- REQUIRE(txt->txt != NULL && txt->txt_len != 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- region.base = txt->txt;
- region.length = txt->txt_len;
- while (region.length > 0) {
- length = uint8_fromregion(&region);
- isc_region_consume(&region, 1);
- if (region.length <= length)
- return (ISC_R_UNEXPECTEDEND);
- isc_region_consume(&region, length);
- }
-
- return (mem_tobuffer(target, txt->txt, txt->txt_len));
-}
-
-static inline isc_result_t
-tostruct_txt(ARGS_TOSTRUCT) {
- dns_rdata_txt_t *txt = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 16);
- REQUIRE(target != NULL);
-
- txt->common.rdclass = rdata->rdclass;
- txt->common.rdtype = rdata->type;
- ISC_LINK_INIT(&txt->common, link);
-
- dns_rdata_toregion(rdata, &r);
- txt->txt_len = r.length;
- txt->txt = mem_maybedup(mctx, r.base, r.length);
- if (txt->txt == NULL)
- return (ISC_R_NOMEMORY);
-
- txt->offset = 0;
- txt->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_txt(ARGS_FREESTRUCT) {
- dns_rdata_txt_t *txt = source;
-
- REQUIRE(source != NULL);
- REQUIRE(txt->common.rdtype == 16);
-
- if (txt->mctx == NULL)
- return;
-
- if (txt->txt != NULL)
- isc_mem_free(txt->mctx, txt->txt);
- txt->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_txt(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 16);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_txt(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 16);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_txt(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 16);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_txt(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 16);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_TXT_16_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.h b/contrib/bind9/lib/dns/rdata/generic/txt_16.h
deleted file mode 100644
index db5019c133b9..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/txt_16.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_TXT_16_H
-#define GENERIC_TXT_16_H 1
-
-/* $Id: txt_16.h,v 1.23.206.1 2004/03/06 08:14:14 marka Exp $ */
-
-typedef struct dns_rdata_txt_string {
- isc_uint8_t length;
- unsigned char *data;
-} dns_rdata_txt_string_t;
-
-typedef struct dns_rdata_txt {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- unsigned char *txt;
- isc_uint16_t txt_len;
- /* private */
- isc_uint16_t offset;
-} dns_rdata_txt_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_txt_first(dns_rdata_txt_t *);
-
-isc_result_t
-dns_rdata_txt_next(dns_rdata_txt_t *);
-
-isc_result_t
-dns_rdata_txt_current(dns_rdata_txt_t *, dns_rdata_txt_string_t *);
-
-#endif /* GENERIC_TXT_16_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
deleted file mode 100644
index 157e9a1cc06e..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: unspec_103.c,v 1.28.2.1.10.4 2004/03/08 09:04:43 marka Exp $ */
-
-#ifndef RDATA_GENERIC_UNSPEC_103_C
-#define RDATA_GENERIC_UNSPEC_103_C
-
-#define RRTYPE_UNSPEC_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_unspec(ARGS_FROMTEXT) {
-
- REQUIRE(type == 103);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- return (atob_tobuffer(lexer, target));
-}
-
-static inline isc_result_t
-totext_unspec(ARGS_TOTEXT) {
-
- REQUIRE(rdata->type == 103);
-
- UNUSED(tctx);
-
- return (btoa_totext(rdata->data, rdata->length, target));
-}
-
-static inline isc_result_t
-fromwire_unspec(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 103);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(dctx);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- isc_buffer_forward(source, sr.length);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline isc_result_t
-towire_unspec(ARGS_TOWIRE) {
-
- REQUIRE(rdata->type == 103);
-
- UNUSED(cctx);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_unspec(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 103);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_unspec(ARGS_FROMSTRUCT) {
- dns_rdata_unspec_t *unspec = source;
-
- REQUIRE(type == 103);
- REQUIRE(source != NULL);
- REQUIRE(unspec->common.rdtype == type);
- REQUIRE(unspec->common.rdclass == rdclass);
- REQUIRE(unspec->data != NULL || unspec->datalen == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (mem_tobuffer(target, unspec->data, unspec->datalen));
-}
-
-static inline isc_result_t
-tostruct_unspec(ARGS_TOSTRUCT) {
- dns_rdata_unspec_t *unspec = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 103);
- REQUIRE(target != NULL);
-
- unspec->common.rdclass = rdata->rdclass;
- unspec->common.rdtype = rdata->type;
- ISC_LINK_INIT(&unspec->common, link);
-
- dns_rdata_toregion(rdata, &r);
- unspec->datalen = r.length;
- unspec->data = mem_maybedup(mctx, r.base, r.length);
- if (unspec->data == NULL)
- return (ISC_R_NOMEMORY);
-
- unspec->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_unspec(ARGS_FREESTRUCT) {
- dns_rdata_unspec_t *unspec = source;
-
- REQUIRE(source != NULL);
- REQUIRE(unspec->common.rdtype == 103);
-
- if (unspec->mctx == NULL)
- return;
-
- if (unspec->data != NULL)
- isc_mem_free(unspec->mctx, unspec->data);
- unspec->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_unspec(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 103);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_unspec(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 103);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_unspec(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 103);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_unspec(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 103);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_UNSPEC_103_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.h b/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
deleted file mode 100644
index 021e308deb7c..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_UNSPEC_103_H
-#define GENERIC_UNSPEC_103_H 1
-
-/* $Id: unspec_103.h,v 1.12.206.1 2004/03/06 08:14:14 marka Exp $ */
-
-typedef struct dns_rdata_unspec_t {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- unsigned char *data;
- isc_uint16_t datalen;
-} dns_rdata_unspec_t;
-
-#endif /* GENERIC_UNSPEC_103_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.c b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
deleted file mode 100644
index 2f123ad76d69..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/x25_19.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: x25_19.c,v 1.31.12.4 2004/03/08 09:04:43 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
-
-/* RFC 1183 */
-
-#ifndef RDATA_GENERIC_X25_19_C
-#define RDATA_GENERIC_X25_19_C
-
-#define RRTYPE_X25_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_x25(ARGS_FROMTEXT) {
- isc_token_t token;
- unsigned int i;
-
- REQUIRE(type == 19);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
- ISC_FALSE));
- if (token.value.as_textregion.length < 4)
- RETTOK(DNS_R_SYNTAX);
- for (i = 0; i < token.value.as_textregion.length; i++)
- if (!isdigit(token.value.as_textregion.base[i] & 0xff))
- RETTOK(ISC_R_RANGE);
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_x25(ARGS_TOTEXT) {
- isc_region_t region;
-
- UNUSED(tctx);
-
- REQUIRE(rdata->type == 19);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &region);
- return (txt_totext(&region, target));
-}
-
-static inline isc_result_t
-fromwire_x25(ARGS_FROMWIRE) {
- isc_region_t sr;
-
- REQUIRE(type == 19);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(rdclass);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 5)
- return (DNS_R_FORMERR);
- return (txt_fromwire(source, target));
-}
-
-static inline isc_result_t
-towire_x25(ARGS_TOWIRE) {
- UNUSED(cctx);
-
- REQUIRE(rdata->type == 19);
- REQUIRE(rdata->length != 0);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_x25(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 19);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_x25(ARGS_FROMSTRUCT) {
- dns_rdata_x25_t *x25 = source;
- isc_uint8_t i;
-
- REQUIRE(type == 19);
- REQUIRE(source != NULL);
- REQUIRE(x25->common.rdtype == type);
- REQUIRE(x25->common.rdclass == rdclass);
- REQUIRE(x25->x25 != NULL && x25->x25_len != 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- if (x25->x25_len < 4)
- return (ISC_R_RANGE);
-
- for (i = 0; i < x25->x25_len; i++)
- if (!isdigit(x25->x25[i] & 0xff))
- return (ISC_R_RANGE);
-
- RETERR(uint8_tobuffer(x25->x25_len, target));
- return (mem_tobuffer(target, x25->x25, x25->x25_len));
-}
-
-static inline isc_result_t
-tostruct_x25(ARGS_TOSTRUCT) {
- dns_rdata_x25_t *x25 = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 19);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- x25->common.rdclass = rdata->rdclass;
- x25->common.rdtype = rdata->type;
- ISC_LINK_INIT(&x25->common, link);
-
- dns_rdata_toregion(rdata, &r);
- x25->x25_len = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- x25->x25 = mem_maybedup(mctx, r.base, x25->x25_len);
- if (x25->x25 == NULL)
- return (ISC_R_NOMEMORY);
-
- x25->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_x25(ARGS_FREESTRUCT) {
- dns_rdata_x25_t *x25 = source;
- REQUIRE(source != NULL);
- REQUIRE(x25->common.rdtype == 19);
-
- if (x25->mctx == NULL)
- return;
-
- if (x25->x25 != NULL)
- isc_mem_free(x25->mctx, x25->x25);
- x25->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_x25(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 19);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_x25(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 19);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_x25(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 19);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_x25(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 19);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_GENERIC_X25_19_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.h b/contrib/bind9/lib/dns/rdata/generic/x25_19.h
deleted file mode 100644
index bcb74cf6037e..000000000000
--- a/contrib/bind9/lib/dns/rdata/generic/x25_19.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef GENERIC_X25_19_H
-#define GENERIC_X25_19_H 1
-
-/* $Id: x25_19.h,v 1.13.206.1 2004/03/06 08:14:14 marka Exp $ */
-
-/* RFC 1183 */
-
-typedef struct dns_rdata_x25 {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- unsigned char *x25;
- isc_uint8_t x25_len;
-} dns_rdata_x25_t;
-
-#endif /* GENERIC_X25_19_H */
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
deleted file mode 100644
index 07d6adcd4270..000000000000
--- a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a_1.c,v 1.25.12.4 2004/03/08 09:04:43 marka Exp $ */
-
-/* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
-
-#ifndef RDATA_HS_4_A_1_C
-#define RDATA_HS_4_A_1_C
-
-#include <isc/net.h>
-
-#define RRTYPE_A_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_hs_a(ARGS_FROMTEXT) {
- isc_token_t token;
- struct in_addr addr;
- isc_region_t region;
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 4);
-
- UNUSED(type);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(rdclass);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
- RETTOK(DNS_R_BADDOTTEDQUAD);
- isc_buffer_availableregion(target, &region);
- if (region.length < 4)
- return (ISC_R_NOSPACE);
- memcpy(region.base, &addr, 4);
- isc_buffer_add(target, 4);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_hs_a(ARGS_TOTEXT) {
- isc_region_t region;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 4);
- REQUIRE(rdata->length == 4);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &region);
- return (inet_totext(AF_INET, &region, target));
-}
-
-static inline isc_result_t
-fromwire_hs_a(ARGS_FROMWIRE) {
- isc_region_t sregion;
- isc_region_t tregion;
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 4);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(options);
- UNUSED(rdclass);
-
- isc_buffer_activeregion(source, &sregion);
- isc_buffer_availableregion(target, &tregion);
- if (sregion.length < 4)
- return (ISC_R_UNEXPECTEDEND);
- if (tregion.length < 4)
- return (ISC_R_NOSPACE);
-
- memcpy(tregion.base, sregion.base, 4);
- isc_buffer_forward(source, 4);
- isc_buffer_add(target, 4);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_hs_a(ARGS_TOWIRE) {
- isc_region_t region;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 4);
- REQUIRE(rdata->length == 4);
-
- UNUSED(cctx);
-
- isc_buffer_availableregion(target, &region);
- if (region.length < rdata->length)
- return (ISC_R_NOSPACE);
- memcpy(region.base, rdata->data, rdata->length);
- isc_buffer_add(target, 4);
- return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_hs_a(ARGS_COMPARE) {
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 1);
- REQUIRE(rdata1->rdclass == 4);
- REQUIRE(rdata1->length == 4);
- REQUIRE(rdata2->length == 4);
-
- order = memcmp(rdata1->data, rdata2->data, 4);
- if (order != 0)
- order = (order < 0) ? -1 : 1;
-
- return (order);
-}
-
-static inline isc_result_t
-fromstruct_hs_a(ARGS_FROMSTRUCT) {
- dns_rdata_hs_a_t *a = source;
- isc_uint32_t n;
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 4);
- REQUIRE(source != NULL);
- REQUIRE(a->common.rdtype == type);
- REQUIRE(a->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- n = ntohl(a->in_addr.s_addr);
-
- return (uint32_tobuffer(n, target));
-}
-
-static inline isc_result_t
-tostruct_hs_a(ARGS_TOSTRUCT) {
- dns_rdata_hs_a_t *a = target;
- isc_uint32_t n;
- isc_region_t region;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 4);
- REQUIRE(rdata->length == 4);
-
- UNUSED(mctx);
-
- a->common.rdclass = rdata->rdclass;
- a->common.rdtype = rdata->type;
- ISC_LINK_INIT(&a->common, link);
-
- dns_rdata_toregion(rdata, &region);
- n = uint32_fromregion(&region);
- a->in_addr.s_addr = htonl(n);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_hs_a(ARGS_FREESTRUCT) {
- UNUSED(source);
-
- REQUIRE(source != NULL);
-}
-
-static inline isc_result_t
-additionaldata_hs_a(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 4);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_hs_a(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 4);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_hs_a(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 4);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_hs_a(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 4);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_HS_4_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.h b/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
deleted file mode 100644
index c06c648afe55..000000000000
--- a/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef HS_4_A_1_H
-#define HS_4_A_1_H 1
-
-/* $Id: a_1.h,v 1.7.206.1 2004/03/06 08:14:15 marka Exp $ */
-
-typedef struct dns_rdata_hs_a {
- dns_rdatacommon_t common;
- struct in_addr in_addr;
-} dns_rdata_hs_a_t;
-
-#endif /* HS_4_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
deleted file mode 100644
index ded70c12bda7..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
+++ /dev/null
@@ -1,461 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a6_38.c,v 1.46.2.1.2.5 2004/03/08 09:04:43 marka Exp $ */
-
-/* RFC2874 */
-
-#ifndef RDATA_IN_1_A6_28_C
-#define RDATA_IN_1_A6_28_C
-
-#include <isc/net.h>
-
-#define RRTYPE_A6_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_a6(ARGS_FROMTEXT) {
- isc_token_t token;
- unsigned char addr[16];
- unsigned char prefixlen;
- unsigned char octets;
- unsigned char mask;
- dns_name_t name;
- isc_buffer_t buffer;
- isc_boolean_t ok;
-
- REQUIRE(type == 38);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Prefix length.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 128U)
- RETTOK(ISC_R_RANGE);
-
- prefixlen = (unsigned char)token.value.as_ulong;
- RETERR(mem_tobuffer(target, &prefixlen, 1));
-
- /*
- * Suffix.
- */
- if (prefixlen != 128) {
- /*
- * Prefix 0..127.
- */
- octets = prefixlen/8;
- /*
- * Octets 0..15.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string,
- ISC_FALSE));
- if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
- RETTOK(DNS_R_BADAAAA);
- mask = 0xff >> (prefixlen % 8);
- addr[octets] &= mask;
- RETERR(mem_tobuffer(target, &addr[octets], 16 - octets));
- }
-
- if (prefixlen == 0)
- return (ISC_R_SUCCESS);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- ok = dns_name_ishostname(&name, ISC_FALSE);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_a6(ARGS_TOTEXT) {
- isc_region_t sr, ar;
- unsigned char addr[16];
- unsigned char prefixlen;
- unsigned char octets;
- unsigned char mask;
- char buf[sizeof("128")];
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 38);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
- prefixlen = sr.base[0];
- INSIST(prefixlen <= 128);
- isc_region_consume(&sr, 1);
- sprintf(buf, "%u", prefixlen);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- if (prefixlen != 128) {
- octets = prefixlen/8;
- memset(addr, 0, sizeof(addr));
- memcpy(&addr[octets], sr.base, 16 - octets);
- mask = 0xff >> (prefixlen % 8);
- addr[octets] &= mask;
- ar.base = addr;
- ar.length = sizeof(addr);
- RETERR(inet_totext(AF_INET6, &ar, target));
- isc_region_consume(&sr, 16 - octets);
- }
-
- if (prefixlen == 0)
- return (ISC_R_SUCCESS);
-
- RETERR(str_totext(" ", target));
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
- dns_name_fromregion(&name, &sr);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_a6(ARGS_FROMWIRE) {
- isc_region_t sr;
- unsigned char prefixlen;
- unsigned char octets;
- unsigned char mask;
- dns_name_t name;
-
- REQUIRE(type == 38);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- isc_buffer_activeregion(source, &sr);
- /*
- * Prefix length.
- */
- if (sr.length < 1)
- return (ISC_R_UNEXPECTEDEND);
- prefixlen = sr.base[0];
- if (prefixlen > 128)
- return (ISC_R_RANGE);
- isc_region_consume(&sr, 1);
- RETERR(mem_tobuffer(target, &prefixlen, 1));
- isc_buffer_forward(source, 1);
-
- /*
- * Suffix.
- */
- if (prefixlen != 128) {
- octets = 16 - prefixlen / 8;
- if (sr.length < octets)
- return (ISC_R_UNEXPECTEDEND);
- mask = 0xff >> (prefixlen % 8);
- sr.base[0] &= mask; /* Ensure pad bits are zero. */
- RETERR(mem_tobuffer(target, sr.base, octets));
- isc_buffer_forward(source, octets);
- }
-
- if (prefixlen == 0)
- return (ISC_R_SUCCESS);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_a6(ARGS_TOWIRE) {
- isc_region_t sr;
- dns_name_t name;
- dns_offsets_t offsets;
- unsigned char prefixlen;
- unsigned char octets;
-
- REQUIRE(rdata->type == 38);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_rdata_toregion(rdata, &sr);
- prefixlen = sr.base[0];
- INSIST(prefixlen <= 128);
-
- octets = 1 + 16 - prefixlen / 8;
- RETERR(mem_tobuffer(target, sr.base, octets));
- isc_region_consume(&sr, octets);
-
- if (prefixlen == 0)
- return (ISC_R_SUCCESS);
-
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_a6(ARGS_COMPARE) {
- int order;
- unsigned char prefixlen1, prefixlen2;
- unsigned char octets;
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 38);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
- prefixlen1 = region1.base[0];
- prefixlen2 = region2.base[0];
- isc_region_consume(&region1, 1);
- isc_region_consume(&region2, 1);
- if (prefixlen1 < prefixlen2)
- return (-1);
- else if (prefixlen1 > prefixlen2)
- return (1);
- /*
- * Prefix lengths are equal.
- */
- octets = 16 - prefixlen1 / 8;
-
- if (octets > 0) {
- order = memcmp(region1.base, region2.base, octets);
- if (order < 0)
- return (-1);
- else if (order > 0)
- return (1);
- /*
- * Address suffixes are equal.
- */
- if (prefixlen1 == 0)
- return (order);
- isc_region_consume(&region1, octets);
- isc_region_consume(&region2, octets);
- }
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_a6(ARGS_FROMSTRUCT) {
- dns_rdata_in_a6_t *a6 = source;
- isc_region_t region;
- int octets;
- isc_uint8_t bits;
- isc_uint8_t first;
- isc_uint8_t mask;
-
- REQUIRE(type == 38);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(a6->common.rdtype == type);
- REQUIRE(a6->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- if (a6->prefixlen > 128)
- return (ISC_R_RANGE);
-
- RETERR(uint8_tobuffer(a6->prefixlen, target));
-
- /* Suffix */
- if (a6->prefixlen != 128) {
- octets = 16 - a6->prefixlen / 8;
- bits = a6->prefixlen % 8;
- if (bits != 0) {
- mask = 0xffU >> bits;
- first = a6->in6_addr.s6_addr[16 - octets] & mask;
- RETERR(uint8_tobuffer(first, target));
- octets--;
- }
- if (octets > 0)
- RETERR(mem_tobuffer(target,
- a6->in6_addr.s6_addr + 16 - octets,
- octets));
- }
-
- if (a6->prefixlen == 0)
- return (ISC_R_SUCCESS);
- dns_name_toregion(&a6->prefix, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_a6(ARGS_TOSTRUCT) {
- dns_rdata_in_a6_t *a6 = target;
- unsigned char octets;
- dns_name_t name;
- isc_region_t r;
-
- REQUIRE(rdata->type == 38);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- a6->common.rdclass = rdata->rdclass;
- a6->common.rdtype = rdata->type;
- ISC_LINK_INIT(&a6->common, link);
-
- dns_rdata_toregion(rdata, &r);
-
- a6->prefixlen = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- memset(a6->in6_addr.s6_addr, 0, sizeof(a6->in6_addr.s6_addr));
-
- /*
- * Suffix.
- */
- if (a6->prefixlen != 128) {
- octets = 16 - a6->prefixlen / 8;
- INSIST(r.length >= octets);
- memcpy(a6->in6_addr.s6_addr + 16 - octets, r.base, octets);
- isc_region_consume(&r, octets);
- }
-
- /*
- * Prefix.
- */
- dns_name_init(&a6->prefix, NULL);
- if (a6->prefixlen != 0) {
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
- RETERR(name_duporclone(&name, mctx, &a6->prefix));
- }
- a6->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_a6(ARGS_FREESTRUCT) {
- dns_rdata_in_a6_t *a6 = source;
-
- REQUIRE(source != NULL);
- REQUIRE(a6->common.rdclass == 1);
- REQUIRE(a6->common.rdtype == 38);
-
- if (a6->mctx == NULL)
- return;
-
- if (dns_name_dynamic(&a6->prefix))
- dns_name_free(&a6->prefix, a6->mctx);
- a6->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_a6(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 38);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_a6(ARGS_DIGEST) {
- isc_region_t r1, r2;
- unsigned char prefixlen, octets;
- isc_result_t result;
- dns_name_t name;
-
- REQUIRE(rdata->type == 38);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- prefixlen = r1.base[0];
- octets = 1 + 16 - prefixlen / 8;
-
- r1.length = octets;
- result = (digest)(arg, &r1);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (prefixlen == 0)
- return (ISC_R_SUCCESS);
-
- isc_region_consume(&r2, octets);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_a6(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 38);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_a6(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
- unsigned int prefixlen;
-
- REQUIRE(rdata->type == 38);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- prefixlen = uint8_fromregion(&region);
- if (prefixlen == 0)
- return (ISC_TRUE);
- isc_region_consume(&region, 1 + 16 - prefixlen / 8);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_A6_38_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.h b/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
deleted file mode 100644
index 9134cedb0614..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_A6_38_H
-#define IN_1_A6_38_H 1
-
-/* $Id: a6_38.h,v 1.19.206.1 2004/03/06 08:14:15 marka Exp $ */
-
-/* RFC2874 */
-
-typedef struct dns_rdata_in_a6 {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t prefix;
- isc_uint8_t prefixlen;
- struct in6_addr in6_addr;
-} dns_rdata_in_a6_t;
-
-#endif /* IN_1_A6_38_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.c b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
deleted file mode 100644
index 30165c9045ff..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a_1.c
+++ /dev/null
@@ -1,236 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: a_1.c,v 1.46.12.5 2004/03/08 09:04:43 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
-
-#ifndef RDATA_IN_1_A_1_C
-#define RDATA_IN_1_A_1_C
-
-#include <string.h>
-
-#include <isc/net.h>
-
-#define RRTYPE_A_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_a(ARGS_FROMTEXT) {
- isc_token_t token;
- struct in_addr addr;
- isc_region_t region;
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(rdclass);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
- RETTOK(DNS_R_BADDOTTEDQUAD);
- isc_buffer_availableregion(target, &region);
- if (region.length < 4)
- return (ISC_R_NOSPACE);
- memcpy(region.base, &addr, 4);
- isc_buffer_add(target, 4);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_a(ARGS_TOTEXT) {
- isc_region_t region;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length == 4);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &region);
- return (inet_totext(AF_INET, &region, target));
-}
-
-static inline isc_result_t
-fromwire_in_a(ARGS_FROMWIRE) {
- isc_region_t sregion;
- isc_region_t tregion;
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(options);
- UNUSED(rdclass);
-
- isc_buffer_activeregion(source, &sregion);
- isc_buffer_availableregion(target, &tregion);
- if (sregion.length < 4)
- return (ISC_R_UNEXPECTEDEND);
- if (tregion.length < 4)
- return (ISC_R_NOSPACE);
-
- memcpy(tregion.base, sregion.base, 4);
- isc_buffer_forward(source, 4);
- isc_buffer_add(target, 4);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_a(ARGS_TOWIRE) {
- isc_region_t region;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length == 4);
-
- UNUSED(cctx);
-
- isc_buffer_availableregion(target, &region);
- if (region.length < rdata->length)
- return (ISC_R_NOSPACE);
- memcpy(region.base, rdata->data, rdata->length);
- isc_buffer_add(target, 4);
- return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_in_a(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 1);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length == 4);
- REQUIRE(rdata2->length == 4);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_a(ARGS_FROMSTRUCT) {
- dns_rdata_in_a_t *a = source;
- isc_uint32_t n;
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(a->common.rdtype == type);
- REQUIRE(a->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- n = ntohl(a->in_addr.s_addr);
-
- return (uint32_tobuffer(n, target));
-}
-
-
-static inline isc_result_t
-tostruct_in_a(ARGS_TOSTRUCT) {
- dns_rdata_in_a_t *a = target;
- isc_uint32_t n;
- isc_region_t region;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length == 4);
-
- UNUSED(mctx);
-
- a->common.rdclass = rdata->rdclass;
- a->common.rdtype = rdata->type;
- ISC_LINK_INIT(&a->common, link);
-
- dns_rdata_toregion(rdata, &region);
- n = uint32_fromregion(&region);
- a->in_addr.s_addr = htonl(n);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_a(ARGS_FREESTRUCT) {
- dns_rdata_in_a_t *a = source;
-
- REQUIRE(source != NULL);
- REQUIRE(a->common.rdtype == 1);
- REQUIRE(a->common.rdclass == 1);
-
- UNUSED(a);
-}
-
-static inline isc_result_t
-additionaldata_in_a(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_a(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_a(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 1);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_a(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 1);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.h b/contrib/bind9/lib/dns/rdata/in_1/a_1.h
deleted file mode 100644
index 34d74697f64c..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/a_1.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_A_1_H
-#define IN_1_A_1_H 1
-
-/* $Id: a_1.h,v 1.23.206.1 2004/03/06 08:14:16 marka Exp $ */
-
-typedef struct dns_rdata_in_a {
- dns_rdatacommon_t common;
- struct in_addr in_addr;
-} dns_rdata_in_a_t;
-
-#endif /* IN_1_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
deleted file mode 100644
index 489fe0153545..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
+++ /dev/null
@@ -1,233 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: aaaa_28.c,v 1.36.12.5 2004/03/08 09:04:44 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
-
-/* RFC 1886 */
-
-#ifndef RDATA_IN_1_AAAA_28_C
-#define RDATA_IN_1_AAAA_28_C
-
-#include <isc/net.h>
-
-#define RRTYPE_AAAA_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_aaaa(ARGS_FROMTEXT) {
- isc_token_t token;
- unsigned char addr[16];
- isc_region_t region;
-
- REQUIRE(type == 28);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
- RETTOK(DNS_R_BADAAAA);
- isc_buffer_availableregion(target, &region);
- if (region.length < 16)
- return (ISC_R_NOSPACE);
- memcpy(region.base, addr, 16);
- isc_buffer_add(target, 16);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_aaaa(ARGS_TOTEXT) {
- isc_region_t region;
-
- UNUSED(tctx);
-
- REQUIRE(rdata->type == 28);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length == 16);
-
- dns_rdata_toregion(rdata, &region);
- return (inet_totext(AF_INET6, &region, target));
-}
-
-static inline isc_result_t
-fromwire_in_aaaa(ARGS_FROMWIRE) {
- isc_region_t sregion;
- isc_region_t tregion;
-
- REQUIRE(type == 28);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(options);
- UNUSED(rdclass);
-
- isc_buffer_activeregion(source, &sregion);
- isc_buffer_availableregion(target, &tregion);
- if (sregion.length < 16)
- return (ISC_R_UNEXPECTEDEND);
- if (tregion.length < 16)
- return (ISC_R_NOSPACE);
-
- memcpy(tregion.base, sregion.base, 16);
- isc_buffer_forward(source, 16);
- isc_buffer_add(target, 16);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_aaaa(ARGS_TOWIRE) {
- isc_region_t region;
-
- UNUSED(cctx);
-
- REQUIRE(rdata->type == 28);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length == 16);
-
- isc_buffer_availableregion(target, &region);
- if (region.length < rdata->length)
- return (ISC_R_NOSPACE);
- memcpy(region.base, rdata->data, rdata->length);
- isc_buffer_add(target, 16);
- return (ISC_R_SUCCESS);
-}
-
-static inline int
-compare_in_aaaa(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 28);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length == 16);
- REQUIRE(rdata2->length == 16);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
- dns_rdata_in_aaaa_t *aaaa = source;
-
- REQUIRE(type == 28);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(aaaa->common.rdtype == type);
- REQUIRE(aaaa->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (mem_tobuffer(target, aaaa->in6_addr.s6_addr, 16));
-}
-
-static inline isc_result_t
-tostruct_in_aaaa(ARGS_TOSTRUCT) {
- dns_rdata_in_aaaa_t *aaaa = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 28);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length == 16);
-
- UNUSED(mctx);
-
- aaaa->common.rdclass = rdata->rdclass;
- aaaa->common.rdtype = rdata->type;
- ISC_LINK_INIT(&aaaa->common, link);
-
- dns_rdata_toregion(rdata, &r);
- INSIST(r.length == 16);
- memcpy(aaaa->in6_addr.s6_addr, r.base, 16);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_aaaa(ARGS_FREESTRUCT) {
- dns_rdata_in_aaaa_t *aaaa = source;
-
- REQUIRE(source != NULL);
- REQUIRE(aaaa->common.rdclass == 1);
- REQUIRE(aaaa->common.rdtype == 28);
-
- UNUSED(aaaa);
-}
-
-static inline isc_result_t
-additionaldata_in_aaaa(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 28);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_aaaa(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 28);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_aaaa(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 28);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_aaaa(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 28);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_AAAA_28_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
deleted file mode 100644
index e8a93195da13..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_AAAA_28_H
-#define IN_1_AAAA_28_H 1
-
-/* $Id: aaaa_28.h,v 1.16.206.1 2004/03/06 08:14:16 marka Exp $ */
-
-/* RFC 1886 */
-
-typedef struct dns_rdata_in_aaaa {
- dns_rdatacommon_t common;
- struct in6_addr in6_addr;
-} dns_rdata_in_aaaa_t;
-
-#endif /* IN_1_AAAA_28_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
deleted file mode 100644
index ac3956983d9f..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
+++ /dev/null
@@ -1,402 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: apl_42.c,v 1.4.200.8 2004/03/16 12:38:15 marka Exp $ */
-
-/* RFC 3123 */
-
-#ifndef RDATA_IN_1_APL_42_C
-#define RDATA_IN_1_APL_42_C
-
-#define RRTYPE_APL_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_apl(ARGS_FROMTEXT) {
- isc_token_t token;
- unsigned char addr[16];
- unsigned long afi;
- isc_uint8_t prefix;
- isc_uint8_t len;
- isc_boolean_t neg;
- char *cp, *ap, *slash;
- int n;
-
- REQUIRE(type == 42);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(callbacks);
-
- do {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string, ISC_TRUE));
- if (token.type != isc_tokentype_string)
- break;
-
- cp = DNS_AS_STR(token);
- neg = ISC_TF(*cp == '!');
- if (neg)
- cp++;
- afi = strtoul(cp, &ap, 10);
- if (*ap++ != ':' || cp == ap)
- RETTOK(DNS_R_SYNTAX);
- if (afi > 0xffffU)
- RETTOK(ISC_R_RANGE);
- slash = strchr(ap, '/');
- if (slash == NULL || slash == ap)
- RETTOK(DNS_R_SYNTAX);
- RETTOK(isc_parse_uint8(&prefix, slash + 1, 10));
- switch (afi) {
- case 1:
- *slash = '\0';
- n = inet_pton(AF_INET, ap, addr);
- *slash = '/';
- if (n != 1)
- RETTOK(DNS_R_BADDOTTEDQUAD);
- if (prefix > 32)
- RETTOK(ISC_R_RANGE);
- for (len = 4; len > 0; len--)
- if (addr[len - 1] != 0)
- break;
- break;
-
- case 2:
- *slash = '\0';
- n = inet_pton(AF_INET6, ap, addr);
- *slash = '/';
- if (n != 1)
- RETTOK(DNS_R_BADAAAA);
- if (prefix > 128)
- RETTOK(ISC_R_RANGE);
- for (len = 16; len > 0; len--)
- if (addr[len - 1] != 0)
- break;
- break;
-
- default:
- RETTOK(ISC_R_NOTIMPLEMENTED);
- }
- RETERR(uint16_tobuffer(afi, target));
- RETERR(uint8_tobuffer(prefix, target));
- RETERR(uint8_tobuffer(len | ((neg) ? 0x80 : 0), target));
- RETERR(mem_tobuffer(target, addr, len));
- } while (1);
-
- /*
- * Let upper layer handle eol/eof.
- */
- isc_lex_ungettoken(lexer, &token);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_apl(ARGS_TOTEXT) {
- isc_region_t sr;
- isc_region_t ir;
- isc_uint16_t afi;
- isc_uint8_t prefix;
- isc_uint8_t len;
- isc_boolean_t neg;
- unsigned char buf[16];
- char txt[sizeof(" !64000")];
- const char *sep = "";
- int n;
-
- REQUIRE(rdata->type == 42);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &sr);
- ir.base = buf;
- ir.length = sizeof(buf);
-
- while (sr.length > 0) {
- INSIST(sr.length >= 4);
- afi = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- prefix = *sr.base;
- isc_region_consume(&sr, 1);
- len = (*sr.base & 0x7f);
- neg = ISC_TF((*sr.base & 0x80) != 0);
- isc_region_consume(&sr, 1);
- INSIST(len <= sr.length);
- n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
- neg ? "!": "", afi);
- INSIST(n < (int)sizeof(txt));
- RETERR(str_totext(txt, target));
- switch (afi) {
- case 1:
- INSIST(len <= 4);
- INSIST(prefix <= 32);
- memset(buf, 0, sizeof(buf));
- memcpy(buf, sr.base, len);
- RETERR(inet_totext(AF_INET, &ir, target));
- break;
-
- case 2:
- INSIST(len <= 16);
- INSIST(prefix <= 128);
- memset(buf, 0, sizeof(buf));
- memcpy(buf, sr.base, len);
- RETERR(inet_totext(AF_INET6, &ir, target));
- break;
-
- default:
- return (ISC_R_NOTIMPLEMENTED);
- }
- n = snprintf(txt, sizeof(txt), "/%u", prefix);
- INSIST(n < (int)sizeof(txt));
- RETERR(str_totext(txt, target));
- isc_region_consume(&sr, len);
- sep = " ";
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_in_apl(ARGS_FROMWIRE) {
- isc_region_t sr, sr2;
- isc_region_t tr;
- isc_uint16_t afi;
- isc_uint8_t prefix;
- isc_uint8_t len;
-
- REQUIRE(type == 42);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(rdclass);
- UNUSED(options);
-
- isc_buffer_activeregion(source, &sr);
- isc_buffer_availableregion(target, &tr);
- if (sr.length > tr.length)
- return (ISC_R_NOSPACE);
- sr2 = sr;
-
- /* Zero or more items */
- while (sr.length > 0) {
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
- afi = uint16_fromregion(&sr);
- isc_region_consume(&sr, 2);
- prefix = *sr.base;
- isc_region_consume(&sr, 1);
- len = (*sr.base & 0x7f);
- isc_region_consume(&sr, 1);
- if (len > sr.length)
- return (ISC_R_UNEXPECTEDEND);
- switch (afi) {
- case 1:
- if (prefix > 32 || len > 4)
- return (ISC_R_RANGE);
- break;
- case 2:
- if (prefix > 128 || len > 16)
- return (ISC_R_RANGE);
- }
- if (len > 0 && sr.base[len - 1] == 0)
- return (DNS_R_FORMERR);
- isc_region_consume(&sr, len);
- }
- isc_buffer_forward(source, sr2.length);
- return (mem_tobuffer(target, sr2.base, sr2.length));
-}
-
-static inline isc_result_t
-towire_in_apl(ARGS_TOWIRE) {
- UNUSED(cctx);
-
- REQUIRE(rdata->type == 42);
- REQUIRE(rdata->rdclass == 1);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_in_apl(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 42);
- REQUIRE(rdata1->rdclass == 1);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_apl(ARGS_FROMSTRUCT) {
- dns_rdata_in_apl_t *apl = source;
- isc_buffer_t b;
-
- REQUIRE(type == 42);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(apl->common.rdtype == type);
- REQUIRE(apl->common.rdclass == rdclass);
- REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-
- isc_buffer_init(&b, apl->apl, apl->apl_len);
- isc_buffer_add(&b, apl->apl_len);
- isc_buffer_setactive(&b, apl->apl_len);
- return(fromwire_in_apl(rdclass, type, &b, NULL, ISC_FALSE, target));
-}
-
-static inline isc_result_t
-tostruct_in_apl(ARGS_TOSTRUCT) {
- dns_rdata_in_apl_t *apl = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 42);
- REQUIRE(rdata->rdclass == 1);
-
- apl->common.rdclass = rdata->rdclass;
- apl->common.rdtype = rdata->type;
- ISC_LINK_INIT(&apl->common, link);
-
- dns_rdata_toregion(rdata, &r);
- apl->apl_len = r.length;
- apl->apl = mem_maybedup(mctx, r.base, r.length);
- if (apl->apl == NULL)
- return (ISC_R_NOMEMORY);
-
- apl->offset = 0;
- apl->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_apl(ARGS_FREESTRUCT) {
- dns_rdata_in_apl_t *apl = source;
-
- REQUIRE(source != NULL);
- REQUIRE(apl->common.rdtype == 42);
- REQUIRE(apl->common.rdclass == 1);
-
- if (apl->mctx == NULL)
- return;
- if (apl->apl != NULL)
- isc_mem_free(apl->mctx, apl->apl);
- apl->mctx = NULL;
-}
-
-isc_result_t
-dns_rdata_apl_first(dns_rdata_in_apl_t *apl) {
- REQUIRE(apl->common.rdtype == 42);
- REQUIRE(apl->common.rdclass == 1);
- REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-
- apl->offset = 0;
- return ((apl->apl_len != 0) ? ISC_R_SUCCESS : ISC_R_NOMORE);
-}
-
-isc_result_t
-dns_rdata_apl_next(dns_rdata_in_apl_t *apl) {
- REQUIRE(apl->common.rdtype == 42);
- REQUIRE(apl->common.rdclass == 1);
- REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-
- if (apl->offset + 3 < apl->apl_len)
- return (ISC_R_NOMORE);
- apl->offset += apl->apl[apl->offset + 3] & 0x7f;
- return ((apl->offset >= apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE);
-}
-
-isc_result_t
-dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) {
-
- REQUIRE(apl->common.rdtype == 42);
- REQUIRE(apl->common.rdclass == 1);
- REQUIRE(ent != NULL);
- REQUIRE(apl->apl != NULL || apl->apl_len == 0);
-
- if (apl->offset >= apl->apl_len)
- return (ISC_R_NOMORE);
-
- ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1];
- ent->prefix = apl->apl[apl->offset + 2];
- ent->length = apl->apl[apl->offset + 3] & 0x7f;
- ent->negative = ISC_TF((apl->apl[apl->offset + 3] & 0x80) != 0);
- if (ent->length != 0)
- ent->data = &apl->apl[apl->offset + 4];
- else
- ent->data = NULL;
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-additionaldata_in_apl(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 42);
- REQUIRE(rdata->rdclass == 1);
-
- (void)add;
- (void)arg;
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_apl(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 42);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_apl(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 42);
- REQUIRE(rdclass == 1);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-
-static inline isc_boolean_t
-checknames_in_apl(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 42);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_APL_42_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.h b/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
deleted file mode 100644
index 83309a60e0ef..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_APL_42_H
-#define IN_1_APL_42_H 1
-
-/* $Id: apl_42.h,v 1.1.202.3 2004/03/08 09:04:44 marka Exp $ */
-
-typedef struct dns_rdata_apl_ent {
- isc_boolean_t negative;
- isc_uint16_t family;
- isc_uint8_t prefix;
- isc_uint8_t length;
- unsigned char *data;
-} dns_rdata_apl_ent_t;
-
-typedef struct dns_rdata_in_apl {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- /* type & class specific elements */
- unsigned char *apl;
- isc_uint16_t apl_len;
- /* private */
- isc_uint16_t offset;
-} dns_rdata_in_apl_t;
-
-/*
- * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
- * via rdatastructpre.h and rdatastructsuf.h.
- */
-
-isc_result_t
-dns_rdata_apl_first(dns_rdata_in_apl_t *);
-
-isc_result_t
-dns_rdata_apl_next(dns_rdata_in_apl_t *);
-
-isc_result_t
-dns_rdata_apl_current(dns_rdata_in_apl_t *, dns_rdata_apl_ent_t *);
-
-#endif /* IN_1_APL_42_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
deleted file mode 100644
index fee1e3d7a596..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
+++ /dev/null
@@ -1,288 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: kx_36.c,v 1.37.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
-
-/* RFC 2230 */
-
-#ifndef RDATA_IN_1_KX_36_C
-#define RDATA_IN_1_KX_36_C
-
-#define RRTYPE_KX_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_kx(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 36);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_kx(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- char buf[sizeof("64000")];
- unsigned short num;
-
- REQUIRE(rdata->type == 36);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
-
- RETERR(str_totext(" ", target));
-
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_kx(ARGS_FROMWIRE) {
- dns_name_t name;
- isc_region_t sregion;
-
- REQUIRE(type == 36);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
-
- isc_buffer_activeregion(source, &sregion);
- if (sregion.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sregion.base, 2));
- isc_buffer_forward(source, 2);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_kx(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 36);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_rdata_toregion(rdata, &region);
- RETERR(mem_tobuffer(target, region.base, 2));
- isc_region_consume(&region, 2);
-
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_kx(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 36);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- order = memcmp(rdata1->data, rdata2->data, 2);
- if (order != 0)
- return (order < 0 ? -1 : 1);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- isc_region_consume(&region1, 2);
- isc_region_consume(&region2, 2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_kx(ARGS_FROMSTRUCT) {
- dns_rdata_in_kx_t *kx = source;
- isc_region_t region;
-
- REQUIRE(type == 36);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(kx->common.rdtype == type);
- REQUIRE(kx->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(kx->preference, target));
- dns_name_toregion(&kx->exchange, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_kx(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_in_kx_t *kx = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 36);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- kx->common.rdclass = rdata->rdclass;
- kx->common.rdtype = rdata->type;
- ISC_LINK_INIT(&kx->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
-
- kx->preference = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
-
- dns_name_fromregion(&name, &region);
- dns_name_init(&kx->exchange, NULL);
- RETERR(name_duporclone(&name, mctx, &kx->exchange));
- kx->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_kx(ARGS_FREESTRUCT) {
- dns_rdata_in_kx_t *kx = source;
-
- REQUIRE(source != NULL);
- REQUIRE(kx->common.rdclass == 1);
- REQUIRE(kx->common.rdtype == 36);
-
- if (kx->mctx == NULL)
- return;
-
- dns_name_free(&kx->exchange, kx->mctx);
- kx->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_kx(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 36);
- REQUIRE(rdata->rdclass == 1);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 2);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_in_kx(ARGS_DIGEST) {
- isc_region_t r1, r2;
- dns_name_t name;
-
- REQUIRE(rdata->type == 36);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- isc_region_consume(&r2, 2);
- r1.length = 2;
- RETERR((digest)(arg, &r1));
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_kx(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 36);
- REQUIRE(rdclass == 1);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_kx(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 36);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_KX_36_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.h b/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
deleted file mode 100644
index 5ac328d9ab5a..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_KX_36_H
-#define IN_1_KX_36_H 1
-
-/* $Id: kx_36.h,v 1.15.206.1 2004/03/06 08:14:17 marka Exp $ */
-
-/* RFC 2230 */
-
-typedef struct dns_rdata_in_kx {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t preference;
- dns_name_t exchange;
-} dns_rdata_in_kx_t;
-
-#endif /* IN_1_KX_36_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
deleted file mode 100644
index f3c93c7c03d9..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
+++ /dev/null
@@ -1,578 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: naptr_35.c,v 1.43.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
-
-/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
-
-/* RFC 2915 */
-
-#ifndef RDATA_IN_1_NAPTR_35_C
-#define RDATA_IN_1_NAPTR_35_C
-
-#define RRTYPE_NAPTR_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_naptr(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 35);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Order.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Preference.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Flags.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
- ISC_FALSE));
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
-
- /*
- * Service.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
- ISC_FALSE));
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
-
- /*
- * Regexp.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
- ISC_FALSE));
- RETTOK(txt_fromtext(&token.value.as_textregion, target));
-
- /*
- * Replacement.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_naptr(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- char buf[sizeof("64000")];
- unsigned short num;
-
- REQUIRE(rdata->type == 35);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
-
- /*
- * Order.
- */
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Preference.
- */
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Flags.
- */
- RETERR(txt_totext(&region, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Service.
- */
- RETERR(txt_totext(&region, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Regexp.
- */
- RETERR(txt_totext(&region, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Replacement.
- */
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_naptr(ARGS_FROMWIRE) {
- dns_name_t name;
- isc_region_t sr;
-
- REQUIRE(type == 35);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
-
- /*
- * Order, preference.
- */
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 4)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sr.base, 4));
- isc_buffer_forward(source, 4);
-
- /*
- * Flags.
- */
- RETERR(txt_fromwire(source, target));
-
- /*
- * Service.
- */
- RETERR(txt_fromwire(source, target));
-
- /*
- * Regexp.
- */
- RETERR(txt_fromwire(source, target));
-
- /*
- * Replacement.
- */
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_naptr(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t sr;
-
- REQUIRE(rdata->type == 35);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- /*
- * Order, preference.
- */
- dns_rdata_toregion(rdata, &sr);
- RETERR(mem_tobuffer(target, sr.base, 4));
- isc_region_consume(&sr, 4);
-
- /*
- * Flags.
- */
- RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
- isc_region_consume(&sr, sr.base[0] + 1);
-
- /*
- * Service.
- */
- RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
- isc_region_consume(&sr, sr.base[0] + 1);
-
- /*
- * Regexp.
- */
- RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
- isc_region_consume(&sr, sr.base[0] + 1);
-
- /*
- * Replacement.
- */
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_naptr(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
- int order, len;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 35);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- /*
- * Order, preference.
- */
- order = memcmp(region1.base, region2.base, 4);
- if (order != 0)
- return (order < 0 ? -1 : 1);
- isc_region_consume(&region1, 4);
- isc_region_consume(&region2, 4);
-
- /*
- * Flags.
- */
- len = ISC_MIN(region1.base[0], region2.base[0]);
- order = memcmp(region1.base, region2.base, len + 1);
- if (order != 0)
- return (order < 0 ? -1 : 1);
- isc_region_consume(&region1, region1.base[0] + 1);
- isc_region_consume(&region2, region2.base[0] + 1);
-
- /*
- * Service.
- */
- len = ISC_MIN(region1.base[0], region2.base[0]);
- order = memcmp(region1.base, region2.base, len + 1);
- if (order != 0)
- return (order < 0 ? -1 : 1);
- isc_region_consume(&region1, region1.base[0] + 1);
- isc_region_consume(&region2, region2.base[0] + 1);
-
- /*
- * Regexp.
- */
- len = ISC_MIN(region1.base[0], region2.base[0]);
- order = memcmp(region1.base, region2.base, len + 1);
- if (order != 0)
- return (order < 0 ? -1 : 1);
- isc_region_consume(&region1, region1.base[0] + 1);
- isc_region_consume(&region2, region2.base[0] + 1);
-
- /*
- * Replacement.
- */
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_naptr(ARGS_FROMSTRUCT) {
- dns_rdata_in_naptr_t *naptr = source;
- isc_region_t region;
-
- REQUIRE(type == 35);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(naptr->common.rdtype == type);
- REQUIRE(naptr->common.rdclass == rdclass);
- REQUIRE(naptr->flags != NULL || naptr->flags_len == 0);
- REQUIRE(naptr->service != NULL && naptr->service_len == 0);
- REQUIRE(naptr->regexp != NULL && naptr->regexp_len == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(naptr->order, target));
- RETERR(uint16_tobuffer(naptr->preference, target));
- RETERR(uint8_tobuffer(naptr->flags_len, target));
- RETERR(mem_tobuffer(target, naptr->flags, naptr->flags_len));
- RETERR(uint8_tobuffer(naptr->service_len, target));
- RETERR(mem_tobuffer(target, naptr->service, naptr->service_len));
- RETERR(uint8_tobuffer(naptr->regexp_len, target));
- RETERR(mem_tobuffer(target, naptr->regexp, naptr->regexp_len));
- dns_name_toregion(&naptr->replacement, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_naptr(ARGS_TOSTRUCT) {
- dns_rdata_in_naptr_t *naptr = target;
- isc_region_t r;
- isc_result_t result;
- dns_name_t name;
-
- REQUIRE(rdata->type == 35);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- naptr->common.rdclass = rdata->rdclass;
- naptr->common.rdtype = rdata->type;
- ISC_LINK_INIT(&naptr->common, link);
-
- naptr->flags = NULL;
- naptr->service = NULL;
- naptr->regexp = NULL;
-
- dns_rdata_toregion(rdata, &r);
-
- naptr->order = uint16_fromregion(&r);
- isc_region_consume(&r, 2);
-
- naptr->preference = uint16_fromregion(&r);
- isc_region_consume(&r, 2);
-
- naptr->flags_len = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- INSIST(naptr->flags_len <= r.length);
- naptr->flags = mem_maybedup(mctx, r.base, naptr->flags_len);
- if (naptr->flags == NULL)
- goto cleanup;
- isc_region_consume(&r, naptr->flags_len);
-
- naptr->service_len = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- INSIST(naptr->service_len <= r.length);
- naptr->service = mem_maybedup(mctx, r.base, naptr->service_len);
- if (naptr->service == NULL)
- goto cleanup;
- isc_region_consume(&r, naptr->service_len);
-
- naptr->regexp_len = uint8_fromregion(&r);
- isc_region_consume(&r, 1);
- INSIST(naptr->regexp_len <= r.length);
- naptr->regexp = mem_maybedup(mctx, r.base, naptr->regexp_len);
- if (naptr->regexp == NULL)
- goto cleanup;
- isc_region_consume(&r, naptr->regexp_len);
-
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
- dns_name_init(&naptr->replacement, NULL);
- result = name_duporclone(&name, mctx, &naptr->replacement);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- naptr->mctx = mctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (mctx != NULL && naptr->flags != NULL)
- isc_mem_free(mctx, naptr->flags);
- if (mctx != NULL && naptr->service != NULL)
- isc_mem_free(mctx, naptr->service);
- if (mctx != NULL && naptr->regexp != NULL)
- isc_mem_free(mctx, naptr->regexp);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_in_naptr(ARGS_FREESTRUCT) {
- dns_rdata_in_naptr_t *naptr = source;
-
- REQUIRE(source != NULL);
- REQUIRE(naptr->common.rdclass == 1);
- REQUIRE(naptr->common.rdtype == 35);
-
- if (naptr->mctx == NULL)
- return;
-
- if (naptr->flags != NULL)
- isc_mem_free(naptr->mctx, naptr->flags);
- if (naptr->service != NULL)
- isc_mem_free(naptr->mctx, naptr->service);
- if (naptr->regexp != NULL)
- isc_mem_free(naptr->mctx, naptr->regexp);
- dns_name_free(&naptr->replacement, naptr->mctx);
- naptr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_naptr(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t sr;
- dns_rdatatype_t atype;
- unsigned int i, flagslen;
- char *cp;
-
- REQUIRE(rdata->type == 35);
- REQUIRE(rdata->rdclass == 1);
-
- /*
- * Order, preference.
- */
- dns_rdata_toregion(rdata, &sr);
- isc_region_consume(&sr, 4);
-
- /*
- * Flags.
- */
- atype = 0;
- flagslen = sr.base[0];
- cp = (char *)&sr.base[1];
- for (i = 0; i < flagslen; i++, cp++) {
- if (*cp == 'S' || *cp == 's') {
- atype = dns_rdatatype_srv;
- break;
- }
- if (*cp == 'A' || *cp == 'a') {
- atype = dns_rdatatype_a;
- break;
- }
- }
- isc_region_consume(&sr, flagslen + 1);
-
- /*
- * Service.
- */
- isc_region_consume(&sr, sr.base[0] + 1);
-
- /*
- * Regexp.
- */
- isc_region_consume(&sr, sr.base[0] + 1);
-
- /*
- * Replacement.
- */
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
-
- if (atype != 0)
- return ((add)(arg, &name, atype));
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_naptr(ARGS_DIGEST) {
- isc_region_t r1, r2;
- unsigned int length, n;
- isc_result_t result;
- dns_name_t name;
-
- REQUIRE(rdata->type == 35);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- length = 0;
-
- /*
- * Order, preference.
- */
- length += 4;
- isc_region_consume(&r2, 4);
-
- /*
- * Flags.
- */
- n = r2.base[0] + 1;
- length += n;
- isc_region_consume(&r2, n);
-
- /*
- * Service.
- */
- n = r2.base[0] + 1;
- length += n;
- isc_region_consume(&r2, n);
-
- /*
- * Regexp.
- */
- n = r2.base[0] + 1;
- length += n;
- isc_region_consume(&r2, n);
-
- /*
- * Digest the RR up to the replacement name.
- */
- r1.length = length;
- result = (digest)(arg, &r1);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Replacement.
- */
-
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_naptr(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 35);
- REQUIRE(rdclass == 1);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_naptr(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 35);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_NAPTR_35_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
deleted file mode 100644
index b1deb2cef50f..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_NAPTR_35_H
-#define IN_1_NAPTR_35_H 1
-
-/* $Id: naptr_35.h,v 1.18.206.1 2004/03/06 08:14:17 marka Exp $ */
-
-/* RFC 2915 */
-
-typedef struct dns_rdata_in_naptr {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t order;
- isc_uint16_t preference;
- char *flags;
- isc_uint8_t flags_len;
- char *service;
- isc_uint8_t service_len;
- char *regexp;
- isc_uint8_t regexp_len;
- dns_name_t replacement;
-} dns_rdata_in_naptr_t;
-
-#endif /* IN_1_NAPTR_35_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
deleted file mode 100644
index 0fa0fb25e385..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ /dev/null
@@ -1,245 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsap-ptr_23.c,v 1.32.206.2 2004/03/06 08:14:17 marka Exp $ */
-
-/* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
-
-/* RFC 1348. Obsoleted in RFC 1706 - use PTR instead. */
-
-#ifndef RDATA_IN_1_NSAP_PTR_23_C
-#define RDATA_IN_1_NSAP_PTR_23_C
-
-#define RRTYPE_NSAP_PTR_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_nsap_ptr(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 23);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_nsap_ptr(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
-
- REQUIRE(rdata->type == 23);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- sub = name_prefix(&name, tctx->origin, &prefix);
-
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_nsap_ptr(ARGS_FROMWIRE) {
- dns_name_t name;
-
- REQUIRE(type == 23);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_nsap_ptr(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 23);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
-
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_nsap_ptr(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 23);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
- dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
- isc_region_t region;
-
- REQUIRE(type == 23);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(nsap_ptr->common.rdtype == type);
- REQUIRE(nsap_ptr->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_name_toregion(&nsap_ptr->owner, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
- dns_name_t name;
-
- REQUIRE(rdata->type == 23);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- nsap_ptr->common.rdclass = rdata->rdclass;
- nsap_ptr->common.rdtype = rdata->type;
- ISC_LINK_INIT(&nsap_ptr->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- dns_name_fromregion(&name, &region);
- dns_name_init(&nsap_ptr->owner, NULL);
- RETERR(name_duporclone(&name, mctx, &nsap_ptr->owner));
- nsap_ptr->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_nsap_ptr(ARGS_FREESTRUCT) {
- dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
-
- REQUIRE(source != NULL);
- REQUIRE(nsap_ptr->common.rdclass == 1);
- REQUIRE(nsap_ptr->common.rdtype == 23);
-
- if (nsap_ptr->mctx == NULL)
- return;
-
- dns_name_free(&nsap_ptr->owner, nsap_ptr->mctx);
- nsap_ptr->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_nsap_ptr(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 23);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_nsap_ptr(ARGS_DIGEST) {
- isc_region_t r;
- dns_name_t name;
-
- REQUIRE(rdata->type == 23);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_nsap_ptr(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 23);
- REQUIRE(rdclass == 1);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 23);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_NSAP_PTR_23_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
deleted file mode 100644
index 9bf3c6564e15..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_NSAP_PTR_23_H
-#define IN_1_NSAP_PTR_23_H 1
-
-/* $Id: nsap-ptr_23.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
-
-/* RFC 1348. Obsoleted in RFC 1706 - use PTR instead. */
-
-typedef struct dns_rdata_in_nsap_ptr {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- dns_name_t owner;
-} dns_rdata_in_nsap_ptr_t;
-
-#endif /* IN_1_NSAP_PTR_23_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
deleted file mode 100644
index 594b97fb6318..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: nsap_22.c,v 1.33.12.5 2004/03/08 09:04:44 marka Exp $ */
-
-/* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
-
-/* RFC 1706 */
-
-#ifndef RDATA_IN_1_NSAP_22_C
-#define RDATA_IN_1_NSAP_22_C
-
-#define RRTYPE_NSAP_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_nsap(ARGS_FROMTEXT) {
- isc_token_t token;
- isc_textregion_t *sr;
- int n;
- int digits;
- unsigned char c = 0;
-
- REQUIRE(type == 22);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /* 0x<hex.string.with.periods> */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- sr = &token.value.as_textregion;
- if (sr->length < 2)
- RETTOK(ISC_R_UNEXPECTEDEND);
- if (sr->base[0] != '0' || (sr->base[1] != 'x' && sr->base[1] != 'X'))
- RETTOK(DNS_R_SYNTAX);
- isc_textregion_consume(sr, 2);
- digits = 0;
- n = 0;
- while (sr->length > 0) {
- if (sr->base[0] == '.') {
- isc_textregion_consume(sr, 1);
- continue;
- }
- if ((n = hexvalue(sr->base[0])) == -1)
- RETTOK(DNS_R_SYNTAX);
- c <<= 4;
- c += n;
- if (++digits == 2) {
- RETERR(mem_tobuffer(target, &c, 1));
- digits = 0;
- }
- isc_textregion_consume(sr, 1);
- }
- if (digits)
- RETTOK(ISC_R_UNEXPECTEDEND);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_nsap(ARGS_TOTEXT) {
- isc_region_t region;
- char buf[sizeof("xx")];
-
- REQUIRE(rdata->type == 22);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- UNUSED(tctx);
-
- dns_rdata_toregion(rdata, &region);
- RETERR(str_totext("0x", target));
- while (region.length != 0) {
- sprintf(buf, "%02x", region.base[0]);
- isc_region_consume(&region, 1);
- RETERR(str_totext(buf, target));
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_in_nsap(ARGS_FROMWIRE) {
- isc_region_t region;
-
- REQUIRE(type == 22);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(options);
- UNUSED(rdclass);
-
- isc_buffer_activeregion(source, &region);
- if (region.length < 1)
- return (ISC_R_UNEXPECTEDEND);
-
- RETERR(mem_tobuffer(target, region.base, region.length));
- isc_buffer_forward(source, region.length);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_nsap(ARGS_TOWIRE) {
- REQUIRE(rdata->type == 22);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- UNUSED(cctx);
-
- return (mem_tobuffer(target, rdata->data, rdata->length));
-}
-
-static inline int
-compare_in_nsap(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 22);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_nsap(ARGS_FROMSTRUCT) {
- dns_rdata_in_nsap_t *nsap = source;
-
- REQUIRE(type == 22);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(nsap->common.rdtype == type);
- REQUIRE(nsap->common.rdclass == rdclass);
- REQUIRE(nsap->nsap != NULL || nsap->nsap_len == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (mem_tobuffer(target, nsap->nsap, nsap->nsap_len));
-}
-
-static inline isc_result_t
-tostruct_in_nsap(ARGS_TOSTRUCT) {
- dns_rdata_in_nsap_t *nsap = target;
- isc_region_t r;
-
- REQUIRE(rdata->type == 22);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- nsap->common.rdclass = rdata->rdclass;
- nsap->common.rdtype = rdata->type;
- ISC_LINK_INIT(&nsap->common, link);
-
- dns_rdata_toregion(rdata, &r);
- nsap->nsap_len = r.length;
- nsap->nsap = mem_maybedup(mctx, r.base, r.length);
- if (nsap->nsap == NULL)
- return (ISC_R_NOMEMORY);
-
- nsap->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_nsap(ARGS_FREESTRUCT) {
- dns_rdata_in_nsap_t *nsap = source;
-
- REQUIRE(source != NULL);
- REQUIRE(nsap->common.rdclass == 1);
- REQUIRE(nsap->common.rdtype == 22);
-
- if (nsap->mctx == NULL)
- return;
-
- if (nsap->nsap != NULL)
- isc_mem_free(nsap->mctx, nsap->nsap);
- nsap->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_nsap(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 22);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_nsap(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 22);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_nsap(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 22);
- REQUIRE(rdclass == 1);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_nsap(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 22);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_NSAP_22_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
deleted file mode 100644
index 646743356c4e..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_NSAP_22_H
-#define IN_1_NSAP_22_H 1
-
-/* $Id: nsap_22.h,v 1.13.206.1 2004/03/06 08:14:18 marka Exp $ */
-
-/* RFC 1706 */
-
-typedef struct dns_rdata_in_nsap {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- unsigned char *nsap;
- isc_uint16_t nsap_len;
-} dns_rdata_in_nsap_t;
-
-#endif /* IN_1_NSAP_22_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.c b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
deleted file mode 100644
index 66214dd4bdad..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/px_26.c
+++ /dev/null
@@ -1,374 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: px_26.c,v 1.34.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
-
-/* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
-
-/* RFC 2163 */
-
-#ifndef RDATA_IN_1_PX_26_C
-#define RDATA_IN_1_PX_26_C
-
-#define RRTYPE_PX_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_px(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
-
- REQUIRE(type == 26);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Preference.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * MAP822.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
-
- /*
- * MAPX400.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_px(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- char buf[sizeof("64000")];
- unsigned short num;
-
- REQUIRE(rdata->type == 26);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- /*
- * Preference.
- */
- dns_rdata_toregion(rdata, &region);
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * MAP822.
- */
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- isc_region_consume(&region, name_length(&name));
- RETERR(dns_name_totext(&prefix, sub, target));
- RETERR(str_totext(" ", target));
-
- /*
- * MAPX400.
- */
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return(dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_px(ARGS_FROMWIRE) {
- dns_name_t name;
- isc_region_t sregion;
-
- REQUIRE(type == 26);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
-
- /*
- * Preference.
- */
- isc_buffer_activeregion(source, &sregion);
- if (sregion.length < 2)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sregion.base, 2));
- isc_buffer_forward(source, 2);
-
- /*
- * MAP822.
- */
- RETERR(dns_name_fromwire(&name, source, dctx, options, target));
-
- /*
- * MAPX400.
- */
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_px(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 26);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- /*
- * Preference.
- */
- dns_rdata_toregion(rdata, &region);
- RETERR(mem_tobuffer(target, region.base, 2));
- isc_region_consume(&region, 2);
-
- /*
- * MAP822.
- */
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &region);
- RETERR(dns_name_towire(&name, cctx, target));
- isc_region_consume(&region, name_length(&name));
-
- /*
- * MAPX400.
- */
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &region);
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_px(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 26);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- order = memcmp(rdata1->data, rdata2->data, 2);
- if (order != 0)
- return (order < 0 ? -1 : 1);
-
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- isc_region_consume(&region1, 2);
- isc_region_consume(&region2, 2);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- order = dns_name_rdatacompare(&name1, &name2);
- if (order != 0)
- return (order);
-
- isc_region_consume(&region1, name_length(&name1));
- isc_region_consume(&region2, name_length(&name2));
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_px(ARGS_FROMSTRUCT) {
- dns_rdata_in_px_t *px = source;
- isc_region_t region;
-
- REQUIRE(type == 26);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(px->common.rdtype == type);
- REQUIRE(px->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(px->preference, target));
- dns_name_toregion(&px->map822, &region);
- RETERR(isc_buffer_copyregion(target, &region));
- dns_name_toregion(&px->mapx400, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_px(ARGS_TOSTRUCT) {
- dns_rdata_in_px_t *px = target;
- dns_name_t name;
- isc_region_t region;
- isc_result_t result;
-
- REQUIRE(rdata->type == 26);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- px->common.rdclass = rdata->rdclass;
- px->common.rdtype = rdata->type;
- ISC_LINK_INIT(&px->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
-
- px->preference = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
-
- dns_name_fromregion(&name, &region);
-
- dns_name_init(&px->map822, NULL);
- RETERR(name_duporclone(&name, mctx, &px->map822));
- isc_region_consume(&region, name_length(&px->map822));
-
- dns_name_init(&px->mapx400, NULL);
- result = name_duporclone(&name, mctx, &px->mapx400);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- px->mctx = mctx;
- return (result);
-
- cleanup:
- dns_name_free(&px->map822, mctx);
- return (ISC_R_NOMEMORY);
-}
-
-static inline void
-freestruct_in_px(ARGS_FREESTRUCT) {
- dns_rdata_in_px_t *px = source;
-
- REQUIRE(source != NULL);
- REQUIRE(px->common.rdclass == 1);
- REQUIRE(px->common.rdtype == 26);
-
- if (px->mctx == NULL)
- return;
-
- dns_name_free(&px->map822, px->mctx);
- dns_name_free(&px->mapx400, px->mctx);
- px->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_px(ARGS_ADDLDATA) {
- REQUIRE(rdata->type == 26);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_px(ARGS_DIGEST) {
- isc_region_t r1, r2;
- dns_name_t name;
- isc_result_t result;
-
- REQUIRE(rdata->type == 26);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- isc_region_consume(&r2, 2);
- r1.length = 2;
- result = (digest)(arg, &r1);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
- result = dns_name_digest(&name, digest, arg);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_region_consume(&r2, name_length(&name));
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
-
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_px(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 26);
- REQUIRE(rdclass == 1);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_px(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 26);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_PX_26_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.h b/contrib/bind9/lib/dns/rdata/in_1/px_26.h
deleted file mode 100644
index 79d4b189fbc2..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/px_26.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_PX_26_H
-#define IN_1_PX_26_H 1
-
-/* $Id: px_26.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
-
-/* RFC 2163 */
-
-typedef struct dns_rdata_in_px {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t preference;
- dns_name_t map822;
- dns_name_t mapx400;
-} dns_rdata_in_px_t;
-
-#endif /* IN_1_PX_26_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
deleted file mode 100644
index 7bcba1b74c4c..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
+++ /dev/null
@@ -1,373 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: srv_33.c,v 1.36.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
-
-/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
-
-/* RFC 2782 */
-
-#ifndef RDATA_IN_1_SRV_33_C
-#define RDATA_IN_1_SRV_33_C
-
-#define RRTYPE_SRV_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_srv(ARGS_FROMTEXT) {
- isc_token_t token;
- dns_name_t name;
- isc_buffer_t buffer;
- isc_boolean_t ok;
-
- REQUIRE(type == 33);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(callbacks);
-
- /*
- * Priority.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Weight.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Port.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
- ISC_FALSE));
- if (token.value.as_ulong > 0xffffU)
- RETTOK(ISC_R_RANGE);
- RETERR(uint16_tobuffer(token.value.as_ulong, target));
-
- /*
- * Target.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
- dns_name_init(&name, NULL);
- buffer_fromregion(&buffer, &token.value.as_region);
- origin = (origin != NULL) ? origin : dns_rootname;
- RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
- ok = ISC_TRUE;
- if ((options & DNS_RDATA_CHECKNAMES) != 0)
- ok = dns_name_ishostname(&name, ISC_FALSE);
- if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
- RETTOK(DNS_R_BADNAME);
- if (!ok && callbacks != NULL)
- warn_badname(&name, lexer, callbacks);
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-totext_in_srv(ARGS_TOTEXT) {
- isc_region_t region;
- dns_name_t name;
- dns_name_t prefix;
- isc_boolean_t sub;
- char buf[sizeof("64000")];
- unsigned short num;
-
- REQUIRE(rdata->type == 33);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_name_init(&name, NULL);
- dns_name_init(&prefix, NULL);
-
- /*
- * Priority.
- */
- dns_rdata_toregion(rdata, &region);
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Weight.
- */
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Port.
- */
- num = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- sprintf(buf, "%u", num);
- RETERR(str_totext(buf, target));
- RETERR(str_totext(" ", target));
-
- /*
- * Target.
- */
- dns_name_fromregion(&name, &region);
- sub = name_prefix(&name, tctx->origin, &prefix);
- return (dns_name_totext(&prefix, sub, target));
-}
-
-static inline isc_result_t
-fromwire_in_srv(ARGS_FROMWIRE) {
- dns_name_t name;
- isc_region_t sr;
-
- REQUIRE(type == 33);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
-
- dns_name_init(&name, NULL);
-
- /*
- * Priority, weight, port.
- */
- isc_buffer_activeregion(source, &sr);
- if (sr.length < 6)
- return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, sr.base, 6));
- isc_buffer_forward(source, 6);
-
- /*
- * Target.
- */
- return (dns_name_fromwire(&name, source, dctx, options, target));
-}
-
-static inline isc_result_t
-towire_in_srv(ARGS_TOWIRE) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t sr;
-
- REQUIRE(rdata->type == 33);
- REQUIRE(rdata->length != 0);
-
- dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
- /*
- * Priority, weight, port.
- */
- dns_rdata_toregion(rdata, &sr);
- RETERR(mem_tobuffer(target, sr.base, 6));
- isc_region_consume(&sr, 6);
-
- /*
- * Target.
- */
- dns_name_init(&name, offsets);
- dns_name_fromregion(&name, &sr);
- return (dns_name_towire(&name, cctx, target));
-}
-
-static inline int
-compare_in_srv(ARGS_COMPARE) {
- dns_name_t name1;
- dns_name_t name2;
- isc_region_t region1;
- isc_region_t region2;
- int order;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 33);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- /*
- * Priority, weight, port.
- */
- order = memcmp(rdata1->data, rdata2->data, 6);
- if (order != 0)
- return (order < 0 ? -1 : 1);
-
- /*
- * Target.
- */
- dns_name_init(&name1, NULL);
- dns_name_init(&name2, NULL);
-
- dns_rdata_toregion(rdata1, &region1);
- dns_rdata_toregion(rdata2, &region2);
-
- isc_region_consume(&region1, 6);
- isc_region_consume(&region2, 6);
-
- dns_name_fromregion(&name1, &region1);
- dns_name_fromregion(&name2, &region2);
-
- return (dns_name_rdatacompare(&name1, &name2));
-}
-
-static inline isc_result_t
-fromstruct_in_srv(ARGS_FROMSTRUCT) {
- dns_rdata_in_srv_t *srv = source;
- isc_region_t region;
-
- REQUIRE(type == 33);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(srv->common.rdtype == type);
- REQUIRE(srv->common.rdclass == rdclass);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- RETERR(uint16_tobuffer(srv->priority, target));
- RETERR(uint16_tobuffer(srv->weight, target));
- RETERR(uint16_tobuffer(srv->port, target));
- dns_name_toregion(&srv->target, &region);
- return (isc_buffer_copyregion(target, &region));
-}
-
-static inline isc_result_t
-tostruct_in_srv(ARGS_TOSTRUCT) {
- isc_region_t region;
- dns_rdata_in_srv_t *srv = target;
- dns_name_t name;
-
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->type == 33);
- REQUIRE(target != NULL);
- REQUIRE(rdata->length != 0);
-
- srv->common.rdclass = rdata->rdclass;
- srv->common.rdtype = rdata->type;
- ISC_LINK_INIT(&srv->common, link);
-
- dns_name_init(&name, NULL);
- dns_rdata_toregion(rdata, &region);
- srv->priority = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- srv->weight = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- srv->port = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- dns_name_fromregion(&name, &region);
- dns_name_init(&srv->target, NULL);
- RETERR(name_duporclone(&name, mctx, &srv->target));
- srv->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_srv(ARGS_FREESTRUCT) {
- dns_rdata_in_srv_t *srv = source;
-
- REQUIRE(source != NULL);
- REQUIRE(srv->common.rdclass == 1);
- REQUIRE(srv->common.rdtype == 33);
-
- if (srv->mctx == NULL)
- return;
-
- dns_name_free(&srv->target, srv->mctx);
- srv->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_srv(ARGS_ADDLDATA) {
- dns_name_t name;
- dns_offsets_t offsets;
- isc_region_t region;
-
- REQUIRE(rdata->type == 33);
- REQUIRE(rdata->rdclass == 1);
-
- dns_name_init(&name, offsets);
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 6);
- dns_name_fromregion(&name, &region);
-
- return ((add)(arg, &name, dns_rdatatype_a));
-}
-
-static inline isc_result_t
-digest_in_srv(ARGS_DIGEST) {
- isc_region_t r1, r2;
- dns_name_t name;
-
- REQUIRE(rdata->type == 33);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r1);
- r2 = r1;
- isc_region_consume(&r2, 6);
- r1.length = 6;
- RETERR((digest)(arg, &r1));
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &r2);
- return (dns_name_digest(&name, digest, arg));
-}
-
-static inline isc_boolean_t
-checkowner_in_srv(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 33);
- REQUIRE(rdclass == 1);
-
- UNUSED(name);
- UNUSED(type);
- UNUSED(rdclass);
- UNUSED(wildcard);
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-checknames_in_srv(ARGS_CHECKNAMES) {
- isc_region_t region;
- dns_name_t name;
-
- REQUIRE(rdata->type == 33);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(owner);
-
- dns_rdata_toregion(rdata, &region);
- isc_region_consume(&region, 6);
- dns_name_init(&name, NULL);
- dns_name_fromregion(&name, &region);
- if (!dns_name_ishostname(&name, ISC_FALSE)) {
- if (bad != NULL)
- dns_name_clone(&name, bad);
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_SRV_33_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.h b/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
deleted file mode 100644
index 91dbf37345cd..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_SRV_33_H
-#define IN_1_SRV_33_H 1
-
-/* $Id: srv_33.h,v 1.14.206.1 2004/03/06 08:14:19 marka Exp $ */
-
-/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
-
-/* RFC 2782 */
-
-typedef struct dns_rdata_in_srv {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- isc_uint16_t priority;
- isc_uint16_t weight;
- isc_uint16_t port;
- dns_name_t target;
-} dns_rdata_in_srv_t;
-
-#endif /* IN_1_SRV_33_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
deleted file mode 100644
index c27868602de6..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
+++ /dev/null
@@ -1,349 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: wks_11.c,v 1.44.12.8 2004/09/16 01:00:58 marka Exp $ */
-
-/* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
-
-#ifndef RDATA_IN_1_WKS_11_C
-#define RDATA_IN_1_WKS_11_C
-
-#include <limits.h>
-#include <stdlib.h>
-
-#include <isc/net.h>
-#include <isc/netdb.h>
-
-#define RRTYPE_WKS_ATTRIBUTES (0)
-
-static inline isc_result_t
-fromtext_in_wks(ARGS_FROMTEXT) {
- isc_token_t token;
- isc_region_t region;
- struct in_addr addr;
- struct protoent *pe;
- struct servent *se;
- char *e;
- long proto;
- unsigned char bm[8*1024]; /* 64k bits */
- long port;
- long maxport = -1;
- const char *ps = NULL;
- unsigned int n;
- char service[32];
- int i;
-
- REQUIRE(type == 11);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(origin);
- UNUSED(options);
- UNUSED(rdclass);
-
- /*
- * IPv4 dotted quad.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- isc_buffer_availableregion(target, &region);
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
- RETTOK(DNS_R_BADDOTTEDQUAD);
- if (region.length < 4)
- return (ISC_R_NOSPACE);
- memcpy(region.base, &addr, 4);
- isc_buffer_add(target, 4);
-
- /*
- * Protocol.
- */
- RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
- ISC_FALSE));
-
- proto = strtol(DNS_AS_STR(token), &e, 10);
- if (*e == 0)
- ;
- else if ((pe = getprotobyname(DNS_AS_STR(token))) != NULL)
- proto = pe->p_proto;
- else
- RETTOK(DNS_R_UNKNOWNPROTO);
- if (proto < 0 || proto > 0xff)
- RETTOK(ISC_R_RANGE);
-
- if (proto == IPPROTO_TCP)
- ps = "tcp";
- else if (proto == IPPROTO_UDP)
- ps = "udp";
-
- RETERR(uint8_tobuffer(proto, target));
-
- memset(bm, 0, sizeof(bm));
- do {
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string, ISC_TRUE));
- if (token.type != isc_tokentype_string)
- break;
-
- /*
- * Lowercase the service string as some getservbyname() are
- * case sensitive and the database is usually in lowercase.
- */
- strncpy(service, DNS_AS_STR(token), sizeof(service));
- service[sizeof(service)-1] = '\0';
- for (i = strlen(service) - 1; i >= 0; i--)
- if (isupper(service[i]&0xff))
- service[i] = tolower(service[i]&0xff);
-
- port = strtol(DNS_AS_STR(token), &e, 10);
- if (*e == 0)
- ;
- else if ((se = getservbyname(service, ps)) != NULL)
- port = ntohs(se->s_port);
- else if ((se = getservbyname(DNS_AS_STR(token), ps))
- != NULL)
- port = ntohs(se->s_port);
- else
- RETTOK(DNS_R_UNKNOWNSERVICE);
- if (port < 0 || port > 0xffff)
- RETTOK(ISC_R_RANGE);
- if (port > maxport)
- maxport = port;
- bm[port / 8] |= (0x80 >> (port % 8));
- } while (1);
-
- /*
- * Let upper layer handle eol/eof.
- */
- isc_lex_ungettoken(lexer, &token);
-
- n = (maxport + 8) / 8;
- return (mem_tobuffer(target, bm, n));
-}
-
-static inline isc_result_t
-totext_in_wks(ARGS_TOTEXT) {
- isc_region_t sr;
- unsigned short proto;
- char buf[sizeof("65535")];
- unsigned int i, j;
-
- UNUSED(tctx);
-
- REQUIRE(rdata->type == 11);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length >= 5);
-
- dns_rdata_toregion(rdata, &sr);
- RETERR(inet_totext(AF_INET, &sr, target));
- isc_region_consume(&sr, 4);
-
- proto = uint8_fromregion(&sr);
- sprintf(buf, "%u", proto);
- RETERR(str_totext(" ", target));
- RETERR(str_totext(buf, target));
- isc_region_consume(&sr, 1);
-
- for (i = 0; i < sr.length; i++) {
- if (sr.base[i] != 0)
- for (j = 0; j < 8; j++)
- if ((sr.base[i] & (0x80 >> j)) != 0) {
- sprintf(buf, "%u", i * 8 + j);
- RETERR(str_totext(" ", target));
- RETERR(str_totext(buf, target));
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-fromwire_in_wks(ARGS_FROMWIRE) {
- isc_region_t sr;
- isc_region_t tr;
-
- REQUIRE(type == 11);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(dctx);
- UNUSED(options);
- UNUSED(rdclass);
-
- isc_buffer_activeregion(source, &sr);
- isc_buffer_availableregion(target, &tr);
-
- if (sr.length < 5)
- return (ISC_R_UNEXPECTEDEND);
- if (sr.length > 8 * 1024 + 5)
- return (DNS_R_EXTRADATA);
- if (tr.length < sr.length)
- return (ISC_R_NOSPACE);
-
- memcpy(tr.base, sr.base, sr.length);
- isc_buffer_add(target, sr.length);
- isc_buffer_forward(source, sr.length);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-towire_in_wks(ARGS_TOWIRE) {
- isc_region_t sr;
-
- UNUSED(cctx);
-
- REQUIRE(rdata->type == 11);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- dns_rdata_toregion(rdata, &sr);
- return (mem_tobuffer(target, sr.base, sr.length));
-}
-
-static inline int
-compare_in_wks(ARGS_COMPARE) {
- isc_region_t r1;
- isc_region_t r2;
-
- REQUIRE(rdata1->type == rdata2->type);
- REQUIRE(rdata1->rdclass == rdata2->rdclass);
- REQUIRE(rdata1->type == 11);
- REQUIRE(rdata1->rdclass == 1);
- REQUIRE(rdata1->length != 0);
- REQUIRE(rdata2->length != 0);
-
- dns_rdata_toregion(rdata1, &r1);
- dns_rdata_toregion(rdata2, &r2);
- return (isc_region_compare(&r1, &r2));
-}
-
-static inline isc_result_t
-fromstruct_in_wks(ARGS_FROMSTRUCT) {
- dns_rdata_in_wks_t *wks = source;
- isc_uint32_t a;
-
- REQUIRE(type == 11);
- REQUIRE(rdclass == 1);
- REQUIRE(source != NULL);
- REQUIRE(wks->common.rdtype == type);
- REQUIRE(wks->common.rdclass == rdclass);
- REQUIRE(wks->map != NULL || wks->map_len == 0);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- a = ntohl(wks->in_addr.s_addr);
- RETERR(uint32_tobuffer(a, target));
- RETERR(uint16_tobuffer(wks->protocol, target));
- return (mem_tobuffer(target, wks->map, wks->map_len));
-}
-
-static inline isc_result_t
-tostruct_in_wks(ARGS_TOSTRUCT) {
- dns_rdata_in_wks_t *wks = target;
- isc_uint32_t n;
- isc_region_t region;
-
- REQUIRE(rdata->type == 11);
- REQUIRE(rdata->rdclass == 1);
- REQUIRE(rdata->length != 0);
-
- wks->common.rdclass = rdata->rdclass;
- wks->common.rdtype = rdata->type;
- ISC_LINK_INIT(&wks->common, link);
-
- dns_rdata_toregion(rdata, &region);
- n = uint32_fromregion(&region);
- wks->in_addr.s_addr = htonl(n);
- isc_region_consume(&region, 4);
- wks->protocol = uint16_fromregion(&region);
- isc_region_consume(&region, 2);
- wks->map_len = region.length;
- wks->map = mem_maybedup(mctx, region.base, region.length);
- if (wks->map == NULL)
- return (ISC_R_NOMEMORY);
- wks->mctx = mctx;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-freestruct_in_wks(ARGS_FREESTRUCT) {
- dns_rdata_in_wks_t *wks = source;
-
- REQUIRE(source != NULL);
- REQUIRE(wks->common.rdtype == 11);
- REQUIRE(wks->common.rdclass == 1);
-
- if (wks->mctx == NULL)
- return;
-
- if (wks->map != NULL)
- isc_mem_free(wks->mctx, wks->map);
- wks->mctx = NULL;
-}
-
-static inline isc_result_t
-additionaldata_in_wks(ARGS_ADDLDATA) {
- UNUSED(rdata);
- UNUSED(add);
- UNUSED(arg);
-
- REQUIRE(rdata->type == 11);
- REQUIRE(rdata->rdclass == 1);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-digest_in_wks(ARGS_DIGEST) {
- isc_region_t r;
-
- REQUIRE(rdata->type == 11);
- REQUIRE(rdata->rdclass == 1);
-
- dns_rdata_toregion(rdata, &r);
-
- return ((digest)(arg, &r));
-}
-
-static inline isc_boolean_t
-checkowner_in_wks(ARGS_CHECKOWNER) {
-
- REQUIRE(type == 11);
- REQUIRE(rdclass == 1);
-
- UNUSED(type);
- UNUSED(rdclass);
-
- return (dns_name_ishostname(name, wildcard));
-}
-
-static inline isc_boolean_t
-checknames_in_wks(ARGS_CHECKNAMES) {
-
- REQUIRE(rdata->type == 11);
- REQUIRE(rdata->rdclass == 1);
-
- UNUSED(rdata);
- UNUSED(owner);
- UNUSED(bad);
-
- return (ISC_TRUE);
-}
-
-#endif /* RDATA_IN_1_WKS_11_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.h b/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
deleted file mode 100644
index e7342819770c..000000000000
--- a/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef IN_1_WKS_11_H
-#define IN_1_WKS_11_H 1
-
-/* $Id: wks_11.h,v 1.19.206.1 2004/03/06 08:14:19 marka Exp $ */
-
-typedef struct dns_rdata_in_wks {
- dns_rdatacommon_t common;
- isc_mem_t *mctx;
- struct in_addr in_addr;
- isc_uint16_t protocol;
- unsigned char *map;
- isc_uint16_t map_len;
-} dns_rdata_in_wks_t;
-
-#endif /* IN_1_WKS_11_H */
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructpre.h b/contrib/bind9/lib/dns/rdata/rdatastructpre.h
deleted file mode 100644
index 19af8b455b87..000000000000
--- a/contrib/bind9/lib/dns/rdata/rdatastructpre.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatastructpre.h,v 1.13.206.1 2004/03/06 08:14:02 marka Exp $ */
-
-#ifndef DNS_RDATASTRUCT_H
-#define DNS_RDATASTRUCT_H 1
-
-#include <isc/lang.h>
-#include <isc/sockaddr.h>
-
-#include <dns/name.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef struct dns_rdatacommon {
- dns_rdataclass_t rdclass;
- dns_rdatatype_t rdtype;
- ISC_LINK(struct dns_rdatacommon) link;
-} dns_rdatacommon_t;
-
-#define DNS_RDATACOMMON_INIT(_data, _rdtype, _rdclass) \
- do { \
- (_data)->common.rdtype = (_rdtype); \
- (_data)->common.rdclass = (_rdclass); \
- ISC_LINK_INIT(&(_data)->common, link); \
- } while (0)
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructsuf.h b/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
deleted file mode 100644
index 3eabff24d212..000000000000
--- a/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatastructsuf.h,v 1.7.206.1 2004/03/06 08:14:02 marka Exp $ */
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATASTRUCT_H */
diff --git a/contrib/bind9/lib/dns/rdatalist.c b/contrib/bind9/lib/dns/rdatalist.c
deleted file mode 100644
index baa62e5e583f..000000000000
--- a/contrib/bind9/lib/dns/rdatalist.c
+++ /dev/null
@@ -1,224 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatalist.c,v 1.25.2.2.2.2 2004/03/08 02:07:56 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/util.h>
-
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-
-#include "rdatalist_p.h"
-
-static dns_rdatasetmethods_t methods = {
- isc__rdatalist_disassociate,
- isc__rdatalist_first,
- isc__rdatalist_next,
- isc__rdatalist_current,
- isc__rdatalist_clone,
- isc__rdatalist_count,
- isc__rdatalist_addnoqname,
- isc__rdatalist_getnoqname
-};
-
-void
-dns_rdatalist_init(dns_rdatalist_t *rdatalist) {
-
- /*
- * Initialize rdatalist.
- */
-
- rdatalist->rdclass = 0;
- rdatalist->type = 0;
- rdatalist->covers = 0;
- rdatalist->ttl = 0;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LINK_INIT(rdatalist, link);
-}
-
-isc_result_t
-dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
- dns_rdataset_t *rdataset) {
-
- /*
- * Make 'rdataset' refer to the rdata in 'rdatalist'.
- */
-
- REQUIRE(rdatalist != NULL);
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(! dns_rdataset_isassociated(rdataset));
-
- rdataset->methods = &methods;
- rdataset->rdclass = rdatalist->rdclass;
- rdataset->type = rdatalist->type;
- rdataset->covers = rdatalist->covers;
- rdataset->ttl = rdatalist->ttl;
- rdataset->trust = 0;
- rdataset->private1 = rdatalist;
- rdataset->private2 = NULL;
- rdataset->private3 = NULL;
- rdataset->privateuint4 = 0;
- rdataset->private5 = NULL;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc__rdatalist_disassociate(dns_rdataset_t *rdataset) {
- UNUSED(rdataset);
-}
-
-isc_result_t
-isc__rdatalist_first(dns_rdataset_t *rdataset) {
- dns_rdatalist_t *rdatalist;
-
- rdatalist = rdataset->private1;
- rdataset->private2 = ISC_LIST_HEAD(rdatalist->rdata);
-
- if (rdataset->private2 == NULL)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__rdatalist_next(dns_rdataset_t *rdataset) {
- dns_rdata_t *rdata;
-
- rdata = rdataset->private2;
- if (rdata == NULL)
- return (ISC_R_NOMORE);
-
- rdataset->private2 = ISC_LIST_NEXT(rdata, link);
-
- if (rdataset->private2 == NULL)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
- dns_rdata_t *list_rdata;
-
- list_rdata = rdataset->private2;
- INSIST(list_rdata != NULL);
-
- dns_rdata_clone(list_rdata, rdata);
-}
-
-void
-isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
- *target = *source;
-
- /*
- * Reset iterator state.
- */
- target->private2 = NULL;
-}
-
-unsigned int
-isc__rdatalist_count(dns_rdataset_t *rdataset) {
- dns_rdatalist_t *rdatalist;
- dns_rdata_t *rdata;
- unsigned int count;
-
- rdatalist = rdataset->private1;
-
- count = 0;
- for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
- rdata != NULL;
- rdata = ISC_LIST_NEXT(rdata, link))
- count++;
-
- return (count);
-}
-
-isc_result_t
-isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
- dns_rdataset_t *nsec = NULL;
- dns_rdataset_t *nsecsig = NULL;
- dns_rdataset_t *rdset;
- dns_ttl_t ttl;
-
- for (rdset = ISC_LIST_HEAD(name->list);
- rdset != NULL;
- rdset = ISC_LIST_NEXT(rdset, link))
- {
- if (rdset->rdclass != rdataset->rdclass)
- continue;
- if (rdset->type == dns_rdatatype_nsec)
- nsec = rdset;
- if (rdset->type == dns_rdatatype_rrsig &&
- rdset->covers == dns_rdatatype_nsec)
- nsecsig = rdset;
- }
-
- if (nsec == NULL || nsecsig == NULL)
- return (ISC_R_NOTFOUND);
- /*
- * Minimise ttl.
- */
- ttl = rdataset->ttl;
- if (nsec->ttl < ttl)
- ttl = nsec->ttl;
- if (nsecsig->ttl < ttl)
- ttl = nsecsig->ttl;
- rdataset->ttl = nsec->ttl = nsecsig->ttl = ttl;
- rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
- rdataset->private6 = name;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
- dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
-{
- dns_rdataclass_t rdclass = rdataset->rdclass;
- dns_rdataset_t *tnsec = NULL;
- dns_rdataset_t *tnsecsig = NULL;
- dns_name_t *noqname = rdataset->private6;
-
- REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0);
- (void)dns_name_dynamic(noqname); /* Sanity Check. */
-
- for (rdataset = ISC_LIST_HEAD(noqname->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- if (rdataset->rdclass != rdclass)
- continue;
- if (rdataset->type == dns_rdatatype_nsec)
- tnsec = rdataset;
- if (rdataset->type == dns_rdatatype_rrsig &&
- rdataset->covers == dns_rdatatype_nsec)
- tnsecsig = rdataset;
- }
- if (tnsec == NULL || tnsecsig == NULL)
- return (ISC_R_NOTFOUND);
-
- dns_name_clone(noqname, name);
- dns_rdataset_clone(tnsec, nsec);
- dns_rdataset_clone(tnsecsig, nsecsig);
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/rdatalist_p.h b/contrib/bind9/lib/dns/rdatalist_p.h
deleted file mode 100644
index 3a7b52c25605..000000000000
--- a/contrib/bind9/lib/dns/rdatalist_p.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatalist_p.h,v 1.3.206.2 2004/03/08 02:07:56 marka Exp $ */
-
-#ifndef DNS_RDATALIST_P_H
-#define DNS_RDATALIST_P_H
-
-#include <isc/result.h>
-#include <dns/types.h>
-
-ISC_LANG_BEGINDECLS
-
-void
-isc__rdatalist_disassociate(dns_rdataset_t *rdatasetp);
-
-isc_result_t
-isc__rdatalist_first(dns_rdataset_t *rdataset);
-
-isc_result_t
-isc__rdatalist_next(dns_rdataset_t *rdataset);
-
-void
-isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
-
-void
-isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target);
-
-unsigned int
-isc__rdatalist_count(dns_rdataset_t *rdataset);
-
-isc_result_t
-isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
-
-isc_result_t
-isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
- dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
-
-ISC_LANG_ENDDECLS
-
-#endif /* DNS_RDATALIST_P_H */
diff --git a/contrib/bind9/lib/dns/rdataset.c b/contrib/bind9/lib/dns/rdataset.c
deleted file mode 100644
index 672777b02f50..000000000000
--- a/contrib/bind9/lib/dns/rdataset.c
+++ /dev/null
@@ -1,626 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataset.c,v 1.58.2.2.2.10 2004/03/08 09:04:31 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/random.h>
-#include <isc/util.h>
-
-#include <dns/name.h>
-#include <dns/ncache.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/compress.h>
-
-void
-dns_rdataset_init(dns_rdataset_t *rdataset) {
-
- /*
- * Make 'rdataset' a valid, disassociated rdataset.
- */
-
- REQUIRE(rdataset != NULL);
-
- rdataset->magic = DNS_RDATASET_MAGIC;
- rdataset->methods = NULL;
- ISC_LINK_INIT(rdataset, link);
- rdataset->rdclass = 0;
- rdataset->type = 0;
- rdataset->ttl = 0;
- rdataset->trust = 0;
- rdataset->covers = 0;
- rdataset->attributes = 0;
- rdataset->count = ISC_UINT32_MAX;
- rdataset->private1 = NULL;
- rdataset->private2 = NULL;
- rdataset->private3 = NULL;
- rdataset->privateuint4 = 0;
- rdataset->private5 = NULL;
- rdataset->private6 = NULL;
-}
-
-void
-dns_rdataset_invalidate(dns_rdataset_t *rdataset) {
-
- /*
- * Invalidate 'rdataset'.
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods == NULL);
-
- rdataset->magic = 0;
- ISC_LINK_INIT(rdataset, link);
- rdataset->rdclass = 0;
- rdataset->type = 0;
- rdataset->ttl = 0;
- rdataset->trust = 0;
- rdataset->covers = 0;
- rdataset->attributes = 0;
- rdataset->count = ISC_UINT32_MAX;
- rdataset->private1 = NULL;
- rdataset->private2 = NULL;
- rdataset->private3 = NULL;
- rdataset->privateuint4 = 0;
- rdataset->private5 = NULL;
-}
-
-void
-dns_rdataset_disassociate(dns_rdataset_t *rdataset) {
-
- /*
- * Disassociate 'rdataset' from its rdata, allowing it to be reused.
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods != NULL);
-
- (rdataset->methods->disassociate)(rdataset);
- rdataset->methods = NULL;
- ISC_LINK_INIT(rdataset, link);
- rdataset->rdclass = 0;
- rdataset->type = 0;
- rdataset->ttl = 0;
- rdataset->trust = 0;
- rdataset->covers = 0;
- rdataset->attributes = 0;
- rdataset->count = ISC_UINT32_MAX;
- rdataset->private1 = NULL;
- rdataset->private2 = NULL;
- rdataset->private3 = NULL;
- rdataset->privateuint4 = 0;
- rdataset->private5 = NULL;
- rdataset->private6 = NULL;
-}
-
-isc_boolean_t
-dns_rdataset_isassociated(dns_rdataset_t *rdataset) {
- /*
- * Is 'rdataset' associated?
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
-
- if (rdataset->methods != NULL)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-static void
-question_disassociate(dns_rdataset_t *rdataset) {
- UNUSED(rdataset);
-}
-
-static isc_result_t
-question_cursor(dns_rdataset_t *rdataset) {
- UNUSED(rdataset);
-
- return (ISC_R_NOMORE);
-}
-
-static void
-question_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
- /*
- * This routine should never be called.
- */
- UNUSED(rdataset);
- UNUSED(rdata);
-
- REQUIRE(0);
-}
-
-static void
-question_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
- *target = *source;
-}
-
-static unsigned int
-question_count(dns_rdataset_t *rdataset) {
- /*
- * This routine should never be called.
- */
- UNUSED(rdataset);
- REQUIRE(0);
-
- return (0);
-}
-
-static dns_rdatasetmethods_t question_methods = {
- question_disassociate,
- question_cursor,
- question_cursor,
- question_current,
- question_clone,
- question_count,
- NULL,
- NULL
-};
-
-void
-dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
- dns_rdatatype_t type)
-{
-
- /*
- * Make 'rdataset' a valid, associated, question rdataset, with a
- * question class of 'rdclass' and type 'type'.
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods == NULL);
-
- rdataset->methods = &question_methods;
- rdataset->rdclass = rdclass;
- rdataset->type = type;
- rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
-}
-
-unsigned int
-dns_rdataset_count(dns_rdataset_t *rdataset) {
-
- /*
- * Return the number of records in 'rdataset'.
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods != NULL);
-
- return ((rdataset->methods->count)(rdataset));
-}
-
-void
-dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
-
- /*
- * Make 'target' refer to the same rdataset as 'source'.
- */
-
- REQUIRE(DNS_RDATASET_VALID(source));
- REQUIRE(source->methods != NULL);
- REQUIRE(DNS_RDATASET_VALID(target));
- REQUIRE(target->methods == NULL);
-
- (source->methods->clone)(source, target);
-}
-
-isc_result_t
-dns_rdataset_first(dns_rdataset_t *rdataset) {
-
- /*
- * Move the rdata cursor to the first rdata in the rdataset (if any).
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods != NULL);
-
- return ((rdataset->methods->first)(rdataset));
-}
-
-isc_result_t
-dns_rdataset_next(dns_rdataset_t *rdataset) {
-
- /*
- * Move the rdata cursor to the next rdata in the rdataset (if any).
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods != NULL);
-
- return ((rdataset->methods->next)(rdataset));
-}
-
-void
-dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-
- /*
- * Make 'rdata' refer to the current rdata.
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods != NULL);
-
- (rdataset->methods->current)(rdataset, rdata);
-}
-
-#define MAX_SHUFFLE 32
-#define WANT_FIXED(r) (((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0)
-#define WANT_RANDOM(r) (((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0)
-
-struct towire_sort {
- int key;
- dns_rdata_t *rdata;
-};
-
-static int
-towire_compare(const void *av, const void *bv) {
- const struct towire_sort *a = (const struct towire_sort *) av;
- const struct towire_sort *b = (const struct towire_sort *) bv;
- return (a->key - b->key);
-}
-
-static isc_result_t
-towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
- dns_compress_t *cctx, isc_buffer_t *target,
- dns_rdatasetorderfunc_t order, void *order_arg,
- isc_boolean_t partial, unsigned int options,
- unsigned int *countp, void **state)
-{
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_region_t r;
- isc_result_t result;
- unsigned int i, count, added, choice;
- isc_buffer_t savedbuffer, rdlen, rrbuffer;
- unsigned int headlen;
- isc_boolean_t question = ISC_FALSE;
- isc_boolean_t shuffle = ISC_FALSE;
- dns_rdata_t *shuffled = NULL, shuffled_fixed[MAX_SHUFFLE];
- struct towire_sort *sorted = NULL, sorted_fixed[MAX_SHUFFLE];
-
- UNUSED(state);
-
- /*
- * Convert 'rdataset' to wire format, compressing names as specified
- * in cctx, and storing the result in 'target'.
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(countp != NULL);
- REQUIRE((order == NULL) == (order_arg == NULL));
- REQUIRE(cctx != NULL && cctx->mctx != NULL);
-
- count = 0;
- if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) {
- question = ISC_TRUE;
- count = 1;
- result = dns_rdataset_first(rdataset);
- INSIST(result == ISC_R_NOMORE);
- } else if (rdataset->type == 0) {
- /*
- * This is a negative caching rdataset.
- */
- unsigned int ncache_opts = 0;
- if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0)
- ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC;
- return (dns_ncache_towire(rdataset, cctx, target, ncache_opts,
- countp));
- } else {
- count = (rdataset->methods->count)(rdataset);
- result = dns_rdataset_first(rdataset);
- if (result == ISC_R_NOMORE)
- return (ISC_R_SUCCESS);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- /*
- * Do we want to shuffle this anwer?
- */
- if (!question && count > 1 &&
- (!WANT_FIXED(rdataset) || order != NULL) &&
- rdataset->type != dns_rdatatype_rrsig)
- shuffle = ISC_TRUE;
-
- if (shuffle && count > MAX_SHUFFLE) {
- shuffled = isc_mem_get(cctx->mctx, count * sizeof(*shuffled));
- sorted = isc_mem_get(cctx->mctx, count * sizeof(*sorted));
- if (shuffled == NULL || sorted == NULL)
- shuffle = ISC_FALSE;
- } else {
- shuffled = shuffled_fixed;
- sorted = sorted_fixed;
- }
-
- if (shuffle) {
- /*
- * First we get handles to all of the rdata.
- */
- i = 0;
- do {
- INSIST(i < count);
- dns_rdata_init(&shuffled[i]);
- dns_rdataset_current(rdataset, &shuffled[i]);
- i++;
- result = dns_rdataset_next(rdataset);
- } while (result == ISC_R_SUCCESS);
- if (result != ISC_R_NOMORE)
- goto cleanup;
- INSIST(i == count);
-
- /*
- * Now we shuffle.
- */
- if (WANT_FIXED(rdataset)) {
- /*
- * 'Fixed' order.
- */
- INSIST(order != NULL);
- for (i = 0; i < count; i++) {
- sorted[i].key = (*order)(&shuffled[i],
- order_arg);
- sorted[i].rdata = &shuffled[i];
- }
- } else if (WANT_RANDOM(rdataset)) {
- /*
- * 'Random' order.
- */
- for (i = 0; i < count; i++) {
- dns_rdata_t rdata;
- isc_uint32_t val;
-
- isc_random_get(&val);
- choice = i + (val % (count - i));
- rdata = shuffled[i];
- shuffled[i] = shuffled[choice];
- shuffled[choice] = rdata;
- if (order != NULL)
- sorted[i].key = (*order)(&shuffled[i],
- order_arg);
- else
- sorted[i].key = 0; /* Unused */
- sorted[i].rdata = &shuffled[i];
- }
- } else {
- /*
- * "Cyclic" order.
- */
- isc_uint32_t val;
- unsigned int j;
-
- val = rdataset->count;
- if (val == ISC_UINT32_MAX)
- isc_random_get(&val);
- j = val % count;
- for (i = 0; i < count; i++) {
- if (order != NULL)
- sorted[j].key = (*order)(&shuffled[i],
- order_arg);
- else
- sorted[j].key = 0; /* Unused */
- sorted[j].rdata = &shuffled[i];
- j++;
- if (j == count)
- j = 0; /* Wrap around. */
- }
- }
-
- /*
- * Sorted order.
- */
- if (order != NULL)
- qsort(sorted, count, sizeof(sorted[0]),
- towire_compare);
- }
-
- savedbuffer = *target;
- i = 0;
- added = 0;
-
- do {
- /*
- * Copy out the name, type, class, ttl.
- */
-
- rrbuffer = *target;
- dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
- result = dns_name_towire(owner_name, cctx, target);
- if (result != ISC_R_SUCCESS)
- goto rollback;
- headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t);
- if (!question)
- headlen += sizeof(dns_ttl_t)
- + 2; /* XXX 2 for rdata len */
- isc_buffer_availableregion(target, &r);
- if (r.length < headlen) {
- result = ISC_R_NOSPACE;
- goto rollback;
- }
- isc_buffer_putuint16(target, rdataset->type);
- isc_buffer_putuint16(target, rdataset->rdclass);
- if (!question) {
- isc_buffer_putuint32(target, rdataset->ttl);
-
- /*
- * Save space for rdlen.
- */
- rdlen = *target;
- isc_buffer_add(target, 2);
-
- /*
- * Copy out the rdata
- */
- if (shuffle)
- rdata = *(sorted[i].rdata);
- else {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- }
- result = dns_rdata_towire(&rdata, cctx, target);
- if (result != ISC_R_SUCCESS)
- goto rollback;
- INSIST((target->used >= rdlen.used + 2) &&
- (target->used - rdlen.used - 2 < 65536));
- isc_buffer_putuint16(&rdlen,
- (isc_uint16_t)(target->used -
- rdlen.used - 2));
- added++;
- }
-
- if (shuffle) {
- i++;
- if (i == count)
- result = ISC_R_NOMORE;
- else
- result = ISC_R_SUCCESS;
- } else {
- result = dns_rdataset_next(rdataset);
- }
- } while (result == ISC_R_SUCCESS);
-
- if (result != ISC_R_NOMORE)
- goto rollback;
-
- *countp += count;
-
- result = ISC_R_SUCCESS;
- goto cleanup;
-
- rollback:
- if (partial && result == ISC_R_NOSPACE) {
- INSIST(rrbuffer.used < 65536);
- dns_compress_rollback(cctx, (isc_uint16_t)rrbuffer.used);
- *countp += added;
- *target = rrbuffer;
- goto cleanup;
- }
- INSIST(savedbuffer.used < 65536);
- dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
- *countp = 0;
- *target = savedbuffer;
-
- cleanup:
- if (sorted != NULL && sorted != sorted_fixed)
- isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted));
- if (shuffled != NULL && shuffled != shuffled_fixed)
- isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled));
- return (result);
-}
-
-isc_result_t
-dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_compress_t *cctx,
- isc_buffer_t *target,
- dns_rdatasetorderfunc_t order,
- void *order_arg,
- unsigned int options,
- unsigned int *countp)
-{
- return (towiresorted(rdataset, owner_name, cctx, target,
- order, order_arg, ISC_FALSE, options,
- countp, NULL));
-}
-
-isc_result_t
-dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_compress_t *cctx,
- isc_buffer_t *target,
- dns_rdatasetorderfunc_t order,
- void *order_arg,
- unsigned int options,
- unsigned int *countp,
- void **state)
-{
- REQUIRE(state == NULL); /* XXX remove when implemented */
- return (towiresorted(rdataset, owner_name, cctx, target,
- order, order_arg, ISC_TRUE, options,
- countp, state));
-}
-
-isc_result_t
-dns_rdataset_towire(dns_rdataset_t *rdataset,
- dns_name_t *owner_name,
- dns_compress_t *cctx,
- isc_buffer_t *target,
- unsigned int options,
- unsigned int *countp)
-{
- return (towiresorted(rdataset, owner_name, cctx, target,
- NULL, NULL, ISC_FALSE, options, countp, NULL));
-}
-
-isc_result_t
-dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg)
-{
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
-
- /*
- * For each rdata in rdataset, call 'add' for each name and type in the
- * rdata which is subject to additional section processing.
- */
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- do {
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_additionaldata(&rdata, add, arg);
- if (result == ISC_R_SUCCESS)
- result = dns_rdataset_next(rdataset);
- dns_rdata_reset(&rdata);
- } while (result == ISC_R_SUCCESS);
-
- if (result != ISC_R_NOMORE)
- return (result);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
-
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods != NULL);
- if (rdataset->methods->addnoqname == NULL)
- return (ISC_R_NOTIMPLEMENTED);
- return((rdataset->methods->addnoqname)(rdataset, name));
-}
-
-isc_result_t
-dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
- dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
-{
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(rdataset->methods != NULL);
-
- if (rdataset->methods->getnoqname == NULL)
- return (ISC_R_NOTIMPLEMENTED);
- return((rdataset->methods->getnoqname)(rdataset, name, nsec, nsecsig));
-}
diff --git a/contrib/bind9/lib/dns/rdatasetiter.c b/contrib/bind9/lib/dns/rdatasetiter.c
deleted file mode 100644
index f3b0f8bf391d..000000000000
--- a/contrib/bind9/lib/dns/rdatasetiter.c
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdatasetiter.c,v 1.11.206.1 2004/03/06 08:13:44 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/util.h>
-
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-
-void
-dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
- /*
- * Destroy '*iteratorp'.
- */
-
- REQUIRE(iteratorp != NULL);
- REQUIRE(DNS_RDATASETITER_VALID(*iteratorp));
-
- (*iteratorp)->methods->destroy(iteratorp);
-
- ENSURE(*iteratorp == NULL);
-}
-
-isc_result_t
-dns_rdatasetiter_first(dns_rdatasetiter_t *iterator) {
- /*
- * Move the rdataset cursor to the first rdataset at the node (if any).
- */
-
- REQUIRE(DNS_RDATASETITER_VALID(iterator));
-
- return (iterator->methods->first(iterator));
-}
-
-isc_result_t
-dns_rdatasetiter_next(dns_rdatasetiter_t *iterator) {
- /*
- * Move the rdataset cursor to the next rdataset at the node (if any).
- */
-
- REQUIRE(DNS_RDATASETITER_VALID(iterator));
-
- return (iterator->methods->next(iterator));
-}
-
-void
-dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
- dns_rdataset_t *rdataset)
-{
- /*
- * Return the current rdataset.
- */
-
- REQUIRE(DNS_RDATASETITER_VALID(iterator));
- REQUIRE(DNS_RDATASET_VALID(rdataset));
- REQUIRE(! dns_rdataset_isassociated(rdataset));
-
- iterator->methods->current(iterator, rdataset);
-}
diff --git a/contrib/bind9/lib/dns/rdataslab.c b/contrib/bind9/lib/dns/rdataslab.c
deleted file mode 100644
index 0604cd5d4d9b..000000000000
--- a/contrib/bind9/lib/dns/rdataslab.c
+++ /dev/null
@@ -1,715 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rdataslab.c,v 1.29.2.2.2.6 2004/03/08 09:04:31 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/rdata.h>
-#include <dns/rdataset.h>
-#include <dns/rdataslab.h>
-
-/* Note: the "const void *" are just to make qsort happy. */
-static int
-compare_rdata(const void *p1, const void *p2) {
- const dns_rdata_t *rdata1 = p1;
- const dns_rdata_t *rdata2 = p2;
- return (dns_rdata_compare(rdata1, rdata2));
-}
-
-isc_result_t
-dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
- isc_region_t *region, unsigned int reservelen)
-{
- dns_rdata_t *rdatas;
- unsigned char *rawbuf;
- unsigned int buflen;
- isc_result_t result;
- unsigned int nitems;
- unsigned int nalloc;
- unsigned int i;
-
- buflen = reservelen + 2;
-
- nalloc = dns_rdataset_count(rdataset);
- nitems = nalloc;
- if (nitems == 0)
- return (ISC_R_FAILURE);
-
- rdatas = isc_mem_get(mctx, nalloc * sizeof(dns_rdata_t));
- if (rdatas == NULL)
- return (ISC_R_NOMEMORY);
-
- /*
- * Save all of the rdata members into an array.
- */
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- goto free_rdatas;
- for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
- INSIST(result == ISC_R_SUCCESS);
- dns_rdata_init(&rdatas[i]);
- dns_rdataset_current(rdataset, &rdatas[i]);
- result = dns_rdataset_next(rdataset);
- }
- if (result != ISC_R_NOMORE)
- goto free_rdatas;
- if (i != nalloc) {
- /*
- * Somehow we iterated over fewer rdatas than
- * dns_rdataset_count() said there were!
- */
- result = ISC_R_FAILURE;
- goto free_rdatas;
- }
-
- qsort(rdatas, nalloc, sizeof(dns_rdata_t), compare_rdata);
-
- /*
- * Remove duplicates and compute the total storage required.
- *
- * If an rdata is not a duplicate, accumulate the storage size
- * required for the rdata. We do not store the class, type, etc,
- * just the rdata, so our overhead is 2 bytes for the number of
- * records, and 2 for each rdata length, and then the rdata itself.
- */
- for (i = 1; i < nalloc; i++) {
- if (compare_rdata(&rdatas[i-1], &rdatas[i]) == 0) {
- rdatas[i-1].data = NULL;
- rdatas[i-1].length = 0;
- nitems--;
- } else
- buflen += (2 + rdatas[i-1].length);
- }
- /*
- * Don't forget the last item!
- */
- buflen += (2 + rdatas[i-1].length);
-
- /*
- * Ensure that singleton types are actually singletons.
- */
- if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) {
- /*
- * We have a singleton type, but there's more than one
- * RR in the rdataset.
- */
- result = DNS_R_SINGLETON;
- goto free_rdatas;
- }
-
- /*
- * Allocate the memory, set up a buffer, start copying in
- * data.
- */
- rawbuf = isc_mem_get(mctx, buflen);
- if (rawbuf == NULL) {
- result = ISC_R_NOMEMORY;
- goto free_rdatas;
- }
-
- region->base = rawbuf;
- region->length = buflen;
-
- rawbuf += reservelen;
-
- *rawbuf++ = (nitems & 0xff00) >> 8;
- *rawbuf++ = (nitems & 0x00ff);
- for (i = 0; i < nalloc; i++) {
- if (rdatas[i].data == NULL)
- continue;
- *rawbuf++ = (rdatas[i].length & 0xff00) >> 8;
- *rawbuf++ = (rdatas[i].length & 0x00ff);
- memcpy(rawbuf, rdatas[i].data, rdatas[i].length);
- rawbuf += rdatas[i].length;
- }
- result = ISC_R_SUCCESS;
-
- free_rdatas:
- isc_mem_put(mctx, rdatas, nalloc * sizeof(dns_rdata_t));
- return (result);
-}
-
-static void
-rdataset_disassociate(dns_rdataset_t *rdataset) {
- UNUSED(rdataset);
-}
-
-static isc_result_t
-rdataset_first(dns_rdataset_t *rdataset) {
- unsigned char *raw = rdataset->private3;
- unsigned int count;
-
- count = raw[0] * 256 + raw[1];
- if (count == 0) {
- rdataset->private5 = NULL;
- return (ISC_R_NOMORE);
- }
- raw += 2;
- /*
- * The privateuint4 field is the number of rdata beyond the cursor
- * position, so we decrement the total count by one before storing
- * it.
- */
- count--;
- rdataset->privateuint4 = count;
- rdataset->private5 = raw;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdataset_next(dns_rdataset_t *rdataset) {
- unsigned int count;
- unsigned int length;
- unsigned char *raw;
-
- count = rdataset->privateuint4;
- if (count == 0)
- return (ISC_R_NOMORE);
- count--;
- rdataset->privateuint4 = count;
- raw = rdataset->private5;
- length = raw[0] * 256 + raw[1];
- raw += length + 2;
- rdataset->private5 = raw;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
- unsigned char *raw = rdataset->private5;
- isc_region_t r;
-
- REQUIRE(raw != NULL);
-
- r.length = raw[0] * 256 + raw[1];
- raw += 2;
- r.base = raw;
- dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
- *target = *source;
-
- /*
- * Reset iterator state.
- */
- target->privateuint4 = 0;
- target->private5 = NULL;
-}
-
-static unsigned int
-rdataset_count(dns_rdataset_t *rdataset) {
- unsigned char *raw = rdataset->private3;
- unsigned int count;
-
- count = raw[0] * 256 + raw[1];
-
- return (count);
-}
-
-static dns_rdatasetmethods_t rdataset_methods = {
- rdataset_disassociate,
- rdataset_first,
- rdataset_next,
- rdataset_current,
- rdataset_clone,
- rdataset_count,
- NULL,
- NULL
-};
-
-void
-dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
- dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
- dns_rdatatype_t covers, dns_ttl_t ttl,
- dns_rdataset_t *rdataset)
-{
- REQUIRE(slab != NULL);
- REQUIRE(!dns_rdataset_isassociated(rdataset));
-
- rdataset->methods = &rdataset_methods;
- rdataset->rdclass = rdclass;
- rdataset->type = rdtype;
- rdataset->covers = covers;
- rdataset->ttl = ttl;
- rdataset->trust = 0;
- rdataset->private1 = NULL;
- rdataset->private2 = NULL;
- rdataset->private3 = slab + reservelen;
-
- /*
- * Reset iterator state.
- */
- rdataset->privateuint4 = 0;
- rdataset->private5 = NULL;
-}
-
-unsigned int
-dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
- unsigned int count, length;
- unsigned char *current;
-
- REQUIRE(slab != NULL);
-
- current = slab + reservelen;
- count = *current++ * 256;
- count += *current++;
- while (count > 0) {
- count--;
- length = *current++ * 256;
- length += *current++;
- current += length;
- }
-
- return ((unsigned int)(current - slab));
-}
-
-/*
- * Make the dns_rdata_t 'rdata' refer to the slab item
- * beginning at '*current', which is part of a slab of type
- * 'type' and class 'rdclass', and advance '*current' to
- * point to the next item in the slab.
- */
-static inline void
-rdata_from_slab(unsigned char **current,
- dns_rdataclass_t rdclass, dns_rdatatype_t type,
- dns_rdata_t *rdata)
-{
- unsigned char *tcurrent = *current;
- isc_region_t region;
-
- region.length = *tcurrent++ * 256;
- region.length += *tcurrent++;
- region.base = tcurrent;
- tcurrent += region.length;
- dns_rdata_fromregion(rdata, rdclass, type, &region);
- *current = tcurrent;
-}
-
-/*
- * Return true iff 'slab' (slab data of type 'type' and class 'rdclass')
- * contains an rdata identical to 'rdata'. This does case insensitive
- * comparisons per DNSSEC.
- */
-static inline isc_boolean_t
-rdata_in_slab(unsigned char *slab, unsigned int reservelen,
- dns_rdataclass_t rdclass, dns_rdatatype_t type,
- dns_rdata_t *rdata)
-{
- unsigned int count, i;
- unsigned char *current;
- dns_rdata_t trdata = DNS_RDATA_INIT;
-
- current = slab + reservelen;
- count = *current++ * 256;
- count += *current++;
-
- for (i = 0; i < count; i++) {
- rdata_from_slab(&current, rdclass, type, &trdata);
- if (dns_rdata_compare(&trdata, rdata) == 0)
- return (ISC_TRUE);
- dns_rdata_reset(&trdata);
- }
- return (ISC_FALSE);
-}
-
-isc_result_t
-dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
- unsigned int reservelen, isc_mem_t *mctx,
- dns_rdataclass_t rdclass, dns_rdatatype_t type,
- unsigned int flags, unsigned char **tslabp)
-{
- unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent;
- unsigned int ocount, ncount, count, olength, tlength, tcount, length;
- isc_region_t nregion;
- dns_rdata_t ordata = DNS_RDATA_INIT;
- dns_rdata_t nrdata = DNS_RDATA_INIT;
- isc_boolean_t added_something = ISC_FALSE;
- unsigned int oadded = 0;
- unsigned int nadded = 0;
- unsigned int nncount = 0;
-
- /*
- * XXX Need parameter to allow "delete rdatasets in nslab" merge,
- * or perhaps another merge routine for this purpose.
- */
-
- REQUIRE(tslabp != NULL && *tslabp == NULL);
- REQUIRE(oslab != NULL && nslab != NULL);
-
- ocurrent = oslab + reservelen;
- ocount = *ocurrent++ * 256;
- ocount += *ocurrent++;
- ostart = ocurrent;
- ncurrent = nslab + reservelen;
- ncount = *ncurrent++ * 256;
- ncount += *ncurrent++;
- INSIST(ocount > 0 && ncount > 0);
-
- /*
- * Yes, this is inefficient!
- */
-
- /*
- * Figure out the length of the old slab's data.
- */
- olength = 0;
- for (count = 0; count < ocount; count++) {
- length = *ocurrent++ * 256;
- length += *ocurrent++;
- olength += length + 2;
- ocurrent += length;
- }
-
- /*
- * Start figuring out the target length and count.
- */
- tlength = reservelen + 2 + olength;
- tcount = ocount;
-
- /*
- * Add in the length of rdata in the new slab that aren't in
- * the old slab.
- */
- do {
- nregion.length = *ncurrent++ * 256;
- nregion.length += *ncurrent++;
- nregion.base = ncurrent;
- dns_rdata_init(&nrdata);
- dns_rdata_fromregion(&nrdata, rdclass, type, &nregion);
- if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata))
- {
- /*
- * This rdata isn't in the old slab.
- */
- tlength += nregion.length + 2;
- tcount++;
- nncount++;
- added_something = ISC_TRUE;
- }
- ncurrent += nregion.length;
- ncount--;
- } while (ncount > 0);
- ncount = nncount;
-
- if (((flags & DNS_RDATASLAB_EXACT) != 0) &&
- (tcount != ncount + ocount))
- return (DNS_R_NOTEXACT);
-
- if (!added_something && (flags & DNS_RDATASLAB_FORCE) == 0)
- return (DNS_R_UNCHANGED);
-
- /*
- * Ensure that singleton types are actually singletons.
- */
- if (tcount > 1 && dns_rdatatype_issingleton(type)) {
- /*
- * We have a singleton type, but there's more than one
- * RR in the rdataset.
- */
- return (DNS_R_SINGLETON);
- }
-
- /*
- * Copy the reserved area from the new slab.
- */
- tstart = isc_mem_get(mctx, tlength);
- if (tstart == NULL)
- return (ISC_R_NOMEMORY);
- memcpy(tstart, nslab, reservelen);
- tcurrent = tstart + reservelen;
-
- /*
- * Write the new count.
- */
- *tcurrent++ = (tcount & 0xff00) >> 8;
- *tcurrent++ = (tcount & 0x00ff);
-
- /*
- * Merge the two slabs.
- */
- ocurrent = ostart;
- INSIST(ocount != 0);
- rdata_from_slab(&ocurrent, rdclass, type, &ordata);
-
- ncurrent = nslab + reservelen + 2;
- if (ncount > 0) {
- do {
- dns_rdata_reset(&nrdata);
- rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
- } while (rdata_in_slab(oslab, reservelen, rdclass,
- type, &nrdata));
- }
-
- while (oadded < ocount || nadded < ncount) {
- isc_boolean_t fromold;
- if (oadded == ocount)
- fromold = ISC_FALSE;
- else if (nadded == ncount)
- fromold = ISC_TRUE;
- else
- fromold = ISC_TF(compare_rdata(&ordata, &nrdata) < 0);
- if (fromold) {
- length = ordata.length;
- *tcurrent++ = (length & 0xff00) >> 8;
- *tcurrent++ = (length & 0x00ff);
- memcpy(tcurrent, ordata.data, length);
- tcurrent += length;
- oadded++;
- if (oadded < ocount) {
- dns_rdata_reset(&ordata);
- rdata_from_slab(&ocurrent, rdclass, type,
- &ordata);
- }
- } else {
- length = nrdata.length;
- *tcurrent++ = (length & 0xff00) >> 8;
- *tcurrent++ = (length & 0x00ff);
- memcpy(tcurrent, nrdata.data, length);
- tcurrent += length;
- nadded++;
- if (nadded < ncount) {
- do {
- dns_rdata_reset(&nrdata);
- rdata_from_slab(&ncurrent, rdclass,
- type, &nrdata);
- } while (rdata_in_slab(oslab, reservelen,
- rdclass, type,
- &nrdata));
- }
- }
- }
-
- INSIST(tcurrent == tstart + tlength);
-
- *tslabp = tstart;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
- unsigned int reservelen, isc_mem_t *mctx,
- dns_rdataclass_t rdclass, dns_rdatatype_t type,
- unsigned int flags, unsigned char **tslabp)
-{
- unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent;
- unsigned int mcount, scount, rcount ,count, tlength, tcount;
- dns_rdata_t srdata = DNS_RDATA_INIT;
- dns_rdata_t mrdata = DNS_RDATA_INIT;
-
- REQUIRE(tslabp != NULL && *tslabp == NULL);
- REQUIRE(mslab != NULL && sslab != NULL);
-
- mcurrent = mslab + reservelen;
- mcount = *mcurrent++ * 256;
- mcount += *mcurrent++;
- scurrent = sslab + reservelen;
- scount = *scurrent++ * 256;
- scount += *scurrent++;
- sstart = scurrent;
- INSIST(mcount > 0 && scount > 0);
-
- /*
- * Yes, this is inefficient!
- */
-
- /*
- * Start figuring out the target length and count.
- */
- tlength = reservelen + 2;
- tcount = 0;
- rcount = 0;
-
- /*
- * Add in the length of rdata in the mslab that aren't in
- * the sslab.
- */
- do {
- unsigned char *mrdatabegin = mcurrent;
- rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
- scurrent = sstart;
- for (count = 0; count < scount; count++) {
- dns_rdata_reset(&srdata);
- rdata_from_slab(&scurrent, rdclass, type, &srdata);
- if (dns_rdata_compare(&mrdata, &srdata) == 0)
- break;
- }
- if (count == scount) {
- /*
- * This rdata isn't in the sslab, and thus isn't
- * being subtracted.
- */
- tlength += mcurrent - mrdatabegin;
- tcount++;
- } else
- rcount++;
- mcount--;
- dns_rdata_reset(&mrdata);
- } while (mcount > 0);
-
- /*
- * Check that all the records originally existed. The numeric
- * check only works as rdataslabs do not contain duplicates.
- */
- if (((flags & DNS_RDATASLAB_EXACT) != 0) && (rcount != scount))
- return (DNS_R_NOTEXACT);
-
- /*
- * Don't continue if the new rdataslab would be empty.
- */
- if (tcount == 0)
- return (DNS_R_NXRRSET);
-
- /*
- * If nothing is going to change, we can stop.
- */
- if (rcount == 0)
- return (DNS_R_UNCHANGED);
-
- /*
- * Copy the reserved area from the mslab.
- */
- tstart = isc_mem_get(mctx, tlength);
- if (tstart == NULL)
- return (ISC_R_NOMEMORY);
- memcpy(tstart, mslab, reservelen);
- tcurrent = tstart + reservelen;
-
- /*
- * Write the new count.
- */
- *tcurrent++ = (tcount & 0xff00) >> 8;
- *tcurrent++ = (tcount & 0x00ff);
-
- /*
- * Copy the parts of mslab not in sslab.
- */
- mcurrent = mslab + reservelen;
- mcount = *mcurrent++ * 256;
- mcount += *mcurrent++;
- do {
- unsigned char *mrdatabegin = mcurrent;
- rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
- scurrent = sstart;
- for (count = 0; count < scount; count++) {
- dns_rdata_reset(&srdata);
- rdata_from_slab(&scurrent, rdclass, type, &srdata);
- if (dns_rdata_compare(&mrdata, &srdata) == 0)
- break;
- }
- if (count == scount) {
- /*
- * This rdata isn't in the sslab, and thus should be
- * copied to the tslab.
- */
- unsigned int length = mcurrent - mrdatabegin;
- memcpy(tcurrent, mrdatabegin, length);
- tcurrent += length;
- }
- dns_rdata_reset(&mrdata);
- mcount--;
- } while (mcount > 0);
-
- INSIST(tcurrent == tstart + tlength);
-
- *tslabp = tstart;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
- unsigned int reservelen)
-{
- unsigned char *current1, *current2;
- unsigned int count1, count2;
- unsigned int length1, length2;
-
- current1 = slab1 + reservelen;
- count1 = *current1++ * 256;
- count1 += *current1++;
-
- current2 = slab2 + reservelen;
- count2 = *current2++ * 256;
- count2 += *current2++;
-
- if (count1 != count2)
- return (ISC_FALSE);
-
- while (count1 > 0) {
- length1 = *current1++ * 256;
- length1 += *current1++;
-
- length2 = *current2++ * 256;
- length2 += *current2++;
-
- if (length1 != length2 ||
- memcmp(current1, current2, length1) != 0)
- return (ISC_FALSE);
-
- current1 += length1;
- current2 += length1;
-
- count1--;
- }
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
- unsigned int reservelen, dns_rdataclass_t rdclass,
- dns_rdatatype_t type)
-{
- unsigned char *current1, *current2;
- unsigned int count1, count2;
- dns_rdata_t rdata1 = DNS_RDATA_INIT;
- dns_rdata_t rdata2 = DNS_RDATA_INIT;
-
- current1 = slab1 + reservelen;
- count1 = *current1++ * 256;
- count1 += *current1++;
-
- current2 = slab2 + reservelen;
- count2 = *current2++ * 256;
- count2 += *current2++;
-
- if (count1 != count2)
- return (ISC_FALSE);
-
- while (count1-- > 0) {
- rdata_from_slab(&current1, rdclass, type, &rdata1);
- rdata_from_slab(&current2, rdclass, type, &rdata2);
- if (dns_rdata_compare(&rdata1, &rdata2) != 0)
- return (ISC_FALSE);
- dns_rdata_reset(&rdata1);
- dns_rdata_reset(&rdata2);
- }
- return (ISC_TRUE);
-}
diff --git a/contrib/bind9/lib/dns/request.c b/contrib/bind9/lib/dns/request.c
deleted file mode 100644
index 3ec845f80d8c..000000000000
--- a/contrib/bind9/lib/dns/request.c
+++ /dev/null
@@ -1,1455 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: request.c,v 1.64.2.1.10.6 2004/03/08 09:04:31 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/compress.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/request.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#define REQUESTMGR_MAGIC ISC_MAGIC('R', 'q', 'u', 'M')
-#define VALID_REQUESTMGR(mgr) ISC_MAGIC_VALID(mgr, REQUESTMGR_MAGIC)
-
-#define REQUEST_MAGIC ISC_MAGIC('R', 'q', 'u', '!')
-#define VALID_REQUEST(request) ISC_MAGIC_VALID(request, REQUEST_MAGIC)
-
-typedef ISC_LIST(dns_request_t) dns_requestlist_t;
-
-#define DNS_REQUEST_NLOCKS 7
-
-struct dns_requestmgr {
- unsigned int magic;
- isc_mutex_t lock;
- isc_mem_t *mctx;
-
- /* locked */
- isc_int32_t eref;
- isc_int32_t iref;
- isc_timermgr_t *timermgr;
- isc_socketmgr_t *socketmgr;
- isc_taskmgr_t *taskmgr;
- dns_dispatchmgr_t *dispatchmgr;
- dns_dispatch_t *dispatchv4;
- dns_dispatch_t *dispatchv6;
- isc_boolean_t exiting;
- isc_eventlist_t whenshutdown;
- unsigned int hash;
- isc_mutex_t locks[DNS_REQUEST_NLOCKS];
- dns_requestlist_t requests;
-};
-
-struct dns_request {
- unsigned int magic;
- unsigned int hash;
- isc_mem_t *mctx;
- isc_int32_t flags;
- ISC_LINK(dns_request_t) link;
- isc_buffer_t *query;
- isc_buffer_t *answer;
- dns_requestevent_t *event;
- dns_dispatch_t *dispatch;
- dns_dispentry_t *dispentry;
- isc_timer_t *timer;
- dns_requestmgr_t *requestmgr;
- isc_buffer_t *tsig;
- dns_tsigkey_t *tsigkey;
- isc_event_t ctlevent;
- isc_boolean_t canceling; /* ctlevent outstanding */
- isc_sockaddr_t destaddr;
- unsigned int udpcount;
-};
-
-#define DNS_REQUEST_F_CONNECTING 0x0001
-#define DNS_REQUEST_F_SENDING 0x0002
-#define DNS_REQUEST_F_CANCELED 0x0004 /* ctlevent received, or otherwise
- synchronously canceled */
-#define DNS_REQUEST_F_TIMEDOUT 0x0008 /* cancelled due to a timeout */
-#define DNS_REQUEST_F_TCP 0x0010 /* This request used TCP */
-#define DNS_REQUEST_CANCELED(r) \
- (((r)->flags & DNS_REQUEST_F_CANCELED) != 0)
-#define DNS_REQUEST_CONNECTING(r) \
- (((r)->flags & DNS_REQUEST_F_CONNECTING) != 0)
-#define DNS_REQUEST_SENDING(r) \
- (((r)->flags & DNS_REQUEST_F_SENDING) != 0)
-#define DNS_REQUEST_TIMEDOUT(r) \
- (((r)->flags & DNS_REQUEST_F_TIMEDOUT) != 0)
-
-
-/***
- *** Forward
- ***/
-
-static void mgr_destroy(dns_requestmgr_t *requestmgr);
-static void mgr_shutdown(dns_requestmgr_t *requestmgr);
-static unsigned int mgr_gethash(dns_requestmgr_t *requestmgr);
-static void send_shutdown_events(dns_requestmgr_t *requestmgr);
-
-static isc_result_t req_render(dns_message_t *message, isc_buffer_t **buffer,
- unsigned int options, isc_mem_t *mctx);
-static void req_senddone(isc_task_t *task, isc_event_t *event);
-static void req_response(isc_task_t *task, isc_event_t *event);
-static void req_timeout(isc_task_t *task, isc_event_t *event);
-static void req_connected(isc_task_t *task, isc_event_t *event);
-static void req_sendevent(dns_request_t *request, isc_result_t result);
-static void req_cancel(dns_request_t *request);
-static void req_destroy(dns_request_t *request);
-static void req_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
-static void do_cancel(isc_task_t *task, isc_event_t *event);
-
-/***
- *** Public
- ***/
-
-isc_result_t
-dns_requestmgr_create(isc_mem_t *mctx,
- isc_timermgr_t *timermgr,
- isc_socketmgr_t *socketmgr,
- isc_taskmgr_t *taskmgr,
- dns_dispatchmgr_t *dispatchmgr,
- dns_dispatch_t *dispatchv4,
- dns_dispatch_t *dispatchv6,
- dns_requestmgr_t **requestmgrp)
-{
- dns_requestmgr_t *requestmgr;
- isc_socket_t *socket;
- isc_result_t result;
- int i;
-
- req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create");
-
- REQUIRE(requestmgrp != NULL && *requestmgrp == NULL);
- REQUIRE(timermgr != NULL);
- REQUIRE(socketmgr != NULL);
- REQUIRE(taskmgr != NULL);
- REQUIRE(dispatchmgr != NULL);
- if (dispatchv4 != NULL) {
- socket = dns_dispatch_getsocket(dispatchv4);
- REQUIRE(isc_socket_gettype(socket) == isc_sockettype_udp);
- }
- if (dispatchv6 != NULL) {
- socket = dns_dispatch_getsocket(dispatchv6);
- REQUIRE(isc_socket_gettype(socket) == isc_sockettype_udp);
- }
-
- requestmgr = isc_mem_get(mctx, sizeof(*requestmgr));
- if (requestmgr == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_mutex_init(&requestmgr->lock);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
- return (result);
- }
- for (i = 0; i < DNS_REQUEST_NLOCKS; i++) {
- result = isc_mutex_init(&requestmgr->locks[i]);
- if (result != ISC_R_SUCCESS) {
- while (--i >= 0)
- DESTROYLOCK(&requestmgr->locks[i]);
- DESTROYLOCK(&requestmgr->lock);
- isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
- return (result);
- }
- }
- requestmgr->timermgr = timermgr;
- requestmgr->socketmgr = socketmgr;
- requestmgr->taskmgr = taskmgr;
- requestmgr->dispatchmgr = dispatchmgr;
- requestmgr->dispatchv4 = NULL;
- if (dispatchv4 != NULL)
- dns_dispatch_attach(dispatchv4, &requestmgr->dispatchv4);
- requestmgr->dispatchv6 = NULL;
- if (dispatchv6 != NULL)
- dns_dispatch_attach(dispatchv6, &requestmgr->dispatchv6);
- requestmgr->mctx = NULL;
- isc_mem_attach(mctx, &requestmgr->mctx);
- requestmgr->eref = 1; /* implict attach */
- requestmgr->iref = 0;
- ISC_LIST_INIT(requestmgr->whenshutdown);
- ISC_LIST_INIT(requestmgr->requests);
- requestmgr->exiting = ISC_FALSE;
- requestmgr->hash = 0;
- requestmgr->magic = REQUESTMGR_MAGIC;
-
- req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create: %p", requestmgr);
-
- *requestmgrp = requestmgr;
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
- isc_event_t **eventp)
-{
- isc_task_t *clone;
- isc_event_t *event;
-
- req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_whenshutdown");
-
- REQUIRE(VALID_REQUESTMGR(requestmgr));
- REQUIRE(eventp != NULL);
-
- event = *eventp;
- *eventp = NULL;
-
- LOCK(&requestmgr->lock);
-
- if (requestmgr->exiting) {
- /*
- * We're already shutdown. Send the event.
- */
- event->ev_sender = requestmgr;
- isc_task_send(task, &event);
- } else {
- clone = NULL;
- isc_task_attach(task, &clone);
- event->ev_sender = clone;
- ISC_LIST_APPEND(requestmgr->whenshutdown, event, ev_link);
- }
- UNLOCK(&requestmgr->lock);
-}
-
-void
-dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr) {
-
- REQUIRE(VALID_REQUESTMGR(requestmgr));
-
- req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_shutdown: %p", requestmgr);
-
- LOCK(&requestmgr->lock);
- mgr_shutdown(requestmgr);
- UNLOCK(&requestmgr->lock);
-}
-
-static void
-mgr_shutdown(dns_requestmgr_t *requestmgr) {
- dns_request_t *request;
-
- /*
- * Caller holds lock.
- */
- if (!requestmgr->exiting) {
- requestmgr->exiting = ISC_TRUE;
- for (request = ISC_LIST_HEAD(requestmgr->requests);
- request != NULL;
- request = ISC_LIST_NEXT(request, link)) {
- dns_request_cancel(request);
- }
- if (requestmgr->iref == 0) {
- INSIST(ISC_LIST_EMPTY(requestmgr->requests));
- send_shutdown_events(requestmgr);
- }
- }
-}
-
-static void
-requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
-
- /*
- * Locked by caller.
- */
-
- REQUIRE(VALID_REQUESTMGR(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- REQUIRE(!source->exiting);
-
- source->iref++;
- *targetp = source;
-
- req_log(ISC_LOG_DEBUG(3), "requestmgr_attach: %p: eref %d iref %d",
- source, source->eref, source->iref);
-}
-
-static void
-requestmgr_detach(dns_requestmgr_t **requestmgrp) {
- dns_requestmgr_t *requestmgr;
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(requestmgrp != NULL);
- requestmgr = *requestmgrp;
- REQUIRE(VALID_REQUESTMGR(requestmgr));
-
- *requestmgrp = NULL;
- LOCK(&requestmgr->lock);
- INSIST(requestmgr->iref > 0);
- requestmgr->iref--;
-
- req_log(ISC_LOG_DEBUG(3), "requestmgr_detach: %p: eref %d iref %d",
- requestmgr, requestmgr->eref, requestmgr->iref);
-
- if (requestmgr->iref == 0 && requestmgr->exiting) {
- INSIST(ISC_LIST_HEAD(requestmgr->requests) == NULL);
- send_shutdown_events(requestmgr);
- if (requestmgr->eref == 0)
- need_destroy = ISC_TRUE;
- }
- UNLOCK(&requestmgr->lock);
-
- if (need_destroy)
- mgr_destroy(requestmgr);
-}
-
-void
-dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
-
- REQUIRE(VALID_REQUESTMGR(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
- REQUIRE(!source->exiting);
-
- LOCK(&source->lock);
- source->eref++;
- *targetp = source;
- UNLOCK(&source->lock);
-
- req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_attach: %p: eref %d iref %d",
- source, source->eref, source->iref);
-}
-
-void
-dns_requestmgr_detach(dns_requestmgr_t **requestmgrp) {
- dns_requestmgr_t *requestmgr;
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(requestmgrp != NULL);
- requestmgr = *requestmgrp;
- REQUIRE(VALID_REQUESTMGR(requestmgr));
-
- LOCK(&requestmgr->lock);
- INSIST(requestmgr->eref > 0);
- requestmgr->eref--;
-
- req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_detach: %p: eref %d iref %d",
- requestmgr, requestmgr->eref, requestmgr->iref);
-
- if (requestmgr->eref == 0 && requestmgr->iref == 0) {
- INSIST(requestmgr->exiting &&
- ISC_LIST_HEAD(requestmgr->requests) == NULL);
- need_destroy = ISC_TRUE;
- }
- UNLOCK(&requestmgr->lock);
-
- if (need_destroy)
- mgr_destroy(requestmgr);
-
- *requestmgrp = NULL;
-}
-
-static void
-send_shutdown_events(dns_requestmgr_t *requestmgr) {
- isc_event_t *event, *next_event;
- isc_task_t *etask;
-
- req_log(ISC_LOG_DEBUG(3), "send_shutdown_events: %p", requestmgr);
-
- /*
- * Caller must be holding the manager lock.
- */
- for (event = ISC_LIST_HEAD(requestmgr->whenshutdown);
- event != NULL;
- event = next_event) {
- next_event = ISC_LIST_NEXT(event, ev_link);
- ISC_LIST_UNLINK(requestmgr->whenshutdown, event, ev_link);
- etask = event->ev_sender;
- event->ev_sender = requestmgr;
- isc_task_sendanddetach(&etask, &event);
- }
-}
-
-static void
-mgr_destroy(dns_requestmgr_t *requestmgr) {
- int i;
- isc_mem_t *mctx;
-
- req_log(ISC_LOG_DEBUG(3), "mgr_destroy");
-
- REQUIRE(requestmgr->eref == 0);
- REQUIRE(requestmgr->iref == 0);
-
- DESTROYLOCK(&requestmgr->lock);
- for (i = 0; i < DNS_REQUEST_NLOCKS; i++)
- DESTROYLOCK(&requestmgr->locks[i]);
- if (requestmgr->dispatchv4 != NULL)
- dns_dispatch_detach(&requestmgr->dispatchv4);
- if (requestmgr->dispatchv6 != NULL)
- dns_dispatch_detach(&requestmgr->dispatchv6);
- requestmgr->magic = 0;
- mctx = requestmgr->mctx;
- isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
- isc_mem_detach(&mctx);
-}
-
-static unsigned int
-mgr_gethash(dns_requestmgr_t *requestmgr) {
- req_log(ISC_LOG_DEBUG(3), "mgr_gethash");
- /*
- * Locked by caller.
- */
- requestmgr->hash++;
- return (requestmgr->hash % DNS_REQUEST_NLOCKS);
-}
-
-static inline isc_result_t
-req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) {
- isc_region_t r;
- isc_socket_t *socket;
- isc_result_t result;
-
- req_log(ISC_LOG_DEBUG(3), "req_send: request %p", request);
-
- REQUIRE(VALID_REQUEST(request));
- socket = dns_dispatch_getsocket(request->dispatch);
- isc_buffer_usedregion(request->query, &r);
- result = isc_socket_sendto(socket, &r, task, req_senddone,
- request, address, NULL);
- if (result == ISC_R_SUCCESS)
- request->flags |= DNS_REQUEST_F_SENDING;
- return (result);
-}
-
-static isc_result_t
-new_request(isc_mem_t *mctx, dns_request_t **requestp) {
- dns_request_t *request;
-
- request = isc_mem_get(mctx, sizeof(*request));
- if (request == NULL)
- return (ISC_R_NOMEMORY);
-
- /*
- * Zero structure.
- */
- request->magic = 0;
- request->mctx = NULL;
- request->flags = 0;
- ISC_LINK_INIT(request, link);
- request->query = NULL;
- request->answer = NULL;
- request->event = NULL;
- request->dispatch = NULL;
- request->dispentry = NULL;
- request->timer = NULL;
- request->requestmgr = NULL;
- request->tsig = NULL;
- request->tsigkey = NULL;
- ISC_EVENT_INIT(&request->ctlevent, sizeof(request->ctlevent), 0, NULL,
- DNS_EVENT_REQUESTCONTROL, do_cancel, request, NULL,
- NULL, NULL);
- request->canceling = ISC_FALSE;
- request->udpcount = 0;
-
- isc_mem_attach(mctx, &request->mctx);
-
- request->magic = REQUEST_MAGIC;
- *requestp = request;
- return (ISC_R_SUCCESS);
-}
-
-
-static isc_boolean_t
-isblackholed(dns_dispatchmgr_t *dispatchmgr, isc_sockaddr_t *destaddr) {
- dns_acl_t *blackhole;
- isc_netaddr_t netaddr;
- int match;
- isc_boolean_t drop = ISC_FALSE;
- char netaddrstr[ISC_NETADDR_FORMATSIZE];
-
- blackhole = dns_dispatchmgr_getblackhole(dispatchmgr);
- if (blackhole != NULL) {
- isc_netaddr_fromsockaddr(&netaddr, destaddr);
- if (dns_acl_match(&netaddr, NULL, blackhole,
- NULL, &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- drop = ISC_TRUE;
- }
- if (drop) {
- isc_netaddr_format(&netaddr, netaddrstr, sizeof(netaddrstr));
- req_log(ISC_LOG_DEBUG(10), "blackholed address %s", netaddrstr);
- }
- return (drop);
-}
-
-static isc_result_t
-create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
- isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp)
-{
- isc_result_t result;
- isc_socket_t *socket = NULL;
- isc_sockaddr_t src;
- unsigned int attrs;
- isc_sockaddr_t bind_any;
-
- result = isc_socket_create(requestmgr->socketmgr,
- isc_sockaddr_pf(destaddr),
- isc_sockettype_tcp, &socket);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (srcaddr == NULL) {
- isc_sockaddr_anyofpf(&bind_any,
- isc_sockaddr_pf(destaddr));
- result = isc_socket_bind(socket, &bind_any);
- } else {
- src = *srcaddr;
- isc_sockaddr_setport(&src, 0);
- result = isc_socket_bind(socket, &src);
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- attrs = 0;
- attrs |= DNS_DISPATCHATTR_TCP;
- attrs |= DNS_DISPATCHATTR_PRIVATE;
- if (isc_sockaddr_pf(destaddr) == AF_INET)
- attrs |= DNS_DISPATCHATTR_IPV4;
- else
- attrs |= DNS_DISPATCHATTR_IPV6;
- attrs |= DNS_DISPATCHATTR_MAKEQUERY;
- result = dns_dispatch_createtcp(requestmgr->dispatchmgr,
- socket, requestmgr->taskmgr,
- 4096, 2, 1, 1, 3, attrs,
- dispatchp);
-cleanup:
- isc_socket_detach(&socket);
- return (result);
-}
-
-static isc_result_t
-find_udp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
- isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp)
-{
- dns_dispatch_t *disp = NULL;
- unsigned int attrs, attrmask;
-
- if (srcaddr == NULL) {
- switch (isc_sockaddr_pf(destaddr)) {
- case PF_INET:
- disp = requestmgr->dispatchv4;
- break;
-
- case PF_INET6:
- disp = requestmgr->dispatchv6;
- break;
-
- default:
- return (ISC_R_NOTIMPLEMENTED);
- }
- if (disp == NULL)
- return (ISC_R_FAMILYNOSUPPORT);
- dns_dispatch_attach(disp, dispatchp);
- return (ISC_R_SUCCESS);
- }
- attrs = 0;
- attrs |= DNS_DISPATCHATTR_UDP;
- switch (isc_sockaddr_pf(srcaddr)) {
- case PF_INET:
- attrs |= DNS_DISPATCHATTR_IPV4;
- break;
-
- case PF_INET6:
- attrs |= DNS_DISPATCHATTR_IPV6;
- break;
-
- default:
- return (ISC_R_NOTIMPLEMENTED);
- }
- attrmask = 0;
- attrmask |= DNS_DISPATCHATTR_UDP;
- attrmask |= DNS_DISPATCHATTR_TCP;
- attrmask |= DNS_DISPATCHATTR_IPV4;
- attrmask |= DNS_DISPATCHATTR_IPV6;
- return (dns_dispatch_getudp(requestmgr->dispatchmgr,
- requestmgr->socketmgr,
- requestmgr->taskmgr,
- srcaddr, 4096,
- 1000, 32768, 16411, 16433,
- attrs, attrmask,
- dispatchp));
-}
-
-static isc_result_t
-get_dispatch(isc_boolean_t tcp, dns_requestmgr_t *requestmgr,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- dns_dispatch_t **dispatchp)
-{
- isc_result_t result;
- if (tcp)
- result = create_tcp_dispatch(requestmgr, srcaddr,
- destaddr, dispatchp);
- else
- result = find_udp_dispatch(requestmgr, srcaddr,
- destaddr, dispatchp);
- return (result);
-}
-
-static isc_result_t
-set_timer(isc_timer_t *timer, unsigned int timeout, unsigned int udpresend) {
- isc_time_t expires;
- isc_interval_t interval;
- isc_result_t result;
- isc_timertype_t timertype;
-
- isc_interval_set(&interval, timeout, 0);
- result = isc_time_nowplusinterval(&expires, &interval);
- isc_interval_set(&interval, udpresend, 0);
-
- timertype = udpresend != 0 ? isc_timertype_limited : isc_timertype_once;
- if (result == ISC_R_SUCCESS)
- result = isc_timer_reset(timer, timertype, &expires,
- &interval, ISC_FALSE);
- return (result);
-}
-
-isc_result_t
-dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, unsigned int timeout,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_request_t **requestp)
-{
- return(dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
- options, timeout, 0, 0, task, action,
- arg, requestp));
-}
-
-isc_result_t
-dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, unsigned int timeout,
- unsigned int udptimeout, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp)
-{
- unsigned int udpretries = 0;
-
- if (udptimeout != 0)
- udpretries = timeout / udptimeout;
-
- return (dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
- options, timeout, udptimeout,
- udpretries, task, action, arg,
- requestp));
-}
-
-isc_result_t
-dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, unsigned int timeout,
- unsigned int udptimeout, unsigned int udpretries,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_request_t **requestp)
-{
- dns_request_t *request = NULL;
- isc_task_t *tclone = NULL;
- isc_socket_t *socket = NULL;
- isc_result_t result;
- isc_mem_t *mctx;
- dns_messageid_t id;
- isc_boolean_t tcp = ISC_FALSE;
- isc_region_t r;
-
- REQUIRE(VALID_REQUESTMGR(requestmgr));
- REQUIRE(msgbuf != NULL);
- REQUIRE(destaddr != NULL);
- REQUIRE(task != NULL);
- REQUIRE(action != NULL);
- REQUIRE(requestp != NULL && *requestp == NULL);
- REQUIRE(timeout > 0);
- if (srcaddr != NULL)
- REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr));
-
- mctx = requestmgr->mctx;
-
- req_log(ISC_LOG_DEBUG(3), "dns_request_createraw");
-
- if (isblackholed(requestmgr->dispatchmgr, destaddr))
- return (DNS_R_BLACKHOLED);
-
- request = NULL;
- result = new_request(mctx, &request);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (udptimeout == 0 && udpretries != 0) {
- udptimeout = timeout / (udpretries + 1);
- if (udptimeout == 0)
- udptimeout = 1;
- }
-
- /*
- * Create timer now. We will set it below once.
- */
- result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
- NULL, NULL, task, req_timeout, request,
- &request->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- request->event = (dns_requestevent_t *)
- isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
- action, arg, sizeof(dns_requestevent_t));
- if (request->event == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- isc_task_attach(task, &tclone);
- request->event->ev_sender = task;
- request->event->request = request;
- request->event->result = ISC_R_FAILURE;
-
- isc_buffer_usedregion(msgbuf, &r);
- if (r.length < DNS_MESSAGE_HEADERLEN || r.length > 65535) {
- result = DNS_R_FORMERR;
- goto cleanup;
- }
-
- if ((options & DNS_REQUESTOPT_TCP) != 0 || r.length > 512)
- tcp = ISC_TRUE;
-
- result = get_dispatch(tcp, requestmgr, srcaddr, destaddr,
- &request->dispatch);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- socket = dns_dispatch_getsocket(request->dispatch);
- INSIST(socket != NULL);
- result = dns_dispatch_addresponse(request->dispatch, destaddr, task,
- req_response, request, &id,
- &request->dispentry);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = isc_buffer_allocate(mctx, &request->query,
- r.length + (tcp ? 2 : 0));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (tcp)
- isc_buffer_putuint16(request->query, (isc_uint16_t)r.length);
- result = isc_buffer_copyregion(request->query, &r);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /* Add message ID. */
- isc_buffer_usedregion(request->query, &r);
- if (tcp)
- isc_region_consume(&r, 2);
- r.base[0] = (id>>8) & 0xff;
- r.base[1] = id & 0xff;
-
- LOCK(&requestmgr->lock);
- if (requestmgr->exiting) {
- UNLOCK(&requestmgr->lock);
- result = ISC_R_SHUTTINGDOWN;
- goto cleanup;
- }
- requestmgr_attach(requestmgr, &request->requestmgr);
- request->hash = mgr_gethash(requestmgr);
- ISC_LIST_APPEND(requestmgr->requests, request, link);
- UNLOCK(&requestmgr->lock);
-
- result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
- if (result != ISC_R_SUCCESS)
- goto unlink;
-
- request->destaddr = *destaddr;
- if (tcp) {
- result = isc_socket_connect(socket, destaddr, task,
- req_connected, request);
- if (result != ISC_R_SUCCESS)
- goto unlink;
- request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
- } else {
- result = req_send(request, task, destaddr);
- if (result != ISC_R_SUCCESS)
- goto unlink;
- }
-
- req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: request %p",
- request);
- *requestp = request;
- return (ISC_R_SUCCESS);
-
- unlink:
- LOCK(&requestmgr->lock);
- ISC_LIST_UNLINK(requestmgr->requests, request, link);
- UNLOCK(&requestmgr->lock);
-
- cleanup:
- if (tclone != NULL)
- isc_task_detach(&tclone);
- req_destroy(request);
- req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: failed %s",
- dns_result_totext(result));
- return (result);
-}
-
-isc_result_t
-dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *address, unsigned int options,
- dns_tsigkey_t *key,
- unsigned int timeout, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp)
-{
- return (dns_request_createvia3(requestmgr, message, NULL, address,
- options, key, timeout, 0, 0, task,
- action, arg, requestp));
-}
-
-isc_result_t
-dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, dns_tsigkey_t *key,
- unsigned int timeout, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp)
-{
- return(dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
- options, key, timeout, 0, 0, task,
- action, arg, requestp));
-}
-
-isc_result_t
-dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, dns_tsigkey_t *key,
- unsigned int timeout, unsigned int udptimeout,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_request_t **requestp)
-{
- unsigned int udpretries = 0;
-
- if (udptimeout != 0)
- udpretries = timeout / udptimeout;
- return (dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
- options, key, timeout, udptimeout,
- udpretries, task, action, arg,
- requestp));
-}
-
-isc_result_t
-dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
- isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
- unsigned int options, dns_tsigkey_t *key,
- unsigned int timeout, unsigned int udptimeout,
- unsigned int udpretries, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_request_t **requestp)
-{
- dns_request_t *request = NULL;
- isc_task_t *tclone = NULL;
- isc_socket_t *socket = NULL;
- isc_result_t result;
- isc_mem_t *mctx;
- dns_messageid_t id;
- isc_boolean_t tcp;
- isc_boolean_t setkey = ISC_TRUE;
-
- REQUIRE(VALID_REQUESTMGR(requestmgr));
- REQUIRE(message != NULL);
- REQUIRE(destaddr != NULL);
- REQUIRE(task != NULL);
- REQUIRE(action != NULL);
- REQUIRE(requestp != NULL && *requestp == NULL);
- REQUIRE(timeout > 0);
- if (srcaddr != NULL)
- REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr));
-
- mctx = requestmgr->mctx;
-
- req_log(ISC_LOG_DEBUG(3), "dns_request_createvia");
-
- if (isblackholed(requestmgr->dispatchmgr, destaddr))
- return (DNS_R_BLACKHOLED);
-
- request = NULL;
- result = new_request(mctx, &request);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (udptimeout == 0 && udpretries != 0) {
- udptimeout = timeout / (udpretries + 1);
- if (udptimeout == 0)
- udptimeout = 1;
- }
-
- /*
- * Create timer now. We will set it below once.
- */
- result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
- NULL, NULL, task, req_timeout, request,
- &request->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- request->event = (dns_requestevent_t *)
- isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
- action, arg, sizeof(dns_requestevent_t));
- if (request->event == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- isc_task_attach(task, &tclone);
- request->event->ev_sender = task;
- request->event->request = request;
- request->event->result = ISC_R_FAILURE;
- if (key != NULL)
- dns_tsigkey_attach(key, &request->tsigkey);
-
- use_tcp:
- tcp = ISC_TF((options & DNS_REQUESTOPT_TCP) != 0);
- result = get_dispatch(tcp, requestmgr, srcaddr, destaddr,
- &request->dispatch);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- socket = dns_dispatch_getsocket(request->dispatch);
- INSIST(socket != NULL);
- result = dns_dispatch_addresponse(request->dispatch, destaddr, task,
- req_response, request, &id,
- &request->dispentry);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- message->id = id;
- if (setkey) {
- result = dns_message_settsigkey(message, request->tsigkey);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- result = req_render(message, &request->query, options, mctx);
- if (result == DNS_R_USETCP &&
- (options & DNS_REQUESTOPT_TCP) == 0) {
- /*
- * Try again using TCP.
- */
- dns_message_renderreset(message);
- dns_dispatch_removeresponse(&request->dispentry, NULL);
- dns_dispatch_detach(&request->dispatch);
- socket = NULL;
- options |= DNS_REQUESTOPT_TCP;
- setkey = ISC_FALSE;
- goto use_tcp;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = dns_message_getquerytsig(message, mctx, &request->tsig);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- LOCK(&requestmgr->lock);
- if (requestmgr->exiting) {
- UNLOCK(&requestmgr->lock);
- result = ISC_R_SHUTTINGDOWN;
- goto cleanup;
- }
- requestmgr_attach(requestmgr, &request->requestmgr);
- request->hash = mgr_gethash(requestmgr);
- ISC_LIST_APPEND(requestmgr->requests, request, link);
- UNLOCK(&requestmgr->lock);
-
- result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
- if (result != ISC_R_SUCCESS)
- goto unlink;
-
- request->destaddr = *destaddr;
- if (tcp) {
- result = isc_socket_connect(socket, destaddr, task,
- req_connected, request);
- if (result != ISC_R_SUCCESS)
- goto unlink;
- request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
- } else {
- result = req_send(request, task, destaddr);
- if (result != ISC_R_SUCCESS)
- goto unlink;
- }
-
- req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: request %p",
- request);
- *requestp = request;
- return (ISC_R_SUCCESS);
-
- unlink:
- LOCK(&requestmgr->lock);
- ISC_LIST_UNLINK(requestmgr->requests, request, link);
- UNLOCK(&requestmgr->lock);
-
- cleanup:
- if (tclone != NULL)
- isc_task_detach(&tclone);
- req_destroy(request);
- req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: failed %s",
- dns_result_totext(result));
- return (result);
-}
-
-static isc_result_t
-req_render(dns_message_t *message, isc_buffer_t **bufferp,
- unsigned int options, isc_mem_t *mctx)
-{
- isc_buffer_t *buf1 = NULL;
- isc_buffer_t *buf2 = NULL;
- isc_result_t result;
- isc_region_t r;
- isc_boolean_t tcp = ISC_FALSE;
- dns_compress_t cctx;
- isc_boolean_t cleanup_cctx = ISC_FALSE;
-
- REQUIRE(bufferp != NULL && *bufferp == NULL);
-
- req_log(ISC_LOG_DEBUG(3), "request_render");
-
- /*
- * Create buffer able to hold largest possible message.
- */
- result = isc_buffer_allocate(mctx, &buf1, 65535);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_compress_init(&cctx, -1, mctx);
- if (result != ISC_R_SUCCESS)
- return (result);
- cleanup_cctx = ISC_TRUE;
-
- /*
- * Render message.
- */
- result = dns_message_renderbegin(message, &cctx, buf1);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_rendersection(message, DNS_SECTION_QUESTION, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_rendersection(message, DNS_SECTION_ANSWER, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_rendersection(message, DNS_SECTION_AUTHORITY, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_rendersection(message, DNS_SECTION_ADDITIONAL, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_renderend(message);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- dns_compress_invalidate(&cctx);
- cleanup_cctx = ISC_FALSE;
-
- /*
- * Copy rendered message to exact sized buffer.
- */
- isc_buffer_usedregion(buf1, &r);
- if ((options & DNS_REQUESTOPT_TCP) != 0) {
- tcp = ISC_TRUE;
- } else if (r.length > 512) {
- result = DNS_R_USETCP;
- goto cleanup;
- }
- result = isc_buffer_allocate(mctx, &buf2, r.length + (tcp ? 2 : 0));
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (tcp)
- isc_buffer_putuint16(buf2, (isc_uint16_t)r.length);
- result = isc_buffer_copyregion(buf2, &r);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * Cleanup and return.
- */
- isc_buffer_free(&buf1);
- *bufferp = buf2;
- return (ISC_R_SUCCESS);
-
- cleanup:
- dns_message_renderreset(message);
- if (buf1 != NULL)
- isc_buffer_free(&buf1);
- if (buf2 != NULL)
- isc_buffer_free(&buf2);
- if (cleanup_cctx)
- dns_compress_invalidate(&cctx);
- return (result);
-}
-
-
-/*
- * If this request is no longer waiting for events,
- * send the completion event. This will ultimately
- * cause the request to be destroyed.
- *
- * Requires:
- * 'request' is locked by the caller.
- */
-static void
-send_if_done(dns_request_t *request, isc_result_t result) {
- if (!DNS_REQUEST_CONNECTING(request) &&
- !DNS_REQUEST_SENDING(request) &&
- !request->canceling)
- req_sendevent(request, result);
-}
-
-/*
- * Handle the control event.
- */
-static void
-do_cancel(isc_task_t *task, isc_event_t *event) {
- dns_request_t *request = event->ev_arg;
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_REQUESTCONTROL);
- LOCK(&request->requestmgr->locks[request->hash]);
- request->canceling = ISC_FALSE;
- if (!DNS_REQUEST_CANCELED(request))
- req_cancel(request);
- send_if_done(request, ISC_R_CANCELED);
- UNLOCK(&request->requestmgr->locks[request->hash]);
-}
-
-void
-dns_request_cancel(dns_request_t *request) {
- REQUIRE(VALID_REQUEST(request));
-
- req_log(ISC_LOG_DEBUG(3), "dns_request_cancel: request %p", request);
-
- REQUIRE(VALID_REQUEST(request));
-
- LOCK(&request->requestmgr->locks[request->hash]);
- if (!request->canceling && !DNS_REQUEST_CANCELED(request)) {
- isc_event_t *ev = &request->ctlevent;
- isc_task_send(request->event->ev_sender, &ev);
- request->canceling = ISC_TRUE;
- }
- UNLOCK(&request->requestmgr->locks[request->hash]);
-}
-
-isc_result_t
-dns_request_getresponse(dns_request_t *request, dns_message_t *message,
- unsigned int options)
-{
- isc_result_t result;
-
- REQUIRE(VALID_REQUEST(request));
- REQUIRE(request->answer != NULL);
-
- req_log(ISC_LOG_DEBUG(3), "dns_request_getresponse: request %p",
- request);
-
- result = dns_message_setquerytsig(message, request->tsig);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_message_settsigkey(message, request->tsigkey);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_message_parse(message, request->answer, options);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (request->tsigkey != NULL)
- result = dns_tsig_verify(request->answer, message, NULL, NULL);
- return (result);
-}
-
-isc_boolean_t
-dns_request_usedtcp(dns_request_t *request) {
- REQUIRE(VALID_REQUEST(request));
-
- return (ISC_TF((request->flags & DNS_REQUEST_F_TCP) != 0));
-}
-
-void
-dns_request_destroy(dns_request_t **requestp) {
- dns_request_t *request;
-
- REQUIRE(requestp != NULL && VALID_REQUEST(*requestp));
-
- request = *requestp;
-
- req_log(ISC_LOG_DEBUG(3), "dns_request_destroy: request %p", request);
-
- LOCK(&request->requestmgr->lock);
- LOCK(&request->requestmgr->locks[request->hash]);
- ISC_LIST_UNLINK(request->requestmgr->requests, request, link);
- INSIST(!DNS_REQUEST_CONNECTING(request));
- INSIST(!DNS_REQUEST_SENDING(request));
- UNLOCK(&request->requestmgr->locks[request->hash]);
- UNLOCK(&request->requestmgr->lock);
-
- /*
- * These should have been cleaned up by req_cancel() before
- * the completion event was sent.
- */
- INSIST(!ISC_LINK_LINKED(request, link));
- INSIST(request->dispentry == NULL);
- INSIST(request->dispatch == NULL);
- INSIST(request->timer == NULL);
-
- req_destroy(request);
-
- *requestp = NULL;
-}
-
-/***
- *** Private: request.
- ***/
-
-static void
-req_connected(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *)event;
- isc_result_t result;
- dns_request_t *request = event->ev_arg;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
- REQUIRE(VALID_REQUEST(request));
- REQUIRE(DNS_REQUEST_CONNECTING(request));
-
- req_log(ISC_LOG_DEBUG(3), "req_connected: request %p", request);
-
- LOCK(&request->requestmgr->locks[request->hash]);
- request->flags &= ~DNS_REQUEST_F_CONNECTING;
-
- if (DNS_REQUEST_CANCELED(request)) {
- /*
- * Send delayed event.
- */
- if (DNS_REQUEST_TIMEDOUT(request))
- send_if_done(request, ISC_R_TIMEDOUT);
- else
- send_if_done(request, ISC_R_CANCELED);
- } else {
- dns_dispatch_starttcp(request->dispatch);
- result = sevent->result;
- if (result == ISC_R_SUCCESS)
- result = req_send(request, task, NULL);
-
- if (result != ISC_R_SUCCESS) {
- req_cancel(request);
- send_if_done(request, ISC_R_CANCELED);
- }
- }
- UNLOCK(&request->requestmgr->locks[request->hash]);
- isc_event_free(&event);
-}
-
-static void
-req_senddone(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *)event;
- dns_request_t *request = event->ev_arg;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
- REQUIRE(VALID_REQUEST(request));
- REQUIRE(DNS_REQUEST_SENDING(request));
-
- req_log(ISC_LOG_DEBUG(3), "req_senddone: request %p", request);
-
- UNUSED(task);
-
- LOCK(&request->requestmgr->locks[request->hash]);
- request->flags &= ~DNS_REQUEST_F_SENDING;
-
- if (DNS_REQUEST_CANCELED(request)) {
- /*
- * Send delayed event.
- */
- if (DNS_REQUEST_TIMEDOUT(request))
- send_if_done(request, ISC_R_TIMEDOUT);
- else
- send_if_done(request, ISC_R_CANCELED);
- } else if (sevent->result != ISC_R_SUCCESS) {
- req_cancel(request);
- send_if_done(request, ISC_R_CANCELED);
- }
- UNLOCK(&request->requestmgr->locks[request->hash]);
-
- isc_event_free(&event);
-}
-
-static void
-req_response(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- dns_request_t *request = event->ev_arg;
- dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
- isc_region_t r;
-
- REQUIRE(VALID_REQUEST(request));
- REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
-
- UNUSED(task);
-
- req_log(ISC_LOG_DEBUG(3), "req_response: request %p: %s", request,
- dns_result_totext(devent->result));
-
- LOCK(&request->requestmgr->locks[request->hash]);
- result = devent->result;
- if (result != ISC_R_SUCCESS)
- goto done;
-
- /*
- * Copy buffer to request.
- */
- isc_buffer_usedregion(&devent->buffer, &r);
- result = isc_buffer_allocate(request->mctx, &request->answer,
- r.length);
- if (result != ISC_R_SUCCESS)
- goto done;
- result = isc_buffer_copyregion(request->answer, &r);
- if (result != ISC_R_SUCCESS)
- isc_buffer_free(&request->answer);
- done:
- /*
- * Cleanup.
- */
- dns_dispatch_removeresponse(&request->dispentry, &devent);
- req_cancel(request);
- /*
- * Send completion event.
- */
- send_if_done(request, result);
- UNLOCK(&request->requestmgr->locks[request->hash]);
-}
-
-static void
-req_timeout(isc_task_t *task, isc_event_t *event) {
- dns_request_t *request = event->ev_arg;
- isc_result_t result;
-
- REQUIRE(VALID_REQUEST(request));
-
- req_log(ISC_LOG_DEBUG(3), "req_timeout: request %p", request);
-
- UNUSED(task);
- LOCK(&request->requestmgr->locks[request->hash]);
- if (event->ev_type == ISC_TIMEREVENT_TICK &&
- request->udpcount-- != 0) {
- if (! DNS_REQUEST_SENDING(request)) {
- result = req_send(request, task, &request->destaddr);
- if (result != ISC_R_SUCCESS) {
- req_cancel(request);
- send_if_done(request, result);
- }
- }
- } else {
- request->flags |= DNS_REQUEST_F_TIMEDOUT;
- req_cancel(request);
- send_if_done(request, ISC_R_TIMEDOUT);
- }
- UNLOCK(&request->requestmgr->locks[request->hash]);
- isc_event_free(&event);
-}
-
-static void
-req_sendevent(dns_request_t *request, isc_result_t result) {
- isc_task_t *task;
-
- REQUIRE(VALID_REQUEST(request));
-
- req_log(ISC_LOG_DEBUG(3), "req_sendevent: request %p", request);
-
- /*
- * Lock held by caller.
- */
- task = request->event->ev_sender;
- request->event->ev_sender = request;
- request->event->result = result;
- isc_task_sendanddetach(&task, (isc_event_t **)&request->event);
-}
-
-static void
-req_destroy(dns_request_t *request) {
- isc_mem_t *mctx;
-
- REQUIRE(VALID_REQUEST(request));
-
- req_log(ISC_LOG_DEBUG(3), "req_destroy: request %p", request);
-
- request->magic = 0;
- if (request->query != NULL)
- isc_buffer_free(&request->query);
- if (request->answer != NULL)
- isc_buffer_free(&request->answer);
- if (request->event != NULL)
- isc_event_free((isc_event_t **)&request->event);
- if (request->dispentry != NULL)
- dns_dispatch_removeresponse(&request->dispentry, NULL);
- if (request->dispatch != NULL)
- dns_dispatch_detach(&request->dispatch);
- if (request->timer != NULL)
- isc_timer_detach(&request->timer);
- if (request->tsig != NULL)
- isc_buffer_free(&request->tsig);
- if (request->tsigkey != NULL)
- dns_tsigkey_detach(&request->tsigkey);
- if (request->requestmgr != NULL)
- requestmgr_detach(&request->requestmgr);
- mctx = request->mctx;
- isc_mem_put(mctx, request, sizeof(*request));
- isc_mem_detach(&mctx);
-}
-
-/*
- * Stop the current request. Must be called from the request's task.
- */
-static void
-req_cancel(dns_request_t *request) {
- isc_socket_t *socket;
-
- REQUIRE(VALID_REQUEST(request));
-
- req_log(ISC_LOG_DEBUG(3), "req_cancel: request %p", request);
-
- /*
- * Lock held by caller.
- */
- request->flags |= DNS_REQUEST_F_CANCELED;
-
- if (request->timer != NULL)
- isc_timer_detach(&request->timer);
- if (request->dispentry != NULL)
- dns_dispatch_removeresponse(&request->dispentry, NULL);
- if (DNS_REQUEST_CONNECTING(request)) {
- socket = dns_dispatch_getsocket(request->dispatch);
- isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_CONNECT);
- }
- if (DNS_REQUEST_SENDING(request)) {
- socket = dns_dispatch_getsocket(request->dispatch);
- isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_SEND);
- }
- dns_dispatch_detach(&request->dispatch);
-}
-
-static void
-req_log(int level, const char *fmt, ...) {
- va_list ap;
-
- va_start(ap, fmt);
- isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_REQUEST, level, fmt, ap);
- va_end(ap);
-}
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
deleted file mode 100644
index 6f803eb192f4..000000000000
--- a/contrib/bind9/lib/dns/resolver.c
+++ /dev/null
@@ -1,6639 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resolver.c,v 1.218.2.18.4.56 2005/10/14 01:38:48 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/adb.h>
-#include <dns/db.h>
-#include <dns/dispatch.h>
-#include <dns/events.h>
-#include <dns/forward.h>
-#include <dns/keytable.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/ncache.h>
-#include <dns/opcode.h>
-#include <dns/peer.h>
-#include <dns/rbt.h>
-#include <dns/rcode.h>
-#include <dns/rdata.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-#include <dns/validator.h>
-
-#define DNS_RESOLVER_TRACE
-#ifdef DNS_RESOLVER_TRACE
-#define RTRACE(m) isc_log_write(dns_lctx, \
- DNS_LOGCATEGORY_RESOLVER, \
- DNS_LOGMODULE_RESOLVER, \
- ISC_LOG_DEBUG(3), \
- "res %p: %s", res, (m))
-#define RRTRACE(r, m) isc_log_write(dns_lctx, \
- DNS_LOGCATEGORY_RESOLVER, \
- DNS_LOGMODULE_RESOLVER, \
- ISC_LOG_DEBUG(3), \
- "res %p: %s", (r), (m))
-#define FCTXTRACE(m) isc_log_write(dns_lctx, \
- DNS_LOGCATEGORY_RESOLVER, \
- DNS_LOGMODULE_RESOLVER, \
- ISC_LOG_DEBUG(3), \
- "fctx %p(%s'): %s", fctx, fctx->info, (m))
-#define FCTXTRACE2(m1, m2) \
- isc_log_write(dns_lctx, \
- DNS_LOGCATEGORY_RESOLVER, \
- DNS_LOGMODULE_RESOLVER, \
- ISC_LOG_DEBUG(3), \
- "fctx %p(%s): %s %s", \
- fctx, fctx->info, (m1), (m2))
-#define FTRACE(m) isc_log_write(dns_lctx, \
- DNS_LOGCATEGORY_RESOLVER, \
- DNS_LOGMODULE_RESOLVER, \
- ISC_LOG_DEBUG(3), \
- "fetch %p (fctx %p(%s)): %s", \
- fetch, fetch->private, \
- fetch->private->info, (m))
-#define QTRACE(m) isc_log_write(dns_lctx, \
- DNS_LOGCATEGORY_RESOLVER, \
- DNS_LOGMODULE_RESOLVER, \
- ISC_LOG_DEBUG(3), \
- "resquery %p (fctx %p(%s)): %s", \
- query, query->fctx, \
- query->fctx->info, (m))
-#else
-#define RTRACE(m)
-#define RRTRACE(r, m)
-#define FCTXTRACE(m)
-#define FTRACE(m)
-#define QTRACE(m)
-#endif
-
-/*
- * Maximum EDNS0 input packet size.
- */
-#define RECV_BUFFER_SIZE 4096 /* XXXRTH Constant. */
-
-/*
- * This defines the maximum number of timeouts we will permit before we
- * disable EDNS0 on the query.
- */
-#define MAX_EDNS0_TIMEOUTS 3
-
-typedef struct fetchctx fetchctx_t;
-
-typedef struct query {
- /* Locked by task event serialization. */
- unsigned int magic;
- fetchctx_t * fctx;
- isc_mem_t * mctx;
- dns_dispatchmgr_t * dispatchmgr;
- dns_dispatch_t * dispatch;
- dns_adbaddrinfo_t * addrinfo;
- isc_socket_t * tcpsocket;
- isc_time_t start;
- dns_messageid_t id;
- dns_dispentry_t * dispentry;
- ISC_LINK(struct query) link;
- isc_buffer_t buffer;
- isc_buffer_t *tsig;
- dns_tsigkey_t *tsigkey;
- unsigned int options;
- unsigned int attributes;
- unsigned int sends;
- unsigned int connects;
- unsigned char data[512];
-} resquery_t;
-
-#define QUERY_MAGIC ISC_MAGIC('Q', '!', '!', '!')
-#define VALID_QUERY(query) ISC_MAGIC_VALID(query, QUERY_MAGIC)
-
-#define RESQUERY_ATTR_CANCELED 0x02
-
-#define RESQUERY_CONNECTING(q) ((q)->connects > 0)
-#define RESQUERY_CANCELED(q) (((q)->attributes & \
- RESQUERY_ATTR_CANCELED) != 0)
-#define RESQUERY_SENDING(q) ((q)->sends > 0)
-
-typedef enum {
- fetchstate_init = 0, /* Start event has not run yet. */
- fetchstate_active,
- fetchstate_done /* FETCHDONE events posted. */
-} fetchstate;
-
-struct fetchctx {
- /* Not locked. */
- unsigned int magic;
- dns_resolver_t * res;
- dns_name_t name;
- dns_rdatatype_t type;
- unsigned int options;
- unsigned int bucketnum;
- char * info;
- /* Locked by appropriate bucket lock. */
- fetchstate state;
- isc_boolean_t want_shutdown;
- isc_boolean_t cloned;
- unsigned int references;
- isc_event_t control_event;
- ISC_LINK(struct fetchctx) link;
- ISC_LIST(dns_fetchevent_t) events;
- /* Locked by task event serialization. */
- dns_name_t domain;
- dns_rdataset_t nameservers;
- unsigned int attributes;
- isc_timer_t * timer;
- isc_time_t expires;
- isc_interval_t interval;
- dns_message_t * qmessage;
- dns_message_t * rmessage;
- ISC_LIST(resquery_t) queries;
- dns_adbfindlist_t finds;
- dns_adbfind_t * find;
- dns_adbfindlist_t altfinds;
- dns_adbfind_t * altfind;
- dns_adbaddrinfolist_t forwaddrs;
- dns_adbaddrinfolist_t altaddrs;
- isc_sockaddrlist_t forwarders;
- dns_fwdpolicy_t fwdpolicy;
- isc_sockaddrlist_t bad;
- ISC_LIST(dns_validator_t) validators;
- dns_db_t * cache;
- dns_adb_t * adb;
-
- /*
- * The number of events we're waiting for.
- */
- unsigned int pending;
-
- /*
- * The number of times we've "restarted" the current
- * nameserver set. This acts as a failsafe to prevent
- * us from pounding constantly on a particular set of
- * servers that, for whatever reason, are not giving
- * us useful responses, but are responding in such a
- * way that they are not marked "bad".
- */
- unsigned int restarts;
-
- /*
- * The number of timeouts that have occurred since we
- * last successfully received a response packet. This
- * is used for EDNS0 black hole detection.
- */
- unsigned int timeouts;
- /*
- * Look aside state for DS lookups.
- */
- dns_name_t nsname;
- dns_fetch_t * nsfetch;
- dns_rdataset_t nsrrset;
-};
-
-#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
-#define VALID_FCTX(fctx) ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
-
-#define FCTX_ATTR_HAVEANSWER 0x0001
-#define FCTX_ATTR_GLUING 0x0002
-#define FCTX_ATTR_ADDRWAIT 0x0004
-#define FCTX_ATTR_SHUTTINGDOWN 0x0008
-#define FCTX_ATTR_WANTCACHE 0x0010
-#define FCTX_ATTR_WANTNCACHE 0x0020
-#define FCTX_ATTR_NEEDEDNS0 0x0040
-#define FCTX_ATTR_TRIEDFIND 0x0080
-#define FCTX_ATTR_TRIEDALT 0x0100
-
-#define HAVE_ANSWER(f) (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
- 0)
-#define GLUING(f) (((f)->attributes & FCTX_ATTR_GLUING) != \
- 0)
-#define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
- 0)
-#define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
- != 0)
-#define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
-#define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
-#define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
-#define TRIEDFIND(f) (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
-#define TRIEDALT(f) (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
-
-typedef struct {
- dns_adbaddrinfo_t * addrinfo;
- fetchctx_t * fctx;
-} dns_valarg_t;
-
-struct dns_fetch {
- unsigned int magic;
- fetchctx_t * private;
-};
-
-#define DNS_FETCH_MAGIC ISC_MAGIC('F', 't', 'c', 'h')
-#define DNS_FETCH_VALID(fetch) ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
-
-typedef struct fctxbucket {
- isc_task_t * task;
- isc_mutex_t lock;
- ISC_LIST(fetchctx_t) fctxs;
- isc_boolean_t exiting;
-} fctxbucket_t;
-
-typedef struct alternate {
- isc_boolean_t isaddress;
- union {
- isc_sockaddr_t addr;
- struct {
- dns_name_t name;
- in_port_t port;
- } _n;
- } _u;
- ISC_LINK(struct alternate) link;
-} alternate_t;
-
-struct dns_resolver {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_mutex_t lock;
- isc_mutex_t nlock;
- isc_mutex_t primelock;
- dns_rdataclass_t rdclass;
- isc_socketmgr_t * socketmgr;
- isc_timermgr_t * timermgr;
- isc_taskmgr_t * taskmgr;
- dns_view_t * view;
- isc_boolean_t frozen;
- unsigned int options;
- dns_dispatchmgr_t * dispatchmgr;
- dns_dispatch_t * dispatchv4;
- dns_dispatch_t * dispatchv6;
- unsigned int nbuckets;
- fctxbucket_t * buckets;
- isc_uint32_t lame_ttl;
- ISC_LIST(alternate_t) alternates;
- isc_uint16_t udpsize;
-#if USE_ALGLOCK
- isc_rwlock_t alglock;
-#endif
- dns_rbt_t * algorithms;
-#if USE_MBSLOCK
- isc_rwlock_t mbslock;
-#endif
- dns_rbt_t * mustbesecure;
- /* Locked by lock. */
- unsigned int references;
- isc_boolean_t exiting;
- isc_eventlist_t whenshutdown;
- unsigned int activebuckets;
- isc_boolean_t priming;
- /* Locked by primelock. */
- dns_fetch_t * primefetch;
- /* Locked by nlock. */
- unsigned int nfctx;
-};
-
-#define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
-#define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
-
-/*
- * Private addrinfo flags. These must not conflict with DNS_FETCHOPT_NOEDNS0,
- * which we also use as an addrinfo flag.
- */
-#define FCTX_ADDRINFO_MARK 0x0001
-#define FCTX_ADDRINFO_FORWARDER 0x1000
-#define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) \
- == 0)
-#define ISFORWARDER(a) (((a)->flags & \
- FCTX_ADDRINFO_FORWARDER) != 0)
-
-#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
-
-static void destroy(dns_resolver_t *res);
-static void empty_bucket(dns_resolver_t *res);
-static isc_result_t resquery_send(resquery_t *query);
-static void resquery_response(isc_task_t *task, isc_event_t *event);
-static void resquery_connected(isc_task_t *task, isc_event_t *event);
-static void fctx_try(fetchctx_t *fctx);
-static isc_boolean_t fctx_destroy(fetchctx_t *fctx);
-static isc_result_t ncache_adderesult(dns_message_t *message,
- dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers,
- isc_stdtime_t now, dns_ttl_t maxttl,
- dns_rdataset_t *ardataset,
- isc_result_t *eresultp);
-static void validated(isc_task_t *task, isc_event_t *event);
-
-static isc_result_t
-valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
- dns_rdatatype_t type, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset, unsigned int valoptions,
- isc_task_t *task)
-{
- dns_validator_t *validator = NULL;
- dns_valarg_t *valarg;
- isc_result_t result;
-
- valarg = isc_mem_get(fctx->res->mctx, sizeof(*valarg));
- if (valarg == NULL)
- return (ISC_R_NOMEMORY);
-
- valarg->fctx = fctx;
- valarg->addrinfo = addrinfo;
-
- result = dns_validator_create(fctx->res->view, name, type, rdataset,
- sigrdataset, fctx->rmessage,
- valoptions, task, validated, valarg,
- &validator);
- if (result == ISC_R_SUCCESS)
- ISC_LIST_APPEND(fctx->validators, validator, link);
- else
- isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg));
- return (result);
-}
-
-static isc_boolean_t
-fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
- dns_name_t *name;
- dns_name_t *domain = &fctx->domain;
- dns_rdataset_t *rdataset;
- dns_rdatatype_t type;
- isc_result_t result;
- isc_boolean_t keep_auth = ISC_FALSE;
-
- if (message->rcode == dns_rcode_nxdomain)
- return (ISC_FALSE);
-
- /*
- * Look for BIND 8 style delegations.
- * Also look for answers to ANY queries where the duplicate NS RRset
- * may have been stripped from the authority section.
- */
- if (message->counts[DNS_SECTION_ANSWER] != 0 &&
- (fctx->type == dns_rdatatype_ns ||
- fctx->type == dns_rdatatype_any)) {
- result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_ANSWER,
- &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- type = rdataset->type;
- if (type != dns_rdatatype_ns)
- continue;
- if (dns_name_issubdomain(name, domain))
- return (ISC_FALSE);
- }
- result = dns_message_nextname(message,
- DNS_SECTION_ANSWER);
- }
- }
-
- /* Look for referral. */
- if (message->counts[DNS_SECTION_AUTHORITY] == 0)
- goto munge;
-
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- type = rdataset->type;
- if (type == dns_rdatatype_soa &&
- dns_name_equal(name, domain))
- keep_auth = ISC_TRUE;
- if (type != dns_rdatatype_ns &&
- type != dns_rdatatype_soa)
- continue;
- if (dns_name_equal(name, domain))
- goto munge;
- if (dns_name_issubdomain(name, domain))
- return (ISC_FALSE);
- }
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
- }
-
- munge:
- message->rcode = dns_rcode_nxdomain;
- message->counts[DNS_SECTION_ANSWER] = 0;
- if (!keep_auth)
- message->counts[DNS_SECTION_AUTHORITY] = 0;
- message->counts[DNS_SECTION_ADDITIONAL] = 0;
- return (ISC_TRUE);
-}
-
-static inline isc_result_t
-fctx_starttimer(fetchctx_t *fctx) {
- /*
- * Start the lifetime timer for fctx.
- *
- * This is also used for stopping the idle timer; in that
- * case we must purge events already posted to ensure that
- * no further idle events are delivered.
- */
- return (isc_timer_reset(fctx->timer, isc_timertype_once,
- &fctx->expires, NULL,
- ISC_TRUE));
-}
-
-static inline void
-fctx_stoptimer(fetchctx_t *fctx) {
- isc_result_t result;
-
- /*
- * We don't return a result if resetting the timer to inactive fails
- * since there's nothing to be done about it. Resetting to inactive
- * should never fail anyway, since the code as currently written
- * cannot fail in that case.
- */
- result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_timer_reset(): %s",
- isc_result_totext(result));
- }
-}
-
-
-static inline isc_result_t
-fctx_startidletimer(fetchctx_t *fctx) {
- /*
- * Start the idle timer for fctx. The lifetime timer continues
- * to be in effect.
- */
- return (isc_timer_reset(fctx->timer, isc_timertype_once,
- &fctx->expires, &fctx->interval,
- ISC_FALSE));
-}
-
-/*
- * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
- * we use fctx_stopidletimer for readability in the code below.
- */
-#define fctx_stopidletimer fctx_starttimer
-
-
-static inline void
-resquery_destroy(resquery_t **queryp) {
- resquery_t *query;
-
- REQUIRE(queryp != NULL);
- query = *queryp;
- REQUIRE(!ISC_LINK_LINKED(query, link));
-
- INSIST(query->tcpsocket == NULL);
-
- query->magic = 0;
- isc_mem_put(query->mctx, query, sizeof(*query));
- *queryp = NULL;
-}
-
-static void
-fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
- isc_time_t *finish, isc_boolean_t no_response)
-{
- fetchctx_t *fctx;
- resquery_t *query;
- unsigned int rtt;
- unsigned int factor;
- dns_adbfind_t *find;
- dns_adbaddrinfo_t *addrinfo;
-
- query = *queryp;
- fctx = query->fctx;
-
- FCTXTRACE("cancelquery");
-
- REQUIRE(!RESQUERY_CANCELED(query));
-
- query->attributes |= RESQUERY_ATTR_CANCELED;
-
- /*
- * Should we update the RTT?
- */
- if (finish != NULL || no_response) {
- if (finish != NULL) {
- /*
- * We have both the start and finish times for this
- * packet, so we can compute a real RTT.
- */
- rtt = (unsigned int)isc_time_microdiff(finish,
- &query->start);
- factor = DNS_ADB_RTTADJDEFAULT;
- } else {
- /*
- * We don't have an RTT for this query. Maybe the
- * packet was lost, or maybe this server is very
- * slow. We don't know. Increase the RTT.
- */
- INSIST(no_response);
- rtt = query->addrinfo->srtt +
- (200000 * fctx->restarts);
- if (rtt > 10000000)
- rtt = 10000000;
- /*
- * Replace the current RTT with our value.
- */
- factor = DNS_ADB_RTTADJREPLACE;
- }
- dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
- }
-
- /*
- * Age RTTs of servers not tried.
- */
- factor = DNS_ADB_RTTADJAGE;
- if (finish != NULL)
- for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink))
- if (UNMARKED(addrinfo))
- dns_adb_adjustsrtt(fctx->adb, addrinfo,
- 0, factor);
-
- if (finish != NULL && TRIEDFIND(fctx))
- for (find = ISC_LIST_HEAD(fctx->finds);
- find != NULL;
- find = ISC_LIST_NEXT(find, publink))
- for (addrinfo = ISC_LIST_HEAD(find->list);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink))
- if (UNMARKED(addrinfo))
- dns_adb_adjustsrtt(fctx->adb, addrinfo,
- 0, factor);
-
- if (finish != NULL && TRIEDALT(fctx)) {
- for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink))
- if (UNMARKED(addrinfo))
- dns_adb_adjustsrtt(fctx->adb, addrinfo,
- 0, factor);
- for (find = ISC_LIST_HEAD(fctx->altfinds);
- find != NULL;
- find = ISC_LIST_NEXT(find, publink))
- for (addrinfo = ISC_LIST_HEAD(find->list);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink))
- if (UNMARKED(addrinfo))
- dns_adb_adjustsrtt(fctx->adb, addrinfo,
- 0, factor);
- }
-
- if (query->dispentry != NULL)
- dns_dispatch_removeresponse(&query->dispentry, deventp);
-
- ISC_LIST_UNLINK(fctx->queries, query, link);
-
- if (query->tsig != NULL)
- isc_buffer_free(&query->tsig);
-
- if (query->tsigkey != NULL)
- dns_tsigkey_detach(&query->tsigkey);
-
- /*
- * Check for any outstanding socket events. If they exist, cancel
- * them and let the event handlers finish the cleanup. The resolver
- * only needs to worry about managing the connect and send events;
- * the dispatcher manages the recv events.
- */
- if (RESQUERY_CONNECTING(query))
- /*
- * Cancel the connect.
- */
- isc_socket_cancel(query->tcpsocket, NULL,
- ISC_SOCKCANCEL_CONNECT);
- else if (RESQUERY_SENDING(query))
- /*
- * Cancel the pending send.
- */
- isc_socket_cancel(dns_dispatch_getsocket(query->dispatch),
- NULL, ISC_SOCKCANCEL_SEND);
-
- if (query->dispatch != NULL)
- dns_dispatch_detach(&query->dispatch);
-
- if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query)))
- /*
- * It's safe to destroy the query now.
- */
- resquery_destroy(&query);
-}
-
-static void
-fctx_cancelqueries(fetchctx_t *fctx, isc_boolean_t no_response) {
- resquery_t *query, *next_query;
-
- FCTXTRACE("cancelqueries");
-
- for (query = ISC_LIST_HEAD(fctx->queries);
- query != NULL;
- query = next_query) {
- next_query = ISC_LIST_NEXT(query, link);
- fctx_cancelquery(&query, NULL, NULL, no_response);
- }
-}
-
-static void
-fctx_cleanupfinds(fetchctx_t *fctx) {
- dns_adbfind_t *find, *next_find;
-
- REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
- for (find = ISC_LIST_HEAD(fctx->finds);
- find != NULL;
- find = next_find) {
- next_find = ISC_LIST_NEXT(find, publink);
- ISC_LIST_UNLINK(fctx->finds, find, publink);
- dns_adb_destroyfind(&find);
- }
- fctx->find = NULL;
-}
-
-static void
-fctx_cleanupaltfinds(fetchctx_t *fctx) {
- dns_adbfind_t *find, *next_find;
-
- REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
- for (find = ISC_LIST_HEAD(fctx->altfinds);
- find != NULL;
- find = next_find) {
- next_find = ISC_LIST_NEXT(find, publink);
- ISC_LIST_UNLINK(fctx->altfinds, find, publink);
- dns_adb_destroyfind(&find);
- }
- fctx->altfind = NULL;
-}
-
-static void
-fctx_cleanupforwaddrs(fetchctx_t *fctx) {
- dns_adbaddrinfo_t *addr, *next_addr;
-
- REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
- for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
- addr != NULL;
- addr = next_addr) {
- next_addr = ISC_LIST_NEXT(addr, publink);
- ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
- dns_adb_freeaddrinfo(fctx->adb, &addr);
- }
-}
-
-static void
-fctx_cleanupaltaddrs(fetchctx_t *fctx) {
- dns_adbaddrinfo_t *addr, *next_addr;
-
- REQUIRE(ISC_LIST_EMPTY(fctx->queries));
-
- for (addr = ISC_LIST_HEAD(fctx->altaddrs);
- addr != NULL;
- addr = next_addr) {
- next_addr = ISC_LIST_NEXT(addr, publink);
- ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
- dns_adb_freeaddrinfo(fctx->adb, &addr);
- }
-}
-
-static inline void
-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
- FCTXTRACE("stopeverything");
- fctx_cancelqueries(fctx, no_response);
- fctx_cleanupfinds(fctx);
- fctx_cleanupaltfinds(fctx);
- fctx_cleanupforwaddrs(fctx);
- fctx_cleanupaltaddrs(fctx);
- fctx_stoptimer(fctx);
-}
-
-static inline void
-fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
- dns_fetchevent_t *event, *next_event;
- isc_task_t *task;
-
- /*
- * Caller must be holding the appropriate bucket lock.
- */
- REQUIRE(fctx->state == fetchstate_done);
-
- FCTXTRACE("sendevents");
-
- for (event = ISC_LIST_HEAD(fctx->events);
- event != NULL;
- event = next_event) {
- next_event = ISC_LIST_NEXT(event, ev_link);
- ISC_LIST_UNLINK(fctx->events, event, ev_link);
- task = event->ev_sender;
- event->ev_sender = fctx;
- if (!HAVE_ANSWER(fctx))
- event->result = result;
-
- INSIST(result != ISC_R_SUCCESS ||
- dns_rdataset_isassociated(event->rdataset) ||
- fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig);
-
- isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
- }
-}
-
-static void
-fctx_done(fetchctx_t *fctx, isc_result_t result) {
- dns_resolver_t *res;
- isc_boolean_t no_response;
-
- FCTXTRACE("done");
-
- res = fctx->res;
-
- if (result == ISC_R_SUCCESS)
- no_response = ISC_TRUE;
- else
- no_response = ISC_FALSE;
- fctx_stopeverything(fctx, no_response);
-
- LOCK(&res->buckets[fctx->bucketnum].lock);
-
- fctx->state = fetchstate_done;
- fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
- fctx_sendevents(fctx, result);
-
- UNLOCK(&res->buckets[fctx->bucketnum].lock);
-}
-
-static void
-resquery_senddone(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *)event;
- resquery_t *query = event->ev_arg;
- isc_boolean_t retry = ISC_FALSE;
- isc_result_t result;
- fetchctx_t *fctx;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
- QTRACE("senddone");
-
- /*
- * XXXRTH
- *
- * Currently we don't wait for the senddone event before retrying
- * a query. This means that if we get really behind, we may end
- * up doing extra work!
- */
-
- UNUSED(task);
-
- INSIST(RESQUERY_SENDING(query));
-
- query->sends--;
- fctx = query->fctx;
-
- if (RESQUERY_CANCELED(query)) {
- if (query->sends == 0) {
- /*
- * This query was canceled while the
- * isc_socket_sendto() was in progress.
- */
- if (query->tcpsocket != NULL)
- isc_socket_detach(&query->tcpsocket);
- resquery_destroy(&query);
- }
- } else
- switch (sevent->result) {
- case ISC_R_SUCCESS:
- break;
-
- case ISC_R_HOSTUNREACH:
- case ISC_R_NETUNREACH:
- case ISC_R_NOPERM:
- case ISC_R_ADDRNOTAVAIL:
- case ISC_R_CONNREFUSED:
-
- /*
- * No route to remote.
- */
- fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
- retry = ISC_TRUE;
- break;
-
- default:
- fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
- break;
- }
-
- isc_event_free(&event);
-
- if (retry) {
- /*
- * Behave as if the idle timer has expired. For TCP
- * this may not actually reflect the latest timer.
- */
- fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
- result = fctx_stopidletimer(fctx);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- else
- fctx_try(fctx);
- }
-}
-
-static inline isc_result_t
-fctx_addopt(dns_message_t *message, dns_resolver_t *res) {
- dns_rdataset_t *rdataset;
- dns_rdatalist_t *rdatalist;
- dns_rdata_t *rdata;
- isc_result_t result;
-
- rdatalist = NULL;
- result = dns_message_gettemprdatalist(message, &rdatalist);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdata = NULL;
- result = dns_message_gettemprdata(message, &rdata);
- if (result != ISC_R_SUCCESS)
- return (result);
- rdataset = NULL;
- result = dns_message_gettemprdataset(message, &rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_init(rdataset);
-
- rdatalist->type = dns_rdatatype_opt;
- rdatalist->covers = 0;
-
- /*
- * Set Maximum UDP buffer size.
- */
- rdatalist->rdclass = res->udpsize;
-
- /*
- * Set EXTENDED-RCODE, VERSION, and Z to 0, and the DO bit to 1.
- */
- rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
-
- /*
- * No EDNS options.
- */
- rdata->data = NULL;
- rdata->length = 0;
- rdata->rdclass = rdatalist->rdclass;
- rdata->type = rdatalist->type;
- rdata->flags = 0;
-
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS);
-
- return (dns_message_setopt(message, rdataset));
-}
-
-static inline void
-fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
- unsigned int seconds;
-
- /*
- * We retry every 2 seconds the first two times through the address
- * list, and then we do exponential back-off.
- */
- if (fctx->restarts < 3)
- seconds = 2;
- else
- seconds = (2 << (fctx->restarts - 1));
-
- /*
- * Double the round-trip time and convert to seconds.
- */
- rtt /= 500000;
-
- /*
- * Always wait for at least the doubled round-trip time.
- */
- if (seconds < rtt)
- seconds = rtt;
-
- /*
- * But don't ever wait for more than 30 seconds.
- */
- if (seconds > 30)
- seconds = 30;
-
- isc_interval_set(&fctx->interval, seconds, 0);
-}
-
-static isc_result_t
-fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
- unsigned int options)
-{
- dns_resolver_t *res;
- isc_task_t *task;
- isc_result_t result;
- resquery_t *query;
-
- FCTXTRACE("query");
-
- res = fctx->res;
- task = res->buckets[fctx->bucketnum].task;
-
- fctx_setretryinterval(fctx, addrinfo->srtt);
- result = fctx_startidletimer(fctx);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
-
- query = isc_mem_get(res->mctx, sizeof(*query));
- if (query == NULL) {
- result = ISC_R_NOMEMORY;
- goto stop_idle_timer;
- }
- query->mctx = res->mctx;
- query->options = options;
- query->attributes = 0;
- query->sends = 0;
- query->connects = 0;
- /*
- * Note that the caller MUST guarantee that 'addrinfo' will remain
- * valid until this query is canceled.
- */
- query->addrinfo = addrinfo;
- TIME_NOW(&query->start);
-
- /*
- * If this is a TCP query, then we need to make a socket and
- * a dispatch for it here. Otherwise we use the resolver's
- * shared dispatch.
- */
- query->dispatchmgr = res->dispatchmgr;
- query->dispatch = NULL;
- query->tcpsocket = NULL;
- if ((query->options & DNS_FETCHOPT_TCP) != 0) {
- isc_sockaddr_t addr;
- int pf;
-
- pf = isc_sockaddr_pf(&addrinfo->sockaddr);
-
- switch (pf) {
- case PF_INET:
- result = dns_dispatch_getlocaladdress(res->dispatchv4,
- &addr);
- break;
- case PF_INET6:
- result = dns_dispatch_getlocaladdress(res->dispatchv6,
- &addr);
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- break;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup_query;
-
- isc_sockaddr_setport(&addr, 0);
-
- result = isc_socket_create(res->socketmgr, pf,
- isc_sockettype_tcp,
- &query->tcpsocket);
- if (result != ISC_R_SUCCESS)
- goto cleanup_query;
-
- result = isc_socket_bind(query->tcpsocket, &addr);
- if (result != ISC_R_SUCCESS)
- goto cleanup_socket;
-
- /*
- * A dispatch will be created once the connect succeeds.
- */
- } else {
- switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
- case PF_INET:
- dns_dispatch_attach(res->dispatchv4, &query->dispatch);
- break;
- case PF_INET6:
- dns_dispatch_attach(res->dispatchv6, &query->dispatch);
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup_query;
- }
- /*
- * We should always have a valid dispatcher here. If we
- * don't support a protocol family, then its dispatcher
- * will be NULL, but we shouldn't be finding addresses for
- * protocol types we don't support, so the dispatcher
- * we found should never be NULL.
- */
- INSIST(query->dispatch != NULL);
- }
-
- query->dispentry = NULL;
- query->fctx = fctx;
- query->tsig = NULL;
- query->tsigkey = NULL;
- ISC_LINK_INIT(query, link);
- query->magic = QUERY_MAGIC;
-
- if ((query->options & DNS_FETCHOPT_TCP) != 0) {
- /*
- * Connect to the remote server.
- *
- * XXXRTH Should we attach to the socket?
- */
- result = isc_socket_connect(query->tcpsocket,
- &addrinfo->sockaddr, task,
- resquery_connected, query);
- if (result != ISC_R_SUCCESS)
- goto cleanup_socket;
- query->connects++;
- QTRACE("connecting via TCP");
- } else {
- result = resquery_send(query);
- if (result != ISC_R_SUCCESS)
- goto cleanup_dispatch;
- }
-
- ISC_LIST_APPEND(fctx->queries, query, link);
-
- return (ISC_R_SUCCESS);
-
- cleanup_socket:
- isc_socket_detach(&query->tcpsocket);
-
- cleanup_dispatch:
- if (query->dispatch != NULL)
- dns_dispatch_detach(&query->dispatch);
-
- cleanup_query:
- query->magic = 0;
- isc_mem_put(res->mctx, query, sizeof(*query));
-
- stop_idle_timer:
- RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
-
- return (result);
-}
-
-static isc_result_t
-resquery_send(resquery_t *query) {
- fetchctx_t *fctx;
- isc_result_t result;
- dns_name_t *qname = NULL;
- dns_rdataset_t *qrdataset = NULL;
- isc_region_t r;
- dns_resolver_t *res;
- isc_task_t *task;
- isc_socket_t *socket;
- isc_buffer_t tcpbuffer;
- isc_sockaddr_t *address;
- isc_buffer_t *buffer;
- isc_netaddr_t ipaddr;
- dns_tsigkey_t *tsigkey = NULL;
- dns_peer_t *peer = NULL;
- isc_boolean_t useedns;
- dns_compress_t cctx;
- isc_boolean_t cleanup_cctx = ISC_FALSE;
- isc_boolean_t secure_domain;
-
- fctx = query->fctx;
- QTRACE("send");
-
- res = fctx->res;
- task = res->buckets[fctx->bucketnum].task;
- address = NULL;
-
- if ((query->options & DNS_FETCHOPT_TCP) != 0) {
- /*
- * Reserve space for the TCP message length.
- */
- isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
- isc_buffer_init(&query->buffer, query->data + 2,
- sizeof(query->data) - 2);
- buffer = &tcpbuffer;
- } else {
- isc_buffer_init(&query->buffer, query->data,
- sizeof(query->data));
- buffer = &query->buffer;
- }
-
- result = dns_message_gettempname(fctx->qmessage, &qname);
- if (result != ISC_R_SUCCESS)
- goto cleanup_temps;
- result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup_temps;
-
- /*
- * Get a query id from the dispatch.
- */
- result = dns_dispatch_addresponse(query->dispatch,
- &query->addrinfo->sockaddr,
- task,
- resquery_response,
- query,
- &query->id,
- &query->dispentry);
- if (result != ISC_R_SUCCESS)
- goto cleanup_temps;
-
- fctx->qmessage->opcode = dns_opcode_query;
-
- /*
- * Set up question.
- */
- dns_name_init(qname, NULL);
- dns_name_clone(&fctx->name, qname);
- dns_rdataset_init(qrdataset);
- dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
- ISC_LIST_APPEND(qname->list, qrdataset, link);
- dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
- qname = NULL;
- qrdataset = NULL;
-
- /*
- * Set RD if the client has requested that we do a recursive query,
- * or if we're sending to a forwarder.
- */
- if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
- ISFORWARDER(query->addrinfo))
- fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
-
- /*
- * Set CD if the client says don't validate or the question is
- * under a secure entry point.
- */
- if ((query->options & DNS_FETCHOPT_NOVALIDATE) == 0) {
- result = dns_keytable_issecuredomain(res->view->secroots,
- &fctx->name,
- &secure_domain);
- if (result != ISC_R_SUCCESS)
- secure_domain = ISC_FALSE;
- if (res->view->dlv != NULL)
- secure_domain = ISC_TRUE;
- if (secure_domain)
- fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
- } else
- fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
-
- /*
- * We don't have to set opcode because it defaults to query.
- */
- fctx->qmessage->id = query->id;
-
- /*
- * Convert the question to wire format.
- */
- result = dns_compress_init(&cctx, -1, fctx->res->mctx);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
- cleanup_cctx = ISC_TRUE;
-
- result = dns_message_renderbegin(fctx->qmessage, &cctx,
- &query->buffer);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
-
- result = dns_message_rendersection(fctx->qmessage,
- DNS_SECTION_QUESTION, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
-
- peer = NULL;
- isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
- (void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
-
- /*
- * The ADB does not know about servers with "edns no". Check this,
- * and then inform the ADB for future use.
- */
- if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
- peer != NULL &&
- dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
- !useedns)
- {
- query->options |= DNS_FETCHOPT_NOEDNS0;
- dns_adb_changeflags(fctx->adb,
- query->addrinfo,
- DNS_FETCHOPT_NOEDNS0,
- DNS_FETCHOPT_NOEDNS0);
- }
-
- /*
- * Use EDNS0, unless the caller doesn't want it, or we know that
- * the remote server doesn't like it.
- */
- if (fctx->timeouts >= MAX_EDNS0_TIMEOUTS &&
- (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
- query->options |= DNS_FETCHOPT_NOEDNS0;
- FCTXTRACE("too many timeouts, disabling EDNS0");
- }
-
- if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
- if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
- result = fctx_addopt(fctx->qmessage, res);
- if (result != ISC_R_SUCCESS) {
- /*
- * We couldn't add the OPT, but we'll press on.
- * We're not using EDNS0, so set the NOEDNS0
- * bit.
- */
- query->options |= DNS_FETCHOPT_NOEDNS0;
- }
- } else {
- /*
- * We know this server doesn't like EDNS0, so we
- * won't use it. Set the NOEDNS0 bit since we're
- * not using EDNS0.
- */
- query->options |= DNS_FETCHOPT_NOEDNS0;
- }
- }
-
- /*
- * If we need EDNS0 to do this query and aren't using it, we lose.
- */
- if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
- result = DNS_R_SERVFAIL;
- goto cleanup_message;
- }
-
- /*
- * Add TSIG record tailored to the current recipient.
- */
- result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
- goto cleanup_message;
-
- if (tsigkey != NULL) {
- result = dns_message_settsigkey(fctx->qmessage, tsigkey);
- dns_tsigkey_detach(&tsigkey);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
- }
-
- result = dns_message_rendersection(fctx->qmessage,
- DNS_SECTION_ADDITIONAL, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
-
- result = dns_message_renderend(fctx->qmessage);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
-
- dns_compress_invalidate(&cctx);
- cleanup_cctx = ISC_FALSE;
-
- if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
- dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
- &query->tsigkey);
- result = dns_message_getquerytsig(fctx->qmessage,
- fctx->res->mctx,
- &query->tsig);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
- }
-
- /*
- * If using TCP, write the length of the message at the beginning
- * of the buffer.
- */
- if ((query->options & DNS_FETCHOPT_TCP) != 0) {
- isc_buffer_usedregion(&query->buffer, &r);
- isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
- isc_buffer_add(&tcpbuffer, r.length);
- }
-
- /*
- * We're now done with the query message.
- */
- dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
-
- socket = dns_dispatch_getsocket(query->dispatch);
- /*
- * Send the query!
- */
- if ((query->options & DNS_FETCHOPT_TCP) == 0)
- address = &query->addrinfo->sockaddr;
- isc_buffer_usedregion(buffer, &r);
-
- /*
- * XXXRTH Make sure we don't send to ourselves! We should probably
- * prune out these addresses when we get them from the ADB.
- */
- result = isc_socket_sendto(socket, &r, task, resquery_senddone,
- query, address, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup_message;
- query->sends++;
- QTRACE("sent");
-
- return (ISC_R_SUCCESS);
-
- cleanup_message:
- if (cleanup_cctx)
- dns_compress_invalidate(&cctx);
-
- dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
-
- /*
- * Stop the dispatcher from listening.
- */
- dns_dispatch_removeresponse(&query->dispentry, NULL);
-
- cleanup_temps:
- if (qname != NULL)
- dns_message_puttempname(fctx->qmessage, &qname);
- if (qrdataset != NULL)
- dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
-
- return (result);
-}
-
-static void
-resquery_connected(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sevent = (isc_socketevent_t *)event;
- resquery_t *query = event->ev_arg;
- isc_boolean_t retry = ISC_FALSE;
- isc_result_t result;
- unsigned int attrs;
- fetchctx_t *fctx;
-
- REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
- REQUIRE(VALID_QUERY(query));
-
- QTRACE("connected");
-
- UNUSED(task);
-
- /*
- * XXXRTH
- *
- * Currently we don't wait for the connect event before retrying
- * a query. This means that if we get really behind, we may end
- * up doing extra work!
- */
-
- query->connects--;
- fctx = query->fctx;
-
- if (RESQUERY_CANCELED(query)) {
- /*
- * This query was canceled while the connect() was in
- * progress.
- */
- isc_socket_detach(&query->tcpsocket);
- resquery_destroy(&query);
- } else {
- switch (sevent->result) {
- case ISC_R_SUCCESS:
- /*
- * We are connected. Create a dispatcher and
- * send the query.
- */
- attrs = 0;
- attrs |= DNS_DISPATCHATTR_TCP;
- attrs |= DNS_DISPATCHATTR_PRIVATE;
- attrs |= DNS_DISPATCHATTR_CONNECTED;
- if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
- AF_INET)
- attrs |= DNS_DISPATCHATTR_IPV4;
- else
- attrs |= DNS_DISPATCHATTR_IPV6;
- attrs |= DNS_DISPATCHATTR_MAKEQUERY;
-
- result = dns_dispatch_createtcp(query->dispatchmgr,
- query->tcpsocket,
- query->fctx->res->taskmgr,
- 4096, 2, 1, 1, 3, attrs,
- &query->dispatch);
-
- /*
- * Regardless of whether dns_dispatch_create()
- * succeeded or not, we don't need our reference
- * to the socket anymore.
- */
- isc_socket_detach(&query->tcpsocket);
-
- if (result == ISC_R_SUCCESS)
- result = resquery_send(query);
-
- if (result != ISC_R_SUCCESS) {
- fctx_cancelquery(&query, NULL, NULL,
- ISC_FALSE);
- fctx_done(fctx, result);
- }
- break;
-
- case ISC_R_NETUNREACH:
- case ISC_R_HOSTUNREACH:
- case ISC_R_CONNREFUSED:
- case ISC_R_NOPERM:
- case ISC_R_ADDRNOTAVAIL:
- case ISC_R_CONNECTIONRESET:
- /*
- * No route to remote.
- */
- isc_socket_detach(&query->tcpsocket);
- fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
- retry = ISC_TRUE;
- break;
-
- default:
- isc_socket_detach(&query->tcpsocket);
- fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
- break;
- }
- }
-
- isc_event_free(&event);
-
- if (retry) {
- /*
- * Behave as if the idle timer has expired. For TCP
- * connections this may not actually reflect the latest timer.
- */
- fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
- result = fctx_stopidletimer(fctx);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- else
- fctx_try(fctx);
- }
-}
-
-static void
-fctx_finddone(isc_task_t *task, isc_event_t *event) {
- fetchctx_t *fctx;
- dns_adbfind_t *find;
- dns_resolver_t *res;
- isc_boolean_t want_try = ISC_FALSE;
- isc_boolean_t want_done = ISC_FALSE;
- isc_boolean_t bucket_empty = ISC_FALSE;
- unsigned int bucketnum;
-
- find = event->ev_sender;
- fctx = event->ev_arg;
- REQUIRE(VALID_FCTX(fctx));
- res = fctx->res;
-
- UNUSED(task);
-
- FCTXTRACE("finddone");
-
- INSIST(fctx->pending > 0);
- fctx->pending--;
-
- if (ADDRWAIT(fctx)) {
- /*
- * The fetch is waiting for a name to be found.
- */
- INSIST(!SHUTTINGDOWN(fctx));
- fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
- if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
- want_try = ISC_TRUE;
- else if (fctx->pending == 0) {
- /*
- * We've got nothing else to wait for and don't
- * know the answer. There's nothing to do but
- * fail the fctx.
- */
- want_done = ISC_TRUE;
- }
- } else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
- ISC_LIST_EMPTY(fctx->validators)) {
- bucketnum = fctx->bucketnum;
- LOCK(&res->buckets[bucketnum].lock);
- /*
- * Note that we had to wait until we had the lock before
- * looking at fctx->references.
- */
- if (fctx->references == 0)
- bucket_empty = fctx_destroy(fctx);
- UNLOCK(&res->buckets[bucketnum].lock);
- }
-
- isc_event_free(&event);
- dns_adb_destroyfind(&find);
-
- if (want_try)
- fctx_try(fctx);
- else if (want_done)
- fctx_done(fctx, ISC_R_FAILURE);
- else if (bucket_empty)
- empty_bucket(res);
-}
-
-
-static inline isc_boolean_t
-bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
- isc_sockaddr_t *sa;
-
- for (sa = ISC_LIST_HEAD(fctx->bad);
- sa != NULL;
- sa = ISC_LIST_NEXT(sa, link)) {
- if (isc_sockaddr_equal(sa, address))
- return (ISC_TRUE);
- }
-
- return (ISC_FALSE);
-}
-
-static inline isc_boolean_t
-mark_bad(fetchctx_t *fctx) {
- dns_adbfind_t *curr;
- dns_adbaddrinfo_t *addrinfo;
- isc_boolean_t all_bad = ISC_TRUE;
-
- /*
- * Mark all known bad servers, so we don't try to talk to them
- * again.
- */
-
- /*
- * Mark any bad nameservers.
- */
- for (curr = ISC_LIST_HEAD(fctx->finds);
- curr != NULL;
- curr = ISC_LIST_NEXT(curr, publink)) {
- for (addrinfo = ISC_LIST_HEAD(curr->list);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (bad_server(fctx, &addrinfo->sockaddr))
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- else
- all_bad = ISC_FALSE;
- }
- }
-
- /*
- * Mark any bad forwarders.
- */
- for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (bad_server(fctx, &addrinfo->sockaddr))
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- else
- all_bad = ISC_FALSE;
- }
-
- /*
- * Mark any bad alternates.
- */
- for (curr = ISC_LIST_HEAD(fctx->altfinds);
- curr != NULL;
- curr = ISC_LIST_NEXT(curr, publink)) {
- for (addrinfo = ISC_LIST_HEAD(curr->list);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (bad_server(fctx, &addrinfo->sockaddr))
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- else
- all_bad = ISC_FALSE;
- }
- }
-
- for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (bad_server(fctx, &addrinfo->sockaddr))
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- else
- all_bad = ISC_FALSE;
- }
-
- return (all_bad);
-}
-
-static void
-add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- char classbuf[64];
- char typebuf[64];
- char code[64];
- isc_buffer_t b;
- isc_sockaddr_t *sa;
- const char *sep1, *sep2;
-
- if (bad_server(fctx, address)) {
- /*
- * We already know this server is bad.
- */
- return;
- }
-
- FCTXTRACE("add_bad");
-
- sa = isc_mem_get(fctx->res->mctx, sizeof(*sa));
- if (sa == NULL)
- return;
- *sa = *address;
- ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
-
- if (reason == DNS_R_LAME) /* already logged */
- return;
-
- if (reason == DNS_R_UNEXPECTEDRCODE) {
- isc_buffer_init(&b, code, sizeof(code) - 1);
- dns_rcode_totext(fctx->rmessage->rcode, &b);
- code[isc_buffer_usedlength(&b)] = '\0';
- sep1 = "(";
- sep2 = ") ";
- } else if (reason == DNS_R_UNEXPECTEDOPCODE) {
- isc_buffer_init(&b, code, sizeof(code) - 1);
- dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
- code[isc_buffer_usedlength(&b)] = '\0';
- sep1 = "(";
- sep2 = ") ";
- } else {
- code[0] = '\0';
- sep1 = "";
- sep2 = "";
- }
- dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
- dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
- isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
- "%s %s%s%sresolving '%s/%s/%s': %s",
- dns_result_totext(reason), sep1, code, sep2,
- namebuf, typebuf, classbuf, addrbuf);
-}
-
-static void
-sort_adbfind(dns_adbfind_t *find) {
- dns_adbaddrinfo_t *best, *curr;
- dns_adbaddrinfolist_t sorted;
-
- /*
- * Lame N^2 bubble sort.
- */
-
- ISC_LIST_INIT(sorted);
- while (!ISC_LIST_EMPTY(find->list)) {
- best = ISC_LIST_HEAD(find->list);
- curr = ISC_LIST_NEXT(best, publink);
- while (curr != NULL) {
- if (curr->srtt < best->srtt)
- best = curr;
- curr = ISC_LIST_NEXT(curr, publink);
- }
- ISC_LIST_UNLINK(find->list, best, publink);
- ISC_LIST_APPEND(sorted, best, publink);
- }
- find->list = sorted;
-}
-
-static void
-sort_finds(fetchctx_t *fctx) {
- dns_adbfind_t *best, *curr;
- dns_adbfindlist_t sorted;
- dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
-
- /*
- * Lame N^2 bubble sort.
- */
-
- ISC_LIST_INIT(sorted);
- while (!ISC_LIST_EMPTY(fctx->finds)) {
- best = ISC_LIST_HEAD(fctx->finds);
- bestaddrinfo = ISC_LIST_HEAD(best->list);
- INSIST(bestaddrinfo != NULL);
- curr = ISC_LIST_NEXT(best, publink);
- while (curr != NULL) {
- addrinfo = ISC_LIST_HEAD(curr->list);
- INSIST(addrinfo != NULL);
- if (addrinfo->srtt < bestaddrinfo->srtt) {
- best = curr;
- bestaddrinfo = addrinfo;
- }
- curr = ISC_LIST_NEXT(curr, publink);
- }
- ISC_LIST_UNLINK(fctx->finds, best, publink);
- ISC_LIST_APPEND(sorted, best, publink);
- }
- fctx->finds = sorted;
-
- ISC_LIST_INIT(sorted);
- while (!ISC_LIST_EMPTY(fctx->altfinds)) {
- best = ISC_LIST_HEAD(fctx->altfinds);
- bestaddrinfo = ISC_LIST_HEAD(best->list);
- INSIST(bestaddrinfo != NULL);
- curr = ISC_LIST_NEXT(best, publink);
- while (curr != NULL) {
- addrinfo = ISC_LIST_HEAD(curr->list);
- INSIST(addrinfo != NULL);
- if (addrinfo->srtt < bestaddrinfo->srtt) {
- best = curr;
- bestaddrinfo = addrinfo;
- }
- curr = ISC_LIST_NEXT(curr, publink);
- }
- ISC_LIST_UNLINK(fctx->altfinds, best, publink);
- ISC_LIST_APPEND(sorted, best, publink);
- }
- fctx->altfinds = sorted;
-}
-
-static void
-findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
- unsigned int options, unsigned int flags, isc_stdtime_t now,
- isc_boolean_t *pruned, isc_boolean_t *need_alternate)
-{
- dns_adbaddrinfo_t *ai;
- dns_adbfind_t *find;
- dns_resolver_t *res;
- isc_boolean_t unshared;
- isc_result_t result;
-
- res = fctx->res;
- unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0);
- /*
- * If this name is a subdomain of the query domain, tell
- * the ADB to start looking using zone/hint data. This keeps us
- * from getting stuck if the nameserver is beneath the zone cut
- * and we don't know its address (e.g. because the A record has
- * expired).
- */
- if (dns_name_issubdomain(name, &fctx->domain))
- options |= DNS_ADBFIND_STARTATZONE;
- options |= DNS_ADBFIND_GLUEOK;
- options |= DNS_ADBFIND_HINTOK;
-
- /*
- * See what we know about this address.
- */
- find = NULL;
- result = dns_adb_createfind(fctx->adb,
- res->buckets[fctx->bucketnum].task,
- fctx_finddone, fctx, name,
- &fctx->domain, options, now, NULL,
- res->view->dstport, &find);
- if (result != ISC_R_SUCCESS) {
- if (result == DNS_R_ALIAS) {
- /*
- * XXXRTH Follow the CNAME/DNAME chain?
- */
- dns_adb_destroyfind(&find);
- }
- } else if (!ISC_LIST_EMPTY(find->list)) {
- /*
- * We have at least some of the addresses for the
- * name.
- */
- INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
- sort_adbfind(find);
- if (flags != 0 || port != 0) {
- for (ai = ISC_LIST_HEAD(find->list);
- ai != NULL;
- ai = ISC_LIST_NEXT(ai, publink)) {
- ai->flags |= flags;
- if (port != 0)
- isc_sockaddr_setport(&ai->sockaddr,
- port);
- }
- }
- if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
- ISC_LIST_APPEND(fctx->altfinds, find, publink);
- else
- ISC_LIST_APPEND(fctx->finds, find, publink);
- } else {
- /*
- * We don't know any of the addresses for this
- * name.
- */
- if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
- /*
- * We're looking for them and will get an
- * event about it later.
- */
- fctx->pending++;
- /*
- * Bootstrap.
- */
- if (need_alternate != NULL &&
- !*need_alternate && unshared &&
- ((res->dispatchv4 == NULL &&
- find->result_v6 != DNS_R_NXDOMAIN) ||
- (res->dispatchv6 == NULL &&
- find->result_v4 != DNS_R_NXDOMAIN)))
- *need_alternate = ISC_TRUE;
- } else {
- /*
- * If we know there are no addresses for
- * the family we are using then try to add
- * an alternative server.
- */
- if (need_alternate != NULL && !*need_alternate &&
- ((res->dispatchv4 == NULL &&
- find->result_v6 == DNS_R_NXRRSET) ||
- (res->dispatchv6 == NULL &&
- find->result_v4 == DNS_R_NXRRSET)))
- *need_alternate = ISC_TRUE;
- /*
- * And ADB isn't going to send us any events
- * either. This find loses.
- */
- if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0) {
- /*
- * The ADB pruned lame servers for
- * this name. Remember that in case
- * we get desperate later on.
- */
- *pruned = ISC_TRUE;
- }
- dns_adb_destroyfind(&find);
- }
- }
-}
-
-static isc_result_t
-fctx_getaddresses(fetchctx_t *fctx) {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- dns_resolver_t *res;
- isc_stdtime_t now;
- unsigned int stdoptions;
- isc_sockaddr_t *sa;
- dns_adbaddrinfo_t *ai;
- isc_boolean_t pruned, all_bad;
- dns_rdata_ns_t ns;
- isc_boolean_t need_alternate = ISC_FALSE;
-
- FCTXTRACE("getaddresses");
-
- /*
- * Don't pound on remote servers. (Failsafe!)
- */
- fctx->restarts++;
- if (fctx->restarts > 10) {
- FCTXTRACE("too many restarts");
- return (DNS_R_SERVFAIL);
- }
-
- res = fctx->res;
- pruned = ISC_FALSE;
- stdoptions = 0; /* Keep compiler happy. */
-
- /*
- * Forwarders.
- */
-
- INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
- INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
-
- /*
- * If this fctx has forwarders, use them; otherwise use any
- * selective forwarders specified in the view; otherwise use the
- * resolver's forwarders (if any).
- */
- sa = ISC_LIST_HEAD(fctx->forwarders);
- if (sa == NULL) {
- dns_forwarders_t *forwarders = NULL;
- dns_name_t *name = &fctx->name;
- dns_name_t suffix;
- unsigned int labels;
-
- /*
- * DS records are found in the parent server.
- * Strip label to get the correct forwarder (if any).
- */
- if (fctx->type == dns_rdatatype_ds &&
- dns_name_countlabels(name) > 1) {
- dns_name_init(&suffix, NULL);
- labels = dns_name_countlabels(name);
- dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
- name = &suffix;
- }
- result = dns_fwdtable_find(fctx->res->view->fwdtable, name,
- &forwarders);
- if (result == ISC_R_SUCCESS) {
- sa = ISC_LIST_HEAD(forwarders->addrs);
- fctx->fwdpolicy = forwarders->fwdpolicy;
- }
- }
-
- while (sa != NULL) {
- ai = NULL;
- result = dns_adb_findaddrinfo(fctx->adb,
- sa, &ai, 0); /* XXXMLG */
- if (result == ISC_R_SUCCESS) {
- dns_adbaddrinfo_t *cur;
- ai->flags |= FCTX_ADDRINFO_FORWARDER;
- cur = ISC_LIST_HEAD(fctx->forwaddrs);
- while (cur != NULL && cur->srtt < ai->srtt)
- cur = ISC_LIST_NEXT(cur, publink);
- if (cur != NULL)
- ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
- ai, publink);
- else
- ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
- }
- sa = ISC_LIST_NEXT(sa, link);
- }
-
- /*
- * If the forwarding policy is "only", we don't need the addresses
- * of the nameservers.
- */
- if (fctx->fwdpolicy == dns_fwdpolicy_only)
- goto out;
-
- /*
- * Normal nameservers.
- */
-
- stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
- if (fctx->restarts == 1) {
- /*
- * To avoid sending out a flood of queries likely to
- * result in NXRRSET, we suppress fetches for address
- * families we don't have the first time through,
- * provided that we have addresses in some family we
- * can use.
- *
- * We don't want to set this option all the time, since
- * if fctx->restarts > 1, we've clearly been having trouble
- * with the addresses we had, so getting more could help.
- */
- stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
- }
- if (res->dispatchv4 != NULL)
- stdoptions |= DNS_ADBFIND_INET;
- if (res->dispatchv6 != NULL)
- stdoptions |= DNS_ADBFIND_INET6;
- isc_stdtime_get(&now);
-
- restart:
- INSIST(ISC_LIST_EMPTY(fctx->finds));
- INSIST(ISC_LIST_EMPTY(fctx->altfinds));
-
- for (result = dns_rdataset_first(&fctx->nameservers);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&fctx->nameservers))
- {
- dns_rdataset_current(&fctx->nameservers, &rdata);
- /*
- * Extract the name from the NS record.
- */
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- if (result != ISC_R_SUCCESS)
- continue;
-
- findname(fctx, &ns.name, 0, stdoptions, 0, now,
- &pruned, &need_alternate);
- dns_rdata_reset(&rdata);
- dns_rdata_freestruct(&ns);
- }
- if (result != ISC_R_NOMORE)
- return (result);
-
- /*
- * Do we need to use 6 to 4?
- */
- if (need_alternate) {
- int family;
- alternate_t *a;
- family = (res->dispatchv6 != NULL) ? AF_INET6 : AF_INET;
- for (a = ISC_LIST_HEAD(fctx->res->alternates);
- a != NULL;
- a = ISC_LIST_NEXT(a, link)) {
- if (!a->isaddress) {
- findname(fctx, &a->_u._n.name, a->_u._n.port,
- stdoptions, FCTX_ADDRINFO_FORWARDER,
- now, &pruned, NULL);
- continue;
- }
- if (isc_sockaddr_pf(&a->_u.addr) != family)
- continue;
- ai = NULL;
- result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
- &ai, 0);
- if (result == ISC_R_SUCCESS) {
- dns_adbaddrinfo_t *cur;
- ai->flags |= FCTX_ADDRINFO_FORWARDER;
- cur = ISC_LIST_HEAD(fctx->altaddrs);
- while (cur != NULL && cur->srtt < ai->srtt)
- cur = ISC_LIST_NEXT(cur, publink);
- if (cur != NULL)
- ISC_LIST_INSERTBEFORE(fctx->altaddrs,
- cur, ai, publink);
- else
- ISC_LIST_APPEND(fctx->altaddrs, ai,
- publink);
- }
- }
- }
-
- out:
- /*
- * Mark all known bad servers.
- */
- all_bad = mark_bad(fctx);
-
- /*
- * How are we doing?
- */
- if (all_bad) {
- /*
- * We've got no addresses.
- */
- if (fctx->pending > 0) {
- /*
- * We're fetching the addresses, but don't have any
- * yet. Tell the caller to wait for an answer.
- */
- result = DNS_R_WAIT;
- } else if (pruned) {
- /*
- * Some addresses were removed by lame pruning.
- * Turn pruning off and try again.
- */
- FCTXTRACE("restarting with returnlame");
- INSIST((stdoptions & DNS_ADBFIND_RETURNLAME) == 0);
- stdoptions |= DNS_ADBFIND_RETURNLAME;
- pruned = ISC_FALSE;
- fctx_cleanupaltfinds(fctx);
- fctx_cleanupfinds(fctx);
- goto restart;
- } else {
- /*
- * We've lost completely. We don't know any
- * addresses, and the ADB has told us it can't get
- * them.
- */
- FCTXTRACE("no addresses");
- result = ISC_R_FAILURE;
- }
- } else {
- /*
- * We've found some addresses. We might still be looking
- * for more addresses.
- */
- sort_finds(fctx);
- result = ISC_R_SUCCESS;
- }
-
- return (result);
-}
-
-static inline void
-possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
-{
- isc_netaddr_t na;
- char buf[ISC_NETADDR_FORMATSIZE];
- isc_sockaddr_t *sa;
- isc_boolean_t aborted = ISC_FALSE;
- isc_boolean_t bogus;
- dns_acl_t *blackhole;
- isc_netaddr_t ipaddr;
- dns_peer_t *peer = NULL;
- dns_resolver_t *res;
- const char *msg = NULL;
-
- sa = &addr->sockaddr;
-
- res = fctx->res;
- isc_netaddr_fromsockaddr(&ipaddr, sa);
- blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
- (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
-
- if (blackhole != NULL) {
- int match;
-
- if (dns_acl_match(&ipaddr, NULL, blackhole,
- &res->view->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- aborted = ISC_TRUE;
- }
-
- if (peer != NULL &&
- dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
- bogus)
- aborted = ISC_TRUE;
-
- if (aborted) {
- addr->flags |= FCTX_ADDRINFO_MARK;
- msg = "ignoring blackholed / bogus server: ";
- } else if (isc_sockaddr_ismulticast(sa)) {
- addr->flags |= FCTX_ADDRINFO_MARK;
- msg = "ignoring multicast address: ";
- } else if (isc_sockaddr_isexperimental(sa)) {
- addr->flags |= FCTX_ADDRINFO_MARK;
- msg = "ignoring experimental address: ";
- } else if (sa->type.sa.sa_family != AF_INET6) {
- return;
- } else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
- addr->flags |= FCTX_ADDRINFO_MARK;
- msg = "ignoring IPv6 mapped IPV4 address: ";
- } else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
- addr->flags |= FCTX_ADDRINFO_MARK;
- msg = "ignoring IPv6 compatibility IPV4 address: ";
- } else
- return;
-
- if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
- return;
-
- isc_netaddr_fromsockaddr(&na, sa);
- isc_netaddr_format(&na, buf, sizeof(buf));
- FCTXTRACE2(msg, buf);
-}
-
-static inline dns_adbaddrinfo_t *
-fctx_nextaddress(fetchctx_t *fctx) {
- dns_adbfind_t *find, *start;
- dns_adbaddrinfo_t *addrinfo;
- dns_adbaddrinfo_t *faddrinfo;
-
- /*
- * Return the next untried address, if any.
- */
-
- /*
- * Find the first unmarked forwarder (if any).
- */
- for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (!UNMARKED(addrinfo))
- continue;
- possibly_mark(fctx, addrinfo);
- if (UNMARKED(addrinfo)) {
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- fctx->find = NULL;
- return (addrinfo);
- }
- }
-
- /*
- * No forwarders. Move to the next find.
- */
-
- fctx->attributes |= FCTX_ATTR_TRIEDFIND;
-
- find = fctx->find;
- if (find == NULL)
- find = ISC_LIST_HEAD(fctx->finds);
- else {
- find = ISC_LIST_NEXT(find, publink);
- if (find == NULL)
- find = ISC_LIST_HEAD(fctx->finds);
- }
-
- /*
- * Find the first unmarked addrinfo.
- */
- addrinfo = NULL;
- if (find != NULL) {
- start = find;
- do {
- for (addrinfo = ISC_LIST_HEAD(find->list);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (!UNMARKED(addrinfo))
- continue;
- possibly_mark(fctx, addrinfo);
- if (UNMARKED(addrinfo)) {
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- break;
- }
- }
- if (addrinfo != NULL)
- break;
- find = ISC_LIST_NEXT(find, publink);
- if (find == NULL)
- find = ISC_LIST_HEAD(fctx->finds);
- } while (find != start);
- }
-
- fctx->find = find;
- if (addrinfo != NULL)
- return (addrinfo);
-
- /*
- * No nameservers left. Try alternates.
- */
-
- fctx->attributes |= FCTX_ATTR_TRIEDALT;
-
- find = fctx->altfind;
- if (find == NULL)
- find = ISC_LIST_HEAD(fctx->altfinds);
- else {
- find = ISC_LIST_NEXT(find, publink);
- if (find == NULL)
- find = ISC_LIST_HEAD(fctx->altfinds);
- }
-
- /*
- * Find the first unmarked addrinfo.
- */
- addrinfo = NULL;
- if (find != NULL) {
- start = find;
- do {
- for (addrinfo = ISC_LIST_HEAD(find->list);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (!UNMARKED(addrinfo))
- continue;
- possibly_mark(fctx, addrinfo);
- if (UNMARKED(addrinfo)) {
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- break;
- }
- }
- if (addrinfo != NULL)
- break;
- find = ISC_LIST_NEXT(find, publink);
- if (find == NULL)
- find = ISC_LIST_HEAD(fctx->altfinds);
- } while (find != start);
- }
-
- faddrinfo = addrinfo;
-
- /*
- * See if we have a better alternate server by address.
- */
-
- for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
- addrinfo != NULL;
- addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
- if (!UNMARKED(addrinfo))
- continue;
- possibly_mark(fctx, addrinfo);
- if (UNMARKED(addrinfo) &&
- (faddrinfo == NULL ||
- addrinfo->srtt < faddrinfo->srtt)) {
- if (faddrinfo != NULL)
- faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
- addrinfo->flags |= FCTX_ADDRINFO_MARK;
- break;
- }
- }
-
- if (addrinfo == NULL) {
- addrinfo = faddrinfo;
- fctx->altfind = find;
- }
-
- return (addrinfo);
-}
-
-static void
-fctx_try(fetchctx_t *fctx) {
- isc_result_t result;
- dns_adbaddrinfo_t *addrinfo;
-
- FCTXTRACE("try");
-
- REQUIRE(!ADDRWAIT(fctx));
-
- addrinfo = fctx_nextaddress(fctx);
- if (addrinfo == NULL) {
- /*
- * We have no more addresses. Start over.
- */
- fctx_cancelqueries(fctx, ISC_TRUE);
- fctx_cleanupfinds(fctx);
- fctx_cleanupaltfinds(fctx);
- fctx_cleanupforwaddrs(fctx);
- fctx_cleanupaltaddrs(fctx);
- result = fctx_getaddresses(fctx);
- if (result == DNS_R_WAIT) {
- /*
- * Sleep waiting for addresses.
- */
- FCTXTRACE("addrwait");
- fctx->attributes |= FCTX_ATTR_ADDRWAIT;
- return;
- } else if (result != ISC_R_SUCCESS) {
- /*
- * Something bad happened.
- */
- fctx_done(fctx, result);
- return;
- }
-
- addrinfo = fctx_nextaddress(fctx);
- /*
- * While we may have addresses from the ADB, they
- * might be bad ones. In this case, return SERVFAIL.
- */
- if (addrinfo == NULL) {
- fctx_done(fctx, DNS_R_SERVFAIL);
- return;
- }
- }
-
- result = fctx_query(fctx, addrinfo, fctx->options);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
-}
-
-static isc_boolean_t
-fctx_destroy(fetchctx_t *fctx) {
- dns_resolver_t *res;
- unsigned int bucketnum;
- isc_sockaddr_t *sa, *next_sa;
-
- /*
- * Caller must be holding the bucket lock.
- */
-
- REQUIRE(VALID_FCTX(fctx));
- REQUIRE(fctx->state == fetchstate_done ||
- fctx->state == fetchstate_init);
- REQUIRE(ISC_LIST_EMPTY(fctx->events));
- REQUIRE(ISC_LIST_EMPTY(fctx->queries));
- REQUIRE(ISC_LIST_EMPTY(fctx->finds));
- REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
- REQUIRE(fctx->pending == 0);
- REQUIRE(ISC_LIST_EMPTY(fctx->validators));
- REQUIRE(fctx->references == 0);
-
- FCTXTRACE("destroy");
-
- res = fctx->res;
- bucketnum = fctx->bucketnum;
-
- ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
-
- /*
- * Free bad.
- */
- for (sa = ISC_LIST_HEAD(fctx->bad);
- sa != NULL;
- sa = next_sa) {
- next_sa = ISC_LIST_NEXT(sa, link);
- ISC_LIST_UNLINK(fctx->bad, sa, link);
- isc_mem_put(res->mctx, sa, sizeof(*sa));
- }
-
- isc_timer_detach(&fctx->timer);
- dns_message_destroy(&fctx->rmessage);
- dns_message_destroy(&fctx->qmessage);
- if (dns_name_countlabels(&fctx->domain) > 0)
- dns_name_free(&fctx->domain, res->mctx);
- if (dns_rdataset_isassociated(&fctx->nameservers))
- dns_rdataset_disassociate(&fctx->nameservers);
- dns_name_free(&fctx->name, res->mctx);
- dns_db_detach(&fctx->cache);
- dns_adb_detach(&fctx->adb);
- isc_mem_free(res->mctx, fctx->info);
- isc_mem_put(res->mctx, fctx, sizeof(*fctx));
-
- LOCK(&res->nlock);
- res->nfctx--;
- UNLOCK(&res->nlock);
-
- if (res->buckets[bucketnum].exiting &&
- ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-/*
- * Fetch event handlers.
- */
-
-static void
-fctx_timeout(isc_task_t *task, isc_event_t *event) {
- fetchctx_t *fctx = event->ev_arg;
-
- REQUIRE(VALID_FCTX(fctx));
-
- UNUSED(task);
-
- FCTXTRACE("timeout");
-
- if (event->ev_type == ISC_TIMEREVENT_LIFE) {
- fctx_done(fctx, ISC_R_TIMEDOUT);
- } else {
- isc_result_t result;
-
- fctx->timeouts++;
- /*
- * We could cancel the running queries here, or we could let
- * them keep going. Right now we choose the latter...
- */
- fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
- /*
- * Our timer has triggered. Reestablish the fctx lifetime
- * timer.
- */
- result = fctx_starttimer(fctx);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- else
- /*
- * Keep trying.
- */
- fctx_try(fctx);
- }
-
- isc_event_free(&event);
-}
-
-static void
-fctx_shutdown(fetchctx_t *fctx) {
- isc_event_t *cevent;
-
- /*
- * Start the shutdown process for fctx, if it isn't already underway.
- */
-
- FCTXTRACE("shutdown");
-
- /*
- * The caller must be holding the appropriate bucket lock.
- */
-
- if (fctx->want_shutdown)
- return;
-
- fctx->want_shutdown = ISC_TRUE;
-
- /*
- * Unless we're still initializing (in which case the
- * control event is still outstanding), we need to post
- * the control event to tell the fetch we want it to
- * exit.
- */
- if (fctx->state != fetchstate_init) {
- cevent = &fctx->control_event;
- isc_task_send(fctx->res->buckets[fctx->bucketnum].task,
- &cevent);
- }
-}
-
-static void
-fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
- fetchctx_t *fctx = event->ev_arg;
- isc_boolean_t bucket_empty = ISC_FALSE;
- dns_resolver_t *res;
- unsigned int bucketnum;
- dns_validator_t *validator;
-
- REQUIRE(VALID_FCTX(fctx));
-
- UNUSED(task);
-
- res = fctx->res;
- bucketnum = fctx->bucketnum;
-
- FCTXTRACE("doshutdown");
-
- /*
- * An fctx that is shutting down is no longer in ADDRWAIT mode.
- */
- fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-
- /*
- * Cancel all pending validators. Note that this must be done
- * without the bucket lock held, since that could cause deadlock.
- */
- validator = ISC_LIST_HEAD(fctx->validators);
- while (validator != NULL) {
- dns_validator_cancel(validator);
- validator = ISC_LIST_NEXT(validator, link);
- }
-
- if (fctx->nsfetch != NULL)
- dns_resolver_cancelfetch(fctx->nsfetch);
-
- /*
- * Shut down anything that is still running on behalf of this
- * fetch. To avoid deadlock with the ADB, we must do this
- * before we lock the bucket lock.
- */
- fctx_stopeverything(fctx, ISC_FALSE);
-
- LOCK(&res->buckets[bucketnum].lock);
-
- fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
-
- INSIST(fctx->state == fetchstate_active ||
- fctx->state == fetchstate_done);
- INSIST(fctx->want_shutdown);
-
- if (fctx->state != fetchstate_done) {
- fctx->state = fetchstate_done;
- fctx_sendevents(fctx, ISC_R_CANCELED);
- }
-
- if (fctx->references == 0 && fctx->pending == 0 &&
- ISC_LIST_EMPTY(fctx->validators))
- bucket_empty = fctx_destroy(fctx);
-
- UNLOCK(&res->buckets[bucketnum].lock);
-
- if (bucket_empty)
- empty_bucket(res);
-}
-
-static void
-fctx_start(isc_task_t *task, isc_event_t *event) {
- fetchctx_t *fctx = event->ev_arg;
- isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE;
- dns_resolver_t *res;
- unsigned int bucketnum;
-
- REQUIRE(VALID_FCTX(fctx));
-
- UNUSED(task);
-
- res = fctx->res;
- bucketnum = fctx->bucketnum;
-
- FCTXTRACE("start");
-
- LOCK(&res->buckets[bucketnum].lock);
-
- INSIST(fctx->state == fetchstate_init);
- if (fctx->want_shutdown) {
- /*
- * We haven't started this fctx yet, and we've been requested
- * to shut it down.
- */
- fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
- fctx->state = fetchstate_done;
- fctx_sendevents(fctx, ISC_R_CANCELED);
- /*
- * Since we haven't started, we INSIST that we have no
- * pending ADB finds and no pending validations.
- */
- INSIST(fctx->pending == 0);
- INSIST(ISC_LIST_EMPTY(fctx->validators));
- if (fctx->references == 0) {
- /*
- * It's now safe to destroy this fctx.
- */
- bucket_empty = fctx_destroy(fctx);
- }
- done = ISC_TRUE;
- } else {
- /*
- * Normal fctx startup.
- */
- fctx->state = fetchstate_active;
- /*
- * Reset the control event for later use in shutting down
- * the fctx.
- */
- ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
- DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
- NULL, NULL, NULL);
- }
-
- UNLOCK(&res->buckets[bucketnum].lock);
-
- if (!done) {
- isc_result_t result;
-
- /*
- * All is well. Start working on the fetch.
- */
- result = fctx_starttimer(fctx);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- else
- fctx_try(fctx);
- } else if (bucket_empty)
- empty_bucket(res);
-}
-
-/*
- * Fetch Creation, Joining, and Cancelation.
- */
-
-static inline isc_result_t
-fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
- void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
- dns_fetch_t *fetch)
-{
- isc_task_t *clone;
- dns_fetchevent_t *event;
-
- FCTXTRACE("join");
-
- /*
- * We store the task we're going to send this event to in the
- * sender field. We'll make the fetch the sender when we actually
- * send the event.
- */
- clone = NULL;
- isc_task_attach(task, &clone);
- event = (dns_fetchevent_t *)
- isc_event_allocate(fctx->res->mctx, clone,
- DNS_EVENT_FETCHDONE,
- action, arg, sizeof(*event));
- if (event == NULL) {
- isc_task_detach(&clone);
- return (ISC_R_NOMEMORY);
- }
- event->result = DNS_R_SERVFAIL;
- event->qtype = fctx->type;
- event->db = NULL;
- event->node = NULL;
- event->rdataset = rdataset;
- event->sigrdataset = sigrdataset;
- event->fetch = fetch;
- dns_fixedname_init(&event->foundname);
-
- /*
- * Make sure that we can store the sigrdataset in the
- * first event if it is needed by any of the events.
- */
- if (event->sigrdataset != NULL)
- ISC_LIST_PREPEND(fctx->events, event, ev_link);
- else
- ISC_LIST_APPEND(fctx->events, event, ev_link);
- fctx->references++;
-
- fetch->magic = DNS_FETCH_MAGIC;
- fetch->private = fctx;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
- dns_name_t *domain, dns_rdataset_t *nameservers,
- unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
-{
- fetchctx_t *fctx;
- isc_result_t result;
- isc_result_t iresult;
- isc_interval_t interval;
- dns_fixedname_t fixed;
- unsigned int findoptions = 0;
- char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- dns_name_t suffix;
-
- /*
- * Caller must be holding the lock for bucket number 'bucketnum'.
- */
- REQUIRE(fctxp != NULL && *fctxp == NULL);
-
- fctx = isc_mem_get(res->mctx, sizeof(*fctx));
- if (fctx == NULL)
- return (ISC_R_NOMEMORY);
- dns_name_format(name, buf, sizeof(buf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
- strcat(buf, "/"); /* checked */
- strcat(buf, typebuf); /* checked */
- fctx->info = isc_mem_strdup(res->mctx, buf);
- if (fctx->info == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_fetch;
- }
- FCTXTRACE("create");
- dns_name_init(&fctx->name, NULL);
- result = dns_name_dup(name, res->mctx, &fctx->name);
- if (result != ISC_R_SUCCESS)
- goto cleanup_info;
- dns_name_init(&fctx->domain, NULL);
- dns_rdataset_init(&fctx->nameservers);
-
- fctx->type = type;
- fctx->options = options;
- /*
- * Note! We do not attach to the task. We are relying on the
- * resolver to ensure that this task doesn't go away while we are
- * using it.
- */
- fctx->res = res;
- fctx->references = 0;
- fctx->bucketnum = bucketnum;
- fctx->state = fetchstate_init;
- fctx->want_shutdown = ISC_FALSE;
- fctx->cloned = ISC_FALSE;
- ISC_LIST_INIT(fctx->queries);
- ISC_LIST_INIT(fctx->finds);
- ISC_LIST_INIT(fctx->altfinds);
- ISC_LIST_INIT(fctx->forwaddrs);
- ISC_LIST_INIT(fctx->altaddrs);
- ISC_LIST_INIT(fctx->forwarders);
- fctx->fwdpolicy = dns_fwdpolicy_none;
- ISC_LIST_INIT(fctx->bad);
- ISC_LIST_INIT(fctx->validators);
- fctx->find = NULL;
- fctx->altfind = NULL;
- fctx->pending = 0;
- fctx->restarts = 0;
- fctx->timeouts = 0;
- fctx->attributes = 0;
-
- dns_name_init(&fctx->nsname, NULL);
- fctx->nsfetch = NULL;
- dns_rdataset_init(&fctx->nsrrset);
-
- if (domain == NULL) {
- dns_forwarders_t *forwarders = NULL;
- unsigned int labels;
-
- /*
- * DS records are found in the parent server.
- * Strip label to get the correct forwarder (if any).
- */
- if (fctx->type == dns_rdatatype_ds &&
- dns_name_countlabels(name) > 1) {
- dns_name_init(&suffix, NULL);
- labels = dns_name_countlabels(name);
- dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
- name = &suffix;
- }
- dns_fixedname_init(&fixed);
- domain = dns_fixedname_name(&fixed);
- result = dns_fwdtable_find2(fctx->res->view->fwdtable, name,
- domain, &forwarders);
- if (result == ISC_R_SUCCESS)
- fctx->fwdpolicy = forwarders->fwdpolicy;
-
- if (fctx->fwdpolicy != dns_fwdpolicy_only) {
- /*
- * The caller didn't supply a query domain and
- * nameservers, and we're not in forward-only mode,
- * so find the best nameservers to use.
- */
- if (dns_rdatatype_atparent(type))
- findoptions |= DNS_DBFIND_NOEXACT;
- result = dns_view_findzonecut(res->view, name, domain,
- 0, findoptions, ISC_TRUE,
- &fctx->nameservers,
- NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup_name;
- result = dns_name_dup(domain, res->mctx, &fctx->domain);
- if (result != ISC_R_SUCCESS) {
- dns_rdataset_disassociate(&fctx->nameservers);
- goto cleanup_name;
- }
- } else {
- /*
- * We're in forward-only mode. Set the query domain.
- */
- result = dns_name_dup(domain, res->mctx, &fctx->domain);
- if (result != ISC_R_SUCCESS)
- goto cleanup_name;
- }
- } else {
- result = dns_name_dup(domain, res->mctx, &fctx->domain);
- if (result != ISC_R_SUCCESS)
- goto cleanup_name;
- dns_rdataset_clone(nameservers, &fctx->nameservers);
- }
-
- INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
-
- fctx->qmessage = NULL;
- result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTRENDER,
- &fctx->qmessage);
-
- if (result != ISC_R_SUCCESS)
- goto cleanup_domain;
-
- fctx->rmessage = NULL;
- result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTPARSE,
- &fctx->rmessage);
-
- if (result != ISC_R_SUCCESS)
- goto cleanup_qmessage;
-
- /*
- * Compute an expiration time for the entire fetch.
- */
- isc_interval_set(&interval, 30, 0); /* XXXRTH constant */
- iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
- if (iresult != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_time_nowplusinterval: %s",
- isc_result_totext(iresult));
- result = ISC_R_UNEXPECTED;
- goto cleanup_rmessage;
- }
-
- /*
- * Default retry interval initialization. We set the interval now
- * mostly so it won't be uninitialized. It will be set to the
- * correct value before a query is issued.
- */
- isc_interval_set(&fctx->interval, 2, 0);
-
- /*
- * Create an inactive timer. It will be made active when the fetch
- * is actually started.
- */
- fctx->timer = NULL;
- iresult = isc_timer_create(res->timermgr, isc_timertype_inactive,
- NULL, NULL,
- res->buckets[bucketnum].task, fctx_timeout,
- fctx, &fctx->timer);
- if (iresult != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_timer_create: %s",
- isc_result_totext(iresult));
- result = ISC_R_UNEXPECTED;
- goto cleanup_rmessage;
- }
-
- /*
- * Attach to the view's cache and adb.
- */
- fctx->cache = NULL;
- dns_db_attach(res->view->cachedb, &fctx->cache);
- fctx->adb = NULL;
- dns_adb_attach(res->view->adb, &fctx->adb);
-
- ISC_LIST_INIT(fctx->events);
- ISC_LINK_INIT(fctx, link);
- fctx->magic = FCTX_MAGIC;
-
- ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
-
- LOCK(&res->nlock);
- res->nfctx++;
- UNLOCK(&res->nlock);
-
- *fctxp = fctx;
-
- return (ISC_R_SUCCESS);
-
- cleanup_rmessage:
- dns_message_destroy(&fctx->rmessage);
-
- cleanup_qmessage:
- dns_message_destroy(&fctx->qmessage);
-
- cleanup_domain:
- if (dns_name_countlabels(&fctx->domain) > 0)
- dns_name_free(&fctx->domain, res->mctx);
- if (dns_rdataset_isassociated(&fctx->nameservers))
- dns_rdataset_disassociate(&fctx->nameservers);
-
- cleanup_name:
- dns_name_free(&fctx->name, res->mctx);
-
- cleanup_info:
- isc_mem_free(res->mctx, fctx->info);
-
- cleanup_fetch:
- isc_mem_put(res->mctx, fctx, sizeof(*fctx));
-
- return (result);
-}
-
-/*
- * Handle Responses
- */
-static inline isc_boolean_t
-is_lame(fetchctx_t *fctx) {
- dns_message_t *message = fctx->rmessage;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
- isc_result_t result;
-
- if (message->rcode != dns_rcode_noerror &&
- message->rcode != dns_rcode_nxdomain)
- return (ISC_FALSE);
-
- if (message->counts[DNS_SECTION_ANSWER] != 0)
- return (ISC_FALSE);
-
- if (message->counts[DNS_SECTION_AUTHORITY] == 0)
- return (ISC_FALSE);
-
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- dns_namereln_t namereln;
- int order;
- unsigned int labels;
- if (rdataset->type != dns_rdatatype_ns)
- continue;
- namereln = dns_name_fullcompare(name, &fctx->domain,
- &order, &labels);
- if (namereln == dns_namereln_equal &&
- (message->flags & DNS_MESSAGEFLAG_AA) != 0)
- return (ISC_FALSE);
- if (namereln == dns_namereln_subdomain)
- return (ISC_FALSE);
- return (ISC_TRUE);
- }
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
- }
-
- return (ISC_FALSE);
-}
-
-static inline void
-log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char domainbuf[DNS_NAME_FORMATSIZE];
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
- dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
- dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
- isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
- "lame server resolving '%s' (in '%s'?): %s",
- namebuf, domainbuf, addrbuf);
-}
-
-static inline isc_result_t
-same_question(fetchctx_t *fctx) {
- isc_result_t result;
- dns_message_t *message = fctx->rmessage;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
-
- /*
- * Caller must be holding the fctx lock.
- */
-
- /*
- * XXXRTH Currently we support only one question.
- */
- if (message->counts[DNS_SECTION_QUESTION] != 1)
- return (DNS_R_FORMERR);
-
- result = dns_message_firstname(message, DNS_SECTION_QUESTION);
- if (result != ISC_R_SUCCESS)
- return (result);
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
- rdataset = ISC_LIST_HEAD(name->list);
- INSIST(rdataset != NULL);
- INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
- if (fctx->type != rdataset->type ||
- fctx->res->rdclass != rdataset->rdclass ||
- !dns_name_equal(&fctx->name, name))
- return (DNS_R_FORMERR);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-clone_results(fetchctx_t *fctx) {
- dns_fetchevent_t *event, *hevent;
- isc_result_t result;
- dns_name_t *name, *hname;
-
- FCTXTRACE("clone_results");
-
- /*
- * Set up any other events to have the same data as the first
- * event.
- *
- * Caller must be holding the appropriate lock.
- */
-
- fctx->cloned = ISC_TRUE;
- hevent = ISC_LIST_HEAD(fctx->events);
- if (hevent == NULL)
- return;
- hname = dns_fixedname_name(&hevent->foundname);
- for (event = ISC_LIST_NEXT(hevent, ev_link);
- event != NULL;
- event = ISC_LIST_NEXT(event, ev_link)) {
- name = dns_fixedname_name(&event->foundname);
- result = dns_name_copy(hname, name, NULL);
- if (result != ISC_R_SUCCESS)
- event->result = result;
- else
- event->result = hevent->result;
- dns_db_attach(hevent->db, &event->db);
- dns_db_attachnode(hevent->db, hevent->node, &event->node);
- INSIST(hevent->rdataset != NULL);
- INSIST(event->rdataset != NULL);
- if (dns_rdataset_isassociated(hevent->rdataset))
- dns_rdataset_clone(hevent->rdataset, event->rdataset);
- INSIST(! (hevent->sigrdataset == NULL &&
- event->sigrdataset != NULL));
- if (hevent->sigrdataset != NULL &&
- dns_rdataset_isassociated(hevent->sigrdataset) &&
- event->sigrdataset != NULL)
- dns_rdataset_clone(hevent->sigrdataset,
- event->sigrdataset);
- }
-}
-
-#define CACHE(r) (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
-#define ANSWER(r) (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
-#define ANSWERSIG(r) (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
-#define EXTERNAL(r) (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
-#define CHAINING(r) (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
-#define CHASE(r) (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
-#define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
-
-
-/*
- * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
- * no references and is no longer waiting for any events). If this
- * was the last fctx in the resolver, destroy the resolver.
- *
- * Requires:
- * '*fctx' is shutting down.
- */
-static void
-maybe_destroy(fetchctx_t *fctx) {
- unsigned int bucketnum;
- isc_boolean_t bucket_empty = ISC_FALSE;
- dns_resolver_t *res = fctx->res;
-
- REQUIRE(SHUTTINGDOWN(fctx));
-
- if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
- return;
-
- bucketnum = fctx->bucketnum;
- LOCK(&res->buckets[bucketnum].lock);
- if (fctx->references == 0)
- bucket_empty = fctx_destroy(fctx);
- UNLOCK(&res->buckets[bucketnum].lock);
-
- if (bucket_empty)
- empty_bucket(res);
-}
-
-/*
- * The validator has finished.
- */
-static void
-validated(isc_task_t *task, isc_event_t *event) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_result_t eresult = ISC_R_SUCCESS;
- isc_stdtime_t now;
- fetchctx_t *fctx;
- dns_validatorevent_t *vevent;
- dns_fetchevent_t *hevent;
- dns_rdataset_t *ardataset = NULL;
- dns_rdataset_t *asigrdataset = NULL;
- dns_dbnode_t *node = NULL;
- isc_boolean_t negative;
- isc_boolean_t chaining;
- isc_boolean_t sentresponse;
- isc_uint32_t ttl;
- dns_dbnode_t *nsnode = NULL;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
- dns_rdataset_t *sigrdataset;
- dns_valarg_t *valarg;
- dns_adbaddrinfo_t *addrinfo;
-
- UNUSED(task); /* for now */
-
- REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
- valarg = event->ev_arg;
- fctx = valarg->fctx;
- addrinfo = valarg->addrinfo;
- REQUIRE(VALID_FCTX(fctx));
- REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
-
- vevent = (dns_validatorevent_t *)event;
-
- FCTXTRACE("received validation completion event");
-
- ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
-
- /*
- * Destroy the validator early so that we can
- * destroy the fctx if necessary.
- */
- dns_validator_destroy(&vevent->validator);
- isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg));
-
- negative = ISC_TF(vevent->rdataset == NULL);
-
- sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
-
- /*
- * If shutting down, ignore the results. Check to see if we're
- * done waiting for validator completions and ADB pending events; if
- * so, destroy the fctx.
- */
- if (SHUTTINGDOWN(fctx) && !sentresponse) {
- maybe_destroy(fctx);
- goto cleanup_event;
- }
-
- /*
- * If chaining, we need to make sure that the right result code is
- * returned, and that the rdatasets are bound.
- */
- if (vevent->result == ISC_R_SUCCESS &&
- !negative &&
- vevent->rdataset != NULL &&
- CHAINING(vevent->rdataset))
- {
- if (vevent->rdataset->type == dns_rdatatype_cname)
- eresult = DNS_R_CNAME;
- else {
- INSIST(vevent->rdataset->type == dns_rdatatype_dname);
- eresult = DNS_R_DNAME;
- }
- chaining = ISC_TRUE;
- } else
- chaining = ISC_FALSE;
-
- /*
- * Either we're not shutting down, or we are shutting down but want
- * to cache the result anyway (if this was a validation started by
- * a query with cd set)
- */
-
- hevent = ISC_LIST_HEAD(fctx->events);
- if (hevent != NULL) {
- if (!negative && !chaining &&
- (fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig)) {
- /*
- * Don't bind rdatasets; the caller
- * will iterate the node.
- */
- } else {
- ardataset = hevent->rdataset;
- asigrdataset = hevent->sigrdataset;
- }
- }
-
- if (vevent->result != ISC_R_SUCCESS) {
- FCTXTRACE("validation failed");
- result = ISC_R_NOTFOUND;
- if (vevent->rdataset != NULL)
- result = dns_db_findnode(fctx->cache, vevent->name,
- ISC_TRUE, &node);
- if (result == ISC_R_SUCCESS)
- (void)dns_db_deleterdataset(fctx->cache, node, NULL,
- vevent->type, 0);
- if (result == ISC_R_SUCCESS && vevent->sigrdataset != NULL)
- (void)dns_db_deleterdataset(fctx->cache, node, NULL,
- dns_rdatatype_rrsig,
- vevent->type);
- if (result == ISC_R_SUCCESS)
- dns_db_detachnode(fctx->cache, &node);
- result = vevent->result;
- add_bad(fctx, &addrinfo->sockaddr, result);
- isc_event_free(&event);
- if (sentresponse)
- fctx_done(fctx, result);
- else
- fctx_try(fctx);
- return;
- }
-
- isc_stdtime_get(&now);
-
- if (negative) {
- dns_rdatatype_t covers;
- FCTXTRACE("nonexistence validation OK");
-
- if (fctx->rmessage->rcode == dns_rcode_nxdomain)
- covers = dns_rdatatype_any;
- else
- covers = fctx->type;
-
- result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE,
- &node);
- if (result != ISC_R_SUCCESS)
- goto noanswer_response;
-
- /*
- * If we are asking for a SOA record set the cache time
- * to zero to facilitate locating the containing zone of
- * a arbitary zone.
- */
- ttl = fctx->res->view->maxncachettl;
- if (fctx->type == dns_rdatatype_soa &&
- covers == dns_rdatatype_any)
- ttl = 0;
-
- result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
- covers, now, ttl,
- ardataset, &eresult);
- if (result != ISC_R_SUCCESS)
- goto noanswer_response;
- goto answer_response;
- }
-
- FCTXTRACE("validation OK");
-
- if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
-
- result = dns_rdataset_addnoqname(vevent->rdataset,
- vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- vevent->sigrdataset->ttl = vevent->rdataset->ttl;
- }
-
- /*
- * The data was already cached as pending data.
- * Re-cache it as secure and bind the cached
- * rdatasets to the first event on the fetch
- * event list.
- */
- result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto noanswer_response;
-
- result = dns_db_addrdataset(fctx->cache, node, NULL, now,
- vevent->rdataset, 0, ardataset);
- if (result != ISC_R_SUCCESS &&
- result != DNS_R_UNCHANGED)
- goto noanswer_response;
- if (vevent->sigrdataset != NULL) {
- result = dns_db_addrdataset(fctx->cache, node, NULL, now,
- vevent->sigrdataset, 0,
- asigrdataset);
- if (result != ISC_R_SUCCESS &&
- result != DNS_R_UNCHANGED)
- goto noanswer_response;
- }
-
- if (sentresponse) {
- /*
- * If we only deferred the destroy because we wanted to cache
- * the data, destroy now.
- */
- if (SHUTTINGDOWN(fctx))
- maybe_destroy(fctx);
-
- goto cleanup_event;
- }
-
- if (!ISC_LIST_EMPTY(fctx->validators)) {
- INSIST(!negative);
- INSIST(fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig);
- /*
- * Don't send a response yet - we have
- * more rdatasets that still need to
- * be validated.
- */
- goto cleanup_event;
- }
-
- answer_response:
- /*
- * Cache any NS/NSEC records that happened to be validated.
- */
- result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
- &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if ((rdataset->type != dns_rdatatype_ns &&
- rdataset->type != dns_rdatatype_nsec) ||
- rdataset->trust != dns_trust_secure)
- continue;
- for (sigrdataset = ISC_LIST_HEAD(name->list);
- sigrdataset != NULL;
- sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
- if (sigrdataset->type != dns_rdatatype_rrsig ||
- sigrdataset->covers != rdataset->type)
- continue;
- break;
- }
- if (sigrdataset == NULL ||
- sigrdataset->trust != dns_trust_secure)
- continue;
- result = dns_db_findnode(fctx->cache, name, ISC_TRUE,
- &nsnode);
- if (result != ISC_R_SUCCESS)
- continue;
-
- result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
- now, rdataset, 0, NULL);
- if (result == ISC_R_SUCCESS)
- result = dns_db_addrdataset(fctx->cache, nsnode,
- NULL, now,
- sigrdataset, 0,
- NULL);
- dns_db_detachnode(fctx->cache, &nsnode);
- }
- result = dns_message_nextname(fctx->rmessage,
- DNS_SECTION_AUTHORITY);
- }
-
- result = ISC_R_SUCCESS;
-
- /*
- * Respond with an answer, positive or negative,
- * as opposed to an error. 'node' must be non-NULL.
- */
-
- fctx->attributes |= FCTX_ATTR_HAVEANSWER;
-
- if (hevent != NULL) {
- hevent->result = eresult;
- RUNTIME_CHECK(dns_name_copy(vevent->name,
- dns_fixedname_name(&hevent->foundname), NULL)
- == ISC_R_SUCCESS);
- dns_db_attach(fctx->cache, &hevent->db);
- hevent->node = node;
- node = NULL;
- clone_results(fctx);
- }
-
- noanswer_response:
- if (node != NULL)
- dns_db_detachnode(fctx->cache, &node);
-
- fctx_done(fctx, result);
-
- cleanup_event:
- isc_event_free(&event);
-}
-
-static inline isc_result_t
-cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
- isc_stdtime_t now) {
- dns_rdataset_t *rdataset, *sigrdataset;
- dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
- dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
- dns_dbnode_t *node, **anodep;
- dns_db_t **adbp;
- dns_name_t *aname;
- dns_resolver_t *res;
- isc_boolean_t need_validation, secure_domain, have_answer;
- isc_result_t result, eresult;
- dns_fetchevent_t *event;
- unsigned int options;
- isc_task_t *task;
- isc_boolean_t fail;
- unsigned int valoptions = 0;
-
- /*
- * The appropriate bucket lock must be held.
- */
-
- res = fctx->res;
- need_validation = ISC_FALSE;
- secure_domain = ISC_FALSE;
- have_answer = ISC_FALSE;
- eresult = ISC_R_SUCCESS;
- task = res->buckets[fctx->bucketnum].task;
-
- /*
- * Is DNSSEC validation required for this name?
- */
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (!secure_domain && res->view->dlv != NULL) {
- valoptions = DNS_VALIDATOR_DLV;
- secure_domain = ISC_TRUE;
- }
-
- if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
- need_validation = ISC_FALSE;
- else
- need_validation = secure_domain;
-
- adbp = NULL;
- aname = NULL;
- anodep = NULL;
- ardataset = NULL;
- asigrdataset = NULL;
- event = NULL;
- if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 &&
- !need_validation) {
- have_answer = ISC_TRUE;
- event = ISC_LIST_HEAD(fctx->events);
- if (event != NULL) {
- adbp = &event->db;
- aname = dns_fixedname_name(&event->foundname);
- result = dns_name_copy(name, aname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- anodep = &event->node;
- /*
- * If this is an ANY or SIG query, we're not going
- * to return any rdatasets, unless we encountered
- * a CNAME or DNAME as "the answer". In this case,
- * we're going to return DNS_R_CNAME or DNS_R_DNAME
- * and we must set up the rdatasets.
- */
- if ((fctx->type != dns_rdatatype_any &&
- fctx->type != dns_rdatatype_rrsig) ||
- (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
- ardataset = event->rdataset;
- asigrdataset = event->sigrdataset;
- }
- }
- }
-
- /*
- * Find or create the cache node.
- */
- node = NULL;
- result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Cache or validate each cacheable rdataset.
- */
- fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (!CACHE(rdataset))
- continue;
- if (CHECKNAMES(rdataset)) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- char classbuf[DNS_RDATATYPE_FORMATSIZE];
-
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(rdataset->type, typebuf,
- sizeof(typebuf));
- dns_rdataclass_format(rdataset->rdclass, classbuf,
- sizeof(classbuf));
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
- "check-names %s %s/%s/%s",
- fail ? "failure" : "warning",
- namebuf, typebuf, classbuf);
- if (fail) {
- if (ANSWER(rdataset))
- return (DNS_R_BADNAME);
- continue;
- }
- }
-
- /*
- * Enforce the configure maximum cache TTL.
- */
- if (rdataset->ttl > res->view->maxcachettl)
- rdataset->ttl = res->view->maxcachettl;
-
- /*
- * If this rrset is in a secure domain, do DNSSEC validation
- * for it, unless it is glue.
- */
- if (secure_domain && rdataset->trust != dns_trust_glue) {
- /*
- * SIGs are validated as part of validating the
- * type they cover.
- */
- if (rdataset->type == dns_rdatatype_rrsig)
- continue;
- /*
- * Find the SIG for this rdataset, if we have it.
- */
- for (sigrdataset = ISC_LIST_HEAD(name->list);
- sigrdataset != NULL;
- sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
- if (sigrdataset->type == dns_rdatatype_rrsig &&
- sigrdataset->covers == rdataset->type)
- break;
- }
- if (sigrdataset == NULL) {
- if (!ANSWER(rdataset) && need_validation) {
- /*
- * Ignore non-answer rdatasets that
- * are missing signatures.
- */
- continue;
- }
- }
-
- /*
- * Normalize the rdataset and sigrdataset TTLs.
- */
- if (sigrdataset != NULL) {
- rdataset->ttl = ISC_MIN(rdataset->ttl,
- sigrdataset->ttl);
- sigrdataset->ttl = rdataset->ttl;
- }
-
- /*
- * Cache this rdataset/sigrdataset pair as
- * pending data.
- */
- rdataset->trust = dns_trust_pending;
- if (sigrdataset != NULL)
- sigrdataset->trust = dns_trust_pending;
- if (!need_validation)
- addedrdataset = ardataset;
- else
- addedrdataset = NULL;
- result = dns_db_addrdataset(fctx->cache, node, NULL,
- now, rdataset, 0,
- addedrdataset);
- if (result == DNS_R_UNCHANGED)
- result = ISC_R_SUCCESS;
- if (result != ISC_R_SUCCESS)
- break;
- if (sigrdataset != NULL) {
- if (!need_validation)
- addedrdataset = asigrdataset;
- else
- addedrdataset = NULL;
- result = dns_db_addrdataset(fctx->cache,
- node, NULL, now,
- sigrdataset, 0,
- addedrdataset);
- if (result == DNS_R_UNCHANGED)
- result = ISC_R_SUCCESS;
- if (result != ISC_R_SUCCESS)
- break;
- } else if (!ANSWER(rdataset))
- continue;
-
- if (ANSWER(rdataset) && need_validation) {
- if (fctx->type != dns_rdatatype_any &&
- fctx->type != dns_rdatatype_rrsig) {
- /*
- * This is The Answer. We will
- * validate it, but first we cache
- * the rest of the response - it may
- * contain useful keys.
- */
- INSIST(valrdataset == NULL &&
- valsigrdataset == NULL);
- valrdataset = rdataset;
- valsigrdataset = sigrdataset;
- } else {
- /*
- * This is one of (potentially)
- * multiple answers to an ANY
- * or SIG query. To keep things
- * simple, we just start the
- * validator right away rather
- * than caching first and
- * having to remember which
- * rdatasets needed validation.
- */
- result = valcreate(fctx, addrinfo,
- name, rdataset->type,
- rdataset,
- sigrdataset,
- valoptions, task);
- }
- } else if (CHAINING(rdataset)) {
- if (rdataset->type == dns_rdatatype_cname)
- eresult = DNS_R_CNAME;
- else {
- INSIST(rdataset->type ==
- dns_rdatatype_dname);
- eresult = DNS_R_DNAME;
- }
- }
- } else if (!EXTERNAL(rdataset)) {
- /*
- * It's OK to cache this rdataset now.
- */
- if (ANSWER(rdataset))
- addedrdataset = ardataset;
- else if (ANSWERSIG(rdataset))
- addedrdataset = asigrdataset;
- else
- addedrdataset = NULL;
- if (CHAINING(rdataset)) {
- if (rdataset->type == dns_rdatatype_cname)
- eresult = DNS_R_CNAME;
- else {
- INSIST(rdataset->type ==
- dns_rdatatype_dname);
- eresult = DNS_R_DNAME;
- }
- }
- if (rdataset->trust == dns_trust_glue &&
- (rdataset->type == dns_rdatatype_ns ||
- (rdataset->type == dns_rdatatype_rrsig &&
- rdataset->covers == dns_rdatatype_ns))) {
- /*
- * If the trust level is 'dns_trust_glue'
- * then we are adding data from a referral
- * we got while executing the search algorithm.
- * New referral data always takes precedence
- * over the existing cache contents.
- */
- options = DNS_DBADD_FORCE;
- } else
- options = 0;
- /*
- * Now we can add the rdataset.
- */
- result = dns_db_addrdataset(fctx->cache,
- node, NULL, now,
- rdataset,
- options,
- addedrdataset);
- if (result == DNS_R_UNCHANGED) {
- if (ANSWER(rdataset) &&
- ardataset != NULL &&
- ardataset->type == 0) {
- /*
- * The answer in the cache is better
- * than the answer we found, and is
- * a negative cache entry, so we
- * must set eresult appropriately.
- */
- if (NXDOMAIN(ardataset))
- eresult =
- DNS_R_NCACHENXDOMAIN;
- else
- eresult =
- DNS_R_NCACHENXRRSET;
- }
- result = ISC_R_SUCCESS;
- } else if (result != ISC_R_SUCCESS)
- break;
- }
- }
-
- if (valrdataset != NULL)
- result = valcreate(fctx, addrinfo, name, fctx->type,
- valrdataset, valsigrdataset, valoptions,
- task);
-
- if (result == ISC_R_SUCCESS && have_answer) {
- fctx->attributes |= FCTX_ATTR_HAVEANSWER;
- if (event != NULL) {
- event->result = eresult;
- dns_db_attach(fctx->cache, adbp);
- *anodep = node;
- node = NULL;
- clone_results(fctx);
- }
- }
-
- if (node != NULL)
- dns_db_detachnode(fctx->cache, &node);
-
- return (result);
-}
-
-static inline isc_result_t
-cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
-{
- isc_result_t result;
- dns_section_t section;
- dns_name_t *name;
-
- FCTXTRACE("cache_message");
-
- fctx->attributes &= ~FCTX_ATTR_WANTCACHE;
-
- LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-
- for (section = DNS_SECTION_ANSWER;
- section <= DNS_SECTION_ADDITIONAL;
- section++) {
- result = dns_message_firstname(fctx->rmessage, section);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(fctx->rmessage, section,
- &name);
- if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
- result = cache_name(fctx, name, addrinfo, now);
- if (result != ISC_R_SUCCESS)
- break;
- }
- result = dns_message_nextname(fctx->rmessage, section);
- }
- if (result != ISC_R_NOMORE)
- break;
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
-
- return (result);
-}
-
-/*
- * Do what dns_ncache_add() does, and then compute an appropriate eresult.
- */
-static isc_result_t
-ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
- dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
- dns_rdataset_t *ardataset,
- isc_result_t *eresultp)
-{
- isc_result_t result;
- result = dns_ncache_add(message, cache, node, covers, now,
- maxttl, ardataset);
- if (result == DNS_R_UNCHANGED) {
- /*
- * The data in the cache are better than the negative cache
- * entry we're trying to add.
- */
- if (ardataset != NULL && ardataset->type == 0) {
- /*
- * The cache data is also a negative cache
- * entry.
- */
- if (NXDOMAIN(ardataset))
- *eresultp = DNS_R_NCACHENXDOMAIN;
- else
- *eresultp = DNS_R_NCACHENXRRSET;
- result = ISC_R_SUCCESS;
- } else {
- /*
- * Either we don't care about the nature of the
- * cache rdataset (because no fetch is interested
- * in the outcome), or the cache rdataset is not
- * a negative cache entry. Whichever case it is,
- * we can return success.
- *
- * XXXRTH There's a CNAME/DNAME problem here.
- */
- *eresultp = ISC_R_SUCCESS;
- result = ISC_R_SUCCESS;
- }
- } else if (result == ISC_R_SUCCESS) {
- if (NXDOMAIN(ardataset))
- *eresultp = DNS_R_NCACHENXDOMAIN;
- else
- *eresultp = DNS_R_NCACHENXRRSET;
- }
-
- return (result);
-}
-
-static inline isc_result_t
-ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
- dns_rdatatype_t covers, isc_stdtime_t now)
-{
- isc_result_t result, eresult;
- dns_name_t *name;
- dns_resolver_t *res;
- dns_db_t **adbp;
- dns_dbnode_t *node, **anodep;
- dns_rdataset_t *ardataset;
- isc_boolean_t need_validation, secure_domain;
- dns_name_t *aname;
- dns_fetchevent_t *event;
- isc_uint32_t ttl;
- unsigned int valoptions = 0;
-
- FCTXTRACE("ncache_message");
-
- fctx->attributes &= ~FCTX_ATTR_WANTNCACHE;
-
- res = fctx->res;
- need_validation = ISC_FALSE;
- secure_domain = ISC_FALSE;
- eresult = ISC_R_SUCCESS;
- name = &fctx->name;
- node = NULL;
-
- /*
- * XXXMPA remove when we follow cnames and adjust the setting
- * of FCTX_ATTR_WANTNCACHE in noanswer_response().
- */
- INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
-
- /*
- * Is DNSSEC validation required for this name?
- */
- result = dns_keytable_issecuredomain(res->view->secroots, name,
- &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (!secure_domain && res->view->dlv != NULL) {
- valoptions = DNS_VALIDATOR_DLV;
- secure_domain = ISC_TRUE;
- }
-
- if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
- need_validation = ISC_FALSE;
- else
- need_validation = secure_domain;
-
- if (secure_domain) {
- /*
- * Mark all rdatasets as pending.
- */
- dns_rdataset_t *trdataset;
- dns_name_t *tname;
-
- result = dns_message_firstname(fctx->rmessage,
- DNS_SECTION_AUTHORITY);
- while (result == ISC_R_SUCCESS) {
- tname = NULL;
- dns_message_currentname(fctx->rmessage,
- DNS_SECTION_AUTHORITY,
- &tname);
- for (trdataset = ISC_LIST_HEAD(tname->list);
- trdataset != NULL;
- trdataset = ISC_LIST_NEXT(trdataset, link))
- trdataset->trust = dns_trust_pending;
- result = dns_message_nextname(fctx->rmessage,
- DNS_SECTION_AUTHORITY);
- }
- if (result != ISC_R_NOMORE)
- return (result);
-
- }
-
- if (need_validation) {
- /*
- * Do negative response validation.
- */
- result = valcreate(fctx, addrinfo, name, fctx->type,
- NULL, NULL, valoptions,
- res->buckets[fctx->bucketnum].task);
- /*
- * If validation is necessary, return now. Otherwise continue
- * to process the message, letting the validation complete
- * in its own good time.
- */
- return (result);
- }
-
- LOCK(&res->buckets[fctx->bucketnum].lock);
-
- adbp = NULL;
- aname = NULL;
- anodep = NULL;
- ardataset = NULL;
- if (!HAVE_ANSWER(fctx)) {
- event = ISC_LIST_HEAD(fctx->events);
- if (event != NULL) {
- adbp = &event->db;
- aname = dns_fixedname_name(&event->foundname);
- result = dns_name_copy(name, aname, NULL);
- if (result != ISC_R_SUCCESS)
- goto unlock;
- anodep = &event->node;
- ardataset = event->rdataset;
- }
- } else
- event = NULL;
-
- result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto unlock;
-
- /*
- * If we are asking for a SOA record set the cache time
- * to zero to facilitate locating the containing zone of
- * a arbitary zone.
- */
- ttl = fctx->res->view->maxncachettl;
- if (fctx->type == dns_rdatatype_soa &&
- covers == dns_rdatatype_any)
- ttl = 0;
-
- result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
- covers, now, ttl, ardataset, &eresult);
- if (result != ISC_R_SUCCESS)
- goto unlock;
-
- if (!HAVE_ANSWER(fctx)) {
- fctx->attributes |= FCTX_ATTR_HAVEANSWER;
- if (event != NULL) {
- event->result = eresult;
- dns_db_attach(fctx->cache, adbp);
- *anodep = node;
- node = NULL;
- clone_results(fctx);
- }
- }
-
- unlock:
- UNLOCK(&res->buckets[fctx->bucketnum].lock);
-
- if (node != NULL)
- dns_db_detachnode(fctx->cache, &node);
-
- return (result);
-}
-
-static inline void
-mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
- isc_boolean_t external, isc_boolean_t gluing)
-{
- name->attributes |= DNS_NAMEATTR_CACHE;
- if (gluing) {
- rdataset->trust = dns_trust_glue;
- /*
- * Glue with 0 TTL causes problems. We force the TTL to
- * 1 second to prevent this.
- */
- if (rdataset->ttl == 0)
- rdataset->ttl = 1;
- } else
- rdataset->trust = dns_trust_additional;
- /*
- * Avoid infinite loops by only marking new rdatasets.
- */
- if (!CACHE(rdataset)) {
- name->attributes |= DNS_NAMEATTR_CHASE;
- rdataset->attributes |= DNS_RDATASETATTR_CHASE;
- }
- rdataset->attributes |= DNS_RDATASETATTR_CACHE;
- if (external)
- rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
-}
-
-static isc_result_t
-check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
- fetchctx_t *fctx = arg;
- isc_result_t result;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
- isc_boolean_t external;
- dns_rdatatype_t rtype;
- isc_boolean_t gluing;
-
- REQUIRE(VALID_FCTX(fctx));
-
- if (GLUING(fctx))
- gluing = ISC_TRUE;
- else
- gluing = ISC_FALSE;
- name = NULL;
- rdataset = NULL;
- result = dns_message_findname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
- addname, dns_rdatatype_any, 0, &name,
- NULL);
- if (result == ISC_R_SUCCESS) {
- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
- if (type == dns_rdatatype_a) {
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (rdataset->type == dns_rdatatype_rrsig)
- rtype = rdataset->covers;
- else
- rtype = rdataset->type;
- if (rtype == dns_rdatatype_a ||
- rtype == dns_rdatatype_aaaa)
- mark_related(name, rdataset, external,
- gluing);
- }
- } else {
- result = dns_message_findtype(name, type, 0,
- &rdataset);
- if (result == ISC_R_SUCCESS) {
- mark_related(name, rdataset, external, gluing);
- /*
- * Do we have its SIG too?
- */
- rdataset = NULL;
- result = dns_message_findtype(name,
- dns_rdatatype_rrsig,
- type, &rdataset);
- if (result == ISC_R_SUCCESS)
- mark_related(name, rdataset, external,
- gluing);
- }
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-chase_additional(fetchctx_t *fctx) {
- isc_boolean_t rescan;
- dns_section_t section = DNS_SECTION_ADDITIONAL;
- isc_result_t result;
-
- again:
- rescan = ISC_FALSE;
-
- for (result = dns_message_firstname(fctx->rmessage, section);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(fctx->rmessage, section)) {
- dns_name_t *name = NULL;
- dns_rdataset_t *rdataset;
- dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
- &name);
- if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
- continue;
- name->attributes &= ~DNS_NAMEATTR_CHASE;
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (CHASE(rdataset)) {
- rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
- (void)dns_rdataset_additionaldata(rdataset,
- check_related,
- fctx);
- rescan = ISC_TRUE;
- }
- }
- }
- if (rescan)
- goto again;
-}
-
-static inline isc_result_t
-cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_cname_t cname;
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &cname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_name_init(tname, NULL);
- dns_name_clone(&cname.cname, tname);
- dns_rdata_freestruct(&cname);
-
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
- dns_fixedname_t *fixeddname)
-{
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- unsigned int nlabels;
- int order;
- dns_namereln_t namereln;
- dns_rdata_dname_t dname;
- dns_fixedname_t prefix;
-
- /*
- * Get the target name of the DNAME.
- */
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Get the prefix of qname.
- */
- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
- if (namereln != dns_namereln_subdomain) {
- dns_rdata_freestruct(&dname);
- return (DNS_R_FORMERR);
- }
- dns_fixedname_init(&prefix);
- dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
- dns_fixedname_init(fixeddname);
- result = dns_name_concatenate(dns_fixedname_name(&prefix),
- &dname.dname,
- dns_fixedname_name(fixeddname), NULL);
- dns_rdata_freestruct(&dname);
- return (result);
-}
-
-/*
- * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
- * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
- * response to an NS query that should be treated as a referral
- * even though the NS records occur in the answer section
- * rather than the authority section.
- */
-static isc_result_t
-noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
- isc_boolean_t bind8_ns_resp)
-{
- isc_result_t result;
- dns_message_t *message;
- dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
- dns_rdataset_t *rdataset, *ns_rdataset;
- isc_boolean_t done, aa, negative_response;
- dns_rdatatype_t type;
- dns_section_t section =
- bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
-
- FCTXTRACE("noanswer_response");
-
- message = fctx->rmessage;
-
- /*
- * Setup qname.
- */
- if (oqname == NULL) {
- /*
- * We have a normal, non-chained negative response or
- * referral.
- */
- if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
- aa = ISC_TRUE;
- else
- aa = ISC_FALSE;
- qname = &fctx->name;
- } else {
- /*
- * We're being invoked by answer_response() after it has
- * followed a CNAME/DNAME chain.
- */
- qname = oqname;
- aa = ISC_FALSE;
- /*
- * If the current qname is not a subdomain of the query
- * domain, there's no point in looking at the authority
- * section without doing DNSSEC validation.
- *
- * Until we do that validation, we'll just return success
- * in this case.
- */
- if (!dns_name_issubdomain(qname, &fctx->domain))
- return (ISC_R_SUCCESS);
- }
-
- /*
- * We have to figure out if this is a negative response, or a
- * referral.
- */
-
- /*
- * Sometimes we can tell if its a negative response by looking at
- * the message header.
- */
- negative_response = ISC_FALSE;
- if (message->rcode == dns_rcode_nxdomain ||
- (message->counts[DNS_SECTION_ANSWER] == 0 &&
- message->counts[DNS_SECTION_AUTHORITY] == 0))
- negative_response = ISC_TRUE;
-
- /*
- * Process the authority section.
- */
- done = ISC_FALSE;
- ns_name = NULL;
- ns_rdataset = NULL;
- soa_name = NULL;
- ds_name = NULL;
- result = dns_message_firstname(message, section);
- while (!done && result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, section, &name);
- if (dns_name_issubdomain(name, &fctx->domain)) {
- /*
- * Look for NS/SOA RRsets first.
- */
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- type = rdataset->type;
- if (type == dns_rdatatype_rrsig)
- type = rdataset->covers;
- if (((type == dns_rdatatype_ns ||
- type == dns_rdatatype_soa) &&
- !dns_name_issubdomain(qname, name)))
- return (DNS_R_FORMERR);
- if (type == dns_rdatatype_ns) {
- /*
- * NS or RRSIG NS.
- *
- * Only one set of NS RRs is allowed.
- */
- if (rdataset->type ==
- dns_rdatatype_ns) {
- if (ns_name != NULL &&
- name != ns_name)
- return (DNS_R_FORMERR);
- ns_name = name;
- ns_rdataset = rdataset;
- }
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- rdataset->trust = dns_trust_glue;
- }
- if (type == dns_rdatatype_soa) {
- /*
- * SOA, or RRSIG SOA.
- *
- * Only one SOA is allowed.
- */
- if (rdataset->type ==
- dns_rdatatype_soa) {
- if (soa_name != NULL &&
- name != soa_name)
- return (DNS_R_FORMERR);
- soa_name = name;
- }
- name->attributes |=
- DNS_NAMEATTR_NCACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_NCACHE;
- if (aa)
- rdataset->trust =
- dns_trust_authauthority;
- else
- rdataset->trust =
- dns_trust_additional;
- }
- }
- /*
- * A negative response has a SOA record (Type 2)
- * and a optional NS RRset (Type 1) or it has neither
- * a SOA or a NS RRset (Type 3, handled above) or
- * rcode is NXDOMAIN (handled above) in which case
- * the NS RRset is allowed (Type 4).
- */
- if (soa_name != NULL)
- negative_response = ISC_TRUE;
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- type = rdataset->type;
- if (type == dns_rdatatype_rrsig)
- type = rdataset->covers;
- if (type == dns_rdatatype_nsec) {
- /*
- * NSEC or RRSIG NSEC.
- */
- if (negative_response) {
- name->attributes |=
- DNS_NAMEATTR_NCACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_NCACHE;
- } else {
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- }
- if (aa)
- rdataset->trust =
- dns_trust_authauthority;
- else
- rdataset->trust =
- dns_trust_additional;
- /*
- * No additional data needs to be
- * marked.
- */
- } else if (type == dns_rdatatype_ds) {
- /*
- * DS or SIG DS.
- *
- * These should only be here if
- * this is a referral, and there
- * should only be one DS.
- */
- if (ns_name == NULL)
- return (DNS_R_FORMERR);
- if (rdataset->type ==
- dns_rdatatype_ds) {
- if (ds_name != NULL &&
- name != ds_name)
- return (DNS_R_FORMERR);
- ds_name = name;
- }
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- if (aa)
- rdataset->trust =
- dns_trust_authauthority;
- else
- rdataset->trust =
- dns_trust_additional;
- }
- }
- }
- result = dns_message_nextname(message, section);
- if (result == ISC_R_NOMORE)
- break;
- else if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- /*
- * Trigger lookups for DNS nameservers.
- */
- if (negative_response && message->rcode == dns_rcode_noerror &&
- fctx->type == dns_rdatatype_ds && soa_name != NULL &&
- dns_name_equal(soa_name, qname) &&
- !dns_name_equal(qname, dns_rootname))
- return (DNS_R_CHASEDSSERVERS);
-
- /*
- * Did we find anything?
- */
- if (!negative_response && ns_name == NULL) {
- /*
- * Nope.
- */
- if (oqname != NULL) {
- /*
- * We've already got a partial CNAME/DNAME chain,
- * and haven't found else anything useful here, but
- * no error has occurred since we have an answer.
- */
- return (ISC_R_SUCCESS);
- } else {
- /*
- * The responder is insane.
- */
- return (DNS_R_FORMERR);
- }
- }
-
- /*
- * If we found both NS and SOA, they should be the same name.
- */
- if (ns_name != NULL && soa_name != NULL && ns_name != soa_name)
- return (DNS_R_FORMERR);
-
- /*
- * Do we have a referral? (We only want to follow a referral if
- * we're not following a chain.)
- */
- if (!negative_response && ns_name != NULL && oqname == NULL) {
- /*
- * We already know ns_name is a subdomain of fctx->domain.
- * If ns_name is equal to fctx->domain, we're not making
- * progress. We return DNS_R_FORMERR so that we'll keep
- * trying other servers.
- */
- if (dns_name_equal(ns_name, &fctx->domain))
- return (DNS_R_FORMERR);
-
- /*
- * If the referral name is not a parent of the query
- * name, consider the responder insane.
- */
- if (! dns_name_issubdomain(&fctx->name, ns_name)) {
- FCTXTRACE("referral to non-parent");
- return (DNS_R_FORMERR);
- }
-
- /*
- * Mark any additional data related to this rdataset.
- * It's important that we do this before we change the
- * query domain.
- */
- INSIST(ns_rdataset != NULL);
- fctx->attributes |= FCTX_ATTR_GLUING;
- (void)dns_rdataset_additionaldata(ns_rdataset, check_related,
- fctx);
- fctx->attributes &= ~FCTX_ATTR_GLUING;
- /*
- * NS rdatasets with 0 TTL cause problems.
- * dns_view_findzonecut() will not find them when we
- * try to follow the referral, and we'll SERVFAIL
- * because the best nameservers are now above QDOMAIN.
- * We force the TTL to 1 second to prevent this.
- */
- if (ns_rdataset->ttl == 0)
- ns_rdataset->ttl = 1;
- /*
- * Set the current query domain to the referral name.
- *
- * XXXRTH We should check if we're in forward-only mode, and
- * if so we should bail out.
- */
- INSIST(dns_name_countlabels(&fctx->domain) > 0);
- dns_name_free(&fctx->domain, fctx->res->mctx);
- if (dns_rdataset_isassociated(&fctx->nameservers))
- dns_rdataset_disassociate(&fctx->nameservers);
- dns_name_init(&fctx->domain, NULL);
- result = dns_name_dup(ns_name, fctx->res->mctx, &fctx->domain);
- if (result != ISC_R_SUCCESS)
- return (result);
- fctx->attributes |= FCTX_ATTR_WANTCACHE;
- return (DNS_R_DELEGATION);
- }
-
- /*
- * Since we're not doing a referral, we don't want to cache any
- * NS RRs we may have found.
- */
- if (ns_name != NULL)
- ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
-
- if (negative_response && oqname == NULL)
- fctx->attributes |= FCTX_ATTR_WANTNCACHE;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-answer_response(fetchctx_t *fctx) {
- isc_result_t result;
- dns_message_t *message;
- dns_name_t *name, *qname, tname;
- dns_rdataset_t *rdataset;
- isc_boolean_t done, external, chaining, aa, found, want_chaining;
- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
- unsigned int aflag;
- dns_rdatatype_t type;
- dns_fixedname_t dname, fqname;
-
- FCTXTRACE("answer_response");
-
- message = fctx->rmessage;
-
- /*
- * Examine the answer section, marking those rdatasets which are
- * part of the answer and should be cached.
- */
-
- done = ISC_FALSE;
- found_cname = ISC_FALSE;
- found_type = ISC_FALSE;
- chaining = ISC_FALSE;
- have_answer = ISC_FALSE;
- want_chaining = ISC_FALSE;
- if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
- aa = ISC_TRUE;
- else
- aa = ISC_FALSE;
- qname = &fctx->name;
- type = fctx->type;
- result = dns_message_firstname(message, DNS_SECTION_ANSWER);
- while (!done && result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
- if (dns_name_equal(name, qname)) {
- wanted_chaining = ISC_FALSE;
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- found = ISC_FALSE;
- want_chaining = ISC_FALSE;
- aflag = 0;
- if (rdataset->type == type && !found_cname) {
- /*
- * We've found an ordinary answer.
- */
- found = ISC_TRUE;
- found_type = ISC_TRUE;
- done = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWER;
- } else if (type == dns_rdatatype_any) {
- /*
- * We've found an answer matching
- * an ANY query. There may be
- * more.
- */
- found = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWER;
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers == type
- && !found_cname) {
- /*
- * We've found a signature that
- * covers the type we're looking for.
- */
- found = ISC_TRUE;
- found_type = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWERSIG;
- } else if (rdataset->type ==
- dns_rdatatype_cname
- && !found_type) {
- /*
- * We're looking for something else,
- * but we found a CNAME.
- *
- * Getting a CNAME response for some
- * query types is an error.
- */
- if (type == dns_rdatatype_rrsig ||
- type == dns_rdatatype_dnskey ||
- type == dns_rdatatype_nsec)
- return (DNS_R_FORMERR);
- found = ISC_TRUE;
- found_cname = ISC_TRUE;
- want_chaining = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWER;
- result = cname_target(rdataset,
- &tname);
- if (result != ISC_R_SUCCESS)
- return (result);
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_cname
- && !found_type) {
- /*
- * We're looking for something else,
- * but we found a SIG CNAME.
- */
- found = ISC_TRUE;
- found_cname = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWERSIG;
- }
-
- if (found) {
- /*
- * We've found an answer to our
- * question.
- */
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- rdataset->trust = dns_trust_answer;
- if (!chaining) {
- /*
- * This data is "the" answer
- * to our question only if
- * we're not chaining (i.e.
- * if we haven't followed
- * a CNAME or DNAME).
- */
- INSIST(!external);
- if (aflag ==
- DNS_RDATASETATTR_ANSWER)
- have_answer = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_ANSWER;
- rdataset->attributes |= aflag;
- if (aa)
- rdataset->trust =
- dns_trust_authanswer;
- } else if (external) {
- /*
- * This data is outside of
- * our query domain, and
- * may only be cached if it
- * comes from a secure zone
- * and validates.
- */
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
- }
-
- /*
- * Mark any additional data related
- * to this rdataset.
- */
- (void)dns_rdataset_additionaldata(
- rdataset,
- check_related,
- fctx);
-
- /*
- * CNAME chaining.
- */
- if (want_chaining) {
- wanted_chaining = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_CHAINING;
- rdataset->attributes |=
- DNS_RDATASETATTR_CHAINING;
- qname = &tname;
- }
- }
- /*
- * We could add an "else" clause here and
- * log that we're ignoring this rdataset.
- */
- }
- /*
- * If wanted_chaining is true, we've done
- * some chaining as the result of processing
- * this node, and thus we need to set
- * chaining to true.
- *
- * We don't set chaining inside of the
- * rdataset loop because doing that would
- * cause us to ignore the signatures of
- * CNAMEs.
- */
- if (wanted_chaining)
- chaining = ISC_TRUE;
- } else {
- /*
- * Look for a DNAME (or its SIG). Anything else is
- * ignored.
- */
- wanted_chaining = ISC_FALSE;
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- isc_boolean_t found_dname = ISC_FALSE;
- found = ISC_FALSE;
- aflag = 0;
- if (rdataset->type == dns_rdatatype_dname) {
- /*
- * We're looking for something else,
- * but we found a DNAME.
- *
- * If we're not chaining, then the
- * DNAME should not be external.
- */
- if (!chaining && external)
- return (DNS_R_FORMERR);
- found = ISC_TRUE;
- want_chaining = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWER;
- result = dname_target(rdataset,
- qname, name,
- &dname);
- if (result == ISC_R_NOSPACE) {
- /*
- * We can't construct the
- * DNAME target. Do not
- * try to continue.
- */
- want_chaining = ISC_FALSE;
- } else if (result != ISC_R_SUCCESS)
- return (result);
- else
- found_dname = ISC_TRUE;
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_dname) {
- /*
- * We've found a signature that
- * covers the DNAME.
- */
- found = ISC_TRUE;
- aflag = DNS_RDATASETATTR_ANSWERSIG;
- }
-
- if (found) {
- /*
- * We've found an answer to our
- * question.
- */
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- rdataset->trust = dns_trust_answer;
- if (!chaining) {
- /*
- * This data is "the" answer
- * to our question only if
- * we're not chaining.
- */
- INSIST(!external);
- if (aflag ==
- DNS_RDATASETATTR_ANSWER)
- have_answer = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_ANSWER;
- rdataset->attributes |= aflag;
- if (aa)
- rdataset->trust =
- dns_trust_authanswer;
- } else if (external) {
- rdataset->attributes |=
- DNS_RDATASETATTR_EXTERNAL;
- }
-
- /*
- * DNAME chaining.
- */
- if (found_dname) {
- /*
- * Copy the the dname into the
- * qname fixed name.
- *
- * Although we check for
- * failure of the copy
- * operation, in practice it
- * should never fail since
- * we already know that the
- * result fits in a fixedname.
- */
- dns_fixedname_init(&fqname);
- result = dns_name_copy(
- dns_fixedname_name(&dname),
- dns_fixedname_name(&fqname),
- NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- wanted_chaining = ISC_TRUE;
- name->attributes |=
- DNS_NAMEATTR_CHAINING;
- rdataset->attributes |=
- DNS_RDATASETATTR_CHAINING;
- qname = dns_fixedname_name(
- &fqname);
- }
- }
- }
- if (wanted_chaining)
- chaining = ISC_TRUE;
- }
- result = dns_message_nextname(message, DNS_SECTION_ANSWER);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * We should have found an answer.
- */
- if (!have_answer)
- return (DNS_R_FORMERR);
-
- /*
- * This response is now potentially cacheable.
- */
- fctx->attributes |= FCTX_ATTR_WANTCACHE;
-
- /*
- * Did chaining end before we got the final answer?
- */
- if (chaining) {
- /*
- * Yes. This may be a negative reply, so hand off
- * authority section processing to the noanswer code.
- * If it isn't a noanswer response, no harm will be
- * done.
- */
- return (noanswer_response(fctx, qname, ISC_FALSE));
- }
-
- /*
- * We didn't end with an incomplete chain, so the rcode should be
- * "no error".
- */
- if (message->rcode != dns_rcode_noerror)
- return (DNS_R_FORMERR);
-
- /*
- * Examine the authority section (if there is one).
- *
- * We expect there to be only one owner name for all the rdatasets
- * in this section, and we expect that it is not external.
- */
- done = ISC_FALSE;
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- while (!done && result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
- if (!external) {
- /*
- * We expect to find NS or SIG NS rdatasets, and
- * nothing else.
- */
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- if (rdataset->type == dns_rdatatype_ns ||
- (rdataset->type == dns_rdatatype_rrsig &&
- rdataset->covers == dns_rdatatype_ns)) {
- name->attributes |=
- DNS_NAMEATTR_CACHE;
- rdataset->attributes |=
- DNS_RDATASETATTR_CACHE;
- if (aa && !chaining)
- rdataset->trust =
- dns_trust_authauthority;
- else
- rdataset->trust =
- dns_trust_additional;
-
- /*
- * Mark any additional data related
- * to this rdataset.
- */
- (void)dns_rdataset_additionaldata(
- rdataset,
- check_related,
- fctx);
- done = ISC_TRUE;
- }
- }
- }
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- return (result);
-}
-
-static void
-resume_dslookup(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *fevent;
- dns_resolver_t *res;
- fetchctx_t *fctx;
- isc_result_t result;
- isc_boolean_t bucket_empty = ISC_FALSE;
- isc_boolean_t locked = ISC_FALSE;
- unsigned int bucketnum;
- dns_rdataset_t nameservers;
- dns_fixedname_t fixed;
- dns_name_t *domain;
-
- REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
- fevent = (dns_fetchevent_t *)event;
- fctx = event->ev_arg;
- REQUIRE(VALID_FCTX(fctx));
- res = fctx->res;
-
- UNUSED(task);
- FCTXTRACE("resume_dslookup");
-
- if (fevent->node != NULL)
- dns_db_detachnode(fevent->db, &fevent->node);
- if (fevent->db != NULL)
- dns_db_detach(&fevent->db);
-
- dns_rdataset_init(&nameservers);
-
- bucketnum = fctx->bucketnum;
- if (fevent->result == ISC_R_CANCELED) {
- dns_resolver_destroyfetch(&fctx->nsfetch);
- fctx_done(fctx, ISC_R_CANCELED);
- } else if (fevent->result == ISC_R_SUCCESS) {
-
- FCTXTRACE("resuming DS lookup");
-
- dns_resolver_destroyfetch(&fctx->nsfetch);
- if (dns_rdataset_isassociated(&fctx->nameservers))
- dns_rdataset_disassociate(&fctx->nameservers);
- dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
- dns_name_free(&fctx->domain, fctx->res->mctx);
- dns_name_init(&fctx->domain, NULL);
- result = dns_name_dup(&fctx->nsname, fctx->res->mctx,
- &fctx->domain);
- if (result != ISC_R_SUCCESS) {
- fctx_done(fctx, DNS_R_SERVFAIL);
- goto cleanup;
- }
- /*
- * Try again.
- */
- fctx_try(fctx);
- } else {
- unsigned int n;
-
- /*
- * Retrieve state from fctx->nsfetch before we destroy it.
- */
- dns_fixedname_init(&fixed);
- domain = dns_fixedname_name(&fixed);
- dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
- dns_rdataset_clone(&fctx->nsfetch->private->nameservers,
- &nameservers);
- dns_resolver_destroyfetch(&fctx->nsfetch);
- if (dns_name_equal(&fctx->nsname, domain)) {
- fctx_done(fctx, DNS_R_SERVFAIL);
- goto cleanup;
- }
- n = dns_name_countlabels(&fctx->nsname);
- dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
- &fctx->nsname);
-
- if (dns_rdataset_isassociated(fevent->rdataset))
- dns_rdataset_disassociate(fevent->rdataset);
- FCTXTRACE("continuing to look for parent's NS records");
- result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
- dns_rdatatype_ns, domain,
- &nameservers, NULL, 0, task,
- resume_dslookup, fctx,
- &fctx->nsrrset, NULL,
- &fctx->nsfetch);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- else {
- LOCK(&res->buckets[bucketnum].lock);
- locked = ISC_TRUE;
- fctx->references++;
- }
- }
-
- cleanup:
- if (dns_rdataset_isassociated(&nameservers))
- dns_rdataset_disassociate(&nameservers);
- if (dns_rdataset_isassociated(fevent->rdataset))
- dns_rdataset_disassociate(fevent->rdataset);
- INSIST(fevent->sigrdataset == NULL);
- isc_event_free(&event);
- if (!locked)
- LOCK(&res->buckets[bucketnum].lock);
- fctx->references--;
- if (fctx->references == 0)
- bucket_empty = fctx_destroy(fctx);
- UNLOCK(&res->buckets[bucketnum].lock);
- if (bucket_empty)
- empty_bucket(res);
-}
-
-static inline void
-checknamessection(dns_message_t *message, dns_section_t section) {
- isc_result_t result;
- dns_name_t *name;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t *rdataset;
-
- for (result = dns_message_firstname(message, section);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(message, section))
- {
- name = NULL;
- dns_message_currentname(message, section, &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdataset_current(rdataset, &rdata);
- if (!dns_rdata_checkowner(name, rdata.rdclass,
- rdata.type,
- ISC_FALSE) ||
- !dns_rdata_checknames(&rdata, name, NULL))
- {
- rdataset->attributes |=
- DNS_RDATASETATTR_CHECKNAMES;
- }
- dns_rdata_reset(&rdata);
- }
- }
- }
-}
-
-static void
-checknames(dns_message_t *message) {
-
- checknamessection(message, DNS_SECTION_ANSWER);
- checknamessection(message, DNS_SECTION_AUTHORITY);
- checknamessection(message, DNS_SECTION_ADDITIONAL);
-}
-
-static void
-log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
- isc_buffer_t buffer;
- char *buf = NULL;
- int len = 1024;
- isc_result_t result;
-
- if (! isc_log_wouldlog(dns_lctx, level))
- return;
-
- /*
- * Note that these are multiline debug messages. We want a newline
- * to appear in the log after each message.
- */
-
- do {
- buf = isc_mem_get(mctx, len);
- if (buf == NULL)
- break;
- isc_buffer_init(&buffer, buf, len);
- result = dns_message_totext(message, &dns_master_style_debug,
- 0, &buffer);
- if (result == ISC_R_NOSPACE) {
- isc_mem_put(mctx, buf, len);
- len += 1024;
- } else if (result == ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, level,
- "received packet:\n%.*s",
- (int)isc_buffer_usedlength(&buffer),
- buf);
- } while (result == ISC_R_NOSPACE);
-
- if (buf != NULL)
- isc_mem_put(mctx, buf, len);
-}
-
-static void
-resquery_response(isc_task_t *task, isc_event_t *event) {
- isc_result_t result = ISC_R_SUCCESS;
- resquery_t *query = event->ev_arg;
- dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
- isc_boolean_t keep_trying, get_nameservers, resend;
- isc_boolean_t truncated;
- dns_message_t *message;
- fetchctx_t *fctx;
- dns_name_t *fname;
- dns_fixedname_t foundname;
- isc_stdtime_t now;
- isc_time_t tnow, *finish;
- dns_adbaddrinfo_t *addrinfo;
- unsigned int options;
- unsigned int findoptions;
- isc_result_t broken_server;
-
- REQUIRE(VALID_QUERY(query));
- fctx = query->fctx;
- options = query->options;
- REQUIRE(VALID_FCTX(fctx));
- REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
-
- QTRACE("response");
-
- (void)isc_timer_touch(fctx->timer);
-
- keep_trying = ISC_FALSE;
- broken_server = ISC_R_SUCCESS;
- get_nameservers = ISC_FALSE;
- resend = ISC_FALSE;
- truncated = ISC_FALSE;
- finish = NULL;
-
- if (fctx->res->exiting) {
- result = ISC_R_SHUTTINGDOWN;
- goto done;
- }
-
- fctx->timeouts = 0;
-
- /*
- * XXXRTH We should really get the current time just once. We
- * need a routine to convert from an isc_time_t to an
- * isc_stdtime_t.
- */
- TIME_NOW(&tnow);
- finish = &tnow;
- isc_stdtime_get(&now);
-
- /*
- * Did the dispatcher have a problem?
- */
- if (devent->result != ISC_R_SUCCESS) {
- if (devent->result == ISC_R_EOF &&
- (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
- /*
- * The problem might be that they
- * don't understand EDNS0. Turn it
- * off and try again.
- */
- options |= DNS_FETCHOPT_NOEDNS0;
- resend = ISC_TRUE;
- /*
- * Remember that they don't like EDNS0.
- */
- dns_adb_changeflags(fctx->adb,
- query->addrinfo,
- DNS_FETCHOPT_NOEDNS0,
- DNS_FETCHOPT_NOEDNS0);
- } else {
- /*
- * There's no hope for this query.
- */
- keep_trying = ISC_TRUE;
- }
- goto done;
- }
-
- message = fctx->rmessage;
-
- if (query->tsig != NULL) {
- result = dns_message_setquerytsig(message, query->tsig);
- if (result != ISC_R_SUCCESS)
- goto done;
- }
-
- if (query->tsigkey) {
- result = dns_message_settsigkey(message, query->tsigkey);
- if (result != ISC_R_SUCCESS)
- goto done;
- }
-
- result = dns_message_parse(message, &devent->buffer, 0);
- if (result != ISC_R_SUCCESS) {
- switch (result) {
- case ISC_R_UNEXPECTEDEND:
- if (!message->question_ok ||
- (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
- (options & DNS_FETCHOPT_TCP) != 0) {
- /*
- * Either the message ended prematurely,
- * and/or wasn't marked as being truncated,
- * and/or this is a response to a query we
- * sent over TCP. In all of these cases,
- * something is wrong with the remote
- * server and we don't want to retry using
- * TCP.
- */
- if ((query->options & DNS_FETCHOPT_NOEDNS0)
- == 0) {
- /*
- * The problem might be that they
- * don't understand EDNS0. Turn it
- * off and try again.
- */
- options |= DNS_FETCHOPT_NOEDNS0;
- resend = ISC_TRUE;
- /*
- * Remember that they don't like EDNS0.
- */
- dns_adb_changeflags(
- fctx->adb,
- query->addrinfo,
- DNS_FETCHOPT_NOEDNS0,
- DNS_FETCHOPT_NOEDNS0);
- } else {
- broken_server = result;
- keep_trying = ISC_TRUE;
- }
- goto done;
- }
- /*
- * We defer retrying via TCP for a bit so we can
- * check out this message further.
- */
- truncated = ISC_TRUE;
- break;
- case DNS_R_FORMERR:
- if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
- /*
- * The problem might be that they
- * don't understand EDNS0. Turn it
- * off and try again.
- */
- options |= DNS_FETCHOPT_NOEDNS0;
- resend = ISC_TRUE;
- /*
- * Remember that they don't like EDNS0.
- */
- dns_adb_changeflags(fctx->adb,
- query->addrinfo,
- DNS_FETCHOPT_NOEDNS0,
- DNS_FETCHOPT_NOEDNS0);
- } else {
- broken_server = DNS_R_UNEXPECTEDRCODE;
- keep_trying = ISC_TRUE;
- }
- goto done;
- default:
- /*
- * Something bad has happened.
- */
- goto done;
- }
- }
-
- /*
- * Log the incoming packet.
- */
- log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
-
- /*
- * If the message is signed, check the signature. If not, this
- * returns success anyway.
- */
- result = dns_message_checksig(message, fctx->res->view);
- if (result != ISC_R_SUCCESS)
- goto done;
-
- /*
- * The dispatcher should ensure we only get responses with QR set.
- */
- INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
- /*
- * INSIST() that the message comes from the place we sent it to,
- * since the dispatch code should ensure this.
- *
- * INSIST() that the message id is correct (this should also be
- * ensured by the dispatch code).
- */
-
-
- /*
- * Deal with truncated responses by retrying using TCP.
- */
- if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
- truncated = ISC_TRUE;
-
- if (truncated) {
- if ((options & DNS_FETCHOPT_TCP) != 0) {
- broken_server = DNS_R_TRUNCATEDTCP;
- keep_trying = ISC_TRUE;
- } else {
- options |= DNS_FETCHOPT_TCP;
- resend = ISC_TRUE;
- }
- goto done;
- }
-
- /*
- * Is it a query response?
- */
- if (message->opcode != dns_opcode_query) {
- /* XXXRTH Log */
- broken_server = DNS_R_UNEXPECTEDOPCODE;
- keep_trying = ISC_TRUE;
- goto done;
- }
-
- /*
- * Is the remote server broken, or does it dislike us?
- */
- if (message->rcode != dns_rcode_noerror &&
- message->rcode != dns_rcode_nxdomain) {
- if ((message->rcode == dns_rcode_formerr ||
- message->rcode == dns_rcode_notimp ||
- message->rcode == dns_rcode_servfail) &&
- (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
- /*
- * It's very likely they don't like EDNS0.
- *
- * XXXRTH We should check if the question
- * we're asking requires EDNS0, and
- * if so, we should bail out.
- */
- options |= DNS_FETCHOPT_NOEDNS0;
- resend = ISC_TRUE;
- /*
- * Remember that they don't like EDNS0.
- */
- if (message->rcode != dns_rcode_servfail)
- dns_adb_changeflags(fctx->adb, query->addrinfo,
- DNS_FETCHOPT_NOEDNS0,
- DNS_FETCHOPT_NOEDNS0);
- } else if (message->rcode == dns_rcode_formerr) {
- if (ISFORWARDER(query->addrinfo)) {
- /*
- * This forwarder doesn't understand us,
- * but other forwarders might. Keep trying.
- */
- broken_server = DNS_R_REMOTEFORMERR;
- keep_trying = ISC_TRUE;
- } else {
- /*
- * The server doesn't understand us. Since
- * all servers for a zone need similar
- * capabilities, we assume that we will get
- * FORMERR from all servers, and thus we
- * cannot make any more progress with this
- * fetch.
- */
- result = DNS_R_FORMERR;
- }
- } else if (message->rcode == dns_rcode_yxdomain) {
- /*
- * DNAME mapping failed because the new name
- * was too long. There's no chance of success
- * for this fetch.
- */
- result = DNS_R_YXDOMAIN;
- } else {
- /*
- * XXXRTH log.
- */
- broken_server = DNS_R_UNEXPECTEDRCODE;
- INSIST(broken_server != ISC_R_SUCCESS);
- keep_trying = ISC_TRUE;
- }
- goto done;
- }
-
- /*
- * Is the question the same as the one we asked?
- */
- result = same_question(fctx);
- if (result != ISC_R_SUCCESS) {
- /* XXXRTH Log */
- if (result == DNS_R_FORMERR)
- keep_trying = ISC_TRUE;
- goto done;
- }
-
- /*
- * Is the server lame?
- */
- if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
- is_lame(fctx)) {
- log_lame(fctx, query->addrinfo);
- result = dns_adb_marklame(fctx->adb, query->addrinfo,
- &fctx->domain,
- now + fctx->res->lame_ttl);
- if (result != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
- "could not mark server as lame: %s",
- isc_result_totext(result));
- broken_server = DNS_R_LAME;
- keep_trying = ISC_TRUE;
- goto done;
- }
-
- /*
- * Enforce delegations only zones like NET and COM.
- */
- if (!ISFORWARDER(query->addrinfo) &&
- dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
- !dns_name_equal(&fctx->domain, &fctx->name) &&
- fix_mustbedelegationornxdomain(message, fctx)) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char domainbuf[DNS_NAME_FORMATSIZE];
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- char classbuf[64];
- char typebuf[64];
-
- dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
- dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
- dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
- dns_rdataclass_format(fctx->res->rdclass, classbuf,
- sizeof(classbuf));
- isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
- sizeof(addrbuf));
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
- DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
- "enforced delegation-only for '%s' (%s/%s/%s) "
- "from %s",
- domainbuf, namebuf, typebuf, classbuf, addrbuf);
- }
-
- if ((fctx->res->options & DNS_RESOLVER_CHECKNAMES) != 0)
- checknames(message);
-
- /*
- * Clear cache bits.
- */
- fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE);
-
- /*
- * Did we get any answers?
- */
- if (message->counts[DNS_SECTION_ANSWER] > 0 &&
- (message->rcode == dns_rcode_noerror ||
- message->rcode == dns_rcode_nxdomain)) {
- /*
- * We've got answers. However, if we sent
- * a BIND 8 server an NS query, it may have
- * incorrectly responded with a non-authoritative
- * answer instead of a referral. Since this
- * answer lacks the SIGs necessary to do DNSSEC
- * validation, we must invoke the following special
- * kludge to treat it as a referral.
- */
- if (fctx->type == dns_rdatatype_ns &&
- (message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
- !ISFORWARDER(query->addrinfo))
- {
- result = noanswer_response(fctx, NULL, ISC_TRUE);
- if (result != DNS_R_DELEGATION) {
- /*
- * The answer section must have contained
- * something other than the NS records
- * we asked for. Since AA is not set
- * and the server is not a forwarder,
- * it is technically lame and it's easier
- * to treat it as such than to figure out
- * some more elaborate course of action.
- */
- broken_server = DNS_R_LAME;
- keep_trying = ISC_TRUE;
- goto done;
- }
- goto force_referral;
- }
- result = answer_response(fctx);
- if (result != ISC_R_SUCCESS) {
- if (result == DNS_R_FORMERR)
- keep_trying = ISC_TRUE;
- goto done;
- }
- } else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
- message->rcode == dns_rcode_noerror ||
- message->rcode == dns_rcode_nxdomain) {
- /*
- * NXDOMAIN, NXRDATASET, or referral.
- */
- result = noanswer_response(fctx, NULL, ISC_FALSE);
- if (result == DNS_R_CHASEDSSERVERS) {
- } else if (result == DNS_R_DELEGATION) {
- force_referral:
- /*
- * We don't have the answer, but we know a better
- * place to look.
- */
- get_nameservers = ISC_TRUE;
- keep_trying = ISC_TRUE;
- /*
- * We have a new set of name servers, and it
- * has not experienced any restarts yet.
- */
- fctx->restarts = 0;
- result = ISC_R_SUCCESS;
- } else if (result != ISC_R_SUCCESS) {
- /*
- * Something has gone wrong.
- */
- if (result == DNS_R_FORMERR)
- keep_trying = ISC_TRUE;
- goto done;
- }
- } else {
- /*
- * The server is insane.
- */
- /* XXXRTH Log */
- broken_server = DNS_R_UNEXPECTEDRCODE;
- keep_trying = ISC_TRUE;
- goto done;
- }
-
- /*
- * Follow additional section data chains.
- */
- chase_additional(fctx);
-
- /*
- * Cache the cacheable parts of the message. This may also cause
- * work to be queued to the DNSSEC validator.
- */
- if (WANTCACHE(fctx)) {
- result = cache_message(fctx, query->addrinfo, now);
- if (result != ISC_R_SUCCESS)
- goto done;
- }
-
- /*
- * Ncache the negatively cacheable parts of the message. This may
- * also cause work to be queued to the DNSSEC validator.
- */
- if (WANTNCACHE(fctx)) {
- dns_rdatatype_t covers;
- if (message->rcode == dns_rcode_nxdomain)
- covers = dns_rdatatype_any;
- else
- covers = fctx->type;
-
- /*
- * Cache any negative cache entries in the message.
- */
- result = ncache_message(fctx, query->addrinfo, covers, now);
- }
-
- done:
- /*
- * Remember the query's addrinfo, in case we need to mark the
- * server as broken.
- */
- addrinfo = query->addrinfo;
-
- /*
- * Cancel the query.
- *
- * XXXRTH Don't cancel the query if waiting for validation?
- */
- fctx_cancelquery(&query, &devent, finish, ISC_FALSE);
-
- if (keep_trying) {
- if (result == DNS_R_FORMERR)
- broken_server = DNS_R_FORMERR;
- if (broken_server != ISC_R_SUCCESS) {
- /*
- * Add this server to the list of bad servers for
- * this fctx.
- */
- add_bad(fctx, &addrinfo->sockaddr, broken_server);
- }
-
- if (get_nameservers) {
- dns_name_t *name;
- dns_fixedname_init(&foundname);
- fname = dns_fixedname_name(&foundname);
- if (result != ISC_R_SUCCESS) {
- fctx_done(fctx, DNS_R_SERVFAIL);
- return;
- }
- findoptions = 0;
- if (dns_rdatatype_atparent(fctx->type))
- findoptions |= DNS_DBFIND_NOEXACT;
- if ((options & DNS_FETCHOPT_UNSHARED) == 0)
- name = &fctx->name;
- else
- name = &fctx->domain;
- result = dns_view_findzonecut(fctx->res->view,
- name, fname,
- now, findoptions,
- ISC_TRUE,
- &fctx->nameservers,
- NULL);
- if (result != ISC_R_SUCCESS) {
- FCTXTRACE("couldn't find a zonecut");
- fctx_done(fctx, DNS_R_SERVFAIL);
- return;
- }
- if (!dns_name_issubdomain(fname, &fctx->domain)) {
- /*
- * The best nameservers are now above our
- * QDOMAIN.
- */
- FCTXTRACE("nameservers now above QDOMAIN");
- fctx_done(fctx, DNS_R_SERVFAIL);
- return;
- }
- dns_name_free(&fctx->domain, fctx->res->mctx);
- dns_name_init(&fctx->domain, NULL);
- result = dns_name_dup(fname, fctx->res->mctx,
- &fctx->domain);
- if (result != ISC_R_SUCCESS) {
- fctx_done(fctx, DNS_R_SERVFAIL);
- return;
- }
- fctx_cancelqueries(fctx, ISC_TRUE);
- fctx_cleanupfinds(fctx);
- fctx_cleanupaltfinds(fctx);
- fctx_cleanupforwaddrs(fctx);
- fctx_cleanupaltaddrs(fctx);
- }
- /*
- * Try again.
- */
- fctx_try(fctx);
- } else if (resend) {
- /*
- * Resend (probably with changed options).
- */
- FCTXTRACE("resend");
- result = fctx_query(fctx, addrinfo, options);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- } else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
- /*
- * All has gone well so far, but we are waiting for the
- * DNSSEC validator to validate the answer.
- */
- FCTXTRACE("wait for validator");
- fctx_cancelqueries(fctx, ISC_TRUE);
- /*
- * We must not retransmit while the validator is working;
- * it has references to the current rmessage.
- */
- result = fctx_stopidletimer(fctx);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- } else if (result == DNS_R_CHASEDSSERVERS) {
- unsigned int n;
- add_bad(fctx, &addrinfo->sockaddr, result);
- fctx_cancelqueries(fctx, ISC_TRUE);
- fctx_cleanupfinds(fctx);
- fctx_cleanupforwaddrs(fctx);
-
- n = dns_name_countlabels(&fctx->name);
- dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
-
- FCTXTRACE("suspending DS lookup to find parent's NS records");
-
- result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
- dns_rdatatype_ns,
- NULL, NULL, NULL, 0, task,
- resume_dslookup, fctx,
- &fctx->nsrrset, NULL,
- &fctx->nsfetch);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
- fctx->references++;
- UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
- result = fctx_stopidletimer(fctx);
- if (result != ISC_R_SUCCESS)
- fctx_done(fctx, result);
- } else {
- /*
- * We're done.
- */
- fctx_done(fctx, result);
- }
-}
-
-
-/***
- *** Resolver Methods
- ***/
-
-static void
-destroy(dns_resolver_t *res) {
- unsigned int i;
- alternate_t *a;
-
- REQUIRE(res->references == 0);
- REQUIRE(!res->priming);
- REQUIRE(res->primefetch == NULL);
-
- RTRACE("destroy");
-
- INSIST(res->nfctx == 0);
-
- DESTROYLOCK(&res->primelock);
- DESTROYLOCK(&res->nlock);
- DESTROYLOCK(&res->lock);
- for (i = 0; i < res->nbuckets; i++) {
- INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
- isc_task_shutdown(res->buckets[i].task);
- isc_task_detach(&res->buckets[i].task);
- DESTROYLOCK(&res->buckets[i].lock);
- }
- isc_mem_put(res->mctx, res->buckets,
- res->nbuckets * sizeof(fctxbucket_t));
- if (res->dispatchv4 != NULL)
- dns_dispatch_detach(&res->dispatchv4);
- if (res->dispatchv6 != NULL)
- dns_dispatch_detach(&res->dispatchv6);
- while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
- ISC_LIST_UNLINK(res->alternates, a, link);
- if (!a->isaddress)
- dns_name_free(&a->_u._n.name, res->mctx);
- isc_mem_put(res->mctx, a, sizeof(*a));
- }
- dns_resolver_reset_algorithms(res);
- dns_resolver_resetmustbesecure(res);
-#if USE_ALGLOCK
- isc_rwlock_destroy(&res->alglock);
-#endif
-#if USE_MBSLOCK
- isc_rwlock_destroy(&res->mbslock);
-#endif
- res->magic = 0;
- isc_mem_put(res->mctx, res, sizeof(*res));
-}
-
-static void
-send_shutdown_events(dns_resolver_t *res) {
- isc_event_t *event, *next_event;
- isc_task_t *etask;
-
- /*
- * Caller must be holding the resolver lock.
- */
-
- for (event = ISC_LIST_HEAD(res->whenshutdown);
- event != NULL;
- event = next_event) {
- next_event = ISC_LIST_NEXT(event, ev_link);
- ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
- etask = event->ev_sender;
- event->ev_sender = res;
- isc_task_sendanddetach(&etask, &event);
- }
-}
-
-static void
-empty_bucket(dns_resolver_t *res) {
- RTRACE("empty_bucket");
-
- LOCK(&res->lock);
-
- INSIST(res->activebuckets > 0);
- res->activebuckets--;
- if (res->activebuckets == 0)
- send_shutdown_events(res);
-
- UNLOCK(&res->lock);
-}
-
-isc_result_t
-dns_resolver_create(dns_view_t *view,
- isc_taskmgr_t *taskmgr, unsigned int ntasks,
- isc_socketmgr_t *socketmgr,
- isc_timermgr_t *timermgr,
- unsigned int options,
- dns_dispatchmgr_t *dispatchmgr,
- dns_dispatch_t *dispatchv4,
- dns_dispatch_t *dispatchv6,
- dns_resolver_t **resp)
-{
- dns_resolver_t *res;
- isc_result_t result = ISC_R_SUCCESS;
- unsigned int i, buckets_created = 0;
- char name[16];
-
- /*
- * Create a resolver.
- */
-
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(ntasks > 0);
- REQUIRE(resp != NULL && *resp == NULL);
- REQUIRE(dispatchmgr != NULL);
- REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
-
- res = isc_mem_get(view->mctx, sizeof(*res));
- if (res == NULL)
- return (ISC_R_NOMEMORY);
- RTRACE("create");
- res->mctx = view->mctx;
- res->rdclass = view->rdclass;
- res->socketmgr = socketmgr;
- res->timermgr = timermgr;
- res->taskmgr = taskmgr;
- res->dispatchmgr = dispatchmgr;
- res->view = view;
- res->options = options;
- res->lame_ttl = 0;
- ISC_LIST_INIT(res->alternates);
- res->udpsize = RECV_BUFFER_SIZE;
- res->algorithms = NULL;
- res->mustbesecure = NULL;
-
- res->nbuckets = ntasks;
- res->activebuckets = ntasks;
- res->buckets = isc_mem_get(view->mctx,
- ntasks * sizeof(fctxbucket_t));
- if (res->buckets == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_res;
- }
- for (i = 0; i < ntasks; i++) {
- result = isc_mutex_init(&res->buckets[i].lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_buckets;
- res->buckets[i].task = NULL;
- result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
- if (result != ISC_R_SUCCESS) {
- DESTROYLOCK(&res->buckets[i].lock);
- goto cleanup_buckets;
- }
- snprintf(name, sizeof(name), "res%u", i);
- isc_task_setname(res->buckets[i].task, name, res);
- ISC_LIST_INIT(res->buckets[i].fctxs);
- res->buckets[i].exiting = ISC_FALSE;
- buckets_created++;
- }
-
- res->dispatchv4 = NULL;
- if (dispatchv4 != NULL)
- dns_dispatch_attach(dispatchv4, &res->dispatchv4);
- res->dispatchv6 = NULL;
- if (dispatchv6 != NULL)
- dns_dispatch_attach(dispatchv6, &res->dispatchv6);
-
- res->references = 1;
- res->exiting = ISC_FALSE;
- res->frozen = ISC_FALSE;
- ISC_LIST_INIT(res->whenshutdown);
- res->priming = ISC_FALSE;
- res->primefetch = NULL;
- res->nfctx = 0;
-
- result = isc_mutex_init(&res->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_dispatches;
-
- result = isc_mutex_init(&res->nlock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_lock;
-
- result = isc_mutex_init(&res->primelock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_nlock;
-
-#if USE_ALGLOCK
- result = isc_rwlock_init(&res->alglock, 0, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup_primelock;
-#endif
-#if USE_MBSLOCK
- result = isc_rwlock_init(&res->mbslock, 0, 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup_alglock;
-#endif
-
- res->magic = RES_MAGIC;
-
- *resp = res;
-
- return (ISC_R_SUCCESS);
-
-#if USE_MBSLOCK
- cleanup_alglock:
-#if USE_ALGLOCK
- isc_rwlock_destroy(&res->alglock);
-#endif
-#endif
-#if USE_ALGLOCK || USE_MBSLOCK
- cleanup_primelock:
- DESTROYLOCK(&res->primelock);
-#endif
-
- cleanup_nlock:
- DESTROYLOCK(&res->nlock);
-
- cleanup_lock:
- DESTROYLOCK(&res->lock);
-
- cleanup_dispatches:
- if (res->dispatchv6 != NULL)
- dns_dispatch_detach(&res->dispatchv6);
- if (res->dispatchv4 != NULL)
- dns_dispatch_detach(&res->dispatchv4);
-
- cleanup_buckets:
- for (i = 0; i < buckets_created; i++) {
- DESTROYLOCK(&res->buckets[i].lock);
- isc_task_shutdown(res->buckets[i].task);
- isc_task_detach(&res->buckets[i].task);
- }
- isc_mem_put(view->mctx, res->buckets,
- res->nbuckets * sizeof(fctxbucket_t));
-
- cleanup_res:
- isc_mem_put(view->mctx, res, sizeof(*res));
-
- return (result);
-}
-
-static void
-prime_done(isc_task_t *task, isc_event_t *event) {
- dns_resolver_t *res;
- dns_fetchevent_t *fevent;
- dns_fetch_t *fetch;
-
- REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
- fevent = (dns_fetchevent_t *)event;
- res = event->ev_arg;
- REQUIRE(VALID_RESOLVER(res));
-
- UNUSED(task);
-
- LOCK(&res->lock);
-
- INSIST(res->priming);
- res->priming = ISC_FALSE;
- LOCK(&res->primelock);
- fetch = res->primefetch;
- res->primefetch = NULL;
- UNLOCK(&res->primelock);
-
- UNLOCK(&res->lock);
-
- if (fevent->node != NULL)
- dns_db_detachnode(fevent->db, &fevent->node);
- if (fevent->db != NULL)
- dns_db_detach(&fevent->db);
- if (dns_rdataset_isassociated(fevent->rdataset))
- dns_rdataset_disassociate(fevent->rdataset);
- INSIST(fevent->sigrdataset == NULL);
-
- isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
-
- isc_event_free(&event);
- dns_resolver_destroyfetch(&fetch);
-}
-
-void
-dns_resolver_prime(dns_resolver_t *res) {
- isc_boolean_t want_priming = ISC_FALSE;
- dns_rdataset_t *rdataset;
- isc_result_t result;
-
- REQUIRE(VALID_RESOLVER(res));
- REQUIRE(res->frozen);
-
- RTRACE("dns_resolver_prime");
-
- LOCK(&res->lock);
-
- if (!res->exiting && !res->priming) {
- INSIST(res->primefetch == NULL);
- res->priming = ISC_TRUE;
- want_priming = ISC_TRUE;
- }
-
- UNLOCK(&res->lock);
-
- if (want_priming) {
- /*
- * To avoid any possible recursive locking problems, we
- * start the priming fetch like any other fetch, and holding
- * no resolver locks. No one else will try to start it
- * because we're the ones who set res->priming to true.
- * Any other callers of dns_resolver_prime() while we're
- * running will see that res->priming is already true and
- * do nothing.
- */
- RTRACE("priming");
- rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
- if (rdataset == NULL) {
- LOCK(&res->lock);
- INSIST(res->priming);
- INSIST(res->primefetch == NULL);
- res->priming = ISC_FALSE;
- UNLOCK(&res->lock);
- return;
- }
- dns_rdataset_init(rdataset);
- LOCK(&res->primelock);
- result = dns_resolver_createfetch(res, dns_rootname,
- dns_rdatatype_ns,
- NULL, NULL, NULL, 0,
- res->buckets[0].task,
- prime_done,
- res, rdataset, NULL,
- &res->primefetch);
- UNLOCK(&res->primelock);
- if (result != ISC_R_SUCCESS) {
- LOCK(&res->lock);
- INSIST(res->priming);
- res->priming = ISC_FALSE;
- UNLOCK(&res->lock);
- }
- }
-}
-
-void
-dns_resolver_freeze(dns_resolver_t *res) {
-
- /*
- * Freeze resolver.
- */
-
- REQUIRE(VALID_RESOLVER(res));
- REQUIRE(!res->frozen);
-
- res->frozen = ISC_TRUE;
-}
-
-void
-dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
- REQUIRE(VALID_RESOLVER(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- RRTRACE(source, "attach");
- LOCK(&source->lock);
- REQUIRE(!source->exiting);
-
- INSIST(source->references > 0);
- source->references++;
- INSIST(source->references != 0);
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-void
-dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
- isc_event_t **eventp)
-{
- isc_task_t *clone;
- isc_event_t *event;
-
- REQUIRE(VALID_RESOLVER(res));
- REQUIRE(eventp != NULL);
-
- event = *eventp;
- *eventp = NULL;
-
- LOCK(&res->lock);
-
- if (res->exiting && res->activebuckets == 0) {
- /*
- * We're already shutdown. Send the event.
- */
- event->ev_sender = res;
- isc_task_send(task, &event);
- } else {
- clone = NULL;
- isc_task_attach(task, &clone);
- event->ev_sender = clone;
- ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
- }
-
- UNLOCK(&res->lock);
-}
-
-void
-dns_resolver_shutdown(dns_resolver_t *res) {
- unsigned int i;
- fetchctx_t *fctx;
- isc_socket_t *sock;
-
- REQUIRE(VALID_RESOLVER(res));
-
- RTRACE("shutdown");
-
- LOCK(&res->lock);
-
- if (!res->exiting) {
- RTRACE("exiting");
- res->exiting = ISC_TRUE;
-
- for (i = 0; i < res->nbuckets; i++) {
- LOCK(&res->buckets[i].lock);
- for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
- fctx != NULL;
- fctx = ISC_LIST_NEXT(fctx, link))
- fctx_shutdown(fctx);
- if (res->dispatchv4 != NULL) {
- sock = dns_dispatch_getsocket(res->dispatchv4);
- isc_socket_cancel(sock, res->buckets[i].task,
- ISC_SOCKCANCEL_ALL);
- }
- if (res->dispatchv6 != NULL) {
- sock = dns_dispatch_getsocket(res->dispatchv6);
- isc_socket_cancel(sock, res->buckets[i].task,
- ISC_SOCKCANCEL_ALL);
- }
- res->buckets[i].exiting = ISC_TRUE;
- if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
- INSIST(res->activebuckets > 0);
- res->activebuckets--;
- }
- UNLOCK(&res->buckets[i].lock);
- }
- if (res->activebuckets == 0)
- send_shutdown_events(res);
- }
-
- UNLOCK(&res->lock);
-}
-
-void
-dns_resolver_detach(dns_resolver_t **resp) {
- dns_resolver_t *res;
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(resp != NULL);
- res = *resp;
- REQUIRE(VALID_RESOLVER(res));
-
- RTRACE("detach");
-
- LOCK(&res->lock);
-
- INSIST(res->references > 0);
- res->references--;
- if (res->references == 0) {
- INSIST(res->exiting && res->activebuckets == 0);
- need_destroy = ISC_TRUE;
- }
-
- UNLOCK(&res->lock);
-
- if (need_destroy)
- destroy(res);
-
- *resp = NULL;
-}
-
-static inline isc_boolean_t
-fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
- unsigned int options)
-{
- if (fctx->type != type || fctx->options != options)
- return (ISC_FALSE);
- return (dns_name_equal(&fctx->name, name));
-}
-
-static inline void
-log_fetch(dns_name_t *name, dns_rdatatype_t type) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- int level = ISC_LOG_DEBUG(1);
-
- if (! isc_log_wouldlog(dns_lctx, level))
- return;
-
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
- DNS_LOGMODULE_RESOLVER, level,
- "createfetch: %s %s", namebuf, typebuf);
-}
-
-isc_result_t
-dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
- dns_rdatatype_t type,
- dns_name_t *domain, dns_rdataset_t *nameservers,
- dns_forwarders_t *forwarders,
- unsigned int options, isc_task_t *task,
- isc_taskaction_t action, void *arg,
- dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset,
- dns_fetch_t **fetchp)
-{
- dns_fetch_t *fetch;
- fetchctx_t *fctx = NULL;
- isc_result_t result;
- unsigned int bucketnum;
- isc_boolean_t new_fctx = ISC_FALSE;
- isc_event_t *event;
-
- UNUSED(forwarders);
-
- REQUIRE(VALID_RESOLVER(res));
- REQUIRE(res->frozen);
- /* XXXRTH Check for meta type */
- if (domain != NULL) {
- REQUIRE(DNS_RDATASET_VALID(nameservers));
- REQUIRE(nameservers->type == dns_rdatatype_ns);
- } else
- REQUIRE(nameservers == NULL);
- REQUIRE(forwarders == NULL);
- REQUIRE(!dns_rdataset_isassociated(rdataset));
- REQUIRE(sigrdataset == NULL ||
- !dns_rdataset_isassociated(sigrdataset));
- REQUIRE(fetchp != NULL && *fetchp == NULL);
-
- log_fetch(name, type);
-
- /*
- * XXXRTH use a mempool?
- */
- fetch = isc_mem_get(res->mctx, sizeof(*fetch));
- if (fetch == NULL)
- return (ISC_R_NOMEMORY);
-
- bucketnum = dns_name_hash(name, ISC_FALSE) % res->nbuckets;
-
- LOCK(&res->buckets[bucketnum].lock);
-
- if (res->buckets[bucketnum].exiting) {
- result = ISC_R_SHUTTINGDOWN;
- goto unlock;
- }
-
- if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
- for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
- fctx != NULL;
- fctx = ISC_LIST_NEXT(fctx, link)) {
- if (fctx_match(fctx, name, type, options))
- break;
- }
- }
-
- /*
- * If we didn't have a fetch, would attach to a done fetch, this
- * fetch has already cloned its results, or if the fetch has gone
- * "idle" (no one was interested in it), we need to start a new
- * fetch instead of joining with the existing one.
- */
- if (fctx == NULL ||
- fctx->state == fetchstate_done ||
- fctx->cloned ||
- ISC_LIST_EMPTY(fctx->events)) {
- fctx = NULL;
- result = fctx_create(res, name, type, domain, nameservers,
- options, bucketnum, &fctx);
- if (result != ISC_R_SUCCESS)
- goto unlock;
- new_fctx = ISC_TRUE;
- }
-
- result = fctx_join(fctx, task, action, arg,
- rdataset, sigrdataset, fetch);
- if (new_fctx) {
- if (result == ISC_R_SUCCESS) {
- /*
- * Launch this fctx.
- */
- event = &fctx->control_event;
- ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
- DNS_EVENT_FETCHCONTROL,
- fctx_start, fctx, NULL,
- NULL, NULL);
- isc_task_send(res->buckets[bucketnum].task, &event);
- } else {
- /*
- * We don't care about the result of fctx_destroy()
- * since we know we're not exiting.
- */
- (void)fctx_destroy(fctx);
- }
- }
-
- unlock:
- UNLOCK(&res->buckets[bucketnum].lock);
-
- if (result == ISC_R_SUCCESS) {
- FTRACE("created");
- *fetchp = fetch;
- } else
- isc_mem_put(res->mctx, fetch, sizeof(*fetch));
-
- return (result);
-}
-
-void
-dns_resolver_cancelfetch(dns_fetch_t *fetch) {
- fetchctx_t *fctx;
- dns_resolver_t *res;
- dns_fetchevent_t *event, *next_event;
- isc_task_t *etask;
-
- REQUIRE(DNS_FETCH_VALID(fetch));
- fctx = fetch->private;
- REQUIRE(VALID_FCTX(fctx));
- res = fctx->res;
-
- FTRACE("cancelfetch");
-
- LOCK(&res->buckets[fctx->bucketnum].lock);
-
- /*
- * Find the completion event for this fetch (as opposed
- * to those for other fetches that have joined the same
- * fctx) and send it with result = ISC_R_CANCELED.
- */
- event = NULL;
- if (fctx->state != fetchstate_done) {
- for (event = ISC_LIST_HEAD(fctx->events);
- event != NULL;
- event = next_event) {
- next_event = ISC_LIST_NEXT(event, ev_link);
- if (event->fetch == fetch) {
- ISC_LIST_UNLINK(fctx->events, event, ev_link);
- break;
- }
- }
- }
- if (event != NULL) {
- etask = event->ev_sender;
- event->ev_sender = fctx;
- event->result = ISC_R_CANCELED;
- isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
- }
- /*
- * The fctx continues running even if no fetches remain;
- * the answer is still cached.
- */
-
- UNLOCK(&res->buckets[fctx->bucketnum].lock);
-}
-
-void
-dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
- dns_fetch_t *fetch;
- dns_resolver_t *res;
- dns_fetchevent_t *event, *next_event;
- fetchctx_t *fctx;
- unsigned int bucketnum;
- isc_boolean_t bucket_empty = ISC_FALSE;
-
- REQUIRE(fetchp != NULL);
- fetch = *fetchp;
- REQUIRE(DNS_FETCH_VALID(fetch));
- fctx = fetch->private;
- REQUIRE(VALID_FCTX(fctx));
- res = fctx->res;
-
- FTRACE("destroyfetch");
-
- bucketnum = fctx->bucketnum;
- LOCK(&res->buckets[bucketnum].lock);
-
- /*
- * Sanity check: the caller should have gotten its event before
- * trying to destroy the fetch.
- */
- event = NULL;
- if (fctx->state != fetchstate_done) {
- for (event = ISC_LIST_HEAD(fctx->events);
- event != NULL;
- event = next_event) {
- next_event = ISC_LIST_NEXT(event, ev_link);
- RUNTIME_CHECK(event->fetch != fetch);
- }
- }
-
- INSIST(fctx->references > 0);
- fctx->references--;
- if (fctx->references == 0) {
- /*
- * No one cares about the result of this fetch anymore.
- */
- if (fctx->pending == 0 && ISC_LIST_EMPTY(fctx->validators) &&
- SHUTTINGDOWN(fctx)) {
- /*
- * This fctx is already shutdown; we were just
- * waiting for the last reference to go away.
- */
- bucket_empty = fctx_destroy(fctx);
- } else {
- /*
- * Initiate shutdown.
- */
- fctx_shutdown(fctx);
- }
- }
-
- UNLOCK(&res->buckets[bucketnum].lock);
-
- isc_mem_put(res->mctx, fetch, sizeof(*fetch));
- *fetchp = NULL;
-
- if (bucket_empty)
- empty_bucket(res);
-}
-
-dns_dispatchmgr_t *
-dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
- REQUIRE(VALID_RESOLVER(resolver));
- return (resolver->dispatchmgr);
-}
-
-dns_dispatch_t *
-dns_resolver_dispatchv4(dns_resolver_t *resolver) {
- REQUIRE(VALID_RESOLVER(resolver));
- return (resolver->dispatchv4);
-}
-
-dns_dispatch_t *
-dns_resolver_dispatchv6(dns_resolver_t *resolver) {
- REQUIRE(VALID_RESOLVER(resolver));
- return (resolver->dispatchv6);
-}
-
-isc_socketmgr_t *
-dns_resolver_socketmgr(dns_resolver_t *resolver) {
- REQUIRE(VALID_RESOLVER(resolver));
- return (resolver->socketmgr);
-}
-
-isc_taskmgr_t *
-dns_resolver_taskmgr(dns_resolver_t *resolver) {
- REQUIRE(VALID_RESOLVER(resolver));
- return (resolver->taskmgr);
-}
-
-isc_uint32_t
-dns_resolver_getlamettl(dns_resolver_t *resolver) {
- REQUIRE(VALID_RESOLVER(resolver));
- return (resolver->lame_ttl);
-}
-
-void
-dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) {
- REQUIRE(VALID_RESOLVER(resolver));
- resolver->lame_ttl = lame_ttl;
-}
-
-unsigned int
-dns_resolver_nrunning(dns_resolver_t *resolver) {
- unsigned int n;
- LOCK(&resolver->nlock);
- n = resolver->nfctx;
- UNLOCK(&resolver->nlock);
- return (n);
-}
-
-isc_result_t
-dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
- dns_name_t *name, in_port_t port) {
- alternate_t *a;
- isc_result_t result;
-
- REQUIRE(VALID_RESOLVER(resolver));
- REQUIRE(!resolver->frozen);
- REQUIRE((alt == NULL) ^ (name == NULL));
-
- a = isc_mem_get(resolver->mctx, sizeof(*a));
- if (a == NULL)
- return (ISC_R_NOMEMORY);
- if (alt != NULL) {
- a->isaddress = ISC_TRUE;
- a->_u.addr = *alt;
- } else {
- a->isaddress = ISC_FALSE;
- a->_u._n.port = port;
- dns_name_init(&a->_u._n.name, NULL);
- result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(resolver->mctx, a, sizeof(*a));
- return (result);
- }
- }
- ISC_LINK_INIT(a, link);
- ISC_LIST_APPEND(resolver->alternates, a, link);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
- REQUIRE(VALID_RESOLVER(resolver));
- resolver->udpsize = udpsize;
-}
-
-isc_uint16_t
-dns_resolver_getudpsize(dns_resolver_t *resolver) {
- REQUIRE(VALID_RESOLVER(resolver));
- return (resolver->udpsize);
-}
-
-static void
-free_algorithm(void *node, void *arg) {
- unsigned char *algorithms = node;
- isc_mem_t *mctx = arg;
-
- isc_mem_put(mctx, algorithms, *algorithms);
-}
-
-void
-dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
-
- REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_ALGLOCK
- RWLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
- if (resolver->algorithms != NULL)
- dns_rbt_destroy(&resolver->algorithms);
-#if USE_ALGLOCK
- RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
-}
-
-isc_result_t
-dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
- unsigned int alg)
-{
- unsigned int len, mask;
- unsigned char *new;
- unsigned char *algorithms;
- isc_result_t result;
- dns_rbtnode_t *node = NULL;
-
- REQUIRE(VALID_RESOLVER(resolver));
- if (alg > 255)
- return (ISC_R_RANGE);
-
-#if USE_ALGLOCK
- RWLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
- if (resolver->algorithms == NULL) {
- result = dns_rbt_create(resolver->mctx, free_algorithm,
- resolver->mctx, &resolver->algorithms);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
-
- len = alg/8 + 2;
- mask = 1 << (alg%8);
-
- result = dns_rbt_addnode(resolver->algorithms, name, &node);
-
- if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
- algorithms = node->data;
- if (algorithms == NULL || len > *algorithms) {
- new = isc_mem_get(resolver->mctx, len);
- if (new == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- memset(new, 0, len);
- if (algorithms != NULL)
- memcpy(new, algorithms, *algorithms);
- new[len-1] |= mask;
- *new = len;
- node->data = new;
- if (algorithms != NULL)
- isc_mem_put(resolver->mctx, algorithms,
- *algorithms);
- } else
- algorithms[len-1] |= mask;
- }
- result = ISC_R_SUCCESS;
- cleanup:
-#if USE_ALGLOCK
- RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
-#endif
- return (result);
-}
-
-isc_boolean_t
-dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
- unsigned int alg)
-{
- unsigned int len, mask;
- unsigned char *algorithms;
- void *data = NULL;
- isc_result_t result;
- isc_boolean_t found = ISC_FALSE;
-
- REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_ALGLOCK
- RWLOCK(&resolver->alglock, isc_rwlocktype_read);
-#endif
- if (resolver->algorithms == NULL)
- goto unlock;
- result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
- len = alg/8 + 2;
- mask = 1 << (alg%8);
- algorithms = data;
- if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
- found = ISC_TRUE;
- }
- unlock:
-#if USE_ALGLOCK
- RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
-#endif
- if (found)
- return (ISC_FALSE);
- return (dst_algorithm_supported(alg));
-}
-
-void
-dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
-
- REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_MBSLOCK
- RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
- if (resolver->mustbesecure != NULL)
- dns_rbt_destroy(&resolver->mustbesecure);
-#if USE_MBSLOCK
- RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
-}
-
-static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;
-
-isc_result_t
-dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
- isc_boolean_t value)
-{
- isc_result_t result;
-
- REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_MBSLOCK
- RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
- if (resolver->mustbesecure == NULL) {
- result = dns_rbt_create(resolver->mctx, NULL, NULL,
- &resolver->mustbesecure);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- }
- result = dns_rbt_addname(resolver->mustbesecure, name,
- value ? &yes : &no);
- cleanup:
-#if USE_MBSLOCK
- RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
-#endif
- return (result);
-}
-
-isc_boolean_t
-dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
- void *data = NULL;
- isc_boolean_t value = ISC_FALSE;
- isc_result_t result;
-
- REQUIRE(VALID_RESOLVER(resolver));
-
-#if USE_MBSLOCK
- RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
-#endif
- if (resolver->mustbesecure == NULL)
- goto unlock;
- result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- value = *(isc_boolean_t*)data;
- unlock:
-#if USE_MBSLOCK
- RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);
-#endif
- return (value);
-}
diff --git a/contrib/bind9/lib/dns/result.c b/contrib/bind9/lib/dns/result.c
deleted file mode 100644
index eb8308a33dd6..000000000000
--- a/contrib/bind9/lib/dns/result.c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.c,v 1.90.2.9.2.13 2004/05/14 05:06:39 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/lib.h>
-
-static const char *text[DNS_R_NRESULTS] = {
- "label too long", /* 0 DNS_R_LABELTOOLONG */
- "bad escape", /* 1 DNS_R_BADESCAPE */
- /*
- * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
- * deprecated.
- */
- "bad bitstring", /* 2 DNS_R_BADBITSTRING */
- "bitstring too long", /* 3 DNS_R_BITSTRINGTOOLONG */
- "empty label", /* 4 DNS_R_EMPTYLABEL */
-
- "bad dotted quad", /* 5 DNS_R_BADDOTTEDQUAD */
- "invalid NS owner name (wildcard)", /* 6 DNS_R_INVALIDNS */
- "unknown class/type", /* 7 DNS_R_UNKNOWN */
- "bad label type", /* 8 DNS_R_BADLABELTYPE */
- "bad compression pointer", /* 9 DNS_R_BADPOINTER */
-
- "too many hops", /* 10 DNS_R_TOOMANYHOPS */
- "disallowed (by application policy)", /* 11 DNS_R_DISALLOWED */
- "extra input text", /* 12 DNS_R_EXTRATOKEN */
- "extra input data", /* 13 DNS_R_EXTRADATA */
- "text too long", /* 14 DNS_R_TEXTTOOLONG */
-
- "not at top of zone", /* 15 DNS_R_NOTZONETOP */
- "syntax error", /* 16 DNS_R_SYNTAX */
- "bad checksum", /* 17 DNS_R_BADCKSUM */
- "bad IPv6 address", /* 18 DNS_R_BADAAAA */
- "no owner", /* 19 DNS_R_NOOWNER */
-
- "no ttl", /* 20 DNS_R_NOTTL */
- "bad class", /* 21 DNS_R_BADCLASS */
- "name too long", /* 22 DNS_R_NAMETOOLONG */
- "partial match", /* 23 DNS_R_PARTIALMATCH */
- "new origin", /* 24 DNS_R_NEWORIGIN */
-
- "unchanged", /* 25 DNS_R_UNCHANGED */
- "bad ttl", /* 26 DNS_R_BADTTL */
- "more data needed/to be rendered", /* 27 DNS_R_NOREDATA */
- "continue", /* 28 DNS_R_CONTINUE */
- "delegation", /* 29 DNS_R_DELEGATION */
-
- "glue", /* 30 DNS_R_GLUE */
- "dname", /* 31 DNS_R_DNAME */
- "cname", /* 32 DNS_R_CNAME */
- "bad database", /* 33 DNS_R_BADDB */
- "zonecut", /* 34 DNS_R_ZONECUT */
-
- "bad zone", /* 35 DNS_R_BADZONE */
- "more data", /* 36 DNS_R_MOREDATA */
- "up to date", /* 37 DNS_R_UPTODATE */
- "tsig verify failure", /* 38 DNS_R_TSIGVERIFYFAILURE */
- "tsig indicates error", /* 39 DNS_R_TSIGERRORSET */
-
- "RRSIG failed to verify", /* 40 DNS_R_SIGINVALID */
- "RRSIG has expired", /* 41 DNS_R_SIGEXPIRED */
- "RRSIG validity period has not begun", /* 42 DNS_R_SIGFUTURE */
- "key is unauthorized to sign data", /* 43 DNS_R_KEYUNAUTHORIZED */
- "invalid time", /* 44 DNS_R_INVALIDTIME */
-
- "expected a TSIG or SIG(0)", /* 45 DNS_R_EXPECTEDTSIG */
- "did not expect a TSIG or SIG(0)", /* 46 DNS_R_UNEXPECTEDTSIG */
- "TKEY is unacceptable", /* 47 DNS_R_INVALIDTKEY */
- "hint", /* 48 DNS_R_HINT */
- "drop", /* 49 DNS_R_DROP */
-
- "zone not loaded", /* 50 DNS_R_NOTLOADED */
- "ncache nxdomain", /* 51 DNS_R_NCACHENXDOMAIN */
- "ncache nxrrset", /* 52 DNS_R_NCACHENXRRSET */
- "wait", /* 53 DNS_R_WAIT */
- "not verified yet", /* 54 DNS_R_NOTVERIFIEDYET */
-
- "no identity", /* 55 DNS_R_NOIDENTITY */
- "no journal", /* 56 DNS_R_NOJOURNAL */
- "alias", /* 57 DNS_R_ALIAS */
- "use TCP", /* 58 DNS_R_USETCP */
- "no valid RRSIG", /* 59 DNS_R_NOVALIDSIG */
-
- "no valid NSEC", /* 60 DNS_R_NOVALIDNSEC */
- "not insecure", /* 61 DNS_R_NOTINSECURE */
- "unknown service", /* 62 DNS_R_UNKNOWNSERVICE */
- "recoverable error occurred", /* 63 DNS_R_RECOVERABLE */
- "unknown opt attribute record", /* 64 DNS_R_UNKNOWNOPT */
-
- "unexpected message id", /* 65 DNS_R_UNEXPECTEDID */
- "seen include file", /* 66 DNS_R_SEENINCLUDE */
- "not exact", /* 67 DNS_R_NOTEXACT */
- "address blackholed", /* 68 DNS_R_BLACKHOLED */
- "bad algorithm", /* 69 DNS_R_BADALG */
-
- "invalid use of a meta type", /* 70 DNS_R_METATYPE */
- "CNAME and other data", /* 71 DNS_R_CNAMEANDOTHER */
- "multiple RRs of singleton type", /* 72 DNS_R_SINGLETON */
- "hint nxrrset", /* 73 DNS_R_HINTNXRRSET */
- "no master file configured", /* 74 DNS_R_NOMASTERFILE */
-
- "unknown protocol", /* 75 DNS_R_UNKNOWNPROTO */
- "clocks are unsynchronized", /* 76 DNS_R_CLOCKSKEW */
- "IXFR failed", /* 77 DNS_R_BADIXFR */
- "not authoritative", /* 78 DNS_R_NOTAUTHORITATIVE */
- "no valid KEY", /* 79 DNS_R_NOVALIDKEY */
-
- "obsolete", /* 80 DNS_R_OBSOLETE */
- "already frozen", /* 81 DNS_R_FROZEN */
- "unknown flag", /* 82 DNS_R_UNKNOWNFLAG */
- "expected a response", /* 83 DNS_R_EXPECTEDRESPONSE */
- "no valid DS", /* 84 DNS_R_NOVALIDDS */
-
- "NS is an address", /* 85 DNS_R_NSISADDRESS */
- "received FORMERR", /* 86 DNS_R_REMOTEFORMERR */
- "truncated TCP response", /* 87 DNS_R_TRUNCATEDTCP */
- "lame server detected", /* 88 DNS_R_LAME */
- "unexpected RCODE", /* 89 DNS_R_UNEXPECTEDRCODE */
-
- "unexpected OPCODE", /* 90 DNS_R_UNEXPECTEDOPCODE */
- "chase DS servers", /* 91 DNS_R_CHASEDSSERVERS */
- "empty name", /* 92 DNS_R_EMPTYNAME */
- "empty wild", /* 93 DNS_R_EMPTYWILD */
- "bad bitmap", /* 94 DNS_R_BADBITMAP */
-
- "from wildcard", /* 95 DNS_R_FROMWILDCARD */
- "bad owner name (check-names)", /* 96 DNS_R_BADOWNERNAME */
- "bad name (check-names)", /* 97 DNS_R_BADNAME */
- "dynamic zone", /* 98 DNS_R_DYNAMIC */
- "unknown command", /* 99 DNS_R_UNKNOWNCOMMAND */
-
- "must-be-secure", /* 100 DNS_R_MUSTBESECURE */
- "covering NSEC record returned" /* 101 DNS_R_COVERINGNSEC */
-};
-
-static const char *rcode_text[DNS_R_NRCODERESULTS] = {
- "NOERROR", /* 0 DNS_R_NOEROR */
- "FORMERR", /* 1 DNS_R_FORMERR */
- "SERVFAIL", /* 2 DNS_R_SERVFAIL */
- "NXDOMAIN", /* 3 DNS_R_NXDOMAIN */
- "NOTIMP", /* 4 DNS_R_NOTIMP */
-
- "REFUSED", /* 5 DNS_R_REFUSED */
- "YXDOMAIN", /* 6 DNS_R_YXDOMAIN */
- "YXRRSET", /* 7 DNS_R_YXRRSET */
- "NXRRSET", /* 8 DNS_R_NXRRSET */
- "NOTAUTH", /* 9 DNS_R_NOTAUTH */
-
- "NOTZONE", /* 10 DNS_R_NOTZONE */
- "<rcode 11>", /* 11 has no macro */
- "<rcode 12>", /* 12 has no macro */
- "<rcode 13>", /* 13 has no macro */
- "<rcode 14>", /* 14 has no macro */
-
- "<rcode 15>", /* 15 has no macro */
- "BADVERS", /* 16 DNS_R_BADVERS */
-};
-
-#define DNS_RESULT_RESULTSET 2
-#define DNS_RESULT_RCODERESULTSET 3
-
-static isc_once_t once = ISC_ONCE_INIT;
-
-static void
-initialize_action(void) {
- isc_result_t result;
-
- result = isc_result_register(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
- text, dns_msgcat, DNS_RESULT_RESULTSET);
- if (result == ISC_R_SUCCESS)
- result = isc_result_register(ISC_RESULTCLASS_DNSRCODE,
- DNS_R_NRCODERESULTS,
- rcode_text, dns_msgcat,
- DNS_RESULT_RCODERESULTSET);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_result_register() failed: %u", result);
-}
-
-static void
-initialize(void) {
- dns_lib_initmsgcat();
- RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-dns_result_totext(isc_result_t result) {
- initialize();
-
- return (isc_result_totext(result));
-}
-
-void
-dns_result_register(void) {
- initialize();
-}
-
-dns_rcode_t
-dns_result_torcode(isc_result_t result) {
- dns_rcode_t rcode = dns_rcode_servfail;
-
- if (DNS_RESULT_ISRCODE(result)) {
- /*
- * Rcodes can't be bigger than 12 bits, which is why we
- * AND with 0xFFF instead of 0xFFFF.
- */
- return ((dns_rcode_t)((result) & 0xFFF));
- }
- /*
- * Try to supply an appropriate rcode.
- */
- switch (result) {
- case ISC_R_SUCCESS:
- rcode = dns_rcode_noerror;
- break;
- case ISC_R_BADBASE64:
- case ISC_R_NOSPACE:
- case ISC_R_RANGE:
- case ISC_R_UNEXPECTEDEND:
- case DNS_R_BADAAAA:
- /* case DNS_R_BADBITSTRING: deprecated */
- case DNS_R_BADCKSUM:
- case DNS_R_BADCLASS:
- case DNS_R_BADLABELTYPE:
- case DNS_R_BADPOINTER:
- case DNS_R_BADTTL:
- case DNS_R_BADZONE:
- /* case DNS_R_BITSTRINGTOOLONG: deprecated */
- case DNS_R_EXTRADATA:
- case DNS_R_LABELTOOLONG:
- case DNS_R_NOREDATA:
- case DNS_R_SYNTAX:
- case DNS_R_TEXTTOOLONG:
- case DNS_R_TOOMANYHOPS:
- case DNS_R_TSIGERRORSET:
- case DNS_R_UNKNOWN:
- rcode = dns_rcode_formerr;
- break;
- case DNS_R_DISALLOWED:
- rcode = dns_rcode_refused;
- break;
- case DNS_R_TSIGVERIFYFAILURE:
- case DNS_R_CLOCKSKEW:
- rcode = dns_rcode_notauth;
- break;
- default:
- rcode = dns_rcode_servfail;
- }
-
- return (rcode);
-}
diff --git a/contrib/bind9/lib/dns/rootns.c b/contrib/bind9/lib/dns/rootns.c
deleted file mode 100644
index 9e9c9409039f..000000000000
--- a/contrib/bind9/lib/dns/rootns.c
+++ /dev/null
@@ -1,247 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rootns.c,v 1.20.2.3.2.5 2004/03/08 09:04:32 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/log.h>
-#include <dns/fixedname.h>
-#include <dns/master.h>
-#include <dns/rdata.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/rootns.h>
-
-static char root_ns[] =
-";\n"
-"; Internet Root Nameservers\n"
-";\n"
-"; Thu Sep 23 17:57:37 PDT 1999\n"
-";\n"
-"$TTL 518400\n"
-". 518400 IN NS A.ROOT-SERVERS.NET.\n"
-". 518400 IN NS B.ROOT-SERVERS.NET.\n"
-". 518400 IN NS C.ROOT-SERVERS.NET.\n"
-". 518400 IN NS D.ROOT-SERVERS.NET.\n"
-". 518400 IN NS E.ROOT-SERVERS.NET.\n"
-". 518400 IN NS F.ROOT-SERVERS.NET.\n"
-". 518400 IN NS G.ROOT-SERVERS.NET.\n"
-". 518400 IN NS H.ROOT-SERVERS.NET.\n"
-". 518400 IN NS I.ROOT-SERVERS.NET.\n"
-". 518400 IN NS J.ROOT-SERVERS.NET.\n"
-". 518400 IN NS K.ROOT-SERVERS.NET.\n"
-". 518400 IN NS L.ROOT-SERVERS.NET.\n"
-". 518400 IN NS M.ROOT-SERVERS.NET.\n"
-"A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n"
-"B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201\n"
-"C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n"
-"D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90\n"
-"E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10\n"
-"F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241\n"
-"G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4\n"
-"H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53\n"
-"I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17\n"
-"J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30\n"
-"K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129\n"
-"L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12\n"
-"M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33\n";
-
-static isc_result_t
-in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_ns_t ns;
-
- if (!dns_rdataset_isassociated(rootns))
- return (ISC_R_NOTFOUND);
-
- result = dns_rdataset_first(rootns);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(rootns, &rdata);
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (dns_name_compare(name, &ns.name) == 0)
- return (ISC_R_SUCCESS);
- result = dns_rdataset_next(rootns);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_NOTFOUND;
- return (result);
-}
-
-static isc_result_t
-check_node(dns_rdataset_t *rootns, dns_name_t *name,
- dns_rdatasetiter_t *rdsiter) {
- isc_result_t result;
- dns_rdataset_t rdataset;
-
- dns_rdataset_init(&rdataset);
- result = dns_rdatasetiter_first(rdsiter);
- while (result == ISC_R_SUCCESS) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- switch (rdataset.type) {
- case dns_rdatatype_a:
- case dns_rdatatype_aaaa:
- result = in_rootns(rootns, name);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- break;
- case dns_rdatatype_ns:
- if (dns_name_compare(name, dns_rootname) == 0)
- break;
- /*FALLTHROUGH*/
- default:
- result = ISC_R_FAILURE;
- goto cleanup;
- }
- dns_rdataset_disassociate(&rdataset);
- result = dns_rdatasetiter_next(rdsiter);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- cleanup:
- if (dns_rdataset_isassociated(&rdataset))
- dns_rdataset_disassociate(&rdataset);
- return (result);
-}
-
-static isc_result_t
-check_hints(dns_db_t *db) {
- isc_result_t result;
- dns_rdataset_t rootns;
- dns_dbiterator_t *dbiter = NULL;
- dns_dbnode_t *node = NULL;
- isc_stdtime_t now;
- dns_fixedname_t fixname;
- dns_name_t *name;
- dns_rdatasetiter_t *rdsiter = NULL;
-
- isc_stdtime_get(&now);
-
- dns_fixedname_init(&fixname);
- name = dns_fixedname_name(&fixname);
-
- dns_rdataset_init(&rootns);
- (void)dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
- now, NULL, name, &rootns, NULL);
- result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_dbiterator_first(dbiter);
- while (result == ISC_R_SUCCESS) {
- result = dns_dbiterator_current(dbiter, &node, name);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_db_allrdatasets(db, node, NULL, now, &rdsiter);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = check_node(&rootns, name, rdsiter);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rdatasetiter_destroy(&rdsiter);
- dns_db_detachnode(db, &node);
- result = dns_dbiterator_next(dbiter);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- cleanup:
- if (dns_rdataset_isassociated(&rootns))
- dns_rdataset_disassociate(&rootns);
- if (rdsiter != NULL)
- dns_rdatasetiter_destroy(&rdsiter);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (dbiter != NULL)
- dns_dbiterator_destroy(&dbiter);
- return (result);
-}
-
-isc_result_t
-dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
- const char *filename, dns_db_t **target)
-{
- isc_result_t result, eresult;
- isc_buffer_t source;
- size_t len;
- dns_rdatacallbacks_t callbacks;
- dns_db_t *db = NULL;
-
- REQUIRE(target != NULL && *target == NULL);
-
- result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
- rdclass, 0, NULL, &db);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- dns_rdatacallbacks_init(&callbacks);
-
- len = strlen(root_ns);
- isc_buffer_init(&source, root_ns, len);
- isc_buffer_add(&source, len);
-
- result = dns_db_beginload(db, &callbacks.add,
- &callbacks.add_private);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (filename != NULL) {
- /*
- * Load the hints from the specified filename.
- */
- result = dns_master_loadfile(filename, &db->origin,
- &db->origin, db->rdclass,
- DNS_MASTER_HINT,
- &callbacks, db->mctx);
- } else if (rdclass == dns_rdataclass_in) {
- /*
- * Default to using the Internet root servers.
- */
- result = dns_master_loadbuffer(&source, &db->origin,
- &db->origin, db->rdclass,
- DNS_MASTER_HINT,
- &callbacks, db->mctx);
- } else
- result = ISC_R_NOTFOUND;
- eresult = dns_db_endload(db, &callbacks.add_private);
- if (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE)
- result = eresult;
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
- goto db_detach;
- if (check_hints(db) != ISC_R_SUCCESS)
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
- "extra data in root hints '%s'",
- (filename != NULL) ? filename : "<BUILT-IN>");
- *target = db;
- return (ISC_R_SUCCESS);
-
- db_detach:
- dns_db_detach(&db);
-
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/sdb.c b/contrib/bind9/lib/dns/sdb.c
deleted file mode 100644
index ef22418629ff..000000000000
--- a/contrib/bind9/lib/dns/sdb.c
+++ /dev/null
@@ -1,1528 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sdb.c,v 1.35.12.8 2004/07/22 04:01:58 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/buffer.h>
-#include <isc/lex.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/util.h>
-
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/dbiterator.h>
-#include <dns/fixedname.h>
-#include <dns/log.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatasetiter.h>
-#include <dns/rdatatype.h>
-#include <dns/result.h>
-#include <dns/sdb.h>
-#include <dns/types.h>
-
-#include "rdatalist_p.h"
-
-struct dns_sdbimplementation {
- const dns_sdbmethods_t *methods;
- void *driverdata;
- unsigned int flags;
- isc_mem_t *mctx;
- isc_mutex_t driverlock;
- dns_dbimplementation_t *dbimp;
-};
-
-struct dns_sdb {
- /* Unlocked */
- dns_db_t common;
- char *zone;
- dns_sdbimplementation_t *implementation;
- void *dbdata;
- isc_mutex_t lock;
- /* Locked */
- unsigned int references;
-};
-
-struct dns_sdblookup {
- /* Unlocked */
- unsigned int magic;
- dns_sdb_t *sdb;
- ISC_LIST(dns_rdatalist_t) lists;
- ISC_LIST(isc_buffer_t) buffers;
- dns_name_t *name;
- ISC_LINK(dns_sdblookup_t) link;
- isc_mutex_t lock;
- dns_rdatacallbacks_t callbacks;
- /* Locked */
- unsigned int references;
-};
-
-typedef struct dns_sdblookup dns_sdbnode_t;
-
-struct dns_sdballnodes {
- dns_dbiterator_t common;
- ISC_LIST(dns_sdbnode_t) nodelist;
- dns_sdbnode_t *current;
- dns_sdbnode_t *origin;
-};
-
-typedef dns_sdballnodes_t sdb_dbiterator_t;
-
-typedef struct sdb_rdatasetiter {
- dns_rdatasetiter_t common;
- dns_rdatalist_t *current;
-} sdb_rdatasetiter_t;
-
-#define SDB_MAGIC ISC_MAGIC('S', 'D', 'B', '-')
-
-/*
- * Note that "impmagic" is not the first four bytes of the struct, so
- * ISC_MAGIC_VALID cannot be used.
- */
-#define VALID_SDB(sdb) ((sdb) != NULL && \
- (sdb)->common.impmagic == SDB_MAGIC)
-
-#define SDBLOOKUP_MAGIC ISC_MAGIC('S','D','B','L')
-#define VALID_SDBLOOKUP(sdbl) ISC_MAGIC_VALID(sdbl, SDBLOOKUP_MAGIC)
-#define VALID_SDBNODE(sdbn) VALID_SDBLOOKUP(sdbn)
-
-/* These values are taken from RFC 1537 */
-#define SDB_DEFAULT_REFRESH (60 * 60 * 8)
-#define SDB_DEFAULT_RETRY (60 * 60 * 2)
-#define SDB_DEFAULT_EXPIRE (60 * 60 * 24 * 7)
-#define SDB_DEFAULT_MINIMUM (60 * 60 * 24)
-
-/* This is a reasonable value */
-#define SDB_DEFAULT_TTL (60 * 60 * 24)
-
-#define MAYBE_LOCK(sdb) \
- do { \
- unsigned int flags = sdb->implementation->flags; \
- if ((flags & DNS_SDBFLAG_THREADSAFE) == 0) \
- LOCK(&sdb->implementation->driverlock); \
- } while (0)
-
-#define MAYBE_UNLOCK(sdb) \
- do { \
- unsigned int flags = sdb->implementation->flags; \
- if ((flags & DNS_SDBFLAG_THREADSAFE) == 0) \
- UNLOCK(&sdb->implementation->driverlock); \
- } while (0)
-
-static int dummy;
-
-static isc_result_t dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin,
- dns_dbtype_t type, dns_rdataclass_t rdclass,
- unsigned int argc, char *argv[],
- void *driverarg, dns_db_t **dbp);
-
-static isc_result_t findrdataset(dns_db_t *db, dns_dbnode_t *node,
- dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset);
-
-static isc_result_t createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep);
-
-static void destroynode(dns_sdbnode_t *node);
-
-static void detachnode(dns_db_t *db, dns_dbnode_t **targetp);
-
-
-static void list_tordataset(dns_rdatalist_t *rdatalist,
- dns_db_t *db, dns_dbnode_t *node,
- dns_rdataset_t *rdataset);
-
-static void dbiterator_destroy(dns_dbiterator_t **iteratorp);
-static isc_result_t dbiterator_first(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_last(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator,
- dns_name_t *name);
-static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_next(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_current(dns_dbiterator_t *iterator,
- dns_dbnode_t **nodep,
- dns_name_t *name);
-static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator);
-static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator,
- dns_name_t *name);
-
-static dns_dbiteratormethods_t dbiterator_methods = {
- dbiterator_destroy,
- dbiterator_first,
- dbiterator_last,
- dbiterator_seek,
- dbiterator_prev,
- dbiterator_next,
- dbiterator_current,
- dbiterator_pause,
- dbiterator_origin
-};
-
-static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
-static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
-static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
-static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
- dns_rdataset_t *rdataset);
-
-static dns_rdatasetitermethods_t rdatasetiter_methods = {
- rdatasetiter_destroy,
- rdatasetiter_first,
- rdatasetiter_next,
- rdatasetiter_current
-};
-
-/*
- * Functions used by implementors of simple databases
- */
-isc_result_t
-dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
- void *driverdata, unsigned int flags, isc_mem_t *mctx,
- dns_sdbimplementation_t **sdbimp)
-{
- dns_sdbimplementation_t *imp;
- isc_result_t result;
-
- REQUIRE(drivername != NULL);
- REQUIRE(methods != NULL);
- REQUIRE(methods->lookup != NULL);
- REQUIRE(mctx != NULL);
- REQUIRE(sdbimp != NULL && *sdbimp == NULL);
- REQUIRE((flags & ~(DNS_SDBFLAG_RELATIVEOWNER |
- DNS_SDBFLAG_RELATIVERDATA |
- DNS_SDBFLAG_THREADSAFE)) == 0);
-
- imp = isc_mem_get(mctx, sizeof(dns_sdbimplementation_t));
- if (imp == NULL)
- return (ISC_R_NOMEMORY);
- imp->methods = methods;
- imp->driverdata = driverdata;
- imp->flags = flags;
- imp->mctx = NULL;
- isc_mem_attach(mctx, &imp->mctx);
- result = isc_mutex_init(&imp->driverlock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- goto cleanup_mctx;
- }
-
- imp->dbimp = NULL;
- result = dns_db_register(drivername, dns_sdb_create, imp, mctx,
- &imp->dbimp);
- if (result != ISC_R_SUCCESS)
- goto cleanup_mutex;
- *sdbimp = imp;
-
- return (ISC_R_SUCCESS);
-
- cleanup_mutex:
- DESTROYLOCK(&imp->driverlock);
- cleanup_mctx:
- isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
- return (result);
-}
-
-void
-dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) {
- dns_sdbimplementation_t *imp;
- isc_mem_t *mctx;
-
- REQUIRE(sdbimp != NULL && *sdbimp != NULL);
-
- imp = *sdbimp;
- dns_db_unregister(&imp->dbimp);
- DESTROYLOCK(&imp->driverlock);
-
- mctx = imp->mctx;
- isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
- isc_mem_detach(&mctx);
-
- *sdbimp = NULL;
-}
-
-static inline unsigned int
-initial_size(unsigned int len) {
- unsigned int size;
- for (size = 64; size < (64 * 1024); size *= 2)
- if (len < size)
- return (size);
- return (64 * 1024);
-}
-
-isc_result_t
-dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl,
- const unsigned char *rdatap, unsigned int rdlen)
-{
- dns_rdatalist_t *rdatalist;
- dns_rdata_t *rdata;
- isc_buffer_t *rdatabuf = NULL;
- isc_result_t result;
- isc_mem_t *mctx;
- isc_region_t region;
-
- mctx = lookup->sdb->common.mctx;
-
- rdatalist = ISC_LIST_HEAD(lookup->lists);
- while (rdatalist != NULL) {
- if (rdatalist->type == typeval)
- break;
- rdatalist = ISC_LIST_NEXT(rdatalist, link);
- }
-
- if (rdatalist == NULL) {
- rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
- if (rdatalist == NULL)
- return (ISC_R_NOMEMORY);
- rdatalist->rdclass = lookup->sdb->common.rdclass;
- rdatalist->type = typeval;
- rdatalist->covers = 0;
- rdatalist->ttl = ttl;
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LINK_INIT(rdatalist, link);
- ISC_LIST_APPEND(lookup->lists, rdatalist, link);
- } else
- if (rdatalist->ttl != ttl)
- return (DNS_R_BADTTL);
-
- rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
- if (rdata == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_buffer_allocate(mctx, &rdatabuf, rdlen);
- if (result != ISC_R_SUCCESS)
- goto failure;
- DE_CONST(rdatap, region.base);
- region.length = rdlen;
- isc_buffer_copyregion(rdatabuf, &region);
- isc_buffer_usedregion(rdatabuf, &region);
- dns_rdata_init(rdata);
- dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type,
- &region);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
- rdata = NULL;
-
- failure:
- if (rdata != NULL)
- isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
- return (result);
-}
-
-
-isc_result_t
-dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
- const char *data)
-{
- unsigned int datalen;
- dns_rdatatype_t typeval;
- isc_textregion_t r;
- isc_lex_t *lex = NULL;
- isc_result_t result;
- unsigned char *p = NULL;
- unsigned int size = 0; /* Init to suppress compiler warning */
- isc_mem_t *mctx;
- dns_sdbimplementation_t *imp;
- dns_name_t *origin;
- isc_buffer_t b;
- isc_buffer_t rb;
-
- REQUIRE(VALID_SDBLOOKUP(lookup));
- REQUIRE(type != NULL);
- REQUIRE(data != NULL);
-
- mctx = lookup->sdb->common.mctx;
-
- DE_CONST(type, r.base);
- r.length = strlen(type);
- result = dns_rdatatype_fromtext(&typeval, &r);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- imp = lookup->sdb->implementation;
- if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
- origin = &lookup->sdb->common.origin;
- else
- origin = dns_rootname;
-
- result = isc_lex_create(mctx, 64, &lex);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- datalen = strlen(data);
- size = initial_size(datalen);
- for (;;) {
- isc_buffer_init(&b, data, datalen);
- isc_buffer_add(&b, datalen);
- result = isc_lex_openbuffer(lex, &b);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- p = isc_mem_get(mctx, size);
- if (p == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- isc_buffer_init(&rb, p, size);
- result = dns_rdata_fromtext(NULL,
- lookup->sdb->common.rdclass,
- typeval, lex,
- origin, 0,
- mctx, &rb,
- &lookup->callbacks);
- if (result != ISC_R_NOSPACE)
- break;
-
- isc_mem_put(mctx, p, size);
- p = NULL;
- size *= 2;
- } while (result == ISC_R_NOSPACE);
-
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- result = dns_sdb_putrdata(lookup, typeval, ttl,
- isc_buffer_base(&rb),
- isc_buffer_usedlength(&rb));
- failure:
- if (p != NULL)
- isc_mem_put(mctx, p, size);
- if (lex != NULL)
- isc_lex_destroy(&lex);
-
- return (result);
-}
-
-static isc_result_t
-getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
- dns_name_t *newname, *origin;
- dns_fixedname_t fnewname;
- dns_sdb_t *sdb = (dns_sdb_t *)allnodes->common.db;
- dns_sdbimplementation_t *imp = sdb->implementation;
- dns_sdbnode_t *sdbnode;
- isc_mem_t *mctx = sdb->common.mctx;
- isc_buffer_t b;
- isc_result_t result;
-
- dns_fixedname_init(&fnewname);
- newname = dns_fixedname_name(&fnewname);
-
- if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
- origin = &sdb->common.origin;
- else
- origin = dns_rootname;
- isc_buffer_init(&b, name, strlen(name));
- isc_buffer_add(&b, strlen(name));
-
- result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (allnodes->common.relative_names) {
- /* All names are relative to the root */
- unsigned int nlabels = dns_name_countlabels(newname);
- dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
- }
-
- sdbnode = ISC_LIST_HEAD(allnodes->nodelist);
- if (sdbnode == NULL || !dns_name_equal(sdbnode->name, newname)) {
- sdbnode = NULL;
- result = createnode(sdb, &sdbnode);
- if (result != ISC_R_SUCCESS)
- return (result);
- sdbnode->name = isc_mem_get(mctx, sizeof(dns_name_t));
- if (sdbnode->name == NULL) {
- destroynode(sdbnode);
- return (ISC_R_NOMEMORY);
- }
- dns_name_init(sdbnode->name, NULL);
- result = dns_name_dup(newname, mctx, sdbnode->name);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, sdbnode->name, sizeof(dns_name_t));
- destroynode(sdbnode);
- return (result);
- }
- ISC_LIST_PREPEND(allnodes->nodelist, sdbnode, link);
- if (allnodes->origin == NULL &&
- dns_name_equal(newname, &sdb->common.origin))
- allnodes->origin = sdbnode;
- }
- *nodep = sdbnode;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
- const char *type, dns_ttl_t ttl, const char *data)
-{
- isc_result_t result;
- dns_sdbnode_t *sdbnode = NULL;
- result = getnode(allnodes, name, &sdbnode);
- if (result != ISC_R_SUCCESS)
- return (result);
- return (dns_sdb_putrr(sdbnode, type, ttl, data));
-}
-
-isc_result_t
-dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
- dns_rdatatype_t type, dns_ttl_t ttl,
- const void *rdata, unsigned int rdlen)
-{
- isc_result_t result;
- dns_sdbnode_t *sdbnode = NULL;
- result = getnode(allnodes, name, &sdbnode);
- if (result != ISC_R_SUCCESS)
- return (result);
- return (dns_sdb_putrdata(sdbnode, type, ttl, rdata, rdlen));
-}
-
-isc_result_t
-dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
- isc_uint32_t serial)
-{
- char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
- int n;
-
- REQUIRE(mname != NULL);
- REQUIRE(rname != NULL);
-
- n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u",
- mname, rname, serial,
- SDB_DEFAULT_REFRESH, SDB_DEFAULT_RETRY,
- SDB_DEFAULT_EXPIRE, SDB_DEFAULT_MINIMUM);
- if (n >= (int)sizeof(str) || n < 0)
- return (ISC_R_NOSPACE);
- return (dns_sdb_putrr(lookup, "SOA", SDB_DEFAULT_TTL, str));
-}
-
-/*
- * DB routines
- */
-
-static void
-attach(dns_db_t *source, dns_db_t **targetp) {
- dns_sdb_t *sdb = (dns_sdb_t *) source;
-
- REQUIRE(VALID_SDB(sdb));
-
- LOCK(&sdb->lock);
- REQUIRE(sdb->references > 0);
- sdb->references++;
- UNLOCK(&sdb->lock);
-
- *targetp = source;
-}
-
-static void
-destroy(dns_sdb_t *sdb) {
- isc_mem_t *mctx;
- dns_sdbimplementation_t *imp = sdb->implementation;
-
- mctx = sdb->common.mctx;
-
- if (imp->methods->destroy != NULL) {
- MAYBE_LOCK(sdb);
- imp->methods->destroy(sdb->zone, imp->driverdata,
- &sdb->dbdata);
- MAYBE_UNLOCK(sdb);
- }
-
- isc_mem_free(mctx, sdb->zone);
- DESTROYLOCK(&sdb->lock);
-
- sdb->common.magic = 0;
- sdb->common.impmagic = 0;
-
- dns_name_free(&sdb->common.origin, mctx);
-
- isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
- isc_mem_detach(&mctx);
-}
-
-static void
-detach(dns_db_t **dbp) {
- dns_sdb_t *sdb = (dns_sdb_t *)(*dbp);
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(VALID_SDB(sdb));
- LOCK(&sdb->lock);
- REQUIRE(sdb->references > 0);
- sdb->references--;
- if (sdb->references == 0)
- need_destroy = ISC_TRUE;
- UNLOCK(&sdb->lock);
-
- if (need_destroy)
- destroy(sdb);
-
- *dbp = NULL;
-}
-
-static isc_result_t
-beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
- UNUSED(db);
- UNUSED(addp);
- UNUSED(dbloadp);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-endload(dns_db_t *db, dns_dbload_t **dbloadp) {
- UNUSED(db);
- UNUSED(dbloadp);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
- UNUSED(db);
- UNUSED(version);
- UNUSED(filename);
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
- REQUIRE(versionp != NULL && *versionp == NULL);
-
- UNUSED(db);
-
- *versionp = (void *) &dummy;
- return;
-}
-
-static isc_result_t
-newversion(dns_db_t *db, dns_dbversion_t **versionp) {
- UNUSED(db);
- UNUSED(versionp);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-attachversion(dns_db_t *db, dns_dbversion_t *source,
- dns_dbversion_t **targetp)
-{
- REQUIRE(source != NULL && source == (void *) &dummy);
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- UNUSED(db);
- *targetp = source;
- return;
-}
-
-static void
-closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
- REQUIRE(versionp != NULL && *versionp == (void *) &dummy);
- REQUIRE(commit == ISC_FALSE);
-
- UNUSED(db);
- UNUSED(commit);
-
- *versionp = NULL;
-}
-
-static isc_result_t
-createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep) {
- dns_sdbnode_t *node;
- isc_result_t result;
-
- node = isc_mem_get(sdb->common.mctx, sizeof(dns_sdbnode_t));
- if (node == NULL)
- return (ISC_R_NOMEMORY);
-
- node->sdb = NULL;
- attach((dns_db_t *)sdb, (dns_db_t **)&node->sdb);
- ISC_LIST_INIT(node->lists);
- ISC_LIST_INIT(node->buffers);
- ISC_LINK_INIT(node, link);
- node->name = NULL;
- result = isc_mutex_init(&node->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- isc_mem_put(sdb->common.mctx, node, sizeof(dns_sdbnode_t));
- return (ISC_R_UNEXPECTED);
- }
- dns_rdatacallbacks_init(&node->callbacks);
- node->references = 1;
- node->magic = SDBLOOKUP_MAGIC;
-
- *nodep = node;
- return (ISC_R_SUCCESS);
-}
-
-static void
-destroynode(dns_sdbnode_t *node) {
- dns_rdatalist_t *list;
- dns_rdata_t *rdata;
- isc_buffer_t *b;
- dns_sdb_t *sdb;
- isc_mem_t *mctx;
-
- sdb = node->sdb;
- mctx = sdb->common.mctx;
-
- while (!ISC_LIST_EMPTY(node->lists)) {
- list = ISC_LIST_HEAD(node->lists);
- while (!ISC_LIST_EMPTY(list->rdata)) {
- rdata = ISC_LIST_HEAD(list->rdata);
- ISC_LIST_UNLINK(list->rdata, rdata, link);
- isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
- }
- ISC_LIST_UNLINK(node->lists, list, link);
- isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
- }
-
- while (!ISC_LIST_EMPTY(node->buffers)) {
- b = ISC_LIST_HEAD(node->buffers);
- ISC_LIST_UNLINK(node->buffers, b, link);
- isc_buffer_free(&b);
- }
-
- if (node->name != NULL) {
- dns_name_free(node->name, mctx);
- isc_mem_put(mctx, node->name, sizeof(dns_name_t));
- }
- DESTROYLOCK(&node->lock);
- node->magic = 0;
- isc_mem_put(mctx, node, sizeof(dns_sdbnode_t));
- detach((dns_db_t **) (void *)&sdb);
-}
-
-static isc_result_t
-findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
- dns_dbnode_t **nodep)
-{
- dns_sdb_t *sdb = (dns_sdb_t *)db;
- dns_sdbnode_t *node = NULL;
- isc_result_t result;
- isc_buffer_t b;
- char namestr[DNS_NAME_MAXTEXT + 1];
- isc_boolean_t isorigin;
- dns_sdbimplementation_t *imp;
-
- REQUIRE(VALID_SDB(sdb));
- REQUIRE(create == ISC_FALSE);
- REQUIRE(nodep != NULL && *nodep == NULL);
-
- UNUSED(name);
- UNUSED(create);
-
- imp = sdb->implementation;
-
- isc_buffer_init(&b, namestr, sizeof(namestr));
- if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
- dns_name_t relname;
- unsigned int labels;
-
- labels = dns_name_countlabels(name) -
- dns_name_countlabels(&db->origin);
- dns_name_init(&relname, NULL);
- dns_name_getlabelsequence(name, 0, labels, &relname);
- result = dns_name_totext(&relname, ISC_TRUE, &b);
- if (result != ISC_R_SUCCESS)
- return (result);
- } else {
- result = dns_name_totext(name, ISC_TRUE, &b);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- isc_buffer_putuint8(&b, 0);
-
- result = createnode(sdb, &node);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- isorigin = dns_name_equal(name, &sdb->common.origin);
-
- MAYBE_LOCK(sdb);
- result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata, node);
- MAYBE_UNLOCK(sdb);
- if (result != ISC_R_SUCCESS &&
- !(result == ISC_R_NOTFOUND &&
- isorigin && imp->methods->authority != NULL))
- {
- destroynode(node);
- return (result);
- }
-
- if (isorigin && imp->methods->authority != NULL) {
- MAYBE_LOCK(sdb);
- result = imp->methods->authority(sdb->zone, sdb->dbdata, node);
- MAYBE_UNLOCK(sdb);
- if (result != ISC_R_SUCCESS) {
- destroynode(node);
- return (result);
- }
- }
-
- *nodep = node;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
- dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
- dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- dns_sdb_t *sdb = (dns_sdb_t *)db;
- dns_dbnode_t *node = NULL;
- dns_fixedname_t fname;
- dns_rdataset_t xrdataset;
- dns_name_t *xname;
- unsigned int nlabels, olabels;
- isc_result_t result;
- unsigned int i;
-
- REQUIRE(VALID_SDB(sdb));
- REQUIRE(nodep == NULL || *nodep == NULL);
- REQUIRE(version == NULL || version == (void *) &dummy);
-
- UNUSED(options);
- UNUSED(sdb);
-
- if (!dns_name_issubdomain(name, &db->origin))
- return (DNS_R_NXDOMAIN);
-
- olabels = dns_name_countlabels(&db->origin);
- nlabels = dns_name_countlabels(name);
-
- dns_fixedname_init(&fname);
- xname = dns_fixedname_name(&fname);
-
- if (rdataset == NULL) {
- dns_rdataset_init(&xrdataset);
- rdataset = &xrdataset;
- }
-
- result = DNS_R_NXDOMAIN;
-
- for (i = olabels; i <= nlabels; i++) {
- /*
- * Unless this is an explicit lookup at the origin, don't
- * look at the origin.
- */
- if (i == olabels && i != nlabels)
- continue;
-
- /*
- * Look up the next label.
- */
- dns_name_getlabelsequence(name, nlabels - i, i, xname);
- result = findnode(db, xname, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS) {
- result = DNS_R_NXDOMAIN;
- continue;
- }
-
- /*
- * Look for a DNAME at the current label, unless this is
- * the qname.
- */
- if (i < nlabels) {
- result = findrdataset(db, node, version,
- dns_rdatatype_dname,
- 0, now, rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS) {
- result = DNS_R_DNAME;
- break;
- }
- }
-
- /*
- * Look for an NS at the current label, unless this is the
- * origin or glue is ok.
- */
- if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) {
- result = findrdataset(db, node, version,
- dns_rdatatype_ns,
- 0, now, rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS) {
- if (i == nlabels && type == dns_rdatatype_any)
- {
- result = DNS_R_ZONECUT;
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL)
- dns_rdataset_disassociate
- (sigrdataset);
- } else
- result = DNS_R_DELEGATION;
- break;
- }
- }
-
- /*
- * If the current name is not the qname, add another label
- * and try again.
- */
- if (i < nlabels) {
- destroynode(node);
- node = NULL;
- continue;
- }
-
- /*
- * If we're looking for ANY, we're done.
- */
- if (type == dns_rdatatype_any) {
- result = ISC_R_SUCCESS;
- break;
- }
-
- /*
- * Look for the qtype.
- */
- result = findrdataset(db, node, version, type,
- 0, now, rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS)
- break;
-
- /*
- * Look for a CNAME
- */
- if (type != dns_rdatatype_cname) {
- result = findrdataset(db, node, version,
- dns_rdatatype_cname,
- 0, now, rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS) {
- result = DNS_R_CNAME;
- break;
- }
- }
-
- result = DNS_R_NXRRSET;
- break;
- }
-
- if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
-
- if (foundname != NULL) {
- isc_result_t xresult;
-
- xresult = dns_name_copy(xname, foundname, NULL);
- if (xresult != ISC_R_SUCCESS) {
- destroynode(node);
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- return (DNS_R_BADDB);
- }
- }
-
- if (nodep != NULL)
- *nodep = node;
- else if (node != NULL)
- detachnode(db, &node);
-
- return (result);
-}
-
-static isc_result_t
-findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
- isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- UNUSED(db);
- UNUSED(name);
- UNUSED(options);
- UNUSED(now);
- UNUSED(nodep);
- UNUSED(foundname);
- UNUSED(rdataset);
- UNUSED(sigrdataset);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static void
-attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
- dns_sdb_t *sdb = (dns_sdb_t *)db;
- dns_sdbnode_t *node = (dns_sdbnode_t *)source;
-
- REQUIRE(VALID_SDB(sdb));
-
- UNUSED(sdb);
-
- LOCK(&node->lock);
- INSIST(node->references > 0);
- node->references++;
- INSIST(node->references != 0); /* Catch overflow. */
- UNLOCK(&node->lock);
-
- *targetp = source;
-}
-
-static void
-detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
- dns_sdb_t *sdb = (dns_sdb_t *)db;
- dns_sdbnode_t *node;
- isc_boolean_t need_destroy = ISC_FALSE;
-
- REQUIRE(VALID_SDB(sdb));
- REQUIRE(targetp != NULL && *targetp != NULL);
-
- UNUSED(sdb);
-
- node = (dns_sdbnode_t *)(*targetp);
-
- LOCK(&node->lock);
- INSIST(node->references > 0);
- node->references--;
- if (node->references == 0)
- need_destroy = ISC_TRUE;
- UNLOCK(&node->lock);
-
- if (need_destroy)
- destroynode(node);
-
- *targetp = NULL;
-}
-
-static isc_result_t
-expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
- UNUSED(db);
- UNUSED(node);
- UNUSED(now);
- INSIST(0);
- return (ISC_R_UNEXPECTED);
-}
-
-static void
-printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
- UNUSED(db);
- UNUSED(node);
- UNUSED(out);
- return;
-}
-
-static isc_result_t
-createiterator(dns_db_t *db, isc_boolean_t relative_names,
- dns_dbiterator_t **iteratorp)
-{
- dns_sdb_t *sdb = (dns_sdb_t *)db;
- sdb_dbiterator_t *sdbiter;
- dns_sdbimplementation_t *imp = sdb->implementation;
- isc_result_t result;
-
- REQUIRE(VALID_SDB(sdb));
-
- if (imp->methods->allnodes == NULL)
- return (ISC_R_NOTIMPLEMENTED);
-
- sdbiter = isc_mem_get(sdb->common.mctx, sizeof(sdb_dbiterator_t));
- if (sdbiter == NULL)
- return (ISC_R_NOMEMORY);
-
- sdbiter->common.methods = &dbiterator_methods;
- sdbiter->common.db = NULL;
- dns_db_attach(db, &sdbiter->common.db);
- sdbiter->common.relative_names = relative_names;
- sdbiter->common.magic = DNS_DBITERATOR_MAGIC;
- ISC_LIST_INIT(sdbiter->nodelist);
- sdbiter->current = NULL;
- sdbiter->origin = NULL;
-
- MAYBE_LOCK(sdb);
- result = imp->methods->allnodes(sdb->zone, sdb->dbdata, sdbiter);
- MAYBE_UNLOCK(sdb);
- if (result != ISC_R_SUCCESS) {
- dbiterator_destroy((dns_dbiterator_t **) (void *)&sdbiter);
- return (result);
- }
-
- if (sdbiter->origin != NULL) {
- ISC_LIST_UNLINK(sdbiter->nodelist, sdbiter->origin, link);
- ISC_LIST_PREPEND(sdbiter->nodelist, sdbiter->origin, link);
- }
-
- *iteratorp = (dns_dbiterator_t *)sdbiter;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers,
- isc_stdtime_t now, dns_rdataset_t *rdataset,
- dns_rdataset_t *sigrdataset)
-{
- dns_rdatalist_t *list;
- dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
-
- REQUIRE(VALID_SDBNODE(node));
-
- UNUSED(db);
- UNUSED(version);
- UNUSED(covers);
- UNUSED(now);
- UNUSED(sigrdataset);
-
- if (type == dns_rdatatype_rrsig)
- return (ISC_R_NOTIMPLEMENTED);
-
- list = ISC_LIST_HEAD(sdbnode->lists);
- while (list != NULL) {
- if (list->type == type)
- break;
- list = ISC_LIST_NEXT(list, link);
- }
- if (list == NULL)
- return (ISC_R_NOTFOUND);
-
- list_tordataset(list, db, node, rdataset);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
-{
- sdb_rdatasetiter_t *iterator;
-
- REQUIRE(version == NULL || version == &dummy);
-
- UNUSED(version);
- UNUSED(now);
-
- iterator = isc_mem_get(db->mctx, sizeof(sdb_rdatasetiter_t));
- if (iterator == NULL)
- return (ISC_R_NOMEMORY);
-
- iterator->common.magic = DNS_RDATASETITER_MAGIC;
- iterator->common.methods = &rdatasetiter_methods;
- iterator->common.db = db;
- iterator->common.node = NULL;
- attachnode(db, node, &iterator->common.node);
- iterator->common.version = version;
- iterator->common.now = now;
-
- *iteratorp = (dns_rdatasetiter_t *)iterator;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
- dns_rdataset_t *addedrdataset)
-{
- UNUSED(db);
- UNUSED(node);
- UNUSED(version);
- UNUSED(now);
- UNUSED(rdataset);
- UNUSED(options);
- UNUSED(addedrdataset);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdataset_t *rdataset, unsigned int options,
- dns_rdataset_t *newrdataset)
-{
- UNUSED(db);
- UNUSED(node);
- UNUSED(version);
- UNUSED(rdataset);
- UNUSED(options);
- UNUSED(newrdataset);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_result_t
-deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- dns_rdatatype_t type, dns_rdatatype_t covers)
-{
- UNUSED(db);
- UNUSED(node);
- UNUSED(version);
- UNUSED(type);
- UNUSED(covers);
-
- return (ISC_R_NOTIMPLEMENTED);
-}
-
-static isc_boolean_t
-issecure(dns_db_t *db) {
- UNUSED(db);
-
- return (ISC_FALSE);
-}
-
-static unsigned int
-nodecount(dns_db_t *db) {
- UNUSED(db);
-
- return (0);
-}
-
-static isc_boolean_t
-ispersistent(dns_db_t *db) {
- UNUSED(db);
- return (ISC_TRUE);
-}
-
-static void
-overmem(dns_db_t *db, isc_boolean_t overmem) {
- UNUSED(db);
- UNUSED(overmem);
-}
-
-static void
-settask(dns_db_t *db, isc_task_t *task) {
- UNUSED(db);
- UNUSED(task);
-}
-
-
-static dns_dbmethods_t sdb_methods = {
- attach,
- detach,
- beginload,
- endload,
- dump,
- currentversion,
- newversion,
- attachversion,
- closeversion,
- findnode,
- find,
- findzonecut,
- attachnode,
- detachnode,
- expirenode,
- printnode,
- createiterator,
- findrdataset,
- allrdatasets,
- addrdataset,
- subtractrdataset,
- deleterdataset,
- issecure,
- nodecount,
- ispersistent,
- overmem,
- settask
-};
-
-static isc_result_t
-dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
- dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
- void *driverarg, dns_db_t **dbp)
-{
- dns_sdb_t *sdb;
- isc_result_t result;
- char zonestr[DNS_NAME_MAXTEXT + 1];
- isc_buffer_t b;
- dns_sdbimplementation_t *imp;
-
- REQUIRE(driverarg != NULL);
-
- imp = driverarg;
-
- if (type != dns_dbtype_zone)
- return (ISC_R_NOTIMPLEMENTED);
-
- sdb = isc_mem_get(mctx, sizeof(dns_sdb_t));
- if (sdb == NULL)
- return (ISC_R_NOMEMORY);
- memset(sdb, 0, sizeof(dns_sdb_t));
-
- dns_name_init(&sdb->common.origin, NULL);
- sdb->common.attributes = 0;
- sdb->common.methods = &sdb_methods;
- sdb->common.rdclass = rdclass;
- sdb->common.mctx = NULL;
- sdb->implementation = imp;
-
- isc_mem_attach(mctx, &sdb->common.mctx);
-
- result = isc_mutex_init(&sdb->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_mctx;
- }
-
- result = dns_name_dupwithoffsets(origin, mctx, &sdb->common.origin);
- if (result != ISC_R_SUCCESS)
- goto cleanup_lock;
-
- isc_buffer_init(&b, zonestr, sizeof(zonestr));
- result = dns_name_totext(origin, ISC_TRUE, &b);
- if (result != ISC_R_SUCCESS)
- goto cleanup_origin;
- isc_buffer_putuint8(&b, 0);
-
- sdb->zone = isc_mem_strdup(mctx, zonestr);
- if (sdb->zone == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_origin;
- }
-
- sdb->dbdata = NULL;
- if (imp->methods->create != NULL) {
- MAYBE_LOCK(sdb);
- result = imp->methods->create(sdb->zone, argc, argv,
- imp->driverdata, &sdb->dbdata);
- MAYBE_UNLOCK(sdb);
- if (result != ISC_R_SUCCESS)
- goto cleanup_zonestr;
- }
-
- sdb->references = 1;
-
- sdb->common.magic = DNS_DB_MAGIC;
- sdb->common.impmagic = SDB_MAGIC;
-
- *dbp = (dns_db_t *)sdb;
-
- return (ISC_R_SUCCESS);
-
- cleanup_zonestr:
- isc_mem_free(mctx, sdb->zone);
- cleanup_origin:
- dns_name_free(&sdb->common.origin, mctx);
- cleanup_lock:
- isc_mutex_destroy(&sdb->lock);
- cleanup_mctx:
- isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
- isc_mem_detach(&mctx);
-
- return (result);
-}
-
-
-/*
- * Rdataset Methods
- */
-
-static void
-disassociate(dns_rdataset_t *rdataset) {
- dns_dbnode_t *node = rdataset->private5;
- dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
- dns_db_t *db = (dns_db_t *) sdbnode->sdb;
-
- detachnode(db, &node);
- isc__rdatalist_disassociate(rdataset);
-}
-
-static void
-rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
- dns_dbnode_t *node = source->private5;
- dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
- dns_db_t *db = (dns_db_t *) sdbnode->sdb;
- dns_dbnode_t *tempdb = NULL;
-
- isc__rdatalist_clone(source, target);
- attachnode(db, node, &tempdb);
- source->private5 = tempdb;
-}
-
-static dns_rdatasetmethods_t methods = {
- disassociate,
- isc__rdatalist_first,
- isc__rdatalist_next,
- isc__rdatalist_current,
- rdataset_clone,
- isc__rdatalist_count,
- isc__rdatalist_addnoqname,
- isc__rdatalist_getnoqname
-};
-
-static void
-list_tordataset(dns_rdatalist_t *rdatalist,
- dns_db_t *db, dns_dbnode_t *node,
- dns_rdataset_t *rdataset)
-{
- /*
- * The sdb rdataset is an rdatalist with some additions.
- * - private1 & private2 are used by the rdatalist.
- * - private3 & private 4 are unused.
- * - private5 is the node.
- */
-
- /* This should never fail. */
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
- ISC_R_SUCCESS);
-
- rdataset->methods = &methods;
- dns_db_attachnode(db, node, &rdataset->private5);
-}
-
-/*
- * Database Iterator Methods
- */
-static void
-dbiterator_destroy(dns_dbiterator_t **iteratorp) {
- sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)(*iteratorp);
- dns_sdb_t *sdb = (dns_sdb_t *)sdbiter->common.db;
-
- while (!ISC_LIST_EMPTY(sdbiter->nodelist)) {
- dns_sdbnode_t *node;
- node = ISC_LIST_HEAD(sdbiter->nodelist);
- ISC_LIST_UNLINK(sdbiter->nodelist, node, link);
- destroynode(node);
- }
-
- dns_db_detach(&sdbiter->common.db);
- isc_mem_put(sdb->common.mctx, sdbiter, sizeof(sdb_dbiterator_t));
-
- *iteratorp = NULL;
-}
-
-static isc_result_t
-dbiterator_first(dns_dbiterator_t *iterator) {
- sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
- sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
- if (sdbiter->current == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_last(dns_dbiterator_t *iterator) {
- sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
- sdbiter->current = ISC_LIST_TAIL(sdbiter->nodelist);
- if (sdbiter->current == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
- sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
- sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
- while (sdbiter->current != NULL)
- if (dns_name_equal(sdbiter->current->name, name))
- return (ISC_R_SUCCESS);
- return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
-dbiterator_prev(dns_dbiterator_t *iterator) {
- sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
- sdbiter->current = ISC_LIST_PREV(sdbiter->current, link);
- if (sdbiter->current == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_next(dns_dbiterator_t *iterator) {
- sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
- sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
- if (sdbiter->current == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
- dns_name_t *name)
-{
- sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
-
- attachnode(iterator->db, sdbiter->current, nodep);
- if (name != NULL)
- return (dns_name_copy(sdbiter->current->name, name, NULL));
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_pause(dns_dbiterator_t *iterator) {
- UNUSED(iterator);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
- UNUSED(iterator);
- return (dns_name_copy(dns_rootname, name, NULL));
-}
-
-/*
- * Rdataset Iterator Methods
- */
-
-static void
-rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
- sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)(*iteratorp);
- detachnode(sdbiterator->common.db, &sdbiterator->common.node);
- isc_mem_put(sdbiterator->common.db->mctx, sdbiterator,
- sizeof(sdb_rdatasetiter_t));
- *iteratorp = NULL;
-}
-
-static isc_result_t
-rdatasetiter_first(dns_rdatasetiter_t *iterator) {
- sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
- dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)iterator->node;
-
- if (ISC_LIST_EMPTY(sdbnode->lists))
- return (ISC_R_NOMORE);
- sdbiterator->current = ISC_LIST_HEAD(sdbnode->lists);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-rdatasetiter_next(dns_rdatasetiter_t *iterator) {
- sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
-
- sdbiterator->current = ISC_LIST_NEXT(sdbiterator->current, link);
- if (sdbiterator->current == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
-}
-
-static void
-rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
- sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
-
- list_tordataset(sdbiterator->current, iterator->db, iterator->node,
- rdataset);
-}
diff --git a/contrib/bind9/lib/dns/soa.c b/contrib/bind9/lib/dns/soa.c
deleted file mode 100644
index c0e05184c5d4..000000000000
--- a/contrib/bind9/lib/dns/soa.c
+++ /dev/null
@@ -1,109 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: soa.c,v 1.3.206.1 2004/03/06 08:13:45 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <dns/rdata.h>
-#include <dns/soa.h>
-
-static inline isc_uint32_t
-decode_uint32(unsigned char *p) {
- return ((p[0] << 24) +
- (p[1] << 16) +
- (p[2] << 8) +
- (p[3] << 0));
-}
-
-static inline void
-encode_uint32(isc_uint32_t val, unsigned char *p) {
- p[0] = (isc_uint8_t)(val >> 24);
- p[1] = (isc_uint8_t)(val >> 16);
- p[2] = (isc_uint8_t)(val >> 8);
- p[3] = (isc_uint8_t)(val >> 0);
-}
-
-static isc_uint32_t
-soa_get(dns_rdata_t *rdata, int offset) {
- INSIST(rdata->type == dns_rdatatype_soa);
- /*
- * Locate the field within the SOA RDATA based
- * on its position relative to the end of the data.
- *
- * This is a bit of a kludge, but the alternative approach of
- * using dns_rdata_tostruct() and dns_rdata_fromstruct() would
- * involve a lot of unnecessary work (like building domain
- * names and allocating temporary memory) when all we really
- * want to do is to get 32 bits of fixed-sized data.
- */
- INSIST(rdata->length >= 20);
- INSIST(offset >= 0 && offset <= 16);
- return (decode_uint32(rdata->data + rdata->length - 20 + offset));
-}
-
-isc_uint32_t
-dns_soa_getserial(dns_rdata_t *rdata) {
- return soa_get(rdata, 0);
-}
-isc_uint32_t
-dns_soa_getrefresh(dns_rdata_t *rdata) {
- return soa_get(rdata, 4);
-}
-isc_uint32_t
-dns_soa_getretry(dns_rdata_t *rdata) {
- return soa_get(rdata, 8);
-}
-isc_uint32_t
-dns_soa_getexpire(dns_rdata_t *rdata) {
- return soa_get(rdata, 12);
-}
-isc_uint32_t
-dns_soa_getminimum(dns_rdata_t *rdata) {
- return soa_get(rdata, 16);
-}
-
-static void
-soa_set(dns_rdata_t *rdata, isc_uint32_t val, int offset) {
- INSIST(rdata->type == dns_rdatatype_soa);
- INSIST(rdata->length >= 20);
- INSIST(offset >= 0 && offset <= 16);
- encode_uint32(val, rdata->data + rdata->length - 20 + offset);
-}
-
-void
-dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata) {
- soa_set(rdata, val, 0);
-}
-void
-dns_soa_setrefresh(isc_uint32_t val, dns_rdata_t *rdata) {
- soa_set(rdata, val, 4);
-}
-void
-dns_soa_setretry(isc_uint32_t val, dns_rdata_t *rdata) {
- soa_set(rdata, val, 8);
-}
-void
-dns_soa_setexpire(isc_uint32_t val, dns_rdata_t *rdata) {
- soa_set(rdata, val, 12);
-}
-void
-dns_soa_setminimum(isc_uint32_t val, dns_rdata_t *rdata) {
- soa_set(rdata, val, 16);
-}
diff --git a/contrib/bind9/lib/dns/ssu.c b/contrib/bind9/lib/dns/ssu.c
deleted file mode 100644
index a9ecdceed39d..000000000000
--- a/contrib/bind9/lib/dns/ssu.c
+++ /dev/null
@@ -1,357 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: ssu.c,v 1.22.206.3 2004/03/08 09:04:32 marka Exp $
- * Principal Author: Brian Wellington
- */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/name.h>
-#include <dns/ssu.h>
-
-#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
-#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
-
-#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R')
-#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
-
-struct dns_ssurule {
- unsigned int magic;
- isc_boolean_t grant; /* is this a grant or a deny? */
- unsigned int matchtype; /* which type of pattern match? */
- dns_name_t *identity; /* the identity to match */
- dns_name_t *name; /* the name being updated */
- unsigned int ntypes; /* number of data types covered */
- dns_rdatatype_t *types; /* the data types. Can include ANY, */
- /* defaults to all but SIG,SOA,NS if NULL*/
- ISC_LINK(dns_ssurule_t) link;
-};
-
-struct dns_ssutable {
- unsigned int magic;
- isc_mem_t *mctx;
- unsigned int references;
- isc_mutex_t lock;
- ISC_LIST(dns_ssurule_t) rules;
-};
-
-isc_result_t
-dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
- isc_result_t result;
- dns_ssutable_t *table;
-
- REQUIRE(tablep != NULL && *tablep == NULL);
- REQUIRE(mctx != NULL);
-
- table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
- if (table == NULL)
- return (ISC_R_NOMEMORY);
- result = isc_mutex_init(&table->lock);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
- return (result);
- }
- table->references = 1;
- table->mctx = mctx;
- ISC_LIST_INIT(table->rules);
- table->magic = SSUTABLEMAGIC;
- *tablep = table;
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-destroy(dns_ssutable_t *table) {
- isc_mem_t *mctx;
-
- REQUIRE(VALID_SSUTABLE(table));
-
- mctx = table->mctx;
- while (!ISC_LIST_EMPTY(table->rules)) {
- dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
- if (rule->identity != NULL) {
- dns_name_free(rule->identity, mctx);
- isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
- }
- if (rule->name != NULL) {
- dns_name_free(rule->name, mctx);
- isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
- }
- if (rule->types != NULL)
- isc_mem_put(mctx, rule->types,
- rule->ntypes * sizeof(dns_rdatatype_t));
- ISC_LIST_UNLINK(table->rules, rule, link);
- rule->magic = 0;
- isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
- }
- DESTROYLOCK(&table->lock);
- table->magic = 0;
- isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
-}
-
-void
-dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
- REQUIRE(VALID_SSUTABLE(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- LOCK(&source->lock);
-
- INSIST(source->references > 0);
- source->references++;
- INSIST(source->references != 0);
-
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-void
-dns_ssutable_detach(dns_ssutable_t **tablep) {
- dns_ssutable_t *table;
- isc_boolean_t done = ISC_FALSE;
-
- REQUIRE(tablep != NULL);
- table = *tablep;
- REQUIRE(VALID_SSUTABLE(table));
-
- LOCK(&table->lock);
-
- INSIST(table->references > 0);
- if (--table->references == 0)
- done = ISC_TRUE;
- UNLOCK(&table->lock);
-
- *tablep = NULL;
-
- if (done)
- destroy(table);
-}
-
-isc_result_t
-dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
- dns_name_t *identity, unsigned int matchtype,
- dns_name_t *name, unsigned int ntypes,
- dns_rdatatype_t *types)
-{
- dns_ssurule_t *rule;
- isc_mem_t *mctx;
- isc_result_t result;
-
- REQUIRE(VALID_SSUTABLE(table));
- REQUIRE(dns_name_isabsolute(identity));
- REQUIRE(dns_name_isabsolute(name));
- REQUIRE(matchtype <= DNS_SSUMATCHTYPE_SELF);
- if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
- REQUIRE(dns_name_iswildcard(name));
- if (ntypes > 0)
- REQUIRE(types != NULL);
-
- mctx = table->mctx;
- rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
- if (rule == NULL)
- return (ISC_R_NOMEMORY);
-
- rule->identity = NULL;
- rule->name = NULL;
- rule->types = NULL;
-
- rule->grant = grant;
-
- rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
- if (rule->identity == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- dns_name_init(rule->identity, NULL);
- result = dns_name_dup(identity, mctx, rule->identity);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
- if (rule->name == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- dns_name_init(rule->name, NULL);
- result = dns_name_dup(name, mctx, rule->name);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- rule->matchtype = matchtype;
-
- rule->ntypes = ntypes;
- if (ntypes > 0) {
- rule->types = isc_mem_get(mctx,
- ntypes * sizeof(dns_rdatatype_t));
- if (rule->types == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
- }
- else
- rule->types = NULL;
-
- rule->magic = SSURULEMAGIC;
- ISC_LIST_INITANDAPPEND(table->rules, rule, link);
-
- return (ISC_R_SUCCESS);
-
- failure:
- if (rule->identity != NULL) {
- if (dns_name_dynamic(rule->identity))
- dns_name_free(rule->identity, mctx);
- isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
- }
- if (rule->name != NULL) {
- if (dns_name_dynamic(rule->name))
- dns_name_free(rule->name, mctx);
- isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
- }
- if (rule->types != NULL)
- isc_mem_put(mctx, rule->types,
- ntypes * sizeof(dns_rdatatype_t));
- isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
-
- return (result);
-}
-
-static inline isc_boolean_t
-isusertype(dns_rdatatype_t type) {
- return (ISC_TF(type != dns_rdatatype_ns &&
- type != dns_rdatatype_soa &&
- type != dns_rdatatype_rrsig));
-}
-
-isc_boolean_t
-dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
- dns_name_t *name, dns_rdatatype_t type)
-{
- dns_ssurule_t *rule;
- unsigned int i;
-
- REQUIRE(VALID_SSUTABLE(table));
- REQUIRE(signer == NULL || dns_name_isabsolute(signer));
- REQUIRE(dns_name_isabsolute(name));
-
- if (signer == NULL)
- return (ISC_FALSE);
- rule = ISC_LIST_HEAD(table->rules);
- rule = ISC_LIST_NEXT(rule, link);
- for (rule = ISC_LIST_HEAD(table->rules);
- rule != NULL;
- rule = ISC_LIST_NEXT(rule, link))
- {
- if (dns_name_iswildcard(rule->identity)) {
- if (!dns_name_matcheswildcard(signer, rule->identity))
- continue;
- }
- else {
- if (!dns_name_equal(signer, rule->identity))
- continue;
- }
-
- if (rule->matchtype == DNS_SSUMATCHTYPE_NAME) {
- if (!dns_name_equal(name, rule->name))
- continue;
- }
- else if (rule->matchtype == DNS_SSUMATCHTYPE_SUBDOMAIN) {
- if (!dns_name_issubdomain(name, rule->name))
- continue;
- }
- else if (rule->matchtype == DNS_SSUMATCHTYPE_WILDCARD) {
- if (!dns_name_matcheswildcard(name, rule->name))
- continue;
-
- }
- else if (rule->matchtype == DNS_SSUMATCHTYPE_SELF) {
- if (!dns_name_equal(signer, name))
- continue;
- }
-
- if (rule->ntypes == 0) {
- if (!isusertype(type))
- continue;
- }
- else {
- for (i = 0; i < rule->ntypes; i++) {
- if (rule->types[i] == dns_rdatatype_any ||
- rule->types[i] == type)
- break;
- }
- if (i == rule->ntypes)
- continue;
- }
- return (rule->grant);
- }
-
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-dns_ssurule_isgrant(const dns_ssurule_t *rule) {
- REQUIRE(VALID_SSURULE(rule));
- return (rule->grant);
-}
-
-dns_name_t *
-dns_ssurule_identity(const dns_ssurule_t *rule) {
- REQUIRE(VALID_SSURULE(rule));
- return (rule->identity);
-}
-
-unsigned int
-dns_ssurule_matchtype(const dns_ssurule_t *rule) {
- REQUIRE(VALID_SSURULE(rule));
- return (rule->matchtype);
-}
-
-dns_name_t *
-dns_ssurule_name(const dns_ssurule_t *rule) {
- REQUIRE(VALID_SSURULE(rule));
- return (rule->name);
-}
-
-unsigned int
-dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
- REQUIRE(VALID_SSURULE(rule));
- REQUIRE(types != NULL && *types != NULL);
- *types = rule->types;
- return (rule->ntypes);
-}
-
-isc_result_t
-dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
- REQUIRE(VALID_SSUTABLE(table));
- REQUIRE(rule != NULL && *rule == NULL);
- *rule = ISC_LIST_HEAD(table->rules);
- return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
-}
-
-isc_result_t
-dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
- REQUIRE(VALID_SSURULE(rule));
- REQUIRE(nextrule != NULL && *nextrule == NULL);
- *nextrule = ISC_LIST_NEXT(rule, link);
- return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
-}
diff --git a/contrib/bind9/lib/dns/stats.c b/contrib/bind9/lib/dns/stats.c
deleted file mode 100644
index aefcbe0bcc7e..000000000000
--- a/contrib/bind9/lib/dns/stats.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stats.c,v 1.5.206.1 2004/03/06 08:13:46 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-
-#include <dns/stats.h>
-
-LIBDNS_EXTERNAL_DATA const char *dns_statscounter_names[DNS_STATS_NCOUNTERS] =
- {
- "success",
- "referral",
- "nxrrset",
- "nxdomain",
- "recursion",
- "failure"
- };
-
-isc_result_t
-dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp) {
- int i;
- isc_uint64_t *p =
- isc_mem_get(mctx, DNS_STATS_NCOUNTERS * sizeof(isc_uint64_t));
- if (p == NULL)
- return (ISC_R_NOMEMORY);
- for (i = 0; i < DNS_STATS_NCOUNTERS; i++)
- p[i] = 0;
- *ctrp = p;
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp) {
- isc_mem_put(mctx, *ctrp, DNS_STATS_NCOUNTERS * sizeof(isc_uint64_t));
- *ctrp = NULL;
-}
diff --git a/contrib/bind9/lib/dns/tcpmsg.c b/contrib/bind9/lib/dns/tcpmsg.c
deleted file mode 100644
index 4400a3a58f7f..000000000000
--- a/contrib/bind9/lib/dns/tcpmsg.c
+++ /dev/null
@@ -1,240 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: tcpmsg.c,v 1.24.206.1 2004/03/06 08:13:46 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/events.h>
-#include <dns/result.h>
-#include <dns/tcpmsg.h>
-
-#ifdef TCPMSG_DEBUG
-#include <stdio.h> /* Required for printf. */
-#define XDEBUG(x) printf x
-#else
-#define XDEBUG(x)
-#endif
-
-#define TCPMSG_MAGIC ISC_MAGIC('T', 'C', 'P', 'm')
-#define VALID_TCPMSG(foo) ISC_MAGIC_VALID(foo, TCPMSG_MAGIC)
-
-static void recv_length(isc_task_t *, isc_event_t *);
-static void recv_message(isc_task_t *, isc_event_t *);
-
-
-static void
-recv_length(isc_task_t *task, isc_event_t *ev_in) {
- isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
- isc_event_t *dev;
- dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
- isc_region_t region;
- isc_result_t result;
-
- INSIST(VALID_TCPMSG(tcpmsg));
-
- dev = &tcpmsg->event;
-
- if (ev->result != ISC_R_SUCCESS) {
- tcpmsg->result = ev->result;
- goto send_and_free;
- }
-
- /*
- * Success.
- */
- tcpmsg->size = ntohs(tcpmsg->size);
- if (tcpmsg->size == 0) {
- tcpmsg->result = ISC_R_UNEXPECTEDEND;
- goto send_and_free;
- }
- if (tcpmsg->size > tcpmsg->maxsize) {
- tcpmsg->result = ISC_R_RANGE;
- goto send_and_free;
- }
-
- region.base = isc_mem_get(tcpmsg->mctx, tcpmsg->size);
- region.length = tcpmsg->size;
- if (region.base == NULL) {
- tcpmsg->result = ISC_R_NOMEMORY;
- goto send_and_free;
- }
- XDEBUG(("Allocated %d bytes\n", tcpmsg->size));
-
- isc_buffer_init(&tcpmsg->buffer, region.base, region.length);
- result = isc_socket_recv(tcpmsg->sock, &region, 0,
- task, recv_message, tcpmsg);
- if (result != ISC_R_SUCCESS) {
- tcpmsg->result = result;
- goto send_and_free;
- }
-
- isc_event_free(&ev_in);
- return;
-
- send_and_free:
- isc_task_send(tcpmsg->task, &dev);
- tcpmsg->task = NULL;
- isc_event_free(&ev_in);
- return;
-}
-
-static void
-recv_message(isc_task_t *task, isc_event_t *ev_in) {
- isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
- isc_event_t *dev;
- dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
-
- (void)task;
-
- INSIST(VALID_TCPMSG(tcpmsg));
-
- dev = &tcpmsg->event;
-
- if (ev->result != ISC_R_SUCCESS) {
- tcpmsg->result = ev->result;
- goto send_and_free;
- }
-
- tcpmsg->result = ISC_R_SUCCESS;
- isc_buffer_add(&tcpmsg->buffer, ev->n);
- tcpmsg->address = ev->address;
-
- XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size));
-
- send_and_free:
- isc_task_send(tcpmsg->task, &dev);
- tcpmsg->task = NULL;
- isc_event_free(&ev_in);
-}
-
-void
-dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg) {
- REQUIRE(mctx != NULL);
- REQUIRE(sock != NULL);
- REQUIRE(tcpmsg != NULL);
-
- tcpmsg->magic = TCPMSG_MAGIC;
- tcpmsg->size = 0;
- tcpmsg->buffer.base = NULL;
- tcpmsg->buffer.length = 0;
- tcpmsg->maxsize = 65535; /* Largest message possible. */
- tcpmsg->mctx = mctx;
- tcpmsg->sock = sock;
- tcpmsg->task = NULL; /* None yet. */
- tcpmsg->result = ISC_R_UNEXPECTED; /* None yet. */
- /*
- * Should probably initialize the event here, but it can wait.
- */
-}
-
-
-void
-dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize) {
- REQUIRE(VALID_TCPMSG(tcpmsg));
- REQUIRE(maxsize < 65536);
-
- tcpmsg->maxsize = maxsize;
-}
-
-
-isc_result_t
-dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
- isc_task_t *task, isc_taskaction_t action, void *arg)
-{
- isc_result_t result;
- isc_region_t region;
-
- REQUIRE(VALID_TCPMSG(tcpmsg));
- REQUIRE(task != NULL);
- REQUIRE(tcpmsg->task == NULL); /* not currently in use */
-
- if (tcpmsg->buffer.base != NULL) {
- isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
- tcpmsg->buffer.length);
- tcpmsg->buffer.base = NULL;
- tcpmsg->buffer.length = 0;
- }
-
- tcpmsg->task = task;
- tcpmsg->action = action;
- tcpmsg->arg = arg;
- tcpmsg->result = ISC_R_UNEXPECTED; /* unknown right now */
-
- ISC_EVENT_INIT(&tcpmsg->event, sizeof(isc_event_t), 0, 0,
- DNS_EVENT_TCPMSG, action, arg, tcpmsg,
- NULL, NULL);
-
- region.base = (unsigned char *)&tcpmsg->size;
- region.length = 2; /* isc_uint16_t */
- result = isc_socket_recv(tcpmsg->sock, &region, 0,
- tcpmsg->task, recv_length, tcpmsg);
-
- if (result != ISC_R_SUCCESS)
- tcpmsg->task = NULL;
-
- return (result);
-}
-
-void
-dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg) {
- REQUIRE(VALID_TCPMSG(tcpmsg));
-
- isc_socket_cancel(tcpmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
-}
-
-void
-dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer) {
- REQUIRE(VALID_TCPMSG(tcpmsg));
- REQUIRE(buffer != NULL);
-
- *buffer = tcpmsg->buffer;
- tcpmsg->buffer.base = NULL;
- tcpmsg->buffer.length = 0;
-}
-
-#if 0
-void
-dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg) {
- REQUIRE(VALID_TCPMSG(tcpmsg));
-
- if (tcpmsg->buffer.base == NULL)
- return;
-
- isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base, tcpmsg->buffer.length);
- tcpmsg->buffer.base = NULL;
- tcpmsg->buffer.length = 0;
-}
-#endif
-
-void
-dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg) {
- REQUIRE(VALID_TCPMSG(tcpmsg));
-
- tcpmsg->magic = 0;
-
- if (tcpmsg->buffer.base != NULL) {
- isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
- tcpmsg->buffer.length);
- tcpmsg->buffer.base = NULL;
- tcpmsg->buffer.length = 0;
- }
-}
diff --git a/contrib/bind9/lib/dns/time.c b/contrib/bind9/lib/dns/time.c
deleted file mode 100644
index 770f021a77d9..000000000000
--- a/contrib/bind9/lib/dns/time.c
+++ /dev/null
@@ -1,172 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: time.c,v 1.18.2.4.2.8 2004/08/28 06:25:20 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <time.h>
-
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/stdtime.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/time.h>
-
-static int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
-
-isc_result_t
-dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
- struct tm tm;
- char buf[sizeof("YYYYMMDDHHMMSS")];
- int secs;
- unsigned int l;
- isc_region_t region;
-
- REQUIRE(t >= 0);
-
-#define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
-#define year_secs(y) ((is_leap(y) ? 366 : 365 ) * 86400)
-#define month_secs(m,y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0 )) * 86400)
-
- tm.tm_year = 70;
- while ((secs = year_secs(tm.tm_year + 1900)) <= t) {
- t -= secs;
- tm.tm_year++;
- if (tm.tm_year + 1900 > 9999)
- return (ISC_R_RANGE);
- }
- tm.tm_mon = 0;
- while ((secs = month_secs(tm.tm_mon, tm.tm_year + 1900)) <= t) {
- t -= secs;
- tm.tm_mon++;
- }
- tm.tm_mday = 1;
- while (86400 <= t) {
- t -= 86400;
- tm.tm_mday++;
- }
- tm.tm_hour = 0;
- while (3600 <= t) {
- t -= 3600;
- tm.tm_hour++;
- }
- tm.tm_min = 0;
- while (60 <= t) {
- t -= 60;
- tm.tm_min++;
- }
- tm.tm_sec = (int)t;
- /* yyyy mm dd HH MM SS */
- snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d",
- tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
- tm.tm_hour, tm.tm_min, tm.tm_sec);
-
- isc_buffer_availableregion(target, &region);
- l = strlen(buf);
-
- if (l > region.length)
- return (ISC_R_NOSPACE);
-
- memcpy(region.base, buf, l);
- isc_buffer_add(target, l);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
- isc_stdtime_t now;
- isc_int64_t start;
- isc_int64_t base;
- isc_int64_t t;
-
- /*
- * Adjust the time to the closest epoch. This should be changed
- * to use a 64-bit counterpart to isc_stdtime_get() if one ever
- * is defined, but even the current code is good until the year
- * 2106.
- */
- isc_stdtime_get(&now);
- start = (isc_int64_t) now;
- start -= 0x7fffffff;
- base = 0;
- while ((t = (base + value)) < start) {
- base += 0x80000000;
- base += 0x80000000;
- }
- return (dns_time64_totext(t, target));
-}
-
-isc_result_t
-dns_time64_fromtext(const char *source, isc_int64_t *target) {
- int year, month, day, hour, minute, second;
- isc_int64_t value;
- int secs;
- int i;
-
-#define RANGE(min, max, value) \
- do { \
- if (value < (min) || value > (max)) \
- return (ISC_R_RANGE); \
- } while (0)
-
- if (strlen(source) != 14U)
- return (DNS_R_SYNTAX);
- if (sscanf(source, "%4d%2d%2d%2d%2d%2d",
- &year, &month, &day, &hour, &minute, &second) != 6)
- return (DNS_R_SYNTAX);
-
- RANGE(1970, 9999, year);
- RANGE(1, 12, month);
- RANGE(1, days[month - 1] +
- ((month == 2 && is_leap(year)) ? 1 : 0), day);
- RANGE(0, 23, hour);
- RANGE(0, 59, minute);
- RANGE(0, 60, second); /* 60 == leap second. */
-
- /*
- * Calulate seconds since epoch.
- */
- value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
- for (i = 0; i < (month - 1); i++)
- value += days[i] * 86400;
- if (is_leap(year) && month > 2)
- value += 86400;
- for (i = 1970; i < year; i++) {
- secs = (is_leap(i) ? 366 : 365) * 86400;
- value += secs;
- }
-
- *target = value;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_time32_fromtext(const char *source, isc_uint32_t *target) {
- isc_int64_t value64;
- isc_result_t result;
- result = dns_time64_fromtext(source, &value64);
- if (result != ISC_R_SUCCESS)
- return (result);
- *target = (isc_uint32_t)value64;
-
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/timer.c b/contrib/bind9/lib/dns/timer.c
deleted file mode 100644
index b364f54cbeac..000000000000
--- a/contrib/bind9/lib/dns/timer.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer.c,v 1.2.206.1 2004/03/06 08:13:46 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/result.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-
-#include <dns/types.h>
-#include <dns/timer.h>
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-isc_result_t
-dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
- unsigned int idletime, isc_boolean_t purge)
-{
- isc_result_t result;
- isc_interval_t maxinterval, idleinterval;
- isc_time_t expires;
-
- /* Compute the time of expiry. */
- isc_interval_set(&maxinterval, maxtime, 0);
- CHECK(isc_time_nowplusinterval(&expires, &maxinterval));
-
- /*
- * Compute the idle interval, and add a spare nanosecond to
- * work around the silly limitation of the ISC timer interface
- * that you cannot specify an idle interval of zero.
- */
- isc_interval_set(&idleinterval, idletime, 1);
-
- CHECK(isc_timer_reset(timer, isc_timertype_once,
- &expires, &idleinterval,
- purge));
- failure:
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/tkey.c b/contrib/bind9/lib/dns/tkey.c
deleted file mode 100644
index 43c8db0e57c8..000000000000
--- a/contrib/bind9/lib/dns/tkey.c
+++ /dev/null
@@ -1,1240 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: tkey.c,v 1.71.2.1.10.7 2005/06/12 00:02:26 marka Exp $
- */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/md5.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/dnssec.h>
-#include <dns/fixedname.h>
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/tkey.h>
-#include <dns/tsig.h>
-
-#include <dst/dst.h>
-#include <dst/gssapi.h>
-
-#define TKEY_RANDOM_AMOUNT 16
-
-#define RETERR(x) do { \
- result = (x); \
- if (result != ISC_R_SUCCESS) \
- goto failure; \
- } while (0)
-
-static void
-tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
-
-static void
-tkey_log(const char *fmt, ...) {
- va_list ap;
-
- va_start(ap, fmt);
- isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_REQUEST, ISC_LOG_DEBUG(4), fmt, ap);
- va_end(ap);
-}
-
-isc_result_t
-dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
-{
- dns_tkeyctx_t *tctx;
-
- REQUIRE(mctx != NULL);
- REQUIRE(ectx != NULL);
- REQUIRE(tctxp != NULL && *tctxp == NULL);
-
- tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
- if (tctx == NULL)
- return (ISC_R_NOMEMORY);
- tctx->mctx = NULL;
- isc_mem_attach(mctx, &tctx->mctx);
- tctx->ectx = NULL;
- isc_entropy_attach(ectx, &tctx->ectx);
- tctx->dhkey = NULL;
- tctx->domain = NULL;
- tctx->gsscred = NULL;
-
- *tctxp = tctx;
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
- isc_mem_t *mctx;
- dns_tkeyctx_t *tctx;
-
- REQUIRE(tctxp != NULL && *tctxp != NULL);
-
- tctx = *tctxp;
- mctx = tctx->mctx;
-
- if (tctx->dhkey != NULL)
- dst_key_free(&tctx->dhkey);
- if (tctx->domain != NULL) {
- if (dns_name_dynamic(tctx->domain))
- dns_name_free(tctx->domain, mctx);
- isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
- }
- isc_entropy_detach(&tctx->ectx);
- isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
- isc_mem_detach(&mctx);
- *tctxp = NULL;
-}
-
-static isc_result_t
-add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
- isc_uint32_t ttl, dns_namelist_t *namelist)
-{
- isc_result_t result;
- isc_region_t r, newr;
- dns_rdata_t *newrdata = NULL;
- dns_name_t *newname = NULL;
- dns_rdatalist_t *newlist = NULL;
- dns_rdataset_t *newset = NULL;
- isc_buffer_t *tmprdatabuf = NULL;
-
- RETERR(dns_message_gettemprdata(msg, &newrdata));
-
- dns_rdata_toregion(rdata, &r);
- RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
- isc_buffer_availableregion(tmprdatabuf, &newr);
- memcpy(newr.base, r.base, r.length);
- dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
- dns_message_takebuffer(msg, &tmprdatabuf);
-
- RETERR(dns_message_gettempname(msg, &newname));
- dns_name_init(newname, NULL);
- RETERR(dns_name_dup(name, msg->mctx, newname));
-
- RETERR(dns_message_gettemprdatalist(msg, &newlist));
- newlist->rdclass = newrdata->rdclass;
- newlist->type = newrdata->type;
- newlist->covers = 0;
- newlist->ttl = ttl;
- ISC_LIST_INIT(newlist->rdata);
- ISC_LIST_APPEND(newlist->rdata, newrdata, link);
-
- RETERR(dns_message_gettemprdataset(msg, &newset));
- dns_rdataset_init(newset);
- RETERR(dns_rdatalist_tordataset(newlist, newset));
-
- ISC_LIST_INIT(newname->list);
- ISC_LIST_APPEND(newname->list, newset, link);
-
- ISC_LIST_APPEND(*namelist, newname, link);
-
- return (ISC_R_SUCCESS);
-
- failure:
- if (newrdata != NULL) {
- if (ISC_LINK_LINKED(newrdata, link))
- ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
- dns_message_puttemprdata(msg, &newrdata);
- }
- if (newname != NULL)
- dns_message_puttempname(msg, &newname);
- if (newset != NULL) {
- dns_rdataset_disassociate(newset);
- dns_message_puttemprdataset(msg, &newset);
- }
- if (newlist != NULL)
- dns_message_puttemprdatalist(msg, &newlist);
- return (result);
-}
-
-static void
-free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
- dns_name_t *name;
- dns_rdataset_t *set;
-
- while (!ISC_LIST_EMPTY(*namelist)) {
- name = ISC_LIST_HEAD(*namelist);
- ISC_LIST_UNLINK(*namelist, name, link);
- while (!ISC_LIST_EMPTY(name->list)) {
- set = ISC_LIST_HEAD(name->list);
- ISC_LIST_UNLINK(name->list, set, link);
- dns_message_puttemprdataset(msg, &set);
- }
- dns_message_puttempname(msg, &name);
- }
-}
-
-static isc_result_t
-compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
- isc_region_t *serverrandomness, isc_buffer_t *secret)
-{
- isc_md5_t md5ctx;
- isc_region_t r, r2;
- unsigned char digests[32];
- unsigned int i;
-
- isc_buffer_usedregion(shared, &r);
-
- /*
- * MD5 ( query data | DH value ).
- */
- isc_md5_init(&md5ctx);
- isc_md5_update(&md5ctx, queryrandomness->base,
- queryrandomness->length);
- isc_md5_update(&md5ctx, r.base, r.length);
- isc_md5_final(&md5ctx, digests);
-
- /*
- * MD5 ( server data | DH value ).
- */
- isc_md5_init(&md5ctx);
- isc_md5_update(&md5ctx, serverrandomness->base,
- serverrandomness->length);
- isc_md5_update(&md5ctx, r.base, r.length);
- isc_md5_final(&md5ctx, &digests[ISC_MD5_DIGESTLENGTH]);
-
- /*
- * XOR ( DH value, MD5-1 | MD5-2).
- */
- isc_buffer_availableregion(secret, &r);
- isc_buffer_usedregion(shared, &r2);
- if (r.length < sizeof(digests) || r.length < r2.length)
- return (ISC_R_NOSPACE);
- if (r2.length > sizeof(digests)) {
- memcpy(r.base, r2.base, r2.length);
- for (i = 0; i < sizeof(digests); i++)
- r.base[i] ^= digests[i];
- isc_buffer_add(secret, r2.length);
- } else {
- memcpy(r.base, digests, sizeof(digests));
- for (i = 0; i < r2.length; i++)
- r.base[i] ^= r2.base[i];
- isc_buffer_add(secret, sizeof(digests));
- }
- return (ISC_R_SUCCESS);
-
-}
-
-static isc_result_t
-process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
- dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
- dns_rdata_tkey_t *tkeyout,
- dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
-{
- isc_result_t result = ISC_R_SUCCESS;
- dns_name_t *keyname, ourname;
- dns_rdataset_t *keyset = NULL;
- dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
- isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
- dst_key_t *pubkey = NULL;
- isc_buffer_t ourkeybuf, *shared = NULL;
- isc_region_t r, r2, ourkeyr;
- unsigned char keydata[DST_KEY_MAXSIZE];
- unsigned int sharedsize;
- isc_buffer_t secret;
- unsigned char *randomdata = NULL, secretdata[256];
- dns_ttl_t ttl = 0;
-
- if (tctx->dhkey == NULL) {
- tkey_log("process_dhtkey: tkey-dhkey not defined");
- tkeyout->error = dns_tsigerror_badalg;
- return (DNS_R_REFUSED);
- }
-
- if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
- tkey_log("process_dhtkey: algorithms other than "
- "hmac-md5 are not supported");
- tkeyout->error = dns_tsigerror_badalg;
- return (ISC_R_SUCCESS);
- }
-
- /*
- * Look for a DH KEY record that will work with ours.
- */
- for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
- result == ISC_R_SUCCESS && !found_key;
- result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
- {
- keyname = NULL;
- dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
- keyset = NULL;
- result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
- &keyset);
- if (result != ISC_R_SUCCESS)
- continue;
-
- for (result = dns_rdataset_first(keyset);
- result == ISC_R_SUCCESS && !found_key;
- result = dns_rdataset_next(keyset))
- {
- dns_rdataset_current(keyset, &keyrdata);
- pubkey = NULL;
- result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
- msg->mctx, &pubkey);
- if (result != ISC_R_SUCCESS) {
- dns_rdata_reset(&keyrdata);
- continue;
- }
- if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
- if (dst_key_paramcompare(pubkey, tctx->dhkey))
- {
- found_key = ISC_TRUE;
- ttl = keyset->ttl;
- break;
- } else
- found_incompatible = ISC_TRUE;
- }
- dst_key_free(&pubkey);
- dns_rdata_reset(&keyrdata);
- }
- }
-
- if (!found_key) {
- if (found_incompatible) {
- tkey_log("process_dhtkey: found an incompatible key");
- tkeyout->error = dns_tsigerror_badkey;
- return (ISC_R_SUCCESS);
- } else {
- tkey_log("process_dhtkey: failed to find a key");
- return (DNS_R_FORMERR);
- }
- }
-
- RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
-
- isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
- RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
- isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
- dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
- dns_rdatatype_key, &ourkeyr);
-
- dns_name_init(&ourname, NULL);
- dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
-
- /*
- * XXXBEW The TTL should be obtained from the database, if it exists.
- */
- RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
-
- RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
- RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
-
- result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
- if (result != ISC_R_SUCCESS) {
- tkey_log("process_dhtkey: failed to compute shared secret: %s",
- isc_result_totext(result));
- goto failure;
- }
- dst_key_free(&pubkey);
-
- isc_buffer_init(&secret, secretdata, sizeof(secretdata));
-
- randomdata = isc_mem_get(tkeyout->mctx, TKEY_RANDOM_AMOUNT);
- if (randomdata == NULL)
- goto failure;
-
- result = isc_entropy_getdata(tctx->ectx, randomdata,
- TKEY_RANDOM_AMOUNT, NULL, 0);
- if (result != ISC_R_SUCCESS) {
- tkey_log("process_dhtkey: failed to obtain entropy: %s",
- isc_result_totext(result));
- goto failure;
- }
-
- r.base = randomdata;
- r.length = TKEY_RANDOM_AMOUNT;
- r2.base = tkeyin->key;
- r2.length = tkeyin->keylen;
- RETERR(compute_secret(shared, &r2, &r, &secret));
- isc_buffer_free(&shared);
-
- RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
- isc_buffer_base(&secret),
- isc_buffer_usedlength(&secret),
- ISC_TRUE, signer, tkeyin->inception,
- tkeyin->expire, msg->mctx, ring, NULL));
-
- /* This key is good for a long time */
- tkeyout->inception = tkeyin->inception;
- tkeyout->expire = tkeyin->expire;
-
- tkeyout->key = randomdata;
- tkeyout->keylen = TKEY_RANDOM_AMOUNT;
-
- return (ISC_R_SUCCESS);
-
- failure:
- if (!ISC_LIST_EMPTY(*namelist))
- free_namelist(msg, namelist);
- if (shared != NULL)
- isc_buffer_free(&shared);
- if (pubkey != NULL)
- dst_key_free(&pubkey);
- if (randomdata != NULL)
- isc_mem_put(tkeyout->mctx, randomdata, TKEY_RANDOM_AMOUNT);
- return (result);
-}
-
-static isc_result_t
-process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
- dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
- dns_rdata_tkey_t *tkeyout,
- dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
-{
- isc_result_t result = ISC_R_SUCCESS;
- dst_key_t *dstkey = NULL;
- void *gssctx = NULL;
- isc_stdtime_t now;
- isc_region_t intoken;
- unsigned char array[1024];
- isc_buffer_t outtoken;
-
- UNUSED(namelist);
-
- if (tctx->gsscred == NULL)
- return (ISC_R_NOPERM);
-
- if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
- !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
- tkeyout->error = dns_tsigerror_badalg;
- return (ISC_R_SUCCESS);
- }
-
- intoken.base = tkeyin->key;
- intoken.length = tkeyin->keylen;
-
- isc_buffer_init(&outtoken, array, sizeof(array));
- RETERR(dst_gssapi_acceptctx(name, tctx->gsscred, &intoken,
- &outtoken, &gssctx));
-
- dstkey = NULL;
- RETERR(dst_key_fromgssapi(name, gssctx, msg->mctx, &dstkey));
-
- result = dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
- dstkey, ISC_TRUE, signer,
- tkeyin->inception, tkeyin->expire,
- msg->mctx, ring, NULL);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- if (result == ISC_R_NOTFOUND) {
- tkeyout->error = dns_tsigerror_badalg;
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- /* This key is good for a long time */
- isc_stdtime_get(&now);
- tkeyout->inception = tkeyin->inception;
- tkeyout->expire = tkeyin->expire;
-
- tkeyout->key = isc_mem_get(msg->mctx,
- isc_buffer_usedlength(&outtoken));
- if (tkeyout->key == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
- tkeyout->keylen = isc_buffer_usedlength(&outtoken);
- memcpy(tkeyout->key, isc_buffer_base(&outtoken), tkeyout->keylen);
-
- return (ISC_R_SUCCESS);
-
- failure:
- if (dstkey != NULL)
- dst_key_free(&dstkey);
-
- return (result);
-}
-
-static isc_result_t
-process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
- dns_rdata_tkey_t *tkeyin,
- dns_rdata_tkey_t *tkeyout,
- dns_tsig_keyring_t *ring,
- dns_namelist_t *namelist)
-{
- isc_result_t result;
- dns_tsigkey_t *tsigkey = NULL;
- dns_name_t *identity;
-
- UNUSED(msg);
- UNUSED(namelist);
-
- result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
- if (result != ISC_R_SUCCESS) {
- tkeyout->error = dns_tsigerror_badname;
- return (ISC_R_SUCCESS);
- }
-
- /*
- * Only allow a delete if the identity that created the key is the
- * same as the identity that signed the message.
- */
- identity = dns_tsigkey_identity(tsigkey);
- if (identity == NULL || !dns_name_equal(identity, signer)) {
- dns_tsigkey_detach(&tsigkey);
- return (DNS_R_REFUSED);
- }
-
- /*
- * Set the key to be deleted when no references are left. If the key
- * was not generated with TKEY and is in the config file, it may be
- * reloaded later.
- */
- dns_tsigkey_setdeleted(tsigkey);
-
- /* Release the reference */
- dns_tsigkey_detach(&tsigkey);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
- dns_tsig_keyring_t *ring)
-{
- isc_result_t result = ISC_R_SUCCESS;
- dns_rdata_tkey_t tkeyin, tkeyout;
- isc_boolean_t freetkeyin = ISC_FALSE;
- dns_name_t *qname, *name, *keyname, *signer, tsigner;
- dns_fixedname_t fkeyname;
- dns_rdataset_t *tkeyset;
- dns_rdata_t rdata;
- dns_namelist_t namelist;
- char tkeyoutdata[512];
- isc_buffer_t tkeyoutbuf;
-
- REQUIRE(msg != NULL);
- REQUIRE(tctx != NULL);
- REQUIRE(ring != NULL);
-
- ISC_LIST_INIT(namelist);
-
- /*
- * Interpret the question section.
- */
- result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
- if (result != ISC_R_SUCCESS)
- return (DNS_R_FORMERR);
-
- qname = NULL;
- dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
-
- /*
- * Look for a TKEY record that matches the question.
- */
- tkeyset = NULL;
- name = NULL;
- result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
- dns_rdatatype_tkey, 0, &name, &tkeyset);
- if (result != ISC_R_SUCCESS) {
- /*
- * Try the answer section, since that's where Win2000
- * puts it.
- */
- if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
- dns_rdatatype_tkey, 0, &name,
- &tkeyset) != ISC_R_SUCCESS)
- {
- result = DNS_R_FORMERR;
- tkey_log("dns_tkey_processquery: couldn't find a TKEY "
- "matching the question");
- goto failure;
- }
- }
- result = dns_rdataset_first(tkeyset);
- if (result != ISC_R_SUCCESS) {
- result = DNS_R_FORMERR;
- goto failure;
- }
- dns_rdata_init(&rdata);
- dns_rdataset_current(tkeyset, &rdata);
-
- RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
- freetkeyin = ISC_TRUE;
-
- if (tkeyin.error != dns_rcode_noerror) {
- result = DNS_R_FORMERR;
- goto failure;
- }
-
- /*
- * Before we go any farther, verify that the message was signed.
- * GSSAPI TKEY doesn't require a signature, the rest do.
- */
- dns_name_init(&tsigner, NULL);
- result = dns_message_signer(msg, &tsigner);
- if (result != ISC_R_SUCCESS) {
- if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
- result == ISC_R_NOTFOUND)
- signer = NULL;
- else {
- tkey_log("dns_tkey_processquery: query was not "
- "properly signed - rejecting");
- result = DNS_R_FORMERR;
- goto failure;
- }
- } else
- signer = &tsigner;
-
- tkeyout.common.rdclass = tkeyin.common.rdclass;
- tkeyout.common.rdtype = tkeyin.common.rdtype;
- ISC_LINK_INIT(&tkeyout.common, link);
- tkeyout.mctx = msg->mctx;
-
- dns_name_init(&tkeyout.algorithm, NULL);
- dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
-
- tkeyout.inception = tkeyout.expire = 0;
- tkeyout.mode = tkeyin.mode;
- tkeyout.error = 0;
- tkeyout.keylen = tkeyout.otherlen = 0;
- tkeyout.key = tkeyout.other = NULL;
-
- /*
- * A delete operation must have a fully specified key name. If this
- * is not a delete, we do the following:
- * if (qname != ".")
- * keyname = qname + defaultdomain
- * else
- * keyname = <random hex> + defaultdomain
- */
- if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
- dns_tsigkey_t *tsigkey = NULL;
-
- if (tctx->domain == NULL) {
- tkey_log("dns_tkey_processquery: tkey-domain not set");
- result = DNS_R_REFUSED;
- goto failure;
- }
-
- dns_fixedname_init(&fkeyname);
- keyname = dns_fixedname_name(&fkeyname);
-
- if (!dns_name_equal(qname, dns_rootname)) {
- unsigned int n = dns_name_countlabels(qname);
- RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
- == ISC_R_SUCCESS);
- dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
- } else {
- static char hexdigits[16] = {
- '0', '1', '2', '3', '4', '5', '6', '7',
- '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
- unsigned char randomdata[16];
- char randomtext[32];
- isc_buffer_t b;
- unsigned int i, j;
-
- result = isc_entropy_getdata(tctx->ectx,
- randomdata,
- sizeof(randomdata),
- NULL, 0);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- for (i = 0, j = 0; i < sizeof(randomdata); i++) {
- unsigned char val = randomdata[i];
- randomtext[j++] = hexdigits[val >> 4];
- randomtext[j++] = hexdigits[val & 0xF];
- }
- isc_buffer_init(&b, randomtext, sizeof(randomtext));
- isc_buffer_add(&b, sizeof(randomtext));
- result = dns_name_fromtext(keyname, &b, NULL,
- ISC_FALSE, NULL);
- if (result != ISC_R_SUCCESS)
- goto failure;
- }
- result = dns_name_concatenate(keyname, tctx->domain,
- keyname, NULL);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
- if (result == ISC_R_SUCCESS) {
- tkeyout.error = dns_tsigerror_badname;
- dns_tsigkey_detach(&tsigkey);
- goto failure_with_tkey;
- } else if (result != ISC_R_NOTFOUND)
- goto failure;
- } else
- keyname = qname;
-
- switch (tkeyin.mode) {
- case DNS_TKEYMODE_DIFFIEHELLMAN:
- tkeyout.error = dns_rcode_noerror;
- RETERR(process_dhtkey(msg, signer, keyname, &tkeyin,
- tctx, &tkeyout, ring,
- &namelist));
- break;
- case DNS_TKEYMODE_GSSAPI:
- tkeyout.error = dns_rcode_noerror;
- RETERR(process_gsstkey(msg, signer, keyname, &tkeyin,
- tctx, &tkeyout, ring,
- &namelist));
- break;
- case DNS_TKEYMODE_DELETE:
- tkeyout.error = dns_rcode_noerror;
- RETERR(process_deletetkey(msg, signer, keyname,
- &tkeyin, &tkeyout,
- ring, &namelist));
- break;
- case DNS_TKEYMODE_SERVERASSIGNED:
- case DNS_TKEYMODE_RESOLVERASSIGNED:
- result = DNS_R_NOTIMP;
- goto failure;
- default:
- tkeyout.error = dns_tsigerror_badmode;
- }
-
- failure_with_tkey:
- dns_rdata_init(&rdata);
- isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
- result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
- tkeyout.common.rdtype, &tkeyout,
- &tkeyoutbuf);
-
- if (freetkeyin) {
- dns_rdata_freestruct(&tkeyin);
- freetkeyin = ISC_FALSE;
- }
-
- if (tkeyout.key != NULL)
- isc_mem_put(msg->mctx, tkeyout.key, tkeyout.keylen);
- if (tkeyout.other != NULL)
- isc_mem_put(msg->mctx, tkeyout.other, tkeyout.otherlen);
- if (result != ISC_R_SUCCESS)
- goto failure;
-
- RETERR(add_rdata_to_list(msg, keyname, &rdata, 0, &namelist));
-
- RETERR(dns_message_reply(msg, ISC_TRUE));
-
- name = ISC_LIST_HEAD(namelist);
- while (name != NULL) {
- dns_name_t *next = ISC_LIST_NEXT(name, link);
- ISC_LIST_UNLINK(namelist, name, link);
- dns_message_addname(msg, name, DNS_SECTION_ANSWER);
- name = next;
- }
-
- return (ISC_R_SUCCESS);
-
- failure:
- if (freetkeyin)
- dns_rdata_freestruct(&tkeyin);
- if (!ISC_LIST_EMPTY(namelist))
- free_namelist(msg, &namelist);
- return (result);
-}
-
-static isc_result_t
-buildquery(dns_message_t *msg, dns_name_t *name,
- dns_rdata_tkey_t *tkey)
-{
- dns_name_t *qname = NULL, *aname = NULL;
- dns_rdataset_t *question = NULL, *tkeyset = NULL;
- dns_rdatalist_t *tkeylist = NULL;
- dns_rdata_t *rdata = NULL;
- isc_buffer_t *dynbuf = NULL;
- isc_result_t result;
-
- REQUIRE(msg != NULL);
- REQUIRE(name != NULL);
- REQUIRE(tkey != NULL);
-
- RETERR(dns_message_gettempname(msg, &qname));
- RETERR(dns_message_gettempname(msg, &aname));
-
- RETERR(dns_message_gettemprdataset(msg, &question));
- dns_rdataset_init(question);
- dns_rdataset_makequestion(question, dns_rdataclass_any,
- dns_rdatatype_tkey);
-
- RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 512));
- RETERR(dns_message_gettemprdata(msg, &rdata));
- RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
- dns_rdatatype_tkey, tkey, dynbuf));
- dns_message_takebuffer(msg, &dynbuf);
-
- RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
- tkeylist->rdclass = dns_rdataclass_any;
- tkeylist->type = dns_rdatatype_tkey;
- tkeylist->covers = 0;
- tkeylist->ttl = 0;
- ISC_LIST_INIT(tkeylist->rdata);
- ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
-
- RETERR(dns_message_gettemprdataset(msg, &tkeyset));
- dns_rdataset_init(tkeyset);
- RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
-
- dns_name_init(qname, NULL);
- dns_name_clone(name, qname);
-
- dns_name_init(aname, NULL);
- dns_name_clone(name, aname);
-
- ISC_LIST_APPEND(qname->list, question, link);
- ISC_LIST_APPEND(aname->list, tkeyset, link);
-
- dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
- dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
-
- return (ISC_R_SUCCESS);
-
- failure:
- if (qname != NULL)
- dns_message_puttempname(msg, &qname);
- if (aname != NULL)
- dns_message_puttempname(msg, &aname);
- if (question != NULL) {
- dns_rdataset_disassociate(question);
- dns_message_puttemprdataset(msg, &question);
- }
- if (dynbuf != NULL)
- isc_buffer_free(&dynbuf);
- return (result);
-}
-
-isc_result_t
-dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
- dns_name_t *algorithm, isc_buffer_t *nonce,
- isc_uint32_t lifetime)
-{
- dns_rdata_tkey_t tkey;
- dns_rdata_t *rdata = NULL;
- isc_buffer_t *dynbuf = NULL;
- isc_region_t r;
- dns_name_t keyname;
- dns_namelist_t namelist;
- isc_result_t result;
- isc_stdtime_t now;
-
- REQUIRE(msg != NULL);
- REQUIRE(key != NULL);
- REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
- REQUIRE(dst_key_isprivate(key));
- REQUIRE(name != NULL);
- REQUIRE(algorithm != NULL);
-
- tkey.common.rdclass = dns_rdataclass_any;
- tkey.common.rdtype = dns_rdatatype_tkey;
- ISC_LINK_INIT(&tkey.common, link);
- tkey.mctx = msg->mctx;
- dns_name_init(&tkey.algorithm, NULL);
- dns_name_clone(algorithm, &tkey.algorithm);
- isc_stdtime_get(&now);
- tkey.inception = now;
- tkey.expire = now + lifetime;
- tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
- if (nonce != NULL)
- isc_buffer_usedregion(nonce, &r);
- else {
- r.base = isc_mem_get(msg->mctx, 0);
- r.length = 0;
- }
- tkey.error = 0;
- tkey.key = r.base;
- tkey.keylen = r.length;
- tkey.other = NULL;
- tkey.otherlen = 0;
-
- RETERR(buildquery(msg, name, &tkey));
-
- if (nonce == NULL)
- isc_mem_put(msg->mctx, r.base, 0);
-
- RETERR(dns_message_gettemprdata(msg, &rdata));
- RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
- RETERR(dst_key_todns(key, dynbuf));
- isc_buffer_usedregion(dynbuf, &r);
- dns_rdata_fromregion(rdata, dns_rdataclass_any,
- dns_rdatatype_key, &r);
- dns_message_takebuffer(msg, &dynbuf);
-
- dns_name_init(&keyname, NULL);
- dns_name_clone(dst_key_name(key), &keyname);
-
- ISC_LIST_INIT(namelist);
- RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
- dns_message_addname(msg, ISC_LIST_HEAD(namelist),
- DNS_SECTION_ADDITIONAL);
-
- return (ISC_R_SUCCESS);
-
- failure:
-
- if (dynbuf != NULL)
- isc_buffer_free(&dynbuf);
- return (result);
-}
-
-isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
- dns_name_t *gname, void *cred,
- isc_uint32_t lifetime, void **context)
-{
- dns_rdata_tkey_t tkey;
- isc_result_t result;
- isc_stdtime_t now;
- isc_buffer_t token;
- unsigned char array[1024];
-
- REQUIRE(msg != NULL);
- REQUIRE(name != NULL);
- REQUIRE(gname != NULL);
- REQUIRE(context != NULL && *context == NULL);
-
- isc_buffer_init(&token, array, sizeof(array));
- result = dst_gssapi_initctx(gname, cred, NULL, &token, context);
- if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
- return (result);
-
- tkey.common.rdclass = dns_rdataclass_any;
- tkey.common.rdtype = dns_rdatatype_tkey;
- ISC_LINK_INIT(&tkey.common, link);
- tkey.mctx = NULL;
- dns_name_init(&tkey.algorithm, NULL);
- dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
- isc_stdtime_get(&now);
- tkey.inception = now;
- tkey.expire = now + lifetime;
- tkey.mode = DNS_TKEYMODE_GSSAPI;
- tkey.error = 0;
- tkey.key = isc_buffer_base(&token);
- tkey.keylen = isc_buffer_usedlength(&token);
- tkey.other = NULL;
- tkey.otherlen = 0;
-
- RETERR(buildquery(msg, name, &tkey));
-
- return (ISC_R_SUCCESS);
-
- failure:
- return (result);
-}
-
-isc_result_t
-dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
- dns_rdata_tkey_t tkey;
-
- REQUIRE(msg != NULL);
- REQUIRE(key != NULL);
-
- tkey.common.rdclass = dns_rdataclass_any;
- tkey.common.rdtype = dns_rdatatype_tkey;
- ISC_LINK_INIT(&tkey.common, link);
- tkey.mctx = msg->mctx;
- dns_name_init(&tkey.algorithm, NULL);
- dns_name_clone(key->algorithm, &tkey.algorithm);
- tkey.inception = tkey.expire = 0;
- tkey.mode = DNS_TKEYMODE_DELETE;
- tkey.error = 0;
- tkey.keylen = tkey.otherlen = 0;
- tkey.key = tkey.other = NULL;
-
- return (buildquery(msg, &key->name, &tkey));
-}
-
-static isc_result_t
-find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
- int section)
-{
- dns_rdataset_t *tkeyset;
- isc_result_t result;
-
- result = dns_message_firstname(msg, section);
- while (result == ISC_R_SUCCESS) {
- *name = NULL;
- dns_message_currentname(msg, section, name);
- tkeyset = NULL;
- result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
- &tkeyset);
- if (result == ISC_R_SUCCESS) {
- result = dns_rdataset_first(tkeyset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(tkeyset, rdata);
- return (ISC_R_SUCCESS);
- }
- result = dns_message_nextname(msg, section);
- }
- if (result == ISC_R_NOMORE)
- return (ISC_R_NOTFOUND);
- return (result);
-}
-
-isc_result_t
-dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dst_key_t *key, isc_buffer_t *nonce,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
-{
- dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
- dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
- dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
- dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
- dst_key_t *theirkey = NULL;
- dns_rdata_tkey_t qtkey, rtkey;
- unsigned char secretdata[256];
- unsigned int sharedsize;
- isc_buffer_t *shared = NULL, secret;
- isc_region_t r, r2;
- isc_result_t result;
- isc_boolean_t freertkey = ISC_FALSE;
-
- REQUIRE(qmsg != NULL);
- REQUIRE(rmsg != NULL);
- REQUIRE(key != NULL);
- REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
- REQUIRE(dst_key_isprivate(key));
- if (outkey != NULL)
- REQUIRE(*outkey == NULL);
-
- if (rmsg->rcode != dns_rcode_noerror)
- return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
- RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
- RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
- freertkey = ISC_TRUE;
-
- RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
- DNS_SECTION_ADDITIONAL));
- RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
- if (rtkey.error != dns_rcode_noerror ||
- rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
- rtkey.mode != qtkey.mode ||
- !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
- rmsg->rcode != dns_rcode_noerror)
- {
- tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
- "or error set");
- result = DNS_R_INVALIDTKEY;
- dns_rdata_freestruct(&qtkey);
- goto failure;
- }
-
- dns_rdata_freestruct(&qtkey);
-
- dns_name_init(&keyname, NULL);
- dns_name_clone(dst_key_name(key), &keyname);
-
- ourkeyname = NULL;
- ourkeyset = NULL;
- RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
- dns_rdatatype_key, 0, &ourkeyname,
- &ourkeyset));
-
- result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
- while (result == ISC_R_SUCCESS) {
- theirkeyname = NULL;
- dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
- &theirkeyname);
- if (dns_name_equal(theirkeyname, ourkeyname))
- goto next;
- theirkeyset = NULL;
- result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
- 0, &theirkeyset);
- if (result == ISC_R_SUCCESS) {
- RETERR(dns_rdataset_first(theirkeyset));
- break;
- }
- next:
- result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
- }
-
- if (theirkeyset == NULL) {
- tkey_log("dns_tkey_processdhresponse: failed to find server "
- "key");
- result = ISC_R_NOTFOUND;
- goto failure;
- }
-
- dns_rdataset_current(theirkeyset, &theirkeyrdata);
- RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
- rmsg->mctx, &theirkey));
-
- RETERR(dst_key_secretsize(key, &sharedsize));
- RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));
-
- RETERR(dst_key_computesecret(theirkey, key, shared));
-
- isc_buffer_init(&secret, secretdata, sizeof(secretdata));
-
- r.base = rtkey.key;
- r.length = rtkey.keylen;
- if (nonce != NULL)
- isc_buffer_usedregion(nonce, &r2);
- else {
- r2.base = isc_mem_get(rmsg->mctx, 0);
- r2.length = 0;
- }
- RETERR(compute_secret(shared, &r2, &r, &secret));
- if (nonce == NULL)
- isc_mem_put(rmsg->mctx, r2.base, 0);
-
- isc_buffer_usedregion(&secret, &r);
- result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
- r.base, r.length, ISC_TRUE,
- NULL, rtkey.inception, rtkey.expire,
- rmsg->mctx, ring, outkey);
- isc_buffer_free(&shared);
- dns_rdata_freestruct(&rtkey);
- dst_key_free(&theirkey);
- return (result);
-
- failure:
- if (shared != NULL)
- isc_buffer_free(&shared);
-
- if (theirkey != NULL)
- dst_key_free(&theirkey);
-
- if (freertkey)
- dns_rdata_freestruct(&rtkey);
-
- return (result);
-}
-
-isc_result_t
-dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_name_t *gname, void *cred, void **context,
- dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
-{
- dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
- dns_name_t *tkeyname;
- dns_rdata_tkey_t rtkey, qtkey;
- isc_buffer_t outtoken;
- dst_key_t *dstkey = NULL;
- isc_region_t r;
- isc_result_t result;
- unsigned char array[1024];
-
- REQUIRE(qmsg != NULL);
- REQUIRE(rmsg != NULL);
- REQUIRE(gname != NULL);
- if (outkey != NULL)
- REQUIRE(*outkey == NULL);
-
- if (rmsg->rcode != dns_rcode_noerror)
- return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
- RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
- RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-
- RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
- DNS_SECTION_ADDITIONAL));
- RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
- if (rtkey.error != dns_rcode_noerror ||
- rtkey.mode != DNS_TKEYMODE_GSSAPI ||
- !dns_name_equal(&rtkey.algorithm, &rtkey.algorithm))
- {
- tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
- "or error set");
- result = DNS_R_INVALIDTKEY;
- goto failure;
- }
-
- isc_buffer_init(&outtoken, array, sizeof(array));
- r.base = rtkey.key;
- r.length = rtkey.keylen;
- RETERR(dst_gssapi_initctx(gname, cred, &r, &outtoken, context));
-
- dstkey = NULL;
- RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
- &dstkey));
-
- RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
- dstkey, ISC_TRUE, NULL,
- rtkey.inception, rtkey.expire,
- rmsg->mctx, ring, outkey));
-
- dns_rdata_freestruct(&rtkey);
- return (result);
-
- failure:
- return (result);
-}
-
-isc_result_t
-dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
- dns_tsig_keyring_t *ring)
-{
- dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
- dns_name_t *tkeyname, *tempname;
- dns_rdata_tkey_t qtkey, rtkey;
- dns_tsigkey_t *tsigkey = NULL;
- isc_result_t result;
-
- REQUIRE(qmsg != NULL);
- REQUIRE(rmsg != NULL);
-
- if (rmsg->rcode != dns_rcode_noerror)
- return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
-
- RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
- RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
-
- RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
- DNS_SECTION_ADDITIONAL));
- RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
-
- if (rtkey.error != dns_rcode_noerror ||
- rtkey.mode != DNS_TKEYMODE_DELETE ||
- rtkey.mode != qtkey.mode ||
- !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
- rmsg->rcode != dns_rcode_noerror)
- {
- tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
- "or error set");
- result = DNS_R_INVALIDTKEY;
- dns_rdata_freestruct(&qtkey);
- dns_rdata_freestruct(&rtkey);
- goto failure;
- }
-
- dns_rdata_freestruct(&qtkey);
-
- RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
-
- dns_rdata_freestruct(&rtkey);
-
- /*
- * Mark the key as deleted.
- */
- dns_tsigkey_setdeleted(tsigkey);
- /*
- * Release the reference.
- */
- dns_tsigkey_detach(&tsigkey);
-
- failure:
- return (result);
-}
diff --git a/contrib/bind9/lib/dns/tsig.c b/contrib/bind9/lib/dns/tsig.c
deleted file mode 100644
index 6a8d774a2702..000000000000
--- a/contrib/bind9/lib/dns/tsig.c
+++ /dev/null
@@ -1,1218 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: tsig.c,v 1.112.2.3.8.6 2005/03/17 03:58:31 marka Exp $
- */
-
-#include <config.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/refcount.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/rbt.h>
-#include <dns/rdata.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-
-#include <dst/result.h>
-
-#define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
-#define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
-
-#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
-#define algname_is_allocated(algname) \
- ((algname) != dns_tsig_hmacmd5_name && \
- (algname) != dns_tsig_gssapi_name && \
- (algname) != dns_tsig_gssapims_name)
-
-#define BADTIMELEN 6
-
-static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
-static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
-
-static dns_name_t hmacmd5 = {
- DNS_NAME_MAGIC,
- hmacmd5_ndata, 26, 5,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- hmacmd5_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
-
-static unsigned char gsstsig_ndata[] = "\010gss-tsig";
-static unsigned char gsstsig_offsets[] = { 0, 9 };
-
-static dns_name_t gsstsig = {
- DNS_NAME_MAGIC,
- gsstsig_ndata, 10, 2,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- gsstsig_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
-
-/* It's nice of Microsoft to conform to their own standard. */
-static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
-static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
-
-static dns_name_t gsstsigms = {
- DNS_NAME_MAGIC,
- gsstsigms_ndata, 19, 4,
- DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
- gsstsigms_offsets, NULL,
- {(void *)-1, (void *)-1},
- {NULL, NULL}
-};
-
-LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
-
-static isc_result_t
-tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
-
-static void
-tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-static void
-tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
- va_list ap;
- char message[4096];
- char namestr[DNS_NAME_FORMATSIZE];
-
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
- if (key != NULL)
- dns_name_format(&key->name, namestr, sizeof(namestr));
- else
- strcpy(namestr, "<null>");
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
- level, "tsig key '%s': %s", namestr, message);
-}
-
-isc_result_t
-dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
- dst_key_t *dstkey, isc_boolean_t generated,
- dns_name_t *creator, isc_stdtime_t inception,
- isc_stdtime_t expire, isc_mem_t *mctx,
- dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
-{
- dns_tsigkey_t *tkey;
- isc_result_t ret;
- unsigned int refs = 0;
-
- REQUIRE(key == NULL || *key == NULL);
- REQUIRE(name != NULL);
- REQUIRE(algorithm != NULL);
- REQUIRE(mctx != NULL);
-
- tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
- if (tkey == NULL)
- return (ISC_R_NOMEMORY);
-
- dns_name_init(&tkey->name, NULL);
- ret = dns_name_dup(name, mctx, &tkey->name);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_key;
- (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
-
- if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
- tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
- if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
- ret = DNS_R_BADALG;
- goto cleanup_name;
- }
- } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
- tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
- if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
- ret = DNS_R_BADALG;
- goto cleanup_name;
- }
- } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
- tkey->algorithm = DNS_TSIG_GSSAPIMS_NAME;
- if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
- ret = DNS_R_BADALG;
- goto cleanup_name;
- }
- } else {
- if (dstkey != NULL) {
- ret = DNS_R_BADALG;
- goto cleanup_name;
- }
- tkey->algorithm = isc_mem_get(mctx, sizeof(dns_name_t));
- if (tkey->algorithm == NULL) {
- ret = ISC_R_NOMEMORY;
- goto cleanup_name;
- }
- dns_name_init(tkey->algorithm, NULL);
- ret = dns_name_dup(algorithm, mctx, tkey->algorithm);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_algorithm;
- (void)dns_name_downcase(tkey->algorithm, tkey->algorithm,
- NULL);
- }
-
- if (creator != NULL) {
- tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
- if (tkey->creator == NULL) {
- ret = ISC_R_NOMEMORY;
- goto cleanup_algorithm;
- }
- dns_name_init(tkey->creator, NULL);
- ret = dns_name_dup(creator, mctx, tkey->creator);
- if (ret != ISC_R_SUCCESS) {
- isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
- goto cleanup_algorithm;
- }
- } else
- tkey->creator = NULL;
-
- tkey->key = dstkey;
- tkey->ring = ring;
-
- if (ring != NULL) {
- RWLOCK(&ring->lock, isc_rwlocktype_write);
- ret = dns_rbt_addname(ring->keys, name, tkey);
- if (ret != ISC_R_SUCCESS) {
- RWUNLOCK(&ring->lock, isc_rwlocktype_write);
- goto cleanup_algorithm;
- }
- refs++;
- RWUNLOCK(&ring->lock, isc_rwlocktype_write);
- }
-
- if (key != NULL)
- refs++;
- isc_refcount_init(&tkey->refs, refs);
- tkey->generated = generated;
- tkey->inception = inception;
- tkey->expire = expire;
- tkey->mctx = mctx;
-
- tkey->magic = TSIG_MAGIC;
-
- if (dstkey != NULL && dst_key_size(dstkey) < 64) {
- char namestr[DNS_NAME_FORMATSIZE];
- dns_name_format(name, namestr, sizeof(namestr));
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
- DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
- "the key '%s' is too short to be secure",
- namestr);
- }
- if (key != NULL)
- *key = tkey;
-
- return (ISC_R_SUCCESS);
-
- cleanup_algorithm:
- if (algname_is_allocated(tkey->algorithm)) {
- if (dns_name_dynamic(tkey->algorithm))
- dns_name_free(tkey->algorithm, mctx);
- isc_mem_put(mctx, tkey->algorithm, sizeof(dns_name_t));
- }
- cleanup_name:
- dns_name_free(&tkey->name, mctx);
- cleanup_key:
- isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
-
- return (ret);
-}
-
-isc_result_t
-dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
- unsigned char *secret, int length, isc_boolean_t generated,
- dns_name_t *creator, isc_stdtime_t inception,
- isc_stdtime_t expire, isc_mem_t *mctx,
- dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
-{
- dst_key_t *dstkey = NULL;
- isc_result_t result;
-
- REQUIRE(length >= 0);
- if (length > 0)
- REQUIRE(secret != NULL);
-
- if (!dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && length > 0)
- return (DNS_R_BADALG);
-
- if (secret != NULL) {
- isc_buffer_t b;
-
- isc_buffer_init(&b, secret, length);
- isc_buffer_add(&b, length);
- result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
- DNS_KEYOWNER_ENTITY,
- DNS_KEYPROTO_DNSSEC,
- dns_rdataclass_in,
- &b, mctx, &dstkey);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
- generated, creator,
- inception, expire, mctx, ring, key);
- if (result != ISC_R_SUCCESS && dstkey != NULL)
- dst_key_free(&dstkey);
- return (result);
-}
-
-void
-dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
- REQUIRE(VALID_TSIG_KEY(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- isc_refcount_increment(&source->refs, NULL);
- *targetp = source;
-}
-
-static void
-tsigkey_free(dns_tsigkey_t *key) {
- REQUIRE(VALID_TSIG_KEY(key));
-
- key->magic = 0;
- dns_name_free(&key->name, key->mctx);
- if (algname_is_allocated(key->algorithm)) {
- dns_name_free(key->algorithm, key->mctx);
- isc_mem_put(key->mctx, key->algorithm, sizeof(dns_name_t));
- }
- if (key->key != NULL)
- dst_key_free(&key->key);
- if (key->creator != NULL) {
- dns_name_free(key->creator, key->mctx);
- isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
- }
- isc_refcount_destroy(&key->refs);
- isc_mem_put(key->mctx, key, sizeof(dns_tsigkey_t));
-}
-
-void
-dns_tsigkey_detach(dns_tsigkey_t **keyp) {
- dns_tsigkey_t *key;
- unsigned int refs;
-
- REQUIRE(keyp != NULL);
- REQUIRE(VALID_TSIG_KEY(*keyp));
-
- key = *keyp;
- isc_refcount_decrement(&key->refs, &refs);
-
- if (refs == 0)
- tsigkey_free(key);
-
- *keyp = NULL;
-}
-
-void
-dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
- REQUIRE(VALID_TSIG_KEY(key));
- REQUIRE(key->ring != NULL);
-
- RWLOCK(&key->ring->lock, isc_rwlocktype_write);
- (void)dns_rbt_deletename(key->ring->keys, &key->name, ISC_FALSE);
- RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
-}
-
-static void
-buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
- isc_uint16_t valhi;
- isc_uint32_t vallo;
-
- valhi = (isc_uint16_t)(val >> 32);
- vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
- isc_buffer_putuint16(b, valhi);
- isc_buffer_putuint32(b, vallo);
-}
-
-isc_result_t
-dns_tsig_sign(dns_message_t *msg) {
- dns_tsigkey_t *key;
- dns_rdata_any_tsig_t tsig, querytsig;
- unsigned char data[128];
- isc_buffer_t databuf, sigbuf;
- isc_buffer_t *dynbuf;
- dns_name_t *owner;
- dns_rdata_t *rdata;
- dns_rdatalist_t *datalist;
- dns_rdataset_t *dataset;
- isc_region_t r;
- isc_stdtime_t now;
- isc_mem_t *mctx;
- dst_context_t *ctx = NULL;
- isc_result_t ret;
- unsigned char badtimedata[BADTIMELEN];
- unsigned int sigsize = 0;
-
- REQUIRE(msg != NULL);
- REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg)));
-
- /*
- * If this is a response, there should be a query tsig.
- */
- if (is_response(msg) && msg->querytsig == NULL)
- return (DNS_R_EXPECTEDTSIG);
-
- dynbuf = NULL;
-
- mctx = msg->mctx;
- key = dns_message_gettsigkey(msg);
-
- tsig.mctx = mctx;
- tsig.common.rdclass = dns_rdataclass_any;
- tsig.common.rdtype = dns_rdatatype_tsig;
- ISC_LINK_INIT(&tsig.common, link);
- dns_name_init(&tsig.algorithm, NULL);
- dns_name_clone(key->algorithm, &tsig.algorithm);
-
- isc_stdtime_get(&now);
- tsig.timesigned = now + msg->timeadjust;
- tsig.fudge = DNS_TSIG_FUDGE;
-
- tsig.originalid = msg->id;
-
- isc_buffer_init(&databuf, data, sizeof(data));
-
- if (is_response(msg))
- tsig.error = msg->querytsigstatus;
- else
- tsig.error = dns_rcode_noerror;
-
- if (tsig.error != dns_tsigerror_badtime) {
- tsig.otherlen = 0;
- tsig.other = NULL;
- } else {
- isc_buffer_t otherbuf;
-
- tsig.otherlen = BADTIMELEN;
- tsig.other = badtimedata;
- isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
- buffer_putuint48(&otherbuf, tsig.timesigned);
- }
-
- if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
- unsigned char header[DNS_MESSAGE_HEADERLEN];
- isc_buffer_t headerbuf;
-
- ret = dst_context_create(key->key, mctx, &ctx);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- /*
- * If this is a response, digest the query signature.
- */
- if (is_response(msg)) {
- dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
-
- ret = dns_rdataset_first(msg->querytsig);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- dns_rdataset_current(msg->querytsig, &querytsigrdata);
- ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
- NULL);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- isc_buffer_putuint16(&databuf, querytsig.siglen);
- if (isc_buffer_availablelength(&databuf) <
- querytsig.siglen)
- {
- ret = ISC_R_NOSPACE;
- goto cleanup_context;
- }
- isc_buffer_putmem(&databuf, querytsig.signature,
- querytsig.siglen);
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- }
-
- /*
- * Digest the header.
- */
- isc_buffer_init(&headerbuf, header, sizeof(header));
- dns_message_renderheader(msg, &headerbuf);
- isc_buffer_usedregion(&headerbuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest the remainder of the message.
- */
- isc_buffer_usedregion(msg->buffer, &r);
- isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- if (msg->tcp_continuation == 0) {
- /*
- * Digest the name, class, ttl, alg.
- */
- dns_name_toregion(&key->name, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- isc_buffer_clear(&databuf);
- isc_buffer_putuint16(&databuf, dns_rdataclass_any);
- isc_buffer_putuint32(&databuf, 0); /* ttl */
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- dns_name_toregion(&tsig.algorithm, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- }
- /* Digest the timesigned and fudge */
- isc_buffer_clear(&databuf);
- if (tsig.error == dns_tsigerror_badtime)
- tsig.timesigned = querytsig.timesigned;
- buffer_putuint48(&databuf, tsig.timesigned);
- isc_buffer_putuint16(&databuf, tsig.fudge);
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- if (msg->tcp_continuation == 0) {
- /*
- * Digest the error and other data length.
- */
- isc_buffer_clear(&databuf);
- isc_buffer_putuint16(&databuf, tsig.error);
- isc_buffer_putuint16(&databuf, tsig.otherlen);
-
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest the error and other data.
- */
- if (tsig.otherlen > 0) {
- r.length = tsig.otherlen;
- r.base = tsig.other;
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- }
- }
-
- ret = dst_key_sigsize(key->key, &sigsize);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
- if (tsig.signature == NULL) {
- ret = ISC_R_NOMEMORY;
- goto cleanup_context;
- }
-
- isc_buffer_init(&sigbuf, tsig.signature, sigsize);
- ret = dst_context_sign(ctx, &sigbuf);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_signature;
- dst_context_destroy(&ctx);
- tsig.siglen = isc_buffer_usedlength(&sigbuf);
- } else {
- tsig.siglen = 0;
- tsig.signature = NULL;
- }
-
- rdata = NULL;
- ret = dns_message_gettemprdata(msg, &rdata);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_signature;
- ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_signature;
- ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
- dns_rdatatype_tsig, &tsig, dynbuf);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_dynbuf;
-
- dns_message_takebuffer(msg, &dynbuf);
-
- if (tsig.signature != NULL) {
- isc_mem_put(mctx, tsig.signature, sigsize);
- tsig.signature = NULL;
- }
-
- owner = NULL;
- ret = dns_message_gettempname(msg, &owner);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_dynbuf;
- dns_name_init(owner, NULL);
- ret = dns_name_dup(&key->name, msg->mctx, owner);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_owner;
-
- datalist = NULL;
- ret = dns_message_gettemprdatalist(msg, &datalist);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_owner;
- datalist->rdclass = dns_rdataclass_any;
- datalist->type = dns_rdatatype_tsig;
- datalist->covers = 0;
- datalist->ttl = 0;
- ISC_LIST_INIT(datalist->rdata);
- ISC_LIST_APPEND(datalist->rdata, rdata, link);
- dataset = NULL;
- ret = dns_message_gettemprdataset(msg, &dataset);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_owner;
- dns_rdataset_init(dataset);
- RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
- == ISC_R_SUCCESS);
- msg->tsig = dataset;
- msg->tsigname = owner;
-
- return (ISC_R_SUCCESS);
-
-cleanup_owner:
- if (owner != NULL)
- dns_message_puttempname(msg, &owner);
-cleanup_dynbuf:
- if (dynbuf != NULL)
- isc_buffer_free(&dynbuf);
-cleanup_signature:
- if (tsig.signature != NULL)
- isc_mem_put(mctx, tsig.signature, sigsize);
-cleanup_context:
- if (ctx != NULL)
- dst_context_destroy(&ctx);
- return (ret);
-}
-
-isc_result_t
-dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
- dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
-{
- dns_rdata_any_tsig_t tsig, querytsig;
- isc_region_t r, source_r, header_r, sig_r;
- isc_buffer_t databuf;
- unsigned char data[32];
- dns_name_t *keyname;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_stdtime_t now;
- isc_result_t ret;
- dns_tsigkey_t *tsigkey;
- dst_key_t *key = NULL;
- unsigned char header[DNS_MESSAGE_HEADERLEN];
- dst_context_t *ctx = NULL;
- isc_mem_t *mctx;
- isc_uint16_t addcount, id;
-
- REQUIRE(source != NULL);
- REQUIRE(DNS_MESSAGE_VALID(msg));
- tsigkey = dns_message_gettsigkey(msg);
- REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
-
- msg->verify_attempted = 1;
-
- if (msg->tcp_continuation)
- return (tsig_verify_tcp(source, msg));
-
- /*
- * There should be a TSIG record...
- */
- if (msg->tsig == NULL)
- return (DNS_R_EXPECTEDTSIG);
-
- /*
- * If this is a response and there's no key or query TSIG, there
- * shouldn't be one on the response.
- */
- if (is_response(msg) &&
- (tsigkey == NULL || msg->querytsig == NULL))
- return (DNS_R_UNEXPECTEDTSIG);
-
- mctx = msg->mctx;
-
- /*
- * If we're here, we know the message is well formed and contains a
- * TSIG record.
- */
-
- keyname = msg->tsigname;
- ret = dns_rdataset_first(msg->tsig);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- dns_rdataset_current(msg->tsig, &rdata);
- ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- dns_rdata_reset(&rdata);
- if (is_response(msg)) {
- ret = dns_rdataset_first(msg->querytsig);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- dns_rdataset_current(msg->querytsig, &rdata);
- ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- }
-
- /*
- * Do the key name and algorithm match that of the query?
- */
- if (is_response(msg) &&
- (!dns_name_equal(keyname, &tsigkey->name) ||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
- {
- msg->tsigstatus = dns_tsigerror_badkey;
- tsig_log(msg->tsigkey, 2,
- "key name and algorithm do not match");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
-
- /*
- * Get the current time.
- */
- isc_stdtime_get(&now);
-
- /*
- * Find dns_tsigkey_t based on keyname.
- */
- if (tsigkey == NULL) {
- ret = ISC_R_NOTFOUND;
- if (ring1 != NULL)
- ret = dns_tsigkey_find(&tsigkey, keyname,
- &tsig.algorithm, ring1);
- if (ret == ISC_R_NOTFOUND && ring2 != NULL)
- ret = dns_tsigkey_find(&tsigkey, keyname,
- &tsig.algorithm, ring2);
- if (ret != ISC_R_SUCCESS) {
- msg->tsigstatus = dns_tsigerror_badkey;
- ret = dns_tsigkey_create(keyname, &tsig.algorithm,
- NULL, 0, ISC_FALSE, NULL,
- now, now,
- mctx, NULL, &msg->tsigkey);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- tsig_log(msg->tsigkey, 2, "unknown key");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
- msg->tsigkey = tsigkey;
- }
-
- key = tsigkey->key;
-
- /*
- * Is the time ok?
- */
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- return (DNS_R_CLOCKSKEW);
- } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature is in the future");
- return (DNS_R_CLOCKSKEW);
- }
-
- if (tsig.siglen > 0) {
- sig_r.base = tsig.signature;
- sig_r.length = tsig.siglen;
-
- ret = dst_context_create(key, mctx, &ctx);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if (is_response(msg)) {
- isc_buffer_init(&databuf, data, sizeof(data));
- isc_buffer_putuint16(&databuf, querytsig.siglen);
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- if (querytsig.siglen > 0) {
- r.length = querytsig.siglen;
- r.base = querytsig.signature;
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- }
- }
-
- /*
- * Extract the header.
- */
- isc_buffer_usedregion(source, &r);
- memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
- isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-
- /*
- * Decrement the additional field counter.
- */
- memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
- addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
- memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
-
- /*
- * Put in the original id.
- */
- id = htons(tsig.originalid);
- memcpy(&header[0], &id, 2);
-
- /*
- * Digest the modified header.
- */
- header_r.base = (unsigned char *) header;
- header_r.length = DNS_MESSAGE_HEADERLEN;
- ret = dst_context_adddata(ctx, &header_r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest all non-TSIG records.
- */
- isc_buffer_usedregion(source, &source_r);
- r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
- r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest the key name.
- */
- dns_name_toregion(&tsigkey->name, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- isc_buffer_init(&databuf, data, sizeof(data));
- isc_buffer_putuint16(&databuf, tsig.common.rdclass);
- isc_buffer_putuint32(&databuf, msg->tsig->ttl);
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest the key algorithm.
- */
- dns_name_toregion(tsigkey->algorithm, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- isc_buffer_clear(&databuf);
- buffer_putuint48(&databuf, tsig.timesigned);
- isc_buffer_putuint16(&databuf, tsig.fudge);
- isc_buffer_putuint16(&databuf, tsig.error);
- isc_buffer_putuint16(&databuf, tsig.otherlen);
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- if (tsig.otherlen > 0) {
- r.base = tsig.other;
- r.length = tsig.otherlen;
- ret = dst_context_adddata(ctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- }
-
- ret = dst_context_verify(ctx, &sig_r);
- if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
- ret = DNS_R_TSIGVERIFYFAILURE;
- tsig_log(msg->tsigkey, 2,
- "signature failed to verify");
- goto cleanup_context;
- } else if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- dst_context_destroy(&ctx);
- } else if (tsig.error != dns_tsigerror_badsig &&
- tsig.error != dns_tsigerror_badkey)
- {
- msg->tsigstatus = dns_tsigerror_badsig;
- tsig_log(msg->tsigkey, 2, "signature was empty");
- return (DNS_R_TSIGVERIFYFAILURE);
- }
-
- msg->tsigstatus = dns_rcode_noerror;
-
- if (tsig.error != dns_rcode_noerror) {
- if (tsig.error == dns_tsigerror_badtime)
- return (DNS_R_CLOCKSKEW);
- else
- return (DNS_R_TSIGERRORSET);
- }
-
- msg->verified_sig = 1;
-
- return (ISC_R_SUCCESS);
-
-cleanup_context:
- if (ctx != NULL)
- dst_context_destroy(&ctx);
-
- return (ret);
-}
-
-static isc_result_t
-tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
- dns_rdata_any_tsig_t tsig, querytsig;
- isc_region_t r, source_r, header_r, sig_r;
- isc_buffer_t databuf;
- unsigned char data[32];
- dns_name_t *keyname;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_stdtime_t now;
- isc_result_t ret;
- dns_tsigkey_t *tsigkey;
- dst_key_t *key = NULL;
- unsigned char header[DNS_MESSAGE_HEADERLEN];
- isc_uint16_t addcount, id;
- isc_boolean_t has_tsig = ISC_FALSE;
- isc_mem_t *mctx;
-
- REQUIRE(source != NULL);
- REQUIRE(msg != NULL);
- REQUIRE(dns_message_gettsigkey(msg) != NULL);
- REQUIRE(msg->tcp_continuation == 1);
- REQUIRE(msg->querytsig != NULL);
-
- if (!is_response(msg))
- return (DNS_R_EXPECTEDRESPONSE);
-
- mctx = msg->mctx;
-
- tsigkey = dns_message_gettsigkey(msg);
-
- /*
- * Extract and parse the previous TSIG
- */
- ret = dns_rdataset_first(msg->querytsig);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- dns_rdataset_current(msg->querytsig, &rdata);
- ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
- if (ret != ISC_R_SUCCESS)
- return (ret);
- dns_rdata_reset(&rdata);
-
- /*
- * If there is a TSIG in this message, do some checks.
- */
- if (msg->tsig != NULL) {
- has_tsig = ISC_TRUE;
-
- keyname = msg->tsigname;
- ret = dns_rdataset_first(msg->tsig);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_querystruct;
- dns_rdataset_current(msg->tsig, &rdata);
- ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_querystruct;
-
- /*
- * Do the key name and algorithm match that of the query?
- */
- if (!dns_name_equal(keyname, &tsigkey->name) ||
- !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
- {
- msg->tsigstatus = dns_tsigerror_badkey;
- ret = DNS_R_TSIGVERIFYFAILURE;
- tsig_log(msg->tsigkey, 2,
- "key name and algorithm do not match");
- goto cleanup_querystruct;
- }
-
- /*
- * Is the time ok?
- */
- isc_stdtime_get(&now);
-
- if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2, "signature has expired");
- ret = DNS_R_CLOCKSKEW;
- goto cleanup_querystruct;
- } else if (now + msg->timeadjust <
- tsig.timesigned - tsig.fudge)
- {
- msg->tsigstatus = dns_tsigerror_badtime;
- tsig_log(msg->tsigkey, 2,
- "signature is in the future");
- ret = DNS_R_CLOCKSKEW;
- goto cleanup_querystruct;
- }
- }
-
- key = tsigkey->key;
-
- if (msg->tsigctx == NULL) {
- ret = dst_context_create(key, mctx, &msg->tsigctx);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_querystruct;
-
- /*
- * Digest the length of the query signature
- */
- isc_buffer_init(&databuf, data, sizeof(data));
- isc_buffer_putuint16(&databuf, querytsig.siglen);
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(msg->tsigctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest the data of the query signature
- */
- if (querytsig.siglen > 0) {
- r.length = querytsig.siglen;
- r.base = querytsig.signature;
- ret = dst_context_adddata(msg->tsigctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
- }
- }
-
- /*
- * Extract the header.
- */
- isc_buffer_usedregion(source, &r);
- memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
- isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
-
- /*
- * Decrement the additional field counter if necessary.
- */
- if (has_tsig) {
- memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
- addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
- memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
- }
-
- /*
- * Put in the original id.
- */
- /* XXX Can TCP transfers be forwarded? How would that work? */
- if (has_tsig) {
- id = htons(tsig.originalid);
- memcpy(&header[0], &id, 2);
- }
-
- /*
- * Digest the modified header.
- */
- header_r.base = (unsigned char *) header;
- header_r.length = DNS_MESSAGE_HEADERLEN;
- ret = dst_context_adddata(msg->tsigctx, &header_r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest all non-TSIG records.
- */
- isc_buffer_usedregion(source, &source_r);
- r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
- if (has_tsig)
- r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
- else
- r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
- ret = dst_context_adddata(msg->tsigctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- /*
- * Digest the time signed and fudge.
- */
- if (has_tsig) {
- isc_buffer_init(&databuf, data, sizeof(data));
- buffer_putuint48(&databuf, tsig.timesigned);
- isc_buffer_putuint16(&databuf, tsig.fudge);
- isc_buffer_usedregion(&databuf, &r);
- ret = dst_context_adddata(msg->tsigctx, &r);
- if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- sig_r.base = tsig.signature;
- sig_r.length = tsig.siglen;
- if (tsig.siglen == 0) {
- if (tsig.error != dns_rcode_noerror) {
- if (tsig.error == dns_tsigerror_badtime)
- ret = DNS_R_CLOCKSKEW;
- else
- ret = DNS_R_TSIGERRORSET;
- } else {
- tsig_log(msg->tsigkey, 2,
- "signature is empty");
- ret = DNS_R_TSIGVERIFYFAILURE;
- }
- goto cleanup_context;
- }
-
- ret = dst_context_verify(msg->tsigctx, &sig_r);
- if (ret == DST_R_VERIFYFAILURE) {
- msg->tsigstatus = dns_tsigerror_badsig;
- tsig_log(msg->tsigkey, 2,
- "signature failed to verify");
- ret = DNS_R_TSIGVERIFYFAILURE;
- goto cleanup_context;
- }
- else if (ret != ISC_R_SUCCESS)
- goto cleanup_context;
-
- dst_context_destroy(&msg->tsigctx);
- }
-
- msg->tsigstatus = dns_rcode_noerror;
- return (ISC_R_SUCCESS);
-
- cleanup_context:
- dst_context_destroy(&msg->tsigctx);
-
- cleanup_querystruct:
- dns_rdata_freestruct(&querytsig);
-
- return (ret);
-
-}
-
-isc_result_t
-dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
- dns_name_t *algorithm, dns_tsig_keyring_t *ring)
-{
- dns_tsigkey_t *key;
- isc_stdtime_t now;
- isc_result_t result;
-
- REQUIRE(tsigkey != NULL);
- REQUIRE(*tsigkey == NULL);
- REQUIRE(name != NULL);
- REQUIRE(ring != NULL);
-
- isc_stdtime_get(&now);
- RWLOCK(&ring->lock, isc_rwlocktype_read);
- key = NULL;
- result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
- if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
- RWUNLOCK(&ring->lock, isc_rwlocktype_read);
- return (ISC_R_NOTFOUND);
- }
- if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
- RWUNLOCK(&ring->lock, isc_rwlocktype_read);
- return (ISC_R_NOTFOUND);
- }
- if (key->inception != key->expire && key->expire < now) {
- /*
- * The key has expired.
- */
- RWUNLOCK(&ring->lock, isc_rwlocktype_read);
- RWLOCK(&ring->lock, isc_rwlocktype_write);
- (void) dns_rbt_deletename(ring->keys, name, ISC_FALSE);
- RWUNLOCK(&ring->lock, isc_rwlocktype_write);
- return (ISC_R_NOTFOUND);
- }
-
- isc_refcount_increment(&key->refs, NULL);
- RWUNLOCK(&ring->lock, isc_rwlocktype_read);
- *tsigkey = key;
- return (ISC_R_SUCCESS);
-}
-
-static void
-free_tsignode(void *node, void *_unused) {
- dns_tsigkey_t *key;
-
- UNUSED(_unused);
-
- REQUIRE(node != NULL);
-
- key = node;
- dns_tsigkey_detach(&key);
-}
-
-isc_result_t
-dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
- isc_result_t result;
- dns_tsig_keyring_t *ring;
-
- REQUIRE(mctx != NULL);
- REQUIRE(ringp != NULL);
- REQUIRE(*ringp == NULL);
-
- ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
- if (ring == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_rwlock_init(&ring->lock, 0, 0);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_rwlock_init() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- ring->keys = NULL;
- result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
- if (result != ISC_R_SUCCESS) {
- isc_rwlock_destroy(&ring->lock);
- isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
- return (result);
- }
-
- ring->mctx = mctx;
-
- *ringp = ring;
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
- dns_tsig_keyring_t *ring;
-
- REQUIRE(ringp != NULL);
- REQUIRE(*ringp != NULL);
-
- ring = *ringp;
- *ringp = NULL;
-
- dns_rbt_destroy(&ring->keys);
- isc_rwlock_destroy(&ring->lock);
- isc_mem_put(ring->mctx, ring, sizeof(dns_tsig_keyring_t));
-}
diff --git a/contrib/bind9/lib/dns/ttl.c b/contrib/bind9/lib/dns/ttl.c
deleted file mode 100644
index 1dad0fbad6fa..000000000000
--- a/contrib/bind9/lib/dns/ttl.c
+++ /dev/null
@@ -1,214 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ttl.c,v 1.21.12.5 2004/03/08 09:04:32 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/result.h>
-#include <dns/ttl.h>
-
-#define RETERR(x) do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-
-static isc_result_t bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl);
-
-/*
- * Helper for dns_ttl_totext().
- */
-static isc_result_t
-ttlfmt(unsigned int t, const char *s, isc_boolean_t verbose,
- isc_boolean_t space, isc_buffer_t *target)
-{
- char tmp[60];
- size_t len;
- isc_region_t region;
-
- if (verbose)
- len = snprintf(tmp, sizeof(tmp), "%s%u %s%s",
- space ? " " : "",
- t, s,
- t == 1 ? "" : "s");
- else
- len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);
-
- INSIST(len + 1 <= sizeof(tmp));
- isc_buffer_availableregion(target, &region);
- if (len > region.length)
- return (ISC_R_NOSPACE);
- memcpy(region.base, tmp, len);
- isc_buffer_add(target, len);
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Derived from bind8 ns_format_ttl().
- */
-isc_result_t
-dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose, isc_buffer_t *target) {
- unsigned secs, mins, hours, days, weeks, x;
-
- secs = src % 60; src /= 60;
- mins = src % 60; src /= 60;
- hours = src % 24; src /= 24;
- days = src % 7; src /= 7;
- weeks = src; src = 0;
-
- x = 0;
- if (weeks != 0) {
- RETERR(ttlfmt(weeks, "week", verbose, ISC_TF(x > 0), target));
- x++;
- }
- if (days != 0) {
- RETERR(ttlfmt(days, "day", verbose, ISC_TF(x > 0), target));
- x++;
- }
- if (hours != 0) {
- RETERR(ttlfmt(hours, "hour", verbose, ISC_TF(x > 0), target));
- x++;
- }
- if (mins != 0) {
- RETERR(ttlfmt(mins, "minute", verbose, ISC_TF(x > 0), target));
- x++;
- }
- if (secs != 0 ||
- (weeks == 0 && days == 0 && hours == 0 && mins == 0)) {
- RETERR(ttlfmt(secs, "second", verbose, ISC_TF(x > 0), target));
- x++;
- }
- INSIST (x > 0);
- /*
- * If only a single unit letter is printed, print it
- * in upper case. (Why? Because BIND 8 does that.
- * Presumably it has a reason.)
- */
- if (x == 1 && !verbose) {
- isc_region_t region;
- /*
- * The unit letter is the last character in the
- * used region of the buffer.
- *
- * toupper() does not need its argument to be masked of cast
- * here because region.base is type unsigned char *.
- */
- isc_buffer_usedregion(target, &region);
- region.base[region.length - 1] =
- toupper(region.base[region.length - 1]);
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
- return (bind_ttl(source, ttl));
-}
-
-isc_result_t
-dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
- isc_result_t result;
-
- result = bind_ttl(source, ttl);
- if (result != ISC_R_SUCCESS)
- result = DNS_R_BADTTL;
- return (result);
-}
-
-static isc_result_t
-bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl) {
- isc_uint32_t tmp = 0;
- isc_uint32_t n;
- char *s;
- char buf[64];
- char nbuf[64]; /* Number buffer */
-
- /*
- * Copy the buffer as it may not be NULL terminated.
- * No legal counter / ttl is longer that 63 characters.
- */
- if (source->length > sizeof(buf) - 1)
- return (DNS_R_SYNTAX);
- strncpy(buf, source->base, source->length);
- buf[source->length] = '\0';
- s = buf;
-
- do {
- isc_result_t result;
-
- char *np = nbuf;
- while (*s != '\0' && isdigit((unsigned char)*s))
- *np++ = *s++;
- *np++ = '\0';
- INSIST(np - nbuf <= (int)sizeof(nbuf));
- result = isc_parse_uint32(&n, nbuf, 10);
- if (result != ISC_R_SUCCESS)
- return (DNS_R_SYNTAX);
- switch (*s) {
- case 'w':
- case 'W':
- tmp += n * 7 * 24 * 3600;
- s++;
- break;
- case 'd':
- case 'D':
- tmp += n * 24 * 3600;
- s++;
- break;
- case 'h':
- case 'H':
- tmp += n * 3600;
- s++;
- break;
- case 'm':
- case 'M':
- tmp += n * 60;
- s++;
- break;
- case 's':
- case 'S':
- tmp += n;
- s++;
- break;
- case '\0':
- /* Plain number? */
- if (tmp != 0)
- return (DNS_R_SYNTAX);
- tmp = n;
- break;
- default:
- return (DNS_R_SYNTAX);
- }
- } while (*s != '\0');
- *ttl = tmp;
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
deleted file mode 100644
index a62db3413768..000000000000
--- a/contrib/bind9/lib/dns/validator.c
+++ /dev/null
@@ -1,2781 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: validator.c,v 1.91.2.5.8.21 2005/11/02 02:07:47 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/ds.h>
-#include <dns/dnssec.h>
-#include <dns/events.h>
-#include <dns/keytable.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/ncache.h>
-#include <dns/nsec.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdataset.h>
-#include <dns/rdatatype.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/validator.h>
-#include <dns/view.h>
-
-#define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
-#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
-
-#define VALATTR_SHUTDOWN 0x0001
-#define VALATTR_FOUNDNONEXISTENCE 0x0002
-#define VALATTR_TRIEDVERIFY 0x0004
-#define VALATTR_NEGATIVE 0x0008
-#define VALATTR_INSECURITY 0x0010
-#define VALATTR_DLVTRIED 0x0020
-
-#define VALATTR_NEEDNOQNAME 0x0100
-#define VALATTR_NEEDNOWILDCARD 0x0200
-#define VALATTR_NEEDNODATA 0x0400
-
-#define VALATTR_FOUNDNOQNAME 0x1000
-#define VALATTR_FOUNDNOWILDCARD 0x2000
-#define VALATTR_FOUNDNODATA 0x4000
-
-#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
-#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
-#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
-#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
-
-#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
-
-static void
-destroy(dns_validator_t *val);
-
-static isc_result_t
-get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
- dns_rdataset_t *rdataset);
-
-static isc_result_t
-validate(dns_validator_t *val, isc_boolean_t resume);
-
-static isc_result_t
-validatezonekey(dns_validator_t *val);
-
-static isc_result_t
-nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
-
-static isc_result_t
-proveunsecure(dns_validator_t *val, isc_boolean_t resume);
-
-static void
-validator_logv(dns_validator_t *val, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
- ISC_FORMAT_PRINTF(5, 0);
-
-static void
-validator_log(dns_validator_t *val, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-static void
-validator_logcreate(dns_validator_t *val,
- dns_name_t *name, dns_rdatatype_t type,
- const char *caller, const char *operation);
-
-static isc_result_t
-dlv_validatezonekey(dns_validator_t *val);
-
-static isc_result_t
-dlv_validator_start(dns_validator_t *val);
-
-static isc_result_t
-finddlvsep(dns_validator_t *val, isc_boolean_t resume);
-
-static inline void
-markanswer(dns_validator_t *val) {
- validator_log(val, ISC_LOG_DEBUG(3), "marking as answer");
- if (val->event->rdataset)
- val->event->rdataset->trust = dns_trust_answer;
- if (val->event->sigrdataset)
- val->event->sigrdataset->trust = dns_trust_answer;
-}
-
-static void
-validator_done(dns_validator_t *val, isc_result_t result) {
- isc_task_t *task;
-
- if (val->event == NULL)
- return;
-
- /*
- * Caller must be holding the lock.
- */
-
- val->event->result = result;
- task = val->event->ev_sender;
- val->event->ev_sender = val;
- val->event->ev_type = DNS_EVENT_VALIDATORDONE;
- val->event->ev_action = val->action;
- val->event->ev_arg = val->arg;
- isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
-}
-
-static inline isc_boolean_t
-exit_check(dns_validator_t *val) {
- /*
- * Caller must be holding the lock.
- */
- if (!SHUTDOWN(val))
- return (ISC_FALSE);
-
- INSIST(val->event == NULL);
-
- if (val->fetch != NULL || val->subvalidator != NULL)
- return (ISC_FALSE);
-
- return (ISC_TRUE);
-}
-
-static void
-auth_nonpending(dns_message_t *message) {
- isc_result_t result;
- dns_name_t *name;
- dns_rdataset_t *rdataset;
-
- for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
- {
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- if (rdataset->trust == dns_trust_pending)
- rdataset->trust = dns_trust_authauthority;
- }
- }
-}
-
-static isc_boolean_t
-isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
- isc_result_t dbresult)
-{
- dns_rdataset_t set;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_boolean_t found;
- isc_result_t result;
-
- REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
-
- dns_rdataset_init(&set);
- if (dbresult == DNS_R_NXRRSET)
- dns_rdataset_clone(rdataset, &set);
- else {
- result = dns_ncache_getrdataset(rdataset, name,
- dns_rdatatype_nsec, &set);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
- }
-
- INSIST(set.type == dns_rdatatype_nsec);
-
- found = ISC_FALSE;
- result = dns_rdataset_first(&set);
- if (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&set, &rdata);
- found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
- }
- dns_rdataset_disassociate(&set);
- return (found);
-}
-
-static void
-fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- dns_rdataset_t *rdataset;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- rdataset = &val->frdataset;
- eresult = devent->result;
-
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- isc_event_free(&event);
- dns_resolver_destroyfetch(&val->fetch);
-
- INSIST(val->event != NULL);
-
- validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
- LOCK(&val->lock);
- if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", rdataset->trust);
- /*
- * Only extract the dst key if the keyset is secure.
- */
- if (rdataset->trust >= dns_trust_secure) {
- result = get_dst_key(val, val->siginfo, rdataset);
- if (result == ISC_R_SUCCESS)
- val->keyset = &val->frdataset;
- }
- result = validate(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "fetch_callback_validator: got %s",
- isc_result_totext(eresult));
- if (eresult == ISC_R_CANCELED)
- validator_done(val, eresult);
- else
- validator_done(val, DNS_R_NOVALIDKEY);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-static void
-dsfetched(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- dns_rdataset_t *rdataset;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- rdataset = &val->frdataset;
- eresult = devent->result;
-
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- isc_event_free(&event);
- dns_resolver_destroyfetch(&val->fetch);
-
- INSIST(val->event != NULL);
-
- validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
- LOCK(&val->lock);
- if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dsset with trust %d", rdataset->trust);
- val->dsset = &val->frdataset;
- result = validatezonekey(val);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else if (eresult == DNS_R_NXRRSET ||
- eresult == DNS_R_NCACHENXRRSET)
- {
- validator_log(val, ISC_LOG_DEBUG(3),
- "falling back to insecurity proof");
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dsfetched: got %s",
- isc_result_totext(eresult));
- if (eresult == ISC_R_CANCELED)
- validator_done(val, eresult);
- else
- validator_done(val, DNS_R_NOVALIDDS);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-/*
- * XXX there's too much duplicated code here.
- */
-static void
-dsfetched2(isc_task_t *task, isc_event_t *event) {
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- dns_name_t *tname;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
-
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- dns_resolver_destroyfetch(&val->fetch);
-
- INSIST(val->event != NULL);
-
- validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2");
- LOCK(&val->lock);
- if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
- /*
- * There is no DS. If this is a delegation, we're done.
- */
- tname = dns_fixedname_name(&devent->foundname);
- if (isdelegation(tname, &val->frdataset, eresult)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- validator_done(val, DNS_R_MUSTBESECURE);
- } else {
- markanswer(val);
- validator_done(val, ISC_R_SUCCESS);
- }
- } else {
- result = proveunsecure(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- } else if (eresult == ISC_R_SUCCESS ||
- eresult == DNS_R_NXDOMAIN ||
- eresult == DNS_R_NCACHENXDOMAIN)
- {
- /*
- * Either there is a DS or this is not a zone cut. Continue.
- */
- result = proveunsecure(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- if (eresult == ISC_R_CANCELED)
- validator_done(val, eresult);
- else
- validator_done(val, DNS_R_NOVALIDDS);
- }
- isc_event_free(&event);
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-static void
-keyvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
- devent = (dns_validatorevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
-
- isc_event_free(&event);
- dns_validator_destroy(&val->subvalidator);
-
- INSIST(val->event != NULL);
-
- validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
- LOCK(&val->lock);
- if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", val->frdataset.trust);
- /*
- * Only extract the dst key if the keyset is secure.
- */
- if (val->frdataset.trust >= dns_trust_secure)
- (void) get_dst_key(val, val->siginfo, &val->frdataset);
- result = validate(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyvalidated: got %s",
- isc_result_totext(eresult));
- validator_done(val, eresult);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-static void
-dsvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_result_t eresult;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
- devent = (dns_validatorevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
-
- isc_event_free(&event);
- dns_validator_destroy(&val->subvalidator);
-
- INSIST(val->event != NULL);
-
- validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
- LOCK(&val->lock);
- if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dsset with trust %d", val->frdataset.trust);
- if ((val->attributes & VALATTR_INSECURITY) != 0)
- result = proveunsecure(val, ISC_TRUE);
- else
- result = validatezonekey(val);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dsvalidated: got %s",
- isc_result_totext(eresult));
- validator_done(val, eresult);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-/*
- * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
- * or we can determine whether there is data or not at the name.
- * If the name does not exist return the wildcard name.
- */
-static isc_result_t
-nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
- dns_rdataset_t *nsecset, isc_boolean_t *exists,
- isc_boolean_t *data, dns_name_t *wild)
-{
- int order;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- dns_namereln_t relation;
- unsigned int olabels, nlabels, labels;
- dns_rdata_nsec_t nsec;
- isc_boolean_t atparent;
-
- REQUIRE(exists != NULL);
- REQUIRE(data != NULL);
- REQUIRE(nsecset != NULL &&
- nsecset->type == dns_rdatatype_nsec);
-
- result = dns_rdataset_first(nsecset);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "failure processing NSEC set");
- return (result);
- }
- dns_rdataset_current(nsecset, &rdata);
-
- validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
- relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
-
- if (order < 0) {
- /*
- * The name is not within the NSEC range.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "NSEC does not cover name, before NSEC");
- return (ISC_R_IGNORE);
- }
-
- if (order == 0) {
- /*
- * The names are the same.
- */
- atparent = dns_rdatatype_atparent(val->event->type);
- if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
- !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
- {
- if (!atparent) {
- /*
- * This NSEC record is from somewhere higher in
- * the DNS, and at the parent of a delegation.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring parent nsec");
- return (ISC_R_IGNORE);
- }
- } else if (atparent) {
- /*
- * This NSEC record is from the child.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring child nsec");
- return (ISC_R_IGNORE);
- }
- *exists = ISC_TRUE;
- *data = dns_nsec_typepresent(&rdata, val->event->type);
- validator_log(val, ISC_LOG_DEBUG(3),
- "nsec proves name exists (owner) data=%d",
- *data);
- return (ISC_R_SUCCESS);
- }
-
- if (relation == dns_namereln_subdomain &&
- dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
- !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
- {
- /*
- * This NSEC record is from somewhere higher in
- * the DNS, and at the parent of a delegation.
- * It can not be legitimately used here.
- */
- validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
- return (ISC_R_IGNORE);
- }
-
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
- relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
- if (order == 0) {
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring nsec matches next name");
- return (ISC_R_IGNORE);
- }
-
- if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
- /*
- * The name is not within the NSEC range.
- */
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "ignoring nsec because name is past end of range");
- return (ISC_R_IGNORE);
- }
-
- if (order > 0 && relation == dns_namereln_subdomain) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "nsec proves name exist (empty)");
- dns_rdata_freestruct(&nsec);
- *exists = ISC_TRUE;
- *data = ISC_FALSE;
- return (ISC_R_SUCCESS);
- }
- if (wild != NULL) {
- dns_name_t common;
- dns_name_init(&common, NULL);
- if (olabels > nlabels) {
- labels = dns_name_countlabels(nsecname);
- dns_name_getlabelsequence(nsecname, labels - olabels,
- olabels, &common);
- } else {
- labels = dns_name_countlabels(&nsec.next);
- dns_name_getlabelsequence(&nsec.next, labels - nlabels,
- nlabels, &common);
- }
- result = dns_name_concatenate(dns_wildcardname, &common,
- wild, NULL);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "failure generating wilcard name");
- return (result);
- }
- }
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
- *exists = ISC_FALSE;
- return (ISC_R_SUCCESS);
-}
-
-static void
-authvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- dns_rdataset_t *rdataset;
- isc_boolean_t want_destroy;
- isc_result_t result;
- isc_boolean_t exists, data;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
- devent = (dns_validatorevent_t *)event;
- rdataset = devent->rdataset;
- val = devent->ev_arg;
- result = devent->result;
- dns_validator_destroy(&val->subvalidator);
-
- INSIST(val->event != NULL);
-
- validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
- LOCK(&val->lock);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "authvalidated: got %s",
- isc_result_totext(result));
- if (result == ISC_R_CANCELED)
- validator_done(val, result);
- else {
- result = nsecvalidate(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- } else {
- dns_name_t **proofs = val->event->proofs;
-
- if (rdataset->trust == dns_trust_secure)
- val->seensig = ISC_TRUE;
-
- if (rdataset->type == dns_rdatatype_nsec &&
- rdataset->trust == dns_trust_secure &&
- ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
- (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
- (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
- (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
- nsecnoexistnodata(val, val->event->name, devent->name,
- rdataset, &exists, &data,
- dns_fixedname_name(&val->wild))
- == ISC_R_SUCCESS)
- {
- if (exists && !data) {
- val->attributes |= VALATTR_FOUNDNODATA;
- if (NEEDNODATA(val))
- proofs[DNS_VALIDATOR_NODATAPROOF] =
- devent->name;
- }
- if (!exists) {
- val->attributes |= VALATTR_FOUNDNOQNAME;
- if (NEEDNOQNAME(val))
- proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
- devent->name;
- }
- }
- result = nsecvalidate(val, ISC_TRUE);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-
- /*
- * Free stuff from the event.
- */
- isc_event_free(&event);
-}
-
-static void
-negauthvalidated(isc_task_t *task, isc_event_t *event) {
- dns_validatorevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t eresult;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
-
- devent = (dns_validatorevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
- isc_event_free(&event);
- dns_validator_destroy(&val->subvalidator);
-
- INSIST(val->event != NULL);
-
- validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
- LOCK(&val->lock);
- if (eresult == ISC_R_SUCCESS) {
- val->attributes |= VALATTR_FOUNDNONEXISTENCE;
- validator_log(val, ISC_LOG_DEBUG(3),
- "nonexistence proof found");
- auth_nonpending(val->event->message);
- validator_done(val, ISC_R_SUCCESS);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "negauthvalidated: got %s",
- isc_result_totext(eresult));
- validator_done(val, eresult);
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-static inline isc_result_t
-view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
- dns_fixedname_t fixedname;
- dns_name_t *foundname;
- dns_rdata_nsec_t nsec;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- unsigned int options;
- char buf1[DNS_NAME_FORMATSIZE];
- char buf2[DNS_NAME_FORMATSIZE];
- char buf3[DNS_NAME_FORMATSIZE];
-
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
-
- if (val->view->zonetable == NULL)
- return (ISC_R_CANCELED);
-
- options = DNS_DBFIND_PENDINGOK;
- if (type == dns_rdatatype_dlv)
- options |= DNS_DBFIND_COVERINGNSEC;
- dns_fixedname_init(&fixedname);
- foundname = dns_fixedname_name(&fixedname);
- result = dns_view_find(val->view, name, type, 0, options,
- ISC_FALSE, NULL, NULL, foundname,
- &val->frdataset, &val->fsigrdataset);
- if (result == DNS_R_NXDOMAIN) {
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- } else if (result == DNS_R_COVERINGNSEC) {
- validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
- /*
- * Check if the returned NSEC covers the name.
- */
- INSIST(type == dns_rdatatype_dlv);
- if (val->frdataset.trust != dns_trust_secure) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: trust %u",
- val->frdataset.trust);
- goto notfound;
- }
- result = dns_rdataset_first(&val->frdataset);
- if (result != ISC_R_SUCCESS)
- goto notfound;
- dns_rdataset_current(&val->frdataset, &rdata);
- if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
- !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
- /* Parent NSEC record. */
- if (dns_name_issubdomain(name, foundname)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: for parent");
- goto notfound;
- }
- }
- result = dns_rdata_tostruct(&rdata, &nsec, NULL);
- if (result != ISC_R_SUCCESS)
- goto notfound;
- if (dns_name_compare(foundname, &nsec.next) >= 0) {
- /* End of zone chain. */
- if (!dns_name_issubdomain(name, &nsec.next)) {
- /*
- * XXXMPA We could look for a parent NSEC
- * at nsec.next and if found retest with
- * this NSEC.
- */
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: not in zone");
- goto notfound;
- }
- } else if (dns_name_compare(name, &nsec.next) >= 0) {
- /*
- * XXXMPA We could check if this NSEC is at a zone
- * apex and if the qname is not below it and look for
- * a parent NSEC with the same name. This requires
- * that we can cache both NSEC records which we
- * currently don't support.
- */
- dns_rdata_freestruct(&nsec);
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: not in range");
- goto notfound;
- }
- if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
- dns_name_format(name, buf1, sizeof buf1);
- dns_name_format(foundname, buf2, sizeof buf2);
- dns_name_format(&nsec.next, buf3, sizeof buf3);
- validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec found: '%s' '%s' '%s'",
- buf1, buf2, buf3);
- }
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- dns_rdata_freestruct(&nsec);
- result = DNS_R_NCACHENXDOMAIN;
- } else if (result != ISC_R_SUCCESS &&
- result != DNS_R_GLUE &&
- result != DNS_R_HINT &&
- result != DNS_R_NCACHENXDOMAIN &&
- result != DNS_R_NCACHENXRRSET &&
- result != DNS_R_NXRRSET &&
- result != DNS_R_HINTNXRRSET &&
- result != ISC_R_NOTFOUND) {
- goto notfound;
- }
- return (result);
-
- notfound:
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- return (ISC_R_NOTFOUND);
-}
-
-static inline isc_boolean_t
-check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
- dns_validator_t *parent;
-
- for (parent = val->parent; parent != NULL; parent = parent->parent) {
- if (parent->event != NULL &&
- parent->event->type == type &&
- dns_name_equal(parent->event->name, name))
- {
- validator_log(val, ISC_LOG_DEBUG(3),
- "continuing validation would lead to "
- "deadlock: aborting validation");
- return (ISC_TRUE);
- }
- }
- return (ISC_FALSE);
-}
-
-static inline isc_result_t
-create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
- isc_taskaction_t callback, const char *caller)
-{
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
-
- if (check_deadlock(val, name, type))
- return (DNS_R_NOVALIDSIG);
-
- validator_logcreate(val, name, type, caller, "fetch");
- return (dns_resolver_createfetch(val->view->resolver, name, type,
- NULL, NULL, NULL, 0,
- val->event->ev_sender,
- callback, val,
- &val->frdataset,
- &val->fsigrdataset,
- &val->fetch));
-}
-
-static inline isc_result_t
-create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
- isc_taskaction_t action, const char *caller)
-{
- isc_result_t result;
-
- if (check_deadlock(val, name, type))
- return (DNS_R_NOVALIDSIG);
-
- validator_logcreate(val, name, type, caller, "validator");
- result = dns_validator_create(val->view, name, type,
- rdataset, sigrdataset, NULL, 0,
- val->task, action, val,
- &val->subvalidator);
- if (result == ISC_R_SUCCESS) {
- val->subvalidator->parent = val;
- val->subvalidator->depth = val->depth + 1;
- }
- return (result);
-}
-
-/*
- * Try to find a key that could have signed 'siginfo' among those
- * in 'rdataset'. If found, build a dst_key_t for it and point
- * val->key at it.
- *
- * If val->key is non-NULL, this returns the next matching key.
- */
-static isc_result_t
-get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
- dns_rdataset_t *rdataset)
-{
- isc_result_t result;
- isc_buffer_t b;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dst_key_t *oldkey = val->key;
- isc_boolean_t foundold;
-
- if (oldkey == NULL)
- foundold = ISC_TRUE;
- else {
- foundold = ISC_FALSE;
- val->key = NULL;
- }
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- goto failure;
- do {
- dns_rdataset_current(rdataset, &rdata);
-
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
- INSIST(val->key == NULL);
- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
- val->view->mctx, &val->key);
- if (result != ISC_R_SUCCESS)
- goto failure;
- if (siginfo->algorithm ==
- (dns_secalg_t)dst_key_alg(val->key) &&
- siginfo->keyid ==
- (dns_keytag_t)dst_key_id(val->key) &&
- dst_key_iszonekey(val->key))
- {
- if (foundold)
- /*
- * This is the key we're looking for.
- */
- return (ISC_R_SUCCESS);
- else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
- {
- foundold = ISC_TRUE;
- dst_key_free(&oldkey);
- }
- }
- dst_key_free(&val->key);
- dns_rdata_reset(&rdata);
- result = dns_rdataset_next(rdataset);
- } while (result == ISC_R_SUCCESS);
- if (result == ISC_R_NOMORE)
- result = ISC_R_NOTFOUND;
-
- failure:
- if (oldkey != NULL)
- dst_key_free(&oldkey);
-
- return (result);
-}
-
-static isc_result_t
-get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
- isc_result_t result;
- unsigned int nlabels;
- int order;
- dns_namereln_t namereln;
-
- /*
- * Is the signer name appropriate for this signature?
- *
- * The signer name must be at the same level as the owner name
- * or closer to the the DNS root.
- */
- namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
- &order, &nlabels);
- if (namereln != dns_namereln_subdomain &&
- namereln != dns_namereln_equal)
- return (DNS_R_CONTINUE);
-
- if (namereln == dns_namereln_equal) {
- /*
- * If this is a self-signed keyset, it must not be a zone key
- * (since get_key is not called from validatezonekey).
- */
- if (val->event->rdataset->type == dns_rdatatype_dnskey)
- return (DNS_R_CONTINUE);
-
- /*
- * Records appearing in the parent zone at delegation
- * points cannot be self-signed.
- */
- if (dns_rdatatype_atparent(val->event->rdataset->type))
- return (DNS_R_CONTINUE);
- }
-
- /*
- * Do we know about this key?
- */
- result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
- if (result == ISC_R_SUCCESS) {
- /*
- * We have an rrset for the given keyname.
- */
- val->keyset = &val->frdataset;
- if (val->frdataset.trust == dns_trust_pending &&
- dns_rdataset_isassociated(&val->fsigrdataset))
- {
- /*
- * We know the key but haven't validated it yet.
- */
- result = create_validator(val, &siginfo->signer,
- dns_rdatatype_dnskey,
- &val->frdataset,
- &val->fsigrdataset,
- keyvalidated,
- "get_key");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (val->frdataset.trust == dns_trust_pending) {
- /*
- * Having a pending key with no signature means that
- * something is broken.
- */
- result = DNS_R_CONTINUE;
- } else if (val->frdataset.trust < dns_trust_secure) {
- /*
- * The key is legitimately insecure. There's no
- * point in even attempting verification.
- */
- val->key = NULL;
- result = ISC_R_SUCCESS;
- } else {
- /*
- * See if we've got the key used in the signature.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d",
- val->frdataset.trust);
- result = get_dst_key(val, siginfo, val->keyset);
- if (result != ISC_R_SUCCESS) {
- /*
- * Either the key we're looking for is not
- * in the rrset, or something bad happened.
- * Give up.
- */
- result = DNS_R_CONTINUE;
- }
- }
- } else if (result == ISC_R_NOTFOUND) {
- /*
- * We don't know anything about this key.
- */
- result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
- fetch_callback_validator, "get_key");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (result == DNS_R_NCACHENXDOMAIN ||
- result == DNS_R_NCACHENXRRSET ||
- result == DNS_R_NXDOMAIN ||
- result == DNS_R_NXRRSET)
- {
- /*
- * This key doesn't exist.
- */
- result = DNS_R_CONTINUE;
- }
-
- if (dns_rdataset_isassociated(&val->frdataset) &&
- val->keyset != &val->frdataset)
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
-
- return (result);
-}
-
-static dns_keytag_t
-compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
- isc_region_t r;
-
- dns_rdata_toregion(rdata, &r);
- return (dst_region_computeid(&r, key->algorithm));
-}
-
-/*
- * Is this keyset self-signed?
- */
-static isc_boolean_t
-isselfsigned(dns_validator_t *val) {
- dns_rdataset_t *rdataset, *sigrdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdata_dnskey_t key;
- dns_rdata_rrsig_t sig;
- dns_keytag_t keytag;
- isc_result_t result;
-
- rdataset = val->event->rdataset;
- sigrdataset = val->event->sigrdataset;
-
- INSIST(rdataset->type == dns_rdatatype_dnskey);
-
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset))
- {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(rdataset, &rdata);
- (void)dns_rdata_tostruct(&rdata, &key, NULL);
- keytag = compute_keytag(&rdata, &key);
- for (result = dns_rdataset_first(sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(sigrdataset))
- {
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(sigrdataset, &sigrdata);
- (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
-
- if (sig.algorithm == key.algorithm &&
- sig.keyid == keytag)
- return (ISC_TRUE);
- }
- }
- return (ISC_FALSE);
-}
-
-static isc_result_t
-verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata) {
- isc_result_t result;
- dns_fixedname_t fixed;
-
- val->attributes |= VALATTR_TRIEDVERIFY;
- dns_fixedname_init(&fixed);
- result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
- key, ISC_FALSE, val->view->mctx, rdata,
- dns_fixedname_name(&fixed));
- validator_log(val, ISC_LOG_DEBUG(3),
- "verify rdataset: %s",
- isc_result_totext(result));
- if (result == DNS_R_FROMWILDCARD) {
- if (!dns_name_equal(val->event->name,
- dns_fixedname_name(&fixed)))
- val->attributes |= VALATTR_NEEDNOQNAME;
- result = ISC_R_SUCCESS;
- }
- return (result);
-}
-
-/*
- * Attempts positive response validation of a normal RRset.
- *
- * Returns:
- * ISC_R_SUCCESS Validation completed successfully
- * DNS_R_WAIT Validation has started but is waiting
- * for an event.
- * Other return codes are possible and all indicate failure.
- */
-static isc_result_t
-validate(dns_validator_t *val, isc_boolean_t resume) {
- isc_result_t result;
- dns_validatorevent_t *event;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- /*
- * Caller must be holding the validator lock.
- */
-
- event = val->event;
-
- if (resume) {
- /*
- * We already have a sigrdataset.
- */
- result = ISC_R_SUCCESS;
- validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
- } else {
- result = dns_rdataset_first(event->sigrdataset);
- }
-
- for (;
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(event->sigrdataset))
- {
- dns_rdata_reset(&rdata);
- dns_rdataset_current(event->sigrdataset, &rdata);
- if (val->siginfo == NULL) {
- val->siginfo = isc_mem_get(val->view->mctx,
- sizeof(*val->siginfo));
- if (val->siginfo == NULL)
- return (ISC_R_NOMEMORY);
- }
- result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * At this point we could check that the signature algorithm
- * was known and "sufficiently good".
- */
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- event->name,
- val->siginfo->algorithm))
- continue;
-
- if (!resume) {
- result = get_key(val, val->siginfo);
- if (result == DNS_R_CONTINUE)
- continue; /* Try the next SIG RR. */
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- /*
- * The key is insecure, so mark the data as insecure also.
- */
- if (val->key == NULL) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
- markanswer(val);
- return (ISC_R_SUCCESS);
- }
-
- do {
- result = verify(val, val->key, &rdata);
- if (result == ISC_R_SUCCESS)
- break;
- if (val->keynode != NULL) {
- dns_keynode_t *nextnode = NULL;
- result = dns_keytable_findnextkeynode(
- val->keytable,
- val->keynode,
- &nextnode);
- dns_keytable_detachkeynode(val->keytable,
- &val->keynode);
- val->keynode = nextnode;
- if (result != ISC_R_SUCCESS) {
- val->key = NULL;
- break;
- }
- val->key = dns_keynode_key(val->keynode);
- } else {
- if (get_dst_key(val, val->siginfo, val->keyset)
- != ISC_R_SUCCESS)
- break;
- }
- } while (1);
- if (result != ISC_R_SUCCESS)
- validator_log(val, ISC_LOG_DEBUG(3),
- "failed to verify rdataset");
- else {
- isc_uint32_t ttl;
- isc_stdtime_t now;
-
- isc_stdtime_get(&now);
- ttl = ISC_MIN(event->rdataset->ttl,
- val->siginfo->timeexpire - now);
- if (val->keyset != NULL)
- ttl = ISC_MIN(ttl, val->keyset->ttl);
- event->rdataset->ttl = ttl;
- event->sigrdataset->ttl = ttl;
- }
-
- if (val->keynode != NULL)
- dns_keytable_detachkeynode(val->keytable,
- &val->keynode);
- else {
- if (val->key != NULL)
- dst_key_free(&val->key);
- if (val->keyset != NULL) {
- dns_rdataset_disassociate(val->keyset);
- val->keyset = NULL;
- }
- }
- val->key = NULL;
- if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) {
- if (val->event->message == NULL) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "no message available for noqname proof");
- return (DNS_R_NOVALIDSIG);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "looking for noqname proof");
- return (nsecvalidate(val, ISC_FALSE));
- } else if (result == ISC_R_SUCCESS) {
- event->rdataset->trust = dns_trust_secure;
- event->sigrdataset->trust = dns_trust_secure;
- validator_log(val, ISC_LOG_DEBUG(3),
- "marking as secure");
- return (result);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "verify failure: %s",
- isc_result_totext(result));
- resume = ISC_FALSE;
- }
- }
- if (result != ISC_R_NOMORE) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "failed to iterate signatures: %s",
- isc_result_totext(result));
- return (result);
- }
-
- validator_log(val, ISC_LOG_INFO, "no valid signature found");
- return (DNS_R_NOVALIDSIG);
-}
-
-static isc_result_t
-dlv_validatezonekey(dns_validator_t *val) {
- dns_keytag_t keytag;
- dns_rdata_dlv_t dlv;
- dns_rdata_dnskey_t key;
- dns_rdata_rrsig_t sig;
- dns_rdata_t dlvrdata = DNS_RDATA_INIT;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- dns_rdataset_t trdataset;
- dst_key_t *dstkey;
- isc_boolean_t supported_algorithm;
- isc_result_t result;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
-
- validator_log(val, ISC_LOG_DEBUG(3), "dlv_validatezonekey");
- /*
- * Look through the DLV record and find the keys that can sign the
- * key set and the matching signature. For each such key, attempt
- * verification.
- */
-
- supported_algorithm = ISC_FALSE;
-
- for (result = dns_rdataset_first(&val->dlv);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&val->dlv))
- {
- dns_rdata_reset(&dlvrdata);
- dns_rdataset_current(&val->dlv, &dlvrdata);
- (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
-
- if (dlv.digest_type != DNS_DSDIGEST_SHA1 ||
- !dns_resolver_algorithm_supported(val->view->resolver,
- val->event->name,
- dlv.algorithm))
- continue;
-
- supported_algorithm = ISC_TRUE;
-
- dns_rdataset_init(&trdataset);
- dns_rdataset_clone(val->event->rdataset, &trdataset);
-
- for (result = dns_rdataset_first(&trdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&trdataset))
- {
- dns_rdata_reset(&keyrdata);
- dns_rdataset_current(&trdataset, &keyrdata);
- (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
- keytag = compute_keytag(&keyrdata, &key);
- if (dlv.key_tag != keytag ||
- dlv.algorithm != key.algorithm)
- continue;
- dns_rdata_reset(&newdsrdata);
- result = dns_ds_buildrdata(val->event->name,
- &keyrdata, dlv.digest_type,
- dsbuf, &newdsrdata);
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "dns_ds_buildrdata() -> %s",
- dns_result_totext(result));
- continue;
- }
- /* Covert to DLV */
- newdsrdata.type = dns_rdatatype_dlv;
- if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
- break;
- }
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "no DNSKEY matching DLV");
- continue;
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "Found matching DLV record: checking for signature");
-
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(val->event->sigrdataset,
- &sigrdata);
- (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
- if (dlv.key_tag != sig.keyid &&
- dlv.algorithm != sig.algorithm)
- continue;
- dstkey = NULL;
- result = dns_dnssec_keyfromrdata(val->event->name,
- &keyrdata,
- val->view->mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS)
- /*
- * This really shouldn't happen, but...
- */
- continue;
-
- result = verify(val, dstkey, &sigrdata);
- dst_key_free(&dstkey);
- if (result == ISC_R_SUCCESS)
- break;
- }
- dns_rdataset_disassociate(&trdataset);
- if (result == ISC_R_SUCCESS)
- break;
- validator_log(val, ISC_LOG_DEBUG(3),
- "no RRSIG matching DLV key");
- }
- if (result == ISC_R_SUCCESS) {
- val->event->rdataset->trust = dns_trust_secure;
- val->event->sigrdataset->trust = dns_trust_secure;
- validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
- return (result);
- } else if (result == ISC_R_NOMORE && !supported_algorithm) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/digest (dlv)");
- markanswer(val);
- return (ISC_R_SUCCESS);
- } else
- return (DNS_R_NOVALIDSIG);
-}
-
-/*
- * Attempts positive response validation of an RRset containing zone keys.
- *
- * Returns:
- * ISC_R_SUCCESS Validation completed successfully
- * DNS_R_WAIT Validation has started but is waiting
- * for an event.
- * Other return codes are possible and all indicate failure.
- */
-static isc_result_t
-validatezonekey(dns_validator_t *val) {
- isc_result_t result;
- dns_validatorevent_t *event;
- dns_rdataset_t trdataset;
- dns_rdata_t dsrdata = DNS_RDATA_INIT;
- dns_rdata_t newdsrdata = DNS_RDATA_INIT;
- dns_rdata_t keyrdata = DNS_RDATA_INIT;
- dns_rdata_t sigrdata = DNS_RDATA_INIT;
- unsigned char dsbuf[DNS_DS_BUFFERSIZE];
- dns_keytag_t keytag;
- dns_rdata_ds_t ds;
- dns_rdata_dnskey_t key;
- dns_rdata_rrsig_t sig;
- dst_key_t *dstkey;
- isc_boolean_t supported_algorithm;
-
- /*
- * Caller must be holding the validator lock.
- */
-
- event = val->event;
-
- if (val->havedlvsep && val->dlv.trust >= dns_trust_secure &&
- dns_name_equal(event->name, dns_fixedname_name(&val->dlvsep)))
- return (dlv_validatezonekey(val));
-
- if (val->dsset == NULL) {
- /*
- * First, see if this key was signed by a trusted key.
- */
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_keynode_t *keynode = NULL, *nextnode = NULL;
-
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(val->event->sigrdataset,
- &sigrdata);
- (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
- result = dns_keytable_findkeynode(val->keytable,
- val->event->name,
- sig.algorithm,
- sig.keyid,
- &keynode);
- while (result == ISC_R_SUCCESS) {
- dstkey = dns_keynode_key(keynode);
- result = verify(val, dstkey, &sigrdata);
- if (result == ISC_R_SUCCESS) {
- dns_keytable_detachkeynode(val->keytable,
- &keynode);
- break;
- }
- result = dns_keytable_findnextkeynode(
- val->keytable,
- keynode,
- &nextnode);
- dns_keytable_detachkeynode(val->keytable,
- &keynode);
- keynode = nextnode;
- }
- if (result == ISC_R_SUCCESS) {
- event->rdataset->trust = dns_trust_secure;
- event->sigrdataset->trust = dns_trust_secure;
- validator_log(val, ISC_LOG_DEBUG(3),
- "signed by trusted key; "
- "marking as secure");
- return (result);
- }
- }
-
- /*
- * If this is the root name and there was no trusted key,
- * give up, since there's no DS at the root.
- */
- if (dns_name_equal(event->name, dns_rootname)) {
- if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
- return (DNS_R_NOVALIDSIG);
- else
- return (DNS_R_NOVALIDDS);
- }
-
- /*
- * Otherwise, try to find the DS record.
- */
- result = view_find(val, val->event->name, dns_rdatatype_ds);
- if (result == ISC_R_SUCCESS) {
- /*
- * We have DS records.
- */
- val->dsset = &val->frdataset;
- if (val->frdataset.trust == dns_trust_pending &&
- dns_rdataset_isassociated(&val->fsigrdataset))
- {
- result = create_validator(val,
- val->event->name,
- dns_rdatatype_ds,
- &val->frdataset,
- &val->fsigrdataset,
- dsvalidated,
- "validatezonekey");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (val->frdataset.trust == dns_trust_pending) {
- /*
- * There should never be an unsigned DS.
- */
- dns_rdataset_disassociate(&val->frdataset);
- validator_log(val, ISC_LOG_DEBUG(2),
- "unsigned DS record");
- return (DNS_R_NOVALIDSIG);
- } else
- result = ISC_R_SUCCESS;
- } else if (result == ISC_R_NOTFOUND) {
- /*
- * We don't have the DS. Find it.
- */
- result = create_fetch(val, val->event->name,
- dns_rdatatype_ds, dsfetched,
- "validatezonekey");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- } else if (result == DNS_R_NCACHENXDOMAIN ||
- result == DNS_R_NCACHENXRRSET ||
- result == DNS_R_NXDOMAIN ||
- result == DNS_R_NXRRSET)
- {
- /*
- * The DS does not exist.
- */
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
- return (DNS_R_NOVALIDSIG);
- }
- }
-
- /*
- * We have a DS set.
- */
- INSIST(val->dsset != NULL);
-
- if (val->dsset->trust < dns_trust_secure) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
- markanswer(val);
- return (ISC_R_SUCCESS);
- }
-
- /*
- * Look through the DS record and find the keys that can sign the
- * key set and the matching signature. For each such key, attempt
- * verification.
- */
-
- supported_algorithm = ISC_FALSE;
-
- for (result = dns_rdataset_first(val->dsset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->dsset))
- {
- dns_rdata_reset(&dsrdata);
- dns_rdataset_current(val->dsset, &dsrdata);
- (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
-
- if (ds.digest_type != DNS_DSDIGEST_SHA1)
- continue;
- if (!dns_resolver_algorithm_supported(val->view->resolver,
- val->event->name,
- ds.algorithm))
- continue;
-
- supported_algorithm = ISC_TRUE;
-
- dns_rdataset_init(&trdataset);
- dns_rdataset_clone(val->event->rdataset, &trdataset);
-
- for (result = dns_rdataset_first(&trdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&trdataset))
- {
- dns_rdata_reset(&keyrdata);
- dns_rdataset_current(&trdataset, &keyrdata);
- (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
- keytag = compute_keytag(&keyrdata, &key);
- if (ds.key_tag != keytag ||
- ds.algorithm != key.algorithm)
- continue;
- dns_rdata_reset(&newdsrdata);
- result = dns_ds_buildrdata(val->event->name,
- &keyrdata, ds.digest_type,
- dsbuf, &newdsrdata);
- if (result != ISC_R_SUCCESS)
- continue;
- if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
- break;
- }
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "no DNSKEY matching DS");
- continue;
- }
-
- for (result = dns_rdataset_first(val->event->sigrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(val->event->sigrdataset))
- {
- dns_rdata_reset(&sigrdata);
- dns_rdataset_current(val->event->sigrdataset,
- &sigrdata);
- (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
- if (ds.key_tag != sig.keyid &&
- ds.algorithm != sig.algorithm)
- continue;
-
- dstkey = NULL;
- result = dns_dnssec_keyfromrdata(val->event->name,
- &keyrdata,
- val->view->mctx,
- &dstkey);
- if (result != ISC_R_SUCCESS)
- /*
- * This really shouldn't happen, but...
- */
- continue;
-
- result = verify(val, dstkey, &sigrdata);
- dst_key_free(&dstkey);
- if (result == ISC_R_SUCCESS)
- break;
- }
- dns_rdataset_disassociate(&trdataset);
- if (result == ISC_R_SUCCESS)
- break;
- validator_log(val, ISC_LOG_DEBUG(3),
- "no RRSIG matching DS key");
- }
- if (result == ISC_R_SUCCESS) {
- event->rdataset->trust = dns_trust_secure;
- event->sigrdataset->trust = dns_trust_secure;
- validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
- return (result);
- } else if (result == ISC_R_NOMORE && !supported_algorithm) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/digest (DS)");
- markanswer(val);
- return (ISC_R_SUCCESS);
- } else
- return (DNS_R_NOVALIDSIG);
-}
-
-/*
- * Starts a positive response validation.
- *
- * Returns:
- * ISC_R_SUCCESS Validation completed successfully
- * DNS_R_WAIT Validation has started but is waiting
- * for an event.
- * Other return codes are possible and all indicate failure.
- */
-static isc_result_t
-start_positive_validation(dns_validator_t *val) {
- /*
- * If this is not a key, go straight into validate().
- */
- if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
- return (validate(val, ISC_FALSE));
-
- return (validatezonekey(val));
-}
-
-static isc_result_t
-checkwildcard(dns_validator_t *val) {
- dns_name_t *name, *wild;
- dns_message_t *message = val->event->message;
- isc_result_t result;
- isc_boolean_t exists, data;
- char namebuf[DNS_NAME_FORMATSIZE];
-
- wild = dns_fixedname_name(&val->wild);
- dns_name_format(wild, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
-
- for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
- {
- dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
-
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
-
- for (rdataset = ISC_LIST_HEAD(name->list);
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- if (rdataset->type != dns_rdatatype_nsec)
- continue;
- val->nsecset = rdataset;
-
- for (sigrdataset = ISC_LIST_HEAD(name->list);
- sigrdataset != NULL;
- sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
- {
- if (sigrdataset->type == dns_rdatatype_rrsig &&
- sigrdataset->covers == rdataset->type)
- break;
- }
- if (sigrdataset == NULL)
- continue;
-
- if (rdataset->trust != dns_trust_secure)
- continue;
-
- if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
- (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
- (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
- (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
- nsecnoexistnodata(val, wild, name, rdataset,
- &exists, &data, NULL)
- == ISC_R_SUCCESS)
- {
- dns_name_t **proofs = val->event->proofs;
- if (exists && !data)
- val->attributes |= VALATTR_FOUNDNODATA;
- if (exists && !data && NEEDNODATA(val))
- proofs[DNS_VALIDATOR_NODATAPROOF] =
- name;
- if (!exists)
- val->attributes |=
- VALATTR_FOUNDNOWILDCARD;
- if (!exists && NEEDNOQNAME(val))
- proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
- name;
- return (ISC_R_SUCCESS);
- }
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- return (result);
-}
-
-static isc_result_t
-nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
- dns_name_t *name;
- dns_message_t *message = val->event->message;
- isc_result_t result;
-
- if (!resume)
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
- else {
- result = ISC_R_SUCCESS;
- validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
- }
-
- for (;
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
- {
- dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
-
- name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
- if (resume) {
- rdataset = ISC_LIST_NEXT(val->currentset, link);
- val->currentset = NULL;
- resume = ISC_FALSE;
- } else
- rdataset = ISC_LIST_HEAD(name->list);
-
- for (;
- rdataset != NULL;
- rdataset = ISC_LIST_NEXT(rdataset, link))
- {
- if (rdataset->type == dns_rdatatype_rrsig)
- continue;
-
- if (rdataset->type == dns_rdatatype_soa) {
- val->soaset = rdataset;
- val->soaname = name;
- } else if (rdataset->type == dns_rdatatype_nsec)
- val->nsecset = rdataset;
-
- for (sigrdataset = ISC_LIST_HEAD(name->list);
- sigrdataset != NULL;
- sigrdataset = ISC_LIST_NEXT(sigrdataset,
- link))
- {
- if (sigrdataset->type == dns_rdatatype_rrsig &&
- sigrdataset->covers == rdataset->type)
- break;
- }
- if (sigrdataset == NULL)
- continue;
- /*
- * If a signed zone is missing the zone key, bad
- * things could happen. A query for data in the zone
- * would lead to a query for the zone key, which
- * would return a negative answer, which would contain
- * an SOA and an NSEC signed by the missing key, which
- * would trigger another query for the DNSKEY (since
- * the first one is still in progress), and go into an
- * infinite loop. Avoid that.
- */
- if (val->event->type == dns_rdatatype_dnskey &&
- dns_name_equal(name, val->event->name))
- {
- dns_rdata_t nsec = DNS_RDATA_INIT;
-
- if (rdataset->type != dns_rdatatype_nsec)
- continue;
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_rdataset_current(rdataset, &nsec);
- if (dns_nsec_typepresent(&nsec,
- dns_rdatatype_soa))
- continue;
- }
- val->currentset = rdataset;
- result = create_validator(val, name, rdataset->type,
- rdataset, sigrdataset,
- authvalidated,
- "nsecvalidate");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
-
- }
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Do we only need to check for NOQNAME?
- */
- if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
- (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
- (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
- if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "noqname proof found");
- validator_log(val, ISC_LOG_DEBUG(3),
- "marking as secure");
- val->event->rdataset->trust = dns_trust_secure;
- val->event->sigrdataset->trust = dns_trust_secure;
- return (ISC_R_SUCCESS);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "noqname proof not found");
- return (DNS_R_NOVALIDNSEC);
- }
-
- /*
- * Do we need to check for the wildcard?
- */
- if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
- (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
- (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
- (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
- result = checkwildcard(val);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
- (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
- ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
- (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
- (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
- (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0))
- val->attributes |= VALATTR_FOUNDNONEXISTENCE;
-
- if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
- if (!val->seensig && val->soaset != NULL) {
- result = create_validator(val, val->soaname,
- dns_rdatatype_soa,
- val->soaset, NULL,
- negauthvalidated,
- "nsecvalidate");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "nonexistence proof not found");
- return (DNS_R_NOVALIDNSEC);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3),
- "nonexistence proof found");
- return (ISC_R_SUCCESS);
- }
-}
-
-static isc_boolean_t
-check_ds(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset) {
- dns_rdata_t dsrdata = DNS_RDATA_INIT;
- dns_rdata_ds_t ds;
- isc_result_t result;
-
- for (result = dns_rdataset_first(rdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rdataset)) {
- dns_rdataset_current(rdataset, &dsrdata);
- (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
-
- if (ds.digest_type == DNS_DSDIGEST_SHA1 &&
- dns_resolver_algorithm_supported(val->view->resolver,
- name, ds.algorithm)) {
- dns_rdata_reset(&dsrdata);
- return (ISC_TRUE);
- }
- dns_rdata_reset(&dsrdata);
- }
- return (ISC_FALSE);
-}
-
-static void
-dlvfetched(isc_task_t *task, isc_event_t *event) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_fetchevent_t *devent;
- dns_validator_t *val;
- isc_boolean_t want_destroy;
- isc_result_t eresult;
- isc_result_t result;
-
- UNUSED(task);
- INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
- devent = (dns_fetchevent_t *)event;
- val = devent->ev_arg;
- eresult = devent->result;
-
- /* Free resources which are not of interest. */
- if (devent->node != NULL)
- dns_db_detachnode(devent->db, &devent->node);
- if (devent->db != NULL)
- dns_db_detach(&devent->db);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- isc_event_free(&event);
- dns_resolver_destroyfetch(&val->fetch);
-
- INSIST(val->event != NULL);
- validator_log(val, ISC_LOG_DEBUG(3), "in dlvfetched: %s",
- dns_result_totext(eresult));
-
- LOCK(&val->lock);
- if (eresult == ISC_R_SUCCESS) {
- dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
- sizeof(namebuf));
- dns_rdataset_clone(&val->frdataset, &val->dlv);
- val->havedlvsep = ISC_TRUE;
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
- result = dlv_validator_start(val);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else if (eresult == DNS_R_NXRRSET ||
- eresult == DNS_R_NXDOMAIN ||
- eresult == DNS_R_NCACHENXRRSET ||
- eresult == DNS_R_NCACHENXDOMAIN) {
- result = finddlvsep(val, ISC_TRUE);
- if (result == ISC_R_SUCCESS) {
- dns_name_format(dns_fixedname_name(&val->dlvsep),
- namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
- namebuf);
- result = dlv_validator_start(val);
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- } else if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
- markanswer(val);
- validator_done(val, ISC_R_SUCCESS);
- } else {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
- dns_result_totext(result));
- if (result != DNS_R_WAIT)
- validator_done(val, result);
- }
- } else {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
- dns_result_totext(eresult));
- }
- want_destroy = exit_check(val);
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-static isc_result_t
-startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
- char namebuf[DNS_NAME_FORMATSIZE];
- isc_result_t result;
-
- INSIST(!DLVTRIED(val));
-
- val->attributes |= VALATTR_DLVTRIED;
-
- dns_name_format(unsecure, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3),
- "plain DNSSEC returns unsecure (%s): looking for DLV",
- namebuf);
-
- if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
- validator_log(val, ISC_LOG_WARNING, "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
-
- val->dlvlabels = dns_name_countlabels(unsecure) - 1;
- result = finddlvsep(val, ISC_FALSE);
- if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
- markanswer(val);
- return (ISC_R_SUCCESS);
- }
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3), "DLV lookup: %s",
- dns_result_totext(result));
- return (result);
- }
- dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
- sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
- return (dlv_validator_start(val));
-}
-
-static isc_result_t
-finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_fixedname_t dlvfixed;
- dns_name_t *dlvname;
- dns_name_t *dlvsep;
- dns_name_t noroot;
- isc_result_t result;
- unsigned int labels;
-
- INSIST(val->view->dlv != NULL);
-
- if (!resume) {
-
- if (dns_name_issubdomain(val->event->name, val->view->dlv)) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
-
- dns_fixedname_init(&val->dlvsep);
- dlvsep = dns_fixedname_name(&val->dlvsep);
- dns_name_copy(val->event->name, dlvsep, NULL);
- if (val->event->type == dns_rdatatype_ds) {
- labels = dns_name_countlabels(dlvsep);
- if (labels == 0)
- return (ISC_R_NOTFOUND);
- dns_name_getlabelsequence(dlvsep, 1, labels - 1,
- dlvsep);
- }
- } else {
- dlvsep = dns_fixedname_name(&val->dlvsep);
- labels = dns_name_countlabels(dlvsep);
- dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
- }
- dns_name_init(&noroot, NULL);
- dns_fixedname_init(&dlvfixed);
- dlvname = dns_fixedname_name(&dlvfixed);
- labels = dns_name_countlabels(dlvsep);
- if (labels == 0)
- return (ISC_R_NOTFOUND);
- dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
- result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
- while (result == ISC_R_NOSPACE) {
- labels = dns_name_countlabels(dlvsep);
- dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
- dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
- result = dns_name_concatenate(&noroot, val->view->dlv,
- dlvname, NULL);
- }
- if (result != ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
- return (DNS_R_NOVALIDSIG);
- }
-
- while (dns_name_countlabels(dlvname) >=
- dns_name_countlabels(val->view->dlv) + val->dlvlabels) {
- dns_name_format(dlvname, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV %s",
- namebuf);
- result = view_find(val, dlvname, dns_rdatatype_dlv);
- if (result == ISC_R_SUCCESS) {
- if (val->frdataset.trust < dns_trust_secure)
- return (DNS_R_NOVALIDSIG);
- val->havedlvsep = ISC_TRUE;
- dns_rdataset_clone(&val->frdataset, &val->dlv);
- return (ISC_R_SUCCESS);
- }
- if (result == ISC_R_NOTFOUND) {
- result = create_fetch(val, dlvname, dns_rdatatype_dlv,
- dlvfetched, "finddlvsep");
- if (result != ISC_R_SUCCESS)
- return (result);
- return (DNS_R_WAIT);
- }
- if (result != DNS_R_NXRRSET &&
- result != DNS_R_NXDOMAIN &&
- result != DNS_R_NCACHENXRRSET &&
- result != DNS_R_NCACHENXDOMAIN)
- return (result);
- /*
- * Strip first labels from both dlvsep and dlvname.
- */
- labels = dns_name_countlabels(dlvsep);
- if (labels == 0)
- break;
- dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
- labels = dns_name_countlabels(dlvname);
- dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
- }
- return (ISC_R_NOTFOUND);
-}
-
-/*
- * proveunsecure walks down from the SEP looking for a break in the
- * chain of trust. That occurs when we can prove the DS record does
- * not exist at a delegation point or the DS exists at a delegation
- * but we don't support the algorithm/digest.
- */
-static isc_result_t
-proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
- isc_result_t result;
- dns_fixedname_t fixedsecroot;
- dns_name_t *secroot;
- dns_name_t *tname;
- char namebuf[DNS_NAME_FORMATSIZE];
-
- dns_fixedname_init(&fixedsecroot);
- secroot = dns_fixedname_name(&fixedsecroot);
- if (val->havedlvsep)
- dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
- else {
- result = dns_keytable_finddeepestmatch(val->keytable,
- val->event->name,
- secroot);
-
- if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- result = DNS_R_MUSTBESECURE;
- goto out;
- }
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val);
- return (ISC_R_SUCCESS);
- }
- return (startfinddlvsep(val, dns_rootname));
- } else if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- if (!resume) {
- /*
- * We are looking for breaks below the SEP so add a label.
- */
- val->labels = dns_name_countlabels(secroot) + 1;
- } else {
- validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
- if (val->frdataset.trust >= dns_trust_secure &&
- !check_ds(val, dns_fixedname_name(&val->fname),
- &val->frdataset)) {
- dns_name_format(dns_fixedname_name(&val->fname),
- namebuf, sizeof(namebuf));
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure at '%s'",
- namebuf);
- result = DNS_R_MUSTBESECURE;
- goto out;
- }
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/digest (%s/DS)",
- namebuf);
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val);
- result = ISC_R_SUCCESS;
- goto out;
- }
- result = startfinddlvsep(val,
- dns_fixedname_name(&val->fname));
- goto out;
- }
- val->labels++;
- }
-
- for (;
- val->labels <= dns_name_countlabels(val->event->name);
- val->labels++)
- {
-
- dns_fixedname_init(&val->fname);
- tname = dns_fixedname_name(&val->fname);
- if (val->labels == dns_name_countlabels(val->event->name))
- dns_name_copy(val->event->name, tname, NULL);
- else
- dns_name_split(val->event->name, val->labels,
- NULL, tname);
-
- dns_name_format(tname, namebuf, sizeof(namebuf));
- validator_log(val, ISC_LOG_DEBUG(3),
- "checking existence of DS at '%s'",
- namebuf);
-
- result = view_find(val, tname, dns_rdatatype_ds);
- if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
- /*
- * There is no DS. If this is a delegation,
- * we maybe done.
- */
- if (val->frdataset.trust < dns_trust_secure) {
- /*
- * This shouldn't happen, since the negative
- * response should have been validated. Since
- * there's no way of validating existing
- * negative response blobs, give up.
- */
- result = DNS_R_NOVALIDSIG;
- goto out;
- }
- if (isdelegation(tname, &val->frdataset, result)) {
- if (val->mustbesecure) {
- validator_log(val, ISC_LOG_WARNING,
- "must be secure failure");
- return (DNS_R_MUSTBESECURE);
- }
- if (val->view->dlv == NULL || DLVTRIED(val)) {
- markanswer(val);
- return (ISC_R_SUCCESS);
- }
- return (startfinddlvsep(val, tname));
- }
- continue;
- } else if (result == ISC_R_SUCCESS) {
- /*
- * There is a DS here. Verify that it's secure and
- * continue.
- */
- if (val->frdataset.trust >= dns_trust_secure) {
- if (!check_ds(val, tname, &val->frdataset)) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "no supported algorithm/"
- "digest (%s/DS)", namebuf);
- if (val->mustbesecure) {
- validator_log(val,
- ISC_LOG_WARNING,
- "must be secure failure");
- result = DNS_R_MUSTBESECURE;
- goto out;
- }
- if (val->view->dlv == NULL ||
- DLVTRIED(val)) {
- markanswer(val);
- result = ISC_R_SUCCESS;
- goto out;
- }
- result = startfinddlvsep(val, tname);
- goto out;
- }
- continue;
- }
- else if (!dns_rdataset_isassociated(&val->fsigrdataset))
- {
- result = DNS_R_NOVALIDSIG;
- goto out;
- }
- result = create_validator(val, tname, dns_rdatatype_ds,
- &val->frdataset,
- &val->fsigrdataset,
- dsvalidated,
- "proveunsecure");
- if (result != ISC_R_SUCCESS)
- goto out;
- return (DNS_R_WAIT);
- } else if (result == DNS_R_NXDOMAIN ||
- result == DNS_R_NCACHENXDOMAIN)
- {
- /*
- * This is not a zone cut. Assuming things are
- * as expected, continue.
- */
- if (!dns_rdataset_isassociated(&val->frdataset)) {
- /*
- * There should be an NSEC here, since we
- * are still in a secure zone.
- */
- result = DNS_R_NOVALIDNSEC;
- goto out;
- } else if (val->frdataset.trust < dns_trust_secure) {
- /*
- * This shouldn't happen, since the negative
- * response should have been validated. Since
- * there's no way of validating existing
- * negative response blobs, give up.
- */
- result = DNS_R_NOVALIDSIG;
- goto out;
- }
- continue;
- } else if (result == ISC_R_NOTFOUND) {
- /*
- * We don't know anything about the DS. Find it.
- */
- result = create_fetch(val, tname, dns_rdatatype_ds,
- dsfetched2, "proveunsecure");
- if (result != ISC_R_SUCCESS)
- goto out;
- return (DNS_R_WAIT);
- }
- }
- validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
- return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
-
- out:
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- return (result);
-}
-
-static isc_result_t
-dlv_validator_start(dns_validator_t *val) {
- isc_event_t *event;
-
- validator_log(val, ISC_LOG_DEBUG(3), "dlv_validator_start");
-
- /*
- * Reset state and try again.
- */
- val->attributes &= VALATTR_DLVTRIED;
- val->options &= ~DNS_VALIDATOR_DLV;
-
- event = (isc_event_t *)val->event;
- isc_task_send(val->task, &event);
- return (DNS_R_WAIT);
-}
-
-static void
-validator_start(isc_task_t *task, isc_event_t *event) {
- dns_validator_t *val;
- dns_validatorevent_t *vevent;
- isc_boolean_t want_destroy = ISC_FALSE;
- isc_result_t result = ISC_R_FAILURE;
-
- UNUSED(task);
- REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
- vevent = (dns_validatorevent_t *)event;
- val = vevent->validator;
-
- /* If the validator has been cancelled, val->event == NULL */
- if (val->event == NULL)
- return;
-
- if (DLVTRIED(val))
- validator_log(val, ISC_LOG_DEBUG(3), "restarting using DLV");
- else
- validator_log(val, ISC_LOG_DEBUG(3), "starting");
-
- LOCK(&val->lock);
-
- if ((val->options & DNS_VALIDATOR_DLV) != 0) {
- validator_log(val, ISC_LOG_DEBUG(3), "looking for DLV");
- result = startfinddlvsep(val, dns_rootname);
- } else if (val->event->rdataset != NULL &&
- val->event->sigrdataset != NULL) {
- isc_result_t saved_result;
-
- /*
- * This looks like a simple validation. We say "looks like"
- * because it might end up requiring an insecurity proof.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "attempting positive response validation");
-
- INSIST(dns_rdataset_isassociated(val->event->rdataset));
- INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
- result = start_positive_validation(val);
- if (result == DNS_R_NOVALIDSIG &&
- (val->attributes & VALATTR_TRIEDVERIFY) == 0)
- {
- saved_result = result;
- validator_log(val, ISC_LOG_DEBUG(3),
- "falling back to insecurity proof");
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE);
- if (result == DNS_R_NOTINSECURE)
- result = saved_result;
- }
- } else if (val->event->rdataset != NULL) {
- /*
- * This is either an unsecure subdomain or a response from
- * a broken server.
- */
- INSIST(dns_rdataset_isassociated(val->event->rdataset));
- validator_log(val, ISC_LOG_DEBUG(3),
- "attempting insecurity proof");
-
- val->attributes |= VALATTR_INSECURITY;
- result = proveunsecure(val, ISC_FALSE);
- } else if (val->event->rdataset == NULL &&
- val->event->sigrdataset == NULL)
- {
- /*
- * This is a nonexistence validation.
- */
- validator_log(val, ISC_LOG_DEBUG(3),
- "attempting negative response validation");
-
- val->attributes |= VALATTR_NEGATIVE;
- if (val->event->message->rcode == dns_rcode_nxdomain) {
- val->attributes |= VALATTR_NEEDNOQNAME;
- val->attributes |= VALATTR_NEEDNOWILDCARD;
- } else
- val->attributes |= VALATTR_NEEDNODATA;
- result = nsecvalidate(val, ISC_FALSE);
- } else {
- /*
- * This shouldn't happen.
- */
- INSIST(0);
- }
-
- if (result != DNS_R_WAIT) {
- want_destroy = exit_check(val);
- validator_done(val, result);
- }
-
- UNLOCK(&val->lock);
- if (want_destroy)
- destroy(val);
-}
-
-isc_result_t
-dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
- dns_message_t *message, unsigned int options,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_validator_t **validatorp)
-{
- isc_result_t result;
- dns_validator_t *val;
- isc_task_t *tclone;
- dns_validatorevent_t *event;
-
- REQUIRE(name != NULL);
- REQUIRE(type != 0);
- REQUIRE(rdataset != NULL ||
- (rdataset == NULL && sigrdataset == NULL && message != NULL));
- REQUIRE(validatorp != NULL && *validatorp == NULL);
-
- tclone = NULL;
- result = ISC_R_FAILURE;
-
- val = isc_mem_get(view->mctx, sizeof(*val));
- if (val == NULL)
- return (ISC_R_NOMEMORY);
- val->view = NULL;
- dns_view_weakattach(view, &val->view);
- event = (dns_validatorevent_t *)
- isc_event_allocate(view->mctx, task,
- DNS_EVENT_VALIDATORSTART,
- validator_start, NULL,
- sizeof(dns_validatorevent_t));
- if (event == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_val;
- }
- isc_task_attach(task, &tclone);
- event->validator = val;
- event->result = ISC_R_FAILURE;
- event->name = name;
- event->type = type;
- event->rdataset = rdataset;
- event->sigrdataset = sigrdataset;
- event->message = message;
- memset(event->proofs, 0, sizeof(event->proofs));
- result = isc_mutex_init(&val->lock);
- if (result != ISC_R_SUCCESS)
- goto cleanup_event;
- val->event = event;
- val->options = options;
- val->attributes = 0;
- val->fetch = NULL;
- val->subvalidator = NULL;
- val->parent = NULL;
- val->keytable = NULL;
- dns_keytable_attach(val->view->secroots, &val->keytable);
- val->keynode = NULL;
- val->key = NULL;
- val->siginfo = NULL;
- val->task = task;
- val->action = action;
- val->arg = arg;
- val->labels = 0;
- val->currentset = NULL;
- val->keyset = NULL;
- val->dsset = NULL;
- dns_rdataset_init(&val->dlv);
- val->soaset = NULL;
- val->nsecset = NULL;
- val->soaname = NULL;
- val->seensig = ISC_FALSE;
- val->havedlvsep = ISC_FALSE;
- val->depth = 0;
- val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
- dns_rdataset_init(&val->frdataset);
- dns_rdataset_init(&val->fsigrdataset);
- dns_fixedname_init(&val->wild);
- ISC_LINK_INIT(val, link);
- val->magic = VALIDATOR_MAGIC;
-
- isc_task_send(task, ISC_EVENT_PTR(&event));
-
- *validatorp = val;
-
- return (ISC_R_SUCCESS);
-
- cleanup_event:
- isc_task_detach(&tclone);
- isc_event_free((isc_event_t **)&val->event);
-
- cleanup_val:
- dns_view_weakdetach(&val->view);
- isc_mem_put(view->mctx, val, sizeof(*val));
-
- return (result);
-}
-
-void
-dns_validator_cancel(dns_validator_t *validator) {
- REQUIRE(VALID_VALIDATOR(validator));
-
- LOCK(&validator->lock);
-
- validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
-
- if (validator->event != NULL) {
- if (validator->fetch != NULL)
- dns_resolver_cancelfetch(validator->fetch);
-
- if (validator->subvalidator != NULL)
- dns_validator_cancel(validator->subvalidator);
- }
- UNLOCK(&validator->lock);
-}
-
-static void
-destroy(dns_validator_t *val) {
- isc_mem_t *mctx;
-
- REQUIRE(SHUTDOWN(val));
- REQUIRE(val->event == NULL);
- REQUIRE(val->fetch == NULL);
-
- if (val->keynode != NULL)
- dns_keytable_detachkeynode(val->keytable, &val->keynode);
- else if (val->key != NULL)
- dst_key_free(&val->key);
- if (val->keytable != NULL)
- dns_keytable_detach(&val->keytable);
- if (val->subvalidator != NULL)
- dns_validator_destroy(&val->subvalidator);
- if (val->havedlvsep)
- dns_rdataset_disassociate(&val->dlv);
- if (dns_rdataset_isassociated(&val->frdataset))
- dns_rdataset_disassociate(&val->frdataset);
- if (dns_rdataset_isassociated(&val->fsigrdataset))
- dns_rdataset_disassociate(&val->fsigrdataset);
- mctx = val->view->mctx;
- if (val->siginfo != NULL)
- isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
- DESTROYLOCK(&val->lock);
- dns_view_weakdetach(&val->view);
- val->magic = 0;
- isc_mem_put(mctx, val, sizeof(*val));
-}
-
-void
-dns_validator_destroy(dns_validator_t **validatorp) {
- dns_validator_t *val;
- isc_boolean_t want_destroy = ISC_FALSE;
-
- REQUIRE(validatorp != NULL);
- val = *validatorp;
- REQUIRE(VALID_VALIDATOR(val));
-
- LOCK(&val->lock);
-
- val->attributes |= VALATTR_SHUTDOWN;
- validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
-
- want_destroy = exit_check(val);
-
- UNLOCK(&val->lock);
-
- if (want_destroy)
- destroy(val);
-
- *validatorp = NULL;
-}
-
-static void
-validator_logv(dns_validator_t *val, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *fmt, va_list ap)
-{
- char msgbuf[2048];
- static const char spaces[] = " *";
- int depth = val->depth * 2;
-
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
-
- if ((unsigned int) depth >= sizeof spaces)
- depth = sizeof spaces - 1;
-
- if (val->event != NULL && val->event->name != NULL) {
- char namebuf[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
-
- dns_name_format(val->event->name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(val->event->type, typebuf,
- sizeof(typebuf));
- isc_log_write(dns_lctx, category, module, level,
- "%.*svalidating @%p: %s %s: %s", depth, spaces,
- val, namebuf, typebuf, msgbuf);
- } else {
- isc_log_write(dns_lctx, category, module, level,
- "%.*svalidator @%p: %s", depth, spaces,
- val, msgbuf);
- }
-}
-
-static void
-validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
- va_list ap;
-
- if (! isc_log_wouldlog(dns_lctx, level))
- return;
-
- va_start(ap, fmt);
-
- validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
- DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
- va_end(ap);
-}
-
-static void
-validator_logcreate(dns_validator_t *val,
- dns_name_t *name, dns_rdatatype_t type,
- const char *caller, const char *operation)
-{
- char namestr[DNS_NAME_FORMATSIZE];
- char typestr[DNS_RDATATYPE_FORMATSIZE];
-
- dns_name_format(name, namestr, sizeof(namestr));
- dns_rdatatype_format(type, typestr, sizeof(typestr));
- validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
- caller, operation, namestr, typestr);
-}
diff --git a/contrib/bind9/lib/dns/version.c b/contrib/bind9/lib/dns/version.c
deleted file mode 100644
index 6b043ab5a872..000000000000
--- a/contrib/bind9/lib/dns/version.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:33 marka Exp $ */
-
-#include <dns/version.h>
-
-const char dns_version[] = VERSION;
-
-const unsigned int dns_libinterface = LIBINTERFACE;
-const unsigned int dns_librevision = LIBREVISION;
-const unsigned int dns_libage = LIBAGE;
diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c
deleted file mode 100644
index ac7af61639de..000000000000
--- a/contrib/bind9/lib/dns/view.c
+++ /dev/null
@@ -1,1332 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: view.c,v 1.103.2.5.2.14 2004/03/10 02:55:58 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/hash.h>
-#include <isc/task.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/adb.h>
-#include <dns/cache.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/forward.h>
-#include <dns/keytable.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/order.h>
-#include <dns/peer.h>
-#include <dns/rdataset.h>
-#include <dns/request.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/tsig.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-#define RESSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_RESSHUTDOWN) != 0)
-#define ADBSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_ADBSHUTDOWN) != 0)
-#define REQSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_REQSHUTDOWN) != 0)
-
-#define DNS_VIEW_DELONLYHASH 111
-
-static void resolver_shutdown(isc_task_t *task, isc_event_t *event);
-static void adb_shutdown(isc_task_t *task, isc_event_t *event);
-static void req_shutdown(isc_task_t *task, isc_event_t *event);
-
-isc_result_t
-dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
- const char *name, dns_view_t **viewp)
-{
- dns_view_t *view;
- isc_result_t result;
-
- /*
- * Create a view.
- */
-
- REQUIRE(name != NULL);
- REQUIRE(viewp != NULL && *viewp == NULL);
-
- view = isc_mem_get(mctx, sizeof(*view));
- if (view == NULL)
- return (ISC_R_NOMEMORY);
- view->name = isc_mem_strdup(mctx, name);
- if (view->name == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_view;
- }
- result = isc_mutex_init(&view->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_name;
- }
- view->zonetable = NULL;
- result = dns_zt_create(mctx, rdclass, &view->zonetable);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_zt_create() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_mutex;
- }
- view->secroots = NULL;
- result = dns_keytable_create(mctx, &view->secroots);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_keytable_create() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_zt;
- }
- view->trustedkeys = NULL;
- result = dns_keytable_create(mctx, &view->trustedkeys);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_keytable_create() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_secroots;
- }
- view->fwdtable = NULL;
- result = dns_fwdtable_create(mctx, &view->fwdtable);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "dns_fwdtable_create() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_trustedkeys;
- }
-
- view->cache = NULL;
- view->cachedb = NULL;
- view->hints = NULL;
- view->resolver = NULL;
- view->adb = NULL;
- view->requestmgr = NULL;
- view->mctx = mctx;
- view->rdclass = rdclass;
- view->frozen = ISC_FALSE;
- view->task = NULL;
- isc_refcount_init(&view->references, 1);
- view->weakrefs = 0;
- view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN|
- DNS_VIEWATTR_REQSHUTDOWN);
- view->statickeys = NULL;
- view->dynamickeys = NULL;
- view->matchclients = NULL;
- view->matchdestinations = NULL;
- view->matchrecursiveonly = ISC_FALSE;
- result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
- if (result != ISC_R_SUCCESS)
- goto cleanup_fwdtable;
- view->peers = NULL;
- view->order = NULL;
- view->delonly = NULL;
- view->rootdelonly = ISC_FALSE;
- view->rootexclude = NULL;
-
- /*
- * Initialize configuration data with default values.
- */
- view->recursion = ISC_TRUE;
- view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
- view->additionalfromcache = ISC_TRUE;
- view->additionalfromauth = ISC_TRUE;
- view->enablednssec = ISC_TRUE;
- view->minimalresponses = ISC_FALSE;
- view->transfer_format = dns_one_answer;
- view->queryacl = NULL;
- view->recursionacl = NULL;
- view->sortlist = NULL;
- view->requestixfr = ISC_TRUE;
- view->provideixfr = ISC_TRUE;
- view->maxcachettl = 7 * 24 * 3600;
- view->maxncachettl = 3 * 3600;
- view->dstport = 53;
- view->preferred_glue = 0;
- view->flush = ISC_FALSE;
- view->dlv = NULL;
- dns_fixedname_init(&view->dlv_fixed);
-
- result = dns_order_create(view->mctx, &view->order);
- if (result != ISC_R_SUCCESS)
- goto cleanup_dynkeys;
-
- result = dns_peerlist_new(view->mctx, &view->peers);
- if (result != ISC_R_SUCCESS)
- goto cleanup_order;
-
- result = dns_aclenv_init(view->mctx, &view->aclenv);
- if (result != ISC_R_SUCCESS)
- goto cleanup_peerlist;
-
- ISC_LINK_INIT(view, link);
- ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL,
- DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown,
- view, NULL, NULL, NULL);
- ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL,
- DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown,
- view, NULL, NULL, NULL);
- ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
- DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
- view, NULL, NULL, NULL);
- view->magic = DNS_VIEW_MAGIC;
-
- *viewp = view;
-
- return (ISC_R_SUCCESS);
-
- cleanup_peerlist:
- dns_peerlist_detach(&view->peers);
-
- cleanup_order:
- dns_order_detach(&view->order);
-
- cleanup_dynkeys:
- dns_tsigkeyring_destroy(&view->dynamickeys);
-
- cleanup_fwdtable:
- dns_fwdtable_destroy(&view->fwdtable);
-
- cleanup_trustedkeys:
- dns_keytable_detach(&view->trustedkeys);
-
- cleanup_secroots:
- dns_keytable_detach(&view->secroots);
-
- cleanup_zt:
- dns_zt_detach(&view->zonetable);
-
- cleanup_mutex:
- DESTROYLOCK(&view->lock);
-
- cleanup_name:
- isc_mem_free(mctx, view->name);
-
- cleanup_view:
- isc_mem_put(mctx, view, sizeof(*view));
-
- return (result);
-}
-
-static inline void
-destroy(dns_view_t *view) {
- REQUIRE(!ISC_LINK_LINKED(view, link));
- REQUIRE(isc_refcount_current(&view->references) == 0);
- REQUIRE(view->weakrefs == 0);
- REQUIRE(RESSHUTDOWN(view));
- REQUIRE(ADBSHUTDOWN(view));
- REQUIRE(REQSHUTDOWN(view));
-
- if (view->order != NULL)
- dns_order_detach(&view->order);
- if (view->peers != NULL)
- dns_peerlist_detach(&view->peers);
- if (view->dynamickeys != NULL)
- dns_tsigkeyring_destroy(&view->dynamickeys);
- if (view->statickeys != NULL)
- dns_tsigkeyring_destroy(&view->statickeys);
- if (view->adb != NULL)
- dns_adb_detach(&view->adb);
- if (view->resolver != NULL)
- dns_resolver_detach(&view->resolver);
- if (view->requestmgr != NULL)
- dns_requestmgr_detach(&view->requestmgr);
- if (view->task != NULL)
- isc_task_detach(&view->task);
- if (view->hints != NULL)
- dns_db_detach(&view->hints);
- if (view->cachedb != NULL)
- dns_db_detach(&view->cachedb);
- if (view->cache != NULL)
- dns_cache_detach(&view->cache);
- if (view->matchclients != NULL)
- dns_acl_detach(&view->matchclients);
- if (view->matchdestinations != NULL)
- dns_acl_detach(&view->matchdestinations);
- if (view->queryacl != NULL)
- dns_acl_detach(&view->queryacl);
- if (view->recursionacl != NULL)
- dns_acl_detach(&view->recursionacl);
- if (view->sortlist != NULL)
- dns_acl_detach(&view->sortlist);
- if (view->delonly != NULL) {
- dns_name_t *name;
- int i;
-
- for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
- name = ISC_LIST_HEAD(view->delonly[i]);
- while (name != NULL) {
- ISC_LIST_UNLINK(view->delonly[i], name, link);
- dns_name_free(name, view->mctx);
- isc_mem_put(view->mctx, name, sizeof(*name));
- name = ISC_LIST_HEAD(view->delonly[i]);
- }
- }
- isc_mem_put(view->mctx, view->delonly, sizeof(dns_namelist_t) *
- DNS_VIEW_DELONLYHASH);
- view->delonly = NULL;
- }
- if (view->rootexclude != NULL) {
- dns_name_t *name;
- int i;
-
- for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
- name = ISC_LIST_HEAD(view->rootexclude[i]);
- while (name != NULL) {
- ISC_LIST_UNLINK(view->rootexclude[i],
- name, link);
- dns_name_free(name, view->mctx);
- isc_mem_put(view->mctx, name, sizeof(*name));
- name = ISC_LIST_HEAD(view->rootexclude[i]);
- }
- }
- isc_mem_put(view->mctx, view->rootexclude,
- sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
- view->rootexclude = NULL;
- }
- dns_keytable_detach(&view->trustedkeys);
- dns_keytable_detach(&view->secroots);
- dns_fwdtable_destroy(&view->fwdtable);
- dns_aclenv_destroy(&view->aclenv);
- DESTROYLOCK(&view->lock);
- isc_refcount_destroy(&view->references);
- isc_mem_free(view->mctx, view->name);
- isc_mem_put(view->mctx, view, sizeof(*view));
-}
-
-/*
- * Return true iff 'view' may be freed.
- * The caller must be holding the view lock.
- */
-static isc_boolean_t
-all_done(dns_view_t *view) {
-
- if (isc_refcount_current(&view->references) == 0 &&
- view->weakrefs == 0 &&
- RESSHUTDOWN(view) && ADBSHUTDOWN(view) && REQSHUTDOWN(view))
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-void
-dns_view_attach(dns_view_t *source, dns_view_t **targetp) {
-
- REQUIRE(DNS_VIEW_VALID(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- isc_refcount_increment(&source->references, NULL);
-
- *targetp = source;
-}
-
-static void
-view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
- dns_view_t *view;
- unsigned int refs;
- isc_boolean_t done = ISC_FALSE;
-
- REQUIRE(viewp != NULL);
- view = *viewp;
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (flush)
- view->flush = ISC_TRUE;
- isc_refcount_decrement(&view->references, &refs);
- if (refs == 0) {
- LOCK(&view->lock);
- if (!RESSHUTDOWN(view))
- dns_resolver_shutdown(view->resolver);
- if (!ADBSHUTDOWN(view))
- dns_adb_shutdown(view->adb);
- if (!REQSHUTDOWN(view))
- dns_requestmgr_shutdown(view->requestmgr);
- if (view->flush)
- dns_zt_flushanddetach(&view->zonetable);
- else
- dns_zt_detach(&view->zonetable);
- done = all_done(view);
- UNLOCK(&view->lock);
- }
-
- *viewp = NULL;
-
- if (done)
- destroy(view);
-}
-
-void
-dns_view_flushanddetach(dns_view_t **viewp) {
- view_flushanddetach(viewp, ISC_TRUE);
-}
-
-void
-dns_view_detach(dns_view_t **viewp) {
- view_flushanddetach(viewp, ISC_FALSE);
-}
-
-static isc_result_t
-dialup(dns_zone_t *zone, void *dummy) {
- UNUSED(dummy);
- dns_zone_dialup(zone);
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_view_dialup(dns_view_t *view) {
- REQUIRE(DNS_VIEW_VALID(view));
- (void)dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL);
-}
-
-void
-dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
-
- REQUIRE(DNS_VIEW_VALID(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- LOCK(&source->lock);
- source->weakrefs++;
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-void
-dns_view_weakdetach(dns_view_t **viewp) {
- dns_view_t *view;
- isc_boolean_t done = ISC_FALSE;
-
- REQUIRE(viewp != NULL);
- view = *viewp;
- REQUIRE(DNS_VIEW_VALID(view));
-
- LOCK(&view->lock);
-
- INSIST(view->weakrefs > 0);
- view->weakrefs--;
- done = all_done(view);
-
- UNLOCK(&view->lock);
-
- *viewp = NULL;
-
- if (done)
- destroy(view);
-}
-
-static void
-resolver_shutdown(isc_task_t *task, isc_event_t *event) {
- dns_view_t *view = event->ev_arg;
- isc_boolean_t done;
-
- REQUIRE(event->ev_type == DNS_EVENT_VIEWRESSHUTDOWN);
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(view->task == task);
-
- UNUSED(task);
-
- LOCK(&view->lock);
-
- view->attributes |= DNS_VIEWATTR_RESSHUTDOWN;
- done = all_done(view);
-
- UNLOCK(&view->lock);
-
- isc_event_free(&event);
-
- if (done)
- destroy(view);
-}
-
-static void
-adb_shutdown(isc_task_t *task, isc_event_t *event) {
- dns_view_t *view = event->ev_arg;
- isc_boolean_t done;
-
- REQUIRE(event->ev_type == DNS_EVENT_VIEWADBSHUTDOWN);
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(view->task == task);
-
- UNUSED(task);
-
- LOCK(&view->lock);
-
- view->attributes |= DNS_VIEWATTR_ADBSHUTDOWN;
- done = all_done(view);
-
- UNLOCK(&view->lock);
-
- isc_event_free(&event);
-
- if (done)
- destroy(view);
-}
-
-static void
-req_shutdown(isc_task_t *task, isc_event_t *event) {
- dns_view_t *view = event->ev_arg;
- isc_boolean_t done;
-
- REQUIRE(event->ev_type == DNS_EVENT_VIEWREQSHUTDOWN);
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(view->task == task);
-
- UNUSED(task);
-
- LOCK(&view->lock);
-
- view->attributes |= DNS_VIEWATTR_REQSHUTDOWN;
- done = all_done(view);
-
- UNLOCK(&view->lock);
-
- isc_event_free(&event);
-
- if (done)
- destroy(view);
-}
-
-isc_result_t
-dns_view_createresolver(dns_view_t *view,
- isc_taskmgr_t *taskmgr, unsigned int ntasks,
- isc_socketmgr_t *socketmgr,
- isc_timermgr_t *timermgr,
- unsigned int options,
- dns_dispatchmgr_t *dispatchmgr,
- dns_dispatch_t *dispatchv4,
- dns_dispatch_t *dispatchv6)
-{
- isc_result_t result;
- isc_event_t *event;
- isc_mem_t *mctx = NULL;
-
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(!view->frozen);
- REQUIRE(view->resolver == NULL);
-
- result = isc_task_create(taskmgr, 0, &view->task);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_task_setname(view->task, "view", view);
-
- result = dns_resolver_create(view, taskmgr, ntasks, socketmgr,
- timermgr, options, dispatchmgr,
- dispatchv4, dispatchv6,
- &view->resolver);
- if (result != ISC_R_SUCCESS) {
- isc_task_detach(&view->task);
- return (result);
- }
- event = &view->resevent;
- dns_resolver_whenshutdown(view->resolver, view->task, &event);
- view->attributes &= ~DNS_VIEWATTR_RESSHUTDOWN;
-
- result = isc_mem_create(0, 0, &mctx);
- if (result != ISC_R_SUCCESS) {
- dns_resolver_shutdown(view->resolver);
- return (result);
- }
-
- result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb);
- isc_mem_detach(&mctx);
- if (result != ISC_R_SUCCESS) {
- dns_resolver_shutdown(view->resolver);
- return (result);
- }
- event = &view->adbevent;
- dns_adb_whenshutdown(view->adb, view->task, &event);
- view->attributes &= ~DNS_VIEWATTR_ADBSHUTDOWN;
-
- result = dns_requestmgr_create(view->mctx, timermgr, socketmgr,
- dns_resolver_taskmgr(view->resolver),
- dns_resolver_dispatchmgr(view->resolver),
- dns_resolver_dispatchv4(view->resolver),
- dns_resolver_dispatchv6(view->resolver),
- &view->requestmgr);
- if (result != ISC_R_SUCCESS) {
- dns_adb_shutdown(view->adb);
- dns_resolver_shutdown(view->resolver);
- return (result);
- }
- event = &view->reqevent;
- dns_requestmgr_whenshutdown(view->requestmgr, view->task, &event);
- view->attributes &= ~DNS_VIEWATTR_REQSHUTDOWN;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(!view->frozen);
-
- if (view->cache != NULL) {
- dns_db_detach(&view->cachedb);
- dns_cache_detach(&view->cache);
- }
- dns_cache_attach(cache, &view->cache);
- dns_cache_attachdb(cache, &view->cachedb);
- INSIST(DNS_DB_VALID(view->cachedb));
-}
-
-void
-dns_view_sethints(dns_view_t *view, dns_db_t *hints) {
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(!view->frozen);
- REQUIRE(view->hints == NULL);
- REQUIRE(dns_db_iszone(hints));
-
- dns_db_attach(hints, &view->hints);
-}
-
-void
-dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(ring != NULL);
- if (view->statickeys != NULL)
- dns_tsigkeyring_destroy(&view->statickeys);
- view->statickeys = ring;
-}
-
-void
-dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
- REQUIRE(DNS_VIEW_VALID(view));
- view->dstport = dstport;
-}
-
-isc_result_t
-dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
- isc_result_t result;
-
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(!view->frozen);
-
- result = dns_zt_mount(view->zonetable, zone);
-
- return (result);
-}
-
-void
-dns_view_freeze(dns_view_t *view) {
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(!view->frozen);
-
- if (view->resolver != NULL) {
- INSIST(view->cachedb != NULL);
- dns_resolver_freeze(view->resolver);
- }
- view->frozen = ISC_TRUE;
-}
-
-isc_result_t
-dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
- isc_result_t result;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
- if (result == DNS_R_PARTIALMATCH) {
- dns_zone_detach(zonep);
- result = ISC_R_NOTFOUND;
- }
-
- return (result);
-}
-
-isc_result_t
-dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
- isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
- dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_db_t *db, *zdb;
- dns_dbnode_t *node, *znode;
- isc_boolean_t is_cache;
- dns_rdataset_t zrdataset, zsigrdataset;
- dns_zone_t *zone;
-
- /*
- * Find an rdataset whose owner name is 'name', and whose type is
- * 'type'.
- */
-
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(view->frozen);
- REQUIRE(type != dns_rdatatype_rrsig);
- REQUIRE(rdataset != NULL); /* XXXBEW - remove this */
-
- /*
- * Initialize.
- */
- dns_rdataset_init(&zrdataset);
- dns_rdataset_init(&zsigrdataset);
- zdb = NULL;
- znode = NULL;
-
- /*
- * Find a database to answer the query.
- */
- zone = NULL;
- db = NULL;
- node = NULL;
- result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
- result = dns_zone_getdb(zone, &db);
- if (result != ISC_R_SUCCESS && view->cachedb != NULL)
- dns_db_attach(view->cachedb, &db);
- else if (result != ISC_R_SUCCESS)
- goto cleanup;
- } else if (result == ISC_R_NOTFOUND && view->cachedb != NULL)
- dns_db_attach(view->cachedb, &db);
- else
- goto cleanup;
-
- is_cache = dns_db_iscache(db);
-
- db_find:
- /*
- * Now look for an answer in the database.
- */
- result = dns_db_find(db, name, NULL, type, options,
- now, &node, foundname, rdataset, sigrdataset);
-
- if (result == DNS_R_DELEGATION ||
- result == ISC_R_NOTFOUND) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (!is_cache) {
- dns_db_detach(&db);
- if (view->cachedb != NULL) {
- /*
- * Either the answer is in the cache, or we
- * don't know it.
- */
- is_cache = ISC_TRUE;
- dns_db_attach(view->cachedb, &db);
- goto db_find;
- }
- } else {
- /*
- * We don't have the data in the cache. If we've got
- * glue from the zone, use it.
- */
- if (dns_rdataset_isassociated(&zrdataset)) {
- dns_rdataset_clone(&zrdataset, rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(&zsigrdataset))
- dns_rdataset_clone(&zsigrdataset,
- sigrdataset);
- result = DNS_R_GLUE;
- if (db != NULL)
- dns_db_detach(&db);
- dns_db_attach(zdb, &db);
- dns_db_attachnode(db, znode, &node);
- goto cleanup;
- }
- }
- /*
- * We don't know the answer.
- */
- result = ISC_R_NOTFOUND;
- } else if (result == DNS_R_GLUE) {
- if (view->cachedb != NULL) {
- /*
- * We found an answer, but the cache may be better.
- * Remember what we've got and go look in the cache.
- */
- is_cache = ISC_TRUE;
- dns_rdataset_clone(rdataset, &zrdataset);
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset)) {
- dns_rdataset_clone(sigrdataset, &zsigrdataset);
- dns_rdataset_disassociate(sigrdataset);
- }
- dns_db_attach(db, &zdb);
- dns_db_attachnode(zdb, node, &znode);
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
- dns_db_attach(view->cachedb, &db);
- goto db_find;
- }
- /*
- * Otherwise, the glue is the best answer.
- */
- result = ISC_R_SUCCESS;
- }
-
- if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (db != NULL) {
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
- }
- result = dns_db_find(view->hints, name, NULL, type, options,
- now, &node, foundname,
- rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS || result == DNS_R_GLUE) {
- /*
- * We just used a hint. Let the resolver know it
- * should consider priming.
- */
- dns_resolver_prime(view->resolver);
- dns_db_attach(view->hints, &db);
- result = DNS_R_HINT;
- } else if (result == DNS_R_NXRRSET) {
- dns_db_attach(view->hints, &db);
- result = DNS_R_HINTNXRRSET;
- } else if (result == DNS_R_NXDOMAIN)
- result = ISC_R_NOTFOUND;
-
- /*
- * Cleanup if non-standard hints are used.
- */
- if (db == NULL && node != NULL)
- dns_db_detachnode(view->hints, &node);
- }
-
- cleanup:
- if (result == DNS_R_NXDOMAIN || result == DNS_R_NXRRSET) {
- /*
- * We don't care about any DNSSEC proof data in these cases.
- */
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
-
- if (dns_rdataset_isassociated(&zrdataset)) {
- dns_rdataset_disassociate(&zrdataset);
- if (dns_rdataset_isassociated(&zsigrdataset))
- dns_rdataset_disassociate(&zsigrdataset);
- }
-
- if (zdb != NULL) {
- if (znode != NULL)
- dns_db_detachnode(zdb, &znode);
- dns_db_detach(&zdb);
- }
-
- if (db != NULL) {
- if (node != NULL) {
- if (nodep != NULL)
- *nodep = node;
- else
- dns_db_detachnode(db, &node);
- }
- if (dbp != NULL)
- *dbp = db;
- else
- dns_db_detach(&db);
- } else
- INSIST(node == NULL);
-
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- return (result);
-}
-
-isc_result_t
-dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
- isc_stdtime_t now, unsigned int options,
- isc_boolean_t use_hints,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_fixedname_t foundname;
-
- dns_fixedname_init(&foundname);
- result = dns_view_find(view, name, type, now, options, use_hints,
- NULL, NULL, dns_fixedname_name(&foundname),
- rdataset, sigrdataset);
- if (result == DNS_R_NXDOMAIN) {
- /*
- * The rdataset and sigrdataset of the relevant NSEC record
- * may be returned, but the caller cannot use them because
- * foundname is not returned by this simplified API. We
- * disassociate them here to prevent any misuse by the caller.
- */
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- } else if (result != ISC_R_SUCCESS &&
- result != DNS_R_GLUE &&
- result != DNS_R_HINT &&
- result != DNS_R_NCACHENXDOMAIN &&
- result != DNS_R_NCACHENXRRSET &&
- result != DNS_R_NXRRSET &&
- result != DNS_R_HINTNXRRSET &&
- result != ISC_R_NOTFOUND) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- result = ISC_R_NOTFOUND;
- }
-
- return (result);
-}
-
-isc_result_t
-dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
- isc_stdtime_t now, unsigned int options,
- isc_boolean_t use_hints,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- return(dns_view_findzonecut2(view, name, fname, now, options,
- use_hints, ISC_TRUE,
- rdataset, sigrdataset));
-}
-
-isc_result_t
-dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
- isc_stdtime_t now, unsigned int options,
- isc_boolean_t use_hints, isc_boolean_t use_cache,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
-{
- isc_result_t result;
- dns_db_t *db;
- isc_boolean_t is_cache, use_zone, try_hints;
- dns_zone_t *zone;
- dns_name_t *zfname;
- dns_rdataset_t zrdataset, zsigrdataset;
- dns_fixedname_t zfixedname;
-
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(view->frozen);
-
- db = NULL;
- zone = NULL;
- use_zone = ISC_FALSE;
- try_hints = ISC_FALSE;
- zfname = NULL;
-
- /*
- * Initialize.
- */
- dns_fixedname_init(&zfixedname);
- dns_rdataset_init(&zrdataset);
- dns_rdataset_init(&zsigrdataset);
-
- /*
- * Find the right database.
- */
- result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- result = dns_zone_getdb(zone, &db);
- if (result == ISC_R_NOTFOUND) {
- /*
- * We're not directly authoritative for this query name, nor
- * is it a subdomain of any zone for which we're
- * authoritative.
- */
- if (use_cache && view->cachedb != NULL) {
- /*
- * We have a cache; try it.
- */
- dns_db_attach(view->cachedb, &db);
- } else {
- /*
- * Maybe we have hints...
- */
- try_hints = ISC_TRUE;
- goto finish;
- }
- } else if (result != ISC_R_SUCCESS) {
- /*
- * Something is broken.
- */
- goto cleanup;
- }
- is_cache = dns_db_iscache(db);
-
- db_find:
- /*
- * Look for the zonecut.
- */
- if (!is_cache) {
- result = dns_db_find(db, name, NULL, dns_rdatatype_ns, options,
- now, NULL, fname, rdataset, sigrdataset);
- if (result == DNS_R_DELEGATION)
- result = ISC_R_SUCCESS;
- else if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (use_cache && view->cachedb != NULL && db != view->hints) {
- /*
- * We found an answer, but the cache may be better.
- */
- zfname = dns_fixedname_name(&zfixedname);
- result = dns_name_copy(fname, zfname, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rdataset_clone(rdataset, &zrdataset);
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset)) {
- dns_rdataset_clone(sigrdataset, &zsigrdataset);
- dns_rdataset_disassociate(sigrdataset);
- }
- dns_db_detach(&db);
- dns_db_attach(view->cachedb, &db);
- is_cache = ISC_TRUE;
- goto db_find;
- }
- } else {
- result = dns_db_findzonecut(db, name, options, now, NULL,
- fname, rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS) {
- if (zfname != NULL &&
- !dns_name_issubdomain(fname, zfname)) {
- /*
- * We found a zonecut in the cache, but our
- * zone delegation is better.
- */
- use_zone = ISC_TRUE;
- }
- } else if (result == ISC_R_NOTFOUND) {
- if (zfname != NULL) {
- /*
- * We didn't find anything in the cache, but we
- * have a zone delegation, so use it.
- */
- use_zone = ISC_TRUE;
- } else {
- /*
- * Maybe we have hints...
- */
- try_hints = ISC_TRUE;
- }
- } else {
- /*
- * Something bad happened.
- */
- goto cleanup;
- }
- }
-
- finish:
- if (use_zone) {
- if (dns_rdataset_isassociated(rdataset)) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- result = dns_name_copy(zfname, fname, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rdataset_clone(&zrdataset, rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(&zrdataset))
- dns_rdataset_clone(&zsigrdataset, sigrdataset);
- } else if (try_hints && use_hints && view->hints != NULL) {
- /*
- * We've found nothing so far, but we have hints.
- */
- result = dns_db_find(view->hints, dns_rootname, NULL,
- dns_rdatatype_ns, 0, now, NULL, fname,
- rdataset, NULL);
- if (result != ISC_R_SUCCESS) {
- /*
- * We can't even find the hints for the root
- * nameservers!
- */
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- result = ISC_R_NOTFOUND;
- }
- }
-
- cleanup:
- if (dns_rdataset_isassociated(&zrdataset)) {
- dns_rdataset_disassociate(&zrdataset);
- if (dns_rdataset_isassociated(&zsigrdataset))
- dns_rdataset_disassociate(&zsigrdataset);
- }
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
-
- return (result);
-}
-
-isc_result_t
-dns_viewlist_find(dns_viewlist_t *list, const char *name,
- dns_rdataclass_t rdclass, dns_view_t **viewp)
-{
- dns_view_t *view;
-
- REQUIRE(list != NULL);
-
- for (view = ISC_LIST_HEAD(*list);
- view != NULL;
- view = ISC_LIST_NEXT(view, link)) {
- if (strcmp(view->name, name) == 0 && view->rdclass == rdclass)
- break;
- }
- if (view == NULL)
- return (ISC_R_NOTFOUND);
-
- dns_view_attach(view, viewp);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_view_load(dns_view_t *view, isc_boolean_t stop) {
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- return (dns_zt_load(view->zonetable, stop));
-}
-
-isc_result_t
-dns_view_loadnew(dns_view_t *view, isc_boolean_t stop) {
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- return (dns_zt_loadnew(view->zonetable, stop));
-}
-
-isc_result_t
-dns_view_gettsig(dns_view_t *view, dns_name_t *keyname, dns_tsigkey_t **keyp)
-{
- isc_result_t result;
- REQUIRE(keyp != NULL && *keyp == NULL);
-
- result = dns_tsigkey_find(keyp, keyname, NULL,
- view->statickeys);
- if (result == ISC_R_NOTFOUND)
- result = dns_tsigkey_find(keyp, keyname, NULL,
- view->dynamickeys);
- return (result);
-}
-
-isc_result_t
-dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
- dns_tsigkey_t **keyp)
-{
- isc_result_t result;
- dns_name_t *keyname = NULL;
- dns_peer_t *peer = NULL;
-
- result = dns_peerlist_peerbyaddr(view->peers, peeraddr, &peer);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = dns_peer_getkey(peer, &keyname);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- return (dns_view_gettsig(view, keyname, keyp));
-}
-
-isc_result_t
-dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) {
- REQUIRE(DNS_VIEW_VALID(view));
- REQUIRE(source != NULL);
-
- return (dns_tsig_verify(source, msg, view->statickeys,
- view->dynamickeys));
-}
-
-isc_result_t
-dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
- isc_result_t result;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- (void)fprintf(fp, ";\n; Cache dump of view '%s'\n;\n", view->name);
- result = dns_master_dumptostream(view->mctx, view->cachedb, NULL,
- &dns_master_style_cache, fp);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_adb_dump(view->adb, fp);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_view_flushcache(dns_view_t *view) {
- isc_result_t result;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (view->cachedb == NULL)
- return (ISC_R_SUCCESS);
- result = dns_cache_flush(view->cache);
- if (result != ISC_R_SUCCESS)
- return (result);
- dns_db_detach(&view->cachedb);
- dns_cache_attachdb(view->cache, &view->cachedb);
-
- dns_adb_flush(view->adb);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_view_flushname(dns_view_t *view, dns_name_t *name) {
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (view->adb != NULL)
- dns_adb_flushname(view->adb, name);
- if (view->cache == NULL)
- return (ISC_R_SUCCESS);
- return (dns_cache_flushname(view->cache, name));
-}
-
-isc_result_t
-dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
- isc_result_t result;
- dns_name_t *new;
- isc_uint32_t hash;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (view->delonly == NULL) {
- view->delonly = isc_mem_get(view->mctx,
- sizeof(dns_namelist_t) *
- DNS_VIEW_DELONLYHASH);
- if (view->delonly == NULL)
- return (ISC_R_NOMEMORY);
- for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
- ISC_LIST_INIT(view->delonly[hash]);
- }
- hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
- new = ISC_LIST_HEAD(view->delonly[hash]);
- while (new != NULL && !dns_name_equal(new, name))
- new = ISC_LIST_NEXT(new, link);
- if (new != NULL)
- return (ISC_R_SUCCESS);
- new = isc_mem_get(view->mctx, sizeof(*new));
- if (new == NULL)
- return (ISC_R_NOMEMORY);
- dns_name_init(new, NULL);
- result = dns_name_dup(name, view->mctx, new);
- if (result == ISC_R_SUCCESS)
- ISC_LIST_APPEND(view->delonly[hash], new, link);
- else
- isc_mem_put(view->mctx, new, sizeof(*new));
- return (result);
-}
-
-isc_result_t
-dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name) {
- isc_result_t result;
- dns_name_t *new;
- isc_uint32_t hash;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (view->rootexclude == NULL) {
- view->rootexclude = isc_mem_get(view->mctx,
- sizeof(dns_namelist_t) *
- DNS_VIEW_DELONLYHASH);
- if (view->rootexclude == NULL)
- return (ISC_R_NOMEMORY);
- for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
- ISC_LIST_INIT(view->rootexclude[hash]);
- }
- hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
- new = ISC_LIST_HEAD(view->rootexclude[hash]);
- while (new != NULL && !dns_name_equal(new, name))
- new = ISC_LIST_NEXT(new, link);
- if (new != NULL)
- return (ISC_R_SUCCESS);
- new = isc_mem_get(view->mctx, sizeof(*new));
- if (new == NULL)
- return (ISC_R_NOMEMORY);
- dns_name_init(new, NULL);
- result = dns_name_dup(name, view->mctx, new);
- if (result == ISC_R_SUCCESS)
- ISC_LIST_APPEND(view->rootexclude[hash], new, link);
- else
- isc_mem_put(view->mctx, new, sizeof(*new));
- return (result);
-}
-
-isc_boolean_t
-dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
- dns_name_t *new;
- isc_uint32_t hash;
-
- REQUIRE(DNS_VIEW_VALID(view));
-
- if (!view->rootdelonly && view->delonly == NULL)
- return (ISC_FALSE);
-
- hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
- if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
- if (view->rootexclude == NULL)
- return (ISC_TRUE);
- new = ISC_LIST_HEAD(view->rootexclude[hash]);
- while (new != NULL && !dns_name_equal(new, name))
- new = ISC_LIST_NEXT(new, link);
- if (new == NULL)
- return (ISC_TRUE);
- }
-
- if (view->delonly == NULL)
- return (ISC_FALSE);
-
- new = ISC_LIST_HEAD(view->delonly[hash]);
- while (new != NULL && !dns_name_equal(new, name))
- new = ISC_LIST_NEXT(new, link);
- if (new == NULL)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-void
-dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value) {
- REQUIRE(DNS_VIEW_VALID(view));
- view->rootdelonly = value;
-}
-
-isc_boolean_t
-dns_view_getrootdelonly(dns_view_t *view) {
- REQUIRE(DNS_VIEW_VALID(view));
- return (view->rootdelonly);
-}
diff --git a/contrib/bind9/lib/dns/xfrin.c b/contrib/bind9/lib/dns/xfrin.c
deleted file mode 100644
index 8a824a73ef5e..000000000000
--- a/contrib/bind9/lib/dns/xfrin.c
+++ /dev/null
@@ -1,1404 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: xfrin.c,v 1.124.2.4.2.12 2005/11/03 23:08:41 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/string.h> /* Required for HP/UX (and others?) */
-#include <isc/task.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/db.h>
-#include <dns/diff.h>
-#include <dns/events.h>
-#include <dns/journal.h>
-#include <dns/log.h>
-#include <dns/message.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/result.h>
-#include <dns/soa.h>
-#include <dns/tcpmsg.h>
-#include <dns/timer.h>
-#include <dns/tsig.h>
-#include <dns/view.h>
-#include <dns/xfrin.h>
-#include <dns/zone.h>
-
-#include <dst/dst.h>
-
-/*
- * Incoming AXFR and IXFR.
- */
-
-/*
- * It would be non-sensical (or at least obtuse) to use FAIL() with an
- * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define FAIL(code) \
- do { result = (code); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto failure; \
- } while (0)
-
-/*
- * The states of the *XFR state machine. We handle both IXFR and AXFR
- * with a single integrated state machine because they cannot be distinguished
- * immediately - an AXFR response to an IXFR request can only be detected
- * when the first two (2) response RRs have already been received.
- */
-typedef enum {
- XFRST_INITIALSOA,
- XFRST_FIRSTDATA,
- XFRST_IXFR_DELSOA,
- XFRST_IXFR_DEL,
- XFRST_IXFR_ADDSOA,
- XFRST_IXFR_ADD,
- XFRST_AXFR,
- XFRST_END
-} xfrin_state_t;
-
-/*
- * Incoming zone transfer context.
- */
-
-struct dns_xfrin_ctx {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_zone_t *zone;
-
- int refcount;
-
- isc_task_t *task;
- isc_timer_t *timer;
- isc_socketmgr_t *socketmgr;
-
- int connects; /* Connect in progress */
- int sends; /* Send in progress */
- int recvs; /* Receive in progress */
- isc_boolean_t shuttingdown;
-
- dns_name_t name; /* Name of zone to transfer */
- dns_rdataclass_t rdclass;
-
- isc_boolean_t checkid;
- dns_messageid_t id;
-
- /*
- * Requested transfer type (dns_rdatatype_axfr or
- * dns_rdatatype_ixfr). The actual transfer type
- * may differ due to IXFR->AXFR fallback.
- */
- dns_rdatatype_t reqtype;
-
- isc_sockaddr_t masteraddr;
- isc_sockaddr_t sourceaddr;
- isc_socket_t *socket;
-
- /* Buffer for IXFR/AXFR request message */
- isc_buffer_t qbuffer;
- unsigned char qbuffer_data[512];
-
- /* Incoming reply TCP message */
- dns_tcpmsg_t tcpmsg;
- isc_boolean_t tcpmsg_valid;
-
- dns_db_t *db;
- dns_dbversion_t *ver;
- dns_diff_t diff; /* Pending database changes */
- int difflen; /* Number of pending tuples */
-
- xfrin_state_t state;
- isc_uint32_t end_serial;
- isc_boolean_t is_ixfr;
-
- unsigned int nmsg; /* Number of messages recvd */
-
- dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
- isc_buffer_t *lasttsig; /* The last TSIG */
- dst_context_t *tsigctx; /* TSIG verification context */
- unsigned int sincetsig; /* recvd since the last TSIG */
- dns_xfrindone_t done;
-
- /*
- * AXFR- and IXFR-specific data. Only one is used at a time
- * according to the is_ixfr flag, so this could be a union,
- * but keeping them separate makes it a bit simpler to clean
- * things up when destroying the context.
- */
- struct {
- dns_addrdatasetfunc_t add_func;
- dns_dbload_t *add_private;
- } axfr;
-
- struct {
- isc_uint32_t request_serial;
- isc_uint32_t current_serial;
- dns_journal_t *journal;
-
- } ixfr;
-};
-
-#define XFRIN_MAGIC ISC_MAGIC('X', 'f', 'r', 'I')
-#define VALID_XFRIN(x) ISC_MAGIC_VALID(x, XFRIN_MAGIC)
-
-/**************************************************************************/
-/*
- * Forward declarations.
- */
-
-static isc_result_t
-xfrin_create(isc_mem_t *mctx,
- dns_zone_t *zone,
- dns_db_t *db,
- isc_task_t *task,
- isc_timermgr_t *timermgr,
- isc_socketmgr_t *socketmgr,
- dns_name_t *zonename,
- dns_rdataclass_t rdclass,
- dns_rdatatype_t reqtype,
- isc_sockaddr_t *masteraddr,
- isc_sockaddr_t *sourceaddr,
- dns_tsigkey_t *tsigkey,
- dns_xfrin_ctx_t **xfrp);
-
-static isc_result_t axfr_init(dns_xfrin_ctx_t *xfr);
-static isc_result_t axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp);
-static isc_result_t axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
- dns_name_t *name, dns_ttl_t ttl,
- dns_rdata_t *rdata);
-static isc_result_t axfr_apply(dns_xfrin_ctx_t *xfr);
-static isc_result_t axfr_commit(dns_xfrin_ctx_t *xfr);
-
-static isc_result_t ixfr_init(dns_xfrin_ctx_t *xfr);
-static isc_result_t ixfr_apply(dns_xfrin_ctx_t *xfr);
-static isc_result_t ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
- dns_name_t *name, dns_ttl_t ttl,
- dns_rdata_t *rdata);
-static isc_result_t ixfr_commit(dns_xfrin_ctx_t *xfr);
-
-static isc_result_t xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name,
- isc_uint32_t ttl, dns_rdata_t *rdata);
-
-static isc_result_t xfrin_start(dns_xfrin_ctx_t *xfr);
-
-static void xfrin_connect_done(isc_task_t *task, isc_event_t *event);
-static isc_result_t xfrin_send_request(dns_xfrin_ctx_t *xfr);
-static void xfrin_send_done(isc_task_t *task, isc_event_t *event);
-static void xfrin_sendlen_done(isc_task_t *task, isc_event_t *event);
-static void xfrin_recv_done(isc_task_t *task, isc_event_t *event);
-static void xfrin_timeout(isc_task_t *task, isc_event_t *event);
-
-static void maybe_free(dns_xfrin_ctx_t *xfr);
-
-static void
-xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg);
-static isc_result_t
-render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf);
-
-static void
-xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
- isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
- ISC_FORMAT_PRINTF(5, 0);
-
-static void
-xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
- isc_sockaddr_t *masteraddr, const char *fmt, ...)
- ISC_FORMAT_PRINTF(5, 6);
-
-static void
-xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-/**************************************************************************/
-/*
- * AXFR handling
- */
-
-static isc_result_t
-axfr_init(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
-
- xfr->is_ixfr = ISC_FALSE;
-
- if (xfr->db != NULL)
- dns_db_detach(&xfr->db);
-
- CHECK(axfr_makedb(xfr, &xfr->db));
- CHECK(dns_db_beginload(xfr->db, &xfr->axfr.add_func,
- &xfr->axfr.add_private));
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-static isc_result_t
-axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
- return (dns_db_create(xfr->mctx, /* XXX */
- "rbt", /* XXX guess */
- &xfr->name,
- dns_dbtype_zone,
- xfr->rdclass,
- 0, NULL, /* XXX guess */
- dbp));
-}
-
-static isc_result_t
-axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
- dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
-{
- isc_result_t result;
-
- dns_difftuple_t *tuple = NULL;
-
- CHECK(dns_zone_checknames(xfr->zone, name, rdata));
- CHECK(dns_difftuple_create(xfr->diff.mctx, op,
- name, ttl, rdata, &tuple));
- dns_diff_append(&xfr->diff, &tuple);
- if (++xfr->difflen > 100)
- CHECK(axfr_apply(xfr));
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-/*
- * Store a set of AXFR RRs in the database.
- */
-static isc_result_t
-axfr_apply(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
-
- CHECK(dns_diff_load(&xfr->diff,
- xfr->axfr.add_func, xfr->axfr.add_private));
- xfr->difflen = 0;
- dns_diff_clear(&xfr->diff);
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-static isc_result_t
-axfr_commit(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
-
- CHECK(axfr_apply(xfr));
- CHECK(dns_db_endload(xfr->db, &xfr->axfr.add_private));
- CHECK(dns_zone_replacedb(xfr->zone, xfr->db, ISC_TRUE));
-
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-/**************************************************************************/
-/*
- * IXFR handling
- */
-
-static isc_result_t
-ixfr_init(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
- char *journalfile;
-
- if (xfr->reqtype != dns_rdatatype_ixfr) {
- xfrin_log(xfr, ISC_LOG_ERROR,
- "got incremental response to AXFR request");
- return (DNS_R_FORMERR);
- }
-
- xfr->is_ixfr = ISC_TRUE;
- INSIST(xfr->db != NULL);
- xfr->difflen = 0;
-
- journalfile = dns_zone_getjournal(xfr->zone);
- if (journalfile != NULL)
- CHECK(dns_journal_open(xfr->mctx, journalfile,
- ISC_TRUE, &xfr->ixfr.journal));
-
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-static isc_result_t
-ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
- dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
-{
- isc_result_t result;
-
- dns_difftuple_t *tuple = NULL;
- if (op == DNS_DIFFOP_ADD)
- CHECK(dns_zone_checknames(xfr->zone, name, rdata));
- CHECK(dns_difftuple_create(xfr->diff.mctx, op,
- name, ttl, rdata, &tuple));
- dns_diff_append(&xfr->diff, &tuple);
- if (++xfr->difflen > 100)
- CHECK(ixfr_apply(xfr));
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-/*
- * Apply a set of IXFR changes to the database.
- */
-static isc_result_t
-ixfr_apply(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
-
- if (xfr->ver == NULL) {
- CHECK(dns_db_newversion(xfr->db, &xfr->ver));
- if (xfr->ixfr.journal != NULL)
- CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
- }
- CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
- if (xfr->ixfr.journal != NULL) {
- result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
- if (result != ISC_R_SUCCESS)
- goto failure;
- }
- dns_diff_clear(&xfr->diff);
- xfr->difflen = 0;
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-static isc_result_t
-ixfr_commit(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
-
- CHECK(ixfr_apply(xfr));
- if (xfr->ver != NULL) {
- /* XXX enter ready-to-commit state here */
- if (xfr->ixfr.journal != NULL)
- CHECK(dns_journal_commit(xfr->ixfr.journal));
- dns_db_closeversion(xfr->db, &xfr->ver, ISC_TRUE);
- dns_zone_markdirty(xfr->zone);
- }
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-/**************************************************************************/
-/*
- * Common AXFR/IXFR protocol code
- */
-
-/*
- * Handle a single incoming resource record according to the current
- * state.
- */
-static isc_result_t
-xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
- dns_rdata_t *rdata)
-{
- isc_result_t result;
-
- redo:
- switch (xfr->state) {
- case XFRST_INITIALSOA:
- if (rdata->type != dns_rdatatype_soa) {
- xfrin_log(xfr, ISC_LOG_ERROR,
- "first RR in zone transfer must be SOA");
- FAIL(DNS_R_FORMERR);
- }
- /*
- * Remember the serial number in the intial SOA.
- * We need it to recognize the end of an IXFR.
- */
- xfr->end_serial = dns_soa_getserial(rdata);
- if (xfr->reqtype == dns_rdatatype_ixfr &&
- ! DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial)
- && !dns_zone_isforced(xfr->zone))
- {
- /*
- * This must be the single SOA record that is
- * sent when the current version on the master
- * is not newer than the version in the request.
- */
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
- "requested serial %u, "
- "master has %u, not updating",
- xfr->ixfr.request_serial, xfr->end_serial);
- FAIL(DNS_R_UPTODATE);
- }
- if (xfr->reqtype == dns_rdatatype_axfr)
- xfr->checkid = ISC_FALSE;
- xfr->state = XFRST_FIRSTDATA;
- break;
-
- case XFRST_FIRSTDATA:
- /*
- * If the transfer begins with one SOA record, it is an AXFR,
- * if it begins with two SOAs, it is an IXFR.
- */
- if (xfr->reqtype == dns_rdatatype_ixfr &&
- rdata->type == dns_rdatatype_soa &&
- xfr->ixfr.request_serial == dns_soa_getserial(rdata)) {
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
- "got incremental response");
- CHECK(ixfr_init(xfr));
- xfr->state = XFRST_IXFR_DELSOA;
- } else {
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
- "got nonincremental response");
- CHECK(axfr_init(xfr));
- xfr->state = XFRST_AXFR;
- }
- goto redo;
-
- case XFRST_IXFR_DELSOA:
- INSIST(rdata->type == dns_rdatatype_soa);
- CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
- xfr->state = XFRST_IXFR_DEL;
- break;
-
- case XFRST_IXFR_DEL:
- if (rdata->type == dns_rdatatype_soa) {
- isc_uint32_t soa_serial = dns_soa_getserial(rdata);
- xfr->state = XFRST_IXFR_ADDSOA;
- xfr->ixfr.current_serial = soa_serial;
- goto redo;
- }
- CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
- break;
-
- case XFRST_IXFR_ADDSOA:
- INSIST(rdata->type == dns_rdatatype_soa);
- CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
- xfr->state = XFRST_IXFR_ADD;
- break;
-
- case XFRST_IXFR_ADD:
- if (rdata->type == dns_rdatatype_soa) {
- isc_uint32_t soa_serial = dns_soa_getserial(rdata);
- if (soa_serial == xfr->end_serial) {
- CHECK(ixfr_commit(xfr));
- xfr->state = XFRST_END;
- break;
- } else if (soa_serial != xfr->ixfr.current_serial) {
- xfrin_log(xfr, ISC_LOG_ERROR,
- "IXFR out of sync: "
- "expected serial %u, got %u",
- xfr->ixfr.current_serial, soa_serial);
- FAIL(DNS_R_FORMERR);
- } else {
- CHECK(ixfr_commit(xfr));
- xfr->state = XFRST_IXFR_DELSOA;
- goto redo;
- }
- }
- if (rdata->type == dns_rdatatype_ns &&
- dns_name_iswildcard(name))
- FAIL(DNS_R_INVALIDNS);
- CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
- break;
-
- case XFRST_AXFR:
- /*
- * Old BINDs sent cross class A records for non IN classes.
- */
- if (rdata->type == dns_rdatatype_a &&
- rdata->rdclass != xfr->rdclass &&
- xfr->rdclass != dns_rdataclass_in)
- break;
- CHECK(axfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
- if (rdata->type == dns_rdatatype_soa) {
- CHECK(axfr_commit(xfr));
- xfr->state = XFRST_END;
- break;
- }
- break;
- case XFRST_END:
- FAIL(DNS_R_EXTRADATA);
- default:
- INSIST(0);
- break;
- }
- result = ISC_R_SUCCESS;
- failure:
- return (result);
-}
-
-isc_result_t
-dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
- isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
- isc_mem_t *mctx, isc_timermgr_t *timermgr,
- isc_socketmgr_t *socketmgr, isc_task_t *task,
- dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
-{
- isc_sockaddr_t sourceaddr;
-
- switch (isc_sockaddr_pf(masteraddr)) {
- case PF_INET:
- sourceaddr = *dns_zone_getxfrsource4(zone);
- break;
- case PF_INET6:
- sourceaddr = *dns_zone_getxfrsource6(zone);
- break;
- default:
- INSIST(0);
- }
-
- return(dns_xfrin_create2(zone, xfrtype, masteraddr, &sourceaddr,
- tsigkey, mctx, timermgr, socketmgr,
- task, done, xfrp));
-}
-
-isc_result_t
-dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
- isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
- dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
- isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
- isc_task_t *task, dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
-{
- dns_name_t *zonename = dns_zone_getorigin(zone);
- dns_xfrin_ctx_t *xfr = NULL;
- isc_result_t result;
- dns_db_t *db = NULL;
-
- REQUIRE(xfrp != NULL && *xfrp == NULL);
-
- (void)dns_zone_getdb(zone, &db);
-
- CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename,
- dns_zone_getclass(zone), xfrtype, masteraddr,
- sourceaddr, tsigkey, &xfr));
-
- CHECK(xfrin_start(xfr));
-
- xfr->done = done;
- xfr->refcount++;
- *xfrp = xfr;
-
- failure:
- if (db != NULL)
- dns_db_detach(&db);
- if (result != ISC_R_SUCCESS)
- xfrin_log1(ISC_LOG_ERROR, zonename, dns_zone_getclass(zone),
- masteraddr, "zone transfer setup failed");
- return (result);
-}
-
-void
-dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr) {
- if (! xfr->shuttingdown)
- xfrin_fail(xfr, ISC_R_CANCELED, "shut down");
-}
-
-void
-dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target) {
- REQUIRE(target != NULL && *target == NULL);
- source->refcount++;
- *target = source;
-}
-
-void
-dns_xfrin_detach(dns_xfrin_ctx_t **xfrp) {
- dns_xfrin_ctx_t *xfr = *xfrp;
- INSIST(xfr->refcount > 0);
- xfr->refcount--;
- maybe_free(xfr);
- *xfrp = NULL;
-}
-
-static void
-xfrin_cancelio(dns_xfrin_ctx_t *xfr) {
- if (xfr->connects > 0) {
- isc_socket_cancel(xfr->socket, xfr->task,
- ISC_SOCKCANCEL_CONNECT);
- } else if (xfr->recvs > 0) {
- dns_tcpmsg_cancelread(&xfr->tcpmsg);
- } else if (xfr->sends > 0) {
- isc_socket_cancel(xfr->socket, xfr->task,
- ISC_SOCKCANCEL_SEND);
- }
-}
-
-static void
-xfrin_reset(dns_xfrin_ctx_t *xfr) {
- REQUIRE(VALID_XFRIN(xfr));
-
- xfrin_log(xfr, ISC_LOG_INFO, "resetting");
-
- xfrin_cancelio(xfr);
-
- if (xfr->socket != NULL)
- isc_socket_detach(&xfr->socket);
-
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
-
- dns_diff_clear(&xfr->diff);
- xfr->difflen = 0;
-
- if (xfr->ixfr.journal != NULL)
- dns_journal_destroy(&xfr->ixfr.journal);
-
- if (xfr->axfr.add_private != NULL) {
- (void)dns_db_endload(xfr->db, &xfr->axfr.add_private);
- xfr->axfr.add_func = NULL;
- }
-
- if (xfr->tcpmsg_valid) {
- dns_tcpmsg_invalidate(&xfr->tcpmsg);
- xfr->tcpmsg_valid = ISC_FALSE;
- }
-
- if (xfr->ver != NULL)
- dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
-}
-
-
-static void
-xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
- if (result != DNS_R_UPTODATE) {
- xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s",
- msg, isc_result_totext(result));
- if (xfr->is_ixfr)
- /* Pass special result code to force AXFR retry */
- result = DNS_R_BADIXFR;
- }
- xfrin_cancelio(xfr);
- if (xfr->done != NULL) {
- (xfr->done)(xfr->zone, result);
- xfr->done = NULL;
- }
- xfr->shuttingdown = ISC_TRUE;
- maybe_free(xfr);
-}
-
-static isc_result_t
-xfrin_create(isc_mem_t *mctx,
- dns_zone_t *zone,
- dns_db_t *db,
- isc_task_t *task,
- isc_timermgr_t *timermgr,
- isc_socketmgr_t *socketmgr,
- dns_name_t *zonename,
- dns_rdataclass_t rdclass,
- dns_rdatatype_t reqtype,
- isc_sockaddr_t *masteraddr,
- isc_sockaddr_t *sourceaddr,
- dns_tsigkey_t *tsigkey,
- dns_xfrin_ctx_t **xfrp)
-{
- dns_xfrin_ctx_t *xfr = NULL;
- isc_result_t result;
- isc_uint32_t tmp;
-
- xfr = isc_mem_get(mctx, sizeof(*xfr));
- if (xfr == NULL)
- return (ISC_R_NOMEMORY);
- xfr->mctx = mctx;
- xfr->refcount = 0;
- xfr->zone = NULL;
- dns_zone_iattach(zone, &xfr->zone);
- xfr->task = NULL;
- isc_task_attach(task, &xfr->task);
- xfr->timer = NULL;
- xfr->socketmgr = socketmgr;
- xfr->done = NULL;
-
- xfr->connects = 0;
- xfr->sends = 0;
- xfr->recvs = 0;
- xfr->shuttingdown = ISC_FALSE;
-
- dns_name_init(&xfr->name, NULL);
- xfr->rdclass = rdclass;
- isc_random_get(&tmp);
- xfr->checkid = ISC_TRUE;
- xfr->id = (isc_uint16_t)(tmp & 0xffff);
- xfr->reqtype = reqtype;
-
- /* sockaddr */
- xfr->socket = NULL;
- /* qbuffer */
- /* qbuffer_data */
- /* tcpmsg */
- xfr->tcpmsg_valid = ISC_FALSE;
-
- xfr->db = NULL;
- if (db != NULL)
- dns_db_attach(db, &xfr->db);
- xfr->ver = NULL;
- dns_diff_init(xfr->mctx, &xfr->diff);
- xfr->difflen = 0;
-
- xfr->state = XFRST_INITIALSOA;
- /* end_serial */
-
- xfr->nmsg = 0;
-
- xfr->tsigkey = NULL;
- if (tsigkey != NULL)
- dns_tsigkey_attach(tsigkey, &xfr->tsigkey);
- xfr->lasttsig = NULL;
- xfr->tsigctx = NULL;
- xfr->sincetsig = 0;
- xfr->is_ixfr = ISC_FALSE;
-
- /* ixfr.request_serial */
- /* ixfr.current_serial */
- xfr->ixfr.journal = NULL;
-
- xfr->axfr.add_func = NULL;
- xfr->axfr.add_private = NULL;
-
- CHECK(dns_name_dup(zonename, mctx, &xfr->name));
-
- CHECK(isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
- task, xfrin_timeout, xfr, &xfr->timer));
- CHECK(dns_timer_setidle(xfr->timer,
- dns_zone_getmaxxfrin(xfr->zone),
- dns_zone_getidlein(xfr->zone),
- ISC_FALSE));
-
- xfr->masteraddr = *masteraddr;
-
- INSIST(isc_sockaddr_pf(masteraddr) == isc_sockaddr_pf(sourceaddr));
- xfr->sourceaddr = *sourceaddr;
- isc_sockaddr_setport(&xfr->sourceaddr, 0);
-
- isc_buffer_init(&xfr->qbuffer, xfr->qbuffer_data,
- sizeof(xfr->qbuffer_data));
-
- xfr->magic = XFRIN_MAGIC;
- *xfrp = xfr;
- return (ISC_R_SUCCESS);
-
- failure:
- xfrin_fail(xfr, result, "failed creating transfer context");
- return (result);
-}
-
-static isc_result_t
-xfrin_start(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
- CHECK(isc_socket_create(xfr->socketmgr,
- isc_sockaddr_pf(&xfr->sourceaddr),
- isc_sockettype_tcp,
- &xfr->socket));
- CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr));
- CHECK(isc_socket_connect(xfr->socket, &xfr->masteraddr, xfr->task,
- xfrin_connect_done, xfr));
- xfr->connects++;
- return (ISC_R_SUCCESS);
- failure:
- xfrin_fail(xfr, result, "failed setting up socket");
- return (result);
-}
-
-/* XXX the resolver could use this, too */
-
-static isc_result_t
-render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf) {
- dns_compress_t cctx;
- isc_boolean_t cleanup_cctx = ISC_FALSE;
- isc_result_t result;
-
- CHECK(dns_compress_init(&cctx, -1, mctx));
- cleanup_cctx = ISC_TRUE;
- CHECK(dns_message_renderbegin(msg, &cctx, buf));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_AUTHORITY, 0));
- CHECK(dns_message_rendersection(msg, DNS_SECTION_ADDITIONAL, 0));
- CHECK(dns_message_renderend(msg));
- result = ISC_R_SUCCESS;
- failure:
- if (cleanup_cctx)
- dns_compress_invalidate(&cctx);
- return (result);
-}
-
-/*
- * A connection has been established.
- */
-static void
-xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
- isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
- dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
- isc_result_t evresult = cev->result;
- isc_result_t result;
- char sourcetext[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t sockaddr;
-
- REQUIRE(VALID_XFRIN(xfr));
-
- UNUSED(task);
-
- INSIST(event->ev_type == ISC_SOCKEVENT_CONNECT);
- isc_event_free(&event);
-
- xfr->connects--;
- if (xfr->shuttingdown) {
- maybe_free(xfr);
- return;
- }
-
- CHECK(evresult);
- result = isc_socket_getsockname(xfr->socket, &sockaddr);
- if (result == ISC_R_SUCCESS) {
- isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
- } else
- strcpy(sourcetext, "<UNKNOWN>");
- xfrin_log(xfr, ISC_LOG_INFO, "connected using %s", sourcetext);
-
- dns_tcpmsg_init(xfr->mctx, xfr->socket, &xfr->tcpmsg);
- xfr->tcpmsg_valid = ISC_TRUE;
-
- CHECK(xfrin_send_request(xfr));
- failure:
- if (result != ISC_R_SUCCESS)
- xfrin_fail(xfr, result, "failed to connect");
-}
-
-/*
- * Convert a tuple into a dns_name_t suitable for inserting
- * into the given dns_message_t.
- */
-static isc_result_t
-tuple2msgname(dns_difftuple_t *tuple, dns_message_t *msg, dns_name_t **target)
-{
- isc_result_t result;
- dns_rdata_t *rdata = NULL;
- dns_rdatalist_t *rdl = NULL;
- dns_rdataset_t *rds = NULL;
- dns_name_t *name = NULL;
-
- REQUIRE(target != NULL && *target == NULL);
-
- CHECK(dns_message_gettemprdata(msg, &rdata));
- dns_rdata_init(rdata);
- dns_rdata_clone(&tuple->rdata, rdata);
-
- CHECK(dns_message_gettemprdatalist(msg, &rdl));
- dns_rdatalist_init(rdl);
- rdl->type = tuple->rdata.type;
- rdl->rdclass = tuple->rdata.rdclass;
- rdl->ttl = tuple->ttl;
- ISC_LIST_APPEND(rdl->rdata, rdata, link);
-
- CHECK(dns_message_gettemprdataset(msg, &rds));
- dns_rdataset_init(rds);
- CHECK(dns_rdatalist_tordataset(rdl, rds));
-
- CHECK(dns_message_gettempname(msg, &name));
- dns_name_init(name, NULL);
- dns_name_clone(&tuple->name, name);
- ISC_LIST_APPEND(name->list, rds, link);
-
- *target = name;
- return (ISC_R_SUCCESS);
-
- failure:
-
- if (rds != NULL) {
- dns_rdataset_disassociate(rds);
- dns_message_puttemprdataset(msg, &rds);
- }
- if (rdl != NULL) {
- ISC_LIST_UNLINK(rdl->rdata, rdata, link);
- dns_message_puttemprdatalist(msg, &rdl);
- }
- if (rdata != NULL)
- dns_message_puttemprdata(msg, &rdata);
-
- return (result);
-}
-
-
-/*
- * Build an *XFR request and send its length prefix.
- */
-static isc_result_t
-xfrin_send_request(dns_xfrin_ctx_t *xfr) {
- isc_result_t result;
- isc_region_t region;
- isc_region_t lregion;
- dns_rdataset_t *qrdataset = NULL;
- dns_message_t *msg = NULL;
- unsigned char length[2];
- dns_difftuple_t *soatuple = NULL;
- dns_name_t *qname = NULL;
- dns_dbversion_t *ver = NULL;
- dns_name_t *msgsoaname = NULL;
-
- /* Create the request message */
- CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTRENDER, &msg));
- CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
-
- /* Create a name for the question section. */
- CHECK(dns_message_gettempname(msg, &qname));
- dns_name_init(qname, NULL);
- dns_name_clone(&xfr->name, qname);
-
- /* Formulate the question and attach it to the question name. */
- CHECK(dns_message_gettemprdataset(msg, &qrdataset));
- dns_rdataset_init(qrdataset);
- dns_rdataset_makequestion(qrdataset, xfr->rdclass, xfr->reqtype);
- ISC_LIST_APPEND(qname->list, qrdataset, link);
- qrdataset = NULL;
-
- dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
- qname = NULL;
-
- if (xfr->reqtype == dns_rdatatype_ixfr) {
- /* Get the SOA and add it to the authority section. */
- /* XXX is using the current version the right thing? */
- dns_db_currentversion(xfr->db, &ver);
- CHECK(dns_db_createsoatuple(xfr->db, ver, xfr->mctx,
- DNS_DIFFOP_EXISTS, &soatuple));
- xfr->ixfr.request_serial = dns_soa_getserial(&soatuple->rdata);
- xfr->ixfr.current_serial = xfr->ixfr.request_serial;
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
- "requesting IXFR for serial %u",
- xfr->ixfr.request_serial);
-
- CHECK(tuple2msgname(soatuple, msg, &msgsoaname));
- dns_message_addname(msg, msgsoaname, DNS_SECTION_AUTHORITY);
- }
-
- xfr->checkid = ISC_TRUE;
- xfr->id++;
- msg->id = xfr->id;
-
- CHECK(render(msg, xfr->mctx, &xfr->qbuffer));
-
- /*
- * Free the last tsig, if there is one.
- */
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
-
- /*
- * Save the query TSIG and don't let message_destroy free it.
- */
- CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
-
- isc_buffer_usedregion(&xfr->qbuffer, &region);
- INSIST(region.length <= 65535);
-
- length[0] = region.length >> 8;
- length[1] = region.length & 0xFF;
- lregion.base = length;
- lregion.length = 2;
- CHECK(isc_socket_send(xfr->socket, &lregion, xfr->task,
- xfrin_sendlen_done, xfr));
- xfr->sends++;
-
- failure:
- if (qname != NULL)
- dns_message_puttempname(msg, &qname);
- if (qrdataset != NULL)
- dns_message_puttemprdataset(msg, &qrdataset);
- if (msg != NULL)
- dns_message_destroy(&msg);
- if (soatuple != NULL)
- dns_difftuple_free(&soatuple);
- if (ver != NULL)
- dns_db_closeversion(xfr->db, &ver, ISC_FALSE);
- return (result);
-}
-
-/* XXX there should be library support for sending DNS TCP messages */
-
-static void
-xfrin_sendlen_done(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sev = (isc_socketevent_t *) event;
- dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
- isc_result_t evresult = sev->result;
- isc_result_t result;
- isc_region_t region;
-
- REQUIRE(VALID_XFRIN(xfr));
-
- UNUSED(task);
-
- INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
- isc_event_free(&event);
-
- xfr->sends--;
- if (xfr->shuttingdown) {
- maybe_free(xfr);
- return;
- }
-
- xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request length prefix");
- CHECK(evresult);
-
- isc_buffer_usedregion(&xfr->qbuffer, &region);
- CHECK(isc_socket_send(xfr->socket, &region, xfr->task,
- xfrin_send_done, xfr));
- xfr->sends++;
- failure:
- if (result != ISC_R_SUCCESS)
- xfrin_fail(xfr, result, "failed sending request length prefix");
-}
-
-
-static void
-xfrin_send_done(isc_task_t *task, isc_event_t *event) {
- isc_socketevent_t *sev = (isc_socketevent_t *) event;
- dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
- isc_result_t result;
-
- REQUIRE(VALID_XFRIN(xfr));
-
- UNUSED(task);
-
- INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
-
- xfr->sends--;
- xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request data");
- CHECK(sev->result);
-
- CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
- xfrin_recv_done, xfr));
- xfr->recvs++;
- failure:
- isc_event_free(&event);
- if (result != ISC_R_SUCCESS)
- xfrin_fail(xfr, result, "failed sending request data");
-}
-
-
-static void
-xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
- dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) ev->ev_arg;
- isc_result_t result;
- dns_message_t *msg = NULL;
- dns_name_t *name;
- dns_tcpmsg_t *tcpmsg;
- dns_name_t *tsigowner = NULL;
-
- REQUIRE(VALID_XFRIN(xfr));
-
- UNUSED(task);
-
- INSIST(ev->ev_type == DNS_EVENT_TCPMSG);
- tcpmsg = ev->ev_sender;
- isc_event_free(&ev);
-
- xfr->recvs--;
- if (xfr->shuttingdown) {
- maybe_free(xfr);
- return;
- }
-
- CHECK(tcpmsg->result);
-
- xfrin_log(xfr, ISC_LOG_DEBUG(7), "received %u bytes",
- tcpmsg->buffer.used);
-
- CHECK(isc_timer_touch(xfr->timer));
-
- CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTPARSE, &msg));
-
- CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
- CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
- msg->tsigctx = xfr->tsigctx;
- if (xfr->nmsg > 0)
- msg->tcp_continuation = 1;
-
- result = dns_message_parse(msg, &tcpmsg->buffer,
- DNS_MESSAGEPARSE_PRESERVEORDER);
-
- if (result != ISC_R_SUCCESS || msg->rcode != dns_rcode_noerror ||
- (xfr->checkid && msg->id != xfr->id)) {
- if (result == ISC_R_SUCCESS)
- result = ISC_RESULTCLASS_DNSRCODE + msg->rcode; /*XXX*/
- if (result == ISC_R_SUCCESS || result == DNS_R_NOERROR)
- result = DNS_R_UNEXPECTEDID;
- if (xfr->reqtype == dns_rdatatype_axfr ||
- xfr->reqtype == dns_rdatatype_soa)
- FAIL(result);
- xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR",
- isc_result_totext(result));
- try_axfr:
- dns_message_destroy(&msg);
- xfrin_reset(xfr);
- xfr->reqtype = dns_rdatatype_axfr;
- xfr->state = XFRST_INITIALSOA;
- (void)xfrin_start(xfr);
- return;
- }
-
- /*
- * Does the server know about IXFR? If it doesn't we will get
- * a message with a empty answer section or a potentially a CNAME /
- * DNAME, the later is handled by xfr_rr() which will return FORMERR
- * if the first RR in the answer section is not a SOA record.
- */
- if (xfr->reqtype == dns_rdatatype_ixfr &&
- xfr->state == XFRST_INITIALSOA &&
- msg->counts[DNS_SECTION_ANSWER] == 0) {
- xfrin_log(xfr, ISC_LOG_DEBUG(3),
- "empty answer section, retrying with AXFR");
- goto try_axfr;
- }
-
- if (xfr->reqtype == dns_rdatatype_soa &&
- (msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
- FAIL(DNS_R_NOTAUTHORITATIVE);
- }
-
-
- result = dns_message_checksig(msg, dns_zone_getview(xfr->zone));
- if (result != ISC_R_SUCCESS) {
- xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s",
- isc_result_totext(result));
- FAIL(result);
- }
-
- for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
- result == ISC_R_SUCCESS;
- result = dns_message_nextname(msg, DNS_SECTION_ANSWER))
- {
- dns_rdataset_t *rds;
-
- name = NULL;
- dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
- for (rds = ISC_LIST_HEAD(name->list);
- rds != NULL;
- rds = ISC_LIST_NEXT(rds, link))
- {
- for (result = dns_rdataset_first(rds);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(rds))
- {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_current(rds, &rdata);
- CHECK(xfr_rr(xfr, name, rds->ttl, &rdata));
- }
- }
- }
- if (result != ISC_R_NOMORE)
- goto failure;
-
- if (dns_message_gettsig(msg, &tsigowner) != NULL) {
- /*
- * Reset the counter.
- */
- xfr->sincetsig = 0;
-
- /*
- * Free the last tsig, if there is one.
- */
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
-
- /*
- * Update the last tsig pointer.
- */
- CHECK(dns_message_getquerytsig(msg, xfr->mctx,
- &xfr->lasttsig));
-
- } else if (dns_message_gettsigkey(msg) != NULL) {
- xfr->sincetsig++;
- if (xfr->sincetsig > 100 ||
- xfr->nmsg == 0 || xfr->state == XFRST_END)
- {
- result = DNS_R_EXPECTEDTSIG;
- goto failure;
- }
- }
-
- /*
- * Update the number of messages received.
- */
- xfr->nmsg++;
-
- /*
- * Copy the context back.
- */
- xfr->tsigctx = msg->tsigctx;
-
- dns_message_destroy(&msg);
-
- if (xfr->state == XFRST_END) {
- /*
- * Inform the caller we succeeded.
- */
- if (xfr->done != NULL) {
- (xfr->done)(xfr->zone, ISC_R_SUCCESS);
- xfr->done = NULL;
- }
- /*
- * We should have no outstanding events at this
- * point, thus maybe_free() should succeed.
- */
- xfr->shuttingdown = ISC_TRUE;
- maybe_free(xfr);
- } else {
- /*
- * Read the next message.
- */
- CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
- xfrin_recv_done, xfr));
- xfr->recvs++;
- }
- return;
-
- failure:
- if (msg != NULL)
- dns_message_destroy(&msg);
- if (result != ISC_R_SUCCESS)
- xfrin_fail(xfr, result, "failed while receiving responses");
-}
-
-static void
-xfrin_timeout(isc_task_t *task, isc_event_t *event) {
- dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
-
- REQUIRE(VALID_XFRIN(xfr));
-
- UNUSED(task);
-
- isc_event_free(&event);
- /*
- * This will log "giving up: timeout".
- */
- xfrin_fail(xfr, ISC_R_TIMEDOUT, "giving up");
-}
-
-static void
-maybe_free(dns_xfrin_ctx_t *xfr) {
- REQUIRE(VALID_XFRIN(xfr));
-
- if (! xfr->shuttingdown || xfr->refcount != 0 ||
- xfr->connects != 0 || xfr->sends != 0 ||
- xfr->recvs != 0)
- return;
-
- xfrin_log(xfr, ISC_LOG_INFO, "end of transfer");
-
- if (xfr->socket != NULL)
- isc_socket_detach(&xfr->socket);
-
- if (xfr->timer != NULL)
- isc_timer_detach(&xfr->timer);
-
- if (xfr->task != NULL)
- isc_task_detach(&xfr->task);
-
- if (xfr->tsigkey != NULL)
- dns_tsigkey_detach(&xfr->tsigkey);
-
- if (xfr->lasttsig != NULL)
- isc_buffer_free(&xfr->lasttsig);
-
- dns_diff_clear(&xfr->diff);
-
- if (xfr->ixfr.journal != NULL)
- dns_journal_destroy(&xfr->ixfr.journal);
-
- if (xfr->axfr.add_private != NULL)
- (void)dns_db_endload(xfr->db, &xfr->axfr.add_private);
-
- if (xfr->tcpmsg_valid)
- dns_tcpmsg_invalidate(&xfr->tcpmsg);
-
- if ((xfr->name.attributes & DNS_NAMEATTR_DYNAMIC) != 0)
- dns_name_free(&xfr->name, xfr->mctx);
-
- if (xfr->ver != NULL)
- dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
-
- if (xfr->db != NULL)
- dns_db_detach(&xfr->db);
-
- if (xfr->zone != NULL)
- dns_zone_idetach(&xfr->zone);
-
- isc_mem_put(xfr->mctx, xfr, sizeof(*xfr));
-}
-
-/*
- * Log incoming zone transfer messages in a format like
- * transfer of <zone> from <address>: <message>
- */
-static void
-xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
- isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
-{
- char zntext[DNS_NAME_FORMATSIZE];
- char mastertext[ISC_SOCKADDR_FORMATSIZE];
- char classtext[DNS_RDATACLASS_FORMATSIZE];
- char msgtext[2048];
-
- dns_name_format(zonename, zntext, sizeof(zntext));
- dns_rdataclass_format(rdclass, classtext, sizeof(classtext));
- isc_sockaddr_format(masteraddr, mastertext, sizeof(mastertext));
- vsnprintf(msgtext, sizeof(msgtext), fmt, ap);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN,
- DNS_LOGMODULE_XFER_IN, level,
- "transfer of '%s/%s' from %s: %s",
- zntext, classtext, mastertext, msgtext);
-}
-
-/*
- * Logging function for use when a xfrin_ctx_t has not yet been created.
- */
-
-static void
-xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
- isc_sockaddr_t *masteraddr, const char *fmt, ...)
-{
- va_list ap;
-
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
-
- va_start(ap, fmt);
- xfrin_logv(level, zonename, rdclass, masteraddr, fmt, ap);
- va_end(ap);
-}
-
-/*
- * Logging function for use when there is a xfrin_ctx_t.
- */
-
-static void
-xfrin_log(dns_xfrin_ctx_t *xfr, int level, const char *fmt, ...)
-{
- va_list ap;
-
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
-
- va_start(ap, fmt);
- xfrin_logv(level, &xfr->name, xfr->rdclass, &xfr->masteraddr, fmt, ap);
- va_end(ap);
-}
diff --git a/contrib/bind9/lib/dns/zone.c b/contrib/bind9/lib/dns/zone.c
deleted file mode 100644
index a993877e91ae..000000000000
--- a/contrib/bind9/lib/dns/zone.c
+++ /dev/null
@@ -1,7012 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zone.c,v 1.333.2.23.2.59 2005/07/29 00:38:33 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/file.h>
-#include <isc/mutex.h>
-#include <isc/print.h>
-#include <isc/random.h>
-#include <isc/ratelimiter.h>
-#include <isc/refcount.h>
-#include <isc/serial.h>
-#include <isc/string.h>
-#include <isc/taskpool.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#include <dns/acl.h>
-#include <dns/adb.h>
-#include <dns/callbacks.h>
-#include <dns/db.h>
-#include <dns/events.h>
-#include <dns/journal.h>
-#include <dns/log.h>
-#include <dns/master.h>
-#include <dns/masterdump.h>
-#include <dns/message.h>
-#include <dns/name.h>
-#include <dns/peer.h>
-#include <dns/rcode.h>
-#include <dns/rdataclass.h>
-#include <dns/rdatalist.h>
-#include <dns/rdataset.h>
-#include <dns/rdatastruct.h>
-#include <dns/rdatatype.h>
-#include <dns/request.h>
-#include <dns/resolver.h>
-#include <dns/result.h>
-#include <dns/stats.h>
-#include <dns/ssu.h>
-#include <dns/tsig.h>
-#include <dns/xfrin.h>
-#include <dns/zone.h>
-
-#define ZONE_MAGIC ISC_MAGIC('Z', 'O', 'N', 'E')
-#define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC)
-
-#define NOTIFY_MAGIC ISC_MAGIC('N', 't', 'f', 'y')
-#define DNS_NOTIFY_VALID(notify) ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
-
-#define STUB_MAGIC ISC_MAGIC('S', 't', 'u', 'b')
-#define DNS_STUB_VALID(stub) ISC_MAGIC_VALID(stub, STUB_MAGIC)
-
-#define ZONEMGR_MAGIC ISC_MAGIC('Z', 'm', 'g', 'r')
-#define DNS_ZONEMGR_VALID(stub) ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)
-
-#define LOAD_MAGIC ISC_MAGIC('L', 'o', 'a', 'd')
-#define DNS_LOAD_VALID(load) ISC_MAGIC_VALID(load, LOAD_MAGIC)
-
-#define FORWARD_MAGIC ISC_MAGIC('F', 'o', 'r', 'w')
-#define DNS_FORWARD_VALID(load) ISC_MAGIC_VALID(load, FORWARD_MAGIC)
-
-#define IO_MAGIC ISC_MAGIC('Z', 'm', 'I', 'O')
-#define DNS_IO_VALID(load) ISC_MAGIC_VALID(load, IO_MAGIC)
-
-/*
- * Ensure 'a' is at least 'min' but not more than 'max'.
- */
-#define RANGE(a, min, max) \
- (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
-
-/*
- * Default values.
- */
-#define DNS_DEFAULT_IDLEIN 3600 /* 1 hour */
-#define DNS_DEFAULT_IDLEOUT 3600 /* 1 hour */
-#define MAX_XFER_TIME (2*3600) /* Documented default is 2 hours */
-
-#ifndef DNS_MAX_EXPIRE
-#define DNS_MAX_EXPIRE 14515200 /* 24 weeks */
-#endif
-
-#ifndef DNS_DUMP_DELAY
-#define DNS_DUMP_DELAY 900 /* 15 minutes */
-#endif
-
-typedef struct dns_notify dns_notify_t;
-typedef struct dns_stub dns_stub_t;
-typedef struct dns_load dns_load_t;
-typedef struct dns_forward dns_forward_t;
-typedef struct dns_io dns_io_t;
-typedef ISC_LIST(dns_io_t) dns_iolist_t;
-
-#define DNS_ZONE_CHECKLOCK
-#ifdef DNS_ZONE_CHECKLOCK
-#define LOCK_ZONE(z) \
- do { LOCK(&(z)->lock); \
- INSIST((z)->locked == ISC_FALSE); \
- (z)->locked = ISC_TRUE; \
- } while (0)
-#define UNLOCK_ZONE(z) \
- do { (z)->locked = ISC_FALSE; UNLOCK(&(z)->lock); } while (0)
-#define LOCKED_ZONE(z) ((z)->locked)
-#else
-#define LOCK_ZONE(z) LOCK(&(z)->lock)
-#define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
-#define LOCKED_ZONE(z) ISC_TRUE
-#endif
-
-struct dns_zone {
- /* Unlocked */
- unsigned int magic;
- isc_mutex_t lock;
-#ifdef DNS_ZONE_CHECKLOCK
- isc_boolean_t locked;
-#endif
- isc_mem_t *mctx;
- isc_refcount_t erefs;
-
- /* Locked */
- dns_db_t *db;
- dns_zonemgr_t *zmgr;
- ISC_LINK(dns_zone_t) link; /* Used by zmgr. */
- isc_timer_t *timer;
- unsigned int irefs;
- dns_name_t origin;
- char *masterfile;
- char *journal;
- isc_int32_t journalsize;
- dns_rdataclass_t rdclass;
- dns_zonetype_t type;
- unsigned int flags;
- unsigned int options;
- unsigned int db_argc;
- char **db_argv;
- isc_time_t expiretime;
- isc_time_t refreshtime;
- isc_time_t dumptime;
- isc_time_t loadtime;
- isc_uint32_t serial;
- isc_uint32_t refresh;
- isc_uint32_t retry;
- isc_uint32_t expire;
- isc_uint32_t minimum;
- char *keydirectory;
-
- isc_uint32_t maxrefresh;
- isc_uint32_t minrefresh;
- isc_uint32_t maxretry;
- isc_uint32_t minretry;
-
- isc_sockaddr_t *masters;
- dns_name_t **masterkeynames;
- isc_boolean_t *mastersok;
- unsigned int masterscnt;
- unsigned int curmaster;
- isc_sockaddr_t masteraddr;
- dns_notifytype_t notifytype;
- isc_sockaddr_t *notify;
- unsigned int notifycnt;
- isc_sockaddr_t notifyfrom;
- isc_task_t *task;
- isc_sockaddr_t notifysrc4;
- isc_sockaddr_t notifysrc6;
- isc_sockaddr_t xfrsource4;
- isc_sockaddr_t xfrsource6;
- isc_sockaddr_t altxfrsource4;
- isc_sockaddr_t altxfrsource6;
- isc_sockaddr_t sourceaddr;
- dns_xfrin_ctx_t *xfr; /* task locked */
- dns_tsigkey_t *tsigkey; /* key used for xfr */
- /* Access Control Lists */
- dns_acl_t *update_acl;
- dns_acl_t *forward_acl;
- dns_acl_t *notify_acl;
- dns_acl_t *query_acl;
- dns_acl_t *xfr_acl;
- isc_boolean_t update_disabled;
- dns_severity_t check_names;
- ISC_LIST(dns_notify_t) notifies;
- dns_request_t *request;
- dns_loadctx_t *lctx;
- dns_io_t *readio;
- dns_dumpctx_t *dctx;
- dns_io_t *writeio;
- isc_uint32_t maxxfrin;
- isc_uint32_t maxxfrout;
- isc_uint32_t idlein;
- isc_uint32_t idleout;
- isc_event_t ctlevent;
- dns_ssutable_t *ssutable;
- isc_uint32_t sigvalidityinterval;
- dns_view_t *view;
- /*
- * Zones in certain states such as "waiting for zone transfer"
- * or "zone transfer in progress" are kept on per-state linked lists
- * in the zone manager using the 'statelink' field. The 'statelist'
- * field points at the list the zone is currently on. It the zone
- * is not on any such list, statelist is NULL.
- */
- ISC_LINK(dns_zone_t) statelink;
- dns_zonelist_t *statelist;
- /*
- * Optional per-zone statistics counters (NULL if not present).
- */
- isc_uint64_t *counters;
-};
-
-#define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
-#define DNS_ZONE_SETFLAG(z,f) do { \
- INSIST(LOCKED_ZONE(z)); \
- (z)->flags |= (f); \
- } while (0)
-#define DNS_ZONE_CLRFLAG(z,f) do { \
- INSIST(LOCKED_ZONE(z)); \
- (z)->flags &= ~(f); \
- } while (0)
- /* XXX MPA these may need to go back into zone.h */
-#define DNS_ZONEFLG_REFRESH 0x00000001U /* refresh check in progress */
-#define DNS_ZONEFLG_NEEDDUMP 0x00000002U /* zone need consolidation */
-#define DNS_ZONEFLG_USEVC 0x00000004U /* use tcp for refresh query */
-#define DNS_ZONEFLG_DUMPING 0x00000008U /* a dump is in progress */
-#define DNS_ZONEFLG_HASINCLUDE 0x00000010U /* $INCLUDE in zone file */
-#define DNS_ZONEFLG_LOADED 0x00000020U /* database has loaded */
-#define DNS_ZONEFLG_EXITING 0x00000040U /* zone is being destroyed */
-#define DNS_ZONEFLG_EXPIRED 0x00000080U /* zone has expired */
-#define DNS_ZONEFLG_NEEDREFRESH 0x00000100U /* refresh check needed */
-#define DNS_ZONEFLG_UPTODATE 0x00000200U /* zone contents are
- * uptodate */
-#define DNS_ZONEFLG_NEEDNOTIFY 0x00000400U /* need to send out notify
- * messages */
-#define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U /* generate a journal diff on
- * reload */
-#define DNS_ZONEFLG_NOMASTERS 0x00001000U /* an attempt to refresh a
- * zone with no masters
- * occured */
-#define DNS_ZONEFLG_LOADING 0x00002000U /* load from disk in progress*/
-#define DNS_ZONEFLG_HAVETIMERS 0x00004000U /* timer values have been set
- * from SOA (if not set, we
- * are still using
- * default timer values) */
-#define DNS_ZONEFLG_FORCEXFER 0x00008000U /* Force a zone xfer */
-#define DNS_ZONEFLG_NOREFRESH 0x00010000U
-#define DNS_ZONEFLG_DIALNOTIFY 0x00020000U
-#define DNS_ZONEFLG_DIALREFRESH 0x00040000U
-#define DNS_ZONEFLG_SHUTDOWN 0x00080000U
-#define DNS_ZONEFLAG_NOIXFR 0x00100000U /* IXFR failed, force AXFR */
-#define DNS_ZONEFLG_FLUSH 0x00200000U
-#define DNS_ZONEFLG_NOEDNS 0x00400000U
-#define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
-
-#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
-
-/* Flags for zone_load() */
-#define DNS_ZONELOADFLAG_NOSTAT 0x00000001U /* Do not stat() master files */
-
-struct dns_zonemgr {
- unsigned int magic;
- isc_mem_t * mctx;
- int refs; /* Locked by rwlock */
- isc_taskmgr_t * taskmgr;
- isc_timermgr_t * timermgr;
- isc_socketmgr_t * socketmgr;
- isc_taskpool_t * zonetasks;
- isc_task_t * task;
- isc_ratelimiter_t * rl;
- isc_rwlock_t rwlock;
- isc_mutex_t iolock;
-
- /* Locked by rwlock. */
- dns_zonelist_t zones;
- dns_zonelist_t waiting_for_xfrin;
- dns_zonelist_t xfrin_in_progress;
-
- /* Configuration data. */
- isc_uint32_t transfersin;
- isc_uint32_t transfersperns;
- unsigned int serialqueryrate;
-
- /* Locked by iolock */
- isc_uint32_t iolimit;
- isc_uint32_t ioactive;
- dns_iolist_t high;
- dns_iolist_t low;
-};
-
-/*
- * Hold notify state.
- */
-struct dns_notify {
- unsigned int magic;
- unsigned int flags;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- dns_adbfind_t *find;
- dns_request_t *request;
- dns_name_t ns;
- isc_sockaddr_t dst;
- ISC_LINK(dns_notify_t) link;
-};
-
-#define DNS_NOTIFY_NOSOA 0x0001U
-
-/*
- * dns_stub holds state while performing a 'stub' transfer.
- * 'db' is the zone's 'db' or a new one if this is the initial
- * transfer.
- */
-
-struct dns_stub {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- dns_db_t *db;
- dns_dbversion_t *version;
-};
-
-/*
- * Hold load state.
- */
-struct dns_load {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- dns_db_t *db;
- isc_time_t loadtime;
- dns_rdatacallbacks_t callbacks;
-};
-
-/*
- * Hold forward state.
- */
-struct dns_forward {
- unsigned int magic;
- isc_mem_t *mctx;
- dns_zone_t *zone;
- isc_buffer_t *msgbuf;
- dns_request_t *request;
- isc_uint32_t which;
- isc_sockaddr_t addr;
- dns_updatecallback_t callback;
- void *callback_arg;
-};
-
-/*
- * Hold IO request state.
- */
-struct dns_io {
- unsigned int magic;
- dns_zonemgr_t *zmgr;
- isc_boolean_t high;
- isc_task_t *task;
- ISC_LINK(dns_io_t) link;
- isc_event_t *event;
-};
-
-#define SEND_BUFFER_SIZE 2048
-
-static void zone_settimer(dns_zone_t *, isc_time_t *);
-static void cancel_refresh(dns_zone_t *);
-static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
- const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
-static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(3, 4);
-static void queue_xfrin(dns_zone_t *zone);
-static void zone_unload(dns_zone_t *zone);
-static void zone_expire(dns_zone_t *zone);
-static void zone_iattach(dns_zone_t *source, dns_zone_t **target);
-static void zone_idetach(dns_zone_t **zonep);
-static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db,
- isc_boolean_t dump);
-static isc_result_t default_journal(dns_zone_t *zone);
-static void zone_xfrdone(dns_zone_t *zone, isc_result_t result);
-static isc_result_t zone_postload(dns_zone_t *zone, dns_db_t *db,
- isc_time_t loadtime, isc_result_t result);
-static void zone_needdump(dns_zone_t *zone, unsigned int delay);
-static void zone_shutdown(isc_task_t *, isc_event_t *);
-static void zone_loaddone(void *arg, isc_result_t result);
-static isc_result_t zone_startload(dns_db_t *db, dns_zone_t *zone,
- isc_time_t loadtime);
-
-#if 0
-/* ondestroy example */
-static void dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event);
-#endif
-
-static void refresh_callback(isc_task_t *, isc_event_t *);
-static void stub_callback(isc_task_t *, isc_event_t *);
-static void queue_soa_query(dns_zone_t *zone);
-static void soa_query(isc_task_t *, isc_event_t *);
-static void ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset,
- dns_stub_t *stub);
-static int message_count(dns_message_t *msg, dns_section_t section,
- dns_rdatatype_t type);
-static void notify_cancel(dns_zone_t *zone);
-static void notify_find_address(dns_notify_t *notify);
-static void notify_send(dns_notify_t *notify);
-static isc_result_t notify_createmessage(dns_zone_t *zone,
- unsigned int flags,
- dns_message_t **messagep);
-static void notify_done(isc_task_t *task, isc_event_t *event);
-static void notify_send_toaddr(isc_task_t *task, isc_event_t *event);
-static isc_result_t zone_dump(dns_zone_t *, isc_boolean_t);
-static void got_transfer_quota(isc_task_t *task, isc_event_t *event);
-static isc_result_t zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr,
- dns_zone_t *zone);
-static void zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi);
-static void zonemgr_free(dns_zonemgr_t *zmgr);
-static isc_result_t zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
- isc_task_t *task, isc_taskaction_t action,
- void *arg, dns_io_t **iop);
-static void zonemgr_putio(dns_io_t **iop);
-static void zonemgr_cancelio(dns_io_t *io);
-
-static isc_result_t
-zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
- unsigned int *soacount, isc_uint32_t *serial,
- isc_uint32_t *refresh, isc_uint32_t *retry,
- isc_uint32_t *expire, isc_uint32_t *minimum);
-
-static void zone_freedbargs(dns_zone_t *zone);
-static void forward_callback(isc_task_t *task, isc_event_t *event);
-static void zone_saveunique(dns_zone_t *zone, const char *path,
- const char *templat);
-static void zone_maintenance(dns_zone_t *zone);
-static void zone_notify(dns_zone_t *zone);
-static void dump_done(void *arg, isc_result_t result);
-
-#define ENTER zone_debuglog(zone, me, 1, "enter")
-
-static const unsigned int dbargc_default = 1;
-static const char *dbargv_default[] = { "rbt" };
-
-#define DNS_ZONE_JITTER_ADD(a, b, c) \
- do { \
- isc_interval_t _i; \
- isc_uint32_t _j; \
- _j = isc_random_jitter((b), (b)/4); \
- isc_interval_set(&_i, _j, 0); \
- if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
- dns_zone_log(zone, ISC_LOG_WARNING, \
- "epoch approaching: upgrade required: " \
- "now + %s failed", #b); \
- isc_interval_set(&_i, _j/2, 0); \
- (void)isc_time_add((a), &_i, (c)); \
- } \
- } while (0)
-
-#define DNS_ZONE_TIME_ADD(a, b, c) \
- do { \
- isc_interval_t _i; \
- isc_interval_set(&_i, (b), 0); \
- if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
- dns_zone_log(zone, ISC_LOG_WARNING, \
- "epoch approaching: upgrade required: " \
- "now + %s failed", #b); \
- isc_interval_set(&_i, (b)/2, 0); \
- (void)isc_time_add((a), &_i, (c)); \
- } \
- } while (0)
-
-/***
- *** Public functions.
- ***/
-
-isc_result_t
-dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
- isc_result_t result;
- dns_zone_t *zone;
-
- REQUIRE(zonep != NULL && *zonep == NULL);
- REQUIRE(mctx != NULL);
-
- zone = isc_mem_get(mctx, sizeof(*zone));
- if (zone == NULL)
- return (ISC_R_NOMEMORY);
-
- result = isc_mutex_init(&zone->lock);
- if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, zone, sizeof(*zone));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
-
- /* XXX MPA check that all elements are initialised */
- zone->mctx = NULL;
-#ifdef DNS_ZONE_CHECKLOCK
- zone->locked = ISC_FALSE;
-#endif
- isc_mem_attach(mctx, &zone->mctx);
- zone->db = NULL;
- zone->zmgr = NULL;
- ISC_LINK_INIT(zone, link);
- isc_refcount_init(&zone->erefs, 1); /* Implicit attach. */
- zone->irefs = 0;
- dns_name_init(&zone->origin, NULL);
- zone->masterfile = NULL;
- zone->keydirectory = NULL;
- zone->journalsize = -1;
- zone->journal = NULL;
- zone->rdclass = dns_rdataclass_none;
- zone->type = dns_zone_none;
- zone->flags = 0;
- zone->options = 0;
- zone->db_argc = 0;
- zone->db_argv = NULL;
- isc_time_settoepoch(&zone->expiretime);
- isc_time_settoepoch(&zone->refreshtime);
- isc_time_settoepoch(&zone->dumptime);
- isc_time_settoepoch(&zone->loadtime);
- zone->serial = 0;
- zone->refresh = DNS_ZONE_DEFAULTREFRESH;
- zone->retry = DNS_ZONE_DEFAULTRETRY;
- zone->expire = 0;
- zone->minimum = 0;
- zone->maxrefresh = DNS_ZONE_MAXREFRESH;
- zone->minrefresh = DNS_ZONE_MINREFRESH;
- zone->maxretry = DNS_ZONE_MAXRETRY;
- zone->minretry = DNS_ZONE_MINRETRY;
- zone->masters = NULL;
- zone->masterkeynames = NULL;
- zone->mastersok = NULL;
- zone->masterscnt = 0;
- zone->curmaster = 0;
- zone->notify = NULL;
- zone->notifytype = dns_notifytype_yes;
- zone->notifycnt = 0;
- zone->task = NULL;
- zone->update_acl = NULL;
- zone->forward_acl = NULL;
- zone->notify_acl = NULL;
- zone->query_acl = NULL;
- zone->xfr_acl = NULL;
- zone->update_disabled = ISC_FALSE;
- zone->check_names = dns_severity_ignore;
- zone->request = NULL;
- zone->lctx = NULL;
- zone->readio = NULL;
- zone->dctx = NULL;
- zone->writeio = NULL;
- zone->timer = NULL;
- zone->idlein = DNS_DEFAULT_IDLEIN;
- zone->idleout = DNS_DEFAULT_IDLEOUT;
- ISC_LIST_INIT(zone->notifies);
- isc_sockaddr_any(&zone->notifysrc4);
- isc_sockaddr_any6(&zone->notifysrc6);
- isc_sockaddr_any(&zone->xfrsource4);
- isc_sockaddr_any6(&zone->xfrsource6);
- isc_sockaddr_any(&zone->altxfrsource4);
- isc_sockaddr_any6(&zone->altxfrsource6);
- zone->xfr = NULL;
- zone->tsigkey = NULL;
- zone->maxxfrin = MAX_XFER_TIME;
- zone->maxxfrout = MAX_XFER_TIME;
- zone->ssutable = NULL;
- zone->sigvalidityinterval = 30 * 24 * 3600;
- zone->view = NULL;
- ISC_LINK_INIT(zone, statelink);
- zone->statelist = NULL;
- zone->counters = NULL;
-
- zone->magic = ZONE_MAGIC;
-
- /* Must be after magic is set. */
- result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
- if (result != ISC_R_SUCCESS)
- goto free_mutex;
-
- ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
- DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
- NULL, NULL);
- *zonep = zone;
- return (ISC_R_SUCCESS);
-
- free_mutex:
- DESTROYLOCK(&zone->lock);
- isc_mem_putanddetach(&zone->mctx, zone, sizeof(*zone));
- return (result);
-}
-
-/*
- * Free a zone. Because we require that there be no more
- * outstanding events or references, no locking is necessary.
- */
-static void
-zone_free(dns_zone_t *zone) {
- isc_mem_t *mctx = NULL;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(isc_refcount_current(&zone->erefs) == 0);
- REQUIRE(zone->irefs == 0);
- REQUIRE(!LOCKED_ZONE(zone));
- REQUIRE(zone->timer == NULL);
-
- /*
- * Managed objects. Order is important.
- */
- if (zone->request != NULL)
- dns_request_destroy(&zone->request); /* XXXMPA */
- INSIST(zone->readio == NULL);
- INSIST(zone->statelist == NULL);
- INSIST(zone->writeio == NULL);
-
- if (zone->task != NULL)
- isc_task_detach(&zone->task);
- if (zone->zmgr)
- dns_zonemgr_releasezone(zone->zmgr, zone);
-
- /* Unmanaged objects */
- if (zone->masterfile != NULL)
- isc_mem_free(zone->mctx, zone->masterfile);
- zone->masterfile = NULL;
- if (zone->keydirectory != NULL)
- isc_mem_free(zone->mctx, zone->keydirectory);
- zone->keydirectory = NULL;
- zone->journalsize = -1;
- if (zone->journal != NULL)
- isc_mem_free(zone->mctx, zone->journal);
- zone->journal = NULL;
- if (zone->counters != NULL)
- dns_stats_freecounters(zone->mctx, &zone->counters);
- if (zone->db != NULL)
- dns_db_detach(&zone->db);
- zone_freedbargs(zone);
- RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
- == ISC_R_SUCCESS);
- RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0)
- == ISC_R_SUCCESS);
- zone->check_names = dns_severity_ignore;
- if (zone->update_acl != NULL)
- dns_acl_detach(&zone->update_acl);
- if (zone->forward_acl != NULL)
- dns_acl_detach(&zone->forward_acl);
- if (zone->notify_acl != NULL)
- dns_acl_detach(&zone->notify_acl);
- if (zone->query_acl != NULL)
- dns_acl_detach(&zone->query_acl);
- if (zone->xfr_acl != NULL)
- dns_acl_detach(&zone->xfr_acl);
- if (dns_name_dynamic(&zone->origin))
- dns_name_free(&zone->origin, zone->mctx);
- if (zone->ssutable != NULL)
- dns_ssutable_detach(&zone->ssutable);
-
- /* last stuff */
- DESTROYLOCK(&zone->lock);
- isc_refcount_destroy(&zone->erefs);
- zone->magic = 0;
- mctx = zone->mctx;
- isc_mem_put(mctx, zone, sizeof(*zone));
- isc_mem_detach(&mctx);
-}
-
-/*
- * Single shot.
- */
-void
-dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(rdclass != dns_rdataclass_none);
-
- /*
- * Test and set.
- */
- LOCK_ZONE(zone);
- REQUIRE(zone->rdclass == dns_rdataclass_none ||
- zone->rdclass == rdclass);
- zone->rdclass = rdclass;
- UNLOCK_ZONE(zone);
-}
-
-dns_rdataclass_t
-dns_zone_getclass(dns_zone_t *zone){
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->rdclass);
-}
-
-void
-dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone->notifytype = notifytype;
- UNLOCK_ZONE(zone);
-}
-
-/*
- * Single shot.
- */
-void
-dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(type != dns_zone_none);
-
- /*
- * Test and set.
- */
- LOCK_ZONE(zone);
- REQUIRE(zone->type == dns_zone_none || zone->type == type);
- zone->type = type;
- UNLOCK_ZONE(zone);
-}
-
-static void
-zone_freedbargs(dns_zone_t *zone) {
- unsigned int i;
-
- /* Free the old database argument list. */
- if (zone->db_argv != NULL) {
- for (i = 0; i < zone->db_argc; i++)
- isc_mem_free(zone->mctx, zone->db_argv[i]);
- isc_mem_put(zone->mctx, zone->db_argv,
- zone->db_argc * sizeof(*zone->db_argv));
- }
- zone->db_argc = 0;
- zone->db_argv = NULL;
-}
-
-isc_result_t
-dns_zone_setdbtype(dns_zone_t *zone,
- unsigned int dbargc, const char * const *dbargv) {
- isc_result_t result = ISC_R_SUCCESS;
- char **new = NULL;
- unsigned int i;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(dbargc >= 1);
- REQUIRE(dbargv != NULL);
-
- LOCK_ZONE(zone);
-
- /* Set up a new database argument list. */
- new = isc_mem_get(zone->mctx, dbargc * sizeof(*new));
- if (new == NULL)
- goto nomem;
- for (i = 0; i < dbargc; i++)
- new[i] = NULL;
- for (i = 0; i < dbargc; i++) {
- new[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
- if (new[i] == NULL)
- goto nomem;
- }
-
- /* Free the old list. */
- zone_freedbargs(zone);
-
- zone->db_argc = dbargc;
- zone->db_argv = new;
- result = ISC_R_SUCCESS;
- goto unlock;
-
- nomem:
- if (new != NULL) {
- for (i = 0; i < dbargc; i++) {
- if (zone->db_argv[i] != NULL)
- isc_mem_free(zone->mctx, new[i]);
- isc_mem_put(zone->mctx, new,
- dbargc * sizeof(*new));
- }
- }
- result = ISC_R_NOMEMORY;
-
- unlock:
- UNLOCK_ZONE(zone);
- return (result);
-}
-
-void
-dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->view != NULL)
- dns_view_weakdetach(&zone->view);
- dns_view_weakattach(view, &zone->view);
- UNLOCK_ZONE(zone);
-}
-
-
-dns_view_t *
-dns_zone_getview(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->view);
-}
-
-
-isc_result_t
-dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin) {
- isc_result_t result;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(origin != NULL);
-
- LOCK_ZONE(zone);
- if (dns_name_dynamic(&zone->origin)) {
- dns_name_free(&zone->origin, zone->mctx);
- dns_name_init(&zone->origin, NULL);
- }
- result = dns_name_dup(origin, zone->mctx, &zone->origin);
- UNLOCK_ZONE(zone);
- return (result);
-}
-
-
-static isc_result_t
-dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
- char *copy;
-
- if (value != NULL) {
- copy = isc_mem_strdup(zone->mctx, value);
- if (copy == NULL)
- return (ISC_R_NOMEMORY);
- } else {
- copy = NULL;
- }
-
- if (*field != NULL)
- isc_mem_free(zone->mctx, *field);
-
- *field = copy;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_setfile(dns_zone_t *zone, const char *file) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- result = dns_zone_setstring(zone, &zone->masterfile, file);
- if (result == ISC_R_SUCCESS)
- result = default_journal(zone);
- UNLOCK_ZONE(zone);
-
- return (result);
-}
-
-const char *
-dns_zone_getfile(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->masterfile);
-}
-
-static isc_result_t
-default_journal(dns_zone_t *zone) {
- isc_result_t result;
- char *journal;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
-
- if (zone->masterfile != NULL) {
- /* Calculate string length including '\0'. */
- int len = strlen(zone->masterfile) + sizeof(".jnl");
- journal = isc_mem_allocate(zone->mctx, len);
- if (journal == NULL)
- return (ISC_R_NOMEMORY);
- strcpy(journal, zone->masterfile);
- strcat(journal, ".jnl");
- } else {
- journal = NULL;
- }
- result = dns_zone_setstring(zone, &zone->journal, journal);
- if (journal != NULL)
- isc_mem_free(zone->mctx, journal);
- return (result);
-}
-
-isc_result_t
-dns_zone_setjournal(dns_zone_t *zone, const char *journal) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- result = dns_zone_setstring(zone, &zone->journal, journal);
- UNLOCK_ZONE(zone);
-
- return (result);
-}
-
-char *
-dns_zone_getjournal(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->journal);
-}
-
-/*
- * Return true iff the zone is "dynamic", in the sense that the zone's
- * master file (if any) is written by the server, rather than being
- * updated manually and read by the server.
- *
- * This is true for slave zones, stub zones, and zones that allow
- * dynamic updates either by having an update policy ("ssutable")
- * or an "allow-update" ACL with a value other than exactly "{ none; }".
- */
-static isc_boolean_t
-zone_isdynamic(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (ISC_TF(zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub ||
- (!zone->update_disabled && zone->ssutable != NULL) ||
- (!zone->update_disabled && zone->update_acl != NULL &&
- ! (zone->update_acl->length == 1 &&
- zone->update_acl->elements[0].negative == ISC_TRUE
- &&
- zone->update_acl->elements[0].type ==
- dns_aclelementtype_any))));
-}
-
-
-static isc_result_t
-zone_load(dns_zone_t *zone, unsigned int flags) {
- isc_result_t result;
- isc_time_t now;
- isc_time_t loadtime, filetime;
- dns_db_t *db = NULL;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- TIME_NOW(&now);
-
- INSIST(zone->type != dns_zone_none);
-
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
-
- if (zone->db != NULL && zone->masterfile == NULL) {
- /*
- * The zone has no master file configured, but it already
- * has a database. It could be the built-in
- * version.bind. CH zone, a zone with a persistent
- * database being reloaded, or maybe a zone that
- * used to have a master file but whose configuration
- * was changed so that it no longer has one. Do nothing.
- */
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
-
- if (zone->db != NULL && zone_isdynamic(zone)) {
- /*
- * This is a slave, stub, or dynamically updated
- * zone being reloaded. Do nothing - the database
- * we already have is guaranteed to be up-to-date.
- */
- if (zone->type == dns_zone_master)
- result = DNS_R_DYNAMIC;
- else
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
-
- /*
- * Don't do the load if the file that stores the zone is older
- * than the last time the zone was loaded. If the zone has not
- * been loaded yet, zone->loadtime will be the epoch.
- */
- if (zone->masterfile != NULL && ! isc_time_isepoch(&zone->loadtime)) {
- /*
- * The file is already loaded. If we are just doing a
- * "rndc reconfig", we are done.
- */
- if ((flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE)) {
- result = isc_file_getmodtime(zone->masterfile,
- &filetime);
- if (result == ISC_R_SUCCESS &&
- isc_time_compare(&filetime, &zone->loadtime) < 0) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "skipping load: master file older "
- "than last load");
- result = DNS_R_UPTODATE;
- goto cleanup;
- }
- }
- }
-
- INSIST(zone->db_argc >= 1);
-
- if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) &&
- (strcmp(zone->db_argv[0], "rbt") == 0 ||
- strcmp(zone->db_argv[0], "rbt64") == 0)) {
- if (zone->masterfile == NULL ||
- !isc_file_exists(zone->masterfile)) {
- if (zone->masterfile != NULL)
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "no master file");
- zone->refreshtime = now;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
- result = ISC_R_SUCCESS;
- goto cleanup;
- }
- }
-
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "starting load");
-
- /*
- * Store the current time before the zone is loaded, so that if the
- * file changes between the time of the load and the time that
- * zone->loadtime is set, then the file will still be reloaded
- * the next time dns_zone_load is called.
- */
- TIME_NOW(&loadtime);
-
- result = dns_db_create(zone->mctx, zone->db_argv[0],
- &zone->origin, (zone->type == dns_zone_stub) ?
- dns_dbtype_stub : dns_dbtype_zone,
- zone->rdclass,
- zone->db_argc - 1, zone->db_argv + 1,
- &db);
-
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "loading zone: creating database: %s",
- isc_result_totext(result));
- goto cleanup;
- }
- dns_db_settask(db, zone->task);
-
- if (! dns_db_ispersistent(db)) {
- if (zone->masterfile != NULL) {
- result = zone_startload(db, zone, loadtime);
- } else {
- result = DNS_R_NOMASTERFILE;
- if (zone->type == dns_zone_master) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "loading zone: "
- "no master file configured");
- goto cleanup;
- }
- dns_zone_log(zone, ISC_LOG_INFO, "loading zone: "
- "no master file configured: continuing");
- }
- }
-
- if (result == DNS_R_CONTINUE) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
- goto cleanup;
- }
-
- result = zone_postload(zone, db, loadtime, result);
-
- cleanup:
- UNLOCK_ZONE(zone);
- if (db != NULL)
- dns_db_detach(&db);
- return (result);
-}
-
-isc_result_t
-dns_zone_load(dns_zone_t *zone) {
- return (zone_load(zone, 0));
-}
-
-isc_result_t
-dns_zone_loadnew(dns_zone_t *zone) {
- return (zone_load(zone, DNS_ZONELOADFLAG_NOSTAT));
-}
-
-static void
-zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
- dns_load_t *load = event->ev_arg;
- isc_result_t result = ISC_R_SUCCESS;
- unsigned int options;
-
- REQUIRE(DNS_LOAD_VALID(load));
-
- if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
- result = ISC_R_CANCELED;
- isc_event_free(&event);
- if (result == ISC_R_CANCELED)
- goto fail;
-
- options = DNS_MASTER_ZONE;
- if (load->zone->type == dns_zone_slave)
- options |= DNS_MASTER_SLAVE;
- if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNS))
- options |= DNS_MASTER_CHECKNS;
- if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_FATALNS))
- options |= DNS_MASTER_FATALNS;
- if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMES))
- options |= DNS_MASTER_CHECKNAMES;
- if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMESFAIL))
- options |= DNS_MASTER_CHECKNAMESFAIL;
- result = dns_master_loadfileinc(load->zone->masterfile,
- dns_db_origin(load->db),
- dns_db_origin(load->db),
- load->zone->rdclass,
- options,
- &load->callbacks, task,
- zone_loaddone, load,
- &load->zone->lctx, load->zone->mctx);
- if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE &&
- result != DNS_R_SEENINCLUDE)
- goto fail;
- return;
-
- fail:
- zone_loaddone(load, result);
-}
-
-static void
-zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
- const char me[] = "zone_gotwritehandle";
- dns_zone_t *zone = event->ev_arg;
- isc_result_t result = ISC_R_SUCCESS;
- dns_dbversion_t *version = NULL;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- INSIST(task == zone->task);
- ENTER;
-
- if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
- result = ISC_R_CANCELED;
- isc_event_free(&event);
- if (result == ISC_R_CANCELED)
- goto fail;
-
- LOCK_ZONE(zone);
- dns_db_currentversion(zone->db, &version);
- result = dns_master_dumpinc(zone->mctx, zone->db, version,
- &dns_master_style_default,
- zone->masterfile, zone->task,
- dump_done, zone, &zone->dctx);
- dns_db_closeversion(zone->db, &version, ISC_FALSE);
- UNLOCK_ZONE(zone);
- if (result != DNS_R_CONTINUE)
- goto fail;
- return;
-
- fail:
- dump_done(zone, result);
-}
-
-static isc_result_t
-zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
- dns_load_t *load;
- isc_result_t result;
- isc_result_t tresult;
- unsigned int options;
-
- options = DNS_MASTER_ZONE;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
- options |= DNS_MASTER_MANYERRORS;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
- options |= DNS_MASTER_CHECKNS;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
- options |= DNS_MASTER_FATALNS;
- if (zone->type == dns_zone_slave)
- options |= DNS_MASTER_SLAVE;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
- options |= DNS_MASTER_CHECKNAMES;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
- options |= DNS_MASTER_CHECKNAMESFAIL;
-
- if (zone->zmgr != NULL && zone->db != NULL && zone->task != NULL) {
- load = isc_mem_get(zone->mctx, sizeof(*load));
- if (load == NULL)
- return (ISC_R_NOMEMORY);
-
- load->mctx = NULL;
- load->zone = NULL;
- load->db = NULL;
- load->loadtime = loadtime;
- load->magic = LOAD_MAGIC;
-
- isc_mem_attach(zone->mctx, &load->mctx);
- zone_iattach(zone, &load->zone);
- dns_db_attach(db, &load->db);
- dns_rdatacallbacks_init(&load->callbacks);
- result = dns_db_beginload(db, &load->callbacks.add,
- &load->callbacks.add_private);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = zonemgr_getio(zone->zmgr, ISC_TRUE, zone->task,
- zone_gotreadhandle, load,
- &zone->readio);
- if (result != ISC_R_SUCCESS) {
- tresult = dns_db_endload(load->db,
- &load->callbacks.add_private);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- goto cleanup;
- } else
- result = DNS_R_CONTINUE;
- } else {
- dns_rdatacallbacks_t callbacks;
-
- dns_rdatacallbacks_init(&callbacks);
- result = dns_db_beginload(db, &callbacks.add,
- &callbacks.add_private);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = dns_master_loadfile(zone->masterfile, &zone->origin,
- &zone->origin, zone->rdclass,
- options, &callbacks, zone->mctx);
- tresult = dns_db_endload(db, &callbacks.add_private);
- if (result == ISC_R_SUCCESS)
- result = tresult;
- }
-
- return (result);
-
- cleanup:
- load->magic = 0;
- dns_db_detach(&load->db);
- zone_idetach(&load->zone);
- isc_mem_detach(&load->mctx);
- isc_mem_put(zone->mctx, load, sizeof(*load));
- return (result);
-}
-
-static isc_result_t
-zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
- isc_result_t result)
-{
- unsigned int soacount = 0;
- unsigned int nscount = 0;
- isc_uint32_t serial, refresh, retry, expire, minimum;
- isc_time_t now;
- isc_boolean_t needdump = ISC_FALSE;
- isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
-
- TIME_NOW(&now);
-
- /*
- * Initiate zone transfer? We may need a error code that
- * indicates that the "permanent" form does not exist.
- * XXX better error feedback to log.
- */
- if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
- if (zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub) {
- if (result == ISC_R_FILENOTFOUND)
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "no master file");
- else if (result != DNS_R_NOMASTERFILE)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "loading master file %s: %s",
- zone->masterfile,
- dns_result_totext(result));
- } else
- dns_zone_log(zone, ISC_LOG_ERROR,
- "loading master file %s: %s",
- zone->masterfile,
- dns_result_totext(result));
- goto cleanup;
- }
-
- dns_zone_log(zone, ISC_LOG_DEBUG(2),
- "number of nodes in database: %u",
- dns_db_nodecount(db));
- zone->loadtime = loadtime;
-
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
-
- if (result == DNS_R_SEENINCLUDE)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
- else
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
- /*
- * Apply update log, if any, on initial load.
- */
- if (zone->journal != NULL &&
- ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
- ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
- {
- result = dns_journal_rollforward(zone->mctx, db,
- zone->journal);
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
- result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
- result != ISC_R_RANGE) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "journal rollforward failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "journal rollforward failed: "
- "journal out of sync with zone");
- goto cleanup;
- }
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "journal rollforward completed "
- "successfully: %s",
- dns_result_totext(result));
- if (result == ISC_R_SUCCESS)
- needdump = ISC_TRUE;
- }
-
- /*
- * Obtain ns and soa counts for top of zone.
- */
- nscount = 0;
- soacount = 0;
- INSIST(db != NULL);
- result = zone_get_from_db(db, &zone->origin, &nscount,
- &soacount, &serial, &refresh, &retry,
- &expire, &minimum);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not find NS and/or SOA records");
- }
-
- /*
- * Master / Slave / Stub zones require both NS and SOA records at
- * the top of the zone.
- */
-
- switch (zone->type) {
- case dns_zone_master:
- case dns_zone_slave:
- case dns_zone_stub:
- if (soacount != 1) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "has %d SOA records", soacount);
- result = DNS_R_BADZONE;
- }
- if (nscount == 0) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "has no NS records");
- result = DNS_R_BADZONE;
- }
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- if (zone->db != NULL) {
- /*
- * This is checked in zone_replacedb() for slave zones
- * as they don't reload from disk.
- */
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
- !isc_serial_gt(serial, zone->serial)) {
- isc_uint32_t serialmin, serialmax;
-
- INSIST(zone->type == dns_zone_master);
-
- serialmin = (zone->serial + 1) & 0xffffffffU;
- serialmax = (zone->serial + 0x7fffffffU) &
- 0xffffffffU;
- dns_zone_log(zone, ISC_LOG_ERROR,
- "ixfr-from-differences: "
- "new serial (%u) out of range "
- "[%u - %u]", serial, serialmin,
- serialmax);
- result = DNS_R_BADZONE;
- goto cleanup;
- } else if (!isc_serial_ge(serial, zone->serial))
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone serial has gone backwards");
- else if (serial == zone->serial && !hasinclude)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "zone serial unchanged");
- }
- zone->serial = serial;
- zone->refresh = RANGE(refresh,
- zone->minrefresh, zone->maxrefresh);
- zone->retry = RANGE(retry,
- zone->minretry, zone->maxretry);
- zone->expire = RANGE(expire, zone->refresh + zone->retry,
- DNS_MAX_EXPIRE);
- zone->minimum = minimum;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
-
- if (zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub) {
- isc_time_t t;
- isc_uint32_t delay;
-
- result = isc_file_getmodtime(zone->journal, &t);
- if (result != ISC_R_SUCCESS)
- result = isc_file_getmodtime(zone->masterfile,
- &t);
- if (result == ISC_R_SUCCESS)
- DNS_ZONE_TIME_ADD(&t, zone->expire,
- &zone->expiretime);
- else
- DNS_ZONE_TIME_ADD(&now, zone->retry,
- &zone->expiretime);
-
- delay = isc_random_jitter(zone->retry,
- (zone->retry * 3) / 4);
- DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
- if (isc_time_compare(&zone->refreshtime,
- &zone->expiretime) >= 0)
- zone->refreshtime = now;
- }
- break;
- default:
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unexpected zone type %d", zone->type);
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
-
-
-#if 0
- /* destroy notification example. */
- {
- isc_event_t *e = isc_event_allocate(zone->mctx, NULL,
- DNS_EVENT_DBDESTROYED,
- dns_zonemgr_dbdestroyed,
- zone,
- sizeof(isc_event_t));
- dns_db_ondestroy(db, zone->task, &e);
- }
-#endif
-
- if (zone->db != NULL) {
- result = zone_replacedb(zone, db, ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- } else {
- dns_db_attach(db, &zone->db);
- DNS_ZONE_SETFLAG(zone,
- DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
- }
- result = ISC_R_SUCCESS;
- if (needdump)
- zone_needdump(zone, DNS_DUMP_DELAY);
- if (zone->task != NULL)
- zone_settimer(zone, &now);
-
- if (! dns_db_ispersistent(db))
- dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s",
- zone->serial,
- dns_db_issecure(db) ? " (signed)" : "");
-
- return (result);
-
- cleanup:
- if (zone->type == dns_zone_slave ||
- zone->type == dns_zone_stub) {
- if (zone->journal != NULL)
- zone_saveunique(zone, zone->journal, "jn-XXXXXXXX");
- if (zone->masterfile != NULL)
- zone_saveunique(zone, zone->masterfile, "db-XXXXXXXX");
-
- /* Mark the zone for immediate refresh. */
- zone->refreshtime = now;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
- result = ISC_R_SUCCESS;
- }
- return (result);
-}
-
-static isc_boolean_t
-exit_check(dns_zone_t *zone) {
-
- REQUIRE(LOCKED_ZONE(zone));
-
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) &&
- zone->irefs == 0)
- {
- /*
- * DNS_ZONEFLG_SHUTDOWN can only be set if erefs == 0.
- */
- INSIST(isc_refcount_current(&zone->erefs) == 0);
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
-}
-
-static isc_result_t
-zone_count_ns_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- unsigned int *nscount)
-{
- isc_result_t result;
- unsigned int count;
- dns_rdataset_t rdataset;
-
- REQUIRE(nscount != NULL);
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
- dns_rdatatype_none, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- *nscount = 0;
- result = ISC_R_SUCCESS;
- goto invalidate_rdataset;
- }
- if (result != ISC_R_SUCCESS)
- goto invalidate_rdataset;
-
- count = 0;
- result = dns_rdataset_first(&rdataset);
- while (result == ISC_R_SUCCESS) {
- count++;
- result = dns_rdataset_next(&rdataset);
- }
- dns_rdataset_disassociate(&rdataset);
-
- *nscount = count;
- result = ISC_R_SUCCESS;
-
- invalidate_rdataset:
- dns_rdataset_invalidate(&rdataset);
-
- return (result);
-}
-
-static isc_result_t
-zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
- unsigned int *soacount,
- isc_uint32_t *serial, isc_uint32_t *refresh,
- isc_uint32_t *retry, isc_uint32_t *expire,
- isc_uint32_t *minimum)
-{
- isc_result_t result;
- unsigned int count;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
- dns_rdatatype_none, 0, &rdataset, NULL);
- if (result == ISC_R_NOTFOUND) {
- if (soacount != NULL)
- *soacount = 0;
- if (serial != NULL)
- *serial = 0;
- if (refresh != NULL)
- *refresh = 0;
- if (retry != NULL)
- *retry = 0;
- if (expire != NULL)
- *expire = 0;
- if (minimum != NULL)
- *minimum = 0;
- result = ISC_R_SUCCESS;
- goto invalidate_rdataset;
- }
- if (result != ISC_R_SUCCESS)
- goto invalidate_rdataset;
-
- count = 0;
- result = dns_rdataset_first(&rdataset);
- while (result == ISC_R_SUCCESS) {
- dns_rdata_init(&rdata);
- dns_rdataset_current(&rdataset, &rdata);
- count++;
- if (count == 1) {
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- }
-
- result = dns_rdataset_next(&rdataset);
- dns_rdata_reset(&rdata);
- }
- dns_rdataset_disassociate(&rdataset);
-
- if (soacount != NULL)
- *soacount = count;
-
- if (count > 0) {
- if (serial != NULL)
- *serial = soa.serial;
- if (refresh != NULL)
- *refresh = soa.refresh;
- if (retry != NULL)
- *retry = soa.retry;
- if (expire != NULL)
- *expire = soa.expire;
- if (minimum != NULL)
- *minimum = soa.minimum;
- }
-
- result = ISC_R_SUCCESS;
-
- invalidate_rdataset:
- dns_rdataset_invalidate(&rdataset);
-
- return (result);
-}
-
-/*
- * zone must be locked.
- */
-static isc_result_t
-zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
- unsigned int *soacount, isc_uint32_t *serial,
- isc_uint32_t *refresh, isc_uint32_t *retry,
- isc_uint32_t *expire, isc_uint32_t *minimum)
-{
- dns_dbversion_t *version;
- isc_result_t result;
- isc_result_t answer = ISC_R_SUCCESS;
- dns_dbnode_t *node;
-
- REQUIRE(db != NULL);
- REQUIRE(origin != NULL);
-
- version = NULL;
- dns_db_currentversion(db, &version);
-
- node = NULL;
- result = dns_db_findnode(db, origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS) {
- answer = result;
- goto closeversion;
- }
-
- if (nscount != NULL) {
- result = zone_count_ns_rr(db, node, version, nscount);
- if (result != ISC_R_SUCCESS)
- answer = result;
- }
-
- if (soacount != NULL || serial != NULL || refresh != NULL
- || retry != NULL || expire != NULL || minimum != NULL) {
- result = zone_load_soa_rr(db, node, version, soacount,
- serial, refresh, retry, expire,
- minimum);
- if (result != ISC_R_SUCCESS)
- answer = result;
- }
-
- dns_db_detachnode(db, &node);
- closeversion:
- dns_db_closeversion(db, &version, ISC_FALSE);
-
- return (answer);
-}
-
-void
-dns_zone_attach(dns_zone_t *source, dns_zone_t **target) {
- REQUIRE(DNS_ZONE_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- isc_refcount_increment(&source->erefs, NULL);
- *target = source;
-}
-
-void
-dns_zone_detach(dns_zone_t **zonep) {
- dns_zone_t *zone;
- unsigned int refs;
- isc_boolean_t free_now = ISC_FALSE;
-
- REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
-
- zone = *zonep;
-
- isc_refcount_decrement(&zone->erefs, &refs);
-
- if (refs == 0) {
- LOCK_ZONE(zone);
- /*
- * We just detached the last external reference.
- */
- if (zone->task != NULL) {
- /*
- * This zone is being managed. Post
- * its control event and let it clean
- * up synchronously in the context of
- * its task.
- */
- isc_event_t *ev = &zone->ctlevent;
- isc_task_send(zone->task, &ev);
- } else {
- /*
- * This zone is not being managed; it has
- * no task and can have no outstanding
- * events. Free it immediately.
- */
- /*
- * Unmanaged zones should not have non-null views;
- * we have no way of detaching from the view here
- * without causing deadlock because this code is called
- * with the view already locked.
- */
- INSIST(zone->view == NULL);
- free_now = ISC_TRUE;
- }
- UNLOCK_ZONE(zone);
- }
- *zonep = NULL;
- if (free_now)
- zone_free(zone);
-}
-
-void
-dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
- REQUIRE(DNS_ZONE_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- LOCK_ZONE(source);
- zone_iattach(source, target);
- UNLOCK_ZONE(source);
-}
-
-static void
-zone_iattach(dns_zone_t *source, dns_zone_t **target) {
-
- /*
- * 'source' locked by caller.
- */
- REQUIRE(LOCKED_ZONE(source));
- REQUIRE(DNS_ZONE_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
- INSIST(source->irefs + isc_refcount_current(&source->erefs) > 0);
- source->irefs++;
- INSIST(source->irefs != 0);
- *target = source;
-}
-
-static void
-zone_idetach(dns_zone_t **zonep) {
- dns_zone_t *zone;
-
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
- zone = *zonep;
- REQUIRE(LOCKED_ZONE(*zonep));
- *zonep = NULL;
-
- INSIST(zone->irefs > 0);
- zone->irefs--;
- INSIST(zone->irefs + isc_refcount_current(&zone->erefs) > 0);
-}
-
-void
-dns_zone_idetach(dns_zone_t **zonep) {
- dns_zone_t *zone;
- isc_boolean_t free_needed;
-
- REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
- zone = *zonep;
- *zonep = NULL;
-
- LOCK_ZONE(zone);
- INSIST(zone->irefs > 0);
- zone->irefs--;
- free_needed = exit_check(zone);
- UNLOCK_ZONE(zone);
- if (free_needed)
- zone_free(zone);
-}
-
-isc_mem_t *
-dns_zone_getmctx(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->mctx);
-}
-
-dns_zonemgr_t *
-dns_zone_getmgr(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->zmgr);
-}
-
-void
-dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (value)
- DNS_ZONE_SETFLAG(zone, flags);
- else
- DNS_ZONE_CLRFLAG(zone, flags);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value)
-{
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (value)
- zone->options |= option;
- else
- zone->options &= ~option;
- UNLOCK_ZONE(zone);
-}
-
-unsigned int
-dns_zone_getoptions(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->options);
-}
-
-isc_result_t
-dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone->xfrsource4 = *xfrsource;
- UNLOCK_ZONE(zone);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getxfrsource4(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->xfrsource4);
-}
-
-isc_result_t
-dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone->xfrsource6 = *xfrsource;
- UNLOCK_ZONE(zone);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getxfrsource6(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->xfrsource6);
-}
-
-isc_result_t
-dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone->altxfrsource4 = *altxfrsource;
- UNLOCK_ZONE(zone);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getaltxfrsource4(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->altxfrsource4);
-}
-
-isc_result_t
-dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone->altxfrsource6 = *altxfrsource;
- UNLOCK_ZONE(zone);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getaltxfrsource6(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->altxfrsource6);
-}
-
-isc_result_t
-dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone->notifysrc4 = *notifysrc;
- UNLOCK_ZONE(zone);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc4(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->notifysrc4);
-}
-
-isc_result_t
-dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone->notifysrc6 = *notifysrc;
- UNLOCK_ZONE(zone);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_sockaddr_t *
-dns_zone_getnotifysrc6(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (&zone->notifysrc6);
-}
-
-isc_result_t
-dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
- isc_uint32_t count)
-{
- isc_sockaddr_t *new;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(count == 0 || notify != NULL);
-
- LOCK_ZONE(zone);
- if (zone->notify != NULL) {
- isc_mem_put(zone->mctx, zone->notify,
- zone->notifycnt * sizeof(*new));
- zone->notify = NULL;
- zone->notifycnt = 0;
- }
- if (count != 0) {
- new = isc_mem_get(zone->mctx, count * sizeof(*new));
- if (new == NULL) {
- UNLOCK_ZONE(zone);
- return (ISC_R_NOMEMORY);
- }
- memcpy(new, notify, count * sizeof(*new));
- zone->notify = new;
- zone->notifycnt = count;
- }
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
- isc_uint32_t count)
-{
- isc_result_t result;
-
- result = dns_zone_setmasterswithkeys(zone, masters, NULL, count);
- return (result);
-}
-
-isc_result_t
-dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
- dns_name_t **keynames, isc_uint32_t count)
-{
- isc_sockaddr_t *new;
- isc_result_t result = ISC_R_SUCCESS;
- dns_name_t **newname;
- isc_boolean_t *newok;
- unsigned int i;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(count == 0 || masters != NULL);
- if (keynames != NULL) {
- REQUIRE(count != 0);
- }
-
- LOCK_ZONE(zone);
- if (zone->masters != NULL) {
- isc_mem_put(zone->mctx, zone->masters,
- zone->masterscnt * sizeof(*new));
- zone->masters = NULL;
- }
- if (zone->masterkeynames != NULL) {
- for (i = 0; i < zone->masterscnt; i++) {
- if (zone->masterkeynames[i] != NULL) {
- dns_name_free(zone->masterkeynames[i],
- zone->mctx);
- isc_mem_put(zone->mctx,
- zone->masterkeynames[i],
- sizeof(dns_name_t));
- zone->masterkeynames[i] = NULL;
- }
- }
- isc_mem_put(zone->mctx, zone->masterkeynames,
- zone->masterscnt * sizeof(dns_name_t *));
- zone->masterkeynames = NULL;
- }
- if (zone->mastersok != NULL) {
- isc_mem_put(zone->mctx, zone->mastersok,
- zone->masterscnt * sizeof(isc_boolean_t));
- zone->mastersok = NULL;
- }
- zone->masterscnt = 0;
- /*
- * If count == 0, don't allocate any space for masters, mastersok or
- * keynames so internally, those pointers are NULL if count == 0
- */
- if (count == 0)
- goto unlock;
-
- /*
- * masters must countain count elements!
- */
- new = isc_mem_get(zone->mctx, count * sizeof(*new));
- if (new == NULL) {
- result = ISC_R_NOMEMORY;
- goto unlock;
- }
- memcpy(new, masters, count * sizeof(*new));
-
- /*
- * Similarly for mastersok.
- */
- newok = isc_mem_get(zone->mctx, count * sizeof(*newok));
- if (newok == NULL) {
- result = ISC_R_NOMEMORY;
- isc_mem_put(zone->mctx, new, count * sizeof(*new));
- goto unlock;
- };
- for (i = 0; i < count; i++)
- newok[i] = ISC_FALSE;
-
- /*
- * if keynames is non-NULL, it must contain count elements!
- */
- newname = NULL;
- if (keynames != NULL) {
- newname = isc_mem_get(zone->mctx, count * sizeof(*newname));
- if (newname == NULL) {
- result = ISC_R_NOMEMORY;
- isc_mem_put(zone->mctx, new, count * sizeof(*new));
- isc_mem_put(zone->mctx, newok, count * sizeof(*newok));
- goto unlock;
- }
- for (i = 0; i < count; i++)
- newname[i] = NULL;
- for (i = 0; i < count; i++) {
- if (keynames[i] != NULL) {
- newname[i] = isc_mem_get(zone->mctx,
- sizeof(dns_name_t));
- if (newname[i] == NULL)
- goto allocfail;
- dns_name_init(newname[i], NULL);
- result = dns_name_dup(keynames[i], zone->mctx,
- newname[i]);
- if (result != ISC_R_SUCCESS) {
- allocfail:
- for (i = 0; i < count; i++)
- if (newname[i] != NULL)
- dns_name_free(
- newname[i],
- zone->mctx);
- isc_mem_put(zone->mctx, new,
- count * sizeof(*new));
- isc_mem_put(zone->mctx, newok,
- count * sizeof(*newok));
- isc_mem_put(zone->mctx, newname,
- count * sizeof(*newname));
- goto unlock;
- }
- }
- }
- }
-
- /*
- * Everything is ok so attach to the zone.
- */
- zone->masters = new;
- zone->mastersok = newok;
- zone->masterkeynames = newname;
- zone->masterscnt = count;
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS);
-
- unlock:
- UNLOCK_ZONE(zone);
- return (result);
-}
-
-isc_result_t
-dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->db == NULL)
- result = DNS_R_NOTLOADED;
- else
- dns_db_attach(zone->db, dpb);
- UNLOCK_ZONE(zone);
-
- return (result);
-}
-
-/*
- * Co-ordinates the starting of routine jobs.
- */
-
-void
-dns_zone_maintenance(dns_zone_t *zone) {
- const char me[] = "dns_zone_maintenance";
- isc_time_t now;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
-
- LOCK_ZONE(zone);
- TIME_NOW(&now);
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
-}
-
-static inline isc_boolean_t
-was_dumping(dns_zone_t *zone) {
- isc_boolean_t dumping;
-
- REQUIRE(LOCKED_ZONE(zone));
-
- dumping = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
- if (!dumping) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- isc_time_settoepoch(&zone->dumptime);
- }
- return (dumping);
-}
-
-static void
-zone_maintenance(dns_zone_t *zone) {
- const char me[] = "zone_maintenance";
- isc_time_t now;
- isc_result_t result;
- isc_boolean_t dumping;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
-
- /*
- * Configuring the view of this zone may have
- * failed, for example because the config file
- * had a syntax error. In that case, the view
- * adb or resolver, and we had better not try
- * to do maintenance on it.
- */
- if (zone->view == NULL || zone->view->adb == NULL)
- return;
-
- TIME_NOW(&now);
-
- /*
- * Expire check.
- */
- switch (zone->type) {
- case dns_zone_slave:
- case dns_zone_stub:
- LOCK_ZONE(zone);
- if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- zone_expire(zone);
- zone->refreshtime = now;
- }
- UNLOCK_ZONE(zone);
- break;
- default:
- break;
- }
-
- /*
- * Up to date check.
- */
- switch (zone->type) {
- case dns_zone_slave:
- case dns_zone_stub:
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
- isc_time_compare(&now, &zone->refreshtime) >= 0)
- dns_zone_refresh(zone);
- break;
- default:
- break;
- }
-
- /*
- * Do we need to consolidate the backing store?
- */
- switch (zone->type) {
- case dns_zone_master:
- case dns_zone_slave:
- LOCK_ZONE(zone);
- if (zone->masterfile != NULL &&
- isc_time_compare(&now, &zone->dumptime) >= 0 &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) {
- dumping = was_dumping(zone);
- } else
- dumping = ISC_TRUE;
- UNLOCK_ZONE(zone);
- if (!dumping) {
- result = zone_dump(zone, ISC_TRUE); /* task locked */
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_WARNING,
- "dump failed: %s",
- dns_result_totext(result));
- }
- break;
- default:
- break;
- }
-
- /*
- * Do we need to send out notify messages?
- */
- switch (zone->type) {
- case dns_zone_master:
- case dns_zone_slave:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
- zone_notify(zone);
- break;
- default:
- break;
- }
- zone_settimer(zone, &now);
-}
-
-void
-dns_zone_markdirty(dns_zone_t *zone) {
-
- LOCK_ZONE(zone);
- zone_needdump(zone, DNS_DUMP_DELAY);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_expire(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone_expire(zone);
- UNLOCK_ZONE(zone);
-}
-
-static void
-zone_expire(dns_zone_t *zone) {
- /*
- * 'zone' locked by caller.
- */
-
- REQUIRE(LOCKED_ZONE(zone));
-
- dns_zone_log(zone, ISC_LOG_WARNING, "expired");
-
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
- zone->refresh = DNS_ZONE_DEFAULTREFRESH;
- zone->retry = DNS_ZONE_DEFAULTRETRY;
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- zone_unload(zone);
-}
-
-void
-dns_zone_refresh(dns_zone_t *zone) {
- isc_interval_t i;
- isc_uint32_t oldflags;
- unsigned int j;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- return;
-
- /*
- * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
- * in progress at a time.
- */
-
- LOCK_ZONE(zone);
- oldflags = zone->flags;
- if (zone->masterscnt == 0) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOMASTERS);
- if ((oldflags & DNS_ZONEFLG_NOMASTERS) == 0)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "cannot refresh: no masters");
- goto unlock;
- }
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- if ((oldflags & (DNS_ZONEFLG_REFRESH|DNS_ZONEFLG_LOADING)) != 0)
- goto unlock;
-
- /*
- * Set the next refresh time as if refresh check has failed.
- * Setting this to the retry time will do that. XXXMLG
- * If we are successful it will be reset using zone->refresh.
- */
- isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4),
- 0);
- isc_time_nowplusinterval(&zone->refreshtime, &i);
-
- /*
- * When lacking user-specified timer values from the SOA,
- * do exponential backoff of the retry time up to a
- * maximum of six hours.
- */
- if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
- zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
-
- zone->curmaster = 0;
- for (j = 0; j < zone->masterscnt; j++)
- zone->mastersok[j] = ISC_FALSE;
- /* initiate soa query */
- queue_soa_query(zone);
- unlock:
- UNLOCK_ZONE(zone);
-}
-
-isc_result_t
-dns_zone_flush(dns_zone_t *zone) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_boolean_t dumping;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- zone->masterfile != NULL) {
- result = ISC_R_ALREADYRUNNING;
- dumping = was_dumping(zone);
- } else
- dumping = ISC_TRUE;
- UNLOCK_ZONE(zone);
- if (!dumping)
- result = zone_dump(zone, ISC_FALSE); /* Unknown task. */
- return (result);
-}
-
-isc_result_t
-dns_zone_dump(dns_zone_t *zone) {
- isc_result_t result = ISC_R_ALREADYRUNNING;
- isc_boolean_t dumping;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- dumping = was_dumping(zone);
- UNLOCK_ZONE(zone);
- if (!dumping)
- result = zone_dump(zone, ISC_FALSE); /* Unknown task. */
- return (result);
-}
-
-static void
-zone_needdump(dns_zone_t *zone, unsigned int delay) {
- isc_time_t dumptime;
- isc_time_t now;
-
- /*
- * 'zone' locked by caller
- */
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
-
- /*
- * Do we have a place to dump to and are we loaded?
- */
- if (zone->masterfile == NULL ||
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
- return;
-
- TIME_NOW(&now);
- /* add some noise */
- DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
-
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- if (isc_time_isepoch(&zone->dumptime) ||
- isc_time_compare(&zone->dumptime, &dumptime) > 0)
- zone->dumptime = dumptime;
- if (zone->task != NULL)
- zone_settimer(zone, &now);
-}
-
-static void
-dump_done(void *arg, isc_result_t result) {
- const char me[] = "dump_done";
- dns_zone_t *zone = arg;
- dns_db_t *db;
- dns_dbversion_t *version;
- isc_boolean_t again = ISC_FALSE;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- ENTER;
-
- if (result == ISC_R_SUCCESS && zone->journal != NULL &&
- zone->journalsize != -1) {
- isc_uint32_t serial;
- isc_result_t tresult;
-
- /*
- * We don't own these, zone->dctx must stay valid.
- */
- db = dns_dumpctx_db(zone->dctx);
- version = dns_dumpctx_version(zone->dctx);
-
- tresult = dns_db_getsoaserial(db, version, &serial);
- if (tresult == ISC_R_SUCCESS) {
- tresult = dns_journal_compact(zone->mctx,
- zone->journal,
- serial,
- zone->journalsize);
- switch (tresult) {
- case ISC_R_SUCCESS:
- case ISC_R_NOSPACE:
- case ISC_R_NOTFOUND:
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "dns_journal_compact: %s",
- dns_result_totext(tresult));
- break;
- default:
- dns_zone_log(zone, ISC_LOG_ERROR,
- "dns_journal_compact failed: %s",
- dns_result_totext(tresult));
- break;
- }
- }
- }
-
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
- if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
- /*
- * Try again in a short while.
- */
- zone_needdump(zone, DNS_DUMP_DELAY);
- } else if (result == ISC_R_SUCCESS &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
- isc_time_settoepoch(&zone->dumptime);
- again = ISC_TRUE;
- } else if (result == ISC_R_SUCCESS)
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
-
- if (zone->dctx != NULL)
- dns_dumpctx_detach(&zone->dctx);
- zonemgr_putio(&zone->writeio);
- UNLOCK_ZONE(zone);
- if (again)
- (void)zone_dump(zone, ISC_FALSE);
- dns_zone_idetach(&zone);
-}
-
-static isc_result_t
-zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
- const char me[] = "zone_dump";
- isc_result_t result;
- dns_dbversion_t *version = NULL;
- isc_boolean_t again;
- dns_db_t *db = NULL;
- char *masterfile = NULL;
-
-/*
- * 'compact' MUST only be set if we are task locked.
- */
-
- REQUIRE(DNS_ZONE_VALID(zone));
- ENTER;
-
- redo:
- LOCK_ZONE(zone);
- if (zone->db != NULL)
- dns_db_attach(zone->db, &db);
- if (zone->masterfile != NULL)
- masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
- UNLOCK_ZONE(zone);
- if (db == NULL) {
- result = DNS_R_NOTLOADED;
- goto fail;
- }
- if (masterfile == NULL) {
- result = DNS_R_NOMASTERFILE;
- goto fail;
- }
-
- if (compact) {
- dns_zone_t *dummy = NULL;
- LOCK_ZONE(zone);
- zone_iattach(zone, &dummy);
- result = zonemgr_getio(zone->zmgr, ISC_FALSE, zone->task,
- zone_gotwritehandle, zone,
- &zone->writeio);
- if (result != ISC_R_SUCCESS)
- zone_idetach(&dummy);
- else
- result = DNS_R_CONTINUE;
- UNLOCK_ZONE(zone);
- } else {
- dns_db_currentversion(db, &version);
- result = dns_master_dump(zone->mctx, db, version,
- &dns_master_style_default,
- masterfile);
- dns_db_closeversion(db, &version, ISC_FALSE);
- }
- fail:
- if (db != NULL)
- dns_db_detach(&db);
- if (masterfile != NULL)
- isc_mem_free(zone->mctx, masterfile);
- masterfile = NULL;
-
- if (result == DNS_R_CONTINUE)
- return (ISC_R_SUCCESS); /* XXXMPA */
-
- again = ISC_FALSE;
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
- if (result != ISC_R_SUCCESS) {
- /*
- * Try again in a short while.
- */
- zone_needdump(zone, DNS_DUMP_DELAY);
- } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
- isc_time_settoepoch(&zone->dumptime);
- again = ISC_TRUE;
- } else
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
- UNLOCK_ZONE(zone);
- if (again)
- goto redo;
-
- return (result);
-}
-
-static isc_result_t
-dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style) {
- isc_result_t result;
- dns_dbversion_t *version = NULL;
- dns_db_t *db = NULL;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->db != NULL)
- dns_db_attach(zone->db, &db);
- UNLOCK_ZONE(zone);
- if (db == NULL)
- return (DNS_R_NOTLOADED);
-
- dns_db_currentversion(db, &version);
- result = dns_master_dumptostream(zone->mctx, db, version, style, fd);
- dns_db_closeversion(db, &version, ISC_FALSE);
- dns_db_detach(&db);
- return (result);
-}
-
-isc_result_t
-dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
- return dumptostream(zone, fd, &dns_master_style_default);
-}
-
-isc_result_t
-dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd) {
- return dumptostream(zone, fd, &dns_master_style_full);
-}
-
-void
-dns_zone_unload(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- zone_unload(zone);
- UNLOCK_ZONE(zone);
-}
-
-static void
-notify_cancel(dns_zone_t *zone) {
- dns_notify_t *notify;
-
- /*
- * 'zone' locked by caller.
- */
-
- REQUIRE(LOCKED_ZONE(zone));
-
- for (notify = ISC_LIST_HEAD(zone->notifies);
- notify != NULL;
- notify = ISC_LIST_NEXT(notify, link)) {
- if (notify->find != NULL)
- dns_adb_cancelfind(notify->find);
- if (notify->request != NULL)
- dns_request_cancel(notify->request);
- }
-}
-
-static void
-zone_unload(dns_zone_t *zone) {
-
- /*
- * 'zone' locked by caller.
- */
-
- REQUIRE(LOCKED_ZONE(zone));
-
- dns_db_detach(&zone->db);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
-}
-
-void
-dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
-
- zone->minrefresh = val;
-}
-
-void
-dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
-
- zone->maxrefresh = val;
-}
-
-void
-dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
-
- zone->minretry = val;
-}
-
-void
-dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(val > 0);
-
- zone->maxretry = val;
-}
-
-static isc_boolean_t
-notify_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr) {
- dns_notify_t *notify;
-
- for (notify = ISC_LIST_HEAD(zone->notifies);
- notify != NULL;
- notify = ISC_LIST_NEXT(notify, link)) {
- if (notify->request != NULL)
- continue;
- if (name != NULL && dns_name_dynamic(&notify->ns) &&
- dns_name_equal(name, &notify->ns))
- return (ISC_TRUE);
- if (addr != NULL && isc_sockaddr_equal(addr, &notify->dst))
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
-}
-
-static void
-notify_destroy(dns_notify_t *notify, isc_boolean_t locked) {
- isc_mem_t *mctx;
-
- /*
- * Caller holds zone lock.
- */
- REQUIRE(DNS_NOTIFY_VALID(notify));
-
- if (notify->zone != NULL) {
- if (!locked)
- LOCK_ZONE(notify->zone);
- REQUIRE(LOCKED_ZONE(notify->zone));
- if (ISC_LINK_LINKED(notify, link))
- ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
- if (!locked)
- UNLOCK_ZONE(notify->zone);
- if (locked)
- zone_idetach(&notify->zone);
- else
- dns_zone_idetach(&notify->zone);
- }
- if (notify->find != NULL)
- dns_adb_destroyfind(&notify->find);
- if (notify->request != NULL)
- dns_request_destroy(&notify->request);
- if (dns_name_dynamic(&notify->ns))
- dns_name_free(&notify->ns, notify->mctx);
- mctx = notify->mctx;
- isc_mem_put(notify->mctx, notify, sizeof(*notify));
- isc_mem_detach(&mctx);
-}
-
-static isc_result_t
-notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
- dns_notify_t *notify;
-
- REQUIRE(notifyp != NULL && *notifyp == NULL);
-
- notify = isc_mem_get(mctx, sizeof(*notify));
- if (notify == NULL)
- return (ISC_R_NOMEMORY);
-
- notify->mctx = NULL;
- isc_mem_attach(mctx, &notify->mctx);
- notify->flags = flags;
- notify->zone = NULL;
- notify->find = NULL;
- notify->request = NULL;
- isc_sockaddr_any(&notify->dst);
- dns_name_init(&notify->ns, NULL);
- ISC_LINK_INIT(notify, link);
- notify->magic = NOTIFY_MAGIC;
- *notifyp = notify;
- return (ISC_R_SUCCESS);
-}
-
-/*
- * XXXAG should check for DNS_ZONEFLG_EXITING
- */
-static void
-process_adb_event(isc_task_t *task, isc_event_t *ev) {
- dns_notify_t *notify;
- isc_eventtype_t result;
-
- UNUSED(task);
-
- notify = ev->ev_arg;
- REQUIRE(DNS_NOTIFY_VALID(notify));
- INSIST(task == notify->zone->task);
- result = ev->ev_type;
- isc_event_free(&ev);
- if (result == DNS_EVENT_ADBMOREADDRESSES) {
- dns_adb_destroyfind(&notify->find);
- notify_find_address(notify);
- return;
- }
- if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
- LOCK_ZONE(notify->zone);
- notify_send(notify);
- UNLOCK_ZONE(notify->zone);
- }
- notify_destroy(notify, ISC_FALSE);
-}
-
-static void
-notify_find_address(dns_notify_t *notify) {
- isc_result_t result;
- unsigned int options;
-
- REQUIRE(DNS_NOTIFY_VALID(notify));
- options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET |
- DNS_ADBFIND_INET6 | DNS_ADBFIND_RETURNLAME;
-
- if (notify->zone->view->adb == NULL)
- goto destroy;
-
- result = dns_adb_createfind(notify->zone->view->adb,
- notify->zone->task,
- process_adb_event, notify,
- &notify->ns, dns_rootname,
- options, 0, NULL,
- notify->zone->view->dstport,
- &notify->find);
-
- /* Something failed? */
- if (result != ISC_R_SUCCESS)
- goto destroy;
-
- /* More addresses pending? */
- if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0)
- return;
-
- /* We have as many addresses as we can get. */
- LOCK_ZONE(notify->zone);
- notify_send(notify);
- UNLOCK_ZONE(notify->zone);
-
- destroy:
- notify_destroy(notify, ISC_FALSE);
-}
-
-
-static isc_result_t
-notify_send_queue(dns_notify_t *notify) {
- isc_event_t *e;
- isc_result_t result;
-
- e = isc_event_allocate(notify->mctx, NULL,
- DNS_EVENT_NOTIFYSENDTOADDR,
- notify_send_toaddr,
- notify, sizeof(isc_event_t));
- if (e == NULL)
- return (ISC_R_NOMEMORY);
- e->ev_arg = notify;
- e->ev_sender = NULL;
- result = isc_ratelimiter_enqueue(notify->zone->zmgr->rl,
- notify->zone->task, &e);
- if (result != ISC_R_SUCCESS)
- isc_event_free(&e);
- return (result);
-}
-
-static void
-notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
- dns_notify_t *notify;
- isc_result_t result;
- dns_message_t *message = NULL;
- isc_netaddr_t dstip;
- dns_tsigkey_t *key = NULL;
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- isc_sockaddr_t src;
- int timeout;
-
- notify = event->ev_arg;
- REQUIRE(DNS_NOTIFY_VALID(notify));
-
- UNUSED(task);
-
- LOCK_ZONE(notify->zone);
-
- if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0) {
- result = ISC_R_CANCELED;
- goto cleanup;
- }
-
- if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
- DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
- notify->zone->view->requestmgr == NULL ||
- notify->zone->db == NULL) {
- result = ISC_R_CANCELED;
- goto cleanup;
- }
-
- /*
- * The raw IPv4 address should also exist. Don't send to the
- * mapped form.
- */
- if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
- IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr)) {
- isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
- notify_log(notify->zone, ISC_LOG_DEBUG(3),
- "notify: ignoring IPv6 mapped IPV4 address: %s",
- addrbuf);
- result = ISC_R_CANCELED;
- goto cleanup;
- }
-
- result = notify_createmessage(notify->zone, notify->flags, &message);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- isc_netaddr_fromsockaddr(&dstip, &notify->dst);
- (void)dns_view_getpeertsig(notify->zone->view, &dstip, &key);
-
- isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
- notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s",
- addrbuf);
- switch (isc_sockaddr_pf(&notify->dst)) {
- case PF_INET:
- src = notify->zone->notifysrc4;
- break;
- case PF_INET6:
- src = notify->zone->notifysrc6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup_key;
- }
- timeout = 15;
- if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY))
- timeout = 30;
- result = dns_request_createvia2(notify->zone->view->requestmgr,
- message, &src, &notify->dst, 0, key,
- timeout * 3, timeout,
- notify->zone->task, notify_done,
- notify, &notify->request);
- cleanup_key:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- dns_message_destroy(&message);
- cleanup:
- UNLOCK_ZONE(notify->zone);
- if (result != ISC_R_SUCCESS)
- notify_destroy(notify, ISC_FALSE);
- isc_event_free(&event);
-}
-
-static void
-notify_send(dns_notify_t *notify) {
- dns_adbaddrinfo_t *ai;
- isc_sockaddr_t dst;
- isc_result_t result;
- dns_notify_t *new = NULL;
-
- /*
- * Zone lock held by caller.
- */
- REQUIRE(DNS_NOTIFY_VALID(notify));
- REQUIRE(LOCKED_ZONE(notify->zone));
-
- for (ai = ISC_LIST_HEAD(notify->find->list);
- ai != NULL;
- ai = ISC_LIST_NEXT(ai, publink)) {
- dst = ai->sockaddr;
- if (notify_isqueued(notify->zone, NULL, &dst))
- continue;
- new = NULL;
- result = notify_create(notify->mctx,
- (notify->flags & DNS_NOTIFY_NOSOA),
- &new);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- zone_iattach(notify->zone, &new->zone);
- ISC_LIST_APPEND(new->zone->notifies, new, link);
- new->dst = dst;
- result = notify_send_queue(new);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- new = NULL;
- }
-
- cleanup:
- if (new != NULL)
- notify_destroy(new, ISC_TRUE);
-}
-
-void
-dns_zone_notify(dns_zone_t *zone) {
- isc_time_t now;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-
- TIME_NOW(&now);
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
-}
-
-static void
-zone_notify(dns_zone_t *zone) {
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_name_t *origin = NULL;
- dns_name_t master;
- dns_rdata_ns_t ns;
- dns_rdata_soa_t soa;
- isc_uint32_t serial;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdataset_t nsrdset;
- dns_rdataset_t soardset;
- isc_result_t result;
- dns_notify_t *notify = NULL;
- unsigned int i;
- isc_sockaddr_t dst;
- isc_boolean_t isqueued;
- dns_notifytype_t notifytype;
- unsigned int flags = 0;
- isc_boolean_t loggednotify = ISC_FALSE;
- dns_db_t *db = NULL;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- notifytype = zone->notifytype;
- UNLOCK_ZONE(zone);
-
- if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
- return;
-
- if (notifytype == dns_notifytype_no)
- return;
-
- LOCK_ZONE(zone);
- if (zone->db != NULL)
- dns_db_attach(zone->db, &db);
- UNLOCK_ZONE(zone);
- if (db == NULL)
- return;
-
- origin = &zone->origin;
-
- /*
- * If the zone is dialup we are done as we don't want to send
- * the current soa so as to force a refresh query.
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
- flags |= DNS_NOTIFY_NOSOA;
-
- /*
- * Get SOA RRset.
- */
- dns_db_currentversion(db, &version);
- result = dns_db_findnode(db, origin, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto cleanup1;
-
- dns_rdataset_init(&soardset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
- dns_rdatatype_none, 0, &soardset, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup2;
-
- /*
- * Find serial and master server's name.
- */
- dns_name_init(&master, NULL);
- result = dns_rdataset_first(&soardset);
- if (result != ISC_R_SUCCESS)
- goto cleanup3;
- dns_rdataset_current(&soardset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- result = dns_name_dup(&soa.origin, zone->mctx, &master);
- serial = soa.serial;
- dns_rdataset_disassociate(&soardset);
- if (result != ISC_R_SUCCESS)
- goto cleanup3;
-
- /*
- * Enqueue notify requests for 'also-notify' servers.
- */
- LOCK_ZONE(zone);
- for (i = 0; i < zone->notifycnt; i++) {
- dst = zone->notify[i];
- if (notify_isqueued(zone, NULL, &dst))
- continue;
- result = notify_create(zone->mctx, flags, &notify);
- if (result != ISC_R_SUCCESS)
- continue;
- zone_iattach(zone, &notify->zone);
- notify->dst = dst;
- ISC_LIST_APPEND(zone->notifies, notify, link);
- result = notify_send_queue(notify);
- if (result != ISC_R_SUCCESS)
- notify_destroy(notify, ISC_TRUE);
- if (!loggednotify) {
- notify_log(zone, ISC_LOG_INFO,
- "sending notifies (serial %u)",
- serial);
- loggednotify = ISC_TRUE;
- }
- notify = NULL;
- }
- UNLOCK_ZONE(zone);
-
- if (notifytype == dns_notifytype_explicit)
- goto cleanup3;
-
- /*
- * Process NS RRset to generate notifies.
- */
-
- dns_rdataset_init(&nsrdset);
- result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
- dns_rdatatype_none, 0, &nsrdset, NULL);
- if (result != ISC_R_SUCCESS)
- goto cleanup3;
-
- result = dns_rdataset_first(&nsrdset);
- while (result == ISC_R_SUCCESS) {
- dns_rdataset_current(&nsrdset, &rdata);
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- /*
- * don't notify the master server.
- */
- if (dns_name_compare(&master, &ns.name) == 0) {
- result = dns_rdataset_next(&nsrdset);
- continue;
- }
-
- if (!loggednotify) {
- notify_log(zone, ISC_LOG_INFO,
- "sending notifies (serial %u)",
- serial);
- loggednotify = ISC_TRUE;
- }
-
- LOCK_ZONE(zone);
- isqueued = notify_isqueued(zone, &ns.name, NULL);
- UNLOCK_ZONE(zone);
- if (isqueued) {
- result = dns_rdataset_next(&nsrdset);
- continue;
- }
- result = notify_create(zone->mctx, flags, &notify);
- if (result != ISC_R_SUCCESS)
- continue;
- dns_zone_iattach(zone, &notify->zone);
- result = dns_name_dup(&ns.name, zone->mctx, &notify->ns);
- if (result != ISC_R_SUCCESS) {
- LOCK_ZONE(zone);
- notify_destroy(notify, ISC_TRUE);
- UNLOCK_ZONE(zone);
- continue;
- }
- LOCK_ZONE(zone);
- ISC_LIST_APPEND(zone->notifies, notify, link);
- UNLOCK_ZONE(zone);
- notify_find_address(notify);
- notify = NULL;
- result = dns_rdataset_next(&nsrdset);
- }
- dns_rdataset_disassociate(&nsrdset);
-
- cleanup3:
- if (dns_name_dynamic(&master))
- dns_name_free(&master, zone->mctx);
- cleanup2:
- dns_db_detachnode(db, &node);
- cleanup1:
- dns_db_closeversion(db, &version, ISC_FALSE);
- dns_db_detach(&db);
-}
-
-/***
- *** Private
- ***/
-
-static inline isc_result_t
-save_nsrrset(dns_message_t *message, dns_name_t *name,
- dns_db_t *db, dns_dbversion_t *version)
-{
- dns_rdataset_t *nsrdataset = NULL;
- dns_rdataset_t *rdataset = NULL;
- dns_dbnode_t *node = NULL;
- dns_rdata_ns_t ns;
- isc_result_t result;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- /*
- * Extract NS RRset from message.
- */
- result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
- dns_rdatatype_ns, dns_rdatatype_none,
- NULL, &nsrdataset);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- /*
- * Add NS rdataset.
- */
- result = dns_db_findnode(db, name, ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = dns_db_addrdataset(db, node, version, 0,
- nsrdataset, 0, NULL);
- dns_db_detachnode(db, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- /*
- * Add glue rdatasets.
- */
- for (result = dns_rdataset_first(nsrdataset);
- result == ISC_R_SUCCESS;
- result = dns_rdataset_next(nsrdataset)) {
- dns_rdataset_current(nsrdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &ns, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- dns_rdata_reset(&rdata);
- if (!dns_name_issubdomain(&ns.name, name))
- continue;
- rdataset = NULL;
- result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
- &ns.name, dns_rdatatype_aaaa,
- dns_rdatatype_none, NULL,
- &rdataset);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_findnode(db, &ns.name,
- ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = dns_db_addrdataset(db, node, version, 0,
- rdataset, 0, NULL);
- dns_db_detachnode(db, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- }
- rdataset = NULL;
- result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
- &ns.name, dns_rdatatype_a,
- dns_rdatatype_none, NULL,
- &rdataset);
- if (result == ISC_R_SUCCESS) {
- result = dns_db_findnode(db, &ns.name,
- ISC_TRUE, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = dns_db_addrdataset(db, node, version, 0,
- rdataset, 0, NULL);
- dns_db_detachnode(db, &node);
- if (result != ISC_R_SUCCESS)
- goto fail;
- }
- }
- if (result != ISC_R_NOMORE)
- goto fail;
-
- return (ISC_R_SUCCESS);
-
-fail:
- return (result);
-}
-
-static void
-stub_callback(isc_task_t *task, isc_event_t *event) {
- const char me[] = "stub_callback";
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_stub_t *stub = NULL;
- dns_message_t *msg = NULL;
- dns_zone_t *zone = NULL;
- char master[ISC_SOCKADDR_FORMATSIZE];
- char source[ISC_SOCKADDR_FORMATSIZE];
- isc_uint32_t nscnt, cnamecnt;
- isc_result_t result;
- isc_time_t now;
- isc_boolean_t exiting = ISC_FALSE;
- isc_interval_t i;
- unsigned int j;
-
- stub = revent->ev_arg;
- INSIST(DNS_STUB_VALID(stub));
-
- UNUSED(task);
-
- zone = stub->zone;
-
- ENTER;
-
- TIME_NOW(&now);
-
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- zone_debuglog(zone, me, 1, "exiting");
- exiting = ISC_TRUE;
- goto next_master;
- }
-
- isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
- isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
-
- if (revent->result != ISC_R_SUCCESS) {
- if (revent->result == ISC_R_TIMEDOUT &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- UNLOCK_ZONE(zone);
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refreshing stub: timeout retrying "
- " without EDNS master %s (source %s)",
- master, source);
- goto same_master;
- }
- dns_zone_log(zone, ISC_LOG_INFO,
- "could not refresh stub from master %s"
- " (source %s): %s", master, source,
- dns_result_totext(revent->result));
- goto next_master;
- }
-
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
- if (result != ISC_R_SUCCESS)
- goto next_master;
-
- result = dns_request_getresponse(revent->request, msg, 0);
- if (result != ISC_R_SUCCESS)
- goto next_master;
-
- /*
- * Unexpected rcode.
- */
- if (msg->rcode != dns_rcode_noerror) {
- char rcode[128];
- isc_buffer_t rb;
-
- isc_buffer_init(&rb, rcode, sizeof(rcode));
- (void)dns_rcode_totext(msg->rcode, &rb);
-
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
- (msg->rcode == dns_rcode_servfail ||
- msg->rcode == dns_rcode_notimp ||
- msg->rcode == dns_rcode_formerr)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refreshing stub: rcode (%.*s) retrying "
- "without EDNS master %s (source %s)",
- (int)rb.used, rcode, master, source);
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- UNLOCK_ZONE(zone);
- goto same_master;
- }
-
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: "
- "unexpected rcode (%.*s) from %s (source %s)",
- (int)rb.used, rcode, master, source);
- goto next_master;
- }
-
- /*
- * We need complete messages.
- */
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
- if (dns_request_usedtcp(revent->request)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: truncated TCP "
- "response from master %s (source %s)",
- master, source);
- goto next_master;
- }
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
- UNLOCK_ZONE(zone);
- goto same_master;
- }
-
- /*
- * If non-auth log and next master.
- */
- if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
- dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
- "non-authoritative answer from "
- "master %s (source %s)", master, source);
- goto next_master;
- }
-
- /*
- * Sanity checks.
- */
- cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
- nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns);
-
- if (cnamecnt != 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: unexpected CNAME response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
-
- if (nscnt == 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: no NS records in response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
-
- /*
- * Save answer.
- */
- result = save_nsrrset(msg, &zone->origin, stub->db, stub->version);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: unable to save NS records "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
-
- /*
- * Tidy up.
- */
- dns_db_closeversion(stub->db, &stub->version, ISC_TRUE);
- LOCK_ZONE(zone);
- if (zone->db == NULL)
- dns_db_attach(stub->db, &zone->db);
- UNLOCK_ZONE(zone);
- dns_db_detach(&stub->db);
-
- if (zone->masterfile != NULL) {
- dns_zone_dump(zone);
- TIME_NOW(&zone->loadtime);
- }
-
- dns_message_destroy(&msg);
- isc_event_free(&event);
- LOCK_ZONE(zone);
- dns_request_destroy(&zone->request);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
- isc_interval_set(&i, zone->expire, 0);
- DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
- goto free_stub;
-
- next_master:
- if (stub->version != NULL)
- dns_db_closeversion(stub->db, &stub->version, ISC_FALSE);
- if (stub->db != NULL)
- dns_db_detach(&stub->db);
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- LOCK_ZONE(zone);
- dns_request_destroy(&zone->request);
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
- if (exiting || zone->curmaster >= zone->masterscnt) {
- isc_boolean_t done = ISC_TRUE;
- if (!exiting &&
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- /*
- * Did we get a good answer from all the masters?
- */
- for (j = 0; j < zone->masterscnt; j++)
- if (zone->mastersok[j] == ISC_FALSE) {
- done = ISC_FALSE;
- break;
- }
- } else
- done = ISC_TRUE;
- if (!done) {
- zone->curmaster = 0;
- /*
- * Find the next failed master.
- */
- while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster])
- zone->curmaster++;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- } else {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
- goto free_stub;
- }
- }
- queue_soa_query(zone);
- UNLOCK_ZONE(zone);
- goto free_stub;
-
- same_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- LOCK_ZONE(zone);
- dns_request_destroy(&zone->request);
- UNLOCK_ZONE(zone);
- ns_query(zone, NULL, stub);
- goto done;
-
- free_stub:
- stub->magic = 0;
- dns_zone_idetach(&stub->zone);
- INSIST(stub->db == NULL);
- INSIST(stub->version == NULL);
- isc_mem_put(stub->mctx, stub, sizeof(*stub));
-
- done:
- INSIST(event == NULL);
- return;
-}
-
-/*
- * An SOA query has finished (successfully or not).
- */
-static void
-refresh_callback(isc_task_t *task, isc_event_t *event) {
- const char me[] = "refresh_callback";
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_zone_t *zone;
- dns_message_t *msg = NULL;
- isc_uint32_t soacnt, cnamecnt, soacount, nscount;
- isc_time_t now;
- char master[ISC_SOCKADDR_FORMATSIZE];
- char source[ISC_SOCKADDR_FORMATSIZE];
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_soa_t soa;
- isc_result_t result;
- isc_uint32_t serial;
- unsigned int j;
-
- zone = revent->ev_arg;
- INSIST(DNS_ZONE_VALID(zone));
-
- UNUSED(task);
-
- ENTER;
-
- /*
- * if timeout log and next master;
- */
-
- isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
- isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
-
- TIME_NOW(&now);
-
- if (revent->result != ISC_R_SUCCESS) {
- if (revent->result == ISC_R_TIMEDOUT &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- UNLOCK_ZONE(zone);
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refresh: timeout retrying without EDNS "
- "master %s (source %s)", master, source);
- goto same_master;
- }
- if (revent->result == ISC_R_TIMEDOUT &&
- !dns_request_usedtcp(revent->request)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: retry limit for "
- "master %s exceeded (source %s)",
- master, source);
- /* Try with slave with TCP. */
- if (zone->type == dns_zone_slave)
- goto tcp_transfer;
- } else
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: failure trying master "
- "%s (source %s): %s", master, source,
- dns_result_totext(revent->result));
- goto next_master;
- }
-
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
- if (result != ISC_R_SUCCESS)
- goto next_master;
- result = dns_request_getresponse(revent->request, msg, 0);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: failure trying master "
- "%s (source %s): %s", master, source,
- dns_result_totext(result));
- goto next_master;
- }
-
- /*
- * Unexpected rcode.
- */
- if (msg->rcode != dns_rcode_noerror) {
- char rcode[128];
- isc_buffer_t rb;
-
- isc_buffer_init(&rb, rcode, sizeof(rcode));
- (void)dns_rcode_totext(msg->rcode, &rb);
-
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
- (msg->rcode == dns_rcode_servfail ||
- msg->rcode == dns_rcode_notimp ||
- msg->rcode == dns_rcode_formerr)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "refresh: rcode (%.*s) retrying without "
- "EDNS master %s (source %s)",
- (int)rb.used, rcode, master, source);
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- UNLOCK_ZONE(zone);
- goto same_master;
- }
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: unexpected rcode (%.*s) from "
- "master %s (source %s)", (int)rb.used, rcode,
- master, source);
- /*
- * Perhaps AXFR/IXFR is allowed even if SOA queries arn't.
- */
- if (msg->rcode == dns_rcode_refused &&
- zone->type == dns_zone_slave)
- goto tcp_transfer;
- goto next_master;
- }
-
- /*
- * If truncated punt to zone transfer which will query again.
- */
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
- if (zone->type == dns_zone_slave) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: truncated UDP answer, "
- "initiating TCP zone xfer "
- "for master %s (source %s)",
- master, source);
- goto tcp_transfer;
- } else {
- INSIST(zone->type == dns_zone_stub);
- if (dns_request_usedtcp(revent->request)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: truncated TCP response "
- "from master %s (source %s)",
- master, source);
- goto next_master;
- }
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
- UNLOCK_ZONE(zone);
- goto same_master;
- }
- }
-
- /*
- * if non-auth log and next master;
- */
- if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: non-authoritative answer from "
- "master %s (source %s)", master, source);
- goto next_master;
- }
-
- cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
- soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
- nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
- soacount = message_count(msg, DNS_SECTION_AUTHORITY,
- dns_rdatatype_soa);
-
- /*
- * There should not be a CNAME record at top of zone.
- */
- if (cnamecnt != 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: CNAME at top of zone "
- "in master %s (source %s)", master, source);
- goto next_master;
- }
-
- /*
- * if referral log and next master;
- */
- if (soacnt == 0 && soacount == 0 && nscount != 0) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: referral response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
-
- /*
- * if nodata log and next master;
- */
- if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: NODATA response "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
-
- /*
- * Only one soa at top of zone.
- */
- if (soacnt != 1) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: answer SOA count (%d) != 1 "
- "from master %s (source %s)",
- soacnt, master, source);
- goto next_master;
- }
- /*
- * Extract serial
- */
- rdataset = NULL;
- result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
- dns_rdatatype_soa, dns_rdatatype_none,
- NULL, &rdataset);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: unable to get SOA record "
- "from master %s (source %s)", master, source);
- goto next_master;
- }
-
- result = dns_rdataset_first(rdataset);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refresh: dns_rdataset_first() failed");
- goto next_master;
- }
-
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
-
- serial = soa.serial;
-
- zone_debuglog(zone, me, 1, "serial: new %u, old %u",
- serial, zone->serial);
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
- isc_serial_gt(serial, zone->serial)) {
- tcp_transfer:
- isc_event_free(&event);
- LOCK_ZONE(zone);
- dns_request_destroy(&zone->request);
- UNLOCK_ZONE(zone);
- if (zone->type == dns_zone_slave) {
- queue_xfrin(zone);
- } else {
- INSIST(zone->type == dns_zone_stub);
- ns_query(zone, rdataset, NULL);
- }
- if (msg != NULL)
- dns_message_destroy(&msg);
- } else if (isc_serial_eq(soa.serial, zone->serial)) {
- if (zone->masterfile != NULL) {
- result = ISC_R_FAILURE;
- if (zone->journal != NULL)
- result = isc_file_settime(zone->journal, &now);
- if (result == ISC_R_SUCCESS &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- result = isc_file_settime(zone->masterfile,
- &now);
- } else if (result != ISC_R_SUCCESS)
- result = isc_file_settime(zone->masterfile,
- &now);
- /* Someone removed the file from underneath us! */
- if (result == ISC_R_FILENOTFOUND) {
- LOCK_ZONE(zone);
- zone_needdump(zone, DNS_DUMP_DELAY);
- UNLOCK_ZONE(zone);
- } else if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "refresh: could not set file "
- "modification time of '%s': %s",
- zone->masterfile,
- dns_result_totext(result));
- }
- DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
- DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
- zone->mastersok[zone->curmaster] = ISC_TRUE;
- goto next_master;
- } else {
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER))
- dns_zone_log(zone, ISC_LOG_INFO, "serial number (%u) "
- "received from master %s < ours (%u)",
- soa.serial, master, zone->serial);
- else
- zone_debuglog(zone, me, 1, "ahead");
- zone->mastersok[zone->curmaster] = ISC_TRUE;
- goto next_master;
- }
- if (msg != NULL)
- dns_message_destroy(&msg);
- goto detach;
-
- next_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- LOCK_ZONE(zone);
- dns_request_destroy(&zone->request);
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
- if (zone->curmaster >= zone->masterscnt) {
- isc_boolean_t done = ISC_TRUE;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- /*
- * Did we get a good answer from all the masters?
- */
- for (j = 0; j < zone->masterscnt; j++)
- if (zone->mastersok[j] == ISC_FALSE) {
- done = ISC_FALSE;
- break;
- }
- } else
- done = ISC_TRUE;
- if (!done) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- zone->curmaster = 0;
- /*
- * Find the next failed master.
- */
- while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster])
- zone->curmaster++;
- goto requeue;
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
- zone->refreshtime = now;
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- zone_settimer(zone, &now);
- UNLOCK_ZONE(zone);
- goto detach;
- }
-
- requeue:
- queue_soa_query(zone);
- UNLOCK_ZONE(zone);
- goto detach;
-
- same_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- LOCK_ZONE(zone);
- dns_request_destroy(&zone->request);
- queue_soa_query(zone);
- UNLOCK_ZONE(zone);
-
- detach:
- dns_zone_idetach(&zone);
- return;
-}
-
-static void
-queue_soa_query(dns_zone_t *zone) {
- const char me[] = "queue_soa_query";
- isc_event_t *e;
- dns_zone_t *dummy = NULL;
- isc_result_t result;
-
- ENTER;
- /*
- * Locked by caller
- */
- REQUIRE(LOCKED_ZONE(zone));
-
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- cancel_refresh(zone);
- return;
- }
-
- e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE,
- soa_query, zone, sizeof(isc_event_t));
- if (e == NULL) {
- cancel_refresh(zone);
- return;
- }
-
- /*
- * Attach so that we won't clean up
- * until the event is delivered.
- */
- zone_iattach(zone, &dummy);
-
- e->ev_arg = zone;
- e->ev_sender = NULL;
- result = isc_ratelimiter_enqueue(zone->zmgr->rl, zone->task, &e);
- if (result != ISC_R_SUCCESS) {
- zone_idetach(&dummy);
- isc_event_free(&e);
- cancel_refresh(zone);
- }
-}
-
-static inline isc_result_t
-create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
- dns_message_t **messagep)
-{
- dns_message_t *message = NULL;
- dns_name_t *qname = NULL;
- dns_rdataset_t *qrdataset = NULL;
- isc_result_t result;
-
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
- &message);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- message->opcode = dns_opcode_query;
- message->rdclass = zone->rdclass;
-
- result = dns_message_gettempname(message, &qname);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = dns_message_gettemprdataset(message, &qrdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * Make question.
- */
- dns_name_init(qname, NULL);
- dns_name_clone(&zone->origin, qname);
- dns_rdataset_init(qrdataset);
- dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
- ISC_LIST_APPEND(qname->list, qrdataset, link);
- dns_message_addname(message, qname, DNS_SECTION_QUESTION);
-
- *messagep = message;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (qname != NULL)
- dns_message_puttempname(message, &qname);
- if (qrdataset != NULL)
- dns_message_puttemprdataset(message, &qrdataset);
- if (message != NULL)
- dns_message_destroy(&message);
- return (result);
-}
-
-static isc_result_t
-add_opt(dns_message_t *message) {
- dns_rdataset_t *rdataset = NULL;
- dns_rdatalist_t *rdatalist = NULL;
- dns_rdata_t *rdata = NULL;
- isc_result_t result;
-
- result = dns_message_gettemprdatalist(message, &rdatalist);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_gettemprdata(message, &rdata);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = dns_message_gettemprdataset(message, &rdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- dns_rdataset_init(rdataset);
-
- rdatalist->type = dns_rdatatype_opt;
- rdatalist->covers = 0;
-
- /*
- * Set Maximum UDP buffer size.
- */
- rdatalist->rdclass = SEND_BUFFER_SIZE;
-
- /*
- * Set EXTENDED-RCODE, VERSION, DO and Z to 0.
- */
- rdatalist->ttl = 0;
-
- /*
- * No EDNS options.
- */
- rdata->data = NULL;
- rdata->length = 0;
- rdata->rdclass = rdatalist->rdclass;
- rdata->type = rdatalist->type;
- rdata->flags = 0;
-
- ISC_LIST_INIT(rdatalist->rdata);
- ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
- RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
- == ISC_R_SUCCESS);
-
- return (dns_message_setopt(message, rdataset));
-
- cleanup:
- if (rdatalist != NULL)
- dns_message_puttemprdatalist(message, &rdatalist);
- if (rdataset != NULL)
- dns_message_puttemprdataset(message, &rdataset);
- if (rdata != NULL)
- dns_message_puttemprdata(message, &rdata);
-
- return (result);
-}
-
-static void
-soa_query(isc_task_t *task, isc_event_t *event) {
- const char me[] = "soa_query";
- isc_result_t result = ISC_R_FAILURE;
- dns_message_t *message = NULL;
- dns_zone_t *zone = event->ev_arg;
- dns_zone_t *dummy = NULL;
- isc_netaddr_t masterip;
- dns_tsigkey_t *key = NULL;
- isc_uint32_t options;
- isc_boolean_t cancel = ISC_TRUE;
- int timeout;
- isc_boolean_t have_xfrsource;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- UNUSED(task);
-
- ENTER;
-
- LOCK_ZONE(zone);
- if (((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) ||
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
- zone->view->requestmgr == NULL) {
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- cancel = ISC_FALSE;
- goto cleanup;
- }
-
- /*
- * XXX Optimisation: Create message when zone is setup and reuse.
- */
- result = create_query(zone, dns_rdatatype_soa, &message);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- again:
- INSIST(zone->masterscnt > 0);
- INSIST(zone->curmaster < zone->masterscnt);
-
- zone->masteraddr = zone->masters[zone->curmaster];
-
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- /*
- * First, look for a tsig key in the master statement, then
- * try for a server key.
- */
- if ((zone->masterkeynames != NULL) &&
- (zone->masterkeynames[zone->curmaster] != NULL)) {
- dns_view_t *view = dns_zone_getview(zone);
- dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
- result = dns_view_gettsig(view, keyname, &key);
- if (result != ISC_R_SUCCESS) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(keyname, namebuf, sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to find key: %s", namebuf);
- }
- }
- if (key == NULL)
- (void)dns_view_getpeertsig(zone->view, &masterip, &key);
-
- have_xfrsource = ISC_FALSE;
- if (zone->view->peers != NULL) {
- dns_peer_t *peer = NULL;
- isc_boolean_t edns;
- result = dns_peerlist_peerbyaddr(zone->view->peers,
- &masterip, &peer);
- if (result == ISC_R_SUCCESS) {
- result = dns_peer_getsupportedns(peer, &edns);
- if (result == ISC_R_SUCCESS && !edns)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- result = dns_peer_gettransfersource(peer,
- &zone->sourceaddr);
- if (result == ISC_R_SUCCESS)
- have_xfrsource = ISC_TRUE;
- }
- }
-
- switch (isc_sockaddr_pf(&zone->masteraddr)) {
- case PF_INET:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- if (isc_sockaddr_equal(&zone->altxfrsource4,
- &zone->xfrsource4))
- goto skip_master;
- zone->sourceaddr = zone->altxfrsource4;
- } else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource4;
- break;
- case PF_INET6:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- if (isc_sockaddr_equal(&zone->altxfrsource6,
- &zone->xfrsource6))
- goto skip_master;
- zone->sourceaddr = zone->altxfrsource6;
- } else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup;
- }
-
- options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ?
- DNS_REQUESTOPT_TCP : 0;
-
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- result = add_opt(message);
- if (result != ISC_R_SUCCESS)
- zone_debuglog(zone, me, 1,
- "unable to add opt record: %s",
- dns_result_totext(result));
- }
-
- zone_iattach(zone, &dummy);
- timeout = 15;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
- timeout = 30;
- result = dns_request_createvia2(zone->view->requestmgr, message,
- &zone->sourceaddr, &zone->masteraddr,
- options, key, timeout * 3, timeout,
- zone->task, refresh_callback, zone,
- &zone->request);
- if (result != ISC_R_SUCCESS) {
- zone_idetach(&dummy);
- zone_debuglog(zone, me, 1,
- "dns_request_createvia2() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- cancel = ISC_FALSE;
-
- cleanup:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- if (result != ISC_R_SUCCESS)
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- if (message != NULL)
- dns_message_destroy(&message);
- if (cancel)
- cancel_refresh(zone);
- isc_event_free(&event);
- UNLOCK_ZONE(zone);
- dns_zone_idetach(&zone);
- return;
-
- skip_master:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- if (zone->curmaster < zone->masterscnt)
- goto again;
- zone->curmaster = 0;
- goto cleanup;
-}
-
-static void
-ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
- const char me[] = "ns_query";
- isc_result_t result;
- dns_message_t *message = NULL;
- isc_netaddr_t masterip;
- dns_tsigkey_t *key = NULL;
- dns_dbnode_t *node = NULL;
- int timeout;
- isc_boolean_t have_xfrsource = ISC_FALSE;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE((soardataset != NULL && stub == NULL) ||
- (soardataset == NULL && stub != NULL));
- REQUIRE(stub == NULL || DNS_STUB_VALID(stub));
-
- ENTER;
-
- LOCK_ZONE(zone);
- if (stub == NULL) {
- stub = isc_mem_get(zone->mctx, sizeof(*stub));
- if (stub == NULL)
- goto cleanup;
- stub->magic = STUB_MAGIC;
- stub->mctx = zone->mctx;
- stub->zone = NULL;
- stub->db = NULL;
- stub->version = NULL;
-
- /*
- * Attach so that the zone won't disappear from under us.
- */
- zone_iattach(zone, &stub->zone);
-
- /*
- * If a db exists we will update it, otherwise we create a
- * new one and attach it to the zone once we have the NS
- * RRset and glue.
- */
- if (zone->db != NULL)
- dns_db_attach(zone->db, &stub->db);
- else {
- INSIST(zone->db_argc >= 1);
- result = dns_db_create(zone->mctx, zone->db_argv[0],
- &zone->origin, dns_dbtype_stub,
- zone->rdclass,
- zone->db_argc - 1,
- zone->db_argv + 1,
- &stub->db);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "refreshing stub: "
- "could not create "
- "database: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- dns_db_settask(stub->db, zone->task);
- }
-
- dns_db_newversion(stub->db, &stub->version);
-
- /*
- * Update SOA record.
- */
- result = dns_db_findnode(stub->db, &zone->origin, ISC_TRUE,
- &node);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: "
- "dns_db_findnode() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
-
- result = dns_db_addrdataset(stub->db, node, stub->version, 0,
- soardataset, 0, NULL);
- dns_db_detachnode(stub->db, &node);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "refreshing stub: "
- "dns_db_addrdataset() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- }
-
- /*
- * XXX Optimisation: Create message when zone is setup and reuse.
- */
- result = create_query(zone, dns_rdatatype_ns, &message);
-
- INSIST(zone->masterscnt > 0);
- INSIST(zone->curmaster < zone->masterscnt);
- zone->masteraddr = zone->masters[zone->curmaster];
-
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- /*
- * First, look for a tsig key in the master statement, then
- * try for a server key.
- */
- if ((zone->masterkeynames != NULL) &&
- (zone->masterkeynames[zone->curmaster] != NULL)) {
- dns_view_t *view = dns_zone_getview(zone);
- dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
- result = dns_view_gettsig(view, keyname, &key);
- if (result != ISC_R_SUCCESS) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(keyname, namebuf, sizeof(namebuf));
- dns_zone_log(zone, ISC_LOG_ERROR,
- "unable to find key: %s", namebuf);
- }
- }
- if (key == NULL)
- (void)dns_view_getpeertsig(zone->view, &masterip, &key);
-
- if (zone->view->peers != NULL) {
- dns_peer_t *peer = NULL;
- isc_boolean_t edns;
- result = dns_peerlist_peerbyaddr(zone->view->peers,
- &masterip, &peer);
- if (result == ISC_R_SUCCESS) {
- result = dns_peer_getsupportedns(peer, &edns);
- if (result == ISC_R_SUCCESS && !edns)
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
- result = dns_peer_gettransfersource(peer,
- &zone->sourceaddr);
- if (result == ISC_R_SUCCESS)
- have_xfrsource = ISC_TRUE;
- }
-
- }
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
- result = add_opt(message);
- if (result != ISC_R_SUCCESS)
- zone_debuglog(zone, me, 1,
- "unable to add opt record: %s",
- dns_result_totext(result));
- }
-
- /*
- * Always use TCP so that we shouldn't truncate in additional section.
- */
- switch (isc_sockaddr_pf(&zone->masteraddr)) {
- case PF_INET:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
- zone->sourceaddr = zone->altxfrsource4;
- else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource4;
- break;
- case PF_INET6:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
- zone->sourceaddr = zone->altxfrsource6;
- else if (!have_xfrsource)
- zone->sourceaddr = zone->xfrsource6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup;
- }
- timeout = 15;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
- timeout = 30;
- result = dns_request_createvia2(zone->view->requestmgr, message,
- &zone->sourceaddr, &zone->masteraddr,
- DNS_REQUESTOPT_TCP, key, timeout * 3,
- timeout, zone->task, stub_callback,
- stub, &zone->request);
- if (result != ISC_R_SUCCESS) {
- zone_debuglog(zone, me, 1,
- "dns_request_createvia() failed: %s",
- dns_result_totext(result));
- goto cleanup;
- }
- dns_message_destroy(&message);
- goto unlock;
-
- cleanup:
- cancel_refresh(zone);
- if (stub != NULL) {
- stub->magic = 0;
- if (stub->version != NULL)
- dns_db_closeversion(stub->db, &stub->version,
- ISC_FALSE);
- if (stub->db != NULL)
- dns_db_detach(&stub->db);
- if (stub->zone != NULL)
- zone_idetach(&stub->zone);
- isc_mem_put(stub->mctx, stub, sizeof(*stub));
- }
- if (message != NULL)
- dns_message_destroy(&message);
- unlock:
- if (key != NULL)
- dns_tsigkey_detach(&key);
- UNLOCK_ZONE(zone);
- return;
-}
-
-/*
- * Handle the control event. Note that although this event causes the zone
- * to shut down, it is not a shutdown event in the sense of the task library.
- */
-static void
-zone_shutdown(isc_task_t *task, isc_event_t *event) {
- dns_zone_t *zone = (dns_zone_t *) event->ev_arg;
- isc_boolean_t free_needed, linked = ISC_FALSE;
-
- UNUSED(task);
- REQUIRE(DNS_ZONE_VALID(zone));
- INSIST(event->ev_type == DNS_EVENT_ZONECONTROL);
- INSIST(isc_refcount_current(&zone->erefs) == 0);
- zone_debuglog(zone, "zone_shutdown", 3, "shutting down");
-
- /*
- * Stop things being restarted after we cancel them below.
- */
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
- UNLOCK_ZONE(zone);
-
- /*
- * If we were waiting for xfrin quota, step out of
- * the queue.
- * If there's no zone manager, we can't be waiting for the
- * xfrin quota
- */
- if (zone->zmgr != NULL) {
- RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
- ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
- statelink);
- linked = ISC_TRUE;
- zone->statelist = NULL;
- }
- RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- }
-
- /*
- * In task context, no locking required. See zone_xfrdone().
- */
- if (zone->xfr != NULL)
- dns_xfrin_shutdown(zone->xfr);
-
- LOCK_ZONE(zone);
- if (linked) {
- INSIST(zone->irefs > 0);
- zone->irefs--;
- }
- if (zone->request != NULL) {
- dns_request_cancel(zone->request);
- }
-
- if (zone->readio != NULL)
- zonemgr_cancelio(zone->readio);
-
- if (zone->lctx != NULL)
- dns_loadctx_cancel(zone->lctx);
-
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- if (zone->writeio != NULL)
- zonemgr_cancelio(zone->writeio);
-
- if (zone->dctx != NULL)
- dns_dumpctx_cancel(zone->dctx);
- }
-
- notify_cancel(zone);
-
- if (zone->timer != NULL) {
- isc_timer_detach(&zone->timer);
- INSIST(zone->irefs > 0);
- zone->irefs--;
- }
-
- if (zone->view != NULL)
- dns_view_weakdetach(&zone->view);
-
- /*
- * We have now canceled everything set the flag to allow exit_check()
- * to succeed. We must not unlock between setting this flag and
- * calling exit_check().
- */
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
- free_needed = exit_check(zone);
- UNLOCK_ZONE(zone);
- if (free_needed)
- zone_free(zone);
-}
-
-static void
-zone_timer(isc_task_t *task, isc_event_t *event) {
- const char me[] = "zone_timer";
- dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
-
- UNUSED(task);
- REQUIRE(DNS_ZONE_VALID(zone));
-
- ENTER;
-
- zone_maintenance(zone);
-
- isc_event_free(&event);
-}
-
-static void
-zone_settimer(dns_zone_t *zone, isc_time_t *now) {
- const char me[] = "zone_settimer";
- isc_time_t next;
- isc_result_t result;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- return;
-
- isc_time_settoepoch(&next);
-
- switch (zone->type) {
- case dns_zone_master:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
- next = *now;
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- INSIST(!isc_time_isepoch(&zone->dumptime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->dumptime, &next) < 0)
- next = zone->dumptime;
- }
- break;
-
- case dns_zone_slave:
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
- next = *now;
- /*FALLTHROUGH*/
-
- case dns_zone_stub:
- if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOMASTERS) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
- INSIST(!isc_time_isepoch(&zone->refreshtime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->refreshtime, &next) < 0)
- next = zone->refreshtime;
- }
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
- INSIST(!isc_time_isepoch(&zone->expiretime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->expiretime, &next) < 0)
- next = zone->expiretime;
- }
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
- INSIST(!isc_time_isepoch(&zone->dumptime));
- if (isc_time_isepoch(&next) ||
- isc_time_compare(&zone->dumptime, &next) < 0)
- next = zone->dumptime;
- }
- break;
-
- default:
- break;
- }
-
- if (isc_time_isepoch(&next)) {
- zone_debuglog(zone, me, 10, "settimer inactive");
- result = isc_timer_reset(zone->timer, isc_timertype_inactive,
- NULL, NULL, ISC_TRUE);
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not deactivate zone timer: %s",
- isc_result_totext(result));
- } else {
- if (isc_time_compare(&next, now) <= 0)
- next = *now;
- result = isc_timer_reset(zone->timer, isc_timertype_once,
- &next, NULL, ISC_TRUE);
- if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not reset zone timer: %s",
- isc_result_totext(result));
- }
-}
-
-static void
-cancel_refresh(dns_zone_t *zone) {
- const char me[] = "cancel_refresh";
- isc_time_t now;
-
- /*
- * 'zone' locked by caller.
- */
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
-
- ENTER;
-
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
- TIME_NOW(&now);
- zone_settimer(zone, &now);
-}
-
-static isc_result_t
-notify_createmessage(dns_zone_t *zone, unsigned int flags,
- dns_message_t **messagep)
-{
- dns_dbnode_t *node = NULL;
- dns_dbversion_t *version = NULL;
- dns_message_t *message = NULL;
- dns_rdataset_t rdataset;
- dns_rdata_t rdata = DNS_RDATA_INIT;
-
- dns_name_t *tempname = NULL;
- dns_rdata_t *temprdata = NULL;
- dns_rdatalist_t *temprdatalist = NULL;
- dns_rdataset_t *temprdataset = NULL;
-
- isc_result_t result;
- isc_region_t r;
- isc_buffer_t *b = NULL;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(messagep != NULL && *messagep == NULL);
-
- message = NULL;
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
- &message);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- message->opcode = dns_opcode_notify;
- message->flags |= DNS_MESSAGEFLAG_AA;
- message->rdclass = zone->rdclass;
-
- result = dns_message_gettempname(message, &tempname);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = dns_message_gettemprdataset(message, &temprdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- /*
- * Make question.
- */
- dns_name_init(tempname, NULL);
- dns_name_clone(&zone->origin, tempname);
- dns_rdataset_init(temprdataset);
- dns_rdataset_makequestion(temprdataset, zone->rdclass,
- dns_rdatatype_soa);
- ISC_LIST_APPEND(tempname->list, temprdataset, link);
- dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
- tempname = NULL;
- temprdataset = NULL;
-
- if ((flags & DNS_NOTIFY_NOSOA) != 0)
- goto done;
-
- result = dns_message_gettempname(message, &tempname);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_message_gettemprdata(message, &temprdata);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_message_gettemprdataset(message, &temprdataset);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_message_gettemprdatalist(message, &temprdatalist);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
-
- dns_name_init(tempname, NULL);
- dns_name_clone(&zone->origin, tempname);
- dns_db_currentversion(zone->db, &version);
- result = dns_db_findnode(zone->db, tempname, ISC_FALSE, &node);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
-
- dns_rdataset_init(&rdataset);
- result = dns_db_findrdataset(zone->db, node, version,
- dns_rdatatype_soa,
- dns_rdatatype_none, 0, &rdataset,
- NULL);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- result = dns_rdataset_first(&rdataset);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- dns_rdataset_current(&rdataset, &rdata);
- dns_rdata_toregion(&rdata, &r);
- result = isc_buffer_allocate(zone->mctx, &b, r.length);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
- isc_buffer_putmem(b, r.base, r.length);
- isc_buffer_usedregion(b, &r);
- dns_rdata_init(temprdata);
- dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
- dns_message_takebuffer(message, &b);
- result = dns_rdataset_next(&rdataset);
- dns_rdataset_disassociate(&rdataset);
- if (result != ISC_R_NOMORE)
- goto soa_cleanup;
- temprdatalist->rdclass = rdata.rdclass;
- temprdatalist->type = rdata.type;
- temprdatalist->covers = 0;
- temprdatalist->ttl = rdataset.ttl;
- ISC_LIST_INIT(temprdatalist->rdata);
- ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
-
- dns_rdataset_init(temprdataset);
- result = dns_rdatalist_tordataset(temprdatalist, temprdataset);
- if (result != ISC_R_SUCCESS)
- goto soa_cleanup;
-
- ISC_LIST_APPEND(tempname->list, temprdataset, link);
- dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
- temprdatalist = NULL;
- temprdataset = NULL;
- temprdata = NULL;
- tempname = NULL;
-
- soa_cleanup:
- if (node != NULL)
- dns_db_detachnode(zone->db, &node);
- if (version != NULL)
- dns_db_closeversion(zone->db, &version, ISC_FALSE);
- if (tempname != NULL)
- dns_message_puttempname(message, &tempname);
- if (temprdata != NULL)
- dns_message_puttemprdata(message, &temprdata);
- if (temprdataset != NULL)
- dns_message_puttemprdataset(message, &temprdataset);
- if (temprdatalist != NULL)
- dns_message_puttemprdatalist(message, &temprdatalist);
-
- done:
- *messagep = message;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (tempname != NULL)
- dns_message_puttempname(message, &tempname);
- if (temprdataset != NULL)
- dns_message_puttemprdataset(message, &temprdataset);
- if (message != NULL)
- dns_message_destroy(&message);
- return (result);
-}
-
-isc_result_t
-dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
- dns_message_t *msg)
-{
- unsigned int i;
- dns_rdata_soa_t soa;
- dns_rdataset_t *rdataset = NULL;
- dns_rdata_t rdata = DNS_RDATA_INIT;
- isc_result_t result;
- char fromtext[ISC_SOCKADDR_FORMATSIZE];
- int match = 0;
- isc_netaddr_t netaddr;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- /*
- * If type != T_SOA return DNS_R_REFUSED. We don't yet support
- * ROLLOVER.
- *
- * SOA: RFC 1996
- * Check that 'from' is a valid notify source, (zone->masters).
- * Return DNS_R_REFUSED if not.
- *
- * If the notify message contains a serial number check it
- * against the zones serial and return if <= current serial
- *
- * If a refresh check is progress, if so just record the
- * fact we received a NOTIFY and from where and return.
- * We will perform a new refresh check when the current one
- * completes. Return ISC_R_SUCCESS.
- *
- * Otherwise initiate a refresh check using 'from' as the
- * first address to check. Return ISC_R_SUCCESS.
- */
-
- isc_sockaddr_format(from, fromtext, sizeof(fromtext));
-
- /*
- * We only handle NOTIFY (SOA) at the present.
- */
- LOCK_ZONE(zone);
- if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
- dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
- dns_rdatatype_soa, dns_rdatatype_none,
- NULL, NULL) != ISC_R_SUCCESS) {
- UNLOCK_ZONE(zone);
- if (msg->counts[DNS_SECTION_QUESTION] == 0) {
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "NOTIFY with no "
- "question section from: %s", fromtext);
- return (DNS_R_FORMERR);
- }
- dns_zone_log(zone, ISC_LOG_NOTICE,
- "NOTIFY zone does not match");
- return (DNS_R_NOTIMP);
- }
-
- /*
- * If we are a master zone just succeed.
- */
- if (zone->type == dns_zone_master) {
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
-
- isc_netaddr_fromsockaddr(&netaddr, from);
- for (i = 0; i < zone->masterscnt; i++) {
- if (isc_sockaddr_eqaddr(from, &zone->masters[i]))
- break;
- if (zone->view->aclenv.match_mapped &&
- IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) &&
- isc_sockaddr_pf(&zone->masters[i]) == AF_INET) {
- isc_netaddr_t na1, na2;
- isc_netaddr_fromv4mapped(&na1, &netaddr);
- isc_netaddr_fromsockaddr(&na2, &zone->masters[i]);
- if (isc_netaddr_equal(&na1, &na2))
- break;
- }
- }
-
- /*
- * Accept notify requests from non masters if they are on
- * 'zone->notify_acl'.
- */
- if (i >= zone->masterscnt && zone->notify_acl != NULL &&
- dns_acl_match(&netaddr, NULL, zone->notify_acl,
- &zone->view->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- {
- /* Accept notify. */
- } else if (i >= zone->masterscnt) {
- UNLOCK_ZONE(zone);
- dns_zone_log(zone, ISC_LOG_INFO,
- "refused notify from non-master: %s", fromtext);
- return (DNS_R_REFUSED);
- }
-
- /*
- * If the zone is loaded and there are answers check the serial
- * to see if we need to do a refresh. Do not worry about this
- * check if we are a dialup zone as we use the notify request
- * to trigger a refresh check.
- */
- if (msg->counts[DNS_SECTION_ANSWER] > 0 &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH)) {
- result = dns_message_findname(msg, DNS_SECTION_ANSWER,
- &zone->origin,
- dns_rdatatype_soa,
- dns_rdatatype_none, NULL,
- &rdataset);
- if (result == ISC_R_SUCCESS)
- result = dns_rdataset_first(rdataset);
- if (result == ISC_R_SUCCESS) {
- isc_uint32_t serial = 0;
-
- dns_rdataset_current(rdataset, &rdata);
- result = dns_rdata_tostruct(&rdata, &soa, NULL);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- serial = soa.serial;
- if (isc_serial_le(serial, zone->serial)) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "notify from %s: "
- "zone is up to date",
- fromtext);
- UNLOCK_ZONE(zone);
- return (ISC_R_SUCCESS);
- }
- }
- }
-
- /*
- * If we got this far and there was a refresh in progress just
- * let it complete. Record where we got the notify from so we
- * can perform a refresh check when the current one completes
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
- zone->notifyfrom = *from;
- UNLOCK_ZONE(zone);
- dns_zone_log(zone, ISC_LOG_INFO,
- "notify from %s: refresh in progress, "
- "refresh check queued",
- fromtext);
- return (ISC_R_SUCCESS);
- }
- zone->notifyfrom = *from;
- UNLOCK_ZONE(zone);
- dns_zone_refresh(zone);
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->notify_acl != NULL)
- dns_acl_detach(&zone->notify_acl);
- dns_acl_attach(acl, &zone->notify_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->query_acl != NULL)
- dns_acl_detach(&zone->query_acl);
- dns_acl_attach(acl, &zone->query_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->update_acl != NULL)
- dns_acl_detach(&zone->update_acl);
- dns_acl_attach(acl, &zone->update_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->forward_acl != NULL)
- dns_acl_detach(&zone->forward_acl);
- dns_acl_attach(acl, &zone->forward_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->xfr_acl != NULL)
- dns_acl_detach(&zone->xfr_acl);
- dns_acl_attach(acl, &zone->xfr_acl);
- UNLOCK_ZONE(zone);
-}
-
-dns_acl_t *
-dns_zone_getnotifyacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->notify_acl);
-}
-
-dns_acl_t *
-dns_zone_getqueryacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->query_acl);
-}
-
-dns_acl_t *
-dns_zone_getupdateacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->update_acl);
-}
-
-dns_acl_t *
-dns_zone_getforwardacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->forward_acl);
-}
-
-dns_acl_t *
-dns_zone_getxfracl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->xfr_acl);
-}
-
-void
-dns_zone_clearupdateacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->update_acl != NULL)
- dns_acl_detach(&zone->update_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearforwardacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->forward_acl != NULL)
- dns_acl_detach(&zone->forward_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearnotifyacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->notify_acl != NULL)
- dns_acl_detach(&zone->notify_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearqueryacl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->query_acl != NULL)
- dns_acl_detach(&zone->query_acl);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_clearxfracl(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->xfr_acl != NULL)
- dns_acl_detach(&zone->xfr_acl);
- UNLOCK_ZONE(zone);
-}
-
-isc_boolean_t
-dns_zone_getupdatedisabled(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
- return (zone->update_disabled);
-
-}
-
-void
-dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->update_disabled = state;
-}
-
-void
-dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- zone->check_names = severity;
-}
-
-dns_severity_t
-dns_zone_getchecknames(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->check_names);
-}
-
-void
-dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- zone->journalsize = size;
-}
-
-isc_int32_t
-dns_zone_getjournalsize(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->journalsize);
-}
-
-static void
-zone_tostr(dns_zone_t *zone, char *buf, size_t length) {
- isc_result_t result = ISC_R_FAILURE;
- isc_buffer_t buffer;
-
- REQUIRE(buf != NULL);
- REQUIRE(length > 1U);
-
- /*
- * Leave space for terminating '\0'.
- */
- isc_buffer_init(&buffer, buf, length - 1);
- if (dns_name_dynamic(&zone->origin))
- result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
- if (result != ISC_R_SUCCESS &&
- isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
- isc_buffer_putstr(&buffer, "<UNKNOWN>");
-
- if (isc_buffer_availablelength(&buffer) > 0)
- isc_buffer_putstr(&buffer, "/");
- (void)dns_rdataclass_totext(zone->rdclass, &buffer);
-
- if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
- strcmp(zone->view->name, "_default") != 0 &&
- strlen(zone->view->name) < isc_buffer_availablelength(&buffer)) {
- isc_buffer_putstr(&buffer, "/");
- isc_buffer_putstr(&buffer, zone->view->name);
- }
-
- buf[isc_buffer_usedlength(&buffer)] = '\0';
-}
-
-void
-dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(buf != NULL);
- zone_tostr(zone, buf, length);
-}
-
-static void
-notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
- va_list ap;
- char message[4096];
- char namebuf[1024+32];
-
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
-
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_NOTIFY, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", namebuf, message);
-}
-
-void
-dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
- int level, const char *fmt, ...) {
- va_list ap;
- char message[4096];
- char namebuf[1024+32];
-
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
-
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", namebuf, message);
-}
-
-void
-dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
- va_list ap;
- char message[4096];
- char namebuf[1024+32];
-
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
-
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "zone %s: %s", namebuf, message);
-}
-
-static void
-zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
- const char *fmt, ...)
-{
- va_list ap;
- char message[4096];
- char namebuf[1024+32];
- int level = ISC_LOG_DEBUG(debuglevel);
-
- if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
- return;
-
- zone_tostr(zone, namebuf, sizeof(namebuf));
-
- va_start(ap, fmt);
- vsnprintf(message, sizeof(message), fmt, ap);
- va_end(ap);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
- level, "%s: zone %s: %s", me, namebuf, message);
-}
-
-static int
-message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type)
-{
- isc_result_t result;
- dns_name_t *name;
- dns_rdataset_t *curr;
- int count = 0;
-
- result = dns_message_firstname(msg, section);
- while (result == ISC_R_SUCCESS) {
- name = NULL;
- dns_message_currentname(msg, section, &name);
-
- for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
- curr = ISC_LIST_PREV(curr, link)) {
- if (curr->type == type)
- count++;
- }
- result = dns_message_nextname(msg, section);
- }
-
- return (count);
-}
-
-void
-dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- zone->maxxfrin = maxxfrin;
-}
-
-isc_uint32_t
-dns_zone_getmaxxfrin(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->maxxfrin);
-}
-
-void
-dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout) {
- REQUIRE(DNS_ZONE_VALID(zone));
- zone->maxxfrout = maxxfrout;
-}
-
-isc_uint32_t
-dns_zone_getmaxxfrout(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->maxxfrout);
-}
-
-dns_zonetype_t dns_zone_gettype(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->type);
-}
-
-dns_name_t *
-dns_zone_getorigin(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (&zone->origin);
-}
-
-void
-dns_zone_settask(dns_zone_t *zone, isc_task_t *task) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->task != NULL)
- isc_task_detach(&zone->task);
- isc_task_attach(task, &zone->task);
- if (zone->db != NULL)
- dns_db_settask(zone->db, zone->task);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_gettask(dns_zone_t *zone, isc_task_t **target) {
- REQUIRE(DNS_ZONE_VALID(zone));
- isc_task_attach(zone->task, target);
-}
-
-void
-dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- if (idlein == 0)
- idlein = DNS_DEFAULT_IDLEIN;
- zone->idlein = idlein;
-}
-
-isc_uint32_t
-dns_zone_getidlein(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->idlein);
-}
-
-void
-dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- zone->idleout = idleout;
-}
-
-isc_uint32_t
-dns_zone_getidleout(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->idleout);
-}
-
-static void
-notify_done(isc_task_t *task, isc_event_t *event) {
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_notify_t *notify;
- isc_result_t result;
- dns_message_t *message = NULL;
- isc_buffer_t buf;
- char rcode[128];
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
-
- UNUSED(task);
-
- notify = event->ev_arg;
- REQUIRE(DNS_NOTIFY_VALID(notify));
- INSIST(task == notify->zone->task);
-
- isc_buffer_init(&buf, rcode, sizeof(rcode));
- isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
-
- result = revent->result;
- if (result == ISC_R_SUCCESS)
- result = dns_message_create(notify->zone->mctx,
- DNS_MESSAGE_INTENTPARSE, &message);
- if (result == ISC_R_SUCCESS)
- result = dns_request_getresponse(revent->request, message,
- DNS_MESSAGEPARSE_PRESERVEORDER);
- if (result == ISC_R_SUCCESS)
- result = dns_rcode_totext(message->rcode, &buf);
- if (result == ISC_R_SUCCESS)
- notify_log(notify->zone, ISC_LOG_DEBUG(3),
- "notify response from %s: %.*s",
- addrbuf, (int)buf.used, rcode);
- else
- notify_log(notify->zone, ISC_LOG_DEBUG(2),
- "notify to %s failed: %s", addrbuf,
- dns_result_totext(result));
-
- /*
- * Old bind's return formerr if they see a soa record. Retry w/o
- * the soa if we see a formerr and had sent a SOA.
- */
- isc_event_free(&event);
- if (message != NULL && message->rcode == dns_rcode_formerr &&
- (notify->flags & DNS_NOTIFY_NOSOA) == 0) {
- notify->flags |= DNS_NOTIFY_NOSOA;
- dns_request_destroy(&notify->request);
- result = notify_send_queue(notify);
- if (result != ISC_R_SUCCESS)
- notify_destroy(notify, ISC_FALSE);
- } else {
- if (result == ISC_R_TIMEDOUT)
- notify_log(notify->zone, ISC_LOG_DEBUG(1),
- "notify to %s: retries exceeded", addrbuf);
- notify_destroy(notify, ISC_FALSE);
- }
- if (message != NULL)
- dns_message_destroy(&message);
-}
-
-isc_result_t
-dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
- isc_result_t result;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- LOCK_ZONE(zone);
- result = zone_replacedb(zone, db, dump);
- UNLOCK_ZONE(zone);
- return (result);
-}
-
-static isc_result_t
-zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
- dns_dbversion_t *ver;
- isc_result_t result;
- unsigned int soacount = 0;
- unsigned int nscount = 0;
-
- /*
- * 'zone' locked by caller.
- */
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(LOCKED_ZONE(zone));
-
- result = zone_get_from_db(db, &zone->origin, &nscount, &soacount,
- NULL, NULL, NULL, NULL, NULL);
- if (result == ISC_R_SUCCESS) {
- if (soacount != 1) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "has %d SOA records", soacount);
- result = DNS_R_BADZONE;
- }
- if (nscount == 0) {
- dns_zone_log(zone, ISC_LOG_ERROR, "has no NS records");
- result = DNS_R_BADZONE;
- }
- if (result != ISC_R_SUCCESS)
- return (result);
- } else {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "retrieving SOA and NS records failed: %s",
- dns_result_totext(result));
- return (result);
- }
-
- ver = NULL;
- dns_db_currentversion(db, &ver);
-
- /*
- * The initial version of a slave zone is always dumped;
- * subsequent versions may be journalled instead if this
- * is enabled in the configuration.
- */
- if (zone->db != NULL && zone->journal != NULL &&
- DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
- isc_uint32_t serial;
-
- dns_zone_log(zone, ISC_LOG_DEBUG(3), "generating diffs");
-
- result = dns_db_getsoaserial(db, ver, &serial);
- if (result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "ixfr-from-differences: unable to get "
- "new serial");
- goto fail;
- }
-
- /*
- * This is checked in zone_postload() for master zones.
- */
- if (zone->type == dns_zone_slave &&
- !isc_serial_gt(serial, zone->serial)) {
- isc_uint32_t serialmin, serialmax;
- serialmin = (zone->serial + 1) & 0xffffffffU;
- serialmax = (zone->serial + 0x7fffffffU) & 0xffffffffU;
- dns_zone_log(zone, ISC_LOG_ERROR,
- "ixfr-from-differences: failed: "
- "new serial (%u) out of range [%u - %u]",
- serial, serialmin, serialmax);
- result = ISC_R_RANGE;
- goto fail;
- }
-
- result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
- zone->journal);
- if (result != ISC_R_SUCCESS)
- goto fail;
- if (dump)
- zone_needdump(zone, DNS_DUMP_DELAY);
- else if (zone->journalsize != -1) {
- result = dns_journal_compact(zone->mctx, zone->journal,
- serial, zone->journalsize);
- switch (result) {
- case ISC_R_SUCCESS:
- case ISC_R_NOSPACE:
- case ISC_R_NOTFOUND:
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "dns_journal_compact: %s",
- dns_result_totext(result));
- break;
- default:
- dns_zone_log(zone, ISC_LOG_ERROR,
- "dns_journal_compact failed: %s",
- dns_result_totext(result));
- break;
- }
- }
- } else {
- if (dump && zone->masterfile != NULL) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "dumping new zone version");
- result = dns_db_dump(db, ver, zone->masterfile);
- if (result != ISC_R_SUCCESS)
- goto fail;
-
- /*
- * Update the time the zone was updated, so
- * dns_zone_load can avoid loading it when
- * the server is reloaded. If isc_time_now
- * fails for some reason, all that happens is
- * the timestamp is not updated.
- */
- TIME_NOW(&zone->loadtime);
- }
-
- if (dump && zone->journal != NULL) {
- /*
- * The in-memory database just changed, and
- * because 'dump' is set, it didn't change by
- * being loaded from disk. Also, we have not
- * journalled diffs for this change.
- * Therefore, the on-disk journal is missing
- * the deltas for this change. Since it can
- * no longer be used to bring the zone
- * up-to-date, it is useless and should be
- * removed.
- */
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "removing journal file");
- (void)remove(zone->journal);
- }
- }
-
- dns_db_closeversion(db, &ver, ISC_FALSE);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "replacing zone database");
-
- if (zone->db != NULL)
- dns_db_detach(&zone->db);
- dns_db_attach(db, &zone->db);
- dns_db_settask(zone->db, zone->task);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
- return (ISC_R_SUCCESS);
-
- fail:
- dns_db_closeversion(db, &ver, ISC_FALSE);
- return (result);
-}
-
-static void
-zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
- isc_time_t now;
- isc_boolean_t again = ISC_FALSE;
- unsigned int soacount;
- unsigned int nscount;
- isc_uint32_t serial, refresh, retry, expire, minimum;
- isc_result_t xfrresult = result;
- isc_boolean_t free_needed;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "zone transfer finished: %s", dns_result_totext(result));
-
- LOCK_ZONE(zone);
- INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
-
- TIME_NOW(&now);
- switch (result) {
- case ISC_R_SUCCESS:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
- /*FALLTHROUGH*/
- case DNS_R_UPTODATE:
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER);
- /*
- * Has the zone expired underneath us?
- */
- if (zone->db == NULL)
- goto same_master;
-
- /*
- * Update the zone structure's data from the actual
- * SOA received.
- */
- nscount = 0;
- soacount = 0;
- INSIST(zone->db != NULL);
- result = zone_get_from_db(zone->db, &zone->origin, &nscount,
- &soacount, &serial, &refresh,
- &retry, &expire, &minimum);
- if (result == ISC_R_SUCCESS) {
- if (soacount != 1)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "transferred zone "
- "has %d SOA record%s", soacount,
- (soacount != 0) ? "s" : "");
- if (nscount == 0) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "transferred zone "
- "has no NS records");
- if (DNS_ZONE_FLAG(zone,
- DNS_ZONEFLG_HAVETIMERS)) {
- zone->refresh = DNS_ZONE_DEFAULTREFRESH;
- zone->retry = DNS_ZONE_DEFAULTRETRY;
- }
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- zone_unload(zone);
- goto next_master;
- }
- zone->serial = serial;
- zone->refresh = RANGE(refresh, zone->minrefresh,
- zone->maxrefresh);
- zone->retry = RANGE(retry, zone->minretry,
- zone->maxretry);
- zone->expire = RANGE(expire,
- zone->refresh + zone->retry,
- DNS_MAX_EXPIRE);
- zone->minimum = minimum;
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
- }
-
- /*
- * Set our next update/expire times.
- */
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
- zone->refreshtime = now;
- DNS_ZONE_TIME_ADD(&now, zone->expire,
- &zone->expiretime);
- } else {
- DNS_ZONE_JITTER_ADD(&now, zone->refresh,
- &zone->refreshtime);
- DNS_ZONE_TIME_ADD(&now, zone->expire,
- &zone->expiretime);
- }
- if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
- char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
- if (zone->tsigkey != NULL) {
- char namebuf[DNS_NAME_FORMATSIZE];
- dns_name_format(&zone->tsigkey->name, namebuf,
- sizeof(namebuf));
- snprintf(buf, sizeof(buf), ": TSIG '%s'",
- namebuf);
- } else
- buf[0] = '\0';
- dns_zone_log(zone, ISC_LOG_INFO,
- "transferred serial %u%s",
- zone->serial, buf);
- }
-
- /*
- * This is not neccessary if we just performed a AXFR
- * however it is necessary for an IXFR / UPTODATE and
- * won't hurt with an AXFR.
- */
- if (zone->masterfile != NULL || zone->journal != NULL) {
- result = ISC_R_FAILURE;
- if (zone->journal != NULL)
- result = isc_file_settime(zone->journal, &now);
- if (result != ISC_R_SUCCESS &&
- zone->masterfile != NULL)
- result = isc_file_settime(zone->masterfile,
- &now);
- /* Someone removed the file from underneath us! */
- if (result == ISC_R_FILENOTFOUND &&
- zone->masterfile != NULL)
- zone_needdump(zone, DNS_DUMP_DELAY);
- else if (result != ISC_R_SUCCESS)
- dns_zone_log(zone, ISC_LOG_ERROR,
- "transfer: could not set file "
- "modification time of '%s': %s",
- zone->masterfile,
- dns_result_totext(result));
- }
-
- break;
-
- case DNS_R_BADIXFR:
- /* Force retry with AXFR. */
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
- goto same_master;
-
- default:
- next_master:
- /*
- * Skip to next failed / untried master.
- */
- do {
- zone->curmaster++;
- } while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster]);
- /* FALLTHROUGH */
- same_master:
- if (zone->curmaster >= zone->masterscnt) {
- zone->curmaster = 0;
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
- !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- while (zone->curmaster < zone->masterscnt &&
- zone->mastersok[zone->curmaster])
- zone->curmaster++;
- again = ISC_TRUE;
- } else
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
- } else {
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
- again = ISC_TRUE;
- }
- break;
- }
- zone_settimer(zone, &now);
-
- /*
- * If creating the transfer object failed, zone->xfr is NULL.
- * Otherwise, we are called as the done callback of a zone
- * transfer object that just entered its shutting-down
- * state. Since we are no longer responsible for shutting
- * it down, we can detach our reference.
- */
- if (zone->xfr != NULL)
- dns_xfrin_detach(&zone->xfr);
-
- if (zone->tsigkey != NULL)
- dns_tsigkey_detach(&zone->tsigkey);
-
- /*
- * This transfer finishing freed up a transfer quota slot.
- * Let any other zones waiting for quota have it.
- */
- RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
- zone->statelist = NULL;
- zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
- RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
-
- /*
- * Retry with a different server if necessary.
- */
- if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
- queue_soa_query(zone);
-
- INSIST(zone->irefs > 0);
- zone->irefs--;
- free_needed = exit_check(zone);
- UNLOCK_ZONE(zone);
- if (free_needed)
- zone_free(zone);
-}
-
-static void
-zone_loaddone(void *arg, isc_result_t result) {
- static char me[] = "zone_loaddone";
- dns_load_t *load = arg;
- dns_zone_t *zone;
- isc_result_t tresult;
-
- REQUIRE(DNS_LOAD_VALID(load));
- zone = load->zone;
-
- ENTER;
-
- tresult = dns_db_endload(load->db, &load->callbacks.add_private);
- if (tresult != ISC_R_SUCCESS &&
- (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
- result = tresult;
-
- LOCK_ZONE(load->zone);
- (void)zone_postload(load->zone, load->db, load->loadtime, result);
- zonemgr_putio(&load->zone->readio);
- DNS_ZONE_CLRFLAG(load->zone, DNS_ZONEFLG_LOADING);
- UNLOCK_ZONE(load->zone);
-
- load->magic = 0;
- dns_db_detach(&load->db);
- if (load->zone->lctx != NULL)
- dns_loadctx_detach(&load->zone->lctx);
- dns_zone_idetach(&load->zone);
- isc_mem_putanddetach(&load->mctx, load, sizeof(*load));
-}
-
-void
-dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(table != NULL);
- REQUIRE(*table == NULL);
-
- LOCK_ZONE(zone);
- if (zone->ssutable != NULL)
- dns_ssutable_attach(zone->ssutable, table);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- if (zone->ssutable != NULL)
- dns_ssutable_detach(&zone->ssutable);
- if (table != NULL)
- dns_ssutable_attach(table, &zone->ssutable);
- UNLOCK_ZONE(zone);
-}
-
-void
-dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- zone->sigvalidityinterval = interval;
-}
-
-isc_uint32_t
-dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->sigvalidityinterval);
-}
-
-static void
-queue_xfrin(dns_zone_t *zone) {
- const char me[] = "queue_xfrin";
- isc_result_t result;
- dns_zonemgr_t *zmgr = zone->zmgr;
-
- ENTER;
-
- INSIST(zone->statelist == NULL);
-
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
- LOCK_ZONE(zone);
- zone->irefs++;
- UNLOCK_ZONE(zone);
- zone->statelist = &zmgr->waiting_for_xfrin;
- result = zmgr_start_xfrin_ifquota(zmgr, zone);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-
- if (result == ISC_R_QUOTA) {
- dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
- "zone transfer deferred due to quota");
- } else if (result != ISC_R_SUCCESS) {
- dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
- "starting zone transfer: %s",
- isc_result_totext(result));
- }
-}
-
-/*
- * This event callback is called when a zone has received
- * any necessary zone transfer quota. This is the time
- * to go ahead and start the transfer.
- */
-static void
-got_transfer_quota(isc_task_t *task, isc_event_t *event) {
- isc_result_t result;
- dns_peer_t *peer = NULL;
- char mastertext[256];
- dns_rdatatype_t xfrtype;
- dns_zone_t *zone = event->ev_arg;
- isc_netaddr_t masterip;
- isc_sockaddr_t sourceaddr;
- isc_sockaddr_t masteraddr;
-
- UNUSED(task);
-
- INSIST(task == zone->task);
-
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
- result = ISC_R_CANCELED;
- goto cleanup;
- }
-
- isc_sockaddr_format(&zone->masteraddr, mastertext, sizeof(mastertext));
-
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- (void)dns_peerlist_peerbyaddr(zone->view->peers,
- &masterip, &peer);
-
- /*
- * Decide whether we should request IXFR or AXFR.
- */
- if (zone->db == NULL) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "no database exists yet, "
- "requesting AXFR of "
- "initial version from %s", mastertext);
- xfrtype = dns_rdatatype_axfr;
- } else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1), "ixfr-from-differences "
- "set, requesting AXFR from %s", mastertext);
- xfrtype = dns_rdatatype_axfr;
- } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "forced reload, requesting AXFR of "
- "initial version from %s", mastertext);
- xfrtype = dns_rdatatype_axfr;
- } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "retrying with AXFR from %s due to "
- "previous IXFR failure", mastertext);
- xfrtype = dns_rdatatype_axfr;
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
- UNLOCK_ZONE(zone);
- } else {
- isc_boolean_t use_ixfr = ISC_TRUE;
- if (peer != NULL &&
- dns_peer_getrequestixfr(peer, &use_ixfr) ==
- ISC_R_SUCCESS) {
- ; /* Using peer setting */
- } else {
- use_ixfr = zone->view->requestixfr;
- }
- if (use_ixfr == ISC_FALSE) {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "IXFR disabled, "
- "requesting AXFR from %s",
- mastertext);
- xfrtype = dns_rdatatype_axfr;
- } else {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "requesting IXFR from %s",
- mastertext);
- xfrtype = dns_rdatatype_ixfr;
- }
- }
-
- /*
- * Determine if we should attempt to sign the request with TSIG.
- */
- result = ISC_R_NOTFOUND;
- /*
- * First, look for a tsig key in the master statement, then
- * try for a server key.
- */
- if ((zone->masterkeynames != NULL) &&
- (zone->masterkeynames[zone->curmaster] != NULL)) {
- dns_view_t *view = dns_zone_getview(zone);
- dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
- result = dns_view_gettsig(view, keyname, &zone->tsigkey);
- }
- if (zone->tsigkey == NULL)
- result = dns_view_getpeertsig(zone->view, &masterip,
- &zone->tsigkey);
-
- if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
- dns_zone_log(zone, ISC_LOG_ERROR,
- "could not get TSIG key "
- "for zone transfer: %s",
- isc_result_totext(result));
- }
-
- LOCK_ZONE(zone);
- masteraddr = zone->masteraddr;
- sourceaddr = zone->sourceaddr;
- UNLOCK_ZONE(zone);
- INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr));
- result = dns_xfrin_create2(zone, xfrtype, &masteraddr, &sourceaddr,
- zone->tsigkey, zone->mctx,
- zone->zmgr->timermgr, zone->zmgr->socketmgr,
- zone->task, zone_xfrdone, &zone->xfr);
- cleanup:
- /*
- * Any failure in this function is handled like a failed
- * zone transfer. This ensures that we get removed from
- * zmgr->xfrin_in_progress.
- */
- if (result != ISC_R_SUCCESS)
- zone_xfrdone(zone, result);
-
- isc_event_free(&event);
-}
-
-/*
- * Update forwarding support.
- */
-
-static void
-forward_destroy(dns_forward_t *forward) {
-
- forward->magic = 0;
- if (forward->request != NULL)
- dns_request_destroy(&forward->request);
- if (forward->msgbuf != NULL)
- isc_buffer_free(&forward->msgbuf);
- if (forward->zone != NULL)
- dns_zone_idetach(&forward->zone);
- isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
-}
-
-static isc_result_t
-sendtomaster(dns_forward_t *forward) {
- isc_result_t result;
- isc_sockaddr_t src;
-
- LOCK_ZONE(forward->zone);
- if (forward->which >= forward->zone->masterscnt) {
- UNLOCK_ZONE(forward->zone);
- return (ISC_R_NOMORE);
- }
-
- forward->addr = forward->zone->masters[forward->which];
- /*
- * Always use TCP regardless of whether the original update
- * used TCP.
- * XXX The timeout may but a bit small if we are far down a
- * transfer graph and the master has to try several masters.
- */
- switch (isc_sockaddr_pf(&forward->addr)) {
- case PF_INET:
- src = forward->zone->xfrsource4;
- break;
- case PF_INET6:
- src = forward->zone->xfrsource6;
- break;
- default:
- result = ISC_R_NOTIMPLEMENTED;
- goto unlock;
- }
- result = dns_request_createraw(forward->zone->view->requestmgr,
- forward->msgbuf,
- &src, &forward->addr,
- DNS_REQUESTOPT_TCP, 15 /* XXX */,
- forward->zone->task,
- forward_callback, forward,
- &forward->request);
- unlock:
- UNLOCK_ZONE(forward->zone);
- return (result);
-}
-
-static void
-forward_callback(isc_task_t *task, isc_event_t *event) {
- const char me[] = "forward_callback";
- dns_requestevent_t *revent = (dns_requestevent_t *)event;
- dns_message_t *msg = NULL;
- char master[ISC_SOCKADDR_FORMATSIZE];
- isc_result_t result;
- dns_forward_t *forward;
- dns_zone_t *zone;
-
- UNUSED(task);
-
- forward = revent->ev_arg;
- INSIST(DNS_FORWARD_VALID(forward));
- zone = forward->zone;
- INSIST(DNS_ZONE_VALID(zone));
-
- ENTER;
-
- isc_sockaddr_format(&forward->addr, master, sizeof(master));
-
- if (revent->result != ISC_R_SUCCESS) {
- dns_zone_log(zone, ISC_LOG_INFO,
- "could not forward dynamic update to %s: %s",
- master, dns_result_totext(revent->result));
- goto next_master;
- }
-
- result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
- if (result != ISC_R_SUCCESS)
- goto next_master;
-
- result = dns_request_getresponse(revent->request, msg,
- DNS_MESSAGEPARSE_PRESERVEORDER |
- DNS_MESSAGEPARSE_CLONEBUFFER);
- if (result != ISC_R_SUCCESS)
- goto next_master;
-
- switch (msg->rcode) {
- /*
- * Pass these rcodes back to client.
- */
- case dns_rcode_noerror:
- case dns_rcode_yxdomain:
- case dns_rcode_yxrrset:
- case dns_rcode_nxrrset:
- case dns_rcode_refused:
- case dns_rcode_nxdomain:
- break;
-
- /* These should not occur if the masters/zone are valid. */
- case dns_rcode_notzone:
- case dns_rcode_notauth: {
- char rcode[128];
- isc_buffer_t rb;
-
- isc_buffer_init(&rb, rcode, sizeof(rcode));
- (void)dns_rcode_totext(msg->rcode, &rb);
- dns_zone_log(zone, ISC_LOG_WARNING,
- "forwarding dynamic update: "
- "unexpected response: master %s returned: %.*s",
- master, (int)rb.used, rcode);
- goto next_master;
- }
-
- /* Try another server for these rcodes. */
- case dns_rcode_formerr:
- case dns_rcode_servfail:
- case dns_rcode_notimp:
- case dns_rcode_badvers:
- default:
- goto next_master;
- }
-
- /* call callback */
- (forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg);
- msg = NULL;
- dns_request_destroy(&forward->request);
- forward_destroy(forward);
- isc_event_free(&event);
- return;
-
- next_master:
- if (msg != NULL)
- dns_message_destroy(&msg);
- isc_event_free(&event);
- forward->which++;
- dns_request_destroy(&forward->request);
- result = sendtomaster(forward);
- if (result != ISC_R_SUCCESS) {
- /* call callback */
- dns_zone_log(zone, ISC_LOG_DEBUG(3),
- "exhausted dynamic update forwarder list");
- (forward->callback)(forward->callback_arg, result, NULL);
- forward_destroy(forward);
- }
-}
-
-isc_result_t
-dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
- dns_updatecallback_t callback, void *callback_arg)
-{
- dns_forward_t *forward;
- isc_result_t result;
- isc_region_t *mr;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(msg != NULL);
- REQUIRE(callback != NULL);
-
- forward = isc_mem_get(zone->mctx, sizeof(*forward));
- if (forward == NULL)
- return (ISC_R_NOMEMORY);
-
- forward->request = NULL;
- forward->zone = NULL;
- forward->msgbuf = NULL;
- forward->which = 0;
- forward->mctx = 0;
- forward->callback = callback;
- forward->callback_arg = callback_arg;
- forward->magic = FORWARD_MAGIC;
-
- mr = dns_message_getrawmessage(msg);
- if (mr == NULL) {
- result = ISC_R_UNEXPECTEDEND;
- goto cleanup;
- }
-
- result = isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
- result = isc_buffer_copyregion(forward->msgbuf, mr);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- isc_mem_attach(zone->mctx, &forward->mctx);
- dns_zone_iattach(zone, &forward->zone);
- result = sendtomaster(forward);
-
- cleanup:
- if (result != ISC_R_SUCCESS) {
- forward_destroy(forward);
- }
- return (result);
-}
-
-isc_result_t
-dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(next != NULL && *next == NULL);
-
- *next = ISC_LIST_NEXT(zone, link);
- if (*next == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(first != NULL && *first == NULL);
-
- *first = ISC_LIST_HEAD(zmgr->zones);
- if (*first == NULL)
- return (ISC_R_NOMORE);
- else
- return (ISC_R_SUCCESS);
-}
-
-/***
- *** Zone manager.
- ***/
-
-isc_result_t
-dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
- isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
- dns_zonemgr_t **zmgrp)
-{
- dns_zonemgr_t *zmgr;
- isc_result_t result;
- isc_interval_t interval;
-
- zmgr = isc_mem_get(mctx, sizeof(*zmgr));
- if (zmgr == NULL)
- return (ISC_R_NOMEMORY);
- zmgr->mctx = NULL;
- zmgr->refs = 1;
- isc_mem_attach(mctx, &zmgr->mctx);
- zmgr->taskmgr = taskmgr;
- zmgr->timermgr = timermgr;
- zmgr->socketmgr = socketmgr;
- zmgr->zonetasks = NULL;
- zmgr->task = NULL;
- zmgr->rl = NULL;
- ISC_LIST_INIT(zmgr->zones);
- ISC_LIST_INIT(zmgr->waiting_for_xfrin);
- ISC_LIST_INIT(zmgr->xfrin_in_progress);
- result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_rwlock_init() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto free_mem;
- }
- zmgr->transfersin = 10;
- zmgr->transfersperns = 2;
-
- /* Create the zone task pool. */
- result = isc_taskpool_create(taskmgr, mctx,
- 8 /* XXX */, 2, &zmgr->zonetasks);
- if (result != ISC_R_SUCCESS)
- goto free_rwlock;
-
- /* Create a single task for queueing of SOA queries. */
- result = isc_task_create(taskmgr, 1, &zmgr->task);
- if (result != ISC_R_SUCCESS)
- goto free_taskpool;
- isc_task_setname(zmgr->task, "zmgr", zmgr);
- result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
- &zmgr->rl);
- if (result != ISC_R_SUCCESS)
- goto free_task;
- /* default to 20 refresh queries / notifies per second. */
- isc_interval_set(&interval, 0, 1000000000/2);
- result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- isc_ratelimiter_setpertic(zmgr->rl, 10);
-
- zmgr->iolimit = 1;
- zmgr->ioactive = 0;
- ISC_LIST_INIT(zmgr->high);
- ISC_LIST_INIT(zmgr->low);
-
- result = isc_mutex_init(&zmgr->iolock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() failed: %s",
- isc_result_totext(result));
- goto free_rl;
- }
- zmgr->magic = ZONEMGR_MAGIC;
-
- *zmgrp = zmgr;
- return (ISC_R_SUCCESS);
-
-#if 0
- free_iolock:
- DESTROYLOCK(&zmgr->iolock);
-#endif
- free_rl:
- isc_ratelimiter_detach(&zmgr->rl);
- free_task:
- isc_task_detach(&zmgr->task);
- free_taskpool:
- isc_taskpool_destroy(&zmgr->zonetasks);
- free_rwlock:
- isc_rwlock_destroy(&zmgr->rwlock);
- free_mem:
- isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
- isc_mem_detach(&mctx);
- return (result);
-}
-
-isc_result_t
-dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- isc_result_t result;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- LOCK_ZONE(zone);
- REQUIRE(zone->task == NULL);
- REQUIRE(zone->timer == NULL);
- REQUIRE(zone->zmgr == NULL);
-
- isc_taskpool_gettask(zmgr->zonetasks,
- dns_name_hash(dns_zone_getorigin(zone),
- ISC_FALSE),
- &zone->task);
-
- /*
- * Set the task name. The tag will arbitrarily point to one
- * of the zones sharing the task (in practice, the one
- * to be managed last).
- */
- isc_task_setname(zone->task, "zone", zone);
-
- result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
- NULL, NULL,
- zone->task, zone_timer, zone,
- &zone->timer);
- if (result != ISC_R_SUCCESS)
- goto cleanup_task;
- /*
- * The timer "holds" a iref.
- */
- zone->irefs++;
- INSIST(zone->irefs != 0);
-
- ISC_LIST_APPEND(zmgr->zones, zone, link);
- zone->zmgr = zmgr;
- zmgr->refs++;
-
- goto unlock;
-
- cleanup_task:
- isc_task_detach(&zone->task);
-
- unlock:
- UNLOCK_ZONE(zone);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- return (result);
-}
-
-void
-dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- isc_boolean_t free_now = ISC_FALSE;
-
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(zone->zmgr == zmgr);
-
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- LOCK_ZONE(zone);
-
- ISC_LIST_UNLINK(zmgr->zones, zone, link);
- zone->zmgr = NULL;
- zmgr->refs--;
- if (zmgr->refs == 0)
- free_now = ISC_TRUE;
-
- UNLOCK_ZONE(zone);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-
- if (free_now)
- zonemgr_free(zmgr);
- ENSURE(zone->zmgr == NULL);
-}
-
-void
-dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) {
- REQUIRE(DNS_ZONEMGR_VALID(source));
- REQUIRE(target != NULL && *target == NULL);
-
- RWLOCK(&source->rwlock, isc_rwlocktype_write);
- REQUIRE(source->refs > 0);
- source->refs++;
- INSIST(source->refs > 0);
- RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
- *target = source;
-}
-
-void
-dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
- dns_zonemgr_t *zmgr;
- isc_boolean_t free_now = ISC_FALSE;
-
- REQUIRE(zmgrp != NULL);
- zmgr = *zmgrp;
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- zmgr->refs--;
- if (zmgr->refs == 0)
- free_now = ISC_TRUE;
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-
- if (free_now)
- zonemgr_free(zmgr);
-}
-
-isc_result_t
-dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
- dns_zone_t *p;
-
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- for (p = ISC_LIST_HEAD(zmgr->zones);
- p != NULL;
- p = ISC_LIST_NEXT(p, link))
- {
- dns_zone_maintenance(p);
- }
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-
- /*
- * Recent configuration changes may have increased the
- * amount of available transfers quota. Make sure any
- * transfers currently blocked on quota get started if
- * possible.
- */
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- zmgr_resume_xfrs(zmgr, ISC_TRUE);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
-
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
- zmgr_resume_xfrs(zmgr, ISC_TRUE);
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
-}
-
-void
-dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- isc_ratelimiter_shutdown(zmgr->rl);
-
- if (zmgr->task != NULL)
- isc_task_destroy(&zmgr->task);
- if (zmgr->zonetasks != NULL)
- isc_taskpool_destroy(&zmgr->zonetasks);
-}
-
-static void
-zonemgr_free(dns_zonemgr_t *zmgr) {
- isc_mem_t *mctx;
-
- INSIST(zmgr->refs == 0);
- INSIST(ISC_LIST_EMPTY(zmgr->zones));
-
- zmgr->magic = 0;
-
- DESTROYLOCK(&zmgr->iolock);
- isc_ratelimiter_detach(&zmgr->rl);
-
- isc_rwlock_destroy(&zmgr->rwlock);
- mctx = zmgr->mctx;
- isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
- isc_mem_detach(&mctx);
-}
-
-void
-dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- zmgr->transfersin = value;
-}
-
-isc_uint32_t
-dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- return (zmgr->transfersin);
-}
-
-void
-dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- zmgr->transfersperns = value;
-}
-
-isc_uint32_t
-dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- return (zmgr->transfersperns);
-}
-
-/*
- * Try to start a new incoming zone transfer to fill a quota
- * slot that was just vacated.
- *
- * Requires:
- * The zone manager is locked by the caller.
- */
-static void
-zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi) {
- dns_zone_t *zone;
- dns_zone_t *next;
-
- for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
- zone != NULL;
- zone = next)
- {
- isc_result_t result;
- next = ISC_LIST_NEXT(zone, statelink);
- result = zmgr_start_xfrin_ifquota(zmgr, zone);
- if (result == ISC_R_SUCCESS) {
- if (multi)
- continue;
- /*
- * We successfully filled the slot. We're done.
- */
- break;
- } else if (result == ISC_R_QUOTA) {
- /*
- * Not enough quota. This is probably the per-server
- * quota, because we usually get called when a unit of
- * global quota has just been freed. Try the next
- * zone, it may succeed if it uses another master.
- */
- continue;
- } else {
- dns_zone_log(zone, ISC_LOG_DEBUG(1),
- "starting zone transfer: %s",
- isc_result_totext(result));
- break;
- }
- }
-}
-
-/*
- * Try to start an incoming zone transfer for 'zone', quota permitting.
- *
- * Requires:
- * The zone manager is locked by the caller.
- *
- * Returns:
- * ISC_R_SUCCESS There was enough quota and we attempted to
- * start a transfer. zone_xfrdone() has been or will
- * be called.
- * ISC_R_QUOTA Not enough quota.
- * Others Failure.
- */
-static isc_result_t
-zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
- dns_peer_t *peer = NULL;
- isc_netaddr_t masterip;
- isc_uint32_t nxfrsin, nxfrsperns;
- dns_zone_t *x;
- isc_uint32_t maxtransfersin, maxtransfersperns;
- isc_event_t *e;
-
- /*
- * Find any configured information about the server we'd
- * like to transfer this zone from.
- */
- isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
- (void)dns_peerlist_peerbyaddr(zone->view->peers,
- &masterip, &peer);
-
- /*
- * Determine the total maximum number of simultaneous
- * transfers allowed, and the maximum for this specific
- * master.
- */
- maxtransfersin = zmgr->transfersin;
- maxtransfersperns = zmgr->transfersperns;
- if (peer != NULL)
- (void)dns_peer_gettransfers(peer, &maxtransfersperns);
-
- /*
- * Count the total number of transfers that are in progress,
- * and the number of transfers in progress from this master.
- * We linearly scan a list of all transfers; if this turns
- * out to be too slow, we could hash on the master address.
- */
- nxfrsin = nxfrsperns = 0;
- for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
- x != NULL;
- x = ISC_LIST_NEXT(x, statelink))
- {
- isc_netaddr_t xip;
- isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
- nxfrsin++;
- if (isc_netaddr_equal(&xip, &masterip))
- nxfrsperns++;
- }
-
- /* Enforce quota. */
- if (nxfrsin >= maxtransfersin)
- return (ISC_R_QUOTA);
-
- if (nxfrsperns >= maxtransfersperns)
- return (ISC_R_QUOTA);
-
- /*
- * We have sufficient quota. Move the zone to the "xfrin_in_progress"
- * list and send it an event to let it start the actual transfer in the
- * context of its own task.
- */
- e = isc_event_allocate(zmgr->mctx, zmgr,
- DNS_EVENT_ZONESTARTXFRIN,
- got_transfer_quota, zone,
- sizeof(isc_event_t));
- if (e == NULL)
- return (ISC_R_NOMEMORY);
-
- LOCK_ZONE(zone);
- INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
- ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
- ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
- zone->statelist = &zmgr->xfrin_in_progress;
- isc_task_send(zone->task, &e);
- dns_zone_log(zone, ISC_LOG_INFO, "Transfer started.");
- UNLOCK_ZONE(zone);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit) {
-
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(iolimit > 0);
-
- zmgr->iolimit = iolimit;
-}
-
-isc_uint32_t
-dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr) {
-
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- return (zmgr->iolimit);
-}
-
-/*
- * Get permission to request a file handle from the OS.
- * An event will be sent to action when one is available.
- * There are two queues available (high and low), the high
- * queue will be serviced before the low one.
- *
- * zonemgr_putio() must be called after the event is delivered to
- * 'action'.
- */
-
-static isc_result_t
-zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
- isc_task_t *task, isc_taskaction_t action, void *arg,
- dns_io_t **iop)
-{
- dns_io_t *io;
- isc_boolean_t queue;
-
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
- REQUIRE(iop != NULL && *iop == NULL);
-
- io = isc_mem_get(zmgr->mctx, sizeof(*io));
- if (io == NULL)
- return (ISC_R_NOMEMORY);
- io->event = isc_event_allocate(zmgr->mctx, task, DNS_EVENT_IOREADY,
- action, arg, sizeof(*io->event));
- if (io->event == NULL) {
- isc_mem_put(zmgr->mctx, io, sizeof(*io));
- return (ISC_R_NOMEMORY);
- }
- io->zmgr = zmgr;
- io->high = high;
- io->task = NULL;
- isc_task_attach(task, &io->task);
- ISC_LINK_INIT(io, link);
- io->magic = IO_MAGIC;
-
- LOCK(&zmgr->iolock);
- zmgr->ioactive++;
- queue = ISC_TF(zmgr->ioactive > zmgr->iolimit);
- if (queue) {
- if (io->high)
- ISC_LIST_APPEND(zmgr->high, io, link);
- else
- ISC_LIST_APPEND(zmgr->low, io, link);
- }
- UNLOCK(&zmgr->iolock);
- *iop = io;
-
- if (!queue) {
- isc_task_send(io->task, &io->event);
- }
- return (ISC_R_SUCCESS);
-}
-
-static void
-zonemgr_putio(dns_io_t **iop) {
- dns_io_t *io;
- dns_io_t *next;
- dns_zonemgr_t *zmgr;
-
- REQUIRE(iop != NULL);
- io = *iop;
- REQUIRE(DNS_IO_VALID(io));
-
- *iop = NULL;
-
- INSIST(!ISC_LINK_LINKED(io, link));
- INSIST(io->event == NULL);
-
- zmgr = io->zmgr;
- isc_task_detach(&io->task);
- io->magic = 0;
- isc_mem_put(zmgr->mctx, io, sizeof(*io));
-
- LOCK(&zmgr->iolock);
- INSIST(zmgr->ioactive > 0);
- zmgr->ioactive--;
- next = HEAD(zmgr->high);
- if (next == NULL)
- next = HEAD(zmgr->low);
- if (next != NULL) {
- if (next->high)
- ISC_LIST_UNLINK(zmgr->high, next, link);
- else
- ISC_LIST_UNLINK(zmgr->low, next, link);
- INSIST(next->event != NULL);
- }
- UNLOCK(&zmgr->iolock);
- if (next != NULL)
- isc_task_send(next->task, &next->event);
-}
-
-static void
-zonemgr_cancelio(dns_io_t *io) {
- isc_boolean_t send_event = ISC_FALSE;
-
- REQUIRE(DNS_IO_VALID(io));
-
- /*
- * If we are queued to be run then dequeue.
- */
- LOCK(&io->zmgr->iolock);
- if (ISC_LINK_LINKED(io, link)) {
- if (io->high)
- ISC_LIST_UNLINK(io->zmgr->high, io, link);
- else
- ISC_LIST_UNLINK(io->zmgr->low, io, link);
-
- send_event = ISC_TRUE;
- INSIST(io->event != NULL);
- }
- UNLOCK(&io->zmgr->iolock);
- if (send_event) {
- io->event->ev_attributes |= ISC_EVENTATTR_CANCELED;
- isc_task_send(io->task, &io->event);
- }
-}
-
-static void
-zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
- char *buf;
- int buflen;
- isc_result_t result;
-
- buflen = strlen(path) + strlen(templat) + 2;
-
- buf = isc_mem_get(zone->mctx, buflen);
- if (buf == NULL)
- return;
-
- result = isc_file_template(path, templat, buf, buflen);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- result = isc_file_renameunique(path, buf);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- dns_zone_log(zone, ISC_LOG_INFO, "saved '%s' as '%s'",
- path, buf);
-
- cleanup:
- isc_mem_put(zone->mctx, buf, buflen);
-}
-
-#if 0
-/* Hook for ondestroy notifcation from a database. */
-
-static void
-dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
- dns_db_t *db = event->sender;
- UNUSED(task);
-
- isc_event_free(&event);
-
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
- "database (%p) destroyed", (void*) db);
-}
-#endif
-
-void
-dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
- isc_interval_t interval;
- isc_uint32_t s, ns;
- isc_uint32_t pertic;
- isc_result_t result;
-
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- if (value == 0)
- value = 1;
-
- if (value == 1) {
- s = 1;
- ns = 0;
- pertic = 1;
- } else if (value <= 10) {
- s = 0;
- ns = 1000000000 / value;
- pertic = 1;
- } else {
- s = 0;
- ns = (1000000000 / value) * 10;
- pertic = 10;
- }
-
- isc_interval_set(&interval, s, ns);
- result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- isc_ratelimiter_setpertic(zmgr->rl, pertic);
-
- zmgr->serialqueryrate = value;
-}
-
-unsigned int
-dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- return (zmgr->serialqueryrate);
-}
-
-void
-dns_zone_forcereload(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- if (zone->type == dns_zone_master)
- return;
-
- LOCK_ZONE(zone);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
- UNLOCK_ZONE(zone);
- dns_zone_refresh(zone);
-}
-
-isc_boolean_t
-dns_zone_isforced(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER));
-}
-
-isc_result_t
-dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on) {
- isc_result_t result = ISC_R_SUCCESS;
-
- LOCK_ZONE(zone);
- if (on) {
- if (zone->counters != NULL)
- goto done;
- result = dns_stats_alloccounters(zone->mctx, &zone->counters);
- } else {
- if (zone->counters == NULL)
- goto done;
- dns_stats_freecounters(zone->mctx, &zone->counters);
- }
- done:
- UNLOCK_ZONE(zone);
- return (result);
-}
-
-isc_uint64_t *
-dns_zone_getstatscounters(dns_zone_t *zone) {
- return (zone->counters);
-}
-
-void
-dns_zone_dialup(dns_zone_t *zone) {
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- zone_debuglog(zone, "dns_zone_dialup", 3,
- "notify = %d, refresh = %d",
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
-
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
- dns_zone_notify(zone);
- if (zone->type != dns_zone_master &&
- DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
- dns_zone_refresh(zone);
-}
-
-void
-dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
- DNS_ZONEFLG_DIALREFRESH |
- DNS_ZONEFLG_NOREFRESH);
- switch (dialup) {
- case dns_dialuptype_no:
- break;
- case dns_dialuptype_yes:
- DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
- DNS_ZONEFLG_DIALREFRESH |
- DNS_ZONEFLG_NOREFRESH));
- break;
- case dns_dialuptype_notify:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
- break;
- case dns_dialuptype_notifypassive:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
- break;
- case dns_dialuptype_refresh:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
- break;
- case dns_dialuptype_passive:
- DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
- break;
- default:
- INSIST(0);
- }
- UNLOCK_ZONE(zone);
-}
-
-isc_result_t
-dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- LOCK_ZONE(zone);
- result = dns_zone_setstring(zone, &zone->keydirectory, directory);
- UNLOCK_ZONE(zone);
-
- return (result);
-}
-
-const char *
-dns_zone_getkeydirectory(dns_zone_t *zone) {
- REQUIRE(DNS_ZONE_VALID(zone));
-
- return (zone->keydirectory);
-}
-unsigned int
-dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
- dns_zone_t *zone;
- unsigned int count = 0;
-
- REQUIRE(DNS_ZONEMGR_VALID(zmgr));
-
- RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
- switch (state) {
- case DNS_ZONESTATE_XFERRUNNING:
- for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, statelink))
- count++;
- break;
- case DNS_ZONESTATE_XFERDEFERRED:
- for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, statelink))
- count++;
- break;
- case DNS_ZONESTATE_SOAQUERY:
- for (zone = ISC_LIST_HEAD(zmgr->zones);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, link))
- if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH))
- count++;
- break;
- case DNS_ZONESTATE_ANY:
- for (zone = ISC_LIST_HEAD(zmgr->zones);
- zone != NULL;
- zone = ISC_LIST_NEXT(zone, link)) {
- dns_view_t *view = zone->view;
- if (view != NULL && strcmp(view->name, "_bind") == 0)
- continue;
- count++;
- }
- break;
- default:
- INSIST(0);
- }
-
- RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
-
- return (count);
-}
-
-isc_result_t
-dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) {
- isc_boolean_t ok = ISC_TRUE;
- isc_boolean_t fail = ISC_FALSE;
- char namebuf[DNS_NAME_FORMATSIZE];
- char namebuf2[DNS_NAME_FORMATSIZE];
- char typebuf[DNS_RDATATYPE_FORMATSIZE];
- int level = ISC_LOG_WARNING;
- dns_name_t bad;
-
- REQUIRE(DNS_ZONE_VALID(zone));
-
- if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
- return (ISC_R_SUCCESS);
-
- if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
- level = ISC_LOG_ERROR;
- fail = ISC_TRUE;
- }
-
- ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, ISC_TRUE);
- if (!ok) {
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
- dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
- dns_result_totext(DNS_R_BADOWNERNAME));
- if (fail)
- return (DNS_R_BADOWNERNAME);
- }
-
- dns_name_init(&bad, NULL);
- ok = dns_rdata_checknames(rdata, name, &bad);
- if (!ok) {
- dns_name_format(name, namebuf, sizeof(namebuf));
- dns_name_format(&bad, namebuf2, sizeof(namebuf2));
- dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
- dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
- namebuf2, dns_result_totext(DNS_R_BADNAME));
- if (fail)
- return (DNS_R_BADNAME);
- }
-
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/dns/zonekey.c b/contrib/bind9/lib/dns/zonekey.c
deleted file mode 100644
index dc7ae0f6c870..000000000000
--- a/contrib/bind9/lib/dns/zonekey.c
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zonekey.c,v 1.3.206.3 2004/03/08 09:04:33 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/result.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-#include <dns/rdata.h>
-#include <dns/rdatastruct.h>
-#include <dns/types.h>
-#include <dns/zonekey.h>
-
-isc_boolean_t
-dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
- isc_result_t result;
- dns_rdata_dnskey_t key;
- isc_boolean_t iszonekey = ISC_TRUE;
-
- REQUIRE(keyrdata != NULL);
-
- result = dns_rdata_tostruct(keyrdata, &key, NULL);
- if (result != ISC_R_SUCCESS)
- return (ISC_FALSE);
-
- if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0)
- iszonekey = ISC_FALSE;
- if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
- iszonekey = ISC_FALSE;
- if (key.protocol != DNS_KEYPROTO_DNSSEC &&
- key.protocol != DNS_KEYPROTO_ANY)
- iszonekey = ISC_FALSE;
-
- return (iszonekey);
-}
diff --git a/contrib/bind9/lib/dns/zt.c b/contrib/bind9/lib/dns/zt.c
deleted file mode 100644
index 7aa6a9f4c96e..000000000000
--- a/contrib/bind9/lib/dns/zt.c
+++ /dev/null
@@ -1,320 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: zt.c,v 1.33.12.6 2004/03/08 21:06:28 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/util.h>
-
-#include <dns/rbt.h>
-#include <dns/result.h>
-#include <dns/zone.h>
-#include <dns/zt.h>
-
-struct dns_zt {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t *mctx;
- dns_rdataclass_t rdclass;
- isc_rwlock_t rwlock;
- /* Locked by lock. */
- isc_uint32_t references;
- dns_rbt_t *table;
-};
-
-#define ZTMAGIC ISC_MAGIC('Z', 'T', 'b', 'l')
-#define VALID_ZT(zt) ISC_MAGIC_VALID(zt, ZTMAGIC)
-
-static void
-auto_detach(void *, void *);
-
-static isc_result_t
-load(dns_zone_t *zone, void *uap);
-
-static isc_result_t
-loadnew(dns_zone_t *zone, void *uap);
-
-isc_result_t
-dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
- dns_zt_t *zt;
- isc_result_t result;
-
- REQUIRE(ztp != NULL && *ztp == NULL);
-
- zt = isc_mem_get(mctx, sizeof(*zt));
- if (zt == NULL)
- return (ISC_R_NOMEMORY);
-
- zt->table = NULL;
- result = dns_rbt_create(mctx, auto_detach, zt, &zt->table);
- if (result != ISC_R_SUCCESS)
- goto cleanup_zt;
-
- result = isc_rwlock_init(&zt->rwlock, 0, 0);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_rwlock_init() failed: %s",
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto cleanup_rbt;
- }
-
- zt->mctx = mctx;
- zt->references = 1;
- zt->rdclass = rdclass;
- zt->magic = ZTMAGIC;
- *ztp = zt;
-
- return (ISC_R_SUCCESS);
-
- cleanup_rbt:
- dns_rbt_destroy(&zt->table);
-
- cleanup_zt:
- isc_mem_put(mctx, zt, sizeof(*zt));
-
- return (result);
-}
-
-isc_result_t
-dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone) {
- isc_result_t result;
- dns_zone_t *dummy = NULL;
- dns_name_t *name;
-
- REQUIRE(VALID_ZT(zt));
-
- name = dns_zone_getorigin(zone);
-
- RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- result = dns_rbt_addname(zt->table, name, zone);
- if (result == ISC_R_SUCCESS)
- dns_zone_attach(zone, &dummy);
-
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- return (result);
-}
-
-isc_result_t
-dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone) {
- isc_result_t result;
- dns_name_t *name;
-
- REQUIRE(VALID_ZT(zt));
-
- name = dns_zone_getorigin(zone);
-
- RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- result = dns_rbt_deletename(zt->table, name, ISC_FALSE);
-
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- return (result);
-}
-
-isc_result_t
-dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
- dns_name_t *foundname, dns_zone_t **zonep)
-{
- isc_result_t result;
- dns_zone_t *dummy = NULL;
- unsigned int rbtoptions = 0;
-
- REQUIRE(VALID_ZT(zt));
-
- if ((options & DNS_ZTFIND_NOEXACT) != 0)
- rbtoptions |= DNS_RBTFIND_NOEXACT;
-
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
-
- result = dns_rbt_findname(zt->table, name, rbtoptions, foundname,
- (void **) (void*)&dummy);
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- dns_zone_attach(dummy, zonep);
-
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
-
- return (result);
-}
-
-void
-dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp) {
-
- REQUIRE(VALID_ZT(zt));
- REQUIRE(ztp != NULL && *ztp == NULL);
-
- RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- INSIST(zt->references > 0);
- zt->references++;
- INSIST(zt->references != 0);
-
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- *ztp = zt;
-}
-
-static isc_result_t
-flush(dns_zone_t *zone, void *uap) {
- UNUSED(uap);
- return (dns_zone_flush(zone));
-}
-
-static void
-zt_flushanddetach(dns_zt_t **ztp, isc_boolean_t need_flush) {
- isc_boolean_t destroy = ISC_FALSE;
- dns_zt_t *zt;
-
- REQUIRE(ztp != NULL && VALID_ZT(*ztp));
-
- zt = *ztp;
-
- RWLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- INSIST(zt->references > 0);
- zt->references--;
- if (zt->references == 0)
- destroy = ISC_TRUE;
-
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
-
- if (destroy) {
- if (need_flush)
- (void)dns_zt_apply(zt, ISC_FALSE, flush, NULL);
- dns_rbt_destroy(&zt->table);
- isc_rwlock_destroy(&zt->rwlock);
- zt->magic = 0;
- isc_mem_put(zt->mctx, zt, sizeof(*zt));
- }
-
- *ztp = NULL;
-}
-
-void
-dns_zt_flushanddetach(dns_zt_t **ztp) {
- zt_flushanddetach(ztp, ISC_TRUE);
-}
-
-void
-dns_zt_detach(dns_zt_t **ztp) {
- zt_flushanddetach(ztp, ISC_FALSE);
-}
-
-isc_result_t
-dns_zt_load(dns_zt_t *zt, isc_boolean_t stop) {
- isc_result_t result;
-
- REQUIRE(VALID_ZT(zt));
-
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
- result = dns_zt_apply(zt, stop, load, NULL);
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
- return (result);
-}
-
-static isc_result_t
-load(dns_zone_t *zone, void *uap) {
- isc_result_t result;
- UNUSED(uap);
- result = dns_zone_load(zone);
- if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE)
- result = ISC_R_SUCCESS;
- return (result);
-}
-
-isc_result_t
-dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop) {
- isc_result_t result;
-
- REQUIRE(VALID_ZT(zt));
-
- RWLOCK(&zt->rwlock, isc_rwlocktype_read);
- result = dns_zt_apply(zt, stop, loadnew, NULL);
- RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
- return (result);
-}
-
-static isc_result_t
-loadnew(dns_zone_t *zone, void *uap) {
- isc_result_t result;
- UNUSED(uap);
- result = dns_zone_loadnew(zone);
- if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE ||
- result == DNS_R_DYNAMIC)
- result = ISC_R_SUCCESS;
- return (result);
-}
-
-isc_result_t
-dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
- isc_result_t (*action)(dns_zone_t *, void *), void *uap)
-{
- dns_rbtnode_t *node;
- dns_rbtnodechain_t chain;
- isc_result_t result;
- dns_zone_t *zone;
-
- REQUIRE(VALID_ZT(zt));
- REQUIRE(action != NULL);
-
- dns_rbtnodechain_init(&chain, zt->mctx);
- result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
- if (result == ISC_R_NOTFOUND) {
- /*
- * The tree is empty.
- */
- result = ISC_R_NOMORE;
- }
- while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
- result = dns_rbtnodechain_current(&chain, NULL, NULL,
- &node);
- if (result == ISC_R_SUCCESS) {
- zone = node->data;
- if (zone != NULL)
- result = (action)(zone, uap);
- if (result != ISC_R_SUCCESS && stop)
- goto cleanup; /* don't break */
- }
- result = dns_rbtnodechain_next(&chain, NULL, NULL);
- }
- if (result == ISC_R_NOMORE)
- result = ISC_R_SUCCESS;
-
- cleanup:
- dns_rbtnodechain_invalidate(&chain);
-
- return (result);
-}
-
-/***
- *** Private
- ***/
-
-static void
-auto_detach(void *data, void *arg) {
- dns_zone_t *zone = data;
-
- UNUSED(arg);
-
- dns_zone_detach(&zone);
-}
diff --git a/contrib/bind9/lib/isc/Makefile.in b/contrib/bind9/lib/isc/Makefile.in
deleted file mode 100644
index 7e53510c507d..000000000000
--- a/contrib/bind9/lib/isc/Makefile.in
+++ /dev/null
@@ -1,111 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.71.2.2.2.8 2004/07/20 07:01:58 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBISC_API@
-
-CINCLUDES = -I${srcdir}/unix/include \
- -I${srcdir}/@ISC_THREAD_DIR@/include \
- -I./include \
- -I${srcdir}/include
-CDEFINES =
-CWARNINGS =
-
-# Alphabetically
-UNIXOBJS = @ISC_ISCIPV6_O@ \
- unix/app.@O@ unix/dir.@O@ unix/entropy.@O@ \
- unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \
- unix/interfaceiter.@O@ unix/keyboard.@O@ unix/net.@O@ \
- unix/os.@O@ unix/resource.@O@ unix/socket.@O@ unix/stdio.@O@ \
- unix/stdtime.@O@ unix/strerror.@O@ unix/syslog.@O@ unix/time.@O@
-
-
-NLSOBJS = nls/msgcat.@O@
-
-THREADOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@ \
- @ISC_THREAD_DIR@/thread.@O@
-
-WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
- win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
- win32/thread.@O@ win32/time.@O@
-
-# Alphabetically
-OBJS = @ISC_EXTRA_OBJS@ \
- assertions.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
- bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
- hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ \
- lex.@O@ lfsr.@O@ lib.@O@ log.@O@ md5.@O@ \
- mem.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ ondestroy.@O@ \
- parseint.@O@ quota.@O@ random.@O@ \
- ratelimiter.@O@ region.@O@ result.@O@ rwlock.@O@ \
- serial.@O@ sha1.@O@ sockaddr.@O@ string.@O@ strtoul.@O@ \
- symtab.@O@ task.@O@ taskpool.@O@ timer.@O@ version.@O@ \
- ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
-
-# Alphabetically
-SRCS = @ISC_EXTRA_SRCS@ \
- assertions.c base64.c bitstring.c buffer.c \
- bufferlist.c commandline.c error.c event.c \
- heap.c hex.c hmacmd5.c \
- lex.c lfsr.c lib.c log.c \
- md5.c mem.c mutexblock.c netaddr.c netscope.c ondestroy.c \
- parseint.c quota.c random.c \
- ratelimiter.c result.c rwlock.c \
- serial.c sha1.c sockaddr.c string.c strtoul.c symtab.c \
- task.c taskpool.c timer.c version.c
-
-LIBS = @LIBS@
-
-SUBDIRS = include unix nls @ISC_THREAD_DIR@
-TARGETS = timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DLIBINTERFACE=${LIBINTERFACE} \
- -DLIBREVISION=${LIBREVISION} \
- -DLIBAGE=${LIBAGE} \
- -c ${srcdir}/version.c
-
-libisc.@SA@: ${OBJS}
- ${AR} ${ARFLAGS} $@ ${OBJS}
- ${RANLIB} $@
-
-libisc.la: ${OBJS}
- ${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
- -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${LIBS}
-
-timestamp: libisc.@A@
- touch timestamp
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
- rm -f libisc.@A@ libisc.la timestamp
diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api
deleted file mode 100644
index ddeff334f036..000000000000
--- a/contrib/bind9/lib/isc/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 11
-LIBREVISION = 1
-LIBAGE = 0
diff --git a/contrib/bind9/lib/isc/assertions.c b/contrib/bind9/lib/isc/assertions.c
deleted file mode 100644
index 94c6732fd8bd..000000000000
--- a/contrib/bind9/lib/isc/assertions.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: assertions.c,v 1.16.206.1 2004/03/06 08:14:27 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/msgs.h>
-
-/*
- * Forward.
- */
-
-static void
-default_callback(const char *, int, isc_assertiontype_t, const char *);
-
-/*
- * Public.
- */
-
-LIBISC_EXTERNAL_DATA isc_assertioncallback_t isc_assertion_failed =
- default_callback;
-
-void
-isc_assertion_setcallback(isc_assertioncallback_t cb) {
- if (cb == NULL)
- isc_assertion_failed = default_callback;
- else
- isc_assertion_failed = cb;
-}
-
-const char *
-isc_assertion_typetotext(isc_assertiontype_t type) {
- const char *result;
-
- /*
- * These strings have purposefully not been internationalized
- * because they are considered to essentially be keywords of
- * the ISC development environment.
- */
- switch (type) {
- case isc_assertiontype_require:
- result = "REQUIRE";
- break;
- case isc_assertiontype_ensure:
- result = "ENSURE";
- break;
- case isc_assertiontype_insist:
- result = "INSIST";
- break;
- case isc_assertiontype_invariant:
- result = "INVARIANT";
- break;
- default:
- result = NULL;
- }
- return (result);
-}
-
-/*
- * Private.
- */
-
-static void
-default_callback(const char *file, int line, isc_assertiontype_t type,
- const char *cond)
-{
- fprintf(stderr, "%s:%d: %s(%s) %s.\n",
- file, line, isc_assertion_typetotext(type), cond,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- fflush(stderr);
- abort();
- /* NOTREACHED */
-}
diff --git a/contrib/bind9/lib/isc/base64.c b/contrib/bind9/lib/isc/base64.c
deleted file mode 100644
index 445f8f56337b..000000000000
--- a/contrib/bind9/lib/isc/base64.c
+++ /dev/null
@@ -1,246 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.c,v 1.23.2.2.2.3 2004/03/06 08:14:27 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/lex.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#define RETERR(x) do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-
-/*
- * These static functions are also present in lib/dns/rdata.c. I'm not
- * sure where they should go. -- bwelling
- */
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target);
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
-
-static const char base64[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
-
-isc_result_t
-isc_base64_totext(isc_region_t *source, int wordlength,
- const char *wordbreak, isc_buffer_t *target)
-{
- char buf[5];
- unsigned int loops = 0;
-
- if (wordlength < 4)
- wordlength = 4;
-
- memset(buf, 0, sizeof(buf));
- while (source->length > 2) {
- buf[0] = base64[(source->base[0]>>2)&0x3f];
- buf[1] = base64[((source->base[0]<<4)&0x30)|
- ((source->base[1]>>4)&0x0f)];
- buf[2] = base64[((source->base[1]<<2)&0x3c)|
- ((source->base[2]>>6)&0x03)];
- buf[3] = base64[source->base[2]&0x3f];
- RETERR(str_totext(buf, target));
- isc_region_consume(source, 3);
-
- loops++;
- if (source->length != 0 &&
- (int)((loops + 1) * 4) >= wordlength)
- {
- loops = 0;
- RETERR(str_totext(wordbreak, target));
- }
- }
- if (source->length == 2) {
- buf[0] = base64[(source->base[0]>>2)&0x3f];
- buf[1] = base64[((source->base[0]<<4)&0x30)|
- ((source->base[1]>>4)&0x0f)];
- buf[2] = base64[((source->base[1]<<2)&0x3c)];
- buf[3] = '=';
- RETERR(str_totext(buf, target));
- } else if (source->length == 1) {
- buf[0] = base64[(source->base[0]>>2)&0x3f];
- buf[1] = base64[((source->base[0]<<4)&0x30)];
- buf[2] = buf[3] = '=';
- RETERR(str_totext(buf, target));
- }
- return (ISC_R_SUCCESS);
-}
-
-/*
- * State of a base64 decoding process in progress.
- */
-typedef struct {
- int length; /* Desired length of binary data or -1 */
- isc_buffer_t *target; /* Buffer for resulting binary data */
- int digits; /* Number of buffered base64 digits */
- isc_boolean_t seen_end; /* True if "=" end marker seen */
- int val[4];
-} base64_decode_ctx_t;
-
-static inline void
-base64_decode_init(base64_decode_ctx_t *ctx, int length, isc_buffer_t *target)
-{
- ctx->digits = 0;
- ctx->seen_end = ISC_FALSE;
- ctx->length = length;
- ctx->target = target;
-}
-
-static inline isc_result_t
-base64_decode_char(base64_decode_ctx_t *ctx, int c) {
- char *s;
-
- if (ctx->seen_end)
- return (ISC_R_BADBASE64);
- if ((s = strchr(base64, c)) == NULL)
- return (ISC_R_BADBASE64);
- ctx->val[ctx->digits++] = s - base64;
- if (ctx->digits == 4) {
- int n;
- unsigned char buf[3];
- if (ctx->val[0] == 64 || ctx->val[1] == 64)
- return (ISC_R_BADBASE64);
- if (ctx->val[2] == 64 && ctx->val[3] != 64)
- return (ISC_R_BADBASE64);
- /*
- * Check that bits that should be zero are.
- */
- if (ctx->val[2] == 64 && (ctx->val[1] & 0xf) != 0)
- return (ISC_R_BADBASE64);
- /*
- * We don't need to test for ctx->val[2] != 64 as
- * the bottom two bits of 64 are zero.
- */
- if (ctx->val[3] == 64 && (ctx->val[2] & 0x3) != 0)
- return (ISC_R_BADBASE64);
- n = (ctx->val[2] == 64) ? 1 :
- (ctx->val[3] == 64) ? 2 : 3;
- if (n != 3) {
- ctx->seen_end = ISC_TRUE;
- if (ctx->val[2] == 64)
- ctx->val[2] = 0;
- if (ctx->val[3] == 64)
- ctx->val[3] = 0;
- }
- buf[0] = (ctx->val[0]<<2)|(ctx->val[1]>>4);
- buf[1] = (ctx->val[1]<<4)|(ctx->val[2]>>2);
- buf[2] = (ctx->val[2]<<6)|(ctx->val[3]);
- RETERR(mem_tobuffer(ctx->target, buf, n));
- if (ctx->length >= 0) {
- if (n > ctx->length)
- return (ISC_R_BADBASE64);
- else
- ctx->length -= n;
- }
- ctx->digits = 0;
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-base64_decode_finish(base64_decode_ctx_t *ctx) {
- if (ctx->length > 0)
- return (ISC_R_UNEXPECTEDEND);
- if (ctx->digits != 0)
- return (ISC_R_BADBASE64);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
- base64_decode_ctx_t ctx;
- isc_textregion_t *tr;
- isc_token_t token;
- isc_boolean_t eol;
-
- base64_decode_init(&ctx, length, target);
-
- while (!ctx.seen_end && (ctx.length != 0)) {
- unsigned int i;
-
- if (length > 0)
- eol = ISC_FALSE;
- else
- eol = ISC_TRUE;
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string, eol));
- if (token.type != isc_tokentype_string)
- break;
- tr = &token.value.as_textregion;
- for (i = 0; i < tr->length; i++)
- RETERR(base64_decode_char(&ctx, tr->base[i]));
- }
- if (ctx.length < 0 && !ctx.seen_end)
- isc_lex_ungettoken(lexer, &token);
- RETERR(base64_decode_finish(&ctx));
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_base64_decodestring(const char *cstr, isc_buffer_t *target) {
- base64_decode_ctx_t ctx;
-
- base64_decode_init(&ctx, -1, target);
- for (;;) {
- int c = *cstr++;
- if (c == '\0')
- break;
- if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
- continue;
- RETERR(base64_decode_char(&ctx, c));
- }
- RETERR(base64_decode_finish(&ctx));
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
- unsigned int l;
- isc_region_t region;
-
- isc_buffer_availableregion(target, &region);
- l = strlen(source);
-
- if (l > region.length)
- return (ISC_R_NOSPACE);
-
- memcpy(region.base, source, l);
- isc_buffer_add(target, l);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
- isc_region_t tr;
-
- isc_buffer_availableregion(target, &tr);
- if (length > tr.length)
- return (ISC_R_NOSPACE);
- memcpy(tr.base, base, length);
- isc_buffer_add(target, length);
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/bitstring.c b/contrib/bind9/lib/isc/bitstring.c
deleted file mode 100644
index e77ed39ba23c..000000000000
--- a/contrib/bind9/lib/isc/bitstring.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bitstring.c,v 1.12.206.1 2004/03/06 08:14:27 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/magic.h>
-#include <isc/bitstring.h>
-#include <isc/util.h>
-
-#define DIV8(x) ((x) >> 3)
-#define MOD8(x) ((x) & 0x00000007U)
-#define OCTETS(n) (((n) + 7) >> 3)
-#define PADDED(n) ((((n) + 7) >> 3) << 3)
-#define BITSET(bs, n) (((bs)->data[DIV8(n)] & \
- (1 << (7 - MOD8(n)))) != 0)
-#define SETBIT(bs, n) (bs)->data[DIV8(n)] |= (1 << (7 - MOD8(n)))
-#define CLEARBIT(bs, n) (bs)->data[DIV8(n)] &= ~(1 << (7 - MOD8(n)))
-
-#define BITSTRING_MAGIC ISC_MAGIC('B', 'S', 't', 'r')
-#define VALID_BITSTRING(b) ISC_MAGIC_VALID(b, BITSTRING_MAGIC)
-
-void
-isc_bitstring_init(isc_bitstring_t *bitstring, unsigned char *data,
- unsigned int length, unsigned int size, isc_boolean_t lsb0)
-{
- /*
- * Make 'bitstring' refer to the bitstring of 'size' bits starting
- * at 'data'. 'length' bits of the bitstring are valid. If 'lsb0'
- * is set then, bit 0 refers to the least significant bit of the
- * bitstring. Otherwise bit 0 is the most significant bit.
- */
-
- REQUIRE(bitstring != NULL);
- REQUIRE(data != NULL);
- REQUIRE(length <= size);
-
- bitstring->magic = BITSTRING_MAGIC;
- bitstring->data = data;
- bitstring->length = length;
- bitstring->size = size;
- bitstring->lsb0 = lsb0;
-}
-
-void
-isc_bitstring_invalidate(isc_bitstring_t *bitstring) {
-
- /*
- * Invalidate 'bitstring'.
- */
-
- REQUIRE(VALID_BITSTRING(bitstring));
-
- bitstring->magic = 0;
- bitstring->data = NULL;
- bitstring->length = 0;
- bitstring->size = 0;
- bitstring->lsb0 = ISC_FALSE;
-}
-
-void
-isc_bitstring_copy(isc_bitstring_t *source, unsigned int sbitpos,
- isc_bitstring_t *target, unsigned int tbitpos,
- unsigned int n)
-{
- unsigned int tlast;
-
- /*
- * Starting at bit 'sbitpos', copy 'n' bits from 'source' to
- * the 'n' bits of 'target' starting at 'tbitpos'.
- */
-
- REQUIRE(VALID_BITSTRING(source));
- REQUIRE(VALID_BITSTRING(target));
- REQUIRE(source->lsb0 == target->lsb0);
- if (source->lsb0) {
- REQUIRE(sbitpos <= source->length);
- sbitpos = PADDED(source->size) - sbitpos;
- REQUIRE(sbitpos >= n);
- sbitpos -= n;
- } else
- REQUIRE(sbitpos + n <= source->length);
- tlast = tbitpos + n;
- if (target->lsb0) {
- REQUIRE(tbitpos <= target->length);
- tbitpos = PADDED(target->size) - tbitpos;
- REQUIRE(tbitpos >= n);
- tbitpos -= n;
- } else
- REQUIRE(tlast <= target->size);
-
- if (tlast > target->length)
- target->length = tlast;
-
- /*
- * This is far from optimal...
- */
-
- while (n > 0) {
- if (BITSET(source, sbitpos))
- SETBIT(target, tbitpos);
- else
- CLEARBIT(target, tbitpos);
- sbitpos++;
- tbitpos++;
- n--;
- }
-}
diff --git a/contrib/bind9/lib/isc/buffer.c b/contrib/bind9/lib/isc/buffer.c
deleted file mode 100644
index 30ce529e500a..000000000000
--- a/contrib/bind9/lib/isc/buffer.c
+++ /dev/null
@@ -1,411 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: buffer.c,v 1.36.12.2 2004/03/08 09:04:48 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/mem.h>
-#include <isc/region.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-void
-isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length) {
- /*
- * Make 'b' refer to the 'length'-byte region starting at 'base'.
- * XXXDCL see the comment in buffer.h about base being const.
- */
-
- REQUIRE(b != NULL);
-
- ISC__BUFFER_INIT(b, base, length);
-}
-
-void
-isc__buffer_invalidate(isc_buffer_t *b) {
- /*
- * Make 'b' an invalid buffer.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(!ISC_LINK_LINKED(b, link));
- REQUIRE(b->mctx == NULL);
-
- ISC__BUFFER_INVALIDATE(b);
-}
-
-void
-isc__buffer_region(isc_buffer_t *b, isc_region_t *r) {
- /*
- * Make 'r' refer to the region of 'b'.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(r != NULL);
-
- ISC__BUFFER_REGION(b, r);
-}
-
-void
-isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r) {
- /*
- * Make 'r' refer to the used region of 'b'.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(r != NULL);
-
- ISC__BUFFER_USEDREGION(b, r);
-}
-
-void
-isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r) {
- /*
- * Make 'r' refer to the available region of 'b'.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(r != NULL);
-
- ISC__BUFFER_AVAILABLEREGION(b, r);
-}
-
-void
-isc__buffer_add(isc_buffer_t *b, unsigned int n) {
- /*
- * Increase the 'used' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used + n <= b->length);
-
- ISC__BUFFER_ADD(b, n);
-}
-
-void
-isc__buffer_subtract(isc_buffer_t *b, unsigned int n) {
- /*
- * Decrease the 'used' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used >= n);
-
- ISC__BUFFER_SUBTRACT(b, n);
-}
-
-void
-isc__buffer_clear(isc_buffer_t *b) {
- /*
- * Make the used region empty.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
-
- ISC__BUFFER_CLEAR(b);
-}
-
-void
-isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r) {
- /*
- * Make 'r' refer to the consumed region of 'b'.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(r != NULL);
-
- ISC__BUFFER_CONSUMEDREGION(b, r);
-}
-
-void
-isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r) {
- /*
- * Make 'r' refer to the remaining region of 'b'.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(r != NULL);
-
- ISC__BUFFER_REMAININGREGION(b, r);
-}
-
-void
-isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r) {
- /*
- * Make 'r' refer to the active region of 'b'.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(r != NULL);
-
- ISC__BUFFER_ACTIVEREGION(b, r);
-}
-
-void
-isc__buffer_setactive(isc_buffer_t *b, unsigned int n) {
- /*
- * Sets the end of the active region 'n' bytes after current.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->current + n <= b->used);
-
- ISC__BUFFER_SETACTIVE(b, n);
-}
-
-void
-isc__buffer_first(isc_buffer_t *b) {
- /*
- * Make the consumed region empty.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
-
- ISC__BUFFER_FIRST(b);
-}
-
-void
-isc__buffer_forward(isc_buffer_t *b, unsigned int n) {
- /*
- * Increase the 'consumed' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->current + n <= b->used);
-
- ISC__BUFFER_FORWARD(b, n);
-}
-
-void
-isc__buffer_back(isc_buffer_t *b, unsigned int n) {
- /*
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(n <= b->current);
-
- ISC__BUFFER_BACK(b, n);
-}
-
-void
-isc_buffer_compact(isc_buffer_t *b) {
- unsigned int length;
- void *src;
-
- /*
- * Compact the used region by moving the remaining region so it occurs
- * at the start of the buffer. The used region is shrunk by the size
- * of the consumed region, and the consumed region is then made empty.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
-
- src = isc_buffer_current(b);
- length = isc_buffer_remaininglength(b);
- (void)memmove(b->base, src, (size_t)length);
-
- if (b->active > b->current)
- b->active -= b->current;
- else
- b->active = 0;
- b->current = 0;
- b->used = length;
-}
-
-isc_uint8_t
-isc_buffer_getuint8(isc_buffer_t *b) {
- unsigned char *cp;
- isc_uint8_t result;
-
- /*
- * Read an unsigned 8-bit integer from 'b' and return it.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 1);
-
- cp = isc_buffer_current(b);
- b->current += 1;
- result = ((isc_uint8_t)(cp[0]));
-
- return (result);
-}
-
-void
-isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val) {
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used + 1 <= b->length);
-
- ISC__BUFFER_PUTUINT8(b, val);
-}
-
-isc_uint16_t
-isc_buffer_getuint16(isc_buffer_t *b) {
- unsigned char *cp;
- isc_uint16_t result;
-
- /*
- * Read an unsigned 16-bit integer in network byte order from 'b',
- * convert it to host byte order, and return it.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 2);
-
- cp = isc_buffer_current(b);
- b->current += 2;
- result = ((unsigned int)(cp[0])) << 8;
- result |= ((unsigned int)(cp[1]));
-
- return (result);
-}
-
-void
-isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val) {
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used + 2 <= b->length);
-
- ISC__BUFFER_PUTUINT16(b, val);
-}
-
-isc_uint32_t
-isc_buffer_getuint32(isc_buffer_t *b) {
- unsigned char *cp;
- isc_uint32_t result;
-
- /*
- * Read an unsigned 32-bit integer in network byte order from 'b',
- * convert it to host byte order, and return it.
- */
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 4);
-
- cp = isc_buffer_current(b);
- b->current += 4;
- result = ((unsigned int)(cp[0])) << 24;
- result |= ((unsigned int)(cp[1])) << 16;
- result |= ((unsigned int)(cp[2])) << 8;
- result |= ((unsigned int)(cp[3]));
-
- return (result);
-}
-
-void
-isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val) {
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used + 4 <= b->length);
-
- ISC__BUFFER_PUTUINT32(b, val);
-}
-
-void
-isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
- unsigned int length)
-{
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(b->used + length <= b->length);
-
- ISC__BUFFER_PUTMEM(b, base, length);
-}
-
-void
-isc__buffer_putstr(isc_buffer_t *b, const char *source) {
- unsigned int l;
- unsigned char *cp;
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(source != NULL);
-
- /*
- * Do not use ISC__BUFFER_PUTSTR(), so strlen is only done once.
- */
- l = strlen(source);
-
- REQUIRE(l <= isc_buffer_availablelength(b));
-
- cp = isc_buffer_used(b);
- memcpy(cp, source, l);
- b->used += l;
-}
-
-isc_result_t
-isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r) {
- unsigned char *base;
- unsigned int available;
-
- REQUIRE(ISC_BUFFER_VALID(b));
- REQUIRE(r != NULL);
-
- /*
- * XXXDCL
- */
- base = isc_buffer_used(b);
- available = isc_buffer_availablelength(b);
- if (r->length > available)
- return (ISC_R_NOSPACE);
- memcpy(base, r->base, r->length);
- b->used += r->length;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
- unsigned int length)
-{
- isc_buffer_t *dbuf;
-
- REQUIRE(dynbuffer != NULL);
- REQUIRE(*dynbuffer == NULL);
-
- dbuf = isc_mem_get(mctx, length + sizeof(isc_buffer_t));
- if (dbuf == NULL)
- return (ISC_R_NOMEMORY);
-
- isc_buffer_init(dbuf, ((unsigned char *)dbuf) + sizeof(isc_buffer_t),
- length);
- dbuf->mctx = mctx;
-
- *dynbuffer = dbuf;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_buffer_free(isc_buffer_t **dynbuffer) {
- unsigned int real_length;
- isc_buffer_t *dbuf;
- isc_mem_t *mctx;
-
- REQUIRE(dynbuffer != NULL);
- REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
- REQUIRE((*dynbuffer)->mctx != NULL);
-
- dbuf = *dynbuffer;
- *dynbuffer = NULL; /* destroy external reference */
-
- real_length = dbuf->length + sizeof(isc_buffer_t);
- mctx = dbuf->mctx;
- dbuf->mctx = NULL;
- isc_buffer_invalidate(dbuf);
-
- isc_mem_put(mctx, dbuf, real_length);
-}
diff --git a/contrib/bind9/lib/isc/bufferlist.c b/contrib/bind9/lib/isc/bufferlist.c
deleted file mode 100644
index 6d64a3f6109d..000000000000
--- a/contrib/bind9/lib/isc/bufferlist.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bufferlist.c,v 1.12.206.1 2004/03/06 08:14:28 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
-#include <isc/util.h>
-
-unsigned int
-isc_bufferlist_usedcount(isc_bufferlist_t *bl) {
- isc_buffer_t *buffer;
- unsigned int length;
-
- REQUIRE(bl != NULL);
-
- length = 0;
- buffer = ISC_LIST_HEAD(*bl);
- while (buffer != NULL) {
- REQUIRE(ISC_BUFFER_VALID(buffer));
- length += isc_buffer_usedlength(buffer);
- buffer = ISC_LIST_NEXT(buffer, link);
- }
-
- return (length);
-}
-
-unsigned int
-isc_bufferlist_availablecount(isc_bufferlist_t *bl) {
- isc_buffer_t *buffer;
- unsigned int length;
-
- REQUIRE(bl != NULL);
-
- length = 0;
- buffer = ISC_LIST_HEAD(*bl);
- while (buffer != NULL) {
- REQUIRE(ISC_BUFFER_VALID(buffer));
- length += isc_buffer_availablelength(buffer);
- buffer = ISC_LIST_NEXT(buffer, link);
- }
-
- return (length);
-}
diff --git a/contrib/bind9/lib/isc/commandline.c b/contrib/bind9/lib/isc/commandline.c
deleted file mode 100644
index 4c8af7f0ec01..000000000000
--- a/contrib/bind9/lib/isc/commandline.c
+++ /dev/null
@@ -1,222 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1987, 1993, 1994
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: commandline.c,v 1.15.206.1 2004/03/06 08:14:28 marka Exp $ */
-
-/*
- * This file was adapted from the NetBSD project's source tree, RCS ID:
- * NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
- *
- * The primary change has been to rename items to the ISC namespace
- * and format in the ISC coding style.
- */
-
-/*
- * Principal Authors: Computer Systems Research Group at UC Berkeley
- * Principal ISC caretaker: DCL
- */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <isc/commandline.h>
-#include <isc/msgs.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-/* Index into parent argv vector. */
-LIBISC_EXTERNAL_DATA int isc_commandline_index = 1;
-/* Character checked for validity. */
-LIBISC_EXTERNAL_DATA int isc_commandline_option;
-/* Argument associated with option. */
-LIBISC_EXTERNAL_DATA char *isc_commandline_argument;
-/* For printing error messages. */
-LIBISC_EXTERNAL_DATA char *isc_commandline_progname;
-/* Print error messages. */
-LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_errprint = ISC_TRUE;
-/* Reset processing. */
-LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_reset = ISC_TRUE;
-
-static char endopt = '\0';
-
-#define BADOPT '?'
-#define BADARG ':'
-#define ENDOPT &endopt
-
-/*
- * getopt --
- * Parse argc/argv argument vector.
- */
-int
-isc_commandline_parse(int argc, char * const *argv, const char *options) {
- static char *place = ENDOPT;
- char *option; /* Index into *options of option. */
-
- REQUIRE(argc >= 0 && argv != NULL && options != NULL);
-
- /*
- * Update scanning pointer, either because a reset was requested or
- * the previous argv was finished.
- */
- if (isc_commandline_reset || *place == '\0') {
- isc_commandline_reset = ISC_FALSE;
-
- if (isc_commandline_progname == NULL)
- isc_commandline_progname = argv[0];
-
- if (isc_commandline_index >= argc ||
- *(place = argv[isc_commandline_index]) != '-') {
- /*
- * Index out of range or points to non-option.
- */
- place = ENDOPT;
- return (-1);
- }
-
- if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
- /*
- * Found '--' to signal end of options. Advance
- * index to next argv, the first non-option.
- */
- isc_commandline_index++;
- place = ENDOPT;
- return (-1);
- }
- }
-
- isc_commandline_option = *place++;
- option = strchr(options, isc_commandline_option);
-
- /*
- * Ensure valid option has been passed as specified by options string.
- * '-:' is never a valid command line option because it could not
- * distinguish ':' from the argument specifier in the options string.
- */
- if (isc_commandline_option == ':' || option == NULL) {
- if (*place == '\0')
- isc_commandline_index++;
-
- if (isc_commandline_errprint && *options != ':')
- fprintf(stderr, "%s: %s -- %c\n",
- isc_commandline_progname,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_COMMANDLINE,
- ISC_MSG_ILLEGALOPT,
- "illegal option"),
- isc_commandline_option);
-
- return (BADOPT);
- }
-
- if (*++option != ':') {
- /*
- * Option does not take an argument.
- */
- isc_commandline_argument = NULL;
-
- /*
- * Skip to next argv if at the end of the current argv.
- */
- if (*place == '\0')
- ++isc_commandline_index;
-
- } else {
- /*
- * Option needs an argument.
- */
- if (*place != '\0')
- /*
- * Option is in this argv, -D1 style.
- */
- isc_commandline_argument = place;
-
- else if (argc > ++isc_commandline_index)
- /*
- * Option is next argv, -D 1 style.
- */
- isc_commandline_argument = argv[isc_commandline_index];
-
- else {
- /*
- * Argument needed, but no more argv.
- */
- place = ENDOPT;
-
- /*
- * Silent failure with "missing argument" return
- * when ':' starts options string, per historical spec.
- */
- if (*options == ':')
- return (BADARG);
-
- if (isc_commandline_errprint)
- fprintf(stderr, "%s: %s -- %c\n",
- isc_commandline_progname,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_COMMANDLINE,
- ISC_MSG_OPTNEEDARG,
- "option requires "
- "an argument"),
- isc_commandline_option);
-
- return (BADOPT);
- }
-
- place = ENDOPT;
-
- /*
- * Point to argv that follows argument.
- */
- isc_commandline_index++;
- }
-
- return (isc_commandline_option);
-}
diff --git a/contrib/bind9/lib/isc/entropy.c b/contrib/bind9/lib/isc/entropy.c
deleted file mode 100644
index 8834eefd17a6..000000000000
--- a/contrib/bind9/lib/isc/entropy.c
+++ /dev/null
@@ -1,1256 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: entropy.c,v 1.3.2.2.2.7 2004/03/08 09:04:48 marka Exp $ */
-
-/*
- * This is the system independent part of the entropy module. It is
- * compiled via inclusion from the relevant OS source file, ie,
- * unix/entropy.c or win32/entropy.c.
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-
-#include <isc/buffer.h>
-#include <isc/entropy.h>
-#include <isc/keyboard.h>
-#include <isc/list.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/platform.h>
-#include <isc/region.h>
-#include <isc/sha1.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-/*
- * Much of this code is modeled after the NetBSD /dev/random implementation,
- * written by Michael Graff <explorer@netbsd.org>.
- */
-
-#define ENTROPY_MAGIC ISC_MAGIC('E', 'n', 't', 'e')
-#define SOURCE_MAGIC ISC_MAGIC('E', 'n', 't', 's')
-
-#define VALID_ENTROPY(e) ISC_MAGIC_VALID(e, ENTROPY_MAGIC)
-#define VALID_SOURCE(s) ISC_MAGIC_VALID(s, SOURCE_MAGIC)
-
-/***
- *** "constants." Do not change these unless you _really_ know what
- *** you are doing.
- ***/
-
-/*
- * size of entropy pool in 32-bit words. This _MUST_ be a power of 2.
- */
-#define RND_POOLWORDS 128
-#define RND_POOLBYTES (RND_POOLWORDS * 4)
-#define RND_POOLBITS (RND_POOLWORDS * 32)
-
-/*
- * Number of bytes returned per hash. This must be true:
- * threshold * 2 <= digest_size_in_bytes
- */
-#define RND_ENTROPY_THRESHOLD 10
-#define THRESHOLD_BITS (RND_ENTROPY_THRESHOLD * 8)
-
-/*
- * Size of the input event queue in samples.
- */
-#define RND_EVENTQSIZE 32
-
-/*
- * The number of times we'll "reseed" for pseudorandom seeds. This is an
- * extremely weak pseudorandom seed. If the caller is using lots of
- * pseudorandom data and they cannot provide a stronger random source,
- * there is little we can do other than hope they're smart enough to
- * call _adddata() with something better than we can come up with.
- */
-#define RND_INITIALIZE 128
-
-typedef struct {
- isc_uint32_t cursor; /* current add point in the pool */
- isc_uint32_t entropy; /* current entropy estimate in bits */
- isc_uint32_t pseudo; /* bits extracted in pseudorandom */
- isc_uint32_t rotate; /* how many bits to rotate by */
- isc_uint32_t pool[RND_POOLWORDS]; /* random pool data */
-} isc_entropypool_t;
-
-struct isc_entropy {
- unsigned int magic;
- isc_mem_t *mctx;
- isc_mutex_t lock;
- unsigned int refcnt;
- isc_uint32_t initialized;
- isc_uint32_t initcount;
- isc_entropypool_t pool;
- unsigned int nsources;
- isc_entropysource_t *nextsource;
- ISC_LIST(isc_entropysource_t) sources;
-};
-
-typedef struct {
- isc_uint32_t last_time; /* last time recorded */
- isc_uint32_t last_delta; /* last delta value */
- isc_uint32_t last_delta2; /* last delta2 value */
- isc_uint32_t nsamples; /* number of samples filled in */
- isc_uint32_t *samples; /* the samples */
- isc_uint32_t *extra; /* extra samples added in */
-} sample_queue_t;
-
-typedef struct {
- sample_queue_t samplequeue;
-} isc_entropysamplesource_t;
-
-typedef struct {
- isc_boolean_t start_called;
- isc_entropystart_t startfunc;
- isc_entropyget_t getfunc;
- isc_entropystop_t stopfunc;
- void *arg;
- sample_queue_t samplequeue;
-} isc_cbsource_t;
-
-typedef struct {
- FILESOURCE_HANDLE_TYPE handle;
-} isc_entropyfilesource_t;
-
-struct isc_entropysource {
- unsigned int magic;
- unsigned int type;
- isc_entropy_t *ent;
- isc_uint32_t total; /* entropy from this source */
- ISC_LINK(isc_entropysource_t) link;
- char name[32];
- isc_boolean_t bad;
- isc_boolean_t warn_keyboard;
- isc_keyboard_t kbd;
- union {
- isc_entropysamplesource_t sample;
- isc_entropyfilesource_t file;
- isc_cbsource_t callback;
- isc_entropyusocketsource_t usocket;
- } sources;
-};
-
-#define ENTROPY_SOURCETYPE_SAMPLE 1 /* Type is a sample source */
-#define ENTROPY_SOURCETYPE_FILE 2 /* Type is a file source */
-#define ENTROPY_SOURCETYPE_CALLBACK 3 /* Type is a callback source */
-#define ENTROPY_SOURCETYPE_USOCKET 4 /* Type is a Unix socket source */
-
-/*
- * The random pool "taps"
- */
-#define TAP1 99
-#define TAP2 59
-#define TAP3 31
-#define TAP4 9
-#define TAP5 7
-
-/*
- * Declarations for function provided by the system dependent sources that
- * include this file.
- */
-static void
-fillpool(isc_entropy_t *, unsigned int, isc_boolean_t);
-
-static int
-wait_for_sources(isc_entropy_t *);
-
-static void
-destroyfilesource(isc_entropyfilesource_t *source);
-
-static void
-destroyusocketsource(isc_entropyusocketsource_t *source);
-
-
-static void
-samplequeue_release(isc_entropy_t *ent, sample_queue_t *sq) {
- REQUIRE(sq->samples != NULL);
- REQUIRE(sq->extra != NULL);
-
- isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
- isc_mem_put(ent->mctx, sq->extra, RND_EVENTQSIZE * 4);
- sq->samples = NULL;
- sq->extra = NULL;
-}
-
-static isc_result_t
-samplesource_allocate(isc_entropy_t *ent, sample_queue_t *sq) {
- sq->samples = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
- if (sq->samples == NULL)
- return (ISC_R_NOMEMORY);
-
- sq->extra = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
- if (sq->extra == NULL) {
- isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
- sq->samples = NULL;
- return (ISC_R_NOMEMORY);
- }
-
- sq->nsamples = 0;
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Add in entropy, even when the value we're adding in could be
- * very large.
- */
-static inline void
-add_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
- /* clamp input. Yes, this must be done. */
- entropy = ISC_MIN(entropy, RND_POOLBITS);
- /* Add in the entropy we already have. */
- entropy += ent->pool.entropy;
- /* Clamp. */
- ent->pool.entropy = ISC_MIN(entropy, RND_POOLBITS);
-}
-
-/*
- * Decrement the amount of entropy the pool has.
- */
-static inline void
-subtract_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
- entropy = ISC_MIN(entropy, ent->pool.entropy);
- ent->pool.entropy -= entropy;
-}
-
-/*
- * Add in entropy, even when the value we're adding in could be
- * very large.
- */
-static inline void
-add_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
- /* clamp input. Yes, this must be done. */
- pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
- /* Add in the pseudo we already have. */
- pseudo += ent->pool.pseudo;
- /* Clamp. */
- ent->pool.pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
-}
-
-/*
- * Decrement the amount of pseudo the pool has.
- */
-static inline void
-subtract_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
- pseudo = ISC_MIN(pseudo, ent->pool.pseudo);
- ent->pool.pseudo -= pseudo;
-}
-
-/*
- * Add one word to the pool, rotating the input as needed.
- */
-static inline void
-entropypool_add_word(isc_entropypool_t *rp, isc_uint32_t val) {
- /*
- * Steal some values out of the pool, and xor them into the
- * word we were given.
- *
- * Mix the new value into the pool using xor. This will
- * prevent the actual values from being known to the caller
- * since the previous values are assumed to be unknown as well.
- */
- val ^= rp->pool[(rp->cursor + TAP1) & (RND_POOLWORDS - 1)];
- val ^= rp->pool[(rp->cursor + TAP2) & (RND_POOLWORDS - 1)];
- val ^= rp->pool[(rp->cursor + TAP3) & (RND_POOLWORDS - 1)];
- val ^= rp->pool[(rp->cursor + TAP4) & (RND_POOLWORDS - 1)];
- val ^= rp->pool[(rp->cursor + TAP5) & (RND_POOLWORDS - 1)];
- rp->pool[rp->cursor++] ^=
- ((val << rp->rotate) | (val >> (32 - rp->rotate)));
-
- /*
- * If we have looped around the pool, increment the rotate
- * variable so the next value will get xored in rotated to
- * a different position.
- * Increment by a value that is relativly prime to the word size
- * to try to spread the bits throughout the pool quickly when the
- * pool is empty.
- */
- if (rp->cursor == RND_POOLWORDS) {
- rp->cursor = 0;
- rp->rotate = (rp->rotate + 7) & 31;
- }
-}
-
-/*
- * Add a buffer's worth of data to the pool.
- *
- * Requires that the lock is held on the entropy pool.
- */
-static void
-entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
- isc_uint32_t entropy)
-{
- isc_uint32_t val;
- unsigned long addr;
- isc_uint8_t *buf;
-
- addr = (unsigned long)p;
- buf = p;
-
- if ((addr & 0x03U) != 0U) {
- val = 0;
- switch (len) {
- case 3:
- val = *buf++;
- len--;
- case 2:
- val = val << 8 | *buf++;
- len--;
- case 1:
- val = val << 8 | *buf++;
- len--;
- }
-
- entropypool_add_word(&ent->pool, val);
- }
-
- for (; len > 3; len -= 4) {
- val = *((isc_uint32_t *)buf);
-
- entropypool_add_word(&ent->pool, val);
- buf += 4;
- }
-
- if (len != 0) {
- val = 0;
- switch (len) {
- case 3:
- val = *buf++;
- case 2:
- val = val << 8 | *buf++;
- case 1:
- val = val << 8 | *buf++;
- }
-
- entropypool_add_word(&ent->pool, val);
- }
-
- add_entropy(ent, entropy);
- subtract_pseudo(ent, entropy);
-}
-
-static inline void
-reseed(isc_entropy_t *ent) {
- isc_time_t t;
- pid_t pid;
-
- if (ent->initcount == 0) {
- pid = getpid();
- entropypool_adddata(ent, &pid, sizeof(pid), 0);
- pid = getppid();
- entropypool_adddata(ent, &pid, sizeof(pid), 0);
- }
-
- /*
- * After we've reseeded 100 times, only add new timing info every
- * 50 requests. This will keep us from using lots and lots of
- * CPU just to return bad pseudorandom data anyway.
- */
- if (ent->initcount > 100)
- if ((ent->initcount % 50) != 0)
- return;
-
- TIME_NOW(&t);
- entropypool_adddata(ent, &t, sizeof(t), 0);
- ent->initcount++;
-}
-
-static inline unsigned int
-estimate_entropy(sample_queue_t *sq, isc_uint32_t t) {
- isc_int32_t delta;
- isc_int32_t delta2;
- isc_int32_t delta3;
-
- /*
- * If the time counter has overflowed, calculate the real difference.
- * If it has not, it is simpler.
- */
- if (t < sq->last_time)
- delta = UINT_MAX - sq->last_time + t;
- else
- delta = sq->last_time - t;
-
- if (delta < 0)
- delta = -delta;
-
- /*
- * Calculate the second and third order differentials
- */
- delta2 = sq->last_delta - delta;
- if (delta2 < 0)
- delta2 = -delta2;
-
- delta3 = sq->last_delta2 - delta2;
- if (delta3 < 0)
- delta3 = -delta3;
-
- sq->last_time = t;
- sq->last_delta = delta;
- sq->last_delta2 = delta2;
-
- /*
- * If any delta is 0, we got no entropy. If all are non-zero, we
- * might have something.
- */
- if (delta == 0 || delta2 == 0 || delta3 == 0)
- return 0;
-
- /*
- * We could find the smallest delta and claim we got log2(delta)
- * bits, but for now return that we found 1 bit.
- */
- return 1;
-}
-
-static unsigned int
-crunchsamples(isc_entropy_t *ent, sample_queue_t *sq) {
- unsigned int ns;
- unsigned int added;
-
- if (sq->nsamples < 6)
- return (0);
-
- added = 0;
- sq->last_time = sq->samples[0];
- sq->last_delta = 0;
- sq->last_delta2 = 0;
-
- /*
- * Prime the values by adding in the first 4 samples in. This
- * should completely initialize the delta calculations.
- */
- for (ns = 0; ns < 4; ns++)
- (void)estimate_entropy(sq, sq->samples[ns]);
-
- for (ns = 4; ns < sq->nsamples; ns++)
- added += estimate_entropy(sq, sq->samples[ns]);
-
- entropypool_adddata(ent, sq->samples, sq->nsamples * 4, added);
- entropypool_adddata(ent, sq->extra, sq->nsamples * 4, 0);
-
- /*
- * Move the last 4 samples into the first 4 positions, and start
- * adding new samples from that point.
- */
- for (ns = 0; ns < 4; ns++) {
- sq->samples[ns] = sq->samples[sq->nsamples - 4 + ns];
- sq->extra[ns] = sq->extra[sq->nsamples - 4 + ns];
- }
-
- sq->nsamples = 4;
-
- return (added);
-}
-
-static unsigned int
-get_from_callback(isc_entropysource_t *source, unsigned int desired,
- isc_boolean_t blocking)
-{
- isc_entropy_t *ent = source->ent;
- isc_cbsource_t *cbs = &source->sources.callback;
- unsigned int added;
- unsigned int got;
- isc_result_t result;
-
- if (desired == 0)
- return (0);
-
- if (source->bad)
- return (0);
-
- if (!cbs->start_called && cbs->startfunc != NULL) {
- result = cbs->startfunc(source, cbs->arg, blocking);
- if (result != ISC_R_SUCCESS)
- return (0);
- cbs->start_called = ISC_TRUE;
- }
-
- added = 0;
- result = ISC_R_SUCCESS;
- while (desired > 0 && result == ISC_R_SUCCESS) {
- result = cbs->getfunc(source, cbs->arg, blocking);
- if (result == ISC_R_QUEUEFULL) {
- got = crunchsamples(ent, &cbs->samplequeue);
- added += got;
- desired -= ISC_MIN(got, desired);
- result = ISC_R_SUCCESS;
- } else if (result != ISC_R_SUCCESS &&
- result != ISC_R_NOTBLOCKING)
- source->bad = ISC_TRUE;
-
- }
-
- return (added);
-}
-
-/*
- * Extract some number of bytes from the random pool, decreasing the
- * estimate of randomness as each byte is extracted.
- *
- * Do this by stiring the pool and returning a part of hash as randomness.
- * Note that no secrets are given away here since parts of the hash are
- * xored together before returned.
- *
- * Honor the request from the caller to only return good data, any data,
- * etc.
- */
-isc_result_t
-isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
- unsigned int *returned, unsigned int flags)
-{
- unsigned int i;
- isc_sha1_t hash;
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
- isc_uint32_t remain, deltae, count, total;
- isc_uint8_t *buf;
- isc_boolean_t goodonly, partial, blocking;
-
- REQUIRE(VALID_ENTROPY(ent));
- REQUIRE(data != NULL);
- REQUIRE(length > 0);
-
- goodonly = ISC_TF((flags & ISC_ENTROPY_GOODONLY) != 0);
- partial = ISC_TF((flags & ISC_ENTROPY_PARTIAL) != 0);
- blocking = ISC_TF((flags & ISC_ENTROPY_BLOCKING) != 0);
-
- REQUIRE(!partial || returned != NULL);
-
- LOCK(&ent->lock);
-
- remain = length;
- buf = data;
- total = 0;
- while (remain != 0) {
- count = ISC_MIN(remain, RND_ENTROPY_THRESHOLD);
-
- /*
- * If we are extracting good data only, make certain we
- * have enough data in our pool for this pass. If we don't,
- * get some, and fail if we can't, and partial returns
- * are not ok.
- */
- if (goodonly) {
- unsigned int fillcount;
-
- fillcount = ISC_MAX(remain * 8, count * 8);
-
- /*
- * If, however, we have at least THRESHOLD_BITS
- * of entropy in the pool, don't block here. It is
- * better to drain the pool once in a while and
- * then refill it than it is to constantly keep the
- * pool full.
- */
- if (ent->pool.entropy >= THRESHOLD_BITS)
- fillpool(ent, fillcount, ISC_FALSE);
- else
- fillpool(ent, fillcount, blocking);
-
- /*
- * Verify that we got enough entropy to do one
- * extraction. If we didn't, bail.
- */
- if (ent->pool.entropy < THRESHOLD_BITS) {
- if (!partial)
- goto zeroize;
- else
- goto partial_output;
- }
- } else {
- /*
- * If we've extracted half our pool size in bits
- * since the last refresh, try to refresh here.
- */
- if (ent->initialized < THRESHOLD_BITS)
- fillpool(ent, THRESHOLD_BITS, blocking);
- else
- fillpool(ent, 0, ISC_FALSE);
-
- /*
- * If we've not initialized with enough good random
- * data, seed with our crappy code.
- */
- if (ent->initialized < THRESHOLD_BITS)
- reseed(ent);
- }
-
- isc_sha1_init(&hash);
- isc_sha1_update(&hash, (void *)(ent->pool.pool),
- RND_POOLBYTES);
- isc_sha1_final(&hash, digest);
-
- /*
- * Stir the extracted data (all of it) back into the pool.
- */
- entropypool_adddata(ent, digest, ISC_SHA1_DIGESTLENGTH, 0);
-
- for (i = 0; i < count; i++)
- buf[i] = digest[i] ^ digest[i + RND_ENTROPY_THRESHOLD];
-
- buf += count;
- remain -= count;
-
- deltae = count * 8;
- deltae = ISC_MIN(deltae, ent->pool.entropy);
- total += deltae;
- subtract_entropy(ent, deltae);
- add_pseudo(ent, count * 8);
- }
-
- partial_output:
- memset(digest, 0, sizeof(digest));
-
- if (returned != NULL)
- *returned = (length - remain);
-
- UNLOCK(&ent->lock);
-
- return (ISC_R_SUCCESS);
-
- zeroize:
- /* put the entropy we almost extracted back */
- add_entropy(ent, total);
- memset(data, 0, length);
- memset(digest, 0, sizeof(digest));
- if (returned != NULL)
- *returned = 0;
-
- UNLOCK(&ent->lock);
-
- return (ISC_R_NOENTROPY);
-}
-
-static void
-isc_entropypool_init(isc_entropypool_t *pool) {
- pool->cursor = RND_POOLWORDS - 1;
- pool->entropy = 0;
- pool->pseudo = 0;
- pool->rotate = 0;
- memset(pool->pool, 0, RND_POOLBYTES);
-}
-
-static void
-isc_entropypool_invalidate(isc_entropypool_t *pool) {
- pool->cursor = 0;
- pool->entropy = 0;
- pool->pseudo = 0;
- pool->rotate = 0;
- memset(pool->pool, 0, RND_POOLBYTES);
-}
-
-isc_result_t
-isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
- isc_result_t ret;
- isc_entropy_t *ent;
-
- REQUIRE(mctx != NULL);
- REQUIRE(entp != NULL && *entp == NULL);
-
- ent = isc_mem_get(mctx, sizeof(isc_entropy_t));
- if (ent == NULL)
- return (ISC_R_NOMEMORY);
-
- /*
- * We need a lock.
- */
- if (isc_mutex_init(&ent->lock) != ISC_R_SUCCESS) {
- ret = ISC_R_UNEXPECTED;
- goto errout;
- }
-
- /*
- * From here down, no failures will/can occur.
- */
- ISC_LIST_INIT(ent->sources);
- ent->nextsource = NULL;
- ent->nsources = 0;
- ent->mctx = NULL;
- isc_mem_attach(mctx, &ent->mctx);
- ent->refcnt = 1;
- ent->initialized = 0;
- ent->initcount = 0;
- ent->magic = ENTROPY_MAGIC;
-
- isc_entropypool_init(&ent->pool);
-
- *entp = ent;
- return (ISC_R_SUCCESS);
-
- errout:
- isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
-
- return (ret);
-}
-
-/*
- * Requires "ent" be locked.
- */
-static void
-destroysource(isc_entropysource_t **sourcep) {
- isc_entropysource_t *source;
- isc_entropy_t *ent;
- isc_cbsource_t *cbs;
-
- source = *sourcep;
- *sourcep = NULL;
- ent = source->ent;
-
- ISC_LIST_UNLINK(ent->sources, source, link);
- ent->nextsource = NULL;
- REQUIRE(ent->nsources > 0);
- ent->nsources--;
-
- switch (source->type) {
- case ENTROPY_SOURCETYPE_FILE:
- if (! source->bad)
- destroyfilesource(&source->sources.file);
- break;
- case ENTROPY_SOURCETYPE_USOCKET:
- if (! source->bad)
- destroyusocketsource(&source->sources.usocket);
- break;
- case ENTROPY_SOURCETYPE_SAMPLE:
- samplequeue_release(ent, &source->sources.sample.samplequeue);
- break;
- case ENTROPY_SOURCETYPE_CALLBACK:
- cbs = &source->sources.callback;
- if (cbs->start_called && cbs->stopfunc != NULL) {
- cbs->stopfunc(source, cbs->arg);
- cbs->start_called = ISC_FALSE;
- }
- samplequeue_release(ent, &cbs->samplequeue);
- break;
- }
-
- memset(source, 0, sizeof(isc_entropysource_t));
-
- isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-}
-
-static inline isc_boolean_t
-destroy_check(isc_entropy_t *ent) {
- isc_entropysource_t *source;
-
- if (ent->refcnt > 0)
- return (ISC_FALSE);
-
- source = ISC_LIST_HEAD(ent->sources);
- while (source != NULL) {
- switch (source->type) {
- case ENTROPY_SOURCETYPE_FILE:
- case ENTROPY_SOURCETYPE_USOCKET:
- break;
- default:
- return (ISC_FALSE);
- }
- source = ISC_LIST_NEXT(source, link);
- }
-
- return (ISC_TRUE);
-}
-
-static void
-destroy(isc_entropy_t **entp) {
- isc_entropy_t *ent;
- isc_entropysource_t *source;
- isc_mem_t *mctx;
-
- REQUIRE(entp != NULL && *entp != NULL);
- ent = *entp;
- *entp = NULL;
-
- LOCK(&ent->lock);
-
- REQUIRE(ent->refcnt == 0);
-
- /*
- * Here, detach non-sample sources.
- */
- source = ISC_LIST_HEAD(ent->sources);
- while (source != NULL) {
- switch(source->type) {
- case ENTROPY_SOURCETYPE_FILE:
- case ENTROPY_SOURCETYPE_USOCKET:
- destroysource(&source);
- break;
- }
- source = ISC_LIST_HEAD(ent->sources);
- }
-
- /*
- * If there are other types of sources, we've found a bug.
- */
- REQUIRE(ISC_LIST_EMPTY(ent->sources));
-
- mctx = ent->mctx;
-
- isc_entropypool_invalidate(&ent->pool);
-
- UNLOCK(&ent->lock);
-
- DESTROYLOCK(&ent->lock);
-
- memset(ent, 0, sizeof(isc_entropy_t));
- isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
- isc_mem_detach(&mctx);
-}
-
-void
-isc_entropy_destroysource(isc_entropysource_t **sourcep) {
- isc_entropysource_t *source;
- isc_entropy_t *ent;
- isc_boolean_t killit;
-
- REQUIRE(sourcep != NULL);
- REQUIRE(VALID_SOURCE(*sourcep));
-
- source = *sourcep;
- *sourcep = NULL;
-
- ent = source->ent;
- REQUIRE(VALID_ENTROPY(ent));
-
- LOCK(&ent->lock);
-
- destroysource(&source);
-
- killit = destroy_check(ent);
-
- UNLOCK(&ent->lock);
-
- if (killit)
- destroy(&ent);
-}
-
-isc_result_t
-isc_entropy_createcallbacksource(isc_entropy_t *ent,
- isc_entropystart_t start,
- isc_entropyget_t get,
- isc_entropystop_t stop,
- void *arg,
- isc_entropysource_t **sourcep)
-{
- isc_result_t ret;
- isc_entropysource_t *source;
- isc_cbsource_t *cbs;
-
- REQUIRE(VALID_ENTROPY(ent));
- REQUIRE(get != NULL);
- REQUIRE(sourcep != NULL && *sourcep == NULL);
-
- LOCK(&ent->lock);
-
- source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
- if (source == NULL) {
- ret = ISC_R_NOMEMORY;
- goto errout;
- }
- source->bad = ISC_FALSE;
-
- cbs = &source->sources.callback;
-
- ret = samplesource_allocate(ent, &cbs->samplequeue);
- if (ret != ISC_R_SUCCESS)
- goto errout;
-
- cbs->start_called = ISC_FALSE;
- cbs->startfunc = start;
- cbs->getfunc = get;
- cbs->stopfunc = stop;
- cbs->arg = arg;
-
- /*
- * From here down, no failures can occur.
- */
- source->magic = SOURCE_MAGIC;
- source->type = ENTROPY_SOURCETYPE_CALLBACK;
- source->ent = ent;
- source->total = 0;
- memset(source->name, 0, sizeof(source->name));
- ISC_LINK_INIT(source, link);
-
- /*
- * Hook it into the entropy system.
- */
- ISC_LIST_APPEND(ent->sources, source, link);
- ent->nsources++;
-
- *sourcep = source;
-
- UNLOCK(&ent->lock);
- return (ISC_R_SUCCESS);
-
- errout:
- if (source != NULL)
- isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-
- UNLOCK(&ent->lock);
-
- return (ret);
-}
-
-void
-isc_entropy_stopcallbacksources(isc_entropy_t *ent) {
- isc_entropysource_t *source;
- isc_cbsource_t *cbs;
-
- REQUIRE(VALID_ENTROPY(ent));
-
- LOCK(&ent->lock);
-
- source = ISC_LIST_HEAD(ent->sources);
- while (source != NULL) {
- if (source->type == ENTROPY_SOURCETYPE_CALLBACK) {
- cbs = &source->sources.callback;
- if (cbs->start_called && cbs->stopfunc != NULL) {
- cbs->stopfunc(source, cbs->arg);
- cbs->start_called = ISC_FALSE;
- }
- }
-
- source = ISC_LIST_NEXT(source, link);
- }
-
- UNLOCK(&ent->lock);
-}
-
-isc_result_t
-isc_entropy_createsamplesource(isc_entropy_t *ent,
- isc_entropysource_t **sourcep)
-{
- isc_result_t ret;
- isc_entropysource_t *source;
- sample_queue_t *sq;
-
- REQUIRE(VALID_ENTROPY(ent));
- REQUIRE(sourcep != NULL && *sourcep == NULL);
-
- LOCK(&ent->lock);
-
- source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
- if (source == NULL) {
- ret = ISC_R_NOMEMORY;
- goto errout;
- }
-
- sq = &source->sources.sample.samplequeue;
- ret = samplesource_allocate(ent, sq);
- if (ret != ISC_R_SUCCESS)
- goto errout;
-
- /*
- * From here down, no failures can occur.
- */
- source->magic = SOURCE_MAGIC;
- source->type = ENTROPY_SOURCETYPE_SAMPLE;
- source->ent = ent;
- source->total = 0;
- memset(source->name, 0, sizeof(source->name));
- ISC_LINK_INIT(source, link);
-
- /*
- * Hook it into the entropy system.
- */
- ISC_LIST_APPEND(ent->sources, source, link);
- ent->nsources++;
-
- *sourcep = source;
-
- UNLOCK(&ent->lock);
- return (ISC_R_SUCCESS);
-
- errout:
- if (source != NULL)
- isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-
- UNLOCK(&ent->lock);
-
- return (ret);
-}
-
-/*
- * Add a sample, and return ISC_R_SUCCESS if the queue has become full,
- * ISC_R_NOENTROPY if it has space remaining, and ISC_R_NOMORE if the
- * queue was full when this function was called.
- */
-static isc_result_t
-addsample(sample_queue_t *sq, isc_uint32_t sample, isc_uint32_t extra) {
- if (sq->nsamples >= RND_EVENTQSIZE)
- return (ISC_R_NOMORE);
-
- sq->samples[sq->nsamples] = sample;
- sq->extra[sq->nsamples] = extra;
- sq->nsamples++;
-
- if (sq->nsamples >= RND_EVENTQSIZE)
- return (ISC_R_QUEUEFULL);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
- isc_uint32_t extra)
-{
- isc_entropy_t *ent;
- sample_queue_t *sq;
- unsigned int entropy;
- isc_result_t result;
-
- REQUIRE(VALID_SOURCE(source));
-
- ent = source->ent;
-
- LOCK(&ent->lock);
-
- sq = &source->sources.sample.samplequeue;
- result = addsample(sq, sample, extra);
- if (result == ISC_R_QUEUEFULL) {
- entropy = crunchsamples(ent, sq);
- add_entropy(ent, entropy);
- }
-
- UNLOCK(&ent->lock);
-
- return (result);
-}
-
-isc_result_t
-isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample,
- isc_uint32_t extra)
-{
- sample_queue_t *sq;
- isc_result_t result;
-
- REQUIRE(VALID_SOURCE(source));
- REQUIRE(source->type == ENTROPY_SOURCETYPE_CALLBACK);
-
- sq = &source->sources.callback.samplequeue;
- result = addsample(sq, sample, extra);
-
- return (result);
-}
-
-void
-isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
- isc_uint32_t entropy)
-{
- REQUIRE(VALID_ENTROPY(ent));
-
- LOCK(&ent->lock);
-
- entropypool_adddata(ent, data, length, entropy);
-
- if (ent->initialized < THRESHOLD_BITS)
- ent->initialized = THRESHOLD_BITS;
-
- UNLOCK(&ent->lock);
-}
-
-static void
-dumpstats(isc_entropy_t *ent, FILE *out) {
- fprintf(out,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_ENTROPY,
- ISC_MSG_ENTROPYSTATS,
- "Entropy pool %p: refcnt %u cursor %u,"
- " rotate %u entropy %u pseudo %u nsources %u"
- " nextsource %p initialized %u initcount %u\n"),
- ent, ent->refcnt,
- ent->pool.cursor, ent->pool.rotate,
- ent->pool.entropy, ent->pool.pseudo,
- ent->nsources, ent->nextsource, ent->initialized,
- ent->initcount);
-}
-
-/*
- * This function ignores locking. Use at your own risk.
- */
-void
-isc_entropy_stats(isc_entropy_t *ent, FILE *out) {
- REQUIRE(VALID_ENTROPY(ent));
-
- LOCK(&ent->lock);
- dumpstats(ent, out);
- UNLOCK(&ent->lock);
-}
-
-void
-isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp) {
- REQUIRE(VALID_ENTROPY(ent));
- REQUIRE(entp != NULL && *entp == NULL);
-
- LOCK(&ent->lock);
-
- ent->refcnt++;
- *entp = ent;
-
- UNLOCK(&ent->lock);
-}
-
-void
-isc_entropy_detach(isc_entropy_t **entp) {
- isc_entropy_t *ent;
- isc_boolean_t killit;
-
- REQUIRE(entp != NULL && VALID_ENTROPY(*entp));
- ent = *entp;
- *entp = NULL;
-
- LOCK(&ent->lock);
-
- REQUIRE(ent->refcnt > 0);
- ent->refcnt--;
-
- killit = destroy_check(ent);
-
- UNLOCK(&ent->lock);
-
- if (killit)
- destroy(&ent);
-}
-
-static isc_result_t
-kbdstart(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
- /*
- * The intent of "first" is to provide a warning message only once
- * during the run of a program that might try to gather keyboard
- * entropy multiple times.
- */
- static isc_boolean_t first = ISC_TRUE;
-
- UNUSED(arg);
-
- if (! blocking)
- return (ISC_R_NOENTROPY);
-
- if (first) {
- if (source->warn_keyboard)
- fprintf(stderr, "You must use the keyboard to create "
- "entropy, since your system is lacking\n"
- "/dev/random (or equivalent)\n\n");
- first = ISC_FALSE;
- }
- fprintf(stderr, "start typing:\n");
-
- return (isc_keyboard_open(&source->kbd));
-}
-
-static void
-kbdstop(isc_entropysource_t *source, void *arg) {
-
- UNUSED(arg);
-
- if (! isc_keyboard_canceled(&source->kbd))
- fprintf(stderr, "stop typing.\r\n");
-
- (void)isc_keyboard_close(&source->kbd, 3);
-}
-
-static isc_result_t
-kbdget(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
- isc_result_t result;
- isc_time_t t;
- isc_uint32_t sample;
- isc_uint32_t extra;
- unsigned char c;
-
- UNUSED(arg);
-
- if (!blocking)
- return (ISC_R_NOTBLOCKING);
-
- result = isc_keyboard_getchar(&source->kbd, &c);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- TIME_NOW(&t);
-
- sample = isc_time_nanoseconds(&t);
- extra = c;
-
- result = isc_entropy_addcallbacksample(source, sample, extra);
- if (result != ISC_R_SUCCESS) {
- fprintf(stderr, "\r\n");
- return (result);
- }
-
- fprintf(stderr, ".");
- fflush(stderr);
-
- return (result);
-}
-
-isc_result_t
-isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
- const char *randomfile, int use_keyboard)
-{
- isc_result_t result;
- isc_result_t final_result = ISC_R_NOENTROPY;
- isc_boolean_t userfile = ISC_TRUE;
-
- REQUIRE(VALID_ENTROPY(ectx));
- REQUIRE(source != NULL && *source == NULL);
- REQUIRE(use_keyboard == ISC_ENTROPY_KEYBOARDYES ||
- use_keyboard == ISC_ENTROPY_KEYBOARDNO ||
- use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE);
-
-#ifdef PATH_RANDOMDEV
- if (randomfile == NULL) {
- randomfile = PATH_RANDOMDEV;
- userfile = ISC_FALSE;
- }
-#endif
-
- if (randomfile != NULL && use_keyboard != ISC_ENTROPY_KEYBOARDYES) {
- result = isc_entropy_createfilesource(ectx, randomfile);
- if (result == ISC_R_SUCCESS &&
- use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE)
- use_keyboard = ISC_ENTROPY_KEYBOARDNO;
- if (result != ISC_R_SUCCESS && userfile)
- return (result);
-
- final_result = result;
- }
-
- if (use_keyboard != ISC_ENTROPY_KEYBOARDNO) {
- result = isc_entropy_createcallbacksource(ectx, kbdstart,
- kbdget, kbdstop,
- NULL, source);
- if (result == ISC_R_SUCCESS)
- (*source)->warn_keyboard =
- ISC_TF(use_keyboard ==
- ISC_ENTROPY_KEYBOARDMAYBE);
-
- if (final_result != ISC_R_SUCCESS)
- final_result = result;
- }
-
- /*
- * final_result is ISC_R_SUCCESS if at least one source of entropy
- * could be started, otherwise it is the error from the most recently
- * failed operation (or ISC_R_NOENTROPY if PATH_RANDOMDEV is not
- * defined and use_keyboard is ISC_ENTROPY_KEYBOARDNO).
- */
- return (final_result);
-}
diff --git a/contrib/bind9/lib/isc/error.c b/contrib/bind9/lib/isc/error.c
deleted file mode 100644
index ceb7d2a49de2..000000000000
--- a/contrib/bind9/lib/isc/error.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: error.c,v 1.16.206.1 2004/03/06 08:14:28 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/error.h>
-#include <isc/msgs.h>
-
-static void
-default_unexpected_callback(const char *, int, const char *, va_list)
- ISC_FORMAT_PRINTF(3, 0);
-
-static void
-default_fatal_callback(const char *, int, const char *, va_list)
- ISC_FORMAT_PRINTF(3, 0);
-
-static isc_errorcallback_t unexpected_callback = default_unexpected_callback;
-static isc_errorcallback_t fatal_callback = default_fatal_callback;
-
-void
-isc_error_setunexpected(isc_errorcallback_t cb) {
- if (cb == NULL)
- unexpected_callback = default_unexpected_callback;
- else
- unexpected_callback = cb;
-}
-
-void
-isc_error_setfatal(isc_errorcallback_t cb) {
- if (cb == NULL)
- fatal_callback = default_fatal_callback;
- else
- fatal_callback = cb;
-}
-
-void
-isc_error_unexpected(const char *file, int line, const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- (unexpected_callback)(file, line, format, args);
- va_end(args);
-}
-
-void
-isc_error_fatal(const char *file, int line, const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- (fatal_callback)(file, line, format, args);
- va_end(args);
- abort();
-}
-
-void
-isc_error_runtimecheck(const char *file, int line, const char *expression) {
- isc_error_fatal(file, line, "RUNTIME_CHECK(%s) %s", expression,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
-}
-
-static void
-default_unexpected_callback(const char *file, int line, const char *format,
- va_list args)
-{
- fprintf(stderr, "%s:%d: ", file, line);
- vfprintf(stderr, format, args);
- fprintf(stderr, "\n");
- fflush(stderr);
-}
-
-static void
-default_fatal_callback(const char *file, int line, const char *format,
- va_list args)
-{
- fprintf(stderr, "%s:%d: %s: ", file, line,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FATALERROR, "fatal error"));
- vfprintf(stderr, format, args);
- fprintf(stderr, "\n");
- fflush(stderr);
-}
diff --git a/contrib/bind9/lib/isc/event.c b/contrib/bind9/lib/isc/event.c
deleted file mode 100644
index f767870ee805..000000000000
--- a/contrib/bind9/lib/isc/event.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: event.c,v 1.15.12.3 2004/03/08 09:04:48 marka Exp $ */
-
-/*
- * Principal Author: Bob Halley
- */
-
-#include <config.h>
-
-#include <isc/event.h>
-#include <isc/mem.h>
-#include <isc/util.h>
-
-/***
- *** Events.
- ***/
-
-static void
-destroy(isc_event_t *event) {
- isc_mem_t *mctx = event->ev_destroy_arg;
-
- isc_mem_put(mctx, event, event->ev_size);
-}
-
-isc_event_t *
-isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
- isc_taskaction_t action, const void *arg, size_t size)
-{
- isc_event_t *event;
- void *deconst_arg;
-
- REQUIRE(size >= sizeof(struct isc_event));
- REQUIRE(action != NULL);
-
- event = isc_mem_get(mctx, size);
- if (event == NULL)
- return (NULL);
-
- /*
- * Removing the const attribute from "arg" is the best of two
- * evils here. If the event->ev_arg member is made const, then
- * it affects a great many users of the task/event subsystem
- * which are not passing in an "arg" which starts its life as
- * const. Changing isc_event_allocate() and isc_task_onshutdown()
- * to not have "arg" prototyped as const (which is quite legitimate,
- * because neither of those functions modify arg) can cause
- * compiler whining anytime someone does want to use a const
- * arg that they themselves never modify, such as with
- * gcc -Wwrite-strings and using a string "arg".
- */
- DE_CONST(arg, deconst_arg);
-
- ISC_EVENT_INIT(event, size, 0, NULL, type, action, deconst_arg,
- sender, destroy, mctx);
-
- return (event);
-}
-
-void
-isc_event_free(isc_event_t **eventp) {
- isc_event_t *event;
-
- REQUIRE(eventp != NULL);
- event = *eventp;
- REQUIRE(event != NULL);
-
- if (event->ev_destroy != NULL)
- (event->ev_destroy)(event);
-
- *eventp = NULL;
-}
diff --git a/contrib/bind9/lib/isc/fsaccess.c b/contrib/bind9/lib/isc/fsaccess.c
deleted file mode 100644
index 11934724fab7..000000000000
--- a/contrib/bind9/lib/isc/fsaccess.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fsaccess.c,v 1.5.206.1 2004/03/06 08:14:29 marka Exp $ */
-
-/*
- * This file contains the OS-independent functionality of the API.
- */
-#include <isc/fsaccess.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-/*
- * Shorthand. Maybe ISC__FSACCESS_PERMISSIONBITS should not even be in
- * <isc/fsaccess.h>. Could check consistency with sizeof(isc_fsaccess_t)
- * and the number of bits in each function.
- */
-#define STEP (ISC__FSACCESS_PERMISSIONBITS)
-#define GROUP (STEP)
-#define OTHER (STEP * 2)
-
-void
-isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access) {
- REQUIRE(trustee <= 0x7);
- REQUIRE(permission <= 0xFF);
-
- if ((trustee & ISC_FSACCESS_OWNER) != 0)
- *access |= permission;
-
- if ((trustee & ISC_FSACCESS_GROUP) != 0)
- *access |= (permission << GROUP);
-
- if ((trustee & ISC_FSACCESS_OTHER) != 0)
- *access |= (permission << OTHER);
-}
-
-void
-isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access) {
- REQUIRE(trustee <= 0x7);
- REQUIRE(permission <= 0xFF);
-
-
- if ((trustee & ISC_FSACCESS_OWNER) != 0)
- *access &= ~permission;
-
- if ((trustee & ISC_FSACCESS_GROUP) != 0)
- *access &= ~(permission << GROUP);
-
- if ((trustee & ISC_FSACCESS_OTHER) != 0)
- *access &= ~(permission << OTHER);
-}
-
-static isc_result_t
-check_bad_bits(isc_fsaccess_t access, isc_boolean_t is_dir) {
- isc_fsaccess_t bits;
-
- /*
- * Check for disallowed user bits.
- */
- if (is_dir)
- bits = ISC_FSACCESS_READ |
- ISC_FSACCESS_WRITE |
- ISC_FSACCESS_EXECUTE;
- else
- bits = ISC_FSACCESS_CREATECHILD |
- ISC_FSACCESS_ACCESSCHILD |
- ISC_FSACCESS_DELETECHILD |
- ISC_FSACCESS_LISTDIRECTORY;
-
- /*
- * Set group bad bits.
- */
- bits |= bits << STEP;
- /*
- * Set other bad bits.
- */
- bits |= bits << STEP;
-
- if ((access & bits) != 0) {
- if (is_dir)
- return (ISC_R_NOTFILE);
- else
- return (ISC_R_NOTDIRECTORY);
- }
-
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/hash.c b/contrib/bind9/lib/isc/hash.c
deleted file mode 100644
index 22f370064af4..000000000000
--- a/contrib/bind9/lib/isc/hash.c
+++ /dev/null
@@ -1,387 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hash.c,v 1.2.2.4.2.1 2004/03/06 08:14:29 marka Exp $ */
-
-/*
- * Some portion of this code was derived from universal hash function
- * libraries of Rice University.
- */
-
-/* "UH Universal Hashing Library"
-
-Copyright ((c)) 2002, Rice University
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- * Redistributions in binary form must reproduce the above
- copyright notice, this list of conditions and the following
- disclaimer in the documentation and/or other materials provided
- with the distribution.
-
- * Neither the name of Rice University (RICE) nor the names of its
- contributors may be used to endorse or promote products derived
- from this software without specific prior written permission.
-
-
-This software is provided by RICE and the contributors on an "as is"
-basis, without any representations or warranties of any kind, express
-or implied including, but not limited to, representations or
-warranties of non-infringement, merchantability or fitness for a
-particular purpose. In no event shall RICE or contributors be liable
-for any direct, indirect, incidental, special, exemplary, or
-consequential damages (including, but not limited to, procurement of
-substitute goods or services; loss of use, data, or profits; or
-business interruption) however caused and on any theory of liability,
-whether in contract, strict liability, or tort (including negligence
-or otherwise) arising in any way out of the use of this software, even
-if advised of the possibility of such damage.
-*/
-
-#include <config.h>
-
-#include <isc/entropy.h>
-#include <isc/hash.h>
-#include <isc/mem.h>
-#include <isc/magic.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/random.h>
-#include <isc/refcount.h>
-#include <isc/rwlock.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#define HASH_MAGIC ISC_MAGIC('H', 'a', 's', 'h')
-#define VALID_HASH(h) ISC_MAGIC_VALID((h), HASH_MAGIC)
-
-/*
- * A large 32-bit prime number that specifies the range of the hash output.
- */
-#define PRIME32 0xFFFFFFFB /* 2^32 - 5 */
-
-/*
- * Types of random seed and hash accumulator. Perhaps they can be system
- * dependent.
- */
-typedef isc_uint32_t hash_accum_t;
-typedef isc_uint16_t hash_random_t;
-
-struct isc_hash {
- unsigned int magic;
- isc_mem_t *mctx;
- isc_mutex_t lock;
- isc_boolean_t initialized;
- isc_refcount_t refcnt;
- isc_entropy_t *entropy; /* entropy source */
- unsigned int limit; /* upper limit of key length */
- size_t vectorlen; /* size of the vector below */
- hash_random_t *rndvector; /* random vector for universal hashing */
-};
-
-static isc_rwlock_t createlock;
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_hash_t *hash = NULL;
-
-static unsigned char maptolower[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
- 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
- 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
- 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
- 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
- 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
- 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
- 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
- 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
- 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
- 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
- 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
- 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
- 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
- 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
- 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
- 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
- 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
- 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
- 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
- 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
- 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
- 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
- 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
- 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
- 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
- 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
- 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
- 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
- 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
- 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
-};
-
-isc_result_t
-isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
- unsigned int limit, isc_hash_t **hctxp)
-{
- isc_result_t ret;
- isc_hash_t *hctx;
- size_t vlen;
- hash_random_t *rv;
- hash_accum_t overflow_limit;
-
- REQUIRE(mctx != NULL);
- REQUIRE(hctxp != NULL && *hctxp == NULL);
-
- /*
- * Overflow check. Since our implementation only does a modulo
- * operation at the last stage of hash calculation, the accumulator
- * must not overflow.
- */
- overflow_limit =
- 1 << (((sizeof(hash_accum_t) - sizeof(hash_random_t))) * 8);
- if (overflow_limit < (limit + 1) * 0xff)
- return (ISC_R_RANGE);
-
- hctx = isc_mem_get(mctx, sizeof(isc_hash_t));
- if (hctx == NULL)
- return (ISC_R_NOMEMORY);
-
- vlen = sizeof(hash_random_t) * (limit + 1);
- rv = isc_mem_get(mctx, vlen);
- if (rv == NULL) {
- ret = ISC_R_NOMEMORY;
- goto errout;
- }
-
- /*
- * We need a lock.
- */
- if (isc_mutex_init(&hctx->lock) != ISC_R_SUCCESS) {
- ret = ISC_R_UNEXPECTED;
- goto errout;
- }
-
- /*
- * From here down, no failures will/can occur.
- */
- hctx->magic = HASH_MAGIC;
- hctx->mctx = NULL;
- isc_mem_attach(mctx, &hctx->mctx);
- hctx->initialized = ISC_FALSE;
- isc_refcount_init(&hctx->refcnt, 1);
- hctx->entropy = NULL;
- hctx->limit = limit;
- hctx->vectorlen = vlen;
- hctx->rndvector = rv;
-
- if (entropy != NULL)
- isc_entropy_attach(entropy, &hctx->entropy);
-
- *hctxp = hctx;
- return (ISC_R_SUCCESS);
-
- errout:
- isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
- if (rv != NULL)
- isc_mem_put(mctx, rv, vlen);
-
- return (ret);
-}
-
-static void
-initialize_lock(void) {
- RUNTIME_CHECK(isc_rwlock_init(&createlock, 0, 0) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(mctx != NULL);
- INSIST(hash == NULL);
-
- RUNTIME_CHECK(isc_once_do(&once, initialize_lock) == ISC_R_SUCCESS);
-
- RWLOCK(&createlock, isc_rwlocktype_write);
-
- if (hash == NULL)
- result = isc_hash_ctxcreate(mctx, entropy, limit, &hash);
-
- RWUNLOCK(&createlock, isc_rwlocktype_write);
-
- return (result);
-}
-
-void
-isc_hash_ctxinit(isc_hash_t *hctx) {
- isc_result_t result;
-
- LOCK(&hctx->lock);
-
- if (hctx->initialized == ISC_TRUE)
- goto out;
-
- if (hctx->entropy) {
- result = isc_entropy_getdata(hctx->entropy,
- hctx->rndvector, hctx->vectorlen,
- NULL, 0);
- INSIST(result == ISC_R_SUCCESS);
- } else {
- isc_uint32_t pr;
- unsigned int i, copylen;
- unsigned char *p;
-
- p = (unsigned char *)hctx->rndvector;
- for (i = 0; i < hctx->vectorlen; i += copylen, p += copylen) {
- isc_random_get(&pr);
- if (i + sizeof(pr) <= hctx->vectorlen)
- copylen = sizeof(pr);
- else
- copylen = hctx->vectorlen - i;
-
- memcpy(p, &pr, copylen);
- }
- INSIST(p == (unsigned char *)hctx->rndvector +
- hctx->vectorlen);
- }
-
- hctx->initialized = ISC_TRUE;
-
- out:
- UNLOCK(&hctx->lock);
-}
-
-void
-isc_hash_init() {
- INSIST(hash != NULL && VALID_HASH(hash));
-
- isc_hash_ctxinit(hash);
-}
-
-void
-isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp) {
- REQUIRE(VALID_HASH(hctx));
- REQUIRE(hctxp != NULL && *hctxp == NULL);
-
- isc_refcount_increment(&hctx->refcnt, NULL);
- *hctxp = hctx;
-}
-
-static void
-destroy(isc_hash_t **hctxp) {
- isc_hash_t *hctx;
- isc_mem_t *mctx;
-
- REQUIRE(hctxp != NULL && *hctxp != NULL);
- hctx = *hctxp;
- *hctxp = NULL;
-
- LOCK(&hctx->lock);
-
- isc_refcount_destroy(&hctx->refcnt);
-
- mctx = hctx->mctx;
- if (hctx->entropy != NULL)
- isc_entropy_detach(&hctx->entropy);
- if (hctx->rndvector != NULL)
- isc_mem_put(mctx, hctx->rndvector, hctx->vectorlen);
-
- UNLOCK(&hctx->lock);
-
- DESTROYLOCK(&hctx->lock);
-
- memset(hctx, 0, sizeof(isc_hash_t));
- isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
- isc_mem_detach(&mctx);
-}
-
-void
-isc_hash_ctxdetach(isc_hash_t **hctxp) {
- isc_hash_t *hctx;
- unsigned int refs;
-
- REQUIRE(hctxp != NULL && VALID_HASH(*hctxp));
- hctx = *hctxp;
-
- isc_refcount_decrement(&hctx->refcnt, &refs);
- if (refs == 0)
- destroy(&hctx);
-
- *hctxp = NULL;
-}
-
-void
-isc_hash_destroy() {
- unsigned int refs;
-
- INSIST(hash != NULL && VALID_HASH(hash));
-
- isc_refcount_decrement(&hash->refcnt, &refs);
- INSIST(refs == 0);
-
- destroy(&hash);
-}
-
-static inline unsigned int
-hash_calc(isc_hash_t *hctx, const unsigned char *key, unsigned int keylen,
- isc_boolean_t case_sensitive)
-{
- hash_accum_t partial_sum = 0;
- hash_random_t *p = hctx->rndvector;
- unsigned int i = 0;
-
- /* Make it sure that the hash context is initialized. */
- if (hctx->initialized == ISC_FALSE)
- isc_hash_ctxinit(hctx);
-
- if (case_sensitive) {
- for (i = 0; i < keylen; i++)
- partial_sum += key[i] * (hash_accum_t)p[i];
- } else {
- for (i = 0; i < keylen; i++)
- partial_sum += maptolower[key[i]] * (hash_accum_t)p[i];
- }
-
- partial_sum += p[i];
-
- return ((unsigned int)(partial_sum % PRIME32));
-}
-
-unsigned int
-isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
- unsigned int keylen, isc_boolean_t case_sensitive)
-{
- REQUIRE(hctx != NULL && VALID_HASH(hctx));
- REQUIRE(keylen <= hctx->limit);
-
- return (hash_calc(hctx, key, keylen, case_sensitive));
-}
-
-unsigned int
-isc_hash_calc(const unsigned char *key, unsigned int keylen,
- isc_boolean_t case_sensitive)
-{
- INSIST(hash != NULL && VALID_HASH(hash));
- REQUIRE(keylen <= hash->limit);
-
- return (hash_calc(hash, key, keylen, case_sensitive));
-}
diff --git a/contrib/bind9/lib/isc/heap.c b/contrib/bind9/lib/isc/heap.c
deleted file mode 100644
index 78b192548a9c..000000000000
--- a/contrib/bind9/lib/isc/heap.c
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: heap.c,v 1.28.12.3 2004/03/08 09:04:48 marka Exp $ */
-
-/*
- * Heap implementation of priority queues adapted from the following:
- *
- * _Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
- * MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
- *
- * _Algorithms_, Second Edition, Sedgewick, Addison-Wesley, 1988,
- * ISBN 0-201-06673-4, chapter 11.
- */
-
-#include <config.h>
-
-#include <isc/heap.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/string.h> /* Required for memcpy. */
-#include <isc/util.h>
-
-/*
- * Note: to make heap_parent and heap_left easy to compute, the first
- * element of the heap array is not used; i.e. heap subscripts are 1-based,
- * not 0-based.
- */
-#define heap_parent(i) ((i) >> 1)
-#define heap_left(i) ((i) << 1)
-
-#define SIZE_INCREMENT 1024
-
-#define HEAP_MAGIC ISC_MAGIC('H', 'E', 'A', 'P')
-#define VALID_HEAP(h) ISC_MAGIC_VALID(h, HEAP_MAGIC)
-
-/*
- * When the heap is in a consistent state, the following invariant
- * holds true: for every element i > 1, heap_parent(i) has a priority
- * higher than or equal to that of i.
- */
-#define HEAPCONDITION(i) ((i) == 1 || \
- ! heap->compare(heap->array[(i)], \
- heap->array[heap_parent(i)]))
-
-struct isc_heap {
- unsigned int magic;
- isc_mem_t * mctx;
- unsigned int size;
- unsigned int size_increment;
- unsigned int last;
- void **array;
- isc_heapcompare_t compare;
- isc_heapindex_t index;
-};
-
-isc_result_t
-isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
- isc_heapindex_t index, unsigned int size_increment,
- isc_heap_t **heapp)
-{
- isc_heap_t *heap;
-
- REQUIRE(heapp != NULL && *heapp == NULL);
- REQUIRE(compare != NULL);
-
- heap = isc_mem_get(mctx, sizeof(*heap));
- if (heap == NULL)
- return (ISC_R_NOMEMORY);
- heap->magic = HEAP_MAGIC;
- heap->mctx = mctx;
- heap->size = 0;
- if (size_increment == 0)
- heap->size_increment = SIZE_INCREMENT;
- else
- heap->size_increment = size_increment;
- heap->last = 0;
- heap->array = NULL;
- heap->compare = compare;
- heap->index = index;
-
- *heapp = heap;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_heap_destroy(isc_heap_t **heapp) {
- isc_heap_t *heap;
-
- REQUIRE(heapp != NULL);
- heap = *heapp;
- REQUIRE(VALID_HEAP(heap));
-
- if (heap->array != NULL)
- isc_mem_put(heap->mctx, heap->array,
- heap->size * sizeof(void *));
- heap->magic = 0;
- isc_mem_put(heap->mctx, heap, sizeof(*heap));
-
- *heapp = NULL;
-}
-
-static isc_boolean_t
-resize(isc_heap_t *heap) {
- void **new_array;
- size_t new_size;
-
- REQUIRE(VALID_HEAP(heap));
-
- new_size = heap->size + heap->size_increment;
- new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
- if (new_array == NULL)
- return (ISC_FALSE);
- if (heap->array != NULL) {
- memcpy(new_array, heap->array, heap->size * sizeof(void *));
- isc_mem_put(heap->mctx, heap->array,
- heap->size * sizeof(void *));
- }
- heap->size = new_size;
- heap->array = new_array;
-
- return (ISC_TRUE);
-}
-
-static void
-float_up(isc_heap_t *heap, unsigned int i, void *elt) {
- unsigned int p;
-
- for (p = heap_parent(i);
- i > 1 && heap->compare(elt, heap->array[p]);
- i = p, p = heap_parent(i)) {
- heap->array[i] = heap->array[p];
- if (heap->index != NULL)
- (heap->index)(heap->array[i], i);
- }
- heap->array[i] = elt;
- if (heap->index != NULL)
- (heap->index)(heap->array[i], i);
-
- INSIST(HEAPCONDITION(i));
-}
-
-static void
-sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
- unsigned int j, size, half_size;
- size = heap->last;
- half_size = size / 2;
- while (i <= half_size) {
- /* Find the smallest of the (at most) two children. */
- j = heap_left(i);
- if (j < size && heap->compare(heap->array[j+1],
- heap->array[j]))
- j++;
- if (heap->compare(elt, heap->array[j]))
- break;
- heap->array[i] = heap->array[j];
- if (heap->index != NULL)
- (heap->index)(heap->array[i], i);
- i = j;
- }
- heap->array[i] = elt;
- if (heap->index != NULL)
- (heap->index)(heap->array[i], i);
-
- INSIST(HEAPCONDITION(i));
-}
-
-isc_result_t
-isc_heap_insert(isc_heap_t *heap, void *elt) {
- unsigned int i;
-
- REQUIRE(VALID_HEAP(heap));
-
- i = ++heap->last;
- if (heap->last >= heap->size && !resize(heap))
- return (ISC_R_NOMEMORY);
-
- float_up(heap, i, elt);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_heap_delete(isc_heap_t *heap, unsigned int i) {
- void *elt;
- isc_boolean_t less;
-
- REQUIRE(VALID_HEAP(heap));
- REQUIRE(i >= 1 && i <= heap->last);
-
- if (i == heap->last) {
- heap->last--;
- } else {
- elt = heap->array[heap->last--];
- less = heap->compare(elt, heap->array[i]);
- heap->array[i] = elt;
- if (less)
- float_up(heap, i, heap->array[i]);
- else
- sink_down(heap, i, heap->array[i]);
- }
-}
-
-void
-isc_heap_increased(isc_heap_t *heap, unsigned int i) {
- REQUIRE(VALID_HEAP(heap));
- REQUIRE(i >= 1 && i <= heap->last);
-
- float_up(heap, i, heap->array[i]);
-}
-
-void
-isc_heap_decreased(isc_heap_t *heap, unsigned int i) {
- REQUIRE(VALID_HEAP(heap));
- REQUIRE(i >= 1 && i <= heap->last);
-
- sink_down(heap, i, heap->array[i]);
-}
-
-void *
-isc_heap_element(isc_heap_t *heap, unsigned int i) {
- REQUIRE(VALID_HEAP(heap));
- REQUIRE(i >= 1 && i <= heap->last);
-
- return (heap->array[i]);
-}
-
-void
-isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
- unsigned int i;
-
- REQUIRE(VALID_HEAP(heap));
- REQUIRE(action != NULL);
-
- for (i = 1; i <= heap->last; i++)
- (action)(heap->array[i], uap);
-}
diff --git a/contrib/bind9/lib/isc/hex.c b/contrib/bind9/lib/isc/hex.c
deleted file mode 100644
index a90f1ce078d3..000000000000
--- a/contrib/bind9/lib/isc/hex.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hex.c,v 1.8.2.2.8.3 2004/03/06 08:14:30 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/buffer.h>
-#include <isc/hex.h>
-#include <isc/lex.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#define RETERR(x) do { \
- isc_result_t _r = (x); \
- if (_r != ISC_R_SUCCESS) \
- return (_r); \
- } while (0)
-
-
-/*
- * BEW: These static functions are copied from lib/dns/rdata.c.
- */
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target);
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
-
-static const char hex[] = "0123456789ABCDEF";
-
-isc_result_t
-isc_hex_totext(isc_region_t *source, int wordlength,
- const char *wordbreak, isc_buffer_t *target)
-{
- char buf[3];
- unsigned int loops = 0;
-
- if (wordlength < 2)
- wordlength = 2;
-
- memset(buf, 0, sizeof(buf));
- while (source->length > 0) {
- buf[0] = hex[(source->base[0] >> 4) & 0xf];
- buf[1] = hex[(source->base[0]) & 0xf];
- RETERR(str_totext(buf, target));
- isc_region_consume(source, 1);
-
- loops++;
- if (source->length != 0 &&
- (int)((loops + 1) * 2) >= wordlength)
- {
- loops = 0;
- RETERR(str_totext(wordbreak, target));
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-/*
- * State of a hex decoding process in progress.
- */
-typedef struct {
- int length; /* Desired length of binary data or -1 */
- isc_buffer_t *target; /* Buffer for resulting binary data */
- int digits; /* Number of buffered hex digits */
- int val[2];
-} hex_decode_ctx_t;
-
-static inline void
-hex_decode_init(hex_decode_ctx_t *ctx, int length, isc_buffer_t *target)
-{
- ctx->digits = 0;
- ctx->length = length;
- ctx->target = target;
-}
-
-static inline isc_result_t
-hex_decode_char(hex_decode_ctx_t *ctx, int c) {
- char *s;
-
- if ((s = strchr(hex, toupper(c))) == NULL)
- return (ISC_R_BADHEX);
- ctx->val[ctx->digits++] = s - hex;
- if (ctx->digits == 2) {
- unsigned char num;
-
- num = (ctx->val[0] << 4) + (ctx->val[1]);
- RETERR(mem_tobuffer(ctx->target, &num, 1));
- if (ctx->length >= 0) {
- if (ctx->length == 0)
- return (ISC_R_BADHEX);
- else
- ctx->length -= 1;
- }
- ctx->digits = 0;
- }
- return (ISC_R_SUCCESS);
-}
-
-static inline isc_result_t
-hex_decode_finish(hex_decode_ctx_t *ctx) {
- if (ctx->length > 0)
- return (ISC_R_UNEXPECTEDEND);
- if (ctx->digits != 0)
- return (ISC_R_BADHEX);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
- hex_decode_ctx_t ctx;
- isc_textregion_t *tr;
- isc_token_t token;
- isc_boolean_t eol;
-
- hex_decode_init(&ctx, length, target);
-
- while (ctx.length != 0) {
- unsigned int i;
-
- if (length > 0)
- eol = ISC_FALSE;
- else
- eol = ISC_TRUE;
- RETERR(isc_lex_getmastertoken(lexer, &token,
- isc_tokentype_string, eol));
- if (token.type != isc_tokentype_string)
- break;
- tr = &token.value.as_textregion;
- for (i = 0; i < tr->length; i++)
- RETERR(hex_decode_char(&ctx, tr->base[i]));
- }
- if (ctx.length < 0)
- isc_lex_ungettoken(lexer, &token);
- RETERR(hex_decode_finish(&ctx));
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_hex_decodestring(char *cstr, isc_buffer_t *target) {
- hex_decode_ctx_t ctx;
-
- hex_decode_init(&ctx, -1, target);
- for (;;) {
- int c = *cstr++;
- if (c == '\0')
- break;
- if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
- continue;
- RETERR(hex_decode_char(&ctx, c));
- }
- RETERR(hex_decode_finish(&ctx));
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-str_totext(const char *source, isc_buffer_t *target) {
- unsigned int l;
- isc_region_t region;
-
- isc_buffer_availableregion(target, &region);
- l = strlen(source);
-
- if (l > region.length)
- return (ISC_R_NOSPACE);
-
- memcpy(region.base, source, l);
- isc_buffer_add(target, l);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
- isc_region_t tr;
-
- isc_buffer_availableregion(target, &tr);
- if (length > tr.length)
- return (ISC_R_NOSPACE);
- memcpy(tr.base, base, length);
- isc_buffer_add(target, length);
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/hmacmd5.c b/contrib/bind9/lib/isc/hmacmd5.c
deleted file mode 100644
index 04dc8c5e0576..000000000000
--- a/contrib/bind9/lib/isc/hmacmd5.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hmacmd5.c,v 1.5.12.3 2004/03/08 09:04:48 marka Exp $ */
-
-/*
- * This code implements the HMAC-MD5 keyed hash algorithm
- * described in RFC 2104.
- */
-
-#include "config.h"
-
-#include <isc/assertions.h>
-#include <isc/hmacmd5.h>
-#include <isc/md5.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#define PADLEN 64
-#define IPAD 0x36
-#define OPAD 0x5C
-
-/*
- * Start HMAC-MD5 process. Initialize an md5 context and digest the key.
- */
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
- unsigned int len)
-{
- unsigned char ipad[PADLEN];
- int i;
-
- memset(ctx->key, 0, sizeof(ctx->key));
- if (len > sizeof(ctx->key)) {
- isc_md5_t md5ctx;
- isc_md5_init(&md5ctx);
- isc_md5_update(&md5ctx, key, len);
- isc_md5_final(&md5ctx, ctx->key);
- } else
- memcpy(ctx->key, key, len);
-
- isc_md5_init(&ctx->md5ctx);
- memset(ipad, IPAD, sizeof(ipad));
- for (i = 0; i < PADLEN; i++)
- ipad[i] ^= ctx->key[i];
- isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad));
-}
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
- isc_md5_invalidate(&ctx->md5ctx);
- memset(ctx->key, 0, sizeof(ctx->key));
- memset(ctx, 0, sizeof(ctx));
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
- unsigned int len)
-{
- isc_md5_update(&ctx->md5ctx, buf, len);
-}
-
-/*
- * Compute signature - finalize MD5 operation and reapply MD5.
- */
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
- unsigned char opad[PADLEN];
- int i;
-
- isc_md5_final(&ctx->md5ctx, digest);
-
- memset(opad, OPAD, sizeof(opad));
- for (i = 0; i < PADLEN; i++)
- opad[i] ^= ctx->key[i];
-
- isc_md5_init(&ctx->md5ctx);
- isc_md5_update(&ctx->md5ctx, opad, sizeof(opad));
- isc_md5_update(&ctx->md5ctx, digest, ISC_MD5_DIGESTLENGTH);
- isc_md5_final(&ctx->md5ctx, digest);
- isc_hmacmd5_invalidate(ctx);
-}
-
-/*
- * Verify signature - finalize MD5 operation and reapply MD5, then
- * compare to the supplied digest.
- */
-isc_boolean_t
-isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest) {
- unsigned char newdigest[ISC_MD5_DIGESTLENGTH];
-
- isc_hmacmd5_sign(ctx, newdigest);
- return (ISC_TF(memcmp(digest, newdigest, ISC_MD5_DIGESTLENGTH) == 0));
-}
diff --git a/contrib/bind9/lib/isc/include/Makefile.in b/contrib/bind9/lib/isc/include/Makefile.in
deleted file mode 100644
index 59d66c729500..000000000000
--- a/contrib/bind9/lib/isc/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.10.206.1 2004/03/06 08:14:38 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/include/isc/Makefile.in b/contrib/bind9/lib/isc/include/isc/Makefile.in
deleted file mode 100644
index f484c0bd4a7e..000000000000
--- a/contrib/bind9/lib/isc/include/isc/Makefile.in
+++ /dev/null
@@ -1,57 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.50.12.6 2005/03/22 02:32:07 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated. The latter are handled specially in the
-# install target below.
-#
-HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
- bufferlist.h commandline.h entropy.h error.h event.h \
- eventclass.h file.h formatcheck.h fsaccess.h \
- hash.h heap.h hex.h hmacmd5.h \
- interfaceiter.h @ISC_IPV6_H@ lang.h lex.h \
- lfsr.h lib.h list.h log.h magic.h md5.h mem.h msgcat.h msgs.h \
- mutexblock.h netaddr.h ondestroy.h os.h parseint.h \
- print.h quota.h random.h ratelimiter.h \
- refcount.h region.h resource.h \
- result.h resultclass.h rwlock.h serial.h sha1.h sockaddr.h \
- socket.h stdio.h stdlib.h string.h symtab.h task.h taskpool.h \
- timer.h types.h util.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc ; \
- done
- ${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/isc
-
-distclean::
- rm -f platform.h
diff --git a/contrib/bind9/lib/isc/include/isc/app.h b/contrib/bind9/lib/isc/include/isc/app.h
deleted file mode 100644
index f77057b38865..000000000000
--- a/contrib/bind9/lib/isc/include/isc/app.h
+++ /dev/null
@@ -1,212 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: app.h,v 1.1.206.1 2004/03/06 08:14:38 marka Exp $ */
-
-#ifndef ISC_APP_H
-#define ISC_APP_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * ISC Application Support
- *
- * Dealing with program termination can be difficult, especially in a
- * multithreaded program. The routines in this module help coordinate
- * the shutdown process. They are used as follows by the initial (main)
- * thread of the application:
- *
- * isc_app_start(); Call very early in main(), before
- * any other threads have been created.
- *
- * isc_app_run(); This will post any on-run events,
- * and then block until application
- * shutdown is requested. A shutdown
- * request is made by calling
- * isc_app_shutdown(), or by sending
- * SIGINT or SIGTERM to the process.
- * After isc_app_run() returns, the
- * application should shutdown itself.
- *
- * isc_app_finish(); Call very late in main().
- *
- * Applications that want to use SIGHUP/isc_app_reload() to trigger reloading
- * should check the result of isc_app_run() and call the reload routine if
- * the result is ISC_R_RELOAD. They should then call isc_app_run() again
- * to resume waiting for reload or termination.
- *
- * Use of this module is not required. In particular, isc_app_start() is
- * NOT an ISC library initialization routine.
- *
- * MP:
- * Clients must ensure that isc_app_start(), isc_app_run(), and
- * isc_app_finish() are called at most once. isc_app_shutdown()
- * is safe to use by any thread (provided isc_app_start() has been
- * called previously).
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * None.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-#include <isc/eventclass.h>
-#include <isc/lang.h>
-#include <isc/result.h>
-
-typedef isc_event_t isc_appevent_t;
-
-#define ISC_APPEVENT_FIRSTEVENT (ISC_EVENTCLASS_APP + 0)
-#define ISC_APPEVENT_SHUTDOWN (ISC_EVENTCLASS_APP + 1)
-#define ISC_APPEVENT_LASTEVENT (ISC_EVENTCLASS_APP + 65535)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_app_start(void);
-/*
- * Start an ISC library application.
- *
- * Notes:
- * This call should be made before any other ISC library call, and as
- * close to the beginning of the application as possible.
- */
-
-isc_result_t
-isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
- void *arg);
-/*
- * Request delivery of an event when the application is run.
- *
- * Requires:
- * isc_app_start() has been called.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-isc_result_t
-isc_app_run(void);
-/*
- * Run an ISC library application.
- *
- * Notes:
- * The caller (typically the initial thread of an application) will
- * block until shutdown is requested. When the call returns, the
- * caller should start shutting down the application.
- *
- * Requires:
- * isc_app_start() has been called.
- *
- * Ensures:
- * Any events requested via isc_app_onrun() will have been posted (in
- * FIFO order) before isc_app_run() blocks.
- *
- * Returns:
- * ISC_R_SUCCESS Shutdown has been requested.
- * ISC_R_RELOAD Reload has been requested.
- */
-
-isc_result_t
-isc_app_shutdown(void);
-/*
- * Request application shutdown.
- *
- * Notes:
- * It is safe to call isc_app_shutdown() multiple times. Shutdown will
- * only be triggered once.
- *
- * Requires:
- * isc_app_run() has been called.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_app_reload(void);
-/*
- * Request application reload.
- *
- * Requires:
- * isc_app_run() has been called.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_UNEXPECTED
- */
-
-void
-isc_app_finish(void);
-/*
- * Finish an ISC library application.
- *
- * Notes:
- * This call should be made at or near the end of main().
- *
- * Requires:
- * isc_app_start() has been called.
- *
- * Ensures:
- * Any resources allocated by isc_app_start() have been released.
- */
-
-void
-isc_app_block(void);
-/*
- * Indicate that a blocking operation will be performed.
- *
- * Notes:
- * If a blocking operation is in process, a call to isc_app_shutdown()
- * or an external signal will abort the program, rather than allowing
- * clean shutdown. This is primarily useful for reading user input.
- *
- * Requires:
- * isc_app_start() has been called.
- * No other blocking operations are in progress.
- */
-
-void
-isc_app_unblock(void);
-/*
- * Indicate that a blocking operation is complete.
- *
- * Notes:
- * When a blocking operation has completed, return the program to a
- * state where a call to isc_app_shutdown() or an external signal will
- * shutdown normally.
- *
- * Requires:
- * isc_app_start() has been called.
- * isc_app_block() has been called by the same thread.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_APP_H */
diff --git a/contrib/bind9/lib/isc/include/isc/assertions.h b/contrib/bind9/lib/isc/include/isc/assertions.h
deleted file mode 100644
index 6091de9a6338..000000000000
--- a/contrib/bind9/lib/isc/include/isc/assertions.h
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * $Id: assertions.h,v 1.17.206.1 2004/03/06 08:14:38 marka Exp $
- */
-
-#ifndef ISC_ASSERTIONS_H
-#define ISC_ASSERTIONS_H 1
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef enum {
- isc_assertiontype_require,
- isc_assertiontype_ensure,
- isc_assertiontype_insist,
- isc_assertiontype_invariant
-} isc_assertiontype_t;
-
-typedef void (*isc_assertioncallback_t)(const char *, int, isc_assertiontype_t,
- const char *);
-
-LIBISC_EXTERNAL_DATA extern isc_assertioncallback_t isc_assertion_failed;
-
-void
-isc_assertion_setcallback(isc_assertioncallback_t);
-
-const char *
-isc_assertion_typetotext(isc_assertiontype_t type);
-
-#ifdef ISC_CHECK_ALL
-#define ISC_CHECK_REQUIRE 1
-#define ISC_CHECK_ENSURE 1
-#define ISC_CHECK_INSIST 1
-#define ISC_CHECK_INVARIANT 1
-#endif
-
-#ifdef ISC_CHECK_NONE
-#define ISC_CHECK_REQUIRE 0
-#define ISC_CHECK_ENSURE 0
-#define ISC_CHECK_INSIST 0
-#define ISC_CHECK_INVARIANT 0
-#endif
-
-#ifndef ISC_CHECK_REQUIRE
-#define ISC_CHECK_REQUIRE 1
-#endif
-
-#ifndef ISC_CHECK_ENSURE
-#define ISC_CHECK_ENSURE 1
-#endif
-
-#ifndef ISC_CHECK_INSIST
-#define ISC_CHECK_INSIST 1
-#endif
-
-#ifndef ISC_CHECK_INVARIANT
-#define ISC_CHECK_INVARIANT 1
-#endif
-
-#if ISC_CHECK_REQUIRE != 0
-#define ISC_REQUIRE(cond) \
- ((void) ((cond) || \
- ((isc_assertion_failed)(__FILE__, __LINE__, \
- isc_assertiontype_require, \
- #cond), 0)))
-#else
-#define ISC_REQUIRE(cond) ((void) 0)
-#endif /* ISC_CHECK_REQUIRE */
-
-#if ISC_CHECK_ENSURE != 0
-#define ISC_ENSURE(cond) \
- ((void) ((cond) || \
- ((isc_assertion_failed)(__FILE__, __LINE__, \
- isc_assertiontype_ensure, \
- #cond), 0)))
-#else
-#define ISC_ENSURE(cond) ((void) 0)
-#endif /* ISC_CHECK_ENSURE */
-
-#if ISC_CHECK_INSIST != 0
-#define ISC_INSIST(cond) \
- ((void) ((cond) || \
- ((isc_assertion_failed)(__FILE__, __LINE__, \
- isc_assertiontype_insist, \
- #cond), 0)))
-#else
-#define ISC_INSIST(cond) ((void) 0)
-#endif /* ISC_CHECK_INSIST */
-
-#if ISC_CHECK_INVARIANT != 0
-#define ISC_INVARIANT(cond) \
- ((void) ((cond) || \
- ((isc_assertion_failed)(__FILE__, __LINE__, \
- isc_assertiontype_invariant, \
- #cond), 0)))
-#else
-#define ISC_INVARIANT(cond) ((void) 0)
-#endif /* ISC_CHECK_INVARIANT */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ASSERTIONS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/base64.h b/contrib/bind9/lib/isc/include/isc/base64.h
deleted file mode 100644
index 260dd1d2e9b2..000000000000
--- a/contrib/bind9/lib/isc/include/isc/base64.h
+++ /dev/null
@@ -1,97 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.h,v 1.15.206.1 2004/03/06 08:14:38 marka Exp $ */
-
-#ifndef ISC_BASE64_H
-#define ISC_BASE64_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_base64_totext(isc_region_t *source, int wordlength,
- const char *wordbreak, isc_buffer_t *target);
-/*
- * Convert data into base64 encoded text.
- *
- * Notes:
- * The base64 encoded text in 'target' will be divided into
- * words of at most 'wordlength' characters, separated by
- * the 'wordbreak' string. No parentheses will surround
- * the text.
- *
- * Requires:
- * 'source' is a region containing binary data
- * 'target' is a text buffer containing available space
- * 'wordbreak' points to a null-terminated string of
- * zero or more whitespace characters
- *
- * Ensures:
- * target will contain the base64 encoded version of the data
- * in source. The 'used' pointer in target will be advanced as
- * necessary.
- */
-
-isc_result_t
-isc_base64_decodestring(const char *cstr, isc_buffer_t *target);
-/*
- * Decode a null-terminated base64 string.
- *
- * Requires:
- * 'cstr' is non-null.
- * 'target' is a valid buffer.
- *
- * Returns:
- * ISC_R_SUCCESS -- the entire decoded representation of 'cstring'
- * fit in 'target'.
- * ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
- *
- * Other error returns are any possible error code from:
- * isc_lex_create(),
- * isc_lex_openbuffer(),
- * isc_base64_tobuffer().
- */
-
-isc_result_t
-isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-/*
- * Convert base64 encoded text from a lexer context into data.
- *
- * Requires:
- * 'lex' is a valid lexer context
- * 'target' is a buffer containing binary data
- * 'length' is an integer
- *
- * Ensures:
- * target will contain the data represented by the base64 encoded
- * string parsed by the lexer. No more than length bytes will be read,
- * if length is positive. The 'used' pointer in target will be
- * advanced as necessary.
- */
-
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_BASE64_H */
diff --git a/contrib/bind9/lib/isc/include/isc/bitstring.h b/contrib/bind9/lib/isc/include/isc/bitstring.h
deleted file mode 100644
index 6d6a555f233c..000000000000
--- a/contrib/bind9/lib/isc/include/isc/bitstring.h
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bitstring.h,v 1.7.206.1 2004/03/06 08:14:38 marka Exp $ */
-
-#ifndef ISC_BITSTRING_H
-#define ISC_BITSTRING_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Bitstring
- *
- * A bitstring is a packed array of bits, stored in a contiguous
- * sequence of octets. The "most significant bit" (msb) of a bitstring
- * is the high bit of the first octet. The "least significant bit" of a
- * bitstring is the low bit of the last octet.
- *
- * Two bit numbering schemes are supported, "msb0" and "lsb0".
- *
- * In the "msb0" scheme, bit number 0 designates the most significant bit,
- * and any padding bits required to make the bitstring a multiple of 8 bits
- * long are added to the least significant end of the last octet.
- *
- * In the "lsb0" scheme, bit number 0 designates the least significant bit,
- * and any padding bits required to make the bitstring a multiple of 8 bits
- * long are added to the most significant end of the first octet.
- *
- * E.g., consider the bitstring "11010001111". This bitstring is 11 bits
- * long and will take two octets. Let "p" denote a pad bit. In the msb0
- * encoding, it would be
- *
- * Octet 0 Octet 1
- * |
- * 1 1 0 1 0 0 0 1 | 1 1 1 p p p p p
- * ^ | ^
- * | |
- * bit 0 bit 15
- *
- * In the lsb0 encoding, it would be
- *
- * Octet 0 Octet 1
- * |
- * p p p p p 1 1 0 | 1 0 0 0 1 1 1 1
- * ^ | ^
- * | |
- * bit 15 bit 0
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-struct isc_bitstring {
- unsigned int magic;
- unsigned char * data;
- unsigned int length;
- unsigned int size;
- isc_boolean_t lsb0;
-};
-
-/***
- *** Functions
- ***/
-
-void
-isc_bitstring_init(isc_bitstring_t *bitstring, unsigned char *data,
- unsigned int length, unsigned int size, isc_boolean_t lsb0);
-/*
- * Make 'bitstring' refer to the bitstring of 'size' bits starting
- * at 'data'. 'length' bits of the bitstring are valid. If 'lsb0'
- * is set then, bit 0 refers to the least significant bit of the
- * bitstring. Otherwise bit 0 is the most significant bit.
- *
- * Requires:
- *
- * 'bitstring' points to a isc_bitstring_t.
- *
- * 'data' points to an array of unsigned char large enough to hold
- * 'size' bits.
- *
- * 'length' <= 'size'.
- *
- * Ensures:
- *
- * 'bitstring' is a valid bitstring.
- */
-
-void
-isc_bitstring_invalidate(isc_bitstring_t *bitstring);
-/*
- * Invalidate 'bitstring'.
- *
- * Requires:
- *
- * 'bitstring' is a valid bitstring.
- *
- * Ensures:
- *
- * 'bitstring' is not a valid bitstring.
- */
-
-void
-isc_bitstring_copy(isc_bitstring_t *source, unsigned int sbitpos,
- isc_bitstring_t *target, unsigned int tbitpos,
- unsigned int n);
-/*
- * Starting at bit 'sbitpos', copy 'n' bits from 'source' to
- * the 'n' bits of 'target' starting at 'tbitpos'.
- *
- * Requires:
- *
- * 'source' and target are valid bitstrings with the same lsb0 setting.
- *
- * 'sbitpos' + 'n' is less than or equal to the length of 'source'.
- *
- * 'tbitpos' + 'n' is less than or equal to the size of 'target'.
- *
- * Ensures:
- *
- * The specified bits have been copied, and the length of 'target'
- * adjusted (if required).
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_BITSTRING_H */
diff --git a/contrib/bind9/lib/isc/include/isc/boolean.h b/contrib/bind9/lib/isc/include/isc/boolean.h
deleted file mode 100644
index 0081447dec60..000000000000
--- a/contrib/bind9/lib/isc/include/isc/boolean.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: boolean.h,v 1.12.206.1 2004/03/06 08:14:39 marka Exp $ */
-
-#ifndef ISC_BOOLEAN_H
-#define ISC_BOOLEAN_H 1
-
-typedef enum { isc_boolean_false = 0, isc_boolean_true = 1 } isc_boolean_t;
-
-#define ISC_FALSE isc_boolean_false
-#define ISC_TRUE isc_boolean_true
-#define ISC_TF(x) ((x) ? ISC_TRUE : ISC_FALSE)
-
-#endif /* ISC_BOOLEAN_H */
diff --git a/contrib/bind9/lib/isc/include/isc/buffer.h b/contrib/bind9/lib/isc/include/isc/buffer.h
deleted file mode 100644
index 02b82bcbacc5..000000000000
--- a/contrib/bind9/lib/isc/include/isc/buffer.h
+++ /dev/null
@@ -1,800 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: buffer.h,v 1.39.12.2 2004/03/08 09:04:51 marka Exp $ */
-
-#ifndef ISC_BUFFER_H
-#define ISC_BUFFER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Buffers
- *
- * A buffer is a region of memory, together with a set of related subregions.
- * Buffers are used for parsing and I/O operations.
- *
- * The 'used region' and the 'available' region are disjoint, and their
- * union is the buffer's region. The used region extends from the beginning
- * of the buffer region to the last used byte. The available region
- * extends from one byte greater than the last used byte to the end of the
- * buffer's region. The size of the used region can be changed using various
- * buffer commands. Initially, the used region is empty.
- *
- * The used region is further subdivided into two disjoint regions: the
- * 'consumed region' and the 'remaining region'. The union of these two
- * regions is the used region. The consumed region extends from the beginning
- * of the used region to the byte before the 'current' offset (if any). The
- * 'remaining' region the current pointer to the end of the used
- * region. The size of the consumed region can be changed using various
- * buffer commands. Initially, the consumed region is empty.
- *
- * The 'active region' is an (optional) subregion of the remaining region.
- * It extends from the current offset to an offset in the remaining region
- * that is selected with isc_buffer_setactive(). Initially, the active region
- * is empty. If the current offset advances beyond the chosen offset, the
- * active region will also be empty.
- *
- * /------------entire length---------------\
- * /----- used region -----\/-- available --\
- * +----------------------------------------+
- * | consumed | remaining | |
- * +----------------------------------------+
- * a b c d e
- *
- * a == base of buffer.
- * b == current pointer. Can be anywhere between a and d.
- * c == active pointer. Meaningful between b and d.
- * d == used pointer.
- * e == length of buffer.
- *
- * a-e == entire length of buffer.
- * a-d == used region.
- * a-b == consumed region.
- * b-d == remaining region.
- * b-c == optional active region.
- *
- * The following invariants are maintained by all routines:
- *
- * length > 0
- *
- * base is a valid pointer to length bytes of memory
- *
- * 0 <= used <= length
- *
- * 0 <= current <= used
- *
- * 0 <= active <= used
- * (although active < current implies empty active region)
- *
- * MP:
- * Buffers have no synchronization. Clients must ensure exclusive
- * access.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * Memory: 1 pointer + 6 unsigned integers per buffer.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/magic.h>
-#include <isc/types.h>
-
-/*
- * To make many functions be inline macros (via #define) define this.
- * If it is undefined, a function will be used.
- */
-/* #define ISC_BUFFER_USEINLINE */
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Magic numbers
- ***/
-#define ISC_BUFFER_MAGIC 0x42756621U /* Buf!. */
-#define ISC_BUFFER_VALID(b) ISC_MAGIC_VALID(b, ISC_BUFFER_MAGIC)
-
-/*
- * The following macros MUST be used only on valid buffers. It is the
- * caller's responsibility to ensure this by using the ISC_BUFFER_VALID
- * check above, or by calling another isc_buffer_*() function (rather than
- * another macro.)
- */
-
-/*
- * Fundamental buffer elements. (A through E in the introductory comment.)
- */
-#define isc_buffer_base(b) ((void *)(b)->base) /*a*/
-#define isc_buffer_current(b) \
- ((void *)((unsigned char *)(b)->base + (b)->current)) /*b*/
-#define isc_buffer_active(b) \
- ((void *)((unsigned char *)(b)->base + (b)->active)) /*c*/
-#define isc_buffer_used(b) \
- ((void *)((unsigned char *)(b)->base + (b)->used)) /*d*/
-#define isc_buffer_length(b) ((b)->length) /*e*/
-
-/*
- * Derived lengths. (Described in the introductory comment.)
- */
-#define isc_buffer_usedlength(b) ((b)->used) /* d-a */
-#define isc_buffer_consumedlength(b) ((b)->current) /* b-a */
-#define isc_buffer_remaininglength(b) ((b)->used - (b)->current) /* d-b */
-#define isc_buffer_activelength(b) ((b)->active - (b)->current) /* c-b */
-#define isc_buffer_availablelength(b) ((b)->length - (b)->used) /* e-d */
-
-/*
- * Note that the buffer structure is public. This is principally so buffer
- * operations can be implemented using macros. Applications are strongly
- * discouraged from directly manipulating the structure.
- */
-
-struct isc_buffer {
- unsigned int magic;
- void *base;
- /* The following integers are byte offsets from 'base'. */
- unsigned int length;
- unsigned int used;
- unsigned int current;
- unsigned int active;
- /* linkable */
- ISC_LINK(isc_buffer_t) link;
- /* private internal elements */
- isc_mem_t *mctx;
-};
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
- unsigned int length);
-/*
- * Allocate a dynamic linkable buffer which has "length" bytes in the
- * data region.
- *
- * Requires:
- * "mctx" is valid.
- *
- * "dynbuffer" is non-NULL, and "*dynbuffer" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS - success
- * ISC_R_NOMEMORY - no memory available
- *
- * Note:
- * Changing the buffer's length field is not permitted.
- */
-
-void
-isc_buffer_free(isc_buffer_t **dynbuffer);
-/*
- * Release resources allocated for a dynamic buffer.
- *
- * Requires:
- * "dynbuffer" is not NULL.
- *
- * "*dynbuffer" is a valid dynamic buffer.
- *
- * Ensures:
- * "*dynbuffer" will be NULL on return, and all memory associated with
- * the dynamic buffer is returned to the memory context used in
- * isc_buffer_allocate().
- */
-
-void
-isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length);
-/*
- * Make 'b' refer to the 'length'-byte region starting at base.
- *
- * Requires:
- *
- * 'length' > 0
- *
- * 'base' is a pointer to a sequence of 'length' bytes.
- *
- */
-
-void
-isc__buffer_invalidate(isc_buffer_t *b);
-/*
- * Make 'b' an invalid buffer.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * Ensures:
- * If assertion checking is enabled, future attempts to use 'b' without
- * calling isc_buffer_init() on it will cause an assertion failure.
- */
-
-void
-isc__buffer_region(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the region of 'b'.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * 'r' points to a region structure.
- */
-
-void
-isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the used region of 'b'.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * 'r' points to a region structure.
- */
-
-void
-isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the available region of 'b'.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * 'r' points to a region structure.
- */
-
-void
-isc__buffer_add(isc_buffer_t *b, unsigned int n);
-/*
- * Increase the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * used + n <= length
- *
- */
-
-void
-isc__buffer_subtract(isc_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * used >= n
- *
- */
-
-void
-isc__buffer_clear(isc_buffer_t *b);
-/*
- * Make the used region empty.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * Ensures:
- *
- * used = 0
- *
- */
-
-void
-isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the consumed region of 'b'.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * 'r' points to a region structure.
- */
-
-void
-isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the remaining region of 'b'.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * 'r' points to a region structure.
- */
-
-void
-isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r);
-/*
- * Make 'r' refer to the active region of 'b'.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * 'r' points to a region structure.
- */
-
-void
-isc__buffer_setactive(isc_buffer_t *b, unsigned int n);
-/*
- * Sets the end of the active region 'n' bytes after current.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * current + n <= used
- */
-
-void
-isc__buffer_first(isc_buffer_t *b);
-/*
- * Make the consumed region empty.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * Ensures:
- *
- * current == 0
- *
- */
-
-void
-isc__buffer_forward(isc_buffer_t *b, unsigned int n);
-/*
- * Increase the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * current + n <= used
- *
- */
-
-void
-isc__buffer_back(isc_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * n <= current
- *
- */
-
-void
-isc_buffer_compact(isc_buffer_t *b);
-/*
- * Compact the used region by moving the remaining region so it occurs
- * at the start of the buffer. The used region is shrunk by the size of
- * the consumed region, and the consumed region is then made empty.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * Ensures:
- *
- * current == 0
- *
- * The size of the used region is now equal to the size of the remaining
- * region (as it was before the call). The contents of the used region
- * are those of the remaining region (as it was before the call).
- */
-
-isc_uint8_t
-isc_buffer_getuint8(isc_buffer_t *b);
-/*
- * Read an unsigned 8-bit integer from 'b' and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 1.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 1.
- *
- * Returns:
- *
- * A 8-bit unsigned integer.
- */
-
-void
-isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val);
-/*
- * Store an unsigned 8-bit integer from 'val' into 'b'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 1.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 1.
- */
-
-isc_uint16_t
-isc_buffer_getuint16(isc_buffer_t *b);
-/*
- * Read an unsigned 16-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- * A 16-bit unsigned integer.
- */
-
-void
-isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val);
-/*
- * Store an unsigned 16-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 2.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 2.
- */
-
-isc_uint32_t
-isc_buffer_getuint32(isc_buffer_t *b);
-/*
- * Read an unsigned 32-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 4.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 4.
- *
- * Returns:
- *
- * A 32-bit unsigned integer.
- */
-
-void
-isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
-/*
- * Store an unsigned 32-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 4.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 4.
- */
-
-void
-isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
- unsigned int length);
-/*
- * Copy 'length' bytes of memory at 'base' into 'b'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * 'base' points to 'length' bytes of valid memory.
- *
- */
-
-void
-isc__buffer_putstr(isc_buffer_t *b, const char *source);
-/*
- * Copy 'source' into 'b', not including terminating NUL.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * 'source' to be a valid NULL terminated string.
- *
- * strlen(source) <= isc_buffer_available(b)
- */
-
-isc_result_t
-isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r);
-/*
- * Copy the contents of 'r' into 'b'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * 'r' is a valid region.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE The available region of 'b' is not
- * big enough.
- */
-
-ISC_LANG_ENDDECLS
-
-/*
- * Inline macro versions of the functions. These should never be called
- * directly by an application, but will be used by the functions within
- * buffer.c. The callers should always use "isc_buffer_*()" names, never
- * ones beginning with "isc__"
- */
-
-/*
- * XXXDCL Something more could be done with initializing buffers that
- * point to const data. For example, a new function, isc_buffer_initconst,
- * could be used, and a new boolean flag in the buffer structure could
- * indicate whether the buffer was initialized with that function.
- * (isc_bufer_init itself would be reprototyped to *not* have its "base"
- * parameter be const.) Then if the boolean were true, the isc_buffer_put*
- * functions could assert a contractual requirement for a non-const buffer.
- * One drawback is that the isc_buffer_* functions (macros) that return
- * pointers would still need to return non-const pointers to avoid compiler
- * warnings, so it would be up to code that uses them to have to deal
- * with the possibility that the buffer was initialized as const --
- * a problem that they *already* have to deal with but have absolutely
- * no ability to. With a new isc_buffer_isconst() function returning
- * true/false, they could at least assert a contractual requirement for
- * non-const buffers when needed.
- */
-#define ISC__BUFFER_INIT(_b, _base, _length) \
- do { \
- union { \
- const void * konst; \
- void * var; \
- } _u; \
- _u.konst = (_base); \
- (_b)->base = _u.var; \
- (_b)->length = (_length); \
- (_b)->used = 0; \
- (_b)->current = 0; \
- (_b)->active = 0; \
- (_b)->mctx = NULL; \
- ISC_LINK_INIT(_b, link); \
- (_b)->magic = ISC_BUFFER_MAGIC; \
- } while (0)
-
-#define ISC__BUFFER_INVALIDATE(_b) \
- do { \
- (_b)->magic = 0; \
- (_b)->base = NULL; \
- (_b)->length = 0; \
- (_b)->used = 0; \
- (_b)->current = 0; \
- (_b)->active = 0; \
- } while (0)
-
-#define ISC__BUFFER_REGION(_b, _r) \
- do { \
- (_r)->base = (_b)->base; \
- (_r)->length = (_b)->length; \
- } while (0)
-
-#define ISC__BUFFER_USEDREGION(_b, _r) \
- do { \
- (_r)->base = (_b)->base; \
- (_r)->length = (_b)->used; \
- } while (0)
-
-#define ISC__BUFFER_AVAILABLEREGION(_b, _r) \
- do { \
- (_r)->base = isc_buffer_used(_b); \
- (_r)->length = isc_buffer_availablelength(_b); \
- } while (0)
-
-#define ISC__BUFFER_ADD(_b, _n) \
- do { \
- (_b)->used += (_n); \
- } while (0)
-
-#define ISC__BUFFER_SUBTRACT(_b, _n) \
- do { \
- (_b)->used -= (_n); \
- if ((_b)->current > (_b)->used) \
- (_b)->current = (_b)->used; \
- if ((_b)->active > (_b)->used) \
- (_b)->active = (_b)->used; \
- } while (0)
-
-#define ISC__BUFFER_CLEAR(_b) \
- do { \
- (_b)->used = 0; \
- (_b)->current = 0; \
- (_b)->active = 0; \
- } while (0)
-
-#define ISC__BUFFER_CONSUMEDREGION(_b, _r) \
- do { \
- (_r)->base = (_b)->base; \
- (_r)->length = (_b)->current; \
- } while (0)
-
-#define ISC__BUFFER_REMAININGREGION(_b, _r) \
- do { \
- (_r)->base = isc_buffer_current(_b); \
- (_r)->length = isc_buffer_remaininglength(_b); \
- } while (0)
-
-#define ISC__BUFFER_ACTIVEREGION(_b, _r) \
- do { \
- if ((_b)->current < (_b)->active) { \
- (_r)->base = isc_buffer_current(_b); \
- (_r)->length = isc_buffer_activelength(_b); \
- } else { \
- (_r)->base = NULL; \
- (_r)->length = 0; \
- } \
- } while (0)
-
-#define ISC__BUFFER_SETACTIVE(_b, _n) \
- do { \
- (_b)->active = (_b)->current + (_n); \
- } while (0)
-
-#define ISC__BUFFER_FIRST(_b) \
- do { \
- (_b)->current = 0; \
- } while (0)
-
-#define ISC__BUFFER_FORWARD(_b, _n) \
- do { \
- (_b)->current += (_n); \
- } while (0)
-
-#define ISC__BUFFER_BACK(_b, _n) \
- do { \
- (_b)->current -= (_n); \
- } while (0)
-
-#define ISC__BUFFER_PUTMEM(_b, _base, _length) \
- do { \
- memcpy(isc_buffer_used(_b), (_base), (_length)); \
- (_b)->used += (_length); \
- } while (0)
-
-#define ISC__BUFFER_PUTSTR(_b, _source) \
- do { \
- unsigned int _length; \
- unsigned char *_cp; \
- _length = strlen(_source); \
- _cp = isc_buffer_used(_b); \
- memcpy(_cp, (_source), _length); \
- (_b)->used += (_length); \
- } while (0)
-
-#define ISC__BUFFER_PUTUINT8(_b, _val) \
- do { \
- unsigned char *_cp; \
- isc_uint8_t _val2 = (_val); \
- _cp = isc_buffer_used(_b); \
- (_b)->used++; \
- _cp[0] = _val2 & 0x00ff; \
- } while (0)
-
-#define ISC__BUFFER_PUTUINT16(_b, _val) \
- do { \
- unsigned char *_cp; \
- isc_uint16_t _val2 = (_val); \
- _cp = isc_buffer_used(_b); \
- (_b)->used += 2; \
- _cp[0] = (unsigned char)((_val2 & 0xff00U) >> 8); \
- _cp[1] = (unsigned char)(_val2 & 0x00ffU); \
- } while (0)
-
-#define ISC__BUFFER_PUTUINT32(_b, _val) \
- do { \
- unsigned char *_cp; \
- isc_uint32_t _val2 = (_val); \
- _cp = isc_buffer_used(_b); \
- (_b)->used += 4; \
- _cp[0] = (unsigned char)((_val2 & 0xff000000) >> 24); \
- _cp[1] = (unsigned char)((_val2 & 0x00ff0000) >> 16); \
- _cp[2] = (unsigned char)((_val2 & 0x0000ff00) >> 8); \
- _cp[3] = (unsigned char)((_val2 & 0x000000ff)); \
- } while (0)
-
-#if defined(ISC_BUFFER_USEINLINE)
-#define isc_buffer_init ISC__BUFFER_INIT
-#define isc_buffer_invalidate ISC__BUFFER_INVALIDATE
-#define isc_buffer_region ISC__BUFFER_REGION
-#define isc_buffer_usedregion ISC__BUFFER_USEDREGION
-#define isc_buffer_availableregion ISC__BUFFER_AVAILABLEREGION
-#define isc_buffer_add ISC__BUFFER_ADD
-#define isc_buffer_subtract ISC__BUFFER_SUBTRACT
-#define isc_buffer_clear ISC__BUFFER_CLEAR
-#define isc_buffer_consumedregion ISC__BUFFER_CONSUMEDREGION
-#define isc_buffer_remainingregion ISC__BUFFER_REMAININGREGION
-#define isc_buffer_activeregion ISC__BUFFER_ACTIVEREGION
-#define isc_buffer_setactive ISC__BUFFER_SETACTIVE
-#define isc_buffer_first ISC__BUFFER_FIRST
-#define isc_buffer_forward ISC__BUFFER_FORWARD
-#define isc_buffer_back ISC__BUFFER_BACK
-#define isc_buffer_putmem ISC__BUFFER_PUTMEM
-#define isc_buffer_putstr ISC__BUFFER_PUTSTR
-#define isc_buffer_putuint8 ISC__BUFFER_PUTUINT8
-#define isc_buffer_putuint16 ISC__BUFFER_PUTUINT16
-#define isc_buffer_putuint32 ISC__BUFFER_PUTUINT32
-#else
-#define isc_buffer_init isc__buffer_init
-#define isc_buffer_invalidate isc__buffer_invalidate
-#define isc_buffer_region isc__buffer_region
-#define isc_buffer_usedregion isc__buffer_usedregion
-#define isc_buffer_availableregion isc__buffer_availableregion
-#define isc_buffer_add isc__buffer_add
-#define isc_buffer_subtract isc__buffer_subtract
-#define isc_buffer_clear isc__buffer_clear
-#define isc_buffer_consumedregion isc__buffer_consumedregion
-#define isc_buffer_remainingregion isc__buffer_remainingregion
-#define isc_buffer_activeregion isc__buffer_activeregion
-#define isc_buffer_setactive isc__buffer_setactive
-#define isc_buffer_first isc__buffer_first
-#define isc_buffer_forward isc__buffer_forward
-#define isc_buffer_back isc__buffer_back
-#define isc_buffer_putmem isc__buffer_putmem
-#define isc_buffer_putstr isc__buffer_putstr
-#define isc_buffer_putuint8 isc__buffer_putuint8
-#define isc_buffer_putuint16 isc__buffer_putuint16
-#define isc_buffer_putuint32 isc__buffer_putuint32
-#endif
-
-#endif /* ISC_BUFFER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/bufferlist.h b/contrib/bind9/lib/isc/include/isc/bufferlist.h
deleted file mode 100644
index b24cde0cbff5..000000000000
--- a/contrib/bind9/lib/isc/include/isc/bufferlist.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: bufferlist.h,v 1.10.206.1 2004/03/06 08:14:39 marka Exp $ */
-
-#ifndef ISC_BUFFERLIST_H
-#define ISC_BUFFERLIST_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Buffer Lists
- *
- * Buffer lists have no synchronization. Clients must ensure exclusive
- * access.
- *
- * Reliability:
- * No anticipated impact.
-
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-unsigned int
-isc_bufferlist_usedcount(isc_bufferlist_t *bl);
-/*
- * Return the length of the sum of all used regions of all buffers in
- * the buffer list 'bl'
- *
- * Requires:
- *
- * 'bl' is not NULL.
- *
- * Returns:
- * sum of all used regions' lengths.
- */
-
-unsigned int
-isc_bufferlist_availablecount(isc_bufferlist_t *bl);
-/*
- * Return the length of the sum of all available regions of all buffers in
- * the buffer list 'bl'
- *
- * Requires:
- *
- * 'bl' is not NULL.
- *
- * Returns:
- * sum of all available regions' lengths.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_BUFFERLIST_H */
diff --git a/contrib/bind9/lib/isc/include/isc/commandline.h b/contrib/bind9/lib/isc/include/isc/commandline.h
deleted file mode 100644
index 250f7f0f0deb..000000000000
--- a/contrib/bind9/lib/isc/include/isc/commandline.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: commandline.h,v 1.9.206.1 2004/03/06 08:14:39 marka Exp $ */
-
-#ifndef ISC_COMMANDLINE_H
-#define ISC_COMMANDLINE_H 1
-
-#include <isc/boolean.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-/* Index into parent argv vector. */
-LIBISC_EXTERNAL_DATA extern int isc_commandline_index;
-/* Character checked for validity. */
-LIBISC_EXTERNAL_DATA extern int isc_commandline_option;
-/* Argument associated with option. */
-LIBISC_EXTERNAL_DATA extern char *isc_commandline_argument;
-/* For printing error messages. */
-LIBISC_EXTERNAL_DATA extern char *isc_commandline_progname;
-/* Print error message. */
-LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_errprint;
-/* Reset getopt. */
-LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_reset;
-
-ISC_LANG_BEGINDECLS
-
-int
-isc_commandline_parse(int argc, char * const *argv, const char *options);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_COMMANDLINE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/entropy.h b/contrib/bind9/lib/isc/include/isc/entropy.h
deleted file mode 100644
index 7200a127e62f..000000000000
--- a/contrib/bind9/lib/isc/include/isc/entropy.h
+++ /dev/null
@@ -1,288 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: entropy.h,v 1.23.2.1.10.1 2004/03/06 08:14:40 marka Exp $ */
-
-#ifndef ISC_ENTROPY_H
-#define ISC_ENTROPY_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Entropy
- *
- * The entropy API
- *
- * MP:
- * The entropy object is locked internally. All callbacks into
- * application-provided functions (for setup, gathering, and
- * shutdown of sources) are guaranteed to be called with the
- * entropy API lock held. This means these functions are
- * not permitted to call back into the entropy API.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * A buffer, used as an entropy pool.
- *
- * Security:
- * While this code is believed to implement good entropy gathering
- * and distribution, it has not been reviewed by a cryptographic
- * expert.
- *
- * Since the added entropy is only as good as the sources used,
- * this module could hand out bad data and never know it.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*
- * Entropy callback function.
- */
-typedef isc_result_t (*isc_entropystart_t)(isc_entropysource_t *source,
- void *arg, isc_boolean_t blocking);
-typedef isc_result_t (*isc_entropyget_t)(isc_entropysource_t *source,
- void *arg, isc_boolean_t blocking);
-typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
-
-/***
- *** Flags.
- ***/
-
-/*
- * _GOODONLY
- * Extract only "good" data; return failure if there is not enough
- * data available and there are no sources which we can poll to get
- * data, or those sources are empty.
- *
- * _PARTIAL
- * Extract as much good data as possible, but if there isn't enough
- * at hand, return what is available. This flag only makes sense
- * when used with _GOODONLY.
- *
- * _BLOCKING
- * Block the task until data is available. This is contrary to the
- * ISC task system, where tasks should never block. However, if
- * this is a special purpose application where blocking a task is
- * acceptable (say, an offline zone signer) this flag may be set.
- * This flag only makes sense when used with _GOODONLY, and will
- * block regardless of the setting for _PARTIAL.
- */
-#define ISC_ENTROPY_GOODONLY 0x00000001U
-#define ISC_ENTROPY_PARTIAL 0x00000002U
-#define ISC_ENTROPY_BLOCKING 0x00000004U
-
-/*
- * _ESTIMATE
- * Estimate the amount of entropy contained in the sample pool.
- * If this is not set, the source will be gathered and perodically
- * mixed into the entropy pool, but no increment in contained entropy
- * will be assumed. This flag only makes sense on sample sources.
- */
-#define ISC_ENTROPYSOURCE_ESTIMATE 0x00000001U
-
-/*
- * For use with isc_entropy_usebestsource().
- *
- * _KEYBOARDYES
- * Use the keyboard as the only entropy source.
- * _KEYBOARDNO
- * Never use the keyboard as an entropy source.
- * _KEYBOARDMAYBE
- * Use the keyboard as an entropy source only if opening the
- * random device fails.
- */
-#define ISC_ENTROPY_KEYBOARDYES 1
-#define ISC_ENTROPY_KEYBOARDNO 2
-#define ISC_ENTROPY_KEYBOARDMAYBE 3
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp);
-/*
- * Create a new entropy object.
- */
-
-void
-isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp);
-/*
- * Attaches to an entropy object.
- */
-
-void
-isc_entropy_detach(isc_entropy_t **entp);
-/*
- * Detaches from an entropy object.
- */
-
-isc_result_t
-isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
-/*
- * Create a new entropy source from a file.
- *
- * The file is assumed to contain good randomness, and will be mixed directly
- * into the pool with every byte adding 8 bits of entropy.
- *
- * The file will be put into non-blocking mode, so it may be a device file,
- * such as /dev/random. /dev/urandom should not be used here if it can
- * be avoided, since it will always provide data even if it isn't good.
- * We will make as much pseudorandom data as we need internally if our
- * caller asks for it.
- *
- * If we hit end-of-file, we will stop reading from this source. Callers
- * who require strong random data will get failure when our pool drains.
- * The file will never be opened/read again once EOF is reached.
- */
-
-void
-isc_entropy_destroysource(isc_entropysource_t **sourcep);
-/*
- * Removes an entropy source from the entropy system.
- */
-
-isc_result_t
-isc_entropy_createsamplesource(isc_entropy_t *ent,
- isc_entropysource_t **sourcep);
-/*
- * Create an entropy source that consists of samples. Each sample is added
- * to the source via isc_entropy_addsamples(), below.
- */
-
-isc_result_t
-isc_entropy_createcallbacksource(isc_entropy_t *ent,
- isc_entropystart_t start,
- isc_entropyget_t get,
- isc_entropystop_t stop,
- void *arg,
- isc_entropysource_t **sourcep);
-/*
- * Create an entropy source that is polled via a callback. This would
- * be used when keyboard input is used, or a GUI input method. It can
- * also be used to hook in any external entropy source.
- *
- * Samples are added via isc_entropy_addcallbacksample(), below.
- * _addcallbacksample() is the only function which may be called from
- * within an entropy API callback function.
- */
-
-void
-isc_entropy_stopcallbacksources(isc_entropy_t *ent);
-/*
- * Call the stop functions for callback sources that have had their
- * start functions called.
- */
-
-isc_result_t
-isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample,
- isc_uint32_t extra);
-isc_result_t
-isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
- isc_uint32_t extra);
-/*
- * Add a sample to the sample source. The sample MUST be a timestamp
- * that increases over time, with the exception of wrap-around for
- * extremely high resolution timers which will quickly wrap-around
- * a 32-bit integer.
- *
- * The "extra" parameter is used only to add a bit more unpredictable
- * data. It is not used other than included in the hash of samples.
- *
- * When in an entropy API callback function, _addcallbacksource() must be
- * used. At all other times, _addsample() must be used.
- */
-
-isc_result_t
-isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
- unsigned int *returned, unsigned int flags);
-/*
- * Extract data from the entropy pool. This may load the pool from various
- * sources.
- */
-
-void
-isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
- isc_uint32_t entropy);
-/*
- * Add "length" bytes in "data" to the entropy pool, incrementing the pool's
- * entropy count by "entropy."
- *
- * These bytes will prime the pseudorandom portion even no entropy is actually
- * added.
- */
-
-void
-isc_entropy_stats(isc_entropy_t *ent, FILE *out);
-/*
- * Dump some (trivial) stats to the stdio stream "out".
- */
-
-isc_result_t
-isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
- const char *randomfile, int use_keyboard);
-/*
- * Use whatever source of entropy is best.
- *
- * Notes:
- * If "randomfile" is not NULL, open it with
- * isc_entropy_createfilesource().
- *
- * If "randomfile" is NULL and the system's random device was detected
- * when the program was configured and built, open that device with
- * isc_entropy_createfilesource().
- *
- * If "use_keyboard" is ISC_ENTROPY_KEYBOARDYES, then always open
- * the keyboard as an entropy source (possibly in addition to
- * "randomfile" or the random device).
- *
- * If "use_keyboard" is ISC_ENTROPY_KEYBOARDMAYBE, open the keyboard only
- * if opening the random file/device fails. A message will be
- * printed describing the need for keyboard input.
- *
- * If "use_keyboard" is ISC_ENTROPY_KEYBOARDNO, the keyboard will
- * never be opened.
- *
- * Returns:
- * ISC_R_SUCCESS if at least one source of entropy could be started.
- *
- * ISC_R_NOENTROPY if use_keyboard is ISC_ENTROPY_KEYBOARDNO and
- * there is no random device pathname compiled into the program.
- *
- * A return code from isc_entropy_createfilesource() or
- * isc_entropy_createcallbacksource().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ENTROPY_H */
diff --git a/contrib/bind9/lib/isc/include/isc/error.h b/contrib/bind9/lib/isc/include/isc/error.h
deleted file mode 100644
index 6142926270cb..000000000000
--- a/contrib/bind9/lib/isc/include/isc/error.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: error.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
-
-#ifndef ISC_ERROR_H
-#define ISC_ERROR_H 1
-
-#include <stdarg.h>
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef void (*isc_errorcallback_t)(const char *, int, const char *, va_list);
-
-void
-isc_error_setunexpected(isc_errorcallback_t);
-
-void
-isc_error_setfatal(isc_errorcallback_t);
-
-void
-isc_error_unexpected(const char *, int, const char *, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-void
-isc_error_fatal(const char *, int, const char *, ...)
- ISC_FORMAT_PRINTF(3, 4);
-
-void
-isc_error_runtimecheck(const char *, int, const char *);
-
-#define ISC_ERROR_RUNTIMECHECK(cond) \
- ((void) ((cond) || \
- ((isc_error_runtimecheck)(__FILE__, __LINE__, #cond), 0)))
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ERROR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/event.h b/contrib/bind9/lib/isc/include/isc/event.h
deleted file mode 100644
index 58ef2c32849f..000000000000
--- a/contrib/bind9/lib/isc/include/isc/event.h
+++ /dev/null
@@ -1,115 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: event.h,v 1.24.2.2.8.2 2004/04/15 02:10:41 marka Exp $ */
-
-#ifndef ISC_EVENT_H
-#define ISC_EVENT_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*****
- ***** Events.
- *****/
-
-typedef void (*isc_eventdestructor_t)(isc_event_t *);
-
-#define ISC_EVENT_COMMON(ltype) \
- size_t ev_size; \
- unsigned int ev_attributes; \
- void * ev_tag; \
- isc_eventtype_t ev_type; \
- isc_taskaction_t ev_action; \
- void * ev_arg; \
- void * ev_sender; \
- isc_eventdestructor_t ev_destroy; \
- void * ev_destroy_arg; \
- ISC_LINK(ltype) ev_link
-
-/*
- * Attributes matching a mask of 0x000000ff are reserved for the task library's
- * definition. Attributes of 0xffffff00 may be used by the application
- * or non-ISC libraries.
- */
-#define ISC_EVENTATTR_NOPURGE 0x00000001
-
-/*
- * The ISC_EVENTATTR_CANCELED attribute is intended to indicate
- * that an event is delivered as a result of a canceled operation
- * rather than successful completion, by mutual agreement
- * between the sender and receiver. It is not set or used by
- * the task system.
- */
-#define ISC_EVENTATTR_CANCELED 0x00000002
-
-#define ISC_EVENT_INIT(event, sz, at, ta, ty, ac, ar, sn, df, da) \
-do { \
- (event)->ev_size = (sz); \
- (event)->ev_attributes = (at); \
- (event)->ev_tag = (ta); \
- (event)->ev_type = (ty); \
- (event)->ev_action = (ac); \
- (event)->ev_arg = (ar); \
- (event)->ev_sender = (sn); \
- (event)->ev_destroy = (df); \
- (event)->ev_destroy_arg = (da); \
- ISC_LINK_INIT((event), ev_link); \
-} while (0)
-
-/*
- * This structure is public because "subclassing" it may be useful when
- * defining new event types.
- */
-struct isc_event {
- ISC_EVENT_COMMON(struct isc_event);
-};
-
-#define ISC_EVENTTYPE_FIRSTEVENT 0x00000000
-#define ISC_EVENTTYPE_LASTEVENT 0xffffffff
-
-#define ISC_EVENT_PTR(p) ((isc_event_t **)(void *)(p))
-
-ISC_LANG_BEGINDECLS
-
-isc_event_t *
-isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
- isc_taskaction_t action, const void *arg, size_t size);
-/*
- * Allocate and initialize in a structure with initial elements
- * defined by:
- *
- * struct {
- * ISC_EVENT_COMMON(struct isc_event);
- * ...
- * };
- *
- * Requires:
- * 'size' >= sizeof(struct isc_event)
- * 'action' to be non NULL
- *
- * Returns:
- * a pointer to a initialized structure of the requested size.
- * NULL if unable to allocate memory.
- */
-
-void
-isc_event_free(isc_event_t **);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_EVENT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/eventclass.h b/contrib/bind9/lib/isc/include/isc/eventclass.h
deleted file mode 100644
index a783d35cf49f..000000000000
--- a/contrib/bind9/lib/isc/include/isc/eventclass.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: eventclass.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
-
-#ifndef ISC_EVENTCLASS_H
-#define ISC_EVENTCLASS_H 1
-
-/*****
- ***** Registry of Predefined Event Type Classes
- *****/
-
-/*
- * An event class is an unsigned 16 bit number. Each class may contain up
- * to 65536 events. An event type is formed by adding the event number
- * within the class to the class number.
- */
-
-#define ISC_EVENTCLASS(eclass) ((eclass) << 16)
-
-/*
- * Classes < 1024 are reserved for ISC use.
- */
-
-#define ISC_EVENTCLASS_TASK ISC_EVENTCLASS(0)
-#define ISC_EVENTCLASS_TIMER ISC_EVENTCLASS(1)
-#define ISC_EVENTCLASS_SOCKET ISC_EVENTCLASS(2)
-#define ISC_EVENTCLASS_FILE ISC_EVENTCLASS(3)
-#define ISC_EVENTCLASS_DNS ISC_EVENTCLASS(4)
-#define ISC_EVENTCLASS_APP ISC_EVENTCLASS(5)
-#define ISC_EVENTCLASS_OMAPI ISC_EVENTCLASS(6)
-#define ISC_EVENTCLASS_RATELIMITER ISC_EVENTCLASS(7)
-#define ISC_EVENTCLASS_ISCCC ISC_EVENTCLASS(8)
-
-/*
- * Event classes >= 1024 and <= 65535 are reserved for application use.
- */
-
-#endif /* ISC_EVENTCLASS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/file.h b/contrib/bind9/lib/isc/include/isc/file.h
deleted file mode 100644
index 6de6c8a82f20..000000000000
--- a/contrib/bind9/lib/isc/include/isc/file.h
+++ /dev/null
@@ -1,252 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: file.h,v 1.24.12.3 2004/03/08 09:04:51 marka Exp $ */
-
-#ifndef ISC_FILE_H
-#define ISC_FILE_H 1
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_file_settime(const char *file, isc_time_t *time);
-
-isc_result_t
-isc_file_getmodtime(const char *file, isc_time_t *time);
-/*
- * Get the time of last modication of a file.
- *
- * Notes:
- * The time that is set is relative to the (OS-specific) epoch, as are
- * all isc_time_t structures.
- *
- * Requires:
- * file != NULL.
- * time != NULL.
- *
- * Ensures:
- * If the file could not be accessed, 'time' is unchanged.
- *
- * Returns:
- * ISC_R_SUCCESS
- * Success.
- * ISC_R_NOTFOUND
- * No such file exists.
- * ISC_R_INVALIDFILE
- * The path specified was not usable by the operating system.
- * ISC_R_NOPERM
- * The file's metainformation could not be retrieved because
- * permission was denied to some part of the file's path.
- * ISC_R_EIO
- * Hardware error interacting with the filesystem.
- * ISC_R_UNEXPECTED
- * Something totally unexpected happened.
- *
- */
-
-isc_result_t
-isc_file_mktemplate(const char *path, char *buf, size_t buflen);
-/*
- * Generate a template string suitable for use with isc_file_openunique.
- *
- * Notes:
- * This function is intended to make creating temporary files
- * portable between different operating systems.
- *
- * The path is prepended to an implementation-defined string and
- * placed into buf. The string has no path characters in it,
- * and its maximum length is 14 characters plus a NUL. Thus
- * buflen should be at least strlen(path) + 15 characters or
- * an error will be returned.
- *
- * Requires:
- * buf != NULL.
- *
- * Ensures:
- * If result == ISC_R_SUCCESS:
- * buf contains a string suitable for use as the template argument
- * to isc_file_openunique.
- *
- * If result != ISC_R_SUCCESS:
- * buf is unchanged.
- *
- * Returns:
- * ISC_R_SUCCESS Success.
- * ISC_R_NOSPACE buflen indicates buf is too small for the catenation
- * of the path with the internal template string.
- */
-
-
-isc_result_t
-isc_file_openunique(char *templet, FILE **fp);
-/*
- * Create and open a file with a unique name based on 'templet'.
- *
- * Notes:
- * 'template' is a reserved work in C++. If you want to complain
- * about the spelling of 'templet', first look it up in the
- * Merriam-Webster English dictionary. (http://www.m-w.com/)
- *
- * This function works by using the template to generate file names.
- * The template must be a writable string, as it is modified in place.
- * Trailing X characters in the file name (full file name on Unix,
- * basename on Win32 -- eg, tmp-XXXXXX vs XXXXXX.tmp, respectively)
- * are replaced with ASCII characters until a non-existent filename
- * is found. If the template does not include pathname information,
- * the files in the working directory of the program are searched.
- *
- * isc_file_mktemplate is a good, portable way to get a template.
- *
- * Requires:
- * 'fp' is non-NULL and '*fp' is NULL.
- *
- * 'template' is non-NULL, and of a form suitable for use by
- * the system as described above.
- *
- * Ensures:
- * If result is ISC_R_SUCCESS:
- * *fp points to an stream opening in stdio's "w+" mode.
- *
- * If result is not ISC_R_SUCCESS:
- * *fp is NULL.
- *
- * No file is open. Even if one was created (but unable
- * to be reopened as a stdio FILE pointer) then it has been
- * removed.
- *
- * This function does *not* ensure that the template string has not been
- * modified, even if the operation was unsuccessful.
- *
- * Returns:
- * ISC_R_SUCCESS
- * Success.
- * ISC_R_EXISTS
- * No file with a unique name could be created based on the
- * template.
- * ISC_R_INVALIDFILE
- * The path specified was not usable by the operating system.
- * ISC_R_NOPERM
- * The file could not be created because permission was denied
- * to some part of the file's path.
- * ISC_R_EIO
- * Hardware error interacting with the filesystem.
- * ISC_R_UNEXPECTED
- * Something totally unexpected happened.
- */
-
-isc_result_t
-isc_file_remove(const char *filename);
-/*
- * Remove the file named by 'filename'.
- */
-
-isc_result_t
-isc_file_rename(const char *oldname, const char *newname);
-/*
- * Rename the file 'oldname' to 'newname'.
- */
-
-isc_boolean_t
-isc_file_exists(const char *pathname);
-/*
- * Return ISC_TRUE iff the calling process can tell that the given file exists.
- * Will not return true if the calling process has insufficient privileges
- * to search the entire path.
- */
-
-isc_boolean_t
-isc_file_isabsolute(const char *filename);
-/*
- * Return ISC_TRUE iff the given file name is absolute.
- */
-
-isc_boolean_t
-isc_file_iscurrentdir(const char *filename);
-/*
- * Return ISC_TRUE iff the given file name is the current directory (".").
- */
-
-isc_boolean_t
-isc_file_ischdiridempotent(const char *filename);
-/*
- * Return ISC_TRUE if calling chdir(filename) multiple times will give
- * the same result as calling it once.
- */
-
-const char *
-isc_file_basename(const char *filename);
-/*
- * Return the final component of the path in the file name.
- */
-
-isc_result_t
-isc_file_progname(const char *filename, char *buf, size_t buflen);
-/*
- * Given an operating system specific file name "filename"
- * referring to a program, return the canonical program name.
- * Any directory prefix or executable file name extension (if
- * used on the OS in case) is stripped. On systems where program
- * names are case insensitive, the name is canonicalized to all
- * lower case. The name is written to 'buf', an array of 'buflen'
- * chars, and null terminated.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE The name did not fit in 'buf'.
- */
-
-isc_result_t
-isc_file_template(const char *path, const char *templet, char *buf,
- size_t buflen);
-/*
- * Create an OS specific template using 'path' to define the directory
- * 'templet' to describe the filename and store the result in 'buf'
- * such that path can be renamed to buf atomically.
- */
-
-isc_result_t
-isc_file_renameunique(const char *file, char *templet);
-/*
- * Rename 'file' using 'templet' as a template for the new file name.
- */
-
-isc_result_t
-isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
-/*
- * Given a file name, return the fully qualified path to the file.
- */
-
-/*
- * XXX We should also have a isc_file_writeeopen() function
- * for safely open a file in a publicly writable directory
- * (see write_open() in BIND 8's ns_config.c).
- */
-
-isc_result_t
-isc_file_truncate(const char *filename, isc_offset_t size);
-/*
- * Truncate/extend the file specified to 'size' bytes.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_FILE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/formatcheck.h b/contrib/bind9/lib/isc/include/isc/formatcheck.h
deleted file mode 100644
index a7f26c15acab..000000000000
--- a/contrib/bind9/lib/isc/include/isc/formatcheck.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: formatcheck.h,v 1.6.206.1 2004/03/06 08:14:41 marka Exp $ */
-
-#ifndef ISC_FORMATCHECK_H
-#define ISC_FORMATCHECK_H 1
-
-/*
- * fmt is the location of the format string parameter.
- * args is the location of the first argument (or 0 for no argument checking).
- * Note: the first parameter is 1, not 0.
- */
-#ifdef __GNUC__
-#define ISC_FORMAT_PRINTF(fmt, args) __attribute__((__format__(__printf__, fmt, args)))
-#else
-#define ISC_FORMAT_PRINTF(fmt, args)
-#endif
-
-#endif /* ISC_FORMATCHECK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/fsaccess.h b/contrib/bind9/lib/isc/include/isc/fsaccess.h
deleted file mode 100644
index 0f0c8ceb57b8..000000000000
--- a/contrib/bind9/lib/isc/include/isc/fsaccess.h
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fsaccess.h,v 1.7.206.1 2004/03/06 08:14:41 marka Exp $ */
-
-#ifndef ISC_FSACCESS_H
-#define ISC_FSACCESS_H 1
-
-/*
- * The ISC filesystem access module encapsulates the setting of file
- * and directory access permissions into one API that is meant to be
- * portable to multiple operating systems.
- *
- * The two primary operating system flavors that are initially accomodated are
- * POSIX and Windows NT 4.0 and later. The Windows NT access model is
- * considerable more flexible than POSIX's model (as much as I am loathe to
- * admit it), and so the ISC API has a higher degree of complexity than would
- * be needed to simply address POSIX's needs.
- *
- * The full breadth of NT's flexibility is not available either, for the
- * present time. Much of it is to provide compatibility with what Unix
- * programmers are expecting. This is also due to not yet really needing all
- * of the functionality of an NT system (or, for that matter, a POSIX system)
- * in BIND9, and so resolving how to handle the various incompatibilities has
- * been a purely theoretical exercise with no operational experience to
- * indicate how flawed the thinking may be.
- *
- * Some of the more notable dumbing down of NT for this API includes:
- *
- * o Each of FILE_READ_DATA and FILE_READ_EA are set with ISC_FSACCESS_READ.
- *
- * o All of FILE_WRITE_DATA, FILE_WRITE_EA and FILE_APPEND_DATA are
- * set with ISC_FSACCESS_WRITE. FILE_WRITE_ATTRIBUTES is not set
- * so as to be consistent with Unix, where only the owner of the file
- * or the superuser can change the attributes/mode of a file.
- *
- * o Both of FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY are set with
- * ISC_FSACCESS_CREATECHILD. This is similar to setting the WRITE
- * permission on a Unix directory.
- *
- * o SYNCHRONIZE is always set for files and directories, unless someone
- * can give me a reason why this is a bad idea.
- *
- * o READ_CONTROL and FILE_READ_ATTRIBUTES are always set; this is
- * consistent with Unix, where any file or directory can be stat()'d
- * unless the directory path disallows complete access somewhere along
- * the way.
- *
- * o WRITE_DAC is only set for the owner. This too is consistent with
- * Unix, and is tighter security than allowing anyone else to be
- * able to set permissions.
- *
- * o DELETE is only set for the owner. On Unix the ability to delete
- * a file is controlled by the directory permissions, but it isn't
- * currently clear to me what happens on NT if the directory has
- * FILE_DELETE_CHILD set but a file within it does not have DELETE
- * set. Always setting DELETE on the file/directory for the owner
- * gives maximum flexibility to the owner without exposing the
- * file to deletion by others.
- *
- * o WRITE_OWNER is never set. This too is consistent with Unix,
- * and is also tighter security than allowing anyone to change the
- * ownership of the file apart from the superu..ahem, Administrator.
- *
- * o Inheritance is set to NO_INHERITANCE.
- *
- * Unix's dumbing down includes:
- *
- * o The sticky bit cannot be set.
- *
- * o setuid and setgid cannot be set.
- *
- * o Only regular files and directories can be set.
- *
- * The rest of this comment discusses a few of the incompatibilities
- * between the two systems that need more thought if this API is to
- * be extended to accomodate them.
- *
- * The Windows standard access right "DELETE" doesn't have a direct
- * equivalent in the Unix world, so it isn't clear what should be done
- * with it.
- *
- * The Unix sticky bit is not supported. While NT does have a concept
- * of allowing users to create files in a directory but not delete or
- * rename them, it does not have a concept of allowing them to be deleted
- * if they are owned by the user trying to delete/rename. While it is
- * probable that something could be cobbled together in NT 5 with inheritence,
- * it can't really be done in NT 4 as a single property that you could
- * set on a directory. You'd need to coordinate something with file creation
- * so that every file created had DELETE set for the owner but noone else.
- *
- * On Unix systems, setting ISC_FSACCESS_LISTDIRECTORY sets READ.
- * ... setting either of ISC_FSACCESS_(CREATE|DELETE)CHILD sets WRITE.
- * ... setting ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
- *
- * On NT systems, setting ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
- * ... setting ISC_FSACCESS_(CREATE|DELETE)CHILD sets
- * FILE_(CREATE|DELETE)_CHILD independently.
- * ... setting ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
- *
- * Unresolved: XXXDCL
- * What NT access right controls the ability to rename a file?
- * How does DELETE work? If a directory has FILE_DELETE_CHILD but a
- * file or directory within it does not have DELETE, is that file
- * or directory deletable?
- * To implement isc_fsaccess_get(), mapping an existing Unix permission
- * mode_t back to an isc_fsaccess_t is pretty trivial; however, mapping
- * an NT DACL could be impossible to do in a responsible way.
- * Similarly, trying to implement the functionality of being able to
- * say "add group writability to whatever permissions already exist"
- * could be tricky on NT because of the order-of-entry issue combined
- * with possibly having one or more matching ACEs already explicitly
- * granting or denying access. Because this functionality is
- * not yet needed by the ISC, no code has been written to try to
- * solve this problem.
- */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*
- * Trustees.
- */
-#define ISC_FSACCESS_OWNER 0x1 /* User account. */
-#define ISC_FSACCESS_GROUP 0x2 /* Primary group owner. */
-#define ISC_FSACCESS_OTHER 0x4 /* Not the owner or the group owner. */
-#define ISC_FSACCESS_WORLD 0x7 /* User, Group, Other. */
-
-/*
- * Types of permission.
- */
-#define ISC_FSACCESS_READ 0x00000001 /* File only. */
-#define ISC_FSACCESS_WRITE 0x00000002 /* File only. */
-#define ISC_FSACCESS_EXECUTE 0x00000004 /* File only. */
-#define ISC_FSACCESS_CREATECHILD 0x00000008 /* Dir only. */
-#define ISC_FSACCESS_DELETECHILD 0x00000010 /* Dir only. */
-#define ISC_FSACCESS_LISTDIRECTORY 0x00000020 /* Dir only. */
-#define ISC_FSACCESS_ACCESSCHILD 0x00000040 /* Dir only. */
-
-/*
- * Adding any permission bits beyond 0x200 would mean typedef'ing
- * isc_fsaccess_t as isc_uint64_t, and redefining this value to
- * reflect the new range of permission types, Probably to 21 for
- * maximum flexibility. The number of bits has to accomodate all of
- * the permission types, and three full sets of them have to fit
- * within an isc_fsaccess_t.
- */
-#define ISC__FSACCESS_PERMISSIONBITS 10
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access);
-
-void
-isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access);
-
-isc_result_t
-isc_fsaccess_set(const char *path, isc_fsaccess_t access);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_FSACCESS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hash.h b/contrib/bind9/lib/isc/include/isc/hash.h
deleted file mode 100644
index b94142b48e20..000000000000
--- a/contrib/bind9/lib/isc/include/isc/hash.h
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hash.h,v 1.2.2.1.2.2 2004/03/06 08:14:41 marka Exp $ */
-
-#ifndef ISC_HASH_H
-#define ISC_HASH_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Hash
- *
- * The hash API
- *
- * Provides an unpredictable hash value for variable length data.
- * A hash object contains a random vector (which is hidden from clients
- * of this API) to make the actual hash value unpredictable.
- *
- * The algorithm used in the API guarantees the probability of hash
- * collision; in the current implementation, as long as the values stored
- * in the random vector are unpredictable, the probability of hash
- * collision between arbitrary two different values is at most 1/2^16.
- *
- * Altough the API is generic about the hash keys, it mainly expects
- * DNS names (and sometimes IPv4/v6 addresses) as inputs. It has an
- * upper limit of the input length, and may run slow to calculate the
- * hash values for large inputs.
- *
- * This API is designed to be general so that it can provide multiple
- * different hash contexts that have different random vectors. However,
- * it should be typical to have a single context for an entire system.
- * To support such cases, the API also provides a single-context mode.
- *
- * MP:
- * The hash object is almost read-only. Once the internal random vector
- * is initialized, no write operation will occur, and there will be no
- * need to lock the object to calculate actual hash values.
- *
- * Reliability:
- * In some cases this module uses low-level data copy to initialize the
- * random vector. Errors in this part are likely to crash the server or
- * corrupt memory.
- *
- * Resources:
- * A buffer, used as a random vector for calculating hash values.
- *
- * Security:
- * This module intends to provide unpredictable hash values in
- * adversarial environments in order to avoid denial of service attacks
- * to hash buckets.
- * Its unpredictability relies on the quality of entropy to build the
- * random vector.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/types.h>
-
-/***
- *** Functions
- ***/
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy, unsigned int limit,
- isc_hash_t **hctx);
-isc_result_t
-isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit);
-/*
- * Create a new hash object.
- *
- * isc_hash_ctxcreate() creates a different object.
- * isc_hash_create() creates a module-internal object to support the
- * single-context mode. It should be called only once.
- *
- * 'entropy' must be NULL or a valid entropy object. If 'entropy' is NULL,
- * pseudo random values will be used to build the random vector, which may
- * weaken security.
- *
- * 'limit' specifies the maximum number of hash keys. If it is too large,
- * these functions may fail.
- */
-
-void
-isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp);
-/*
- * Attach to a hash object.
- * This function is only necessary for the multiple-context mode.
- */
-
-void
-isc_hash_ctxdetach(isc_hash_t **hctxp);
-/*
- * Detach from a hash object.
- *
- * This function is for the multiple-context mode, and takes a valid
- * hash object as an argument.
- */
-
-void
-isc_hash_destroy(void);
-/*
- * This function is for the single-context mode, and is expected to be used
- * as a counterpart of isc_hash_create().
- * A valid module-internal hash object must have been created, and this
- * function should be called only once.
- */
-
-void
-isc_hash_ctxinit(isc_hash_t *hctx);
-void
-isc_hash_init(void);
-/*
- * Initialize a hash object. It fills in the random vector with a proper
- * source of entropy, which is typically from the entropy object specified
- * at the creation. Thus, it is desirable to call these functions after
- * initializing the entropy object with some good entropy sources.
- *
- * These functions should be called before the first hash calculation.
- *
- * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
- * object as an argument.
- * isc_hash_init() is for the single-context mode. A valid module-internal
- * hash object must have been created, and this function should be called only
- * once.
- */
-
-unsigned int
-isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
- unsigned int keylen, isc_boolean_t case_sensitive);
-unsigned int
-isc_hash_calc(const unsigned char *key, unsigned int keylen,
- isc_boolean_t case_sensitive);
-/*
- * Calculate a hash value.
- *
- * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
- * object as an argument.
- * isc_hash_init() is for the single-context mode. A valid module-internal
- * hash object must have been created.
- *
- * 'key' is the hash key, which is a variable length buffer.
- * 'keylen' specifies the key length, which must not be larger than the limit
- * specified for the corresponding hash object.
- *
- * 'case_sensitive' specifies whether the hash key should be treated as
- * case_sensitive values. It should typically be ISC_FALSE if the hash key
- * is a DNS name.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HASH_H */
diff --git a/contrib/bind9/lib/isc/include/isc/heap.h b/contrib/bind9/lib/isc/include/isc/heap.h
deleted file mode 100644
index 5ebf40471e22..000000000000
--- a/contrib/bind9/lib/isc/include/isc/heap.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: heap.h,v 1.16.206.1 2004/03/06 08:14:41 marka Exp $ */
-
-#ifndef ISC_HEAP_H
-#define ISC_HEAP_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * The comparision function returns ISC_TRUE if the first argument has
- * higher priority than the second argument, and ISC_FALSE otherwise.
- */
-typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
-
-typedef void (*isc_heapindex_t)(void *, unsigned int);
-typedef void (*isc_heapaction_t)(void *, void *);
-
-typedef struct isc_heap isc_heap_t;
-
-isc_result_t isc_heap_create(isc_mem_t *, isc_heapcompare_t,
- isc_heapindex_t, unsigned int, isc_heap_t **);
-void isc_heap_destroy(isc_heap_t **);
-isc_result_t isc_heap_insert(isc_heap_t *, void *);
-void isc_heap_delete(isc_heap_t *, unsigned int);
-void isc_heap_increased(isc_heap_t *, unsigned int);
-void isc_heap_decreased(isc_heap_t *, unsigned int);
-void * isc_heap_element(isc_heap_t *, unsigned int);
-void isc_heap_foreach(isc_heap_t *, isc_heapaction_t, void *);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HEAP_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hex.h b/contrib/bind9/lib/isc/include/isc/hex.h
deleted file mode 100644
index cf7dfd0e7994..000000000000
--- a/contrib/bind9/lib/isc/include/isc/hex.h
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hex.h,v 1.4.206.1 2004/03/06 08:14:41 marka Exp $ */
-
-#ifndef ISC_HEX_H
-#define ISC_HEX_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_hex_totext(isc_region_t *source, int wordlength,
- const char *wordbreak, isc_buffer_t *target);
-/*
- * Convert data into hex encoded text.
- *
- * Notes:
- * The hex encoded text in 'target' will be divided into
- * words of at most 'wordlength' characters, separated by
- * the 'wordbreak' string. No parentheses will surround
- * the text.
- *
- * Requires:
- * 'source' is a region containing binary data
- * 'target' is a text buffer containing available space
- * 'wordbreak' points to a null-terminated string of
- * zero or more whitespace characters
- *
- * Ensures:
- * target will contain the hex encoded version of the data
- * in source. The 'used' pointer in target will be advanced as
- * necessary.
- */
-
-isc_result_t
-isc_hex_decodestring(char *cstr, isc_buffer_t *target);
-/*
- * Decode a null-terminated hex string.
- *
- * Requires:
- * 'cstr' is non-null.
- * 'target' is a valid buffer.
- *
- * Returns:
- * ISC_R_SUCCESS -- the entire decoded representation of 'cstring'
- * fit in 'target'.
- * ISC_R_BADHEX -- 'cstr' is not a valid hex encoding.
- *
- * Other error returns are any possible error code from:
- * isc_lex_create(),
- * isc_lex_openbuffer(),
- * isc_hex_tobuffer().
- */
-
-isc_result_t
-isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
-/*
- * Convert hex encoded text from a lexer context into data.
- *
- * Requires:
- * 'lex' is a valid lexer context
- * 'target' is a buffer containing binary data
- * 'length' is an integer
- *
- * Ensures:
- * target will contain the data represented by the hex encoded
- * string parsed by the lexer. No more than length bytes will be read,
- * if length is positive. The 'used' pointer in target will be
- * advanced as necessary.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HEX_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hmacmd5.h b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
deleted file mode 100644
index 6e8647fa5334..000000000000
--- a/contrib/bind9/lib/isc/include/isc/hmacmd5.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: hmacmd5.h,v 1.4.206.1 2004/03/06 08:14:42 marka Exp $ */
-
-/*
- * This is the header file for the HMAC-MD5 keyed hash algorithm
- * described in RFC 2104.
- */
-
-#ifndef ISC_HMACMD5_H
-#define ISC_HMACMD5_H 1
-
-#include <isc/lang.h>
-#include <isc/md5.h>
-#include <isc/types.h>
-
-#define ISC_HMACMD5_KEYLENGTH 64
-
-typedef struct {
- isc_md5_t md5ctx;
- unsigned char key[ISC_HMACMD5_KEYLENGTH];
-} isc_hmacmd5_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
- unsigned int len);
-
-void
-isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx);
-
-void
-isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
- unsigned int len);
-
-void
-isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest);
-
-isc_boolean_t
-isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_HMACMD5_H */
diff --git a/contrib/bind9/lib/isc/include/isc/interfaceiter.h b/contrib/bind9/lib/isc/include/isc/interfaceiter.h
deleted file mode 100644
index 3a9b21bac3c7..000000000000
--- a/contrib/bind9/lib/isc/include/isc/interfaceiter.h
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfaceiter.h,v 1.10.206.1 2004/03/06 08:14:42 marka Exp $ */
-
-#ifndef ISC_INTERFACEITER_H
-#define ISC_INTERFACEITER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Interface iterator
- *
- * Iterate over the list of network interfaces.
- *
- * Interfaces whose address family is not supported are ignored and never
- * returned by the iterator. Interfaces whose netmask, interface flags,
- * or similar cannot be obtained are also ignored, and the failure is logged.
- *
- * Standards:
- * The API for scanning varies greatly among operating systems.
- * This module attempts to hide the differences.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/netaddr.h>
-#include <isc/types.h>
-
-/*
- * Public structure describing a network interface.
- */
-
-struct isc_interface {
- char name[32]; /* Interface name, null-terminated. */
- unsigned int af; /* Address family. */
- isc_netaddr_t address; /* Local address. */
- isc_netaddr_t netmask; /* Network mask. */
- isc_netaddr_t dstaddress; /* Destination address
- (point-to-point only). */
- isc_uint32_t flags; /* Flags; see below. */
-};
-
-/* Interface flags. */
-
-#define INTERFACE_F_UP 0x00000001U
-#define INTERFACE_F_POINTTOPOINT 0x00000002U
-#define INTERFACE_F_LOOPBACK 0x00000004U
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp);
-/*
- * Create an iterator for traversing the operating system's list
- * of network interfaces.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * Various network-related errors
- */
-
-isc_result_t
-isc_interfaceiter_first(isc_interfaceiter_t *iter);
-/*
- * Position the iterator on the first interface.
- *
- * Returns:
- * ISC_R_SUCCESS Success.
- * ISC_R_NOMORE There are no interfaces.
- */
-
-isc_result_t
-isc_interfaceiter_current(isc_interfaceiter_t *iter,
- isc_interface_t *ifdata);
-/*
- * Get information about the interface the iterator is currently
- * positioned at and store it at *ifdata.
- *
- * Requires:
- * The iterator has been successfully positioned using
- * isc_interface_iter_first() / isc_interface_iter_next().
- *
- * Returns:
- * ISC_R_SUCCESS Success.
- */
-
-isc_result_t
-isc_interfaceiter_next(isc_interfaceiter_t *iter);
-/*
- * Position the iterator on the next interface.
- *
- * Requires:
- * The iterator has been successfully positioned using
- * isc_interface_iter_first() / isc_interface_iter_next().
- *
- * Returns:
- * ISC_R_SUCCESS Success.
- * ISC_R_NOMORE There are no more interfaces.
- */
-
-void
-isc_interfaceiter_destroy(isc_interfaceiter_t **iterp);
-/*
- * Destroy the iterator.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_INTERFACEITER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/ipv6.h b/contrib/bind9/lib/isc/include/isc/ipv6.h
deleted file mode 100644
index 8b4b0eb31f6a..000000000000
--- a/contrib/bind9/lib/isc/include/isc/ipv6.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipv6.h,v 1.17.12.4 2004/03/09 05:21:09 marka Exp $ */
-
-#ifndef ISC_IPV6_H
-#define ISC_IPV6_H 1
-
-/*
- * Also define LWRES_IPV6_H to keep it from being included if liblwres is
- * being used, or redefinition errors will occur.
- */
-#define LWRES_IPV6_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * IPv6 definitions for systems which do not support IPv6.
- *
- * MP:
- * No impact.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * N/A.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * RFC 2553.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/int.h>
-#include <isc/platform.h>
-
-/***
- *** Types.
- ***/
-
-struct in6_addr {
- union {
- isc_uint8_t _S6_u8[16];
- isc_uint16_t _S6_u16[8];
- isc_uint32_t _S6_u32[4];
- } _S6_un;
-};
-#define s6_addr _S6_un._S6_u8
-#define s6_addr8 _S6_un._S6_u8
-#define s6_addr16 _S6_un._S6_u16
-#define s6_addr32 _S6_un._S6_u32
-
-#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
-#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
-
-LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
-LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
-
-struct sockaddr_in6 {
-#ifdef ISC_PLATFORM_HAVESALEN
- isc_uint8_t sin6_len;
- isc_uint8_t sin6_family;
-#else
- isc_uint16_t sin6_family;
-#endif
- isc_uint16_t sin6_port;
- isc_uint32_t sin6_flowinfo;
- struct in6_addr sin6_addr;
- isc_uint32_t sin6_scope_id;
-};
-
-#ifdef ISC_PLATFORM_HAVESALEN
-#define SIN6_LEN 1
-#endif
-
-/*
- * Unspecified
- */
-#define IN6_IS_ADDR_UNSPECIFIED(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] == 0))
-
-/*
- * Loopback
- */
-#define IN6_IS_ADDR_LOOPBACK(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] == htonl(1)))
-
-/*
- * IPv4 compatible
- */
-#define IN6_IS_ADDR_V4COMPAT(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] != 0) && \
- ((a)->s6_addr32[3] != htonl(1)))
-
-/*
- * Mapped
- */
-#define IN6_IS_ADDR_V4MAPPED(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == htonl(0x0000ffff)))
-
-/*
- * Multicast
- */
-#define IN6_IS_ADDR_MULTICAST(a) \
- ((a)->s6_addr8[0] == 0xffU)
-
-/*
- * Unicast link / site local.
- */
-#define IN6_IS_ADDR_LINKLOCAL(a) \
- (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
-#define IN6_IS_ADDR_SITELOCAL(a) \
- (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
-
-#endif /* ISC_IPV6_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lang.h b/contrib/bind9/lib/isc/include/isc/lang.h
deleted file mode 100644
index f94f12310a23..000000000000
--- a/contrib/bind9/lib/isc/include/isc/lang.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:14:42 marka Exp $ */
-
-#ifndef ISC_LANG_H
-#define ISC_LANG_H 1
-
-#ifdef __cplusplus
-#define ISC_LANG_BEGINDECLS extern "C" {
-#define ISC_LANG_ENDDECLS }
-#else
-#define ISC_LANG_BEGINDECLS
-#define ISC_LANG_ENDDECLS
-#endif
-
-#endif /* ISC_LANG_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lex.h b/contrib/bind9/lib/isc/include/isc/lex.h
deleted file mode 100644
index 29bdb2fed7ca..000000000000
--- a/contrib/bind9/lib/isc/include/isc/lex.h
+++ /dev/null
@@ -1,410 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lex.h,v 1.26.2.2.8.3 2004/03/08 09:04:51 marka Exp $ */
-
-#ifndef ISC_LEX_H
-#define ISC_LEX_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Lex
- *
- * The "lex" module provides a lightweight tokenizer. It can operate
- * on files or buffers, and can handle "include". It is designed for
- * parsing of DNS master files and the BIND configuration file, but
- * should be general enough to tokenize other things, e.g. HTTP.
- *
- * MP:
- * No synchronization is provided. Clients must ensure exclusive
- * access.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/region.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Options
- ***/
-
-/*
- * Various options for isc_lex_gettoken().
- */
-
-#define ISC_LEXOPT_EOL 0x01 /* Want end-of-line token. */
-#define ISC_LEXOPT_EOF 0x02 /* Want end-of-file token. */
-#define ISC_LEXOPT_INITIALWS 0x04 /* Want initial whitespace. */
-#define ISC_LEXOPT_NUMBER 0x08 /* Recognize numbers. */
-#define ISC_LEXOPT_QSTRING 0x10 /* Recognize qstrings. */
-
-/*
- * The ISC_LEXOPT_DNSMULTILINE option handles the processing of '(' and ')' in
- * the DNS master file format. If this option is set, then the
- * ISC_LEXOPT_INITIALWS and ISC_LEXOPT_EOL options will be ignored when
- * the paren count is > 0. To use this option, '(' and ')' must be special
- * characters.
- */
-#define ISC_LEXOPT_DNSMULTILINE 0x20 /* Handle '(' and ')'. */
-#define ISC_LEXOPT_NOMORE 0x40 /* Want "no more" token. */
-
-#define ISC_LEXOPT_CNUMBER 0x80 /* Regognise octal and hex */
-#define ISC_LEXOPT_ESCAPE 0x100 /* Recognize escapes. */
-#define ISC_LEXOPT_QSTRINGMULTILINE 0x200 /* Allow multiline "" strings */
-
-/*
- * Various commenting styles, which may be changed at any time with
- * isc_lex_setcomments().
- */
-
-#define ISC_LEXCOMMENT_C 0x01
-#define ISC_LEXCOMMENT_CPLUSPLUS 0x02
-#define ISC_LEXCOMMENT_SHELL 0x04
-#define ISC_LEXCOMMENT_DNSMASTERFILE 0x08
-
-/***
- *** Types
- ***/
-
-/* Lex */
-
-typedef char isc_lexspecials_t[256];
-
-/* Tokens */
-
-typedef enum {
- isc_tokentype_unknown = 0,
- isc_tokentype_string = 1,
- isc_tokentype_number = 2,
- isc_tokentype_qstring = 3,
- isc_tokentype_eol = 4,
- isc_tokentype_eof = 5,
- isc_tokentype_initialws = 6,
- isc_tokentype_special = 7,
- isc_tokentype_nomore = 8
-} isc_tokentype_t;
-
-typedef union {
- char as_char;
- unsigned long as_ulong;
- isc_region_t as_region;
- isc_textregion_t as_textregion;
- void * as_pointer;
-} isc_tokenvalue_t;
-
-typedef struct isc_token {
- isc_tokentype_t type;
- isc_tokenvalue_t value;
-} isc_token_t;
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp);
-/*
- * Create a lexer.
- *
- * 'max_token' is a hint of the number of bytes in the largest token.
- *
- * Requires:
- * '*lexp' is a valid lexer.
- *
- * max_token > 0.
- *
- * Ensures:
- * On success, *lexp is attached to the newly created lexer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- */
-
-void
-isc_lex_destroy(isc_lex_t **lexp);
-/*
- * Destroy the lexer.
- *
- * Requires:
- * '*lexp' is a valid lexer.
- *
- * Ensures:
- * *lexp == NULL
- */
-
-unsigned int
-isc_lex_getcomments(isc_lex_t *lex);
-/*
- * Return the current lexer commenting styles.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * Returns:
- * The commenting sytles which are currently allowed.
- */
-
-void
-isc_lex_setcomments(isc_lex_t *lex, unsigned int comments);
-/*
- * Set allowed lexer commenting styles.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * 'comments' has meaningful values.
- */
-
-void
-isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials);
-/*
- * Put the current list of specials into 'specials'.
- *
- * Requires:
- * 'lex' is a valid lexer.
- */
-
-void
-isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials);
-/*
- * The characters in 'specials' are returned as tokens. Along with
- * whitespace, they delimit strings and numbers.
- *
- * Note:
- * Comment processing takes precedence over special character
- * recognition.
- *
- * Requires:
- * 'lex' is a valid lexer.
- */
-
-isc_result_t
-isc_lex_openfile(isc_lex_t *lex, const char *filename);
-/*
- * Open 'filename' and make it the current input source for 'lex'.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * filename is a valid C string.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY Out of memory
- * ISC_R_NOTFOUND File not found
- * ISC_R_NOPERM No permission to open file
- * ISC_R_FAILURE Couldn't open file, not sure why
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_lex_openstream(isc_lex_t *lex, FILE *stream);
-/*
- * Make 'stream' the current input source for 'lex'.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * 'stream' is a valid C stream.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY Out of memory
- */
-
-isc_result_t
-isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer);
-/*
- * Make 'buffer' the current input source for 'lex'.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * 'buffer' is a valid buffer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY Out of memory
- */
-
-isc_result_t
-isc_lex_close(isc_lex_t *lex);
-/*
- * Close the most recently opened object (i.e. file or buffer).
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMORE No more input sources
- */
-
-isc_result_t
-isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp);
-/*
- * Get the next token.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * 'lex' has an input source.
- *
- * 'options' contains valid options.
- *
- * '*tokenp' is a valid pointer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_UNEXPECTEDEND
- * ISC_R_NOMEMORY
- *
- * These two results are returned only if their corresponding lexer
- * options are not set.
- *
- * ISC_R_EOF End of input source
- * ISC_R_NOMORE No more input sources
- */
-
-isc_result_t
-isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
- isc_tokentype_t expect, isc_boolean_t eol);
-/*
- * Get the next token from a DNS master file type stream. This is a
- * convenience function that sets appropriate options and handles quoted
- * strings and end of line correctly for master files. It also ungets
- * unexpected tokens.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * 'token' is a valid pointer
- *
- * Returns:
- *
- * any return code from isc_lex_gettoken.
- */
-
-void
-isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp);
-/*
- * Unget the current token.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * 'lex' has an input source.
- *
- * 'tokenp' points to a valid token.
- *
- * There is no ungotten token already.
- */
-
-void
-isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r);
-/*
- * Returns a region containing the text of the last token returned.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * 'lex' has an input source.
- *
- * 'tokenp' points to a valid token.
- *
- * A token has been gotten and not ungotten.
- */
-
-char *
-isc_lex_getsourcename(isc_lex_t *lex);
-/*
- * Return the input source name.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * Returns:
- * source name or NULL if no current source.
- * result valid while current input source exists.
- */
-
-
-unsigned long
-isc_lex_getsourceline(isc_lex_t *lex);
-/*
- * Return the input source line number.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * Returns:
- * Current line number or 0 if no current source.
- */
-
-isc_result_t
-isc_lex_setsourcename(isc_lex_t *lex, const char *name);
-/*
- * Assigns a new name to the input source.
- *
- * Requires:
- *
- * 'lex' is a valid lexer.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_NOTFOUND - there are no sources.
- */
-
-isc_boolean_t
-isc_lex_isfile(isc_lex_t *lex);
-/*
- * Return whether the current input source is a file.
- *
- * Requires:
- * 'lex' is a valid lexer.
- *
- * Returns:
- * ISC_TRUE if the current input is a file,
- * ISC_FALSE otherwise.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LEX_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lfsr.h b/contrib/bind9/lib/isc/include/isc/lfsr.h
deleted file mode 100644
index e562380cf9f1..000000000000
--- a/contrib/bind9/lib/isc/include/isc/lfsr.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lfsr.h,v 1.10.206.1 2004/03/06 08:14:43 marka Exp $ */
-
-#ifndef ISC_LFSR_H
-#define ISC_LFSR_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-typedef struct isc_lfsr isc_lfsr_t;
-
-/*
- * This function is called when reseeding is needed. It is allowed to
- * modify any state in the LFSR in any way it sees fit OTHER THAN "bits".
- *
- * It MUST set "count" to a new value or the lfsr will never reseed again.
- *
- * Also, a reseed will never occur in the middle of an extraction. This
- * is purely an optimization, and is probably what one would want.
- */
-typedef void (*isc_lfsrreseed_t)(isc_lfsr_t *, void *);
-
-/*
- * The members of this structure can be used by the application, but care
- * needs to be taken to not change state once the lfsr is in operation.
- */
-struct isc_lfsr {
- isc_uint32_t state; /* previous state */
- unsigned int bits; /* length */
- isc_uint32_t tap; /* bit taps */
- unsigned int count; /* reseed count (in BITS!) */
- isc_lfsrreseed_t reseed; /* reseed function */
- void *arg; /* reseed function argument */
-};
-
-ISC_LANG_BEGINDECLS
-
-/*
- * In all these functions it is important that the caller only use as many
- * bits as the LFSR has state. Also, it isn't guaranteed that an LFSR of
- * bit length 32 will have 2^32 unique states before repeating.
- */
-
-void
-isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
- isc_uint32_t tap, unsigned int count,
- isc_lfsrreseed_t reseed, void *arg);
-/*
- * Initialize an LFSR.
- *
- * Note:
- *
- * Putting untrusted values into this function will cause the LFSR to
- * generate (perhaps) non-maximal length sequences.
- *
- * Requires:
- *
- * lfsr != NULL
- *
- * 8 <= bits <= 32
- *
- * tap != 0
- */
-
-void
-isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
-/*
- * Returns "count" bytes of data from the LFSR.
- *
- * Requires:
- *
- * lfsr be valid.
- *
- * data != NULL.
- *
- * count > 0.
- */
-
-void
-isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
-/*
- * Skip "skip" states.
- *
- * Requires:
- *
- * lfsr be valid.
- */
-
-isc_uint32_t
-isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2);
-/*
- * Given two LFSRs, use the current state from each to skip entries in the
- * other. The next states are then xor'd together and returned.
- *
- * WARNING:
- *
- * This function is used only for very, very low security data, such
- * as DNS message IDs where it is desired to have an unpredictable
- * stream of bytes that are harder to predict than a simple flooding
- * attack.
- *
- * Notes:
- *
- * Since the current state from each of the LFSRs is used to skip
- * state in the other, it is important that no state be leaked
- * from either LFSR.
- *
- * Requires:
- *
- * lfsr1 and lfsr2 be valid.
- *
- * 1 <= skipbits <= 31
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LFSR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lib.h b/contrib/bind9/lib/isc/include/isc/lib.h
deleted file mode 100644
index 1ad449311fb2..000000000000
--- a/contrib/bind9/lib/isc/include/isc/lib.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:51 marka Exp $ */
-
-#ifndef ISC_LIB_H
-#define ISC_LIB_H 1
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBISC_EXTERNAL_DATA extern isc_msgcat_t *isc_msgcat;
-
-void
-isc_lib_initmsgcat(void);
-/*
- * Initialize the ISC library's message catalog, isc_msgcat, if it
- * has not already been initialized.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LIB_H */
diff --git a/contrib/bind9/lib/isc/include/isc/list.h b/contrib/bind9/lib/isc/include/isc/list.h
deleted file mode 100644
index 962336ada8a0..000000000000
--- a/contrib/bind9/lib/isc/include/isc/list.h
+++ /dev/null
@@ -1,180 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: list.h,v 1.18.2.2.8.1 2004/03/06 08:14:43 marka Exp $ */
-
-#ifndef ISC_LIST_H
-#define ISC_LIST_H 1
-#include <isc/boolean.h>
-#include <isc/assertions.h>
-
-#ifdef ISC_LIST_CHECKINIT
-#define ISC_LINK_INSIST(x) ISC_INSIST(x)
-#else
-#define ISC_LINK_INSIST(x)
-#endif
-
-#define ISC_LIST(type) struct { type *head, *tail; }
-#define ISC_LIST_INIT(list) \
- do { (list).head = NULL; (list).tail = NULL; } while (0)
-
-#define ISC_LINK(type) struct { type *prev, *next; }
-#define ISC_LINK_INIT_TYPE(elt, link, type) \
- do { \
- (elt)->link.prev = (type *)(-1); \
- (elt)->link.next = (type *)(-1); \
- } while (0)
-#define ISC_LINK_INIT(elt, link) \
- ISC_LINK_INIT_TYPE(elt, link, void)
-#define ISC_LINK_LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1))
-
-#define ISC_LIST_HEAD(list) ((list).head)
-#define ISC_LIST_TAIL(list) ((list).tail)
-#define ISC_LIST_EMPTY(list) ISC_TF((list).head == NULL)
-
-#define __ISC_LIST_PREPENDUNSAFE(list, elt, link) \
- do { \
- if ((list).head != NULL) \
- (list).head->link.prev = (elt); \
- else \
- (list).tail = (elt); \
- (elt)->link.prev = NULL; \
- (elt)->link.next = (list).head; \
- (list).head = (elt); \
- } while (0)
-
-#define ISC_LIST_PREPEND(list, elt, link) \
- do { \
- ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
- __ISC_LIST_PREPENDUNSAFE(list, elt, link); \
- } while (0)
-
-#define ISC_LIST_INITANDPREPEND(list, elt, link) \
- __ISC_LIST_PREPENDUNSAFE(list, elt, link)
-
-#define __ISC_LIST_APPENDUNSAFE(list, elt, link) \
- do { \
- if ((list).tail != NULL) \
- (list).tail->link.next = (elt); \
- else \
- (list).head = (elt); \
- (elt)->link.prev = (list).tail; \
- (elt)->link.next = NULL; \
- (list).tail = (elt); \
- } while (0)
-
-#define ISC_LIST_APPEND(list, elt, link) \
- do { \
- ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
- __ISC_LIST_APPENDUNSAFE(list, elt, link); \
- } while (0)
-
-#define ISC_LIST_INITANDAPPEND(list, elt, link) \
- __ISC_LIST_APPENDUNSAFE(list, elt, link)
-
-#define __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type) \
- do { \
- if ((elt)->link.next != NULL) \
- (elt)->link.next->link.prev = (elt)->link.prev; \
- else \
- (list).tail = (elt)->link.prev; \
- if ((elt)->link.prev != NULL) \
- (elt)->link.prev->link.next = (elt)->link.next; \
- else \
- (list).head = (elt)->link.next; \
- (elt)->link.prev = (type *)(-1); \
- (elt)->link.next = (type *)(-1); \
- } while (0)
-
-#define __ISC_LIST_UNLINKUNSAFE(list, elt, link) \
- __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
-
-#define ISC_LIST_UNLINK_TYPE(list, elt, link, type) \
- do { \
- ISC_LINK_INSIST(ISC_LINK_LINKED(elt, link)); \
- __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type); \
- } while (0)
-#define ISC_LIST_UNLINK(list, elt, link) \
- ISC_LIST_UNLINK_TYPE(list, elt, link, void)
-
-#define ISC_LIST_PREV(elt, link) ((elt)->link.prev)
-#define ISC_LIST_NEXT(elt, link) ((elt)->link.next)
-
-#define __ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link) \
- do { \
- if ((before)->link.prev == NULL) \
- ISC_LIST_PREPEND(list, elt, link); \
- else { \
- (elt)->link.prev = (before)->link.prev; \
- (before)->link.prev = (elt); \
- (elt)->link.prev->link.next = (elt); \
- (elt)->link.next = (before); \
- } \
- } while (0)
-
-#define ISC_LIST_INSERTBEFORE(list, before, elt, link) \
- do { \
- ISC_LINK_INSIST(ISC_LINK_LINKED(before, link)); \
- ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
- __ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link); \
- } while (0)
-
-#define __ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link) \
- do { \
- if ((after)->link.next == NULL) \
- ISC_LIST_APPEND(list, elt, link); \
- else { \
- (elt)->link.next = (after)->link.next; \
- (after)->link.next = (elt); \
- (elt)->link.next->link.prev = (elt); \
- (elt)->link.prev = (after); \
- } \
- } while (0)
-
-#define ISC_LIST_INSERTAFTER(list, after, elt, link) \
- do { \
- ISC_LINK_INSIST(ISC_LINK_LINKED(after, link)); \
- ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
- __ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link); \
- } while (0)
-
-#define ISC_LIST_APPENDLIST(list1, list2, link) \
- do { \
- if (ISC_LIST_EMPTY(list1)) \
- (list1) = (list2); \
- else if (!ISC_LIST_EMPTY(list2)) { \
- (list1).tail->link.next = (list2).head; \
- (list2).head->link.prev = (list1).tail; \
- (list1).tail = (list2).tail; \
- } \
- (list2).head = NULL; \
- (list2).tail = NULL; \
- } while (0)
-
-#define ISC_LIST_ENQUEUE(list, elt, link) ISC_LIST_APPEND(list, elt, link)
-#define __ISC_LIST_ENQUEUEUNSAFE(list, elt, link) \
- __ISC_LIST_APPENDUNSAFE(list, elt, link)
-#define ISC_LIST_DEQUEUE(list, elt, link) \
- ISC_LIST_UNLINK_TYPE(list, elt, link, void)
-#define ISC_LIST_DEQUEUE_TYPE(list, elt, link, type) \
- ISC_LIST_UNLINK_TYPE(list, elt, link, type)
-#define __ISC_LIST_DEQUEUEUNSAFE(list, elt, link) \
- __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
-#define __ISC_LIST_DEQUEUEUNSAFE_TYPE(list, elt, link, type) \
- __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type)
-
-#endif /* ISC_LIST_H */
diff --git a/contrib/bind9/lib/isc/include/isc/log.h b/contrib/bind9/lib/isc/include/isc/log.h
deleted file mode 100644
index 97aeba0c2425..000000000000
--- a/contrib/bind9/lib/isc/include/isc/log.h
+++ /dev/null
@@ -1,879 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.39.2.4.2.7 2004/04/10 04:31:40 marka Exp $ */
-
-#ifndef ISC_LOG_H
-#define ISC_LOG_H 1
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <syslog.h> /* XXXDCL NT */
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-/*
- * Severity levels, patterned after Unix's syslog levels.
- *
- * ISC_LOG_DYNAMIC can only be used for defining channels with
- * isc_log_createchannel(), not to specify a level in isc_log_write().
- */
-#define ISC_LOG_DEBUG(level) (level)
-#define ISC_LOG_DYNAMIC 0
-#define ISC_LOG_INFO (-1)
-#define ISC_LOG_NOTICE (-2)
-#define ISC_LOG_WARNING (-3)
-#define ISC_LOG_ERROR (-4)
-#define ISC_LOG_CRITICAL (-5)
-
-/*
- * Destinations.
- */
-#define ISC_LOG_TONULL 1
-#define ISC_LOG_TOSYSLOG 2
-#define ISC_LOG_TOFILE 3
-#define ISC_LOG_TOFILEDESC 4
-
-/*
- * Channel flags.
- */
-#define ISC_LOG_PRINTTIME 0x0001
-#define ISC_LOG_PRINTLEVEL 0x0002
-#define ISC_LOG_PRINTCATEGORY 0x0004
-#define ISC_LOG_PRINTMODULE 0x0008
-#define ISC_LOG_PRINTTAG 0x0010
-#define ISC_LOG_PRINTALL 0x001F
-#define ISC_LOG_DEBUGONLY 0x1000
-#define ISC_LOG_OPENERR 0x8000 /* internal */
-
-/*
- * Other options.
- * XXXDCL INFINITE doesn't yet work. Arguably it isn't needed, but
- * since I am intend to make large number of versions work efficiently,
- * INFINITE is going to be trivial to add to that.
- */
-#define ISC_LOG_ROLLINFINITE (-1)
-#define ISC_LOG_ROLLNEVER (-2)
-
-/*
- * Used to name the categories used by a library. An array of isc_logcategory
- * structures names each category, and the id value is initialized by calling
- * isc_log_registercategories.
- */
-struct isc_logcategory {
- const char *name;
- unsigned int id;
-};
-
-/*
- * Similar to isc_logcategory above, but for all the modules a library defines.
- */
-struct isc_logmodule {
- const char *name;
- unsigned int id;
-};
-
-/*
- * The isc_logfile structure is initialized as part of an isc_logdestination
- * before calling isc_log_createchannel(). When defining an ISC_LOG_TOFILE
- * channel the name, versions and maximum_size should be set before calling
- * isc_log_createchannel(). To define an ISC_LOG_TOFILEDESC channel set only
- * the stream before the call.
- *
- * Setting maximum_size to zero implies no maximum.
- */
-typedef struct isc_logfile {
- FILE *stream; /* Initialized to NULL for ISC_LOG_TOFILE. */
- const char *name; /* NULL for ISC_LOG_TOFILEDESC. */
- int versions; /* >= 0, ISC_LOG_ROLLNEVER, ISC_LOG_ROLLINFINITE. */
- /*
- * stdio's ftell is standardized to return a long, which may well not
- * be big enough for the largest file supportable by the operating
- * system (though it is _probably_ big enough for the largest log
- * anyone would want). st_size returned by fstat should be typedef'd
- * to a size large enough for the largest possible file on a system.
- */
- isc_offset_t maximum_size;
- isc_boolean_t maximum_reached; /* Private. */
-} isc_logfile_t;
-
-/*
- * Passed to isc_log_createchannel to define the attributes of either
- * a stdio or a syslog log.
- */
-typedef union isc_logdestination {
- isc_logfile_t file;
- int facility; /* XXXDCL NT */
-} isc_logdestination_t;
-
-/*
- * The built-in categories of libisc.
- *
- * Each library registering categories should provide library_LOGCATEGORY_name
- * definitions with indexes into its isc_logcategory structure corresponding to
- * the order of the names.
- */
-LIBISC_EXTERNAL_DATA extern isc_logcategory_t isc_categories[];
-LIBISC_EXTERNAL_DATA extern isc_log_t *isc_lctx;
-LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
-
-/*
- * Do not log directly to DEFAULT. Use another category. When in doubt,
- * use GENERAL.
- */
-#define ISC_LOGCATEGORY_DEFAULT (&isc_categories[0])
-#define ISC_LOGCATEGORY_GENERAL (&isc_categories[1])
-
-#define ISC_LOGMODULE_SOCKET (&isc_modules[0])
-#define ISC_LOGMODULE_TIME (&isc_modules[1])
-#define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
-#define ISC_LOGMODULE_TIMER (&isc_modules[3])
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp);
-/*
- * Establish a new logging context, with default channels.
- *
- * Notes:
- * isc_log_create calls isc_logconfig_create, so see its comment
- * below for more information.
- *
- * Requires:
- * mctx is a valid memory context.
- * lctxp is not null and *lctxp is null.
- * lcfgp is null or lcfgp is not null and *lcfgp is null.
- *
- * Ensures:
- * *lctxp will point to a valid logging context if all of the necessary
- * memory was allocated, or NULL otherwise.
- * *lcfgp will point to a valid logging configuration if all of the
- * necessary memory was allocated, or NULL otherwise.
- * On failure, no additional memory is allocated.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource limit: Out of memory
- */
-
-isc_result_t
-isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
-/*
- * Create the data structure that holds all of the configurable information
- * about where messages are actually supposed to be sent -- the information
- * that could changed based on some configuration file, as opposed to the
- * the category/module specification of isc_log_[v]write[1] that is compiled
- * into a program, or the debug_level which is dynamic state information.
- *
- * Notes:
- * It is necessary to specify the logging context the configuration
- * will be used with because the number of categories and modules
- * needs to be known in order to set the configuration. However,
- * the configuration is not used by the logging context until the
- * isc_logconfig_use function is called.
- *
- * The memory context used for operations that allocate memory for
- * the configuration is that of the logging context, as specified
- * in the isc_log_create call.
- *
- * Four default channels are established:
- * default_syslog
- * - log to syslog's daemon facility ISC_LOG_INFO or higher
- * default_stderr
- * - log to stderr ISC_LOG_INFO or higher
- * default_debug
- * - log to stderr ISC_LOG_DEBUG dynamically
- * null
- * - log nothing
- *
- * Requires:
- * lctx is a valid logging context.
- * lcftp is not null and *lcfgp is null.
- *
- * Ensures:
- * *lcfgp will point to a valid logging context if all of the necessary
- * memory was allocated, or NULL otherwise.
- * On failure, no additional memory is allocated.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource limit: Out of memory
- */
-
-isc_logconfig_t *
-isc_logconfig_get(isc_log_t *lctx);
-/*
- * Returns a pointer to the configuration currently in use by the log context.
- *
- * Requires:
- * lctx is a valid context.
- *
- * Ensures:
- * The configuration pointer is non-null.
- *
- * Returns:
- * The configuration pointer.
- */
-
-isc_result_t
-isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg);
-/*
- * Associate a new configuration with a logging context.
- *
- * Notes:
- * This is thread safe. The logging context will lock a mutex
- * before attempting to swap in the new configuration, and isc_log_doit
- * (the internal function used by all of isc_log_[v]write[1]) locks
- * the same lock for the duration of its use of the configuration.
- *
- * Requires:
- * lctx is a valid logging context.
- * lcfg is a valid logging configuration.
- * lctx is the same configuration given to isc_logconfig_create
- * when the configuration was created.
- *
- * Ensures:
- * Future calls to isc_log_write will use the new configuration.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource limit: Out of memory
- */
-
-void
-isc_log_destroy(isc_log_t **lctxp);
-/*
- * Deallocate the memory associated with a logging context.
- *
- * Requires:
- * *lctx is a valid logging context.
- *
- * Ensures:
- * All of the memory associated with the logging context is returned
- * to the free memory pool.
- *
- * Any open files are closed.
- *
- * The logging context is marked as invalid.
- */
-
-void
-isc_logconfig_destroy(isc_logconfig_t **lcfgp);
-/*
- * Destroy a logging configuration.
- *
- * Notes:
- * This function cannot be used directly with the return value of
- * isc_logconfig_get, because a logging context must always have
- * a valid configuration associated with it.
- *
- * Requires:
- * lcfgp is not null and *lcfgp is a valid logging configuration.
- * The logging configuration is not in use by an existing logging context.
- *
- * Ensures:
- * All memory allocated for the configuration is freed.
- *
- * The configuration is marked as invalid.
- */
-
-void
-isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]);
-/*
- * Identify logging categories a library will use.
- *
- * Notes:
- * A category should only be registered once, but no mechanism enforces
- * this rule.
- *
- * The end of the categories array is identified by a NULL name.
- *
- * Because the name is used by ISC_LOG_PRINTCATEGORY, it should not
- * be altered or destroyed after isc_log_registercategories().
- *
- * Because each element of the categories array is used by
- * isc_log_categorybyname, it should not be altered or destroyed
- * after registration.
- *
- * The value of the id integer in each structure is overwritten
- * by this function, and so id need not be initialized to any particular
- * value prior to the function call.
- *
- * A subsequent call to isc_log_registercategories with the same
- * logging context (but new categories) will cause the last
- * element of the categories array from the prior call to have
- * its "name" member changed from NULL to point to the new
- * categories array, and its "id" member set to UINT_MAX.
- *
- * Requires:
- * lctx is a valid logging context.
- * categories != NULL.
- * categories[0].name != NULL.
- *
- * Ensures:
- * There are references to each category in the logging context,
- * so they can be used with isc_log_usechannel() and isc_log_write().
- */
-
-void
-isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]);
-/*
- * Identify logging categories a library will use.
- *
- * Notes:
- * A module should only be registered once, but no mechanism enforces
- * this rule.
- *
- * The end of the modules array is identified by a NULL name.
- *
- * Because the name is used by ISC_LOG_PRINTMODULE, it should not
- * be altered or destroyed after isc_log_registermodules().
- *
- * Because each element of the modules array is used by
- * isc_log_modulebyname, it should not be altered or destroyed
- * after registration.
- *
- * The value of the id integer in each structure is overwritten
- * by this function, and so id need not be initialized to any particular
- * value prior to the function call.
- *
- * A subsequent call to isc_log_registermodules with the same
- * logging context (but new modules) will cause the last
- * element of the modules array from the prior call to have
- * its "name" member changed from NULL to point to the new
- * modules array, and its "id" member set to UINT_MAX.
- *
- * Requires:
- * lctx is a valid logging context.
- * modules != NULL.
- * modules[0].name != NULL;
- *
- * Ensures:
- * Each module has a reference in the logging context, so they can be
- * used with isc_log_usechannel() and isc_log_write().
- */
-
-isc_result_t
-isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
- unsigned int type, int level,
- const isc_logdestination_t *destination,
- unsigned int flags);
-/*
- * Specify the parameters of a logging channel.
- *
- * Notes:
- * The name argument is copied to memory in the logging context, so
- * it can be altered or destroyed after isc_log_createchannel().
- *
- * Defining a very large number of channels will have a performance
- * impact on isc_log_usechannel(), since the names are searched
- * linearly until a match is made. This same issue does not affect
- * isc_log_write, however.
- *
- * Channel names can be redefined; this is primarily useful for programs
- * that want their own definition of default_syslog, default_debug
- * and default_stderr.
- *
- * Any channel that is redefined will not affect logging that was
- * already directed to its original definition, _except_ for the
- * default_stderr channel. This case is handled specially so that
- * the default logging category can be changed by redefining
- * default_stderr. (XXXDCL Though now that I think of it, the default
- * logging category can be changed with only one additional function
- * call by defining a new channel and then calling isc_log_usechannel()
- * for ISC_LOGCATEGORY_DEFAULT.)
- *
- * Specifying ISC_LOG_PRINTTIME or ISC_LOG_PRINTTAG for syslog is allowed,
- * but probably not what you wanted to do.
- *
- * ISC_LOG_DEBUGONLY will mark the channel as usable only when the
- * debug level of the logging context (see isc_log_setdebuglevel)
- * is non-zero.
- *
- * Requires:
- * lcfg is a valid logging configuration.
- *
- * name is not NULL.
- *
- * type is ISC_LOG_TOSYSLOG, ISC_LOG_TOFILE, ISC_LOG_TOFILEDESC or
- * ISC_LOG_TONULL.
- *
- * destination is not NULL unless type is ISC_LOG_TONULL.
- *
- * level is >= ISC_LOG_CRITICAL (the most negative logging level).
- *
- * flags does not include any bits aside from the ISC_LOG_PRINT* bits
- * or ISC_LOG_DEBUGONLY.
- *
- * Ensures:
- * ISC_R_SUCCESS
- * A channel with the given name is usable with
- * isc_log_usechannel().
- *
- * ISC_R_NOMEMORY or ISC_R_UNEXPECTED
- * No additional memory is being used by the logging context.
- *
- * Any channel that previously existed with the given name
- * is not redefined.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource limit: Out of memory
- * ISC_R_UNEXPECTED type was out of range and REQUIRE()
- * was disabled.
- */
-
-isc_result_t
-isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
- const isc_logcategory_t *category,
- const isc_logmodule_t *module);
-/*
- * Associate a named logging channel with a category and module that
- * will use it.
- *
- * Notes:
- * The name is searched for linearly in the set of known channel names
- * until a match is found. (Note the performance impact of a very large
- * number of named channels.) When multiple channels of the same
- * name are defined, the most recent definition is found.
- *
- * Specifing a very large number of channels for a category will have
- * a moderate impact on performance in isc_log_write(), as each
- * call looks up the category for the start of a linked list, which
- * it follows all the way to the end to find matching modules. The
- * test for matching modules is integral, though.
- *
- * If category is NULL, then the channel is associated with the indicated
- * module for all known categories (including the "default" category).
- *
- * If module is NULL, then the channel is associated with every module
- * that uses that category.
- *
- * Passing both category and module as NULL would make every log message
- * use the indicated channel.
- *
- * Specifying a channel that is ISC_LOG_TONULL for a category/module pair
- * has no effect on any other channels associated with that pair,
- * regardless of ordering. Thus you cannot use it to "mask out" one
- * category/module pair when you have specified some other channel that
- * is also used by that category/module pair.
- *
- * Requires:
- * lcfg is a valid logging configuration.
- *
- * category is NULL or has an id that is in the range of known ids.
- *
- * module is NULL or has an id that is in the range of known ids.
- *
- * Ensures:
- * ISC_R_SUCCESS
- * The channel will be used by the indicated category/module
- * arguments.
- *
- * ISC_R_NOMEMORY
- * If assignment for a specific category has been requested,
- * the channel has not been associated with the indicated
- * category/module arguments and no additional memory is
- * used by the logging context.
- *
- * If assignment for all categories has been requested
- * then _some_ may have succeeded (starting with category
- * "default" and progressing through the order of categories
- * passed to isc_log_registercategories) and additional memory
- * is being used by whatever assignments succeeded.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource limit: Out of memory
- */
-
-void
-isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- const char *format, ...)
-ISC_FORMAT_PRINTF(5, 6);
-/*
- * Write a message to the log channels.
- *
- * Notes:
- * Log messages containing natural language text should be logged with
- * isc_log_iwrite() to allow for localization.
- *
- * lctx can be NULL; this is allowed so that programs which use
- * libraries that use the ISC logging system are not required to
- * also use it.
- *
- * The format argument is a printf(3) string, with additional arguments
- * as necessary.
- *
- * Requires:
- * lctx is a valid logging context.
- *
- * The category and module arguments must have ids that are in the
- * range of known ids, as estabished by isc_log_registercategories()
- * and isc_log_registermodules().
- *
- * level != ISC_LOG_DYNAMIC. ISC_LOG_DYNAMIC is used only to define
- * channels, and explicit debugging level must be identified for
- * isc_log_write() via ISC_LOG_DEBUG(level).
- *
- * format != NULL.
- *
- * Ensures:
- * The log message is written to every channel associated with the
- * indicated category/module pair.
- *
- * Returns:
- * Nothing. Failure to log a message is not construed as a
- * meaningful error.
- */
-
-void
-isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- const char *format, va_list args)
-ISC_FORMAT_PRINTF(5, 0);
-/*
- * Write a message to the log channels.
- *
- * Notes:
- * lctx can be NULL; this is allowed so that programs which use
- * libraries that use the ISC logging system are not required to
- * also use it.
- *
- * The format argument is a printf(3) string, with additional arguments
- * as necessary.
- *
- * Requires:
- * lctx is a valid logging context.
- *
- * The category and module arguments must have ids that are in the
- * range of known ids, as estabished by isc_log_registercategories()
- * and isc_log_registermodules().
- *
- * level != ISC_LOG_DYNAMIC. ISC_LOG_DYNAMIC is used only to define
- * channels, and explicit debugging level must be identified for
- * isc_log_write() via ISC_LOG_DEBUG(level).
- *
- * format != NULL.
- *
- * Ensures:
- * The log message is written to every channel associated with the
- * indicated category/module pair.
- *
- * Returns:
- * Nothing. Failure to log a message is not construed as a
- * meaningful error.
- */
-
-void
-isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *format, ...)
-ISC_FORMAT_PRINTF(5, 6);
-/*
- * Write a message to the log channels, pruning duplicates that occur within
- * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
- * This function is otherwise identical to isc_log_write().
- */
-
-void
-isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *format,
- va_list args)
-ISC_FORMAT_PRINTF(5, 0);
-/*
- * Write a message to the log channels, pruning duplicates that occur within
- * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
- * This function is otherwise identical to isc_log_vwrite().
- */
-
-void
-isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int message,
- const char *format, ...)
-ISC_FORMAT_PRINTF(8, 9);
-
-void
-isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int message,
- const char *format, va_list args)
-ISC_FORMAT_PRINTF(8, 0);
-
-void
-isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int message,
- const char *format, ...)
-ISC_FORMAT_PRINTF(8, 9);
-
-void
-isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int message,
- const char *format, va_list args)
-ISC_FORMAT_PRINTF(8, 0);
-/*
- * These are four internationalized versions of the the isc_log_[v]write[1]
- * functions. The only difference is that they take arguments for a message
- * catalog, message set, and message number, all immediately preceding the
- * format argument. The format argument becomes the default text, a la
- * isc_msgcat_get. If the message catalog is NULL, no lookup is attempted
- * for a message -- which makes the message set and message number irrelevant,
- * and the non-internationalized call should have probably been used instead.
- *
- * Yes, that means there are now *eight* interfaces to logging a message.
- * Sheesh. Make the madness stop!
- */
-
-void
-isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level);
-/*
- * Set the debugging level used for logging.
- *
- * Notes:
- * Setting the debugging level to 0 disables debugging log messages.
- *
- * Requires:
- * lctx is a valid logging context.
- *
- * Ensures:
- * The debugging level is set to the requested value.
- */
-
-unsigned int
-isc_log_getdebuglevel(isc_log_t *lctx);
-/*
- * Get the current debugging level.
- *
- * Notes:
- * This is provided so that a program can have a notion of
- * "increment debugging level" or "decrement debugging level"
- * without needing to keep track of what the current level is.
- *
- * A return value of 0 indicates that debugging messages are disabled.
- *
- * Requires:
- * lctx is a valid logging context.
- *
- * Ensures:
- * The current logging debugging level is returned.
- */
-
-isc_boolean_t
-isc_log_wouldlog(isc_log_t *lctx, int level);
-/*
- * Determine whether logging something to 'lctx' at 'level' would
- * actually cause something to be logged somewhere.
- *
- * If ISC_FALSE is returned, it is guaranteed that nothing would
- * be logged, allowing the caller to omit unnecessary
- * isc_log_write() calls and possible message preformatting.
- */
-
-void
-isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
-/*
- * Set the interval over which duplicate log messages will be ignored
- * by isc_log_[v]write1(), in seconds.
- *
- * Notes:
- * Increasing the duplicate interval from X to Y will not necessarily
- * filter out duplicates of messages logged in Y - X seconds since the
- * increase. (Example: Message1 is logged at midnight. Message2
- * is logged at 00:01:00, when the interval is only 30 seconds, causing
- * Message1 to be expired from the log message history. Then the interval
- * is increased to 3000 (five minutes) and at 00:04:00 Message1 is logged
- * again. It will appear the second time even though less than five
- * passed since the first occurrence.
- *
- * Requires:
- * lctx is a valid logging context.
- */
-
-unsigned int
-isc_log_getduplicateinterval(isc_logconfig_t *lcfg);
-/*
- * Get the current duplicate filtering interval.
- *
- * Requires:
- * lctx is a valid logging context.
- *
- * Returns:
- * The current duplicate filtering interval.
- */
-
-isc_result_t
-isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
-/*
- * Set the program name or other identifier for ISC_LOG_PRINTTAG.
- *
- * Requires:
- * lcfg is a valid logging configuration.
- *
- * Notes:
- * If this function has not set the tag to a non-NULL, non-empty value,
- * then the ISC_LOG_PRINTTAG channel flag will not print anything.
- * Unlike some implementations of syslog on Unix systems, you *must* set
- * the tag in order to get it logged. It is not implicitly derived from
- * the program name (which is pretty impossible to infer portably).
- *
- * Setting the tag to NULL or the empty string will also cause the
- * ISC_LOG_PRINTTAG channel flag to not print anything. If tag equals the
- * empty string, calls to isc_log_gettag will return NULL.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_NOMEMORY Resource Limit: Out of memory
- *
- * XXXDCL when creating a new isc_logconfig_t, it might be nice if the tag
- * of the currently active isc_logconfig_t was inherited. this does not
- * currently happen.
- */
-
-char *
-isc_log_gettag(isc_logconfig_t *lcfg);
-/*
- * Get the current identifier printed with ISC_LOG_PRINTTAG.
- *
- * Requires:
- * lcfg is a valid logging configuration.
- *
- * Notes:
- * Since isc_log_settag() will not associate a zero-length string
- * with the logging configuration, attempts to do so will cause
- * this function to return NULL. However, a determined programmer
- * will observe that (currently) a tag of length greater than zero
- * could be set, and then modified to be zero length.
- *
- * Returns:
- * A pointer to the current identifier, or NULL if none has been set.
- */
-
-void
-isc_log_opensyslog(const char *tag, int options, int facility);
-/*
- * Initialize syslog logging.
- *
- * Notes:
- * XXXDCL NT
- * This is currently equivalent to openlog(), but is not going to remain
- * that way. In the meantime, the arguments are all identical to
- * those used by openlog(3), as follows:
- * tag: The string to use in the position of the program
- * name in syslog messages. Most (all?) syslogs
- * will use basename(argv[0]) if tag is NULL.
- *
- * options: LOG_CONS, LOG_PID, LOG_NDELAY ... whatever your
- * syslog supports.
- *
- * facility: The default syslog facility. This is irrelevant
- * since isc_log_write will ALWAYS use the channel's
- * declared facility.
- *
- * Zero effort has been made (yet) to accomodate systems with openlog()
- * that only takes two arguments, or to identify valid syslog
- * facilities or options for any given architecture.
- *
- * It is necessary to call isc_log_opensyslog() to initialize
- * syslogging on machines which do not support network connections to
- * syslogd because they require a Unix domain socket to be used. Since
- * this is a chore to determine at run-time, it is suggested that it
- * always be called by programs using the ISC logging system.
- *
- * Requires:
- * Nothing.
- *
- * Ensures:
- * openlog() is called to initialize the syslog system.
- */
-
-void
-isc_log_closefilelogs(isc_log_t *lctx);
-/*
- * Close all open files used by ISC_LOG_TOFILE channels.
- *
- * Notes:
- * This function is provided for programs that want to use their own
- * log rolling mechanism rather than the one provided internally.
- * For example, a program that wanted to keep daily logs would define
- * a channel which used ISC_LOG_ROLLNEVER, then once a day would
- * rename the log file and call isc_log_closefilelogs().
- *
- * ISC_LOG_TOFILEDESC channels are unaffected.
- *
- * Requires:
- * lctx is a valid context.
- *
- * Ensures:
- * The open files are closed and will be reopened when they are
- * next needed.
- */
-
-isc_logcategory_t *
-isc_log_categorybyname(isc_log_t *lctx, const char *name);
-/*
- * Find a category by its name.
- *
- * Notes:
- * The string name of a category is not required to be unique.
- *
- * Requires:
- * lctx is a valid context.
- * name is not NULL.
- *
- * Returns:
- * A pointer to the _first_ isc_logcategory_t structure used by "name".
- *
- * NULL if no category exists by that name.
- */
-
-isc_logmodule_t *
-isc_log_modulebyname(isc_log_t *lctx, const char *name);
-/*
- * Find a module by its name.
- *
- * Notes:
- * The string name of a module is not required to be unique.
- *
- * Requires:
- * lctx is a valid context.
- * name is not NULL.
- *
- * Returns:
- * A pointer to the _first_ isc_logmodule_t structure used by "name".
- *
- * NULL if no module exists by that name.
- */
-
-void
-isc_log_setcontext(isc_log_t *lctx);
-/*
- * Sets the context used by the libisc for logging.
- *
- * Requires:
- * lctx be a valid context.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_LOG_H */
diff --git a/contrib/bind9/lib/isc/include/isc/magic.h b/contrib/bind9/lib/isc/include/isc/magic.h
deleted file mode 100644
index 729e5123c2b4..000000000000
--- a/contrib/bind9/lib/isc/include/isc/magic.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: magic.h,v 1.11.206.1 2004/03/06 08:14:43 marka Exp $ */
-
-#ifndef ISC_MAGIC_H
-#define ISC_MAGIC_H 1
-
-typedef struct {
- unsigned int magic;
-} isc__magic_t;
-
-
-/*
- * To use this macro the magic number MUST be the first thing in the
- * structure, and MUST be of type "unsigned int".
- *
- * The intent of this is to allow magic numbers to be checked even though
- * the object is otherwise opaque.
- */
-#define ISC_MAGIC_VALID(a,b) (((a) != NULL) && \
- (((const isc__magic_t *)(a))->magic == (b)))
-
-#define ISC_MAGIC(a, b, c, d) ((a) << 24 | (b) << 16 | (c) << 8 | (d))
-
-#endif /* ISC_MAGIC_H */
diff --git a/contrib/bind9/lib/isc/include/isc/md5.h b/contrib/bind9/lib/isc/include/isc/md5.h
deleted file mode 100644
index c6c38258ff11..000000000000
--- a/contrib/bind9/lib/isc/include/isc/md5.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: md5.h,v 1.8.206.1 2004/03/06 08:14:43 marka Exp $ */
-
-/*
- * This is the header file for the MD5 message-digest algorithm.
- * The algorithm is due to Ron Rivest. This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- *
- * Changed so as no longer to depend on Colin Plumb's `usual.h'
- * header definitions; now uses stuff from dpkg's config.h
- * - Ian Jackson <ijackson@nyx.cs.du.edu>.
- * Still in the public domain.
- */
-
-#ifndef ISC_MD5_H
-#define ISC_MD5_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#define ISC_MD5_DIGESTLENGTH 16
-
-typedef struct {
- isc_uint32_t buf[4];
- isc_uint32_t bytes[2];
- isc_uint32_t in[16];
-} isc_md5_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_md5_init(isc_md5_t *ctx);
-
-void
-isc_md5_invalidate(isc_md5_t *ctx);
-
-void
-isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len);
-
-void
-isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MD5_H */
diff --git a/contrib/bind9/lib/isc/include/isc/mem.h b/contrib/bind9/lib/isc/include/isc/mem.h
deleted file mode 100644
index 64559240808e..000000000000
--- a/contrib/bind9/lib/isc/include/isc/mem.h
+++ /dev/null
@@ -1,452 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mem.h,v 1.54.12.4 2004/10/11 05:55:51 marka Exp $ */
-
-#ifndef ISC_MEM_H
-#define ISC_MEM_H 1
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define ISC_MEM_LOWATER 0
-#define ISC_MEM_HIWATER 1
-typedef void (*isc_mem_water_t)(void *, int);
-
-typedef void * (*isc_memalloc_t)(void *, size_t);
-typedef void (*isc_memfree_t)(void *, void *);
-
-/*
- * Define ISC_MEM_DEBUG=1 to make all functions that free memory
- * set the pointer being freed to NULL after being freed.
- * This is the default; set ISC_MEM_DEBUG=0 to disable it.
- */
-#ifndef ISC_MEM_DEBUG
-#define ISC_MEM_DEBUG 1
-#endif
-
-/*
- * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
- * allocation and freeing by file and line number.
- */
-#ifndef ISC_MEM_TRACKLINES
-#define ISC_MEM_TRACKLINES 1
-#endif
-
-/*
- * Define ISC_MEM_CHECKOVERRUN=1 to turn on checks for using memory outside
- * the requested space. This will increase the size of each allocation.
- */
-#ifndef ISC_MEM_CHECKOVERRUN
-#define ISC_MEM_CHECKOVERRUN 1
-#endif
-
-/*
- * Define ISC_MEM_FILL=1 to fill each block of memory returned to the system
- * with the byte string '0xbe'. This helps track down uninitialized pointers
- * and the like. On freeing memory, the space is filled with '0xde' for
- * the same reasons.
- */
-#ifndef ISC_MEM_FILL
-#define ISC_MEM_FILL 1
-#endif
-
-/*
- * Define ISC_MEMPOOL_NAMES=1 to make memory pools store a symbolic
- * name so that the leaking pool can be more readily identified in
- * case of a memory leak.
- */
-#ifndef ISC_MEMPOOL_NAMES
-#define ISC_MEMPOOL_NAMES 1
-#endif
-
-LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
-#define ISC_MEM_DEBUGTRACE 0x00000001U
-#define ISC_MEM_DEBUGRECORD 0x00000002U
-#define ISC_MEM_DEBUGUSAGE 0x00000004U
-/*
- * The variable isc_mem_debugging holds a set of flags for
- * turning certain memory debugging options on or off at
- * runtime. Its is intialized to the value ISC_MEM_DEGBUGGING,
- * which is 0 by default but may be overridden at compile time.
- * The following flags can be specified:
- *
- * ISC_MEM_DEBUGTRACE
- * Log each allocation and free to isc_lctx.
- *
- * ISC_MEM_DEBUGRECORD
- * Remember each allocation, and match them up on free.
- * Crash if a free doesn't match an allocation.
- *
- * ISC_MEM_DEBUGUSAGE
- * If a hi_water mark is set, print the maximium inuse memory
- * every time it is raised once it exceeds the hi_water mark.
- */
-
-#if ISC_MEM_TRACKLINES
-#define _ISC_MEM_FILELINE , __FILE__, __LINE__
-#define _ISC_MEM_FLARG , const char *, int
-#else
-#define _ISC_MEM_FILELINE
-#define _ISC_MEM_FLARG
-#endif
-
-#define isc_mem_get(c, s) isc__mem_get((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_allocate(c, s) isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
-#define isc_mem_strdup(c, p) isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_get(c) isc__mempool_get((c) _ISC_MEM_FILELINE)
-
-/*
- * isc_mem_putanddetach() is a convienence function for use where you
- * have a structure with an attached memory context.
- *
- * Given:
- *
- * struct {
- * ...
- * isc_mem_t *mctx;
- * ...
- * } *ptr;
- *
- * isc_mem_t *mctx;
- *
- * isc_mem_putanddetach(&ptr->mctx, ptr, sizeof(*ptr));
- *
- * is the equivalent of:
- *
- * mctx = NULL;
- * isc_mem_attach(ptr->mctx, &mctx);
- * isc_mem_detach(&ptr->mctx);
- * isc_mem_put(mctx, ptr, sizeof(*ptr));
- * isc_mem_detach(&mctx);
- */
-
-#if ISC_MEM_DEBUG
-#define isc_mem_put(c, p, s) \
- do { \
- isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE); \
- (p) = NULL; \
- } while (0)
-#define isc_mem_putanddetach(c, p, s) \
- do { \
- isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE); \
- (p) = NULL; \
- } while (0)
-#define isc_mem_free(c, p) \
- do { \
- isc__mem_free((c), (p) _ISC_MEM_FILELINE); \
- (p) = NULL; \
- } while (0)
-#define isc_mempool_put(c, p) \
- do { \
- isc__mempool_put((c), (p) _ISC_MEM_FILELINE); \
- (p) = NULL; \
- } while (0)
-#else
-#define isc_mem_put(c, p, s) isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_putanddetach(c, p, s) \
- isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE)
-#define isc_mem_free(c, p) isc__mem_free((c), (p) _ISC_MEM_FILELINE)
-#define isc_mempool_put(c, p) isc__mempool_put((c), (p) _ISC_MEM_FILELINE)
-#endif
-
-isc_result_t
-isc_mem_create(size_t max_size, size_t target_size,
- isc_mem_t **mctxp);
-
-isc_result_t
-isc_mem_createx(size_t max_size, size_t target_size,
- isc_memalloc_t memalloc, isc_memfree_t memfree,
- void *arg, isc_mem_t **mctxp);
-/*
- * Create a memory context.
- *
- * 'max_size' and 'target_size' are tuning parameters. When
- * ISC_MEM_USE_INTERNAL_MALLOC is true, allocations smaller than
- * 'max_size' will be satisfied by getting blocks of size
- * 'target_size' from the system allocator and breaking them up into
- * pieces; larger allocations will use the system allocator directly.
- * If 'max_size' and/or 'target_size' are zero, default values will be
- * used. When ISC_MEM_USE_INTERNAL_MALLOC is false, 'target_size' is
- * ignored.
- *
- * 'max_size' is also used to size the statistics arrays and the array
- * used to record active memory when ISC_MEM_DEBUGRECORD is set. Settin
- * 'max_size' too low can have detrimental effects on performance.
- *
- * A memory context created using isc_mem_createx() will obtain
- * memory from the system by calling 'memalloc' and 'memfree',
- * passing them the argument 'arg'. A memory context created
- * using isc_mem_create() will use the standard library malloc()
- * and free().
- *
- * Requires:
- * mctxp != NULL && *mctxp == NULL */
-
-void
-isc_mem_attach(isc_mem_t *, isc_mem_t **);
-void
-isc_mem_detach(isc_mem_t **);
-/*
- * Attach to / detach from a memory context.
- *
- * This is intended for applications that use multiple memory contexts
- * in such a way that it is not obvious when the last allocations from
- * a given context has been freed and destroying the context is safe.
- *
- * Most applications do not need to call these functions as they can
- * simply create a single memory context at the beginning of main()
- * and destroy it at the end of main(), thereby guaranteeing that it
- * is not destroyed while there are outstanding allocations.
- */
-
-void
-isc_mem_destroy(isc_mem_t **);
-/*
- * Destroy a memory context.
- */
-
-isc_result_t
-isc_mem_ondestroy(isc_mem_t *ctx,
- isc_task_t *task,
- isc_event_t **event);
-/*
- * Request to be notified with an event when a memory context has
- * been successfully destroyed.
- */
-
-void
-isc_mem_stats(isc_mem_t *mctx, FILE *out);
-/*
- * Print memory usage statistics for 'mctx' on the stream 'out'.
- */
-
-void
-isc_mem_setdestroycheck(isc_mem_t *mctx,
- isc_boolean_t on);
-/*
- * Iff 'on' is ISC_TRUE, 'mctx' will check for memory leaks when
- * destroyed and abort the program if any are present.
- */
-
-void
-isc_mem_setquota(isc_mem_t *, size_t);
-size_t
-isc_mem_getquota(isc_mem_t *);
-/*
- * Set/get the memory quota of 'mctx'. This is a hard limit
- * on the amount of memory that may be allocated from mctx;
- * if it is exceeded, allocations will fail.
- */
-
-size_t
-isc_mem_inuse(isc_mem_t *mctx);
-/*
- * Get an estimate of the number of memory in use in 'mctx', in bytes.
- * This includes quantization overhead, but does not include memory
- * allocated from the system but not yet used.
- */
-
-void
-isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
- size_t hiwater, size_t lowater);
-/*
- * Set high and low water marks for this memory context. When the memory
- * usage of 'mctx' exceeds 'hiwater', '(water)(water_arg, ISC_MEM_HIWATER)'
- * will be called. When the usage drops below 'lowater', 'water' will
- * again be called, this time with ISC_MEM_LOWATER.
- *
- * If 'water' is NULL then 'water_arg', 'hi_water' and 'lo_water' are
- * ignored and the state is reset.
- *
- * Requires:
- *
- * 'water' is not NULL.
- * hi_water >= lo_water
- */
-
-/*
- * Memory pools
- */
-
-isc_result_t
-isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
-/*
- * Create a memory pool.
- *
- * Requires:
- * mctx is a valid memory context.
- * size > 0
- * mpctxp != NULL and *mpctxp == NULL
- *
- * Defaults:
- * maxalloc = UINT_MAX
- * freemax = 1
- * fillcount = 1
- *
- * Returns:
- * ISC_R_NOMEMORY -- not enough memory to create pool
- * ISC_R_SUCCESS -- all is well.
- */
-
-void
-isc_mempool_destroy(isc_mempool_t **mpctxp);
-/*
- * Destroy a memory pool.
- *
- * Requires:
- * mpctxp != NULL && *mpctxp is a valid pool.
- * The pool has no un"put" allocations outstanding
- */
-
-void
-isc_mempool_setname(isc_mempool_t *mpctx, const char *name);
-/*
- * Associate a name with a memory pool. At most 15 characters may be used.
- *
- * Requires:
- * mpctx is a valid pool.
- * name != NULL;
- */
-
-void
-isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
-/*
- * Associate a lock with this memory pool.
- *
- * This lock is used when getting or putting items using this memory pool,
- * and it is also used to set or get internal state via the isc_mempool_get*()
- * and isc_mempool_set*() set of functions.
- *
- * Mutiple pools can each share a single lock. For instance, if "manager"
- * type object contained pools for various sizes of events, and each of
- * these pools used a common lock. Note that this lock must NEVER be used
- * by other than mempool routines once it is given to a pool, since that can
- * easily cause double locking.
- *
- * Requires:
- *
- * mpctpx is a valid pool.
- *
- * lock != NULL.
- *
- * No previous lock is assigned to this pool.
- *
- * The lock is initialized before calling this function via the normal
- * means of doing that.
- */
-
-/*
- * The following functions get/set various parameters. Note that due to
- * the unlocked nature of pools these are potentially random values unless
- * the imposed externally provided locking protocols are followed.
- *
- * Also note that the quota limits will not always take immediate effect.
- * For instance, setting "maxalloc" to a number smaller than the currently
- * allocated count is permitted. New allocations will be refused until
- * the count drops below this threshold.
- *
- * All functions require (in addition to other requirements):
- * mpctx is a valid memory pool
- */
-
-unsigned int
-isc_mempool_getfreemax(isc_mempool_t *mpctx);
-/*
- * Returns the maximum allowed size of the free list.
- */
-
-void
-isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
-/*
- * Sets the maximum allowed size of the free list.
- */
-
-unsigned int
-isc_mempool_getfreecount(isc_mempool_t *mpctx);
-/*
- * Returns current size of the free list.
- */
-
-unsigned int
-isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
-/*
- * Returns the maximum allowed number of allocations.
- */
-
-void
-isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
-/*
- * Sets the maximum allowed number of allocations.
- *
- * Additional requirements:
- * limit > 0
- */
-
-unsigned int
-isc_mempool_getallocated(isc_mempool_t *mpctx);
-/*
- * Returns the number of items allocated from this pool.
- */
-
-unsigned int
-isc_mempool_getfillcount(isc_mempool_t *mpctx);
-/*
- * Returns the number of items allocated as a block from the parent memory
- * context when the free list is empty.
- */
-
-void
-isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
-/*
- * Sets the fillcount.
- *
- * Additional requirements:
- * limit > 0
- */
-
-
-/*
- * Pseudo-private functions for use via macros. Do not call directly.
- */
-void *
-isc__mem_get(isc_mem_t *, size_t _ISC_MEM_FLARG);
-void
-isc__mem_putanddetach(isc_mem_t **, void *,
- size_t _ISC_MEM_FLARG);
-void
-isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
-void *
-isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
-void
-isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
-char *
-isc__mem_strdup(isc_mem_t *, const char *_ISC_MEM_FLARG);
-void *
-isc__mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
-void
-isc__mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MEM_H */
diff --git a/contrib/bind9/lib/isc/include/isc/msgcat.h b/contrib/bind9/lib/isc/include/isc/msgcat.h
deleted file mode 100644
index 97839fad46c4..000000000000
--- a/contrib/bind9/lib/isc/include/isc/msgcat.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: msgcat.h,v 1.8.206.1 2004/03/06 08:14:44 marka Exp $ */
-
-#ifndef ISC_MSGCAT_H
-#define ISC_MSGCAT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * ISC Message Catalog
- *
- * Message catalogs aid internationalization of applications by allowing
- * messages to be retrieved from locale-specific files instead of
- * hardwiring them into the application. This allows translations of
- * messages appropriate to the locale to be supplied without recompiling
- * the application.
- *
- * Notes:
- * It's very important that message catalogs work, even if only the
- * default_text can be used.
- *
- * MP:
- * The caller must ensure appropriate synchronization of
- * isc_msgcat_open() and isc_msgcat_close(). isc_msgcat_get()
- * ensures appropriate synchronization.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/*****
- ***** Imports
- *****/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Methods
- *****/
-
-void
-isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp);
-/*
- * Open a message catalog.
- *
- * Notes:
- *
- * If memory cannot be allocated or other failures occur, *msgcatp
- * will be set to NULL. If a NULL msgcat is given to isc_msgcat_get(),
- * the default_text will be returned, ensuring that some message text
- * will be available, no matter what's going wrong.
- *
- * Requires:
- *
- * 'name' is a valid string.
- *
- * msgcatp != NULL && *msgcatp == NULL
- */
-
-void
-isc_msgcat_close(isc_msgcat_t **msgcatp);
-/*
- * Close a message catalog.
- *
- * Notes:
- *
- * Any string pointers returned by prior calls to isc_msgcat_get() are
- * invalid after isc_msgcat_close() has been called and must not be
- * used.
- *
- * Requires:
- *
- * *msgcatp is a valid message catalog or is NULL.
- *
- * Ensures:
- *
- * All resources associated with the message catalog are released.
- *
- * *msgcatp == NULL
- */
-
-const char *
-isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
- const char *default_text);
-/*
- * Get message 'message' from message set 'set' in 'msgcat'. If it
- * is not available, use 'default_text'.
- *
- * Requires:
- *
- * 'msgcat' is a valid message catalog or is NULL.
- *
- * set > 0
- *
- * message > 0
- *
- * 'default_text' is a valid string.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MSGCAT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/msgs.h b/contrib/bind9/lib/isc/include/isc/msgs.h
deleted file mode 100644
index 967005bf3531..000000000000
--- a/contrib/bind9/lib/isc/include/isc/msgs.h
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: msgs.h,v 1.5.2.2.8.3 2004/03/06 08:14:44 marka Exp $ */
-
-#ifndef ISC_MSGS_H
-#define ISC_MSGS_H 1
-
-#include <isc/lib.h> /* Provide isc_msgcat global variable. */
-#include <isc/msgcat.h> /* Provide isc_msgcat_*() functions. */
-
-/*
- * Message sets, named per source file, excepting "GENERAL".
- * IMPORTANT: The original list is alphabetical, but any new sets must
- * be added to the end.
- */
-#define ISC_MSGSET_GENERAL 1
-/* ISC_RESULT_RESULTSET 2 */ /* XXX */
-/* ISC_RESULT_UNAVAILABLESET 3 */ /* XXX */
-#define ISC_MSGSET_APP 4
-#define ISC_MSGSET_COMMANDLINE 5
-#define ISC_MSGSET_ENTROPY 6
-#define ISC_MSGSET_IFITERIOCTL 7
-#define ISC_MSGSET_IFITERSYSCTL 8
-#define ISC_MSGSET_LEX 9
-#define ISC_MSGSET_LOG 10
-#define ISC_MSGSET_MEM 11
-#define ISC_MSGSET_NETADDR 12
-#define ISC_MSGSET_PRINT 13
-#define ISC_MSGSET_RESULT 14
-#define ISC_MSGSET_RWLOCK 15
-#define ISC_MSGSET_SOCKADDR 16
-#define ISC_MSGSET_SOCKET 17
-#define ISC_MSGSET_TASK 18
-#define ISC_MSGSET_TIMER 19
-#define ISC_MSGSET_UTIL 20
-#define ISC_MSGSET_IFITERGETIFADDRS 21
-
-/*
- * Message numbers. They are only required to be unique per message set,
- * but are unique throughout the entire catalog to not be as confusing when
- * debugging.
- *
- * The initial numbering was done by multiply by 100 the set number the
- * message appears in then adding the incremental message number.
- */
-#define ISC_MSG_FAILED 101 /* "failed" */
-#define ISC_MSG_SUCCEEDED 102 /* Compatible with "failed" */
-#define ISC_MSG_SUCCESS 103 /* More usual way to say "success" */
-#define ISC_MSG_STARTING 104 /* As in "daemon: starting" */
-#define ISC_MSG_STOPING 105 /* As in "daemon: stopping" */
-#define ISC_MSG_ENTERING 106 /* As in "some_subr: entering" */
-#define ISC_MSG_EXITING 107 /* As in "some_subr: exiting" */
-#define ISC_MSG_CALLING 108 /* As in "calling some_subr()" */
-#define ISC_MSG_RETURNED 109 /* As in "some_subr: returned <foo>" */
-#define ISC_MSG_FATALERROR 110 /* "fatal error" */
-#define ISC_MSG_SHUTTINGDOWN 111 /* "shutting down" */
-#define ISC_MSG_RUNNING 112 /* "running" */
-#define ISC_MSG_WAIT 113 /* "wait" */
-#define ISC_MSG_WAITUNTIL 114 /* "waituntil" */
-
-#define ISC_MSG_SIGNALSETUP 201 /* "handle_signal() %d setup: %s" */
-
-#define ISC_MSG_ILLEGALOPT 301 /* "illegal option" */
-#define ISC_MSG_OPTNEEDARG 302 /* "option requires an argument" */
-
-#define ISC_MSG_ENTROPYSTATS 401 /* "Entropy pool %p: refcnt %u ..." */
-
-#define ISC_MSG_MAKESCANSOCKET 501 /* "making interface scan socket: %s" */
-#define ISC_MSG_GETIFCONFIG 502 /* "get interface configuration: %s" */
-#define ISC_MSG_BUFFERMAX 503 /* "... maximum buffer size exceeded" */
-#define ISC_MSG_GETDESTADDR 504 /* "%s: getting destination address: %s" */
-#define ISC_MSG_GETNETMASK 505 /* "%s: getting netmask: %s" */
-
-#define ISC_MSG_GETIFLISTSIZE 601 /* "getting interface list size: ..." */
-#define ISC_MSG_GETIFLIST 602 /* "getting interface list: ..." */
-#define ISC_MSG_UNEXPECTEDTYPE 603 /* "... unexpected ... message type" */
-
-#define ISC_MSG_UNEXPECTEDSTATE 701 /* "Unexpected state %d" */
-
-#define ISC_MSG_BADTIME 801 /* "Bad 00 99:99:99.999 " */
-#define ISC_MSG_LEVEL 802 /* "level %d: " */
-
-#define ISC_MSG_ADDTRACE 901 /* "add %p size %u " */
-#define ISC_MSG_DELTRACE 902 /* "del %p size %u " */
-#define ISC_MSG_POOLSTATS 903 /* "[Pool statistics]\n" */
-#define ISC_MSG_POOLNAME 904 /* "name" */
-#define ISC_MSG_POOLSIZE 905 /* "size" */
-#define ISC_MSG_POOLMAXALLOC 906 /* "maxalloc" */
-#define ISC_MSG_POOLALLOCATED 907 /* "allocated" */
-#define ISC_MSG_POOLFREECOUNT 908 /* "freecount" */
-#define ISC_MSG_POOLFREEMAX 909 /* "freemax" */
-#define ISC_MSG_POOLFILLCOUNT 910 /* "fillcount" */
-#define ISC_MSG_POOLGETS 911 /* "gets" */
-#define ISC_MSG_DUMPALLOC 912 /* "DUMP OF ALL OUTSTANDING MEMORY ..." */
-#define ISC_MSG_NONE 913 /* "\tNone.\n" */
-#define ISC_MSG_PTRFILELINE 914 /* "\tptr %p file %s line %u\n" */
-
-#define ISC_MSG_UNKNOWNADDR 1001 /* "<unknown address, family %u>" */
-
-#define ISC_MSG_NOLONGDBL 1104 /* "long doubles are not supported" */
-
-#define ISC_MSG_PRINTLOCK 1201 /* "rwlock %p thread %lu ..." */
-#define ISC_MSG_READ 1202 /* "read" */
-#define ISC_MSG_WRITE 1203 /* "write" */
-#define ISC_MSG_READING 1204 /* "reading" */
-#define ISC_MSG_WRITING 1205 /* "writing" */
-#define ISC_MSG_PRELOCK 1206 /* "prelock" */
-#define ISC_MSG_POSTLOCK 1207 /* "postlock" */
-#define ISC_MSG_PREUNLOCK 1208 /* "preunlock" */
-#define ISC_MSG_POSTUNLOCK 1209 /* "postunlock" */
-
-#define ISC_MSG_UNKNOWNFAMILY 1301 /* "unknown address family: %d" */
-
-#define ISC_MSG_WRITEFAILED 1401 /* "write() failed during watcher ..." */
-#define ISC_MSG_READFAILED 1402 /* "read() failed during watcher ... " */
-#define ISC_MSG_PROCESSCMSG 1403 /* "processing cmsg %p" */
-#define ISC_MSG_IFRECEIVED 1404 /* "interface received on ifindex %u" */
-#define ISC_MSG_SENDTODATA 1405 /* "sendto pktinfo data, ifindex %u" */
-#define ISC_MSG_DOIORECV 1406 /* "doio_recv: recvmsg(%d) %d bytes ..." */
-#define ISC_MSG_PKTRECV 1407 /* "packet received correctly" */
-#define ISC_MSG_DESTROYING 1408 /* "destroying" */
-#define ISC_MSG_CREATED 1409 /* "created" */
-#define ISC_MSG_ACCEPTLOCK 1410 /* "internal_accept called, locked ..." */
-#define ISC_MSG_ACCEPTEDCXN 1411 /* "accepted connection, new socket %p" */
-#define ISC_MSG_INTERNALRECV 1412 /* "internal_recv: task %p got event %p" */
-#define ISC_MSG_INTERNALSEND 1413 /* "internal_send: task %p got event %p" */
-#define ISC_MSG_WATCHERMSG 1414 /* "watcher got message %d" */
-#define ISC_MSG_SOCKETSREMAIN 1415 /* "sockets exist" */
-#define ISC_MSG_PKTINFOPROVIDED 1416 /* "pktinfo structure provided, ..." */
-#define ISC_MSG_BOUND 1417 /* "bound" */
-#define ISC_MSG_ACCEPTRETURNED 1418 /* accept() returned %d/%s */
-#define ISC_MSG_TOOMANYFDS 1419 /* %s: too many open file descriptors */
-#define ISC_MSG_ZEROPORT 1420 /* dropping source port zero packet */
-#define ISC_MSG_FILTER 1420 /* setsockopt(SO_ACCEPTFILTER): %s */
-
-#define ISC_MSG_AWAKE 1502 /* "awake" */
-#define ISC_MSG_WORKING 1503 /* "working" */
-#define ISC_MSG_EXECUTE 1504 /* "execute action" */
-#define ISC_MSG_EMPTY 1505 /* "empty" */
-#define ISC_MSG_DONE 1506 /* "done" */
-#define ISC_MSG_QUANTUM 1507 /* "quantum" */
-
-#define ISC_MSG_SCHEDULE 1601 /* "schedule" */
-#define ISC_MSG_SIGNALSCHED 1602 /* "signal (schedule)" */
-#define ISC_MSG_SIGNALDESCHED 1603 /* "signal (deschedule)" */
-#define ISC_MSG_SIGNALDESTROY 1604 /* "signal (destroy)" */
-#define ISC_MSG_IDLERESCHED 1605 /* "idle reschedule" */
-#define ISC_MSG_EVENTNOTALLOC 1606 /* "couldn't allocate event" */
-#define ISC_MSG_SCHEDFAIL 1607 /* "couldn't schedule timer: %u" */
-#define ISC_MSG_POSTING 1608 /* "posting" */
-#define ISC_MSG_WAKEUP 1609 /* "wakeup" */
-
-#define ISC_MSG_LOCK 1701 /* "LOCK" */
-#define ISC_MSG_LOCKING 1702 /* "LOCKING" */
-#define ISC_MSG_LOCKED 1703 /* "LOCKED" */
-#define ISC_MSG_UNLOCKED 1704 /* "UNLOCKED" */
-#define ISC_MSG_RWLOCK 1705 /* "RWLOCK" */
-#define ISC_MSG_RWLOCKED 1706 /* "RWLOCKED" */
-#define ISC_MSG_RWUNLOCK 1707 /* "RWUNLOCK" */
-#define ISC_MSG_BROADCAST 1708 /* "BROADCAST" */
-#define ISC_MSG_SIGNAL 1709 /* "SIGNAL" */
-#define ISC_MSG_UTILWAIT 1710 /* "WAIT" */
-#define ISC_MSG_WAITED 1711 /* "WAITED" */
-
-#define ISC_MSG_GETIFADDRS 1801 /* "getting interface addresses: ..." */
-
-
-#endif /* ISC_MSGS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/mutexblock.h b/contrib/bind9/lib/isc/include/isc/mutexblock.h
deleted file mode 100644
index 9bfd90ccce5f..000000000000
--- a/contrib/bind9/lib/isc/include/isc/mutexblock.h
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutexblock.h,v 1.10.206.1 2004/03/06 08:14:44 marka Exp $ */
-
-#ifndef ISC_MUTEXBLOCK_H
-#define ISC_MUTEXBLOCK_H 1
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_mutexblock_init(isc_mutex_t *block, unsigned int count);
-/*
- * Initialize a block of locks. If an error occurs all initialized locks
- * will be destroyed, if possible.
- *
- * Requires:
- *
- * block != NULL
- *
- * count > 0
- *
- * Returns:
- *
- * Any code isc_mutex_init() can return is a valid return for this
- * function.
- */
-
-isc_result_t
-isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count);
-/*
- * Destroy a block of locks.
- *
- * Requires:
- *
- * block != NULL
- *
- * count > 0
- *
- * Each lock in the block be initialized via isc_mutex_init() or
- * the whole block was initialized via isc_mutex_initblock().
- *
- * Returns:
- *
- * Any code isc_mutex_init() can return is a valid return for this
- * function.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_MUTEXBLOCK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/netaddr.h b/contrib/bind9/lib/isc/include/isc/netaddr.h
deleted file mode 100644
index ad3328c47cdf..000000000000
--- a/contrib/bind9/lib/isc/include/isc/netaddr.h
+++ /dev/null
@@ -1,149 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netaddr.h,v 1.18.12.9 2005/07/29 00:13:10 marka Exp $ */
-
-#ifndef ISC_NETADDR_H
-#define ISC_NETADDR_H 1
-
-#include <isc/lang.h>
-#include <isc/net.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-struct isc_netaddr {
- unsigned int family;
- union {
- struct in_addr in;
- struct in6_addr in6;
- } type;
- isc_uint32_t zone;
-};
-
-isc_boolean_t
-isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
-
-isc_boolean_t
-isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
- unsigned int prefixlen);
-/*
- * Compare the 'prefixlen' most significant bits of the network
- * addresses 'a' and 'b'. Return ISC_TRUE if they are equal,
- * ISC_FALSE if not.
- */
-
-isc_result_t
-isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp);
-/*
- * Convert a netmask in 's' into a prefix length in '*lenp'.
- * The mask should consist of zero or more '1' bits in the most
- * most significant part of the address, followed by '0' bits.
- * If this is not the case, ISC_R_MASKNONCONTIG is returned.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_MASKNONCONTIG
- */
-
-isc_result_t
-isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target);
-/*
- * Append a text representation of 'sockaddr' to the buffer 'target'.
- * The text is NOT null terminated. Handles IPv4 and IPv6 addresses.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE The text or the null termination did not fit.
- * ISC_R_FAILURE Unspecified failure
- */
-
-void
-isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
-/*
- * Format a human-readable representation of the network address '*na'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-#define ISC_NETADDR_FORMATSIZE \
- sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX%SSSSSSSSSS")
-/*
- * Minimum size of array to pass to isc_netaddr_format().
- */
-
-void
-isc_netaddr_fromsockaddr(isc_netaddr_t *netaddr, const isc_sockaddr_t *source);
-
-void
-isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina);
-
-void
-isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6);
-
-void
-isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone);
-
-isc_uint32_t
-isc_netaddr_getzone(const isc_netaddr_t *netaddr);
-
-void
-isc_netaddr_any(isc_netaddr_t *netaddr);
-/*
- * Return the IPv4 wildcard address.
- */
-
-void
-isc_netaddr_any6(isc_netaddr_t *netaddr);
-/*
- * Return the IPv6 wildcard address.
- */
-
-isc_boolean_t
-isc_netaddr_ismulticast(isc_netaddr_t *na);
-/*
- * Returns ISC_TRUE if the address is a multicast address.
- */
-
-isc_boolean_t
-isc_netaddr_isexperimental(isc_netaddr_t *na);
-/*
- * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
- */
-
-isc_boolean_t
-isc_netaddr_islinklocal(isc_netaddr_t *na);
-/*
- * Returns ISC_TRUE if the address is a link local address.
- */
-
-isc_boolean_t
-isc_netaddr_issitelocal(isc_netaddr_t *na);
-/*
- * Returns ISC_TRUE if the address is a site local address.
- */
-
-void
-isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
-/*
- * Convert an IPv6 v4mapped address into an IPv4 address.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_NETADDR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/netscope.h b/contrib/bind9/lib/isc/include/isc/netscope.h
deleted file mode 100644
index 7cc0f182d742..000000000000
--- a/contrib/bind9/lib/isc/include/isc/netscope.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netscope.h,v 1.4.142.5 2004/03/08 09:04:52 marka Exp $ */
-
-#ifndef ISC_NETSCOPE_H
-#define ISC_NETSCOPE_H 1
-
-ISC_LANG_BEGINDECLS
-
-/*
- * Convert a string of an IPv6 scope zone to zone index. If the conversion
- * succeeds, 'zoneid' will store the index value.
- * XXXJT: when a standard interface for this purpose is defined,
- * we should use it.
- *
- * Returns:
- * ISC_R_SUCCESS: conversion succeeds
- * ISC_R_FAILURE: conversion fails
- */
-isc_result_t
-isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_NETADDR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/ondestroy.h b/contrib/bind9/lib/isc/include/isc/ondestroy.h
deleted file mode 100644
index a2c584a99050..000000000000
--- a/contrib/bind9/lib/isc/include/isc/ondestroy.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ondestroy.h,v 1.7.206.1 2004/03/06 08:14:45 marka Exp $ */
-
-#ifndef ISC_ONDESTROY_H
-#define ISC_ONDESTROY_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*
- * ondestroy handling.
- *
- * Any class ``X'' of objects that wants to send out notifications
- * on its destruction should declare a field of type isc_ondestroy_t
- * (call it 'ondest').
- *
- * typedef struct {
- * ...
- * isc_ondestroy_t ondest;
- * ...
- * } X;
- *
- * When an object ``A'' of type X is created
- * it must initialize the field ondest with a call to
- *
- * isc_ondestroy_init(&A->ondest).
- *
- * X should also provide a registration function for third-party
- * objects to call to register their interest in being told about
- * the destruction of a particular instance of X.
- *
- * isc_result_t
- * X_ondestroy(X *instance, isc_task_t *task,
- * isc_event_t **eventp) {
- * return(isc_ondestroy_register(&instance->ondest, task,eventp));
- * }
- *
- * Note: locking of the ondestory structure embedded inside of X, is
- * X's responsibility.
- *
- * When an instance of X is destroyed, a call to isc_ondestroy_notify()
- * sends the notifications:
- *
- * X *instance;
- * isc_ondestroy_t ondest = instance->ondest;
- *
- * ... completely cleanup 'instance' here...
- *
- * isc_ondestroy_notify(&ondest, instance);
- *
- *
- * see dns/zone.c for an ifdef'd-out example.
- */
-
-struct isc_ondestroy {
- unsigned int magic;
- isc_eventlist_t events;
-};
-
-void
-isc_ondestroy_init(isc_ondestroy_t *ondest);
-/*
- * Initialize the on ondest structure. *must* be called before first call
- * to isc_ondestroy_register().
- */
-
-isc_result_t
-isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
- isc_event_t **eventp);
-
-/*
- * Stores task and *eventp away inside *ondest. Ownership of **event is
- * taken from the caller (and *eventp is set to NULL). The task is attached
- * to.
- */
-
-void
-isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
-/*
- * Dispatches the event(s) to the task(s) that were given in
- * isc_ondestroy_register call(s) (done via calls to
- * isc_task_sendanddetach()). Before dispatch, the sender value of each
- * event structure is set to the value of the sender paramater. The
- * internal structures of the ondest parameter are cleaned out, so no other
- * cleanup is needed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_ONDESTROY_H */
diff --git a/contrib/bind9/lib/isc/include/isc/os.h b/contrib/bind9/lib/isc/include/isc/os.h
deleted file mode 100644
index 5c3bd6206101..000000000000
--- a/contrib/bind9/lib/isc/include/isc/os.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.h,v 1.5.206.1 2004/03/06 08:14:45 marka Exp $ */
-
-#ifndef ISC_OS_H
-#define ISC_OS_H 1
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-unsigned int
-isc_os_ncpus(void);
-/*
- * Return the number of CPUs available on the system, or 1 if this cannot
- * be determined.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_OS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/parseint.h b/contrib/bind9/lib/isc/include/isc/parseint.h
deleted file mode 100644
index c877131c94fe..000000000000
--- a/contrib/bind9/lib/isc/include/isc/parseint.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: parseint.h,v 1.2.202.4 2004/03/08 09:04:52 marka Exp $ */
-
-#ifndef ISC_PARSEINT_H
-#define ISC_PARSEINT_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*
- * Parse integers, in a saner way than atoi() or strtoul() do.
- */
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_parse_uint32(isc_uint32_t *uip, const char *string, int base);
-
-isc_result_t
-isc_parse_uint16(isc_uint16_t *uip, const char *string, int base);
-
-isc_result_t
-isc_parse_uint8(isc_uint8_t *uip, const char *string, int base);
-/*
- * Parse the null-terminated string 'string' containing a base 'base'
- * integer, storing the result in '*uip'. The base is interpreted
- * as in strtoul(). Unlike strtoul(), leading whitespace, minus or
- * plus signs are not accepted, and all errors (including overflow)
- * are reported uniformly through the return value.
- *
- * Requires:
- * 'string' points to a null-terminated string
- * 0 <= 'base' <= 36
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_BADNUMBER The string is not numeric (in the given base)
- * ISC_R_RANGE The number is not representable as the requested type.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_PARSEINT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/platform.h.in b/contrib/bind9/lib/isc/include/isc/platform.h.in
deleted file mode 100644
index 7a803d7dfb98..000000000000
--- a/contrib/bind9/lib/isc/include/isc/platform.h.in
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.24.2.1.10.11 2004/03/08 09:04:52 marka Exp $ */
-
-#ifndef ISC_PLATFORM_H
-#define ISC_PLATFORM_H 1
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*
- * Define if this system needs the <netinet/in6.h> header file included
- * for full IPv6 support (pretty much only UnixWare).
- */
-@ISC_PLATFORM_NEEDNETINETIN6H@
-
-/*
- * Define if this system needs the <netinet6/in6.h> header file included
- * to support in6_pkinfo (pretty much only BSD/OS).
- */
-@ISC_PLATFORM_NEEDNETINET6IN6H@
-
-/*
- * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
- * will be defined.
- */
-@ISC_PLATFORM_HAVESALEN@
-
-/*
- * If this system has the IPv6 structure definitions, ISC_PLATFORM_HAVEIPV6
- * will be defined.
- */
-@ISC_PLATFORM_HAVEIPV6@
-
-/*
- * If this system is missing in6addr_any, ISC_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-@ISC_PLATFORM_NEEDIN6ADDRANY@
-
-/*
- * If this system is missing in6addr_loopback, ISC_PLATFORM_NEEDIN6ADDRLOOPBACK
- * will be defined.
- */
-@ISC_PLATFORM_NEEDIN6ADDRLOOPBACK@
-
-/*
- * If this system has in6_pktinfo, ISC_PLATFORM_HAVEIN6PKTINFO will be
- * defined.
- */
-@ISC_PLATFORM_HAVEIN6PKTINFO@
-
-/*
- * If this system has in_addr6, rather than in6_addr, ISC_PLATFORM_HAVEINADDR6
- * will be defined.
- */
-@ISC_PLATFORM_HAVEINADDR6@
-
-/*
- * If this system has sin6_scope_id, ISC_PLATFORM_HAVESCOPEID will be defined.
- */
-@ISC_PLATFORM_HAVESCOPEID@
-
-/*
- * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
- */
-@ISC_PLATFORM_NEEDNTOP@
-
-/*
- * If this system needs inet_pton(), ISC_PLATFORM_NEEDPTON will be defined.
- */
-@ISC_PLATFORM_NEEDPTON@
-
-/*
- * If this system needs inet_aton(), ISC_PLATFORM_NEEDATON will be defined.
- */
-@ISC_PLATFORM_NEEDATON@
-
-/*
- * If this system needs in_port_t, ISC_PLATFORM_NEEDPORTT will be defined.
- */
-@ISC_PLATFORM_NEEDPORTT@
-
-/*
- * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
- */
-@ISC_PLATFORM_NEEDSTRSEP@
-
-/*
- * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
- */
-@ISC_PLATFORM_NEEDSTRLCPY@
-
-/*
- * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
- */
-@ISC_PLATFORM_NEEDSTRLCAT@
-
-/*
- * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
- */
-@ISC_PLATFORM_MSGHDRFLAVOR@
-
-/*
- * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
- * prevent compiler warnings (such as with gcc on Solaris 2.8).
- */
-@ISC_PLATFORM_BRACEPTHREADONCEINIT@
-
-/*
- * Define on some UnixWare systems to fix erroneous definitions of various
- * IN6_IS_ADDR_* macros.
- */
-@ISC_PLATFORM_FIXIN6ISADDR@
-
-/***
- *** Printing.
- ***/
-
-/*
- * If this system needs vsnprintf() and snprintf(), ISC_PLATFORM_NEEDVSNPRINTF
- * will be defined.
- */
-@ISC_PLATFORM_NEEDVSNPRINTF@
-
-/*
- * If this system need a modern sprintf() that returns (int) not (char*).
- */
-@ISC_PLATFORM_NEEDSPRINTF@
-
-/*
- * The printf format string modifier to use with isc_uint64_t values.
- */
-@ISC_PLATFORM_QUADFORMAT@
-
-/*
- * Defined if we are using threads.
- */
-@ISC_PLATFORM_USETHREADS@
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-@ISC_PLATFORM_NEEDSYSSELECTH@
-
-/*
- * Type used for resource limits.
- */
-@ISC_PLATFORM_RLIMITTYPE@
-
-/*
- * Define if your compiler supports "long long int".
- */
-@ISC_PLATFORM_HAVELONGLONG@
-
-/*
- * Define if the system has struct lifconf which is a extended struct ifconf
- * for IPv6.
- */
-@ISC_PLATFORM_HAVELIFCONF@
-
-/*
- * Define if the system has struct if_laddrconf which is a extended struct
- * ifconf for IPv6.
- */
-@ISC_PLATFORM_HAVEIF_LADDRCONF@
-
-/*
- * Define if the system has struct if_laddrreq.
- */
-@ISC_PLATFORM_HAVEIF_LADDRREQ@
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-@ISC_PLATFORM_USEDECLSPEC@
-
-/*
- * Define if the system supports if_nametoindex.
- */
-@ISC_PLATFORM_HAVEIFNAMETOINDEX@
-
-/*
- * Define if this system needs strtoul.
- */
-@ISC_PLATFORM_NEEDSTRTOUL@
-
-/*
- * Define if this system needs memmove.
- */
-@ISC_PLATFORM_NEEDMEMMOVE@
-
-#ifndef ISC_PLATFORM_USEDECLSPEC
-#define LIBISC_EXTERNAL_DATA
-#define LIBDNS_EXTERNAL_DATA
-#define LIBISCCC_EXTERNAL_DATA
-#define LIBISCCFG_EXTERNAL_DATA
-#define LIBBIND9_EXTERNAL_DATA
-#else /* ISC_PLATFORM_USEDECLSPEC */
-#ifdef LIBISC_EXPORTS
-#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBDNS_EXPORTS
-#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBISCCC_EXPORTS
-#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBISCCFG_EXPORTS
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#ifdef LIBBIND9_EXPORTS
-#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif /* ISC_PLATFORM_USEDECLSPEC */
-
-/*
- * Tell emacs to use C mode for this file.
- *
- * Local Variables:
- * mode: c
- * End:
- */
-
-#endif /* ISC_PLATFORM_H */
diff --git a/contrib/bind9/lib/isc/include/isc/print.h b/contrib/bind9/lib/isc/include/isc/print.h
deleted file mode 100644
index 1bf3704a26f4..000000000000
--- a/contrib/bind9/lib/isc/include/isc/print.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print.h,v 1.17.188.4 2005/06/09 23:54:30 marka Exp $ */
-
-#ifndef ISC_PRINT_H
-#define ISC_PRINT_H 1
-
-/***
- *** Imports
- ***/
-
-#include <isc/formatcheck.h> /* Required for ISC_FORMAT_PRINTF() macro. */
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-/*
- * This block allows lib/isc/print.c to be cleanly compiled even if
- * the platform does not need it. The standard Makefile will still
- * not compile print.c or archive print.o, so this is just to make test
- * compilation ("make print.o") easier.
- */
-#if !defined(ISC_PLATFORM_NEEDVSNPRINTF) && defined(ISC__PRINT_SOURCE)
-#define ISC_PLATFORM_NEEDVSNPRINTF
-#endif
-
-#if !defined(ISC_PLATFORM_NEEDSPRINTF) && defined(ISC__PRINT_SOURCE)
-#define ISC_PLATFORM_NEEDSPRINTF
-#endif
-
-/***
- *** Macros
- ***/
-#define ISC_PRINT_QUADFORMAT ISC_PLATFORM_QUADFORMAT
-
-/***
- *** Functions
- ***/
-
-#ifdef ISC_PLATFORM_NEEDVSNPRINTF
-#include <stdarg.h>
-#include <stddef.h>
-#endif
-#ifdef ISC_PLATFORM_NEEDSPRINTF
-#include <stdio.h>
-#endif
-
-
-ISC_LANG_BEGINDECLS
-
-#ifdef ISC_PLATFORM_NEEDVSNPRINTF
-int
-isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
- ISC_FORMAT_PRINTF(3, 0);
-#define vsnprintf isc_print_vsnprintf
-
-int
-isc_print_snprintf(char *str, size_t size, const char *format, ...)
- ISC_FORMAT_PRINTF(3, 4);
-#define snprintf isc_print_snprintf
-#endif /* ISC_PLATFORM_NEEDVSNPRINTF */
-
-#ifdef ISC_PLATFORM_NEEDSPRINTF
-int
-isc_print_sprintf(char *str, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
-#define sprintf isc_print_sprintf
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_PRINT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/quota.h b/contrib/bind9/lib/isc/include/isc/quota.h
deleted file mode 100644
index 4044118747b3..000000000000
--- a/contrib/bind9/lib/isc/include/isc/quota.h
+++ /dev/null
@@ -1,120 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: quota.h,v 1.8.12.6 2005/08/11 15:00:08 marka Exp $ */
-
-#ifndef ISC_QUOTA_H
-#define ISC_QUOTA_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Quota
- *
- * The isc_quota_t object is a simple helper object for implementing
- * quotas on things like the number of simultaneous connections to
- * a server. It keeps track of the amount of quota in use, and
- * encapsulates the locking necessary to allow multiple tasks to
- * share a quota.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/types.h>
-
-/*****
- ***** Types.
- *****/
-
-ISC_LANG_BEGINDECLS
-
-struct isc_quota {
- isc_mutex_t lock;
- /* Locked by lock. */
- int max;
- int used;
- int soft;
-};
-
-isc_result_t
-isc_quota_init(isc_quota_t *quota, int max);
-/*
- * Initialize a quota object.
- *
- * Returns:
- * ISC_R_SUCCESS
- * Other error Lock creation failed.
- */
-
-void
-isc_quota_destroy(isc_quota_t *quota);
-/*
- * Destroy a quota object.
- */
-
-void
-isc_quota_soft(isc_quota_t *quota, int soft);
-/*
- * Turn on/off soft quotas.
- */
-
-void
-isc_quota_max(isc_quota_t *quota, int max);
-/*
- * Re-set a maximum quota.
- */
-
-isc_result_t
-isc_quota_reserve(isc_quota_t *quota);
-/*
- * Attempt to reserve one unit of 'quota'.
- *
- * Returns:
- * ISC_R_SUCCESS Success
- * ISC_R_SOFTQUOTA Success soft quota reached
- * ISC_R_QUOTA Quota is full
- */
-
-void
-isc_quota_release(isc_quota_t *quota);
-/*
- * Release one unit of quota.
- */
-
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
-/*
- * Like isc_quota_reserve, and also attaches '*p' to the
- * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
- */
-
-void
-isc_quota_detach(isc_quota_t **p);
-/*
- * Like isc_quota_release, and also detaches '*p' from the
- * quota.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_QUOTA_H */
diff --git a/contrib/bind9/lib/isc/include/isc/random.h b/contrib/bind9/lib/isc/include/isc/random.h
deleted file mode 100644
index ee416c5b2f14..000000000000
--- a/contrib/bind9/lib/isc/include/isc/random.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: random.h,v 1.11.206.1 2004/03/06 08:14:46 marka Exp $ */
-
-#ifndef ISC_RANDOM_H
-#define ISC_RANDOM_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*
- * Implements a random state pool which will let the caller return a
- * series of possibly non-reproducable random values. Note that the
- * strength of these numbers is not all that high, and should not be
- * used in cryptography functions. It is useful for jittering values
- * a bit here and there, such as timeouts, etc.
- */
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_random_seed(isc_uint32_t seed);
-/*
- * Set the initial seed of the random state.
- */
-
-void
-isc_random_get(isc_uint32_t *val);
-/*
- * Get a random value.
- *
- * Requires:
- * val != NULL.
- */
-
-isc_uint32_t
-isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter);
-/*
- * Get a random value between (max - jitter) and (max).
- * This is useful for jittering timer values.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RANDOM_H */
diff --git a/contrib/bind9/lib/isc/include/isc/ratelimiter.h b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
deleted file mode 100644
index 2acab34b5ad9..000000000000
--- a/contrib/bind9/lib/isc/include/isc/ratelimiter.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ratelimiter.h,v 1.13.14.3 2004/03/08 09:04:53 marka Exp $ */
-
-#ifndef ISC_RATELIMITER_H
-#define ISC_RATELIMITER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * A rate limiter is a mechanism for dispatching events at a limited
- * rate. This is intended to be used when sending zone maintenance
- * SOA queries, NOTIFY messages, etc.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Functions.
- *****/
-
-isc_result_t
-isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
- isc_task_t *task, isc_ratelimiter_t **ratelimiterp);
-/*
- * Create a rate limiter. The execution interval is initially undefined.
- */
-
-isc_result_t
-isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
-/*
- * Set the mininum interval between event executions.
- * The interval value is copied, so the caller need not preserve it.
- *
- * Requires:
- * '*interval' is a nonzero interval.
- */
-
-void
-isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t perint);
-/*
- * Set the number of events processed per interval timer tick.
- * If 'perint' is zero it is treated as 1.
- */
-
-isc_result_t
-isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
- isc_event_t **eventp);
-/*
- * Queue an event for rate-limited execution. This is similar
- * to doing an isc_task_send() to the 'task', except that the
- * execution may be delayed to achieve the desired rate of
- * execution.
- *
- * '(*eventp)->ev_sender' is used to hold the task. The caller
- * must ensure that the task exists until the event is delivered.
- *
- * Requires:
- * An interval has been set by calling
- * isc_ratelimiter_setinterval().
- *
- * 'task' to be non NULL.
- * '(*eventp)->ev_sender' to be NULL.
- */
-
-void
-isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
-/*
- * Shut down a rate limiter.
- *
- * Ensures:
- * All events that have not yet been
- * dispatched to the task are dispatched immediately with
- * the ISC_EVENTATTR_CANCELED bit set in ev_attributes.
- *
- * Further attempts to enqueue events will fail with
- * ISC_R_SHUTTINGDOWN.
- *
- * The reatelimiter is no longer attached to its task.
- */
-
-void
-isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target);
-/*
- * Attach to a rate limiter.
- */
-
-void
-isc_ratelimiter_detach(isc_ratelimiter_t **ratelimiterp);
-/*
- * Detach from a rate limiter.
- */
-
-isc_result_t
-isc_ratelimiter_stall(isc_ratelimiter_t *rl);
-/*
- * Stall event processing.
- */
-
-isc_result_t
-isc_ratelimiter_release(isc_ratelimiter_t *rl);
-/*
- * Release a stalled rate limiter.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RATELIMITER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/refcount.h b/contrib/bind9/lib/isc/include/isc/refcount.h
deleted file mode 100644
index d2c7b6f5cacb..000000000000
--- a/contrib/bind9/lib/isc/include/isc/refcount.h
+++ /dev/null
@@ -1,164 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: refcount.h,v 1.3.2.2.2.2 2004/04/14 05:12:25 marka Exp $ */
-
-#ifndef ISC_REFCOUNT_H
-#define ISC_REFCOUNT_H 1
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-/*
- * Implements a locked reference counter. These functions may actually be
- * implemented using macros, and implementations of these macros are below.
- * The isc_refcount_t type should not be accessed directly, as its contents
- * depend on the implementation.
- */
-
-ISC_LANG_BEGINDECLS
-
-/*
- * Function prototypes
- */
-
-/*
- * void
- * isc_refcount_init(isc_refcount_t *ref, unsigned int n);
- *
- * Initialize the reference counter. There will be 'n' initial references.
- *
- * Requires:
- * ref != NULL
- */
-
-/*
- * void
- * isc_refcount_destroy(isc_refcount_t *ref);
- *
- * Destroys a reference counter.
- *
- * Requires:
- * ref != NULL
- * The number of references is 0.
- */
-
-/*
- * void
- * isc_refcount_increment(isc_refcount_t *ref, unsigned int *targetp);
- *
- * Increments the reference count, returning the new value in targetp if it's
- * not NULL.
- *
- * Requires:
- * ref != NULL.
- */
-
-/*
- * void
- * isc_refcount_decrement(isc_refcount_t *ref, unsigned int *targetp);
- *
- * Decrements the reference count, returning the new value in targetp if it's
- * not NULL.
- *
- * Requires:
- * ref != NULL.
- */
-
-
-/*
- * Sample implementations
- */
-#ifdef ISC_PLATFORM_USETHREADS
-
-typedef struct isc_refcount {
- int refs;
- isc_mutex_t lock;
-} isc_refcount_t;
-
-#define isc_refcount_init(rp, n) \
- do { \
- isc_result_t _r; \
- (rp)->refs = (n); \
- _r = isc_mutex_init(&(rp)->lock); \
- RUNTIME_CHECK(_r == ISC_R_SUCCESS); \
- } while (0)
-
-#define isc_refcount_destroy(rp) \
- do { \
- REQUIRE((rp)->refs == 0); \
- DESTROYLOCK(&(rp)->lock); \
- } while (0)
-
-#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
-
-#define isc_refcount_increment(rp, tp) \
- do { \
- unsigned int *_tmp = (unsigned int *)(tp); \
- LOCK(&(rp)->lock); \
- REQUIRE((rp)->refs > 0); \
- ++((rp)->refs); \
- if (_tmp != NULL) \
- *_tmp = ((rp)->refs); \
- UNLOCK(&(rp)->lock); \
- } while (0)
-
-#define isc_refcount_decrement(rp, tp) \
- do { \
- unsigned int *_tmp = (unsigned int *)(tp); \
- LOCK(&(rp)->lock); \
- REQUIRE((rp)->refs > 0); \
- --((rp)->refs); \
- if (_tmp != NULL) \
- *_tmp = ((rp)->refs); \
- UNLOCK(&(rp)->lock); \
- } while (0)
-
-#else
-
-typedef struct isc_refcount {
- int refs;
-} isc_refcount_t;
-
-#define isc_refcount_init(rp, n) ((rp)->refs = (n))
-#define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0))
-#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
-
-#define isc_refcount_increment(rp, tp) \
- do { \
- unsigned int *_tmp = (unsigned int *)(tp); \
- int _n = ++(rp)->refs; \
- if (_tmp != NULL) \
- *_tmp = _n; \
- } while (0)
-
-#define isc_refcount_decrement(rp, tp) \
- do { \
- unsigned int *_tmp = (unsigned int *)(tp); \
- int _n = --(rp)->refs; \
- if (_tmp != NULL) \
- *_tmp = _n; \
- } while (0)
-
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_REFCOUNT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/region.h b/contrib/bind9/lib/isc/include/isc/region.h
deleted file mode 100644
index 5622394aaf43..000000000000
--- a/contrib/bind9/lib/isc/include/isc/region.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: region.h,v 1.16.12.3 2004/03/08 09:04:53 marka Exp $ */
-
-#ifndef ISC_REGION_H
-#define ISC_REGION_H 1
-
-#include <isc/types.h>
-
-struct isc_region {
- unsigned char * base;
- unsigned int length;
-};
-
-struct isc_textregion {
- char * base;
- unsigned int length;
-};
-
-/* XXXDCL questionable ... bears discussion. we have been putting off
- * discussing the region api.
- */
-struct isc_constregion {
- const void * base;
- unsigned int length;
-};
-
-struct isc_consttextregion {
- const char * base;
- unsigned int length;
-};
-
-/*
- * The region structure is not opaque, and is usually directly manipulated.
- * Some macros are defined below for convenience.
- */
-
-#define isc_region_consume(r,l) \
- do { \
- isc_region_t *_r = (r); \
- unsigned int _l = (l); \
- INSIST(_r->length >= _l); \
- _r->base += _l; \
- _r->length -= _l; \
- } while (0)
-
-#define isc_textregion_consume(r,l) \
- do { \
- isc_textregion_t *_r = (r); \
- unsigned int _l = (l); \
- INSIST(_r->length >= _l); \
- _r->base += _l; \
- _r->length -= _l; \
- } while (0)
-
-#define isc_constregion_consume(r,l) \
- do { \
- isc_constregion_t *_r = (r); \
- unsigned int _l = (l); \
- INSIST(_r->length >= _l); \
- _r->base += _l; \
- _r->length -= _l; \
- } while (0)
-
-int
-isc_region_compare(isc_region_t *r1, isc_region_t *r2);
-/*
- * Compares the contents of two regions
- *
- * Requires:
- * 'r1' is a valid region
- * 'r2' is a valid region
- *
- * Returns:
- * < 0 if r1 is lexicographically less than r2
- * = 0 if r1 is lexicographically identical to r2
- * > 0 if r1 is lexicographically greater than r2
- */
-
-#endif /* ISC_REGION_H */
diff --git a/contrib/bind9/lib/isc/include/isc/resource.h b/contrib/bind9/lib/isc/include/isc/resource.h
deleted file mode 100644
index 2c2a82981c56..000000000000
--- a/contrib/bind9/lib/isc/include/isc/resource.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resource.h,v 1.4.206.1 2004/03/06 08:14:47 marka Exp $ */
-
-#ifndef ISC_RESOURCE_H
-#define ISC_RESOURCE_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#define ISC_RESOURCE_UNLIMITED ((isc_resourcevalue_t)ISC_UINT64_MAX)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value);
-/*
- * Set the maximum limit for a system resource.
- *
- * Notes:
- * If 'value' exceeds the maximum possible on the operating system,
- * it is silently limited to that maximum -- or to "infinity", if
- * the operating system has that concept. ISC_RESOURCE_UNLIMITED
- * can be used to explicitly ask for the maximum.
- *
- * Requires:
- * 'resource' is a valid member of the isc_resource_t enumeration.
- *
- * Returns:
- * ISC_R_SUCCESS Success.
- * ISC_R_NOTIMPLEMENTED 'resource' is not a type known by the OS.
- * ISC_R_NOPERM The calling process did not have adequate permission
- * to change the resource limit.
- */
-
-isc_result_t
-isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value);
-/*
- * Get the maximum limit for a system resource.
- *
- * Notes:
- * 'value' is set to the maximum limit.
- *
- * ISC_RESOURCE_UNLIMITED is the maximum value of isc_resourcevalue_t.
- *
- * On many (all?) Unix systems, RLIM_INFINITY is a valid value that is
- * significantly less than ISC_RESOURCE_UNLIMITED, but which in practice
- * behaves the same.
- *
- * The current ISC libdns configuration file parser assigns a value
- * of ISC_UINT32_MAX for a size_spec of "unlimited" and ISC_UNIT32_MAX - 1
- * for "default", the latter of which is supposed to represent "the
- * limit that was in force when the server started". Since these are
- * valid values in the middle of the range of isc_resourcevalue_t,
- * there is the possibility for confusion over what exactly those
- * particular values are supposed to represent in a particular context --
- * discrete integral values or generalized concepts.
- *
- * Requires:
- * 'resource' is a valid member of the isc_resource_t enumeration.
- *
- * Returns:
- * ISC_R_SUCCESS Success.
- * ISC_R_NOTIMPLEMENTED 'resource' is not a type known by the OS.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RESOURCE_H */
-
diff --git a/contrib/bind9/lib/isc/include/isc/result.h b/contrib/bind9/lib/isc/include/isc/result.h
deleted file mode 100644
index 93f7cefbd658..000000000000
--- a/contrib/bind9/lib/isc/include/isc/result.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.57.2.2.8.5 2004/05/15 03:46:13 jinmei Exp $ */
-
-#ifndef ISC_RESULT_H
-#define ISC_RESULT_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#define ISC_R_SUCCESS 0 /* success */
-#define ISC_R_NOMEMORY 1 /* out of memory */
-#define ISC_R_TIMEDOUT 2 /* timed out */
-#define ISC_R_NOTHREADS 3 /* no available threads */
-#define ISC_R_ADDRNOTAVAIL 4 /* address not available */
-#define ISC_R_ADDRINUSE 5 /* address in use */
-#define ISC_R_NOPERM 6 /* permission denied */
-#define ISC_R_NOCONN 7 /* no pending connections */
-#define ISC_R_NETUNREACH 8 /* network unreachable */
-#define ISC_R_HOSTUNREACH 9 /* host unreachable */
-#define ISC_R_NETDOWN 10 /* network down */
-#define ISC_R_HOSTDOWN 11 /* host down */
-#define ISC_R_CONNREFUSED 12 /* connection refused */
-#define ISC_R_NORESOURCES 13 /* not enough free resources */
-#define ISC_R_EOF 14 /* end of file */
-#define ISC_R_BOUND 15 /* socket already bound */
-#define ISC_R_RELOAD 16 /* reload */
-#define ISC_R_LOCKBUSY 17 /* lock busy */
-#define ISC_R_EXISTS 18 /* already exists */
-#define ISC_R_NOSPACE 19 /* ran out of space */
-#define ISC_R_CANCELED 20 /* operation canceled */
-#define ISC_R_NOTBOUND 21 /* socket is not bound */
-#define ISC_R_SHUTTINGDOWN 22 /* shutting down */
-#define ISC_R_NOTFOUND 23 /* not found */
-#define ISC_R_UNEXPECTEDEND 24 /* unexpected end of input */
-#define ISC_R_FAILURE 25 /* generic failure */
-#define ISC_R_IOERROR 26 /* I/O error */
-#define ISC_R_NOTIMPLEMENTED 27 /* not implemented */
-#define ISC_R_UNBALANCED 28 /* unbalanced parentheses */
-#define ISC_R_NOMORE 29 /* no more */
-#define ISC_R_INVALIDFILE 30 /* invalid file */
-#define ISC_R_BADBASE64 31 /* bad base64 encoding */
-#define ISC_R_UNEXPECTEDTOKEN 32 /* unexpected token */
-#define ISC_R_QUOTA 33 /* quota reached */
-#define ISC_R_UNEXPECTED 34 /* unexpected error */
-#define ISC_R_ALREADYRUNNING 35 /* already running */
-#define ISC_R_IGNORE 36 /* ignore */
-#define ISC_R_MASKNONCONTIG 37 /* addr mask not contiguous */
-#define ISC_R_FILENOTFOUND 38 /* file not found */
-#define ISC_R_FILEEXISTS 39 /* file already exists */
-#define ISC_R_NOTCONNECTED 40 /* socket is not connected */
-#define ISC_R_RANGE 41 /* out of range */
-#define ISC_R_NOENTROPY 42 /* out of entropy */
-#define ISC_R_MULTICAST 43 /* invalid use of multicast */
-#define ISC_R_NOTFILE 44 /* not a file */
-#define ISC_R_NOTDIRECTORY 45 /* not a directory */
-#define ISC_R_QUEUEFULL 46 /* queue is full */
-#define ISC_R_FAMILYMISMATCH 47 /* address family mismatch */
-#define ISC_R_FAMILYNOSUPPORT 48 /* AF not supported */
-#define ISC_R_BADHEX 49 /* bad hex encoding */
-#define ISC_R_TOOMANYOPENFILES 50 /* too many open files */
-#define ISC_R_NOTBLOCKING 51 /* not blocking */
-#define ISC_R_UNBALANCEDQUOTES 52 /* unbalanced quotes */
-#define ISC_R_INPROGRESS 53 /* operation in progress */
-#define ISC_R_CONNECTIONRESET 54 /* connection reset */
-#define ISC_R_SOFTQUOTA 55 /* soft quota reached */
-#define ISC_R_BADNUMBER 56 /* not a valid number */
-#define ISC_R_DISABLED 57 /* disabled */
-#define ISC_R_MAXSIZE 58 /* max size */
-#define ISC_R_BADADDRESSFORM 59 /* invalid address format */
-
-/*
- * Not a result code: the number of results.
- */
-#define ISC_R_NRESULTS 60
-
-ISC_LANG_BEGINDECLS
-
-const char *
-isc_result_totext(isc_result_t);
-/*
- * Convert an isc_result_t into a string message describing the result.
- */
-
-isc_result_t
-isc_result_register(unsigned int base, unsigned int nresults,
- const char **text, isc_msgcat_t *msgcat, int set);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RESULT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/resultclass.h b/contrib/bind9/lib/isc/include/isc/resultclass.h
deleted file mode 100644
index adb53383a6df..000000000000
--- a/contrib/bind9/lib/isc/include/isc/resultclass.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resultclass.h,v 1.11.206.1 2004/03/06 08:14:47 marka Exp $ */
-
-#ifndef ISC_RESULTCLASS_H
-#define ISC_RESULTCLASS_H 1
-
-/*****
- ***** Registry of Predefined Result Type Classes
- *****/
-
-/*
- * A result class number is an unsigned 16 bit number. Each class may
- * contain up to 65536 results. A result code is formed by adding the
- * result number within the class to the class number multiplied by 65536.
- */
-
-#define ISC_RESULTCLASS_FROMNUM(num) ((num) << 16)
-#define ISC_RESULTCLASS_TONUM(rclass) ((rclass) >> 16)
-#define ISC_RESULTCLASS_SIZE 65536
-#define ISC_RESULTCLASS_INCLASS(rclass, result) \
- ((rclass) == ((result) & 0xFFFF0000))
-
-/*
- * Classes < 1024 are reserved for ISC use.
- */
-
-#define ISC_RESULTCLASS_ISC ISC_RESULTCLASS_FROMNUM(0)
-#define ISC_RESULTCLASS_DNS ISC_RESULTCLASS_FROMNUM(1)
-#define ISC_RESULTCLASS_DST ISC_RESULTCLASS_FROMNUM(2)
-#define ISC_RESULTCLASS_DNSRCODE ISC_RESULTCLASS_FROMNUM(3)
-#define ISC_RESULTCLASS_OMAPI ISC_RESULTCLASS_FROMNUM(4)
-#define ISC_RESULTCLASS_ISCCC ISC_RESULTCLASS_FROMNUM(5)
-
-/*
- * Result classes >= 1024 and <= 65535 are reserved for application use.
- */
-
-#endif /* ISC_RESULTCLASS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/rwlock.h b/contrib/bind9/lib/isc/include/isc/rwlock.h
deleted file mode 100644
index 44edfcc68b0c..000000000000
--- a/contrib/bind9/lib/isc/include/isc/rwlock.h
+++ /dev/null
@@ -1,95 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rwlock.h,v 1.18.2.3.2.1 2004/03/06 08:14:47 marka Exp $ */
-
-#ifndef ISC_RWLOCK_H
-#define ISC_RWLOCK_H 1
-
-#include <isc/condition.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef enum {
- isc_rwlocktype_none = 0,
- isc_rwlocktype_read,
- isc_rwlocktype_write
-} isc_rwlocktype_t;
-
-#ifdef ISC_PLATFORM_USETHREADS
-struct isc_rwlock {
- /* Unlocked. */
- unsigned int magic;
- isc_mutex_t lock;
- /* Locked by lock. */
- isc_condition_t readable;
- isc_condition_t writeable;
- isc_rwlocktype_t type;
-
- /* The number of threads that have the lock. */
- unsigned int active;
-
- /*
- * The number of lock grants made since the lock was last switched
- * from reading to writing or vice versa; used in determining
- * when the quota is reached and it is time to switch.
- */
- unsigned int granted;
-
- unsigned int readers_waiting;
- unsigned int writers_waiting;
- unsigned int read_quota;
- unsigned int write_quota;
- isc_rwlocktype_t original;
-};
-#else /* ISC_PLATFORM_USETHREADS */
-struct isc_rwlock {
- unsigned int magic;
- isc_rwlocktype_t type;
- unsigned int active;
-};
-#endif /* ISC_PLATFORM_USETHREADS */
-
-
-isc_result_t
-isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
- unsigned int write_quota);
-
-isc_result_t
-isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
-
-isc_result_t
-isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
-
-isc_result_t
-isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
-
-isc_result_t
-isc_rwlock_tryupgrade(isc_rwlock_t *rwl);
-
-void
-isc_rwlock_downgrade(isc_rwlock_t *rwl);
-
-void
-isc_rwlock_destroy(isc_rwlock_t *rwl);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_RWLOCK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/serial.h b/contrib/bind9/lib/isc/include/isc/serial.h
deleted file mode 100644
index cb054a6f7dd7..000000000000
--- a/contrib/bind9/lib/isc/include/isc/serial.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: serial.h,v 1.9.206.1 2004/03/06 08:14:48 marka Exp $ */
-
-#ifndef ISC_SERIAL_H
-#define ISC_SERIAL_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/*
- * Implement 32 bit serial space arithmetic comparision functions.
- *
- * Note: Undefined results are returned as ISC_FALSE.
- */
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_boolean_t
-isc_serial_lt(isc_uint32_t a, isc_uint32_t b);
-/*
- * Return true if 'a' < 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_gt(isc_uint32_t a, isc_uint32_t b);
-/*
- * Return true if 'a' > 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_le(isc_uint32_t a, isc_uint32_t b);
-/*
- * Return true if 'a' <= 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_ge(isc_uint32_t a, isc_uint32_t b);
-/*
- * Return true if 'a' >= 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_eq(isc_uint32_t a, isc_uint32_t b);
-/*
- * Return true if 'a' == 'b' otherwise false.
- */
-
-isc_boolean_t
-isc_serial_ne(isc_uint32_t a, isc_uint32_t b);
-/*
- * Return true if 'a' != 'b' otherwise false.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SERIAL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/sha1.h b/contrib/bind9/lib/isc/include/isc/sha1.h
deleted file mode 100644
index 935578b23b19..000000000000
--- a/contrib/bind9/lib/isc/include/isc/sha1.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef ISC_SHA1_H
-#define ISC_SHA1_H 1
-
-/* $Id: sha1.h,v 1.8.206.1 2004/03/06 08:14:48 marka Exp $ */
-
-/* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */
-
-/*
- * SHA-1 in C
- * By Steve Reid <steve@edmweb.com>
- * 100% Public Domain
- */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#define ISC_SHA1_DIGESTLENGTH 20
-
-typedef struct {
- isc_uint32_t state[5];
- isc_uint32_t count[2];
- unsigned char buffer[64];
-} isc_sha1_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_sha1_init(isc_sha1_t *ctx);
-
-void
-isc_sha1_invalidate(isc_sha1_t *ctx);
-
-void
-isc_sha1_update(isc_sha1_t *ctx, const unsigned char *data, unsigned int len);
-
-void
-isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SHA1_H */
diff --git a/contrib/bind9/lib/isc/include/isc/sockaddr.h b/contrib/bind9/lib/isc/include/isc/sockaddr.h
deleted file mode 100644
index 1ffbca640fc1..000000000000
--- a/contrib/bind9/lib/isc/include/isc/sockaddr.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sockaddr.h,v 1.35.12.8 2005/07/29 00:13:10 marka Exp $ */
-
-#ifndef ISC_SOCKADDR_H
-#define ISC_SOCKADDR_H 1
-
-#include <isc/lang.h>
-#include <isc/net.h>
-#include <isc/types.h>
-
-struct isc_sockaddr {
- union {
- struct sockaddr sa;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- } type;
- unsigned int length; /* XXXRTH beginning? */
- ISC_LINK(struct isc_sockaddr) link;
-};
-
-typedef ISC_LIST(struct isc_sockaddr) isc_sockaddrlist_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_boolean_t
-isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
-/*
- * Return ISC_TRUE iff the socket addresses 'a' and 'b' are equal.
- */
-
-isc_boolean_t
-isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
-/*
- * Return ISC_TRUE iff the address parts of the socket addresses
- * 'a' and 'b' are equal, ignoring the ports.
- */
-
-isc_boolean_t
-isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
- unsigned int prefixlen);
-/*
- * Return ISC_TRUE iff the most significant 'prefixlen' bits of the
- * socket addresses 'a' and 'b' are equal, ignoring the ports.
- */
-
-unsigned int
-isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only);
-/*
- * Return a hash value for the socket address 'sockaddr'. If 'address_only'
- * is ISC_TRUE, the hash value will not depend on the port.
- *
- * IPv6 addresses containing mapped IPv4 addresses generate the same hash
- * value as the equivalent IPv4 address.
- */
-
-void
-isc_sockaddr_any(isc_sockaddr_t *sockaddr);
-/*
- * Return the IPv4 wildcard address.
- */
-
-void
-isc_sockaddr_any6(isc_sockaddr_t *sockaddr);
-/*
- * Return the IPv6 wildcard address.
- */
-
-void
-isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int family);
-/*
- * Set '*sockaddr' to the wildcard address of protocol family
- * 'family'.
- *
- * Requires:
- * 'family' is AF_INET or AF_INET6.
- */
-
-void
-isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
- in_port_t port);
-/*
- * Construct an isc_sockaddr_t from an IPv4 address and port.
- */
-
-void
-isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
- in_port_t port);
-/*
- * Construct an isc_sockaddr_t from an IPv6 address and port.
- */
-
-void
-isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
- in_port_t port);
-/*
- * Construct an IPv6 isc_sockaddr_t representing a mapped IPv4 address.
- */
-
-void
-isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
- in_port_t port);
-/*
- * Construct an isc_sockaddr_t from an isc_netaddr_t and port.
- */
-
-int
-isc_sockaddr_pf(const isc_sockaddr_t *sockaddr);
-/*
- * Get the protocol family of 'sockaddr'.
- *
- * Requires:
- *
- * 'sockaddr' is a valid sockaddr with an address family of AF_INET
- * or AF_INET6.
- *
- * Returns:
- *
- * The protocol family of 'sockaddr', e.g. PF_INET or PF_INET6.
- */
-
-void
-isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
-/*
- * Set the port of 'sockaddr' to 'port'.
- */
-
-in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr);
-/*
- * Get the port stored in 'sockaddr'.
- */
-
-isc_result_t
-isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
-/*
- * Append a text representation of 'sockaddr' to the buffer 'target'.
- * The text will include both the IP address (v4 or v6) and the port.
- * The text is null terminated, but the terminating null is not
- * part of the buffer's used region.
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOSPACE The text or the null termination did not fit.
- */
-
-void
-isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
-/*
- * Format a human-readable representation of the socket address '*sa'
- * into the character array 'array', which is of size 'size'.
- * The resulting string is guaranteed to be null-terminated.
- */
-
-isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sa);
-/*
- * Returns ISC_TRUE if the address is a multicast address.
- */
-
-isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sa);
-/*
- * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
- */
-
-isc_boolean_t
-isc_sockaddr_islinklocal(isc_sockaddr_t *sa);
-/*
- * Returns ISC_TRUE if the address is a link local addresss.
- */
-
-isc_boolean_t
-isc_sockaddr_issitelocal(isc_sockaddr_t *sa);
-/*
- * Returns ISC_TRUE if the address is a sitelocal address.
- */
-
-#define ISC_SOCKADDR_FORMATSIZE \
- sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX#YYYYY%SSSSSSSSSS")
-/*
- * Minimum size of array to pass to isc_sockaddr_format().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SOCKADDR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/socket.h b/contrib/bind9/lib/isc/include/isc/socket.h
deleted file mode 100644
index 9dcadb213caf..000000000000
--- a/contrib/bind9/lib/isc/include/isc/socket.h
+++ /dev/null
@@ -1,704 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: socket.h,v 1.54.12.4 2004/03/08 09:04:53 marka Exp $ */
-
-#ifndef ISC_SOCKET_H
-#define ISC_SOCKET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Sockets
- *
- * Provides TCP and UDP sockets for network I/O. The sockets are event
- * sources in the task system.
- *
- * When I/O completes, a completion event for the socket is posted to the
- * event queue of the task which requested the I/O.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Clients of this module must not be holding a socket's task's lock when
- * making a call that affects that socket. Failure to follow this rule
- * can result in deadlock.
- *
- * The caller must ensure that isc_socketmgr_destroy() is called only
- * once for a given manager.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/time.h>
-#include <isc/region.h>
-#include <isc/sockaddr.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Constants
- ***/
-
-/*
- * Maximum number of buffers in a scatter/gather read/write. The operating
- * system in use must support at least this number (plus one on some.)
- */
-#define ISC_SOCKET_MAXSCATTERGATHER 8
-
-/***
- *** Types
- ***/
-
-struct isc_socketevent {
- ISC_EVENT_COMMON(isc_socketevent_t);
- isc_result_t result; /* OK, EOF, whatever else */
- unsigned int minimum; /* minimum i/o for event */
- unsigned int n; /* bytes read or written */
- unsigned int offset; /* offset into buffer list */
- isc_region_t region; /* for single-buffer i/o */
- isc_bufferlist_t bufferlist; /* list of buffers */
- isc_sockaddr_t address; /* source address */
- isc_time_t timestamp; /* timestamp of packet recv */
- struct in6_pktinfo pktinfo; /* ipv6 pktinfo */
- isc_uint32_t attributes; /* see below */
-};
-
-typedef struct isc_socket_newconnev isc_socket_newconnev_t;
-struct isc_socket_newconnev {
- ISC_EVENT_COMMON(isc_socket_newconnev_t);
- isc_socket_t * newsocket;
- isc_result_t result; /* OK, EOF, whatever else */
- isc_sockaddr_t address; /* source address */
-};
-
-typedef struct isc_socket_connev isc_socket_connev_t;
-struct isc_socket_connev {
- ISC_EVENT_COMMON(isc_socket_connev_t);
- isc_result_t result; /* OK, EOF, whatever else */
-};
-
-/*
- * _ATTACHED: Internal use only.
- * _TRUNC: Packet was truncated on receive.
- * _CTRUNC: Packet control information was truncated. This can
- * indicate that the packet is not complete, even though
- * all the data is valid.
- * _TIMESTAMP: The timestamp member is valid.
- * _PKTINFO: The pktinfo member is valid.
- * _MULTICAST: The UDP packet was received via a multicast transmission.
- */
-#define ISC_SOCKEVENTATTR_ATTACHED 0x80000000U /* internal */
-#define ISC_SOCKEVENTATTR_TRUNC 0x00800000U /* public */
-#define ISC_SOCKEVENTATTR_CTRUNC 0x00400000U /* public */
-#define ISC_SOCKEVENTATTR_TIMESTAMP 0x00200000U /* public */
-#define ISC_SOCKEVENTATTR_PKTINFO 0x00100000U /* public */
-#define ISC_SOCKEVENTATTR_MULTICAST 0x00080000U /* public */
-
-#define ISC_SOCKEVENT_ANYEVENT (0)
-#define ISC_SOCKEVENT_RECVDONE (ISC_EVENTCLASS_SOCKET + 1)
-#define ISC_SOCKEVENT_SENDDONE (ISC_EVENTCLASS_SOCKET + 2)
-#define ISC_SOCKEVENT_NEWCONN (ISC_EVENTCLASS_SOCKET + 3)
-#define ISC_SOCKEVENT_CONNECT (ISC_EVENTCLASS_SOCKET + 4)
-
-/*
- * Internal events.
- */
-#define ISC_SOCKEVENT_INTR (ISC_EVENTCLASS_SOCKET + 256)
-#define ISC_SOCKEVENT_INTW (ISC_EVENTCLASS_SOCKET + 257)
-
-typedef enum {
- isc_sockettype_udp = 1,
- isc_sockettype_tcp = 2
-} isc_sockettype_t;
-
-/*
- * How a socket should be shutdown in isc_socket_shutdown() calls.
- */
-#define ISC_SOCKSHUT_RECV 0x00000001 /* close read side */
-#define ISC_SOCKSHUT_SEND 0x00000002 /* close write side */
-#define ISC_SOCKSHUT_ALL 0x00000003 /* close them all */
-
-/*
- * What I/O events to cancel in isc_socket_cancel() calls.
- */
-#define ISC_SOCKCANCEL_RECV 0x00000001 /* cancel recv */
-#define ISC_SOCKCANCEL_SEND 0x00000002 /* cancel send */
-#define ISC_SOCKCANCEL_ACCEPT 0x00000004 /* cancel accept */
-#define ISC_SOCKCANCEL_CONNECT 0x00000008 /* cancel connect */
-#define ISC_SOCKCANCEL_ALL 0x0000000f /* cancel everything */
-
-/*
- * Flags for isc_socket_send() and isc_socket_recv() calls.
- */
-#define ISC_SOCKFLAG_IMMEDIATE 0x00000001 /* send event only if needed */
-#define ISC_SOCKFLAG_NORETRY 0x00000002 /* drop failed UDP sends */
-
-/***
- *** Socket and Socket Manager Functions
- ***
- *** Note: all Ensures conditions apply only if the result is success for
- *** those functions which return an isc_result.
- ***/
-
-isc_result_t
-isc_socket_create(isc_socketmgr_t *manager,
- int pf,
- isc_sockettype_t type,
- isc_socket_t **socketp);
-/*
- * Create a new 'type' socket managed by 'manager'.
- *
- * Note:
- *
- * 'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
- *
- * Requires:
- *
- * 'manager' is a valid manager
- *
- * 'socketp' is a valid pointer, and *socketp == NULL
- *
- * Ensures:
- *
- * '*socketp' is attached to the newly created socket
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_NORESOURCES
- * ISC_R_UNEXPECTED
- */
-
-void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task,
- unsigned int how);
-/*
- * Cancel pending I/O of the type specified by "how".
- *
- * Note: if "task" is NULL, then the cancel applies to all tasks using the
- * socket.
- *
- * Requires:
- *
- * "socket" is a valid socket
- *
- * "task" is NULL or a valid task
- *
- * "how" is a bitmask describing the type of cancelation to perform.
- * The type ISC_SOCKCANCEL_ALL will cancel all pending I/O on this
- * socket.
- *
- * ISC_SOCKCANCEL_RECV:
- * Cancel pending isc_socket_recv() calls.
- *
- * ISC_SOCKCANCEL_SEND:
- * Cancel pending isc_socket_send() and isc_socket_sendto() calls.
- *
- * ISC_SOCKCANCEL_ACCEPT:
- * Cancel pending isc_socket_accept() calls.
- *
- * ISC_SOCKCANCEL_CONNECT:
- * Cancel pending isc_socket_connect() call.
- */
-
-void
-isc_socket_shutdown(isc_socket_t *sock, unsigned int how);
-/*
- * Shutdown 'socket' according to 'how'.
- *
- * Requires:
- *
- * 'socket' is a valid socket.
- *
- * 'task' is NULL or is a valid task.
- *
- * If 'how' is 'ISC_SOCKSHUT_RECV' or 'ISC_SOCKSHUT_ALL' then
- *
- * The read queue must be empty.
- *
- * No further read requests may be made.
- *
- * If 'how' is 'ISC_SOCKSHUT_SEND' or 'ISC_SOCKSHUT_ALL' then
- *
- * The write queue must be empty.
- *
- * No further write requests may be made.
- */
-
-void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
-/*
- * Attach *socketp to socket.
- *
- * Requires:
- *
- * 'socket' is a valid socket.
- *
- * 'socketp' points to a NULL socket.
- *
- * Ensures:
- *
- * *socketp is attached to socket.
- */
-
-void
-isc_socket_detach(isc_socket_t **socketp);
-/*
- * Detach *socketp from its socket.
- *
- * Requires:
- *
- * 'socketp' points to a valid socket.
- *
- * If '*socketp' is the last reference to the socket,
- * then:
- *
- * There must be no pending I/O requests.
- *
- * Ensures:
- *
- * *socketp is NULL.
- *
- * If '*socketp' is the last reference to the socket,
- * then:
- *
- * The socket will be shutdown (both reading and writing)
- * for all tasks.
- *
- * All resources used by the socket have been freed
- */
-
-isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*
- * Bind 'socket' to '*addressp'.
- *
- * Requires:
- *
- * 'socket' is a valid socket
- *
- * 'addressp' points to a valid isc_sockaddr.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOPERM
- * ISC_R_ADDRNOTAVAIL
- * ISC_R_ADDRINUSE
- * ISC_R_BOUND
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_filter(isc_socket_t *sock, const char *filter);
-/*
- * Inform the kernel that it should perform accept filtering.
- * If filter is NULL the current filter will be removed.:w
- */
-
-isc_result_t
-isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
-/*
- * Set listen mode on the socket. After this call, the only function that
- * can be used (other than attach and detach) is isc_socket_accept().
- *
- * Notes:
- *
- * 'backlog' is as in the UNIX system call listen() and may be
- * ignored by non-UNIX implementations.
- *
- * If 'backlog' is zero, a reasonable system default is used, usually
- * SOMAXCONN.
- *
- * Requires:
- *
- * 'socket' is a valid, bound TCP socket.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_accept(isc_socket_t *sock,
- isc_task_t *task, isc_taskaction_t action, const void *arg);
-/*
- * Queue accept event. When a new connection is received, the task will
- * get an ISC_SOCKEVENT_NEWCONN event with the sender set to the listen
- * socket. The new socket structure is sent inside the isc_socket_newconnev_t
- * event type, and is attached to the task 'task'.
- *
- * REQUIRES:
- * 'socket' is a valid TCP socket that isc_socket_listen() was called
- * on.
- *
- * 'task' is a valid task
- *
- * 'action' is a valid action
- *
- * RETURNS:
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addressp,
- isc_task_t *task, isc_taskaction_t action,
- const void *arg);
-/*
- * Connect 'socket' to peer with address *saddr. When the connection
- * succeeds, or when an error occurs, a CONNECT event with action 'action'
- * and arg 'arg' will be posted to the event queue for 'task'.
- *
- * Requires:
- *
- * 'socket' is a valid TCP socket
- *
- * 'addressp' points to a valid isc_sockaddr
- *
- * 'task' is a valid task
- *
- * 'action' is a valid action
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- *
- * Posted event's result code:
- *
- * ISC_R_SUCCESS
- * ISC_R_TIMEDOUT
- * ISC_R_CONNREFUSED
- * ISC_R_NETUNREACH
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*
- * Get the name of the peer connected to 'socket'.
- *
- * Requires:
- *
- * 'socket' is a valid TCP socket.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_TOOSMALL
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
-/*
- * Get the name of 'socket'.
- *
- * Requires:
- *
- * 'socket' is a valid socket.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_TOOSMALL
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_socket_recv(isc_socket_t *sock, isc_region_t *region,
- unsigned int minimum,
- isc_task_t *task, isc_taskaction_t action, const void *arg);
-isc_result_t
-isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
- unsigned int minimum,
- isc_task_t *task, isc_taskaction_t action, const void *arg);
-
-isc_result_t
-isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
- unsigned int minimum, isc_task_t *task,
- isc_socketevent_t *event, unsigned int flags);
-
-/*
- * Receive from 'socket', storing the results in region.
- *
- * Notes:
- *
- * Let 'length' refer to the length of 'region' or to the sum of all
- * available regions in the list of buffers '*buflist'.
- *
- * If 'minimum' is non-zero and at least that many bytes are read,
- * the completion event will be posted to the task 'task.' If minimum
- * is zero, the exact number of bytes requested in the region must
- * be read for an event to be posted. This only makes sense for TCP
- * connections, and is always set to 1 byte for UDP.
- *
- * The read will complete when the desired number of bytes have been
- * read, if end-of-input occurs, or if an error occurs. A read done
- * event with the given 'action' and 'arg' will be posted to the
- * event queue of 'task'.
- *
- * The caller may not modify 'region', the buffers which are passed
- * into this function, or any data they refer to until the completion
- * event is received.
- *
- * For isc_socket_recvv():
- * On successful completion, '*buflist' will be empty, and the list of
- * all buffers will be returned in the done event's 'bufferlist'
- * member. On error return, '*buflist' will be unchanged.
- *
- * For isc_socket_recv2():
- * 'event' is not NULL, and the non-socket specific fields are
- * expected to be initialized.
- *
- * For isc_socket_recv2():
- * The only defined value for 'flags' is ISC_SOCKFLAG_IMMEDIATE. If
- * set and the operation completes, the return value will be
- * ISC_R_SUCCESS and the event will be filled in and not sent. If the
- * operation does not complete, the return value will be
- * ISC_R_INPROGRESS and the event will be sent when the operation
- * completes.
- *
- * Requires:
- *
- * 'socket' is a valid, bound socket.
- *
- * For isc_socket_recv():
- * 'region' is a valid region
- *
- * For isc_socket_recvv():
- * 'buflist' is non-NULL, and '*buflist' contain at least one buffer.
- *
- * 'task' is a valid task
- *
- * For isc_socket_recv() and isc_socket_recvv():
- * action != NULL and is a valid action
- *
- * For isc_socket_recv2():
- * event != NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_INPROGRESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- *
- * Event results:
- *
- * ISC_R_SUCCESS
- * ISC_R_UNEXPECTED
- * XXX needs other net-type errors
- */
-
-isc_result_t
-isc_socket_send(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task, isc_taskaction_t action, const void *arg);
-isc_result_t
-isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
-isc_result_t
-isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
- isc_task_t *task, isc_taskaction_t action, const void *arg);
-isc_result_t
-isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
-isc_result_t
-isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
- isc_socketevent_t *event, unsigned int flags);
-
-/*
- * Send the contents of 'region' to the socket's peer.
- *
- * Notes:
- *
- * Shutting down the requestor's task *may* result in any
- * still pending writes being dropped or completed, depending on the
- * underlying OS implementation.
- *
- * If 'action' is NULL, then no completion event will be posted.
- *
- * The caller may not modify 'region', the buffers which are passed
- * into this function, or any data they refer to until the completion
- * event is received.
- *
- * For isc_socket_sendv() and isc_socket_sendtov():
- * On successful completion, '*buflist' will be empty, and the list of
- * all buffers will be returned in the done event's 'bufferlist'
- * member. On error return, '*buflist' will be unchanged.
- *
- * For isc_socket_sendto2():
- * 'event' is not NULL, and the non-socket specific fields are
- * expected to be initialized.
- *
- * For isc_socket_sendto2():
- * The only defined values for 'flags' are ISC_SOCKFLAG_IMMEDIATE
- * and ISC_SOCKFLAG_NORETRY.
- *
- * If ISC_SOCKFLAG_IMMEDIATE is set and the operation completes, the
- * return value will be ISC_R_SUCCESS and the event will be filled
- * in and not sent. If the operation does not complete, the return
- * value will be ISC_R_INPROGRESS and the event will be sent when
- * the operation completes.
- *
- * ISC_SOCKFLAG_NORETRY can only be set for UDP sockets. If set
- * and the send operation fails due to a transient error, the send
- * will not be retried and the error will be indicated in the event.
- * Using this option along with ISC_SOCKFLAG_IMMEDIATE allows the caller
- * to specify a region that is allocated on the stack.
- *
- * Requires:
- *
- * 'socket' is a valid, bound socket.
- *
- * For isc_socket_send():
- * 'region' is a valid region
- *
- * For isc_socket_sendv() and isc_socket_sendtov():
- * 'buflist' is non-NULL, and '*buflist' contain at least one buffer.
- *
- * 'task' is a valid task
- *
- * For isc_socket_sendv(), isc_socket_sendtov(), isc_socket_send(), and
- * isc_socket_sendto():
- * action == NULL or is a valid action
- *
- * For isc_socket_sendto2():
- * event != NULL
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_INPROGRESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- *
- * Event results:
- *
- * ISC_R_SUCCESS
- * ISC_R_UNEXPECTED
- * XXX needs other net-type errors
- */
-
-isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
-/*
- * Create a socket manager.
- *
- * Notes:
- *
- * All memory will be allocated in memory context 'mctx'.
- *
- * Requires:
- *
- * 'mctx' is a valid memory context.
- *
- * 'managerp' points to a NULL isc_socketmgr_t.
- *
- * Ensures:
- *
- * '*managerp' is a valid isc_socketmgr_t.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- */
-
-void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp);
-/*
- * Destroy a socket manager.
- *
- * Notes:
- *
- * This routine blocks until there are no sockets left in the manager,
- * so if the caller holds any socket references using the manager, it
- * must detach them before calling isc_socketmgr_destroy() or it will
- * block forever.
- *
- * Requires:
- *
- * '*managerp' is a valid isc_socketmgr_t.
- *
- * All sockets managed by this manager are fully detached.
- *
- * Ensures:
- *
- * *managerp == NULL
- *
- * All resources used by the manager have been freed.
- */
-
-isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock);
-/*
- * Returns the socket type for "sock."
- *
- * Requires:
- *
- * "sock" is a valid socket.
- */
-
-isc_boolean_t
-isc_socket_isbound(isc_socket_t *sock);
-
-void
-isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
-/*
- * If the socket is an IPv6 socket set/clear the IPV6_IPV6ONLY socket
- * option if the host OS supports this option.
- *
- * Requires:
- * 'sock' is a valid socket.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SOCKET_H */
diff --git a/contrib/bind9/lib/isc/include/isc/stdio.h b/contrib/bind9/lib/isc/include/isc/stdio.h
deleted file mode 100644
index 7dad28483e30..000000000000
--- a/contrib/bind9/lib/isc/include/isc/stdio.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdio.h,v 1.6.206.1 2004/03/06 08:14:48 marka Exp $ */
-
-#ifndef ISC_STDIO_H
-#define ISC_STDIO_H 1
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_stdio_open(const char *filename, const char *mode, FILE **fp);
-
-isc_result_t
-isc_stdio_close(FILE *f);
-
-isc_result_t
-isc_stdio_seek(FILE *f, long offset, int whence);
-
-isc_result_t
-isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f,
- size_t *nret);
-
-isc_result_t
-isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
- size_t *nret);
-
-isc_result_t
-isc_stdio_flush(FILE *f);
-/*
- * These functions are wrappers around the corresponding stdio functions,
- * returning a detailed error code in the form of an an isc_result_t. ANSI C
- * does not guarantee that stdio functions set errno, hence these functions
- * must use platform dependent methods (e.g., the POSIX errno) to construct the
- * error code.
- */
-
-isc_result_t
-isc_stdio_sync(FILE *f);
-/*
- * Invoke fsync() on the file descriptor underlying an stdio stream, or an
- * equivalent system-dependent operation. Note that this function has no
- * direct counterpart in the stdio library.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STDIO_H */
diff --git a/contrib/bind9/lib/isc/include/isc/stdlib.h b/contrib/bind9/lib/isc/include/isc/stdlib.h
deleted file mode 100644
index 7b75584a3cde..000000000000
--- a/contrib/bind9/lib/isc/include/isc/stdlib.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdlib.h,v 1.1.32.2 2004/03/06 08:14:48 marka Exp $ */
-
-#ifndef ISC_STDLIB_H
-#define ISC_STDLIB_H 1
-
-#include <stdlib.h>
-
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-#ifdef ISC_PLATFORM_NEEDSTRTOUL
-#define strtoul isc_strtoul
-#endif
-
-ISC_LANG_BEGINDECLS
-
-unsigned long isc_strtoul(const char *, char **, int);
-
-ISC_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/lib/isc/include/isc/string.h b/contrib/bind9/lib/isc/include/isc/string.h
deleted file mode 100644
index 4fbfe1909cb9..000000000000
--- a/contrib/bind9/lib/isc/include/isc/string.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: string.h,v 1.9.164.3 2004/03/06 08:14:49 marka Exp $ */
-
-#ifndef ISC_STRING_H
-#define ISC_STRING_H 1
-
-#include <string.h>
-
-#include <isc/int.h>
-#include <isc/lang.h>
-#include <isc/platform.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_uint64_t
-isc_string_touint64(char *source, char **endp, int base);
-/*
- * Convert the string pointed to by 'source' to isc_uint64_t.
- *
- * On successful conversion 'endp' points to the first character
- * after conversion is complete.
- *
- * 'base': 0 or 2..36
- *
- * If base is 0 the base is computed from the string type.
- *
- * On error 'endp' points to 'source'.
- */
-
-
-char *
-isc_string_separate(char **stringp, const char *delim);
-
-#ifdef ISC_PLATFORM_NEEDSTRSEP
-#define strsep isc_string_separate
-#endif
-
-#ifdef ISC_PLATFORM_NEEDMEMMOVE
-#define memmove(a,b,c) bcopy(b,a,c)
-#endif
-
-size_t
-isc_string_strlcpy(char *dst, const char *src, size_t size);
-
-
-#ifdef ISC_PLATFORM_NEEDSTRLCPY
-#define strlcpy isc_string_strlcpy
-#endif
-
-
-size_t
-isc_string_strlcat(char *dst, const char *src, size_t size);
-
-#ifdef ISC_PLATFORM_NEEDSTRLCAT
-#define strlcat isc_string_strlcat
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STRING_H */
diff --git a/contrib/bind9/lib/isc/include/isc/symtab.h b/contrib/bind9/lib/isc/include/isc/symtab.h
deleted file mode 100644
index d8dbd2107ec5..000000000000
--- a/contrib/bind9/lib/isc/include/isc/symtab.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtab.h,v 1.16.206.1 2004/03/06 08:14:49 marka Exp $ */
-
-#ifndef ISC_SYMTAB_H
-#define ISC_SYMTAB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Symbol Table
- *
- * Provides a simple memory-based symbol table.
- *
- * Keys are C strings, and key comparisons are case-insenstive. A type may
- * be specified when looking up, defining, or undefining. A type value of
- * 0 means "match any type"; any other value will only match the given
- * type.
- *
- * It's possible that a client will attempt to define a <key, type, value>
- * tuple when a tuple with the given key and type already exists in the table.
- * What to do in this case is specified by the client. Possible policies are:
- *
- * isc_symexists_reject Disallow the define, returning ISC_R_EXISTS
- * isc_symexists_replace Replace the old value with the new. The
- * undefine action (if provided) will be called
- * with the old <key, type, value> tuple.
- * isc_symexists_add Add the new tuple, leaving the old tuple in
- * the table. Subsequent lookups will retrieve
- * the most-recently-defined tuple.
- *
- * A lookup of a key using type 0 will return the most-recently defined
- * symbol with that key. An undefine of a key using type 0 will undefine the
- * most-recently defined symbol with that key. Trying to define a key with
- * type 0 is illegal.
- *
- * The symbol table library does not make a copy the key field, so the
- * caller must ensure that any key it passes to isc_symtab_define() will not
- * change until it calls isc_symtab_undefine() or isc_symtab_destroy().
- *
- * A user-specified action will be called (if provided) when a symbol is
- * undefined. It can be used to free memory associated with keys and/or
- * values.
- *
- * MP:
- * The callers of this module must ensure any required synchronization.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/***
- *** Symbol Tables.
- ***/
-
-typedef union isc_symvalue {
- void * as_pointer;
- int as_integer;
- unsigned int as_uinteger;
-} isc_symvalue_t;
-
-typedef void (*isc_symtabaction_t)(char *key, unsigned int type,
- isc_symvalue_t value, void *userarg);
-
-typedef enum {
- isc_symexists_reject = 0,
- isc_symexists_replace = 1,
- isc_symexists_add = 2
-} isc_symexists_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_symtab_create(isc_mem_t *mctx, unsigned int size,
- isc_symtabaction_t undefine_action, void *undefine_arg,
- isc_boolean_t case_sensitive, isc_symtab_t **symtabp);
-
-void
-isc_symtab_destroy(isc_symtab_t **symtabp);
-
-isc_result_t
-isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
- isc_symvalue_t *value);
-
-isc_result_t
-isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
- isc_symvalue_t value, isc_symexists_t exists_policy);
-
-isc_result_t
-isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SYMTAB_H */
diff --git a/contrib/bind9/lib/isc/include/isc/task.h b/contrib/bind9/lib/isc/include/isc/task.h
deleted file mode 100644
index 0e8190a32eb6..000000000000
--- a/contrib/bind9/lib/isc/include/isc/task.h
+++ /dev/null
@@ -1,615 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: task.h,v 1.49.206.3 2004/03/09 05:21:09 marka Exp $ */
-
-#ifndef ISC_TASK_H
-#define ISC_TASK_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Task System
- *
- * The task system provides a lightweight execution context, which is
- * basically an event queue. When a task's event queue is non-empty, the
- * task is runnable. A small work crew of threads, typically one per CPU,
- * execute runnable tasks by dispatching the events on the tasks' event
- * queues. Context switching between tasks is fast.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * The caller must ensure that isc_taskmgr_destroy() is called only
- * once for a given manager.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-
-/***
- *** Imports.
- ***/
-
-#include <isc/eventclass.h>
-#include <isc/lang.h>
-#include <isc/stdtime.h>
-#include <isc/types.h>
-
-#define ISC_TASKEVENT_FIRSTEVENT (ISC_EVENTCLASS_TASK + 0)
-#define ISC_TASKEVENT_SHUTDOWN (ISC_EVENTCLASS_TASK + 1)
-#define ISC_TASKEVENT_LASTEVENT (ISC_EVENTCLASS_TASK + 65535)
-
-/*****
- ***** Tasks.
- *****/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
- isc_task_t **taskp);
-/*
- * Create a task.
- *
- * Notes:
- *
- * If 'quantum' is non-zero, then only that many events can be dispatched
- * before the task must yield to other tasks waiting to execute. If
- * quantum is zero, then the default quantum of the task manager will
- * be used.
- *
- * The 'quantum' option may be removed from isc_task_create() in the
- * future. If this happens, isc_task_getquantum() and
- * isc_task_setquantum() will be provided.
- *
- * Requires:
- *
- * 'manager' is a valid task manager.
- *
- * taskp != NULL && *taskp == NULL
- *
- * Ensures:
- *
- * On success, '*taskp' is bound to the new task.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- * ISC_R_SHUTTINGDOWN
- */
-
-void
-isc_task_attach(isc_task_t *source, isc_task_t **targetp);
-/*
- * Attach *targetp to source.
- *
- * Requires:
- *
- * 'source' is a valid task.
- *
- * 'targetp' points to a NULL isc_task_t *.
- *
- * Ensures:
- *
- * *targetp is attached to source.
- */
-
-void
-isc_task_detach(isc_task_t **taskp);
-/*
- * Detach *taskp from its task.
- *
- * Requires:
- *
- * '*taskp' is a valid task.
- *
- * Ensures:
- *
- * *taskp is NULL.
- *
- * If '*taskp' is the last reference to the task, the task is idle (has
- * an empty event queue), and has not been shutdown, the task will be
- * shutdown.
- *
- * If '*taskp' is the last reference to the task and
- * the task has been shutdown,
- *
- * All resources used by the task will be freed.
- */
-
-void
-isc_task_send(isc_task_t *task, isc_event_t **eventp);
-/*
- * Send '*event' to 'task'.
- *
- * Requires:
- *
- * 'task' is a valid task.
- * eventp != NULL && *eventp != NULL.
- *
- * Ensures:
- *
- * *eventp == NULL.
- */
-
-void
-isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
-/*
- * Send '*event' to '*taskp' and then detach '*taskp' from its
- * task.
- *
- * Requires:
- *
- * '*taskp' is a valid task.
- * eventp != NULL && *eventp != NULL.
- *
- * Ensures:
- *
- * *eventp == NULL.
- *
- * *taskp == NULL.
- *
- * If '*taskp' is the last reference to the task, the task is
- * idle (has an empty event queue), and has not been shutdown,
- * the task will be shutdown.
- *
- * If '*taskp' is the last reference to the task and
- * the task has been shutdown,
- *
- * All resources used by the task will be freed.
- */
-
-/*
- * Purging and Unsending
- *
- * Events which have been queued for a task but not delivered may be removed
- * from the task's event queue by purging or unsending.
- *
- * With both types, the caller specifies a matching pattern that selects
- * events based upon their sender, type, and tag.
- *
- * Purging calls isc_event_free() on the matching events.
- *
- * Unsending returns a list of events that matched the pattern.
- * The caller is then responsible for them.
- *
- * Consumers of events should purge, not unsend.
- *
- * Producers of events often want to remove events when the caller indicates
- * it is no longer interested in the object, e.g. by cancelling a timer.
- * Sometimes this can be done by purging, but for some event types, the
- * calls to isc_event_free() cause deadlock because the event free routine
- * wants to acquire a lock the caller is already holding. Unsending instead
- * of purging solves this problem. As a general rule, producers should only
- * unsend events which they have sent.
- */
-
-unsigned int
-isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
- isc_eventtype_t last, void *tag);
-/*
- * Purge events from a task's event queue.
- *
- * Requires:
- *
- * 'task' is a valid task.
- *
- * last >= first
- *
- * Ensures:
- *
- * Events in the event queue of 'task' whose sender is 'sender', whose
- * type is >= first and <= last, and whose tag is 'tag' will be purged,
- * unless they are marked as unpurgable.
- *
- * A sender of NULL will match any sender. A NULL tag matches any
- * tag.
- *
- * Returns:
- *
- * The number of events purged.
- */
-
-unsigned int
-isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
- void *tag);
-/*
- * Purge events from a task's event queue.
- *
- * Notes:
- *
- * This function is equivalent to
- *
- * isc_task_purgerange(task, sender, type, type, tag);
- *
- * Requires:
- *
- * 'task' is a valid task.
- *
- * Ensures:
- *
- * Events in the event queue of 'task' whose sender is 'sender', whose
- * type is 'type', and whose tag is 'tag' will be purged, unless they
- * are marked as unpurgable.
- *
- * A sender of NULL will match any sender. A NULL tag matches any
- * tag.
- *
- * Returns:
- *
- * The number of events purged.
- */
-
-isc_boolean_t
-isc_task_purgeevent(isc_task_t *task, isc_event_t *event);
-/*
- * Purge 'event' from a task's event queue.
- *
- * XXXRTH: WARNING: This method may be removed before beta.
- *
- * Notes:
- *
- * If 'event' is on the task's event queue, it will be purged,
- * unless it is marked as unpurgeable. 'event' does not have to be
- * on the task's event queue; in fact, it can even be an invalid
- * pointer. Purging only occurs if the event is actually on the task's
- * event queue.
- *
- * Purging never changes the state of the task.
- *
- * Requires:
- *
- * 'task' is a valid task.
- *
- * Ensures:
- *
- * 'event' is not in the event queue for 'task'.
- *
- * Returns:
- *
- * ISC_TRUE The event was purged.
- * ISC_FALSE The event was not in the event queue,
- * or was marked unpurgeable.
- */
-
-unsigned int
-isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
- isc_eventtype_t last, void *tag, isc_eventlist_t *events);
-/*
- * Remove events from a task's event queue.
- *
- * Requires:
- *
- * 'task' is a valid task.
- *
- * last >= first.
- *
- * *events is a valid list.
- *
- * Ensures:
- *
- * Events in the event queue of 'task' whose sender is 'sender', whose
- * type is >= first and <= last, and whose tag is 'tag' will be dequeued
- * and appended to *events.
- *
- * A sender of NULL will match any sender. A NULL tag matches any
- * tag.
- *
- * Returns:
- *
- * The number of events unsent.
- */
-
-unsigned int
-isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
- void *tag, isc_eventlist_t *events);
-/*
- * Remove events from a task's event queue.
- *
- * Notes:
- *
- * This function is equivalent to
- *
- * isc_task_unsendrange(task, sender, type, type, tag, events);
- *
- * Requires:
- *
- * 'task' is a valid task.
- *
- * *events is a valid list.
- *
- * Ensures:
- *
- * Events in the event queue of 'task' whose sender is 'sender', whose
- * type is 'type', and whose tag is 'tag' will be dequeued and appended
- * to *events.
- *
- * Returns:
- *
- * The number of events unsent.
- */
-
-isc_result_t
-isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action,
- const void *arg);
-/*
- * Send a shutdown event with action 'action' and argument 'arg' when
- * 'task' is shutdown.
- *
- * Notes:
- *
- * Shutdown events are posted in LIFO order.
- *
- * Requires:
- *
- * 'task' is a valid task.
- *
- * 'action' is a valid task action.
- *
- * Ensures:
- *
- * When the task is shutdown, shutdown events requested with
- * isc_task_onshutdown() will be appended to the task's event queue.
- *
-
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_TASKSHUTTINGDOWN Task is shutting down.
- */
-
-void
-isc_task_shutdown(isc_task_t *task);
-/*
- * Shutdown 'task'.
- *
- * Notes:
- *
- * Shutting down a task causes any shutdown events requested with
- * isc_task_onshutdown() to be posted (in LIFO order). The task
- * moves into a "shutting down" mode which prevents further calls
- * to isc_task_onshutdown().
- *
- * Trying to shutdown a task that has already been shutdown has no
- * effect.
- *
- * Requires:
- *
- * 'task' is a valid task.
- *
- * Ensures:
- *
- * Any shutdown events requested with isc_task_onshutdown() have been
- * posted (in LIFO order).
- */
-
-void
-isc_task_destroy(isc_task_t **taskp);
-/*
- * Destroy '*taskp'.
- *
- * Notes:
- *
- * This call is equivalent to:
- *
- * isc_task_shutdown(*taskp);
- * isc_task_detach(taskp);
- *
- * Requires:
- *
- * '*taskp' is a valid task.
- *
- * Ensures:
- *
- * Any shutdown events requested with isc_task_onshutdown() have been
- * posted (in LIFO order).
- *
- * *taskp == NULL
- *
- * If '*taskp' is the last reference to the task,
- *
- * All resources used by the task will be freed.
- */
-
-void
-isc_task_setname(isc_task_t *task, const char *name, void *tag);
-/*
- * Name 'task'.
- *
- * Notes:
- *
- * Only the first 15 characters of 'name' will be copied.
- *
- * Naming a task is currently only useful for debugging purposes.
- *
- * Requires:
- *
- * 'task' is a valid task.
- */
-
-const char *
-isc_task_getname(isc_task_t *task);
-/*
- * Get the name of 'task', as previously set using isc_task_setname().
- *
- * Notes:
- * This function is for debugging purposes only.
- *
- * Requires:
- * 'task' is a valid task.
- *
- * Returns:
- * A non-NULL pointer to a null-terminated string.
- * If the task has not been named, the string is
- * empty.
- *
- */
-
-void *
-isc_task_gettag(isc_task_t *task);
-/*
- * Get the tag value for 'task', as previously set using isc_task_settag().
- *
- * Notes:
- * This function is for debugging purposes only.
- *
- * Requires:
- * 'task' is a valid task.
- */
-
-isc_result_t
-isc_task_beginexclusive(isc_task_t *task);
-/*
- * Request exclusive access for 'task', which must be the calling
- * task. Waits for any other concurrently executing tasks to finish their
- * current event, and prevents any new events from executing in any of the
- * tasks sharing a task manager with 'task'.
- *
- * The exclusive access must be relinquished by calling
- * isc_task_endexclusive() before returning from the current event handler.
- *
- * Requires:
- * 'task' is the calling task.
- *
- * Returns:
- * ISC_R_SUCCESS The current task now has exclusive access.
- * ISC_R_LOCKBUSY Another task has already requested exclusive
- * access.
- */
-
-void
-isc_task_endexclusive(isc_task_t *task);
-/*
- * Relinquish the exclusive access obtained by isc_task_beginexclusive(),
- * allowing other tasks to execute.
- *
- * Requires:
- * 'task' is the calling task, and has obtained
- * exclusive access by calling isc_task_spl().
- */
-
-void
-isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
-/*
- * Provide the most recent timestamp on the task. The timestamp is considered
- * as the "current time" in the second-order granularity.
- *
- * Requires:
- * 'task' is a valid task.
- * 't' is a valid non NULL pointer.
- *
- * Ensures:
- * '*t' has the "current time".
- */
-
-/*****
- ***** Task Manager.
- *****/
-
-isc_result_t
-isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
- unsigned int default_quantum, isc_taskmgr_t **managerp);
-/*
- * Create a new task manager.
- *
- * Notes:
- *
- * 'workers' in the number of worker threads to create. In general,
- * the value should be close to the number of processors in the system.
- * The 'workers' value is advisory only. An attempt will be made to
- * create 'workers' threads, but if at least one thread creation
- * succeeds, isc_taskmgr_create() may return ISC_R_SUCCESS.
- *
- * If 'default_quantum' is non-zero, then it will be used as the default
- * quantum value when tasks are created. If zero, then an implementation
- * defined default quantum will be used.
- *
- * Requires:
- *
- * 'mctx' is a valid memory context.
- *
- * workers > 0
- *
- * managerp != NULL && *managerp == NULL
- *
- * Ensures:
- *
- * On success, '*managerp' will be attached to the newly created task
- * manager.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_NOTHREADS No threads could be created.
- * ISC_R_UNEXPECTED An unexpected error occurred.
- */
-
-void
-isc_taskmgr_destroy(isc_taskmgr_t **managerp);
-/*
- * Destroy '*managerp'.
- *
- * Notes:
- *
- * Calling isc_taskmgr_destroy() will shutdown all tasks managed by
- * *managerp that haven't already been shutdown. The call will block
- * until all tasks have entered the done state.
- *
- * isc_taskmgr_destroy() must not be called by a task event action,
- * because it would block forever waiting for the event action to
- * complete. An event action that wants to cause task manager shutdown
- * should request some non-event action thread of execution to do the
- * shutdown, e.g. by signalling a condition variable or using
- * isc_app_shutdown().
- *
- * Task manager references are not reference counted, so the caller
- * must ensure that no attempt will be made to use the manager after
- * isc_taskmgr_destroy() returns.
- *
- * Requires:
- *
- * '*managerp' is a valid task manager.
- *
- * isc_taskmgr_destroy() has not be called previously on '*managerp'.
- *
- * Ensures:
- *
- * All resources used by the task manager, and any tasks it managed,
- * have been freed.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TASK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/taskpool.h b/contrib/bind9/lib/isc/include/isc/taskpool.h
deleted file mode 100644
index 42066d21b9f3..000000000000
--- a/contrib/bind9/lib/isc/include/isc/taskpool.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: taskpool.h,v 1.8.206.1 2004/03/06 08:14:49 marka Exp $ */
-
-#ifndef ISC_TASKPOOL_H
-#define ISC_TASKPOOL_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Task Pool
- *
- * A task pool is a mechanism for sharing a small number of tasks
- * among a large number of objects such that each object is
- * assigned a unique task, but each task may be shared by several
- * objects.
- *
- * Task pools are used to let objects that can exist in large
- * numbers (e.g., zones) use tasks for synchronization without
- * the memory overhead and unfair scheduling competition that
- * could result from creating a separate task for each object.
- */
-
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isc/task.h>
-
-ISC_LANG_BEGINDECLS
-
-/*****
- ***** Types.
- *****/
-
-typedef struct isc_taskpool isc_taskpool_t;
-
-/*****
- ***** Functions.
- *****/
-
-isc_result_t
-isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
- unsigned int ntasks, unsigned int quantum,
- isc_taskpool_t **poolp);
-/*
- * Create a task pool of "ntasks" tasks, each with quantum
- * "quantum".
- *
- * Requires:
- *
- * 'tmgr' is a valid task manager.
- *
- * 'mctx' is a valid memory context.
- *
- * poolp != NULL && *poolp == NULL
- *
- * Ensures:
- *
- * On success, '*taskp' points to the new task pool.
- *
- * Returns:
- *
- * ISC_R_SUCCESS
- * ISC_R_NOMEMORY
- * ISC_R_UNEXPECTED
- */
-
-void
-isc_taskpool_gettask(isc_taskpool_t *pool, unsigned int hash,
- isc_task_t **targetp);
-/*
- * Attach to the task corresponding to the hash value "hash".
- */
-
-void
-isc_taskpool_destroy(isc_taskpool_t **poolp);
-/*
- * Destroy a task pool. The tasks in the pool are detached but not
- * shut down.
- *
- * Requires:
- * '*poolp' is a valid task pool.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TASKPOOL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/timer.h b/contrib/bind9/lib/isc/include/isc/timer.h
deleted file mode 100644
index 439c943dad53..000000000000
--- a/contrib/bind9/lib/isc/include/isc/timer.h
+++ /dev/null
@@ -1,343 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer.h,v 1.28.12.6 2005/10/27 00:27:30 marka Exp $ */
-
-#ifndef ISC_TIMER_H
-#define ISC_TIMER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Timers
- *
- * Provides timers which are event sources in the task system.
- *
- * Three types of timers are supported:
- *
- * 'ticker' timers generate a periodic tick event.
- *
- * 'once' timers generate an idle timeout event if they are idle for too
- * long, and generate a life timeout event if their lifetime expires.
- * They are used to implement both (possibly expiring) idle timers and
- * 'one-shot' timers.
- *
- * 'limited' timers generate a periodic tick event until they reach
- * their lifetime when they generate a life timeout event.
- *
- * 'inactive' timers generate no events.
- *
- * Timers can change type. It is typical to create a timer as
- * an 'inactive' timer and then change it into a 'ticker' or
- * 'once' timer.
- *
- * MP:
- * The module ensures appropriate synchronization of data structures it
- * creates and manipulates.
- *
- * Clients of this module must not be holding a timer's task's lock when
- * making a call that affects that timer. Failure to follow this rule
- * can result in deadlock.
- *
- * The caller must ensure that isc_timermgr_destroy() is called only
- * once for a given manager.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * <TBS>
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-
-/***
- *** Imports
- ***/
-
-#include <isc/types.h>
-#include <isc/event.h>
-#include <isc/eventclass.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Types
- ***/
-
-typedef enum {
- isc_timertype_ticker = 0,
- isc_timertype_once = 1,
- isc_timertype_limited = 2,
- isc_timertype_inactive = 3
-} isc_timertype_t;
-
-typedef struct isc_timerevent {
- struct isc_event common;
-} isc_timerevent_t;
-
-#define ISC_TIMEREVENT_FIRSTEVENT (ISC_EVENTCLASS_TIMER + 0)
-#define ISC_TIMEREVENT_TICK (ISC_EVENTCLASS_TIMER + 1)
-#define ISC_TIMEREVENT_IDLE (ISC_EVENTCLASS_TIMER + 2)
-#define ISC_TIMEREVENT_LIFE (ISC_EVENTCLASS_TIMER + 3)
-#define ISC_TIMEREVENT_LASTEVENT (ISC_EVENTCLASS_TIMER + 65535)
-
-/***
- *** Timer and Timer Manager Functions
- ***
- *** Note: all Ensures conditions apply only if the result is success for
- *** those functions which return an isc_result_t.
- ***/
-
-isc_result_t
-isc_timer_create(isc_timermgr_t *manager,
- isc_timertype_t type,
- isc_time_t *expires,
- isc_interval_t *interval,
- isc_task_t *task,
- isc_taskaction_t action,
- const void *arg,
- isc_timer_t **timerp);
-/*
- * Create a new 'type' timer managed by 'manager'. The timers parameters
- * are specified by 'expires' and 'interval'. Events will be posted to
- * 'task' and when dispatched 'action' will be called with 'arg' as the
- * arg value. The new timer is returned in 'timerp'.
- *
- * Notes:
- *
- * For ticker timers, the timer will generate a 'tick' event every
- * 'interval' seconds. The value of 'expires' is ignored.
- *
- * For once timers, 'expires' specifies the time when a life timeout
- * event should be generated. If 'expires' is 0 (the epoch), then no life
- * timeout will be generated. 'interval' specifies how long the timer
- * can be idle before it generates an idle timeout. If 0, then no
- * idle timeout will be generated.
- *
- * If 'expires' is NULL, the epoch will be used.
- *
- * If 'interval' is NULL, the zero interval will be used.
- *
- * Requires:
- *
- * 'manager' is a valid manager
- *
- * 'task' is a valid task
- *
- * 'action' is a valid action
- *
- * 'expires' points to a valid time, or is NULL.
- *
- * 'interval' points to a valid interval, or is NULL.
- *
- * type == isc_timertype_inactive ||
- * ('expires' and 'interval' are not both 0)
- *
- * 'timerp' is a valid pointer, and *timerp == NULL
- *
- * Ensures:
- *
- * '*timerp' is attached to the newly created timer
- *
- * The timer is attached to the task
- *
- * An idle timeout will not be generated until at least Now + the
- * timer's interval if 'timer' is a once timer with a non-zero
- * interval.
- *
- * Returns:
- *
- * Success
- * No memory
- * Unexpected error
- */
-
-isc_result_t
-isc_timer_reset(isc_timer_t *timer,
- isc_timertype_t type,
- isc_time_t *expires,
- isc_interval_t *interval,
- isc_boolean_t purge);
-/*
- * Change the timer's type, expires, and interval values to the given
- * values. If 'purge' is TRUE, any pending events from this timer
- * are purged from its task's event queue.
- *
- * Notes:
- *
- * If 'expires' is NULL, the epoch will be used.
- *
- * If 'interval' is NULL, the zero interval will be used.
- *
- * Requires:
- *
- * 'timer' is a valid timer
- *
- * The same requirements that isc_timer_create() imposes on 'type',
- * 'expires' and 'interval' apply.
- *
- * Ensures:
- *
- * An idle timeout will not be generated until at least Now + the
- * timer's interval if 'timer' is a once timer with a non-zero
- * interval.
- *
- * Returns:
- *
- * Success
- * No memory
- * Unexpected error
- */
-
-isc_result_t
-isc_timer_touch(isc_timer_t *timer);
-/*
- * Set the last-touched time of 'timer' to the current time.
- *
- * Requires:
- *
- * 'timer' is a valid once timer.
- *
- * Ensures:
- *
- * An idle timeout will not be generated until at least Now + the
- * timer's interval if 'timer' is a once timer with a non-zero
- * interval.
- *
- * Returns:
- *
- * Success
- * Unexpected error
- */
-
-void
-isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp);
-/*
- * Attach *timerp to timer.
- *
- * Requires:
- *
- * 'timer' is a valid timer.
- *
- * 'timerp' points to a NULL timer.
- *
- * Ensures:
- *
- * *timerp is attached to timer.
- */
-
-void
-isc_timer_detach(isc_timer_t **timerp);
-/*
- * Detach *timerp from its timer.
- *
- * Requires:
- *
- * 'timerp' points to a valid timer.
- *
- * Ensures:
- *
- * *timerp is NULL.
- *
- * If '*timerp' is the last reference to the timer,
- * then:
- *
- * The timer will be shutdown
- *
- * The timer will detach from its task
- *
- * All resources used by the timer have been freed
- *
- * Any events already posted by the timer will be purged.
- * Therefore, if isc_timer_detach() is called in the context
- * of the timer's task, it is guaranteed that no more
- * timer event callbacks will run after the call.
- */
-
-isc_timertype_t
-isc_timer_gettype(isc_timer_t *timer);
-/*%<
- * Return the timer type.
- *
- * Requires:
- *
- *\li 'timer' to be a valid timer.
- */
-
-isc_result_t
-isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
-/*
- * Create a timer manager.
- *
- * Notes:
- *
- * All memory will be allocated in memory context 'mctx'.
- *
- * Requires:
- *
- * 'mctx' is a valid memory context.
- *
- * 'managerp' points to a NULL isc_timermgr_t.
- *
- * Ensures:
- *
- * '*managerp' is a valid isc_timermgr_t.
- *
- * Returns:
- *
- * Success
- * No memory
- * Unexpected error
- */
-
-void
-isc_timermgr_destroy(isc_timermgr_t **managerp);
-/*
- * Destroy a timer manager.
- *
- * Notes:
- *
- * This routine blocks until there are no timers left in the manager,
- * so if the caller holds any timer references using the manager, it
- * must detach them before calling isc_timermgr_destroy() or it will
- * block forever.
- *
- * Requires:
- *
- * '*managerp' is a valid isc_timermgr_t.
- *
- * Ensures:
- *
- * *managerp == NULL
- *
- * All resources used by the manager have been freed.
- */
-
-void isc_timermgr_poke(isc_timermgr_t *m);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TIMER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/types.h b/contrib/bind9/lib/isc/include/isc/types.h
deleted file mode 100644
index fad77da99e7b..000000000000
--- a/contrib/bind9/lib/isc/include/isc/types.h
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: types.h,v 1.32.2.3.2.1 2004/03/06 08:14:50 marka Exp $ */
-
-#ifndef ISC_TYPES_H
-#define ISC_TYPES_H 1
-
-/*
- * OS-specific types, from the OS-specific include directories.
- */
-#include <isc/int.h>
-#include <isc/offset.h>
-
-/*
- * XXXDCL should isc_boolean_t be moved here, requiring an explicit include
- * of <isc/boolean.h> when ISC_TRUE/ISC_FALSE/ISC_TF() are desired?
- */
-#include <isc/boolean.h>
-/*
- * XXXDCL This is just for ISC_LIST and ISC_LINK, but gets all of the other
- * list macros too.
- */
-#include <isc/list.h>
-
-/***
- *** Core Types. Alphabetized by defined type.
- ***/
-
-typedef struct isc_bitstring isc_bitstring_t;
-typedef struct isc_buffer isc_buffer_t;
-typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t;
-typedef struct isc_constregion isc_constregion_t;
-typedef struct isc_consttextregion isc_consttextregion_t;
-typedef struct isc_entropy isc_entropy_t;
-typedef struct isc_entropysource isc_entropysource_t;
-typedef struct isc_event isc_event_t;
-typedef ISC_LIST(isc_event_t) isc_eventlist_t;
-typedef unsigned int isc_eventtype_t;
-typedef isc_uint32_t isc_fsaccess_t;
-typedef struct isc_hash isc_hash_t;
-typedef struct isc_interface isc_interface_t;
-typedef struct isc_interfaceiter isc_interfaceiter_t;
-typedef struct isc_interval isc_interval_t;
-typedef struct isc_lex isc_lex_t;
-typedef struct isc_log isc_log_t;
-typedef struct isc_logcategory isc_logcategory_t;
-typedef struct isc_logconfig isc_logconfig_t;
-typedef struct isc_logmodule isc_logmodule_t;
-typedef struct isc_mem isc_mem_t;
-typedef struct isc_mempool isc_mempool_t;
-typedef struct isc_msgcat isc_msgcat_t;
-typedef struct isc_ondestroy isc_ondestroy_t;
-typedef struct isc_netaddr isc_netaddr_t;
-typedef struct isc_quota isc_quota_t;
-typedef struct isc_random isc_random_t;
-typedef struct isc_ratelimiter isc_ratelimiter_t;
-typedef struct isc_region isc_region_t;
-typedef isc_uint64_t isc_resourcevalue_t;
-typedef unsigned int isc_result_t;
-typedef struct isc_rwlock isc_rwlock_t;
-typedef struct isc_sockaddr isc_sockaddr_t;
-typedef struct isc_socket isc_socket_t;
-typedef struct isc_socketevent isc_socketevent_t;
-typedef struct isc_socketmgr isc_socketmgr_t;
-typedef struct isc_symtab isc_symtab_t;
-typedef struct isc_task isc_task_t;
-typedef ISC_LIST(isc_task_t) isc_tasklist_t;
-typedef struct isc_taskmgr isc_taskmgr_t;
-typedef struct isc_textregion isc_textregion_t;
-typedef struct isc_time isc_time_t;
-typedef struct isc_timer isc_timer_t;
-typedef struct isc_timermgr isc_timermgr_t;
-
-typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
-
-typedef enum {
- isc_resource_coresize = 1,
- isc_resource_cputime,
- isc_resource_datasize,
- isc_resource_filesize,
- isc_resource_lockedmemory,
- isc_resource_openfiles,
- isc_resource_processes,
- isc_resource_residentsize,
- isc_resource_stacksize
-} isc_resource_t;
-
-#endif /* ISC_TYPES_H */
diff --git a/contrib/bind9/lib/isc/include/isc/util.h b/contrib/bind9/lib/isc/include/isc/util.h
deleted file mode 100644
index c2798d6df0c7..000000000000
--- a/contrib/bind9/lib/isc/include/isc/util.h
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.h,v 1.21.12.5 2004/03/08 09:04:53 marka Exp $ */
-
-#ifndef ISC_UTIL_H
-#define ISC_UTIL_H 1
-
-/*
- * NOTE:
- *
- * This file is not to be included from any <isc/???.h> (or other) library
- * files.
- *
- * Including this file puts several macros in your name space that are
- * not protected (as all the other ISC functions/macros do) by prepending
- * ISC_ or isc_ to the name.
- */
-
-/***
- *** General Macros.
- ***/
-
-/*
- * Use this to hide unused function arguments.
- *
- * int
- * foo(char *bar)
- * {
- * UNUSED(bar);
- * }
- */
-#define UNUSED(x) (void)(x)
-
-#define ISC_MAX(a, b) ((a) > (b) ? (a) : (b))
-#define ISC_MIN(a, b) ((a) < (b) ? (a) : (b))
-
-/*
- * Use this to remove the const qualifier of a variable to assign it to
- * a non-const variable or pass it as a non-const function argument ...
- * but only when you are sure it won't then be changed!
- * This is necessary to sometimes shut up some compilers
- * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
- * situation.
- */
-#define DE_CONST(konst, var) \
- do { \
- union { const void *k; void *v; } _u; \
- _u.k = konst; \
- var = _u.v; \
- } while (0)
-
-/*
- * Use this in translation units that would otherwise be empty, to
- * suppress compiler warnings.
- */
-#define EMPTY_TRANSLATION_UNIT static void isc__empty(void) { isc__empty(); }
-
-/*
- * We use macros instead of calling the routines directly because
- * the capital letters make the locking stand out.
- *
- * We RUNTIME_CHECK for success since in general there's no way
- * for us to continue if they fail.
- */
-
-#ifdef ISC_UTIL_TRACEON
-#define ISC_UTIL_TRACE(a) a
-#include <stdio.h> /* Required for fprintf/stderr when tracing. */
-#include <isc/msgs.h> /* Required for isc_msgcat when tracing. */
-#else
-#define ISC_UTIL_TRACE(a)
-#endif
-
-#include <isc/result.h> /* Contractual promise. */
-
-#define LOCK(lp) do { \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_LOCKING, "LOCKING"), \
- (lp), __FILE__, __LINE__)); \
- RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_LOCKED, "LOCKED"), \
- (lp), __FILE__, __LINE__)); \
- } while (0)
-#define UNLOCK(lp) do { \
- RUNTIME_CHECK(isc_mutex_unlock((lp)) == ISC_R_SUCCESS); \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_UNLOCKED, "UNLOCKED"), \
- (lp), __FILE__, __LINE__)); \
- } while (0)
-#define ISLOCKED(lp) (1)
-#define DESTROYLOCK(lp) \
- RUNTIME_CHECK(isc_mutex_destroy((lp)) == ISC_R_SUCCESS)
-
-
-#define BROADCAST(cvp) do { \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_BROADCAST, "BROADCAST"),\
- (cvp), __FILE__, __LINE__)); \
- RUNTIME_CHECK(isc_condition_broadcast((cvp)) == ISC_R_SUCCESS); \
- } while (0)
-#define SIGNAL(cvp) do { \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_SIGNAL, "SIGNAL"), \
- (cvp), __FILE__, __LINE__)); \
- RUNTIME_CHECK(isc_condition_signal((cvp)) == ISC_R_SUCCESS); \
- } while (0)
-#define WAIT(cvp, lp) do { \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_UTILWAIT, "WAIT"), \
- (cvp), \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_LOCK, "LOCK"), \
- (lp), __FILE__, __LINE__)); \
- RUNTIME_CHECK(isc_condition_wait((cvp), (lp)) == ISC_R_SUCCESS); \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_WAITED, "WAITED"), \
- (cvp), \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_LOCKED, "LOCKED"), \
- (lp), __FILE__, __LINE__)); \
- } while (0)
-
-/*
- * isc_condition_waituntil can return ISC_R_TIMEDOUT, so we
- * don't RUNTIME_CHECK the result.
- *
- * XXX Also, can't really debug this then...
- */
-
-#define WAITUNTIL(cvp, lp, tp) \
- isc_condition_waituntil((cvp), (lp), (tp))
-
-#define RWLOCK(lp, t) do { \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_RWLOCK, "RWLOCK"), \
- (lp), (t), __FILE__, __LINE__)); \
- RUNTIME_CHECK(isc_rwlock_lock((lp), (t)) == ISC_R_SUCCESS); \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_RWLOCKED, "RWLOCKED"), \
- (lp), (t), __FILE__, __LINE__)); \
- } while (0)
-#define RWUNLOCK(lp, t) do { \
- ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
- ISC_MSG_RWUNLOCK, "RWUNLOCK"), \
- (lp), (t), __FILE__, __LINE__)); \
- RUNTIME_CHECK(isc_rwlock_unlock((lp), (t)) == ISC_R_SUCCESS); \
- } while (0)
-
-#define DESTROYMUTEXBLOCK(bp, n) \
- RUNTIME_CHECK(isc_mutexblock_destroy((bp), (n)) == ISC_R_SUCCESS)
-
-/*
- * List Macros.
- */
-#include <isc/list.h> /* Contractual promise. */
-
-#define LIST(type) ISC_LIST(type)
-#define INIT_LIST(type) ISC_LIST_INIT(type)
-#define LINK(type) ISC_LINK(type)
-#define INIT_LINK(elt, link) ISC_LINK_INIT(elt, link)
-#define HEAD(list) ISC_LIST_HEAD(list)
-#define TAIL(list) ISC_LIST_TAIL(list)
-#define EMPTY(list) ISC_LIST_EMPTY(list)
-#define PREV(elt, link) ISC_LIST_PREV(elt, link)
-#define NEXT(elt, link) ISC_LIST_NEXT(elt, link)
-#define APPEND(list, elt, link) ISC_LIST_APPEND(list, elt, link)
-#define PREPEND(list, elt, link) ISC_LIST_PREPEND(list, elt, link)
-#define UNLINK(list, elt, link) ISC_LIST_UNLINK(list, elt, link)
-#define ENQUEUE(list, elt, link) ISC_LIST_APPEND(list, elt, link)
-#define DEQUEUE(list, elt, link) ISC_LIST_UNLINK(list, elt, link)
-#define INSERTBEFORE(li, b, e, ln) ISC_LIST_INSERTBEFORE(li, b, e, ln)
-#define INSERTAFTER(li, a, e, ln) ISC_LIST_INSERTAFTER(li, a, e, ln)
-#define APPENDLIST(list1, list2, link) ISC_LIST_APPENDLIST(list1, list2, link)
-
-/*
- * Assertions
- */
-#include <isc/assertions.h> /* Contractual promise. */
-
-#define REQUIRE(e) ISC_REQUIRE(e)
-#define ENSURE(e) ISC_ENSURE(e)
-#define INSIST(e) ISC_INSIST(e)
-#define INVARIANT(e) ISC_INVARIANT(e)
-
-/*
- * Errors
- */
-#include <isc/error.h> /* Contractual promise. */
-
-#define UNEXPECTED_ERROR isc_error_unexpected
-#define FATAL_ERROR isc_error_fatal
-#define RUNTIME_CHECK(cond) ISC_ERROR_RUNTIMECHECK(cond)
-
-/*
- * Time
- */
-#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
-
-#endif /* ISC_UTIL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/version.h b/contrib/bind9/lib/isc/include/isc/version.h
deleted file mode 100644
index 3da836c3e8dd..000000000000
--- a/contrib/bind9/lib/isc/include/isc/version.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.2.220.3 2004/03/08 09:04:54 marka Exp $ */
-
-#include <isc/platform.h>
-
-LIBISC_EXTERNAL_DATA extern const char isc_version[];
-
-LIBISC_EXTERNAL_DATA extern const unsigned int isc_libinterface;
-LIBISC_EXTERNAL_DATA extern const unsigned int isc_librevision;
-LIBISC_EXTERNAL_DATA extern const unsigned int isc_libage;
diff --git a/contrib/bind9/lib/isc/inet_aton.c b/contrib/bind9/lib/isc/inet_aton.c
deleted file mode 100644
index 530b0103bab0..000000000000
--- a/contrib/bind9/lib/isc/inet_aton.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1983, 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.15.12.3 2004/03/08 09:04:49 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stddef.h> /* Required for NULL. */
-
-#include <isc/types.h>
-#include <isc/net.h>
-
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-isc_net_aton(const char *cp, struct in_addr *addr) {
- unsigned long val;
- int base, n;
- unsigned char c;
- isc_uint8_t parts[4];
- isc_uint8_t *pp = parts;
- int digit;
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!isdigit(c & 0xff))
- return (0);
- val = 0; base = 10; digit = 0;
- if (c == '0') {
- c = *++cp;
- if (c == 'x' || c == 'X')
- base = 16, c = *++cp;
- else {
- base = 8;
- digit = 1;
- }
- }
- for (;;) {
- /*
- * isascii() is valid for all integer values, and
- * when it is true, c is known to be in scope
- * for isdigit(). No cast necessary. Similar
- * comment applies for later ctype uses.
- */
- if (isascii(c) && isdigit(c)) {
- if (base == 8 && (c == '8' || c == '9'))
- return (0);
- val = (val * base) + (c - '0');
- c = *++cp;
- digit = 1;
- } else if (base == 16 && isascii(c) && isxdigit(c)) {
- val = (val << 4) |
- (c + 10 - (islower(c) ? 'a' : 'A'));
- c = *++cp;
- digit = 1;
- } else
- break;
- }
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp >= parts + 3 || val > 0xff)
- return (0);
- *pp++ = (isc_uint8_t)val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!isascii(c) || !isspace(c)))
- return (0);
- /*
- * Did we get a valid digit?
- */
- if (!digit)
- return (0);
- /*
- * Concoct the address according to
- * the number of parts specified.
- */
- n = pp - parts + 1;
- switch (n) {
- case 1: /* a -- 32 bits */
- break;
-
- case 2: /* a.b -- 8.24 bits */
- if (val > 0xffffff)
- return (0);
- val |= parts[0] << 24;
- break;
-
- case 3: /* a.b.c -- 8.8.16 bits */
- if (val > 0xffff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16);
- break;
-
- case 4: /* a.b.c.d -- 8.8.8.8 bits */
- if (val > 0xff)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
- break;
- }
- if (addr != NULL)
- addr->s_addr = htonl(val);
-
- return (1);
-}
diff --git a/contrib/bind9/lib/isc/inet_ntop.c b/contrib/bind9/lib/isc/inet_ntop.c
deleted file mode 100644
index 6dadd736e953..000000000000
--- a/contrib/bind9/lib/isc/inet_ntop.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
- "$Id: inet_ntop.c,v 1.12.12.4 2004/08/28 06:25:21 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/net.h>
-#include <isc/print.h>
-
-#define NS_INT16SZ 2
-#define NS_IN6ADDRSZ 16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *inet_ntop4(const unsigned char *src, char *dst,
- size_t size);
-
-#ifdef AF_INET6
-static const char *inet_ntop6(const unsigned char *src, char *dst,
- size_t size);
-#endif
-
-/* char *
- * isc_net_ntop(af, src, dst, size)
- * convert a network format address to presentation format.
- * return:
- * pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
- * Paul Vixie, 1996.
- */
-const char *
-isc_net_ntop(int af, const void *src, char *dst, size_t size)
-{
- switch (af) {
- case AF_INET:
- return (inet_ntop4(src, dst, size));
-#ifdef AF_INET6
- case AF_INET6:
- return (inet_ntop6(src, dst, size));
-#endif
- default:
- errno = EAFNOSUPPORT;
- return (NULL);
- }
- /* NOTREACHED */
-}
-
-/* const char *
- * inet_ntop4(src, dst, size)
- * format an IPv4 address
- * return:
- * `dst' (as a const)
- * notes:
- * (1) uses no statics
- * (2) takes a unsigned char* not an in_addr as input
- * author:
- * Paul Vixie, 1996.
- */
-static const char *
-inet_ntop4(const unsigned char *src, char *dst, size_t size)
-{
- static const char *fmt = "%u.%u.%u.%u";
- char tmp[sizeof("255.255.255.255")];
-
- if ((size_t)sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) >= size)
- {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
-
- return (dst);
-}
-
-/* const char *
- * isc_inet_ntop6(src, dst, size)
- * convert IPv6 binary address into presentation (printable) format
- * author:
- * Paul Vixie, 1996.
- */
-#ifdef AF_INET6
-static const char *
-inet_ntop6(const unsigned char *src, char *dst, size_t size)
-{
- /*
- * Note that int32_t and int16_t need only be "at least" large enough
- * to contain a value of the specified size. On some systems, like
- * Crays, there is no such thing as an integer variable with 16 bits.
- * Keep this in mind if you think this function should have been coded
- * to use pointer overlays. All the world's not a VAX.
- */
- char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
- struct { int base, len; } best, cur;
- unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
- int i;
-
- /*
- * Preprocess:
- * Copy the input (bytewise) array into a wordwise array.
- * Find the longest run of 0x00's in src[] for :: shorthanding.
- */
- memset(words, '\0', sizeof(words));
- for (i = 0; i < NS_IN6ADDRSZ; i++)
- words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
- best.base = -1;
- cur.base = -1;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- if (words[i] == 0) {
- if (cur.base == -1)
- cur.base = i, cur.len = 1;
- else
- cur.len++;
- } else {
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- cur.base = -1;
- }
- }
- }
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- }
- if (best.base != -1 && best.len < 2)
- best.base = -1;
-
- /*
- * Format the result.
- */
- tp = tmp;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- /* Are we inside the best run of 0x00's? */
- if (best.base != -1 && i >= best.base &&
- i < (best.base + best.len)) {
- if (i == best.base)
- *tp++ = ':';
- continue;
- }
- /* Are we following an initial run of 0x00s or any real hex? */
- if (i != 0)
- *tp++ = ':';
- /* Is this address an encapsulated IPv4? */
- if (i == 6 && best.base == 0 &&
- (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
- if (!inet_ntop4(src+12, tp,
- sizeof(tmp) - (tp - tmp)))
- return (NULL);
- tp += strlen(tp);
- break;
- }
- tp += sprintf(tp, "%x", words[i]);
- }
- /* Was it a trailing run of 0x00's? */
- if (best.base != -1 && (best.base + best.len) ==
- (NS_IN6ADDRSZ / NS_INT16SZ))
- *tp++ = ':';
- *tp++ = '\0';
-
- /*
- * Check for overflow, copy, and we're done.
- */
- if ((size_t)(tp - tmp) > size) {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
- return (dst);
-}
-#endif /* AF_INET6 */
diff --git a/contrib/bind9/lib/isc/inet_pton.c b/contrib/bind9/lib/isc/inet_pton.c
deleted file mode 100644
index 026fedf23c7e..000000000000
--- a/contrib/bind9/lib/isc/inet_pton.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
- "$Id: inet_pton.c,v 1.10.2.4.2.3 2005/03/31 23:56:14 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <isc/net.h>
-
-#define NS_INT16SZ 2
-#define NS_INADDRSZ 4
-#define NS_IN6ADDRSZ 16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int inet_pton4(const char *src, unsigned char *dst);
-static int inet_pton6(const char *src, unsigned char *dst);
-
-/* int
- * isc_net_pton(af, src, dst)
- * convert from presentation format (which usually means ASCII printable)
- * to network format (which is usually some kind of binary format).
- * return:
- * 1 if the address was valid for the specified address family
- * 0 if the address wasn't valid (`dst' is untouched in this case)
- * -1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- * Paul Vixie, 1996.
- */
-int
-isc_net_pton(int af, const char *src, void *dst) {
- switch (af) {
- case AF_INET:
- return (inet_pton4(src, dst));
- case AF_INET6:
- return (inet_pton6(src, dst));
- default:
- errno = EAFNOSUPPORT;
- return (-1);
- }
- /* NOTREACHED */
-}
-
-/* int
- * inet_pton4(src, dst)
- * like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- * 1 if `src' is a valid dotted quad, else 0.
- * notice:
- * does not touch `dst' unless it's returning 1.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, unsigned char *dst) {
- static const char digits[] = "0123456789";
- int saw_digit, octets, ch;
- unsigned char tmp[NS_INADDRSZ], *tp;
-
- saw_digit = 0;
- octets = 0;
- *(tp = tmp) = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr(digits, ch)) != NULL) {
- unsigned int new = *tp * 10 + (pch - digits);
-
- if (saw_digit && *tp == 0)
- return (0);
- if (new > 255)
- return (0);
- *tp = new;
- if (!saw_digit) {
- if (++octets > 4)
- return (0);
- saw_digit = 1;
- }
- } else if (ch == '.' && saw_digit) {
- if (octets == 4)
- return (0);
- *++tp = 0;
- saw_digit = 0;
- } else
- return (0);
- }
- if (octets < 4)
- return (0);
- memcpy(dst, tmp, NS_INADDRSZ);
- return (1);
-}
-
-/* int
- * inet_pton6(src, dst)
- * convert presentation level address to network order binary form.
- * return:
- * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- * (1) does not touch `dst' unless it's returning 1.
- * (2) :: in a full address is silently ignored.
- * credit:
- * inspired by Mark Andrews.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, unsigned char *dst) {
- static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
- unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
- const char *xdigits, *curtok;
- int ch, seen_xdigits;
- unsigned int val;
-
- memset((tp = tmp), '\0', NS_IN6ADDRSZ);
- endp = tp + NS_IN6ADDRSZ;
- colonp = NULL;
- /* Leading :: requires some special handling. */
- if (*src == ':')
- if (*++src != ':')
- return (0);
- curtok = src;
- seen_xdigits = 0;
- val = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
- pch = strchr((xdigits = xdigits_u), ch);
- if (pch != NULL) {
- val <<= 4;
- val |= (pch - xdigits);
- if (++seen_xdigits > 4)
- return (0);
- continue;
- }
- if (ch == ':') {
- curtok = src;
- if (!seen_xdigits) {
- if (colonp)
- return (0);
- colonp = tp;
- continue;
- }
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char) (val >> 8) & 0xff;
- *tp++ = (unsigned char) val & 0xff;
- seen_xdigits = 0;
- val = 0;
- continue;
- }
- if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- inet_pton4(curtok, tp) > 0) {
- tp += NS_INADDRSZ;
- seen_xdigits = 0;
- break; /* '\0' was seen by inet_pton4(). */
- }
- return (0);
- }
- if (seen_xdigits) {
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char) (val >> 8) & 0xff;
- *tp++ = (unsigned char) val & 0xff;
- }
- if (colonp != NULL) {
- /*
- * Since some memmove()'s erroneously fail to handle
- * overlapping regions, we'll do the shift by hand.
- */
- const int n = tp - colonp;
- int i;
-
- if (tp == endp)
- return (0);
- for (i = 1; i <= n; i++) {
- endp[- i] = colonp[n - i];
- colonp[n - i] = 0;
- }
- tp = endp;
- }
- if (tp != endp)
- return (0);
- memcpy(dst, tmp, NS_IN6ADDRSZ);
- return (1);
-}
diff --git a/contrib/bind9/lib/isc/lex.c b/contrib/bind9/lib/isc/lex.c
deleted file mode 100644
index bb832dd0b41c..000000000000
--- a/contrib/bind9/lib/isc/lex.c
+++ /dev/null
@@ -1,921 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lex.c,v 1.66.2.6.2.8 2004/08/28 06:25:21 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <isc/buffer.h>
-#include <isc/file.h>
-#include <isc/lex.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/parseint.h>
-#include <isc/print.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-typedef struct inputsource {
- isc_result_t result;
- isc_boolean_t is_file;
- isc_boolean_t need_close;
- isc_boolean_t at_eof;
- isc_buffer_t * pushback;
- unsigned int ignored;
- void * input;
- char * name;
- unsigned long line;
- unsigned long saved_line;
- ISC_LINK(struct inputsource) link;
-} inputsource;
-
-#define LEX_MAGIC ISC_MAGIC('L', 'e', 'x', '!')
-#define VALID_LEX(l) ISC_MAGIC_VALID(l, LEX_MAGIC)
-
-struct isc_lex {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- size_t max_token;
- char * data;
- unsigned int comments;
- isc_boolean_t comment_ok;
- isc_boolean_t last_was_eol;
- unsigned int paren_count;
- unsigned int saved_paren_count;
- isc_lexspecials_t specials;
- LIST(struct inputsource) sources;
-};
-
-static inline isc_result_t
-grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
- char *new;
-
- new = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
- if (new == NULL)
- return (ISC_R_NOMEMORY);
- memcpy(new, lex->data, lex->max_token + 1);
- *currp = new + (*currp - lex->data);
- if (*prevp != NULL)
- *prevp = new + (*prevp - lex->data);
- isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
- lex->data = new;
- *remainingp += lex->max_token;
- lex->max_token *= 2;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) {
- isc_lex_t *lex;
-
- /*
- * Create a lexer.
- */
-
- REQUIRE(lexp != NULL && *lexp == NULL);
- REQUIRE(max_token > 0U);
-
- lex = isc_mem_get(mctx, sizeof(*lex));
- if (lex == NULL)
- return (ISC_R_NOMEMORY);
- lex->data = isc_mem_get(mctx, max_token + 1);
- if (lex->data == NULL) {
- isc_mem_put(mctx, lex, sizeof(*lex));
- return (ISC_R_NOMEMORY);
- }
- lex->mctx = mctx;
- lex->max_token = max_token;
- lex->comments = 0;
- lex->comment_ok = ISC_TRUE;
- lex->last_was_eol = ISC_TRUE;
- lex->paren_count = 0;
- lex->saved_paren_count = 0;
- memset(lex->specials, 0, 256);
- INIT_LIST(lex->sources);
- lex->magic = LEX_MAGIC;
-
- *lexp = lex;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_lex_destroy(isc_lex_t **lexp) {
- isc_lex_t *lex;
-
- /*
- * Destroy the lexer.
- */
-
- REQUIRE(lexp != NULL);
- lex = *lexp;
- REQUIRE(VALID_LEX(lex));
-
- while (!EMPTY(lex->sources))
- RUNTIME_CHECK(isc_lex_close(lex) == ISC_R_SUCCESS);
- if (lex->data != NULL)
- isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
- lex->magic = 0;
- isc_mem_put(lex->mctx, lex, sizeof(*lex));
-
- *lexp = NULL;
-}
-
-unsigned int
-isc_lex_getcomments(isc_lex_t *lex) {
- /*
- * Return the current lexer commenting styles.
- */
-
- REQUIRE(VALID_LEX(lex));
-
- return (lex->comments);
-}
-
-void
-isc_lex_setcomments(isc_lex_t *lex, unsigned int comments) {
- /*
- * Set allowed lexer commenting styles.
- */
-
- REQUIRE(VALID_LEX(lex));
-
- lex->comments = comments;
-}
-
-void
-isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
- /*
- * Put the current list of specials into 'specials'.
- */
-
- REQUIRE(VALID_LEX(lex));
-
- memcpy(specials, lex->specials, 256);
-}
-
-void
-isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
- /*
- * The characters in 'specials' are returned as tokens. Along with
- * whitespace, they delimit strings and numbers.
- */
-
- REQUIRE(VALID_LEX(lex));
-
- memcpy(lex->specials, specials, 256);
-}
-
-static inline isc_result_t
-new_source(isc_lex_t *lex, isc_boolean_t is_file, isc_boolean_t need_close,
- void *input, const char *name)
-{
- inputsource *source;
- isc_result_t result;
-
- source = isc_mem_get(lex->mctx, sizeof(*source));
- if (source == NULL)
- return (ISC_R_NOMEMORY);
- source->result = ISC_R_SUCCESS;
- source->is_file = is_file;
- source->need_close = need_close;
- source->at_eof = ISC_FALSE;
- source->input = input;
- source->name = isc_mem_strdup(lex->mctx, name);
- if (source->name == NULL) {
- isc_mem_put(lex->mctx, source, sizeof(*source));
- return (ISC_R_NOMEMORY);
- }
- source->pushback = NULL;
- result = isc_buffer_allocate(lex->mctx, &source->pushback,
- lex->max_token);
- if (result != ISC_R_SUCCESS) {
- isc_mem_free(lex->mctx, source->name);
- isc_mem_put(lex->mctx, source, sizeof(*source));
- return (result);
- }
- source->ignored = 0;
- source->line = 1;
- ISC_LIST_INITANDPREPEND(lex->sources, source, link);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_lex_openfile(isc_lex_t *lex, const char *filename) {
- isc_result_t result;
- FILE *stream = NULL;
-
- /*
- * Open 'filename' and make it the current input source for 'lex'.
- */
-
- REQUIRE(VALID_LEX(lex));
-
- result = isc_stdio_open(filename, "r", &stream);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- result = new_source(lex, ISC_TRUE, ISC_TRUE, stream, filename);
- if (result != ISC_R_SUCCESS)
- (void)fclose(stream);
- return (result);
-}
-
-isc_result_t
-isc_lex_openstream(isc_lex_t *lex, FILE *stream) {
- char name[128];
-
- /*
- * Make 'stream' the current input source for 'lex'.
- */
-
- REQUIRE(VALID_LEX(lex));
-
- snprintf(name, sizeof(name), "stream-%p", stream);
-
- return (new_source(lex, ISC_TRUE, ISC_FALSE, stream, name));
-}
-
-isc_result_t
-isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer) {
- char name[128];
-
- /*
- * Make 'buffer' the current input source for 'lex'.
- */
-
- REQUIRE(VALID_LEX(lex));
-
- snprintf(name, sizeof(name), "buffer-%p", buffer);
-
- return (new_source(lex, ISC_FALSE, ISC_FALSE, buffer, name));
-}
-
-isc_result_t
-isc_lex_close(isc_lex_t *lex) {
- inputsource *source;
-
- /*
- * Close the most recently opened object (i.e. file or buffer).
- */
-
- REQUIRE(VALID_LEX(lex));
-
- source = HEAD(lex->sources);
- if (source == NULL)
- return (ISC_R_NOMORE);
-
- ISC_LIST_UNLINK(lex->sources, source, link);
- if (source->is_file) {
- if (source->need_close)
- (void)fclose((FILE *)(source->input));
- }
- isc_mem_free(lex->mctx, source->name);
- isc_buffer_free(&source->pushback);
- isc_mem_put(lex->mctx, source, sizeof(*source));
-
- return (ISC_R_SUCCESS);
-}
-
-typedef enum {
- lexstate_start,
- lexstate_crlf,
- lexstate_string,
- lexstate_number,
- lexstate_maybecomment,
- lexstate_ccomment,
- lexstate_ccommentend,
- lexstate_eatline,
- lexstate_qstring
-} lexstate;
-
-#define IWSEOL (ISC_LEXOPT_INITIALWS | ISC_LEXOPT_EOL)
-
-static void
-pushback(inputsource *source, int c) {
- REQUIRE(source->pushback->current > 0);
- if (c == EOF) {
- source->at_eof = ISC_FALSE;
- return;
- }
- source->pushback->current--;
- if (c == '\n')
- source->line--;
-}
-
-static isc_result_t
-pushandgrow(isc_lex_t *lex, inputsource *source, int c) {
- if (isc_buffer_availablelength(source->pushback) == 0) {
- isc_buffer_t *tbuf = NULL;
- unsigned int oldlen;
- isc_region_t used;
- isc_result_t result;
-
- oldlen = isc_buffer_length(source->pushback);
- result = isc_buffer_allocate(lex->mctx, &tbuf, oldlen * 2);
- if (result != ISC_R_SUCCESS)
- return (result);
- isc_buffer_usedregion(source->pushback, &used);
- result = isc_buffer_copyregion(tbuf, &used);
- INSIST(result == ISC_R_SUCCESS);
- tbuf->current = source->pushback->current;
- isc_buffer_free(&source->pushback);
- source->pushback = tbuf;
- }
- isc_buffer_putuint8(source->pushback, (isc_uint8_t)c);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
- inputsource *source;
- int c;
- isc_boolean_t done = ISC_FALSE;
- isc_boolean_t no_comments = ISC_FALSE;
- isc_boolean_t escaped = ISC_FALSE;
- lexstate state = lexstate_start;
- lexstate saved_state = lexstate_start;
- isc_buffer_t *buffer;
- FILE *stream;
- char *curr, *prev;
- size_t remaining;
- isc_uint32_t as_ulong;
- unsigned int saved_options;
- isc_result_t result;
-
- /*
- * Get the next token.
- */
-
- REQUIRE(VALID_LEX(lex));
- source = HEAD(lex->sources);
- REQUIRE(tokenp != NULL);
-
- lex->saved_paren_count = lex->paren_count;
- source->saved_line = source->line;
-
- if (source == NULL) {
- if ((options & ISC_LEXOPT_NOMORE) != 0) {
- tokenp->type = isc_tokentype_nomore;
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_NOMORE);
- }
-
- if (source->result != ISC_R_SUCCESS)
- return (source->result);
-
- if (isc_buffer_remaininglength(source->pushback) == 0 &&
- source->at_eof)
- {
- if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
- lex->paren_count != 0) {
- lex->paren_count = 0;
- return (ISC_R_UNBALANCED);
- }
- if ((options & ISC_LEXOPT_EOF) != 0) {
- tokenp->type = isc_tokentype_eof;
- return (ISC_R_SUCCESS);
- }
- return (ISC_R_EOF);
- }
-
- isc_buffer_compact(source->pushback);
-
- saved_options = options;
- if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 && lex->paren_count > 0)
- options &= ~IWSEOL;
-
- curr = lex->data;
- *curr = '\0';
-
- prev = NULL;
- remaining = lex->max_token;
-
-#ifdef HAVE_FLOCKFILE
- if (source->is_file)
- flockfile(source->input);
-#endif
-
- do {
- if (isc_buffer_remaininglength(source->pushback) == 0) {
- if (source->is_file) {
- stream = source->input;
-
-#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
- c = getc_unlocked(stream);
-#else
- c = getc(stream);
-#endif
- if (c == EOF) {
- if (ferror(stream)) {
- source->result = ISC_R_IOERROR;
- result = source->result;
- goto done;
- }
- source->at_eof = ISC_TRUE;
- }
- } else {
- buffer = source->input;
-
- if (buffer->current == buffer->used) {
- c = EOF;
- source->at_eof = ISC_TRUE;
- } else {
- c = *((char *)buffer->base +
- buffer->current);
- buffer->current++;
- }
- }
- if (c != EOF) {
- source->result = pushandgrow(lex, source, c);
- if (source->result != ISC_R_SUCCESS) {
- result = source->result;
- goto done;
- }
- }
- }
-
- if (!source->at_eof) {
- if (state == lexstate_start)
- /* Token has not started yet. */
- source->ignored =
- isc_buffer_consumedlength(source->pushback);
- c = isc_buffer_getuint8(source->pushback);
- } else {
- c = EOF;
- }
-
- if (c == '\n')
- source->line++;
-
- if (lex->comment_ok && !no_comments) {
- if (!escaped && c == ';' &&
- ((lex->comments & ISC_LEXCOMMENT_DNSMASTERFILE)
- != 0)) {
- saved_state = state;
- state = lexstate_eatline;
- no_comments = ISC_TRUE;
- continue;
- } else if (c == '/' &&
- (lex->comments &
- (ISC_LEXCOMMENT_C|
- ISC_LEXCOMMENT_CPLUSPLUS)) != 0) {
- saved_state = state;
- state = lexstate_maybecomment;
- no_comments = ISC_TRUE;
- continue;
- } else if (c == '#' &&
- ((lex->comments & ISC_LEXCOMMENT_SHELL)
- != 0)) {
- saved_state = state;
- state = lexstate_eatline;
- no_comments = ISC_TRUE;
- continue;
- }
- }
-
- no_read:
- /* INSIST(c == EOF || (c >= 0 && c <= 255)); */
- switch (state) {
- case lexstate_start:
- if (c == EOF) {
- lex->last_was_eol = ISC_FALSE;
- if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
- lex->paren_count != 0) {
- lex->paren_count = 0;
- result = ISC_R_UNBALANCED;
- goto done;
- }
- if ((options & ISC_LEXOPT_EOF) == 0) {
- result = ISC_R_EOF;
- goto done;
- }
- tokenp->type = isc_tokentype_eof;
- done = ISC_TRUE;
- } else if (c == ' ' || c == '\t') {
- if (lex->last_was_eol &&
- (options & ISC_LEXOPT_INITIALWS)
- != 0) {
- lex->last_was_eol = ISC_FALSE;
- tokenp->type = isc_tokentype_initialws;
- tokenp->value.as_char = c;
- done = ISC_TRUE;
- }
- } else if (c == '\n') {
- if ((options & ISC_LEXOPT_EOL) != 0) {
- tokenp->type = isc_tokentype_eol;
- done = ISC_TRUE;
- }
- lex->last_was_eol = ISC_TRUE;
- } else if (c == '\r') {
- if ((options & ISC_LEXOPT_EOL) != 0)
- state = lexstate_crlf;
- } else if (c == '"' &&
- (options & ISC_LEXOPT_QSTRING) != 0) {
- lex->last_was_eol = ISC_FALSE;
- no_comments = ISC_TRUE;
- state = lexstate_qstring;
- } else if (lex->specials[c]) {
- lex->last_was_eol = ISC_FALSE;
- if ((c == '(' || c == ')') &&
- (options & ISC_LEXOPT_DNSMULTILINE) != 0) {
- if (c == '(') {
- if (lex->paren_count == 0)
- options &= ~IWSEOL;
- lex->paren_count++;
- } else {
- if (lex->paren_count == 0) {
- result = ISC_R_UNBALANCED;
- goto done;
- }
- lex->paren_count--;
- if (lex->paren_count == 0)
- options =
- saved_options;
- }
- continue;
- }
- tokenp->type = isc_tokentype_special;
- tokenp->value.as_char = c;
- done = ISC_TRUE;
- } else if (isdigit((unsigned char)c) &&
- (options & ISC_LEXOPT_NUMBER) != 0) {
- lex->last_was_eol = ISC_FALSE;
- state = lexstate_number;
- goto no_read;
- } else {
- lex->last_was_eol = ISC_FALSE;
- state = lexstate_string;
- goto no_read;
- }
- break;
- case lexstate_crlf:
- if (c != '\n')
- pushback(source, c);
- tokenp->type = isc_tokentype_eol;
- done = ISC_TRUE;
- lex->last_was_eol = ISC_TRUE;
- break;
- case lexstate_number:
- if (c == EOF || !isdigit((unsigned char)c)) {
- if (c == ' ' || c == '\t' || c == '\r' ||
- c == '\n' || c == EOF ||
- lex->specials[c]) {
- int base;
- if ((options & ISC_LEXOPT_CNUMBER) != 0)
- base = 0;
- else
- base = 10;
- pushback(source, c);
-
- result = isc_parse_uint32(&as_ulong,
- lex->data,
- base);
- if (result == ISC_R_SUCCESS) {
- tokenp->type =
- isc_tokentype_number;
- tokenp->value.as_ulong =
- as_ulong;
- } else if (result == ISC_R_BADNUMBER) {
- isc_tokenvalue_t *v;
-
- tokenp->type =
- isc_tokentype_string;
- v = &(tokenp->value);
- v->as_textregion.base =
- lex->data;
- v->as_textregion.length =
- lex->max_token -
- remaining;
- } else
- goto done;
- done = ISC_TRUE;
- continue;
- } else if (!(options & ISC_LEXOPT_CNUMBER) ||
- ((c != 'x' && c != 'X') ||
- (curr != &lex->data[1]) ||
- (lex->data[0] != '0'))) {
- /* Above test supports hex numbers */
- state = lexstate_string;
- }
- }
- if (remaining == 0U) {
- result = grow_data(lex, &remaining,
- &curr, &prev);
- if (result != ISC_R_SUCCESS)
- goto done;
- }
- INSIST(remaining > 0U);
- *curr++ = c;
- *curr = '\0';
- remaining--;
- break;
- case lexstate_string:
- if ((!escaped &&
- (c == ' ' || c == '\t' || lex->specials[c])) ||
- c == '\r' || c == '\n' || c == EOF) {
- pushback(source, c);
- if (source->result != ISC_R_SUCCESS) {
- result = source->result;
- goto done;
- }
- tokenp->type = isc_tokentype_string;
- tokenp->value.as_textregion.base = lex->data;
- tokenp->value.as_textregion.length =
- lex->max_token - remaining;
- done = ISC_TRUE;
- continue;
- }
- if ((options & ISC_LEXOPT_ESCAPE) != 0)
- escaped = (!escaped && c == '\\') ?
- ISC_TRUE : ISC_FALSE;
- if (remaining == 0U) {
- result = grow_data(lex, &remaining,
- &curr, &prev);
- if (result != ISC_R_SUCCESS)
- goto done;
- }
- INSIST(remaining > 0U);
- *curr++ = c;
- *curr = '\0';
- remaining--;
- break;
- case lexstate_maybecomment:
- if (c == '*' &&
- (lex->comments & ISC_LEXCOMMENT_C) != 0) {
- state = lexstate_ccomment;
- continue;
- } else if (c == '/' &&
- (lex->comments & ISC_LEXCOMMENT_CPLUSPLUS) != 0) {
- state = lexstate_eatline;
- continue;
- }
- pushback(source, c);
- c = '/';
- no_comments = ISC_FALSE;
- state = saved_state;
- goto no_read;
- case lexstate_ccomment:
- if (c == EOF) {
- result = ISC_R_UNEXPECTEDEND;
- goto done;
- }
- if (c == '*')
- state = lexstate_ccommentend;
- break;
- case lexstate_ccommentend:
- if (c == EOF) {
- result = ISC_R_UNEXPECTEDEND;
- goto done;
- }
- if (c == '/') {
- /*
- * C-style comments become a single space.
- * We do this to ensure that a comment will
- * act as a delimiter for strings and
- * numbers.
- */
- c = ' ';
- no_comments = ISC_FALSE;
- state = saved_state;
- goto no_read;
- } else if (c != '*')
- state = lexstate_ccomment;
- break;
- case lexstate_eatline:
- if (c == EOF) {
- result = ISC_R_UNEXPECTEDEND;
- goto done;
- }
- if (c == '\n') {
- no_comments = ISC_FALSE;
- state = saved_state;
- goto no_read;
- }
- break;
- case lexstate_qstring:
- if (c == EOF) {
- result = ISC_R_UNEXPECTEDEND;
- goto done;
- }
- if (c == '"') {
- if (escaped) {
- escaped = ISC_FALSE;
- /*
- * Overwrite the preceding backslash.
- */
- INSIST(prev != NULL);
- *prev = '"';
- } else {
- tokenp->type = isc_tokentype_qstring;
- tokenp->value.as_textregion.base =
- lex->data;
- tokenp->value.as_textregion.length =
- lex->max_token - remaining;
- no_comments = ISC_FALSE;
- done = ISC_TRUE;
- }
- } else {
- if (c == '\n' && !escaped &&
- (options & ISC_LEXOPT_QSTRINGMULTILINE) == 0) {
- pushback(source, c);
- result = ISC_R_UNBALANCEDQUOTES;
- goto done;
- }
- if (c == '\\' && !escaped)
- escaped = ISC_TRUE;
- else
- escaped = ISC_FALSE;
- if (remaining == 0U) {
- result = grow_data(lex, &remaining,
- &curr, &prev);
- if (result != ISC_R_SUCCESS)
- goto done;
- }
- INSIST(remaining > 0U);
- prev = curr;
- *curr++ = c;
- *curr = '\0';
- remaining--;
- }
- break;
- default:
- FATAL_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_LEX,
- ISC_MSG_UNEXPECTEDSTATE,
- "Unexpected state %d"),
- state);
- /* Does not return. */
- }
-
- } while (!done);
-
- result = ISC_R_SUCCESS;
- done:
-#ifdef HAVE_FLOCKFILE
- if (source->is_file)
- funlockfile(source->input);
-#endif
- return (result);
-}
-
-isc_result_t
-isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
- isc_tokentype_t expect, isc_boolean_t eol)
-{
- unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
- ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
- isc_result_t result;
-
- if (expect == isc_tokentype_qstring)
- options |= ISC_LEXOPT_QSTRING;
- else if (expect == isc_tokentype_number)
- options |= ISC_LEXOPT_NUMBER;
- result = isc_lex_gettoken(lex, options, token);
- if (result == ISC_R_RANGE)
- isc_lex_ungettoken(lex, token);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (eol && ((token->type == isc_tokentype_eol) ||
- (token->type == isc_tokentype_eof)))
- return (ISC_R_SUCCESS);
- if (token->type == isc_tokentype_string &&
- expect == isc_tokentype_qstring)
- return (ISC_R_SUCCESS);
- if (token->type != expect) {
- isc_lex_ungettoken(lex, token);
- if (token->type == isc_tokentype_eol ||
- token->type == isc_tokentype_eof)
- return (ISC_R_UNEXPECTEDEND);
- if (expect == isc_tokentype_number)
- return (ISC_R_BADNUMBER);
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp) {
- inputsource *source;
- /*
- * Unget the current token.
- */
-
- REQUIRE(VALID_LEX(lex));
- source = HEAD(lex->sources);
- REQUIRE(source != NULL);
- REQUIRE(tokenp != NULL);
- REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
- tokenp->type == isc_tokentype_eof);
-
- UNUSED(tokenp);
-
- isc_buffer_first(source->pushback);
- lex->paren_count = lex->saved_paren_count;
- source->line = source->saved_line;
- source->at_eof = ISC_FALSE;
-}
-
-void
-isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r)
-{
- inputsource *source;
-
- REQUIRE(VALID_LEX(lex));
- source = HEAD(lex->sources);
- REQUIRE(source != NULL);
- REQUIRE(tokenp != NULL);
- REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
- tokenp->type == isc_tokentype_eof);
-
- UNUSED(tokenp);
-
- INSIST(source->ignored <= isc_buffer_consumedlength(source->pushback));
- r->base = (unsigned char *)isc_buffer_base(source->pushback) +
- source->ignored;
- r->length = isc_buffer_consumedlength(source->pushback) -
- source->ignored;
-}
-
-
-char *
-isc_lex_getsourcename(isc_lex_t *lex) {
- inputsource *source;
-
- REQUIRE(VALID_LEX(lex));
- source = HEAD(lex->sources);
-
- if (source == NULL)
- return (NULL);
-
- return (source->name);
-}
-
-unsigned long
-isc_lex_getsourceline(isc_lex_t *lex) {
- inputsource *source;
-
- REQUIRE(VALID_LEX(lex));
- source = HEAD(lex->sources);
-
- if (source == NULL)
- return (0);
-
- return (source->line);
-}
-
-
-isc_result_t
-isc_lex_setsourcename(isc_lex_t *lex, const char *name) {
- inputsource *source;
- char *newname;
-
- REQUIRE(VALID_LEX(lex));
- source = HEAD(lex->sources);
-
- if (source == NULL)
- return(ISC_R_NOTFOUND);
- newname = isc_mem_strdup(lex->mctx, name);
- if (newname == NULL)
- return (ISC_R_NOMEMORY);
- isc_mem_free(lex->mctx, source->name);
- source->name = newname;
- return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-isc_lex_isfile(isc_lex_t *lex) {
- inputsource *source;
-
- REQUIRE(VALID_LEX(lex));
-
- source = HEAD(lex->sources);
-
- if (source == NULL)
- return (ISC_FALSE);
-
- return (source->is_file);
-}
diff --git a/contrib/bind9/lib/isc/lfsr.c b/contrib/bind9/lib/isc/lfsr.c
deleted file mode 100644
index 6d5b7ff82385..000000000000
--- a/contrib/bind9/lib/isc/lfsr.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lfsr.c,v 1.11.2.2.2.6 2005/10/14 01:38:50 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/assertions.h>
-#include <isc/lfsr.h>
-#include <isc/util.h>
-
-#define VALID_LFSR(x) (x != NULL)
-
-void
-isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
- isc_uint32_t tap, unsigned int count,
- isc_lfsrreseed_t reseed, void *arg)
-{
- REQUIRE(VALID_LFSR(lfsr));
- REQUIRE(8 <= bits && bits <= 32);
- REQUIRE(tap != 0);
-
- lfsr->state = state;
- lfsr->bits = bits;
- lfsr->tap = tap;
- lfsr->count = count;
- lfsr->reseed = reseed;
- lfsr->arg = arg;
-
- if (count == 0 && reseed != NULL)
- reseed(lfsr, arg);
- if (lfsr->state == 0)
- lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
-}
-
-/*
- * Return the next state of the lfsr.
- */
-static inline isc_uint32_t
-lfsr_generate(isc_lfsr_t *lfsr)
-{
-
- /*
- * If the previous state is zero, we must fill it with something
- * here, or we will begin to generate an extremely predictable output.
- *
- * First, give the reseed function a crack at it. If the state is
- * still 0, set it to all ones.
- */
- if (lfsr->state == 0) {
- if (lfsr->reseed != NULL)
- lfsr->reseed(lfsr, lfsr->arg);
- if (lfsr->state == 0)
- lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
- }
-
- if (lfsr->state & 0x01) {
- lfsr->state = (lfsr->state >> 1) ^ lfsr->tap;
- return (1);
- } else {
- lfsr->state >>= 1;
- return (0);
- }
-}
-
-void
-isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count)
-{
- unsigned char *p;
- unsigned int bit;
- unsigned int byte;
-
- REQUIRE(VALID_LFSR(lfsr));
- REQUIRE(data != NULL);
- REQUIRE(count > 0);
-
- p = data;
- byte = count;
-
- while (byte--) {
- *p = 0;
- for (bit = 0; bit < 7; bit++) {
- *p |= lfsr_generate(lfsr);
- *p <<= 1;
- }
- *p |= lfsr_generate(lfsr);
- p++;
- }
-
- if (lfsr->count != 0 && lfsr->reseed != NULL) {
- if (lfsr->count <= count * 8)
- lfsr->reseed(lfsr, lfsr->arg);
- else
- lfsr->count -= (count * 8);
- }
-}
-
-static inline isc_uint32_t
-lfsr_skipgenerate(isc_lfsr_t *lfsr, unsigned int skip)
-{
- while (skip--)
- (void)lfsr_generate(lfsr);
-
- (void)lfsr_generate(lfsr);
-
- return (lfsr->state);
-}
-
-/*
- * Skip "skip" states in "lfsr".
- */
-void
-isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip)
-{
- REQUIRE(VALID_LFSR(lfsr));
-
- while (skip--)
- (void)lfsr_generate(lfsr);
-}
-
-/*
- * Skip states in lfsr1 and lfsr2 using the other's current state.
- * Return the final state of lfsr1 ^ lfsr2.
- */
-isc_uint32_t
-isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2)
-{
- isc_uint32_t state1, state2;
- isc_uint32_t skip1, skip2;
-
- REQUIRE(VALID_LFSR(lfsr1));
- REQUIRE(VALID_LFSR(lfsr2));
-
- skip1 = lfsr1->state & 0x01;
- skip2 = lfsr2->state & 0x01;
-
- /* cross-skip. */
- state1 = lfsr_skipgenerate(lfsr1, skip2);
- state2 = lfsr_skipgenerate(lfsr2, skip1);
-
- return (state1 ^ state2);
-}
diff --git a/contrib/bind9/lib/isc/lib.c b/contrib/bind9/lib/isc/lib.c
deleted file mode 100644
index fa30abf13a19..000000000000
--- a/contrib/bind9/lib/isc/lib.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.c,v 1.8.12.3 2004/03/08 09:04:49 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-
-#include <isc/once.h>
-#include <isc/msgs.h>
-#include <isc/lib.h>
-
-/***
- *** Globals
- ***/
-
-LIBISC_EXTERNAL_DATA isc_msgcat_t * isc_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t msgcat_once = ISC_ONCE_INIT;
-
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
- isc_msgcat_open("libisc.cat", &isc_msgcat);
-}
-
-void
-isc_lib_initmsgcat(void) {
- isc_result_t result;
-
- /*
- * Initialize the ISC library's message catalog, isc_msgcat, if it
- * has not already been initialized.
- */
-
- result = isc_once_do(&msgcat_once, open_msgcat);
- if (result != ISC_R_SUCCESS) {
- /*
- * Normally we'd use RUNTIME_CHECK() or FATAL_ERROR(), but
- * we can't do that here, since they might call us!
- * (Note that the catalog might be open anyway, so we might
- * as well try to provide an internationalized message.)
- */
- fprintf(stderr, "%s:%d: %s: isc_once_do() %s.\n",
- __FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FATALERROR, "fatal error"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- abort();
- }
-}
diff --git a/contrib/bind9/lib/isc/log.c b/contrib/bind9/lib/isc/log.c
deleted file mode 100644
index 247b25339d26..000000000000
--- a/contrib/bind9/lib/isc/log.c
+++ /dev/null
@@ -1,1753 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.c,v 1.70.2.8.2.12 2004/06/11 00:35:38 marka Exp $ */
-
-/* Principal Authors: DCL */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <limits.h>
-#include <time.h>
-
-#include <sys/types.h> /* dev_t FreeBSD 2.1 */
-
-#include <isc/dir.h>
-#include <isc/file.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/print.h>
-#include <isc/stat.h>
-#include <isc/stdio.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#define LCTX_MAGIC ISC_MAGIC('L', 'c', 't', 'x')
-#define VALID_CONTEXT(lctx) ISC_MAGIC_VALID(lctx, LCTX_MAGIC)
-
-#define LCFG_MAGIC ISC_MAGIC('L', 'c', 'f', 'g')
-#define VALID_CONFIG(lcfg) ISC_MAGIC_VALID(lcfg, LCFG_MAGIC)
-
-/*
- * XXXDCL make dynamic?
- */
-#define LOG_BUFFER_SIZE (8 * 1024)
-
-#ifndef PATH_MAX
-#define PATH_MAX 1024 /* AIX and others don't define this. */
-#endif
-
-/*
- * This is the structure that holds each named channel. A simple linked
- * list chains all of the channels together, so an individual channel is
- * found by doing strcmp()s with the names down the list. Their should
- * be no peformance penalty from this as it is expected that the number
- * of named channels will be no more than a dozen or so, and name lookups
- * from the head of the list are only done when isc_log_usechannel() is
- * called, which should also be very infrequent.
- */
-typedef struct isc_logchannel isc_logchannel_t;
-
-struct isc_logchannel {
- char * name;
- unsigned int type;
- int level;
- unsigned int flags;
- isc_logdestination_t destination;
- ISC_LINK(isc_logchannel_t) link;
-};
-
-/*
- * The logchannellist structure associates categories and modules with
- * channels. First the appropriate channellist is found based on the
- * category, and then each structure in the linked list is checked for
- * a matching module. It is expected that the number of channels
- * associated with any given category will be very short, no more than
- * three or four in the more unusual cases.
- */
-typedef struct isc_logchannellist isc_logchannellist_t;
-
-struct isc_logchannellist {
- const isc_logmodule_t * module;
- isc_logchannel_t * channel;
- ISC_LINK(isc_logchannellist_t) link;
-};
-
-/*
- * This structure is used to remember messages for pruning via
- * isc_log_[v]write1().
- */
-typedef struct isc_logmessage isc_logmessage_t;
-
-struct isc_logmessage {
- char * text;
- isc_time_t time;
- ISC_LINK(isc_logmessage_t) link;
-};
-
-/*
- * The isc_logconfig structure is used to store the configurable information
- * about where messages are actually supposed to be sent -- the information
- * that could changed based on some configuration file, as opposed to the
- * the category/module specification of isc_log_[v]write[1] that is compiled
- * into a program, or the debug_level which is dynamic state information.
- */
-struct isc_logconfig {
- unsigned int magic;
- isc_log_t * lctx;
- ISC_LIST(isc_logchannel_t) channels;
- ISC_LIST(isc_logchannellist_t) *channellists;
- unsigned int channellist_count;
- unsigned int duplicate_interval;
- int highest_level;
- char * tag;
- isc_boolean_t dynamic;
-};
-
-/*
- * This isc_log structure provides the context for the isc_log functions.
- * The log context locks itself in isc_log_doit, the internal backend to
- * isc_log_write. The locking is necessary both to provide exclusive access
- * to the the buffer into which the message is formatted and to guard against
- * competing threads trying to write to the same syslog resource. (On
- * some systems, such as BSD/OS, stdio is thread safe but syslog is not.)
- * Unfortunately, the lock cannot guard against a _different_ logging
- * context in the same program competing for syslog's attention. Thus
- * There Can Be Only One, but this is not enforced.
- * XXXDCL enforce it?
- *
- * Note that the category and module information is not locked.
- * This is because in the usual case, only one isc_log_t is ever created
- * in a program, and the category/module registration happens only once.
- * XXXDCL it might be wise to add more locking overall.
- */
-struct isc_log {
- /* Not locked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_logcategory_t * categories;
- unsigned int category_count;
- isc_logmodule_t * modules;
- unsigned int module_count;
- int debug_level;
- isc_mutex_t lock;
- /* Locked by isc_log lock. */
- isc_logconfig_t * logconfig;
- char buffer[LOG_BUFFER_SIZE];
- ISC_LIST(isc_logmessage_t) messages;
-};
-
-/*
- * Used when ISC_LOG_PRINTLEVEL is enabled for a channel.
- */
-static const char *log_level_strings[] = {
- "debug",
- "info",
- "notice",
- "warning",
- "error",
- "critical"
-};
-
-/*
- * Used to convert ISC_LOG_* priorities into syslog priorities.
- * XXXDCL This will need modification for NT.
- */
-static const int syslog_map[] = {
- LOG_DEBUG,
- LOG_INFO,
- LOG_NOTICE,
- LOG_WARNING,
- LOG_ERR,
- LOG_CRIT
-};
-
-/*
- * When adding new categories, a corresponding ISC_LOGCATEGORY_foo
- * definition needs to be added to <isc/log.h>.
- *
- * The default category is provided so that the internal default can
- * be overridden. Since the default is always looked up as the first
- * channellist in the log context, it must come first in isc_categories[].
- */
-LIBISC_EXTERNAL_DATA isc_logcategory_t isc_categories[] = {
- { "default", 0 }, /* "default" must come first. */
- { "general", 0 },
- { NULL, 0 }
-};
-
-/*
- * See above comment for categories, and apply it to modules.
- */
-LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
- { "socket", 0 },
- { "time", 0 },
- { "interface", 0 },
- { "timer", 0 },
- { NULL, 0 }
-};
-
-/*
- * This essentially constant structure must be filled in at run time,
- * because its channel member is pointed to a channel that is created
- * dynamically with isc_log_createchannel.
- */
-static isc_logchannellist_t default_channel;
-
-/*
- * libisc logs to this context.
- */
-LIBISC_EXTERNAL_DATA isc_log_t *isc_lctx = NULL;
-
-/*
- * Forward declarations.
- */
-static isc_result_t
-assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
- const isc_logmodule_t *module, isc_logchannel_t *channel);
-
-static isc_result_t
-sync_channellist(isc_logconfig_t *lcfg);
-
-static isc_result_t
-greatest_version(isc_logchannel_t *channel, int *greatest);
-
-static isc_result_t
-roll_log(isc_logchannel_t *channel);
-
-static void
-isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, isc_boolean_t write_once,
- isc_msgcat_t *msgcat, int msgset, int msg,
- const char *format, va_list args)
- ISC_FORMAT_PRINTF(9, 0);
-
-/*
- * Convenience macros.
- */
-
-#define FACILITY(channel) (channel->destination.facility)
-#define FILE_NAME(channel) (channel->destination.file.name)
-#define FILE_STREAM(channel) (channel->destination.file.stream)
-#define FILE_VERSIONS(channel) (channel->destination.file.versions)
-#define FILE_MAXSIZE(channel) (channel->destination.file.maximum_size)
-#define FILE_MAXREACHED(channel) (channel->destination.file.maximum_reached)
-
-/****
- **** Public interfaces.
- ****/
-
-/*
- * Establish a new logging context, with default channels.
- */
-isc_result_t
-isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp) {
- isc_log_t *lctx;
- isc_logconfig_t *lcfg = NULL;
- isc_result_t result;
-
- REQUIRE(mctx != NULL);
- REQUIRE(lctxp != NULL && *lctxp == NULL);
- REQUIRE(lcfgp == NULL || *lcfgp == NULL);
-
- lctx = isc_mem_get(mctx, sizeof(*lctx));
- if (lctx != NULL) {
- lctx->mctx = mctx;
- lctx->categories = NULL;
- lctx->category_count = 0;
- lctx->modules = NULL;
- lctx->module_count = 0;
- lctx->debug_level = 0;
-
- ISC_LIST_INIT(lctx->messages);
-
- RUNTIME_CHECK(isc_mutex_init(&lctx->lock) == ISC_R_SUCCESS);
-
- /*
- * Normally setting the magic number is the last step done
- * in a creation function, but a valid log context is needed
- * by isc_log_registercategories and isc_logconfig_create.
- * If either fails, the lctx is destroyed and not returned
- * to the caller.
- */
- lctx->magic = LCTX_MAGIC;
-
- isc_log_registercategories(lctx, isc_categories);
- isc_log_registermodules(lctx, isc_modules);
- result = isc_logconfig_create(lctx, &lcfg);
-
- } else
- result = ISC_R_NOMEMORY;
-
- if (result == ISC_R_SUCCESS)
- result = sync_channellist(lcfg);
-
- if (result == ISC_R_SUCCESS) {
- lctx->logconfig = lcfg;
-
- *lctxp = lctx;
- if (lcfgp != NULL)
- *lcfgp = lcfg;
-
- } else {
- if (lcfg != NULL)
- isc_logconfig_destroy(&lcfg);
- if (lctx != NULL)
- isc_log_destroy(&lctx);
- }
-
- return (result);
-}
-
-isc_result_t
-isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp) {
- isc_logconfig_t *lcfg;
- isc_logdestination_t destination;
- isc_result_t result = ISC_R_SUCCESS;
- int level = ISC_LOG_INFO;
-
- REQUIRE(lcfgp != NULL && *lcfgp == NULL);
- REQUIRE(VALID_CONTEXT(lctx));
-
- lcfg = isc_mem_get(lctx->mctx, sizeof(*lcfg));
-
- if (lcfg != NULL) {
- lcfg->lctx = lctx;
- lcfg->channellists = NULL;
- lcfg->channellist_count = 0;
- lcfg->duplicate_interval = 0;
- lcfg->highest_level = level;
- lcfg->tag = NULL;
- lcfg->dynamic = ISC_FALSE;
-
- ISC_LIST_INIT(lcfg->channels);
-
- /*
- * Normally the magic number is the last thing set in the
- * structure, but isc_log_createchannel() needs a valid
- * config. If the channel creation fails, the lcfg is not
- * returned to the caller.
- */
- lcfg->magic = LCFG_MAGIC;
-
- } else
- result = ISC_R_NOMEMORY;
-
- /*
- * Create the default channels:
- * default_syslog, default_stderr, default_debug and null.
- */
- if (result == ISC_R_SUCCESS) {
- destination.facility = LOG_DAEMON;
- result = isc_log_createchannel(lcfg, "default_syslog",
- ISC_LOG_TOSYSLOG, level,
- &destination, 0);
- }
-
- if (result == ISC_R_SUCCESS) {
- destination.file.stream = stderr;
- destination.file.name = NULL;
- destination.file.versions = ISC_LOG_ROLLNEVER;
- destination.file.maximum_size = 0;
- result = isc_log_createchannel(lcfg, "default_stderr",
- ISC_LOG_TOFILEDESC,
- level,
- &destination,
- ISC_LOG_PRINTTIME);
- }
-
- if (result == ISC_R_SUCCESS) {
- /*
- * Set the default category's channel to default_stderr,
- * which is at the head of the channels list because it was
- * just created.
- */
- default_channel.channel = ISC_LIST_HEAD(lcfg->channels);
-
- destination.file.stream = stderr;
- destination.file.name = NULL;
- destination.file.versions = ISC_LOG_ROLLNEVER;
- destination.file.maximum_size = 0;
- result = isc_log_createchannel(lcfg, "default_debug",
- ISC_LOG_TOFILEDESC,
- ISC_LOG_DYNAMIC,
- &destination,
- ISC_LOG_PRINTTIME);
- }
-
- if (result == ISC_R_SUCCESS)
- result = isc_log_createchannel(lcfg, "null",
- ISC_LOG_TONULL,
- ISC_LOG_DYNAMIC,
- NULL, 0);
-
- if (result == ISC_R_SUCCESS)
- *lcfgp = lcfg;
-
- else
- if (lcfg != NULL)
- isc_logconfig_destroy(&lcfg);
-
- return (result);
-}
-
-isc_logconfig_t *
-isc_logconfig_get(isc_log_t *lctx) {
- REQUIRE(VALID_CONTEXT(lctx));
-
- ENSURE(lctx->logconfig != NULL);
-
- return (lctx->logconfig);
-}
-
-isc_result_t
-isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg) {
- isc_logconfig_t *old_cfg;
- isc_result_t result;
-
- REQUIRE(VALID_CONTEXT(lctx));
- REQUIRE(VALID_CONFIG(lcfg));
- REQUIRE(lcfg->lctx == lctx);
-
- /*
- * Ensure that lcfg->channellist_count == lctx->category_count.
- * They won't be equal if isc_log_usechannel has not been called
- * since any call to isc_log_registercategories.
- */
- result = sync_channellist(lcfg);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- LOCK(&lctx->lock);
-
- old_cfg = lctx->logconfig;
- lctx->logconfig = lcfg;
-
- UNLOCK(&lctx->lock);
-
- isc_logconfig_destroy(&old_cfg);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_log_destroy(isc_log_t **lctxp) {
- isc_log_t *lctx;
- isc_logconfig_t *lcfg;
- isc_mem_t *mctx;
- isc_logmessage_t *message;
-
- REQUIRE(lctxp != NULL && VALID_CONTEXT(*lctxp));
-
- lctx = *lctxp;
- mctx = lctx->mctx;
-
- if (lctx->logconfig != NULL) {
- lcfg = lctx->logconfig;
- lctx->logconfig = NULL;
- isc_logconfig_destroy(&lcfg);
- }
-
- DESTROYLOCK(&lctx->lock);
-
- while ((message = ISC_LIST_HEAD(lctx->messages)) != NULL) {
- ISC_LIST_UNLINK(lctx->messages, message, link);
-
- isc_mem_put(mctx, message,
- sizeof(*message) + strlen(message->text) + 1);
- }
-
- lctx->buffer[0] = '\0';
- lctx->debug_level = 0;
- lctx->categories = NULL;
- lctx->category_count = 0;
- lctx->modules = NULL;
- lctx->module_count = 0;
- lctx->mctx = NULL;
- lctx->magic = 0;
-
- isc_mem_put(mctx, lctx, sizeof(*lctx));
-
- *lctxp = NULL;
-}
-
-void
-isc_logconfig_destroy(isc_logconfig_t **lcfgp) {
- isc_logconfig_t *lcfg;
- isc_mem_t *mctx;
- isc_logchannel_t *channel;
- isc_logchannellist_t *item;
- char *filename;
- unsigned int i;
-
- REQUIRE(lcfgp != NULL && VALID_CONFIG(*lcfgp));
-
- lcfg = *lcfgp;
-
- /*
- * This function cannot be called with a logconfig that is in
- * use by a log context.
- */
- REQUIRE(lcfg->lctx != NULL && lcfg->lctx->logconfig != lcfg);
-
- mctx = lcfg->lctx->mctx;
-
- while ((channel = ISC_LIST_HEAD(lcfg->channels)) != NULL) {
- ISC_LIST_UNLINK(lcfg->channels, channel, link);
-
- if (channel->type == ISC_LOG_TOFILE) {
- /*
- * The filename for the channel may have ultimately
- * started its life in user-land as a const string,
- * but in isc_log_createchannel it gets copied
- * into writable memory and is not longer truly const.
- */
- DE_CONST(FILE_NAME(channel), filename);
- isc_mem_free(mctx, filename);
-
- if (FILE_STREAM(channel) != NULL)
- (void)fclose(FILE_STREAM(channel));
- }
-
- isc_mem_free(mctx, channel->name);
- isc_mem_put(mctx, channel, sizeof(*channel));
- }
-
- for (i = 0; i < lcfg->channellist_count; i++)
- while ((item = ISC_LIST_HEAD(lcfg->channellists[i])) != NULL) {
- ISC_LIST_UNLINK(lcfg->channellists[i], item, link);
- isc_mem_put(mctx, item, sizeof(*item));
- }
-
- if (lcfg->channellist_count > 0)
- isc_mem_put(mctx, lcfg->channellists,
- lcfg->channellist_count *
- sizeof(ISC_LIST(isc_logchannellist_t)));
-
- lcfg->dynamic = ISC_FALSE;
- if (lcfg->tag != NULL)
- isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
- lcfg->tag = NULL;
- lcfg->highest_level = 0;
- lcfg->duplicate_interval = 0;
- lcfg->magic = 0;
-
- isc_mem_put(mctx, lcfg, sizeof(*lcfg));
-
- *lcfgp = NULL;
-}
-
-void
-isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]) {
- isc_logcategory_t *catp;
-
- REQUIRE(VALID_CONTEXT(lctx));
- REQUIRE(categories != NULL && categories[0].name != NULL);
-
- /*
- * XXXDCL This somewhat sleazy situation of using the last pointer
- * in one category array to point to the next array exists because
- * this registration function returns void and I didn't want to have
- * change everything that used it by making it return an isc_result_t.
- * It would need to do that if it had to allocate memory to store
- * pointers to each array passed in.
- */
- if (lctx->categories == NULL)
- lctx->categories = categories;
-
- else {
- /*
- * Adjust the last (NULL) pointer of the already registered
- * categories to point to the incoming array.
- */
- for (catp = lctx->categories; catp->name != NULL; )
- if (catp->id == UINT_MAX)
- /*
- * The name pointer points to the next array.
- * Ick.
- */
- DE_CONST(catp->name, catp);
- else
- catp++;
-
- catp->name = (void *)categories;
- catp->id = UINT_MAX;
- }
-
- /*
- * Update the id number of the category with its new global id.
- */
- for (catp = categories; catp->name != NULL; catp++)
- catp->id = lctx->category_count++;
-}
-
-isc_logcategory_t *
-isc_log_categorybyname(isc_log_t *lctx, const char *name) {
- isc_logcategory_t *catp;
-
- REQUIRE(VALID_CONTEXT(lctx));
- REQUIRE(name != NULL);
-
- for (catp = lctx->categories; catp->name != NULL; )
- if (catp->id == UINT_MAX)
- /*
- * catp is neither modified nor returned to the
- * caller, so removing its const qualifier is ok.
- */
- DE_CONST(catp->name, catp);
- else {
- if (strcmp(catp->name, name) == 0)
- return (catp);
- catp++;
- }
-
- return (NULL);
-}
-
-void
-isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]) {
- isc_logmodule_t *modp;
-
- REQUIRE(VALID_CONTEXT(lctx));
- REQUIRE(modules != NULL && modules[0].name != NULL);
-
- /*
- * XXXDCL This somewhat sleazy situation of using the last pointer
- * in one category array to point to the next array exists because
- * this registration function returns void and I didn't want to have
- * change everything that used it by making it return an isc_result_t.
- * It would need to do that if it had to allocate memory to store
- * pointers to each array passed in.
- */
- if (lctx->modules == NULL)
- lctx->modules = modules;
-
- else {
- /*
- * Adjust the last (NULL) pointer of the already registered
- * modules to point to the incoming array.
- */
- for (modp = lctx->modules; modp->name != NULL; )
- if (modp->id == UINT_MAX)
- /*
- * The name pointer points to the next array.
- * Ick.
- */
- DE_CONST(modp->name, modp);
- else
- modp++;
-
- modp->name = (void *)modules;
- modp->id = UINT_MAX;
- }
-
- /*
- * Update the id number of the module with its new global id.
- */
- for (modp = modules; modp->name != NULL; modp++)
- modp->id = lctx->module_count++;
-}
-
-isc_logmodule_t *
-isc_log_modulebyname(isc_log_t *lctx, const char *name) {
- isc_logmodule_t *modp;
-
- REQUIRE(VALID_CONTEXT(lctx));
- REQUIRE(name != NULL);
-
- for (modp = lctx->modules; modp->name != NULL; )
- if (modp->id == UINT_MAX)
- /*
- * modp is neither modified nor returned to the
- * caller, so removing its const qualifier is ok.
- */
- DE_CONST(modp->name, modp);
- else {
- if (strcmp(modp->name, name) == 0)
- return (modp);
- modp++;
- }
-
- return (NULL);
-}
-
-isc_result_t
-isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
- unsigned int type, int level,
- const isc_logdestination_t *destination,
- unsigned int flags)
-{
- isc_logchannel_t *channel;
- isc_mem_t *mctx;
-
- REQUIRE(VALID_CONFIG(lcfg));
- REQUIRE(name != NULL);
- REQUIRE(type == ISC_LOG_TOSYSLOG || type == ISC_LOG_TOFILE ||
- type == ISC_LOG_TOFILEDESC || type == ISC_LOG_TONULL);
- REQUIRE(destination != NULL || type == ISC_LOG_TONULL);
- REQUIRE(level >= ISC_LOG_CRITICAL);
- REQUIRE((flags &
- (unsigned int)~(ISC_LOG_PRINTALL | ISC_LOG_DEBUGONLY)) == 0);
-
- /* XXXDCL find duplicate names? */
-
- mctx = lcfg->lctx->mctx;
-
- channel = isc_mem_get(mctx, sizeof(*channel));
- if (channel == NULL)
- return (ISC_R_NOMEMORY);
-
- channel->name = isc_mem_strdup(mctx, name);
- if (channel->name == NULL) {
- isc_mem_put(mctx, channel, sizeof(*channel));
- return (ISC_R_NOMEMORY);
- }
-
- channel->type = type;
- channel->level = level;
- channel->flags = flags;
- ISC_LINK_INIT(channel, link);
-
- switch (type) {
- case ISC_LOG_TOSYSLOG:
- FACILITY(channel) = destination->facility;
- break;
-
- case ISC_LOG_TOFILE:
- /*
- * The file name is copied because greatest_version wants
- * to scribble on it, so it needs to be definitely in
- * writable memory.
- */
- FILE_NAME(channel) =
- isc_mem_strdup(mctx, destination->file.name);
- FILE_STREAM(channel) = NULL;
- FILE_VERSIONS(channel) = destination->file.versions;
- FILE_MAXSIZE(channel) = destination->file.maximum_size;
- FILE_MAXREACHED(channel) = ISC_FALSE;
- break;
-
- case ISC_LOG_TOFILEDESC:
- FILE_NAME(channel) = NULL;
- FILE_STREAM(channel) = destination->file.stream;
- FILE_MAXSIZE(channel) = 0;
- FILE_VERSIONS(channel) = ISC_LOG_ROLLNEVER;
- break;
-
- case ISC_LOG_TONULL:
- /* Nothing. */
- break;
-
- default:
- isc_mem_put(mctx, channel->name, strlen(channel->name) + 1);
- isc_mem_put(mctx, channel, sizeof(*channel));
- return (ISC_R_UNEXPECTED);
- }
-
- ISC_LIST_PREPEND(lcfg->channels, channel, link);
-
- /*
- * If default_stderr was redefined, make the default category
- * point to the new default_stderr.
- */
- if (strcmp(name, "default_stderr") == 0)
- default_channel.channel = channel;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
- const isc_logcategory_t *category,
- const isc_logmodule_t *module)
-{
- isc_log_t *lctx;
- isc_logchannel_t *channel;
- isc_result_t result = ISC_R_SUCCESS;
- unsigned int i;
-
- REQUIRE(VALID_CONFIG(lcfg));
- REQUIRE(name != NULL);
-
- lctx = lcfg->lctx;
-
- REQUIRE(category == NULL || category->id < lctx->category_count);
- REQUIRE(module == NULL || module->id < lctx->module_count);
-
- for (channel = ISC_LIST_HEAD(lcfg->channels); channel != NULL;
- channel = ISC_LIST_NEXT(channel, link))
- if (strcmp(name, channel->name) == 0)
- break;
-
- if (channel == NULL)
- return (ISC_R_NOTFOUND);
-
- if (category != NULL)
- result = assignchannel(lcfg, category->id, module, channel);
-
- else
- /*
- * Assign to all categories. Note that this includes
- * the default channel.
- */
- for (i = 0; i < lctx->category_count; i++) {
- result = assignchannel(lcfg, i, module, channel);
- if (result != ISC_R_SUCCESS)
- break;
- }
-
- return (result);
-}
-
-void
-isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *format, ...)
-{
- va_list args;
-
- /*
- * Contract checking is done in isc_log_doit().
- */
-
- va_start(args, format);
- isc_log_doit(lctx, category, module, level, ISC_FALSE,
- NULL, 0, 0, format, args);
- va_end(args);
-}
-
-void
-isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- const char *format, va_list args)
-{
- /*
- * Contract checking is done in isc_log_doit().
- */
- isc_log_doit(lctx, category, module, level, ISC_FALSE,
- NULL, 0, 0, format, args);
-}
-
-void
-isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, const char *format, ...)
-{
- va_list args;
-
- /*
- * Contract checking is done in isc_log_doit().
- */
-
- va_start(args, format);
- isc_log_doit(lctx, category, module, level, ISC_TRUE,
- NULL, 0, 0, format, args);
- va_end(args);
-}
-
-void
-isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- const char *format, va_list args)
-{
- /*
- * Contract checking is done in isc_log_doit().
- */
- isc_log_doit(lctx, category, module, level, ISC_TRUE,
- NULL, 0, 0, format, args);
-}
-
-void
-isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int msg,
- const char *format, ...)
-{
- va_list args;
-
- /*
- * Contract checking is done in isc_log_doit().
- */
-
- va_start(args, format);
- isc_log_doit(lctx, category, module, level, ISC_FALSE,
- msgcat, msgset, msg, format, args);
- va_end(args);
-}
-
-void
-isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int msg,
- const char *format, va_list args)
-{
- /*
- * Contract checking is done in isc_log_doit().
- */
- isc_log_doit(lctx, category, module, level, ISC_FALSE,
- msgcat, msgset, msg, format, args);
-}
-
-void
-isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int msg,
- const char *format, ...)
-{
- va_list args;
-
- /*
- * Contract checking is done in isc_log_doit().
- */
-
- va_start(args, format);
- isc_log_doit(lctx, category, module, level, ISC_TRUE,
- msgcat, msgset, msg, format, args);
- va_end(args);
-}
-
-void
-isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int msg,
- const char *format, va_list args)
-{
- /*
- * Contract checking is done in isc_log_doit().
- */
- isc_log_doit(lctx, category, module, level, ISC_TRUE,
- msgcat, msgset, msg, format, args);
-}
-
-void
-isc_log_setcontext(isc_log_t *lctx) {
- isc_lctx = lctx;
-}
-
-void
-isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level) {
- isc_logchannel_t *channel;
-
- REQUIRE(VALID_CONTEXT(lctx));
-
- LOCK(&lctx->lock);
-
- lctx->debug_level = level;
- /*
- * Close ISC_LOG_DEBUGONLY channels if level is zero.
- */
- if (lctx->debug_level == 0)
- for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
- channel != NULL;
- channel = ISC_LIST_NEXT(channel, link))
- if (channel->type == ISC_LOG_TOFILE &&
- (channel->flags & ISC_LOG_DEBUGONLY) != 0 &&
- FILE_STREAM(channel) != NULL) {
- (void)fclose(FILE_STREAM(channel));
- FILE_STREAM(channel) = NULL;
- }
- UNLOCK(&lctx->lock);
-}
-
-unsigned int
-isc_log_getdebuglevel(isc_log_t *lctx) {
- REQUIRE(VALID_CONTEXT(lctx));
-
- return (lctx->debug_level);
-}
-
-void
-isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval) {
- REQUIRE(VALID_CONFIG(lcfg));
-
- lcfg->duplicate_interval = interval;
-}
-
-unsigned int
-isc_log_getduplicateinterval(isc_logconfig_t *lcfg) {
- REQUIRE(VALID_CONTEXT(lcfg));
-
- return (lcfg->duplicate_interval);
-}
-
-isc_result_t
-isc_log_settag(isc_logconfig_t *lcfg, const char *tag) {
- REQUIRE(VALID_CONFIG(lcfg));
-
- if (tag != NULL && *tag != '\0') {
- if (lcfg->tag != NULL)
- isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
- lcfg->tag = isc_mem_strdup(lcfg->lctx->mctx, tag);
- if (lcfg->tag == NULL)
- return (ISC_R_NOMEMORY);
-
- } else {
- if (lcfg->tag != NULL)
- isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
- lcfg->tag = NULL;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-char *
-isc_log_gettag(isc_logconfig_t *lcfg) {
- REQUIRE(VALID_CONFIG(lcfg));
-
- return (lcfg->tag);
-}
-
-/* XXXDCL NT -- This interface will assuredly be changing. */
-void
-isc_log_opensyslog(const char *tag, int options, int facility) {
- (void)openlog(tag, options, facility);
-}
-
-void
-isc_log_closefilelogs(isc_log_t *lctx) {
- isc_logchannel_t *channel;
-
- REQUIRE(VALID_CONTEXT(lctx));
-
- LOCK(&lctx->lock);
- for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
- channel != NULL;
- channel = ISC_LIST_NEXT(channel, link))
-
- if (channel->type == ISC_LOG_TOFILE &&
- FILE_STREAM(channel) != NULL) {
- (void)fclose(FILE_STREAM(channel));
- FILE_STREAM(channel) = NULL;
- }
- UNLOCK(&lctx->lock);
-}
-
-/****
- **** Internal functions
- ****/
-
-static isc_result_t
-assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
- const isc_logmodule_t *module, isc_logchannel_t *channel)
-{
- isc_logchannellist_t *new_item;
- isc_log_t *lctx;
- isc_result_t result;
-
- REQUIRE(VALID_CONFIG(lcfg));
-
- lctx = lcfg->lctx;
-
- REQUIRE(category_id < lctx->category_count);
- REQUIRE(module == NULL || module->id < lctx->module_count);
- REQUIRE(channel != NULL);
-
- /*
- * Ensure lcfg->channellist_count == lctx->category_count.
- */
- result = sync_channellist(lcfg);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- new_item = isc_mem_get(lctx->mctx, sizeof(*new_item));
- if (new_item == NULL)
- return (ISC_R_NOMEMORY);
-
- new_item->channel = channel;
- new_item->module = module;
- ISC_LIST_INITANDPREPEND(lcfg->channellists[category_id],
- new_item, link);
-
- /*
- * Remember the highest logging level set by any channel in the
- * logging config, so isc_log_doit() can quickly return if the
- * message is too high to be logged by any channel.
- */
- if (channel->type != ISC_LOG_TONULL) {
- if (lcfg->highest_level < channel->level)
- lcfg->highest_level = channel->level;
- if (channel->level == ISC_LOG_DYNAMIC)
- lcfg->dynamic = ISC_TRUE;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * This would ideally be part of isc_log_registercategories(), except then
- * that function would have to return isc_result_t instead of void.
- */
-static isc_result_t
-sync_channellist(isc_logconfig_t *lcfg) {
- unsigned int bytes;
- isc_log_t *lctx;
- void *lists;
-
- REQUIRE(VALID_CONFIG(lcfg));
-
- lctx = lcfg->lctx;
-
- REQUIRE(lctx->category_count != 0);
-
- if (lctx->category_count == lcfg->channellist_count)
- return (ISC_R_SUCCESS);
-
- bytes = lctx->category_count * sizeof(ISC_LIST(isc_logchannellist_t));
-
- lists = isc_mem_get(lctx->mctx, bytes);
-
- if (lists == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(lists, 0, bytes);
-
- if (lcfg->channellist_count != 0) {
- bytes = lcfg->channellist_count *
- sizeof(ISC_LIST(isc_logchannellist_t));
- memcpy(lists, lcfg->channellists, bytes);
- isc_mem_put(lctx->mctx, lcfg->channellists, bytes);
- }
-
- lcfg->channellists = lists;
- lcfg->channellist_count = lctx->category_count;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-greatest_version(isc_logchannel_t *channel, int *greatestp) {
- /* XXXDCL HIGHLY NT */
- char *basename, *digit_end;
- const char *dirname;
- int version, greatest = -1;
- unsigned int basenamelen;
- isc_dir_t dir;
- isc_result_t result;
- char sep = '/';
-#ifdef _WIN32
- char *basename2;
-#endif
-
- REQUIRE(channel->type == ISC_LOG_TOFILE);
-
- /*
- * It is safe to DE_CONST the file.name because it was copied
- * with isc_mem_strdup in isc_log_createchannel.
- */
- basename = strrchr(FILE_NAME(channel), sep);
-#ifdef _WIN32
- basename2 = strrchr(FILE_NAME(channel), '\\');
- if ((basename != NULL && basename2 != NULL && basename2 > basename) ||
- (basename == NULL && basename2 != NULL)) {
- basename = basename2;
- sep = '\\';
- }
-#endif
- if (basename != NULL) {
- *basename++ = '\0';
- dirname = FILE_NAME(channel);
- } else {
- DE_CONST(FILE_NAME(channel), basename);
- dirname = ".";
- }
- basenamelen = strlen(basename);
-
- isc_dir_init(&dir);
- result = isc_dir_open(&dir, dirname);
-
- /*
- * Replace the file separator if it was taken out.
- */
- if (basename != FILE_NAME(channel))
- *(basename - 1) = sep;
-
- /*
- * Return if the directory open failed.
- */
- if (result != ISC_R_SUCCESS)
- return (result);
-
- while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
- if (dir.entry.length > basenamelen &&
- strncmp(dir.entry.name, basename, basenamelen) == 0 &&
- dir.entry.name[basenamelen] == '.') {
-
- version = strtol(&dir.entry.name[basenamelen + 1],
- &digit_end, 10);
- if (*digit_end == '\0' && version > greatest)
- greatest = version;
- }
- }
- isc_dir_close(&dir);
-
- *greatestp = ++greatest;
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-roll_log(isc_logchannel_t *channel) {
- int i, n, greatest;
- char current[PATH_MAX + 1];
- char new[PATH_MAX + 1];
- const char *path;
- isc_result_t result;
-
- /*
- * Do nothing (not even excess version trimming) if ISC_LOG_ROLLNEVER
- * is specified. Apparently complete external control over the log
- * files is desired.
- */
- if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER)
- return (ISC_R_SUCCESS);
-
- path = FILE_NAME(channel);
-
- /*
- * Set greatest_version to the greatest existing version
- * (not the maximum requested version). This is 1 based even
- * though the file names are 0 based, so an oldest log of log.1
- * is a greatest_version of 2.
- */
- result = greatest_version(channel, &greatest);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Now greatest should be set to the highest version number desired.
- * Since the highest number is one less than FILE_VERSIONS(channel)
- * when not doing infinite log rolling, greatest will need to be
- * decremented when it is equal to -- or greater than --
- * FILE_VERSIONS(channel). When greatest is less than
- * FILE_VERSIONS(channel), it is already suitable for use as
- * the maximum version number.
- */
-
- if (FILE_VERSIONS(channel) == ISC_LOG_ROLLINFINITE ||
- FILE_VERSIONS(channel) > greatest)
- ; /* Do nothing. */
- else
- /*
- * When greatest is >= FILE_VERSIONS(channel), it needs to
- * be reduced until it is FILE_VERSIONS(channel) - 1.
- * Remove any excess logs on the way to that value.
- */
- while (--greatest >= FILE_VERSIONS(channel)) {
- n = snprintf(current, sizeof(current), "%s.%d",
- path, greatest);
- if (n >= (int)sizeof(current) || n < 0)
- result = ISC_R_NOSPACE;
- else
- result = isc_file_remove(current);
- if (result != ISC_R_SUCCESS &&
- result != ISC_R_FILENOTFOUND)
- syslog(LOG_ERR,
- "unable to remove log file '%s.%d': %s",
- path, greatest,
- isc_result_totext(result));
- }
-
- for (i = greatest; i > 0; i--) {
- result = ISC_R_SUCCESS;
- n = snprintf(current, sizeof(current), "%s.%d", path, i - 1);
- if (n >= (int)sizeof(current) || n < 0)
- result = ISC_R_NOSPACE;
- if (result == ISC_R_SUCCESS) {
- n = snprintf(new, sizeof(new), "%s.%d", path, i);
- if (n >= (int)sizeof(new) || n < 0)
- result = ISC_R_NOSPACE;
- }
- if (result == ISC_R_SUCCESS)
- result = isc_file_rename(current, new);
- if (result != ISC_R_SUCCESS &&
- result != ISC_R_FILENOTFOUND)
- syslog(LOG_ERR,
- "unable to rename log file '%s.%d' to "
- "'%s.%d': %s", path, i - 1, path, i,
- isc_result_totext(result));
- }
-
- if (FILE_VERSIONS(channel) != 0) {
- n = snprintf(new, sizeof(new), "%s.0", path);
- if (n >= (int)sizeof(new) || n < 0)
- result = ISC_R_NOSPACE;
- else
- result = isc_file_rename(path, new);
- if (result != ISC_R_SUCCESS &&
- result != ISC_R_FILENOTFOUND)
- syslog(LOG_ERR,
- "unable to rename log file '%s' to '%s.0': %s",
- path, path, isc_result_totext(result));
- } else {
- result = isc_file_remove(path);
- if (result != ISC_R_SUCCESS &&
- result != ISC_R_FILENOTFOUND)
- syslog(LOG_ERR, "unable to remove log file '%s': %s",
- path, isc_result_totext(result));
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-isc_log_open(isc_logchannel_t *channel) {
- struct stat statbuf;
- isc_boolean_t regular_file;
- isc_boolean_t roll = ISC_FALSE;
- isc_result_t result = ISC_R_SUCCESS;
- const char *path;
-
- REQUIRE(channel->type == ISC_LOG_TOFILE);
- REQUIRE(FILE_STREAM(channel) == NULL);
-
- path = FILE_NAME(channel);
-
- REQUIRE(path != NULL && *path != '\0');
-
- /*
- * Determine type of file; only regular files will be
- * version renamed, and only if the base file exists
- * and either has no size limit or has reached its size limit.
- */
- if (stat(path, &statbuf) == 0) {
- regular_file = S_ISREG(statbuf.st_mode) ? ISC_TRUE : ISC_FALSE;
- /* XXXDCL if not regular_file complain? */
- if ((FILE_MAXSIZE(channel) == 0 &&
- FILE_VERSIONS(channel) != ISC_LOG_ROLLNEVER) ||
- (FILE_MAXSIZE(channel) > 0 &&
- statbuf.st_size >= FILE_MAXSIZE(channel)))
- roll = regular_file;
- } else if (errno == ENOENT)
- regular_file = ISC_TRUE;
- else
- result = ISC_R_INVALIDFILE;
-
- /*
- * Version control.
- */
- if (result == ISC_R_SUCCESS && roll) {
- if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER)
- return (ISC_R_MAXSIZE);
- result = roll_log(channel);
- if (result != ISC_R_SUCCESS) {
- if ((channel->flags & ISC_LOG_OPENERR) == 0) {
- syslog(LOG_ERR,
- "isc_log_open: roll_log '%s' "
- "failed: %s",
- FILE_NAME(channel),
- isc_result_totext(result));
- channel->flags |= ISC_LOG_OPENERR;
- }
- return (result);
- }
- }
-
- result = isc_stdio_open(path, "a", &FILE_STREAM(channel));
-
- return (result);
-}
-
-isc_boolean_t
-isc_log_wouldlog(isc_log_t *lctx, int level) {
- /*
- * Try to avoid locking the mutex for messages which can't
- * possibly be logged to any channels -- primarily debugging
- * messages that the debug level is not high enough to print.
- *
- * If the level is (mathematically) less than or equal to the
- * highest_level, or if there is a dynamic channel and the level is
- * less than or equal to the debug level, the main loop must be
- * entered to see if the message should really be output.
- *
- * NOTE: this is UNLOCKED access to the logconfig. However,
- * the worst thing that can happen is that a bad decision is made
- * about returning without logging, and that's not a big concern,
- * because that's a risk anyway if the logconfig is being
- * dynamically changed.
- */
-
- if (lctx == NULL || lctx->logconfig == NULL)
- return (ISC_FALSE);
-
- return (ISC_TF(level <= lctx->logconfig->highest_level ||
- (lctx->logconfig->dynamic &&
- level <= lctx->debug_level)));
-}
-
-static void
-isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
- isc_logmodule_t *module, int level, isc_boolean_t write_once,
- isc_msgcat_t *msgcat, int msgset, int msg,
- const char *format, va_list args)
-{
- int syslog_level;
- char time_string[64];
- char level_string[24];
- const char *iformat;
- struct stat statbuf;
- isc_boolean_t matched = ISC_FALSE;
- isc_boolean_t printtime, printtag;
- isc_boolean_t printcategory, printmodule, printlevel;
- isc_logconfig_t *lcfg;
- isc_logchannel_t *channel;
- isc_logchannellist_t *category_channels;
- isc_result_t result;
-
- REQUIRE(lctx == NULL || VALID_CONTEXT(lctx));
- REQUIRE(category != NULL);
- REQUIRE(module != NULL);
- REQUIRE(level != ISC_LOG_DYNAMIC);
- REQUIRE(format != NULL);
-
- /*
- * Programs can use libraries that use this logging code without
- * wanting to do any logging, thus the log context is allowed to
- * be non-existent.
- */
- if (lctx == NULL)
- return;
-
- REQUIRE(category->id < lctx->category_count);
- REQUIRE(module->id < lctx->module_count);
-
- if (! isc_log_wouldlog(lctx, level))
- return;
-
- if (msgcat != NULL)
- iformat = isc_msgcat_get(msgcat, msgset, msg, format);
- else
- iformat = format;
-
- time_string[0] = '\0';
- level_string[0] = '\0';
-
- LOCK(&lctx->lock);
-
- lctx->buffer[0] = '\0';
-
- lcfg = lctx->logconfig;
-
- category_channels = ISC_LIST_HEAD(lcfg->channellists[category->id]);
-
- /*
- * XXXDCL add duplicate filtering? (To not write multiple times to
- * the same source via various channels).
- */
- do {
- /*
- * If the channel list end was reached and a match was made,
- * everything is finished.
- */
- if (category_channels == NULL && matched)
- break;
-
- if (category_channels == NULL && ! matched &&
- category_channels != ISC_LIST_HEAD(lcfg->channellists[0]))
- /*
- * No category/module pair was explicitly configured.
- * Try the category named "default".
- */
- category_channels =
- ISC_LIST_HEAD(lcfg->channellists[0]);
-
- if (category_channels == NULL && ! matched)
- /*
- * No matching module was explicitly configured
- * for the category named "default". Use the internal
- * default channel.
- */
- category_channels = &default_channel;
-
- if (category_channels->module != NULL &&
- category_channels->module != module) {
- category_channels = ISC_LIST_NEXT(category_channels,
- link);
- continue;
- }
-
- matched = ISC_TRUE;
-
- channel = category_channels->channel;
- category_channels = ISC_LIST_NEXT(category_channels, link);
-
- if (((channel->flags & ISC_LOG_DEBUGONLY) != 0) &&
- lctx->debug_level == 0)
- continue;
-
- if (channel->level == ISC_LOG_DYNAMIC) {
- if (lctx->debug_level < level)
- continue;
- } else if (channel->level < level)
- continue;
-
- if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
- time_string[0] == '\0') {
- isc_time_t isctime;
-
- TIME_NOW(&isctime);
- isc_time_formattimestamp(&isctime, time_string,
- sizeof(time_string));
- }
-
- if ((channel->flags & ISC_LOG_PRINTLEVEL) != 0 &&
- level_string[0] == '\0') {
- if (level < ISC_LOG_CRITICAL)
- snprintf(level_string, sizeof(level_string),
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_LOG,
- ISC_MSG_LEVEL,
- "level %d: "),
- level);
- else if (level > ISC_LOG_DYNAMIC)
- snprintf(level_string, sizeof(level_string),
- "%s %d: ", log_level_strings[0],
- level);
- else
- snprintf(level_string, sizeof(level_string),
- "%s: ", log_level_strings[-level]);
- }
-
- /*
- * Only format the message once.
- */
- if (lctx->buffer[0] == '\0') {
- (void)vsnprintf(lctx->buffer, sizeof(lctx->buffer),
- iformat, args);
-
- /*
- * Check for duplicates.
- */
- if (write_once) {
- isc_logmessage_t *message, *new;
- isc_time_t oldest;
- isc_interval_t interval;
-
- isc_interval_set(&interval,
- lcfg->duplicate_interval, 0);
-
- /*
- * 'oldest' is the age of the oldest messages
- * which fall within the duplicate_interval
- * range.
- */
- TIME_NOW(&oldest);
- if (isc_time_subtract(&oldest, &interval, &oldest)
- != ISC_R_SUCCESS)
- /*
- * Can't effectively do the checking
- * without having a valid time.
- */
- message = NULL;
- else
- message =ISC_LIST_HEAD(lctx->messages);
-
- while (message != NULL) {
- if (isc_time_compare(&message->time,
- &oldest) < 0) {
- /*
- * This message is older
- * than the duplicate_interval,
- * so it should be dropped from
- * the history.
- *
- * Setting the interval to be
- * to be longer will obviously
- * not cause the expired
- * message to spring back into
- * existence.
- */
- new = ISC_LIST_NEXT(message,
- link);
-
- ISC_LIST_UNLINK(lctx->messages,
- message, link);
-
- isc_mem_put(lctx->mctx,
- message,
- sizeof(*message) + 1 +
- strlen(message->text));
-
- message = new;
- continue;
- }
-
- /*
- * This message is in the duplicate
- * filtering interval ...
- */
- if (strcmp(lctx->buffer, message->text)
- == 0) {
- /*
- * ... and it is a duplicate.
- * Unlock the mutex and
- * get the hell out of Dodge.
- */
- UNLOCK(&lctx->lock);
- return;
- }
-
- message = ISC_LIST_NEXT(message, link);
- }
-
- /*
- * It wasn't in the duplicate interval,
- * so add it to the message list.
- */
- new = isc_mem_get(lctx->mctx,
- sizeof(isc_logmessage_t) +
- strlen(lctx->buffer) + 1);
- if (new != NULL) {
- /*
- * Put the text immediately after
- * the struct. The strcpy is safe.
- */
- new->text = (char *)(new + 1);
- strcpy(new->text, lctx->buffer);
-
- TIME_NOW(&new->time);
-
- ISC_LIST_APPEND(lctx->messages,
- new, link);
- }
- }
- }
-
- printtime = ISC_TF((channel->flags & ISC_LOG_PRINTTIME)
- != 0);
- printtag = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
- != 0 && lcfg->tag != NULL);
- printcategory = ISC_TF((channel->flags & ISC_LOG_PRINTCATEGORY)
- != 0);
- printmodule = ISC_TF((channel->flags & ISC_LOG_PRINTMODULE)
- != 0);
- printlevel = ISC_TF((channel->flags & ISC_LOG_PRINTLEVEL)
- != 0);
-
- switch (channel->type) {
- case ISC_LOG_TOFILE:
- if (FILE_MAXREACHED(channel)) {
- /*
- * If the file can be rolled, OR
- * If the file no longer exists, OR
- * If the file is less than the maximum size,
- * (such as if it had been renamed and
- * a new one touched, or it was truncated
- * in place)
- * ... then close it to trigger reopening.
- */
- if (FILE_VERSIONS(channel) !=
- ISC_LOG_ROLLNEVER ||
- (stat(FILE_NAME(channel), &statbuf) != 0 &&
- errno == ENOENT) ||
- statbuf.st_size < FILE_MAXSIZE(channel)) {
- (void)fclose(FILE_STREAM(channel));
- FILE_STREAM(channel) = NULL;
- FILE_MAXREACHED(channel) = ISC_FALSE;
- } else
- /*
- * Eh, skip it.
- */
- break;
- }
-
- if (FILE_STREAM(channel) == NULL) {
- result = isc_log_open(channel);
- if (result != ISC_R_SUCCESS &&
- result != ISC_R_MAXSIZE &&
- (channel->flags & ISC_LOG_OPENERR) == 0) {
- syslog(LOG_ERR,
- "isc_log_open '%s' failed: %s",
- FILE_NAME(channel),
- isc_result_totext(result));
- channel->flags |= ISC_LOG_OPENERR;
- }
- if (result != ISC_R_SUCCESS)
- break;
- channel->flags &= ~ISC_LOG_OPENERR;
- }
- /* FALLTHROUGH */
-
- case ISC_LOG_TOFILEDESC:
- fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s%s\n",
- printtime ? time_string : "",
- printtime ? " " : "",
- printtag ? lcfg->tag : "",
- printtag ? ": " : "",
- printcategory ? category->name : "",
- printcategory ? ": " : "",
- printmodule ? (module != NULL ? module->name
- : "no_module")
- : "",
- printmodule ? ": " : "",
- printlevel ? level_string : "",
- lctx->buffer);
-
- fflush(FILE_STREAM(channel));
-
- /*
- * If the file now exceeds its maximum size
- * threshold, note it so that it will not be logged
- * to any more.
- */
- if (FILE_MAXSIZE(channel) > 0) {
- INSIST(channel->type == ISC_LOG_TOFILE);
-
- /* XXXDCL NT fstat/fileno */
- /* XXXDCL complain if fstat fails? */
- if (fstat(fileno(FILE_STREAM(channel)),
- &statbuf) >= 0 &&
- statbuf.st_size > FILE_MAXSIZE(channel))
- FILE_MAXREACHED(channel) = ISC_TRUE;
- }
-
- break;
-
- case ISC_LOG_TOSYSLOG:
- if (level > 0)
- syslog_level = LOG_DEBUG;
- else if (level < ISC_LOG_CRITICAL)
- syslog_level = LOG_CRIT;
- else
- syslog_level = syslog_map[-level];
-
- (void)syslog(FACILITY(channel) | syslog_level,
- "%s%s%s%s%s%s%s%s%s",
- printtime ? time_string : "",
- printtag ? lcfg->tag : "",
- printtag ? ": " : "",
- printcategory ? category->name : "",
- printcategory ? ": " : "",
- printmodule ? (module != NULL ? module->name
- : "no_module")
- : "",
- printmodule ? ": " : "",
- printlevel ? level_string : "",
- lctx->buffer);
- break;
-
- case ISC_LOG_TONULL:
- break;
-
- }
-
- } while (1);
-
- UNLOCK(&lctx->lock);
-}
diff --git a/contrib/bind9/lib/isc/md5.c b/contrib/bind9/lib/isc/md5.c
deleted file mode 100644
index 863612b9ec2a..000000000000
--- a/contrib/bind9/lib/isc/md5.c
+++ /dev/null
@@ -1,249 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: md5.c,v 1.9.206.1 2004/03/06 08:14:32 marka Exp $ */
-
-/*
- * This code implements the MD5 message-digest algorithm.
- * The algorithm is due to Ron Rivest. This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- */
-
-#include "config.h"
-
-#include <isc/assertions.h>
-#include <isc/md5.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-static void
-byteSwap(isc_uint32_t *buf, unsigned words)
-{
- unsigned char *p = (unsigned char *)buf;
-
- do {
- *buf++ = (isc_uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 |
- ((unsigned)p[1] << 8 | p[0]);
- p += 4;
- } while (--words);
-}
-
-/*
- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
- * initialization constants.
- */
-void
-isc_md5_init(isc_md5_t *ctx) {
- ctx->buf[0] = 0x67452301;
- ctx->buf[1] = 0xefcdab89;
- ctx->buf[2] = 0x98badcfe;
- ctx->buf[3] = 0x10325476;
-
- ctx->bytes[0] = 0;
- ctx->bytes[1] = 0;
-}
-
-void
-isc_md5_invalidate(isc_md5_t *ctx) {
- memset(ctx, 0, sizeof(isc_md5_t));
-}
-
-/* The four core functions - F1 is optimized somewhat */
-
-/* #define F1(x, y, z) (x & y | ~x & z) */
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-
-/* This is the central step in the MD5 algorithm. */
-#define MD5STEP(f,w,x,y,z,in,s) \
- (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x)
-
-/*
- * The core of the MD5 algorithm, this alters an existing MD5 hash to
- * reflect the addition of 16 longwords of new data. MD5Update blocks
- * the data and converts bytes into longwords for this routine.
- */
-static void
-transform(isc_uint32_t buf[4], isc_uint32_t const in[16]) {
- register isc_uint32_t a, b, c, d;
-
- a = buf[0];
- b = buf[1];
- c = buf[2];
- d = buf[3];
-
- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
- MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
-
- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
-
- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
-
- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void
-isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
- isc_uint32_t t;
-
- /* Update byte count */
-
- t = ctx->bytes[0];
- if ((ctx->bytes[0] = t + len) < t)
- ctx->bytes[1]++; /* Carry from low to high */
-
- t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */
- if (t > len) {
- memcpy((unsigned char *)ctx->in + 64 - t, buf, len);
- return;
- }
- /* First chunk is an odd size */
- memcpy((unsigned char *)ctx->in + 64 - t, buf, t);
- byteSwap(ctx->in, 16);
- transform(ctx->buf, ctx->in);
- buf += t;
- len -= t;
-
- /* Process data in 64-byte chunks */
- while (len >= 64) {
- memcpy(ctx->in, buf, 64);
- byteSwap(ctx->in, 16);
- transform(ctx->buf, ctx->in);
- buf += 64;
- len -= 64;
- }
-
- /* Handle any remaining bytes of data. */
- memcpy(ctx->in, buf, len);
-}
-
-/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
- * 1 0* (64-bit count of bits processed, MSB-first)
- */
-void
-isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
- int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */
- unsigned char *p = (unsigned char *)ctx->in + count;
-
- /* Set the first char of padding to 0x80. There is always room. */
- *p++ = 0x80;
-
- /* Bytes of padding needed to make 56 bytes (-8..55) */
- count = 56 - 1 - count;
-
- if (count < 0) { /* Padding forces an extra block */
- memset(p, 0, count + 8);
- byteSwap(ctx->in, 16);
- transform(ctx->buf, ctx->in);
- p = (unsigned char *)ctx->in;
- count = 56;
- }
- memset(p, 0, count);
- byteSwap(ctx->in, 14);
-
- /* Append length in bits and transform */
- ctx->in[14] = ctx->bytes[0] << 3;
- ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29;
- transform(ctx->buf, ctx->in);
-
- byteSwap(ctx->buf, 4);
- memcpy(digest, ctx->buf, 16);
- memset(ctx, 0, sizeof(isc_md5_t)); /* In case it's sensitive */
-}
diff --git a/contrib/bind9/lib/isc/mem.c b/contrib/bind9/lib/isc/mem.c
deleted file mode 100644
index f5069fb7dc17..000000000000
--- a/contrib/bind9/lib/isc/mem.c
+++ /dev/null
@@ -1,1777 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mem.c,v 1.98.2.7.2.7 2005/03/17 03:58:32 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stddef.h>
-
-#include <limits.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/ondestroy.h>
-#include <isc/string.h>
-
-#include <isc/mutex.h>
-#include <isc/util.h>
-
-#ifndef ISC_MEM_DEBUGGING
-#define ISC_MEM_DEBUGGING 0
-#endif
-LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
-
-/*
- * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
- * implementation in preference to the system one. The internal malloc()
- * is very space-efficient, and quite fast on uniprocessor systems. It
- * performs poorly on multiprocessor machines.
- */
-#ifndef ISC_MEM_USE_INTERNAL_MALLOC
-#define ISC_MEM_USE_INTERNAL_MALLOC 0
-#endif
-
-/*
- * Constants.
- */
-
-#define DEF_MAX_SIZE 1100
-#define DEF_MEM_TARGET 4096
-#define ALIGNMENT_SIZE 8 /* must be a power of 2 */
-#define NUM_BASIC_BLOCKS 64 /* must be > 1 */
-#define TABLE_INCREMENT 1024
-#define DEBUGLIST_COUNT 1024
-
-/*
- * Types.
- */
-#if ISC_MEM_TRACKLINES
-typedef struct debuglink debuglink_t;
-struct debuglink {
- ISC_LINK(debuglink_t) link;
- const void *ptr[DEBUGLIST_COUNT];
- unsigned int size[DEBUGLIST_COUNT];
- const char *file[DEBUGLIST_COUNT];
- unsigned int line[DEBUGLIST_COUNT];
- unsigned int count;
-};
-
-#define FLARG_PASS , file, line
-#define FLARG , const char *file, int line
-#else
-#define FLARG_PASS
-#define FLARG
-#endif
-
-typedef struct element element;
-struct element {
- element * next;
-};
-
-typedef struct {
- /*
- * This structure must be ALIGNMENT_SIZE bytes.
- */
- union {
- size_t size;
- char bytes[ALIGNMENT_SIZE];
- } u;
-} size_info;
-
-struct stats {
- unsigned long gets;
- unsigned long totalgets;
-#if ISC_MEM_USE_INTERNAL_MALLOC
- unsigned long blocks;
- unsigned long freefrags;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-};
-
-#define MEM_MAGIC ISC_MAGIC('M', 'e', 'm', 'C')
-#define VALID_CONTEXT(c) ISC_MAGIC_VALID(c, MEM_MAGIC)
-
-#if ISC_MEM_TRACKLINES
-typedef ISC_LIST(debuglink_t) debuglist_t;
-#endif
-
-struct isc_mem {
- unsigned int magic;
- isc_ondestroy_t ondestroy;
- isc_mutex_t lock;
- isc_memalloc_t memalloc;
- isc_memfree_t memfree;
- void * arg;
- size_t max_size;
- isc_boolean_t checkfree;
- struct stats * stats;
- unsigned int references;
- size_t quota;
- size_t total;
- size_t inuse;
- size_t maxinuse;
- size_t hi_water;
- size_t lo_water;
- isc_boolean_t hi_called;
- isc_mem_water_t water;
- void * water_arg;
- ISC_LIST(isc_mempool_t) pools;
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- size_t mem_target;
- element ** freelists;
- element * basic_blocks;
- unsigned char ** basic_table;
- unsigned int basic_table_count;
- unsigned int basic_table_size;
- unsigned char * lowest;
- unsigned char * highest;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
-#if ISC_MEM_TRACKLINES
- debuglist_t * debuglist;
-#endif
-
- unsigned int memalloc_failures;
-};
-
-#define MEMPOOL_MAGIC ISC_MAGIC('M', 'E', 'M', 'p')
-#define VALID_MEMPOOL(c) ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)
-
-struct isc_mempool {
- /* always unlocked */
- unsigned int magic; /* magic number */
- isc_mutex_t *lock; /* optional lock */
- isc_mem_t *mctx; /* our memory context */
- /* locked via the memory context's lock */
- ISC_LINK(isc_mempool_t) link; /* next pool in this mem context */
- /* optionally locked from here down */
- element *items; /* low water item list */
- size_t size; /* size of each item on this pool */
- unsigned int maxalloc; /* max number of items allowed */
- unsigned int allocated; /* # of items currently given out */
- unsigned int freecount; /* # of items on reserved list */
- unsigned int freemax; /* # of items allowed on free list */
- unsigned int fillcount; /* # of items to fetch on each fill */
- /* Stats only. */
- unsigned int gets; /* # of requests to this pool */
- /* Debugging only. */
-#if ISC_MEMPOOL_NAMES
- char name[16]; /* printed name in stats reports */
-#endif
-};
-
-/*
- * Private Inline-able.
- */
-
-#if ! ISC_MEM_TRACKLINES
-#define ADD_TRACE(a, b, c, d, e)
-#define DELETE_TRACE(a, b, c, d, e)
-#else
-#define ADD_TRACE(a, b, c, d, e) \
- do { \
- if ((isc_mem_debugging & (ISC_MEM_DEBUGTRACE | \
- ISC_MEM_DEBUGRECORD)) != 0 && \
- b != NULL) \
- add_trace_entry(a, b, c, d, e); \
- } while (0)
-#define DELETE_TRACE(a, b, c, d, e) delete_trace_entry(a, b, c, d, e)
-
-static void
-print_active(isc_mem_t *ctx, FILE *out);
-
-/*
- * mctx must be locked.
- */
-static inline void
-add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
- FLARG)
-{
- debuglink_t *dl;
- unsigned int i;
-
- if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
- fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_ADDTRACE,
- "add %p size %u "
- "file %s line %u mctx %p\n"),
- ptr, size, file, line, mctx);
-
- if (mctx->debuglist == NULL)
- return;
-
- if (size > mctx->max_size)
- size = mctx->max_size;
-
- dl = ISC_LIST_HEAD(mctx->debuglist[size]);
- while (dl != NULL) {
- if (dl->count == DEBUGLIST_COUNT)
- goto next;
- for (i = 0; i < DEBUGLIST_COUNT; i++) {
- if (dl->ptr[i] == NULL) {
- dl->ptr[i] = ptr;
- dl->size[i] = size;
- dl->file[i] = file;
- dl->line[i] = line;
- dl->count++;
- return;
- }
- }
- next:
- dl = ISC_LIST_NEXT(dl, link);
- }
-
- dl = malloc(sizeof(debuglink_t));
- INSIST(dl != NULL);
-
- ISC_LINK_INIT(dl, link);
- for (i = 1; i < DEBUGLIST_COUNT; i++) {
- dl->ptr[i] = NULL;
- dl->size[i] = 0;
- dl->file[i] = NULL;
- dl->line[i] = 0;
- }
-
- dl->ptr[0] = ptr;
- dl->size[0] = size;
- dl->file[0] = file;
- dl->line[0] = line;
- dl->count = 1;
-
- ISC_LIST_PREPEND(mctx->debuglist[size], dl, link);
-}
-
-static inline void
-delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size,
- const char *file, unsigned int line)
-{
- debuglink_t *dl;
- unsigned int i;
-
- if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
- fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_DELTRACE,
- "del %p size %u "
- "file %s line %u mctx %p\n"),
- ptr, size, file, line, mctx);
-
- if (mctx->debuglist == NULL)
- return;
-
- if (size > mctx->max_size)
- size = mctx->max_size;
-
- dl = ISC_LIST_HEAD(mctx->debuglist[size]);
- while (dl != NULL) {
- for (i = 0; i < DEBUGLIST_COUNT; i++) {
- if (dl->ptr[i] == ptr) {
- dl->ptr[i] = NULL;
- dl->size[i] = 0;
- dl->file[i] = NULL;
- dl->line[i] = 0;
-
- INSIST(dl->count > 0);
- dl->count--;
- if (dl->count == 0) {
- ISC_LIST_UNLINK(mctx->debuglist[size],
- dl, link);
- free(dl);
- }
- return;
- }
- }
- dl = ISC_LIST_NEXT(dl, link);
- }
-
- /*
- * If we get here, we didn't find the item on the list. We're
- * screwed.
- */
- INSIST(dl != NULL);
-}
-#endif /* ISC_MEM_TRACKLINES */
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
-static inline size_t
-rmsize(size_t size) {
- /*
- * round down to ALIGNMENT_SIZE
- */
- return (size & (~(ALIGNMENT_SIZE - 1)));
-}
-
-static inline size_t
-quantize(size_t size) {
- /*
- * Round up the result in order to get a size big
- * enough to satisfy the request and be aligned on ALIGNMENT_SIZE
- * byte boundaries.
- */
-
- if (size == 0)
- return (ALIGNMENT_SIZE);
- return ((size + ALIGNMENT_SIZE - 1) & (~(ALIGNMENT_SIZE - 1)));
-}
-
-static inline isc_boolean_t
-more_basic_blocks(isc_mem_t *ctx) {
- void *new;
- unsigned char *curr, *next;
- unsigned char *first, *last;
- unsigned char **table;
- unsigned int table_size;
- size_t increment;
- int i;
-
- /* Require: we hold the context lock. */
-
- /*
- * Did we hit the quota for this context?
- */
- increment = NUM_BASIC_BLOCKS * ctx->mem_target;
- if (ctx->quota != 0 && ctx->total + increment > ctx->quota)
- return (ISC_FALSE);
-
- INSIST(ctx->basic_table_count <= ctx->basic_table_size);
- if (ctx->basic_table_count == ctx->basic_table_size) {
- table_size = ctx->basic_table_size + TABLE_INCREMENT;
- table = (ctx->memalloc)(ctx->arg,
- table_size * sizeof(unsigned char *));
- if (table == NULL) {
- ctx->memalloc_failures++;
- return (ISC_FALSE);
- }
- if (ctx->basic_table_size != 0) {
- memcpy(table, ctx->basic_table,
- ctx->basic_table_size *
- sizeof(unsigned char *));
- (ctx->memfree)(ctx->arg, ctx->basic_table);
- }
- ctx->basic_table = table;
- ctx->basic_table_size = table_size;
- }
-
- new = (ctx->memalloc)(ctx->arg, NUM_BASIC_BLOCKS * ctx->mem_target);
- if (new == NULL) {
- ctx->memalloc_failures++;
- return (ISC_FALSE);
- }
- ctx->total += increment;
- ctx->basic_table[ctx->basic_table_count] = new;
- ctx->basic_table_count++;
-
- curr = new;
- next = curr + ctx->mem_target;
- for (i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
- ((element *)curr)->next = (element *)next;
- curr = next;
- next += ctx->mem_target;
- }
- /*
- * curr is now pointing at the last block in the
- * array.
- */
- ((element *)curr)->next = NULL;
- first = new;
- last = first + NUM_BASIC_BLOCKS * ctx->mem_target - 1;
- if (first < ctx->lowest || ctx->lowest == NULL)
- ctx->lowest = first;
- if (last > ctx->highest)
- ctx->highest = last;
- ctx->basic_blocks = new;
-
- return (ISC_TRUE);
-}
-
-static inline isc_boolean_t
-more_frags(isc_mem_t *ctx, size_t new_size) {
- int i, frags;
- size_t total_size;
- void *new;
- unsigned char *curr, *next;
-
- /*
- * Try to get more fragments by chopping up a basic block.
- */
-
- if (ctx->basic_blocks == NULL) {
- if (!more_basic_blocks(ctx)) {
- /*
- * We can't get more memory from the OS, or we've
- * hit the quota for this context.
- */
- /*
- * XXXRTH "At quota" notification here.
- */
- return (ISC_FALSE);
- }
- }
-
- total_size = ctx->mem_target;
- new = ctx->basic_blocks;
- ctx->basic_blocks = ctx->basic_blocks->next;
- frags = total_size / new_size;
- ctx->stats[new_size].blocks++;
- ctx->stats[new_size].freefrags += frags;
- /*
- * Set up a linked-list of blocks of size
- * "new_size".
- */
- curr = new;
- next = curr + new_size;
- total_size -= new_size;
- for (i = 0; i < (frags - 1); i++) {
- ((element *)curr)->next = (element *)next;
- curr = next;
- next += new_size;
- total_size -= new_size;
- }
- /*
- * Add the remaining fragment of the basic block to a free list.
- */
- total_size = rmsize(total_size);
- if (total_size > 0) {
- ((element *)next)->next = ctx->freelists[total_size];
- ctx->freelists[total_size] = (element *)next;
- ctx->stats[total_size].freefrags++;
- }
- /*
- * curr is now pointing at the last block in the
- * array.
- */
- ((element *)curr)->next = NULL;
- ctx->freelists[new_size] = new;
-
- return (ISC_TRUE);
-}
-
-static inline void *
-mem_getunlocked(isc_mem_t *ctx, size_t size) {
- size_t new_size = quantize(size);
- void *ret;
-
- if (size >= ctx->max_size || new_size >= ctx->max_size) {
- /*
- * memget() was called on something beyond our upper limit.
- */
- if (ctx->quota != 0 && ctx->total + size > ctx->quota) {
- ret = NULL;
- goto done;
- }
- ret = (ctx->memalloc)(ctx->arg, size);
- if (ret == NULL) {
- ctx->memalloc_failures++;
- goto done;
- }
- ctx->total += size;
- ctx->inuse += size;
- ctx->stats[ctx->max_size].gets++;
- ctx->stats[ctx->max_size].totalgets++;
- /*
- * If we don't set new_size to size, then the
- * ISC_MEM_FILL code might write over bytes we
- * don't own.
- */
- new_size = size;
- goto done;
- }
-
- /*
- * If there are no blocks in the free list for this size, get a chunk
- * of memory and then break it up into "new_size"-sized blocks, adding
- * them to the free list.
- */
- if (ctx->freelists[new_size] == NULL && !more_frags(ctx, new_size))
- return (NULL);
-
- /*
- * The free list uses the "rounded-up" size "new_size".
- */
- ret = ctx->freelists[new_size];
- ctx->freelists[new_size] = ctx->freelists[new_size]->next;
-
- /*
- * The stats[] uses the _actual_ "size" requested by the
- * caller, with the caveat (in the code above) that "size" >= the
- * max. size (max_size) ends up getting recorded as a call to
- * max_size.
- */
- ctx->stats[size].gets++;
- ctx->stats[size].totalgets++;
- ctx->stats[new_size].freefrags--;
- ctx->inuse += new_size;
-
- done:
-
-#if ISC_MEM_FILL
- if (ret != NULL)
- memset(ret, 0xbe, new_size); /* Mnemonic for "beef". */
-#endif
-
- return (ret);
-}
-
-#if ISC_MEM_FILL && ISC_MEM_CHECKOVERRUN
-static inline void
-check_overrun(void *mem, size_t size, size_t new_size) {
- unsigned char *cp;
-
- cp = (unsigned char *)mem;
- cp += size;
- while (size < new_size) {
- INSIST(*cp == 0xbe);
- cp++;
- size++;
- }
-}
-#endif
-
-static inline void
-mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
- size_t new_size = quantize(size);
-
- if (size == ctx->max_size || new_size >= ctx->max_size) {
- /*
- * memput() called on something beyond our upper limit.
- */
-#if ISC_MEM_FILL
- memset(mem, 0xde, size); /* Mnemonic for "dead". */
-#endif
- (ctx->memfree)(ctx->arg, mem);
- INSIST(ctx->stats[ctx->max_size].gets != 0);
- ctx->stats[ctx->max_size].gets--;
- INSIST(size <= ctx->total);
- ctx->inuse -= size;
- ctx->total -= size;
- return;
- }
-
-#if ISC_MEM_FILL
-#if ISC_MEM_CHECKOVERRUN
- check_overrun(mem, size, new_size);
-#endif
- memset(mem, 0xde, new_size); /* Mnemonic for "dead". */
-#endif
-
- /*
- * The free list uses the "rounded-up" size "new_size".
- */
- ((element *)mem)->next = ctx->freelists[new_size];
- ctx->freelists[new_size] = (element *)mem;
-
- /*
- * The stats[] uses the _actual_ "size" requested by the
- * caller, with the caveat (in the code above) that "size" >= the
- * max. size (max_size) ends up getting recorded as a call to
- * max_size.
- */
- INSIST(ctx->stats[size].gets != 0);
- ctx->stats[size].gets--;
- ctx->stats[new_size].freefrags++;
- ctx->inuse -= new_size;
-}
-
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
-
-/*
- * Perform a malloc, doing memory filling and overrun detection as necessary.
- */
-static inline void *
-mem_get(isc_mem_t *ctx, size_t size) {
- char *ret;
-
-#if ISC_MEM_CHECKOVERRUN
- size += 1;
-#endif
-
- ret = (ctx->memalloc)(ctx->arg, size);
- if (ret == NULL)
- ctx->memalloc_failures++;
-
-#if ISC_MEM_FILL
- if (ret != NULL)
- memset(ret, 0xbe, size); /* Mnemonic for "beef". */
-#else
-# if ISC_MEM_CHECKOVERRUN
- if (ret != NULL)
- ret[size-1] = 0xbe;
-# endif
-#endif
-
- return (ret);
-}
-
-/*
- * Perform a free, doing memory filling and overrun detection as necessary.
- */
-static inline void
-mem_put(isc_mem_t *ctx, void *mem, size_t size) {
-#if ISC_MEM_CHECKOVERRUN
- INSIST(((unsigned char *)mem)[size] == 0xbe);
-#endif
-#if ISC_MEM_FILL
- memset(mem, 0xde, size); /* Mnemonic for "dead". */
-#else
- UNUSED(size);
-#endif
- (ctx->memfree)(ctx->arg, mem);
-}
-
-/*
- * Update internal counters after a memory get.
- */
-static inline void
-mem_getstats(isc_mem_t *ctx, size_t size) {
- ctx->total += size;
- ctx->inuse += size;
-
- if (size > ctx->max_size) {
- ctx->stats[ctx->max_size].gets++;
- ctx->stats[ctx->max_size].totalgets++;
- } else {
- ctx->stats[size].gets++;
- ctx->stats[size].totalgets++;
- }
-}
-
-/*
- * Update internal counters after a memory put.
- */
-static inline void
-mem_putstats(isc_mem_t *ctx, void *ptr, size_t size) {
- UNUSED(ptr);
-
- INSIST(ctx->inuse >= size);
- ctx->inuse -= size;
-
- if (size > ctx->max_size) {
- INSIST(ctx->stats[ctx->max_size].gets > 0U);
- ctx->stats[ctx->max_size].gets--;
- } else {
- INSIST(ctx->stats[size].gets > 0U);
- ctx->stats[size].gets--;
- }
-}
-
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
-/*
- * Private.
- */
-
-static void *
-default_memalloc(void *arg, size_t size) {
- UNUSED(arg);
- if (size == 0U)
- size = 1;
- return (malloc(size));
-}
-
-static void
-default_memfree(void *arg, void *ptr) {
- UNUSED(arg);
- free(ptr);
-}
-
-/*
- * Public.
- */
-
-isc_result_t
-isc_mem_createx(size_t init_max_size, size_t target_size,
- isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
- isc_mem_t **ctxp)
-{
- isc_mem_t *ctx;
- isc_result_t result;
-
- REQUIRE(ctxp != NULL && *ctxp == NULL);
- REQUIRE(memalloc != NULL);
- REQUIRE(memfree != NULL);
-
- INSIST((ALIGNMENT_SIZE & (ALIGNMENT_SIZE - 1)) == 0);
-
-#if !ISC_MEM_USE_INTERNAL_MALLOC
- UNUSED(target_size);
-#endif
-
- ctx = (memalloc)(arg, sizeof(*ctx));
- if (ctx == NULL)
- return (ISC_R_NOMEMORY);
-
- if (isc_mutex_init(&ctx->lock) != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- (memfree)(arg, ctx);
- return (ISC_R_UNEXPECTED);
- }
-
- if (init_max_size == 0U)
- ctx->max_size = DEF_MAX_SIZE;
- else
- ctx->max_size = init_max_size;
- ctx->references = 1;
- ctx->quota = 0;
- ctx->total = 0;
- ctx->inuse = 0;
- ctx->maxinuse = 0;
- ctx->hi_water = 0;
- ctx->lo_water = 0;
- ctx->hi_called = ISC_FALSE;
- ctx->water = NULL;
- ctx->water_arg = NULL;
- ctx->magic = MEM_MAGIC;
- isc_ondestroy_init(&ctx->ondestroy);
- ctx->memalloc = memalloc;
- ctx->memfree = memfree;
- ctx->arg = arg;
- ctx->stats = NULL;
- ctx->checkfree = ISC_TRUE;
-#if ISC_MEM_TRACKLINES
- ctx->debuglist = NULL;
-#endif
- ISC_LIST_INIT(ctx->pools);
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- ctx->freelists = NULL;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
- ctx->stats = (memalloc)(arg,
- (ctx->max_size+1) * sizeof(struct stats));
- if (ctx->stats == NULL) {
- result = ISC_R_NOMEMORY;
- goto error;
- }
- memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof(struct stats));
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- if (target_size == 0)
- ctx->mem_target = DEF_MEM_TARGET;
- else
- ctx->mem_target = target_size;
- ctx->freelists = (memalloc)(arg, ctx->max_size * sizeof(element *));
- if (ctx->freelists == NULL) {
- result = ISC_R_NOMEMORY;
- goto error;
- }
- memset(ctx->freelists, 0,
- ctx->max_size * sizeof(element *));
- ctx->basic_blocks = NULL;
- ctx->basic_table = NULL;
- ctx->basic_table_count = 0;
- ctx->basic_table_size = 0;
- ctx->lowest = NULL;
- ctx->highest = NULL;
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
-#if ISC_MEM_TRACKLINES
- if ((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0) {
- unsigned int i;
-
- ctx->debuglist = (memalloc)(arg,
- (ctx->max_size+1) * sizeof(debuglist_t));
- if (ctx->debuglist == NULL) {
- result = ISC_R_NOMEMORY;
- goto error;
- }
- for (i = 0; i <= ctx->max_size; i++)
- ISC_LIST_INIT(ctx->debuglist[i]);
- }
-#endif
-
- ctx->memalloc_failures = 0;
-
- *ctxp = ctx;
- return (ISC_R_SUCCESS);
-
- error:
- if (ctx != NULL) {
- if (ctx->stats != NULL)
- (memfree)(arg, ctx->stats);
-#if ISC_MEM_USE_INTERNAL_MALLOC
- if (ctx->freelists != NULL)
- (memfree)(arg, ctx->freelists);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-#if ISC_MEM_TRACKLINES
- if (ctx->debuglist != NULL)
- (ctx->memfree)(ctx->arg, ctx->debuglist);
-#endif /* ISC_MEM_TRACKLINES */
- DESTROYLOCK(&ctx->lock);
- (memfree)(arg, ctx);
- }
-
- return (result);
-}
-
-isc_result_t
-isc_mem_create(size_t init_max_size, size_t target_size,
- isc_mem_t **ctxp)
-{
- return (isc_mem_createx(init_max_size, target_size,
- default_memalloc, default_memfree, NULL,
- ctxp));
-}
-
-static void
-destroy(isc_mem_t *ctx) {
- unsigned int i;
- isc_ondestroy_t ondest;
-
- ctx->magic = 0;
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- INSIST(ISC_LIST_EMPTY(ctx->pools));
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
-#if ISC_MEM_TRACKLINES
- if (ctx->debuglist != NULL) {
- if (ctx->checkfree) {
- for (i = 0; i <= ctx->max_size; i++) {
- if (!ISC_LIST_EMPTY(ctx->debuglist[i]))
- print_active(ctx, stderr);
- INSIST(ISC_LIST_EMPTY(ctx->debuglist[i]));
- }
- } else {
- debuglink_t *dl;
-
- for (i = 0; i <= ctx->max_size; i++)
- for (dl = ISC_LIST_HEAD(ctx->debuglist[i]);
- dl != NULL;
- dl = ISC_LIST_HEAD(ctx->debuglist[i])) {
- ISC_LIST_UNLINK(ctx->debuglist[i],
- dl, link);
- free(dl);
- }
- }
- (ctx->memfree)(ctx->arg, ctx->debuglist);
- }
-#endif
- INSIST(ctx->references == 0);
-
- if (ctx->checkfree) {
- for (i = 0; i <= ctx->max_size; i++) {
-#if ISC_MEM_TRACKLINES
- if (ctx->stats[i].gets != 0U)
- print_active(ctx, stderr);
-#endif
- INSIST(ctx->stats[i].gets == 0U);
- }
- }
-
- (ctx->memfree)(ctx->arg, ctx->stats);
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- for (i = 0; i < ctx->basic_table_count; i++)
- (ctx->memfree)(ctx->arg, ctx->basic_table[i]);
- (ctx->memfree)(ctx->arg, ctx->freelists);
- (ctx->memfree)(ctx->arg, ctx->basic_table);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
- ondest = ctx->ondestroy;
-
- DESTROYLOCK(&ctx->lock);
- (ctx->memfree)(ctx->arg, ctx);
-
- isc_ondestroy_notify(&ondest, ctx);
-}
-
-void
-isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
- REQUIRE(VALID_CONTEXT(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- LOCK(&source->lock);
- source->references++;
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-void
-isc_mem_detach(isc_mem_t **ctxp) {
- isc_mem_t *ctx;
- isc_boolean_t want_destroy = ISC_FALSE;
-
- REQUIRE(ctxp != NULL);
- ctx = *ctxp;
- REQUIRE(VALID_CONTEXT(ctx));
-
- LOCK(&ctx->lock);
- INSIST(ctx->references > 0);
- ctx->references--;
- if (ctx->references == 0)
- want_destroy = ISC_TRUE;
- UNLOCK(&ctx->lock);
-
- if (want_destroy)
- destroy(ctx);
-
- *ctxp = NULL;
-}
-
-/*
- * isc_mem_putanddetach() is the equivalent of:
- *
- * mctx = NULL;
- * isc_mem_attach(ptr->mctx, &mctx);
- * isc_mem_detach(&ptr->mctx);
- * isc_mem_put(mctx, ptr, sizeof(*ptr);
- * isc_mem_detach(&mctx);
- */
-
-void
-isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
- isc_mem_t *ctx;
- isc_boolean_t want_destroy = ISC_FALSE;
-
- REQUIRE(ctxp != NULL);
- ctx = *ctxp;
- REQUIRE(VALID_CONTEXT(ctx));
- REQUIRE(ptr != NULL);
-
- /*
- * Must be before mem_putunlocked() as ctxp is usually within
- * [ptr..ptr+size).
- */
- *ctxp = NULL;
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- LOCK(&ctx->lock);
- mem_putunlocked(ctx, ptr, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- mem_put(ctx, ptr, size);
- LOCK(&ctx->lock);
- mem_putstats(ctx, ptr, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
- DELETE_TRACE(ctx, ptr, size, file, line);
- INSIST(ctx->references > 0);
- ctx->references--;
- if (ctx->references == 0)
- want_destroy = ISC_TRUE;
-
- UNLOCK(&ctx->lock);
-
- if (want_destroy)
- destroy(ctx);
-}
-
-void
-isc_mem_destroy(isc_mem_t **ctxp) {
- isc_mem_t *ctx;
-
- /*
- * This routine provides legacy support for callers who use mctxs
- * without attaching/detaching.
- */
-
- REQUIRE(ctxp != NULL);
- ctx = *ctxp;
- REQUIRE(VALID_CONTEXT(ctx));
-
- LOCK(&ctx->lock);
-#if ISC_MEM_TRACKLINES
- if (ctx->references != 1)
- print_active(ctx, stderr);
-#endif
- REQUIRE(ctx->references == 1);
- ctx->references--;
- UNLOCK(&ctx->lock);
-
- destroy(ctx);
-
- *ctxp = NULL;
-}
-
-isc_result_t
-isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
- isc_result_t res;
-
- LOCK(&ctx->lock);
- res = isc_ondestroy_register(&ctx->ondestroy, task, event);
- UNLOCK(&ctx->lock);
-
- return (res);
-}
-
-
-void *
-isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
- void *ptr;
- isc_boolean_t call_water = ISC_FALSE;
-
- REQUIRE(VALID_CONTEXT(ctx));
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- LOCK(&ctx->lock);
- ptr = mem_getunlocked(ctx, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- ptr = mem_get(ctx, size);
- LOCK(&ctx->lock);
- if (ptr != NULL)
- mem_getstats(ctx, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
- ADD_TRACE(ctx, ptr, size, file, line);
- if (ctx->hi_water != 0U && !ctx->hi_called &&
- ctx->inuse > ctx->hi_water) {
- ctx->hi_called = ISC_TRUE;
- call_water = ISC_TRUE;
- }
- if (ctx->inuse > ctx->maxinuse) {
- ctx->maxinuse = ctx->inuse;
- if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
- (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
- fprintf(stderr, "maxinuse = %lu\n",
- (unsigned long)ctx->inuse);
- }
- UNLOCK(&ctx->lock);
-
- if (call_water)
- (ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
-
- return (ptr);
-}
-
-void
-isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
-{
- isc_boolean_t call_water = ISC_FALSE;
-
- REQUIRE(VALID_CONTEXT(ctx));
- REQUIRE(ptr != NULL);
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- LOCK(&ctx->lock);
- mem_putunlocked(ctx, ptr, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- mem_put(ctx, ptr, size);
- LOCK(&ctx->lock);
- mem_putstats(ctx, ptr, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
- DELETE_TRACE(ctx, ptr, size, file, line);
-
- /*
- * The check against ctx->lo_water == 0 is for the condition
- * when the context was pushed over hi_water but then had
- * isc_mem_setwater() called with 0 for hi_water and lo_water.
- */
- if (ctx->hi_called &&
- (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
- ctx->hi_called = ISC_FALSE;
-
- if (ctx->water != NULL)
- call_water = ISC_TRUE;
- }
- UNLOCK(&ctx->lock);
-
- if (call_water)
- (ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
-}
-
-#if ISC_MEM_TRACKLINES
-static void
-print_active(isc_mem_t *mctx, FILE *out) {
- if (mctx->debuglist != NULL) {
- debuglink_t *dl;
- unsigned int i, j;
- const char *format;
- isc_boolean_t found;
-
- fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_DUMPALLOC,
- "Dump of all outstanding "
- "memory allocations:\n"));
- found = ISC_FALSE;
- format = isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_PTRFILELINE,
- "\tptr %p size %u file %s line %u\n");
- for (i = 0; i <= mctx->max_size; i++) {
- dl = ISC_LIST_HEAD(mctx->debuglist[i]);
-
- if (dl != NULL)
- found = ISC_TRUE;
-
- while (dl != NULL) {
- for (j = 0; j < DEBUGLIST_COUNT; j++)
- if (dl->ptr[j] != NULL)
- fprintf(out, format,
- dl->ptr[j],
- dl->size[j],
- dl->file[j],
- dl->line[j]);
- dl = ISC_LIST_NEXT(dl, link);
- }
- }
- if (!found)
- fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_NONE, "\tNone.\n"));
- }
-}
-#endif
-
-/*
- * Print the stats[] on the stream "out" with suitable formatting.
- */
-void
-isc_mem_stats(isc_mem_t *ctx, FILE *out) {
- size_t i;
- const struct stats *s;
- const isc_mempool_t *pool;
-
- REQUIRE(VALID_CONTEXT(ctx));
- LOCK(&ctx->lock);
-
- for (i = 0; i <= ctx->max_size; i++) {
- s = &ctx->stats[i];
-
- if (s->totalgets == 0U && s->gets == 0U)
- continue;
- fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
- (i == ctx->max_size) ? ">=" : " ",
- (unsigned long) i, s->totalgets, s->gets);
-#if ISC_MEM_USE_INTERNAL_MALLOC
- if (s->blocks != 0 || s->freefrags != 0)
- fprintf(out, " (%lu bl, %lu ff)",
- s->blocks, s->freefrags);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
- fputc('\n', out);
- }
-
- /*
- * Note that since a pool can be locked now, these stats might be
- * somewhat off if the pool is in active use at the time the stats
- * are dumped. The link fields are protected by the isc_mem_t's
- * lock, however, so walking this list and extracting integers from
- * stats fields is always safe.
- */
- pool = ISC_LIST_HEAD(ctx->pools);
- if (pool != NULL) {
- fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLSTATS,
- "[Pool statistics]\n"));
- fprintf(out, "%15s %10s %10s %10s %10s %10s %10s %10s %1s\n",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLNAME, "name"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLSIZE, "size"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLMAXALLOC, "maxalloc"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLALLOCATED, "allocated"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLFREECOUNT, "freecount"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLFREEMAX, "freemax"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLFILLCOUNT, "fillcount"),
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
- ISC_MSG_POOLGETS, "gets"),
- "L");
- }
- while (pool != NULL) {
- fprintf(out, "%15s %10lu %10u %10u %10u %10u %10u %10u %s\n",
- pool->name, (unsigned long) pool->size, pool->maxalloc,
- pool->allocated, pool->freecount, pool->freemax,
- pool->fillcount, pool->gets,
- (pool->lock == NULL ? "N" : "Y"));
- pool = ISC_LIST_NEXT(pool, link);
- }
-
-#if ISC_MEM_TRACKLINES
- print_active(ctx, out);
-#endif
-
- UNLOCK(&ctx->lock);
-}
-
-/*
- * Replacements for malloc() and free() -- they implicitly remember the
- * size of the object allocated (with some additional overhead).
- */
-
-static void *
-isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
- size_info *si;
-
- size += ALIGNMENT_SIZE;
-#if ISC_MEM_USE_INTERNAL_MALLOC
- si = mem_getunlocked(ctx, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- si = mem_get(ctx, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
- if (si == NULL)
- return (NULL);
- si->u.size = size;
- return (&si[1]);
-}
-
-void *
-isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
- size_info *si;
-
- REQUIRE(VALID_CONTEXT(ctx));
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- LOCK(&ctx->lock);
- si = isc__mem_allocateunlocked(ctx, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- si = isc__mem_allocateunlocked(ctx, size);
- LOCK(&ctx->lock);
- if (si != NULL)
- mem_getstats(ctx, si[-1].u.size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
-#if ISC_MEM_TRACKLINES
- ADD_TRACE(ctx, si, si[-1].u.size, file, line);
-#endif
-
- UNLOCK(&ctx->lock);
-
- return (si);
-}
-
-void
-isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
- size_info *si;
- size_t size;
-
- REQUIRE(VALID_CONTEXT(ctx));
- REQUIRE(ptr != NULL);
-
- si = &(((size_info *)ptr)[-1]);
- size = si->u.size;
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- LOCK(&ctx->lock);
- mem_putunlocked(ctx, si, size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- mem_put(ctx, si, size);
- LOCK(&ctx->lock);
- mem_putstats(ctx, si, size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
-
- DELETE_TRACE(ctx, ptr, size, file, line);
-
- UNLOCK(&ctx->lock);
-}
-
-
-/*
- * Other useful things.
- */
-
-char *
-isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
- size_t len;
- char *ns;
-
- REQUIRE(VALID_CONTEXT(mctx));
- REQUIRE(s != NULL);
-
- len = strlen(s);
-
- ns = isc__mem_allocate(mctx, len + 1 FLARG_PASS);
-
- if (ns != NULL)
- strncpy(ns, s, len + 1);
-
- return (ns);
-}
-
-void
-isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
- REQUIRE(VALID_CONTEXT(ctx));
- LOCK(&ctx->lock);
-
- ctx->checkfree = flag;
-
- UNLOCK(&ctx->lock);
-}
-
-/*
- * Quotas
- */
-
-void
-isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
- REQUIRE(VALID_CONTEXT(ctx));
- LOCK(&ctx->lock);
-
- ctx->quota = quota;
-
- UNLOCK(&ctx->lock);
-}
-
-size_t
-isc_mem_getquota(isc_mem_t *ctx) {
- size_t quota;
-
- REQUIRE(VALID_CONTEXT(ctx));
- LOCK(&ctx->lock);
-
- quota = ctx->quota;
-
- UNLOCK(&ctx->lock);
-
- return (quota);
-}
-
-size_t
-isc_mem_inuse(isc_mem_t *ctx) {
- size_t inuse;
-
- REQUIRE(VALID_CONTEXT(ctx));
- LOCK(&ctx->lock);
-
- inuse = ctx->inuse;
-
- UNLOCK(&ctx->lock);
-
- return (inuse);
-}
-
-void
-isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
- size_t hiwater, size_t lowater)
-{
- REQUIRE(VALID_CONTEXT(ctx));
- REQUIRE(hiwater >= lowater);
-
- LOCK(&ctx->lock);
- if (water == NULL) {
- ctx->water = NULL;
- ctx->water_arg = NULL;
- ctx->hi_water = 0;
- ctx->lo_water = 0;
- ctx->hi_called = ISC_FALSE;
- } else {
- ctx->water = water;
- ctx->water_arg = water_arg;
- ctx->hi_water = hiwater;
- ctx->lo_water = lowater;
- ctx->hi_called = ISC_FALSE;
- }
- UNLOCK(&ctx->lock);
-}
-
-/*
- * Memory pool stuff
- */
-
-isc_result_t
-isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
- isc_mempool_t *mpctx;
-
- REQUIRE(VALID_CONTEXT(mctx));
- REQUIRE(size > 0U);
- REQUIRE(mpctxp != NULL && *mpctxp == NULL);
-
- /*
- * Allocate space for this pool, initialize values, and if all works
- * well, attach to the memory context.
- */
- mpctx = isc_mem_get(mctx, sizeof(isc_mempool_t));
- if (mpctx == NULL)
- return (ISC_R_NOMEMORY);
-
- mpctx->magic = MEMPOOL_MAGIC;
- mpctx->lock = NULL;
- mpctx->mctx = mctx;
- mpctx->size = size;
- mpctx->maxalloc = UINT_MAX;
- mpctx->allocated = 0;
- mpctx->freecount = 0;
- mpctx->freemax = 1;
- mpctx->fillcount = 1;
- mpctx->gets = 0;
-#if ISC_MEMPOOL_NAMES
- mpctx->name[0] = 0;
-#endif
- mpctx->items = NULL;
-
- *mpctxp = mpctx;
-
- LOCK(&mctx->lock);
- ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
- UNLOCK(&mctx->lock);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
- REQUIRE(name != NULL);
-
-#if ISC_MEMPOOL_NAMES
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- strncpy(mpctx->name, name, sizeof(mpctx->name) - 1);
- mpctx->name[sizeof(mpctx->name) - 1] = '\0';
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-#else
- UNUSED(mpctx);
- UNUSED(name);
-#endif
-}
-
-void
-isc_mempool_destroy(isc_mempool_t **mpctxp) {
- isc_mempool_t *mpctx;
- isc_mem_t *mctx;
- isc_mutex_t *lock;
- element *item;
-
- REQUIRE(mpctxp != NULL);
- mpctx = *mpctxp;
- REQUIRE(VALID_MEMPOOL(mpctx));
-#if ISC_MEMPOOL_NAMES
- if (mpctx->allocated > 0)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mempool_destroy(): mempool %s "
- "leaked memory",
- mpctx->name);
-#endif
- REQUIRE(mpctx->allocated == 0);
-
- mctx = mpctx->mctx;
-
- lock = mpctx->lock;
-
- if (lock != NULL)
- LOCK(lock);
-
- /*
- * Return any items on the free list
- */
- LOCK(&mctx->lock);
- while (mpctx->items != NULL) {
- INSIST(mpctx->freecount > 0);
- mpctx->freecount--;
- item = mpctx->items;
- mpctx->items = item->next;
-
-#if ISC_MEM_USE_INTERNAL_MALLOC
- mem_putunlocked(mctx, item, mpctx->size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- mem_put(mctx, item, mpctx->size);
- mem_putstats(mctx, item, mpctx->size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
- }
- UNLOCK(&mctx->lock);
-
- /*
- * Remove our linked list entry from the memory context.
- */
- LOCK(&mctx->lock);
- ISC_LIST_UNLINK(mctx->pools, mpctx, link);
- UNLOCK(&mctx->lock);
-
- mpctx->magic = 0;
-
- isc_mem_put(mpctx->mctx, mpctx, sizeof(isc_mempool_t));
-
- if (lock != NULL)
- UNLOCK(lock);
-
- *mpctxp = NULL;
-}
-
-void
-isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
- REQUIRE(VALID_MEMPOOL(mpctx));
- REQUIRE(mpctx->lock == NULL);
- REQUIRE(lock != NULL);
-
- mpctx->lock = lock;
-}
-
-void *
-isc__mempool_get(isc_mempool_t *mpctx FLARG) {
- element *item;
- isc_mem_t *mctx;
- unsigned int i;
-
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- mctx = mpctx->mctx;
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- /*
- * Don't let the caller go over quota
- */
- if (mpctx->allocated >= mpctx->maxalloc) {
- item = NULL;
- goto out;
- }
-
- /*
- * if we have a free list item, return the first here
- */
- item = mpctx->items;
- if (item != NULL) {
- mpctx->items = item->next;
- INSIST(mpctx->freecount > 0);
- mpctx->freecount--;
- mpctx->gets++;
- mpctx->allocated++;
- goto out;
- }
-
- /*
- * We need to dip into the well. Lock the memory context here and
- * fill up our free list.
- */
- LOCK(&mctx->lock);
- for (i = 0; i < mpctx->fillcount; i++) {
-#if ISC_MEM_USE_INTERNAL_MALLOC
- item = mem_getunlocked(mctx, mpctx->size);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- item = mem_get(mctx, mpctx->size);
- if (item != NULL)
- mem_getstats(mctx, mpctx->size);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
- if (item == NULL)
- break;
- item->next = mpctx->items;
- mpctx->items = item;
- mpctx->freecount++;
- }
- UNLOCK(&mctx->lock);
-
- /*
- * If we didn't get any items, return NULL.
- */
- item = mpctx->items;
- if (item == NULL)
- goto out;
-
- mpctx->items = item->next;
- mpctx->freecount--;
- mpctx->gets++;
- mpctx->allocated++;
-
- out:
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-
-#if ISC_MEM_TRACKLINES
- if (item != NULL) {
- LOCK(&mctx->lock);
- ADD_TRACE(mctx, item, mpctx->size, file, line);
- UNLOCK(&mctx->lock);
- }
-#endif /* ISC_MEM_TRACKLINES */
-
- return (item);
-}
-
-void
-isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
- isc_mem_t *mctx;
- element *item;
-
- REQUIRE(VALID_MEMPOOL(mpctx));
- REQUIRE(mem != NULL);
-
- mctx = mpctx->mctx;
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- INSIST(mpctx->allocated > 0);
- mpctx->allocated--;
-
-#if ISC_MEM_TRACKLINES
- LOCK(&mctx->lock);
- DELETE_TRACE(mctx, mem, mpctx->size, file, line);
- UNLOCK(&mctx->lock);
-#endif /* ISC_MEM_TRACKLINES */
-
- /*
- * If our free list is full, return this to the mctx directly.
- */
- if (mpctx->freecount >= mpctx->freemax) {
-#if ISC_MEM_USE_INTERNAL_MALLOC
- LOCK(&mctx->lock);
- mem_putunlocked(mctx, mem, mpctx->size);
- UNLOCK(&mctx->lock);
-#else /* ISC_MEM_USE_INTERNAL_MALLOC */
- mem_put(mctx, mem, mpctx->size);
- LOCK(&mctx->lock);
- mem_putstats(mctx, mem, mpctx->size);
- UNLOCK(&mctx->lock);
-#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
- return;
- }
-
- /*
- * Otherwise, attach it to our free list and bump the counter.
- */
- mpctx->freecount++;
- item = (element *)mem;
- item->next = mpctx->items;
- mpctx->items = item;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-}
-
-/*
- * Quotas
- */
-
-void
-isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- mpctx->freemax = limit;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-}
-
-unsigned int
-isc_mempool_getfreemax(isc_mempool_t *mpctx) {
- unsigned int freemax;
-
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- freemax = mpctx->freemax;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-
- return (freemax);
-}
-
-unsigned int
-isc_mempool_getfreecount(isc_mempool_t *mpctx) {
- unsigned int freecount;
-
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- freecount = mpctx->freecount;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-
- return (freecount);
-}
-
-void
-isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
- REQUIRE(limit > 0);
-
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- mpctx->maxalloc = limit;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-}
-
-unsigned int
-isc_mempool_getmaxalloc(isc_mempool_t *mpctx) {
- unsigned int maxalloc;
-
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- maxalloc = mpctx->maxalloc;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-
- return (maxalloc);
-}
-
-unsigned int
-isc_mempool_getallocated(isc_mempool_t *mpctx) {
- unsigned int allocated;
-
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- allocated = mpctx->allocated;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-
- return (allocated);
-}
-
-void
-isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
- REQUIRE(limit > 0);
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- mpctx->fillcount = limit;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-}
-
-unsigned int
-isc_mempool_getfillcount(isc_mempool_t *mpctx) {
- unsigned int fillcount;
-
- REQUIRE(VALID_MEMPOOL(mpctx));
-
- if (mpctx->lock != NULL)
- LOCK(mpctx->lock);
-
- fillcount = mpctx->fillcount;
-
- if (mpctx->lock != NULL)
- UNLOCK(mpctx->lock);
-
- return (fillcount);
-}
diff --git a/contrib/bind9/lib/isc/mutexblock.c b/contrib/bind9/lib/isc/mutexblock.c
deleted file mode 100644
index dc7c23d8689e..000000000000
--- a/contrib/bind9/lib/isc/mutexblock.c
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutexblock.c,v 1.14.12.3 2004/03/08 09:04:49 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mutexblock.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_mutexblock_init(isc_mutex_t *block, unsigned int count) {
- isc_result_t result;
- unsigned int i;
-
- for (i = 0; i < count; i++) {
- result = isc_mutex_init(&block[i]);
- if (result != ISC_R_SUCCESS) {
- i--;
- while (i > 0) {
- DESTROYLOCK(&block[i]);
- i--;
- }
- return (result);
- }
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count) {
- isc_result_t result;
- unsigned int i;
-
- for (i = 0; i < count; i++) {
- result = isc_mutex_destroy(&block[i]);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/netaddr.c b/contrib/bind9/lib/isc/netaddr.c
deleted file mode 100644
index 712ad2c1341b..000000000000
--- a/contrib/bind9/lib/isc/netaddr.c
+++ /dev/null
@@ -1,357 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netaddr.c,v 1.18.12.9 2004/05/15 03:46:12 jinmei Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <isc/buffer.h>
-#include <isc/msgs.h>
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-isc_boolean_t
-isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
- REQUIRE(a != NULL && b != NULL);
-
- if (a->family != b->family)
- return (ISC_FALSE);
-
- if (a->zone != b->zone)
- return (ISC_FALSE);
-
- switch (a->family) {
- case AF_INET:
- if (a->type.in.s_addr != b->type.in.s_addr)
- return (ISC_FALSE);
- break;
- case AF_INET6:
- if (memcmp(&a->type.in6, &b->type.in6,
- sizeof(a->type.in6)) != 0 ||
- a->zone != b->zone)
- return (ISC_FALSE);
- break;
- default:
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
- unsigned int prefixlen)
-{
- const unsigned char *pa, *pb;
- unsigned int ipabytes; /* Length of whole IP address in bytes */
- unsigned int nbytes; /* Number of significant whole bytes */
- unsigned int nbits; /* Number of significant leftover bits */
-
- REQUIRE(a != NULL && b != NULL);
-
- if (a->family != b->family)
- return (ISC_FALSE);
-
- if (a->zone != b->zone)
- return (ISC_FALSE);
-
- switch (a->family) {
- case AF_INET:
- pa = (const unsigned char *) &a->type.in;
- pb = (const unsigned char *) &b->type.in;
- ipabytes = 4;
- break;
- case AF_INET6:
- pa = (const unsigned char *) &a->type.in6;
- pb = (const unsigned char *) &b->type.in6;
- ipabytes = 16;
- break;
- default:
- pa = pb = NULL; /* Avoid silly compiler warning. */
- ipabytes = 0; /* Ditto. */
- return (ISC_FALSE);
- }
-
- /*
- * Don't crash if we get a pattern like 10.0.0.1/9999999.
- */
- if (prefixlen > ipabytes * 8)
- prefixlen = ipabytes * 8;
-
- nbytes = prefixlen / 8;
- nbits = prefixlen % 8;
-
- if (nbytes > 0) {
- if (memcmp(pa, pb, nbytes) != 0)
- return (ISC_FALSE);
- }
- if (nbits > 0) {
- unsigned int bytea, byteb, mask;
- INSIST(nbytes < ipabytes);
- INSIST(nbits < 8);
- bytea = pa[nbytes];
- byteb = pb[nbytes];
- mask = (0xFF << (8-nbits)) & 0xFF;
- if ((bytea & mask) != (byteb & mask))
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-isc_result_t
-isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target) {
- char abuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")];
- char zbuf[sizeof("%4294967295")];
- unsigned int alen;
- int zlen;
- const char *r;
- const void *type;
-
- REQUIRE(netaddr != NULL);
-
- switch (netaddr->family) {
- case AF_INET:
- type = &netaddr->type.in;
- break;
- case AF_INET6:
- type = &netaddr->type.in6;
- break;
- default:
- return (ISC_R_FAILURE);
- }
- r = inet_ntop(netaddr->family, type, abuf, sizeof(abuf));
- if (r == NULL)
- return (ISC_R_FAILURE);
-
- alen = strlen(abuf);
- INSIST(alen < sizeof(abuf));
-
- zlen = 0;
- if (netaddr->family == AF_INET6 && netaddr->zone != 0) {
- zlen = snprintf(zbuf, sizeof(zbuf), "%%%u", netaddr->zone);
- if (zlen < 0)
- return (ISC_R_FAILURE);
- INSIST((unsigned int)zlen < sizeof(zbuf));
- }
-
- if (alen + zlen > isc_buffer_availablelength(target))
- return (ISC_R_NOSPACE);
-
- isc_buffer_putmem(target, (unsigned char *)abuf, alen);
- isc_buffer_putmem(target, (unsigned char *)zbuf, zlen);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size) {
- isc_result_t result;
- isc_buffer_t buf;
-
- isc_buffer_init(&buf, array, size);
- result = isc_netaddr_totext(na, &buf);
-
- /*
- * Null terminate.
- */
- if (result == ISC_R_SUCCESS) {
- if (isc_buffer_availablelength(&buf) >= 1)
- isc_buffer_putuint8(&buf, 0);
- else
- result = ISC_R_NOSPACE;
- }
-
- if (result != ISC_R_SUCCESS) {
- snprintf(array, size,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
- ISC_MSG_UNKNOWNADDR,
- "<unknown address, family %u>"),
- na->family);
- array[size - 1] = '\0';
- }
-}
-
-isc_result_t
-isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp) {
- unsigned int nbits, nbytes, ipbytes, i;
- const unsigned char *p;
-
- switch (s->family) {
- case AF_INET:
- p = (const unsigned char *) &s->type.in;
- ipbytes = 4;
- break;
- case AF_INET6:
- p = (const unsigned char *) &s->type.in6;
- ipbytes = 16;
- break;
- default:
- ipbytes = 0;
- return (ISC_R_NOTIMPLEMENTED);
- }
- nbytes = nbits = 0;
- for (i = 0; i < ipbytes; i++) {
- if (p[i] != 0xFF)
- break;
- }
- nbytes = i;
- if (i < ipbytes) {
- unsigned int c = p[nbytes];
- while ((c & 0x80) != 0 && nbits < 8) {
- c <<= 1; nbits++;
- }
- if ((c & 0xFF) != 0)
- return (ISC_R_MASKNONCONTIG);
- i++;
- }
- for (; i < ipbytes; i++) {
- if (p[i] != 0)
- return (ISC_R_MASKNONCONTIG);
- i++;
- }
- *lenp = nbytes * 8 + nbits;
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina) {
- memset(netaddr, 0, sizeof(*netaddr));
- netaddr->family = AF_INET;
- netaddr->type.in = *ina;
-}
-
-void
-isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6) {
- memset(netaddr, 0, sizeof(*netaddr));
- netaddr->family = AF_INET6;
- netaddr->type.in6 = *ina6;
-}
-
-void
-isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone) {
- /* we currently only support AF_INET6. */
- REQUIRE(netaddr->family == AF_INET6);
-
- netaddr->zone = zone;
-}
-
-isc_uint32_t
-isc_netaddr_getzone(const isc_netaddr_t *netaddr) {
- return (netaddr->zone);
-}
-
-void
-isc_netaddr_fromsockaddr(isc_netaddr_t *t, const isc_sockaddr_t *s) {
- int family = s->type.sa.sa_family;
- t->family = family;
- switch (family) {
- case AF_INET:
- t->type.in = s->type.sin.sin_addr;
- t->zone = 0;
- break;
- case AF_INET6:
- memcpy(&t->type.in6, &s->type.sin6.sin6_addr, 16);
-#ifdef ISC_PLATFORM_HAVESCOPEID
- t->zone = s->type.sin6.sin6_scope_id;
-#else
- t->zone = 0;
-#endif
- break;
- default:
- INSIST(0);
- }
-}
-
-void
-isc_netaddr_any(isc_netaddr_t *netaddr) {
- memset(netaddr, 0, sizeof(*netaddr));
- netaddr->family = AF_INET;
- netaddr->type.in.s_addr = INADDR_ANY;
-}
-
-void
-isc_netaddr_any6(isc_netaddr_t *netaddr) {
- memset(netaddr, 0, sizeof(*netaddr));
- netaddr->family = AF_INET6;
- netaddr->type.in6 = in6addr_any;
-}
-
-isc_boolean_t
-isc_netaddr_ismulticast(isc_netaddr_t *na) {
- switch (na->family) {
- case AF_INET:
- return (ISC_TF(ISC_IPADDR_ISMULTICAST(na->type.in.s_addr)));
- case AF_INET6:
- return (ISC_TF(IN6_IS_ADDR_MULTICAST(&na->type.in6)));
- default:
- return (ISC_FALSE); /* XXXMLG ? */
- }
-}
-
-isc_boolean_t
-isc_netaddr_isexperimental(isc_netaddr_t *na) {
- switch (na->family) {
- case AF_INET:
- return (ISC_TF(ISC_IPADDR_ISEXPERIMENTAL(na->type.in.s_addr)));
- default:
- return (ISC_FALSE); /* XXXMLG ? */
- }
-}
-
-isc_boolean_t
-isc_netaddr_islinklocal(isc_netaddr_t *na) {
- switch (na->family) {
- case AF_INET:
- return (ISC_FALSE);
- case AF_INET6:
- return (ISC_TF(IN6_IS_ADDR_LINKLOCAL(&na->type.in6)));
- default:
- return (ISC_FALSE);
- }
-}
-
-isc_boolean_t
-isc_netaddr_issitelocal(isc_netaddr_t *na) {
- switch (na->family) {
- case AF_INET:
- return (ISC_FALSE);
- case AF_INET6:
- return (ISC_TF(IN6_IS_ADDR_SITELOCAL(&na->type.in6)));
- default:
- return (ISC_FALSE);
- }
-}
-
-void
-isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
- isc_netaddr_t *src;
-
- DE_CONST(s, src); /* Must come before IN6_IS_ADDR_V4MAPPED. */
-
- REQUIRE(s->family == AF_INET6);
- REQUIRE(IN6_IS_ADDR_V4MAPPED(&src->type.in6));
-
- memset(t, 0, sizeof(*t));
- t->family = AF_INET;
- memcpy(&t->type.in, (char *)&src->type.in6 + 12, 4);
- return;
-}
diff --git a/contrib/bind9/lib/isc/netscope.c b/contrib/bind9/lib/isc/netscope.c
deleted file mode 100644
index 843c46df9e2b..000000000000
--- a/contrib/bind9/lib/isc/netscope.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
- "$Id: netscope.c,v 1.5.142.7 2004/03/12 10:31:26 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <isc/string.h>
-#include <isc/net.h>
-#include <isc/netscope.h>
-#include <isc/result.h>
-
-isc_result_t
-isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) {
- char *ep;
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
- unsigned int ifid;
-#endif
- struct in6_addr *in6;
- isc_uint32_t zone;
- isc_uint64_t llz;
-
- /* at this moment, we only support AF_INET6 */
- if (af != AF_INET6)
- return (ISC_R_FAILURE);
-
- in6 = (struct in6_addr *)addr;
-
- /*
- * Basically, "names" are more stable than numeric IDs in terms of
- * renumbering, and are more preferred. However, since there is no
- * standard naming convention and APIs to deal with the names. Thus,
- * we only handle the case of link-local addresses, for which we use
- * interface names as link names, assuming one to one mapping between
- * interfaces and links.
- */
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
- if (IN6_IS_ADDR_LINKLOCAL(in6) &&
- (ifid = if_nametoindex((const char *)scopename)) != 0)
- zone = (isc_uint32_t)ifid;
- else {
-#endif
- llz = isc_string_touint64(scopename, &ep, 10);
- if (ep == scopename)
- return (ISC_R_FAILURE);
-
- /* check overflow */
- zone = (isc_uint32_t)(llz & 0xffffffffUL);
- if (zone != llz)
- return (ISC_R_FAILURE);
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
- }
-#endif
-
- *zoneid = zone;
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/nls/Makefile.in b/contrib/bind9/lib/isc/nls/Makefile.in
deleted file mode 100644
index f16b4cb886b6..000000000000
--- a/contrib/bind9/lib/isc/nls/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:50 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-CINCLUDES = -I../unix/include \
- -I${srcdir}/../unix/include \
- -I../include \
- -I${srcdir}/../include
-
-CDEFINES =
-CWARNINGS =
-
-OBJS = msgcat.@O@
-
-SRCS = msgcat.c
-
-SUBDIRS =
-TARGETS = ${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nls/msgcat.c b/contrib/bind9/lib/isc/nls/msgcat.c
deleted file mode 100644
index 906e26e9070e..000000000000
--- a/contrib/bind9/lib/isc/nls/msgcat.c
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: msgcat.c,v 1.10.12.6 2005/06/09 23:54:31 marka Exp $ */
-
-/*
- * Principal Author: Bob Halley
- */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/magic.h>
-#include <isc/msgcat.h>
-#include <isc/util.h>
-
-#ifdef HAVE_CATGETS
-#include <nl_types.h> /* Required for nl_catd. */
-#endif
-
-/*
- * Implementation Notes:
- *
- * We use malloc() and free() instead of isc_mem_get() and isc_mem_put()
- * because we don't want to require a memory context to be specified
- * in order to use a message catalog.
- */
-
-struct isc_msgcat {
- unsigned int magic;
-#ifdef HAVE_CATGETS
- nl_catd catalog;
-#endif
-};
-
-#define MSGCAT_MAGIC ISC_MAGIC('M', 'C', 'a', 't')
-#define VALID_MSGCAT(m) ISC_MAGIC_VALID(m, MSGCAT_MAGIC)
-
-void
-isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp) {
- isc_msgcat_t *msgcat;
-
- /*
- * Open a message catalog.
- */
-
- REQUIRE(name != NULL);
- REQUIRE(msgcatp != NULL && *msgcatp == NULL);
-
- msgcat = malloc(sizeof(*msgcat));
- if (msgcat == NULL) {
- *msgcatp = NULL;
- return;
- }
-
-#ifdef HAVE_CATGETS
- /*
- * We don't check if catopen() fails because we don't care.
- * If it does fail, then when we call catgets(), it will use
- * the default string.
- */
- msgcat->catalog = catopen(name, 0);
-#endif
- msgcat->magic = MSGCAT_MAGIC;
-
- *msgcatp = msgcat;
-}
-
-void
-isc_msgcat_close(isc_msgcat_t **msgcatp) {
- isc_msgcat_t *msgcat;
-
- /*
- * Close a message catalog.
- */
-
- REQUIRE(msgcatp != NULL);
- msgcat = *msgcatp;
- REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
-
- if (msgcat != NULL) {
-#ifdef HAVE_CATGETS
- if (msgcat->catalog != (nl_catd)(-1))
- (void)catclose(msgcat->catalog);
-#endif
- msgcat->magic = 0;
- free(msgcat);
- }
-
- *msgcatp = NULL;
-}
-
-const char *
-isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
- const char *default_text)
-{
- /*
- * Get message 'message' from message set 'set' in 'msgcat'. If it
- * is not available, use 'default'.
- */
-
- REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
- REQUIRE(set > 0);
- REQUIRE(message > 0);
- REQUIRE(default_text != NULL);
-
-#ifdef HAVE_CATGETS
- if (msgcat == NULL)
- return (default_text);
- return (catgets(msgcat->catalog, set, message, default_text));
-#else
- return (default_text);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/nothreads/Makefile.in b/contrib/bind9/lib/isc/nothreads/Makefile.in
deleted file mode 100644
index 639c9fa6e0c8..000000000000
--- a/contrib/bind9/lib/isc/nothreads/Makefile.in
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:51 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-CINCLUDES = -I${srcdir}/include \
- -I${srcdir}/../unix/include \
- -I../include \
- -I${srcdir}/../include \
- -I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-OBJS = condition.@O@ mutex.@O@ thread.@O@
-
-SRCS = condition.c mutex.c thread.c
-
-SUBDIRS = include
-TARGETS = ${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nothreads/condition.c b/contrib/bind9/lib/isc/nothreads/condition.c
deleted file mode 100644
index 0bc6196a1a73..000000000000
--- a/contrib/bind9/lib/isc/nothreads/condition.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
diff --git a/contrib/bind9/lib/isc/nothreads/include/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/Makefile.in
deleted file mode 100644
index 4c582695562e..000000000000
--- a/contrib/bind9/lib/isc/nothreads/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
deleted file mode 100644
index 6717404be28d..000000000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:52 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS = condition.h mutex.h once.h thread.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
- done
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/condition.h b/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
deleted file mode 100644
index b899a8267984..000000000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.h,v 1.3.206.1 2004/03/06 08:14:52 marka Exp $ */
-
-/*
- * This provides a limited subset of the isc_condition_t
- * functionality for use by single-threaded programs that
- * need to block waiting for events. Only a single
- * call to isc_condition_wait() may be blocked at any given
- * time, and the _waituntil and _broadcast functions are not
- * supported. This is intended primarily for use by the omapi
- * library, and may go away once omapi goes away. Use for
- * other purposes is strongly discouraged.
- */
-
-#ifndef ISC_CONDITION_H
-#define ISC_CONDITION_H 1
-
-#include <isc/mutex.h>
-
-typedef int isc_condition_t;
-
-isc_result_t isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp);
-isc_result_t isc__nothread_signal_hack(isc_condition_t *cp);
-
-#define isc_condition_init(cp) \
- (*(cp) = 0, ISC_R_SUCCESS)
-
-#define isc_condition_wait(cp, mp) \
- isc__nothread_wait_hack(cp, mp)
-
-#define isc_condition_waituntil(cp, mp, tp) \
- ((void)(cp), (void)(mp), (void)(tp), ISC_R_NOTIMPLEMENTED)
-
-#define isc_condition_signal(cp) \
- isc__nothread_signal_hack(cp)
-
-#define isc_condition_broadcast(cp) \
- ((void)(cp), ISC_R_NOTIMPLEMENTED)
-
-#define isc_condition_destroy(cp) \
- (*(cp) == 0 ? (*(cp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
-
-#endif /* ISC_CONDITION_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h b/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
deleted file mode 100644
index c80a945b839c..000000000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
-
-#ifndef ISC_MUTEX_H
-#define ISC_MUTEX_H 1
-
-#include <isc/result.h> /* for ISC_R_ codes */
-
-typedef int isc_mutex_t;
-
-#define isc_mutex_init(mp) \
- (*(mp) = 0, ISC_R_SUCCESS)
-#define isc_mutex_lock(mp) \
- ((*(mp))++ == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#define isc_mutex_unlock(mp) \
- (--(*(mp)) == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#define isc_mutex_trylock(mp) \
- (*(mp) == 0 ? ((*(mp))++, ISC_R_SUCCESS) : ISC_R_LOCKBUSY)
-#define isc_mutex_destroy(mp) \
- (*(mp) == 0 ? (*(mp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
-#define isc_mutex_stats(fp)
-
-#endif /* ISC_MUTEX_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/once.h b/contrib/bind9/lib/isc/nothreads/include/isc/once.h
deleted file mode 100644
index 9f54ac8fda63..000000000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/once.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: once.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
-
-#ifndef ISC_ONCE_H
-#define ISC_ONCE_H 1
-
-#include <isc/result.h>
-
-typedef isc_boolean_t isc_once_t;
-
-#define ISC_ONCE_INIT ISC_FALSE
-
-#define isc_once_do(op, f) \
- (!*(op) ? (f(), *(op) = ISC_TRUE, ISC_R_SUCCESS) : ISC_R_SUCCESS)
-
-#endif /* ISC_ONCE_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/thread.h b/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
deleted file mode 100644
index e045b98b5bf6..000000000000
--- a/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
-
-#ifndef ISC_THREAD_H
-#define ISC_THREAD_H 1
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_thread_setconcurrency(unsigned int level);
-
-#define isc_thread_self() ((unsigned long)0)
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_THREAD_H */
diff --git a/contrib/bind9/lib/isc/nothreads/mutex.c b/contrib/bind9/lib/isc/nothreads/mutex.c
deleted file mode 100644
index cc7572a69738..000000000000
--- a/contrib/bind9/lib/isc/nothreads/mutex.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
-
-#include <isc/util.h>
-
-EMPTY_TRANSLATION_UNIT
-
diff --git a/contrib/bind9/lib/isc/nothreads/thread.c b/contrib/bind9/lib/isc/nothreads/thread.c
deleted file mode 100644
index 1aea72ad85a3..000000000000
--- a/contrib/bind9/lib/isc/nothreads/thread.c
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.c,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/thread.h>
-#include <isc/util.h>
-
-void
-isc_thread_setconcurrency(unsigned int level) {
- UNUSED(level);
-}
diff --git a/contrib/bind9/lib/isc/ondestroy.c b/contrib/bind9/lib/isc/ondestroy.c
deleted file mode 100644
index aacb8f2db6b5..000000000000
--- a/contrib/bind9/lib/isc/ondestroy.c
+++ /dev/null
@@ -1,83 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ondestroy.c,v 1.11.206.1 2004/03/06 08:14:33 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/event.h>
-#include <isc/magic.h>
-#include <isc/ondestroy.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#define ONDESTROY_MAGIC ISC_MAGIC('D', 'e', 'S', 't')
-#define VALID_ONDESTROY(s) ISC_MAGIC_VALID(s, ONDESTROY_MAGIC)
-
-void
-isc_ondestroy_init(isc_ondestroy_t *ondest) {
- ondest->magic = ONDESTROY_MAGIC;
- ISC_LIST_INIT(ondest->events);
-}
-
-isc_result_t
-isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
- isc_event_t **eventp)
-{
- isc_event_t *theevent;
- isc_task_t *thetask = NULL;
-
- REQUIRE(VALID_ONDESTROY(ondest));
- REQUIRE(task != NULL);
- REQUIRE(eventp != NULL);
-
- theevent = *eventp;
-
- REQUIRE(theevent != NULL);
-
- isc_task_attach(task, &thetask);
-
- theevent->ev_sender = thetask;
-
- ISC_LIST_APPEND(ondest->events, theevent, ev_link);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender) {
- isc_event_t *eventp;
- isc_task_t *task;
-
- REQUIRE(VALID_ONDESTROY(ondest));
-
- eventp = ISC_LIST_HEAD(ondest->events);
- while (eventp != NULL) {
- ISC_LIST_UNLINK(ondest->events, eventp, ev_link);
-
- task = eventp->ev_sender;
- eventp->ev_sender = sender;
-
- isc_task_sendanddetach(&task, &eventp);
-
- eventp = ISC_LIST_HEAD(ondest->events);
- }
-}
-
-
diff --git a/contrib/bind9/lib/isc/parseint.c b/contrib/bind9/lib/isc/parseint.c
deleted file mode 100644
index fe74e57c3e64..000000000000
--- a/contrib/bind9/lib/isc/parseint.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: parseint.c,v 1.3.26.5 2004/03/08 09:04:49 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <limits.h>
-
-#include <isc/parseint.h>
-#include <isc/result.h>
-#include <isc/stdlib.h>
-
-isc_result_t
-isc_parse_uint32(isc_uint32_t *uip, const char *string, int base) {
- unsigned long n;
- char *e;
- if (! isalnum((unsigned char)(string[0])))
- return (ISC_R_BADNUMBER);
- errno = 0;
- n = strtoul(string, &e, base);
- if (*e != '\0')
- return (ISC_R_BADNUMBER);
- if (n == ULONG_MAX && errno == ERANGE)
- return (ISC_R_RANGE);
- *uip = n;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_parse_uint16(isc_uint16_t *uip, const char *string, int base) {
- isc_uint32_t val;
- isc_result_t result;
- result = isc_parse_uint32(&val, string, base);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (val > 0xFFFF)
- return (ISC_R_RANGE);
- *uip = (isc_uint16_t) val;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_parse_uint8(isc_uint8_t *uip, const char *string, int base) {
- isc_uint32_t val;
- isc_result_t result;
- result = isc_parse_uint32(&val, string, base);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (val > 0xFF)
- return (ISC_R_RANGE);
- *uip = (isc_uint8_t) val;
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c
deleted file mode 100644
index 6542fe4f1909..000000000000
--- a/contrib/bind9/lib/isc/print.c
+++ /dev/null
@@ -1,556 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print.c,v 1.22.2.3.2.3 2004/03/06 08:14:33 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdio.h> /* for sprintf */
-
-#define ISC__PRINT_SOURCE /* Used to get the isc_print_* prototypes. */
-
-#include <isc/assertions.h>
-#include <isc/int.h>
-#include <isc/msgs.h>
-#include <isc/print.h>
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-int
-isc_print_sprintf(char *str, const char *format, ...) {
- va_list ap;
-
- va_start(ap, format);
- vsprintf(str, format, ap);
- va_end(ap);
- return (strlen(str));
-}
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-int
-isc_print_snprintf(char *str, size_t size, const char *format, ...) {
- va_list ap;
- int ret;
-
- va_start(ap, format);
- ret = vsnprintf(str, size, format, ap);
- va_end(ap);
- return (ret);
-
-}
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-int
-isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
- int h;
- int l;
- int q;
- int alt;
- int zero;
- int left;
- int plus;
- int space;
- int neg;
- isc_int64_t tmpi;
- isc_uint64_t tmpui;
- unsigned long width;
- unsigned long precision;
- unsigned int length;
- char buf[1024];
- char c;
- void *v;
- char *save = str;
- const char *cp;
- const char *head;
- int count = 0;
- int pad;
- int zeropad;
- int dot;
- double dbl;
-#ifdef HAVE_LONG_DOUBLE
- long double ldbl;
-#endif
- char fmt[32];
-
- INSIST(str != NULL);
- INSIST(format != NULL);
-
- while (*format != '\0') {
- if (*format != '%') {
- if (size > 1) {
- *str++ = *format;
- size--;
- }
- count++;
- format++;
- continue;
- }
- format++;
-
- /*
- * Reset flags.
- */
- dot = neg = space = plus = left = zero = alt = h = l = q = 0;
- width = precision = 0;
- head = "";
- length = pad = zeropad = 0;
-
- do {
- if (*format == '#') {
- alt = 1;
- format++;
- } else if (*format == '-') {
- left = 1;
- zero = 0;
- format++;
- } else if (*format == ' ') {
- if (!plus)
- space = 1;
- format++;
- } else if (*format == '+') {
- plus = 1;
- space = 0;
- format++;
- } else if (*format == '0') {
- if (!left)
- zero = 1;
- format++;
- } else
- break;
- } while (1);
-
- /*
- * Width.
- */
- if (*format == '*') {
- width = va_arg(ap, int);
- format++;
- } else if (isdigit((unsigned char)*format)) {
- char *e;
- width = strtoul(format, &e, 10);
- format = e;
- }
-
- /*
- * Precision.
- */
- if (*format == '.') {
- format++;
- dot = 1;
- if (*format == '*') {
- precision = va_arg(ap, int);
- format++;
- } else if (isdigit((unsigned char)*format)) {
- char *e;
- precision = strtoul(format, &e, 10);
- format = e;
- }
- }
-
- switch (*format) {
- case '\0':
- continue;
- case '%':
- if (size > 1) {
- *str++ = *format;
- size--;
- }
- count++;
- break;
- case 'q':
- q = 1;
- format++;
- goto doint;
- case 'h':
- h = 1;
- format++;
- goto doint;
- case 'l':
- l = 1;
- format++;
- if (*format == 'l') {
- q = 1;
- format++;
- }
- goto doint;
- case 'n':
- case 'i':
- case 'd':
- case 'o':
- case 'u':
- case 'x':
- case 'X':
- doint:
- if (precision != 0)
- zero = 0;
- switch (*format) {
- case 'n':
- if (h) {
- short int *p;
- p = va_arg(ap, short *);
- REQUIRE(p != NULL);
- *p = str - save;
- } else if (l) {
- long int *p;
- p = va_arg(ap, long *);
- REQUIRE(p != NULL);
- *p = str - save;
- } else {
- int *p;
- p = va_arg(ap, int *);
- REQUIRE(p != NULL);
- *p = str - save;
- }
- break;
- case 'i':
- case 'd':
- if (q)
- tmpi = va_arg(ap, isc_int64_t);
- else if (l)
- tmpi = va_arg(ap, long int);
- else
- tmpi = va_arg(ap, int);
- if (tmpi < 0) {
- head = "-";
- tmpui = -tmpi;
- } else {
- if (plus)
- head = "+";
- else if (space)
- head = " ";
- else
- head = "";
- tmpui = tmpi;
- }
- sprintf(buf, "%" ISC_PRINT_QUADFORMAT "u",
- tmpui);
- goto printint;
- case 'o':
- if (q)
- tmpui = va_arg(ap, isc_uint64_t);
- else if (l)
- tmpui = va_arg(ap, long int);
- else
- tmpui = va_arg(ap, int);
- sprintf(buf,
- alt ? "%#" ISC_PRINT_QUADFORMAT "o"
- : "%" ISC_PRINT_QUADFORMAT "o",
- tmpui);
- goto printint;
- case 'u':
- if (q)
- tmpui = va_arg(ap, isc_uint64_t);
- else if (l)
- tmpui = va_arg(ap, unsigned long int);
- else
- tmpui = va_arg(ap, unsigned int);
- sprintf(buf, "%" ISC_PRINT_QUADFORMAT "u",
- tmpui);
- goto printint;
- case 'x':
- if (q)
- tmpui = va_arg(ap, isc_uint64_t);
- else if (l)
- tmpui = va_arg(ap, unsigned long int);
- else
- tmpui = va_arg(ap, unsigned int);
- if (alt) {
- head = "0x";
- if (precision > 2)
- precision -= 2;
- }
- sprintf(buf, "%" ISC_PRINT_QUADFORMAT "x",
- tmpui);
- goto printint;
- case 'X':
- if (q)
- tmpui = va_arg(ap, isc_uint64_t);
- else if (l)
- tmpui = va_arg(ap, unsigned long int);
- else
- tmpui = va_arg(ap, unsigned int);
- if (alt) {
- head = "0X";
- if (precision > 2)
- precision -= 2;
- }
- sprintf(buf, "%" ISC_PRINT_QUADFORMAT "X",
- tmpui);
- goto printint;
- printint:
- if (precision != 0 || width != 0) {
- length = strlen(buf);
- if (length < precision)
- zeropad = precision - length;
- else if (length < width && zero)
- zeropad = width - length;
- if (width != 0) {
- pad = width - length -
- zeropad - strlen(head);
- if (pad < 0)
- pad = 0;
- }
- }
- count += strlen(head) + strlen(buf) + pad +
- zeropad;
- if (!left) {
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- }
- cp = head;
- while (*cp != '\0' && size > 1) {
- *str++ = *cp++;
- size--;
- }
- while (zeropad > 0 && size > 1) {
- *str++ = '0';
- size--;
- zeropad--;
- }
- cp = buf;
- while (*cp != '\0' && size > 1) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- default:
- break;
- }
- break;
- case 's':
- cp = va_arg(ap, char *);
- REQUIRE(cp != NULL);
-
- if (precision != 0) {
- /*
- * cp need not be NULL terminated.
- */
- const char *tp;
- unsigned long n;
-
- n = precision;
- tp = cp;
- while (n != 0 && *tp != '\0')
- n--, tp++;
- length = precision - n;
- } else {
- length = strlen(cp);
- }
- if (width != 0) {
- pad = width - length;
- if (pad < 0)
- pad = 0;
- }
- count += pad + length;
- if (!left)
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- if (precision != 0)
- while (precision > 0 && *cp != '\0' &&
- size > 1) {
- *str++ = *cp++;
- size--;
- precision--;
- }
- else
- while (*cp != '\0' && size > 1) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- case 'c':
- c = va_arg(ap, int);
- if (width > 0) {
- count += width;
- width--;
- if (left) {
- *str++ = c;
- size--;
- }
- while (width-- > 0 && size > 1) {
- *str++ = ' ';
- size--;
- }
- if (!left && size > 1) {
- *str++ = c;
- size--;
- }
- } else {
- count++;
- if (size > 1) {
- *str++ = c;
- size--;
- }
- }
- break;
- case 'p':
- v = va_arg(ap, void *);
- sprintf(buf, "%p", v);
- length = strlen(buf);
- if (precision > length)
- zeropad = precision - length;
- if (width > 0) {
- pad = width - length - zeropad;
- if (pad < 0)
- pad = 0;
- }
- count += length + pad + zeropad;
- if (!left)
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- cp = buf;
- if (zeropad > 0 && buf[0] == '0' &&
- (buf[1] == 'x' || buf[1] == 'X')) {
- if (size > 1) {
- *str++ = *cp++;
- size--;
- }
- if (size > 1) {
- *str++ = *cp++;
- size--;
- }
- while (zeropad > 0 && size > 1) {
- *str++ = '0';
- size--;
- zeropad--;
- }
- }
- while (*cp != '\0' && size > 1) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- case 'D': /*deprecated*/
- INSIST("use %ld instead of %D" == NULL);
- case 'O': /*deprecated*/
- INSIST("use %lo instead of %O" == NULL);
- case 'U': /*deprecated*/
- INSIST("use %lu instead of %U" == NULL);
-
- case 'L':
-#ifdef HAVE_LONG_DOUBLE
- l = 1;
-#else
- INSIST("long doubles are not supported" == NULL);
-#endif
- /*FALLTHROUGH*/
- case 'e':
- case 'E':
- case 'f':
- case 'g':
- case 'G':
- if (!dot)
- precision = 6;
- /*
- * IEEE floating point.
- * MIN 2.2250738585072014E-308
- * MAX 1.7976931348623157E+308
- * VAX floating point has a smaller range than IEEE.
- *
- * precisions > 324 don't make much sense.
- * if we cap the precision at 512 we will not
- * overflow buf.
- */
- if (precision > 512)
- precision = 512;
- sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
- plus ? "+" : space ? " " : "",
- precision, l ? "L" : "", *format);
- switch (*format) {
- case 'e':
- case 'E':
- case 'f':
- case 'g':
- case 'G':
-#ifdef HAVE_LONG_DOUBLE
- if (l) {
- ldbl = va_arg(ap, long double);
- sprintf(buf, fmt, ldbl);
- } else
-#endif
- {
- dbl = va_arg(ap, double);
- sprintf(buf, fmt, dbl);
- }
- length = strlen(buf);
- if (width > 0) {
- pad = width - length;
- if (pad < 0)
- pad = 0;
- }
- count += length + pad;
- if (!left)
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- cp = buf;
- while (*cp != ' ' && size > 1) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- default:
- continue;
- }
- break;
- default:
- continue;
- }
- format++;
- }
- if (size > 0)
- *str = '\0';
- return (count);
-}
diff --git a/contrib/bind9/lib/isc/pthreads/Makefile.in b/contrib/bind9/lib/isc/pthreads/Makefile.in
deleted file mode 100644
index f245afa925ec..000000000000
--- a/contrib/bind9/lib/isc/pthreads/Makefile.in
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.16.206.1 2004/03/06 08:14:53 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-CINCLUDES = -I${srcdir}/include \
- -I${srcdir}/../unix/include \
- -I../include \
- -I${srcdir}/../include \
- -I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-OBJS = condition.@O@ mutex.@O@ thread.@O@
-
-SRCS = condition.c mutex.c thread.c
-
-SUBDIRS = include
-TARGETS = ${OBJS}
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/pthreads/condition.c b/contrib/bind9/lib/isc/pthreads/condition.c
deleted file mode 100644
index 489980c1f5a9..000000000000
--- a/contrib/bind9/lib/isc/pthreads/condition.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.c,v 1.30.2.1.10.1 2004/03/06 08:14:53 marka Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-
-#include <isc/condition.h>
-#include <isc/msgs.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) {
- int presult;
- isc_result_t result;
- struct timespec ts;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(c != NULL && m != NULL && t != NULL);
-
- /*
- * POSIX defines a timespec's tv_sec as time_t.
- */
- result = isc_time_secondsastimet(t, &ts.tv_sec);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * POSIX defines a timespec's tv_nsec as long. isc_time_nanoseconds
- * ensures its return value is < 1 billion, which will fit in a long.
- */
- ts.tv_nsec = (long)isc_time_nanoseconds(t);
-
- do {
-#if ISC_MUTEX_PROFILE
- presult = pthread_cond_timedwait(c, &m->mutex, &ts);
-#else
- presult = pthread_cond_timedwait(c, m, &ts);
-#endif
- if (presult == 0)
- return (ISC_R_SUCCESS);
- if (presult == ETIMEDOUT)
- return (ISC_R_TIMEDOUT);
- } while (presult == EINTR);
-
- isc__strerror(presult, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "pthread_cond_timedwait() %s %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_RETURNED, "returned"),
- strbuf);
- return (ISC_R_UNEXPECTED);
-}
diff --git a/contrib/bind9/lib/isc/pthreads/include/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/Makefile.in
deleted file mode 100644
index 5fec836cd71c..000000000000
--- a/contrib/bind9/lib/isc/pthreads/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:54 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
deleted file mode 100644
index dd15a11bf28a..000000000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.13.206.1 2004/03/06 08:14:56 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS = condition.h mutex.h once.h thread.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
- done
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/condition.h b/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
deleted file mode 100644
index c33772f1a149..000000000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: condition.h,v 1.21.206.1 2004/03/06 08:14:56 marka Exp $ */
-
-#ifndef ISC_CONDITION_H
-#define ISC_CONDITION_H 1
-
-#include <isc/lang.h>
-#include <isc/mutex.h>
-#include <isc/result.h>
-#include <isc/types.h>
-
-typedef pthread_cond_t isc_condition_t;
-
-#define isc_condition_init(cp) \
- ((pthread_cond_init((cp), NULL) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#if ISC_MUTEX_PROFILE
-#define isc_condition_wait(cp, mp) \
- ((pthread_cond_wait((cp), &((mp)->mutex)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#else
-#define isc_condition_wait(cp, mp) \
- ((pthread_cond_wait((cp), (mp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#define isc_condition_signal(cp) \
- ((pthread_cond_signal((cp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#define isc_condition_broadcast(cp) \
- ((pthread_cond_broadcast((cp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#define isc_condition_destroy(cp) \
- ((pthread_cond_destroy((cp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_CONDITION_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h b/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
deleted file mode 100644
index f6e526d8b2fa..000000000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
+++ /dev/null
@@ -1,139 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.h,v 1.23.26.3 2004/03/08 09:04:55 marka Exp $ */
-
-#ifndef ISC_MUTEX_H
-#define ISC_MUTEX_H 1
-
-#include <pthread.h>
-#include <stdio.h>
-
-#include <isc/result.h> /* for ISC_R_ codes */
-
-/*
- * Supply mutex attributes that enable deadlock detection
- * (helpful when debugging). This is system dependent and
- * currently only supported on NetBSD.
- */
-#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
-extern pthread_mutexattr_t isc__mutex_attrs;
-#define ISC__MUTEX_ATTRS &isc__mutex_attrs
-#else
-#define ISC__MUTEX_ATTRS NULL
-#endif
-
-/* XXX We could do fancier error handling... */
-
-/*
- * Define ISC_MUTEX_PROFILE to turn on profiling of mutexes by line. When
- * enabled, isc_mutex_stats() can be used to print a table showing the
- * number of times each type of mutex was locked and the amount of time
- * waiting to obtain the lock.
- */
-#ifndef ISC_MUTEX_PROFILE
-#define ISC_MUTEX_PROFILE 0
-#endif
-
-#if ISC_MUTEX_PROFILE
-typedef struct isc_mutexstats isc_mutexstats_t;
-
-typedef struct {
- pthread_mutex_t mutex; /* The actual mutex. */
- isc_mutexstats_t * stats; /* Mutex statistics. */
-} isc_mutex_t;
-#else
-typedef pthread_mutex_t isc_mutex_t;
-#endif
-
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_init(mp) \
- isc_mutex_init_profile((mp), __FILE__, __LINE__)
-#else
-#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
-#define isc_mutex_init(mp) \
- isc_mutex_init_errcheck((mp))
-#else
-#define isc_mutex_init(mp) \
- ((pthread_mutex_init((mp), ISC__MUTEX_ATTRS) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_lock(mp) \
- isc_mutex_lock_profile((mp), __FILE__, __LINE__)
-#else
-#define isc_mutex_lock(mp) \
- ((pthread_mutex_lock((mp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_unlock(mp) \
- isc_mutex_unlock_profile((mp), __FILE__, __LINE__)
-#else
-#define isc_mutex_unlock(mp) \
- ((pthread_mutex_unlock((mp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_trylock(mp) \
- ((pthread_mutex_trylock((&(mp)->mutex)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_LOCKBUSY)
-#else
-#define isc_mutex_trylock(mp) \
- ((pthread_mutex_trylock((mp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_LOCKBUSY)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_destroy(mp) \
- ((pthread_mutex_destroy((&(mp)->mutex)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#else
-#define isc_mutex_destroy(mp) \
- ((pthread_mutex_destroy((mp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-#endif
-
-#if ISC_MUTEX_PROFILE
-#define isc_mutex_stats(fp) isc_mutex_statsprofile(fp);
-#else
-#define isc_mutex_stats(fp)
-#endif
-
-#if ISC_MUTEX_PROFILE
-
-isc_result_t
-isc_mutex_init_profile(isc_mutex_t *mp, const char * _file, int _line);
-isc_result_t
-isc_mutex_lock_profile(isc_mutex_t *mp, const char * _file, int _line);
-isc_result_t
-isc_mutex_unlock_profile(isc_mutex_t *mp, const char * _file, int _line);
-
-void
-isc_mutex_statsprofile(FILE *fp);
-
-isc_result_t
-isc_mutex_init_errcheck(isc_mutex_t *mp);
-
-#endif /* ISC_MUTEX_PROFILE */
-
-#endif /* ISC_MUTEX_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/once.h b/contrib/bind9/lib/isc/pthreads/include/isc/once.h
deleted file mode 100644
index 39b4885a8538..000000000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/once.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: once.h,v 1.8.206.1 2004/03/06 08:14:57 marka Exp $ */
-
-#ifndef ISC_ONCE_H
-#define ISC_ONCE_H 1
-
-#include <pthread.h>
-
-#include <isc/platform.h>
-#include <isc/result.h>
-
-typedef pthread_once_t isc_once_t;
-
-#ifdef ISC_PLATFORM_BRACEPTHREADONCEINIT
-/*
- * This accomodates systems that define PTHRAD_ONCE_INIT improperly.
- */
-#define ISC_ONCE_INIT { PTHREAD_ONCE_INIT }
-#else
-/*
- * This is the usual case.
- */
-#define ISC_ONCE_INIT PTHREAD_ONCE_INIT
-#endif
-
-/* XXX We could do fancier error handling... */
-
-#define isc_once_do(op, f) \
- ((pthread_once((op), (f)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#endif /* ISC_ONCE_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/thread.h b/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
deleted file mode 100644
index 6287dcd07e37..000000000000
--- a/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.h,v 1.19.206.1 2004/03/06 08:14:57 marka Exp $ */
-
-#ifndef ISC_THREAD_H
-#define ISC_THREAD_H 1
-
-#include <pthread.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef pthread_t isc_thread_t;
-typedef void * isc_threadresult_t;
-typedef void * isc_threadarg_t;
-typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t);
-
-isc_result_t
-isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
-
-void
-isc_thread_setconcurrency(unsigned int level);
-
-/* XXX We could do fancier error handling... */
-
-#define isc_thread_join(t, rp) \
- ((pthread_join((t), (rp)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED)
-
-#define isc_thread_self \
- (unsigned long)pthread_self
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_THREAD_H */
diff --git a/contrib/bind9/lib/isc/pthreads/mutex.c b/contrib/bind9/lib/isc/pthreads/mutex.c
deleted file mode 100644
index 71db6696610d..000000000000
--- a/contrib/bind9/lib/isc/pthreads/mutex.c
+++ /dev/null
@@ -1,241 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: mutex.c,v 1.6.26.5 2005/03/17 03:58:32 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <time.h>
-#include <sys/time.h>
-
-#include <isc/mutex.h>
-#include <isc/util.h>
-
-#if ISC_MUTEX_PROFILE
-
-/* Operations on timevals; adapted from FreeBSD's sys/time.h */
-#define timevalclear(tvp) ((tvp)->tv_sec = (tvp)->tv_usec = 0)
-#define timevaladd(vvp, uvp) \
- do { \
- (vvp)->tv_sec += (uvp)->tv_sec; \
- (vvp)->tv_usec += (uvp)->tv_usec; \
- if ((vvp)->tv_usec >= 1000000) { \
- (vvp)->tv_sec++; \
- (vvp)->tv_usec -= 1000000; \
- } \
- } while (0)
-#define timevalsub(vvp, uvp) \
- do { \
- (vvp)->tv_sec -= (uvp)->tv_sec; \
- (vvp)->tv_usec -= (uvp)->tv_usec; \
- if ((vvp)->tv_usec < 0) { \
- (vvp)->tv_sec--; \
- (vvp)->tv_usec += 1000000; \
- } \
- } while (0)
-
-#define ISC_MUTEX_MAX_LOCKERS 32
-
-typedef struct {
- const char * file;
- int line;
- unsigned count;
- struct timeval locked_total;
- struct timeval wait_total;
-} isc_mutexlocker_t;
-
-struct isc_mutexstats {
- const char * file; /* File mutex was created in. */
- int line; /* Line mutex was created on. */
- unsigned count;
- struct timeval lock_t;
- struct timeval locked_total;
- struct timeval wait_total;
- isc_mutexlocker_t * cur_locker;
- isc_mutexlocker_t lockers[ISC_MUTEX_MAX_LOCKERS];
-};
-
-#define TABLESIZE (8 * 1024)
-static isc_mutexstats_t stats[TABLESIZE];
-static isc_boolean_t stats_init = ISC_FALSE;
-static pthread_mutex_t statslock = PTHREAD_MUTEX_INITIALIZER;
-
-
-isc_result_t
-isc_mutex_init_profile(isc_mutex_t *mp, const char *file, int line) {
- int i;
-
- if (pthread_mutex_init(&mp->mutex, NULL) != 0)
- return ISC_R_UNEXPECTED;
-
- RUNTIME_CHECK(pthread_mutex_lock(&statslock) == 0);
-
- if (stats_init == ISC_FALSE) {
- for (i = 0; i < TABLESIZE; i++) {
- stats[i].file = NULL;
- }
- stats_init = ISC_TRUE;
- }
-
- mp->stats = NULL;
- for (i = 0; i < TABLESIZE; i++) {
- if (stats[i].file == NULL) {
- mp->stats = &stats[i];
- break;
- }
- }
- RUNTIME_CHECK(mp->stats != NULL);
-
- RUNTIME_CHECK(pthread_mutex_unlock(&statslock) == 0);
-
- mp->stats->file = file;
- mp->stats->line = line;
- mp->stats->count = 0;
- timevalclear(&mp->stats->locked_total);
- timevalclear(&mp->stats->wait_total);
- for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
- mp->stats->lockers[i].file = NULL;
- mp->stats->lockers[i].line = 0;
- mp->stats->lockers[i].count = 0;
- timevalclear(&mp->stats->lockers[i].locked_total);
- timevalclear(&mp->stats->lockers[i].wait_total);
- }
-
- return ISC_R_SUCCESS;
-}
-
-isc_result_t
-isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
- struct timeval prelock_t;
- struct timeval postlock_t;
- isc_mutexlocker_t *locker = NULL;
- int i;
-
- gettimeofday(&prelock_t, NULL);
-
- if (pthread_mutex_lock(&mp->mutex) != 0)
- return (ISC_R_UNEXPECTED);
-
- gettimeofday(&postlock_t, NULL);
- mp->stats->lock_t = postlock_t;
-
- timevalsub(&postlock_t, &prelock_t);
-
- mp->stats->count++;
- timevaladd(&mp->stats->wait_total, &postlock_t);
-
- for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
- if (mp->stats->lockers[i].file == NULL) {
- locker = &mp->stats->lockers[i];
- locker->file = file;
- locker->line = line;
- break;
- } else if (mp->stats->lockers[i].file == file &&
- mp->stats->lockers[i].line == line) {
- locker = &mp->stats->lockers[i];
- break;
- }
- }
-
- if (locker != NULL) {
- locker->count++;
- timevaladd(&locker->wait_total, &postlock_t);
- }
-
- mp->stats->cur_locker = locker;
-
- return ISC_R_SUCCESS;
-}
-
-isc_result_t
-isc_mutex_unlock_profile(isc_mutex_t *mp, const char *file, int line) {
- struct timeval unlock_t;
-
- UNUSED(file);
- UNUSED(line);
-
- if (mp->stats->cur_locker != NULL) {
- gettimeofday(&unlock_t, NULL);
- timevalsub(&unlock_t, &mp->stats->lock_t);
- timevaladd(&mp->stats->locked_total, &unlock_t);
- timevaladd(&mp->stats->cur_locker->locked_total, &unlock_t);
- mp->stats->cur_locker = NULL;
- }
-
- return ((pthread_mutex_unlock((&mp->mutex)) == 0) ? \
- ISC_R_SUCCESS : ISC_R_UNEXPECTED);
-}
-
-
-void
-isc_mutex_statsprofile(FILE *fp) {
- isc_mutexlocker_t *locker;
- int i, j;
- fprintf(fp, "Mutex stats (in us)\n");
- for (i = 0; i < TABLESIZE; i++) {
- if (stats[i].file == NULL)
- continue;
- fprintf(fp, "%-12s %4d: %10u %lu.%06lu %lu.%06lu\n",
- stats[i].file, stats[i].line, stats[i].count,
- stats[i].locked_total.tv_sec,
- stats[i].locked_total.tv_usec,
- stats[i].wait_total.tv_sec,
- stats[i].wait_total.tv_usec
- );
- for (j = 0; j < ISC_MUTEX_MAX_LOCKERS; j++) {
- locker = &stats[i].lockers[j];
- if (locker->file == NULL)
- continue;
- fprintf(fp, " %-11s %4d: %10u %lu.%06lu %lu.%06lu\n",
- locker->file, locker->line, locker->count,
- locker->locked_total.tv_sec,
- locker->locked_total.tv_usec,
- locker->wait_total.tv_sec,
- locker->wait_total.tv_usec
- );
- }
- }
-}
-
-#endif /* ISC_MUTEX_PROFILE */
-
-#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
-isc_result_t
-isc_mutex_init_errcheck(isc_mutex_t *mp)
-{
- pthread_mutexattr_t attr;
-
- if (pthread_mutexattr_init(&attr) != 0)
- return ISC_R_UNEXPECTED;
-
- if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
- return ISC_R_UNEXPECTED;
-
- if (pthread_mutex_init(mp, &attr) != 0)
- return ISC_R_UNEXPECTED;
-
- return ISC_R_SUCCESS;
-}
-#endif
-
-#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
-pthread_mutexattr_t isc__mutex_attrs = {
- PTHREAD_MUTEX_ERRORCHECK, /* m_type */
- 0 /* m_flags, which appears to be unused. */
-};
-#endif
diff --git a/contrib/bind9/lib/isc/pthreads/thread.c b/contrib/bind9/lib/isc/pthreads/thread.c
deleted file mode 100644
index a07daf804aea..000000000000
--- a/contrib/bind9/lib/isc/pthreads/thread.c
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: thread.c,v 1.9.2.2.2.2 2004/12/04 06:50:03 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#ifndef THREAD_MINSTACKSIZE
-#define THREAD_MINSTACKSIZE (64U * 1024)
-#endif
-
-isc_result_t
-isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
- isc_thread_t *thread)
-{
- pthread_attr_t attr;
- size_t stacksize;
- int ret;
-
- pthread_attr_init(&attr);
-
-#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
- defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
- ret = pthread_attr_getstacksize(&attr, &stacksize);
- if (ret != 0)
- return (ISC_R_UNEXPECTED);
-
- if (stacksize < THREAD_MINSTACKSIZE) {
- ret = pthread_attr_setstacksize(&attr, THREAD_MINSTACKSIZE);
- if (ret != 0)
- return (ISC_R_UNEXPECTED);
- }
-#endif
-
-#if defined(PTHREAD_SCOPE_SYSTEM) && defined(NEED_PTHREAD_SCOPE_SYSTEM)
- ret = pthread_attr_setscope(&attr, PTHREAD_SCOPE_SYSTEM);
- if (ret != 0)
- return (ISC_R_UNEXPECTED);
-#endif
-
- ret = pthread_create(thread, &attr, func, arg);
- if (ret != 0)
- return (ISC_R_UNEXPECTED);
-
- pthread_attr_destroy(&attr);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_thread_setconcurrency(unsigned int level) {
-#if defined(CALL_PTHREAD_SETCONCURRENCY)
- (void)pthread_setconcurrency(level);
-#else
- UNUSED(level);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/quota.c b/contrib/bind9/lib/isc/quota.c
deleted file mode 100644
index 273a1b2ac6dd..000000000000
--- a/contrib/bind9/lib/isc/quota.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: quota.c,v 1.11.12.5 2005/07/29 00:13:09 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/quota.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_quota_init(isc_quota_t *quota, int max) {
- quota->max = max;
- quota->used = 0;
- quota->soft = 0;
- return (isc_mutex_init(&quota->lock));
-}
-
-void
-isc_quota_destroy(isc_quota_t *quota) {
- INSIST(quota->used == 0);
- quota->max = 0;
- quota->used = 0;
- quota->soft = 0;
- DESTROYLOCK(&quota->lock);
-}
-
-void
-isc_quota_soft(isc_quota_t *quota, int soft) {
- LOCK(&quota->lock);
- quota->soft = soft;
- UNLOCK(&quota->lock);
-}
-
-void
-isc_quota_max(isc_quota_t *quota, int max) {
- LOCK(&quota->lock);
- quota->max = max;
- UNLOCK(&quota->lock);
-}
-
-isc_result_t
-isc_quota_reserve(isc_quota_t *quota) {
- isc_result_t result;
- LOCK(&quota->lock);
- if (quota->max == 0 || quota->used < quota->max) {
- if (quota->soft == 0 || quota->used < quota->soft)
- result = ISC_R_SUCCESS;
- else
- result = ISC_R_SOFTQUOTA;
- quota->used++;
- } else
- result = ISC_R_QUOTA;
- UNLOCK(&quota->lock);
- return (result);
-}
-
-void
-isc_quota_release(isc_quota_t *quota) {
- LOCK(&quota->lock);
- INSIST(quota->used > 0);
- quota->used--;
- UNLOCK(&quota->lock);
-}
-
-isc_result_t
-isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
-{
- isc_result_t result;
- INSIST(p != NULL && *p == NULL);
- result = isc_quota_reserve(quota);
- if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
- *p = quota;
- return (result);
-}
-
-void
-isc_quota_detach(isc_quota_t **p)
-{
- INSIST(p != NULL && *p != NULL);
- isc_quota_release(*p);
- *p = NULL;
-}
diff --git a/contrib/bind9/lib/isc/random.c b/contrib/bind9/lib/isc/random.c
deleted file mode 100644
index e5c4d3118fc5..000000000000
--- a/contrib/bind9/lib/isc/random.c
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: random.c,v 1.15.74.5 2004/03/08 09:04:49 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <time.h> /* Required for time(). */
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-static isc_once_t once = ISC_ONCE_INIT;
-
-static void
-initialize_rand(void)
-{
-#ifndef HAVE_ARC4RANDOM
- unsigned int pid = getpid();
-
- /*
- * The low bits of pid generally change faster.
- * Xor them with the high bits of time which change slowly.
- */
- pid = ((pid << 16) & 0xffff0000) | ((pid >> 16) & 0xffff);
-
- srand(time(NULL) ^ pid);
-#endif
-}
-
-static void
-initialize(void)
-{
- RUNTIME_CHECK(isc_once_do(&once, initialize_rand) == ISC_R_SUCCESS);
-}
-
-void
-isc_random_seed(isc_uint32_t seed)
-{
- initialize();
-
-#ifndef HAVE_ARC4RANDOM
- srand(seed);
-#else
- arc4random_addrandom((u_char *) &seed, sizeof(isc_uint32_t));
-#endif
-}
-
-void
-isc_random_get(isc_uint32_t *val)
-{
- REQUIRE(val != NULL);
-
- initialize();
-
-#ifndef HAVE_ARC4RANDOM
- /*
- * rand()'s lower bits are not random.
- * rand()'s upper bit is zero.
- */
- *val = ((rand() >> 4) & 0xffff) | ((rand() << 12) & 0xffff0000);
-#else
- *val = arc4random();
-#endif
-}
-
-isc_uint32_t
-isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter) {
- REQUIRE(jitter < max);
- if (jitter == 0)
- return (max);
- else
-#ifndef HAVE_ARC4RANDOM
- return (max - rand() % jitter);
-#else
- return (max - arc4random() % jitter);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/ratelimiter.c b/contrib/bind9/lib/isc/ratelimiter.c
deleted file mode 100644
index 211363ccf0f1..000000000000
--- a/contrib/bind9/lib/isc/ratelimiter.c
+++ /dev/null
@@ -1,326 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ratelimiter.c,v 1.18.14.4 2004/03/08 09:04:50 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/ratelimiter.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-typedef enum {
- isc_ratelimiter_stalled = 0,
- isc_ratelimiter_ratelimited = 1,
- isc_ratelimiter_idle = 2,
- isc_ratelimiter_shuttingdown = 3
-} isc_ratelimiter_state_t;
-
-struct isc_ratelimiter {
- isc_mem_t * mctx;
- isc_mutex_t lock;
- int refs;
- isc_task_t * task;
- isc_timer_t * timer;
- isc_interval_t interval;
- isc_uint32_t pertic;
- isc_ratelimiter_state_t state;
- isc_event_t shutdownevent;
- ISC_LIST(isc_event_t) pending;
-};
-
-#define ISC_RATELIMITEREVENT_SHUTDOWN (ISC_EVENTCLASS_RATELIMITER + 1)
-
-static void
-ratelimiter_tick(isc_task_t *task, isc_event_t *event);
-
-static void
-ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event);
-
-isc_result_t
-isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
- isc_task_t *task, isc_ratelimiter_t **ratelimiterp)
-{
- isc_result_t result;
- isc_ratelimiter_t *rl;
- INSIST(ratelimiterp != NULL && *ratelimiterp == NULL);
-
- rl = isc_mem_get(mctx, sizeof(*rl));
- if (rl == NULL)
- return ISC_R_NOMEMORY;
- rl->mctx = mctx;
- rl->refs = 1;
- rl->task = task;
- isc_interval_set(&rl->interval, 0, 0);
- rl->timer = NULL;
- rl->pertic = 1;
- rl->state = isc_ratelimiter_idle;
- ISC_LIST_INIT(rl->pending);
-
- result = isc_mutex_init(&rl->lock);
- if (result != ISC_R_SUCCESS)
- goto free_mem;
- result = isc_timer_create(timermgr, isc_timertype_inactive,
- NULL, NULL, rl->task, ratelimiter_tick,
- rl, &rl->timer);
- if (result != ISC_R_SUCCESS)
- goto free_mutex;
-
- /*
- * Increment the reference count to indicate that we may
- * (soon) have events outstanding.
- */
- rl->refs++;
-
- ISC_EVENT_INIT(&rl->shutdownevent,
- sizeof(isc_event_t),
- 0, NULL, ISC_RATELIMITEREVENT_SHUTDOWN,
- ratelimiter_shutdowncomplete, rl, rl, NULL, NULL);
-
- *ratelimiterp = rl;
- return (ISC_R_SUCCESS);
-
-free_mutex:
- DESTROYLOCK(&rl->lock);
-free_mem:
- isc_mem_put(mctx, rl, sizeof(*rl));
- return (result);
-}
-
-isc_result_t
-isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval) {
- isc_result_t result = ISC_R_SUCCESS;
- LOCK(&rl->lock);
- rl->interval = *interval;
- /*
- * If the timer is currently running, change its rate.
- */
- if (rl->state == isc_ratelimiter_ratelimited) {
- result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
- &rl->interval, ISC_FALSE);
- }
- UNLOCK(&rl->lock);
- return (result);
-}
-
-void
-isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t pertic) {
- if (pertic == 0)
- pertic = 1;
- rl->pertic = pertic;
-}
-
-isc_result_t
-isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
- isc_event_t **eventp)
-{
- isc_result_t result = ISC_R_SUCCESS;
- isc_event_t *ev;
-
- REQUIRE(eventp != NULL && *eventp != NULL);
- REQUIRE(task != NULL);
- ev = *eventp;
- REQUIRE(ev->ev_sender == NULL);
-
- LOCK(&rl->lock);
- if (rl->state == isc_ratelimiter_ratelimited ||
- rl->state == isc_ratelimiter_stalled) {
- isc_event_t *ev = *eventp;
- ev->ev_sender = task;
- ISC_LIST_APPEND(rl->pending, ev, ev_link);
- *eventp = NULL;
- } else if (rl->state == isc_ratelimiter_idle) {
- result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
- &rl->interval, ISC_FALSE);
- if (result == ISC_R_SUCCESS) {
- ev->ev_sender = task;
- rl->state = isc_ratelimiter_ratelimited;
- }
- } else {
- INSIST(rl->state == isc_ratelimiter_shuttingdown);
- result = ISC_R_SHUTTINGDOWN;
- }
- UNLOCK(&rl->lock);
- if (*eventp != NULL && result == ISC_R_SUCCESS)
- isc_task_send(task, eventp);
- return (result);
-}
-
-static void
-ratelimiter_tick(isc_task_t *task, isc_event_t *event) {
- isc_result_t result = ISC_R_SUCCESS;
- isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
- isc_event_t *p;
- isc_uint32_t pertic;
-
- UNUSED(task);
-
- isc_event_free(&event);
-
- pertic = rl->pertic;
- while (pertic != 0) {
- pertic--;
- LOCK(&rl->lock);
- p = ISC_LIST_HEAD(rl->pending);
- if (p != NULL) {
- /*
- * There is work to do. Let's do it after unlocking.
- */
- ISC_LIST_UNLINK(rl->pending, p, ev_link);
- } else {
- /*
- * No work left to do. Stop the timer so that we don't
- * waste resources by having it fire periodically.
- */
- result = isc_timer_reset(rl->timer,
- isc_timertype_inactive,
- NULL, NULL, ISC_FALSE);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- rl->state = isc_ratelimiter_idle;
- pertic = 0; /* Force the loop to exit. */
- }
- UNLOCK(&rl->lock);
- if (p != NULL) {
- isc_task_t *evtask = p->ev_sender;
- isc_task_send(evtask, &p);
- }
- INSIST(p == NULL);
- }
-}
-
-void
-isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) {
- isc_event_t *ev;
- isc_task_t *task;
- LOCK(&rl->lock);
- rl->state = isc_ratelimiter_shuttingdown;
- (void)isc_timer_reset(rl->timer, isc_timertype_inactive,
- NULL, NULL, ISC_FALSE);
- while ((ev = ISC_LIST_HEAD(rl->pending)) != NULL) {
- ISC_LIST_UNLINK(rl->pending, ev, ev_link);
- ev->ev_attributes |= ISC_EVENTATTR_CANCELED;
- task = ev->ev_sender;
- isc_task_send(task, &ev);
- }
- isc_timer_detach(&rl->timer);
- /*
- * Send an event to our task. The delivery of this event
- * indicates that no more timer events will be delivered.
- */
- ev = &rl->shutdownevent;
- isc_task_send(rl->task, &ev);
-
- UNLOCK(&rl->lock);
-}
-
-static void
-ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event) {
- isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
-
- UNUSED(task);
-
- isc_ratelimiter_detach(&rl);
-}
-
-static void
-ratelimiter_free(isc_ratelimiter_t *rl) {
- DESTROYLOCK(&rl->lock);
- isc_mem_put(rl->mctx, rl, sizeof(*rl));
-}
-
-void
-isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target) {
- REQUIRE(source != NULL);
- REQUIRE(target != NULL && *target == NULL);
-
- LOCK(&source->lock);
- REQUIRE(source->refs > 0);
- source->refs++;
- INSIST(source->refs > 0);
- UNLOCK(&source->lock);
- *target = source;
-}
-
-void
-isc_ratelimiter_detach(isc_ratelimiter_t **rlp) {
- isc_ratelimiter_t *rl = *rlp;
- isc_boolean_t free_now = ISC_FALSE;
-
- LOCK(&rl->lock);
- REQUIRE(rl->refs > 0);
- rl->refs--;
- if (rl->refs == 0)
- free_now = ISC_TRUE;
- UNLOCK(&rl->lock);
-
- if (free_now)
- ratelimiter_free(rl);
-
- *rlp = NULL;
-}
-
-isc_result_t
-isc_ratelimiter_stall(isc_ratelimiter_t *rl) {
- isc_result_t result = ISC_R_SUCCESS;
-
- LOCK(&rl->lock);
- switch (rl->state) {
- case isc_ratelimiter_shuttingdown:
- result = ISC_R_SHUTTINGDOWN;
- break;
- case isc_ratelimiter_ratelimited:
- result = isc_timer_reset(rl->timer, isc_timertype_inactive,
- NULL, NULL, ISC_FALSE);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- case isc_ratelimiter_idle:
- case isc_ratelimiter_stalled:
- rl->state = isc_ratelimiter_stalled;
- break;
- }
- UNLOCK(&rl->lock);
- return (result);
-}
-
-isc_result_t
-isc_ratelimiter_release(isc_ratelimiter_t *rl) {
- isc_result_t result = ISC_R_SUCCESS;
-
- LOCK(&rl->lock);
- switch (rl->state) {
- case isc_ratelimiter_shuttingdown:
- result = ISC_R_SHUTTINGDOWN;
- break;
- case isc_ratelimiter_stalled:
- if (!ISC_LIST_EMPTY(rl->pending)) {
- result = isc_timer_reset(rl->timer,
- isc_timertype_ticker, NULL,
- &rl->interval, ISC_FALSE);
- if (result == ISC_R_SUCCESS)
- rl->state = isc_ratelimiter_ratelimited;
- } else
- rl->state = isc_ratelimiter_idle;
- break;
- case isc_ratelimiter_ratelimited:
- case isc_ratelimiter_idle:
- break;
- }
- UNLOCK(&rl->lock);
- return (result);
-}
diff --git a/contrib/bind9/lib/isc/region.c b/contrib/bind9/lib/isc/region.c
deleted file mode 100644
index 92f4f027f3d6..000000000000
--- a/contrib/bind9/lib/isc/region.c
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: region.c,v 1.2.202.3 2004/03/08 09:04:50 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/region.h>
-#include <isc/util.h>
-
-int
-isc_region_compare(isc_region_t *r1, isc_region_t *r2) {
- unsigned int l;
- int result;
-
- REQUIRE(r1 != NULL);
- REQUIRE(r2 != NULL);
-
- l = (r1->length < r2->length) ? r1->length : r2->length;
-
- if ((result = memcmp(r1->base, r2->base, l)) != 0)
- return ((result < 0) ? -1 : 1);
- else
- return ((r1->length == r2->length) ? 0 :
- (r1->length < r2->length) ? -1 : 1);
-}
diff --git a/contrib/bind9/lib/isc/result.c b/contrib/bind9/lib/isc/result.c
deleted file mode 100644
index fd4e5c6cb98a..000000000000
--- a/contrib/bind9/lib/isc/result.c
+++ /dev/null
@@ -1,210 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.c,v 1.56.2.2.8.9 2005/06/09 23:54:30 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <isc/lib.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/resultclass.h>
-#include <isc/util.h>
-
-typedef struct resulttable {
- unsigned int base;
- unsigned int last;
- const char ** text;
- isc_msgcat_t * msgcat;
- int set;
- ISC_LINK(struct resulttable) link;
-} resulttable;
-
-static const char *text[ISC_R_NRESULTS] = {
- "success", /* 0 */
- "out of memory", /* 1 */
- "timed out", /* 2 */
- "no available threads", /* 3 */
- "address not available", /* 4 */
- "address in use", /* 5 */
- "permission denied", /* 6 */
- "no pending connections", /* 7 */
- "network unreachable", /* 8 */
- "host unreachable", /* 9 */
- "network down", /* 10 */
- "host down", /* 11 */
- "connection refused", /* 12 */
- "not enough free resources", /* 13 */
- "end of file", /* 14 */
- "socket already bound", /* 15 */
- "reload", /* 16 */
- "lock busy", /* 17 */
- "already exists", /* 18 */
- "ran out of space", /* 19 */
- "operation canceled", /* 20 */
- "socket is not bound", /* 21 */
- "shutting down", /* 22 */
- "not found", /* 23 */
- "unexpected end of input", /* 24 */
- "failure", /* 25 */
- "I/O error", /* 26 */
- "not implemented", /* 27 */
- "unbalanced parentheses", /* 28 */
- "no more", /* 29 */
- "invalid file", /* 30 */
- "bad base64 encoding", /* 31 */
- "unexpected token", /* 32 */
- "quota reached", /* 33 */
- "unexpected error", /* 34 */
- "already running", /* 35 */
- "ignore", /* 36 */
- "address mask not contiguous", /* 37 */
- "file not found", /* 38 */
- "file already exists", /* 39 */
- "socket is not connected", /* 40 */
- "out of range", /* 41 */
- "out of entropy", /* 42 */
- "invalid use of multicast address", /* 43 */
- "not a file", /* 44 */
- "not a directory", /* 45 */
- "queue is full", /* 46 */
- "address family mismatch", /* 47 */
- "address family not supported", /* 48 */
- "bad hex encoding", /* 49 */
- "too many open files", /* 50 */
- "not blocking", /* 51 */
- "unbalanced quotes", /* 52 */
- "operation in progress", /* 53 */
- "connection reset", /* 54 */
- "soft quota reached", /* 55 */
- "not a valid number", /* 56 */
- "disabled", /* 57 */
- "max size", /* 58 */
- "invalid address format" /* 59 */
-};
-
-#define ISC_RESULT_RESULTSET 2
-#define ISC_RESULT_UNAVAILABLESET 3
-
-static isc_once_t once = ISC_ONCE_INIT;
-static ISC_LIST(resulttable) tables;
-static isc_mutex_t lock;
-
-static isc_result_t
-register_table(unsigned int base, unsigned int nresults, const char **text,
- isc_msgcat_t *msgcat, int set)
-{
- resulttable *table;
-
- REQUIRE(base % ISC_RESULTCLASS_SIZE == 0);
- REQUIRE(nresults <= ISC_RESULTCLASS_SIZE);
- REQUIRE(text != NULL);
-
- /*
- * We use malloc() here because we we want to be able to use
- * isc_result_totext() even if there is no memory context.
- */
- table = malloc(sizeof(*table));
- if (table == NULL)
- return (ISC_R_NOMEMORY);
- table->base = base;
- table->last = base + nresults - 1;
- table->text = text;
- table->msgcat = msgcat;
- table->set = set;
- ISC_LINK_INIT(table, link);
-
- LOCK(&lock);
-
- ISC_LIST_APPEND(tables, table, link);
-
- UNLOCK(&lock);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-initialize_action(void) {
- isc_result_t result;
-
- RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
- ISC_LIST_INIT(tables);
-
- result = register_table(ISC_RESULTCLASS_ISC, ISC_R_NRESULTS, text,
- isc_msgcat, ISC_RESULT_RESULTSET);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "register_table() %s: %u",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"),
- result);
-}
-
-static void
-initialize(void) {
- isc_lib_initmsgcat();
- RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-isc_result_totext(isc_result_t result) {
- resulttable *table;
- const char *text, *default_text;
- int index;
-
- initialize();
-
- LOCK(&lock);
-
- text = NULL;
- for (table = ISC_LIST_HEAD(tables);
- table != NULL;
- table = ISC_LIST_NEXT(table, link)) {
- if (result >= table->base && result <= table->last) {
- index = (int)(result - table->base);
- default_text = table->text[index];
- /*
- * Note: we use 'index + 1' as the message number
- * instead of index because isc_msgcat_get() requires
- * the message number to be > 0.
- */
- text = isc_msgcat_get(table->msgcat, table->set,
- index + 1, default_text);
- break;
- }
- }
- if (text == NULL)
- text = isc_msgcat_get(isc_msgcat, ISC_RESULT_UNAVAILABLESET,
- 1, "(result code text not available)");
-
- UNLOCK(&lock);
-
- return (text);
-}
-
-isc_result_t
-isc_result_register(unsigned int base, unsigned int nresults,
- const char **text, isc_msgcat_t *msgcat, int set)
-{
- initialize();
-
- return (register_table(base, nresults, text, msgcat, set));
-}
diff --git a/contrib/bind9/lib/isc/rwlock.c b/contrib/bind9/lib/isc/rwlock.c
deleted file mode 100644
index 3e444d8a1125..000000000000
--- a/contrib/bind9/lib/isc/rwlock.c
+++ /dev/null
@@ -1,427 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: rwlock.c,v 1.33.2.4.2.3 2005/03/17 03:58:32 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/magic.h>
-#include <isc/msgs.h>
-#include <isc/platform.h>
-#include <isc/rwlock.h>
-#include <isc/util.h>
-
-#define RWLOCK_MAGIC ISC_MAGIC('R', 'W', 'L', 'k')
-#define VALID_RWLOCK(rwl) ISC_MAGIC_VALID(rwl, RWLOCK_MAGIC)
-
-#ifdef ISC_PLATFORM_USETHREADS
-
-#ifndef RWLOCK_DEFAULT_READ_QUOTA
-#define RWLOCK_DEFAULT_READ_QUOTA 4
-#endif
-
-#ifndef RWLOCK_DEFAULT_WRITE_QUOTA
-#define RWLOCK_DEFAULT_WRITE_QUOTA 4
-#endif
-
-#ifdef ISC_RWLOCK_TRACE
-#include <stdio.h> /* Required for fprintf/stderr. */
-#include <isc/thread.h> /* Requried for isc_thread_self(). */
-
-static void
-print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
- fprintf(stderr,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_PRINTLOCK,
- "rwlock %p thread %lu %s(%s): %s, %u active, "
- "%u granted, %u rwaiting, %u wwaiting\n"),
- rwl, isc_thread_self(), operation,
- (type == isc_rwlocktype_read ?
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_READ, "read") :
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_WRITE, "write")),
- (rwl->type == isc_rwlocktype_read ?
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_READING, "reading") :
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_WRITING, "writing")),
- rwl->active, rwl->granted, rwl->readers_waiting,
- rwl->writers_waiting);
-}
-#endif
-
-isc_result_t
-isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
- unsigned int write_quota)
-{
- isc_result_t result;
-
- REQUIRE(rwl != NULL);
-
- /*
- * In case there's trouble initializing, we zero magic now. If all
- * goes well, we'll set it to RWLOCK_MAGIC.
- */
- rwl->magic = 0;
-
- rwl->type = isc_rwlocktype_read;
- rwl->original = isc_rwlocktype_none;
- rwl->active = 0;
- rwl->granted = 0;
- rwl->readers_waiting = 0;
- rwl->writers_waiting = 0;
- if (read_quota == 0)
- read_quota = RWLOCK_DEFAULT_READ_QUOTA;
- rwl->read_quota = read_quota;
- if (write_quota == 0)
- write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
- rwl->write_quota = write_quota;
- result = isc_mutex_init(&rwl->lock);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s: %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"),
- isc_result_totext(result));
- return (ISC_R_UNEXPECTED);
- }
- result = isc_condition_init(&rwl->readable);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_condition_init(readable) %s: %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"),
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto destroy_lock;
-
- }
- result = isc_condition_init(&rwl->writeable);
- if (result != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_condition_init(writeable) %s: %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"),
- isc_result_totext(result));
- result = ISC_R_UNEXPECTED;
- goto destroy_rcond;
- }
-
- rwl->magic = RWLOCK_MAGIC;
-
- return (ISC_R_SUCCESS);
-
- destroy_rcond:
- (void)isc_condition_destroy(&rwl->readable);
- destroy_lock:
- DESTROYLOCK(&rwl->lock);
-
- return (result);
-}
-
-static isc_result_t
-doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, isc_boolean_t nonblock) {
- isc_boolean_t skip = ISC_FALSE;
- isc_boolean_t done = ISC_FALSE;
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(VALID_RWLOCK(rwl));
-
- LOCK(&rwl->lock);
-
-#ifdef ISC_RWLOCK_TRACE
- print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_PRELOCK, "prelock"), rwl, type);
-#endif
-
- if (type == isc_rwlocktype_read) {
- if (rwl->readers_waiting != 0)
- skip = ISC_TRUE;
- while (!done) {
- if (!skip &&
- ((rwl->active == 0 ||
- (rwl->type == isc_rwlocktype_read &&
- (rwl->writers_waiting == 0 ||
- rwl->granted < rwl->read_quota)))))
- {
- rwl->type = isc_rwlocktype_read;
- rwl->active++;
- rwl->granted++;
- done = ISC_TRUE;
- } else if (nonblock) {
- result = ISC_R_LOCKBUSY;
- done = ISC_TRUE;
- } else {
- skip = ISC_FALSE;
- rwl->readers_waiting++;
- WAIT(&rwl->readable, &rwl->lock);
- rwl->readers_waiting--;
- }
- }
- } else {
- if (rwl->writers_waiting != 0)
- skip = ISC_TRUE;
- while (!done) {
- if (!skip && rwl->active == 0) {
- rwl->type = isc_rwlocktype_write;
- rwl->active = 1;
- rwl->granted++;
- done = ISC_TRUE;
- } else if (nonblock) {
- result = ISC_R_LOCKBUSY;
- done = ISC_TRUE;
- } else {
- skip = ISC_FALSE;
- rwl->writers_waiting++;
- WAIT(&rwl->writeable, &rwl->lock);
- rwl->writers_waiting--;
- }
- }
- }
-
-#ifdef ISC_RWLOCK_TRACE
- print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_POSTLOCK, "postlock"), rwl, type);
-#endif
-
- UNLOCK(&rwl->lock);
-
- return (result);
-}
-
-isc_result_t
-isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
- return (doit(rwl, type, ISC_FALSE));
-}
-
-isc_result_t
-isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
- return (doit(rwl, type, ISC_TRUE));
-}
-
-isc_result_t
-isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(VALID_RWLOCK(rwl));
- LOCK(&rwl->lock);
- REQUIRE(rwl->type == isc_rwlocktype_read);
- REQUIRE(rwl->active != 0);
-
- /* If we are the only reader then succeed. */
- if (rwl->active == 1) {
- rwl->original = (rwl->original == isc_rwlocktype_none) ?
- isc_rwlocktype_read : isc_rwlocktype_none;
- rwl->type = isc_rwlocktype_write;
- } else
- result = ISC_R_LOCKBUSY;
-
- UNLOCK(&rwl->lock);
- return (result);
-}
-
-void
-isc_rwlock_downgrade(isc_rwlock_t *rwl) {
-
- REQUIRE(VALID_RWLOCK(rwl));
- LOCK(&rwl->lock);
- REQUIRE(rwl->type == isc_rwlocktype_write);
- REQUIRE(rwl->active == 1);
-
- rwl->type = isc_rwlocktype_read;
- rwl->original = (rwl->original == isc_rwlocktype_none) ?
- isc_rwlocktype_write : isc_rwlocktype_none;
- /*
- * Resume processing any read request that were blocked when
- * we upgraded.
- */
- if (rwl->original == isc_rwlocktype_none &&
- (rwl->writers_waiting == 0 || rwl->granted < rwl->read_quota) &&
- rwl->readers_waiting > 0)
- BROADCAST(&rwl->readable);
-
- UNLOCK(&rwl->lock);
-}
-
-isc_result_t
-isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
-
- REQUIRE(VALID_RWLOCK(rwl));
- LOCK(&rwl->lock);
- REQUIRE(rwl->type == type);
-
- UNUSED(type);
-
-#ifdef ISC_RWLOCK_TRACE
- print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_PREUNLOCK, "preunlock"), rwl, type);
-#endif
-
- INSIST(rwl->active > 0);
- rwl->active--;
- if (rwl->active == 0) {
- if (rwl->original != isc_rwlocktype_none) {
- rwl->type = rwl->original;
- rwl->original = isc_rwlocktype_none;
- }
- if (rwl->type == isc_rwlocktype_read) {
- rwl->granted = 0;
- if (rwl->writers_waiting > 0) {
- rwl->type = isc_rwlocktype_write;
- SIGNAL(&rwl->writeable);
- } else if (rwl->readers_waiting > 0) {
- /* Does this case ever happen? */
- BROADCAST(&rwl->readable);
- }
- } else {
- if (rwl->readers_waiting > 0) {
- if (rwl->writers_waiting > 0 &&
- rwl->granted < rwl->write_quota) {
- SIGNAL(&rwl->writeable);
- } else {
- rwl->granted = 0;
- rwl->type = isc_rwlocktype_read;
- BROADCAST(&rwl->readable);
- }
- } else if (rwl->writers_waiting > 0) {
- rwl->granted = 0;
- SIGNAL(&rwl->writeable);
- } else {
- rwl->granted = 0;
- }
- }
- }
- INSIST(rwl->original == isc_rwlocktype_none);
-
-#ifdef ISC_RWLOCK_TRACE
- print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
- ISC_MSG_POSTUNLOCK, "postunlock"),
- rwl, type);
-#endif
-
- UNLOCK(&rwl->lock);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_rwlock_destroy(isc_rwlock_t *rwl) {
- REQUIRE(VALID_RWLOCK(rwl));
-
- LOCK(&rwl->lock);
- REQUIRE(rwl->active == 0 &&
- rwl->readers_waiting == 0 &&
- rwl->writers_waiting == 0);
- UNLOCK(&rwl->lock);
-
- rwl->magic = 0;
- (void)isc_condition_destroy(&rwl->readable);
- (void)isc_condition_destroy(&rwl->writeable);
- DESTROYLOCK(&rwl->lock);
-}
-
-#else /* ISC_PLATFORM_USETHREADS */
-
-isc_result_t
-isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
- unsigned int write_quota)
-{
- REQUIRE(rwl != NULL);
-
- UNUSED(read_quota);
- UNUSED(write_quota);
-
- rwl->type = isc_rwlocktype_read;
- rwl->active = 0;
- rwl->magic = RWLOCK_MAGIC;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
- REQUIRE(VALID_RWLOCK(rwl));
-
- if (type == isc_rwlocktype_read) {
- if (rwl->type != isc_rwlocktype_read && rwl->active != 0)
- return (ISC_R_LOCKBUSY);
- rwl->type = isc_rwlocktype_read;
- rwl->active++;
- } else {
- if (rwl->active != 0)
- return (ISC_R_LOCKBUSY);
- rwl->type = isc_rwlocktype_write;
- rwl->active = 1;
- }
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
- return (isc_rwlock_lock(rwl, type));
-}
-
-isc_result_t
-isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(VALID_RWLOCK(rwl));
- REQUIRE(rwl->type == isc_rwlocktype_read);
- REQUIRE(rwl->active != 0);
-
- /* If we are the only reader then succeed. */
- if (rwl->active == 1)
- rwl->type = isc_rwlocktype_write;
- else
- result = ISC_R_LOCKBUSY;
- return (result);
-}
-
-void
-isc_rwlock_downgrade(isc_rwlock_t *rwl) {
-
- REQUIRE(VALID_RWLOCK(rwl));
- REQUIRE(rwl->type == isc_rwlocktype_write);
- REQUIRE(rwl->active == 1);
-
- rwl->type = isc_rwlocktype_read;
-}
-
-isc_result_t
-isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
- REQUIRE(VALID_RWLOCK(rwl));
- REQUIRE(rwl->type == type);
-
- UNUSED(type);
-
- INSIST(rwl->active > 0);
- rwl->active--;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_rwlock_destroy(isc_rwlock_t *rwl) {
- REQUIRE(rwl != NULL);
- REQUIRE(rwl->active == 0);
- rwl->magic = 0;
-}
-
-#endif /* ISC_PLATFORM_USETHREADS */
diff --git a/contrib/bind9/lib/isc/serial.c b/contrib/bind9/lib/isc/serial.c
deleted file mode 100644
index 4fe0ee592a2b..000000000000
--- a/contrib/bind9/lib/isc/serial.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: serial.c,v 1.7.206.1 2004/03/06 08:14:35 marka Exp $ */
-#include <config.h>
-
-#include <isc/serial.h>
-
-isc_boolean_t
-isc_serial_lt(isc_uint32_t a, isc_uint32_t b) {
- /*
- * Undefined => ISC_FALSE
- */
- if (a == (b ^ 0x80000000U))
- return (ISC_FALSE);
- return (((isc_int32_t)(a - b) < 0) ? ISC_TRUE : ISC_FALSE);
-}
-
-isc_boolean_t
-isc_serial_gt(isc_uint32_t a, isc_uint32_t b) {
- return (((isc_int32_t)(a - b) > 0) ? ISC_TRUE : ISC_FALSE);
-}
-
-isc_boolean_t
-isc_serial_le(isc_uint32_t a, isc_uint32_t b) {
- return ((a == b) ? ISC_TRUE : isc_serial_lt(a, b));
-}
-
-isc_boolean_t
-isc_serial_ge(isc_uint32_t a, isc_uint32_t b) {
- return ((a == b) ? ISC_TRUE : isc_serial_gt(a, b));
-}
-
-isc_boolean_t
-isc_serial_eq(isc_uint32_t a, isc_uint32_t b) {
- return ((a == b) ? ISC_TRUE : ISC_FALSE);
-}
-
-isc_boolean_t
-isc_serial_ne(isc_uint32_t a, isc_uint32_t b) {
- return ((a != b) ? ISC_TRUE : ISC_FALSE);
-}
diff --git a/contrib/bind9/lib/isc/sha1.c b/contrib/bind9/lib/isc/sha1.c
deleted file mode 100644
index 0549e887ab8e..000000000000
--- a/contrib/bind9/lib/isc/sha1.c
+++ /dev/null
@@ -1,309 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sha1.c,v 1.10.2.2.2.3 2004/03/06 08:14:35 marka Exp $ */
-
-/* $NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $ */
-/* $OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $ */
-
-/*
- * SHA-1 in C
- * By Steve Reid <steve@edmweb.com>
- * 100% Public Domain
- *
- * Test Vectors (from FIPS PUB 180-1)
- * "abc"
- * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
- * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
- * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
- * A million repetitions of "a"
- * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
- */
-
-#include "config.h"
-
-#include <isc/assertions.h>
-#include <isc/sha1.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
-
-/*
- * blk0() and blk() perform the initial expand.
- * I got the idea of expanding during the round function from SSLeay
- */
-#if !defined(WORDS_BIGENDIAN)
-# define blk0(i) \
- (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) \
- | (rol(block->l[i], 8) & 0x00FF00FF))
-#else
-# define blk0(i) block->l[i]
-#endif
-#define blk(i) \
- (block->l[i & 15] = rol(block->l[(i + 13) & 15] \
- ^ block->l[(i + 8) & 15] \
- ^ block->l[(i + 2) & 15] \
- ^ block->l[i & 15], 1))
-
-/*
- * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
- */
-#define R0(v,w,x,y,z,i) \
- z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
- w = rol(w, 30);
-#define R1(v,w,x,y,z,i) \
- z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
- w = rol(w, 30);
-#define R2(v,w,x,y,z,i) \
- z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
- w = rol(w, 30);
-#define R3(v,w,x,y,z,i) \
- z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
- w = rol(w, 30);
-#define R4(v,w,x,y,z,i) \
- z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
- w = rol(w, 30);
-
-typedef union {
- unsigned char c[64];
- unsigned int l[16];
-} CHAR64LONG16;
-
-#ifdef __sparc_v9__
-static void do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-static void do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
- isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
-
-#define nR0(v,w,x,y,z,i) R0(*v,*w,*x,*y,*z,i)
-#define nR1(v,w,x,y,z,i) R1(*v,*w,*x,*y,*z,i)
-#define nR2(v,w,x,y,z,i) R2(*v,*w,*x,*y,*z,i)
-#define nR3(v,w,x,y,z,i) R3(*v,*w,*x,*y,*z,i)
-#define nR4(v,w,x,y,z,i) R4(*v,*w,*x,*y,*z,i)
-
-static void
-do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR0(a,b,c,d,e, 0); nR0(e,a,b,c,d, 1); nR0(d,e,a,b,c, 2);
- nR0(c,d,e,a,b, 3); nR0(b,c,d,e,a, 4); nR0(a,b,c,d,e, 5);
- nR0(e,a,b,c,d, 6); nR0(d,e,a,b,c, 7); nR0(c,d,e,a,b, 8);
- nR0(b,c,d,e,a, 9); nR0(a,b,c,d,e,10); nR0(e,a,b,c,d,11);
- nR0(d,e,a,b,c,12); nR0(c,d,e,a,b,13); nR0(b,c,d,e,a,14);
- nR0(a,b,c,d,e,15); nR1(e,a,b,c,d,16); nR1(d,e,a,b,c,17);
- nR1(c,d,e,a,b,18); nR1(b,c,d,e,a,19);
-}
-
-static void
-do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR2(a,b,c,d,e,20); nR2(e,a,b,c,d,21); nR2(d,e,a,b,c,22);
- nR2(c,d,e,a,b,23); nR2(b,c,d,e,a,24); nR2(a,b,c,d,e,25);
- nR2(e,a,b,c,d,26); nR2(d,e,a,b,c,27); nR2(c,d,e,a,b,28);
- nR2(b,c,d,e,a,29); nR2(a,b,c,d,e,30); nR2(e,a,b,c,d,31);
- nR2(d,e,a,b,c,32); nR2(c,d,e,a,b,33); nR2(b,c,d,e,a,34);
- nR2(a,b,c,d,e,35); nR2(e,a,b,c,d,36); nR2(d,e,a,b,c,37);
- nR2(c,d,e,a,b,38); nR2(b,c,d,e,a,39);
-}
-
-static void
-do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR3(a,b,c,d,e,40); nR3(e,a,b,c,d,41); nR3(d,e,a,b,c,42);
- nR3(c,d,e,a,b,43); nR3(b,c,d,e,a,44); nR3(a,b,c,d,e,45);
- nR3(e,a,b,c,d,46); nR3(d,e,a,b,c,47); nR3(c,d,e,a,b,48);
- nR3(b,c,d,e,a,49); nR3(a,b,c,d,e,50); nR3(e,a,b,c,d,51);
- nR3(d,e,a,b,c,52); nR3(c,d,e,a,b,53); nR3(b,c,d,e,a,54);
- nR3(a,b,c,d,e,55); nR3(e,a,b,c,d,56); nR3(d,e,a,b,c,57);
- nR3(c,d,e,a,b,58); nR3(b,c,d,e,a,59);
-}
-
-static void
-do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
- isc_uint32_t *e, CHAR64LONG16 *block)
-{
- nR4(a,b,c,d,e,60); nR4(e,a,b,c,d,61); nR4(d,e,a,b,c,62);
- nR4(c,d,e,a,b,63); nR4(b,c,d,e,a,64); nR4(a,b,c,d,e,65);
- nR4(e,a,b,c,d,66); nR4(d,e,a,b,c,67); nR4(c,d,e,a,b,68);
- nR4(b,c,d,e,a,69); nR4(a,b,c,d,e,70); nR4(e,a,b,c,d,71);
- nR4(d,e,a,b,c,72); nR4(c,d,e,a,b,73); nR4(b,c,d,e,a,74);
- nR4(a,b,c,d,e,75); nR4(e,a,b,c,d,76); nR4(d,e,a,b,c,77);
- nR4(c,d,e,a,b,78); nR4(b,c,d,e,a,79);
-}
-#endif
-
-/*
- * Hash a single 512-bit block. This is the core of the algorithm.
- */
-static void
-transform(isc_uint32_t state[5], const unsigned char buffer[64]) {
- isc_uint32_t a, b, c, d, e;
- CHAR64LONG16 *block;
- CHAR64LONG16 workspace;
-
- INSIST(buffer != NULL);
- INSIST(state != NULL);
-
- block = &workspace;
- (void)memcpy(block, buffer, 64);
-
- /* Copy context->state[] to working vars */
- a = state[0];
- b = state[1];
- c = state[2];
- d = state[3];
- e = state[4];
-
-#ifdef __sparc_v9__
- do_R01(&a, &b, &c, &d, &e, block);
- do_R2(&a, &b, &c, &d, &e, block);
- do_R3(&a, &b, &c, &d, &e, block);
- do_R4(&a, &b, &c, &d, &e, block);
-#else
- /* 4 rounds of 20 operations each. Loop unrolled. */
- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
-#endif
-
- /* Add the working vars back into context.state[] */
- state[0] += a;
- state[1] += b;
- state[2] += c;
- state[3] += d;
- state[4] += e;
-
- /* Wipe variables */
- a = b = c = d = e = 0;
-}
-
-
-/*
- * isc_sha1_init - Initialize new context
- */
-void
-isc_sha1_init(isc_sha1_t *context)
-{
- INSIST(context != NULL);
-
- /* SHA1 initialization constants */
- context->state[0] = 0x67452301;
- context->state[1] = 0xEFCDAB89;
- context->state[2] = 0x98BADCFE;
- context->state[3] = 0x10325476;
- context->state[4] = 0xC3D2E1F0;
- context->count[0] = 0;
- context->count[1] = 0;
-}
-
-void
-isc_sha1_invalidate(isc_sha1_t *context) {
- memset(context, 0, sizeof(isc_sha1_t));
-}
-
-/*
- * Run your data through this.
- */
-void
-isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
- unsigned int len)
-{
- unsigned int i, j;
-
- INSIST(context != 0);
- INSIST(data != 0);
-
- j = context->count[0];
- if ((context->count[0] += len << 3) < j)
- context->count[1] += (len >> 29) + 1;
- j = (j >> 3) & 63;
- if ((j + len) > 63) {
- (void)memcpy(&context->buffer[j], data, (i = 64 - j));
- transform(context->state, context->buffer);
- for (; i + 63 < len; i += 64)
- transform(context->state, &data[i]);
- j = 0;
- } else {
- i = 0;
- }
-
- (void)memcpy(&context->buffer[j], &data[i], len - i);
-}
-
-
-/*
- * Add padding and return the message digest.
- */
-
-static const unsigned char final_200 = 128;
-static const unsigned char final_0 = 0;
-
-void
-isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
- unsigned int i;
- unsigned char finalcount[8];
-
- INSIST(digest != 0);
- INSIST(context != 0);
-
- for (i = 0; i < 8; i++) {
- /* Endian independent */
- finalcount[i] = (unsigned char)
- ((context->count[(i >= 4 ? 0 : 1)]
- >> ((3 - (i & 3)) * 8)) & 255);
- }
-
- isc_sha1_update(context, &final_200, 1);
- while ((context->count[0] & 504) != 448)
- isc_sha1_update(context, &final_0, 1);
- /* The next Update should cause a transform() */
- isc_sha1_update(context, finalcount, 8);
-
- if (digest) {
- for (i = 0; i < 20; i++)
- digest[i] = (unsigned char)
- ((context->state[i >> 2]
- >> ((3 - (i & 3)) * 8)) & 255);
- }
-
- memset(context, 0, sizeof(isc_sha1_t));
-}
diff --git a/contrib/bind9/lib/isc/sockaddr.c b/contrib/bind9/lib/isc/sockaddr.c
deleted file mode 100644
index 4c47e4e06bce..000000000000
--- a/contrib/bind9/lib/isc/sockaddr.c
+++ /dev/null
@@ -1,463 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sockaddr.c,v 1.48.2.1.2.10 2004/05/15 03:46:12 jinmei Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <isc/buffer.h>
-#include <isc/hash.h>
-#include <isc/msgs.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/sockaddr.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-isc_boolean_t
-isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
- REQUIRE(a != NULL && b != NULL);
-
- if (a->length != b->length)
- return (ISC_FALSE);
-
- /*
- * We don't just memcmp because the sin_zero field isn't always
- * zero.
- */
-
- if (a->type.sa.sa_family != b->type.sa.sa_family)
- return (ISC_FALSE);
- switch (a->type.sa.sa_family) {
- case AF_INET:
- if (memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
- sizeof(a->type.sin.sin_addr)) != 0)
- return (ISC_FALSE);
- if (a->type.sin.sin_port != b->type.sin.sin_port)
- return (ISC_FALSE);
- break;
- case AF_INET6:
- if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
- sizeof(a->type.sin6.sin6_addr)) != 0)
- return (ISC_FALSE);
-#ifdef ISC_PLATFORM_HAVESCOPEID
- if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id)
- return (ISC_FALSE);
-#endif
- if (a->type.sin6.sin6_port != b->type.sin6.sin6_port)
- return (ISC_FALSE);
- break;
- default:
- if (memcmp(&a->type, &b->type, a->length) != 0)
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
- REQUIRE(a != NULL && b != NULL);
-
- if (a->length != b->length)
- return (ISC_FALSE);
-
- if (a->type.sa.sa_family != b->type.sa.sa_family)
- return (ISC_FALSE);
- switch (a->type.sa.sa_family) {
- case AF_INET:
- if (memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
- sizeof(a->type.sin.sin_addr)) != 0)
- return (ISC_FALSE);
- break;
- case AF_INET6:
- if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
- sizeof(a->type.sin6.sin6_addr)) != 0)
- return (ISC_FALSE);
-#ifdef ISC_PLATFORM_HAVESCOPEID
- if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id)
- return (ISC_FALSE);
-#endif
- break;
- default:
- if (memcmp(&a->type, &b->type, a->length) != 0)
- return (ISC_FALSE);
- }
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
- unsigned int prefixlen)
-{
- isc_netaddr_t na, nb;
- isc_netaddr_fromsockaddr(&na, a);
- isc_netaddr_fromsockaddr(&nb, b);
- return (isc_netaddr_eqprefix(&na, &nb, prefixlen));
-}
-
-isc_result_t
-isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
- isc_result_t result;
- isc_netaddr_t netaddr;
- char pbuf[sizeof("65000")];
- unsigned int plen;
- isc_region_t avail;
-
- REQUIRE(sockaddr != NULL);
-
- /*
- * Do the port first, giving us the opportunity to check for
- * unsupported address families before calling
- * isc_netaddr_fromsockaddr().
- */
- switch (sockaddr->type.sa.sa_family) {
- case AF_INET:
- snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin.sin_port));
- break;
- case AF_INET6:
- snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin6.sin6_port));
- break;
- default:
- return (ISC_R_FAILURE);
- }
-
- plen = strlen(pbuf);
- INSIST(plen < sizeof(pbuf));
-
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
- result = isc_netaddr_totext(&netaddr, target);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (1 + plen + 1 > isc_buffer_availablelength(target))
- return (ISC_R_NOSPACE);
-
- isc_buffer_putmem(target, (const unsigned char *)"#", 1);
- isc_buffer_putmem(target, (const unsigned char *)pbuf, plen);
-
- /*
- * Null terminate after used region.
- */
- isc_buffer_availableregion(target, &avail);
- INSIST(avail.length >= 1);
- avail.base[0] = '\0';
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size) {
- isc_result_t result;
- isc_buffer_t buf;
-
- isc_buffer_init(&buf, array, size);
- result = isc_sockaddr_totext(sa, &buf);
- if (result != ISC_R_SUCCESS) {
- /*
- * The message is the same as in netaddr.c.
- */
- snprintf(array, size,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
- ISC_MSG_UNKNOWNADDR,
- "<unknown address, family %u>"),
- sa->type.sa.sa_family);
- array[size - 1] = '\0';
- }
-}
-
-unsigned int
-isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only) {
- unsigned int length = 0;
- const unsigned char *s = NULL;
- unsigned int h = 0;
- unsigned int g;
- unsigned int p = 0;
- const struct in6_addr *in6;
-
- REQUIRE(sockaddr != NULL);
-
- switch (sockaddr->type.sa.sa_family) {
- case AF_INET:
- s = (const unsigned char *)&sockaddr->type.sin.sin_addr;
- p = ntohs(sockaddr->type.sin.sin_port);
- length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
- break;
- case AF_INET6:
- in6 = &sockaddr->type.sin6.sin6_addr;
- if (IN6_IS_ADDR_V4MAPPED(in6)) {
- s = (const unsigned char *)&in6[12];
- length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
- } else {
- s = (const unsigned char *)in6;
- length = sizeof(sockaddr->type.sin6.sin6_addr);
- }
- p = ntohs(sockaddr->type.sin6.sin6_port);
- break;
- default:
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_SOCKADDR,
- ISC_MSG_UNKNOWNFAMILY,
- "unknown address family: %d"),
- (int)sockaddr->type.sa.sa_family);
- s = (const unsigned char *)&sockaddr->type;
- length = sockaddr->length;
- p = 0;
- }
-
- h = isc_hash_calc(s, length, ISC_TRUE);
- if (!address_only) {
- g = isc_hash_calc((const unsigned char *)&p, sizeof(p),
- ISC_TRUE);
- h = h ^ g; /* XXX: we should concatenate h and p first */
- }
-
- return (h);
-}
-
-void
-isc_sockaddr_any(isc_sockaddr_t *sockaddr)
-{
- memset(sockaddr, 0, sizeof(*sockaddr));
- sockaddr->type.sin.sin_family = AF_INET;
-#ifdef ISC_PLATFORM_HAVESALEN
- sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
-#endif
- sockaddr->type.sin.sin_addr.s_addr = INADDR_ANY;
- sockaddr->type.sin.sin_port = 0;
- sockaddr->length = sizeof(sockaddr->type.sin);
- ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_any6(isc_sockaddr_t *sockaddr)
-{
- memset(sockaddr, 0, sizeof(*sockaddr));
- sockaddr->type.sin6.sin6_family = AF_INET6;
-#ifdef ISC_PLATFORM_HAVESALEN
- sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
- sockaddr->type.sin6.sin6_addr = in6addr_any;
- sockaddr->type.sin6.sin6_port = 0;
- sockaddr->length = sizeof(sockaddr->type.sin6);
- ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
- in_port_t port)
-{
- memset(sockaddr, 0, sizeof(*sockaddr));
- sockaddr->type.sin.sin_family = AF_INET;
-#ifdef ISC_PLATFORM_HAVESALEN
- sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
-#endif
- sockaddr->type.sin.sin_addr = *ina;
- sockaddr->type.sin.sin_port = htons(port);
- sockaddr->length = sizeof(sockaddr->type.sin);
- ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int pf) {
- switch (pf) {
- case AF_INET:
- isc_sockaddr_any(sockaddr);
- break;
- case AF_INET6:
- isc_sockaddr_any6(sockaddr);
- break;
- default:
- INSIST(0);
- }
-}
-
-void
-isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
- in_port_t port)
-{
- memset(sockaddr, 0, sizeof(*sockaddr));
- sockaddr->type.sin6.sin6_family = AF_INET6;
-#ifdef ISC_PLATFORM_HAVESALEN
- sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
- sockaddr->type.sin6.sin6_addr = *ina6;
- sockaddr->type.sin6.sin6_port = htons(port);
- sockaddr->length = sizeof(sockaddr->type.sin6);
- ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
- in_port_t port)
-{
- memset(sockaddr, 0, sizeof(*sockaddr));
- sockaddr->type.sin6.sin6_family = AF_INET6;
-#ifdef ISC_PLATFORM_HAVESALEN
- sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
- sockaddr->type.sin6.sin6_addr.s6_addr[10] = 0xff;
- sockaddr->type.sin6.sin6_addr.s6_addr[11] = 0xff;
- memcpy(&sockaddr->type.sin6.sin6_addr.s6_addr[12], ina, 4);
- sockaddr->type.sin6.sin6_port = htons(port);
- sockaddr->length = sizeof(sockaddr->type.sin6);
- ISC_LINK_INIT(sockaddr, link);
-}
-
-int
-isc_sockaddr_pf(const isc_sockaddr_t *sockaddr) {
-
- /*
- * Get the protocol family of 'sockaddr'.
- */
-
-#if (AF_INET == PF_INET && AF_INET6 == PF_INET6)
- /*
- * Assume that PF_xxx == AF_xxx for all AF and PF.
- */
- return (sockaddr->type.sa.sa_family);
-#else
- switch (sockaddr->type.sa.sa_family) {
- case AF_INET:
- return (PF_INET);
- case AF_INET6:
- return (PF_INET6);
- default:
- FATAL_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
- ISC_MSG_UNKNOWNFAMILY,
- "unknown address family: %d"),
- (int)sockaddr->type.sa.sa_family);
- }
-#endif
-}
-
-void
-isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
- in_port_t port)
-{
- memset(sockaddr, 0, sizeof(*sockaddr));
- sockaddr->type.sin.sin_family = na->family;
- switch (na->family) {
- case AF_INET:
- sockaddr->length = sizeof(sockaddr->type.sin);
-#ifdef ISC_PLATFORM_HAVESALEN
- sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
-#endif
- sockaddr->type.sin.sin_addr = na->type.in;
- sockaddr->type.sin.sin_port = htons(port);
- break;
- case AF_INET6:
- sockaddr->length = sizeof(sockaddr->type.sin6);
-#ifdef ISC_PLATFORM_HAVESALEN
- sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
-#endif
- memcpy(&sockaddr->type.sin6.sin6_addr, &na->type.in6, 16);
-#ifdef ISC_PLATFORM_HAVESCOPEID
- sockaddr->type.sin6.sin6_scope_id = isc_netaddr_getzone(na);
-#endif
- sockaddr->type.sin6.sin6_port = htons(port);
- break;
- default:
- INSIST(0);
- }
- ISC_LINK_INIT(sockaddr, link);
-}
-
-void
-isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
- switch (sockaddr->type.sa.sa_family) {
- case AF_INET:
- sockaddr->type.sin.sin_port = htons(port);
- break;
- case AF_INET6:
- sockaddr->type.sin6.sin6_port = htons(port);
- break;
- default:
- FATAL_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
- ISC_MSG_UNKNOWNFAMILY,
- "unknown address family: %d"),
- (int)sockaddr->type.sa.sa_family);
- }
-}
-
-in_port_t
-isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
- in_port_t port = 0;
-
- switch (sockaddr->type.sa.sa_family) {
- case AF_INET:
- port = ntohs(sockaddr->type.sin.sin_port);
- break;
- case AF_INET6:
- port = ntohs(sockaddr->type.sin6.sin6_port);
- break;
- default:
- FATAL_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
- ISC_MSG_UNKNOWNFAMILY,
- "unknown address family: %d"),
- (int)sockaddr->type.sa.sa_family);
- }
-
- return (port);
-}
-
-isc_boolean_t
-isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
- isc_netaddr_t netaddr;
-
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
- return (isc_netaddr_ismulticast(&netaddr));
-}
-
-isc_boolean_t
-isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
- isc_netaddr_t netaddr;
-
- if (sockaddr->type.sa.sa_family == AF_INET) {
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
- return (isc_netaddr_isexperimental(&netaddr));
- }
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-isc_sockaddr_issitelocal(isc_sockaddr_t *sockaddr) {
- isc_netaddr_t netaddr;
-
- if (sockaddr->type.sa.sa_family == AF_INET6) {
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
- return (isc_netaddr_issitelocal(&netaddr));
- }
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-isc_sockaddr_islinklocal(isc_sockaddr_t *sockaddr) {
- isc_netaddr_t netaddr;
-
- if (sockaddr->type.sa.sa_family == AF_INET6) {
- isc_netaddr_fromsockaddr(&netaddr, sockaddr);
- return (isc_netaddr_islinklocal(&netaddr));
- }
- return (ISC_FALSE);
-}
diff --git a/contrib/bind9/lib/isc/string.c b/contrib/bind9/lib/isc/string.c
deleted file mode 100644
index 2a1e557bd0a2..000000000000
--- a/contrib/bind9/lib/isc/string.c
+++ /dev/null
@@ -1,165 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: string.c,v 1.6.164.5 2004/09/16 01:00:58 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/string.h>
-
-static char digits[] = "0123456789abcdefghijklmnoprstuvwxyz";
-
-isc_uint64_t
-isc_string_touint64(char *source, char **end, int base) {
- isc_uint64_t tmp;
- isc_uint64_t overflow;
- char *s = source;
- char *o;
- char c;
-
- if ((base < 0) || (base == 1) || (base > 36)) {
- *end = source;
- return (0);
- }
-
- while (*s != 0 && isascii(*s&0xff) && isspace(*s&0xff))
- s++;
- if (*s == '+' /* || *s == '-' */)
- s++;
- if (base == 0) {
- if (*s == '0' && (*(s+1) == 'X' || *(s+1) == 'x')) {
- s += 2;
- base = 16;
- } else if (*s == '0')
- base = 8;
- else
- base = 10;
- }
- if (*s == 0) {
- *end = source;
- return (0);
- }
- overflow = ~0;
- overflow /= base;
- tmp = 0;
-
- while ((c = *s) != 0) {
- c = tolower(c&0xff);
- /* end ? */
- if ((o = strchr(digits, c)) == NULL) {
- *end = s;
- return (tmp);
- }
- /* end ? */
- if ((o - digits) >= base) {
- *end = s;
- return (tmp);
- }
- /* overflow ? */
- if (tmp > overflow) {
- *end = source;
- return (0);
- }
- tmp *= base;
- /* overflow ? */
- if ((tmp + (o - digits)) < tmp) {
- *end = source;
- return (0);
- }
- tmp += o - digits;
- s++;
- }
- *end = s;
- return (tmp);
-}
-
-char *
-isc_string_separate(char **stringp, const char *delim) {
- char *string = *stringp;
- char *s;
- const char *d;
- char sc, dc;
-
- if (string == NULL)
- return (NULL);
-
- for (s = string; (sc = *s) != '\0'; s++)
- for (d = delim; (dc = *d) != '\0'; d++)
- if (sc == dc) {
- *s++ = '\0';
- *stringp = s;
- return (string);
- }
- *stringp = NULL;
- return (string);
-}
-
-size_t
-isc_string_strlcpy(char *dst, const char *src, size_t size)
-{
- char *d = dst;
- const char *s = src;
- size_t n = size;
-
- /* Copy as many bytes as will fit */
- if (n != 0U && --n != 0U) {
- do {
- if ((*d++ = *s++) == 0)
- break;
- } while (--n != 0U);
- }
-
- /* Not enough room in dst, add NUL and traverse rest of src */
- if (n == 0U) {
- if (size != 0U)
- *d = '\0'; /* NUL-terminate dst */
- while (*s++)
- ;
- }
-
- return(s - src - 1); /* count does not include NUL */
-}
-
-size_t
-isc_string_strlcat(char *dst, const char *src, size_t size)
-{
- char *d = dst;
- const char *s = src;
- size_t n = size;
- size_t dlen;
-
- /* Find the end of dst and adjust bytes left but don't go past end */
- while (n-- != 0U && *d != '\0')
- d++;
- dlen = d - dst;
- n = size - dlen;
-
- if (n == 0U)
- return(dlen + strlen(s));
- while (*s != '\0') {
- if (n != 1U) {
- *d++ = *s;
- n--;
- }
- s++;
- }
- *d = '\0';
-
- return(dlen + (s - src)); /* count does not include NUL */
-}
diff --git a/contrib/bind9/lib/isc/strtoul.c b/contrib/bind9/lib/isc/strtoul.c
deleted file mode 100644
index b3d7e499ee5d..000000000000
--- a/contrib/bind9/lib/isc/strtoul.c
+++ /dev/null
@@ -1,128 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-/* $Id: strtoul.c,v 1.2.14.3 2004/03/06 08:14:36 marka Exp $ */
-
-#include <config.h>
-
-#include <limits.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <isc/stdlib.h>
-#include <isc/util.h>
-
-/*
- * Convert a string to an unsigned long integer.
- *
- * Ignores `locale' stuff. Assumes that the upper and lower case
- * alphabets and digits are each contiguous.
- */
-unsigned long
-isc_strtoul(const char *nptr, char **endptr, int base) {
- const char *s = nptr;
- unsigned long acc;
- unsigned char c;
- unsigned long cutoff;
- int neg = 0, any, cutlim;
-
- /*
- * See strtol for comments as to the logic used.
- */
- do {
- c = *s++;
- } while (isspace(c));
- if (c == '-') {
- neg = 1;
- c = *s++;
- } else if (c == '+')
- c = *s++;
- if ((base == 0 || base == 16) &&
- c == '0' && (*s == 'x' || *s == 'X')) {
- c = s[1];
- s += 2;
- base = 16;
- }
- if (base == 0)
- base = c == '0' ? 8 : 10;
- cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
- cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
- for (acc = 0, any = 0;; c = *s++) {
- if (!isascii(c))
- break;
- if (isdigit(c))
- c -= '0';
- else if (isalpha(c))
- c -= isupper(c) ? 'A' - 10 : 'a' - 10;
- else
- break;
- if (c >= base)
- break;
- if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
- any = -1;
- else {
- any = 1;
- acc *= base;
- acc += c;
- }
- }
- if (any < 0) {
- acc = ULONG_MAX;
- errno = ERANGE;
- } else if (neg)
- acc = -acc;
- if (endptr != 0)
- DE_CONST(any ? s - 1 : nptr, *endptr);
- return (acc);
-}
diff --git a/contrib/bind9/lib/isc/symtab.c b/contrib/bind9/lib/isc/symtab.c
deleted file mode 100644
index 8b2b8c46bc33..000000000000
--- a/contrib/bind9/lib/isc/symtab.c
+++ /dev/null
@@ -1,250 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtab.c,v 1.24.12.3 2004/03/08 09:04:50 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/string.h>
-#include <isc/symtab.h>
-#include <isc/util.h>
-
-typedef struct elt {
- char * key;
- unsigned int type;
- isc_symvalue_t value;
- LINK(struct elt) link;
-} elt_t;
-
-typedef LIST(elt_t) eltlist_t;
-
-#define SYMTAB_MAGIC ISC_MAGIC('S', 'y', 'm', 'T')
-#define VALID_SYMTAB(st) ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
-
-struct isc_symtab {
- /* Unlocked. */
- unsigned int magic;
- isc_mem_t * mctx;
- unsigned int size;
- eltlist_t * table;
- isc_symtabaction_t undefine_action;
- void * undefine_arg;
- isc_boolean_t case_sensitive;
-};
-
-isc_result_t
-isc_symtab_create(isc_mem_t *mctx, unsigned int size,
- isc_symtabaction_t undefine_action,
- void *undefine_arg,
- isc_boolean_t case_sensitive,
- isc_symtab_t **symtabp)
-{
- isc_symtab_t *symtab;
- unsigned int i;
-
- REQUIRE(mctx != NULL);
- REQUIRE(symtabp != NULL && *symtabp == NULL);
- REQUIRE(size > 0); /* Should be prime. */
-
- symtab = (isc_symtab_t *)isc_mem_get(mctx, sizeof(*symtab));
- if (symtab == NULL)
- return (ISC_R_NOMEMORY);
- symtab->table = (eltlist_t *)isc_mem_get(mctx,
- size * sizeof(eltlist_t));
- if (symtab->table == NULL) {
- isc_mem_put(mctx, symtab, sizeof(*symtab));
- return (ISC_R_NOMEMORY);
- }
- for (i = 0; i < size; i++)
- INIT_LIST(symtab->table[i]);
- symtab->mctx = mctx;
- symtab->size = size;
- symtab->undefine_action = undefine_action;
- symtab->undefine_arg = undefine_arg;
- symtab->case_sensitive = case_sensitive;
- symtab->magic = SYMTAB_MAGIC;
-
- *symtabp = symtab;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_symtab_destroy(isc_symtab_t **symtabp) {
- isc_symtab_t *symtab;
- unsigned int i;
- elt_t *elt, *nelt;
-
- REQUIRE(symtabp != NULL);
- symtab = *symtabp;
- REQUIRE(VALID_SYMTAB(symtab));
-
- for (i = 0; i < symtab->size; i++) {
- for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
- nelt = NEXT(elt, link);
- if (symtab->undefine_action != NULL)
- (symtab->undefine_action)(elt->key,
- elt->type,
- elt->value,
- symtab->undefine_arg);
- isc_mem_put(symtab->mctx, elt, sizeof(*elt));
- }
- }
- isc_mem_put(symtab->mctx, symtab->table,
- symtab->size * sizeof(eltlist_t));
- symtab->magic = 0;
- isc_mem_put(symtab->mctx, symtab, sizeof(*symtab));
-
- *symtabp = NULL;
-}
-
-static inline unsigned int
-hash(const char *key, isc_boolean_t case_sensitive) {
- const char *s;
- unsigned int h = 0;
- int c;
-
- /*
- * This hash function is similar to the one Ousterhout
- * uses in Tcl.
- */
-
- if (case_sensitive) {
- for (s = key; *s != '\0'; s++) {
- h += (h << 3) + *s;
- }
- } else {
- for (s = key; *s != '\0'; s++) {
- c = *s;
- c = tolower((unsigned char)c);
- h += (h << 3) + c;
- }
- }
-
- return (h);
-}
-
-#define FIND(s, k, t, b, e) \
- b = hash((k), (s)->case_sensitive) % (s)->size; \
- if ((s)->case_sensitive) { \
- for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
- if (((t) == 0 || e->type == (t)) && \
- strcmp(e->key, (k)) == 0) \
- break; \
- } \
- } else { \
- for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
- if (((t) == 0 || e->type == (t)) && \
- strcasecmp(e->key, (k)) == 0) \
- break; \
- } \
- }
-
-isc_result_t
-isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
- isc_symvalue_t *value)
-{
- unsigned int bucket;
- elt_t *elt;
-
- REQUIRE(VALID_SYMTAB(symtab));
- REQUIRE(key != NULL);
-
- FIND(symtab, key, type, bucket, elt);
-
- if (elt == NULL)
- return (ISC_R_NOTFOUND);
-
- if (value != NULL)
- *value = elt->value;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
- isc_symvalue_t value, isc_symexists_t exists_policy)
-{
- unsigned int bucket;
- elt_t *elt;
-
- REQUIRE(VALID_SYMTAB(symtab));
- REQUIRE(key != NULL);
- REQUIRE(type != 0);
-
- FIND(symtab, key, type, bucket, elt);
-
- if (exists_policy != isc_symexists_add && elt != NULL) {
- if (exists_policy == isc_symexists_reject)
- return (ISC_R_EXISTS);
- INSIST(exists_policy == isc_symexists_replace);
- UNLINK(symtab->table[bucket], elt, link);
- if (symtab->undefine_action != NULL)
- (symtab->undefine_action)(elt->key, elt->type,
- elt->value,
- symtab->undefine_arg);
- } else {
- elt = (elt_t *)isc_mem_get(symtab->mctx, sizeof(*elt));
- if (elt == NULL)
- return (ISC_R_NOMEMORY);
- ISC_LINK_INIT(elt, link);
- }
-
- /*
- * Though the "key" can be const coming in, it is not stored as const
- * so that the calling program can easily have writable access to
- * it in its undefine_action function. In the event that it *was*
- * truly const coming in and then the caller modified it anyway ...
- * well, don't do that!
- */
- DE_CONST(key, elt->key);
- elt->type = type;
- elt->value = value;
-
- /*
- * We prepend so that the most recent definition will be found.
- */
- PREPEND(symtab->table[bucket], elt, link);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type) {
- unsigned int bucket;
- elt_t *elt;
-
- REQUIRE(VALID_SYMTAB(symtab));
- REQUIRE(key != NULL);
-
- FIND(symtab, key, type, bucket, elt);
-
- if (elt == NULL)
- return (ISC_R_NOTFOUND);
-
- if (symtab->undefine_action != NULL)
- (symtab->undefine_action)(elt->key, elt->type,
- elt->value, symtab->undefine_arg);
- UNLINK(symtab->table[bucket], elt, link);
- isc_mem_put(symtab->mctx, elt, sizeof(*elt));
-
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/task.c b/contrib/bind9/lib/isc/task.c
deleted file mode 100644
index 9b31523496c8..000000000000
--- a/contrib/bind9/lib/isc/task.c
+++ /dev/null
@@ -1,1302 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: task.c,v 1.85.2.3.8.5 2004/10/15 00:45:45 marka Exp $ */
-
-/*
- * Principal Author: Bob Halley
- */
-
-/*
- * XXXRTH Need to document the states a task can be in, and the rules
- * for changing states.
- */
-
-#include <config.h>
-
-#include <isc/condition.h>
-#include <isc/event.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/platform.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#ifndef ISC_PLATFORM_USETHREADS
-#include "task_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
-
-#define ISC_TASK_NAMES 1
-
-#ifdef ISC_TASK_TRACE
-#define XTRACE(m) fprintf(stderr, "task %p thread %lu: %s\n", \
- task, isc_thread_self(), (m))
-#define XTTRACE(t, m) fprintf(stderr, "task %p thread %lu: %s\n", \
- (t), isc_thread_self(), (m))
-#define XTHREADTRACE(m) fprintf(stderr, "thread %lu: %s\n", \
- isc_thread_self(), (m))
-#else
-#define XTRACE(m)
-#define XTTRACE(t, m)
-#define XTHREADTRACE(m)
-#endif
-
-/***
- *** Types.
- ***/
-
-typedef enum {
- task_state_idle, task_state_ready, task_state_running,
- task_state_done
-} task_state_t;
-
-#define TASK_MAGIC ISC_MAGIC('T', 'A', 'S', 'K')
-#define VALID_TASK(t) ISC_MAGIC_VALID(t, TASK_MAGIC)
-
-struct isc_task {
- /* Not locked. */
- unsigned int magic;
- isc_taskmgr_t * manager;
- isc_mutex_t lock;
- /* Locked by task lock. */
- task_state_t state;
- unsigned int references;
- isc_eventlist_t events;
- isc_eventlist_t on_shutdown;
- unsigned int quantum;
- unsigned int flags;
- isc_stdtime_t now;
-#ifdef ISC_TASK_NAMES
- char name[16];
- void * tag;
-#endif
- /* Locked by task manager lock. */
- LINK(isc_task_t) link;
- LINK(isc_task_t) ready_link;
-};
-
-#define TASK_F_SHUTTINGDOWN 0x01
-
-#define TASK_SHUTTINGDOWN(t) (((t)->flags & TASK_F_SHUTTINGDOWN) \
- != 0)
-
-#define TASK_MANAGER_MAGIC ISC_MAGIC('T', 'S', 'K', 'M')
-#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, TASK_MANAGER_MAGIC)
-
-struct isc_taskmgr {
- /* Not locked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_mutex_t lock;
-#ifdef ISC_PLATFORM_USETHREADS
- unsigned int workers;
- isc_thread_t * threads;
-#endif /* ISC_PLATFORM_USETHREADS */
- /* Locked by task manager lock. */
- unsigned int default_quantum;
- LIST(isc_task_t) tasks;
- isc_tasklist_t ready_tasks;
-#ifdef ISC_PLATFORM_USETHREADS
- isc_condition_t work_available;
- isc_condition_t exclusive_granted;
-#endif /* ISC_PLATFORM_USETHREADS */
- unsigned int tasks_running;
- isc_boolean_t exclusive_requested;
- isc_boolean_t exiting;
-#ifndef ISC_PLATFORM_USETHREADS
- unsigned int refs;
-#endif /* ISC_PLATFORM_USETHREADS */
-};
-
-#define DEFAULT_TASKMGR_QUANTUM 10
-#define DEFAULT_DEFAULT_QUANTUM 5
-#define FINISHED(m) ((m)->exiting && EMPTY((m)->tasks))
-
-#ifndef ISC_PLATFORM_USETHREADS
-static isc_taskmgr_t *taskmgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
-
-/***
- *** Tasks.
- ***/
-
-static void
-task_finished(isc_task_t *task) {
- isc_taskmgr_t *manager = task->manager;
-
- REQUIRE(EMPTY(task->events));
- REQUIRE(EMPTY(task->on_shutdown));
- REQUIRE(task->references == 0);
- REQUIRE(task->state == task_state_done);
-
- XTRACE("task_finished");
-
- LOCK(&manager->lock);
- UNLINK(manager->tasks, task, link);
-#ifdef ISC_PLATFORM_USETHREADS
- if (FINISHED(manager)) {
- /*
- * All tasks have completed and the
- * task manager is exiting. Wake up
- * any idle worker threads so they
- * can exit.
- */
- BROADCAST(&manager->work_available);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
- UNLOCK(&manager->lock);
-
- DESTROYLOCK(&task->lock);
- task->magic = 0;
- isc_mem_put(manager->mctx, task, sizeof(*task));
-}
-
-isc_result_t
-isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
- isc_task_t **taskp)
-{
- isc_task_t *task;
- isc_boolean_t exiting;
-
- REQUIRE(VALID_MANAGER(manager));
- REQUIRE(taskp != NULL && *taskp == NULL);
-
- task = isc_mem_get(manager->mctx, sizeof(*task));
- if (task == NULL)
- return (ISC_R_NOMEMORY);
- XTRACE("isc_task_create");
- task->manager = manager;
- if (isc_mutex_init(&task->lock) != ISC_R_SUCCESS) {
- isc_mem_put(manager->mctx, task, sizeof(*task));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
- task->state = task_state_idle;
- task->references = 1;
- INIT_LIST(task->events);
- INIT_LIST(task->on_shutdown);
- task->quantum = quantum;
- task->flags = 0;
- task->now = 0;
-#ifdef ISC_TASK_NAMES
- memset(task->name, 0, sizeof(task->name));
- task->tag = NULL;
-#endif
- INIT_LINK(task, link);
- INIT_LINK(task, ready_link);
-
- exiting = ISC_FALSE;
- LOCK(&manager->lock);
- if (!manager->exiting) {
- if (task->quantum == 0)
- task->quantum = manager->default_quantum;
- APPEND(manager->tasks, task, link);
- } else
- exiting = ISC_TRUE;
- UNLOCK(&manager->lock);
-
- if (exiting) {
- DESTROYLOCK(&task->lock);
- isc_mem_put(manager->mctx, task, sizeof(*task));
- return (ISC_R_SHUTTINGDOWN);
- }
-
- task->magic = TASK_MAGIC;
- *taskp = task;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
-
- /*
- * Attach *targetp to source.
- */
-
- REQUIRE(VALID_TASK(source));
- REQUIRE(targetp != NULL && *targetp == NULL);
-
- XTTRACE(source, "isc_task_attach");
-
- LOCK(&source->lock);
- source->references++;
- UNLOCK(&source->lock);
-
- *targetp = source;
-}
-
-static inline isc_boolean_t
-task_shutdown(isc_task_t *task) {
- isc_boolean_t was_idle = ISC_FALSE;
- isc_event_t *event, *prev;
-
- /*
- * Caller must be holding the task's lock.
- */
-
- XTRACE("task_shutdown");
-
- if (! TASK_SHUTTINGDOWN(task)) {
- XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_SHUTTINGDOWN, "shutting down"));
- task->flags |= TASK_F_SHUTTINGDOWN;
- if (task->state == task_state_idle) {
- INSIST(EMPTY(task->events));
- task->state = task_state_ready;
- was_idle = ISC_TRUE;
- }
- INSIST(task->state == task_state_ready ||
- task->state == task_state_running);
- /*
- * Note that we post shutdown events LIFO.
- */
- for (event = TAIL(task->on_shutdown);
- event != NULL;
- event = prev) {
- prev = PREV(event, ev_link);
- DEQUEUE(task->on_shutdown, event, ev_link);
- ENQUEUE(task->events, event, ev_link);
- }
- }
-
- return (was_idle);
-}
-
-static inline void
-task_ready(isc_task_t *task) {
- isc_taskmgr_t *manager = task->manager;
-
- REQUIRE(VALID_MANAGER(manager));
- REQUIRE(task->state == task_state_ready);
-
- XTRACE("task_ready");
-
- LOCK(&manager->lock);
-
- ENQUEUE(manager->ready_tasks, task, ready_link);
-#ifdef ISC_PLATFORM_USETHREADS
- SIGNAL(&manager->work_available);
-#endif /* ISC_PLATFORM_USETHREADS */
-
- UNLOCK(&manager->lock);
-}
-
-static inline isc_boolean_t
-task_detach(isc_task_t *task) {
-
- /*
- * Caller must be holding the task lock.
- */
-
- REQUIRE(task->references > 0);
-
- XTRACE("detach");
-
- task->references--;
- if (task->references == 0 && task->state == task_state_idle) {
- INSIST(EMPTY(task->events));
- /*
- * There are no references to this task, and no
- * pending events. We could try to optimize and
- * either initiate shutdown or clean up the task,
- * depending on its state, but it's easier to just
- * make the task ready and allow run() or the event
- * loop to deal with shutting down and termination.
- */
- task->state = task_state_ready;
- return (ISC_TRUE);
- }
-
- return (ISC_FALSE);
-}
-
-void
-isc_task_detach(isc_task_t **taskp) {
- isc_task_t *task;
- isc_boolean_t was_idle;
-
- /*
- * Detach *taskp from its task.
- */
-
- REQUIRE(taskp != NULL);
- task = *taskp;
- REQUIRE(VALID_TASK(task));
-
- XTRACE("isc_task_detach");
-
- LOCK(&task->lock);
- was_idle = task_detach(task);
- UNLOCK(&task->lock);
-
- if (was_idle)
- task_ready(task);
-
- *taskp = NULL;
-}
-
-static inline isc_boolean_t
-task_send(isc_task_t *task, isc_event_t **eventp) {
- isc_boolean_t was_idle = ISC_FALSE;
- isc_event_t *event;
-
- /*
- * Caller must be holding the task lock.
- */
-
- REQUIRE(eventp != NULL);
- event = *eventp;
- REQUIRE(event != NULL);
- REQUIRE(event->ev_type > 0);
- REQUIRE(task->state != task_state_done);
-
- XTRACE("task_send");
-
- if (task->state == task_state_idle) {
- was_idle = ISC_TRUE;
- INSIST(EMPTY(task->events));
- task->state = task_state_ready;
- }
- INSIST(task->state == task_state_ready ||
- task->state == task_state_running);
- ENQUEUE(task->events, event, ev_link);
- *eventp = NULL;
-
- return (was_idle);
-}
-
-void
-isc_task_send(isc_task_t *task, isc_event_t **eventp) {
- isc_boolean_t was_idle;
-
- /*
- * Send '*event' to 'task'.
- */
-
- REQUIRE(VALID_TASK(task));
-
- XTRACE("isc_task_send");
-
- /*
- * We're trying hard to hold locks for as short a time as possible.
- * We're also trying to hold as few locks as possible. This is why
- * some processing is deferred until after the lock is released.
- */
- LOCK(&task->lock);
- was_idle = task_send(task, eventp);
- UNLOCK(&task->lock);
-
- if (was_idle) {
- /*
- * We need to add this task to the ready queue.
- *
- * We've waited until now to do it because making a task
- * ready requires locking the manager. If we tried to do
- * this while holding the task lock, we could deadlock.
- *
- * We've changed the state to ready, so no one else will
- * be trying to add this task to the ready queue. The
- * only way to leave the ready state is by executing the
- * task. It thus doesn't matter if events are added,
- * removed, or a shutdown is started in the interval
- * between the time we released the task lock, and the time
- * we add the task to the ready queue.
- */
- task_ready(task);
- }
-}
-
-void
-isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
- isc_boolean_t idle1, idle2;
- isc_task_t *task;
-
- /*
- * Send '*event' to '*taskp' and then detach '*taskp' from its
- * task.
- */
-
- REQUIRE(taskp != NULL);
- task = *taskp;
- REQUIRE(VALID_TASK(task));
-
- XTRACE("isc_task_sendanddetach");
-
- LOCK(&task->lock);
- idle1 = task_send(task, eventp);
- idle2 = task_detach(task);
- UNLOCK(&task->lock);
-
- /*
- * If idle1, then idle2 shouldn't be true as well since we're holding
- * the task lock, and thus the task cannot switch from ready back to
- * idle.
- */
- INSIST(!(idle1 && idle2));
-
- if (idle1 || idle2)
- task_ready(task);
-
- *taskp = NULL;
-}
-
-#define PURGE_OK(event) (((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
-
-static unsigned int
-dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
- isc_eventtype_t last, void *tag,
- isc_eventlist_t *events, isc_boolean_t purging)
-{
- isc_event_t *event, *next_event;
- unsigned int count = 0;
-
- REQUIRE(VALID_TASK(task));
- REQUIRE(last >= first);
-
- XTRACE("dequeue_events");
-
- /*
- * Events matching 'sender', whose type is >= first and <= last, and
- * whose tag is 'tag' will be dequeued. If 'purging', matching events
- * which are marked as unpurgable will not be dequeued.
- *
- * sender == NULL means "any sender", and tag == NULL means "any tag".
- */
-
- LOCK(&task->lock);
-
- for (event = HEAD(task->events); event != NULL; event = next_event) {
- next_event = NEXT(event, ev_link);
- if (event->ev_type >= first && event->ev_type <= last &&
- (sender == NULL || event->ev_sender == sender) &&
- (tag == NULL || event->ev_tag == tag) &&
- (!purging || PURGE_OK(event))) {
- DEQUEUE(task->events, event, ev_link);
- ENQUEUE(*events, event, ev_link);
- count++;
- }
- }
-
- UNLOCK(&task->lock);
-
- return (count);
-}
-
-unsigned int
-isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
- isc_eventtype_t last, void *tag)
-{
- unsigned int count;
- isc_eventlist_t events;
- isc_event_t *event, *next_event;
-
- /*
- * Purge events from a task's event queue.
- */
-
- XTRACE("isc_task_purgerange");
-
- ISC_LIST_INIT(events);
-
- count = dequeue_events(task, sender, first, last, tag, &events,
- ISC_TRUE);
-
- for (event = HEAD(events); event != NULL; event = next_event) {
- next_event = NEXT(event, ev_link);
- isc_event_free(&event);
- }
-
- /*
- * Note that purging never changes the state of the task.
- */
-
- return (count);
-}
-
-unsigned int
-isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
- void *tag)
-{
- /*
- * Purge events from a task's event queue.
- */
-
- XTRACE("isc_task_purge");
-
- return (isc_task_purgerange(task, sender, type, type, tag));
-}
-
-isc_boolean_t
-isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
- isc_event_t *curr_event, *next_event;
-
- /*
- * Purge 'event' from a task's event queue.
- *
- * XXXRTH: WARNING: This method may be removed before beta.
- */
-
- REQUIRE(VALID_TASK(task));
-
- /*
- * If 'event' is on the task's event queue, it will be purged,
- * unless it is marked as unpurgeable. 'event' does not have to be
- * on the task's event queue; in fact, it can even be an invalid
- * pointer. Purging only occurs if the event is actually on the task's
- * event queue.
- *
- * Purging never changes the state of the task.
- */
-
- LOCK(&task->lock);
- for (curr_event = HEAD(task->events);
- curr_event != NULL;
- curr_event = next_event) {
- next_event = NEXT(curr_event, ev_link);
- if (curr_event == event && PURGE_OK(event)) {
- DEQUEUE(task->events, curr_event, ev_link);
- break;
- }
- }
- UNLOCK(&task->lock);
-
- if (curr_event == NULL)
- return (ISC_FALSE);
-
- isc_event_free(&curr_event);
-
- return (ISC_TRUE);
-}
-
-unsigned int
-isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
- isc_eventtype_t last, void *tag,
- isc_eventlist_t *events)
-{
- /*
- * Remove events from a task's event queue.
- */
-
- XTRACE("isc_task_unsendrange");
-
- return (dequeue_events(task, sender, first, last, tag, events,
- ISC_FALSE));
-}
-
-unsigned int
-isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
- void *tag, isc_eventlist_t *events)
-{
- /*
- * Remove events from a task's event queue.
- */
-
- XTRACE("isc_task_unsend");
-
- return (dequeue_events(task, sender, type, type, tag, events,
- ISC_FALSE));
-}
-
-isc_result_t
-isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
- isc_boolean_t disallowed = ISC_FALSE;
- isc_result_t result = ISC_R_SUCCESS;
- isc_event_t *event;
-
- /*
- * Send a shutdown event with action 'action' and argument 'arg' when
- * 'task' is shutdown.
- */
-
- REQUIRE(VALID_TASK(task));
- REQUIRE(action != NULL);
-
- event = isc_event_allocate(task->manager->mctx,
- NULL,
- ISC_TASKEVENT_SHUTDOWN,
- action,
- arg,
- sizeof(*event));
- if (event == NULL)
- return (ISC_R_NOMEMORY);
-
- LOCK(&task->lock);
- if (TASK_SHUTTINGDOWN(task)) {
- disallowed = ISC_TRUE;
- result = ISC_R_SHUTTINGDOWN;
- } else
- ENQUEUE(task->on_shutdown, event, ev_link);
- UNLOCK(&task->lock);
-
- if (disallowed)
- isc_mem_put(task->manager->mctx, event, sizeof(*event));
-
- return (result);
-}
-
-void
-isc_task_shutdown(isc_task_t *task) {
- isc_boolean_t was_idle;
-
- /*
- * Shutdown 'task'.
- */
-
- REQUIRE(VALID_TASK(task));
-
- LOCK(&task->lock);
- was_idle = task_shutdown(task);
- UNLOCK(&task->lock);
-
- if (was_idle)
- task_ready(task);
-}
-
-void
-isc_task_destroy(isc_task_t **taskp) {
-
- /*
- * Destroy '*taskp'.
- */
-
- REQUIRE(taskp != NULL);
-
- isc_task_shutdown(*taskp);
- isc_task_detach(taskp);
-}
-
-void
-isc_task_setname(isc_task_t *task, const char *name, void *tag) {
-
- /*
- * Name 'task'.
- */
-
- REQUIRE(VALID_TASK(task));
-
-#ifdef ISC_TASK_NAMES
- LOCK(&task->lock);
- memset(task->name, 0, sizeof(task->name));
- strncpy(task->name, name, sizeof(task->name) - 1);
- task->tag = tag;
- UNLOCK(&task->lock);
-#else
- UNUSED(name);
- UNUSED(tag);
-#endif
-
-}
-
-const char *
-isc_task_getname(isc_task_t *task) {
- return (task->name);
-}
-
-void *
-isc_task_gettag(isc_task_t *task) {
- return (task->tag);
-}
-
-void
-isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
- REQUIRE(VALID_TASK(task));
- REQUIRE(t != NULL);
-
- LOCK(&task->lock);
-
- *t = task->now;
-
- UNLOCK(&task->lock);
-}
-
-/***
- *** Task Manager.
- ***/
-static void
-dispatch(isc_taskmgr_t *manager) {
- isc_task_t *task;
-#ifndef ISC_PLATFORM_USETHREADS
- unsigned int total_dispatch_count = 0;
- isc_tasklist_t ready_tasks;
-#endif /* ISC_PLATFORM_USETHREADS */
-
- REQUIRE(VALID_MANAGER(manager));
-
- /*
- * Again we're trying to hold the lock for as short a time as possible
- * and to do as little locking and unlocking as possible.
- *
- * In both while loops, the appropriate lock must be held before the
- * while body starts. Code which acquired the lock at the top of
- * the loop would be more readable, but would result in a lot of
- * extra locking. Compare:
- *
- * Straightforward:
- *
- * LOCK();
- * ...
- * UNLOCK();
- * while (expression) {
- * LOCK();
- * ...
- * UNLOCK();
- *
- * Unlocked part here...
- *
- * LOCK();
- * ...
- * UNLOCK();
- * }
- *
- * Note how if the loop continues we unlock and then immediately lock.
- * For N iterations of the loop, this code does 2N+1 locks and 2N+1
- * unlocks. Also note that the lock is not held when the while
- * condition is tested, which may or may not be important, depending
- * on the expression.
- *
- * As written:
- *
- * LOCK();
- * while (expression) {
- * ...
- * UNLOCK();
- *
- * Unlocked part here...
- *
- * LOCK();
- * ...
- * }
- * UNLOCK();
- *
- * For N iterations of the loop, this code does N+1 locks and N+1
- * unlocks. The while expression is always protected by the lock.
- */
-
-#ifndef ISC_PLATFORM_USETHREADS
- ISC_LIST_INIT(ready_tasks);
-#endif
- LOCK(&manager->lock);
- while (!FINISHED(manager)) {
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * For reasons similar to those given in the comment in
- * isc_task_send() above, it is safe for us to dequeue
- * the task while only holding the manager lock, and then
- * change the task to running state while only holding the
- * task lock.
- */
- while ((EMPTY(manager->ready_tasks) ||
- manager->exclusive_requested) &&
- !FINISHED(manager))
- {
- XTHREADTRACE(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_WAIT, "wait"));
- WAIT(&manager->work_available, &manager->lock);
- XTHREADTRACE(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TASK,
- ISC_MSG_AWAKE, "awake"));
- }
-#else /* ISC_PLATFORM_USETHREADS */
- if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
- EMPTY(manager->ready_tasks))
- break;
-#endif /* ISC_PLATFORM_USETHREADS */
- XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
- ISC_MSG_WORKING, "working"));
-
- task = HEAD(manager->ready_tasks);
- if (task != NULL) {
- unsigned int dispatch_count = 0;
- isc_boolean_t done = ISC_FALSE;
- isc_boolean_t requeue = ISC_FALSE;
- isc_boolean_t finished = ISC_FALSE;
- isc_event_t *event;
-
- INSIST(VALID_TASK(task));
-
- /*
- * Note we only unlock the manager lock if we actually
- * have a task to do. We must reacquire the manager
- * lock before exiting the 'if (task != NULL)' block.
- */
- DEQUEUE(manager->ready_tasks, task, ready_link);
- manager->tasks_running++;
- UNLOCK(&manager->lock);
-
- LOCK(&task->lock);
- INSIST(task->state == task_state_ready);
- task->state = task_state_running;
- XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_RUNNING, "running"));
- isc_stdtime_get(&task->now);
- do {
- if (!EMPTY(task->events)) {
- event = HEAD(task->events);
- DEQUEUE(task->events, event, ev_link);
-
- /*
- * Execute the event action.
- */
- XTRACE(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TASK,
- ISC_MSG_EXECUTE,
- "execute action"));
- if (event->ev_action != NULL) {
- UNLOCK(&task->lock);
- (event->ev_action)(task,event);
- LOCK(&task->lock);
- }
- dispatch_count++;
-#ifndef ISC_PLATFORM_USETHREADS
- total_dispatch_count++;
-#endif /* ISC_PLATFORM_USETHREADS */
- }
-
- if (task->references == 0 &&
- EMPTY(task->events) &&
- !TASK_SHUTTINGDOWN(task)) {
- isc_boolean_t was_idle;
-
- /*
- * There are no references and no
- * pending events for this task,
- * which means it will not become
- * runnable again via an external
- * action (such as sending an event
- * or detaching).
- *
- * We initiate shutdown to prevent
- * it from becoming a zombie.
- *
- * We do this here instead of in
- * the "if EMPTY(task->events)" block
- * below because:
- *
- * If we post no shutdown events,
- * we want the task to finish.
- *
- * If we did post shutdown events,
- * will still want the task's
- * quantum to be applied.
- */
- was_idle = task_shutdown(task);
- INSIST(!was_idle);
- }
-
- if (EMPTY(task->events)) {
- /*
- * Nothing else to do for this task
- * right now.
- */
- XTRACE(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TASK,
- ISC_MSG_EMPTY,
- "empty"));
- if (task->references == 0 &&
- TASK_SHUTTINGDOWN(task)) {
- /*
- * The task is done.
- */
- XTRACE(isc_msgcat_get(
- isc_msgcat,
- ISC_MSGSET_TASK,
- ISC_MSG_DONE,
- "done"));
- finished = ISC_TRUE;
- task->state = task_state_done;
- } else
- task->state = task_state_idle;
- done = ISC_TRUE;
- } else if (dispatch_count >= task->quantum) {
- /*
- * Our quantum has expired, but
- * there is more work to be done.
- * We'll requeue it to the ready
- * queue later.
- *
- * We don't check quantum until
- * dispatching at least one event,
- * so the minimum quantum is one.
- */
- XTRACE(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TASK,
- ISC_MSG_QUANTUM,
- "quantum"));
- task->state = task_state_ready;
- requeue = ISC_TRUE;
- done = ISC_TRUE;
- }
- } while (!done);
- UNLOCK(&task->lock);
-
- if (finished)
- task_finished(task);
-
- LOCK(&manager->lock);
- manager->tasks_running--;
-#ifdef ISC_PLATFORM_USETHREADS
- if (manager->exclusive_requested &&
- manager->tasks_running == 1) {
- SIGNAL(&manager->exclusive_granted);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
- if (requeue) {
- /*
- * We know we're awake, so we don't have
- * to wakeup any sleeping threads if the
- * ready queue is empty before we requeue.
- *
- * A possible optimization if the queue is
- * empty is to 'goto' the 'if (task != NULL)'
- * block, avoiding the ENQUEUE of the task
- * and the subsequent immediate DEQUEUE
- * (since it is the only executable task).
- * We don't do this because then we'd be
- * skipping the exit_requested check. The
- * cost of ENQUEUE is low anyway, especially
- * when you consider that we'd have to do
- * an extra EMPTY check to see if we could
- * do the optimization. If the ready queue
- * were usually nonempty, the 'optimization'
- * might even hurt rather than help.
- */
-#ifdef ISC_PLATFORM_USETHREADS
- ENQUEUE(manager->ready_tasks, task,
- ready_link);
-#else
- ENQUEUE(ready_tasks, task, ready_link);
-#endif
- }
- }
- }
-#ifndef ISC_PLATFORM_USETHREADS
- ISC_LIST_APPENDLIST(manager->ready_tasks, ready_tasks, ready_link);
-#endif
- UNLOCK(&manager->lock);
-}
-
-#ifdef ISC_PLATFORM_USETHREADS
-static isc_threadresult_t
-#ifdef _WIN32
-WINAPI
-#endif
-run(void *uap) {
- isc_taskmgr_t *manager = uap;
-
- XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_STARTING, "starting"));
-
- dispatch(manager);
-
- XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_EXITING, "exiting"));
-
- return ((isc_threadresult_t)0);
-}
-#endif /* ISC_PLATFORM_USETHREADS */
-
-static void
-manager_free(isc_taskmgr_t *manager) {
- isc_mem_t *mctx;
-
-#ifdef ISC_PLATFORM_USETHREADS
- (void)isc_condition_destroy(&manager->exclusive_granted);
- (void)isc_condition_destroy(&manager->work_available);
- isc_mem_free(manager->mctx, manager->threads);
-#endif /* ISC_PLATFORM_USETHREADS */
- DESTROYLOCK(&manager->lock);
- manager->magic = 0;
- mctx = manager->mctx;
- isc_mem_put(mctx, manager, sizeof(*manager));
- isc_mem_detach(&mctx);
-}
-
-isc_result_t
-isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
- unsigned int default_quantum, isc_taskmgr_t **managerp)
-{
- isc_result_t result;
- unsigned int i, started = 0;
- isc_taskmgr_t *manager;
-
- /*
- * Create a new task manager.
- */
-
- REQUIRE(workers > 0);
- REQUIRE(managerp != NULL && *managerp == NULL);
-
-#ifndef ISC_PLATFORM_USETHREADS
- UNUSED(i);
- UNUSED(started);
- UNUSED(workers);
-
- if (taskmgr != NULL) {
- taskmgr->refs++;
- *managerp = taskmgr;
- return (ISC_R_SUCCESS);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
-
- manager = isc_mem_get(mctx, sizeof(*manager));
- if (manager == NULL)
- return (ISC_R_NOMEMORY);
- manager->magic = TASK_MANAGER_MAGIC;
- manager->mctx = NULL;
- if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- result = ISC_R_UNEXPECTED;
- goto cleanup_mgr;
- }
-#ifdef ISC_PLATFORM_USETHREADS
- manager->workers = 0;
- manager->threads = isc_mem_allocate(mctx,
- workers * sizeof(isc_thread_t));
- if (manager->threads == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup_lock;
- }
- if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_condition_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- result = ISC_R_UNEXPECTED;
- goto cleanup_threads;
- }
- if (isc_condition_init(&manager->exclusive_granted) != ISC_R_SUCCESS) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_condition_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- result = ISC_R_UNEXPECTED;
- goto cleanup_workavailable;
- }
-#endif /* ISC_PLATFORM_USETHREADS */
- if (default_quantum == 0)
- default_quantum = DEFAULT_DEFAULT_QUANTUM;
- manager->default_quantum = default_quantum;
- INIT_LIST(manager->tasks);
- INIT_LIST(manager->ready_tasks);
- manager->tasks_running = 0;
- manager->exclusive_requested = ISC_FALSE;
- manager->exiting = ISC_FALSE;
-
- isc_mem_attach(mctx, &manager->mctx);
-
-#ifdef ISC_PLATFORM_USETHREADS
- LOCK(&manager->lock);
- /*
- * Start workers.
- */
- for (i = 0; i < workers; i++) {
- if (isc_thread_create(run, manager,
- &manager->threads[manager->workers]) ==
- ISC_R_SUCCESS) {
- manager->workers++;
- started++;
- }
- }
- UNLOCK(&manager->lock);
-
- if (started == 0) {
- manager_free(manager);
- return (ISC_R_NOTHREADS);
- }
- isc_thread_setconcurrency(workers);
-#else /* ISC_PLATFORM_USETHREADS */
- manager->refs = 1;
- taskmgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
-
- *managerp = manager;
-
- return (ISC_R_SUCCESS);
-
-#ifdef ISC_PLATFORM_USETHREADS
- cleanup_workavailable:
- (void)isc_condition_destroy(&manager->work_available);
- cleanup_threads:
- isc_mem_free(mctx, manager->threads);
- cleanup_lock:
- DESTROYLOCK(&manager->lock);
-#endif
- cleanup_mgr:
- isc_mem_put(mctx, manager, sizeof(*manager));
- return (result);
-}
-
-void
-isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
- isc_taskmgr_t *manager;
- isc_task_t *task;
- unsigned int i;
-
- /*
- * Destroy '*managerp'.
- */
-
- REQUIRE(managerp != NULL);
- manager = *managerp;
- REQUIRE(VALID_MANAGER(manager));
-
-#ifndef ISC_PLATFORM_USETHREADS
- UNUSED(i);
-
- if (manager->refs > 1) {
- manager->refs--;
- *managerp = NULL;
- return;
- }
-#endif /* ISC_PLATFORM_USETHREADS */
-
- XTHREADTRACE("isc_taskmgr_destroy");
- /*
- * Only one non-worker thread may ever call this routine.
- * If a worker thread wants to initiate shutdown of the
- * task manager, it should ask some non-worker thread to call
- * isc_taskmgr_destroy(), e.g. by signalling a condition variable
- * that the startup thread is sleeping on.
- */
-
- /*
- * Unlike elsewhere, we're going to hold this lock a long time.
- * We need to do so, because otherwise the list of tasks could
- * change while we were traversing it.
- *
- * This is also the only function where we will hold both the
- * task manager lock and a task lock at the same time.
- */
-
- LOCK(&manager->lock);
-
- /*
- * Make sure we only get called once.
- */
- INSIST(!manager->exiting);
- manager->exiting = ISC_TRUE;
-
- /*
- * Post shutdown event(s) to every task (if they haven't already been
- * posted).
- */
- for (task = HEAD(manager->tasks);
- task != NULL;
- task = NEXT(task, link)) {
- LOCK(&task->lock);
- if (task_shutdown(task))
- ENQUEUE(manager->ready_tasks, task, ready_link);
- UNLOCK(&task->lock);
- }
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * Wake up any sleeping workers. This ensures we get work done if
- * there's work left to do, and if there are already no tasks left
- * it will cause the workers to see manager->exiting.
- */
- BROADCAST(&manager->work_available);
- UNLOCK(&manager->lock);
-
- /*
- * Wait for all the worker threads to exit.
- */
- for (i = 0; i < manager->workers; i++)
- (void)isc_thread_join(manager->threads[i], NULL);
-#else /* ISC_PLATFORM_USETHREADS */
- /*
- * Dispatch the shutdown events.
- */
- UNLOCK(&manager->lock);
- while (isc__taskmgr_ready())
- (void)isc__taskmgr_dispatch();
- INSIST(ISC_LIST_EMPTY(manager->tasks));
-#endif /* ISC_PLATFORM_USETHREADS */
-
- manager_free(manager);
-
- *managerp = NULL;
-}
-
-#ifndef ISC_PLATFORM_USETHREADS
-isc_boolean_t
-isc__taskmgr_ready(void) {
- if (taskmgr == NULL)
- return (ISC_FALSE);
- return (ISC_TF(!ISC_LIST_EMPTY(taskmgr->ready_tasks)));
-}
-
-isc_result_t
-isc__taskmgr_dispatch(void) {
- isc_taskmgr_t *manager = taskmgr;
-
- if (taskmgr == NULL)
- return (ISC_R_NOTFOUND);
-
- dispatch(manager);
-
- return (ISC_R_SUCCESS);
-}
-
-#endif /* ISC_PLATFORM_USETHREADS */
-
-isc_result_t
-isc_task_beginexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS
- isc_taskmgr_t *manager = task->manager;
- REQUIRE(task->state == task_state_running);
- LOCK(&manager->lock);
- if (manager->exclusive_requested) {
- UNLOCK(&manager->lock);
- return (ISC_R_LOCKBUSY);
- }
- manager->exclusive_requested = ISC_TRUE;
- while (manager->tasks_running > 1) {
- WAIT(&manager->exclusive_granted, &manager->lock);
- }
- UNLOCK(&manager->lock);
-#else
- UNUSED(task);
-#endif
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_task_endexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS
- isc_taskmgr_t *manager = task->manager;
- REQUIRE(task->state == task_state_running);
- LOCK(&manager->lock);
- REQUIRE(manager->exclusive_requested);
- manager->exclusive_requested = ISC_FALSE;
- BROADCAST(&manager->work_available);
- UNLOCK(&manager->lock);
-#else
- UNUSED(task);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/task_p.h b/contrib/bind9/lib/isc/task_p.h
deleted file mode 100644
index f842c5bf712d..000000000000
--- a/contrib/bind9/lib/isc/task_p.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: task_p.h,v 1.6.206.1 2004/03/06 08:14:36 marka Exp $ */
-
-#ifndef ISC_TASK_P_H
-#define ISC_TASK_P_H
-
-isc_boolean_t
-isc__taskmgr_ready(void);
-
-isc_result_t
-isc__taskmgr_dispatch(void);
-
-#endif /* ISC_TASK_P_H */
diff --git a/contrib/bind9/lib/isc/taskpool.c b/contrib/bind9/lib/isc/taskpool.c
deleted file mode 100644
index 0b400bf722f6..000000000000
--- a/contrib/bind9/lib/isc/taskpool.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: taskpool.c,v 1.10.12.3 2004/03/08 09:04:50 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/taskpool.h>
-#include <isc/util.h>
-
-/***
- *** Types.
- ***/
-
-struct isc_taskpool {
- isc_mem_t * mctx;
- unsigned int ntasks;
- isc_task_t ** tasks;
-};
-/***
- *** Functions.
- ***/
-
-isc_result_t
-isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
- unsigned int ntasks, unsigned int quantum,
- isc_taskpool_t **poolp)
-{
- unsigned int i;
- isc_taskpool_t *pool;
- isc_result_t result;
-
- INSIST(ntasks > 0);
- pool = isc_mem_get(mctx, sizeof(*pool));
- if (pool == NULL)
- return (ISC_R_NOMEMORY);
- pool->mctx = mctx;
- pool->ntasks = ntasks;
- pool->tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
- for (i = 0; i < ntasks; i++)
- pool->tasks[i] = NULL;
- for (i = 0; i < ntasks; i++) {
- result = isc_task_create(tmgr, quantum, &pool->tasks[i]);
- if (result != ISC_R_SUCCESS) {
- isc_taskpool_destroy(&pool);
- return (result);
- }
- }
- *poolp = pool;
- return (ISC_R_SUCCESS);
-}
-
-void isc_taskpool_gettask(isc_taskpool_t *pool, unsigned int hash,
- isc_task_t **targetp)
-{
- isc_task_attach(pool->tasks[hash % pool->ntasks], targetp);
-}
-
-void
-isc_taskpool_destroy(isc_taskpool_t **poolp) {
- unsigned int i;
- isc_taskpool_t *pool = *poolp;
- for (i = 0; i < pool->ntasks; i++) {
- if (pool->tasks[i] != NULL) {
- isc_task_detach(&pool->tasks[i]);
- }
- }
- isc_mem_put(pool->mctx, pool->tasks,
- pool->ntasks * sizeof(isc_task_t *));
- isc_mem_put(pool->mctx, pool, sizeof(*pool));
- *poolp = NULL;
-}
-
-
diff --git a/contrib/bind9/lib/isc/timer.c b/contrib/bind9/lib/isc/timer.c
deleted file mode 100644
index 5426079397e0..000000000000
--- a/contrib/bind9/lib/isc/timer.c
+++ /dev/null
@@ -1,920 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer.c,v 1.64.12.11 2005/10/27 00:27:29 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/condition.h>
-#include <isc/heap.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/platform.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/time.h>
-#include <isc/timer.h>
-#include <isc/util.h>
-
-#ifndef ISC_PLATFORM_USETHREADS
-#include "timer_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
-
-#ifdef ISC_TIMER_TRACE
-#define XTRACE(s) fprintf(stderr, "%s\n", (s))
-#define XTRACEID(s, t) fprintf(stderr, "%s %p\n", (s), (t))
-#define XTRACETIME(s, d) fprintf(stderr, "%s %u.%09u\n", (s), \
- (d).seconds, (d).nanoseconds)
-#define XTRACETIME2(s, d, n) fprintf(stderr, "%s %u.%09u %u.%09u\n", (s), \
- (d).seconds, (d).nanoseconds, (n).seconds, (n).nanoseconds)
-#define XTRACETIMER(s, t, d) fprintf(stderr, "%s %p %u.%09u\n", (s), (t), \
- (d).seconds, (d).nanoseconds)
-#else
-#define XTRACE(s)
-#define XTRACEID(s, t)
-#define XTRACETIME(s, d)
-#define XTRACETIME2(s, d, n)
-#define XTRACETIMER(s, t, d)
-#endif /* ISC_TIMER_TRACE */
-
-#define TIMER_MAGIC ISC_MAGIC('T', 'I', 'M', 'R')
-#define VALID_TIMER(t) ISC_MAGIC_VALID(t, TIMER_MAGIC)
-
-struct isc_timer {
- /* Not locked. */
- unsigned int magic;
- isc_timermgr_t * manager;
- isc_mutex_t lock;
- /* Locked by timer lock. */
- unsigned int references;
- isc_time_t idle;
- /* Locked by manager lock. */
- isc_timertype_t type;
- isc_time_t expires;
- isc_interval_t interval;
- isc_task_t * task;
- isc_taskaction_t action;
- void * arg;
- unsigned int index;
- isc_time_t due;
- LINK(isc_timer_t) link;
-};
-
-#define TIMER_MANAGER_MAGIC ISC_MAGIC('T', 'I', 'M', 'M')
-#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, TIMER_MANAGER_MAGIC)
-
-struct isc_timermgr {
- /* Not locked. */
- unsigned int magic;
- isc_mem_t * mctx;
- isc_mutex_t lock;
- /* Locked by manager lock. */
- isc_boolean_t done;
- LIST(isc_timer_t) timers;
- unsigned int nscheduled;
- isc_time_t due;
-#ifdef ISC_PLATFORM_USETHREADS
- isc_condition_t wakeup;
- isc_thread_t thread;
-#else /* ISC_PLATFORM_USETHREADS */
- unsigned int refs;
-#endif /* ISC_PLATFORM_USETHREADS */
- isc_heap_t * heap;
-};
-
-#ifndef ISC_PLATFORM_USETHREADS
-/*
- * If threads are not in use, there can be only one.
- */
-static isc_timermgr_t *timermgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
-
-static inline isc_result_t
-schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
- isc_result_t result;
- isc_timermgr_t *manager;
- isc_time_t due;
- int cmp;
-#ifdef ISC_PLATFORM_USETHREADS
- isc_boolean_t timedwait;
-#endif
-
- /*
- * Note: the caller must ensure locking.
- */
-
- REQUIRE(timer->type != isc_timertype_inactive);
-
-#ifndef ISC_PLATFORM_USETHREADS
- UNUSED(signal_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
-
- manager = timer->manager;
-
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * If the manager was timed wait, we may need to signal the
- * manager to force a wakeup.
- */
- timedwait = ISC_TF(manager->nscheduled > 0 &&
- isc_time_seconds(&manager->due) != 0);
-#endif
-
- /*
- * Compute the new due time.
- */
- if (timer->type != isc_timertype_once) {
- result = isc_time_add(now, &timer->interval, &due);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (timer->type == isc_timertype_limited &&
- isc_time_compare(&timer->expires, &due) < 0)
- due = timer->expires;
- } else {
- if (isc_time_isepoch(&timer->idle))
- due = timer->expires;
- else if (isc_time_isepoch(&timer->expires))
- due = timer->idle;
- else if (isc_time_compare(&timer->idle, &timer->expires) < 0)
- due = timer->idle;
- else
- due = timer->expires;
- }
-
- /*
- * Schedule the timer.
- */
-
- if (timer->index > 0) {
- /*
- * Already scheduled.
- */
- cmp = isc_time_compare(&due, &timer->due);
- timer->due = due;
- switch (cmp) {
- case -1:
- isc_heap_increased(manager->heap, timer->index);
- break;
- case 1:
- isc_heap_decreased(manager->heap, timer->index);
- break;
- case 0:
- /* Nothing to do. */
- break;
- }
- } else {
- timer->due = due;
- result = isc_heap_insert(manager->heap, timer);
- if (result != ISC_R_SUCCESS) {
- INSIST(result == ISC_R_NOMEMORY);
- return (ISC_R_NOMEMORY);
- }
- manager->nscheduled++;
- }
-
- XTRACETIMER(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
- ISC_MSG_SCHEDULE, "schedule"), timer, due);
-
- /*
- * If this timer is at the head of the queue, we need to ensure
- * that we won't miss it if it has a more recent due time than
- * the current "next" timer. We do this either by waking up the
- * run thread, or explicitly setting the value in the manager.
- */
-#ifdef ISC_PLATFORM_USETHREADS
-
- /*
- * This is a temporary (probably) hack to fix a bug on tru64 5.1
- * and 5.1a. Sometimes, pthread_cond_timedwait() doesn't actually
- * return when the time expires, so here, we check to see if
- * we're 15 seconds or more behind, and if we are, we signal
- * the dispatcher. This isn't such a bad idea as a general purpose
- * watchdog, so perhaps we should just leave it in here.
- */
- if (signal_ok && timedwait) {
- isc_interval_t fifteen;
- isc_time_t then;
-
- isc_interval_set(&fifteen, 15, 0);
- isc_time_add(&manager->due, &fifteen, &then);
-
- if (isc_time_compare(&then, now) < 0) {
- SIGNAL(&manager->wakeup);
- signal_ok = ISC_FALSE;
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_TIMER, ISC_LOG_WARNING,
- "*** POKED TIMER ***");
- }
- }
-
- if (timer->index == 1 && signal_ok) {
- XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
- ISC_MSG_SIGNALSCHED,
- "signal (schedule)"));
- SIGNAL(&manager->wakeup);
- }
-#else /* ISC_PLATFORM_USETHREADS */
- if (timer->index == 1 &&
- isc_time_compare(&timer->due, &manager->due) < 0)
- manager->due = timer->due;
-#endif /* ISC_PLATFORM_USETHREADS */
-
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-deschedule(isc_timer_t *timer) {
- isc_boolean_t need_wakeup = ISC_FALSE;
- isc_timermgr_t *manager;
-
- /*
- * The caller must ensure locking.
- */
-
- manager = timer->manager;
- if (timer->index > 0) {
- if (timer->index == 1)
- need_wakeup = ISC_TRUE;
- isc_heap_delete(manager->heap, timer->index);
- timer->index = 0;
- INSIST(manager->nscheduled > 0);
- manager->nscheduled--;
-#ifdef ISC_PLATFORM_USETHREADS
- if (need_wakeup) {
- XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
- ISC_MSG_SIGNALDESCHED,
- "signal (deschedule)"));
- SIGNAL(&manager->wakeup);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
- }
-}
-
-static void
-destroy(isc_timer_t *timer) {
- isc_timermgr_t *manager = timer->manager;
-
- /*
- * The caller must ensure it is safe to destroy the timer.
- */
-
- LOCK(&manager->lock);
-
- (void)isc_task_purgerange(timer->task,
- timer,
- ISC_TIMEREVENT_FIRSTEVENT,
- ISC_TIMEREVENT_LASTEVENT,
- NULL);
- deschedule(timer);
- UNLINK(manager->timers, timer, link);
-
- UNLOCK(&manager->lock);
-
- isc_task_detach(&timer->task);
- DESTROYLOCK(&timer->lock);
- timer->magic = 0;
- isc_mem_put(manager->mctx, timer, sizeof(*timer));
-}
-
-isc_result_t
-isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
- isc_time_t *expires, isc_interval_t *interval,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_timer_t **timerp)
-{
- isc_timer_t *timer;
- isc_result_t result;
- isc_time_t now;
-
- /*
- * Create a new 'type' timer managed by 'manager'. The timers
- * parameters are specified by 'expires' and 'interval'. Events
- * will be posted to 'task' and when dispatched 'action' will be
- * called with 'arg' as the arg value. The new timer is returned
- * in 'timerp'.
- */
-
- REQUIRE(VALID_MANAGER(manager));
- REQUIRE(task != NULL);
- REQUIRE(action != NULL);
- if (expires == NULL)
- expires = isc_time_epoch;
- if (interval == NULL)
- interval = isc_interval_zero;
- REQUIRE(type == isc_timertype_inactive ||
- !(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
- REQUIRE(timerp != NULL && *timerp == NULL);
- REQUIRE(type != isc_timertype_limited ||
- !(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
-
- /*
- * Get current time.
- */
- if (type != isc_timertype_inactive) {
- TIME_NOW(&now);
- } else {
- /*
- * We don't have to do this, but it keeps the compiler from
- * complaining about "now" possibly being used without being
- * set, even though it will never actually happen.
- */
- isc_time_settoepoch(&now);
- }
-
-
- timer = isc_mem_get(manager->mctx, sizeof(*timer));
- if (timer == NULL)
- return (ISC_R_NOMEMORY);
-
- timer->manager = manager;
- timer->references = 1;
-
- if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
- result = isc_time_add(&now, interval, &timer->idle);
- if (result != ISC_R_SUCCESS)
- return (result);
- } else
- isc_time_settoepoch(&timer->idle);
-
- timer->type = type;
- timer->expires = *expires;
- timer->interval = *interval;
- timer->task = NULL;
- isc_task_attach(task, &timer->task);
- timer->action = action;
- /*
- * Removing the const attribute from "arg" is the best of two
- * evils here. If the timer->arg member is made const, then
- * it affects a great many recipients of the timer event
- * which did not pass in an "arg" that was truly const.
- * Changing isc_timer_create() to not have "arg" prototyped as const,
- * though, can cause compilers warnings for calls that *do*
- * have a truly const arg. The caller will have to carefully
- * keep track of whether arg started as a true const.
- */
- DE_CONST(arg, timer->arg);
- timer->index = 0;
- if (isc_mutex_init(&timer->lock) != ISC_R_SUCCESS) {
- isc_task_detach(&timer->task);
- isc_mem_put(manager->mctx, timer, sizeof(*timer));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
- ISC_LINK_INIT(timer, link);
- timer->magic = TIMER_MAGIC;
-
- LOCK(&manager->lock);
-
- /*
- * Note we don't have to lock the timer like we normally would because
- * there are no external references to it yet.
- */
-
- if (type != isc_timertype_inactive)
- result = schedule(timer, &now, ISC_TRUE);
- else
- result = ISC_R_SUCCESS;
- if (result == ISC_R_SUCCESS)
- APPEND(manager->timers, timer, link);
-
- UNLOCK(&manager->lock);
-
- if (result != ISC_R_SUCCESS) {
- timer->magic = 0;
- DESTROYLOCK(&timer->lock);
- isc_task_detach(&timer->task);
- isc_mem_put(manager->mctx, timer, sizeof(*timer));
- return (result);
- }
-
- *timerp = timer;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
- isc_time_t *expires, isc_interval_t *interval,
- isc_boolean_t purge)
-{
- isc_time_t now;
- isc_timermgr_t *manager;
- isc_result_t result;
-
- /*
- * Change the timer's type, expires, and interval values to the given
- * values. If 'purge' is ISC_TRUE, any pending events from this timer
- * are purged from its task's event queue.
- */
-
- REQUIRE(VALID_TIMER(timer));
- manager = timer->manager;
- REQUIRE(VALID_MANAGER(manager));
- if (expires == NULL)
- expires = isc_time_epoch;
- if (interval == NULL)
- interval = isc_interval_zero;
- REQUIRE(type == isc_timertype_inactive ||
- !(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
- REQUIRE(type != isc_timertype_limited ||
- !(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
-
- /*
- * Get current time.
- */
- if (type != isc_timertype_inactive) {
- TIME_NOW(&now);
- } else {
- /*
- * We don't have to do this, but it keeps the compiler from
- * complaining about "now" possibly being used without being
- * set, even though it will never actually happen.
- */
- isc_time_settoepoch(&now);
- }
-
- manager = timer->manager;
-
- LOCK(&manager->lock);
- LOCK(&timer->lock);
-
- if (purge)
- (void)isc_task_purgerange(timer->task,
- timer,
- ISC_TIMEREVENT_FIRSTEVENT,
- ISC_TIMEREVENT_LASTEVENT,
- NULL);
- timer->type = type;
- timer->expires = *expires;
- timer->interval = *interval;
- if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
- result = isc_time_add(&now, interval, &timer->idle);
- } else {
- isc_time_settoepoch(&timer->idle);
- result = ISC_R_SUCCESS;
- }
-
- if (result == ISC_R_SUCCESS) {
- if (type == isc_timertype_inactive) {
- deschedule(timer);
- result = ISC_R_SUCCESS;
- } else
- result = schedule(timer, &now, ISC_TRUE);
- }
-
- UNLOCK(&timer->lock);
- UNLOCK(&manager->lock);
-
- return (result);
-}
-
-isc_timertype_t
-isc_timer_gettype(isc_timer_t *timer) {
- isc_timertype_t t;
-
- REQUIRE(VALID_TIMER(timer));
-
- LOCK(&timer->lock);
- t = timer->type;
- UNLOCK(&timer->lock);
-
- return (t);
-}
-
-isc_result_t
-isc_timer_touch(isc_timer_t *timer) {
- isc_result_t result;
- isc_time_t now;
-
- /*
- * Set the last-touched time of 'timer' to the current time.
- */
-
- REQUIRE(VALID_TIMER(timer));
-
- LOCK(&timer->lock);
-
- /*
- * We'd like to
- *
- * REQUIRE(timer->type == isc_timertype_once);
- *
- * but we cannot without locking the manager lock too, which we
- * don't want to do.
- */
-
- TIME_NOW(&now);
- result = isc_time_add(&now, &timer->interval, &timer->idle);
-
- UNLOCK(&timer->lock);
-
- return (result);
-}
-
-void
-isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
- /*
- * Attach *timerp to timer.
- */
-
- REQUIRE(VALID_TIMER(timer));
- REQUIRE(timerp != NULL && *timerp == NULL);
-
- LOCK(&timer->lock);
- timer->references++;
- UNLOCK(&timer->lock);
-
- *timerp = timer;
-}
-
-void
-isc_timer_detach(isc_timer_t **timerp) {
- isc_timer_t *timer;
- isc_boolean_t free_timer = ISC_FALSE;
-
- /*
- * Detach *timerp from its timer.
- */
-
- REQUIRE(timerp != NULL);
- timer = *timerp;
- REQUIRE(VALID_TIMER(timer));
-
- LOCK(&timer->lock);
- REQUIRE(timer->references > 0);
- timer->references--;
- if (timer->references == 0)
- free_timer = ISC_TRUE;
- UNLOCK(&timer->lock);
-
- if (free_timer)
- destroy(timer);
-
- *timerp = NULL;
-}
-
-static void
-dispatch(isc_timermgr_t *manager, isc_time_t *now) {
- isc_boolean_t done = ISC_FALSE, post_event, need_schedule;
- isc_event_t *event;
- isc_eventtype_t type = 0;
- isc_timer_t *timer;
- isc_result_t result;
-
- /*
- * The caller must be holding the manager lock.
- */
-
- while (manager->nscheduled > 0 && !done) {
- timer = isc_heap_element(manager->heap, 1);
- INSIST(timer->type != isc_timertype_inactive);
- if (isc_time_compare(now, &timer->due) >= 0) {
- if (timer->type == isc_timertype_ticker) {
- type = ISC_TIMEREVENT_TICK;
- post_event = ISC_TRUE;
- need_schedule = ISC_TRUE;
- } else if (timer->type == isc_timertype_limited) {
- int cmp;
- cmp = isc_time_compare(now, &timer->expires);
- if (cmp >= 0) {
- type = ISC_TIMEREVENT_LIFE;
- post_event = ISC_TRUE;
- need_schedule = ISC_FALSE;
- } else {
- type = ISC_TIMEREVENT_TICK;
- post_event = ISC_TRUE;
- need_schedule = ISC_TRUE;
- }
- } else if (!isc_time_isepoch(&timer->expires) &&
- isc_time_compare(now,
- &timer->expires) >= 0) {
- type = ISC_TIMEREVENT_LIFE;
- post_event = ISC_TRUE;
- need_schedule = ISC_FALSE;
- } else if (!isc_time_isepoch(&timer->idle) &&
- isc_time_compare(now,
- &timer->idle) >= 0) {
- type = ISC_TIMEREVENT_IDLE;
- post_event = ISC_TRUE;
- need_schedule = ISC_FALSE;
- } else {
- /*
- * Idle timer has been touched; reschedule.
- */
- XTRACEID(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TIMER,
- ISC_MSG_IDLERESCHED,
- "idle reschedule"),
- timer);
- post_event = ISC_FALSE;
- need_schedule = ISC_TRUE;
- }
-
- if (post_event) {
- XTRACEID(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TIMER,
- ISC_MSG_POSTING,
- "posting"), timer);
- /*
- * XXX We could preallocate this event.
- */
- event = isc_event_allocate(manager->mctx,
- timer,
- type,
- timer->action,
- timer->arg,
- sizeof(*event));
-
- if (event != NULL)
- isc_task_send(timer->task, &event);
- else
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TIMER,
- ISC_MSG_EVENTNOTALLOC,
- "couldn't "
- "allocate event"));
- }
-
- timer->index = 0;
- isc_heap_delete(manager->heap, 1);
- manager->nscheduled--;
-
- if (need_schedule) {
- result = schedule(timer, now, ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_TIMER,
- ISC_MSG_SCHEDFAIL,
- "couldn't "
- "schedule timer: %u"),
- result);
- }
- } else {
- manager->due = timer->due;
- done = ISC_TRUE;
- }
- }
-}
-
-#ifdef ISC_PLATFORM_USETHREADS
-static isc_threadresult_t
-#ifdef _WIN32 /* XXXDCL */
-WINAPI
-#endif
-run(void *uap) {
- isc_timermgr_t *manager = uap;
- isc_time_t now;
- isc_result_t result;
-
- LOCK(&manager->lock);
- while (!manager->done) {
- TIME_NOW(&now);
-
- XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_RUNNING,
- "running"), now);
-
- dispatch(manager, &now);
-
- if (manager->nscheduled > 0) {
- XTRACETIME2(isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_WAITUNTIL,
- "waituntil"),
- manager->due, now);
- result = WAITUNTIL(&manager->wakeup, &manager->lock, &manager->due);
- INSIST(result == ISC_R_SUCCESS ||
- result == ISC_R_TIMEDOUT);
- } else {
- XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_WAIT, "wait"), now);
- WAIT(&manager->wakeup, &manager->lock);
- }
- XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
- ISC_MSG_WAKEUP, "wakeup"));
- }
- UNLOCK(&manager->lock);
-
- return ((isc_threadresult_t)0);
-}
-#endif /* ISC_PLATFORM_USETHREADS */
-
-static isc_boolean_t
-sooner(void *v1, void *v2) {
- isc_timer_t *t1, *t2;
-
- t1 = v1;
- t2 = v2;
- REQUIRE(VALID_TIMER(t1));
- REQUIRE(VALID_TIMER(t2));
-
- if (isc_time_compare(&t1->due, &t2->due) < 0)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-static void
-set_index(void *what, unsigned int index) {
- isc_timer_t *timer;
-
- timer = what;
- REQUIRE(VALID_TIMER(timer));
-
- timer->index = index;
-}
-
-isc_result_t
-isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
- isc_timermgr_t *manager;
- isc_result_t result;
-
- /*
- * Create a timer manager.
- */
-
- REQUIRE(managerp != NULL && *managerp == NULL);
-
-#ifndef ISC_PLATFORM_USETHREADS
- if (timermgr != NULL) {
- timermgr->refs++;
- *managerp = timermgr;
- return (ISC_R_SUCCESS);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
-
- manager = isc_mem_get(mctx, sizeof(*manager));
- if (manager == NULL)
- return (ISC_R_NOMEMORY);
-
- manager->magic = TIMER_MANAGER_MAGIC;
- manager->mctx = NULL;
- manager->done = ISC_FALSE;
- INIT_LIST(manager->timers);
- manager->nscheduled = 0;
- isc_time_settoepoch(&manager->due);
- manager->heap = NULL;
- result = isc_heap_create(mctx, sooner, set_index, 0, &manager->heap);
- if (result != ISC_R_SUCCESS) {
- INSIST(result == ISC_R_NOMEMORY);
- isc_mem_put(mctx, manager, sizeof(*manager));
- return (ISC_R_NOMEMORY);
- }
- if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
- isc_heap_destroy(&manager->heap);
- isc_mem_put(mctx, manager, sizeof(*manager));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
- isc_mem_attach(mctx, &manager->mctx);
-#ifdef ISC_PLATFORM_USETHREADS
- if (isc_condition_init(&manager->wakeup) != ISC_R_SUCCESS) {
- isc_mem_detach(&manager->mctx);
- DESTROYLOCK(&manager->lock);
- isc_heap_destroy(&manager->heap);
- isc_mem_put(mctx, manager, sizeof(*manager));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_condition_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
- if (isc_thread_create(run, manager, &manager->thread) !=
- ISC_R_SUCCESS) {
- isc_mem_detach(&manager->mctx);
- (void)isc_condition_destroy(&manager->wakeup);
- DESTROYLOCK(&manager->lock);
- isc_heap_destroy(&manager->heap);
- isc_mem_put(mctx, manager, sizeof(*manager));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_thread_create() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
-#else /* ISC_PLATFORM_USETHREADS */
- manager->refs = 1;
- timermgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
-
- *managerp = manager;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_timermgr_poke(isc_timermgr_t *manager) {
-#ifdef ISC_PLATFORM_USETHREADS
- REQUIRE(VALID_MANAGER(manager));
-
- SIGNAL(&manager->wakeup);
-#else
- UNUSED(manager);
-#endif
-}
-
-void
-isc_timermgr_destroy(isc_timermgr_t **managerp) {
- isc_timermgr_t *manager;
- isc_mem_t *mctx;
-
- /*
- * Destroy a timer manager.
- */
-
- REQUIRE(managerp != NULL);
- manager = *managerp;
- REQUIRE(VALID_MANAGER(manager));
-
- LOCK(&manager->lock);
-
-#ifndef ISC_PLATFORM_USETHREADS
- if (manager->refs > 1) {
- manager->refs--;
- UNLOCK(&manager->lock);
- *managerp = NULL;
- return;
- }
-
- isc__timermgr_dispatch();
-#endif /* ISC_PLATFORM_USETHREADS */
-
- REQUIRE(EMPTY(manager->timers));
- manager->done = ISC_TRUE;
-
-#ifdef ISC_PLATFORM_USETHREADS
- XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
- ISC_MSG_SIGNALDESTROY, "signal (destroy)"));
- SIGNAL(&manager->wakeup);
-#endif /* ISC_PLATFORM_USETHREADS */
-
- UNLOCK(&manager->lock);
-
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * Wait for thread to exit.
- */
- if (isc_thread_join(manager->thread, NULL) != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_thread_join() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
-#endif /* ISC_PLATFORM_USETHREADS */
-
- /*
- * Clean up.
- */
-#ifdef ISC_PLATFORM_USETHREADS
- (void)isc_condition_destroy(&manager->wakeup);
-#endif /* ISC_PLATFORM_USETHREADS */
- DESTROYLOCK(&manager->lock);
- isc_heap_destroy(&manager->heap);
- manager->magic = 0;
- mctx = manager->mctx;
- isc_mem_put(mctx, manager, sizeof(*manager));
- isc_mem_detach(&mctx);
-
- *managerp = NULL;
-}
-
-#ifndef ISC_PLATFORM_USETHREADS
-isc_result_t
-isc__timermgr_nextevent(isc_time_t *when) {
- if (timermgr == NULL || timermgr->nscheduled == 0)
- return (ISC_R_NOTFOUND);
- *when = timermgr->due;
- return (ISC_R_SUCCESS);
-}
-
-void
-isc__timermgr_dispatch(void) {
- isc_time_t now;
- if (timermgr == NULL)
- return;
- TIME_NOW(&now);
- dispatch(timermgr, &now);
-}
-#endif /* ISC_PLATFORM_USETHREADS */
diff --git a/contrib/bind9/lib/isc/timer_p.h b/contrib/bind9/lib/isc/timer_p.h
deleted file mode 100644
index ad7a5d042b22..000000000000
--- a/contrib/bind9/lib/isc/timer_p.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: timer_p.h,v 1.4.12.3 2004/03/08 09:04:50 marka Exp $ */
-
-#ifndef ISC_TIMER_P_H
-#define ISC_TIMER_P_H
-
-isc_result_t
-isc__timermgr_nextevent(isc_time_t *when);
-
-void
-isc__timermgr_dispatch(void);
-
-#endif /* ISC_TIMER_P_H */
diff --git a/contrib/bind9/lib/isc/unix/Makefile.in b/contrib/bind9/lib/isc/unix/Makefile.in
deleted file mode 100644
index 49845d420d5b..000000000000
--- a/contrib/bind9/lib/isc/unix/Makefile.in
+++ /dev/null
@@ -1,51 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.35.2.1.10.2 2004/06/22 02:48:36 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-CINCLUDES = -I${srcdir}/include \
- -I${srcdir}/../@ISC_THREAD_DIR@/include \
- -I../include \
- -I${srcdir}/../include \
- -I${srcdir}/..
-
-CDEFINES =
-CWARNINGS =
-
-# Alphabetically
-OBJS = @ISC_IPV6_O@ \
- app.@O@ dir.@O@ entropy.@O@ errno2result.@O@ file.@O@ \
- fsaccess.@O@ interfaceiter.@O@ keyboard.@O@ net.@O@ \
- os.@O@ resource.@O@ socket.@O@ stdio.@O@ stdtime.@O@ \
- strerror.@O@ syslog.@O@ time.@O@
-
-# Alphabetically
-SRCS = @ISC_IPV6_C@ \
- app.c dir.c entropy.c errno2result.c file.c \
- fsaccess.c interfaceiter.c keyboard.c net.c \
- os.c resource.c socket.c stdio.c stdtime.c \
- strerror.c syslog.c time.c
-
-SUBDIRS = include
-TARGETS = ${OBJS}
-
-@BIND9_MAKE_RULES@
-
-interfaceiter.@O@: interfaceiter.c ifiter_ioctl.c ifiter_sysctl.c ifiter_getifaddrs.c
-
diff --git a/contrib/bind9/lib/isc/unix/app.c b/contrib/bind9/lib/isc/unix/app.c
deleted file mode 100644
index 811d67be1ff6..000000000000
--- a/contrib/bind9/lib/isc/unix/app.c
+++ /dev/null
@@ -1,681 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: app.c,v 1.43.2.3.8.5 2004/03/08 02:08:05 marka Exp $ */
-
-#include <config.h>
-
-#include <sys/param.h> /* Openserver 5.0.6A and FD_SETSIZE */
-#include <sys/types.h>
-
-#include <stddef.h>
-#include <stdlib.h>
-#include <errno.h>
-#include <unistd.h>
-#include <signal.h>
-#include <sys/time.h>
-
-#include <isc/app.h>
-#include <isc/boolean.h>
-#include <isc/condition.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/event.h>
-#include <isc/platform.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/task.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#ifdef ISC_PLATFORM_USETHREADS
-#include <pthread.h>
-#else /* ISC_PLATFORM_USETHREADS */
-#include "../timer_p.h"
-#include "../task_p.h"
-#include "socket_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
-
-static isc_eventlist_t on_run;
-static isc_mutex_t lock;
-static isc_boolean_t shutdown_requested = ISC_FALSE;
-static isc_boolean_t running = ISC_FALSE;
-/*
- * We assume that 'want_shutdown' can be read and written atomically.
- */
-static isc_boolean_t want_shutdown = ISC_FALSE;
-/*
- * We assume that 'want_reload' can be read and written atomically.
- */
-static isc_boolean_t want_reload = ISC_FALSE;
-
-static isc_boolean_t blocked = ISC_FALSE;
-#ifdef ISC_PLATFORM_USETHREADS
-static pthread_t blockedthread;
-#endif /* ISC_PLATFORM_USETHREADS */
-
-#ifdef HAVE_LINUXTHREADS
-/*
- * Linux has sigwait(), but it appears to prevent signal handlers from
- * running, even if they're not in the set being waited for. This makes
- * it impossible to get the default actions for SIGILL, SIGSEGV, etc.
- * Instead of messing with it, we just use sigsuspend() instead.
- */
-#undef HAVE_SIGWAIT
-/*
- * We need to remember which thread is the main thread...
- */
-static pthread_t main_thread;
-#endif
-
-#ifndef HAVE_SIGWAIT
-static void
-exit_action(int arg) {
- UNUSED(arg);
- want_shutdown = ISC_TRUE;
-}
-
-static void
-reload_action(int arg) {
- UNUSED(arg);
- want_reload = ISC_TRUE;
-}
-#endif
-
-static isc_result_t
-handle_signal(int sig, void (*handler)(int)) {
- struct sigaction sa;
- char strbuf[ISC_STRERRORSIZE];
-
- memset(&sa, 0, sizeof(sa));
- sa.sa_handler = handler;
-
- if (sigfillset(&sa.sa_mask) != 0 ||
- sigaction(sig, &sa, NULL) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_APP,
- ISC_MSG_SIGNALSETUP,
- "handle_signal() %d setup: %s"),
- sig, strbuf);
- return (ISC_R_UNEXPECTED);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_app_start(void) {
- isc_result_t result;
- int presult;
- sigset_t sset;
- char strbuf[ISC_STRERRORSIZE];
-
- /*
- * Start an ISC library application.
- */
-
-#ifdef NEED_PTHREAD_INIT
- /*
- * BSDI 3.1 seg faults in pthread_sigmask() if we don't do this.
- */
- presult = pthread_init();
- if (presult != 0) {
- isc__strerror(presult, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_start() pthread_init: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
-#endif
-
-#ifdef HAVE_LINUXTHREADS
- main_thread = pthread_self();
-#endif
-
- result = isc_mutex_init(&lock);
- if (result != ISC_R_SUCCESS)
- return (result);
-
-#ifndef HAVE_SIGWAIT
- /*
- * Install do-nothing handlers for SIGINT and SIGTERM.
- *
- * We install them now because BSDI 3.1 won't block
- * the default actions, regardless of what we do with
- * pthread_sigmask().
- */
- result = handle_signal(SIGINT, exit_action);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = handle_signal(SIGTERM, exit_action);
- if (result != ISC_R_SUCCESS)
- return (result);
-#endif
-
- /*
- * Always ignore SIGPIPE.
- */
- result = handle_signal(SIGPIPE, SIG_IGN);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * On Solaris 2, delivery of a signal whose action is SIG_IGN
- * will not cause sigwait() to return. We may have inherited
- * unexpected actions for SIGHUP, SIGINT, and SIGTERM from our parent
- * process (e.g, Solaris cron). Set an action of SIG_DFL to make
- * sure sigwait() works as expected. Only do this for SIGTERM and
- * SIGINT if we don't have sigwait(), since a different handler is
- * installed above.
- */
- result = handle_signal(SIGHUP, SIG_DFL);
- if (result != ISC_R_SUCCESS)
- return (result);
-
-#ifdef HAVE_SIGWAIT
- result = handle_signal(SIGTERM, SIG_DFL);
- if (result != ISC_R_SUCCESS)
- return (result);
- result = handle_signal(SIGINT, SIG_DFL);
- if (result != ISC_R_SUCCESS)
- return (result);
-#endif
-
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * Block SIGHUP, SIGINT, SIGTERM.
- *
- * If isc_app_start() is called from the main thread before any other
- * threads have been created, then the pthread_sigmask() call below
- * will result in all threads having SIGHUP, SIGINT and SIGTERM
- * blocked by default, ensuring that only the thread that calls
- * sigwait() for them will get those signals.
- */
- if (sigemptyset(&sset) != 0 ||
- sigaddset(&sset, SIGHUP) != 0 ||
- sigaddset(&sset, SIGINT) != 0 ||
- sigaddset(&sset, SIGTERM) != 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_start() sigsetops: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
- presult = pthread_sigmask(SIG_BLOCK, &sset, NULL);
- if (presult != 0) {
- isc__strerror(presult, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_start() pthread_sigmask: %s",
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
-#else /* ISC_PLATFORM_USETHREADS */
- /*
- * Unblock SIGHUP, SIGINT, SIGTERM.
- *
- * If we're not using threads, we need to make sure that SIGHUP,
- * SIGINT and SIGTERM are not inherited as blocked from the parent
- * process.
- */
- if (sigemptyset(&sset) != 0 ||
- sigaddset(&sset, SIGHUP) != 0 ||
- sigaddset(&sset, SIGINT) != 0 ||
- sigaddset(&sset, SIGTERM) != 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_start() sigsetops: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
- presult = sigprocmask(SIG_UNBLOCK, &sset, NULL);
- if (presult != 0) {
- isc__strerror(presult, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_start() sigprocmask: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
-
- ISC_LIST_INIT(on_run);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
- void *arg)
-{
- isc_event_t *event;
- isc_task_t *cloned_task = NULL;
- isc_result_t result;
-
- LOCK(&lock);
-
- if (running) {
- result = ISC_R_ALREADYRUNNING;
- goto unlock;
- }
-
- /*
- * Note that we store the task to which we're going to send the event
- * in the event's "sender" field.
- */
- isc_task_attach(task, &cloned_task);
- event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
- action, arg, sizeof(*event));
- if (event == NULL) {
- result = ISC_R_NOMEMORY;
- goto unlock;
- }
-
- ISC_LIST_APPEND(on_run, event, ev_link);
-
- result = ISC_R_SUCCESS;
-
- unlock:
- UNLOCK(&lock);
-
- return (result);
-}
-
-#ifndef ISC_PLATFORM_USETHREADS
-/*
- * Event loop for nonthreaded programs.
- */
-static isc_result_t
-evloop() {
- isc_result_t result;
- while (!want_shutdown) {
- int n;
- isc_time_t when, now;
- struct timeval tv, *tvp;
- fd_set readfds, writefds;
- int maxfd;
- isc_boolean_t readytasks;
- isc_boolean_t call_timer_dispatch = ISC_FALSE;
-
- readytasks = isc__taskmgr_ready();
- if (readytasks) {
- tv.tv_sec = 0;
- tv.tv_usec = 0;
- tvp = &tv;
- call_timer_dispatch = ISC_TRUE;
- } else {
- result = isc__timermgr_nextevent(&when);
- if (result != ISC_R_SUCCESS)
- tvp = NULL;
- else {
- isc_uint64_t us;
-
- TIME_NOW(&now);
- us = isc_time_microdiff(&when, &now);
- if (us == 0)
- call_timer_dispatch = ISC_TRUE;
- tv.tv_sec = us / 1000000;
- tv.tv_usec = us % 1000000;
- tvp = &tv;
- }
- }
-
- isc__socketmgr_getfdsets(&readfds, &writefds, &maxfd);
- n = select(maxfd, &readfds, &writefds, NULL, tvp);
-
- if (n == 0 || call_timer_dispatch) {
- /*
- * We call isc__timermgr_dispatch() only when
- * necessary, in order to reduce overhead. If the
- * select() call indicates a timeout, we need the
- * dispatch. Even if not, if we set the 0-timeout
- * for the select() call, we need to check the timer
- * events. In the 'readytasks' case, there may be no
- * timeout event actually, but there is no other way
- * to reduce the overhead.
- * Note that we do not have to worry about the case
- * where a new timer is inserted during the select()
- * call, since this loop only runs in the non-thread
- * mode.
- */
- isc__timermgr_dispatch();
- }
- if (n > 0)
- (void)isc__socketmgr_dispatch(&readfds, &writefds,
- maxfd);
- (void)isc__taskmgr_dispatch();
-
- if (want_reload) {
- want_reload = ISC_FALSE;
- return (ISC_R_RELOAD);
- }
- }
- return (ISC_R_SUCCESS);
-}
-
-/*
- * This is a gross hack to support waiting for condition
- * variables in nonthreaded programs in a limited way;
- * see lib/isc/nothreads/include/isc/condition.h.
- * We implement isc_condition_wait() by entering the
- * event loop recursively until the want_shutdown flag
- * is set by isc_condition_signal().
- */
-
-/*
- * True iff we are currently executing in the recursive
- * event loop.
- */
-static isc_boolean_t in_recursive_evloop = ISC_FALSE;
-
-/*
- * True iff we are exiting the event loop as the result of
- * a call to isc_condition_signal() rather than a shutdown
- * or reload.
- */
-static isc_boolean_t signalled = ISC_FALSE;
-
-isc_result_t
-isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp) {
- isc_result_t result;
-
- UNUSED(cp);
- UNUSED(mp);
-
- INSIST(!in_recursive_evloop);
- in_recursive_evloop = ISC_TRUE;
-
- INSIST(*mp == 1); /* Mutex must be locked on entry. */
- --*mp;
-
- result = evloop();
- if (result == ISC_R_RELOAD)
- want_reload = ISC_TRUE;
- if (signalled) {
- want_shutdown = ISC_FALSE;
- signalled = ISC_FALSE;
- }
-
- ++*mp;
- in_recursive_evloop = ISC_FALSE;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc__nothread_signal_hack(isc_condition_t *cp) {
-
- UNUSED(cp);
-
- INSIST(in_recursive_evloop);
-
- want_shutdown = ISC_TRUE;
- signalled = ISC_TRUE;
- return (ISC_R_SUCCESS);
-}
-
-#endif /* ISC_PLATFORM_USETHREADS */
-
-isc_result_t
-isc_app_run(void) {
- int result;
- isc_event_t *event, *next_event;
- isc_task_t *task;
-#ifdef ISC_PLATFORM_USETHREADS
- sigset_t sset;
- char strbuf[ISC_STRERRORSIZE];
-#endif /* ISC_PLATFORM_USETHREADS */
-#ifdef HAVE_SIGWAIT
- int sig;
-#endif
-
-#ifdef HAVE_LINUXTHREADS
- REQUIRE(main_thread == pthread_self());
-#endif
-
- LOCK(&lock);
-
- if (!running) {
- running = ISC_TRUE;
-
- /*
- * Post any on-run events (in FIFO order).
- */
- for (event = ISC_LIST_HEAD(on_run);
- event != NULL;
- event = next_event) {
- next_event = ISC_LIST_NEXT(event, ev_link);
- ISC_LIST_UNLINK(on_run, event, ev_link);
- task = event->ev_sender;
- event->ev_sender = NULL;
- isc_task_sendanddetach(&task, &event);
- }
-
- }
-
- UNLOCK(&lock);
-
-#ifndef HAVE_SIGWAIT
- /*
- * Catch SIGHUP.
- *
- * We do this here to ensure that the signal handler is installed
- * (i.e. that it wasn't a "one-shot" handler).
- */
- result = handle_signal(SIGHUP, reload_action);
- if (result != ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
-#endif
-
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * There is no danger if isc_app_shutdown() is called before we wait
- * for signals. Signals are blocked, so any such signal will simply
- * be made pending and we will get it when we call sigwait().
- */
-
- while (!want_shutdown) {
-#ifdef HAVE_SIGWAIT
- /*
- * Wait for SIGHUP, SIGINT, or SIGTERM.
- */
- if (sigemptyset(&sset) != 0 ||
- sigaddset(&sset, SIGHUP) != 0 ||
- sigaddset(&sset, SIGINT) != 0 ||
- sigaddset(&sset, SIGTERM) != 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_run() sigsetops: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
-
-#ifndef HAVE_UNIXWARE_SIGWAIT
- result = sigwait(&sset, &sig);
- if (result == 0) {
- if (sig == SIGINT ||
- sig == SIGTERM)
- want_shutdown = ISC_TRUE;
- else if (sig == SIGHUP)
- want_reload = ISC_TRUE;
- }
-
-#else /* Using UnixWare sigwait semantics. */
- sig = sigwait(&sset);
- if (sig >= 0) {
- if (sig == SIGINT ||
- sig == SIGTERM)
- want_shutdown = ISC_TRUE;
- else if (sig == SIGHUP)
- want_reload = ISC_TRUE;
- }
-
-#endif /* HAVE_UNIXWARE_SIGWAIT */
-#else /* Don't have sigwait(). */
- /*
- * Listen for all signals.
- */
- if (sigemptyset(&sset) != 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_run() sigsetops: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
- result = sigsuspend(&sset);
-#endif /* HAVE_SIGWAIT */
-
- if (want_reload) {
- want_reload = ISC_FALSE;
- return (ISC_R_RELOAD);
- }
-
- if (want_shutdown && blocked)
- exit(1);
- }
-
-#else /* ISC_PLATFORM_USETHREADS */
-
- (void)isc__taskmgr_dispatch();
-
- result = evloop();
- if (result != ISC_R_SUCCESS)
- return (result);
-
-#endif /* ISC_PLATFORM_USETHREADS */
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_app_shutdown(void) {
- isc_boolean_t want_kill = ISC_TRUE;
- char strbuf[ISC_STRERRORSIZE];
-
- LOCK(&lock);
-
- REQUIRE(running);
-
- if (shutdown_requested)
- want_kill = ISC_FALSE;
- else
- shutdown_requested = ISC_TRUE;
-
- UNLOCK(&lock);
-
- if (want_kill) {
-#ifdef HAVE_LINUXTHREADS
- int result;
-
- result = pthread_kill(main_thread, SIGTERM);
- if (result != 0) {
- isc__strerror(result, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_shutdown() pthread_kill: %s",
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
-#else
- if (kill(getpid(), SIGTERM) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_shutdown() kill: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
-#endif
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_app_reload(void) {
- isc_boolean_t want_kill = ISC_TRUE;
- char strbuf[ISC_STRERRORSIZE];
-
- LOCK(&lock);
-
- REQUIRE(running);
-
- /*
- * Don't send the reload signal if we're shutting down.
- */
- if (shutdown_requested)
- want_kill = ISC_FALSE;
-
- UNLOCK(&lock);
-
- if (want_kill) {
-#ifdef HAVE_LINUXTHREADS
- int result;
-
- result = pthread_kill(main_thread, SIGHUP);
- if (result != 0) {
- isc__strerror(result, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_reload() pthread_kill: %s",
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
-#else
- if (kill(getpid(), SIGHUP) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_app_reload() kill: %s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
-#endif
- }
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_app_finish(void) {
- DESTROYLOCK(&lock);
-}
-
-void
-isc_app_block(void) {
-#ifdef ISC_PLATFORM_USETHREADS
- sigset_t sset;
-#endif /* ISC_PLATFORM_USETHREADS */
- REQUIRE(running);
- REQUIRE(!blocked);
-
- blocked = ISC_TRUE;
-#ifdef ISC_PLATFORM_USETHREADS
- blockedthread = pthread_self();
- RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
- sigaddset(&sset, SIGINT) == 0 &&
- sigaddset(&sset, SIGTERM) == 0);
- RUNTIME_CHECK(pthread_sigmask(SIG_UNBLOCK, &sset, NULL) == 0);
-#endif /* ISC_PLATFORM_USETHREADS */
-}
-
-void
-isc_app_unblock(void) {
-#ifdef ISC_PLATFORM_USETHREADS
- sigset_t sset;
-#endif /* ISC_PLATFORM_USETHREADS */
-
- REQUIRE(running);
- REQUIRE(blocked);
-
- blocked = ISC_FALSE;
-
-#ifdef ISC_PLATFORM_USETHREADS
- REQUIRE(blockedthread == pthread_self());
-
- RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
- sigaddset(&sset, SIGINT) == 0 &&
- sigaddset(&sset, SIGTERM) == 0);
- RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0);
-#endif /* ISC_PLATFORM_USETHREADS */
-}
diff --git a/contrib/bind9/lib/isc/unix/dir.c b/contrib/bind9/lib/isc/unix/dir.c
deleted file mode 100644
index 85a121739b4c..000000000000
--- a/contrib/bind9/lib/isc/unix/dir.c
+++ /dev/null
@@ -1,225 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dir.c,v 1.18.2.1.2.3 2004/03/08 09:04:55 marka Exp $ */
-
-/* Principal Authors: DCL */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <unistd.h>
-
-#include <isc/dir.h>
-#include <isc/magic.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-#define ISC_DIR_MAGIC ISC_MAGIC('D', 'I', 'R', '*')
-#define VALID_DIR(dir) ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
-
-void
-isc_dir_init(isc_dir_t *dir) {
- REQUIRE(dir != NULL);
-
- dir->entry.name[0] = '\0';
- dir->entry.length = 0;
-
- dir->handle = NULL;
-
- dir->magic = ISC_DIR_MAGIC;
-}
-
-/*
- * Allocate workspace and open directory stream. If either one fails,
- * NULL will be returned.
- */
-isc_result_t
-isc_dir_open(isc_dir_t *dir, const char *dirname) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(VALID_DIR(dir));
- REQUIRE(dirname != NULL);
-
- /*
- * Open stream.
- */
- dir->handle = opendir(dirname);
-
- if (dir->handle == NULL)
- return isc__errno2result(errno);
-
- return (result);
-}
-
-/*
- * Return previously retrieved file or get next one. Unix's dirent has
- * separate open and read functions, but the Win32 and DOS interfaces open
- * the dir stream and reads the first file in one operation.
- */
-isc_result_t
-isc_dir_read(isc_dir_t *dir) {
- struct dirent *entry;
-
- REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
-
- /*
- * Fetch next file in directory.
- */
- entry = readdir(dir->handle);
-
- if (entry == NULL)
- return (ISC_R_NOMORE);
-
- /*
- * Make sure that the space for the name is long enough.
- */
- if (sizeof(dir->entry.name) <= strlen(entry->d_name))
- return (ISC_R_UNEXPECTED);
-
- strcpy(dir->entry.name, entry->d_name);
-
- /*
- * Some dirents have d_namlen, but it is not portable.
- */
- dir->entry.length = strlen(entry->d_name);
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Close directory stream.
- */
-void
-isc_dir_close(isc_dir_t *dir) {
- REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
-
- (void)closedir(dir->handle);
- dir->handle = NULL;
-}
-
-/*
- * Reposition directory stream at start.
- */
-isc_result_t
-isc_dir_reset(isc_dir_t *dir) {
- REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
-
- rewinddir(dir->handle);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_dir_chdir(const char *dirname) {
- /*
- * Change the current directory to 'dirname'.
- */
-
- REQUIRE(dirname != NULL);
-
- if (chdir(dirname) < 0)
- return (isc__errno2result(errno));
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_dir_chroot(const char *dirname) {
-
- REQUIRE(dirname != NULL);
-
- if (chroot(dirname) < 0)
- return (isc__errno2result(errno));
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_dir_createunique(char *templet) {
- isc_result_t result;
- char *x;
- char *p;
- int i;
- int pid;
-
- REQUIRE(templet != NULL);
-
- /*
- * mkdtemp is not portable, so this emulates it.
- */
-
- pid = getpid();
-
- /*
- * Replace trailing Xs with the process-id, zero-filled.
- */
- for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet;
- x--, pid /= 10)
- *x = pid % 10 + '0';
-
- x++; /* Set x to start of ex-Xs. */
-
- do {
- i = mkdir(templet, 0700);
- if (i == 0 || errno != EEXIST)
- break;
-
- /*
- * The BSD algorithm.
- */
- p = x;
- while (*p != '\0') {
- if (isdigit(*p & 0xff))
- *p = 'a';
- else if (*p != 'z')
- ++*p;
- else {
- /*
- * Reset character and move to next.
- */
- *p++ = 'a';
- continue;
- }
-
- break;
- }
-
- if (*p == '\0') {
- /*
- * Tried all combinations. errno should already
- * be EEXIST, but ensure it is anyway for
- * isc__errno2result().
- */
- errno = EEXIST;
- break;
- }
- } while (1);
-
- if (i == -1)
- result = isc__errno2result(errno);
- else
- result = ISC_R_SUCCESS;
-
- return (result);
-}
diff --git a/contrib/bind9/lib/isc/unix/entropy.c b/contrib/bind9/lib/isc/unix/entropy.c
deleted file mode 100644
index 50506634e4cd..000000000000
--- a/contrib/bind9/lib/isc/unix/entropy.c
+++ /dev/null
@@ -1,598 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: entropy.c,v 1.60.2.3.8.11 2005/07/12 05:47:43 marka Exp $ */
-
-/*
- * This is the system depenedent part of the ISC entropy API.
- */
-
-#include <config.h>
-
-#include <sys/param.h> /* Openserver 5.0.6A and FD_SETSIZE */
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#include <unistd.h>
-
-#include <isc/platform.h>
-#include <isc/strerror.h>
-
-#ifdef ISC_PLATFORM_NEEDSYSSELECTH
-#include <sys/select.h>
-#endif
-
-#include "errno2result.h"
-
-/*
- * There is only one variable in the entropy data structures that is not
- * system independent, but pulling the structure that uses it into this file
- * ultimately means pulling several other independent structures here also to
- * resolve their interdependencies. Thus only the problem variable's type
- * is defined here.
- */
-#define FILESOURCE_HANDLE_TYPE int
-
-typedef struct {
- int handle;
- enum {
- isc_usocketsource_disconnected,
- isc_usocketsource_connecting,
- isc_usocketsource_connected,
- isc_usocketsource_ndesired,
- isc_usocketsource_wrote,
- isc_usocketsource_reading
- } status;
- size_t sz_to_recv;
-} isc_entropyusocketsource_t;
-
-#include "../entropy.c"
-
-static unsigned int
-get_from_filesource(isc_entropysource_t *source, isc_uint32_t desired) {
- isc_entropy_t *ent = source->ent;
- unsigned char buf[128];
- int fd = source->sources.file.handle;
- ssize_t n, ndesired;
- unsigned int added;
-
- if (source->bad)
- return (0);
-
- desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
-
- added = 0;
- while (desired > 0) {
- ndesired = ISC_MIN(desired, sizeof(buf));
- n = read(fd, buf, ndesired);
- if (n < 0) {
- if (errno == EAGAIN || errno == EINTR)
- goto out;
- goto err;
- }
- if (n == 0)
- goto err;
-
- entropypool_adddata(ent, buf, n, n * 8);
- added += n * 8;
- desired -= n;
- }
- goto out;
-
- err:
- (void)close(fd);
- source->sources.file.handle = -1;
- source->bad = ISC_TRUE;
-
- out:
- return (added);
-}
-
-static unsigned int
-get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
- isc_entropy_t *ent = source->ent;
- unsigned char buf[128];
- int fd = source->sources.usocket.handle;
- ssize_t n = 0, ndesired;
- unsigned int added;
- size_t sz_to_recv = source->sources.usocket.sz_to_recv;
-
- if (source->bad)
- return (0);
-
- desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
-
- added = 0;
- while (desired > 0) {
- ndesired = ISC_MIN(desired, sizeof(buf));
- eagain_loop:
-
- switch ( source->sources.usocket.status ) {
- case isc_usocketsource_ndesired:
- buf[0] = ndesired;
- if ((n = send(fd, buf, 1, 0)) < 0) {
- if (errno == EWOULDBLOCK || errno == EINTR ||
- errno == ECONNRESET)
- goto out;
- goto err;
- }
- INSIST(n == 1);
- source->sources.usocket.status =
- isc_usocketsource_wrote;
- goto eagain_loop;
-
- case isc_usocketsource_connecting:
- case isc_usocketsource_connected:
- buf[0] = 1;
- buf[1] = ndesired;
- if ((n = send(fd, buf, 2, 0)) < 0) {
- if (errno == EWOULDBLOCK || errno == EINTR ||
- errno == ECONNRESET)
- goto out;
- goto err;
- }
- if (n == 1) {
- source->sources.usocket.status =
- isc_usocketsource_ndesired;
- goto eagain_loop;
- }
- INSIST(n == 2);
- source->sources.usocket.status =
- isc_usocketsource_wrote;
- /*FALLTHROUGH*/
-
- case isc_usocketsource_wrote:
- if (recv(fd, buf, 1, 0) != 1) {
- if (errno == EAGAIN) {
- /*
- * The problem of EAGAIN (try again
- * later) is a major issue on HP-UX.
- * Solaris actually tries the recv
- * call again, while HP-UX just dies.
- * This code is an attempt to let the
- * entropy pool fill back up (at least
- * that's what I think the problem is.)
- * We go to eagain_loop because if we
- * just "break", then the "desired"
- * amount gets borked.
- */
- usleep(1000);
- goto eagain_loop;
- }
- if (errno == EWOULDBLOCK || errno == EINTR)
- goto out;
- goto err;
- }
- source->sources.usocket.status =
- isc_usocketsource_reading;
- sz_to_recv = buf[0];
- source->sources.usocket.sz_to_recv = sz_to_recv;
- if (sz_to_recv > sizeof(buf))
- goto err;
- /*FALLTHROUGH*/
-
- case isc_usocketsource_reading:
- if (sz_to_recv != 0U) {
- n = recv(fd, buf, sz_to_recv, 0);
- if (n < 0) {
- if (errno == EWOULDBLOCK ||
- errno == EINTR)
- goto out;
- goto err;
- }
- } else
- n = 0;
- break;
-
- default:
- goto err;
- }
-
- if ((size_t)n != sz_to_recv)
- source->sources.usocket.sz_to_recv -= n;
- else
- source->sources.usocket.status =
- isc_usocketsource_connected;
-
- if (n == 0)
- goto out;
-
- entropypool_adddata(ent, buf, n, n * 8);
- added += n * 8;
- desired -= n;
- }
- goto out;
-
- err:
- close(fd);
- source->bad = ISC_TRUE;
- source->sources.usocket.status = isc_usocketsource_disconnected;
- source->sources.usocket.handle = -1;
-
- out:
- return (added);
-}
-
-/*
- * Poll each source, trying to get data from it to stuff into the entropy
- * pool.
- */
-static void
-fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) {
- unsigned int added;
- unsigned int remaining;
- unsigned int needed;
- unsigned int nsource;
- isc_entropysource_t *source;
-
- REQUIRE(VALID_ENTROPY(ent));
-
- needed = desired;
-
- /*
- * This logic is a little strange, so an explanation is in order.
- *
- * If needed is 0, it means we are being asked to "fill to whatever
- * we think is best." This means that if we have at least a
- * partially full pool (say, > 1/4th of the pool) we probably don't
- * need to add anything.
- *
- * Also, we will check to see if the "pseudo" count is too high.
- * If it is, try to mix in better data. Too high is currently
- * defined as 1/4th of the pool.
- *
- * Next, if we are asked to add a specific bit of entropy, make
- * certain that we will do so. Clamp how much we try to add to
- * (DIGEST_SIZE * 8 < needed < POOLBITS - entropy).
- *
- * Note that if we are in a blocking mode, we will only try to
- * get as much data as we need, not as much as we might want
- * to build up.
- */
- if (needed == 0) {
- REQUIRE(!blocking);
-
- if ((ent->pool.entropy >= RND_POOLBITS / 4)
- && (ent->pool.pseudo <= RND_POOLBITS / 4))
- return;
-
- needed = THRESHOLD_BITS * 4;
- } else {
- needed = ISC_MAX(needed, THRESHOLD_BITS);
- needed = ISC_MIN(needed, RND_POOLBITS);
- }
-
- /*
- * In any case, clamp how much we need to how much we can add.
- */
- needed = ISC_MIN(needed, RND_POOLBITS - ent->pool.entropy);
-
- /*
- * But wait! If we're not yet initialized, we need at least
- * THRESHOLD_BITS
- * of randomness.
- */
- if (ent->initialized < THRESHOLD_BITS)
- needed = ISC_MAX(needed, THRESHOLD_BITS - ent->initialized);
-
- /*
- * Poll each file source to see if we can read anything useful from
- * it. XXXMLG When where are multiple sources, we should keep a
- * record of which one we last used so we can start from it (or the
- * next one) to avoid letting some sources build up entropy while
- * others are always drained.
- */
-
- added = 0;
- remaining = needed;
- if (ent->nextsource == NULL) {
- ent->nextsource = ISC_LIST_HEAD(ent->sources);
- if (ent->nextsource == NULL)
- return;
- }
- source = ent->nextsource;
- again_file:
- for (nsource = 0; nsource < ent->nsources; nsource++) {
- unsigned int got;
-
- if (remaining == 0)
- break;
-
- got = 0;
-
- switch ( source->type ) {
- case ENTROPY_SOURCETYPE_FILE:
- got = get_from_filesource(source, remaining);
- break;
-
- case ENTROPY_SOURCETYPE_USOCKET:
- got = get_from_usocketsource(source, remaining);
- break;
- }
-
- added += got;
-
- remaining -= ISC_MIN(remaining, got);
-
- source = ISC_LIST_NEXT(source, link);
- if (source == NULL)
- source = ISC_LIST_HEAD(ent->sources);
- }
- ent->nextsource = source;
-
- if (blocking && remaining != 0) {
- int fds;
-
- fds = wait_for_sources(ent);
- if (fds > 0)
- goto again_file;
- }
-
- /*
- * Here, if there are bits remaining to be had and we can block,
- * check to see if we have a callback source. If so, call them.
- */
- source = ISC_LIST_HEAD(ent->sources);
- while ((remaining != 0) && (source != NULL)) {
- unsigned int got;
-
- got = 0;
-
- if (source->type == ENTROPY_SOURCETYPE_CALLBACK)
- got = get_from_callback(source, remaining, blocking);
-
- added += got;
- remaining -= ISC_MIN(remaining, got);
-
- if (added >= needed)
- break;
-
- source = ISC_LIST_NEXT(source, link);
- }
-
- /*
- * Mark as initialized if we've added enough data.
- */
- if (ent->initialized < THRESHOLD_BITS)
- ent->initialized += added;
-}
-
-static int
-wait_for_sources(isc_entropy_t *ent) {
- isc_entropysource_t *source;
- int maxfd, fd;
- int cc;
- fd_set reads;
- fd_set writes;
-
- maxfd = -1;
- FD_ZERO(&reads);
- FD_ZERO(&writes);
-
- source = ISC_LIST_HEAD(ent->sources);
- while (source != NULL) {
- if (source->type == ENTROPY_SOURCETYPE_FILE) {
- fd = source->sources.file.handle;
- if (fd >= 0) {
- maxfd = ISC_MAX(maxfd, fd);
- FD_SET(fd, &reads);
- }
- }
- if (source->type == ENTROPY_SOURCETYPE_USOCKET) {
- fd = source->sources.usocket.handle;
- if (fd >= 0) {
- switch (source->sources.usocket.status) {
- case isc_usocketsource_disconnected:
- break;
- case isc_usocketsource_connecting:
- case isc_usocketsource_connected:
- case isc_usocketsource_ndesired:
- maxfd = ISC_MAX(maxfd, fd);
- FD_SET(fd, &writes);
- break;
- case isc_usocketsource_wrote:
- case isc_usocketsource_reading:
- maxfd = ISC_MAX(maxfd, fd);
- FD_SET(fd, &reads);
- break;
- }
- }
- }
- source = ISC_LIST_NEXT(source, link);
- }
-
- if (maxfd < 0)
- return (-1);
-
- cc = select(maxfd + 1, &reads, &writes, NULL, NULL);
- if (cc < 0)
- return (-1);
-
- return (cc);
-}
-
-static void
-destroyfilesource(isc_entropyfilesource_t *source) {
- (void)close(source->handle);
-}
-
-static void
-destroyusocketsource(isc_entropyusocketsource_t *source) {
- close(source->handle);
-}
-
-/*
- * Make a fd non-blocking
- */
-static isc_result_t
-make_nonblock(int fd) {
- int ret;
- int flags;
- char strbuf[ISC_STRERRORSIZE];
-#ifdef USE_FIONBIO_IOCTL
- int on = 1;
-
- ret = ioctl(fd, FIONBIO, (char *)&on);
-#else
- flags = fcntl(fd, F_GETFL, 0);
- flags |= PORT_NONBLOCK;
- ret = fcntl(fd, F_SETFL, flags);
-#endif
-
- if (ret == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
-#ifdef USE_FIONBIO_IOCTL
- "ioctl(%d, FIONBIO, &on): %s", fd,
-#else
- "fcntl(%d, F_SETFL, %d): %s", fd, flags,
-#endif
- strbuf);
-
- return (ISC_R_UNEXPECTED);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
- int fd;
- struct stat _stat;
- isc_boolean_t is_usocket = ISC_FALSE;
- isc_boolean_t is_connected = ISC_FALSE;
- isc_result_t ret;
- isc_entropysource_t *source;
-
- REQUIRE(VALID_ENTROPY(ent));
- REQUIRE(fname != NULL);
-
- LOCK(&ent->lock);
-
- source = NULL;
-
- if (stat(fname, &_stat) < 0) {
- ret = isc__errno2result(errno);
- goto errout;
- }
- /*
- * Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
- * but it does return type S_IFIFO (the OS believes that
- * the socket is a fifo). This may be an issue if we tell
- * the program to look at an actual FIFO as its source of
- * entropy.
- */
-#if defined(S_ISSOCK)
- if (S_ISSOCK(_stat.st_mode))
- is_usocket = ISC_TRUE;
-#endif
-#if defined(S_ISFIFO)
- if (S_ISFIFO(_stat.st_mode))
- is_usocket = ISC_TRUE;
-#endif
- if (is_usocket)
- fd = socket(PF_UNIX, SOCK_STREAM, 0);
- else
- fd = open(fname, O_RDONLY | PORT_NONBLOCK, 0);
-
- if (fd < 0) {
- ret = isc__errno2result(errno);
- goto errout;
- }
-
- ret = make_nonblock(fd);
- if (ret != ISC_R_SUCCESS)
- goto closefd;
-
- if (is_usocket) {
- struct sockaddr_un sname;
-
- memset(&sname, 0, sizeof(sname));
- sname.sun_family = AF_UNIX;
- strncpy(sname.sun_path, fname, sizeof(sname.sun_path));
- sname.sun_path[sizeof(sname.sun_path)-1] = '0';
-#ifdef ISC_PLATFORM_HAVESALEN
-#if !defined(SUN_LEN)
-#define SUN_LEN(su) \
- (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))
-#endif
- sname.sun_len = SUN_LEN(&sname);
-#endif
-
- if (connect(fd, (struct sockaddr *) &sname,
- sizeof(struct sockaddr_un)) < 0) {
- if (errno != EINPROGRESS) {
- ret = isc__errno2result(errno);
- goto closefd;
- }
- } else
- is_connected = ISC_TRUE;
- }
-
- source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
- if (source == NULL) {
- ret = ISC_R_NOMEMORY;
- goto closefd;
- }
-
- /*
- * From here down, no failures can occur.
- */
- source->magic = SOURCE_MAGIC;
- source->ent = ent;
- source->total = 0;
- source->bad = ISC_FALSE;
- memset(source->name, 0, sizeof(source->name));
- ISC_LINK_INIT(source, link);
- if (is_usocket) {
- source->sources.usocket.handle = fd;
- if (is_connected)
- source->sources.usocket.status =
- isc_usocketsource_connected;
- else
- source->sources.usocket.status =
- isc_usocketsource_connecting;
- source->sources.usocket.sz_to_recv = 0;
- source->type = ENTROPY_SOURCETYPE_USOCKET;
- } else {
- source->sources.file.handle = fd;
- source->type = ENTROPY_SOURCETYPE_FILE;
- }
-
- /*
- * Hook it into the entropy system.
- */
- ISC_LIST_APPEND(ent->sources, source, link);
- ent->nsources++;
-
- UNLOCK(&ent->lock);
- return (ISC_R_SUCCESS);
-
- closefd:
- (void)close(fd);
-
- errout:
- if (source != NULL)
- isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
-
- UNLOCK(&ent->lock);
-
- return (ret);
-}
diff --git a/contrib/bind9/lib/isc/unix/errno2result.c b/contrib/bind9/lib/isc/unix/errno2result.c
deleted file mode 100644
index 66a4e916d79c..000000000000
--- a/contrib/bind9/lib/isc/unix/errno2result.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: errno2result.c,v 1.8.2.4.8.1 2004/03/06 08:14:59 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/result.h>
-#include <isc/strerror.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-/*
- * Convert a POSIX errno value into an isc_result_t. The
- * list of supported errno values is not complete; new users
- * of this function should add any expected errors that are
- * not already there.
- */
-isc_result_t
-isc__errno2result(int posixerrno) {
- char strbuf[ISC_STRERRORSIZE];
-
- switch (posixerrno) {
- case ENOTDIR:
- case ELOOP:
- case EINVAL: /* XXX sometimes this is not for files */
- case ENAMETOOLONG:
- case EBADF:
- return (ISC_R_INVALIDFILE);
- case ENOENT:
- return (ISC_R_FILENOTFOUND);
- case EACCES:
- case EPERM:
- return (ISC_R_NOPERM);
- case EEXIST:
- return (ISC_R_FILEEXISTS);
- case EIO:
- return (ISC_R_IOERROR);
- case ENOMEM:
- return (ISC_R_NOMEMORY);
- case ENFILE:
- case EMFILE:
- return (ISC_R_TOOMANYOPENFILES);
- case EPIPE:
-#ifdef ECONNRESET
- case ECONNRESET:
-#endif
-#ifdef ECONNABORTED
- case ECONNABORTED:
-#endif
- return (ISC_R_CONNECTIONRESET);
-#ifdef ENOTCONN
- case ENOTCONN:
- return (ISC_R_NOTCONNECTED);
-#endif
-#ifdef ETIMEDOUT
- case ETIMEDOUT:
- return (ISC_R_TIMEDOUT);
-#endif
-#ifdef ENOBUFS
- case ENOBUFS:
- return (ISC_R_NORESOURCES);
-#endif
-#ifdef EAFNOSUPPORT
- case EAFNOSUPPORT:
- return (ISC_R_FAMILYNOSUPPORT);
-#endif
-#ifdef ENETDOWN
- case ENETDOWN:
- return (ISC_R_NETDOWN);
-#endif
-#ifdef EHOSTDOWN
- case EHOSTDOWN:
- return (ISC_R_HOSTDOWN);
-#endif
-#ifdef ENETUNREACH
- case ENETUNREACH:
- return (ISC_R_NETUNREACH);
-#endif
-#ifdef EHOSTUNREACH
- case EHOSTUNREACH:
- return (ISC_R_HOSTUNREACH);
-#endif
-#ifdef EADDRINUSE
- case EADDRINUSE:
- return (ISC_R_ADDRINUSE);
-#endif
- case EADDRNOTAVAIL:
- return (ISC_R_ADDRNOTAVAIL);
- case ECONNREFUSED:
- return (ISC_R_CONNREFUSED);
- default:
- isc__strerror(posixerrno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "unable to convert errno "
- "to isc_result: %d: %s",
- posixerrno, strbuf);
- /*
- * XXXDCL would be nice if perhaps this function could
- * return the system's error string, so the caller
- * might have something more descriptive than "unexpected
- * error" to log with.
- */
- return (ISC_R_UNEXPECTED);
- }
-}
diff --git a/contrib/bind9/lib/isc/unix/errno2result.h b/contrib/bind9/lib/isc/unix/errno2result.h
deleted file mode 100644
index 9a8d07c6d4cf..000000000000
--- a/contrib/bind9/lib/isc/unix/errno2result.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: errno2result.h,v 1.7.206.1 2004/03/06 08:14:59 marka Exp $ */
-
-#ifndef UNIX_ERRNO2RESULT_H
-#define UNIX_ERRNO2RESULT_H 1
-
-/* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
-
-#include <errno.h> /* Provides errno. */
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc__errno2result(int posixerrno);
-
-ISC_LANG_ENDDECLS
-
-#endif /* UNIX_ERRNO2RESULT_H */
diff --git a/contrib/bind9/lib/isc/unix/file.c b/contrib/bind9/lib/isc/unix/file.c
deleted file mode 100644
index 7ed6272efb73..000000000000
--- a/contrib/bind9/lib/isc/unix/file.c
+++ /dev/null
@@ -1,435 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Portions Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id: file.c,v 1.38.12.8 2004/03/16 05:50:25 marka Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <time.h> /* Required for utimes on some platforms. */
-#include <unistd.h> /* Required for mkstemp on NetBSD. */
-
-
-#include <sys/stat.h>
-#include <sys/time.h>
-
-#include <isc/dir.h>
-#include <isc/file.h>
-#include <isc/random.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-/*
- * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
- * it might be good to provide a mechanism that allows for the results
- * of a previous stat() to be used again without having to do another stat,
- * such as perl's mechanism of using "_" in place of a file name to indicate
- * that the results of the last stat should be used. But then you get into
- * annoying MP issues. BTW, Win32 has stat().
- */
-static isc_result_t
-file_stats(const char *file, struct stat *stats) {
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(file != NULL);
- REQUIRE(stats != NULL);
-
- if (stat(file, stats) != 0)
- result = isc__errno2result(errno);
-
- return (result);
-}
-
-isc_result_t
-isc_file_getmodtime(const char *file, isc_time_t *time) {
- isc_result_t result;
- struct stat stats;
-
- REQUIRE(file != NULL);
- REQUIRE(time != NULL);
-
- result = file_stats(file, &stats);
-
- if (result == ISC_R_SUCCESS)
- /*
- * XXXDCL some operating systems provide nanoseconds, too,
- * such as BSD/OS via st_mtimespec.
- */
- isc_time_set(time, stats.st_mtime, 0);
-
- return (result);
-}
-
-isc_result_t
-isc_file_settime(const char *file, isc_time_t *time) {
- struct timeval times[2];
-
- REQUIRE(file != NULL && time != NULL);
-
- /*
- * tv_sec is at least a 32 bit quantity on all platforms we're
- * dealing with, but it is signed on most (all?) of them,
- * so we need to make sure the high bit isn't set. This unfortunately
- * loses when either:
- * * tv_sec becomes a signed 64 bit integer but long is 32 bits
- * and isc_time_seconds > LONG_MAX, or
- * * isc_time_seconds is changed to be > 32 bits but long is 32 bits
- * and isc_time_seconds has at least 33 significant bits.
- */
- times[0].tv_sec = times[1].tv_sec = (long)isc_time_seconds(time);
-
- /*
- * Here is the real check for the high bit being set.
- */
- if ((times[0].tv_sec &
- (1ULL << (sizeof(times[0].tv_sec) * CHAR_BIT - 1))) != 0)
- return (ISC_R_RANGE);
-
- /*
- * isc_time_nanoseconds guarantees a value that divided by 1000 will
- * fit into the minimum possible size tv_usec field. Unfortunately,
- * we don't know what that type is so can't cast directly ... but
- * we can at least cast to signed so the IRIX compiler shuts up.
- */
- times[0].tv_usec = times[1].tv_usec =
- (isc_int32_t)(isc_time_nanoseconds(time) / 1000);
-
- if (utimes(file, times) < 0)
- return (isc__errno2result(errno));
-
- return (ISC_R_SUCCESS);
-}
-
-#undef TEMPLATE
-#define TEMPLATE "tmp-XXXXXXXXXX" /* 14 characters. */
-
-isc_result_t
-isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
- return (isc_file_template(path, TEMPLATE, buf, buflen));
-}
-
-isc_result_t
-isc_file_template(const char *path, const char *templet, char *buf,
- size_t buflen) {
- char *s;
-
- REQUIRE(path != NULL);
- REQUIRE(templet != NULL);
- REQUIRE(buf != NULL);
-
- s = strrchr(templet, '/');
- if (s != NULL)
- templet = s + 1;
-
- s = strrchr(path, '/');
-
- if (s != NULL) {
- if ((s - path + 1 + strlen(templet) + 1) > buflen)
- return (ISC_R_NOSPACE);
-
- strncpy(buf, path, s - path + 1);
- buf[s - path + 1] = '\0';
- strcat(buf, templet);
- } else {
- if ((strlen(templet) + 1) > buflen)
- return (ISC_R_NOSPACE);
-
- strcpy(buf, templet);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static char alphnum[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-
-isc_result_t
-isc_file_renameunique(const char *file, char *templet) {
- char *x;
- char *cp;
- isc_uint32_t which;
-
- REQUIRE(file != NULL);
- REQUIRE(templet != NULL);
-
- cp = templet;
- while (*cp != '\0')
- cp++;
- if (cp == templet)
- return (ISC_R_FAILURE);
-
- x = cp--;
- while (cp >= templet && *cp == 'X') {
- isc_random_get(&which);
- *cp = alphnum[which % (sizeof(alphnum) - 1)];
- x = cp--;
- }
- while (link(file, templet) == -1) {
- if (errno != EEXIST)
- return (isc__errno2result(errno));
- for (cp = x;;) {
- char *t;
- if (*cp == '\0')
- return (ISC_R_FAILURE);
- t = strchr(alphnum, *cp);
- if (t == NULL || *++t == '\0')
- *cp++ = alphnum[0];
- else {
- *cp = *t;
- break;
- }
- }
- }
- (void)unlink(file);
- return (ISC_R_SUCCESS);
-}
-
-
-isc_result_t
-isc_file_openunique(char *templet, FILE **fp) {
- int fd;
- FILE *f;
- isc_result_t result = ISC_R_SUCCESS;
- char *x;
- char *cp;
- isc_uint32_t which;
- int mode;
-
- REQUIRE(templet != NULL);
- REQUIRE(fp != NULL && *fp == NULL);
-
- cp = templet;
- while (*cp != '\0')
- cp++;
- if (cp == templet)
- return (ISC_R_FAILURE);
-
- x = cp--;
- while (cp >= templet && *cp == 'X') {
- isc_random_get(&which);
- *cp = alphnum[which % (sizeof(alphnum) - 1)];
- x = cp--;
- }
-
- mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
-
- while ((fd = open(templet, O_RDWR|O_CREAT|O_EXCL, mode)) == -1) {
- if (errno != EEXIST)
- return (isc__errno2result(errno));
- for (cp = x;;) {
- char *t;
- if (*cp == '\0')
- return (ISC_R_FAILURE);
- t = strchr(alphnum, *cp);
- if (t == NULL || *++t == '\0')
- *cp++ = alphnum[0];
- else {
- *cp = *t;
- break;
- }
- }
- }
- f = fdopen(fd, "w+");
- if (f == NULL) {
- result = isc__errno2result(errno);
- (void)remove(templet);
- (void)close(fd);
- } else
- *fp = f;
-
- return (result);
-}
-
-isc_result_t
-isc_file_remove(const char *filename) {
- int r;
-
- REQUIRE(filename != NULL);
-
- r = unlink(filename);
- if (r == 0)
- return (ISC_R_SUCCESS);
- else
- return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_file_rename(const char *oldname, const char *newname) {
- int r;
-
- REQUIRE(oldname != NULL);
- REQUIRE(newname != NULL);
-
- r = rename(oldname, newname);
- if (r == 0)
- return (ISC_R_SUCCESS);
- else
- return (isc__errno2result(errno));
-}
-
-isc_boolean_t
-isc_file_exists(const char *pathname) {
- struct stat stats;
-
- REQUIRE(pathname != NULL);
-
- return (ISC_TF(file_stats(pathname, &stats) == ISC_R_SUCCESS));
-}
-
-isc_boolean_t
-isc_file_isabsolute(const char *filename) {
- REQUIRE(filename != NULL);
- return (ISC_TF(filename[0] == '/'));
-}
-
-isc_boolean_t
-isc_file_iscurrentdir(const char *filename) {
- REQUIRE(filename != NULL);
- return (ISC_TF(filename[0] == '.' && filename[1] == '\0'));
-}
-
-isc_boolean_t
-isc_file_ischdiridempotent(const char *filename) {
- REQUIRE(filename != NULL);
- if (isc_file_isabsolute(filename))
- return (ISC_TRUE);
- if (isc_file_iscurrentdir(filename))
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-const char *
-isc_file_basename(const char *filename) {
- char *s;
-
- REQUIRE(filename != NULL);
-
- s = strrchr(filename, '/');
- if (s == NULL)
- return (filename);
-
- return (s + 1);
-}
-
-isc_result_t
-isc_file_progname(const char *filename, char *buf, size_t buflen) {
- const char *base;
- size_t len;
-
- REQUIRE(filename != NULL);
- REQUIRE(buf != NULL);
-
- base = isc_file_basename(filename);
- len = strlen(base) + 1;
-
- if (len > buflen)
- return (ISC_R_NOSPACE);
- memcpy(buf, base, len);
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Put the absolute name of the current directory into 'dirname', which is
- * a buffer of at least 'length' characters. End the string with the
- * appropriate path separator, such that the final product could be
- * concatenated with a relative pathname to make a valid pathname string.
- */
-static isc_result_t
-dir_current(char *dirname, size_t length) {
- char *cwd;
- isc_result_t result = ISC_R_SUCCESS;
-
- REQUIRE(dirname != NULL);
- REQUIRE(length > 0U);
-
- cwd = getcwd(dirname, length);
-
- if (cwd == NULL) {
- if (errno == ERANGE)
- result = ISC_R_NOSPACE;
- else
- result = isc__errno2result(errno);
- } else {
- if (strlen(dirname) + 1 == length)
- result = ISC_R_NOSPACE;
- else if (dirname[1] != '\0')
- strcat(dirname, "/");
- }
-
- return (result);
-}
-
-isc_result_t
-isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
- isc_result_t result;
- result = dir_current(path, pathlen);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (strlen(path) + strlen(filename) + 1 > pathlen)
- return (ISC_R_NOSPACE);
- strcat(path, filename);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_file_truncate(const char *filename, isc_offset_t size) {
- isc_result_t result = ISC_R_SUCCESS;
-
- if (truncate(filename, size) < 0)
- result = isc__errno2result(errno);
- return (result);
-}
diff --git a/contrib/bind9/lib/isc/unix/fsaccess.c b/contrib/bind9/lib/isc/unix/fsaccess.c
deleted file mode 100644
index 5fa4fb47495a..000000000000
--- a/contrib/bind9/lib/isc/unix/fsaccess.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: fsaccess.c,v 1.6.206.1 2004/03/06 08:14:59 marka Exp $ */
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <errno.h>
-
-#include "errno2result.h"
-
-/*
- * The OS-independent part of the API is in lib/isc.
- */
-#include "../fsaccess.c"
-
-isc_result_t
-isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
- struct stat statb;
- mode_t mode;
- isc_boolean_t is_dir = ISC_FALSE;
- isc_fsaccess_t bits;
- isc_result_t result;
-
- if (stat(path, &statb) != 0)
- return (isc__errno2result(errno));
-
- if ((statb.st_mode & S_IFDIR) != 0)
- is_dir = ISC_TRUE;
- else if ((statb.st_mode & S_IFREG) == 0)
- return (ISC_R_INVALIDFILE);
-
- result = check_bad_bits(access, is_dir);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- /*
- * Done with checking bad bits. Set mode_t.
- */
- mode = 0;
-
-#define SET_AND_CLEAR1(modebit) \
- if ((access & bits) != 0) { \
- mode |= modebit; \
- access &= ~bits; \
- }
-#define SET_AND_CLEAR(user, group, other) \
- SET_AND_CLEAR1(user); \
- bits <<= STEP; \
- SET_AND_CLEAR1(group); \
- bits <<= STEP; \
- SET_AND_CLEAR1(other);
-
- bits = ISC_FSACCESS_READ | ISC_FSACCESS_LISTDIRECTORY;
-
- SET_AND_CLEAR(S_IRUSR, S_IRGRP, S_IROTH);
-
- bits = ISC_FSACCESS_WRITE |
- ISC_FSACCESS_CREATECHILD |
- ISC_FSACCESS_DELETECHILD;
-
- SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
-
- bits = ISC_FSACCESS_EXECUTE |
- ISC_FSACCESS_ACCESSCHILD;
-
- SET_AND_CLEAR(S_IXUSR, S_IXGRP, S_IXOTH);
-
- INSIST(access == 0);
-
- if (chmod(path, mode) < 0)
- return (isc__errno2result(errno));
-
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
deleted file mode 100644
index ad6e1e0b0409..000000000000
--- a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
+++ /dev/null
@@ -1,178 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ifiter_getifaddrs.c,v 1.2.68.3 2004/03/06 08:14:59 marka Exp $ */
-
-/*
- * Obtain the list of network interfaces using the getifaddrs(3) library.
- */
-
-#include <ifaddrs.h>
-
-#define IFITER_MAGIC ISC_MAGIC('I', 'F', 'I', 'G')
-#define VALID_IFITER(t) ISC_MAGIC_VALID(t, IFITER_MAGIC)
-
-struct isc_interfaceiter {
- unsigned int magic; /* Magic number. */
- isc_mem_t *mctx;
- void *buf; /* (unused) */
- unsigned int bufsize; /* (always 0) */
- struct ifaddrs *ifaddrs; /* List of ifaddrs */
- struct ifaddrs *pos; /* Ptr to current ifaddr */
- isc_interface_t current; /* Current interface data. */
- isc_result_t result; /* Last result code. */
-};
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
- isc_interfaceiter_t *iter;
- isc_result_t result;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(mctx != NULL);
- REQUIRE(iterp != NULL);
- REQUIRE(*iterp == NULL);
-
- iter = isc_mem_get(mctx, sizeof(*iter));
- if (iter == NULL)
- return (ISC_R_NOMEMORY);
-
- iter->mctx = mctx;
- iter->buf = NULL;
- iter->bufsize = 0;
- iter->ifaddrs = NULL;
-
- if (getifaddrs(&iter->ifaddrs) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERGETIFADDRS,
- ISC_MSG_GETIFADDRS,
- "getting interface "
- "addresses: getifaddrs: %s"),
- strbuf);
- result = ISC_R_UNEXPECTED;
- goto failure;
- }
-
- /*
- * A newly created iterator has an undefined position
- * until isc_interfaceiter_first() is called.
- */
- iter->pos = NULL;
- iter->result = ISC_R_FAILURE;
-
- iter->magic = IFITER_MAGIC;
- *iterp = iter;
- return (ISC_R_SUCCESS);
-
- failure:
- if (iter->ifaddrs != NULL) /* just in case */
- freeifaddrs(iter->ifaddrs);
- isc_mem_put(mctx, iter, sizeof(*iter));
- return (result);
-}
-
-/*
- * Get information about the current interface to iter->current.
- * If successful, return ISC_R_SUCCESS.
- * If the interface has an unsupported address family,
- * return ISC_R_IGNORE.
- */
-
-static isc_result_t
-internal_current(isc_interfaceiter_t *iter) {
- struct ifaddrs *ifa;
- int family;
- unsigned int namelen;
-
- REQUIRE(VALID_IFITER(iter));
-
- ifa = iter->pos;
-
- INSIST(ifa != NULL);
- INSIST(ifa->ifa_name != NULL);
- INSIST(ifa->ifa_addr != NULL);
-
- family = ifa->ifa_addr->sa_family;
- if (family != AF_INET && family != AF_INET6)
- return (ISC_R_IGNORE);
-
- memset(&iter->current, 0, sizeof(iter->current));
-
- namelen = strlen(ifa->ifa_name);
- if (namelen > sizeof(iter->current.name) - 1)
- namelen = sizeof(iter->current.name) - 1;
-
- memset(iter->current.name, 0, sizeof(iter->current.name));
- memcpy(iter->current.name, ifa->ifa_name, namelen);
-
- iter->current.flags = 0;
-
- if ((ifa->ifa_flags & IFF_UP) != 0)
- iter->current.flags |= INTERFACE_F_UP;
-
- if ((ifa->ifa_flags & IFF_POINTOPOINT) != 0)
- iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-
- if ((ifa->ifa_flags & IFF_LOOPBACK) != 0)
- iter->current.flags |= INTERFACE_F_LOOPBACK;
-
- iter->current.af = family;
-
- get_addr(family, &iter->current.address, ifa->ifa_addr, ifa->ifa_name);
-
- if (ifa->ifa_netmask != NULL)
- get_addr(family, &iter->current.netmask, ifa->ifa_netmask,
- ifa->ifa_name);
-
- if (ifa->ifa_dstaddr != NULL &&
- (iter->current.flags & IFF_POINTOPOINT) != 0)
- get_addr(family, &iter->current.dstaddress, ifa->ifa_dstaddr,
- ifa->ifa_name);
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Step the iterator to the next interface. Unlike
- * isc_interfaceiter_next(), this may leave the iterator
- * positioned on an interface that will ultimately
- * be ignored. Return ISC_R_NOMORE if there are no more
- * interfaces, otherwise ISC_R_SUCCESS.
- */
-static isc_result_t
-internal_next(isc_interfaceiter_t *iter) {
- iter->pos = iter->pos->ifa_next;
-
- if (iter->pos == NULL)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-internal_destroy(isc_interfaceiter_t *iter) {
- if (iter->ifaddrs)
- freeifaddrs(iter->ifaddrs);
- iter->ifaddrs = NULL;
-}
-
-static
-void internal_first(isc_interfaceiter_t *iter) {
- iter->pos = iter->ifaddrs;
-}
diff --git a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
deleted file mode 100644
index 0b01b96f942c..000000000000
--- a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
+++ /dev/null
@@ -1,1019 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.17 2005/10/14 02:13:07 marka Exp $ */
-
-/*
- * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
- * See netintro(4).
- */
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-#ifdef ISC_PLATFORM_HAVEIF_LADDRCONF
-#define lifc_len iflc_len
-#define lifc_buf iflc_buf
-#define lifc_req iflc_req
-#define LIFCONF if_laddrconf
-#else
-#define ISC_HAVE_LIFC_FAMILY 1
-#define ISC_HAVE_LIFC_FLAGS 1
-#define LIFCONF lifconf
-#endif
-
-#ifdef ISC_PLATFORM_HAVEIF_LADDRREQ
-#define lifr_addr iflr_addr
-#define lifr_name iflr_name
-#define lifr_dstaddr iflr_dstaddr
-#define lifr_flags iflr_flags
-#define ss_family sa_family
-#define LIFREQ if_laddrreq
-#else
-#define LIFREQ lifreq
-#endif
-#endif
-
-#define IFITER_MAGIC ISC_MAGIC('I', 'F', 'I', 'T')
-#define VALID_IFITER(t) ISC_MAGIC_VALID(t, IFITER_MAGIC)
-
-#define ISC_IF_INET6_SZ \
- sizeof("00000000000000000000000000000001 01 80 10 80 XXXXXXloXXXXXXXX\n")
-
-struct isc_interfaceiter {
- unsigned int magic; /* Magic number. */
- isc_mem_t *mctx;
- int mode;
- int socket;
- struct ifconf ifc;
- void *buf; /* Buffer for sysctl data. */
- unsigned int bufsize; /* Bytes allocated. */
- unsigned int pos; /* Current offset in
- SIOCGIFCONF data */
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- int socket6;
- struct LIFCONF lifc;
- void *buf6; /* Buffer for sysctl data. */
- unsigned int bufsize6; /* Bytes allocated. */
- unsigned int pos6; /* Current offset in
- SIOCGLIFCONF data */
- isc_result_t result6; /* Last result code. */
- isc_boolean_t first6;
-#endif
-#ifdef HAVE_TRUCLUSTER
- int clua_context; /* Cluster alias context */
- isc_boolean_t clua_done;
- struct sockaddr clua_sa;
-#endif
-#ifdef __linux
- FILE * proc;
- char entry[ISC_IF_INET6_SZ];
- isc_result_t valid;
- isc_boolean_t first;
-#endif
- isc_interface_t current; /* Current interface data. */
- isc_result_t result; /* Last result code. */
-};
-
-#ifdef HAVE_TRUCLUSTER
-#include <clua/clua.h>
-#include <sys/socket.h>
-#endif
-
-
-/*
- * Size of buffer for SIOCGLIFCONF, in bytes. We assume no sane system
- * will have more than a megabyte of interface configuration data.
- */
-#define IFCONF_BUFSIZE_INITIAL 4096
-#define IFCONF_BUFSIZE_MAX 1048576
-
-#ifdef __linux
-#ifndef IF_NAMESIZE
-# ifdef IFNAMSIZ
-# define IF_NAMESIZE IFNAMSIZ
-# else
-# define IF_NAMESIZE 16
-# endif
-#endif
-#endif
-
-static isc_result_t
-getbuf4(isc_interfaceiter_t *iter) {
- char strbuf[ISC_STRERRORSIZE];
-
- iter->bufsize = IFCONF_BUFSIZE_INITIAL;
-
- for (;;) {
- iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
- if (iter->buf == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(&iter->ifc.ifc_len, 0, sizeof(iter->ifc.ifc_len));
- iter->ifc.ifc_len = iter->bufsize;
- iter->ifc.ifc_buf = iter->buf;
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion". It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(iter->socket, SIOCGIFCONF, (char *)&iter->ifc)
- == -1) {
- if (errno != EINVAL) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETIFCONFIG,
- "get interface "
- "configuration: %s"),
- strbuf);
- goto unexpected;
- }
- /*
- * EINVAL. Retry with a bigger buffer.
- */
- } else {
- /*
- * The ioctl succeeded.
- * Some OS's just return what will fit rather
- * than set EINVAL if the buffer is too small
- * to fit all the interfaces in. If
- * ifc.lifc_len is too near to the end of the
- * buffer we will grow it just in case and
- * retry.
- */
- if (iter->ifc.ifc_len + 2 * sizeof(struct ifreq)
- < iter->bufsize)
- break;
- }
- if (iter->bufsize >= IFCONF_BUFSIZE_MAX) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_BUFFERMAX,
- "get interface "
- "configuration: "
- "maximum buffer "
- "size exceeded"));
- goto unexpected;
- }
- isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
-
- iter->bufsize *= 2;
- }
- return (ISC_R_SUCCESS);
-
- unexpected:
- isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
- iter->buf = NULL;
- return (ISC_R_UNEXPECTED);
-}
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-static isc_result_t
-getbuf6(isc_interfaceiter_t *iter) {
- char strbuf[ISC_STRERRORSIZE];
- isc_result_t result;
-
- iter->bufsize6 = IFCONF_BUFSIZE_INITIAL;
-
- for (;;) {
- iter->buf6 = isc_mem_get(iter->mctx, iter->bufsize6);
- if (iter->buf6 == NULL)
- return (ISC_R_NOMEMORY);
-
- memset(&iter->lifc, 0, sizeof(iter->lifc));
-#ifdef ISC_HAVE_LIFC_FAMILY
- iter->lifc.lifc_family = AF_INET6;
-#endif
-#ifdef ISC_HAVE_LIFC_FLAGS
- iter->lifc.lifc_flags = 0;
-#endif
- iter->lifc.lifc_len = iter->bufsize6;
- iter->lifc.lifc_buf = iter->buf6;
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion". It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(iter->socket6, SIOCGLIFCONF, (char *)&iter->lifc)
- == -1) {
-#ifdef __hpux
- /*
- * IPv6 interface scanning is not available on all
- * kernels w/ IPv6 sockets.
- */
- if (errno == ENOENT) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_INTERFACE,
- ISC_LOG_DEBUG(1),
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETIFCONFIG,
- "get interface "
- "configuration: %s"),
- strbuf);
- result = ISC_R_FAILURE;
- goto cleanup;
- }
-#endif
- if (errno != EINVAL) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETIFCONFIG,
- "get interface "
- "configuration: %s"),
- strbuf);
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
- /*
- * EINVAL. Retry with a bigger buffer.
- */
- } else {
- /*
- * The ioctl succeeded.
- * Some OS's just return what will fit rather
- * than set EINVAL if the buffer is too small
- * to fit all the interfaces in. If
- * ifc.ifc_len is too near to the end of the
- * buffer we will grow it just in case and
- * retry.
- */
- if (iter->lifc.lifc_len + 2 * sizeof(struct LIFREQ)
- < iter->bufsize6)
- break;
- }
- if (iter->bufsize6 >= IFCONF_BUFSIZE_MAX) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_BUFFERMAX,
- "get interface "
- "configuration: "
- "maximum buffer "
- "size exceeded"));
- result = ISC_R_UNEXPECTED;
- goto cleanup;
- }
- isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
-
- iter->bufsize6 *= 2;
- }
-
- if (iter->lifc.lifc_len != 0)
- iter->mode = 6;
- return (ISC_R_SUCCESS);
-
- cleanup:
- isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
- iter->buf6 = NULL;
- return (result);
-}
-#endif
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
- isc_interfaceiter_t *iter;
- isc_result_t result;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(mctx != NULL);
- REQUIRE(iterp != NULL);
- REQUIRE(*iterp == NULL);
-
- iter = isc_mem_get(mctx, sizeof(*iter));
- if (iter == NULL)
- return (ISC_R_NOMEMORY);
-
- iter->mctx = mctx;
- iter->mode = 4;
- iter->buf = NULL;
- iter->pos = (unsigned int) -1;
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- iter->buf6 = NULL;
- iter->pos6 = (unsigned int) -1;
- iter->result6 = ISC_R_NOMORE;
- iter->socket6 = -1;
- iter->first6 = ISC_FALSE;
-#endif
-
- /*
- * Get the interface configuration, allocating more memory if
- * necessary.
- */
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- result = isc_net_probeipv6();
- if (result == ISC_R_SUCCESS) {
- /*
- * Create an unbound datagram socket to do the SIOCGLIFCONF
- * ioctl on. HP/UX requires an AF_INET6 socket for
- * SIOCGLIFCONF to get IPv6 addresses.
- */
- if ((iter->socket6 = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_MAKESCANSOCKET,
- "making interface "
- "scan socket: %s"),
- strbuf);
- result = ISC_R_UNEXPECTED;
- goto socket6_failure;
- }
- result = iter->result6 = getbuf6(iter);
- if (result != ISC_R_NOTIMPLEMENTED && result != ISC_R_SUCCESS)
- goto ioctl6_failure;
- }
-#endif
- if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_MAKESCANSOCKET,
- "making interface "
- "scan socket: %s"),
- strbuf);
- result = ISC_R_UNEXPECTED;
- goto socket_failure;
- }
- result = getbuf4(iter);
- if (result != ISC_R_SUCCESS)
- goto ioctl_failure;
-
- /*
- * A newly created iterator has an undefined position
- * until isc_interfaceiter_first() is called.
- */
-#ifdef HAVE_TRUCLUSTER
- iter->clua_context = -1;
- iter->clua_done = ISC_TRUE;
-#endif
-#ifdef __linux
- iter->proc = fopen("/proc/net/if_inet6", "r");
- iter->valid = ISC_R_FAILURE;
- iter->first = ISC_FALSE;
-#endif
- iter->result = ISC_R_FAILURE;
-
- iter->magic = IFITER_MAGIC;
- *iterp = iter;
- return (ISC_R_SUCCESS);
-
- ioctl_failure:
- if (iter->buf != NULL)
- isc_mem_put(mctx, iter->buf, iter->bufsize);
- (void) close(iter->socket);
-
- socket_failure:
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- if (iter->buf6 != NULL)
- isc_mem_put(mctx, iter->buf6, iter->bufsize6);
- ioctl6_failure:
- if (iter->socket6 != -1)
- (void) close(iter->socket6);
- socket6_failure:
-#endif
-
- isc_mem_put(mctx, iter, sizeof(*iter));
- return (result);
-}
-
-#ifdef HAVE_TRUCLUSTER
-static void
-get_inaddr(isc_netaddr_t *dst, struct in_addr *src) {
- dst->family = AF_INET;
- memcpy(&dst->type.in, src, sizeof(struct in_addr));
-}
-
-static isc_result_t
-internal_current_clusteralias(isc_interfaceiter_t *iter) {
- struct clua_info ci;
- if (clua_getaliasinfo(&iter->clua_sa, &ci) != CLUA_SUCCESS)
- return (ISC_R_IGNORE);
- memset(&iter->current, 0, sizeof(iter->current));
- iter->current.af = iter->clua_sa.sa_family;
- memset(iter->current.name, 0, sizeof(iter->current.name));
- sprintf(iter->current.name, "clua%d", ci.aliasid);
- iter->current.flags = INTERFACE_F_UP;
- get_inaddr(&iter->current.address, &ci.addr);
- get_inaddr(&iter->current.netmask, &ci.netmask);
- return (ISC_R_SUCCESS);
-}
-#endif
-
-#ifdef __linux
-static isc_result_t
-linux_if_inet6_next(isc_interfaceiter_t *iter) {
- if (iter->proc != NULL &&
- fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
- iter->valid = ISC_R_SUCCESS;
- else
- iter->valid = ISC_R_NOMORE;
- return (iter->valid);
-}
-
-static void
-linux_if_inet6_first(isc_interfaceiter_t *iter) {
- if (iter->proc != NULL) {
- rewind(iter->proc);
- (void)linux_if_inet6_next(iter);
- } else
- iter->valid = ISC_R_NOMORE;
- iter->first = ISC_FALSE;
-}
-
-static isc_result_t
-linux_if_inet6_current(isc_interfaceiter_t *iter) {
- char address[33];
- char name[IF_NAMESIZE+1];
- struct in6_addr addr6;
- int ifindex, prefix, flag3, flag4;
- int res;
- unsigned int i;
-
- if (iter->valid != ISC_R_SUCCESS)
- return (iter->valid);
- if (iter->proc == NULL) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
- "/proc/net/if_inet6:iter->proc == NULL");
- return (ISC_R_FAILURE);
- }
-
- res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n",
- address, &ifindex, &prefix, &flag3, &flag4, name);
- if (res != 6) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
- "/proc/net/if_inet6:sscanf() -> %d (expected 6)",
- res);
- return (ISC_R_FAILURE);
- }
- if (strlen(address) != 32) {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
- "/proc/net/if_inet6:strlen(%s) != 32", address);
- return (ISC_R_FAILURE);
- }
- for (i = 0; i < 16; i++) {
- unsigned char byte;
- static const char hex[] = "0123456789abcdef";
- byte = ((index(hex, address[i * 2]) - hex) << 4) |
- (index(hex, address[i * 2 + 1]) - hex);
- addr6.s6_addr[i] = byte;
- }
- iter->current.af = AF_INET6;
- iter->current.flags = INTERFACE_F_UP;
- isc_netaddr_fromin6(&iter->current.address, &addr6);
- if (isc_netaddr_islinklocal(&iter->current.address)) {
- isc_netaddr_setzone(&iter->current.address,
- (isc_uint32_t)ifindex);
- }
- for (i = 0; i < 16; i++) {
- if (prefix > 8) {
- addr6.s6_addr[i] = 0xff;
- prefix -= 8;
- } else {
- addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
- prefix = 0;
- }
- }
- isc_netaddr_fromin6(&iter->current.netmask, &addr6);
- strncpy(iter->current.name, name, sizeof(iter->current.name));
- return (ISC_R_SUCCESS);
-}
-#endif
-
-/*
- * Get information about the current interface to iter->current.
- * If successful, return ISC_R_SUCCESS.
- * If the interface has an unsupported address family, or if
- * some operation on it fails, return ISC_R_IGNORE to make
- * the higher-level iterator code ignore it.
- */
-
-static isc_result_t
-internal_current4(isc_interfaceiter_t *iter) {
- struct ifreq *ifrp;
- struct ifreq ifreq;
- int family;
- char strbuf[ISC_STRERRORSIZE];
-#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
- struct lifreq lifreq;
-#else
- char sabuf[256];
-#endif
- int i, bits, prefixlen;
-#ifdef __linux
- isc_result_t result;
-#endif
-
- REQUIRE(VALID_IFITER(iter));
- REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len);
-
-#ifdef __linux
- result = linux_if_inet6_current(iter);
- if (result != ISC_R_NOMORE)
- return (result);
- iter->first = ISC_TRUE;
-#endif
-
- ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
-
- memset(&ifreq, 0, sizeof(ifreq));
- memcpy(&ifreq, ifrp, sizeof(ifreq));
-
- family = ifreq.ifr_addr.sa_family;
-#if defined(ISC_PLATFORM_HAVEIPV6)
- if (family != AF_INET && family != AF_INET6)
-#else
- if (family != AF_INET)
-#endif
- return (ISC_R_IGNORE);
-
- memset(&iter->current, 0, sizeof(iter->current));
- iter->current.af = family;
-
- INSIST(sizeof(ifreq.ifr_name) <= sizeof(iter->current.name));
- memset(iter->current.name, 0, sizeof(iter->current.name));
- memcpy(iter->current.name, ifreq.ifr_name, sizeof(ifreq.ifr_name));
-
- get_addr(family, &iter->current.address,
- (struct sockaddr *)&ifrp->ifr_addr, ifreq.ifr_name);
-
- /*
- * If the interface does not have a address ignore it.
- */
- switch (family) {
- case AF_INET:
- if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
- return (ISC_R_IGNORE);
- break;
- case AF_INET6:
- if (memcmp(&iter->current.address.type.in6, &in6addr_any,
- sizeof(in6addr_any)) == 0)
- return (ISC_R_IGNORE);
- break;
- }
-
- /*
- * Get interface flags.
- */
-
- iter->current.flags = 0;
-
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion. It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(iter->socket, SIOCGIFFLAGS, (char *) &ifreq) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "%s: getting interface flags: %s",
- ifreq.ifr_name, strbuf);
- return (ISC_R_IGNORE);
- }
-
- if ((ifreq.ifr_flags & IFF_UP) != 0)
- iter->current.flags |= INTERFACE_F_UP;
-
-#ifdef IFF_POINTOPOINT
- if ((ifreq.ifr_flags & IFF_POINTOPOINT) != 0)
- iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-#endif
-
- if ((ifreq.ifr_flags & IFF_LOOPBACK) != 0)
- iter->current.flags |= INTERFACE_F_LOOPBACK;
-
- if (family == AF_INET)
- goto inet;
-
-#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
- memset(&lifreq, 0, sizeof(lifreq));
- memcpy(lifreq.lifr_name, iter->current.name, sizeof(lifreq.lifr_name));
- memcpy(&lifreq.lifr_addr, &iter->current.address.type.in6,
- sizeof(iter->current.address.type.in6));
-
- if (ioctl(iter->socket, SIOCGLIFADDR, &lifreq) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "%s: getting interface address: %s",
- ifreq.ifr_name, strbuf);
- return (ISC_R_IGNORE);
- }
- prefixlen = lifreq.lifr_addrlen;
-#else
- isc_netaddr_format(&iter->current.address, sabuf, sizeof(sabuf));
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_INTERFACE,
- ISC_LOG_INFO,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETIFCONFIG,
- "prefix length for %s is unknown "
- "(assume 128)"), sabuf);
- prefixlen = 128;
-#endif
-
- /*
- * Netmask already zeroed.
- */
- iter->current.netmask.family = family;
- for (i = 0; i < 16; i++) {
- if (prefixlen > 8) {
- bits = 0;
- prefixlen -= 8;
- } else {
- bits = 8 - prefixlen;
- prefixlen = 0;
- }
- iter->current.netmask.type.in6.s6_addr[i] = (~0 << bits) & 0xff;
- }
- return (ISC_R_SUCCESS);
-
- inet:
- if (family != AF_INET)
- return (ISC_R_IGNORE);
-#ifdef IFF_POINTOPOINT
- /*
- * If the interface is point-to-point, get the destination address.
- */
- if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion. It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(iter->socket, SIOCGIFDSTADDR, (char *)&ifreq)
- < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETDESTADDR,
- "%s: getting "
- "destination address: %s"),
- ifreq.ifr_name, strbuf);
- return (ISC_R_IGNORE);
- }
- get_addr(family, &iter->current.dstaddress,
- (struct sockaddr *)&ifreq.ifr_dstaddr, ifreq.ifr_name);
- }
-#endif
-
- /*
- * Get the network mask.
- */
- memset(&ifreq, 0, sizeof(ifreq));
- memcpy(&ifreq, ifrp, sizeof(ifreq));
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion. It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(iter->socket, SIOCGIFNETMASK, (char *)&ifreq) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETNETMASK,
- "%s: getting netmask: %s"),
- ifreq.ifr_name, strbuf);
- return (ISC_R_IGNORE);
- }
- get_addr(family, &iter->current.netmask,
- (struct sockaddr *)&ifreq.ifr_addr, ifreq.ifr_name);
- return (ISC_R_SUCCESS);
-}
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-static isc_result_t
-internal_current6(isc_interfaceiter_t *iter) {
- struct LIFREQ *ifrp;
- struct LIFREQ lifreq;
- int family;
- char strbuf[ISC_STRERRORSIZE];
- int fd;
-
- REQUIRE(VALID_IFITER(iter));
- if (iter->result6 != ISC_R_SUCCESS)
- return (iter->result6);
- REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
-
- ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
-
- memset(&lifreq, 0, sizeof(lifreq));
- memcpy(&lifreq, ifrp, sizeof(lifreq));
-
- family = lifreq.lifr_addr.ss_family;
-#ifdef ISC_PLATFORM_HAVEIPV6
- if (family != AF_INET && family != AF_INET6)
-#else
- if (family != AF_INET)
-#endif
- return (ISC_R_IGNORE);
-
- memset(&iter->current, 0, sizeof(iter->current));
- iter->current.af = family;
-
- INSIST(sizeof(lifreq.lifr_name) <= sizeof(iter->current.name));
- memset(iter->current.name, 0, sizeof(iter->current.name));
- memcpy(iter->current.name, lifreq.lifr_name, sizeof(lifreq.lifr_name));
-
- get_addr(family, &iter->current.address,
- (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
-
- /*
- * If the interface does not have a address ignore it.
- */
- switch (family) {
- case AF_INET:
- if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
- return (ISC_R_IGNORE);
- break;
- case AF_INET6:
- if (memcmp(&iter->current.address.type.in6, &in6addr_any,
- sizeof(in6addr_any)) == 0)
- return (ISC_R_IGNORE);
- break;
- }
-
- /*
- * Get interface flags.
- */
-
- iter->current.flags = 0;
-
- if (family == AF_INET6)
- fd = iter->socket6;
- else
- fd = iter->socket;
-
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion. It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(fd, SIOCGLIFFLAGS, (char *) &lifreq) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "%s: getting interface flags: %s",
- lifreq.lifr_name, strbuf);
- return (ISC_R_IGNORE);
- }
-
- if ((lifreq.lifr_flags & IFF_UP) != 0)
- iter->current.flags |= INTERFACE_F_UP;
-
-#ifdef IFF_POINTOPOINT
- if ((lifreq.lifr_flags & IFF_POINTOPOINT) != 0)
- iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-#endif
-
- if ((lifreq.lifr_flags & IFF_LOOPBACK) != 0)
- iter->current.flags |= INTERFACE_F_LOOPBACK;
-
-#ifdef IFF_POINTOPOINT
- /*
- * If the interface is point-to-point, get the destination address.
- */
- if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion. It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(fd, SIOCGLIFDSTADDR, (char *)&lifreq)
- < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETDESTADDR,
- "%s: getting "
- "destination address: %s"),
- lifreq.lifr_name, strbuf);
- return (ISC_R_IGNORE);
- }
- get_addr(family, &iter->current.dstaddress,
- (struct sockaddr *)&lifreq.lifr_dstaddr,
- lifreq.lifr_name);
- }
-#endif
-
- /*
- * Get the network mask. Netmask already zeroed.
- */
- memset(&lifreq, 0, sizeof(lifreq));
- memcpy(&lifreq, ifrp, sizeof(lifreq));
-
-#ifdef lifr_addrlen
- /*
- * Special case: if the system provides lifr_addrlen member, the
- * netmask of an IPv6 address can be derived from the length, since
- * an IPv6 address always has a contiguous mask.
- */
- if (family == AF_INET6) {
- int i, bits;
-
- iter->current.netmask.family = family;
- for (i = 0; i < lifreq.lifr_addrlen; i += 8) {
- bits = lifreq.lifr_addrlen - i;
- bits = (bits < 8) ? (8 - bits) : 0;
- iter->current.netmask.type.in6.s6_addr[i / 8] =
- (~0 << bits) & 0xff;
- }
-
- return (ISC_R_SUCCESS);
- }
-#endif
-
- /*
- * Ignore the HP/UX warning about "interger overflow during
- * conversion. It comes from its own macro definition,
- * and is really hard to shut up.
- */
- if (ioctl(fd, SIOCGLIFNETMASK, (char *)&lifreq) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERIOCTL,
- ISC_MSG_GETNETMASK,
- "%s: getting netmask: %s"),
- lifreq.lifr_name, strbuf);
- return (ISC_R_IGNORE);
- }
- get_addr(family, &iter->current.netmask,
- (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
-
- return (ISC_R_SUCCESS);
-}
-#endif
-
-static isc_result_t
-internal_current(isc_interfaceiter_t *iter) {
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- if (iter->mode == 6) {
- iter->result6 = internal_current6(iter);
- if (iter->result6 != ISC_R_NOMORE)
- return (iter->result6);
- }
-#endif
-#ifdef HAVE_TRUCLUSTER
- if (!iter->clua_done)
- return(internal_current_clusteralias(iter));
-#endif
- return (internal_current4(iter));
-}
-
-/*
- * Step the iterator to the next interface. Unlike
- * isc_interfaceiter_next(), this may leave the iterator
- * positioned on an interface that will ultimately
- * be ignored. Return ISC_R_NOMORE if there are no more
- * interfaces, otherwise ISC_R_SUCCESS.
- */
-static isc_result_t
-internal_next4(isc_interfaceiter_t *iter) {
-#ifdef ISC_PLATFORM_HAVESALEN
- struct ifreq *ifrp;
-#endif
-
- REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len);
-
-#ifdef __linux
- if (linux_if_inet6_next(iter) == ISC_R_SUCCESS)
- return (ISC_R_SUCCESS);
- if (!iter->first)
- return (ISC_R_SUCCESS);
-#endif
-#ifdef ISC_PLATFORM_HAVESALEN
- ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
-
- if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr))
- iter->pos += sizeof(ifrp->ifr_name) + ifrp->ifr_addr.sa_len;
- else
-#endif
- iter->pos += sizeof(struct ifreq);
-
- if (iter->pos >= (unsigned int) iter->ifc.ifc_len)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
-static isc_result_t
-internal_next6(isc_interfaceiter_t *iter) {
-#ifdef ISC_PLATFORM_HAVESALEN
- struct LIFREQ *ifrp;
-#endif
-
- if (iter->result6 != ISC_R_SUCCESS && iter->result6 != ISC_R_IGNORE)
- return (iter->result6);
-
- REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
-
-#ifdef ISC_PLATFORM_HAVESALEN
- ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
-
- if (ifrp->lifr_addr.sa_len > sizeof(struct sockaddr))
- iter->pos6 += sizeof(ifrp->lifr_name) + ifrp->lifr_addr.sa_len;
- else
-#endif
- iter->pos6 += sizeof(struct LIFREQ);
-
- if (iter->pos6 >= (unsigned int) iter->lifc.lifc_len)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-#endif
-
-static isc_result_t
-internal_next(isc_interfaceiter_t *iter) {
-#ifdef HAVE_TRUCLUSTER
- int clua_result;
-#endif
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- if (iter->mode == 6) {
- iter->result6 = internal_next6(iter);
- if (iter->result6 != ISC_R_NOMORE)
- return (iter->result6);
- if (iter->first6) {
- iter->first6 = ISC_FALSE;
- return (ISC_R_SUCCESS);
- }
- }
-#endif
-#ifdef HAVE_TRUCLUSTER
- if (!iter->clua_done) {
- clua_result = clua_getaliasaddress(&iter->clua_sa,
- &iter->clua_context);
- if (clua_result != CLUA_SUCCESS)
- iter->clua_done = ISC_TRUE;
- return (ISC_R_SUCCESS);
- }
-#endif
- return (internal_next4(iter));
-}
-
-static void
-internal_destroy(isc_interfaceiter_t *iter) {
- (void) close(iter->socket);
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- if (iter->socket6 != -1)
- (void) close(iter->socket6);
- if (iter->buf6 != NULL) {
- isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
- }
-#endif
-#ifdef __linux
- if (iter->proc != NULL)
- fclose(iter->proc);
-#endif
-}
-
-static
-void internal_first(isc_interfaceiter_t *iter) {
-#ifdef HAVE_TRUCLUSTER
- int clua_result;
-#endif
- iter->pos = 0;
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
- iter->pos6 = 0;
- if (iter->result6 == ISC_R_NOMORE)
- iter->result6 = ISC_R_SUCCESS;
- iter->first6 = ISC_TRUE;
-#endif
-#ifdef HAVE_TRUCLUSTER
- iter->clua_context = 0;
- clua_result = clua_getaliasaddress(&iter->clua_sa,
- &iter->clua_context);
- iter->clua_done = ISC_TF(clua_result != CLUA_SUCCESS);
-#endif
-#ifdef __linux
- linux_if_inet6_first(iter);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/unix/ifiter_sysctl.c b/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
deleted file mode 100644
index b10a2d2090f0..000000000000
--- a/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
+++ /dev/null
@@ -1,301 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ifiter_sysctl.c,v 1.14.12.9 2005/03/17 03:58:33 marka Exp $ */
-
-/*
- * Obtain the list of network interfaces using sysctl.
- * See TCP/IP Illustrated Volume 2, sections 19.8, 19.14,
- * and 19.16.
- */
-
-#include <sys/param.h>
-#include <sys/sysctl.h>
-
-#include <net/route.h>
-#include <net/if_dl.h>
-
-/* XXX what about Alpha? */
-#ifdef sgi
-#define ROUNDUP(a) ((a) > 0 ? \
- (1 + (((a) - 1) | (sizeof(__uint64_t) - 1))) : \
- sizeof(__uint64_t))
-#else
-#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) \
- : sizeof(long))
-#endif
-
-#define IFITER_MAGIC ISC_MAGIC('I', 'F', 'I', 'S')
-#define VALID_IFITER(t) ISC_MAGIC_VALID(t, IFITER_MAGIC)
-
-struct isc_interfaceiter {
- unsigned int magic; /* Magic number. */
- isc_mem_t *mctx;
- void *buf; /* Buffer for sysctl data. */
- unsigned int bufsize; /* Bytes allocated. */
- unsigned int bufused; /* Bytes used. */
- unsigned int pos; /* Current offset in
- sysctl data. */
- isc_interface_t current; /* Current interface data. */
- isc_result_t result; /* Last result code. */
-};
-
-static int mib[6] = {
- CTL_NET,
- PF_ROUTE,
- 0,
- 0, /* Any address family. */
- NET_RT_IFLIST,
- 0 /* Flags. */
-};
-
-isc_result_t
-isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
- isc_interfaceiter_t *iter;
- isc_result_t result;
- size_t bufsize;
- size_t bufused;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(mctx != NULL);
- REQUIRE(iterp != NULL);
- REQUIRE(*iterp == NULL);
-
- iter = isc_mem_get(mctx, sizeof(*iter));
- if (iter == NULL)
- return (ISC_R_NOMEMORY);
-
- iter->mctx = mctx;
- iter->buf = 0;
-
- /*
- * Determine the amount of memory needed.
- */
- bufsize = 0;
- if (sysctl(mib, 6, NULL, &bufsize, NULL, (size_t) 0) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERSYSCTL,
- ISC_MSG_GETIFLISTSIZE,
- "getting interface "
- "list size: sysctl: %s"),
- strbuf);
- result = ISC_R_UNEXPECTED;
- goto failure;
- }
- iter->bufsize = bufsize;
-
- iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
- if (iter->buf == NULL) {
- result = ISC_R_NOMEMORY;
- goto failure;
- }
-
- bufused = bufsize;
- if (sysctl(mib, 6, iter->buf, &bufused, NULL, (size_t) 0) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_IFITERSYSCTL,
- ISC_MSG_GETIFLIST,
- "getting interface list: "
- "sysctl: %s"),
- strbuf);
- result = ISC_R_UNEXPECTED;
- goto failure;
- }
- iter->bufused = bufused;
- INSIST(iter->bufused <= iter->bufsize);
-
- /*
- * A newly created iterator has an undefined position
- * until isc_interfaceiter_first() is called.
- */
- iter->pos = (unsigned int) -1;
- iter->result = ISC_R_FAILURE;
-
- iter->magic = IFITER_MAGIC;
- *iterp = iter;
- return (ISC_R_SUCCESS);
-
- failure:
- if (iter->buf != NULL)
- isc_mem_put(mctx, iter->buf, iter->bufsize);
- isc_mem_put(mctx, iter, sizeof(*iter));
- return (result);
-}
-
-/*
- * Get information about the current interface to iter->current.
- * If successful, return ISC_R_SUCCESS.
- * If the interface has an unsupported address family,
- * return ISC_R_IGNORE. In case of other failure,
- * return ISC_R_UNEXPECTED.
- */
-
-static isc_result_t
-internal_current(isc_interfaceiter_t *iter) {
- struct ifa_msghdr *ifam, *ifam_end;
-
- REQUIRE(VALID_IFITER(iter));
- REQUIRE (iter->pos < (unsigned int) iter->bufused);
-
- ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
- ifam_end = (struct ifa_msghdr *) ((char *) iter->buf + iter->bufused);
-
- if (ifam->ifam_type == RTM_IFINFO) {
- struct if_msghdr *ifm = (struct if_msghdr *) ifam;
- struct sockaddr_dl *sdl = (struct sockaddr_dl *) (ifm + 1);
- unsigned int namelen;
-
- memset(&iter->current, 0, sizeof(iter->current));
-
- namelen = sdl->sdl_nlen;
- if (namelen > sizeof(iter->current.name) - 1)
- namelen = sizeof(iter->current.name) - 1;
-
- memset(iter->current.name, 0, sizeof(iter->current.name));
- memcpy(iter->current.name, sdl->sdl_data, namelen);
-
- iter->current.flags = 0;
-
- if ((ifam->ifam_flags & IFF_UP) != 0)
- iter->current.flags |= INTERFACE_F_UP;
-
- if ((ifam->ifam_flags & IFF_POINTOPOINT) != 0)
- iter->current.flags |= INTERFACE_F_POINTTOPOINT;
-
- if ((ifam->ifam_flags & IFF_LOOPBACK) != 0)
- iter->current.flags |= INTERFACE_F_LOOPBACK;
-
- /*
- * This is not an interface address.
- * Force another iteration.
- */
- return (ISC_R_IGNORE);
- } else if (ifam->ifam_type == RTM_NEWADDR) {
- int i;
- int family;
- struct sockaddr *mask_sa = NULL;
- struct sockaddr *addr_sa = NULL;
- struct sockaddr *dst_sa = NULL;
-
- struct sockaddr *sa = (struct sockaddr *)(ifam + 1);
- family = sa->sa_family;
-
- for (i = 0; i < RTAX_MAX; i++)
- {
- if ((ifam->ifam_addrs & (1 << i)) == 0)
- continue;
-
- INSIST(sa < (struct sockaddr *) ifam_end);
-
- switch (i) {
- case RTAX_NETMASK: /* Netmask */
- mask_sa = sa;
- break;
- case RTAX_IFA: /* Interface address */
- addr_sa = sa;
- break;
- case RTAX_BRD: /* Broadcast or destination address */
- dst_sa = sa;
- break;
- }
-#ifdef ISC_PLATFORM_HAVESALEN
- sa = (struct sockaddr *)((char*)(sa)
- + ROUNDUP(sa->sa_len));
-#else
-#ifdef sgi
- /*
- * Do as the contributed SGI code does.
- */
- sa = (struct sockaddr *)((char*)(sa)
- + ROUNDUP(_FAKE_SA_LEN_DST(sa)));
-#else
- /* XXX untested. */
- sa = (struct sockaddr *)((char*)(sa)
- + ROUNDUP(sizeof(struct sockaddr)));
-#endif
-#endif
- }
-
- if (addr_sa == NULL)
- return (ISC_R_IGNORE);
-
- family = addr_sa->sa_family;
- if (family != AF_INET && family != AF_INET6)
- return (ISC_R_IGNORE);
-
- iter->current.af = family;
-
- get_addr(family, &iter->current.address, addr_sa,
- iter->current.name);
-
- if (mask_sa != NULL)
- get_addr(family, &iter->current.netmask, mask_sa,
- iter->current.name);
-
- if (dst_sa != NULL &&
- (iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0)
- get_addr(family, &iter->current.dstaddress, dst_sa,
- iter->current.name);
-
- return (ISC_R_SUCCESS);
- } else {
- printf(isc_msgcat_get(isc_msgcat, ISC_MSGSET_IFITERSYSCTL,
- ISC_MSG_UNEXPECTEDTYPE,
- "warning: unexpected interface list "
- "message type\n"));
- return (ISC_R_IGNORE);
- }
-}
-
-/*
- * Step the iterator to the next interface. Unlike
- * isc_interfaceiter_next(), this may leave the iterator
- * positioned on an interface that will ultimately
- * be ignored. Return ISC_R_NOMORE if there are no more
- * interfaces, otherwise ISC_R_SUCCESS.
- */
-static isc_result_t
-internal_next(isc_interfaceiter_t *iter) {
- struct ifa_msghdr *ifam;
- REQUIRE (iter->pos < (unsigned int) iter->bufused);
-
- ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
-
- iter->pos += ifam->ifam_msglen;
-
- if (iter->pos >= iter->bufused)
- return (ISC_R_NOMORE);
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-internal_destroy(isc_interfaceiter_t *iter) {
- UNUSED(iter); /* Unused. */
- /*
- * Do nothing.
- */
-}
-
-static
-void internal_first(isc_interfaceiter_t *iter) {
- iter->pos = 0;
-}
diff --git a/contrib/bind9/lib/isc/unix/include/Makefile.in b/contrib/bind9/lib/isc/unix/include/Makefile.in
deleted file mode 100644
index 5a06022fbdf1..000000000000
--- a/contrib/bind9/lib/isc/unix/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:15:03 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = isc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
deleted file mode 100644
index 4c5bae2c345a..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
+++ /dev/null
@@ -1,38 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.27.206.1 2004/03/06 08:15:03 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-HEADERS = dir.h int.h net.h netdb.h offset.h stdtime.h \
- syslog.h time.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
- done
diff --git a/contrib/bind9/lib/isc/unix/include/isc/dir.h b/contrib/bind9/lib/isc/unix/include/isc/dir.h
deleted file mode 100644
index 53b51df087b1..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/dir.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: dir.h,v 1.15.12.3 2004/03/08 09:04:57 marka Exp $ */
-
-/* Principal Authors: DCL */
-
-#ifndef ISC_DIR_H
-#define ISC_DIR_H 1
-
-#include <sys/types.h> /* Required on some systems. */
-#include <dirent.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-#define ISC_DIR_NAMEMAX 256
-#define ISC_DIR_PATHMAX 1024
-
-typedef struct isc_direntry {
- /*
- * Ideally, this should be NAME_MAX, but AIX does not define it by
- * default and dynamically allocating the space based on pathconf()
- * complicates things undesirably, as does adding special conditionals
- * just for AIX. So a comfortably sized buffer is chosen instead.
- */
- char name[ISC_DIR_NAMEMAX];
- unsigned int length;
-} isc_direntry_t;
-
-typedef struct isc_dir {
- unsigned int magic;
- /*
- * As with isc_direntry_t->name, making this "right" for all systems
- * is slightly problematic because AIX does not define PATH_MAX.
- */
- char dirname[ISC_DIR_PATHMAX];
- isc_direntry_t entry;
- DIR * handle;
-} isc_dir_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_dir_init(isc_dir_t *dir);
-
-isc_result_t
-isc_dir_open(isc_dir_t *dir, const char *dirname);
-
-isc_result_t
-isc_dir_read(isc_dir_t *dir);
-
-isc_result_t
-isc_dir_reset(isc_dir_t *dir);
-
-void
-isc_dir_close(isc_dir_t *dir);
-
-isc_result_t
-isc_dir_chdir(const char *dirname);
-
-isc_result_t
-isc_dir_chroot(const char *dirname);
-
-isc_result_t
-isc_dir_createunique(char *templet);
-/*
- * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
- * named, empty directory. The templet string is modified in place.
- * If result == ISC_R_SUCCESS, it is the name of the directory that was
- * created.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_DIR_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/int.h b/contrib/bind9/lib/isc/unix/include/isc/int.h
deleted file mode 100644
index be36ccb1a160..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/int.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: int.h,v 1.11.206.1 2004/03/06 08:15:04 marka Exp $ */
-
-#ifndef ISC_INT_H
-#define ISC_INT_H 1
-
-typedef char isc_int8_t;
-typedef unsigned char isc_uint8_t;
-typedef short isc_int16_t;
-typedef unsigned short isc_uint16_t;
-typedef int isc_int32_t;
-typedef unsigned int isc_uint32_t;
-typedef long long isc_int64_t;
-typedef unsigned long long isc_uint64_t;
-
-#define ISC_INT8_MIN -128
-#define ISC_INT8_MAX 127
-#define ISC_UINT8_MAX 255
-
-#define ISC_INT16_MIN -32768
-#define ISC_INT16_MAX 32767
-#define ISC_UINT16_MAX 65535
-
-/*
- * Note that "int" is 32 bits on all currently supported Unix-like operating
- * systems, but "long" can be either 32 bits or 64 bits, thus the 32 bit
- * constants are not qualified with "L".
- */
-#define ISC_INT32_MIN -2147483648
-#define ISC_INT32_MAX 2147483647
-#define ISC_UINT32_MAX 4294967295U
-
-#define ISC_INT64_MIN -9223372036854775808LL
-#define ISC_INT64_MAX 9223372036854775807LL
-#define ISC_UINT64_MAX 18446744073709551615ULL
-
-#endif /* ISC_INT_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/keyboard.h b/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
deleted file mode 100644
index 31005b10e6d0..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyboard.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
-
-#ifndef ISC_KEYBOARD_H
-#define ISC_KEYBOARD_H 1
-
-#include <termios.h>
-
-#include <isc/lang.h>
-#include <isc/result.h>
-
-ISC_LANG_BEGINDECLS
-
-typedef struct {
- int fd;
- struct termios saved_mode;
- isc_result_t result;
-} isc_keyboard_t;
-
-isc_result_t
-isc_keyboard_open(isc_keyboard_t *keyboard);
-
-isc_result_t
-isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleepseconds);
-
-isc_result_t
-isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp);
-
-isc_boolean_t
-isc_keyboard_canceled(isc_keyboard_t *keyboard);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_KEYBOARD_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/net.h b/contrib/bind9/lib/isc/unix/include/isc/net.h
deleted file mode 100644
index f1a015f5bb1d..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/net.h
+++ /dev/null
@@ -1,327 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: net.h,v 1.31.2.2.10.8 2004/04/29 01:31:23 marka Exp $ */
-
-#ifndef ISC_NET_H
-#define ISC_NET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Basic Networking Types
- *
- * This module is responsible for defining the following basic networking
- * types:
- *
- * struct in_addr
- * struct in6_addr
- * struct in6_pktinfo
- * struct sockaddr
- * struct sockaddr_in
- * struct sockaddr_in6
- * in_port_t
- *
- * It ensures that the AF_ and PF_ macros are defined.
- *
- * It declares ntoh[sl]() and hton[sl]().
- *
- * It declares inet_aton(), inet_ntop(), and inet_pton().
- *
- * It ensures that INADDR_LOOPBACK, INADDR_ANY, IN6ADDR_ANY_INIT,
- * in6addr_any, and in6addr_loopback are available.
- *
- * It ensures that IN_MULTICAST() is available to check for multicast
- * addresses.
- *
- * MP:
- * No impact.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * N/A.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * BSD Socket API
- * RFC 2553
- */
-
-/***
- *** Imports.
- ***/
-#include <isc/platform.h>
-
-#include <sys/types.h>
-#include <sys/socket.h> /* Contractual promise. */
-
-#include <net/if.h>
-
-#include <netinet/in.h> /* Contractual promise. */
-#include <arpa/inet.h> /* Contractual promise. */
-#ifdef ISC_PLATFORM_NEEDNETINETIN6H
-#include <netinet/in6.h> /* Required on UnixWare. */
-#endif
-#ifdef ISC_PLATFORM_NEEDNETINET6IN6H
-#include <netinet6/in6.h> /* Required on BSD/OS for in6_pktinfo. */
-#endif
-
-#ifndef ISC_PLATFORM_HAVEIPV6
-#include <isc/ipv6.h> /* Contractual promise. */
-#endif
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-#ifdef ISC_PLATFORM_HAVEINADDR6
-#define in6_addr in_addr6 /* Required for pre RFC2133 implementations. */
-#endif
-
-#ifdef ISC_PLATFORM_HAVEIPV6
-/*
- * Required for some pre RFC2133 implementations.
- * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
- * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
- * If 's6_addr' is defined then assume that there is a union and three
- * levels otherwise assume two levels required.
- */
-#ifndef IN6ADDR_ANY_INIT
-#ifdef s6_addr
-#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
-#else
-#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
-#endif
-#endif
-
-#ifndef IN6ADDR_LOOPBACK_INIT
-#ifdef s6_addr
-#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
-#else
-#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
-#endif
-#endif
-
-#ifndef IN6_IS_ADDR_V4MAPPED
-#define IN6_IS_ADDR_V4MAPPED(x) \
- (memcmp((x)->s6_addr, in6addr_any.s6_addr, 10) == 0 && \
- (x)->s6_addr[10] == 0xff && (x)->s6_addr[11] == 0xff)
-#endif
-
-#ifndef IN6_IS_ADDR_V4COMPAT
-#define IN6_IS_ADDR_V4COMPAT(x) \
- (memcmp((x)->s6_addr, in6addr_any.s6_addr, 12) == 0 && \
- ((x)->s6_addr[12] != 0 || (x)->s6_addr[13] != 0 || \
- (x)->s6_addr[14] != 0 || \
- ((x)->s6_addr[15] != 0 && (x)->s6_addr[15] != 1)))
-#endif
-
-#ifndef IN6_IS_ADDR_MULTICAST
-#define IN6_IS_ADDR_MULTICAST(a) ((a)->s6_addr[0] == 0xff)
-#endif
-
-#ifndef IN6_IS_ADDR_LINKLOCAL
-#define IN6_IS_ADDR_LINKLOCAL(a) \
- (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
-#endif
-
-#ifndef IN6_IS_ADDR_SITELOCAL
-#define IN6_IS_ADDR_SITELOCAL(a) \
- (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
-#endif
-
-
-#ifndef IN6_IS_ADDR_LOOPBACK
-#define IN6_IS_ADDR_LOOPBACK(x) \
- (memcmp((x)->s6_addr, in6addr_loopback.s6_addr, 16) == 0)
-#endif
-#endif
-
-#ifndef AF_INET6
-#define AF_INET6 99
-#endif
-
-#ifndef PF_INET6
-#define PF_INET6 AF_INET6
-#endif
-
-#ifndef INADDR_LOOPBACK
-#define INADDR_LOOPBACK 0x7f000001UL
-#endif
-
-#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
-struct in6_pktinfo {
- struct in6_addr ipi6_addr; /* src/dst IPv6 address */
- unsigned int ipi6_ifindex; /* send/recv interface index */
-};
-#endif
-
-/*
- * Cope with a missing in6addr_any and in6addr_loopback.
- */
-#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
-extern const struct in6_addr isc_net_in6addrany;
-#define in6addr_any isc_net_in6addrany
-#endif
-
-#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
-extern const struct in6_addr isc_net_in6addrloop;
-#define in6addr_loopback isc_net_in6addrloop
-#endif
-
-/*
- * Fix UnixWare 7.1.1's broken IN6_IS_ADDR_* definitions.
- */
-#ifdef ISC_PLATFORM_FIXIN6ISADDR
-#undef IN6_IS_ADDR_GEOGRAPHIC
-#define IN6_IS_ADDR_GEOGRAPHIC(a) (((a)->S6_un.S6_l[0] & 0xE0) == 0x80)
-#undef IN6_IS_ADDR_IPX
-#define IN6_IS_ADDR_IPX(a) (((a)->S6_un.S6_l[0] & 0xFE) == 0x04)
-#undef IN6_IS_ADDR_LINKLOCAL
-#define IN6_IS_ADDR_LINKLOCAL(a) (((a)->S6_un.S6_l[0] & 0xC0FF) == 0x80FE)
-#undef IN6_IS_ADDR_MULTICAST
-#define IN6_IS_ADDR_MULTICAST(a) (((a)->S6_un.S6_l[0] & 0xFF) == 0xFF)
-#undef IN6_IS_ADDR_NSAP
-#define IN6_IS_ADDR_NSAP(a) (((a)->S6_un.S6_l[0] & 0xFE) == 0x02)
-#undef IN6_IS_ADDR_PROVIDER
-#define IN6_IS_ADDR_PROVIDER(a) (((a)->S6_un.S6_l[0] & 0xE0) == 0x40)
-#undef IN6_IS_ADDR_SITELOCAL
-#define IN6_IS_ADDR_SITELOCAL(a) (((a)->S6_un.S6_l[0] & 0xC0FF) == 0xC0FE)
-#endif /* ISC_PLATFORM_FIXIN6ISADDR */
-
-/*
- * Ensure type in_port_t is defined.
- */
-#ifdef ISC_PLATFORM_NEEDPORTT
-typedef isc_uint16_t in_port_t;
-#endif
-
-/*
- * If this system does not have MSG_TRUNC (as returned from recvmsg())
- * ISC_PLATFORM_RECVOVERFLOW will be defined. This will enable the MSG_TRUNC
- * faking code in socket.c.
- */
-#ifndef MSG_TRUNC
-#define ISC_PLATFORM_RECVOVERFLOW
-#endif
-
-#define ISC__IPADDR(x) ((isc_uint32_t)htonl((isc_uint32_t)(x)))
-
-#define ISC_IPADDR_ISMULTICAST(i) \
- (((isc_uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
- == ISC__IPADDR(0xe0000000))
-
-#define ISC_IPADDR_ISEXPERIMENTAL(i) \
- (((isc_uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
- == ISC__IPADDR(0xf0000000))
-
-/***
- *** Functions.
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_net_probeipv4(void);
-/*
- * Check if the system's kernel supports IPv4.
- *
- * Returns:
- *
- * ISC_R_SUCCESS IPv4 is supported.
- * ISC_R_NOTFOUND IPv4 is not supported.
- * ISC_R_DISABLED IPv4 is disabled.
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_net_probeipv6(void);
-/*
- * Check if the system's kernel supports IPv6.
- *
- * Returns:
- *
- * ISC_R_SUCCESS IPv6 is supported.
- * ISC_R_NOTFOUND IPv6 is not supported.
- * ISC_R_DISABLED IPv6 is disabled.
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_net_probe_ipv6only(void);
-/*
- * Check if the system's kernel supports the IPV6_V6ONLY socket option.
- *
- * Returns:
- *
- * ISC_R_SUCCESS the option is supported for both TCP and UDP.
- * ISC_R_NOTFOUND IPv6 itself or the option is not supported.
- * ISC_R_UNEXPECTED
- */
-
-isc_result_t
-isc_net_probe_ipv6pktinfo(void);
-/*
- * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option
- * for UDP sockets.
- *
- * Returns:
- *
- * ISC_R_SUCCESS the option is supported.
- * ISC_R_NOTFOUND IPv6 itself or the option is not supported.
- * ISC_R_UNEXPECTED
- */
-
-void
-isc_net_disableipv4(void);
-
-void
-isc_net_disableipv6(void);
-
-void
-isc_net_enableipv4(void);
-
-void
-isc_net_enableipv6(void);
-
-#ifdef ISC_PLATFORM_NEEDNTOP
-const char *
-isc_net_ntop(int af, const void *src, char *dst, size_t size);
-#define inet_ntop isc_net_ntop
-#endif
-
-#ifdef ISC_PLATFORM_NEEDPTON
-int
-isc_net_pton(int af, const char *src, void *dst);
-#undef inet_pton
-#define inet_pton isc_net_pton
-#endif
-
-#ifdef ISC_PLATFORM_NEEDATON
-int
-isc_net_aton(const char *cp, struct in_addr *addr);
-#define inet_aton isc_net_aton
-#endif
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_NET_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/netdb.h b/contrib/bind9/lib/isc/unix/include/isc/netdb.h
deleted file mode 100644
index beb91375aeec..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/netdb.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
-
-#ifndef ISC_NETDB_H
-#define ISC_NETDB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Portable netdb.h support.
- *
- * This module is responsible for defining the get<x>by<y> APIs.
- *
- * MP:
- * No impact.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * N/A.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * BSD API
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/net.h>
-
-#include <netdb.h>
-
-#endif /* ISC_NETDB_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/offset.h b/contrib/bind9/lib/isc/unix/include/isc/offset.h
deleted file mode 100644
index 0ea136258f33..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/offset.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: offset.h,v 1.10.206.1 2004/03/06 08:15:04 marka Exp $ */
-
-#ifndef ISC_OFFSET_H
-#define ISC_OFFSET_H 1
-
-/*
- * File offsets are operating-system dependent.
- */
-#include <limits.h> /* Required for CHAR_BIT. */
-#include <sys/types.h>
-
-typedef off_t isc_offset_t;
-
-/*
- * POSIX says "Additionally, blkcnt_t and off_t are extended signed integral
- * types", so the maximum value is all 1s except for the high bit.
- * This definition is more complex than it really needs to be because it was
- * crafted to keep both the SunOS 5.6 and the HP/UX 11 compilers quiet about
- * integer overflow. For example, though this is equivalent to just left
- * shifting 1 to the high bit and then inverting the bits, the SunOS compiler
- * is unhappy about shifting a positive "1" to negative in a signed integer.
- */
-#define ISC_OFFSET_MAXIMUM \
- (~(((off_t)-1 >> (sizeof(off_t) * CHAR_BIT - 1)) \
- << (sizeof(off_t) * CHAR_BIT - 1)))
-
-#endif /* ISC_OFFSET_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stat.h b/contrib/bind9/lib/isc/unix/include/isc/stat.h
deleted file mode 100644
index 430420865d38..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/stat.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stat.h,v 1.1.2.1.4.1 2004/03/06 08:15:05 marka Exp $ */
-
-#ifndef ISC_STAT_H
-#define ISC_STAT_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Portable netdb.h support.
- *
- * This module is responsible for defining S_IS??? macros.
- *
- * MP:
- * No impact.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * N/A.
- *
- * Security:
- * No anticipated impact.
- *
- */
-
-/***
- *** Imports.
- ***/
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#endif /* ISC_STAT_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stdtime.h b/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
deleted file mode 100644
index 9b855c70eba9..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdtime.h,v 1.8.206.1 2004/03/06 08:15:05 marka Exp $ */
-
-#ifndef ISC_STDTIME_H
-#define ISC_STDTIME_H 1
-
-#include <isc/lang.h>
-#include <isc/int.h>
-
-/*
- * It's public information that 'isc_stdtime_t' is an unsigned integral type.
- * Applications that want maximum portability should not assume anything
- * about its size.
- */
-typedef isc_uint32_t isc_stdtime_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_stdtime_get(isc_stdtime_t *t);
-/*
- * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
- *
- * Requires:
- *
- * 't' is a valid pointer.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STDTIME_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/strerror.h b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
deleted file mode 100644
index f51fbdc2d04c..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/strerror.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: strerror.h,v 1.2.12.3 2004/03/08 09:04:57 marka Exp $ */
-
-#ifndef ISC_STRERROR_H
-#define ISC_STRERROR_H
-
-#include <sys/types.h>
-
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-#define ISC_STRERRORSIZE 128
-
-/*
- * Provide a thread safe wrapper to strerrror().
- *
- * Requires:
- * 'buf' to be non NULL.
- */
-void
-isc__strerror(int num, char *buf, size_t bufsize);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_STRERROR_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/syslog.h b/contrib/bind9/lib/isc/unix/include/isc/syslog.h
deleted file mode 100644
index 2c0625eb277d..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/syslog.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: syslog.h,v 1.2.206.1 2004/03/06 08:15:05 marka Exp $ */
-
-#ifndef ISC_SYSLOG_H
-#define ISC_SYSLOG_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isc_syslog_facilityfromstring(const char *str, int *facilityp);
-/*
- * Convert 'str' to the appropriate syslog facility constant.
- *
- * Requires:
- *
- * 'str' is not NULL
- * 'facilityp' is not NULL
- *
- * Returns:
- * ISC_R_SUCCESS
- * ISC_R_NOTFOUND
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_SYSLOG_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/time.h b/contrib/bind9/lib/isc/unix/include/isc/time.h
deleted file mode 100644
index 6021c13d9295..000000000000
--- a/contrib/bind9/lib/isc/unix/include/isc/time.h
+++ /dev/null
@@ -1,299 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: time.h,v 1.25.2.1.10.4 2004/03/08 09:04:58 marka Exp $ */
-
-#ifndef ISC_TIME_H
-#define ISC_TIME_H 1
-
-#include <isc/lang.h>
-#include <isc/types.h>
-
-/***
- *** Intervals
- ***/
-
-/*
- * The contents of this structure are private, and MUST NOT be accessed
- * directly by callers.
- *
- * The contents are exposed only to allow callers to avoid dynamic allocation.
- */
-struct isc_interval {
- unsigned int seconds;
- unsigned int nanoseconds;
-};
-
-extern isc_interval_t *isc_interval_zero;
-
-ISC_LANG_BEGINDECLS
-
-void
-isc_interval_set(isc_interval_t *i,
- unsigned int seconds, unsigned int nanoseconds);
-/*
- * Set 'i' to a value representing an interval of 'seconds' seconds and
- * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
- * isc_time_subtract().
- *
- * Requires:
- *
- * 't' is a valid pointer.
- * nanoseconds < 1000000000.
- */
-
-isc_boolean_t
-isc_interval_iszero(const isc_interval_t *i);
-/*
- * Returns ISC_TRUE iff. 'i' is the zero interval.
- *
- * Requires:
- *
- * 'i' is a valid pointer.
- */
-
-/***
- *** Absolute Times
- ***/
-
-/*
- * The contents of this structure are private, and MUST NOT be accessed
- * directly by callers.
- *
- * The contents are exposed only to allow callers to avoid dynamic allocation.
- */
-
-struct isc_time {
- unsigned int seconds;
- unsigned int nanoseconds;
-};
-
-extern isc_time_t *isc_time_epoch;
-
-void
-isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
-/*
- * Set 't' to a particular number of seconds + nanoseconds since the epoch.
- *
- * Notes:
- * This call is equivalent to:
- *
- * isc_time_settoepoch(t);
- * isc_interval_set(i, seconds, nanoseconds);
- * isc_time_add(t, i, t);
- *
- * Requires:
- * 't' is a valid pointer.
- * nanoseconds < 1000000000.
- */
-
-void
-isc_time_settoepoch(isc_time_t *t);
-/*
- * Set 't' to the time of the epoch.
- *
- * Notes:
- * The date of the epoch is platform-dependent.
- *
- * Requires:
- *
- * 't' is a valid pointer.
- */
-
-isc_boolean_t
-isc_time_isepoch(const isc_time_t *t);
-/*
- * Returns ISC_TRUE iff. 't' is the epoch ("time zero").
- *
- * Requires:
- *
- * 't' is a valid pointer.
- */
-
-isc_result_t
-isc_time_now(isc_time_t *t);
-/*
- * Set 't' to the current absolute time.
- *
- * Requires:
- *
- * 't' is a valid pointer.
- *
- * Returns:
- *
- * Success
- * Unexpected error
- * Getting the time from the system failed.
- * Out of range
- * The time from the system is too large to be represented
- * in the current definition of isc_time_t.
- */
-
-isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
-/*
- * Set *t to the current absolute time + i.
- *
- * Note:
- * This call is equivalent to:
- *
- * isc_time_now(t);
- * isc_time_add(t, i, t);
- *
- * Requires:
- *
- * 't' and 'i' are valid pointers.
- *
- * Returns:
- *
- * Success
- * Unexpected error
- * Getting the time from the system failed.
- * Out of range
- * The interval added to the time from the system is too large to
- * be represented in the current definition of isc_time_t.
- */
-
-int
-isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
-/*
- * Compare the times referenced by 't1' and 't2'
- *
- * Requires:
- *
- * 't1' and 't2' are valid pointers.
- *
- * Returns:
- *
- * -1 t1 < t2 (comparing times, not pointers)
- * 0 t1 = t2
- * 1 t1 > t2
- */
-
-isc_result_t
-isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
-/*
- * Add 'i' to 't', storing the result in 'result'.
- *
- * Requires:
- *
- * 't', 'i', and 'result' are valid pointers.
- *
- * Returns:
- * Success
- * Out of range
- * The interval added to the time is too large to
- * be represented in the current definition of isc_time_t.
- */
-
-isc_result_t
-isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
- isc_time_t *result);
-/*
- * Subtract 'i' from 't', storing the result in 'result'.
- *
- * Requires:
- *
- * 't', 'i', and 'result' are valid pointers.
- *
- * Returns:
- * Success
- * Out of range
- * The interval is larger than the time since the epoch.
- */
-
-isc_uint64_t
-isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
-/*
- * Find the difference in microseconds between time t1 and time t2.
- * t2 is the subtrahend of t1; ie, difference = t1 - t2.
- *
- * Requires:
- *
- * 't1' and 't2' are valid pointers.
- *
- * Returns:
- * The difference of t1 - t2, or 0 if t1 <= t2.
- */
-
-isc_uint32_t
-isc_time_seconds(const isc_time_t *t);
-/*
- * Return the number of seconds since the epoch stored in a time structure.
- *
- * Requires:
- *
- * 't' is a valid pointer.
- */
-
-isc_result_t
-isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
-/*
- * Ensure the number of seconds in an isc_time_t is representable by a time_t.
- *
- * Notes:
- * The number of seconds stored in an isc_time_t might be larger
- * than the number of seconds a time_t is able to handle. Since
- * time_t is mostly opaque according to the ANSI/ISO standard
- * (essentially, all you can be sure of is that it is an arithmetic type,
- * not even necessarily integral), it can be tricky to ensure that
- * the isc_time_t is in the range a time_t can handle. Use this
- * function in place of isc_time_seconds() any time you need to set a
- * time_t from an isc_time_t.
- *
- * Requires:
- * 't' is a valid pointer.
- *
- * Returns:
- * Success
- * Out of range
- */
-
-isc_uint32_t
-isc_time_nanoseconds(const isc_time_t *t);
-/*
- * Return the number of nanoseconds stored in a time structure.
- *
- * Notes:
- * This is the number of nanoseconds in excess of the the number
- * of seconds since the epoch; it will always be less than one
- * full second.
- *
- * Requires:
- * 't' is a valid pointer.
- *
- * Ensures:
- * The returned value is less than 1*10^9.
- */
-
-void
-isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
-/*
- * Format the time 't' into the buffer 'buf' of length 'len',
- * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
- * If the text does not fit in the buffer, the result is indeterminate,
- * but is always guaranteed to be null terminated.
- *
- * Requires:
- * 'len' > 0
- * 'buf' points to an array of at least len chars
- *
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISC_TIME_H */
diff --git a/contrib/bind9/lib/isc/unix/interfaceiter.c b/contrib/bind9/lib/isc/unix/interfaceiter.c
deleted file mode 100644
index 9520bdeb5670..000000000000
--- a/contrib/bind9/lib/isc/unix/interfaceiter.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: interfaceiter.c,v 1.22.2.1.10.14 2004/08/28 06:25:22 marka Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/ioctl.h>
-#ifdef HAVE_SYS_SOCKIO_H
-#include <sys/sockio.h> /* Required for ifiter_ioctl.c. */
-#endif
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include <isc/interfaceiter.h>
-#include <isc/log.h>
-#include <isc/magic.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/net.h>
-#include <isc/print.h>
-#include <isc/result.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/types.h>
-#include <isc/util.h>
-
-/* Must follow <isc/net.h>. */
-#ifdef HAVE_NET_IF6_H
-#include <net/if6.h>
-#endif
-#include <net/if.h>
-
-/* Common utility functions */
-
-/*
- * Extract the network address part from a "struct sockaddr".
- *
- * The address family is given explicitly
- * instead of using src->sa_family, because the latter does not work
- * for copying a network mask obtained by SIOCGIFNETMASK (it does
- * not have a valid address family).
- */
-
-static void
-get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
- char *ifname)
-{
- struct sockaddr_in6 *sa6;
-
-#if !defined(ISC_PLATFORM_HAVEIFNAMETOINDEX) || \
- !defined(ISC_PLATFORM_HAVESCOPEID)
- UNUSED(ifname);
-#endif
-
- /* clear any remaining value for safety */
- memset(dst, 0, sizeof(*dst));
-
- dst->family = family;
- switch (family) {
- case AF_INET:
- memcpy(&dst->type.in,
- &((struct sockaddr_in *) src)->sin_addr,
- sizeof(struct in_addr));
- break;
- case AF_INET6:
- sa6 = (struct sockaddr_in6 *)src;
- memcpy(&dst->type.in6, &sa6->sin6_addr,
- sizeof(struct in6_addr));
-#ifdef ISC_PLATFORM_HAVESCOPEID
- if (sa6->sin6_scope_id != 0)
- isc_netaddr_setzone(dst, sa6->sin6_scope_id);
- else {
- /*
- * BSD variants embed scope zone IDs in the 128bit
- * address as a kernel internal form. Unfortunately,
- * the embedded IDs are not hidden from applications
- * when getting access to them by sysctl or ioctl.
- * We convert the internal format to the pure address
- * part and the zone ID part.
- * Since multicast addresses should not appear here
- * and they cannot be distinguished from netmasks,
- * we only consider unicast link-local addresses.
- */
- if (IN6_IS_ADDR_LINKLOCAL(&sa6->sin6_addr)) {
- isc_uint16_t zone16;
-
- memcpy(&zone16, &sa6->sin6_addr.s6_addr[2],
- sizeof(zone16));
- zone16 = ntohs(zone16);
- if (zone16 != 0) {
- /* the zone ID is embedded */
- isc_netaddr_setzone(dst,
- (isc_uint32_t)zone16);
- dst->type.in6.s6_addr[2] = 0;
- dst->type.in6.s6_addr[3] = 0;
-#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
- } else if (ifname != NULL) {
- unsigned int zone;
-
- /*
- * sin6_scope_id is still not provided,
- * but the corresponding interface name
- * is know. Use the interface ID as
- * the link ID.
- */
- zone = if_nametoindex(ifname);
- if (zone != 0) {
- isc_netaddr_setzone(dst,
- (isc_uint32_t)zone);
- }
-#endif
- }
- }
- }
-#endif
- break;
- default:
- INSIST(0);
- break;
- }
-}
-
-/*
- * Include system-dependent code.
- */
-
-#if HAVE_GETIFADDRS
-#include "ifiter_getifaddrs.c"
-#elif HAVE_IFLIST_SYSCTL
-#include "ifiter_sysctl.c"
-#else
-#include "ifiter_ioctl.c"
-#endif
-
-/*
- * The remaining code is common to the sysctl and ioctl case.
- */
-
-isc_result_t
-isc_interfaceiter_current(isc_interfaceiter_t *iter,
- isc_interface_t *ifdata)
-{
- REQUIRE(iter->result == ISC_R_SUCCESS);
- memcpy(ifdata, &iter->current, sizeof(*ifdata));
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_interfaceiter_first(isc_interfaceiter_t *iter) {
- isc_result_t result;
-
- REQUIRE(VALID_IFITER(iter));
-
- internal_first(iter);
- for (;;) {
- result = internal_current(iter);
- if (result != ISC_R_IGNORE)
- break;
- result = internal_next(iter);
- if (result != ISC_R_SUCCESS)
- break;
- }
- iter->result = result;
- return (result);
-}
-
-isc_result_t
-isc_interfaceiter_next(isc_interfaceiter_t *iter) {
- isc_result_t result;
-
- REQUIRE(VALID_IFITER(iter));
- REQUIRE(iter->result == ISC_R_SUCCESS);
-
- for (;;) {
- result = internal_next(iter);
- if (result != ISC_R_SUCCESS)
- break;
- result = internal_current(iter);
- if (result != ISC_R_IGNORE)
- break;
- }
- iter->result = result;
- return (result);
-}
-
-void
-isc_interfaceiter_destroy(isc_interfaceiter_t **iterp)
-{
- isc_interfaceiter_t *iter;
- REQUIRE(iterp != NULL);
- iter = *iterp;
- REQUIRE(VALID_IFITER(iter));
-
- internal_destroy(iter);
- if (iter->buf != NULL)
- isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
-
- iter->magic = 0;
- isc_mem_put(iter->mctx, iter, sizeof(*iter));
- *iterp = NULL;
-}
diff --git a/contrib/bind9/lib/isc/unix/ipv6.c b/contrib/bind9/lib/isc/unix/ipv6.c
deleted file mode 100644
index 25e0c57b09fc..000000000000
--- a/contrib/bind9/lib/isc/unix/ipv6.c
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipv6.c,v 1.7.206.1 2004/03/06 08:15:00 marka Exp $ */
-
-#include <isc/ipv6.h>
-
-const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
-const struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
diff --git a/contrib/bind9/lib/isc/unix/keyboard.c b/contrib/bind9/lib/isc/unix/keyboard.c
deleted file mode 100644
index 146338aebe75..000000000000
--- a/contrib/bind9/lib/isc/unix/keyboard.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: keyboard.c,v 1.9.12.3 2004/03/08 09:04:56 marka Exp $ */
-
-#include <config.h>
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <termios.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-#include <isc/keyboard.h>
-#include <isc/util.h>
-
-isc_result_t
-isc_keyboard_open(isc_keyboard_t *keyboard) {
- int fd;
- isc_result_t ret;
- struct termios current_mode;
-
- REQUIRE(keyboard != NULL);
-
- fd = open("/dev/tty", O_RDONLY, 0);
- if (fd < 0)
- return (ISC_R_IOERROR);
-
- keyboard->fd = fd;
-
- if (tcgetattr(fd, &keyboard->saved_mode) < 0) {
- ret = ISC_R_IOERROR;
- goto errout;
- }
-
- current_mode = keyboard->saved_mode;
-
- current_mode.c_iflag &=
- ~(IGNBRK|BRKINT|PARMRK|ISTRIP|INLCR|IGNCR|ICRNL|IXON);
- current_mode.c_oflag &= ~OPOST;
- current_mode.c_lflag &= ~(ECHO|ECHONL|ICANON|ISIG|IEXTEN);
- current_mode.c_cflag &= ~(CSIZE|PARENB);
- current_mode.c_cflag |= CS8;
-
- current_mode.c_cc[VMIN] = 1;
- current_mode.c_cc[VTIME] = 0;
- if (tcsetattr(fd, TCSAFLUSH, &current_mode) < 0) {
- ret = ISC_R_IOERROR;
- goto errout;
- }
-
- keyboard->result = ISC_R_SUCCESS;
-
- return (ISC_R_SUCCESS);
-
- errout:
- close (fd);
-
- return (ret);
-}
-
-isc_result_t
-isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleeptime) {
- REQUIRE(keyboard != NULL);
-
- if (sleeptime > 0 && keyboard->result != ISC_R_CANCELED)
- (void)sleep(sleeptime);
-
- (void)tcsetattr(keyboard->fd, TCSAFLUSH, &keyboard->saved_mode);
- (void)close(keyboard->fd);
-
- keyboard->fd = -1;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp) {
- ssize_t cc;
- unsigned char c;
- cc_t *controlchars;
-
- REQUIRE(keyboard != NULL);
- REQUIRE(cp != NULL);
-
- cc = read(keyboard->fd, &c, 1);
- if (cc < 0) {
- keyboard->result = ISC_R_IOERROR;
- return (keyboard->result);
- }
-
- controlchars = keyboard->saved_mode.c_cc;
- if (c == controlchars[VINTR] || c == controlchars[VQUIT]) {
- keyboard->result = ISC_R_CANCELED;
- return (keyboard->result);
- }
-
- *cp = c;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_boolean_t
-isc_keyboard_canceled(isc_keyboard_t *keyboard) {
- return (ISC_TF(keyboard->result == ISC_R_CANCELED));
-}
diff --git a/contrib/bind9/lib/isc/unix/net.c b/contrib/bind9/lib/isc/unix/net.c
deleted file mode 100644
index e0aeccbbbf4d..000000000000
--- a/contrib/bind9/lib/isc/unix/net.c
+++ /dev/null
@@ -1,348 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: net.c,v 1.22.2.2.10.9 2005/03/17 03:58:33 marka Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <unistd.h>
-
-#include <isc/log.h>
-#include <isc/msgs.h>
-#include <isc/net.h>
-#include <isc/once.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
-const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT;
-#endif
-
-#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
-const struct in6_addr isc_net_in6addrloop = IN6ADDR_LOOPBACK_INIT;
-#endif
-
-static isc_once_t once = ISC_ONCE_INIT;
-static isc_once_t once_ipv6only = ISC_ONCE_INIT;
-static isc_once_t once_ipv6pktinfo = ISC_ONCE_INIT;
-static isc_result_t ipv4_result = ISC_R_NOTFOUND;
-static isc_result_t ipv6_result = ISC_R_NOTFOUND;
-static isc_result_t ipv6only_result = ISC_R_NOTFOUND;
-static isc_result_t ipv6pktinfo_result = ISC_R_NOTFOUND;
-
-static isc_result_t
-try_proto(int domain) {
- int s;
- isc_result_t result = ISC_R_SUCCESS;
- char strbuf[ISC_STRERRORSIZE];
-
- s = socket(domain, SOCK_STREAM, 0);
- if (s == -1) {
- switch (errno) {
-#ifdef EAFNOSUPPORT
- case EAFNOSUPPORT:
-#endif
-#ifdef EPROTONOSUPPORT
- case EPROTONOSUPPORT:
-#endif
-#ifdef EINVAL
- case EINVAL:
-#endif
- return (ISC_R_NOTFOUND);
- default:
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "socket() %s: %s",
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
- }
-
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
- if (domain == PF_INET6) {
- struct sockaddr_in6 sin6;
- unsigned int len;
-
- /*
- * Check to see if IPv6 is broken, as is common on Linux.
- */
- len = sizeof(sin6);
- if (getsockname(s, (struct sockaddr *)&sin6, (void *)&len) < 0)
- {
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
- "retrieving the address of an IPv6 "
- "socket from the kernel failed.");
- isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
- "IPv6 is not supported.");
- result = ISC_R_NOTFOUND;
- } else {
- if (len == sizeof(struct sockaddr_in6))
- result = ISC_R_SUCCESS;
- else {
- isc_log_write(isc_lctx,
- ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_SOCKET,
- ISC_LOG_ERROR,
- "IPv6 structures in kernel and "
- "user space do not match.");
- isc_log_write(isc_lctx,
- ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_SOCKET,
- ISC_LOG_ERROR,
- "IPv6 is not supported.");
- result = ISC_R_NOTFOUND;
- }
- }
- }
-#endif
-#endif
-#endif
-
- (void)close(s);
-
- return (result);
-}
-
-static void
-initialize_action(void) {
- ipv4_result = try_proto(PF_INET);
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
- ipv6_result = try_proto(PF_INET6);
-#endif
-#endif
-#endif
-}
-
-static void
-initialize(void) {
- RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_net_probeipv4(void) {
- initialize();
- return (ipv4_result);
-}
-
-isc_result_t
-isc_net_probeipv6(void) {
- initialize();
- return (ipv6_result);
-}
-
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
-static void
-try_ipv6only(void) {
-#ifdef IPV6_V6ONLY
- int s, on;
- char strbuf[ISC_STRERRORSIZE];
-#endif
- isc_result_t result;
-
- result = isc_net_probeipv6();
- if (result != ISC_R_SUCCESS) {
- ipv6only_result = result;
- return;
- }
-
-#ifndef IPV6_V6ONLY
- ipv6only_result = ISC_R_NOTFOUND;
- return;
-#else
- /* check for TCP sockets */
- s = socket(PF_INET6, SOCK_STREAM, 0);
- if (s == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "socket() %s: %s",
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- ipv6only_result = ISC_R_UNEXPECTED;
- return;
- }
-
- on = 1;
- if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
- ipv6only_result = ISC_R_NOTFOUND;
- goto close;
- }
-
- close(s);
-
- /* check for UDP sockets */
- s = socket(PF_INET6, SOCK_DGRAM, 0);
- if (s == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "socket() %s: %s",
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- ipv6only_result = ISC_R_UNEXPECTED;
- return;
- }
-
- on = 1;
- if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
- ipv6only_result = ISC_R_NOTFOUND;
- goto close;
- }
-
- close(s);
-
- ipv6only_result = ISC_R_SUCCESS;
-
-close:
- close(s);
- return;
-#endif /* IPV6_V6ONLY */
-}
-
-static void
-initialize_ipv6only(void) {
- RUNTIME_CHECK(isc_once_do(&once_ipv6only,
- try_ipv6only) == ISC_R_SUCCESS);
-}
-#endif /* IPV6_V6ONLY */
-
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-static void
-try_ipv6pktinfo(void) {
- int s, on;
- char strbuf[ISC_STRERRORSIZE];
- isc_result_t result;
- int optname;
-
- result = isc_net_probeipv6();
- if (result != ISC_R_SUCCESS) {
- ipv6pktinfo_result = result;
- return;
- }
-
- /* we only use this for UDP sockets */
- s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
- if (s == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "socket() %s: %s",
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- ipv6pktinfo_result = ISC_R_UNEXPECTED;
- return;
- }
-
-#ifdef IPV6_RECVPKTINFO
- optname = IPV6_RECVPKTINFO;
-#else
- optname = IPV6_PKTINFO;
-#endif
- on = 1;
- if (setsockopt(s, IPPROTO_IPV6, optname, &on, sizeof(on)) < 0) {
- ipv6pktinfo_result = ISC_R_NOTFOUND;
- goto close;
- }
-
- close(s);
- ipv6pktinfo_result = ISC_R_SUCCESS;
-
-close:
- close(s);
- return;
-}
-
-static void
-initialize_ipv6pktinfo(void) {
- RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo,
- try_ipv6pktinfo) == ISC_R_SUCCESS);
-}
-#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
-#endif /* WANT_IPV6 */
-
-isc_result_t
-isc_net_probe_ipv6only(void) {
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef WANT_IPV6
- initialize_ipv6only();
-#else
- ipv6only_result = ISC_R_NOTFOUND;
-#endif
-#endif
- return (ipv6only_result);
-}
-
-isc_result_t
-isc_net_probe_ipv6pktinfo(void) {
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-#ifdef WANT_IPV6
- initialize_ipv6pktinfo();
-#else
- ipv6pktinfo_result = ISC_R_NOTFOUND;
-#endif
-#endif
-#endif
- return (ipv6pktinfo_result);
-}
-
-void
-isc_net_disableipv4(void) {
- initialize();
- if (ipv4_result == ISC_R_SUCCESS)
- ipv4_result = ISC_R_DISABLED;
-}
-
-void
-isc_net_disableipv6(void) {
- initialize();
- if (ipv6_result == ISC_R_SUCCESS)
- ipv6_result = ISC_R_DISABLED;
-}
-
-void
-isc_net_enableipv4(void) {
- initialize();
- if (ipv4_result == ISC_R_DISABLED)
- ipv4_result = ISC_R_SUCCESS;
-}
-
-void
-isc_net_enableipv6(void) {
- initialize();
- if (ipv6_result == ISC_R_DISABLED)
- ipv6_result = ISC_R_SUCCESS;
-}
diff --git a/contrib/bind9/lib/isc/unix/os.c b/contrib/bind9/lib/isc/unix/os.c
deleted file mode 100644
index 4d34d8ce6f47..000000000000
--- a/contrib/bind9/lib/isc/unix/os.c
+++ /dev/null
@@ -1,94 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: os.c,v 1.11.12.6 2005/10/14 02:13:07 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/os.h>
-
-
-#ifdef HAVE_SYSCONF
-
-#include <unistd.h>
-
-#ifndef __hpux
-static inline long
-sysconf_ncpus(void) {
-#if defined(_SC_NPROCESSORS_ONLN)
- return sysconf((_SC_NPROCESSORS_ONLN));
-#elif defined(_SC_NPROC_ONLN)
- return sysconf((_SC_NPROC_ONLN));
-#else
- return (0);
-#endif
-}
-#endif
-#endif /* HAVE_SYSCONF */
-
-
-#ifdef __hpux
-
-#include <sys/pstat.h>
-
-static inline int
-hpux_ncpus(void) {
- struct pst_dynamic psd;
- if (pstat_getdynamic(&psd, sizeof(psd), 1, 0) != -1)
- return (psd.psd_proc_cnt);
- else
- return (0);
-}
-
-#endif /* __hpux */
-
-#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
-#include <sys/types.h> /* for FreeBSD */
-#include <sys/param.h> /* for NetBSD */
-#include <sys/sysctl.h>
-
-static int
-sysctl_ncpus(void) {
- int ncpu, result;
- size_t len;
-
- len = sizeof(ncpu);
- result = sysctlbyname("hw.ncpu", &ncpu, &len , 0, 0);
- if (result != -1)
- return (ncpu);
- return (0);
-}
-#endif
-
-unsigned int
-isc_os_ncpus(void) {
- long ncpus = 0;
-
-#ifdef __hpux
- ncpus = hpux_ncpus();
-#elif defined(HAVE_SYSCONF)
- ncpus = sysconf_ncpus();
-#endif
-#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
- if (ncpus <= 0)
- ncpus = sysctl_ncpus();
-#endif
- if (ncpus <= 0)
- ncpus = 1;
-
- return ((unsigned int)ncpus);
-}
diff --git a/contrib/bind9/lib/isc/unix/resource.c b/contrib/bind9/lib/isc/unix/resource.c
deleted file mode 100644
index b6faf32a5e4d..000000000000
--- a/contrib/bind9/lib/isc/unix/resource.c
+++ /dev/null
@@ -1,204 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: resource.c,v 1.11.206.1 2004/03/06 08:15:01 marka Exp $ */
-
-#include <config.h>
-
-#include <sys/types.h>
-#include <sys/time.h> /* Required on some systems for <sys/resource.h>. */
-#include <sys/resource.h>
-
-#include <isc/platform.h>
-#include <isc/resource.h>
-#include <isc/result.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-static isc_result_t
-resource2rlim(isc_resource_t resource, int *rlim_resource) {
- isc_result_t result = ISC_R_SUCCESS;
-
- switch (resource) {
- case isc_resource_coresize:
- *rlim_resource = RLIMIT_CORE;
- break;
- case isc_resource_cputime:
- *rlim_resource = RLIMIT_CPU;
- break;
- case isc_resource_datasize:
- *rlim_resource = RLIMIT_DATA;
- break;
- case isc_resource_filesize:
- *rlim_resource = RLIMIT_FSIZE;
- break;
- case isc_resource_lockedmemory:
-#ifdef RLIMIT_MEMLOCK
- *rlim_resource = RLIMIT_MEMLOCK;
-#else
- result = ISC_R_NOTIMPLEMENTED;
-#endif
- break;
- case isc_resource_openfiles:
-#ifdef RLIMIT_NOFILE
- *rlim_resource = RLIMIT_NOFILE;
-#else
- result = ISC_R_NOTIMPLEMENTED;
-#endif
- break;
- case isc_resource_processes:
-#ifdef RLIMIT_NPROC
- *rlim_resource = RLIMIT_NPROC;
-#else
- result = ISC_R_NOTIMPLEMENTED;
-#endif
- break;
- case isc_resource_residentsize:
-#ifdef RLIMIT_RSS
- *rlim_resource = RLIMIT_RSS;
-#else
- result = ISC_R_NOTIMPLEMENTED;
-#endif
- break;
- case isc_resource_stacksize:
- *rlim_resource = RLIMIT_STACK;
- break;
- default:
- /*
- * This test is not very robust if isc_resource_t
- * changes, but generates a clear assertion message.
- */
- REQUIRE(resource >= isc_resource_coresize &&
- resource <= isc_resource_stacksize);
-
- result = ISC_R_RANGE;
- break;
- }
-
- return (result);
-}
-
-isc_result_t
-isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
- struct rlimit rl;
- ISC_PLATFORM_RLIMITTYPE rlim_value;
- int unixresult;
- int unixresource;
- isc_result_t result;
-
- result = resource2rlim(resource, &unixresource);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (value == ISC_RESOURCE_UNLIMITED)
- rlim_value = RLIM_INFINITY;
-
- else {
- /*
- * isc_resourcevalue_t was chosen as an unsigned 64 bit
- * integer so that it could contain the maximum range of
- * reasonable values. Unfortunately, this exceeds the typical
- * range on Unix systems. Ensure the range of
- * ISC_PLATFORM_RLIMITTYPE is not overflowed.
- */
- isc_resourcevalue_t rlim_max;
- isc_boolean_t rlim_t_is_signed =
- ISC_TF(((double)(ISC_PLATFORM_RLIMITTYPE)-1) < 0);
-
- if (rlim_t_is_signed)
- rlim_max = ~((ISC_PLATFORM_RLIMITTYPE)1 <<
- (sizeof(ISC_PLATFORM_RLIMITTYPE) * 8 - 1));
- else
- rlim_max = (ISC_PLATFORM_RLIMITTYPE)-1;
-
- if (value > rlim_max)
- value = rlim_max;
-
- rlim_value = value;
- }
-
- /*
- * The BIND 8 documentation reports:
- *
- * Note: on some operating systems the server cannot set an
- * unlimited value and cannot determine the maximum number of
- * open files the kernel can support. On such systems, choosing
- * unlimited will cause the server to use the larger of the
- * rlim_max for RLIMIT_NOFILE and the value returned by
- * sysconf(_SC_OPEN_MAX). If the actual kernel limit is larger
- * than this value, use limit files to specify the limit
- * explicitly.
- *
- * The CHANGES for 8.1.2-T3A also mention:
- *
- * 352. [bug] Because of problems with setting an infinite
- * rlim_max for RLIMIT_NOFILE on some systems, previous versions
- * of the server implemented "limit files unlimited" by setting
- * the limit to the value returned by sysconf(_SC_OPEN_MAX). The
- * server will now use RLIM_INFINITY on systems which allow it.
- *
- * At some point the BIND 8 server stopped using SC_OPEN_MAX for this
- * purpose at all, but it isn't clear to me when or why, as my access
- * to the CVS archive is limited at the time of this writing. What
- * BIND 8 *does* do is to set RLIMIT_NOFILE to either RLIMIT_INFINITY
- * on a half dozen operating systems or to FD_SETSIZE on the rest,
- * the latter of which is probably fewer than the real limit. (Note
- * that libisc's socket module will have problems with any fd over
- * FD_SETSIZE. This should be fixed in the socket module, not a
- * limitation here. BIND 8's eventlib also has a problem, making
- * its RLIMIT_INFINITY setting useless, because it closes and ignores
- * any fd over FD_SETSIZE.)
- *
- * More troubling is the reference to some operating systems not being
- * able to set an unlimited value for the number of open files. I'd
- * hate to put in code that is really only there to support archaic
- * systems that the rest of libisc won't work on anyway. So what this
- * extremely verbose comment is here to say is the following:
- *
- * I'm aware there might be an issue with not limiting the value
- * for RLIMIT_NOFILE on some systems, but since I don't know yet
- * what those systems are and what the best workaround is (use
- * sysconf()? rlim_max from getrlimit()? FD_SETSIZE?) so nothing
- * is currently being done to clamp the value for open files.
- */
-
- rl.rlim_cur = rl.rlim_max = rlim_value;
- unixresult = setrlimit(unixresource, &rl);
-
- if (unixresult == 0)
- return (ISC_R_SUCCESS);
- else
- return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
- int unixresult;
- int unixresource;
- struct rlimit rl;
- isc_result_t result;
-
- result = resource2rlim(resource, &unixresource);
- if (result == ISC_R_SUCCESS) {
- unixresult = getrlimit(unixresource, &rl);
- INSIST(unixresult == 0);
- *value = rl.rlim_max;
- }
-
- return (result);
-}
diff --git a/contrib/bind9/lib/isc/unix/socket.c b/contrib/bind9/lib/isc/unix/socket.c
deleted file mode 100644
index 595990f995c5..000000000000
--- a/contrib/bind9/lib/isc/unix/socket.c
+++ /dev/null
@@ -1,3526 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: socket.c,v 1.207.2.19.2.22 2005/11/03 23:08:42 marka Exp $ */
-
-#include <config.h>
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <isc/buffer.h>
-#include <isc/bufferlist.h>
-#include <isc/condition.h>
-#include <isc/formatcheck.h>
-#include <isc/list.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/msgs.h>
-#include <isc/mutex.h>
-#include <isc/net.h>
-#include <isc/platform.h>
-#include <isc/print.h>
-#include <isc/region.h>
-#include <isc/socket.h>
-#include <isc/strerror.h>
-#include <isc/task.h>
-#include <isc/thread.h>
-#include <isc/util.h>
-
-#include "errno2result.h"
-
-#ifndef ISC_PLATFORM_USETHREADS
-#include "socket_p.h"
-#endif /* ISC_PLATFORM_USETHREADS */
-
-/*
- * Some systems define the socket length argument as an int, some as size_t,
- * some as socklen_t. This is here so it can be easily changed if needed.
- */
-#ifndef ISC_SOCKADDR_LEN_T
-#define ISC_SOCKADDR_LEN_T unsigned int
-#endif
-
-/*
- * Define what the possible "soft" errors can be. These are non-fatal returns
- * of various network related functions, like recv() and so on.
- *
- * For some reason, BSDI (and perhaps others) will sometimes return <0
- * from recv() but will have errno==0. This is broken, but we have to
- * work around it here.
- */
-#define SOFT_ERROR(e) ((e) == EAGAIN || \
- (e) == EWOULDBLOCK || \
- (e) == EINTR || \
- (e) == 0)
-
-#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
-
-/*
- * DLVL(90) -- Function entry/exit and other tracing.
- * DLVL(70) -- Socket "correctness" -- including returning of events, etc.
- * DLVL(60) -- Socket data send/receive
- * DLVL(50) -- Event tracing, including receiving/sending completion events.
- * DLVL(20) -- Socket creation/destruction.
- */
-#define TRACE_LEVEL 90
-#define CORRECTNESS_LEVEL 70
-#define IOEVENT_LEVEL 60
-#define EVENT_LEVEL 50
-#define CREATION_LEVEL 20
-
-#define TRACE DLVL(TRACE_LEVEL)
-#define CORRECTNESS DLVL(CORRECTNESS_LEVEL)
-#define IOEVENT DLVL(IOEVENT_LEVEL)
-#define EVENT DLVL(EVENT_LEVEL)
-#define CREATION DLVL(CREATION_LEVEL)
-
-typedef isc_event_t intev_t;
-
-#define SOCKET_MAGIC ISC_MAGIC('I', 'O', 'i', 'o')
-#define VALID_SOCKET(t) ISC_MAGIC_VALID(t, SOCKET_MAGIC)
-
-/*
- * IPv6 control information. If the socket is an IPv6 socket we want
- * to collect the destination address and interface so the client can
- * set them on outgoing packets.
- */
-#ifdef ISC_PLATFORM_HAVEIPV6
-#ifndef USE_CMSG
-#define USE_CMSG 1
-#endif
-#endif
-
-/*
- * NetBSD and FreeBSD can timestamp packets. XXXMLG Should we have
- * a setsockopt() like interface to request timestamps, and if the OS
- * doesn't do it for us, call gettimeofday() on every UDP receive?
- */
-#ifdef SO_TIMESTAMP
-#ifndef USE_CMSG
-#define USE_CMSG 1
-#endif
-#endif
-
-/*
- * The number of times a send operation is repeated if the result is EINTR.
- */
-#define NRETRIES 10
-
-struct isc_socket {
- /* Not locked. */
- unsigned int magic;
- isc_socketmgr_t *manager;
- isc_mutex_t lock;
- isc_sockettype_t type;
-
- /* Locked by socket lock. */
- ISC_LINK(isc_socket_t) link;
- unsigned int references;
- int fd;
- int pf;
-
- ISC_LIST(isc_socketevent_t) send_list;
- ISC_LIST(isc_socketevent_t) recv_list;
- ISC_LIST(isc_socket_newconnev_t) accept_list;
- isc_socket_connev_t *connect_ev;
-
- /*
- * Internal events. Posted when a descriptor is readable or
- * writable. These are statically allocated and never freed.
- * They will be set to non-purgable before use.
- */
- intev_t readable_ev;
- intev_t writable_ev;
-
- isc_sockaddr_t address; /* remote address */
-
- unsigned int pending_recv : 1,
- pending_send : 1,
- pending_accept : 1,
- listener : 1, /* listener socket */
- connected : 1,
- connecting : 1, /* connect pending */
- bound : 1; /* bound to local addr */
-
-#ifdef ISC_NET_RECVOVERFLOW
- unsigned char overflow; /* used for MSG_TRUNC fake */
-#endif
-
- char *recvcmsgbuf;
- ISC_SOCKADDR_LEN_T recvcmsgbuflen;
- char *sendcmsgbuf;
- ISC_SOCKADDR_LEN_T sendcmsgbuflen;
-};
-
-#define SOCKET_MANAGER_MAGIC ISC_MAGIC('I', 'O', 'm', 'g')
-#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
-
-struct isc_socketmgr {
- /* Not locked. */
- unsigned int magic;
- isc_mem_t *mctx;
- isc_mutex_t lock;
- /* Locked by manager lock. */
- ISC_LIST(isc_socket_t) socklist;
- fd_set read_fds;
- fd_set write_fds;
- isc_socket_t *fds[FD_SETSIZE];
- int fdstate[FD_SETSIZE];
- int maxfd;
-#ifdef ISC_PLATFORM_USETHREADS
- isc_thread_t watcher;
- isc_condition_t shutdown_ok;
- int pipe_fds[2];
-#else /* ISC_PLATFORM_USETHREADS */
- unsigned int refs;
-#endif /* ISC_PLATFORM_USETHREADS */
-};
-
-#ifndef ISC_PLATFORM_USETHREADS
-static isc_socketmgr_t *socketmgr = NULL;
-#endif /* ISC_PLATFORM_USETHREADS */
-
-#define CLOSED 0 /* this one must be zero */
-#define MANAGED 1
-#define CLOSE_PENDING 2
-
-/*
- * send() and recv() iovec counts
- */
-#define MAXSCATTERGATHER_SEND (ISC_SOCKET_MAXSCATTERGATHER)
-#ifdef ISC_NET_RECVOVERFLOW
-# define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER + 1)
-#else
-# define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER)
-#endif
-
-static void send_recvdone_event(isc_socket_t *, isc_socketevent_t **);
-static void send_senddone_event(isc_socket_t *, isc_socketevent_t **);
-static void free_socket(isc_socket_t **);
-static isc_result_t allocate_socket(isc_socketmgr_t *, isc_sockettype_t,
- isc_socket_t **);
-static void destroy(isc_socket_t **);
-static void internal_accept(isc_task_t *, isc_event_t *);
-static void internal_connect(isc_task_t *, isc_event_t *);
-static void internal_recv(isc_task_t *, isc_event_t *);
-static void internal_send(isc_task_t *, isc_event_t *);
-static void process_cmsg(isc_socket_t *, struct msghdr *, isc_socketevent_t *);
-static void build_msghdr_send(isc_socket_t *, isc_socketevent_t *,
- struct msghdr *, struct iovec *, size_t *);
-static void build_msghdr_recv(isc_socket_t *, isc_socketevent_t *,
- struct msghdr *, struct iovec *, size_t *);
-
-#define SELECT_POKE_SHUTDOWN (-1)
-#define SELECT_POKE_NOTHING (-2)
-#define SELECT_POKE_READ (-3)
-#define SELECT_POKE_ACCEPT (-3) /* Same as _READ */
-#define SELECT_POKE_WRITE (-4)
-#define SELECT_POKE_CONNECT (-4) /* Same as _WRITE */
-#define SELECT_POKE_CLOSE (-5)
-
-#define SOCK_DEAD(s) ((s)->references == 0)
-
-static void
-manager_log(isc_socketmgr_t *sockmgr,
- isc_logcategory_t *category, isc_logmodule_t *module, int level,
- const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
-static void
-manager_log(isc_socketmgr_t *sockmgr,
- isc_logcategory_t *category, isc_logmodule_t *module, int level,
- const char *fmt, ...)
-{
- char msgbuf[2048];
- va_list ap;
-
- if (! isc_log_wouldlog(isc_lctx, level))
- return;
-
- va_start(ap, fmt);
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- va_end(ap);
-
- isc_log_write(isc_lctx, category, module, level,
- "sockmgr %p: %s", sockmgr, msgbuf);
-}
-
-static void
-socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
- isc_logcategory_t *category, isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int message,
- const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
-static void
-socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
- isc_logcategory_t *category, isc_logmodule_t *module, int level,
- isc_msgcat_t *msgcat, int msgset, int message,
- const char *fmt, ...)
-{
- char msgbuf[2048];
- char peerbuf[ISC_SOCKADDR_FORMATSIZE];
- va_list ap;
-
- if (! isc_log_wouldlog(isc_lctx, level))
- return;
-
- va_start(ap, fmt);
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- va_end(ap);
-
- if (address == NULL) {
- isc_log_iwrite(isc_lctx, category, module, level,
- msgcat, msgset, message,
- "socket %p: %s", sock, msgbuf);
- } else {
- isc_sockaddr_format(address, peerbuf, sizeof(peerbuf));
- isc_log_iwrite(isc_lctx, category, module, level,
- msgcat, msgset, message,
- "socket %p %s: %s", sock, peerbuf, msgbuf);
- }
-}
-
-static void
-wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
- isc_socket_t *sock;
-
- /*
- * This is a wakeup on a socket. If the socket is not in the
- * process of being closed, start watching it for either reads
- * or writes.
- */
-
- INSIST(fd >= 0 && fd < (int)FD_SETSIZE);
-
- if (manager->fdstate[fd] == CLOSE_PENDING) {
- manager->fdstate[fd] = CLOSED;
- FD_CLR(fd, &manager->read_fds);
- FD_CLR(fd, &manager->write_fds);
- (void)close(fd);
- return;
- }
- if (manager->fdstate[fd] != MANAGED)
- return;
-
- sock = manager->fds[fd];
-
- /*
- * Set requested bit.
- */
- if (msg == SELECT_POKE_READ)
- FD_SET(sock->fd, &manager->read_fds);
- if (msg == SELECT_POKE_WRITE)
- FD_SET(sock->fd, &manager->write_fds);
-}
-
-#ifdef ISC_PLATFORM_USETHREADS
-/*
- * Poke the select loop when there is something for us to do.
- * The write is required (by POSIX) to complete. That is, we
- * will not get partial writes.
- */
-static void
-select_poke(isc_socketmgr_t *mgr, int fd, int msg) {
- int cc;
- int buf[2];
- char strbuf[ISC_STRERRORSIZE];
-
- buf[0] = fd;
- buf[1] = msg;
-
- do {
- cc = write(mgr->pipe_fds[1], buf, sizeof(buf));
-#ifdef ENOSR
- /*
- * Treat ENOSR as EAGAIN but loop slowly as it is
- * unlikely to clear fast.
- */
- if (cc < 0 && errno == ENOSR) {
- sleep(1);
- errno = EAGAIN;
- }
-#endif
- } while (cc < 0 && SOFT_ERROR(errno));
-
- if (cc < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- FATAL_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_WRITEFAILED,
- "write() failed "
- "during watcher poke: %s"),
- strbuf);
- }
-
- INSIST(cc == sizeof(buf));
-}
-
-/*
- * Read a message on the internal fd.
- */
-static void
-select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) {
- int buf[2];
- int cc;
- char strbuf[ISC_STRERRORSIZE];
-
- cc = read(mgr->pipe_fds[0], buf, sizeof(buf));
- if (cc < 0) {
- *msg = SELECT_POKE_NOTHING;
- *fd = -1; /* Silence compiler. */
- if (SOFT_ERROR(errno))
- return;
-
- isc__strerror(errno, strbuf, sizeof(strbuf));
- FATAL_ERROR(__FILE__, __LINE__,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_READFAILED,
- "read() failed "
- "during watcher poke: %s"),
- strbuf);
-
- return;
- }
- INSIST(cc == sizeof(buf));
-
- *fd = buf[0];
- *msg = buf[1];
-}
-#else /* ISC_PLATFORM_USETHREADS */
-/*
- * Update the state of the socketmgr when something changes.
- */
-static void
-select_poke(isc_socketmgr_t *manager, int fd, int msg) {
- if (msg == SELECT_POKE_SHUTDOWN)
- return;
- else if (fd >= 0)
- wakeup_socket(manager, fd, msg);
- return;
-}
-#endif /* ISC_PLATFORM_USETHREADS */
-
-/*
- * Make a fd non-blocking.
- */
-static isc_result_t
-make_nonblock(int fd) {
- int ret;
- int flags;
- char strbuf[ISC_STRERRORSIZE];
-#ifdef USE_FIONBIO_IOCTL
- int on = 1;
-
- ret = ioctl(fd, FIONBIO, (char *)&on);
-#else
- flags = fcntl(fd, F_GETFL, 0);
- flags |= PORT_NONBLOCK;
- ret = fcntl(fd, F_SETFL, flags);
-#endif
-
- if (ret == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
-#ifdef USE_FIONBIO_IOCTL
- "ioctl(%d, FIONBIO, &on): %s", fd,
-#else
- "fcntl(%d, F_SETFL, %d): %s", fd, flags,
-#endif
- strbuf);
-
- return (ISC_R_UNEXPECTED);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-#ifdef USE_CMSG
-/*
- * Not all OSes support advanced CMSG macros: CMSG_LEN and CMSG_SPACE.
- * In order to ensure as much portability as possible, we provide wrapper
- * functions of these macros.
- * Note that cmsg_space() could run slow on OSes that do not have
- * CMSG_SPACE.
- */
-static inline ISC_SOCKADDR_LEN_T
-cmsg_len(ISC_SOCKADDR_LEN_T len) {
-#ifdef CMSG_LEN
- return (CMSG_LEN(len));
-#else
- ISC_SOCKADDR_LEN_T hdrlen;
-
- /*
- * Cast NULL so that any pointer arithmetic performed by CMSG_DATA
- * is correct.
- */
- hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(((struct cmsghdr *)NULL));
- return (hdrlen + len);
-#endif
-}
-
-static inline ISC_SOCKADDR_LEN_T
-cmsg_space(ISC_SOCKADDR_LEN_T len) {
-#ifdef CMSG_SPACE
- return (CMSG_SPACE(len));
-#else
- struct msghdr msg;
- struct cmsghdr *cmsgp;
- /*
- * XXX: The buffer length is an ad-hoc value, but should be enough
- * in a practical sense.
- */
- char dummybuf[sizeof(struct cmsghdr) + 1024];
-
- memset(&msg, 0, sizeof(msg));
- msg.msg_control = dummybuf;
- msg.msg_controllen = sizeof(dummybuf);
-
- cmsgp = (struct cmsghdr *)dummybuf;
- cmsgp->cmsg_len = cmsg_len(len);
-
- cmsgp = CMSG_NXTHDR(&msg, cmsgp);
- if (cmsgp != NULL)
- return ((char *)cmsgp - (char *)msg.msg_control);
- else
- return (0);
-#endif
-}
-#endif /* USE_CMSG */
-
-/*
- * Process control messages received on a socket.
- */
-static void
-process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
-#ifdef USE_CMSG
- struct cmsghdr *cmsgp;
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
- struct in6_pktinfo *pktinfop;
-#endif
-#ifdef SO_TIMESTAMP
- struct timeval *timevalp;
-#endif
-#endif
-
- /*
- * sock is used only when ISC_NET_BSD44MSGHDR and USE_CMSG are defined.
- * msg and dev are used only when ISC_NET_BSD44MSGHDR is defined.
- * They are all here, outside of the CPP tests, because it is
- * more consistent with the usual ISC coding style.
- */
- UNUSED(sock);
- UNUSED(msg);
- UNUSED(dev);
-
-#ifdef ISC_NET_BSD44MSGHDR
-
-#ifdef MSG_TRUNC
- if ((msg->msg_flags & MSG_TRUNC) == MSG_TRUNC)
- dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
-#endif
-
-#ifdef MSG_CTRUNC
- if ((msg->msg_flags & MSG_CTRUNC) == MSG_CTRUNC)
- dev->attributes |= ISC_SOCKEVENTATTR_CTRUNC;
-#endif
-
-#ifndef USE_CMSG
- return;
-#else
- if (msg->msg_controllen == 0U || msg->msg_control == NULL)
- return;
-
-#ifdef SO_TIMESTAMP
- timevalp = NULL;
-#endif
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
- pktinfop = NULL;
-#endif
-
- cmsgp = CMSG_FIRSTHDR(msg);
- while (cmsgp != NULL) {
- socket_log(sock, NULL, TRACE,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PROCESSCMSG,
- "processing cmsg %p", cmsgp);
-
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
- if (cmsgp->cmsg_level == IPPROTO_IPV6
- && cmsgp->cmsg_type == IPV6_PKTINFO) {
-
- pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
- memcpy(&dev->pktinfo, pktinfop,
- sizeof(struct in6_pktinfo));
- dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
- socket_log(sock, NULL, TRACE,
- isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_IFRECEIVED,
- "interface received on ifindex %u",
- dev->pktinfo.ipi6_ifindex);
- if (IN6_IS_ADDR_MULTICAST(&pktinfop->ipi6_addr))
- dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST;
- goto next;
- }
-#endif
-
-#ifdef SO_TIMESTAMP
- if (cmsgp->cmsg_level == SOL_SOCKET
- && cmsgp->cmsg_type == SCM_TIMESTAMP) {
- timevalp = (struct timeval *)CMSG_DATA(cmsgp);
- dev->timestamp.seconds = timevalp->tv_sec;
- dev->timestamp.nanoseconds = timevalp->tv_usec * 1000;
- dev->attributes |= ISC_SOCKEVENTATTR_TIMESTAMP;
- goto next;
- }
-#endif
-
- next:
- cmsgp = CMSG_NXTHDR(msg, cmsgp);
- }
-#endif /* USE_CMSG */
-
-#endif /* ISC_NET_BSD44MSGHDR */
-}
-
-/*
- * Construct an iov array and attach it to the msghdr passed in. This is
- * the SEND constructor, which will use the used region of the buffer
- * (if using a buffer list) or will use the internal region (if a single
- * buffer I/O is requested).
- *
- * Nothing can be NULL, and the done event must list at least one buffer
- * on the buffer linked list for this function to be meaningful.
- *
- * If write_countp != NULL, *write_countp will hold the number of bytes
- * this transaction can send.
- */
-static void
-build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
- struct msghdr *msg, struct iovec *iov, size_t *write_countp)
-{
- unsigned int iovcount;
- isc_buffer_t *buffer;
- isc_region_t used;
- size_t write_count;
- size_t skip_count;
-
- memset(msg, 0, sizeof(*msg));
-
- if (sock->type == isc_sockettype_udp) {
- msg->msg_name = (void *)&dev->address.type.sa;
- msg->msg_namelen = dev->address.length;
- } else {
- msg->msg_name = NULL;
- msg->msg_namelen = 0;
- }
-
- buffer = ISC_LIST_HEAD(dev->bufferlist);
- write_count = 0;
- iovcount = 0;
-
- /*
- * Single buffer I/O? Skip what we've done so far in this region.
- */
- if (buffer == NULL) {
- write_count = dev->region.length - dev->n;
- iov[0].iov_base = (void *)(dev->region.base + dev->n);
- iov[0].iov_len = write_count;
- iovcount = 1;
-
- goto config;
- }
-
- /*
- * Multibuffer I/O.
- * Skip the data in the buffer list that we have already written.
- */
- skip_count = dev->n;
- while (buffer != NULL) {
- REQUIRE(ISC_BUFFER_VALID(buffer));
- if (skip_count < isc_buffer_usedlength(buffer))
- break;
- skip_count -= isc_buffer_usedlength(buffer);
- buffer = ISC_LIST_NEXT(buffer, link);
- }
-
- while (buffer != NULL) {
- INSIST(iovcount < MAXSCATTERGATHER_SEND);
-
- isc_buffer_usedregion(buffer, &used);
-
- if (used.length > 0) {
- iov[iovcount].iov_base = (void *)(used.base
- + skip_count);
- iov[iovcount].iov_len = used.length - skip_count;
- write_count += (used.length - skip_count);
- skip_count = 0;
- iovcount++;
- }
- buffer = ISC_LIST_NEXT(buffer, link);
- }
-
- INSIST(skip_count == 0U);
-
- config:
- msg->msg_iov = iov;
- msg->msg_iovlen = iovcount;
-
-#ifdef ISC_NET_BSD44MSGHDR
- msg->msg_control = NULL;
- msg->msg_controllen = 0;
- msg->msg_flags = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
- if ((sock->type == isc_sockettype_udp)
- && ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0)) {
- struct cmsghdr *cmsgp;
- struct in6_pktinfo *pktinfop;
-
- socket_log(sock, NULL, TRACE,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_SENDTODATA,
- "sendto pktinfo data, ifindex %u",
- dev->pktinfo.ipi6_ifindex);
-
- msg->msg_controllen = cmsg_space(sizeof(struct in6_pktinfo));
- INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
- msg->msg_control = (void *)sock->sendcmsgbuf;
-
- cmsgp = (struct cmsghdr *)sock->sendcmsgbuf;
- cmsgp->cmsg_level = IPPROTO_IPV6;
- cmsgp->cmsg_type = IPV6_PKTINFO;
- cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
- pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
- memcpy(pktinfop, &dev->pktinfo, sizeof(struct in6_pktinfo));
- }
-#endif /* USE_CMSG && ISC_PLATFORM_HAVEIPV6 */
-#else /* ISC_NET_BSD44MSGHDR */
- msg->msg_accrights = NULL;
- msg->msg_accrightslen = 0;
-#endif /* ISC_NET_BSD44MSGHDR */
-
- if (write_countp != NULL)
- *write_countp = write_count;
-}
-
-/*
- * Construct an iov array and attach it to the msghdr passed in. This is
- * the RECV constructor, which will use the avialable region of the buffer
- * (if using a buffer list) or will use the internal region (if a single
- * buffer I/O is requested).
- *
- * Nothing can be NULL, and the done event must list at least one buffer
- * on the buffer linked list for this function to be meaningful.
- *
- * If read_countp != NULL, *read_countp will hold the number of bytes
- * this transaction can receive.
- */
-static void
-build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
- struct msghdr *msg, struct iovec *iov, size_t *read_countp)
-{
- unsigned int iovcount;
- isc_buffer_t *buffer;
- isc_region_t available;
- size_t read_count;
-
- memset(msg, 0, sizeof(struct msghdr));
-
- if (sock->type == isc_sockettype_udp) {
- memset(&dev->address, 0, sizeof(dev->address));
- msg->msg_name = (void *)&dev->address.type.sa;
- msg->msg_namelen = sizeof(dev->address.type);
-#ifdef ISC_NET_RECVOVERFLOW
- /* If needed, steal one iovec for overflow detection. */
- maxiov--;
-#endif
- } else { /* TCP */
- msg->msg_name = NULL;
- msg->msg_namelen = 0;
- dev->address = sock->address;
- }
-
- buffer = ISC_LIST_HEAD(dev->bufferlist);
- read_count = 0;
-
- /*
- * Single buffer I/O? Skip what we've done so far in this region.
- */
- if (buffer == NULL) {
- read_count = dev->region.length - dev->n;
- iov[0].iov_base = (void *)(dev->region.base + dev->n);
- iov[0].iov_len = read_count;
- iovcount = 1;
-
- goto config;
- }
-
- /*
- * Multibuffer I/O.
- * Skip empty buffers.
- */
- while (buffer != NULL) {
- REQUIRE(ISC_BUFFER_VALID(buffer));
- if (isc_buffer_availablelength(buffer) != 0)
- break;
- buffer = ISC_LIST_NEXT(buffer, link);
- }
-
- iovcount = 0;
- while (buffer != NULL) {
- INSIST(iovcount < MAXSCATTERGATHER_RECV);
-
- isc_buffer_availableregion(buffer, &available);
-
- if (available.length > 0) {
- iov[iovcount].iov_base = (void *)(available.base);
- iov[iovcount].iov_len = available.length;
- read_count += available.length;
- iovcount++;
- }
- buffer = ISC_LIST_NEXT(buffer, link);
- }
-
- config:
-
- /*
- * If needed, set up to receive that one extra byte. Note that
- * we know there is at least one iov left, since we stole it
- * at the top of this function.
- */
-#ifdef ISC_NET_RECVOVERFLOW
- if (sock->type == isc_sockettype_udp) {
- iov[iovcount].iov_base = (void *)(&sock->overflow);
- iov[iovcount].iov_len = 1;
- iovcount++;
- }
-#endif
-
- msg->msg_iov = iov;
- msg->msg_iovlen = iovcount;
-
-#ifdef ISC_NET_BSD44MSGHDR
- msg->msg_control = NULL;
- msg->msg_controllen = 0;
- msg->msg_flags = 0;
-#if defined(USE_CMSG)
- if (sock->type == isc_sockettype_udp) {
- msg->msg_control = sock->recvcmsgbuf;
- msg->msg_controllen = sock->recvcmsgbuflen;
- }
-#endif /* USE_CMSG */
-#else /* ISC_NET_BSD44MSGHDR */
- msg->msg_accrights = NULL;
- msg->msg_accrightslen = 0;
-#endif /* ISC_NET_BSD44MSGHDR */
-
- if (read_countp != NULL)
- *read_countp = read_count;
-}
-
-static void
-set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
- isc_socketevent_t *dev)
-{
- if (sock->type == isc_sockettype_udp) {
- if (address != NULL)
- dev->address = *address;
- else
- dev->address = sock->address;
- } else if (sock->type == isc_sockettype_tcp) {
- INSIST(address == NULL);
- dev->address = sock->address;
- }
-}
-
-static isc_socketevent_t *
-allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
- isc_taskaction_t action, const void *arg)
-{
- isc_socketevent_t *ev;
-
- ev = (isc_socketevent_t *)isc_event_allocate(sock->manager->mctx,
- sock, eventtype,
- action, arg,
- sizeof(*ev));
-
- if (ev == NULL)
- return (NULL);
-
- ev->result = ISC_R_UNEXPECTED;
- ISC_LINK_INIT(ev, ev_link);
- ISC_LIST_INIT(ev->bufferlist);
- ev->region.base = NULL;
- ev->n = 0;
- ev->offset = 0;
- ev->attributes = 0;
-
- return (ev);
-}
-
-#if defined(ISC_SOCKET_DEBUG)
-static void
-dump_msg(struct msghdr *msg) {
- unsigned int i;
-
- printf("MSGHDR %p\n", msg);
- printf("\tname %p, namelen %d\n", msg->msg_name, msg->msg_namelen);
- printf("\tiov %p, iovlen %d\n", msg->msg_iov, msg->msg_iovlen);
- for (i = 0; i < (unsigned int)msg->msg_iovlen; i++)
- printf("\t\t%d\tbase %p, len %d\n", i,
- msg->msg_iov[i].iov_base,
- msg->msg_iov[i].iov_len);
-#ifdef ISC_NET_BSD44MSGHDR
- printf("\tcontrol %p, controllen %d\n", msg->msg_control,
- msg->msg_controllen);
-#endif
-}
-#endif
-
-#define DOIO_SUCCESS 0 /* i/o ok, event sent */
-#define DOIO_SOFT 1 /* i/o ok, soft error, no event sent */
-#define DOIO_HARD 2 /* i/o error, event sent */
-#define DOIO_EOF 3 /* EOF, no event sent */
-
-static int
-doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
- int cc;
- struct iovec iov[MAXSCATTERGATHER_RECV];
- size_t read_count;
- size_t actual_count;
- struct msghdr msghdr;
- isc_buffer_t *buffer;
- int recv_errno;
- char strbuf[ISC_STRERRORSIZE];
-
- build_msghdr_recv(sock, dev, &msghdr, iov, &read_count);
-
-#if defined(ISC_SOCKET_DEBUG)
- dump_msg(&msghdr);
-#endif
-
- cc = recvmsg(sock->fd, &msghdr, 0);
- recv_errno = errno;
-
- if (cc < 0) {
- if (SOFT_ERROR(recv_errno))
- return (DOIO_SOFT);
-
- if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
- isc__strerror(recv_errno, strbuf, sizeof(strbuf));
- socket_log(sock, NULL, IOEVENT,
- isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_DOIORECV,
- "doio_recv: recvmsg(%d) %d bytes, err %d/%s",
- sock->fd, cc, recv_errno, strbuf);
- }
-
-#define SOFT_OR_HARD(_system, _isc) \
- if (recv_errno == _system) { \
- if (sock->connected) { \
- dev->result = _isc; \
- return (DOIO_HARD); \
- } \
- return (DOIO_SOFT); \
- }
-#define ALWAYS_HARD(_system, _isc) \
- if (recv_errno == _system) { \
- dev->result = _isc; \
- return (DOIO_HARD); \
- }
-
- SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
- SOFT_OR_HARD(ENETUNREACH, ISC_R_NETUNREACH);
- SOFT_OR_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
- SOFT_OR_HARD(EHOSTDOWN, ISC_R_HOSTDOWN);
- /* HPUX 11.11 can return EADDRNOTAVAIL. */
- SOFT_OR_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
- ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
-
-#undef SOFT_OR_HARD
-#undef ALWAYS_HARD
-
- dev->result = isc__errno2result(recv_errno);
- return (DOIO_HARD);
- }
-
- /*
- * On TCP, zero length reads indicate EOF, while on
- * UDP, zero length reads are perfectly valid, although
- * strange.
- */
- if ((sock->type == isc_sockettype_tcp) && (cc == 0))
- return (DOIO_EOF);
-
- if (sock->type == isc_sockettype_udp) {
- dev->address.length = msghdr.msg_namelen;
- if (isc_sockaddr_getport(&dev->address) == 0) {
- if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
- socket_log(sock, &dev->address, IOEVENT,
- isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_ZEROPORT,
- "dropping source port zero packet");
- }
- return (DOIO_SOFT);
- }
- }
-
- socket_log(sock, &dev->address, IOEVENT,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PKTRECV,
- "packet received correctly");
-
- /*
- * Overflow bit detection. If we received MORE bytes than we should,
- * this indicates an overflow situation. Set the flag in the
- * dev entry and adjust how much we read by one.
- */
-#ifdef ISC_NET_RECVOVERFLOW
- if ((sock->type == isc_sockettype_udp) && ((size_t)cc > read_count)) {
- dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
- cc--;
- }
-#endif
-
- /*
- * If there are control messages attached, run through them and pull
- * out the interesting bits.
- */
- if (sock->type == isc_sockettype_udp)
- process_cmsg(sock, &msghdr, dev);
-
- /*
- * update the buffers (if any) and the i/o count
- */
- dev->n += cc;
- actual_count = cc;
- buffer = ISC_LIST_HEAD(dev->bufferlist);
- while (buffer != NULL && actual_count > 0U) {
- REQUIRE(ISC_BUFFER_VALID(buffer));
- if (isc_buffer_availablelength(buffer) <= actual_count) {
- actual_count -= isc_buffer_availablelength(buffer);
- isc_buffer_add(buffer,
- isc_buffer_availablelength(buffer));
- } else {
- isc_buffer_add(buffer, actual_count);
- actual_count = 0;
- break;
- }
- buffer = ISC_LIST_NEXT(buffer, link);
- if (buffer == NULL) {
- INSIST(actual_count == 0U);
- }
- }
-
- /*
- * If we read less than we expected, update counters,
- * and let the upper layer poke the descriptor.
- */
- if (((size_t)cc != read_count) && (dev->n < dev->minimum))
- return (DOIO_SOFT);
-
- /*
- * Full reads are posted, or partials if partials are ok.
- */
- dev->result = ISC_R_SUCCESS;
- return (DOIO_SUCCESS);
-}
-
-/*
- * Returns:
- * DOIO_SUCCESS The operation succeeded. dev->result contains
- * ISC_R_SUCCESS.
- *
- * DOIO_HARD A hard or unexpected I/O error was encountered.
- * dev->result contains the appropriate error.
- *
- * DOIO_SOFT A soft I/O error was encountered. No senddone
- * event was sent. The operation should be retried.
- *
- * No other return values are possible.
- */
-static int
-doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
- int cc;
- struct iovec iov[MAXSCATTERGATHER_SEND];
- size_t write_count;
- struct msghdr msghdr;
- char addrbuf[ISC_SOCKADDR_FORMATSIZE];
- int attempts = 0;
- int send_errno;
- char strbuf[ISC_STRERRORSIZE];
-
- build_msghdr_send(sock, dev, &msghdr, iov, &write_count);
-
- resend:
- cc = sendmsg(sock->fd, &msghdr, 0);
- send_errno = errno;
-
- /*
- * Check for error or block condition.
- */
- if (cc < 0) {
- if (send_errno == EINTR && ++attempts < NRETRIES)
- goto resend;
-
- if (SOFT_ERROR(send_errno))
- return (DOIO_SOFT);
-
-#define SOFT_OR_HARD(_system, _isc) \
- if (send_errno == _system) { \
- if (sock->connected) { \
- dev->result = _isc; \
- return (DOIO_HARD); \
- } \
- return (DOIO_SOFT); \
- }
-#define ALWAYS_HARD(_system, _isc) \
- if (send_errno == _system) { \
- dev->result = _isc; \
- return (DOIO_HARD); \
- }
-
- SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
- ALWAYS_HARD(EACCES, ISC_R_NOPERM);
- ALWAYS_HARD(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
- ALWAYS_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
- ALWAYS_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#ifdef EHOSTDOWN
- ALWAYS_HARD(EHOSTDOWN, ISC_R_HOSTUNREACH);
-#endif
- ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
- ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
- ALWAYS_HARD(EPERM, ISC_R_HOSTUNREACH);
- ALWAYS_HARD(EPIPE, ISC_R_NOTCONNECTED);
- ALWAYS_HARD(ECONNRESET, ISC_R_CONNECTIONRESET);
-
-#undef SOFT_OR_HARD
-#undef ALWAYS_HARD
-
- /*
- * The other error types depend on whether or not the
- * socket is UDP or TCP. If it is UDP, some errors
- * that we expect to be fatal under TCP are merely
- * annoying, and are really soft errors.
- *
- * However, these soft errors are still returned as
- * a status.
- */
- isc_sockaddr_format(&dev->address, addrbuf, sizeof(addrbuf));
- isc__strerror(send_errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_send: %s: %s",
- addrbuf, strbuf);
- dev->result = isc__errno2result(send_errno);
- return (DOIO_HARD);
- }
-
- if (cc == 0)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "internal_send: send() %s 0",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_RETURNED, "returned"));
-
- /*
- * If we write less than we expected, update counters, poke.
- */
- dev->n += cc;
- if ((size_t)cc != write_count)
- return (DOIO_SOFT);
-
- /*
- * Exactly what we wanted to write. We're done with this
- * entry. Post its completion event.
- */
- dev->result = ISC_R_SUCCESS;
- return (DOIO_SUCCESS);
-}
-
-/*
- * Kill.
- *
- * Caller must ensure that the socket is not locked and no external
- * references exist.
- */
-static void
-destroy(isc_socket_t **sockp) {
- isc_socket_t *sock = *sockp;
- isc_socketmgr_t *manager = sock->manager;
-
- socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_DESTROYING, "destroying");
-
- INSIST(ISC_LIST_EMPTY(sock->accept_list));
- INSIST(ISC_LIST_EMPTY(sock->recv_list));
- INSIST(ISC_LIST_EMPTY(sock->send_list));
- INSIST(sock->connect_ev == NULL);
- REQUIRE(sock->fd >= 0 && sock->fd < (int)FD_SETSIZE);
-
- LOCK(&manager->lock);
-
- /*
- * No one has this socket open, so the watcher doesn't have to be
- * poked, and the socket doesn't have to be locked.
- */
- manager->fds[sock->fd] = NULL;
- manager->fdstate[sock->fd] = CLOSE_PENDING;
- select_poke(manager, sock->fd, SELECT_POKE_CLOSE);
- ISC_LIST_UNLINK(manager->socklist, sock, link);
-
-#ifdef ISC_PLATFORM_USETHREADS
- if (ISC_LIST_EMPTY(manager->socklist))
- SIGNAL(&manager->shutdown_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
-
- /*
- * XXX should reset manager->maxfd here
- */
-
- UNLOCK(&manager->lock);
-
- free_socket(sockp);
-}
-
-static isc_result_t
-allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
- isc_socket_t **socketp)
-{
- isc_socket_t *sock;
- isc_result_t ret;
- ISC_SOCKADDR_LEN_T cmsgbuflen;
-
- sock = isc_mem_get(manager->mctx, sizeof(*sock));
-
- if (sock == NULL)
- return (ISC_R_NOMEMORY);
-
- ret = ISC_R_UNEXPECTED;
-
- sock->magic = 0;
- sock->references = 0;
-
- sock->manager = manager;
- sock->type = type;
- sock->fd = -1;
-
- ISC_LINK_INIT(sock, link);
-
- sock->recvcmsgbuf = NULL;
- sock->sendcmsgbuf = NULL;
-
- /*
- * set up cmsg buffers
- */
- cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
- cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo));
-#endif
-#if defined(USE_CMSG) && defined(SO_TIMESTAMP)
- cmsgbuflen += cmsg_space(sizeof(struct timeval));
-#endif
- sock->recvcmsgbuflen = cmsgbuflen;
- if (sock->recvcmsgbuflen != 0U) {
- sock->recvcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
- if (sock->recvcmsgbuf == NULL)
- goto error;
- }
-
- cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
- cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo));
-#endif
- sock->sendcmsgbuflen = cmsgbuflen;
- if (sock->sendcmsgbuflen != 0U) {
- sock->sendcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
- if (sock->sendcmsgbuf == NULL)
- goto error;
- }
-
- /*
- * set up list of readers and writers to be initially empty
- */
- ISC_LIST_INIT(sock->recv_list);
- ISC_LIST_INIT(sock->send_list);
- ISC_LIST_INIT(sock->accept_list);
- sock->connect_ev = NULL;
- sock->pending_recv = 0;
- sock->pending_send = 0;
- sock->pending_accept = 0;
- sock->listener = 0;
- sock->connected = 0;
- sock->connecting = 0;
- sock->bound = 0;
-
- /*
- * initialize the lock
- */
- if (isc_mutex_init(&sock->lock) != ISC_R_SUCCESS) {
- sock->magic = 0;
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- ret = ISC_R_UNEXPECTED;
- goto error;
- }
-
- /*
- * Initialize readable and writable events
- */
- ISC_EVENT_INIT(&sock->readable_ev, sizeof(intev_t),
- ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTR,
- NULL, sock, sock, NULL, NULL);
- ISC_EVENT_INIT(&sock->writable_ev, sizeof(intev_t),
- ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTW,
- NULL, sock, sock, NULL, NULL);
-
- sock->magic = SOCKET_MAGIC;
- *socketp = sock;
-
- return (ISC_R_SUCCESS);
-
- error:
- if (sock->recvcmsgbuf != NULL)
- isc_mem_put(manager->mctx, sock->recvcmsgbuf,
- sock->recvcmsgbuflen);
- if (sock->sendcmsgbuf != NULL)
- isc_mem_put(manager->mctx, sock->sendcmsgbuf,
- sock->sendcmsgbuflen);
- isc_mem_put(manager->mctx, sock, sizeof(*sock));
-
- return (ret);
-}
-
-/*
- * This event requires that the various lists be empty, that the reference
- * count be 1, and that the magic number is valid. The other socket bits,
- * like the lock, must be initialized as well. The fd associated must be
- * marked as closed, by setting it to -1 on close, or this routine will
- * also close the socket.
- */
-static void
-free_socket(isc_socket_t **socketp) {
- isc_socket_t *sock = *socketp;
-
- INSIST(sock->references == 0);
- INSIST(VALID_SOCKET(sock));
- INSIST(!sock->connecting);
- INSIST(!sock->pending_recv);
- INSIST(!sock->pending_send);
- INSIST(!sock->pending_accept);
- INSIST(ISC_LIST_EMPTY(sock->recv_list));
- INSIST(ISC_LIST_EMPTY(sock->send_list));
- INSIST(ISC_LIST_EMPTY(sock->accept_list));
- INSIST(!ISC_LINK_LINKED(sock, link));
-
- if (sock->recvcmsgbuf != NULL)
- isc_mem_put(sock->manager->mctx, sock->recvcmsgbuf,
- sock->recvcmsgbuflen);
- if (sock->sendcmsgbuf != NULL)
- isc_mem_put(sock->manager->mctx, sock->sendcmsgbuf,
- sock->sendcmsgbuflen);
-
- sock->magic = 0;
-
- DESTROYLOCK(&sock->lock);
-
- isc_mem_put(sock->manager->mctx, sock, sizeof(*sock));
-
- *socketp = NULL;
-}
-
-/*
- * Create a new 'type' socket managed by 'manager'. Events
- * will be posted to 'task' and when dispatched 'action' will be
- * called with 'arg' as the arg value. The new socket is returned
- * in 'socketp'.
- */
-isc_result_t
-isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
- isc_socket_t **socketp)
-{
- isc_socket_t *sock = NULL;
- isc_result_t ret;
-#if defined(USE_CMSG) || defined(SO_BSDCOMPAT)
- int on = 1;
-#endif
- char strbuf[ISC_STRERRORSIZE];
- const char *err = "socket";
-
- REQUIRE(VALID_MANAGER(manager));
- REQUIRE(socketp != NULL && *socketp == NULL);
-
- ret = allocate_socket(manager, type, &sock);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- sock->pf = pf;
- switch (type) {
- case isc_sockettype_udp:
- sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
- break;
- case isc_sockettype_tcp:
- sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
- break;
- }
-
-#ifdef F_DUPFD
- /*
- * Leave a space for stdio to work in.
- */
- if (sock->fd >= 0 && sock->fd < 20) {
- int new, tmp;
- new = fcntl(sock->fd, F_DUPFD, 20);
- tmp = errno;
- (void)close(sock->fd);
- errno = tmp;
- sock->fd = new;
- err = "isc_socket_create: fcntl";
- }
-#endif
-
- if (sock->fd >= (int)FD_SETSIZE) {
- (void)close(sock->fd);
- isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
- isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_TOOMANYFDS,
- "%s: too many open file descriptors", "socket");
- free_socket(&sock);
- return (ISC_R_NORESOURCES);
- }
-
- if (sock->fd < 0) {
- free_socket(&sock);
-
- switch (errno) {
- case EMFILE:
- case ENFILE:
- case ENOBUFS:
- return (ISC_R_NORESOURCES);
-
- case EPROTONOSUPPORT:
- case EPFNOSUPPORT:
- case EAFNOSUPPORT:
- /*
- * Linux 2.2 (and maybe others) return EINVAL instead of
- * EAFNOSUPPORT.
- */
- case EINVAL:
- return (ISC_R_FAMILYNOSUPPORT);
-
- default:
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "%s() %s: %s", err,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
- }
-
- if (make_nonblock(sock->fd) != ISC_R_SUCCESS) {
- (void)close(sock->fd);
- free_socket(&sock);
- return (ISC_R_UNEXPECTED);
- }
-
-#ifdef SO_BSDCOMPAT
- if (setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
- (void *)&on, sizeof(on)) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "setsockopt(%d, SO_BSDCOMPAT) %s: %s",
- sock->fd,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"),
- strbuf);
- /* Press on... */
- }
-#endif
-
-#if defined(USE_CMSG)
- if (type == isc_sockettype_udp) {
-
-#if defined(SO_TIMESTAMP)
- if (setsockopt(sock->fd, SOL_SOCKET, SO_TIMESTAMP,
- (void *)&on, sizeof(on)) < 0
- && errno != ENOPROTOOPT) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "setsockopt(%d, SO_TIMESTAMP) %s: %s",
- sock->fd,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- /* Press on... */
- }
-#endif /* SO_TIMESTAMP */
-
-#if defined(ISC_PLATFORM_HAVEIPV6)
- if (pf == AF_INET6 && sock->recvcmsgbuflen == 0U) {
- /*
- * Warn explicitly because this anomaly can be hidden
- * in usual operation (and unexpectedly appear later).
- */
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "No buffer available to receive "
- "IPv6 destination");
- }
-#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
-#ifdef IPV6_RECVPKTINFO
- /* 2292bis */
- if ((pf == AF_INET6)
- && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
- (void *)&on, sizeof(on)) < 0)) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "setsockopt(%d, IPV6_RECVPKTINFO) "
- "%s: %s", sock->fd,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- }
-#else
- /* 2292 */
- if ((pf == AF_INET6)
- && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
- (void *)&on, sizeof(on)) < 0)) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "setsockopt(%d, IPV6_PKTINFO) %s: %s",
- sock->fd,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- }
-#endif /* IPV6_RECVPKTINFO */
-#endif /* ISC_PLATFORM_HAVEIN6PKTINFO */
-#ifdef IPV6_USE_MIN_MTU /*2292bis, not too common yet*/
- /* use minimum MTU */
- if (pf == AF_INET6) {
- (void)setsockopt(sock->fd, IPPROTO_IPV6,
- IPV6_USE_MIN_MTU,
- (void *)&on, sizeof(on));
- }
-#endif
-#endif /* ISC_PLATFORM_HAVEIPV6 */
-
- }
-#endif /* USE_CMSG */
-
- sock->references = 1;
- *socketp = sock;
-
- LOCK(&manager->lock);
-
- /*
- * Note we don't have to lock the socket like we normally would because
- * there are no external references to it yet.
- */
-
- manager->fds[sock->fd] = sock;
- manager->fdstate[sock->fd] = MANAGED;
- ISC_LIST_APPEND(manager->socklist, sock, link);
- if (manager->maxfd < sock->fd)
- manager->maxfd = sock->fd;
-
- UNLOCK(&manager->lock);
-
- socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_CREATED, "created");
-
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Attach to a socket. Caller must explicitly detach when it is done.
- */
-void
-isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(socketp != NULL && *socketp == NULL);
-
- LOCK(&sock->lock);
- sock->references++;
- UNLOCK(&sock->lock);
-
- *socketp = sock;
-}
-
-/*
- * Dereference a socket. If this is the last reference to it, clean things
- * up by destroying the socket.
- */
-void
-isc_socket_detach(isc_socket_t **socketp) {
- isc_socket_t *sock;
- isc_boolean_t kill_socket = ISC_FALSE;
-
- REQUIRE(socketp != NULL);
- sock = *socketp;
- REQUIRE(VALID_SOCKET(sock));
-
- LOCK(&sock->lock);
- REQUIRE(sock->references > 0);
- sock->references--;
- if (sock->references == 0)
- kill_socket = ISC_TRUE;
- UNLOCK(&sock->lock);
-
- if (kill_socket)
- destroy(&sock);
-
- *socketp = NULL;
-}
-
-/*
- * I/O is possible on a given socket. Schedule an event to this task that
- * will call an internal function to do the I/O. This will charge the
- * task with the I/O operation and let our select loop handler get back
- * to doing something real as fast as possible.
- *
- * The socket and manager must be locked before calling this function.
- */
-static void
-dispatch_recv(isc_socket_t *sock) {
- intev_t *iev;
- isc_socketevent_t *ev;
-
- INSIST(!sock->pending_recv);
-
- ev = ISC_LIST_HEAD(sock->recv_list);
- if (ev == NULL)
- return;
-
- sock->pending_recv = 1;
- iev = &sock->readable_ev;
-
- socket_log(sock, NULL, EVENT, NULL, 0, 0,
- "dispatch_recv: event %p -> task %p", ev, ev->ev_sender);
-
- sock->references++;
- iev->ev_sender = sock;
- iev->ev_action = internal_recv;
- iev->ev_arg = sock;
-
- isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
-}
-
-static void
-dispatch_send(isc_socket_t *sock) {
- intev_t *iev;
- isc_socketevent_t *ev;
-
- INSIST(!sock->pending_send);
-
- ev = ISC_LIST_HEAD(sock->send_list);
- if (ev == NULL)
- return;
-
- sock->pending_send = 1;
- iev = &sock->writable_ev;
-
- socket_log(sock, NULL, EVENT, NULL, 0, 0,
- "dispatch_send: event %p -> task %p", ev, ev->ev_sender);
-
- sock->references++;
- iev->ev_sender = sock;
- iev->ev_action = internal_send;
- iev->ev_arg = sock;
-
- isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
-}
-
-/*
- * Dispatch an internal accept event.
- */
-static void
-dispatch_accept(isc_socket_t *sock) {
- intev_t *iev;
- isc_socket_newconnev_t *ev;
-
- INSIST(!sock->pending_accept);
-
- /*
- * Are there any done events left, or were they all canceled
- * before the manager got the socket lock?
- */
- ev = ISC_LIST_HEAD(sock->accept_list);
- if (ev == NULL)
- return;
-
- sock->pending_accept = 1;
- iev = &sock->readable_ev;
-
- sock->references++; /* keep socket around for this internal event */
- iev->ev_sender = sock;
- iev->ev_action = internal_accept;
- iev->ev_arg = sock;
-
- isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
-}
-
-static void
-dispatch_connect(isc_socket_t *sock) {
- intev_t *iev;
- isc_socket_connev_t *ev;
-
- iev = &sock->writable_ev;
-
- ev = sock->connect_ev;
- INSIST(ev != NULL); /* XXX */
-
- INSIST(sock->connecting);
-
- sock->references++; /* keep socket around for this internal event */
- iev->ev_sender = sock;
- iev->ev_action = internal_connect;
- iev->ev_arg = sock;
-
- isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
-}
-
-/*
- * Dequeue an item off the given socket's read queue, set the result code
- * in the done event to the one provided, and send it to the task it was
- * destined for.
- *
- * If the event to be sent is on a list, remove it before sending. If
- * asked to, send and detach from the socket as well.
- *
- * Caller must have the socket locked if the event is attached to the socket.
- */
-static void
-send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
- isc_task_t *task;
-
- task = (*dev)->ev_sender;
-
- (*dev)->ev_sender = sock;
-
- if (ISC_LINK_LINKED(*dev, ev_link))
- ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
-
- if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
- == ISC_SOCKEVENTATTR_ATTACHED)
- isc_task_sendanddetach(&task, (isc_event_t **)dev);
- else
- isc_task_send(task, (isc_event_t **)dev);
-}
-
-/*
- * See comments for send_recvdone_event() above.
- *
- * Caller must have the socket locked if the event is attached to the socket.
- */
-static void
-send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
- isc_task_t *task;
-
- INSIST(dev != NULL && *dev != NULL);
-
- task = (*dev)->ev_sender;
- (*dev)->ev_sender = sock;
-
- if (ISC_LINK_LINKED(*dev, ev_link))
- ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
-
- if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
- == ISC_SOCKEVENTATTR_ATTACHED)
- isc_task_sendanddetach(&task, (isc_event_t **)dev);
- else
- isc_task_send(task, (isc_event_t **)dev);
-}
-
-/*
- * Call accept() on a socket, to get the new file descriptor. The listen
- * socket is used as a prototype to create a new isc_socket_t. The new
- * socket has one outstanding reference. The task receiving the event
- * will be detached from just after the event is delivered.
- *
- * On entry to this function, the event delivered is the internal
- * readable event, and the first item on the accept_list should be
- * the done event we want to send. If the list is empty, this is a no-op,
- * so just unlock and return.
- */
-static void
-internal_accept(isc_task_t *me, isc_event_t *ev) {
- isc_socket_t *sock;
- isc_socketmgr_t *manager;
- isc_socket_newconnev_t *dev;
- isc_task_t *task;
- ISC_SOCKADDR_LEN_T addrlen;
- int fd;
- isc_result_t result = ISC_R_SUCCESS;
- char strbuf[ISC_STRERRORSIZE];
- const char *err = "accept";
-
- UNUSED(me);
-
- sock = ev->ev_sender;
- INSIST(VALID_SOCKET(sock));
-
- LOCK(&sock->lock);
- socket_log(sock, NULL, TRACE,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
- "internal_accept called, locked socket");
-
- manager = sock->manager;
- INSIST(VALID_MANAGER(manager));
-
- INSIST(sock->listener);
- INSIST(sock->pending_accept == 1);
- sock->pending_accept = 0;
-
- INSIST(sock->references > 0);
- sock->references--; /* the internal event is done with this socket */
- if (sock->references == 0) {
- UNLOCK(&sock->lock);
- destroy(&sock);
- return;
- }
-
- /*
- * Get the first item off the accept list.
- * If it is empty, unlock the socket and return.
- */
- dev = ISC_LIST_HEAD(sock->accept_list);
- if (dev == NULL) {
- UNLOCK(&sock->lock);
- return;
- }
-
- /*
- * Try to accept the new connection. If the accept fails with
- * EAGAIN or EINTR, simply poke the watcher to watch this socket
- * again. Also ignore ECONNRESET, which has been reported to
- * be spuriously returned on Linux 2.2.19 although it is not
- * a documented error for accept(). ECONNABORTED has been
- * reported for Solaris 8. The rest are thrown in not because
- * we have seen them but because they are ignored by other
- * deamons such as BIND 8 and Apache.
- */
-
- addrlen = sizeof(dev->newsocket->address.type);
- memset(&dev->newsocket->address.type.sa, 0, addrlen);
- fd = accept(sock->fd, &dev->newsocket->address.type.sa,
- (void *)&addrlen);
-
-#ifdef F_DUPFD
- /*
- * Leave a space for stdio to work in.
- */
- if (fd >= 0 && fd < 20) {
- int new, tmp;
- new = fcntl(fd, F_DUPFD, 20);
- tmp = errno;
- (void)close(fd);
- errno = tmp;
- fd = new;
- err = "fcntl";
- }
-#endif
-
- if (fd < 0) {
- if (SOFT_ERROR(errno))
- goto soft_error;
- switch (errno) {
- case ENOBUFS:
- case ENFILE:
- case ENOMEM:
- case ECONNRESET:
- case ECONNABORTED:
- case EHOSTUNREACH:
- case EHOSTDOWN:
- case ENETUNREACH:
- case ENETDOWN:
- case ECONNREFUSED:
-#ifdef EPROTO
- case EPROTO:
-#endif
-#ifdef ENONET
- case ENONET:
-#endif
- goto soft_error;
- default:
- break;
- }
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "internal_accept: %s() %s: %s", err,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- fd = -1;
- result = ISC_R_UNEXPECTED;
- } else {
- if (addrlen == 0U) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "internal_accept(): "
- "accept() failed to return "
- "remote address");
-
- (void)close(fd);
- goto soft_error;
- } else if (dev->newsocket->address.type.sa.sa_family !=
- sock->pf)
- {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "internal_accept(): "
- "accept() returned peer address "
- "family %u (expected %u)",
- dev->newsocket->address.
- type.sa.sa_family,
- sock->pf);
- (void)close(fd);
- goto soft_error;
- } else if (fd >= (int)FD_SETSIZE) {
- isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
- ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
- isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_TOOMANYFDS,
- "%s: too many open file descriptors",
- "accept");
- (void)close(fd);
- goto soft_error;
- }
- }
-
- if (fd != -1) {
- dev->newsocket->address.length = addrlen;
- dev->newsocket->pf = sock->pf;
- }
-
- /*
- * Pull off the done event.
- */
- ISC_LIST_UNLINK(sock->accept_list, dev, ev_link);
-
- /*
- * Poke watcher if there are more pending accepts.
- */
- if (!ISC_LIST_EMPTY(sock->accept_list))
- select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
-
- UNLOCK(&sock->lock);
-
- if (fd != -1 && (make_nonblock(fd) != ISC_R_SUCCESS)) {
- (void)close(fd);
- fd = -1;
- result = ISC_R_UNEXPECTED;
- }
-
- /*
- * -1 means the new socket didn't happen.
- */
- if (fd != -1) {
- LOCK(&manager->lock);
- ISC_LIST_APPEND(manager->socklist, dev->newsocket, link);
-
- dev->newsocket->fd = fd;
- dev->newsocket->bound = 1;
- dev->newsocket->connected = 1;
-
- /*
- * Save away the remote address
- */
- dev->address = dev->newsocket->address;
-
- manager->fds[fd] = dev->newsocket;
- manager->fdstate[fd] = MANAGED;
- if (manager->maxfd < fd)
- manager->maxfd = fd;
-
- socket_log(sock, &dev->newsocket->address, CREATION,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
- "accepted connection, new socket %p",
- dev->newsocket);
-
- UNLOCK(&manager->lock);
- } else {
- dev->newsocket->references--;
- free_socket(&dev->newsocket);
- }
-
- /*
- * Fill in the done event details and send it off.
- */
- dev->result = result;
- task = dev->ev_sender;
- dev->ev_sender = sock;
-
- isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
- return;
-
- soft_error:
- select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
- UNLOCK(&sock->lock);
- return;
-}
-
-static void
-internal_recv(isc_task_t *me, isc_event_t *ev) {
- isc_socketevent_t *dev;
- isc_socket_t *sock;
-
- INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
-
- sock = ev->ev_sender;
- INSIST(VALID_SOCKET(sock));
-
- LOCK(&sock->lock);
- socket_log(sock, NULL, IOEVENT,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
- "internal_recv: task %p got event %p", me, ev);
-
- INSIST(sock->pending_recv == 1);
- sock->pending_recv = 0;
-
- INSIST(sock->references > 0);
- sock->references--; /* the internal event is done with this socket */
- if (sock->references == 0) {
- UNLOCK(&sock->lock);
- destroy(&sock);
- return;
- }
-
- /*
- * Try to do as much I/O as possible on this socket. There are no
- * limits here, currently.
- */
- dev = ISC_LIST_HEAD(sock->recv_list);
- while (dev != NULL) {
- switch (doio_recv(sock, dev)) {
- case DOIO_SOFT:
- goto poke;
-
- case DOIO_EOF:
- /*
- * read of 0 means the remote end was closed.
- * Run through the event queue and dispatch all
- * the events with an EOF result code.
- */
- do {
- dev->result = ISC_R_EOF;
- send_recvdone_event(sock, &dev);
- dev = ISC_LIST_HEAD(sock->recv_list);
- } while (dev != NULL);
- goto poke;
-
- case DOIO_SUCCESS:
- case DOIO_HARD:
- send_recvdone_event(sock, &dev);
- break;
- }
-
- dev = ISC_LIST_HEAD(sock->recv_list);
- }
-
- poke:
- if (!ISC_LIST_EMPTY(sock->recv_list))
- select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
-
- UNLOCK(&sock->lock);
-}
-
-static void
-internal_send(isc_task_t *me, isc_event_t *ev) {
- isc_socketevent_t *dev;
- isc_socket_t *sock;
-
- INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
-
- /*
- * Find out what socket this is and lock it.
- */
- sock = (isc_socket_t *)ev->ev_sender;
- INSIST(VALID_SOCKET(sock));
-
- LOCK(&sock->lock);
- socket_log(sock, NULL, IOEVENT,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
- "internal_send: task %p got event %p", me, ev);
-
- INSIST(sock->pending_send == 1);
- sock->pending_send = 0;
-
- INSIST(sock->references > 0);
- sock->references--; /* the internal event is done with this socket */
- if (sock->references == 0) {
- UNLOCK(&sock->lock);
- destroy(&sock);
- return;
- }
-
- /*
- * Try to do as much I/O as possible on this socket. There are no
- * limits here, currently.
- */
- dev = ISC_LIST_HEAD(sock->send_list);
- while (dev != NULL) {
- switch (doio_send(sock, dev)) {
- case DOIO_SOFT:
- goto poke;
-
- case DOIO_HARD:
- case DOIO_SUCCESS:
- send_senddone_event(sock, &dev);
- break;
- }
-
- dev = ISC_LIST_HEAD(sock->send_list);
- }
-
- poke:
- if (!ISC_LIST_EMPTY(sock->send_list))
- select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
-
- UNLOCK(&sock->lock);
-}
-
-static void
-process_fds(isc_socketmgr_t *manager, int maxfd,
- fd_set *readfds, fd_set *writefds)
-{
- int i;
- isc_socket_t *sock;
- isc_boolean_t unlock_sock;
-
- REQUIRE(maxfd <= (int)FD_SETSIZE);
-
- /*
- * Process read/writes on other fds here. Avoid locking
- * and unlocking twice if both reads and writes are possible.
- */
- for (i = 0; i < maxfd; i++) {
-#ifdef ISC_PLATFORM_USETHREADS
- if (i == manager->pipe_fds[0] || i == manager->pipe_fds[1])
- continue;
-#endif /* ISC_PLATFORM_USETHREADS */
-
- if (manager->fdstate[i] == CLOSE_PENDING) {
- manager->fdstate[i] = CLOSED;
- FD_CLR(i, &manager->read_fds);
- FD_CLR(i, &manager->write_fds);
-
- (void)close(i);
-
- continue;
- }
-
- sock = manager->fds[i];
- unlock_sock = ISC_FALSE;
- if (FD_ISSET(i, readfds)) {
- if (sock == NULL) {
- FD_CLR(i, &manager->read_fds);
- goto check_write;
- }
- unlock_sock = ISC_TRUE;
- LOCK(&sock->lock);
- if (!SOCK_DEAD(sock)) {
- if (sock->listener)
- dispatch_accept(sock);
- else
- dispatch_recv(sock);
- }
- FD_CLR(i, &manager->read_fds);
- }
- check_write:
- if (FD_ISSET(i, writefds)) {
- if (sock == NULL) {
- FD_CLR(i, &manager->write_fds);
- continue;
- }
- if (!unlock_sock) {
- unlock_sock = ISC_TRUE;
- LOCK(&sock->lock);
- }
- if (!SOCK_DEAD(sock)) {
- if (sock->connecting)
- dispatch_connect(sock);
- else
- dispatch_send(sock);
- }
- FD_CLR(i, &manager->write_fds);
- }
- if (unlock_sock)
- UNLOCK(&sock->lock);
- }
-}
-
-#ifdef ISC_PLATFORM_USETHREADS
-/*
- * This is the thread that will loop forever, always in a select or poll
- * call.
- *
- * When select returns something to do, track down what thread gets to do
- * this I/O and post the event to it.
- */
-static isc_threadresult_t
-watcher(void *uap) {
- isc_socketmgr_t *manager = uap;
- isc_boolean_t done;
- int ctlfd;
- int cc;
- fd_set readfds;
- fd_set writefds;
- int msg, fd;
- int maxfd;
- char strbuf[ISC_STRERRORSIZE];
-
- /*
- * Get the control fd here. This will never change.
- */
- LOCK(&manager->lock);
- ctlfd = manager->pipe_fds[0];
-
- done = ISC_FALSE;
- while (!done) {
- do {
- readfds = manager->read_fds;
- writefds = manager->write_fds;
- maxfd = manager->maxfd + 1;
-
- UNLOCK(&manager->lock);
-
- cc = select(maxfd, &readfds, &writefds, NULL, NULL);
- if (cc < 0) {
- if (!SOFT_ERROR(errno)) {
- isc__strerror(errno, strbuf,
- sizeof(strbuf));
- FATAL_ERROR(__FILE__, __LINE__,
- "select() %s: %s",
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED,
- "failed"),
- strbuf);
- }
- }
-
- LOCK(&manager->lock);
- } while (cc < 0);
-
-
- /*
- * Process reads on internal, control fd.
- */
- if (FD_ISSET(ctlfd, &readfds)) {
- for (;;) {
- select_readmsg(manager, &fd, &msg);
-
- manager_log(manager, IOEVENT,
- isc_msgcat_get(isc_msgcat,
- ISC_MSGSET_SOCKET,
- ISC_MSG_WATCHERMSG,
- "watcher got message %d"),
- msg);
-
- /*
- * Nothing to read?
- */
- if (msg == SELECT_POKE_NOTHING)
- break;
-
- /*
- * Handle shutdown message. We really should
- * jump out of this loop right away, but
- * it doesn't matter if we have to do a little
- * more work first.
- */
- if (msg == SELECT_POKE_SHUTDOWN) {
- done = ISC_TRUE;
-
- break;
- }
-
- /*
- * This is a wakeup on a socket. Look
- * at the event queue for both read and write,
- * and decide if we need to watch on it now
- * or not.
- */
- wakeup_socket(manager, fd, msg);
- }
- }
-
- process_fds(manager, maxfd, &readfds, &writefds);
- }
-
- manager_log(manager, TRACE,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_EXITING, "watcher exiting"));
-
- UNLOCK(&manager->lock);
- return ((isc_threadresult_t)0);
-}
-#endif /* ISC_PLATFORM_USETHREADS */
-
-/*
- * Create a new socket manager.
- */
-isc_result_t
-isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
- isc_socketmgr_t *manager;
-#ifdef ISC_PLATFORM_USETHREADS
- char strbuf[ISC_STRERRORSIZE];
-#endif
-
- REQUIRE(managerp != NULL && *managerp == NULL);
-
-#ifndef ISC_PLATFORM_USETHREADS
- if (socketmgr != NULL) {
- socketmgr->refs++;
- *managerp = socketmgr;
- return (ISC_R_SUCCESS);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
-
- manager = isc_mem_get(mctx, sizeof(*manager));
- if (manager == NULL)
- return (ISC_R_NOMEMORY);
-
- manager->magic = SOCKET_MANAGER_MAGIC;
- manager->mctx = NULL;
- memset(manager->fds, 0, sizeof(manager->fds));
- ISC_LIST_INIT(manager->socklist);
- if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
- isc_mem_put(mctx, manager, sizeof(*manager));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_mutex_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
-#ifdef ISC_PLATFORM_USETHREADS
- if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
- DESTROYLOCK(&manager->lock);
- isc_mem_put(mctx, manager, sizeof(*manager));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_condition_init() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
-
- /*
- * Create the special fds that will be used to wake up the
- * select/poll loop when something internal needs to be done.
- */
- if (pipe(manager->pipe_fds) != 0) {
- DESTROYLOCK(&manager->lock);
- isc_mem_put(mctx, manager, sizeof(*manager));
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "pipe() %s: %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"),
- strbuf);
-
- return (ISC_R_UNEXPECTED);
- }
-
- RUNTIME_CHECK(make_nonblock(manager->pipe_fds[0]) == ISC_R_SUCCESS);
-#if 0
- RUNTIME_CHECK(make_nonblock(manager->pipe_fds[1]) == ISC_R_SUCCESS);
-#endif
-#else /* ISC_PLATFORM_USETHREADS */
- manager->refs = 1;
-#endif /* ISC_PLATFORM_USETHREADS */
-
- /*
- * Set up initial state for the select loop
- */
- FD_ZERO(&manager->read_fds);
- FD_ZERO(&manager->write_fds);
-#ifdef ISC_PLATFORM_USETHREADS
- FD_SET(manager->pipe_fds[0], &manager->read_fds);
- manager->maxfd = manager->pipe_fds[0];
-#else /* ISC_PLATFORM_USETHREADS */
- manager->maxfd = 0;
-#endif /* ISC_PLATFORM_USETHREADS */
- memset(manager->fdstate, 0, sizeof(manager->fdstate));
-
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * Start up the select/poll thread.
- */
- if (isc_thread_create(watcher, manager, &manager->watcher) !=
- ISC_R_SUCCESS) {
- (void)close(manager->pipe_fds[0]);
- (void)close(manager->pipe_fds[1]);
- DESTROYLOCK(&manager->lock);
- isc_mem_put(mctx, manager, sizeof(*manager));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_thread_create() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- return (ISC_R_UNEXPECTED);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
- isc_mem_attach(mctx, &manager->mctx);
-
-#ifndef ISC_PLATFORM_USETHREADS
- socketmgr = manager;
-#endif /* ISC_PLATFORM_USETHREADS */
- *managerp = manager;
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
- isc_socketmgr_t *manager;
- int i;
- isc_mem_t *mctx;
-
- /*
- * Destroy a socket manager.
- */
-
- REQUIRE(managerp != NULL);
- manager = *managerp;
- REQUIRE(VALID_MANAGER(manager));
-
-#ifndef ISC_PLATFORM_USETHREADS
- if (manager->refs > 1) {
- manager->refs--;
- *managerp = NULL;
- return;
- }
-#endif /* ISC_PLATFORM_USETHREADS */
-
- LOCK(&manager->lock);
-
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * Wait for all sockets to be destroyed.
- */
- while (!ISC_LIST_EMPTY(manager->socklist)) {
- manager_log(manager, CREATION,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_SOCKETSREMAIN,
- "sockets exist"));
- WAIT(&manager->shutdown_ok, &manager->lock);
- }
-#else /* ISC_PLATFORM_USETHREADS */
- /*
- * Hope all sockets have been destroyed.
- */
- if (!ISC_LIST_EMPTY(manager->socklist)) {
- manager_log(manager, CREATION,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_SOCKETSREMAIN,
- "sockets exist"));
- INSIST(0);
- }
-#endif /* ISC_PLATFORM_USETHREADS */
-
- UNLOCK(&manager->lock);
-
- /*
- * Here, poke our select/poll thread. Do this by closing the write
- * half of the pipe, which will send EOF to the read half.
- * This is currently a no-op in the non-threaded case.
- */
- select_poke(manager, 0, SELECT_POKE_SHUTDOWN);
-
-#ifdef ISC_PLATFORM_USETHREADS
- /*
- * Wait for thread to exit.
- */
- if (isc_thread_join(manager->watcher, NULL) != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_thread_join() %s",
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
-#endif /* ISC_PLATFORM_USETHREADS */
-
- /*
- * Clean up.
- */
-#ifdef ISC_PLATFORM_USETHREADS
- (void)close(manager->pipe_fds[0]);
- (void)close(manager->pipe_fds[1]);
- (void)isc_condition_destroy(&manager->shutdown_ok);
-#endif /* ISC_PLATFORM_USETHREADS */
-
- for (i = 0; i < (int)FD_SETSIZE; i++)
- if (manager->fdstate[i] == CLOSE_PENDING)
- (void)close(i);
-
- DESTROYLOCK(&manager->lock);
- manager->magic = 0;
- mctx= manager->mctx;
- isc_mem_put(mctx, manager, sizeof(*manager));
-
- isc_mem_detach(&mctx);
-
- *managerp = NULL;
-}
-
-static isc_result_t
-socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
- unsigned int flags)
-{
- int io_state;
- isc_boolean_t have_lock = ISC_FALSE;
- isc_task_t *ntask = NULL;
- isc_result_t result = ISC_R_SUCCESS;
-
- dev->ev_sender = task;
-
- if (sock->type == isc_sockettype_udp) {
- io_state = doio_recv(sock, dev);
- } else {
- LOCK(&sock->lock);
- have_lock = ISC_TRUE;
-
- if (ISC_LIST_EMPTY(sock->recv_list))
- io_state = doio_recv(sock, dev);
- else
- io_state = DOIO_SOFT;
- }
-
- switch (io_state) {
- case DOIO_SOFT:
- /*
- * We couldn't read all or part of the request right now, so
- * queue it.
- *
- * Attach to socket and to task
- */
- isc_task_attach(task, &ntask);
- dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
-
- if (!have_lock) {
- LOCK(&sock->lock);
- have_lock = ISC_TRUE;
- }
-
- /*
- * Enqueue the request. If the socket was previously not being
- * watched, poke the watcher to start paying attention to it.
- */
- if (ISC_LIST_EMPTY(sock->recv_list))
- select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
- ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
-
- socket_log(sock, NULL, EVENT, NULL, 0, 0,
- "socket_recv: event %p -> task %p",
- dev, ntask);
-
- if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
- result = ISC_R_INPROGRESS;
- break;
-
- case DOIO_EOF:
- dev->result = ISC_R_EOF;
- /* fallthrough */
-
- case DOIO_HARD:
- case DOIO_SUCCESS:
- if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
- send_recvdone_event(sock, &dev);
- break;
- }
-
- if (have_lock)
- UNLOCK(&sock->lock);
-
- return (result);
-}
-
-isc_result_t
-isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
- unsigned int minimum, isc_task_t *task,
- isc_taskaction_t action, const void *arg)
-{
- isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
- unsigned int iocount;
- isc_buffer_t *buffer;
-
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(buflist != NULL);
- REQUIRE(!ISC_LIST_EMPTY(*buflist));
- REQUIRE(task != NULL);
- REQUIRE(action != NULL);
-
- manager = sock->manager;
- REQUIRE(VALID_MANAGER(manager));
-
- iocount = isc_bufferlist_availablecount(buflist);
- REQUIRE(iocount > 0);
-
- INSIST(sock->bound);
-
- dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
- if (dev == NULL) {
- return (ISC_R_NOMEMORY);
- }
-
- /*
- * UDP sockets are always partial read
- */
- if (sock->type == isc_sockettype_udp)
- dev->minimum = 1;
- else {
- if (minimum == 0)
- dev->minimum = iocount;
- else
- dev->minimum = minimum;
- }
-
- /*
- * Move each buffer from the passed in list to our internal one.
- */
- buffer = ISC_LIST_HEAD(*buflist);
- while (buffer != NULL) {
- ISC_LIST_DEQUEUE(*buflist, buffer, link);
- ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
- buffer = ISC_LIST_HEAD(*buflist);
- }
-
- return (socket_recv(sock, dev, task, 0));
-}
-
-isc_result_t
-isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
- isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
-
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(action != NULL);
-
- manager = sock->manager;
- REQUIRE(VALID_MANAGER(manager));
-
- INSIST(sock->bound);
-
- dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
- if (dev == NULL)
- return (ISC_R_NOMEMORY);
-
- return (isc_socket_recv2(sock, region, minimum, task, dev, 0));
-}
-
-isc_result_t
-isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
- unsigned int minimum, isc_task_t *task,
- isc_socketevent_t *event, unsigned int flags)
-{
- event->ev_sender = sock;
- event->result = ISC_R_UNEXPECTED;
- ISC_LIST_INIT(event->bufferlist);
- event->region = *region;
- event->n = 0;
- event->offset = 0;
- event->attributes = 0;
-
- /*
- * UDP sockets are always partial read.
- */
- if (sock->type == isc_sockettype_udp)
- event->minimum = 1;
- else {
- if (minimum == 0)
- event->minimum = region->length;
- else
- event->minimum = minimum;
- }
-
- return (socket_recv(sock, event, task, flags));
-}
-
-static isc_result_t
-socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
- unsigned int flags)
-{
- int io_state;
- isc_boolean_t have_lock = ISC_FALSE;
- isc_task_t *ntask = NULL;
- isc_result_t result = ISC_R_SUCCESS;
-
- dev->ev_sender = task;
-
- set_dev_address(address, sock, dev);
- if (pktinfo != NULL) {
- dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
- dev->pktinfo = *pktinfo;
-
- if (!isc_sockaddr_issitelocal(address) &&
- !isc_sockaddr_islinklocal(address)) {
- socket_log(sock, NULL, TRACE, isc_msgcat,
- ISC_MSGSET_SOCKET, ISC_MSG_PKTINFOPROVIDED,
- "pktinfo structure provided, ifindex %u "
- "(set to 0)", pktinfo->ipi6_ifindex);
-
- /*
- * Set the pktinfo index to 0 here, to let the
- * kernel decide what interface it should send on.
- */
- dev->pktinfo.ipi6_ifindex = 0;
- }
- }
-
- if (sock->type == isc_sockettype_udp)
- io_state = doio_send(sock, dev);
- else {
- LOCK(&sock->lock);
- have_lock = ISC_TRUE;
-
- if (ISC_LIST_EMPTY(sock->send_list))
- io_state = doio_send(sock, dev);
- else
- io_state = DOIO_SOFT;
- }
-
- switch (io_state) {
- case DOIO_SOFT:
- /*
- * We couldn't send all or part of the request right now, so
- * queue it unless ISC_SOCKFLAG_NORETRY is set.
- */
- if ((flags & ISC_SOCKFLAG_NORETRY) == 0) {
- isc_task_attach(task, &ntask);
- dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
-
- if (!have_lock) {
- LOCK(&sock->lock);
- have_lock = ISC_TRUE;
- }
-
- /*
- * Enqueue the request. If the socket was previously
- * not being watched, poke the watcher to start
- * paying attention to it.
- */
- if (ISC_LIST_EMPTY(sock->send_list))
- select_poke(sock->manager, sock->fd,
- SELECT_POKE_WRITE);
- ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
-
- socket_log(sock, NULL, EVENT, NULL, 0, 0,
- "socket_send: event %p -> task %p",
- dev, ntask);
-
- if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
- result = ISC_R_INPROGRESS;
- break;
- }
-
- case DOIO_HARD:
- case DOIO_SUCCESS:
- if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
- send_senddone_event(sock, &dev);
- break;
- }
-
- if (have_lock)
- UNLOCK(&sock->lock);
-
- return (result);
-}
-
-isc_result_t
-isc_socket_send(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
- /*
- * REQUIRE() checking is performed in isc_socket_sendto().
- */
- return (isc_socket_sendto(sock, region, task, action, arg, NULL,
- NULL));
-}
-
-isc_result_t
-isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
-{
- isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
-
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(region != NULL);
- REQUIRE(task != NULL);
- REQUIRE(action != NULL);
-
- manager = sock->manager;
- REQUIRE(VALID_MANAGER(manager));
-
- INSIST(sock->bound);
-
- dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDDONE, action, arg);
- if (dev == NULL) {
- return (ISC_R_NOMEMORY);
- }
-
- dev->region = *region;
-
- return (socket_send(sock, dev, task, address, pktinfo, 0));
-}
-
-isc_result_t
-isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
- return (isc_socket_sendtov(sock, buflist, task, action, arg, NULL,
- NULL));
-}
-
-isc_result_t
-isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
- isc_task_t *task, isc_taskaction_t action, const void *arg,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
-{
- isc_socketevent_t *dev;
- isc_socketmgr_t *manager;
- unsigned int iocount;
- isc_buffer_t *buffer;
-
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(buflist != NULL);
- REQUIRE(!ISC_LIST_EMPTY(*buflist));
- REQUIRE(task != NULL);
- REQUIRE(action != NULL);
-
- manager = sock->manager;
- REQUIRE(VALID_MANAGER(manager));
-
- iocount = isc_bufferlist_usedcount(buflist);
- REQUIRE(iocount > 0);
-
- dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDDONE, action, arg);
- if (dev == NULL) {
- return (ISC_R_NOMEMORY);
- }
-
- /*
- * Move each buffer from the passed in list to our internal one.
- */
- buffer = ISC_LIST_HEAD(*buflist);
- while (buffer != NULL) {
- ISC_LIST_DEQUEUE(*buflist, buffer, link);
- ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
- buffer = ISC_LIST_HEAD(*buflist);
- }
-
- return (socket_send(sock, dev, task, address, pktinfo, 0));
-}
-
-isc_result_t
-isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
- isc_task_t *task,
- isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
- isc_socketevent_t *event, unsigned int flags)
-{
- REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE|ISC_SOCKFLAG_NORETRY)) == 0);
- if ((flags & ISC_SOCKFLAG_NORETRY) != 0)
- REQUIRE(sock->type == isc_sockettype_udp);
- event->ev_sender = sock;
- event->result = ISC_R_UNEXPECTED;
- ISC_LIST_INIT(event->bufferlist);
- event->region = *region;
- event->n = 0;
- event->offset = 0;
- event->attributes = 0;
-
- return (socket_send(sock, event, task, address, pktinfo, flags));
-}
-
-isc_result_t
-isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
- char strbuf[ISC_STRERRORSIZE];
- int on = 1;
-
- LOCK(&sock->lock);
-
- INSIST(!sock->bound);
-
- if (sock->pf != sockaddr->type.sa.sa_family) {
- UNLOCK(&sock->lock);
- return (ISC_R_FAMILYMISMATCH);
- }
- /*
- * Only set SO_REUSEADDR when we want a specific port.
- */
- if (isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
- setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
- sizeof(on)) < 0) {
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "setsockopt(%d) %s", sock->fd,
- isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
- ISC_MSG_FAILED, "failed"));
- /* Press on... */
- }
- if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
- UNLOCK(&sock->lock);
- switch (errno) {
- case EACCES:
- return (ISC_R_NOPERM);
- case EADDRNOTAVAIL:
- return (ISC_R_ADDRNOTAVAIL);
- case EADDRINUSE:
- return (ISC_R_ADDRINUSE);
- case EINVAL:
- return (ISC_R_BOUND);
- default:
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
- strbuf);
- return (ISC_R_UNEXPECTED);
- }
- }
-
- socket_log(sock, sockaddr, TRACE,
- isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_BOUND, "bound");
- sock->bound = 1;
-
- UNLOCK(&sock->lock);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_socket_filter(isc_socket_t *sock, const char *filter) {
-#ifdef SO_ACCEPTFILTER
- char strbuf[ISC_STRERRORSIZE];
- struct accept_filter_arg afa;
-#else
- UNUSED(sock);
- UNUSED(filter);
-#endif
-
- REQUIRE(VALID_SOCKET(sock));
-
-#ifdef SO_ACCEPTFILTER
- bzero(&afa, sizeof(afa));
- strncpy(afa.af_name, filter, sizeof(afa.af_name));
- if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,
- &afa, sizeof(afa)) == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
- ISC_MSG_FILTER, "setsockopt(SO_ACCEPTFILTER): %s",
- strbuf);
- return (ISC_R_FAILURE);
- }
- return (ISC_R_SUCCESS);
-#else
- return (ISC_R_NOTIMPLEMENTED);
-#endif
-}
-
-/*
- * Set up to listen on a given socket. We do this by creating an internal
- * event that will be dispatched when the socket has read activity. The
- * watcher will send the internal event to the task when there is a new
- * connection.
- *
- * Unlike in read, we don't preallocate a done event here. Every time there
- * is a new connection we'll have to allocate a new one anyway, so we might
- * as well keep things simple rather than having to track them.
- */
-isc_result_t
-isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(VALID_SOCKET(sock));
-
- LOCK(&sock->lock);
-
- REQUIRE(!sock->listener);
- REQUIRE(sock->bound);
- REQUIRE(sock->type == isc_sockettype_tcp);
-
- if (backlog == 0)
- backlog = SOMAXCONN;
-
- if (listen(sock->fd, (int)backlog) < 0) {
- UNLOCK(&sock->lock);
- isc__strerror(errno, strbuf, sizeof(strbuf));
-
- UNEXPECTED_ERROR(__FILE__, __LINE__, "listen: %s", strbuf);
-
- return (ISC_R_UNEXPECTED);
- }
-
- sock->listener = 1;
-
- UNLOCK(&sock->lock);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * This should try to do agressive accept() XXXMLG
- */
-isc_result_t
-isc_socket_accept(isc_socket_t *sock,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
- isc_socket_newconnev_t *dev;
- isc_socketmgr_t *manager;
- isc_task_t *ntask = NULL;
- isc_socket_t *nsock;
- isc_result_t ret;
- isc_boolean_t do_poke = ISC_FALSE;
-
- REQUIRE(VALID_SOCKET(sock));
- manager = sock->manager;
- REQUIRE(VALID_MANAGER(manager));
-
- LOCK(&sock->lock);
-
- REQUIRE(sock->listener);
-
- /*
- * Sender field is overloaded here with the task we will be sending
- * this event to. Just before the actual event is delivered the
- * actual ev_sender will be touched up to be the socket.
- */
- dev = (isc_socket_newconnev_t *)
- isc_event_allocate(manager->mctx, task, ISC_SOCKEVENT_NEWCONN,
- action, arg, sizeof(*dev));
- if (dev == NULL) {
- UNLOCK(&sock->lock);
- return (ISC_R_NOMEMORY);
- }
- ISC_LINK_INIT(dev, ev_link);
-
- ret = allocate_socket(manager, sock->type, &nsock);
- if (ret != ISC_R_SUCCESS) {
- isc_event_free(ISC_EVENT_PTR(&dev));
- UNLOCK(&sock->lock);
- return (ret);
- }
-
- /*
- * Attach to socket and to task.
- */
- isc_task_attach(task, &ntask);
- nsock->references++;
-
- dev->ev_sender = ntask;
- dev->newsocket = nsock;
-
- /*
- * Poke watcher here. We still have the socket locked, so there
- * is no race condition. We will keep the lock for such a short
- * bit of time waking it up now or later won't matter all that much.
- */
- if (ISC_LIST_EMPTY(sock->accept_list))
- do_poke = ISC_TRUE;
-
- ISC_LIST_ENQUEUE(sock->accept_list, dev, ev_link);
-
- if (do_poke)
- select_poke(manager, sock->fd, SELECT_POKE_ACCEPT);
-
- UNLOCK(&sock->lock);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
- isc_task_t *task, isc_taskaction_t action, const void *arg)
-{
- isc_socket_connev_t *dev;
- isc_task_t *ntask = NULL;
- isc_socketmgr_t *manager;
- int cc;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(addr != NULL);
- REQUIRE(task != NULL);
- REQUIRE(action != NULL);
-
- manager = sock->manager;
- REQUIRE(VALID_MANAGER(manager));
- REQUIRE(addr != NULL);
-
- if (isc_sockaddr_ismulticast(addr))
- return (ISC_R_MULTICAST);
-
- LOCK(&sock->lock);
-
- REQUIRE(!sock->connecting);
-
- dev = (isc_socket_connev_t *)isc_event_allocate(manager->mctx, sock,
- ISC_SOCKEVENT_CONNECT,
- action, arg,
- sizeof(*dev));
- if (dev == NULL) {
- UNLOCK(&sock->lock);
- return (ISC_R_NOMEMORY);
- }
- ISC_LINK_INIT(dev, ev_link);
-
- /*
- * Try to do the connect right away, as there can be only one
- * outstanding, and it might happen to complete.
- */
- sock->address = *addr;
- cc = connect(sock->fd, &addr->type.sa, addr->length);
- if (cc < 0) {
- if (SOFT_ERROR(errno) || errno == EINPROGRESS)
- goto queue;
-
- switch (errno) {
-#define ERROR_MATCH(a, b) case a: dev->result = b; goto err_exit;
- ERROR_MATCH(EACCES, ISC_R_NOPERM);
- ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
- ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
- ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
- ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#ifdef EHOSTDOWN
- ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
-#endif
- ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
- ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
- ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
- ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
- ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
-#undef ERROR_MATCH
- }
-
- sock->connected = 0;
-
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__, "%d/%s", errno, strbuf);
-
- UNLOCK(&sock->lock);
- isc_event_free(ISC_EVENT_PTR(&dev));
- return (ISC_R_UNEXPECTED);
-
- err_exit:
- sock->connected = 0;
- isc_task_send(task, ISC_EVENT_PTR(&dev));
-
- UNLOCK(&sock->lock);
- return (ISC_R_SUCCESS);
- }
-
- /*
- * If connect completed, fire off the done event.
- */
- if (cc == 0) {
- sock->connected = 1;
- sock->bound = 1;
- dev->result = ISC_R_SUCCESS;
- isc_task_send(task, ISC_EVENT_PTR(&dev));
-
- UNLOCK(&sock->lock);
- return (ISC_R_SUCCESS);
- }
-
- queue:
-
- /*
- * Attach to task.
- */
- isc_task_attach(task, &ntask);
-
- sock->connecting = 1;
-
- dev->ev_sender = ntask;
-
- /*
- * Poke watcher here. We still have the socket locked, so there
- * is no race condition. We will keep the lock for such a short
- * bit of time waking it up now or later won't matter all that much.
- */
- if (sock->connect_ev == NULL)
- select_poke(manager, sock->fd, SELECT_POKE_CONNECT);
-
- sock->connect_ev = dev;
-
- UNLOCK(&sock->lock);
- return (ISC_R_SUCCESS);
-}
-
-/*
- * Called when a socket with a pending connect() finishes.
- */
-static void
-internal_connect(isc_task_t *me, isc_event_t *ev) {
- isc_socket_t *sock;
- isc_socket_connev_t *dev;
- isc_task_t *task;
- int cc;
- ISC_SOCKADDR_LEN_T optlen;
- char strbuf[ISC_STRERRORSIZE];
- char peerbuf[ISC_SOCKADDR_FORMATSIZE];
-
- UNUSED(me);
- INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
-
- sock = ev->ev_sender;
- INSIST(VALID_SOCKET(sock));
-
- LOCK(&sock->lock);
-
- /*
- * When the internal event was sent the reference count was bumped
- * to keep the socket around for us. Decrement the count here.
- */
- INSIST(sock->references > 0);
- sock->references--;
- if (sock->references == 0) {
- UNLOCK(&sock->lock);
- destroy(&sock);
- return;
- }
-
- /*
- * Has this event been canceled?
- */
- dev = sock->connect_ev;
- if (dev == NULL) {
- INSIST(!sock->connecting);
- UNLOCK(&sock->lock);
- return;
- }
-
- INSIST(sock->connecting);
- sock->connecting = 0;
-
- /*
- * Get any possible error status here.
- */
- optlen = sizeof(cc);
- if (getsockopt(sock->fd, SOL_SOCKET, SO_ERROR,
- (void *)&cc, (void *)&optlen) < 0)
- cc = errno;
- else
- errno = cc;
-
- if (errno != 0) {
- /*
- * If the error is EAGAIN, just re-select on this
- * fd and pretend nothing strange happened.
- */
- if (SOFT_ERROR(errno) || errno == EINPROGRESS) {
- sock->connecting = 1;
- select_poke(sock->manager, sock->fd,
- SELECT_POKE_CONNECT);
- UNLOCK(&sock->lock);
-
- return;
- }
-
- /*
- * Translate other errors into ISC_R_* flavors.
- */
- switch (errno) {
-#define ERROR_MATCH(a, b) case a: dev->result = b; break;
- ERROR_MATCH(EACCES, ISC_R_NOPERM);
- ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
- ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
- ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
- ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
-#ifdef EHOSTDOWN
- ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
-#endif
- ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
- ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
- ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
- ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
- ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT);
- ERROR_MATCH(ECONNRESET, ISC_R_CONNECTIONRESET);
-#undef ERROR_MATCH
- default:
- dev->result = ISC_R_UNEXPECTED;
- isc_sockaddr_format(&sock->address, peerbuf,
- sizeof(peerbuf));
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "internal_connect: connect(%s) %s",
- peerbuf, strbuf);
- }
- } else {
- dev->result = ISC_R_SUCCESS;
- sock->connected = 1;
- sock->bound = 1;
- }
-
- sock->connect_ev = NULL;
-
- UNLOCK(&sock->lock);
-
- task = dev->ev_sender;
- dev->ev_sender = sock;
- isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
-}
-
-isc_result_t
-isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
- isc_result_t ret;
-
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(addressp != NULL);
-
- LOCK(&sock->lock);
-
- if (sock->connected) {
- *addressp = sock->address;
- ret = ISC_R_SUCCESS;
- } else {
- ret = ISC_R_NOTCONNECTED;
- }
-
- UNLOCK(&sock->lock);
-
- return (ret);
-}
-
-isc_result_t
-isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
- ISC_SOCKADDR_LEN_T len;
- isc_result_t ret;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(VALID_SOCKET(sock));
- REQUIRE(addressp != NULL);
-
- LOCK(&sock->lock);
-
- if (!sock->bound) {
- ret = ISC_R_NOTBOUND;
- goto out;
- }
-
- ret = ISC_R_SUCCESS;
-
- len = sizeof(addressp->type);
- if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s",
- strbuf);
- ret = ISC_R_UNEXPECTED;
- goto out;
- }
- addressp->length = (unsigned int)len;
-
- out:
- UNLOCK(&sock->lock);
-
- return (ret);
-}
-
-/*
- * Run through the list of events on this socket, and cancel the ones
- * queued for task "task" of type "how". "how" is a bitmask.
- */
-void
-isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
-
- REQUIRE(VALID_SOCKET(sock));
-
- /*
- * Quick exit if there is nothing to do. Don't even bother locking
- * in this case.
- */
- if (how == 0)
- return;
-
- LOCK(&sock->lock);
-
- /*
- * All of these do the same thing, more or less.
- * Each will:
- * o If the internal event is marked as "posted" try to
- * remove it from the task's queue. If this fails, mark it
- * as canceled instead, and let the task clean it up later.
- * o For each I/O request for that task of that type, post
- * its done event with status of "ISC_R_CANCELED".
- * o Reset any state needed.
- */
- if (((how & ISC_SOCKCANCEL_RECV) == ISC_SOCKCANCEL_RECV)
- && !ISC_LIST_EMPTY(sock->recv_list)) {
- isc_socketevent_t *dev;
- isc_socketevent_t *next;
- isc_task_t *current_task;
-
- dev = ISC_LIST_HEAD(sock->recv_list);
-
- while (dev != NULL) {
- current_task = dev->ev_sender;
- next = ISC_LIST_NEXT(dev, ev_link);
-
- if ((task == NULL) || (task == current_task)) {
- dev->result = ISC_R_CANCELED;
- send_recvdone_event(sock, &dev);
- }
- dev = next;
- }
- }
-
- if (((how & ISC_SOCKCANCEL_SEND) == ISC_SOCKCANCEL_SEND)
- && !ISC_LIST_EMPTY(sock->send_list)) {
- isc_socketevent_t *dev;
- isc_socketevent_t *next;
- isc_task_t *current_task;
-
- dev = ISC_LIST_HEAD(sock->send_list);
-
- while (dev != NULL) {
- current_task = dev->ev_sender;
- next = ISC_LIST_NEXT(dev, ev_link);
-
- if ((task == NULL) || (task == current_task)) {
- dev->result = ISC_R_CANCELED;
- send_senddone_event(sock, &dev);
- }
- dev = next;
- }
- }
-
- if (((how & ISC_SOCKCANCEL_ACCEPT) == ISC_SOCKCANCEL_ACCEPT)
- && !ISC_LIST_EMPTY(sock->accept_list)) {
- isc_socket_newconnev_t *dev;
- isc_socket_newconnev_t *next;
- isc_task_t *current_task;
-
- dev = ISC_LIST_HEAD(sock->accept_list);
- while (dev != NULL) {
- current_task = dev->ev_sender;
- next = ISC_LIST_NEXT(dev, ev_link);
-
- if ((task == NULL) || (task == current_task)) {
-
- ISC_LIST_UNLINK(sock->accept_list, dev,
- ev_link);
-
- dev->newsocket->references--;
- free_socket(&dev->newsocket);
-
- dev->result = ISC_R_CANCELED;
- dev->ev_sender = sock;
- isc_task_sendanddetach(&current_task,
- ISC_EVENT_PTR(&dev));
- }
-
- dev = next;
- }
- }
-
- /*
- * Connecting is not a list.
- */
- if (((how & ISC_SOCKCANCEL_CONNECT) == ISC_SOCKCANCEL_CONNECT)
- && sock->connect_ev != NULL) {
- isc_socket_connev_t *dev;
- isc_task_t *current_task;
-
- INSIST(sock->connecting);
- sock->connecting = 0;
-
- dev = sock->connect_ev;
- current_task = dev->ev_sender;
-
- if ((task == NULL) || (task == current_task)) {
- sock->connect_ev = NULL;
-
- dev->result = ISC_R_CANCELED;
- dev->ev_sender = sock;
- isc_task_sendanddetach(&current_task,
- ISC_EVENT_PTR(&dev));
- }
- }
-
- UNLOCK(&sock->lock);
-}
-
-isc_sockettype_t
-isc_socket_gettype(isc_socket_t *sock) {
- REQUIRE(VALID_SOCKET(sock));
-
- return (sock->type);
-}
-
-isc_boolean_t
-isc_socket_isbound(isc_socket_t *sock) {
- isc_boolean_t val;
-
- LOCK(&sock->lock);
- val = ((sock->bound) ? ISC_TRUE : ISC_FALSE);
- UNLOCK(&sock->lock);
-
- return (val);
-}
-
-void
-isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
-#if defined(IPV6_V6ONLY)
- int onoff = yes ? 1 : 0;
-#else
- UNUSED(yes);
- UNUSED(sock);
-#endif
-
- REQUIRE(VALID_SOCKET(sock));
-
-#ifdef IPV6_V6ONLY
- if (sock->pf == AF_INET6) {
- (void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
- (void *)&onoff, sizeof(onoff));
- }
-#endif
-}
-
-#ifndef ISC_PLATFORM_USETHREADS
-void
-isc__socketmgr_getfdsets(fd_set *readset, fd_set *writeset, int *maxfd) {
- if (socketmgr == NULL)
- *maxfd = 0;
- else {
- *readset = socketmgr->read_fds;
- *writeset = socketmgr->write_fds;
- *maxfd = socketmgr->maxfd + 1;
- }
-}
-
-isc_result_t
-isc__socketmgr_dispatch(fd_set *readset, fd_set *writeset, int maxfd) {
- isc_socketmgr_t *manager = socketmgr;
-
- if (manager == NULL)
- return (ISC_R_NOTFOUND);
-
- process_fds(manager, maxfd, readset, writeset);
- return (ISC_R_SUCCESS);
-}
-#endif /* ISC_PLATFORM_USETHREADS */
diff --git a/contrib/bind9/lib/isc/unix/socket_p.h b/contrib/bind9/lib/isc/unix/socket_p.h
deleted file mode 100644
index f430bf22e1c6..000000000000
--- a/contrib/bind9/lib/isc/unix/socket_p.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: socket_p.h,v 1.6.206.1 2004/03/06 08:15:02 marka Exp $ */
-
-#ifndef ISC_SOCKET_P_H
-#define ISC_SOCKET_P_H
-
-#ifdef ISC_PLATFORM_NEEDSYSSELECTH
-#include <sys/select.h>
-#endif
-
-void
-isc__socketmgr_getfdsets(fd_set *readset, fd_set *writeset, int *maxfd);
-
-isc_result_t
-isc__socketmgr_dispatch(fd_set *readset, fd_set *writeset, int maxfd);
-
-#endif /* ISC_SOCKET_P_H */
diff --git a/contrib/bind9/lib/isc/unix/stdio.c b/contrib/bind9/lib/isc/unix/stdio.c
deleted file mode 100644
index 794164e73a9e..000000000000
--- a/contrib/bind9/lib/isc/unix/stdio.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdio.c,v 1.5.206.1 2004/03/06 08:15:02 marka Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <unistd.h>
-
-#include <isc/stdio.h>
-
-#include "errno2result.h"
-
-isc_result_t
-isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
- FILE *f;
-
- f = fopen(filename, mode);
- if (f == NULL)
- return (isc__errno2result(errno));
- *fp = f;
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_stdio_close(FILE *f) {
- int r;
-
- r = fclose(f);
- if (r == 0)
- return (ISC_R_SUCCESS);
- else
- return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_stdio_seek(FILE *f, long offset, int whence) {
- int r;
-
- r = fseek(f, offset, whence);
- if (r == 0)
- return (ISC_R_SUCCESS);
- else
- return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
- isc_result_t result = ISC_R_SUCCESS;
- size_t r;
-
- clearerr(f);
- r = fread(ptr, size, nmemb, f);
- if (r != nmemb) {
- if (feof(f))
- result = ISC_R_EOF;
- else
- result = isc__errno2result(errno);
- }
- if (nret != NULL)
- *nret = r;
- return (result);
-}
-
-isc_result_t
-isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
- size_t *nret)
-{
- isc_result_t result = ISC_R_SUCCESS;
- size_t r;
-
- clearerr(f);
- r = fwrite(ptr, size, nmemb, f);
- if (r != nmemb)
- result = isc__errno2result(errno);
- if (nret != NULL)
- *nret = r;
- return (result);
-}
-
-isc_result_t
-isc_stdio_flush(FILE *f) {
- int r;
-
- r = fflush(f);
- if (r == 0)
- return (ISC_R_SUCCESS);
- else
- return (isc__errno2result(errno));
-}
-
-isc_result_t
-isc_stdio_sync(FILE *f) {
- int r;
-
- r = fsync(fileno(f));
- if (r == 0)
- return (ISC_R_SUCCESS);
- else
- return (isc__errno2result(errno));
-}
-
diff --git a/contrib/bind9/lib/isc/unix/stdtime.c b/contrib/bind9/lib/isc/unix/stdtime.c
deleted file mode 100644
index b8d818dcfd7a..000000000000
--- a/contrib/bind9/lib/isc/unix/stdtime.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdtime.c,v 1.11.2.1.10.5 2005/06/09 23:54:31 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h> /* NULL */
-#include <stdlib.h> /* NULL */
-#include <syslog.h>
-
-#include <sys/time.h>
-
-#include <isc/stdtime.h>
-#include <isc/util.h>
-
-#ifndef ISC_FIX_TV_USEC
-#define ISC_FIX_TV_USEC 1
-#endif
-
-#define US_PER_S 1000000
-
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
- isc_boolean_t fixed = ISC_FALSE;
-
- if (tv->tv_usec < 0) {
- fixed = ISC_TRUE;
- do {
- tv->tv_sec -= 1;
- tv->tv_usec += US_PER_S;
- } while (tv->tv_usec < 0);
- } else if (tv->tv_usec >= US_PER_S) {
- fixed = ISC_TRUE;
- do {
- tv->tv_sec += 1;
- tv->tv_usec -= US_PER_S;
- } while (tv->tv_usec >=US_PER_S);
- }
- /*
- * Call syslog directly as we are called from the logging functions.
- */
- if (fixed)
- (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
-}
-#endif
-
-void
-isc_stdtime_get(isc_stdtime_t *t) {
- struct timeval tv;
-
- /*
- * Set 't' to the number of seconds since 00:00:00 UTC, January 1,
- * 1970.
- */
-
- REQUIRE(t != NULL);
-
- RUNTIME_CHECK(gettimeofday(&tv, NULL) != -1);
-
-#if ISC_FIX_TV_USEC
- fix_tv_usec(&tv);
- INSIST(tv.tv_usec >= 0);
-#else
- INSIST(tv.tv_usec >= 0 && tv.tv_usec < US_PER_S);
-#endif
-
- *t = (unsigned int)tv.tv_sec;
-}
diff --git a/contrib/bind9/lib/isc/unix/strerror.c b/contrib/bind9/lib/isc/unix/strerror.c
deleted file mode 100644
index 863867e15953..000000000000
--- a/contrib/bind9/lib/isc/unix/strerror.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: strerror.c,v 1.1.2.1.10.3 2004/03/08 09:04:57 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <isc/mutex.h>
-#include <isc/once.h>
-#include <isc/print.h>
-#include <isc/strerror.h>
-#include <isc/util.h>
-
-#ifdef HAVE_STRERROR
-/*
- * We need to do this this way for profiled locks.
- */
-static isc_mutex_t isc_strerror_lock;
-static void init_lock(void) {
- RUNTIME_CHECK(isc_mutex_init(&isc_strerror_lock) == ISC_R_SUCCESS);
-}
-#else
-extern const char * const sys_errlist[];
-extern const int sys_nerr;
-#endif
-
-void
-isc__strerror(int num, char *buf, size_t size) {
-#ifdef HAVE_STRERROR
- char *msg;
- unsigned int unum = num;
- static isc_once_t once = ISC_ONCE_INIT;
-
- REQUIRE(buf != NULL);
-
- RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
-
- LOCK(&isc_strerror_lock);
- msg = strerror(num);
- if (msg != NULL)
- snprintf(buf, size, "%s", msg);
- else
- snprintf(buf, size, "Unknown error: %u", unum);
- UNLOCK(&isc_strerror_lock);
-#else
- unsigned int unum = num;
-
- REQUIRE(buf != NULL);
-
- if (num >= 0 && num < sys_nerr)
- snprintf(buf, size, "%s", sys_errlist[num]);
- else
- snprintf(buf, size, "Unknown error: %u", unum);
-#endif
-}
diff --git a/contrib/bind9/lib/isc/unix/syslog.c b/contrib/bind9/lib/isc/unix/syslog.c
deleted file mode 100644
index e53154452254..000000000000
--- a/contrib/bind9/lib/isc/unix/syslog.c
+++ /dev/null
@@ -1,82 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: syslog.c,v 1.1.12.3 2004/03/08 09:04:57 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-
-#include <isc/result.h>
-#include <isc/syslog.h>
-#include <isc/util.h>
-
-static struct dsn_c_pvt_sfnt {
- int val;
- const char *strval;
-} facilities[] = {
- { LOG_KERN, "kern" },
- { LOG_USER, "user" },
- { LOG_MAIL, "mail" },
- { LOG_DAEMON, "daemon" },
- { LOG_AUTH, "auth" },
- { LOG_SYSLOG, "syslog" },
- { LOG_LPR, "lpr" },
-#ifdef LOG_NEWS
- { LOG_NEWS, "news" },
-#endif
-#ifdef LOG_UUCP
- { LOG_UUCP, "uucp" },
-#endif
-#ifdef LOG_CRON
- { LOG_CRON, "cron" },
-#endif
-#ifdef LOG_AUTHPRIV
- { LOG_AUTHPRIV, "authpriv" },
-#endif
-#ifdef LOG_FTP
- { LOG_FTP, "ftp" },
-#endif
- { LOG_LOCAL0, "local0"},
- { LOG_LOCAL1, "local1"},
- { LOG_LOCAL2, "local2"},
- { LOG_LOCAL3, "local3"},
- { LOG_LOCAL4, "local4"},
- { LOG_LOCAL5, "local5"},
- { LOG_LOCAL6, "local6"},
- { LOG_LOCAL7, "local7"},
- { 0, NULL }
-};
-
-isc_result_t
-isc_syslog_facilityfromstring(const char *str, int *facilityp) {
- int i;
-
- REQUIRE(str != NULL);
- REQUIRE(facilityp != NULL);
-
- for (i = 0; facilities[i].strval != NULL; i++) {
- if (strcasecmp(facilities[i].strval, str) == 0) {
- *facilityp = facilities[i].val;
- return (ISC_R_SUCCESS);
- }
- }
- return (ISC_R_NOTFOUND);
-
-}
diff --git a/contrib/bind9/lib/isc/unix/time.c b/contrib/bind9/lib/isc/unix/time.c
deleted file mode 100644
index 39c851cebe9a..000000000000
--- a/contrib/bind9/lib/isc/unix/time.c
+++ /dev/null
@@ -1,412 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: time.c,v 1.34.2.6.2.4 2004/03/06 08:15:03 marka Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <limits.h>
-#include <syslog.h>
-#include <time.h>
-
-#include <sys/time.h> /* Required for struct timeval on some platforms. */
-
-#include <isc/log.h>
-#include <isc/print.h>
-#include <isc/strerror.h>
-#include <isc/string.h>
-#include <isc/time.h>
-#include <isc/util.h>
-
-#define NS_PER_S 1000000000 /* Nanoseconds per second. */
-#define NS_PER_US 1000 /* Nanoseconds per microsecond. */
-#define US_PER_S 1000000 /* Microseconds per second. */
-
-/*
- * All of the INSIST()s checks of nanoseconds < NS_PER_S are for
- * consistency checking of the type. In lieu of magic numbers, it
- * is the best we've got. The check is only performed on functions which
- * need an initialized type.
- */
-
-#ifndef ISC_FIX_TV_USEC
-#define ISC_FIX_TV_USEC 1
-#endif
-
-/***
- *** Intervals
- ***/
-
-static isc_interval_t zero_interval = { 0, 0 };
-isc_interval_t *isc_interval_zero = &zero_interval;
-
-#if ISC_FIX_TV_USEC
-static inline void
-fix_tv_usec(struct timeval *tv) {
- isc_boolean_t fixed = ISC_FALSE;
-
- if (tv->tv_usec < 0) {
- fixed = ISC_TRUE;
- do {
- tv->tv_sec -= 1;
- tv->tv_usec += US_PER_S;
- } while (tv->tv_usec < 0);
- } else if (tv->tv_usec >= US_PER_S) {
- fixed = ISC_TRUE;
- do {
- tv->tv_sec += 1;
- tv->tv_usec -= US_PER_S;
- } while (tv->tv_usec >=US_PER_S);
- }
- /*
- * Call syslog directly as was are called from the logging functions.
- */
- if (fixed)
- (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
-}
-#endif
-
-void
-isc_interval_set(isc_interval_t *i,
- unsigned int seconds, unsigned int nanoseconds)
-{
- REQUIRE(i != NULL);
- REQUIRE(nanoseconds < NS_PER_S);
-
- i->seconds = seconds;
- i->nanoseconds = nanoseconds;
-}
-
-isc_boolean_t
-isc_interval_iszero(const isc_interval_t *i) {
- REQUIRE(i != NULL);
- INSIST(i->nanoseconds < NS_PER_S);
-
- if (i->seconds == 0 && i->nanoseconds == 0)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-
-/***
- *** Absolute Times
- ***/
-
-static isc_time_t epoch = { 0, 0 };
-isc_time_t *isc_time_epoch = &epoch;
-
-void
-isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
- REQUIRE(t != NULL);
- REQUIRE(nanoseconds < NS_PER_S);
-
- t->seconds = seconds;
- t->nanoseconds = nanoseconds;
-}
-
-void
-isc_time_settoepoch(isc_time_t *t) {
- REQUIRE(t != NULL);
-
- t->seconds = 0;
- t->nanoseconds = 0;
-}
-
-isc_boolean_t
-isc_time_isepoch(const isc_time_t *t) {
- REQUIRE(t != NULL);
- INSIST(t->nanoseconds < NS_PER_S);
-
- if (t->seconds == 0 && t->nanoseconds == 0)
- return (ISC_TRUE);
-
- return (ISC_FALSE);
-}
-
-
-isc_result_t
-isc_time_now(isc_time_t *t) {
- struct timeval tv;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(t != NULL);
-
- if (gettimeofday(&tv, NULL) == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
-
- /*
- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
- * then this test will generate warnings for platforms on which it is
- * unsigned. In any event, the chances of any of these problems
- * happening are pretty much zero, but since the libisc library ensures
- * certain things to be true ...
- */
-#if ISC_FIX_TV_USEC
- fix_tv_usec(&tv);
- if (tv.tv_sec < 0)
- return (ISC_R_UNEXPECTED);
-#else
- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
- return (ISC_R_UNEXPECTED);
-#endif
-
- /*
- * Ensure the tv_sec value fits in t->seconds.
- */
- if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
- ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
- return (ISC_R_RANGE);
-
- t->seconds = tv.tv_sec;
- t->nanoseconds = tv.tv_usec * NS_PER_US;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
- struct timeval tv;
- char strbuf[ISC_STRERRORSIZE];
-
- REQUIRE(t != NULL);
- REQUIRE(i != NULL);
- INSIST(i->nanoseconds < NS_PER_S);
-
- if (gettimeofday(&tv, NULL) == -1) {
- isc__strerror(errno, strbuf, sizeof(strbuf));
- UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
- return (ISC_R_UNEXPECTED);
- }
-
- /*
- * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
- * then this test will generate warnings for platforms on which it is
- * unsigned. In any event, the chances of any of these problems
- * happening are pretty much zero, but since the libisc library ensures
- * certain things to be true ...
- */
-#if ISC_FIX_TV_USEC
- fix_tv_usec(&tv);
- if (tv.tv_sec < 0)
- return (ISC_R_UNEXPECTED);
-#else
- if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
- return (ISC_R_UNEXPECTED);
-#endif
-
- /*
- * Ensure the resulting seconds value fits in the size of an
- * unsigned int. (It is written this way as a slight optimization;
- * note that even if both values == INT_MAX, then when added
- * and getting another 1 added below the result is UINT_MAX.)
- */
- if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
- ((long long)tv.tv_sec + i->seconds > UINT_MAX))
- return (ISC_R_RANGE);
-
- t->seconds = tv.tv_sec + i->seconds;
- t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds;
- if (t->nanoseconds > NS_PER_S) {
- t->seconds++;
- t->nanoseconds -= NS_PER_S;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-int
-isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
- REQUIRE(t1 != NULL && t2 != NULL);
- INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
-
- if (t1->seconds < t2->seconds)
- return (-1);
- if (t1->seconds > t2->seconds)
- return (1);
- if (t1->nanoseconds < t2->nanoseconds)
- return (-1);
- if (t1->nanoseconds > t2->nanoseconds)
- return (1);
- return (0);
-}
-
-isc_result_t
-isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result)
-{
- REQUIRE(t != NULL && i != NULL && result != NULL);
- INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
-
- /*
- * Ensure the resulting seconds value fits in the size of an
- * unsigned int. (It is written this way as a slight optimization;
- * note that even if both values == INT_MAX, then when added
- * and getting another 1 added below the result is UINT_MAX.)
- */
- if ((t->seconds > INT_MAX || i->seconds > INT_MAX) &&
- ((long long)t->seconds + i->seconds > UINT_MAX))
- return (ISC_R_RANGE);
-
- result->seconds = t->seconds + i->seconds;
- result->nanoseconds = t->nanoseconds + i->nanoseconds;
- if (result->nanoseconds >= NS_PER_S) {
- result->seconds++;
- result->nanoseconds -= NS_PER_S;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
- isc_time_t *result)
-{
- REQUIRE(t != NULL && i != NULL && result != NULL);
- INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
-
- if ((unsigned int)t->seconds < i->seconds ||
- ((unsigned int)t->seconds == i->seconds &&
- t->nanoseconds < i->nanoseconds))
- return (ISC_R_RANGE);
-
- result->seconds = t->seconds - i->seconds;
- if (t->nanoseconds >= i->nanoseconds)
- result->nanoseconds = t->nanoseconds - i->nanoseconds;
- else {
- result->nanoseconds = NS_PER_S - i->nanoseconds +
- t->nanoseconds;
- result->seconds--;
- }
-
- return (ISC_R_SUCCESS);
-}
-
-isc_uint64_t
-isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
- isc_uint64_t i1, i2, i3;
-
- REQUIRE(t1 != NULL && t2 != NULL);
- INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
-
- i1 = (isc_uint64_t)t1->seconds * NS_PER_S + t1->nanoseconds;
- i2 = (isc_uint64_t)t2->seconds * NS_PER_S + t2->nanoseconds;
-
- if (i1 <= i2)
- return (0);
-
- i3 = i1 - i2;
-
- /*
- * Convert to microseconds.
- */
- i3 = (i1 - i2) / NS_PER_US;
-
- return (i3);
-}
-
-isc_uint32_t
-isc_time_seconds(const isc_time_t *t) {
- REQUIRE(t != NULL);
- INSIST(t->nanoseconds < NS_PER_S);
-
- return ((isc_uint32_t)t->seconds);
-}
-
-isc_result_t
-isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
- isc_uint64_t i;
- time_t seconds;
-
- REQUIRE(t != NULL);
- INSIST(t->nanoseconds < NS_PER_S);
-
- /*
- * Ensure that the number of seconds represented by t->seconds
- * can be represented by a time_t. Since t->seconds is an unsigned
- * int and since time_t is mostly opaque, this is trickier than
- * it seems. (This standardized opaqueness of time_t is *very*
- * frustrating; time_t is not even limited to being an integral
- * type.)
- *
- * The mission, then, is to avoid generating any kind of warning
- * about "signed versus unsigned" while trying to determine if the
- * the unsigned int t->seconds is out range for tv_sec, which is
- * pretty much only true if time_t is a signed integer of the same
- * size as the return value of isc_time_seconds.
- *
- * The use of the 64 bit integer ``i'' takes advantage of C's
- * conversion rules to either zero fill or sign extend the widened
- * type.
- *
- * Solaris 5.6 gives this warning about the left shift:
- * warning: integer overflow detected: op "<<"
- * if the U(nsigned) qualifier is not on the 1.
- */
- seconds = (time_t)t->seconds;
-
- INSIST(sizeof(unsigned int) == sizeof(isc_uint32_t));
- INSIST(sizeof(time_t) >= sizeof(isc_uint32_t));
-
- if (sizeof(time_t) == sizeof(isc_uint32_t) && /* Same size. */
- (time_t)0.5 != 0.5 && /* Not a floating point type. */
- (i = (time_t)-1) != 4294967295u && /* Is signed. */
- (seconds &
- (1U << (sizeof(time_t) * CHAR_BIT - 1))) != 0U) { /* Negative. */
- /*
- * This UNUSED() is here to shut up the IRIX compiler:
- * variable "i" was set but never used
- * when the value of i *was* used in the third test.
- * (Let's hope the compiler got the actual test right.)
- */
- UNUSED(i);
- return (ISC_R_RANGE);
- }
-
- *secondsp = seconds;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_uint32_t
-isc_time_nanoseconds(const isc_time_t *t) {
- REQUIRE(t != NULL);
-
- ENSURE(t->nanoseconds < NS_PER_S);
-
- return ((isc_uint32_t)t->nanoseconds);
-}
-
-void
-isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
- time_t now;
- unsigned int flen;
-
- REQUIRE(len > 0);
-
- now = (time_t) t->seconds;
- flen = strftime(buf, len, "%d-%b-%Y %X", localtime(&now));
- INSIST(flen < len);
- if (flen != 0)
- snprintf(buf + flen, len - flen,
- ".%03u", t->nanoseconds / 1000000);
- else
- snprintf(buf, len, "99-Bad-9999 99:99:99.999");
-}
diff --git a/contrib/bind9/lib/isc/version.c b/contrib/bind9/lib/isc/version.c
deleted file mode 100644
index d0f270d4a47d..000000000000
--- a/contrib/bind9/lib/isc/version.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:51 marka Exp $ */
-
-#include <isc/version.h>
-
-const char isc_version[] = VERSION;
-
-const unsigned int isc_libinterface = LIBINTERFACE;
-const unsigned int isc_librevision = LIBREVISION;
-const unsigned int isc_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isccc/Makefile.in b/contrib/bind9/lib/isccc/Makefile.in
deleted file mode 100644
index f6ae951abf31..000000000000
--- a/contrib/bind9/lib/isccc/Makefile.in
+++ /dev/null
@@ -1,86 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2.12.5 2004/07/20 07:01:58 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBISCCC_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCC_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCCDEPLIBS = libisccc.@A@
-
-LIBS = @LIBS@
-
-SUBDIRS = include
-
-# Alphabetically
-OBJS = alist.@O@ base64.@O@ cc.@O@ ccmsg.@O@ \
- lib.@O@ \
- result.@O@ sexpr.@O@ symtab.@O@ version.@O@
-
-# Alphabetically
-SRCS = alist.c base64.c cc.c ccmsg.c \
- lib.c \
- result.c sexpr.c symtab.c version.c
-
-
-TARGETS = timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DLIBINTERFACE=${LIBINTERFACE} \
- -DLIBREVISION=${LIBREVISION} \
- -DLIBAGE=${LIBAGE} \
- -c ${srcdir}/version.c
-
-libisccc.@SA@: ${OBJS}
- ${AR} ${ARFLAGS} $@ ${OBJS}
- ${RANLIB} $@
-
-libisccc.la: ${OBJS}
- ${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \
- -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${LIBS} ${ISCLIBS}
-
-timestamp: libisccc.@A@
- touch timestamp
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccc.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
- rm -f libisccc.@A@ timestamp
diff --git a/contrib/bind9/lib/isccc/alist.c b/contrib/bind9/lib/isccc/alist.c
deleted file mode 100644
index 21b14a25bfa5..000000000000
--- a/contrib/bind9/lib/isccc/alist.c
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: alist.c,v 1.2.206.1 2004/03/06 08:15:18 marka Exp $ */
-
-#include <config.h>
-
-#include <stdlib.h>
-#include <string.h>
-
-#include <isccc/alist.h>
-#include <isc/assertions.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/util.h>
-
-#define CAR(s) (s)->value.as_dottedpair.car
-#define CDR(s) (s)->value.as_dottedpair.cdr
-
-#define ALIST_TAG "*alist*"
-#define MAX_INDENT 64
-
-static char spaces[MAX_INDENT + 1] =
- " ";
-
-isccc_sexpr_t *
-isccc_alist_create(void)
-{
- isccc_sexpr_t *alist, *tag;
-
- tag = isccc_sexpr_fromstring(ALIST_TAG);
- if (tag == NULL)
- return (NULL);
- alist = isccc_sexpr_cons(tag, NULL);
- if (alist == NULL) {
- isccc_sexpr_free(&tag);
- return (NULL);
- }
-
- return (alist);
-}
-
-isc_boolean_t
-isccc_alist_alistp(isccc_sexpr_t *alist)
-{
- isccc_sexpr_t *car;
-
- if (alist == NULL || alist->type != ISCCC_SEXPRTYPE_DOTTEDPAIR)
- return (ISC_FALSE);
- car = CAR(alist);
- if (car == NULL || car->type != ISCCC_SEXPRTYPE_STRING)
- return (ISC_FALSE);
- if (strcmp(car->value.as_string, ALIST_TAG) != 0)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-isc_boolean_t
-isccc_alist_emptyp(isccc_sexpr_t *alist)
-{
- REQUIRE(isccc_alist_alistp(alist));
-
- if (CDR(alist) == NULL)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isccc_sexpr_t *
-isccc_alist_first(isccc_sexpr_t *alist)
-{
- REQUIRE(isccc_alist_alistp(alist));
-
- return (CDR(alist));
-}
-
-isccc_sexpr_t *
-isccc_alist_assq(isccc_sexpr_t *alist, const char *key)
-{
- isccc_sexpr_t *car, *caar;
-
- REQUIRE(isccc_alist_alistp(alist));
-
- /*
- * Skip alist type tag.
- */
- alist = CDR(alist);
-
- while (alist != NULL) {
- INSIST(alist->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
- car = CAR(alist);
- INSIST(car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
- caar = CAR(car);
- if (caar->type == ISCCC_SEXPRTYPE_STRING &&
- strcmp(caar->value.as_string, key) == 0)
- return (car);
- alist = CDR(alist);
- }
-
- return (NULL);
-}
-
-void
-isccc_alist_delete(isccc_sexpr_t *alist, const char *key)
-{
- isccc_sexpr_t *car, *caar, *rest, *prev;
-
- REQUIRE(isccc_alist_alistp(alist));
-
- prev = alist;
- rest = CDR(alist);
- while (rest != NULL) {
- INSIST(rest->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
- car = CAR(rest);
- INSIST(car != NULL && car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
- caar = CAR(car);
- if (caar->type == ISCCC_SEXPRTYPE_STRING &&
- strcmp(caar->value.as_string, key) == 0) {
- CDR(prev) = CDR(rest);
- CDR(rest) = NULL;
- isccc_sexpr_free(&rest);
- break;
- }
- prev = rest;
- rest = CDR(rest);
- }
-}
-
-isccc_sexpr_t *
-isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value)
-{
- isccc_sexpr_t *kv, *k, *elt;
-
- kv = isccc_alist_assq(alist, key);
- if (kv == NULL) {
- /*
- * New association.
- */
- k = isccc_sexpr_fromstring(key);
- if (k == NULL)
- return (NULL);
- kv = isccc_sexpr_cons(k, value);
- if (kv == NULL) {
- isccc_sexpr_free(&kv);
- return (NULL);
- }
- elt = isccc_sexpr_addtolist(&alist, kv);
- if (elt == NULL) {
- isccc_sexpr_free(&kv);
- return (NULL);
- }
- } else {
- /*
- * We've already got an entry for this key. Replace it.
- */
- isccc_sexpr_free(&CDR(kv));
- CDR(kv) = value;
- }
-
- return (kv);
-}
-
-isccc_sexpr_t *
-isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str)
-{
- isccc_sexpr_t *v, *kv;
-
- v = isccc_sexpr_fromstring(str);
- if (v == NULL)
- return (NULL);
- kv = isccc_alist_define(alist, key, v);
- if (kv == NULL)
- isccc_sexpr_free(&v);
-
- return (kv);
-}
-
-isccc_sexpr_t *
-isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r)
-{
- isccc_sexpr_t *v, *kv;
-
- v = isccc_sexpr_frombinary(r);
- if (v == NULL)
- return (NULL);
- kv = isccc_alist_define(alist, key, v);
- if (kv == NULL)
- isccc_sexpr_free(&v);
-
- return (kv);
-}
-
-isccc_sexpr_t *
-isccc_alist_lookup(isccc_sexpr_t *alist, const char *key)
-{
- isccc_sexpr_t *kv;
-
- kv = isccc_alist_assq(alist, key);
- if (kv != NULL)
- return (CDR(kv));
- return (NULL);
-}
-
-isc_result_t
-isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
-{
- isccc_sexpr_t *kv, *v;
-
- kv = isccc_alist_assq(alist, key);
- if (kv != NULL) {
- v = CDR(kv);
- if (isccc_sexpr_stringp(v)) {
- if (strp != NULL)
- *strp = isccc_sexpr_tostring(v);
- return (ISC_R_SUCCESS);
- } else
- return (ISC_R_EXISTS);
- }
-
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r)
-{
- isccc_sexpr_t *kv, *v;
-
- kv = isccc_alist_assq(alist, key);
- if (kv != NULL) {
- v = CDR(kv);
- if (isccc_sexpr_binaryp(v)) {
- if (r != NULL)
- *r = isccc_sexpr_tobinary(v);
- return (ISC_R_SUCCESS);
- } else
- return (ISC_R_EXISTS);
- }
-
- return (ISC_R_NOTFOUND);
-}
-
-void
-isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream)
-{
- isccc_sexpr_t *elt, *kv, *k, *v;
-
- if (isccc_alist_alistp(sexpr)) {
- fprintf(stream, "{\n");
- indent += 4;
- for (elt = isccc_alist_first(sexpr);
- elt != NULL;
- elt = CDR(elt)) {
- kv = CAR(elt);
- INSIST(isccc_sexpr_listp(kv));
- k = CAR(kv);
- v = CDR(kv);
- INSIST(isccc_sexpr_stringp(k));
- fprintf(stream, "%.*s%s => ", (int)indent, spaces,
- isccc_sexpr_tostring(k));
- isccc_alist_prettyprint(v, indent, stream);
- if (CDR(elt) != NULL)
- fprintf(stream, ",");
- fprintf(stream, "\n");
- }
- indent -= 4;
- fprintf(stream, "%.*s}", (int)indent, spaces);
- } else if (isccc_sexpr_listp(sexpr)) {
- fprintf(stream, "(\n");
- indent += 4;
- for (elt = sexpr;
- elt != NULL;
- elt = CDR(elt)) {
- fprintf(stream, "%.*s", (int)indent, spaces);
- isccc_alist_prettyprint(CAR(elt), indent, stream);
- if (CDR(elt) != NULL)
- fprintf(stream, ",");
- fprintf(stream, "\n");
- }
- indent -= 4;
- fprintf(stream, "%.*s)", (int)indent, spaces);
- } else
- isccc_sexpr_print(sexpr, stream);
-}
diff --git a/contrib/bind9/lib/isccc/api b/contrib/bind9/lib/isccc/api
deleted file mode 100644
index 4f115e73f2db..000000000000
--- a/contrib/bind9/lib/isccc/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 2
-LIBREVISION = 1
-LIBAGE = 2
diff --git a/contrib/bind9/lib/isccc/base64.c b/contrib/bind9/lib/isccc/base64.c
deleted file mode 100644
index 81d356c8ac88..000000000000
--- a/contrib/bind9/lib/isccc/base64.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.c,v 1.2.206.1 2004/03/06 08:15:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/base64.h>
-#include <isc/buffer.h>
-#include <isc/region.h>
-#include <isc/result.h>
-
-#include <isccc/base64.h>
-#include <isccc/result.h>
-#include <isccc/util.h>
-
-isc_result_t
-isccc_base64_encode(isccc_region_t *source, int wordlength,
- const char *wordbreak, isccc_region_t *target)
-{
- isc_region_t sr;
- isc_buffer_t tb;
- isc_result_t result;
-
- sr.base = source->rstart;
- sr.length = source->rend - source->rstart;
- isc_buffer_init(&tb, target->rstart, target->rend - target->rstart);
-
- result = isc_base64_totext(&sr, wordlength, wordbreak, &tb);
- if (result != ISC_R_SUCCESS)
- return (result);
- source->rstart = source->rend;
- target->rstart = isc_buffer_used(&tb);
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_base64_decode(const char *cstr, isccc_region_t *target) {
- isc_buffer_t b;
- isc_result_t result;
-
- isc_buffer_init(&b, target->rstart, target->rend - target->rstart);
- result = isc_base64_decodestring(cstr, &b);
- if (result != ISC_R_SUCCESS)
- return (result);
- target->rstart = isc_buffer_used(&b);
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isccc/cc.c b/contrib/bind9/lib/isccc/cc.c
deleted file mode 100644
index ccf8c686aee5..000000000000
--- a/contrib/bind9/lib/isccc/cc.c
+++ /dev/null
@@ -1,807 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001-2003 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cc.c,v 1.4.2.3.2.5 2004/08/28 06:25:23 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include <isc/assertions.h>
-#include <isc/hmacmd5.h>
-#include <isc/print.h>
-#include <isc/stdlib.h>
-
-#include <isccc/alist.h>
-#include <isccc/base64.h>
-#include <isccc/cc.h>
-#include <isccc/result.h>
-#include <isccc/sexpr.h>
-#include <isccc/symtab.h>
-#include <isccc/symtype.h>
-#include <isccc/util.h>
-
-#define MAX_TAGS 256
-#define DUP_LIFETIME 900
-
-typedef isccc_sexpr_t *sexpr_ptr;
-
-static unsigned char auth_hmd5[] = {
- 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /* len + _auth */
- ISCCC_CCMSGTYPE_TABLE, /* message type */
- 0x00, 0x00, 0x00, 0x20, /* length == 32 */
- 0x04, 0x68, 0x6d, 0x64, 0x35, /* len + hmd5 */
- ISCCC_CCMSGTYPE_BINARYDATA, /* message type */
- 0x00, 0x00, 0x00, 0x16, /* length == 22 */
- /*
- * The base64 encoding of one of our HMAC-MD5 signatures is
- * 22 bytes.
- */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-};
-
-#define HMD5_OFFSET 21 /* 6 + 1 + 4 + 5 + 1 + 4 */
-#define HMD5_LENGTH 22
-
-static isc_result_t
-table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
-
-static isc_result_t
-list_towire(isccc_sexpr_t *alist, isccc_region_t *target);
-
-static isc_result_t
-value_towire(isccc_sexpr_t *elt, isccc_region_t *target)
-{
- size_t len;
- unsigned char *lenp;
- isccc_region_t *vr;
- isc_result_t result;
-
- if (isccc_sexpr_binaryp(elt)) {
- vr = isccc_sexpr_tobinary(elt);
- len = REGION_SIZE(*vr);
- if (REGION_SIZE(*target) < 1 + 4 + len)
- return (ISC_R_NOSPACE);
- PUT8(ISCCC_CCMSGTYPE_BINARYDATA, target->rstart);
- PUT32(len, target->rstart);
- if (REGION_SIZE(*target) < len)
- return (ISC_R_NOSPACE);
- PUT_MEM(vr->rstart, len, target->rstart);
- } else if (isccc_alist_alistp(elt)) {
- if (REGION_SIZE(*target) < 1 + 4)
- return (ISC_R_NOSPACE);
- PUT8(ISCCC_CCMSGTYPE_TABLE, target->rstart);
- /*
- * Emit a placeholder length.
- */
- lenp = target->rstart;
- PUT32(0, target->rstart);
- /*
- * Emit the table.
- */
- result = table_towire(elt, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- len = (size_t)(target->rstart - lenp);
- /*
- * 'len' is 4 bytes too big, since it counts
- * the placeholder length too. Adjust and
- * emit.
- */
- INSIST(len >= 4U);
- len -= 4;
- PUT32(len, lenp);
- } else if (isccc_sexpr_listp(elt)) {
- if (REGION_SIZE(*target) < 1 + 4)
- return (ISC_R_NOSPACE);
- PUT8(ISCCC_CCMSGTYPE_LIST, target->rstart);
- /*
- * Emit a placeholder length and count.
- */
- lenp = target->rstart;
- PUT32(0, target->rstart);
- /*
- * Emit the list.
- */
- result = list_towire(elt, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- len = (size_t)(target->rstart - lenp);
- /*
- * 'len' is 4 bytes too big, since it counts
- * the placeholder length. Adjust and emit.
- */
- INSIST(len >= 4U);
- len -= 4;
- PUT32(len, lenp);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-table_towire(isccc_sexpr_t *alist, isccc_region_t *target)
-{
- isccc_sexpr_t *kv, *elt, *k, *v;
- char *ks;
- isc_result_t result;
- size_t len;
-
- for (elt = isccc_alist_first(alist);
- elt != NULL;
- elt = ISCCC_SEXPR_CDR(elt)) {
- kv = ISCCC_SEXPR_CAR(elt);
- k = ISCCC_SEXPR_CAR(kv);
- ks = isccc_sexpr_tostring(k);
- v = ISCCC_SEXPR_CDR(kv);
- len = strlen(ks);
- INSIST(len <= 255U);
- /*
- * Emit the key name.
- */
- if (REGION_SIZE(*target) < 1 + len)
- return (ISC_R_NOSPACE);
- PUT8(len, target->rstart);
- PUT_MEM(ks, len, target->rstart);
- /*
- * Emit the value.
- */
- result = value_towire(v, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-list_towire(isccc_sexpr_t *list, isccc_region_t *target)
-{
- isc_result_t result;
-
- while (list != NULL) {
- result = value_towire(ISCCC_SEXPR_CAR(list), target);
- if (result != ISC_R_SUCCESS)
- return (result);
- list = ISCCC_SEXPR_CDR(list);
- }
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
- isccc_region_t *secret)
-{
- isc_hmacmd5_t ctx;
- isc_result_t result;
- isccc_region_t source, target;
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
-
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
- isc_hmacmd5_update(&ctx, data, length);
- isc_hmacmd5_sign(&ctx, digest);
- source.rstart = digest;
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
- target.rstart = digestb64;
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
- result = isccc_base64_encode(&source, 64, "", &target);
- if (result != ISC_R_SUCCESS)
- return (result);
- PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
- isccc_region_t *secret)
-{
- unsigned char *hmd5_rstart, *signed_rstart;
- isc_result_t result;
-
- if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
- return (ISC_R_NOSPACE);
- /*
- * Emit protocol version.
- */
- PUT32(1, target->rstart);
- if (secret != NULL) {
- /*
- * Emit _auth section with zeroed HMAC-MD5 signature.
- * We'll replace the zeros with the real signature once
- * we know what it is.
- */
- hmd5_rstart = target->rstart + HMD5_OFFSET;
- PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
- } else
- hmd5_rstart = NULL;
- signed_rstart = target->rstart;
- /*
- * Delete any existing _auth section so that we don't try
- * to encode it.
- */
- isccc_alist_delete(alist, "_auth");
- /*
- * Emit the message.
- */
- result = table_towire(alist, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- if (secret != NULL)
- return (sign(signed_rstart, (target->rstart - signed_rstart),
- hmd5_rstart, secret));
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
- isccc_region_t *secret)
-{
- isc_hmacmd5_t ctx;
- isccc_region_t source;
- isccc_region_t target;
- isc_result_t result;
- isccc_sexpr_t *_auth, *hmd5;
- unsigned char digest[ISC_MD5_DIGESTLENGTH];
- unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
-
- /*
- * Extract digest.
- */
- _auth = isccc_alist_lookup(alist, "_auth");
- if (_auth == NULL)
- return (ISC_R_FAILURE);
- hmd5 = isccc_alist_lookup(_auth, "hmd5");
- if (hmd5 == NULL)
- return (ISC_R_FAILURE);
- /*
- * Compute digest.
- */
- isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
- isc_hmacmd5_update(&ctx, data, length);
- isc_hmacmd5_sign(&ctx, digest);
- source.rstart = digest;
- source.rend = digest + ISC_MD5_DIGESTLENGTH;
- target.rstart = digestb64;
- target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
- result = isccc_base64_encode(&source, 64, "", &target);
- if (result != ISC_R_SUCCESS)
- return (result);
- /*
- * Strip trailing == and NUL terminate target.
- */
- target.rstart -= 2;
- *target.rstart++ = '\0';
- /*
- * Verify.
- */
- if (strcmp((char *)digestb64, isccc_sexpr_tostring(hmd5)) != 0)
- return (ISCCC_R_BADAUTH);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- isccc_sexpr_t **alistp);
-
-static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
-
-static isc_result_t
-value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
-{
- unsigned int msgtype;
- isc_uint32_t len;
- isccc_sexpr_t *value;
- isccc_region_t active;
- isc_result_t result;
-
- if (REGION_SIZE(*source) < 1 + 4)
- return (ISC_R_UNEXPECTEDEND);
- GET8(msgtype, source->rstart);
- GET32(len, source->rstart);
- if (REGION_SIZE(*source) < len)
- return (ISC_R_UNEXPECTEDEND);
- active.rstart = source->rstart;
- active.rend = active.rstart + len;
- source->rstart = active.rend;
- if (msgtype == ISCCC_CCMSGTYPE_BINARYDATA) {
- value = isccc_sexpr_frombinary(&active);
- if (value != NULL) {
- *valuep = value;
- result = ISC_R_SUCCESS;
- } else
- result = ISC_R_NOMEMORY;
- } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
- result = table_fromwire(&active, NULL, valuep);
- else if (msgtype == ISCCC_CCMSGTYPE_LIST)
- result = list_fromwire(&active, valuep);
- else
- result = ISCCC_R_SYNTAX;
-
- return (result);
-}
-
-static isc_result_t
-table_fromwire(isccc_region_t *source, isccc_region_t *secret,
- isccc_sexpr_t **alistp)
-{
- char key[256];
- isc_uint32_t len;
- isc_result_t result;
- isccc_sexpr_t *alist, *value;
- isc_boolean_t first_tag;
- unsigned char *checksum_rstart;
-
- REQUIRE(alistp != NULL && *alistp == NULL);
-
- checksum_rstart = NULL;
- first_tag = ISC_TRUE;
- alist = isccc_alist_create();
- if (alist == NULL)
- return (ISC_R_NOMEMORY);
-
- while (!REGION_EMPTY(*source)) {
- GET8(len, source->rstart);
- if (REGION_SIZE(*source) < len) {
- result = ISC_R_UNEXPECTEDEND;
- goto bad;
- }
- GET_MEM(key, len, source->rstart);
- key[len] = '\0'; /* Ensure NUL termination. */
- value = NULL;
- result = value_fromwire(source, &value);
- if (result != ISC_R_SUCCESS)
- goto bad;
- if (isccc_alist_define(alist, key, value) == NULL) {
- result = ISC_R_NOMEMORY;
- goto bad;
- }
- if (first_tag && secret != NULL && strcmp(key, "_auth") == 0)
- checksum_rstart = source->rstart;
- first_tag = ISC_FALSE;
- }
-
- *alistp = alist;
-
- if (secret != NULL) {
- if (checksum_rstart != NULL)
- return (verify(alist, checksum_rstart,
- (source->rend - checksum_rstart),
- secret));
- return (ISCCC_R_BADAUTH);
- }
-
- return (ISC_R_SUCCESS);
-
- bad:
- isccc_sexpr_free(&alist);
-
- return (result);
-}
-
-static isc_result_t
-list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp)
-{
- isccc_sexpr_t *list, *value;
- isc_result_t result;
-
- list = NULL;
- while (!REGION_EMPTY(*source)) {
- value = NULL;
- result = value_fromwire(source, &value);
- if (result != ISC_R_SUCCESS) {
- isccc_sexpr_free(&list);
- return (result);
- }
- if (isccc_sexpr_addtolist(&list, value) == NULL) {
- isccc_sexpr_free(&value);
- isccc_sexpr_free(&list);
- return (result);
- }
- }
-
- *listp = list;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
- isccc_region_t *secret)
-{
- unsigned int size;
- isc_uint32_t version;
-
- size = REGION_SIZE(*source);
- if (size < 4)
- return (ISC_R_UNEXPECTEDEND);
- GET32(version, source->rstart);
- if (version != 1)
- return (ISCCC_R_UNKNOWNVERSION);
-
- return (table_fromwire(source, secret, alistp));
-}
-
-static isc_result_t
-createmessage(isc_uint32_t version, const char *from, const char *to,
- isc_uint32_t serial, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp,
- isc_boolean_t want_expires)
-{
- isccc_sexpr_t *alist, *_ctrl, *_data;
- isc_result_t result;
-
- REQUIRE(alistp != NULL && *alistp == NULL);
-
- if (version != 1)
- return (ISCCC_R_UNKNOWNVERSION);
-
- alist = isccc_alist_create();
- if (alist == NULL)
- return (ISC_R_NOMEMORY);
-
- result = ISC_R_NOMEMORY;
-
- _ctrl = isccc_alist_create();
- _data = isccc_alist_create();
- if (_ctrl == NULL || _data == NULL)
- goto bad;
- if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL ||
- isccc_alist_define(alist, "_data", _data) == NULL)
- goto bad;
- if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL ||
- isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL ||
- (want_expires &&
- isccc_cc_defineuint32(_ctrl, "_exp", expires) == NULL))
- goto bad;
- if (from != NULL &&
- isccc_cc_definestring(_ctrl, "_frm", from) == NULL)
- goto bad;
- if (to != NULL &&
- isccc_cc_definestring(_ctrl, "_to", to) == NULL)
- goto bad;
-
- *alistp = alist;
-
- return (ISC_R_SUCCESS);
-
- bad:
- isccc_sexpr_free(&alist);
-
- return (result);
-}
-
-isc_result_t
-isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
- isc_uint32_t serial, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp)
-{
- return (createmessage(version, from, to, serial, now, expires,
- alistp, ISC_TRUE));
-}
-
-isc_result_t
-isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
- isccc_sexpr_t **ackp)
-{
- char *_frm, *_to;
- isc_uint32_t serial;
- isccc_sexpr_t *ack, *_ctrl;
- isc_result_t result;
- isccc_time_t t;
-
- REQUIRE(ackp != NULL && *ackp == NULL);
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL ||
- isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
- isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
- /*
- * _frm and _to are optional.
- */
- _frm = NULL;
- (void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
- _to = NULL;
- (void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
- /*
- * Create the ack.
- */
- ack = NULL;
- result = createmessage(1, _to, _frm, serial, t, 0, &ack, ISC_FALSE);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- _ctrl = isccc_alist_lookup(ack, "_ctrl");
- if (_ctrl == NULL)
- return (ISC_R_FAILURE);
- if (isccc_cc_definestring(ack, "_ack", (ok) ? "1" : "0") == NULL) {
- result = ISC_R_NOMEMORY;
- goto bad;
- }
-
- *ackp = ack;
-
- return (ISC_R_SUCCESS);
-
- bad:
- isccc_sexpr_free(&ack);
-
- return (result);
-}
-
-isc_boolean_t
-isccc_cc_isack(isccc_sexpr_t *message)
-{
- isccc_sexpr_t *_ctrl;
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL)
- return (ISC_FALSE);
- if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_cc_isreply(isccc_sexpr_t *message)
-{
- isccc_sexpr_t *_ctrl;
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL)
- return (ISC_FALSE);
- if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_result_t
-isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp)
-{
- char *_frm, *_to, *type;
- isc_uint32_t serial;
- isccc_sexpr_t *alist, *_ctrl, *_data;
- isc_result_t result;
-
- REQUIRE(alistp != NULL && *alistp == NULL);
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
- _data = isccc_alist_lookup(message, "_data");
- if (_ctrl == NULL ||
- _data == NULL ||
- isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
- isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
- /*
- * _frm and _to are optional.
- */
- _frm = NULL;
- (void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
- _to = NULL;
- (void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
- /*
- * Create the response.
- */
- alist = NULL;
- result = isccc_cc_createmessage(1, _to, _frm, serial, now, expires,
- &alist);
- if (result != ISC_R_SUCCESS)
- return (result);
- _ctrl = isccc_alist_lookup(alist, "_ctrl");
- if (_ctrl == NULL)
- return (ISC_R_FAILURE);
- _data = isccc_alist_lookup(alist, "_data");
- if (_data == NULL)
- return (ISC_R_FAILURE);
- if (isccc_cc_definestring(_ctrl, "_rpl", "1") == NULL ||
- isccc_cc_definestring(_data, "type", type) == NULL) {
- isccc_sexpr_free(&alist);
- return (ISC_R_NOMEMORY);
- }
-
- *alistp = alist;
-
- return (ISC_R_SUCCESS);
-}
-
-isccc_sexpr_t *
-isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str)
-{
- size_t len;
- isccc_region_t r;
-
- len = strlen(str);
- DE_CONST(str, r.rstart);
- r.rend = r.rstart + len;
-
- return (isccc_alist_definebinary(alist, key, &r));
-}
-
-isccc_sexpr_t *
-isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i)
-{
- char b[100];
- size_t len;
- isccc_region_t r;
-
- snprintf(b, sizeof(b), "%u", i);
- len = strlen(b);
- r.rstart = (unsigned char *)b;
- r.rend = (unsigned char *)b + len;
-
- return (isccc_alist_definebinary(alist, key, &r));
-}
-
-isc_result_t
-isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
-{
- isccc_sexpr_t *kv, *v;
-
- kv = isccc_alist_assq(alist, key);
- if (kv != NULL) {
- v = ISCCC_SEXPR_CDR(kv);
- if (isccc_sexpr_binaryp(v)) {
- if (strp != NULL)
- *strp = isccc_sexpr_tostring(v);
- return (ISC_R_SUCCESS);
- } else
- return (ISC_R_EXISTS);
- }
-
- return (ISC_R_NOTFOUND);
-}
-
-isc_result_t
-isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
- isc_uint32_t *uintp)
-{
- isccc_sexpr_t *kv, *v;
-
- kv = isccc_alist_assq(alist, key);
- if (kv != NULL) {
- v = ISCCC_SEXPR_CDR(kv);
- if (isccc_sexpr_binaryp(v)) {
- if (uintp != NULL)
- *uintp = (isc_uint32_t)
- strtoul(isccc_sexpr_tostring(v),
- NULL, 10);
- return (ISC_R_SUCCESS);
- } else
- return (ISC_R_EXISTS);
- }
-
- return (ISC_R_NOTFOUND);
-}
-
-static void
-symtab_undefine(char *key, unsigned int type, isccc_symvalue_t value,
- void *arg)
-{
- UNUSED(type);
- UNUSED(value);
- UNUSED(arg);
-
- free(key);
-}
-
-static isc_boolean_t
-symtab_clean(char *key, unsigned int type, isccc_symvalue_t value,
- void *arg)
-{
- isccc_time_t *now;
-
- UNUSED(key);
- UNUSED(type);
-
- now = arg;
-
- if (*now < value.as_uinteger)
- return (ISC_FALSE);
- if ((*now - value.as_uinteger) < DUP_LIFETIME)
- return (ISC_FALSE);
- return (ISC_TRUE);
-}
-
-isc_result_t
-isccc_cc_createsymtab(isccc_symtab_t **symtabp)
-{
- return (isccc_symtab_create(11897, symtab_undefine, NULL, ISC_FALSE,
- symtabp));
-}
-
-void
-isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now)
-{
- isccc_symtab_foreach(symtab, symtab_clean, &now);
-}
-
-static isc_boolean_t
-has_whitespace(const char *str)
-{
- char c;
-
- if (str == NULL)
- return (ISC_FALSE);
- while ((c = *str++) != '\0') {
- if (c == ' ' || c == '\t' || c == '\n')
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
-}
-
-isc_result_t
-isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
- isccc_time_t now)
-{
- const char *_frm;
- const char *_to;
- char *_ser, *_tim, *tmp;
- isc_result_t result;
- char *key;
- size_t len;
- isccc_symvalue_t value;
- isccc_sexpr_t *_ctrl;
-
- _ctrl = isccc_alist_lookup(message, "_ctrl");
- if (_ctrl == NULL ||
- isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
- isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
- return (ISC_R_FAILURE);
- /*
- * _frm and _to are optional.
- */
- if (isccc_cc_lookupstring(_ctrl, "_frm", &tmp) != ISC_R_SUCCESS)
- _frm = "";
- else
- _frm = tmp;
- if (isccc_cc_lookupstring(_ctrl, "_to", &tmp) != ISC_R_SUCCESS)
- _to = "";
- else
- _to = tmp;
- /*
- * Ensure there is no newline in any of the strings. This is so
- * we can write them to a file later.
- */
- if (has_whitespace(_frm) || has_whitespace(_to) ||
- has_whitespace(_ser) || has_whitespace(_tim))
- return (ISC_R_FAILURE);
- len = strlen(_frm) + strlen(_to) + strlen(_ser) + strlen(_tim) + 4;
- key = malloc(len);
- if (key == NULL)
- return (ISC_R_NOMEMORY);
- snprintf(key, len, "%s;%s;%s;%s", _frm, _to, _ser, _tim);
- value.as_uinteger = now;
- result = isccc_symtab_define(symtab, key, ISCCC_SYMTYPE_CCDUP, value,
- isccc_symexists_reject);
- if (result != ISC_R_SUCCESS) {
- free(key);
- return (result);
- }
-
- return (ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isccc/ccmsg.c b/contrib/bind9/lib/isccc/ccmsg.c
deleted file mode 100644
index fc5fae8aa3a4..000000000000
--- a/contrib/bind9/lib/isccc/ccmsg.c
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ccmsg.c,v 1.4.206.1 2004/03/06 08:15:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/task.h>
-#include <isc/util.h>
-
-#include <isccc/events.h>
-#include <isccc/ccmsg.h>
-
-#define CCMSG_MAGIC ISC_MAGIC('C', 'C', 'm', 's')
-#define VALID_CCMSG(foo) ISC_MAGIC_VALID(foo, CCMSG_MAGIC)
-
-static void recv_length(isc_task_t *, isc_event_t *);
-static void recv_message(isc_task_t *, isc_event_t *);
-
-
-static void
-recv_length(isc_task_t *task, isc_event_t *ev_in) {
- isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
- isc_event_t *dev;
- isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
- isc_region_t region;
- isc_result_t result;
-
- INSIST(VALID_CCMSG(ccmsg));
-
- dev = &ccmsg->event;
-
- if (ev->result != ISC_R_SUCCESS) {
- ccmsg->result = ev->result;
- goto send_and_free;
- }
-
- /*
- * Success.
- */
- ccmsg->size = ntohl(ccmsg->size);
- if (ccmsg->size == 0) {
- ccmsg->result = ISC_R_UNEXPECTEDEND;
- goto send_and_free;
- }
- if (ccmsg->size > ccmsg->maxsize) {
- ccmsg->result = ISC_R_RANGE;
- goto send_and_free;
- }
-
- region.base = isc_mem_get(ccmsg->mctx, ccmsg->size);
- region.length = ccmsg->size;
- if (region.base == NULL) {
- ccmsg->result = ISC_R_NOMEMORY;
- goto send_and_free;
- }
-
- isc_buffer_init(&ccmsg->buffer, region.base, region.length);
- result = isc_socket_recv(ccmsg->sock, &region, 0,
- task, recv_message, ccmsg);
- if (result != ISC_R_SUCCESS) {
- ccmsg->result = result;
- goto send_and_free;
- }
-
- isc_event_free(&ev_in);
- return;
-
- send_and_free:
- isc_task_send(ccmsg->task, &dev);
- ccmsg->task = NULL;
- isc_event_free(&ev_in);
- return;
-}
-
-static void
-recv_message(isc_task_t *task, isc_event_t *ev_in) {
- isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
- isc_event_t *dev;
- isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
-
- (void)task;
-
- INSIST(VALID_CCMSG(ccmsg));
-
- dev = &ccmsg->event;
-
- if (ev->result != ISC_R_SUCCESS) {
- ccmsg->result = ev->result;
- goto send_and_free;
- }
-
- ccmsg->result = ISC_R_SUCCESS;
- isc_buffer_add(&ccmsg->buffer, ev->n);
- ccmsg->address = ev->address;
-
- send_and_free:
- isc_task_send(ccmsg->task, &dev);
- ccmsg->task = NULL;
- isc_event_free(&ev_in);
-}
-
-void
-isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg) {
- REQUIRE(mctx != NULL);
- REQUIRE(sock != NULL);
- REQUIRE(ccmsg != NULL);
-
- ccmsg->magic = CCMSG_MAGIC;
- ccmsg->size = 0;
- ccmsg->buffer.base = NULL;
- ccmsg->buffer.length = 0;
- ccmsg->maxsize = 4294967295U; /* Largest message possible. */
- ccmsg->mctx = mctx;
- ccmsg->sock = sock;
- ccmsg->task = NULL; /* None yet. */
- ccmsg->result = ISC_R_UNEXPECTED; /* None yet. */
- /*
- * Should probably initialize the event here, but it can wait.
- */
-}
-
-
-void
-isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize) {
- REQUIRE(VALID_CCMSG(ccmsg));
-
- ccmsg->maxsize = maxsize;
-}
-
-
-isc_result_t
-isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
- isc_task_t *task, isc_taskaction_t action, void *arg)
-{
- isc_result_t result;
- isc_region_t region;
-
- REQUIRE(VALID_CCMSG(ccmsg));
- REQUIRE(task != NULL);
- REQUIRE(ccmsg->task == NULL); /* not currently in use */
-
- if (ccmsg->buffer.base != NULL) {
- isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
- ccmsg->buffer.length);
- ccmsg->buffer.base = NULL;
- ccmsg->buffer.length = 0;
- }
-
- ccmsg->task = task;
- ccmsg->action = action;
- ccmsg->arg = arg;
- ccmsg->result = ISC_R_UNEXPECTED; /* unknown right now */
-
- ISC_EVENT_INIT(&ccmsg->event, sizeof(isc_event_t), 0, 0,
- ISCCC_EVENT_CCMSG, action, arg, ccmsg,
- NULL, NULL);
-
- region.base = (unsigned char *)&ccmsg->size;
- region.length = 4; /* isc_uint32_t */
- result = isc_socket_recv(ccmsg->sock, &region, 0,
- ccmsg->task, recv_length, ccmsg);
-
- if (result != ISC_R_SUCCESS)
- ccmsg->task = NULL;
-
- return (result);
-}
-
-void
-isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg) {
- REQUIRE(VALID_CCMSG(ccmsg));
-
- isc_socket_cancel(ccmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
-}
-
-#if 0
-void
-isccc_ccmsg_freebuffer(isccc_ccmsg_t *ccmsg) {
- REQUIRE(VALID_CCMSG(ccmsg));
-
- if (ccmsg->buffer.base == NULL)
- return;
-
- isc_mem_put(ccmsg->mctx, ccmsg->buffer.base, ccmsg->buffer.length);
- ccmsg->buffer.base = NULL;
- ccmsg->buffer.length = 0;
-}
-#endif
-
-void
-isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg) {
- REQUIRE(VALID_CCMSG(ccmsg));
-
- ccmsg->magic = 0;
-
- if (ccmsg->buffer.base != NULL) {
- isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
- ccmsg->buffer.length);
- ccmsg->buffer.base = NULL;
- ccmsg->buffer.length = 0;
- }
-}
diff --git a/contrib/bind9/lib/isccc/include/Makefile.in b/contrib/bind9/lib/isccc/include/Makefile.in
deleted file mode 100644
index 91a2bca73e8c..000000000000
--- a/contrib/bind9/lib/isccc/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:15:20 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = isccc
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isccc/include/isccc/Makefile.in b/contrib/bind9/lib/isccc/include/isccc/Makefile.in
deleted file mode 100644
index b86e50cf39e2..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.3.12.3 2004/03/08 09:05:05 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated. The latter are handled specially in the
-# install target below.
-#
-HEADERS = alist.h base64.h cc.h ccmsg.h events.h lib.h result.h \
- sexpr.h symtab.h symtype.h types.h util.h version.h
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccc
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccc ; \
- done
diff --git a/contrib/bind9/lib/isccc/include/isccc/alist.h b/contrib/bind9/lib/isccc/include/isccc/alist.h
deleted file mode 100644
index 409c48b817cb..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/alist.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: alist.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
-
-#ifndef ISCCC_ALIST_H
-#define ISCCC_ALIST_H 1
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-isccc_sexpr_t *
-isccc_alist_create(void);
-
-isc_boolean_t
-isccc_alist_alistp(isccc_sexpr_t *alist);
-
-isc_boolean_t
-isccc_alist_emptyp(isccc_sexpr_t *alist);
-
-isccc_sexpr_t *
-isccc_alist_first(isccc_sexpr_t *alist);
-
-isccc_sexpr_t *
-isccc_alist_assq(isccc_sexpr_t *alist, const char *key);
-
-void
-isccc_alist_delete(isccc_sexpr_t *alist, const char *key);
-
-isccc_sexpr_t *
-isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value);
-
-isccc_sexpr_t *
-isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
-
-isccc_sexpr_t *
-isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r);
-
-isccc_sexpr_t *
-isccc_alist_lookup(isccc_sexpr_t *alist, const char *key);
-
-isc_result_t
-isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
-
-isc_result_t
-isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r);
-
-void
-isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_ALIST_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/base64.h b/contrib/bind9/lib/isccc/include/isccc/base64.h
deleted file mode 100644
index 14fbe577b704..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/base64.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: base64.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
-
-#ifndef ISCCC_BASE64_H
-#define ISCCC_BASE64_H 1
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-/***
- *** Functions
- ***/
-
-isc_result_t
-isccc_base64_encode(isccc_region_t *source, int wordlength,
- const char *wordbreak, isccc_region_t *target);
-/*
- * Convert data into base64 encoded text.
- *
- * Notes:
- * The base64 encoded text in 'target' will be divided into
- * words of at most 'wordlength' characters, separated by
- * the 'wordbreak' string. No parentheses will surround
- * the text.
- *
- * Requires:
- * 'source' is a region containing binary data.
- * 'target' is a text region containing available space.
- * 'wordbreak' points to a null-terminated string of
- * zero or more whitespace characters.
- */
-
-isc_result_t
-isccc_base64_decode(const char *cstr, isccc_region_t *target);
-/*
- * Decode a null-terminated base64 string.
- *
- * Requires:
- * 'cstr' is non-null.
- * 'target' is a valid region.
- *
- * Returns:
- * ISC_R_SUCCESS -- the entire decoded representation of 'cstring'
- * fit in 'target'.
- * ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
- * ISC_R_NOSPACE -- 'target' is not big enough.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_BASE64_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/cc.h b/contrib/bind9/lib/isccc/include/isccc/cc.h
deleted file mode 100644
index aedf1f75700a..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/cc.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cc.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
-
-#ifndef ISCCC_CC_H
-#define ISCCC_CC_H 1
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-#define ISCCC_CC_MAXDGRAMPACKET 4096
-
-#define ISCCC_CCMSGTYPE_STRING 0x00
-#define ISCCC_CCMSGTYPE_BINARYDATA 0x01
-#define ISCCC_CCMSGTYPE_TABLE 0x02
-#define ISCCC_CCMSGTYPE_LIST 0x03
-
-isc_result_t
-isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
- isccc_region_t *secret);
-
-isc_result_t
-isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
- isccc_region_t *secret);
-
-isc_result_t
-isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
- isc_uint32_t serial, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp);
-
-isc_result_t
-isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
- isccc_sexpr_t **ackp);
-
-isc_boolean_t
-isccc_cc_isack(isccc_sexpr_t *message);
-
-isc_boolean_t
-isccc_cc_isreply(isccc_sexpr_t *message);
-
-isc_result_t
-isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
- isccc_time_t expires, isccc_sexpr_t **alistp);
-
-isccc_sexpr_t *
-isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
-
-isccc_sexpr_t *
-isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i);
-
-isc_result_t
-isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
-
-isc_result_t
-isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
- isc_uint32_t *uintp);
-
-isc_result_t
-isccc_cc_createsymtab(isccc_symtab_t **symtabp);
-
-void
-isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
-
-isc_result_t
-isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
- isccc_time_t now);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_CC_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/ccmsg.h b/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
deleted file mode 100644
index 54734bb22f36..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ccmsg.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
-
-#ifndef ISCCC_CCMSG_H
-#define ISCCC_CCMSG_H 1
-
-#include <isc/buffer.h>
-#include <isc/lang.h>
-#include <isc/socket.h>
-
-typedef struct isccc_ccmsg {
- /* private (don't touch!) */
- unsigned int magic;
- isc_uint32_t size;
- isc_buffer_t buffer;
- unsigned int maxsize;
- isc_mem_t *mctx;
- isc_socket_t *sock;
- isc_task_t *task;
- isc_taskaction_t action;
- void *arg;
- isc_event_t event;
- /* public (read-only) */
- isc_result_t result;
- isc_sockaddr_t address;
-} isccc_ccmsg_t;
-
-ISC_LANG_BEGINDECLS
-
-void
-isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg);
-/*
- * Associate a cc message state with a given memory context and
- * TCP socket.
- *
- * Requires:
- *
- * "mctx" and "sock" be non-NULL and valid types.
- *
- * "sock" be a read/write TCP socket.
- *
- * "ccmsg" be non-NULL and an uninitialized or invalidated structure.
- *
- * Ensures:
- *
- * "ccmsg" is a valid structure.
- */
-
-void
-isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize);
-/*
- * Set the maximum packet size to "maxsize"
- *
- * Requires:
- *
- * "ccmsg" be valid.
- *
- * 512 <= "maxsize" <= 4294967296
- */
-
-isc_result_t
-isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
- isc_task_t *task, isc_taskaction_t action, void *arg);
-/*
- * Schedule an event to be delivered when a command channel message is
- * readable, or when an error occurs on the socket.
- *
- * Requires:
- *
- * "ccmsg" be valid.
- *
- * "task", "taskaction", and "arg" be valid.
- *
- * Returns:
- *
- * ISC_R_SUCCESS -- no error
- * Anything that the isc_socket_recv() call can return. XXXMLG
- *
- * Notes:
- *
- * The event delivered is a fully generic event. It will contain no
- * actual data. The sender will be a pointer to the isccc_ccmsg_t.
- * The result code inside that structure should be checked to see
- * what the final result was.
- */
-
-void
-isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg);
-/*
- * Cancel a readmessage() call. The event will still be posted with a
- * CANCELED result code.
- *
- * Requires:
- *
- * "ccmsg" be valid.
- */
-
-void
-isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg);
-/*
- * Clean up all allocated state, and invalidate the structure.
- *
- * Requires:
- *
- * "ccmsg" be valid.
- *
- * Ensures:
- *
- * "ccmsg" is invalidated and disassociated with all memory contexts,
- * sockets, etc.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_CCMSG_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/events.h b/contrib/bind9/lib/isccc/include/isccc/events.h
deleted file mode 100644
index b78fc6581e56..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/events.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: events.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
-
-#ifndef ISCCC_EVENTS_H
-#define ISCCC_EVENTS_H 1
-
-#include <isc/eventclass.h>
-
-/*
- * Registry of ISCCC event numbers.
- */
-
-#define ISCCC_EVENT_CCMSG (ISC_EVENTCLASS_ISCCC + 0)
-
-#define ISCCC_EVENT_FIRSTEVENT (ISC_EVENTCLASS_ISCCC + 0)
-#define ISCCC_EVENT_LASTEVENT (ISC_EVENTCLASS_ISCCC + 65535)
-
-#endif /* ISCCC_EVENTS_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/lib.h b/contrib/bind9/lib/isccc/include/isccc/lib.h
deleted file mode 100644
index a57357d28005..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/lib.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.h,v 1.2.12.3 2004/03/08 09:05:05 marka Exp $ */
-
-#ifndef ISCCC_LIB_H
-#define ISCCC_LIB_H 1
-
-#include <isc/types.h>
-#include <isc/lang.h>
-
-ISC_LANG_BEGINDECLS
-
-LIBISCCC_EXTERNAL_DATA extern isc_msgcat_t *isccc_msgcat;
-
-void
-isccc_lib_initmsgcat(void);
-/*
- * Initialize the ISCCC library's message catalog, isccc_msgcat, if it
- * has not already been initialized.
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_LIB_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/result.h b/contrib/bind9/lib/isccc/include/isccc/result.h
deleted file mode 100644
index 33bbb4fc0c36..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/result.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001, 2003 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.3.2.2.2.1 2004/03/06 08:15:22 marka Exp $ */
-
-#ifndef ISCCC_RESULT_H
-#define ISCCC_RESULT_H 1
-
-#include <isc/lang.h>
-#include <isc/resultclass.h>
-#include <isc/result.h>
-
-#include <isccc/types.h>
-
-#define ISCCC_R_UNKNOWNVERSION (ISC_RESULTCLASS_ISCCC + 0)
-#define ISCCC_R_SYNTAX (ISC_RESULTCLASS_ISCCC + 1)
-#define ISCCC_R_BADAUTH (ISC_RESULTCLASS_ISCCC + 2)
-#define ISCCC_R_EXPIRED (ISC_RESULTCLASS_ISCCC + 3)
-#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
-#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
-
-#define ISCCC_R_NRESULTS 6 /* Number of results */
-
-ISC_LANG_BEGINDECLS
-
-const char *
-isccc_result_totext(isc_result_t result);
-/*
- * Convert a isccc_result_t into a string message describing the result.
- */
-
-void
-isccc_result_register(void);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_RESULT_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/sexpr.h b/contrib/bind9/lib/isccc/include/isccc/sexpr.h
deleted file mode 100644
index 0195a9469454..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/sexpr.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sexpr.h,v 1.3.206.1 2004/03/06 08:15:22 marka Exp $ */
-
-#ifndef ISCCC_SEXPR_H
-#define ISCCC_SEXPR_H 1
-
-#include <stdio.h>
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-ISC_LANG_BEGINDECLS
-
-struct isccc_dottedpair {
- isccc_sexpr_t *car;
- isccc_sexpr_t *cdr;
-};
-
-struct isccc_sexpr {
- unsigned int type;
- union {
- char * as_string;
- isccc_dottedpair_t as_dottedpair;
- isccc_region_t as_region;
- } value;
-};
-
-#define ISCCC_SEXPRTYPE_NONE 0x00 /* Illegal. */
-#define ISCCC_SEXPRTYPE_T 0x01
-#define ISCCC_SEXPRTYPE_STRING 0x02
-#define ISCCC_SEXPRTYPE_DOTTEDPAIR 0x03
-#define ISCCC_SEXPRTYPE_BINARY 0x04
-
-#define ISCCC_SEXPR_CAR(s) (s)->value.as_dottedpair.car
-#define ISCCC_SEXPR_CDR(s) (s)->value.as_dottedpair.cdr
-
-isccc_sexpr_t *
-isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr);
-
-isccc_sexpr_t *
-isccc_sexpr_tconst(void);
-
-isccc_sexpr_t *
-isccc_sexpr_fromstring(const char *str);
-
-isccc_sexpr_t *
-isccc_sexpr_frombinary(const isccc_region_t *region);
-
-void
-isccc_sexpr_free(isccc_sexpr_t **sexprp);
-
-void
-isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream);
-
-isccc_sexpr_t *
-isccc_sexpr_car(isccc_sexpr_t *list);
-
-isccc_sexpr_t *
-isccc_sexpr_cdr(isccc_sexpr_t *list);
-
-void
-isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car);
-
-void
-isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr);
-
-isccc_sexpr_t *
-isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2);
-
-isc_boolean_t
-isccc_sexpr_listp(isccc_sexpr_t *sexpr);
-
-isc_boolean_t
-isccc_sexpr_emptyp(isccc_sexpr_t *sexpr);
-
-isc_boolean_t
-isccc_sexpr_stringp(isccc_sexpr_t *sexpr);
-
-isc_boolean_t
-isccc_sexpr_binaryp(isccc_sexpr_t *sexpr);
-
-char *
-isccc_sexpr_tostring(isccc_sexpr_t *sexpr);
-
-isccc_region_t *
-isccc_sexpr_tobinary(isccc_sexpr_t *sexpr);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_SEXPR_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtab.h b/contrib/bind9/lib/isccc/include/isccc/symtab.h
deleted file mode 100644
index 53f30e7abda0..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/symtab.h
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtab.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
-
-#ifndef ISCCC_SYMTAB_H
-#define ISCCC_SYMTAB_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Symbol Table
- *
- * Provides a simple memory-based symbol table.
- *
- * Keys are C strings. A type may be specified when looking up,
- * defining, or undefining. A type value of 0 means "match any type";
- * any other value will only match the given type.
- *
- * It's possible that a client will attempt to define a <key, type,
- * value> tuple when a tuple with the given key and type already
- * exists in the table. What to do in this case is specified by the
- * client. Possible policies are:
- *
- * isccc_symexists_reject Disallow the define, returning ISC_R_EXISTS
- * isccc_symexists_replace Replace the old value with the new. The
- * undefine action (if provided) will be called
- * with the old <key, type, value> tuple.
- * isccc_symexists_add Add the new tuple, leaving the old tuple in
- * the table. Subsequent lookups will retrieve
- * the most-recently-defined tuple.
- *
- * A lookup of a key using type 0 will return the most-recently
- * defined symbol with that key. An undefine of a key using type 0
- * will undefine the most-recently defined symbol with that key.
- * Trying to define a key with type 0 is illegal.
- *
- * The symbol table library does not make a copy the key field, so the
- * caller must ensure that any key it passes to isccc_symtab_define()
- * will not change until it calls isccc_symtab_undefine() or
- * isccc_symtab_destroy().
- *
- * A user-specified action will be called (if provided) when a symbol
- * is undefined. It can be used to free memory associated with keys
- * and/or values.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <isc/lang.h>
-#include <isccc/types.h>
-
-/***
- *** Symbol Tables.
- ***/
-
-typedef union isccc_symvalue {
- void * as_pointer;
- int as_integer;
- unsigned int as_uinteger;
-} isccc_symvalue_t;
-
-typedef void (*isccc_symtabundefaction_t)(char *key, unsigned int type,
- isccc_symvalue_t value, void *userarg);
-
-typedef isc_boolean_t (*isccc_symtabforeachaction_t)(char *key,
- unsigned int type,
- isccc_symvalue_t value,
- void *userarg);
-
-typedef enum {
- isccc_symexists_reject = 0,
- isccc_symexists_replace = 1,
- isccc_symexists_add = 2
-} isccc_symexists_t;
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-isccc_symtab_create(unsigned int size,
- isccc_symtabundefaction_t undefine_action, void *undefine_arg,
- isc_boolean_t case_sensitive, isccc_symtab_t **symtabp);
-
-void
-isccc_symtab_destroy(isccc_symtab_t **symtabp);
-
-isc_result_t
-isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
- isccc_symvalue_t *value);
-
-isc_result_t
-isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
- isccc_symvalue_t value, isccc_symexists_t exists_policy);
-
-isc_result_t
-isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type);
-
-void
-isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
- void *arg);
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCC_SYMTAB_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtype.h b/contrib/bind9/lib/isccc/include/isccc/symtype.h
deleted file mode 100644
index 2c15603ec3e4..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/symtype.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtype.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
-
-#ifndef ISCCC_SYMTYPE_H
-#define ISCCC_SYMTYPE_H 1
-
-#define ISCCC_SYMTYPE_ZONESTATS 0x0001
-#define ISCCC_SYMTYPE_CCDUP 0x0002
-#define ISCCC_SYMTYPE_TELLSERVICE 0x0003
-#define ISCCC_SYMTYPE_TELLRESPONSE 0x0004
-
-#endif /* ISCCC_SYMTYPE_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/types.h b/contrib/bind9/lib/isccc/include/isccc/types.h
deleted file mode 100644
index 9b21ca152488..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/types.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: types.h,v 1.2.206.1 2004/03/06 08:15:23 marka Exp $ */
-
-#ifndef ISCCC_TYPES_H
-#define ISCCC_TYPES_H 1
-
-#include <isc/boolean.h>
-#include <isc/int.h>
-#include <isc/result.h>
-
-typedef isc_uint32_t isccc_time_t;
-typedef struct isccc_sexpr isccc_sexpr_t;
-typedef struct isccc_dottedpair isccc_dottedpair_t;
-typedef struct isccc_symtab isccc_symtab_t;
-
-typedef struct isccc_region {
- unsigned char * rstart;
- unsigned char * rend;
-} isccc_region_t;
-
-#endif /* ISCCC_TYPES_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/util.h b/contrib/bind9/lib/isccc/include/isccc/util.h
deleted file mode 100644
index 84425867d698..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/util.h
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: util.h,v 1.3.206.1 2004/03/06 08:15:23 marka Exp $ */
-
-#ifndef ISCCC_UTIL_H
-#define ISCCC_UTIL_H 1
-
-#include <isc/util.h>
-
-/*
- * Macros for dealing with unaligned numbers.
- *
- * Note: no side effects are allowed when invoking these macros!
- */
-
-#define GET8(v, w) \
- do { \
- v = *w; \
- w++; \
- } while (0)
-
-#define GET16(v, w) \
- do { \
- v = (unsigned int)w[0] << 8; \
- v |= (unsigned int)w[1]; \
- w += 2; \
- } while (0)
-
-#define GET24(v, w) \
- do { \
- v = (unsigned int)w[0] << 16; \
- v |= (unsigned int)w[1] << 8; \
- v |= (unsigned int)w[2]; \
- w += 3; \
- } while (0)
-
-#define GET32(v, w) \
- do { \
- v = (unsigned int)w[0] << 24; \
- v |= (unsigned int)w[1] << 16; \
- v |= (unsigned int)w[2] << 8; \
- v |= (unsigned int)w[3]; \
- w += 4; \
- } while (0)
-
-#define GET64(v, w) \
- do { \
- v = (isc_uint64_t)w[0] << 56; \
- v |= (isc_uint64_t)w[1] << 48; \
- v |= (isc_uint64_t)w[2] << 40; \
- v |= (isc_uint64_t)w[3] << 32; \
- v |= (isc_uint64_t)w[4] << 24; \
- v |= (isc_uint64_t)w[5] << 16; \
- v |= (isc_uint64_t)w[6] << 8; \
- v |= (isc_uint64_t)w[7]; \
- w += 8; \
- } while (0)
-
-#define GETC16(v, w, d) \
- do { \
- GET8(v, w); \
- if (v == 0) \
- d = ISCCC_TRUE; \
- else { \
- d = ISCCC_FALSE; \
- if (v == 255) \
- GET16(v, w); \
- } \
- } while (0)
-
-#define GETC32(v, w) \
- do { \
- GET24(v, w); \
- if (v == 0xffffffu) \
- GET32(v, w); \
- } while (0)
-
-#define GET_OFFSET(v, w) GET32(v, w)
-
-#define GET_MEM(v, c, w) \
- do { \
- memcpy(v, w, c); \
- w += c; \
- } while (0)
-
-#define GET_TYPE(v, w) \
- do { \
- GET8(v, w); \
- if (v > 127) { \
- if (v < 255) \
- v = ((v & 0x7f) << 16) | ISCCC_RDATATYPE_SIG; \
- else \
- GET32(v, w); \
- } \
- } while (0)
-
-#define PUT8(v, w) \
- do { \
- *w = (v & 0x000000ffU); \
- w++; \
- } while (0)
-
-#define PUT16(v, w) \
- do { \
- w[0] = (v & 0x0000ff00U) >> 8; \
- w[1] = (v & 0x000000ffU); \
- w += 2; \
- } while (0)
-
-#define PUT24(v, w) \
- do { \
- w[0] = (v & 0x00ff0000U) >> 16; \
- w[1] = (v & 0x0000ff00U) >> 8; \
- w[2] = (v & 0x000000ffU); \
- w += 3; \
- } while (0)
-
-#define PUT32(v, w) \
- do { \
- w[0] = (v & 0xff000000U) >> 24; \
- w[1] = (v & 0x00ff0000U) >> 16; \
- w[2] = (v & 0x0000ff00U) >> 8; \
- w[3] = (v & 0x000000ffU); \
- w += 4; \
- } while (0)
-
-#define PUT64(v, w) \
- do { \
- w[0] = (v & 0xff00000000000000ULL) >> 56; \
- w[1] = (v & 0x00ff000000000000ULL) >> 48; \
- w[2] = (v & 0x0000ff0000000000ULL) >> 40; \
- w[3] = (v & 0x000000ff00000000ULL) >> 32; \
- w[4] = (v & 0x00000000ff000000ULL) >> 24; \
- w[5] = (v & 0x0000000000ff0000ULL) >> 16; \
- w[6] = (v & 0x000000000000ff00ULL) >> 8; \
- w[7] = (v & 0x00000000000000ffULL); \
- w += 8; \
- } while (0)
-
-#define PUTC16(v, w) \
- do { \
- if (v > 0 && v < 255) \
- PUT8(v, w); \
- else { \
- PUT8(255, w); \
- PUT16(v, w); \
- } \
- } while (0)
-
-#define PUTC32(v, w) \
- do { \
- if (v < 0xffffffU) \
- PUT24(v, w); \
- else { \
- PUT24(0xffffffU, w); \
- PUT32(v, w); \
- } \
- } while (0)
-
-#define PUT_OFFSET(v, w) PUT32(v, w)
-
-#include <string.h>
-
-#define PUT_MEM(s, c, w) \
- do { \
- memcpy(w, s, c); \
- w += c; \
- } while (0)
-
-/*
- * Regions.
- */
-#define REGION_SIZE(r) ((unsigned int)((r).rend - (r).rstart))
-#define REGION_EMPTY(r) ((r).rstart == (r).rend)
-#define REGION_FROMSTRING(r, s) do { \
- (r).rstart = (unsigned char *)s; \
- (r).rend = (r).rstart + strlen(s); \
-} while (0)
-
-/*
- * Use this to remove the const qualifier of a variable to assign it to
- * a non-const variable or pass it as a non-const function argument ...
- * but only when you are sure it won't then be changed!
- * This is necessary to sometimes shut up some compilers
- * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
- * situation.
- */
-#define DE_CONST(konst, var) \
- do { \
- union { const void *k; void *v; } _u; \
- _u.k = konst; \
- var = _u.v; \
- } while (0)
-
-#endif /* ISCCC_UTIL_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/version.h b/contrib/bind9/lib/isccc/include/isccc/version.h
deleted file mode 100644
index 36a909c51494..000000000000
--- a/contrib/bind9/lib/isccc/include/isccc/version.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:05 marka Exp $ */
-
-#include <isc/platform.h>
-
-LIBISCCC_EXTERNAL_DATA extern const char isccc_version[];
-
-LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libinterface;
-LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_librevision;
-LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libage;
diff --git a/contrib/bind9/lib/isccc/lib.c b/contrib/bind9/lib/isccc/lib.c
deleted file mode 100644
index d37e28c768f0..000000000000
--- a/contrib/bind9/lib/isccc/lib.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lib.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
-
-#include <config.h>
-
-#include <stddef.h>
-
-#include <isc/once.h>
-#include <isc/msgcat.h>
-#include <isc/util.h>
-
-#include <isccc/lib.h>
-
-/***
- *** Globals
- ***/
-
-LIBISCCC_EXTERNAL_DATA isc_msgcat_t * isccc_msgcat = NULL;
-
-
-/***
- *** Private
- ***/
-
-static isc_once_t msgcat_once = ISC_ONCE_INIT;
-
-
-/***
- *** Functions
- ***/
-
-static void
-open_msgcat(void) {
- isc_msgcat_open("libisccc.cat", &isccc_msgcat);
-}
-
-void
-isccc_lib_initmsgcat(void) {
-
- /*
- * Initialize the DNS library's message catalog, isccc_msgcat, if it
- * has not already been initialized.
- */
-
- RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/isccc/result.c b/contrib/bind9/lib/isccc/result.c
deleted file mode 100644
index e63e85fa1473..000000000000
--- a/contrib/bind9/lib/isccc/result.c
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001, 2003 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.c,v 1.3.2.2.2.1 2004/03/06 08:15:19 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/once.h>
-#include <isc/util.h>
-
-#include <isccc/result.h>
-#include <isccc/lib.h>
-
-static const char *text[ISCCC_R_NRESULTS] = {
- "unknown version", /* 1 */
- "syntax error", /* 2 */
- "bad auth", /* 3 */
- "expired", /* 4 */
- "clock skew", /* 5 */
- "duplicate" /* 6 */
-};
-
-#define ISCCC_RESULT_RESULTSET 2
-
-static isc_once_t once = ISC_ONCE_INIT;
-
-static void
-initialize_action(void) {
- isc_result_t result;
-
- result = isc_result_register(ISC_RESULTCLASS_ISCCC, ISCCC_R_NRESULTS,
- text, isccc_msgcat,
- ISCCC_RESULT_RESULTSET);
- if (result != ISC_R_SUCCESS)
- UNEXPECTED_ERROR(__FILE__, __LINE__,
- "isc_result_register() failed: %u", result);
-}
-
-static void
-initialize(void) {
- isccc_lib_initmsgcat();
- RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
-}
-
-const char *
-isccc_result_totext(isc_result_t result) {
- initialize();
-
- return (isc_result_totext(result));
-}
-
-void
-isccc_result_register(void) {
- initialize();
-}
diff --git a/contrib/bind9/lib/isccc/sexpr.c b/contrib/bind9/lib/isccc/sexpr.c
deleted file mode 100644
index a372a7d2aa71..000000000000
--- a/contrib/bind9/lib/isccc/sexpr.c
+++ /dev/null
@@ -1,310 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: sexpr.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isccc/sexpr.h>
-#include <isccc/util.h>
-
-static isccc_sexpr_t sexpr_t = { ISCCC_SEXPRTYPE_T, { NULL } };
-
-#define CAR(s) (s)->value.as_dottedpair.car
-#define CDR(s) (s)->value.as_dottedpair.cdr
-
-isccc_sexpr_t *
-isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr)
-{
- isccc_sexpr_t *sexpr;
-
- sexpr = malloc(sizeof(*sexpr));
- if (sexpr == NULL)
- return (NULL);
- sexpr->type = ISCCC_SEXPRTYPE_DOTTEDPAIR;
- CAR(sexpr) = car;
- CDR(sexpr) = cdr;
-
- return (sexpr);
-}
-
-isccc_sexpr_t *
-isccc_sexpr_tconst(void)
-{
- return (&sexpr_t);
-}
-
-isccc_sexpr_t *
-isccc_sexpr_fromstring(const char *str)
-{
- isccc_sexpr_t *sexpr;
-
- sexpr = malloc(sizeof(*sexpr));
- if (sexpr == NULL)
- return (NULL);
- sexpr->type = ISCCC_SEXPRTYPE_STRING;
- sexpr->value.as_string = strdup(str);
- if (sexpr->value.as_string == NULL) {
- free(sexpr);
- return (NULL);
- }
-
- return (sexpr);
-}
-
-isccc_sexpr_t *
-isccc_sexpr_frombinary(const isccc_region_t *region)
-{
- isccc_sexpr_t *sexpr;
- unsigned int region_size;
-
- sexpr = malloc(sizeof(*sexpr));
- if (sexpr == NULL)
- return (NULL);
- sexpr->type = ISCCC_SEXPRTYPE_BINARY;
- region_size = REGION_SIZE(*region);
- /*
- * We add an extra byte when we malloc so we can NUL terminate
- * the binary data. This allows the caller to use it as a C
- * string. It's up to the caller to ensure this is safe. We don't
- * add 1 to the length of the binary region, because the NUL is
- * not part of the binary data.
- */
- sexpr->value.as_region.rstart = malloc(region_size + 1);
- if (sexpr->value.as_region.rstart == NULL) {
- free(sexpr);
- return (NULL);
- }
- sexpr->value.as_region.rend = sexpr->value.as_region.rstart +
- region_size;
- memcpy(sexpr->value.as_region.rstart, region->rstart, region_size);
- /*
- * NUL terminate.
- */
- sexpr->value.as_region.rstart[region_size] = '\0';
-
- return (sexpr);
-}
-
-void
-isccc_sexpr_free(isccc_sexpr_t **sexprp)
-{
- isccc_sexpr_t *sexpr;
- isccc_sexpr_t *item;
-
- sexpr = *sexprp;
- if (sexpr == NULL)
- return;
- switch (sexpr->type) {
- case ISCCC_SEXPRTYPE_STRING:
- free(sexpr->value.as_string);
- break;
- case ISCCC_SEXPRTYPE_DOTTEDPAIR:
- item = CAR(sexpr);
- if (item != NULL)
- isccc_sexpr_free(&item);
- item = CDR(sexpr);
- if (item != NULL)
- isccc_sexpr_free(&item);
- break;
- case ISCCC_SEXPRTYPE_BINARY:
- free(sexpr->value.as_region.rstart);
- break;
- }
- free(sexpr);
-
- *sexprp = NULL;
-}
-
-static isc_boolean_t
-printable(isccc_region_t *r)
-{
- unsigned char *curr;
-
- curr = r->rstart;
- while (curr != r->rend) {
- if (!isprint(*curr))
- return (ISC_FALSE);
- curr++;
- }
-
- return (ISC_TRUE);
-}
-
-void
-isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream)
-{
- isccc_sexpr_t *cdr;
- unsigned int size, i;
- unsigned char *curr;
-
- if (sexpr == NULL) {
- fprintf(stream, "nil");
- return;
- }
-
- switch (sexpr->type) {
- case ISCCC_SEXPRTYPE_T:
- fprintf(stream, "t");
- break;
- case ISCCC_SEXPRTYPE_STRING:
- fprintf(stream, "\"%s\"", sexpr->value.as_string);
- break;
- case ISCCC_SEXPRTYPE_DOTTEDPAIR:
- fprintf(stream, "(");
- do {
- isccc_sexpr_print(CAR(sexpr), stream);
- cdr = CDR(sexpr);
- if (cdr != NULL) {
- fprintf(stream, " ");
- if (cdr->type != ISCCC_SEXPRTYPE_DOTTEDPAIR) {
- fprintf(stream, ". ");
- isccc_sexpr_print(cdr, stream);
- cdr = NULL;
- }
- }
- sexpr = cdr;
- } while (sexpr != NULL);
- fprintf(stream, ")");
- break;
- case ISCCC_SEXPRTYPE_BINARY:
- size = REGION_SIZE(sexpr->value.as_region);
- curr = sexpr->value.as_region.rstart;
- if (printable(&sexpr->value.as_region)) {
- fprintf(stream, "'%.*s'", (int)size, curr);
- } else {
- fprintf(stream, "0x");
- for (i = 0; i < size; i++)
- fprintf(stream, "%02x", *curr++);
- }
- break;
- default:
- INSIST(0);
- }
-}
-
-isccc_sexpr_t *
-isccc_sexpr_car(isccc_sexpr_t *list)
-{
- REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
- return (CAR(list));
-}
-
-isccc_sexpr_t *
-isccc_sexpr_cdr(isccc_sexpr_t *list)
-{
- REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
- return (CDR(list));
-}
-
-void
-isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car)
-{
- REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
- CAR(pair) = car;
-}
-
-void
-isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr)
-{
- REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
- CDR(pair) = cdr;
-}
-
-isccc_sexpr_t *
-isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2)
-{
- isccc_sexpr_t *last, *elt, *l1;
-
- REQUIRE(l1p != NULL);
- l1 = *l1p;
- REQUIRE(l1 == NULL || l1->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
-
- elt = isccc_sexpr_cons(l2, NULL);
- if (elt == NULL)
- return (NULL);
- if (l1 == NULL) {
- *l1p = elt;
- return (elt);
- }
- for (last = l1; CDR(last) != NULL; last = CDR(last))
- /* Nothing */;
- CDR(last) = elt;
-
- return (elt);
-}
-
-isc_boolean_t
-isccc_sexpr_listp(isccc_sexpr_t *sexpr)
-{
- if (sexpr == NULL || sexpr->type == ISCCC_SEXPRTYPE_DOTTEDPAIR)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_sexpr_emptyp(isccc_sexpr_t *sexpr)
-{
- if (sexpr == NULL)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_sexpr_stringp(isccc_sexpr_t *sexpr)
-{
- if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_STRING)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-isc_boolean_t
-isccc_sexpr_binaryp(isccc_sexpr_t *sexpr)
-{
- if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY)
- return (ISC_TRUE);
- return (ISC_FALSE);
-}
-
-char *
-isccc_sexpr_tostring(isccc_sexpr_t *sexpr)
-{
- REQUIRE(sexpr != NULL &&
- (sexpr->type == ISCCC_SEXPRTYPE_STRING ||
- sexpr->type == ISCCC_SEXPRTYPE_BINARY));
-
- if (sexpr->type == ISCCC_SEXPRTYPE_BINARY)
- return ((char *)sexpr->value.as_region.rstart);
- return (sexpr->value.as_string);
-}
-
-isccc_region_t *
-isccc_sexpr_tobinary(isccc_sexpr_t *sexpr)
-{
- REQUIRE(sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY);
- return (&sexpr->value.as_region);
-}
diff --git a/contrib/bind9/lib/isccc/symtab.c b/contrib/bind9/lib/isccc/symtab.c
deleted file mode 100644
index 6aca4850f4da..000000000000
--- a/contrib/bind9/lib/isccc/symtab.c
+++ /dev/null
@@ -1,278 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001 Internet Software Consortium.
- * Portions Copyright (C) 2001 Nominum, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: symtab.c,v 1.3.12.3 2004/03/08 09:05:04 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <isc/assertions.h>
-#include <isc/magic.h>
-
-#include <isccc/result.h>
-#include <isccc/symtab.h>
-#include <isccc/util.h>
-
-typedef struct elt {
- char * key;
- unsigned int type;
- isccc_symvalue_t value;
- ISC_LINK(struct elt) link;
-} elt_t;
-
-typedef ISC_LIST(elt_t) eltlist_t;
-
-#define SYMTAB_MAGIC ISC_MAGIC('S', 'y', 'm', 'T')
-#define VALID_SYMTAB(st) ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
-
-struct isccc_symtab {
- unsigned int magic;
- unsigned int size;
- eltlist_t * table;
- isccc_symtabundefaction_t undefine_action;
- void * undefine_arg;
- isc_boolean_t case_sensitive;
-};
-
-isc_result_t
-isccc_symtab_create(unsigned int size,
- isccc_symtabundefaction_t undefine_action,
- void *undefine_arg,
- isc_boolean_t case_sensitive,
- isccc_symtab_t **symtabp)
-{
- isccc_symtab_t *symtab;
- unsigned int i;
-
- REQUIRE(symtabp != NULL && *symtabp == NULL);
- REQUIRE(size > 0); /* Should be prime. */
-
- symtab = malloc(sizeof(*symtab));
- if (symtab == NULL)
- return (ISC_R_NOMEMORY);
- symtab->table = malloc(size * sizeof(eltlist_t));
- if (symtab->table == NULL) {
- free(symtab);
- return (ISC_R_NOMEMORY);
- }
- for (i = 0; i < size; i++)
- ISC_LIST_INIT(symtab->table[i]);
- symtab->size = size;
- symtab->undefine_action = undefine_action;
- symtab->undefine_arg = undefine_arg;
- symtab->case_sensitive = case_sensitive;
- symtab->magic = SYMTAB_MAGIC;
-
- *symtabp = symtab;
-
- return (ISC_R_SUCCESS);
-}
-
-static inline void
-free_elt(isccc_symtab_t *symtab, unsigned int bucket, elt_t *elt) {
- ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
- if (symtab->undefine_action != NULL)
- (symtab->undefine_action)(elt->key, elt->type, elt->value,
- symtab->undefine_arg);
- free(elt);
-}
-
-void
-isccc_symtab_destroy(isccc_symtab_t **symtabp) {
- isccc_symtab_t *symtab;
- unsigned int i;
- elt_t *elt, *nelt;
-
- REQUIRE(symtabp != NULL);
- symtab = *symtabp;
- REQUIRE(VALID_SYMTAB(symtab));
-
- for (i = 0; i < symtab->size; i++) {
- for (elt = ISC_LIST_HEAD(symtab->table[i]);
- elt != NULL;
- elt = nelt) {
- nelt = ISC_LIST_NEXT(elt, link);
- free_elt(symtab, i, elt);
- }
- }
- free(symtab->table);
- symtab->magic = 0;
- free(symtab);
-
- *symtabp = NULL;
-}
-
-static inline unsigned int
-hash(const char *key, isc_boolean_t case_sensitive) {
- const char *s;
- unsigned int h = 0;
- unsigned int g;
- int c;
-
- /*
- * P. J. Weinberger's hash function, adapted from p. 436 of
- * _Compilers: Principles, Techniques, and Tools_, Aho, Sethi
- * and Ullman, Addison-Wesley, 1986, ISBN 0-201-10088-6.
- */
-
- if (case_sensitive) {
- for (s = key; *s != '\0'; s++) {
- h = ( h << 4 ) + *s;
- if ((g = ( h & 0xf0000000 )) != 0) {
- h = h ^ (g >> 24);
- h = h ^ g;
- }
- }
- } else {
- for (s = key; *s != '\0'; s++) {
- c = *s;
- c = tolower((unsigned char)c);
- h = ( h << 4 ) + c;
- if ((g = ( h & 0xf0000000 )) != 0) {
- h = h ^ (g >> 24);
- h = h ^ g;
- }
- }
- }
-
- return (h);
-}
-
-#define FIND(s, k, t, b, e) \
- b = hash((k), (s)->case_sensitive) % (s)->size; \
- if ((s)->case_sensitive) { \
- for (e = ISC_LIST_HEAD((s)->table[b]); \
- e != NULL; \
- e = ISC_LIST_NEXT(e, link)) { \
- if (((t) == 0 || e->type == (t)) && \
- strcmp(e->key, (k)) == 0) \
- break; \
- } \
- } else { \
- for (e = ISC_LIST_HEAD((s)->table[b]); \
- e != NULL; \
- e = ISC_LIST_NEXT(e, link)) { \
- if (((t) == 0 || e->type == (t)) && \
- strcasecmp(e->key, (k)) == 0) \
- break; \
- } \
- }
-
-isc_result_t
-isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
- isccc_symvalue_t *value)
-{
- unsigned int bucket;
- elt_t *elt;
-
- REQUIRE(VALID_SYMTAB(symtab));
- REQUIRE(key != NULL);
-
- FIND(symtab, key, type, bucket, elt);
-
- if (elt == NULL)
- return (ISC_R_NOTFOUND);
-
- if (value != NULL)
- *value = elt->value;
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
- isccc_symvalue_t value, isccc_symexists_t exists_policy)
-{
- unsigned int bucket;
- elt_t *elt;
-
- REQUIRE(VALID_SYMTAB(symtab));
- REQUIRE(key != NULL);
- REQUIRE(type != 0);
-
- FIND(symtab, key, type, bucket, elt);
-
- if (exists_policy != isccc_symexists_add && elt != NULL) {
- if (exists_policy == isccc_symexists_reject)
- return (ISC_R_EXISTS);
- INSIST(exists_policy == isccc_symexists_replace);
- ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
- if (symtab->undefine_action != NULL)
- (symtab->undefine_action)(elt->key, elt->type,
- elt->value,
- symtab->undefine_arg);
- } else {
- elt = malloc(sizeof(*elt));
- if (elt == NULL)
- return (ISC_R_NOMEMORY);
- ISC_LINK_INIT(elt, link);
- }
-
- elt->key = key;
- elt->type = type;
- elt->value = value;
-
- /*
- * We prepend so that the most recent definition will be found.
- */
- ISC_LIST_PREPEND(symtab->table[bucket], elt, link);
-
- return (ISC_R_SUCCESS);
-}
-
-isc_result_t
-isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type) {
- unsigned int bucket;
- elt_t *elt;
-
- REQUIRE(VALID_SYMTAB(symtab));
- REQUIRE(key != NULL);
-
- FIND(symtab, key, type, bucket, elt);
-
- if (elt == NULL)
- return (ISC_R_NOTFOUND);
-
- free_elt(symtab, bucket, elt);
-
- return (ISC_R_SUCCESS);
-}
-
-void
-isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
- void *arg)
-{
- unsigned int i;
- elt_t *elt, *nelt;
-
- REQUIRE(VALID_SYMTAB(symtab));
- REQUIRE(action != NULL);
-
- for (i = 0; i < symtab->size; i++) {
- for (elt = ISC_LIST_HEAD(symtab->table[i]);
- elt != NULL;
- elt = nelt) {
- nelt = ISC_LIST_NEXT(elt, link);
- if ((action)(elt->key, elt->type, elt->value, arg))
- free_elt(symtab, i, elt);
- }
- }
-}
diff --git a/contrib/bind9/lib/isccc/version.c b/contrib/bind9/lib/isccc/version.c
deleted file mode 100644
index 08cda2f33dad..000000000000
--- a/contrib/bind9/lib/isccc/version.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:04 marka Exp $ */
-
-#include <isccc/version.h>
-
-const char isccc_version[] = VERSION;
-
-const unsigned int isccc_libinterface = LIBINTERFACE;
-const unsigned int isccc_librevision = LIBREVISION;
-const unsigned int isccc_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/Makefile.in
deleted file mode 100644
index ee80508c44bf..000000000000
--- a/contrib/bind9/lib/isccfg/Makefile.in
+++ /dev/null
@@ -1,83 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.6.12.8 2004/07/20 07:01:58 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBISCCFG_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
-
-CDEFINES =
-CWARNINGS =
-
-ISCLIBS = ../../lib/isc/libisc.@A@
-ISCCCLIBS = ../../lib/isccc/libisccc.@A@
-DNSLIBS = ../../lib/dns/libdns.@A@
-ISCCFGLIBS = ../../lib/cfg/libisccfg.@A@
-
-ISCDEPLIBS = ../../lib/isc/libisc.@A@
-ISCCFGDEPLIBS = libisccfg.@A@
-
-LIBS = @LIBS@
-
-SUBDIRS = include
-
-# Alphabetically
-OBJS = log.@O@ namedconf.@O@ parser.@O@ version.@O@
-
-# Alphabetically
-SRCS = log.c namedconf.c parser.c version.c
-
-TARGETS = timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DLIBINTERFACE=${LIBINTERFACE} \
- -DLIBREVISION=${LIBREVISION} \
- -DLIBAGE=${LIBAGE} \
- -c ${srcdir}/version.c
-
-libisccfg.@SA@: ${OBJS}
- ${AR} ${ARFLAGS} $@ ${OBJS}
- ${RANLIB} $@
-
-libisccfg.la: ${OBJS}
- ${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la -rpath ${libdir} \
- -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} ${LIBS} ${DNSLIBS} ${ISCCCLIBS} ${ISCLIBS}
-
-timestamp: libisccfg.@A@
- touch timestamp
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
- rm -f libisccfg.@A@ timestamp
diff --git a/contrib/bind9/lib/isccfg/api b/contrib/bind9/lib/isccfg/api
deleted file mode 100644
index 59ed93b01104..000000000000
--- a/contrib/bind9/lib/isccfg/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 1
-LIBREVISION = 6
-LIBAGE = 0
diff --git a/contrib/bind9/lib/isccfg/include/Makefile.in b/contrib/bind9/lib/isccfg/include/Makefile.in
deleted file mode 100644
index 77d321960229..000000000000
--- a/contrib/bind9/lib/isccfg/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:15:27 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = isccfg
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
deleted file mode 100644
index dc8b1b1ea6f7..000000000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2002 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.4.12.3 2004/03/08 09:05:07 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated. The latter are handled specially in the
-# install target below.
-#
-HEADERS = cfg.h grammar.h log.h namedconf.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccfg
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccfg ; \
- done
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
deleted file mode 100644
index b4081cd7b383..000000000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
+++ /dev/null
@@ -1,415 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: cfg.h,v 1.30.12.4 2004/03/08 09:05:07 marka Exp $ */
-
-#ifndef ISCCFG_CFG_H
-#define ISCCFG_CFG_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * This is the new, table-driven, YACC-free configuration file parser.
- */
-
-/***
- *** Imports
- ***/
-
-#include <isc/formatcheck.h>
-#include <isc/lang.h>
-#include <isc/types.h>
-#include <isc/list.h>
-
-
-/***
- *** Types
- ***/
-
-typedef struct cfg_parser cfg_parser_t;
-/*
- * A configuration parser.
- */
-
-/*
- * A configuration type definition object. There is a single
- * static cfg_type_t object for each data type supported by
- * the configuration parser.
- */
-typedef struct cfg_type cfg_type_t;
-
-/*
- * A configuration object. This is the basic building block of the
- * configuration parse tree. It contains a value (which may be
- * of one of several types) and information identifying the file
- * and line number the value came from, for printing error
- * messages.
- */
-typedef struct cfg_obj cfg_obj_t;
-
-/*
- * A configuration object list element.
- */
-typedef struct cfg_listelt cfg_listelt_t;
-
-/*
- * A callback function to be called when parsing an option
- * that needs to be interpreted at parsing time, like
- * "directory".
- */
-typedef isc_result_t
-(*cfg_parsecallback_t)(const char *clausename, cfg_obj_t *obj, void *arg);
-
-/***
- *** Functions
- ***/
-
-ISC_LANG_BEGINDECLS
-
-isc_result_t
-cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret);
-/*
- * Create a configuration file parser. Any warning and error
- * messages will be logged to 'lctx'.
- *
- * The parser object returned can be used for a single call
- * to cfg_parse_file() or cfg_parse_buffer(). It must not
- * be reused for parsing multiple files or buffers.
- */
-
-void
-cfg_parser_setcallback(cfg_parser_t *pctx,
- cfg_parsecallback_t callback,
- void *arg);
-/*
- * Make the parser call 'callback' whenever it encounters
- * a configuration clause with the callback attribute,
- * passing it the clause name, the clause value,
- * and 'arg' as arguments.
- *
- * To restore the default of not invoking callbacks, pass
- * callback==NULL and arg==NULL.
- */
-
-isc_result_t
-cfg_parse_file(cfg_parser_t *pctx, const char *filename,
- const cfg_type_t *type, cfg_obj_t **ret);
-isc_result_t
-cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
- const cfg_type_t *type, cfg_obj_t **ret);
-/*
- * Read a configuration containing data of type 'type'
- * and make '*ret' point to its parse tree.
- *
- * The configuration is read from the file 'filename'
- * (isc_parse_file()) or the buffer 'buffer'
- * (isc_parse_buffer()).
- *
- * Returns an error if the file does not parse correctly.
- *
- * Requires:
- * "filename" is valid.
- * "mem" is valid.
- * "type" is valid.
- * "cfg" is non-NULL and "*cfg" is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS - success
- * ISC_R_NOMEMORY - no memory available
- * ISC_R_INVALIDFILE - file doesn't exist or is unreadable
- * others - file contains errors
- */
-
-void
-cfg_parser_destroy(cfg_parser_t **pctxp);
-/*
- * Destroy a configuration parser.
- */
-
-isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of void type (e.g., an optional
- * value not specified).
- */
-
-isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of a map type.
- */
-
-isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
-/*
- * Extract an element from a configuration object, which
- * must be of a map type.
- *
- * Requires:
- * 'mapobj' points to a valid configuration object of a map type.
- * 'name' points to a null-terminated string.
- * 'obj' is non-NULL and '*obj' is NULL.
- *
- * Returns:
- * ISC_R_SUCCESS - success
- * ISC_R_NOTFOUND - name not found in map
- */
-
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj);
-/*
- * Get the name of a named map object, like a server "key" clause.
- *
- * Requires:
- * 'mapobj' points to a valid configuration object of a map type.
- *
- * Returns:
- * A pointer to a configuration object naming the map object,
- * or NULL if the map object does not have a name.
- */
-
-isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of a map type.
- */
-
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
-/*
- * Extract an element from a configuration object, which
- * must be of a tuple type.
- *
- * Requires:
- * 'tupleobj' points to a valid configuration object of a tuple type.
- * 'name' points to a null-terminated string naming one of the
- * fields of said tuple type.
- */
-
-isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of integer type.
- */
-
-isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj);
-/*
- * Returns the value of a configuration object of 32-bit integer type.
- *
- * Requires:
- * 'obj' points to a valid configuration object of 32-bit integer type.
- *
- * Returns:
- * A 32-bit unsigned integer.
- */
-
-isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of integer type.
- */
-
-isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj);
-/*
- * Returns the value of a configuration object of 64-bit integer type.
- *
- * Requires:
- * 'obj' points to a valid configuration object of 64-bit integer type.
- *
- * Returns:
- * A 64-bit unsigned integer.
- */
-
-isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of string type.
- */
-
-char *
-cfg_obj_asstring(cfg_obj_t *obj);
-/*
- * Returns the value of a configuration object of a string type
- * as a null-terminated string.
- *
- * Requires:
- * 'obj' points to a valid configuration object of a string type.
- *
- * Returns:
- * A pointer to a null terminated string.
- */
-
-isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of a boolean type.
- */
-
-isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj);
-/*
- * Returns the value of a configuration object of a boolean type.
- *
- * Requires:
- * 'obj' points to a valid configuration object of a boolean type.
- *
- * Returns:
- * A boolean value.
- */
-
-isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is a socket address.
- */
-
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj);
-/*
- * Returns the value of a configuration object representing a socket address.
- *
- * Requires:
- * 'obj' points to a valid configuration object of a socket address type.
- *
- * Returns:
- * A pointer to a sockaddr. The sockaddr must be copied by the caller
- * if necessary.
- */
-
-isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is a network prefix.
- */
-
-void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
- unsigned int *prefixlen);
-/*
- * Gets the value of a configuration object representing a network
- * prefix. The network address is returned through 'netaddr' and the
- * prefix length in bits through 'prefixlen'.
- *
- * Requires:
- * 'obj' points to a valid configuration object of network prefix type.
- * 'netaddr' and 'prefixlen' are non-NULL.
- */
-
-isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj);
-/*
- * Return true iff 'obj' is of list type.
- */
-
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj);
-/*
- * Returns the first list element in a configuration object of a list type.
- *
- * Requires:
- * 'obj' points to a valid configuration object of a list type or NULL.
- *
- * Returns:
- * A pointer to a cfg_listelt_t representing the first list element,
- * or NULL if the list is empty or nonexistent.
- */
-
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt);
-/*
- * Returns the next element of a list of configuration objects.
- *
- * Requires:
- * 'elt' points to cfg_listelt_t obtained from cfg_list_first() or
- * a previous call to cfg_list_next().
- *
- * Returns:
- * A pointer to a cfg_listelt_t representing the next element,
- * or NULL if there are no more elements.
- */
-
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt);
-/*
- * Returns the configuration object associated with cfg_listelt_t.
- *
- * Requires:
- * 'elt' points to cfg_listelt_t obtained from cfg_list_first() or
- * cfg_list_next().
- *
- * Returns:
- * A non-NULL pointer to a configuration object.
- */
-
-void
-cfg_print(cfg_obj_t *obj,
- void (*f)(void *closure, const char *text, int textlen),
- void *closure);
-/*
- * Print the configuration object 'obj' by repeatedly calling the
- * function 'f', passing 'closure' and a region of text starting
- * at 'text' and comprising 'textlen' characters.
- */
-
-void
-cfg_print_grammar(const cfg_type_t *type,
- void (*f)(void *closure, const char *text, int textlen),
- void *closure);
-/*
- * Print a summary of the grammar of the configuration type 'type'.
- */
-
-isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type);
-/*
- * Return true iff 'obj' is of type 'type'.
- */
-
-void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
-/*
- * Destroy a configuration object.
- */
-
-void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
- ISC_FORMAT_PRINTF(4, 5);
-/*
- * Log a message concerning configuration object 'obj' to the logging
- * channel of 'pctx', at log level 'level'. The message will be prefixed
- * with the file name(s) and line number where 'obj' was defined.
- */
-
-const char *
-cfg_obj_file(cfg_obj_t *obj);
-/*
- * Return the file that defined this object.
- */
-
-unsigned int
-cfg_obj_line(cfg_obj_t *obj);
-/*
- * Return the line in file where this object was defined.
- */
-
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCFG_CFG_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
deleted file mode 100644
index 92b142b7ac75..000000000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
+++ /dev/null
@@ -1,439 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: grammar.h,v 1.3.50.4 2004/11/30 01:15:44 marka Exp $ */
-
-#ifndef ISCCFG_GRAMMAR_H
-#define ISCCFG_GRAMMAR_H 1
-
-#include <isc/lex.h>
-#include <isc/netaddr.h>
-#include <isc/sockaddr.h>
-#include <isc/region.h>
-#include <isc/types.h>
-
-#include <isccfg/cfg.h>
-
-/*
- * Definitions shared between the configuration parser
- * and the grammars; not visible to users of the parser.
- */
-
-/* Clause may occur multiple times (e.g., "zone") */
-#define CFG_CLAUSEFLAG_MULTI 0x00000001
-/* Clause is obsolete */
-#define CFG_CLAUSEFLAG_OBSOLETE 0x00000002
-/* Clause is not implemented, and may never be */
-#define CFG_CLAUSEFLAG_NOTIMP 0x00000004
-/* Clause is not implemented yet */
-#define CFG_CLAUSEFLAG_NYI 0x00000008
-/* Default value has changed since earlier release */
-#define CFG_CLAUSEFLAG_NEWDEFAULT 0x00000010
-/*
- * Clause needs to be interpreted during parsing
- * by calling a callback function, like the
- * "directory" option.
- */
-#define CFG_CLAUSEFLAG_CALLBACK 0x00000020
-
-typedef struct cfg_clausedef cfg_clausedef_t;
-typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
-typedef struct cfg_printer cfg_printer_t;
-typedef ISC_LIST(cfg_listelt_t) cfg_list_t;
-typedef struct cfg_map cfg_map_t;
-typedef struct cfg_rep cfg_rep_t;
-
-/*
- * Function types for configuration object methods
- */
-
-typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
- cfg_obj_t **);
-typedef void (*cfg_printfunc_t)(cfg_printer_t *, cfg_obj_t *);
-typedef void (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
-typedef void (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
-
-/*
- * Structure definitions
- */
-
-/*
- * A configuration printer object. This is an abstract
- * interface to a destination to which text can be printed
- * by calling the function 'f'.
- */
-struct cfg_printer {
- void (*f)(void *closure, const char *text, int textlen);
- void *closure;
- int indent;
-};
-
-/* A clause definition. */
-
-struct cfg_clausedef {
- const char *name;
- cfg_type_t *type;
- unsigned int flags;
-};
-
-/* A tuple field definition. */
-
-struct cfg_tuplefielddef {
- const char *name;
- cfg_type_t *type;
- unsigned int flags;
-};
-
-/* A configuration object type definition. */
-struct cfg_type {
- const char *name; /* For debugging purposes only */
- cfg_parsefunc_t parse;
- cfg_printfunc_t print;
- cfg_docfunc_t doc; /* Print grammar description */
- cfg_rep_t * rep; /* Data representation */
- const void * of; /* Additional data for meta-types */
-};
-
-/* A keyword-type definition, for things like "port <integer>". */
-
-typedef struct {
- const char *name;
- const cfg_type_t *type;
-} keyword_type_t;
-
-struct cfg_map {
- cfg_obj_t *id; /* Used for 'named maps' like keys, zones, &c */
- const cfg_clausedef_t * const *clausesets; /* The clauses that
- can occur in this map;
- used for printing */
- isc_symtab_t *symtab;
-};
-
-typedef struct cfg_netprefix cfg_netprefix_t;
-
-struct cfg_netprefix {
- isc_netaddr_t address; /* IP4/IP6 */
- unsigned int prefixlen;
-};
-
-/*
- * A configuration data representation.
- */
-struct cfg_rep {
- const char * name; /* For debugging only */
- cfg_freefunc_t free; /* How to free this kind of data. */
-};
-
-/*
- * A configuration object. This is the main building block
- * of the configuration parse tree.
- */
-
-struct cfg_obj {
- const cfg_type_t *type;
- union {
- isc_uint32_t uint32;
- isc_uint64_t uint64;
- isc_textregion_t string; /* null terminated, too */
- isc_boolean_t boolean;
- cfg_map_t map;
- cfg_list_t list;
- cfg_obj_t ** tuple;
- isc_sockaddr_t sockaddr;
- cfg_netprefix_t netprefix;
- } value;
- char * file;
- unsigned int line;
-};
-
-
-/* A list element. */
-
-struct cfg_listelt {
- cfg_obj_t *obj;
- ISC_LINK(cfg_listelt_t) link;
-};
-
-/* The parser object. */
-struct cfg_parser {
- isc_mem_t * mctx;
- isc_log_t * lctx;
- isc_lex_t * lexer;
- unsigned int errors;
- unsigned int warnings;
- isc_token_t token;
-
- /* We are at the end of all input. */
- isc_boolean_t seen_eof;
-
- /* The current token has been pushed back. */
- isc_boolean_t ungotten;
-
- /*
- * The stack of currently active files, represented
- * as a configuration list of configuration strings.
- * The head is the top-level file, subsequent elements
- * (if any) are the nested include files, and the
- * last element is the file currently being parsed.
- */
- cfg_obj_t * open_files;
-
- /*
- * Names of files that we have parsed and closed
- * and were previously on the open_file list.
- * We keep these objects around after closing
- * the files because the file names may still be
- * referenced from other configuration objects
- * for use in reporting semantic errors after
- * parsing is complete.
- */
- cfg_obj_t * closed_files;
-
- /*
- * Current line number. We maintain our own
- * copy of this so that it is available even
- * when a file has just been closed.
- */
- unsigned int line;
-
- cfg_parsecallback_t callback;
- void *callbackarg;
-};
-
-
-/*
- * Flags defining whether to accept certain types of network addresses.
- */
-#define CFG_ADDR_V4OK 0x00000001
-#define CFG_ADDR_V4PREFIXOK 0x00000002
-#define CFG_ADDR_V6OK 0x00000004
-#define CFG_ADDR_WILDOK 0x00000008
-
-/*
- * Predefined data representation types.
- */
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint32;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint64;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_string;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_boolean;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_map;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_list;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_tuple;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_sockaddr;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_netprefix;
-LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_void;
-
-/*
- * Predefined configuration object types.
- */
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_boolean;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint32;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint64;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netprefix;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_void;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_token;
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_unsupported;
-
-isc_result_t
-cfg_gettoken(cfg_parser_t *pctx, int options);
-
-isc_result_t
-cfg_peektoken(cfg_parser_t *pctx, int options);
-
-void
-cfg_ungettoken(cfg_parser_t *pctx);
-
-#define CFG_LEXOPT_QSTRING (ISC_LEXOPT_QSTRING | ISC_LEXOPT_QSTRINGMULTILINE)
-
-isc_result_t
-cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-void
-cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u);
-
-isc_result_t
-cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-isc_result_t
-cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-isc_result_t
-cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
-
-void
-cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na);
-
-isc_boolean_t
-cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
-
-isc_result_t
-cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
-
-isc_result_t
-cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_special(cfg_parser_t *pctx, int special);
-/* Parse a required special character 'special'. */
-
-isc_result_t
-cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-isc_result_t
-cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-isc_result_t
-cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
- cfg_listelt_t **ret);
-
-isc_result_t
-cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-isc_result_t
-cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
-
-void
-cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
-/* Print 'len' characters at 'text' */
-
-void
-cfg_print_cstr(cfg_printer_t *pctx, const char *s);
-/* Print the null-terminated string 's' */
-
-isc_result_t
-cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-isc_result_t
-cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
-
-isc_result_t
-cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-void
-cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-void
-cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
-/*
- * Print a description of the grammar of an arbitrary configuration
- * type 'type'
- */
-
-void
-cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
-/*
- * Document the type 'type' as a terminal by printing its
- * name in angle brackets, e.g., <uint32>.
- */
-
-void
-cfg_parser_error(cfg_parser_t *pctx, unsigned int flags,
- const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-/*
- * Pass one of these flags to cfg_parser_error() to include the
- * token text in log message.
- */
-#define CFG_LOG_NEAR 0x00000001 /* Say "near <token>" */
-#define CFG_LOG_BEFORE 0x00000002 /* Say "before <token>" */
-#define CFG_LOG_NOPREP 0x00000004 /* Say just "<token>" */
-
-void
-cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags,
- const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-
-isc_boolean_t
-cfg_is_enum(const char *s, const char *const *enums);
-/* Return true iff the string 's' is one of the strings in 'enums' */
-
-#endif /* ISCCFG_GRAMMAR_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/log.h b/contrib/bind9/lib/isccfg/include/isccfg/log.h
deleted file mode 100644
index b3d2da7d72b4..000000000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/log.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.h,v 1.3.2.1.10.3 2004/03/08 09:05:07 marka Exp $ */
-
-#ifndef ISCCFG_LOG_H
-#define ISCCFG_LOG_H 1
-
-#include <isc/lang.h>
-#include <isc/log.h>
-
-LIBISCCFG_EXTERNAL_DATA extern isc_logcategory_t cfg_categories[];
-LIBISCCFG_EXTERNAL_DATA extern isc_logmodule_t cfg_modules[];
-
-#define CFG_LOGCATEGORY_CONFIG (&cfg_categories[0])
-
-#define CFG_LOGMODULE_PARSER (&cfg_modules[0])
-
-ISC_LANG_BEGINDECLS
-
-void
-cfg_log_init(isc_log_t *lctx);
-/*
- * Make the libisccfg categories and modules available for use with the
- * ISC logging library.
- *
- * Requires:
- * lctx is a valid logging context.
- *
- * cfg_log_init() is called only once.
- *
- * Ensures:
- * The catgories and modules defined above are available for
- * use by isc_log_usechannnel() and isc_log_write().
- */
-
-ISC_LANG_ENDDECLS
-
-#endif /* ISCCFG_LOG_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
deleted file mode 100644
index 4d5bd0b2701b..000000000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: namedconf.h,v 1.2.202.3 2004/03/08 09:05:07 marka Exp $ */
-
-#ifndef ISCCFG_NAMEDCONF_H
-#define ISCCFG_NAMEDCONF_H 1
-
-/*
- * This module defines the named.conf, rndc.conf, and rndc.key grammars.
- */
-
-#include <isccfg/cfg.h>
-
-/*
- * Configuration object types.
- */
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
-/* A complete named.conf file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
-/* A complete rndc.conf file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
-/* A complete rndc.key file. */
-
-LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
-/* A key reference, used as an ACL element */
-
-#endif /* ISCCFG_CFG_H */
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/version.h b/contrib/bind9/lib/isccfg/include/isccfg/version.h
deleted file mode 100644
index d02a814b018f..000000000000
--- a/contrib/bind9/lib/isccfg/include/isccfg/version.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:08 marka Exp $ */
-
-#include <isc/platform.h>
-
-LIBISCCFG_EXTERNAL_DATA extern const char cfg_version[];
-
-LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libinterface;
-LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_librevision;
-LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libage;
diff --git a/contrib/bind9/lib/isccfg/log.c b/contrib/bind9/lib/isccfg/log.c
deleted file mode 100644
index b16b4d3b3a9b..000000000000
--- a/contrib/bind9/lib/isccfg/log.c
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: log.c,v 1.2.2.1.10.3 2004/03/08 09:05:06 marka Exp $ */
-
-#include <config.h>
-
-#include <isc/util.h>
-
-#include <isccfg/log.h>
-
-/*
- * When adding a new category, be sure to add the appropriate
- * #define to <isccfg/log.h>.
- */
-LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
- { "config", 0 },
- { NULL, 0 }
-};
-
-/*
- * When adding a new module, be sure to add the appropriate
- * #define to <isccfg/log.h>.
- */
-LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
- { "isccfg/parser", 0 },
- { NULL, 0 }
-};
-
-void
-cfg_log_init(isc_log_t *lctx) {
- REQUIRE(lctx != NULL);
-
- isc_log_registercategories(lctx, cfg_categories);
- isc_log_registermodules(lctx, cfg_modules);
-}
diff --git a/contrib/bind9/lib/isccfg/namedconf.c b/contrib/bind9/lib/isccfg/namedconf.c
deleted file mode 100644
index bfc5dda425e6..000000000000
--- a/contrib/bind9/lib/isccfg/namedconf.c
+++ /dev/null
@@ -1,1908 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: namedconf.c,v 1.21.44.32 2005/10/26 05:06:40 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <isc/lex.h>
-#include <isc/result.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/grammar.h>
-#include <isccfg/log.h>
-
-#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
-
-/* Check a return value. */
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
- } while (0)
-
-/* Clean up a configuration object if non-NULL. */
-#define CLEANUP_OBJ(obj) \
- do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
-
-
-/*
- * Forward declarations of static functions.
- */
-
-static isc_result_t
-parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
- const cfg_type_t *othertype, cfg_obj_t **ret);
-
-static isc_result_t
-parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static isc_result_t
-parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-static void
-doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
-
-static void
-doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
-
-static cfg_type_t cfg_type_acl;
-static cfg_type_t cfg_type_addrmatchelt;
-static cfg_type_t cfg_type_bracketed_aml;
-static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
-static cfg_type_t cfg_type_bracketed_sockaddrlist;
-static cfg_type_t cfg_type_controls;
-static cfg_type_t cfg_type_controls_sockaddr;
-static cfg_type_t cfg_type_destinationlist;
-static cfg_type_t cfg_type_dialuptype;
-static cfg_type_t cfg_type_key;
-static cfg_type_t cfg_type_logfile;
-static cfg_type_t cfg_type_logging;
-static cfg_type_t cfg_type_logseverity;
-static cfg_type_t cfg_type_lwres;
-static cfg_type_t cfg_type_masterselement;
-static cfg_type_t cfg_type_nameportiplist;
-static cfg_type_t cfg_type_negated;
-static cfg_type_t cfg_type_notifytype;
-static cfg_type_t cfg_type_optional_class;
-static cfg_type_t cfg_type_optional_facility;
-static cfg_type_t cfg_type_optional_facility;
-static cfg_type_t cfg_type_optional_keyref;
-static cfg_type_t cfg_type_optional_port;
-static cfg_type_t cfg_type_options;
-static cfg_type_t cfg_type_portiplist;
-static cfg_type_t cfg_type_querysource4;
-static cfg_type_t cfg_type_querysource6;
-static cfg_type_t cfg_type_querysource;
-static cfg_type_t cfg_type_server;
-static cfg_type_t cfg_type_server_key_kludge;
-static cfg_type_t cfg_type_size;
-static cfg_type_t cfg_type_sizenodefault;
-static cfg_type_t cfg_type_sockaddr4wild;
-static cfg_type_t cfg_type_sockaddr6wild;
-static cfg_type_t cfg_type_view;
-static cfg_type_t cfg_type_viewopts;
-static cfg_type_t cfg_type_zone;
-static cfg_type_t cfg_type_zoneopts;
-
-/* tkey-dhkey */
-
-static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
- { "name", &cfg_type_qstring, 0 },
- { "keyid", &cfg_type_uint32, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_tkey_dhkey = {
- "tkey-dhkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- tkey_dhkey_fields
-};
-
-/* listen-on */
-
-static cfg_tuplefielddef_t listenon_fields[] = {
- { "port", &cfg_type_optional_port, 0 },
- { "acl", &cfg_type_bracketed_aml, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_listenon = {
- "listenon", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, listenon_fields };
-
-/* acl */
-
-static cfg_tuplefielddef_t acl_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "value", &cfg_type_bracketed_aml, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_acl = {
- "acl", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, acl_fields };
-
-/* masters */
-static cfg_tuplefielddef_t masters_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "port", &cfg_type_optional_port, 0 },
- { "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_masters = {
- "masters", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, masters_fields };
-
-/*
- * "sockaddrkeylist", a list of socket addresses with optional keys
- * and an optional default port, as used in the masters option.
- * E.g.,
- * "port 1234 { mymasters; 10.0.0.1 key foo; 1::2 port 69; }"
- */
-
-static cfg_tuplefielddef_t namesockaddrkey_fields[] = {
- { "masterselement", &cfg_type_masterselement, 0 },
- { "key", &cfg_type_optional_keyref, 0 },
- { NULL, NULL, 0 },
-};
-
-static cfg_type_t cfg_type_namesockaddrkey = {
- "namesockaddrkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- namesockaddrkey_fields
-};
-
-static cfg_type_t cfg_type_bracketed_namesockaddrkeylist = {
- "bracketed_namesockaddrkeylist", cfg_parse_bracketed_list,
- cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_namesockaddrkey
-};
-
-static cfg_tuplefielddef_t namesockaddrkeylist_fields[] = {
- { "port", &cfg_type_optional_port, 0 },
- { "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_namesockaddrkeylist = {
- "sockaddrkeylist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- namesockaddrkeylist_fields
-};
-
-/*
- * A list of socket addresses with an optional default port,
- * as used in the also-notify option. E.g.,
- * "port 1234 { 10.0.0.1; 1::2 port 69; }"
- */
-static cfg_tuplefielddef_t portiplist_fields[] = {
- { "port", &cfg_type_optional_port, 0 },
- { "addresses", &cfg_type_bracketed_sockaddrlist, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_portiplist = {
- "portiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- portiplist_fields
-};
-
-/*
- * A public key, as in the "pubkey" statement.
- */
-static cfg_tuplefielddef_t pubkey_fields[] = {
- { "flags", &cfg_type_uint32, 0 },
- { "protocol", &cfg_type_uint32, 0 },
- { "algorithm", &cfg_type_uint32, 0 },
- { "key", &cfg_type_qstring, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_pubkey = {
- "pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, pubkey_fields };
-
-/*
- * A list of RR types, used in grant statements.
- * Note that the old parser allows quotes around the RR type names.
- */
-static cfg_type_t cfg_type_rrtypelist = {
- "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal,
- &cfg_rep_list, &cfg_type_astring
-};
-
-static const char *mode_enums[] = { "grant", "deny", NULL };
-static cfg_type_t cfg_type_mode = {
- "mode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &mode_enums
-};
-
-static const char *matchtype_enums[] = {
- "name", "subdomain", "wildcard", "self", NULL };
-static cfg_type_t cfg_type_matchtype = {
- "matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &matchtype_enums
-};
-
-/*
- * A grant statement, used in the update policy.
- */
-static cfg_tuplefielddef_t grant_fields[] = {
- { "mode", &cfg_type_mode, 0 },
- { "identity", &cfg_type_astring, 0 }, /* domain name */
- { "matchtype", &cfg_type_matchtype, 0 },
- { "name", &cfg_type_astring, 0 }, /* domain name */
- { "types", &cfg_type_rrtypelist, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_grant = {
- "grant", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, grant_fields };
-
-static cfg_type_t cfg_type_updatepolicy = {
- "update_policy", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_grant
-};
-
-/*
- * A view statement.
- */
-static cfg_tuplefielddef_t view_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "class", &cfg_type_optional_class, 0 },
- { "options", &cfg_type_viewopts, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_view = {
- "view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, view_fields };
-
-/*
- * A zone statement.
- */
-static cfg_tuplefielddef_t zone_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "class", &cfg_type_optional_class, 0 },
- { "options", &cfg_type_zoneopts, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_zone = {
- "zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, zone_fields };
-
-/*
- * A "category" clause in the "logging" statement.
- */
-static cfg_tuplefielddef_t category_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "destinations", &cfg_type_destinationlist,0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_category = {
- "category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, category_fields };
-
-
-/*
- * A trusted key, as used in the "trusted-keys" statement.
- */
-static cfg_tuplefielddef_t trustedkey_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "flags", &cfg_type_uint32, 0 },
- { "protocol", &cfg_type_uint32, 0 },
- { "algorithm", &cfg_type_uint32, 0 },
- { "key", &cfg_type_qstring, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_trustedkey = {
- "trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- trustedkey_fields
-};
-
-static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
-
-static cfg_type_t cfg_type_optional_wild_class = {
- "optional_wild_class", parse_optional_keyvalue, print_keyvalue,
- doc_optional_keyvalue, &cfg_rep_string, &wild_class_kw
-};
-
-static keyword_type_t wild_type_kw = { "type", &cfg_type_ustring };
-
-static cfg_type_t cfg_type_optional_wild_type = {
- "optional_wild_type", parse_optional_keyvalue,
- print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_type_kw
-};
-
-static keyword_type_t wild_name_kw = { "name", &cfg_type_qstring };
-
-static cfg_type_t cfg_type_optional_wild_name = {
- "optional_wild_name", parse_optional_keyvalue,
- print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_name_kw
-};
-
-/*
- * An rrset ordering element.
- */
-static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
- { "class", &cfg_type_optional_wild_class, 0 },
- { "type", &cfg_type_optional_wild_type, 0 },
- { "name", &cfg_type_optional_wild_name, 0 },
- { "order", &cfg_type_ustring, 0 }, /* must be literal "order" */
- { "ordering", &cfg_type_ustring, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_rrsetorderingelement = {
- "rrsetorderingelement", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- rrsetorderingelement_fields
-};
-
-/*
- * A global or view "check-names" option. Note that the zone
- * "check-names" option has a different syntax.
- */
-
-static const char *checktype_enums[] = { "master", "slave", "response", NULL };
-static cfg_type_t cfg_type_checktype = {
- "checktype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
- &cfg_rep_string, &checktype_enums
-};
-
-static const char *checkmode_enums[] = { "fail", "warn", "ignore", NULL };
-static cfg_type_t cfg_type_checkmode = {
- "checkmode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
- &cfg_rep_string, &checkmode_enums
-};
-
-static cfg_tuplefielddef_t checknames_fields[] = {
- { "type", &cfg_type_checktype, 0 },
- { "mode", &cfg_type_checkmode, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_checknames = {
- "checknames", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- checknames_fields
-};
-
-static cfg_type_t cfg_type_bracketed_sockaddrlist = {
- "bracketed_sockaddrlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_sockaddr
-};
-
-static cfg_type_t cfg_type_rrsetorder = {
- "rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_rrsetorderingelement
-};
-
-static keyword_type_t port_kw = { "port", &cfg_type_uint32 };
-
-static cfg_type_t cfg_type_optional_port = {
- "optional_port", parse_optional_keyvalue, print_keyvalue,
- doc_optional_keyvalue, &cfg_rep_uint32, &port_kw
-};
-
-/* A list of keys, as in the "key" clause of the controls statement. */
-static cfg_type_t cfg_type_keylist = {
- "keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
- &cfg_type_astring
-};
-
-static cfg_type_t cfg_type_trustedkeys = {
- "trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
- &cfg_type_trustedkey
-};
-
-static const char *forwardtype_enums[] = { "first", "only", NULL };
-static cfg_type_t cfg_type_forwardtype = {
- "forwardtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &forwardtype_enums
-};
-
-static const char *zonetype_enums[] = {
- "master", "slave", "stub", "hint", "forward", "delegation-only", NULL };
-static cfg_type_t cfg_type_zonetype = {
- "zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &zonetype_enums
-};
-
-static const char *loglevel_enums[] = {
- "critical", "error", "warning", "notice", "info", "dynamic", NULL };
-static cfg_type_t cfg_type_loglevel = {
- "loglevel", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &loglevel_enums
-};
-
-static const char *transferformat_enums[] = {
- "many-answers", "one-answer", NULL };
-static cfg_type_t cfg_type_transferformat = {
- "transferformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
- &transferformat_enums
-};
-
-/*
- * The special keyword "none", as used in the pid-file option.
- */
-
-static void
-print_none(cfg_printer_t *pctx, cfg_obj_t *obj) {
- UNUSED(obj);
- cfg_print_chars(pctx, "none", 4);
-}
-
-static cfg_type_t cfg_type_none = {
- "none", NULL, print_none, NULL, &cfg_rep_void, NULL
-};
-
-/*
- * A quoted string or the special keyword "none". Used in the pid-file option.
- */
-static isc_result_t
-parse_qstringornone(cfg_parser_t *pctx, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- isc_result_t result;
- CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
- if (pctx->token.type == isc_tokentype_string &&
- strcasecmp(TOKEN_STRING(pctx), "none") == 0)
- return (cfg_create_obj(pctx, &cfg_type_none, ret));
- cfg_ungettoken(pctx);
- return (cfg_parse_qstring(pctx, type, ret));
- cleanup:
- return (result);
-}
-
-static void
-doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
- UNUSED(type);
- cfg_print_chars(pctx, "( <quoted_string> | none )", 26);
-}
-
-static cfg_type_t cfg_type_qstringornone = {
- "qstringornone", parse_qstringornone, NULL, doc_qstringornone, NULL, NULL };
-
-/*
- * keyword hostname
- */
-
-static void
-print_hostname(cfg_printer_t *pctx, cfg_obj_t *obj) {
- UNUSED(obj);
- cfg_print_chars(pctx, "hostname", 4);
-}
-
-static cfg_type_t cfg_type_hostname = {
- "hostname", NULL, print_hostname, NULL, &cfg_rep_boolean, NULL
-};
-
-/*
- * "server-id" argument.
- */
-
-static isc_result_t
-parse_serverid(cfg_parser_t *pctx, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- isc_result_t result;
- CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
- if (pctx->token.type == isc_tokentype_string &&
- strcasecmp(TOKEN_STRING(pctx), "none") == 0)
- return (cfg_create_obj(pctx, &cfg_type_none, ret));
- if (pctx->token.type == isc_tokentype_string &&
- strcasecmp(TOKEN_STRING(pctx), "hostname") == 0) {
- return (cfg_create_obj(pctx, &cfg_type_hostname, ret));
- }
- cfg_ungettoken(pctx);
- return (cfg_parse_qstring(pctx, type, ret));
- cleanup:
- return (result);
-}
-
-static void
-doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
- UNUSED(type);
- cfg_print_chars(pctx, "( <quoted_string> | none | hostname )", 26);
-}
-
-static cfg_type_t cfg_type_serverid = {
- "serverid", parse_serverid, NULL, doc_serverid, NULL, NULL };
-
-/*
- * Port list.
- */
-static isc_result_t
-parse_port(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
-
- UNUSED(type);
-
- CHECK(cfg_parse_uint32(pctx, NULL, ret));
- if ((*ret)->value.uint32 > 0xffff) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
- cfg_obj_destroy(pctx, ret);
- result = ISC_R_RANGE;
- }
- cleanup:
- return (result);
-}
-
-static cfg_type_t cfg_type_port = {
- "port", parse_port, NULL, cfg_doc_terminal,
- NULL, NULL
-};
-
-static cfg_type_t cfg_type_bracketed_portlist = {
- "bracketed_sockaddrlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_port
-};
-
-/*
- * Clauses that can be found within the top level of the named.conf
- * file only.
- */
-static cfg_clausedef_t
-namedconf_clauses[] = {
- { "options", &cfg_type_options, 0 },
- { "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
- { "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
- { "masters", &cfg_type_masters, CFG_CLAUSEFLAG_MULTI },
- { "logging", &cfg_type_logging, 0 },
- { "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
- { "lwres", &cfg_type_lwres, CFG_CLAUSEFLAG_MULTI },
- { NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can occur at the top level or in the view
- * statement, but not in the options block.
- */
-static cfg_clausedef_t
-namedconf_or_view_clauses[] = {
- { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
- { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
- { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
- { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
- { NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found within the 'options' statement.
- */
-static cfg_clausedef_t
-options_clauses[] = {
- { "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
- { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
- { "blackhole", &cfg_type_bracketed_aml, 0 },
- { "coresize", &cfg_type_size, 0 },
- { "datasize", &cfg_type_size, 0 },
- { "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
- { "dump-file", &cfg_type_qstring, 0 },
- { "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "files", &cfg_type_size, 0 },
- { "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "heartbeat-interval", &cfg_type_uint32, 0 },
- { "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
- { "host-statistics-max", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
- { "hostname", &cfg_type_qstringornone, 0 },
- { "interface-interval", &cfg_type_uint32, 0 },
- { "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
- { "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
- { "match-mapped-addresses", &cfg_type_boolean, 0 },
- { "memstatistics-file", &cfg_type_qstring, 0 },
- { "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
- { "pid-file", &cfg_type_qstringornone, 0 },
- { "port", &cfg_type_uint32, 0 },
- { "querylog", &cfg_type_boolean, 0 },
- { "recursing-file", &cfg_type_qstring, 0 },
- { "random-device", &cfg_type_qstring, 0 },
- { "recursive-clients", &cfg_type_uint32, 0 },
- { "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
- { "serial-query-rate", &cfg_type_uint32, 0 },
- { "server-id", &cfg_type_serverid, 0 },
- { "stacksize", &cfg_type_size, 0 },
- { "statistics-file", &cfg_type_qstring, 0 },
- { "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_NYI },
- { "tcp-clients", &cfg_type_uint32, 0 },
- { "tcp-listen-queue", &cfg_type_uint32, 0 },
- { "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
- { "tkey-gssapi-credential", &cfg_type_qstring, 0 },
- { "tkey-domain", &cfg_type_qstring, 0 },
- { "transfers-per-ns", &cfg_type_uint32, 0 },
- { "transfers-in", &cfg_type_uint32, 0 },
- { "transfers-out", &cfg_type_uint32, 0 },
- { "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "use-ixfr", &cfg_type_boolean, 0 },
- { "version", &cfg_type_qstringornone, 0 },
- { "flush-zones-on-shutdown", &cfg_type_boolean, 0 },
- { NULL, NULL, 0 }
-};
-
-
-static cfg_type_t cfg_type_namelist = {
- "namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
- cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring };
-
-static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
-
-static cfg_type_t cfg_type_optional_exclude = {
- "optional_exclude", parse_optional_keyvalue, print_keyvalue,
- doc_optional_keyvalue, &cfg_rep_list, &exclude_kw };
-
-static cfg_type_t cfg_type_algorithmlist = {
- "algorithmlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
- cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring };
-
-static cfg_tuplefielddef_t disablealgorithm_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "algorithms", &cfg_type_algorithmlist, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_disablealgorithm = {
- "disablealgorithm", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, disablealgorithm_fields
-};
-
-static cfg_tuplefielddef_t mustbesecure_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "value", &cfg_type_boolean, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_mustbesecure = {
- "mustbesecure", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, mustbesecure_fields
-};
-
-/*
- * dnssec-lookaside
- */
-
-static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
-
-static cfg_type_t cfg_type_trustanchor = {
- "trust-anchor", parse_keyvalue, print_keyvalue, doc_keyvalue,
- &cfg_rep_string, &trustanchor_kw
-};
-
-static cfg_tuplefielddef_t lookaside_fields[] = {
- { "domain", &cfg_type_astring, 0 },
- { "trust-anchor", &cfg_type_trustanchor, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_lookaside = {
- "lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, lookaside_fields
-};
-
-/*
- * Clauses that can be found within the 'view' statement,
- * with defaults in the 'options' statement.
- */
-
-static cfg_clausedef_t
-view_clauses[] = {
- { "allow-recursion", &cfg_type_bracketed_aml, 0 },
- { "allow-v6-synthesis", &cfg_type_bracketed_aml,
- CFG_CLAUSEFLAG_OBSOLETE },
- { "sortlist", &cfg_type_bracketed_aml, 0 },
- { "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
- { "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
- { "minimal-responses", &cfg_type_boolean, 0 },
- { "recursion", &cfg_type_boolean, 0 },
- { "rrset-order", &cfg_type_rrsetorder, 0 },
- { "provide-ixfr", &cfg_type_boolean, 0 },
- { "request-ixfr", &cfg_type_boolean, 0 },
- { "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
- { "additional-from-auth", &cfg_type_boolean, 0 },
- { "additional-from-cache", &cfg_type_boolean, 0 },
- /*
- * Note that the query-source option syntax is different
- * from the other -source options.
- */
- { "query-source", &cfg_type_querysource4, 0 },
- { "query-source-v6", &cfg_type_querysource6, 0 },
- { "cleaning-interval", &cfg_type_uint32, 0 },
- { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
- { "lame-ttl", &cfg_type_uint32, 0 },
- { "max-ncache-ttl", &cfg_type_uint32, 0 },
- { "max-cache-ttl", &cfg_type_uint32, 0 },
- { "transfer-format", &cfg_type_transferformat, 0 },
- { "max-cache-size", &cfg_type_sizenodefault, 0 },
- { "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
- { "cache-file", &cfg_type_qstring, 0 },
- { "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
- { "preferred-glue", &cfg_type_astring, 0 },
- { "dual-stack-servers", &cfg_type_nameportiplist, 0 },
- { "edns-udp-size", &cfg_type_uint32, 0 },
- { "root-delegation-only", &cfg_type_optional_exclude, 0 },
- { "disable-algorithms", &cfg_type_disablealgorithm,
- CFG_CLAUSEFLAG_MULTI },
- { "dnssec-enable", &cfg_type_boolean, 0 },
- { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
- { "dnssec-must-be-secure", &cfg_type_mustbesecure,
- CFG_CLAUSEFLAG_MULTI },
- { NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found within the 'view' statement only.
- */
-static cfg_clausedef_t
-view_only_clauses[] = {
- { "match-clients", &cfg_type_bracketed_aml, 0 },
- { "match-destinations", &cfg_type_bracketed_aml, 0 },
- { "match-recursive-only", &cfg_type_boolean, 0 },
- { NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found in a 'zone' statement,
- * with defaults in the 'view' or 'options' statement.
- */
-static cfg_clausedef_t
-zone_clauses[] = {
- { "allow-query", &cfg_type_bracketed_aml, 0 },
- { "allow-transfer", &cfg_type_bracketed_aml, 0 },
- { "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
- { "allow-notify", &cfg_type_bracketed_aml, 0 },
- { "notify", &cfg_type_notifytype, 0 },
- { "notify-source", &cfg_type_sockaddr4wild, 0 },
- { "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
- { "also-notify", &cfg_type_portiplist, 0 },
- { "dialup", &cfg_type_dialuptype, 0 },
- { "forward", &cfg_type_forwardtype, 0 },
- { "forwarders", &cfg_type_portiplist, 0 },
- { "ixfr-from-differences", &cfg_type_boolean, 0 },
- { "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
- { "max-journal-size", &cfg_type_sizenodefault, 0 },
- { "max-transfer-time-in", &cfg_type_uint32, 0 },
- { "max-transfer-time-out", &cfg_type_uint32, 0 },
- { "max-transfer-idle-in", &cfg_type_uint32, 0 },
- { "max-transfer-idle-out", &cfg_type_uint32, 0 },
- { "max-retry-time", &cfg_type_uint32, 0 },
- { "min-retry-time", &cfg_type_uint32, 0 },
- { "max-refresh-time", &cfg_type_uint32, 0 },
- { "min-refresh-time", &cfg_type_uint32, 0 },
- { "multi-master", &cfg_type_boolean, 0 },
- { "sig-validity-interval", &cfg_type_uint32, 0 },
- { "transfer-source", &cfg_type_sockaddr4wild, 0 },
- { "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
- { "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
- { "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
- { "use-alt-transfer-source", &cfg_type_boolean, 0 },
- { "zone-statistics", &cfg_type_boolean, 0 },
- { "key-directory", &cfg_type_qstring, 0 },
- { NULL, NULL, 0 }
-};
-
-/*
- * Clauses that can be found in a 'zone' statement
- * only.
- */
-static cfg_clausedef_t
-zone_only_clauses[] = {
- { "type", &cfg_type_zonetype, 0 },
- { "allow-update", &cfg_type_bracketed_aml, 0 },
- { "file", &cfg_type_qstring, 0 },
- { "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
- { "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
- { "masters", &cfg_type_namesockaddrkeylist, 0 },
- { "pubkey", &cfg_type_pubkey,
- CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
- { "update-policy", &cfg_type_updatepolicy, 0 },
- { "database", &cfg_type_astring, 0 },
- { "delegation-only", &cfg_type_boolean, 0 },
- /*
- * Note that the format of the check-names option is different between
- * the zone options and the global/view options. Ugh.
- */
- { "check-names", &cfg_type_checkmode, 0 },
- { NULL, NULL, 0 }
-};
-
-
-/* The top-level named.conf syntax. */
-
-static cfg_clausedef_t *
-namedconf_clausesets[] = {
- namedconf_clauses,
- namedconf_or_view_clauses,
- NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
- "namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
- &cfg_rep_map, namedconf_clausesets
-};
-
-/* The "options" statement syntax. */
-
-static cfg_clausedef_t *
-options_clausesets[] = {
- options_clauses,
- view_clauses,
- zone_clauses,
- NULL
-};
-static cfg_type_t cfg_type_options = {
- "options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, options_clausesets };
-
-/* The "view" statement syntax. */
-
-static cfg_clausedef_t *
-view_clausesets[] = {
- view_only_clauses,
- namedconf_or_view_clauses,
- view_clauses,
- zone_clauses,
- NULL
-};
-static cfg_type_t cfg_type_viewopts = {
- "view", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, view_clausesets };
-
-/* The "zone" statement syntax. */
-
-static cfg_clausedef_t *
-zone_clausesets[] = {
- zone_only_clauses,
- zone_clauses,
- NULL
-};
-static cfg_type_t cfg_type_zoneopts = {
- "zoneopts", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, zone_clausesets };
-
-/*
- * Clauses that can be found within the 'key' statement.
- */
-static cfg_clausedef_t
-key_clauses[] = {
- { "algorithm", &cfg_type_astring, 0 },
- { "secret", &cfg_type_astring, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-key_clausesets[] = {
- key_clauses,
- NULL
-};
-static cfg_type_t cfg_type_key = {
- "key", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, key_clausesets };
-
-
-/*
- * Clauses that can be found in a 'server' statement.
- */
-static cfg_clausedef_t
-server_clauses[] = {
- { "bogus", &cfg_type_boolean, 0 },
- { "provide-ixfr", &cfg_type_boolean, 0 },
- { "request-ixfr", &cfg_type_boolean, 0 },
- { "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
- { "transfers", &cfg_type_uint32, 0 },
- { "transfer-format", &cfg_type_transferformat, 0 },
- { "keys", &cfg_type_server_key_kludge, 0 },
- { "edns", &cfg_type_boolean, 0 },
- { "transfer-source", &cfg_type_sockaddr4wild, 0 },
- { "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-server_clausesets[] = {
- server_clauses,
- NULL
-};
-static cfg_type_t cfg_type_server = {
- "server", cfg_parse_addressed_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
- server_clausesets
-};
-
-
-/*
- * Clauses that can be found in a 'channel' clause in the
- * 'logging' statement.
- *
- * These have some additional constraints that need to be
- * checked after parsing:
- * - There must exactly one of file/syslog/null/stderr
- *
- */
-static cfg_clausedef_t
-channel_clauses[] = {
- /* Destinations. We no longer require these to be first. */
- { "file", &cfg_type_logfile, 0 },
- { "syslog", &cfg_type_optional_facility, 0 },
- { "null", &cfg_type_void, 0 },
- { "stderr", &cfg_type_void, 0 },
- /* Options. We now accept these for the null channel, too. */
- { "severity", &cfg_type_logseverity, 0 },
- { "print-time", &cfg_type_boolean, 0 },
- { "print-severity", &cfg_type_boolean, 0 },
- { "print-category", &cfg_type_boolean, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-channel_clausesets[] = {
- channel_clauses,
- NULL
-};
-static cfg_type_t cfg_type_channel = {
- "channel", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
- &cfg_rep_map, channel_clausesets
-};
-
-/* A list of log destination, used in the "category" clause. */
-static cfg_type_t cfg_type_destinationlist = {
- "destinationlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_astring };
-
-/*
- * Clauses that can be found in a 'logging' statement.
- */
-static cfg_clausedef_t
-logging_clauses[] = {
- { "channel", &cfg_type_channel, CFG_CLAUSEFLAG_MULTI },
- { "category", &cfg_type_category, CFG_CLAUSEFLAG_MULTI },
- { NULL, NULL, 0 }
-};
-static cfg_clausedef_t *
-logging_clausesets[] = {
- logging_clauses,
- NULL
-};
-static cfg_type_t cfg_type_logging = {
- "logging", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, logging_clausesets };
-
-
-static isc_result_t
-parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
- char *endp;
- unsigned int len;
- isc_uint64_t value;
- isc_uint64_t unit;
-
- value = isc_string_touint64(str, &endp, 10);
- if (*endp == 0) {
- *valuep = value;
- return (ISC_R_SUCCESS);
- }
-
- len = strlen(str);
- if (len < 2 || endp[1] != '\0')
- return (ISC_R_FAILURE);
-
- switch (str[len - 1]) {
- case 'k':
- case 'K':
- unit = 1024;
- break;
- case 'm':
- case 'M':
- unit = 1024 * 1024;
- break;
- case 'g':
- case 'G':
- unit = 1024 * 1024 * 1024;
- break;
- default:
- return (ISC_R_FAILURE);
- }
- if (value > ISC_UINT64_MAX / unit)
- return (ISC_R_FAILURE);
- *valuep = value * unit;
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- isc_uint64_t val;
-
- UNUSED(type);
-
- CHECK(cfg_gettoken(pctx, 0));
- if (pctx->token.type != isc_tokentype_string) {
- result = ISC_R_UNEXPECTEDTOKEN;
- goto cleanup;
- }
- CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
-
- CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
- obj->value.uint64 = val;
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected integer and optional unit");
- return (result);
-}
-
-/*
- * A size value (number + optional unit).
- */
-static cfg_type_t cfg_type_sizeval = {
- "sizeval", parse_sizeval, cfg_print_uint64, cfg_doc_terminal,
- &cfg_rep_uint64, NULL };
-
-/*
- * A size, "unlimited", or "default".
- */
-
-static isc_result_t
-parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
-}
-
-static const char *size_enums[] = { "unlimited", "default", NULL };
-static cfg_type_t cfg_type_size = {
- "size", parse_size, cfg_print_ustring, cfg_doc_terminal,
- &cfg_rep_string, size_enums
-};
-
-/*
- * A size or "unlimited", but not "default".
- */
-static const char *sizenodefault_enums[] = { "unlimited", NULL };
-static cfg_type_t cfg_type_sizenodefault = {
- "size_no_default", parse_size, cfg_print_ustring, cfg_doc_terminal,
- &cfg_rep_string, sizenodefault_enums
-};
-
-/*
- * optional_keyvalue
- */
-static isc_result_t
-parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
- isc_boolean_t optional, cfg_obj_t **ret)
-{
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- const keyword_type_t *kw = type->of;
-
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_string &&
- strcasecmp(TOKEN_STRING(pctx), kw->name) == 0) {
- CHECK(cfg_gettoken(pctx, 0));
- CHECK(kw->type->parse(pctx, kw->type, &obj));
- obj->type = type; /* XXX kludge */
- } else {
- if (optional) {
- CHECK(cfg_parse_void(pctx, NULL, &obj));
- } else {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected '%s'",
- kw->name);
- result = ISC_R_UNEXPECTEDTOKEN;
- goto cleanup;
- }
- }
- *ret = obj;
- cleanup:
- return (result);
-}
-
-static isc_result_t
-parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
- const cfg_type_t *othertype, cfg_obj_t **ret)
-{
- isc_result_t result;
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_string &&
- cfg_is_enum(TOKEN_STRING(pctx), enumtype->of)) {
- CHECK(cfg_parse_enum(pctx, enumtype, ret));
- } else {
- CHECK(cfg_parse_obj(pctx, othertype, ret));
- }
- cleanup:
- return (result);
-}
-
-static void
-doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *type) {
- cfg_doc_terminal(pctx, type);
-#if 0 /* XXX */
- cfg_print_chars(pctx, "( ", 2);...
-#endif
-
-}
-
-static isc_result_t
-parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_maybe_optional_keyvalue(pctx, type, ISC_FALSE, ret));
-}
-
-static isc_result_t
-parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_maybe_optional_keyvalue(pctx, type, ISC_TRUE, ret));
-}
-
-static void
-print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj) {
- const keyword_type_t *kw = obj->type->of;
- cfg_print_cstr(pctx, kw->name);
- cfg_print_chars(pctx, " ", 1);
- kw->type->print(pctx, obj);
-}
-
-static void
-doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
- const keyword_type_t *kw = type->of;
- cfg_print_cstr(pctx, kw->name);
- cfg_print_chars(pctx, " ", 1);
- cfg_doc_obj(pctx, kw->type);
-}
-
-static void
-doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
- const keyword_type_t *kw = type->of;
- cfg_print_chars(pctx, "[ ", 2);
- cfg_print_cstr(pctx, kw->name);
- cfg_print_chars(pctx, " ", 1);
- cfg_doc_obj(pctx, kw->type);
- cfg_print_chars(pctx, " ]", 2);
-}
-
-static const char *dialup_enums[] = {
- "notify", "notify-passive", "refresh", "passive", NULL };
-static isc_result_t
-parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_dialuptype = {
- "dialuptype", parse_dialup_type, cfg_print_ustring, doc_enum_or_other,
- &cfg_rep_string, dialup_enums
-};
-
-static const char *notify_enums[] = { "explicit", NULL };
-static isc_result_t
-parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
-}
-static cfg_type_t cfg_type_notifytype = {
- "notifytype", parse_notify_type, cfg_print_ustring, doc_enum_or_other,
- &cfg_rep_string, notify_enums,
-};
-
-static keyword_type_t key_kw = { "key", &cfg_type_astring };
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
- "keyref", parse_keyvalue, print_keyvalue, doc_keyvalue,
- &cfg_rep_string, &key_kw
-};
-
-static cfg_type_t cfg_type_optional_keyref = {
- "optional_keyref", parse_optional_keyvalue, print_keyvalue,
- doc_optional_keyvalue, &cfg_rep_string, &key_kw
-};
-
-/*
- * A "controls" statement is represented as a map with the multivalued
- * "inet" and "unix" clauses. Inet controls are tuples; unix controls
- * are cfg_unsupported_t objects.
- */
-
-static keyword_type_t controls_allow_kw = {
- "allow", &cfg_type_bracketed_aml };
-static cfg_type_t cfg_type_controls_allow = {
- "controls_allow", parse_keyvalue,
- print_keyvalue, doc_keyvalue,
- &cfg_rep_list, &controls_allow_kw
-};
-
-static keyword_type_t controls_keys_kw = {
- "keys", &cfg_type_keylist };
-static cfg_type_t cfg_type_controls_keys = {
- "controls_keys", parse_optional_keyvalue,
- print_keyvalue, doc_optional_keyvalue,
- &cfg_rep_list, &controls_keys_kw
-};
-
-static cfg_tuplefielddef_t inetcontrol_fields[] = {
- { "address", &cfg_type_controls_sockaddr, 0 },
- { "allow", &cfg_type_controls_allow, 0 },
- { "keys", &cfg_type_controls_keys, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_inetcontrol = {
- "inetcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- inetcontrol_fields
-};
-
-static cfg_clausedef_t
-controls_clauses[] = {
- { "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
- { "unix", &cfg_type_unsupported,
- CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_NOTIMP },
- { NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-controls_clausesets[] = {
- controls_clauses,
- NULL
-};
-static cfg_type_t cfg_type_controls = {
- "controls", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, &controls_clausesets
-};
-
-/*
- * An optional class, as used in view and zone statements.
- */
-static isc_result_t
-parse_optional_class(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- UNUSED(type);
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_string)
- CHECK(cfg_parse_obj(pctx, &cfg_type_ustring, ret));
- else
- CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
- cleanup:
- return (result);
-}
-
-static cfg_type_t cfg_type_optional_class = {
- "optional_class", parse_optional_class, NULL, cfg_doc_terminal,
- NULL, NULL
-};
-
-static isc_result_t
-parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- isc_netaddr_t netaddr;
- in_port_t port;
- unsigned int have_address = 0;
- unsigned int have_port = 0;
-
- if ((flags & CFG_ADDR_V4OK) != 0)
- isc_netaddr_any(&netaddr);
- else if ((flags & CFG_ADDR_V6OK) != 0)
- isc_netaddr_any6(&netaddr);
- else
- INSIST(0);
-
- port = 0;
-
- CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
- for (;;) {
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_string) {
- if (strcasecmp(TOKEN_STRING(pctx),
- "address") == 0)
- {
- /* read "address" */
- CHECK(cfg_gettoken(pctx, 0));
- CHECK(cfg_parse_rawaddr(pctx,
- flags | CFG_ADDR_WILDOK,
- &netaddr));
- have_address++;
- } else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
- {
- /* read "port" */
- CHECK(cfg_gettoken(pctx, 0));
- CHECK(cfg_parse_rawport(pctx,
- CFG_ADDR_WILDOK,
- &port));
- have_port++;
- } else {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "expected 'address' or 'port'");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- } else
- break;
- }
- if (have_address > 1 || have_port > 1 ||
- have_address + have_port == 0) {
- cfg_parser_error(pctx, 0, "expected one address and/or port");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
-
- isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid query source");
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-static isc_result_t
-parse_querysource4(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- UNUSED(type);
- return (parse_querysource(pctx, CFG_ADDR_V4OK, ret));
-}
-
-static isc_result_t
-parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- UNUSED(type);
- return (parse_querysource(pctx, CFG_ADDR_V6OK, ret));
-}
-
-static void
-print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) {
- isc_netaddr_t na;
- isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
- cfg_print_chars(pctx, "address ", 8);
- cfg_print_rawaddr(pctx, &na);
- cfg_print_chars(pctx, " port ", 6);
- cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
-}
-
-static cfg_type_t cfg_type_querysource4 = {
- "querysource4", parse_querysource4, NULL, cfg_doc_terminal,
- NULL, NULL
-};
-static cfg_type_t cfg_type_querysource6 = {
- "querysource6", parse_querysource6, NULL, cfg_doc_terminal,
- NULL, NULL
-};
-static cfg_type_t cfg_type_querysource = {
- "querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL };
-
-/* addrmatchelt */
-
-static isc_result_t
-parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- UNUSED(type);
-
- CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
-
- if (pctx->token.type == isc_tokentype_string ||
- pctx->token.type == isc_tokentype_qstring) {
- if (pctx->token.type == isc_tokentype_string &&
- (strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
- CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
- } else {
- if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK |
- CFG_ADDR_V4PREFIXOK |
- CFG_ADDR_V6OK))
- {
- CHECK(cfg_parse_netprefix(pctx, NULL, ret));
- } else {
- CHECK(cfg_parse_astring(pctx, NULL, ret));
- }
- }
- } else if (pctx->token.type == isc_tokentype_special) {
- if (pctx->token.value.as_char == '{') {
- /* Nested match list. */
- CHECK(cfg_parse_obj(pctx, &cfg_type_bracketed_aml, ret));
- } else if (pctx->token.value.as_char == '!') {
- CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
- CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
- } else {
- goto bad;
- }
- } else {
- bad:
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "expected IP match list element");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- cleanup:
- return (result);
-}
-
-/*
- * A negated address match list element (like "! 10.0.0.1").
- * Somewhat sneakily, the caller is expected to parse the
- * "!", but not to print it.
- */
-
-static cfg_tuplefielddef_t negated_fields[] = {
- { "value", &cfg_type_addrmatchelt, 0 },
- { NULL, NULL, 0 }
-};
-
-static void
-print_negated(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_print_chars(pctx, "!", 1);
- cfg_print_tuple(pctx, obj);
-}
-
-static cfg_type_t cfg_type_negated = {
- "negated", cfg_parse_tuple, print_negated, NULL, &cfg_rep_tuple,
- &negated_fields
-};
-
-/* An address match list element */
-
-static cfg_type_t cfg_type_addrmatchelt = {
- "address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
- NULL, NULL
-};
-
-/* A bracketed address match list */
-
-static cfg_type_t cfg_type_bracketed_aml = {
- "bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
- cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
-};
-
-/*
- * The socket address syntax in the "controls" statement is silly.
- * It allows both socket address families, but also allows "*",
- * whis is gratuitously interpreted as the IPv4 wildcard address.
- */
-static unsigned int controls_sockaddr_flags =
- CFG_ADDR_V4OK | CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
-static cfg_type_t cfg_type_controls_sockaddr = {
- "controls_sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
- cfg_doc_sockaddr, &cfg_rep_sockaddr, &controls_sockaddr_flags
-};
-
-/*
- * Handle the special kludge syntax of the "keys" clause in the "server"
- * statement, which takes a single key with or without braces and semicolon.
- */
-static isc_result_t
-parse_server_key_kludge(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
- isc_result_t result;
- isc_boolean_t braces = ISC_FALSE;
- UNUSED(type);
-
- /* Allow opening brace. */
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special &&
- pctx->token.value.as_char == '{') {
- result = cfg_gettoken(pctx, 0);
- braces = ISC_TRUE;
- }
-
- CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
-
- if (braces) {
- /* Skip semicolon if present. */
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special &&
- pctx->token.value.as_char == ';')
- CHECK(cfg_gettoken(pctx, 0));
-
- CHECK(cfg_parse_special(pctx, '}'));
- }
- cleanup:
- return (result);
-}
-static cfg_type_t cfg_type_server_key_kludge = {
- "server_key", parse_server_key_kludge, NULL, cfg_doc_terminal,
- NULL, NULL
-};
-
-
-/*
- * An optional logging facility.
- */
-
-static isc_result_t
-parse_optional_facility(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
- isc_result_t result;
- UNUSED(type);
-
- CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
- if (pctx->token.type == isc_tokentype_string ||
- pctx->token.type == isc_tokentype_qstring) {
- CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
- } else {
- CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
- }
- cleanup:
- return (result);
-}
-
-static cfg_type_t cfg_type_optional_facility = {
- "optional_facility", parse_optional_facility, NULL, cfg_doc_terminal,
- NULL, NULL };
-
-
-/*
- * A log severity. Return as a string, except "debug N",
- * which is returned as a keyword object.
- */
-
-static keyword_type_t debug_kw = { "debug", &cfg_type_uint32 };
-static cfg_type_t cfg_type_debuglevel = {
- "debuglevel", parse_keyvalue,
- print_keyvalue, doc_keyvalue,
- &cfg_rep_uint32, &debug_kw
-};
-
-static isc_result_t
-parse_logseverity(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- UNUSED(type);
-
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_string &&
- strcasecmp(TOKEN_STRING(pctx), "debug") == 0) {
- CHECK(cfg_gettoken(pctx, 0)); /* read "debug" */
- CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER));
- if (pctx->token.type == isc_tokentype_number) {
- CHECK(cfg_parse_uint32(pctx, NULL, ret));
- } else {
- /*
- * The debug level is optional and defaults to 1.
- * This makes little sense, but we support it for
- * compatibility with BIND 8.
- */
- CHECK(cfg_create_obj(pctx, &cfg_type_uint32, ret));
- (*ret)->value.uint32 = 1;
- }
- (*ret)->type = &cfg_type_debuglevel; /* XXX kludge */
- } else {
- CHECK(cfg_parse_obj(pctx, &cfg_type_loglevel, ret));
- }
- cleanup:
- return (result);
-}
-
-static cfg_type_t cfg_type_logseverity = {
- "log_severity", parse_logseverity, NULL, cfg_doc_terminal,
- NULL, NULL };
-
-/*
- * The "file" clause of the "channel" statement.
- * This is yet another special case.
- */
-
-static const char *logversions_enums[] = { "unlimited", NULL };
-static isc_result_t
-parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
-}
-static cfg_type_t cfg_type_logversions = {
- "logversions", parse_logversions, cfg_print_ustring, cfg_doc_terminal,
- &cfg_rep_string, logversions_enums
-};
-
-static cfg_tuplefielddef_t logfile_fields[] = {
- { "file", &cfg_type_qstring, 0 },
- { "versions", &cfg_type_logversions, 0 },
- { "size", &cfg_type_size, 0 },
- { NULL, NULL, 0 }
-};
-
-static isc_result_t
-parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- const cfg_tuplefielddef_t *fields = type->of;
-
- CHECK(cfg_create_tuple(pctx, type, &obj));
-
- /* Parse the mandatory "file" field */
- CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
-
- /* Parse "versions" and "size" fields in any order. */
- for (;;) {
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_string) {
- CHECK(cfg_gettoken(pctx, 0));
- if (strcasecmp(TOKEN_STRING(pctx),
- "versions") == 0 &&
- obj->value.tuple[1] == NULL) {
- CHECK(cfg_parse_obj(pctx, fields[1].type,
- &obj->value.tuple[1]));
- } else if (strcasecmp(TOKEN_STRING(pctx),
- "size") == 0 &&
- obj->value.tuple[2] == NULL) {
- CHECK(cfg_parse_obj(pctx, fields[2].type,
- &obj->value.tuple[2]));
- } else {
- break;
- }
- } else {
- break;
- }
- }
-
- /* Create void objects for missing optional values. */
- if (obj->value.tuple[1] == NULL)
- CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
- if (obj->value.tuple[2] == NULL)
- CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
-
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-static void
-print_logfile(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
- if (obj->value.tuple[1]->type->print != cfg_print_void) {
- cfg_print_chars(pctx, " versions ", 10);
- cfg_print_obj(pctx, obj->value.tuple[1]);
- }
- if (obj->value.tuple[2]->type->print != cfg_print_void) {
- cfg_print_chars(pctx, " size ", 6);
- cfg_print_obj(pctx, obj->value.tuple[2]);
- }
-}
-
-static cfg_type_t cfg_type_logfile = {
- "log_file", parse_logfile, print_logfile, cfg_doc_terminal,
- &cfg_rep_tuple, logfile_fields
-};
-
-/* An IPv4/IPv6 address with optional port, "*" accepted as wildcard. */
-static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
-static cfg_type_t cfg_type_sockaddr4wild = {
- "sockaddr4wild", cfg_parse_sockaddr, cfg_print_sockaddr,
- cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr4wild_flags
-};
-
-static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
-static cfg_type_t cfg_type_sockaddr6wild = {
- "v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr,
- cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr6wild_flags
-};
-
-/*
- * lwres
- */
-
-static cfg_tuplefielddef_t lwres_view_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "class", &cfg_type_optional_class, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_lwres_view = {
- "lwres_view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
- lwres_view_fields
-};
-
-static cfg_type_t cfg_type_lwres_searchlist = {
- "lwres_searchlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_astring };
-
-static cfg_clausedef_t
-lwres_clauses[] = {
- { "listen-on", &cfg_type_portiplist, 0 },
- { "view", &cfg_type_lwres_view, 0 },
- { "search", &cfg_type_lwres_searchlist, 0 },
- { "ndots", &cfg_type_uint32, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-lwres_clausesets[] = {
- lwres_clauses,
- NULL
-};
-static cfg_type_t cfg_type_lwres = {
- "lwres", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, lwres_clausesets };
-
-/*
- * rndc
- */
-
-static cfg_clausedef_t
-rndcconf_options_clauses[] = {
- { "default-server", &cfg_type_astring, 0 },
- { "default-key", &cfg_type_astring, 0 },
- { "default-port", &cfg_type_uint32, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_options_clausesets[] = {
- rndcconf_options_clauses,
- NULL
-};
-
-static cfg_type_t cfg_type_rndcconf_options = {
- "rndcconf_options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
- rndcconf_options_clausesets
-};
-
-static cfg_clausedef_t
-rndcconf_server_clauses[] = {
- { "key", &cfg_type_astring, 0 },
- { "port", &cfg_type_uint32, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_server_clausesets[] = {
- rndcconf_server_clauses,
- NULL
-};
-
-static cfg_type_t cfg_type_rndcconf_server = {
- "rndcconf_server", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
- rndcconf_server_clausesets
-};
-
-static cfg_clausedef_t
-rndcconf_clauses[] = {
- { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
- { "server", &cfg_type_rndcconf_server, CFG_CLAUSEFLAG_MULTI },
- { "options", &cfg_type_rndcconf_options, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndcconf_clausesets[] = {
- rndcconf_clauses,
- NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndcconf = {
- "rndcconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
- &cfg_rep_map, rndcconf_clausesets
-};
-
-static cfg_clausedef_t
-rndckey_clauses[] = {
- { "key", &cfg_type_key, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_clausedef_t *
-rndckey_clausesets[] = {
- rndckey_clauses,
- NULL
-};
-
-LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
- "rndckey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
- &cfg_rep_map, rndckey_clausesets
-};
-
-static cfg_tuplefielddef_t nameport_fields[] = {
- { "name", &cfg_type_astring, 0 },
- { "port", &cfg_type_optional_port, 0 },
- { NULL, NULL, 0 }
-};
-static cfg_type_t cfg_type_nameport = {
- "nameport", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, nameport_fields
-};
-
-static void
-doc_sockaddrnameport(cfg_printer_t *pctx, const cfg_type_t *type) {
- UNUSED(type);
- cfg_print_chars(pctx, "( ", 2);
- cfg_print_cstr(pctx, "<quoted_string>");
- cfg_print_chars(pctx, " ", 1);
- cfg_print_cstr(pctx, "[port <integer>]");
- cfg_print_chars(pctx, " | ", 3);
- cfg_print_cstr(pctx, "<ipv4_address>");
- cfg_print_chars(pctx, " ", 1);
- cfg_print_cstr(pctx, "[port <integer>]");
- cfg_print_chars(pctx, " | ", 3);
- cfg_print_cstr(pctx, "<ipv6_address>");
- cfg_print_chars(pctx, " ", 1);
- cfg_print_cstr(pctx, "[port <integer>]");
- cfg_print_chars(pctx, " )", 2);
-}
-
-static isc_result_t
-parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- UNUSED(type);
-
- CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
- if (pctx->token.type == isc_tokentype_string ||
- pctx->token.type == isc_tokentype_qstring) {
- if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
- CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
- else {
- const cfg_tuplefielddef_t *fields =
- cfg_type_nameport.of;
- CHECK(cfg_create_tuple(pctx, &cfg_type_nameport,
- &obj));
- CHECK(cfg_parse_obj(pctx, fields[0].type,
- &obj->value.tuple[0]));
- CHECK(cfg_parse_obj(pctx, fields[1].type,
- &obj->value.tuple[1]));
- *ret = obj;
- obj = NULL;
- }
- } else {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "expected IP address or hostname");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-static cfg_type_t cfg_type_sockaddrnameport = {
- "sockaddrnameport_element", parse_sockaddrnameport, NULL,
- doc_sockaddrnameport, NULL, NULL
-};
-
-static cfg_type_t cfg_type_bracketed_sockaddrnameportlist = {
- "bracketed_sockaddrnameportlist", cfg_parse_bracketed_list,
- cfg_print_bracketed_list, cfg_doc_bracketed_list,
- &cfg_rep_list, &cfg_type_sockaddrnameport
-};
-
-/*
- * A list of socket addresses or name with an optional default port,
- * as used in the dual-stack-servers option. E.g.,
- * "port 1234 { dual-stack-servers.net; 10.0.0.1; 1::2 port 69; }"
- */
-static cfg_tuplefielddef_t nameportiplist_fields[] = {
- { "port", &cfg_type_optional_port, 0 },
- { "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
- { NULL, NULL, 0 }
-};
-
-static cfg_type_t cfg_type_nameportiplist = {
- "nameportiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
- &cfg_rep_tuple, nameportiplist_fields
-};
-
-/*
- * masters element.
- */
-
-static void
-doc_masterselement(cfg_printer_t *pctx, const cfg_type_t *type) {
- UNUSED(type);
- cfg_print_chars(pctx, "( ", 2);
- cfg_print_cstr(pctx, "<masters>");
- cfg_print_chars(pctx, " | ", 3);
- cfg_print_cstr(pctx, "<ipv4_address>");
- cfg_print_chars(pctx, " ", 1);
- cfg_print_cstr(pctx, "[port <integer>]");
- cfg_print_chars(pctx, " | ", 3);
- cfg_print_cstr(pctx, "<ipv6_address>");
- cfg_print_chars(pctx, " ", 1);
- cfg_print_cstr(pctx, "[port <integer>]");
- cfg_print_chars(pctx, " )", 2);
-}
-
-static isc_result_t
-parse_masterselement(cfg_parser_t *pctx, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- UNUSED(type);
-
- CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
- if (pctx->token.type == isc_tokentype_string ||
- pctx->token.type == isc_tokentype_qstring) {
- if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
- CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
- else
- CHECK(cfg_parse_astring(pctx, &cfg_type_astring, ret));
- } else {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "expected IP address or masters name");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-static cfg_type_t cfg_type_masterselement = {
- "masters_element", parse_masterselement, NULL,
- doc_masterselement, NULL, NULL
-};
diff --git a/contrib/bind9/lib/isccfg/parser.c b/contrib/bind9/lib/isccfg/parser.c
deleted file mode 100644
index f72c3c2b9265..000000000000
--- a/contrib/bind9/lib/isccfg/parser.c
+++ /dev/null
@@ -1,2289 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: parser.c,v 1.70.2.20.2.18 2004/05/15 03:46:13 jinmei Exp $ */
-
-#include <config.h>
-
-#include <isc/buffer.h>
-#include <isc/dir.h>
-#include <isc/formatcheck.h>
-#include <isc/lex.h>
-#include <isc/log.h>
-#include <isc/mem.h>
-#include <isc/net.h>
-#include <isc/netaddr.h>
-#include <isc/print.h>
-#include <isc/string.h>
-#include <isc/sockaddr.h>
-#include <isc/netscope.h>
-#include <isc/util.h>
-#include <isc/symtab.h>
-
-#include <isccfg/cfg.h>
-#include <isccfg/grammar.h>
-#include <isccfg/log.h>
-
-/* Shorthand */
-#define CAT CFG_LOGCATEGORY_CONFIG
-#define MOD CFG_LOGMODULE_PARSER
-
-#define MAP_SYM 1 /* Unique type for isc_symtab */
-
-#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
-
-/* Check a return value. */
-#define CHECK(op) \
- do { result = (op); \
- if (result != ISC_R_SUCCESS) goto cleanup; \
- } while (0)
-
-/* Clean up a configuration object if non-NULL. */
-#define CLEANUP_OBJ(obj) \
- do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
-
-
-/*
- * Forward declarations of static functions.
- */
-
-static void
-free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
-
-static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj);
-
-static void
-free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp);
-
-static isc_result_t
-create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
- cfg_obj_t **ret);
-
-static void
-free_string(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
-
-static void
-free_map(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-parse_symtab_elt(cfg_parser_t *pctx, const char *name,
- cfg_type_t *elttype, isc_symtab_t *symtab,
- isc_boolean_t callback);
-
-static void
-free_noop(cfg_parser_t *pctx, cfg_obj_t *obj);
-
-static isc_result_t
-cfg_getstringtoken(cfg_parser_t *pctx);
-
-static void
-parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
- unsigned int flags, const char *format, va_list args);
-
-/*
- * Data representations. These correspond to members of the
- * "value" union in struct cfg_obj (except "void", which does
- * not need a union member).
- */
-
-cfg_rep_t cfg_rep_uint32 = { "uint32", free_noop };
-cfg_rep_t cfg_rep_uint64 = { "uint64", free_noop };
-cfg_rep_t cfg_rep_string = { "string", free_string };
-cfg_rep_t cfg_rep_boolean = { "boolean", free_noop };
-cfg_rep_t cfg_rep_map = { "map", free_map };
-cfg_rep_t cfg_rep_list = { "list", free_list };
-cfg_rep_t cfg_rep_tuple = { "tuple", free_tuple };
-cfg_rep_t cfg_rep_sockaddr = { "sockaddr", free_noop };
-cfg_rep_t cfg_rep_netprefix = { "netprefix", free_noop };
-cfg_rep_t cfg_rep_void = { "void", free_noop };
-
-/*
- * Configuration type definitions.
- */
-
-/*
- * An implicit list. These are formed by clauses that occur multiple times.
- */
-static cfg_type_t cfg_type_implicitlist = {
- "implicitlist", NULL, print_list, NULL, &cfg_rep_list, NULL };
-
-/* Functions. */
-
-void
-cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj) {
- obj->type->print(pctx, obj);
-}
-
-void
-cfg_print_chars(cfg_printer_t *pctx, const char *text, int len) {
- pctx->f(pctx->closure, text, len);
-}
-
-static void
-print_open(cfg_printer_t *pctx) {
- cfg_print_chars(pctx, "{\n", 2);
- pctx->indent++;
-}
-
-static void
-print_indent(cfg_printer_t *pctx) {
- int indent = pctx->indent;
- while (indent > 0) {
- cfg_print_chars(pctx, "\t", 1);
- indent--;
- }
-}
-
-static void
-print_close(cfg_printer_t *pctx) {
- pctx->indent--;
- print_indent(pctx);
- cfg_print_chars(pctx, "}", 1);
-}
-
-isc_result_t
-cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- INSIST(ret != NULL && *ret == NULL);
- result = type->parse(pctx, type, ret);
- if (result != ISC_R_SUCCESS)
- return (result);
- INSIST(*ret != NULL);
- return (ISC_R_SUCCESS);
-}
-
-void
-cfg_print(cfg_obj_t *obj,
- void (*f)(void *closure, const char *text, int textlen),
- void *closure)
-{
- cfg_printer_t pctx;
- pctx.f = f;
- pctx.closure = closure;
- pctx.indent = 0;
- obj->type->print(&pctx, obj);
-}
-
-
-/* Tuples. */
-
-isc_result_t
-cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- const cfg_tuplefielddef_t *fields = type->of;
- const cfg_tuplefielddef_t *f;
- cfg_obj_t *obj = NULL;
- unsigned int nfields = 0;
- int i;
-
- for (f = fields; f->name != NULL; f++)
- nfields++;
-
- CHECK(cfg_create_obj(pctx, type, &obj));
- obj->value.tuple = isc_mem_get(pctx->mctx,
- nfields * sizeof(cfg_obj_t *));
- if (obj->value.tuple == NULL) {
- result = ISC_R_NOMEMORY;
- goto cleanup;
- }
- for (f = fields, i = 0; f->name != NULL; f++, i++)
- obj->value.tuple[i] = NULL;
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (obj != NULL)
- isc_mem_put(pctx->mctx, obj, sizeof(*obj));
- return (result);
-}
-
-isc_result_t
-cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
- isc_result_t result;
- const cfg_tuplefielddef_t *fields = type->of;
- const cfg_tuplefielddef_t *f;
- cfg_obj_t *obj = NULL;
- unsigned int i;
-
- CHECK(cfg_create_tuple(pctx, type, &obj));
- for (f = fields, i = 0; f->name != NULL; f++, i++)
- CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[i]));
-
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-void
-cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj) {
- unsigned int i;
- const cfg_tuplefielddef_t *fields = obj->type->of;
- const cfg_tuplefielddef_t *f;
- isc_boolean_t need_space = ISC_FALSE;
-
- for (f = fields, i = 0; f->name != NULL; f++, i++) {
- cfg_obj_t *fieldobj = obj->value.tuple[i];
- if (need_space)
- cfg_print_chars(pctx, " ", 1);
- cfg_print_obj(pctx, fieldobj);
- need_space = ISC_TF(fieldobj->type->print != cfg_print_void);
- }
-}
-
-void
-cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
- const cfg_tuplefielddef_t *fields = type->of;
- const cfg_tuplefielddef_t *f;
- isc_boolean_t need_space = ISC_FALSE;
-
- for (f = fields; f->name != NULL; f++) {
- if (need_space)
- cfg_print_chars(pctx, " ", 1);
- cfg_doc_obj(pctx, f->type);
- need_space = ISC_TF(f->type->print != cfg_print_void);
- }
-}
-
-static void
-free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
- unsigned int i;
- const cfg_tuplefielddef_t *fields = obj->type->of;
- const cfg_tuplefielddef_t *f;
- unsigned int nfields = 0;
-
- if (obj->value.tuple == NULL)
- return;
-
- for (f = fields, i = 0; f->name != NULL; f++, i++) {
- CLEANUP_OBJ(obj->value.tuple[i]);
- nfields++;
- }
- isc_mem_put(pctx->mctx, obj->value.tuple,
- nfields * sizeof(cfg_obj_t *));
-}
-
-isc_boolean_t
-cfg_obj_istuple(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_tuple));
-}
-
-cfg_obj_t *
-cfg_tuple_get(cfg_obj_t *tupleobj, const char* name) {
- unsigned int i;
- const cfg_tuplefielddef_t *fields;
- const cfg_tuplefielddef_t *f;
-
- REQUIRE(tupleobj != NULL && tupleobj->type->rep == &cfg_rep_tuple);
-
- fields = tupleobj->type->of;
- for (f = fields, i = 0; f->name != NULL; f++, i++) {
- if (strcmp(f->name, name) == 0)
- return (tupleobj->value.tuple[i]);
- }
- INSIST(0);
- return (NULL);
-}
-
-isc_result_t
-cfg_parse_special(cfg_parser_t *pctx, int special) {
- isc_result_t result;
- CHECK(cfg_gettoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special &&
- pctx->token.value.as_char == special)
- return (ISC_R_SUCCESS);
-
- cfg_parser_error(pctx, CFG_LOG_NEAR, "'%c' expected", special);
- return (ISC_R_UNEXPECTEDTOKEN);
- cleanup:
- return (result);
-}
-
-/*
- * Parse a required semicolon. If it is not there, log
- * an error and increment the error count but continue
- * parsing. Since the next token is pushed back,
- * care must be taken to make sure it is eventually
- * consumed or an infinite loop may result.
- */
-static isc_result_t
-parse_semicolon(cfg_parser_t *pctx) {
- isc_result_t result;
- CHECK(cfg_gettoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special &&
- pctx->token.value.as_char == ';')
- return (ISC_R_SUCCESS);
-
- cfg_parser_error(pctx, CFG_LOG_BEFORE, "missing ';'");
- cfg_ungettoken(pctx);
- cleanup:
- return (result);
-}
-
-/*
- * Parse EOF, logging and returning an error if not there.
- */
-static isc_result_t
-parse_eof(cfg_parser_t *pctx) {
- isc_result_t result;
- CHECK(cfg_gettoken(pctx, 0));
-
- if (pctx->token.type == isc_tokentype_eof)
- return (ISC_R_SUCCESS);
-
- cfg_parser_error(pctx, CFG_LOG_NEAR, "syntax error");
- return (ISC_R_UNEXPECTEDTOKEN);
- cleanup:
- return (result);
-}
-
-/* A list of files, used internally for pctx->files. */
-
-static cfg_type_t cfg_type_filelist = {
- "filelist", NULL, print_list, NULL, &cfg_rep_list,
- &cfg_type_qstring
-};
-
-isc_result_t
-cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
- isc_result_t result;
- cfg_parser_t *pctx;
- isc_lexspecials_t specials;
-
- REQUIRE(mctx != NULL);
- REQUIRE(ret != NULL && *ret == NULL);
-
- pctx = isc_mem_get(mctx, sizeof(*pctx));
- if (pctx == NULL)
- return (ISC_R_NOMEMORY);
-
- pctx->mctx = mctx;
- pctx->lctx = lctx;
- pctx->lexer = NULL;
- pctx->seen_eof = ISC_FALSE;
- pctx->ungotten = ISC_FALSE;
- pctx->errors = 0;
- pctx->warnings = 0;
- pctx->open_files = NULL;
- pctx->closed_files = NULL;
- pctx->line = 0;
- pctx->callback = NULL;
- pctx->callbackarg = NULL;
- pctx->token.type = isc_tokentype_unknown;
-
- memset(specials, 0, sizeof(specials));
- specials['{'] = 1;
- specials['}'] = 1;
- specials[';'] = 1;
- specials['/'] = 1;
- specials['"'] = 1;
- specials['!'] = 1;
-
- CHECK(isc_lex_create(pctx->mctx, 1024, &pctx->lexer));
-
- isc_lex_setspecials(pctx->lexer, specials);
- isc_lex_setcomments(pctx->lexer, (ISC_LEXCOMMENT_C |
- ISC_LEXCOMMENT_CPLUSPLUS |
- ISC_LEXCOMMENT_SHELL));
-
- CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->open_files));
- CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->closed_files));
-
- *ret = pctx;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (pctx->lexer != NULL)
- isc_lex_destroy(&pctx->lexer);
- CLEANUP_OBJ(pctx->open_files);
- CLEANUP_OBJ(pctx->closed_files);
- isc_mem_put(mctx, pctx, sizeof(*pctx));
- return (result);
-}
-
-static isc_result_t
-parser_openfile(cfg_parser_t *pctx, const char *filename) {
- isc_result_t result;
- cfg_listelt_t *elt = NULL;
- cfg_obj_t *stringobj = NULL;
-
- result = isc_lex_openfile(pctx->lexer, filename);
- if (result != ISC_R_SUCCESS) {
- cfg_parser_error(pctx, 0, "open: %s: %s",
- filename, isc_result_totext(result));
- goto cleanup;
- }
-
- CHECK(create_string(pctx, filename, &cfg_type_qstring, &stringobj));
- CHECK(create_listelt(pctx, &elt));
- elt->obj = stringobj;
- ISC_LIST_APPEND(pctx->open_files->value.list, elt, link);
-
- return (ISC_R_SUCCESS);
- cleanup:
- CLEANUP_OBJ(stringobj);
- return (result);
-}
-
-void
-cfg_parser_setcallback(cfg_parser_t *pctx,
- cfg_parsecallback_t callback,
- void *arg)
-{
- pctx->callback = callback;
- pctx->callbackarg = arg;
-}
-
-/*
- * Parse a configuration using a pctx where a lexer has already
- * been set up with a source.
- */
-static isc_result_t
-parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
-
- result = cfg_parse_obj(pctx, type, &obj);
-
- if (pctx->errors != 0) {
- /* Errors have been logged. */
- if (result == ISC_R_SUCCESS)
- result = ISC_R_FAILURE;
- goto cleanup;
- }
-
- if (result != ISC_R_SUCCESS) {
- /* Parsing failed but no errors have been logged. */
- cfg_parser_error(pctx, 0, "parsing failed");
- goto cleanup;
- }
-
- CHECK(parse_eof(pctx));
-
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-isc_result_t
-cfg_parse_file(cfg_parser_t *pctx, const char *filename,
- const cfg_type_t *type, cfg_obj_t **ret)
-{
- isc_result_t result;
-
- REQUIRE(filename != NULL);
-
- CHECK(parser_openfile(pctx, filename));
- CHECK(parse2(pctx, type, ret));
- cleanup:
- return (result);
-}
-
-
-isc_result_t
-cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
- const cfg_type_t *type, cfg_obj_t **ret)
-{
- isc_result_t result;
- REQUIRE(buffer != NULL);
- CHECK(isc_lex_openbuffer(pctx->lexer, buffer));
- CHECK(parse2(pctx, type, ret));
- cleanup:
- return (result);
-}
-
-void
-cfg_parser_destroy(cfg_parser_t **pctxp) {
- cfg_parser_t *pctx = *pctxp;
- isc_lex_destroy(&pctx->lexer);
- /*
- * Cleaning up open_files does not
- * close the files; that was already done
- * by closing the lexer.
- */
- CLEANUP_OBJ(pctx->open_files);
- CLEANUP_OBJ(pctx->closed_files);
- isc_mem_put(pctx->mctx, pctx, sizeof(*pctx));
- *pctxp = NULL;
-}
-
-/*
- * void
- */
-isc_result_t
-cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- UNUSED(type);
- return (cfg_create_obj(pctx, &cfg_type_void, ret));
-}
-
-void
-cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj) {
- UNUSED(pctx);
- UNUSED(obj);
-}
-
-void
-cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
- UNUSED(pctx);
- UNUSED(type);
-}
-
-isc_boolean_t
-cfg_obj_isvoid(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_void));
-}
-
-cfg_type_t cfg_type_void = {
- "void", cfg_parse_void, cfg_print_void, cfg_doc_void, &cfg_rep_void,
- NULL };
-
-
-/*
- * uint32
- */
-isc_result_t
-cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- UNUSED(type);
-
- CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
- if (pctx->token.type != isc_tokentype_number) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected number");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
-
- CHECK(cfg_create_obj(pctx, &cfg_type_uint32, &obj));
-
- obj->value.uint32 = pctx->token.value.as_ulong;
- *ret = obj;
- cleanup:
- return (result);
-}
-
-void
-cfg_print_cstr(cfg_printer_t *pctx, const char *s) {
- cfg_print_chars(pctx, s, strlen(s));
-}
-
-void
-cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
- char buf[32];
- snprintf(buf, sizeof(buf), "%u", u);
- cfg_print_cstr(pctx, buf);
-}
-
-void
-cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_print_rawuint(pctx, obj->value.uint32);
-}
-
-isc_boolean_t
-cfg_obj_isuint32(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_uint32));
-}
-
-isc_uint32_t
-cfg_obj_asuint32(cfg_obj_t *obj) {
- REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
- return (obj->value.uint32);
-}
-
-cfg_type_t cfg_type_uint32 = {
- "integer", cfg_parse_uint32, cfg_print_uint32, cfg_doc_terminal,
- &cfg_rep_uint32, NULL
-};
-
-
-/*
- * uint64
- */
-isc_boolean_t
-cfg_obj_isuint64(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_uint64));
-}
-
-isc_uint64_t
-cfg_obj_asuint64(cfg_obj_t *obj) {
- REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
- return (obj->value.uint64);
-}
-
-void
-cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj) {
- char buf[32];
- snprintf(buf, sizeof(buf), "%" ISC_PRINT_QUADFORMAT "u",
- obj->value.uint64);
- cfg_print_cstr(pctx, buf);
-}
-
-cfg_type_t cfg_type_uint64 = {
- "64_bit_integer", NULL, cfg_print_uint64, cfg_doc_terminal,
- &cfg_rep_uint64, NULL
-};
-
-/*
- * qstring (quoted string), ustring (unquoted string), astring
- * (any string)
- */
-
-/* Create a string object from a null-terminated C string. */
-static isc_result_t
-create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- int len;
-
- CHECK(cfg_create_obj(pctx, type, &obj));
- len = strlen(contents);
- obj->value.string.length = len;
- obj->value.string.base = isc_mem_get(pctx->mctx, len + 1);
- if (obj->value.string.base == 0) {
- isc_mem_put(pctx->mctx, obj, sizeof(*obj));
- return (ISC_R_NOMEMORY);
- }
- memcpy(obj->value.string.base, contents, len);
- obj->value.string.base[len] = '\0';
-
- *ret = obj;
- cleanup:
- return (result);
-}
-
-isc_result_t
-cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- UNUSED(type);
-
- CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
- if (pctx->token.type != isc_tokentype_qstring) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected quoted string");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- return (create_string(pctx,
- TOKEN_STRING(pctx),
- &cfg_type_qstring,
- ret));
- cleanup:
- return (result);
-}
-
-static isc_result_t
-parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- UNUSED(type);
-
- CHECK(cfg_gettoken(pctx, 0));
- if (pctx->token.type != isc_tokentype_string) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected unquoted string");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- return (create_string(pctx,
- TOKEN_STRING(pctx),
- &cfg_type_ustring,
- ret));
- cleanup:
- return (result);
-}
-
-isc_result_t
-cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- UNUSED(type);
-
- CHECK(cfg_getstringtoken(pctx));
- return (create_string(pctx,
- TOKEN_STRING(pctx),
- &cfg_type_qstring,
- ret));
- cleanup:
- return (result);
-}
-
-isc_boolean_t
-cfg_is_enum(const char *s, const char *const *enums) {
- const char * const *p;
- for (p = enums; *p != NULL; p++) {
- if (strcasecmp(*p, s) == 0)
- return (ISC_TRUE);
- }
- return (ISC_FALSE);
-}
-
-static isc_result_t
-check_enum(cfg_parser_t *pctx, cfg_obj_t *obj, const char *const *enums) {
- const char *s = obj->value.string.base;
- if (cfg_is_enum(s, enums))
- return (ISC_R_SUCCESS);
- cfg_parser_error(pctx, 0, "'%s' unexpected", s);
- return (ISC_R_UNEXPECTEDTOKEN);
-}
-
-isc_result_t
-cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- CHECK(parse_ustring(pctx, NULL, &obj));
- CHECK(check_enum(pctx, obj, type->of));
- *ret = obj;
- return (ISC_R_SUCCESS);
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-void
-cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
- const char * const *p;
- cfg_print_chars(pctx, "( ", 2);
- for (p = type->of; *p != NULL; p++) {
- cfg_print_cstr(pctx, *p);
- if (p[1] != NULL)
- cfg_print_chars(pctx, " | ", 3);
- }
- cfg_print_chars(pctx, " )", 2);
-}
-
-void
-cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
-}
-
-static void
-print_qstring(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_print_chars(pctx, "\"", 1);
- cfg_print_ustring(pctx, obj);
- cfg_print_chars(pctx, "\"", 1);
-}
-
-static void
-free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
- isc_mem_put(pctx->mctx, obj->value.string.base,
- obj->value.string.length + 1);
-}
-
-isc_boolean_t
-cfg_obj_isstring(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_string));
-}
-
-char *
-cfg_obj_asstring(cfg_obj_t *obj) {
- REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
- return (obj->value.string.base);
-}
-
-/* Quoted string only */
-cfg_type_t cfg_type_qstring = {
- "quoted_string", cfg_parse_qstring, print_qstring, cfg_doc_terminal,
- &cfg_rep_string, NULL
-};
-
-/* Unquoted string only */
-cfg_type_t cfg_type_ustring = {
- "string", parse_ustring, cfg_print_ustring, cfg_doc_terminal,
- &cfg_rep_string, NULL
-};
-
-/* Any string (quoted or unquoted); printed with quotes */
-cfg_type_t cfg_type_astring = {
- "string", cfg_parse_astring, print_qstring, cfg_doc_terminal,
- &cfg_rep_string, NULL
-};
-
-/*
- * Booleans
- */
-
-isc_boolean_t
-cfg_obj_isboolean(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_boolean));
-}
-
-isc_boolean_t
-cfg_obj_asboolean(cfg_obj_t *obj) {
- REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
- return (obj->value.boolean);
-}
-
-static isc_result_t
-parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
- isc_result_t result;
- isc_boolean_t value;
- cfg_obj_t *obj = NULL;
- UNUSED(type);
-
- result = cfg_gettoken(pctx, 0);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (pctx->token.type != isc_tokentype_string)
- goto bad_boolean;
-
- if ((strcasecmp(TOKEN_STRING(pctx), "true") == 0) ||
- (strcasecmp(TOKEN_STRING(pctx), "yes") == 0) ||
- (strcmp(TOKEN_STRING(pctx), "1") == 0)) {
- value = ISC_TRUE;
- } else if ((strcasecmp(TOKEN_STRING(pctx), "false") == 0) ||
- (strcasecmp(TOKEN_STRING(pctx), "no") == 0) ||
- (strcmp(TOKEN_STRING(pctx), "0") == 0)) {
- value = ISC_FALSE;
- } else {
- goto bad_boolean;
- }
-
- CHECK(cfg_create_obj(pctx, &cfg_type_boolean, &obj));
- obj->value.boolean = value;
- *ret = obj;
- return (result);
-
- bad_boolean:
- cfg_parser_error(pctx, CFG_LOG_NEAR, "boolean expected");
- return (ISC_R_UNEXPECTEDTOKEN);
-
- cleanup:
- return (result);
-}
-
-static void
-print_boolean(cfg_printer_t *pctx, cfg_obj_t *obj) {
- if (obj->value.boolean)
- cfg_print_chars(pctx, "yes", 3);
- else
- cfg_print_chars(pctx, "no", 2);
-}
-
-cfg_type_t cfg_type_boolean = {
- "boolean", parse_boolean, print_boolean, cfg_doc_terminal,
- &cfg_rep_boolean, NULL
-};
-
-/*
- * Lists.
- */
-
-isc_result_t
-cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **obj) {
- isc_result_t result;
- CHECK(cfg_create_obj(pctx, type, obj));
- ISC_LIST_INIT((*obj)->value.list);
- cleanup:
- return (result);
-}
-
-static isc_result_t
-create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp) {
- cfg_listelt_t *elt;
- elt = isc_mem_get(pctx->mctx, sizeof(*elt));
- if (elt == NULL)
- return (ISC_R_NOMEMORY);
- elt->obj = NULL;
- ISC_LINK_INIT(elt, link);
- *eltp = elt;
- return (ISC_R_SUCCESS);
-}
-
-static void
-free_list_elt(cfg_parser_t *pctx, cfg_listelt_t *elt) {
- cfg_obj_destroy(pctx, &elt->obj);
- isc_mem_put(pctx->mctx, elt, sizeof(*elt));
-}
-
-static void
-free_list(cfg_parser_t *pctx, cfg_obj_t *obj) {
- cfg_listelt_t *elt, *next;
- for (elt = ISC_LIST_HEAD(obj->value.list);
- elt != NULL;
- elt = next)
- {
- next = ISC_LIST_NEXT(elt, link);
- free_list_elt(pctx, elt);
- }
-}
-
-isc_result_t
-cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
- cfg_listelt_t **ret)
-{
- isc_result_t result;
- cfg_listelt_t *elt = NULL;
- cfg_obj_t *value = NULL;
-
- CHECK(create_listelt(pctx, &elt));
-
- result = cfg_parse_obj(pctx, elttype, &value);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
-
- elt->obj = value;
-
- *ret = elt;
- return (ISC_R_SUCCESS);
-
- cleanup:
- isc_mem_put(pctx->mctx, elt, sizeof(*elt));
- return (result);
-}
-
-/*
- * Parse a homogeneous list whose elements are of type 'elttype'
- * and where each element is terminated by a semicolon.
- */
-static isc_result_t
-parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
-{
- cfg_obj_t *listobj = NULL;
- const cfg_type_t *listof = listtype->of;
- isc_result_t result;
- cfg_listelt_t *elt = NULL;
-
- CHECK(cfg_create_list(pctx, listtype, &listobj));
-
- for (;;) {
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special &&
- pctx->token.value.as_char == /*{*/ '}')
- break;
- CHECK(cfg_parse_listelt(pctx, listof, &elt));
- CHECK(parse_semicolon(pctx));
- ISC_LIST_APPEND(listobj->value.list, elt, link);
- elt = NULL;
- }
- *ret = listobj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (elt != NULL)
- free_list_elt(pctx, elt);
- CLEANUP_OBJ(listobj);
- return (result);
-}
-
-static void
-print_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_list_t *list = &obj->value.list;
- cfg_listelt_t *elt;
-
- for (elt = ISC_LIST_HEAD(*list);
- elt != NULL;
- elt = ISC_LIST_NEXT(elt, link)) {
- print_indent(pctx);
- cfg_print_obj(pctx, elt->obj);
- cfg_print_chars(pctx, ";\n", 2);
- }
-}
-
-isc_result_t
-cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- isc_result_t result;
- CHECK(cfg_parse_special(pctx, '{'));
- CHECK(parse_list(pctx, type, ret));
- CHECK(cfg_parse_special(pctx, '}'));
- cleanup:
- return (result);
-}
-
-void
-cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
- print_open(pctx);
- print_list(pctx, obj);
- print_close(pctx);
-}
-
-void
-cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
- cfg_print_chars(pctx, "{ ", 2);
- cfg_doc_obj(pctx, type->of);
- cfg_print_chars(pctx, "; ... }", 7);
-}
-
-/*
- * Parse a homogeneous list whose elements are of type 'elttype'
- * and where elements are separated by space. The list ends
- * before the first semicolon.
- */
-isc_result_t
-cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
- cfg_obj_t **ret)
-{
- cfg_obj_t *listobj = NULL;
- const cfg_type_t *listof = listtype->of;
- isc_result_t result;
-
- CHECK(cfg_create_list(pctx, listtype, &listobj));
-
- for (;;) {
- cfg_listelt_t *elt = NULL;
-
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special &&
- pctx->token.value.as_char == ';')
- break;
- CHECK(cfg_parse_listelt(pctx, listof, &elt));
- ISC_LIST_APPEND(listobj->value.list, elt, link);
- }
- *ret = listobj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(listobj);
- return (result);
-}
-
-void
-cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_list_t *list = &obj->value.list;
- cfg_listelt_t *elt;
-
- for (elt = ISC_LIST_HEAD(*list);
- elt != NULL;
- elt = ISC_LIST_NEXT(elt, link)) {
- cfg_print_obj(pctx, elt->obj);
- if (ISC_LIST_NEXT(elt, link) != NULL)
- cfg_print_chars(pctx, " ", 1);
- }
-}
-
-
-isc_boolean_t
-cfg_obj_islist(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_list));
-}
-
-cfg_listelt_t *
-cfg_list_first(cfg_obj_t *obj) {
- REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
- if (obj == NULL)
- return (NULL);
- return (ISC_LIST_HEAD(obj->value.list));
-}
-
-cfg_listelt_t *
-cfg_list_next(cfg_listelt_t *elt) {
- REQUIRE(elt != NULL);
- return (ISC_LIST_NEXT(elt, link));
-}
-
-cfg_obj_t *
-cfg_listelt_value(cfg_listelt_t *elt) {
- REQUIRE(elt != NULL);
- return (elt->obj);
-}
-
-/*
- * Maps.
- */
-
-/*
- * Parse a map body. That's something like
- *
- * "foo 1; bar { glub; }; zap true; zap false;"
- *
- * i.e., a sequence of option names followed by values and
- * terminated by semicolons. Used for the top level of
- * the named.conf syntax, as well as for the body of the
- * options, view, zone, and other statements.
- */
-isc_result_t
-cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
-{
- const cfg_clausedef_t * const *clausesets = type->of;
- isc_result_t result;
- const cfg_clausedef_t * const *clauseset;
- const cfg_clausedef_t *clause;
- cfg_obj_t *value = NULL;
- cfg_obj_t *obj = NULL;
- cfg_obj_t *eltobj = NULL;
- cfg_obj_t *includename = NULL;
- isc_symvalue_t symval;
- cfg_list_t *list = NULL;
-
- CHECK(create_map(pctx, type, &obj));
-
- obj->value.map.clausesets = clausesets;
-
- for (;;) {
- cfg_listelt_t *elt;
-
- redo:
- /*
- * Parse the option name and see if it is known.
- */
- CHECK(cfg_gettoken(pctx, 0));
-
- if (pctx->token.type != isc_tokentype_string) {
- cfg_ungettoken(pctx);
- break;
- }
-
- /*
- * We accept "include" statements wherever a map body
- * clause can occur.
- */
- if (strcasecmp(TOKEN_STRING(pctx), "include") == 0) {
- /*
- * Turn the file name into a temporary configuration
- * object just so that it is not overwritten by the
- * semicolon token.
- */
- CHECK(cfg_parse_obj(pctx, &cfg_type_qstring, &includename));
- CHECK(parse_semicolon(pctx));
- CHECK(parser_openfile(pctx, includename->
- value.string.base));
- cfg_obj_destroy(pctx, &includename);
- goto redo;
- }
-
- clause = NULL;
- for (clauseset = clausesets; *clauseset != NULL; clauseset++) {
- for (clause = *clauseset;
- clause->name != NULL;
- clause++) {
- if (strcasecmp(TOKEN_STRING(pctx),
- clause->name) == 0)
- goto done;
- }
- }
- done:
- if (clause == NULL || clause->name == NULL) {
- cfg_parser_error(pctx, CFG_LOG_NOPREP, "unknown option");
- /*
- * Try to recover by parsing this option as an unknown
- * option and discarding it.
- */
- CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported, &eltobj));
- cfg_obj_destroy(pctx, &eltobj);
- CHECK(parse_semicolon(pctx));
- continue;
- }
-
- /* Clause is known. */
-
- /* Issue warnings if appropriate */
- if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0)
- cfg_parser_warning(pctx, 0, "option '%s' is obsolete",
- clause->name);
- if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0)
- cfg_parser_warning(pctx, 0, "option '%s' is "
- "not implemented", clause->name);
- if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0)
- cfg_parser_warning(pctx, 0, "option '%s' is "
- "not implemented", clause->name);
- /*
- * Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
- * set here - we need to log the *lack* of such an option,
- * not its presence.
- */
-
- /* See if the clause already has a value; if not create one. */
- result = isc_symtab_lookup(obj->value.map.symtab,
- clause->name, 0, &symval);
-
- if ((clause->flags & CFG_CLAUSEFLAG_MULTI) != 0) {
- /* Multivalued clause */
- cfg_obj_t *listobj = NULL;
- if (result == ISC_R_NOTFOUND) {
- CHECK(cfg_create_list(pctx,
- &cfg_type_implicitlist,
- &listobj));
- symval.as_pointer = listobj;
- result = isc_symtab_define(obj->value.
- map.symtab,
- clause->name,
- 1, symval,
- isc_symexists_reject);
- if (result != ISC_R_SUCCESS) {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "isc_symtab_define(%s) "
- "failed", clause->name);
- isc_mem_put(pctx->mctx, list,
- sizeof(cfg_list_t));
- goto cleanup;
- }
- } else {
- INSIST(result == ISC_R_SUCCESS);
- listobj = symval.as_pointer;
- }
-
- elt = NULL;
- CHECK(cfg_parse_listelt(pctx, clause->type, &elt));
- CHECK(parse_semicolon(pctx));
-
- ISC_LIST_APPEND(listobj->value.list, elt, link);
- } else {
- /* Single-valued clause */
- if (result == ISC_R_NOTFOUND) {
- isc_boolean_t callback =
- ISC_TF((clause->flags &
- CFG_CLAUSEFLAG_CALLBACK) != 0);
- CHECK(parse_symtab_elt(pctx, clause->name,
- clause->type,
- obj->value.map.symtab,
- callback));
- CHECK(parse_semicolon(pctx));
- } else if (result == ISC_R_SUCCESS) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "'%s' redefined",
- clause->name);
- result = ISC_R_EXISTS;
- goto cleanup;
- } else {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "isc_symtab_define() failed");
- goto cleanup;
- }
- }
- }
-
-
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(value);
- CLEANUP_OBJ(obj);
- CLEANUP_OBJ(eltobj);
- CLEANUP_OBJ(includename);
- return (result);
-}
-
-static isc_result_t
-parse_symtab_elt(cfg_parser_t *pctx, const char *name,
- cfg_type_t *elttype, isc_symtab_t *symtab,
- isc_boolean_t callback)
-{
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- isc_symvalue_t symval;
-
- CHECK(cfg_parse_obj(pctx, elttype, &obj));
-
- if (callback && pctx->callback != NULL)
- CHECK(pctx->callback(name, obj, pctx->callbackarg));
-
- symval.as_pointer = obj;
- CHECK(isc_symtab_define(symtab, name,
- 1, symval,
- isc_symexists_reject));
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-/*
- * Parse a map; e.g., "{ foo 1; bar { glub; }; zap true; zap false; }"
- */
-isc_result_t
-cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- CHECK(cfg_parse_special(pctx, '{'));
- CHECK(cfg_parse_mapbody(pctx, type, ret));
- CHECK(cfg_parse_special(pctx, '}'));
- cleanup:
- return (result);
-}
-
-/*
- * Subroutine for cfg_parse_named_map() and cfg_parse_addressed_map().
- */
-static isc_result_t
-parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- isc_result_t result;
- cfg_obj_t *idobj = NULL;
- cfg_obj_t *mapobj = NULL;
-
- CHECK(cfg_parse_obj(pctx, nametype, &idobj));
- CHECK(cfg_parse_map(pctx, type, &mapobj));
- mapobj->value.map.id = idobj;
- idobj = NULL;
- *ret = mapobj;
- cleanup:
- CLEANUP_OBJ(idobj);
- return (result);
-}
-
-/*
- * Parse a map identified by a string name. E.g., "name { foo 1; }".
- * Used for the "key" and "channel" statements.
- */
-isc_result_t
-cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_any_named_map(pctx, &cfg_type_astring, type, ret));
-}
-
-/*
- * Parse a map identified by a network address.
- * Used for the "server" statement.
- */
-isc_result_t
-cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- return (parse_any_named_map(pctx, &cfg_type_netaddr, type, ret));
-}
-
-void
-cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj) {
- isc_result_t result = ISC_R_SUCCESS;
-
- const cfg_clausedef_t * const *clauseset;
-
- for (clauseset = obj->value.map.clausesets;
- *clauseset != NULL;
- clauseset++)
- {
- isc_symvalue_t symval;
- const cfg_clausedef_t *clause;
-
- for (clause = *clauseset;
- clause->name != NULL;
- clause++) {
- result = isc_symtab_lookup(obj->value.map.symtab,
- clause->name, 0, &symval);
- if (result == ISC_R_SUCCESS) {
- cfg_obj_t *obj = symval.as_pointer;
- if (obj->type == &cfg_type_implicitlist) {
- /* Multivalued. */
- cfg_list_t *list = &obj->value.list;
- cfg_listelt_t *elt;
- for (elt = ISC_LIST_HEAD(*list);
- elt != NULL;
- elt = ISC_LIST_NEXT(elt, link)) {
- print_indent(pctx);
- cfg_print_cstr(pctx, clause->name);
- cfg_print_chars(pctx, " ", 1);
- cfg_print_obj(pctx, elt->obj);
- cfg_print_chars(pctx, ";\n", 2);
- }
- } else {
- /* Single-valued. */
- print_indent(pctx);
- cfg_print_cstr(pctx, clause->name);
- cfg_print_chars(pctx, " ", 1);
- cfg_print_obj(pctx, obj);
- cfg_print_chars(pctx, ";\n", 2);
- }
- } else if (result == ISC_R_NOTFOUND) {
- ; /* do nothing */
- } else {
- INSIST(0);
- }
- }
- }
-}
-
-void
-cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
- const cfg_clausedef_t * const *clauseset;
- const cfg_clausedef_t *clause;
-
- for (clauseset = type->of; *clauseset != NULL; clauseset++) {
- for (clause = *clauseset;
- clause->name != NULL;
- clause++) {
- cfg_print_cstr(pctx, clause->name);
- cfg_print_chars(pctx, " ", 1);
- cfg_doc_obj(pctx, clause->type);
- cfg_print_chars(pctx, ";", 1);
- /* XXX print flags here? */
- cfg_print_chars(pctx, "\n\n", 2);
- }
- }
-}
-
-static struct flagtext {
- unsigned int flag;
- const char *text;
-} flagtexts[] = {
- { CFG_CLAUSEFLAG_NOTIMP, "not implemented" },
- { CFG_CLAUSEFLAG_NYI, "not yet implemented" },
- { CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
- { CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
- { 0, NULL }
-};
-
-void
-cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj) {
- if (obj->value.map.id != NULL) {
- cfg_print_obj(pctx, obj->value.map.id);
- cfg_print_chars(pctx, " ", 1);
- }
- print_open(pctx);
- cfg_print_mapbody(pctx, obj);
- print_close(pctx);
-}
-
-static void
-print_clause_flags(cfg_printer_t *pctx, unsigned int flags) {
- struct flagtext *p;
- isc_boolean_t first = ISC_TRUE;
- for (p = flagtexts; p->flag != 0; p++) {
- if ((flags & p->flag) != 0) {
- if (first)
- cfg_print_chars(pctx, " // ", 4);
- else
- cfg_print_chars(pctx, ", ", 2);
- cfg_print_cstr(pctx, p->text);
- first = ISC_FALSE;
- }
- }
-}
-
-void
-cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
- const cfg_clausedef_t * const *clauseset;
- const cfg_clausedef_t *clause;
-
- if (type->parse == cfg_parse_named_map) {
- cfg_doc_obj(pctx, &cfg_type_astring);
- cfg_print_chars(pctx, " ", 1);
- } else if (type->parse == cfg_parse_addressed_map) {
- cfg_doc_obj(pctx, &cfg_type_netaddr);
- cfg_print_chars(pctx, " ", 1);
- }
-
- print_open(pctx);
-
- for (clauseset = type->of; *clauseset != NULL; clauseset++) {
- for (clause = *clauseset;
- clause->name != NULL;
- clause++) {
- print_indent(pctx);
- cfg_print_cstr(pctx, clause->name);
- if (clause->type->print != cfg_print_void)
- cfg_print_chars(pctx, " ", 1);
- cfg_doc_obj(pctx, clause->type);
- cfg_print_chars(pctx, ";", 1);
- print_clause_flags(pctx, clause->flags);
- cfg_print_chars(pctx, "\n", 1);
- }
- }
- print_close(pctx);
-}
-
-isc_boolean_t
-cfg_obj_ismap(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_map));
-}
-
-isc_result_t
-cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
- isc_result_t result;
- isc_symvalue_t val;
- cfg_map_t *map;
-
- REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
- REQUIRE(name != NULL);
- REQUIRE(obj != NULL && *obj == NULL);
-
- map = &mapobj->value.map;
-
- result = isc_symtab_lookup(map->symtab, name, MAP_SYM, &val);
- if (result != ISC_R_SUCCESS)
- return (result);
- *obj = val.as_pointer;
- return (ISC_R_SUCCESS);
-}
-
-cfg_obj_t *
-cfg_map_getname(cfg_obj_t *mapobj) {
- REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
- return (mapobj->value.map.id);
-}
-
-
-/* Parse an arbitrary token, storing its raw text representation. */
-static isc_result_t
-parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- cfg_obj_t *obj = NULL;
- isc_result_t result;
- isc_region_t r;
-
- UNUSED(type);
-
- CHECK(cfg_create_obj(pctx, &cfg_type_token, &obj));
- CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
- if (pctx->token.type == isc_tokentype_eof) {
- cfg_ungettoken(pctx);
- result = ISC_R_EOF;
- goto cleanup;
- }
-
- isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
-
- obj->value.string.base = isc_mem_get(pctx->mctx, r.length + 1);
- obj->value.string.length = r.length;
- memcpy(obj->value.string.base, r.base, r.length);
- obj->value.string.base[r.length] = '\0';
- *ret = obj;
-
- cleanup:
- return (result);
-}
-
-cfg_type_t cfg_type_token = {
- "token", parse_token, cfg_print_ustring, cfg_doc_terminal,
- &cfg_rep_string, NULL
-};
-
-/*
- * An unsupported option. This is just a list of tokens with balanced braces
- * ending in a semicolon.
- */
-
-static isc_result_t
-parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- cfg_obj_t *listobj = NULL;
- isc_result_t result;
- int braces = 0;
-
- CHECK(cfg_create_list(pctx, type, &listobj));
-
- for (;;) {
- cfg_listelt_t *elt = NULL;
-
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special) {
- if (pctx->token.value.as_char == '{')
- braces++;
- else if (pctx->token.value.as_char == '}')
- braces--;
- else if (pctx->token.value.as_char == ';')
- if (braces == 0)
- break;
- }
- if (pctx->token.type == isc_tokentype_eof || braces < 0) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "unexpected token");
- result = ISC_R_UNEXPECTEDTOKEN;
- goto cleanup;
- }
-
- CHECK(cfg_parse_listelt(pctx, &cfg_type_token, &elt));
- ISC_LIST_APPEND(listobj->value.list, elt, link);
- }
- INSIST(braces == 0);
- *ret = listobj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(listobj);
- return (result);
-}
-
-cfg_type_t cfg_type_unsupported = {
- "unsupported", parse_unsupported, cfg_print_spacelist, cfg_doc_terminal,
- &cfg_rep_list, NULL
-};
-
-/*
- * Try interpreting the current token as a network address.
- *
- * If CFG_ADDR_WILDOK is set in flags, "*" can be used as a wildcard
- * and at least one of CFG_ADDR_V4OK and CFG_ADDR_V6OK must also be set. The
- * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is
- * set (including the case where CFG_ADDR_V4OK and CFG_ADDR_V6OK are both set),
- * and the IPv6 wildcard address otherwise.
- */
-static isc_result_t
-token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
- char *s;
- struct in_addr in4a;
- struct in6_addr in6a;
-
- if (pctx->token.type != isc_tokentype_string)
- return (ISC_R_UNEXPECTEDTOKEN);
-
- s = TOKEN_STRING(pctx);
- if ((flags & CFG_ADDR_WILDOK) != 0 && strcmp(s, "*") == 0) {
- if ((flags & CFG_ADDR_V4OK) != 0) {
- isc_netaddr_any(na);
- return (ISC_R_SUCCESS);
- } else if ((flags & CFG_ADDR_V6OK) != 0) {
- isc_netaddr_any6(na);
- return (ISC_R_SUCCESS);
- } else {
- INSIST(0);
- }
- } else {
- if ((flags & (CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK)) != 0) {
- if (inet_pton(AF_INET, s, &in4a) == 1) {
- isc_netaddr_fromin(na, &in4a);
- return (ISC_R_SUCCESS);
- }
- }
- if ((flags & CFG_ADDR_V4PREFIXOK) != 0 &&
- strlen(s) <= 15U) {
- char buf[64];
- int i;
-
- strcpy(buf, s);
- for (i = 0; i < 3; i++) {
- strcat(buf, ".0");
- if (inet_pton(AF_INET, buf, &in4a) == 1) {
- isc_netaddr_fromin(na, &in4a);
- return (ISC_R_SUCCESS);
- }
- }
- }
- if ((flags & CFG_ADDR_V6OK) != 0 &&
- strlen(s) <= 127U) {
- char buf[128]; /* see lib/bind9/getaddresses.c */
- char *d; /* zone delimiter */
- isc_uint32_t zone = 0; /* scope zone ID */
-
- strcpy(buf, s);
- d = strchr(buf, '%');
- if (d != NULL)
- *d = '\0';
-
- if (inet_pton(AF_INET6, buf, &in6a) == 1) {
- if (d != NULL) {
-#ifdef ISC_PLATFORM_HAVESCOPEID
- isc_result_t result;
-
- result = isc_netscope_pton(AF_INET6,
- d + 1,
- &in6a,
- &zone);
- if (result != ISC_R_SUCCESS)
- return (result);
-#else
- return (ISC_R_BADADDRESSFORM);
-#endif
- }
-
- isc_netaddr_fromin6(na, &in6a);
- isc_netaddr_setzone(na, zone);
- return (ISC_R_SUCCESS);
- }
- }
- }
- return (ISC_R_UNEXPECTEDTOKEN);
-}
-
-isc_result_t
-cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
- isc_result_t result;
- CHECK(cfg_gettoken(pctx, 0));
- result = token_addr(pctx, flags, na);
- if (result == ISC_R_UNEXPECTEDTOKEN)
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected IP address");
- cleanup:
- return (result);
-}
-
-isc_boolean_t
-cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags) {
- isc_result_t result;
- isc_netaddr_t na_dummy;
- result = token_addr(pctx, flags, &na_dummy);
- return (ISC_TF(result == ISC_R_SUCCESS));
-}
-
-isc_result_t
-cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
- isc_result_t result;
-
- CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
-
- if ((flags & CFG_ADDR_WILDOK) != 0 &&
- pctx->token.type == isc_tokentype_string &&
- strcmp(TOKEN_STRING(pctx), "*") == 0) {
- *port = 0;
- return (ISC_R_SUCCESS);
- }
- if (pctx->token.type != isc_tokentype_number) {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "expected port number or '*'");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- if (pctx->token.value.as_ulong >= 65536U) {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "port number out of range");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- *port = (in_port_t)(pctx->token.value.as_ulong);
- return (ISC_R_SUCCESS);
- cleanup:
- return (result);
-}
-
-void
-cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na) {
- isc_result_t result;
- char text[128];
- isc_buffer_t buf;
-
- isc_buffer_init(&buf, text, sizeof(text));
- result = isc_netaddr_totext(na, &buf);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- cfg_print_chars(pctx, isc_buffer_base(&buf), isc_buffer_usedlength(&buf));
-}
-
-/* netaddr */
-
-static isc_result_t
-parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- cfg_obj_t *obj = NULL;
- isc_netaddr_t netaddr;
- UNUSED(type);
- CHECK(cfg_create_obj(pctx, type, &obj));
- CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK, &netaddr));
- isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
- *ret = obj;
- return (ISC_R_SUCCESS);
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-cfg_type_t cfg_type_netaddr = {
- "netaddr", parse_netaddr, cfg_print_sockaddr, cfg_doc_terminal,
- &cfg_rep_sockaddr, NULL
-};
-
-/* netprefix */
-
-isc_result_t
-cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
- cfg_obj_t **ret)
-{
- cfg_obj_t *obj = NULL;
- isc_result_t result;
- isc_netaddr_t netaddr;
- unsigned int addrlen, prefixlen;
- UNUSED(type);
-
- CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
- CFG_ADDR_V6OK, &netaddr));
- switch (netaddr.family) {
- case AF_INET:
- addrlen = 32;
- break;
- case AF_INET6:
- addrlen = 128;
- break;
- default:
- addrlen = 0;
- INSIST(0);
- break;
- }
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_special &&
- pctx->token.value.as_char == '/') {
- CHECK(cfg_gettoken(pctx, 0)); /* read "/" */
- CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
- if (pctx->token.type != isc_tokentype_number) {
- cfg_parser_error(pctx, CFG_LOG_NEAR,
- "expected prefix length");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- prefixlen = pctx->token.value.as_ulong;
- if (prefixlen > addrlen) {
- cfg_parser_error(pctx, CFG_LOG_NOPREP,
- "invalid prefix length");
- return (ISC_R_RANGE);
- }
- } else {
- prefixlen = addrlen;
- }
- CHECK(cfg_create_obj(pctx, &cfg_type_netprefix, &obj));
- obj->value.netprefix.address = netaddr;
- obj->value.netprefix.prefixlen = prefixlen;
- *ret = obj;
- return (ISC_R_SUCCESS);
- cleanup:
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected network prefix");
- return (result);
-}
-
-static void
-print_netprefix(cfg_printer_t *pctx, cfg_obj_t *obj) {
- cfg_netprefix_t *p = &obj->value.netprefix;
- cfg_print_rawaddr(pctx, &p->address);
- cfg_print_chars(pctx, "/", 1);
- cfg_print_rawuint(pctx, p->prefixlen);
-}
-
-isc_boolean_t
-cfg_obj_isnetprefix(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_netprefix));
-}
-
-void
-cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
- unsigned int *prefixlen) {
- REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
- *netaddr = obj->value.netprefix.address;
- *prefixlen = obj->value.netprefix.prefixlen;
-}
-
-cfg_type_t cfg_type_netprefix = {
- "netprefix", cfg_parse_netprefix, print_netprefix, cfg_doc_terminal,
- &cfg_rep_netprefix, NULL
-};
-
-static isc_result_t
-parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type,
- int flags, cfg_obj_t **ret)
-{
- isc_result_t result;
- isc_netaddr_t netaddr;
- in_port_t port = 0;
- cfg_obj_t *obj = NULL;
-
- CHECK(cfg_create_obj(pctx, type, &obj));
- CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
- CHECK(cfg_peektoken(pctx, 0));
- if (pctx->token.type == isc_tokentype_string &&
- strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
- CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
- CHECK(cfg_parse_rawport(pctx, flags, &port));
- }
- isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- CLEANUP_OBJ(obj);
- return (result);
-}
-
-static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
-cfg_type_t cfg_type_sockaddr = {
- "sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr,
- &cfg_rep_sockaddr, &sockaddr_flags
-};
-
-isc_result_t
-cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- const unsigned int *flagp = type->of;
- return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
-}
-
-void
-cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj) {
- isc_netaddr_t netaddr;
- in_port_t port;
- char buf[ISC_NETADDR_FORMATSIZE];
-
- isc_netaddr_fromsockaddr(&netaddr, &obj->value.sockaddr);
- isc_netaddr_format(&netaddr, buf, sizeof(buf));
- cfg_print_cstr(pctx, buf);
- port = isc_sockaddr_getport(&obj->value.sockaddr);
- if (port != 0) {
- cfg_print_chars(pctx, " port ", 6);
- cfg_print_rawuint(pctx, port);
- }
-}
-
-void
-cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
- const unsigned int *flagp = type->of;
- int n = 0;
- cfg_print_chars(pctx, "( ", 2);
- if (*flagp & CFG_ADDR_V4OK) {
- if (n != 0)
- cfg_print_chars(pctx, " | ", 3);
- cfg_print_cstr(pctx, "<ipv4_address>");
- n++;
- }
- if (*flagp & CFG_ADDR_V6OK) {
- if (n != 0)
- cfg_print_chars(pctx, " | ", 3);
- cfg_print_cstr(pctx, "<ipv6_address>");
- n++;
- }
- if (*flagp & CFG_ADDR_WILDOK) {
- if (n != 0)
- cfg_print_chars(pctx, " | ", 3);
- cfg_print_chars(pctx, "*", 1);
- n++;
- }
- cfg_print_chars(pctx, " ) ", 3);
- if (*flagp & CFG_ADDR_WILDOK) {
- cfg_print_cstr(pctx, "[ port ( <integer> | * ) ]");
- } else {
- cfg_print_cstr(pctx, "[ port <integer> ]");
- }
-}
-
-isc_boolean_t
-cfg_obj_issockaddr(cfg_obj_t *obj) {
- REQUIRE(obj != NULL);
- return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
-}
-
-isc_sockaddr_t *
-cfg_obj_assockaddr(cfg_obj_t *obj) {
- REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
- return (&obj->value.sockaddr);
-}
-
-isc_result_t
-cfg_gettoken(cfg_parser_t *pctx, int options) {
- isc_result_t result;
-
- if (pctx->seen_eof)
- return (ISC_R_SUCCESS);
-
- options |= (ISC_LEXOPT_EOF | ISC_LEXOPT_NOMORE);
-
- redo:
- pctx->token.type = isc_tokentype_unknown;
- result = isc_lex_gettoken(pctx->lexer, options, &pctx->token);
- pctx->ungotten = ISC_FALSE;
- pctx->line = isc_lex_getsourceline(pctx->lexer);
-
- switch (result) {
- case ISC_R_SUCCESS:
- if (pctx->token.type == isc_tokentype_eof) {
- result = isc_lex_close(pctx->lexer);
- INSIST(result == ISC_R_NOMORE ||
- result == ISC_R_SUCCESS);
-
- if (isc_lex_getsourcename(pctx->lexer) != NULL) {
- /*
- * Closed an included file, not the main file.
- */
- cfg_listelt_t *elt;
- elt = ISC_LIST_TAIL(pctx->open_files->
- value.list);
- INSIST(elt != NULL);
- ISC_LIST_UNLINK(pctx->open_files->
- value.list, elt, link);
- ISC_LIST_APPEND(pctx->closed_files->
- value.list, elt, link);
- goto redo;
- }
- pctx->seen_eof = ISC_TRUE;
- }
- break;
-
- case ISC_R_NOSPACE:
- /* More understandable than "ran out of space". */
- cfg_parser_error(pctx, CFG_LOG_NEAR, "token too big");
- break;
-
- case ISC_R_IOERROR:
- cfg_parser_error(pctx, 0, "%s",
- isc_result_totext(result));
- break;
-
- default:
- cfg_parser_error(pctx, CFG_LOG_NEAR, "%s",
- isc_result_totext(result));
- break;
- }
- return (result);
-}
-
-void
-cfg_ungettoken(cfg_parser_t *pctx) {
- if (pctx->seen_eof)
- return;
- isc_lex_ungettoken(pctx->lexer, &pctx->token);
- pctx->ungotten = ISC_TRUE;
-}
-
-isc_result_t
-cfg_peektoken(cfg_parser_t *pctx, int options) {
- isc_result_t result;
- CHECK(cfg_gettoken(pctx, options));
- cfg_ungettoken(pctx);
- cleanup:
- return (result);
-}
-
-/*
- * Get a string token, accepting both the quoted and the unquoted form.
- * Log an error if the next token is not a string.
- */
-static isc_result_t
-cfg_getstringtoken(cfg_parser_t *pctx) {
- isc_result_t result;
-
- result = cfg_gettoken(pctx, CFG_LEXOPT_QSTRING);
- if (result != ISC_R_SUCCESS)
- return (result);
-
- if (pctx->token.type != isc_tokentype_string &&
- pctx->token.type != isc_tokentype_qstring) {
- cfg_parser_error(pctx, CFG_LOG_NEAR, "expected string");
- return (ISC_R_UNEXPECTEDTOKEN);
- }
- return (ISC_R_SUCCESS);
-}
-
-void
-cfg_parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
- va_list args;
- va_start(args, fmt);
- parser_complain(pctx, ISC_FALSE, flags, fmt, args);
- va_end(args);
- pctx->errors++;
-}
-
-void
-cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
- va_list args;
- va_start(args, fmt);
- parser_complain(pctx, ISC_TRUE, flags, fmt, args);
- va_end(args);
- pctx->warnings++;
-}
-
-#define MAX_LOG_TOKEN 30 /* How much of a token to quote in log messages. */
-
-static char *
-current_file(cfg_parser_t *pctx) {
- static char none[] = "none";
- cfg_listelt_t *elt;
- cfg_obj_t *fileobj;
-
- if (pctx->open_files == NULL)
- return (none);
- elt = ISC_LIST_TAIL(pctx->open_files->value.list);
- if (elt == NULL)
- return (none);
-
- fileobj = elt->obj;
- INSIST(fileobj->type == &cfg_type_qstring);
- return (fileobj->value.string.base);
-}
-
-static void
-parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
- unsigned int flags, const char *format,
- va_list args)
-{
- char tokenbuf[MAX_LOG_TOKEN + 10];
- static char where[ISC_DIR_PATHMAX + 100];
- static char message[2048];
- int level = ISC_LOG_ERROR;
- const char *prep = "";
- size_t len;
-
- if (is_warning)
- level = ISC_LOG_WARNING;
-
- snprintf(where, sizeof(where), "%s:%u: ",
- current_file(pctx), pctx->line);
-
- len = vsnprintf(message, sizeof(message), format, args);
- if (len >= sizeof(message))
- FATAL_ERROR(__FILE__, __LINE__,
- "error message would overflow");
-
- if ((flags & (CFG_LOG_NEAR|CFG_LOG_BEFORE|CFG_LOG_NOPREP)) != 0) {
- isc_region_t r;
-
- if (pctx->ungotten)
- (void)cfg_gettoken(pctx, 0);
-
- if (pctx->token.type == isc_tokentype_eof) {
- snprintf(tokenbuf, sizeof(tokenbuf), "end of file");
- } else if (pctx->token.type == isc_tokentype_unknown) {
- flags = 0;
- tokenbuf[0] = '\0';
- } else {
- isc_lex_getlasttokentext(pctx->lexer,
- &pctx->token, &r);
- if (r.length > MAX_LOG_TOKEN)
- snprintf(tokenbuf, sizeof(tokenbuf),
- "'%.*s...'", MAX_LOG_TOKEN, r.base);
- else
- snprintf(tokenbuf, sizeof(tokenbuf),
- "'%.*s'", (int)r.length, r.base);
- }
-
- /* Choose a preposition. */
- if (flags & CFG_LOG_NEAR)
- prep = " near ";
- else if (flags & CFG_LOG_BEFORE)
- prep = " before ";
- else
- prep = " ";
- } else {
- tokenbuf[0] = '\0';
- }
- isc_log_write(pctx->lctx, CAT, MOD, level,
- "%s%s%s%s", where, message, prep, tokenbuf);
-}
-
-void
-cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
- va_list ap;
- char msgbuf[2048];
-
- if (! isc_log_wouldlog(lctx, level))
- return;
-
- va_start(ap, fmt);
-
- vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
- isc_log_write(lctx, CAT, MOD, level,
- "%s:%u: %s",
- obj->file == NULL ? "<unknown file>" : obj->file,
- obj->line, msgbuf);
- va_end(ap);
-}
-
-const char *
-cfg_obj_file(cfg_obj_t *obj) {
- return (obj->file);
-}
-
-unsigned int
-cfg_obj_line(cfg_obj_t *obj) {
- return (obj->line);
-}
-
-isc_result_t
-cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- cfg_obj_t *obj;
-
- obj = isc_mem_get(pctx->mctx, sizeof(cfg_obj_t));
- if (obj == NULL)
- return (ISC_R_NOMEMORY);
- obj->type = type;
- obj->file = current_file(pctx);
- obj->line = pctx->line;
- *ret = obj;
- return (ISC_R_SUCCESS);
-}
-
-static void
-map_symtabitem_destroy(char *key, unsigned int type,
- isc_symvalue_t symval, void *userarg)
-{
- cfg_obj_t *obj = symval.as_pointer;
- cfg_parser_t *pctx = (cfg_parser_t *)userarg;
-
- UNUSED(key);
- UNUSED(type);
-
- cfg_obj_destroy(pctx, &obj);
-}
-
-
-static isc_result_t
-create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
- isc_result_t result;
- isc_symtab_t *symtab = NULL;
- cfg_obj_t *obj = NULL;
-
- CHECK(cfg_create_obj(pctx, type, &obj));
- CHECK(isc_symtab_create(pctx->mctx, 5, /* XXX */
- map_symtabitem_destroy,
- pctx, ISC_FALSE, &symtab));
-
- obj->value.map.symtab = symtab;
- obj->value.map.id = NULL;
-
- *ret = obj;
- return (ISC_R_SUCCESS);
-
- cleanup:
- if (obj != NULL)
- isc_mem_put(pctx->mctx, obj, sizeof(*obj));
- return (result);
-}
-
-static void
-free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
- CLEANUP_OBJ(obj->value.map.id);
- isc_symtab_destroy(&obj->value.map.symtab);
-}
-
-isc_boolean_t
-cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type) {
- return (ISC_TF(obj->type == type));
-}
-
-/*
- * Destroy 'obj', a configuration object created in 'pctx'.
- */
-void
-cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **objp) {
- cfg_obj_t *obj = *objp;
- obj->type->rep->free(pctx, obj);
- isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
- *objp = NULL;
-}
-
-static void
-free_noop(cfg_parser_t *pctx, cfg_obj_t *obj) {
- UNUSED(pctx);
- UNUSED(obj);
-}
-
-void
-cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type) {
- type->doc(pctx, type);
-}
-
-void
-cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) {
- cfg_print_chars(pctx, "<", 1);
- cfg_print_cstr(pctx, type->name);
- cfg_print_chars(pctx, ">", 1);
-}
-
-void
-cfg_print_grammar(const cfg_type_t *type,
- void (*f)(void *closure, const char *text, int textlen),
- void *closure)
-{
- cfg_printer_t pctx;
- pctx.f = f;
- pctx.closure = closure;
- pctx.indent = 0;
- cfg_doc_obj(&pctx, type);
-}
diff --git a/contrib/bind9/lib/isccfg/version.c b/contrib/bind9/lib/isccfg/version.c
deleted file mode 100644
index fe001d7434bf..000000000000
--- a/contrib/bind9/lib/isccfg/version.c
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:06 marka Exp $ */
-
-#include <isccfg/version.h>
-
-const char cfg_version[] = VERSION;
-
-const unsigned int cfg_libinterface = LIBINTERFACE;
-const unsigned int cfg_librevision = LIBREVISION;
-const unsigned int cfg_libage = LIBAGE;
-
diff --git a/contrib/bind9/lib/lwres/Makefile.in b/contrib/bind9/lib/lwres/Makefile.in
deleted file mode 100644
index 024b988492a7..000000000000
--- a/contrib/bind9/lib/lwres/Makefile.in
+++ /dev/null
@@ -1,84 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.25.12.8 2005/06/09 23:54:32 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@LIBLWRES_API@
-
-@BIND9_MAKE_INCLUDES@
-
-CINCLUDES = -I${srcdir}/unix/include \
- -I. -I./include -I${srcdir}/include ${ISC_INCLUDES}
-CDEFINES =
-CWARNINGS =
-
-# Alphabetically
-OBJS = context.@O@ gai_strerror.@O@ getaddrinfo.@O@ gethost.@O@ \
- getipnode.@O@ getnameinfo.@O@ getrrset.@O@ herror.@O@ \
- lwbuffer.@O@ lwconfig.@O@ lwpacket.@O@ lwresutil.@O@ \
- lwres_gabn.@O@ lwres_gnba.@O@ lwres_grbn.@O@ lwres_noop.@O@ \
- lwinetaton.@O@ lwinetpton.@O@ lwinetntop.@O@ print.@O@ \
- strtoul.@O@
-
-# Alphabetically
-SRCS = context.c gai_strerror.c getaddrinfo.c gethost.c \
- getipnode.c getnameinfo.c getrrset.c herror.c \
- lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
- lwres_gabn.c lwres_gnba.c lwres_grbn.c lwres_noop.c \
- lwinetaton.c lwinetpton.c lwinetntop.c print.c \
- strtoul.c
-
-LIBS = @LIBS@
-
-SUBDIRS = include man unix
-TARGETS = timestamp
-
-@BIND9_MAKE_RULES@
-
-version.@O@: version.c
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
- -DVERSION=\"${VERSION}\" \
- -DLIBINTERFACE=${LIBINTERFACE} \
- -DLIBREVISION=${LIBREVISION} \
- -DLIBAGE=${LIBAGE} \
- -c ${srcdir}/version.c
-
-liblwres.@SA@: ${OBJS} version.@O@
- ${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
- ${RANLIB} $@
-
-liblwres.la: ${OBJS} version.@O@
- ${LIBTOOL_MODE_LINK} \
- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o liblwres.la -rpath ${libdir} \
- -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
- ${OBJS} version.@O@ ${LIBS}
-
-timestamp: liblwres.@A@
- touch timestamp
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
-
-install:: timestamp installdirs
- ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} liblwres.@A@ ${DESTDIR}${libdir}
-
-clean distclean::
- rm -f liblwres.@A@ liblwres.la timestamp
diff --git a/contrib/bind9/lib/lwres/api b/contrib/bind9/lib/lwres/api
deleted file mode 100644
index 0ab1e92dc29e..000000000000
--- a/contrib/bind9/lib/lwres/api
+++ /dev/null
@@ -1,3 +0,0 @@
-LIBINTERFACE = 10
-LIBREVISION = 1
-LIBAGE = 1
diff --git a/contrib/bind9/lib/lwres/assert_p.h b/contrib/bind9/lib/lwres/assert_p.h
deleted file mode 100644
index 78b4b7927a54..000000000000
--- a/contrib/bind9/lib/lwres/assert_p.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: assert_p.h,v 1.9.206.1 2004/03/06 08:15:30 marka Exp $ */
-
-#ifndef LWRES_ASSERT_P_H
-#define LWRES_ASSERT_P_H 1
-
-#include <assert.h> /* Required for assert() prototype. */
-
-#define REQUIRE(x) assert(x)
-#define INSIST(x) assert(x)
-
-#define UNUSED(x) ((void)(x))
-
-#define SPACE_OK(b, s) (LWRES_BUFFER_AVAILABLECOUNT(b) >= (s))
-#define SPACE_REMAINING(b, s) (LWRES_BUFFER_REMAINING(b) >= (s))
-
-#endif /* LWRES_ASSERT_P_H */
diff --git a/contrib/bind9/lib/lwres/context.c b/contrib/bind9/lib/lwres/context.c
deleted file mode 100644
index b606b9d21a1f..000000000000
--- a/contrib/bind9/lib/lwres/context.c
+++ /dev/null
@@ -1,379 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.c,v 1.41.2.1.2.4 2004/09/17 05:50:31 marka Exp $ */
-
-#include <config.h>
-
-#include <fcntl.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <unistd.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/platform.h>
-
-#ifdef LWRES_PLATFORM_NEEDSYSSELECTH
-#include <sys/select.h>
-#endif
-
-#include "context_p.h"
-#include "assert_p.h"
-
-/*
- * Some systems define the socket length argument as an int, some as size_t,
- * some as socklen_t. The last is what the current POSIX standard mandates.
- * This definition is here so it can be portable but easily changed if needed.
- */
-#ifndef LWRES_SOCKADDR_LEN_T
-#define LWRES_SOCKADDR_LEN_T unsigned int
-#endif
-
-/*
- * Make a socket nonblocking.
- */
-#ifndef MAKE_NONBLOCKING
-#define MAKE_NONBLOCKING(sd, retval) \
-do { \
- retval = fcntl(sd, F_GETFL, 0); \
- if (retval != -1) { \
- retval |= O_NONBLOCK; \
- retval = fcntl(sd, F_SETFL, retval); \
- } \
-} while (0)
-#endif
-
-LIBLWRES_EXTERNAL_DATA lwres_uint16_t lwres_udp_port = LWRES_UDP_PORT;
-LIBLWRES_EXTERNAL_DATA const char *lwres_resolv_conf = LWRES_RESOLV_CONF;
-
-static void *
-lwres_malloc(void *, size_t);
-
-static void
-lwres_free(void *, void *, size_t);
-
-static lwres_result_t
-context_connect(lwres_context_t *);
-
-lwres_result_t
-lwres_context_create(lwres_context_t **contextp, void *arg,
- lwres_malloc_t malloc_function,
- lwres_free_t free_function,
- unsigned int flags)
-{
- lwres_context_t *ctx;
-
- REQUIRE(contextp != NULL && *contextp == NULL);
- UNUSED(flags);
-
- /*
- * If we were not given anything special to use, use our own
- * functions. These are just wrappers around malloc() and free().
- */
- if (malloc_function == NULL || free_function == NULL) {
- REQUIRE(malloc_function == NULL);
- REQUIRE(free_function == NULL);
- malloc_function = lwres_malloc;
- free_function = lwres_free;
- }
-
- ctx = malloc_function(arg, sizeof(lwres_context_t));
- if (ctx == NULL)
- return (LWRES_R_NOMEMORY);
-
- /*
- * Set up the context.
- */
- ctx->malloc = malloc_function;
- ctx->free = free_function;
- ctx->arg = arg;
- ctx->sock = -1;
-
- ctx->timeout = LWRES_DEFAULT_TIMEOUT;
- ctx->serial = time(NULL); /* XXXMLG or BEW */
-
- /*
- * Init resolv.conf bits.
- */
- lwres_conf_init(ctx);
-
- *contextp = ctx;
- return (LWRES_R_SUCCESS);
-}
-
-void
-lwres_context_destroy(lwres_context_t **contextp) {
- lwres_context_t *ctx;
-
- REQUIRE(contextp != NULL && *contextp != NULL);
-
- ctx = *contextp;
- *contextp = NULL;
-
- if (ctx->sock != -1) {
- (void)close(ctx->sock);
- ctx->sock = -1;
- }
-
- CTXFREE(ctx, sizeof(lwres_context_t));
-}
-
-lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx) {
- REQUIRE(ctx != NULL);
-
- return (ctx->serial++);
-}
-
-void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial) {
- REQUIRE(ctx != NULL);
-
- ctx->serial = serial;
-}
-
-void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
- REQUIRE(mem != NULL);
- REQUIRE(len != 0U);
-
- CTXFREE(mem, len);
-}
-
-void *
-lwres_context_allocmem(lwres_context_t *ctx, size_t len) {
- REQUIRE(len != 0U);
-
- return (CTXMALLOC(len));
-}
-
-static void *
-lwres_malloc(void *arg, size_t len) {
- void *mem;
-
- UNUSED(arg);
-
- mem = malloc(len);
- if (mem == NULL)
- return (NULL);
-
- memset(mem, 0xe5, len);
-
- return (mem);
-}
-
-static void
-lwres_free(void *arg, void *mem, size_t len) {
- UNUSED(arg);
-
- memset(mem, 0xa9, len);
- free(mem);
-}
-
-static lwres_result_t
-context_connect(lwres_context_t *ctx) {
- int s;
- int ret;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- struct sockaddr *sa;
- LWRES_SOCKADDR_LEN_T salen;
- int domain;
-
- if (ctx->confdata.lwnext != 0) {
- memcpy(&ctx->address, &ctx->confdata.lwservers[0],
- sizeof(lwres_addr_t));
- LWRES_LINK_INIT(&ctx->address, link);
- } else {
- /* The default is the IPv4 loopback address 127.0.0.1. */
- memset(&ctx->address, 0, sizeof(ctx->address));
- ctx->address.family = LWRES_ADDRTYPE_V4;
- ctx->address.length = 4;
- ctx->address.address[0] = 127;
- ctx->address.address[1] = 0;
- ctx->address.address[2] = 0;
- ctx->address.address[3] = 1;
- }
-
- if (ctx->address.family == LWRES_ADDRTYPE_V4) {
- memcpy(&sin.sin_addr, ctx->address.address,
- sizeof(sin.sin_addr));
- sin.sin_port = htons(lwres_udp_port);
- sin.sin_family = AF_INET;
- sa = (struct sockaddr *)&sin;
- salen = sizeof(sin);
- domain = PF_INET;
- } else if (ctx->address.family == LWRES_ADDRTYPE_V6) {
- memcpy(&sin6.sin6_addr, ctx->address.address,
- sizeof(sin6.sin6_addr));
- sin6.sin6_port = htons(lwres_udp_port);
- sin6.sin6_family = AF_INET6;
- sa = (struct sockaddr *)&sin6;
- salen = sizeof(sin6);
- domain = PF_INET6;
- } else
- return (LWRES_R_IOERROR);
-
- s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
- if (s < 0)
- return (LWRES_R_IOERROR);
-
- ret = connect(s, sa, salen);
- if (ret != 0) {
- (void)close(s);
- return (LWRES_R_IOERROR);
- }
-
- MAKE_NONBLOCKING(s, ret);
- if (ret < 0)
- return (LWRES_R_IOERROR);
-
- ctx->sock = s;
-
- return (LWRES_R_SUCCESS);
-}
-
-int
-lwres_context_getsocket(lwres_context_t *ctx) {
- return (ctx->sock);
-}
-
-lwres_result_t
-lwres_context_send(lwres_context_t *ctx,
- void *sendbase, int sendlen) {
- int ret;
- lwres_result_t lwresult;
-
- if (ctx->sock == -1) {
- lwresult = context_connect(ctx);
- if (lwresult != LWRES_R_SUCCESS)
- return (lwresult);
- }
-
- ret = sendto(ctx->sock, sendbase, sendlen, 0, NULL, 0);
- if (ret < 0)
- return (LWRES_R_IOERROR);
- if (ret != sendlen)
- return (LWRES_R_IOERROR);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_context_recv(lwres_context_t *ctx,
- void *recvbase, int recvlen,
- int *recvd_len)
-{
- LWRES_SOCKADDR_LEN_T fromlen;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- struct sockaddr *sa;
- int ret;
-
- if (ctx->address.family == LWRES_ADDRTYPE_V4) {
- sa = (struct sockaddr *)&sin;
- fromlen = sizeof(sin);
- } else {
- sa = (struct sockaddr *)&sin6;
- fromlen = sizeof(sin6);
- }
-
- /*
- * The address of fromlen is cast to void * to shut up compiler
- * warnings, namely on systems that have the sixth parameter
- * prototyped as a signed int when LWRES_SOCKADDR_LEN_T is
- * defined as unsigned.
- */
- ret = recvfrom(ctx->sock, recvbase, recvlen, 0, sa, (void *)&fromlen);
-
- if (ret < 0)
- return (LWRES_R_IOERROR);
-
- if (ret == recvlen)
- return (LWRES_R_TOOLARGE);
-
- /*
- * If we got something other than what we expect, have the caller
- * wait for another packet. This can happen if an old result
- * comes in, or if someone is sending us random stuff.
- */
- if (ctx->address.family == LWRES_ADDRTYPE_V4) {
- if (fromlen != sizeof(sin)
- || memcmp(&sin.sin_addr, ctx->address.address,
- sizeof(sin.sin_addr)) != 0
- || sin.sin_port != htons(lwres_udp_port))
- return (LWRES_R_RETRY);
- } else {
- if (fromlen != sizeof(sin6)
- || memcmp(&sin6.sin6_addr, ctx->address.address,
- sizeof(sin6.sin6_addr)) != 0
- || sin6.sin6_port != htons(lwres_udp_port))
- return (LWRES_R_RETRY);
- }
-
- if (recvd_len != NULL)
- *recvd_len = ret;
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_context_sendrecv(lwres_context_t *ctx,
- void *sendbase, int sendlen,
- void *recvbase, int recvlen,
- int *recvd_len)
-{
- lwres_result_t result;
- int ret2;
- fd_set readfds;
- struct timeval timeout;
-
- /*
- * Type of tv_sec is 32 bits long.
- */
- if (ctx->timeout <= 0x7FFFFFFFU)
- timeout.tv_sec = (int)ctx->timeout;
- else
- timeout.tv_sec = 0x7FFFFFFF;
-
- timeout.tv_usec = 0;
-
- result = lwres_context_send(ctx, sendbase, sendlen);
- if (result != LWRES_R_SUCCESS)
- return (result);
- again:
- FD_ZERO(&readfds);
- FD_SET(ctx->sock, &readfds);
- ret2 = select(ctx->sock + 1, &readfds, NULL, NULL, &timeout);
-
- /*
- * What happened with select?
- */
- if (ret2 < 0)
- return (LWRES_R_IOERROR);
- if (ret2 == 0)
- return (LWRES_R_TIMEOUT);
-
- result = lwres_context_recv(ctx, recvbase, recvlen, recvd_len);
- if (result == LWRES_R_RETRY)
- goto again;
-
- return (result);
-}
diff --git a/contrib/bind9/lib/lwres/context_p.h b/contrib/bind9/lib/lwres/context_p.h
deleted file mode 100644
index 3e22bc00d45e..000000000000
--- a/contrib/bind9/lib/lwres/context_p.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context_p.h,v 1.12.206.1 2004/03/06 08:15:30 marka Exp $ */
-
-#ifndef LWRES_CONTEXT_P_H
-#define LWRES_CONTEXT_P_H 1
-
-/*
- * Helper functions, assuming the context is always called "ctx" in
- * the scope these functions are called from.
- */
-#define CTXMALLOC(len) ctx->malloc(ctx->arg, (len))
-#define CTXFREE(addr, len) ctx->free(ctx->arg, (addr), (len))
-
-#define LWRES_DEFAULT_TIMEOUT 120 /* 120 seconds for a reply */
-
-/*
- * Not all the attributes here are actually settable by the application at
- * this time.
- */
-struct lwres_context {
- unsigned int timeout; /* time to wait for reply */
- lwres_uint32_t serial; /* serial number state */
-
- /*
- * For network I/O.
- */
- int sock; /* socket to send on */
- lwres_addr_t address; /* address to send to */
-
- /*
- * Function pointers for allocating memory.
- */
- lwres_malloc_t malloc;
- lwres_free_t free;
- void *arg;
-
- /*
- * resolv.conf-like data
- */
- lwres_conf_t confdata;
-};
-
-#endif /* LWRES_CONTEXT_P_H */
diff --git a/contrib/bind9/lib/lwres/gai_strerror.c b/contrib/bind9/lib/lwres/gai_strerror.c
deleted file mode 100644
index ae819dda4b4e..000000000000
--- a/contrib/bind9/lib/lwres/gai_strerror.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gai_strerror.c,v 1.14.2.1.10.1 2004/03/06 08:15:30 marka Exp $ */
-
-#include <lwres/netdb.h>
-
-static const char *gai_messages[] = {
- "no error",
- "address family for hostname not supported",
- "temporary failure in name resolution",
- "invalid value for ai_flags",
- "non-recoverable failure in name resolution",
- "ai_family not supported",
- "memory allocation failure",
- "no address associated with hostname",
- "hostname nor servname provided, or not known",
- "servname not supported for ai_socktype",
- "ai_socktype not supported",
- "system error returned in errno",
- "bad hints",
- "bad protocol"
-};
-
-char *
-lwres_gai_strerror(int ecode) {
- union {
- const char *const_ptr;
- char *deconst_ptr;
- } ptr;
-
- if ((ecode < 0) ||
- (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
- ptr.const_ptr = "invalid error code";
- else
- ptr.const_ptr = gai_messages[ecode];
- return (ptr.deconst_ptr);
-}
diff --git a/contrib/bind9/lib/lwres/getaddrinfo.c b/contrib/bind9/lib/lwres/getaddrinfo.c
deleted file mode 100644
index c06327446b34..000000000000
--- a/contrib/bind9/lib/lwres/getaddrinfo.c
+++ /dev/null
@@ -1,691 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * This code is derived from software contributed to ISC by
- * Berkeley Software Design, Inc.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
- * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getaddrinfo.c,v 1.41.206.3 2005/06/09 23:54:33 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-#include <errno.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-#include <lwres/stdlib.h>
-
-#define SA(addr) ((struct sockaddr *)(addr))
-#define SIN(addr) ((struct sockaddr_in *)(addr))
-#define SIN6(addr) ((struct sockaddr_in6 *)(addr))
-#define SUN(addr) ((struct sockaddr_un *)(addr))
-
-static struct addrinfo
- *ai_reverse(struct addrinfo *oai),
- *ai_clone(struct addrinfo *oai, int family),
- *ai_alloc(int family, int addrlen);
-#ifdef AF_LOCAL
-static int get_local(const char *name, int socktype, struct addrinfo **res);
-#endif
-
-static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port);
-static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port);
-static void set_order(int, int (**)(const char *, int, struct addrinfo **,
- int, int));
-
-#define FOUND_IPV4 0x1
-#define FOUND_IPV6 0x2
-#define FOUND_MAX 2
-
-#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
-
-int
-lwres_getaddrinfo(const char *hostname, const char *servname,
- const struct addrinfo *hints, struct addrinfo **res)
-{
- struct servent *sp;
- const char *proto;
- int family, socktype, flags, protocol;
- struct addrinfo *ai, *ai_list;
- int port, err, i;
- int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
- int, int);
-
- if (hostname == NULL && servname == NULL)
- return (EAI_NONAME);
-
- proto = NULL;
- if (hints != NULL) {
- if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
- return (EAI_BADFLAGS);
- if (hints->ai_addrlen || hints->ai_canonname ||
- hints->ai_addr || hints->ai_next) {
- errno = EINVAL;
- return (EAI_SYSTEM);
- }
- family = hints->ai_family;
- socktype = hints->ai_socktype;
- protocol = hints->ai_protocol;
- flags = hints->ai_flags;
- switch (family) {
- case AF_UNSPEC:
- switch (hints->ai_socktype) {
- case SOCK_STREAM:
- proto = "tcp";
- break;
- case SOCK_DGRAM:
- proto = "udp";
- break;
- }
- break;
- case AF_INET:
- case AF_INET6:
- switch (hints->ai_socktype) {
- case 0:
- break;
- case SOCK_STREAM:
- proto = "tcp";
- break;
- case SOCK_DGRAM:
- proto = "udp";
- break;
- case SOCK_RAW:
- break;
- default:
- return (EAI_SOCKTYPE);
- }
- break;
-#ifdef AF_LOCAL
- case AF_LOCAL:
- switch (hints->ai_socktype) {
- case 0:
- break;
- case SOCK_STREAM:
- break;
- case SOCK_DGRAM:
- break;
- default:
- return (EAI_SOCKTYPE);
- }
- break;
-#endif
- default:
- return (EAI_FAMILY);
- }
- } else {
- protocol = 0;
- family = 0;
- socktype = 0;
- flags = 0;
- }
-
-#ifdef AF_LOCAL
- /*
- * First, deal with AF_LOCAL. If the family was not set,
- * then assume AF_LOCAL if the first character of the
- * hostname/servname is '/'.
- */
-
- if (hostname != NULL &&
- (family == AF_LOCAL || (family == 0 && *hostname == '/')))
- return (get_local(hostname, socktype, res));
-
- if (servname != NULL &&
- (family == AF_LOCAL || (family == 0 && *servname == '/')))
- return (get_local(servname, socktype, res));
-#endif
-
- /*
- * Ok, only AF_INET and AF_INET6 left.
- */
- ai_list = NULL;
-
- /*
- * First, look up the service name (port) if it was
- * requested. If the socket type wasn't specified, then
- * try and figure it out.
- */
- if (servname != NULL) {
- char *e;
-
- port = strtol(servname, &e, 10);
- if (*e == '\0') {
- if (socktype == 0)
- return (EAI_SOCKTYPE);
- if (port < 0 || port > 65535)
- return (EAI_SERVICE);
- port = htons((unsigned short) port);
- } else {
- sp = getservbyname(servname, proto);
- if (sp == NULL)
- return (EAI_SERVICE);
- port = sp->s_port;
- if (socktype == 0) {
- if (strcmp(sp->s_proto, "tcp") == 0)
- socktype = SOCK_STREAM;
- else if (strcmp(sp->s_proto, "udp") == 0)
- socktype = SOCK_DGRAM;
- }
- }
- } else
- port = 0;
-
- /*
- * Next, deal with just a service name, and no hostname.
- * (we verified that one of them was non-null up above).
- */
- if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
- if (family == AF_INET || family == 0) {
- ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
- if (ai == NULL)
- return (EAI_MEMORY);
- ai->ai_socktype = socktype;
- ai->ai_protocol = protocol;
- SIN(ai->ai_addr)->sin_port = port;
- ai->ai_next = ai_list;
- ai_list = ai;
- }
-
- if (family == AF_INET6 || family == 0) {
- ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
- if (ai == NULL) {
- lwres_freeaddrinfo(ai_list);
- return (EAI_MEMORY);
- }
- ai->ai_socktype = socktype;
- ai->ai_protocol = protocol;
- SIN6(ai->ai_addr)->sin6_port = port;
- ai->ai_next = ai_list;
- ai_list = ai;
- }
-
- *res = ai_list;
- return (0);
- }
-
- /*
- * If the family isn't specified or AI_NUMERICHOST specified,
- * check first to see if it is a numeric address.
- * Though the gethostbyname2() routine
- * will recognize numeric addresses, it will only recognize
- * the format that it is being called for. Thus, a numeric
- * AF_INET address will be treated by the AF_INET6 call as
- * a domain name, and vice versa. Checking for both numerics
- * here avoids that.
- */
- if (hostname != NULL &&
- (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
- char abuf[sizeof(struct in6_addr)];
- char nbuf[NI_MAXHOST];
- int addrsize, addroff;
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
- char *p, *ep;
- char ntmp[NI_MAXHOST];
- lwres_uint32_t scopeid;
-#endif
-
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
- /*
- * Scope identifier portion.
- */
- ntmp[0] = '\0';
- if (strchr(hostname, '%') != NULL) {
- strncpy(ntmp, hostname, sizeof(ntmp) - 1);
- ntmp[sizeof(ntmp) - 1] = '\0';
- p = strchr(ntmp, '%');
- ep = NULL;
-
- /*
- * Vendors may want to support non-numeric
- * scopeid around here.
- */
-
- if (p != NULL)
- scopeid = (lwres_uint32_t)strtoul(p + 1,
- &ep, 10);
- if (p != NULL && ep != NULL && ep[0] == '\0')
- *p = '\0';
- else {
- ntmp[0] = '\0';
- scopeid = 0;
- }
- } else
- scopeid = 0;
-#endif
-
- if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
- == 1)
- {
- if (family == AF_INET6) {
- /*
- * Convert to a V4 mapped address.
- */
- struct in6_addr *a6 = (struct in6_addr *)abuf;
- memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
- memset(&a6->s6_addr[10], 0xff, 2);
- memset(&a6->s6_addr[0], 0, 10);
- goto inet6_addr;
- }
- addrsize = sizeof(struct in_addr);
- addroff = (char *)(&SIN(0)->sin_addr) - (char *)0;
- family = AF_INET;
- goto common;
-#ifdef LWRES_HAVE_SIN6_SCOPE_ID
- } else if (ntmp[0] != '\0' &&
- lwres_net_pton(AF_INET6, ntmp, abuf) == 1)
- {
- if (family && family != AF_INET6)
- return (EAI_NONAME);
- addrsize = sizeof(struct in6_addr);
- addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
- family = AF_INET6;
- goto common;
-#endif
- } else if (lwres_net_pton(AF_INET6, hostname, abuf) == 1) {
- if (family != 0 && family != AF_INET6)
- return (EAI_NONAME);
- inet6_addr:
- addrsize = sizeof(struct in6_addr);
- addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
- family = AF_INET6;
-
- common:
- ai = ai_clone(ai_list, family);
- if (ai == NULL)
- return (EAI_MEMORY);
- ai_list = ai;
- ai->ai_socktype = socktype;
- SIN(ai->ai_addr)->sin_port = port;
- memcpy((char *)ai->ai_addr + addroff, abuf, addrsize);
- if (flags & AI_CANONNAME) {
-#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
- if (ai->ai_family == AF_INET6)
- SIN6(ai->ai_addr)->sin6_scope_id =
- scopeid;
-#endif
- if (lwres_getnameinfo(ai->ai_addr,
- ai->ai_addrlen, nbuf, sizeof(nbuf),
- NULL, 0,
- NI_NUMERICHOST) == 0) {
- ai->ai_canonname = strdup(nbuf);
- if (ai->ai_canonname == NULL)
- return (EAI_MEMORY);
- } else {
- /* XXX raise error? */
- ai->ai_canonname = NULL;
- }
- }
- goto done;
- } else if ((flags & AI_NUMERICHOST) != 0) {
- return (EAI_NONAME);
- }
- }
-
- set_order(family, net_order);
- for (i = 0; i < FOUND_MAX; i++) {
- if (net_order[i] == NULL)
- break;
- err = (net_order[i])(hostname, flags, &ai_list,
- socktype, port);
- if (err != 0)
- return (err);
- }
-
- if (ai_list == NULL)
- return (EAI_NODATA);
-
-done:
- ai_list = ai_reverse(ai_list);
-
- *res = ai_list;
- return (0);
-}
-
-static char *
-lwres_strsep(char **stringp, const char *delim) {
- char *string = *stringp;
- char *s;
- const char *d;
- char sc, dc;
-
- if (string == NULL)
- return (NULL);
-
- for (s = string; *s != '\0'; s++) {
- sc = *s;
- for (d = delim; (dc = *d) != '\0'; d++)
- if (sc == dc) {
- *s++ = '\0';
- *stringp = s;
- return (string);
- }
- }
- *stringp = NULL;
- return (string);
-}
-
-static void
-set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
- int, int))
-{
- char *order, *tok;
- int found;
-
- if (family) {
- switch (family) {
- case AF_INET:
- *net_order++ = add_ipv4;
- break;
- case AF_INET6:
- *net_order++ = add_ipv6;
- break;
- }
- } else {
- order = getenv("NET_ORDER");
- found = 0;
- while (order != NULL) {
- /*
- * We ignore any unknown names.
- */
- tok = lwres_strsep(&order, ":");
- if (strcasecmp(tok, "inet6") == 0) {
- if ((found & FOUND_IPV6) == 0)
- *net_order++ = add_ipv6;
- found |= FOUND_IPV6;
- } else if (strcasecmp(tok, "inet") == 0 ||
- strcasecmp(tok, "inet4") == 0) {
- if ((found & FOUND_IPV4) == 0)
- *net_order++ = add_ipv4;
- found |= FOUND_IPV4;
- }
- }
-
- /*
- * Add in anything that we didn't find.
- */
- if ((found & FOUND_IPV4) == 0)
- *net_order++ = add_ipv4;
- if ((found & FOUND_IPV6) == 0)
- *net_order++ = add_ipv6;
- }
- *net_order = NULL;
- return;
-}
-
-static char v4_loop[4] = { 127, 0, 0, 1 };
-
-/*
- * The test against 0 is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define ERR(code) \
- do { result = (code); \
- if (result != 0) goto cleanup; \
- } while (0)
-
-static int
-add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port)
-{
- struct addrinfo *ai;
- lwres_context_t *lwrctx = NULL;
- lwres_gabnresponse_t *by = NULL;
- lwres_addr_t *addr;
- lwres_result_t lwres;
- int result = 0;
-
- lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (lwres != LWRES_R_SUCCESS)
- ERR(EAI_FAIL);
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
- ai = ai_clone(*aip, AF_INET);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
-
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN(ai->ai_addr)->sin_port = port;
- memcpy(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
- } else {
- lwres = lwres_getaddrsbyname(lwrctx, hostname,
- LWRES_ADDRTYPE_V4, &by);
- if (lwres != LWRES_R_SUCCESS) {
- if (lwres == LWRES_R_NOTFOUND)
- goto cleanup;
- else
- ERR(EAI_FAIL);
- }
- addr = LWRES_LIST_HEAD(by->addrs);
- while (addr != NULL) {
- ai = ai_clone(*aip, AF_INET);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN(ai->ai_addr)->sin_port = port;
- memcpy(&SIN(ai->ai_addr)->sin_addr,
- addr->address, 4);
- if (flags & AI_CANONNAME) {
- ai->ai_canonname = strdup(by->realname);
- if (ai->ai_canonname == NULL)
- ERR(EAI_MEMORY);
- }
- addr = LWRES_LIST_NEXT(addr, link);
- }
- }
- cleanup:
- if (by != NULL)
- lwres_gabnresponse_free(lwrctx, &by);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (result);
-}
-
-static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
-
-static int
-add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
- int socktype, int port)
-{
- struct addrinfo *ai;
- lwres_context_t *lwrctx = NULL;
- lwres_gabnresponse_t *by = NULL;
- lwres_addr_t *addr;
- lwres_result_t lwres;
- int result = 0;
-
- lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (lwres != LWRES_R_SUCCESS)
- ERR(EAI_FAIL);
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
- if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
- ai = ai_clone(*aip, AF_INET6);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
-
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN6(ai->ai_addr)->sin6_port = port;
- memcpy(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
- } else {
- lwres = lwres_getaddrsbyname(lwrctx, hostname,
- LWRES_ADDRTYPE_V6, &by);
- if (lwres != LWRES_R_SUCCESS) {
- if (lwres == LWRES_R_NOTFOUND)
- goto cleanup;
- else
- ERR(EAI_FAIL);
- }
- addr = LWRES_LIST_HEAD(by->addrs);
- while (addr != NULL) {
- ai = ai_clone(*aip, AF_INET6);
- if (ai == NULL) {
- lwres_freeaddrinfo(*aip);
- ERR(EAI_MEMORY);
- }
- *aip = ai;
- ai->ai_socktype = socktype;
- SIN6(ai->ai_addr)->sin6_port = port;
- memcpy(&SIN6(ai->ai_addr)->sin6_addr,
- addr->address, 16);
- if (flags & AI_CANONNAME) {
- ai->ai_canonname = strdup(by->realname);
- if (ai->ai_canonname == NULL)
- ERR(EAI_MEMORY);
- }
- addr = LWRES_LIST_NEXT(addr, link);
- }
- }
- cleanup:
- if (by != NULL)
- lwres_gabnresponse_free(lwrctx, &by);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (result);
-}
-
-void
-lwres_freeaddrinfo(struct addrinfo *ai) {
- struct addrinfo *ai_next;
-
- while (ai != NULL) {
- ai_next = ai->ai_next;
- if (ai->ai_addr != NULL)
- free(ai->ai_addr);
- if (ai->ai_canonname)
- free(ai->ai_canonname);
- free(ai);
- ai = ai_next;
- }
-}
-
-#ifdef AF_LOCAL
-static int
-get_local(const char *name, int socktype, struct addrinfo **res) {
- struct addrinfo *ai;
- struct sockaddr_un *sun;
-
- if (socktype == 0)
- return (EAI_SOCKTYPE);
-
- ai = ai_alloc(AF_LOCAL, sizeof(*sun));
- if (ai == NULL)
- return (EAI_MEMORY);
-
- sun = SUN(ai->ai_addr);
- strncpy(sun->sun_path, name, sizeof(sun->sun_path));
-
- ai->ai_socktype = socktype;
- /*
- * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
- * and ai->ai_next were initialized to zero.
- */
-
- *res = ai;
- return (0);
-}
-#endif
-
-/*
- * Allocate an addrinfo structure, and a sockaddr structure
- * of the specificed length. We initialize:
- * ai_addrlen
- * ai_family
- * ai_addr
- * ai_addr->sa_family
- * ai_addr->sa_len (LWRES_PLATFORM_HAVESALEN)
- * and everything else is initialized to zero.
- */
-static struct addrinfo *
-ai_alloc(int family, int addrlen) {
- struct addrinfo *ai;
-
- ai = (struct addrinfo *)calloc(1, sizeof(*ai));
- if (ai == NULL)
- return (NULL);
-
- ai->ai_addr = SA(calloc(1, addrlen));
- if (ai->ai_addr == NULL) {
- free(ai);
- return (NULL);
- }
- ai->ai_addrlen = addrlen;
- ai->ai_family = family;
- ai->ai_addr->sa_family = family;
-#ifdef LWRES_PLATFORM_HAVESALEN
- ai->ai_addr->sa_len = addrlen;
-#endif
- return (ai);
-}
-
-static struct addrinfo *
-ai_clone(struct addrinfo *oai, int family) {
- struct addrinfo *ai;
-
- ai = ai_alloc(family, ((family == AF_INET6) ?
- sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
-
- if (ai == NULL) {
- lwres_freeaddrinfo(oai);
- return (NULL);
- }
- if (oai == NULL)
- return (ai);
-
- ai->ai_flags = oai->ai_flags;
- ai->ai_socktype = oai->ai_socktype;
- ai->ai_protocol = oai->ai_protocol;
- ai->ai_canonname = NULL;
- ai->ai_next = oai;
- return (ai);
-}
-
-static struct addrinfo *
-ai_reverse(struct addrinfo *oai) {
- struct addrinfo *nai, *tai;
-
- nai = NULL;
-
- while (oai != NULL) {
- /*
- * Grab one off the old list.
- */
- tai = oai;
- oai = oai->ai_next;
- /*
- * Put it on the front of the new list.
- */
- tai->ai_next = nai;
- nai = tai;
- }
- return (nai);
-}
diff --git a/contrib/bind9/lib/lwres/gethost.c b/contrib/bind9/lib/lwres/gethost.c
deleted file mode 100644
index 9c362b92c892..000000000000
--- a/contrib/bind9/lib/lwres/gethost.c
+++ /dev/null
@@ -1,219 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: gethost.c,v 1.29.206.1 2004/03/06 08:15:30 marka Exp $ */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-
-#include "assert_p.h"
-
-#define LWRES_ALIGNBYTES (sizeof(char *) - 1)
-#define LWRES_ALIGN(p) \
- (((unsigned long)(p) + LWRES_ALIGNBYTES) &~ LWRES_ALIGNBYTES)
-
-static struct hostent *he = NULL;
-static int copytobuf(struct hostent *, struct hostent *, char *, int);
-
-struct hostent *
-lwres_gethostbyname(const char *name) {
-
- if (he != NULL)
- lwres_freehostent(he);
-
- he = lwres_getipnodebyname(name, AF_INET, 0, &lwres_h_errno);
- return (he);
-}
-
-struct hostent *
-lwres_gethostbyname2(const char *name, int af) {
- if (he != NULL)
- lwres_freehostent(he);
-
- he = lwres_getipnodebyname(name, af, 0, &lwres_h_errno);
- return (he);
-}
-
-struct hostent *
-lwres_gethostbyaddr(const char *addr, int len, int type) {
-
- if (he != NULL)
- lwres_freehostent(he);
-
- he = lwres_getipnodebyaddr(addr, len, type, &lwres_h_errno);
- return (he);
-}
-
-struct hostent *
-lwres_gethostent(void) {
- if (he != NULL)
- lwres_freehostent(he);
-
- return (NULL);
-}
-
-void
-lwres_sethostent(int stayopen) {
- /*
- * Empty.
- */
- UNUSED(stayopen);
-}
-
-void
-lwres_endhostent(void) {
- /*
- * Empty.
- */
-}
-
-struct hostent *
-lwres_gethostbyname_r(const char *name, struct hostent *resbuf,
- char *buf, int buflen, int *error)
-{
- struct hostent *he;
- int res;
-
- he = lwres_getipnodebyname(name, AF_INET, 0, error);
- if (he == NULL)
- return (NULL);
- res = copytobuf(he, resbuf, buf, buflen);
- lwres_freehostent(he);
- if (res != 0) {
- errno = ERANGE;
- return (NULL);
- }
- return (resbuf);
-}
-
-struct hostent *
-lwres_gethostbyaddr_r(const char *addr, int len, int type,
- struct hostent *resbuf, char *buf, int buflen,
- int *error)
-{
- struct hostent *he;
- int res;
-
- he = lwres_getipnodebyaddr(addr, len, type, error);
- if (he == NULL)
- return (NULL);
- res = copytobuf(he, resbuf, buf, buflen);
- lwres_freehostent(he);
- if (res != 0) {
- errno = ERANGE;
- return (NULL);
- }
- return (resbuf);
-}
-
-struct hostent *
-lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
- UNUSED(resbuf);
- UNUSED(buf);
- UNUSED(buflen);
- *error = 0;
- return (NULL);
-}
-
-void
-lwres_sethostent_r(int stayopen) {
- /*
- * Empty.
- */
- UNUSED(stayopen);
-}
-
-void
-lwres_endhostent_r(void) {
- /*
- * Empty.
- */
-}
-
-static int
-copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) {
- char *cp;
- char **ptr;
- int i, n;
- int nptr, len;
-
- /*
- * Find out the amount of space required to store the answer.
- */
- nptr = 2; /* NULL ptrs */
- len = (char *)LWRES_ALIGN(buf) - buf;
- for (i = 0; he->h_addr_list[i]; i++, nptr++) {
- len += he->h_length;
- }
- for (i = 0; he->h_aliases[i]; i++, nptr++) {
- len += strlen(he->h_aliases[i]) + 1;
- }
- len += strlen(he->h_name) + 1;
- len += nptr * sizeof(char*);
-
- if (len > buflen) {
- return (-1);
- }
-
- /*
- * Copy address size and type.
- */
- hptr->h_addrtype = he->h_addrtype;
- n = hptr->h_length = he->h_length;
-
- ptr = (char **)LWRES_ALIGN(buf);
- cp = (char *)LWRES_ALIGN(buf) + nptr * sizeof(char *);
-
- /*
- * Copy address list.
- */
- hptr->h_addr_list = ptr;
- for (i = 0; he->h_addr_list[i]; i++, ptr++) {
- memcpy(cp, he->h_addr_list[i], n);
- hptr->h_addr_list[i] = cp;
- cp += n;
- }
- hptr->h_addr_list[i] = NULL;
- ptr++;
-
- /*
- * Copy official name.
- */
- n = strlen(he->h_name) + 1;
- strcpy(cp, he->h_name);
- hptr->h_name = cp;
- cp += n;
-
- /*
- * Copy aliases.
- */
- hptr->h_aliases = ptr;
- for (i = 0; he->h_aliases[i]; i++) {
- n = strlen(he->h_aliases[i]) + 1;
- strcpy(cp, he->h_aliases[i]);
- hptr->h_aliases[i] = cp;
- cp += n;
- }
- hptr->h_aliases[i] = NULL;
-
- return (0);
-}
diff --git a/contrib/bind9/lib/lwres/getipnode.c b/contrib/bind9/lib/lwres/getipnode.c
deleted file mode 100644
index 9b1a07bdda7b..000000000000
--- a/contrib/bind9/lib/lwres/getipnode.c
+++ /dev/null
@@ -1,1029 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getipnode.c,v 1.30.2.4.2.6 2005/04/29 00:03:32 marka Exp $ */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h> /* XXX #include <netdb.h> */
-
-#include "assert_p.h"
-
-#ifndef INADDRSZ
-#define INADDRSZ 4
-#endif
-#ifndef IN6ADDRSZ
-#define IN6ADDRSZ 16
-#endif
-
-#ifdef LWRES_PLATFORM_NEEDIN6ADDRANY
-LIBLWRES_EXTERNAL_DATA const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
-#endif
-
-#ifndef IN6_IS_ADDR_V4COMPAT
-static const unsigned char in6addr_compat[12] = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
-};
-#define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \
- ((x)->s6_addr[12] != 0 || \
- (x)->s6_addr[13] != 0 || \
- (x)->s6_addr[14] != 0 || \
- ((x)->s6_addr[15] != 0 && \
- (x)->s6_addr[15] != 1)))
-#endif
-#ifndef IN6_IS_ADDR_V4MAPPED
-#define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12))
-#endif
-
-static const unsigned char in6addr_mapped[12] = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff
-};
-
-/***
- *** Forward declarations.
- ***/
-
-static int
-scan_interfaces(int *, int *);
-
-static struct hostent *
-copyandmerge(struct hostent *, struct hostent *, int, int *);
-
-static struct hostent *
-hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src);
-
-static struct hostent *
-hostfromname(lwres_gabnresponse_t *name, int af);
-
-/***
- *** Public functions.
- ***/
-
-/*
- * AI_V4MAPPED + AF_INET6
- * If no IPv6 address then a query for IPv4 and map returned values.
- *
- * AI_ALL + AI_V4MAPPED + AF_INET6
- * Return IPv6 and IPv4 mapped.
- *
- * AI_ADDRCONFIG
- * Only return IPv6 / IPv4 address if there is an interface of that
- * type active.
- */
-
-struct hostent *
-lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
- int have_v4 = 1, have_v6 = 1;
- struct in_addr in4;
- struct in6_addr in6;
- struct hostent he, *he1 = NULL, *he2 = NULL, *he3 = NULL;
- int v4 = 0, v6 = 0;
- int tmp_err;
- lwres_context_t *lwrctx = NULL;
- lwres_gabnresponse_t *by = NULL;
- int n;
-
- /*
- * If we care about active interfaces then check.
- */
- if ((flags & AI_ADDRCONFIG) != 0)
- if (scan_interfaces(&have_v4, &have_v6) == -1) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- /* Check for literal address. */
- if ((v4 = lwres_net_pton(AF_INET, name, &in4)) != 1)
- v6 = lwres_net_pton(AF_INET6, name, &in6);
-
- /*
- * Impossible combination?
- */
- if ((af == AF_INET6 && (flags & AI_V4MAPPED) == 0 && v4 == 1) ||
- (af == AF_INET && v6 == 1) ||
- (have_v4 == 0 && v4 == 1) ||
- (have_v6 == 0 && v6 == 1) ||
- (have_v4 == 0 && af == AF_INET) ||
- (have_v6 == 0 && af == AF_INET6 &&
- (((flags & AI_V4MAPPED) != 0 && have_v4) ||
- (flags & AI_V4MAPPED) == 0))) {
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
-
- /*
- * Literal address?
- */
- if (v4 == 1 || v6 == 1) {
- char *addr_list[2];
- char *aliases[1];
- char mappedname[sizeof("::ffff:123.123.123.123")];
- union {
- const char *const_name;
- char *deconst_name;
- } u;
-
- u.const_name = name;
- if (v4 == 1 && af == AF_INET6) {
- strcpy(mappedname, "::ffff:");
- lwres_net_ntop(AF_INET, (char *)&in4,
- mappedname + sizeof("::ffff:") - 1,
- sizeof(mappedname) - sizeof("::ffff:")
- + 1);
- he.h_name = mappedname;
- } else
- he.h_name = u.deconst_name;
- he.h_addr_list = addr_list;
- he.h_addr_list[0] = (v4 == 1) ? (char *)&in4 : (char *)&in6;
- he.h_addr_list[1] = NULL;
- he.h_aliases = aliases;
- he.h_aliases[0] = NULL;
- he.h_length = (v4 == 1) ? INADDRSZ : IN6ADDRSZ;
- he.h_addrtype = (v4 == 1) ? AF_INET : AF_INET6;
- return (copyandmerge(&he, NULL, af, error_num));
- }
-
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n != 0) {
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- tmp_err = NO_RECOVERY;
- if (have_v6 && af == AF_INET6) {
-
- n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V6, &by);
- if (n == 0) {
- he1 = hostfromname(by, AF_INET6);
- lwres_gabnresponse_free(lwrctx, &by);
- if (he1 == NULL) {
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- } else {
- tmp_err = HOST_NOT_FOUND;
- }
- }
-
- if (have_v4 &&
- ((af == AF_INET) ||
- (af == AF_INET6 && (flags & AI_V4MAPPED) != 0 &&
- (he1 == NULL || (flags & AI_ALL) != 0)))) {
- n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V4, &by);
- if (n == 0) {
- he2 = hostfromname(by, AF_INET);
- lwres_gabnresponse_free(lwrctx, &by);
- if (he2 == NULL) {
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- } else if (he1 == NULL) {
- if (n == LWRES_R_NOTFOUND)
- *error_num = HOST_NOT_FOUND;
- else
- *error_num = NO_RECOVERY;
- goto cleanup;
- }
- } else
- *error_num = tmp_err;
-
- he3 = copyandmerge(he1, he2, af, error_num);
-
- cleanup:
- if (he1 != NULL)
- lwres_freehostent(he1);
- if (he2 != NULL)
- lwres_freehostent(he2);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (he3);
-}
-
-struct hostent *
-lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
- struct hostent *he1, *he2;
- lwres_context_t *lwrctx = NULL;
- lwres_gnbaresponse_t *by = NULL;
- lwres_result_t n;
- union {
- const void *konst;
- struct in6_addr *in6;
- } u;
-
- /*
- * Sanity checks.
- */
- if (src == NULL) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- switch (af) {
- case AF_INET:
- if (len != (unsigned int)INADDRSZ) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- break;
- case AF_INET6:
- if (len != (unsigned int)IN6ADDRSZ) {
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- break;
- default:
- *error_num = NO_RECOVERY;
- return (NULL);
- }
-
- /*
- * The de-"const"-ing game is done because at least one
- * vendor's system (RedHat 6.0) defines the IN6_IS_ADDR_*
- * macros in such a way that they discard the const with
- * internal casting, and gcc ends up complaining. Rather
- * than replacing their own (possibly optimized) definitions
- * with our own, cleanly discarding the const is the easiest
- * thing to do.
- */
- u.konst = src;
-
- /*
- * Look up IPv4 and IPv4 mapped/compatible addresses.
- */
- if ((af == AF_INET6 && IN6_IS_ADDR_V4COMPAT(u.in6)) ||
- (af == AF_INET6 && IN6_IS_ADDR_V4MAPPED(u.in6)) ||
- (af == AF_INET)) {
- const unsigned char *cp = src;
-
- if (af == AF_INET6)
- cp += 12;
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n == LWRES_R_SUCCESS)
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- if (n == LWRES_R_SUCCESS)
- n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V4,
- INADDRSZ, cp, &by);
- if (n != LWRES_R_SUCCESS) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- if (n == LWRES_R_NOTFOUND)
- *error_num = HOST_NOT_FOUND;
- else
- *error_num = NO_RECOVERY;
- return (NULL);
- }
- he1 = hostfromaddr(by, AF_INET, cp);
- lwres_gnbaresponse_free(lwrctx, &by);
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- if (af != AF_INET6)
- return (he1);
-
- /*
- * Convert from AF_INET to AF_INET6.
- */
- he2 = copyandmerge(he1, NULL, af, error_num);
- lwres_freehostent(he1);
- if (he2 == NULL)
- return (NULL);
- /*
- * Restore original address.
- */
- memcpy(he2->h_addr, src, len);
- return (he2);
- }
-
- /*
- * Lookup IPv6 address.
- */
- if (memcmp(src, &in6addr_any, IN6ADDRSZ) == 0) {
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
-
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n == LWRES_R_SUCCESS)
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
- if (n == LWRES_R_SUCCESS)
- n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V6, IN6ADDRSZ,
- src, &by);
- if (n != 0) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- *error_num = HOST_NOT_FOUND;
- return (NULL);
- }
- he1 = hostfromaddr(by, AF_INET6, src);
- lwres_gnbaresponse_free(lwrctx, &by);
- if (he1 == NULL)
- *error_num = NO_RECOVERY;
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- return (he1);
-}
-
-void
-lwres_freehostent(struct hostent *he) {
- char **cpp;
- int names = 1;
- int addresses = 1;
-
- free(he->h_name);
-
- cpp = he->h_addr_list;
- while (*cpp != NULL) {
- free(*cpp);
- *cpp = NULL;
- cpp++;
- addresses++;
- }
-
- cpp = he->h_aliases;
- while (*cpp != NULL) {
- free(*cpp);
- cpp++;
- names++;
- }
-
- free(he->h_aliases);
- free(he->h_addr_list);
- free(he);
-}
-
-/*
- * Private
- */
-
-/*
- * Scan the interface table and set have_v4 and have_v6 depending
- * upon whether there are IPv4 and IPv6 interface addresses.
- *
- * Returns:
- * 0 on success
- * -1 on failure.
- */
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
- !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
-
-#ifdef __hpux
-#define lifc_len iflc_len
-#define lifc_buf iflc_buf
-#define lifc_req iflc_req
-#define LIFCONF if_laddrconf
-#else
-#define ISC_HAVE_LIFC_FAMILY 1
-#define ISC_HAVE_LIFC_FLAGS 1
-#define LIFCONF lifconf
-#endif
-
-#ifdef __hpux
-#define lifr_addr iflr_addr
-#define lifr_name iflr_name
-#define lifr_dstaddr iflr_dstaddr
-#define lifr_flags iflr_flags
-#define ss_family sa_family
-#define LIFREQ if_laddrreq
-#else
-#define LIFREQ lifreq
-#endif
-
-static int
-scan_interfaces6(int *have_v4, int *have_v6) {
- struct LIFCONF lifc;
- struct LIFREQ lifreq;
- struct in_addr in4;
- struct in6_addr in6;
- char *buf = NULL, *cp, *cplim;
- static unsigned int bufsiz = 4095;
- int s, cpsize, n;
-
- /*
- * Set to zero. Used as loop terminators below.
- */
- *have_v4 = *have_v6 = 0;
-
- /*
- * Get interface list from system.
- */
- if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
- goto err_ret;
-
- /*
- * Grow buffer until large enough to contain all interface
- * descriptions.
- */
- for (;;) {
- buf = malloc(bufsiz);
- if (buf == NULL)
- goto err_ret;
-#ifdef ISC_HAVE_LIFC_FAMILY
- lifc.lifc_family = AF_UNSPEC; /* request all families */
-#endif
-#ifdef ISC_HAVE_LIFC_FLAGS
- lifc.lifc_flags = 0;
-#endif
- lifc.lifc_len = bufsiz;
- lifc.lifc_buf = buf;
- if ((n = ioctl(s, SIOCGLIFCONF, (char *)&lifc)) != -1) {
- /*
- * Some OS's just return what will fit rather
- * than set EINVAL if the buffer is too small
- * to fit all the interfaces in. If
- * lifc.lifc_len is too near to the end of the
- * buffer we will grow it just in case and
- * retry.
- */
- if (lifc.lifc_len + 2 * sizeof(lifreq) < bufsiz)
- break;
- }
- if ((n == -1) && errno != EINVAL)
- goto err_ret;
-
- if (bufsiz > 1000000)
- goto err_ret;
-
- free(buf);
- bufsiz += 4096;
- }
-
- /*
- * Parse system's interface list.
- */
- cplim = buf + lifc.lifc_len; /* skip over if's with big ifr_addr's */
- for (cp = buf;
- (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
- cp += cpsize) {
- memcpy(&lifreq, cp, sizeof(lifreq));
-#ifdef LWRES_PLATFORM_HAVESALEN
-#ifdef FIX_ZERO_SA_LEN
- if (lifreq.lifr_addr.sa_len == 0)
- lifreq.lifr_addr.sa_len = 16;
-#endif
-#ifdef HAVE_MINIMUM_IFREQ
- cpsize = sizeof(lifreq);
- if (lifreq.lifr_addr.sa_len > sizeof(struct sockaddr))
- cpsize += (int)lifreq.lifr_addr.sa_len -
- (int)(sizeof(struct sockaddr));
-#else
- cpsize = sizeof(lifreq.lifr_name) + lifreq.lifr_addr.sa_len;
-#endif /* HAVE_MINIMUM_IFREQ */
-#elif defined SIOCGIFCONF_ADDR
- cpsize = sizeof(lifreq);
-#else
- cpsize = sizeof(lifreq.lifr_name);
- /* XXX maybe this should be a hard error? */
- if (ioctl(s, SIOCGLIFADDR, (char *)&lifreq) < 0)
- continue;
-#endif
- switch (lifreq.lifr_addr.ss_family) {
- case AF_INET:
- if (*have_v4 == 0) {
- memcpy(&in4,
- &((struct sockaddr_in *)
- &lifreq.lifr_addr)->sin_addr,
- sizeof(in4));
- if (in4.s_addr == INADDR_ANY)
- break;
- n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
- if (n < 0)
- break;
- if ((lifreq.lifr_flags & IFF_UP) == 0)
- break;
- *have_v4 = 1;
- }
- break;
- case AF_INET6:
- if (*have_v6 == 0) {
- memcpy(&in6,
- &((struct sockaddr_in6 *)
- &lifreq.lifr_addr)->sin6_addr,
- sizeof(in6));
- if (memcmp(&in6, &in6addr_any,
- sizeof(in6)) == 0)
- break;
- n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
- if (n < 0)
- break;
- if ((lifreq.lifr_flags & IFF_UP) == 0)
- break;
- *have_v6 = 1;
- }
- break;
- }
- }
- if (buf != NULL)
- free(buf);
- close(s);
- return (0);
- err_ret:
- if (buf != NULL)
- free(buf);
- if (s != -1)
- close(s);
- return (-1);
-}
-#endif
-
-static int
-scan_interfaces(int *have_v4, int *have_v6) {
-#if !defined(SIOCGIFCONF) || !defined(SIOCGIFADDR)
- *have_v4 = *have_v6 = 1;
- return (0);
-#else
- struct ifconf ifc;
- union {
- char _pad[256]; /* leave space for IPv6 addresses */
- struct ifreq ifreq;
- } u;
- struct in_addr in4;
- struct in6_addr in6;
- char *buf = NULL, *cp, *cplim;
- static unsigned int bufsiz = 4095;
- int s, n;
- size_t cpsize;
-
-#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
- !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
- /*
- * Try to scan the interfaces using IPv6 ioctls().
- */
- if (!scan_interfaces6(have_v4, have_v6))
- return (0);
-#endif
-
- /*
- * Set to zero. Used as loop terminators below.
- */
- *have_v4 = *have_v6 = 0;
-
- /*
- * Get interface list from system.
- */
- if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
- goto err_ret;
-
- /*
- * Grow buffer until large enough to contain all interface
- * descriptions.
- */
- for (;;) {
- buf = malloc(bufsiz);
- if (buf == NULL)
- goto err_ret;
- ifc.ifc_len = bufsiz;
- ifc.ifc_buf = buf;
-#ifdef IRIX_EMUL_IOCTL_SIOCGIFCONF
- /*
- * This is a fix for IRIX OS in which the call to ioctl with
- * the flag SIOCGIFCONF may not return an entry for all the
- * interfaces like most flavors of Unix.
- */
- if (emul_ioctl(&ifc) >= 0)
- break;
-#else
- if ((n = ioctl(s, SIOCGIFCONF, (char *)&ifc)) != -1) {
- /*
- * Some OS's just return what will fit rather
- * than set EINVAL if the buffer is too small
- * to fit all the interfaces in. If
- * ifc.ifc_len is too near to the end of the
- * buffer we will grow it just in case and
- * retry.
- */
- if (ifc.ifc_len + 2 * sizeof(u.ifreq) < bufsiz)
- break;
- }
-#endif
- if ((n == -1) && errno != EINVAL)
- goto err_ret;
-
- if (bufsiz > 1000000)
- goto err_ret;
-
- free(buf);
- bufsiz += 4096;
- }
-
- /*
- * Parse system's interface list.
- */
- cplim = buf + ifc.ifc_len; /* skip over if's with big ifr_addr's */
- for (cp = buf;
- (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
- cp += cpsize) {
- memcpy(&u.ifreq, cp, sizeof(u.ifreq));
-#ifdef LWRES_PLATFORM_HAVESALEN
-#ifdef FIX_ZERO_SA_LEN
- if (u.ifreq.ifr_addr.sa_len == 0)
- u.ifreq.ifr_addr.sa_len = 16;
-#endif
-#ifdef HAVE_MINIMUM_IFREQ
- cpsize = sizeof(u.ifreq);
- if (u.ifreq.ifr_addr.sa_len > sizeof(struct sockaddr))
- cpsize += (int)u.ifreq.ifr_addr.sa_len -
- (int)(sizeof(struct sockaddr));
-#else
- cpsize = sizeof(u.ifreq.ifr_name) + u.ifreq.ifr_addr.sa_len;
-#endif /* HAVE_MINIMUM_IFREQ */
- if (cpsize > sizeof(u.ifreq) && cpsize <= sizeof(u))
- memcpy(&u.ifreq, cp, cpsize);
-#elif defined SIOCGIFCONF_ADDR
- cpsize = sizeof(u.ifreq);
-#else
- cpsize = sizeof(u.ifreq.ifr_name);
- /* XXX maybe this should be a hard error? */
- if (ioctl(s, SIOCGIFADDR, (char *)&u.ifreq) < 0)
- continue;
-#endif
- switch (u.ifreq.ifr_addr.sa_family) {
- case AF_INET:
- if (*have_v4 == 0) {
- memcpy(&in4,
- &((struct sockaddr_in *)
- &u.ifreq.ifr_addr)->sin_addr,
- sizeof(in4));
- if (in4.s_addr == INADDR_ANY)
- break;
- n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
- if (n < 0)
- break;
- if ((u.ifreq.ifr_flags & IFF_UP) == 0)
- break;
- *have_v4 = 1;
- }
- break;
- case AF_INET6:
- if (*have_v6 == 0) {
- memcpy(&in6,
- &((struct sockaddr_in6 *)
- &u.ifreq.ifr_addr)->sin6_addr,
- sizeof(in6));
- if (memcmp(&in6, &in6addr_any,
- sizeof(in6)) == 0)
- break;
- n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
- if (n < 0)
- break;
- if ((u.ifreq.ifr_flags & IFF_UP) == 0)
- break;
- *have_v6 = 1;
- }
- break;
- }
- }
- if (buf != NULL)
- free(buf);
- close(s);
- return (0);
- err_ret:
- if (buf != NULL)
- free(buf);
- if (s != -1)
- close(s);
- return (-1);
-#endif
-}
-
-static struct hostent *
-copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
-{
- struct hostent *he = NULL;
- int addresses = 1; /* NULL terminator */
- int names = 1; /* NULL terminator */
- int len = 0;
- char **cpp, **npp;
-
- /*
- * Work out array sizes.
- */
- if (he1 != NULL) {
- cpp = he1->h_addr_list;
- while (*cpp != NULL) {
- addresses++;
- cpp++;
- }
- cpp = he1->h_aliases;
- while (*cpp != NULL) {
- names++;
- cpp++;
- }
- }
-
- if (he2 != NULL) {
- cpp = he2->h_addr_list;
- while (*cpp != NULL) {
- addresses++;
- cpp++;
- }
- if (he1 == NULL) {
- cpp = he2->h_aliases;
- while (*cpp != NULL) {
- names++;
- cpp++;
- }
- }
- }
-
- if (addresses == 1) {
- *error_num = NO_ADDRESS;
- return (NULL);
- }
-
- he = malloc(sizeof(*he));
- if (he == NULL)
- goto no_recovery;
-
- he->h_addr_list = malloc(sizeof(char *) * (addresses));
- if (he->h_addr_list == NULL)
- goto cleanup0;
- memset(he->h_addr_list, 0, sizeof(char *) * (addresses));
-
- /*
- * Copy addresses.
- */
- npp = he->h_addr_list;
- if (he1 != NULL) {
- cpp = he1->h_addr_list;
- while (*cpp != NULL) {
- *npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- if (*npp == NULL)
- goto cleanup1;
- /*
- * Convert to mapped if required.
- */
- if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
- memcpy(*npp, in6addr_mapped,
- sizeof(in6addr_mapped));
- memcpy(*npp + sizeof(in6addr_mapped), *cpp,
- INADDRSZ);
- } else {
- memcpy(*npp, *cpp,
- (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- }
- cpp++;
- npp++;
- }
- }
-
- if (he2 != NULL) {
- cpp = he2->h_addr_list;
- while (*cpp != NULL) {
- *npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- if (*npp == NULL)
- goto cleanup1;
- /*
- * Convert to mapped if required.
- */
- if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
- memcpy(*npp, in6addr_mapped,
- sizeof(in6addr_mapped));
- memcpy(*npp + sizeof(in6addr_mapped), *cpp,
- INADDRSZ);
- } else {
- memcpy(*npp, *cpp,
- (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
- }
- cpp++;
- npp++;
- }
- }
-
- he->h_aliases = malloc(sizeof(char *) * (names));
- if (he->h_aliases == NULL)
- goto cleanup1;
- memset(he->h_aliases, 0, sizeof(char *) * (names));
-
- /*
- * Copy aliases.
- */
- npp = he->h_aliases;
- cpp = (he1 != NULL) ? he1->h_aliases : he2->h_aliases;
- while (*cpp != NULL) {
- len = strlen (*cpp) + 1;
- *npp = malloc(len);
- if (*npp == NULL)
- goto cleanup2;
- strcpy(*npp, *cpp);
- npp++;
- cpp++;
- }
-
- /*
- * Copy hostname.
- */
- he->h_name = malloc(strlen((he1 != NULL) ?
- he1->h_name : he2->h_name) + 1);
- if (he->h_name == NULL)
- goto cleanup2;
- strcpy(he->h_name, (he1 != NULL) ? he1->h_name : he2->h_name);
-
- /*
- * Set address type and length.
- */
- he->h_addrtype = af;
- he->h_length = (af == AF_INET) ? INADDRSZ : IN6ADDRSZ;
- return (he);
-
- cleanup2:
- cpp = he->h_aliases;
- while (*cpp != NULL) {
- free(*cpp);
- cpp++;
- }
- free(he->h_aliases);
-
- cleanup1:
- cpp = he->h_addr_list;
- while (*cpp != NULL) {
- free(*cpp);
- *cpp = NULL;
- cpp++;
- }
- free(he->h_addr_list);
-
- cleanup0:
- free(he);
-
- no_recovery:
- *error_num = NO_RECOVERY;
- return (NULL);
-}
-
-static struct hostent *
-hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src) {
- struct hostent *he;
- int i;
-
- he = malloc(sizeof(*he));
- if (he == NULL)
- goto cleanup;
- memset(he, 0, sizeof(*he));
-
- /*
- * Set family and length.
- */
- he->h_addrtype = af;
- switch (af) {
- case AF_INET:
- he->h_length = INADDRSZ;
- break;
- case AF_INET6:
- he->h_length = IN6ADDRSZ;
- break;
- default:
- INSIST(0);
- }
-
- /*
- * Copy name.
- */
- he->h_name = strdup(addr->realname);
- if (he->h_name == NULL)
- goto cleanup;
-
- /*
- * Copy aliases.
- */
- he->h_aliases = malloc(sizeof(char *) * (addr->naliases + 1));
- if (he->h_aliases == NULL)
- goto cleanup;
- for (i = 0; i < addr->naliases; i++) {
- he->h_aliases[i] = strdup(addr->aliases[i]);
- if (he->h_aliases[i] == NULL)
- goto cleanup;
- }
- he->h_aliases[i] = NULL;
-
- /*
- * Copy address.
- */
- he->h_addr_list = malloc(sizeof(char *) * 2);
- if (he->h_addr_list == NULL)
- goto cleanup;
- he->h_addr_list[0] = malloc(he->h_length);
- if (he->h_addr_list[0] == NULL)
- goto cleanup;
- memcpy(he->h_addr_list[0], src, he->h_length);
- he->h_addr_list[1] = NULL;
- return (he);
-
- cleanup:
- if (he != NULL && he->h_addr_list != NULL) {
- for (i = 0; he->h_addr_list[i] != NULL; i++)
- free(he->h_addr_list[i]);
- free(he->h_addr_list);
- }
- if (he != NULL && he->h_aliases != NULL) {
- for (i = 0; he->h_aliases[i] != NULL; i++)
- free(he->h_aliases[i]);
- free(he->h_aliases);
- }
- if (he != NULL && he->h_name != NULL)
- free(he->h_name);
- if (he != NULL)
- free(he);
- return (NULL);
-}
-
-static struct hostent *
-hostfromname(lwres_gabnresponse_t *name, int af) {
- struct hostent *he;
- int i;
- lwres_addr_t *addr;
-
- he = malloc(sizeof(*he));
- if (he == NULL)
- goto cleanup;
- memset(he, 0, sizeof(*he));
-
- /*
- * Set family and length.
- */
- he->h_addrtype = af;
- switch (af) {
- case AF_INET:
- he->h_length = INADDRSZ;
- break;
- case AF_INET6:
- he->h_length = IN6ADDRSZ;
- break;
- default:
- INSIST(0);
- }
-
- /*
- * Copy name.
- */
- he->h_name = strdup(name->realname);
- if (he->h_name == NULL)
- goto cleanup;
-
- /*
- * Copy aliases.
- */
- he->h_aliases = malloc(sizeof(char *) * (name->naliases + 1));
- for (i = 0; i < name->naliases; i++) {
- he->h_aliases[i] = strdup(name->aliases[i]);
- if (he->h_aliases[i] == NULL)
- goto cleanup;
- }
- he->h_aliases[i] = NULL;
-
- /*
- * Copy addresses.
- */
- he->h_addr_list = malloc(sizeof(char *) * (name->naddrs + 1));
- addr = LWRES_LIST_HEAD(name->addrs);
- i = 0;
- while (addr != NULL) {
- he->h_addr_list[i] = malloc(he->h_length);
- if (he->h_addr_list[i] == NULL)
- goto cleanup;
- memcpy(he->h_addr_list[i], addr->address, he->h_length);
- addr = LWRES_LIST_NEXT(addr, link);
- i++;
- }
- he->h_addr_list[i] = NULL;
- return (he);
-
- cleanup:
- if (he != NULL && he->h_addr_list != NULL) {
- for (i = 0; he->h_addr_list[i] != NULL; i++)
- free(he->h_addr_list[i]);
- free(he->h_addr_list);
- }
- if (he != NULL && he->h_aliases != NULL) {
- for (i = 0; he->h_aliases[i] != NULL; i++)
- free(he->h_aliases[i]);
- free(he->h_aliases);
- }
- if (he != NULL && he->h_name != NULL)
- free(he->h_name);
- if (he != NULL)
- free(he);
- return (NULL);
-}
diff --git a/contrib/bind9/lib/lwres/getnameinfo.c b/contrib/bind9/lib/lwres/getnameinfo.c
deleted file mode 100644
index 059c5291bd3f..000000000000
--- a/contrib/bind9/lib/lwres/getnameinfo.c
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getnameinfo.c,v 1.30.2.3.2.4 2004/08/28 06:25:24 marka Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * XXX
- * Issues to be discussed:
- * - Return values. There seems to be no standard for return value (RFC2553)
- * but INRIA implementation returns EAI_xxx defined for getaddrinfo().
- */
-
-#include <config.h>
-
-#include <stdio.h>
-#include <string.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h>
-#include "print_p.h"
-
-#include "assert_p.h"
-
-#define SUCCESS 0
-
-static struct afd {
- int a_af;
- size_t a_addrlen;
- size_t a_socklen;
-} afdl [] = {
- /*
- * First entry is linked last...
- */
- { AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
- { AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
- {0, 0, 0},
-};
-
-#define ENI_NOSERVNAME 1
-#define ENI_NOHOSTNAME 2
-#define ENI_MEMORY 3
-#define ENI_SYSTEM 4
-#define ENI_FAMILY 5
-#define ENI_SALEN 6
-#define ENI_NOSOCKET 7
-
-/*
- * The test against 0 is there to keep the Solaris compiler
- * from complaining about "end-of-loop code not reached".
- */
-#define ERR(code) \
- do { result = (code); \
- if (result != 0) goto cleanup; \
- } while (0)
-
-int
-lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
- size_t hostlen, char *serv, size_t servlen, int flags)
-{
- struct afd *afd;
- struct servent *sp;
- unsigned short port;
-#ifdef LWRES_PLATFORM_HAVESALEN
- size_t len;
-#endif
- int family, i;
- const void *addr;
- char *p;
-#if 0
- unsigned long v4a;
- unsigned char pfx;
-#endif
- char numserv[sizeof("65000")];
- char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
- + 1 + sizeof("4294967295")];
- const char *proto;
- lwres_uint32_t lwf = 0;
- lwres_context_t *lwrctx = NULL;
- lwres_gnbaresponse_t *by = NULL;
- int result = SUCCESS;
- int n;
-
- if (sa == NULL)
- ERR(ENI_NOSOCKET);
-
-#ifdef LWRES_PLATFORM_HAVESALEN
- len = sa->sa_len;
- if (len != salen)
- ERR(ENI_SALEN);
-#endif
-
- family = sa->sa_family;
- for (i = 0; afdl[i].a_af; i++)
- if (afdl[i].a_af == family) {
- afd = &afdl[i];
- goto found;
- }
- ERR(ENI_FAMILY);
-
- found:
- if (salen != afd->a_socklen)
- ERR(ENI_SALEN);
-
- switch (family) {
- case AF_INET:
- port = ((const struct sockaddr_in *)sa)->sin_port;
- addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
- break;
-
- case AF_INET6:
- port = ((const struct sockaddr_in6 *)sa)->sin6_port;
- addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
- break;
-
- default:
- port = 0;
- addr = NULL;
- INSIST(0);
- }
- proto = (flags & NI_DGRAM) ? "udp" : "tcp";
-
- if (serv == NULL || servlen == 0U) {
- /*
- * Caller does not want service.
- */
- } else if ((flags & NI_NUMERICSERV) != 0 ||
- (sp = getservbyport(port, proto)) == NULL) {
- snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
- if ((strlen(numserv) + 1) > servlen)
- ERR(ENI_MEMORY);
- strcpy(serv, numserv);
- } else {
- if ((strlen(sp->s_name) + 1) > servlen)
- ERR(ENI_MEMORY);
- strcpy(serv, sp->s_name);
- }
-
-#if 0
- switch (sa->sa_family) {
- case AF_INET:
- v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
- if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
- flags |= NI_NUMERICHOST;
- v4a >>= IN_CLASSA_NSHIFT;
- if (v4a == 0 || v4a == IN_LOOPBACKNET)
- flags |= NI_NUMERICHOST;
- break;
-
- case AF_INET6:
- pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
- if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
- flags |= NI_NUMERICHOST;
- break;
- }
-#endif
-
- if (host == NULL || hostlen == 0U) {
- /*
- * What should we do?
- */
- } else if (flags & NI_NUMERICHOST) {
- if (lwres_net_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
- == NULL)
- ERR(ENI_SYSTEM);
-#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
- if (afd->a_af == AF_INET6 &&
- ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
- char *p = numaddr + strlen(numaddr);
- const char *stringscope = NULL;
-#if 0
- if ((flags & NI_NUMERICSCOPE) == 0) {
- /*
- * Vendors may want to add support for
- * non-numeric scope identifier.
- */
- stringscope = foo;
- }
-#endif
- if (stringscope == NULL) {
- snprintf(p, sizeof(numaddr) - (p - numaddr),
- "%%%u",
- ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
- } else {
- snprintf(p, sizeof(numaddr) - (p - numaddr),
- "%%%s", stringscope);
- }
- }
-#endif
- if (strlen(numaddr) + 1 > hostlen)
- ERR(ENI_MEMORY);
- strcpy(host, numaddr);
- } else {
- switch (family) {
- case AF_INET:
- lwf = LWRES_ADDRTYPE_V4;
- break;
- case AF_INET6:
- lwf = LWRES_ADDRTYPE_V6;
- break;
- default:
- INSIST(0);
- }
-
- n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (n == 0)
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
- if (n == 0)
- n = lwres_getnamebyaddr(lwrctx, lwf,
- (lwres_uint16_t)afd->a_addrlen,
- addr, &by);
- if (n == 0) {
- if (flags & NI_NOFQDN) {
- p = strchr(by->realname, '.');
- if (p)
- *p = '\0';
- }
- if ((strlen(by->realname) + 1) > hostlen)
- ERR(ENI_MEMORY);
- strcpy(host, by->realname);
- } else {
- if (flags & NI_NAMEREQD)
- ERR(ENI_NOHOSTNAME);
- if (lwres_net_ntop(afd->a_af, addr, numaddr,
- sizeof(numaddr))
- == NULL)
- ERR(ENI_NOHOSTNAME);
- if ((strlen(numaddr) + 1) > hostlen)
- ERR(ENI_MEMORY);
- strcpy(host, numaddr);
- }
- }
- result = SUCCESS;
- cleanup:
- if (by != NULL)
- lwres_gnbaresponse_free(lwrctx, &by);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (result);
-}
diff --git a/contrib/bind9/lib/lwres/getrrset.c b/contrib/bind9/lib/lwres/getrrset.c
deleted file mode 100644
index 6160039bf4b3..000000000000
--- a/contrib/bind9/lib/lwres/getrrset.c
+++ /dev/null
@@ -1,211 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: getrrset.c,v 1.11.2.3.2.2 2004/03/06 08:15:31 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/netdb.h> /* XXX #include <netdb.h> */
-
-#include "assert_p.h"
-
-static unsigned int
-lwresult_to_result(lwres_result_t lwresult) {
- switch (lwresult) {
- case LWRES_R_SUCCESS: return (ERRSET_SUCCESS);
- case LWRES_R_NOMEMORY: return (ERRSET_NOMEMORY);
- case LWRES_R_NOTFOUND: return (ERRSET_NONAME);
- case LWRES_R_TYPENOTFOUND: return (ERRSET_NODATA);
- default: return (ERRSET_FAIL);
- }
-}
-
-/*
- * malloc / calloc functions that guarantee to only
- * return NULL if there is an error, like they used
- * to before the ANSI C committee broke them.
- */
-
-static void *
-sane_malloc(size_t size) {
- if (size == 0U)
- size = 1;
- return (malloc(size));
-}
-
-static void *
-sane_calloc(size_t number, size_t size) {
- size_t len = number * size;
- void *mem = sane_malloc(len);
- if (mem != NULL)
- memset(mem, 0, len);
- return (mem);
-}
-
-int
-lwres_getrrsetbyname(const char *hostname, unsigned int rdclass,
- unsigned int rdtype, unsigned int flags,
- struct rrsetinfo **res)
-{
- lwres_context_t *lwrctx = NULL;
- lwres_result_t lwresult;
- lwres_grbnresponse_t *response = NULL;
- struct rrsetinfo *rrset = NULL;
- unsigned int i;
- unsigned int lwflags;
- unsigned int result;
-
- if (rdclass > 0xffff || rdtype > 0xffff) {
- result = ERRSET_INVAL;
- goto fail;
- }
-
- /*
- * Don't allow queries of class or type ANY
- */
- if (rdclass == 0xff || rdtype == 0xff) {
- result = ERRSET_INVAL;
- goto fail;
- }
-
- lwresult = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
- if (lwresult != LWRES_R_SUCCESS) {
- result = lwresult_to_result(lwresult);
- goto fail;
- }
- (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
-
- /*
- * If any input flags were defined, lwflags would be set here
- * based on them
- */
- UNUSED(flags);
- lwflags = 0;
-
- lwresult = lwres_getrdatabyname(lwrctx, hostname,
- (lwres_uint16_t)rdclass,
- (lwres_uint16_t)rdtype,
- lwflags, &response);
- if (lwresult != LWRES_R_SUCCESS) {
- result = lwresult_to_result(lwresult);
- goto fail;
- }
-
- rrset = sane_malloc(sizeof(struct rrsetinfo));
- if (rrset == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- rrset->rri_name = NULL;
- rrset->rri_rdclass = response->rdclass;
- rrset->rri_rdtype = response->rdtype;
- rrset->rri_ttl = response->ttl;
- rrset->rri_flags = 0;
- rrset->rri_nrdatas = 0;
- rrset->rri_rdatas = NULL;
- rrset->rri_nsigs = 0;
- rrset->rri_sigs = NULL;
-
- rrset->rri_name = sane_malloc(response->realnamelen + 1);
- if (rrset->rri_name == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- strncpy(rrset->rri_name, response->realname, response->realnamelen);
- rrset->rri_name[response->realnamelen] = 0;
-
- if ((response->flags & LWRDATA_VALIDATED) != 0)
- rrset->rri_flags |= RRSET_VALIDATED;
-
- rrset->rri_nrdatas = response->nrdatas;
- rrset->rri_rdatas = sane_calloc(rrset->rri_nrdatas,
- sizeof(struct rdatainfo));
- if (rrset->rri_rdatas == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- for (i = 0; i < rrset->rri_nrdatas; i++) {
- rrset->rri_rdatas[i].rdi_length = response->rdatalen[i];
- rrset->rri_rdatas[i].rdi_data =
- sane_malloc(rrset->rri_rdatas[i].rdi_length);
- if (rrset->rri_rdatas[i].rdi_data == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- memcpy(rrset->rri_rdatas[i].rdi_data, response->rdatas[i],
- rrset->rri_rdatas[i].rdi_length);
- }
- rrset->rri_nsigs = response->nsigs;
- rrset->rri_sigs = sane_calloc(rrset->rri_nsigs,
- sizeof(struct rdatainfo));
- if (rrset->rri_sigs == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- for (i = 0; i < rrset->rri_nsigs; i++) {
- rrset->rri_sigs[i].rdi_length = response->siglen[i];
- rrset->rri_sigs[i].rdi_data =
- sane_malloc(rrset->rri_sigs[i].rdi_length);
- if (rrset->rri_sigs[i].rdi_data == NULL) {
- result = ERRSET_NOMEMORY;
- goto fail;
- }
- memcpy(rrset->rri_sigs[i].rdi_data, response->sigs[i],
- rrset->rri_sigs[i].rdi_length);
- }
-
- lwres_grbnresponse_free(lwrctx, &response);
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- *res = rrset;
- return (ERRSET_SUCCESS);
- fail:
- if (rrset != NULL)
- lwres_freerrset(rrset);
- if (response != NULL)
- lwres_grbnresponse_free(lwrctx, &response);
- if (lwrctx != NULL) {
- lwres_conf_clear(lwrctx);
- lwres_context_destroy(&lwrctx);
- }
- return (result);
-}
-
-void
-lwres_freerrset(struct rrsetinfo *rrset) {
- unsigned int i;
- for (i = 0; i < rrset->rri_nrdatas; i++) {
- if (rrset->rri_rdatas[i].rdi_data == NULL)
- break;
- free(rrset->rri_rdatas[i].rdi_data);
- }
- free(rrset->rri_rdatas);
- for (i = 0; i < rrset->rri_nsigs; i++) {
- if (rrset->rri_sigs[i].rdi_data == NULL)
- break;
- free(rrset->rri_sigs[i].rdi_data);
- }
- free(rrset->rri_sigs);
- free(rrset->rri_name);
- free(rrset);
-}
diff --git a/contrib/bind9/lib/lwres/herror.c b/contrib/bind9/lib/lwres/herror.c
deleted file mode 100644
index 1d0756a05b0a..000000000000
--- a/contrib/bind9/lib/lwres/herror.c
+++ /dev/null
@@ -1,101 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1987, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static const char sccsid[] = "@(#)herror.c 8.1 (Berkeley) 6/4/93";
-static const char rcsid[] =
- "$Id: herror.c,v 1.10.12.2 2004/03/06 08:15:31 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <stdio.h>
-
-#include <lwres/netdb.h>
-#include <lwres/platform.h>
-
-LIBLWRES_EXTERNAL_DATA int lwres_h_errno;
-
-/*
- * these have never been declared in any header file so make them static
- */
-
-static const char *h_errlist[] = {
- "Resolver Error 0 (no error)",
- "Unknown host", /* 1 HOST_NOT_FOUND */
- "Host name lookup failure", /* 2 TRY_AGAIN */
- "Unknown server error", /* 3 NO_RECOVERY */
- "No address associated with name", /* 4 NO_ADDRESS */
-};
-
-static int h_nerr = { sizeof(h_errlist) / sizeof(h_errlist[0]) };
-
-
-/*
- * herror --
- * print the error indicated by the h_errno value.
- */
-void
-lwres_herror(const char *s) {
- fprintf(stderr, "%s: %s\n", s, lwres_hstrerror(lwres_h_errno));
-}
-
-/*
- * hstrerror --
- * return the string associated with a given "host" errno value.
- */
-const char *
-lwres_hstrerror(int err) {
- if (err < 0)
- return ("Resolver internal error");
- else if (err < h_nerr)
- return (h_errlist[err]);
- return ("Unknown resolver error");
-}
diff --git a/contrib/bind9/lib/lwres/include/Makefile.in b/contrib/bind9/lib/lwres/include/Makefile.in
deleted file mode 100644
index dc075b95dc1c..000000000000
--- a/contrib/bind9/lib/lwres/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:15:33 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = lwres
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/include/lwres/Makefile.in
deleted file mode 100644
index 48c28f6207d0..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/Makefile.in
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.19.12.3 2004/03/08 09:05:11 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-#
-# Only list headers that are to be installed and are not
-# machine generated. The latter are handled specially in the
-# install target below.
-#
-HEADERS = context.h lwbuffer.h lwpacket.h lwres.h result.h \
- int.h lang.h list.h ipv6.h version.h
-
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/lwres ; \
- done
- ${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/lwres
- ${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/lwres
-
-distclean::
- rm -f netdb.h platform.h
diff --git a/contrib/bind9/lib/lwres/include/lwres/context.h b/contrib/bind9/lib/lwres/include/lwres/context.h
deleted file mode 100644
index 962b142ec144..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/context.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: context.h,v 1.14.206.1 2004/03/06 08:15:34 marka Exp $ */
-
-#ifndef LWRES_CONTEXT_H
-#define LWRES_CONTEXT_H 1
-
-#include <stddef.h>
-
-#include <lwres/lang.h>
-#include <lwres/int.h>
-#include <lwres/result.h>
-
-/*
- * Used to set various options such as timeout, authentication, etc
- */
-typedef struct lwres_context lwres_context_t;
-
-LWRES_LANG_BEGINDECLS
-
-typedef void *(*lwres_malloc_t)(void *arg, size_t length);
-typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
-
-/*
- * XXXMLG
- *
- * Make the server reload /etc/resolv.conf periodically.
- *
- * Make the server do sortlist/searchlist.
- *
- * Client side can disable the search/sortlist processing.
- *
- * Use an array of addresses/masks and searchlist for client-side, and
- * if added to the client disable the processing on the server.
- *
- * Share /etc/resolv.conf data between contexts.
- */
-
-/*
- * _SERVERMODE
- * Don't allocate and connect a socket to the server, since the
- * caller _is_ a server.
- */
-#define LWRES_CONTEXT_SERVERMODE 0x00000001U
-
-lwres_result_t
-lwres_context_create(lwres_context_t **contextp, void *arg,
- lwres_malloc_t malloc_function,
- lwres_free_t free_function,
- unsigned int flags);
-/*
- * Allocate a lwres context. This is used in all lwres calls.
- *
- * Memory management can be replaced here by passing in two functions.
- * If one is non-NULL, they must both be non-NULL. "arg" is passed to
- * these functions.
- *
- * Contexts are not thread safe. Document at the top of the file.
- * XXXMLG
- *
- * If they are NULL, the standard malloc() and free() will be used.
- *
- * Requires:
- *
- * contextp != NULL && contextp == NULL.
- *
- * Returns:
- *
- * Returns 0 on success, non-zero on failure.
- */
-
-void
-lwres_context_destroy(lwres_context_t **contextp);
-/*
- * Frees all memory associated with a lwres context.
- *
- * Requires:
- *
- * contextp != NULL && contextp == NULL.
- */
-
-lwres_uint32_t
-lwres_context_nextserial(lwres_context_t *ctx);
-/*
- * XXXMLG Document
- */
-
-void
-lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
-
-void
-lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
-
-void *
-lwres_context_allocmem(lwres_context_t *ctx, size_t len);
-
-int
-lwres_context_getsocket(lwres_context_t *ctx);
-
-lwres_result_t
-lwres_context_send(lwres_context_t *ctx,
- void *sendbase, int sendlen);
-
-lwres_result_t
-lwres_context_recv(lwres_context_t *ctx,
- void *recvbase, int recvlen,
- int *recvd_len);
-
-lwres_result_t
-lwres_context_sendrecv(lwres_context_t *ctx,
- void *sendbase, int sendlen,
- void *recvbase, int recvlen,
- int *recvd_len);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_CONTEXT_H */
-
diff --git a/contrib/bind9/lib/lwres/include/lwres/int.h b/contrib/bind9/lib/lwres/include/lwres/int.h
deleted file mode 100644
index 2523924e18cb..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/int.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: int.h,v 1.7.206.1 2004/03/06 08:15:34 marka Exp $ */
-
-#ifndef LWRES_INT_H
-#define LWRES_INT_H 1
-
-typedef char lwres_int8_t;
-typedef unsigned char lwres_uint8_t;
-typedef short lwres_int16_t;
-typedef unsigned short lwres_uint16_t;
-typedef int lwres_int32_t;
-typedef unsigned int lwres_uint32_t;
-typedef long long lwres_int64_t;
-typedef unsigned long long lwres_uint64_t;
-
-#endif /* LWRES_INT_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/ipv6.h b/contrib/bind9/lib/lwres/include/lwres/ipv6.h
deleted file mode 100644
index 5dc06d6a25bf..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/ipv6.h
+++ /dev/null
@@ -1,118 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: ipv6.h,v 1.9.206.1 2004/03/06 08:15:34 marka Exp $ */
-
-#ifndef LWRES_IPV6_H
-#define LWRES_IPV6_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * IPv6 definitions for systems which do not support IPv6.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <lwres/int.h>
-#include <lwres/platform.h>
-
-/***
- *** Types.
- ***/
-
-struct in6_addr {
- union {
- lwres_uint8_t _S6_u8[16];
- lwres_uint16_t _S6_u16[8];
- lwres_uint32_t _S6_u32[4];
- } _S6_un;
-};
-#define s6_addr _S6_un._S6_u8
-#define s6_addr8 _S6_un._S6_u8
-#define s6_addr16 _S6_un._S6_u16
-#define s6_addr32 _S6_un._S6_u32
-
-#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
-#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
-
-LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
-LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
-
-struct sockaddr_in6 {
-#ifdef LWRES_PLATFORM_HAVESALEN
- lwres_uint8_t sin6_len;
- lwres_uint8_t sin6_family;
-#else
- lwres_uint16_t sin6_family;
-#endif
- lwres_uint16_t sin6_port;
- lwres_uint32_t sin6_flowinfo;
- struct in6_addr sin6_addr;
- lwres_uint32_t sin6_scope_id;
-};
-
-#ifdef LWRES_PLATFORM_HAVESALEN
-#define SIN6_LEN 1
-#endif
-
-struct in6_pktinfo {
- struct in6_addr ipi6_addr; /* src/dst IPv6 address */
- unsigned int ipi6_ifindex; /* send/recv interface index */
-};
-
-/*
- * Unspecified
- */
-#define IN6_IS_ADDR_UNSPECIFIED(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] == 0))
-
-/*
- * Loopback
- */
-#define IN6_IS_ADDR_LOOPBACK(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] == htonl(1)))
-
-/*
- * IPv4 compatible
- */
-#define IN6_IS_ADDR_V4COMPAT(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == 0) && \
- ((a)->s6_addr32[3] != 0) && \
- ((a)->s6_addr32[3] != htonl(1)))
-
-/*
- * Mapped
- */
-#define IN6_IS_ADDR_V4MAPPED(a) \
- (((a)->s6_addr32[0] == 0) && \
- ((a)->s6_addr32[1] == 0) && \
- ((a)->s6_addr32[2] == htonl(0x0000ffff)))
-
-#endif /* LWRES_IPV6_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lang.h b/contrib/bind9/lib/lwres/include/lwres/lang.h
deleted file mode 100644
index bd99ec017e38..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/lang.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:15:35 marka Exp $ */
-
-#ifndef LWRES_LANG_H
-#define LWRES_LANG_H 1
-
-#ifdef __cplusplus
-#define LWRES_LANG_BEGINDECLS extern "C" {
-#define LWRES_LANG_ENDDECLS }
-#else
-#define LWRES_LANG_BEGINDECLS
-#define LWRES_LANG_ENDDECLS
-#endif
-
-#endif /* LWRES_LANG_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/list.h b/contrib/bind9/lib/lwres/include/lwres/list.h
deleted file mode 100644
index 9b6178799344..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/list.h
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: list.h,v 1.7.206.1 2004/03/06 08:15:35 marka Exp $ */
-
-#ifndef LWRES_LIST_H
-#define LWRES_LIST_H 1
-
-#define LWRES_LIST(type) struct { type *head, *tail; }
-#define LWRES_LIST_INIT(list) \
- do { (list).head = NULL; (list).tail = NULL; } while (0)
-
-#define LWRES_LINK(type) struct { type *prev, *next; }
-#define LWRES_LINK_INIT(elt, link) \
- do { \
- (elt)->link.prev = (void *)(-1); \
- (elt)->link.next = (void *)(-1); \
- } while (0)
-#define LWRES_LINK_LINKED(elt, link) \
- ((void *)((elt)->link.prev) != (void *)(-1))
-
-#define LWRES_LIST_HEAD(list) ((list).head)
-#define LWRES_LIST_TAIL(list) ((list).tail)
-#define LWRES_LIST_EMPTY(list) LWRES_TF((list).head == NULL)
-
-#define LWRES_LIST_PREPEND(list, elt, link) \
- do { \
- if ((list).head != NULL) \
- (list).head->link.prev = (elt); \
- else \
- (list).tail = (elt); \
- (elt)->link.prev = NULL; \
- (elt)->link.next = (list).head; \
- (list).head = (elt); \
- } while (0)
-
-#define LWRES_LIST_APPEND(list, elt, link) \
- do { \
- if ((list).tail != NULL) \
- (list).tail->link.next = (elt); \
- else \
- (list).head = (elt); \
- (elt)->link.prev = (list).tail; \
- (elt)->link.next = NULL; \
- (list).tail = (elt); \
- } while (0)
-
-#define LWRES_LIST_UNLINK(list, elt, link) \
- do { \
- if ((elt)->link.next != NULL) \
- (elt)->link.next->link.prev = (elt)->link.prev; \
- else \
- (list).tail = (elt)->link.prev; \
- if ((elt)->link.prev != NULL) \
- (elt)->link.prev->link.next = (elt)->link.next; \
- else \
- (list).head = (elt)->link.next; \
- (elt)->link.prev = (void *)(-1); \
- (elt)->link.next = (void *)(-1); \
- } while (0)
-
-#define LWRES_LIST_PREV(elt, link) ((elt)->link.prev)
-#define LWRES_LIST_NEXT(elt, link) ((elt)->link.next)
-
-#define LWRES_LIST_INSERTBEFORE(list, before, elt, link) \
- do { \
- if ((before)->link.prev == NULL) \
- LWRES_LIST_PREPEND(list, elt, link); \
- else { \
- (elt)->link.prev = (before)->link.prev; \
- (before)->link.prev = (elt); \
- (elt)->link.prev->link.next = (elt); \
- (elt)->link.next = (before); \
- } \
- } while (0)
-
-#define LWRES_LIST_INSERTAFTER(list, after, elt, link) \
- do { \
- if ((after)->link.next == NULL) \
- LWRES_LIST_APPEND(list, elt, link); \
- else { \
- (elt)->link.next = (after)->link.next; \
- (after)->link.next = (elt); \
- (elt)->link.next->link.prev = (elt); \
- (elt)->link.prev = (after); \
- } \
- } while (0)
-
-#define LWRES_LIST_APPENDLIST(list1, list2, link) \
- do { \
- if (LWRES_LIST_EMPTY(list1)) \
- (list1) = (list2); \
- else if (!LWRES_LIST_EMPTY(list2)) { \
- (list1).tail->link.next = (list2).head; \
- (list2).head->link.prev = (list1).tail; \
- (list1).tail = (list2).tail; \
- } \
- (list2).head = NULL; \
- (list2).tail = NULL; \
- } while (0)
-
-#define LWRES_LIST_ENQUEUE(list, elt, link) LWRES_LIST_APPEND(list, elt, link)
-#define LWRES_LIST_DEQUEUE(list, elt, link) LWRES_LIST_UNLINK(list, elt, link)
-
-#endif /* LWRES_LIST_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h b/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
deleted file mode 100644
index 97f7b9d98d7d..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
+++ /dev/null
@@ -1,402 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwbuffer.h,v 1.15.206.1 2004/03/06 08:15:35 marka Exp $ */
-
-#ifndef LWRES_LWBUFFER_H
-#define LWRES_LWBUFFER_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Buffers
- *
- * A buffer is a region of memory, together with a set of related subregions.
- * Buffers are used for parsing and I/O operations.
- *
- * The 'used region' and the 'available' region are disjoint, and their
- * union is the buffer's region. The used region extends from the beginning
- * of the buffer region to the last used byte. The available region
- * extends from one byte greater than the last used byte to the end of the
- * buffer's region. The size of the used region can be changed using various
- * buffer commands. Initially, the used region is empty.
- *
- * The used region is further subdivided into two disjoint regions: the
- * 'consumed region' and the 'remaining region'. The union of these two
- * regions is the used region. The consumed region extends from the beginning
- * of the used region to the byte before the 'current' offset (if any). The
- * 'remaining' region the current pointer to the end of the used
- * region. The size of the consumed region can be changed using various
- * buffer commands. Initially, the consumed region is empty.
- *
- * The 'active region' is an (optional) subregion of the remaining region.
- * It extends from the current offset to an offset in the remaining region
- * that is selected with lwres_buffer_setactive(). Initially, the active
- * region is empty. If the current offset advances beyond the chosen offset,
- * the active region will also be empty.
- *
- * /----- used region -----\/-- available --\
- * +----------------------------------------+
- * | consumed | remaining | |
- * +----------------------------------------+
- * a b c d e
- *
- * a == base of buffer.
- * b == current pointer. Can be anywhere between a and d.
- * c == active pointer. Meaningful between b and d.
- * d == used pointer.
- * e == length of buffer.
- *
- * a-e == entire (length) of buffer.
- * a-d == used region.
- * a-b == consumed region.
- * b-d == remaining region.
- * b-c == optional active region.
- *
- * The following invariants are maintained by all routines:
- *
- * length > 0
- *
- * base is a valid pointer to length bytes of memory
- *
- * 0 <= used <= length
- *
- * 0 <= current <= used
- *
- * 0 <= active <= used
- * (although active < current implies empty active region)
- *
- * MP:
- * Buffers have no synchronization. Clients must ensure exclusive
- * access.
- *
- * Reliability:
- * No anticipated impact.
- *
- * Resources:
- * Memory: 1 pointer + 6 unsigned integers per buffer.
- *
- * Security:
- * No anticipated impact.
- *
- * Standards:
- * None.
- */
-
-/***
- *** Imports
- ***/
-
-#include <lwres/lang.h>
-#include <lwres/int.h>
-
-LWRES_LANG_BEGINDECLS
-
-/***
- *** Magic numbers
- ***/
-#define LWRES_BUFFER_MAGIC 0x4275663fU /* Buf?. */
-
-#define LWRES_BUFFER_VALID(b) ((b) != NULL && \
- (b)->magic == LWRES_BUFFER_MAGIC)
-
-/*
- * The following macros MUST be used only on valid buffers. It is the
- * caller's responsibility to ensure this by using the LWRES_BUFFER_VALID
- * check above, or by calling another lwres_buffer_*() function (rather than
- * another macro.)
- */
-
-/*
- * Get the length of the used region of buffer "b"
- */
-#define LWRES_BUFFER_USEDCOUNT(b) ((b)->used)
-
-/*
- * Get the length of the available region of buffer "b"
- */
-#define LWRES_BUFFER_AVAILABLECOUNT(b) ((b)->length - (b)->used)
-
-#define LWRES_BUFFER_REMAINING(b) ((b)->used - (b)->current)
-
-/*
- * Note that the buffer structure is public. This is principally so buffer
- * operations can be implemented using macros. Applications are strongly
- * discouraged from directly manipulating the structure.
- */
-
-typedef struct lwres_buffer lwres_buffer_t;
-struct lwres_buffer {
- unsigned int magic;
- unsigned char *base;
- /* The following integers are byte offsets from 'base'. */
- unsigned int length;
- unsigned int used;
- unsigned int current;
- unsigned int active;
-};
-
-/***
- *** Functions
- ***/
-
-void
-lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
-/*
- * Make 'b' refer to the 'length'-byte region starting at base.
- *
- * Requires:
- *
- * 'length' > 0
- *
- * 'base' is a pointer to a sequence of 'length' bytes.
- *
- */
-
-void
-lwres_buffer_invalidate(lwres_buffer_t *b);
-/*
- * Make 'b' an invalid buffer.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * Ensures:
- * If assertion checking is enabled, future attempts to use 'b' without
- * calling lwres_buffer_init() on it will cause an assertion failure.
- */
-
-void
-lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
-/*
- * Increase the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * used + n <= length
- *
- */
-
-void
-lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'used' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * used >= n
- *
- */
-
-void
-lwres_buffer_clear(lwres_buffer_t *b);
-/*
- * Make the used region empty.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * Ensures:
- *
- * used = 0
- *
- */
-
-void
-lwres_buffer_first(lwres_buffer_t *b);
-/*
- * Make the consumed region empty.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * Ensures:
- *
- * current == 0
- *
- */
-
-void
-lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
-/*
- * Increase the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * current + n <= used
- *
- */
-
-void
-lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
-/*
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
- *
- * Requires:
- *
- * 'b' is a valid buffer
- *
- * n <= current
- *
- */
-
-lwres_uint8_t
-lwres_buffer_getuint8(lwres_buffer_t *b);
-/*
- * Read an unsigned 8-bit integer from 'b' and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 1.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 1.
- *
- * Returns:
- *
- * A 8-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
-/*
- * Store an unsigned 8-bit integer from 'val' into 'b'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 1.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 1.
- */
-
-lwres_uint16_t
-lwres_buffer_getuint16(lwres_buffer_t *b);
-/*
- * Read an unsigned 16-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- * A 16-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
-/*
- * Store an unsigned 16-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 2.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 2.
- */
-
-lwres_uint32_t
-lwres_buffer_getuint32(lwres_buffer_t *b);
-/*
- * Read an unsigned 32-bit integer in network byte order from 'b', convert
- * it to host byte order, and return it.
- *
- * Requires:
- *
- * 'b' is a valid buffer.
- *
- * The length of the available region of 'b' is at least 2.
- *
- * Ensures:
- *
- * The current pointer in 'b' is advanced by 2.
- *
- * Returns:
- *
- * A 32-bit unsigned integer.
- */
-
-void
-lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
-/*
- * Store an unsigned 32-bit integer in host byte order from 'val'
- * into 'b' in network byte order.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * The length of the unused region of 'b' is at least 4.
- *
- * Ensures:
- * The used pointer in 'b' is advanced by 4.
- */
-
-void
-lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
- unsigned int length);
-/*
- * Copy 'length' bytes of memory at 'base' into 'b'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * 'base' points to 'length' bytes of valid memory.
- *
- */
-
-void
-lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
- unsigned int length);
-/*
- * Copy 'length' bytes of memory from 'b' into 'base'.
- *
- * Requires:
- * 'b' is a valid buffer.
- *
- * 'base' points to at least 'length' bytes of valid memory.
- *
- * 'b' have at least 'length' bytes remaining.
- */
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWBUFFER_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwpacket.h b/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
deleted file mode 100644
index 48f6a34862ae..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
+++ /dev/null
@@ -1,124 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwpacket.h,v 1.17.206.1 2004/03/06 08:15:35 marka Exp $ */
-
-#ifndef LWRES_LWPACKET_H
-#define LWRES_LWPACKET_H 1
-
-#include <lwres/lang.h>
-#include <lwres/lwbuffer.h>
-#include <lwres/result.h>
-
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};
-
-#define LWRES_LWPACKET_LENGTH (4 * 5 + 2 * 4)
-
-#define LWRES_LWPACKETFLAG_RESPONSE 0x0001U /* if set, pkt is a response */
-
-
-#define LWRES_LWPACKETVERSION_0 0
-
-/*
- * "length" is the overall packet length, including the entire packet header.
- *
- * "version" specifies the header format. Currently, there is only one
- * format, LWRES_LWPACKETVERSION_0.
- *
- * "flags" specifies library-defined flags for this packet. None of these
- * are definable by the caller, but library-defined values can be set by
- * the caller. For example, one bit in this field indicates if the packet
- * is a request or a response.
- *
- * "serial" is set by the requestor and is returned in all replies. If two
- * packets from the same source have the same serial number and are from
- * the same source, they are assumed to be duplicates and the latter ones
- * may be dropped. (The library does not do this by default on replies, but
- * does so on requests.)
- *
- * "opcode" is application defined. Opcodes between 0x04000000 and 0xffffffff
- * are application defined. Opcodes between 0x00000000 and 0x03ffffff are
- * reserved for library use.
- *
- * "result" is application defined, and valid only on replies.
- * Results between 0x04000000 and 0xffffffff are application defined.
- * Results between 0x00000000 and 0x03ffffff are reserved for library use.
- * (This is the same reserved range defined in <isc/resultclass.h>, so it
- * would be trivial to map ISC_R_* result codes into packet result codes
- * when appropriate.)
- *
- * "recvlength" is set to the maximum buffer size that the receiver can
- * handle on requests, and the size of the buffer needed to satisfy a request
- * when the buffer is too large for replies.
- *
- * "authtype" is the packet level auth type used.
- * Authtypes between 0x1000 and 0xffff are application defined. Authtypes
- * between 0x0000 and 0x0fff are reserved for library use. This is currently
- * unused and MUST be set to zero.
- *
- * "authlen" is the length of the authentication data. See the specific
- * authtypes for more information on what is contained in this field. This
- * is currently unused, and MUST be set to zero.
- *
- * The remainder of the packet consists of two regions, one described by
- * "authlen" and one of "length - authlen - sizeof(lwres_lwpacket_t)".
- *
- * That is:
- *
- * pkt header
- * authlen bytes of auth information
- * data bytes
- */
-
-/*
- * Currently defined opcodes:
- *
- * NOOP. Success is always returned, with the packet contents echoed.
- *
- * GETADDRSBYNAME. Return all known addresses for a given name.
- * This may return NIS or /etc/hosts info as well as DNS
- * information. Flags will be provided to indicate ip4/ip6
- * addresses are desired.
- *
- * GETNAMEBYADDR. Return the hostname for the given address. Once
- * again, it will return data from multiple sources.
- */
-
-LWRES_LANG_BEGINDECLS
-
-/* XXXMLG document */
-lwres_result_t
-lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-
-lwres_result_t
-lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWPACKET_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwres.h b/contrib/bind9/lib/lwres/include/lwres/lwres.h
deleted file mode 100644
index 7260b00f11ce..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/lwres.h
+++ /dev/null
@@ -1,579 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres.h,v 1.49.12.3 2004/03/08 09:05:11 marka Exp $ */
-
-#ifndef LWRES_LWRES_H
-#define LWRES_LWRES_H 1
-
-#include <stdio.h>
-
-#include <lwres/context.h>
-#include <lwres/lang.h>
-#include <lwres/list.h>
-#include <lwres/lwpacket.h>
-#include <lwres/platform.h>
-
-/*
- * Design notes:
- *
- * Each opcode has two structures and three functions which operate on each
- * structure. For example, using the "no operation/ping" opcode as an
- * example:
- *
- * lwres_nooprequest_t:
- *
- * lwres_nooprequest_render() takes a lwres_nooprequest_t and
- * and renders it into wire format, storing the allocated
- * buffer information in a passed-in buffer. When this buffer
- * is no longer needed, it must be freed by
- * lwres_context_freemem(). All other memory used by the
- * caller must be freed manually, including the
- * lwres_nooprequest_t passed in.
- *
- * lwres_nooprequest_parse() takes a wire format message and
- * breaks it out into a lwres_nooprequest_t. The structure
- * must be freed via lwres_nooprequest_free() when it is no longer
- * needed.
- *
- * lwres_nooprequest_free() releases into the lwres_context_t
- * any space allocated during parsing.
- *
- * lwres_noopresponse_t:
- *
- * The functions used are similar to the three used for
- * requests, just with different names.
- *
- * Typically, the client will use request_render, response_parse, and
- * response_free, while the daemon will use request_parse, response_render,
- * and request_free.
- *
- * The basic flow of a typical client is:
- *
- * fill in a request_t, and call the render function.
- *
- * Transmit the buffer returned to the daemon.
- *
- * Wait for a response.
- *
- * When a response is received, parse it into a response_t.
- *
- * free the request buffer using lwres_context_freemem().
- *
- * free the response structure and its associated buffer using
- * response_free().
- */
-
-#define LWRES_UDP_PORT 921
-#define LWRES_RECVLENGTH 16384
-#define LWRES_ADDR_MAXLEN 16 /* changing this breaks ABI */
-#define LWRES_RESOLV_CONF "/etc/resolv.conf"
-
-/*
- * Flags.
- *
- * These flags are only relevant to rrset queries.
- *
- * TRUSTNOTREQUIRED: DNSSEC is not required (input)
- * SECUREDATA: The data was crypto-verified with DNSSEC (output)
- *
- */
-#define LWRES_FLAG_TRUSTNOTREQUIRED 0x00000001U
-#define LWRES_FLAG_SECUREDATA 0x00000002U
-
-/*
- * no-op
- */
-#define LWRES_OPCODE_NOOP 0x00000000U
-
-typedef struct {
- /* public */
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-
-typedef struct {
- /* public */
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;
-
-/*
- * get addresses by name
- */
-#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-struct lwres_addr {
- lwres_uint32_t family;
- lwres_uint16_t length;
- unsigned char address[LWRES_ADDR_MAXLEN];
- LWRES_LINK(lwres_addr_t) link;
-};
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- /* if base != NULL, it will be freed when this structure is freed. */
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-
-/*
- * get name by address
- */
-#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- /* if base != NULL, it will be freed when this structure is freed. */
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;
-
-/*
- * get rdata by name
- */
-#define LWRES_OPCODE_GETRDATABYNAME 0x00010003U
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t rdclass;
- lwres_uint16_t rdtype;
- lwres_uint16_t namelen;
- char *name;
-} lwres_grbnrequest_t;
-
-typedef struct {
- /* public */
- lwres_uint32_t flags;
- lwres_uint16_t rdclass;
- lwres_uint16_t rdtype;
- lwres_uint32_t ttl;
- lwres_uint16_t nrdatas;
- lwres_uint16_t nsigs;
- char *realname;
- lwres_uint16_t realnamelen;
- unsigned char **rdatas;
- lwres_uint16_t *rdatalen;
- unsigned char **sigs;
- lwres_uint16_t *siglen;
- /* if base != NULL, it will be freed when this structure is freed. */
- void *base;
- size_t baselen;
-} lwres_grbnresponse_t;
-
-#define LWRDATA_VALIDATED 0x00000001
-
-/*
- * resolv.conf data
- */
-
-#define LWRES_CONFMAXNAMESERVERS 3 /* max 3 "nameserver" entries */
-#define LWRES_CONFMAXLWSERVERS 1 /* max 1 "lwserver" entry */
-#define LWRES_CONFMAXSEARCH 8 /* max 8 domains in "search" entry */
-#define LWRES_CONFMAXLINELEN 256 /* max size of a line */
-#define LWRES_CONFMAXSORTLIST 10
-typedef struct {
- lwres_context_t *lwctx;
- lwres_addr_t nameservers[LWRES_CONFMAXNAMESERVERS];
- lwres_uint8_t nsnext; /* index for next free slot */
-
- lwres_addr_t lwservers[LWRES_CONFMAXLWSERVERS];
- lwres_uint8_t lwnext; /* index for next free slot */
-
- char *domainname;
-
- char *search[LWRES_CONFMAXSEARCH];
- lwres_uint8_t searchnxt; /* index for next free slot */
-
- struct {
- lwres_addr_t addr;
- /* mask has a non-zero 'family' and 'length' if set */
- lwres_addr_t mask;
- } sortlist[LWRES_CONFMAXSORTLIST];
- lwres_uint8_t sortlistnxt;
-
- lwres_uint8_t resdebug; /* non-zero if 'options debug' set */
- lwres_uint8_t ndots; /* set to n in 'options ndots:n' */
- lwres_uint8_t no_tld_query; /* non-zero if 'options no_tld_query' */
-} lwres_conf_t;
-
-#define LWRES_ADDRTYPE_V4 0x00000001U /* ipv4 */
-#define LWRES_ADDRTYPE_V6 0x00000002U /* ipv6 */
-
-#define LWRES_MAX_ALIASES 16 /* max # of aliases */
-#define LWRES_MAX_ADDRS 64 /* max # of addrs */
-
-LWRES_LANG_BEGINDECLS
-
-/*
- * This is in host byte order.
- */
-LIBLWRES_EXTERNAL_DATA extern lwres_uint16_t lwres_udp_port;
-
-LIBLWRES_EXTERNAL_DATA extern const char *lwres_resolv_conf;
-
-lwres_result_t
-lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
-
-lwres_result_t
-lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_gabnresponse_t **structp);
-
-void
-lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-void
-lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-
-lwres_result_t
-lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
-
-lwres_result_t
-lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_gnbaresponse_t **structp);
-
-void
-lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-void
-lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-lwres_result_t
-lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp);
-
-lwres_result_t
-lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_grbnresponse_t **structp);
-
-void
-lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-void
-lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp);
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-lwres_result_t
-lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-/*
- * Allocate space and render into wire format a noop request packet.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * b != NULL, and points to a lwres_buffer_t. The contents of the
- * buffer structure will be initialized to contain the wire-format
- * noop request packet.
- *
- * Caller needs to fill in parts of "pkt" before calling:
- * serial, maxrecv, result.
- *
- * Returns:
- *
- * Returns 0 on success, non-zero on failure.
- *
- * On successful return, *b will contain data about the wire-format
- * packet. It can be transmitted in any way, including lwres_sendblock().
- */
-
-lwres_result_t
-lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b);
-
-lwres_result_t
-lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
-/*
- * Parse a noop request. Note that to get here, the lwpacket must have
- * already been parsed and removed by the caller, otherwise it would be
- * pretty hard for it to know this is the right function to call.
- *
- * The function verifies bits of the header, but does not modify it.
- */
-
-lwres_result_t
-lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt,
- lwres_noopresponse_t **structp);
-
-void
-lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
-
-void
-lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
-
-/*
- * Frees any dynamically allocated memory for this structure.
- *
- * Requires:
- *
- * ctx != NULL, and be a context returned via lwres_contextcreate().
- *
- * structp != NULL && *structp != NULL.
- *
- * Ensures:
- *
- * *structp == NULL.
- *
- * All memory allocated by this structure will be returned to the
- * system via the context's free function.
- */
-
-lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename);
-/*
- * parses a resolv.conf-format file and stores the results in the structure
- * pointed to by *ctx.
- *
- * Requires:
- * ctx != NULL
- * filename != NULL && strlen(filename) > 0
- *
- * Returns:
- * LWRES_R_SUCCESS on a successful parse.
- * Anything else on error, although the structure may be partially filled
- * in.
- */
-
-lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp);
-/*
- * Prints a resolv.conf-format of confdata output to fp.
- *
- * Requires:
- * ctx != NULL
- */
-
-void
-lwres_conf_init(lwres_context_t *ctx);
-/*
- * sets all internal fields to a default state. Used to initialize a new
- * lwres_conf_t structure (not reset a used on).
- *
- * Requires:
- * ctx != NULL
- */
-
-void
-lwres_conf_clear(lwres_context_t *ctx);
-/*
- * frees all internally allocated memory in confdata. Uses the memory
- * routines supplied by ctx.
- *
- * Requires:
- * ctx != NULL
- */
-
-lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx);
-/*
- * returns a pointer to the current config structure.
- * Be extremely cautions in modifying the contents of this structure; it
- * needs an API to return the various bits of data, walk lists, etc.
- *
- * Requires:
- * ctx != NULL
- */
-
-/*
- * Helper functions
- */
-
-lwres_result_t
-lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len);
-
-lwres_result_t
-lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len);
-
-lwres_result_t
-lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
-
-lwres_result_t
-lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
- lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
-
-lwres_result_t
-lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
- lwres_uint16_t addrlen, const unsigned char *addr,
- lwres_gnbaresponse_t **structp);
-
-lwres_result_t
-lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
- lwres_uint16_t rdclass, lwres_uint16_t rdtype,
- lwres_uint32_t flags, lwres_grbnresponse_t **structp);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_LWRES_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
deleted file mode 100644
index 7bf545f4e2fb..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
+++ /dev/null
@@ -1,518 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: netdb.h.in,v 1.34.206.1 2004/03/06 08:15:35 marka Exp $ */
-
-#ifndef LWRES_NETDB_H
-#define LWRES_NETDB_H 1
-
-#include <stddef.h> /* Required on FreeBSD (and others?) for size_t. */
-#include <netdb.h> /* Contractual provision. */
-
-#include <lwres/lang.h>
-
-/*
- * Define if <netdb.h> does not declare struct addrinfo.
- */
-@ISC_LWRES_NEEDADDRINFO@
-
-#ifdef ISC_LWRES_NEEDADDRINFO
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* Length of ai_addr */
- char *ai_canonname; /* Canonical name for hostname */
- struct sockaddr *ai_addr; /* Binary address */
- struct addrinfo *ai_next; /* Next structure in linked list */
-};
-#endif
-
-/*
- * Undefine all #defines we are interested in as <netdb.h> may or may not have
- * defined them.
- */
-
-/*
- * Error return codes from gethostbyname() and gethostbyaddr()
- * (left in extern int h_errno).
- */
-
-#undef NETDB_INTERNAL
-#undef NETDB_SUCCESS
-#undef HOST_NOT_FOUND
-#undef TRY_AGAIN
-#undef NO_RECOVERY
-#undef NO_DATA
-#undef NO_ADDRESS
-
-#define NETDB_INTERNAL -1 /* see errno */
-#define NETDB_SUCCESS 0 /* no problem */
-#define HOST_NOT_FOUND 1 /* Authoritative Answer Host not found */
-#define TRY_AGAIN 2 /* Non-Authoritive Host not found, or SERVERFAIL */
-#define NO_RECOVERY 3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
-#define NO_DATA 4 /* Valid name, no data record of requested type */
-#define NO_ADDRESS NO_DATA /* no address, look for MX record */
-
-/*
- * Error return codes from getaddrinfo()
- */
-
-#undef EAI_ADDRFAMILY
-#undef EAI_AGAIN
-#undef EAI_BADFLAGS
-#undef EAI_FAIL
-#undef EAI_FAMILY
-#undef EAI_MEMORY
-#undef EAI_NODATA
-#undef EAI_NONAME
-#undef EAI_SERVICE
-#undef EAI_SOCKTYPE
-#undef EAI_SYSTEM
-#undef EAI_BADHINTS
-#undef EAI_PROTOCOL
-#undef EAI_MAX
-
-#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
-#define EAI_AGAIN 2 /* temporary failure in name resolution */
-#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
-#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
-#define EAI_FAMILY 5 /* ai_family not supported */
-#define EAI_MEMORY 6 /* memory allocation failure */
-#define EAI_NODATA 7 /* no address associated with hostname */
-#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
-#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
-#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
-#define EAI_SYSTEM 11 /* system error returned in errno */
-#define EAI_BADHINTS 12
-#define EAI_PROTOCOL 13
-#define EAI_MAX 14
-
-/*
- * Flag values for getaddrinfo()
- */
-#undef AI_PASSIVE
-#undef AI_CANONNAME
-#undef AI_NUMERICHOST
-
-#define AI_PASSIVE 0x00000001
-#define AI_CANONNAME 0x00000002
-#define AI_NUMERICHOST 0x00000004
-
-/*
- * Flag values for getipnodebyname()
- */
-#undef AI_V4MAPPED
-#undef AI_ALL
-#undef AI_ADDRCONFIG
-#undef AI_DEFAULT
-
-#define AI_V4MAPPED 0x00000008
-#define AI_ALL 0x00000010
-#define AI_ADDRCONFIG 0x00000020
-#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG)
-
-/*
- * Constants for lwres_getnameinfo()
- */
-#undef NI_MAXHOST
-#undef NI_MAXSERV
-
-#define NI_MAXHOST 1025
-#define NI_MAXSERV 32
-
-/*
- * Flag values for lwres_getnameinfo()
- */
-#undef NI_NOFQDN
-#undef NI_NUMERICHOST
-#undef NI_NAMEREQD
-#undef NI_NUMERICSERV
-#undef NI_DGRAM
-#undef NI_NUMERICSCOPE
-
-#define NI_NOFQDN 0x00000001
-#define NI_NUMERICHOST 0x00000002
-#define NI_NAMEREQD 0x00000004
-#define NI_NUMERICSERV 0x00000008
-#define NI_DGRAM 0x00000010
-#define NI_NUMERICSCOPE 0x00000020 /*2553bis-00*/
-
-/*
- * Define if <netdb.h> does not declare struct rrsetinfo.
- */
-@ISC_LWRES_NEEDRRSETINFO@
-
-#ifdef ISC_LWRES_NEEDRRSETINFO
-/*
- * Structures for getrrsetbyname()
- */
-struct rdatainfo {
- unsigned int rdi_length;
- unsigned char *rdi_data;
-};
-
-struct rrsetinfo {
- unsigned int rri_flags;
- int rri_rdclass;
- int rri_rdtype;
- unsigned int rri_ttl;
- unsigned int rri_nrdatas;
- unsigned int rri_nsigs;
- char *rri_name;
- struct rdatainfo *rri_rdatas;
- struct rdatainfo *rri_sigs;
-};
-
-/*
- * Flags for getrrsetbyname()
- */
-#define RRSET_VALIDATED 0x00000001
- /* Set was dnssec validated */
-
-/*
- * Return codes for getrrsetbyname()
- */
-#define ERRSET_SUCCESS 0
-#define ERRSET_NOMEMORY 1
-#define ERRSET_FAIL 2
-#define ERRSET_INVAL 3
-#define ERRSET_NONAME 4
-#define ERRSET_NODATA 5
-#endif
-
-/*
- * Define to map into lwres_ namespace.
- */
-
-#define LWRES_NAMESPACE
-
-#ifdef LWRES_NAMESPACE
-
-/*
- * Use our versions not the ones from the C library.
- */
-
-#ifdef getnameinfo
-#undef getnameinfo
-#endif
-#define getnameinfo lwres_getnameinfo
-
-#ifdef getaddrinfo
-#undef getaddrinfo
-#endif
-#define getaddrinfo lwres_getaddrinfo
-
-#ifdef freeaddrinfo
-#undef freeaddrinfo
-#endif
-#define freeaddrinfo lwres_freeaddrinfo
-
-#ifdef gai_strerror
-#undef gai_strerror
-#endif
-#define gai_strerror lwres_gai_strerror
-
-#ifdef herror
-#undef herror
-#endif
-#define herror lwres_herror
-
-#ifdef hstrerror
-#undef hstrerror
-#endif
-#define hstrerror lwres_hstrerror
-
-#ifdef getipnodebyname
-#undef getipnodebyname
-#endif
-#define getipnodebyname lwres_getipnodebyname
-
-#ifdef getipnodebyaddr
-#undef getipnodebyaddr
-#endif
-#define getipnodebyaddr lwres_getipnodebyaddr
-
-#ifdef freehostent
-#undef freehostent
-#endif
-#define freehostent lwres_freehostent
-
-#ifdef gethostbyname
-#undef gethostbyname
-#endif
-#define gethostbyname lwres_gethostbyname
-
-#ifdef gethostbyname2
-#undef gethostbyname2
-#endif
-#define gethostbyname2 lwres_gethostbyname2
-
-#ifdef gethostbyaddr
-#undef gethostbyaddr
-#endif
-#define gethostbyaddr lwres_gethostbyaddr
-
-#ifdef gethostent
-#undef gethostent
-#endif
-#define gethostent lwres_gethostent
-
-#ifdef sethostent
-#undef sethostent
-#endif
-#define sethostent lwres_sethostent
-
-#ifdef endhostent
-#undef endhostent
-#endif
-#define endhostent lwres_endhostent
-
-/* #define sethostfile lwres_sethostfile */
-
-#ifdef gethostbyname_r
-#undef gethostbyname_r
-#endif
-#define gethostbyname_r lwres_gethostbyname_r
-
-#ifdef gethostbyaddr_r
-#undef gethostbyaddr_r
-#endif
-#define gethostbyaddr_r lwres_gethostbyaddr_r
-
-#ifdef gethostent_r
-#undef gethostent_r
-#endif
-#define gethostent_r lwres_gethostent_r
-
-#ifdef sethostent_r
-#undef sethostent_r
-#endif
-#define sethostent_r lwres_sethostent_r
-
-#ifdef endhostent_r
-#undef endhostent_r
-#endif
-#define endhostent_r lwres_endhostent_r
-
-#ifdef getrrsetbyname
-#undef getrrsetbyname
-#endif
-#define getrrsetbyname lwres_getrrsetbyname
-
-#ifdef freerrset
-#undef freerrset
-#endif
-#define freerrset lwres_freerrset
-
-#ifdef notyet
-#define getservbyname lwres_getservbyname
-#define getservbyport lwres_getservbyport
-#define getservent lwres_getservent
-#define setservent lwres_setservent
-#define endservent lwres_endservent
-
-#define getservbyname_r lwres_getservbyname_r
-#define getservbyport_r lwres_getservbyport_r
-#define getservent_r lwres_getservent_r
-#define setservent_r lwres_setservent_r
-#define endservent_r lwres_endservent_r
-
-#define getprotobyname lwres_getprotobyname
-#define getprotobynumber lwres_getprotobynumber
-#define getprotoent lwres_getprotoent
-#define setprotoent lwres_setprotoent
-#define endprotoent lwres_endprotoent
-
-#define getprotobyname_r lwres_getprotobyname_r
-#define getprotobynumber_r lwres_getprotobynumber_r
-#define getprotoent_r lwres_getprotoent_r
-#define setprotoent_r lwres_setprotoent_r
-#define endprotoent_r lwres_endprotoent_r
-
-#ifdef getnetbyname
-#undef getnetbyname
-#endif
-#define getnetbyname lwres_getnetbyname
-
-#ifdef getnetbyaddr
-#undef getnetbyaddr
-#endif
-#define getnetbyaddr lwres_getnetbyaddr
-
-#ifdef getnetent
-#undef getnetent
-#endif
-#define getnetent lwres_getnetent
-
-#ifdef setnetent
-#undef setnetent
-#endif
-#define setnetent lwres_setnetent
-
-#ifdef endnetent
-#undef endnetent
-#endif
-#define endnetent lwres_endnetent
-
-
-#ifdef getnetbyname_r
-#undef getnetbyname_r
-#endif
-#define getnetbyname_r lwres_getnetbyname_r
-
-#ifdef getnetbyaddr_r
-#undef getnetbyaddr_r
-#endif
-#define getnetbyaddr_r lwres_getnetbyaddr_r
-
-#ifdef getnetent_r
-#undef getnetent_r
-#endif
-#define getnetent_r lwres_getnetent_r
-
-#ifdef setnetent_r
-#undef setnetent_r
-#endif
-#define setnetent_r lwres_setnetent_r
-
-#ifdef endnetent_r
-#undef endnetent_r
-#endif
-#define endnetent_r lwres_endnetent_r
-#endif /* notyet */
-
-#ifdef h_errno
-#undef h_errno
-#endif
-#define h_errno lwres_h_errno
-
-#endif /* LWRES_NAMESPACE */
-
-LWRES_LANG_BEGINDECLS
-
-extern int lwres_h_errno;
-
-int lwres_getaddrinfo(const char *, const char *,
- const struct addrinfo *, struct addrinfo **);
-int lwres_getnameinfo(const struct sockaddr *, size_t, char *,
- size_t, char *, size_t, int);
-void lwres_freeaddrinfo(struct addrinfo *);
-char *lwres_gai_strerror(int);
-
-struct hostent *lwres_gethostbyaddr(const char *, int, int);
-struct hostent *lwres_gethostbyname(const char *);
-struct hostent *lwres_gethostbyname2(const char *, int);
-struct hostent *lwres_gethostent(void);
-struct hostent *lwres_getipnodebyname(const char *, int, int, int *);
-struct hostent *lwres_getipnodebyaddr(const void *, size_t, int, int *);
-void lwres_endhostent(void);
-void lwres_sethostent(int);
-/* void lwres_sethostfile(const char *); */
-void lwres_freehostent(struct hostent *);
-
-int lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
- unsigned int, struct rrsetinfo **);
-void lwres_freerrset(struct rrsetinfo *);
-
-#ifdef notyet
-struct netent *lwres_getnetbyaddr(unsigned long, int);
-struct netent *lwres_getnetbyname(const char *);
-struct netent *lwres_getnetent(void);
-void lwres_endnetent(void);
-void lwres_setnetent(int);
-
-struct protoent *lwres_getprotobyname(const char *);
-struct protoent *lwres_getprotobynumber(int);
-struct protoent *lwres_getprotoent(void);
-void lwres_endprotoent(void);
-void lwres_setprotoent(int);
-
-struct servent *lwres_getservbyname(const char *, const char *);
-struct servent *lwres_getservbyport(int, const char *);
-struct servent *lwres_getservent(void);
-void lwres_endservent(void);
-void lwres_setservent(int);
-#endif /* notyet */
-
-void lwres_herror(const char *);
-const char *lwres_hstrerror(int);
-
-
-struct hostent *lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
- char *, int, int *);
-struct hostent *lwres_gethostbyname_r(const char *, struct hostent *,
- char *, int, int *);
-struct hostent *lwres_gethostent_r(struct hostent *, char *, int, int *);
-void lwres_sethostent_r(int);
-void lwres_endhostent_r(void);
-
-#ifdef notyet
-struct netent *lwres_getnetbyname_r(const char *, struct netent *,
- char *, int);
-struct netent *lwres_getnetbyaddr_r(long, int, struct netent *,
- char *, int);
-struct netent *lwres_getnetent_r(struct netent *, char *, int);
-void lwres_setnetent_r(int);
-void lwres_endnetent_r(void);
-
-struct protoent *lwres_getprotobyname_r(const char *,
- struct protoent *, char *, int);
-struct protoent *lwres_getprotobynumber_r(int,
- struct protoent *, char *, int);
-struct protoent *lwres_getprotoent_r(struct protoent *, char *, int);
-void lwres_setprotoent_r(int);
-void lwres_endprotoent_r(void);
-
-struct servent *lwres_getservbyname_r(const char *name, const char *,
- struct servent *, char *, int);
-struct servent *lwres_getservbyport_r(int port, const char *,
- struct servent *, char *, int);
-struct servent *lwres_getservent_r(struct servent *, char *, int);
-void lwres_setservent_r(int);
-void lwres_endservent_r(void);
-#endif /* notyet */
-
-LWRES_LANG_ENDDECLS
-
-#ifdef notyet
-/* This is nec'y to make this include file properly replace the sun version. */
-#ifdef sun
-#ifdef __GNU_LIBRARY__
-#include <rpc/netdb.h> /* Required. */
-#else /* !__GNU_LIBRARY__ */
-struct rpcent {
- char *r_name; /* name of server for this rpc program */
- char **r_aliases; /* alias list */
- int r_number; /* rpc program number */
-};
-struct rpcent *lwres_getrpcbyname();
-struct rpcent *lwres_getrpcbynumber(),
-struct rpcent *lwres_getrpcent();
-#endif /* __GNU_LIBRARY__ */
-#endif /* sun */
-#endif /* notyet */
-
-/*
- * Tell Emacs to use C mode on this file.
- * Local variables:
- * mode: c
- * End:
- */
-
-#endif /* LWRES_NETDB_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/platform.h.in b/contrib/bind9/lib/lwres/include/lwres/platform.h.in
deleted file mode 100644
index e995aa46c0e5..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/platform.h.in
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: platform.h.in,v 1.12.2.1.10.5 2005/06/08 02:08:32 marka Exp $ */
-
-#ifndef LWRES_PLATFORM_H
-#define LWRES_PLATFORM_H 1
-
-/*****
- ***** Platform-dependent defines.
- *****/
-
-/***
- *** Network.
- ***/
-
-/*
- * Define if this system needs the <netinet/in6.h> header file for IPv6.
- */
-@LWRES_PLATFORM_NEEDNETINETIN6H@
-
-/*
- * Define if this system needs the <netinet6/in6.h> header file for IPv6.
- */
-@LWRES_PLATFORM_NEEDNETINET6IN6H@
-
-/*
- * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
- * will be defined.
- */
-@LWRES_PLATFORM_HAVESALEN@
-
-/*
- * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
- * will be defined.
- */
-@LWRES_PLATFORM_HAVEIPV6@
-
-/*
- * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
- * be defined.
- */
-@LWRES_PLATFORM_NEEDIN6ADDRANY@
-
-/*
- * If this system is missing in6addr_loopback,
- * LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK will be defined.
- */
-@LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK@
-
-/*
- * If this system has in_addr6, rather than in6_addr,
- * LWRES_PLATFORM_HAVEINADDR6 will be defined.
- */
-@LWRES_PLATFORM_HAVEINADDR6@
-
-/*
- * Defined if unistd.h does not cause fd_set to be delared.
- */
-@LWRES_PLATFORM_NEEDSYSSELECTH@
-
-/*
- * Used to control how extern data is linked; needed for Win32 platforms.
- */
-@LWRES_PLATFORM_USEDECLSPEC@
-
-/*
- * Defined this system needs vsnprintf() and snprintf().
- */
-@LWRES_PLATFORM_NEEDVSNPRINTF@
-
-/*
- * If this system need a modern sprintf() that returns (int) not (char*).
- */
-@LWRES_PLATFORM_NEEDSPRINTF@
-
-/*
- * The printf format string modifier to use with lwres_uint64_t values.
- */
-@LWRES_PLATFORM_QUADFORMAT@
-
-/*! \brief
- * Define if this system needs strtoul.
- */
-@LWRES_PLATFORM_NEEDSTRTOUL@
-
-#ifndef LWRES_PLATFORM_USEDECLSPEC
-#define LIBLWRES_EXTERNAL_DATA
-#else
-#ifdef LIBLWRES_EXPORTS
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
-#else
-#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
-#endif
-#endif
-
-#endif /* LWRES_PLATFORM_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/result.h b/contrib/bind9/lib/lwres/include/lwres/result.h
deleted file mode 100644
index 617ae32225ba..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/result.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: result.h,v 1.14.206.1 2004/03/06 08:15:36 marka Exp $ */
-
-#ifndef LWRES_RESULT_H
-#define LWRES_RESULT_H 1
-
-typedef unsigned int lwres_result_t;
-
-#define LWRES_R_SUCCESS 0
-#define LWRES_R_NOMEMORY 1
-#define LWRES_R_TIMEOUT 2
-#define LWRES_R_NOTFOUND 3
-#define LWRES_R_UNEXPECTEDEND 4 /* unexpected end of input */
-#define LWRES_R_FAILURE 5 /* generic failure */
-#define LWRES_R_IOERROR 6
-#define LWRES_R_NOTIMPLEMENTED 7
-#define LWRES_R_UNEXPECTED 8
-#define LWRES_R_TRAILINGDATA 9
-#define LWRES_R_INCOMPLETE 10
-#define LWRES_R_RETRY 11
-#define LWRES_R_TYPENOTFOUND 12
-#define LWRES_R_TOOLARGE 13
-
-#endif /* LWRES_RESULT_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/stdlib.h b/contrib/bind9/lib/lwres/include/lwres/stdlib.h
deleted file mode 100644
index f5d4db281872..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/stdlib.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: stdlib.h,v 1.2.4.1 2005/06/08 02:08:32 marka Exp $ */
-
-#ifndef LWRES_STDLIB_H
-#define LWRES_STDLIB_H 1
-
-/*! \file */
-
-#include <stdlib.h>
-
-#include <lwres/lang.h>
-#include <lwres/platform.h>
-
-#ifdef LWRES_PLATFORM_NEEDSTRTOUL
-#define strtoul lwres_strtoul
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-unsigned long lwres_strtoul(const char *, char **, int);
-
-LWRES_LANG_ENDDECLS
-
-#endif
diff --git a/contrib/bind9/lib/lwres/include/lwres/version.h b/contrib/bind9/lib/lwres/include/lwres/version.h
deleted file mode 100644
index 1b291ceeae9e..000000000000
--- a/contrib/bind9/lib/lwres/include/lwres/version.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.h,v 1.2.224.3 2004/03/08 09:05:11 marka Exp $ */
-
-#include <lwres/platform.h>
-
-LIBLWRES_EXTERNAL_DATA extern const char lwres_version[];
-
-LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libinterface;
-LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_librevision;
-LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libage;
diff --git a/contrib/bind9/lib/lwres/lwbuffer.c b/contrib/bind9/lib/lwres/lwbuffer.c
deleted file mode 100644
index 69009f00aebc..000000000000
--- a/contrib/bind9/lib/lwres/lwbuffer.c
+++ /dev/null
@@ -1,287 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwbuffer.c,v 1.10.206.1 2004/03/06 08:15:31 marka Exp $ */
-
-#include <config.h>
-
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-
-#include "assert_p.h"
-
-void
-lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length)
-{
- /*
- * Make 'b' refer to the 'length'-byte region starting at base.
- */
-
- REQUIRE(b != NULL);
-
- b->magic = LWRES_BUFFER_MAGIC;
- b->base = base;
- b->length = length;
- b->used = 0;
- b->current = 0;
- b->active = 0;
-}
-
-void
-lwres_buffer_invalidate(lwres_buffer_t *b)
-{
- /*
- * Make 'b' an invalid buffer.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
-
- b->magic = 0;
- b->base = NULL;
- b->length = 0;
- b->used = 0;
- b->current = 0;
- b->active = 0;
-}
-
-void
-lwres_buffer_add(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Increase the 'used' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + n <= b->length);
-
- b->used += n;
-}
-
-void
-lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Decrease the 'used' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used >= n);
-
- b->used -= n;
- if (b->current > b->used)
- b->current = b->used;
- if (b->active > b->used)
- b->active = b->used;
-}
-
-void
-lwres_buffer_clear(lwres_buffer_t *b)
-{
- /*
- * Make the used region empty.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
-
- b->used = 0;
- b->current = 0;
- b->active = 0;
-}
-
-void
-lwres_buffer_first(lwres_buffer_t *b)
-{
- /*
- * Make the consumed region empty.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
-
- b->current = 0;
-}
-
-void
-lwres_buffer_forward(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Increase the 'consumed' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->current + n <= b->used);
-
- b->current += n;
-}
-
-void
-lwres_buffer_back(lwres_buffer_t *b, unsigned int n)
-{
- /*
- * Decrease the 'consumed' region of 'b' by 'n' bytes.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(n <= b->current);
-
- b->current -= n;
-}
-
-lwres_uint8_t
-lwres_buffer_getuint8(lwres_buffer_t *b)
-{
- unsigned char *cp;
- lwres_uint8_t result;
-
- /*
- * Read an unsigned 8-bit integer from 'b' and return it.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 1);
-
- cp = b->base;
- cp += b->current;
- b->current += 1;
- result = ((unsigned int)(cp[0]));
-
- return (result);
-}
-
-void
-lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + 1 <= b->length);
-
- cp = b->base;
- cp += b->used;
- b->used += 1;
- cp[0] = (val & 0x00ff);
-}
-
-lwres_uint16_t
-lwres_buffer_getuint16(lwres_buffer_t *b)
-{
- unsigned char *cp;
- lwres_uint16_t result;
-
- /*
- * Read an unsigned 16-bit integer in network byte order from 'b',
- * convert it to host byte order, and return it.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 2);
-
- cp = b->base;
- cp += b->current;
- b->current += 2;
- result = ((unsigned int)(cp[0])) << 8;
- result |= ((unsigned int)(cp[1]));
-
- return (result);
-}
-
-void
-lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + 2 <= b->length);
-
- cp = b->base;
- cp += b->used;
- b->used += 2;
- cp[0] = (val & 0xff00) >> 8;
- cp[1] = (val & 0x00ff);
-}
-
-lwres_uint32_t
-lwres_buffer_getuint32(lwres_buffer_t *b)
-{
- unsigned char *cp;
- lwres_uint32_t result;
-
- /*
- * Read an unsigned 32-bit integer in network byte order from 'b',
- * convert it to host byte order, and return it.
- */
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= 4);
-
- cp = b->base;
- cp += b->current;
- b->current += 4;
- result = ((unsigned int)(cp[0])) << 24;
- result |= ((unsigned int)(cp[1])) << 16;
- result |= ((unsigned int)(cp[2])) << 8;
- result |= ((unsigned int)(cp[3]));
-
- return (result);
-}
-
-void
-lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + 4 <= b->length);
-
- cp = b->base;
- cp += b->used;
- b->used += 4;
- cp[0] = (unsigned char)((val & 0xff000000) >> 24);
- cp[1] = (unsigned char)((val & 0x00ff0000) >> 16);
- cp[2] = (unsigned char)((val & 0x0000ff00) >> 8);
- cp[3] = (unsigned char)(val & 0x000000ff);
-}
-
-void
-lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
- unsigned int length)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used + length <= b->length);
-
- cp = (unsigned char *)b->base + b->used;
- memcpy(cp, base, length);
- b->used += length;
-}
-
-void
-lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
- unsigned int length)
-{
- unsigned char *cp;
-
- REQUIRE(LWRES_BUFFER_VALID(b));
- REQUIRE(b->used - b->current >= length);
-
- cp = b->base;
- cp += b->current;
- b->current += length;
-
- memcpy(base, cp, length);
-}
diff --git a/contrib/bind9/lib/lwres/lwconfig.c b/contrib/bind9/lib/lwres/lwconfig.c
deleted file mode 100644
index 7fc2c5d0efd3..000000000000
--- a/contrib/bind9/lib/lwres/lwconfig.c
+++ /dev/null
@@ -1,703 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwconfig.c,v 1.33.2.1.2.8 2005/06/08 02:35:21 marka Exp $ */
-
-/***
- *** Module for parsing resolv.conf files.
- ***
- *** entry points are:
- *** lwres_conf_init(lwres_context_t *ctx)
- *** intializes data structure for subsequent config parsing.
- ***
- *** lwres_conf_parse(lwres_context_t *ctx, const char *filename)
- *** parses a file and fills in the data structure.
- ***
- *** lwres_conf_print(lwres_context_t *ctx, FILE *fp)
- *** prints the config data structure to the FILE.
- ***
- *** lwres_conf_clear(lwres_context_t *ctx)
- *** frees up all the internal memory used by the config data
- *** structure, returning it to the lwres_context_t.
- ***
- ***/
-
-#include <config.h>
-
-#include <assert.h>
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwres.h>
-#include <lwres/net.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-#include "context_p.h"
-
-
-#if ! defined(NS_INADDRSZ)
-#define NS_INADDRSZ 4
-#endif
-
-#if ! defined(NS_IN6ADDRSZ)
-#define NS_IN6ADDRSZ 16
-#endif
-
-static lwres_result_t
-lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parselwserver(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsesearch(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parsesortlist(lwres_context_t *ctx, FILE *fp);
-
-static lwres_result_t
-lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp);
-
-static void
-lwres_resetaddr(lwres_addr_t *addr);
-
-static lwres_result_t
-lwres_create_addr(const char *buff, lwres_addr_t *addr, int convert_zero);
-
-static int lwresaddr2af(int lwresaddrtype);
-
-
-static int
-lwresaddr2af(int lwresaddrtype)
-{
- int af = 0;
-
- switch (lwresaddrtype) {
- case LWRES_ADDRTYPE_V4:
- af = AF_INET;
- break;
-
- case LWRES_ADDRTYPE_V6:
- af = AF_INET6;
- break;
- }
-
- return (af);
-}
-
-
-/*
- * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
- */
-static int
-eatline(FILE *fp) {
- int ch;
-
- ch = fgetc(fp);
- while (ch != '\n' && ch != EOF)
- ch = fgetc(fp);
-
- return (ch);
-}
-
-
-/*
- * Eats white space up to next newline or non-whitespace character (of
- * EOF). Returns the last character read. Comments are considered white
- * space.
- */
-static int
-eatwhite(FILE *fp) {
- int ch;
-
- ch = fgetc(fp);
- while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
- ch = fgetc(fp);
-
- if (ch == ';' || ch == '#')
- ch = eatline(fp);
-
- return (ch);
-}
-
-
-/*
- * Skip over any leading whitespace and then read in the next sequence of
- * non-whitespace characters. In this context newline is not considered
- * whitespace. Returns EOF on end-of-file, or the character
- * that caused the reading to stop.
- */
-static int
-getword(FILE *fp, char *buffer, size_t size) {
- int ch;
- char *p = buffer;
-
- REQUIRE(buffer != NULL);
- REQUIRE(size > 0U);
-
- *p = '\0';
-
- ch = eatwhite(fp);
-
- if (ch == EOF)
- return (EOF);
-
- do {
- *p = '\0';
-
- if (ch == EOF || isspace((unsigned char)ch))
- break;
- else if ((size_t) (p - buffer) == size - 1)
- return (EOF); /* Not enough space. */
-
- *p++ = (char)ch;
- ch = fgetc(fp);
- } while (1);
-
- return (ch);
-}
-
-static void
-lwres_resetaddr(lwres_addr_t *addr) {
- REQUIRE(addr != NULL);
-
- memset(addr->address, 0, LWRES_ADDR_MAXLEN);
- addr->family = 0;
- addr->length = 0;
-}
-
-static char *
-lwres_strdup(lwres_context_t *ctx, const char *str) {
- char *p;
-
- REQUIRE(str != NULL);
- REQUIRE(strlen(str) > 0U);
-
- p = CTXMALLOC(strlen(str) + 1);
- if (p != NULL)
- strcpy(p, str);
-
- return (p);
-}
-
-void
-lwres_conf_init(lwres_context_t *ctx) {
- int i;
- lwres_conf_t *confdata;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- confdata->nsnext = 0;
- confdata->lwnext = 0;
- confdata->domainname = NULL;
- confdata->searchnxt = 0;
- confdata->sortlistnxt = 0;
- confdata->resdebug = 0;
- confdata->ndots = 1;
- confdata->no_tld_query = 0;
-
- for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++)
- lwres_resetaddr(&confdata->nameservers[i]);
-
- for (i = 0; i < LWRES_CONFMAXSEARCH; i++)
- confdata->search[i] = NULL;
-
- for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
- lwres_resetaddr(&confdata->sortlist[i].addr);
- lwres_resetaddr(&confdata->sortlist[i].mask);
- }
-}
-
-void
-lwres_conf_clear(lwres_context_t *ctx) {
- int i;
- lwres_conf_t *confdata;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- for (i = 0; i < confdata->nsnext; i++)
- lwres_resetaddr(&confdata->nameservers[i]);
-
- if (confdata->domainname != NULL) {
- CTXFREE(confdata->domainname,
- strlen(confdata->domainname) + 1);
- confdata->domainname = NULL;
- }
-
- for (i = 0; i < confdata->searchnxt; i++) {
- if (confdata->search[i] != NULL) {
- CTXFREE(confdata->search[i],
- strlen(confdata->search[i]) + 1);
- confdata->search[i] = NULL;
- }
- }
-
- for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
- lwres_resetaddr(&confdata->sortlist[i].addr);
- lwres_resetaddr(&confdata->sortlist[i].mask);
- }
-
- confdata->nsnext = 0;
- confdata->lwnext = 0;
- confdata->domainname = NULL;
- confdata->searchnxt = 0;
- confdata->sortlistnxt = 0;
- confdata->resdebug = 0;
- confdata->ndots = 1;
- confdata->no_tld_query = 0;
-}
-
-static lwres_result_t
-lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp) {
- char word[LWRES_CONFMAXLINELEN];
- int res;
- lwres_conf_t *confdata;
- lwres_addr_t address;
-
- confdata = &ctx->confdata;
-
- if (confdata->nsnext == LWRES_CONFMAXNAMESERVERS)
- return (LWRES_R_SUCCESS);
-
- res = getword(fp, word, sizeof(word));
- if (strlen(word) == 0U)
- return (LWRES_R_FAILURE); /* Nothing on line. */
- else if (res == ' ' || res == '\t')
- res = eatwhite(fp);
-
- if (res != EOF && res != '\n')
- return (LWRES_R_FAILURE); /* Extra junk on line. */
-
- res = lwres_create_addr(word, &address, 1);
- if (res == LWRES_R_SUCCESS)
- confdata->nameservers[confdata->nsnext++] = address;
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parselwserver(lwres_context_t *ctx, FILE *fp) {
- char word[LWRES_CONFMAXLINELEN];
- int res;
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- if (confdata->lwnext == LWRES_CONFMAXLWSERVERS)
- return (LWRES_R_SUCCESS);
-
- res = getword(fp, word, sizeof(word));
- if (strlen(word) == 0U)
- return (LWRES_R_FAILURE); /* Nothing on line. */
- else if (res == ' ' || res == '\t')
- res = eatwhite(fp);
-
- if (res != EOF && res != '\n')
- return (LWRES_R_FAILURE); /* Extra junk on line. */
-
- res = lwres_create_addr(word,
- &confdata->lwservers[confdata->lwnext++], 1);
- if (res != LWRES_R_SUCCESS)
- return (res);
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp) {
- char word[LWRES_CONFMAXLINELEN];
- int res, i;
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- res = getword(fp, word, sizeof(word));
- if (strlen(word) == 0U)
- return (LWRES_R_FAILURE); /* Nothing else on line. */
- else if (res == ' ' || res == '\t')
- res = eatwhite(fp);
-
- if (res != EOF && res != '\n')
- return (LWRES_R_FAILURE); /* Extra junk on line. */
-
- if (confdata->domainname != NULL)
- CTXFREE(confdata->domainname,
- strlen(confdata->domainname) + 1); /* */
-
- /*
- * Search and domain are mutually exclusive.
- */
- for (i = 0; i < LWRES_CONFMAXSEARCH; i++) {
- if (confdata->search[i] != NULL) {
- CTXFREE(confdata->search[i],
- strlen(confdata->search[i])+1);
- confdata->search[i] = NULL;
- }
- }
- confdata->searchnxt = 0;
-
- confdata->domainname = lwres_strdup(ctx, word);
-
- if (confdata->domainname == NULL)
- return (LWRES_R_FAILURE);
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsesearch(lwres_context_t *ctx, FILE *fp) {
- int idx, delim;
- char word[LWRES_CONFMAXLINELEN];
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- if (confdata->domainname != NULL) {
- /*
- * Search and domain are mutually exclusive.
- */
- CTXFREE(confdata->domainname,
- strlen(confdata->domainname) + 1);
- confdata->domainname = NULL;
- }
-
- /*
- * Remove any previous search definitions.
- */
- for (idx = 0; idx < LWRES_CONFMAXSEARCH; idx++) {
- if (confdata->search[idx] != NULL) {
- CTXFREE(confdata->search[idx],
- strlen(confdata->search[idx])+1);
- confdata->search[idx] = NULL;
- }
- }
- confdata->searchnxt = 0;
-
- delim = getword(fp, word, sizeof(word));
- if (strlen(word) == 0U)
- return (LWRES_R_FAILURE); /* Nothing else on line. */
-
- idx = 0;
- while (strlen(word) > 0U) {
- if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
- goto ignore; /* Too many domains. */
-
- confdata->search[idx] = lwres_strdup(ctx, word);
- if (confdata->search[idx] == NULL)
- return (LWRES_R_FAILURE);
- idx++;
- confdata->searchnxt++;
-
- ignore:
- if (delim == EOF || delim == '\n')
- break;
- else
- delim = getword(fp, word, sizeof(word));
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_create_addr(const char *buffer, lwres_addr_t *addr, int convert_zero) {
- struct in_addr v4;
- struct in6_addr v6;
-
- if (lwres_net_aton(buffer, &v4) == 1) {
- if (convert_zero) {
- unsigned char zeroaddress[] = {0, 0, 0, 0};
- unsigned char loopaddress[] = {127, 0, 0, 1};
- if (memcmp(&v4, zeroaddress, 4) == 0)
- memcpy(&v4, loopaddress, 4);
- }
- addr->family = LWRES_ADDRTYPE_V4;
- addr->length = NS_INADDRSZ;
- memcpy((void *)addr->address, &v4, NS_INADDRSZ);
-
- } else if (lwres_net_pton(AF_INET6, buffer, &v6) == 1) {
- addr->family = LWRES_ADDRTYPE_V6;
- addr->length = NS_IN6ADDRSZ;
- memcpy((void *)addr->address, &v6, NS_IN6ADDRSZ);
- } else {
- return (LWRES_R_FAILURE); /* Unrecognised format. */
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parsesortlist(lwres_context_t *ctx, FILE *fp) {
- int delim, res, idx;
- char word[LWRES_CONFMAXLINELEN];
- char *p;
- lwres_conf_t *confdata;
-
- confdata = &ctx->confdata;
-
- delim = getword(fp, word, sizeof(word));
- if (strlen(word) == 0U)
- return (LWRES_R_FAILURE); /* Empty line after keyword. */
-
- while (strlen(word) > 0U) {
- if (confdata->sortlistnxt == LWRES_CONFMAXSORTLIST)
- return (LWRES_R_FAILURE); /* Too many values. */
-
- p = strchr(word, '/');
- if (p != NULL)
- *p++ = '\0';
-
- idx = confdata->sortlistnxt;
- res = lwres_create_addr(word, &confdata->sortlist[idx].addr, 1);
- if (res != LWRES_R_SUCCESS)
- return (res);
-
- if (p != NULL) {
- res = lwres_create_addr(p,
- &confdata->sortlist[idx].mask,
- 0);
- if (res != LWRES_R_SUCCESS)
- return (res);
- } else {
- /*
- * Make up a mask.
- */
- confdata->sortlist[idx].mask =
- confdata->sortlist[idx].addr;
-
- memset(&confdata->sortlist[idx].mask.address, 0xff,
- confdata->sortlist[idx].addr.length);
- }
-
- confdata->sortlistnxt++;
-
- if (delim == EOF || delim == '\n')
- break;
- else
- delim = getword(fp, word, sizeof(word));
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-static lwres_result_t
-lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp) {
- int delim;
- long ndots;
- char *p;
- char word[LWRES_CONFMAXLINELEN];
- lwres_conf_t *confdata;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- delim = getword(fp, word, sizeof(word));
- if (strlen(word) == 0U)
- return (LWRES_R_FAILURE); /* Empty line after keyword. */
-
- while (strlen(word) > 0U) {
- if (strcmp("debug", word) == 0) {
- confdata->resdebug = 1;
- } else if (strcmp("no_tld_query", word) == 0) {
- confdata->no_tld_query = 1;
- } else if (strncmp("ndots:", word, 6) == 0) {
- ndots = strtol(word + 6, &p, 10);
- if (*p != '\0') /* Bad string. */
- return (LWRES_R_FAILURE);
- if (ndots < 0 || ndots > 0xff) /* Out of range. */
- return (LWRES_R_FAILURE);
- confdata->ndots = (lwres_uint8_t)ndots;
- }
-
- if (delim == EOF || delim == '\n')
- break;
- else
- delim = getword(fp, word, sizeof(word));
- }
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
- FILE *fp = NULL;
- char word[256];
- lwres_result_t rval, ret;
- lwres_conf_t *confdata;
- int stopchar;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- REQUIRE(filename != NULL);
- REQUIRE(strlen(filename) > 0U);
- REQUIRE(confdata != NULL);
-
- errno = 0;
- if ((fp = fopen(filename, "r")) == NULL)
- return (LWRES_R_FAILURE);
-
- ret = LWRES_R_SUCCESS;
- do {
- stopchar = getword(fp, word, sizeof(word));
- if (stopchar == EOF) {
- rval = LWRES_R_SUCCESS;
- break;
- }
-
- if (strlen(word) == 0U)
- rval = LWRES_R_SUCCESS;
- else if (strcmp(word, "nameserver") == 0)
- rval = lwres_conf_parsenameserver(ctx, fp);
- else if (strcmp(word, "lwserver") == 0)
- rval = lwres_conf_parselwserver(ctx, fp);
- else if (strcmp(word, "domain") == 0)
- rval = lwres_conf_parsedomain(ctx, fp);
- else if (strcmp(word, "search") == 0)
- rval = lwres_conf_parsesearch(ctx, fp);
- else if (strcmp(word, "sortlist") == 0)
- rval = lwres_conf_parsesortlist(ctx, fp);
- else if (strcmp(word, "options") == 0)
- rval = lwres_conf_parseoption(ctx, fp);
- else {
- /* unrecognised word. Ignore entire line */
- rval = LWRES_R_SUCCESS;
- stopchar = eatline(fp);
- if (stopchar == EOF) {
- break;
- }
- }
- if (ret == LWRES_R_SUCCESS && rval != LWRES_R_SUCCESS)
- ret = rval;
- } while (1);
-
- fclose(fp);
-
- return (ret);
-}
-
-lwres_result_t
-lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
- int i;
- int af;
- char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
- const char *p;
- lwres_conf_t *confdata;
- lwres_addr_t tmpaddr;
-
- REQUIRE(ctx != NULL);
- confdata = &ctx->confdata;
-
- REQUIRE(confdata->nsnext <= LWRES_CONFMAXNAMESERVERS);
-
- for (i = 0; i < confdata->nsnext; i++) {
- af = lwresaddr2af(confdata->nameservers[i].family);
-
- p = lwres_net_ntop(af, confdata->nameservers[i].address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, "nameserver %s\n", tmp);
- }
-
- for (i = 0; i < confdata->lwnext; i++) {
- af = lwresaddr2af(confdata->lwservers[i].family);
-
- p = lwres_net_ntop(af, confdata->lwservers[i].address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, "lwserver %s\n", tmp);
- }
-
- if (confdata->domainname != NULL) {
- fprintf(fp, "domain %s\n", confdata->domainname);
- } else if (confdata->searchnxt > 0) {
- REQUIRE(confdata->searchnxt <= LWRES_CONFMAXSEARCH);
-
- fprintf(fp, "search");
- for (i = 0; i < confdata->searchnxt; i++)
- fprintf(fp, " %s", confdata->search[i]);
- fputc('\n', fp);
- }
-
- REQUIRE(confdata->sortlistnxt <= LWRES_CONFMAXSORTLIST);
-
- if (confdata->sortlistnxt > 0) {
- fputs("sortlist", fp);
- for (i = 0; i < confdata->sortlistnxt; i++) {
- af = lwresaddr2af(confdata->sortlist[i].addr.family);
-
- p = lwres_net_ntop(af,
- confdata->sortlist[i].addr.address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, " %s", tmp);
-
- tmpaddr = confdata->sortlist[i].mask;
- memset(&tmpaddr.address, 0xff, tmpaddr.length);
-
- if (memcmp(&tmpaddr.address,
- confdata->sortlist[i].mask.address,
- confdata->sortlist[i].mask.length) != 0) {
- af = lwresaddr2af(
- confdata->sortlist[i].mask.family);
- p = lwres_net_ntop
- (af,
- confdata->sortlist[i].mask.address,
- tmp, sizeof(tmp));
- if (p != tmp)
- return (LWRES_R_FAILURE);
-
- fprintf(fp, "/%s", tmp);
- }
- }
- fputc('\n', fp);
- }
-
- if (confdata->resdebug)
- fprintf(fp, "options debug\n");
-
- if (confdata->ndots > 0)
- fprintf(fp, "options ndots:%d\n", confdata->ndots);
-
- if (confdata->no_tld_query)
- fprintf(fp, "options no_tld_query\n");
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_conf_t *
-lwres_conf_get(lwres_context_t *ctx) {
- REQUIRE(ctx != NULL);
-
- return (&ctx->confdata);
-}
diff --git a/contrib/bind9/lib/lwres/lwinetaton.c b/contrib/bind9/lib/lwres/lwinetaton.c
deleted file mode 100644
index aa630271e8e7..000000000000
--- a/contrib/bind9/lib/lwres/lwinetaton.c
+++ /dev/null
@@ -1,203 +0,0 @@
-/*
- * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1996-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1983, 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Portions Copyright (c) 1993 by Digital Equipment Corporation.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies, and that
- * the name of Digital Equipment Corporation not be used in advertising or
- * publicity pertaining to distribution of the document or software without
- * specific, written prior permission.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
- * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
- * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
- * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
- * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
- * SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.10.2.1.2.1 2004/03/06 08:15:32 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <ctype.h>
-
-#include <stddef.h>
-
-#include <lwres/int.h>
-#include <lwres/net.h>
-
-#include "assert_p.h"
-
-/*
- * Check whether "cp" is a valid ascii representation
- * of an Internet address and convert to a binary address.
- * Returns 1 if the address is valid, 0 if not.
- * This replaces inet_addr, the return value from which
- * cannot distinguish between failure and a local broadcast address.
- */
-int
-lwres_net_aton(const char *cp, struct in_addr *addr) {
- unsigned long val;
- int base, n;
- unsigned char c;
- lwres_uint8_t parts[4];
- lwres_uint8_t *pp = parts;
- int digit;
-
- REQUIRE(cp != NULL);
-
- c = *cp;
- for (;;) {
- /*
- * Collect number up to ``.''.
- * Values are specified as for C:
- * 0x=hex, 0=octal, isdigit=decimal.
- */
- if (!isdigit(c & 0xff))
- return (0);
- val = 0;
- base = 10;
- digit = 0;
- if (c == '0') {
- c = *++cp;
- if (c == 'x' || c == 'X') {
- base = 16;
- c = *++cp;
- } else {
- base = 8;
- digit = 1;
- }
- }
- for (;;) {
- /*
- * isascii() is valid for all integer values, and
- * when it is true, c is known to be in scope
- * for isdigit(). No cast necessary. Similar
- * comment applies for later ctype uses.
- */
- if (isascii(c) && isdigit(c)) {
- if (base == 8 && (c == '8' || c == '9'))
- return (0);
- val = (val * base) + (c - '0');
- c = *++cp;
- digit = 1;
- } else if (base == 16 && isascii(c) && isxdigit(c)) {
- val = (val << 4) |
- (c + 10 - (islower(c) ? 'a' : 'A'));
- c = *++cp;
- digit = 1;
- } else
- break;
- }
- if (c == '.') {
- /*
- * Internet format:
- * a.b.c.d
- * a.b.c (with c treated as 16 bits)
- * a.b (with b treated as 24 bits)
- */
- if (pp >= parts + 3 || val > 0xffU)
- return (0);
- *pp++ = (lwres_uint8_t)val;
- c = *++cp;
- } else
- break;
- }
- /*
- * Check for trailing characters.
- */
- if (c != '\0' && (!isascii(c) || !isspace(c)))
- return (0);
- /*
- * Did we get a valid digit?
- */
- if (!digit)
- return (0);
- /*
- * Concoct the address according to
- * the number of parts specified.
- */
- n = pp - parts + 1;
- switch (n) {
- case 1: /* a -- 32 bits */
- break;
-
- case 2: /* a.b -- 8.24 bits */
- if (val > 0xffffffU)
- return (0);
- val |= parts[0] << 24;
- break;
-
- case 3: /* a.b.c -- 8.8.16 bits */
- if (val > 0xffffU)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16);
- break;
-
- case 4: /* a.b.c.d -- 8.8.8.8 bits */
- if (val > 0xffU)
- return (0);
- val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
- break;
- }
- if (addr != NULL)
- addr->s_addr = htonl(val);
-
- return (1);
-}
diff --git a/contrib/bind9/lib/lwres/lwinetntop.c b/contrib/bind9/lib/lwres/lwinetntop.c
deleted file mode 100644
index 78cd0b033e33..000000000000
--- a/contrib/bind9/lib/lwres/lwinetntop.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] =
- "$Id: lwinetntop.c,v 1.9.12.5 2005/11/04 00:16:34 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <lwres/net.h>
-#include "print_p.h"
-
-#define NS_INT16SZ 2
-#define NS_IN6ADDRSZ 16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *inet_ntop4(const unsigned char *src, char *dst,
- size_t size);
-
-#ifdef AF_INET6
-static const char *inet_ntop6(const unsigned char *src, char *dst,
- size_t size);
-#endif
-
-/* char *
- * lwres_net_ntop(af, src, dst, size)
- * convert a network format address to presentation format.
- * return:
- * pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
- * Paul Vixie, 1996.
- */
-const char *
-lwres_net_ntop(int af, const void *src, char *dst, size_t size) {
- switch (af) {
- case AF_INET:
- return (inet_ntop4(src, dst, size));
-#ifdef AF_INET6
- case AF_INET6:
- return (inet_ntop6(src, dst, size));
-#endif
- default:
- errno = EAFNOSUPPORT;
- return (NULL);
- }
- /* NOTREACHED */
-}
-
-/* const char *
- * inet_ntop4(src, dst, size)
- * format an IPv4 address
- * return:
- * `dst' (as a const)
- * notes:
- * (1) uses no statics
- * (2) takes a unsigned char* not an in_addr as input
- * author:
- * Paul Vixie, 1996.
- */
-static const char *
-inet_ntop4(const unsigned char *src, char *dst, size_t size) {
- static const char fmt[] = "%u.%u.%u.%u";
- char tmp[sizeof("255.255.255.255")];
- size_t len;
-
- len = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
- if (len >= size) {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
-
- return (dst);
-}
-
-/* const char *
- * inet_ntop6(src, dst, size)
- * convert IPv6 binary address into presentation (printable) format
- * author:
- * Paul Vixie, 1996.
- */
-#ifdef AF_INET6
-static const char *
-inet_ntop6(const unsigned char *src, char *dst, size_t size) {
- /*
- * Note that int32_t and int16_t need only be "at least" large enough
- * to contain a value of the specified size. On some systems, like
- * Crays, there is no such thing as an integer variable with 16 bits.
- * Keep this in mind if you think this function should have been coded
- * to use pointer overlays. All the world's not a VAX.
- */
- char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
- struct { int base, len; } best, cur;
- unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
- int i;
-
- /*
- * Preprocess:
- * Copy the input (bytewise) array into a wordwise array.
- * Find the longest run of 0x00's in src[] for :: shorthanding.
- */
- memset(words, '\0', sizeof(words));
- for (i = 0; i < NS_IN6ADDRSZ; i++)
- words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
- best.base = -1;
- best.len = 0;
- cur.base = -1;
- cur.len = 0;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- if (words[i] == 0) {
- if (cur.base == -1)
- cur.base = i, cur.len = 1;
- else
- cur.len++;
- } else {
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- cur.base = -1;
- }
- }
- }
- if (cur.base != -1) {
- if (best.base == -1 || cur.len > best.len)
- best = cur;
- }
- if (best.base != -1 && best.len < 2)
- best.base = -1;
-
- /*
- * Format the result.
- */
- tp = tmp;
- for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
- /* Are we inside the best run of 0x00's? */
- if (best.base != -1 && i >= best.base &&
- i < (best.base + best.len)) {
- if (i == best.base)
- *tp++ = ':';
- continue;
- }
- /* Are we following an initial run of 0x00s or any real hex? */
- if (i != 0)
- *tp++ = ':';
- /* Is this address an encapsulated IPv4? */
- if (i == 6 && best.base == 0 &&
- (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
- if (!inet_ntop4(src+12, tp,
- sizeof(tmp) - (tp - tmp)))
- return (NULL);
- tp += strlen(tp);
- break;
- }
- tp += sprintf(tp, "%x", words[i]); /* XXX */
- }
- /* Was it a trailing run of 0x00's? */
- if (best.base != -1 && (best.base + best.len) ==
- (NS_IN6ADDRSZ / NS_INT16SZ))
- *tp++ = ':';
- *tp++ = '\0';
-
- /*
- * Check for overflow, copy, and we're done.
- */
- if ((size_t)(tp - tmp) > size) {
- errno = ENOSPC;
- return (NULL);
- }
- strcpy(dst, tmp);
- return (dst);
-}
-#endif /* AF_INET6 */
diff --git a/contrib/bind9/lib/lwres/lwinetpton.c b/contrib/bind9/lib/lwres/lwinetpton.c
deleted file mode 100644
index e24334b1c82d..000000000000
--- a/contrib/bind9/lib/lwres/lwinetpton.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.6.206.3 2005/03/31 23:56:15 marka Exp $";
-#endif /* LIBC_SCCS and not lint */
-
-#include <config.h>
-
-#include <errno.h>
-#include <string.h>
-
-#include <lwres/net.h>
-
-#define NS_INT16SZ 2
-#define NS_INADDRSZ 4
-#define NS_IN6ADDRSZ 16
-
-/*
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static int inet_pton4(const char *src, unsigned char *dst);
-static int inet_pton6(const char *src, unsigned char *dst);
-
-/* int
- * lwres_net_pton(af, src, dst)
- * convert from presentation format (which usually means ASCII printable)
- * to network format (which is usually some kind of binary format).
- * return:
- * 1 if the address was valid for the specified address family
- * 0 if the address wasn't valid (`dst' is untouched in this case)
- * -1 if some other error occurred (`dst' is untouched in this case, too)
- * author:
- * Paul Vixie, 1996.
- */
-int
-lwres_net_pton(int af, const char *src, void *dst) {
- switch (af) {
- case AF_INET:
- return (inet_pton4(src, dst));
- case AF_INET6:
- return (inet_pton6(src, dst));
- default:
- errno = EAFNOSUPPORT;
- return (-1);
- }
- /* NOTREACHED */
-}
-
-/* int
- * inet_pton4(src, dst)
- * like inet_aton() but without all the hexadecimal and shorthand.
- * return:
- * 1 if `src' is a valid dotted quad, else 0.
- * notice:
- * does not touch `dst' unless it's returning 1.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton4(const char *src, unsigned char *dst) {
- static const char digits[] = "0123456789";
- int saw_digit, octets, ch;
- unsigned char tmp[NS_INADDRSZ], *tp;
-
- saw_digit = 0;
- octets = 0;
- *(tp = tmp) = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr(digits, ch)) != NULL) {
- unsigned int new = *tp * 10 + (pch - digits);
-
- if (new > 255)
- return (0);
- *tp = new;
- if (! saw_digit) {
- if (++octets > 4)
- return (0);
- saw_digit = 1;
- }
- } else if (ch == '.' && saw_digit) {
- if (octets == 4)
- return (0);
- *++tp = 0;
- saw_digit = 0;
- } else
- return (0);
- }
- if (octets < 4)
- return (0);
- memcpy(dst, tmp, NS_INADDRSZ);
- return (1);
-}
-
-/* int
- * inet_pton6(src, dst)
- * convert presentation level address to network order binary form.
- * return:
- * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
- * notice:
- * (1) does not touch `dst' unless it's returning 1.
- * (2) :: in a full address is silently ignored.
- * credit:
- * inspired by Mark Andrews.
- * author:
- * Paul Vixie, 1996.
- */
-static int
-inet_pton6(const char *src, unsigned char *dst) {
- static const char xdigits_l[] = "0123456789abcdef",
- xdigits_u[] = "0123456789ABCDEF";
- unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
- const char *xdigits, *curtok;
- int ch, seen_xdigits;
- unsigned int val;
-
- memset((tp = tmp), '\0', NS_IN6ADDRSZ);
- endp = tp + NS_IN6ADDRSZ;
- colonp = NULL;
- /* Leading :: requires some special handling. */
- if (*src == ':')
- if (*++src != ':')
- return (0);
- curtok = src;
- seen_xdigits = 0;
- val = 0;
- while ((ch = *src++) != '\0') {
- const char *pch;
-
- if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
- pch = strchr((xdigits = xdigits_u), ch);
- if (pch != NULL) {
- val <<= 4;
- val |= (pch - xdigits);
- if (++seen_xdigits > 4)
- return (0);
- continue;
- }
- if (ch == ':') {
- curtok = src;
- if (!seen_xdigits) {
- if (colonp)
- return (0);
- colonp = tp;
- continue;
- }
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char) (val >> 8) & 0xff;
- *tp++ = (unsigned char) val & 0xff;
- seen_xdigits = 0;
- val = 0;
- continue;
- }
- if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
- inet_pton4(curtok, tp) > 0) {
- tp += NS_INADDRSZ;
- seen_xdigits = 0;
- break; /* '\0' was seen by inet_pton4(). */
- }
- return (0);
- }
- if (seen_xdigits) {
- if (tp + NS_INT16SZ > endp)
- return (0);
- *tp++ = (unsigned char) (val >> 8) & 0xff;
- *tp++ = (unsigned char) val & 0xff;
- }
- if (colonp != NULL) {
- /*
- * Since some memmove()'s erroneously fail to handle
- * overlapping regions, we'll do the shift by hand.
- */
- const int n = tp - colonp;
- int i;
-
- for (i = 1; i <= n; i++) {
- endp[- i] = colonp[n - i];
- colonp[n - i] = 0;
- }
- tp = endp;
- }
- if (tp != endp)
- return (0);
- memcpy(dst, tmp, NS_IN6ADDRSZ);
- return (1);
-}
diff --git a/contrib/bind9/lib/lwres/lwpacket.c b/contrib/bind9/lib/lwres/lwpacket.c
deleted file mode 100644
index 6e28df02d677..000000000000
--- a/contrib/bind9/lib/lwres/lwpacket.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwpacket.c,v 1.13.206.1 2004/03/06 08:15:32 marka Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-
-#define LWPACKET_LENGTH \
- (sizeof(lwres_uint16_t) * 4 + sizeof(lwres_uint32_t) * 5)
-
-lwres_result_t
-lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
-
- if (!SPACE_OK(b, LWPACKET_LENGTH))
- return (LWRES_R_UNEXPECTEDEND);
-
- lwres_buffer_putuint32(b, pkt->length);
- lwres_buffer_putuint16(b, pkt->version);
- lwres_buffer_putuint16(b, pkt->pktflags);
- lwres_buffer_putuint32(b, pkt->serial);
- lwres_buffer_putuint32(b, pkt->opcode);
- lwres_buffer_putuint32(b, pkt->result);
- lwres_buffer_putuint32(b, pkt->recvlength);
- lwres_buffer_putuint16(b, pkt->authtype);
- lwres_buffer_putuint16(b, pkt->authlength);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
- lwres_uint32_t space;
-
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
-
- space = LWRES_BUFFER_REMAINING(b);
- if (space < LWPACKET_LENGTH)
- return (LWRES_R_UNEXPECTEDEND);
-
- pkt->length = lwres_buffer_getuint32(b);
- /*
- * XXXBEW/MLG Checking that the buffer is long enough probably
- * shouldn't be done here, since this function is supposed to just
- * parse the header.
- */
- if (pkt->length > space)
- return (LWRES_R_UNEXPECTEDEND);
- pkt->version = lwres_buffer_getuint16(b);
- pkt->pktflags = lwres_buffer_getuint16(b);
- pkt->serial = lwres_buffer_getuint32(b);
- pkt->opcode = lwres_buffer_getuint32(b);
- pkt->result = lwres_buffer_getuint32(b);
- pkt->recvlength = lwres_buffer_getuint32(b);
- pkt->authtype = lwres_buffer_getuint16(b);
- pkt->authlength = lwres_buffer_getuint16(b);
-
- return (LWRES_R_SUCCESS);
-}
diff --git a/contrib/bind9/lib/lwres/lwres_gabn.c b/contrib/bind9/lib/lwres/lwres_gabn.c
deleted file mode 100644
index 9df87ce6706c..000000000000
--- a/contrib/bind9/lib/lwres/lwres_gabn.c
+++ /dev/null
@@ -1,415 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_gabn.c,v 1.27.12.3 2004/03/08 09:05:10 marka Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(req->name != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- datalen = strlen(req->name);
-
- payload_length = 4 + 4 + 2 + req->namelen + 1;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
-
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Flags.
- */
- lwres_buffer_putuint32(b, req->flags);
-
- /*
- * Address types we'll accept.
- */
- lwres_buffer_putuint32(b, req->addrtypes);
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
- lwres_buffer_putuint8(b, 0); /* trailing NUL */
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
- lwres_addr_t *addr;
- int x;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- /* naliases, naddrs */
- payload_length = 4 + 2 + 2;
- /* real name encoding */
- payload_length += 2 + req->realnamelen + 1;
- /* each alias */
- for (x = 0; x < req->naliases; x++)
- payload_length += 2 + req->aliaslen[x] + 1;
- /* each address */
- x = 0;
- addr = LWRES_LIST_HEAD(req->addrs);
- while (addr != NULL) {
- payload_length += 4 + 2;
- payload_length += addr->length;
- addr = LWRES_LIST_NEXT(addr, link);
- x++;
- }
- INSIST(x == req->naddrs);
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- /*
- * Check space needed here.
- */
- INSIST(SPACE_OK(b, payload_length));
-
- /* Flags. */
- lwres_buffer_putuint32(b, req->flags);
-
- /* encode naliases and naddrs */
- lwres_buffer_putuint16(b, req->naliases);
- lwres_buffer_putuint16(b, req->naddrs);
-
- /* encode the real name */
- datalen = req->realnamelen;
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
- lwres_buffer_putuint8(b, 0);
-
- /* encode the aliases */
- for (x = 0; x < req->naliases; x++) {
- datalen = req->aliaslen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
- datalen);
- lwres_buffer_putuint8(b, 0);
- }
-
- /* encode the addresses */
- addr = LWRES_LIST_HEAD(req->addrs);
- while (addr != NULL) {
- lwres_buffer_putuint32(b, addr->family);
- lwres_buffer_putuint16(b, addr->length);
- lwres_buffer_putmem(b, addr->address, addr->length);
- addr = LWRES_LIST_NEXT(addr, link);
- }
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
- INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp)
-{
- int ret;
- char *name;
- lwres_gabnrequest_t *gabn;
- lwres_uint32_t addrtypes;
- lwres_uint32_t flags;
- lwres_uint16_t namelen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- if (!SPACE_REMAINING(b, 4 + 4))
- return (LWRES_R_UNEXPECTEDEND);
-
- flags = lwres_buffer_getuint32(b);
- addrtypes = lwres_buffer_getuint32(b);
-
- /*
- * Pull off the name itself
- */
- ret = lwres_string_parse(b, &name, &namelen);
- if (ret != LWRES_R_SUCCESS)
- return (ret);
-
- if (LWRES_BUFFER_REMAINING(b) != 0)
- return (LWRES_R_TRAILINGDATA);
-
- gabn = CTXMALLOC(sizeof(lwres_gabnrequest_t));
- if (gabn == NULL)
- return (LWRES_R_NOMEMORY);
-
- gabn->flags = flags;
- gabn->addrtypes = addrtypes;
- gabn->name = name;
- gabn->namelen = namelen;
-
- *structp = gabn;
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp)
-{
- lwres_result_t ret;
- unsigned int x;
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- lwres_gabnresponse_t *gabn;
- lwres_addrlist_t addrlist;
- lwres_addr_t *addr;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- gabn = NULL;
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- /*
- * Pull off the name itself
- */
- if (!SPACE_REMAINING(b, 4 + 2 + 2))
- return (LWRES_R_UNEXPECTEDEND);
- flags = lwres_buffer_getuint32(b);
- naliases = lwres_buffer_getuint16(b);
- naddrs = lwres_buffer_getuint16(b);
-
- gabn = CTXMALLOC(sizeof(lwres_gabnresponse_t));
- if (gabn == NULL)
- return (LWRES_R_NOMEMORY);
- gabn->aliases = NULL;
- gabn->aliaslen = NULL;
- LWRES_LIST_INIT(gabn->addrs);
- gabn->base = NULL;
-
- gabn->flags = flags;
- gabn->naliases = naliases;
- gabn->naddrs = naddrs;
-
- LWRES_LIST_INIT(addrlist);
-
- if (naliases > 0) {
- gabn->aliases = CTXMALLOC(sizeof(char *) * naliases);
- if (gabn->aliases == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- gabn->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
- if (gabn->aliaslen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- for (x = 0; x < naddrs; x++) {
- addr = CTXMALLOC(sizeof(lwres_addr_t));
- if (addr == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- LWRES_LINK_INIT(addr, link);
- LWRES_LIST_APPEND(addrlist, addr, link);
- }
-
- /*
- * Now, pull off the real name.
- */
- ret = lwres_string_parse(b, &gabn->realname, &gabn->realnamelen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Parse off the aliases.
- */
- for (x = 0; x < gabn->naliases; x++) {
- ret = lwres_string_parse(b, &gabn->aliases[x],
- &gabn->aliaslen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- /*
- * Pull off the addresses. We already strung the linked list
- * up above.
- */
- addr = LWRES_LIST_HEAD(addrlist);
- for (x = 0; x < gabn->naddrs; x++) {
- INSIST(addr != NULL);
- ret = lwres_addr_parse(b, addr);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- addr = LWRES_LIST_NEXT(addr, link);
- }
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- gabn->addrs = addrlist;
-
- *structp = gabn;
- return (LWRES_R_SUCCESS);
-
- out:
- if (gabn != NULL) {
- if (gabn->aliases != NULL)
- CTXFREE(gabn->aliases, sizeof(char *) * naliases);
- if (gabn->aliaslen != NULL)
- CTXFREE(gabn->aliaslen,
- sizeof(lwres_uint16_t) * naliases);
- addr = LWRES_LIST_HEAD(addrlist);
- while (addr != NULL) {
- LWRES_LIST_UNLINK(addrlist, addr, link);
- CTXFREE(addr, sizeof(lwres_addr_t));
- addr = LWRES_LIST_HEAD(addrlist);
- }
- CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
- }
-
- return (ret);
-}
-
-void
-lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp)
-{
- lwres_gabnrequest_t *gabn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gabn = *structp;
- *structp = NULL;
-
- CTXFREE(gabn, sizeof(lwres_gabnrequest_t));
-}
-
-void
-lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp)
-{
- lwres_gabnresponse_t *gabn;
- lwres_addr_t *addr;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gabn = *structp;
- *structp = NULL;
-
- if (gabn->naliases > 0) {
- CTXFREE(gabn->aliases, sizeof(char *) * gabn->naliases);
- CTXFREE(gabn->aliaslen,
- sizeof(lwres_uint16_t) * gabn->naliases);
- }
- addr = LWRES_LIST_HEAD(gabn->addrs);
- while (addr != NULL) {
- LWRES_LIST_UNLINK(gabn->addrs, addr, link);
- CTXFREE(addr, sizeof(lwres_addr_t));
- addr = LWRES_LIST_HEAD(gabn->addrs);
- }
- if (gabn->base != NULL)
- CTXFREE(gabn->base, gabn->baselen);
- CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwres_gnba.c b/contrib/bind9/lib/lwres/lwres_gnba.c
deleted file mode 100644
index a11c0665792d..000000000000
--- a/contrib/bind9/lib/lwres/lwres_gnba.c
+++ /dev/null
@@ -1,328 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_gnba.c,v 1.20.2.2.8.4 2004/03/08 09:05:11 marka Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(req->addr.family != 0);
- REQUIRE(req->addr.length != 0);
- REQUIRE(req->addr.address != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- payload_length = 4 + 4 + 2 + + req->addr.length;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint32(b, req->flags);
- lwres_buffer_putuint32(b, req->addr.family);
- lwres_buffer_putuint16(b, req->addr.length);
- lwres_buffer_putmem(b, (unsigned char *)req->addr.address,
- req->addr.length);
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
- int x;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- /*
- * Calculate packet size.
- */
- payload_length = 4; /* flags */
- payload_length += 2; /* naliases */
- payload_length += 2 + req->realnamelen + 1; /* real name encoding */
- for (x = 0; x < req->naliases; x++) /* each alias */
- payload_length += 2 + req->aliaslen[x] + 1;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
- lwres_buffer_putuint32(b, req->flags);
-
- /* encode naliases */
- lwres_buffer_putuint16(b, req->naliases);
-
- /* encode the real name */
- datalen = req->realnamelen;
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
- lwres_buffer_putuint8(b, 0);
-
- /* encode the aliases */
- for (x = 0; x < req->naliases; x++) {
- datalen = req->aliaslen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
- datalen);
- lwres_buffer_putuint8(b, 0);
- }
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp)
-{
- int ret;
- lwres_gnbarequest_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- if (!SPACE_REMAINING(b, 4))
- return (LWRES_R_UNEXPECTEDEND);
-
- gnba = CTXMALLOC(sizeof(lwres_gnbarequest_t));
- if (gnba == NULL)
- return (LWRES_R_NOMEMORY);
-
- gnba->flags = lwres_buffer_getuint32(b);
-
- ret = lwres_addr_parse(b, &gnba->addr);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- *structp = gnba;
- return (LWRES_R_SUCCESS);
-
- out:
- if (gnba != NULL)
- lwres_gnbarequest_free(ctx, &gnba);
-
- return (ret);
-}
-
-lwres_result_t
-lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp)
-{
- int ret;
- unsigned int x;
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_gnbaresponse_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- gnba = NULL;
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- /*
- * Pull off flags & naliases
- */
- if (!SPACE_REMAINING(b, 4 + 2))
- return (LWRES_R_UNEXPECTEDEND);
- flags = lwres_buffer_getuint32(b);
- naliases = lwres_buffer_getuint16(b);
-
- gnba = CTXMALLOC(sizeof(lwres_gnbaresponse_t));
- if (gnba == NULL)
- return (LWRES_R_NOMEMORY);
- gnba->base = NULL;
- gnba->aliases = NULL;
- gnba->aliaslen = NULL;
-
- gnba->flags = flags;
- gnba->naliases = naliases;
-
- if (naliases > 0) {
- gnba->aliases = CTXMALLOC(sizeof(char *) * naliases);
- if (gnba->aliases == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- gnba->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
- if (gnba->aliaslen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- /*
- * Now, pull off the real name.
- */
- ret = lwres_string_parse(b, &gnba->realname, &gnba->realnamelen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Parse off the aliases.
- */
- for (x = 0; x < gnba->naliases; x++) {
- ret = lwres_string_parse(b, &gnba->aliases[x],
- &gnba->aliaslen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- *structp = gnba;
- return (LWRES_R_SUCCESS);
-
- out:
- if (gnba != NULL) {
- if (gnba->aliases != NULL)
- CTXFREE(gnba->aliases, sizeof(char *) * naliases);
- if (gnba->aliaslen != NULL)
- CTXFREE(gnba->aliaslen,
- sizeof(lwres_uint16_t) * naliases);
- CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
- }
-
- return (ret);
-}
-
-void
-lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp)
-{
- lwres_gnbarequest_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gnba = *structp;
- *structp = NULL;
-
- CTXFREE(gnba, sizeof(lwres_gnbarequest_t));
-}
-
-void
-lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp)
-{
- lwres_gnbaresponse_t *gnba;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- gnba = *structp;
- *structp = NULL;
-
- if (gnba->naliases > 0) {
- CTXFREE(gnba->aliases, sizeof(char *) * gnba->naliases);
- CTXFREE(gnba->aliaslen,
- sizeof(lwres_uint16_t) * gnba->naliases);
- }
- if (gnba->base != NULL)
- CTXFREE(gnba->base, gnba->baselen);
- CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwres_grbn.c b/contrib/bind9/lib/lwres/lwres_grbn.c
deleted file mode 100644
index f8147fc622e8..000000000000
--- a/contrib/bind9/lib/lwres/lwres_grbn.c
+++ /dev/null
@@ -1,416 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_grbn.c,v 1.4.12.3 2004/03/08 09:05:11 marka Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(req->name != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- datalen = strlen(req->name);
-
- payload_length = 4 + 2 + 2 + 2 + req->namelen + 1;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
-
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Flags.
- */
- lwres_buffer_putuint32(b, req->flags);
-
- /*
- * Class.
- */
- lwres_buffer_putuint16(b, req->rdclass);
-
- /*
- * Type.
- */
- lwres_buffer_putuint16(b, req->rdtype);
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
- lwres_buffer_putuint8(b, 0); /* trailing NUL */
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
- lwres_uint16_t datalen;
- int x;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- /* flags, class, type, ttl, nrdatas, nsigs */
- payload_length = 4 + 2 + 2 + 4 + 2 + 2;
- /* real name encoding */
- payload_length += 2 + req->realnamelen + 1;
- /* each rr */
- for (x = 0; x < req->nrdatas; x++)
- payload_length += 2 + req->rdatalen[x];
- for (x = 0; x < req->nsigs; x++)
- payload_length += 2 + req->siglen[x];
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- /*
- * Check space needed here.
- */
- INSIST(SPACE_OK(b, payload_length));
-
- /* Flags. */
- lwres_buffer_putuint32(b, req->flags);
-
- /* encode class, type, ttl, and nrdatas */
- lwres_buffer_putuint16(b, req->rdclass);
- lwres_buffer_putuint16(b, req->rdtype);
- lwres_buffer_putuint32(b, req->ttl);
- lwres_buffer_putuint16(b, req->nrdatas);
- lwres_buffer_putuint16(b, req->nsigs);
-
- /* encode the real name */
- datalen = req->realnamelen;
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
- lwres_buffer_putuint8(b, 0);
-
- /* encode the rdatas */
- for (x = 0; x < req->nrdatas; x++) {
- datalen = req->rdatalen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, req->rdatas[x], datalen);
- }
-
- /* encode the signatures */
- for (x = 0; x < req->nsigs; x++) {
- datalen = req->siglen[x];
- lwres_buffer_putuint16(b, datalen);
- lwres_buffer_putmem(b, req->sigs[x], datalen);
- }
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
- INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp)
-{
- int ret;
- char *name;
- lwres_grbnrequest_t *grbn;
- lwres_uint32_t flags;
- lwres_uint16_t rdclass, rdtype;
- lwres_uint16_t namelen;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- if (!SPACE_REMAINING(b, 4 + 2 + 2))
- return (LWRES_R_UNEXPECTEDEND);
-
- /*
- * Pull off the flags, class, and type.
- */
- flags = lwres_buffer_getuint32(b);
- rdclass = lwres_buffer_getuint16(b);
- rdtype = lwres_buffer_getuint16(b);
-
- /*
- * Pull off the name itself
- */
- ret = lwres_string_parse(b, &name, &namelen);
- if (ret != LWRES_R_SUCCESS)
- return (ret);
-
- if (LWRES_BUFFER_REMAINING(b) != 0)
- return (LWRES_R_TRAILINGDATA);
-
- grbn = CTXMALLOC(sizeof(lwres_grbnrequest_t));
- if (grbn == NULL)
- return (LWRES_R_NOMEMORY);
-
- grbn->flags = flags;
- grbn->rdclass = rdclass;
- grbn->rdtype = rdtype;
- grbn->name = name;
- grbn->namelen = namelen;
-
- *structp = grbn;
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_grbnresponse_t **structp)
-{
- lwres_result_t ret;
- unsigned int x;
- lwres_uint32_t flags;
- lwres_uint16_t rdclass, rdtype;
- lwres_uint32_t ttl;
- lwres_uint16_t nrdatas, nsigs;
- lwres_grbnresponse_t *grbn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- grbn = NULL;
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- /*
- * Pull off the flags, class, type, ttl, nrdatas, and nsigs
- */
- if (!SPACE_REMAINING(b, 4 + 2 + 2 + 4 + 2 + 2))
- return (LWRES_R_UNEXPECTEDEND);
- flags = lwres_buffer_getuint32(b);
- rdclass = lwres_buffer_getuint16(b);
- rdtype = lwres_buffer_getuint16(b);
- ttl = lwres_buffer_getuint32(b);
- nrdatas = lwres_buffer_getuint16(b);
- nsigs = lwres_buffer_getuint16(b);
-
- /*
- * Pull off the name itself
- */
-
- grbn = CTXMALLOC(sizeof(lwres_grbnresponse_t));
- if (grbn == NULL)
- return (LWRES_R_NOMEMORY);
- grbn->rdatas = NULL;
- grbn->rdatalen = NULL;
- grbn->sigs = NULL;
- grbn->siglen = NULL;
- grbn->base = NULL;
-
- grbn->flags = flags;
- grbn->rdclass = rdclass;
- grbn->rdtype = rdtype;
- grbn->ttl = ttl;
- grbn->nrdatas = nrdatas;
- grbn->nsigs = nsigs;
-
- if (nrdatas > 0) {
- grbn->rdatas = CTXMALLOC(sizeof(char *) * nrdatas);
- if (grbn->rdatas == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- grbn->rdatalen = CTXMALLOC(sizeof(lwres_uint16_t) * nrdatas);
- if (grbn->rdatalen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- if (nsigs > 0) {
- grbn->sigs = CTXMALLOC(sizeof(char *) * nsigs);
- if (grbn->sigs == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- grbn->siglen = CTXMALLOC(sizeof(lwres_uint16_t) * nsigs);
- if (grbn->siglen == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
- }
-
- /*
- * Now, pull off the real name.
- */
- ret = lwres_string_parse(b, &grbn->realname, &grbn->realnamelen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Parse off the rdatas.
- */
- for (x = 0; x < grbn->nrdatas; x++) {
- ret = lwres_data_parse(b, &grbn->rdatas[x],
- &grbn->rdatalen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- /*
- * Parse off the signatures.
- */
- for (x = 0; x < grbn->nsigs; x++) {
- ret = lwres_data_parse(b, &grbn->sigs[x], &grbn->siglen[x]);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- }
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- *structp = grbn;
- return (LWRES_R_SUCCESS);
-
- out:
- if (grbn != NULL) {
- if (grbn->rdatas != NULL)
- CTXFREE(grbn->rdatas, sizeof(char *) * nrdatas);
- if (grbn->rdatalen != NULL)
- CTXFREE(grbn->rdatalen,
- sizeof(lwres_uint16_t) * nrdatas);
- if (grbn->sigs != NULL)
- CTXFREE(grbn->sigs, sizeof(char *) * nsigs);
- if (grbn->siglen != NULL)
- CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * nsigs);
- CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
- }
-
- return (ret);
-}
-
-void
-lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp)
-{
- lwres_grbnrequest_t *grbn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- grbn = *structp;
- *structp = NULL;
-
- CTXFREE(grbn, sizeof(lwres_grbnrequest_t));
-}
-
-void
-lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp)
-{
- lwres_grbnresponse_t *grbn;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- grbn = *structp;
- *structp = NULL;
-
- if (grbn->nrdatas > 0) {
- CTXFREE(grbn->rdatas, sizeof(char *) * grbn->nrdatas);
- CTXFREE(grbn->rdatalen,
- sizeof(lwres_uint16_t) * grbn->nrdatas);
- }
- if (grbn->nsigs > 0) {
- CTXFREE(grbn->sigs, sizeof(char *) * grbn->nsigs);
- CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * grbn->nsigs);
- }
- if (grbn->base != NULL)
- CTXFREE(grbn->base, grbn->baselen);
- CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwres_noop.c b/contrib/bind9/lib/lwres/lwres_noop.c
deleted file mode 100644
index f67c2b3cb0c5..000000000000
--- a/contrib/bind9/lib/lwres/lwres_noop.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwres_noop.c,v 1.14.206.1 2004/03/06 08:15:33 marka Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwpacket.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "context_p.h"
-#include "assert_p.h"
-
-lwres_result_t
-lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- payload_length = sizeof(lwres_uint16_t) + req->datalength;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_NOOP;
- pkt->result = 0;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, req->datalength);
- lwres_buffer_putmem(b, req->data, req->datalength);
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
- lwres_lwpacket_t *pkt, lwres_buffer_t *b)
-{
- unsigned char *buf;
- size_t buflen;
- int ret;
- size_t payload_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(req != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(b != NULL);
-
- payload_length = sizeof(lwres_uint16_t) + req->datalength;
-
- buflen = LWRES_LWPACKET_LENGTH + payload_length;
- buf = CTXMALLOC(buflen);
- if (buf == NULL)
- return (LWRES_R_NOMEMORY);
- lwres_buffer_init(b, buf, buflen);
-
- pkt->length = buflen;
- pkt->version = LWRES_LWPACKETVERSION_0;
- pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
- pkt->opcode = LWRES_OPCODE_NOOP;
- pkt->authtype = 0;
- pkt->authlength = 0;
-
- ret = lwres_lwpacket_renderheader(b, pkt);
- if (ret != LWRES_R_SUCCESS) {
- lwres_buffer_invalidate(b);
- CTXFREE(buf, buflen);
- return (ret);
- }
-
- INSIST(SPACE_OK(b, payload_length));
-
- /*
- * Put the length and the data. We know this will fit because we
- * just checked for it.
- */
- lwres_buffer_putuint16(b, req->datalength);
- lwres_buffer_putmem(b, req->data, req->datalength);
-
- INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp)
-{
- int ret;
- lwres_nooprequest_t *req;
-
- REQUIRE(ctx != NULL);
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
- return (LWRES_R_FAILURE);
-
- req = CTXMALLOC(sizeof(lwres_nooprequest_t));
- if (req == NULL)
- return (LWRES_R_NOMEMORY);
-
- if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->datalength = lwres_buffer_getuint16(b);
-
- if (!SPACE_REMAINING(b, req->datalength)) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->data = b->base + b->current;
- lwres_buffer_forward(b, req->datalength);
-
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- /* success! */
- *structp = req;
- return (LWRES_R_SUCCESS);
-
- /* Error return */
- out:
- CTXFREE(req, sizeof(lwres_nooprequest_t));
- return (ret);
-}
-
-lwres_result_t
-lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
- lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp)
-{
- int ret;
- lwres_noopresponse_t *req;
-
- REQUIRE(ctx != NULL);
- REQUIRE(b != NULL);
- REQUIRE(pkt != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
- return (LWRES_R_FAILURE);
-
- req = CTXMALLOC(sizeof(lwres_noopresponse_t));
- if (req == NULL)
- return (LWRES_R_NOMEMORY);
-
- if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->datalength = lwres_buffer_getuint16(b);
-
- if (!SPACE_REMAINING(b, req->datalength)) {
- ret = LWRES_R_UNEXPECTEDEND;
- goto out;
- }
- req->data = b->base + b->current;
-
- lwres_buffer_forward(b, req->datalength);
- if (LWRES_BUFFER_REMAINING(b) != 0) {
- ret = LWRES_R_TRAILINGDATA;
- goto out;
- }
-
- /* success! */
- *structp = req;
- return (LWRES_R_SUCCESS);
-
- /* Error return */
- out:
- CTXFREE(req, sizeof(lwres_noopresponse_t));
- return (ret);
-}
-
-void
-lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp)
-{
- lwres_noopresponse_t *noop;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- noop = *structp;
- *structp = NULL;
-
- CTXFREE(noop, sizeof(lwres_noopresponse_t));
-}
-
-void
-lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp)
-{
- lwres_nooprequest_t *noop;
-
- REQUIRE(ctx != NULL);
- REQUIRE(structp != NULL && *structp != NULL);
-
- noop = *structp;
- *structp = NULL;
-
- CTXFREE(noop, sizeof(lwres_nooprequest_t));
-}
diff --git a/contrib/bind9/lib/lwres/lwresutil.c b/contrib/bind9/lib/lwres/lwresutil.c
deleted file mode 100644
index 1035f17057a9..000000000000
--- a/contrib/bind9/lib/lwres/lwresutil.c
+++ /dev/null
@@ -1,491 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: lwresutil.c,v 1.29.206.1 2004/03/06 08:15:33 marka Exp $ */
-
-#include <config.h>
-
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <lwres/lwbuffer.h>
-#include <lwres/lwres.h>
-#include <lwres/result.h>
-
-#include "assert_p.h"
-#include "context_p.h"
-
-/*
- * Requires:
- *
- * The "current" pointer in "b" points to encoded raw data.
- *
- * Ensures:
- *
- * The address of the first byte of the data is returned via "p",
- * and the length is returned via "len". If NULL, they are not
- * set.
- *
- * On return, the current pointer of "b" will point to the character
- * following the data length and the data.
- *
- */
-lwres_result_t
-lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len)
-{
- lwres_uint16_t datalen;
- unsigned char *data;
-
- REQUIRE(b != NULL);
-
- /*
- * Pull off the length (2 bytes)
- */
- if (!SPACE_REMAINING(b, 2))
- return (LWRES_R_UNEXPECTEDEND);
- datalen = lwres_buffer_getuint16(b);
-
- /*
- * Set the pointer to this string to the right place, then
- * advance the buffer pointer.
- */
- if (!SPACE_REMAINING(b, datalen))
- return (LWRES_R_UNEXPECTEDEND);
- data = b->base + b->current;
- lwres_buffer_forward(b, datalen);
-
- if (len != NULL)
- *len = datalen;
- if (p != NULL)
- *p = data;
-
- return (LWRES_R_SUCCESS);
-}
-
-/*
- * Requires:
- *
- * The "current" pointer in "b" point to an encoded string.
- *
- * Ensures:
- *
- * The address of the first byte of the string is returned via "c",
- * and the length is returned via "len". If NULL, they are not
- * set.
- *
- * On return, the current pointer of "b" will point to the character
- * following the string length, the string, and the trailing NULL.
- *
- */
-lwres_result_t
-lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len)
-{
- lwres_uint16_t datalen;
- char *string;
-
- REQUIRE(b != NULL);
-
- /*
- * Pull off the length (2 bytes)
- */
- if (!SPACE_REMAINING(b, 2))
- return (LWRES_R_UNEXPECTEDEND);
- datalen = lwres_buffer_getuint16(b);
-
- /*
- * Set the pointer to this string to the right place, then
- * advance the buffer pointer.
- */
- if (!SPACE_REMAINING(b, datalen))
- return (LWRES_R_UNEXPECTEDEND);
- string = (char *)b->base + b->current;
- lwres_buffer_forward(b, datalen);
-
- /*
- * Skip the "must be zero" byte.
- */
- if (!SPACE_REMAINING(b, 1))
- return (LWRES_R_UNEXPECTEDEND);
- if (0 != lwres_buffer_getuint8(b))
- return (LWRES_R_FAILURE);
-
- if (len != NULL)
- *len = datalen;
- if (c != NULL)
- *c = string;
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr)
-{
- REQUIRE(addr != NULL);
-
- if (!SPACE_REMAINING(b, 6))
- return (LWRES_R_UNEXPECTEDEND);
-
- addr->family = lwres_buffer_getuint32(b);
- addr->length = lwres_buffer_getuint16(b);
-
- if (!SPACE_REMAINING(b, addr->length))
- return (LWRES_R_UNEXPECTEDEND);
- if (addr->length > LWRES_ADDR_MAXLEN)
- return (LWRES_R_FAILURE);
-
- lwres_buffer_getmem(b, addr->address, addr->length);
-
- return (LWRES_R_SUCCESS);
-}
-
-lwres_result_t
-lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
- lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp)
-{
- lwres_gabnrequest_t request;
- lwres_gabnresponse_t *response;
- int ret;
- int recvlen;
- lwres_buffer_t b_in, b_out;
- lwres_lwpacket_t pkt;
- lwres_uint32_t serial;
- char *buffer;
- char target_name[1024];
- unsigned int target_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(name != NULL);
- REQUIRE(addrtypes != 0);
- REQUIRE(structp != NULL && *structp == NULL);
-
- b_in.base = NULL;
- b_out.base = NULL;
- response = NULL;
- buffer = NULL;
- serial = lwres_context_nextserial(ctx);
-
- buffer = CTXMALLOC(LWRES_RECVLENGTH);
- if (buffer == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- target_length = strlen(name);
- if (target_length >= sizeof(target_name))
- return (LWRES_R_FAILURE);
- strcpy(target_name, name); /* strcpy is safe */
-
- /*
- * Set up our request and render it to a buffer.
- */
- request.flags = 0;
- request.addrtypes = addrtypes;
- request.name = target_name;
- request.namelen = target_length;
- pkt.pktflags = 0;
- pkt.serial = serial;
- pkt.result = 0;
- pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
- ret = lwres_gabnrequest_render(ctx, &request, &pkt, &b_out);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
- LWRES_RECVLENGTH, &recvlen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- lwres_buffer_init(&b_in, buffer, recvlen);
- b_in.used = recvlen;
-
- /*
- * Parse the packet header.
- */
- ret = lwres_lwpacket_parseheader(&b_in, &pkt);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Sanity check.
- */
- if (pkt.serial != serial)
- goto again;
- if (pkt.opcode != LWRES_OPCODE_GETADDRSBYNAME)
- goto again;
-
- /*
- * Free what we've transmitted
- */
- CTXFREE(b_out.base, b_out.length);
- b_out.base = NULL;
- b_out.length = 0;
-
- if (pkt.result != LWRES_R_SUCCESS) {
- ret = pkt.result;
- goto out;
- }
-
- /*
- * Parse the response.
- */
- ret = lwres_gabnresponse_parse(ctx, &b_in, &pkt, &response);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- response->base = buffer;
- response->baselen = LWRES_RECVLENGTH;
- buffer = NULL; /* don't free this below */
-
- *structp = response;
- return (LWRES_R_SUCCESS);
-
- out:
- if (b_out.base != NULL)
- CTXFREE(b_out.base, b_out.length);
- if (buffer != NULL)
- CTXFREE(buffer, LWRES_RECVLENGTH);
- if (response != NULL)
- lwres_gabnresponse_free(ctx, &response);
-
- return (ret);
-}
-
-
-lwres_result_t
-lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
- lwres_uint16_t addrlen, const unsigned char *addr,
- lwres_gnbaresponse_t **structp)
-{
- lwres_gnbarequest_t request;
- lwres_gnbaresponse_t *response;
- int ret;
- int recvlen;
- lwres_buffer_t b_in, b_out;
- lwres_lwpacket_t pkt;
- lwres_uint32_t serial;
- char *buffer;
-
- REQUIRE(ctx != NULL);
- REQUIRE(addrtype != 0);
- REQUIRE(addrlen != 0);
- REQUIRE(addr != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- b_in.base = NULL;
- b_out.base = NULL;
- response = NULL;
- buffer = NULL;
- serial = lwres_context_nextserial(ctx);
-
- buffer = CTXMALLOC(LWRES_RECVLENGTH);
- if (buffer == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- /*
- * Set up our request and render it to a buffer.
- */
- request.flags = 0;
- request.addr.family = addrtype;
- request.addr.length = addrlen;
- memcpy(request.addr.address, addr, addrlen);
- pkt.pktflags = 0;
- pkt.serial = serial;
- pkt.result = 0;
- pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
- ret = lwres_gnbarequest_render(ctx, &request, &pkt, &b_out);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
- LWRES_RECVLENGTH, &recvlen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- lwres_buffer_init(&b_in, buffer, recvlen);
- b_in.used = recvlen;
-
- /*
- * Parse the packet header.
- */
- ret = lwres_lwpacket_parseheader(&b_in, &pkt);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Sanity check.
- */
- if (pkt.serial != serial)
- goto again;
- if (pkt.opcode != LWRES_OPCODE_GETNAMEBYADDR)
- goto again;
-
- /*
- * Free what we've transmitted
- */
- CTXFREE(b_out.base, b_out.length);
- b_out.base = NULL;
- b_out.length = 0;
-
- if (pkt.result != LWRES_R_SUCCESS) {
- ret = pkt.result;
- goto out;
- }
-
- /*
- * Parse the response.
- */
- ret = lwres_gnbaresponse_parse(ctx, &b_in, &pkt, &response);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- response->base = buffer;
- response->baselen = LWRES_RECVLENGTH;
- buffer = NULL; /* don't free this below */
-
- *structp = response;
- return (LWRES_R_SUCCESS);
-
- out:
- if (b_out.base != NULL)
- CTXFREE(b_out.base, b_out.length);
- if (buffer != NULL)
- CTXFREE(buffer, LWRES_RECVLENGTH);
- if (response != NULL)
- lwres_gnbaresponse_free(ctx, &response);
-
- return (ret);
-}
-
-lwres_result_t
-lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
- lwres_uint16_t rdclass, lwres_uint16_t rdtype,
- lwres_uint32_t flags, lwres_grbnresponse_t **structp)
-{
- int ret;
- int recvlen;
- lwres_buffer_t b_in, b_out;
- lwres_lwpacket_t pkt;
- lwres_uint32_t serial;
- char *buffer;
- lwres_grbnrequest_t request;
- lwres_grbnresponse_t *response;
- char target_name[1024];
- unsigned int target_length;
-
- REQUIRE(ctx != NULL);
- REQUIRE(name != NULL);
- REQUIRE(structp != NULL && *structp == NULL);
-
- b_in.base = NULL;
- b_out.base = NULL;
- response = NULL;
- buffer = NULL;
- serial = lwres_context_nextserial(ctx);
-
- buffer = CTXMALLOC(LWRES_RECVLENGTH);
- if (buffer == NULL) {
- ret = LWRES_R_NOMEMORY;
- goto out;
- }
-
- target_length = strlen(name);
- if (target_length >= sizeof(target_name))
- return (LWRES_R_FAILURE);
- strcpy(target_name, name); /* strcpy is safe */
-
- /*
- * Set up our request and render it to a buffer.
- */
- request.rdclass = rdclass;
- request.rdtype = rdtype;
- request.flags = flags;
- request.name = target_name;
- request.namelen = target_length;
- pkt.pktflags = 0;
- pkt.serial = serial;
- pkt.result = 0;
- pkt.recvlength = LWRES_RECVLENGTH;
-
- again:
- ret = lwres_grbnrequest_render(ctx, &request, &pkt, &b_out);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
- LWRES_RECVLENGTH, &recvlen);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- lwres_buffer_init(&b_in, buffer, recvlen);
- b_in.used = recvlen;
-
- /*
- * Parse the packet header.
- */
- ret = lwres_lwpacket_parseheader(&b_in, &pkt);
- if (ret != LWRES_R_SUCCESS)
- goto out;
-
- /*
- * Sanity check.
- */
- if (pkt.serial != serial)
- goto again;
- if (pkt.opcode != LWRES_OPCODE_GETRDATABYNAME)
- goto again;
-
- /*
- * Free what we've transmitted
- */
- CTXFREE(b_out.base, b_out.length);
- b_out.base = NULL;
- b_out.length = 0;
-
- if (pkt.result != LWRES_R_SUCCESS) {
- ret = pkt.result;
- goto out;
- }
-
- /*
- * Parse the response.
- */
- ret = lwres_grbnresponse_parse(ctx, &b_in, &pkt, &response);
- if (ret != LWRES_R_SUCCESS)
- goto out;
- response->base = buffer;
- response->baselen = LWRES_RECVLENGTH;
- buffer = NULL; /* don't free this below */
-
- *structp = response;
- return (LWRES_R_SUCCESS);
-
- out:
- if (b_out.base != NULL)
- CTXFREE(b_out.base, b_out.length);
- if (buffer != NULL)
- CTXFREE(buffer, LWRES_RECVLENGTH);
- if (response != NULL)
- lwres_grbnresponse_free(ctx, &response);
-
- return (ret);
-}
diff --git a/contrib/bind9/lib/lwres/man/Makefile.in b/contrib/bind9/lib/lwres/man/Makefile.in
deleted file mode 100644
index a591a2a24a3a..000000000000
--- a/contrib/bind9/lib/lwres/man/Makefile.in
+++ /dev/null
@@ -1,232 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:15:36 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-@BIND9_VERSION@
-
-@BIND9_MAKE_RULES@
-
-# Alphabetically
-#MANPAGES = lwres.3 lwres_addr_parse.3 lwres_buffer.3 \
-# lwres_buffer_add.3 lwres_buffer_back.3 lwres_buffer_clear.3 \
-# lwres_buffer_first.3 lwres_buffer_forward.3 \
-# lwres_buffer_getmem.3 lwres_buffer_getuint16.3 \
-# lwres_buffer_getuint32.3 lwres_buffer_getuint8.3 \
-# lwres_buffer_init.3 lwres_buffer_invalidate.3 \
-# lwres_buffer_putmem.3 lwres_buffer_putuint16.3 \
-# lwres_buffer_putuint32.3 lwres_buffer_putuint8.3 \
-# lwres_buffer_subtract.3 lwres_conf_clear.3 \
-# lwres_conf_get.3 lwres_conf_init.3 \
-# lwres_conf_parse.3 lwres_conf_print.3 \
-# lwres_config.3 lwres_context.3 \
-# lwres_context_allocmem.3 lwres_context_create.3 \
-# lwres_context_destroy.3 lwres_context_freemem.3 \
-# lwres_context_initserial.3 lwres_context_nextserial.3 \
-# lwres_context_sendrecv.3 lwres_endhostent.3 \
-# lwres_endhostent_r.3 lwres_freeaddrinfo.3 \
-# lwres_freehostent.3 lwres_gabn.3 \
-# lwres_gabnrequest_free.3 lwres_gabnrequest_parse.3 \
-# lwres_gabnrequest_render.3 lwres_gabnresponse_free.3 \
-# lwres_gabnresponse_parse.3 lwres_gabnresponse_render.3 \
-# lwres_gai_strerror.3 lwres_getaddrinfo.3 \
-# lwres_getaddrsbyname.3 lwres_gethostbyaddr.3 \
-# lwres_gethostbyaddr_r.3 lwres_gethostbyname.3 \
-# lwres_gethostbyname2.3 lwres_gethostbyname_r.3 \
-# lwres_gethostent.3 lwres_gethostent_r.3 \
-# lwres_getipnode.3 lwres_getipnodebyaddr.3 \
-# lwres_getipnodebyname.3 lwres_getnamebyaddr.3 \
-# lwres_getnameinfo.3 lwres_getrrsetbyname.3 \
-# lwres_gnba.3 lwres_gnbarequest_free.3 \
-# lwres_gnbarequest_parse.3 lwres_gnbarequest_render.3 \
-# lwres_gnbaresponse_free.3 lwres_gnbaresponse_parse.3 \
-# lwres_gnbaresponse_render.3 lwres_herror.3 \
-# lwres_hstrerror.3 lwres_inetntop.3 \
-# lwres_lwpacket_parseheader.3 lwres_lwpacket_renderheader.3 \
-# lwres_net_ntop.3 lwres_noop.3 \
-# lwres_nooprequest_free.3 lwres_nooprequest_parse.3 \
-# lwres_nooprequest_render.3 lwres_noopresponse_free.3 \
-# lwres_noopresponse_parse.3 lwres_noopresponse_render.3 \
-# lwres_packet.3 lwres_resutil.3 \
-# lwres_sethostent.3 lwres_sethostent_r.3 \
-# lwres_string_parse.3
-
-
-MANPAGES = lwres.3 lwres_buffer.3 lwres_config.3 lwres_context.3 \
- lwres_gabn.3 lwres_gai_strerror.3 lwres_getaddrinfo.3 \
- lwres_gethostent.3 lwres_getipnode.3 lwres_getnameinfo.3 \
- lwres_getrrsetbyname.3 lwres_gnba.3 lwres_hstrerror.3 lwres_inetntop.3 \
- lwres_noop.3 lwres_packet.3 lwres_resutil.3
-
-HTMLPAGES = lwres.html lwres_buffer.html lwres_config.html lwres_context.html \
- lwres_gabn.html lwres_gai_strerror.html lwres_getaddrinfo.html \
- lwres_gethostent.html lwres_getipnode.html lwres_getnameinfo.html \
- lwres_getrrsetbyname.html lwres_gnba.html lwres_hstrerror.html lwres_inetntop.html \
- lwres_noop.html lwres_packet.html lwres_resutil.html
-
-MANOBJS = ${MANPAGES} ${HTMLPAGES}
-
-doc man:: ${MANOBJS}
-
-docclean manclean maintainer-clean::
- rm -f ${MANOBJS}
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man3
-
-man3 = ${DESTDIR}${mandir}/man3
-
-install:: installdirs
- for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man3; done
- rm -f ${man3}/lwres_addr_parse.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_addr_parse.3
- rm -f ${man3}/lwres_buffer_add.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_add.3
- rm -f ${man3}/lwres_buffer_back.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_back.3
- rm -f ${man3}/lwres_buffer_clear.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_clear.3
- rm -f ${man3}/lwres_buffer_first.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_first.3
- rm -f ${man3}/lwres_buffer_forward.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_forward.3
- rm -f ${man3}/lwres_buffer_getmem.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getmem.3
- rm -f ${man3}/lwres_buffer_getuint16.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint16.3
- rm -f ${man3}/lwres_buffer_getuint32.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint32.3
- rm -f ${man3}/lwres_buffer_getuint8.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint8.3
- rm -f ${man3}/lwres_buffer_init.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_init.3
- rm -f ${man3}/lwres_buffer_invalidate.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_invalidate.3
- rm -f ${man3}/lwres_buffer_putmem.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putmem.3
- rm -f ${man3}/lwres_buffer_putuint16.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint16.3
- rm -f ${man3}/lwres_buffer_putuint32.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint32.3
- rm -f ${man3}/lwres_buffer_putuint8.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint8.3
- rm -f ${man3}/lwres_buffer_subtract.3
- @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_subtract.3
- rm -f ${man3}/lwres_conf_clear.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_clear.3
- rm -f ${man3}/lwres_conf_get.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_get.3
- rm -f ${man3}/lwres_conf_init.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_init.3
- rm -f ${man3}/lwres_conf_parse.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_parse.3
- rm -f ${man3}/lwres_conf_print.3
- @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_print.3
- rm -f ${man3}/lwres_context_allocmem.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_allocmem.3
- rm -f ${man3}/lwres_context_create.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_create.3
- rm -f ${man3}/lwres_context_destroy.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_destroy.3
- rm -f ${man3}/lwres_context_freemem.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_freemem.3
- rm -f ${man3}/lwres_context_initserial.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_initserial.3
- rm -f ${man3}/lwres_context_nextserial.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_nextserial.3
- rm -f ${man3}/lwres_context_sendrecv.3
- @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_sendrecv.3
- rm -f ${man3}/lwres_endhostent.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent.3
- rm -f ${man3}/lwres_endhostent_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent_r.3
- rm -f ${man3}/lwres_freeaddrinfo.3
- @LN@ ${man3}/lwres_getaddrinfo.3 ${man3}/lwres_freeaddrinfo.3
- rm -f ${man3}/lwres_freehostent.3
- @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_freehostent.3
- rm -f ${man3}/lwres_gabnrequest_free.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_free.3
- rm -f ${man3}/lwres_gabnrequest_parse.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_parse.3
- rm -f ${man3}/lwres_gabnrequest_render.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_render.3
- rm -f ${man3}/lwres_gabnresponse_free.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_free.3
- rm -f ${man3}/lwres_gabnresponse_parse.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_parse.3
- rm -f ${man3}/lwres_gabnresponse_render.3
- @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_render.3
- rm -f ${man3}/lwres_getaddrsbyname.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getaddrsbyname.3
- rm -f ${man3}/lwres_gethostbyaddr.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr.3
- rm -f ${man3}/lwres_gethostbyaddr_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr_r.3
- rm -f ${man3}/lwres_gethostbyname.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname.3
- rm -f ${man3}/lwres_gethostbyname2.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname2.3
- rm -f ${man3}/lwres_gethostbyname_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname_r.3
- rm -f ${man3}/lwres_gethostent_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostent_r.3
- rm -f ${man3}/lwres_getipnodebyaddr.3
- @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyaddr.3
- rm -f ${man3}/lwres_getipnodebyname.3
- @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyname.3
- rm -f ${man3}/lwres_getnamebyaddr.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getnamebyaddr.3
- rm -f ${man3}/lwres_gnbarequest_free.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_free.3
- rm -f ${man3}/lwres_gnbarequest_parse.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_parse.3
- rm -f ${man3}/lwres_gnbarequest_render.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_render.3
- rm -f ${man3}/lwres_gnbaresponse_free.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_free.3
- rm -f ${man3}/lwres_gnbaresponse_parse.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_parse.3
- rm -f ${man3}/lwres_gnbaresponse_render.3
- @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_render.3
- rm -f ${man3}/lwres_herror.3
- @LN@ ${man3}/lwres_hstrerror.3 ${man3}/lwres_herror.3
- rm -f ${man3}/lwres_lwpacket_parseheader.3
- @LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_parseheader.3
- rm -f ${man3}/lwres_lwpacket_renderheader.3
- @LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_renderheader.3
- rm -f ${man3}/lwres_net_ntop.3
- @LN@ ${man3}/lwres_inetntop.3 ${man3}/lwres_net_ntop.3
- rm -f ${man3}/lwres_nooprequest_free.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_free.3
- rm -f ${man3}/lwres_nooprequest_parse.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_parse.3
- rm -f ${man3}/lwres_nooprequest_render.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_render.3
- rm -f ${man3}/lwres_noopresponse_free.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_free.3
- rm -f ${man3}/lwres_noopresponse_parse.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_parse.3
- rm -f ${man3}/lwres_noopresponse_render.3
- @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_render.3
- rm -f ${man3}/lwres_sethostent.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent.3
- rm -f ${man3}/lwres_sethostent_r.3
- @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent_r.3
- rm -f ${man3}/lwres_string_parse.3
- @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_string_parse.3
diff --git a/contrib/bind9/lib/lwres/man/lwres.3 b/contrib/bind9/lib/lwres/man/lwres.3
deleted file mode 100644
index 3411eac92b8e..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres.3
+++ /dev/null
@@ -1,157 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres.3,v 1.15.206.5 2005/10/13 02:33:58 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres \- introduction to the lightweight resolver library
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.SH "DESCRIPTION"
-.PP
-The BIND 9 lightweight resolver library is a simple, name service independent stub resolver library. It provides hostname\-to\-address and address\-to\-hostname lookup services to applications by transmitting lookup requests to a resolver daemon
-\fBlwresd\fR
-running on the local host. The resover daemon performs the lookup using the DNS or possibly other name service protocols, and returns the results to the application through the library. The library and resolver daemon communicate using a simple UDP\-based protocol.
-.SH "OVERVIEW"
-.PP
-The lwresd library implements multiple name service APIs. The standard
-\fBgethostbyname()\fR,
-\fBgethostbyaddr()\fR,
-\fBgethostbyname_r()\fR,
-\fBgethostbyaddr_r()\fR,
-\fBgetaddrinfo()\fR,
-\fBgetipnodebyname()\fR, and
-\fBgetipnodebyaddr()\fR
-functions are all supported. To allow the lwres library to coexist with system libraries that define functions of the same name, the library defines these functions with names prefixed by
-lwres_. To define the standard names, applications must include the header file
-\fI<lwres/netdb.h>\fR
-which contains macro definitions mapping the standard function names into
-lwres_
-prefixed ones. Operating system vendors who integrate the lwres library into their base distributions should rename the functions in the library proper so that the renaming macros are not needed.
-.PP
-The library also provides a native API consisting of the functions
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR. These may be called by applications that require more detailed control over the lookup process than the standard functions provide.
-.PP
-In addition to these name service independent address lookup functions, the library implements a new, experimental API for looking up arbitrary DNS resource records, using the
-\fBlwres_getaddrsbyname()\fR
-function.
-.PP
-Finally, there is a low\-level API for converting lookup requests and responses to and from raw lwres protocol packets. This API can be used by clients requiring nonblocking operation, and is also used when implementing the server side of the lwres protocol, for example in the
-\fBlwresd\fR
-resolver daemon. The use of this low\-level API in clients and servers is outlined in the following sections.
-.SH "CLIENT\-SIDE LOW\-LEVEL API CALL FLOW"
-.PP
-When a client program wishes to make an lwres request using the native low\-level API, it typically performs the following sequence of actions.
-.PP
-(1) Allocate or use an existing
-\fBlwres_packet_t\fR, called
-\fIpkt\fR
-below.
-.PP
-(2) Set
-pkt.recvlength
-to the maximum length we will accept. This is done so the receiver of our packets knows how large our receive buffer is. The "default" is a constant in
-\fIlwres.h\fR:
-\fBLWRES_RECVLENGTH = 4096\fR.
-.PP
-(3) Set
-pkt.serial
-to a unique serial number. This value is echoed back to the application by the remote server.
-.PP
-(4) Set
-pkt.pktflags. Usually this is set to 0.
-.PP
-(5) Set
-pkt.result
-to 0.
-.PP
-(6) Call
-\fBlwres_*request_render()\fR, or marshall in the data using the primitives such as
-\fBlwres_packet_render()\fR
-and storing the packet data.
-.PP
-(7) Transmit the resulting buffer.
-.PP
-(8) Call
-\fBlwres_*response_parse()\fR
-to parse any packets received.
-.PP
-(9) Verify that the opcode and serial match a request, and process the packet specific information contained in the body.
-.SH "SERVER\-SIDE LOW\-LEVEL API CALL FLOW"
-.PP
-When implementing the server side of the lightweight resolver protocol using the lwres library, a sequence of actions like the following is typically involved in processing each request packet.
-.PP
-Note that the same
-\fBlwres_packet_t\fR
-is used in both the
-\fB_parse()\fR
-and
-\fB_render()\fR
-calls, with only a few modifications made to the packet header's contents between uses. This method is recommended as it keeps the serial, opcode, and other fields correct.
-.PP
-(1) When a packet is received, call
-\fBlwres_*request_parse()\fR
-to unmarshall it. This returns a
-\fBlwres_packet_t\fR
-(also called
-\fIpkt\fR, below) as well as a data specific type, such as
-\fBlwres_gabnrequest_t\fR.
-.PP
-(2) Process the request in the data specific type.
-.PP
-(3) Set the
-pkt.result,
-pkt.recvlength
-as above. All other fields can be left untouched since they were filled in by the
-\fB*_parse()\fR
-call above. If using
-\fBlwres_*response_render()\fR,
-pkt.pktflags
-will be set up properly. Otherwise, the
-\fBLWRES_LWPACKETFLAG_RESPONSE\fR
-bit should be set.
-.PP
-(4) Call the data specific rendering function, such as
-\fBlwres_gabnresponse_render()\fR.
-.PP
-(5) Send the resulting packet to the client.
-.PP
-.SH "SEE ALSO"
-.PP
-\fBlwres_gethostent\fR(3),
-\fBlwres_getipnode\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_noop\fR(3),
-\fBlwres_gabn\fR(3),
-\fBlwres_gnba\fR(3),
-\fBlwres_context\fR(3),
-\fBlwres_config\fR(3),
-\fBresolver\fR(5),
-\fBlwresd\fR(8).
diff --git a/contrib/bind9/lib/lwres/man/lwres.docbook b/contrib/bind9/lib/lwres/man/lwres.docbook
deleted file mode 100644
index 83258a9dd743..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres.docbook
+++ /dev/null
@@ -1,260 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres.docbook,v 1.3.206.3 2005/05/12 21:36:11 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres</refname>
-<refpurpose>introduction to the lightweight resolver library</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-The BIND 9 lightweight resolver library is a simple, name service
-independent stub resolver library. It provides hostname-to-address
-and address-to-hostname lookup services to applications by
-transmitting lookup requests to a resolver daemon
-<command>lwresd</command>
-running on the local host. The resover daemon performs the
-lookup using the DNS or possibly other name service protocols,
-and returns the results to the application through the library.
-The library and resolver daemon communicate using a simple
-UDP-based protocol.
-</para>
-</refsect1>
-
-<refsect1>
-<title>OVERVIEW</title>
-<para>
-The lwresd library implements multiple name service APIs.
-The standard
-<function>gethostbyname()</function>,
-<function>gethostbyaddr()</function>,
-<function>gethostbyname_r()</function>,
-<function>gethostbyaddr_r()</function>,
-<function>getaddrinfo()</function>,
-<function>getipnodebyname()</function>,
-and
-<function>getipnodebyaddr()</function>
-functions are all supported. To allow the lwres library to coexist
-with system libraries that define functions of the same name,
-the library defines these functions with names prefixed by
-<literal>lwres_</literal>.
-To define the standard names, applications must include the
-header file
-<filename>&lt;lwres/netdb.h&gt;</filename>
-which contains macro definitions mapping the standard function names
-into
-<literal>lwres_</literal>
-prefixed ones. Operating system vendors who integrate the lwres
-library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.
-</para>
-<para>
-The library also provides a native API consisting of the functions
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>.
-These may be called by applications that require more detailed
-control over the lookup process than the standard functions
-provide.
-</para>
-<para>
-In addition to these name service independent address lookup
-functions, the library implements a new, experimental API
-for looking up arbitrary DNS resource records, using the
-<function>lwres_getaddrsbyname()</function>
-function.
-</para>
-<para>
-Finally, there is a low-level API for converting lookup
-requests and responses to and from raw lwres protocol packets.
-This API can be used by clients requiring nonblocking operation,
-and is also used when implementing the server side of the lwres
-protocol, for example in the
-<command>lwresd</command>
-resolver daemon. The use of this low-level API in clients
-and servers is outlined in the following sections.
-</para>
-</refsect1>
-<refsect1>
-<title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title>
-<para>
-When a client program wishes to make an lwres request using the
-native low-level API, it typically performs the following
-sequence of actions.
-</para>
-<para>
-(1) Allocate or use an existing <type>lwres_packet_t</type>,
-called <varname>pkt</varname> below.
-</para>
-<para>
-(2) Set <structfield>pkt.recvlength</structfield> to the maximum length we will accept.
-This is done so the receiver of our packets knows how large our receive
-buffer is. The "default" is a constant in
-<filename>lwres.h</filename>: <constant>LWRES_RECVLENGTH = 4096</constant>.
-</para>
-<para>
-(3) Set <structfield>pkt.serial</structfield>
-to a unique serial number. This value is echoed
-back to the application by the remote server.
-</para>
-<para>
-(4) Set <structfield>pkt.pktflags</structfield>. Usually this is set to 0.
-</para>
-<para>
-(5) Set <structfield>pkt.result</structfield> to 0.
-</para>
-<para>
-(6) Call <function>lwres_*request_render()</function>,
-or marshall in the data using the primitives
-such as <function>lwres_packet_render()</function>
-and storing the packet data.
-</para>
-<para>
-(7) Transmit the resulting buffer.
-</para>
-<para>
-(8) Call <function>lwres_*response_parse()</function>
-to parse any packets received.
-</para>
-<para>
-(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.
-</para>
-</refsect1>
-<refsect1>
-<title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title>
-<para>
-When implementing the server side of the lightweight resolver
-protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.
-</para>
-<para>
-Note that the same <type>lwres_packet_t</type> is used
-in both the <function>_parse()</function> and <function>_render()</function> calls,
-with only a few modifications made
-to the packet header's contents between uses. This method is recommended
-as it keeps the serial, opcode, and other fields correct.
-</para>
-<para>
-(1) When a packet is received, call <function>lwres_*request_parse()</function> to
-unmarshall it. This returns a <type>lwres_packet_t</type> (also called <varname>pkt</varname>, below)
-as well as a data specific type, such as <type>lwres_gabnrequest_t</type>.
-</para>
-<para>
-(2) Process the request in the data specific type.
-</para>
-<para>
-(3) Set the <structfield>pkt.result</structfield>,
-<structfield>pkt.recvlength</structfield> as above. All other fields can
-be left untouched since they were filled in by the <function>*_parse()</function> call
-above. If using <function>lwres_*response_render()</function>,
-<structfield>pkt.pktflags</structfield> will be set up
-properly. Otherwise, the <constant>LWRES_LWPACKETFLAG_RESPONSE</constant> bit should be
-set.
-</para>
-<para>
-(4) Call the data specific rendering function, such as
-<function>lwres_gabnresponse_render()</function>.
-</para>
-<para>
-(5) Send the resulting packet to the client.
-</para>
-<para>
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_noop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gnba</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_context</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_config</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwresd</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres.html b/contrib/bind9/lib/lwres/man/lwres.html
deleted file mode 100644
index 1d5e57bfd248..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres.html
+++ /dev/null
@@ -1,216 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres.html,v 1.4.2.1.4.9 2005/10/13 02:33:54 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres &#8212; introduction to the lightweight resolver library</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis"><pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre></div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525832"></a><h2>DESCRIPTION</h2>
-<p>
-The BIND 9 lightweight resolver library is a simple, name service
-independent stub resolver library. It provides hostname-to-address
-and address-to-hostname lookup services to applications by
-transmitting lookup requests to a resolver daemon
-<span><strong class="command">lwresd</strong></span>
-running on the local host. The resover daemon performs the
-lookup using the DNS or possibly other name service protocols,
-and returns the results to the application through the library.
-The library and resolver daemon communicate using a simple
-UDP-based protocol.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525845"></a><h2>OVERVIEW</h2>
-<p>
-The lwresd library implements multiple name service APIs.
-The standard
-<code class="function">gethostbyname()</code>,
-<code class="function">gethostbyaddr()</code>,
-<code class="function">gethostbyname_r()</code>,
-<code class="function">gethostbyaddr_r()</code>,
-<code class="function">getaddrinfo()</code>,
-<code class="function">getipnodebyname()</code>,
-and
-<code class="function">getipnodebyaddr()</code>
-functions are all supported. To allow the lwres library to coexist
-with system libraries that define functions of the same name,
-the library defines these functions with names prefixed by
-<code class="literal">lwres_</code>.
-To define the standard names, applications must include the
-header file
-<code class="filename">&lt;lwres/netdb.h&gt;</code>
-which contains macro definitions mapping the standard function names
-into
-<code class="literal">lwres_</code>
-prefixed ones. Operating system vendors who integrate the lwres
-library into their base distributions should rename the functions
-in the library proper so that the renaming macros are not needed.
-</p>
-<p>
-The library also provides a native API consisting of the functions
-<code class="function">lwres_getaddrsbyname()</code>
-and
-<code class="function">lwres_getnamebyaddr()</code>.
-These may be called by applications that require more detailed
-control over the lookup process than the standard functions
-provide.
-</p>
-<p>
-In addition to these name service independent address lookup
-functions, the library implements a new, experimental API
-for looking up arbitrary DNS resource records, using the
-<code class="function">lwres_getaddrsbyname()</code>
-function.
-</p>
-<p>
-Finally, there is a low-level API for converting lookup
-requests and responses to and from raw lwres protocol packets.
-This API can be used by clients requiring nonblocking operation,
-and is also used when implementing the server side of the lwres
-protocol, for example in the
-<span><strong class="command">lwresd</strong></span>
-resolver daemon. The use of this low-level API in clients
-and servers is outlined in the following sections.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525909"></a><h2>CLIENT-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-When a client program wishes to make an lwres request using the
-native low-level API, it typically performs the following
-sequence of actions.
-</p>
-<p>
-(1) Allocate or use an existing <span class="type">lwres_packet_t</span>,
-called <code class="varname">pkt</code> below.
-</p>
-<p>
-(2) Set <em class="structfield"><code>pkt.recvlength</code></em> to the maximum length we will accept.
-This is done so the receiver of our packets knows how large our receive
-buffer is. The "default" is a constant in
-<code class="filename">lwres.h</code>: <code class="constant">LWRES_RECVLENGTH = 4096</code>.
-</p>
-<p>
-(3) Set <em class="structfield"><code>pkt.serial</code></em>
-to a unique serial number. This value is echoed
-back to the application by the remote server.
-</p>
-<p>
-(4) Set <em class="structfield"><code>pkt.pktflags</code></em>. Usually this is set to 0.
-</p>
-<p>
-(5) Set <em class="structfield"><code>pkt.result</code></em> to 0.
-</p>
-<p>
-(6) Call <code class="function">lwres_*request_render()</code>,
-or marshall in the data using the primitives
-such as <code class="function">lwres_packet_render()</code>
-and storing the packet data.
-</p>
-<p>
-(7) Transmit the resulting buffer.
-</p>
-<p>
-(8) Call <code class="function">lwres_*response_parse()</code>
-to parse any packets received.
-</p>
-<p>
-(9) Verify that the opcode and serial match a request, and process the
-packet specific information contained in the body.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526056"></a><h2>SERVER-SIDE LOW-LEVEL API CALL FLOW</h2>
-<p>
-When implementing the server side of the lightweight resolver
-protocol using the lwres library, a sequence of actions like the
-following is typically involved in processing each request packet.
-</p>
-<p>
-Note that the same <span class="type">lwres_packet_t</span> is used
-in both the <code class="function">_parse()</code> and <code class="function">_render()</code> calls,
-with only a few modifications made
-to the packet header's contents between uses. This method is recommended
-as it keeps the serial, opcode, and other fields correct.
-</p>
-<p>
-(1) When a packet is received, call <code class="function">lwres_*request_parse()</code> to
-unmarshall it. This returns a <span class="type">lwres_packet_t</span> (also called <code class="varname">pkt</code>, below)
-as well as a data specific type, such as <span class="type">lwres_gabnrequest_t</span>.
-</p>
-<p>
-(2) Process the request in the data specific type.
-</p>
-<p>
-(3) Set the <em class="structfield"><code>pkt.result</code></em>,
-<em class="structfield"><code>pkt.recvlength</code></em> as above. All other fields can
-be left untouched since they were filled in by the <code class="function">*_parse()</code> call
-above. If using <code class="function">lwres_*response_render()</code>,
-<em class="structfield"><code>pkt.pktflags</code></em> will be set up
-properly. Otherwise, the <code class="constant">LWRES_LWPACKETFLAG_RESPONSE</code> bit should be
-set.
-</p>
-<p>
-(4) Call the data specific rendering function, such as
-<code class="function">lwres_gabnresponse_render()</code>.
-</p>
-<p>
-(5) Send the resulting packet to the client.
-</p>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526141"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_noop</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_gnba</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_context</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_config</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwresd</span>(8)</span>.
-
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.3 b/contrib/bind9/lib/lwres/man/lwres_buffer.3
deleted file mode 100644
index 93e888b0c389..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.3
+++ /dev/null
@@ -1,211 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_buffer.3,v 1.12.2.1.8.5 2005/10/13 02:33:58 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwbuffer.h>
-.fi
-.HP 23
-\fBvoid\ \fBlwres_buffer_init\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBvoid\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
-.HP 29
-\fBvoid\ \fBlwres_buffer_invalidate\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 22
-\fBvoid\ \fBlwres_buffer_add\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
-.HP 27
-\fBvoid\ \fBlwres_buffer_subtract\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
-.HP 24
-\fBvoid\ \fBlwres_buffer_clear\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 24
-\fBvoid\ \fBlwres_buffer_first\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 26
-\fBvoid\ \fBlwres_buffer_forward\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
-.HP 23
-\fBvoid\ \fBlwres_buffer_back\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ int\ n\fR\fB);\fR
-.HP 36
-\fBlwres_uint8_t\ \fBlwres_buffer_getuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 27
-\fBvoid\ \fBlwres_buffer_putuint8\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint8_t\ val\fR\fB);\fR
-.HP 38
-\fBlwres_uint16_t\ \fBlwres_buffer_getuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 28
-\fBvoid\ \fBlwres_buffer_putuint16\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint16_t\ val\fR\fB);\fR
-.HP 38
-\fBlwres_uint32_t\ \fBlwres_buffer_getuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 28
-\fBvoid\ \fBlwres_buffer_putuint32\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_uint32_t\ val\fR\fB);\fR
-.HP 25
-\fBvoid\ \fBlwres_buffer_putmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBconst\ unsigned\ char\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
-.HP 25
-\fBvoid\ \fBlwres_buffer_getmem\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBunsigned\ char\ *base\fR\fB, \fR\fBunsigned\ int\ length\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-These functions provide bounds checked access to a region of memory where data is being read or written. They are based on, and similar to, the
-isc_buffer_
-functions in the ISC library.
-.PP
-A buffer is a region of memory, together with a set of related subregions. The
-\fIused region\fR
-and the
-\fIavailable\fR
-region are disjoint, and their union is the buffer's region. The used region extends from the beginning of the buffer region to the last used byte. The available region extends from one byte greater than the last used byte to the end of the buffer's region. The size of the used region can be changed using various buffer commands. Initially, the used region is empty.
-.PP
-The used region is further subdivided into two disjoint regions: the
-\fIconsumed region\fR
-and the
-\fIremaining region\fR. The union of these two regions is the used region. The consumed region extends from the beginning of the used region to the byte before the
-\fIcurrent\fR
-offset (if any). The
-\fIremaining\fR
-region the current pointer to the end of the used region. The size of the consumed region can be changed using various buffer commands. Initially, the consumed region is empty.
-.PP
-The
-\fIactive region\fR
-is an (optional) subregion of the remaining region. It extends from the current offset to an offset in the remaining region. Initially, the active region is empty. If the current offset advances beyond the chosen offset, the active region will also be empty.
-.PP
-.nf
- /\-\-\-\-\-\-\-\-\-\-\-\-entire length\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\\\\
- /\-\-\-\-\- used region \-\-\-\-\-\\\\/\-\- available \-\-\\\\
- +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
- | consumed | remaining | |
- +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
- a b c d e
- a == base of buffer.
- b == current pointer. Can be anywhere between a and d.
- c == active pointer. Meaningful between b and d.
- d == used pointer.
- e == length of buffer.
- a\-e == entire length of buffer.
- a\-d == used region.
- a\-b == consumed region.
- b\-d == remaining region.
- b\-c == optional active region.
-.fi
-.sp
-.PP
-\fBlwres_buffer_init()\fR
-initializes the
-\fBlwres_buffer_t\fR\fI*b\fR
-and assocates it with the memory region of size
-\fIlength\fR
-bytes starting at location
-\fIbase.\fR
-.PP
-\fBlwres_buffer_invalidate()\fR
-marks the buffer
-\fI*b\fR
-as invalid. Invalidating a buffer after use is not required, but makes it possible to catch its possible accidental use.
-.PP
-The functions
-\fBlwres_buffer_add()\fR
-and
-\fBlwres_buffer_subtract()\fR
-respectively increase and decrease the used space in buffer
-\fI*b\fR
-by
-\fIn\fR
-bytes.
-\fBlwres_buffer_add()\fR
-checks for buffer overflow and
-\fBlwres_buffer_subtract()\fR
-checks for underflow. These functions do not allocate or deallocate memory. They just change the value of
-used.
-.PP
-A buffer is re\-initialised by
-\fBlwres_buffer_clear()\fR. The function sets
-used
-,
-current
-and
-active
-to zero.
-.PP
-\fBlwres_buffer_first\fR
-makes the consumed region of buffer
-\fI*p\fR
-empty by setting
-current
-to zero (the start of the buffer).
-.PP
-\fBlwres_buffer_forward()\fR
-increases the consumed region of buffer
-\fI*b\fR
-by
-\fIn\fR
-bytes, checking for overflow. Similarly,
-\fBlwres_buffer_back()\fR
-decreases buffer
-\fIb\fR's consumed region by
-\fIn\fR
-bytes and checks for underflow.
-.PP
-\fBlwres_buffer_getuint8()\fR
-reads an unsigned 8\-bit integer from
-\fI*b\fR
-and returns it.
-\fBlwres_buffer_putuint8()\fR
-writes the unsigned 8\-bit integer
-\fIval\fR
-to buffer
-\fI*b\fR.
-.PP
-\fBlwres_buffer_getuint16()\fR
-and
-\fBlwres_buffer_getuint32()\fR
-are identical to
-\fBlwres_buffer_putuint8()\fR
-except that they respectively read an unsigned 16\-bit or 32\-bit integer in network byte order from
-\fIb\fR. Similarly,
-\fBlwres_buffer_putuint16()\fR
-and
-\fBlwres_buffer_putuint32()\fR
-writes the unsigned 16\-bit or 32\-bit integer
-\fIval\fR
-to buffer
-\fIb\fR, in network byte order.
-.PP
-Arbitrary amounts of data are read or written from a lightweight resolver buffer with
-\fBlwres_buffer_getmem()\fR
-and
-\fBlwres_buffer_putmem()\fR
-respectively.
-\fBlwres_buffer_putmem()\fR
-copies
-\fIlength\fR
-bytes of memory at
-\fIbase\fR
-to
-\fIb\fR. Conversely,
-\fBlwres_buffer_getmem()\fR
-copies
-\fIlength\fR
-bytes of memory from
-\fIb\fR
-to
-\fIbase\fR.
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.docbook b/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
deleted file mode 100644
index c70aee508e77..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
+++ /dev/null
@@ -1,393 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_buffer.docbook,v 1.3.206.3 2005/05/12 21:36:11 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_buffer</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_buffer_init</refname>
-<refname>lwres_buffer_invalidate</refname>
-<refname>lwres_buffer_add</refname>
-<refname>lwres_buffer_subtract</refname>
-<refname>lwres_buffer_clear</refname>
-<refname>lwres_buffer_first</refname>
-<refname>lwres_buffer_forward</refname>
-<refname>lwres_buffer_back</refname>
-<refname>lwres_buffer_getuint8</refname>
-<refname>lwres_buffer_putuint8</refname>
-<refname>lwres_buffer_getuint16</refname>
-<refname>lwres_buffer_putuint16</refname>
-<refname>lwres_buffer_getuint32</refname>
-<refname>lwres_buffer_putuint32</refname>
-<refname>lwres_buffer_putmem</refname>
-<refname>lwres_buffer_getmem</refname>
-<refpurpose>lightweight resolver buffer management</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-
-<funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwbuffer.h&gt;
-</funcsynopsisinfo>
-
-<funcprototype>
-
-<funcdef>
-void
-<function>lwres_buffer_init</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>void *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_invalidate</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_add</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_subtract</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_clear</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_first</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_forward</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-<funcprototype>
-
-<funcdef>
-void
-<function>lwres_buffer_back</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned int n</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_uint8_t
-<function>lwres_buffer_getuint8</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putuint8</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint8_t val</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_uint16_t
-<function>lwres_buffer_getuint16</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putuint16</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint16_t val</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_uint32_t
-<function>lwres_buffer_getuint32</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putuint32</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_uint32_t val</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_putmem</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>const unsigned char *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_buffer_getmem</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>unsigned char *base</paramdef>
-<paramdef>unsigned int length</paramdef>
-</funcprototype>
-
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-
-<title>DESCRIPTION</title>
-<para>
-These functions provide bounds checked access to a region of memory
-where data is being read or written.
-They are based on, and similar to, the
-<literal>isc_buffer_</literal>
-functions in the ISC library.
-</para>
-<para>
-A buffer is a region of memory, together with a set of related
-subregions.
-The <emphasis>used region</emphasis> and the
-<emphasis>available</emphasis> region are disjoint, and
-their union is the buffer's region.
-The used region extends from the beginning of the buffer region to the
-last used byte.
-The available region extends from one byte greater than the last used
-byte to the end of the buffer's region.
-The size of the used region can be changed using various
-buffer commands.
-Initially, the used region is empty.
-</para>
-<para>
-The used region is further subdivided into two disjoint regions: the
-<emphasis>consumed region</emphasis> and the <emphasis>remaining region</emphasis>.
-The union of these two regions is the used region.
-The consumed region extends from the beginning of the used region to
-the byte before the <emphasis>current</emphasis> offset (if any).
-The <emphasis>remaining</emphasis> region the current pointer to the end of the used
-region.
-The size of the consumed region can be changed using various
-buffer commands.
-Initially, the consumed region is empty.
-</para>
-<para>
-The <emphasis>active region</emphasis> is an (optional) subregion of the remaining
-region.
-It extends from the current offset to an offset in the
-remaining region.
-Initially, the active region is empty.
-If the current offset advances beyond the chosen offset,
-the active region will also be empty.
-</para>
-<para>
-<programlisting>
-
- /------------entire length---------------\\
- /----- used region -----\\/-- available --\\
- +----------------------------------------+
- | consumed | remaining | |
- +----------------------------------------+
- a b c d e
-
- a == base of buffer.
- b == current pointer. Can be anywhere between a and d.
- c == active pointer. Meaningful between b and d.
- d == used pointer.
- e == length of buffer.
-
- a-e == entire length of buffer.
- a-d == used region.
- a-b == consumed region.
- b-d == remaining region.
- b-c == optional active region.
-</programlisting>
-</para>
-<para>
-<function>lwres_buffer_init()</function>
-initializes the
-<type>lwres_buffer_t</type>
-<parameter>*b</parameter>
-and assocates it with the memory region of size
-<parameter>length</parameter>
-bytes starting at location
-<parameter>base.</parameter>
-</para>
-<para>
-<function>lwres_buffer_invalidate()</function>
-marks the buffer
-<parameter>*b</parameter>
-as invalid. Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.
-</para>
-<para>
-The functions
-<function>lwres_buffer_add()</function>
-and
-<function>lwres_buffer_subtract()</function>
-respectively increase and decrease the used space in
-buffer
-<parameter>*b</parameter>
-by
-<parameter>n</parameter>
-bytes.
-<function>lwres_buffer_add()</function>
-checks for buffer overflow and
-<function>lwres_buffer_subtract()</function>
-checks for underflow.
-These functions do not allocate or deallocate memory.
-They just change the value of
-<structfield>used</structfield>.
-</para>
-<para>
-A buffer is re-initialised by
-<function>lwres_buffer_clear()</function>.
-The function sets
-<structfield>used</structfield> ,
-<structfield>current</structfield>
-and
-<structfield>active</structfield>
-to zero.
-</para>
-<para>
-<function>lwres_buffer_first</function>
-makes the consumed region of buffer
-<parameter>*p</parameter>
-empty by setting
-<structfield>current</structfield>
-to zero (the start of the buffer).
-</para>
-<para>
-<function>lwres_buffer_forward()</function>
-increases the consumed region of buffer
-<parameter>*b</parameter>
-by
-<parameter>n</parameter>
-bytes, checking for overflow.
-Similarly,
-<function>lwres_buffer_back()</function>
-decreases buffer
-<parameter>b</parameter>'s
-consumed region by
-<parameter>n</parameter>
-bytes and checks for underflow.
-</para>
-<para>
-<function>lwres_buffer_getuint8()</function>
-reads an unsigned 8-bit integer from
-<parameter>*b</parameter>
-and returns it.
-<function>lwres_buffer_putuint8()</function>
-writes the unsigned 8-bit integer
-<parameter>val</parameter>
-to buffer
-<parameter>*b</parameter>.
-</para>
-<para>
-<function>lwres_buffer_getuint16()</function>
-and
-<function>lwres_buffer_getuint32()</function>
-are identical to
-<function>lwres_buffer_putuint8()</function>
-except that they respectively read an unsigned 16-bit or 32-bit integer
-in network byte order from
-<parameter>b</parameter>.
-Similarly,
-<function>lwres_buffer_putuint16()</function>
-and
-<function>lwres_buffer_putuint32()</function>
-writes the unsigned 16-bit or 32-bit integer
-<parameter>val</parameter>
-to buffer
-<parameter>b</parameter>,
-in network byte order.
-</para>
-<para>
-Arbitrary amounts of data are read or written from a lightweight
-resolver buffer with
-<function>lwres_buffer_getmem()</function>
-and
-<function>lwres_buffer_putmem()</function>
-respectively.
-<function>lwres_buffer_putmem()</function>
-copies
-<parameter>length</parameter>
-bytes of memory at
-<parameter>base</parameter>
-to
-<parameter>b</parameter>.
-Conversely,
-<function>lwres_buffer_getmem()</function>
-copies
-<parameter>length</parameter>
-bytes of memory from
-<parameter>b</parameter>
-to
-<parameter>base</parameter>.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.html b/contrib/bind9/lib/lwres/man/lwres_buffer.html
deleted file mode 100644
index 5a203f1a15a4..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_buffer.html
+++ /dev/null
@@ -1,444 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_buffer.html,v 1.4.2.1.4.8 2005/10/13 02:33:55 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_buffer</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem &#8212; lightweight resolver buffer management</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwbuffer.h&gt;
-</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_init</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_invalidate</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_add</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_subtract</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_clear</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_first</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_forward</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_back</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint8_t
-<b class="fsfunc">lwres_buffer_getuint8</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint8</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint16_t
-<b class="fsfunc">lwres_buffer_getuint16</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint16</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint32_t
-<b class="fsfunc">lwres_buffer_getuint32</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putuint32</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_putmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_buffer_getmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526109"></a><h2>DESCRIPTION</h2>
-<p>
-These functions provide bounds checked access to a region of memory
-where data is being read or written.
-They are based on, and similar to, the
-<code class="literal">isc_buffer_</code>
-functions in the ISC library.
-</p>
-<p>
-A buffer is a region of memory, together with a set of related
-subregions.
-The <span class="emphasis"><em>used region</em></span> and the
-<span class="emphasis"><em>available</em></span> region are disjoint, and
-their union is the buffer's region.
-The used region extends from the beginning of the buffer region to the
-last used byte.
-The available region extends from one byte greater than the last used
-byte to the end of the buffer's region.
-The size of the used region can be changed using various
-buffer commands.
-Initially, the used region is empty.
-</p>
-<p>
-The used region is further subdivided into two disjoint regions: the
-<span class="emphasis"><em>consumed region</em></span> and the <span class="emphasis"><em>remaining region</em></span>.
-The union of these two regions is the used region.
-The consumed region extends from the beginning of the used region to
-the byte before the <span class="emphasis"><em>current</em></span> offset (if any).
-The <span class="emphasis"><em>remaining</em></span> region the current pointer to the end of the used
-region.
-The size of the consumed region can be changed using various
-buffer commands.
-Initially, the consumed region is empty.
-</p>
-<p>
-The <span class="emphasis"><em>active region</em></span> is an (optional) subregion of the remaining
-region.
-It extends from the current offset to an offset in the
-remaining region.
-Initially, the active region is empty.
-If the current offset advances beyond the chosen offset,
-the active region will also be empty.
-</p>
-<p>
-</p>
-<pre class="programlisting">
-
- /------------entire length---------------\\
- /----- used region -----\\/-- available --\\
- +----------------------------------------+
- | consumed | remaining | |
- +----------------------------------------+
- a b c d e
-
- a == base of buffer.
- b == current pointer. Can be anywhere between a and d.
- c == active pointer. Meaningful between b and d.
- d == used pointer.
- e == length of buffer.
-
- a-e == entire length of buffer.
- a-d == used region.
- a-b == consumed region.
- b-d == remaining region.
- b-c == optional active region.
-</pre>
-<p>
-</p>
-<p>
-<code class="function">lwres_buffer_init()</code>
-initializes the
-<span class="type">lwres_buffer_t</span>
-<em class="parameter"><code>*b</code></em>
-and assocates it with the memory region of size
-<em class="parameter"><code>length</code></em>
-bytes starting at location
-<em class="parameter"><code>base.</code></em>
-</p>
-<p>
-<code class="function">lwres_buffer_invalidate()</code>
-marks the buffer
-<em class="parameter"><code>*b</code></em>
-as invalid. Invalidating a buffer after use is not required,
-but makes it possible to catch its possible accidental use.
-</p>
-<p>
-The functions
-<code class="function">lwres_buffer_add()</code>
-and
-<code class="function">lwres_buffer_subtract()</code>
-respectively increase and decrease the used space in
-buffer
-<em class="parameter"><code>*b</code></em>
-by
-<em class="parameter"><code>n</code></em>
-bytes.
-<code class="function">lwres_buffer_add()</code>
-checks for buffer overflow and
-<code class="function">lwres_buffer_subtract()</code>
-checks for underflow.
-These functions do not allocate or deallocate memory.
-They just change the value of
-<em class="structfield"><code>used</code></em>.
-</p>
-<p>
-A buffer is re-initialised by
-<code class="function">lwres_buffer_clear()</code>.
-The function sets
-<em class="structfield"><code>used</code></em> ,
-<em class="structfield"><code>current</code></em>
-and
-<em class="structfield"><code>active</code></em>
-to zero.
-</p>
-<p>
-<code class="function">lwres_buffer_first</code>
-makes the consumed region of buffer
-<em class="parameter"><code>*p</code></em>
-empty by setting
-<em class="structfield"><code>current</code></em>
-to zero (the start of the buffer).
-</p>
-<p>
-<code class="function">lwres_buffer_forward()</code>
-increases the consumed region of buffer
-<em class="parameter"><code>*b</code></em>
-by
-<em class="parameter"><code>n</code></em>
-bytes, checking for overflow.
-Similarly,
-<code class="function">lwres_buffer_back()</code>
-decreases buffer
-<em class="parameter"><code>b</code></em>'s
-consumed region by
-<em class="parameter"><code>n</code></em>
-bytes and checks for underflow.
-</p>
-<p>
-<code class="function">lwres_buffer_getuint8()</code>
-reads an unsigned 8-bit integer from
-<em class="parameter"><code>*b</code></em>
-and returns it.
-<code class="function">lwres_buffer_putuint8()</code>
-writes the unsigned 8-bit integer
-<em class="parameter"><code>val</code></em>
-to buffer
-<em class="parameter"><code>*b</code></em>.
-</p>
-<p>
-<code class="function">lwres_buffer_getuint16()</code>
-and
-<code class="function">lwres_buffer_getuint32()</code>
-are identical to
-<code class="function">lwres_buffer_putuint8()</code>
-except that they respectively read an unsigned 16-bit or 32-bit integer
-in network byte order from
-<em class="parameter"><code>b</code></em>.
-Similarly,
-<code class="function">lwres_buffer_putuint16()</code>
-and
-<code class="function">lwres_buffer_putuint32()</code>
-writes the unsigned 16-bit or 32-bit integer
-<em class="parameter"><code>val</code></em>
-to buffer
-<em class="parameter"><code>b</code></em>,
-in network byte order.
-</p>
-<p>
-Arbitrary amounts of data are read or written from a lightweight
-resolver buffer with
-<code class="function">lwres_buffer_getmem()</code>
-and
-<code class="function">lwres_buffer_putmem()</code>
-respectively.
-<code class="function">lwres_buffer_putmem()</code>
-copies
-<em class="parameter"><code>length</code></em>
-bytes of memory at
-<em class="parameter"><code>base</code></em>
-to
-<em class="parameter"><code>b</code></em>.
-Conversely,
-<code class="function">lwres_buffer_getmem()</code>
-copies
-<em class="parameter"><code>length</code></em>
-bytes of memory from
-<em class="parameter"><code>b</code></em>
-to
-<em class="parameter"><code>base</code></em>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.3 b/contrib/bind9/lib/lwres/man/lwres_config.3
deleted file mode 100644
index 943028375187..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_config.3
+++ /dev/null
@@ -1,97 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_config.3,v 1.12.2.1.8.5 2005/10/13 02:33:58 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 21
-\fBvoid\ \fBlwres_conf_init\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
-.HP 22
-\fBvoid\ \fBlwres_conf_clear\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
-.HP 32
-\fBlwres_result_t\ \fBlwres_conf_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBconst\ char\ *filename\fR\fB);\fR
-.HP 32
-\fBlwres_result_t\ \fBlwres_conf_print\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBFILE\ *fp\fR\fB);\fR
-.HP 30
-\fBlwres_conf_t\ *\ \fBlwres_conf_get\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-\fBlwres_conf_init()\fR
-creates an empty
-\fBlwres_conf_t\fR
-structure for lightweight resolver context
-\fIctx\fR.
-.PP
-\fBlwres_conf_clear()\fR
-frees up all the internal memory used by that
-\fBlwres_conf_t\fR
-structure in resolver context
-\fIctx\fR.
-.PP
-\fBlwres_conf_parse()\fR
-opens the file
-\fIfilename\fR
-and parses it to initialise the resolver context
-\fIctx\fR's
-\fBlwres_conf_t\fR
-structure.
-.PP
-\fBlwres_conf_print()\fR
-prints the
-\fBlwres_conf_t\fR
-structure for resolver context
-\fIctx\fR
-to the
-\fBFILE\fR\fIfp\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_conf_parse()\fR
-returns
-\fBLWRES_R_SUCCESS\fR
-if it successfully read and parsed
-\fIfilename\fR. It returns
-\fBLWRES_R_FAILURE\fR
-if
-\fIfilename\fR
-could not be opened or contained incorrect resolver statements.
-.PP
-\fBlwres_conf_print()\fR
-returns
-\fBLWRES_R_SUCCESS\fR
-unless an error occurred when converting the network addresses to a numeric host address string. If this happens, the function returns
-\fBLWRES_R_FAILURE\fR.
-.SH "SEE ALSO"
-.PP
-\fBstdio\fR(3),
-\fBresolver\fR(5).
-.SH "FILES"
-.PP
-\fI/etc/resolv.conf\fR
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.docbook b/contrib/bind9/lib/lwres/man/lwres_config.docbook
deleted file mode 100644
index 03426beb3274..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_config.docbook
+++ /dev/null
@@ -1,175 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_config.docbook,v 1.2.206.3 2005/05/12 21:36:12 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_config</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_conf_init</refname>
-<refname>lwres_conf_clear</refname>
-<refname>lwres_conf_parse</refname>
-<refname>lwres_conf_print</refname>
-<refname>lwres_conf_get</refname>
-<refpurpose>lightweight resolver configuration</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_conf_init</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_conf_clear</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_conf_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>const char *filename</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_conf_print</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>FILE *fp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_conf_t *
-<function>lwres_conf_get</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_conf_init()</function>
-creates an empty
-<type>lwres_conf_t</type>
-structure for lightweight resolver context
-<parameter>ctx</parameter>.
-</para>
-<para>
-<function>lwres_conf_clear()</function>
-frees up all the internal memory used by
-that
-<type>lwres_conf_t</type>
-structure in resolver context
-<parameter>ctx</parameter>.
-</para>
-<para>
-<function>lwres_conf_parse()</function>
-opens the file
-<parameter>filename</parameter>
-and parses it to initialise the resolver context
-<parameter>ctx</parameter>'s
-<type>lwres_conf_t</type>
-structure.
-</para>
-<para>
-<function>lwres_conf_print()</function>
-prints the
-<type>lwres_conf_t</type>
-structure for resolver context
-<parameter>ctx</parameter>
-to the
-<type>FILE</type>
-<parameter>fp</parameter>.
-</para>
-</refsect1>
-<refsect1>
-
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_conf_parse()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-if it successfully read and parsed
-<parameter>filename</parameter>.
-It returns
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<parameter>filename</parameter>
-could not be opened or contained incorrect
-resolver statements.
-</para>
-<para>
-<function>lwres_conf_print()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-unless an error occurred when converting the network addresses to a
-numeric host address string.
-If this happens, the function returns
-<errorcode>LWRES_R_FAILURE</errorcode>.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.html b/contrib/bind9/lib/lwres/man/lwres_config.html
deleted file mode 100644
index 7ea416b62b6f..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_config.html
+++ /dev/null
@@ -1,166 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_config.html,v 1.4.2.1.4.9 2005/10/13 02:33:55 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_config</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get &#8212; lightweight resolver configuration</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_conf_init</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_conf_clear</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_conf_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_conf_print</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-lwres_conf_t *
-<b class="fsfunc">lwres_conf_get</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525910"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_conf_init()</code>
-creates an empty
-<span class="type">lwres_conf_t</span>
-structure for lightweight resolver context
-<em class="parameter"><code>ctx</code></em>.
-</p>
-<p>
-<code class="function">lwres_conf_clear()</code>
-frees up all the internal memory used by
-that
-<span class="type">lwres_conf_t</span>
-structure in resolver context
-<em class="parameter"><code>ctx</code></em>.
-</p>
-<p>
-<code class="function">lwres_conf_parse()</code>
-opens the file
-<em class="parameter"><code>filename</code></em>
-and parses it to initialise the resolver context
-<em class="parameter"><code>ctx</code></em>'s
-<span class="type">lwres_conf_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_conf_print()</code>
-prints the
-<span class="type">lwres_conf_t</span>
-structure for resolver context
-<em class="parameter"><code>ctx</code></em>
-to the
-<span class="type">FILE</span>
-<em class="parameter"><code>fp</code></em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525981"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_conf_parse()</code>
-returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
-if it successfully read and parsed
-<em class="parameter"><code>filename</code></em>.
-It returns
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<em class="parameter"><code>filename</code></em>
-could not be opened or contained incorrect
-resolver statements.
-</p>
-<p>
-<code class="function">lwres_conf_print()</code>
-returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
-unless an error occurred when converting the network addresses to a
-numeric host address string.
-If this happens, the function returns
-<span class="errorcode">LWRES_R_FAILURE</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526021"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">stdio</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526048"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.3 b/contrib/bind9/lib/lwres/man/lwres_context.3
deleted file mode 100644
index be8cd3870893..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_context.3
+++ /dev/null
@@ -1,161 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_context.3,v 1.13.2.2.2.6 2005/10/13 02:33:52 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 36
-\fBlwres_result_t\ \fBlwres_context_create\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB, \fR\fBvoid\ *arg\fR\fB, \fR\fBlwres_malloc_t\ malloc_function\fR\fB, \fR\fBlwres_free_t\ free_function\fR\fB);\fR
-.HP 37
-\fBlwres_result_t\ \fBlwres_context_destroy\fR\fR\fB(\fR\fBlwres_context_t\ **contextp\fR\fB);\fR
-.HP 30
-\fBvoid\ \fBlwres_context_initserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_uint32_t\ serial\fR\fB);\fR
-.HP 40
-\fBlwres_uint32_t\ \fBlwres_context_nextserial\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB);\fR
-.HP 27
-\fBvoid\ \fBlwres_context_freemem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *mem\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR
-.HP 28
-\fBvoid\ \fBlwres_context_allocmem\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBsize_t\ len\fR\fB);\fR
-.HP 30
-\fBvoid\ *\ \fBlwres_context_sendrecv\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBvoid\ *sendbase\fR\fB, \fR\fBint\ sendlen\fR\fB, \fR\fBvoid\ *recvbase\fR\fB, \fR\fBint\ recvlen\fR\fB, \fR\fBint\ *recvd_len\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-\fBlwres_context_create()\fR
-creates a
-\fBlwres_context_t\fR
-structure for use in lightweight resolver operations. It holds a socket and other data needed for communicating with a resolver daemon. The new
-\fBlwres_context_t\fR
-is returned through
-\fIcontextp\fR, a pointer to a
-\fBlwres_context_t\fR
-pointer. This
-\fBlwres_context_t\fR
-pointer must initially be NULL, and is modified to point to the newly created
-\fBlwres_context_t\fR.
-.PP
-When the lightweight resolver needs to perform dynamic memory allocation, it will call
-\fImalloc_function\fR
-to allocate memory and
-\fIfree_function\fR
-to free it. If
-\fImalloc_function\fR
-and
-\fIfree_function\fR
-are NULL, memory is allocated using .Xr malloc 3 and
-\fBfree\fR(3). It is not permitted to have a NULL
-\fImalloc_function\fR
-and a non\-NULL
-\fIfree_function\fR
-or vice versa.
-\fIarg\fR
-is passed as the first parameter to the memory allocation functions. If
-\fImalloc_function\fR
-and
-\fIfree_function\fR
-are NULL,
-\fIarg\fR
-is unused and should be passed as NULL.
-.PP
-Once memory for the structure has been allocated, it is initialized using
-\fBlwres_conf_init\fR(3)
-and returned via
-\fI*contextp\fR.
-.PP
-\fBlwres_context_destroy()\fR
-destroys a
-\fBlwres_context_t\fR, closing its socket.
-\fIcontextp\fR
-is a pointer to a pointer to the context that is to be destroyed. The pointer will be set to NULL when the context has been destroyed.
-.PP
-The context holds a serial number that is used to identify resolver request packets and associate responses with the corresponding requests. This serial number is controlled using
-\fBlwres_context_initserial()\fR
-and
-\fBlwres_context_nextserial()\fR.
-\fBlwres_context_initserial()\fR
-sets the serial number for context
-\fI*ctx\fR
-to
-\fIserial\fR.
-\fBlwres_context_nextserial()\fR
-increments the serial number and returns the previous value.
-.PP
-Memory for a lightweight resolver context is allocated and freed using
-\fBlwres_context_allocmem()\fR
-and
-\fBlwres_context_freemem()\fR. These use whatever allocations were defined when the context was created with
-\fBlwres_context_create()\fR.
-\fBlwres_context_allocmem()\fR
-allocates
-\fIlen\fR
-bytes of memory and if successful returns a pointer to the allocated storage.
-\fBlwres_context_freemem()\fR
-frees
-\fIlen\fR
-bytes of space starting at location
-\fImem\fR.
-.PP
-\fBlwres_context_sendrecv()\fR
-performs I/O for the context
-\fIctx\fR. Data are read and written from the context's socket. It writes data from
-\fIsendbase\fR
-\(em typically a lightweight resolver query packet \(em and waits for a reply which is copied to the receive buffer at
-\fIrecvbase\fR. The number of bytes that were written to this receive buffer is returned in
-\fI*recvd_len\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_context_create()\fR
-returns
-\fBLWRES_R_NOMEMORY\fR
-if memory for the
-\fBstruct lwres_context\fR
-could not be allocated,
-\fBLWRES_R_SUCCESS\fR
-otherwise.
-.PP
-Successful calls to the memory allocator
-\fBlwres_context_allocmem()\fR
-return a pointer to the start of the allocated space. It returns NULL if memory could not be allocated.
-.PP
-\fBLWRES_R_SUCCESS\fR
-is returned when
-\fBlwres_context_sendrecv()\fR
-completes successfully.
-\fBLWRES_R_IOERROR\fR
-is returned if an I/O error occurs and
-\fBLWRES_R_TIMEOUT\fR
-is returned if
-\fBlwres_context_sendrecv()\fR
-times out waiting for a response.
-.SH "SEE ALSO"
-.PP
-\fBlwres_conf_init\fR(3),
-\fBmalloc\fR(3),
-\fBfree\fR(3 ).
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.docbook b/contrib/bind9/lib/lwres/man/lwres_context.docbook
deleted file mode 100644
index 48d43362e1ee..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_context.docbook
+++ /dev/null
@@ -1,300 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_context.docbook,v 1.3.2.2.2.3 2005/05/12 21:36:12 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_context</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_context_create</refname>
-<refname>lwres_context_destroy</refname>
-<refname>lwres_context_nextserial</refname>
-<refname>lwres_context_initserial</refname>
-<refname>lwres_context_freemem</refname>
-<refname>lwres_context_allocmem</refname>
-<refname>lwres_context_sendrecv</refname>
-<refpurpose>lightweight resolver context management</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_context_create</function></funcdef>
-<paramdef>lwres_context_t **contextp</paramdef>
-<paramdef>void *arg</paramdef>
-<paramdef>lwres_malloc_t malloc_function</paramdef>
-<paramdef>lwres_free_t free_function</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_context_destroy</function></funcdef>
-<paramdef>lwres_context_t **contextp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_context_initserial</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_uint32_t serial</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_uint32_t
-<function>lwres_context_nextserial</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_context_freemem</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>void *mem</paramdef>
-<paramdef>size_t len</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_context_allocmem</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>size_t len</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void *
-<function>lwres_context_sendrecv</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>void *sendbase</paramdef>
-<paramdef>int sendlen</paramdef>
-<paramdef>void *recvbase</paramdef>
-<paramdef>int recvlen</paramdef>
-<paramdef>int *recvd_len</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_context_create()</function>
-creates a
-<type>lwres_context_t</type>
-structure for use in lightweight resolver operations.
-It holds a socket and other data needed for communicating
-with a resolver daemon.
-The new
-<type>lwres_context_t</type>
-is returned through
-<parameter>contextp</parameter>,
-
-a pointer to a
-<type>lwres_context_t</type>
-pointer. This
-<type>lwres_context_t</type>
-pointer must initially be NULL, and is modified
-to point to the newly created
-<type>lwres_context_t</type>.
-
-</para>
-<para>
-When the lightweight resolver needs to perform dynamic memory
-allocation, it will call
-<parameter>malloc_function</parameter>
-to allocate memory and
-<parameter>free_function</parameter>
-
-to free it. If
-<parameter>malloc_function</parameter>
-and
-<parameter>free_function</parameter>
-
-are NULL, memory is allocated using
-.Xr malloc 3
-and
-<citerefentry>
-<refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-
-It is not permitted to have a NULL
-<parameter>malloc_function</parameter>
-and a non-NULL
-<parameter>free_function</parameter>
-or vice versa.
-<parameter>arg</parameter>
-is passed as the first parameter to the memory
-allocation functions.
-If
-<parameter>malloc_function</parameter>
-and
-<parameter>free_function</parameter>
-are NULL,
-<parameter>arg</parameter>
-
-is unused and should be passed as NULL.
-</para>
-<para>
-Once memory for the structure has been allocated,
-it is initialized using
-<citerefentry>
-<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>
-
-and returned via
-<parameter>*contextp</parameter>.
-
-</para>
-<para>
-<function>lwres_context_destroy()</function>
-destroys a
-<type>lwres_context_t</type>,
-
-closing its socket.
-<parameter>contextp</parameter>
-is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.
-</para>
-<para>
-The context holds a serial number that is used to identify resolver
-request packets and associate responses with the corresponding requests.
-This serial number is controlled using
-<function>lwres_context_initserial()</function>
-and
-<function>lwres_context_nextserial()</function>.
-<function>lwres_context_initserial()</function>
-sets the serial number for context
-<parameter>*ctx</parameter>
-to
-<parameter>serial</parameter>.
-
-<function>lwres_context_nextserial()</function>
-increments the serial number and returns the previous value.
-</para>
-<para>
-Memory for a lightweight resolver context is allocated and freed using
-<function>lwres_context_allocmem()</function>
-and
-<function>lwres_context_freemem()</function>.
-These use whatever allocations were defined when the context was
-created with
-<function>lwres_context_create()</function>.
-<function>lwres_context_allocmem()</function>
-allocates
-<parameter>len</parameter>
-bytes of memory and if successful returns a pointer to the allocated
-storage.
-<function>lwres_context_freemem()</function>
-frees
-<parameter>len</parameter>
-bytes of space starting at location
-<parameter>mem</parameter>.
-
-</para>
-<para>
-<function>lwres_context_sendrecv()</function>
-performs I/O for the context
-<parameter>ctx</parameter>.
-
-Data are read and written from the context's socket.
-It writes data from
-<parameter>sendbase</parameter>
-&mdash; typically a lightweight resolver query packet &mdash;
-and waits for a reply which is copied to the receive buffer at
-<parameter>recvbase</parameter>.
-
-The number of bytes that were written to this receive buffer is
-returned in
-<parameter>*recvd_len</parameter>.
-
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_context_create()</function>
-returns
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory for the
-<type>struct lwres_context</type>
-could not be allocated,
-<errorcode>LWRES_R_SUCCESS</errorcode>
-otherwise.
-</para>
-<para>
-Successful calls to the memory allocator
-<function>lwres_context_allocmem()</function>
-return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.
-</para>
-<para>
-<errorcode>LWRES_R_SUCCESS</errorcode>
-is returned when
-<function>lwres_context_sendrecv()</function>
-completes successfully.
-<errorcode>LWRES_R_IOERROR</errorcode>
-is returned if an I/O error occurs and
-<errorcode>LWRES_R_TIMEOUT</errorcode>
-is returned if
-<function>lwres_context_sendrecv()</function>
-times out waiting for a response.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>free</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.html b/contrib/bind9/lib/lwres/man/lwres_context.html
deleted file mode 100644
index 8988c5dc102f..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_context.html
+++ /dev/null
@@ -1,335 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_context.html,v 1.5.2.2.2.10 2005/10/13 02:33:55 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_context</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv &#8212; lightweight resolver context management</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_context_create</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_context_destroy</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_initserial</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-lwres_uint32_t
-<b class="fsfunc">lwres_context_nextserial</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_freemem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_context_allocmem</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void *
-<b class="fsfunc">lwres_context_sendrecv</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525975"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_context_create()</code>
-creates a
-<span class="type">lwres_context_t</span>
-structure for use in lightweight resolver operations.
-It holds a socket and other data needed for communicating
-with a resolver daemon.
-The new
-<span class="type">lwres_context_t</span>
-is returned through
-<em class="parameter"><code>contextp</code></em>,
-
-a pointer to a
-<span class="type">lwres_context_t</span>
-pointer. This
-<span class="type">lwres_context_t</span>
-pointer must initially be NULL, and is modified
-to point to the newly created
-<span class="type">lwres_context_t</span>.
-
-</p>
-<p>
-When the lightweight resolver needs to perform dynamic memory
-allocation, it will call
-<em class="parameter"><code>malloc_function</code></em>
-to allocate memory and
-<em class="parameter"><code>free_function</code></em>
-
-to free it. If
-<em class="parameter"><code>malloc_function</code></em>
-and
-<em class="parameter"><code>free_function</code></em>
-
-are NULL, memory is allocated using
-.Xr malloc 3
-and
-<span class="citerefentry"><span class="refentrytitle">free</span>(3)</span>.
-
-It is not permitted to have a NULL
-<em class="parameter"><code>malloc_function</code></em>
-and a non-NULL
-<em class="parameter"><code>free_function</code></em>
-or vice versa.
-<em class="parameter"><code>arg</code></em>
-is passed as the first parameter to the memory
-allocation functions.
-If
-<em class="parameter"><code>malloc_function</code></em>
-and
-<em class="parameter"><code>free_function</code></em>
-are NULL,
-<em class="parameter"><code>arg</code></em>
-
-is unused and should be passed as NULL.
-</p>
-<p>
-Once memory for the structure has been allocated,
-it is initialized using
-<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>
-
-and returned via
-<em class="parameter"><code>*contextp</code></em>.
-
-</p>
-<p>
-<code class="function">lwres_context_destroy()</code>
-destroys a
-<span class="type">lwres_context_t</span>,
-
-closing its socket.
-<em class="parameter"><code>contextp</code></em>
-is a pointer to a pointer to the context that is to be destroyed.
-The pointer will be set to NULL when the context has been destroyed.
-</p>
-<p>
-The context holds a serial number that is used to identify resolver
-request packets and associate responses with the corresponding requests.
-This serial number is controlled using
-<code class="function">lwres_context_initserial()</code>
-and
-<code class="function">lwres_context_nextserial()</code>.
-<code class="function">lwres_context_initserial()</code>
-sets the serial number for context
-<em class="parameter"><code>*ctx</code></em>
-to
-<em class="parameter"><code>serial</code></em>.
-
-<code class="function">lwres_context_nextserial()</code>
-increments the serial number and returns the previous value.
-</p>
-<p>
-Memory for a lightweight resolver context is allocated and freed using
-<code class="function">lwres_context_allocmem()</code>
-and
-<code class="function">lwres_context_freemem()</code>.
-These use whatever allocations were defined when the context was
-created with
-<code class="function">lwres_context_create()</code>.
-<code class="function">lwres_context_allocmem()</code>
-allocates
-<em class="parameter"><code>len</code></em>
-bytes of memory and if successful returns a pointer to the allocated
-storage.
-<code class="function">lwres_context_freemem()</code>
-frees
-<em class="parameter"><code>len</code></em>
-bytes of space starting at location
-<em class="parameter"><code>mem</code></em>.
-
-</p>
-<p>
-<code class="function">lwres_context_sendrecv()</code>
-performs I/O for the context
-<em class="parameter"><code>ctx</code></em>.
-
-Data are read and written from the context's socket.
-It writes data from
-<em class="parameter"><code>sendbase</code></em>
-&#8212; typically a lightweight resolver query packet &#8212;
-and waits for a reply which is copied to the receive buffer at
-<em class="parameter"><code>recvbase</code></em>.
-
-The number of bytes that were written to this receive buffer is
-returned in
-<em class="parameter"><code>*recvd_len</code></em>.
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526156"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_context_create()</code>
-returns
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory for the
-<span class="type">struct lwres_context</span>
-could not be allocated,
-<span class="errorcode">LWRES_R_SUCCESS</span>
-otherwise.
-</p>
-<p>
-Successful calls to the memory allocator
-<code class="function">lwres_context_allocmem()</code>
-return a pointer to the start of the allocated space.
-It returns NULL if memory could not be allocated.
-</p>
-<p>
-<span class="errorcode">LWRES_R_SUCCESS</span>
-is returned when
-<code class="function">lwres_context_sendrecv()</code>
-completes successfully.
-<span class="errorcode">LWRES_R_IOERROR</span>
-is returned if an I/O error occurs and
-<span class="errorcode">LWRES_R_TIMEOUT</span>
-is returned if
-<code class="function">lwres_context_sendrecv()</code>
-times out waiting for a response.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526208"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_conf_init</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">malloc</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">free</span>(3
-)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.3 b/contrib/bind9/lib/lwres/man/lwres_gabn.3
deleted file mode 100644
index 60a56fe46b35..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.3
+++ /dev/null
@@ -1,166 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_gabn.3,v 1.13.2.1.8.5 2005/10/13 02:33:52 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-\fBlwres_result_t\ \fBlwres_gabnrequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnrequest_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 41
-\fBlwres_result_t\ \fBlwres_gabnresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 39
-\fBlwres_result_t\ \fBlwres_gabnrequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gabnrequest_t\ **structp\fR\fB);\fR
-.HP 40
-\fBlwres_result_t\ \fBlwres_gabnresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
-.HP 29
-\fBvoid\ \fBlwres_gabnresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
-.HP 28
-\fBvoid\ \fBlwres_gabnrequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gabnrequest_t\ **structp\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-These are low\-level routines for creating and parsing lightweight resolver name\-to\-address lookup request and response messages.
-.PP
-There are four main functions for the getaddrbyname opcode. One render function converts a getaddrbyname request structure \(em
-\fBlwres_gabnrequest_t\fR
-\(em to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getaddrbyname request structure. Another render function converts the getaddrbyname response structure \(em
-\fBlwres_gabnresponse_t\fR
-\(em to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getaddrbyname response structure.
-.PP
-These structures are defined in
-\fI<lwres/lwres.h>\fR. They are shown below.
-.sp
-.nf
-#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-.fi
-.sp
-.PP
-\fBlwres_gabnrequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert getaddrbyname request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_gabnresponse_render()\fR
-performs the same task, except it converts a getaddrbyname response structure
-\fBlwres_gabnresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_gabnrequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_gabnrequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
-\fBlwres_gabnrequest_t\fR
-is made available through
-\fI*structp\fR.
-\fBlwres_gabnresponse_parse()\fR
-offers the same semantics as
-\fBlwres_gabnrequest_parse()\fR
-except it yields a
-\fBlwres_gabnresponse_t\fR
-structure.
-.PP
-\fBlwres_gabnresponse_free()\fR
-and
-\fBlwres_gabnrequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_gabnresponse_t\fR
-or
-\fBlwres_gabnrequest_t\fR
-structures referenced via
-\fIstructp\fR. Any memory associated with ancillary buffers and strings for those structures is also discarded.
-.SH "RETURN VALUES"
-.PP
-The getaddrbyname opcode functions
-\fBlwres_gabnrequest_render()\fR,
-\fBlwres_gabnresponse_render()\fR\fBlwres_gabnrequest_parse()\fR
-and
-\fBlwres_gabnresponse_parse()\fR
-all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
-if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_gabnrequest_t\fR
-and
-\fBlwres_gabnresponse_t\fR
-structures.
-\fBlwres_gabnrequest_parse()\fR
-and
-\fBlwres_gabnresponse_parse()\fR
-will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
-if
-pktflags
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3 )
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
deleted file mode 100644
index 6e90ea3905b3..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
+++ /dev/null
@@ -1,271 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gabn.docbook,v 1.3.206.3 2005/05/12 21:36:12 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_gabn</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_gabnrequest_render</refname>
-<refname>lwres_gabnresponse_render</refname>
-<refname>lwres_gabnrequest_parse</refname>
-<refname>lwres_gabnresponse_parse</refname>
-<refname>lwres_gabnresponse_free</refname>
-<refname>lwres_gabnrequest_free</refname>
-<refpurpose>lightweight resolver getaddrbyname message handling</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnrequest_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnrequest_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnresponse_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnrequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gabnrequest_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gabnresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gabnresponse_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gabnrequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gabnrequest_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver name-to-address lookup request and
-response messages.
-</para><para>
-There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure &mdash;
-<type>lwres_gabnrequest_t</type> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure &mdash;
-<type>lwres_gabnresponse_t</type> &mdash;
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.
-</para>
-<para>
-These structures are defined in
-<filename>&lt;lwres/lwres.h&gt;</filename>.
-They are shown below.
-<programlisting>
-#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-</programlisting>
-</para>
-<para>
-<function>lwres_gabnrequest_render()</function>
-uses resolver context
-<parameter>ctx</parameter>
-to convert getaddrbyname request structure
-<parameter>req</parameter>
-to canonical format.
-The packet header structure
-<parameter>pkt</parameter>
-is initialised and transferred to
-buffer
-<parameter>b</parameter>.
-
-The contents of
-<parameter>*req</parameter>
-are then appended to the buffer in canonical format.
-<function>lwres_gabnresponse_render()</function>
-performs the same task, except it converts a getaddrbyname response structure
-<type>lwres_gabnresponse_t</type>
-to the lightweight resolver's canonical format.
-</para>
-<para>
-<function>lwres_gabnrequest_parse()</function>
-uses context
-<parameter>ctx</parameter>
-to convert the contents of packet
-<parameter>pkt</parameter>
-to a
-<type>lwres_gabnrequest_t</type>
-structure.
-Buffer
-<parameter>b</parameter>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<type>lwres_gabnrequest_t</type>
-is made available through
-<parameter>*structp</parameter>.
-
-<function>lwres_gabnresponse_parse()</function>
-offers the same semantics as
-<function>lwres_gabnrequest_parse()</function>
-except it yields a
-<type>lwres_gabnresponse_t</type>
-structure.
-</para>
-<para>
-<function>lwres_gabnresponse_free()</function>
-and
-<function>lwres_gabnrequest_free()</function>
-release the memory in resolver context
-<parameter>ctx</parameter>
-that was allocated to the
-<type>lwres_gabnresponse_t</type>
-or
-<type>lwres_gabnrequest_t</type>
-structures referenced via
-<parameter>structp</parameter>.
-
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The getaddrbyname opcode functions
-<function>lwres_gabnrequest_render()</function>,
-<function>lwres_gabnresponse_render()</function>
-<function>lwres_gabnrequest_parse()</function>
-and
-<function>lwres_gabnresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<parameter>b</parameter>
-is too small to accommodate the packet header or the
-<type>lwres_gabnrequest_t</type>
-and
-<type>lwres_gabnresponse_t</type>
-structures.
-<function>lwres_gabnrequest_parse()</function>
-and
-<function>lwres_gabnresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<structfield>pktflags</structfield>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.html b/contrib/bind9/lib/lwres/man/lwres_gabn.html
deleted file mode 100644
index 771394508a28..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gabn.html
+++ /dev/null
@@ -1,327 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_gabn.html,v 1.6.2.1.4.9 2005/10/13 02:33:55 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gabn</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free &#8212; lightweight resolver getaddrbyname message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnrequest_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnresponse_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnrequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gabnresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gabnresponse_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gabnrequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525963"></a><h2>DESCRIPTION</h2>
-<p>
-These are low-level routines for creating and parsing
-lightweight resolver name-to-address lookup request and
-response messages.
-</p>
-<p>
-There are four main functions for the getaddrbyname opcode.
-One render function converts a getaddrbyname request structure &#8212;
-<span class="type">lwres_gabnrequest_t</span> &#8212;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getaddrbyname request structure.
-Another render function converts the getaddrbyname response structure &#8212;
-<span class="type">lwres_gabnresponse_t</span> &#8212;
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getaddrbyname response structure.
-</p>
-<p>
-These structures are defined in
-<code class="filename">&lt;lwres/lwres.h&gt;</code>.
-They are shown below.
-</p>
-<pre class="programlisting">
-#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
-
-typedef struct lwres_addr lwres_addr_t;
-typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint32_t addrtypes;
- lwres_uint16_t namelen;
- char *name;
-} lwres_gabnrequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-</pre>
-<p>
-</p>
-<p>
-<code class="function">lwres_gabnrequest_render()</code>
-uses resolver context
-<em class="parameter"><code>ctx</code></em>
-to convert getaddrbyname request structure
-<em class="parameter"><code>req</code></em>
-to canonical format.
-The packet header structure
-<em class="parameter"><code>pkt</code></em>
-is initialised and transferred to
-buffer
-<em class="parameter"><code>b</code></em>.
-
-The contents of
-<em class="parameter"><code>*req</code></em>
-are then appended to the buffer in canonical format.
-<code class="function">lwres_gabnresponse_render()</code>
-performs the same task, except it converts a getaddrbyname response structure
-<span class="type">lwres_gabnresponse_t</span>
-to the lightweight resolver's canonical format.
-</p>
-<p>
-<code class="function">lwres_gabnrequest_parse()</code>
-uses context
-<em class="parameter"><code>ctx</code></em>
-to convert the contents of packet
-<em class="parameter"><code>pkt</code></em>
-to a
-<span class="type">lwres_gabnrequest_t</span>
-structure.
-Buffer
-<em class="parameter"><code>b</code></em>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<span class="type">lwres_gabnrequest_t</span>
-is made available through
-<em class="parameter"><code>*structp</code></em>.
-
-<code class="function">lwres_gabnresponse_parse()</code>
-offers the same semantics as
-<code class="function">lwres_gabnrequest_parse()</code>
-except it yields a
-<span class="type">lwres_gabnresponse_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_gabnresponse_free()</code>
-and
-<code class="function">lwres_gabnrequest_free()</code>
-release the memory in resolver context
-<em class="parameter"><code>ctx</code></em>
-that was allocated to the
-<span class="type">lwres_gabnresponse_t</span>
-or
-<span class="type">lwres_gabnrequest_t</span>
-structures referenced via
-<em class="parameter"><code>structp</code></em>.
-
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526155"></a><h2>RETURN VALUES</h2>
-<p>
-The getaddrbyname opcode functions
-<code class="function">lwres_gabnrequest_render()</code>,
-<code class="function">lwres_gabnresponse_render()</code>
-<code class="function">lwres_gabnrequest_parse()</code>
-and
-<code class="function">lwres_gabnresponse_parse()</code>
-all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success.
-They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-is returned if the available space in the buffer
-<em class="parameter"><code>b</code></em>
-is too small to accommodate the packet header or the
-<span class="type">lwres_gabnrequest_t</span>
-and
-<span class="type">lwres_gabnresponse_t</span>
-structures.
-<code class="function">lwres_gabnrequest_parse()</code>
-and
-<code class="function">lwres_gabnresponse_parse()</code>
-will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<em class="structfield"><code>pktflags</code></em>
-in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526220"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
-)</span>
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3 b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
deleted file mode 100644
index 388c59e0f1ef..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
+++ /dev/null
@@ -1,99 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.5 2005/10/13 02:33:52 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-gai_strerror \- print suitable error string
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 20
-\fBchar\ *\ \fBgai_strerror\fR\fR\fB(\fR\fBint\ ecode\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-\fBlwres_gai_strerror()\fR
-returns an error message corresponding to an error code returned by
-\fBgetaddrinfo()\fR. The following error codes and their meaning are defined in
-\fIinclude/lwres/netdb.h\fR.
-.TP
-\fBEAI_ADDRFAMILY\fR
-address family for hostname not supported
-.TP
-\fBEAI_AGAIN\fR
-temporary failure in name resolution
-.TP
-\fBEAI_BADFLAGS\fR
-invalid value for
-\fBai_flags\fR
-.TP
-\fBEAI_FAIL\fR
-non\-recoverable failure in name resolution
-.TP
-\fBEAI_FAMILY\fR
-\fBai_family\fR
-not supported
-.TP
-\fBEAI_MEMORY\fR
-memory allocation failure
-.TP
-\fBEAI_NODATA\fR
-no address associated with hostname
-.TP
-\fBEAI_NONAME\fR
-hostname or servname not provided, or not known
-.TP
-\fBEAI_SERVICE\fR
-servname not supported for
-\fBai_socktype\fR
-.TP
-\fBEAI_SOCKTYPE\fR
-\fBai_socktype\fR
-not supported
-.TP
-\fBEAI_SYSTEM\fR
-system error returned in errno
-The message
-invalid error code
-is returned if
-\fIecode\fR
-is out of range.
-.PP
-\fBai_flags\fR,
-\fBai_family\fR
-and
-\fBai_socktype\fR
-are elements of the
-\fBstruct addrinfo\fR
-used by
-\fBlwres_getaddrinfo()\fR.
-.SH "SEE ALSO"
-.PP
-\fBstrerror\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBgetaddrinfo\fR(3),
-\fBRFC2133\fR().
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
deleted file mode 100644
index f34836d2a2c4..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
+++ /dev/null
@@ -1,177 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gai_strerror.docbook,v 1.3.206.3 2005/05/12 21:36:13 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Jun 30, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_gai_strerror</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>gai_strerror</refname>
-<refpurpose>print suitable error string</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-char *
-<function>gai_strerror</function></funcdef>
-<paramdef>int ecode</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_gai_strerror()</function>
-returns an error message corresponding to an error code returned by
-<function>getaddrinfo()</function>.
-The following error codes and their meaning are defined in
-<filename>include/lwres/netdb.h</filename>.
-<variablelist>
-<varlistentry><term><errorcode>EAI_ADDRFAMILY</errorcode></term>
-<listitem>
-<para>
-address family for hostname not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_AGAIN</errorcode></term>
-<listitem>
-<para>
-temporary failure in name resolution
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_BADFLAGS</errorcode></term>
-<listitem>
-<para>
-invalid value for
-<constant>ai_flags</constant>
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_FAIL</errorcode></term>
-<listitem>
-<para>
-non-recoverable failure in name resolution
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_FAMILY</errorcode></term>
-<listitem>
-<para>
-<constant>ai_family</constant> not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_MEMORY</errorcode></term>
-<listitem>
-<para>
-memory allocation failure
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_NODATA</errorcode></term>
-<listitem>
-<para>
-no address associated with hostname
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_NONAME</errorcode></term>
-<listitem>
-<para>
-hostname or servname not provided, or not known
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SERVICE</errorcode></term>
-<listitem>
-<para>
-servname not supported for <constant>ai_socktype</constant>
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SOCKTYPE</errorcode></term>
-<listitem>
-<para>
-<constant>ai_socktype</constant> not supported
-</para>
-</listitem></varlistentry>
-<varlistentry><term><errorcode>EAI_SYSTEM</errorcode></term>
-<listitem>
-<para>
-system error returned in errno
-</para>
-</listitem></varlistentry>
-</variablelist>
-The message <errorname>invalid error code</errorname> is returned if
-<parameter>ecode</parameter>
-is out of range.
-</para>
-<para>
-<constant>ai_flags</constant>,
-<constant>ai_family</constant>
-and
-<constant>ai_socktype</constant>
-are elements of the
-<type>struct addrinfo</type>
-used by
-<function>lwres_getaddrinfo()</function>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
deleted file mode 100644
index 5506564197e3..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
+++ /dev/null
@@ -1,124 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_gai_strerror.html,v 1.5.2.1.4.9 2005/10/13 02:33:55 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gai_strerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>gai_strerror &#8212; print suitable error string</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<p><code class="funcdef">
-char *
-<b class="fsfunc">gai_strerror</b>(</code>int ecode<code>)</code>;</p>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525843"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_gai_strerror()</code>
-returns an error message corresponding to an error code returned by
-<code class="function">getaddrinfo()</code>.
-The following error codes and their meaning are defined in
-<code class="filename">include/lwres/netdb.h</code>.
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span class="errorcode">EAI_ADDRFAMILY</span></span></dt>
-<dd><p>
-address family for hostname not supported
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_AGAIN</span></span></dt>
-<dd><p>
-temporary failure in name resolution
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_BADFLAGS</span></span></dt>
-<dd><p>
-invalid value for
-<code class="constant">ai_flags</code>
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_FAIL</span></span></dt>
-<dd><p>
-non-recoverable failure in name resolution
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_FAMILY</span></span></dt>
-<dd><p>
-<code class="constant">ai_family</code> not supported
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_MEMORY</span></span></dt>
-<dd><p>
-memory allocation failure
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_NODATA</span></span></dt>
-<dd><p>
-no address associated with hostname
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_NONAME</span></span></dt>
-<dd><p>
-hostname or servname not provided, or not known
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SERVICE</span></span></dt>
-<dd><p>
-servname not supported for <code class="constant">ai_socktype</code>
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SOCKTYPE</span></span></dt>
-<dd><p>
-<code class="constant">ai_socktype</code> not supported
-</p></dd>
-<dt><span class="term"><span class="errorcode">EAI_SYSTEM</span></span></dt>
-<dd><p>
-system error returned in errno
-</p></dd>
-</dl></div>
-<p>
-The message <span class="errorname">invalid error code</span> is returned if
-<em class="parameter"><code>ecode</code></em>
-is out of range.
-</p>
-<p>
-<code class="constant">ai_flags</code>,
-<code class="constant">ai_family</code>
-and
-<code class="constant">ai_socktype</code>
-are elements of the
-<span class="type">struct addrinfo</span>
-used by
-<code class="function">lwres_getaddrinfo()</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526040"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">strerror</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">getaddrinfo</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
deleted file mode 100644
index df1390a95ebe..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
+++ /dev/null
@@ -1,227 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.6 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 22
-\fBint\ \fBlwres_getaddrinfo\fR\fR\fB(\fR\fBconst\ char\ *hostname\fR\fB, \fR\fBconst\ char\ *servname\fR\fB, \fR\fBconst\ struct\ addrinfo\ *hints\fR\fB, \fR\fBstruct\ addrinfo\ **res\fR\fB);\fR
-.HP 24
-\fBvoid\ \fBlwres_freeaddrinfo\fR\fR\fB(\fR\fBstruct\ addrinfo\ *ai\fR\fB);\fR
-.PP
-If the operating system does not provide a
-\fBstruct addrinfo\fR, the following structure is used:
-.sp
-.nf
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-.fi
-.sp
-.SH "DESCRIPTION"
-.PP
-\fBlwres_getaddrinfo()\fR
-is used to get a list of IP addresses and port numbers for host
-\fIhostname\fR
-and service
-\fIservname\fR. The function is the lightweight resolver's implementation of
-\fBgetaddrinfo()\fR
-as defined in RFC2133.
-\fIhostname\fR
-and
-\fIservname\fR
-are pointers to null\-terminated strings or
-\fBNULL\fR.
-\fIhostname\fR
-is either a host name or a numeric host address string: a dotted decimal IPv4 address or an IPv6 address.
-\fIservname\fR
-is either a decimal port number or a service name as listed in
-\fI/etc/services\fR.
-.PP
-\fIhints\fR
-is an optional pointer to a
-\fBstruct addrinfo\fR. This structure can be used to provide hints concerning the type of socket that the caller supports or wishes to use. The caller can supply the following structure elements in
-\fI*hints\fR:
-.TP
-\fBai_family\fR
-The protocol family that should be used. When
-\fBai_family\fR
-is set to
-\fBPF_UNSPEC\fR, it means the caller will accept any protocol family supported by the operating system.
-.TP
-\fBai_socktype\fR
-denotes the type of socket \(em
-\fBSOCK_STREAM\fR,
-\fBSOCK_DGRAM\fR
-or
-\fBSOCK_RAW\fR
-\(em that is wanted. When
-\fBai_socktype\fR
-is zero the caller will accept any socket type.
-.TP
-\fBai_protocol\fR
-indicates which transport protocol is wanted: IPPROTO_UDP or IPPROTO_TCP. If
-\fBai_protocol\fR
-is zero the caller will accept any protocol.
-.TP
-\fBai_flags\fR
-Flag bits. If the
-\fBAI_CANONNAME\fR
-bit is set, a successful call to
-\fBlwres_getaddrinfo()\fR
-will return a null\-terminated string containing the canonical name of the specified hostname in
-\fBai_canonname\fR
-of the first
-\fBaddrinfo\fR
-structure returned. Setting the
-\fBAI_PASSIVE\fR
-bit indicates that the returned socket address structure is intended for used in a call to
-\fBbind\fR(2). In this case, if the hostname argument is a
-\fBNULL\fR
-pointer, then the IP address portion of the socket address structure will be set to
-\fBINADDR_ANY\fR
-for an IPv4 address or
-\fBIN6ADDR_ANY_INIT\fR
-for an IPv6 address.
-.sp
-When
-\fBai_flags\fR
-does not set the
-\fBAI_PASSIVE\fR
-bit, the returned socket address structure will be ready for use in a call to
-\fBconnect\fR(2 )
-for a connection\-oriented protocol or
-\fBconnect\fR(2),
-\fBsendto\fR(2), or
-\fBsendmsg\fR(2 )
-if a connectionless protocol was chosen. The IP address portion of the socket address structure will be set to the loopback address if
-\fIhostname\fR
-is a
-\fBNULL\fR
-pointer and
-\fBAI_PASSIVE\fR
-is not set in
-\fBai_flags\fR.
-.sp
-If
-\fBai_flags\fR
-is set to
-\fBAI_NUMERICHOST\fR
-it indicates that
-\fIhostname\fR
-should be treated as a numeric string defining an IPv4 or IPv6 address and no name resolution should be attempted.
-.PP
-All other elements of the
-\fBstruct addrinfo\fR
-passed via
-\fIhints\fR
-must be zero.
-.PP
-A
-\fIhints\fR
-of
-\fBNULL\fR
-is treated as if the caller provided a
-\fBstruct addrinfo\fR
-initialized to zero with
-\fBai_family\fRset to
-\fBPF_UNSPEC\fR.
-.PP
-After a successful call to
-\fBlwres_getaddrinfo()\fR,
-\fI*res\fR
-is a pointer to a linked list of one or more
-\fBaddrinfo\fR
-structures. Each
-\fBstruct addrinfo\fR
-in this list cn be processed by following the
-\fBai_next\fR
-pointer, until a
-\fBNULL\fR
-pointer is encountered. The three members
-\fBai_family\fR,
-\fBai_socktype\fR, and
-\fBai_protocol\fR
-in each returned
-\fBaddrinfo\fR
-structure contain the corresponding arguments for a call to
-\fBsocket\fR(2). For each
-\fBaddrinfo\fR
-structure in the list, the
-\fBai_addr\fR
-member points to a filled\-in socket address structure of length
-\fBai_addrlen\fR.
-.PP
-All of the information returned by
-\fBlwres_getaddrinfo()\fR
-is dynamically allocated: the addrinfo structures, and the socket address structures and canonical host name strings pointed to by the
-\fBaddrinfo\fRstructures. Memory allocated for the dynamically allocated structures created by a successful call to
-\fBlwres_getaddrinfo()\fR
-is released by
-\fBlwres_freeaddrinfo()\fR.
-\fIai\fR
-is a pointer to a
-\fBstruct addrinfo\fR
-created by a call to
-\fBlwres_getaddrinfo()\fR.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getaddrinfo()\fR
-returns zero on success or one of the error codes listed in
-\fBgai_strerror\fR(3 )
-if an error occurs. If both
-\fIhostname\fR
-and
-\fIservname\fR
-are
-\fBNULL\fR\fBlwres_getaddrinfo()\fR
-returns
-\fBEAI_NONAME\fR.
-.SH "SEE ALSO"
-.PP
-\fBlwres\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBlwres_freeaddrinfo\fR(3),
-\fBlwres_gai_strerror\fR(3),
-\fBRFC2133\fR(),
-\fBgetservbyname\fR(3),
-\fBbind\fR(2),
-\fBconnect\fR(2),
-\fBsendto\fR(2),
-\fBsendmsg\fR(2),
-\fBsocket\fR(2).
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
deleted file mode 100644
index 190721923b11..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
+++ /dev/null
@@ -1,388 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.5.206.4 2005/05/12 21:36:14 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_getaddrinfo</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_getaddrinfo</refname>
-<refname>lwres_freeaddrinfo</refname>
-<refpurpose>socket address structure to host and service name</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-int
-<function>lwres_getaddrinfo</function></funcdef>
-<paramdef>const char *hostname</paramdef>
-<paramdef>const char *servname</paramdef>
-<paramdef>const struct addrinfo *hints</paramdef>
-<paramdef>struct addrinfo **res</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_freeaddrinfo</function></funcdef>
-<paramdef>struct addrinfo *ai</paramdef>
-</funcprototype>
-</funcsynopsis>
-
-<para>
-If the operating system does not provide a
-<type>struct addrinfo</type>,
-the following structure is used:
-
-<programlisting>
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-</programlisting>
-</para>
-
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_getaddrinfo()</function>
-is used to get a list of IP addresses and port numbers for host
-<parameter>hostname</parameter>
-and service
-<parameter>servname</parameter>.
-
-The function is the lightweight resolver's implementation of
-<function>getaddrinfo()</function>
-as defined in RFC2133.
-<parameter>hostname</parameter>
-and
-<parameter>servname</parameter>
-are pointers to null-terminated
-strings or
-<type>NULL</type>.
-
-<parameter>hostname</parameter>
-is either a host name or a numeric host address string: a dotted decimal
-IPv4 address or an IPv6 address.
-<parameter>servname</parameter>
-is either a decimal port number or a service name as listed in
-<filename>/etc/services</filename>.
-</para>
-
-<para>
-<parameter>hints</parameter>
-is an optional pointer to a
-<type>struct addrinfo</type>.
-This structure can be used to provide hints concerning the type of socket
-that the caller supports or wishes to use.
-The caller can supply the following structure elements in
-<parameter>*hints</parameter>:
-
-<variablelist>
-<varlistentry><term><constant>ai_family</constant></term>
-<listitem>
-<para>The protocol family that should be used.
-When
-<constant>ai_family</constant>
-is set to
-<type>PF_UNSPEC</type>,
-it means the caller will accept any protocol family supported by the
-operating system.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>ai_socktype</constant></term>
-<listitem>
-<para>
-denotes the type of socket &mdash;
-<type>SOCK_STREAM</type>,
-<type>SOCK_DGRAM</type>
-or
-<type>SOCK_RAW</type>
-&mdash; that is wanted.
-When
-<constant>ai_socktype</constant>
-is zero the caller will accept any socket type.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry><term><constant>ai_protocol</constant></term>
-<listitem>
-<para>
-indicates which transport protocol is wanted: IPPROTO_UDP or
-IPPROTO_TCP.
-If
-<constant>ai_protocol</constant>
-is zero the caller will accept any protocol.
-</para>
-</listitem>
-</varlistentry>
-<varlistentry><term><constant>ai_flags</constant></term>
-<listitem>
-<para>
-Flag bits.
-If the
-<type>AI_CANONNAME</type>
-bit is set, a successful call to
-<function>lwres_getaddrinfo()</function>
-will return a null-terminated string containing the canonical name
-of the specified hostname in
-<constant>ai_canonname</constant>
-of the first
-<type>addrinfo</type>
-structure returned.
-Setting the
-<type>AI_PASSIVE</type>
-bit indicates that the returned socket address structure is intended
-for used in a call to
-<citerefentry>
-<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-
-In this case, if the hostname argument is a
-<type>NULL</type>
-pointer, then the IP address portion of the socket
-address structure will be set to
-<type>INADDR_ANY</type>
-for an IPv4 address or
-<type>IN6ADDR_ANY_INIT</type>
-for an IPv6 address.
-</para>
-<para>
-When
-<constant>ai_flags</constant>
-does not set the
-<type>AI_PASSIVE</type>
-bit, the returned socket address structure will be ready
-for use in a call to
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2
-</manvolnum>
-</citerefentry>
-for a connection-oriented protocol or
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-or
-<citerefentry>
-<refentrytitle>sendmsg</refentrytitle><manvolnum>2
-</manvolnum>
-</citerefentry>
-if a connectionless protocol was chosen.
-The IP address portion of the socket address structure will be
-set to the loopback address if
-<parameter>hostname</parameter>
-is a
-<type>NULL</type>
-pointer and
-<type>AI_PASSIVE</type>
-is not set in
-<constant>ai_flags</constant>.
-</para>
-<para>
-If
-<constant>ai_flags</constant>
-is set to
-<type>AI_NUMERICHOST</type>
-it indicates that
-<parameter>hostname</parameter>
-should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.
-</para>
-</listitem>
-</varlistentry>
-</variablelist>
-</para>
-
-<para>
-All other elements of the <type>struct addrinfo</type> passed
-via <parameter>hints</parameter> must be zero.
-</para>
-
-<para>
-A <parameter>hints</parameter> of <type>NULL</type> is treated as if
-the caller provided a <type>struct addrinfo</type> initialized to zero
-with <constant>ai_family</constant>set to
-<constant>PF_UNSPEC</constant>.
-</para>
-
-<para>
-After a successful call to
-<function>lwres_getaddrinfo()</function>,
-<parameter>*res</parameter>
-is a pointer to a linked list of one or more
-<type>addrinfo</type>
-structures.
-Each
-<type>struct addrinfo</type>
-in this list cn be processed by following
-the
-<constant>ai_next</constant>
-pointer, until a
-<type>NULL</type>
-pointer is encountered.
-The three members
-<constant>ai_family</constant>,
-<constant>ai_socktype</constant>,
-and
-<constant>ai_protocol</constant>
-in each
-returned
-<type>addrinfo</type>
-structure contain the corresponding arguments for a call to
-<citerefentry>
-<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-For each
-<type>addrinfo</type>
-structure in the list, the
-<constant>ai_addr</constant>
-member points to a filled-in socket address structure of length
-<constant>ai_addrlen</constant>.
-</para>
-
-<para>
-All of the information returned by
-<function>lwres_getaddrinfo()</function>
-is dynamically allocated: the addrinfo structures, and the socket
-address structures and canonical host name strings pointed to by the
-<constant>addrinfo</constant>structures.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<function>lwres_getaddrinfo()</function>
-is released by
-<function>lwres_freeaddrinfo()</function>.
-<parameter>ai</parameter>
-is a pointer to a
-<type>struct addrinfo</type>
-created by a call to
-<function>lwres_getaddrinfo()</function>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getaddrinfo()</function>
-returns zero on success or one of the error codes listed in
-<citerefentry>
-<refentrytitle>gai_strerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-if an error occurs.
-If both
-<parameter>hostname</parameter>
-and
-<parameter>servname</parameter>
-are
-<type>NULL</type>
-<function>lwres_getaddrinfo()</function>
-returns
-<errorcode>EAI_NONAME</errorcode>.
-
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_freeaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gai_strerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>getservbyname</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
deleted file mode 100644
index bc84e74f5c33..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
+++ /dev/null
@@ -1,333 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_getaddrinfo.html,v 1.8.2.1.4.10 2005/10/13 02:33:56 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getaddrinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getaddrinfo, lwres_freeaddrinfo &#8212; socket address structure to host and service name</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getaddrinfo</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freeaddrinfo</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-<p>
-If the operating system does not provide a
-<span class="type">struct addrinfo</span>,
-the following structure is used:
-
-</p>
-<pre class="programlisting">
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /* SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-</pre>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525883"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_getaddrinfo()</code>
-is used to get a list of IP addresses and port numbers for host
-<em class="parameter"><code>hostname</code></em>
-and service
-<em class="parameter"><code>servname</code></em>.
-
-The function is the lightweight resolver's implementation of
-<code class="function">getaddrinfo()</code>
-as defined in RFC2133.
-<em class="parameter"><code>hostname</code></em>
-and
-<em class="parameter"><code>servname</code></em>
-are pointers to null-terminated
-strings or
-<span class="type">NULL</span>.
-
-<em class="parameter"><code>hostname</code></em>
-is either a host name or a numeric host address string: a dotted decimal
-IPv4 address or an IPv6 address.
-<em class="parameter"><code>servname</code></em>
-is either a decimal port number or a service name as listed in
-<code class="filename">/etc/services</code>.
-</p>
-<p>
-<em class="parameter"><code>hints</code></em>
-is an optional pointer to a
-<span class="type">struct addrinfo</span>.
-This structure can be used to provide hints concerning the type of socket
-that the caller supports or wishes to use.
-The caller can supply the following structure elements in
-<em class="parameter"><code>*hints</code></em>:
-
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">ai_family</code></span></dt>
-<dd><p>The protocol family that should be used.
-When
-<code class="constant">ai_family</code>
-is set to
-<span class="type">PF_UNSPEC</span>,
-it means the caller will accept any protocol family supported by the
-operating system.
-</p></dd>
-<dt><span class="term"><code class="constant">ai_socktype</code></span></dt>
-<dd><p>
-denotes the type of socket &#8212;
-<span class="type">SOCK_STREAM</span>,
-<span class="type">SOCK_DGRAM</span>
-or
-<span class="type">SOCK_RAW</span>
-&#8212; that is wanted.
-When
-<code class="constant">ai_socktype</code>
-is zero the caller will accept any socket type.
-</p></dd>
-<dt><span class="term"><code class="constant">ai_protocol</code></span></dt>
-<dd><p>
-indicates which transport protocol is wanted: IPPROTO_UDP or
-IPPROTO_TCP.
-If
-<code class="constant">ai_protocol</code>
-is zero the caller will accept any protocol.
-</p></dd>
-<dt><span class="term"><code class="constant">ai_flags</code></span></dt>
-<dd>
-<p>
-Flag bits.
-If the
-<span class="type">AI_CANONNAME</span>
-bit is set, a successful call to
-<code class="function">lwres_getaddrinfo()</code>
-will return a null-terminated string containing the canonical name
-of the specified hostname in
-<code class="constant">ai_canonname</code>
-of the first
-<span class="type">addrinfo</span>
-structure returned.
-Setting the
-<span class="type">AI_PASSIVE</span>
-bit indicates that the returned socket address structure is intended
-for used in a call to
-<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>.
-
-In this case, if the hostname argument is a
-<span class="type">NULL</span>
-pointer, then the IP address portion of the socket
-address structure will be set to
-<span class="type">INADDR_ANY</span>
-for an IPv4 address or
-<span class="type">IN6ADDR_ANY_INIT</span>
-for an IPv6 address.
-</p>
-<p>
-When
-<code class="constant">ai_flags</code>
-does not set the
-<span class="type">AI_PASSIVE</span>
-bit, the returned socket address structure will be ready
-for use in a call to
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2
-)</span>
-for a connection-oriented protocol or
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
-
-or
-<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2
-)</span>
-if a connectionless protocol was chosen.
-The IP address portion of the socket address structure will be
-set to the loopback address if
-<em class="parameter"><code>hostname</code></em>
-is a
-<span class="type">NULL</span>
-pointer and
-<span class="type">AI_PASSIVE</span>
-is not set in
-<code class="constant">ai_flags</code>.
-</p>
-<p>
-If
-<code class="constant">ai_flags</code>
-is set to
-<span class="type">AI_NUMERICHOST</span>
-it indicates that
-<em class="parameter"><code>hostname</code></em>
-should be treated as a numeric string defining an IPv4 or IPv6 address
-and no name resolution should be attempted.
-</p>
-</dd>
-</dl></div>
-<p>
-</p>
-<p>
-All other elements of the <span class="type">struct addrinfo</span> passed
-via <em class="parameter"><code>hints</code></em> must be zero.
-</p>
-<p>
-A <em class="parameter"><code>hints</code></em> of <span class="type">NULL</span> is treated as if
-the caller provided a <span class="type">struct addrinfo</span> initialized to zero
-with <code class="constant">ai_family</code>set to
-<code class="constant">PF_UNSPEC</code>.
-</p>
-<p>
-After a successful call to
-<code class="function">lwres_getaddrinfo()</code>,
-<em class="parameter"><code>*res</code></em>
-is a pointer to a linked list of one or more
-<span class="type">addrinfo</span>
-structures.
-Each
-<span class="type">struct addrinfo</span>
-in this list cn be processed by following
-the
-<code class="constant">ai_next</code>
-pointer, until a
-<span class="type">NULL</span>
-pointer is encountered.
-The three members
-<code class="constant">ai_family</code>,
-<code class="constant">ai_socktype</code>,
-and
-<code class="constant">ai_protocol</code>
-in each
-returned
-<span class="type">addrinfo</span>
-structure contain the corresponding arguments for a call to
-<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
-For each
-<span class="type">addrinfo</span>
-structure in the list, the
-<code class="constant">ai_addr</code>
-member points to a filled-in socket address structure of length
-<code class="constant">ai_addrlen</code>.
-</p>
-<p>
-All of the information returned by
-<code class="function">lwres_getaddrinfo()</code>
-is dynamically allocated: the addrinfo structures, and the socket
-address structures and canonical host name strings pointed to by the
-<code class="constant">addrinfo</code>structures.
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<code class="function">lwres_getaddrinfo()</code>
-is released by
-<code class="function">lwres_freeaddrinfo()</code>.
-<em class="parameter"><code>ai</code></em>
-is a pointer to a
-<span class="type">struct addrinfo</span>
-created by a call to
-<code class="function">lwres_getaddrinfo()</code>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526309"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getaddrinfo()</code>
-returns zero on success or one of the error codes listed in
-<span class="citerefentry"><span class="refentrytitle">gai_strerror</span>(3
-)</span>
-if an error occurs.
-If both
-<em class="parameter"><code>hostname</code></em>
-and
-<em class="parameter"><code>servname</code></em>
-are
-<span class="type">NULL</span>
-<code class="function">lwres_getaddrinfo()</code>
-returns
-<span class="errorcode">EAI_NONAME</span>.
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526347"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_freeaddrinfo</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_gai_strerror</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
-
-<span class="citerefentry"><span class="refentrytitle">getservbyname</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">bind</span>(2)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">connect</span>(2)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">sendto</span>(2)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">sendmsg</span>(2)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">socket</span>(2)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.3 b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
deleted file mode 100644
index 99dc5338e58a..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.3
+++ /dev/null
@@ -1,288 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.5 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 37
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB);\fR
-.HP 38
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname2\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBint\ af\fR\fB);\fR
-.HP 37
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr\fR\fR\fB(\fR\fBconst\ char\ *addr\fR\fB, \fR\fBint\ len\fR\fB, \fR\fBint\ type\fR\fB);\fR
-.HP 34
-\fBstruct\ hostent\ *\ \fBlwres_gethostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
-.HP 22
-\fBvoid\ \fBlwres_sethostent\fR\fR\fB(\fR\fBint\ stayopen\fR\fB);\fR
-.HP 22
-\fBvoid\ \fBlwres_endhostent\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
-.HP 39
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyname_r\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
-.HP 39
-\fBstruct\ hostent\ *\ \fBlwres_gethostbyaddr_r\fR\fR\fB(\fR\fBconst\ char\ *addr\fR\fB, \fR\fBint\ len\fR\fB, \fR\fBint\ type\fR\fB, \fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
-.HP 36
-\fBstruct\ hostent\ *\ \fBlwres_gethostent_r\fR\fR\fB(\fR\fBstruct\ hostent\ *resbuf\fR\fB, \fR\fBchar\ *buf\fR\fB, \fR\fBint\ buflen\fR\fB, \fR\fBint\ *error\fR\fB);\fR
-.HP 24
-\fBvoid\ \fBlwres_sethostent_r\fR\fR\fB(\fR\fBint\ stayopen\fR\fB);\fR
-.HP 24
-\fBvoid\ \fBlwres_endhostent_r\fR\fR\fB(\fR\fBvoid\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-These functions provide hostname\-to\-address and address\-to\-hostname lookups by means of the lightweight resolver. They are similar to the standard
-\fBgethostent\fR(3 )
-functions provided by most operating systems. They use a
-\fBstruct hostent\fR
-which is usually defined in
-\fI<namedb.h>\fR.
-.sp
-.nf
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-.fi
-.sp
-.PP
-The members of this structure are:
-.TP
-\fBh_name\fR
-The official (canonical) name of the host.
-.TP
-\fBh_aliases\fR
-A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP
-\fBh_addrtype\fR
-The type of address being returned \(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.TP
-\fBh_length\fR
-The length of the address in bytes.
-.TP
-\fBh_addr_list\fR
-A
-\fBNULL\fR
-terminated array of network addresses for the host. Host addresses are returned in network byte order.
-.PP
-For backward compatibility with very old software,
-\fBh_addr\fR
-is the first address in
-\fBh_addr_list.\fR
-.PP
-\fBlwres_gethostent()\fR,
-\fBlwres_sethostent()\fR,
-\fBlwres_endhostent()\fR,
-\fBlwres_gethostent_r()\fR,
-\fBlwres_sethostent_r()\fR
-and
-\fBlwres_endhostent_r()\fR
-provide iteration over the known host entries on systems that provide such functionality through facilities like
-\fI/etc/hosts\fR
-or NIS. The lightweight resolver does not currently implement these functions; it only provides them as stub functions that always return failure.
-.PP
-\fBlwres_gethostbyname()\fR
-and
-\fBlwres_gethostbyname2()\fR
-look up the hostname
-\fIname\fR.
-\fBlwres_gethostbyname()\fR
-always looks for an IPv4 address while
-\fBlwres_gethostbyname2()\fR
-looks for an address of protocol family
-\fIaf\fR: either
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR
-\(em IPv4 or IPV6 addresses respectively. Successful calls of the functions return a
-\fBstruct hostent\fRfor the name that was looked up.
-\fBNULL\fR
-is returned if the lookups by
-\fBlwres_gethostbyname()\fR
-or
-\fBlwres_gethostbyname2()\fR
-fail.
-.PP
-Reverse lookups of addresses are performed by
-\fBlwres_gethostbyaddr()\fR.
-\fIaddr\fR
-is an address of length
-\fIlen\fR
-bytes and protocol family
-\fItype\fR
-\(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-\fBlwres_gethostbyname_r()\fR
-is a thread\-safe function for forward lookups. If an error occurs, an error code is returned in
-\fI*error\fR.
-\fIresbuf\fR
-is a pointer to a
-\fBstruct hostent\fR
-which is initialised by a successful call to
-\fBlwres_gethostbyname_r()\fR
-.
-\fIbuf\fR
-is a buffer of length
-\fIlen\fR
-bytes which is used to store the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR
-returned in
-\fIresbuf\fR. Successful calls to
-\fBlwres_gethostbyname_r()\fR
-return
-\fIresbuf\fR, which is a pointer to the
-\fBstruct hostent\fR
-it created.
-.PP
-\fBlwres_gethostbyaddr_r()\fR
-is a thread\-safe function that performs a reverse lookup of address
-\fIaddr\fR
-which is
-\fIlen\fR
-bytes long and is of protocol family
-\fItype\fR
-\(em
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR. If an error occurs, the error code is returned in
-\fI*error\fR. The other function parameters are identical to those in
-\fBlwres_gethostbyname_r()\fR.
-\fIresbuf\fR
-is a pointer to a
-\fBstruct hostent\fR
-which is initialised by a successful call to
-\fBlwres_gethostbyaddr_r()\fR.
-\fIbuf\fR
-is a buffer of length
-\fIlen\fR
-bytes which is used to store the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR
-returned in
-\fIresbuf\fR. Successful calls to
-\fBlwres_gethostbyaddr_r()\fR
-return
-\fIresbuf\fR, which is a pointer to the
-\fBstruct hostent()\fR
-it created.
-.SH "RETURN VALUES"
-.PP
-The functions
-\fBlwres_gethostbyname()\fR,
-\fBlwres_gethostbyname2()\fR,
-\fBlwres_gethostbyaddr()\fR, and
-\fBlwres_gethostent()\fR
-return NULL to indicate an error. In this case the global variable
-\fBlwres_h_errno\fR
-will contain one of the following error codes defined in
-\fI<lwres/netdb.h>\fR:
-.TP
-\fBHOST_NOT_FOUND\fR
-The host or address was not found.
-.TP
-\fBTRY_AGAIN\fR
-A recoverable error occurred, e.g., a timeout. Retrying the lookup may succeed.
-.TP
-\fBNO_RECOVERY\fR
-A non\-recoverable error occurred.
-.TP
-\fBNO_DATA\fR
-The name exists, but has no address information associated with it (or vice versa in the case of a reverse lookup). The code NO_ADDRESS is accepted as a synonym for NO_DATA for backwards compatibility.
-.PP
-\fBlwres_hstrerror\fR(3 )
-translates these error codes to suitable error messages.
-.PP
-\fBlwres_gethostent()\fR
-and
-\fBlwres_gethostent_r()\fR
-always return
-\fBNULL\fR.
-.PP
-Successful calls to
-\fBlwres_gethostbyname_r()\fR
-and
-\fBlwres_gethostbyaddr_r()\fR
-return
-\fIresbuf\fR, a pointer to the
-\fBstruct hostent\fR
-that was initialised by these functions. They return
-\fBNULL\fR
-if the lookups fail or if
-\fIbuf\fR
-was too small to hold the list of addresses and names referenced by the
-\fBh_name\fR,
-\fBh_aliases\fR, and
-\fBh_addr_list\fR
-elements of the
-\fBstruct hostent\fR. If
-\fIbuf\fR
-was too small, both
-\fBlwres_gethostbyname_r()\fR
-and
-\fBlwres_gethostbyaddr_r()\fR
-set the global variable
-\fBerrno\fR
-to
-\fBERANGE\fR.
-.SH "SEE ALSO"
-.PP
-\fBgethostent\fR(3),
-\fBlwres_getipnode\fR(3),
-\fBlwres_hstrerror\fR(3 )
-.SH "BUGS"
-.PP
-\fBlwres_gethostbyname()\fR,
-\fBlwres_gethostbyname2()\fR,
-\fBlwres_gethostbyaddr()\fR
-and
-\fBlwres_endhostent()\fR
-are not thread safe; they return pointers to static data and provide error codes through a global variable. Thread\-safe versions for name and address lookup are provided by
-\fBlwres_gethostbyname_r()\fR, and
-\fBlwres_gethostbyaddr_r()\fR
-respectively.
-.PP
-The resolver daemon does not currently support any non\-DNS name services such as
-\fI/etc/hosts\fR
-or
-\fBNIS\fR, consequently the above functions don't, either.
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
deleted file mode 100644
index 9f92d3b3134c..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
+++ /dev/null
@@ -1,421 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gethostent.docbook,v 1.5.206.3 2005/05/13 01:22:36 marka Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_gethostent</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_gethostbyname</refname>
-<refname>lwres_gethostbyname2</refname>
-<refname>lwres_gethostbyaddr</refname>
-<refname>lwres_gethostent</refname>
-<refname>lwres_sethostent</refname>
-<refname>lwres_endhostent</refname>
-<refname>lwres_gethostbyname_r</refname>
-<refname>lwres_gethostbyaddr_r</refname>
-<refname>lwres_gethostent_r</refname>
-<refname>lwres_sethostent_r</refname>
-<refname>lwres_endhostent_r</refname>
-<refpurpose>lightweight resolver get network host entry</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyname</function></funcdef>
-<paramdef>const char *name</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyname2</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>int af</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyaddr</function></funcdef>
-<paramdef>const char *addr</paramdef>
-<paramdef>int len</paramdef>
-<paramdef>int type</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostent</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_sethostent</function></funcdef>
-<paramdef>int stayopen</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_endhostent</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyname_r</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostbyaddr_r</function></funcdef>
-<paramdef>const char *addr</paramdef>
-<paramdef>int len</paramdef>
-<paramdef>int type</paramdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_gethostent_r</function></funcdef>
-<paramdef>struct hostent *resbuf</paramdef>
-<paramdef>char *buf</paramdef>
-<paramdef>int buflen</paramdef>
-<paramdef>int *error</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_sethostent_r</function></funcdef>
-<paramdef>int stayopen</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_endhostent_r</function></funcdef>
-<paramdef>void</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These functions provide hostname-to-address and
-address-to-hostname lookups by means of the lightweight resolver.
-They are similar to the standard
-<citerefentry>
-<refentrytitle>gethostent</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-functions provided by most operating systems.
-They use a
-<type>struct hostent</type>
-which is usually defined in
-<filename>&lt;namedb.h&gt;</filename>.
-
-<programlisting>
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-</programlisting>
-</para>
-<para>
-The members of this structure are:
-<variablelist>
-<varlistentry><term><constant>h_name</constant></term>
-<listitem>
-<para>
-The official (canonical) name of the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_aliases</constant></term>
-<listitem>
-<para>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addrtype</constant></term>
-<listitem>
-<para>
-The type of address being returned &mdash;
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_length</constant></term>
-<listitem>
-<para>
-The length of the address in bytes.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addr_list</constant></term>
-<listitem>
-<para>
-A <type>NULL</type>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-For backward compatibility with very old software,
-<constant>h_addr</constant>
-is the first address in
-<constant>h_addr_list.</constant>
-</para>
-<para>
-<function>lwres_gethostent()</function>,
-<function>lwres_sethostent()</function>,
-<function>lwres_endhostent()</function>,
-<function>lwres_gethostent_r()</function>,
-<function>lwres_sethostent_r()</function>
-and
-<function>lwres_endhostent_r()</function>
-provide iteration over the known host entries on systems that
-provide such functionality through facilities like
-<filename>/etc/hosts</filename>
-or NIS. The lightweight resolver does not currently implement
-these functions; it only provides them as stub functions that always
-return failure.
-</para>
-
-<para>
-<function>lwres_gethostbyname()</function> and
-<function>lwres_gethostbyname2()</function> look up the hostname
-<parameter>name</parameter>.
-<function>lwres_gethostbyname()</function> always looks for an IPv4
-address while <function>lwres_gethostbyname2()</function> looks for an
-address of protocol family <parameter>af</parameter>: either
-<type>PF_INET</type> or <type>PF_INET6</type> &mdash; IPv4 or IPV6
-addresses respectively. Successful calls of the functions return a
-<type>struct hostent</type>for the name that was looked up.
-<type>NULL</type> is returned if the lookups by
-<function>lwres_gethostbyname()</function> or
-<function>lwres_gethostbyname2()</function> fail.
-</para>
-
-<para>
-Reverse lookups of addresses are performed by
-<function>lwres_gethostbyaddr()</function>.
-<parameter>addr</parameter> is an address of length
-<parameter>len</parameter> bytes and protocol family
-<parameter>type</parameter> &mdash; <type>PF_INET</type> or
-<type>PF_INET6</type>.
-<function>lwres_gethostbyname_r()</function> is a thread-safe function
-for forward lookups. If an error occurs, an error code is returned in
-<parameter>*error</parameter>.
-<parameter>resbuf</parameter> is a pointer to a <type>struct
-hostent</type> which is initialised by a successful call to
-<function>lwres_gethostbyname_r()</function> .
-<parameter>buf</parameter> is a buffer of length
-<parameter>len</parameter> bytes which is used to store the
-<constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type> returned in <parameter>resbuf</parameter>.
-Successful calls to <function>lwres_gethostbyname_r()</function>
-return <parameter>resbuf</parameter>,
-which is a pointer to the <type>struct hostent</type> it created.
-</para>
-
-<para>
-<function>lwres_gethostbyaddr_r()</function> is a thread-safe function
-that performs a reverse lookup of address <parameter>addr</parameter>
-which is <parameter>len</parameter> bytes long and is of protocol
-family <parameter>type</parameter> &mdash; <type>PF_INET</type> or
-<type>PF_INET6</type>. If an error occurs, the error code is returned
-in <parameter>*error</parameter>. The other function parameters are
-identical to those in <function>lwres_gethostbyname_r()</function>.
-<parameter>resbuf</parameter> is a pointer to a <type>struct
-hostent</type> which is initialised by a successful call to
-<function>lwres_gethostbyaddr_r()</function>.
-<parameter>buf</parameter> is a buffer of length
-<parameter>len</parameter> bytes which is used to store the
-<constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type> returned in <parameter>resbuf</parameter>. Successful
-calls to <function>lwres_gethostbyaddr_r()</function> return
-<parameter>resbuf</parameter>, which is a pointer to the
-<function>struct hostent()</function> it created.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The functions
-<function>lwres_gethostbyname()</function>,
-<function>lwres_gethostbyname2()</function>,
-<function>lwres_gethostbyaddr()</function>,
-and
-<function>lwres_gethostent()</function>
-return NULL to indicate an error. In this case the global variable
-<type>lwres_h_errno</type>
-will contain one of the following error codes defined in
-<filename>&lt;lwres/netdb.h&gt;</filename>:
-
-<variablelist>
-<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
-<listitem>
-<para>
-The host or address was not found.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>TRY_AGAIN</constant></term>
-<listitem>
-<para>
-A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_RECOVERY</constant></term>
-<listitem>
-<para>
-A non-recoverable error occurred.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_DATA</constant></term>
-<listitem>
-<para>
-The name exists, but has no address information
-associated with it (or vice versa in the case
-of a reverse lookup). The code NO_ADDRESS
-is accepted as a synonym for NO_DATA for backwards
-compatibility.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-
-<para>
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-translates these error codes to suitable error messages.
-</para>
-
-<para>
-<function>lwres_gethostent()</function>
-and
-<function>lwres_gethostent_r()</function>
-always return
-<type>NULL</type>.
-</para>
-
-<para>
-Successful calls to <function>lwres_gethostbyname_r()</function> and
-<function>lwres_gethostbyaddr_r()</function> return
-<parameter>resbuf</parameter>, a pointer to the <type>struct
-hostent</type> that was initialised by these functions. They return
-<type>NULL</type> if the lookups fail or if <parameter>buf</parameter>
-was too small to hold the list of addresses and names referenced by
-the <constant>h_name</constant>, <constant>h_aliases</constant>, and
-<constant>h_addr_list</constant> elements of the <type>struct
-hostent</type>. If <parameter>buf</parameter> was too small, both
-<function>lwres_gethostbyname_r()</function> and
-<function>lwres_gethostbyaddr_r()</function> set the global variable
-<type>errno</type> to <errorcode>ERANGE</errorcode>.
-</para>
-
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-
-<refsect1>
-<title>BUGS</title>
-<para>
-<function>lwres_gethostbyname()</function>,
-<function>lwres_gethostbyname2()</function>,
-<function>lwres_gethostbyaddr()</function>
-and
-<function>lwres_endhostent()</function>
-are not thread safe; they return pointers to static data and
-provide error codes through a global variable.
-Thread-safe versions for name and address lookup are provided by
-<function>lwres_gethostbyname_r()</function>,
-and
-<function>lwres_gethostbyaddr_r()</function>
-respectively.
-</para>
-<para>
-The resolver daemon does not currently support any non-DNS
-name services such as
-<filename>/etc/hosts</filename>
-or
-<type>NIS</type>,
-consequently the above functions don't, either.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.html b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
deleted file mode 100644
index 263f9932362c..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gethostent.html
+++ /dev/null
@@ -1,430 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_gethostent.html,v 1.8.2.1.4.8 2005/10/13 02:33:56 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gethostent</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r &#8212; lightweight resolver get network host entry</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em"><tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname2</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<p><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostent</b>(</code>void<code>)</code>;</p>
-<p><code class="funcdef">
-void
-<b class="fsfunc">lwres_sethostent</b>(</code>int stayopen<code>)</code>;</p>
-<p><code class="funcdef">
-void
-<b class="fsfunc">lwres_endhostent</b>(</code>void<code>)</code>;</p>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyname_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostbyaddr_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_gethostent_r</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<p><code class="funcdef">
-void
-<b class="fsfunc">lwres_sethostent_r</b>(</code>int stayopen<code>)</code>;</p>
-<p><code class="funcdef">
-void
-<b class="fsfunc">lwres_endhostent_r</b>(</code>void<code>)</code>;</p>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526041"></a><h2>DESCRIPTION</h2>
-<p>
-These functions provide hostname-to-address and
-address-to-hostname lookups by means of the lightweight resolver.
-They are similar to the standard
-<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3
-)</span>
-functions provided by most operating systems.
-They use a
-<span class="type">struct hostent</span>
-which is usually defined in
-<code class="filename">&lt;namedb.h&gt;</code>.
-
-</p>
-<pre class="programlisting">
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-</pre>
-<p>
-</p>
-<p>
-The members of this structure are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd><p>
-The official (canonical) name of the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd><p>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd><p>
-The type of address being returned &#8212;
-<span class="type">PF_INET</span>
-or
-<span class="type">PF_INET6</span>.
-</p></dd>
-<dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd><p>
-The length of the address in bytes.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd><p>
-A <span class="type">NULL</span>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-For backward compatibility with very old software,
-<code class="constant">h_addr</code>
-is the first address in
-<code class="constant">h_addr_list.</code>
-</p>
-<p>
-<code class="function">lwres_gethostent()</code>,
-<code class="function">lwres_sethostent()</code>,
-<code class="function">lwres_endhostent()</code>,
-<code class="function">lwres_gethostent_r()</code>,
-<code class="function">lwres_sethostent_r()</code>
-and
-<code class="function">lwres_endhostent_r()</code>
-provide iteration over the known host entries on systems that
-provide such functionality through facilities like
-<code class="filename">/etc/hosts</code>
-or NIS. The lightweight resolver does not currently implement
-these functions; it only provides them as stub functions that always
-return failure.
-</p>
-<p>
-<code class="function">lwres_gethostbyname()</code> and
-<code class="function">lwres_gethostbyname2()</code> look up the hostname
-<em class="parameter"><code>name</code></em>.
-<code class="function">lwres_gethostbyname()</code> always looks for an IPv4
-address while <code class="function">lwres_gethostbyname2()</code> looks for an
-address of protocol family <em class="parameter"><code>af</code></em>: either
-<span class="type">PF_INET</span> or <span class="type">PF_INET6</span> &#8212; IPv4 or IPV6
-addresses respectively. Successful calls of the functions return a
-<span class="type">struct hostent</span>for the name that was looked up.
-<span class="type">NULL</span> is returned if the lookups by
-<code class="function">lwres_gethostbyname()</code> or
-<code class="function">lwres_gethostbyname2()</code> fail.
-</p>
-<p>
-Reverse lookups of addresses are performed by
-<code class="function">lwres_gethostbyaddr()</code>.
-<em class="parameter"><code>addr</code></em> is an address of length
-<em class="parameter"><code>len</code></em> bytes and protocol family
-<em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-<span class="type">PF_INET6</span>.
-<code class="function">lwres_gethostbyname_r()</code> is a thread-safe function
-for forward lookups. If an error occurs, an error code is returned in
-<em class="parameter"><code>*error</code></em>.
-<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct
-hostent</span> which is initialised by a successful call to
-<code class="function">lwres_gethostbyname_r()</code> .
-<em class="parameter"><code>buf</code></em> is a buffer of length
-<em class="parameter"><code>len</code></em> bytes which is used to store the
-<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span> returned in <em class="parameter"><code>resbuf</code></em>.
-Successful calls to <code class="function">lwres_gethostbyname_r()</code>
-return <em class="parameter"><code>resbuf</code></em>,
-which is a pointer to the <span class="type">struct hostent</span> it created.
-</p>
-<p>
-<code class="function">lwres_gethostbyaddr_r()</code> is a thread-safe function
-that performs a reverse lookup of address <em class="parameter"><code>addr</code></em>
-which is <em class="parameter"><code>len</code></em> bytes long and is of protocol
-family <em class="parameter"><code>type</code></em> &#8212; <span class="type">PF_INET</span> or
-<span class="type">PF_INET6</span>. If an error occurs, the error code is returned
-in <em class="parameter"><code>*error</code></em>. The other function parameters are
-identical to those in <code class="function">lwres_gethostbyname_r()</code>.
-<em class="parameter"><code>resbuf</code></em> is a pointer to a <span class="type">struct
-hostent</span> which is initialised by a successful call to
-<code class="function">lwres_gethostbyaddr_r()</code>.
-<em class="parameter"><code>buf</code></em> is a buffer of length
-<em class="parameter"><code>len</code></em> bytes which is used to store the
-<code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span> returned in <em class="parameter"><code>resbuf</code></em>. Successful
-calls to <code class="function">lwres_gethostbyaddr_r()</code> return
-<em class="parameter"><code>resbuf</code></em>, which is a pointer to the
-<code class="function">struct hostent()</code> it created.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526380"></a><h2>RETURN VALUES</h2>
-<p>
-The functions
-<code class="function">lwres_gethostbyname()</code>,
-<code class="function">lwres_gethostbyname2()</code>,
-<code class="function">lwres_gethostbyaddr()</code>,
-and
-<code class="function">lwres_gethostent()</code>
-return NULL to indicate an error. In this case the global variable
-<span class="type">lwres_h_errno</span>
-will contain one of the following error codes defined in
-<code class="filename">&lt;lwres/netdb.h&gt;</code>:
-
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd><p>
-The host or address was not found.
-</p></dd>
-<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd><p>
-A recoverable error occurred, e.g., a timeout.
-Retrying the lookup may succeed.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd><p>
-A non-recoverable error occurred.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_DATA</code></span></dt>
-<dd><p>
-The name exists, but has no address information
-associated with it (or vice versa in the case
-of a reverse lookup). The code NO_ADDRESS
-is accepted as a synonym for NO_DATA for backwards
-compatibility.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-translates these error codes to suitable error messages.
-</p>
-<p>
-<code class="function">lwres_gethostent()</code>
-and
-<code class="function">lwres_gethostent_r()</code>
-always return
-<span class="type">NULL</span>.
-</p>
-<p>
-Successful calls to <code class="function">lwres_gethostbyname_r()</code> and
-<code class="function">lwres_gethostbyaddr_r()</code> return
-<em class="parameter"><code>resbuf</code></em>, a pointer to the <span class="type">struct
-hostent</span> that was initialised by these functions. They return
-<span class="type">NULL</span> if the lookups fail or if <em class="parameter"><code>buf</code></em>
-was too small to hold the list of addresses and names referenced by
-the <code class="constant">h_name</code>, <code class="constant">h_aliases</code>, and
-<code class="constant">h_addr_list</code> elements of the <span class="type">struct
-hostent</span>. If <em class="parameter"><code>buf</code></em> was too small, both
-<code class="function">lwres_gethostbyname_r()</code> and
-<code class="function">lwres_gethostbyaddr_r()</code> set the global variable
-<span class="type">errno</span> to <span class="errorcode">ERANGE</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526540"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">gethostent</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getipnode</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526644"></a><h2>BUGS</h2>
-<p>
-<code class="function">lwres_gethostbyname()</code>,
-<code class="function">lwres_gethostbyname2()</code>,
-<code class="function">lwres_gethostbyaddr()</code>
-and
-<code class="function">lwres_endhostent()</code>
-are not thread safe; they return pointers to static data and
-provide error codes through a global variable.
-Thread-safe versions for name and address lookup are provided by
-<code class="function">lwres_gethostbyname_r()</code>,
-and
-<code class="function">lwres_gethostbyaddr_r()</code>
-respectively.
-</p>
-<p>
-The resolver daemon does not currently support any non-DNS
-name services such as
-<code class="filename">/etc/hosts</code>
-or
-<span class="type">NIS</span>,
-consequently the above functions don't, either.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.3 b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
deleted file mode 100644
index d83758c5acf5..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.3
+++ /dev/null
@@ -1,170 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.6 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 39
-\fBstruct\ hostent\ *\ \fBlwres_getipnodebyname\fR\fR\fB(\fR\fBconst\ char\ *name\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ flags\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR
-.HP 39
-\fBstruct\ hostent\ *\ \fBlwres_getipnodebyaddr\fR\fR\fB(\fR\fBconst\ void\ *src\fR\fB, \fR\fBsize_t\ len\fR\fB, \fR\fBint\ af\fR\fB, \fR\fBint\ *error_num\fR\fB);\fR
-.HP 23
-\fBvoid\ \fBlwres_freehostent\fR\fR\fB(\fR\fBstruct\ hostent\ *he\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-These functions perform thread safe, protocol independent nodename\-to\-address and address\-to\-nodename translation as defined in RFC2553.
-.PP
-They use a
-\fBstruct hostent\fR
-which is defined in
-\fInamedb.h\fR:
-.sp
-.nf
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-.fi
-.sp
-.PP
-The members of this structure are:
-.TP
-\fBh_name\fR
-The official (canonical) name of the host.
-.TP
-\fBh_aliases\fR
-A NULL\-terminated array of alternate names (nicknames) for the host.
-.TP
-\fBh_addrtype\fR
-The type of address being returned \- usually
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.TP
-\fBh_length\fR
-The length of the address in bytes.
-.TP
-\fBh_addr_list\fR
-A
-\fBNULL\fR
-terminated array of network addresses for the host. Host addresses are returned in network byte order.
-.PP
-\fBlwres_getipnodebyname()\fR
-looks up addresses of protocol family
-\fIaf\fR
-for the hostname
-\fIname\fR. The
-\fIflags\fR
-parameter contains ORed flag bits to specify the types of addresses that are searched for, and the types of addresses that are returned. The flag bits are:
-.TP
-\fBAI_V4MAPPED\fR
-This is used with an
-\fIaf\fR
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4\-mapped IPv6 addresses.
-.TP
-\fBAI_ALL\fR
-This is used with an
-\fIaf\fR
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned. If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped IPv6 addresses.
-.TP
-\fBAI_ADDRCONFIG\fR
-Only return an IPv6 or IPv4 address if here is an active network interface of that type. This is not currently implemented in the BIND 9 lightweight resolver, and the flag is ignored.
-.TP
-\fBAI_DEFAULT\fR
-This default sets the
-\fBAI_V4MAPPED\fR
-and
-\fBAI_ADDRCONFIG\fR
-flag bits.
-.PP
-\fBlwres_getipnodebyaddr()\fR
-performs a reverse lookup of address
-\fIsrc\fR
-which is
-\fIlen\fR
-bytes long.
-\fIaf\fR
-denotes the protocol family, typically
-\fBPF_INET\fR
-or
-\fBPF_INET6\fR.
-.PP
-\fBlwres_freehostent()\fR
-releases all the memory associated with the
-\fBstruct hostent\fR
-pointer
-\fIhe\fR. Any memory allocated for the
-\fBh_name\fR,
-\fBh_addr_list\fR
-and
-\fBh_aliases\fR
-is freed, as is the memory for the
-\fBhostent\fR
-structure itself.
-.SH "RETURN VALUES"
-.PP
-If an error occurs,
-\fBlwres_getipnodebyname()\fR
-and
-\fBlwres_getipnodebyaddr()\fR
-set
-\fI*error_num\fR
-to an appropriate error code and the function returns a
-\fBNULL\fR
-pointer. The error codes and their meanings are defined in
-\fI<lwres/netdb.h>\fR:
-.TP
-\fBHOST_NOT_FOUND\fR
-No such host is known.
-.TP
-\fBNO_ADDRESS\fR
-The server recognised the request and the name but no address is available. Another type of request to the name server for the domain might return an answer.
-.TP
-\fBTRY_AGAIN\fR
-A temporary and possibly transient error occurred, such as a failure of a server to respond. The request may succeed if retried.
-.TP
-\fBNO_RECOVERY\fR
-An unexpected failure occurred, and retrying the request is pointless.
-.PP
-\fBlwres_hstrerror\fR(3 )
-translates these error codes to suitable error messages.
-.SH "SEE ALSO"
-.PP
-\fBRFC2553\fR(),
-\fBlwres\fR(3),
-\fBlwres_gethostent\fR(3),
-\fBlwres_getaddrinfo\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_hstrerror\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
deleted file mode 100644
index 94de72c0fe70..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
+++ /dev/null
@@ -1,323 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getipnode.docbook,v 1.4.2.2.4.3 2005/05/12 21:36:14 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_getipnode</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <year>2003</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_getipnodebyname</refname>
-<refname>lwres_getipnodebyaddr</refname>
-<refname>lwres_freehostent</refname>
-<refpurpose>lightweight resolver nodename / address translation API</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_getipnodebyname</function></funcdef>
-<paramdef>const char *name</paramdef>
-<paramdef>int af</paramdef>
-<paramdef>int flags</paramdef>
-<paramdef>int *error_num</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-struct hostent *
-<function>lwres_getipnodebyaddr</function></funcdef>
-<paramdef>const void *src</paramdef>
-<paramdef>size_t len</paramdef>
-<paramdef>int af</paramdef>
-<paramdef>int *error_num</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_freehostent</function></funcdef>
-<paramdef>struct hostent *he</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-These functions perform thread safe, protocol independent
-nodename-to-address and address-to-nodename
-translation as defined in RFC2553.
-</para>
-
-<para>
-They use a
-<type>struct hostent</type>
-which is defined in
-<filename>namedb.h</filename>:
-<programlisting>
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-</programlisting>
-</para>
-
-<para>
-The members of this structure are:
-<variablelist>
-<varlistentry><term><constant>h_name</constant></term>
-<listitem>
-<para>
-The official (canonical) name of the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_aliases</constant></term>
-<listitem>
-<para>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addrtype</constant></term>
-<listitem>
-<para>
-The type of address being returned - usually
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
-
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_length</constant></term>
-<listitem>
-<para>
-The length of the address in bytes.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>h_addr_list</constant></term>
-<listitem>
-<para>
-A
-<type>NULL</type>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<function>lwres_getipnodebyname()</function>
-looks up addresses of protocol family
-<parameter>af</parameter>
-
-for the hostname
-<parameter>name</parameter>.
-
-The
-<parameter>flags</parameter>
-parameter contains ORed flag bits to
-specify the types of addresses that are searched
-for, and the types of addresses that are returned.
-The flag bits are:
-<variablelist>
-<varlistentry><term><constant>AI_V4MAPPED</constant></term>
-<listitem>
-<para>
-This is used with an
-<parameter>af</parameter>
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_ALL</constant></term>
-<listitem>
-<para>
-This is used with an
-<parameter>af</parameter>
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
-If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_ADDRCONFIG</constant></term>
-<listitem>
-<para>
-Only return an IPv6 or IPv4 address if here is an active network
-interface of that type. This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>AI_DEFAULT</constant></term>
-<listitem>
-<para>
-This default sets the
-<constant>AI_V4MAPPED</constant>
-and
-<constant>AI_ADDRCONFIG</constant>
-flag bits.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<function>lwres_getipnodebyaddr()</function>
-performs a reverse lookup
-of address
-<parameter>src</parameter>
-which is
-<parameter>len</parameter>
-bytes long.
-<parameter>af</parameter>
-denotes the protocol family, typically
-<type>PF_INET</type>
-or
-<type>PF_INET6</type>.
-
-</para>
-<para>
-<function>lwres_freehostent()</function>
-releases all the memory associated with
-the
-<type>struct hostent</type>
-pointer
-<parameter>he</parameter>.
-
-Any memory allocated for the
-<constant>h_name</constant>,
-
-<constant>h_addr_list</constant>
-and
-<constant>h_aliases</constant>
-is freed, as is the memory for the
-<type>hostent</type>
-structure itself.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-If an error occurs,
-<function>lwres_getipnodebyname()</function>
-and
-<function>lwres_getipnodebyaddr()</function>
-set
-<parameter>*error_num</parameter>
-to an appropriate error code and the function returns a
-<type>NULL</type>
-pointer.
-The error codes and their meanings are defined in
-<filename>&lt;lwres/netdb.h&gt;</filename>:
-<variablelist>
-<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
-<listitem>
-<para>
-No such host is known.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_ADDRESS</constant></term>
-<listitem>
-<para>
-The server recognised the request and the name but no address is
-available. Another type of request to the name server for the
-domain might return an answer.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>TRY_AGAIN</constant></term>
-<listitem>
-<para>
-A temporary and possibly transient error occurred, such as a
-failure of a server to respond. The request may succeed if
-retried.
-</para>
-</listitem></varlistentry>
-<varlistentry><term><constant>NO_RECOVERY</constant></term>
-<listitem>
-<para>
-An unexpected failure occurred, and retrying the request
-is pointless.
-</para>
-</listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-translates these error codes to suitable error messages.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2553</refentrytitle>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.html b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
deleted file mode 100644
index c5038b4f5a5d..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getipnode.html
+++ /dev/null
@@ -1,298 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_getipnode.html,v 1.7.2.1.4.9 2005/10/13 02:33:56 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getipnode</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent &#8212; lightweight resolver nodename / address translation API</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_getipnodebyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-struct hostent *
-<b class="fsfunc">lwres_getipnodebyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freehostent</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525896"></a><h2>DESCRIPTION</h2>
-<p>
-These functions perform thread safe, protocol independent
-nodename-to-address and address-to-nodename
-translation as defined in RFC2553.
-</p>
-<p>
-They use a
-<span class="type">struct hostent</span>
-which is defined in
-<code class="filename">namedb.h</code>:
-</p>
-<pre class="programlisting">
-struct hostent {
- char *h_name; /* official name of host */
- char **h_aliases; /* alias list */
- int h_addrtype; /* host address type */
- int h_length; /* length of address */
- char **h_addr_list; /* list of addresses from name server */
-};
-#define h_addr h_addr_list[0] /* address, for backward compatibility */
-</pre>
-<p>
-</p>
-<p>
-The members of this structure are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">h_name</code></span></dt>
-<dd><p>
-The official (canonical) name of the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_aliases</code></span></dt>
-<dd><p>
-A NULL-terminated array of alternate names (nicknames) for the host.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addrtype</code></span></dt>
-<dd><p>
-The type of address being returned - usually
-<span class="type">PF_INET</span>
-or
-<span class="type">PF_INET6</span>.
-
-</p></dd>
-<dt><span class="term"><code class="constant">h_length</code></span></dt>
-<dd><p>
-The length of the address in bytes.
-</p></dd>
-<dt><span class="term"><code class="constant">h_addr_list</code></span></dt>
-<dd><p>
-A
-<span class="type">NULL</span>
-terminated array of network addresses for the host.
-Host addresses are returned in network byte order.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<code class="function">lwres_getipnodebyname()</code>
-looks up addresses of protocol family
-<em class="parameter"><code>af</code></em>
-
-for the hostname
-<em class="parameter"><code>name</code></em>.
-
-The
-<em class="parameter"><code>flags</code></em>
-parameter contains ORed flag bits to
-specify the types of addresses that are searched
-for, and the types of addresses that are returned.
-The flag bits are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">AI_V4MAPPED</code></span></dt>
-<dd><p>
-This is used with an
-<em class="parameter"><code>af</code></em>
-of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
-IPv6 addresses.
-</p></dd>
-<dt><span class="term"><code class="constant">AI_ALL</code></span></dt>
-<dd><p>
-This is used with an
-<em class="parameter"><code>af</code></em>
-of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
-If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
-IPv6 addresses.
-</p></dd>
-<dt><span class="term"><code class="constant">AI_ADDRCONFIG</code></span></dt>
-<dd><p>
-Only return an IPv6 or IPv4 address if here is an active network
-interface of that type. This is not currently implemented
-in the BIND 9 lightweight resolver, and the flag is ignored.
-</p></dd>
-<dt><span class="term"><code class="constant">AI_DEFAULT</code></span></dt>
-<dd><p>
-This default sets the
-<code class="constant">AI_V4MAPPED</code>
-and
-<code class="constant">AI_ADDRCONFIG</code>
-flag bits.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<code class="function">lwres_getipnodebyaddr()</code>
-performs a reverse lookup
-of address
-<em class="parameter"><code>src</code></em>
-which is
-<em class="parameter"><code>len</code></em>
-bytes long.
-<em class="parameter"><code>af</code></em>
-denotes the protocol family, typically
-<span class="type">PF_INET</span>
-or
-<span class="type">PF_INET6</span>.
-
-</p>
-<p>
-<code class="function">lwres_freehostent()</code>
-releases all the memory associated with
-the
-<span class="type">struct hostent</span>
-pointer
-<em class="parameter"><code>he</code></em>.
-
-Any memory allocated for the
-<code class="constant">h_name</code>,
-
-<code class="constant">h_addr_list</code>
-and
-<code class="constant">h_aliases</code>
-is freed, as is the memory for the
-<span class="type">hostent</span>
-structure itself.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526131"></a><h2>RETURN VALUES</h2>
-<p>
-If an error occurs,
-<code class="function">lwres_getipnodebyname()</code>
-and
-<code class="function">lwres_getipnodebyaddr()</code>
-set
-<em class="parameter"><code>*error_num</code></em>
-to an appropriate error code and the function returns a
-<span class="type">NULL</span>
-pointer.
-The error codes and their meanings are defined in
-<code class="filename">&lt;lwres/netdb.h&gt;</code>:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">HOST_NOT_FOUND</code></span></dt>
-<dd><p>
-No such host is known.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_ADDRESS</code></span></dt>
-<dd><p>
-The server recognised the request and the name but no address is
-available. Another type of request to the name server for the
-domain might return an answer.
-</p></dd>
-<dt><span class="term"><code class="constant">TRY_AGAIN</code></span></dt>
-<dd><p>
-A temporary and possibly transient error occurred, such as a
-failure of a server to respond. The request may succeed if
-retried.
-</p></dd>
-<dt><span class="term"><code class="constant">NO_RECOVERY</code></span></dt>
-<dd><p>
-An unexpected failure occurred, and retrying the request
-is pointless.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3
-)</span>
-translates these error codes to suitable error messages.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526290"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2553</span></span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_gethostent</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getaddrinfo</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
deleted file mode 100644
index 853c2b9bb940..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
+++ /dev/null
@@ -1,98 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.5 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 22
-\fBint\ \fBlwres_getnameinfo\fR\fR\fB(\fR\fBconst\ struct\ sockaddr\ *sa\fR\fB, \fR\fBsize_t\ salen\fR\fB, \fR\fBchar\ *host\fR\fB, \fR\fBsize_t\ hostlen\fR\fB, \fR\fBchar\ *serv\fR\fB, \fR\fBsize_t\ servlen\fR\fB, \fR\fBint\ flags\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-This function is equivalent to the
-\fBgetnameinfo\fR(3)
-function defined in RFC2133.
-\fBlwres_getnameinfo()\fR
-returns the hostname for the
-\fBstruct sockaddr\fR\fIsa\fR
-which is
-\fIsalen\fR
-bytes long. The hostname is of length
-\fIhostlen\fR
-and is returned via
-\fI*host.\fR
-The maximum length of the hostname is 1025 bytes:
-\fBNI_MAXHOST\fR.
-.PP
-The name of the service associated with the port number in
-\fIsa\fR
-is returned in
-\fI*serv.\fR
-It is
-\fIservlen\fR
-bytes long. The maximum length of the service name is
-\fBNI_MAXSERV\fR
-\- 32 bytes.
-.PP
-The
-\fIflags\fR
-argument sets the following bits:
-.TP
-\fBNI_NOFQDN\fR
-A fully qualified domain name is not required for local hosts. The local part of the fully qualified domain name is returned instead.
-.TP
-\fBNI_NUMERICHOST\fR
-Return the address in numeric form, as if calling inet_ntop(), instead of a host name.
-.TP
-\fBNI_NAMEREQD\fR
-A name is required. If the hostname cannot be found in the DNS and this flag is set, a non\-zero error code is returned. If the hostname is not found and the flag is not set, the address is returned in numeric form.
-.TP
-\fBNI_NUMERICSERV\fR
-The service name is returned as a digit string representing the port number.
-.TP
-\fBNI_DGRAM\fR
-Specifies that the service being looked up is a datagram service, and causes getservbyport() to be called with a second argument of "udp" instead of its default of "tcp". This is required for the few ports (512\-514) that have different services for UDP and TCP.
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getnameinfo()\fR
-returns 0 on success or a non\-zero error code if an error occurs.
-.SH "SEE ALSO"
-.PP
-\fBRFC2133\fR(),
-\fBgetservbyport\fR(3),
-\fBlwres\fR(3),
-\fBlwres_getnameinfo\fR(3),
-\fBlwres_getnamebyaddr\fR(3).
-\fBlwres_net_ntop\fR(3).
-.SH "BUGS"
-.PP
-RFC2133 fails to define what the nonzero return values of
-\fBgetnameinfo\fR(3)
-are.
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
deleted file mode 100644
index b6e10ac3ab05..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
+++ /dev/null
@@ -1,170 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getnameinfo.docbook,v 1.3.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_getnameinfo</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_getnameinfo</refname>
-<refpurpose>lightweight resolver socket address structure to hostname and service name</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-int
-<function>lwres_getnameinfo</function></funcdef>
-<paramdef>const struct sockaddr *sa</paramdef>
-<paramdef>size_t salen</paramdef>
-<paramdef>char *host</paramdef>
-<paramdef>size_t hostlen</paramdef>
-<paramdef>char *serv</paramdef>
-<paramdef>size_t servlen</paramdef>
-<paramdef>int flags</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para> This function is equivalent to the <citerefentry>
-<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry> function defined in RFC2133.
-<function>lwres_getnameinfo()</function> returns the hostname for the
-<type>struct sockaddr</type> <parameter>sa</parameter> which is
-<parameter>salen</parameter> bytes long. The hostname is of length
-<parameter>hostlen</parameter> and is returned via
-<parameter>*host.</parameter> The maximum length of the hostname is
-1025 bytes: <constant>NI_MAXHOST</constant>.</para>
-
-<para> The name of the service associated with the port number in
-<parameter>sa</parameter> is returned in <parameter>*serv.</parameter>
-It is <parameter>servlen</parameter> bytes long. The maximum length
-of the service name is <constant>NI_MAXSERV</constant> - 32 bytes.
-</para>
-
-<para> The <parameter>flags</parameter> argument sets the following
-bits:
-<variablelist>
-<varlistentry><term><constant>NI_NOFQDN</constant></term>
-<listitem>
-<para>
-A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NUMERICHOST</constant></term>
-<listitem>
-<para>
-Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NAMEREQD</constant></term>
-<listitem>
-<para>
-A name is required. If the hostname cannot be found in the DNS and
-this flag is set, a non-zero error code is returned.
-If the hostname is not found and the flag is not set, the
-address is returned in numeric form.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_NUMERICSERV</constant></term>
-<listitem>
-<para>
-The service name is returned as a digit string representing the port number.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>NI_DGRAM</constant></term>
-<listitem>
-<para>
-Specifies that the service being looked up is a datagram
-service, and causes getservbyport() to be called with a second
-argument of "udp" instead of its default of "tcp". This is required
-for the few ports (512-514) that have different services for UDP and
-TCP.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getnameinfo()</function>
-returns 0 on success or a non-zero error code if an error occurs.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC2133</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>getservbyport</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>lwres_getnamebyaddr</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-<citerefentry>
-<refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-<refsect1>
-<title>BUGS</title>
-<para>
-RFC2133 fails to define what the nonzero return values of
-<citerefentry>
-<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>
-are.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
deleted file mode 100644
index 6e7a7b166587..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
+++ /dev/null
@@ -1,154 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_getnameinfo.html,v 1.5.2.1.4.9 2005/10/13 02:33:56 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getnameinfo</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getnameinfo &#8212; lightweight resolver socket address structure to hostname and service name</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getnameinfo</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525862"></a><h2>DESCRIPTION</h2>
-<p> This function is equivalent to the <span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span> function defined in RFC2133.
-<code class="function">lwres_getnameinfo()</code> returns the hostname for the
-<span class="type">struct sockaddr</span> <em class="parameter"><code>sa</code></em> which is
-<em class="parameter"><code>salen</code></em> bytes long. The hostname is of length
-<em class="parameter"><code>hostlen</code></em> and is returned via
-<em class="parameter"><code>*host.</code></em> The maximum length of the hostname is
-1025 bytes: <code class="constant">NI_MAXHOST</code>.</p>
-<p> The name of the service associated with the port number in
-<em class="parameter"><code>sa</code></em> is returned in <em class="parameter"><code>*serv.</code></em>
-It is <em class="parameter"><code>servlen</code></em> bytes long. The maximum length
-of the service name is <code class="constant">NI_MAXSERV</code> - 32 bytes.
-</p>
-<p> The <em class="parameter"><code>flags</code></em> argument sets the following
-bits:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">NI_NOFQDN</code></span></dt>
-<dd><p>
-A fully qualified domain name is not required for local hosts.
-The local part of the fully qualified domain name is returned instead.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_NUMERICHOST</code></span></dt>
-<dd><p>
-Return the address in numeric form, as if calling inet_ntop(),
-instead of a host name.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_NAMEREQD</code></span></dt>
-<dd><p>
-A name is required. If the hostname cannot be found in the DNS and
-this flag is set, a non-zero error code is returned.
-If the hostname is not found and the flag is not set, the
-address is returned in numeric form.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_NUMERICSERV</code></span></dt>
-<dd><p>
-The service name is returned as a digit string representing the port number.
-</p></dd>
-<dt><span class="term"><code class="constant">NI_DGRAM</code></span></dt>
-<dd><p>
-Specifies that the service being looked up is a datagram
-service, and causes getservbyport() to be called with a second
-argument of "udp" instead of its default of "tcp". This is required
-for the few ports (512-514) that have different services for UDP and
-TCP.
-</p></dd>
-</dl></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525988"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getnameinfo()</code>
-returns 0 on success or a non-zero error code if an error occurs.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526001"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC2133</span></span>,
-<span class="citerefentry"><span class="refentrytitle">getservbyport</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres_getnameinfo</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">lwres_getnamebyaddr</span>(3)</span>.
-<span class="citerefentry"><span class="refentrytitle">lwres_net_ntop</span>(3)</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526059"></a><h2>BUGS</h2>
-<p>
-RFC2133 fails to define what the nonzero return values of
-<span class="citerefentry"><span class="refentrytitle">getnameinfo</span>(3)</span>
-are.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3 b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
deleted file mode 100644
index 6d900f864ff4..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
+++ /dev/null
@@ -1,136 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.5 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 25
-\fBint\ \fBlwres_getrrsetbyname\fR\fR\fB(\fR\fBconst\ char\ *hostname\fR\fB, \fR\fBunsigned\ int\ rdclass\fR\fB, \fR\fBunsigned\ int\ rdtype\fR\fB, \fR\fBunsigned\ int\ flags\fR\fB, \fR\fBstruct\ rrsetinfo\ **res\fR\fB);\fR
-.HP 21
-\fBvoid\ \fBlwres_freerrset\fR\fR\fB(\fR\fBstruct\ rrsetinfo\ *rrset\fR\fB);\fR
-.PP
-The following structures are used:
-.sp
-.nf
-struct rdatainfo {
- unsigned int rdi_length; /* length of data */
- unsigned char *rdi_data; /* record data */
-};
-struct rrsetinfo {
- unsigned int rri_flags; /* RRSET_VALIDATED... */
- unsigned int rri_rdclass; /* class number */
- unsigned int rri_rdtype; /* RR type number */
- unsigned int rri_ttl; /* time to live */
- unsigned int rri_nrdatas; /* size of rdatas array */
- unsigned int rri_nsigs; /* size of sigs array */
- char *rri_name; /* canonical name */
- struct rdatainfo *rri_rdatas; /* individual records */
- struct rdatainfo *rri_sigs; /* individual signatures */
-};
-.fi
-.sp
-.SH "DESCRIPTION"
-.PP
-\fBlwres_getrrsetbyname()\fR
-gets a set of resource records associated with a
-\fIhostname\fR,
-\fIclass\fR, and
-\fItype\fR.
-\fIhostname\fR
-is a pointer a to null\-terminated string. The
-\fIflags\fR
-field is currently unused and must be zero.
-.PP
-After a successful call to
-\fBlwres_getrrsetbyname()\fR,
-\fI*res\fR
-is a pointer to an
-\fBrrsetinfo\fR
-structure, containing a list of one or more
-\fBrdatainfo\fR
-structures containing resource records and potentially another list of
-\fBrdatainfo\fR
-structures containing SIG resource records associated with those records. The members
-\fBrri_rdclass\fR
-and
-\fBrri_rdtype\fR
-are copied from the parameters.
-\fBrri_ttl\fR
-and
-\fBrri_name\fR
-are properties of the obtained rrset. The resource records contained in
-\fBrri_rdatas\fR
-and
-\fBrri_sigs\fR
-are in uncompressed DNS wire format. Properties of the rdataset are represented in the
-\fBrri_flags\fR
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC validated and the signatures verified.
-.PP
-All of the information returned by
-\fBlwres_getrrsetbyname()\fR
-is dynamically allocated: the
-\fBrrsetinfo\fR
-and
-\fBrdatainfo\fR
-structures, and the canonical host name strings pointed to by the
-\fBrrsetinfo\fRstructure. Memory allocated for the dynamically allocated structures created by a successful call to
-\fBlwres_getrrsetbyname()\fR
-is released by
-\fBlwres_freerrset()\fR.
-\fIrrset\fR
-is a pointer to a
-\fBstruct rrset\fR
-created by a call to
-\fBlwres_getrrsetbyname()\fR.
-.PP
-.SH "RETURN VALUES"
-.PP
-\fBlwres_getrrsetbyname()\fR
-returns zero on success, and one of the following error codes if an error occurred:
-.TP
-\fBERRSET_NONAME\fR
-the name does not exist
-.TP
-\fBERRSET_NODATA\fR
-the name exists, but does not have data of the desired type
-.TP
-\fBERRSET_NOMEMORY\fR
-memory could not be allocated
-.TP
-\fBERRSET_INVAL\fR
-a parameter is invalid
-.TP
-\fBERRSET_FAIL\fR
-other failure
-.TP
-.SH "SEE ALSO"
-.PP
-\fBlwres\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
deleted file mode 100644
index 53c33bef7b34..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ /dev/null
@@ -1,224 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.3.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
-<refentry>
-<refentryinfo>
-
-
-<date>Oct 18, 2000</date>
-</refentryinfo>
-<refmeta>
-<refentrytitle>lwres_getrrsetbyname</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_getrrsetbyname</refname>
-<refname>lwres_freerrset</refname>
-<refpurpose>retrieve DNS records</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-int
-<function>lwres_getrrsetbyname</function></funcdef>
-<paramdef>const char *hostname</paramdef>
-<paramdef>unsigned int rdclass</paramdef>
-<paramdef>unsigned int rdtype</paramdef>
-<paramdef>unsigned int flags</paramdef>
-<paramdef>struct rrsetinfo **res</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_freerrset</function></funcdef>
-<paramdef>struct rrsetinfo *rrset</paramdef>
-</funcprototype>
-</funcsynopsis>
-
-<para>
-The following structures are used:
-<programlisting>
-struct rdatainfo {
- unsigned int rdi_length; /* length of data */
- unsigned char *rdi_data; /* record data */
-};
-
-struct rrsetinfo {
- unsigned int rri_flags; /* RRSET_VALIDATED... */
- unsigned int rri_rdclass; /* class number */
- unsigned int rri_rdtype; /* RR type number */
- unsigned int rri_ttl; /* time to live */
- unsigned int rri_nrdatas; /* size of rdatas array */
- unsigned int rri_nsigs; /* size of sigs array */
- char *rri_name; /* canonical name */
- struct rdatainfo *rri_rdatas; /* individual records */
- struct rdatainfo *rri_sigs; /* individual signatures */
-};
-</programlisting>
-</para>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<function>lwres_getrrsetbyname()</function>
-gets a set of resource records associated with a
-<parameter>hostname</parameter>,
-
-<parameter>class</parameter>,
-
-and
-<parameter>type</parameter>.
-
-<parameter>hostname</parameter>
-is
-a pointer a to null-terminated string. The
-<parameter>flags</parameter>
-field is currently unused and must be zero.
-</para>
-<para>
-After a successful call to
-<function>lwres_getrrsetbyname()</function>,
-
-<parameter>*res</parameter>
-is a pointer to an
-<type>rrsetinfo</type>
-structure, containing a list of one or more
-<type>rdatainfo</type>
-structures containing resource records and potentially another list of
-<type>rdatainfo</type>
-structures containing SIG resource records
-associated with those records.
-The members
-<constant>rri_rdclass</constant>
-and
-<constant>rri_rdtype</constant>
-are copied from the parameters.
-<constant>rri_ttl</constant>
-and
-<constant>rri_name</constant>
-are properties of the obtained rrset.
-The resource records contained in
-<constant>rri_rdatas</constant>
-and
-<constant>rri_sigs</constant>
-are in uncompressed DNS wire format.
-Properties of the rdataset are represented in the
-<constant>rri_flags</constant>
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified.
-</para>
-<para>
-All of the information returned by
-<function>lwres_getrrsetbyname()</function>
-is dynamically allocated: the
-<constant>rrsetinfo</constant>
-and
-<constant>rdatainfo</constant>
-structures,
-and the canonical host name strings pointed to by the
-<constant>rrsetinfo</constant>structure.
-
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<function>lwres_getrrsetbyname()</function>
-is released by
-<function>lwres_freerrset()</function>.
-
-<parameter>rrset</parameter>
-is a pointer to a
-<type>struct rrset</type>
-created by a call to
-<function>lwres_getrrsetbyname()</function>.
-
-</para>
-<para>
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-<function>lwres_getrrsetbyname()</function>
-returns zero on success, and one of the following error
-codes if an error occurred:
-<variablelist>
-
-<varlistentry><term><constant>ERRSET_NONAME</constant></term>
-<listitem><para>
-the name does not exist
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_NODATA</constant></term>
-<listitem><para>
-the name exists, but does not have data of the desired type
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_NOMEMORY</constant></term>
-<listitem><para>
-memory could not be allocated
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_INVAL</constant></term>
-<listitem><para>
-a parameter is invalid
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>ERRSET_FAIL</constant></term>
-<listitem><para>
-other failure
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant></constant></term>
-<listitem><para>
-</para></listitem></varlistentry>
-
-</variablelist>
-
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
deleted file mode 100644
index f36a1d21d996..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
+++ /dev/null
@@ -1,217 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_getrrsetbyname.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_getrrsetbyname</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_getrrsetbyname, lwres_freerrset &#8212; retrieve DNS records</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-int
-<b class="fsfunc">lwres_getrrsetbyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0"><tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_freerrset</b>(</code></td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr></table>
-</div>
-<p>
-The following structures are used:
-</p>
-<pre class="programlisting">
-struct rdatainfo {
- unsigned int rdi_length; /* length of data */
- unsigned char *rdi_data; /* record data */
-};
-
-struct rrsetinfo {
- unsigned int rri_flags; /* RRSET_VALIDATED... */
- unsigned int rri_rdclass; /* class number */
- unsigned int rri_rdtype; /* RR type number */
- unsigned int rri_ttl; /* time to live */
- unsigned int rri_nrdatas; /* size of rdatas array */
- unsigned int rri_nsigs; /* size of sigs array */
- char *rri_name; /* canonical name */
- struct rdatainfo *rri_rdatas; /* individual records */
- struct rdatainfo *rri_sigs; /* individual signatures */
-};
-</pre>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525878"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_getrrsetbyname()</code>
-gets a set of resource records associated with a
-<em class="parameter"><code>hostname</code></em>,
-
-<em class="parameter"><code>class</code></em>,
-
-and
-<em class="parameter"><code>type</code></em>.
-
-<em class="parameter"><code>hostname</code></em>
-is
-a pointer a to null-terminated string. The
-<em class="parameter"><code>flags</code></em>
-field is currently unused and must be zero.
-</p>
-<p>
-After a successful call to
-<code class="function">lwres_getrrsetbyname()</code>,
-
-<em class="parameter"><code>*res</code></em>
-is a pointer to an
-<span class="type">rrsetinfo</span>
-structure, containing a list of one or more
-<span class="type">rdatainfo</span>
-structures containing resource records and potentially another list of
-<span class="type">rdatainfo</span>
-structures containing SIG resource records
-associated with those records.
-The members
-<code class="constant">rri_rdclass</code>
-and
-<code class="constant">rri_rdtype</code>
-are copied from the parameters.
-<code class="constant">rri_ttl</code>
-and
-<code class="constant">rri_name</code>
-are properties of the obtained rrset.
-The resource records contained in
-<code class="constant">rri_rdatas</code>
-and
-<code class="constant">rri_sigs</code>
-are in uncompressed DNS wire format.
-Properties of the rdataset are represented in the
-<code class="constant">rri_flags</code>
-bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
-validated and the signatures verified.
-</p>
-<p>
-All of the information returned by
-<code class="function">lwres_getrrsetbyname()</code>
-is dynamically allocated: the
-<code class="constant">rrsetinfo</code>
-and
-<code class="constant">rdatainfo</code>
-structures,
-and the canonical host name strings pointed to by the
-<code class="constant">rrsetinfo</code>structure.
-
-Memory allocated for the dynamically allocated structures created by
-a successful call to
-<code class="function">lwres_getrrsetbyname()</code>
-is released by
-<code class="function">lwres_freerrset()</code>.
-
-<em class="parameter"><code>rrset</code></em>
-is a pointer to a
-<span class="type">struct rrset</span>
-created by a call to
-<code class="function">lwres_getrrsetbyname()</code>.
-
-</p>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526058"></a><h2>RETURN VALUES</h2>
-<p>
-<code class="function">lwres_getrrsetbyname()</code>
-returns zero on success, and one of the following error
-codes if an error occurred:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">ERRSET_NONAME</code></span></dt>
-<dd><p>
-the name does not exist
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_NODATA</code></span></dt>
-<dd><p>
-the name exists, but does not have data of the desired type
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_NOMEMORY</code></span></dt>
-<dd><p>
-memory could not be allocated
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_INVAL</code></span></dt>
-<dd><p>
-a parameter is invalid
-</p></dd>
-<dt><span class="term"><code class="constant">ERRSET_FAIL</code></span></dt>
-<dd><p>
-other failure
-</p></dd>
-<dt><span class="term"><code class="constant"></code></span></dt>
-<dd><p>
-</p></dd>
-</dl></div>
-<p>
-
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526132"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.3 b/contrib/bind9/lib/lwres/man/lwres_gnba.3
deleted file mode 100644
index 58047ce6b5dc..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_gnba.3,v 1.13.2.1.8.5 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-\fBlwres_result_t\ \fBlwres_gnbarequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *\fR\fB\fIctx\fR\fR\fB, \fR\fBlwres_gnbarequest_t\ *\fR\fB\fIreq\fR\fR\fB, \fR\fBlwres_lwpacket_t\ *\fR\fB\fIpkt\fR\fR\fB, \fR\fBlwres_buffer_t\ *\fR\fB\fIb\fR\fR\fB);\fR
-.HP 41
-\fBlwres_result_t\ \fBlwres_gnbaresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbaresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 39
-\fBlwres_result_t\ \fBlwres_gnbarequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gnbarequest_t\ **structp\fR\fB);\fR
-.HP 40
-\fBlwres_result_t\ \fBlwres_gnbaresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
-.HP 29
-\fBvoid\ \fBlwres_gnbaresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
-.HP 28
-\fBvoid\ \fBlwres_gnbarequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_gnbarequest_t\ **structp\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-These are low\-level routines for creating and parsing lightweight resolver address\-to\-name lookup request and response messages.
-.PP
-There are four main functions for the getnamebyaddr opcode. One render function converts a getnamebyaddr request structure \(em
-\fBlwres_gnbarequest_t\fR
-\(em to the lightweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a getnamebyaddr request structure. Another render function converts the getnamebyaddr response structure \(em
-\fBlwres_gnbaresponse_t\fR
-to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a getnamebyaddr response structure.
-.PP
-These structures are defined in
-\fIlwres/lwres.h\fR. They are shown below.
-.sp
-.nf
-#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-typedef struct {
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;
-.fi
-.sp
-.PP
-\fBlwres_gnbarequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert getnamebyaddr request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_gnbaresponse_render()\fR
-performs the same task, except it converts a getnamebyaddr response structure
-\fBlwres_gnbaresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_gnbarequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_gnbarequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
-\fBlwres_gnbarequest_t\fR
-is made available through
-\fI*structp\fR.
-\fBlwres_gnbaresponse_parse()\fR
-offers the same semantics as
-\fBlwres_gnbarequest_parse()\fR
-except it yields a
-\fBlwres_gnbaresponse_t\fR
-structure.
-.PP
-\fBlwres_gnbaresponse_free()\fR
-and
-\fBlwres_gnbarequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_gnbaresponse_t\fR
-or
-\fBlwres_gnbarequest_t\fR
-structures referenced via
-\fIstructp\fR. Any memory associated with ancillary buffers and strings for those structures is also discarded.
-.SH "RETURN VALUES"
-.PP
-The getnamebyaddr opcode functions
-\fBlwres_gnbarequest_render()\fR,
-\fBlwres_gnbaresponse_render()\fR\fBlwres_gnbarequest_parse()\fR
-and
-\fBlwres_gnbaresponse_parse()\fR
-all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
-if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_gnbarequest_t\fR
-and
-\fBlwres_gnbaresponse_t\fR
-structures.
-\fBlwres_gnbarequest_parse()\fR
-and
-\fBlwres_gnbaresponse_parse()\fR
-will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
-if
-pktflags
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
deleted file mode 100644
index 753148642efe..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
+++ /dev/null
@@ -1,274 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_gnba.docbook,v 1.4.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_gnba</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_gnbarequest_render</refname>
-<refname>lwres_gnbaresponse_render</refname>
-<refname>lwres_gnbarequest_parse</refname>
-<refname>lwres_gnbaresponse_parse</refname>
-<refname>lwres_gnbaresponse_free</refname>
-<refname>lwres_gnbarequest_free</refname>
-<refpurpose>lightweight resolver getnamebyaddress message handling</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-
-<funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwres.h&gt;
-</funcsynopsisinfo>
-
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbarequest_render</function>
-</funcdef>
-<paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
-<paramdef>lwres_gnbarequest_t *<parameter>req</parameter></paramdef>
-<paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
-<paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbaresponse_render</function>
-</funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbaresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbarequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gnbarequest_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_gnbaresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
-
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gnbaresponse_free</function>
-</funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_gnbarequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_gnbarequest_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver address-to-name lookup request and
-response messages.
-</para>
-<para>
-There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure &mdash;
-<type>lwres_gnbarequest_t</type> &mdash;
-to the lightweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure &mdash;
-<type>lwres_gnbaresponse_t</type>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.
-</para>
-<para>
-These structures are defined in
-<filename>lwres/lwres.h</filename>.
-They are shown below.
-<programlisting>
-#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;
-</programlisting>
-</para>
-<para>
-<function>lwres_gnbarequest_render()</function>
-uses resolver context
-<varname>ctx</varname>
-to convert getnamebyaddr request structure
-<varname>req</varname>
-to canonical format.
-The packet header structure
-<varname>pkt</varname>
-is initialised and transferred to
-buffer
-<varname>b</varname>.
-The contents of
-<varname>*req</varname>
-are then appended to the buffer in canonical format.
-<function>lwres_gnbaresponse_render()</function>
-performs the same task, except it converts a getnamebyaddr response structure
-<type>lwres_gnbaresponse_t</type>
-to the lightweight resolver's canonical format.
-</para>
-<para>
-<function>lwres_gnbarequest_parse()</function>
-uses context
-<varname>ctx</varname>
-to convert the contents of packet
-<varname>pkt</varname>
-to a
-<type>lwres_gnbarequest_t</type>
-structure.
-Buffer
-<varname>b</varname>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<type>lwres_gnbarequest_t</type>
-is made available through
-<varname>*structp</varname>.
-<function>lwres_gnbaresponse_parse()</function>
-offers the same semantics as
-<function>lwres_gnbarequest_parse()</function>
-except it yields a
-<type>lwres_gnbaresponse_t</type>
-structure.
-</para>
-<para>
-<function>lwres_gnbaresponse_free()</function>
-and
-<function>lwres_gnbarequest_free()</function>
-release the memory in resolver context
-<varname>ctx</varname>
-that was allocated to the
-<type>lwres_gnbaresponse_t</type>
-or
-<type>lwres_gnbarequest_t</type>
-structures referenced via
-<varname>structp</varname>.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</para>
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The getnamebyaddr opcode functions
-<function>lwres_gnbarequest_render()</function>,
-<function>lwres_gnbaresponse_render()</function>
-<function>lwres_gnbarequest_parse()</function>
-and
-<function>lwres_gnbaresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<varname>b</varname>
-is too small to accommodate the packet header or the
-<type>lwres_gnbarequest_t</type>
-and
-<type>lwres_gnbaresponse_t</type>
-structures.
-<function>lwres_gnbarequest_parse()</function>
-and
-<function>lwres_gnbaresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<structfield>pktflags</structfield>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle>
-<manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.html b/contrib/bind9/lib/lwres/man/lwres_gnba.html
deleted file mode 100644
index 89cf35e02c36..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_gnba.html
+++ /dev/null
@@ -1,324 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_gnba.html,v 1.6.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_gnba</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free &#8212; lightweight resolver getnamebyaddress message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwres.h&gt;
-</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbarequest_render</b>
-(</code></td>
-<td>lwres_context_t * </td>
-<td>
-<var class="pdparam">ctx</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_gnbarequest_t * </td>
-<td>
-<var class="pdparam">req</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_lwpacket_t * </td>
-<td>
-<var class="pdparam">pkt</var>, </td>
-</tr>
-<tr>
-<td> </td>
-<td>lwres_buffer_t * </td>
-<td>
-<var class="pdparam">b</var><code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbaresponse_render</b>
-(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbarequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_gnbaresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gnbaresponse_free</b>
-(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_gnbarequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525975"></a><h2>DESCRIPTION</h2>
-<p>
-These are low-level routines for creating and parsing
-lightweight resolver address-to-name lookup request and
-response messages.
-</p>
-<p>
-There are four main functions for the getnamebyaddr opcode.
-One render function converts a getnamebyaddr request structure &#8212;
-<span class="type">lwres_gnbarequest_t</span> &#8212;
-to the lightweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a getnamebyaddr request structure.
-Another render function converts the getnamebyaddr response structure &#8212;
-<span class="type">lwres_gnbaresponse_t</span>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a getnamebyaddr response structure.
-</p>
-<p>
-These structures are defined in
-<code class="filename">lwres/lwres.h</code>.
-They are shown below.
-</p>
-<pre class="programlisting">
-#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_addr_t addr;
-} lwres_gnbarequest_t;
-
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- void *base;
- size_t baselen;
-} lwres_gnbaresponse_t;
-</pre>
-<p>
-</p>
-<p>
-<code class="function">lwres_gnbarequest_render()</code>
-uses resolver context
-<code class="varname">ctx</code>
-to convert getnamebyaddr request structure
-<code class="varname">req</code>
-to canonical format.
-The packet header structure
-<code class="varname">pkt</code>
-is initialised and transferred to
-buffer
-<code class="varname">b</code>.
-The contents of
-<code class="varname">*req</code>
-are then appended to the buffer in canonical format.
-<code class="function">lwres_gnbaresponse_render()</code>
-performs the same task, except it converts a getnamebyaddr response structure
-<span class="type">lwres_gnbaresponse_t</span>
-to the lightweight resolver's canonical format.
-</p>
-<p>
-<code class="function">lwres_gnbarequest_parse()</code>
-uses context
-<code class="varname">ctx</code>
-to convert the contents of packet
-<code class="varname">pkt</code>
-to a
-<span class="type">lwres_gnbarequest_t</span>
-structure.
-Buffer
-<code class="varname">b</code>
-provides space to be used for storing this structure.
-When the function succeeds, the resulting
-<span class="type">lwres_gnbarequest_t</span>
-is made available through
-<code class="varname">*structp</code>.
-<code class="function">lwres_gnbaresponse_parse()</code>
-offers the same semantics as
-<code class="function">lwres_gnbarequest_parse()</code>
-except it yields a
-<span class="type">lwres_gnbaresponse_t</span>
-structure.
-</p>
-<p>
-<code class="function">lwres_gnbaresponse_free()</code>
-and
-<code class="function">lwres_gnbarequest_free()</code>
-release the memory in resolver context
-<code class="varname">ctx</code>
-that was allocated to the
-<span class="type">lwres_gnbaresponse_t</span>
-or
-<span class="type">lwres_gnbarequest_t</span>
-structures referenced via
-<code class="varname">structp</code>.
-Any memory associated with ancillary buffers and strings for those
-structures is also discarded.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526100"></a><h2>RETURN VALUES</h2>
-<p>
-The getnamebyaddr opcode functions
-<code class="function">lwres_gnbarequest_render()</code>,
-<code class="function">lwres_gnbaresponse_render()</code>
-<code class="function">lwres_gnbarequest_parse()</code>
-and
-<code class="function">lwres_gnbaresponse_parse()</code>
-all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success.
-They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-is returned if the available space in the buffer
-<code class="varname">b</code>
-is too small to accommodate the packet header or the
-<span class="type">lwres_gnbarequest_t</span>
-and
-<span class="type">lwres_gnbaresponse_t</span>
-structures.
-<code class="function">lwres_gnbarequest_parse()</code>
-and
-<code class="function">lwres_gnbaresponse_parse()</code>
-will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<em class="structfield"><code>pktflags</code></em>
-in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526165"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3 b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
deleted file mode 100644
index a1ecf7c2071f..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
+++ /dev/null
@@ -1,81 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.5 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
-.SH "SYNOPSIS"
-.nf
-#include <lwres/netdb.h>
-.fi
-.HP 18
-\fBvoid\ \fBlwres_herror\fR\fR\fB(\fR\fBconst\ char\ *s\fR\fB);\fR
-.HP 29
-\fBconst\ char\ *\ \fBlwres_hstrerror\fR\fR\fB(\fR\fBint\ err\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-\fBlwres_herror()\fR
-prints the string
-\fIs\fR
-on
-\fBstderr\fR
-followed by the string generated by
-\fBlwres_hstrerror()\fR
-for the error code stored in the global variable
-\fBlwres_h_errno\fR.
-.PP
-\fBlwres_hstrerror()\fR
-returns an appropriate string for the error code gievn by
-\fIerr\fR. The values of the error codes and messages are as follows:
-.TP
-\fBNETDB_SUCCESS\fR
-Resolver Error 0 (no error)
-.TP
-\fBHOST_NOT_FOUND\fR
-Unknown host
-.TP
-\fBTRY_AGAIN\fR
-Host name lookup failure
-.TP
-\fBNO_RECOVERY\fR
-Unknown server error
-.TP
-\fBNO_DATA\fR
-No address associated with name
-.SH "RETURN VALUES"
-.PP
-The string
-Unknown resolver error
-is returned by
-\fBlwres_hstrerror()\fR
-when the value of
-\fBlwres_h_errno\fR
-is not a valid error code.
-.SH "SEE ALSO"
-.PP
-\fBherror\fR(3),
-\fBlwres_hstrerror\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
deleted file mode 100644
index a36c072ef394..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
+++ /dev/null
@@ -1,139 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_hstrerror.docbook,v 1.4.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_hstrerror</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_herror</refname>
-<refname>lwres_hstrerror</refname>
-<refpurpose>lightweight resolver error message generation</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_herror</function></funcdef>
-<paramdef>const char *s</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-const char *
-<function>lwres_hstrerror</function></funcdef>
-<paramdef>int err</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-<function>lwres_herror()</function> prints the string
-<parameter>s</parameter> on <type>stderr</type> followed by the string
-generated by <function>lwres_hstrerror()</function> for the error code
-stored in the global variable <constant>lwres_h_errno</constant>.
-</para>
-
-<para>
-<function>lwres_hstrerror()</function> returns an appropriate string
-for the error code gievn by <parameter>err</parameter>. The values of
-the error codes and messages are as follows:
-
-<variablelist>
-<varlistentry><term><errorcode>NETDB_SUCCESS</errorcode></term>
-<listitem>
-<para>
-<errorname>Resolver Error 0 (no error)</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>HOST_NOT_FOUND</errorcode></term>
-<listitem>
-<para>
-<errorname>Unknown host</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>TRY_AGAIN</errorcode></term>
-<listitem>
-<para>
-<errorname>Host name lookup failure</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>NO_RECOVERY</errorcode></term>
-<listitem>
-<para>
-<errorname>Unknown server error</errorname>
-</para></listitem></varlistentry>
-<varlistentry><term><errorcode>NO_DATA</errorcode></term>
-<listitem>
-<para>
-<errorname>No address associated with name</errorname>
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The string <errorname>Unknown resolver error</errorname> is returned by
-<function>lwres_hstrerror()</function>
-when the value of
-<constant>lwres_h_errno</constant>
-is not a valid error code.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
deleted file mode 100644
index 4204a3365bd2..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
+++ /dev/null
@@ -1,100 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_hstrerror.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_hstrerror</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_herror, lwres_hstrerror &#8212; lightweight resolver error message generation</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/netdb.h&gt;</pre>
-<p><code class="funcdef">
-void
-<b class="fsfunc">lwres_herror</b>(</code>const char *s<code>)</code>;</p>
-<p><code class="funcdef">
-const char *
-<b class="fsfunc">lwres_hstrerror</b>(</code>int err<code>)</code>;</p>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525859"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_herror()</code> prints the string
-<em class="parameter"><code>s</code></em> on <span class="type">stderr</span> followed by the string
-generated by <code class="function">lwres_hstrerror()</code> for the error code
-stored in the global variable <code class="constant">lwres_h_errno</code>.
-</p>
-<p>
-<code class="function">lwres_hstrerror()</code> returns an appropriate string
-for the error code gievn by <em class="parameter"><code>err</code></em>. The values of
-the error codes and messages are as follows:
-
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><span class="errorcode">NETDB_SUCCESS</span></span></dt>
-<dd><p>
-<span class="errorname">Resolver Error 0 (no error)</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">HOST_NOT_FOUND</span></span></dt>
-<dd><p>
-<span class="errorname">Unknown host</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">TRY_AGAIN</span></span></dt>
-<dd><p>
-<span class="errorname">Host name lookup failure</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">NO_RECOVERY</span></span></dt>
-<dd><p>
-<span class="errorname">Unknown server error</span>
-</p></dd>
-<dt><span class="term"><span class="errorcode">NO_DATA</span></span></dt>
-<dd><p>
-<span class="errorname">No address associated with name</span>
-</p></dd>
-</dl></div>
-<p>
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525971"></a><h2>RETURN VALUES</h2>
-<p>
-The string <span class="errorname">Unknown resolver error</span> is returned by
-<code class="function">lwres_hstrerror()</code>
-when the value of
-<code class="constant">lwres_h_errno</code>
-is not a valid error code.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525990"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">herror</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_hstrerror</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.3 b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
deleted file mode 100644
index 782cbafd2285..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.3
+++ /dev/null
@@ -1,69 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.5 2005/10/13 02:33:53 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_net_ntop \- lightweight resolver IP address presentation
-.SH "SYNOPSIS"
-.nf
-#include <lwres/net.h>
-.fi
-.HP 28
-\fBconst\ char\ *\ \fBlwres_net_ntop\fR\fR\fB(\fR\fBint\ af\fR\fB, \fR\fBconst\ void\ *src\fR\fB, \fR\fBchar\ *dst\fR\fB, \fR\fBsize_t\ size\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-\fBlwres_net_ntop()\fR
-converts an IP address of protocol family
-\fIaf\fR
-\(em IPv4 or IPv6 \(em at location
-\fIsrc\fR
-from network format to its conventional representation as a string. For IPv4 addresses, that string would be a dotted\-decimal. An IPv6 address would be represented in colon notation as described in RFC1884.
-.PP
-The generated string is copied to
-\fIdst\fR
-provided
-\fIsize\fR
-indicates it is long enough to store the ASCII representation of the address.
-.SH "RETURN VALUES"
-.PP
-If successful, the function returns
-\fIdst\fR: a pointer to a string containing the presentation format of the address.
-\fBlwres_net_ntop()\fR
-returns
-\fBNULL\fR
-and sets the global variable
-\fBerrno\fR
-to
-\fBEAFNOSUPPORT\fR
-if the protocol family given in
-\fIaf\fR
-is not supported.
-.SH "SEE ALSO"
-.PP
-\fBRFC1884\fR(),
-\fBinet_ntop\fR(3),
-\fBerrno\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
deleted file mode 100644
index 651ef04d91bd..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
+++ /dev/null
@@ -1,114 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_inetntop.docbook,v 1.3.206.3 2005/05/12 21:36:15 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_inetntop</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_net_ntop</refname>
-<refpurpose>lightweight resolver IP address presentation</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/net.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-const char *
-<function>lwres_net_ntop</function></funcdef>
-<paramdef>int af</paramdef>
-<paramdef>const void *src</paramdef>
-<paramdef>char *dst</paramdef>
-<paramdef>size_t size</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-<function>lwres_net_ntop()</function> converts an IP address of
-protocol family <parameter>af</parameter> &mdash; IPv4 or IPv6 &mdash;
-at location <parameter>src</parameter> from network format to its
-conventional representation as a string. For IPv4 addresses, that
-string would be a dotted-decimal. An IPv6 address would be
-represented in colon notation as described in RFC1884.
-</para>
-
-<para>
-The generated string is copied to <parameter>dst</parameter> provided
-<parameter>size</parameter> indicates it is long enough to store the
-ASCII representation of the address.
-</para>
-
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-
-<para>
-If successful, the function returns <parameter>dst</parameter>:
-a pointer to a string containing the presentation format of the
-address. <function>lwres_net_ntop()</function> returns
-<type>NULL</type> and sets the global variable
-<constant>errno</constant> to <errorcode>EAFNOSUPPORT</errorcode> if
-the protocol family given in <parameter>af</parameter> is not
-supported.
-</para>
-
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>RFC1884</refentrytitle>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>inet_ntop</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.html b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
deleted file mode 100644
index 3c794a53b45b..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_inetntop.html
+++ /dev/null
@@ -1,98 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_inetntop.html,v 1.5.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_inetntop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_net_ntop &#8212; lightweight resolver IP address presentation</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/net.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-const char *
-<b class="fsfunc">lwres_net_ntop</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525854"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_net_ntop()</code> converts an IP address of
-protocol family <em class="parameter"><code>af</code></em> &#8212; IPv4 or IPv6 &#8212;
-at location <em class="parameter"><code>src</code></em> from network format to its
-conventional representation as a string. For IPv4 addresses, that
-string would be a dotted-decimal. An IPv6 address would be
-represented in colon notation as described in RFC1884.
-</p>
-<p>
-The generated string is copied to <em class="parameter"><code>dst</code></em> provided
-<em class="parameter"><code>size</code></em> indicates it is long enough to store the
-ASCII representation of the address.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525888"></a><h2>RETURN VALUES</h2>
-<p>
-If successful, the function returns <em class="parameter"><code>dst</code></em>:
-a pointer to a string containing the presentation format of the
-address. <code class="function">lwres_net_ntop()</code> returns
-<span class="type">NULL</span> and sets the global variable
-<code class="constant">errno</code> to <span class="errorcode">EAFNOSUPPORT</span> if
-the protocol family given in <em class="parameter"><code>af</code></em> is not
-supported.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525918"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">RFC1884</span></span>,
-<span class="citerefentry"><span class="refentrytitle">inet_ntop</span>(3)</span>,
-<span class="citerefentry"><span class="refentrytitle">errno</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.3 b/contrib/bind9/lib/lwres/man/lwres_noop.3
deleted file mode 100644
index d2eba576591b..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_noop.3
+++ /dev/null
@@ -1,159 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_noop.3,v 1.14.2.1.8.5 2005/10/13 02:33:54 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no\-op message handling
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 40
-\fBlwres_result_t\ \fBlwres_nooprequest_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_nooprequest_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 41
-\fBlwres_result_t\ \fBlwres_noopresponse_render\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_noopresponse_t\ *req\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB);\fR
-.HP 39
-\fBlwres_result_t\ \fBlwres_nooprequest_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_nooprequest_t\ **structp\fR\fB);\fR
-.HP 40
-\fBlwres_result_t\ \fBlwres_noopresponse_parse\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB, \fR\fBlwres_noopresponse_t\ **structp\fR\fB);\fR
-.HP 29
-\fBvoid\ \fBlwres_noopresponse_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_noopresponse_t\ **structp\fR\fB);\fR
-.HP 28
-\fBvoid\ \fBlwres_nooprequest_free\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_nooprequest_t\ **structp\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-These are low\-level routines for creating and parsing lightweight resolver no\-op request and response messages.
-.PP
-The no\-op message is analogous to a
-\fBping\fR
-packet: a packet is sent to the resolver daemon and is simply echoed back. The opcode is intended to allow a client to determine if the server is operational or not.
-.PP
-There are four main functions for the no\-op opcode. One render function converts a no\-op request structure \(em
-\fBlwres_nooprequest_t\fR
-\(em to the lighweight resolver's canonical format. It is complemented by a parse function that converts a packet in this canonical format to a no\-op request structure. Another render function converts the no\-op response structure \(em
-\fBlwres_noopresponse_t\fR
-to the canonical format. This is complemented by a parse function which converts a packet in canonical format to a no\-op response structure.
-.PP
-These structures are defined in
-\fIlwres/lwres.h\fR. They are shown below.
-.sp
-.nf
-#define LWRES_OPCODE_NOOP 0x00000000U
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;
-.fi
-.sp
-Although the structures have different types, they are identical. This is because the no\-op opcode simply echos whatever data was sent: the response is therefore identical to the request.
-.PP
-\fBlwres_nooprequest_render()\fR
-uses resolver context
-\fIctx\fR
-to convert no\-op request structure
-\fIreq\fR
-to canonical format. The packet header structure
-\fIpkt\fR
-is initialised and transferred to buffer
-\fIb\fR. The contents of
-\fI*req\fR
-are then appended to the buffer in canonical format.
-\fBlwres_noopresponse_render()\fR
-performs the same task, except it converts a no\-op response structure
-\fBlwres_noopresponse_t\fR
-to the lightweight resolver's canonical format.
-.PP
-\fBlwres_nooprequest_parse()\fR
-uses context
-\fIctx\fR
-to convert the contents of packet
-\fIpkt\fR
-to a
-\fBlwres_nooprequest_t\fR
-structure. Buffer
-\fIb\fR
-provides space to be used for storing this structure. When the function succeeds, the resulting
-\fBlwres_nooprequest_t\fR
-is made available through
-\fI*structp\fR.
-\fBlwres_noopresponse_parse()\fR
-offers the same semantics as
-\fBlwres_nooprequest_parse()\fR
-except it yields a
-\fBlwres_noopresponse_t\fR
-structure.
-.PP
-\fBlwres_noopresponse_free()\fR
-and
-\fBlwres_nooprequest_free()\fR
-release the memory in resolver context
-\fIctx\fR
-that was allocated to the
-\fBlwres_noopresponse_t\fR
-or
-\fBlwres_nooprequest_t\fR
-structures referenced via
-\fIstructp\fR.
-.SH "RETURN VALUES"
-.PP
-The no\-op opcode functions
-\fBlwres_nooprequest_render()\fR,
-\fBlwres_noopresponse_render()\fR\fBlwres_nooprequest_parse()\fR
-and
-\fBlwres_noopresponse_parse()\fR
-all return
-\fBLWRES_R_SUCCESS\fR
-on success. They return
-\fBLWRES_R_NOMEMORY\fR
-if memory allocation fails.
-\fBLWRES_R_UNEXPECTEDEND\fR
-is returned if the available space in the buffer
-\fIb\fR
-is too small to accommodate the packet header or the
-\fBlwres_nooprequest_t\fR
-and
-\fBlwres_noopresponse_t\fR
-structures.
-\fBlwres_nooprequest_parse()\fR
-and
-\fBlwres_noopresponse_parse()\fR
-will return
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer is not empty after decoding the received packet. These functions will return
-\fBLWRES_R_FAILURE\fR
-if
-\fBpktflags\fR
-in the packet header structure
-\fBlwres_lwpacket_t\fR
-indicate that the packet is not a response to an earlier query.
-.SH "SEE ALSO"
-.PP
-\fBlwres_packet\fR(3 )
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.docbook b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
deleted file mode 100644
index fcb3c5933ab7..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_noop.docbook
+++ /dev/null
@@ -1,244 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_noop.docbook,v 1.4.206.3 2005/05/12 21:36:16 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_noop</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_nooprequest_render</refname>
-<refname>lwres_noopresponse_render</refname>
-<refname>lwres_nooprequest_parse</refname>
-<refname>lwres_noopresponse_parse</refname>
-<refname>lwres_noopresponse_free</refname>
-<refname>lwres_nooprequest_free</refname>
-<refpurpose>lightweight resolver no-op message handling</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>
-#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_nooprequest_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_nooprequest_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_noopresponse_render</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_noopresponse_t *req</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_nooprequest_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_nooprequest_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_noopresponse_parse</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-<paramdef>lwres_noopresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_noopresponse_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_noopresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-void
-<function>lwres_nooprequest_free</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_nooprequest_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.
-</para>
-<para>
-The no-op message is analogous to a <command>ping</command> packet:
-a packet is sent to the resolver daemon and is simply echoed back.
-The opcode is intended to allow a client to determine if the server is
-operational or not.
-</para>
-<para>
-There are four main functions for the no-op opcode.
-One render function converts a no-op request structure &mdash;
-<type>lwres_nooprequest_t</type> &mdash;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a no-op request structure.
-Another render function converts the no-op response structure &mdash;
-<type>lwres_noopresponse_t</type>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.
-</para>
-<para>
-These structures are defined in
-<filename>lwres/lwres.h</filename>.
-
-They are shown below.
-<programlisting>
-#define LWRES_OPCODE_NOOP 0x00000000U
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;
-</programlisting>
-Although the structures have different types, they are identical.
-This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.
-</para>
-
-<para>
-<function>lwres_nooprequest_render()</function> uses resolver
-context <parameter>ctx</parameter> to convert no-op request structure
-<parameter>req</parameter> to canonical format. The packet header
-structure <parameter>pkt</parameter> is initialised and transferred to
-buffer <parameter>b</parameter>. The contents of
-<parameter>*req</parameter> are then appended to the buffer in
-canonical format. <function>lwres_noopresponse_render()</function>
-performs the same task, except it converts a no-op response structure
-<type>lwres_noopresponse_t</type> to the lightweight resolver's
-canonical format.
-</para>
-
-<para>
-<function>lwres_nooprequest_parse()</function> uses context
-<parameter>ctx</parameter> to convert the contents of packet
-<parameter>pkt</parameter> to a <type>lwres_nooprequest_t</type>
-structure. Buffer <parameter>b</parameter> provides space to be used
-for storing this structure. When the function succeeds, the resulting
-<type>lwres_nooprequest_t</type> is made available through
-<parameter>*structp</parameter>.
-<function>lwres_noopresponse_parse()</function> offers the same
-semantics as <function>lwres_nooprequest_parse()</function> except it
-yields a <type>lwres_noopresponse_t</type> structure.
-</para>
-
-<para>
-<function>lwres_noopresponse_free()</function> and
-<function>lwres_nooprequest_free()</function> release the memory in
-resolver context <parameter>ctx</parameter> that was allocated to the
-<type>lwres_noopresponse_t</type> or <type>lwres_nooprequest_t</type>
-structures referenced via <parameter>structp</parameter>.
-</para>
-
-</refsect1>
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-The no-op opcode functions
-<function>lwres_nooprequest_render()</function>,
-
-<function>lwres_noopresponse_render()</function>
-<function>lwres_nooprequest_parse()</function>
-and
-<function>lwres_noopresponse_parse()</function>
-all return
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success.
-They return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-if memory allocation fails.
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-is returned if the available space in the buffer
-<parameter>b</parameter>
-is too small to accommodate the packet header or the
-<type>lwres_nooprequest_t</type>
-and
-<type>lwres_noopresponse_t</type>
-structures.
-<function>lwres_nooprequest_parse()</function>
-and
-<function>lwres_noopresponse_parse()</function>
-will return
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if
-<constant>pktflags</constant>
-in the packet header structure
-<type>lwres_lwpacket_t</type>
-indicate that the packet is not a response to an earlier query.
-</para>
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-</para>
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.html b/contrib/bind9/lib/lwres/man/lwres_noop.html
deleted file mode 100644
index 261bac802f66..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_noop.html
+++ /dev/null
@@ -1,295 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_noop.html,v 1.7.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_noop</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free &#8212; lightweight resolver no-op message handling</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">
-#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_nooprequest_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_noopresponse_render</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_nooprequest_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_noopresponse_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_noopresponse_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-void
-<b class="fsfunc">lwres_nooprequest_free</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525963"></a><h2>DESCRIPTION</h2>
-<p>
-These are low-level routines for creating and parsing
-lightweight resolver no-op request and response messages.
-</p>
-<p>
-The no-op message is analogous to a <span><strong class="command">ping</strong></span> packet:
-a packet is sent to the resolver daemon and is simply echoed back.
-The opcode is intended to allow a client to determine if the server is
-operational or not.
-</p>
-<p>
-There are four main functions for the no-op opcode.
-One render function converts a no-op request structure &#8212;
-<span class="type">lwres_nooprequest_t</span> &#8212;
-to the lighweight resolver's canonical format.
-It is complemented by a parse function that converts a packet in this
-canonical format to a no-op request structure.
-Another render function converts the no-op response structure &#8212;
-<span class="type">lwres_noopresponse_t</span>
-to the canonical format.
-This is complemented by a parse function which converts a packet in
-canonical format to a no-op response structure.
-</p>
-<p>
-These structures are defined in
-<code class="filename">lwres/lwres.h</code>.
-
-They are shown below.
-</p>
-<pre class="programlisting">
-#define LWRES_OPCODE_NOOP 0x00000000U
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_nooprequest_t;
-
-typedef struct {
- lwres_uint16_t datalength;
- unsigned char *data;
-} lwres_noopresponse_t;
-</pre>
-<p>
-Although the structures have different types, they are identical.
-This is because the no-op opcode simply echos whatever data was sent:
-the response is therefore identical to the request.
-</p>
-<p>
-<code class="function">lwres_nooprequest_render()</code> uses resolver
-context <em class="parameter"><code>ctx</code></em> to convert no-op request structure
-<em class="parameter"><code>req</code></em> to canonical format. The packet header
-structure <em class="parameter"><code>pkt</code></em> is initialised and transferred to
-buffer <em class="parameter"><code>b</code></em>. The contents of
-<em class="parameter"><code>*req</code></em> are then appended to the buffer in
-canonical format. <code class="function">lwres_noopresponse_render()</code>
-performs the same task, except it converts a no-op response structure
-<span class="type">lwres_noopresponse_t</span> to the lightweight resolver's
-canonical format.
-</p>
-<p>
-<code class="function">lwres_nooprequest_parse()</code> uses context
-<em class="parameter"><code>ctx</code></em> to convert the contents of packet
-<em class="parameter"><code>pkt</code></em> to a <span class="type">lwres_nooprequest_t</span>
-structure. Buffer <em class="parameter"><code>b</code></em> provides space to be used
-for storing this structure. When the function succeeds, the resulting
-<span class="type">lwres_nooprequest_t</span> is made available through
-<em class="parameter"><code>*structp</code></em>.
-<code class="function">lwres_noopresponse_parse()</code> offers the same
-semantics as <code class="function">lwres_nooprequest_parse()</code> except it
-yields a <span class="type">lwres_noopresponse_t</span> structure.
-</p>
-<p>
-<code class="function">lwres_noopresponse_free()</code> and
-<code class="function">lwres_nooprequest_free()</code> release the memory in
-resolver context <em class="parameter"><code>ctx</code></em> that was allocated to the
-<span class="type">lwres_noopresponse_t</span> or <span class="type">lwres_nooprequest_t</span>
-structures referenced via <em class="parameter"><code>structp</code></em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526096"></a><h2>RETURN VALUES</h2>
-<p>
-The no-op opcode functions
-<code class="function">lwres_nooprequest_render()</code>,
-
-<code class="function">lwres_noopresponse_render()</code>
-<code class="function">lwres_nooprequest_parse()</code>
-and
-<code class="function">lwres_noopresponse_parse()</code>
-all return
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success.
-They return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-if memory allocation fails.
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-is returned if the available space in the buffer
-<em class="parameter"><code>b</code></em>
-is too small to accommodate the packet header or the
-<span class="type">lwres_nooprequest_t</span>
-and
-<span class="type">lwres_noopresponse_t</span>
-structures.
-<code class="function">lwres_nooprequest_parse()</code>
-and
-<code class="function">lwres_noopresponse_parse()</code>
-will return
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer is not empty after decoding the received packet.
-These functions will return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if
-<code class="constant">pktflags</code>
-in the packet header structure
-<span class="type">lwres_lwpacket_t</span>
-indicate that the packet is not a response to an earlier query.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526160"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_packet</span>(3
-)</span>
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.3 b/contrib/bind9/lib/lwres/man/lwres_packet.3
deleted file mode 100644
index 777e0c76eed8..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_packet.3
+++ /dev/null
@@ -1,129 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_packet.3,v 1.15.2.1.8.5 2005/10/13 02:33:54 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwpacket.h>
-.fi
-.HP 43
-\fBlwres_result_t\ \fBlwres_lwpacket_renderheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB);\fR
-.HP 42
-\fBlwres_result_t\ \fBlwres_lwpacket_parseheader\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_lwpacket_t\ *pkt\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-These functions rely on a
-\fBstruct lwres_lwpacket\fR
-which is defined in
-\fIlwres/lwpacket.h\fR.
-.sp
-.nf
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};
-.fi
-.sp
-.PP
-The elements of this structure are:
-.TP
-\fBlength\fR
-the overall packet length, including the entire packet header. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
-\fBversion\fR
-the header format. There is currently only one format,
-\fBLWRES_LWPACKETVERSION_0\fR. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
-\fBpktflags\fR
-library\-defined flags for this packet: for instance whether the packet is a request or a reply. Flag values can be set, but not defined by the caller. This field is filled in by the application wit the exception of the LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
-\fBserial\fR
-is set by the requestor and is returned in all replies. If two or more packets from the same source have the same serial number and are from the same source, they are assumed to be duplicates and the latter ones may be dropped. This field must be set by the application.
-.TP
-\fBopcode\fR
-indicates the operation. Opcodes between 0x00000000 and 0x03ffffff are reserved for use by the lightweight resolver library. Opcodes between 0x04000000 and 0xffffffff are application defined. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
-\fBresult\fR
-is only valid for replies. Results between 0x04000000 and 0xffffffff are application defined. Results between 0x00000000 and 0x03ffffff are reserved for library use. This field is filled in by the lwres_gabn_*() and lwres_gnba_*() calls.
-.TP
-\fBrecvlength\fR
-is the maximum buffer size that the receiver can handle on requests and the size of the buffer needed to satisfy a request when the buffer is too large for replies. This field is supplied by the application.
-.TP
-\fBauthtype\fR
-defines the packet level authentication that is used. Authorisation types between 0x1000 and 0xffff are application defined and types between 0x0000 and 0x0fff are reserved for library use. Currently these are not used and must be zero.
-.TP
-\fBauthlen\fR
-gives the length of the authentication data. Since packet authentication is currently not used, this must be zero.
-.PP
-The following opcodes are currently defined:
-.TP
-\fBNOOP\fR
-Success is always returned and the packet contents are echoed. The lwres_noop_*() functions should be used for this type.
-.TP
-\fBGETADDRSBYNAME\fR
-returns all known addresses for a given name. The lwres_gabn_*() functions should be used for this type.
-.TP
-\fBGETNAMEBYADDR\fR
-return the hostname for the given address. The lwres_gnba_*() functions should be used for this type.
-.PP
-\fBlwres_lwpacket_renderheader()\fR
-transfers the contents of lightweight resolver packet structure
-\fBlwres_lwpacket_t\fR\fI*pkt\fR
-in network byte order to the lightweight resolver buffer,
-\fI*b\fR.
-.PP
-\fBlwres_lwpacket_parseheader()\fR
-performs the converse operation. It transfers data in network byte order from buffer
-\fI*b\fR
-to resolver packet
-\fI*pkt\fR. The contents of the buffer
-\fIb\fR
-should correspond to a
-\fBlwres_lwpacket_t\fR.
-.SH "RETURN VALUES"
-.PP
-Successful calls to
-\fBlwres_lwpacket_renderheader()\fR
-and
-\fBlwres_lwpacket_parseheader()\fR
-return
-\fBLWRES_R_SUCCESS\fR. If there is insufficient space to copy data between the buffer
-\fI*b\fR
-and lightweight resolver packet
-\fI*pkt\fR
-both functions return
-\fBLWRES_R_UNEXPECTEDEND\fR.
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.docbook b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
deleted file mode 100644
index 226f9942c9ae..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_packet.docbook
+++ /dev/null
@@ -1,233 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_packet.docbook,v 1.6.206.3 2005/05/12 21:36:16 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
-<refentrytitle>lwres_packet</refentrytitle>
-<manvolnum>3</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_lwpacket_renderheader</refname>
-<refname>lwres_lwpacket_parseheader</refname>
-<refpurpose>lightweight resolver packet handling functions</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwpacket.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_lwpacket_renderheader</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_lwpacket_parseheader</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_lwpacket_t *pkt</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-These functions rely on a
-<type>struct lwres_lwpacket</type>
-which is defined in
-<filename>lwres/lwpacket.h</filename>.
-
-<programlisting>
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};
-</programlisting>
-</para>
-
-<para>
-The elements of this structure are:
-<variablelist>
-<varlistentry><term><constant>length</constant></term>
-<listitem>
-<para>
-the overall packet length, including the entire packet header.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>version</constant></term>
-<listitem>
-<para>
-the header format. There is currently only one format,
-<type>LWRES_LWPACKETVERSION_0</type>.
-
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>pktflags</constant></term>
-<listitem>
-<para>
-library-defined flags for this packet: for instance whether the packet
-is a request or a reply. Flag values can be set, but not defined by
-the caller.
-This field is filled in by the application wit the exception of the
-LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>serial</constant></term>
-<listitem>
-<para>
-is set by the requestor and is returned in all replies. If two or more
-packets from the same source have the same serial number and are from
-the same source, they are assumed to be duplicates and the latter ones
-may be dropped.
-This field must be set by the application.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>opcode</constant></term>
-<listitem>
-<para>
-indicates the operation.
-Opcodes between 0x00000000 and 0x03ffffff are
-reserved for use by the lightweight resolver library. Opcodes between
-0x04000000 and 0xffffffff are application defined.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>result</constant></term>
-<listitem>
-<para>
-is only valid for replies.
-Results between 0x04000000 and 0xffffffff are application defined.
-Results between 0x00000000 and 0x03ffffff are reserved for library use.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>recvlength</constant></term>
-<listitem>
-<para>
-is the maximum buffer size that the receiver can handle on requests
-and the size of the buffer needed to satisfy a request when the buffer
-is too large for replies.
-This field is supplied by the application.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>authtype</constant></term>
-<listitem>
-<para>
-defines the packet level authentication that is used.
-Authorisation types between 0x1000 and 0xffff are application defined
-and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>authlen</constant></term>
-<listitem>
-<para>
-gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-<para>
-The following opcodes are currently defined:
-<variablelist>
-<varlistentry><term><constant>NOOP</constant></term>
-<listitem>
-<para>
-Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>GETADDRSBYNAME</constant></term>
-<listitem>
-<para>
-returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.
-</para></listitem></varlistentry>
-<varlistentry><term><constant>GETNAMEBYADDR</constant></term>
-<listitem>
-<para>
-return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.
-</para></listitem></varlistentry>
-</variablelist>
-</para>
-
-<para>
-<function>lwres_lwpacket_renderheader()</function> transfers the
-contents of lightweight resolver packet structure
-<type>lwres_lwpacket_t</type> <parameter>*pkt</parameter> in network
-byte order to the lightweight resolver buffer,
-<parameter>*b</parameter>.
-</para>
-
-<para>
-<function>lwres_lwpacket_parseheader()</function> performs the
-converse operation. It transfers data in network byte order from
-buffer <parameter>*b</parameter> to resolver packet
-<parameter>*pkt</parameter>. The contents of the buffer
-<parameter>b</parameter> should correspond to a
-<type>lwres_lwpacket_t</type>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para> Successful calls to
-<function>lwres_lwpacket_renderheader()</function> and
-<function>lwres_lwpacket_parseheader()</function> return
-<errorcode>LWRES_R_SUCCESS</errorcode>. If there is insufficient
-space to copy data between the buffer <parameter>*b</parameter> and
-lightweight resolver packet <parameter>*pkt</parameter> both functions
-return <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.html b/contrib/bind9/lib/lwres/man/lwres_packet.html
deleted file mode 100644
index b83fbcbf1b5b..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_packet.html
+++ /dev/null
@@ -1,216 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_packet.html,v 1.8.2.1.4.9 2005/10/13 02:33:57 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_packet</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader &#8212; lightweight resolver packet handling functions</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwpacket.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_lwpacket_renderheader</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_lwpacket_parseheader</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525865"></a><h2>DESCRIPTION</h2>
-<p>
-These functions rely on a
-<span class="type">struct lwres_lwpacket</span>
-which is defined in
-<code class="filename">lwres/lwpacket.h</code>.
-
-</p>
-<pre class="programlisting">
-typedef struct lwres_lwpacket lwres_lwpacket_t;
-
-struct lwres_lwpacket {
- lwres_uint32_t length;
- lwres_uint16_t version;
- lwres_uint16_t pktflags;
- lwres_uint32_t serial;
- lwres_uint32_t opcode;
- lwres_uint32_t result;
- lwres_uint32_t recvlength;
- lwres_uint16_t authtype;
- lwres_uint16_t authlength;
-};
-</pre>
-<p>
-</p>
-<p>
-The elements of this structure are:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">length</code></span></dt>
-<dd><p>
-the overall packet length, including the entire packet header.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">version</code></span></dt>
-<dd><p>
-the header format. There is currently only one format,
-<span class="type">LWRES_LWPACKETVERSION_0</span>.
-
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">pktflags</code></span></dt>
-<dd><p>
-library-defined flags for this packet: for instance whether the packet
-is a request or a reply. Flag values can be set, but not defined by
-the caller.
-This field is filled in by the application wit the exception of the
-LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
-lwres_gabn_*() and lwres_gnba_*() calls.
-</p></dd>
-<dt><span class="term"><code class="constant">serial</code></span></dt>
-<dd><p>
-is set by the requestor and is returned in all replies. If two or more
-packets from the same source have the same serial number and are from
-the same source, they are assumed to be duplicates and the latter ones
-may be dropped.
-This field must be set by the application.
-</p></dd>
-<dt><span class="term"><code class="constant">opcode</code></span></dt>
-<dd><p>
-indicates the operation.
-Opcodes between 0x00000000 and 0x03ffffff are
-reserved for use by the lightweight resolver library. Opcodes between
-0x04000000 and 0xffffffff are application defined.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">result</code></span></dt>
-<dd><p>
-is only valid for replies.
-Results between 0x04000000 and 0xffffffff are application defined.
-Results between 0x00000000 and 0x03ffffff are reserved for library use.
-This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
-calls.
-</p></dd>
-<dt><span class="term"><code class="constant">recvlength</code></span></dt>
-<dd><p>
-is the maximum buffer size that the receiver can handle on requests
-and the size of the buffer needed to satisfy a request when the buffer
-is too large for replies.
-This field is supplied by the application.
-</p></dd>
-<dt><span class="term"><code class="constant">authtype</code></span></dt>
-<dd><p>
-defines the packet level authentication that is used.
-Authorisation types between 0x1000 and 0xffff are application defined
-and types between 0x0000 and 0x0fff are reserved for library use.
-Currently these are not used and must be zero.
-</p></dd>
-<dt><span class="term"><code class="constant">authlen</code></span></dt>
-<dd><p>
-gives the length of the authentication data.
-Since packet authentication is currently not used, this must be zero.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-The following opcodes are currently defined:
-</p>
-<div class="variablelist"><dl>
-<dt><span class="term"><code class="constant">NOOP</code></span></dt>
-<dd><p>
-Success is always returned and the packet contents are echoed.
-The lwres_noop_*() functions should be used for this type.
-</p></dd>
-<dt><span class="term"><code class="constant">GETADDRSBYNAME</code></span></dt>
-<dd><p>
-returns all known addresses for a given name.
-The lwres_gabn_*() functions should be used for this type.
-</p></dd>
-<dt><span class="term"><code class="constant">GETNAMEBYADDR</code></span></dt>
-<dd><p>
-return the hostname for the given address.
-The lwres_gnba_*() functions should be used for this type.
-</p></dd>
-</dl></div>
-<p>
-</p>
-<p>
-<code class="function">lwres_lwpacket_renderheader()</code> transfers the
-contents of lightweight resolver packet structure
-<span class="type">lwres_lwpacket_t</span> <em class="parameter"><code>*pkt</code></em> in network
-byte order to the lightweight resolver buffer,
-<em class="parameter"><code>*b</code></em>.
-</p>
-<p>
-<code class="function">lwres_lwpacket_parseheader()</code> performs the
-converse operation. It transfers data in network byte order from
-buffer <em class="parameter"><code>*b</code></em> to resolver packet
-<em class="parameter"><code>*pkt</code></em>. The contents of the buffer
-<em class="parameter"><code>b</code></em> should correspond to a
-<span class="type">lwres_lwpacket_t</span>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526068"></a><h2>RETURN VALUES</h2>
-<p> Successful calls to
-<code class="function">lwres_lwpacket_renderheader()</code> and
-<code class="function">lwres_lwpacket_parseheader()</code> return
-<span class="errorcode">LWRES_R_SUCCESS</span>. If there is insufficient
-space to copy data between the buffer <em class="parameter"><code>*b</code></em> and
-lightweight resolver packet <em class="parameter"><code>*pkt</code></em> both functions
-return <span class="errorcode">LWRES_R_UNEXPECTEDEND</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.3 b/contrib/bind9/lib/lwres/man/lwres_resutil.3
deleted file mode 100644
index 5d4cfc050c94..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-.\" PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" $Id: lwres_resutil.3,v 1.14.2.1.8.5 2005/10/13 02:33:54 marka Exp $
-.\"
-.hy 0
-.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" "BIND9"
-.\" disable hyphenation
-.nh
-.\" disable justification (adjust text to left margin only)
-.ad l
-.SH "NAME"
-lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions
-.SH "SYNOPSIS"
-.nf
-#include <lwres/lwres.h>
-.fi
-.HP 34
-\fBlwres_result_t\ \fBlwres_string_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBchar\ **c\fR\fB, \fR\fBlwres_uint16_t\ *len\fR\fB);\fR
-.HP 32
-\fBlwres_result_t\ \fBlwres_addr_parse\fR\fR\fB(\fR\fBlwres_buffer_t\ *b\fR\fB, \fR\fBlwres_addr_t\ *addr\fR\fB);\fR
-.HP 36
-\fBlwres_result_t\ \fBlwres_getaddrsbyname\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBconst\ char\ *name\fR\fB, \fR\fBlwres_uint32_t\ addrtypes\fR\fB, \fR\fBlwres_gabnresponse_t\ **structp\fR\fB);\fR
-.HP 35
-\fBlwres_result_t\ \fBlwres_getnamebyaddr\fR\fR\fB(\fR\fBlwres_context_t\ *ctx\fR\fB, \fR\fBlwres_uint32_t\ addrtype\fR\fB, \fR\fBlwres_uint16_t\ addrlen\fR\fB, \fR\fBconst\ unsigned\ char\ *addr\fR\fB, \fR\fBlwres_gnbaresponse_t\ **structp\fR\fB);\fR
-.SH "DESCRIPTION"
-.PP
-\fBlwres_string_parse()\fR
-retrieves a DNS\-encoded string starting the current pointer of lightweight resolver buffer
-\fIb\fR: i.e.
-\fBb\->current\fR. When the function returns, the address of the first byte of the encoded string is returned via
-\fI*c\fR
-and the length of that string is given by
-\fI*len\fR. The buffer's current pointer is advanced to point at the character following the string length, the encoded string, and the trailing
-\fBNULL\fR
-character.
-.PP
-\fBlwres_addr_parse()\fR
-extracts an address from the buffer
-\fIb\fR. The buffer's current pointer
-\fBb\->current\fR
-is presumed to point at an encoded address: the address preceded by a 32\-bit protocol family identifier and a 16\-bit length field. The encoded address is copied to
-\fBaddr\->address\fR
-and
-\fBaddr\->length\fR
-indicates the size in bytes of the address that was copied.
-\fBb\->current\fR
-is advanced to point at the next byte of available data in the buffer following the encoded address.
-.PP
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR
-use the
-\fBlwres_gnbaresponse_t\fR
-structure defined below:
-.sp
-.nf
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-.fi
-.sp
-The contents of this structure are not manipulated directly but they are controlled through the
-\fBlwres_gabn\fR(3 )
-functions.
-.PP
-The lightweight resolver uses
-\fBlwres_getaddrsbyname()\fR
-to perform foward lookups. Hostname
-\fIname\fR
-is looked up using the resolver context
-\fIctx\fR
-for memory allocation.
-\fIaddrtypes\fR
-is a bitmask indicating which type of addresses are to be looked up. Current values for this bitmask are
-\fBLWRES_ADDRTYPE_V4\fR
-for IPv4 addresses and
-\fBLWRES_ADDRTYPE_V6\fR
-for IPv6 addresses. Results of the lookup are returned in
-\fI*structp\fR.
-.PP
-\fBlwres_getnamebyaddr()\fR
-performs reverse lookups. Resolver context
-\fIctx\fR
-is used for memory allocation. The address type is indicated by
-\fIaddrtype\fR:
-\fBLWRES_ADDRTYPE_V4\fR
-or
-\fBLWRES_ADDRTYPE_V6\fR. The address to be looked up is given by
-\fIaddr\fR
-and its length is
-\fIaddrlen\fR
-bytes. The result of the function call is made available through
-\fI*structp\fR.
-.SH "RETURN VALUES"
-.PP
-Successful calls to
-\fBlwres_string_parse()\fR
-and
-\fBlwres_addr_parse()\fR
-return
-\fBLWRES_R_SUCCESS.\fR
-Both functions return
-\fBLWRES_R_FAILURE\fR
-if the buffer is corrupt or
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffer has less space than expected for the components of the encoded string or address.
-.PP
-\fBlwres_getaddrsbyname()\fR
-returns
-\fBLWRES_R_SUCCESS\fR
-on success and it returns
-\fBLWRES_R_NOTFOUND\fR
-if the hostname
-\fIname\fR
-could not be found.
-.PP
-\fBLWRES_R_SUCCESS\fR
-is returned by a successful call to
-\fBlwres_getnamebyaddr()\fR.
-.PP
-Both
-\fBlwres_getaddrsbyname()\fR
-and
-\fBlwres_getnamebyaddr()\fR
-return
-\fBLWRES_R_NOMEMORY\fR
-when memory allocation requests fail and
-\fBLWRES_R_UNEXPECTEDEND\fR
-if the buffers used for sending queries and receiving replies are too small.
-.SH "SEE ALSO"
-.PP
-\fBlwres_buffer\fR(3),
-\fBlwres_gabn\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
deleted file mode 100644
index 7ab2146b40b7..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
+++ /dev/null
@@ -1,236 +0,0 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
- [<!ENTITY mdash "&#8212;">]>
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-
-<!-- $Id: lwres_resutil.docbook,v 1.5.206.3 2005/05/12 21:36:16 sra Exp $ -->
-
-<refentry>
-
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
-
-<refmeta>
- <refentrytitle>lwres_resutil</refentrytitle>
- <manvolnum>3</manvolnum>
- <refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
-
- <docinfo>
- <copyright>
- <year>2004</year>
- <year>2005</year>
- <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
- </copyright>
- <copyright>
- <year>2000</year>
- <year>2001</year>
- <holder>Internet Software Consortium.</holder>
- </copyright>
- </docinfo>
-
-<refnamediv>
-<refname>lwres_string_parse</refname>
-<refname>lwres_addr_parse</refname>
-<refname>lwres_getaddrsbyname</refname>
-<refname>lwres_getnamebyaddr</refname>
-<refpurpose>lightweight resolver utility functions</refpurpose>
-</refnamediv>
-<refsynopsisdiv>
-<funcsynopsis>
-<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_string_parse</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>char **c</paramdef>
-<paramdef>lwres_uint16_t *len</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_addr_parse</function></funcdef>
-<paramdef>lwres_buffer_t *b</paramdef>
-<paramdef>lwres_addr_t *addr</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_getaddrsbyname</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>const char *name</paramdef>
-<paramdef>lwres_uint32_t addrtypes</paramdef>
-<paramdef>lwres_gabnresponse_t **structp</paramdef>
-</funcprototype>
-<funcprototype>
-<funcdef>
-lwres_result_t
-<function>lwres_getnamebyaddr</function></funcdef>
-<paramdef>lwres_context_t *ctx</paramdef>
-<paramdef>lwres_uint32_t addrtype</paramdef>
-<paramdef>lwres_uint16_t addrlen</paramdef>
-<paramdef>const unsigned char *addr</paramdef>
-<paramdef>lwres_gnbaresponse_t **structp</paramdef>
-</funcprototype>
-</funcsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-
-<para>
-<function>lwres_string_parse()</function> retrieves a DNS-encoded
-string starting the current pointer of lightweight resolver buffer
-<parameter>b</parameter>: i.e. <constant>b-&gt;current</constant>.
-When the function returns, the address of the first byte of the
-encoded string is returned via <parameter>*c</parameter> and the
-length of that string is given by <parameter>*len</parameter>. The
-buffer's current pointer is advanced to point at the character
-following the string length, the encoded string, and the trailing
-<type>NULL</type> character.
-</para>
-
-<para>
-<function>lwres_addr_parse()</function> extracts an address from the
-buffer <parameter>b</parameter>. The buffer's current pointer
-<constant>b-&gt;current</constant> is presumed to point at an encoded
-address: the address preceded by a 32-bit protocol family identifier
-and a 16-bit length field. The encoded address is copied to
-<constant>addr-&gt;address</constant> and
-<constant>addr-&gt;length</constant> indicates the size in bytes of
-the address that was copied. <constant>b-&gt;current</constant> is
-advanced to point at the next byte of available data in the buffer
-following the encoded address.
-</para>
-
-<para>
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>
-use the
-<type>lwres_gnbaresponse_t</type>
-structure defined below:
-<programlisting>
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-</programlisting>
-The contents of this structure are not manipulated directly but
-they are controlled through the
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3
-</manvolnum>
-</citerefentry>
-functions.
-</para>
-
-<para>
-The lightweight resolver uses
-<function>lwres_getaddrsbyname()</function> to perform foward lookups.
-Hostname <parameter>name</parameter> is looked up using the resolver
-context <parameter>ctx</parameter> for memory allocation.
-<parameter>addrtypes</parameter> is a bitmask indicating which type of
-addresses are to be looked up. Current values for this bitmask are
-<type>LWRES_ADDRTYPE_V4</type> for IPv4 addresses and
-<type>LWRES_ADDRTYPE_V6</type> for IPv6 addresses. Results of the
-lookup are returned in <parameter>*structp</parameter>.
-</para>
-
-<para>
-<function>lwres_getnamebyaddr()</function> performs reverse lookups.
-Resolver context <parameter>ctx</parameter> is used for memory
-allocation. The address type is indicated by
-<parameter>addrtype</parameter>: <type>LWRES_ADDRTYPE_V4</type> or
-<type>LWRES_ADDRTYPE_V6</type>. The address to be looked up is given
-by <parameter>addr</parameter> and its length is
-<parameter>addrlen</parameter> bytes. The result of the function call
-is made available through <parameter>*structp</parameter>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>RETURN VALUES</title>
-<para>
-Successful calls to
-<function>lwres_string_parse()</function>
-and
-<function>lwres_addr_parse()</function>
-return
-<errorcode>LWRES_R_SUCCESS.</errorcode>
-Both functions return
-<errorcode>LWRES_R_FAILURE</errorcode>
-if the buffer is corrupt or
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffer has less space than expected for the components of the
-encoded string or address.
-</para>
-<para>
-<function>lwres_getaddrsbyname()</function>
-returns
-<errorcode>LWRES_R_SUCCESS</errorcode>
-on success and it returns
-<errorcode>LWRES_R_NOTFOUND</errorcode>
-if the hostname
-<parameter>name</parameter>
-could not be found.
-</para>
-<para>
-<errorcode>LWRES_R_SUCCESS</errorcode>
-is returned by a successful call to
-<function>lwres_getnamebyaddr()</function>.
-</para>
-
-<para>
-Both
-<function>lwres_getaddrsbyname()</function>
-and
-<function>lwres_getnamebyaddr()</function>
-return
-<errorcode>LWRES_R_NOMEMORY</errorcode>
-when memory allocation requests fail and
-<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
-if the buffers used for sending queries and receiving replies are too
-small.
-</para>
-
-</refsect1>
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>,
-
-<citerefentry>
-<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.html b/contrib/bind9/lib/lwres/man/lwres_resutil.html
deleted file mode 100644
index 4cee0c7804d1..000000000000
--- a/contrib/bind9/lib/lwres/man/lwres_resutil.html
+++ /dev/null
@@ -1,255 +0,0 @@
-<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
--->
-<!-- $Id: lwres_resutil.html,v 1.8.2.1.4.9 2005/10/13 02:33:58 marka Exp $ -->
-<html>
-<head>
-<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
-<title>lwres_resutil</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
-</head>
-<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2463721"></a><div class="titlepage"></div>
-<div class="refnamediv">
-<h2>Name</h2>
-<p>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr &#8212; lightweight resolver utility functions</p>
-</div>
-<div class="refsynopsisdiv">
-<h2>Synopsis</h2>
-<div class="funcsynopsis">
-<pre class="funcsynopsisinfo">#include &lt;lwres/lwres.h&gt;</pre>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_string_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_addr_parse</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0" style="padding-bottom: 1em">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_getaddrsbyname</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-<table border="0" summary="Function synopsis" cellspacing="0" cellpadding="0">
-<tr>
-<td><code class="funcdef">
-lwres_result_t
-<b class="fsfunc">lwres_getnamebyaddr</b>(</code></td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>, </td>
-</tr>
-<tr>
-<td> </td>
-<td> </td>
-<td>
-<code>)</code>;</td>
-</tr>
-</table>
-</div>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2525921"></a><h2>DESCRIPTION</h2>
-<p>
-<code class="function">lwres_string_parse()</code> retrieves a DNS-encoded
-string starting the current pointer of lightweight resolver buffer
-<em class="parameter"><code>b</code></em>: i.e. <code class="constant">b-&gt;current</code>.
-When the function returns, the address of the first byte of the
-encoded string is returned via <em class="parameter"><code>*c</code></em> and the
-length of that string is given by <em class="parameter"><code>*len</code></em>. The
-buffer's current pointer is advanced to point at the character
-following the string length, the encoded string, and the trailing
-<span class="type">NULL</span> character.
-</p>
-<p>
-<code class="function">lwres_addr_parse()</code> extracts an address from the
-buffer <em class="parameter"><code>b</code></em>. The buffer's current pointer
-<code class="constant">b-&gt;current</code> is presumed to point at an encoded
-address: the address preceded by a 32-bit protocol family identifier
-and a 16-bit length field. The encoded address is copied to
-<code class="constant">addr-&gt;address</code> and
-<code class="constant">addr-&gt;length</code> indicates the size in bytes of
-the address that was copied. <code class="constant">b-&gt;current</code> is
-advanced to point at the next byte of available data in the buffer
-following the encoded address.
-</p>
-<p>
-<code class="function">lwres_getaddrsbyname()</code>
-and
-<code class="function">lwres_getnamebyaddr()</code>
-use the
-<span class="type">lwres_gnbaresponse_t</span>
-structure defined below:
-</p>
-<pre class="programlisting">
-typedef struct {
- lwres_uint32_t flags;
- lwres_uint16_t naliases;
- lwres_uint16_t naddrs;
- char *realname;
- char **aliases;
- lwres_uint16_t realnamelen;
- lwres_uint16_t *aliaslen;
- lwres_addrlist_t addrs;
- void *base;
- size_t baselen;
-} lwres_gabnresponse_t;
-</pre>
-<p>
-The contents of this structure are not manipulated directly but
-they are controlled through the
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3
-)</span>
-functions.
-</p>
-<p>
-The lightweight resolver uses
-<code class="function">lwres_getaddrsbyname()</code> to perform foward lookups.
-Hostname <em class="parameter"><code>name</code></em> is looked up using the resolver
-context <em class="parameter"><code>ctx</code></em> for memory allocation.
-<em class="parameter"><code>addrtypes</code></em> is a bitmask indicating which type of
-addresses are to be looked up. Current values for this bitmask are
-<span class="type">LWRES_ADDRTYPE_V4</span> for IPv4 addresses and
-<span class="type">LWRES_ADDRTYPE_V6</span> for IPv6 addresses. Results of the
-lookup are returned in <em class="parameter"><code>*structp</code></em>.
-</p>
-<p>
-<code class="function">lwres_getnamebyaddr()</code> performs reverse lookups.
-Resolver context <em class="parameter"><code>ctx</code></em> is used for memory
-allocation. The address type is indicated by
-<em class="parameter"><code>addrtype</code></em>: <span class="type">LWRES_ADDRTYPE_V4</span> or
-<span class="type">LWRES_ADDRTYPE_V6</span>. The address to be looked up is given
-by <em class="parameter"><code>addr</code></em> and its length is
-<em class="parameter"><code>addrlen</code></em> bytes. The result of the function call
-is made available through <em class="parameter"><code>*structp</code></em>.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526060"></a><h2>RETURN VALUES</h2>
-<p>
-Successful calls to
-<code class="function">lwres_string_parse()</code>
-and
-<code class="function">lwres_addr_parse()</code>
-return
-<span class="errorcode">LWRES_R_SUCCESS.</span>
-Both functions return
-<span class="errorcode">LWRES_R_FAILURE</span>
-if the buffer is corrupt or
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffer has less space than expected for the components of the
-encoded string or address.
-</p>
-<p>
-<code class="function">lwres_getaddrsbyname()</code>
-returns
-<span class="errorcode">LWRES_R_SUCCESS</span>
-on success and it returns
-<span class="errorcode">LWRES_R_NOTFOUND</span>
-if the hostname
-<em class="parameter"><code>name</code></em>
-could not be found.
-</p>
-<p>
-<span class="errorcode">LWRES_R_SUCCESS</span>
-is returned by a successful call to
-<code class="function">lwres_getnamebyaddr()</code>.
-</p>
-<p>
-Both
-<code class="function">lwres_getaddrsbyname()</code>
-and
-<code class="function">lwres_getnamebyaddr()</code>
-return
-<span class="errorcode">LWRES_R_NOMEMORY</span>
-when memory allocation requests fail and
-<span class="errorcode">LWRES_R_UNEXPECTEDEND</span>
-if the buffers used for sending queries and receiving replies are too
-small.
-</p>
-</div>
-<div class="refsect1" lang="en">
-<a name="id2526130"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">lwres_buffer</span>(3)</span>,
-
-<span class="citerefentry"><span class="refentrytitle">lwres_gabn</span>(3)</span>.
-</p>
-</div>
-</div></body>
-</html>
diff --git a/contrib/bind9/lib/lwres/print.c b/contrib/bind9/lib/lwres/print.c
deleted file mode 100644
index 15522284e5d5..000000000000
--- a/contrib/bind9/lib/lwres/print.c
+++ /dev/null
@@ -1,560 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print.c,v 1.2.4.7 2005/10/14 01:38:51 marka Exp $ */
-
-#include <config.h>
-
-#include <ctype.h>
-#include <stdio.h> /* for sprintf */
-#include <string.h>
-
-#define LWRES__PRINT_SOURCE /* Used to get the lwres_print_* prototypes. */
-
-#include <lwres/stdlib.h>
-
-#include "assert_p.h"
-#include "print_p.h"
-
-#define LWRES_PRINT_QUADFORMAT LWRES_PLATFORM_QUADFORMAT
-
-int
-lwres__print_sprintf(char *str, const char *format, ...) {
- va_list ap;
-
- va_start(ap, format);
- vsprintf(str, format, ap);
- va_end(ap);
- return (strlen(str));
-}
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-int
-lwres__print_snprintf(char *str, size_t size, const char *format, ...) {
- va_list ap;
- int ret;
-
- va_start(ap, format);
- ret = vsnprintf(str, size, format, ap);
- va_end(ap);
- return (ret);
-
-}
-
-/*
- * Return length of string that would have been written if not truncated.
- */
-
-int
-lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
- int h;
- int l;
- int q;
- int alt;
- int zero;
- int left;
- int plus;
- int space;
- long long tmpi;
- unsigned long long tmpui;
- unsigned long width;
- unsigned long precision;
- unsigned int length;
- char buf[1024];
- char c;
- void *v;
- char *save = str;
- const char *cp;
- const char *head;
- int count = 0;
- int pad;
- int zeropad;
- int dot;
- double dbl;
-#ifdef HAVE_LONG_DOUBLE
- long double ldbl;
-#endif
- char fmt[32];
-
- INSIST(str != NULL);
- INSIST(format != NULL);
-
- while (*format != '\0') {
- if (*format != '%') {
- if (size > 1U) {
- *str++ = *format;
- size--;
- }
- count++;
- format++;
- continue;
- }
- format++;
-
- /*
- * Reset flags.
- */
- dot = space = plus = left = zero = alt = h = l = q = 0;
- width = precision = 0;
- head = "";
- length = pad = zeropad = 0;
-
- do {
- if (*format == '#') {
- alt = 1;
- format++;
- } else if (*format == '-') {
- left = 1;
- zero = 0;
- format++;
- } else if (*format == ' ') {
- if (!plus)
- space = 1;
- format++;
- } else if (*format == '+') {
- plus = 1;
- space = 0;
- format++;
- } else if (*format == '0') {
- if (!left)
- zero = 1;
- format++;
- } else
- break;
- } while (1);
-
- /*
- * Width.
- */
- if (*format == '*') {
- width = va_arg(ap, int);
- format++;
- } else if (isdigit((unsigned char)*format)) {
- char *e;
- width = strtoul(format, &e, 10);
- format = e;
- }
-
- /*
- * Precision.
- */
- if (*format == '.') {
- format++;
- dot = 1;
- if (*format == '*') {
- precision = va_arg(ap, int);
- format++;
- } else if (isdigit((unsigned char)*format)) {
- char *e;
- precision = strtoul(format, &e, 10);
- format = e;
- }
- }
-
- switch (*format) {
- case '\0':
- continue;
- case '%':
- if (size > 1U) {
- *str++ = *format;
- size--;
- }
- count++;
- break;
- case 'q':
- q = 1;
- format++;
- goto doint;
- case 'h':
- h = 1;
- format++;
- goto doint;
- case 'l':
- l = 1;
- format++;
- if (*format == 'l') {
- q = 1;
- format++;
- }
- goto doint;
- case 'n':
- case 'i':
- case 'd':
- case 'o':
- case 'u':
- case 'x':
- case 'X':
- doint:
- if (precision != 0U)
- zero = 0;
- switch (*format) {
- case 'n':
- if (h) {
- short int *p;
- p = va_arg(ap, short *);
- REQUIRE(p != NULL);
- *p = str - save;
- } else if (l) {
- long int *p;
- p = va_arg(ap, long *);
- REQUIRE(p != NULL);
- *p = str - save;
- } else {
- int *p;
- p = va_arg(ap, int *);
- REQUIRE(p != NULL);
- *p = str - save;
- }
- break;
- case 'i':
- case 'd':
- if (q)
- tmpi = va_arg(ap, long long int);
- else if (l)
- tmpi = va_arg(ap, long int);
- else
- tmpi = va_arg(ap, int);
- if (tmpi < 0) {
- head = "-";
- tmpui = -tmpi;
- } else {
- if (plus)
- head = "+";
- else if (space)
- head = " ";
- else
- head = "";
- tmpui = tmpi;
- }
- sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "u",
- tmpui);
- goto printint;
- case 'o':
- if (q)
- tmpui = va_arg(ap,
- unsigned long long int);
- else if (l)
- tmpui = va_arg(ap, long int);
- else
- tmpui = va_arg(ap, int);
- sprintf(buf,
- alt ? "%#" LWRES_PRINT_QUADFORMAT "o"
- : "%" LWRES_PRINT_QUADFORMAT "o",
- tmpui);
- goto printint;
- case 'u':
- if (q)
- tmpui = va_arg(ap,
- unsigned long long int);
- else if (l)
- tmpui = va_arg(ap, unsigned long int);
- else
- tmpui = va_arg(ap, unsigned int);
- sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "u",
- tmpui);
- goto printint;
- case 'x':
- if (q)
- tmpui = va_arg(ap,
- unsigned long long int);
- else if (l)
- tmpui = va_arg(ap, unsigned long int);
- else
- tmpui = va_arg(ap, unsigned int);
- if (alt) {
- head = "0x";
- if (precision > 2U)
- precision -= 2;
- }
- sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "x",
- tmpui);
- goto printint;
- case 'X':
- if (q)
- tmpui = va_arg(ap,
- unsigned long long int);
- else if (l)
- tmpui = va_arg(ap, unsigned long int);
- else
- tmpui = va_arg(ap, unsigned int);
- if (alt) {
- head = "0X";
- if (precision > 2U)
- precision -= 2;
- }
- sprintf(buf, "%" LWRES_PRINT_QUADFORMAT "X",
- tmpui);
- goto printint;
- printint:
- if (precision != 0U || width != 0U) {
- length = strlen(buf);
- if (length < precision)
- zeropad = precision - length;
- else if (length < width && zero)
- zeropad = width - length;
- if (width != 0U) {
- pad = width - length -
- zeropad - strlen(head);
- if (pad < 0)
- pad = 0;
- }
- }
- count += strlen(head) + strlen(buf) + pad +
- zeropad;
- if (!left) {
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- }
- cp = head;
- while (*cp != '\0' && size > 1U) {
- *str++ = *cp++;
- size--;
- }
- while (zeropad > 0 && size > 1U) {
- *str++ = '0';
- size--;
- zeropad--;
- }
- cp = buf;
- while (*cp != '\0' && size > 1U) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- default:
- break;
- }
- break;
- case 's':
- cp = va_arg(ap, char *);
- REQUIRE(cp != NULL);
-
- if (precision != 0U) {
- /*
- * cp need not be NULL terminated.
- */
- const char *tp;
- unsigned long n;
-
- n = precision;
- tp = cp;
- while (n != 0U && *tp != '\0')
- n--, tp++;
- length = precision - n;
- } else {
- length = strlen(cp);
- }
- if (width != 0U) {
- pad = width - length;
- if (pad < 0)
- pad = 0;
- }
- count += pad + length;
- if (!left)
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- if (precision != 0U)
- while (precision > 0U && *cp != '\0' &&
- size > 1U) {
- *str++ = *cp++;
- size--;
- precision--;
- }
- else
- while (*cp != '\0' && size > 1U) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- case 'c':
- c = va_arg(ap, int);
- if (width > 0U) {
- count += width;
- width--;
- if (left) {
- *str++ = c;
- size--;
- }
- while (width-- > 0U && size > 1U) {
- *str++ = ' ';
- size--;
- }
- if (!left && size > 1U) {
- *str++ = c;
- size--;
- }
- } else {
- count++;
- if (size > 1U) {
- *str++ = c;
- size--;
- }
- }
- break;
- case 'p':
- v = va_arg(ap, void *);
- sprintf(buf, "%p", v);
- length = strlen(buf);
- if (precision > length)
- zeropad = precision - length;
- if (width > 0U) {
- pad = width - length - zeropad;
- if (pad < 0)
- pad = 0;
- }
- count += length + pad + zeropad;
- if (!left)
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- cp = buf;
- if (zeropad > 0 && buf[0] == '0' &&
- (buf[1] == 'x' || buf[1] == 'X')) {
- if (size > 1U) {
- *str++ = *cp++;
- size--;
- }
- if (size > 1U) {
- *str++ = *cp++;
- size--;
- }
- while (zeropad > 0 && size > 1U) {
- *str++ = '0';
- size--;
- zeropad--;
- }
- }
- while (*cp != '\0' && size > 1U) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- case 'D': /*deprecated*/
- INSIST("use %ld instead of %D" == NULL);
- case 'O': /*deprecated*/
- INSIST("use %lo instead of %O" == NULL);
- case 'U': /*deprecated*/
- INSIST("use %lu instead of %U" == NULL);
-
- case 'L':
-#ifdef HAVE_LONG_DOUBLE
- l = 1;
-#else
- INSIST("long doubles are not supported" == NULL);
-#endif
- /*FALLTHROUGH*/
- case 'e':
- case 'E':
- case 'f':
- case 'g':
- case 'G':
- if (!dot)
- precision = 6;
- /*
- * IEEE floating point.
- * MIN 2.2250738585072014E-308
- * MAX 1.7976931348623157E+308
- * VAX floating point has a smaller range than IEEE.
- *
- * precisions > 324 don't make much sense.
- * if we cap the precision at 512 we will not
- * overflow buf.
- */
- if (precision > 512U)
- precision = 512;
- sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
- plus ? "+" : space ? " " : "",
- precision, l ? "L" : "", *format);
- switch (*format) {
- case 'e':
- case 'E':
- case 'f':
- case 'g':
- case 'G':
-#ifdef HAVE_LONG_DOUBLE
- if (l) {
- ldbl = va_arg(ap, long double);
- sprintf(buf, fmt, ldbl);
- } else
-#endif
- {
- dbl = va_arg(ap, double);
- sprintf(buf, fmt, dbl);
- }
- length = strlen(buf);
- if (width > 0U) {
- pad = width - length;
- if (pad < 0)
- pad = 0;
- }
- count += length + pad;
- if (!left)
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- cp = buf;
- while (*cp != ' ' && size > 1U) {
- *str++ = *cp++;
- size--;
- }
- while (pad > 0 && size > 1U) {
- *str++ = ' ';
- size--;
- pad--;
- }
- break;
- default:
- continue;
- }
- break;
- default:
- continue;
- }
- format++;
- }
- if (size > 0U)
- *str = '\0';
- return (count);
-}
diff --git a/contrib/bind9/lib/lwres/print_p.h b/contrib/bind9/lib/lwres/print_p.h
deleted file mode 100644
index 4e27e5519de8..000000000000
--- a/contrib/bind9/lib/lwres/print_p.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: print_p.h,v 1.2.4.1 2004/08/28 06:25:25 marka Exp $ */
-
-#ifndef LWRES_PRINT_P_H
-#define LWRES_PRINT_P_H 1
-
-/***
- *** Imports
- ***/
-
-#include <lwres/lang.h>
-#include <lwres/platform.h>
-
-/*
- * This block allows lib/lwres/print.c to be cleanly compiled even if
- * the platform does not need it. The standard Makefile will still
- * not compile print.c or archive print.o, so this is just to make test
- * compilation ("make print.o") easier.
- */
-#if !defined(LWRES_PLATFORM_NEEDVSNPRINTF) && defined(LWRES__PRINT_SOURCE)
-#define LWRES_PLATFORM_NEEDVSNPRINTF
-#endif
-
-#if !defined(LWRES_PLATFORM_NEEDSPRINTF) && defined(LWRES__PRINT_SOURCE)
-#define LWRES_PLATFORM_NEEDSPRINTF
-#endif
-
-/***
- *** Macros.
- ***/
-
-#ifdef __GNUC__
-#define LWRES_FORMAT_PRINTF(fmt, args) \
- __attribute__((__format__(__printf__, fmt, args)))
-#else
-#define LWRES_FORMAT_PRINTF(fmt, args)
-#endif
-
-/***
- *** Functions
- ***/
-
-#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
-#include <stdarg.h>
-#include <stddef.h>
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
-int
-lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
- LWRES_FORMAT_PRINTF(3, 0);
-#define vsnprintf lwres__print_vsnprintf
-
-int
-lwres__print_snprintf(char *str, size_t size, const char *format, ...)
- LWRES_FORMAT_PRINTF(3, 4);
-#define snprintf lwres__print_snprintf
-#endif /* LWRES_PLATFORM_NEEDVSNPRINTF */
-
-#ifdef LWRES_PLATFORM_NEEDSPRINTF
-int
-lwres__print_sprintf(char *str, const char *format, ...) LWRES_FORMAT_PRINTF(2, 3);
-#define sprintf lwres__print_sprintf
-#endif
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_PRINT_P_H */
diff --git a/contrib/bind9/lib/lwres/strtoul.c b/contrib/bind9/lib/lwres/strtoul.c
deleted file mode 100644
index 9cda1947724a..000000000000
--- a/contrib/bind9/lib/lwres/strtoul.c
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Copyright (c) 1990, 1993
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*! \file */
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-
-/* $Id: strtoul.c,v 1.2.4.1 2005/06/08 02:08:31 marka Exp $ */
-
-#include <config.h>
-
-#include <limits.h>
-#include <ctype.h>
-#include <errno.h>
-
-#include <lwres/stdlib.h>
-
-#define DE_CONST(konst, var) \
- do { \
- union { const void *k; void *v; } _u; \
- _u.k = konst; \
- var = _u.v; \
- } while (0)
-
-/*!
- * Convert a string to an unsigned long integer.
- *
- * Ignores `locale' stuff. Assumes that the upper and lower case
- * alphabets and digits are each contiguous.
- */
-unsigned long
-lwres_strtoul(const char *nptr, char **endptr, int base) {
- const char *s = nptr;
- unsigned long acc;
- unsigned char c;
- unsigned long cutoff;
- int neg = 0, any, cutlim;
-
- /*
- * See strtol for comments as to the logic used.
- */
- do {
- c = *s++;
- } while (isspace(c));
- if (c == '-') {
- neg = 1;
- c = *s++;
- } else if (c == '+')
- c = *s++;
- if ((base == 0 || base == 16) &&
- c == '0' && (*s == 'x' || *s == 'X')) {
- c = s[1];
- s += 2;
- base = 16;
- }
- if (base == 0)
- base = c == '0' ? 8 : 10;
- cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
- cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
- for (acc = 0, any = 0;; c = *s++) {
- if (!isascii(c))
- break;
- if (isdigit(c))
- c -= '0';
- else if (isalpha(c))
- c -= isupper(c) ? 'A' - 10 : 'a' - 10;
- else
- break;
- if (c >= base)
- break;
- if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
- any = -1;
- else {
- any = 1;
- acc *= base;
- acc += c;
- }
- }
- if (any < 0) {
- acc = ULONG_MAX;
- errno = ERANGE;
- } else if (neg)
- acc = -acc;
- if (endptr != 0)
- DE_CONST(any ? s - 1 : nptr, *endptr);
- return (acc);
-}
diff --git a/contrib/bind9/lib/lwres/unix/Makefile.in b/contrib/bind9/lib/lwres/unix/Makefile.in
deleted file mode 100644
index b734bc1ebaca..000000000000
--- a/contrib/bind9/lib/lwres/unix/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = include
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/unix/include/Makefile.in b/contrib/bind9/lib/lwres/unix/include/Makefile.in
deleted file mode 100644
index 8f3798e4e92b..000000000000
--- a/contrib/bind9/lib/lwres/unix/include/Makefile.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS = lwres
-TARGETS =
-
-@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
deleted file mode 100644
index e969f5043762..000000000000
--- a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
+++ /dev/null
@@ -1,34 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-HEADERS = net.h
-SUBDIRS =
-TARGETS =
-
-@BIND9_MAKE_RULES@
-
-installdirs:
- $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
-
-install:: installdirs
- for i in ${HEADERS}; do \
- ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/lwres ; \
- done
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/net.h b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
deleted file mode 100644
index b214de6b1ea4..000000000000
--- a/contrib/bind9/lib/lwres/unix/include/lwres/net.h
+++ /dev/null
@@ -1,130 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: net.h,v 1.3.12.3 2004/03/08 09:05:12 marka Exp $ */
-
-#ifndef LWRES_NET_H
-#define LWRES_NET_H 1
-
-/*****
- ***** Module Info
- *****/
-
-/*
- * Basic Networking Types
- *
- * This module is responsible for defining the following basic networking
- * types:
- *
- * struct in_addr
- * struct in6_addr
- * struct sockaddr
- * struct sockaddr_in
- * struct sockaddr_in6
- *
- * It ensures that the AF_ and PF_ macros are defined.
- *
- * It declares ntoh[sl]() and hton[sl]().
- *
- * It declares lwres_net_aton(), lwres_net_ntop(), and lwres_net_pton().
- *
- * It ensures that INADDR_LOOPBACK, INADDR_ANY and IN6ADDR_ANY_INIT
- * are defined.
- */
-
-/***
- *** Imports.
- ***/
-
-#include <lwres/platform.h> /* Required for LWRES_PLATFORM_*. */
-
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/socket.h> /* Contractual promise. */
-#include <sys/ioctl.h>
-#include <sys/time.h>
-#include <sys/un.h>
-
-#include <netinet/in.h> /* Contractual promise. */
-#include <arpa/inet.h> /* Contractual promise. */
-#ifdef LWRES_PLATFORM_NEEDNETINETIN6H
-#include <netinet/in6.h> /* Required on UnixWare. */
-#endif
-#ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
-#include <netinet6/in6.h> /* Required on BSD/OS for in6_pktinfo. */
-#endif
-#include <net/if.h>
-
-#include <lwres/lang.h>
-
-#ifndef LWRES_PLATFORM_HAVEIPV6
-#include <lwres/ipv6.h> /* Contractual promise. */
-#endif
-
-#ifdef LWRES_PLATFORM_HAVEINADDR6
-#define in6_addr in_addr6 /* Required for pre RFC2133 implementations. */
-#endif
-
-/*
- * Required for some pre RFC2133 implementations.
- * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
- * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
- * If 's6_addr' is defined then assume that there is a union and three
- * levels otherwise assume two levels required.
- */
-#ifndef IN6ADDR_ANY_INIT
-#ifdef s6_addr
-#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
-#else
-#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
-#endif
-#endif
-
-#ifndef IN6ADDR_LOOPBACK_INIT
-#ifdef s6_addr
-#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
-#else
-#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
-#endif
-#endif
-
-#ifndef AF_INET6
-#define AF_INET6 99
-#endif
-
-#ifndef PF_INET6
-#define PF_INET6 AF_INET6
-#endif
-
-#ifndef INADDR_LOOPBACK
-#define INADDR_LOOPBACK 0x7f000001UL
-#endif
-
-LWRES_LANG_BEGINDECLS
-
-const char *
-lwres_net_ntop(int af, const void *src, char *dst, size_t size);
-
-int
-lwres_net_pton(int af, const char *src, void *dst);
-
-int
-lwres_net_aton(const char *cp, struct in_addr *addr);
-
-LWRES_LANG_ENDDECLS
-
-#endif /* LWRES_NET_H */
diff --git a/contrib/bind9/lib/lwres/version.c b/contrib/bind9/lib/lwres/version.c
deleted file mode 100644
index ac3e6c8089e1..000000000000
--- a/contrib/bind9/lib/lwres/version.c
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $Id: version.c,v 1.6.12.3 2004/03/08 09:05:11 marka Exp $ */
-
-#include <lwres/version.h>
-
-const char lwres_version[] = VERSION;
-
-const unsigned int lwres_libinterface = LIBINTERFACE;
-const unsigned int lwres_librevision = LIBREVISION;
-const unsigned int lwres_libage = LIBAGE;
diff --git a/contrib/bind9/libtool.m4 b/contrib/bind9/libtool.m4
deleted file mode 100644
index c3b71e893267..000000000000
--- a/contrib/bind9/libtool.m4
+++ /dev/null
@@ -1,6000 +0,0 @@
-# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
-## Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004
-## Free Software Foundation, Inc.
-## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-##
-## This program is free software; you can redistribute it and/or modify
-## it under the terms of the GNU General Public License as published by
-## the Free Software Foundation; either version 2 of the License, or
-## (at your option) any later version.
-##
-## This program is distributed in the hope that it will be useful, but
-## WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-## General Public License for more details.
-##
-## You should have received a copy of the GNU General Public License
-## along with this program; if not, write to the Free Software
-## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-##
-## As a special exception to the GNU General Public License, if you
-## distribute this file as part of a program that contains a
-## configuration script generated by Autoconf, you may include it under
-## the same distribution terms that you use for the rest of that program.
-
-# serial 47 AC_PROG_LIBTOOL
-
-
-# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
-# -----------------------------------------------------------
-# If this macro is not defined by Autoconf, define it here.
-m4_ifdef([AC_PROVIDE_IFELSE],
- [],
- [m4_define([AC_PROVIDE_IFELSE],
- [m4_ifdef([AC_PROVIDE_$1],
- [$2], [$3])])])
-
-
-# AC_PROG_LIBTOOL
-# ---------------
-AC_DEFUN([AC_PROG_LIBTOOL],
-[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
-dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
-dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
- AC_PROVIDE_IFELSE([AC_PROG_CXX],
- [AC_LIBTOOL_CXX],
- [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
- ])])
-dnl And a similar setup for Fortran 77 support
- AC_PROVIDE_IFELSE([AC_PROG_F77],
- [AC_LIBTOOL_F77],
- [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
-])])
-
-dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
-dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
-dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
- AC_PROVIDE_IFELSE([AC_PROG_GCJ],
- [AC_LIBTOOL_GCJ],
- [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
- [AC_LIBTOOL_GCJ],
- [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
- [AC_LIBTOOL_GCJ],
- [ifdef([AC_PROG_GCJ],
- [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
- ifdef([A][M_PROG_GCJ],
- [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
- ifdef([LT_AC_PROG_GCJ],
- [define([LT_AC_PROG_GCJ],
- defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
-])])# AC_PROG_LIBTOOL
-
-
-# _AC_PROG_LIBTOOL
-# ----------------
-AC_DEFUN([_AC_PROG_LIBTOOL],
-[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
-AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
-
-# This can be used to rebuild libtool when needed
-LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
-
-# Always use our own libtool.
-LIBTOOL='$(SHELL) $(top_builddir)/libtool'
-AC_SUBST(LIBTOOL)dnl
-
-# Prevent multiple expansion
-define([AC_PROG_LIBTOOL], [])
-])# _AC_PROG_LIBTOOL
-
-
-# AC_LIBTOOL_SETUP
-# ----------------
-AC_DEFUN([AC_LIBTOOL_SETUP],
-[AC_PREREQ(2.50)dnl
-AC_REQUIRE([AC_ENABLE_SHARED])dnl
-AC_REQUIRE([AC_ENABLE_STATIC])dnl
-AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_PROG_LD])dnl
-AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
-AC_REQUIRE([AC_PROG_NM])dnl
-
-AC_REQUIRE([AC_PROG_LN_S])dnl
-AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
-# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
-AC_REQUIRE([AC_OBJEXT])dnl
-AC_REQUIRE([AC_EXEEXT])dnl
-dnl
-
-AC_LIBTOOL_SYS_MAX_CMD_LEN
-AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-AC_LIBTOOL_OBJDIR
-
-AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
-_LT_AC_PROG_ECHO_BACKSLASH
-
-case $host_os in
-aix3*)
- # AIX sometimes has problems with the GCC collect2 program. For some
- # reason, if we set the COLLECT_NAMES environment variable, the problems
- # vanish in a puff of smoke.
- if test "X${COLLECT_NAMES+set}" != Xset; then
- COLLECT_NAMES=
- export COLLECT_NAMES
- fi
- ;;
-esac
-
-# Sed substitution that helps us do robust quoting. It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='sed -e s/^X//'
-[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
-
-# Same as above, but do not quote variable references.
-[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
-
-# Sed substitution to delay expansion of an escaped shell variable in a
-# double_quote_subst'ed string.
-delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
-
-# Sed substitution to avoid accidental globbing in evaled expressions
-no_glob_subst='s/\*/\\\*/g'
-
-# Constants:
-rm="rm -f"
-
-# Global variables:
-default_ofile=libtool
-can_build_shared=yes
-
-# All known linkers require a `.a' archive for static linking (except M$VC,
-# which needs '.lib').
-libext=a
-ltmain="$ac_aux_dir/ltmain.sh"
-ofile="$default_ofile"
-with_gnu_ld="$lt_cv_prog_gnu_ld"
-
-AC_CHECK_TOOL(AR, ar, false)
-AC_CHECK_TOOL(RANLIB, ranlib, :)
-AC_CHECK_TOOL(STRIP, strip, :)
-
-old_CC="$CC"
-old_CFLAGS="$CFLAGS"
-
-# Set sane defaults for various variables
-test -z "$AR" && AR=ar
-test -z "$AR_FLAGS" && AR_FLAGS=cru
-test -z "$AS" && AS=as
-test -z "$CC" && CC=cc
-test -z "$LTCC" && LTCC=$CC
-test -z "$DLLTOOL" && DLLTOOL=dlltool
-test -z "$LD" && LD=ld
-test -z "$LN_S" && LN_S="ln -s"
-test -z "$MAGIC_CMD" && MAGIC_CMD=file
-test -z "$NM" && NM=nm
-test -z "$SED" && SED=sed
-test -z "$OBJDUMP" && OBJDUMP=objdump
-test -z "$RANLIB" && RANLIB=:
-test -z "$STRIP" && STRIP=:
-test -z "$ac_objext" && ac_objext=o
-
-# Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
-old_postinstall_cmds='chmod 644 $oldlib'
-old_postuninstall_cmds=
-
-if test -n "$RANLIB"; then
- case $host_os in
- openbsd*)
- old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
- ;;
- *)
- old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
- ;;
- esac
- old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
-fi
-
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
-# Only perform the check for file, if the check method requires it
-case $deplibs_check_method in
-file_magic*)
- if test "$file_magic_cmd" = '$MAGIC_CMD'; then
- AC_PATH_MAGIC
- fi
- ;;
-esac
-
-AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
-AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
-enable_win32_dll=yes, enable_win32_dll=no)
-
-AC_ARG_ENABLE([libtool-lock],
- [AC_HELP_STRING([--disable-libtool-lock],
- [avoid locking (might break parallel builds)])])
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-AC_ARG_WITH([pic],
- [AC_HELP_STRING([--with-pic],
- [try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
- [pic_mode="$withval"],
- [pic_mode=default])
-test -z "$pic_mode" && pic_mode=default
-
-# Use C for the default configuration in the libtool script
-tagname=
-AC_LIBTOOL_LANG_C_CONFIG
-_LT_AC_TAGCONFIG
-])# AC_LIBTOOL_SETUP
-
-
-# _LT_AC_SYS_COMPILER
-# -------------------
-AC_DEFUN([_LT_AC_SYS_COMPILER],
-[AC_REQUIRE([AC_PROG_CC])dnl
-
-# If no C compiler was specified, use CC.
-LTCC=${LTCC-"$CC"}
-
-# Allow CC to be a program name with arguments.
-compiler=$CC
-])# _LT_AC_SYS_COMPILER
-
-
-# _LT_AC_SYS_LIBPATH_AIX
-# ----------------------
-# Links a minimal program and checks the executable
-# for the system default hardcoded library path. In most cases,
-# this is /usr/lib:/lib, but when the MPI compilers are used
-# the location of the communication and MPI libs are included too.
-# If we don't find anything, use the default library path according
-# to the aix ld manual.
-AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
-[AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`
-# Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
-}'`; fi],[])
-if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
-])# _LT_AC_SYS_LIBPATH_AIX
-
-
-# _LT_AC_SHELL_INIT(ARG)
-# ----------------------
-AC_DEFUN([_LT_AC_SHELL_INIT],
-[ifdef([AC_DIVERSION_NOTICE],
- [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
- [AC_DIVERT_PUSH(NOTICE)])
-$1
-AC_DIVERT_POP
-])# _LT_AC_SHELL_INIT
-
-
-# _LT_AC_PROG_ECHO_BACKSLASH
-# --------------------------
-# Add some code to the start of the generated configure script which
-# will find an echo command which doesn't interpret backslashes.
-AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
-[_LT_AC_SHELL_INIT([
-# Check that we are running under the correct shell.
-SHELL=${CONFIG_SHELL-/bin/sh}
-
-case X$ECHO in
-X*--fallback-echo)
- # Remove one level of quotation (which was required for Make).
- ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
- ;;
-esac
-
-echo=${ECHO-echo}
-if test "X[$]1" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
-elif test "X[$]1" = X--fallback-echo; then
- # Avoid inline document here, it may be left over
- :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
- # Yippee, $echo works!
- :
-else
- # Restart under the correct shell.
- exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
-fi
-
-if test "X[$]1" = X--fallback-echo; then
- # used as fallback echo
- shift
- cat <<EOF
-[$]*
-EOF
- exit 0
-fi
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-if test -z "$ECHO"; then
-if test "X${echo_test_string+set}" != Xset; then
-# find a string as large as possible, as long as the shell can cope with it
- for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
- # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
- if (echo_test_string="`eval $cmd`") 2>/dev/null &&
- echo_test_string="`eval $cmd`" &&
- (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
- then
- break
- fi
- done
-fi
-
-if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- :
-else
- # The Solaris, AIX, and Digital Unix default echo programs unquote
- # backslashes. This makes it impossible to quote backslashes using
- # echo "$something" | sed 's/\\/\\\\/g'
- #
- # So, first we look for a working echo in the user's PATH.
-
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for dir in $PATH /usr/ucb; do
- IFS="$lt_save_ifs"
- if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
- test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- echo="$dir/echo"
- break
- fi
- done
- IFS="$lt_save_ifs"
-
- if test "X$echo" = Xecho; then
- # We didn't find a better echo, so look for alternatives.
- if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # This shell has a builtin print -r that does the trick.
- echo='print -r'
- elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
- test "X$CONFIG_SHELL" != X/bin/ksh; then
- # If we have ksh, try running configure again with it.
- ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
- export ORIGINAL_CONFIG_SHELL
- CONFIG_SHELL=/bin/ksh
- export CONFIG_SHELL
- exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
- else
- # Try using printf.
- echo='printf %s\n'
- if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
- echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- # Cool, printf works
- :
- elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
- export CONFIG_SHELL
- SHELL="$CONFIG_SHELL"
- export SHELL
- echo="$CONFIG_SHELL [$]0 --fallback-echo"
- elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
- test "X$echo_testing_string" = 'X\t' &&
- echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
- test "X$echo_testing_string" = "X$echo_test_string"; then
- echo="$CONFIG_SHELL [$]0 --fallback-echo"
- else
- # maybe with a smaller string...
- prev=:
-
- for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
- if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
- then
- break
- fi
- prev="$cmd"
- done
-
- if test "$prev" != 'sed 50q "[$]0"'; then
- echo_test_string=`eval $prev`
- export echo_test_string
- exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
- else
- # Oops. We lost completely, so just stick with echo.
- echo=echo
- fi
- fi
- fi
- fi
-fi
-fi
-
-# Copy echo and quote the copy suitably for passing to libtool from
-# the Makefile, instead of quoting the original, which is used later.
-ECHO=$echo
-if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
- ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
-fi
-
-AC_SUBST(ECHO)
-])])# _LT_AC_PROG_ECHO_BACKSLASH
-
-
-# _LT_AC_LOCK
-# -----------
-AC_DEFUN([_LT_AC_LOCK],
-[AC_ARG_ENABLE([libtool-lock],
- [AC_HELP_STRING([--disable-libtool-lock],
- [avoid locking (might break parallel builds)])])
-test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
-
-# Some flags need to be propagated to the compiler or linker for good
-# libtool support.
-case $host in
-ia64-*-hpux*)
- # Find out which ABI we are using.
- echo 'int i;' > conftest.$ac_ext
- if AC_TRY_EVAL(ac_compile); then
- case `/usr/bin/file conftest.$ac_objext` in
- *ELF-32*)
- HPUX_IA64_MODE="32"
- ;;
- *ELF-64*)
- HPUX_IA64_MODE="64"
- ;;
- esac
- fi
- rm -rf conftest*
- ;;
-*-*-irix6*)
- # Find out which ABI we are using.
- echo '[#]line __oline__ "configure"' > conftest.$ac_ext
- if AC_TRY_EVAL(ac_compile); then
- if test "$lt_cv_prog_gnu_ld" = yes; then
- case `/usr/bin/file conftest.$ac_objext` in
- *32-bit*)
- LD="${LD-ld} -melf32bsmip"
- ;;
- *N32*)
- LD="${LD-ld} -melf32bmipn32"
- ;;
- *64-bit*)
- LD="${LD-ld} -melf64bmip"
- ;;
- esac
- else
- case `/usr/bin/file conftest.$ac_objext` in
- *32-bit*)
- LD="${LD-ld} -32"
- ;;
- *N32*)
- LD="${LD-ld} -n32"
- ;;
- *64-bit*)
- LD="${LD-ld} -64"
- ;;
- esac
- fi
- fi
- rm -rf conftest*
- ;;
-
-x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
- # Find out which ABI we are using.
- echo 'int i;' > conftest.$ac_ext
- if AC_TRY_EVAL(ac_compile); then
- case "`/usr/bin/file conftest.o`" in
- *32-bit*)
- case $host in
- x86_64-*linux*)
- LD="${LD-ld} -m elf_i386"
- ;;
- ppc64-*linux*|powerpc64-*linux*)
- LD="${LD-ld} -m elf32ppclinux"
- ;;
- s390x-*linux*)
- LD="${LD-ld} -m elf_s390"
- ;;
- sparc64-*linux*)
- LD="${LD-ld} -m elf32_sparc"
- ;;
- esac
- ;;
- *64-bit*)
- case $host in
- x86_64-*linux*)
- LD="${LD-ld} -m elf_x86_64"
- ;;
- ppc*-*linux*|powerpc*-*linux*)
- LD="${LD-ld} -m elf64ppc"
- ;;
- s390*-*linux*)
- LD="${LD-ld} -m elf64_s390"
- ;;
- sparc*-*linux*)
- LD="${LD-ld} -m elf64_sparc"
- ;;
- esac
- ;;
- esac
- fi
- rm -rf conftest*
- ;;
-
-*-*-sco3.2v5*)
- # On SCO OpenServer 5, we need -belf to get full-featured binaries.
- SAVE_CFLAGS="$CFLAGS"
- CFLAGS="$CFLAGS -belf"
- AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
- [AC_LANG_PUSH(C)
- AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
- AC_LANG_POP])
- if test x"$lt_cv_cc_needs_belf" != x"yes"; then
- # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
- CFLAGS="$SAVE_CFLAGS"
- fi
- ;;
-AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
-[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
- AC_CHECK_TOOL(DLLTOOL, dlltool, false)
- AC_CHECK_TOOL(AS, as, false)
- AC_CHECK_TOOL(OBJDUMP, objdump, false)
- ;;
- ])
-esac
-
-need_locks="$enable_libtool_lock"
-
-])# _LT_AC_LOCK
-
-
-# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
-# ----------------------------------------------------------------
-# Check whether the given compiler option works
-AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
-[AC_REQUIRE([LT_AC_PROG_SED])
-AC_CACHE_CHECK([$1], [$2],
- [$2=no
- ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
- lt_compiler_flag="$3"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- # The option is referenced via a variable to avoid confusing sed.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
- (eval "$lt_compile" 2>conftest.err)
- ac_status=$?
- cat conftest.err >&AS_MESSAGE_LOG_FD
- echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
- if (exit $ac_status) && test -s "$ac_outfile"; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s conftest.err; then
- $2=yes
- fi
- fi
- $rm conftest*
-])
-
-if test x"[$]$2" = xyes; then
- ifelse([$5], , :, [$5])
-else
- ifelse([$6], , :, [$6])
-fi
-])# AC_LIBTOOL_COMPILER_OPTION
-
-
-# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
-# [ACTION-SUCCESS], [ACTION-FAILURE])
-# ------------------------------------------------------------
-# Check whether the given compiler option works
-AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
-[AC_CACHE_CHECK([$1], [$2],
- [$2=no
- save_LDFLAGS="$LDFLAGS"
- LDFLAGS="$LDFLAGS $3"
- printf "$lt_simple_link_test_code" > conftest.$ac_ext
- if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test -s conftest.err; then
- # Append any errors to the config.log.
- cat conftest.err 1>&AS_MESSAGE_LOG_FD
- else
- $2=yes
- fi
- fi
- $rm conftest*
- LDFLAGS="$save_LDFLAGS"
-])
-
-if test x"[$]$2" = xyes; then
- ifelse([$4], , :, [$4])
-else
- ifelse([$5], , :, [$5])
-fi
-])# AC_LIBTOOL_LINKER_OPTION
-
-
-# AC_LIBTOOL_SYS_MAX_CMD_LEN
-# --------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
-[# find the maximum length of command line arguments
-AC_MSG_CHECKING([the maximum length of command line arguments])
-AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
- i=0
- teststring="ABCD"
-
- case $build_os in
- msdosdjgpp*)
- # On DJGPP, this test can blow up pretty badly due to problems in libc
- # (any single argument exceeding 2000 bytes causes a buffer overrun
- # during glob expansion). Even if it were fixed, the result of this
- # check would be larger than it should be.
- lt_cv_sys_max_cmd_len=12288; # 12K is about right
- ;;
-
- gnu*)
- # Under GNU Hurd, this test is not required because there is
- # no limit to the length of command line arguments.
- # Libtool will interpret -1 as no limit whatsoever
- lt_cv_sys_max_cmd_len=-1;
- ;;
-
- cygwin* | mingw*)
- # On Win9x/ME, this test blows up -- it succeeds, but takes
- # about 5 minutes as the teststring grows exponentially.
- # Worse, since 9x/ME are not pre-emptively multitasking,
- # you end up with a "frozen" computer, even though with patience
- # the test eventually succeeds (with a max line length of 256k).
- # Instead, let's just punt: use the minimum linelength reported by
- # all of the supported platforms: 8192 (on NT/2K/XP).
- lt_cv_sys_max_cmd_len=8192;
- ;;
-
- amigaos*)
- # On AmigaOS with pdksh, this test takes hours, literally.
- # So we just punt and use a minimum line length of 8192.
- lt_cv_sys_max_cmd_len=8192;
- ;;
-
- netbsd* | freebsd* | openbsd* | darwin* )
- # This has been around since 386BSD, at least. Likely further.
- if test -x /sbin/sysctl; then
- lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
- elif test -x /usr/sbin/sysctl; then
- lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
- else
- lt_cv_sys_max_cmd_len=65536 # usable default for *BSD
- fi
- # And add a safety zone
- lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
- ;;
-
- *)
- # If test is not a shell built-in, we'll probably end up computing a
- # maximum length that is only half of the actual maximum length, but
- # we can't tell.
- SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
- while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
- = "XX$teststring") >/dev/null 2>&1 &&
- new_result=`expr "X$teststring" : ".*" 2>&1` &&
- lt_cv_sys_max_cmd_len=$new_result &&
- test $i != 17 # 1/2 MB should be enough
- do
- i=`expr $i + 1`
- teststring=$teststring$teststring
- done
- teststring=
- # Add a significant safety factor because C++ compilers can tack on massive
- # amounts of additional arguments before passing them to the linker.
- # It appears as though 1/2 is a usable value.
- lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
- ;;
- esac
-])
-if test -n $lt_cv_sys_max_cmd_len ; then
- AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
-else
- AC_MSG_RESULT(none)
-fi
-])# AC_LIBTOOL_SYS_MAX_CMD_LEN
-
-
-# _LT_AC_CHECK_DLFCN
-# --------------------
-AC_DEFUN([_LT_AC_CHECK_DLFCN],
-[AC_CHECK_HEADERS(dlfcn.h)dnl
-])# _LT_AC_CHECK_DLFCN
-
-
-# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
-# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
-# ------------------------------------------------------------------
-AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
-[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
-if test "$cross_compiling" = yes; then :
- [$4]
-else
- lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
- lt_status=$lt_dlunknown
- cat > conftest.$ac_ext <<EOF
-[#line __oline__ "configure"
-#include "confdefs.h"
-
-#if HAVE_DLFCN_H
-#include <dlfcn.h>
-#endif
-
-#include <stdio.h>
-
-#ifdef RTLD_GLOBAL
-# define LT_DLGLOBAL RTLD_GLOBAL
-#else
-# ifdef DL_GLOBAL
-# define LT_DLGLOBAL DL_GLOBAL
-# else
-# define LT_DLGLOBAL 0
-# endif
-#endif
-
-/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
- find out it does not work in some platform. */
-#ifndef LT_DLLAZY_OR_NOW
-# ifdef RTLD_LAZY
-# define LT_DLLAZY_OR_NOW RTLD_LAZY
-# else
-# ifdef DL_LAZY
-# define LT_DLLAZY_OR_NOW DL_LAZY
-# else
-# ifdef RTLD_NOW
-# define LT_DLLAZY_OR_NOW RTLD_NOW
-# else
-# ifdef DL_NOW
-# define LT_DLLAZY_OR_NOW DL_NOW
-# else
-# define LT_DLLAZY_OR_NOW 0
-# endif
-# endif
-# endif
-# endif
-#endif
-
-#ifdef __cplusplus
-extern "C" void exit (int);
-#endif
-
-void fnord() { int i=42;}
-int main ()
-{
- void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
- int status = $lt_dlunknown;
-
- if (self)
- {
- if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
- else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
- /* dlclose (self); */
- }
-
- exit (status);
-}]
-EOF
- if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
- (./conftest; exit; ) 2>/dev/null
- lt_status=$?
- case x$lt_status in
- x$lt_dlno_uscore) $1 ;;
- x$lt_dlneed_uscore) $2 ;;
- x$lt_unknown|x*) $3 ;;
- esac
- else :
- # compilation failed
- $3
- fi
-fi
-rm -fr conftest*
-])# _LT_AC_TRY_DLOPEN_SELF
-
-
-# AC_LIBTOOL_DLOPEN_SELF
-# -------------------
-AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
-[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
-if test "x$enable_dlopen" != xyes; then
- enable_dlopen=unknown
- enable_dlopen_self=unknown
- enable_dlopen_self_static=unknown
-else
- lt_cv_dlopen=no
- lt_cv_dlopen_libs=
-
- case $host_os in
- beos*)
- lt_cv_dlopen="load_add_on"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
- ;;
-
- mingw* | pw32*)
- lt_cv_dlopen="LoadLibrary"
- lt_cv_dlopen_libs=
- ;;
-
- cygwin*)
- lt_cv_dlopen="dlopen"
- lt_cv_dlopen_libs=
- ;;
-
- darwin*)
- # if libdl is installed we need to link against it
- AC_CHECK_LIB([dl], [dlopen],
- [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
- lt_cv_dlopen="dyld"
- lt_cv_dlopen_libs=
- lt_cv_dlopen_self=yes
- ])
- ;;
-
- *)
- AC_CHECK_FUNC([shl_load],
- [lt_cv_dlopen="shl_load"],
- [AC_CHECK_LIB([dld], [shl_load],
- [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"],
- [AC_CHECK_FUNC([dlopen],
- [lt_cv_dlopen="dlopen"],
- [AC_CHECK_LIB([dl], [dlopen],
- [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
- [AC_CHECK_LIB([svld], [dlopen],
- [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
- [AC_CHECK_LIB([dld], [dld_link],
- [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"])
- ])
- ])
- ])
- ])
- ])
- ;;
- esac
-
- if test "x$lt_cv_dlopen" != xno; then
- enable_dlopen=yes
- else
- enable_dlopen=no
- fi
-
- case $lt_cv_dlopen in
- dlopen)
- save_CPPFLAGS="$CPPFLAGS"
- test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
-
- save_LDFLAGS="$LDFLAGS"
- eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
-
- save_LIBS="$LIBS"
- LIBS="$lt_cv_dlopen_libs $LIBS"
-
- AC_CACHE_CHECK([whether a program can dlopen itself],
- lt_cv_dlopen_self, [dnl
- _LT_AC_TRY_DLOPEN_SELF(
- lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
- lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
- ])
-
- if test "x$lt_cv_dlopen_self" = xyes; then
- LDFLAGS="$LDFLAGS $link_static_flag"
- AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
- lt_cv_dlopen_self_static, [dnl
- _LT_AC_TRY_DLOPEN_SELF(
- lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
- lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross)
- ])
- fi
-
- CPPFLAGS="$save_CPPFLAGS"
- LDFLAGS="$save_LDFLAGS"
- LIBS="$save_LIBS"
- ;;
- esac
-
- case $lt_cv_dlopen_self in
- yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
- *) enable_dlopen_self=unknown ;;
- esac
-
- case $lt_cv_dlopen_self_static in
- yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
- *) enable_dlopen_self_static=unknown ;;
- esac
-fi
-])# AC_LIBTOOL_DLOPEN_SELF
-
-
-# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
-# ---------------------------------
-# Check to see if options -c and -o are simultaneously supported by compiler
-AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
-[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
-AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
- [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
- [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
- $rm -r conftest 2>/dev/null
- mkdir conftest
- cd conftest
- mkdir out
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- lt_compiler_flag="-o out/conftest2.$ac_objext"
- # Insert the option either (1) after the last *FLAGS variable, or
- # (2) before a word containing "conftest.", or (3) at the end.
- # Note that $ac_compile itself does not contain backslashes and begins
- # with a dollar sign (not a hyphen), so the echo should work correctly.
- lt_compile=`echo "$ac_compile" | $SED \
- -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
- -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
- -e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
- (eval "$lt_compile" 2>out/conftest.err)
- ac_status=$?
- cat out/conftest.err >&AS_MESSAGE_LOG_FD
- echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
- if (exit $ac_status) && test -s out/conftest2.$ac_objext
- then
- # The compiler can only warn and ignore the option if not recognized
- # So say no if there are warnings
- if test ! -s out/conftest.err; then
- _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
- fi
- fi
- chmod u+w .
- $rm conftest*
- # SGI C++ compiler will create directory out/ii_files/ for
- # template instantiation
- test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
- $rm out/* && rmdir out
- cd ..
- rmdir conftest
- $rm conftest*
-])
-])# AC_LIBTOOL_PROG_CC_C_O
-
-
-# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
-# -----------------------------------------
-# Check to see if we can do hard links to lock some files if needed
-AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
-[AC_REQUIRE([_LT_AC_LOCK])dnl
-
-hard_links="nottested"
-if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
- # do not overwrite the value of need_locks provided by the user
- AC_MSG_CHECKING([if we can lock with hard links])
- hard_links=yes
- $rm conftest*
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- touch conftest.a
- ln conftest.a conftest.b 2>&5 || hard_links=no
- ln conftest.a conftest.b 2>/dev/null && hard_links=no
- AC_MSG_RESULT([$hard_links])
- if test "$hard_links" = no; then
- AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
- need_locks=warn
- fi
-else
- need_locks=no
-fi
-])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
-
-
-# AC_LIBTOOL_OBJDIR
-# -----------------
-AC_DEFUN([AC_LIBTOOL_OBJDIR],
-[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
-[rm -f .libs 2>/dev/null
-mkdir .libs 2>/dev/null
-if test -d .libs; then
- lt_cv_objdir=.libs
-else
- # MS-DOS does not allow filenames that begin with a dot.
- lt_cv_objdir=_libs
-fi
-rmdir .libs 2>/dev/null])
-objdir=$lt_cv_objdir
-])# AC_LIBTOOL_OBJDIR
-
-
-# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
-# ----------------------------------------------
-# Check hardcoding attributes.
-AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
-[AC_MSG_CHECKING([how to hardcode library paths into programs])
-_LT_AC_TAGVAR(hardcode_action, $1)=
-if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
- test -n "$_LT_AC_TAGVAR(runpath_var, $1)" || \
- test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then
-
- # We can hardcode non-existant directories.
- if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
- # If the only mechanism to avoid hardcoding is shlibpath_var, we
- # have to relink, otherwise we might link with an installed library
- # when we should be linking with a yet-to-be-installed one
- ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
- test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
- # Linking always hardcodes the temporary library directory.
- _LT_AC_TAGVAR(hardcode_action, $1)=relink
- else
- # We can link without hardcoding, and we can hardcode nonexisting dirs.
- _LT_AC_TAGVAR(hardcode_action, $1)=immediate
- fi
-else
- # We cannot hardcode anything, or else we can only hardcode existing
- # directories.
- _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
-fi
-AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
-
-if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
- # Fast installation is not supported
- enable_fast_install=no
-elif test "$shlibpath_overrides_runpath" = yes ||
- test "$enable_shared" = no; then
- # Fast installation is not necessary
- enable_fast_install=needless
-fi
-])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
-
-
-# AC_LIBTOOL_SYS_LIB_STRIP
-# ------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
-[striplib=
-old_striplib=
-AC_MSG_CHECKING([whether stripping libraries is possible])
-if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
- test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
- test -z "$striplib" && striplib="$STRIP --strip-unneeded"
- AC_MSG_RESULT([yes])
-else
-# FIXME - insert some real tests, host_os isn't really good enough
- case $host_os in
- darwin*)
- if test -n "$STRIP" ; then
- striplib="$STRIP -x"
- AC_MSG_RESULT([yes])
- else
- AC_MSG_RESULT([no])
-fi
- ;;
- *)
- AC_MSG_RESULT([no])
- ;;
- esac
-fi
-])# AC_LIBTOOL_SYS_LIB_STRIP
-
-
-# AC_LIBTOOL_SYS_DYNAMIC_LINKER
-# -----------------------------
-# PORTME Fill in your ld.so characteristics
-AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
-[AC_MSG_CHECKING([dynamic linker characteristics])
-library_names_spec=
-libname_spec='lib$name'
-soname_spec=
-shrext_cmds=".so"
-postinstall_cmds=
-postuninstall_cmds=
-finish_cmds=
-finish_eval=
-shlibpath_var=
-shlibpath_overrides_runpath=unknown
-version_type=none
-dynamic_linker="$host_os ld.so"
-sys_lib_dlsearch_path_spec="/lib /usr/lib"
-if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
- # if the path contains ";" then we assume it to be the separator
- # otherwise default to the standard path separator (i.e. ":") - it is
- # assumed that no part of a normal pathname contains ";" but that should
- # okay in the real world where ";" in dirpaths is itself problematic.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
-else
- sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
-need_lib_prefix=unknown
-hardcode_into_libs=no
-
-# when you set need_version to no, make sure it does not cause -set_version
-# flags to be left without arguments
-need_version=unknown
-
-case $host_os in
-aix3*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
- shlibpath_var=LIBPATH
-
- # AIX 3 has no versioning support, so we append a major version to the name.
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
-
-aix4* | aix5*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- hardcode_into_libs=yes
- if test "$host_cpu" = ia64; then
- # AIX 5 supports IA64
- library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- else
- # With GCC up to 2.95.x, collect2 would create an import file
- # for dependence libraries. The import file would start with
- # the line `#! .'. This would cause the generated library to
- # depend on `.', always an invalid library. This was fixed in
- # development snapshots of GCC prior to 3.0.
- case $host_os in
- aix4 | aix4.[[01]] | aix4.[[01]].*)
- if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
- echo ' yes '
- echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
- :
- else
- can_build_shared=no
- fi
- ;;
- esac
- # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
- # soname into executable. Probably we can add versioning support to
- # collect2, so additional links can be useful in future.
- if test "$aix_use_runtimelinking" = yes; then
- # If using run time linking (on AIX 4.2 or later) use lib<name>.so
- # instead of lib<name>.a to let people know that these are not
- # typical AIX shared libraries.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- else
- # We preserve .a as extension for shared libraries through AIX4.2
- # and later when we are not doing run time linking.
- library_names_spec='${libname}${release}.a $libname.a'
- soname_spec='${libname}${release}${shared_ext}$major'
- fi
- shlibpath_var=LIBPATH
- fi
- ;;
-
-amigaos*)
- library_names_spec='$libname.ixlibrary $libname.a'
- # Create ${libname}_ixlibrary.a entries in /sys/libs.
- finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
- ;;
-
-beos*)
- library_names_spec='${libname}${shared_ext}'
- dynamic_linker="$host_os ld.so"
- shlibpath_var=LIBRARY_PATH
- ;;
-
-bsdi[[45]]*)
- version_type=linux
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
- sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
- # the default ld.so.conf also contains /usr/contrib/lib and
- # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
- # libtool to hard-code these into programs
- ;;
-
-cygwin* | mingw* | pw32*)
- version_type=windows
- shrext_cmds=".dll"
- need_version=no
- need_lib_prefix=no
-
- case $GCC,$host_os in
- yes,cygwin* | yes,mingw* | yes,pw32*)
- library_names_spec='$libname.dll.a'
- # DLL is installed to $(libdir)/../bin by postinstall_cmds
- postinstall_cmds='base_file=`basename \${file}`~
- dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
- dldir=$destdir/`dirname \$dlpath`~
- test -d \$dldir || mkdir -p \$dldir~
- $install_prog $dir/$dlname \$dldir/$dlname'
- postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
- dlpath=$dir/\$dldll~
- $rm \$dlpath'
- shlibpath_overrides_runpath=yes
-
- case $host_os in
- cygwin*)
- # Cygwin DLLs use 'cyg' prefix rather than 'lib'
- soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
- ;;
- mingw*)
- # MinGW DLLs use traditional 'lib' prefix
- soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
- sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
- if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
- # It is most probably a Windows format PATH printed by
- # mingw gcc, but we are running on Cygwin. Gcc prints its search
- # path with ; separators, and with drive letters. We can handle the
- # drive letters (cygwin fileutils understands them), so leave them,
- # especially as we might pass files found there to a mingw objdump,
- # which wouldn't understand a cygwinified path. Ahh.
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
- else
- sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
- fi
- ;;
- pw32*)
- # pw32 DLLs use 'pw' prefix rather than 'lib'
- library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
- ;;
- esac
- ;;
-
- *)
- library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
- ;;
- esac
- dynamic_linker='Win32 ld.exe'
- # FIXME: first we should search . and the directory the executable is in
- shlibpath_var=PATH
- ;;
-
-darwin* | rhapsody*)
- dynamic_linker="$host_os dyld"
- version_type=darwin
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
- soname_spec='${libname}${release}${major}$shared_ext'
- shlibpath_overrides_runpath=yes
- shlibpath_var=DYLD_LIBRARY_PATH
- shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
- # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
- if test "$GCC" = yes; then
- sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
- else
- sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
- fi
- sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
- ;;
-
-dgux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-freebsd1*)
- dynamic_linker=no
- ;;
-
-kfreebsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-freebsd*)
- objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
- version_type=freebsd-$objformat
- case $version_type in
- freebsd-elf*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
- need_version=no
- need_lib_prefix=no
- ;;
- freebsd-*)
- library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
- need_version=yes
- ;;
- esac
- shlibpath_var=LD_LIBRARY_PATH
- case $host_os in
- freebsd2*)
- shlibpath_overrides_runpath=yes
- ;;
- freebsd3.[01]* | freebsdelf3.[01]*)
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
- *) # from 3.2 on
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- ;;
- esac
- ;;
-
-gnu*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- hardcode_into_libs=yes
- ;;
-
-hpux9* | hpux10* | hpux11*)
- # Give a soname corresponding to the major version so that dld.sl refuses to
- # link against other versions.
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- case "$host_cpu" in
- ia64*)
- shrext_cmds='.so'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.so"
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- if test "X$HPUX_IA64_MODE" = X32; then
- sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
- else
- sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
- fi
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- hppa*64*)
- shrext_cmds='.sl'
- hardcode_into_libs=yes
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
- shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
- sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
- ;;
- *)
- shrext_cmds='.sl'
- dynamic_linker="$host_os dld.sl"
- shlibpath_var=SHLIB_PATH
- shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- ;;
- esac
- # HP-UX runs *really* slowly unless shared libraries are mode 555.
- postinstall_cmds='chmod 555 $lib'
- ;;
-
-irix5* | irix6* | nonstopux*)
- case $host_os in
- nonstopux*) version_type=nonstopux ;;
- *)
- if test "$lt_cv_prog_gnu_ld" = yes; then
- version_type=linux
- else
- version_type=irix
- fi ;;
- esac
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
- case $host_os in
- irix5* | nonstopux*)
- libsuff= shlibsuff=
- ;;
- *)
- case $LD in # libtool.m4 will add one of these switches to LD
- *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
- libsuff= shlibsuff= libmagic=32-bit;;
- *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
- libsuff=32 shlibsuff=N32 libmagic=N32;;
- *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
- libsuff=64 shlibsuff=64 libmagic=64-bit;;
- *) libsuff= shlibsuff= libmagic=never-match;;
- esac
- ;;
- esac
- shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
- sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
- hardcode_into_libs=yes
- ;;
-
-# No shared lib support for Linux oldld, aout, or coff.
-linux*oldld* | linux*aout* | linux*coff*)
- dynamic_linker=no
- ;;
-
-# This must be Linux ELF.
-linux*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- # This implies no fast_install, which is unacceptable.
- # Some rework will be needed to allow for fast_install
- # before this can be enabled.
- hardcode_into_libs=yes
-
- # Append ld.so.conf contents to the search path
- if test -f /etc/ld.so.conf; then
- lt_ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf | tr '\n' ' '`
- sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
- fi
-
- # We used to test for /lib/ld.so.1 and disable shared libraries on
- # powerpc, because MkLinux only supported shared libraries with the
- # GNU dynamic linker. Since this was broken with cross compilers,
- # most powerpc-linux boxes support dynamic linking these days and
- # people can always --disable-shared, the test was removed, and we
- # assume the GNU/Linux dynamic linker is in use.
- dynamic_linker='GNU/Linux ld.so'
- ;;
-
-knetbsd*-gnu)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=no
- hardcode_into_libs=yes
- dynamic_linker='GNU ld.so'
- ;;
-
-netbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- dynamic_linker='NetBSD (a.out) ld.so'
- else
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- dynamic_linker='NetBSD ld.elf_so'
- fi
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- ;;
-
-newsos6)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-nto-qnx*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- ;;
-
-openbsd*)
- version_type=sunos
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- case $host_os in
- openbsd2.[[89]] | openbsd2.[[89]].*)
- shlibpath_overrides_runpath=no
- ;;
- *)
- shlibpath_overrides_runpath=yes
- ;;
- esac
- else
- shlibpath_overrides_runpath=yes
- fi
- ;;
-
-os2*)
- libname_spec='$name'
- shrext_cmds=".dll"
- need_lib_prefix=no
- library_names_spec='$libname${shared_ext} $libname.a'
- dynamic_linker='OS/2 ld.exe'
- shlibpath_var=LIBPATH
- ;;
-
-osf3* | osf4* | osf5*)
- version_type=osf
- need_lib_prefix=no
- need_version=no
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
- sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
- ;;
-
-sco3.2v5*)
- version_type=osf
- soname_spec='${libname}${release}${shared_ext}$major'
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-solaris*)
- version_type=linux
- need_lib_prefix=no
- need_version=no
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- hardcode_into_libs=yes
- # ldd complains unless libraries are executable
- postinstall_cmds='chmod +x $lib'
- ;;
-
-sunos4*)
- version_type=sunos
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
- finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
- shlibpath_var=LD_LIBRARY_PATH
- shlibpath_overrides_runpath=yes
- if test "$with_gnu_ld" = yes; then
- need_lib_prefix=no
- fi
- need_version=yes
- ;;
-
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- case $host_vendor in
- sni)
- shlibpath_overrides_runpath=no
- need_lib_prefix=no
- export_dynamic_flag_spec='${wl}-Blargedynsym'
- runpath_var=LD_RUN_PATH
- ;;
- siemens)
- need_lib_prefix=no
- ;;
- motorola)
- need_lib_prefix=no
- need_version=no
- shlibpath_overrides_runpath=no
- sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
- ;;
- esac
- ;;
-
-sysv4*MP*)
- if test -d /usr/nec ;then
- version_type=linux
- library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
- soname_spec='$libname${shared_ext}.$major'
- shlibpath_var=LD_LIBRARY_PATH
- fi
- ;;
-
-uts4*)
- version_type=linux
- library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
- soname_spec='${libname}${release}${shared_ext}$major'
- shlibpath_var=LD_LIBRARY_PATH
- ;;
-
-*)
- dynamic_linker=no
- ;;
-esac
-AC_MSG_RESULT([$dynamic_linker])
-test "$dynamic_linker" = no && can_build_shared=no
-])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
-
-
-# _LT_AC_TAGCONFIG
-# ----------------
-AC_DEFUN([_LT_AC_TAGCONFIG],
-[AC_ARG_WITH([tags],
- [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
- [include additional configurations @<:@automatic@:>@])],
- [tagnames="$withval"])
-
-if test -f "$ltmain" && test -n "$tagnames"; then
- if test ! -f "${ofile}"; then
- AC_MSG_WARN([output file `$ofile' does not exist])
- fi
-
- if test -z "$LTCC"; then
- eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
- if test -z "$LTCC"; then
- AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
- else
- AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
- fi
- fi
-
- # Extract list of available tagged configurations in $ofile.
- # Note that this assumes the entire list is on one line.
- available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
-
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for tagname in $tagnames; do
- IFS="$lt_save_ifs"
- # Check whether tagname contains only valid characters
- case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
- "") ;;
- *) AC_MSG_ERROR([invalid tag name: $tagname])
- ;;
- esac
-
- if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
- then
- AC_MSG_ERROR([tag name \"$tagname\" already exists])
- fi
-
- # Update the list of available tags.
- if test -n "$tagname"; then
- echo appending configuration tag \"$tagname\" to $ofile
-
- case $tagname in
- CXX)
- if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
- ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
- (test "X$CXX" != "Xg++"))) ; then
- AC_LIBTOOL_LANG_CXX_CONFIG
- else
- tagname=""
- fi
- ;;
-
- F77)
- if test -n "$F77" && test "X$F77" != "Xno"; then
- AC_LIBTOOL_LANG_F77_CONFIG
- else
- tagname=""
- fi
- ;;
-
- GCJ)
- if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
- AC_LIBTOOL_LANG_GCJ_CONFIG
- else
- tagname=""
- fi
- ;;
-
- RC)
- AC_LIBTOOL_LANG_RC_CONFIG
- ;;
-
- *)
- AC_MSG_ERROR([Unsupported tag name: $tagname])
- ;;
- esac
-
- # Append the new tag name to the list of available tags.
- if test -n "$tagname" ; then
- available_tags="$available_tags $tagname"
- fi
- fi
- done
- IFS="$lt_save_ifs"
-
- # Now substitute the updated list of available tags.
- if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
- mv "${ofile}T" "$ofile"
- chmod +x "$ofile"
- else
- rm -f "${ofile}T"
- AC_MSG_ERROR([unable to update list of available tagged configurations.])
- fi
-fi
-])# _LT_AC_TAGCONFIG
-
-
-# AC_LIBTOOL_DLOPEN
-# -----------------
-# enable checks for dlopen support
-AC_DEFUN([AC_LIBTOOL_DLOPEN],
- [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
-])# AC_LIBTOOL_DLOPEN
-
-
-# AC_LIBTOOL_WIN32_DLL
-# --------------------
-# declare package support for building win32 dll's
-AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
-[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
-])# AC_LIBTOOL_WIN32_DLL
-
-
-# AC_ENABLE_SHARED([DEFAULT])
-# ---------------------------
-# implement the --enable-shared flag
-# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_SHARED],
-[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([shared],
- [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
- [build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
- [p=${PACKAGE-default}
- case $enableval in
- yes) enable_shared=yes ;;
- no) enable_shared=no ;;
- *)
- enable_shared=no
- # Look at the argument we got. We use all the common list separators.
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for pkg in $enableval; do
- IFS="$lt_save_ifs"
- if test "X$pkg" = "X$p"; then
- enable_shared=yes
- fi
- done
- IFS="$lt_save_ifs"
- ;;
- esac],
- [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
-])# AC_ENABLE_SHARED
-
-
-# AC_DISABLE_SHARED
-# -----------------
-#- set the default shared flag to --disable-shared
-AC_DEFUN([AC_DISABLE_SHARED],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_SHARED(no)
-])# AC_DISABLE_SHARED
-
-
-# AC_ENABLE_STATIC([DEFAULT])
-# ---------------------------
-# implement the --enable-static flag
-# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_STATIC],
-[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([static],
- [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
- [build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
- [p=${PACKAGE-default}
- case $enableval in
- yes) enable_static=yes ;;
- no) enable_static=no ;;
- *)
- enable_static=no
- # Look at the argument we got. We use all the common list separators.
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for pkg in $enableval; do
- IFS="$lt_save_ifs"
- if test "X$pkg" = "X$p"; then
- enable_static=yes
- fi
- done
- IFS="$lt_save_ifs"
- ;;
- esac],
- [enable_static=]AC_ENABLE_STATIC_DEFAULT)
-])# AC_ENABLE_STATIC
-
-
-# AC_DISABLE_STATIC
-# -----------------
-# set the default static flag to --disable-static
-AC_DEFUN([AC_DISABLE_STATIC],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_STATIC(no)
-])# AC_DISABLE_STATIC
-
-
-# AC_ENABLE_FAST_INSTALL([DEFAULT])
-# ---------------------------------
-# implement the --enable-fast-install flag
-# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
-AC_DEFUN([AC_ENABLE_FAST_INSTALL],
-[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
-AC_ARG_ENABLE([fast-install],
- [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
- [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
- [p=${PACKAGE-default}
- case $enableval in
- yes) enable_fast_install=yes ;;
- no) enable_fast_install=no ;;
- *)
- enable_fast_install=no
- # Look at the argument we got. We use all the common list separators.
- lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
- for pkg in $enableval; do
- IFS="$lt_save_ifs"
- if test "X$pkg" = "X$p"; then
- enable_fast_install=yes
- fi
- done
- IFS="$lt_save_ifs"
- ;;
- esac],
- [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
-])# AC_ENABLE_FAST_INSTALL
-
-
-# AC_DISABLE_FAST_INSTALL
-# -----------------------
-# set the default to --disable-fast-install
-AC_DEFUN([AC_DISABLE_FAST_INSTALL],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-AC_ENABLE_FAST_INSTALL(no)
-])# AC_DISABLE_FAST_INSTALL
-
-
-# AC_LIBTOOL_PICMODE([MODE])
-# --------------------------
-# implement the --with-pic flag
-# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
-AC_DEFUN([AC_LIBTOOL_PICMODE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
-pic_mode=ifelse($#,1,$1,default)
-])# AC_LIBTOOL_PICMODE
-
-
-# AC_PROG_EGREP
-# -------------
-# This is predefined starting with Autoconf 2.54, so this conditional
-# definition can be removed once we require Autoconf 2.54 or later.
-m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
-[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
- [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
- then ac_cv_prog_egrep='grep -E'
- else ac_cv_prog_egrep='egrep'
- fi])
- EGREP=$ac_cv_prog_egrep
- AC_SUBST([EGREP])
-])])
-
-
-# AC_PATH_TOOL_PREFIX
-# -------------------
-# find a file program which can recognise shared library
-AC_DEFUN([AC_PATH_TOOL_PREFIX],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
-AC_MSG_CHECKING([for $1])
-AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
-[case $MAGIC_CMD in
-[[\\/*] | ?:[\\/]*])
- lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
- ;;
-*)
- lt_save_MAGIC_CMD="$MAGIC_CMD"
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-dnl $ac_dummy forces splitting on constant user-supplied paths.
-dnl POSIX.2 word splitting is done only on the output of word expansions,
-dnl not every word. This closes a longstanding sh security hole.
- ac_dummy="ifelse([$2], , $PATH, [$2])"
- for ac_dir in $ac_dummy; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- if test -f $ac_dir/$1; then
- lt_cv_path_MAGIC_CMD="$ac_dir/$1"
- if test -n "$file_magic_test_file"; then
- case $deplibs_check_method in
- "file_magic "*)
- file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
- MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
- if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
- $EGREP "$file_magic_regex" > /dev/null; then
- :
- else
- cat <<EOF 1>&2
-
-*** Warning: the command libtool uses to detect shared libraries,
-*** $file_magic_cmd, produces output that libtool cannot recognize.
-*** The result is that libtool may fail to recognize shared libraries
-*** as such. This will affect the creation of libtool libraries that
-*** depend on shared libraries, but programs linked with such libtool
-*** libraries will work regardless of this problem. Nevertheless, you
-*** may want to report the problem to your system manager and/or to
-*** bug-libtool@gnu.org
-
-EOF
- fi ;;
- esac
- fi
- break
- fi
- done
- IFS="$lt_save_ifs"
- MAGIC_CMD="$lt_save_MAGIC_CMD"
- ;;
-esac])
-MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
-if test -n "$MAGIC_CMD"; then
- AC_MSG_RESULT($MAGIC_CMD)
-else
- AC_MSG_RESULT(no)
-fi
-])# AC_PATH_TOOL_PREFIX
-
-
-# AC_PATH_MAGIC
-# -------------
-# find a file program which can recognise a shared library
-AC_DEFUN([AC_PATH_MAGIC],
-[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
-if test -z "$lt_cv_path_MAGIC_CMD"; then
- if test -n "$ac_tool_prefix"; then
- AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
- else
- MAGIC_CMD=:
- fi
-fi
-])# AC_PATH_MAGIC
-
-
-# AC_PROG_LD
-# ----------
-# find the pathname to the GNU or non-GNU linker
-AC_DEFUN([AC_PROG_LD],
-[AC_ARG_WITH([gnu-ld],
- [AC_HELP_STRING([--with-gnu-ld],
- [assume the C compiler uses GNU ld @<:@default=no@:>@])],
- [test "$withval" = no || with_gnu_ld=yes],
- [with_gnu_ld=no])
-AC_REQUIRE([LT_AC_PROG_SED])dnl
-AC_REQUIRE([AC_PROG_CC])dnl
-AC_REQUIRE([AC_CANONICAL_HOST])dnl
-AC_REQUIRE([AC_CANONICAL_BUILD])dnl
-ac_prog=ld
-if test "$GCC" = yes; then
- # Check if gcc -print-prog-name=ld gives a path.
- AC_MSG_CHECKING([for ld used by $CC])
- case $host in
- *-*-mingw*)
- # gcc leaves a trailing carriage return which upsets mingw
- ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
- *)
- ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
- esac
- case $ac_prog in
- # Accept absolute paths.
- [[\\/]]* | ?:[[\\/]]*)
- re_direlt='/[[^/]][[^/]]*/\.\./'
- # Canonicalize the pathname of ld
- ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
- while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
- ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
- done
- test -z "$LD" && LD="$ac_prog"
- ;;
- "")
- # If it fails, then pretend we aren't using GCC.
- ac_prog=ld
- ;;
- *)
- # If it is relative, then search for the first ld in PATH.
- with_gnu_ld=unknown
- ;;
- esac
-elif test "$with_gnu_ld" = yes; then
- AC_MSG_CHECKING([for GNU ld])
-else
- AC_MSG_CHECKING([for non-GNU ld])
-fi
-AC_CACHE_VAL(lt_cv_path_LD,
-[if test -z "$LD"; then
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for ac_dir in $PATH; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
- lt_cv_path_LD="$ac_dir/$ac_prog"
- # Check to see if the program is GNU ld. I'd rather use --version,
- # but apparently some GNU ld's only accept -v.
- # Break only if it was the GNU/non-GNU ld that we prefer.
- case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
- *GNU* | *'with BFD'*)
- test "$with_gnu_ld" != no && break
- ;;
- *)
- test "$with_gnu_ld" != yes && break
- ;;
- esac
- fi
- done
- IFS="$lt_save_ifs"
-else
- lt_cv_path_LD="$LD" # Let the user override the test with a path.
-fi])
-LD="$lt_cv_path_LD"
-if test -n "$LD"; then
- AC_MSG_RESULT($LD)
-else
- AC_MSG_RESULT(no)
-fi
-test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
-AC_PROG_LD_GNU
-])# AC_PROG_LD
-
-
-# AC_PROG_LD_GNU
-# --------------
-AC_DEFUN([AC_PROG_LD_GNU],
-[AC_REQUIRE([AC_PROG_EGREP])dnl
-AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
-[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
-case `$LD -v 2>&1 </dev/null` in
-*GNU* | *'with BFD'*)
- lt_cv_prog_gnu_ld=yes
- ;;
-*)
- lt_cv_prog_gnu_ld=no
- ;;
-esac])
-with_gnu_ld=$lt_cv_prog_gnu_ld
-])# AC_PROG_LD_GNU
-
-
-# AC_PROG_LD_RELOAD_FLAG
-# ----------------------
-# find reload flag for linker
-# -- PORTME Some linkers may need a different reload flag.
-AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
-[AC_CACHE_CHECK([for $LD option to reload object files],
- lt_cv_ld_reload_flag,
- [lt_cv_ld_reload_flag='-r'])
-reload_flag=$lt_cv_ld_reload_flag
-case $reload_flag in
-"" | " "*) ;;
-*) reload_flag=" $reload_flag" ;;
-esac
-reload_cmds='$LD$reload_flag -o $output$reload_objs'
-case $host_os in
- darwin*)
- if test "$GCC" = yes; then
- reload_cmds='$CC -nostdlib ${wl}-r -o $output$reload_objs'
- else
- reload_cmds='$LD$reload_flag -o $output$reload_objs'
- fi
- ;;
-esac
-])# AC_PROG_LD_RELOAD_FLAG
-
-
-# AC_DEPLIBS_CHECK_METHOD
-# -----------------------
-# how to check for library dependencies
-# -- PORTME fill in with the dynamic library characteristics
-AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
-[AC_CACHE_CHECK([how to recognise dependent libraries],
-lt_cv_deplibs_check_method,
-[lt_cv_file_magic_cmd='$MAGIC_CMD'
-lt_cv_file_magic_test_file=
-lt_cv_deplibs_check_method='unknown'
-# Need to set the preceding variable on all platforms that support
-# interlibrary dependencies.
-# 'none' -- dependencies not supported.
-# `unknown' -- same as none, but documents that we really don't know.
-# 'pass_all' -- all dependencies passed with no checks.
-# 'test_compile' -- check by making test program.
-# 'file_magic [[regex]]' -- check by looking for files in library path
-# which responds to the $file_magic_cmd with a given extended regex.
-# If you have `file' or equivalent on your system and you're not sure
-# whether `pass_all' will *always* work, you probably want this one.
-
-case $host_os in
-aix4* | aix5*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-beos*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-bsdi[[45]]*)
- lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
- lt_cv_file_magic_cmd='/usr/bin/file -L'
- lt_cv_file_magic_test_file=/shlib/libc.so
- ;;
-
-cygwin*)
- # func_win32_libid is a shell function defined in ltmain.sh
- lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
- lt_cv_file_magic_cmd='func_win32_libid'
- ;;
-
-mingw* | pw32*)
- # Base MSYS/MinGW do not provide the 'file' command needed by
- # func_win32_libid shell function, so use a weaker test based on 'objdump'.
- lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
- lt_cv_file_magic_cmd='$OBJDUMP -f'
- ;;
-
-darwin* | rhapsody*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-freebsd* | kfreebsd*-gnu)
- if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
- case $host_cpu in
- i*86 )
- # Not sure whether the presence of OpenBSD here was a mistake.
- # Let's accept both of them until this is cleared up.
- lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[[3-9]]86 (compact )?demand paged shared library'
- lt_cv_file_magic_cmd=/usr/bin/file
- lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
- ;;
- esac
- else
- lt_cv_deplibs_check_method=pass_all
- fi
- ;;
-
-gnu*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-hpux10.20* | hpux11*)
- lt_cv_file_magic_cmd=/usr/bin/file
- case "$host_cpu" in
- ia64*)
- lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
- lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
- ;;
- hppa*64*)
- [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
- lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
- ;;
- *)
- lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
- lt_cv_file_magic_test_file=/usr/lib/libc.sl
- ;;
- esac
- ;;
-
-irix5* | irix6* | nonstopux*)
- case $LD in
- *-32|*"-32 ") libmagic=32-bit;;
- *-n32|*"-n32 ") libmagic=N32;;
- *-64|*"-64 ") libmagic=64-bit;;
- *) libmagic=never-match;;
- esac
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-# This must be Linux ELF.
-linux*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
- lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
- else
- lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
- fi
- ;;
-
-newos6*)
- lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
- lt_cv_file_magic_cmd=/usr/bin/file
- lt_cv_file_magic_test_file=/usr/lib/libnls.so
- ;;
-
-nto-qnx*)
- lt_cv_deplibs_check_method=unknown
- ;;
-
-openbsd*)
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$'
- else
- lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
- fi
- ;;
-
-osf3* | osf4* | osf5*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-sco3.2v5*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-solaris*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- case $host_vendor in
- motorola)
- lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
- lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
- ;;
- ncr)
- lt_cv_deplibs_check_method=pass_all
- ;;
- sequent)
- lt_cv_file_magic_cmd='/bin/file'
- lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
- ;;
- sni)
- lt_cv_file_magic_cmd='/bin/file'
- lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
- lt_cv_file_magic_test_file=/lib/libc.so
- ;;
- siemens)
- lt_cv_deplibs_check_method=pass_all
- ;;
- esac
- ;;
-
-sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7* | sysv4*uw2*)
- lt_cv_deplibs_check_method=pass_all
- ;;
-esac
-])
-file_magic_cmd=$lt_cv_file_magic_cmd
-deplibs_check_method=$lt_cv_deplibs_check_method
-test -z "$deplibs_check_method" && deplibs_check_method=unknown
-])# AC_DEPLIBS_CHECK_METHOD
-
-
-# AC_PROG_NM
-# ----------
-# find the pathname to a BSD-compatible name lister
-AC_DEFUN([AC_PROG_NM],
-[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
-[if test -n "$NM"; then
- # Let the user override the test.
- lt_cv_path_NM="$NM"
-else
- lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
- for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
- IFS="$lt_save_ifs"
- test -z "$ac_dir" && ac_dir=.
- tmp_nm="$ac_dir/${ac_tool_prefix}nm"
- if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
- # Check to see if the nm accepts a BSD-compat flag.
- # Adding the `sed 1q' prevents false positives on HP-UX, which says:
- # nm: unknown option "B" ignored
- # Tru64's nm complains that /dev/null is an invalid object file
- case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
- */dev/null* | *'Invalid file or object type'*)
- lt_cv_path_NM="$tmp_nm -B"
- break
- ;;
- *)
- case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
- */dev/null*)
- lt_cv_path_NM="$tmp_nm -p"
- break
- ;;
- *)
- lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
- continue # so that we can try to find one that supports BSD flags
- ;;
- esac
- esac
- fi
- done
- IFS="$lt_save_ifs"
- test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
-fi])
-NM="$lt_cv_path_NM"
-])# AC_PROG_NM
-
-
-# AC_CHECK_LIBM
-# -------------
-# check for math library
-AC_DEFUN([AC_CHECK_LIBM],
-[AC_REQUIRE([AC_CANONICAL_HOST])dnl
-LIBM=
-case $host in
-*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
- # These system don't have libm, or don't need it
- ;;
-*-ncr-sysv4.3*)
- AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
- AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
- ;;
-*)
- AC_CHECK_LIB(m, cos, LIBM="-lm")
- ;;
-esac
-])# AC_CHECK_LIBM
-
-
-# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
-# -----------------------------------
-# sets LIBLTDL to the link flags for the libltdl convenience library and
-# LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-convenience to the configure arguments. Note that LIBLTDL
-# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If
-# DIRECTORY is not provided, it is assumed to be `libltdl'. LIBLTDL will
-# be prefixed with '${top_builddir}/' and LTDLINCL will be prefixed with
-# '${top_srcdir}/' (note the single quotes!). If your package is not
-# flat and you're not using automake, define top_builddir and
-# top_srcdir appropriately in the Makefiles.
-AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
- case $enable_ltdl_convenience in
- no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
- "") enable_ltdl_convenience=yes
- ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
- esac
- LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
- LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
- # For backwards non-gettext consistent compatibility...
- INCLTDL="$LTDLINCL"
-])# AC_LIBLTDL_CONVENIENCE
-
-
-# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
-# -----------------------------------
-# sets LIBLTDL to the link flags for the libltdl installable library and
-# LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-install to the configure arguments. Note that LIBLTDL
-# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If
-# DIRECTORY is not provided and an installed libltdl is not found, it is
-# assumed to be `libltdl'. LIBLTDL will be prefixed with '${top_builddir}/'
-# and LTDLINCL will be prefixed with '${top_srcdir}/' (note the single
-# quotes!). If your package is not flat and you're not using automake,
-# define top_builddir and top_srcdir appropriately in the Makefiles.
-# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
-AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
-[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
- AC_CHECK_LIB(ltdl, lt_dlinit,
- [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
- [if test x"$enable_ltdl_install" = xno; then
- AC_MSG_WARN([libltdl not installed, but installation disabled])
- else
- enable_ltdl_install=yes
- fi
- ])
- if test x"$enable_ltdl_install" = x"yes"; then
- ac_configure_args="$ac_configure_args --enable-ltdl-install"
- LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
- LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
- else
- ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
- LIBLTDL="-lltdl"
- LTDLINCL=
- fi
- # For backwards non-gettext consistent compatibility...
- INCLTDL="$LTDLINCL"
-])# AC_LIBLTDL_INSTALLABLE
-
-
-# AC_LIBTOOL_CXX
-# --------------
-# enable support for C++ libraries
-AC_DEFUN([AC_LIBTOOL_CXX],
-[AC_REQUIRE([_LT_AC_LANG_CXX])
-])# AC_LIBTOOL_CXX
-
-
-# _LT_AC_LANG_CXX
-# ---------------
-AC_DEFUN([_LT_AC_LANG_CXX],
-[AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
-])# _LT_AC_LANG_CXX
-
-# _LT_AC_PROG_CXXCPP
-# ---------------
-AC_DEFUN([_LT_AC_PROG_CXXCPP],
-[
-AC_REQUIRE([AC_PROG_CXX])
-if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
- ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
- (test "X$CXX" != "Xg++"))) ; then
- AC_PROG_CXXCPP
-fi
-])# _LT_AC_PROG_CXXCPP
-
-# AC_LIBTOOL_F77
-# --------------
-# enable support for Fortran 77 libraries
-AC_DEFUN([AC_LIBTOOL_F77],
-[AC_REQUIRE([_LT_AC_LANG_F77])
-])# AC_LIBTOOL_F77
-
-
-# _LT_AC_LANG_F77
-# ---------------
-AC_DEFUN([_LT_AC_LANG_F77],
-[AC_REQUIRE([AC_PROG_F77])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
-])# _LT_AC_LANG_F77
-
-
-# AC_LIBTOOL_GCJ
-# --------------
-# enable support for GCJ libraries
-AC_DEFUN([AC_LIBTOOL_GCJ],
-[AC_REQUIRE([_LT_AC_LANG_GCJ])
-])# AC_LIBTOOL_GCJ
-
-
-# _LT_AC_LANG_GCJ
-# ---------------
-AC_DEFUN([_LT_AC_LANG_GCJ],
-[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
- [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
- [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
- [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
- [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
- [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
-])# _LT_AC_LANG_GCJ
-
-
-# AC_LIBTOOL_RC
-# --------------
-# enable support for Windows resource files
-AC_DEFUN([AC_LIBTOOL_RC],
-[AC_REQUIRE([LT_AC_PROG_RC])
-_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
-])# AC_LIBTOOL_RC
-
-
-# AC_LIBTOOL_LANG_C_CONFIG
-# ------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined. Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
-AC_DEFUN([_LT_AC_LANG_C_CONFIG],
-[lt_save_CC="$CC"
-AC_LANG_PUSH(C)
-
-# Source file extension for C test sources.
-ac_ext=c
-
-# Object file extension for compiled C test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}\n'
-
-_LT_AC_SYS_COMPILER
-
-#
-# Check for any special shared library compilation flags.
-#
-_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)=
-if test "$GCC" = no; then
- case $host_os in
- sco3.2v5*)
- _LT_AC_TAGVAR(lt_prog_cc_shlib, $1)='-belf'
- ;;
- esac
-fi
-if test -n "$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)"; then
- AC_MSG_WARN([`$CC' requires `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to build shared libraries])
- if echo "$old_CC $old_CFLAGS " | grep "[[ ]]$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)[[ ]]" >/dev/null; then :
- else
- AC_MSG_WARN([add `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to the CC or CFLAGS env variable and reconfigure])
- _LT_AC_TAGVAR(lt_cv_prog_cc_can_build_shared, $1)=no
- fi
-fi
-
-
-#
-# Check to make sure the static flag actually works.
-#
-AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $_LT_AC_TAGVAR(lt_prog_compiler_static, $1) works],
- _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
- $_LT_AC_TAGVAR(lt_prog_compiler_static, $1),
- [],
- [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
-
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
-
-# Report which librarie types wil actually be built
-AC_MSG_CHECKING([if libtool supports shared libraries])
-AC_MSG_RESULT([$can_build_shared])
-
-AC_MSG_CHECKING([whether to build shared libraries])
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case "$host_os" in
-aix3*)
- test "$enable_shared" = yes && enable_static=no
- if test -n "$RANLIB"; then
- archive_cmds="$archive_cmds~\$RANLIB \$lib"
- postinstall_cmds='$RANLIB $lib'
- fi
- ;;
-
-aix4* | aix5*)
- if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
- test "$enable_shared" = yes && enable_static=no
- fi
- ;;
-esac
-AC_MSG_RESULT([$enable_shared])
-
-AC_MSG_CHECKING([whether to build static libraries])
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-AC_MSG_RESULT([$enable_static])
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_POP
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_C_CONFIG
-
-
-# AC_LIBTOOL_LANG_CXX_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined. Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
-AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
-[AC_LANG_PUSH(C++)
-AC_REQUIRE([AC_PROG_CXX])
-AC_REQUIRE([_LT_AC_PROG_CXXCPP])
-
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_AC_TAGVAR(allow_undefined_flag, $1)=
-_LT_AC_TAGVAR(always_export_symbols, $1)=no
-_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_direct, $1)=no
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-_LT_AC_TAGVAR(hardcode_automatic, $1)=no
-_LT_AC_TAGVAR(module_cmds, $1)=
-_LT_AC_TAGVAR(module_expsym_cmds, $1)=
-_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_AC_TAGVAR(no_undefined_flag, $1)=
-_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Dependencies to place before and after the object being linked:
-_LT_AC_TAGVAR(predep_objects, $1)=
-_LT_AC_TAGVAR(postdep_objects, $1)=
-_LT_AC_TAGVAR(predeps, $1)=
-_LT_AC_TAGVAR(postdeps, $1)=
-_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
-
-# Source file extension for C++ test sources.
-ac_ext=cc
-
-# Object file extension for compiled C++ test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# Allow CC to be a program name with arguments.
-lt_save_CC=$CC
-lt_save_LD=$LD
-lt_save_GCC=$GCC
-GCC=$GXX
-lt_save_with_gnu_ld=$with_gnu_ld
-lt_save_path_LD=$lt_cv_path_LD
-if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
- lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
-else
- unset lt_cv_prog_gnu_ld
-fi
-if test -n "${lt_cv_path_LDCXX+set}"; then
- lt_cv_path_LD=$lt_cv_path_LDCXX
-else
- unset lt_cv_path_LD
-fi
-test -z "${LDCXX+set}" || LD=$LDCXX
-CC=${CXX-"c++"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
-# We don't want -fno-exception wen compiling C++ code, so set the
-# no_builtin_flag separately
-if test "$GXX" = yes; then
- _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-else
- _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-fi
-
-if test "$GXX" = yes; then
- # Set up default GNU C++ configuration
-
- AC_PROG_LD
-
- # Check if GNU C++ uses GNU ld as the underlying linker, since the
- # archiving commands below assume that GNU ld is being used.
- if test "$with_gnu_ld" = yes; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
- # If archive_cmds runs LD, not CC, wlarc should be empty
- # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
- # investigate it a little bit more. (MM)
- wlarc='${wl}'
-
- # ancient GNU ld didn't support --whole-archive et. al.
- if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
- grep 'no-whole-archive' > /dev/null; then
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- else
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
- fi
- else
- with_gnu_ld=no
- wlarc=
-
- # A generic and very simple default shared library creation
- # command for GNU C++ for the case where it uses the native
- # linker, instead of GNU ld. If possible, this setting should
- # overridden to take advantage of the native linker features on
- # the platform it is being used on.
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
- fi
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
-else
- GXX=no
- with_gnu_ld=no
- wlarc=
-fi
-
-# PORTME: fill in a description of your system's C++ link characteristics
-AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-_LT_AC_TAGVAR(ld_shlibs, $1)=yes
-case $host_os in
- aix3*)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- aix4* | aix5*)
- if test "$host_cpu" = ia64; then
- # On IA64, the linker does run time linking by default, so we don't
- # have to do anything special.
- aix_use_runtimelinking=no
- exp_sym_flag='-Bexport'
- no_entry_flag=""
- else
- aix_use_runtimelinking=no
-
- # Test if we are trying to use run time linking or normal
- # AIX style linking. If -brtl is somewhere in LDFLAGS, we
- # need to do runtime linking.
- case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
- for ld_flag in $LDFLAGS; do
- case $ld_flag in
- *-brtl*)
- aix_use_runtimelinking=yes
- break
- ;;
- esac
- done
- esac
-
- exp_sym_flag='-bexport'
- no_entry_flag='-bnoentry'
- fi
-
- # When large executables or shared objects are built, AIX ld can
- # have problems creating the table of contents. If linking a library
- # or program results in "error TOC overflow" add -mminimal-toc to
- # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
- # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
- _LT_AC_TAGVAR(archive_cmds, $1)=''
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
- if test "$GXX" = yes; then
- case $host_os in aix4.[012]|aix4.[012].*)
- # We only want to do this on AIX 4.2 and lower, the check
- # below for broken collect2 doesn't work under 4.3+
- collect2name=`${CC} -print-prog-name=collect2`
- if test -f "$collect2name" && \
- strings "$collect2name" | grep resolve_lib_name >/dev/null
- then
- # We have reworked collect2
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- else
- # We have old collect2
- _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
- # It fails to find uninstalled libraries when the uninstalled
- # path is not listed in the libpath. Setting hardcode_minus_L
- # to unsupported forces relinking
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
- fi
- esac
- shared_flag='-shared'
- else
- # not using gcc
- if test "$host_cpu" = ia64; then
- # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
- # chokes on -Wl,-G. The following line is correct:
- shared_flag='-G'
- else
- if test "$aix_use_runtimelinking" = yes; then
- shared_flag='${wl}-G'
- else
- shared_flag='${wl}-bM:SRE'
- fi
- fi
- fi
-
- # It seems that -bexpall does not export symbols beginning with
- # underscore (_), so it is better to generate a list of symbols to export.
- _LT_AC_TAGVAR(always_export_symbols, $1)=yes
- if test "$aix_use_runtimelinking" = yes; then
- # Warning - without using the other runtime loading flags (-brtl),
- # -berok will link without error, but may produce a broken library.
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
- # Determine the default libpath from the value encoded in an empty executable.
- _LT_AC_SYS_LIBPATH_AIX
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
- else
- if test "$host_cpu" = ia64; then
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
- _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
- else
- # Determine the default libpath from the value encoded in an empty executable.
- _LT_AC_SYS_LIBPATH_AIX
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
- # Warning - without using the other run time loading flags,
- # -berok will link without error, but may produce a broken library.
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
- # -bexpall does not export symbols beginning with underscore (_)
- _LT_AC_TAGVAR(always_export_symbols, $1)=yes
- # Exported symbols can be pulled into shared objects from archives
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
- # This is similar to how AIX traditionally builds it's shared libraries.
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
- fi
- fi
- ;;
- chorus*)
- case $cc_basename in
- *)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- ;;
-
-
- cygwin* | mingw* | pw32*)
- # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
- # as there is no search path for DLLs.
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
- _LT_AC_TAGVAR(always_export_symbols, $1)=no
- _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-
- if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- # If the export-symbols file already is a .def file (1st line
- # is EXPORTS), use it as is; otherwise, prepend...
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
- cp $export_symbols $output_objdir/$soname.def;
- else
- echo EXPORTS > $output_objdir/$soname.def;
- cat $export_symbols >> $output_objdir/$soname.def;
- fi~
- $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- else
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
- darwin* | rhapsody*)
- case "$host_os" in
- rhapsody* | darwin1.[[012]])
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
- ;;
- *) # Darwin 1.3 on
- if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- else
- case ${MACOSX_DEPLOYMENT_TARGET} in
- 10.[[012]])
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- ;;
- 10.*)
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
- ;;
- esac
- fi
- ;;
- esac
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
- if test "$GXX" = yes ; then
- lt_int_apple_cc_single_mod=no
- output_verbose_link_cmd='echo'
- if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
- lt_int_apple_cc_single_mod=yes
- fi
- if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- fi
- _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- fi
- _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- case "$cc_basename" in
- xlc*)
- output_verbose_link_cmd='echo'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
- _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- ;;
- *)
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- fi
- ;;
-
- dgux*)
- case $cc_basename in
- ec++)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- ghcx)
- # Green Hills C++ Compiler
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- ;;
- freebsd[12]*)
- # C++ shared libraries reported to be fairly broken before switch to ELF
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- freebsd-elf*)
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
- ;;
- freebsd* | kfreebsd*-gnu)
- # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
- # conventions
- _LT_AC_TAGVAR(ld_shlibs, $1)=yes
- ;;
- gnu*)
- ;;
- hpux9*)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
- # but as the default
- # location of the library.
-
- case $cc_basename in
- CC)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- aCC)
- _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- else
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
- esac
- ;;
- hpux10*|hpux11*)
- if test $with_gnu_ld = no; then
- case "$host_cpu" in
- hppa*64*)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- ;;
- ia64*)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- ;;
- *)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
- ;;
- esac
- fi
- case "$host_cpu" in
- hppa*64*)
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
- ia64*)
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
- # but as the default
- # location of the library.
- ;;
- *)
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
- # but as the default
- # location of the library.
- ;;
- esac
-
- case $cc_basename in
- CC)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- aCC)
- case "$host_cpu" in
- hppa*64*|ia64*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
- ;;
- *)
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
- ;;
- esac
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes; then
- if test $with_gnu_ld = no; then
- case "$host_cpu" in
- ia64*|hppa*64*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
- ;;
- *)
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
- ;;
- esac
- fi
- else
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
- esac
- ;;
- irix5* | irix6*)
- case $cc_basename in
- CC)
- # SGI C++
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
-
- # Archives containing C++ object files must be created using
- # "CC -ar", where "CC" is the IRIX C++ compiler. This is
- # necessary to make sure instantiated templates are included
- # in the archive.
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
- ;;
- *)
- if test "$GXX" = yes; then
- if test "$with_gnu_ld" = no; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
- fi
- fi
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
- ;;
- esac
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- ;;
- linux*)
- case $cc_basename in
- KCC)
- # Kuck and Associates, Inc. (KAI) C++ Compiler
-
- # KCC will only create a shared library if the output file
- # ends with ".so" (or ".sl" for HP-UX), so rename the library
- # to its proper name (with version) after linking.
- _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-
- # Archives containing C++ object files must be created using
- # "CC -Bstatic", where "CC" is the KAI C++ compiler.
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
- ;;
- icpc)
- # Intel C++
- with_gnu_ld=yes
- # version 8.0 and above of icpc choke on multiply defined symbols
- # if we add $predep_objects and $postdep_objects, however 7.1 and
- # earlier do not add the objects themselves.
- case `$CC -V 2>&1` in
- *"Version 7."*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- ;;
- *) # Version 8.0 or newer
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- ;;
- esac
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
- ;;
- cxx)
- # Compaq C++
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
-
- runpath_var=LD_RUN_PATH
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- esac
- ;;
- lynxos*)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- m88k*)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- mvs*)
- case $cc_basename in
- cxx)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- ;;
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
- wlarc=
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- fi
- # Workaround some broken pre-1.5 toolchains
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
- ;;
- openbsd2*)
- # C++ shared libraries are fairly broken
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- openbsd*)
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- fi
- output_verbose_link_cmd='echo'
- ;;
- osf3*)
- case $cc_basename in
- KCC)
- # Kuck and Associates, Inc. (KAI) C++ Compiler
-
- # KCC will only create a shared library if the output file
- # ends with ".so" (or ".sl" for HP-UX), so rename the library
- # to its proper name (with version) after linking.
- _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
- # Archives containing C++ object files must be created using
- # "CC -Bstatic", where "CC" is the KAI C++ compiler.
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
-
- ;;
- RCC)
- # Rational C++ 2.4.1
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- cxx)
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes && test "$with_gnu_ld" = no; then
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
- else
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
- esac
- ;;
- osf4* | osf5*)
- case $cc_basename in
- KCC)
- # Kuck and Associates, Inc. (KAI) C++ Compiler
-
- # KCC will only create a shared library if the output file
- # ends with ".so" (or ".sl" for HP-UX), so rename the library
- # to its proper name (with version) after linking.
- _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
- # Archives containing C++ object files must be created using
- # the KAI C++ compiler.
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
- ;;
- RCC)
- # Rational C++ 2.4.1
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- cxx)
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
- echo "-hidden">> $lib.exp~
- $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry $objdir/so_locations -o $lib~
- $rm $lib.exp'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
- ;;
- *)
- if test "$GXX" = yes && test "$with_gnu_ld" = no; then
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
-
- else
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
- esac
- ;;
- psos*)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- sco*)
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
- case $cc_basename in
- CC)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- ;;
- sunos4*)
- case $cc_basename in
- CC)
- # Sun C++ 4.x
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- lcc)
- # Lucid
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- ;;
- solaris*)
- case $cc_basename in
- CC)
- # Sun C++ 4.2, 5.x and Centerline C++
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- case $host_os in
- solaris2.[0-5] | solaris2.[0-5].*) ;;
- *)
- # The C++ compiler is used as linker so we must use $wl
- # flag to pass the commands to the underlying system
- # linker.
- # Supported since Solaris 2.6 (maybe 2.5.1?)
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
- ;;
- esac
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- #
- # There doesn't appear to be a way to prevent this compiler from
- # explicitly linking system object files so we need to strip them
- # from the output so that they don't get included in the library
- # dependencies.
- output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[[LR]]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
-
- # Archives containing C++ object files must be created using
- # "CC -xar", where "CC" is the Sun C++ compiler. This is
- # necessary to make sure instantiated templates are included
- # in the archive.
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
- ;;
- gcx)
- # Green Hills C++ Compiler
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
-
- # The C++ compiler must be used to create the archive.
- _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
- ;;
- *)
- # GNU C++ compiler with Solaris linker
- if test "$GXX" = yes && test "$with_gnu_ld" = no; then
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
- if $CC --version | grep -v '^2\.7' > /dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
- else
- # g++ 2.7 appears to require `-G' NOT `-shared' on this
- # platform.
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
-
- # Commands to make compiler produce verbose output that lists
- # what "hidden" libraries, object files and flags are used when
- # linking a shared library.
- output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
- fi
-
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
- fi
- ;;
- esac
- ;;
- sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
- ;;
- tandem*)
- case $cc_basename in
- NCC)
- # NonStop-UX NCC 3.20
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- ;;
- vxworks*)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- *)
- # FIXME: insert proper C++ library support
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
-esac
-AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-_LT_AC_TAGVAR(GCC, $1)="$GXX"
-_LT_AC_TAGVAR(LD, $1)="$LD"
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-AC_LIBTOOL_POSTDEP_PREDEP($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_POP
-CC=$lt_save_CC
-LDCXX=$LD
-LD=$lt_save_LD
-GCC=$lt_save_GCC
-with_gnu_ldcxx=$with_gnu_ld
-with_gnu_ld=$lt_save_with_gnu_ld
-lt_cv_path_LDCXX=$lt_cv_path_LD
-lt_cv_path_LD=$lt_save_path_LD
-lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
-lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
-])# AC_LIBTOOL_LANG_CXX_CONFIG
-
-# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
-# ------------------------
-# Figure out "hidden" library dependencies from verbose
-# compiler output when linking a shared library.
-# Parse the compiler output and extract the necessary
-# objects, libraries and library flags.
-AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[
-dnl we can't use the lt_simple_compile_test_code here,
-dnl because it contains code intended for an executable,
-dnl not a library. It's possible we should let each
-dnl tag define a new lt_????_link_test_code variable,
-dnl but it's only used here...
-ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
-int a;
-void foo (void) { a = 0; }
-EOF
-],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
-class Foo
-{
-public:
- Foo (void) { a = 0; }
-private:
- int a;
-};
-EOF
-],[$1],[F77],[cat > conftest.$ac_ext <<EOF
- subroutine foo
- implicit none
- integer*4 a
- a=0
- return
- end
-EOF
-],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
-public class foo {
- private int a;
- public void bar (void) {
- a = 0;
- }
-};
-EOF
-])
-dnl Parse the compiler output and extract the necessary
-dnl objects, libraries and library flags.
-if AC_TRY_EVAL(ac_compile); then
- # Parse the compiler output and extract the necessary
- # objects, libraries and library flags.
-
- # Sentinel used to keep track of whether or not we are before
- # the conftest object file.
- pre_test_object_deps_done=no
-
- # The `*' in the case matches for architectures that use `case' in
- # $output_verbose_cmd can trigger glob expansion during the loop
- # eval without this substitution.
- output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
-
- for p in `eval $output_verbose_link_cmd`; do
- case $p in
-
- -L* | -R* | -l*)
- # Some compilers place space between "-{L,R}" and the path.
- # Remove the space.
- if test $p = "-L" \
- || test $p = "-R"; then
- prev=$p
- continue
- else
- prev=
- fi
-
- if test "$pre_test_object_deps_done" = no; then
- case $p in
- -L* | -R*)
- # Internal compiler library paths should come after those
- # provided the user. The postdeps already come after the
- # user supplied libs so there is no need to process them.
- if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
- _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
- else
- _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
- fi
- ;;
- # The "-l" case would never come before the object being
- # linked, so don't bother handling this case.
- esac
- else
- if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
- _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
- else
- _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
- fi
- fi
- ;;
-
- *.$objext)
- # This assumes that the test object file only shows up
- # once in the compiler output.
- if test "$p" = "conftest.$objext"; then
- pre_test_object_deps_done=yes
- continue
- fi
-
- if test "$pre_test_object_deps_done" = no; then
- if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
- _LT_AC_TAGVAR(predep_objects, $1)="$p"
- else
- _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
- fi
- else
- if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
- _LT_AC_TAGVAR(postdep_objects, $1)="$p"
- else
- _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
- fi
- fi
- ;;
-
- *) ;; # Ignore the rest.
-
- esac
- done
-
- # Clean up.
- rm -f a.out a.exe
-else
- echo "libtool.m4: error: problem compiling $1 test program"
-fi
-
-$rm -f confest.$objext
-
-case " $_LT_AC_TAGVAR(postdeps, $1) " in
-*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
-esac
-])# AC_LIBTOOL_POSTDEP_PREDEP
-
-# AC_LIBTOOL_LANG_F77_CONFIG
-# ------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined. Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
-AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
-[AC_REQUIRE([AC_PROG_F77])
-AC_LANG_PUSH(Fortran 77)
-
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-_LT_AC_TAGVAR(allow_undefined_flag, $1)=
-_LT_AC_TAGVAR(always_export_symbols, $1)=no
-_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
-_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_direct, $1)=no
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
-_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
-_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
-_LT_AC_TAGVAR(hardcode_automatic, $1)=no
-_LT_AC_TAGVAR(module_cmds, $1)=
-_LT_AC_TAGVAR(module_expsym_cmds, $1)=
-_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
-_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
-_LT_AC_TAGVAR(no_undefined_flag, $1)=
-_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
-
-# Source file extension for f77 test sources.
-ac_ext=f
-
-# Object file extension for compiled f77 test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code=" subroutine t\n return\n end\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code=" program t\n end\n"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${F77-"f77"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
-
-AC_MSG_CHECKING([if libtool supports shared libraries])
-AC_MSG_RESULT([$can_build_shared])
-
-AC_MSG_CHECKING([whether to build shared libraries])
-test "$can_build_shared" = "no" && enable_shared=no
-
-# On AIX, shared libraries and static libraries use the same namespace, and
-# are all built from PIC.
-case "$host_os" in
-aix3*)
- test "$enable_shared" = yes && enable_static=no
- if test -n "$RANLIB"; then
- archive_cmds="$archive_cmds~\$RANLIB \$lib"
- postinstall_cmds='$RANLIB $lib'
- fi
- ;;
-aix4* | aix5*)
- test "$enable_shared" = yes && enable_static=no
- ;;
-esac
-AC_MSG_RESULT([$enable_shared])
-
-AC_MSG_CHECKING([whether to build static libraries])
-# Make sure either enable_shared or enable_static is yes.
-test "$enable_shared" = yes || enable_static=yes
-AC_MSG_RESULT([$enable_static])
-
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-_LT_AC_TAGVAR(GCC, $1)="$G77"
-_LT_AC_TAGVAR(LD, $1)="$LD"
-
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_POP
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_F77_CONFIG
-
-
-# AC_LIBTOOL_LANG_GCJ_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the C compiler are
-# suitably defined. Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
-AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
-[AC_LANG_SAVE
-
-# Source file extension for Java test sources.
-ac_ext=java
-
-# Object file extension for compiled Java test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}\n"
-
-# Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${GCJ-"gcj"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-
-# GCJ did not exist at the time GCC didn't implicitly link libc in.
-_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-
-## CAVEAT EMPTOR:
-## There is no encapsulation within the following macros, do not change
-## the running order or otherwise move them around unless you know exactly
-## what you are doing...
-AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
-AC_LIBTOOL_PROG_COMPILER_PIC($1)
-AC_LIBTOOL_PROG_CC_C_O($1)
-AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
-AC_LIBTOOL_PROG_LD_SHLIBS($1)
-AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
-AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_RESTORE
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_GCJ_CONFIG
-
-
-# AC_LIBTOOL_LANG_RC_CONFIG
-# --------------------------
-# Ensure that the configuration vars for the Windows resource compiler are
-# suitably defined. Those variables are subsequently used by
-# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
-AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
-AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
-[AC_LANG_SAVE
-
-# Source file extension for RC test sources.
-ac_ext=rc
-
-# Object file extension for compiled RC test sources.
-objext=o
-_LT_AC_TAGVAR(objext, $1)=$objext
-
-# Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
-
-# Code to be used in simple link tests
-lt_simple_link_test_code="$lt_simple_compile_test_code"
-
-# ltmain only uses $CC for tagged configurations so make sure $CC is set.
-_LT_AC_SYS_COMPILER
-
-# Allow CC to be a program name with arguments.
-lt_save_CC="$CC"
-CC=${RC-"windres"}
-compiler=$CC
-_LT_AC_TAGVAR(compiler, $1)=$CC
-_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
-
-AC_LIBTOOL_CONFIG($1)
-
-AC_LANG_RESTORE
-CC="$lt_save_CC"
-])# AC_LIBTOOL_LANG_RC_CONFIG
-
-
-# AC_LIBTOOL_CONFIG([TAGNAME])
-# ----------------------------
-# If TAGNAME is not passed, then create an initial libtool script
-# with a default configuration from the untagged config vars. Otherwise
-# add code to config.status for appending the configuration named by
-# TAGNAME from the matching tagged config vars.
-AC_DEFUN([AC_LIBTOOL_CONFIG],
-[# The else clause should only fire when bootstrapping the
-# libtool distribution, otherwise you forgot to ship ltmain.sh
-# with your package, and you will get complaints that there are
-# no rules to generate ltmain.sh.
-if test -f "$ltmain"; then
- # See if we are running on zsh, and set the options which allow our commands through
- # without removal of \ escapes.
- if test -n "${ZSH_VERSION+set}" ; then
- setopt NO_GLOB_SUBST
- fi
- # Now quote all the things that may contain metacharacters while being
- # careful not to overquote the AC_SUBSTed values. We take copies of the
- # variables and quote the copies for generation of the libtool script.
- for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
- SED SHELL STRIP \
- libname_spec library_names_spec soname_spec extract_expsyms_cmds \
- old_striplib striplib file_magic_cmd finish_cmds finish_eval \
- deplibs_check_method reload_flag reload_cmds need_locks \
- lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
- lt_cv_sys_global_symbol_to_c_name_address \
- sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
- old_postinstall_cmds old_postuninstall_cmds \
- _LT_AC_TAGVAR(compiler, $1) \
- _LT_AC_TAGVAR(CC, $1) \
- _LT_AC_TAGVAR(LD, $1) \
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
- _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
- _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
- _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
- _LT_AC_TAGVAR(old_archive_cmds, $1) \
- _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
- _LT_AC_TAGVAR(predep_objects, $1) \
- _LT_AC_TAGVAR(postdep_objects, $1) \
- _LT_AC_TAGVAR(predeps, $1) \
- _LT_AC_TAGVAR(postdeps, $1) \
- _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
- _LT_AC_TAGVAR(archive_cmds, $1) \
- _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
- _LT_AC_TAGVAR(postinstall_cmds, $1) \
- _LT_AC_TAGVAR(postuninstall_cmds, $1) \
- _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
- _LT_AC_TAGVAR(allow_undefined_flag, $1) \
- _LT_AC_TAGVAR(no_undefined_flag, $1) \
- _LT_AC_TAGVAR(export_symbols_cmds, $1) \
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
- _LT_AC_TAGVAR(hardcode_automatic, $1) \
- _LT_AC_TAGVAR(module_cmds, $1) \
- _LT_AC_TAGVAR(module_expsym_cmds, $1) \
- _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
- _LT_AC_TAGVAR(exclude_expsyms, $1) \
- _LT_AC_TAGVAR(include_expsyms, $1); do
-
- case $var in
- _LT_AC_TAGVAR(old_archive_cmds, $1) | \
- _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
- _LT_AC_TAGVAR(archive_cmds, $1) | \
- _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
- _LT_AC_TAGVAR(module_cmds, $1) | \
- _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
- _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
- _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
- extract_expsyms_cmds | reload_cmds | finish_cmds | \
- postinstall_cmds | postuninstall_cmds | \
- old_postinstall_cmds | old_postuninstall_cmds | \
- sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
- # Double-quote double-evaled strings.
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
- ;;
- *)
- eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
- ;;
- esac
- done
-
- case $lt_echo in
- *'\[$]0 --fallback-echo"')
- lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
- ;;
- esac
-
-ifelse([$1], [],
- [cfgfile="${ofile}T"
- trap "$rm \"$cfgfile\"; exit 1" 1 2 15
- $rm -f "$cfgfile"
- AC_MSG_NOTICE([creating $ofile])],
- [cfgfile="$ofile"])
-
- cat <<__EOF__ >> "$cfgfile"
-ifelse([$1], [],
-[#! $SHELL
-
-# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
-# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
-# NOTE: Changes made to this file will be lost: look at ltmain.sh.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
-# Free Software Foundation, Inc.
-#
-# This file is part of GNU Libtool:
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-# A sed program that does not truncate output.
-SED=$lt_SED
-
-# Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e s/^X//"
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-# The names of the tagged configurations supported by this script.
-available_tags=
-
-# ### BEGIN LIBTOOL CONFIG],
-[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
-
-# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
-
-# Shell to use when invoking shell scripts.
-SHELL=$lt_SHELL
-
-# Whether or not to build shared libraries.
-build_libtool_libs=$enable_shared
-
-# Whether or not to build static libraries.
-build_old_libs=$enable_static
-
-# Whether or not to add -lc for building shared libraries.
-build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
-
-# Whether or not to disallow shared libs when runtime libs are static
-allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
-
-# Whether or not to optimize for fast installation.
-fast_install=$enable_fast_install
-
-# The host system.
-host_alias=$host_alias
-host=$host
-
-# An echo program that does not interpret backslashes.
-echo=$lt_echo
-
-# The archiver.
-AR=$lt_AR
-AR_FLAGS=$lt_AR_FLAGS
-
-# A C compiler.
-LTCC=$lt_LTCC
-
-# A language-specific compiler.
-CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
-
-# Is the compiler the GNU C compiler?
-with_gcc=$_LT_AC_TAGVAR(GCC, $1)
-
-# An ERE matcher.
-EGREP=$lt_EGREP
-
-# The linker used to build libraries.
-LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
-
-# Whether we need hard or soft links.
-LN_S=$lt_LN_S
-
-# A BSD-compatible nm program.
-NM=$lt_NM
-
-# A symbol stripping program
-STRIP=$lt_STRIP
-
-# Used to examine libraries when file_magic_cmd begins "file"
-MAGIC_CMD=$MAGIC_CMD
-
-# Used on cygwin: DLL creation program.
-DLLTOOL="$DLLTOOL"
-
-# Used on cygwin: object dumper.
-OBJDUMP="$OBJDUMP"
-
-# Used on cygwin: assembler.
-AS="$AS"
-
-# The name of the directory that contains temporary libtool files.
-objdir=$objdir
-
-# How to create reloadable object files.
-reload_flag=$lt_reload_flag
-reload_cmds=$lt_reload_cmds
-
-# How to pass a linker flag through the compiler.
-wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
-
-# Object file suffix (normally "o").
-objext="$ac_objext"
-
-# Old archive suffix (normally "a").
-libext="$libext"
-
-# Shared library suffix (normally ".so").
-shrext_cmds='$shrext_cmds'
-
-# Executable file suffix (normally "").
-exeext="$exeext"
-
-# Additional compiler flags for building library objects.
-pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
-pic_mode=$pic_mode
-
-# What is the maximum length of a command?
-max_cmd_len=$lt_cv_sys_max_cmd_len
-
-# Does compiler simultaneously support -c and -o options?
-compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
-
-# Must we lock files when doing compilation ?
-need_locks=$lt_need_locks
-
-# Do we need the lib prefix for modules?
-need_lib_prefix=$need_lib_prefix
-
-# Do we need a version for libraries?
-need_version=$need_version
-
-# Whether dlopen is supported.
-dlopen_support=$enable_dlopen
-
-# Whether dlopen of programs is supported.
-dlopen_self=$enable_dlopen_self
-
-# Whether dlopen of statically linked programs is supported.
-dlopen_self_static=$enable_dlopen_self_static
-
-# Compiler flag to prevent dynamic linking.
-link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
-
-# Compiler flag to turn off builtin functions.
-no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
-
-# Compiler flag to allow reflexive dlopens.
-export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
-
-# Compiler flag to generate shared objects directly from archives.
-whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
-
-# Compiler flag to generate thread-safe objects.
-thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
-
-# Library versioning type.
-version_type=$version_type
-
-# Format of library name prefix.
-libname_spec=$lt_libname_spec
-
-# List of archive names. First name is the real one, the rest are links.
-# The last name is the one that the linker finds with -lNAME.
-library_names_spec=$lt_library_names_spec
-
-# The coded name of the library, if different from the real name.
-soname_spec=$lt_soname_spec
-
-# Commands used to build and install an old-style archive.
-RANLIB=$lt_RANLIB
-old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
-old_postinstall_cmds=$lt_old_postinstall_cmds
-old_postuninstall_cmds=$lt_old_postuninstall_cmds
-
-# Create an old-style archive from a shared archive.
-old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
-
-# Create a temporary old-style archive to link instead of a shared archive.
-old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
-
-# Commands used to build and install a shared archive.
-archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
-archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
-postinstall_cmds=$lt_postinstall_cmds
-postuninstall_cmds=$lt_postuninstall_cmds
-
-# Commands used to build a loadable module (assumed same as above if empty)
-module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
-module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
-
-# Commands to strip libraries.
-old_striplib=$lt_old_striplib
-striplib=$lt_striplib
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
-
-# Dependencies to place before the objects being linked to create a
-# shared library.
-predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
-
-# Dependencies to place after the objects being linked to create a
-# shared library.
-postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
-
-# The library search path used internally by the compiler when linking
-# a shared library.
-compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
-
-# Method to check whether dependent libraries are shared objects.
-deplibs_check_method=$lt_deplibs_check_method
-
-# Command to use when deplibs_check_method == file_magic.
-file_magic_cmd=$lt_file_magic_cmd
-
-# Flag that allows shared libraries with undefined symbols to be built.
-allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
-
-# Flag that forces no undefined symbols.
-no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
-
-# Commands used to finish a libtool library installation in a directory.
-finish_cmds=$lt_finish_cmds
-
-# Same as above, but a single script fragment to be evaled but not shown.
-finish_eval=$lt_finish_eval
-
-# Take the output of nm and produce a listing of raw symbols and C names.
-global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
-
-# Transform the output of nm in a proper C declaration
-global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
-
-# Transform the output of nm in a C name address pair
-global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
-
-# This is the shared library runtime path variable.
-runpath_var=$runpath_var
-
-# This is the shared library path variable.
-shlibpath_var=$shlibpath_var
-
-# Is shlibpath searched before the hard-coded library search path?
-shlibpath_overrides_runpath=$shlibpath_overrides_runpath
-
-# How to hardcode a shared library path into an executable.
-hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
-
-# Whether we should hardcode library paths into libraries.
-hardcode_into_libs=$hardcode_into_libs
-
-# Flag to hardcode \$libdir into a binary during linking.
-# This must work even if \$libdir does not exist.
-hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
-
-# If ld is used when linking, flag to hardcode \$libdir into
-# a binary during linking. This must work even if \$libdir does
-# not exist.
-hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
-
-# Whether we need a single -rpath flag with a separated argument.
-hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
-
-# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
-# resulting binary.
-hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
-
-# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
-# resulting binary.
-hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
-
-# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
-# the resulting binary.
-hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
-
-# Set to yes if building a shared library automatically hardcodes DIR into the library
-# and all subsequent libraries and executables linked against it.
-hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
-
-# Variables whose values should be saved in libtool wrapper scripts and
-# restored at relink time.
-variables_saved_for_relink="$variables_saved_for_relink"
-
-# Whether libtool must link a program against all its dependency libraries.
-link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
-
-# Compile-time system search path for libraries
-sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
-
-# Run-time system search path for libraries
-sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
-
-# Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)"
-
-# Set to yes if exported symbols are required.
-always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
-
-# The commands to list exported symbols.
-export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
-
-# The commands to extract the exported symbol list from a shared archive.
-extract_expsyms_cmds=$lt_extract_expsyms_cmds
-
-# Symbols that should not be listed in the preloaded symbols.
-exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
-
-# Symbols that must always be exported.
-include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
-
-ifelse([$1],[],
-[# ### END LIBTOOL CONFIG],
-[# ### END LIBTOOL TAG CONFIG: $tagname])
-
-__EOF__
-
-ifelse([$1],[], [
- case $host_os in
- aix3*)
- cat <<\EOF >> "$cfgfile"
-
-# AIX sometimes has problems with the GCC collect2 program. For some
-# reason, if we set the COLLECT_NAMES environment variable, the problems
-# vanish in a puff of smoke.
-if test "X${COLLECT_NAMES+set}" != Xset; then
- COLLECT_NAMES=
- export COLLECT_NAMES
-fi
-EOF
- ;;
- esac
-
- # We use sed instead of cat because bash on DJGPP gets confused if
- # if finds mixed CR/LF and LF-only lines. Since sed operates in
- # text mode, it properly converts lines to CR/LF. This bash problem
- # is reportedly fixed, but why not run on old versions too?
- sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
-
- mv -f "$cfgfile" "$ofile" || \
- (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
- chmod +x "$ofile"
-])
-else
- # If there is no Makefile yet, we rely on a make rule to execute
- # `config.status --recheck' to rerun these tests and create the
- # libtool script then.
- ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
- if test -f "$ltmain_in"; then
- test -f Makefile && make "$ltmain"
- fi
-fi
-])# AC_LIBTOOL_CONFIG
-
-
-# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
-# -------------------------------------------
-AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
-[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
-
-_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
-
-if test "$GCC" = yes; then
- _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
-
- AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
- lt_cv_prog_compiler_rtti_exceptions,
- [-fno-rtti -fno-exceptions], [],
- [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
-fi
-])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
-
-
-# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-# ---------------------------------
-AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
-[AC_REQUIRE([AC_CANONICAL_HOST])
-AC_REQUIRE([AC_PROG_NM])
-AC_REQUIRE([AC_OBJEXT])
-# Check for command to grab the raw symbol name followed by C symbol from nm.
-AC_MSG_CHECKING([command to parse $NM output from $compiler object])
-AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
-[
-# These are sane defaults that work on at least a few old systems.
-# [They come from Ultrix. What could be older than Ultrix?!! ;)]
-
-# Character class describing NM global symbol codes.
-symcode='[[BCDEGRST]]'
-
-# Regexp to match symbols that can be accessed directly from C.
-sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
-
-# Transform the above into a raw symbol and a C symbol.
-symxfrm='\1 \2\3 \3'
-
-# Transform an extracted symbol line into a proper C declaration
-lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
-
-# Transform an extracted symbol line into symbol name and symbol address
-lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
-
-# Define system-specific variables.
-case $host_os in
-aix*)
- symcode='[[BCDT]]'
- ;;
-cygwin* | mingw* | pw32*)
- symcode='[[ABCDGISTW]]'
- ;;
-hpux*) # Its linker distinguishes data from code symbols
- if test "$host_cpu" = ia64; then
- symcode='[[ABCDEGRST]]'
- fi
- lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
- lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
- ;;
-linux*)
- if test "$host_cpu" = ia64; then
- symcode='[[ABCDGIRSTW]]'
- lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
- lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
- fi
- ;;
-irix* | nonstopux*)
- symcode='[[BCDEGRST]]'
- ;;
-osf*)
- symcode='[[BCDEGQRST]]'
- ;;
-solaris* | sysv5*)
- symcode='[[BDRT]]'
- ;;
-sysv4)
- symcode='[[DFNSTU]]'
- ;;
-esac
-
-# Handle CRLF in mingw tool chain
-opt_cr=
-case $build_os in
-mingw*)
- opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
- ;;
-esac
-
-# If we're using GNU nm, then use its standard symbol codes.
-case `$NM -V 2>&1` in
-*GNU* | *'with BFD'*)
- symcode='[[ABCDGIRSTW]]' ;;
-esac
-
-# Try without a prefix undercore, then with it.
-for ac_symprfx in "" "_"; do
-
- # Write the raw and C identifiers.
- lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
-
- # Check to see that the pipe works correctly.
- pipe_works=no
-
- rm -f conftest*
- cat > conftest.$ac_ext <<EOF
-#ifdef __cplusplus
-extern "C" {
-#endif
-char nm_test_var;
-void nm_test_func(){}
-#ifdef __cplusplus
-}
-#endif
-int main(){nm_test_var='a';nm_test_func();return(0);}
-EOF
-
- if AC_TRY_EVAL(ac_compile); then
- # Now try to grab the symbols.
- nlist=conftest.nm
- if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
- # Try sorting and uniquifying the output.
- if sort "$nlist" | uniq > "$nlist"T; then
- mv -f "$nlist"T "$nlist"
- else
- rm -f "$nlist"T
- fi
-
- # Make sure that we snagged all the symbols we need.
- if grep ' nm_test_var$' "$nlist" >/dev/null; then
- if grep ' nm_test_func$' "$nlist" >/dev/null; then
- cat <<EOF > conftest.$ac_ext
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-EOF
- # Now generate the symbol file.
- eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
-
- cat <<EOF >> conftest.$ac_ext
-#if defined (__STDC__) && __STDC__
-# define lt_ptr_t void *
-#else
-# define lt_ptr_t char *
-# define const
-#endif
-
-/* The mapping between symbol names and symbols. */
-const struct {
- const char *name;
- lt_ptr_t address;
-}
-lt_preloaded_symbols[[]] =
-{
-EOF
- $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
- cat <<\EOF >> conftest.$ac_ext
- {0, (lt_ptr_t) 0}
-};
-
-#ifdef __cplusplus
-}
-#endif
-EOF
- # Now try linking the two files.
- mv conftest.$ac_objext conftstm.$ac_objext
- lt_save_LIBS="$LIBS"
- lt_save_CFLAGS="$CFLAGS"
- LIBS="conftstm.$ac_objext"
- CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
- if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
- pipe_works=yes
- fi
- LIBS="$lt_save_LIBS"
- CFLAGS="$lt_save_CFLAGS"
- else
- echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
- fi
- else
- echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
- fi
- else
- echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
- fi
- else
- echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
- cat conftest.$ac_ext >&5
- fi
- rm -f conftest* conftst*
-
- # Do not use the global_symbol_pipe unless it works.
- if test "$pipe_works" = yes; then
- break
- else
- lt_cv_sys_global_symbol_pipe=
- fi
-done
-])
-if test -z "$lt_cv_sys_global_symbol_pipe"; then
- lt_cv_sys_global_symbol_to_cdecl=
-fi
-if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
- AC_MSG_RESULT(failed)
-else
- AC_MSG_RESULT(ok)
-fi
-]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
-
-
-# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
-# ---------------------------------------
-AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
-[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
-_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
-_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
-
-AC_MSG_CHECKING([for $compiler option to produce PIC])
- ifelse([$1],[CXX],[
- # C++ specific cases for pic, static, wl, etc.
- if test "$GXX" = yes; then
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
- case $host_os in
- aix*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- fi
- ;;
- amigaos*)
- # FIXME: we need at least 68020 code to build shared libraries, but
- # adding the `-m68020' flag to GCC prevents building anything better,
- # like `-m68040'.
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
- ;;
- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
- # PIC is the default for these OSes.
- ;;
- mingw* | os2* | pw32*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
- ;;
- darwin* | rhapsody*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
- ;;
- *djgpp*)
- # DJGPP does not support shared libraries at all
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
- ;;
- sysv4*MP*)
- if test -d /usr/nec; then
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
- fi
- ;;
- hpux*)
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- ;;
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
- ;;
- esac
- ;;
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
- ;;
- esac
- else
- case $host_os in
- aix4* | aix5*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- else
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
- fi
- ;;
- chorus*)
- case $cc_basename in
- cxch68)
- # Green Hills C++ Compiler
- # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
- ;;
- esac
- ;;
- darwin*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- case "$cc_basename" in
- xlc*)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- ;;
- esac
- ;;
- dgux*)
- case $cc_basename in
- ec++)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- ;;
- ghcx)
- # Green Hills C++ Compiler
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
- ;;
- *)
- ;;
- esac
- ;;
- freebsd* | kfreebsd*-gnu)
- # FreeBSD uses GNU C++
- ;;
- hpux9* | hpux10* | hpux11*)
- case $cc_basename in
- CC)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
- if test "$host_cpu" != ia64; then
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
- fi
- ;;
- aCC)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
- ;;
- esac
- ;;
- *)
- ;;
- esac
- ;;
- irix5* | irix6* | nonstopux*)
- case $cc_basename in
- CC)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
- # CC pic flag -KPIC is the default.
- ;;
- *)
- ;;
- esac
- ;;
- linux*)
- case $cc_basename in
- KCC)
- # KAI C++ Compiler
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
- ;;
- icpc)
- # Intel C++
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
- ;;
- cxx)
- # Compaq C++
- # Make sure the PIC flag is empty. It appears that all Alpha
- # Linux and Compaq Tru64 Unix objects are PIC.
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
- ;;
- *)
- ;;
- esac
- ;;
- lynxos*)
- ;;
- m88k*)
- ;;
- mvs*)
- case $cc_basename in
- cxx)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
- ;;
- *)
- ;;
- esac
- ;;
- netbsd*)
- ;;
- osf3* | osf4* | osf5*)
- case $cc_basename in
- KCC)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
- ;;
- RCC)
- # Rational C++ 2.4.1
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
- ;;
- cxx)
- # Digital/Compaq C++
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- # Make sure the PIC flag is empty. It appears that all Alpha
- # Linux and Compaq Tru64 Unix objects are PIC.
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
- ;;
- *)
- ;;
- esac
- ;;
- psos*)
- ;;
- sco*)
- case $cc_basename in
- CC)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
- ;;
- *)
- ;;
- esac
- ;;
- solaris*)
- case $cc_basename in
- CC)
- # Sun C++ 4.2, 5.x and Centerline C++
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
- ;;
- gcx)
- # Green Hills C++ Compiler
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
- ;;
- *)
- ;;
- esac
- ;;
- sunos4*)
- case $cc_basename in
- CC)
- # Sun C++ 4.x
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- ;;
- lcc)
- # Lucid
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
- ;;
- *)
- ;;
- esac
- ;;
- tandem*)
- case $cc_basename in
- NCC)
- # NonStop-UX NCC 3.20
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- ;;
- *)
- ;;
- esac
- ;;
- unixware*)
- ;;
- vxworks*)
- ;;
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
- ;;
- esac
- fi
-],
-[
- if test "$GCC" = yes; then
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
-
- case $host_os in
- aix*)
- # All AIX code is PIC.
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- fi
- ;;
-
- amigaos*)
- # FIXME: we need at least 68020 code to build shared libraries, but
- # adding the `-m68020' flag to GCC prevents building anything better,
- # like `-m68040'.
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
- ;;
-
- beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
- # PIC is the default for these OSes.
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
- ;;
-
- darwin* | rhapsody*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
- ;;
-
- msdosdjgpp*)
- # Just because we use GCC doesn't mean we suddenly get shared libraries
- # on systems that don't support them.
- _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
- enable_shared=no
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
- fi
- ;;
-
- hpux*)
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
- ;;
- esac
- ;;
-
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
- ;;
- esac
- else
- # PORTME Check for flag to pass linker flags through the system compiler.
- case $host_os in
- aix*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- if test "$host_cpu" = ia64; then
- # AIX 5 now supports IA64 processor
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- else
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
- fi
- ;;
- darwin*)
- # PIC is the default on this platform
- # Common symbols not allowed in MH_DYLIB files
- case "$cc_basename" in
- xlc*)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- ;;
- esac
- ;;
-
- mingw* | pw32* | os2*)
- # This hack is so that the source file can tell whether it is being
- # built for inclusion in a dll (and should export symbols for example).
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
- ;;
-
- hpux9* | hpux10* | hpux11*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
- # not for PA HP-UX.
- case "$host_cpu" in
- hppa*64*|ia64*)
- # +Z the default
- ;;
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
- ;;
- esac
- # Is there a better lt_prog_compiler_static that works with the bundled CC?
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
- ;;
-
- irix5* | irix6* | nonstopux*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- # PIC (with -KPIC) is the default.
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
- ;;
-
- newsos6)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- ;;
-
- linux*)
- case $CC in
- icc* | ecc*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
- ;;
- ccc*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- # All Alpha code is PIC.
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
- ;;
- esac
- ;;
-
- osf3* | osf4* | osf5*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- # All OSF/1 code is PIC.
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
- ;;
-
- sco3.2v5*)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kpic'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-dn'
- ;;
-
- solaris*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- ;;
-
- sunos4*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- ;;
-
- sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
- _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec ;then
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- fi
- ;;
-
- uts4*)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
- _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
- ;;
-
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
- ;;
- esac
- fi
-])
-AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
-
-#
-# Check to make sure the PIC flag actually works.
-#
-if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
- AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
- _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1),
- [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
- [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
- "" | " "*) ;;
- *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
- esac],
- [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
- _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
-fi
-case "$host_os" in
- # For platforms which do not support PIC, -DPIC is meaningless:
- *djgpp*)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
- ;;
- *)
- _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
- ;;
-esac
-])
-
-
-# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
-# ------------------------------------
-# See if the linker supports building shared libraries.
-AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
-[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
-ifelse([$1],[CXX],[
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- case $host_os in
- aix4* | aix5*)
- # If we're using GNU nm, then we don't want the "-C" option.
- # -C means demangle to AIX nm, but means don't demangle with GNU nm
- if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
- else
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
- fi
- ;;
- pw32*)
- _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
- ;;
- cygwin* | mingw*)
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
- ;;
- *)
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- ;;
- esac
-],[
- runpath_var=
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=
- _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
- _LT_AC_TAGVAR(archive_cmds, $1)=
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
- _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
- _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
- _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
- _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
- _LT_AC_TAGVAR(hardcode_automatic, $1)=no
- _LT_AC_TAGVAR(module_cmds, $1)=
- _LT_AC_TAGVAR(module_expsym_cmds, $1)=
- _LT_AC_TAGVAR(always_export_symbols, $1)=no
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
- # include_expsyms should be a list of space-separated symbols to be *always*
- # included in the symbol list
- _LT_AC_TAGVAR(include_expsyms, $1)=
- # exclude_expsyms can be an extended regexp of symbols to exclude
- # it will be wrapped by ` (' and `)$', so one must not match beginning or
- # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
- # as well as any symbol that contains `d'.
- _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_"
- # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
- # platforms (ab)use it in PIC code, but their linkers get confused if
- # the symbol is explicitly referenced. Since portable code cannot
- # rely on this symbol name, it's probably fine to never include it in
- # preloaded symbol tables.
- extract_expsyms_cmds=
-
- case $host_os in
- cygwin* | mingw* | pw32*)
- # FIXME: the MSVC++ port hasn't been tested in a loooong time
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- if test "$GCC" != yes; then
- with_gnu_ld=no
- fi
- ;;
- openbsd*)
- with_gnu_ld=no
- ;;
- esac
-
- _LT_AC_TAGVAR(ld_shlibs, $1)=yes
- if test "$with_gnu_ld" = yes; then
- # If archive_cmds runs LD, not CC, wlarc should be empty
- wlarc='${wl}'
-
- # See if GNU ld supports shared libraries.
- case $host_os in
- aix3* | aix4* | aix5*)
- # On AIX/PPC, the GNU linker is very broken
- if test "$host_cpu" != ia64; then
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- cat <<EOF 1>&2
-
-*** Warning: the GNU linker, at least up to release 2.9.1, is reported
-*** to be unable to reliably create shared libraries on AIX.
-*** Therefore, libtool is disabling shared libraries support. If you
-*** really care for shared libraries, you may want to modify your PATH
-*** so that a non-GNU linker is found, and then restart.
-
-EOF
- fi
- ;;
-
- amigaos*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-
- # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
- # that the semantics of dynamic libraries on AmigaOS, at least up
- # to version 4, is to share data among multiple programs linked
- # with the same dynamic library. Since this doesn't match the
- # behavior of shared libraries on other platforms, we can't use
- # them.
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
-
- beos*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
- # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
- # support --undefined. This deserves some investigation. FIXME
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- else
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
-
- cygwin* | mingw* | pw32*)
- # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
- # as there is no search path for DLLs.
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
- _LT_AC_TAGVAR(always_export_symbols, $1)=no
- _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
-
- if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- # If the export-symbols file already is a .def file (1st line
- # is EXPORTS), use it as is; otherwise, prepend...
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
- cp $export_symbols $output_objdir/$soname.def;
- else
- echo EXPORTS > $output_objdir/$soname.def;
- cat $export_symbols >> $output_objdir/$soname.def;
- fi~
- $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
- else
- ld_shlibs=no
- fi
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
- wlarc=
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- fi
- ;;
-
- solaris* | sysv5*)
- if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- cat <<EOF 1>&2
-
-*** Warning: The releases 2.8.* of the GNU linker cannot reliably
-*** create shared libraries on Solaris systems. Therefore, libtool
-*** is disabling shared libraries support. We urge you to upgrade GNU
-*** binutils to release 2.9.1 or newer. Another option is to modify
-*** your PATH or compiler configuration so that the native linker is
-*** used, and then restart.
-
-EOF
- elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
-
- sunos4*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- wlarc=
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- linux*)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds"
- supports_anon_versioning=no
- case `$LD -v 2>/dev/null` in
- *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
- *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
- *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
- *\ 2.11.*) ;; # other 2.11 versions
- *) supports_anon_versioning=yes ;;
- esac
- if test $supports_anon_versioning = yes; then
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
- $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
- else
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)="$tmp_archive_cmds"
- fi
- else
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
-
- *)
- if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
- else
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- fi
- ;;
- esac
-
- if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = yes; then
- runpath_var=LD_RUN_PATH
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
- # ancient GNU ld didn't support --whole-archive et. al.
- if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
- else
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
- fi
- fi
- else
- # PORTME fill in a description of your system's linker (not GNU ld)
- case $host_os in
- aix3*)
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
- _LT_AC_TAGVAR(always_export_symbols, $1)=yes
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
- # Note: this linker hardcodes the directories in LIBPATH if there
- # are no directories specified by -L.
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- if test "$GCC" = yes && test -z "$link_static_flag"; then
- # Neither direct hardcoding nor static linking is supported with a
- # broken collect2.
- _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
- fi
- ;;
-
- aix4* | aix5*)
- if test "$host_cpu" = ia64; then
- # On IA64, the linker does run time linking by default, so we don't
- # have to do anything special.
- aix_use_runtimelinking=no
- exp_sym_flag='-Bexport'
- no_entry_flag=""
- else
- # If we're using GNU nm, then we don't want the "-C" option.
- # -C means demangle to AIX nm, but means don't demangle with GNU nm
- if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
- else
- _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
- fi
- aix_use_runtimelinking=no
-
- # Test if we are trying to use run time linking or normal
- # AIX style linking. If -brtl is somewhere in LDFLAGS, we
- # need to do runtime linking.
- case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
- for ld_flag in $LDFLAGS; do
- if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
- aix_use_runtimelinking=yes
- break
- fi
- done
- esac
-
- exp_sym_flag='-bexport'
- no_entry_flag='-bnoentry'
- fi
-
- # When large executables or shared objects are built, AIX ld can
- # have problems creating the table of contents. If linking a library
- # or program results in "error TOC overflow" add -mminimal-toc to
- # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
- # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
-
- _LT_AC_TAGVAR(archive_cmds, $1)=''
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
- if test "$GCC" = yes; then
- case $host_os in aix4.[012]|aix4.[012].*)
- # We only want to do this on AIX 4.2 and lower, the check
- # below for broken collect2 doesn't work under 4.3+
- collect2name=`${CC} -print-prog-name=collect2`
- if test -f "$collect2name" && \
- strings "$collect2name" | grep resolve_lib_name >/dev/null
- then
- # We have reworked collect2
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- else
- # We have old collect2
- _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
- # It fails to find uninstalled libraries when the uninstalled
- # path is not listed in the libpath. Setting hardcode_minus_L
- # to unsupported forces relinking
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
- fi
- esac
- shared_flag='-shared'
- else
- # not using gcc
- if test "$host_cpu" = ia64; then
- # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
- # chokes on -Wl,-G. The following line is correct:
- shared_flag='-G'
- else
- if test "$aix_use_runtimelinking" = yes; then
- shared_flag='${wl}-G'
- else
- shared_flag='${wl}-bM:SRE'
- fi
- fi
- fi
-
- # It seems that -bexpall does not export symbols beginning with
- # underscore (_), so it is better to generate a list of symbols to export.
- _LT_AC_TAGVAR(always_export_symbols, $1)=yes
- if test "$aix_use_runtimelinking" = yes; then
- # Warning - without using the other runtime loading flags (-brtl),
- # -berok will link without error, but may produce a broken library.
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
- # Determine the default libpath from the value encoded in an empty executable.
- _LT_AC_SYS_LIBPATH_AIX
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
- else
- if test "$host_cpu" = ia64; then
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
- _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
- else
- # Determine the default libpath from the value encoded in an empty executable.
- _LT_AC_SYS_LIBPATH_AIX
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
- # Warning - without using the other run time loading flags,
- # -berok will link without error, but may produce a broken library.
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
- # -bexpall does not export symbols beginning with underscore (_)
- _LT_AC_TAGVAR(always_export_symbols, $1)=yes
- # Exported symbols can be pulled into shared objects from archives
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
- # This is similar to how AIX traditionally builds it's shared libraries.
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
- fi
- fi
- ;;
-
- amigaos*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- # see comment about different semantics on the GNU ld section
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
-
- bsdi[[45]]*)
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
- ;;
-
- cygwin* | mingw* | pw32*)
- # When not using gcc, we currently assume that we are using
- # Microsoft Visual C++.
- # hardcode_libdir_flag_spec is actually meaningless, as there is
- # no search path for DLLs.
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
- # Tell ltmain to make .lib files, not .a files.
- libext=lib
- # Tell ltmain to make .dll files, not .so files.
- shrext_cmds=".dll"
- # FIXME: Setting linknames here is a bad hack.
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
- # The linker will automatically build a .lib file if we build a DLL.
- _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
- # FIXME: Should let the user specify the lib program.
- _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
- fix_srcfile_path='`cygpath -w "$srcfile"`'
- _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
- ;;
-
- darwin* | rhapsody*)
- case "$host_os" in
- rhapsody* | darwin1.[[012]])
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
- ;;
- *) # Darwin 1.3 on
- if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- else
- case ${MACOSX_DEPLOYMENT_TARGET} in
- 10.[[012]])
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
- ;;
- 10.*)
- _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
- ;;
- esac
- fi
- ;;
- esac
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
- if test "$GCC" = yes ; then
- output_verbose_link_cmd='echo'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
- _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- else
- case "$cc_basename" in
- xlc*)
- output_verbose_link_cmd='echo'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
- _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
- # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
- ;;
- *)
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- fi
- ;;
-
- dgux*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- freebsd1*)
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
-
- # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
- # support. Future versions do this automatically, but an explicit c++rt0.o
- # does not break anything, and helps significantly (at the cost of a little
- # extra space).
- freebsd2.2*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- # Unfortunately, older versions of FreeBSD 2 do not have this feature.
- freebsd2*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
- freebsd* | kfreebsd*-gnu)
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- hpux9*)
- if test "$GCC" = yes; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
- fi
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
- ;;
-
- hpux10* | hpux11*)
- if test "$GCC" = yes -a "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*|ia64*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- *)
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
- ;;
- esac
- else
- case "$host_cpu" in
- hppa*64*|ia64*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
- ;;
- *)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
- ;;
- esac
- fi
- if test "$with_gnu_ld" = no; then
- case "$host_cpu" in
- hppa*64*)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
- ia64*)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- ;;
- *)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-
- # hardcode_minus_L: Not really in the search PATH,
- # but as the default location of the library.
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- ;;
- esac
- fi
- ;;
-
- irix5* | irix6* | nonstopux*)
- if test "$GCC" = yes; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
- fi
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
- ;;
-
- netbsd*)
- if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
- fi
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- newsos6)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- openbsd*)
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
- else
- case $host_os in
- openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- ;;
- *)
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
- ;;
- esac
- fi
- ;;
-
- os2*)
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
- _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
- _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
- ;;
-
- osf3*)
- if test "$GCC" = yes; then
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- else
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- fi
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- ;;
-
- osf4* | osf5*) # as osf3* with the addition of -msym flag
- if test "$GCC" = yes; then
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
- else
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
- $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
-
- # Both c and cxx compiler support -rpath directly
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
- fi
- _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
- ;;
-
- sco3.2v5*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- ;;
-
- solaris*)
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
- if test "$GCC" = yes; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- fi
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- case $host_os in
- solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
- *) # Supported since Solaris 2.6 (maybe 2.5.1?)
- _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
- esac
- _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
- ;;
-
- sunos4*)
- if test "x$host_vendor" = xsequent; then
- # Use $CC to link under sequent, because it throws in some extra .o
- # files that make .init and .fini sections work.
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
- fi
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- sysv4)
- case $host_vendor in
- sni)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
- ;;
- siemens)
- ## LD is ld it makes a PLAMLIB
- ## CC just makes a GrossModule.
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
- _LT_AC_TAGVAR(hardcode_direct, $1)=no
- ;;
- motorola)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
- ;;
- esac
- runpath_var='LD_RUN_PATH'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- sysv4.3*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
- ;;
-
- sysv4*MP*)
- if test -d /usr/nec; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- runpath_var=LD_RUN_PATH
- hardcode_runpath_var=yes
- _LT_AC_TAGVAR(ld_shlibs, $1)=yes
- fi
- ;;
-
- sysv4.2uw2*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_direct, $1)=yes
- _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- hardcode_runpath_var=yes
- runpath_var=LD_RUN_PATH
- ;;
-
- sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
- _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z ${wl}text'
- if test "$GCC" = yes; then
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- else
- _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
- fi
- runpath_var='LD_RUN_PATH'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- sysv5*)
- _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
- # $CC -shared without GNU ld will not create a library from C++
- # object files and a static libstdc++, better avoid it by now
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
- $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- runpath_var='LD_RUN_PATH'
- ;;
-
- uts4*)
- _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
- _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
- _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
- ;;
-
- *)
- _LT_AC_TAGVAR(ld_shlibs, $1)=no
- ;;
- esac
- fi
-])
-AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
- variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
-#
-# Do we need to explicitly link libc?
-#
-case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
-x|xyes)
- # Assume -lc should be added
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-
- if test "$enable_shared" = yes && test "$GCC" = yes; then
- case $_LT_AC_TAGVAR(archive_cmds, $1) in
- *'~'*)
- # FIXME: we may have to deal with multi-command sequences.
- ;;
- '$CC '*)
- # Test whether the compiler implicitly links with -lc since on some
- # systems, -lgcc has to come before -lc. If gcc already passes -lc
- # to ld, don't add -lc before -lgcc.
- AC_MSG_CHECKING([whether -lc should be explicitly linked in])
- $rm conftest*
- printf "$lt_simple_compile_test_code" > conftest.$ac_ext
-
- if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
- soname=conftest
- lib=conftest
- libobjs=conftest.$ac_objext
- deplibs=
- wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
- compiler_flags=-v
- linker_flags=-v
- verstring=
- output_objdir=.
- libname=conftest
- lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=
- if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
- then
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
- else
- _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
- fi
- _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
- else
- cat conftest.err 1>&5
- fi
- $rm conftest*
- AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
- ;;
- esac
- fi
- ;;
-esac
-])# AC_LIBTOOL_PROG_LD_SHLIBS
-
-
-# _LT_AC_FILE_LTDLL_C
-# -------------------
-# Be careful that the start marker always follows a newline.
-AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
-# /* ltdll.c starts here */
-# #define WIN32_LEAN_AND_MEAN
-# #include <windows.h>
-# #undef WIN32_LEAN_AND_MEAN
-# #include <stdio.h>
-#
-# #ifndef __CYGWIN__
-# # ifdef __CYGWIN32__
-# # define __CYGWIN__ __CYGWIN32__
-# # endif
-# #endif
-#
-# #ifdef __cplusplus
-# extern "C" {
-# #endif
-# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
-# #ifdef __cplusplus
-# }
-# #endif
-#
-# #ifdef __CYGWIN__
-# #include <cygwin/cygwin_dll.h>
-# DECLARE_CYGWIN_DLL( DllMain );
-# #endif
-# HINSTANCE __hDllInstance_base;
-#
-# BOOL APIENTRY
-# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
-# {
-# __hDllInstance_base = hInst;
-# return TRUE;
-# }
-# /* ltdll.c ends here */
-])# _LT_AC_FILE_LTDLL_C
-
-
-# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
-# ---------------------------------
-AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
-
-
-# old names
-AC_DEFUN([AM_PROG_LIBTOOL], [AC_PROG_LIBTOOL])
-AC_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
-AC_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
-AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
-AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
-AC_DEFUN([AM_PROG_LD], [AC_PROG_LD])
-AC_DEFUN([AM_PROG_NM], [AC_PROG_NM])
-
-# This is just to silence aclocal about the macro not being used
-ifelse([AC_DISABLE_FAST_INSTALL])
-
-AC_DEFUN([LT_AC_PROG_GCJ],
-[AC_CHECK_TOOL(GCJ, gcj, no)
- test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
- AC_SUBST(GCJFLAGS)
-])
-
-AC_DEFUN([LT_AC_PROG_RC],
-[AC_CHECK_TOOL(RC, windres, no)
-])
-
-############################################################
-# NOTE: This macro has been submitted for inclusion into #
-# GNU Autoconf as AC_PROG_SED. When it is available in #
-# a released version of Autoconf we should remove this #
-# macro and use it instead. #
-############################################################
-# LT_AC_PROG_SED
-# --------------
-# Check for a fully-functional sed program, that truncates
-# as few characters as possible. Prefer GNU sed if found.
-AC_DEFUN([LT_AC_PROG_SED],
-[AC_MSG_CHECKING([for a sed that does not truncate output])
-AC_CACHE_VAL(lt_cv_path_SED,
-[# Loop through the user's path and test for sed and gsed.
-# Then use that list of sed's as ones to test for truncation.
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
-for as_dir in $PATH
-do
- IFS=$as_save_IFS
- test -z "$as_dir" && as_dir=.
- for lt_ac_prog in sed gsed; do
- for ac_exec_ext in '' $ac_executable_extensions; do
- if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
- lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
- fi
- done
- done
-done
-lt_ac_max=0
-lt_ac_count=0
-# Add /usr/xpg4/bin/sed as it is typically found on Solaris
-# along with /bin/sed that truncates output.
-for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
- test ! -f $lt_ac_sed && break
- cat /dev/null > conftest.in
- lt_ac_count=0
- echo $ECHO_N "0123456789$ECHO_C" >conftest.in
- # Check for GNU sed and select it if it is found.
- if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
- lt_cv_path_SED=$lt_ac_sed
- break
- fi
- while true; do
- cat conftest.in conftest.in >conftest.tmp
- mv conftest.tmp conftest.in
- cp conftest.in conftest.nl
- echo >>conftest.nl
- $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
- cmp -s conftest.out conftest.nl || break
- # 10000 chars as input seems more than enough
- test $lt_ac_count -gt 10 && break
- lt_ac_count=`expr $lt_ac_count + 1`
- if test $lt_ac_count -gt $lt_ac_max; then
- lt_ac_max=$lt_ac_count
- lt_cv_path_SED=$lt_ac_sed
- fi
- done
-done
-])
-SED=$lt_cv_path_SED
-AC_MSG_RESULT([$SED])
-])
diff --git a/contrib/bind9/ltmain.sh b/contrib/bind9/ltmain.sh
deleted file mode 100644
index a6453bbad4a5..000000000000
--- a/contrib/bind9/ltmain.sh
+++ /dev/null
@@ -1,6408 +0,0 @@
-# ltmain.sh - Provide generalized library-building support services.
-# NOTE: Changing this file will not affect anything until you rerun configure.
-#
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004
-# Free Software Foundation, Inc.
-# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-# As a special exception to the GNU General Public License, if you
-# distribute this file as part of a program that contains a
-# configuration script generated by Autoconf, you may include it under
-# the same distribution terms that you use for the rest of that program.
-
-basename="s,^.*/,,g"
-
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
-
-# The name of this program:
-progname=`echo "$progpath" | $SED $basename`
-modename="$progname"
-
-# Global variables:
-EXIT_SUCCESS=0
-EXIT_FAILURE=1
-
-PROGRAM=ltmain.sh
-PACKAGE=libtool
-VERSION=1.5.10
-TIMESTAMP=" (1.1220.2.131 2004/09/19 12:46:56)"
-
-# See if we are running on zsh, and set the options which allow our
-# commands through without removal of \ escapes.
-if test -n "${ZSH_VERSION+set}" ; then
- setopt NO_GLOB_SUBST
-fi
-
-# Check that we have a working $echo.
-if test "X$1" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
-elif test "X$1" = X--fallback-echo; then
- # Avoid inline document here, it may be left over
- :
-elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
- # Yippee, $echo works!
- :
-else
- # Restart under the correct shell, and then maybe $echo will work.
- exec $SHELL "$progpath" --no-reexec ${1+"$@"}
-fi
-
-if test "X$1" = X--fallback-echo; then
- # used as fallback echo
- shift
- cat <<EOF
-$*
-EOF
- exit $EXIT_SUCCESS
-fi
-
-default_mode=
-help="Try \`$progname --help' for more information."
-magic="%%%MAGIC variable%%%"
-mkdir="mkdir"
-mv="mv -f"
-rm="rm -f"
-
-# Sed substitution that helps us do robust quoting. It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed="${SED}"' -e 1s/^X//'
-sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
-# test EBCDIC or ASCII
-case `echo A|tr A '\301'` in
- A) # EBCDIC based system
- SP2NL="tr '\100' '\n'"
- NL2SP="tr '\r\n' '\100\100'"
- ;;
- *) # Assume ASCII based system
- SP2NL="tr '\040' '\012'"
- NL2SP="tr '\015\012' '\040\040'"
- ;;
-esac
-
-# NLS nuisances.
-# Only set LANG and LC_ALL to C if already set.
-# These must not be set unconditionally because not all systems understand
-# e.g. LANG=C (notably SCO).
-# We save the old values to restore during execute mode.
-if test "${LC_ALL+set}" = set; then
- save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
-fi
-if test "${LANG+set}" = set; then
- save_LANG="$LANG"; LANG=C; export LANG
-fi
-
-# Make sure IFS has a sensible default
-: ${IFS="
-"}
-
-if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
- $echo "$modename: not configured to build any kind of library" 1>&2
- $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
- exit $EXIT_FAILURE
-fi
-
-# Global variables.
-mode=$default_mode
-nonopt=
-prev=
-prevopt=
-run=
-show="$echo"
-show_help=
-execute_dlfiles=
-lo2o="s/\\.lo\$/.${objext}/"
-o2lo="s/\\.${objext}\$/.lo/"
-
-#####################################
-# Shell function definitions:
-# This seems to be the best place for them
-
-# func_win32_libid arg
-# return the library type of file 'arg'
-#
-# Need a lot of goo to handle *both* DLLs and import libs
-# Has to be a shell function in order to 'eat' the argument
-# that is supplied when $file_magic_command is called.
-func_win32_libid () {
- win32_libid_type="unknown"
- win32_fileres=`file -L $1 2>/dev/null`
- case $win32_fileres in
- *ar\ archive\ import\ library*) # definitely import
- win32_libid_type="x86 archive import"
- ;;
- *ar\ archive*) # could be an import, or static
- if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
- $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
- win32_nmres=`eval $NM -f posix -A $1 | \
- sed -n -e '1,100{/ I /{x;/import/!{s/^/import/;h;p;};x;};}'`
- if test "X$win32_nmres" = "Ximport" ; then
- win32_libid_type="x86 archive import"
- else
- win32_libid_type="x86 archive static"
- fi
- fi
- ;;
- *DLL*)
- win32_libid_type="x86 DLL"
- ;;
- *executable*) # but shell scripts are "executable" too...
- case $win32_fileres in
- *MS\ Windows\ PE\ Intel*)
- win32_libid_type="x86 DLL"
- ;;
- esac
- ;;
- esac
- $echo $win32_libid_type
-}
-
-
-# func_infer_tag arg
-# Infer tagged configuration to use if any are available and
-# if one wasn't chosen via the "--tag" command line option.
-# Only attempt this if the compiler in the base compile
-# command doesn't match the default compiler.
-# arg is usually of the form 'gcc ...'
-func_infer_tag () {
- if test -n "$available_tags" && test -z "$tagname"; then
- CC_quoted=
- for arg in $CC; do
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- arg="\"$arg\""
- ;;
- esac
- CC_quoted="$CC_quoted $arg"
- done
- case $@ in
- # Blanks in the command may have been stripped by the calling shell,
- # but not from the CC environment variable when configure was run.
- " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*) ;;
- # Blanks at the start of $base_compile will cause this to fail
- # if we don't check for them as well.
- *)
- for z in $available_tags; do
- if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
- # Evaluate the configuration.
- eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
- CC_quoted=
- for arg in $CC; do
- # Double-quote args containing other shell metacharacters.
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- arg="\"$arg\""
- ;;
- esac
- CC_quoted="$CC_quoted $arg"
- done
- case "$@ " in
- " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "* | " $CC_quoted"* | "$CC_quoted "* | " `$echo $CC_quoted` "* | "`$echo $CC_quoted` "*)
- # The compiler in the base compile command matches
- # the one in the tagged configuration.
- # Assume this is the tagged configuration we want.
- tagname=$z
- break
- ;;
- esac
- fi
- done
- # If $tagname still isn't set, then no tagged configuration
- # was found and let the user know that the "--tag" command
- # line option must be used.
- if test -z "$tagname"; then
- $echo "$modename: unable to infer tagged configuration"
- $echo "$modename: specify a tag with \`--tag'" 1>&2
- exit $EXIT_FAILURE
-# else
-# $echo "$modename: using $tagname tagged configuration"
- fi
- ;;
- esac
- fi
-}
-
-
-# func_extract_archives gentop oldlib ...
-func_extract_archives () {
- my_gentop="$1"; shift
- my_oldlibs=${1+"$@"}
- my_oldobjs=""
- my_xlib=""
- my_xabs=""
- my_xdir=""
- my_status=""
-
- $show "${rm}r $my_gentop"
- $run ${rm}r "$my_gentop"
- $show "$mkdir $my_gentop"
- $run $mkdir "$my_gentop"
- my_status=$?
- if test "$my_status" -ne 0 && test ! -d "$my_gentop"; then
- exit $my_status
- fi
-
- for my_xlib in $my_oldlibs; do
- # Extract the objects.
- case $my_xlib in
- [\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
- *) my_xabs=`pwd`"/$my_xlib" ;;
- esac
- my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
- my_xdir="$my_gentop/$my_xlib"
-
- $show "${rm}r $my_xdir"
- $run ${rm}r "$my_xdir"
- $show "$mkdir $my_xdir"
- $run $mkdir "$my_xdir"
- status=$?
- if test "$status" -ne 0 && test ! -d "$my_xdir"; then
- exit $status
- fi
- case $host in
- *-darwin*)
- $show "Extracting $my_xabs"
- # Do not bother doing anything if just a dry run
- if test -z "$run"; then
- darwin_orig_dir=`pwd`
- cd $my_xdir || exit $?
- darwin_archive=$my_xabs
- darwin_curdir=`pwd`
- darwin_base_archive=`basename $darwin_archive`
- darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
- if test -n "$darwin_arches"; then
- darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
- darwin_arch=
- $show "$darwin_base_archive has multiple architectures $darwin_arches"
- for darwin_arch in $darwin_arches ; do
- mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
- lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
- # Remove the table of contents from the thin files.
- $AR -d "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" __.SYMDEF 2>/dev/null || true
- $AR -d "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" __.SYMDEF\ SORTED 2>/dev/null || true
- cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
- $AR -xo "${darwin_base_archive}"
- rm "${darwin_base_archive}"
- cd "$darwin_curdir"
- done # $darwin_arches
- ## Okay now we have a bunch of thin objects, gotta fatten them up :)
- darwin_filelist=`find unfat-$$ -type f | xargs basename | sort -u | $NL2SP`
- darwin_file=
- darwin_files=
- for darwin_file in $darwin_filelist; do
- darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
- lipo -create -output "$darwin_file" $darwin_files
- done # $darwin_filelist
- rm -rf unfat-$$
- cd "$darwin_orig_dir"
- else
- cd $darwin_orig_dir
- (cd $my_xdir && $AR x $my_xabs) || exit $?
- fi # $darwin_arches
- fi # $run
- ;;
- *)
- # We will extract separately just the conflicting names and we will
- # no longer touch any unique names. It is faster to leave these
- # extract automatically by $AR in one run.
- $show "(cd $my_xdir && $AR x $my_xabs)"
- $run eval "(cd \$my_xdir && $AR x \$my_xabs)" || exit $?
- if ($AR t "$my_xabs" | sort | sort -uc >/dev/null 2>&1); then
- :
- else
- $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
- $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
- $AR t "$my_xabs" | sort | uniq -cd | while read -r count name
- do
- i=1
- while test "$i" -le "$count"
- do
- # Put our $i before any first dot (extension)
- # Never overwrite any file
- name_to="$name"
- while test "X$name_to" = "X$name" || test -f "$my_xdir/$name_to"
- do
- name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
- done
- $show "(cd $my_xdir && $AR xN $i $my_xabs '$name' && $mv '$name' '$name_to')"
- $run eval "(cd \$my_xdir && $AR xN $i \$my_xabs '$name' && $mv '$name' '$name_to')" || exit $?
- i=`expr $i + 1`
- done
- done
- fi
- ;;
- esac
- my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
- done
-
- func_extract_archives_result="$my_oldobjs"
-}
-# End of Shell function definitions
-#####################################
-
-# Darwin sucks
-eval std_shrext=\"$shrext_cmds\"
-
-# Parse our command line options once, thoroughly.
-while test "$#" -gt 0
-do
- arg="$1"
- shift
-
- case $arg in
- -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
- *) optarg= ;;
- esac
-
- # If the previous option needs an argument, assign it.
- if test -n "$prev"; then
- case $prev in
- execute_dlfiles)
- execute_dlfiles="$execute_dlfiles $arg"
- ;;
- tag)
- tagname="$arg"
- preserve_args="${preserve_args}=$arg"
-
- # Check whether tagname contains only valid characters
- case $tagname in
- *[!-_A-Za-z0-9,/]*)
- $echo "$progname: invalid tag name: $tagname" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- case $tagname in
- CC)
- # Don't test for the "default" C tag, as we know, it's there, but
- # not specially marked.
- ;;
- *)
- if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$progpath" > /dev/null; then
- taglist="$taglist $tagname"
- # Evaluate the configuration.
- eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $progpath`"
- else
- $echo "$progname: ignoring unknown tag $tagname" 1>&2
- fi
- ;;
- esac
- ;;
- *)
- eval "$prev=\$arg"
- ;;
- esac
-
- prev=
- prevopt=
- continue
- fi
-
- # Have we seen a non-optional argument yet?
- case $arg in
- --help)
- show_help=yes
- ;;
-
- --version)
- $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
- $echo
- $echo "Copyright (C) 2003 Free Software Foundation, Inc."
- $echo "This is free software; see the source for copying conditions. There is NO"
- $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
- exit $EXIT_SUCCESS
- ;;
-
- --config)
- ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $progpath
- # Now print the configurations for the tags.
- for tagname in $taglist; do
- ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
- done
- exit $EXIT_SUCCESS
- ;;
-
- --debug)
- $echo "$progname: enabling shell trace mode"
- set -x
- preserve_args="$preserve_args $arg"
- ;;
-
- --dry-run | -n)
- run=:
- ;;
-
- --features)
- $echo "host: $host"
- if test "$build_libtool_libs" = yes; then
- $echo "enable shared libraries"
- else
- $echo "disable shared libraries"
- fi
- if test "$build_old_libs" = yes; then
- $echo "enable static libraries"
- else
- $echo "disable static libraries"
- fi
- exit $EXIT_SUCCESS
- ;;
-
- --finish) mode="finish" ;;
-
- --mode) prevopt="--mode" prev=mode ;;
- --mode=*) mode="$optarg" ;;
-
- --preserve-dup-deps) duplicate_deps="yes" ;;
-
- --quiet | --silent)
- show=:
- preserve_args="$preserve_args $arg"
- ;;
-
- --tag) prevopt="--tag" prev=tag ;;
- --tag=*)
- set tag "$optarg" ${1+"$@"}
- shift
- prev=tag
- preserve_args="$preserve_args --tag"
- ;;
-
- -dlopen)
- prevopt="-dlopen"
- prev=execute_dlfiles
- ;;
-
- -*)
- $echo "$modename: unrecognized option \`$arg'" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- ;;
-
- *)
- nonopt="$arg"
- break
- ;;
- esac
-done
-
-if test -n "$prevopt"; then
- $echo "$modename: option \`$prevopt' requires an argument" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
-fi
-
-# If this variable is set in any of the actions, the command in it
-# will be execed at the end. This prevents here-documents from being
-# left over by shells.
-exec_cmd=
-
-if test -z "$show_help"; then
-
- # Infer the operation mode.
- if test -z "$mode"; then
- $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
- $echo "*** Future versions of Libtool will require -mode=MODE be specified." 1>&2
- case $nonopt in
- *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
- mode=link
- for arg
- do
- case $arg in
- -c)
- mode=compile
- break
- ;;
- esac
- done
- ;;
- *db | *dbx | *strace | *truss)
- mode=execute
- ;;
- *install*|cp|mv)
- mode=install
- ;;
- *rm)
- mode=uninstall
- ;;
- *)
- # If we have no mode, but dlfiles were specified, then do execute mode.
- test -n "$execute_dlfiles" && mode=execute
-
- # Just use the default operation mode.
- if test -z "$mode"; then
- if test -n "$nonopt"; then
- $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
- else
- $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
- fi
- fi
- ;;
- esac
- fi
-
- # Only execute mode is allowed to have -dlopen flags.
- if test -n "$execute_dlfiles" && test "$mode" != execute; then
- $echo "$modename: unrecognized option \`-dlopen'" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Change the help message to a mode-specific one.
- generic_help="$help"
- help="Try \`$modename --help --mode=$mode' for more information."
-
- # These modes are in order of execution frequency so that they run quickly.
- case $mode in
- # libtool compile mode
- compile)
- modename="$modename: compile"
- # Get the compilation command and the source file.
- base_compile=
- srcfile="$nonopt" # always keep a non-empty value in "srcfile"
- suppress_opt=yes
- suppress_output=
- arg_mode=normal
- libobj=
- later=
-
- for arg
- do
- case "$arg_mode" in
- arg )
- # do not "continue". Instead, add this to base_compile
- lastarg="$arg"
- arg_mode=normal
- ;;
-
- target )
- libobj="$arg"
- arg_mode=normal
- continue
- ;;
-
- normal )
- # Accept any command-line options.
- case $arg in
- -o)
- if test -n "$libobj" ; then
- $echo "$modename: you cannot specify \`-o' more than once" 1>&2
- exit $EXIT_FAILURE
- fi
- arg_mode=target
- continue
- ;;
-
- -static | -prefer-pic | -prefer-non-pic)
- later="$later $arg"
- continue
- ;;
-
- -no-suppress)
- suppress_opt=no
- continue
- ;;
-
- -Xcompiler)
- arg_mode=arg # the next one goes into the "base_compile" arg list
- continue # The current "srcfile" will either be retained or
- ;; # replaced later. I would guess that would be a bug.
-
- -Wc,*)
- args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
- lastarg=
- save_ifs="$IFS"; IFS=','
- for arg in $args; do
- IFS="$save_ifs"
-
- # Double-quote args containing other shell metacharacters.
- # Many Bourne shells cannot handle close brackets correctly
- # in scan sets, so we specify it separately.
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- arg="\"$arg\""
- ;;
- esac
- lastarg="$lastarg $arg"
- done
- IFS="$save_ifs"
- lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
-
- # Add the arguments to base_compile.
- base_compile="$base_compile $lastarg"
- continue
- ;;
-
- * )
- # Accept the current argument as the source file.
- # The previous "srcfile" becomes the current argument.
- #
- lastarg="$srcfile"
- srcfile="$arg"
- ;;
- esac # case $arg
- ;;
- esac # case $arg_mode
-
- # Aesthetically quote the previous argument.
- lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
-
- case $lastarg in
- # Double-quote args containing other shell metacharacters.
- # Many Bourne shells cannot handle close brackets correctly
- # in scan sets, so we specify it separately.
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- lastarg="\"$lastarg\""
- ;;
- esac
-
- base_compile="$base_compile $lastarg"
- done # for arg
-
- case $arg_mode in
- arg)
- $echo "$modename: you must specify an argument for -Xcompile"
- exit $EXIT_FAILURE
- ;;
- target)
- $echo "$modename: you must specify a target with \`-o'" 1>&2
- exit $EXIT_FAILURE
- ;;
- *)
- # Get the name of the library object.
- [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
- ;;
- esac
-
- # Recognize several different file suffixes.
- # If the user specifies -o file.o, it is replaced with file.lo
- xform='[cCFSifmso]'
- case $libobj in
- *.ada) xform=ada ;;
- *.adb) xform=adb ;;
- *.ads) xform=ads ;;
- *.asm) xform=asm ;;
- *.c++) xform=c++ ;;
- *.cc) xform=cc ;;
- *.ii) xform=ii ;;
- *.class) xform=class ;;
- *.cpp) xform=cpp ;;
- *.cxx) xform=cxx ;;
- *.f90) xform=f90 ;;
- *.for) xform=for ;;
- *.java) xform=java ;;
- esac
-
- libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
-
- case $libobj in
- *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
- *)
- $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- func_infer_tag $base_compile
-
- for arg in $later; do
- case $arg in
- -static)
- build_old_libs=yes
- continue
- ;;
-
- -prefer-pic)
- pic_mode=yes
- continue
- ;;
-
- -prefer-non-pic)
- pic_mode=no
- continue
- ;;
- esac
- done
-
- objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
- xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
- if test "X$xdir" = "X$obj"; then
- xdir=
- else
- xdir=$xdir/
- fi
- lobj=${xdir}$objdir/$objname
-
- if test -z "$base_compile"; then
- $echo "$modename: you must specify a compilation command" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Delete any leftover library objects.
- if test "$build_old_libs" = yes; then
- removelist="$obj $lobj $libobj ${libobj}T"
- else
- removelist="$lobj $libobj ${libobj}T"
- fi
-
- $run $rm $removelist
- trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
-
- # On Cygwin there's no "real" PIC flag so we must build both object types
- case $host_os in
- cygwin* | mingw* | pw32* | os2*)
- pic_mode=default
- ;;
- esac
- if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then
- # non-PIC code in shared libraries is not supported
- pic_mode=default
- fi
-
- # Calculate the filename of the output object if compiler does
- # not support -o with -c
- if test "$compiler_c_o" = no; then
- output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
- lockfile="$output_obj.lock"
- removelist="$removelist $output_obj $lockfile"
- trap "$run $rm $removelist; exit $EXIT_FAILURE" 1 2 15
- else
- output_obj=
- need_locks=no
- lockfile=
- fi
-
- # Lock this critical section if it is needed
- # We use this script file to make the link, it avoids creating a new file
- if test "$need_locks" = yes; then
- until $run ln "$progpath" "$lockfile" 2>/dev/null; do
- $show "Waiting for $lockfile to be removed"
- sleep 2
- done
- elif test "$need_locks" = warn; then
- if test -f "$lockfile"; then
- $echo "\
-*** ERROR, $lockfile exists and contains:
-`cat $lockfile 2>/dev/null`
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together. If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
- $run $rm $removelist
- exit $EXIT_FAILURE
- fi
- $echo $srcfile > "$lockfile"
- fi
-
- if test -n "$fix_srcfile_path"; then
- eval srcfile=\"$fix_srcfile_path\"
- fi
-
- $run $rm "$libobj" "${libobj}T"
-
- # Create a libtool object file (analogous to a ".la" file),
- # but don't create it if we're doing a dry run.
- test -z "$run" && cat > ${libobj}T <<EOF
-# $libobj - a libtool object file
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
-
-# Name of the PIC object.
-EOF
-
- # Only build a PIC object if we are building libtool libraries.
- if test "$build_libtool_libs" = yes; then
- # Without this assignment, base_compile gets emptied.
- fbsd_hideous_sh_bug=$base_compile
-
- if test "$pic_mode" != no; then
- command="$base_compile $srcfile $pic_flag"
- else
- # Don't build PIC code
- command="$base_compile $srcfile"
- fi
-
- if test ! -d "${xdir}$objdir"; then
- $show "$mkdir ${xdir}$objdir"
- $run $mkdir ${xdir}$objdir
- status=$?
- if test "$status" -ne 0 && test ! -d "${xdir}$objdir"; then
- exit $status
- fi
- fi
-
- if test -z "$output_obj"; then
- # Place PIC objects in $objdir
- command="$command -o $lobj"
- fi
-
- $run $rm "$lobj" "$output_obj"
-
- $show "$command"
- if $run eval "$command"; then :
- else
- test -n "$output_obj" && $run $rm $removelist
- exit $EXIT_FAILURE
- fi
-
- if test "$need_locks" = warn &&
- test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
- $echo "\
-*** ERROR, $lockfile contains:
-`cat $lockfile 2>/dev/null`
-
-but it should contain:
-$srcfile
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together. If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
- $run $rm $removelist
- exit $EXIT_FAILURE
- fi
-
- # Just move the object if needed, then go on to compile the next one
- if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
- $show "$mv $output_obj $lobj"
- if $run $mv $output_obj $lobj; then :
- else
- error=$?
- $run $rm $removelist
- exit $error
- fi
- fi
-
- # Append the name of the PIC object to the libtool object file.
- test -z "$run" && cat >> ${libobj}T <<EOF
-pic_object='$objdir/$objname'
-
-EOF
-
- # Allow error messages only from the first compilation.
- if test "$suppress_opt" = yes; then
- suppress_output=' >/dev/null 2>&1'
- fi
- else
- # No PIC object so indicate it doesn't exist in the libtool
- # object file.
- test -z "$run" && cat >> ${libobj}T <<EOF
-pic_object=none
-
-EOF
- fi
-
- # Only build a position-dependent object if we build old libraries.
- if test "$build_old_libs" = yes; then
- if test "$pic_mode" != yes; then
- # Don't build PIC code
- command="$base_compile $srcfile"
- else
- command="$base_compile $srcfile $pic_flag"
- fi
- if test "$compiler_c_o" = yes; then
- command="$command -o $obj"
- fi
-
- # Suppress compiler output if we already did a PIC compilation.
- command="$command$suppress_output"
- $run $rm "$obj" "$output_obj"
- $show "$command"
- if $run eval "$command"; then :
- else
- $run $rm $removelist
- exit $EXIT_FAILURE
- fi
-
- if test "$need_locks" = warn &&
- test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
- $echo "\
-*** ERROR, $lockfile contains:
-`cat $lockfile 2>/dev/null`
-
-but it should contain:
-$srcfile
-
-This indicates that another process is trying to use the same
-temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together. If you
-repeat this compilation, it may succeed, by chance, but you had better
-avoid parallel builds (make -j) in this platform, or get a better
-compiler."
-
- $run $rm $removelist
- exit $EXIT_FAILURE
- fi
-
- # Just move the object if needed
- if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
- $show "$mv $output_obj $obj"
- if $run $mv $output_obj $obj; then :
- else
- error=$?
- $run $rm $removelist
- exit $error
- fi
- fi
-
- # Append the name of the non-PIC object the libtool object file.
- # Only append if the libtool object file exists.
- test -z "$run" && cat >> ${libobj}T <<EOF
-# Name of the non-PIC object.
-non_pic_object='$objname'
-
-EOF
- else
- # Append the name of the non-PIC object the libtool object file.
- # Only append if the libtool object file exists.
- test -z "$run" && cat >> ${libobj}T <<EOF
-# Name of the non-PIC object.
-non_pic_object=none
-
-EOF
- fi
-
- $run $mv "${libobj}T" "${libobj}"
-
- # Unlock the critical section if it was locked
- if test "$need_locks" != no; then
- $run $rm "$lockfile"
- fi
-
- exit $EXIT_SUCCESS
- ;;
-
- # libtool link mode
- link | relink)
- modename="$modename: link"
- case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
- # It is impossible to link a dll without this setting, and
- # we shouldn't force the makefile maintainer to figure out
- # which system we are compiling for in order to pass an extra
- # flag for every libtool invocation.
- # allow_undefined=no
-
- # FIXME: Unfortunately, there are problems with the above when trying
- # to make a dll which has undefined symbols, in which case not
- # even a static library is built. For now, we need to specify
- # -no-undefined on the libtool link line when we can be certain
- # that all symbols are satisfied, otherwise we get a static library.
- allow_undefined=yes
- ;;
- *)
- allow_undefined=yes
- ;;
- esac
- libtool_args="$nonopt"
- base_compile="$nonopt $@"
- compile_command="$nonopt"
- finalize_command="$nonopt"
-
- compile_rpath=
- finalize_rpath=
- compile_shlibpath=
- finalize_shlibpath=
- convenience=
- old_convenience=
- deplibs=
- old_deplibs=
- compiler_flags=
- linker_flags=
- dllsearchpath=
- lib_search_path=`pwd`
- inst_prefix_dir=
-
- avoid_version=no
- dlfiles=
- dlprefiles=
- dlself=no
- export_dynamic=no
- export_symbols=
- export_symbols_regex=
- generated=
- libobjs=
- ltlibs=
- module=no
- no_install=no
- objs=
- non_pic_objects=
- precious_files_regex=
- prefer_static_libs=no
- preload=no
- prev=
- prevarg=
- release=
- rpath=
- xrpath=
- perm_rpath=
- temp_rpath=
- thread_safe=no
- vinfo=
- vinfo_number=no
-
- func_infer_tag $base_compile
-
- # We need to know -static, to get the right output filenames.
- for arg
- do
- case $arg in
- -all-static | -static)
- if test "X$arg" = "X-all-static"; then
- if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
- $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
- fi
- if test -n "$link_static_flag"; then
- dlopen_self=$dlopen_self_static
- fi
- else
- if test -z "$pic_flag" && test -n "$link_static_flag"; then
- dlopen_self=$dlopen_self_static
- fi
- fi
- build_libtool_libs=no
- build_old_libs=yes
- prefer_static_libs=yes
- break
- ;;
- esac
- done
-
- # See if our shared archives depend on static archives.
- test -n "$old_archive_from_new_cmds" && build_old_libs=yes
-
- # Go through the arguments, transforming them on the way.
- while test "$#" -gt 0; do
- arg="$1"
- shift
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
- ;;
- *) qarg=$arg ;;
- esac
- libtool_args="$libtool_args $qarg"
-
- # If the previous option needs an argument, assign it.
- if test -n "$prev"; then
- case $prev in
- output)
- compile_command="$compile_command @OUTPUT@"
- finalize_command="$finalize_command @OUTPUT@"
- ;;
- esac
-
- case $prev in
- dlfiles|dlprefiles)
- if test "$preload" = no; then
- # Add the symbol object into the linking commands.
- compile_command="$compile_command @SYMFILE@"
- finalize_command="$finalize_command @SYMFILE@"
- preload=yes
- fi
- case $arg in
- *.la | *.lo) ;; # We handle these cases below.
- force)
- if test "$dlself" = no; then
- dlself=needless
- export_dynamic=yes
- fi
- prev=
- continue
- ;;
- self)
- if test "$prev" = dlprefiles; then
- dlself=yes
- elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
- dlself=yes
- else
- dlself=needless
- export_dynamic=yes
- fi
- prev=
- continue
- ;;
- *)
- if test "$prev" = dlfiles; then
- dlfiles="$dlfiles $arg"
- else
- dlprefiles="$dlprefiles $arg"
- fi
- prev=
- continue
- ;;
- esac
- ;;
- expsyms)
- export_symbols="$arg"
- if test ! -f "$arg"; then
- $echo "$modename: symbol file \`$arg' does not exist"
- exit $EXIT_FAILURE
- fi
- prev=
- continue
- ;;
- expsyms_regex)
- export_symbols_regex="$arg"
- prev=
- continue
- ;;
- inst_prefix)
- inst_prefix_dir="$arg"
- prev=
- continue
- ;;
- precious_regex)
- precious_files_regex="$arg"
- prev=
- continue
- ;;
- release)
- release="-$arg"
- prev=
- continue
- ;;
- objectlist)
- if test -f "$arg"; then
- save_arg=$arg
- moreargs=
- for fil in `cat $save_arg`
- do
-# moreargs="$moreargs $fil"
- arg=$fil
- # A libtool-controlled object.
-
- # Check to see that this really is a libtool object.
- if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
- pic_object=
- non_pic_object=
-
- # Read the .lo file
- # If there is no directory component, then add one.
- case $arg in
- */* | *\\*) . $arg ;;
- *) . ./$arg ;;
- esac
-
- if test -z "$pic_object" || \
- test -z "$non_pic_object" ||
- test "$pic_object" = none && \
- test "$non_pic_object" = none; then
- $echo "$modename: cannot find name of object for \`$arg'" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Extract subdirectory from the argument.
- xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
- if test "X$xdir" = "X$arg"; then
- xdir=
- else
- xdir="$xdir/"
- fi
-
- if test "$pic_object" != none; then
- # Prepend the subdirectory the object is found in.
- pic_object="$xdir$pic_object"
-
- if test "$prev" = dlfiles; then
- if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
- dlfiles="$dlfiles $pic_object"
- prev=
- continue
- else
- # If libtool objects are unsupported, then we need to preload.
- prev=dlprefiles
- fi
- fi
-
- # CHECK ME: I think I busted this. -Ossama
- if test "$prev" = dlprefiles; then
- # Preload the old-style object.
- dlprefiles="$dlprefiles $pic_object"
- prev=
- fi
-
- # A PIC object.
- libobjs="$libobjs $pic_object"
- arg="$pic_object"
- fi
-
- # Non-PIC object.
- if test "$non_pic_object" != none; then
- # Prepend the subdirectory the object is found in.
- non_pic_object="$xdir$non_pic_object"
-
- # A standard non-PIC object
- non_pic_objects="$non_pic_objects $non_pic_object"
- if test -z "$pic_object" || test "$pic_object" = none ; then
- arg="$non_pic_object"
- fi
- fi
- else
- # Only an error if not doing a dry-run.
- if test -z "$run"; then
- $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
- exit $EXIT_FAILURE
- else
- # Dry-run case.
-
- # Extract subdirectory from the argument.
- xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
- if test "X$xdir" = "X$arg"; then
- xdir=
- else
- xdir="$xdir/"
- fi
-
- pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
- non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
- libobjs="$libobjs $pic_object"
- non_pic_objects="$non_pic_objects $non_pic_object"
- fi
- fi
- done
- else
- $echo "$modename: link input file \`$save_arg' does not exist"
- exit $EXIT_FAILURE
- fi
- arg=$save_arg
- prev=
- continue
- ;;
- rpath | xrpath)
- # We need an absolute path.
- case $arg in
- [\\/]* | [A-Za-z]:[\\/]*) ;;
- *)
- $echo "$modename: only absolute run-paths are allowed" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
- if test "$prev" = rpath; then
- case "$rpath " in
- *" $arg "*) ;;
- *) rpath="$rpath $arg" ;;
- esac
- else
- case "$xrpath " in
- *" $arg "*) ;;
- *) xrpath="$xrpath $arg" ;;
- esac
- fi
- prev=
- continue
- ;;
- xcompiler)
- compiler_flags="$compiler_flags $qarg"
- prev=
- compile_command="$compile_command $qarg"
- finalize_command="$finalize_command $qarg"
- continue
- ;;
- xlinker)
- linker_flags="$linker_flags $qarg"
- compiler_flags="$compiler_flags $wl$qarg"
- prev=
- compile_command="$compile_command $wl$qarg"
- finalize_command="$finalize_command $wl$qarg"
- continue
- ;;
- xcclinker)
- linker_flags="$linker_flags $qarg"
- compiler_flags="$compiler_flags $qarg"
- prev=
- compile_command="$compile_command $qarg"
- finalize_command="$finalize_command $qarg"
- continue
- ;;
- shrext)
- shrext_cmds="$arg"
- prev=
- continue
- ;;
- *)
- eval "$prev=\"\$arg\""
- prev=
- continue
- ;;
- esac
- fi # test -n "$prev"
-
- prevarg="$arg"
-
- case $arg in
- -all-static)
- if test -n "$link_static_flag"; then
- compile_command="$compile_command $link_static_flag"
- finalize_command="$finalize_command $link_static_flag"
- fi
- continue
- ;;
-
- -allow-undefined)
- # FIXME: remove this flag sometime in the future.
- $echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
- continue
- ;;
-
- -avoid-version)
- avoid_version=yes
- continue
- ;;
-
- -dlopen)
- prev=dlfiles
- continue
- ;;
-
- -dlpreopen)
- prev=dlprefiles
- continue
- ;;
-
- -export-dynamic)
- export_dynamic=yes
- continue
- ;;
-
- -export-symbols | -export-symbols-regex)
- if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
- $echo "$modename: more than one -exported-symbols argument is not allowed"
- exit $EXIT_FAILURE
- fi
- if test "X$arg" = "X-export-symbols"; then
- prev=expsyms
- else
- prev=expsyms_regex
- fi
- continue
- ;;
-
- -inst-prefix-dir)
- prev=inst_prefix
- continue
- ;;
-
- # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
- # so, if we see these flags be careful not to treat them like -L
- -L[A-Z][A-Z]*:*)
- case $with_gcc/$host in
- no/*-*-irix* | /*-*-irix*)
- compile_command="$compile_command $arg"
- finalize_command="$finalize_command $arg"
- ;;
- esac
- continue
- ;;
-
- -L*)
- dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
- # We need an absolute path.
- case $dir in
- [\\/]* | [A-Za-z]:[\\/]*) ;;
- *)
- absdir=`cd "$dir" && pwd`
- if test -z "$absdir"; then
- $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
- exit $EXIT_FAILURE
- fi
- dir="$absdir"
- ;;
- esac
- case "$deplibs " in
- *" -L$dir "*) ;;
- *)
- deplibs="$deplibs -L$dir"
- lib_search_path="$lib_search_path $dir"
- ;;
- esac
- case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
- case :$dllsearchpath: in
- *":$dir:"*) ;;
- *) dllsearchpath="$dllsearchpath:$dir";;
- esac
- ;;
- esac
- continue
- ;;
-
- -l*)
- if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
- case $host in
- *-*-cygwin* | *-*-pw32* | *-*-beos*)
- # These systems don't actually have a C or math library (as such)
- continue
- ;;
- *-*-mingw* | *-*-os2*)
- # These systems don't actually have a C library (as such)
- test "X$arg" = "X-lc" && continue
- ;;
- *-*-openbsd* | *-*-freebsd*)
- # Do not include libc due to us having libc/libc_r.
- test "X$arg" = "X-lc" && continue
- ;;
- *-*-rhapsody* | *-*-darwin1.[012])
- # Rhapsody C and math libraries are in the System framework
- deplibs="$deplibs -framework System"
- continue
- esac
- elif test "X$arg" = "X-lc_r"; then
- case $host in
- *-*-openbsd* | *-*-freebsd*)
- # Do not include libc_r directly, use -pthread flag.
- continue
- ;;
- esac
- fi
- deplibs="$deplibs $arg"
- continue
- ;;
-
- -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
- case "$archive_cmds" in
- *"\$LD"*) ;;
- *) deplibs="$deplibs $arg";;
- esac
- continue
- ;;
-
- -module)
- module=yes
- continue
- ;;
-
- # gcc -m* arguments should be passed to the linker via $compiler_flags
- # in order to pass architecture information to the linker
- # (e.g. 32 vs 64-bit). This may also be accomplished via -Wl,-mfoo
- # but this is not reliable with gcc because gcc may use -mfoo to
- # select a different linker, different libraries, etc, while
- # -Wl,-mfoo simply passes -mfoo to the linker.
- -m*)
- # Unknown arguments in both finalize_command and compile_command need
- # to be aesthetically quoted because they are evaled later.
- arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- arg="\"$arg\""
- ;;
- esac
- compile_command="$compile_command $arg"
- finalize_command="$finalize_command $arg"
- if test "$with_gcc" = "yes" ; then
- compiler_flags="$compiler_flags $arg"
- fi
- continue
- ;;
-
- -shrext)
- prev=shrext
- continue
- ;;
-
- -no-fast-install)
- fast_install=no
- continue
- ;;
-
- -no-install)
- case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
- # The PATH hackery in wrapper scripts is required on Windows
- # in order for the loader to find any dlls it needs.
- $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
- $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
- fast_install=no
- ;;
- *) no_install=yes ;;
- esac
- continue
- ;;
-
- -no-undefined)
- allow_undefined=no
- continue
- ;;
-
- -objectlist)
- prev=objectlist
- continue
- ;;
-
- -o) prev=output ;;
-
- -precious-files-regex)
- prev=precious_regex
- continue
- ;;
-
- -release)
- prev=release
- continue
- ;;
-
- -rpath)
- prev=rpath
- continue
- ;;
-
- -R)
- prev=xrpath
- continue
- ;;
-
- -R*)
- dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
- # We need an absolute path.
- case $dir in
- [\\/]* | [A-Za-z]:[\\/]*) ;;
- *)
- $echo "$modename: only absolute run-paths are allowed" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
- case "$xrpath " in
- *" $dir "*) ;;
- *) xrpath="$xrpath $dir" ;;
- esac
- continue
- ;;
-
- -static)
- # The effects of -static are defined in a previous loop.
- # We used to do the same as -all-static on platforms that
- # didn't have a PIC flag, but the assumption that the effects
- # would be equivalent was wrong. It would break on at least
- # Digital Unix and AIX.
- continue
- ;;
-
- -thread-safe)
- thread_safe=yes
- continue
- ;;
-
- -version-info)
- prev=vinfo
- continue
- ;;
- -version-number)
- prev=vinfo
- vinfo_number=yes
- continue
- ;;
-
- -Wc,*)
- args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
- arg=
- save_ifs="$IFS"; IFS=','
- for flag in $args; do
- IFS="$save_ifs"
- case $flag in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- flag="\"$flag\""
- ;;
- esac
- arg="$arg $wl$flag"
- compiler_flags="$compiler_flags $flag"
- done
- IFS="$save_ifs"
- arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
- ;;
-
- -Wl,*)
- args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
- arg=
- save_ifs="$IFS"; IFS=','
- for flag in $args; do
- IFS="$save_ifs"
- case $flag in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- flag="\"$flag\""
- ;;
- esac
- arg="$arg $wl$flag"
- compiler_flags="$compiler_flags $wl$flag"
- linker_flags="$linker_flags $flag"
- done
- IFS="$save_ifs"
- arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
- ;;
-
- -Xcompiler)
- prev=xcompiler
- continue
- ;;
-
- -Xlinker)
- prev=xlinker
- continue
- ;;
-
- -XCClinker)
- prev=xcclinker
- continue
- ;;
-
- # Some other compiler flag.
- -* | +*)
- # Unknown arguments in both finalize_command and compile_command need
- # to be aesthetically quoted because they are evaled later.
- arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- arg="\"$arg\""
- ;;
- esac
- ;;
-
- *.$objext)
- # A standard object.
- objs="$objs $arg"
- ;;
-
- *.lo)
- # A libtool-controlled object.
-
- # Check to see that this really is a libtool object.
- if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
- pic_object=
- non_pic_object=
-
- # Read the .lo file
- # If there is no directory component, then add one.
- case $arg in
- */* | *\\*) . $arg ;;
- *) . ./$arg ;;
- esac
-
- if test -z "$pic_object" || \
- test -z "$non_pic_object" ||
- test "$pic_object" = none && \
- test "$non_pic_object" = none; then
- $echo "$modename: cannot find name of object for \`$arg'" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Extract subdirectory from the argument.
- xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
- if test "X$xdir" = "X$arg"; then
- xdir=
- else
- xdir="$xdir/"
- fi
-
- if test "$pic_object" != none; then
- # Prepend the subdirectory the object is found in.
- pic_object="$xdir$pic_object"
-
- if test "$prev" = dlfiles; then
- if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
- dlfiles="$dlfiles $pic_object"
- prev=
- continue
- else
- # If libtool objects are unsupported, then we need to preload.
- prev=dlprefiles
- fi
- fi
-
- # CHECK ME: I think I busted this. -Ossama
- if test "$prev" = dlprefiles; then
- # Preload the old-style object.
- dlprefiles="$dlprefiles $pic_object"
- prev=
- fi
-
- # A PIC object.
- libobjs="$libobjs $pic_object"
- arg="$pic_object"
- fi
-
- # Non-PIC object.
- if test "$non_pic_object" != none; then
- # Prepend the subdirectory the object is found in.
- non_pic_object="$xdir$non_pic_object"
-
- # A standard non-PIC object
- non_pic_objects="$non_pic_objects $non_pic_object"
- if test -z "$pic_object" || test "$pic_object" = none ; then
- arg="$non_pic_object"
- fi
- fi
- else
- # Only an error if not doing a dry-run.
- if test -z "$run"; then
- $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
- exit $EXIT_FAILURE
- else
- # Dry-run case.
-
- # Extract subdirectory from the argument.
- xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
- if test "X$xdir" = "X$arg"; then
- xdir=
- else
- xdir="$xdir/"
- fi
-
- pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
- non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
- libobjs="$libobjs $pic_object"
- non_pic_objects="$non_pic_objects $non_pic_object"
- fi
- fi
- ;;
-
- *.$libext)
- # An archive.
- deplibs="$deplibs $arg"
- old_deplibs="$old_deplibs $arg"
- continue
- ;;
-
- *.la)
- # A libtool-controlled library.
-
- if test "$prev" = dlfiles; then
- # This library was specified with -dlopen.
- dlfiles="$dlfiles $arg"
- prev=
- elif test "$prev" = dlprefiles; then
- # The library was specified with -dlpreopen.
- dlprefiles="$dlprefiles $arg"
- prev=
- else
- deplibs="$deplibs $arg"
- fi
- continue
- ;;
-
- # Some other compiler argument.
- *)
- # Unknown arguments in both finalize_command and compile_command need
- # to be aesthetically quoted because they are evaled later.
- arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
- arg="\"$arg\""
- ;;
- esac
- ;;
- esac # arg
-
- # Now actually substitute the argument into the commands.
- if test -n "$arg"; then
- compile_command="$compile_command $arg"
- finalize_command="$finalize_command $arg"
- fi
- done # argument parsing loop
-
- if test -n "$prev"; then
- $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
- eval arg=\"$export_dynamic_flag_spec\"
- compile_command="$compile_command $arg"
- finalize_command="$finalize_command $arg"
- fi
-
- oldlibs=
- # calculate the name of the file, without its directory
- outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
- libobjs_save="$libobjs"
-
- if test -n "$shlibpath_var"; then
- # get the directories listed in $shlibpath_var
- eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
- else
- shlib_search_path=
- fi
- eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
- eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
-
- output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
- if test "X$output_objdir" = "X$output"; then
- output_objdir="$objdir"
- else
- output_objdir="$output_objdir/$objdir"
- fi
- # Create the object directory.
- if test ! -d "$output_objdir"; then
- $show "$mkdir $output_objdir"
- $run $mkdir $output_objdir
- status=$?
- if test "$status" -ne 0 && test ! -d "$output_objdir"; then
- exit $status
- fi
- fi
-
- # Determine the type of output
- case $output in
- "")
- $echo "$modename: you must specify an output file" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- ;;
- *.$libext) linkmode=oldlib ;;
- *.lo | *.$objext) linkmode=obj ;;
- *.la) linkmode=lib ;;
- *) linkmode=prog ;; # Anything else should be a program.
- esac
-
- case $host in
- *cygwin* | *mingw* | *pw32*)
- # don't eliminate duplications in $postdeps and $predeps
- duplicate_compiler_generated_deps=yes
- ;;
- *)
- duplicate_compiler_generated_deps=$duplicate_deps
- ;;
- esac
- specialdeplibs=
-
- libs=
- # Find all interdependent deplibs by searching for libraries
- # that are linked more than once (e.g. -la -lb -la)
- for deplib in $deplibs; do
- if test "X$duplicate_deps" = "Xyes" ; then
- case "$libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
- esac
- fi
- libs="$libs $deplib"
- done
-
- if test "$linkmode" = lib; then
- libs="$predeps $libs $compiler_lib_search_path $postdeps"
-
- # Compute libraries that are listed more than once in $predeps
- # $postdeps and mark them as special (i.e., whose duplicates are
- # not to be eliminated).
- pre_post_deps=
- if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then
- for pre_post_dep in $predeps $postdeps; do
- case "$pre_post_deps " in
- *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
- esac
- pre_post_deps="$pre_post_deps $pre_post_dep"
- done
- fi
- pre_post_deps=
- fi
-
- deplibs=
- newdependency_libs=
- newlib_search_path=
- need_relink=no # whether we're linking any uninstalled libtool libraries
- notinst_deplibs= # not-installed libtool libraries
- notinst_path= # paths that contain not-installed libtool libraries
- case $linkmode in
- lib)
- passes="conv link"
- for file in $dlfiles $dlprefiles; do
- case $file in
- *.la) ;;
- *)
- $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
- done
- ;;
- prog)
- compile_deplibs=
- finalize_deplibs=
- alldeplibs=no
- newdlfiles=
- newdlprefiles=
- passes="conv scan dlopen dlpreopen link"
- ;;
- *) passes="conv"
- ;;
- esac
- for pass in $passes; do
- if test "$linkmode,$pass" = "lib,link" ||
- test "$linkmode,$pass" = "prog,scan"; then
- libs="$deplibs"
- deplibs=
- fi
- if test "$linkmode" = prog; then
- case $pass in
- dlopen) libs="$dlfiles" ;;
- dlpreopen) libs="$dlprefiles" ;;
- link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
- esac
- fi
- if test "$pass" = dlopen; then
- # Collect dlpreopened libraries
- save_deplibs="$deplibs"
- deplibs=
- fi
- for deplib in $libs; do
- lib=
- found=no
- case $deplib in
- -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
- if test "$linkmode,$pass" = "prog,link"; then
- compile_deplibs="$deplib $compile_deplibs"
- finalize_deplibs="$deplib $finalize_deplibs"
- else
- case "$archive_cmds" in
- *"\$LD"*) ;;
- *) deplibs="$deplibs $arg";;
- esac
- fi
- continue
- ;;
- -l*)
- if test "$linkmode" != lib && test "$linkmode" != prog; then
- $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
- continue
- fi
- if test "$pass" = conv; then
- deplibs="$deplib $deplibs"
- continue
- fi
- name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
- for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
- for search_ext in .la $std_shrext .so .a; do
- # Search the libtool library
- lib="$searchdir/lib${name}${search_ext}"
- if test -f "$lib"; then
- if test "$search_ext" = ".la"; then
- found=yes
- else
- found=no
- fi
- break 2
- fi
- done
- done
- if test "$found" != yes; then
- # deplib doesn't seem to be a libtool library
- if test "$linkmode,$pass" = "prog,link"; then
- compile_deplibs="$deplib $compile_deplibs"
- finalize_deplibs="$deplib $finalize_deplibs"
- else
- deplibs="$deplib $deplibs"
- test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
- fi
- continue
- else # deplib is a libtool library
- # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
- # We need to do some special things here, and not later.
- if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
- case " $predeps $postdeps " in
- *" $deplib "*)
- if (${SED} -e '2q' $lib |
- grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
- library_names=
- old_library=
- case $lib in
- */* | *\\*) . $lib ;;
- *) . ./$lib ;;
- esac
- for l in $old_library $library_names; do
- ll="$l"
- done
- if test "X$ll" = "X$old_library" ; then # only static version available
- found=no
- ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
- test "X$ladir" = "X$lib" && ladir="."
- lib=$ladir/$old_library
- if test "$linkmode,$pass" = "prog,link"; then
- compile_deplibs="$deplib $compile_deplibs"
- finalize_deplibs="$deplib $finalize_deplibs"
- else
- deplibs="$deplib $deplibs"
- test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
- fi
- continue
- fi
- fi
- ;;
- *) ;;
- esac
- fi
- fi
- ;; # -l
- -L*)
- case $linkmode in
- lib)
- deplibs="$deplib $deplibs"
- test "$pass" = conv && continue
- newdependency_libs="$deplib $newdependency_libs"
- newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
- ;;
- prog)
- if test "$pass" = conv; then
- deplibs="$deplib $deplibs"
- continue
- fi
- if test "$pass" = scan; then
- deplibs="$deplib $deplibs"
- else
- compile_deplibs="$deplib $compile_deplibs"
- finalize_deplibs="$deplib $finalize_deplibs"
- fi
- newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
- ;;
- *)
- $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
- ;;
- esac # linkmode
- continue
- ;; # -L
- -R*)
- if test "$pass" = link; then
- dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
- # Make sure the xrpath contains only unique directories.
- case "$xrpath " in
- *" $dir "*) ;;
- *) xrpath="$xrpath $dir" ;;
- esac
- fi
- deplibs="$deplib $deplibs"
- continue
- ;;
- *.la) lib="$deplib" ;;
- *.$libext)
- if test "$pass" = conv; then
- deplibs="$deplib $deplibs"
- continue
- fi
- case $linkmode in
- lib)
- valid_a_lib=no
- case $deplibs_check_method in
- match_pattern*)
- set dummy $deplibs_check_method
- match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
- if eval $echo \"$deplib\" 2>/dev/null \
- | $SED 10q \
- | $EGREP "$match_pattern_regex" > /dev/null; then
- valid_a_lib=yes
- fi
- ;;
- pass_all)
- valid_a_lib=yes
- ;;
- esac
- if test "$valid_a_lib" != yes; then
- $echo
- $echo "*** Warning: Trying to link with static lib archive $deplib."
- $echo "*** I have the capability to make that library automatically link in when"
- $echo "*** you link to this library. But I can only do this if you have a"
- $echo "*** shared version of the library, which you do not appear to have"
- $echo "*** because the file extensions .$libext of this argument makes me believe"
- $echo "*** that it is just a static archive that I should not used here."
- else
- $echo
- $echo "*** Warning: Linking the shared library $output against the"
- $echo "*** static library $deplib is not portable!"
- deplibs="$deplib $deplibs"
- fi
- continue
- ;;
- prog)
- if test "$pass" != link; then
- deplibs="$deplib $deplibs"
- else
- compile_deplibs="$deplib $compile_deplibs"
- finalize_deplibs="$deplib $finalize_deplibs"
- fi
- continue
- ;;
- esac # linkmode
- ;; # *.$libext
- *.lo | *.$objext)
- if test "$pass" = conv; then
- deplibs="$deplib $deplibs"
- elif test "$linkmode" = prog; then
- if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
- # If there is no dlopen support or we're linking statically,
- # we need to preload.
- newdlprefiles="$newdlprefiles $deplib"
- compile_deplibs="$deplib $compile_deplibs"
- finalize_deplibs="$deplib $finalize_deplibs"
- else
- newdlfiles="$newdlfiles $deplib"
- fi
- fi
- continue
- ;;
- %DEPLIBS%)
- alldeplibs=yes
- continue
- ;;
- esac # case $deplib
- if test "$found" = yes || test -f "$lib"; then :
- else
- $echo "$modename: cannot find the library \`$lib'" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Check to see that this really is a libtool archive.
- if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
- else
- $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
- exit $EXIT_FAILURE
- fi
-
- ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
- test "X$ladir" = "X$lib" && ladir="."
-
- dlname=
- dlopen=
- dlpreopen=
- libdir=
- library_names=
- old_library=
- # If the library was installed with an old release of libtool,
- # it will not redefine variables installed, or shouldnotlink
- installed=yes
- shouldnotlink=no
-
- # Read the .la file
- case $lib in
- */* | *\\*) . $lib ;;
- *) . ./$lib ;;
- esac
-
- if test "$linkmode,$pass" = "lib,link" ||
- test "$linkmode,$pass" = "prog,scan" ||
- { test "$linkmode" != prog && test "$linkmode" != lib; }; then
- test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
- test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
- fi
-
- if test "$pass" = conv; then
- # Only check for convenience libraries
- deplibs="$lib $deplibs"
- if test -z "$libdir"; then
- if test -z "$old_library"; then
- $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
- exit $EXIT_FAILURE
- fi
- # It is a libtool convenience library, so add in its objects.
- convenience="$convenience $ladir/$objdir/$old_library"
- old_convenience="$old_convenience $ladir/$objdir/$old_library"
- tmp_libs=
- for deplib in $dependency_libs; do
- deplibs="$deplib $deplibs"
- if test "X$duplicate_deps" = "Xyes" ; then
- case "$tmp_libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
- esac
- fi
- tmp_libs="$tmp_libs $deplib"
- done
- elif test "$linkmode" != prog && test "$linkmode" != lib; then
- $echo "$modename: \`$lib' is not a convenience library" 1>&2
- exit $EXIT_FAILURE
- fi
- continue
- fi # $pass = conv
-
-
- # Get the name of the library we link against.
- linklib=
- for l in $old_library $library_names; do
- linklib="$l"
- done
- if test -z "$linklib"; then
- $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # This library was specified with -dlopen.
- if test "$pass" = dlopen; then
- if test -z "$libdir"; then
- $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
- exit $EXIT_FAILURE
- fi
- if test -z "$dlname" ||
- test "$dlopen_support" != yes ||
- test "$build_libtool_libs" = no; then
- # If there is no dlname, no dlopen support or we're linking
- # statically, we need to preload. We also need to preload any
- # dependent libraries so libltdl's deplib preloader doesn't
- # bomb out in the load deplibs phase.
- dlprefiles="$dlprefiles $lib $dependency_libs"
- else
- newdlfiles="$newdlfiles $lib"
- fi
- continue
- fi # $pass = dlopen
-
- # We need an absolute path.
- case $ladir in
- [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
- *)
- abs_ladir=`cd "$ladir" && pwd`
- if test -z "$abs_ladir"; then
- $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
- $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
- abs_ladir="$ladir"
- fi
- ;;
- esac
- laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
-
- # Find the relevant object directory and library name.
- if test "X$installed" = Xyes; then
- if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
- $echo "$modename: warning: library \`$lib' was moved." 1>&2
- dir="$ladir"
- absdir="$abs_ladir"
- libdir="$abs_ladir"
- else
- dir="$libdir"
- absdir="$libdir"
- fi
- else
- if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
- dir="$ladir"
- absdir="$abs_ladir"
- # Remove this search path later
- notinst_path="$notinst_path $abs_ladir"
- else
- dir="$ladir/$objdir"
- absdir="$abs_ladir/$objdir"
- # Remove this search path later
- notinst_path="$notinst_path $abs_ladir"
- fi
- fi # $installed = yes
- name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
-
- # This library was specified with -dlpreopen.
- if test "$pass" = dlpreopen; then
- if test -z "$libdir"; then
- $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
- exit $EXIT_FAILURE
- fi
- # Prefer using a static library (so that no silly _DYNAMIC symbols
- # are required to link).
- if test -n "$old_library"; then
- newdlprefiles="$newdlprefiles $dir/$old_library"
- # Otherwise, use the dlname, so that lt_dlopen finds it.
- elif test -n "$dlname"; then
- newdlprefiles="$newdlprefiles $dir/$dlname"
- else
- newdlprefiles="$newdlprefiles $dir/$linklib"
- fi
- fi # $pass = dlpreopen
-
- if test -z "$libdir"; then
- # Link the convenience library
- if test "$linkmode" = lib; then
- deplibs="$dir/$old_library $deplibs"
- elif test "$linkmode,$pass" = "prog,link"; then
- compile_deplibs="$dir/$old_library $compile_deplibs"
- finalize_deplibs="$dir/$old_library $finalize_deplibs"
- else
- deplibs="$lib $deplibs" # used for prog,scan pass
- fi
- continue
- fi
-
-
- if test "$linkmode" = prog && test "$pass" != link; then
- newlib_search_path="$newlib_search_path $ladir"
- deplibs="$lib $deplibs"
-
- linkalldeplibs=no
- if test "$link_all_deplibs" != no || test -z "$library_names" ||
- test "$build_libtool_libs" = no; then
- linkalldeplibs=yes
- fi
-
- tmp_libs=
- for deplib in $dependency_libs; do
- case $deplib in
- -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
- esac
- # Need to link against all dependency_libs?
- if test "$linkalldeplibs" = yes; then
- deplibs="$deplib $deplibs"
- else
- # Need to hardcode shared library paths
- # or/and link against static libraries
- newdependency_libs="$deplib $newdependency_libs"
- fi
- if test "X$duplicate_deps" = "Xyes" ; then
- case "$tmp_libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
- esac
- fi
- tmp_libs="$tmp_libs $deplib"
- done # for deplib
- continue
- fi # $linkmode = prog...
-
- if test "$linkmode,$pass" = "prog,link"; then
- if test -n "$library_names" &&
- { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
- # We need to hardcode the library path
- if test -n "$shlibpath_var"; then
- # Make sure the rpath contains only unique directories.
- case "$temp_rpath " in
- *" $dir "*) ;;
- *" $absdir "*) ;;
- *) temp_rpath="$temp_rpath $dir" ;;
- esac
- fi
-
- # Hardcode the library path.
- # Skip directories that are in the system default run-time
- # search path.
- case " $sys_lib_dlsearch_path " in
- *" $absdir "*) ;;
- *)
- case "$compile_rpath " in
- *" $absdir "*) ;;
- *) compile_rpath="$compile_rpath $absdir"
- esac
- ;;
- esac
- case " $sys_lib_dlsearch_path " in
- *" $libdir "*) ;;
- *)
- case "$finalize_rpath " in
- *" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir"
- esac
- ;;
- esac
- fi # $linkmode,$pass = prog,link...
-
- if test "$alldeplibs" = yes &&
- { test "$deplibs_check_method" = pass_all ||
- { test "$build_libtool_libs" = yes &&
- test -n "$library_names"; }; }; then
- # We only need to search for static libraries
- continue
- fi
- fi
-
- link_static=no # Whether the deplib will be linked statically
- if test -n "$library_names" &&
- { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
- if test "$installed" = no; then
- notinst_deplibs="$notinst_deplibs $lib"
- need_relink=yes
- fi
- # This is a shared library
-
- # Warn about portability, can't link against -module's on
- # some systems (darwin)
- if test "$shouldnotlink" = yes && test "$pass" = link ; then
- $echo
- if test "$linkmode" = prog; then
- $echo "*** Warning: Linking the executable $output against the loadable module"
- else
- $echo "*** Warning: Linking the shared library $output against the loadable module"
- fi
- $echo "*** $linklib is not portable!"
- fi
- if test "$linkmode" = lib &&
- test "$hardcode_into_libs" = yes; then
- # Hardcode the library path.
- # Skip directories that are in the system default run-time
- # search path.
- case " $sys_lib_dlsearch_path " in
- *" $absdir "*) ;;
- *)
- case "$compile_rpath " in
- *" $absdir "*) ;;
- *) compile_rpath="$compile_rpath $absdir"
- esac
- ;;
- esac
- case " $sys_lib_dlsearch_path " in
- *" $libdir "*) ;;
- *)
- case "$finalize_rpath " in
- *" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir"
- esac
- ;;
- esac
- fi
-
- if test -n "$old_archive_from_expsyms_cmds"; then
- # figure out the soname
- set dummy $library_names
- realname="$2"
- shift; shift
- libname=`eval \\$echo \"$libname_spec\"`
- # use dlname if we got it. it's perfectly good, no?
- if test -n "$dlname"; then
- soname="$dlname"
- elif test -n "$soname_spec"; then
- # bleh windows
- case $host in
- *cygwin* | mingw*)
- major=`expr $current - $age`
- versuffix="-$major"
- ;;
- esac
- eval soname=\"$soname_spec\"
- else
- soname="$realname"
- fi
-
- # Make a new name for the extract_expsyms_cmds to use
- soroot="$soname"
- soname=`$echo $soroot | ${SED} -e 's/^.*\///'`
- newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a"
-
- # If the library has no export list, then create one now
- if test -f "$output_objdir/$soname-def"; then :
- else
- $show "extracting exported symbol list from \`$soname'"
- save_ifs="$IFS"; IFS='~'
- cmds=$extract_expsyms_cmds
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
- fi
-
- # Create $newlib
- if test -f "$output_objdir/$newlib"; then :; else
- $show "generating import library for \`$soname'"
- save_ifs="$IFS"; IFS='~'
- cmds=$old_archive_from_expsyms_cmds
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
- fi
- # make sure the library variables are pointing to the new library
- dir=$output_objdir
- linklib=$newlib
- fi # test -n "$old_archive_from_expsyms_cmds"
-
- if test "$linkmode" = prog || test "$mode" != relink; then
- add_shlibpath=
- add_dir=
- add=
- lib_linked=yes
- case $hardcode_action in
- immediate | unsupported)
- if test "$hardcode_direct" = no; then
- add="$dir/$linklib"
- case $host in
- *-*-sco3.2v5* ) add_dir="-L$dir" ;;
- *-*-darwin* )
- # if the lib is a module then we can not link against
- # it, someone is ignoring the new warnings I added
- if /usr/bin/file -L $add 2> /dev/null | $EGREP "bundle" >/dev/null ; then
- $echo "** Warning, lib $linklib is a module, not a shared library"
- if test -z "$old_library" ; then
- $echo
- $echo "** And there doesn't seem to be a static archive available"
- $echo "** The link will probably fail, sorry"
- else
- add="$dir/$old_library"
- fi
- fi
- esac
- elif test "$hardcode_minus_L" = no; then
- case $host in
- *-*-sunos*) add_shlibpath="$dir" ;;
- esac
- add_dir="-L$dir"
- add="-l$name"
- elif test "$hardcode_shlibpath_var" = no; then
- add_shlibpath="$dir"
- add="-l$name"
- else
- lib_linked=no
- fi
- ;;
- relink)
- if test "$hardcode_direct" = yes; then
- add="$dir/$linklib"
- elif test "$hardcode_minus_L" = yes; then
- add_dir="-L$dir"
- # Try looking first in the location we're being installed to.
- if test -n "$inst_prefix_dir"; then
- case "$libdir" in
- [\\/]*)
- add_dir="$add_dir -L$inst_prefix_dir$libdir"
- ;;
- esac
- fi
- add="-l$name"
- elif test "$hardcode_shlibpath_var" = yes; then
- add_shlibpath="$dir"
- add="-l$name"
- else
- lib_linked=no
- fi
- ;;
- *) lib_linked=no ;;
- esac
-
- if test "$lib_linked" != yes; then
- $echo "$modename: configuration error: unsupported hardcode properties"
- exit $EXIT_FAILURE
- fi
-
- if test -n "$add_shlibpath"; then
- case :$compile_shlibpath: in
- *":$add_shlibpath:"*) ;;
- *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
- esac
- fi
- if test "$linkmode" = prog; then
- test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
- test -n "$add" && compile_deplibs="$add $compile_deplibs"
- else
- test -n "$add_dir" && deplibs="$add_dir $deplibs"
- test -n "$add" && deplibs="$add $deplibs"
- if test "$hardcode_direct" != yes && \
- test "$hardcode_minus_L" != yes && \
- test "$hardcode_shlibpath_var" = yes; then
- case :$finalize_shlibpath: in
- *":$libdir:"*) ;;
- *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
- esac
- fi
- fi
- fi
-
- if test "$linkmode" = prog || test "$mode" = relink; then
- add_shlibpath=
- add_dir=
- add=
- # Finalize command for both is simple: just hardcode it.
- if test "$hardcode_direct" = yes; then
- add="$libdir/$linklib"
- elif test "$hardcode_minus_L" = yes; then
- add_dir="-L$libdir"
- add="-l$name"
- elif test "$hardcode_shlibpath_var" = yes; then
- case :$finalize_shlibpath: in
- *":$libdir:"*) ;;
- *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
- esac
- add="-l$name"
- elif test "$hardcode_automatic" = yes; then
- if test -n "$inst_prefix_dir" &&
- test -f "$inst_prefix_dir$libdir/$linklib" ; then
- add="$inst_prefix_dir$libdir/$linklib"
- else
- add="$libdir/$linklib"
- fi
- else
- # We cannot seem to hardcode it, guess we'll fake it.
- add_dir="-L$libdir"
- # Try looking first in the location we're being installed to.
- if test -n "$inst_prefix_dir"; then
- case "$libdir" in
- [\\/]*)
- add_dir="$add_dir -L$inst_prefix_dir$libdir"
- ;;
- esac
- fi
- add="-l$name"
- fi
-
- if test "$linkmode" = prog; then
- test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
- test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
- else
- test -n "$add_dir" && deplibs="$add_dir $deplibs"
- test -n "$add" && deplibs="$add $deplibs"
- fi
- fi
- elif test "$linkmode" = prog; then
- # Here we assume that one of hardcode_direct or hardcode_minus_L
- # is not unsupported. This is valid on all known static and
- # shared platforms.
- if test "$hardcode_direct" != unsupported; then
- test -n "$old_library" && linklib="$old_library"
- compile_deplibs="$dir/$linklib $compile_deplibs"
- finalize_deplibs="$dir/$linklib $finalize_deplibs"
- else
- compile_deplibs="-l$name -L$dir $compile_deplibs"
- finalize_deplibs="-l$name -L$dir $finalize_deplibs"
- fi
- elif test "$build_libtool_libs" = yes; then
- # Not a shared library
- if test "$deplibs_check_method" != pass_all; then
- # We're trying link a shared library against a static one
- # but the system doesn't support it.
-
- # Just print a warning and add the library to dependency_libs so
- # that the program can be linked against the static library.
- $echo
- $echo "*** Warning: This system can not link to static lib archive $lib."
- $echo "*** I have the capability to make that library automatically link in when"
- $echo "*** you link to this library. But I can only do this if you have a"
- $echo "*** shared version of the library, which you do not appear to have."
- if test "$module" = yes; then
- $echo "*** But as you try to build a module library, libtool will still create "
- $echo "*** a static module, that should work as long as the dlopening application"
- $echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
- if test -z "$global_symbol_pipe"; then
- $echo
- $echo "*** However, this would only work if libtool was able to extract symbol"
- $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
- $echo "*** not find such a program. So, this module is probably useless."
- $echo "*** \`nm' from GNU binutils and a full rebuild may help."
- fi
- if test "$build_old_libs" = no; then
- build_libtool_libs=module
- build_old_libs=yes
- else
- build_libtool_libs=no
- fi
- fi
- else
- convenience="$convenience $dir/$old_library"
- old_convenience="$old_convenience $dir/$old_library"
- deplibs="$dir/$old_library $deplibs"
- link_static=yes
- fi
- fi # link shared/static library?
-
- if test "$linkmode" = lib; then
- if test -n "$dependency_libs" &&
- { test "$hardcode_into_libs" != yes ||
- test "$build_old_libs" = yes ||
- test "$link_static" = yes; }; then
- # Extract -R from dependency_libs
- temp_deplibs=
- for libdir in $dependency_libs; do
- case $libdir in
- -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
- case " $xrpath " in
- *" $temp_xrpath "*) ;;
- *) xrpath="$xrpath $temp_xrpath";;
- esac;;
- *) temp_deplibs="$temp_deplibs $libdir";;
- esac
- done
- dependency_libs="$temp_deplibs"
- fi
-
- newlib_search_path="$newlib_search_path $absdir"
- # Link against this library
- test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
- # ... and its dependency_libs
- tmp_libs=
- for deplib in $dependency_libs; do
- newdependency_libs="$deplib $newdependency_libs"
- if test "X$duplicate_deps" = "Xyes" ; then
- case "$tmp_libs " in
- *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
- esac
- fi
- tmp_libs="$tmp_libs $deplib"
- done
-
- if test "$link_all_deplibs" != no; then
- # Add the search paths of all dependency libraries
- for deplib in $dependency_libs; do
- case $deplib in
- -L*) path="$deplib" ;;
- *.la)
- dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
- test "X$dir" = "X$deplib" && dir="."
- # We need an absolute path.
- case $dir in
- [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
- *)
- absdir=`cd "$dir" && pwd`
- if test -z "$absdir"; then
- $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
- absdir="$dir"
- fi
- ;;
- esac
- if grep "^installed=no" $deplib > /dev/null; then
- path="$absdir/$objdir"
- else
- eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
- if test -z "$libdir"; then
- $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
- exit $EXIT_FAILURE
- fi
- if test "$absdir" != "$libdir"; then
- $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
- fi
- path="$absdir"
- fi
- depdepl=
- case $host in
- *-*-darwin*)
- # we do not want to link against static libs,
- # but need to link against shared
- eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
- if test -n "$deplibrary_names" ; then
- for tmp in $deplibrary_names ; do
- depdepl=$tmp
- done
- if test -f "$path/$depdepl" ; then
- depdepl="$path/$depdepl"
- fi
- # do not add paths which are already there
- case " $newlib_search_path " in
- *" $path "*) ;;
- *) newlib_search_path="$newlib_search_path $path";;
- esac
- fi
- path=""
- ;;
- *)
- path="-L$path"
- ;;
- esac
- ;;
- -l*)
- case $host in
- *-*-darwin*)
- # Again, we only want to link against shared libraries
- eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
- for tmp in $newlib_search_path ; do
- if test -f "$tmp/lib$tmp_libs.dylib" ; then
- eval depdepl="$tmp/lib$tmp_libs.dylib"
- break
- fi
- done
- path=""
- ;;
- *) continue ;;
- esac
- ;;
- *) continue ;;
- esac
- case " $deplibs " in
- *" $depdepl "*) ;;
- *) deplibs="$depdepl $deplibs" ;;
- esac
- case " $deplibs " in
- *" $path "*) ;;
- *) deplibs="$deplibs $path" ;;
- esac
- done
- fi # link_all_deplibs != no
- fi # linkmode = lib
- done # for deplib in $libs
- dependency_libs="$newdependency_libs"
- if test "$pass" = dlpreopen; then
- # Link the dlpreopened libraries before other libraries
- for deplib in $save_deplibs; do
- deplibs="$deplib $deplibs"
- done
- fi
- if test "$pass" != dlopen; then
- if test "$pass" != conv; then
- # Make sure lib_search_path contains only unique directories.
- lib_search_path=
- for dir in $newlib_search_path; do
- case "$lib_search_path " in
- *" $dir "*) ;;
- *) lib_search_path="$lib_search_path $dir" ;;
- esac
- done
- newlib_search_path=
- fi
-
- if test "$linkmode,$pass" != "prog,link"; then
- vars="deplibs"
- else
- vars="compile_deplibs finalize_deplibs"
- fi
- for var in $vars dependency_libs; do
- # Add libraries to $var in reverse order
- eval tmp_libs=\"\$$var\"
- new_libs=
- for deplib in $tmp_libs; do
- # FIXME: Pedantically, this is the right thing to do, so
- # that some nasty dependency loop isn't accidentally
- # broken:
- #new_libs="$deplib $new_libs"
- # Pragmatically, this seems to cause very few problems in
- # practice:
- case $deplib in
- -L*) new_libs="$deplib $new_libs" ;;
- -R*) ;;
- *)
- # And here is the reason: when a library appears more
- # than once as an explicit dependence of a library, or
- # is implicitly linked in more than once by the
- # compiler, it is considered special, and multiple
- # occurrences thereof are not removed. Compare this
- # with having the same library being listed as a
- # dependency of multiple other libraries: in this case,
- # we know (pedantically, we assume) the library does not
- # need to be listed more than once, so we keep only the
- # last copy. This is not always right, but it is rare
- # enough that we require users that really mean to play
- # such unportable linking tricks to link the library
- # using -Wl,-lname, so that libtool does not consider it
- # for duplicate removal.
- case " $specialdeplibs " in
- *" $deplib "*) new_libs="$deplib $new_libs" ;;
- *)
- case " $new_libs " in
- *" $deplib "*) ;;
- *) new_libs="$deplib $new_libs" ;;
- esac
- ;;
- esac
- ;;
- esac
- done
- tmp_libs=
- for deplib in $new_libs; do
- case $deplib in
- -L*)
- case " $tmp_libs " in
- *" $deplib "*) ;;
- *) tmp_libs="$tmp_libs $deplib" ;;
- esac
- ;;
- *) tmp_libs="$tmp_libs $deplib" ;;
- esac
- done
- eval $var=\"$tmp_libs\"
- done # for var
- fi
- # Last step: remove runtime libs from dependency_libs
- # (they stay in deplibs)
- tmp_libs=
- for i in $dependency_libs ; do
- case " $predeps $postdeps $compiler_lib_search_path " in
- *" $i "*)
- i=""
- ;;
- esac
- if test -n "$i" ; then
- tmp_libs="$tmp_libs $i"
- fi
- done
- dependency_libs=$tmp_libs
- done # for pass
- if test "$linkmode" = prog; then
- dlfiles="$newdlfiles"
- dlprefiles="$newdlprefiles"
- fi
-
- case $linkmode in
- oldlib)
- if test -n "$deplibs"; then
- $echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
- fi
-
- if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
- $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
- fi
-
- if test -n "$rpath"; then
- $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
- fi
-
- if test -n "$xrpath"; then
- $echo "$modename: warning: \`-R' is ignored for archives" 1>&2
- fi
-
- if test -n "$vinfo"; then
- $echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2
- fi
-
- if test -n "$release"; then
- $echo "$modename: warning: \`-release' is ignored for archives" 1>&2
- fi
-
- if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
- $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
- fi
-
- # Now set the variables for building old libraries.
- build_libtool_libs=no
- oldlibs="$output"
- objs="$objs$old_deplibs"
- ;;
-
- lib)
- # Make sure we only generate libraries of the form `libNAME.la'.
- case $outputname in
- lib*)
- name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
- eval shared_ext=\"$shrext_cmds\"
- eval libname=\"$libname_spec\"
- ;;
- *)
- if test "$module" = no; then
- $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
- if test "$need_lib_prefix" != no; then
- # Add the "lib" prefix for modules if required
- name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
- eval shared_ext=\"$shrext_cmds\"
- eval libname=\"$libname_spec\"
- else
- libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
- fi
- ;;
- esac
-
- if test -n "$objs"; then
- if test "$deplibs_check_method" != pass_all; then
- $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
- exit $EXIT_FAILURE
- else
- $echo
- $echo "*** Warning: Linking the shared library $output against the non-libtool"
- $echo "*** objects $objs is not portable!"
- libobjs="$libobjs $objs"
- fi
- fi
-
- if test "$dlself" != no; then
- $echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
- fi
-
- set dummy $rpath
- if test "$#" -gt 2; then
- $echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
- fi
- install_libdir="$2"
-
- oldlibs=
- if test -z "$rpath"; then
- if test "$build_libtool_libs" = yes; then
- # Building a libtool convenience library.
- # Some compilers have problems with a `.al' extension so
- # convenience libraries should have the same extension an
- # archive normally would.
- oldlibs="$output_objdir/$libname.$libext $oldlibs"
- build_libtool_libs=convenience
- build_old_libs=yes
- fi
-
- if test -n "$vinfo"; then
- $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2
- fi
-
- if test -n "$release"; then
- $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
- fi
- else
-
- # Parse the version information argument.
- save_ifs="$IFS"; IFS=':'
- set dummy $vinfo 0 0 0
- IFS="$save_ifs"
-
- if test -n "$8"; then
- $echo "$modename: too many parameters to \`-version-info'" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # convert absolute version numbers to libtool ages
- # this retains compatibility with .la files and attempts
- # to make the code below a bit more comprehensible
-
- case $vinfo_number in
- yes)
- number_major="$2"
- number_minor="$3"
- number_revision="$4"
- #
- # There are really only two kinds -- those that
- # use the current revision as the major version
- # and those that subtract age and use age as
- # a minor version. But, then there is irix
- # which has an extra 1 added just for fun
- #
- case $version_type in
- darwin|linux|osf|windows)
- current=`expr $number_major + $number_minor`
- age="$number_minor"
- revision="$number_revision"
- ;;
- freebsd-aout|freebsd-elf|sunos)
- current="$number_major"
- revision="$number_minor"
- age="0"
- ;;
- irix|nonstopux)
- current=`expr $number_major + $number_minor - 1`
- age="$number_minor"
- revision="$number_minor"
- ;;
- esac
- ;;
- no)
- current="$2"
- revision="$3"
- age="$4"
- ;;
- esac
-
- # Check that each of the things are valid numbers.
- case $current in
- 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
- *)
- $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
- $echo "$modename: \`$vinfo' is not valid version information" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- case $revision in
- 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
- *)
- $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
- $echo "$modename: \`$vinfo' is not valid version information" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- case $age in
- 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
- *)
- $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
- $echo "$modename: \`$vinfo' is not valid version information" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- if test "$age" -gt "$current"; then
- $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
- $echo "$modename: \`$vinfo' is not valid version information" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Calculate the version variables.
- major=
- versuffix=
- verstring=
- case $version_type in
- none) ;;
-
- darwin)
- # Like Linux, but with the current version available in
- # verstring for coding it into the library header
- major=.`expr $current - $age`
- versuffix="$major.$age.$revision"
- # Darwin ld doesn't like 0 for these options...
- minor_current=`expr $current + 1`
- verstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
- ;;
-
- freebsd-aout)
- major=".$current"
- versuffix=".$current.$revision";
- ;;
-
- freebsd-elf)
- major=".$current"
- versuffix=".$current";
- ;;
-
- irix | nonstopux)
- major=`expr $current - $age + 1`
-
- case $version_type in
- nonstopux) verstring_prefix=nonstopux ;;
- *) verstring_prefix=sgi ;;
- esac
- verstring="$verstring_prefix$major.$revision"
-
- # Add in all the interfaces that we are compatible with.
- loop=$revision
- while test "$loop" -ne 0; do
- iface=`expr $revision - $loop`
- loop=`expr $loop - 1`
- verstring="$verstring_prefix$major.$iface:$verstring"
- done
-
- # Before this point, $major must not contain `.'.
- major=.$major
- versuffix="$major.$revision"
- ;;
-
- linux)
- major=.`expr $current - $age`
- versuffix="$major.$age.$revision"
- ;;
-
- osf)
- major=.`expr $current - $age`
- versuffix=".$current.$age.$revision"
- verstring="$current.$age.$revision"
-
- # Add in all the interfaces that we are compatible with.
- loop=$age
- while test "$loop" -ne 0; do
- iface=`expr $current - $loop`
- loop=`expr $loop - 1`
- verstring="$verstring:${iface}.0"
- done
-
- # Make executables depend on our current version.
- verstring="$verstring:${current}.0"
- ;;
-
- sunos)
- major=".$current"
- versuffix=".$current.$revision"
- ;;
-
- windows)
- # Use '-' rather than '.', since we only want one
- # extension on DOS 8.3 filesystems.
- major=`expr $current - $age`
- versuffix="-$major"
- ;;
-
- *)
- $echo "$modename: unknown library version type \`$version_type'" 1>&2
- $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- # Clear the version info if we defaulted, and they specified a release.
- if test -z "$vinfo" && test -n "$release"; then
- major=
- case $version_type in
- darwin)
- # we can't check for "0.0" in archive_cmds due to quoting
- # problems, so we reset it completely
- verstring=
- ;;
- *)
- verstring="0.0"
- ;;
- esac
- if test "$need_version" = no; then
- versuffix=
- else
- versuffix=".0.0"
- fi
- fi
-
- # Remove version info from name if versioning should be avoided
- if test "$avoid_version" = yes && test "$need_version" = no; then
- major=
- versuffix=
- verstring=""
- fi
-
- # Check to see if the archive will have undefined symbols.
- if test "$allow_undefined" = yes; then
- if test "$allow_undefined_flag" = unsupported; then
- $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
- build_libtool_libs=no
- build_old_libs=yes
- fi
- else
- # Don't allow undefined symbols.
- allow_undefined_flag="$no_undefined_flag"
- fi
- fi
-
- if test "$mode" != relink; then
- # Remove our outputs, but don't remove object files since they
- # may have been created when compiling PIC objects.
- removelist=
- tempremovelist=`$echo "$output_objdir/*"`
- for p in $tempremovelist; do
- case $p in
- *.$objext)
- ;;
- $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
- if test "X$precious_files_regex" != "X"; then
- if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
- then
- continue
- fi
- fi
- removelist="$removelist $p"
- ;;
- *) ;;
- esac
- done
- if test -n "$removelist"; then
- $show "${rm}r $removelist"
- $run ${rm}r $removelist
- fi
- fi
-
- # Now set the variables for building old libraries.
- if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
- oldlibs="$oldlibs $output_objdir/$libname.$libext"
-
- # Transform .lo files to .o files.
- oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
- fi
-
- # Eliminate all temporary directories.
- for path in $notinst_path; do
- lib_search_path=`$echo "$lib_search_path " | ${SED} -e 's% $path % %g'`
- deplibs=`$echo "$deplibs " | ${SED} -e 's% -L$path % %g'`
- dependency_libs=`$echo "$dependency_libs " | ${SED} -e 's% -L$path % %g'`
- done
-
- if test -n "$xrpath"; then
- # If the user specified any rpath flags, then add them.
- temp_xrpath=
- for libdir in $xrpath; do
- temp_xrpath="$temp_xrpath -R$libdir"
- case "$finalize_rpath " in
- *" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir" ;;
- esac
- done
- if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
- dependency_libs="$temp_xrpath $dependency_libs"
- fi
- fi
-
- # Make sure dlfiles contains only unique files that won't be dlpreopened
- old_dlfiles="$dlfiles"
- dlfiles=
- for lib in $old_dlfiles; do
- case " $dlprefiles $dlfiles " in
- *" $lib "*) ;;
- *) dlfiles="$dlfiles $lib" ;;
- esac
- done
-
- # Make sure dlprefiles contains only unique files
- old_dlprefiles="$dlprefiles"
- dlprefiles=
- for lib in $old_dlprefiles; do
- case "$dlprefiles " in
- *" $lib "*) ;;
- *) dlprefiles="$dlprefiles $lib" ;;
- esac
- done
-
- if test "$build_libtool_libs" = yes; then
- if test -n "$rpath"; then
- case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
- # these systems don't actually have a c library (as such)!
- ;;
- *-*-rhapsody* | *-*-darwin1.[012])
- # Rhapsody C library is in the System framework
- deplibs="$deplibs -framework System"
- ;;
- *-*-netbsd*)
- # Don't link with libc until the a.out ld.so is fixed.
- ;;
- *-*-openbsd* | *-*-freebsd*)
- # Do not include libc due to us having libc/libc_r.
- test "X$arg" = "X-lc" && continue
- ;;
- *)
- # Add libc to deplibs on all other systems if necessary.
- if test "$build_libtool_need_lc" = "yes"; then
- deplibs="$deplibs -lc"
- fi
- ;;
- esac
- fi
-
- # Transform deplibs into only deplibs that can be linked in shared.
- name_save=$name
- libname_save=$libname
- release_save=$release
- versuffix_save=$versuffix
- major_save=$major
- # I'm not sure if I'm treating the release correctly. I think
- # release should show up in the -l (ie -lgmp5) so we don't want to
- # add it in twice. Is that correct?
- release=""
- versuffix=""
- major=""
- newdeplibs=
- droppeddeps=no
- case $deplibs_check_method in
- pass_all)
- # Don't check for shared/static. Everything works.
- # This might be a little naive. We might want to check
- # whether the library exists or not. But this is on
- # osf3 & osf4 and I'm not really sure... Just
- # implementing what was already the behavior.
- newdeplibs=$deplibs
- ;;
- test_compile)
- # This code stresses the "libraries are programs" paradigm to its
- # limits. Maybe even breaks it. We compile a program, linking it
- # against the deplibs as a proxy for the library. Then we can check
- # whether they linked in statically or dynamically with ldd.
- $rm conftest.c
- cat > conftest.c <<EOF
- int main() { return 0; }
-EOF
- $rm conftest
- $LTCC -o conftest conftest.c $deplibs
- if test "$?" -eq 0 ; then
- ldd_output=`ldd conftest`
- for i in $deplibs; do
- name="`expr $i : '-l\(.*\)'`"
- # If $name is empty we are operating on a -L argument.
- if test "$name" != "" && test "$name" -ne "0"; then
- if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
- case " $predeps $postdeps " in
- *" $i "*)
- newdeplibs="$newdeplibs $i"
- i=""
- ;;
- esac
- fi
- if test -n "$i" ; then
- libname=`eval \\$echo \"$libname_spec\"`
- deplib_matches=`eval \\$echo \"$library_names_spec\"`
- set dummy $deplib_matches
- deplib_match=$2
- if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
- newdeplibs="$newdeplibs $i"
- else
- droppeddeps=yes
- $echo
- $echo "*** Warning: dynamic linker does not accept needed library $i."
- $echo "*** I have the capability to make that library automatically link in when"
- $echo "*** you link to this library. But I can only do this if you have a"
- $echo "*** shared version of the library, which I believe you do not have"
- $echo "*** because a test_compile did reveal that the linker did not use it for"
- $echo "*** its dynamic dependency list that programs get resolved with at runtime."
- fi
- fi
- else
- newdeplibs="$newdeplibs $i"
- fi
- done
- else
- # Error occurred in the first compile. Let's try to salvage
- # the situation: Compile a separate program for each library.
- for i in $deplibs; do
- name="`expr $i : '-l\(.*\)'`"
- # If $name is empty we are operating on a -L argument.
- if test "$name" != "" && test "$name" != "0"; then
- $rm conftest
- $LTCC -o conftest conftest.c $i
- # Did it work?
- if test "$?" -eq 0 ; then
- ldd_output=`ldd conftest`
- if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
- case " $predeps $postdeps " in
- *" $i "*)
- newdeplibs="$newdeplibs $i"
- i=""
- ;;
- esac
- fi
- if test -n "$i" ; then
- libname=`eval \\$echo \"$libname_spec\"`
- deplib_matches=`eval \\$echo \"$library_names_spec\"`
- set dummy $deplib_matches
- deplib_match=$2
- if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
- newdeplibs="$newdeplibs $i"
- else
- droppeddeps=yes
- $echo
- $echo "*** Warning: dynamic linker does not accept needed library $i."
- $echo "*** I have the capability to make that library automatically link in when"
- $echo "*** you link to this library. But I can only do this if you have a"
- $echo "*** shared version of the library, which you do not appear to have"
- $echo "*** because a test_compile did reveal that the linker did not use this one"
- $echo "*** as a dynamic dependency that programs can get resolved with at runtime."
- fi
- fi
- else
- droppeddeps=yes
- $echo
- $echo "*** Warning! Library $i is needed by this library but I was not able to"
- $echo "*** make it link in! You will probably need to install it or some"
- $echo "*** library that it depends on before this library will be fully"
- $echo "*** functional. Installing it before continuing would be even better."
- fi
- else
- newdeplibs="$newdeplibs $i"
- fi
- done
- fi
- ;;
- file_magic*)
- set dummy $deplibs_check_method
- file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
- for a_deplib in $deplibs; do
- name="`expr $a_deplib : '-l\(.*\)'`"
- # If $name is empty we are operating on a -L argument.
- if test "$name" != "" && test "$name" != "0"; then
- if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
- case " $predeps $postdeps " in
- *" $a_deplib "*)
- newdeplibs="$newdeplibs $a_deplib"
- a_deplib=""
- ;;
- esac
- fi
- if test -n "$a_deplib" ; then
- libname=`eval \\$echo \"$libname_spec\"`
- for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
- potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
- for potent_lib in $potential_libs; do
- # Follow soft links.
- if ls -lLd "$potent_lib" 2>/dev/null \
- | grep " -> " >/dev/null; then
- continue
- fi
- # The statement above tries to avoid entering an
- # endless loop below, in case of cyclic links.
- # We might still enter an endless loop, since a link
- # loop can be closed while we follow links,
- # but so what?
- potlib="$potent_lib"
- while test -h "$potlib" 2>/dev/null; do
- potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
- case $potliblink in
- [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
- *) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
- esac
- done
- if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
- | ${SED} 10q \
- | $EGREP "$file_magic_regex" > /dev/null; then
- newdeplibs="$newdeplibs $a_deplib"
- a_deplib=""
- break 2
- fi
- done
- done
- fi
- if test -n "$a_deplib" ; then
- droppeddeps=yes
- $echo
- $echo "*** Warning: linker path does not have real file for library $a_deplib."
- $echo "*** I have the capability to make that library automatically link in when"
- $echo "*** you link to this library. But I can only do this if you have a"
- $echo "*** shared version of the library, which you do not appear to have"
- $echo "*** because I did check the linker path looking for a file starting"
- if test -z "$potlib" ; then
- $echo "*** with $libname but no candidates were found. (...for file magic test)"
- else
- $echo "*** with $libname and none of the candidates passed a file format test"
- $echo "*** using a file magic. Last file checked: $potlib"
- fi
- fi
- else
- # Add a -L argument.
- newdeplibs="$newdeplibs $a_deplib"
- fi
- done # Gone through all deplibs.
- ;;
- match_pattern*)
- set dummy $deplibs_check_method
- match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
- for a_deplib in $deplibs; do
- name="`expr $a_deplib : '-l\(.*\)'`"
- # If $name is empty we are operating on a -L argument.
- if test -n "$name" && test "$name" != "0"; then
- if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
- case " $predeps $postdeps " in
- *" $a_deplib "*)
- newdeplibs="$newdeplibs $a_deplib"
- a_deplib=""
- ;;
- esac
- fi
- if test -n "$a_deplib" ; then
- libname=`eval \\$echo \"$libname_spec\"`
- for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
- potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
- for potent_lib in $potential_libs; do
- potlib="$potent_lib" # see symlink-check above in file_magic test
- if eval $echo \"$potent_lib\" 2>/dev/null \
- | ${SED} 10q \
- | $EGREP "$match_pattern_regex" > /dev/null; then
- newdeplibs="$newdeplibs $a_deplib"
- a_deplib=""
- break 2
- fi
- done
- done
- fi
- if test -n "$a_deplib" ; then
- droppeddeps=yes
- $echo
- $echo "*** Warning: linker path does not have real file for library $a_deplib."
- $echo "*** I have the capability to make that library automatically link in when"
- $echo "*** you link to this library. But I can only do this if you have a"
- $echo "*** shared version of the library, which you do not appear to have"
- $echo "*** because I did check the linker path looking for a file starting"
- if test -z "$potlib" ; then
- $echo "*** with $libname but no candidates were found. (...for regex pattern test)"
- else
- $echo "*** with $libname and none of the candidates passed a file format test"
- $echo "*** using a regex pattern. Last file checked: $potlib"
- fi
- fi
- else
- # Add a -L argument.
- newdeplibs="$newdeplibs $a_deplib"
- fi
- done # Gone through all deplibs.
- ;;
- none | unknown | *)
- newdeplibs=""
- tmp_deplibs=`$echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
- -e 's/ -[LR][^ ]*//g'`
- if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
- for i in $predeps $postdeps ; do
- # can't use Xsed below, because $i might contain '/'
- tmp_deplibs=`$echo "X $tmp_deplibs" | ${SED} -e "1s,^X,," -e "s,$i,,"`
- done
- fi
- if $echo "X $tmp_deplibs" | $Xsed -e 's/[ ]//g' \
- | grep . >/dev/null; then
- $echo
- if test "X$deplibs_check_method" = "Xnone"; then
- $echo "*** Warning: inter-library dependencies are not supported in this platform."
- else
- $echo "*** Warning: inter-library dependencies are not known to be supported."
- fi
- $echo "*** All declared inter-library dependencies are being dropped."
- droppeddeps=yes
- fi
- ;;
- esac
- versuffix=$versuffix_save
- major=$major_save
- release=$release_save
- libname=$libname_save
- name=$name_save
-
- case $host in
- *-*-rhapsody* | *-*-darwin1.[012])
- # On Rhapsody replace the C library is the System framework
- newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
- ;;
- esac
-
- if test "$droppeddeps" = yes; then
- if test "$module" = yes; then
- $echo
- $echo "*** Warning: libtool could not satisfy all declared inter-library"
- $echo "*** dependencies of module $libname. Therefore, libtool will create"
- $echo "*** a static module, that should work as long as the dlopening"
- $echo "*** application is linked with the -dlopen flag."
- if test -z "$global_symbol_pipe"; then
- $echo
- $echo "*** However, this would only work if libtool was able to extract symbol"
- $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
- $echo "*** not find such a program. So, this module is probably useless."
- $echo "*** \`nm' from GNU binutils and a full rebuild may help."
- fi
- if test "$build_old_libs" = no; then
- oldlibs="$output_objdir/$libname.$libext"
- build_libtool_libs=module
- build_old_libs=yes
- else
- build_libtool_libs=no
- fi
- else
- $echo "*** The inter-library dependencies that have been dropped here will be"
- $echo "*** automatically added whenever a program is linked with this library"
- $echo "*** or is declared to -dlopen it."
-
- if test "$allow_undefined" = no; then
- $echo
- $echo "*** Since this library must not contain undefined symbols,"
- $echo "*** because either the platform does not support them or"
- $echo "*** it was explicitly requested with -no-undefined,"
- $echo "*** libtool will only create a static version of it."
- if test "$build_old_libs" = no; then
- oldlibs="$output_objdir/$libname.$libext"
- build_libtool_libs=module
- build_old_libs=yes
- else
- build_libtool_libs=no
- fi
- fi
- fi
- fi
- # Done checking deplibs!
- deplibs=$newdeplibs
- fi
-
- # All the library-specific variables (install_libdir is set above).
- library_names=
- old_library=
- dlname=
-
- # Test again, we may have decided not to build it any more
- if test "$build_libtool_libs" = yes; then
- if test "$hardcode_into_libs" = yes; then
- # Hardcode the library paths
- hardcode_libdirs=
- dep_rpath=
- rpath="$finalize_rpath"
- test "$mode" != relink && rpath="$compile_rpath$rpath"
- for libdir in $rpath; do
- if test -n "$hardcode_libdir_flag_spec"; then
- if test -n "$hardcode_libdir_separator"; then
- if test -z "$hardcode_libdirs"; then
- hardcode_libdirs="$libdir"
- else
- # Just accumulate the unique libdirs.
- case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
- *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
- ;;
- *)
- hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
- ;;
- esac
- fi
- else
- eval flag=\"$hardcode_libdir_flag_spec\"
- dep_rpath="$dep_rpath $flag"
- fi
- elif test -n "$runpath_var"; then
- case "$perm_rpath " in
- *" $libdir "*) ;;
- *) perm_rpath="$perm_rpath $libdir" ;;
- esac
- fi
- done
- # Substitute the hardcoded libdirs into the rpath.
- if test -n "$hardcode_libdir_separator" &&
- test -n "$hardcode_libdirs"; then
- libdir="$hardcode_libdirs"
- if test -n "$hardcode_libdir_flag_spec_ld"; then
- eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
- else
- eval dep_rpath=\"$hardcode_libdir_flag_spec\"
- fi
- fi
- if test -n "$runpath_var" && test -n "$perm_rpath"; then
- # We should set the runpath_var.
- rpath=
- for dir in $perm_rpath; do
- rpath="$rpath$dir:"
- done
- eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
- fi
- test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
- fi
-
- shlibpath="$finalize_shlibpath"
- test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
- if test -n "$shlibpath"; then
- eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
- fi
-
- # Get the real and link names of the library.
- eval shared_ext=\"$shrext_cmds\"
- eval library_names=\"$library_names_spec\"
- set dummy $library_names
- realname="$2"
- shift; shift
-
- if test -n "$soname_spec"; then
- eval soname=\"$soname_spec\"
- else
- soname="$realname"
- fi
- if test -z "$dlname"; then
- dlname=$soname
- fi
-
- lib="$output_objdir/$realname"
- for link
- do
- linknames="$linknames $link"
- done
-
- # Use standard objects if they are pic
- test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
-
- # Prepare the list of exported symbols
- if test -z "$export_symbols"; then
- if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
- $show "generating symbol list for \`$libname.la'"
- export_symbols="$output_objdir/$libname.exp"
- $run $rm $export_symbols
- cmds=$export_symbols_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- if len=`expr "X$cmd" : ".*"` &&
- test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
- $show "$cmd"
- $run eval "$cmd" || exit $?
- skipped_export=false
- else
- # The command line is too long to execute in one step.
- $show "using reloadable object file for export list..."
- skipped_export=:
- fi
- done
- IFS="$save_ifs"
- if test -n "$export_symbols_regex"; then
- $show "$EGREP -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
- $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
- $show "$mv \"${export_symbols}T\" \"$export_symbols\""
- $run eval '$mv "${export_symbols}T" "$export_symbols"'
- fi
- fi
- fi
-
- if test -n "$export_symbols" && test -n "$include_expsyms"; then
- $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
- fi
-
- tmp_deplibs=
- for test_deplib in $deplibs; do
- case " $convenience " in
- *" $test_deplib "*) ;;
- *)
- tmp_deplibs="$tmp_deplibs $test_deplib"
- ;;
- esac
- done
- deplibs="$tmp_deplibs"
-
- if test -n "$convenience"; then
- if test -n "$whole_archive_flag_spec"; then
- save_libobjs=$libobjs
- eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
- else
- gentop="$output_objdir/${outputname}x"
- generated="$generated $gentop"
-
- func_extract_archives $gentop $convenience
- libobjs="$libobjs $func_extract_archives_result"
- fi
- fi
-
- if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
- eval flag=\"$thread_safe_flag_spec\"
- linker_flags="$linker_flags $flag"
- fi
-
- # Make a backup of the uninstalled library when relinking
- if test "$mode" = relink; then
- $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
- fi
-
- # Do each of the archive commands.
- if test "$module" = yes && test -n "$module_cmds" ; then
- if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
- eval test_cmds=\"$module_expsym_cmds\"
- cmds=$module_expsym_cmds
- else
- eval test_cmds=\"$module_cmds\"
- cmds=$module_cmds
- fi
- else
- if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
- eval test_cmds=\"$archive_expsym_cmds\"
- cmds=$archive_expsym_cmds
- else
- eval test_cmds=\"$archive_cmds\"
- cmds=$archive_cmds
- fi
- fi
-
- if test "X$skipped_export" != "X:" && len=`expr "X$test_cmds" : ".*"` &&
- test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
- :
- else
- # The command line is too long to link in one step, link piecewise.
- $echo "creating reloadable object files..."
-
- # Save the value of $output and $libobjs because we want to
- # use them later. If we have whole_archive_flag_spec, we
- # want to use save_libobjs as it was before
- # whole_archive_flag_spec was expanded, because we can't
- # assume the linker understands whole_archive_flag_spec.
- # This may have to be revisited, in case too many
- # convenience libraries get linked in and end up exceeding
- # the spec.
- if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
- save_libobjs=$libobjs
- fi
- save_output=$output
-
- # Clear the reloadable object creation command queue and
- # initialize k to one.
- test_cmds=
- concat_cmds=
- objlist=
- delfiles=
- last_robj=
- k=1
- output=$output_objdir/$save_output-${k}.$objext
- # Loop over the list of objects to be linked.
- for obj in $save_libobjs
- do
- eval test_cmds=\"$reload_cmds $objlist $last_robj\"
- if test "X$objlist" = X ||
- { len=`expr "X$test_cmds" : ".*"` &&
- test "$len" -le "$max_cmd_len"; }; then
- objlist="$objlist $obj"
- else
- # The command $test_cmds is almost too long, add a
- # command to the queue.
- if test "$k" -eq 1 ; then
- # The first file doesn't have a previous command to add.
- eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
- else
- # All subsequent reloadable object files will link in
- # the last one created.
- eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
- fi
- last_robj=$output_objdir/$save_output-${k}.$objext
- k=`expr $k + 1`
- output=$output_objdir/$save_output-${k}.$objext
- objlist=$obj
- len=1
- fi
- done
- # Handle the remaining objects by creating one last
- # reloadable object file. All subsequent reloadable object
- # files will link in the last one created.
- test -z "$concat_cmds" || concat_cmds=$concat_cmds~
- eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
-
- if ${skipped_export-false}; then
- $show "generating symbol list for \`$libname.la'"
- export_symbols="$output_objdir/$libname.exp"
- $run $rm $export_symbols
- libobjs=$output
- # Append the command to create the export file.
- eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
- fi
-
- # Set up a command to remove the reloadale object files
- # after they are used.
- i=0
- while test "$i" -lt "$k"
- do
- i=`expr $i + 1`
- delfiles="$delfiles $output_objdir/$save_output-${i}.$objext"
- done
-
- $echo "creating a temporary reloadable object file: $output"
-
- # Loop through the commands generated above and execute them.
- save_ifs="$IFS"; IFS='~'
- for cmd in $concat_cmds; do
- IFS="$save_ifs"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
-
- libobjs=$output
- # Restore the value of output.
- output=$save_output
-
- if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
- eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
- fi
- # Expand the library linking commands again to reset the
- # value of $libobjs for piecewise linking.
-
- # Do each of the archive commands.
- if test "$module" = yes && test -n "$module_cmds" ; then
- if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
- cmds=$module_expsym_cmds
- else
- cmds=$module_cmds
- fi
- else
- if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
- cmds=$archive_expsym_cmds
- else
- cmds=$archive_cmds
- fi
- fi
-
- # Append the command to remove the reloadable object files
- # to the just-reset $cmds.
- eval cmds=\"\$cmds~\$rm $delfiles\"
- fi
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
-
- # Restore the uninstalled library and exit
- if test "$mode" = relink; then
- $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
- exit $EXIT_SUCCESS
- fi
-
- # Create links to the real library.
- for linkname in $linknames; do
- if test "$realname" != "$linkname"; then
- $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
- $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
- fi
- done
-
- # If -module or -export-dynamic was specified, set the dlname.
- if test "$module" = yes || test "$export_dynamic" = yes; then
- # On all known operating systems, these are identical.
- dlname="$soname"
- fi
- fi
- ;;
-
- obj)
- if test -n "$deplibs"; then
- $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
- fi
-
- if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
- $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
- fi
-
- if test -n "$rpath"; then
- $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
- fi
-
- if test -n "$xrpath"; then
- $echo "$modename: warning: \`-R' is ignored for objects" 1>&2
- fi
-
- if test -n "$vinfo"; then
- $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
- fi
-
- if test -n "$release"; then
- $echo "$modename: warning: \`-release' is ignored for objects" 1>&2
- fi
-
- case $output in
- *.lo)
- if test -n "$objs$old_deplibs"; then
- $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
- exit $EXIT_FAILURE
- fi
- libobj="$output"
- obj=`$echo "X$output" | $Xsed -e "$lo2o"`
- ;;
- *)
- libobj=
- obj="$output"
- ;;
- esac
-
- # Delete the old objects.
- $run $rm $obj $libobj
-
- # Objects from convenience libraries. This assumes
- # single-version convenience libraries. Whenever we create
- # different ones for PIC/non-PIC, this we'll have to duplicate
- # the extraction.
- reload_conv_objs=
- gentop=
- # reload_cmds runs $LD directly, so let us get rid of
- # -Wl from whole_archive_flag_spec
- wl=
-
- if test -n "$convenience"; then
- if test -n "$whole_archive_flag_spec"; then
- eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
- else
- gentop="$output_objdir/${obj}x"
- generated="$generated $gentop"
-
- func_extract_archives $gentop $convenience
- reload_conv_objs="$reload_objs $func_extract_archives_result"
- fi
- fi
-
- # Create the old-style object.
- reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
-
- output="$obj"
- cmds=$reload_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
-
- # Exit if we aren't doing a library object file.
- if test -z "$libobj"; then
- if test -n "$gentop"; then
- $show "${rm}r $gentop"
- $run ${rm}r $gentop
- fi
-
- exit $EXIT_SUCCESS
- fi
-
- if test "$build_libtool_libs" != yes; then
- if test -n "$gentop"; then
- $show "${rm}r $gentop"
- $run ${rm}r $gentop
- fi
-
- # Create an invalid libtool object if no PIC, so that we don't
- # accidentally link it into a program.
- # $show "echo timestamp > $libobj"
- # $run eval "echo timestamp > $libobj" || exit $?
- exit $EXIT_SUCCESS
- fi
-
- if test -n "$pic_flag" || test "$pic_mode" != default; then
- # Only do commands if we really have different PIC objects.
- reload_objs="$libobjs $reload_conv_objs"
- output="$libobj"
- cmds=$reload_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
- fi
-
- if test -n "$gentop"; then
- $show "${rm}r $gentop"
- $run ${rm}r $gentop
- fi
-
- exit $EXIT_SUCCESS
- ;;
-
- prog)
- case $host in
- *cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;;
- esac
- if test -n "$vinfo"; then
- $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
- fi
-
- if test -n "$release"; then
- $echo "$modename: warning: \`-release' is ignored for programs" 1>&2
- fi
-
- if test "$preload" = yes; then
- if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
- test "$dlopen_self_static" = unknown; then
- $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
- fi
- fi
-
- case $host in
- *-*-rhapsody* | *-*-darwin1.[012])
- # On Rhapsody replace the C library is the System framework
- compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
- finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
- ;;
- esac
-
- case $host in
- *darwin*)
- # Don't allow lazy linking, it breaks C++ global constructors
- if test "$tagname" = CXX ; then
- compile_command="$compile_command ${wl}-bind_at_load"
- finalize_command="$finalize_command ${wl}-bind_at_load"
- fi
- ;;
- esac
-
- compile_command="$compile_command $compile_deplibs"
- finalize_command="$finalize_command $finalize_deplibs"
-
- if test -n "$rpath$xrpath"; then
- # If the user specified any rpath flags, then add them.
- for libdir in $rpath $xrpath; do
- # This is the magic to use -rpath.
- case "$finalize_rpath " in
- *" $libdir "*) ;;
- *) finalize_rpath="$finalize_rpath $libdir" ;;
- esac
- done
- fi
-
- # Now hardcode the library paths
- rpath=
- hardcode_libdirs=
- for libdir in $compile_rpath $finalize_rpath; do
- if test -n "$hardcode_libdir_flag_spec"; then
- if test -n "$hardcode_libdir_separator"; then
- if test -z "$hardcode_libdirs"; then
- hardcode_libdirs="$libdir"
- else
- # Just accumulate the unique libdirs.
- case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
- *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
- ;;
- *)
- hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
- ;;
- esac
- fi
- else
- eval flag=\"$hardcode_libdir_flag_spec\"
- rpath="$rpath $flag"
- fi
- elif test -n "$runpath_var"; then
- case "$perm_rpath " in
- *" $libdir "*) ;;
- *) perm_rpath="$perm_rpath $libdir" ;;
- esac
- fi
- case $host in
- *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
- case :$dllsearchpath: in
- *":$libdir:"*) ;;
- *) dllsearchpath="$dllsearchpath:$libdir";;
- esac
- ;;
- esac
- done
- # Substitute the hardcoded libdirs into the rpath.
- if test -n "$hardcode_libdir_separator" &&
- test -n "$hardcode_libdirs"; then
- libdir="$hardcode_libdirs"
- eval rpath=\" $hardcode_libdir_flag_spec\"
- fi
- compile_rpath="$rpath"
-
- rpath=
- hardcode_libdirs=
- for libdir in $finalize_rpath; do
- if test -n "$hardcode_libdir_flag_spec"; then
- if test -n "$hardcode_libdir_separator"; then
- if test -z "$hardcode_libdirs"; then
- hardcode_libdirs="$libdir"
- else
- # Just accumulate the unique libdirs.
- case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
- *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
- ;;
- *)
- hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
- ;;
- esac
- fi
- else
- eval flag=\"$hardcode_libdir_flag_spec\"
- rpath="$rpath $flag"
- fi
- elif test -n "$runpath_var"; then
- case "$finalize_perm_rpath " in
- *" $libdir "*) ;;
- *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
- esac
- fi
- done
- # Substitute the hardcoded libdirs into the rpath.
- if test -n "$hardcode_libdir_separator" &&
- test -n "$hardcode_libdirs"; then
- libdir="$hardcode_libdirs"
- eval rpath=\" $hardcode_libdir_flag_spec\"
- fi
- finalize_rpath="$rpath"
-
- if test -n "$libobjs" && test "$build_old_libs" = yes; then
- # Transform all the library objects into standard objects.
- compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
- finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
- fi
-
- dlsyms=
- if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
- if test -n "$NM" && test -n "$global_symbol_pipe"; then
- dlsyms="${outputname}S.c"
- else
- $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
- fi
- fi
-
- if test -n "$dlsyms"; then
- case $dlsyms in
- "") ;;
- *.c)
- # Discover the nlist of each of the dlfiles.
- nlist="$output_objdir/${outputname}.nm"
-
- $show "$rm $nlist ${nlist}S ${nlist}T"
- $run $rm "$nlist" "${nlist}S" "${nlist}T"
-
- # Parse the name list into a source file.
- $show "creating $output_objdir/$dlsyms"
-
- test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
-/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
-/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
-
-#ifdef __cplusplus
-extern \"C\" {
-#endif
-
-/* Prevent the only kind of declaration conflicts we can make. */
-#define lt_preloaded_symbols some_other_symbol
-
-/* External symbol declarations for the compiler. */\
-"
-
- if test "$dlself" = yes; then
- $show "generating symbol list for \`$output'"
-
- test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
-
- # Add our own program objects to the symbol list.
- progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
- for arg in $progfiles; do
- $show "extracting global C symbols from \`$arg'"
- $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
- done
-
- if test -n "$exclude_expsyms"; then
- $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
- $run eval '$mv "$nlist"T "$nlist"'
- fi
-
- if test -n "$export_symbols_regex"; then
- $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
- $run eval '$mv "$nlist"T "$nlist"'
- fi
-
- # Prepare the list of exported symbols
- if test -z "$export_symbols"; then
- export_symbols="$output_objdir/$output.exp"
- $run $rm $export_symbols
- $run eval "${SED} -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
- else
- $run eval "${SED} -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
- $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
- $run eval 'mv "$nlist"T "$nlist"'
- fi
- fi
-
- for arg in $dlprefiles; do
- $show "extracting global C symbols from \`$arg'"
- name=`$echo "$arg" | ${SED} -e 's%^.*/%%'`
- $run eval '$echo ": $name " >> "$nlist"'
- $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
- done
-
- if test -z "$run"; then
- # Make sure we have at least an empty file.
- test -f "$nlist" || : > "$nlist"
-
- if test -n "$exclude_expsyms"; then
- $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
- $mv "$nlist"T "$nlist"
- fi
-
- # Try sorting and uniquifying the output.
- if grep -v "^: " < "$nlist" |
- if sort -k 3 </dev/null >/dev/null 2>&1; then
- sort -k 3
- else
- sort +2
- fi |
- uniq > "$nlist"S; then
- :
- else
- grep -v "^: " < "$nlist" > "$nlist"S
- fi
-
- if test -f "$nlist"S; then
- eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
- else
- $echo '/* NONE */' >> "$output_objdir/$dlsyms"
- fi
-
- $echo >> "$output_objdir/$dlsyms" "\
-
-#undef lt_preloaded_symbols
-
-#if defined (__STDC__) && __STDC__
-# define lt_ptr void *
-#else
-# define lt_ptr char *
-# define const
-#endif
-
-/* The mapping between symbol names and symbols. */
-const struct {
- const char *name;
- lt_ptr address;
-}
-lt_preloaded_symbols[] =
-{\
-"
-
- eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms"
-
- $echo >> "$output_objdir/$dlsyms" "\
- {0, (lt_ptr) 0}
-};
-
-/* This works around a problem in FreeBSD linker */
-#ifdef FREEBSD_WORKAROUND
-static const void *lt_preloaded_setup() {
- return lt_preloaded_symbols;
-}
-#endif
-
-#ifdef __cplusplus
-}
-#endif\
-"
- fi
-
- pic_flag_for_symtable=
- case $host in
- # compiling the symbol table file with pic_flag works around
- # a FreeBSD bug that causes programs to crash when -lm is
- # linked before any other PIC object. But we must not use
- # pic_flag when linking with -static. The problem exists in
- # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
- *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
- case "$compile_command " in
- *" -static "*) ;;
- *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";;
- esac;;
- *-*-hpux*)
- case "$compile_command " in
- *" -static "*) ;;
- *) pic_flag_for_symtable=" $pic_flag";;
- esac
- esac
-
- # Now compile the dynamic symbol file.
- $show "(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
- $run eval '(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
-
- # Clean up the generated files.
- $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
- $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
-
- # Transform the symbol file into the correct name.
- compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
- finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
- ;;
- *)
- $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
- else
- # We keep going just in case the user didn't refer to
- # lt_preloaded_symbols. The linker will fail if global_symbol_pipe
- # really was required.
-
- # Nullify the symbol file.
- compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
- finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
- fi
-
- if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
- # Replace the output file specification.
- compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
- link_command="$compile_command$compile_rpath"
-
- # We have no uninstalled library dependencies, so finalize right now.
- $show "$link_command"
- $run eval "$link_command"
- status=$?
-
- # Delete the generated files.
- if test -n "$dlsyms"; then
- $show "$rm $output_objdir/${outputname}S.${objext}"
- $run $rm "$output_objdir/${outputname}S.${objext}"
- fi
-
- exit $status
- fi
-
- if test -n "$shlibpath_var"; then
- # We should set the shlibpath_var
- rpath=
- for dir in $temp_rpath; do
- case $dir in
- [\\/]* | [A-Za-z]:[\\/]*)
- # Absolute path.
- rpath="$rpath$dir:"
- ;;
- *)
- # Relative path: add a thisdir entry.
- rpath="$rpath\$thisdir/$dir:"
- ;;
- esac
- done
- temp_rpath="$rpath"
- fi
-
- if test -n "$compile_shlibpath$finalize_shlibpath"; then
- compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
- fi
- if test -n "$finalize_shlibpath"; then
- finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
- fi
-
- compile_var=
- finalize_var=
- if test -n "$runpath_var"; then
- if test -n "$perm_rpath"; then
- # We should set the runpath_var.
- rpath=
- for dir in $perm_rpath; do
- rpath="$rpath$dir:"
- done
- compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
- fi
- if test -n "$finalize_perm_rpath"; then
- # We should set the runpath_var.
- rpath=
- for dir in $finalize_perm_rpath; do
- rpath="$rpath$dir:"
- done
- finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
- fi
- fi
-
- if test "$no_install" = yes; then
- # We don't need to create a wrapper script.
- link_command="$compile_var$compile_command$compile_rpath"
- # Replace the output file specification.
- link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
- # Delete the old output file.
- $run $rm $output
- # Link the executable and exit
- $show "$link_command"
- $run eval "$link_command" || exit $?
- exit $EXIT_SUCCESS
- fi
-
- if test "$hardcode_action" = relink; then
- # Fast installation is not supported
- link_command="$compile_var$compile_command$compile_rpath"
- relink_command="$finalize_var$finalize_command$finalize_rpath"
-
- $echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
- $echo "$modename: \`$output' will be relinked during installation" 1>&2
- else
- if test "$fast_install" != no; then
- link_command="$finalize_var$compile_command$finalize_rpath"
- if test "$fast_install" = yes; then
- relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
- else
- # fast_install is set to needless
- relink_command=
- fi
- else
- link_command="$compile_var$compile_command$compile_rpath"
- relink_command="$finalize_var$finalize_command$finalize_rpath"
- fi
- fi
-
- # Replace the output file specification.
- link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
-
- # Delete the old output files.
- $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
-
- $show "$link_command"
- $run eval "$link_command" || exit $?
-
- # Now create the wrapper script.
- $show "creating $output"
-
- # Quote the relink command for shipping.
- if test -n "$relink_command"; then
- # Preserve any variables that may affect compiler behavior
- for var in $variables_saved_for_relink; do
- if eval test -z \"\${$var+set}\"; then
- relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
- elif eval var_value=\$$var; test -z "$var_value"; then
- relink_command="$var=; export $var; $relink_command"
- else
- var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
- relink_command="$var=\"$var_value\"; export $var; $relink_command"
- fi
- done
- relink_command="(cd `pwd`; $relink_command)"
- relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
- fi
-
- # Quote $echo for shipping.
- if test "X$echo" = "X$SHELL $progpath --fallback-echo"; then
- case $progpath in
- [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $progpath --fallback-echo";;
- *) qecho="$SHELL `pwd`/$progpath --fallback-echo";;
- esac
- qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
- else
- qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
- fi
-
- # Only actually do things if our run command is non-null.
- if test -z "$run"; then
- # win32 will think the script is a binary if it has
- # a .exe suffix, so we strip it off here.
- case $output in
- *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;;
- esac
- # test for cygwin because mv fails w/o .exe extensions
- case $host in
- *cygwin*)
- exeext=.exe
- outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;;
- *) exeext= ;;
- esac
- case $host in
- *cygwin* | *mingw* )
- cwrappersource=`$echo ${objdir}/lt-${output}.c`
- cwrapper=`$echo ${output}.exe`
- $rm $cwrappersource $cwrapper
- trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
-
- cat > $cwrappersource <<EOF
-
-/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
- Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-
- The $output program cannot be directly executed until all the libtool
- libraries that it depends on are installed.
-
- This wrapper executable should never be moved out of the build directory.
- If it is, it will not operate correctly.
-
- Currently, it simply execs the wrapper *script* "/bin/sh $output",
- but could eventually absorb all of the scripts functionality and
- exec $objdir/$outputname directly.
-*/
-EOF
- cat >> $cwrappersource<<"EOF"
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <malloc.h>
-#include <stdarg.h>
-#include <assert.h>
-
-#if defined(PATH_MAX)
-# define LT_PATHMAX PATH_MAX
-#elif defined(MAXPATHLEN)
-# define LT_PATHMAX MAXPATHLEN
-#else
-# define LT_PATHMAX 1024
-#endif
-
-#ifndef DIR_SEPARATOR
-#define DIR_SEPARATOR '/'
-#endif
-
-#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
- defined (__OS2__)
-#define HAVE_DOS_BASED_FILE_SYSTEM
-#ifndef DIR_SEPARATOR_2
-#define DIR_SEPARATOR_2 '\\'
-#endif
-#endif
-
-#ifndef DIR_SEPARATOR_2
-# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
-#else /* DIR_SEPARATOR_2 */
-# define IS_DIR_SEPARATOR(ch) \
- (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
-#endif /* DIR_SEPARATOR_2 */
-
-#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type)))
-#define XFREE(stale) do { \
- if (stale) { free ((void *) stale); stale = 0; } \
-} while (0)
-
-const char *program_name = NULL;
-
-void * xmalloc (size_t num);
-char * xstrdup (const char *string);
-char * basename (const char *name);
-char * fnqualify(const char *path);
-char * strendzap(char *str, const char *pat);
-void lt_fatal (const char *message, ...);
-
-int
-main (int argc, char *argv[])
-{
- char **newargz;
- int i;
-
- program_name = (char *) xstrdup ((char *) basename (argv[0]));
- newargz = XMALLOC(char *, argc+2);
-EOF
-
- cat >> $cwrappersource <<EOF
- newargz[0] = "$SHELL";
-EOF
-
- cat >> $cwrappersource <<"EOF"
- newargz[1] = fnqualify(argv[0]);
- /* we know the script has the same name, without the .exe */
- /* so make sure newargz[1] doesn't end in .exe */
- strendzap(newargz[1],".exe");
- for (i = 1; i < argc; i++)
- newargz[i+1] = xstrdup(argv[i]);
- newargz[argc+1] = NULL;
-EOF
-
- cat >> $cwrappersource <<EOF
- execv("$SHELL",newargz);
-EOF
-
- cat >> $cwrappersource <<"EOF"
-}
-
-void *
-xmalloc (size_t num)
-{
- void * p = (void *) malloc (num);
- if (!p)
- lt_fatal ("Memory exhausted");
-
- return p;
-}
-
-char *
-xstrdup (const char *string)
-{
- return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
-;
-}
-
-char *
-basename (const char *name)
-{
- const char *base;
-
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
- /* Skip over the disk name in MSDOS pathnames. */
- if (isalpha (name[0]) && name[1] == ':')
- name += 2;
-#endif
-
- for (base = name; *name; name++)
- if (IS_DIR_SEPARATOR (*name))
- base = name + 1;
- return (char *) base;
-}
-
-char *
-fnqualify(const char *path)
-{
- size_t size;
- char *p;
- char tmp[LT_PATHMAX + 1];
-
- assert(path != NULL);
-
- /* Is it qualified already? */
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
- if (isalpha (path[0]) && path[1] == ':')
- return xstrdup (path);
-#endif
- if (IS_DIR_SEPARATOR (path[0]))
- return xstrdup (path);
-
- /* prepend the current directory */
- /* doesn't handle '~' */
- if (getcwd (tmp, LT_PATHMAX) == NULL)
- lt_fatal ("getcwd failed");
- size = strlen(tmp) + 1 + strlen(path) + 1; /* +2 for '/' and '\0' */
- p = XMALLOC(char, size);
- sprintf(p, "%s%c%s", tmp, DIR_SEPARATOR, path);
- return p;
-}
-
-char *
-strendzap(char *str, const char *pat)
-{
- size_t len, patlen;
-
- assert(str != NULL);
- assert(pat != NULL);
-
- len = strlen(str);
- patlen = strlen(pat);
-
- if (patlen <= len)
- {
- str += len - patlen;
- if (strcmp(str, pat) == 0)
- *str = '\0';
- }
- return str;
-}
-
-static void
-lt_error_core (int exit_status, const char * mode,
- const char * message, va_list ap)
-{
- fprintf (stderr, "%s: %s: ", program_name, mode);
- vfprintf (stderr, message, ap);
- fprintf (stderr, ".\n");
-
- if (exit_status >= 0)
- exit (exit_status);
-}
-
-void
-lt_fatal (const char *message, ...)
-{
- va_list ap;
- va_start (ap, message);
- lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
- va_end (ap);
-}
-EOF
- # we should really use a build-platform specific compiler
- # here, but OTOH, the wrappers (shell script and this C one)
- # are only useful if you want to execute the "real" binary.
- # Since the "real" binary is built for $host, then this
- # wrapper might as well be built for $host, too.
- $run $LTCC -s -o $cwrapper $cwrappersource
- ;;
- esac
- $rm $output
- trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
-
- $echo > $output "\
-#! $SHELL
-
-# $output - temporary wrapper script for $objdir/$outputname
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# The $output program cannot be directly executed until all the libtool
-# libraries that it depends on are installed.
-#
-# This wrapper script should never be moved out of the build directory.
-# If it is, it will not operate correctly.
-
-# Sed substitution that helps us do robust quoting. It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed='${SED} -e 1s/^X//'
-sed_quote_subst='$sed_quote_subst'
-
-# The HP-UX ksh and POSIX shell print the target directory to stdout
-# if CDPATH is set.
-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
-
-relink_command=\"$relink_command\"
-
-# This environment variable determines our operation mode.
-if test \"\$libtool_install_magic\" = \"$magic\"; then
- # install mode needs the following variable:
- notinst_deplibs='$notinst_deplibs'
-else
- # When we are sourced in execute mode, \$file and \$echo are already set.
- if test \"\$libtool_execute_magic\" != \"$magic\"; then
- echo=\"$qecho\"
- file=\"\$0\"
- # Make sure echo works.
- if test \"X\$1\" = X--no-reexec; then
- # Discard the --no-reexec flag, and continue.
- shift
- elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
- # Yippee, \$echo works!
- :
- else
- # Restart under the correct shell, and then maybe \$echo will work.
- exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
- fi
- fi\
-"
- $echo >> $output "\
-
- # Find the directory that this script lives in.
- thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
- test \"x\$thisdir\" = \"x\$file\" && thisdir=.
-
- # Follow symbolic links until we get to the real thisdir.
- file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
- while test -n \"\$file\"; do
- destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
-
- # If there was a directory component, then change thisdir.
- if test \"x\$destdir\" != \"x\$file\"; then
- case \"\$destdir\" in
- [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
- *) thisdir=\"\$thisdir/\$destdir\" ;;
- esac
- fi
-
- file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
- file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
- done
-
- # Try to get the absolute directory name.
- absdir=\`cd \"\$thisdir\" && pwd\`
- test -n \"\$absdir\" && thisdir=\"\$absdir\"
-"
-
- if test "$fast_install" = yes; then
- $echo >> $output "\
- program=lt-'$outputname'$exeext
- progdir=\"\$thisdir/$objdir\"
-
- if test ! -f \"\$progdir/\$program\" || \\
- { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
- test \"X\$file\" != \"X\$progdir/\$program\"; }; then
-
- file=\"\$\$-\$program\"
-
- if test ! -d \"\$progdir\"; then
- $mkdir \"\$progdir\"
- else
- $rm \"\$progdir/\$file\"
- fi"
-
- $echo >> $output "\
-
- # relink executable if necessary
- if test -n \"\$relink_command\"; then
- if relink_command_output=\`eval \$relink_command 2>&1\`; then :
- else
- $echo \"\$relink_command_output\" >&2
- $rm \"\$progdir/\$file\"
- exit $EXIT_FAILURE
- fi
- fi
-
- $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
- { $rm \"\$progdir/\$program\";
- $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
- $rm \"\$progdir/\$file\"
- fi"
- else
- $echo >> $output "\
- program='$outputname'
- progdir=\"\$thisdir/$objdir\"
-"
- fi
-
- $echo >> $output "\
-
- if test -f \"\$progdir/\$program\"; then"
-
- # Export our shlibpath_var if we have one.
- if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
- $echo >> $output "\
- # Add our own library path to $shlibpath_var
- $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
-
- # Some systems cannot cope with colon-terminated $shlibpath_var
- # The second colon is a workaround for a bug in BeOS R4 sed
- $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
-
- export $shlibpath_var
-"
- fi
-
- # fixup the dll searchpath if we need to.
- if test -n "$dllsearchpath"; then
- $echo >> $output "\
- # Add the dll search path components to the executable PATH
- PATH=$dllsearchpath:\$PATH
-"
- fi
-
- $echo >> $output "\
- if test \"\$libtool_execute_magic\" != \"$magic\"; then
- # Run the actual program with our arguments.
-"
- case $host in
- # Backslashes separate directories on plain windows
- *-*-mingw | *-*-os2*)
- $echo >> $output "\
- exec \$progdir\\\\\$program \${1+\"\$@\"}
-"
- ;;
-
- *)
- $echo >> $output "\
- exec \$progdir/\$program \${1+\"\$@\"}
-"
- ;;
- esac
- $echo >> $output "\
- \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
- exit $EXIT_FAILURE
- fi
- else
- # The program doesn't exist.
- \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
- \$echo \"This script is just a wrapper for \$program.\" 1>&2
- $echo \"See the $PACKAGE documentation for more information.\" 1>&2
- exit $EXIT_FAILURE
- fi
-fi\
-"
- chmod +x $output
- fi
- exit $EXIT_SUCCESS
- ;;
- esac
-
- # See if we need to build an old-fashioned archive.
- for oldlib in $oldlibs; do
-
- if test "$build_libtool_libs" = convenience; then
- oldobjs="$libobjs_save"
- addlibs="$convenience"
- build_libtool_libs=no
- else
- if test "$build_libtool_libs" = module; then
- oldobjs="$libobjs_save"
- build_libtool_libs=no
- else
- oldobjs="$old_deplibs $non_pic_objects"
- fi
- addlibs="$old_convenience"
- fi
-
- if test -n "$addlibs"; then
- gentop="$output_objdir/${outputname}x"
- generated="$generated $gentop"
-
- func_extract_archives $gentop $addlibs
- oldobjs="$oldobjs $func_extract_archives_result"
- fi
-
- # Do each command in the archive commands.
- if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
- cmds=$old_archive_from_new_cmds
- else
- eval cmds=\"$old_archive_cmds\"
-
- if len=`expr "X$cmds" : ".*"` &&
- test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
- cmds=$old_archive_cmds
- else
- # the command line is too long to link in one step, link in parts
- $echo "using piecewise archive linking..."
- save_RANLIB=$RANLIB
- RANLIB=:
- objlist=
- concat_cmds=
- save_oldobjs=$oldobjs
- # GNU ar 2.10+ was changed to match POSIX; thus no paths are
- # encoded into archives. This makes 'ar r' malfunction in
- # this piecewise linking case whenever conflicting object
- # names appear in distinct ar calls; check, warn and compensate.
- if (for obj in $save_oldobjs
- do
- $echo "X$obj" | $Xsed -e 's%^.*/%%'
- done | sort | sort -uc >/dev/null 2>&1); then
- :
- else
- $echo "$modename: warning: object name conflicts; overriding AR_FLAGS to 'cq'" 1>&2
- $echo "$modename: warning: to ensure that POSIX-compatible ar will work" 1>&2
- AR_FLAGS=cq
- fi
- # Is there a better way of finding the last object in the list?
- for obj in $save_oldobjs
- do
- last_oldobj=$obj
- done
- for obj in $save_oldobjs
- do
- oldobjs="$objlist $obj"
- objlist="$objlist $obj"
- eval test_cmds=\"$old_archive_cmds\"
- if len=`expr "X$test_cmds" : ".*"` &&
- test "$len" -le "$max_cmd_len"; then
- :
- else
- # the above command should be used before it gets too long
- oldobjs=$objlist
- if test "$obj" = "$last_oldobj" ; then
- RANLIB=$save_RANLIB
- fi
- test -z "$concat_cmds" || concat_cmds=$concat_cmds~
- eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
- objlist=
- fi
- done
- RANLIB=$save_RANLIB
- oldobjs=$objlist
- if test "X$oldobjs" = "X" ; then
- eval cmds=\"\$concat_cmds\"
- else
- eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
- fi
- fi
- fi
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- eval cmd=\"$cmd\"
- IFS="$save_ifs"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
- done
-
- if test -n "$generated"; then
- $show "${rm}r$generated"
- $run ${rm}r$generated
- fi
-
- # Now create the libtool archive.
- case $output in
- *.la)
- old_library=
- test "$build_old_libs" = yes && old_library="$libname.$libext"
- $show "creating $output"
-
- # Preserve any variables that may affect compiler behavior
- for var in $variables_saved_for_relink; do
- if eval test -z \"\${$var+set}\"; then
- relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
- elif eval var_value=\$$var; test -z "$var_value"; then
- relink_command="$var=; export $var; $relink_command"
- else
- var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
- relink_command="$var=\"$var_value\"; export $var; $relink_command"
- fi
- done
- # Quote the link command for shipping.
- relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
- relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
- if test "$hardcode_automatic" = yes ; then
- relink_command=
- fi
-
-
- # Only create the output if not a dry run.
- if test -z "$run"; then
- for installed in no yes; do
- if test "$installed" = yes; then
- if test -z "$install_libdir"; then
- break
- fi
- output="$output_objdir/$outputname"i
- # Replace all uninstalled libtool libraries with the installed ones
- newdependency_libs=
- for deplib in $dependency_libs; do
- case $deplib in
- *.la)
- name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
- eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
- if test -z "$libdir"; then
- $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
- exit $EXIT_FAILURE
- fi
- newdependency_libs="$newdependency_libs $libdir/$name"
- ;;
- *) newdependency_libs="$newdependency_libs $deplib" ;;
- esac
- done
- dependency_libs="$newdependency_libs"
- newdlfiles=
- for lib in $dlfiles; do
- name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
- eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
- if test -z "$libdir"; then
- $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
- exit $EXIT_FAILURE
- fi
- newdlfiles="$newdlfiles $libdir/$name"
- done
- dlfiles="$newdlfiles"
- newdlprefiles=
- for lib in $dlprefiles; do
- name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
- eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
- if test -z "$libdir"; then
- $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
- exit $EXIT_FAILURE
- fi
- newdlprefiles="$newdlprefiles $libdir/$name"
- done
- dlprefiles="$newdlprefiles"
- else
- newdlfiles=
- for lib in $dlfiles; do
- case $lib in
- [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
- *) abs=`pwd`"/$lib" ;;
- esac
- newdlfiles="$newdlfiles $abs"
- done
- dlfiles="$newdlfiles"
- newdlprefiles=
- for lib in $dlprefiles; do
- case $lib in
- [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
- *) abs=`pwd`"/$lib" ;;
- esac
- newdlprefiles="$newdlprefiles $abs"
- done
- dlprefiles="$newdlprefiles"
- fi
- $rm $output
- # place dlname in correct position for cygwin
- tdlname=$dlname
- case $host,$output,$installed,$module,$dlname in
- *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
- esac
- $echo > $output "\
-# $outputname - a libtool library file
-# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
-#
-# Please DO NOT delete this file!
-# It is necessary for linking the library.
-
-# The name that we can dlopen(3).
-dlname='$tdlname'
-
-# Names of this library.
-library_names='$library_names'
-
-# The name of the static archive.
-old_library='$old_library'
-
-# Libraries that this one depends upon.
-dependency_libs='$dependency_libs'
-
-# Version information for $libname.
-current=$current
-age=$age
-revision=$revision
-
-# Is this an already installed library?
-installed=$installed
-
-# Should we warn about portability when linking against -modules?
-shouldnotlink=$module
-
-# Files to dlopen/dlpreopen
-dlopen='$dlfiles'
-dlpreopen='$dlprefiles'
-
-# Directory that this library needs to be installed in:
-libdir='$install_libdir'"
- if test "$installed" = no && test "$need_relink" = yes; then
- $echo >> $output "\
-relink_command=\"$relink_command\""
- fi
- done
- fi
-
- # Do a symbolic link so that the libtool archive can be found in
- # LD_LIBRARY_PATH before the program is installed.
- $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
- $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
- ;;
- esac
- exit $EXIT_SUCCESS
- ;;
-
- # libtool install mode
- install)
- modename="$modename: install"
-
- # There may be an optional sh(1) argument at the beginning of
- # install_prog (especially on Windows NT).
- if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
- # Allow the use of GNU shtool's install command.
- $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
- # Aesthetically quote it.
- arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
- arg="\"$arg\""
- ;;
- esac
- install_prog="$arg "
- arg="$1"
- shift
- else
- install_prog=
- arg="$nonopt"
- fi
-
- # The real first argument should be the name of the installation program.
- # Aesthetically quote it.
- arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
- arg="\"$arg\""
- ;;
- esac
- install_prog="$install_prog$arg"
-
- # We need to accept at least all the BSD install flags.
- dest=
- files=
- opts=
- prev=
- install_type=
- isdir=no
- stripme=
- for arg
- do
- if test -n "$dest"; then
- files="$files $dest"
- dest="$arg"
- continue
- fi
-
- case $arg in
- -d) isdir=yes ;;
- -f) prev="-f" ;;
- -g) prev="-g" ;;
- -m) prev="-m" ;;
- -o) prev="-o" ;;
- -s)
- stripme=" -s"
- continue
- ;;
- -*) ;;
-
- *)
- # If the previous option needed an argument, then skip it.
- if test -n "$prev"; then
- prev=
- else
- dest="$arg"
- continue
- fi
- ;;
- esac
-
- # Aesthetically quote the argument.
- arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
- case $arg in
- *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
- arg="\"$arg\""
- ;;
- esac
- install_prog="$install_prog $arg"
- done
-
- if test -z "$install_prog"; then
- $echo "$modename: you must specify an install program" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- if test -n "$prev"; then
- $echo "$modename: the \`$prev' option requires an argument" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- if test -z "$files"; then
- if test -z "$dest"; then
- $echo "$modename: no file or destination specified" 1>&2
- else
- $echo "$modename: you must specify a destination" 1>&2
- fi
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Strip any trailing slash from the destination.
- dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
-
- # Check to see that the destination is a directory.
- test -d "$dest" && isdir=yes
- if test "$isdir" = yes; then
- destdir="$dest"
- destname=
- else
- destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
- test "X$destdir" = "X$dest" && destdir=.
- destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
-
- # Not a directory, so check to see that there is only one file specified.
- set dummy $files
- if test "$#" -gt 2; then
- $echo "$modename: \`$dest' is not a directory" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
- fi
- case $destdir in
- [\\/]* | [A-Za-z]:[\\/]*) ;;
- *)
- for file in $files; do
- case $file in
- *.lo) ;;
- *)
- $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
- done
- ;;
- esac
-
- # This variable tells wrapper scripts just to set variables rather
- # than running their programs.
- libtool_install_magic="$magic"
-
- staticlibs=
- future_libdirs=
- current_libdirs=
- for file in $files; do
-
- # Do each installation.
- case $file in
- *.$libext)
- # Do the static libraries later.
- staticlibs="$staticlibs $file"
- ;;
-
- *.la)
- # Check to see that this really is a libtool archive.
- if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
- else
- $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- library_names=
- old_library=
- relink_command=
- # If there is no directory component, then add one.
- case $file in
- */* | *\\*) . $file ;;
- *) . ./$file ;;
- esac
-
- # Add the libdir to current_libdirs if it is the destination.
- if test "X$destdir" = "X$libdir"; then
- case "$current_libdirs " in
- *" $libdir "*) ;;
- *) current_libdirs="$current_libdirs $libdir" ;;
- esac
- else
- # Note the libdir as a future libdir.
- case "$future_libdirs " in
- *" $libdir "*) ;;
- *) future_libdirs="$future_libdirs $libdir" ;;
- esac
- fi
-
- dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
- test "X$dir" = "X$file/" && dir=
- dir="$dir$objdir"
-
- if test -n "$relink_command"; then
- # Determine the prefix the user has applied to our future dir.
- inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"`
-
- # Don't allow the user to place us outside of our expected
- # location b/c this prevents finding dependent libraries that
- # are installed to the same prefix.
- # At present, this check doesn't affect windows .dll's that
- # are installed into $libdir/../bin (currently, that works fine)
- # but it's something to keep an eye on.
- if test "$inst_prefix_dir" = "$destdir"; then
- $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
- exit $EXIT_FAILURE
- fi
-
- if test -n "$inst_prefix_dir"; then
- # Stick the inst_prefix_dir data into the link command.
- relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
- else
- relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
- fi
-
- $echo "$modename: warning: relinking \`$file'" 1>&2
- $show "$relink_command"
- if $run eval "$relink_command"; then :
- else
- $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
- exit $EXIT_FAILURE
- fi
- fi
-
- # See the names of the shared library.
- set dummy $library_names
- if test -n "$2"; then
- realname="$2"
- shift
- shift
-
- srcname="$realname"
- test -n "$relink_command" && srcname="$realname"T
-
- # Install the shared library and build the symlinks.
- $show "$install_prog $dir/$srcname $destdir/$realname"
- $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
- if test -n "$stripme" && test -n "$striplib"; then
- $show "$striplib $destdir/$realname"
- $run eval "$striplib $destdir/$realname" || exit $?
- fi
-
- if test "$#" -gt 0; then
- # Delete the old symlinks, and create new ones.
- for linkname
- do
- if test "$linkname" != "$realname"; then
- $show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
- $run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
- fi
- done
- fi
-
- # Do each command in the postinstall commands.
- lib="$destdir/$realname"
- cmds=$postinstall_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
- fi
-
- # Install the pseudo-library for information purposes.
- name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
- instname="$dir/$name"i
- $show "$install_prog $instname $destdir/$name"
- $run eval "$install_prog $instname $destdir/$name" || exit $?
-
- # Maybe install the static library, too.
- test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
- ;;
-
- *.lo)
- # Install (i.e. copy) a libtool object.
-
- # Figure out destination file name, if it wasn't already specified.
- if test -n "$destname"; then
- destfile="$destdir/$destname"
- else
- destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
- destfile="$destdir/$destfile"
- fi
-
- # Deduce the name of the destination old-style object file.
- case $destfile in
- *.lo)
- staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
- ;;
- *.$objext)
- staticdest="$destfile"
- destfile=
- ;;
- *)
- $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- # Install the libtool object if requested.
- if test -n "$destfile"; then
- $show "$install_prog $file $destfile"
- $run eval "$install_prog $file $destfile" || exit $?
- fi
-
- # Install the old object if enabled.
- if test "$build_old_libs" = yes; then
- # Deduce the name of the old-style object file.
- staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
-
- $show "$install_prog $staticobj $staticdest"
- $run eval "$install_prog \$staticobj \$staticdest" || exit $?
- fi
- exit $EXIT_SUCCESS
- ;;
-
- *)
- # Figure out destination file name, if it wasn't already specified.
- if test -n "$destname"; then
- destfile="$destdir/$destname"
- else
- destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
- destfile="$destdir/$destfile"
- fi
-
- # If the file is missing, and there is a .exe on the end, strip it
- # because it is most likely a libtool script we actually want to
- # install
- stripped_ext=""
- case $file in
- *.exe)
- if test ! -f "$file"; then
- file=`$echo $file|${SED} 's,.exe$,,'`
- stripped_ext=".exe"
- fi
- ;;
- esac
-
- # Do a test to see if this is really a libtool program.
- case $host in
- *cygwin*|*mingw*)
- wrapper=`$echo $file | ${SED} -e 's,.exe$,,'`
- ;;
- *)
- wrapper=$file
- ;;
- esac
- if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then
- notinst_deplibs=
- relink_command=
-
- # To insure that "foo" is sourced, and not "foo.exe",
- # finese the cygwin/MSYS system by explicitly sourcing "foo."
- # which disallows the automatic-append-.exe behavior.
- case $build in
- *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
- *) wrapperdot=${wrapper} ;;
- esac
- # If there is no directory component, then add one.
- case $file in
- */* | *\\*) . ${wrapperdot} ;;
- *) . ./${wrapperdot} ;;
- esac
-
- # Check the variables that should have been set.
- if test -z "$notinst_deplibs"; then
- $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
- exit $EXIT_FAILURE
- fi
-
- finalize=yes
- for lib in $notinst_deplibs; do
- # Check to see that each library is installed.
- libdir=
- if test -f "$lib"; then
- # If there is no directory component, then add one.
- case $lib in
- */* | *\\*) . $lib ;;
- *) . ./$lib ;;
- esac
- fi
- libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
- if test -n "$libdir" && test ! -f "$libfile"; then
- $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
- finalize=no
- fi
- done
-
- relink_command=
- # To insure that "foo" is sourced, and not "foo.exe",
- # finese the cygwin/MSYS system by explicitly sourcing "foo."
- # which disallows the automatic-append-.exe behavior.
- case $build in
- *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
- *) wrapperdot=${wrapper} ;;
- esac
- # If there is no directory component, then add one.
- case $file in
- */* | *\\*) . ${wrapperdot} ;;
- *) . ./${wrapperdot} ;;
- esac
-
- outputname=
- if test "$fast_install" = no && test -n "$relink_command"; then
- if test "$finalize" = yes && test -z "$run"; then
- tmpdir="/tmp"
- test -n "$TMPDIR" && tmpdir="$TMPDIR"
- tmpdir="$tmpdir/libtool-$$"
- save_umask=`umask`
- umask 0077
- if $mkdir "$tmpdir"; then
- umask $save_umask
- else
- umask $save_umask
- $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
- continue
- fi
- file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
- outputname="$tmpdir/$file"
- # Replace the output file specification.
- relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
-
- $show "$relink_command"
- if $run eval "$relink_command"; then :
- else
- $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
- ${rm}r "$tmpdir"
- continue
- fi
- file="$outputname"
- else
- $echo "$modename: warning: cannot relink \`$file'" 1>&2
- fi
- else
- # Install the binary that we compiled earlier.
- file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
- fi
- fi
-
- # remove .exe since cygwin /usr/bin/install will append another
- # one anyways
- case $install_prog,$host in
- */usr/bin/install*,*cygwin*)
- case $file:$destfile in
- *.exe:*.exe)
- # this is ok
- ;;
- *.exe:*)
- destfile=$destfile.exe
- ;;
- *:*.exe)
- destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'`
- ;;
- esac
- ;;
- esac
- $show "$install_prog$stripme $file $destfile"
- $run eval "$install_prog\$stripme \$file \$destfile" || exit $?
- test -n "$outputname" && ${rm}r "$tmpdir"
- ;;
- esac
- done
-
- for file in $staticlibs; do
- name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
-
- # Set up the ranlib parameters.
- oldlib="$destdir/$name"
-
- $show "$install_prog $file $oldlib"
- $run eval "$install_prog \$file \$oldlib" || exit $?
-
- if test -n "$stripme" && test -n "$old_striplib"; then
- $show "$old_striplib $oldlib"
- $run eval "$old_striplib $oldlib" || exit $?
- fi
-
- # Do each command in the postinstall commands.
- cmds=$old_postinstall_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || exit $?
- done
- IFS="$save_ifs"
- done
-
- if test -n "$future_libdirs"; then
- $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
- fi
-
- if test -n "$current_libdirs"; then
- # Maybe just do a dry run.
- test -n "$run" && current_libdirs=" -n$current_libdirs"
- exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
- else
- exit $EXIT_SUCCESS
- fi
- ;;
-
- # libtool finish mode
- finish)
- modename="$modename: finish"
- libdirs="$nonopt"
- admincmds=
-
- if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
- for dir
- do
- libdirs="$libdirs $dir"
- done
-
- for libdir in $libdirs; do
- if test -n "$finish_cmds"; then
- # Do each command in the finish commands.
- cmds=$finish_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd" || admincmds="$admincmds
- $cmd"
- done
- IFS="$save_ifs"
- fi
- if test -n "$finish_eval"; then
- # Do the single finish_eval.
- eval cmds=\"$finish_eval\"
- $run eval "$cmds" || admincmds="$admincmds
- $cmds"
- fi
- done
- fi
-
- # Exit here if they wanted silent mode.
- test "$show" = : && exit $EXIT_SUCCESS
-
- $echo "----------------------------------------------------------------------"
- $echo "Libraries have been installed in:"
- for libdir in $libdirs; do
- $echo " $libdir"
- done
- $echo
- $echo "If you ever happen to want to link against installed libraries"
- $echo "in a given directory, LIBDIR, you must either use libtool, and"
- $echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
- $echo "flag during linking and do at least one of the following:"
- if test -n "$shlibpath_var"; then
- $echo " - add LIBDIR to the \`$shlibpath_var' environment variable"
- $echo " during execution"
- fi
- if test -n "$runpath_var"; then
- $echo " - add LIBDIR to the \`$runpath_var' environment variable"
- $echo " during linking"
- fi
- if test -n "$hardcode_libdir_flag_spec"; then
- libdir=LIBDIR
- eval flag=\"$hardcode_libdir_flag_spec\"
-
- $echo " - use the \`$flag' linker flag"
- fi
- if test -n "$admincmds"; then
- $echo " - have your system administrator run these commands:$admincmds"
- fi
- if test -f /etc/ld.so.conf; then
- $echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
- fi
- $echo
- $echo "See any operating system documentation about shared libraries for"
- $echo "more information, such as the ld(1) and ld.so(8) manual pages."
- $echo "----------------------------------------------------------------------"
- exit $EXIT_SUCCESS
- ;;
-
- # libtool execute mode
- execute)
- modename="$modename: execute"
-
- # The first argument is the command name.
- cmd="$nonopt"
- if test -z "$cmd"; then
- $echo "$modename: you must specify a COMMAND" 1>&2
- $echo "$help"
- exit $EXIT_FAILURE
- fi
-
- # Handle -dlopen flags immediately.
- for file in $execute_dlfiles; do
- if test ! -f "$file"; then
- $echo "$modename: \`$file' is not a file" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- dir=
- case $file in
- *.la)
- # Check to see that this really is a libtool archive.
- if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
- else
- $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- # Read the libtool library.
- dlname=
- library_names=
-
- # If there is no directory component, then add one.
- case $file in
- */* | *\\*) . $file ;;
- *) . ./$file ;;
- esac
-
- # Skip this library if it cannot be dlopened.
- if test -z "$dlname"; then
- # Warn if it was a shared library.
- test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
- continue
- fi
-
- dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
- test "X$dir" = "X$file" && dir=.
-
- if test -f "$dir/$objdir/$dlname"; then
- dir="$dir/$objdir"
- else
- $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
- exit $EXIT_FAILURE
- fi
- ;;
-
- *.lo)
- # Just add the directory containing the .lo file.
- dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
- test "X$dir" = "X$file" && dir=.
- ;;
-
- *)
- $echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
- continue
- ;;
- esac
-
- # Get the absolute pathname.
- absdir=`cd "$dir" && pwd`
- test -n "$absdir" && dir="$absdir"
-
- # Now add the directory to shlibpath_var.
- if eval "test -z \"\$$shlibpath_var\""; then
- eval "$shlibpath_var=\"\$dir\""
- else
- eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
- fi
- done
-
- # This variable tells wrapper scripts just to set shlibpath_var
- # rather than running their programs.
- libtool_execute_magic="$magic"
-
- # Check if any of the arguments is a wrapper script.
- args=
- for file
- do
- case $file in
- -*) ;;
- *)
- # Do a test to see if this is really a libtool program.
- if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
- # If there is no directory component, then add one.
- case $file in
- */* | *\\*) . $file ;;
- *) . ./$file ;;
- esac
-
- # Transform arg to wrapped name.
- file="$progdir/$program"
- fi
- ;;
- esac
- # Quote arguments (to preserve shell metacharacters).
- file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
- args="$args \"$file\""
- done
-
- if test -z "$run"; then
- if test -n "$shlibpath_var"; then
- # Export the shlibpath_var.
- eval "export $shlibpath_var"
- fi
-
- # Restore saved environment variables
- if test "${save_LC_ALL+set}" = set; then
- LC_ALL="$save_LC_ALL"; export LC_ALL
- fi
- if test "${save_LANG+set}" = set; then
- LANG="$save_LANG"; export LANG
- fi
-
- # Now prepare to actually exec the command.
- exec_cmd="\$cmd$args"
- else
- # Display what would be done.
- if test -n "$shlibpath_var"; then
- eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
- $echo "export $shlibpath_var"
- fi
- $echo "$cmd$args"
- exit $EXIT_SUCCESS
- fi
- ;;
-
- # libtool clean and uninstall mode
- clean | uninstall)
- modename="$modename: $mode"
- rm="$nonopt"
- files=
- rmforce=
- exit_status=0
-
- # This variable tells wrapper scripts just to set variables rather
- # than running their programs.
- libtool_install_magic="$magic"
-
- for arg
- do
- case $arg in
- -f) rm="$rm $arg"; rmforce=yes ;;
- -*) rm="$rm $arg" ;;
- *) files="$files $arg" ;;
- esac
- done
-
- if test -z "$rm"; then
- $echo "$modename: you must specify an RM program" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- fi
-
- rmdirs=
-
- origobjdir="$objdir"
- for file in $files; do
- dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
- if test "X$dir" = "X$file"; then
- dir=.
- objdir="$origobjdir"
- else
- objdir="$dir/$origobjdir"
- fi
- name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
- test "$mode" = uninstall && objdir="$dir"
-
- # Remember objdir for removal later, being careful to avoid duplicates
- if test "$mode" = clean; then
- case " $rmdirs " in
- *" $objdir "*) ;;
- *) rmdirs="$rmdirs $objdir" ;;
- esac
- fi
-
- # Don't error if the file doesn't exist and rm -f was used.
- if (test -L "$file") >/dev/null 2>&1 \
- || (test -h "$file") >/dev/null 2>&1 \
- || test -f "$file"; then
- :
- elif test -d "$file"; then
- exit_status=1
- continue
- elif test "$rmforce" = yes; then
- continue
- fi
-
- rmfiles="$file"
-
- case $name in
- *.la)
- # Possibly a libtool archive, so verify it.
- if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
- . $dir/$name
-
- # Delete the libtool libraries and symlinks.
- for n in $library_names; do
- rmfiles="$rmfiles $objdir/$n"
- done
- test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
- test "$mode" = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
-
- if test "$mode" = uninstall; then
- if test -n "$library_names"; then
- # Do each command in the postuninstall commands.
- cmds=$postuninstall_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd"
- if test "$?" -ne 0 && test "$rmforce" != yes; then
- exit_status=1
- fi
- done
- IFS="$save_ifs"
- fi
-
- if test -n "$old_library"; then
- # Do each command in the old_postuninstall commands.
- cmds=$old_postuninstall_cmds
- save_ifs="$IFS"; IFS='~'
- for cmd in $cmds; do
- IFS="$save_ifs"
- eval cmd=\"$cmd\"
- $show "$cmd"
- $run eval "$cmd"
- if test "$?" -ne 0 && test "$rmforce" != yes; then
- exit_status=1
- fi
- done
- IFS="$save_ifs"
- fi
- # FIXME: should reinstall the best remaining shared library.
- fi
- fi
- ;;
-
- *.lo)
- # Possibly a libtool object, so verify it.
- if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
-
- # Read the .lo file
- . $dir/$name
-
- # Add PIC object to the list of files to remove.
- if test -n "$pic_object" \
- && test "$pic_object" != none; then
- rmfiles="$rmfiles $dir/$pic_object"
- fi
-
- # Add non-PIC object to the list of files to remove.
- if test -n "$non_pic_object" \
- && test "$non_pic_object" != none; then
- rmfiles="$rmfiles $dir/$non_pic_object"
- fi
- fi
- ;;
-
- *)
- if test "$mode" = clean ; then
- noexename=$name
- case $file in
- *.exe)
- file=`$echo $file|${SED} 's,.exe$,,'`
- noexename=`$echo $name|${SED} 's,.exe$,,'`
- # $file with .exe has already been added to rmfiles,
- # add $file without .exe
- rmfiles="$rmfiles $file"
- ;;
- esac
- # Do a test to see if this is a libtool program.
- if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
- relink_command=
- . $dir/$noexename
-
- # note $name still contains .exe if it was in $file originally
- # as does the version of $file that was added into $rmfiles
- rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
- if test "$fast_install" = yes && test -n "$relink_command"; then
- rmfiles="$rmfiles $objdir/lt-$name"
- fi
- if test "X$noexename" != "X$name" ; then
- rmfiles="$rmfiles $objdir/lt-${noexename}.c"
- fi
- fi
- fi
- ;;
- esac
- $show "$rm $rmfiles"
- $run $rm $rmfiles || exit_status=1
- done
- objdir="$origobjdir"
-
- # Try to remove the ${objdir}s in the directories where we deleted files
- for dir in $rmdirs; do
- if test -d "$dir"; then
- $show "rmdir $dir"
- $run rmdir $dir >/dev/null 2>&1
- fi
- done
-
- exit $exit_status
- ;;
-
- "")
- $echo "$modename: you must specify a MODE" 1>&2
- $echo "$generic_help" 1>&2
- exit $EXIT_FAILURE
- ;;
- esac
-
- if test -z "$exec_cmd"; then
- $echo "$modename: invalid operation mode \`$mode'" 1>&2
- $echo "$generic_help" 1>&2
- exit $EXIT_FAILURE
- fi
-fi # test -z "$show_help"
-
-if test -n "$exec_cmd"; then
- eval exec $exec_cmd
- exit $EXIT_FAILURE
-fi
-
-# We need to display help for each of the modes.
-case $mode in
-"") $echo \
-"Usage: $modename [OPTION]... [MODE-ARG]...
-
-Provide generalized library-building support services.
-
- --config show all configuration variables
- --debug enable verbose shell tracing
--n, --dry-run display commands without modifying any files
- --features display basic configuration information and exit
- --finish same as \`--mode=finish'
- --help display this help message and exit
- --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS]
- --quiet same as \`--silent'
- --silent don't print informational messages
- --tag=TAG use configuration variables from tag TAG
- --version print version information
-
-MODE must be one of the following:
-
- clean remove files from the build directory
- compile compile a source file into a libtool object
- execute automatically set library path, then run a program
- finish complete the installation of libtool libraries
- install install libraries or executables
- link create a library or an executable
- uninstall remove libraries from an installed directory
-
-MODE-ARGS vary depending on the MODE. Try \`$modename --help --mode=MODE' for
-a more detailed description of MODE.
-
-Report bugs to <bug-libtool@gnu.org>."
- exit $EXIT_SUCCESS
- ;;
-
-clean)
- $echo \
-"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
-
-Remove files from the build directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, object or program, all the files associated
-with it are deleted. Otherwise, only FILE itself is deleted using RM."
- ;;
-
-compile)
- $echo \
-"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
-
-Compile a source file into a libtool library object.
-
-This mode accepts the following additional options:
-
- -o OUTPUT-FILE set the output file name to OUTPUT-FILE
- -prefer-pic try to building PIC objects only
- -prefer-non-pic try to building non-PIC objects only
- -static always build a \`.o' file suitable for static linking
-
-COMPILE-COMMAND is a command to be used in creating a \`standard' object file
-from the given SOURCEFILE.
-
-The output file name is determined by removing the directory component from
-SOURCEFILE, then substituting the C source code suffix \`.c' with the
-library object suffix, \`.lo'."
- ;;
-
-execute)
- $echo \
-"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
-
-Automatically set library path, then run a program.
-
-This mode accepts the following additional options:
-
- -dlopen FILE add the directory containing FILE to the library path
-
-This mode sets the library path environment variable according to \`-dlopen'
-flags.
-
-If any of the ARGS are libtool executable wrappers, then they are translated
-into their corresponding uninstalled binary, and any of their required library
-directories are added to the library path.
-
-Then, COMMAND is executed, with ARGS as arguments."
- ;;
-
-finish)
- $echo \
-"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
-
-Complete the installation of libtool libraries.
-
-Each LIBDIR is a directory that contains libtool libraries.
-
-The commands that this mode executes may require superuser privileges. Use
-the \`--dry-run' option if you just want to see what would be executed."
- ;;
-
-install)
- $echo \
-"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
-
-Install executables or libraries.
-
-INSTALL-COMMAND is the installation command. The first component should be
-either the \`install' or \`cp' program.
-
-The rest of the components are interpreted as arguments to that command (only
-BSD-compatible install options are recognized)."
- ;;
-
-link)
- $echo \
-"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
-
-Link object files or libraries together to form another library, or to
-create an executable program.
-
-LINK-COMMAND is a command using the C compiler that you would use to create
-a program from several object files.
-
-The following components of LINK-COMMAND are treated specially:
-
- -all-static do not do any dynamic linking at all
- -avoid-version do not add a version suffix if possible
- -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime
- -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols
- -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
- -export-symbols SYMFILE
- try to export only the symbols listed in SYMFILE
- -export-symbols-regex REGEX
- try to export only the symbols matching REGEX
- -LLIBDIR search LIBDIR for required installed libraries
- -lNAME OUTPUT-FILE requires the installed library libNAME
- -module build a library that can dlopened
- -no-fast-install disable the fast-install mode
- -no-install link a not-installable executable
- -no-undefined declare that a library does not refer to external symbols
- -o OUTPUT-FILE create OUTPUT-FILE from the specified objects
- -objectlist FILE Use a list of object files found in FILE to specify objects
- -precious-files-regex REGEX
- don't remove output files matching REGEX
- -release RELEASE specify package release information
- -rpath LIBDIR the created library will eventually be installed in LIBDIR
- -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries
- -static do not do any dynamic linking of libtool libraries
- -version-info CURRENT[:REVISION[:AGE]]
- specify library version info [each variable defaults to 0]
-
-All other options (arguments beginning with \`-') are ignored.
-
-Every other argument is treated as a filename. Files ending in \`.la' are
-treated as uninstalled libtool libraries, other files are standard or library
-object files.
-
-If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
-only library objects (\`.lo' files) may be specified, and \`-rpath' is
-required, except when creating a convenience library.
-
-If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
-using \`ar' and \`ranlib', or on Windows using \`lib'.
-
-If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
-is created, otherwise an executable program is created."
- ;;
-
-uninstall)
- $echo \
-"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
-
-Remove libraries from an installation directory.
-
-RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
-to RM.
-
-If FILE is a libtool library, all the files associated with it are deleted.
-Otherwise, only FILE itself is deleted using RM."
- ;;
-
-*)
- $echo "$modename: invalid operation mode \`$mode'" 1>&2
- $echo "$help" 1>&2
- exit $EXIT_FAILURE
- ;;
-esac
-
-$echo
-$echo "Try \`$modename --help' for more information about other modes."
-
-exit $EXIT_SUCCESS
-
-# The TAGs below are defined such that we never get into a situation
-# in which we disable both kinds of libraries. Given conflicting
-# choices, we go for a static library, that is the most portable,
-# since we can't tell whether shared libraries were disabled because
-# the user asked for that or because the platform doesn't support
-# them. This is particularly important on AIX, because we don't
-# support having both static and shared libraries enabled at the same
-# time on that platform, so we default to a shared-only configuration.
-# If a disable-shared tag is given, we'll fallback to a static-only
-# configuration. But we'll never go from static-only to shared-only.
-
-# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
-build_libtool_libs=no
-build_old_libs=yes
-# ### END LIBTOOL TAG CONFIG: disable-shared
-
-# ### BEGIN LIBTOOL TAG CONFIG: disable-static
-build_old_libs=`case $build_libtool_libs in yes) $echo no;; *) $echo yes;; esac`
-# ### END LIBTOOL TAG CONFIG: disable-static
-
-# Local Variables:
-# mode:shell-script
-# sh-indentation:2
-# End:
diff --git a/contrib/bind9/make/Makefile.in b/contrib/bind9/make/Makefile.in
deleted file mode 100644
index 73efb1f77457..000000000000
--- a/contrib/bind9/make/Makefile.in
+++ /dev/null
@@ -1,28 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: Makefile.in,v 1.13.206.1 2004/03/06 13:16:21 marka Exp $
-
-srcdir = @srcdir@
-VPATH = @srcdir@
-top_srcdir = @top_srcdir@
-
-SUBDIRS=
-TARGETS=
-
-@BIND9_MAKE_RULES@
-
-distclean::
- rm -f rules mkdep includes
diff --git a/contrib/bind9/make/includes.in b/contrib/bind9/make/includes.in
deleted file mode 100644
index 2e5b89b3581a..000000000000
--- a/contrib/bind9/make/includes.in
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: includes.in,v 1.15.12.4 2004/12/09 04:07:30 marka Exp $
-
-# Search for machine-generated header files in the build tree,
-# and for normal headers in the source tree (${top_srcdir}).
-# We only need to look in OS-specific subdirectories for the
-# latter case, because there are no machine-generated OS-specific
-# headers.
-
-ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/isc \
- -I${top_srcdir}/lib/isc/include \
- -I${top_srcdir}/lib/isc/unix/include \
- -I${top_srcdir}/lib/isc/@ISC_THREAD_DIR@/include
-
-ISCCC_INCLUDES = @BIND9_ISCCC_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/isccc/include
-
-ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/isccfg/include
-
-DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/dns/include
-
-LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/lwres/unix/include \
- -I${top_srcdir}/lib/lwres/include
-
-BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
- -I${top_srcdir}/lib/bind9/include
-
-TEST_INCLUDES = \
- -I${top_srcdir}/lib/tests/include
diff --git a/contrib/bind9/make/mkdep.in b/contrib/bind9/make/mkdep.in
deleted file mode 100644
index fc3e2506adb3..000000000000
--- a/contrib/bind9/make/mkdep.in
+++ /dev/null
@@ -1,148 +0,0 @@
-#!/bin/sh -
-
-## ++Copyright++ 1987
-## -
-## Copyright (c) 1987 Regents of the University of California.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted provided that the following conditions
-## are met:
-## 1. Redistributions of source code must retain the above copyright
-## notice, this list of conditions and the following disclaimer.
-## 2. Redistributions in binary form must reproduce the above copyright
-## notice, this list of conditions and the following disclaimer in the
-## documentation and/or other materials provided with the distribution.
-## 3. All advertising materials mentioning features or use of this software
-## must display the following acknowledgement:
-## This product includes software developed by the University of
-## California, Berkeley and its contributors.
-## 4. Neither the name of the University nor the names of its contributors
-## may be used to endorse or promote products derived from this software
-## without specific prior written permission.
-## THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-## ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-## SUCH DAMAGE.
-## -
-## Portions Copyright (c) 1993 by Digital Equipment Corporation.
-##
-## Permission to use, copy, modify, and distribute this software for any
-## purpose with or without fee is hereby granted, provided that the above
-## copyright notice and this permission notice appear in all copies, and that
-## the name of Digital Equipment Corporation not be used in advertising or
-## publicity pertaining to distribution of the document or software without
-## specific, written prior permission.
-##
-## THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
-## WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
-## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
-## CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
-## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
-## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
-## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
-## SOFTWARE.
-## -
-## --Copyright--
-
-#
-# @(#)mkdep.sh 5.12 (Berkeley) 6/30/88
-#
-
-MAKE=Makefile # default makefile name is "Makefile"
-
-while :
- do case "$1" in
- # -f allows you to select a makefile name
- -f)
- MAKE=$2
- shift; shift ;;
-
- # the -p flag produces "program: program.c" style dependencies
- # so .o's don't get produced
- -p)
- SED='s;\.o;;'
- shift ;;
- *)
- break ;;
- esac
-done
-
-if [ $# = 0 ] ; then
- echo 'usage: mkdep [-p] [-f makefile] [flags] file ...'
- exit 1
-fi
-
-if [ ! -w $MAKE ]; then
- echo "mkdep: no writeable file \"$MAKE\""
- exit 1
-fi
-
-TMP=mkdep$$
-
-trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
-
-cp $MAKE ${MAKE}.bak
-
-sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
-
-cat << _EOF_ >> $TMP
-# DO NOT DELETE THIS LINE -- mkdep uses it.
-# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
-
-_EOF_
-
-# If your compiler doesn't have -M, add it. If you can't, the next two
-# lines will try and replace the "cc -M". The real problem is that this
-# hack can't deal with anything that requires a search path, and doesn't
-# even try for anything using bracket (<>) syntax.
-#
-# egrep '^#include[ ]*".*"' /dev/null $* |
-# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
-
-MKDEPPROG="@MKDEPPROG@"
-if [ X"${MKDEPPROG}" != X ]; then
- @SHELL@ -c "${MKDEPPROG} $*"
-else
- @MKDEPCC@ @MKDEPCFLAGS@ $* |
- sed "
- s; \./; ;g
- @LIBTOOL_MKDEP_SED@
- $SED" |
- awk '{
- if ($1 != prev) {
- if (rec != "")
- print rec;
- rec = $0;
- prev = $1;
- }
- else {
- if (length(rec $2) > 78) {
- print rec;
- rec = $0;
- }
- else
- rec = rec " " $2
- }
- }
- END {
- print rec
- }' >> $TMP
-fi
-
-cat << _EOF_ >> $TMP
-
-# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
-_EOF_
-
-# copy to preserve permissions
-cp $TMP $MAKE
-rm -f ${MAKE}.bak $TMP
-exit 0
diff --git a/contrib/bind9/make/rules.in b/contrib/bind9/make/rules.in
deleted file mode 100644
index 6b83bce434e0..000000000000
--- a/contrib/bind9/make/rules.in
+++ /dev/null
@@ -1,224 +0,0 @@
-# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003 Internet Software Consortium.
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
-# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
-# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
-# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-# PERFORMANCE OF THIS SOFTWARE.
-
-# $Id: rules.in,v 1.40.2.5.4.8 2005/10/28 01:53:44 marka Exp $
-
-###
-### Common Makefile rules for BIND 9.
-###
-
-###
-### Paths
-###
-### Note: paths that vary by Makefile MUST NOT be listed
-### here, or they won't get expanded correctly.
-
-prefix = @prefix@
-exec_prefix = @exec_prefix@
-bindir = @bindir@
-sbindir = @sbindir@
-includedir = @includedir@
-libdir = @libdir@
-sysconfdir = @sysconfdir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-
-DESTDIR =
-
-@SET_MAKE@
-
-top_builddir = @BIND9_TOP_BUILDDIR@
-
-###
-### All
-###
-### Makefile may define:
-### TARGETS
-
-all: subdirs ${TARGETS}
-
-###
-### Subdirectories
-###
-### Makefile may define:
-### SUBDIRS
-
-ALL_SUBDIRS = ${SUBDIRS} nulldir
-
-#
-# We use a single-colon rule so that additional dependencies of
-# subdirectories can be specified after the inclusion of this file.
-# The "depend" target is treated the same way.
-#
-subdirs:
- @for i in ${ALL_SUBDIRS}; do \
- if [ "$$i" != "nulldir" -a -d $$i ]; then \
- echo "making all in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \
- fi; \
- done
-
-install:: all
-
-install clean distclean maintainer-clean doc docclean man manclean::
- @for i in ${ALL_SUBDIRS}; do \
- if [ "$$i" != "nulldir" -a -d $$i ]; then \
- echo "making $@ in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
- fi; \
- done
-
-###
-### C Programs
-###
-### Makefile must define
-### CC
-### Makefile may define
-### CFLAGS
-### LDFLAGS
-### CINCLUDES
-### CDEFINES
-### CWARNINGS
-### User may define externally
-### EXT_CFLAGS
-
-CC = @CC@
-CFLAGS = @CFLAGS@
-LDFLAGS = @LDFLAGS@
-STD_CINCLUDES = @STD_CINCLUDES@
-STD_CDEFINES = @STD_CDEFINES@
-STD_CWARNINGS = @STD_CWARNINGS@
-
-.SUFFIXES:
-.SUFFIXES: .c .@O@
-
-ALWAYS_INCLUDES = -I${top_builddir}
-ALWAYS_DEFINES = @ALWAYS_DEFINES@
-ALWAYS_WARNINGS =
-
-ALL_CPPFLAGS = \
- ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
- ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
-
-ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \
- ${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
-
-.c.@O@:
- ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
-
-SHELL = @SHELL@
-LIBTOOL = @LIBTOOL@
-LIBTOOL_MODE_COMPILE = ${LIBTOOL} @LIBTOOL_MODE_COMPILE@
-LIBTOOL_MODE_INSTALL = ${LIBTOOL} @LIBTOOL_MODE_INSTALL@
-LIBTOOL_MODE_LINK = ${LIBTOOL} @LIBTOOL_MODE_LINK@
-PURIFY = @PURIFY@
-
-MKDEP = ${SHELL} ${top_builddir}/make/mkdep
-
-cleandir: distclean
-superclean: maintainer-clean
-
-clean distclean maintainer-clean::
- rm -f *.@O@ *.o *.lo *.la core *.core .depend
- rm -rf .libs
-
-distclean maintainer-clean::
- rm -f Makefile
-
-depend:
- @for i in ${ALL_SUBDIRS}; do \
- if [ "$$i" != "nulldir" -a -d $$i ]; then \
- echo "making depend in `pwd`/$$i"; \
- (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
- fi; \
- done
- @if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
- ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
- ${DEPENDEXTRA} \
- elif [ X"${SRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
- ${DEPENDEXTRA} \
- elif [ X"${PSRCS}" != X ] ; then \
- echo ${MKDEP} ${ALL_CPPFLAGS} ${PSRCS}; \
- ${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS}; \
- ${DEPENDEXTRA} \
- fi
-
-FORCE:
-
-###
-### Libraries
-###
-
-AR = @AR@
-ARFLAGS = @ARFLAGS@
-RANLIB = @RANLIB@
-
-###
-### Installation
-###
-
-INSTALL = @INSTALL@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_DATA = @INSTALL_DATA@
-
-###
-### Programs used when generating documentation. It's ok for these
-### not to exist when not generating documentation.
-###
-
-XSLTPROC = @XSLTPROC@ --novalid
-PERL = @PERL@
-LATEX = @LATEX@
-PDFLATEX = @PDFLATEX@
-
-###
-### DocBook -> HTML
-### DocBook -> man page
-###
-
-.SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8
-
-.docbook.html:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $<
-
-.docbook.1:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.2:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.3:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.4:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.5:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.6:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.7:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
-
-.docbook.8:
- ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $<
diff --git a/contrib/bind9/mkinstalldirs b/contrib/bind9/mkinstalldirs
deleted file mode 100755
index 4992567c9729..000000000000
--- a/contrib/bind9/mkinstalldirs
+++ /dev/null
@@ -1,40 +0,0 @@
-#! /bin/sh
-# mkinstalldirs --- make directory hierarchy
-# Author: Noah Friedman <friedman@prep.ai.mit.edu>
-# Created: 1993-05-16
-# Public domain
-
-# $Id: mkinstalldirs,v 1.1 2000/09/20 19:05:51 gson Exp $
-
-errstatus=0
-
-for file
-do
- set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
- shift
-
- pathcomp=
- for d
- do
- pathcomp="$pathcomp$d"
- case "$pathcomp" in
- -* ) pathcomp=./$pathcomp ;;
- esac
-
- if test ! -d "$pathcomp"; then
- echo "mkdir $pathcomp" 1>&2
-
- mkdir "$pathcomp" || lasterr=$?
-
- if test ! -d "$pathcomp"; then
- errstatus=$lasterr
- fi
- fi
-
- pathcomp="$pathcomp/"
- done
-done
-
-exit $errstatus
-
-# mkinstalldirs ends here
diff --git a/contrib/bind9/version b/contrib/bind9/version
deleted file mode 100644
index 5c9032a3ed08..000000000000
--- a/contrib/bind9/version
+++ /dev/null
@@ -1,10 +0,0 @@
-# $Id: version,v 1.26.2.17.2.21 2005/12/14 00:43:14 marka Exp $
-#
-# This file must follow /bin/sh rules. It is imported directly via
-# configure.
-#
-MAJORVER=9
-MINORVER=3
-PATCHVER=2
-RELEASETYPE=
-RELEASEVER=